From 5c5af8bec9d70e75605e96928359c884fae17265 Mon Sep 17 00:00:00 2001 
From: Fabian Rodriguez Date: Thu, 13 Jul 2023 11:02:29 +0200 Subject: [PATCH 001/165] Download updated plugin schemas for v3.4.x Now that the descriptions were merged into the schemas, we can pull them using the API. --- schemas/acl/3.4.x.json | 50 +- schemas/acme/3.4.x.json | 235 ++-- schemas/application-registration/3.4.x.json | 60 +- schemas/aws-lambda/3.4.x.json | 98 +- schemas/azure-functions/3.4.x.json | 69 +- schemas/basic-auth/3.4.x.json | 38 +- schemas/bot-detection/3.4.x.json | 57 +- schemas/canary/3.4.x.json | 114 +- schemas/correlation-id/3.4.x.json | 37 +- schemas/cors/3.4.x.json | 64 +- schemas/datadog/3.4.x.json | 233 ++-- schemas/degraphql/3.4.x.json | 42 +- schemas/exit-transformer/3.4.x.json | 28 +- schemas/file-log/3.4.x.json | 40 +- schemas/forward-proxy/3.4.x.json | 59 +- .../graphql-proxy-cache-advanced/3.4.x.json | 46 +- .../graphql-rate-limiting-advanced/3.4.x.json | 269 ++-- schemas/grpc-gateway/3.4.x.json | 28 +- schemas/grpc-web/3.4.x.json | 36 +- schemas/hmac-auth/3.4.x.json | 82 +- schemas/http-log/3.4.x.json | 119 +- schemas/ip-restriction/3.4.x.json | 66 +- schemas/jq/3.4.x.json | 122 +- schemas/jwe-decrypt/3.4.x.json | 47 +- schemas/jwt-signer/3.4.x.json | 355 ++++-- schemas/jwt/3.4.x.json | 99 +- schemas/kafka-log/3.4.x.json | 139 +- schemas/kafka-upstream/3.4.x.json | 183 +-- schemas/key-auth-enc/3.4.x.json | 50 +- schemas/key-auth/3.4.x.json | 60 +- schemas/konnect-application-auth/3.4.x.json | 66 +- schemas/ldap-auth-advanced/3.4.x.json | 136 +- schemas/ldap-auth/3.4.x.json | 109 +- schemas/loggly/3.4.x.json | 56 +- schemas/mocking/3.4.x.json | 67 +- schemas/mtls-auth/3.4.x.json | 122 +- schemas/oas-validation/3.4.x.json | 82 +- schemas/oauth2-introspection/3.4.x.json | 90 +- schemas/oauth2/3.4.x.json | 94 +- schemas/opa/3.4.x.json | 85 +- schemas/openid-connect/3.4.x.json | 1115 ++++++++++------- schemas/opentelemetry/3.4.x.json | 152 ++- schemas/post-function/3.4.x.json | 105 +- schemas/pre-function/3.4.x.json | 105 +- 
schemas/prometheus/3.4.x.json | 52 +- schemas/proxy-cache-advanced/3.4.x.json | 275 ++-- schemas/proxy-cache/3.4.x.json | 95 +- schemas/rate-limiting-advanced/3.4.x.json | 276 ++-- schemas/rate-limiting/3.4.x.json | 198 ++- schemas/request-size-limiting/3.4.x.json | 27 +- schemas/request-termination/3.4.x.json | 50 +- .../request-transformer-advanced/3.4.x.json | 182 +-- schemas/request-transformer/3.4.x.json | 144 ++- schemas/request-validator/3.4.x.json | 123 +- schemas/response-ratelimiting/3.4.x.json | 181 ++- .../response-transformer-advanced/3.4.x.json | 110 +- schemas/response-transformer/3.4.x.json | 153 +-- schemas/route-by-header/3.4.x.json | 43 +- schemas/route-transformer-advanced/3.4.x.json | 48 +- schemas/saml/3.4.x.json | 363 +++--- schemas/session/3.4.x.json | 170 ++- schemas/statsd-advanced/3.4.x.json | 355 +++--- schemas/statsd/3.4.x.json | 273 ++-- schemas/syslog/3.4.x.json | 47 +- schemas/tcp-log/3.4.x.json | 54 +- schemas/tls-handshake-modifier/3.4.x.json | 37 +- schemas/tls-metadata-headers/3.4.x.json | 60 +- schemas/udp-log/3.4.x.json | 39 +- schemas/upstream-timeout/3.4.x.json | 29 +- schemas/vault-auth/3.4.x.json | 60 +- schemas/websocket-size-limit/3.4.x.json | 49 +- schemas/websocket-validator/3.4.x.json | 117 +- schemas/xml-threat-protection/3.4.x.json | 267 ++-- schemas/zipkin/3.4.x.json | 155 ++- 74 files changed, 5786 insertions(+), 3555 deletions(-) diff --git a/schemas/acl/3.4.x.json b/schemas/acl/3.4.x.json index b3c90235..6571ebb0 100644 --- a/schemas/acl/3.4.x.json +++ b/schemas/acl/3.4.x.json 
@@ -2,50 +2,59 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } } }, { "config": { - "required": true, "fields": [ { "allow": { + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "deny": { + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { @@ -56,8 +65,23 @@ } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "only_one_of": [ + "config.allow", + "config.deny" + ] + }, + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } ] } \ No newline at end of file diff --git a/schemas/acme/3.4.x.json b/schemas/acme/3.4.x.json index 81602de5..d8c13b07 100644 --- a/schemas/acme/3.4.x.json +++ b/schemas/acme/3.4.x.json 
@@ -2,107 +2,127 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "service": { - "eq": null, "reference": "services", - "type": "foreign" + "description": "A reference to the 'services' table with a null value allowed.", + "type": "foreign", + "eq": null } }, { "route": { - "eq": null, "reference": "routes", - "type": "foreign" + "description": "A reference to the 'routes' table with a null value allowed.", + "type": "foreign", + "eq": null + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } } }, { "config": { - "required": true, "fields": [ { "account_email": { - "match": "%w*%p*@+%w*%.?%w*", + "required": true, + "referenceable": true, "encrypted": true, + "description": "The account identifier. Can be reused in a different plugin instance.", "type": "string", - "required": true, - "referenceable": true + "match": "%w*%p*@+%w*%.?%w*" } }, { "account_key": { "required": false, + "description": "The private key associated with the account.", + "type": "record", "fields": [ { "key_id": { + "description": "The Key ID.", "type": "string", "required": true } }, { "key_set": { - "type": "string" + "type": "string", + "description": "The ID of the key set to associate the Key ID with." 
} } - ], - "type": "record" + ] } }, { "api_uri": { - "type": "string", - "default": "https://acme-v02.api.letsencrypt.org/directory" + "default": "https://acme-v02.api.letsencrypt.org/directory", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "tos_accepted": { - "type": "boolean", - "default": false + "default": false, + "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", + "type": "boolean" } }, { "eab_kid": { - "encrypted": true, "referenceable": true, - "type": "string" + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", + "type": "string", + "encrypted": true } }, { "eab_hmac_key": { - "encrypted": true, "referenceable": true, - "type": "string" + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", + "type": "string", + "encrypted": true } }, { "cert_type": { "default": "rsa", + "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate.", "type": "string", "one_of": [ "rsa", @@ -113,6 +133,7 @@ { "rsa_key_size": { "default": 4096, + "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", "type": "number", "one_of": [ 2048, 
@@ -123,12 +144,15 @@ }, { "renew_threshold_days": { - "type": "number", - "default": 14 + "default": 14, + "description": "Days remaining to renew the certificate before it expires.", + "type": "number" } }, { "domains": { + "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", + "type": "array", "elements": { "match_any": { "err": "invalid wildcard: must be placed at leftmost or rightmost label", @@ -140,30 +164,32 @@ }, "match_all": [ { - "err": "invalid wildcard: must have at most one wildcard", - "pattern": "^[^*]*%*?[^*]*$" + "pattern": "^[^*]*%*?[^*]*$", + "err": "invalid wildcard: must have at most one wildcard" } ], "type": "string" - }, - "type": "array" + } } }, { "allow_any_domain": { - "type": "boolean", - "default": false + "default": false, + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", + "type": "boolean" } }, { "fail_backoff_minutes": { - "type": "number", - "default": 5 + "default": 5, + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", + "type": "number" } }, { "storage": { "default": "shm", + "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well.", "type": "string", "one_of": [ "kong", 
@@ -176,38 +202,38 @@ }, { "storage_config": { - "required": true, "fields": [ { "shm": { - "required": true, "fields": [ { "shm_name": { "default": "kong", + "description": "Name of shared memory zone used for Kong API gateway storage", "type": "string" } } ], - "type": "record" + "type": "record", + "required": true } }, { "kong": { - "required": true, "fields": [ ], - "type": "record" + "type": "record", + "required": true } }, { "redis": { - "required": true, "fields": [ { "host": { - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { 
@@ -216,65 +242,74 @@ 0, 65535 ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, { "database": { - "type": "number" + "type": "number", + "description": "The index of the Redis database to use." } }, { "auth": { + "description": "The Redis password to use for authentication. ", "type": "string", "referenceable": true } }, { "ssl": { - "required": true, "default": false, - "type": "boolean" + "description": "Whether to use SSL/TLS encryption when connecting to the Redis server.", + "type": "boolean", + "required": true } }, { "ssl_verify": { - "required": true, "default": false, - "type": "boolean" + "description": "Whether to verify the SSL/TLS certificate presented by the Redis server. This should be a boolean value.", + "type": "boolean", + "required": true } }, { "ssl_server_name": { + "description": "The expected server name for the SSL/TLS certificate presented by the Redis server.", "type": "string", "required": false } }, { "namespace": { - "type": "string", - "len_min": 0, "required": true, - "default": "" + "default": "", + "description": "A namespace to prepend to all keys stored in Redis.", + "type": "string", + "len_min": 0 } } ], - "type": "record" + "type": "record", + "required": true } }, { "consul": { - "required": true, "fields": [ { "https": { - "type": "boolean", - "default": false + "default": false, + "description": "Boolean representation of https.", + "type": "boolean" } }, { "host": { - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { 
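Review bot: The new `ssl_verify` description in the `redis` storage block does not mention that the field defaults to `false`, so a reader who sets only `ssl: true` gets an encrypted connection to a Redis server whose certificate is never checked. Since this text is what the rendered docs will show, I would word it as `Whether to verify the SSL/TLS certificate presented by the Redis server. Defaults to false; set to true whenever ssl is enabled so the server is authenticated.` The same gap applies to `https_verify` (default `false`) in schemas/azure-functions/3.4.x.json, where `apikey` and `clientid` are described as being injected as request headers. As these files are pulled from the API, the wording probably has to be corrected in the upstream schema and re-downloaded rather than edited here.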
@@ -283,42 +318,48 @@ 0, 65535 ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, { "kv_path": { - "type": "string" + "type": "string", + "description": "KV prefix path." } }, { "timeout": { - "type": "number" + "type": "number", + "description": "Timeout in milliseconds." } }, { "token": { + "description": "Consul ACL token.", "type": "string", "referenceable": true } } ], - "type": "record" + "type": "record", + "required": true } }, { "vault": { - "required": true, "fields": [ { "https": { - "type": "boolean", - "default": false + "default": false, + "description": "Boolean representation of https.", + "type": "boolean" } }, { "host": { - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { @@ -327,39 +368,46 @@ 0, 65535 ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, { "kv_path": { - "type": "string" + "type": "string", + "description": "KV prefix path." } }, { "timeout": { - "type": "number" + "type": "number", + "description": "Timeout in milliseconds." } }, { "token": { + "description": "Consul ACL token.", "type": "string", "referenceable": true } }, { "tls_verify": { - "type": "boolean", - "default": true + "default": true, + "description": "Turn on TLS verification.", + "type": "boolean" } }, { "tls_server_name": { - "type": "string" + "type": "string", + "description": "SNI used in request, default to host if omitted." } }, { "auth_method": { "default": "token", + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", "type": "string", "one_of": [ "token", 
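Review bot: In the `vault` storage block (the second hunk on this line) the `token` field is described as `Consul ACL token.`, which looks carried over from the `consul` block above it. For a `referenceable` secret the description should name the credential that is actually expected, e.g. `Vault token used to authenticate to the Vault server.` The same kind of mismatch appears in schemas/aws-lambda/3.4.x.json, where `aws_region` is described as `A string representing a host name, such as example.com.` Both read like generic type descriptions reused on fields they do not fit, so the fix most likely belongs in the upstream schema.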
@@ -369,40 +417,73 @@ }, { "auth_path": { - "type": "string" + "type": "string", + "description": "Vault's authentication path to use." } }, { "auth_role": { - "type": "string" + "type": "string", + "description": "The role to try and assign." } }, { "jwt_path": { - "type": "string" + "type": "string", + "description": "The path to the JWT." } } ], - "type": "record" + "type": "record", + "required": true } } ], - "type": "record" + "type": "record", + "required": true } }, { "preferred_chain": { - "type": "string" + "type": "string", + "description": "A string value that specifies the preferred certificate chain to use when generating certificates." } }, { "enable_ipv4_common_name": { - "type": "boolean", - "default": true + "default": true, + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", + "type": "boolean" } } ], - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "config.tos_accepted", + "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", + "then_match": { + "eq": true + }, + "if_match": { + "one_of": [ + "https://acme-v02.api.letsencrypt.org", + "https://acme-staging-v02.api.letsencrypt.org" + ] + }, + "if_field": "config.api_uri" + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.storage" + ] } } ] diff --git a/schemas/application-registration/3.4.x.json b/schemas/application-registration/3.4.x.json index c9b1ab9b..f0656bf6 100644 --- a/schemas/application-registration/3.4.x.json +++ b/schemas/application-registration/3.4.x.json 
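Review bot: The new `conditional` entity check matches `config.api_uri` against `https://acme-v02.api.letsencrypt.org` and `https://acme-staging-v02.api.letsencrypt.org`, but the default for `api_uri` earlier in this file is `https://acme-v02.api.letsencrypt.org/directory`. If `one_of` compares whole values, the `tos_accepted` requirement would not trigger for the default URI, and the docs would then present a check that does not hold in practice. That is worth confirming against the plugin; if it is the case, the list should carry the full directory URLs, e.g. `"https://acme-v02.api.letsencrypt.org/directory"`. Because this file is downloaded from the API, any correction would be made upstream.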
@@ -2,81 +2,99 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "service": { - "on_delete": "cascade", - "ne": null, "reference": "services", - "type": "foreign" + "on_delete": "cascade", + "type": "foreign", + "ne": null } }, { "route": { - "eq": null, "reference": "routes", - "type": "foreign" + "description": "A reference to the 'routes' table with a null value allowed.", + "type": "foreign", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "display_name": { - "type": "string", "unique": true, + "description": "Unique display name used for a Service in the Developer Portal.", + "type": "string", "required": true } }, { "description": { - "unique": true, - "type": "string" + "description": "Unique description displayed in information about a Service in the Developer Portal.", + "type": "string", + "unique": true } }, { "auto_approve": { - "required": true, + "default": false, + "description": "If enabled, all new Service Contracts requests are automatically approved.", "type": "boolean", - "default": false + "required": true } }, { "show_issuer": { - "required": true, + "default": false, + "description": "Displays the **Issuer URL** in the **Service Details** dialog.", "type": "boolean", - "default": false + "required": true } } ], - "type": "record" + "type": 
"record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/aws-lambda/3.4.x.json b/schemas/aws-lambda/3.4.x.json index c97dbde1..d3b29a65 100644 --- a/schemas/aws-lambda/3.4.x.json +++ b/schemas/aws-lambda/3.4.x.json @@ -2,32 +2,41 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "timeout": { "default": 60000, + "description": "An optional timeout in milliseconds when invoking the function.", "type": "number", "required": true } @@ -35,6 +44,7 @@ { "keepalive": { "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", "type": "number", "required": true } @@ -42,6 +52,7 @@ { "aws_key": { "referenceable": true, + "description": "The AWS key credential to be used when invoking the function.", "type": "string", "encrypted": true } @@ -49,6 +60,7 @@ { "aws_secret": { "referenceable": true, + "description": "The AWS secret credential to be used when invoking the function. ", "type": "string", "encrypted": true } @@ -56,6 +68,7 @@ { "aws_assume_role_arn": { "referenceable": true, + "description": "The target AWS IAM role ARN used to invoke the Lambda function.", "type": "string", "encrypted": true } 
@@ -63,61 +76,69 @@ { "aws_role_session_name": { "default": "kong", + "description": "The identifier of the assumed role session.", "type": "string" } }, { "aws_region": { - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "function_name": { - "required": false, - "type": "string" + "description": "The AWS Lambda function name to invoke.", + "type": "string", + "required": false } }, { "qualifier": { - "type": "string" + "type": "string", + "description": "The qualifier to use when invoking the function." } }, { "invocation_type": { "required": true, + "default": "RequestResponse", + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", + "type": "string", "one_of": [ "RequestResponse", "Event", "DryRun" - ], - "type": "string", - "default": "RequestResponse" + ] } }, { "log_type": { "required": true, + "default": "Tail", + "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", + "type": "string", "one_of": [ "Tail", "None" - ], - "type": "string", - "default": "Tail" + ] } }, { "host": { - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { + "default": 443, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "default": 443 + ] } }, { 
@@ -132,75 +153,102 @@ 100, 999 ], + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", "type": "integer" } }, { "forward_request_method": { "default": false, + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", "type": "boolean" } }, { "forward_request_uri": { "default": false, + "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", "type": "boolean" } }, { "forward_request_headers": { "default": false, + "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", "type": "boolean" } }, { "forward_request_body": { "default": false, + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. ", "type": "boolean" } }, { "is_proxy_integration": { "default": false, + "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", "type": "boolean" } }, { "awsgateway_compatible": { "default": false, + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", "type": "boolean" } }, { "proxy_url": { - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
} }, { "skip_large_bodies": { "default": true, + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", "type": "boolean" } }, { "base64_encode_body": { "default": true, + "description": "An optional value that Base64-encodes the request body.", "type": "boolean" } }, { "aws_imds_protocol_version": { "required": true, + "default": "v1", + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", + "type": "string", "one_of": [ "v1", "v2" - ], - "type": "string", - "default": "v1" + ] } } ], - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "config.aws_key", + "config.aws_secret" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "config.proxy_url" + ] } } ] diff --git a/schemas/azure-functions/3.4.x.json b/schemas/azure-functions/3.4.x.json index 12e39094..92bd6cee 100644 --- a/schemas/azure-functions/3.4.x.json +++ b/schemas/azure-functions/3.4.x.json @@ -2,13 +2,18 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing protocols.", + "type": "set", "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
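Review bot: `aws_imds_protocol_version` keeps `"default": "v1"`, and the new description only lists the two accepted values without saying which one to prefer. IMDSv2 requires a session token for metadata requests, which makes instance credentials harder to reach through a request-forgery flaw, so the description is the natural place to steer readers toward it. I would suggest `Identifier to select the IMDS protocol version to use: v1 or v2. Prefer v2 where the environment supports it.` As with the other schema files in this patch, the text would need to change upstream and be pulled again.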
@@ -20,83 +25,101 @@ "udp", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "timeout": { - "type": "number", - "default": 600000 + "default": 600000, + "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", + "type": "number" } }, { "keepalive": { - "type": "number", - "default": 60000 + "default": 60000, + "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", + "type": "number" } }, { "https": { - "type": "boolean", - "default": true + "default": true, + "description": "Use of HTTPS to connect with the Azure Functions server.", + "type": "boolean" } }, { "https_verify": { - "type": "boolean", - "default": false + "default": false, + "description": "Set to `true` to authenticate the Azure Functions server.", + "type": "boolean" } }, { "apikey": { + "encrypted": true, + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", "type": "string", - "referenceable": true, - "encrypted": true + "referenceable": true } }, { "clientid": { + "encrypted": true, + "description": "The `clientid` to access the Azure resources. 
If provided, it is injected as the `x-functions-clientid` header.", "type": "string", - "referenceable": true, - "encrypted": true + "referenceable": true } }, { "appname": { + "description": "The Azure app name.", "type": "string", "required": true } }, { "hostdomain": { + "default": "azurewebsites.net", + "description": "The domain where the function resides.", "type": "string", - "required": true, - "default": "azurewebsites.net" + "required": true } }, { "routeprefix": { - "type": "string", - "default": "api" + "default": "api", + "description": "Route prefix to use.", + "type": "string" } }, { "functionname": { + "description": "Name of the Azure function to invoke.", "type": "string", "required": true } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/basic-auth/3.4.x.json b/schemas/basic-auth/3.4.x.json index 5764aedf..e391bd76 100644 --- a/schemas/basic-auth/3.4.x.json +++ b/schemas/basic-auth/3.4.x.json @@ -2,9 +2,10 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { @@ -17,7 +18,10 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -25,32 +29,42 @@ "https", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "anonymous": { - "type": "string" + "type": "string", + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { "hide_credentials": { - "required": true, "default": false, - "type": "boolean" + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", + "type": "boolean", + "required": true } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/bot-detection/3.4.x.json b/schemas/bot-detection/3.4.x.json index 1aa68467..1809483e 100644 --- a/schemas/bot-detection/3.4.x.json +++ b/schemas/bot-detection/3.4.x.json 
@@ -2,63 +2,78 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "allow": { - "type": "array", - "elements": { - "type": "string", - "is_regex": true - }, "default": [ - ] + ], + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", + "type": "array", + "elements": { + "is_regex": true, + "type": "string" + } } }, { "deny": { - "type": "array", - "elements": { - "type": "string", - "is_regex": true - }, "default": [ - ] + ], + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", + "type": "array", + "elements": { + "is_regex": true, + "type": "string" + } } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/canary/3.4.x.json b/schemas/canary/3.4.x.json index 49a4a71e..3bbfc0b4 100644 --- a/schemas/canary/3.4.x.json +++ b/schemas/canary/3.4.x.json 
@@ -2,52 +2,56 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } } }, { "config": { - "shorthand_fields": [ - { - "hash": { - "type": "string" - } - } - ], - "required": true, "fields": [ { "start": { - "type": "number" + "type": "number", + "description": "Future time in seconds since epoch, when the canary release will start. Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`." } }, { "hash": { - "type": "string", "default": "consumer", + "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", + "type": "string", "one_of": [ "consumer", "ip", 
@@ -60,21 +64,24 @@ }, { "hash_header": { - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." } }, { "duration": { "default": 3600, - "gt": 0, - "type": "number" + "description": "The duration of the canary release in seconds.", + "type": "number", + "gt": 0 } }, { "steps": { "default": 1000, - "gt": 1, - "type": "number" + "description": "The number of steps for the canary release.", + "type": "number", + "gt": 1 } }, { @@ -83,12 +90,14 @@ 0, 100 ], + "description": "The percentage of traffic to be routed to the canary release.", "type": "number" } }, { "upstream_host": { - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { 
@@ -97,37 +106,84 @@ 0, 65535 ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, { "upstream_uri": { "len_min": 1, + "description": "The URI of the upstream server to be used for the canary release.", "type": "string" } }, { "upstream_fallback": { + "default": false, + "description": "Specifies whether to fallback to the upstream server if the canary release fails.", "type": "boolean", - "required": true, - "default": false + "required": true } }, { "groups": { + "description": "The groups allowed to access the canary release.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "canary_by_header_name": { - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." + } + } + ], + "type": "record", + "shorthand_fields": [ + { + "hash": { + "type": "string", + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead." } } ], - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.upstream_uri", + "config.upstream_host", + "config.upstream_port" + ] + }, + { + "conditional": { + "if_field": "config.hash", + "then_field": "config.hash_header", + "if_match": { + "eq": "header" + }, + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.upstream_fallback", + "then_field": "config.upstream_host", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + } } } ] diff --git a/schemas/correlation-id/3.4.x.json b/schemas/correlation-id/3.4.x.json index 6a46c126..cabf5784 100644 --- a/schemas/correlation-id/3.4.x.json +++ b/schemas/correlation-id/3.4.x.json 
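Review bot: The `groups` description added in this hunk, `The groups allowed to access the canary release.`, only fits `hash: allow`, while the `hash` description earlier in the same file says `deny` keeps the specified groups out. A reader configuring `deny` from this text could get the list the wrong way round. Suggested wording: `The groups that are allowed into the canary release (hash = allow) or excluded from it (hash = deny).` The shorthand `hash` description in the same hunk is also missing a full stop between `Use allow instead` and `blacklist is deprecated`. As the file is pulled from the API, both fixes probably belong in the upstream schema.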
@@ -2,38 +2,48 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "header_name": { - "type": "string", - "default": "Kong-Request-ID" + "default": "Kong-Request-ID", + "description": "The HTTP header name to use for the correlation ID.", + "type": "string" } }, { "generator": { "default": "uuid#counter", + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", "type": "string", "one_of": [ "uuid", @@ -44,14 +54,19 @@ }, { "echo_downstream": { + "default": false, + "description": "Whether to echo the header back to downstream (the client).", "type": "boolean", - "required": true, - "default": false + "required": true } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/cors/3.4.x.json b/schemas/cors/3.4.x.json index 8f3e05ea..acdeca64 100644 --- a/schemas/cors/3.4.x.json +++ b/schemas/cors/3.4.x.json 
@@ -2,22 +2,26 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { - "type": "string", "len_min": 1, + "type": "string", "one_of": [ "grpc", "grpcs", @@ -25,42 +29,49 @@ "https" ], "required": true - }, - "required": true, - "type": "set" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "origins": { + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { + "description": "Value for the `Access-Control-Allow-Headers` header.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "exposed_headers": { + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "methods": { - "type": "array", "default": [ "GET", "HEAD", @@ -72,7 +83,10 @@ "TRACE", "CONNECT" ], + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", + "type": "array", "elements": { + "type": "string", "one_of": [ "GET", "HEAD", 
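Review bot: The `origins` description added in the cors `config` hunk (-25,42) says values may be flat strings or PCRE regexes, but gives no caveat for writing a regex entry safely. An unescaped `.` matches any character, and the schema does not show whether the pattern is anchored, so a loosely written entry could accept look-alike origins. This matters most when `credentials` is `true`. Consider appending a sentence such as `Escape literal dots and anchor regex entries with ^ and $.` to that description.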
@@ -83,33 +97,39 @@ "OPTIONS", "TRACE", "CONNECT" - ], - "type": "string" + ] } } }, { "max_age": { - "type": "number" + "type": "number", + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`." } }, { "credentials": { + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", "type": "boolean", - "required": true, - "default": false + "required": true } }, { "preflight_continue": { + "default": false, + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", "type": "boolean", - "required": true, - "default": false + "required": true } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/datadog/3.4.x.json b/schemas/datadog/3.4.x.json index d8251ec0..2a74a2bf 100644 --- a/schemas/datadog/3.4.x.json +++ b/schemas/datadog/3.4.x.json @@ -2,13 +2,18 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing protocols.", + "type": "set", "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,221 +25,224 @@ "udp", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "retry_count", - "queue_size", - "flush_timeout" - ] - } - } - ], "fields": [ { "host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", "type": "string", - "referenceable": true, - "default": "localhost" + "referenceable": true } }, { "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "default": 8125 + ] } }, { "prefix": { "default": "kong", + "description": "String to be attached as a prefix to a metric's name.", "type": "string" } }, { "service_name_tag": { "default": "name", + "description": "String to be attached as the name of the service.", "type": "string" } }, { "status_tag": { "default": "status", + "description": "String to be attached as the tag of the HTTP status.", "type": "string" } }, { "consumer_tag": { "default": "consumer", + "description": "String to be attached as tag of the consumer.", "type": "string" } }, { "retry_count": { - "type": "integer" + "type": "integer", + "description": "Number of times to retry when sending data to the upstream server." } }, { "queue_size": { - "type": "integer" + "type": "integer", + "description": "Maximum number of log entries to be sent on each message to the upstream server." } }, { "flush_timeout": { - "type": "number" + "type": "number", + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records." 
} }, { "queue": { - "required": true, "fields": [ { "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", "between": [ 1, 1000000 - ], - "type": "number", - "default": 1 + ] } }, { "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", "between": [ 0, 3600 - ], - "type": "number", - "default": 1 + ] } }, { "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", "between": [ 1, 1000000 - ], - "type": "number", - "default": 10000 + ] } }, { "max_bytes": { - "type": "number" + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." } }, { "max_retry_time": { "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number" } }, { "initial_retry_delay": { "default": 0.01, - "type": "number" + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", + "between": [ + 0.001, + 1000000 + ] } }, { "max_retry_delay": { "default": 60, - "type": "number" + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", + "between": [ + 0.001, + 1000000 + ] } } ], - "type": "record" + "type": "record", + "required": true } }, { "metrics": { + "required": true, "default": [ { - "stat_type": "counter", + "consumer_identifier": "custom_id", "tags": [ "app:kong" ], - "consumer_identifier": "custom_id", - "name": "request_count", - "sample_rate": 1 + "stat_type": "counter", + "sample_rate": 1, + "name": "request_count" }, { - "stat_type": "timer", - "consumer_identifier": "custom_id", - "name": "latency", "tags": [ "app:kong" - ] + ], + "name": 
"latency", + "consumer_identifier": "custom_id", + "stat_type": "timer" }, { - "stat_type": "timer", - "consumer_identifier": "custom_id", - "name": "request_size", "tags": [ "app:kong" - ] + ], + "name": "request_size", + "consumer_identifier": "custom_id", + "stat_type": "timer" }, { - "stat_type": "timer", - "consumer_identifier": "custom_id", - "name": "response_size", "tags": [ "app:kong" - ] + ], + "name": "response_size", + "consumer_identifier": "custom_id", + "stat_type": "timer" }, { - "stat_type": "timer", - "consumer_identifier": "custom_id", - "name": "upstream_latency", "tags": [ "app:kong" - ] + ], + "name": "upstream_latency", + "consumer_identifier": "custom_id", + "stat_type": "timer" }, { - "stat_type": "timer", - "consumer_identifier": "custom_id", - "name": "kong_latency", "tags": [ "app:kong" - ] + ], + "name": "kong_latency", + "consumer_identifier": "custom_id", + "stat_type": "timer" } ], + "description": "List of metrics to be logged.", + "type": "array", "elements": { - "entity_checks": [ - { - "conditional": { - "if_match": { - "one_of": [ - "counter", - "gauge" - ] - }, - "then_field": "sample_rate", - "if_field": "stat_type", - "then_match": { - "required": true - } - } - } - ], "fields": [ { "name": { "type": "string", - "required": true, + "description": "Datadog metric’s name", "one_of": [ "kong_latency", "latency", @@ -242,13 +250,14 @@ "request_size", "response_size", "upstream_latency" - ] + ], + "required": true } }, { "stat_type": { "type": "string", - "required": true, + "description": "Determines what sort of event the metric represents", "one_of": [ "counter", "gauge", @@ -257,16 +266,18 @@ "set", "timer", "distribution" - ] + ], + "required": true } }, { "tags": { + "description": "List of tags", + "type": "array", "elements": { - "match": "^.*[^:]$", - "type": "string" - }, - "type": "array" + "type": "string", + "match": "^.*[^:]$" + } } }, { 
@@ -275,29 +286,61 @@ 0, 1 ], + "description": "Sampling rate", "type": "number" } }, { "consumer_identifier": { + "description": "Authenticated user detail", + "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ], - "type": "string" + ] } } ], - "type": "record" - }, - "required": true, - "type": "array" + "type": "record", + "entity_checks": [ + { + "conditional": { + "if_field": "stat_type", + "then_field": "sample_rate", + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_match": { + "required": true + } + } + } + ] + } } } ], - "type": "record" + "required": true, + "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "retry_count", + "queue_size", + "flush_timeout" + ] + } + } + ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/degraphql/3.4.x.json b/schemas/degraphql/3.4.x.json index 53c9616a..66ddbd40 100644 --- a/schemas/degraphql/3.4.x.json +++ b/schemas/degraphql/3.4.x.json 
@@ -2,53 +2,67 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "graphql_server_path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { - "err": "must not have empty segments", - "pattern": "//" + "pattern": "//", + "err": "must not have empty segments" } ], - "starts_with": "/", - "required": true, "default": "/graphql", - "type": "string" + "starts_with": "/", + "type": "string", + "required": true } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/exit-transformer/3.4.x.json b/schemas/exit-transformer/3.4.x.json index eb0f4934..7b3ac080 100644 --- a/schemas/exit-transformer/3.4.x.json +++ b/schemas/exit-transformer/3.4.x.json 
@@ -2,28 +2,36 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "functions": { @@ -37,18 +45,24 @@ { "handle_unknown": { "default": false, + "description": "Determines whether to handle unknown status codes by transforming their responses.", "type": "boolean" } }, { "handle_unexpected": { "default": false, + "description": "Determines whether to handle unexpected errors by transforming their responses.", "type": "boolean" } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/file-log/3.4.x.json b/schemas/file-log/3.4.x.json index 785e02e3..a76aa18a 100644 --- a/schemas/file-log/3.4.x.json +++ b/schemas/file-log/3.4.x.json @@ -2,13 +2,18 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing protocols.", + "type": "set", "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,28 +25,34 @@ "udp", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "path": { - "match": "^[^*&%%\\`]+$", - "required": true, "err": "not a valid filename", - "type": "string" + "required": true, + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", + "type": "string", + "match": "^[^*&%%\\`]+$" } }, { "reopen": { "default": false, + "description": "Determines whether the log file is closed and reopened on every request.", "type": "boolean", "required": true } @@ -49,19 +60,24 @@ { "custom_fields_by_lua": { "type": "map", - "keys": { + "description": "Lua code as a key-value map", + "values": { "len_min": 1, "type": "string" }, - "values": { + "keys": { "type": "string", "len_min": 1 } } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/forward-proxy/3.4.x.json b/schemas/forward-proxy/3.4.x.json index 54692ed8..0b6b0c8e 100644 --- a/schemas/forward-proxy/3.4.x.json +++ b/schemas/forward-proxy/3.4.x.json @@ -2,23 +2,32 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { 
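Review bot: The description added for `custom_fields_by_lua` in the second file-log hunk (-49,19), `Lua code as a key-value map`, does not say which side of the map holds code or that the gateway executes it. Whoever can write this plugin's configuration can supply that code, so the reference text should state it plainly. Suggested wording, to be confirmed against the plugin's behaviour: `A map from log field name to a chunk of Lua code; the gateway runs the code and uses its return value as the field value.`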
@@ -35,6 +44,7 @@ } } ], + "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -61,22 +71,25 @@ ] } ], + "type": "record", "fields": [ { "x_headers": { + "required": true, + "default": "append", + "description": "Determines how to handle headers when forwarding the request.", "type": "string", "one_of": [ "append", "transparent", "delete" - ], - "required": true, - "default": "append" + ] } }, { "http_proxy_host": { - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { @@ -85,12 +98,14 @@ 0, 65535 ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, { "https_proxy_host": { - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { 
@@ -99,44 +114,50 @@ 0, 65535 ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, { "proxy_scheme": { + "required": true, + "default": "http", + "description": "The proxy scheme to use when connecting. Only `http` is supported.", "type": "string", "one_of": [ "http" - ], - "required": true, - "default": "http" + ] } }, { "auth_username": { - "type": "string", "referenceable": true, + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "type": "string", "required": false } }, { "auth_password": { - "type": "string", "referenceable": true, + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "type": "string", "required": false } }, { "https_verify": { - "type": "boolean", "default": false, + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "type": "boolean", "required": true } } - ], - "required": true, - "type": "record" + ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/graphql-proxy-cache-advanced/3.4.x.json b/schemas/graphql-proxy-cache-advanced/3.4.x.json index e0c56352..258ebba7 100644 --- a/schemas/graphql-proxy-cache-advanced/3.4.x.json +++ b/schemas/graphql-proxy-cache-advanced/3.4.x.json 
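Review bot: The new `https_verify` description reads as if verification is in effect, but the field keeps `"default": false`, so the server certificate is not checked unless an operator turns it on. The generated reference should say so next to the field. Suggested text: `Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate. Defaults to false, which leaves the certificate unverified.` As the file is pulled from the API, the wording change probably belongs in the upstream schema.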
@@ -2,72 +2,88 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "strategy": { "required": true, + "default": "memory", + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", + "type": "string", "one_of": [ "memory" - ], - "type": "string", - "default": "memory" + ] } }, { "cache_ttl": { "default": 300, "gt": 0, - "type": "integer" + "type": "integer", + "description": "TTL in seconds of cache entities. Must be a value greater than 0." } }, { "memory": { - "required": true, "fields": [ { "dictionary_name": { "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", "type": "string", "required": true } } ], - "type": "record" + "type": "record", + "required": true } }, { "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/graphql-rate-limiting-advanced/3.4.x.json b/schemas/graphql-rate-limiting-advanced/3.4.x.json index 26020240..dd2934c1 100644 --- a/schemas/graphql-rate-limiting-advanced/3.4.x.json 
+++ b/schemas/graphql-rate-limiting-advanced/3.4.x.json @@ -2,45 +2,55 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "identifier": { "required": true, + "default": "consumer", + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", + "type": "string", "one_of": [ "ip", "credential", "consumer" - ], - "type": "string", - "default": "consumer" + ] } }, { "window_size": { - "type": "array", "required": true, + "description": "One or more window sizes to apply a limit to (defined in seconds).", + "type": "array", "elements": { "type": "number" } @@ -48,8 +58,9 @@ }, { "window_type": { - "type": "string", "default": "sliding", + "description": "Sets the time window to either `sliding` or `fixed`.", + "type": "string", "one_of": [ "fixed", "sliding" @@ -58,8 +69,9 @@ }, { "limit": { - "type": "array", "required": true, + "description": "One or more requests-per-window limits to apply.", + "type": "array", "elements": { "type": "number" } 
@@ -67,44 +79,50 @@ }, { "sync_rate": { - "required": true, - "type": "number" + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.", + "type": "number", + "required": true } }, { "namespace": { "auto": true, - "type": "string" + "type": "string", + "description": "The rate limiting library namespace to use for this plugin instance." } }, { "strategy": { "required": true, + "default": "cluster", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", + "type": "string", "one_of": [ "cluster", "redis" - ], - "type": "string", - "default": "cluster" + ] } }, { "dictionary_name": { - "required": true, + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters will be stored until the next sync cycle.", "type": "string", - "default": "kong_rate_limiting_counters" + "required": true } }, { "hide_client_headers": { "default": false, + "description": "Optionally hide informative response headers. Available options: `true` or `false`.", "type": "boolean" } }, { "cost_strategy": { - "type": "string", "default": "default", + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", + "type": "string", "one_of": [ "default", "node_quantifier" 
@@ -113,84 +131,28 @@ }, { "score_factor": { - "required": false, - "type": "number", "gt": 0, - "default": 1 + "required": false, + "default": 1, + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", + "type": "number" } }, { "max_cost": { - "required": false, + "default": 0, + "description": "A defined maximum cost per query. 0 means unlimited.", "type": "number", - "default": 0 + "required": false } }, { "redis": { - "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ], - "set2": [ - "host", - "port" - ] - } - }, - { - "mutually_exclusive_sets": { - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ], - "set2": [ - "cluster_addresses" - ] - } - }, - { - "mutually_exclusive_sets": { - "set1": [ - "cluster_addresses" - ], - "set2": [ - "host", - "port" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - } - ], "fields": [ { "host": { - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { @@ -199,17 +161,19 @@ 0, 65535 ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, { "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "default": 2000 + ] } }, { @@ -218,6 +182,7 @@ 0, 2147483646 ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, 
@@ -227,6 +192,7 @@ 0, 2147483646 ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, @@ -236,6 +202,7 @@ 0, 2147483646 ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, @@ -247,9 +214,9 @@ }, { "password": { - "referenceable": true, "encrypted": true, - "type": "string" + "type": "string", + "referenceable": true } }, { @@ -260,9 +227,9 @@ }, { "sentinel_password": { - "referenceable": true, "encrypted": true, - "type": "string" + "type": "string", + "referenceable": true } }, { @@ -273,21 +240,21 @@ }, { "keepalive_pool_size": { + "default": 30, + "type": "integer", "between": [ 1, 2147483646 - ], - "default": 30, - "type": "integer" + ] } }, { "keepalive_backlog": { + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer" + ] } }, { 
@@ -297,58 +264,140 @@ }, { "sentinel_role": { + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string" + ] } }, { "sentinel_addresses": { "len_min": 1, + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "cluster_addresses": { "len_min": 1, + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "ssl": { "default": false, - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "ssl_verify": { "default": false, - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string", "required": false } } ], - "type": "record" + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "cluster_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "cluster_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ] } } ], - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "config.redis.host", + "config.redis.sentinel_master" + ], + "if_match": { + "eq": "redis" + }, + "if_field": "config.strategy" } } ] 
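Review bot: In the `redis` record, `ssl` and `ssl_verify` are only reordered by this hunk and still have no `description`, unlike `server_name` beside them, and both keep `"default": false`. The rendered reference will therefore not tell a reader that the Redis connection is unencrypted and unverified unless both are enabled. `password` and `sentinel_password` in the earlier hunks at -247 and -260 are likewise left undescribed. Proposed additions: `"description": "If set to true, uses TLS to connect to Redis."` and `"description": "If set to true, verifies the Redis server certificate."`. If the API returns no text for these fields, the gap is upstream.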
diff --git a/schemas/grpc-gateway/3.4.x.json b/schemas/grpc-gateway/3.4.x.json index 37de613e..ee8b6484 100644 --- a/schemas/grpc-gateway/3.4.x.json +++ b/schemas/grpc-gateway/3.4.x.json @@ -2,13 +2,18 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing protocols.", + "type": "set", "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -20,26 +25,35 @@ "udp", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "proto": { + "description": "Describes the gRPC types and methods.", "type": "string", "required": false } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/grpc-web/3.4.x.json b/schemas/grpc-web/3.4.x.json index 0f63fb40..1f38322c 100644 --- a/schemas/grpc-web/3.4.x.json +++ b/schemas/grpc-web/3.4.x.json @@ -2,13 +2,18 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing protocols.", + "type": "set", "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,39 +25,50 @@ "udp", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "proto": { - "required": false, - "type": "string" + "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", + "type": "string", + "required": false } }, { "pass_stripped_path": { + "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", "type": "boolean", "required": false } }, { "allow_origin_header": { - "type": "string", "default": "*", + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", + "type": "string", "required": false } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/hmac-auth/3.4.x.json b/schemas/hmac-auth/3.4.x.json index 4d4976dd..5aefe9ef 100644 --- a/schemas/hmac-auth/3.4.x.json +++ b/schemas/hmac-auth/3.4.x.json @@ -2,9 +2,10 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { @@ -17,7 +18,10 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", 
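Review bot: The new `proto` description in the grpc-web `config` record misspells the content type as `application/grpw-web+proto`; the gRPC-Web type is `application/grpc-web+proto`, so the sentence should end `the web client must use application/grpc-web+proto content.` In the same hunk `allow_origin_header` keeps `"default": "*"`, and its new description does not say that this default lets any origin read the response. I would append `Defaults to * (any origin); set a specific origin when the upstream is not meant to be callable from arbitrary sites.` The file is pulled from the API, so both corrections belong in the plugin's schema source.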
@@ -25,76 +29,96 @@ "https", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "hide_credentials": { - "required": true, + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", "type": "boolean", - "default": false + "required": true } }, { "clock_skew": { - "type": "number", + "default": 300, "gt": 0, - "default": 300 + "type": "number", + "description": "Clock skew in seconds to prevent replay attacks." } }, { "anonymous": { - "type": "string" + "type": "string", + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." } }, { "validate_request_body": { - "required": true, + "default": false, + "description": "A boolean value telling the plugin to enable body validation.", "type": "boolean", - "default": false + "required": true } }, { "enforce_headers": { + "default": [ + + ], + "description": "A list of headers that the client should at least use for HTTP signature creation.", "type": "array", "elements": { "type": "string" - }, - "default": [ - - ] + } } }, { "algorithms": { + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "description": "A list of HMAC digest algorithms that the user wants to support. 
Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", "type": "array", "elements": { + "type": "string", "one_of": [ "hmac-sha1", "hmac-sha256", "hmac-sha384", "hmac-sha512" - ], - "type": "string" - }, - "default": [ - "hmac-sha1", - "hmac-sha256", - "hmac-sha384", - "hmac-sha512" - ] + ] + } } } ], - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.algorithms" + ] } } ] diff --git a/schemas/http-log/3.4.x.json b/schemas/http-log/3.4.x.json index b8877735..3601ed06 100644 --- a/schemas/http-log/3.4.x.json +++ b/schemas/http-log/3.4.x.json @@ -2,13 +2,18 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing protocols.", + "type": "set", "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -20,16 +25,20 @@ "udp", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "type": "record", "entity_checks": [ { "custom_entity_check": { @@ -44,16 +53,18 @@ "fields": [ { "http_endpoint": { - "type": "string", "required": true, "encrypted": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string", "referenceable": true } }, { "method": { - "type": "string", "default": "POST", + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", + "type": "string", "one_of": [ "POST", "PUT", 
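Review bot: The description added for `validate_request_body` in the hmac-auth `config` record ("A boolean value telling the plugin to enable body validation.") does not say what is validated, or what the default of `false` leaves unchecked. As far as I know the plugin compares the body with the `Digest` header when this is enabled, so with the default the signature does not cover the body. A wording such as `When true, the request body is checked against the Digest header; when false (default), the body is not integrity-protected.` would make that explicit, to be confirmed against the plugin source. The `algorithms` default in this hunk still lists `hmac-sha1`, and its description could mention that the list can be narrowed to the SHA-2 variants where policy requires it.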
@@ -63,8 +74,9 @@ }, { "content_type": { - "type": "string", "default": "application/json", + "description": "Indicates the type of data sent. The only available option is `application/json`.", + "type": "string", "one_of": [ "application/json", "application/json; charset=utf-8" 
@@ -74,133 +86,160 @@ { "timeout": { "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", "type": "number" } }, { "keepalive": { "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", "type": "number" } }, { "retry_count": { - "type": "integer" + "type": "integer", + "description": "Number of times to retry when sending data to the upstream server." } }, { "queue_size": { - "type": "integer" + "type": "integer", + "description": "Maximum number of log entries to be sent on each message to the upstream server." } }, { "flush_timeout": { - "type": "number" + "type": "number", + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records." } }, { "headers": { "type": "map", + "description": "An optional table of headers included in the HTTP message to the upstream server. 
Values are indexed by header name, and each header name accepts a single string.", + "values": { + "type": "string", + "referenceable": true + }, "keys": { + "description": "A string representing an HTTP header name.", + "type": "string", "match_none": [ { - "err": "cannot contain 'Host' header", - "pattern": "^[Hh][Oo][Ss][Tt]$" + "pattern": "^[Hh][Oo][Ss][Tt]$", + "err": "cannot contain 'Host' header" }, { - "err": "cannot contain 'Content-Length' header", - "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$" + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$", + "err": "cannot contain 'Content-Length' header" }, { - "err": "cannot contain 'Content-Type' header", - "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$" + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$", + "err": "cannot contain 'Content-Type' header" } - ], - "type": "string" - }, - "values": { - "referenceable": true, - "type": "string" + ] } } }, { "queue": { - "required": true, "fields": [ { "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", "between": [ 1, 1000000 - ], - "type": "number", - "default": 1 + ] } }, { "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", "between": [ 0, 3600 - ], - "type": "number", - "default": 1 + ] } }, { "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", "between": [ 1, 1000000 - ], - "type": "number", - "default": 10000 + ] } }, { "max_bytes": { - "type": "number" + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." 
} }, { "max_retry_time": { "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number" } }, { "initial_retry_delay": { "default": 0.01, - "type": "number" + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", + "between": [ + 0.001, + 1000000 + ] } }, { "max_retry_delay": { "default": 60, - "type": "number" + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", + "between": [ + 0.001, + 1000000 + ] } } ], - "type": "record" + "type": "record", + "required": true } }, { "custom_fields_by_lua": { "type": "map", - "keys": { + "description": "Lua code as a key-value map", + "values": { "len_min": 1, "type": "string" }, - "values": { + "keys": { "type": "string", "len_min": 1 } } } ], + "type": "record", "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/ip-restriction/3.4.x.json b/schemas/ip-restriction/3.4.x.json index e1992b07..304b9655 100644 --- a/schemas/ip-restriction/3.4.x.json +++ b/schemas/ip-restriction/3.4.x.json 
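Review bot: In the `headers.keys.match_none` list the Content-Length pattern contains `[nn]` where every other letter has an upper/lower pair, so a key written with an uppercase `N` in "Length" is not rejected by this check. The pattern should be `^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][Nn][Gg][Tt][Hh]$`. The commit only moves this line, and because the file is downloaded from the API the fix has to be made in the plugin schema and pulled again. Separately, the new `custom_fields_by_lua` description (`Lua code as a key-value map`) could state that the values are Lua code run by the plugin, so write access to this field should be treated like code-execution access.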
@@ -2,60 +2,92 @@ "fields": [ { "protocols": { + "required": true, "default": [ - "grpc", - "grpcs", "http", - "https" + "https", + "tcp", + "tls", + "grpc", + "grpcs" ], + "description": "A set of strings representing protocols.", + "type": "set", "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", "http", - "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "allow": { + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", + "type": "array", "elements": { - "type": "string" - }, - "type": "array" + "type": "string", + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + } } }, { "deny": { + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", + "type": "array", "elements": { - "type": "string" - }, - "type": "array" + "type": "string", + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + } } }, { "status": { + "description": "The HTTP status of the requests that will be rejected by the plugin.", "type": "number", "required": false } }, { "message": { + "description": "The message to send as a response body to rejected requests.", "type": "string", "required": false } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } ] } \ No newline at end of file 
diff --git a/schemas/jq/3.4.x.json b/schemas/jq/3.4.x.json index dbbb2971..6fea714f 100644 --- a/schemas/jq/3.4.x.json +++ b/schemas/jq/3.4.x.json @@ -2,41 +2,33 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } } }, { "config": { - "required": true, - "entity_checks": [ - { - "at_least_one_of": [ - "request_jq_program", - "response_jq_program" - ] - } - ], "fields": [ { "request_jq_program": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -45,62 +37,62 @@ ], "required": false, + "type": "record", "fields": [ { "compact_output": { - "required": true, + "default": true, "type": "boolean", - "default": true + "required": true } }, { "raw_output": { - "required": true, + "default": false, "type": "boolean", - "default": false + "required": true } }, { "join_output": { - "required": true, + "default": false, "type": "boolean", - "default": false + "required": true } }, { "ascii_output": { - "required": true, + "default": false, "type": "boolean", - "default": false + "required": true } }, { "sort_keys": { - "required": true, + "default": false, "type": "boolean", - "default": false + "required": true } } - ], - "type": "record" + ] } }, { "request_if_media_type": { - "elements": { - "type": "string" - }, "default": [ "application/json" ], "required": false, - "type": "array" + "type": "array", + "elements": { + "type": "string" + } } }, { "response_jq_program": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { 
@@ -109,77 +101,89 @@ ], "required": false, + "type": "record", "fields": [ { "compact_output": { - "required": true, + "default": true, "type": "boolean", - "default": true + "required": true } }, { "raw_output": { - "required": true, + "default": false, "type": "boolean", - "default": false + "required": true } }, { "join_output": { - "required": true, + "default": false, "type": "boolean", - "default": false + "required": true } }, { "ascii_output": { - "required": true, + "default": false, "type": "boolean", - "default": false + "required": true } }, { "sort_keys": { - "required": true, + "default": false, "type": "boolean", - "default": false + "required": true } } - ], - "type": "record" + ] } }, { "response_if_media_type": { - "elements": { - "type": "string" - }, "default": [ "application/json" ], "required": false, - "type": "array" + "type": "array", + "elements": { + "type": "string" + } } }, { "response_if_status_code": { - "elements": { - "between": [ - 100, - 599 - ], - "type": "integer" - }, "default": [ 200 ], "required": false, - "type": "array" + "type": "array", + "elements": { + "type": "integer", + "between": [ + 100, + 599 + ] + } } } ], - "type": "record" + "required": true, + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "request_jq_program", + "response_jq_program" + ] + } + ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/jwe-decrypt/3.4.x.json b/schemas/jwe-decrypt/3.4.x.json index 7a9eaac7..015ebcbc 100644 --- a/schemas/jwe-decrypt/3.4.x.json +++ b/schemas/jwe-decrypt/3.4.x.json 
@@ -2,53 +2,65 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "lookup_header_name": { - "required": true, "default": "Authorization", - "type": "string" + "description": "The name of the header to look for the JWE token.", + "type": "string", + "required": true } }, { "forward_header_name": { - "required": true, "default": "Authorization", - "type": "string" + "description": "The name of the header that is used to set the decrypted value.", + "type": "string", + "required": true } }, { "key_sets": { "required": true, + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", "type": "array", "elements": { "type": "string" @@ -57,13 +69,18 @@ }, { "strict": { - "type": "boolean", - "default": true + "default": true, + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", + "type": "boolean" } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
diff --git a/schemas/jwt-signer/3.4.x.json b/schemas/jwt-signer/3.4.x.json index 7e889bba..236e8b4e 100644 --- a/schemas/jwt-signer/3.4.x.json +++ b/schemas/jwt-signer/3.4.x.json @@ -2,38 +2,50 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { "required": true, + "type": "record", "fields": [ { "realm": { + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", "type": "string", "required": false } 
@@ -41,33 +53,38 @@ { "enable_hs_signatures": { "default": false, - "required": false, - "type": "boolean" + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting.", + "type": "boolean", + "required": false } }, { "enable_instrumentation": { "default": false, - "required": false, - "type": "boolean" + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", + "type": "boolean", + "required": false } }, { "access_token_issuer": { "default": "kong", - "required": false, - "type": "string" + "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", + "type": "string", + "required": false } }, { "access_token_keyset": { "default": "kong", - "required": false, - "type": "string" + "description": "The name of the keyset containing signing keys.", + "type": "string", + "required": false } }, { "access_token_jwks_uri": { + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", "type": "string", "required": false } 
@@ -75,20 +92,23 @@ { "access_token_request_header": { "default": "Authorization", - "required": false, - "type": "string" + "description": "This parameter tells the name of the header where to look for the access token.", + "type": "string", + "required": false } }, { "access_token_leeway": { "default": 0, - "required": false, - "type": "number" + "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", + "type": "number", + "required": false } }, { "access_token_scopes_required": { "required": false, + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", "type": "array", "elements": { "type": "string" @@ -97,19 +117,21 @@ }, { "access_token_scopes_claim": { - "elements": { - "type": "string" - }, + "required": false, "default": [ "scope" ], + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", "type": "array", - "required": false + "elements": { + "type": "string" + } } }, { "access_token_consumer_claim": { "required": false, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", "type": "array", "elements": { "type": "string" 
@@ -118,50 +140,56 @@ }, { "access_token_consumer_by": { - "elements": { - "one_of": [ - "id", - "username", - "custom_id" - ], - "type": "string" - }, + "required": false, "default": [ "username", "custom_id" ], + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", "type": "array", - "required": false + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + } } }, { "access_token_upstream_header": { "default": "Authorization:Bearer", - "required": false, - "type": "string" + "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", + "type": "string", + "required": false } }, { "access_token_upstream_leeway": { "default": 0, - "required": false, - "type": "number" + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", + "type": "number", + "required": false } }, { "access_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", "type": "string", "required": false } }, { "access_token_introspection_authorization": { + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the 
`Authorization` header's value with this configuration parameter.", "type": "string", "required": false } }, { "access_token_introspection_body_args": { + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", "type": "string", "required": false } @@ -169,13 +197,15 @@ { "access_token_introspection_hint": { "default": "access_token", - "required": false, - "type": "string" + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", + "type": "string", + "required": false } }, { "access_token_introspection_jwt_claim": { "required": false, + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", "type": "array", "elements": { "type": "string" @@ -185,6 +215,7 @@ { "access_token_introspection_scopes_required": { "required": false, + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", "type": "array", "elements": { "type": "string" 
@@ -193,19 +224,21 @@ }, { "access_token_introspection_scopes_claim": { - "elements": { - "type": "string" - }, + "required": true, "default": [ "scope" ], + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", "type": "array", - "required": true + "elements": { + "type": "string" + } } }, { "access_token_introspection_consumer_claim": { "required": false, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", "type": "array", "elements": { "type": "string" 
@@ -214,37 +247,43 @@ }, { "access_token_introspection_consumer_by": { - "elements": { - "one_of": [ - "id", - "username", - "custom_id" - ], - "type": "string" - }, + "required": false, "default": [ "username", "custom_id" ], + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.", "type": "array", - "required": false + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + } } }, { "access_token_introspection_leeway": { "default": 0, - "required": false, - "type": "number" + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", + "type": "number", + "required": false } }, { "access_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", "type": "number", "required": false } }, { "access_token_signing_algorithm": { + "required": true, + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. 
The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", "type": "string", "one_of": [ "HS256", 
@@ -259,96 +298,107 @@ "PS384", "PS512", "EdDSA" - ], - "default": "RS256", - "required": true + ] } }, { "access_token_optional": { "default": false, - "required": false, - "type": "boolean" + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect", + "type": "boolean", + "required": false } }, { "verify_access_token_signature": { "default": true, - "required": false, - "type": "boolean" + "description": "Quickly turn access token signature verification off and on as needed.", + "type": "boolean", + "required": false } }, { "verify_access_token_expiry": { "default": true, - "required": false, - "type": "boolean" + "description": "Quickly turn access token expiry verification off and on as needed.", + "type": "boolean", + "required": false } }, { "verify_access_token_scopes": { "default": true, - "required": false, - "type": "boolean" + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", + "type": "boolean", + "required": false } }, { "verify_access_token_introspection_expiry": { "default": true, - "required": false, - "type": "boolean" + "description": "Quickly turn access token introspection expiry verification off and on as needed.", + "type": "boolean", + "required": false } }, { "verify_access_token_introspection_scopes": { "default": true, - "required": false, - "type": "boolean" + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", + "type": "boolean", + "required": false } }, { 
"cache_access_token_introspection": { "default": true, - "required": false, - "type": "boolean" + "description": "Whether to cache access token introspection results.", + "type": "boolean", + "required": false } }, { "trust_access_token_introspection": { "default": true, - "required": false, - "type": "boolean" + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", + "type": "boolean", + "required": false } }, { "enable_access_token_introspection": { "default": true, - "required": false, - "type": "boolean" + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", + "type": "boolean", + "required": false } }, { "channel_token_issuer": { "default": "kong", - "required": false, - "type": "string" + "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", + "type": "string", + "required": false } }, { "channel_token_keyset": { "default": "kong", - "required": false, - "type": "string" + "description": "The name of the keyset containing signing keys.", + "type": "string", + "required": false } }, { "channel_token_jwks_uri": { + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", "type": "string", "required": false } }, { "channel_token_request_header": { + "description": "This parameter tells the name of the header where to look for the channel token. 
If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", "type": "string", "required": false } @@ -356,13 +406,15 @@ { "channel_token_leeway": { "default": 0, - "required": false, - "type": "number" + "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", + "type": "number", + "required": false } }, { "channel_token_scopes_required": { "required": false, + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", "type": "array", "elements": { "type": "string" @@ -371,19 +423,21 @@ }, { "channel_token_scopes_claim": { - "elements": { - "type": "string" - }, + "required": false, "default": [ "scope" ], + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", "type": "array", - "required": false + "elements": { + "type": "string" + } } }, { "channel_token_consumer_claim": { "required": false, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", "type": "array", "elements": { "type": "string" 
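Review bot: `trust_access_token_introspection` in the `@@ -259,96 +298,107 @@` hunk is described as skipping expiry and scope checks when `true`, and the schema ships it with `"default": true`. The description does not say that this is the default, or how it relates to `verify_access_token_expiry` and `verify_access_token_scopes` in the same hunk. From the schema alone it looks as if those `verify_*` flags have no effect on introspected tokens unless trust is turned off. If that is right, the description should say so, e.g. `Defaults to true: for introspected tokens the expiry and scope checks are skipped even when the verify_access_token_* options are enabled.` This is a documentation point for the upstream schema; the enclosing `fields` array starts and ends outside the hunk.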
@@ -392,23 +446,25 @@ }, { "channel_token_consumer_by": { + "default": [ + "username", + "custom_id" + ], + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", "type": "array", "elements": { + "type": "string", "one_of": [ "id", "username", "custom_id" - ], - "type": "string" - }, - "default": [ - "username", - "custom_id" - ] + ] + } } }, { "channel_token_upstream_header": { + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", "type": "string", "required": false } @@ -416,12 +472,14 @@ { "channel_token_upstream_leeway": { "default": 0, - "required": false, - "type": "number" + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", + "type": "number", + "required": false } }, { "channel_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", "type": "string", "required": false } @@ -429,6 +487,7 @@ { "channel_token_introspection_authorization": { "required": false, + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", "type": "string", "elements": { "type": "string" 
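Review bot: Several of the added `channel_token_*` descriptions are copied from a sibling field and describe the wrong setting, starting with `channel_token_upstream_header` in the `@@ -416,12 +472,14 @@` hunk, whose text explains the removal of the request header rather than what the upstream header is for. In the same hunk `channel_token_introspection_endpoint` speaks of access tokens, in `@@ -429,6 +487,7 @@` `channel_token_introspection_authorization` repeats the endpoint-URI text, and in `@@ -494,37 +559,43 @@` `channel_token_introspection_timeout` points at `config.access_token_introspection_timeout`. The authorization one matters most: judging by its name it holds the credential sent to the introspection endpoint, and an operator following the text would put a URI there. Something like `"description": "Value of the Authorization header sent to the channel token introspection endpoint, if that endpoint requires client authentication."` would fit, to be confirmed against the plugin. Since these files are pulled from the API, the wording has to be corrected in the upstream schema and re-downloaded.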
@@ -438,6 +497,7 @@ { "channel_token_introspection_body_args": { "required": false, + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", "type": "string", "elements": { "type": "string" @@ -447,6 +507,7 @@ { "channel_token_introspection_hint": { "required": false, + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", "type": "string", "elements": { "type": "string" @@ -456,6 +517,7 @@ { "channel_token_introspection_jwt_claim": { "required": false, + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", "type": "array", "elements": { "type": "string" @@ -465,6 +527,7 @@ { "channel_token_introspection_scopes_required": { "required": false, + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", "type": "array", "elements": { "type": "string" 
@@ -473,19 +536,21 @@ }, { "channel_token_introspection_scopes_claim": { - "elements": { - "type": "string" - }, + "required": false, "default": [ "scope" ], + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", "type": "array", - "required": false + "elements": { + "type": "string" + } } }, { "channel_token_introspection_consumer_claim": { "required": false, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", "type": "array", "elements": { "type": "string" 
@@ -494,37 +559,43 @@ }, { "channel_token_introspection_consumer_by": { - "elements": { - "one_of": [ - "id", - "username", - "custom_id" - ], - "type": "string" - }, + "required": false, "default": [ "username", "custom_id" ], + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", "type": "array", - "required": false + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + } } }, { "channel_token_introspection_leeway": { "default": 0, - "required": false, - "type": "number" + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", + "type": "number", + "required": false } }, { "channel_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", "type": "number", "required": false } }, { "channel_token_signing_algorithm": { + "required": true, + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", "type": "string", "one_of": [ "HS256", 
@@ -539,72 +610,78 @@ "PS384", "PS512", "EdDSA" - ], - "default": "RS256", - "required": true + ] } }, { "channel_token_optional": { "default": false, - "required": false, - "type": "boolean" + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", + "type": "boolean", + "required": false } }, { "verify_channel_token_signature": { "default": true, - "required": false, - "type": "boolean" + "description": "Quickly turn on/off the channel token signature verification.", + "type": "boolean", + "required": false } }, { "verify_channel_token_expiry": { "default": true, - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "verify_channel_token_scopes": { "default": true, - "required": false, - "type": "boolean" + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", + "type": "boolean", + "required": false } }, { "verify_channel_token_introspection_expiry": { "default": true, - "required": false, - "type": "boolean" + "description": "Quickly turn on/off the channel token introspection expiry verification.", + "type": "boolean", + "required": false } }, { "verify_channel_token_introspection_scopes": { "default": true, - "required": false, - "type": "boolean" + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", + "type": "boolean", + "required": false } }, { "cache_channel_token_introspection": { "default": true, - "required": false, - "type": 
"boolean" + "description": "Whether to cache channel token introspection results.", + "type": "boolean", + "required": false } }, { "trust_channel_token_introspection": { "default": true, - "required": false, - "type": "boolean" + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", + "type": "boolean", + "required": false } }, { "enable_channel_token_introspection": { "default": true, - "required": false, - "type": "boolean" + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", + "type": "boolean", + "required": false } }, { @@ -612,14 +689,15 @@ "values": { "type": "string" }, + "required": false, "default": [ ], + "description": "Add customized claims if they are not present yet.", + "type": "map", "keys": { "type": "string" - }, - "required": false, - "type": "map" + } } }, { @@ -627,19 +705,22 @@ "values": { "type": "string" }, + "required": false, "default": [ ], + "description": "Set customized claims. If a claim is already present, it will be overwritten.", + "type": "map", "keys": { "type": "string" - }, - "required": false, - "type": "map" + } } } - ], - "type": "record" + ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/jwt/3.4.x.json b/schemas/jwt/3.4.x.json index 63d063a7..e43e6aff 100644 --- a/schemas/jwt/3.4.x.json +++ b/schemas/jwt/3.4.x.json 
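Review bot: `verify_channel_token_expiry` is the only field in the `@@ -539,72 +610,78 @@` hunk that is reordered without gaining a description, although it switches off a security check. Following the wording of its neighbours, add `"description": "Quickly turn on/off the channel token expiry verification."`. The `trust_channel_token_introspection` text in the same hunk states only in its last sentence that the default `true` leaves the payload's expiry and scopes unchecked; moving that to the first sentence would make the consequence of the default harder to miss.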
@@ -2,118 +2,151 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "uri_param_names": { + "default": [ + "jwt" + ], + "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", "type": "set", "elements": { "type": "string" - }, - "default": [ - "jwt" - ] + } } }, { "cookie_names": { + "default": [ + + ], + "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", "type": "set", "elements": { "type": "string" - }, - "default": [ - - ] + } } }, { "key_claim_name": { "default": "iss", + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", "type": "string" } }, { "secret_is_base64": { "default": false, - "required": true, - "type": "boolean" + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", + "type": "boolean", + "required": true } }, { "claims_to_verify": { + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. 
Accepted values: one of exp or nbf.", + "type": "set", "elements": { + "type": "string", "one_of": [ "exp", "nbf" - ], - "type": "string" - }, - "type": "set" + ] + } } }, { "anonymous": { - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." } }, { "run_on_preflight": { "default": true, - "required": true, - "type": "boolean" + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", + "type": "boolean", + "required": true } }, { "maximum_expiration": { + "default": 0, + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", + "type": "number", "between": [ 0, 31536000 - ], - "type": "number", - "default": 0 + ] } }, { "header_names": { + "default": [ + "authorization" + ], + "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", "type": "set", "elements": { "type": "string" - }, - "default": [ - "authorization" - ] + } } } ], - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "config.maximum_expiration", + "then_field": "config.claims_to_verify", + "if_match": { + "gt": 0 + }, + "then_match": { + "contains": "exp" + } } } ] diff --git a/schemas/kafka-log/3.4.x.json b/schemas/kafka-log/3.4.x.json index 2b8e5c19..c2881818 100644 --- a/schemas/kafka-log/3.4.x.json +++ b/schemas/kafka-log/3.4.x.json @@ -10,7 +10,10 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", 
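Review bot: The new `maximum_expiration` description does not mention the rule that the `entity_checks` block added at the end of this hunk enforces: when the value is greater than 0, `claims_to_verify` must contain `exp`. An operator reading only the field text would not learn why a configuration with a limit but without `exp` is rejected, and the text also leaves open what the default `0` means (presumably no lifetime limit). Suggest appending `Requires exp in claims_to_verify when set above 0.` to the description. Since `claims_to_verify` has no default in this schema, its description could also say that neither `exp` nor `nbf` is checked unless listed; that reading is inferred from the schema and should be confirmed against the plugin.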
@@ -18,32 +21,31 @@ "https", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "authentication" - ] - } - } - ], "fields": [ { "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set", "elements": { + "type": "record", "fields": [ { "host": { + "description": "A string representing a host name, such as example.com.", "type": "string", "required": true } 
@@ -54,121 +56,131 @@ 0, 65535 ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", "required": true } } - ], - "type": "record" - }, - "type": "set" + ] + } } }, { "topic": { - "required": true, - "type": "string" + "description": "The Kafka topic to publish to.", + "type": "string", + "required": true } }, { "timeout": { "default": 10000, + "description": "Socket timeout in milliseconds.", "type": "integer" } }, { "keepalive": { - "default": 60000, - "type": "integer" + "type": "integer", + "default": 60000 } }, { "keepalive_enabled": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "authentication": { - "required": true, "fields": [ { "strategy": { - "required": false, "type": "string", + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "one_of": [ "sasl" - ] + ], + "required": false } }, { "mechanism": { - "required": false, "type": "string", + "description": "The SASL authentication mechanism. 
Supported options: `PLAIN` or `SCRAM-SHA-256`.", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" - ] + ], + "required": false } }, { "tokenauth": { - "required": false, - "type": "boolean" + "description": "Enable this to indicate `DelegationToken` authentication", + "type": "boolean", + "required": false } }, { "user": { - "type": "string", "encrypted": true, - "referenceable": true, - "required": false + "required": false, + "description": "Username for SASL authentication.", + "type": "string", + "referenceable": true } }, { "password": { - "type": "string", "encrypted": true, - "referenceable": true, - "required": false + "required": false, + "description": "Password for SASL authentication.", + "type": "string", + "referenceable": true } } ], - "type": "record" + "type": "record", + "required": true } }, { "security": { - "required": true, "fields": [ { "certificate_id": { "uuid": true, + "description": "UUID of certificate entity for mTLS authentication.", "type": "string", "required": false } }, { "ssl": { - "required": false, - "type": "boolean" + "description": "Enables TLS.", + "type": "boolean", + "required": false } } ], - "type": "record" + "type": "record", + "required": true } }, { "cluster_name": { - "required": false, "auto": true, - "type": "string" + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "type": "string", + "required": false } }, { "producer_request_acks": { "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "type": "integer", "one_of": [ -1, @@ -180,54 +192,89 @@ { "producer_request_timeout": { "default": 2000, + "description": "Time to wait for a Produce response in milliseconds", "type": "integer" } }, { "producer_request_limits_messages_per_request": { "default": 200, + "description": "Maximum number of messages to include into a single Produce request.", "type": "integer" } }, { "producer_request_limits_bytes_per_request": { "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", "type": "integer" } }, { "producer_request_retries_max_attempts": { "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", "type": "integer" } }, { "producer_request_retries_backoff_timeout": { "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", "type": "integer" } }, { "producer_async": { "default": true, + "description": "Flag to enable asynchronous mode.", "type": "boolean" } }, { "producer_async_flush_timeout": { "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", "type": "integer" } }, { "producer_async_buffering_limits_messages_in_memory": { "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", "type": "integer" } + }, + { + "custom_fields_by_lua": { + "type": "map", + "description": "Lua code as a key-value map", + "values": { + "len_min": 1, + "type": "string" + }, + "keys": { + "type": "string", + "len_min": 1 + } + } } ], - "type": "record" + "required": true, + "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "authentication" + ] + } + } + ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
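Review bot: The `mechanism` description added in the `@@ -54,121 +56,131 @@` hunk names only `PLAIN` and `SCRAM-SHA-256`, while the `one_of` directly below it also accepts `SCRAM-SHA-512`. The kafka-upstream schema in this same commit carries the complete list, so the sentence here should read `Supported options: PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512.` with the same backtick markup as the other file. As written, a reader of the rendered docs would not learn that the stronger SCRAM variant is available for this plugin.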
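Review bot: The description of the new `custom_fields_by_lua` field in the `@@ -180,54 +192,89 @@` hunk, `Lua code as a key-value map`, does not say which side of the map is code or when it runs. The schema itself only shows a string-to-string map with `len_min` 1; if, as in Kong's other logging plugins, each value is a Lua chunk evaluated per log entry to set the field named by the key, the text should say so, for example `"description": "Map of log field names to Lua code; the value returned by the code sets or replaces that field."`. Because the field lets whoever can edit the plugin configuration run code inside the gateway, the description or the plugin page should also point to the gateway's Lua sandbox setting that governs it.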
diff --git a/schemas/kafka-upstream/3.4.x.json b/schemas/kafka-upstream/3.4.x.json index e06ee2d2..05c37a84 100644 --- a/schemas/kafka-upstream/3.4.x.json +++ b/schemas/kafka-upstream/3.4.x.json @@ -2,54 +2,47 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "forward_method", - "forward_uri", - "forward_headers", - "forward_body" - ] - } - }, - { - "custom_entity_check": { - "field_sources": [ - "authentication" - ] - } - } - ], "fields": [ { "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set", "elements": { + "type": "record", "fields": [ { "host": { + "description": "A string representing a host name, such as example.com.", "type": "string", "required": true } 
@@ -60,145 +53,160 @@ 0, 65535 ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", "required": true } } - ], - "type": "record" - }, - "type": "set" + ] + } } }, { "topic": { + "description": "The Kafka topic to publish to.", "type": "string", "required": true } }, { "timeout": { - "type": "integer", - "default": 10000 + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" } }, { "keepalive": { - "type": "integer", - "default": 60000 + "default": 60000, + "description": "Keepalive timeout in milliseconds.", + "type": "integer" } }, { "keepalive_enabled": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "authentication": { - "required": true, "fields": [ { "strategy": { - "required": false, "type": "string", + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "one_of": [ "sasl" - ] + ], + "required": false } }, { "mechanism": { - "required": false, "type": "string", + "description": "The SASL authentication mechanism. 
Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" - ] + ], + "required": false } }, { "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication.", "type": "boolean", "required": false } }, { "user": { + "encrypted": true, "referenceable": true, + "description": "Username for SASL authentication.", "type": "string", - "encrypted": true, "required": false } }, { "password": { + "encrypted": true, "referenceable": true, + "description": "Password for SASL authentication.", "type": "string", - "encrypted": true, "required": false } } ], - "type": "record" + "type": "record", + "required": true } }, { "security": { - "required": true, "fields": [ { "certificate_id": { "uuid": true, + "description": "UUID of certificate entity for mTLS authentication.", "type": "string", "required": false } }, { "ssl": { + "description": "Enables TLS.", "type": "boolean", "required": false } } ], - "type": "record" + "type": "record", + "required": true } }, { "forward_method": { - "type": "boolean", - "default": false + "default": false, + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" } }, { "forward_uri": { - "type": "boolean", - "default": false + "default": false, + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" } }, { "forward_headers": { - "type": "boolean", - "default": false + "default": false, + "description": "Include the request headers in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" } }, { "forward_body": { - "type": "boolean", - "default": true + "default": true, + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" } }, { "cluster_name": { - "required": false, + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", "auto": true, - "type": "string" + "type": "string", + "required": false } }, { "producer_request_acks": { "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "type": "integer", "one_of": [ -1, 
@@ -209,55 +217,86 @@ }, { "producer_request_timeout": { - "type": "integer", - "default": 2000 + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer" } }, { "producer_request_limits_messages_per_request": { - "type": "integer", - "default": 200 + "default": 200, + "description": "Maximum number of messages to include into a single producer request.", + "type": "integer" } }, { "producer_request_limits_bytes_per_request": { - "type": "integer", - "default": 1048576 + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" } }, { "producer_request_retries_max_attempts": { - "type": "integer", - "default": 10 + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" } }, { "producer_request_retries_backoff_timeout": { - "type": "integer", - "default": 100 + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" } }, { "producer_async": { - "type": "boolean", - "default": true + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" } }, { "producer_async_flush_timeout": { - "type": "integer", - "default": 1000 + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" } }, { "producer_async_buffering_limits_messages_in_memory": { - "type": "integer", - "default": 50000 + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" } } ], - "type": "record" + "required": true, + "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "forward_method", + "forward_uri", + "forward_headers", + "forward_body" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "authentication" + ] + } + } + ] } } + ], + 
"entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/key-auth-enc/3.4.x.json b/schemas/key-auth-enc/3.4.x.json index 4c92373b..8eab531c 100644 --- a/schemas/key-auth-enc/3.4.x.json +++ b/schemas/key-auth-enc/3.4.x.json @@ -2,9 +2,10 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { @@ -17,7 +18,10 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -25,67 +29,83 @@ "https", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "key_names": { - "elements": { - "type": "string" - }, + "required": true, "default": [ "apikey" ], - "required": true, - "type": "array" + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "type": "array", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + } } }, { "hide_credentials": { "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", "type": "boolean" } }, { "anonymous": { - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." 
} }, { "key_in_header": { "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", "type": "boolean" } }, { "key_in_query": { "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", "type": "boolean" } }, { "key_in_body": { "default": false, + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", "type": "boolean" } }, { "run_on_preflight": { "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", "type": "boolean" } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/key-auth/3.4.x.json b/schemas/key-auth/3.4.x.json index 4c8e5f56..414337ee 100644 --- a/schemas/key-auth/3.4.x.json +++ b/schemas/key-auth/3.4.x.json @@ -2,9 +2,10 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { @@ -17,7 +18,10 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -25,72 +29,88 @@ "https", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "key_names": { - "elements": { - "type": "string" - }, + "required": true, "default": [ "apikey" ], - "required": true, - "type": "array" + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "type": "array", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + } } }, { "hide_credentials": { - "type": "boolean", "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", + "type": "boolean", "required": true } }, { "anonymous": { - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`." } }, { "key_in_header": { - "type": "boolean", "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean", "required": true } }, { "key_in_query": { - "type": "boolean", "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean", "required": true } }, { "key_in_body": { - "type": "boolean", "default": false, + "description": "If enabled, the plugin reads the request body. 
Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean", "required": true } }, { "run_on_preflight": { - "type": "boolean", "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean", "required": true } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/konnect-application-auth/3.4.x.json b/schemas/konnect-application-auth/3.4.x.json index b02fdd98..b6e79044 100644 --- a/schemas/konnect-application-auth/3.4.x.json +++ b/schemas/konnect-application-auth/3.4.x.json 
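Review bot: The description added for `key_in_query` does not say that, with `"default": true`, the plugin accepts the API key from the URL, where it is commonly recorded in access logs and by intermediaries. A closing sentence such as `Keys sent in the query string can end up in logs; prefer the header and disable this where clients allow.` would give operators that caveat. The preceding hunk uses the same `key_in_query` wording. The shortened `hide_credentials` text here also drops the list of places the credential is stripped from (header, query string, request body), which the preceding hunk's version of the field keeps. That matters because `hide_credentials` stays `"default": false`.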
@@ -2,79 +2,97 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "route": { - "eq": null, "reference": "routes", - "type": "foreign" + "description": "A reference to the 'routes' table with a null value allowed.", + "type": "foreign", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, - "entity_checks": [ - - ], "fields": [ { "key_names": { - "elements": { - "type": "string" - }, + "required": true, "default": [ "apikey" ], - "required": true, - "type": "array" + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "type": "array", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + } } }, { "auth_type": { + "required": true, "default": "openid-connect", + "description": "The type of authentication to be performed. 
Possible values are: 'openid-connect', 'key-auth'.", + "type": "string", "one_of": [ "openid-connect", "key-auth" - ], - "type": "string", - "required": true + ] } }, { "scope": { - "required": true, "unique": true, - "type": "string" + "description": "The unique scope identifier for the plugin configuration.", + "type": "string", + "required": true } } ], - "type": "record" + "required": true, + "type": "record", + "entity_checks": [ + + ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/ldap-auth-advanced/3.4.x.json b/schemas/ldap-auth-advanced/3.4.x.json index cb36db07..4b3320dc 100644 --- a/schemas/ldap-auth-advanced/3.4.x.json +++ b/schemas/ldap-auth-advanced/3.4.x.json @@ -10,7 +10,10 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,26 +21,32 @@ "https", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "ldap_host": { + "description": "Host on which the LDAP server is running.", "type": "string", "required": true } 
@@ -45,18 +54,21 @@ { "ldap_password": { "encrypted": true, - "referenceable": true, - "type": "string" + "description": "The password to the LDAP server.", + "type": "string", + "referenceable": true } }, { "ldap_port": { - "type": "number", - "default": 389 + "default": 389, + "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", + "type": "number" } }, { "bind_dn": { + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", "type": "string", "referenceable": true } 
@@ -64,32 +76,37 @@ { "ldaps": { "default": false, - "required": true, - "type": "boolean" + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "type": "boolean", + "required": true } }, { "start_tls": { "default": false, - "required": true, - "type": "boolean" + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "type": "boolean", + "required": true } }, { "verify_ldap_host": { "default": false, - "required": true, - "type": "boolean" + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "type": "boolean", + "required": true } }, { "base_dn": { + "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", "type": "string", "required": true } }, { "attribute": { + "description": "Attribute to be used to search the user; e.g., \"cn\".", "type": "string", "required": true } 
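Review bot: The new `ldaps` description contains the sentence "If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled", which names a setting, `ldap`, that this schema does not define; it presumably means `ldaps`. The same sentence appears in the `ldaps` description of schemas/ldap-auth/3.4.x.json (the `@@ -25,122 +29,143 @@` hunk). Separately, `verify_ldap_host` keeps `"default": false` and its description only says what `true` does. Appending `When false, the LDAP server certificate is not verified, so ldaps or start_tls alone do not authenticate the server.` would make the consequence of the default explicit, assuming that is what the unset case does.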
@@ -97,99 +114,122 @@ { "cache_ttl": { "default": 60, - "required": true, - "type": "number" + "description": "Cache expiry time in seconds.", + "type": "number", + "required": true } }, { "hide_credentials": { - "type": "boolean", - "default": false + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "type": "boolean" } }, { "timeout": { - "type": "number", - "default": 10000 + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" } }, { "keepalive": { - "type": "number", - "default": 60000 + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" } }, { "anonymous": { - "len_min": 0, + "default": "", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "type": "string", - "default": "" + "len_min": 0 } }, { "header_type": { - "type": "string", - "default": "ldap" + "default": "ldap", + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", + "type": "string" } }, { "consumer_optional": { "default": false, - "required": false, - "type": "boolean" + "description": "Whether consumer mapping is optional. 
If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", + "type": "boolean", + "required": false } }, { "consumer_by": { - "elements": { - "one_of": [ - "username", - "custom_id" - ], - "type": "string" - }, + "required": false, "default": [ "username", "custom_id" ], + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", "type": "array", - "required": false + "elements": { + "type": "string", + "one_of": [ + "username", + "custom_id" + ] + } } }, { "group_base_dn": { - "type": "string" + "type": "string", + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'." } }, { "group_name_attribute": { - "type": "string" + "type": "string", + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive." } }, { "group_member_attribute": { - "type": "string", - "default": "memberOf" + "default": "memberOf", + "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive.", + "type": "string" } }, { "log_search_results": { "default": false, - "required": false, - "type": "boolean" + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", + "type": "boolean", + "required": false } }, { "groups_required": { - "type": "array", "required": false, + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. 
- When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", + "type": "array", "elements": { "type": "string" } } } ], - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/ldap-auth/3.4.x.json b/schemas/ldap-auth/3.4.x.json index 41b527b8..b3184e9b 100644 --- a/schemas/ldap-auth/3.4.x.json +++ b/schemas/ldap-auth/3.4.x.json @@ -2,9 +2,10 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { @@ -17,7 +18,10 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", 
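Review bot: The `group_base_dn` description ends in a stray fragment, `This field is case-insensitive.',dc=com'.`, which looks like the tail of a truncated example DN. Either restore the full example or end the text at `case-insensitive.`. In the same hunk, the `groups_required` description has its two bullets flattened into running text (`... **AND** / **OR** cases. - When ...`), which makes the AND/OR rule of an authorization setting hard to read. The `anonymous` description also says `default null` while the field now declares `"default": ""`.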
@@ -25,122 +29,143 @@ "https", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, - "entity_checks": [ - { - "conditional": { - "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", - "if_match": { - "eq": true - }, - "then_field": "start_tls", - "if_field": "ldaps", - "then_match": { - "eq": false - } - } - } - ], "fields": [ { "ldap_host": { + "description": "A string representing a host name, such as example.com.", "type": "string", "required": true } }, { "ldap_port": { + "required": true, + "default": 389, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", "between": [ 0, 65535 - ], - "required": true, - "default": 389 + ] } }, { "ldaps": { "default": false, - "required": true, - "type": "boolean" + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "type": "boolean", + "required": true } }, { "start_tls": { "default": false, - "required": true, - "type": "boolean" + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "type": "boolean", + "required": true } }, { "verify_ldap_host": { "default": false, - "required": true, - "type": "boolean" + "description": "Set to `true` to authenticate LDAP server. 
The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "type": "boolean", + "required": true } }, { "base_dn": { - "required": true, - "type": "string" + "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", + "type": "string", + "required": true } }, { "attribute": { - "required": true, - "type": "string" + "description": "Attribute to be used to search the user; e.g. cn", + "type": "string", + "required": true } }, { "cache_ttl": { "default": 60, - "required": true, - "type": "number" + "description": "Cache expiry time in seconds.", + "type": "number", + "required": true } }, { "hide_credentials": { "default": false, - "required": true, - "type": "boolean" + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "type": "boolean", + "required": true } }, { "timeout": { "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", "type": "number" } }, { "keepalive": { "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", "type": "number" } }, { "anonymous": { - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`." 
} }, { "header_type": { "default": "ldap", + "description": "An optional string to use as part of the Authorization header", "type": "string" } } ], - "type": "record" + "required": true, + "type": "record", + "entity_checks": [ + { + "conditional": { + "then_field": "start_tls", + "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", + "then_match": { + "eq": false + }, + "if_match": { + "eq": true + }, + "if_field": "ldaps" + } + } + ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/loggly/3.4.x.json b/schemas/loggly/3.4.x.json index ed600985..e5464f58 100644 --- a/schemas/loggly/3.4.x.json +++ b/schemas/loggly/3.4.x.json @@ -2,13 +2,18 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing protocols.", + "type": "set", "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,47 +25,53 @@ "udp", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "host": { - "type": "string", - "default": "logs-01.loggly.com" + "default": "logs-01.loggly.com", + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 514, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "default": 514 + ] } }, { "key": { - "type": "string", "required": true, "encrypted": true, + "type": "string", "referenceable": true } }, { "tags": { - "type": "set", "default": [ "kong" ], + "type": "set", "elements": { "type": "string" } @@ -68,8 +79,8 @@ }, { "log_level": { - "type": "string", "default": "info", + "type": "string", "one_of": [ "debug", "info", @@ -84,8 +95,8 @@ }, { "successful_severity": { - "type": "string", "default": "info", + "type": "string", "one_of": [ "debug", "info", @@ -100,8 +111,8 @@ }, { "client_errors_severity": { - "type": "string", "default": "info", + "type": "string", "one_of": [ "debug", "info", @@ -116,8 +127,8 @@ }, { "server_errors_severity": { - "type": "string", "default": "info", + "type": "string", "one_of": [ "debug", "info", @@ -139,19 +150,24 @@ { "custom_fields_by_lua": { "type": "map", - "keys": { + "description": "Lua code as a key-value map", + "values": { "len_min": 1, "type": "string" }, - "values": { + "keys": { "type": "string", "len_min": 1 } } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/mocking/3.4.x.json b/schemas/mocking/3.4.x.json index 6c2bfd09..dd30d26e 100644 
--- a/schemas/mocking/3.4.x.json +++ b/schemas/mocking/3.4.x.json 
@@ -2,83 +2,108 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "api_specification_filename": { + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", "type": "string", "required": false } }, { "api_specification": { - "required": false, - "type": "string" + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", + "type": "string", + "required": false } }, { "random_delay": { - "type": "boolean", - "default": false + "default": false, + "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs.", + "type": "boolean" } }, { "max_delay_time": { - "type": "number", - "default": 1 + "default": 1, + "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", + "type": "number" } }, { "min_delay_time": { - "type": "number", - "default": 0.001 + "default": 0.001, + "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. 
The value must be less than the `max_delay_time`.", + "type": "number" } }, { "random_examples": { - "type": "boolean", - "default": false + "default": false, + "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", + "type": "boolean" } }, { "included_status_codes": { + "description": "A global list of the HTTP status codes that can only be selected and returned.", + "type": "array", "elements": { "type": "integer" - }, - "type": "array" + } } }, { "random_status_code": { - "required": true, "default": false, - "type": "boolean" + "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", + "type": "boolean", + "required": true } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.api_specification_filename", + "config.api_specification" + ] + } ] } \ No newline at end of file diff --git a/schemas/mtls-auth/3.4.x.json b/schemas/mtls-auth/3.4.x.json index 369d2ebd..00e188b2 100644 --- a/schemas/mtls-auth/3.4.x.json +++ b/schemas/mtls-auth/3.4.x.json 
@@ -2,75 +2,73 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, - "entity_checks": [ - { - "mutually_required": [ - "http_proxy_host", - "http_proxy_port" - ] - }, - { - "mutually_required": [ - "https_proxy_host", - "https_proxy_port" - ] - } - ], "fields": [ { "anonymous": { - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { "consumer_by": { - "elements": { - "one_of": [ - "username", - "custom_id" - ], - "type": "string" - }, + "required": false, "default": [ "username", "custom_id" ], - "required": false, - "type": "array" + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. 
If set to `[]` (the empty array), then auto-matching is disabled.", + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "username", + "custom_id" + ] + } } }, { "ca_certificates": { "required": true, + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", "type": "array", "elements": { "uuid": true, 
@@ -80,69 +78,78 @@ }, { "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", "type": "number", - "required": true, - "default": 60 + "required": true } }, { "skip_consumer_lookup": { + "default": false, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", "type": "boolean", - "required": true, - "default": false + "required": true } }, { "allow_partial_chain": { + "default": false, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", "type": "boolean", - "required": true, - "default": false + "required": true } }, { "authenticated_group_by": { + "required": false, "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "type": "string", "one_of": [ "CN", "DN" - ], - "type": "string", - "required": false + ] } }, { "revocation_check_mode": { + "required": false, "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. 
If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "type": "string", "one_of": [ "SKIP", "IGNORE_CA_ERROR", "STRICT" - ], - "type": "string", - "required": false + ] } }, { "http_timeout": { "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", "type": "number" } }, { "cert_cache_ttl": { "default": 60000, + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", "type": "number" } }, { "send_ca_dn": { "default": false, + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", "type": "boolean" } }, { "http_proxy_host": { - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { @@ -151,12 +158,14 @@ 0, 65535 ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, { "https_proxy_host": { - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { @@ -165,12 +174,31 @@ 0, 65535 ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } } ], - "type": "record" + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/oas-validation/3.4.x.json b/schemas/oas-validation/3.4.x.json index 97a7361e..e0ff31a1 100644 --- a/schemas/oas-validation/3.4.x.json +++ b/schemas/oas-validation/3.4.x.json 
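Review bot: The consequence of `skip_consumer_lookup`, `any client with a valid certificate can access the Service/API`, is documented only inside the `authenticated_group_by` description. `skip_consumer_lookup` itself gets a one-line description without it. Moving that sentence and the ACL-plugin advice to `skip_consumer_lookup` would put the warning on the field that causes it. The `(not covered here)` aside reads like a leftover from the page the text was copied from. For `revocation_check_mode`, whose default stays `IGNORE_CA_ERROR`, the phrase `doesn't fail on network issues` could state outright that the certificate is then accepted without a revocation result, if that is the behaviour.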
@@ -2,115 +2,139 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "api_spec": { + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URL encoded to preserve the YAML format.", "type": "string", "required": true } }, { "verbose_response": { - "required": false, + "default": false, + "description": "If set to true, returns a detailed error message for invalid requests & responses. 
This is useful while testing.", "type": "boolean", - "default": false + "required": false } }, { "validate_request_body": { - "required": false, + "default": true, + "description": "If set to true, validates the request body content against the API specification.", "type": "boolean", - "default": true + "required": false } }, { "notify_only_request_validation_failure": { - "required": false, + "default": false, + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", "type": "boolean", - "default": false + "required": false } }, { "validate_request_header_params": { - "required": false, + "default": true, + "description": "If set to true, validates HTTP header parameters against the API specification.", "type": "boolean", - "default": true + "required": false } }, { "validate_request_query_params": { - "required": false, + "default": true, + "description": "If set to true, validates query parameters against the API specification.", "type": "boolean", - "default": true + "required": false } }, { "validate_request_uri_params": { - "required": false, + "default": true, + "description": "If set to true, validates URI parameters in the request against the API specification.", "type": "boolean", - "default": true + "required": false } }, { "validate_response_body": { - "required": false, + "default": false, + "description": "If set to true, validates the response from the upstream services against the API specification. 
If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", "type": "boolean", - "default": false + "required": false } }, { "notify_only_response_body_validation_failure": { - "required": false, + "default": false, + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", "type": "boolean", - "default": false + "required": false } }, { "query_parameter_check": { - "required": true, + "default": false, + "description": "If set to true, checks if query parameters in the request exist in the API specification.", "type": "boolean", - "default": false + "required": true } }, { "header_parameter_check": { - "required": true, + "default": false, + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", "type": "boolean", - "default": false + "required": true } }, { "allowed_header_parameters": { - "required": false, + "default": "Host,Content-Type,User-Agent,Accept,Content-Length", + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", "type": "string", - "default": "Host,Content-Type,User-Agent,Accept,Content-Length" + "required": false } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/oauth2-introspection/3.4.x.json b/schemas/oauth2-introspection/3.4.x.json index 3157912f..856e051c 100644 --- a/schemas/oauth2-introspection/3.4.x.json +++ b/schemas/oauth2-introspection/3.4.x.json 
@@ -2,106 +2,126 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "introspection_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", "required": true } }, { "ttl": { - "type": "number", - "default": 30 + "default": 30, + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", + "type": "number" } }, { "token_type_hint": { - "type": "string" + "type": "string", + "description": "The `token_type_hint` value to associate to introspection requests." } }, { "authorization_value": { + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. 
This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", "type": "string", "required": true } }, { "timeout": { - "type": "integer", - "default": 10000 + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "integer" } }, { "keepalive": { - "type": "integer", - "default": 60000 + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "integer" } }, { "introspect_request": { - "required": true, "default": false, - "type": "boolean" + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", + "type": "boolean", + "required": true } }, { "hide_credentials": { - "type": "boolean", - "default": false + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request.", + "type": "boolean" } }, { "run_on_preflight": { - "type": "boolean", - "default": true + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" } }, { "anonymous": { "len_min": 0, + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "type": "string", "default": "" } }, { "consumer_by": { + "required": true, "default": "username", + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", + "type": "string", "one_of": [ "username", "client_id" - ], - "type": "string", - "required": true + ] } }, { @@ -109,31 +129,37 @@ "values": { "type": "string" }, + "required": true, "default": [ ], + "description": "A list of custom headers to be added in the introspection request.", + "type": "map", "keys": { "type": "string" - }, - "required": true, - "type": "map" + } } }, { "custom_claims_forward": { - "elements": { - "type": "string" - }, + "required": true, "default": [ ], + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", "type": "set", - "required": true + "elements": { + "type": "string" + } } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/oauth2/3.4.x.json b/schemas/oauth2/3.4.x.json index 92284103..f952e014 100644 --- a/schemas/oauth2/3.4.x.json +++ b/schemas/oauth2/3.4.x.json @@ -2,9 +2,10 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { @@ -17,7 +18,10 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", 
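Review bot: In the `config` fields of the first oauth2-introspection hunk, `authorization_value` is described as usually carrying the `client_id` and `client_secret` as a Base64-encoded Basic Auth string, yet the field as shown has only `type` and `required`. It carries no `encrypted` or `referenceable` attribute, unlike `provision_key` in schemas/oauth2 and `client_secret` in schemas/openid-connect later in this patch. Whether that reflects the plugin or only the schema export cannot be told from the hunk, and since the file is pulled from the API the change belongs in the plugin schema upstream. Until then the description could end with `This value is a credential; restrict who can read the plugin configuration.` Separately, the `anonymous` description says "default null" while the field's `default` is `""`.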
@@ -25,24 +29,28 @@ "https", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "type": "record", "entity_checks": [ { "conditional": { + "if_field": "mandatory_scope", + "then_field": "scopes", "if_match": { "eq": true }, - "then_field": "scopes", - "if_field": "mandatory_scope", "then_match": { "required": true } 
@@ -52,135 +60,155 @@ "fields": [ { "scopes": { + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "mandatory_scope": { - "type": "boolean", "default": false, + "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", + "type": "boolean", "required": true } }, { "provision_key": { - "unique": true, "encrypted": true, "required": true, - "auto": true, - "type": "string" + "unique": true, + "description": "The unique key the plugin has generated when it has been added to the Service.", + "type": "string", + "auto": true } }, { "token_expiration": { - "type": "number", "default": 7200, + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. 
Set to `0` to disable the expiration.", + "type": "number", "required": true } }, { "enable_authorization_code": { - "type": "boolean", "default": false, + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", + "type": "boolean", "required": true } }, { "enable_implicit_grant": { - "type": "boolean", "default": false, + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", + "type": "boolean", "required": true } }, { "enable_client_credentials": { - "type": "boolean", "default": false, + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", + "type": "boolean", "required": true } }, { "enable_password_grant": { - "type": "boolean", "default": false, + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", + "type": "boolean", "required": true } }, { "hide_credentials": { - "type": "boolean", "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "type": "boolean", "required": true } }, { "accept_http_if_already_terminated": { - "type": "boolean", "default": false, + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", + "type": "boolean", "required": true } }, { "anonymous": { - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." 
} }, { "global_credentials": { - "type": "boolean", "default": false, + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", + "type": "boolean", "required": true } }, { "auth_header_name": { "default": "authorization", + "description": "The name of the header that is supposed to carry the access token.", "type": "string" } }, { "refresh_token_ttl": { + "required": true, + "default": 1209600, + "description": "Time-to-live value for data", "type": "number", "between": [ 0, 100000000 - ], - "default": 1209600, - "required": true + ] } }, { "reuse_refresh_token": { - "type": "boolean", "default": false, + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", + "type": "boolean", "required": true } }, { "persistent_refresh_token": { - "type": "boolean", "default": false, + "type": "boolean", "required": true } }, { "pkce": { "required": false, + "default": "lax", + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", + "type": "string", "one_of": [ "none", "lax", "strict" - ], - "default": "lax", - "type": "string" + ] } } ], + "type": "record", "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/opa/3.4.x.json b/schemas/opa/3.4.x.json index b80c5381..b0aca76e 100644 --- a/schemas/opa/3.4.x.json +++ b/schemas/opa/3.4.x.json 
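Review bot: The four `enable_*` grant descriptions added in this hunk cite "RFC 6742", but the OAuth 2.0 Authorization Framework, whose Sections 4.1 to 4.4 define these grants, is RFC 6749. The reference should read `(RFC 6749 Section 4.1)` in `enable_authorization_code`, and likewise for the other three. In the same hunk, the `accept_http_if_already_terminated` description does not say what the plugin trusts to decide that the request was HTTPS at the proxy. It should name that signal and state that the option is only safe when the gateway is reachable solely through that proxy or load balancer. `persistent_refresh_token` is left without a description, and `refresh_token_ttl` only gets the generic `Time-to-live value for data`. As the file is downloaded from the API, these corrections would have to land in the plugin schema upstream.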
@@ -2,40 +2,50 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "opa_protocol": { - "type": "string", "default": "http", + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", + "type": "string", "one_of": [ "http", "https" 
@@ -44,51 +54,57 @@ }, { "opa_host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", "type": "string", - "required": true, - "default": "localhost" + "required": true } }, { "opa_port": { + "required": true, + "default": 8181, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", "between": [ 0, 65535 - ], - "default": 8181, - "required": true + ] } }, { "opa_path": { "match_none": [ { - "err": "must not have empty segments", - "pattern": "//" + "pattern": "//", + "err": "must not have empty segments" } ], - "type": "string", + "required": true, "starts_with": "/", - "required": true + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "include_service_in_opa_input": { - "type": "boolean", - "default": false + "default": false, + "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", + "type": "boolean" } }, { "include_route_in_opa_input": { - "type": "boolean", - "default": false + "default": false, + "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", + "type": "boolean" } }, { "include_consumer_in_opa_input": { - "type": "boolean", - "default": false + "default": false, + "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", + "type": "boolean" } }, { 
@@ -99,26 +115,33 @@ }, { "include_parsed_json_body_in_opa_input": { - "type": "boolean", - "default": false + "default": false, + "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", + "type": "boolean" } }, { "include_uri_captures_in_opa_input": { - "type": "boolean", - "default": false + "default": false, + "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", + "type": "boolean" } }, { "ssl_verify": { + "default": true, + "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", "type": "boolean", - "required": true, - "default": true + "required": true } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/openid-connect/3.4.x.json b/schemas/openid-connect/3.4.x.json index 5d6749fb..197761ae 100644 --- a/schemas/openid-connect/3.4.x.json +++ b/schemas/openid-connect/3.4.x.json 
@@ -2,128 +2,57 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "shorthand_fields": [ - { - "authorization_cookie_lifetime": { - "type": "number" - } - }, - { - "authorization_cookie_samesite": { - "type": "string" - } - }, - { - "authorization_cookie_httponly": { - "type": "boolean" - } - }, - { - "session_cookie_lifetime": { - "type": "number" - } - }, - { - "session_cookie_idletime": { - "type": "number" - } - }, - { - "session_cookie_samesite": { - "type": "string" - } - }, - { - "session_cookie_httponly": { - "type": "boolean" - } - }, - { - "session_memcache_prefix": { - "type": "string" - } - }, - { - "session_memcache_socket": { - "type": "string" - } - }, - { - "session_memcache_host": { - "type": "string" - } - }, - { - "session_memcache_port": { - "type": "integer" - } - }, - { - "session_redis_cluster_maxredirections": { - "type": "integer" - } - }, - { - "session_cookie_renew": { - "type": "number" - } - }, - { - "session_cookie_maxsize": { - "type": "integer" - } - }, - { - "session_strategy": { - "type": "string" - } - }, - { - "session_compressor": { - "type": "string" - } - } - ], - "type": "record", "fields": [ { "issuer": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", 
"required": true } }, { "discovery_headers_names": { - "type": "array", "required": false, + "description": "Extra header names passed to the discovery endpoint.", + "type": "array", "elements": { "type": "string" } @@ -131,8 +60,9 @@ }, { "discovery_headers_values": { - "type": "array", "required": false, + "description": "Extra header values passed to the discovery endpoint.", + "type": "array", "elements": { "type": "string" } @@ -140,22 +70,26 @@ }, { "extra_jwks_uris": { - "type": "set", "required": false, + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "type": "set", "elements": { - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } } }, { "rediscovery_lifetime": { - "required": false, + "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", "type": "number", - "default": 30 + "required": false } }, { "auth_methods": { + "required": false, "default": [ "password", "client_credentials", @@ -167,7 +101,10 @@ "refresh_token", "session" ], + "description": "Types of credentials/grants to enable.", + "type": "array", "elements": { + "type": "string", "one_of": [ "password", "client_credentials", 
@@ -178,57 +115,58 @@ "kong_oauth2", "refresh_token", "session" - ], - "type": "string" - }, - "required": false, - "type": "array" + ] + } } }, { "client_id": { "encrypted": true, + "required": false, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "type": "array", "elements": { "type": "string", "referenceable": true - }, - "type": "array", - "required": false + } } }, { "client_secret": { "encrypted": true, + "required": false, + "description": "The client secret.", + "type": "array", "elements": { "type": "string", "referenceable": true - }, - "type": "array", - "required": false + } } }, { "client_auth": { - "type": "array", "required": false, + "description": "The authentication method used by the client (plugin) when calling the endpoint.", + "type": "array", "elements": { + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none" - ], - "type": "string" + ] } } }, { "client_jwk": { - "type": "array", "required": false, + "type": "array", "elements": { "required": false, + "type": "record", "fields": [ { "issuer": { @@ -301,9 +239,9 @@ { "k": { "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "encrypted": true } }, { 
@@ -339,85 +277,85 @@ { "d": { "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "encrypted": true } }, { "p": { "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "encrypted": true } }, { "q": { "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "encrypted": true } }, { "dp": { "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "encrypted": true } }, { "dq": { "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "encrypted": true } }, { "qi": { "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "encrypted": true } }, { "oth": { "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "encrypted": true } }, { "r": { "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "encrypted": true } }, { "t": { "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "encrypted": true } } - ], - "type": "record" + ] } } }, { "client_alg": { - "type": "array", "required": false, + "type": "array", "elements": { + "type": "string", "one_of": [ "HS256", "HS384", 
@@ -432,133 +370,152 @@ "PS384", "PS512", "EdDSA" - ], - "type": "string" + ] } } }, { "client_arg": { - "required": false, + "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", "type": "string", - "default": "client_id" + "required": false } }, { "redirect_uri": { - "type": "array", "required": false, + "description": "The redirect URI passed to the authorization and token endpoints.", + "type": "array", "elements": { - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } } }, { "login_redirect_uri": { - "type": "array", "required": false, + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "type": "array", "elements": { - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } } }, { "logout_redirect_uri": { - "type": "array", "required": false, + "description": "Where to redirect the client after the logout.", + "type": "array", "elements": { - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } } }, { "forbidden_redirect_uri": { - "type": "array", "required": false, + "description": "Where to redirect the client on forbidden requests.", + "type": "array", "elements": { - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
} } }, { "forbidden_error_message": { - "required": false, + "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection).", "type": "string", - "default": "Forbidden" + "required": false } }, { "forbidden_destroy_session": { - "required": false, + "default": true, + "description": "Destroy any active session for the forbidden requests.", "type": "boolean", - "default": true + "required": false } }, { "unauthorized_redirect_uri": { - "type": "array", "required": false, + "description": "Where to redirect the client on unauthorized requests.", + "type": "array", "elements": { - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } } }, { "unauthorized_error_message": { - "required": false, + "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection).", "type": "string", - "default": "Unauthorized" + "required": false } }, { "unexpected_redirect_uri": { - "type": "array", "required": false, + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "type": "array", "elements": { - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
} } }, { "response_mode": { + "required": false, "default": "query", + "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)", + "type": "string", "one_of": [ "query", "form_post", "fragment" - ], - "type": "string", - "required": false + ] } }, { "response_type": { + "required": false, "default": [ "code" ], + "description": "The response type passed to the authorization endpoint.", + "type": "array", "elements": { "type": "string" - }, - "required": false, - "type": "array" + } } }, { "scopes": { + "required": false, "default": [ "openid" ], + "description": "The scopes passed to the authorization and token endpoints.", + "type": "array", "elements": { "type": "string" - }, - "required": false, - "type": "array" + } } }, { "audience": { - "type": "array", "required": false, + "description": "The audience passed to the authorization endpoint.", + "type": "array", "elements": { "type": "string" } @@ -566,8 +523,9 @@ }, { "issuers_allowed": { - "type": "array", "required": false, + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "type": "array", "elements": { "type": "string" } @@ -575,8 +533,9 @@ }, { "scopes_required": { - "type": "array", "required": false, + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array", "elements": { "type": "string" } 
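Review bot: The `scopes_required` description added in the last hunk on this line says the parameter "works in both **AND** / **OR** cases" without saying how either case is written, which leaves an authorization rule open to misconfiguration. The same sentence is repeated for `audience_required`, `groups_required` and `roles_required` in the hunks that follow. The description should state which array layout requires all listed values and which accepts any one of them, with a short example of each.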
@@ -584,20 +543,22 @@ }, { "scopes_claim": { + "required": false, "default": [ "scope" ], + "description": "The claim that contains the scopes.", + "type": "array", "elements": { "type": "string" - }, - "required": false, - "type": "array" + } } }, { "audience_required": { - "type": "array", "required": false, + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array", "elements": { "type": "string" } @@ -605,20 +566,22 @@ }, { "audience_claim": { + "required": false, "default": [ "aud" ], + "description": "The claim that contains the audience.", + "type": "array", "elements": { "type": "string" - }, - "required": false, - "type": "array" + } } }, { "groups_required": { - "type": "array", "required": false, + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array", "elements": { "type": "string" } @@ -626,20 +589,22 @@ }, { "groups_claim": { + "required": false, "default": [ "groups" ], + "description": "The claim that contains the groups.", + "type": "array", "elements": { "type": "string" - }, - "required": false, - "type": "array" + } } }, { "roles_required": { - "type": "array", "required": false, + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array", "elements": { "type": "string" } 
@@ -647,20 +612,22 @@ }, { "roles_claim": { + "required": false, "default": [ "roles" ], + "description": "The claim that contains the roles.", + "type": "array", "elements": { "type": "string" - }, - "required": false, - "type": "array" + } } }, { "domains": { - "type": "array", "required": false, + "description": "The allowed values for the `hd` claim.", + "type": "array", "elements": { "type": "string" } @@ -668,14 +635,16 @@ }, { "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", "type": "number", "required": false } }, { "authenticated_groups_claim": { - "type": "array", "required": false, + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations.", + "type": "array", "elements": { "type": "string" } @@ -683,14 +652,16 @@ }, { "authorization_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", "required": false } }, { "authorization_query_args_names": { - "type": "array", "required": false, + "description": "Extra query argument names passed to the authorization endpoint.", + "type": "array", "elements": { "type": "string" } @@ -698,8 +669,9 @@ }, { "authorization_query_args_values": { - "type": "array", "required": false, + "description": "Extra query argument values passed to the authorization endpoint.", + "type": "array", "elements": { "type": "string" } @@ -707,8 +679,9 @@ }, { "authorization_query_args_client": { - "type": "array", "required": false, + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "type": "array", "elements": { "type": "string" } 
@@ -716,73 +689,82 @@ }, { "authorization_rolling_timeout": { - "required": false, + "default": 600, + "description": "Network IO timeout in milliseconds.", "type": "number", - "default": 600 + "required": false } }, { "authorization_cookie_name": { - "required": false, + "default": "authorization", + "description": "The authorization cookie name.", "type": "string", - "default": "authorization" + "required": false } }, { "authorization_cookie_path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { - "err": "must not have empty segments", - "pattern": "//" + "pattern": "//", + "err": "must not have empty segments" } ], - "starts_with": "/", "default": "/", - "required": false, - "type": "string" + "starts_with": "/", + "type": "string", + "required": false } }, { "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", "type": "string", "required": false } }, { "authorization_cookie_same_site": { + "required": false, "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "type": "string", "one_of": [ "Strict", "Lax", "None", "Default" - ], - "type": "string", - "required": false + ] } }, { "authorization_cookie_http_only": { - "required": false, + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "type": "boolean", - "default": true + "required": false } }, { "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "type": "boolean", "required": false } }, { "preserve_query_args": { - "required": false, + 
"default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", "type": "boolean", - "default": false + "required": false } }, { "token_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", "required": false } @@ -790,20 +772,22 @@ { "token_endpoint_auth_method": { "type": "string", - "required": false, + "description": "The token endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none" - ] + ], + "required": false } }, { "token_headers_names": { - "type": "array", "required": false, + "description": "Extra header names passed to the token endpoint.", + "type": "array", "elements": { "type": "string" } @@ -811,8 +795,9 @@ }, { "token_headers_values": { - "type": "array", "required": false, + "description": "Extra header values passed to the token endpoint.", + "type": "array", "elements": { "type": "string" } @@ -820,8 +805,9 @@ }, { "token_headers_client": { - "type": "array", "required": false, + "description": "Extra headers passed from the client to the token endpoint.", + "type": "array", "elements": { "type": "string" } @@ -829,8 +815,9 @@ }, { "token_headers_replay": { - "type": "array", "required": false, + "description": "The names of token endpoint response headers to forward to the downstream client.", + "type": "array", "elements": { "type": "string" } 
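Review bot: `authorization_rolling_timeout` is described in this hunk as `Network IO timeout in milliseconds.`, which does not fit a field with this name and a default of `600` that sits among the authorization cookie settings. It looks as if a generic type description was applied to it. If the value is in fact the rolling lifetime of the authorization-code-flow session, the text and the unit should say so, since a reader treating it as a millisecond network timeout would configure a very different session window. The fix belongs in the upstream schema the file is downloaded from.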
@@ -838,29 +825,32 @@ }, { "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", "type": "string", "required": false } }, { "token_headers_grants": { - "type": "array", "required": false, + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant", + "type": "array", "elements": { + "type": "string", "one_of": [ "password", "client_credentials", "authorization_code", "refresh_token" - ], - "type": "string" + ] } } }, { "token_post_args_names": { - "type": "array", "required": false, + "description": "Extra post argument names passed to the token endpoint.", + "type": "array", "elements": { "type": "string" } @@ -868,8 +858,9 @@ }, { "token_post_args_values": { - "type": "array", "required": false, + "description": "Extra post argument values passed to the token endpoint.", + "type": "array", "elements": { "type": "string" } @@ -877,8 +868,9 @@ }, { "token_post_args_client": { - "type": "array", "required": false, + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Request Body - Query parameters This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body and send it to the token endpoint.", + "type": "array", "elements": { "type": "string" } @@ -886,6 +878,7 @@ }, { "introspection_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", "required": false } 
@@ -893,46 +886,51 @@ { "introspection_endpoint_auth_method": { "type": "string", - "required": false, + "description": "The introspection endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none" - ] + ], + "required": false } }, { "introspection_hint": { - "required": false, + "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint.", "type": "string", - "default": "access_token" + "required": false } }, { "introspection_check_active": { - "required": false, + "default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", "type": "boolean", - "default": true + "required": false } }, { "introspection_accept": { + "required": false, "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)", + "type": "string", "one_of": [ "application/json", "application/token-introspection+jwt", "application/jwt" - ], - "type": "string", - "required": false + ] } }, { "introspection_headers_names": { - "type": "array", "required": false, + "description": "Extra header names passed to the introspection endpoint.", + "type": "array", "elements": { "type": "string" } 
@@ -940,8 +938,9 @@ }, { "introspection_headers_values": { - "type": "array", "required": false, + "description": "Extra header values passed to the introspection endpoint.", + "type": "array", "elements": { "type": "string" } @@ -949,8 +948,9 @@ }, { "introspection_headers_client": { - "type": "array", "required": false, + "description": "Extra headers passed from the client to the introspection endpoint.", + "type": "array", "elements": { "type": "string" } @@ -958,8 +958,9 @@ }, { "introspection_post_args_names": { - "type": "array", "required": false, + "description": "Extra post argument names passed to the introspection endpoint.", + "type": "array", "elements": { "type": "string" } @@ -967,8 +968,9 @@ }, { "introspection_post_args_values": { - "type": "array", "required": false, + "description": "Extra post argument values passed to the introspection endpoint.", + "type": "array", "elements": { "type": "string" } @@ -976,8 +978,9 @@ }, { "introspection_post_args_client": { - "type": "array", "required": false, + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "type": "array", "elements": { "type": "string" } @@ -985,13 +988,15 @@ }, { "introspect_jwt_tokens": { - "required": false, + "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", "type": "boolean", - "default": false + "required": false } }, { "revocation_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", "required": false } 
@@ -999,43 +1004,48 @@ { "revocation_endpoint_auth_method": { "type": "string", - "required": false, + "description": "The revocation endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none" - ] + ], + "required": false } }, { "end_session_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", "required": false } }, { "userinfo_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", "required": false } }, { "userinfo_accept": { + "required": false, "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)", + "type": "string", "one_of": [ "application/json", "application/jwt" - ], - "type": "string", - "required": false + ] } }, { "userinfo_headers_names": { - "type": "array", "required": false, + "description": "Extra header names passed to the user info endpoint.", + "type": "array", "elements": { "type": "string" } @@ -1043,8 +1053,9 @@ }, { "userinfo_headers_values": { - "type": "array", "required": false, + "description": "Extra header values passed to the user info endpoint.", + "type": "array", "elements": { "type": "string" } 
@@ -1052,8 +1063,9 @@ }, { "userinfo_headers_client": { - "type": "array", "required": false, + "description": "Extra headers passed from the client to the user info endpoint.", + "type": "array", "elements": { "type": "string" } @@ -1061,8 +1073,9 @@ }, { "userinfo_query_args_names": { - "type": "array", "required": false, + "description": "Extra query argument names passed to the user info endpoint.", + "type": "array", "elements": { "type": "string" } @@ -1070,8 +1083,9 @@ }, { "userinfo_query_args_values": { - "type": "array", "required": false, + "description": "Extra query argument values passed to the user info endpoint.", + "type": "array", "elements": { "type": "string" } @@ -1079,8 +1093,9 @@ }, { "userinfo_query_args_client": { - "type": "array", "required": false, + "description": "Extra query arguments passed from the client to the user info endpoint.", + "type": "array", "elements": { "type": "string" } @@ -1088,6 +1103,7 @@ }, { "token_exchange_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", "required": false } 
@@ -1095,123 +1111,140 @@ { "session_secret": { "required": false, - "encrypted": true, "referenceable": true, - "type": "string" + "description": "The session secret.", + "type": "string", + "encrypted": true } }, { "session_audience": { - "required": false, + "default": "default", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", "type": "string", - "default": "default" + "required": false } }, { "session_cookie_name": { - "required": false, + "default": "session", + "description": "The session cookie name.", "type": "string", - "default": "session" + "required": false } }, { "session_remember": { - "required": false, + "default": false, + "description": "Enables or disables persistent sessions.", "type": "boolean", - "default": false + "required": false } }, { "session_remember_cookie_name": { - "required": false, + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", "type": "string", - "default": "remember" + "required": false } }, { "session_remember_rolling_timeout": { - "required": false, + "default": 604800, + "description": "Network IO timeout in milliseconds.", "type": "number", - "default": 604800 + "required": false } }, { "session_remember_absolute_timeout": { - "required": false, + "default": 2592000, + "description": "Network IO timeout in milliseconds.", "type": "number", - "default": 2592000 + "required": false } }, { "session_idling_timeout": { - "required": false, + "default": 900, + "description": "Network IO timeout in milliseconds.", "type": "number", - "default": 900 + "required": false } }, { "session_rolling_timeout": { - "required": false, + "default": 3600, + "description": "Network IO timeout in milliseconds.", "type": "number", - "default": 3600 + "required": false } }, { "session_absolute_timeout": { - "required": false, + "default": 86400, + "description": "Network IO timeout in milliseconds.", 
"type": "number", - "default": 86400 + "required": false } }, { "session_cookie_path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { - "err": "must not have empty segments", - "pattern": "//" + "pattern": "//", + "err": "must not have empty segments" } ], - "starts_with": "/", "default": "/", - "required": false, - "type": "string" + "starts_with": "/", + "type": "string", + "required": false } }, { "session_cookie_domain": { + "description": "The session cookie Domain flag.", "type": "string", "required": false } }, { "session_cookie_same_site": { + "required": false, "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "type": "string", "one_of": [ "Strict", "Lax", "None", "Default" - ], - "type": "string", - "required": false + ] } }, { "session_cookie_http_only": { - "required": false, + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "type": "boolean", - "default": true + "required": false } }, { "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "type": "boolean", "required": false } }, { "session_request_headers": { + "type": "set", "elements": { + "type": "string", "one_of": [ "id", "audience", @@ -1220,15 +1253,15 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ], - "type": "string" - }, - "type": "set" + ] + } } }, { "session_response_headers": { + "type": "set", "elements": { + "type": "string", "one_of": [ "id", "audience", 
@@ -1237,345 +1270,381 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ], - "type": "string" - }, - "type": "set" + ] + } } }, { "session_storage": { + "required": false, "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis", + "type": "string", "one_of": [ "cookie", "memcache", "memcached", "redis" - ], - "type": "string", - "required": false + ] } }, { "session_store_metadata": { - "required": false, + "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", "type": "boolean", - "default": false + "required": false } }, { "session_enforce_same_subject": { - "required": false, + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", "type": "boolean", - "default": false + "required": false } }, { "session_hash_subject": { - "required": false, + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", "type": "boolean", - "default": false + "required": false } }, { "session_hash_storage_key": { - "required": false, + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "type": "boolean", - "default": false + "required": false } }, { "session_memcached_prefix": { + "description": "The memcached session key prefix.", "type": "string", "required": false } }, { "session_memcached_socket": { + "description": "The memcached unix socket path.", "type": "string", "required": false } }, { "session_memcached_host": { - "required": false, + "default": "127.0.0.1", + "description": "The memcached host.", "type": "string", - "default": "127.0.0.1" + "required": false } }, { "session_memcached_port": { + "required": false, + "default": 11211, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", "between": [ 0, 65535 - ], - "required": false, - "default": 11211 + ] } }, { "session_redis_prefix": { + "description": "The Redis session key prefix.", "type": "string", "required": false } }, { "session_redis_socket": { + "description": "The Redis unix socket path.", "type": "string", "required": false } }, { "session_redis_host": { - "required": false, + "default": "127.0.0.1", + "description": "The Redis host", "type": "string", - "default": "127.0.0.1" + "required": false } }, { "session_redis_port": { + "required": false, + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", "between": [ 0, 65535 - ], - "required": false, - "default": 6379 + ] } }, { "session_redis_username": { + "required": false, + "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. 
The username **cannot** be set to `default`.", "type": "string", - "referenceable": true, - "required": false + "referenceable": true } }, { "session_redis_password": { "required": false, - "encrypted": true, "referenceable": true, - "type": "string" + "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis.", + "type": "string", + "encrypted": true } }, { "session_redis_connect_timeout": { + "description": "Network IO timeout in milliseconds.", "type": "integer", "required": false } }, { "session_redis_read_timeout": { + "description": "Network IO timeout in milliseconds.", "type": "integer", "required": false } }, { "session_redis_send_timeout": { + "description": "Network IO timeout in milliseconds.", "type": "integer", "required": false } }, { "session_redis_ssl": { - "required": false, + "default": false, + "description": "Use SSL/TLS for Redis connection.", "type": "boolean", - "default": false + "required": false } }, { "session_redis_ssl_verify": { - "required": false, + "default": false, + "description": "Verify identity provider server certificate.", "type": "boolean", - "default": false + "required": false } }, { "session_redis_server_name": { + "description": "The SNI used for connecting the Redis server.", "type": "string", "required": false } }, { "session_redis_cluster_nodes": { - "type": "array", "required": false, + "description": "The Redis cluster node host. 
Takes an array of host records, with either `ip` or `host`, and `port` values.", + "type": "array", "elements": { + "type": "record", "fields": [ { "ip": { - "type": "string", "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string", "required": true } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "default": 6379 + ] } } - ], - "type": "record" + ] } } }, { "session_redis_cluster_max_redirections": { + "description": "The Redis cluster maximum redirects.", "type": "integer", "required": false } }, { "reverify": { - "required": false, + "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", "type": "boolean", - "default": false + "required": false } }, { "jwt_session_claim": { - "required": false, + "default": "sid", + "description": "The claim to match against the JWT session cookie.", "type": "string", - "default": "sid" + "required": false } }, { "jwt_session_cookie": { + "description": "The name of the JWT session cookie.", "type": "string", "required": false } }, { "bearer_token_param_type": { + "required": false, "default": [ "header", "query", "body" ], + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`", + "type": "array", "elements": { + "type": "string", "one_of": [ "header", "cookie", "query", "body" - ], - "type": "string" - }, - "required": false, - "type": "array" + ] + } } }, { "bearer_token_cookie_name": { + "description": "The name of the cookie in which the bearer token is passed.", "type": "string", "required": false } }, { "client_credentials_param_type": { + "required": false, 
"default": [ "header", "query", "body" ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body", + "type": "array", "elements": { + "type": "string", "one_of": [ "header", "query", "body" - ], - "type": "string" - }, - "required": false, - "type": "array" + ] + } } }, { "password_param_type": { + "required": false, "default": [ "header", "query", "body" ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", + "type": "array", "elements": { + "type": "string", "one_of": [ "header", "query", "body" - ], - "type": "string" - }, - "required": false, - "type": "array" + ] + } } }, { "id_token_param_type": { + "required": false, "default": [ "header", "query", "body" ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", + "type": "array", "elements": { + "type": "string", "one_of": [ "header", "query", "body" - ], - "type": "string" - }, - "required": false, - "type": "array" + ] + } } }, { "id_token_param_name": { + "description": "The name of the parameter used to pass the id token.", "type": "string", "required": false } }, { "refresh_token_param_type": { + "required": false, "default": [ "header", "query", "body" ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", + "type": "array", "elements": { + "type": "string", "one_of": [ "header", "query", "body" - ], - "type": "string" - }, - "required": false, - "type": "array" + ] + } } }, { "refresh_token_param_name": { + "description": "The name of the parameter used to pass the refresh token.", "type": "string", "required": false } 
}, { "refresh_tokens": { - "required": false, + "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", "type": "boolean", - "default": true + "required": false } }, { "upstream_headers_claims": { - "type": "array", "required": false, + "description": "The upstream header claims.", + "type": "array", "elements": { "type": "string" } @@ -1583,8 +1652,9 @@ }, { "upstream_headers_names": { - "type": "array", "required": false, + "description": "The upstream header names for the claim values.", + "type": "array", "elements": { "type": "string" } @@ -1592,49 +1662,57 @@ }, { "upstream_access_token_header": { - "required": false, + "default": "authorization:bearer", + "description": "The upstream access token header.", "type": "string", - "default": "authorization:bearer" + "required": false } }, { "upstream_access_token_jwk_header": { + "description": "The upstream access token JWK header.", "type": "string", "required": false } }, { "upstream_id_token_header": { + "description": "The upstream id token header.", "type": "string", "required": false } }, { "upstream_id_token_jwk_header": { + "description": "The upstream id token JWK header.", "type": "string", "required": false } }, { "upstream_refresh_token_header": { + "description": "The upstream refresh token header.", "type": "string", "required": false } }, { "upstream_user_info_header": { + "description": "The upstream user info header.", "type": "string", "required": false } }, { "upstream_user_info_jwt_header": { + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", "type": "string", "required": false } }, { "upstream_introspection_header": { + "description": "The upstream introspection header.", "type": "string", "required": false } 
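Review bot: In the hunk at -1237, `session_redis_ssl_verify` is described as "Verify identity provider server certificate.", which names the wrong peer: the field sits among the `session_redis_*` connection settings, so it presumably controls verification of the Redis server certificate. I would change it to `"description": "Verify the Redis server certificate (used together with session_redis_ssl)."` after confirming the behaviour upstream. Both `session_redis_ssl` and `session_redis_ssl_verify` default to `false`, so an accurate description matters for anyone deciding how session data reaches Redis. Separately, the `session_storage` description documents `memcache` while `one_of` also accepts `memcached`; the text should say whether the two are aliases.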
@@ -1647,14 +1725,16 @@ }, { "upstream_session_id_header": { + "description": "The upstream session id header.", "type": "string", "required": false } }, { "downstream_headers_claims": { - "type": "array", "required": false, + "description": "The downstream header claims.", + "type": "array", "elements": { "type": "string" } @@ -1662,8 +1742,9 @@ }, { "downstream_headers_names": { - "type": "array", "required": false, + "description": "The downstream header names for the claim values.", + "type": "array", "elements": { "type": "string" } @@ -1671,48 +1752,56 @@ }, { "downstream_access_token_header": { + "description": "The downstream access token header.", "type": "string", "required": false } }, { "downstream_access_token_jwk_header": { + "description": "The downstream access token JWK header.", "type": "string", "required": false } }, { "downstream_id_token_header": { + "description": "The downstream id token header.", "type": "string", "required": false } }, { "downstream_id_token_jwk_header": { + "description": "The downstream id token JWK header.", "type": "string", "required": false } }, { "downstream_refresh_token_header": { + "description": "The downstream refresh token header.", "type": "string", "required": false } }, { "downstream_user_info_header": { + "description": "The downstream user info header.", "type": "string", "required": false } }, { "downstream_user_info_jwt_header": { + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", "type": "string", "required": false } }, { "downstream_introspection_header": { + "description": "The downstream introspection header.", "type": "string", "required": false } 
@@ -1725,16 +1814,21 @@ }, { "downstream_session_id_header": { + "description": "The downstream session id header.", "type": "string", "required": false } }, { "login_methods": { + "required": false, "default": [ "authorization_code" ], + "description": "Enable login functionality with specified grants.", + "type": "array", "elements": { + "type": "string", "one_of": [ "password", "client_credentials", 
@@ -1745,116 +1839,124 @@ "kong_oauth2", "refresh_token", "session" - ], - "type": "string" - }, - "required": false, - "type": "array" + ] + } } }, { "login_action": { + "required": false, "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location", + "type": "string", "one_of": [ "upstream", "response", "redirect" - ], - "type": "string", - "required": false + ] } }, { "login_tokens": { + "required": false, "default": [ "id_token" ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response", + "type": "array", "elements": { + "type": "string", "one_of": [ "id_token", "access_token", "refresh_token", "tokens", "introspection" - ], - "type": "string" - }, - "required": false, - "type": "array" + ] + } } }, { "login_redirect_mode": { + "required": false, "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)", + "type": "string", "one_of": [ "query", "fragment" - ], - "type": "string", - "required": false + ] } }, { "logout_query_arg": { + "description": "The request query argument that activates the logout.", "type": "string", "required": false } }, { "logout_post_arg": { + "description": "The request body argument that activates the logout.", "type": "string", "required": false } }, { "logout_uri_suffix": { + "description": "The request URI suffix that activates the logout.", "type": "string", "required": false } }, { "logout_methods": { + "required": false, "default": [ "POST", "DELETE" ], + 
"description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method", + "type": "array", "elements": { + "type": "string", "one_of": [ "POST", "GET", "DELETE" - ], - "type": "string" - }, - "required": false, - "type": "array" + ] + } } }, { "logout_revoke": { - "required": false, + "default": false, + "description": "Revoke tokens as part of the logout.", "type": "boolean", - "default": false + "required": false } }, { "logout_revoke_access_token": { - "required": false, + "default": true, + "description": "Revoke the access token as part of the logout.", "type": "boolean", - "default": true + "required": false } }, { "logout_revoke_refresh_token": { - "required": false, + "default": true, + "description": "Revoke the refresh token as part of the logout.", "type": "boolean", - "default": true + "required": false } }, { "consumer_claim": { - "type": "array", "required": false, + "description": "The claim used for consumer mapping.", + "type": "array", "elements": { "type": "string" } 
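Review bot: The `login_redirect_mode` description in the hunk at -1745 notes that `fragment` is not readable by servers but does not say what choosing `query` implies: tokens placed in a query string can be recorded in access logs, browser history and Referer headers. I would extend that bullet to `query: place tokens in query string (visible to servers, proxies and logs)`. In the same hunk, the `logout_methods` description lists `GET` without mentioning that a GET-triggered logout can be fired by a cross-site link, which is likely why the default is only `POST` and `DELETE`; a short clause saying so would help operators keep the default. Both suggestions are documentation only and would need to land in the upstream schema these files are downloaded from.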
@@ -1862,95 +1964,109 @@ }, { "consumer_by": { + "required": false, "default": [ "username", "custom_id" ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`", + "type": "array", "elements": { + "type": "string", "one_of": [ "id", "username", "custom_id" - ], - "type": "string" - }, - "required": false, - "type": "array" + ] + } } }, { "consumer_optional": { - "required": false, + "default": false, + "description": "Do not terminate the request if consumer mapping fails.", "type": "boolean", - "default": false + "required": false } }, { "credential_claim": { + "required": false, "default": [ "sub" ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used.", + "type": "array", "elements": { "type": "string" - }, - "required": false, - "type": "array" + } } }, { "anonymous": { + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "type": "string", "required": false } }, { "run_on_preflight": { - "required": false, + "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", "type": "boolean", - "default": true + "required": false } }, { "leeway": { - "required": false, + "default": 0, + "description": "Allow some leeway (in seconds) on the ttl / expiry verification.", "type": "number", - "default": 0 + "required": false } }, { "verify_parameters": { - "required": false, + "default": false, + "description": "Verify plugin configuration against discovery.", "type": "boolean", - "default": false + "required": false } }, { "verify_nonce": { - "required": false, + "default": true, + "description": "Verify nonce on authorization code flow.", "type": "boolean", - "default": true + "required": false } }, { "verify_claims": { - "required": false, + "default": true, + "description": "Verify tokens for standard claims.", "type": "boolean", - "default": true + "required": false } }, { "verify_signature": { - "required": false, + "default": true, + "description": "Verify signature of tokens.", "type": "boolean", - "default": true + "required": false } }, { "ignore_signature": { + "required": false, "default": [ ], + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication", + "type": "array", "elements": { + "type": "string", "one_of": [ "password", "client_credentials", 
@@ -1959,25 +2075,25 @@ "session", "introspection", "userinfo" - ], - "type": "string" - }, - "required": false, - "type": "array" + ] + } } }, { "enable_hs_signatures": { - "required": false, + "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", "type": "boolean", - "default": false + "required": false } }, { "disable_session": { - "type": "array", "required": false, + "description": "Disable issuing the session cookie with the specified grants.", + "type": "array", "elements": { + "type": "string", "one_of": [ "password", "client_credentials", 
@@ -1988,173 +2104,288 @@ "kong_oauth2", "refresh_token", "session" - ], - "type": "string" + ] } } }, { "cache_ttl": { - "required": false, + "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", "type": "number", - "default": 3600 + "required": false } }, { "cache_ttl_max": { + "description": "The maximum cache ttl in seconds (enforced).", "type": "number", "required": false } }, { "cache_ttl_min": { + "description": "The minimum cache ttl in seconds (enforced).", "type": "number", "required": false } }, { "cache_ttl_neg": { + "description": "The negative cache ttl in seconds.", "type": "number", "required": false } }, { "cache_ttl_resurrect": { + "description": "The resurrection ttl in seconds.", "type": "number", "required": false } }, { "cache_tokens": { - "required": false, + "default": true, + "description": "Cache the token endpoint requests.", "type": "boolean", - "default": true + "required": false } }, { "cache_tokens_salt": { - "type": "string", "auto": true, + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "type": "string", "required": false } }, { "cache_introspection": { - "required": false, + "default": true, + "description": "Cache the introspection endpoint requests.", "type": "boolean", - "default": true + "required": false } }, { "cache_token_exchange": { - "required": false, + "default": true, + "description": "Cache the token exchange endpoint requests.", "type": "boolean", - "default": true + "required": false } }, { "cache_user_info": { - "required": false, + "default": true, + "description": "Cache the user info requests.", "type": "boolean", - "default": true + "required": false } }, { "search_user_info": { - "required": false, + "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated 
groups, and upstream and downstream headers.", "type": "boolean", - "default": false + "required": false } }, { "hide_credentials": { - "required": false, + "default": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", "type": "boolean", - "default": false + "required": false } }, { "http_version": { "default": 1.1, + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0", "type": "number", "required": false } }, { "http_proxy": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", "required": false } }, { "http_proxy_authorization": { + "description": "The HTTP proxy authorization.", "type": "string", "required": false } }, { "https_proxy": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", "required": false } }, { "https_proxy_authorization": { + "description": "The HTTPS proxy authorization.", "type": "string", "required": false } }, { "no_proxy": { + "description": "Do not use proxy with these hosts.", "type": "string", "required": false } }, { "keepalive": { - "required": false, + "default": true, + "description": "Use keepalive with the HTTP client.", "type": "boolean", - "default": true + "required": false } }, { "ssl_verify": { - "required": false, + "default": false, + "description": "Verify identity provider server certificate.", "type": "boolean", - "default": false + "required": false } }, { "timeout": { - "required": false, + "default": 10000, + "description": "Network IO timeout in milliseconds.", "type": "number", - "default": 10000 + "required": false } }, { "display_errors": { - "required": false, + "default": false, + "description": "Display errors on failure responses.", 
"type": "boolean", - "default": false + "required": false } }, { "by_username_ignore_case": { - "required": false, + "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", "type": "boolean", - "default": false + "required": false } }, { "resolve_distributed_claims": { - "required": false, + "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "type": "boolean", + "required": false + } + }, + { + "expose_error_code": { "type": "boolean", - "default": false + "default": true + } + } + ], + "type": "record", + "shorthand_fields": [ + { + "authorization_cookie_lifetime": { + "type": "number" + } + }, + { + "authorization_cookie_samesite": { + "type": "string" + } + }, + { + "authorization_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_cookie_lifetime": { + "type": "number" + } + }, + { + "session_cookie_idletime": { + "type": "number" + } + }, + { + "session_cookie_samesite": { + "type": "string" + } + }, + { + "session_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "type": "string" + } + }, + { + "session_memcache_socket": { + "type": "string" + } + }, + { + "session_memcache_host": { + "type": "string" + } + }, + { + "session_memcache_port": { + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer" + } + }, + { + "session_cookie_renew": { + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "type": "integer" + } + }, + { + "session_strategy": { + "type": "string" + } + }, + { + "session_compressor": { + "type": "string" } } ], "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
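Review bot: `ssl_verify` keeps `"default": false` in this hunk, and its new description, "Verify identity provider server certificate.", does not tell the reader that verification is off unless they turn it on. This plugin calls the identity provider's discovery, token, introspection and user info endpoints, so the text should state the default and its consequence, for example `"description": "Verify the identity provider's server certificate. Defaults to false, which leaves the TLS connection to the identity provider unauthenticated; set to true in production."`. The same gap appears in the proxy-cache-advanced `@@ -315,64 +281,135 @@` hunk, where the Redis `ssl` and `ssl_verify` fields also default to `false` and get no description at all, although `server_name` next to them does. `expose_error_code` is added here with neither `description` nor `required`, unlike the other entries of `fields` in this hunk. Since the file is pulled from the API, the wording fix presumably belongs in the upstream schema.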
diff --git a/schemas/opentelemetry/3.4.x.json b/schemas/opentelemetry/3.4.x.json index 9d455e42..56fd8793 100644 --- a/schemas/opentelemetry/3.4.x.json +++ b/schemas/opentelemetry/3.4.x.json @@ -2,41 +2,40 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "batch_span_count", - "batch_flush_delay" - ] - } - } - ], "fields": [ { "endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", "required": true } @@ -44,17 +43,20 @@ { "headers": { "type": "map", - "keys": { - "type": "string" - }, + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", "values": { "type": "string", "referenceable": true + }, + "keys": { + "type": "string", + "description": "A string representing an HTTP header name." } } }, { "resource_attributes": { + "type": "map", "values": { "type": "string", "required": true 
@@ -62,109 +64,128 @@ "keys": { "type": "string", "required": true - }, - "type": "map" - } - }, - { - "batch_span_count": { - "type": "integer" - } - }, - { - "batch_flush_delay": { - "type": "integer" + } } }, { "queue": { - "required": true, "fields": [ { "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", "between": [ 1, 1000000 - ], - "type": "number", - "default": 1 + ] } }, { "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", "between": [ 0, 3600 - ], - "type": "number", - "default": 1 + ] } }, { "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", "between": [ 1, 1000000 - ], - "type": "number", - "default": 10000 + ] } }, { "max_bytes": { - "type": "number" + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." } }, { "max_retry_time": { "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number" } }, { "initial_retry_delay": { "default": 0.01, - "type": "number" + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", + "between": [ + 0.001, + 1000000 + ] } }, { "max_retry_delay": { "default": 60, - "type": "number" + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", + "between": [ + 0.001, + 1000000 + ] } } ], - "type": "record" + "type": "record", + "required": true + } + }, + { + "batch_span_count": { + "type": "integer", + "description": "The number of spans to be sent in a single batch." 
+ } + }, + { + "batch_flush_delay": { + "type": "integer", + "description": "The delay, in seconds, between two consecutive batches." } }, { "connect_timeout": { + "default": 1000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "default": 1000 + ] } }, { "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "default": 5000 + ] } }, { "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "default": 5000 + ] } }, { @@ -174,6 +195,7 @@ }, { "header_type": { + "default": "preserve", "type": "string", "one_of": [ "preserve", @@ -182,15 +204,29 @@ "b3-single", "w3c", "jaeger", - "ot" + "ot", + "aws" ], - "required": false, - "default": "preserve" + "required": false } } ], - "type": "record" + "required": true, + "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "batch_span_count", + "batch_flush_delay" + ] + } + } + ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/post-function/3.4.x.json b/schemas/post-function/3.4.x.json index 35c001df..56a627c0 100644 --- a/schemas/post-function/3.4.x.json +++ b/schemas/post-function/3.4.x.json @@ -10,8 +10,10 @@ "ws", "wss" ], + "required": false, "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -19,28 +21,32 @@ "https", "ws", "wss" - ], - "type": "string" - }, - "required": false + ] + } } }, { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing protocols.", + "type": "set", "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -52,28 +58,24 @@ "udp", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } } }, { "config": { - "required": true, "fields": [ { "certificate": { "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string", "required": false - }, - "required": true, - "type": "array" + } } }, { @@ -81,12 +83,12 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string", "required": false - }, - "required": true, - "type": "array" + } } }, { @@ -94,12 +96,12 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string", "required": false - }, - "required": true, - "type": "array" + } } }, { @@ -107,12 +109,12 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string", "required": false - }, - "required": true, - "type": "array" + } } }, { @@ -120,12 +122,12 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string", "required": false - }, - "required": true, - "type": "array" + } } }, { @@ -133,12 +135,12 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string", "required": false - }, - "required": true, - "type": "array" + } } }, { 
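Review bot: `config.certificate` in the `@@ -52,28 +58,24 @@` hunk gets `required` and `type` moved but no `description`, and the same holds for the nine sibling arrays in the hunks that follow (named in the new `at_least_one_of` list, `config.rewrite` through `config.ws_close`). `consumer` and `protocols` in the same file do get one. As far as I know these strings are Lua sources that the gateway executes in the named phase, so the schema text is the place to say that whoever can write this plugin's configuration can run code inside the proxy. A description on each array, such as `"description": "Lua code to run during the access phase."`, would cover it. The pre-function diff further down carries the same index hashes and has the same gap.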
@@ -146,12 +148,12 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string", "required": false - }, - "required": true, - "type": "array" + } } }, { @@ -159,12 +161,12 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string", "required": false - }, - "required": true, - "type": "array" + } } }, { @@ -172,12 +174,12 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string", "required": false - }, - "required": true, - "type": "array" + } } }, { @@ -185,17 +187,34 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string", "required": false - }, - "required": true, - "type": "array" + } } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } ] } \ No newline at end of file diff --git a/schemas/pre-function/3.4.x.json b/schemas/pre-function/3.4.x.json index 35c001df..56a627c0 100644 --- a/schemas/pre-function/3.4.x.json +++ b/schemas/pre-function/3.4.x.json @@ -10,8 +10,10 @@ "ws", "wss" ], + "required": false, "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -19,28 +21,32 @@ "https", "ws", "wss" - ], - "type": "string" - }, - "required": false + ] + } } }, { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing protocols.", + "type": "set", "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -52,28 +58,24 @@ "udp", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } } }, { "config": { - "required": true, "fields": [ { "certificate": { "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string", "required": false - }, - "required": true, - "type": "array" + } } }, { @@ -81,12 +83,12 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string", "required": false - }, - "required": true, - "type": "array" + } } }, { @@ -94,12 +96,12 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string", "required": false - }, - "required": true, - "type": "array" + } } }, { @@ -107,12 +109,12 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string", "required": false - }, - "required": true, - "type": "array" + } } }, { @@ -120,12 +122,12 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string", "required": false - }, - "required": true, - "type": "array" + } } }, { @@ -133,12 +135,12 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string", "required": false - }, - "required": true, - "type": "array" + } } }, { 
@@ -146,12 +148,12 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string", "required": false - }, - "required": true, - "type": "array" + } } }, { @@ -159,12 +161,12 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string", "required": false - }, - "required": true, - "type": "array" + } } }, { @@ -172,12 +174,12 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string", "required": false - }, - "required": true, - "type": "array" + } } }, { @@ -185,17 +187,34 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string", "required": false - }, - "required": true, - "type": "array" + } } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } ] } \ No newline at end of file diff --git a/schemas/prometheus/3.4.x.json b/schemas/prometheus/3.4.x.json index 91f590bb..e3e5affe 100644 --- a/schemas/prometheus/3.4.x.json +++ b/schemas/prometheus/3.4.x.json @@ -2,13 +2,18 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing protocols.", + "type": "set", "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,50 +25,63 @@ "udp", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "per_consumer": { - "type": "boolean", - "default": false + "default": false, + "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", + "type": "boolean" } }, { "status_code_metrics": { - "type": "boolean", - "default": false + "default": false, + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", + "type": "boolean" } }, { "latency_metrics": { - "type": "boolean", - "default": false + "default": false, + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", + "type": "boolean" } }, { "bandwidth_metrics": { - "type": "boolean", - "default": false + "default": false, + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", + "type": "boolean" } }, { "upstream_health_metrics": { - "type": "boolean", - "default": false + "default": false, + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", + "type": "boolean" } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
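Review bot: The descriptions added for `latency_metrics`, `bandwidth_metrics` and `upstream_health_metrics` all open with "determines if status code metrics should be collected", which is the `status_code_metrics` sentence copied unchanged. Each should name its own metric family, e.g. `"A boolean value that determines if latency metrics should be collected. ..."`, and likewise for bandwidth and upstream health. The metric names are also inconsistent: `per_consumer` refers to `kong_http_requests_total` while `status_code_metrics` refers to `http_requests_total`, and `latency_metrics` mixes `kong_latency_ms` with the unprefixed `upstream_latency_ms`. Operators who build dashboards and alerts from these strings need one form. The file is pulled from the API, so the correction presumably has to be made in the upstream schema.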
diff --git a/schemas/proxy-cache-advanced/3.4.x.json b/schemas/proxy-cache-advanced/3.4.x.json index 95a4e988..139ccd92 100644 --- a/schemas/proxy-cache-advanced/3.4.x.json +++ b/schemas/proxy-cache-advanced/3.4.x.json 
@@ -2,213 +2,174 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "response_code": { "len_min": 1, + "required": true, "default": [ 200, 301, 404 ], + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", + "type": "array", "elements": { + "type": "integer", "between": [ 100, 900 - ], - "type": "integer" - }, - "required": true, - "type": "array" + ] + } } }, { "request_method": { + "required": true, "default": [ "GET", "HEAD" ], + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", + "type": "array", "elements": { + "type": "string", "one_of": [ "HEAD", "GET", "POST", "PATCH", "PUT" - ], - "type": "string" - }, - "required": true, - "type": "array" + ] + } } }, { "content_type": { + "required": true, "default": [ "text/plain", "application/json" ], + "description": "Upstream response content types considered cacheable. 
The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", + "type": "array", "elements": { "type": "string" - }, - "required": true, - "type": "array" + } } }, { "cache_ttl": { "default": 300, "gt": 0, - "type": "integer" + "type": "integer", + "description": "TTL in seconds of cache entities." } }, { "strategy": { - "required": true, "type": "string", + "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", "one_of": [ "memory", "redis" - ] + ], + "required": true } }, { "cache_control": { - "required": true, + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", "type": "boolean", - "default": false + "required": true } }, { "ignore_uri_case": { - "required": false, + "default": false, + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", "type": "boolean", - "default": false + "required": false } }, { "storage_ttl": { - "type": "integer" + "type": "integer", + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." } }, { "memory": { - "required": true, "fields": [ { "dictionary_name": { - "required": true, "default": "kong_db_cache", - "type": "string" + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. 
Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string", + "required": true } } ], - "type": "record" + "type": "record", + "required": true } }, { "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "redis": { - "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ], - "set2": [ - "host", - "port" - ] - } - }, - { - "mutually_exclusive_sets": { - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ], - "set2": [ - "cluster_addresses" - ] - } - }, - { - "mutually_exclusive_sets": { - "set1": [ - "cluster_addresses" - ], - "set2": [ - "host", - "port" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - } - ], "fields": [ { "host": { - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { @@ -217,17 +178,19 @@ 0, 65535 ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, { "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "default": 2000 + ] } }, { 
@@ -236,6 +199,7 @@ 0, 2147483646 ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, @@ -245,6 +209,7 @@ 0, 2147483646 ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, @@ -254,6 +219,7 @@ 0, 2147483646 ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, @@ -265,9 +231,9 @@ }, { "password": { - "referenceable": true, "encrypted": true, - "type": "string" + "type": "string", + "referenceable": true } }, { @@ -278,9 +244,9 @@ }, { "sentinel_password": { - "referenceable": true, "encrypted": true, - "type": "string" + "type": "string", + "referenceable": true } }, { @@ -291,21 +257,21 @@ }, { "keepalive_pool_size": { + "default": 30, + "type": "integer", "between": [ 1, 2147483646 - ], - "default": 30, - "type": "integer" + ] } }, { "keepalive_backlog": { + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer" + ] } }, { 
@@ -315,64 +281,135 @@ }, { "sentinel_role": { + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string" + ] } }, { "sentinel_addresses": { "len_min": 1, + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "cluster_addresses": { "len_min": 1, + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "ssl": { "default": false, - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "ssl_verify": { "default": false, - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string", "required": false } } ], - "type": "record" + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "cluster_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "cluster_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ] } }, { "bypass_on_err": { "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", "type": "boolean" } } ], - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] 
diff --git a/schemas/proxy-cache/3.4.x.json b/schemas/proxy-cache/3.4.x.json index 47930b69..017d8222 100644 --- a/schemas/proxy-cache/3.4.x.json +++ b/schemas/proxy-cache/3.4.x.json @@ -2,13 +2,18 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing protocols.", + "type": "set", "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,137 +25,153 @@ "udp", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } } }, { "config": { - "required": true, "fields": [ { "response_code": { "len_min": 1, + "required": true, "default": [ 200, 301, 404 ], + "description": "Upstream response status code considered cacheable.", + "type": "array", "elements": { + "type": "integer", "between": [ 100, 900 - ], - "type": "integer" - }, - "required": true, - "type": "array" + ] + } } }, { "request_method": { + "required": true, "default": [ "GET", "HEAD" ], + "description": "Downstream request methods considered cacheable.", + "type": "array", "elements": { + "type": "string", "one_of": [ "HEAD", "GET", "POST", "PATCH", "PUT" - ], - "type": "string" - }, - "type": "array", - "required": true + ] + } } }, { "content_type": { + "required": true, "default": [ "text/plain", "application/json" ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "required": true + } } }, { "cache_ttl": { "default": 300, - "gt": 0, - "type": "integer" + "description": "TTL, in seconds, of cache entities.", + "type": "integer", + "gt": 0 } }, { "strategy": { "type": "string", - "required": true, + "description": "The backing data store in which to hold cache entities.", "one_of": [ "memory" - ] + ], + "required": true } }, { "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", "type": "boolean", - "required": true, - "default": false + "required": true } }, { "ignore_uri_case": { + "default": false, "type": "boolean", - "required": false, - "default": false + "required": false } }, { "storage_ttl": { - "type": "integer" + "type": "integer", + "description": "Number of seconds to keep resources in the storage backend. 
This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." } }, { "memory": { - "required": true, "fields": [ { "dictionary_name": { - "required": true, + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", "type": "string", - "default": "kong_db_cache" + "required": true } } ], - "type": "record" + "type": "record", + "required": true } }, { "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } } ], - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/rate-limiting-advanced/3.4.x.json b/schemas/rate-limiting-advanced/3.4.x.json index c203bdb4..d57f36d3 100644 --- a/schemas/rate-limiting-advanced/3.4.x.json +++ b/schemas/rate-limiting-advanced/3.4.x.json 
@@ -2,31 +2,34 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } } }, { "config": { - "required": true, "fields": [ { "identifier": { + "required": true, + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, or `path`.", "type": "string", "one_of": [ "ip", @@ -35,14 +38,13 @@ "service", "header", "path" - ], - "default": "consumer", - "required": true + ] } }, { "window_size": { "required": true, + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", "type": "array", "elements": { "type": "number" @@ -52,6 +54,7 @@ { "window_type": { "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", "type": "string", "one_of": [ "fixed", @@ -62,6 +65,7 @@ { "limit": { "required": true, + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", "type": "array", "elements": { "type": "number" 
@@ -70,129 +74,79 @@ }, { "sync_rate": { - "type": "number" + "type": "number", + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." } }, { "namespace": { - "required": true, "auto": true, - "type": "string" + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace.", + "type": "string", + "required": true } }, { "strategy": { + "required": true, + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "type": "string", "one_of": [ "cluster", "redis", "local" - ], - "default": "local", - "required": true + ] } }, { "dictionary_name": { - "required": true, "default": "kong_rate_limiting_counters", - "type": "string" + "description": "The shared dictionary where counters are stored. 
When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "type": "string", + "required": true } }, { "hide_client_headers": { - "type": "boolean", - "default": false + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" } }, { "retry_after_jitter_max": { - "type": "number", - "default": 0 + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" } }, { "header_name": { - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." } }, { "path": { + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string", "match_none": [ { - "err": "must not have empty segments", - "pattern": "//" + "pattern": "//", + "err": "must not have empty segments" } - ], - "starts_with": "/", - "type": "string" + ] } }, { "redis": { - "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ], - "set2": [ - "host", - "port" - ] - } - }, - { - "mutually_exclusive_sets": { - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ], - "set2": [ - "cluster_addresses" - ] - } - }, - { - "mutually_exclusive_sets": { - "set1": [ - "cluster_addresses" - ], - "set2": [ - "host", - "port" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - } - ], "fields": [ { "host": { - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { @@ -201,17 +155,19 @@ 0, 65535 ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, { "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "default": 2000 + ] } }, { @@ -220,6 +176,7 @@ 0, 2147483646 ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, @@ -229,6 +186,7 @@ 0, 2147483646 ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, 
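Review bot: The new `strategy` description in the `@@ -70,129 +74,79 @@` hunk names only `local` and `cluster` as available values, while the `one_of` list directly below it also accepts `redis`. Someone configuring from the description alone would not learn that Redis-backed counters are an option, even though the same hunk documents a whole `redis` record. The last sentence could read `Available values are: local, cluster, and redis.` Since the commit message says these files are pulled from the API, the wording probably has to be corrected in the upstream schema and downloaded again rather than edited here.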
@@ -238,6 +196,7 @@ 0, 2147483646 ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, @@ -249,9 +208,9 @@ }, { "password": { - "referenceable": true, "encrypted": true, - "type": "string" + "type": "string", + "referenceable": true } }, { @@ -262,9 +221,9 @@ }, { "sentinel_password": { - "referenceable": true, "encrypted": true, - "type": "string" + "type": "string", + "referenceable": true } }, { @@ -275,21 +234,21 @@ }, { "keepalive_pool_size": { + "default": 30, + "type": "integer", "between": [ 1, 2147483646 - ], - "default": 30, - "type": "integer" + ] } }, { "keepalive_backlog": { + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer" + ] } }, { 
@@ -299,91 +258,166 @@ }, { "sentinel_role": { + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string" + ] } }, { "sentinel_addresses": { "len_min": 1, + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "cluster_addresses": { "len_min": 1, + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "ssl": { "default": false, - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "ssl_verify": { "default": false, - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string", "required": false } } ], - "type": "record" + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "cluster_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "cluster_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ] } }, { "enforce_consumer_groups": { - "type": "boolean", - "default": false + "default": false, + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. 
You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", + "type": "boolean" } }, { "consumer_groups": { + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "disable_penalty": { - "type": "boolean", - "default": false + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", + "type": "boolean" } }, { "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", "type": "number", - "gt": 0, - "default": 429 + "gt": 0 } }, { "error_message": { - "type": "string", - "default": "API rate limit exceeded" + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" } } ], - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/rate-limiting/3.4.x.json b/schemas/rate-limiting/3.4.x.json index 001e7790..e98fb100 100644 --- a/schemas/rate-limiting/3.4.x.json +++ b/schemas/rate-limiting/3.4.x.json 
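Review bot: The description added to `enforce_consumer_groups` is a word-for-word copy of the `consumer_groups` text ("List of consumer groups allowed to override…"), but this field is a boolean with `"default": false`. It should describe the switch itself, for example `Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service.`, followed by the existing sentences about flipping the flag. In the same hunk `ssl` and `ssl_verify` both default to `false` and get no description. Judging by the names, that means the Redis connection is neither encrypted nor certificate-checked unless enabled, which is worth one line each once confirmed upstream.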
@@ -2,68 +2,83 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "second": { "gt": 0, - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per second." } }, { "minute": { "gt": 0, - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per minute." } }, { "hour": { "gt": 0, - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per hour." } }, { "day": { "gt": 0, - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per day." } }, { "month": { "gt": 0, - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per month." } }, { "year": { "gt": 0, - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per year." } }, { "limit_by": { "default": "consumer", + "description": "The entity that is used when aggregating the limits.", "type": "string", "one_of": [ "consumer", 
@@ -77,64 +92,72 @@ }, { "header_name": { - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." } }, { "path": { + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string", "match_none": [ { - "err": "must not have empty segments", - "pattern": "//" + "pattern": "//", + "err": "must not have empty segments" } - ], - "starts_with": "/", - "type": "string" + ] } }, { "policy": { + "default": "local", + "len_min": 0, + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", "one_of": [ "local", "cluster", "redis" ], - "len_min": 0, - "type": "string", - "default": "local" + "type": "string" } }, { "fault_tolerant": { "default": true, - "required": true, - "type": "boolean" + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", + "type": "boolean", + "required": true } }, { "redis_host": { - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." 
} }, { "redis_port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "default": 6379 + ] } }, { "redis_password": { "len_min": 0, + "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", "type": "string", "referenceable": true } }, { "redis_username": { + "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.", "type": "string", "referenceable": true } 
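Review bot: The `fault_tolerant` description explains both settings but never says that the shipped default, `true`, is the fail-open one. By the description's own wording, a data-store outage then disables rate limiting until the store recovers, which matters where the plugin is relied on as an abuse or brute-force control. Consider appending `Defaults to true (fail open); set to false if limits must still be enforced while the data store is unreachable.` The phrase "has troubles connecting a third-party data store" would also read better as `has trouble connecting to a third-party data store`.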
@@ -142,56 +165,145 @@ { "redis_ssl": { "default": false, - "required": true, - "type": "boolean" + "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server.", + "type": "boolean", + "required": true } }, { "redis_ssl_verify": { "default": false, - "required": true, - "type": "boolean" + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies it server SSL certificate is validated. Note that you need to configure the lua_ssl_trusted_certificate to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.", + "type": "boolean", + "required": true } }, { "redis_server_name": { - "type": "string" + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS." } }, { "redis_timeout": { - "type": "number", - "default": 2000 + "default": 2000, + "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server.", + "type": "number" } }, { "redis_database": { - "type": "integer", - "default": 0 + "default": 0, + "description": "When using the `redis` policy, this property specifies the Redis database to use.", + "type": "integer" } }, { "hide_client_headers": { "default": false, - "required": true, - "type": "boolean" + "description": "Optionally hide informative response headers.", + "type": "boolean", + "required": true } }, { "error_code": { - "type": "number", + "default": 429, "gt": 0, - "default": 429 + "type": "number", + "description": "Set a custom error code to return when the rate limit is exceeded." 
} }, { "error_message": { - "type": "string", - "default": "API rate limit exceeded" + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + } + }, + { + "sync_rate": { + "default": -1, + "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior.", + "type": "number", + "required": true } } ], - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.second", + "config.minute", + "config.hour", + "config.day", + "config.month", + "config.year" + ] + }, + { + "conditional": { + "if_field": "config.policy", + "then_field": "config.redis_host", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.policy", + "then_field": "config.redis_port", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.limit_by", + "then_field": "config.header_name", + "if_match": { + "eq": "header" + }, + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.limit_by", + "then_field": "config.path", + "if_match": { + "eq": "path" + }, + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.policy", + "then_field": "config.redis_timeout", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + } } } ] diff --git a/schemas/request-size-limiting/3.4.x.json b/schemas/request-size-limiting/3.4.x.json index 92de1580..d2c58464 100644 --- a/schemas/request-size-limiting/3.4.x.json +++ b/schemas/request-size-limiting/3.4.x.json 
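Review bot: The `redis_ssl_verify` description contains a typo that obscures its meaning: "this property specifies it server SSL certificate is validated" should read `this property specifies if the server SSL certificate is validated`. The field defaults to `false` next to `redis_ssl`, so, as far as the schema shows, turning on `redis_ssl` alone leaves the Redis server's certificate unchecked. A short addition such as `Defaults to false; enable it together with redis_ssl so the Redis server is authenticated.` would make that explicit. The text comes from the API, so the fix presumably belongs in the upstream schema.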
@@ -2,57 +2,64 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } } }, { "config": { - "required": true, "fields": [ { "allowed_payload_size": { "default": 128, + "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", "type": "integer" } }, { "size_unit": { + "required": true, "default": "megabytes", + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", + "type": "string", "one_of": [ "megabytes", "kilobytes", "bytes" - ], - "required": true, - "type": "string" + ] } }, { "require_content_length": { "default": false, + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", "type": "boolean", "required": true } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-termination/3.4.x.json b/schemas/request-termination/3.4.x.json index 0f7ce4c5..2c516d5d 100644 --- a/schemas/request-termination/3.4.x.json +++ b/schemas/request-termination/3.4.x.json 
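Review bot: The `allowed_payload_size` description states the value is "in megabytes" unconditionally, but the `size_unit` field in the same hunk lets the operator switch to `kilobytes` or `bytes`. Read on its own, the description invites a limit that is off by several orders of magnitude when `size_unit` is changed, which defeats the purpose of a request-size guard. Suggested wording: `Allowed request payload size, expressed in the unit set by size_unit. Default is 128 (megabytes).`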
@@ -2,70 +2,88 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "status_code": { + "required": true, + "default": 503, + "description": "The response code to send. Must be an integer between 100 and 599.", "type": "integer", "between": [ 100, 599 - ], - "default": 503, - "required": true + ] } }, { "message": { - "type": "string" + "type": "string", + "description": "The message to send, if using the default response generator." } }, { "content_type": { - "type": "string" + "type": "string", + "description": "Content type of the raw response configured with `config.body`." } }, { "body": { - "type": "string" + "type": "string", + "description": "The raw response body to send. This is mutually exclusive with the `config.message` field." } }, { "echo": { "default": false, - "required": true, - "type": "boolean" + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", + "type": "boolean", + "required": true } }, { "trigger": { - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
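Review bot: The `trigger` description added here is only the generic "A string representing an HTTP header name.", which does not say what the field does. The `echo` description in the same hunk tells the reader to combine `echo` with `trigger` on live systems. Because `echo` returns a copy of the request to the client, operators need to know exactly which requests activate the plugin. The description should state the activation condition, presumably that the plugin acts only on requests carrying the named header, to be confirmed against the plugin source before it is written down.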
diff --git a/schemas/request-transformer-advanced/3.4.x.json b/schemas/request-transformer-advanced/3.4.x.json index 2f158aed..41c03b5c 100644 --- a/schemas/request-transformer-advanced/3.4.x.json +++ b/schemas/request-transformer-advanced/3.4.x.json @@ -2,45 +2,45 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } } }, { "config": { - "required": true, "fields": [ { "http_method": { - "match": "^%u+$", - "type": "string" + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", + "type": "string", + "match": "^%u+$" } }, { "remove": { - "required": true, "fields": [ { "body": { - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } @@ -48,10 +48,10 @@ }, { "headers": { - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } 
@@ -59,77 +59,77 @@ }, { "querystring": { - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } } } ], - "type": "record" + "type": "record", + "required": true } }, { "rename": { - "required": true, "fields": [ { "body": { - "type": "array", "default": [ ], + "type": "array", "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } } }, { "headers": { - "type": "array", "default": [ ], + "type": "array", "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } } }, { "querystring": { - "type": "array", "default": [ ], + "type": "array", "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } } } ], - "type": "record" + "type": "record", + "required": true } }, { "replace": { - "required": true, "fields": [ { "body": { "default": [ ], + "type": "array", "elements": { - "referenceable": true, - "type": "string" - }, - "type": "array" + "type": "string", + "referenceable": true + } } }, { @@ -137,11 +137,11 @@ "default": [ ], + "type": "array", "elements": { - "referenceable": true, - "type": "string" - }, - "type": "array" + "type": "string", + "referenceable": true + } } }, { @@ -149,15 +149,19 @@ "default": [ ], + "type": "array", "elements": { - "referenceable": true, - "type": "string" - }, - "type": "array" + "type": "string", + "referenceable": true + } } }, { "json_types": { + "default": [ + + ], + "type": "array", "elements": { "type": "string", "one_of": [ @@ -165,11 +169,7 @@ "number", "string" ] - }, - "type": "array", - "default": [ - - ] + } } }, { 
@@ -178,154 +178,160 @@ } } ], - "type": "record" + "type": "record", + "required": true } }, { "add": { - "required": true, "fields": [ { "body": { + "default": [ + + ], + "type": "array", "elements": { "type": "string", "referenceable": true - }, - "type": "array", - "default": [ - - ] + } } }, { "headers": { + "default": [ + + ], + "type": "array", "elements": { "type": "string", "referenceable": true - }, - "type": "array", - "default": [ - - ] + } } }, { "querystring": { + "default": [ + + ], + "type": "array", "elements": { "type": "string", "referenceable": true - }, - "type": "array", - "default": [ - - ] + } } }, { "json_types": { - "type": "array", "default": [ ], + "type": "array", "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" + ] } } } ], - "type": "record" + "type": "record", + "required": true } }, { "append": { - "required": true, "fields": [ { "body": { + "default": [ + + ], + "type": "array", "elements": { "type": "string", "referenceable": true - }, - "type": "array", - "default": [ - - ] + } } }, { "headers": { + "default": [ + + ], + "type": "array", "elements": { "type": "string", "referenceable": true - }, - "type": "array", - "default": [ - - ] + } } }, { "querystring": { + "default": [ + + ], + "type": "array", "elements": { "type": "string", "referenceable": true - }, - "type": "array", - "default": [ - - ] + } } }, { "json_types": { - "type": "array", "default": [ ], + "type": "array", "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" + ] } } } ], - "type": "record" + "type": "record", + "required": true } }, { "allow": { - "required": true, "fields": [ { "body": { + "type": "set", "elements": { "type": "string" - }, - "type": "set" + } } } ], - "type": "record" + "type": "record", + "required": true } }, { "dots_in_keys": { "default": true, + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as 
part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects).", "type": "boolean" } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-transformer/3.4.x.json b/schemas/request-transformer/3.4.x.json index 00b0097d..110db3cb 100644 --- a/schemas/request-transformer/3.4.x.json +++ b/schemas/request-transformer/3.4.x.json @@ -2,13 +2,18 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing protocols.", + "type": "set", "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -20,37 +25,33 @@ "udp", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } } }, { "config": { - "required": true, "fields": [ { "http_method": { - "match": "^%u+$", - "type": "string" + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", + "type": "string", + "match": "^%u+$" } }, { "remove": { - "required": true, "fields": [ { "body": { "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "required": true + } } }, { @@ -58,11 +59,11 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "required": true + } } }, { 
@@ -70,31 +71,31 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "required": true + } } } ], - "type": "record" + "type": "record", + "required": true } }, { "rename": { - "required": true, "fields": [ { "body": { "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "required": true + } } }, { @@ -102,12 +103,12 @@ "default": [ ], - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, + "required": true, "type": "array", - "required": true + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + } } }, { @@ -115,28 +116,28 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "required": true + } } } ], - "type": "record" + "type": "record", + "required": true } }, { "replace": { - "required": true, "fields": [ { "body": { - "required": true, - "type": "array", "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string" } @@ -144,24 +145,24 @@ }, { "headers": { - "required": true, - "type": "array", "default": [ ], + "required": true, + "type": "array", "elements": { - "match": "^[^:]+:.*$", - "type": "string" + "type": "string", + "match": "^[^:]+:.*$" } } }, { "querystring": { - "required": true, - "type": "array", "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string" } @@ -173,23 +174,23 @@ } } ], - "type": "record" + "type": "record", + "required": true } }, { "add": { - "required": true, "fields": [ { "body": { "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "required": true + } } }, { @@ -197,12 +198,12 @@ "default": [ ], - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, + "required": true, "type": "array", - "required": true + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + } } }, { 
@@ -210,31 +211,31 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "required": true + } } } ], - "type": "record" + "type": "record", + "required": true } }, { "append": { - "required": true, "fields": [ { "body": { "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "required": true + } } }, { @@ -242,12 +243,12 @@ "default": [ ], - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, + "required": true, "type": "array", - "required": true + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + } } }, { @@ -255,20 +256,25 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "required": true + } } } ], - "type": "record" + "type": "record", + "required": true } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-validator/3.4.x.json b/schemas/request-validator/3.4.x.json index e3e314b2..f26c8e86 100644 --- a/schemas/request-validator/3.4.x.json +++ b/schemas/request-validator/3.4.x.json 
@@ -2,49 +2,51 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, - "entity_checks": [ - { - "at_least_one_of": [ - "body_schema", - "parameter_schema" - ] - } - ], "fields": [ { "body_schema": { - "required": false, - "type": "string" + "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.", + "type": "string", + "required": false } }, { "allowed_content_types": { - "type": "set", "default": [ "application/json" ], + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", + "type": "set", "elements": { "type": "string", "required": true 
@@ -53,63 +55,49 @@ }, { "version": { + "required": true, + "default": "kong", + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", "one_of": [ "kong", "draft4" ], - "default": "kong", - "type": "string", - "required": true + "type": "string" } }, { "parameter_schema": { - "type": "array", "required": false, + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", + "type": "array", "elements": { - "entity_checks": [ - { - "mutually_required": [ - "style", - "explode", - "schema" - ] - }, - { - "custom_entity_check": { - "field_sources": [ - "style", - "in" - ] - } - } - ], "fields": [ { "in": { - "required": true, "type": "string", "one_of": [ "query", "header", "path" - ] + ], + "required": true } }, { "name": { - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "required": { - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "style": { + "type": "string", "one_of": [ "label", "form", @@ -118,8 +106,7 @@ "spaceDelimited", "pipeDelimited", "deepObject" - ], - "type": "string" + ] } }, { 
@@ -133,19 +120,55 @@ } } ], - "type": "record" + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "style", + "explode", + "schema" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "style", + "in" + ] + } + } + ] } } }, { "verbose_response": { + "default": false, + "description": "If enabled, the plugin returns more verbose and detailed validation errors.", "type": "boolean", - "required": true, - "default": false + "required": true } } ], - "type": "record" + "required": true, + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "body_schema", + "parameter_schema" + ] + } + ] + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/response-ratelimiting/3.4.x.json b/schemas/response-ratelimiting/3.4.x.json index 3dbf1716..954f8d3c 100644 --- a/schemas/response-ratelimiting/3.4.x.json +++ b/schemas/response-ratelimiting/3.4.x.json 
@@ -2,38 +2,48 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "header_name": { - "type": "string", - "default": "x-kong-limit" + "default": "x-kong-limit", + "description": "The name of the response header used to increment the counters.", + "type": "string" } }, { "limit_by": { "default": "consumer", + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", "type": "string", "one_of": [ "consumer", @@ -45,6 +55,7 @@ { "policy": { "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", "type": "string", "one_of": [ "local", 
@@ -55,150 +66,202 @@ }, { "fault_tolerant": { + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", "type": "boolean", - "required": true, - "default": true + "required": true } }, { "redis_host": { - "type": "string" + "type": "string", + "description": "When using the `redis` policy, this property specifies the address to the Redis server." } }, { "redis_port": { + "default": 6379, + "description": "When using the `redis` policy, this property specifies the port of the Redis server.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "default": 6379 + ] } }, { "redis_password": { "len_min": 0, + "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", "type": "string", "referenceable": true } }, { "redis_username": { + "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.\nThis requires Redis v6.0.0+. The username **cannot** be set to `default`.", "type": "string", "referenceable": true } }, { "redis_ssl": { + "default": false, + "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server.", "type": "boolean", - "required": true, - "default": false + "required": true } }, { "redis_ssl_verify": { + "default": false, + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies if the server SSL certificate is validated. Note that you need to configure the `lua_ssl_trusted_certificate` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", "type": "boolean", - "required": true, - "default": false + "required": true } }, { "redis_server_name": { - "type": "string" + "type": "string", + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies the server name for the TLS extension Server Name Indication (SNI)." } }, { "redis_timeout": { - "type": "number", - "default": 2000 + "default": 2000, + "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server.", + "type": "number" } }, { "redis_database": { - "type": "number", - "default": 0 + "default": 0, + "description": "When using the `redis` policy, this property specifies Redis database to use.", + "type": "number" } }, { "block_on_first_violation": { + "default": false, + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. 
This will block requests that are supposed to consume other limits too.", "type": "boolean", - "required": true, - "default": false + "required": true } }, { "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers.", "type": "boolean", - "required": true, - "default": false + "required": true } }, { "limits": { - "len_min": 1, - "keys": { - "type": "string" - }, "values": { - "type": "record", - "entity_checks": [ - { - "at_least_one_of": [ - "second", - "minute", - "hour", - "day", - "month", - "year" - ] - } - ], + "required": true, "fields": [ { "second": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { "minute": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { "hour": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { "day": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { "month": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { "year": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } } ], - "required": true + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "second", + "minute", + "hour", + "day", + "month", + "year" + ] + } + ] }, "required": true, - "type": "map" + "len_min": 1, + "description": "A map that defines rate limits for the plugin.", + "type": "map", + "keys": { + "type": "string" + } } } ], - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "config.policy", + "then_field": "config.redis_host", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.policy", + "then_field": "config.redis_port", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.policy", + "then_field": "config.redis_timeout", + "if_match": { + "eq": "redis" + }, + 
"then_match": { + "required": true + } } } ] diff --git a/schemas/response-transformer-advanced/3.4.x.json b/schemas/response-transformer-advanced/3.4.x.json index 48a5b19c..547fe826 100644 --- a/schemas/response-transformer-advanced/3.4.x.json +++ b/schemas/response-transformer-advanced/3.4.x.json @@ -2,39 +2,38 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } } }, { "config": { - "required": true, "fields": [ { "remove": { - "required": true, "fields": [ { "json": { - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } @@ -42,10 +41,10 @@ }, { "headers": { - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } @@ -53,65 +52,66 @@ }, { "if_status": { - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } } } ], - "type": "record" + "type": "record", + "required": true } }, { "rename": { - "required": true, "fields": [ { "headers": { - "type": "array", "default": [ ], + "type": "array", "elements": { - "match": "^[^:]+:.*$", - "type": "string" + "type": "string", + "match": "^[^:]+:.*$" } } }, { "if_status": { - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } } } ], - "type": "record" + "type": "record", + "required": true } }, { "replace": { - "required": true, "fields": [ { "body": { - "type": "string" + "type": "string", + "description": "String with which to replace the entire response body." } }, { "json": { - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } 
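Review bot: The new `redis_ssl_verify` description explains how to configure the trusted CA but not what its `false` default means: with `redis_ssl` set to `true` and verification left off, the connection is encrypted but the Redis server certificate is not checked, so the peer is not authenticated. I would append a sentence such as `When left at false, the server certificate is not validated.` to that description. Separately, `redis_password` carries `referenceable` but no `encrypted` flag, whereas `session_redis_password` in schemas/saml/3.4.x.json in this same patch carries both. If that difference is unintended, the fix presumably belongs in the upstream schema, since the commit message says these files are pulled from the API.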
@@ -119,26 +119,26 @@ }, { "json_types": { - "type": "array", "default": [ ], + "type": "array", "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" + ] } } }, { "headers": { - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } @@ -146,29 +146,29 @@ }, { "if_status": { - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } } } ], - "type": "record" + "type": "record", + "required": true } }, { "add": { - "required": true, "fields": [ { "json": { - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } @@ -176,26 +176,26 @@ }, { "json_types": { - "type": "array", "default": [ ], + "type": "array", "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" + ] } } }, { "headers": { - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } @@ -203,29 +203,29 @@ }, { "if_status": { - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } } } ], - "type": "record" + "type": "record", + "required": true } }, { "append": { - "required": true, "fields": [ { "json": { - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } @@ -233,26 +233,26 @@ }, { "json_types": { - "type": "array", "default": [ ], + "type": "array", "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" + ] } } }, { "headers": { - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } 
@@ -260,45 +260,45 @@ }, { "if_status": { - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } } } ], - "type": "record" + "type": "record", + "required": true } }, { "allow": { - "required": true, "fields": [ { "json": { + "type": "set", "elements": { "type": "string" - }, - "type": "set" + } } } ], - "type": "record" + "type": "record", + "required": true } }, { "transform": { - "required": true, "fields": [ { "functions": { - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } @@ -306,10 +306,10 @@ }, { "if_status": { - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } @@ -317,28 +317,34 @@ }, { "json": { - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } } } ], - "type": "record" + "type": "record", + "required": true } }, { "dots_in_keys": { "default": true, + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", "type": "boolean" } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/response-transformer/3.4.x.json b/schemas/response-transformer/3.4.x.json index 58468539..0ef5aab8 100644 --- a/schemas/response-transformer/3.4.x.json +++ b/schemas/response-transformer/3.4.x.json 
@@ -2,43 +2,42 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } } }, { "config": { - "required": true, "fields": [ { "remove": { - "required": true, "fields": [ { "json": { "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string" - }, - "required": true, - "type": "array" + } } }, { @@ -46,70 +45,71 @@ "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string" - }, - "required": true, - "type": "array" + } } } ], - "type": "record" + "type": "record", + "required": true } }, { "rename": { - "required": true, "fields": [ { "headers": { "default": [ ], - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, "required": true, - "type": "array" + "type": "array", + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + } } } ], - "type": "record" + "type": "record", + "required": true } }, { "replace": { - "required": true, "fields": [ { "json": { "default": [ ], - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, "required": true, - "type": "array" + "type": "array", + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + } } }, { "json_types": { + "required": true, "default": [ ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "type": "array", "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" - }, - "required": true, - "type": "array" + ] + } } }, { 
@@ -117,50 +117,51 @@ "default": [ ], - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, "required": true, - "type": "array" + "type": "array", + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + } } } ], - "type": "record" + "type": "record", + "required": true } }, { "add": { - "required": true, "fields": [ { "json": { "default": [ ], - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, "required": true, - "type": "array" + "type": "array", + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + } } }, { "json_types": { + "required": true, "default": [ ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "type": "array", "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" - }, - "required": true, - "type": "array" + ] + } } }, { @@ -168,50 +169,51 @@ "default": [ ], - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, "required": true, - "type": "array" + "type": "array", + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + } } } ], - "type": "record" + "type": "record", + "required": true } }, { "append": { - "required": true, "fields": [ { "json": { "default": [ ], - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, "required": true, - "type": "array" + "type": "array", + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + } } }, { "json_types": { + "required": true, "default": [ ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "type": "array", "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" - }, - "required": true, - "type": "array" + ] + } } }, { 
@@ -219,21 +221,26 @@ "default": [ ], - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, "required": true, - "type": "array" + "type": "array", + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + } } } ], - "type": "record" + "type": "record", + "required": true } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/route-by-header/3.4.x.json b/schemas/route-by-header/3.4.x.json index dc8a336b..195256b8 100644 --- a/schemas/route-by-header/3.4.x.json +++ b/schemas/route-by-header/3.4.x.json @@ -2,36 +2,46 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "rules": { - "type": "array", "default": [ ], + "description": "Route by header rules.", + "type": "array", "elements": { + "type": "record", "fields": [ { "upstream_name": { @@ -41,25 +51,28 @@ }, { "condition": { - "len_min": 1, - "keys": { - "type": "string" - }, "values": { "type": "string" }, "required": true, - "type": "map" + "len_min": 1, + "type": "map", + "keys": { + "type": "string" + } } } - ], - "type": "record" + ] } } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/route-transformer-advanced/3.4.x.json b/schemas/route-transformer-advanced/3.4.x.json index f743be94..4cf25cb5 100644 --- a/schemas/route-transformer-advanced/3.4.x.json 
+++ b/schemas/route-transformer-advanced/3.4.x.json @@ -2,37 +2,36 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, - "entity_checks": [ - { - "at_least_one_of": [ - "path", - "port", - "host" - ] - } - ], "fields": [ { "path": { @@ -51,13 +50,26 @@ }, { "escape_path": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } } ], - "type": "record" + "required": true, + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "path", + "port", + "host" + ] + } + ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/saml/3.4.x.json b/schemas/saml/3.4.x.json index 60c0881c..06923fbe 100644 --- a/schemas/saml/3.4.x.json +++ b/schemas/saml/3.4.x.json 
@@ -2,251 +2,204 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "shorthand_fields": [ - { - "session_cookie_lifetime": { - "type": "number" - } - }, - { - "session_cookie_idletime": { - "type": "number" - } - }, - { - "session_cookie_samesite": { - "type": "string" - } - }, - { - "session_cookie_httponly": { - "type": "boolean" - } - }, - { - "session_memcache_prefix": { - "type": "string" - } - }, - { - "session_memcache_socket": { - "type": "string" - } - }, - { - "session_memcache_host": { - "type": "string" - } - }, - { - "session_memcache_port": { - "type": "integer" - } - }, - { - "session_redis_cluster_maxredirections": { - "type": "integer" - } - }, - { - "session_cookie_renew": { - "type": "number" - } - }, - { - "session_cookie_maxsize": { - "type": "integer" - } - }, - { - "session_strategy": { - "type": "string" - } - }, - { - "session_compressor": { - "type": "string" - } - }, - { - "session_auth_ttl": { - "type": "number" - } - } - ], - "type": "record", "fields": [ { "assertion_consumer_path": { "match_none": [ { - "err": "must not have empty segments", - "pattern": "//" + "pattern": "//", + "err": "must not have empty segments" } ], - "type": "string", + "required": true, "starts_with": "/", - "required": true + "type": "string", + "description": "A 
string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "idp_sso_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", "required": true } }, { "idp_certificate": { - "required": false, "encrypted": true, + "referenceable": true, + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", "type": "string", - "referenceable": true + "required": false } }, { "response_encryption_key": { - "required": false, "encrypted": true, + "referenceable": true, + "description": "The private encryption key required to decrypt encrypted assertions.", "type": "string", - "referenceable": true + "required": false } }, { "request_signing_key": { - "required": false, "encrypted": true, + "referenceable": true, + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", "type": "string", - "referenceable": true + "required": false } }, { "request_signing_certificate": { - "required": false, "encrypted": true, + "referenceable": true, + "description": "The certificate for signing requests.", "type": "string", - "referenceable": true + "required": false } }, { "request_signature_algorithm": { "required": false, + "default": "SHA256", + "description": "The signature algorithm for signing Authn requests. 
Options available are: - `SHA256` - `SHA384` - `SHA512`", + "type": "string", "one_of": [ "SHA256", "SHA384", "SHA512" - ], - "type": "string", - "default": "SHA256" + ] } }, { "request_digest_algorithm": { "required": false, + "default": "SHA256", + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", + "type": "string", "one_of": [ "SHA256", "SHA1" - ], - "type": "string", - "default": "SHA256" + ] } }, { "response_signature_algorithm": { "required": false, + "default": "SHA256", + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "type": "string", "one_of": [ "SHA256", "SHA384", "SHA512" - ], - "type": "string", - "default": "SHA256" + ] } }, { "response_digest_algorithm": { "required": false, + "default": "SHA256", + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", + "type": "string", "one_of": [ "SHA256", "SHA1" - ], - "type": "string", - "default": "SHA256" + ] } }, { "issuer": { - "required": true, - "type": "string" + "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", + "type": "string", + "required": true } }, { "nameid_format": { "required": false, + "default": "EmailAddress", + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", + "type": "string", "one_of": [ "Unspecified", "EmailAddress", "Persistent", "Transient" - ], - "type": "string", - "default": "EmailAddress" + ] } }, { "validate_assertion_signature": { "default": true, + "description": "Enable signature validation for SAML responses.", "type": "boolean", "required": false } }, { "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. 
If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", "type": "string", "required": false } }, { "session_secret": { - "match": "^[0-9a-zA-Z/_+]+$", - "len_min": 32, - "len_max": 32, - "required": true, "referenceable": true, + "required": true, + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", "encrypted": true, - "type": "string" + "len_min": 32, + "len_max": 32, + "type": "string", + "match": "^[0-9a-zA-Z/_+]+$" } }, { "session_audience": { "default": "default", + "description": "The session audience, for example \"my-application\"", "type": "string", "required": false } @@ -254,6 +207,7 @@ { "session_cookie_name": { "default": "session", + "description": "The session cookie name.", "type": "string", "required": false } @@ -261,6 +215,7 @@ { "session_remember": { "default": false, + "description": "Enables or disables persistent sessions", "type": "boolean", "required": false } @@ -268,6 +223,7 @@ { "session_remember_cookie_name": { "default": "remember", + "description": "Persistent session cookie name", "type": "string", "required": false } @@ -275,6 +231,7 @@ { "session_remember_rolling_timeout": { "default": 604800, + "description": "Persistent session rolling timeout in seconds.", "type": "number", "required": false } @@ -282,6 +239,7 @@ { "session_remember_absolute_timeout": { "default": 2592000, + "description": "Persistent session absolute timeout in seconds.", "type": "number", "required": false } @@ -289,6 +247,7 @@ { "session_idling_timeout": { "default": 900, + "description": "The session cookie idle time in seconds.", "type": "number", "required": false } 
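Review bot: The new descriptions for `request_digest_algorithm` and `response_digest_algorithm` list `SHA1` next to `SHA256` with no guidance on which to choose. SHA-1 is no longer considered collision-resistant, so the text should say that the `SHA256` default is the one to keep and that `SHA1` is presumably there for older IdPs, for example by appending `SHA1 is offered for compatibility only; prefer SHA256.` In the same hunk the `session_secret` description calls letters, numbers, `/`, `_` and `+` "the base64 alphabet", but standard base64 uses `+` and `/` and the URL-safe variant uses `-` and `_`. The `match` pattern `^[0-9a-zA-Z/_+]+$` is the authoritative rule, so the description should present it as the accepted character set.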
@@ -296,6 +255,7 @@ { "session_rolling_timeout": { "default": 3600, + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", "type": "number", "required": false } @@ -303,26 +263,29 @@ { "session_absolute_timeout": { "default": 86400, + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", "type": "number", "required": false } }, { "session_cookie_path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { - "err": "must not have empty segments", - "pattern": "//" + "pattern": "//", + "err": "must not have empty segments" } ], - "starts_with": "/", "default": "/", - "required": false, - "type": "string" + "starts_with": "/", + "type": "string", + "required": false } }, { "session_cookie_domain": { + "description": "The session cookie domain flag.", "type": "string", "required": false } 
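Review bot: `session_rolling_timeout` is given the description `The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.`, which is word for word the text given to `session_absolute_timeout` in the following hunk (`@@ -303,26 +263,29 @@`). The two fields have different defaults (3600 and 86400), so they are distinct limits and the rolling one needs its own wording, starting with `The session cookie rolling timeout in seconds.` What the rolling timeout governs is not visible in this patch and should be taken from the upstream schema rather than guessed. These values bound how long a session stays usable, so an operator tuning them needs to be able to tell the two apart.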
@@ -330,32 +293,37 @@ { "session_cookie_same_site": { "required": false, + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "type": "string", "one_of": [ "Strict", "Lax", "None", "Default" - ], - "type": "string", - "default": "Lax" + ] } }, { "session_cookie_http_only": { "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "type": "boolean", "required": false } }, { "session_cookie_secure": { + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "type": "boolean", "required": false } }, { "session_request_headers": { + "type": "set", "elements": { + "type": "string", "one_of": [ "id", "audience", @@ -364,15 +332,15 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ], - "type": "string" - }, - "type": "set" + ] + } } }, { "session_response_headers": { + "type": "set", "elements": { + "type": "string", "one_of": [ "id", "audience", 
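Review bot: The `session_cookie_secure` description has a run-together `https:scheme`, which should read `the https: scheme`. It also gives no hint of what applies when the field is unset. Unlike `session_cookie_http_only` (`true`) and `session_cookie_same_site` (`Lax`), this field has no `default` in the hunk, so the description should state the effective behaviour. That matters because `session_cookie_same_site` accepts `None`, and browsers generally require the `Secure` attribute on cookies sent with `SameSite=None`.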
@@ -381,28 +349,28 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ], - "type": "string" - }, - "type": "set" + ] + } } }, { "session_storage": { "required": false, + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", + "type": "string", "one_of": [ "cookie", "memcache", "memcached", "redis" - ], - "type": "string", - "default": "cookie" + ] } }, { "session_store_metadata": { "default": false, + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", "type": "boolean", "required": false } @@ -410,6 +378,7 @@ { "session_enforce_same_subject": { "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", "type": "boolean", "required": false } @@ -417,6 +386,7 @@ { "session_hash_subject": { "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", "type": "boolean", "required": false } @@ -424,18 +394,21 @@ { "session_hash_storage_key": { "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "type": "boolean", "required": false } }, { "session_memcached_prefix": { + "description": "The memcached session key prefix.", "type": "string", "required": false } }, { "session_memcached_socket": { + "description": "The memcached unix socket path.", "type": "string", "required": false } 
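Review bot: The new `session_storage` description documents three values (`cookie`, `memcached`, `redis`) while the `one_of` list accepts four, including `memcache`. If `memcache` is an alias kept for compatibility (an assumption, not shown here), the description should say so, for example `memcache is accepted as an alias of memcached.` The description is also a Markdown list flattened into one line (` - `cookie`: … - `memcached`: …`), which will render as running text unless the consumer re-splits it.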
@@ -443,29 +416,33 @@ { "session_memcached_host": { "default": "127.0.0.1", + "description": "The memcached host.", "type": "string", "required": false } }, { "session_memcached_port": { + "required": false, + "default": 11211, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", "between": [ 0, 65535 - ], - "required": false, - "default": 11211 + ] } }, { "session_redis_prefix": { + "description": "The Redis session key prefix.", "type": "string", "required": false } }, { "session_redis_socket": { + "description": "The Redis unix socket path.", "type": "string", "required": false } 
@@ -473,50 +450,57 @@ { "session_redis_host": { "default": "127.0.0.1", + "description": "The Redis host IP.", "type": "string", "required": false } }, { "session_redis_port": { + "required": false, + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", "between": [ 0, 65535 - ], - "required": false, - "default": 6379 + ] } }, { "session_redis_username": { "referenceable": true, + "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", "type": "string", "required": false } }, { "session_redis_password": { - "required": false, "encrypted": true, + "referenceable": true, + "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. This value is pulled from", "type": "string", - "referenceable": true + "required": false } }, { "session_redis_connect_timeout": { + "description": "The Redis connection timeout in milliseconds.", "type": "integer", "required": false } }, { "session_redis_read_timeout": { + "description": "The Redis read timeout in milliseconds.", "type": "integer", "required": false } }, { "session_redis_send_timeout": { + "description": "The Redis send timeout in milliseconds.", "type": "integer", "required": false } @@ -524,6 +508,7 @@ { "session_redis_ssl": { "default": false, + "description": "Use SSL/TLS for the Redis connection.", "type": "boolean", "required": false } 
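Review bot: The `session_redis_password` description added in the `@@ -473,50 +450,57 @@` hunk stops mid-sentence at `This value is pulled from`, so the published text never says where the value comes from. The `session_redis_username` description just above it also runs two sentences together (`desired.If undefined`). Both strings look as if they lost content when the descriptions were merged into the schema. The field is marked `encrypted` and `referenceable`, so the missing part is probably the pointer to how the secret should be supplied, and it should be restored upstream before this text is published.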
@@ -531,53 +516,135 @@ { "session_redis_ssl_verify": { "default": false, + "description": "Verify the Redis server certificate.", "type": "boolean", "required": false } }, { "session_redis_server_name": { + "description": "The SNI used for connecting to the Redis server.", "type": "string", "required": false } }, { "session_redis_cluster_nodes": { - "type": "array", "required": false, + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", + "type": "array", "elements": { + "type": "record", "fields": [ { "ip": { - "type": "string", "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string", "required": true } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "default": 6379 + ] } } - ], - "type": "record" + ] } } }, { "session_redis_cluster_max_redirections": { + "description": "The Redis cluster maximum redirects.", "type": "integer", "required": false } } ], + "type": "record", + "shorthand_fields": [ + { + "session_cookie_lifetime": { + "type": "number" + } + }, + { + "session_cookie_idletime": { + "type": "number" + } + }, + { + "session_cookie_samesite": { + "type": "string" + } + }, + { + "session_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "type": "string" + } + }, + { + "session_memcache_socket": { + "type": "string" + } + }, + { + "session_memcache_host": { + "type": "string" + } + }, + { + "session_memcache_port": { + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer" + } + }, + { + "session_cookie_renew": { + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "type": "integer" + } + }, + { + "session_strategy": { + "type": "string" + } + }, + { + "session_compressor": { + "type": 
"string" + } + }, + { + "session_auth_ttl": { + "type": "number" + } + } + ], "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/session/3.4.x.json b/schemas/session/3.4.x.json index ab89e85b..9cf9d1dc 100644 --- a/schemas/session/3.4.x.json +++ b/schemas/session/3.4.x.json @@ -2,20 +2,26 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing protocols.", + "type": "set", "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
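Review bot: In the `@@ -531,53 +516,135 @@` hunk (which starts on the previous line), `session_redis_ssl_verify` keeps `"default": false` and the new description says only `Verify the Redis server certificate.` An operator who enables `session_redis_ssl` alone gets an encrypted connection to a peer that is not authenticated, and the description should say so, for example `"Verify the Redis server certificate. Off by default; enable it together with session_redis_ssl so that the server is authenticated."`. In the same hunk the `ip` field of `session_redis_cluster_nodes` is described as `A string representing a host name, such as example.com.`, which contradicts the field name and the parent description that distinguishes `ip` from `host`.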
@@ -27,67 +33,36 @@ "udp", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "shorthand_fields": [ - { - "cookie_lifetime": { - "type": "number" - } - }, - { - "cookie_idletime": { - "type": "number" - } - }, - { - "cookie_renew": { - "type": "number" - } - }, - { - "cookie_discard": { - "type": "number" - } - }, - { - "cookie_samesite": { - "type": "string" - } - }, - { - "cookie_httponly": { - "type": "boolean" - } - }, - { - "cookie_persistent": { - "type": "boolean" - } - } - ], - "required": true, "fields": [ { "secret": { + "referenceable": true, "required": false, + "default": "as6rhTxJRUuWhaZKo58zQN1ZdWZSxGzYdKDnvRIEUSUp", + "description": "The secret that is used in keyed HMAC generation.", "type": "string", - "default": "x8iNgCZK6ujBch4SJzrfXTvxciHURzefZYUqZ0PDyIwr", - "encrypted": true, - "referenceable": true + "encrypted": true } }, { "storage": { - "type": "string", "default": "cookie", + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", + "type": "string", "one_of": [ "cookie", "kong" 
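Review bot: The `default` of `secret` changes from one random-looking literal to another in this hunk, which suggests the value is generated when the schema is dumped rather than being a fixed default. Publishing it as the documented default invites users to copy a now-public value into their configuration, and it will produce a spurious diff on every regeneration. I would drop `default` for `secret` in the download step, or replace it with an obvious placeholder. The description could then read something like `"The secret that is used in keyed HMAC generation. If not set, a random value is generated."`, once that behaviour is confirmed against the plugin source.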
@@ -97,54 +72,63 @@ { "audience": { "default": "default", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", "type": "string" } }, { "idling_timeout": { "default": 900, + "description": "The session cookie idle time, in seconds.", "type": "number" } }, { "rolling_timeout": { "default": 3600, + "description": "The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed.", "type": "number" } }, { "absolute_timeout": { "default": 86400, + "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", "type": "number" } }, { "stale_ttl": { "default": 10, + "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", "type": "number" } }, { "cookie_name": { "default": "session", + "description": "The name of the cookie.", "type": "string" } }, { "cookie_path": { "default": "/", + "description": "The resource in the host where the cookie is available.", "type": "string" } }, { "cookie_domain": { - "type": "string" + "type": "string", + "description": "The domain with which the cookie is intended to be exchanged." } }, { "cookie_same_site": { - "type": "string", "default": "Strict", + "description": "Determines whether and how a cookie may be sent with cross-site requests.", + "type": "string", "one_of": [ "Strict", "Lax", 
@@ -156,42 +140,51 @@ { "cookie_http_only": { "default": true, + "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", "type": "boolean" } }, { "cookie_secure": { "default": true, + "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", "type": "boolean" } }, { "remember": { "default": false, + "description": "Enables or disables persistent sessions.", "type": "boolean" } }, { "remember_cookie_name": { "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", "type": "string" } }, { "remember_rolling_timeout": { "default": 604800, + "description": "The persistent session rolling timeout window, in seconds.", "type": "number" } }, { "remember_absolute_timeout": { "default": 2592000, + "description": "The persistent session absolute timeout limit, in seconds.", "type": "number" } }, { "response_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", + "type": "set", "elements": { + "type": "string", "one_of": [ "id", "audience", @@ -200,15 +193,16 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ], - "type": "string" - }, - "type": "set" + ] + } } }, { "request_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", + "type": "set", "elements": { + "type": "string", "one_of": [ "id", "audience", 
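Review bot: The `cookie_http_only` description added in the `@@ -156,42 +140,51 @@` hunk says the HttpOnly attribute is applied "so that the cookie is sent only to a server", which is not what the attribute does. HttpOnly keeps client-side script from reading the cookie; it does not restrict where the cookie is sent. The `session_cookie_http_only` field earlier in this patch already words it correctly, and reusing that sentence ("Forbids JavaScript from accessing the cookie, ...") would keep the two plugins consistent. The neighbouring `cookie_secure` text is fine as written.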
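Review bot: In the `@@ -200,15 +193,16 @@` hunk, `request_headers` is given the same description as `response_headers`, `List of information to include, as headers, in the response to the downstream.`, which looks like a copy-paste slip. Judging by the field name, these values are attached to the proxied request, so the text should read something like `"List of information to include, as headers, in the request to the upstream."`. The distinction matters to an operator deciding where session metadata such as `id` and `audience` ends up. The `one_of` list of this field continues outside the hunk.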
@@ -217,44 +211,86 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ], - "type": "string" - }, - "type": "set" + ] + } } }, { "logout_methods": { + "default": [ + "POST", + "DELETE" + ], + "description": "A set of HTTP methods that the plugin will respond to.", "type": "set", "elements": { + "type": "string", "one_of": [ "GET", "POST", "DELETE" - ], - "type": "string" - }, - "default": [ - "POST", - "DELETE" - ] + ] + } } }, { "logout_query_arg": { "default": "session_logout", + "description": "The query argument passed to logout requests.", "type": "string" } }, { "logout_post_arg": { "default": "session_logout", + "description": "The POST argument passed to logout requests. Do not change this property.", "type": "string" } } ], - "type": "record" + "type": "record", + "shorthand_fields": [ + { + "cookie_lifetime": { + "type": "number" + } + }, + { + "cookie_idletime": { + "type": "number" + } + }, + { + "cookie_renew": { + "type": "number" + } + }, + { + "cookie_discard": { + "type": "number" + } + }, + { + "cookie_samesite": { + "type": "string" + } + }, + { + "cookie_httponly": { + "type": "boolean" + } + }, + { + "cookie_persistent": { + "type": "boolean" + } + } + ], + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/statsd-advanced/3.4.x.json b/schemas/statsd-advanced/3.4.x.json index 4e74fce9..710b4374 100644 --- a/schemas/statsd-advanced/3.4.x.json +++ b/schemas/statsd-advanced/3.4.x.json @@ -2,13 +2,18 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing protocols.", + "type": "set", "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,185 +25,126 @@ "udp", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "host": { - "type": "string", - "default": "localhost" + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "default": 8125 + ] } }, { "prefix": { - "type": "string", - "default": "kong" + "default": "kong", + "description": "String to prefix to each metric's name.", + "type": "string" } }, { "metrics": { - "type": "array", "default": [ { - "stat_type": "counter", "name": "request_count", - "sample_rate": 1 + "sample_rate": 1, + "stat_type": "counter" }, { - "name": "latency", - "stat_type": "timer" + "stat_type": "timer", + "name": "latency" }, { - "name": "request_size", - "stat_type": "timer" + "stat_type": "timer", + "name": "request_size" }, { - "stat_type": "counter", "name": "status_count", - "sample_rate": 1 + "sample_rate": 1, + "stat_type": "counter" }, { - "name": "response_size", - "stat_type": "timer" + "stat_type": "timer", + "name": "response_size" }, { - "name": "unique_users", - "stat_type": "set" + "stat_type": "set", + "name": "unique_users" }, { "stat_type": "counter", - "name": "request_per_user", - "sample_rate": 1 + "sample_rate": 1, + "name": "request_per_user" }, { - "name": "upstream_latency", - "stat_type": "timer" + "stat_type": "timer", + "name": "upstream_latency" }, { - "name": "kong_latency", - "stat_type": "timer" + "stat_type": "timer", + "name": "kong_latency" }, { "stat_type": "counter", - "name": 
"status_count_per_user", - "sample_rate": 1 + "sample_rate": 1, + "name": "status_count_per_user" }, { - "stat_type": "counter", "name": "status_count_per_workspace", - "sample_rate": 1 + "sample_rate": 1, + "stat_type": "counter" }, { "stat_type": "counter", - "name": "status_count_per_user_per_route", - "sample_rate": 1 + "sample_rate": 1, + "name": "status_count_per_user_per_route" }, { - "stat_type": "gauge", "name": "shdict_usage", - "sample_rate": 1 + "sample_rate": 1, + "stat_type": "gauge" }, { - "stat_type": "counter", "name": "cache_datastore_hits_total", - "sample_rate": 1 + "sample_rate": 1, + "stat_type": "counter" }, { - "stat_type": "counter", "name": "cache_datastore_misses_total", - "sample_rate": 1 + "sample_rate": 1, + "stat_type": "counter" } ], + "description": "List of Metrics to be logged.", + "type": "array", "elements": { - "entity_checks": [ - { - "conditional": { - "if_match": { - "one_of": [ - "unique_users" - ] - }, - "then_field": "stat_type", - "if_field": "name", - "then_match": { - "eq": "set" - } - } - }, - { - "conditional": { - "if_match": { - "one_of": [ - "request_count", - "status_count", - "request_per_user", - "status_count_per_user", - "status_count_per_workspace", - "status_count_per_user_per_route", - "cache_datastore_hits_total", - "cache_datastore_misses_total" - ] - }, - "then_field": "stat_type", - "if_field": "name", - "then_match": { - "eq": "counter" - } - } - }, - { - "conditional": { - "if_match": { - "one_of": [ - "shdict_usage" - ] - }, - "then_field": "stat_type", - "if_field": "name", - "then_match": { - "eq": "gauge" - } - } - }, - { - "conditional": { - "if_match": { - "one_of": [ - "counter", - "gauge" - ] - }, - "then_field": "sample_rate", - "if_field": "stat_type", - "then_match": { - "required": true - } - } - } - ], "fields": [ { "name": { "type": "string", - "required": true, "one_of": [ "kong_latency", "latency", 
@@ -215,13 +161,13 @@ "shdict_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" - ] + ], + "required": true } }, { "stat_type": { "type": "string", - "required": true, "one_of": [ "counter", "gauge", 
@@ -229,181 +175,274 @@ "meter", "set", "timer" - ] + ], + "required": true } }, { "sample_rate": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { "consumer_identifier": { + "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ], - "type": "string" + ] } }, { "service_identifier": { + "type": "string", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ], - "type": "string" + ] } }, { "workspace_identifier": { + "type": "string", "one_of": [ "workspace_id", "workspace_name" - ], - "type": "string" + ] } } ], - "type": "record" + "type": "record", + "entity_checks": [ + { + "conditional": { + "if_field": "name", + "then_field": "stat_type", + "if_match": { + "one_of": [ + "unique_users" + ] + }, + "then_match": { + "eq": "set" + } + } + }, + { + "conditional": { + "if_field": "name", + "then_field": "stat_type", + "if_match": { + "one_of": [ + "request_count", + "status_count", + "request_per_user", + "status_count_per_user", + "status_count_per_workspace", + "status_count_per_user_per_route", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + }, + "then_match": { + "eq": "counter" + } + } + }, + { + "conditional": { + "if_field": "name", + "then_field": "stat_type", + "if_match": { + "one_of": [ + "shdict_usage" + ] + }, + "then_match": { + "eq": "gauge" + } + } + }, + { + "conditional": { + "if_field": "stat_type", + "then_field": "sample_rate", + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_match": { + "required": true + } + } + } + ] } } }, { "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", + "type": "array", "elements": { - "match": "^[0-9]+-[0-9]+$", - "type": "string" - }, - "type": "array" + "type": "string", + "match": "^[0-9]+-[0-9]+$" + } } }, { "udp_packet_size": { + "default": 0, + "description": "Combine UDP packet up to the size configured. 
If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", + "type": "number", "between": [ 0, 65507 - ], - "type": "number", - "default": 0 + ] } }, { "use_tcp": { - "type": "boolean", - "default": false + "default": false, + "description": "Use TCP instead of UDP.", + "type": "boolean" } }, { "hostname_in_prefix": { - "type": "boolean", - "default": false + "default": false, + "description": "Include the `hostname` in the `prefix` for each metric name.", + "type": "boolean" } }, { "consumer_identifier_default": { "required": true, + "default": "custom_id", + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", + "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ], - "default": "custom_id", - "type": "string" + ] } }, { "service_identifier_default": { "required": true, + "default": "service_name_or_host", + "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", + "type": "string", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ], - "default": "service_name_or_host", - "type": "string" + ] } }, { "workspace_identifier_default": { "required": true, + "default": "workspace_id", + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. 
", + "type": "string", "one_of": [ "workspace_id", "workspace_name" - ], - "default": "workspace_id", - "type": "string" + ] } }, { "queue": { - "required": true, "fields": [ { "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", "between": [ 1, 1000000 - ], - "type": "number", - "default": 1 + ] } }, { "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", "between": [ 0, 3600 - ], - "type": "number", - "default": 1 + ] } }, { "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", "between": [ 1, 1000000 - ], - "type": "number", - "default": 10000 + ] } }, { "max_bytes": { - "type": "number" + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." } }, { "max_retry_time": { "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number" } }, { "initial_retry_delay": { "default": 0.01, - "type": "number" + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", + "between": [ + 0.001, + 1000000 + ] } }, { "max_retry_delay": { "default": 60, - "type": "number" + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", + "between": [ + 0.001, + 1000000 + ] } } ], - "type": "record" + "type": "record", + "required": true } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/statsd/3.4.x.json b/schemas/statsd/3.4.x.json index f0d86dd8..b265dc54 100644 --- a/schemas/statsd/3.4.x.json +++ b/schemas/statsd/3.4.x.json 
@@ -2,13 +2,18 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing protocols.", + "type": "set", "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,149 +25,134 @@ "udp", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "retry_count", - "queue_size", - "flush_timeout" - ] - } - } - ], "fields": [ { "host": { - "type": "string", - "default": "localhost" + "default": "localhost", + "description": "The IP address or hostname of StatsD server to send data to.", + "type": "string" } }, { "port": { + "default": 8125, + "description": "The port of StatsD server to send data to.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "default": 8125 + ] } }, { "prefix": { "default": "kong", + "description": "String to prefix to each metric's name.", "type": "string" } }, { "metrics": { - "type": "array", "default": [ { "stat_type": "counter", - "name": "request_count", - "sample_rate": 1 + "sample_rate": 1, + "name": "request_count" }, { - "name": "latency", - "stat_type": "timer" + "stat_type": "timer", + "name": "latency" }, { "stat_type": "counter", - "name": "request_size", - "sample_rate": 1 + "sample_rate": 1, + "name": "request_size" }, { "stat_type": "counter", - "name": "status_count", - "sample_rate": 1 + "sample_rate": 1, + "name": "status_count" }, { "stat_type": "counter", - "name": "response_size", - "sample_rate": 1 + "sample_rate": 1, + "name": "response_size" }, { - "name": "unique_users", - "stat_type": "set" + "stat_type": "set", + "name": "unique_users" }, { "stat_type": "counter", - "name": "request_per_user", - "sample_rate": 1 + "sample_rate": 1, + "name": "request_per_user" }, { - "name": "upstream_latency", - "stat_type": "timer" + "stat_type": "timer", + "name": "upstream_latency" }, { - "name": "kong_latency", - "stat_type": "timer" 
+ "stat_type": "timer", + "name": "kong_latency" }, { "stat_type": "counter", - "name": "status_count_per_user", - "sample_rate": 1 + "sample_rate": 1, + "name": "status_count_per_user" }, { "stat_type": "counter", - "name": "status_count_per_workspace", - "sample_rate": 1 + "sample_rate": 1, + "name": "status_count_per_workspace" }, { "stat_type": "counter", - "name": "status_count_per_user_per_route", - "sample_rate": 1 + "sample_rate": 1, + "name": "status_count_per_user_per_route" }, { "stat_type": "gauge", - "name": "shdict_usage", - "sample_rate": 1 + "sample_rate": 1, + "name": "shdict_usage" + }, + { + "stat_type": "gauge", + "sample_rate": 1, + "name": "lmdb_usage" }, { "stat_type": "counter", - "name": "cache_datastore_hits_total", - "sample_rate": 1 + "sample_rate": 1, + "name": "cache_datastore_hits_total" }, { "stat_type": "counter", - "name": "cache_datastore_misses_total", - "sample_rate": 1 + "sample_rate": 1, + "name": "cache_datastore_misses_total" } ], + "description": "List of metrics to be logged.", + "type": "array", "elements": { - "entity_checks": [ - { - "conditional": { - "if_match": { - "one_of": [ - "counter", - "gauge" - ] - }, - "then_field": "sample_rate", - "if_field": "stat_type", - "then_match": { - "required": true - } - } - } - ], "fields": [ { "name": { "type": "string", - "required": true, + "description": "StatsD metric’s name.", "one_of": [ "kong_latency", "latency", @@ -177,15 +167,17 @@ "status_count_per_workspace", "status_count_per_user_per_route", "shdict_usage", + "lmdb_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" - ] + ], + "required": true } }, { "stat_type": { "type": "string", - "required": true, + "description": "Determines what sort of event a metric represents.", "one_of": [ "counter", "gauge", 
@@ -193,114 +185,137 @@ "meter", "set", "timer" - ] + ], + "required": true } }, { "sample_rate": { - "gt": 0, - "type": "number" + "description": "Sampling rate", + "type": "number", + "gt": 0 } }, { "consumer_identifier": { + "description": "Authenticated user detail.", + "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ], - "type": "string" + ] } }, { "service_identifier": { + "description": "Service detail.", + "type": "string", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ], - "type": "string" + ] } }, { "workspace_identifier": { + "description": "Workspace detail.", + "type": "string", "one_of": [ "workspace_id", "workspace_name" - ], - "type": "string" + ] } } ], - "type": "record" + "type": "record", + "entity_checks": [ + { + "conditional": { + "if_field": "stat_type", + "then_field": "sample_rate", + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_match": { + "required": true + } + } + } + ] } } }, { "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", + "type": "array", "elements": { - "match": "^[0-9]+-[0-9]+$", - "type": "string" - }, - "type": "array" + "type": "string", + "match": "^[0-9]+-[0-9]+$" + } } }, { "udp_packet_size": { + "default": 0, + "type": "number", "between": [ 0, 65507 - ], - "type": "number", - "default": 0 + ] } }, { "use_tcp": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "hostname_in_prefix": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "consumer_identifier_default": { "default": "custom_id", + "type": "string", "one_of": [ "consumer_id", "custom_id", "username" ], - "type": "string", "required": true } }, { "service_identifier_default": { "default": "service_name_or_host", + "type": "string", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" ], - "type": "string", 
"required": true } }, { "workspace_identifier_default": { "default": "workspace_id", + "type": "string", "one_of": [ "workspace_id", "workspace_name" ], - "type": "string", "required": true } }, 
@@ -322,79 +337,109 @@ { "tag_style": { "type": "string", - "required": false, "one_of": [ "dogstatsd", "influxdb", "librato", "signalfx" - ] + ], + "required": false } }, { "queue": { - "required": true, "fields": [ { "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", "between": [ 1, 1000000 - ], - "type": "number", - "default": 1 + ] } }, { "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", "between": [ 0, 3600 - ], - "type": "number", - "default": 1 + ] } }, { "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", "between": [ 1, 1000000 - ], - "type": "number", - "default": 10000 + ] } }, { "max_bytes": { - "type": "number" + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." } }, { "max_retry_time": { "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number" } }, { "initial_retry_delay": { "default": 0.01, - "type": "number" + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", + "between": [ + 0.001, + 1000000 + ] } }, { "max_retry_delay": { "default": 60, - "type": "number" + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", + "between": [ + 0.001, + 1000000 + ] } } ], - "type": "record" + "type": "record", + "required": true } } ], - "type": "record" + "required": true, + "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "retry_count", + "queue_size", + "flush_timeout" + ] + } + } + ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
diff --git a/schemas/syslog/3.4.x.json b/schemas/syslog/3.4.x.json index 68cc12eb..ac6877c5 100644 --- a/schemas/syslog/3.4.x.json +++ b/schemas/syslog/3.4.x.json @@ -2,13 +2,18 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing protocols.", + "type": "set", "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -20,20 +25,25 @@ "udp", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "log_level": { "default": "info", + "type": "string", "one_of": [ "debug", "info", @@ -44,13 +54,13 @@ "alert", "emerg" ], - "type": "string", "required": true } }, { "successful_severity": { "default": "info", + "type": "string", "one_of": [ "debug", "info", @@ -61,13 +71,13 @@ "alert", "emerg" ], - "type": "string", "required": true } }, { "client_errors_severity": { "default": "info", + "type": "string", "one_of": [ "debug", "info", @@ -78,13 +88,13 @@ "alert", "emerg" ], - "type": "string", "required": true } }, { "server_errors_severity": { "default": "info", + "type": "string", "one_of": [ "debug", "info", @@ -95,18 +105,18 @@ "alert", "emerg" ], - "type": "string", "required": true } }, { "custom_fields_by_lua": { "type": "map", - "keys": { + "description": "Lua code as a key-value map", + "values": { "len_min": 1, "type": "string" }, - "values": { + "keys": { "type": "string", "len_min": 1 } 
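Review bot: In the syslog `@@ -95,18 +105,18 @@` hunk, `custom_fields_by_lua` is described only as `Lua code as a key-value map`, which does not tell the reader what the keys and values are or that the values are evaluated. The tcp-log schema later in this patch documents the same field as a map from a log field name to a chunk of Lua code whose return value sets or replaces that log field. The syslog description should reuse that wording. Because the values are code, it is also worth stating that write access to this plugin's configuration should be limited to people trusted to run Lua on the gateway.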
@@ -114,7 +124,10 @@ }, { "facility": { + "required": true, "default": "user", + "description": "The facility is used by the operating system to decide how to handle each log message.", + "type": "string", "one_of": [ "auth", "authpriv", @@ -136,14 +149,16 @@ "local5", "local6", "local7" - ], - "type": "string", - "required": true + ] } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/tcp-log/3.4.x.json b/schemas/tcp-log/3.4.x.json index 514c797b..f003733e 100644 --- a/schemas/tcp-log/3.4.x.json +++ b/schemas/tcp-log/3.4.x.json @@ -2,13 +2,18 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing protocols.", + "type": "set", "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -20,19 +25,24 @@ "udp", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "host": { + "description": "The IP address or host name to send data to.", "type": "string", "required": true } 
@@ -43,50 +53,60 @@ 0, 65535 ], + "description": "The port to send data to on the upstream server.", "type": "integer", "required": true } }, { "timeout": { - "type": "number", - "default": 10000 + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" } }, { "keepalive": { - "type": "number", - "default": 60000 + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "number" } }, { "tls": { + "default": false, + "description": "Indicates whether to perform a TLS handshake against the remote server.", "type": "boolean", - "required": true, - "default": false + "required": true } }, { "tls_sni": { - "type": "string" + "type": "string", + "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake." } }, { "custom_fields_by_lua": { - "type": "map", - "keys": { + "values": { "len_min": 1, "type": "string" }, - "values": { + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", + "type": "map", + "keys": { "type": "string", "len_min": 1 } } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/tls-handshake-modifier/3.4.x.json b/schemas/tls-handshake-modifier/3.4.x.json index 6520e6ae..7e8624b9 100644 --- a/schemas/tls-handshake-modifier/3.4.x.json +++ b/schemas/tls-handshake-modifier/3.4.x.json @@ -2,9 +2,10 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { 
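Review bot: The new description for `tls` in the `@@ -43,50 +53,60 @@` hunk says only that a TLS handshake is performed, while the unchanged default stays `false`, so it should state that log entries are sent unencrypted unless this is enabled. The text also leaves open whether the remote certificate is verified; nothing in this schema shows a verification option, so that should be confirmed against the plugin and stated. A possible wording is `"description": "Indicates whether to perform a TLS handshake against the remote server. When false (the default), log data is sent in cleartext."`.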
@@ -13,35 +14,47 @@ "https", "grpcs" ], + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "https", "grpcs", "tls" - ], - "type": "string" - }, - "type": "set", - "required": true + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "tls_client_certificate": { + "required": false, + "default": "REQUEST", + "description": "TLS Client Certificate", "type": "string", "one_of": [ "REQUEST" - ], - "required": false, - "default": "REQUEST" + ] } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/tls-metadata-headers/3.4.x.json b/schemas/tls-metadata-headers/3.4.x.json index 0c234808..c4885e27 100644 --- a/schemas/tls-metadata-headers/3.4.x.json +++ b/schemas/tls-metadata-headers/3.4.x.json @@ -2,9 +2,10 @@ "fields": [ { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { 
@@ -13,66 +14,83 @@ "https", "grpcs" ], + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "https", "grpcs", "tls" - ], - "type": "string" - }, - "type": "set", - "required": true + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "inject_client_cert_details": { - "type": "boolean", - "default": false + "default": false, + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", + "type": "boolean" } }, { "client_cert_header_name": { "default": "X-Client-Cert", - "required": true, - "type": "string" + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", + "type": "string", + "required": true } }, { "client_serial_header_name": { "default": "X-Client-Cert-Serial", - "required": true, - "type": "string" + "description": "Define the HTTP header name used for the serial number of the client certificate.", + "type": "string", + "required": true } }, { "client_cert_issuer_dn_header_name": { "default": "X-Client-Cert-Issuer-DN", - "required": true, - "type": "string" + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", + "type": "string", + "required": true } }, { "client_cert_subject_dn_header_name": { "default": "X-Client-Cert-Subject-DN", - "required": true, - "type": "string" + "description": "Define the HTTP header name used for the subject DN of the client certificate.", + "type": "string", + "required": true } }, { "client_cert_fingerprint_header_name": { "default": "X-Client-Cert-Fingerprint", - "required": true, - "type": "string" + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", + "type": "string", + "required": true } } ], - "type": "record" + 
"type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/udp-log/3.4.x.json b/schemas/udp-log/3.4.x.json index 5aa0881f..d7c0878c 100644 --- a/schemas/udp-log/3.4.x.json +++ b/schemas/udp-log/3.4.x.json @@ -2,13 +2,18 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing protocols.", + "type": "set", "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -20,19 +25,24 @@ "udp", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "host": { + "description": "A string representing a host name, such as example.com.", "type": "string", "required": true } @@ -43,32 +53,39 @@ 0, 65535 ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", "required": true } }, { "timeout": { - "type": "number", - "default": 10000 + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" } }, { "custom_fields_by_lua": { "type": "map", - "keys": { + "description": "Lua code as a key-value map", + "values": { "len_min": 1, "type": "string" }, - "values": { + "keys": { "type": "string", "len_min": 1 } } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/upstream-timeout/3.4.x.json b/schemas/upstream-timeout/3.4.x.json index c28d97dd..7f1acc3c 100644 --- a/schemas/upstream-timeout/3.4.x.json +++ b/schemas/upstream-timeout/3.4.x.json 
@@ -2,28 +2,36 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "read_timeout": { @@ -31,6 +39,7 @@ 0, 2147483646 ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, @@ -40,6 +49,7 @@ 0, 2147483646 ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, @@ -49,12 +59,17 @@ 0, 2147483646 ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/vault-auth/3.4.x.json b/schemas/vault-auth/3.4.x.json index 188b14b5..d3234493 100644 --- a/schemas/vault-auth/3.4.x.json +++ b/schemas/vault-auth/3.4.x.json 
@@ -2,89 +2,111 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "consumer": { - "eq": null, "reference": "consumers", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "access_token_name": { + "required": true, "default": "access_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "type": "string", "elements": { - "type": "string" - }, - "required": true, - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." + } } }, { "secret_token_name": { + "required": true, "default": "secret_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. 
The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "type": "string", "elements": { - "type": "string" - }, - "required": true, - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." + } } }, { "vault": { - "type": "foreign", "reference": "vault_auth_vaults", + "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", + "type": "foreign", "required": true } }, { "hide_credentials": { "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", "type": "boolean" } }, { "anonymous": { - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { "tokens_in_body": { "default": false, + "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", "type": "boolean" } }, { "run_on_preflight": { "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", "type": "boolean" } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
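Review bot: In the `@@ -2,89 +2,111 @@` hunk, `access_token_name` and `secret_token_name` are declared `"type": "string"` with scalar defaults, yet the added descriptions call them "an array of comma-separated parameter names", and an `elements` sub-schema (now described as an HTTP header name) is kept under the string type. One of the two is wrong, and a client that builds forms or validation from this schema cannot tell which; if the field is a single name, the description should say so and `elements` should be dropped at the source. The `tokens_in_body` description also lists `application/www-form-urlencoded`, where the registered media type is `application/x-www-form-urlencoded`. Both fixes presumably belong in the plugin's schema, since this file is downloaded from the API.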
diff --git a/schemas/websocket-size-limit/3.4.x.json b/schemas/websocket-size-limit/3.4.x.json index e77a8035..d327baaf 100644 --- a/schemas/websocket-size-limit/3.4.x.json +++ b/schemas/websocket-size-limit/3.4.x.json @@ -6,28 +6,27 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, - "entity_checks": [ - { - "at_least_one_of": [ - "client_max_payload", - "upstream_max_payload" - ] - } - ], "fields": [ { "client_max_payload": { @@ -35,8 +34,8 @@ 1, 33554432 ], - "required": false, - "type": "integer" + "type": "integer", + "required": false } }, { @@ -45,13 +44,25 @@ 1, 33554432 ], - "required": false, - "type": "integer" + "type": "integer", + "required": false } } ], - "type": "record" + "required": true, + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "client_max_payload", + "upstream_max_payload" + ] + } + ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/websocket-validator/3.4.x.json b/schemas/websocket-validator/3.4.x.json index 5df13fb2..bdeee552 100644 --- a/schemas/websocket-validator/3.4.x.json +++ b/schemas/websocket-validator/3.4.x.json 
@@ -6,32 +6,31 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, - "entity_checks": [ - { - "at_least_one_of": [ - "client", - "upstream" - ] - } - ], "fields": [ { "client": { - "type": "record", + "required": false, "entity_checks": [ { "at_least_one_of": [ @@ -40,10 +39,11 @@ ] } ], + "type": "record", "fields": [ { "text": { - "type": "record", + "required": false, "entity_checks": [ { "custom_entity_check": { @@ -54,29 +54,31 @@ } } ], + "type": "record", "fields": [ { "type": { "type": "string", - "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" - ] + ], + "required": true } }, { "schema": { - "required": true, - "type": "string" + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string", + "required": true } } - ], - "required": false + ] } }, { "binary": { - "type": "record", + "required": false, "entity_checks": [ { "custom_entity_check": { 
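Review bot: The descriptions added for `type` and `schema` in the `@@ -54,29 +54,31 @@` hunk sit under `client` → `text`, but they name `config.upstream.binary.schema`, `config.upstream.binary.type` and "upstream-originated binary frames". The same two strings are repeated for `client.binary` (`@@ -87,33 +89,34 @@`) and `upstream.text` (`@@ -136,29 +140,31 @@`); only the `upstream.binary` copy in `@@ -169,33 +175,46 @@` matches its position. Each copy should name its own direction and frame kind, for example "Schema used to validate client-originated text frames" with a reference to `config.client.text.type`, so that an operator does not attach a validation schema to the wrong side of the connection.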
@@ -87,33 +89,34 @@ } } ], + "type": "record", "fields": [ { "type": { "type": "string", - "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" - ] + ], + "required": true } }, { "schema": { - "required": true, - "type": "string" + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string", + "required": true } } - ], - "required": false + ] } } - ], - "required": false + ] } }, { "upstream": { - "type": "record", + "required": false, "entity_checks": [ { "at_least_one_of": [ @@ -122,10 +125,11 @@ ] } ], + "type": "record", "fields": [ { "text": { - "type": "record", + "required": false, "entity_checks": [ { "custom_entity_check": { @@ -136,29 +140,31 @@ } } ], + "type": "record", "fields": [ { "type": { "type": "string", - "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" - ] + ], + "required": true } }, { "schema": { - "required": true, - "type": "string" + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string", + "required": true } } - ], - "required": false + ] } }, { "binary": { - "type": "record", + "required": false, "entity_checks": [ { "custom_entity_check": { 
@@ -169,33 +175,46 @@ } } ], + "type": "record", "fields": [ { "type": { "type": "string", - "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" - ] + ], + "required": true } }, { "schema": { - "required": true, - "type": "string" + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string", + "required": true } } - ], - "required": false + ] } } - ], - "required": false + ] } } ], - "type": "record" + "required": true, + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "client", + "upstream" + ] + } + ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/xml-threat-protection/3.4.x.json b/schemas/xml-threat-protection/3.4.x.json index d052e082..aeb364e4 100644 --- a/schemas/xml-threat-protection/3.4.x.json +++ b/schemas/xml-threat-protection/3.4.x.json 
@@ -2,264 +2,299 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, - "entity_checks": [ - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "max_namespaces", - "if_field": "namespace_aware", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "prefix", - "if_field": "namespace_aware", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "namespaceuri", - "if_field": "namespace_aware", - "then_match": { - "required": true - } - } - } - ], "fields": [ { "checked_content_types": { + "required": true, "default": [ "application/xml" ], + "description": "A list of Content-Type values with payloads that must be validated.", + "type": "set", "elements": { - "match": "^[^%s]+%/[^ ;]+$", + "required": true, "type": "string", - "required": true - }, - "type": "set", - "required": true + "match": "^[^%s]+%/[^ ;]+$" + } } }, { "allowed_content_types": { + "required": true, "default": [ ], + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", + "type": "set", "elements": { - "match": "^[^%s]+%/[^ ;]+$", + "required": true, "type": "string", - "required": true - }, - "type": "set", - "required": true + "match": "^[^%s]+%/[^ ;]+$" + } } }, { "allow_dtd": { "default": false, - "required": true, - "type": "boolean" + "description": "Indicates whether an XML Document 
Type Definition (DTD) section is allowed.", + "type": "boolean", + "required": true } }, { "namespace_aware": { "default": true, - "required": true, - "type": "boolean" + "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", + "type": "boolean", + "required": true } }, { "max_depth": { - "type": "integer", - "required": true, "gt": 0, - "default": 50 + "required": true, + "default": 50, + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", + "type": "integer" } }, { "max_children": { - "type": "integer", - "required": true, "gt": 0, - "default": 100 + "required": true, + "default": 100, + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", + "type": "integer" } }, { "max_attributes": { - "type": "integer", - "required": true, "gt": 0, - "default": 100 + "required": true, + "default": 100, + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", + "type": "integer" } }, { "max_namespaces": { - "type": "integer", - "required": false, "gt": 0, - "default": 20 + "required": false, + "default": 20, + "description": "Maximum number of namespaces defined on a tag. 
This value is required if parsing is namespace-aware.", + "type": "integer" } }, { "document": { - "type": "integer", - "required": true, "gt": 0, - "default": 10485760 + "required": true, + "default": 10485760, + "description": "Maximum size of the entire document.", + "type": "integer" } }, { "buffer": { - "type": "integer", - "required": true, "gt": 0, - "default": 1048576 + "required": true, + "default": 1048576, + "description": "Maximum size of the unparsed buffer (see below).", + "type": "integer" } }, { "comment": { - "type": "integer", - "required": true, "gt": 0, - "default": 1024 + "required": true, + "default": 1024, + "description": "Maximum size of comments.", + "type": "integer" } }, { "localname": { - "type": "integer", - "required": true, "gt": 0, - "default": 1024 + "required": true, + "default": 1024, + "description": "Maximum size of the localname. This applies to tags and attributes.", + "type": "integer" } }, { "prefix": { - "type": "integer", - "required": false, "gt": 0, - "default": 1024 + "required": false, + "default": 1024, + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", + "type": "integer" } }, { "namespaceuri": { - "type": "integer", - "required": false, "gt": 0, - "default": 1024 + "required": false, + "default": 1024, + "description": "Maximum size of the namespace URI. 
This value is required if parsing is namespace-aware.", + "type": "integer" } }, { "attribute": { - "type": "integer", - "required": true, "gt": 0, - "default": 1048576 + "required": true, + "default": 1048576, + "description": "Maximum size of the attribute value.", + "type": "integer" } }, { "text": { - "type": "integer", - "required": true, "gt": 0, - "default": 1048576 + "required": true, + "default": 1048576, + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", + "type": "integer" } }, { "pitarget": { - "type": "integer", - "required": true, "gt": 0, - "default": 1024 + "required": true, + "default": 1024, + "description": "Maximum size of processing instruction targets.", + "type": "integer" } }, { "pidata": { - "type": "integer", - "required": true, "gt": 0, - "default": 1024 + "required": true, + "default": 1024, + "description": "Maximum size of processing instruction data.", + "type": "integer" } }, { "entityname": { - "type": "integer", - "required": true, "gt": 0, - "default": 1024 + "required": true, + "default": 1024, + "description": "Maximum size of entity names in EntityDecl.", + "type": "integer" } }, { "entity": { - "type": "integer", - "required": true, "gt": 0, - "default": 1024 + "required": true, + "default": 1024, + "description": "Maximum size of entity values in EntityDecl.", + "type": "integer" } }, { "entityproperty": { - "type": "integer", - "required": true, "gt": 0, - "default": 1024 + "required": true, + "default": 1024, + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", + "type": "integer" } }, { "bla_max_amplification": { - "type": "number", - "required": true, "gt": 1, - "default": 100 + "required": true, + "default": 100, + "description": "Sets the maximum allowed amplification. 
This protects against the Billion Laughs Attack.", + "type": "number" } }, { "bla_threshold": { - "required": true, - "type": "integer", "gt": 1024, - "default": 8388608 + "required": true, + "default": 8388608, + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", + "type": "integer" } } ], - "type": "record" + "required": true, + "type": "record", + "entity_checks": [ + { + "conditional": { + "if_field": "namespace_aware", + "then_field": "max_namespaces", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "namespace_aware", + "then_field": "prefix", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "namespace_aware", + "then_field": "namespaceuri", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + } + } + } + ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/zipkin/3.4.x.json b/schemas/zipkin/3.4.x.json index 7b252fc7..b518d499 100644 --- a/schemas/zipkin/3.4.x.json +++ b/schemas/zipkin/3.4.x.json @@ -2,13 +2,18 @@ "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing protocols.", + "type": "set", "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
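Review bot: Several size limits documented in the `@@ -2,264 +2,299 @@` hunk give no unit: `document`, `buffer`, `comment`, `localname`, `attribute`, `text` and the other "Maximum size of …" fields do not say whether the number counts bytes or characters, which decides how defaults such as `10485760` should be tuned. The `buffer` description also ends with "(see below)", a leftover from a documentation page that points at nothing inside a schema. I would drop the dangling reference and add the unit once it is confirmed against the plugin, e.g. `"description": "Maximum size of the unparsed buffer, in <unit>."`. The `allowed_content_types` text could also say more directly that, as it reads, payloads of any type listed there pass without the limits in this plugin being applied.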
@@ -20,47 +25,56 @@ "udp", "ws", "wss" - ], - "type": "string" - }, - "required": true, - "type": "set" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "required": true, "fields": [ { "local_service_name": { "default": "kong", + "description": "The name of the service as displayed in Zipkin.", "type": "string", "required": true } }, { "http_endpoint": { - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "sample_ratio": { + "default": 0.001, + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", + "type": "number", "between": [ 0, 1 - ], - "type": "number", - "default": 0.001 + ] } }, { "default_service_name": { - "type": "string" + "type": "string", + "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans." } }, { "include_credential": { "default": true, + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", "type": "boolean", "required": true } @@ -68,17 +82,21 @@ { "traceid_byte_count": { "required": true, + "default": 16, + "description": "The length in bytes of each request's Trace ID.", + "type": "integer", "one_of": [ 8, 16 - ], - "type": "integer", - "default": 16 + ] } }, { "header_type": { "required": true, + "default": "preserve", + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", + "type": "string", "one_of": [ "preserve", "ignore", 
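Review bot: The description added for `include_credential` in the `@@ -20,47 +25,56 @@` hunk does not say what "the credential" consists of, while the unchanged default is `true`, so this data leaves the gateway for the Zipkin server without the operator opting in. The text should name what is actually sent (an identifier of the credential or the secret itself; this is not visible from the schema and needs confirming against the plugin) and mention the default. Two smaller wording issues nearby: the `sample_ratio` description ends with a trailing space, and the `header_type` description in the next hunk lacks its final period.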
@@ -87,41 +105,47 @@ "w3c", "jaeger", "ot", + "aws", "datadog" - ], - "type": "string", - "default": "preserve" + ] } }, { "default_header_type": { "required": true, + "default": "b3", + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", + "type": "string", "one_of": [ "b3", "b3-single", "w3c", "jaeger", "ot", + "aws", "datadog" - ], - "type": "string", - "default": "b3" + ] } }, { "tags_header": { "default": "Zipkin-Tags", + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", "type": "string", "required": true } }, { "static_tags": { + "description": "The tags specified on this property will be added to the generated request traces.", "type": "array", "elements": { + "type": "record", "fields": [ { "name": { + "required": true, + "type": "string", "not_one_of": [ "error", "http.method", @@ -136,9 +160,7 @@ "kong.service", "lc", "peer.hostname" - ], - "type": "string", - "required": true + ] } }, { 
@@ -147,50 +169,53 @@ "required": true } } - ], - "type": "record" + ] } } }, { "http_span_name": { "required": true, + "default": "method", + "description": "Specify whether to include the HTTP path in the span name.", + "type": "string", "one_of": [ "method", "method_path" - ], - "type": "string", - "default": "method" + ] } }, { "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "default": 2000 + ] } }, { "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "default": 5000 + ] } }, { "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "default": 5000 + ] } }, { 
@@ -201,78 +226,98 @@ { "phase_duration_flavor": { "required": true, + "default": "annotations", + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", + "type": "string", "one_of": [ "annotations", "tags" - ], - "type": "string", - "default": "annotations" + ] } }, { "queue": { - "required": true, "fields": [ { "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", "between": [ 1, 1000000 - ], - "type": "number", - "default": 1 + ] } }, { "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", "between": [ 0, 3600 - ], - "type": "number", - "default": 1 + ] } }, { "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", "between": [ 1, 1000000 - ], - "type": "number", - "default": 10000 + ] } }, { "max_bytes": { - "type": "number" + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." } }, { "max_retry_time": { "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number" } }, { "initial_retry_delay": { "default": 0.01, - "type": "number" + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", + "between": [ + 0.001, + 1000000 + ] } }, { "max_retry_delay": { "default": 60, - "type": "number" + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", + "between": [ + 0.001, + 1000000 + ] } } ], - "type": "record" + "type": "record", + "required": true } } ], - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
From b838e8bf08e798e653a73dfafdfab10a83fa6eb0 Mon Sep 17 00:00:00 2001
From: Fabian Rodriguez
Date: Tue, 1 Aug 2023 19:09:31 +0200
Subject: [PATCH 002/165] Drop consumer_group from rate-limiting-advanced example
---
 examples/rate-limiting-advanced/_3.4.x.yaml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/examples/rate-limiting-advanced/_3.4.x.yaml b/examples/rate-limiting-advanced/_3.4.x.yaml
index 3e36f7da..7fee7c38 100644
--- a/examples/rate-limiting-advanced/_3.4.x.yaml
+++ b/examples/rate-limiting-advanced/_3.4.x.yaml
@@ -9,7 +9,3 @@ config:
 namespace: example_namespace
 strategy: local
 hide_client_headers: false
- enforce_consumer_groups: true
- consumer_groups:
- - group1
- - group2
From e013ed726b874d1c4079ef064481db27b9e5440f Mon Sep 17 00:00:00 2001
From: Fabian Rodriguez
Date: Wed, 19 Jul 2023 13:57:57 +0200
Subject: [PATCH 003/165] WIP: Add some info and instructions
---
 README.md | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 75 insertions(+)
diff --git a/README.md b/README.md
index f45c17e9..7f86783c 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,81 @@ gem install thor ## Usage +This toolkit requires an instance of [Kong Gateway Admin API](https://docs.konghq.com/gateway/latest/admin-api/) to be up and running. Most of the commands generate requests under the hood against the API. + +### Running different versions of Kong Gateway Admin API locally +The easiest way to run a specific version of the Admin API is with [Gojira](https://github.com/Kong/gojira/tree/master). It provides several [options](https://github.com/Kong/gojira/blob/master/docs/manual.md), but using [kong images](https://github.com/Kong/gojira/blob/master/docs/manual.md#using-kong-release-images-with-gojira) is probably the safest one. + +Note: By default, `Gojira` binds ports to random available ones on the host, so you probably want to [bind them to specific ports](https://github.com/Kong/gojira/blob/master/docs/manual.md#bind-ports-on-the-host). By default, the `toolkit` expects `host` to be `localhost` and `port` `8001`. + +### Demo https://user-images.githubusercontent.com/715229/220340450-5006aefe-e7e4-4b45-9272-d0e8b4543878.mov +## Commands + +Before running any of the commands, make sure you have the right version of Kong Gateway Admin API running. + +### Download Schemas + +Downloads the schemas in json format for the specified list of plugins and writes them into disk. Each schema will be stored under `//.json` + +| Options | Descriptions | +|--------------------------- |-----| +| `version` | **Required**. Kong Gateway release version, e.g. `3.3.x`. | +| `plugins` | **Required**. Space separated list of plugins for which the schemas will be downloaded, .e.g. `acme acl`. | +| `host` | Name of the host in which the API is running. Default: `localhost`. | +| `port` | Port in which the API is listening. Default: `8001`. | +| `destination` | Path to the root folder in which the schemas will be stored. 
Default: `./schemas` | + + +### Validate Examples + +Validates plugin examples config against the plugin schema using the [Admin API](https://docs.konghq.com/gateway/latest/admin-api/#validate-a-plugin-configuration-against-the-schema). It will iterate over the specified list of plugins and check whether the example for the specified version is valid. + +For example, running: + +``` +./plugins validate_examples --version _3.4.x --plugins acme --verbose +``` + +reads the file `./examples/acme/_3.4.x.yaml` and validate it against the schema using the API. + + +| Options | Descriptions | +|--------------------------- |-----| +| `version` | **Required**. Kong Gateway release version, e.g. `_3.3.x`. | +| `plugins` | **Required**. Space separated list of plugins to use, .e.g. `acme acl`. | +| `host` | Name of the host in which the API is running. Default: `localhost`. | +| `port` | Port in which the API is listening. Default: `8001`. | +| `source` | Path to the root folder containing the examples. Default: `./examples`. | + + +### Copy Examples + +Copies the last (ordered by version) example file stored in `//` and writes it to `//`. + +| Options | Descriptions | +|--------------------------- |-----| +| `version` | **Required**. Kong Gateway release version, e.g. `_3.3.x`. The new example file is named after it. | +| `plugins` | **Required**. Space separated list of plugins to use, .e.g. `acme acl`. | +| `source` | Path to the root folder containing the exisitng examples. Default: `./examples`. | + + +### Generate Referenceable Fileds List + +| Options | Descriptions | +|--------------------------- |-----| +| `version` | **Required**. Kong Gateway release version, e.g. `3.3.x`. | +| `plugins` | **Required**. Space separated list of plugins to use, .e.g. `acme acl`. | +| `source` | Path to the folder containing the plugin schemas. Default: `./schemas`. | +| `destination` | Path to the root folder in which the schemas will be stored. 
Default: `./data` | + +## Updating the repo after a new release + +Whenever a new version of Kong Gateway is released, we need run the following commands in order. For all of them, specify all the plugins `--plugins $(ls ./schemas)` + +1. Download Schemas - specify the new version `x.x.x` +1. Copy Examples - specify the previous version `_x.x.y` of the example that gets copied +1. Validate Examples - specify the new version `_x.x.x` +1. Generate Referenceable Fields List - specify the new version `x.x.x` \ No newline at end of file From 49e5f71e97fe3daf68f2cbee47433d6d963b7e1f Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Fri, 28 Jul 2023 10:59:06 +0200 Subject: [PATCH 004/165] Update README.md Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7f86783c..1d9ee230 100644 --- a/README.md +++ b/README.md @@ -46,7 +46,7 @@ For example, running: ./plugins validate_examples --version _3.4.x --plugins acme --verbose ``` -reads the file `./examples/acme/_3.4.x.yaml` and validate it against the schema using the API. +reads the file `./examples/acme/_3.4.x.yaml` and validates it against the schema using the API. | Options | Descriptions | From a2cadf14068815f4110fd487054a8ec8d1286061 Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Fri, 28 Jul 2023 10:59:16 +0200 Subject: [PATCH 005/165] Update README.md Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1d9ee230..b9bc57cf 100644 --- a/README.md +++ b/README.md @@ -69,7 +69,7 @@ Copies the last (ordered by version) example file stored in `/ Date: Fri, 28 Jul 2023 12:38:38 +0200 Subject: [PATCH 006/165] Address code review comments --- README.md | 41 +++++++++++++++++++++++++++++------------ 1 file changed, 29 insertions(+), 12 deletions(-) 
diff --git a/README.md b/README.md
index b9bc57cf..f895f546 100644
--- a/README.md
+++ b/README.md
@@ -30,24 +30,24 @@ Downloads the schemas in json format for the specified list of plugins and write | Options | Descriptions | |--------------------------- |-----| | `version` | **Required**. Kong Gateway release version, e.g. `3.3.x`. | -| `plugins` | **Required**. Space separated list of plugins for which the schemas will be downloaded, .e.g. `acme acl`. | +| `plugins` | **Required**. Space separated list of plugins for which the schemas will be downloaded, .e.g. `acme acl`. Setting it to `$(ls ./schemas)` will download the schemas for all the plugins. | | `host` | Name of the host in which the API is running. Default: `localhost`. | | `port` | Port in which the API is listening. Default: `8001`. | | `destination` | Path to the root folder in which the schemas will be stored. Default: `./schemas` | - -### Validate Examples - -Validates plugin examples config against the plugin schema using the [Admin API](https://docs.konghq.com/gateway/latest/admin-api/#validate-a-plugin-configuration-against-the-schema). It will iterate over the specified list of plugins and check whether the example for the specified version is valid. - -For example, running: - +Downloading the schema for `acme`: +```bash +./plugins download_schemas --version=3.3.x --plugins acme ``` -./plugins validate_examples --version _3.4.x --plugins acme --verbose + +Downloading schemas for all the plugins: +```bash +./plugins download_schemas --version=3.3.x --plugins $(ls ./schemas) ``` -reads the file `./examples/acme/_3.4.x.yaml` and validates it against the schema using the API. +### Validate Examples +Validates plugin examples config against the plugin schema using the [Admin API](https://docs.konghq.com/gateway/latest/admin-api/#validate-a-plugin-configuration-against-the-schema). It will iterate over the specified list of plugins and check whether the example for the specified version is valid. | Options | Descriptions | |--------------------------- |-----| 
@@ -57,6 +57,12 @@ reads the file `./examples/acme/_3.4.x.yaml` and validates it against the schema | `port` | Port in which the API is listening. Default: `8001`. | | `source` | Path to the root folder containing the examples. Default: `./examples`. | +For example, running: +``` +./plugins validate_examples --version _3.4.x --plugins acme --verbose +``` +reads the file `./examples/acme/_3.4.x.yaml` and validates it against the schema using the API. + ### Copy Examples @@ -64,10 +70,15 @@ Copies the last (ordered by version) example file stored in `// Date: Fri, 28 Jul 2023 21:56:03 +0200 Subject: [PATCH 007/165] Add note indicating that the Enterprise Edition of the API needs to be running --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f895f546..2cc57961 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ gem install thor ## Usage -This toolkit requires an instance of [Kong Gateway Admin API](https://docs.konghq.com/gateway/latest/admin-api/) to be up and running. Most of the commands generate requests under the hood against the API. +This toolkit requires an instance of [Kong Gateway Admin API](https://docs.konghq.com/gateway/latest/admin-api/) to be up and running (make sure you are running the Enterprise version). Most of the commands generate requests under the hood against the API. ### Running different versions of Kong Gateway Admin API locally The easiest way to run a specific version of the Admin API is with [Gojira](https://github.com/Kong/gojira/tree/master). It provides several [options](https://github.com/Kong/gojira/blob/master/docs/manual.md), but using [kong images](https://github.com/Kong/gojira/blob/master/docs/manual.md#using-kong-release-images-with-gojira) is probably the safest one. From fe606f96ca2cf28c62f888184b5c539b164790c1 Mon Sep 17 00:00:00 2001 
From: "lena.larionova"
Date: Tue, 8 Aug 2023 11:18:07 -0700
Subject: [PATCH 008/165] generate plugin schemas and referenceable fields for 3.4
---
 data/referenceable_fields/3.4.x.json | 77 +-
 schemas/acl/3.4.x.json | 22 +-
 schemas/acme/3.4.x.json | 230 ++--
 schemas/application-registration/3.4.x.json | 38 +-
 schemas/aws-lambda/3.4.x.json | 106 +-
 schemas/azure-functions/3.4.x.json | 58 +-
 schemas/basic-auth/3.4.x.json | 20 +-
 schemas/bot-detection/3.4.x.json | 22 +-
 schemas/canary/3.4.x.json | 78 +-
 schemas/correlation-id/3.4.x.json | 22 +-
 schemas/cors/3.4.x.json | 42 +-
 schemas/datadog/3.4.x.json | 130 +-
 schemas/degraphql/3.4.x.json | 24 +-
 schemas/exit-transformer/3.4.x.json | 20 +-
 schemas/file-log/3.4.x.json | 30 +-
 schemas/forward-proxy/3.4.x.json | 122 +-
 .../graphql-proxy-cache-advanced/3.4.x.json | 26 +-
 .../graphql-rate-limiting-advanced/3.4.x.json | 139 +-
 schemas/grpc-gateway/3.4.x.json | 18 +-
 schemas/grpc-web/3.4.x.json | 26 +-
 schemas/hmac-auth/3.4.x.json | 34 +-
 schemas/http-log/3.4.x.json | 114 +-
 schemas/ip-restriction/3.4.x.json | 38 +-
 schemas/jq/3.4.x.json | 32 +-
 schemas/jwe-decrypt/3.4.x.json | 30 +-
 schemas/jwt-signer/3.4.x.json | 298 ++--
 schemas/jwt/3.4.x.json | 52 +-
 schemas/kafka-log/3.4.x.json | 122 +-
 schemas/kafka-upstream/3.4.x.json | 138 +-
 schemas/key-auth-enc/3.4.x.json | 40 +-
 schemas/key-auth/3.4.x.json | 40 +-
 schemas/konnect-application-auth/3.4.x.json | 34 +-
 schemas/ldap-auth-advanced/3.4.x.json | 94 +-
 schemas/ldap-auth/3.4.x.json | 78 +-
 schemas/loggly/3.4.x.json | 28 +-
 schemas/mocking/3.4.x.json | 42 +-
 schemas/mtls-auth/3.4.x.json | 70 +-
 schemas/oas-validation/3.4.x.json | 58 +-
 schemas/oauth2-introspection/3.4.x.json | 70 +-
 schemas/oauth2/3.4.x.json | 108 +-
 schemas/opa/3.4.x.json | 64 +-
 schemas/openid-connect/3.4.x.json | 1221 +++++++++--------
 schemas/opentelemetry/3.4.x.json | 75 +-
 schemas/post-function/3.4.x.json | 84 +-
 schemas/pre-function/3.4.x.json | 84 +-
 schemas/prometheus/3.4.x.json | 38 +-
 schemas/proxy-cache-advanced/3.4.x.json | 131 +-
 schemas/proxy-cache/3.4.x.json | 60 +-
 schemas/rate-limiting-advanced/3.4.x.json | 143 +-
 schemas/rate-limiting/3.4.x.json | 106 +-
 schemas/request-size-limiting/3.4.x.json | 26 +-
 schemas/request-termination/3.4.x.json | 42 +-
 .../request-transformer-advanced/3.4.x.json | 34 +-
 schemas/request-transformer/3.4.x.json | 70 +-
 schemas/request-validator/3.4.x.json | 48 +-
 schemas/response-ratelimiting/3.4.x.json | 116 +-
 .../response-transformer-advanced/3.4.x.json | 32 +-
 schemas/response-transformer/3.4.x.json | 74 +-
 schemas/route-by-header/3.4.x.json | 26 +-
 schemas/route-transformer-advanced/3.4.x.json | 14 +-
 schemas/saml/3.4.x.json | 414 +++---
 schemas/session/3.4.x.json | 186 +--
 schemas/statsd-advanced/3.4.x.json | 132 +-
 schemas/statsd/3.4.x.json | 170 ++-
 schemas/syslog/3.4.x.json | 40 +-
 schemas/tcp-log/3.4.x.json | 48 +-
 schemas/tls-handshake-modifier/3.4.x.json | 16 +-
 schemas/tls-metadata-headers/3.4.x.json | 36 +-
 schemas/udp-log/3.4.x.json | 36 +-
 schemas/upstream-timeout/3.4.x.json | 22 +-
 schemas/vault-auth/3.4.x.json | 46 +-
 schemas/websocket-size-limit/3.4.x.json | 20 +-
 schemas/websocket-validator/3.4.x.json | 146 +-
 schemas/xml-threat-protection/3.4.x.json | 122 +-
 schemas/zipkin/3.4.x.json | 96 +-
 75 files changed, 3436 insertions(+), 3352 deletions(-)
diff --git a/data/referenceable_fields/3.4.x.json b/data/referenceable_fields/3.4.x.json
index 9922651b..ed1c3d41 100644
--- a/data/referenceable_fields/3.4.x.json
+++ b/data/referenceable_fields/3.4.x.json
@@ -1,4 +1,24 @@ { + "acme": [ + "config.account_email", + "config.eab_kid", + "config.eab_hmac_key", + "config.storage_config.redis.auth", + "config.storage_config.consul.token", + "config.storage_config.vault.token" + ], + "aws-lambda": [ + "config.aws_key", + "config.aws_secret", + "config.aws_assume_role_arn" + ], + "azure-functions": [ + "config.apikey", + "config.clientid" + ], + "datadog": [ + "config.host" + ], "forward-proxy": [ "config.auth_username", "config.auth_password" @@ -9,6 +29,10 @@ "config.redis.sentinel_username", "config.redis.sentinel_password" ], + "http-log": [ + "config.http_endpoint", + "config.headers" + ], "kafka-log": [ "config.authentication.user", "config.authentication.password" @@ -21,6 +45,9 @@ "config.ldap_password", "config.bind_dn" ], + "loggly": [ + "config.key" + ], "openid-connect": [ "config.client_id", "config.client_secret", @@ -38,12 +65,20 @@ "config.session_redis_username", "config.session_redis_password" ], + "opentelemetry": [ + "config.endpoint", + "config.headers" + ], "proxy-cache-advanced": [ "config.redis.username", "config.redis.password", "config.redis.sentinel_username", "config.redis.sentinel_password" ], + "rate-limiting": [ + "config.redis_password", + "config.redis_username" + ], "rate-limiting-advanced": [ "config.redis.username", "config.redis.password", @@ -64,6 +99,10 @@ "config.append.headers", "config.append.querystring" ], + "response-ratelimiting": [ + "config.redis_password", + "config.redis_username" + ], "saml": [ "config.idp_certificate", "config.response_encryption_key", 
@@ -73,44 +112,6 @@ "config.session_redis_username", "config.session_redis_password" ], - "acme": [ - "config.account_email", - "config.eab_kid", - "config.eab_hmac_key", - "config.storage_config.redis.auth", - "config.storage_config.consul.token", - "config.storage_config.vault.token" - ], - "aws-lambda": [ - "config.aws_key", - "config.aws_secret", - "config.aws_assume_role_arn" - ], - "azure-functions": [ - "config.apikey", - "config.clientid" - ], - "datadog": [ - "config.host" - ], - "http-log": [ - "config.http_endpoint", - "config.headers" - ], - "loggly": [ - "config.key" - ], - "opentelemetry": [ - "config.headers" - ], - "rate-limiting": [ - "config.redis_password", - "config.redis_username" - ], - "response-ratelimiting": [ - "config.redis_password", - "config.redis_username" - ], "session": [ "config.secret" ] diff --git a/schemas/acl/3.4.x.json b/schemas/acl/3.4.x.json index 6571ebb0..8d5fdaba 100644 --- a/schemas/acl/3.4.x.json +++ b/schemas/acl/3.4.x.json @@ -3,17 +3,17 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -25,7 +25,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
@@ -35,26 +34,28 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "type": "record", "fields": [ { "allow": { - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } }, { "deny": { - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } }, { @@ -65,7 +66,6 @@ } } ], - "type": "record", "required": true } } diff --git a/schemas/acme/3.4.x.json b/schemas/acme/3.4.x.json index d8c13b07..02fe693b 100644 --- a/schemas/acme/3.4.x.json +++ b/schemas/acme/3.4.x.json @@ -3,33 +3,33 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "service": { "reference": "services", - "description": "A reference to the 'services' table with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "A reference to the 'services' table with a null value allowed." } }, { "route": { "reference": "routes", - "description": "A reference to the 'routes' table with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "A reference to the 'routes' table with a null value allowed." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -41,7 +41,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
@@ -51,145 +50,146 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "type": "record", "fields": [ { "account_email": { "required": true, "referenceable": true, - "encrypted": true, - "description": "The account identifier. Can be reused in a different plugin instance.", "type": "string", - "match": "%w*%p*@+%w*%.?%w*" + "match": "%w*%p*@+%w*%.?%w*", + "encrypted": true, + "description": "The account identifier. Can be reused in a different plugin instance." } }, { "account_key": { "required": false, - "description": "The private key associated with the account.", "type": "record", "fields": [ { "key_id": { - "description": "The Key ID.", "type": "string", - "required": true + "required": true, + "description": "The Key ID." } }, { "key_set": { - "type": "string", - "description": "The ID of the key set to associate the Key ID with." + "description": "The ID of the key set to associate the Key ID with.", + "type": "string" } } - ] + ], + "description": "The private key associated with the account." } }, { "api_uri": { "default": "https://acme-v02.api.letsencrypt.org/directory", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "tos_accepted": { "default": false, - "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", - "type": "boolean" + "type": "boolean", + "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service." } }, { "eab_kid": { "referenceable": true, - "description": "External account binding (EAB) key id. 
You usually don't need to set this unless it is explicitly required by the CA.", "type": "string", - "encrypted": true + "encrypted": true, + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA." } }, { "eab_hmac_key": { "referenceable": true, - "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", "type": "string", - "encrypted": true + "encrypted": true, + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA." } }, { "cert_type": { "default": "rsa", - "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate.", "type": "string", "one_of": [ "rsa", "ecc" - ] + ], + "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate." } }, { "rsa_key_size": { "default": 4096, - "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", "type": "number", "one_of": [ 2048, 3072, 4096 - ] + ], + "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096." } }, { "renew_threshold_days": { "default": 14, - "description": "Days remaining to renew the certificate before it expires.", - "type": "number" + "type": "number", + "description": "Days remaining to renew the certificate before it expires." } }, { "domains": { - "description": "An array of strings representing hosts. 
A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", "type": "array", "elements": { - "match_any": { - "err": "invalid wildcard: must be placed at leftmost or rightmost label", - "patterns": [ - "^%*%.", - "%.%*$", - "^[^*]*$" - ] - }, "match_all": [ { "pattern": "^[^*]*%*?[^*]*$", "err": "invalid wildcard: must have at most one wildcard" } ], - "type": "string" - } + "type": "string", + "match_any": { + "patterns": [ + "^%*%.", + "%.%*$", + "^[^*]*$" + ], + "err": "invalid wildcard: must be placed at leftmost or rightmost label" + } + }, + "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')" } }, { "allow_any_domain": { "default": false, - "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", - "type": "boolean" + "type": "boolean", + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list." } }, { "fail_backoff_minutes": { "default": 5, - "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", - "type": "number" + "type": "number", + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate." } }, { "storage": { "default": "shm", - "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. 
Please refer to the Hybrid Mode sections below as well.", "type": "string", "one_of": [ "kong", 
@@ -197,249 +197,250 @@ "redis", "consul", "vault" - ] + ], + "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well." } }, { "storage_config": { + "type": "record", "fields": [ { "shm": { + "type": "record", "fields": [ { "shm_name": { "default": "kong", - "description": "Name of shared memory zone used for Kong API gateway storage", - "type": "string" + "type": "string", + "description": "Name of shared memory zone used for Kong API gateway storage" } } ], - "type": "record", "required": true } }, { "kong": { + "type": "record", "fields": [ ], - "type": "record", "required": true } }, { "redis": { + "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "type": "integer", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "database": { - "type": "number", - "description": "The index of the Redis database to use." + "description": "The index of the Redis database to use.", + "type": "number" } }, { "auth": { - "description": "The Redis password to use for authentication. ", "type": "string", + "description": "The Redis password to use for authentication. 
", "referenceable": true } }, { "ssl": { "default": false, - "description": "Whether to use SSL/TLS encryption when connecting to the Redis server.", "type": "boolean", - "required": true + "required": true, + "description": "Whether to use SSL/TLS encryption when connecting to the Redis server." } }, { "ssl_verify": { "default": false, - "description": "Whether to verify the SSL/TLS certificate presented by the Redis server. This should be a boolean value.", "type": "boolean", - "required": true + "required": true, + "description": "Whether to verify the SSL/TLS certificate presented by the Redis server. This should be a boolean value." } }, { "ssl_server_name": { - "description": "The expected server name for the SSL/TLS certificate presented by the Redis server.", "type": "string", - "required": false + "required": false, + "description": "The expected server name for the SSL/TLS certificate presented by the Redis server." } }, { "namespace": { "required": true, + "len_min": 0, "default": "", - "description": "A namespace to prepend to all keys stored in Redis.", "type": "string", - "len_min": 0 + "description": "A namespace to prepend to all keys stored in Redis." } } ], - "type": "record", "required": true } }, { "consul": { + "type": "record", "fields": [ { "https": { "default": false, - "description": "Boolean representation of https.", - "type": "boolean" + "type": "boolean", + "description": "Boolean representation of https." } }, { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "type": "integer", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "description": "An integer representing a port number between 0 and 65535, inclusive." 
} }, { "kv_path": { - "type": "string", - "description": "KV prefix path." + "description": "KV prefix path.", + "type": "string" } }, { "timeout": { - "type": "number", - "description": "Timeout in milliseconds." + "description": "Timeout in milliseconds.", + "type": "number" } }, { "token": { - "description": "Consul ACL token.", "type": "string", + "description": "Consul ACL token.", "referenceable": true } } ], - "type": "record", "required": true } }, { "vault": { + "type": "record", "fields": [ { "https": { "default": false, - "description": "Boolean representation of https.", - "type": "boolean" + "type": "boolean", + "description": "Boolean representation of https." } }, { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "type": "integer", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "kv_path": { - "type": "string", - "description": "KV prefix path." + "description": "KV prefix path.", + "type": "string" } }, { "timeout": { - "type": "number", - "description": "Timeout in milliseconds." + "description": "Timeout in milliseconds.", + "type": "number" } }, { "token": { - "description": "Consul ACL token.", "type": "string", + "description": "Consul ACL token.", "referenceable": true } }, { "tls_verify": { "default": true, - "description": "Turn on TLS verification.", - "type": "boolean" + "type": "boolean", + "description": "Turn on TLS verification." } }, { "tls_server_name": { - "type": "string", - "description": "SNI used in request, default to host if omitted." 
+ "description": "SNI used in request, default to host if omitted.", + "type": "string" } }, { "auth_method": { "default": "token", - "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", "type": "string", "one_of": [ "token", "kubernetes" - ] + ], + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'." } }, { "auth_path": { - "type": "string", - "description": "Vault's authentication path to use." + "description": "Vault's authentication path to use.", + "type": "string" } }, { "auth_role": { - "type": "string", - "description": "The role to try and assign." + "description": "The role to try and assign.", + "type": "string" } }, { "jwt_path": { - "type": "string", - "description": "The path to the JWT." + "description": "The path to the JWT.", + "type": "string" } } ], - "type": "record", "required": true } } ], - "type": "record", "required": true } }, @@ -452,12 +453,11 @@ { "enable_ipv4_common_name": { "default": true, - "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", - "type": "boolean" + "type": "boolean", + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates." } } ], - "type": "record", "required": true } } @@ -465,18 +465,18 @@ "entity_checks": [ { "conditional": { - "then_field": "config.tos_accepted", "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", - "then_match": { - "eq": true - }, "if_match": { "one_of": [ "https://acme-v02.api.letsencrypt.org", "https://acme-staging-v02.api.letsencrypt.org" ] }, - "if_field": "config.api_uri" + "then_field": "config.tos_accepted", + "if_field": "config.api_uri", + "then_match": { + "eq": true + } } }, { diff --git a/schemas/application-registration/3.4.x.json b/schemas/application-registration/3.4.x.json index f0656bf6..804f5b0b 100644 
--- a/schemas/application-registration/3.4.x.json +++ b/schemas/application-registration/3.4.x.json @@ -3,9 +3,9 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -19,9 +19,9 @@ { "route": { "reference": "routes", - "description": "A reference to the 'routes' table with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "A reference to the 'routes' table with a null value allowed." } }, { @@ -33,7 +33,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
@@ -42,54 +41,57 @@ "grpcs", "http", "https" - ] - } + ], + "required": true, + "len_min": 1 + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "display_name": { "unique": true, - "description": "Unique display name used for a Service in the Developer Portal.", "type": "string", - "required": true + "required": true, + "description": "Unique display name used for a Service in the Developer Portal." } }, { "description": { - "description": "Unique description displayed in information about a Service in the Developer Portal.", "type": "string", - "unique": true + "unique": true, + "description": "Unique description displayed in information about a Service in the Developer Portal." } }, { "auto_approve": { "default": false, - "description": "If enabled, all new Service Contracts requests are automatically approved.", "type": "boolean", - "required": true + "required": true, + "description": "If enabled, all new Service Contracts requests are automatically approved." } }, { "show_issuer": { "default": false, - "description": "Displays the **Issuer URL** in the **Service Details** dialog.", "type": "boolean", - "required": true + "required": true, + "description": "Displays the **Issuer URL** in the **Service Details** dialog." } } ], - "type": "record", "required": true } } diff --git a/schemas/aws-lambda/3.4.x.json b/schemas/aws-lambda/3.4.x.json index d3b29a65..51cafa16 100644 --- a/schemas/aws-lambda/3.4.x.json +++ b/schemas/aws-lambda/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
@@ -19,122 +18,124 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "timeout": { "default": 60000, - "description": "An optional timeout in milliseconds when invoking the function.", "type": "number", - "required": true + "required": true, + "description": "An optional timeout in milliseconds when invoking the function." } }, { "keepalive": { "default": 60000, - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", "type": "number", - "required": true + "required": true, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." } }, { "aws_key": { "referenceable": true, - "description": "The AWS key credential to be used when invoking the function.", "type": "string", - "encrypted": true + "encrypted": true, + "description": "The AWS key credential to be used when invoking the function." } }, { "aws_secret": { "referenceable": true, - "description": "The AWS secret credential to be used when invoking the function. ", "type": "string", - "encrypted": true + "encrypted": true, + "description": "The AWS secret credential to be used when invoking the function. " } }, { "aws_assume_role_arn": { "referenceable": true, - "description": "The target AWS IAM role ARN used to invoke the Lambda function.", "type": "string", - "encrypted": true + "encrypted": true, + "description": "The target AWS IAM role ARN used to invoke the Lambda function." 
} }, { "aws_role_session_name": { "default": "kong", - "description": "The identifier of the assumed role session.", - "type": "string" + "type": "string", + "description": "The identifier of the assumed role session." } }, { "aws_region": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "function_name": { - "description": "The AWS Lambda function name to invoke.", "type": "string", - "required": false + "required": false, + "description": "The AWS Lambda function name to invoke." } }, { "qualifier": { - "type": "string", - "description": "The qualifier to use when invoking the function." + "description": "The qualifier to use when invoking the function.", + "type": "string" } }, { "invocation_type": { "required": true, "default": "RequestResponse", - "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", "type": "string", "one_of": [ "RequestResponse", "Event", "DryRun" - ] + ], + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun." } }, { "log_type": { "required": true, "default": "Tail", - "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", "type": "string", "one_of": [ "Tail", "None" - ] + ], + "description": "The LogType to use when invoking the function. By default, None and Tail are supported." } }, { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." 
+ "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { "default": 443, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 
@@ -149,90 +150,89 @@ }, { "unhandled_status": { + "type": "integer", + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", "between": [ 100, 999 - ], - "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", - "type": "integer" + ] } }, { "forward_request_method": { "default": false, - "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", - "type": "boolean" + "type": "boolean", + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request." } }, { "forward_request_uri": { "default": false, - "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", - "type": "boolean" + "type": "boolean", + "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request." } }, { "forward_request_headers": { "default": false, - "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", - "type": "boolean" + "type": "boolean", + "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request." } }, { "forward_request_body": { "default": false, - "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. 
", - "type": "boolean" + "type": "boolean", + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. " } }, { "is_proxy_integration": { "default": false, - "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", - "type": "boolean" + "type": "boolean", + "description": "An optional value that defines whether the response format to receive from the Lambda to this format." } }, { "awsgateway_compatible": { "default": false, - "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", - "type": "boolean" + "type": "boolean", + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway." } }, { "proxy_url": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "skip_large_bodies": { "default": true, - "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", - "type": "boolean" + "type": "boolean", + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk" } }, { "base64_encode_body": { "default": true, - "description": "An optional value that Base64-encodes the request body.", - "type": "boolean" + "type": "boolean", + "description": "An optional value that Base64-encodes the request body." 
} }, { "aws_imds_protocol_version": { "required": true, "default": "v1", - "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", "type": "string", "one_of": [ "v1", "v2" - ] + ], + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`." } } ], - "type": "record", "required": true } } diff --git a/schemas/azure-functions/3.4.x.json b/schemas/azure-functions/3.4.x.json index 92bd6cee..a942bef8 100644 --- a/schemas/azure-functions/3.4.x.json +++ b/schemas/azure-functions/3.4.x.json @@ -9,10 +9,8 @@ "http", "https" ], - "description": "A set of strings representing protocols.", "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "type": "string", "one_of": [ "grpc", 
@@ -25,96 +23,98 @@ "udp", "ws", "wss" - ] - } + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "timeout": { "default": 600000, - "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", - "type": "number" + "type": "number", + "description": "Timeout in milliseconds before closing a connection to the Azure Functions server." } }, { "keepalive": { "default": 60000, - "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", - "type": "number" + "type": "number", + "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed." } }, { "https": { "default": true, - "description": "Use of HTTPS to connect with the Azure Functions server.", - "type": "boolean" + "type": "boolean", + "description": "Use of HTTPS to connect with the Azure Functions server." } }, { "https_verify": { "default": false, - "description": "Set to `true` to authenticate the Azure Functions server.", - "type": "boolean" + "type": "boolean", + "description": "Set to `true` to authenticate the Azure Functions server." } }, { "apikey": { - "encrypted": true, - "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header." 
} }, { "clientid": { - "encrypted": true, - "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.", + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header." } }, { "appname": { - "description": "The Azure app name.", "type": "string", - "required": true + "required": true, + "description": "The Azure app name." } }, { "hostdomain": { "default": "azurewebsites.net", - "description": "The domain where the function resides.", "type": "string", - "required": true + "required": true, + "description": "The domain where the function resides." } }, { "routeprefix": { "default": "api", - "description": "Route prefix to use.", - "type": "string" + "type": "string", + "description": "Route prefix to use." } }, { "functionname": { - "description": "Name of the Azure function to invoke.", "type": "string", - "required": true + "required": true, + "description": "Name of the Azure function to invoke." } } ], - "type": "record", "required": true } } diff --git a/schemas/basic-auth/3.4.x.json b/schemas/basic-auth/3.4.x.json index e391bd76..667c0770 100644 --- a/schemas/basic-auth/3.4.x.json +++ b/schemas/basic-auth/3.4.x.json @@ -3,9 +3,9 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -18,8 +18,8 @@ "ws", "wss" ], - "required": true, "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -36,30 +36,30 @@ { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "anonymous": { - "type": "string", - "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "hide_credentials": { "default": false, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", "type": "boolean", - "required": true + "required": true, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it." } } ], - "type": "record", "required": true } } diff --git a/schemas/bot-detection/3.4.x.json b/schemas/bot-detection/3.4.x.json index 1809483e..21e63f12 100644 --- a/schemas/bot-detection/3.4.x.json +++ b/schemas/bot-detection/3.4.x.json 
@@ -3,9 +3,9 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -17,7 +17,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", @@ -27,31 +26,33 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "allow": { "default": [ ], - "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", "type": "array", "elements": { "is_regex": true, "type": "string" - } + }, + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header." } }, { @@ -59,16 +60,15 @@ "default": [ ], - "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", "type": "array", "elements": { "is_regex": true, "type": "string" - } + }, + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header." } } ], - "type": "record", "required": true } } diff --git a/schemas/canary/3.4.x.json b/schemas/canary/3.4.x.json index 3bbfc0b4..019ca6ba 100644 --- a/schemas/canary/3.4.x.json +++ b/schemas/canary/3.4.x.json 
@@ -3,17 +3,17 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -25,7 +25,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", @@ -35,7 +34,8 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { @@ -43,14 +43,13 @@ "fields": [ { "start": { - "type": "number", - "description": "Future time in seconds since epoch, when the canary release will start. Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`." + "description": "Future time in seconds since epoch, when the canary release will start. Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`.", + "type": "number" } }, { "hash": { "default": "consumer", - "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", "type": "string", "one_of": [ "consumer", 
@@ -59,98 +58,99 @@ "allow", "deny", "header" - ] + ], + "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value." } }, { "hash_header": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } }, { "duration": { "default": 3600, - "description": "The duration of the canary release in seconds.", "type": "number", - "gt": 0 + "gt": 0, + "description": "The duration of the canary release in seconds." } }, { "steps": { "default": 1000, - "description": "The number of steps for the canary release.", "type": "number", - "gt": 1 + "gt": 1, + "description": "The number of steps for the canary release." } }, { "percentage": { + "type": "number", + "description": "The percentage of traffic to be routed to the canary release.", "between": [ 0, 100 - ], - "description": "The percentage of traffic to be routed to the canary release.", - "type": "number" + ] } }, { "upstream_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "upstream_port": { + "type": "integer", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "description": "An integer representing a port number between 0 and 65535, inclusive." 
} }, { "upstream_uri": { - "len_min": 1, + "type": "string", "description": "The URI of the upstream server to be used for the canary release.", - "type": "string" + "len_min": 1 } }, { "upstream_fallback": { "default": false, - "description": "Specifies whether to fallback to the upstream server if the canary release fails.", "type": "boolean", - "required": true + "required": true, + "description": "Specifies whether to fallback to the upstream server if the canary release fails." } }, { "groups": { - "description": "The groups allowed to access the canary release.", "type": "array", "elements": { "type": "string" - } + }, + "description": "The groups allowed to access the canary release." } }, { "canary_by_header_name": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } } ], "type": "record", + "required": true, "shorthand_fields": [ { "hash": { - "type": "string", - "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead." + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead.", + "type": "string" } } - ], - "required": true + ] } } ], @@ -164,11 +164,11 @@ }, { "conditional": { - "if_field": "config.hash", - "then_field": "config.hash_header", "if_match": { "eq": "header" }, + "then_field": "config.hash_header", + "if_field": "config.hash", "then_match": { "required": true } @@ -176,11 +176,11 @@ }, { "conditional": { - "if_field": "config.upstream_fallback", - "then_field": "config.upstream_host", "if_match": { "eq": true }, + "then_field": "config.upstream_host", + "if_field": "config.upstream_fallback", "then_match": { "required": true } 
diff --git a/schemas/correlation-id/3.4.x.json b/schemas/correlation-id/3.4.x.json index cabf5784..3d8a53f7 100644 --- a/schemas/correlation-id/3.4.x.json +++ b/schemas/correlation-id/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", @@ -19,49 +18,50 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "header_name": { "default": "Kong-Request-ID", - "description": "The HTTP header name to use for the correlation ID.", - "type": "string" + "type": "string", + "description": "The HTTP header name to use for the correlation ID." } }, { "generator": { "default": "uuid#counter", - "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", "type": "string", "one_of": [ "uuid", "uuid#counter", "tracker" - ] + ], + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators)." } }, { "echo_downstream": { "default": false, - "description": "Whether to echo the header back to downstream (the client).", "type": "boolean", - "required": true + "required": true, + "description": "Whether to echo the header back to downstream (the client)." } } ], - "type": "record", "required": true } } diff --git a/schemas/cors/3.4.x.json b/schemas/cors/3.4.x.json index acdeca64..09c02dd2 100644 --- a/schemas/cors/3.4.x.json +++ b/schemas/cors/3.4.x.json 
@@ -3,9 +3,9 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -17,10 +17,8 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { - "len_min": 1, "type": "string", "one_of": [ "grpc", 
@@ -28,46 +26,49 @@ "http", "https" ], - "required": true - } + "required": true, + "len_min": 1 + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "origins": { - "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.", "type": "array", "elements": { "type": "string" - } + }, + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes." } }, { "headers": { - "description": "Value for the `Access-Control-Allow-Headers` header.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Value for the `Access-Control-Allow-Headers` header." } }, { "exposed_headers": { - "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed." } }, { @@ -83,7 +84,6 @@ "TRACE", "CONNECT" ], - "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", "type": "array", "elements": { "type": "string", 
@@ -98,7 +98,8 @@ "TRACE", "CONNECT" ] - } + }, + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'" } }, { @@ -110,21 +111,20 @@ { "credentials": { "default": false, - "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", "type": "boolean", - "required": true + "required": true, + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value." } }, { "preflight_continue": { "default": false, - "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", "type": "boolean", - "required": true + "required": true, + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service." } } ], - "type": "record", "required": true } } diff --git a/schemas/datadog/3.4.x.json b/schemas/datadog/3.4.x.json index 2a74a2bf..6de45159 100644 --- a/schemas/datadog/3.4.x.json +++ b/schemas/datadog/3.4.x.json @@ -9,10 +9,8 @@ "http", "https" ], - "description": "A set of strings representing protocols.", "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "type": "string", "one_of": [ "grpc", @@ -25,16 +23,18 @@ "udp", "ws", "wss" - ] - } + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -43,16 +43,16 @@ { "host": { "default": "localhost", - "description": "A string representing a host name, such as example.com.", "type": "string", - "referenceable": true + "referenceable": true, + "description": "A string representing a host name, such as example.com." } }, { "port": { "default": 8125, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 @@ -62,29 +62,29 @@ { "prefix": { "default": "kong", - "description": "String to be attached as a prefix to a metric's name.", - "type": "string" + "type": "string", + "description": "String to be attached as a prefix to a metric's name." } }, { "service_name_tag": { "default": "name", - "description": "String to be attached as the name of the service.", - "type": "string" + "type": "string", + "description": "String to be attached as the name of the service." } }, { "status_tag": { "default": "status", - "description": "String to be attached as the tag of the HTTP status.", - "type": "string" + "type": "string", + "description": "String to be attached as the tag of the HTTP status." } }, { "consumer_tag": { "default": "consumer", - "description": "String to be attached as tag of the consumer.", - "type": "string" + "type": "string", + "description": "String to be attached as tag of the consumer." } }, { 
@@ -107,38 +107,39 @@ }, { "queue": { + "type": "record", "fields": [ { "max_batch_size": { "default": 1, - "description": "Maximum number of entries that can be processed at a time.", "type": "integer", "between": [ 1, 1000000 - ] + ], + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "type": "number", "between": [ 0, 3600 - ] + ], + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue.", "type": "integer", "between": [ 1, 1000000 - ] + ], + "description": "Maximum number of entries that can be waiting on the queue." } }, { @@ -150,26 +151,26 @@ { "max_retry_time": { "default": 60, - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "type": "number" + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch.", "type": "number", "between": [ 0.001, 1000000 - ] + ], + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff.", "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 @@ -177,7 +178,6 @@ } } ], - "type": "record", "required": true } }, 
@@ -186,63 +186,61 @@ "required": true, "default": [ { + "sample_rate": 1, + "stat_type": "counter", + "name": "request_count", "consumer_identifier": "custom_id", "tags": [ "app:kong" - ], - "stat_type": "counter", - "sample_rate": 1, - "name": "request_count" + ] }, { + "consumer_identifier": "custom_id", + "name": "latency", "tags": [ "app:kong" ], - "name": "latency", - "consumer_identifier": "custom_id", "stat_type": "timer" }, { + "consumer_identifier": "custom_id", + "name": "request_size", "tags": [ "app:kong" ], - "name": "request_size", - "consumer_identifier": "custom_id", "stat_type": "timer" }, { + "consumer_identifier": "custom_id", + "name": "response_size", "tags": [ "app:kong" ], - "name": "response_size", - "consumer_identifier": "custom_id", "stat_type": "timer" }, { + "consumer_identifier": "custom_id", + "name": "upstream_latency", "tags": [ "app:kong" ], - "name": "upstream_latency", - "consumer_identifier": "custom_id", "stat_type": "timer" }, { + "consumer_identifier": "custom_id", + "name": "kong_latency", "tags": [ "app:kong" ], - "name": "kong_latency", - "consumer_identifier": "custom_id", "stat_type": "timer" } ], - "description": "List of metrics to be logged.", "type": "array", "elements": { + "type": "record", "fields": [ { "name": { - "type": "string", - "description": "Datadog metric’s name", "one_of": [ "kong_latency", "latency", @@ -251,13 +249,13 @@ "response_size", "upstream_latency" ], - "required": true + "type": "string", + "required": true, + "description": "Datadog metric’s name" } }, { "stat_type": { - "type": "string", - "description": "Determines what sort of event the metric represents", "one_of": [ "counter", "gauge", 
@@ -267,65 +265,67 @@ "timer", "distribution" ], - "required": true + "type": "string", + "required": true, + "description": "Determines what sort of event the metric represents" } }, { "tags": { - "description": "List of tags", "type": "array", "elements": { - "type": "string", - "match": "^.*[^:]$" - } + "match": "^.*[^:]$", + "type": "string" + }, + "description": "List of tags" } }, { "sample_rate": { + "type": "number", + "description": "Sampling rate", "between": [ 0, 1 - ], - "description": "Sampling rate", - "type": "number" + ] } }, { "consumer_identifier": { - "description": "Authenticated user detail", - "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ] + ], + "type": "string", + "description": "Authenticated user detail" } } ], - "type": "record", "entity_checks": [ { "conditional": { - "if_field": "stat_type", - "then_field": "sample_rate", "if_match": { "one_of": [ "counter", "gauge" ] }, + "then_field": "sample_rate", + "if_field": "stat_type", "then_match": { "required": true } } } ] - } + }, + "description": "List of metrics to be logged." } } ], - "required": true, "type": "record", + "required": true, "entity_checks": [ { "custom_entity_check": { diff --git a/schemas/degraphql/3.4.x.json b/schemas/degraphql/3.4.x.json index 66ddbd40..2bfcb4a6 100644 --- a/schemas/degraphql/3.4.x.json +++ b/schemas/degraphql/3.4.x.json @@ -3,9 +3,9 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -17,7 +17,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
@@ -27,37 +26,38 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "graphql_server_path": { - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "required": true, + "default": "/graphql", + "starts_with": "/", + "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "default": "/graphql", - "starts_with": "/", - "type": "string", - "required": true + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } } ], - "type": "record", "required": true } } diff --git a/schemas/exit-transformer/3.4.x.json b/schemas/exit-transformer/3.4.x.json index 7b3ac080..55e8e83f 100644 --- a/schemas/exit-transformer/3.4.x.json +++ b/schemas/exit-transformer/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
@@ -19,24 +18,26 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "functions": { - "required": true, "type": "array", + "required": true, "elements": { "type": "string" } @@ -45,19 +46,18 @@ { "handle_unknown": { "default": false, - "description": "Determines whether to handle unknown status codes by transforming their responses.", - "type": "boolean" + "type": "boolean", + "description": "Determines whether to handle unknown status codes by transforming their responses." } }, { "handle_unexpected": { "default": false, - "description": "Determines whether to handle unexpected errors by transforming their responses.", - "type": "boolean" + "type": "boolean", + "description": "Determines whether to handle unexpected errors by transforming their responses." } } ], - "type": "record", "required": true } } diff --git a/schemas/file-log/3.4.x.json b/schemas/file-log/3.4.x.json index a76aa18a..455baaf9 100644 --- a/schemas/file-log/3.4.x.json +++ b/schemas/file-log/3.4.x.json @@ -9,10 +9,8 @@ "http", "https" ], - "description": "A set of strings representing protocols.", "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "type": "string", "one_of": [ "grpc", 
@@ -25,42 +23,43 @@ "udp", "ws", "wss" - ] - } + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "path": { - "err": "not a valid filename", "required": true, - "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", + "err": "not a valid filename", + "match": "^[^*&%%\\`]+$", "type": "string", - "match": "^[^*&%%\\`]+$" + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet." } }, { "reopen": { "default": false, - "description": "Determines whether the log file is closed and reopened on every request.", "type": "boolean", - "required": true + "required": true, + "description": "Determines whether the log file is closed and reopened on every request." } }, { "custom_fields_by_lua": { - "type": "map", - "description": "Lua code as a key-value map", "values": { "len_min": 1, "type": "string" @@ -68,11 +67,12 @@ "keys": { "type": "string", "len_min": 1 - } + }, + "type": "map", + "description": "Lua code as a key-value map" } } ], - "type": "record", "required": true } } diff --git a/schemas/forward-proxy/3.4.x.json b/schemas/forward-proxy/3.4.x.json index 0b6b0c8e..904cb96f 100644 --- a/schemas/forward-proxy/3.4.x.json +++ b/schemas/forward-proxy/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
@@ -19,140 +18,141 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "shorthand_fields": [ - { - "proxy_host": { - "type": "string" - } - }, - { - "proxy_port": { - "type": "integer" - } - } - ], "required": true, - "entity_checks": [ - { - "at_least_one_of": [ - "http_proxy_host", - "https_proxy_host" - ] - }, - { - "at_least_one_of": [ - "http_proxy_port", - "https_proxy_port" - ] - }, - { - "mutually_required": [ - "http_proxy_host", - "http_proxy_port" - ] - }, - { - "mutually_required": [ - "https_proxy_host", - "https_proxy_port" - ] - } - ], - "type": "record", "fields": [ { "x_headers": { "required": true, "default": "append", - "description": "Determines how to handle headers when forwarding the request.", "type": "string", "one_of": [ "append", "transparent", "delete" - ] + ], + "description": "Determines how to handle headers when forwarding the request." } }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "http_proxy_port": { + "type": "integer", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." 
+ "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "https_proxy_port": { + "type": "integer", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "proxy_scheme": { "required": true, "default": "http", - "description": "The proxy scheme to use when connecting. Only `http` is supported.", "type": "string", "one_of": [ "http" - ] + ], + "description": "The proxy scheme to use when connecting. Only `http` is supported." } }, { "auth_username": { - "referenceable": true, "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", "type": "string", - "required": false + "required": false, + "referenceable": true } }, { "auth_password": { - "referenceable": true, "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", "type": "string", - "required": false + "required": false, + "referenceable": true } }, { "https_verify": { "default": false, - "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", "type": "boolean", - "required": true + "required": true, + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate." 
+ } + } + ], + "type": "record", + "shorthand_fields": [ + { + "proxy_host": { + "type": "string" + } + }, + { + "proxy_port": { + "type": "integer" } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "http_proxy_host", + "https_proxy_host" + ] + }, + { + "at_least_one_of": [ + "http_proxy_port", + "https_proxy_port" + ] + }, + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } ] } } diff --git a/schemas/graphql-proxy-cache-advanced/3.4.x.json b/schemas/graphql-proxy-cache-advanced/3.4.x.json index 258ebba7..63291ce6 100644 --- a/schemas/graphql-proxy-cache-advanced/3.4.x.json +++ b/schemas/graphql-proxy-cache-advanced/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
@@ -19,66 +18,67 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "strategy": { "required": true, "default": "memory", - "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", "type": "string", "one_of": [ "memory" - ] + ], + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`." } }, { "cache_ttl": { - "default": 300, "gt": 0, "type": "integer", + "default": 300, "description": "TTL in seconds of cache entities. Must be a value greater than 0." } }, { "memory": { + "type": "record", "fields": [ { "dictionary_name": { "default": "kong_db_cache", - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", "type": "string", - "required": true + "required": true, + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template." } } ], - "type": "record", "required": true } }, { "vary_headers": { - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." } } ], - "type": "record", "required": true } } 
diff --git a/schemas/graphql-rate-limiting-advanced/3.4.x.json b/schemas/graphql-rate-limiting-advanced/3.4.x.json index dd2934c1..19097f39 100644 --- a/schemas/graphql-rate-limiting-advanced/3.4.x.json +++ b/schemas/graphql-rate-limiting-advanced/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
@@ -19,75 +18,77 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "identifier": { "required": true, "default": "consumer", - "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", "type": "string", "one_of": [ "ip", "credential", "consumer" - ] + ], + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`." } }, { "window_size": { "required": true, - "description": "One or more window sizes to apply a limit to (defined in seconds).", "type": "array", "elements": { "type": "number" - } + }, + "description": "One or more window sizes to apply a limit to (defined in seconds)." } }, { "window_type": { "default": "sliding", - "description": "Sets the time window to either `sliding` or `fixed`.", "type": "string", "one_of": [ "fixed", "sliding" - ] + ], + "description": "Sets the time window to either `sliding` or `fixed`." } }, { "limit": { "required": true, - "description": "One or more requests-per-window limits to apply.", "type": "array", "elements": { "type": "number" - } + }, + "description": "One or more requests-per-window limits to apply." } }, { "sync_rate": { - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.", "type": "number", - "required": true + "required": true, + "description": "How often to sync counter data to the central data store. 
A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds." } }, { "namespace": { - "auto": true, "type": "string", + "auto": true, "description": "The rate limiting library namespace to use for this plugin instance." } }, @@ -95,38 +96,38 @@ "strategy": { "required": true, "default": "cluster", - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", "type": "string", "one_of": [ "cluster", "redis" - ] + ], + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits." } }, { "dictionary_name": { "default": "kong_rate_limiting_counters", - "description": "The shared dictionary where counters will be stored until the next sync cycle.", "type": "string", - "required": true + "required": true, + "description": "The shared dictionary where counters will be stored until the next sync cycle." } }, { "hide_client_headers": { "default": false, - "description": "Optionally hide informative response headers. Available options: `true` or `false`.", - "type": "boolean" + "type": "boolean", + "description": "Optionally hide informative response headers. Available options: `true` or `false`." } }, { "cost_strategy": { "default": "default", - "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", "type": "string", "one_of": [ "default", "node_quantifier" - ] + ], + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`." } }, { 
@@ -134,16 +135,16 @@ "gt": 0, "required": false, "default": 1, - "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", - "type": "number" + "type": "number", + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0." } }, { "max_cost": { "default": 0, - "description": "A defined maximum cost per query. 0 means unlimited.", "type": "number", - "required": false + "required": false, + "description": "A defined maximum cost per query. 0 means unlimited." } }, { @@ -151,25 +152,25 @@ "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "type": "integer", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "timeout": { "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 
@@ -178,70 +179,76 @@ }, { "connect_timeout": { + "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { + "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { + "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { "type": "string", - "referenceable": true + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." } }, { "password": { - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." } }, { "sentinel_username": { "type": "string", - "referenceable": true + "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." } }, { "sentinel_password": { - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." 
} }, { "database": { + "default": 0, "type": "integer", - "default": 0 + "description": "Database to use for the Redis connection when using the `redis` strategy" } }, { "keepalive_pool_size": { "default": 30, "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value.", "between": [ 1, 2147483646 @@ -251,6 +258,7 @@ { "keepalive_backlog": { "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued connect operations resume once the number of connections in the pool is less than `keepalive_pool_size`. Note that queued connect operations are subject to set timeouts.", "between": [ 0, 2147483646 
@@ -259,61 +267,67 @@ }, { "sentinel_master": { - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." } }, { "sentinel_addresses": { - "len_min": 1, + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "type": "array", "elements": { "type": "string" - } + }, + "len_min": 1 } }, { "cluster_addresses": { - "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "type": "array", "elements": { "type": "string" - } + }, + "len_min": 1 } }, { "ssl": { "default": false, "type": "boolean", - "required": false + "required": false, + "description": "If set to true, uses SSL to connect to Redis." } }, { "ssl_verify": { "default": false, "type": "boolean", - "required": false + "required": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." 
} }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string", - "required": false + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS." } } ], - "required": true, "type": "record", + "required": true, "entity_checks": [ { "mutually_exclusive_sets": { @@ -375,7 +389,6 @@ } } ], - "type": "record", "required": true } } @@ -390,14 +403,14 @@ }, { "conditional_at_least_one_of": { - "then_at_least_one_of": [ - "config.redis.host", - "config.redis.sentinel_master" - ], "if_match": { "eq": "redis" }, - "if_field": "config.strategy" + "if_field": "config.strategy", + "then_at_least_one_of": [ + "config.redis.host", + "config.redis.sentinel_master" + ] } } ] diff --git a/schemas/grpc-gateway/3.4.x.json b/schemas/grpc-gateway/3.4.x.json index ee8b6484..f3ce7329 100644 --- a/schemas/grpc-gateway/3.4.x.json +++ b/schemas/grpc-gateway/3.4.x.json @@ -9,10 +9,8 @@ "http", "https" ], - "description": "A set of strings representing protocols.", "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "type": "string", "one_of": [ "grpc", @@ -25,30 +23,32 @@ "udp", "ws", "wss" - ] - } + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "proto": { - "description": "Describes the gRPC types and methods.", "type": "string", - "required": false + "required": false, + "description": "Describes the gRPC types and methods." } } ], - "type": "record", "required": true } } 
diff --git a/schemas/grpc-web/3.4.x.json b/schemas/grpc-web/3.4.x.json index 1f38322c..49de320e 100644 --- a/schemas/grpc-web/3.4.x.json +++ b/schemas/grpc-web/3.4.x.json @@ -9,10 +9,8 @@ "http", "https" ], - "description": "A set of strings representing protocols.", "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "type": "string", "one_of": [ "grpc", 
@@ -25,45 +23,47 @@ "udp", "ws", "wss" - ] - } + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "proto": { - "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", "type": "string", - "required": false + "required": false, + "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content." } }, { "pass_stripped_path": { - "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", "type": "boolean", - "required": false + "required": false, + "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service." } }, { "allow_origin_header": { "default": "*", - "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", "type": "string", - "required": false + "required": false, + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client." } } ], - "type": "record", "required": true } } diff --git a/schemas/hmac-auth/3.4.x.json b/schemas/hmac-auth/3.4.x.json index 5aefe9ef..93f13306 100644 --- a/schemas/hmac-auth/3.4.x.json +++ b/schemas/hmac-auth/3.4.x.json 
@@ -3,9 +3,9 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -18,8 +18,8 @@ "ws", "wss" ], - "required": true, "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -36,42 +36,43 @@ { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "hide_credentials": { "default": false, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", "type": "boolean", - "required": true + "required": true, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service." } }, { "clock_skew": { - "default": 300, "gt": 0, "type": "number", + "default": 300, "description": "Clock skew in seconds to prevent replay attacks." } }, { "anonymous": { - "type": "string", - "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" } }, { "validate_request_body": { "default": false, - "description": "A boolean value telling the plugin to enable body validation.", "type": "boolean", - "required": true + "required": true, + "description": "A boolean value telling the plugin to enable body validation." } }, { 
@@ -79,11 +80,11 @@ "default": [ ], - "description": "A list of headers that the client should at least use for HTTP signature creation.", "type": "array", "elements": { "type": "string" - } + }, + "description": "A list of headers that the client should at least use for HTTP signature creation." } }, { @@ -94,7 +95,6 @@ "hmac-sha384", "hmac-sha512" ], - "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", "type": "array", "elements": { "type": "string", @@ -104,11 +104,11 @@ "hmac-sha384", "hmac-sha512" ] - } + }, + "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`" } } ], - "type": "record", "required": true } } diff --git a/schemas/http-log/3.4.x.json b/schemas/http-log/3.4.x.json index 3601ed06..a3dda798 100644 --- a/schemas/http-log/3.4.x.json +++ b/schemas/http-log/3.4.x.json @@ -9,10 +9,8 @@ "http", "https" ], - "description": "A set of strings representing protocols.", "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "type": "string", "one_of": [ "grpc", 
@@ -25,106 +23,92 @@ "udp", "ws", "wss" - ] - } + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "retry_count", - "queue_size", - "flush_timeout" - ] - } - } - ], "fields": [ { "http_endpoint": { - "required": true, "encrypted": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true, "type": "string", - "referenceable": true + "required": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "method": { "default": "POST", - "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", "type": "string", "one_of": [ "POST", "PUT", "PATCH" - ] + ], + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`." } }, { "content_type": { "default": "application/json", - "description": "Indicates the type of data sent. The only available option is `application/json`.", "type": "string", "one_of": [ "application/json", "application/json; charset=utf-8" - ] + ], + "description": "Indicates the type of data sent. The only available option is `application/json`." } }, { "timeout": { "default": 10000, - "description": "An optional timeout in milliseconds when sending data to the upstream server.", - "type": "number" + "type": "number", + "description": "An optional timeout in milliseconds when sending data to the upstream server." 
} }, { "keepalive": { "default": 60000, - "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", - "type": "number" + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed." } }, { "retry_count": { - "type": "integer", - "description": "Number of times to retry when sending data to the upstream server." + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" } }, { "queue_size": { - "type": "integer", - "description": "Maximum number of log entries to be sent on each message to the upstream server." + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" } }, { "flush_timeout": { - "type": "number", - "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records." + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" } }, { "headers": { - "type": "map", "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", - "values": { - "type": "string", - "referenceable": true - }, + "type": "map", "keys": { - "description": "A string representing an HTTP header name.", "type": "string", "match_none": [ { 
@@ -139,44 +123,50 @@ "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$", "err": "cannot contain 'Content-Type' header" } - ] + ], + "description": "A string representing an HTTP header name." + }, + "values": { + "referenceable": true, + "type": "string" } } }, { "queue": { + "type": "record", "fields": [ { "max_batch_size": { "default": 1, - "description": "Maximum number of entries that can be processed at a time.", "type": "integer", "between": [ 1, 1000000 - ] + ], + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "type": "number", "between": [ 0, 3600 - ] + ], + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue.", "type": "integer", "between": [ 1, 1000000 - ] + ], + "description": "Maximum number of entries that can be waiting on the queue." } }, { 
@@ -188,26 +178,26 @@ { "max_retry_time": { "default": 60, - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "type": "number" + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch.", "type": "number", "between": [ 0.001, 1000000 - ] + ], + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff.", "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 @@ -215,14 +205,11 @@ } } ], - "type": "record", "required": true } }, { "custom_fields_by_lua": { - "type": "map", - "description": "Lua code as a key-value map", "values": { "len_min": 1, "type": "string" @@ -230,12 +217,25 @@ "keys": { "type": "string", "len_min": 1 - } + }, + "type": "map", + "description": "Lua code as a key-value map" } } ], "type": "record", - "required": true + "required": true, + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "retry_count", + "queue_size", + "flush_timeout" + ] + } + } + ] } } ], diff --git a/schemas/ip-restriction/3.4.x.json b/schemas/ip-restriction/3.4.x.json index 304b9655..acf098fb 100644 --- a/schemas/ip-restriction/3.4.x.json +++ b/schemas/ip-restriction/3.4.x.json @@ -11,10 +11,8 @@ "grpc", "grpcs" ], - "description": "A set of strings representing protocols.", "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "type": "string", "one_of": [ "grpc", 
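Review bot: The `custom_fields_by_lua` description carried over in the http-log hunk `@@ -230,12 +217,25 @@` says only "Lua code as a key-value map", which does not tell a reader that each value is code the gateway evaluates to produce a log field. These descriptions are now the published reference text, so I would spell it out, for example `"description": "A map of log field names to Lua code; each value is evaluated by the gateway to set that field, so restrict who can edit this plugin's configuration."`. The file is pulled from the API, so the wording presumably has to be changed in the plugin schema upstream.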
@@ -27,57 +25,59 @@ "udp", "ws", "wss" - ] - } + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "allow": { - "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", "type": "array", "elements": { - "type": "string", - "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." - } + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "type": "string" + }, + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified." } }, { "deny": { - "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", "type": "array", "elements": { - "type": "string", - "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." - } + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "type": "string" + }, + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified." } }, { "status": { - "description": "The HTTP status of the requests that will be rejected by the plugin.", "type": "number", - "required": false + "required": false, + "description": "The HTTP status of the requests that will be rejected by the plugin." 
} }, { "message": { - "description": "The message to send as a response body to rejected requests.", "type": "string", - "required": false + "required": false, + "description": "The message to send as a response body to rejected requests." } } ], - "type": "record", "required": true } } diff --git a/schemas/jq/3.4.x.json b/schemas/jq/3.4.x.json index 6fea714f..976d3cf2 100644 --- a/schemas/jq/3.4.x.json +++ b/schemas/jq/3.4.x.json @@ -1,5 +1,13 @@ { "fields": [ + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, { "protocols": { "required": true, @@ -9,7 +17,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", @@ -19,7 +26,8 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { @@ -27,8 +35,8 @@ "fields": [ { "request_jq_program": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { @@ -36,8 +44,8 @@ "default": [ ], - "required": false, "type": "record", + "required": false, "fields": [ { "compact_output": { @@ -82,8 +90,8 @@ "default": [ "application/json" ], - "required": false, "type": "array", + "required": false, "elements": { "type": "string" } @@ -91,8 +99,8 @@ }, { "response_jq_program": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { @@ -100,8 +108,8 @@ "default": [ ], - "required": false, "type": "record", + "required": false, "fields": [ { "compact_output": { @@ -146,8 +154,8 @@ "default": [ "application/json" ], - "required": false, "type": "array", + "required": false, "elements": { "type": "string" } @@ -158,8 +166,8 @@ "default": [ 200 ], - "required": false, "type": "array", + "required": false, "elements": { "type": "integer", "between": [ 
@@ -170,8 +178,8 @@ } } ], - "required": true, "type": "record", + "required": true, "entity_checks": [ { "at_least_one_of": [ diff --git a/schemas/jwe-decrypt/3.4.x.json b/schemas/jwe-decrypt/3.4.x.json index 015ebcbc..51952780 100644 --- a/schemas/jwe-decrypt/3.4.x.json +++ b/schemas/jwe-decrypt/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
@@ -19,63 +18,64 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "lookup_header_name": { "default": "Authorization", - "description": "The name of the header to look for the JWE token.", "type": "string", - "required": true + "required": true, + "description": "The name of the header to look for the JWE token." } }, { "forward_header_name": { "default": "Authorization", - "description": "The name of the header that is used to set the decrypted value.", "type": "string", - "required": true + "required": true, + "description": "The name of the header that is used to set the decrypted value." } }, { "key_sets": { "required": true, - "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token." } }, { "strict": { "default": true, - "description": "Defines how the plugin behaves in cases where no token was found in the request. 
When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", - "type": "boolean" + "type": "boolean", + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found." } } ], - "type": "record", "required": true } } diff --git a/schemas/jwt-signer/3.4.x.json b/schemas/jwt-signer/3.4.x.json index 236e8b4e..a8d9d3aa 100644 --- a/schemas/jwt-signer/3.4.x.json +++ b/schemas/jwt-signer/3.4.x.json @@ -3,9 +3,9 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -17,7 +17,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
@@ -27,92 +26,93 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, "type": "record", + "required": true, "fields": [ { "realm": { - "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", "type": "string", - "required": false + "required": false, + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value." } }, { "enable_hs_signatures": { "default": false, - "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting.", "type": "boolean", - "required": false + "required": false, + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting." } }, { "enable_instrumentation": { "default": false, - "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", "type": "boolean", - "required": false + "required": false, + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level." } }, { "access_token_issuer": { "default": "kong", - "description": "The `iss` claim of a signed or re-signed access token is set to this value. 
Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", "type": "string", - "required": false + "required": false, + "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token." } }, { "access_token_keyset": { "default": "kong", - "description": "The name of the keyset containing signing keys.", "type": "string", - "required": false + "required": false, + "description": "The name of the keyset containing signing keys." } }, { "access_token_jwks_uri": { - "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", "type": "string", - "required": false + "required": false, + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token." } }, { "access_token_request_header": { "default": "Authorization", - "description": "This parameter tells the name of the header where to look for the access token.", "type": "string", - "required": false + "required": false, + "description": "This parameter tells the name of the header where to look for the access token." } }, { "access_token_leeway": { "default": 0, - "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", "type": "number", - "required": false + "required": false, + "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. 
You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`." } }, { "access_token_scopes_required": { "required": false, - "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`." } }, { @@ -121,21 +121,21 @@ "default": [ "scope" ], - "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`." } }, { "access_token_consumer_claim": { "required": false, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", "type": "array", "elements": { "type": "string" - } + }, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity." } }, { @@ -145,7 +145,6 @@ "username", "custom_id" ], - "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", "type": "array", "elements": { "type": "string", 
@@ -154,72 +153,73 @@ "username", "custom_id" ] - } + }, + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`." } }, { "access_token_upstream_header": { "default": "Authorization:Bearer", - "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", "type": "string", - "required": false + "required": false, + "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token." } }, { "access_token_upstream_leeway": { "default": 0, - "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", "type": "number", - "required": false + "required": false, + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim." 
} }, { "access_token_introspection_endpoint": { - "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", "type": "string", - "required": false + "required": false, + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter." } }, { "access_token_introspection_authorization": { - "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", "type": "string", - "required": false + "required": false, + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter." } }, { "access_token_introspection_body_args": { - "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", "type": "string", - "required": false + "required": false, + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`." } }, { "access_token_introspection_hint": { "default": "access_token", - "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", "type": "string", - "required": false + "required": false, + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`." 
} }, { "access_token_introspection_jwt_claim": { "required": false, - "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", "type": "array", "elements": { "type": "string" - } + }, + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`." } }, { "access_token_introspection_scopes_required": { "required": false, - "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`." } }, { 
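Review bot: `access_token_introspection_authorization` holds the `Authorization` header value the plugin sends to the introspection endpoint, which is a credential, yet in this hunk it is declared with only `type` and `required`. The http-log schema in the same patch marks `http_endpoint` with `"encrypted": true` and `"referenceable": true`; if the jwt-signer schema really lacks both, this value presumably cannot be supplied as a vault reference or covered by at-rest encryption of the configuration. The file is downloaded from the API, so the flags belong in the plugin schema upstream; the description here could at least end with `Treat this value as a secret.` The enclosing `config` record starts in an earlier hunk and continues past this one.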
@@ -228,21 +228,21 @@ "default": [ "scope" ], - "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`." } }, { "access_token_introspection_consumer_claim": { "required": false, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", "type": "array", "elements": { "type": "string" - } + }, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity." } }, { 
@@ -252,7 +252,6 @@ "username", "custom_id" ], - "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.", "type": "array", "elements": { "type": "string", 
@@ -261,29 +260,29 @@ "username", "custom_id" ] - } + }, + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values." } }, { "access_token_introspection_leeway": { "default": 0, - "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", "type": "number", - "required": false + "required": false, + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`." } }, { "access_token_introspection_timeout": { - "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", "type": "number", - "required": false + "required": false, + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection." 
} }, { "access_token_signing_algorithm": { "required": true, "default": "RS256", - "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", "type": "string", "one_of": [ "HS256", 
@@ -298,127 +297,128 @@ "PS384", "PS512", "EdDSA" - ] + ], + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm." } }, { "access_token_optional": { "default": false, - "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect", "type": "boolean", - "required": false + "required": false, + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect" } }, { "verify_access_token_signature": { "default": true, - "description": "Quickly turn access token signature verification off and on as needed.", "type": "boolean", - "required": false + "required": false, + "description": "Quickly turn access token signature verification off and on as needed." 
} }, { "verify_access_token_expiry": { "default": true, - "description": "Quickly turn access token expiry verification off and on as needed.", "type": "boolean", - "required": false + "required": false, + "description": "Quickly turn access token expiry verification off and on as needed." } }, { "verify_access_token_scopes": { "default": true, - "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", "type": "boolean", - "required": false + "required": false, + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`." } }, { "verify_access_token_introspection_expiry": { "default": true, - "description": "Quickly turn access token introspection expiry verification off and on as needed.", "type": "boolean", - "required": false + "required": false, + "description": "Quickly turn access token introspection expiry verification off and on as needed." } }, { "verify_access_token_introspection_scopes": { "default": true, - "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", "type": "boolean", - "required": false + "required": false, + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`." } }, { "cache_access_token_introspection": { "default": true, - "description": "Whether to cache access token introspection results.", "type": "boolean", - "required": false + "required": false, + "description": "Whether to cache access token introspection results." } }, { "trust_access_token_introspection": { "default": true, - "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. 
If you set this to `true`, the expiry or scopes are not checked on a payload.", "type": "boolean", - "required": false + "required": false, + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload." } }, { "enable_access_token_introspection": { "default": true, - "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", "type": "boolean", - "required": false + "required": false, + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection." } }, { "channel_token_issuer": { "default": "kong", - "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", "type": "string", - "required": false + "required": false, + "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token." } }, { "channel_token_keyset": { "default": "kong", - "description": "The name of the keyset containing signing keys.", "type": "string", - "required": false + "required": false, + "description": "The name of the keyset containing signing keys." } }, { "channel_token_jwks_uri": { - "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. 
If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", "type": "string", - "required": false + "required": false, + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`." } }, { "channel_token_request_header": { - "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", "type": "string", - "required": false + "required": false, + "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string)." } }, { "channel_token_leeway": { "default": 0, - "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", "type": "number", - "required": false + "required": false, + "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`." 
} }, { "channel_token_scopes_required": { "required": false, - "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`." } }, { @@ -427,21 +427,21 @@ "default": [ "scope" ], - "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims." } }, { "channel_token_consumer_claim": { "required": false, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", "type": "array", "elements": { "type": "string" - } + }, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`." } }, { 
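Review bot: The re-added descriptions for `verify_access_token_signature`, `verify_access_token_expiry` and `verify_access_token_scopes` only say the check can be turned off "quickly"; they never state what the plugin then accepts, although all three default to `true` and gate token validation. I would extend each one, for example for the signature flag: `Quickly turn access token signature verification off and on as needed. When set to false, the access token's signature is not verified, so keep it enabled outside of troubleshooting.` The same applies to `trust_access_token_introspection`, whose default of `true` means, by its own description, that expiry and scopes are not checked on the payload. Its channel-token counterpart in the `@@ -639,81 +639,81 @@` hunk explains why, and the access-token text could carry the same explanation. The commit message says these files are pulled from the API, so the wording presumably has to change in the source schema rather than in this file.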
@@ -450,7 +450,6 @@ "username", "custom_id" ], - "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", "type": "array", "elements": { "type": "string", 
@@ -459,79 +458,80 @@ "username", "custom_id" ] - } + }, + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`." } }, { "channel_token_upstream_header": { - "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", "type": "string", - "required": false + "required": false, + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value." } }, { "channel_token_upstream_leeway": { "default": 0, - "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", "type": "number", - "required": false + "required": false, + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim." } }, { "channel_token_introspection_endpoint": { - "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", "type": "string", - "required": false + "required": false, + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead." 
} }, { "channel_token_introspection_authorization": { "required": false, - "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", "type": "string", "elements": { "type": "string" - } + }, + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens." } }, { "channel_token_introspection_body_args": { "required": false, - "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", "type": "string", "elements": { "type": "string" - } + }, + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`." } }, { "channel_token_introspection_hint": { "required": false, - "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", "type": "string", "elements": { "type": "string" - } + }, + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. 
By default, a `hint` isn't sent with channel token introspection." } }, { "channel_token_introspection_jwt_claim": { "required": false, - "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", "type": "array", "elements": { "type": "string" - } + }, + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong." } }, { "channel_token_introspection_scopes_required": { "required": false, - "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`." } }, { 
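Review bot: Several channel-token descriptions in this hunk look copied from other fields without being adapted. `channel_token_introspection_endpoint` talks about `opaque` access tokens and access token introspection, and `channel_token_introspection_authorization` repeats the endpoint text ("you need to specify the OAuth 2.0 introspection endpoint URI") instead of describing the authorization value. In the `@@ -573,29 +572,29 @@` hunk, `channel_token_introspection_timeout` refers to `config.access_token_introspection_timeout`, which looks like it should read `config.channel_token_introspection_timeout`. The `channel_token_introspection_authorization`, `channel_token_introspection_body_args` and `channel_token_introspection_hint` fields also declare `"type": "string"` together with an `"elements"` block, which on this page otherwise accompanies only array and set types, so that is worth confirming upstream.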
@@ -540,21 +540,21 @@ "default": [ "scope" ], - "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims." } }, { "channel_token_introspection_consumer_claim": { "required": false, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", "type": "array", "elements": { "type": "string" - } + }, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity" } }, { @@ -564,7 +564,6 @@ "username", "custom_id" ], - "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", "type": "array", "elements": { "type": "string", 
@@ -573,29 +572,29 @@ "username", "custom_id" ] - } + }, + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`." } }, { "channel_token_introspection_leeway": { "default": 0, - "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", "type": "number", - "required": false + "required": false, + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`." } }, { "channel_token_introspection_timeout": { - "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", "type": "number", - "required": false + "required": false, + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. 
If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection." } }, { "channel_token_signing_algorithm": { "required": true, "default": "RS256", - "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", "type": "string", "one_of": [ "HS256", 
@@ -610,23 +609,24 @@ "PS384", "PS512", "EdDSA" - ] + ], + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token." } }, { "channel_token_optional": { "default": false, - "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", "type": "boolean", - "required": false + "required": false, + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect" } }, { "verify_channel_token_signature": { "default": true, - "description": "Quickly turn on/off the channel token signature verification.", "type": "boolean", - "required": false + "required": false, + "description": "Quickly turn on/off the channel token signature verification." } }, { 
@@ -639,81 +639,81 @@ { "verify_channel_token_scopes": { "default": true, - "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", "type": "boolean", - "required": false + "required": false, + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`." } }, { "verify_channel_token_introspection_expiry": { "default": true, - "description": "Quickly turn on/off the channel token introspection expiry verification.", "type": "boolean", - "required": false + "required": false, + "description": "Quickly turn on/off the channel token introspection expiry verification." } }, { "verify_channel_token_introspection_scopes": { "default": true, - "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", "type": "boolean", - "required": false + "required": false, + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`." } }, { "cache_channel_token_introspection": { "default": true, - "description": "Whether to cache channel token introspection results.", "type": "boolean", - "required": false + "required": false, + "description": "Whether to cache channel token introspection results." } }, { "trust_channel_token_introspection": { "default": true, - "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. 
With true (default), payload's expiry or scopes aren't checked.", "type": "boolean", - "required": false + "required": false, + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked." } }, { "enable_channel_token_introspection": { "default": true, - "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", "type": "boolean", - "required": false + "required": false, + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`." } }, { "add_claims": { - "values": { + "keys": { "type": "string" }, "required": false, + "values": { + "type": "string" + }, "default": [ ], - "description": "Add customized claims if they are not present yet.", "type": "map", - "keys": { - "type": "string" - } + "description": "Add customized claims if they are not present yet." } }, { "set_claims": { - "values": { + "keys": { "type": "string" }, "required": false, + "values": { + "type": "string" + }, "default": [ ], - "description": "Set customized claims. If a claim is already present, it will be overwritten.", "type": "map", - "keys": { - "type": "string" - } + "description": "Set customized claims. If a claim is already present, it will be overwritten." } } ] diff --git a/schemas/jwt/3.4.x.json b/schemas/jwt/3.4.x.json index e43e6aff..2804a28c 100644 --- a/schemas/jwt/3.4.x.json +++ b/schemas/jwt/3.4.x.json 
@@ -3,9 +3,9 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -17,7 +17,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", @@ -27,30 +26,32 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "uri_param_names": { "default": [ "jwt" ], - "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", "type": "set", "elements": { "type": "string" - } + }, + "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs." } }, { 
@@ -58,31 +59,30 @@ "default": [ ], - "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", "type": "set", "elements": { "type": "string" - } + }, + "description": "A list of cookie names that Kong will inspect to retrieve JWTs." } }, { "key_claim_name": { "default": "iss", - "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", - "type": "string" + "type": "string", + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order." } }, { "secret_is_base64": { "default": false, - "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", "type": "boolean", - "required": true + "required": true, + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret." } }, { "claims_to_verify": { - "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", "type": "set", "elements": { "type": "string", 
@@ -90,28 +90,29 @@ "exp", "nbf" ] - } + }, + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf." } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" } }, { "run_on_preflight": { "default": true, - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", "type": "boolean", - "required": true + "required": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed." } }, { "maximum_expiration": { "default": 0, - "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", "type": "number", + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", "between": [ 0, 31536000 @@ -123,15 +124,14 @@ "default": [ "authorization" ], - "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", "type": "set", "elements": { "type": "string" - } + }, + "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs." } } ], - "type": "record", "required": true } } 
@@ -139,11 +139,11 @@ "entity_checks": [ { "conditional": { - "if_field": "config.maximum_expiration", - "then_field": "config.claims_to_verify", "if_match": { "gt": 0 }, + "then_field": "config.claims_to_verify", + "if_field": "config.maximum_expiration", "then_match": { "contains": "exp" } diff --git a/schemas/kafka-log/3.4.x.json b/schemas/kafka-log/3.4.x.json index c2881818..a7790545 100644 --- a/schemas/kafka-log/3.4.x.json +++ b/schemas/kafka-log/3.4.x.json @@ -10,8 +10,8 @@ "ws", "wss" ], - "required": true, "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -28,9 +28,9 @@ { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -38,217 +38,215 @@ "fields": [ { "bootstrap_servers": { - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "type": "set", "elements": { - "type": "record", "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", "type": "string", - "required": true + "required": true, + "description": "A string representing a host name, such as example.com." } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "required": true, "between": [ 0, 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", - "required": true + ] } } - ] - } + ], + "type": "record" + }, + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." } }, { "topic": { - "description": "The Kafka topic to publish to.", "type": "string", - "required": true + "required": true, + "description": "The Kafka topic to publish to." } }, { "timeout": { "default": 10000, - "description": "Socket timeout in milliseconds.", - "type": "integer" + "type": "integer", + "description": "Socket timeout in milliseconds." } }, { "keepalive": { - "type": "integer", - "default": 60000 + "default": 60000, + "type": "integer" } }, { "keepalive_enabled": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "authentication": { + "type": "record", "fields": [ { "strategy": { - "type": "string", - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "one_of": [ "sasl" ], - "required": false + "type": "string", + "required": false, + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`." } }, { "mechanism": { - "type": "string", - "description": "The SASL authentication mechanism. 
Supported options: `PLAIN` or `SCRAM-SHA-256`.", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" ], - "required": false + "type": "string", + "required": false, + "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`." } }, { "tokenauth": { - "description": "Enable this to indicate `DelegationToken` authentication", "type": "boolean", - "required": false + "required": false, + "description": "Enable this to indicate `DelegationToken` authentication" } }, { "user": { "encrypted": true, - "required": false, "description": "Username for SASL authentication.", "type": "string", + "required": false, "referenceable": true } }, { "password": { "encrypted": true, - "required": false, "description": "Password for SASL authentication.", "type": "string", + "required": false, "referenceable": true } } ], - "type": "record", "required": true } }, { "security": { + "type": "record", "fields": [ { "certificate_id": { "uuid": true, - "description": "UUID of certificate entity for mTLS authentication.", "type": "string", - "required": false + "required": false, + "description": "UUID of certificate entity for mTLS authentication." } }, { "ssl": { - "description": "Enables TLS.", "type": "boolean", - "required": false + "required": false, + "description": "Enables TLS." } } ], - "type": "record", "required": true } }, { "cluster_name": { - "auto": true, "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. 
Logs will be sent to the leader of the cluster.", "type": "string", - "required": false + "required": false, + "auto": true } }, { "producer_request_acks": { "default": 1, - "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "type": "integer", "one_of": [ -1, 0, 1 - ] + ], + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set)." } }, { "producer_request_timeout": { "default": 2000, - "description": "Time to wait for a Produce response in milliseconds", - "type": "integer" + "type": "integer", + "description": "Time to wait for a Produce response in milliseconds" } }, { "producer_request_limits_messages_per_request": { "default": 200, - "description": "Maximum number of messages to include into a single Produce request.", - "type": "integer" + "type": "integer", + "description": "Maximum number of messages to include into a single Produce request." } }, { "producer_request_limits_bytes_per_request": { "default": 1048576, - "description": "Maximum size of a Produce request in bytes.", - "type": "integer" + "type": "integer", + "description": "Maximum size of a Produce request in bytes." } }, { "producer_request_retries_max_attempts": { "default": 10, - "description": "Maximum number of retry attempts per single Produce request.", - "type": "integer" + "type": "integer", + "description": "Maximum number of retry attempts per single Produce request." 
} }, { "producer_request_retries_backoff_timeout": { "default": 100, - "description": "Backoff interval between retry attempts in milliseconds.", - "type": "integer" + "type": "integer", + "description": "Backoff interval between retry attempts in milliseconds." } }, { "producer_async": { "default": true, - "description": "Flag to enable asynchronous mode.", - "type": "boolean" + "type": "boolean", + "description": "Flag to enable asynchronous mode." } }, { "producer_async_flush_timeout": { "default": 1000, - "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", - "type": "integer" + "type": "integer", + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode." } }, { "producer_async_buffering_limits_messages_in_memory": { "default": 50000, - "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", - "type": "integer" + "type": "integer", + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode." } }, { "custom_fields_by_lua": { - "type": "map", - "description": "Lua code as a key-value map", "values": { "len_min": 1, "type": "string" @@ -256,12 +254,14 @@ "keys": { "type": "string", "len_min": 1 - } + }, + "type": "map", + "description": "Lua code as a key-value map" } } ], - "required": true, "type": "record", + "required": true, "entity_checks": [ { "custom_entity_check": { diff --git a/schemas/kafka-upstream/3.4.x.json b/schemas/kafka-upstream/3.4.x.json index 05c37a84..63a31c30 100644 --- a/schemas/kafka-upstream/3.4.x.json +++ b/schemas/kafka-upstream/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
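Review bot: In the kafka-log hunk at -38,217 the `mechanism` description still names only PLAIN and SCRAM-SHA-256, while the `one_of` list directly above it also accepts `SCRAM-SHA-512`; the kafka-upstream schema in this same patch lists all three. The sentence should read `Supported options: PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512.` The description could also say that PLAIN sends the SASL password without protection unless `security.ssl` is enabled, since `ssl` is optional here and has no default. `keepalive` and `keepalive_enabled` in this hunk have no description at all, although kafka-upstream documents `keepalive`. As the file is pulled from the API, these corrections probably belong in the upstream schema source.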
@@ -19,15 +18,16 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -35,52 +35,52 @@ "fields": [ { "bootstrap_servers": { - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "type": "set", "elements": { - "type": "record", "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", "type": "string", - "required": true + "required": true, + "description": "A string representing a host name, such as example.com." } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "required": true, "between": [ 0, 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", - "required": true + ] } } - ] - } + ], + "type": "record" + }, + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." } }, { "topic": { - "description": "The Kafka topic to publish to.", "type": "string", - "required": true + "required": true, + "description": "The Kafka topic to publish to." } }, { "timeout": { "default": 10000, - "description": "Socket timeout in milliseconds.", - "type": "integer" + "type": "integer", + "description": "Socket timeout in milliseconds." } }, { "keepalive": { "default": 60000, - "description": "Keepalive timeout in milliseconds.", - "type": "integer" + "type": "integer", + "description": "Keepalive timeout in milliseconds." } }, { 
@@ -91,189 +91,189 @@ }, { "authentication": { + "type": "record", "fields": [ { "strategy": { - "type": "string", - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "one_of": [ "sasl" ], - "required": false + "type": "string", + "required": false, + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`." } }, { "mechanism": { - "type": "string", - "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" ], - "required": false + "type": "string", + "required": false, + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`." } }, { "tokenauth": { - "description": "Enable this to indicate `DelegationToken` authentication.", "type": "boolean", - "required": false + "required": false, + "description": "Enable this to indicate `DelegationToken` authentication." } }, { "user": { - "encrypted": true, - "referenceable": true, + "required": false, "description": "Username for SASL authentication.", "type": "string", - "required": false + "encrypted": true, + "referenceable": true } }, { "password": { - "encrypted": true, - "referenceable": true, + "required": false, "description": "Password for SASL authentication.", "type": "string", - "required": false + "encrypted": true, + "referenceable": true } } ], - "type": "record", "required": true } }, { "security": { + "type": "record", "fields": [ { "certificate_id": { "uuid": true, - "description": "UUID of certificate entity for mTLS authentication.", "type": "string", - "required": false + "required": false, + "description": "UUID of certificate entity for mTLS authentication." } }, { "ssl": { - "description": "Enables TLS.", "type": "boolean", - "required": false + "required": false, + "description": "Enables TLS." 
} } ], - "type": "record", "required": true } }, { "forward_method": { "default": false, - "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "type": "boolean" + "type": "boolean", + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { "forward_uri": { "default": false, - "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "type": "boolean" + "type": "boolean", + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { "forward_headers": { "default": false, - "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "type": "boolean" + "type": "boolean", + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { "forward_body": { "default": true, - "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "type": "boolean" + "type": "boolean", + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { "cluster_name": { "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. 
If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", - "auto": true, "type": "string", - "required": false + "required": false, + "auto": true } }, { "producer_request_acks": { "default": 1, - "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "type": "integer", "one_of": [ -1, 0, 1 - ] + ], + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set)." } }, { "producer_request_timeout": { "default": 2000, - "description": "Time to wait for a Produce response in milliseconds.", - "type": "integer" + "type": "integer", + "description": "Time to wait for a Produce response in milliseconds." } }, { "producer_request_limits_messages_per_request": { "default": 200, - "description": "Maximum number of messages to include into a single producer request.", - "type": "integer" + "type": "integer", + "description": "Maximum number of messages to include into a single producer request." } }, { "producer_request_limits_bytes_per_request": { "default": 1048576, - "description": "Maximum size of a Produce request in bytes.", - "type": "integer" + "type": "integer", + "description": "Maximum size of a Produce request in bytes." } }, { "producer_request_retries_max_attempts": { "default": 10, - "description": "Maximum number of retry attempts per single Produce request.", - "type": "integer" + "type": "integer", + "description": "Maximum number of retry attempts per single Produce request." 
} }, { "producer_request_retries_backoff_timeout": { "default": 100, - "description": "Backoff interval between retry attempts in milliseconds.", - "type": "integer" + "type": "integer", + "description": "Backoff interval between retry attempts in milliseconds." } }, { "producer_async": { "default": true, - "description": "Flag to enable asynchronous mode.", - "type": "boolean" + "type": "boolean", + "description": "Flag to enable asynchronous mode." } }, { "producer_async_flush_timeout": { "default": 1000, - "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", - "type": "integer" + "type": "integer", + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode." } }, { "producer_async_buffering_limits_messages_in_memory": { "default": 50000, - "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", - "type": "integer" + "type": "integer", + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode." } } ], - "required": true, "type": "record", + "required": true, "entity_checks": [ { "custom_entity_check": { diff --git a/schemas/key-auth-enc/3.4.x.json b/schemas/key-auth-enc/3.4.x.json index 8eab531c..4c862ea4 100644 --- a/schemas/key-auth-enc/3.4.x.json +++ b/schemas/key-auth-enc/3.4.x.json @@ -3,9 +3,9 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -18,8 +18,8 @@ "ws", "wss" ], - "required": true, "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -36,13 +36,14 @@ { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "key_names": { @@ -50,19 +51,19 @@ "default": [ "apikey" ], - "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "type": "array", "elements": { - "type": "string", - "description": "A string representing an HTTP header name." - } + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." } }, { "hide_credentials": { "default": false, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", - "type": "boolean" + "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it." } }, { 
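Review bot: In the key-auth-enc hunk at -50,19 the `key_names` element description says `A string representing an HTTP header name.`, but the parent description states that the same names are looked up in headers, the query string and the request body; the key-auth hunk at -50,20 has the same mismatch. An element text such as `A parameter name (header, query string, or body field) that may carry the API key.` would agree with the parent. The later hunks show `key_in_query` defaulting to true and `hide_credentials` to false, and neither description says that a key sent in the query string is normally written to access logs and, with the default, forwarded to the upstream service.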
@@ -74,33 +75,32 @@ { "key_in_header": { "default": true, - "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", - "type": "boolean" + "type": "boolean", + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it." } }, { "key_in_query": { "default": true, - "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", - "type": "boolean" + "type": "boolean", + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it." } }, { "key_in_body": { "default": false, - "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", - "type": "boolean" + "type": "boolean", + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." } }, { "run_on_preflight": { "default": true, - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", - "type": "boolean" + "type": "boolean", + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed." } } ], - "type": "record", "required": true } } diff --git a/schemas/key-auth/3.4.x.json b/schemas/key-auth/3.4.x.json index 414337ee..c87e8d74 100644 --- a/schemas/key-auth/3.4.x.json +++ b/schemas/key-auth/3.4.x.json 
@@ -3,9 +3,9 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -18,8 +18,8 @@ "ws", "wss" ], - "required": true, "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -36,13 +36,14 @@ { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "key_names": { @@ -50,20 +51,20 @@ "default": [ "apikey" ], - "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "type": "array", "elements": { - "type": "string", - "description": "A string representing an HTTP header name." - } + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." } }, { "hide_credentials": { "default": false, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", "type": "boolean", - "required": true + "required": true, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request." } }, { 
@@ -75,37 +76,36 @@ { "key_in_header": { "default": true, - "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", "type": "boolean", - "required": true + "required": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it." } }, { "key_in_query": { "default": true, - "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", "type": "boolean", - "required": true + "required": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it." } }, { "key_in_body": { "default": false, - "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", "type": "boolean", - "required": true + "required": true, + "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." } }, { "run_on_preflight": { "default": true, - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", "type": "boolean", - "required": true + "required": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed." } } ], - "type": "record", "required": true } } diff --git a/schemas/konnect-application-auth/3.4.x.json b/schemas/konnect-application-auth/3.4.x.json index b6e79044..68526368 100644 --- a/schemas/konnect-application-auth/3.4.x.json +++ b/schemas/konnect-application-auth/3.4.x.json 
@@ -3,17 +3,17 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "route": { "reference": "routes", - "description": "A reference to the 'routes' table with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "A reference to the 'routes' table with a null value allowed." } }, { @@ -25,7 +25,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", @@ -35,15 +34,16 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -55,37 +55,37 @@ "default": [ "apikey" ], - "description": "The names of the headers containing the API key. You can specify multiple header names.", "type": "array", "elements": { - "type": "string", - "description": "A string representing an HTTP header name." - } + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "description": "The names of the headers containing the API key. You can specify multiple header names." } }, { "auth_type": { "required": true, "default": "openid-connect", - "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth'.", "type": "string", "one_of": [ "openid-connect", "key-auth" - ] + ], + "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth'." } }, { "scope": { "unique": true, - "description": "The unique scope identifier for the plugin configuration.", "type": "string", - "required": true + "required": true, + "description": "The unique scope identifier for the plugin configuration." } } ], - "required": true, "type": "record", + "required": true, "entity_checks": [ ] diff --git a/schemas/ldap-auth-advanced/3.4.x.json b/schemas/ldap-auth-advanced/3.4.x.json index 4b3320dc..fb715cf8 100644 --- a/schemas/ldap-auth-advanced/3.4.x.json +++ b/schemas/ldap-auth-advanced/3.4.x.json @@ -10,8 +10,8 @@ "ws", "wss" ], - "required": true, "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -28,139 +28,140 @@ { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "ldap_host": { - "description": "Host on which the LDAP server is running.", "type": "string", - "required": true + "required": true, + "description": "Host on which the LDAP server is running." } }, { "ldap_password": { - "encrypted": true, "description": "The password to the LDAP server.", "type": "string", + "encrypted": true, "referenceable": true } }, { "ldap_port": { "default": 389, - "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", - "type": "number" + "type": "number", + "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636." } }, { "bind_dn": { - "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", "type": "string", + "description": "The DN to bind to. Used to perform LDAP search of user. 
This `bind_dn` should have permissions to search for the user being authenticated.", "referenceable": true } }, { "ldaps": { "default": false, - "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", "type": "boolean", - "required": true + "required": true, + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled." } }, { "start_tls": { "default": false, - "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", "type": "boolean", - "required": true + "required": true, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled." } }, { "verify_ldap_host": { "default": false, - "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", "type": "boolean", - "required": true + "required": true, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive." } }, { "base_dn": { - "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", "type": "string", - "required": true + "required": true, + "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'." 
} }, { "attribute": { - "description": "Attribute to be used to search the user; e.g., \"cn\".", "type": "string", - "required": true + "required": true, + "description": "Attribute to be used to search the user; e.g., \"cn\"." } }, { "cache_ttl": { "default": 60, - "description": "Cache expiry time in seconds.", "type": "number", - "required": true + "required": true, + "description": "Cache expiry time in seconds." } }, { "hide_credentials": { "default": false, - "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", - "type": "boolean" + "type": "boolean", + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request." } }, { "timeout": { "default": 10000, - "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", - "type": "number" + "type": "number", + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server." } }, { "keepalive": { "default": 60000, - "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", - "type": "number" + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed." } }, { "anonymous": { "default": "", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. 
If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "len_min": 0 } }, { "header_type": { "default": "ldap", - "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", - "type": "string" + "type": "string", + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`." } }, { "consumer_optional": { "default": false, - "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", "type": "boolean", - "required": false + "required": false, + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user." } }, { @@ -170,7 +171,6 @@ "username", "custom_id" ], - "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", "type": "array", "elements": { "type": "string", 
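Review bot: The `ldaps` description in the ldap-auth-advanced hunk at -28,139 says `If the ldap setting is enabled`, which names a field this schema does not define; it presumably means `ldaps`. In the same hunk `ldaps`, `start_tls` and `verify_ldap_host` all default to false, so a configuration that sets only the required fields appears to bind with `ldap_password` over an unencrypted connection and without checking the server certificate, and none of the three descriptions says so. The `anonymous` description says `default null` while the schema default is an empty string. These files come from the API, so the wording most likely has to be fixed in the upstream schema.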
@@ -178,48 +178,48 @@ "username", "custom_id" ] - } + }, + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both." } }, { "group_base_dn": { - "type": "string", - "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'." + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", + "type": "string" } }, { "group_name_attribute": { - "type": "string", - "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive." + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", + "type": "string" } }, { "group_member_attribute": { "default": "memberOf", - "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive.", - "type": "string" + "type": "string", + "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive." } }, { "log_search_results": { "default": false, - "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", "type": "boolean", - "required": false + "required": false, + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment." } }, { "groups_required": { "required": false, - "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. 
- When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", "type": "array", "elements": { "type": "string" - } + }, + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result." } } ], - "type": "record", "required": true } } diff --git a/schemas/ldap-auth/3.4.x.json b/schemas/ldap-auth/3.4.x.json index b3184e9b..b8208859 100644 --- a/schemas/ldap-auth/3.4.x.json +++ b/schemas/ldap-auth/3.4.x.json @@ -3,9 +3,9 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -18,8 +18,8 @@ "ws", "wss" ], - "required": true, "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -36,9 +36,9 @@ { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
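Review bot: The `group_base_dn` description on the new side still ends in a stray fragment, `This field is case-insensitive.',dc=com'.`, which reads like the tail of a truncated example DN. An operator setting the group search base cannot tell from it what value is expected or what the plugin falls back to. Either restore the full sentence in the upstream plugin schema or end the description at `This field is case-insensitive.`. Since these files are pulled from the API, a hand edit here would presumably be overwritten by the next download. The hunk only moves this text, so the defect predates the commit.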
@@ -46,119 +46,119 @@ "fields": [ { "ldap_host": { - "description": "A string representing a host name, such as example.com.", "type": "string", - "required": true + "required": true, + "description": "A string representing a host name, such as example.com." } }, { "ldap_port": { "required": true, - "default": 389, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 389, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "ldaps": { "default": false, - "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", "type": "boolean", - "required": true + "required": true, + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled." } }, { "start_tls": { "default": false, - "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", "type": "boolean", - "required": true + "required": true, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled." } }, { "verify_ldap_host": { "default": false, - "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", "type": "boolean", - "required": true + "required": true, + "description": "Set to `true` to authenticate LDAP server. 
The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive." } }, { "base_dn": { - "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", "type": "string", - "required": true + "required": true, + "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com" } }, { "attribute": { - "description": "Attribute to be used to search the user; e.g. cn", "type": "string", - "required": true + "required": true, + "description": "Attribute to be used to search the user; e.g. cn" } }, { "cache_ttl": { "default": 60, - "description": "Cache expiry time in seconds.", "type": "number", - "required": true + "required": true, + "description": "Cache expiry time in seconds." } }, { "hide_credentials": { "default": false, - "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", "type": "boolean", - "required": true + "required": true, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request." } }, { "timeout": { "default": 10000, - "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", - "type": "number" + "type": "number", + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server." } }, { "keepalive": { "default": 60000, - "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", - "type": "number" + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed." 
} }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`.", + "type": "string" } }, { "header_type": { "default": "ldap", - "description": "An optional string to use as part of the Authorization header", - "type": "string" + "type": "string", + "description": "An optional string to use as part of the Authorization header" } } ], - "required": true, "type": "record", + "required": true, "entity_checks": [ { "conditional": { - "then_field": "start_tls", "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", - "then_match": { - "eq": false - }, "if_match": { "eq": true }, - "if_field": "ldaps" + "then_field": "start_tls", + "if_field": "ldaps", + "then_match": { + "eq": false + } } } ] diff --git a/schemas/loggly/3.4.x.json b/schemas/loggly/3.4.x.json index e5464f58..9c95b1d2 100644 --- a/schemas/loggly/3.4.x.json +++ b/schemas/loggly/3.4.x.json @@ -9,10 +9,8 @@ "http", "https" ], - "description": "A set of strings representing protocols.", "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "type": "string", "one_of": [ "grpc", 
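Review bot: The `ldaps` description tells the reader to disable `start_tls` "if the `ldap` setting is enabled", but this schema has no `ldap` field. The entity check at the end of the hunk is between `ldaps` and `start_tls`, so the sentence should read `If the ldaps setting is enabled, ensure the start_tls setting is disabled.`. The same description says port 636 must be used with `ldaps`, while `ldap_port` defaults to 389 and nothing visible in the hunk enforces the pairing. In addition, `ldaps`, `start_tls` and `verify_ldap_host` all default to `false`, so a configuration that sets only the required fields appears to reach the directory over plain LDAP without verifying the server certificate. The descriptions should say so explicitly and recommend enabling one transport option together with `verify_ldap_host`.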
@@ -25,33 +23,36 @@ "udp", "ws", "wss" - ] - } + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "host": { "default": "logs-01.loggly.com", - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { "default": 514, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 @@ -61,8 +62,8 @@ { "key": { "required": true, - "encrypted": true, "type": "string", + "encrypted": true, "referenceable": true } }, @@ -149,8 +150,6 @@ }, { "custom_fields_by_lua": { - "type": "map", - "description": "Lua code as a key-value map", "values": { "len_min": 1, "type": "string" @@ -158,11 +157,12 @@ "keys": { "type": "string", "len_min": 1 - } + }, + "type": "map", + "description": "Lua code as a key-value map" } } ], - "type": "record", "required": true } } diff --git a/schemas/mocking/3.4.x.json b/schemas/mocking/3.4.x.json index dd30d26e..f69883bc 100644 --- a/schemas/mocking/3.4.x.json +++ b/schemas/mocking/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
@@ -19,81 +18,82 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "api_specification_filename": { - "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", "type": "string", - "required": false + "required": false, + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode." } }, { "api_specification": { - "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", "type": "string", - "required": false + "required": false, + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field." } }, { "random_delay": { "default": false, - "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs.", - "type": "boolean" + "type": "boolean", + "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs." } }, { "max_delay_time": { "default": 1, - "description": "The maximum value in seconds of delay time. 
Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", - "type": "number" + "type": "number", + "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`." } }, { "min_delay_time": { "default": 0.001, - "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`.", - "type": "number" + "type": "number", + "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`." } }, { "random_examples": { "default": false, - "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", - "type": "boolean" + "type": "boolean", + "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured." } }, { "included_status_codes": { - "description": "A global list of the HTTP status codes that can only be selected and returned.", "type": "array", "elements": { "type": "integer" - } + }, + "description": "A global list of the HTTP status codes that can only be selected and returned." } }, { "random_status_code": { "default": false, - "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", "type": "boolean", - "required": true + "required": true, + "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. 
The default value is `false`, which means the minimum HTTP status code is always selected and returned." } } ], - "type": "record", "required": true } } diff --git a/schemas/mtls-auth/3.4.x.json b/schemas/mtls-auth/3.4.x.json index 00e188b2..9e11e123 100644 --- a/schemas/mtls-auth/3.4.x.json +++ b/schemas/mtls-auth/3.4.x.json @@ -3,9 +3,9 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -17,7 +17,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", @@ -27,15 +26,16 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -54,7 +54,6 @@ "username", "custom_id" ], - "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", "type": "array", "elements": { "type": "string", 
@@ -62,125 +61,126 @@ "username", "custom_id" ] - } + }, + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled." } }, { "ca_certificates": { "required": true, - "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", "type": "array", "elements": { "uuid": true, "type": "string" - } + }, + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`)." } }, { "cache_ttl": { "default": 60, - "description": "Cache expiry time in seconds.", "type": "number", - "required": true + "required": true, + "description": "Cache expiry time in seconds." } }, { "skip_consumer_lookup": { "default": false, - "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", "type": "boolean", - "required": true + "required": true, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list." } }, { "allow_partial_chain": { "default": false, - "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", "type": "boolean", - "required": true + "required": true, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates." } }, { "authenticated_group_by": { "required": false, "default": "CN", - "description": "Certificate property to use as the authenticated group. 
Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "type": "string", "one_of": [ "CN", "DN" - ] + ], + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users." } }, { "revocation_check_mode": { "required": false, "default": "IGNORE_CA_ERROR", - "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "type": "string", "one_of": [ "SKIP", "IGNORE_CA_ERROR", "STRICT" - ] + ], + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status." 
} }, { "http_timeout": { "default": 30000, - "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", - "type": "number" + "type": "number", + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL." } }, { "cert_cache_ttl": { "default": 60000, - "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", - "type": "number" + "type": "number", + "description": "The length of time in milliseconds between refreshes of the revocation check status cache." } }, { "send_ca_dn": { "default": false, - "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", - "type": "boolean" + "type": "boolean", + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message." } }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "http_proxy_port": { + "type": "integer", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "https_proxy_port": { + "type": "integer", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "description": "An integer representing a port number between 0 and 65535, inclusive." 
} } ], - "required": true, "type": "record", + "required": true, "entity_checks": [ { "mutually_required": [ diff --git a/schemas/oas-validation/3.4.x.json b/schemas/oas-validation/3.4.x.json index e0ff31a1..353b408a 100644 --- a/schemas/oas-validation/3.4.x.json +++ b/schemas/oas-validation/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
@@ -19,117 +18,118 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "api_spec": { - "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URL encoded to preserve the YAML format.", "type": "string", - "required": true + "required": true, + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URL encoded to preserve the YAML format." } }, { "verbose_response": { "default": false, - "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", "type": "boolean", - "required": false + "required": false, + "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing." } }, { "validate_request_body": { "default": true, - "description": "If set to true, validates the request body content against the API specification.", "type": "boolean", - "required": false + "required": false, + "description": "If set to true, validates the request body content against the API specification." 
} }, { "notify_only_request_validation_failure": { "default": false, - "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", "type": "boolean", - "required": false + "required": false, + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow." } }, { "validate_request_header_params": { "default": true, - "description": "If set to true, validates HTTP header parameters against the API specification.", "type": "boolean", - "required": false + "required": false, + "description": "If set to true, validates HTTP header parameters against the API specification." } }, { "validate_request_query_params": { "default": true, - "description": "If set to true, validates query parameters against the API specification.", "type": "boolean", - "required": false + "required": false, + "description": "If set to true, validates query parameters against the API specification." } }, { "validate_request_uri_params": { "default": true, - "description": "If set to true, validates URI parameters in the request against the API specification.", "type": "boolean", - "required": false + "required": false, + "description": "If set to true, validates URI parameters in the request against the API specification." } }, { "validate_response_body": { "default": false, - "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", "type": "boolean", - "required": false + "required": false, + "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code." 
} }, { "notify_only_response_body_validation_failure": { "default": false, - "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", "type": "boolean", - "required": false + "required": false, + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow." } }, { "query_parameter_check": { "default": false, - "description": "If set to true, checks if query parameters in the request exist in the API specification.", "type": "boolean", - "required": true + "required": true, + "description": "If set to true, checks if query parameters in the request exist in the API specification." } }, { "header_parameter_check": { "default": false, - "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", "type": "boolean", - "required": true + "required": true, + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification." } }, { "allowed_header_parameters": { "default": "Host,Content-Type,User-Agent,Accept,Content-Length", - "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", "type": "string", - "required": false + "required": false, + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. 
For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent." } } ], - "type": "record", "required": true } } diff --git a/schemas/oauth2-introspection/3.4.x.json b/schemas/oauth2-introspection/3.4.x.json index 856e051c..bd0cefb2 100644 --- a/schemas/oauth2-introspection/3.4.x.json +++ b/schemas/oauth2-introspection/3.4.x.json @@ -3,9 +3,9 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -17,7 +17,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", @@ -27,32 +26,34 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "introspection_url": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", - "required": true + "required": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "ttl": { "default": 30, - "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", - "type": "number" + "type": "number", + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration." } }, { 
@@ -63,81 +64,81 @@ }, { "authorization_value": { - "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", "type": "string", - "required": true + "required": true, + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`)." } }, { "timeout": { "default": 10000, - "description": "An optional timeout in milliseconds when sending data to the upstream server.", - "type": "integer" + "type": "integer", + "description": "An optional timeout in milliseconds when sending data to the upstream server." } }, { "keepalive": { "default": 60000, - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", - "type": "integer" + "type": "integer", + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." } }, { "introspect_request": { "default": false, - "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", "type": "boolean", - "required": true + "required": true, + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request." } }, { "hide_credentials": { "default": false, - "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. 
It will be removed by Kong before proxying the request.", - "type": "boolean" + "type": "boolean", + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request." } }, { "run_on_preflight": { "default": true, - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", - "type": "boolean" + "type": "boolean", + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed." } }, { "anonymous": { - "len_min": 0, - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "default": "", "type": "string", - "default": "" + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "len_min": 0 } }, { "consumer_by": { "required": true, "default": "username", - "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. 
OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", "type": "string", "one_of": [ "username", "client_id" - ] + ], + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`." } }, { "custom_introspection_headers": { - "values": { + "keys": { "type": "string" }, "required": true, + "values": { + "type": "string" + }, "default": [ ], - "description": "A list of custom headers to be added in the introspection request.", "type": "map", - "keys": { - "type": "string" - } + "description": "A list of custom headers to be added in the introspection request." } }, { @@ -146,15 +147,14 @@ "default": [ ], - "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", "type": "set", "elements": { "type": "string" - } + }, + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`." } } ], - "type": "record", "required": true } } diff --git a/schemas/oauth2/3.4.x.json b/schemas/oauth2/3.4.x.json index f952e014..847d2903 100644 --- a/schemas/oauth2/3.4.x.json +++ b/schemas/oauth2/3.4.x.json @@ -3,9 +3,9 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -18,8 +18,8 @@ "ws", "wss" ], - "required": true, "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
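Review bot: `authorization_value` is described as usually holding the `client_id` and `client_secret` as a Base64-encoded Basic Auth string, yet on the new side it carries only `type`, `required` and `description`. Other secret-bearing fields in this same commit are marked differently: the loggly `key` has `"encrypted": true` and `"referenceable": true`, and the oauth2 `provision_key` has `"encrypted": true`. If the upstream plugin schema really omits these attributes, that is worth raising there. Until then the description should tell readers that the value is a credential and, as far as this schema shows, cannot be supplied as a vault reference. The hunk only reorders keys, so this is not introduced by the commit.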
@@ -36,109 +36,95 @@ { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "entity_checks": [ - { - "conditional": { - "if_field": "mandatory_scope", - "then_field": "scopes", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - } - } - } - ], "fields": [ { "scopes": { - "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required." } }, { "mandatory_scope": { "default": false, - "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", "type": "boolean", - "required": true + "required": true, + "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user." } }, { "provision_key": { - "encrypted": true, "required": true, - "unique": true, - "description": "The unique key the plugin has generated when it has been added to the Service.", + "auto": true, + "encrypted": true, "type": "string", - "auto": true + "unique": true, + "description": "The unique key the plugin has generated when it has been added to the Service." } }, { "token_expiration": { "default": 7200, - "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. 
Set to `0` to disable the expiration.", "type": "number", - "required": true + "required": true, + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration." } }, { "enable_authorization_code": { "default": false, - "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", "type": "boolean", - "required": true + "required": true, + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1)." } }, { "enable_implicit_grant": { "default": false, - "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", "type": "boolean", - "required": true + "required": true, + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2)." } }, { "enable_client_credentials": { "default": false, - "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", "type": "boolean", - "required": true + "required": true, + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4)." } }, { "enable_password_grant": { "default": false, - "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", "type": "boolean", - "required": true + "required": true, + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3)." 
} }, { "hide_credentials": { "default": false, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", "type": "boolean", - "required": true + "required": true, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service." } }, { "accept_http_if_already_terminated": { "default": false, - "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", "type": "boolean", - "required": true + "required": true, + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer." } }, { 
@@ -150,36 +136,36 @@ { "global_credentials": { "default": false, - "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", "type": "boolean", - "required": true + "required": true, + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`." } }, { "auth_header_name": { "default": "authorization", - "description": "The name of the header that is supposed to carry the access token.", - "type": "string" + "type": "string", + "description": "The name of the header that is supposed to carry the access token." } }, { "refresh_token_ttl": { "required": true, - "default": 1209600, - "description": "Time-to-live value for data", - "type": "number", "between": [ 0, 100000000 - ] + ], + "default": 1209600, + "type": "number", + "description": "Time-to-live value for data" } }, { "reuse_refresh_token": { "default": false, - "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", "type": "boolean", - "required": true + "required": true, + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token." } }, { 
@@ -193,18 +179,32 @@ "pkce": { "required": false, "default": "lax", - "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", "type": "string", "one_of": [ "none", "lax", "strict" - ] + ], + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin." } } ], "type": "record", - "required": true + "required": true, + "entity_checks": [ + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "scopes", + "if_field": "mandatory_scope", + "then_match": { + "required": true + } + } + } + ] } } ], diff --git a/schemas/opa/3.4.x.json b/schemas/opa/3.4.x.json index b0aca76e..528217ab 100644 --- a/schemas/opa/3.4.x.json +++ b/schemas/opa/3.4.x.json @@ -3,9 +3,9 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -17,7 +17,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
@@ -27,116 +26,117 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "opa_protocol": { "default": "http", - "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", "type": "string", "one_of": [ "http", "https" - ] + ], + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`." } }, { "opa_host": { "default": "localhost", - "description": "A string representing a host name, such as example.com.", "type": "string", - "required": true + "required": true, + "description": "A string representing a host name, such as example.com." } }, { "opa_port": { "required": true, - "default": 8181, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 8181, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "opa_path": { + "required": true, + "starts_with": "/", + "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "required": true, - "starts_with": "/", - "type": "string", "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." 
} }, { "include_service_in_opa_input": { "default": false, - "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", - "type": "boolean" + "type": "boolean", + "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA." } }, { "include_route_in_opa_input": { "default": false, - "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", - "type": "boolean" + "type": "boolean", + "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA." } }, { "include_consumer_in_opa_input": { "default": false, - "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", - "type": "boolean" + "type": "boolean", + "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA." } }, { "include_body_in_opa_input": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "include_parsed_json_body_in_opa_input": { "default": false, - "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", - "type": "boolean" + "type": "boolean", + "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA." 
} }, { "include_uri_captures_in_opa_input": { "default": false, - "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", - "type": "boolean" + "type": "boolean", + "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA." } }, { "ssl_verify": { "default": true, - "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", "type": "boolean", - "required": true + "required": true, + "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate." } } ], - "type": "record", "required": true } } diff --git a/schemas/openid-connect/3.4.x.json b/schemas/openid-connect/3.4.x.json index 197761ae..570347d3 100644 --- a/schemas/openid-connect/3.4.x.json +++ b/schemas/openid-connect/3.4.x.json @@ -3,9 +3,9 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -17,7 +17,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
@@ -27,64 +26,149 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "shorthand_fields": [ + { + "authorization_cookie_lifetime": { + "type": "number" + } + }, + { + "authorization_cookie_samesite": { + "type": "string" + } + }, + { + "authorization_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_cookie_lifetime": { + "type": "number" + } + }, + { + "session_cookie_idletime": { + "type": "number" + } + }, + { + "session_cookie_samesite": { + "type": "string" + } + }, + { + "session_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "type": "string" + } + }, + { + "session_memcache_socket": { + "type": "string" + } + }, + { + "session_memcache_host": { + "type": "string" + } + }, + { + "session_memcache_port": { + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer" + } + }, + { + "session_cookie_renew": { + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "type": "integer" + } + }, + { + "session_strategy": { + "type": "string" + } + }, + { + "session_compressor": { + "type": "string" + } + } + ], + "type": "record", + "required": true, "fields": [ { "issuer": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", - "required": true + "required": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
} }, { "discovery_headers_names": { "required": false, - "description": "Extra header names passed to the discovery endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Extra header names passed to the discovery endpoint." } }, { "discovery_headers_values": { "required": false, - "description": "Extra header values passed to the discovery endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Extra header values passed to the discovery endpoint." } }, { "extra_jwks_uris": { "required": false, - "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "type": "set", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - } + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery)." } }, { "rediscovery_lifetime": { "default": 30, - "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", "type": "number", - "required": false + "required": false, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis." } }, { @@ -101,7 +185,6 @@ "refresh_token", "session" ], - "description": "Types of credentials/grants to enable.", "type": "array", "elements": { "type": "string", 
@@ -116,37 +199,37 @@ "refresh_token", "session" ] - } + }, + "description": "Types of credentials/grants to enable." } }, { "client_id": { - "encrypted": true, "required": false, - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "encrypted": true, "type": "array", "elements": { - "type": "string", - "referenceable": true - } + "referenceable": true, + "type": "string" + }, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." } }, { "client_secret": { - "encrypted": true, "required": false, - "description": "The client secret.", + "encrypted": true, "type": "array", "elements": { - "type": "string", - "referenceable": true - } + "referenceable": true, + "type": "string" + }, + "description": "The client secret." } }, { "client_auth": { "required": false, - "description": "The authentication method used by the client (plugin) when calling the endpoint.", "type": "array", "elements": { "type": "string", 
@@ -157,193 +240,194 @@ "private_key_jwt", "none" ] - } + }, + "description": "The authentication method used by the client (plugin) when calling the endpoint." } }, { "client_jwk": { - "required": false, "type": "array", + "required": false, "elements": { - "required": false, "type": "record", + "required": false, "fields": [ { "issuer": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "kty": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "use": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "key_ops": { - "required": false, "type": "array", + "required": false, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" } } }, { "alg": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "kid": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5u": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5c": { - "required": false, "type": "array", + "required": false, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" } } }, { "x5t": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5t#S256": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "k": { - "required": false, - "referenceable": true, + "encrypted": true, "type": "string", - "encrypted": true + "required": false, + "referenceable": true } }, { "x": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "y": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "crv": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "n": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "e": 
{ - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "d": { - "required": false, - "referenceable": true, + "encrypted": true, "type": "string", - "encrypted": true + "required": false, + "referenceable": true } }, { "p": { - "required": false, - "referenceable": true, + "encrypted": true, "type": "string", - "encrypted": true + "required": false, + "referenceable": true } }, { "q": { - "required": false, - "referenceable": true, + "encrypted": true, "type": "string", - "encrypted": true + "required": false, + "referenceable": true } }, { "dp": { - "required": false, - "referenceable": true, + "encrypted": true, "type": "string", - "encrypted": true + "required": false, + "referenceable": true } }, { "dq": { - "required": false, - "referenceable": true, + "encrypted": true, "type": "string", - "encrypted": true + "required": false, + "referenceable": true } }, { "qi": { - "required": false, - "referenceable": true, + "encrypted": true, "type": "string", - "encrypted": true + "required": false, + "referenceable": true } }, { "oth": { - "required": false, - "referenceable": true, + "encrypted": true, "type": "string", - "encrypted": true + "required": false, + "referenceable": true } }, { "r": { - "required": false, - "referenceable": true, + "encrypted": true, "type": "string", - "encrypted": true + "required": false, + "referenceable": true } }, { "t": { - "required": false, - "referenceable": true, + "encrypted": true, "type": "string", - "encrypted": true + "required": false, + "referenceable": true } } ] @@ -352,8 +436,8 @@ }, { "client_alg": { - "required": false, "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -377,112 +461,112 @@ { "client_arg": { "default": "client_id", - "description": "The client to use for this request (the selection is made with a request parameter with the same name).", "type": "string", - "required": false + "required": false, + "description": "The client to use for this request (the selection is made with a request parameter with the same name)." } }, { "redirect_uri": { "required": false, - "description": "The redirect URI passed to the authorization and token endpoints.", "type": "array", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - } + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "description": "The redirect URI passed to the authorization and token endpoints." } }, { "login_redirect_uri": { "required": false, - "description": "Where to redirect the client when `login_action` is set to `redirect`.", "type": "array", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - } + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "description": "Where to redirect the client when `login_action` is set to `redirect`." } }, { "logout_redirect_uri": { "required": false, - "description": "Where to redirect the client after the logout.", "type": "array", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - } + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "description": "Where to redirect the client after the logout." 
} }, { "forbidden_redirect_uri": { "required": false, - "description": "Where to redirect the client on forbidden requests.", "type": "array", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - } + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "description": "Where to redirect the client on forbidden requests." } }, { "forbidden_error_message": { "default": "Forbidden", - "description": "The error message for the forbidden requests (when not using the redirection).", "type": "string", - "required": false + "required": false, + "description": "The error message for the forbidden requests (when not using the redirection)." } }, { "forbidden_destroy_session": { "default": true, - "description": "Destroy any active session for the forbidden requests.", "type": "boolean", - "required": false + "required": false, + "description": "Destroy any active session for the forbidden requests." } }, { "unauthorized_redirect_uri": { "required": false, - "description": "Where to redirect the client on unauthorized requests.", "type": "array", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - } + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "description": "Where to redirect the client on unauthorized requests." } }, { "unauthorized_error_message": { "default": "Unauthorized", - "description": "The error message for the unauthorized requests (when not using the redirection).", "type": "string", - "required": false + "required": false, + "description": "The error message for the unauthorized requests (when not using the redirection)." 
} }, { "unexpected_redirect_uri": { "required": false, - "description": "Where to redirect the client when unexpected errors happen with the requests.", "type": "array", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - } + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "description": "Where to redirect the client when unexpected errors happen with the requests." } }, { "response_mode": { "required": false, "default": "query", - "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)", "type": "string", "one_of": [ "query", "form_post", "fragment" - ] + ], + "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)" } }, { @@ -491,11 +575,11 @@ "default": [ "code" ], - "description": "The response type passed to the authorization endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "The response type passed to the authorization endpoint." } }, { 
@@ -504,41 +588,41 @@ "default": [ "openid" ], - "description": "The scopes passed to the authorization and token endpoints.", "type": "array", "elements": { "type": "string" - } + }, + "description": "The scopes passed to the authorization and token endpoints." } }, { "audience": { "required": false, - "description": "The audience passed to the authorization endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "The audience passed to the authorization endpoint." } }, { "issuers_allowed": { "required": false, - "description": "The issuers allowed to be present in the tokens (`iss` claim).", "type": "array", "elements": { "type": "string" - } + }, + "description": "The issuers allowed to be present in the tokens (`iss` claim)." } }, { "scopes_required": { "required": false, - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "type": "array", "elements": { "type": "string" - } + }, + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." } }, { 
@@ -547,21 +631,21 @@ "default": [ "scope" ], - "description": "The claim that contains the scopes.", "type": "array", "elements": { "type": "string" - } + }, + "description": "The claim that contains the scopes." } }, { "audience_required": { "required": false, - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "type": "array", "elements": { "type": "string" - } + }, + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." } }, { @@ -570,21 +654,21 @@ "default": [ "aud" ], - "description": "The claim that contains the audience.", "type": "array", "elements": { "type": "string" - } + }, + "description": "The claim that contains the audience." } }, { "groups_required": { "required": false, - "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "type": "array", "elements": { "type": "string" - } + }, + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." } }, { 
@@ -593,21 +677,21 @@ "default": [ "groups" ], - "description": "The claim that contains the groups.", "type": "array", "elements": { "type": "string" - } + }, + "description": "The claim that contains the groups." } }, { "roles_required": { "required": false, - "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "type": "array", "elements": { "type": "string" - } + }, + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." } }, { 
@@ -616,163 +700,161 @@ "default": [ "roles" ], - "description": "The claim that contains the roles.", "type": "array", "elements": { "type": "string" - } + }, + "description": "The claim that contains the roles." } }, { "domains": { "required": false, - "description": "The allowed values for the `hd` claim.", "type": "array", "elements": { "type": "string" - } + }, + "description": "The allowed values for the `hd` claim." } }, { "max_age": { - "description": "The maximum age (in seconds) compared to the `auth_time` claim.", "type": "number", - "required": false + "required": false, + "description": "The maximum age (in seconds) compared to the `auth_time` claim." } }, { "authenticated_groups_claim": { "required": false, - "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations.", "type": "array", "elements": { "type": "string" - } + }, + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations." } }, { "authorization_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", - "required": false + "required": false, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "authorization_query_args_names": { "required": false, - "description": "Extra query argument names passed to the authorization endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Extra query argument names passed to the authorization endpoint." 
} }, { "authorization_query_args_values": { "required": false, - "description": "Extra query argument values passed to the authorization endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Extra query argument values passed to the authorization endpoint." } }, { "authorization_query_args_client": { "required": false, - "description": "Extra query arguments passed from the client to the authorization endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Extra query arguments passed from the client to the authorization endpoint." } }, { "authorization_rolling_timeout": { "default": 600, - "description": "Network IO timeout in milliseconds.", "type": "number", - "required": false + "required": false, + "description": "Network IO timeout in milliseconds." } }, { "authorization_cookie_name": { "default": "authorization", - "description": "The authorization cookie name.", "type": "string", - "required": false + "required": false, + "description": "The authorization cookie name." } }, { "authorization_cookie_path": { - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "required": false, + "default": "/", + "starts_with": "/", + "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "default": "/", - "starts_with": "/", - "type": "string", - "required": false + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "authorization_cookie_domain": { - "description": "The authorization cookie Domain flag.", "type": "string", - "required": false + "required": false, + "description": "The authorization cookie Domain flag." 
} }, { "authorization_cookie_same_site": { "required": false, "default": "Default", - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "type": "string", "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." } }, { "authorization_cookie_http_only": { "default": true, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "type": "boolean", - "required": false + "required": false, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." } }, { "authorization_cookie_secure": { - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "type": "boolean", - "required": false + "required": false, + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." } }, { "preserve_query_args": { "default": false, - "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", "type": "boolean", - "required": false + "required": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow." } }, { "token_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", - "required": false + "required": false, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
} }, { "token_endpoint_auth_method": { - "type": "string", - "description": "The token endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", 
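Review bot: The description re-added for `authorization_rolling_timeout` reads "Network IO timeout in milliseconds.", which does not fit a field of that name with a default of 600; it looks like a generic description attached to the wrong field. The same text is re-added in the `@@ -1012,237 +1094,238 @@` hunk for `session_remember_rolling_timeout` (604800), `session_remember_absolute_timeout` (2592000), `session_idling_timeout` (900), `session_rolling_timeout` (3600) and `session_absolute_timeout` (86400). Those defaults look like lifetimes in seconds rather than I/O timeouts in milliseconds, which should be confirmed against the plugin. An operator who trusts the rendered text could set session and authorization-cookie lifetimes wrong by a factor of 1000. Because these files are downloaded, the wording has to be fixed in the upstream schema, for example `"description": "Rolling timeout of the authorization cookie, in seconds."` if seconds is confirmed.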
@@ -780,60 +862,61 @@ "private_key_jwt", "none" ], - "required": false + "type": "string", + "required": false, + "description": "The token endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate" } }, { "token_headers_names": { "required": false, - "description": "Extra header names passed to the token endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Extra header names passed to the token endpoint." } }, { "token_headers_values": { "required": false, - "description": "Extra header values passed to the token endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Extra header values passed to the token endpoint." } }, { "token_headers_client": { "required": false, - "description": "Extra headers passed from the client to the token endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Extra headers passed from the client to the token endpoint." } }, { "token_headers_replay": { "required": false, - "description": "The names of token endpoint response headers to forward to the downstream client.", "type": "array", "elements": { "type": "string" - } + }, + "description": "The names of token endpoint response headers to forward to the downstream client." } }, { "token_headers_prefix": { - "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", "type": "string", - "required": false + "required": false, + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client." 
} }, { "token_headers_grants": { "required": false, - "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant", "type": "array", "elements": { "type": "string", 
@@ -843,50 +926,49 @@ "authorization_code", "refresh_token" ] - } + }, + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant" } }, { "token_post_args_names": { "required": false, - "description": "Extra post argument names passed to the token endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Extra post argument names passed to the token endpoint." } }, { "token_post_args_values": { "required": false, - "description": "Extra post argument values passed to the token endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Extra post argument values passed to the token endpoint." } }, { "token_post_args_client": { "required": false, - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Request Body - Query parameters This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body and send it to the token endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Request Body - Query parameters This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body and send it to the token endpoint." 
} }, { "introspection_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", - "required": false + "required": false, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "introspection_endpoint_auth_method": { - "type": "string", - "description": "The introspection endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -894,117 +976,117 @@ "private_key_jwt", "none" ], - "required": false + "type": "string", + "required": false, + "description": "The introspection endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate" } }, { "introspection_hint": { "default": "access_token", - "description": "Introspection hint parameter value passed to the introspection endpoint.", "type": "string", - "required": false + "required": false, + "description": "Introspection hint parameter value passed to the introspection endpoint." } }, { "introspection_check_active": { "default": true, - "description": "Check that the introspection response has an `active` claim with a value of `true`.", "type": "boolean", - "required": false + "required": false, + "description": "Check that the introspection response has an `active` claim with a value of `true`." 
} }, { "introspection_accept": { "required": false, "default": "application/json", - "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)", "type": "string", "one_of": [ "application/json", "application/token-introspection+jwt", "application/jwt" - ] + ], + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)" } }, { "introspection_headers_names": { "required": false, - "description": "Extra header names passed to the introspection endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Extra header names passed to the introspection endpoint." } }, { "introspection_headers_values": { "required": false, - "description": "Extra header values passed to the introspection endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Extra header values passed to the introspection endpoint." } }, { "introspection_headers_client": { "required": false, - "description": "Extra headers passed from the client to the introspection endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Extra headers passed from the client to the introspection endpoint." } }, { "introspection_post_args_names": { "required": false, - "description": "Extra post argument names passed to the introspection endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Extra post argument names passed to the introspection endpoint." 
} }, { "introspection_post_args_values": { "required": false, - "description": "Extra post argument values passed to the introspection endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Extra post argument values passed to the introspection endpoint." } }, { "introspection_post_args_client": { "required": false, - "description": "Extra post arguments passed from the client to the introspection endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Extra post arguments passed from the client to the introspection endpoint." } }, { "introspect_jwt_tokens": { "default": false, - "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", "type": "boolean", - "required": false + "required": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations)." } }, { "revocation_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", - "required": false + "required": false, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "revocation_endpoint_auth_method": { - "type": "string", - "description": "The revocation endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -1012,237 +1094,238 @@ "private_key_jwt", "none" ], - "required": false + "type": "string", + "required": false, + "description": "The revocation endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate" } }, { "end_session_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", - "required": false + "required": false, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "userinfo_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", - "required": false + "required": false, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
} }, { "userinfo_accept": { "required": false, "default": "application/json", - "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)", "type": "string", "one_of": [ "application/json", "application/jwt" - ] + ], + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)" } }, { "userinfo_headers_names": { "required": false, - "description": "Extra header names passed to the user info endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Extra header names passed to the user info endpoint." } }, { "userinfo_headers_values": { "required": false, - "description": "Extra header values passed to the user info endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Extra header values passed to the user info endpoint." } }, { "userinfo_headers_client": { "required": false, - "description": "Extra headers passed from the client to the user info endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Extra headers passed from the client to the user info endpoint." } }, { "userinfo_query_args_names": { "required": false, - "description": "Extra query argument names passed to the user info endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Extra query argument names passed to the user info endpoint." } }, { "userinfo_query_args_values": { "required": false, - "description": "Extra query argument values passed to the user info endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Extra query argument values passed to the user info endpoint." 
} }, { "userinfo_query_args_client": { "required": false, - "description": "Extra query arguments passed from the client to the user info endpoint.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Extra query arguments passed from the client to the user info endpoint." } }, { "token_exchange_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", - "required": false + "required": false, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "session_secret": { "required": false, - "referenceable": true, "description": "The session secret.", "type": "string", - "encrypted": true + "encrypted": true, + "referenceable": true } }, { "session_audience": { "default": "default", - "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", "type": "string", - "required": false + "required": false, + "description": "The session audience, which is the intended target application. For example `\"my-application\"`." } }, { "session_cookie_name": { "default": "session", - "description": "The session cookie name.", "type": "string", - "required": false + "required": false, + "description": "The session cookie name." } }, { "session_remember": { "default": false, - "description": "Enables or disables persistent sessions.", "type": "boolean", - "required": false + "required": false, + "description": "Enables or disables persistent sessions." } }, { "session_remember_cookie_name": { "default": "remember", - "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", "type": "string", - "required": false + "required": false, + "description": "Persistent session cookie name. Use with the `remember` configuration parameter." 
} }, { "session_remember_rolling_timeout": { "default": 604800, - "description": "Network IO timeout in milliseconds.", "type": "number", - "required": false + "required": false, + "description": "Network IO timeout in milliseconds." } }, { "session_remember_absolute_timeout": { "default": 2592000, - "description": "Network IO timeout in milliseconds.", "type": "number", - "required": false + "required": false, + "description": "Network IO timeout in milliseconds." } }, { "session_idling_timeout": { "default": 900, - "description": "Network IO timeout in milliseconds.", "type": "number", - "required": false + "required": false, + "description": "Network IO timeout in milliseconds." } }, { "session_rolling_timeout": { "default": 3600, - "description": "Network IO timeout in milliseconds.", "type": "number", - "required": false + "required": false, + "description": "Network IO timeout in milliseconds." } }, { "session_absolute_timeout": { "default": 86400, - "description": "Network IO timeout in milliseconds.", "type": "number", - "required": false + "required": false, + "description": "Network IO timeout in milliseconds." } }, { "session_cookie_path": { - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "required": false, + "default": "/", + "starts_with": "/", + "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "default": "/", - "starts_with": "/", - "type": "string", - "required": false + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "session_cookie_domain": { - "description": "The session cookie Domain flag.", "type": "string", - "required": false + "required": false, + "description": "The session cookie Domain flag." 
} }, { "session_cookie_same_site": { "required": false, "default": "Lax", - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "type": "string", "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." } }, { "session_cookie_http_only": { "default": true, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "type": "boolean", - "required": false + "required": false, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." } }, { "session_cookie_secure": { - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "type": "boolean", - "required": false + "required": false, + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." } }, { "session_request_headers": { - "type": "set", "elements": { "type": "string", "one_of": [ @@ -1254,12 +1337,12 @@ "rolling-timeout", "absolute-timeout" ] - } + }, + "type": "set" } }, { "session_response_headers": { - "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -1271,243 +1354,244 @@ "rolling-timeout", "absolute-timeout" ] - } + }, + "type": "set" } }, { "session_storage": { "required": false, "default": "cookie", - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis", "type": "string", "one_of": [ "cookie", "memcache", "memcached", "redis" - ] + ], + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis" } }, { "session_store_metadata": { "default": false, - "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", "type": "boolean", - "required": false + "required": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject." } }, { "session_enforce_same_subject": { "default": false, - "description": "When set to `true`, audiences are forced to share the same subject.", "type": "boolean", - "required": false + "required": false, + "description": "When set to `true`, audiences are forced to share the same subject." } }, { "session_hash_subject": { "default": false, - "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", "type": "boolean", - "required": false + "required": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." } }, { "session_hash_storage_key": { "default": false, - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "type": "boolean", - "required": false + "required": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." } }, { "session_memcached_prefix": { - "description": "The memcached session key prefix.", "type": "string", - "required": false + "required": false, + "description": "The memcached session key prefix." } }, { "session_memcached_socket": { - "description": "The memcached unix socket path.", "type": "string", - "required": false + "required": false, + "description": "The memcached unix socket path." } }, { "session_memcached_host": { "default": "127.0.0.1", - "description": "The memcached host.", "type": "string", - "required": false + "required": false, + "description": "The memcached host." } }, { "session_memcached_port": { "required": false, - "default": 11211, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 11211, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "session_redis_prefix": { - "description": "The Redis session key prefix.", "type": "string", - "required": false + "required": false, + "description": "The Redis session key prefix." 
} }, { "session_redis_socket": { - "description": "The Redis unix socket path.", "type": "string", - "required": false + "required": false, + "description": "The Redis unix socket path." } }, { "session_redis_host": { "default": "127.0.0.1", - "description": "The Redis host", "type": "string", - "required": false + "required": false, + "description": "The Redis host" } }, { "session_redis_port": { "required": false, - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "session_redis_username": { - "required": false, - "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "referenceable": true, "type": "string", - "referenceable": true + "required": false, + "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." } }, { "session_redis_password": { "required": false, - "referenceable": true, "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis.", "type": "string", - "encrypted": true + "encrypted": true, + "referenceable": true } }, { "session_redis_connect_timeout": { - "description": "Network IO timeout in milliseconds.", "type": "integer", - "required": false + "required": false, + "description": "Network IO timeout in milliseconds." 
} }, { "session_redis_read_timeout": { - "description": "Network IO timeout in milliseconds.", "type": "integer", - "required": false + "required": false, + "description": "Network IO timeout in milliseconds." } }, { "session_redis_send_timeout": { - "description": "Network IO timeout in milliseconds.", "type": "integer", - "required": false + "required": false, + "description": "Network IO timeout in milliseconds." } }, { "session_redis_ssl": { "default": false, - "description": "Use SSL/TLS for Redis connection.", "type": "boolean", - "required": false + "required": false, + "description": "Use SSL/TLS for Redis connection." } }, { "session_redis_ssl_verify": { "default": false, - "description": "Verify identity provider server certificate.", "type": "boolean", - "required": false + "required": false, + "description": "Verify identity provider server certificate." } }, { "session_redis_server_name": { - "description": "The SNI used for connecting the Redis server.", "type": "string", - "required": false + "required": false, + "description": "The SNI used for connecting the Redis server." } }, { "session_redis_cluster_nodes": { "required": false, - "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", "type": "array", "elements": { - "type": "record", "fields": [ { "ip": { "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com.", "type": "string", - "required": true + "required": true, + "description": "A string representing a host name, such as example.com." } }, { "port": { "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ] } } - ] - } + ], + "type": "record" + }, + "description": "The Redis cluster node host. 
Takes an array of host records, with either `ip` or `host`, and `port` values." } }, { "session_redis_cluster_max_redirections": { - "description": "The Redis cluster maximum redirects.", "type": "integer", - "required": false + "required": false, + "description": "The Redis cluster maximum redirects." } }, { "reverify": { "default": false, - "description": "Specifies whether to always verify tokens stored in the session.", "type": "boolean", - "required": false + "required": false, + "description": "Specifies whether to always verify tokens stored in the session." } }, { "jwt_session_claim": { "default": "sid", - "description": "The claim to match against the JWT session cookie.", "type": "string", - "required": false + "required": false, + "description": "The claim to match against the JWT session cookie." } }, { "jwt_session_cookie": { - "description": "The name of the JWT session cookie.", "type": "string", - "required": false + "required": false, + "description": "The name of the JWT session cookie." } }, { @@ -1518,7 +1602,6 @@ "query", "body" ], - "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`", "type": "array", "elements": { "type": "string", @@ -1528,14 +1611,15 @@ "query", "body" ] - } + }, + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`" } }, { "bearer_token_cookie_name": { - "description": "The name of the cookie in which the bearer token is passed.", "type": "string", - "required": false + "required": false, + "description": "The name of the cookie in which the bearer token is passed." } }, { 
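Review bot: `session_redis_ssl_verify` is re-added with the description "Verify identity provider server certificate.", although it sits among the `session_redis_*` settings and presumably governs verification of the Redis server certificate; the text appears to be copied from another field. Both it and `session_redis_ssl` default to `false` in this hunk, so the description should say that turning on TLS alone leaves the Redis peer unverified until this flag is also set. Suggested upstream wording: `"description": "Verify the Redis server certificate when TLS is enabled for the Redis connection."`. In the same hunk, the `ip` field of `session_redis_cluster_nodes` is described as "a host name", and `session_storage` lists `memcached` in `one_of` without mentioning it in the description.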
@@ -1546,7 +1630,6 @@ "query", "body" ], - "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body", "type": "array", "elements": { "type": "string", @@ -1555,7 +1638,8 @@ "query", "body" ] - } + }, + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body" } }, { @@ -1566,7 +1650,6 @@ "query", "body" ], - "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", "type": "array", "elements": { "type": "string", @@ -1575,7 +1658,8 @@ "query", "body" ] - } + }, + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body" } }, { @@ -1586,7 +1670,6 @@ "query", "body" ], - "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", "type": "array", "elements": { "type": "string", @@ -1595,14 +1678,15 @@ "query", "body" ] - } + }, + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body" } }, { "id_token_param_name": { - "description": "The name of the parameter used to pass the id token.", "type": "string", - "required": false + "required": false, + "description": "The name of the parameter used to pass the id token." } }, { @@ -1613,7 +1697,6 @@ "query", "body" ], - "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", "type": "array", "elements": { "type": "string", 
@@ -1622,201 +1705,202 @@ "query", "body" ] - } + }, + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body" } }, { "refresh_token_param_name": { - "description": "The name of the parameter used to pass the refresh token.", "type": "string", - "required": false + "required": false, + "description": "The name of the parameter used to pass the refresh token." } }, { "refresh_tokens": { "default": true, - "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", "type": "boolean", - "required": false + "required": false, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available." } }, { "upstream_headers_claims": { "required": false, - "description": "The upstream header claims.", "type": "array", "elements": { "type": "string" - } + }, + "description": "The upstream header claims." } }, { "upstream_headers_names": { "required": false, - "description": "The upstream header names for the claim values.", "type": "array", "elements": { "type": "string" - } + }, + "description": "The upstream header names for the claim values." } }, { "upstream_access_token_header": { "default": "authorization:bearer", - "description": "The upstream access token header.", "type": "string", - "required": false + "required": false, + "description": "The upstream access token header." } }, { "upstream_access_token_jwk_header": { - "description": "The upstream access token JWK header.", "type": "string", - "required": false + "required": false, + "description": "The upstream access token JWK header." } }, { "upstream_id_token_header": { - "description": "The upstream id token header.", "type": "string", - "required": false + "required": false, + "description": "The upstream id token header." 
} }, { "upstream_id_token_jwk_header": { - "description": "The upstream id token JWK header.", "type": "string", - "required": false + "required": false, + "description": "The upstream id token JWK header." } }, { "upstream_refresh_token_header": { - "description": "The upstream refresh token header.", "type": "string", - "required": false + "required": false, + "description": "The upstream refresh token header." } }, { "upstream_user_info_header": { - "description": "The upstream user info header.", "type": "string", - "required": false + "required": false, + "description": "The upstream user info header." } }, { "upstream_user_info_jwt_header": { - "description": "The upstream user info JWT header (in case the user info returns a JWT response).", "type": "string", - "required": false + "required": false, + "description": "The upstream user info JWT header (in case the user info returns a JWT response)." } }, { "upstream_introspection_header": { - "description": "The upstream introspection header.", "type": "string", - "required": false + "required": false, + "description": "The upstream introspection header." } }, { "upstream_introspection_jwt_header": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "upstream_session_id_header": { - "description": "The upstream session id header.", "type": "string", - "required": false + "required": false, + "description": "The upstream session id header." } }, { "downstream_headers_claims": { "required": false, - "description": "The downstream header claims.", "type": "array", "elements": { "type": "string" - } + }, + "description": "The downstream header claims." } }, { "downstream_headers_names": { "required": false, - "description": "The downstream header names for the claim values.", "type": "array", "elements": { "type": "string" - } + }, + "description": "The downstream header names for the claim values." 
} }, { "downstream_access_token_header": { - "description": "The downstream access token header.", "type": "string", - "required": false + "required": false, + "description": "The downstream access token header." } }, { "downstream_access_token_jwk_header": { - "description": "The downstream access token JWK header.", "type": "string", - "required": false + "required": false, + "description": "The downstream access token JWK header." } }, { "downstream_id_token_header": { - "description": "The downstream id token header.", "type": "string", - "required": false + "required": false, + "description": "The downstream id token header." } }, { "downstream_id_token_jwk_header": { - "description": "The downstream id token JWK header.", "type": "string", - "required": false + "required": false, + "description": "The downstream id token JWK header." } }, { "downstream_refresh_token_header": { - "description": "The downstream refresh token header.", "type": "string", - "required": false + "required": false, + "description": "The downstream refresh token header." } }, { "downstream_user_info_header": { - "description": "The downstream user info header.", "type": "string", - "required": false + "required": false, + "description": "The downstream user info header." } }, { "downstream_user_info_jwt_header": { - "description": "The downstream user info JWT header (in case the user info returns a JWT response).", "type": "string", - "required": false + "required": false, + "description": "The downstream user info JWT header (in case the user info returns a JWT response)." } }, { "downstream_introspection_header": { - "description": "The downstream introspection header.", "type": "string", - "required": false + "required": false, + "description": "The downstream introspection header." 
} }, { "downstream_introspection_jwt_header": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "downstream_session_id_header": { - "description": "The downstream session id header.", "type": "string", - "required": false + "required": false, + "description": "The downstream session id header." } }, { @@ -1825,7 +1909,6 @@ "default": [ "authorization_code" ], - "description": "Enable login functionality with specified grants.", "type": "array", "elements": { "type": "string", @@ -1840,20 +1923,21 @@ "refresh_token", "session" ] - } + }, + "description": "Enable login functionality with specified grants." } }, { "login_action": { "required": false, "default": "upstream", - "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location", "type": "string", "one_of": [ "upstream", "response", "redirect" - ] + ], + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location" } }, { @@ -1862,7 +1946,6 @@ "default": [ "id_token" ], - "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response", "type": "array", "elements": { "type": "string", 
@@ -1873,40 +1956,41 @@ "tokens", "introspection" ] - } + }, + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response" } }, { "login_redirect_mode": { "required": false, "default": "fragment", - "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)", "type": "string", "one_of": [ "query", "fragment" - ] + ], + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)" } }, { "logout_query_arg": { - "description": "The request query argument that activates the logout.", "type": "string", - "required": false + "required": false, + "description": "The request query argument that activates the logout." } }, { "logout_post_arg": { - "description": "The request body argument that activates the logout.", "type": "string", - "required": false + "required": false, + "description": "The request body argument that activates the logout." } }, { "logout_uri_suffix": { - "description": "The request URI suffix that activates the logout.", "type": "string", - "required": false + "required": false, + "description": "The request URI suffix that activates the logout." } }, { @@ -1916,7 +2000,6 @@ "POST", "DELETE" ], - "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method", "type": "array", "elements": { "type": "string", 
@@ -1925,41 +2008,42 @@ "GET", "DELETE" ] - } + }, + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method" } }, { "logout_revoke": { "default": false, - "description": "Revoke tokens as part of the logout.", "type": "boolean", - "required": false + "required": false, + "description": "Revoke tokens as part of the logout." } }, { "logout_revoke_access_token": { "default": true, - "description": "Revoke the access token as part of the logout.", "type": "boolean", - "required": false + "required": false, + "description": "Revoke the access token as part of the logout." } }, { "logout_revoke_refresh_token": { "default": true, - "description": "Revoke the refresh token as part of the logout.", "type": "boolean", - "required": false + "required": false, + "description": "Revoke the refresh token as part of the logout." } }, { "consumer_claim": { "required": false, - "description": "The claim used for consumer mapping.", "type": "array", "elements": { "type": "string" - } + }, + "description": "The claim used for consumer mapping." } }, { @@ -1969,7 +2053,6 @@ "username", "custom_id" ], - "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`", "type": "array", "elements": { "type": "string", 
@@ -1978,15 +2061,16 @@ "username", "custom_id" ] - } + }, + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`" } }, { "consumer_optional": { "default": false, - "description": "Do not terminate the request if consumer mapping fails.", "type": "boolean", - "required": false + "required": false, + "description": "Do not terminate the request if consumer mapping fails." } }, { 
@@ -1995,66 +2079,66 @@ "default": [ "sub" ], - "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used.", "type": "array", "elements": { "type": "string" - } + }, + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used." } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "type": "string", - "required": false + "required": false, + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { "run_on_preflight": { "default": true, - "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", "type": "boolean", - "required": false + "required": false, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests." } }, { "leeway": { "default": 0, - "description": "Allow some leeway (in seconds) on the ttl / expiry verification.", "type": "number", - "required": false + "required": false, + "description": "Allow some leeway (in seconds) on the ttl / expiry verification." } }, { "verify_parameters": { "default": false, - "description": "Verify plugin configuration against discovery.", "type": "boolean", - "required": false + "required": false, + "description": "Verify plugin configuration against discovery." 
} }, { "verify_nonce": { "default": true, - "description": "Verify nonce on authorization code flow.", "type": "boolean", - "required": false + "required": false, + "description": "Verify nonce on authorization code flow." } }, { "verify_claims": { "default": true, - "description": "Verify tokens for standard claims.", "type": "boolean", - "required": false + "required": false, + "description": "Verify tokens for standard claims." } }, { "verify_signature": { "default": true, - "description": "Verify signature of tokens.", "type": "boolean", - "required": false + "required": false, + "description": "Verify signature of tokens." } }, { @@ -2063,7 +2147,6 @@ "default": [ ], - "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication", "type": "array", "elements": { "type": "string", 
@@ -2076,21 +2159,21 @@ "introspection", "userinfo" ] - } + }, + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication" } }, { "enable_hs_signatures": { "default": false, - "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", "type": "boolean", - "required": false + "required": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted)." } }, { "disable_session": { "required": false, - "description": "Disable issuing the session cookie with the specified grants.", "type": "array", "elements": { "type": "string", 
@@ -2105,283 +2188,207 @@ "refresh_token", "session" ] - } + }, + "description": "Disable issuing the session cookie with the specified grants." } }, { "cache_ttl": { "default": 3600, - "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", "type": "number", - "required": false + "required": false, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry." } }, { "cache_ttl_max": { - "description": "The maximum cache ttl in seconds (enforced).", "type": "number", - "required": false + "required": false, + "description": "The maximum cache ttl in seconds (enforced)." } }, { "cache_ttl_min": { - "description": "The minimum cache ttl in seconds (enforced).", "type": "number", - "required": false + "required": false, + "description": "The minimum cache ttl in seconds (enforced)." } }, { "cache_ttl_neg": { - "description": "The negative cache ttl in seconds.", "type": "number", - "required": false + "required": false, + "description": "The negative cache ttl in seconds." } }, { "cache_ttl_resurrect": { - "description": "The resurrection ttl in seconds.", "type": "number", - "required": false + "required": false, + "description": "The resurrection ttl in seconds." } }, { "cache_tokens": { "default": true, - "description": "Cache the token endpoint requests.", "type": "boolean", - "required": false + "required": false, + "description": "Cache the token endpoint requests." } }, { "cache_tokens_salt": { "auto": true, - "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", "type": "string", - "required": false + "required": false, + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." 
} }, { "cache_introspection": { "default": true, - "description": "Cache the introspection endpoint requests.", "type": "boolean", - "required": false + "required": false, + "description": "Cache the introspection endpoint requests." } }, { "cache_token_exchange": { "default": true, - "description": "Cache the token exchange endpoint requests.", "type": "boolean", - "required": false + "required": false, + "description": "Cache the token exchange endpoint requests." } }, { "cache_user_info": { "default": true, - "description": "Cache the user info requests.", "type": "boolean", - "required": false + "required": false, + "description": "Cache the user info requests." } }, { "search_user_info": { "default": false, - "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", "type": "boolean", - "required": false + "required": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers." } }, { "hide_credentials": { "default": false, - "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", "type": "boolean", - "required": false + "required": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication." 
} }, { "http_version": { "default": 1.1, - "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0", "type": "number", - "required": false + "required": false, + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0" } }, { "http_proxy": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", - "required": false + "required": false, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "http_proxy_authorization": { - "description": "The HTTP proxy authorization.", "type": "string", - "required": false + "required": false, + "description": "The HTTP proxy authorization." } }, { "https_proxy": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", - "required": false + "required": false, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "https_proxy_authorization": { - "description": "The HTTPS proxy authorization.", "type": "string", - "required": false + "required": false, + "description": "The HTTPS proxy authorization." } }, { "no_proxy": { - "description": "Do not use proxy with these hosts.", "type": "string", - "required": false + "required": false, + "description": "Do not use proxy with these hosts." } }, { "keepalive": { "default": true, - "description": "Use keepalive with the HTTP client.", "type": "boolean", - "required": false + "required": false, + "description": "Use keepalive with the HTTP client." } }, { "ssl_verify": { "default": false, - "description": "Verify identity provider server certificate.", "type": "boolean", - "required": false + "required": false, + "description": "Verify identity provider server certificate." 
} }, { "timeout": { "default": 10000, - "description": "Network IO timeout in milliseconds.", "type": "number", - "required": false + "required": false, + "description": "Network IO timeout in milliseconds." } }, { "display_errors": { "default": false, - "description": "Display errors on failure responses.", "type": "boolean", - "required": false + "required": false, + "description": "Display errors on failure responses." } }, { "by_username_ignore_case": { "default": false, - "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", "type": "boolean", - "required": false + "required": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively." } }, { "resolve_distributed_claims": { "default": false, - "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", "type": "boolean", - "required": false + "required": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims." 
} }, { "expose_error_code": { - "type": "boolean", - "default": true - } - } - ], - "type": "record", - "shorthand_fields": [ - { - "authorization_cookie_lifetime": { - "type": "number" - } - }, - { - "authorization_cookie_samesite": { - "type": "string" - } - }, - { - "authorization_cookie_httponly": { - "type": "boolean" - } - }, - { - "session_cookie_lifetime": { - "type": "number" - } - }, - { - "session_cookie_idletime": { - "type": "number" - } - }, - { - "session_cookie_samesite": { - "type": "string" - } - }, - { - "session_cookie_httponly": { + "default": true, "type": "boolean" } }, { - "session_memcache_prefix": { - "type": "string" - } - }, - { - "session_memcache_socket": { - "type": "string" - } - }, - { - "session_memcache_host": { - "type": "string" - } - }, - { - "session_memcache_port": { - "type": "integer" - } - }, - { - "session_redis_cluster_maxredirections": { - "type": "integer" - } - }, - { - "session_cookie_renew": { - "type": "number" - } - }, - { - "session_cookie_maxsize": { - "type": "integer" - } - }, - { - "session_strategy": { - "type": "string" - } - }, - { - "session_compressor": { - "type": "string" + "token_cache_key_include_scope": { + "default": false, + "type": "boolean", + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens." } } - ], - "required": true + ] } } ], diff --git a/schemas/opentelemetry/3.4.x.json b/schemas/opentelemetry/3.4.x.json index 56fd8793..c21b00ed 100644 --- a/schemas/opentelemetry/3.4.x.json +++ b/schemas/opentelemetry/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
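Review bot: The new `token_cache_key_include_scope` entry at the end of the openid-connect hunk `@@ -2105,283 +2188,207 @@` defaults to `false`, which by its own description means the token cache key leaves the scope out, so a cached token endpoint result can presumably be reused for requests that ask for different scopes. Deployments that rely on scope separation should set it to `true`, and the description should state what the default implies. The description also has a typo and a singular/plural slip, and unlike its siblings the entry carries no `required` key; suggested text: `"description": "Include the scope in the token cache key, so tokens with different scopes are considered different tokens."`. Because this file is pulled from the API, the wording fix belongs in the upstream schema. The same hunk drops the `shorthand_fields` list and the trailing `type`/`required` keys of `config`; whether they reappear earlier in the record is outside this hunk.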
@@ -19,15 +18,16 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -35,72 +35,74 @@ "fields": [ { "endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true, "type": "string", - "required": true + "required": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "headers": { - "type": "map", "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", - "values": { - "type": "string", - "referenceable": true - }, + "type": "map", "keys": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "values": { + "referenceable": true, + "type": "string" } } }, { "resource_attributes": { + "keys": { + "required": true, + "type": "string" + }, "type": "map", "values": { - "type": "string", - "required": true - }, - "keys": { - "type": "string", - "required": true + "required": true, + "type": "string" } } }, { "queue": { + "type": "record", "fields": [ { "max_batch_size": { "default": 1, - "description": "Maximum number of entries that can be processed at a time.", "type": "integer", "between": [ 1, 1000000 - ] + ], + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "type": "number", "between": [ 0, 3600 - ] + ], + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." 
} }, { "max_entries": { "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue.", "type": "integer", "between": [ 1, 1000000 - ] + ], + "description": "Maximum number of entries that can be waiting on the queue." } }, { @@ -112,26 +114,26 @@ { "max_retry_time": { "default": 60, - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "type": "number" + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch.", "type": "number", "between": [ 0.001, 1000000 - ] + ], + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff.", "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 @@ -139,7 +141,6 @@ } } ], - "type": "record", "required": true } }, @@ -158,8 +159,8 @@ { "connect_timeout": { "default": 1000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 @@ -169,8 +170,8 @@ { "send_timeout": { "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 
@@ -180,8 +181,8 @@ { "read_timeout": { "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 @@ -197,6 +198,7 @@ "header_type": { "default": "preserve", "type": "string", + "required": false, "one_of": [ "preserve", "ignore", @@ -206,13 +208,12 @@ "jaeger", "ot", "aws" - ], - "required": false + ] } } ], - "required": true, "type": "record", + "required": true, "entity_checks": [ { "custom_entity_check": { diff --git a/schemas/post-function/3.4.x.json b/schemas/post-function/3.4.x.json index 56a627c0..cd0390c8 100644 --- a/schemas/post-function/3.4.x.json +++ b/schemas/post-function/3.4.x.json @@ -10,8 +10,8 @@ "ws", "wss" ], - "required": false, "type": "set", + "required": false, "elements": { "type": "string", "one_of": [ @@ -28,9 +28,17 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -42,10 +50,8 @@ "http", "https" ], - "description": "A set of strings representing protocols.", "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "type": "string", "one_of": [ "grpc", 
@@ -58,23 +64,26 @@ "udp", "ws", "wss" - ] - } + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." } }, { "config": { + "type": "record", "fields": [ { "certificate": { "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" } } }, @@ -83,11 +92,11 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" } } }, @@ -96,11 +105,11 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" } } }, @@ -109,11 +118,11 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" } } }, @@ -122,11 +131,11 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" } } }, @@ -135,11 +144,11 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" } } }, @@ -148,11 +157,11 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" } } }, @@ -161,11 +170,11 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" } } }, 
@@ -174,11 +183,11 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" } } }, @@ -187,16 +196,15 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" } } } ], - "type": "record", "required": true } } diff --git a/schemas/pre-function/3.4.x.json b/schemas/pre-function/3.4.x.json index 56a627c0..cd0390c8 100644 --- a/schemas/pre-function/3.4.x.json +++ b/schemas/pre-function/3.4.x.json @@ -10,8 +10,8 @@ "ws", "wss" ], - "required": false, "type": "set", + "required": false, "elements": { "type": "string", "one_of": [ @@ -28,9 +28,17 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -42,10 +50,8 @@ "http", "https" ], - "description": "A set of strings representing protocols.", "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "type": "string", "one_of": [ "grpc", @@ -58,23 +64,26 @@ "udp", "ws", "wss" - ] - } + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." } }, { "config": { + "type": "record", "fields": [ { "certificate": { "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" } } }, 
@@ -83,11 +92,11 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" } } }, @@ -96,11 +105,11 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" } } }, @@ -109,11 +118,11 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" } } }, @@ -122,11 +131,11 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" } } }, @@ -135,11 +144,11 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" } } }, @@ -148,11 +157,11 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" } } }, @@ -161,11 +170,11 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" } } }, @@ -174,11 +183,11 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" } } }, @@ -187,16 +196,15 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" } } } ], - "type": "record", "required": true } } diff --git a/schemas/prometheus/3.4.x.json b/schemas/prometheus/3.4.x.json index e3e5affe..dde575c3 100644 --- a/schemas/prometheus/3.4.x.json +++ b/schemas/prometheus/3.4.x.json 
@@ -9,10 +9,8 @@ "http", "https" ], - "description": "A set of strings representing protocols.", "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "type": "string", "one_of": [ "grpc", 
@@ -25,59 +23,61 @@ "udp", "ws", "wss" - ] - } + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", + "required": true, "fields": [ { "per_consumer": { "default": false, - "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", - "type": "boolean" + "type": "boolean", + "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available." } }, { "status_code_metrics": { "default": false, - "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", - "type": "boolean" + "type": "boolean", + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported." } }, { "latency_metrics": { "default": false, - "description": "A boolean value that determines if status code metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", - "type": "boolean" + "type": "boolean", + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported." 
} }, { "bandwidth_metrics": { "default": false, - "description": "A boolean value that determines if status code metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", - "type": "boolean" + "type": "boolean", + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported." } }, { "upstream_health_metrics": { "default": false, - "description": "A boolean value that determines if status code metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", - "type": "boolean" + "type": "boolean", + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `upstream_target_health` metric will be exported." } } - ], - "type": "record", - "required": true + ] } } ], diff --git a/schemas/proxy-cache-advanced/3.4.x.json b/schemas/proxy-cache-advanced/3.4.x.json index 139ccd92..7fc47b82 100644 --- a/schemas/proxy-cache-advanced/3.4.x.json +++ b/schemas/proxy-cache-advanced/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
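Review bot: The descriptions of `latency_metrics`, `bandwidth_metrics` and `upstream_health_metrics` in the `config` fields of `schemas/prometheus/3.4.x.json` all open with "A boolean value that determines if status code metrics should be collected", which looks copied from `status_code_metrics` and contradicts the metric names each one lists. Each should name its own metric family, for example `A boolean value that determines if latency metrics should be collected.` for `latency_metrics`, and likewise "bandwidth metrics" and "upstream health metrics". This hunk only moves the text, and the commit message says the schemas are pulled from the API, so the wording presumably has to be corrected in the upstream plugin schema as well.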
@@ -19,30 +18,31 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "response_code": { - "len_min": 1, "required": true, + "len_min": 1, "default": [ 200, 301, 404 ], - "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", "type": "array", "elements": { "type": "integer", @@ -50,7 +50,8 @@ 100, 900 ] - } + }, + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900." } }, { @@ -60,7 +61,6 @@ "GET", "HEAD" ], - "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", "type": "array", "elements": { "type": "string", @@ -71,7 +71,8 @@ "PATCH", "PUT" ] - } + }, + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`." } }, { 
@@ -81,46 +82,46 @@ "text/plain", "application/json" ], - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned." } }, { "cache_ttl": { "default": 300, - "gt": 0, "type": "integer", + "gt": 0, "description": "TTL in seconds of cache entities." } }, { "strategy": { - "type": "string", - "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", "one_of": [ "memory", "redis" ], - "required": true + "type": "string", + "required": true, + "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`." } }, { "cache_control": { "default": false, - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", "type": "boolean", - "required": true + "required": true, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234." } }, { "ignore_uri_case": { "default": false, - "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", "type": "boolean", - "required": false + "required": false, + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. 
If set to true, requests are cached while ignoring case sensitivity in the URI." } }, { @@ -131,36 +132,36 @@ }, { "memory": { + "type": "record", "fields": [ { "dictionary_name": { "default": "kong_db_cache", - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", "type": "string", - "required": true + "required": true, + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template." } } ], - "type": "record", "required": true } }, { "vary_query_params": { - "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration." } }, { "vary_headers": { - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." } }, { 
@@ -168,25 +169,25 @@ "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "type": "integer", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "timeout": { "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 
@@ -195,70 +196,76 @@ }, { "connect_timeout": { + "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { + "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { + "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { "type": "string", - "referenceable": true + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." } }, { "password": { - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." } }, { "sentinel_username": { "type": "string", - "referenceable": true + "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." } }, { "sentinel_password": { - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." 
} }, { "database": { + "default": 0, "type": "integer", - "default": 0 + "description": "Database to use for the Redis connection when using the `redis` strategy" } }, { "keepalive_pool_size": { "default": 30, "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value.", "between": [ 1, 2147483646 @@ -268,6 +275,7 @@ { "keepalive_backlog": { "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued connect operations resume once the number of connections in the pool is less than `keepalive_pool_size`. Note that queued connect operations are subject to set timeouts.", "between": [ 0, 2147483646 
@@ -276,61 +284,67 @@ }, { "sentinel_master": { - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." } }, { "sentinel_addresses": { - "len_min": 1, + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "type": "array", "elements": { "type": "string" - } + }, + "len_min": 1 } }, { "cluster_addresses": { - "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "type": "array", "elements": { "type": "string" - } + }, + "len_min": 1 } }, { "ssl": { "default": false, "type": "boolean", - "required": false + "required": false, + "description": "If set to true, uses SSL to connect to Redis." } }, { "ssl_verify": { "default": false, "type": "boolean", - "required": false + "required": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." 
} }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string", - "required": false + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS." } } ], - "required": true, "type": "record", + "required": true, "entity_checks": [ { "mutually_exclusive_sets": { @@ -394,12 +408,11 @@ { "bypass_on_err": { "default": false, - "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", - "type": "boolean" + "type": "boolean", + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream." } } ], - "type": "record", "required": true } } diff --git a/schemas/proxy-cache/3.4.x.json b/schemas/proxy-cache/3.4.x.json index 017d8222..c2640db9 100644 --- a/schemas/proxy-cache/3.4.x.json +++ b/schemas/proxy-cache/3.4.x.json @@ -9,10 +9,8 @@ "http", "https" ], - "description": "A set of strings representing protocols.", "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "type": "string", "one_of": [ "grpc", @@ -25,23 +23,33 @@ "udp", "ws", "wss" - ] - } + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "response_code": { - "len_min": 1, "required": true, + "len_min": 1, "default": [ 200, 301, 404 ], - "description": "Upstream response status code considered cacheable.", "type": "array", "elements": { "type": "integer", 
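Review bot: The new `ssl` and `ssl_verify` descriptions among the Redis connection fields (hunk `@@ -276,61 +284,67 @@` of `schemas/proxy-cache-advanced/3.4.x.json`) do not say what the `false` defaults mean for the connection. With `ssl` off, the link to Redis is not encrypted, which presumably includes the `password` and `sentinel_password` values documented earlier in this file. With `ssl` on but `ssl_verify` off, the server certificate is not checked, so the peer is not authenticated. I would extend the `ssl_verify` description with a sentence such as `When false (the default), the Redis server certificate is not validated; enable this together with ssl whenever Redis is reached over a network you do not fully control.` The same two descriptions are added in `schemas/rate-limiting-advanced/3.4.x.json` (hunk `@@ -253,61 +261,67 @@`) and need the same sentence.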
@@ -49,7 +57,8 @@ 100, 900 ] - } + }, + "description": "Upstream response status code considered cacheable." } }, { @@ -59,7 +68,6 @@ "GET", "HEAD" ], - "description": "Downstream request methods considered cacheable.", "type": "array", "elements": { "type": "string", @@ -70,7 +78,8 @@ "PATCH", "PUT" ] - } + }, + "description": "Downstream request methods considered cacheable." } }, { @@ -80,37 +89,37 @@ "text/plain", "application/json" ], - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value." } }, { "cache_ttl": { "default": 300, - "description": "TTL, in seconds, of cache entities.", "type": "integer", - "gt": 0 + "gt": 0, + "description": "TTL, in seconds, of cache entities." } }, { "strategy": { - "type": "string", - "description": "The backing data store in which to hold cache entities.", "one_of": [ "memory" ], - "required": true + "type": "string", + "required": true, + "description": "The backing data store in which to hold cache entities." } }, { "cache_control": { "default": false, - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", "type": "boolean", - "required": true + "required": true, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234." } }, { 
@@ -128,40 +137,39 @@ }, { "memory": { + "type": "record", "fields": [ { "dictionary_name": { "default": "kong_db_cache", - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", "type": "string", - "required": true + "required": true, + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template." } } ], - "type": "record", "required": true } }, { "vary_query_params": { - "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration." } }, { "vary_headers": { - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "type": "array", "elements": { "type": "string" - } + }, + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." } } ], - "type": "record", "required": true } } diff --git a/schemas/rate-limiting-advanced/3.4.x.json b/schemas/rate-limiting-advanced/3.4.x.json index d57f36d3..b0096fb3 100644 --- a/schemas/rate-limiting-advanced/3.4.x.json +++ b/schemas/rate-limiting-advanced/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
@@ -19,17 +18,18 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "type": "record", "fields": [ { "identifier": { "required": true, "default": "consumer", - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, or `path`.", "type": "string", "one_of": [ "ip", 
@@ -38,38 +38,39 @@ "service", "header", "path" - ] + ], + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, or `path`." } }, { "window_size": { "required": true, - "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", "type": "array", "elements": { "type": "number" - } + }, + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified." } }, { "window_type": { "default": "sliding", - "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", "type": "string", "one_of": [ "fixed", "sliding" - ] + ], + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters." } }, { "limit": { "required": true, - "description": "One or more requests-per-window limits to apply. 
There must be a matching number of window limits and sizes specified.", "type": "array", "elements": { "type": "number" - } + }, + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified." } }, { 
@@ -81,63 +82,63 @@ { "namespace": { "auto": true, - "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace.", "type": "string", - "required": true + "required": true, + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace." } }, { "strategy": { "required": true, "default": "local", - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "type": "string", "one_of": [ "cluster", "redis", "local" - ] + ], + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`." } }, { "dictionary_name": { "default": "kong_rate_limiting_counters", - "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", "type": "string", - "required": true + "required": true, + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle." 
} }, { "hide_client_headers": { "default": false, - "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", - "type": "boolean" + "type": "boolean", + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters." } }, { "retry_after_jitter_max": { "default": 0, - "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", - "type": "number" + "type": "number", + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header." } }, { "header_name": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } }, { "path": { "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ] + ], + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { 
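Review bot: The `strategy` description in `schemas/rate-limiting-advanced/3.4.x.json` says "Available values are: `local` and `cluster`", but the `one_of` list next to it accepts `cluster`, `redis` and `local`. The `dictionary_name` description in the same hunk also refers to `config.strategy` being `redis`, so the omission is an inconsistency inside the schema itself. The sentence should read "Available values are: `local`, `cluster`, and `redis`." so that operators reading the generated docs can see that the Redis-backed strategy, and with it the Redis credential and TLS fields further down, applies to this plugin.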
@@ -145,25 +146,25 @@ "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "type": "integer", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "timeout": { "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 
@@ -172,70 +173,76 @@ }, { "connect_timeout": { + "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { + "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { + "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { "type": "string", - "referenceable": true + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." } }, { "password": { - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." } }, { "sentinel_username": { "type": "string", - "referenceable": true + "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." } }, { "sentinel_password": { - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." 
} }, { "database": { + "default": 0, "type": "integer", - "default": 0 + "description": "Database to use for the Redis connection when using the `redis` strategy" } }, { "keepalive_pool_size": { "default": 30, "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value.", "between": [ 1, 2147483646 @@ -245,6 +252,7 @@ { "keepalive_backlog": { "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued connect operations resume once the number of connections in the pool is less than `keepalive_pool_size`. Note that queued connect operations are subject to set timeouts.", "between": [ 0, 2147483646 
@@ -253,61 +261,67 @@ }, { "sentinel_master": { - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." } }, { "sentinel_addresses": { - "len_min": 1, + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "type": "array", "elements": { "type": "string" - } + }, + "len_min": 1 } }, { "cluster_addresses": { - "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "type": "array", "elements": { "type": "string" - } + }, + "len_min": 1 } }, { "ssl": { "default": false, "type": "boolean", - "required": false + "required": false, + "description": "If set to true, uses SSL to connect to Redis." } }, { "ssl_verify": { "default": false, "type": "boolean", - "required": false + "required": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." 
} }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string", - "required": false + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS." } } ], - "required": true, "type": "record", + "required": true, "entity_checks": [ { "mutually_exclusive_sets": { 
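Review bot: The new `ssl_verify` description in the `@@ -253,61 +261,67 @@` hunk does not say what the default `false` means when `ssl` is `true`: the Redis connection is encrypted, but the server certificate is not checked. The `password` and `sentinel_password` values described in the preceding hunk would then be sent to a peer whose identity is unverified. I would append a sentence to the description such as `With the default false, the server certificate is not validated even when ssl is enabled.` The same gap applies to `redis_ssl_verify` in the rate-limiting and response-ratelimiting schemas later in this patch. Because the commit message says the schemas are pulled from the API, the wording presumably has to change in the plugin schema upstream rather than in this file.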
@@ -371,43 +385,42 @@ { "enforce_consumer_groups": { "default": false, - "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", - "type": "boolean" + "type": "boolean", + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups." } }, { "consumer_groups": { - "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", "type": "array", "elements": { "type": "string" - } + }, + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups." } }, { "disable_penalty": { "default": false, - "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. 
This parameter only affects the `sliding` window_type.", - "type": "boolean" + "type": "boolean", + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type." } }, { "error_code": { "default": 429, - "description": "Set a custom error code to return when the rate limit is exceeded.", "type": "number", - "gt": 0 + "gt": 0, + "description": "Set a custom error code to return when the rate limit is exceeded." } }, { "error_message": { "default": "API rate limit exceeded", - "description": "Set a custom error message to return when the rate limit is exceeded.", - "type": "string" + "type": "string", + "description": "Set a custom error message to return when the rate limit is exceeded." } } ], - "type": "record", "required": true } } diff --git a/schemas/rate-limiting/3.4.x.json b/schemas/rate-limiting/3.4.x.json index e98fb100..6c61b296 100644 --- a/schemas/rate-limiting/3.4.x.json +++ b/schemas/rate-limiting/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", @@ -19,19 +18,22 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", + "required": true, "fields": [ { "second": { @@ -78,7 +80,6 @@ { "limit_by": { "default": "consumer", - "description": "The entity that is used when aggregating the limits.", "type": "string", "one_of": [ "consumer", 
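Review bot: In the `@@ -371,43 +385,42 @@` hunk, `enforce_consumer_groups` is a `boolean` but carries the list description that belongs to `consumer_groups` ("List of consumer groups allowed to override ..."); the change only moves that text below `type`. A description that matches the field would open with `Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service.` and could keep the existing sentences about flipping the flag. As written, a reader cannot tell from the generated docs that this is the switch that turns the group override on. The enclosing `config` record starts outside the hunk.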
@@ -87,60 +88,61 @@ "service", "header", "path" - ] + ], + "description": "The entity that is used when aggregating the limits." } }, { "header_name": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } }, { "path": { "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ] + ], + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "policy": { - "default": "local", "len_min": 0, - "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "default": "local", + "type": "string", "one_of": [ "local", "cluster", "redis" ], - "type": "string" + "description": "The rate-limiting policies to use for retrieving and incrementing the limits." } }, { "fault_tolerant": { "default": true, - "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", "type": "boolean", - "required": true + "required": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors." 
} }, { "redis_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "redis_port": { "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 
@@ -149,89 +151,87 @@ }, { "redis_password": { - "len_min": 0, - "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", + "referenceable": true, "type": "string", - "referenceable": true + "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", + "len_min": 0 } }, { "redis_username": { - "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.", "type": "string", - "referenceable": true + "referenceable": true, + "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired." } }, { "redis_ssl": { "default": false, - "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server.", "type": "boolean", - "required": true + "required": true, + "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server." } }, { "redis_ssl_verify": { "default": false, - "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies it server SSL certificate is validated. Note that you need to configure the lua_ssl_trusted_certificate to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.", "type": "boolean", - "required": true + "required": true, + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies it server SSL certificate is validated. Note that you need to configure the lua_ssl_trusted_certificate to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly." 
} }, { "redis_server_name": { - "type": "string", - "description": "A string representing an SNI (server name indication) value for TLS." + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" } }, { "redis_timeout": { "default": 2000, - "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server.", - "type": "number" + "type": "number", + "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server." } }, { "redis_database": { "default": 0, - "description": "When using the `redis` policy, this property specifies the Redis database to use.", - "type": "integer" + "type": "integer", + "description": "When using the `redis` policy, this property specifies the Redis database to use." } }, { "hide_client_headers": { "default": false, - "description": "Optionally hide informative response headers.", "type": "boolean", - "required": true + "required": true, + "description": "Optionally hide informative response headers." } }, { "error_code": { "default": 429, - "gt": 0, "type": "number", + "gt": 0, "description": "Set a custom error code to return when the rate limit is exceeded." } }, { "error_message": { "default": "API rate limit exceeded", - "description": "Set a custom error message to return when the rate limit is exceeded.", - "type": "string" + "type": "string", + "description": "Set a custom error message to return when the rate limit is exceeded." } }, { "sync_rate": { "default": -1, - "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior.", "type": "number", - "required": true + "required": true, + "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior." } } - ], - "type": "record", - "required": true + ] } } ], 
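Review bot: `redis_password` in the `@@ -149,89 +151,87 @@` hunk is marked `referenceable` but has no `encrypted` flag, whereas `password` and `sentinel_password` in the schema patched just before this file carry `"encrypted": true`. If that matches the plugin, a literal password set here presumably gets no field-level encryption at rest, and the description should steer users accordingly, for example by appending `Use a vault reference rather than a literal value.` Separately, the `redis_ssl_verify` description in this hunk reads "specifies it server SSL certificate is validated". The response-ratelimiting schema later in the patch already has the corrected "specifies if the server SSL certificate is validated", with the `lua_ssl_*` directive names in backticks, so that text could be reused here.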
@@ -248,11 +248,11 @@ }, { "conditional": { - "if_field": "config.policy", - "then_field": "config.redis_host", "if_match": { "eq": "redis" }, + "then_field": "config.redis_host", + "if_field": "config.policy", "then_match": { "required": true } @@ -260,11 +260,11 @@ }, { "conditional": { - "if_field": "config.policy", - "then_field": "config.redis_port", "if_match": { "eq": "redis" }, + "then_field": "config.redis_port", + "if_field": "config.policy", "then_match": { "required": true } @@ -272,11 +272,11 @@ }, { "conditional": { - "if_field": "config.limit_by", - "then_field": "config.header_name", "if_match": { "eq": "header" }, + "then_field": "config.header_name", + "if_field": "config.limit_by", "then_match": { "required": true } @@ -284,11 +284,11 @@ }, { "conditional": { - "if_field": "config.limit_by", - "then_field": "config.path", "if_match": { "eq": "path" }, + "then_field": "config.path", + "if_field": "config.limit_by", "then_match": { "required": true } @@ -296,11 +296,11 @@ }, { "conditional": { - "if_field": "config.policy", - "then_field": "config.redis_timeout", "if_match": { "eq": "redis" }, + "then_field": "config.redis_timeout", + "if_field": "config.policy", "then_match": { "required": true } diff --git a/schemas/request-size-limiting/3.4.x.json b/schemas/request-size-limiting/3.4.x.json index d2c58464..8bfc5a08 100644 --- a/schemas/request-size-limiting/3.4.x.json +++ b/schemas/request-size-limiting/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
@@ -19,42 +18,51 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "allowed_payload_size": { "default": 128, - "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", - "type": "integer" + "type": "integer", + "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes)." } }, { "size_unit": { "required": true, "default": "megabytes", - "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", "type": "string", "one_of": [ "megabytes", "kilobytes", "bytes" - ] + ], + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0." } }, { "require_content_length": { "default": false, - "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", "type": "boolean", - "required": true + "required": true, + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body." } } ], - "type": "record", "required": true } } diff --git a/schemas/request-termination/3.4.x.json b/schemas/request-termination/3.4.x.json index 2c516d5d..de11be84 100644 --- a/schemas/request-termination/3.4.x.json +++ b/schemas/request-termination/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
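Review bot: In the request-size-limiting hunk `@@ -19,42 +18,51 @@`, the `allowed_payload_size` description states the value is in megabytes, but `size_unit` in the same hunk allows `bytes` and `kilobytes`, so the stated unit is only right for the default. I would word it as `Allowed request payload size, in the unit set by size_unit. Default is 128 megabytes (128000000 bytes).` The field is also a bare `integer` with no `between` or `gt` bound in the visible schema. Since this plugin is a request-size control, the description should say whether zero or negative values are rejected elsewhere or what they mean.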
@@ -19,67 +18,68 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", + "required": true, "fields": [ { "status_code": { "required": true, - "default": 503, - "description": "The response code to send. Must be an integer between 100 and 599.", - "type": "integer", "between": [ 100, 599 - ] + ], + "default": 503, + "type": "integer", + "description": "The response code to send. Must be an integer between 100 and 599." } }, { "message": { - "type": "string", - "description": "The message to send, if using the default response generator." + "description": "The message to send, if using the default response generator.", + "type": "string" } }, { "content_type": { - "type": "string", - "description": "Content type of the raw response configured with `config.body`." + "description": "Content type of the raw response configured with `config.body`.", + "type": "string" } }, { "body": { - "type": "string", - "description": "The raw response body to send. This is mutually exclusive with the `config.message` field." + "description": "The raw response body to send. This is mutually exclusive with the `config.message` field.", + "type": "string" } }, { "echo": { "default": false, - "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", "type": "boolean", - "required": true + "required": true, + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. 
It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic." } }, { "trigger": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } } - ], - "type": "record", - "required": true + ] } } ], diff --git a/schemas/request-transformer-advanced/3.4.x.json b/schemas/request-transformer-advanced/3.4.x.json index 41c03b5c..1a7aca1c 100644 --- a/schemas/request-transformer-advanced/3.4.x.json +++ b/schemas/request-transformer-advanced/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", @@ -19,21 +18,25 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "type": "record", + "required": true, "fields": [ { "http_method": { - "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", "type": "string", - "match": "^%u+$" + "match": "^%u+$", + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." } }, { "remove": { + "type": "record", "fields": [ { "body": { @@ -69,12 +72,12 @@ } } ], - "type": "record", "required": true } }, { "rename": { + "type": "record", "fields": [ { "body": { @@ -113,12 +116,12 @@ } } ], - "type": "record", "required": true } }, { "replace": { + "type": "record", "fields": [ { "body": { @@ -178,12 +181,12 @@ } } ], - "type": "record", "required": true } }, { "add": { + "type": "record", "fields": [ { "body": { @@ -238,12 +241,12 @@ } } ], - "type": "record", "required": true } }, { "append": { + "type": "record", "fields": [ { "body": { 
@@ -298,36 +301,33 @@ } } ], - "type": "record", "required": true } }, { "allow": { + "type": "record", "fields": [ { "body": { - "type": "set", "elements": { "type": "string" - } + }, + "type": "set" } } ], - "type": "record", "required": true } }, { "dots_in_keys": { "default": true, - "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects).", - "type": "boolean" + "type": "boolean", + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects)." } } - ], - "type": "record", - "required": true + ] } } ], diff --git a/schemas/request-transformer/3.4.x.json b/schemas/request-transformer/3.4.x.json index 110db3cb..debbc884 100644 --- a/schemas/request-transformer/3.4.x.json +++ b/schemas/request-transformer/3.4.x.json @@ -9,10 +9,8 @@ "http", "https" ], - "description": "A set of strings representing protocols.", "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "type": "string", "one_of": [ "grpc", 
@@ -25,30 +23,34 @@ "udp", "ws", "wss" - ] - } + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." } }, { "config": { + "type": "record", "fields": [ { "http_method": { - "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", "type": "string", - "match": "^%u+$" + "match": "^%u+$", + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." } }, { "remove": { + "type": "record", "fields": [ { "body": { "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { "type": "string" } @@ -59,8 +61,8 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { "type": "string" } @@ -71,28 +73,28 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { "type": "string" } } } ], - "type": "record", "required": true } }, { "rename": { + "type": "record", "fields": [ { "body": { "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { "type": "string" } @@ -103,11 +105,11 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" } } }, @@ -116,28 +118,28 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { "type": "string" } } } ], - "type": "record", "required": true } }, { "replace": { + "type": "record", "fields": [ { "body": { "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { "type": "string" } @@ -148,11 +150,11 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" } } }, 
@@ -161,8 +163,8 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { "type": "string" } @@ -174,20 +176,20 @@ } } ], - "type": "record", "required": true } }, { "add": { + "type": "record", "fields": [ { "body": { "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { "type": "string" } @@ -198,11 +200,11 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" } } }, @@ -211,28 +213,28 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { "type": "string" } } } ], - "type": "record", "required": true } }, { "append": { + "type": "record", "fields": [ { "body": { "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { "type": "string" } @@ -243,11 +245,11 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" } } }, @@ -256,20 +258,18 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { "type": "string" } } } ], - "type": "record", "required": true } } ], - "type": "record", "required": true } } diff --git a/schemas/request-validator/3.4.x.json b/schemas/request-validator/3.4.x.json index f26c8e86..1e5ce7d7 100644 --- a/schemas/request-validator/3.4.x.json +++ b/schemas/request-validator/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
@@ -19,15 +18,16 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -35,9 +35,9 @@ "fields": [ { "body_schema": { - "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.", "type": "string", - "required": false + "required": false, + "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified." } }, { 
@@ -45,54 +45,54 @@ "default": [ "application/json" ], - "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", "type": "set", "elements": { - "type": "string", - "required": true - } + "required": true, + "type": "string" + }, + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`." } }, { "version": { "required": true, "default": "kong", - "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", "one_of": [ "kong", "draft4" ], - "type": "string" + "type": "string", + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator." } }, { "parameter_schema": { "required": false, - "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", "type": "array", "elements": { + "type": "record", "fields": [ { "in": { "type": "string", + "required": true, "one_of": [ "query", "header", "path" - ], - "required": true + ] } }, { "name": { - "type": "string", - "required": true + "required": true, + "type": "string" } }, { "required": { - "type": "boolean", - "required": true + "required": true, + "type": "boolean" } }, { @@ -120,7 +120,6 @@ } } ], - "type": "record", "entity_checks": [ { "mutually_required": [ 
@@ -138,20 +137,21 @@ } } ] - } + }, + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified." } }, { "verbose_response": { "default": false, - "description": "If enabled, the plugin returns more verbose and detailed validation errors.", "type": "boolean", - "required": true + "required": true, + "description": "If enabled, the plugin returns more verbose and detailed validation errors." } } ], - "required": true, "type": "record", + "required": true, "entity_checks": [ { "at_least_one_of": [ diff --git a/schemas/response-ratelimiting/3.4.x.json b/schemas/response-ratelimiting/3.4.x.json index 954f8d3c..d2093247 100644 --- a/schemas/response-ratelimiting/3.4.x.json +++ b/schemas/response-ratelimiting/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
@@ -19,70 +18,72 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "header_name": { "default": "x-kong-limit", - "description": "The name of the response header used to increment the counters.", - "type": "string" + "type": "string", + "description": "The name of the response header used to increment the counters." } }, { "limit_by": { "default": "consumer", - "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", "type": "string", "one_of": [ "consumer", "credential", "ip" - ] + ], + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`." } }, { "policy": { "default": "local", - "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", "type": "string", "one_of": [ "local", "cluster", "redis" - ] + ], + "description": "The rate-limiting policies to use for retrieving and incrementing the limits." } }, { "fault_tolerant": { "default": true, - "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. 
If `false`, then the clients will see `500` errors.", "type": "boolean", - "required": true + "required": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors." } }, { "redis_host": { - "type": "string", - "description": "When using the `redis` policy, this property specifies the address to the Redis server." + "description": "When using the `redis` policy, this property specifies the address to the Redis server.", + "type": "string" } }, { "redis_port": { "default": 6379, - "description": "When using the `redis` policy, this property specifies the port of the Redis server.", "type": "integer", + "description": "When using the `redis` policy, this property specifies the port of the Redis server.", "between": [ 0, 65535 
@@ -92,113 +93,119 @@ { "redis_password": { "len_min": 0, - "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", "type": "string", + "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", "referenceable": true } }, { "redis_username": { - "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.\nThis requires Redis v6.0.0+. The username **cannot** be set to `default`.", "type": "string", + "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.\nThis requires Redis v6.0.0+. The username **cannot** be set to `default`.", "referenceable": true } }, { "redis_ssl": { "default": false, - "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server.", "type": "boolean", - "required": true + "required": true, + "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server." } }, { "redis_ssl_verify": { "default": false, - "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies if the server SSL certificate is validated. Note that you need to configure the `lua_ssl_trusted_certificate` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "type": "boolean", - "required": true + "required": true, + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies if the server SSL certificate is validated. Note that you need to configure the `lua_ssl_trusted_certificate` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly." } }, { "redis_server_name": { - "type": "string", - "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies the server name for the TLS extension Server Name Indication (SNI)." + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies the server name for the TLS extension Server Name Indication (SNI).", + "type": "string" } }, { "redis_timeout": { "default": 2000, - "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server.", - "type": "number" + "type": "number", + "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server." } }, { "redis_database": { "default": 0, - "description": "When using the `redis` policy, this property specifies Redis database to use.", - "type": "number" + "type": "number", + "description": "When using the `redis` policy, this property specifies Redis database to use." } }, { "block_on_first_violation": { "default": false, - "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", "type": "boolean", - "required": true + "required": true, + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too." } }, { "hide_client_headers": { "default": false, - "description": "Optionally hide informative response headers.", "type": "boolean", - "required": true + "required": true, + "description": "Optionally hide informative response headers." 
} }, { "limits": { + "keys": { + "type": "string" + }, + "required": true, + "len_min": 1, + "type": "map", "values": { - "required": true, "fields": [ { "second": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "minute": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "hour": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "day": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "month": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "year": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } } ], "type": "record", + "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -212,17 +219,10 @@ } ] }, - "required": true, - "len_min": 1, - "description": "A map that defines rate limits for the plugin.", - "type": "map", - "keys": { - "type": "string" - } + "description": "A map that defines rate limits for the plugin." } } ], - "type": "record", "required": true } } @@ -230,11 +230,11 @@ "entity_checks": [ { "conditional": { - "if_field": "config.policy", - "then_field": "config.redis_host", "if_match": { "eq": "redis" }, + "then_field": "config.redis_host", + "if_field": "config.policy", "then_match": { "required": true } @@ -242,11 +242,11 @@ }, { "conditional": { - "if_field": "config.policy", - "then_field": "config.redis_port", "if_match": { "eq": "redis" }, + "then_field": "config.redis_port", + "if_field": "config.policy", "then_match": { "required": true } @@ -254,11 +254,11 @@ }, { "conditional": { - "if_field": "config.policy", - "then_field": "config.redis_timeout", "if_match": { "eq": "redis" }, + "then_field": "config.redis_timeout", + "if_field": "config.policy", "then_match": { "required": true } diff --git a/schemas/response-transformer-advanced/3.4.x.json b/schemas/response-transformer-advanced/3.4.x.json index 547fe826..743e9a4a 100644 --- a/schemas/response-transformer-advanced/3.4.x.json 
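Review bot: `redis_ssl_verify` defaults to `false`, so setting `redis_ssl` to `true` on its own encrypts the connection without validating the Redis server's certificate, and the description does not say so. I would extend the description with a sentence such as `With the default of false the server certificate is not checked; set this to true when the connection crosses an untrusted network.` The same default and the same gap appear on `session_redis_ssl_verify` in the later saml schema hunk. Because these files are pulled from the API, the wording change belongs in the upstream schema rather than in this copy.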
+++ b/schemas/response-transformer-advanced/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", @@ -19,14 +18,17 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "type": "record", "fields": [ { "remove": { + "type": "record", "fields": [ { "json": { @@ -62,12 +64,12 @@ } } ], - "type": "record", "required": true } }, { "rename": { + "type": "record", "fields": [ { "headers": { @@ -76,8 +78,8 @@ ], "type": "array", "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" } } }, @@ -93,12 +95,12 @@ } } ], - "type": "record", "required": true } }, { "replace": { + "type": "record", "fields": [ { "body": { @@ -156,12 +158,12 @@ } } ], - "type": "record", "required": true } }, { "add": { + "type": "record", "fields": [ { "json": { @@ -213,12 +215,12 @@ } } ], - "type": "record", "required": true } }, { "append": { + "type": "record", "fields": [ { "json": { @@ -270,28 +272,28 @@ } } ], - "type": "record", "required": true } }, { "allow": { + "type": "record", "fields": [ { "json": { - "type": "set", "elements": { "type": "string" - } + }, + "type": "set" } } ], - "type": "record", "required": true } }, { "transform": { + "type": "record", "fields": [ { "functions": { @@ -327,19 +329,17 @@ } } ], - "type": "record", "required": true } }, { "dots_in_keys": { "default": true, - "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", - "type": "boolean" + "type": "boolean", + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects.." } } ], - "type": "record", "required": true } } 
diff --git a/schemas/response-transformer/3.4.x.json b/schemas/response-transformer/3.4.x.json index 0ef5aab8..c74f4453 100644 --- a/schemas/response-transformer/3.4.x.json +++ b/schemas/response-transformer/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", @@ -19,22 +18,25 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "type": "record", "fields": [ { "remove": { + "type": "record", "fields": [ { "json": { "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { "type": "string" } @@ -45,52 +47,52 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { "type": "string" } } } ], - "type": "record", "required": true } }, { "rename": { + "type": "record", "fields": [ { "headers": { "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" } } } ], - "type": "record", "required": true } }, { "replace": { + "type": "record", "fields": [ { "json": { "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" } } }, @@ -100,7 +102,6 @@ "default": [ ], - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "type": "array", "elements": { "type": "string", @@ -109,7 +110,8 @@ "number", "string" ] - } + }, + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." } }, { 
@@ -117,32 +119,32 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" } } } ], - "type": "record", "required": true } }, { "add": { + "type": "record", "fields": [ { "json": { "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" } } }, @@ -152,7 +154,6 @@ "default": [ ], - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "type": "array", "elements": { "type": "string", @@ -161,7 +162,8 @@ "number", "string" ] - } + }, + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." } }, { @@ -169,32 +171,32 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" } } } ], - "type": "record", "required": true } }, { "append": { + "type": "record", "fields": [ { "json": { "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" } } }, @@ -204,7 +206,6 @@ "default": [ ], - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "type": "array", "elements": { "type": "string", 
@@ -213,7 +214,8 @@ "number", "string" ] - } + }, + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." } }, { @@ -221,21 +223,19 @@ "default": [ ], - "required": true, "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" } } } ], - "type": "record", "required": true } } ], - "type": "record", "required": true } } diff --git a/schemas/route-by-header/3.4.x.json b/schemas/route-by-header/3.4.x.json index 195256b8..9cdd763c 100644 --- a/schemas/route-by-header/3.4.x.json +++ b/schemas/route-by-header/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", @@ -19,55 +18,56 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "rules": { "default": [ ], - "description": "Route by header rules.", "type": "array", "elements": { - "type": "record", "fields": [ { "upstream_name": { - "type": "string", - "required": true + "required": true, + "type": "string" } }, { "condition": { - "values": { + "keys": { "type": "string" }, "required": true, "len_min": 1, "type": "map", - "keys": { + "values": { "type": "string" } } } - ] - } + ], + "type": "record" + }, + "description": "Route by header rules." } } ], - "type": "record", "required": true } } diff --git a/schemas/route-transformer-advanced/3.4.x.json b/schemas/route-transformer-advanced/3.4.x.json index 4cf25cb5..e8bb9558 100644 
--- a/schemas/route-transformer-advanced/3.4.x.json +++ b/schemas/route-transformer-advanced/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", @@ -19,15 +18,16 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -50,13 +50,13 @@ }, { "escape_path": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } } ], - "required": true, "type": "record", + "required": true, "entity_checks": [ { "at_least_one_of": [ diff --git a/schemas/saml/3.4.x.json b/schemas/saml/3.4.x.json index 06923fbe..699c865d 100644 --- a/schemas/saml/3.4.x.json +++ b/schemas/saml/3.4.x.json @@ -3,9 +3,9 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -17,7 +17,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
@@ -27,301 +26,375 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "shorthand_fields": [ + { + "session_cookie_lifetime": { + "type": "number" + } + }, + { + "session_cookie_idletime": { + "type": "number" + } + }, + { + "session_cookie_samesite": { + "type": "string" + } + }, + { + "session_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "type": "string" + } + }, + { + "session_memcache_socket": { + "type": "string" + } + }, + { + "session_memcache_host": { + "type": "string" + } + }, + { + "session_memcache_port": { + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer" + } + }, + { + "session_cookie_renew": { + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "type": "integer" + } + }, + { + "session_strategy": { + "type": "string" + } + }, + { + "session_compressor": { + "type": "string" + } + }, + { + "session_auth_ttl": { + "type": "number" + } + } + ], + "type": "record", + "required": true, "fields": [ { "assertion_consumer_path": { + "required": true, + "starts_with": "/", + "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "required": true, - "starts_with": "/", - "type": "string", "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." 
} }, { "idp_sso_url": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", - "required": true + "required": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "idp_certificate": { - "encrypted": true, + "required": false, "referenceable": true, - "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", "type": "string", - "required": false + "encrypted": true, + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines." } }, { "response_encryption_key": { - "encrypted": true, + "required": false, "referenceable": true, - "description": "The private encryption key required to decrypt encrypted assertions.", "type": "string", - "required": false + "encrypted": true, + "description": "The private encryption key required to decrypt encrypted assertions." } }, { "request_signing_key": { - "encrypted": true, + "required": false, "referenceable": true, - "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", "type": "string", - "required": false + "encrypted": true, + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well." 
} }, { "request_signing_certificate": { - "encrypted": true, + "required": false, "referenceable": true, - "description": "The certificate for signing requests.", "type": "string", - "required": false + "encrypted": true, + "description": "The certificate for signing requests." } }, { "request_signature_algorithm": { "required": false, "default": "SHA256", - "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`", "type": "string", "one_of": [ "SHA256", "SHA384", "SHA512" - ] + ], + "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`" } }, { "request_digest_algorithm": { "required": false, "default": "SHA256", - "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", "type": "string", "one_of": [ "SHA256", "SHA1" - ] + ], + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`" } }, { "response_signature_algorithm": { "required": false, "default": "SHA256", - "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", "type": "string", "one_of": [ "SHA256", "SHA384", "SHA512" - ] + ], + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`" } }, { "response_digest_algorithm": { "required": false, "default": "SHA256", - "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", "type": "string", "one_of": [ "SHA256", "SHA1" - ] + ], + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`" } }, { "issuer": { - "description": "The unique identifier of the IdP application. 
Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", "type": "string", - "required": true + "required": true, + "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP." } }, { "nameid_format": { "required": false, "default": "EmailAddress", - "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", "type": "string", "one_of": [ "Unspecified", "EmailAddress", "Persistent", "Transient" - ] + ], + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`" } }, { "validate_assertion_signature": { "default": true, - "description": "Enable signature validation for SAML responses.", "type": "boolean", - "required": false + "required": false, + "description": "Enable signature validation for SAML responses." } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", "type": "string", - "required": false + "required": false, + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username." } }, { "session_secret": { "referenceable": true, "required": true, - "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). 
It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", "encrypted": true, "len_min": 32, "len_max": 32, + "match": "^[0-9a-zA-Z/_+]+$", "type": "string", - "match": "^[0-9a-zA-Z/_+]+$" + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange." } }, { "session_audience": { "default": "default", - "description": "The session audience, for example \"my-application\"", "type": "string", - "required": false + "required": false, + "description": "The session audience, for example \"my-application\"" } }, { "session_cookie_name": { "default": "session", - "description": "The session cookie name.", "type": "string", - "required": false + "required": false, + "description": "The session cookie name." } }, { "session_remember": { "default": false, - "description": "Enables or disables persistent sessions", "type": "boolean", - "required": false + "required": false, + "description": "Enables or disables persistent sessions" } }, { "session_remember_cookie_name": { "default": "remember", - "description": "Persistent session cookie name", "type": "string", - "required": false + "required": false, + "description": "Persistent session cookie name" } }, { "session_remember_rolling_timeout": { "default": 604800, - "description": "Persistent session rolling timeout in seconds.", "type": "number", - "required": false + "required": false, + "description": "Persistent session rolling timeout in seconds." } }, { "session_remember_absolute_timeout": { "default": 2592000, - "description": "Persistent session absolute timeout in seconds.", "type": "number", - "required": false + "required": false, + "description": "Persistent session absolute timeout in seconds." 
} }, { "session_idling_timeout": { "default": 900, - "description": "The session cookie idle time in seconds.", "type": "number", - "required": false + "required": false, + "description": "The session cookie idle time in seconds." } }, { "session_rolling_timeout": { "default": 3600, - "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", "type": "number", - "required": false + "required": false, + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid." } }, { "session_absolute_timeout": { "default": 86400, - "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", "type": "number", - "required": false + "required": false, + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid." } }, { "session_cookie_path": { - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "required": false, + "default": "/", + "starts_with": "/", + "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "default": "/", - "starts_with": "/", - "type": "string", - "required": false + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "session_cookie_domain": { - "description": "The session cookie domain flag.", "type": "string", - "required": false + "required": false, + "description": "The session cookie domain flag." 
} }, { "session_cookie_same_site": { "required": false, "default": "Lax", - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "type": "string", "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." } }, { "session_cookie_http_only": { "default": true, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "type": "boolean", - "required": false + "required": false, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." } }, { "session_cookie_secure": { - "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "type": "boolean", - "required": false + "required": false, + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." } }, { "session_request_headers": { - "type": "set", "elements": { "type": "string", "one_of": [ @@ -333,12 +406,12 @@ "rolling-timeout", "absolute-timeout" ] - } + }, + "type": "set" } }, { "session_response_headers": { - "type": "set", "elements": { "type": "string", "one_of": [ 
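Review bot: `request_digest_algorithm` and `response_digest_algorithm` both accept `SHA1` in `one_of`, and their descriptions list it next to `SHA256` with no guidance on which to choose. A short addition to each description, for example `SHA1 is no longer collision-resistant; use SHA256 unless the IdP cannot.`, would keep the generated docs from presenting the two as equivalent. In the same hunk, `session_rolling_timeout` carries the text of `session_absolute_timeout` ("The session cookie absolute timeout in seconds…"), which reads like a copy of the wrong description. Both need fixing in the upstream schema, since this file is downloaded.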
@@ -350,297 +423,224 @@ "rolling-timeout", "absolute-timeout" ] - } + }, + "type": "set" } }, { "session_storage": { "required": false, "default": "cookie", - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", "type": "string", "one_of": [ "cookie", "memcache", "memcached", "redis" - ] + ], + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis" } }, { "session_store_metadata": { "default": false, - "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", "type": "boolean", - "required": false + "required": false, + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject." } }, { "session_enforce_same_subject": { "default": false, - "description": "When set to `true`, audiences are forced to share the same subject.", "type": "boolean", - "required": false + "required": false, + "description": "When set to `true`, audiences are forced to share the same subject." } }, { "session_hash_subject": { "default": false, - "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", "type": "boolean", - "required": false + "required": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." } }, { "session_hash_storage_key": { "default": false, - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "type": "boolean", - "required": false + "required": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." } }, { "session_memcached_prefix": { - "description": "The memcached session key prefix.", "type": "string", - "required": false + "required": false, + "description": "The memcached session key prefix." } }, { "session_memcached_socket": { - "description": "The memcached unix socket path.", "type": "string", - "required": false + "required": false, + "description": "The memcached unix socket path." } }, { "session_memcached_host": { "default": "127.0.0.1", - "description": "The memcached host.", "type": "string", - "required": false + "required": false, + "description": "The memcached host." } }, { "session_memcached_port": { "required": false, - "default": 11211, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 11211, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "session_redis_prefix": { - "description": "The Redis session key prefix.", "type": "string", - "required": false + "required": false, + "description": "The Redis session key prefix." 
} }, { "session_redis_socket": { - "description": "The Redis unix socket path.", "type": "string", - "required": false + "required": false, + "description": "The Redis unix socket path." } }, { "session_redis_host": { "default": "127.0.0.1", - "description": "The Redis host IP.", "type": "string", - "required": false + "required": false, + "description": "The Redis host IP." } }, { "session_redis_port": { "required": false, - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "session_redis_username": { "referenceable": true, - "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", "type": "string", - "required": false + "required": false, + "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." } }, { "session_redis_password": { - "encrypted": true, + "required": false, "referenceable": true, - "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. This value is pulled from", "type": "string", - "required": false + "encrypted": true, + "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. 
This value is pulled from" } }, { "session_redis_connect_timeout": { - "description": "The Redis connection timeout in milliseconds.", "type": "integer", - "required": false + "required": false, + "description": "The Redis connection timeout in milliseconds." } }, { "session_redis_read_timeout": { - "description": "The Redis read timeout in milliseconds.", "type": "integer", - "required": false + "required": false, + "description": "The Redis read timeout in milliseconds." } }, { "session_redis_send_timeout": { - "description": "The Redis send timeout in milliseconds.", "type": "integer", - "required": false + "required": false, + "description": "The Redis send timeout in milliseconds." } }, { "session_redis_ssl": { "default": false, - "description": "Use SSL/TLS for the Redis connection.", "type": "boolean", - "required": false + "required": false, + "description": "Use SSL/TLS for the Redis connection." } }, { "session_redis_ssl_verify": { "default": false, - "description": "Verify the Redis server certificate.", "type": "boolean", - "required": false + "required": false, + "description": "Verify the Redis server certificate." } }, { "session_redis_server_name": { - "description": "The SNI used for connecting to the Redis server.", "type": "string", - "required": false + "required": false, + "description": "The SNI used for connecting to the Redis server." } }, { "session_redis_cluster_nodes": { "required": false, - "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", "type": "array", "elements": { - "type": "record", "fields": [ { "ip": { "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com.", "type": "string", - "required": true + "required": true, + "description": "A string representing a host name, such as example.com." 
} }, { "port": { "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ] } } - ] - } + ], + "type": "record" + }, + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values." } }, { "session_redis_cluster_max_redirections": { - "description": "The Redis cluster maximum redirects.", "type": "integer", - "required": false - } - } - ], - "type": "record", - "shorthand_fields": [ - { - "session_cookie_lifetime": { - "type": "number" - } - }, - { - "session_cookie_idletime": { - "type": "number" - } - }, - { - "session_cookie_samesite": { - "type": "string" - } - }, - { - "session_cookie_httponly": { - "type": "boolean" - } - }, - { - "session_memcache_prefix": { - "type": "string" - } - }, - { - "session_memcache_socket": { - "type": "string" - } - }, - { - "session_memcache_host": { - "type": "string" - } - }, - { - "session_memcache_port": { - "type": "integer" - } - }, - { - "session_redis_cluster_maxredirections": { - "type": "integer" - } - }, - { - "session_cookie_renew": { - "type": "number" - } - }, - { - "session_cookie_maxsize": { - "type": "integer" - } - }, - { - "session_strategy": { - "type": "string" - } - }, - { - "session_compressor": { - "type": "string" - } - }, - { - "session_auth_ttl": { - "type": "number" + "required": false, + "description": "The Redis cluster maximum redirects." } } - ], - "required": true + ] } } ], diff --git a/schemas/session/3.4.x.json b/schemas/session/3.4.x.json index 9cf9d1dc..ed891bb2 100644 --- a/schemas/session/3.4.x.json +++ b/schemas/session/3.4.x.json 
@@ -3,9 +3,9 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -17,10 +17,8 @@ "http", "https" ], - "description": "A set of strings representing protocols.", "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "type": "string", "one_of": [ "grpc", 
@@ -33,155 +31,195 @@ "udp", "ws", "wss" - ] - } + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "shorthand_fields": [ + { + "cookie_lifetime": { + "type": "number" + } + }, + { + "cookie_idletime": { + "type": "number" + } + }, + { + "cookie_renew": { + "type": "number" + } + }, + { + "cookie_discard": { + "type": "number" + } + }, + { + "cookie_samesite": { + "type": "string" + } + }, + { + "cookie_httponly": { + "type": "boolean" + } + }, + { + "cookie_persistent": { + "type": "boolean" + } + } + ], + "type": "record", + "required": true, "fields": [ { "secret": { - "referenceable": true, "required": false, - "default": "as6rhTxJRUuWhaZKo58zQN1ZdWZSxGzYdKDnvRIEUSUp", "description": "The secret that is used in keyed HMAC generation.", + "default": "wXhRlE4nPT2CwAuqu57egsj16Ij4G8g3F68UL06nBiUu", "type": "string", - "encrypted": true + "encrypted": true, + "referenceable": true } }, { "storage": { "default": "cookie", - "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", "type": "string", "one_of": [ "cookie", "kong" - ] + ], + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself." 
} }, { "audience": { "default": "default", - "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", - "type": "string" + "type": "string", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`." } }, { "idling_timeout": { "default": 900, - "description": "The session cookie idle time, in seconds.", - "type": "number" + "type": "number", + "description": "The session cookie idle time, in seconds." } }, { "rolling_timeout": { "default": 3600, - "description": "The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed.", - "type": "number" + "type": "number", + "description": "The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed." } }, { "absolute_timeout": { "default": 86400, - "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", - "type": "number" + "type": "number", + "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid." } }, { "stale_ttl": { "default": 10, - "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", - "type": "number" + "type": "number", + "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one." } }, { "cookie_name": { "default": "session", - "description": "The name of the cookie.", - "type": "string" + "type": "string", + "description": "The name of the cookie." 
} }, { "cookie_path": { "default": "/", - "description": "The resource in the host where the cookie is available.", - "type": "string" + "type": "string", + "description": "The resource in the host where the cookie is available." } }, { "cookie_domain": { - "type": "string", - "description": "The domain with which the cookie is intended to be exchanged." + "description": "The domain with which the cookie is intended to be exchanged.", + "type": "string" } }, { "cookie_same_site": { "default": "Strict", - "description": "Determines whether and how a cookie may be sent with cross-site requests.", "type": "string", "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "description": "Determines whether and how a cookie may be sent with cross-site requests." } }, { "cookie_http_only": { "default": true, - "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", - "type": "boolean" + "type": "boolean", + "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server." } }, { "cookie_secure": { "default": true, - "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", - "type": "boolean" + "type": "boolean", + "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol." } }, { "remember": { "default": false, - "description": "Enables or disables persistent sessions.", - "type": "boolean" + "type": "boolean", + "description": "Enables or disables persistent sessions." } }, { "remember_cookie_name": { "default": "remember", - "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", - "type": "string" + "type": "string", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter." 
} }, { "remember_rolling_timeout": { "default": 604800, - "description": "The persistent session rolling timeout window, in seconds.", - "type": "number" + "type": "number", + "description": "The persistent session rolling timeout window, in seconds." } }, { "remember_absolute_timeout": { "default": 2592000, - "description": "The persistent session absolute timeout limit, in seconds.", - "type": "number" + "type": "number", + "description": "The persistent session absolute timeout limit, in seconds." } }, { "response_headers": { - "description": "List of information to include, as headers, in the response to the downstream.", "type": "set", "elements": { "type": "string", @@ -194,12 +232,12 @@ "rolling-timeout", "absolute-timeout" ] - } + }, + "description": "List of information to include, as headers, in the response to the downstream." } }, { "request_headers": { - "description": "List of information to include, as headers, in the response to the downstream.", "type": "set", "elements": { "type": "string", @@ -212,7 +250,8 @@ "rolling-timeout", "absolute-timeout" ] - } + }, + "description": "List of information to include, as headers, in the response to the downstream." } }, { @@ -221,7 +260,6 @@ "POST", "DELETE" ], - "description": "A set of HTTP methods that the plugin will respond to.", "type": "set", "elements": { "type": "string", 
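Review bot: The `default` of `config.secret` in the `@@ -33,155 +31,195 @@` hunk is a concrete random-looking string that differs from the one it replaces. That suggests the gateway instance the schema was downloaded from generates it at load time, rather than it being a fixed plugin default (inferred from the change, not stated in the commit). Publishing it as the documented default invites operators to copy it into configuration, and a value that is public in the docs gives no protection as the key for "keyed HMAC generation". It will also produce a spurious diff on every schema download. I would have the export step mask this one default, e.g. `"default": "<generated per instance>"`, and leave `encrypted` and `referenceable` as they are.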
@@ -230,63 +268,25 @@ "POST", "DELETE" ] - } + }, + "description": "A set of HTTP methods that the plugin will respond to." } }, { "logout_query_arg": { "default": "session_logout", - "description": "The query argument passed to logout requests.", - "type": "string" + "type": "string", + "description": "The query argument passed to logout requests." } }, { "logout_post_arg": { "default": "session_logout", - "description": "The POST argument passed to logout requests. Do not change this property.", - "type": "string" - } - } - ], - "type": "record", - "shorthand_fields": [ - { - "cookie_lifetime": { - "type": "number" - } - }, - { - "cookie_idletime": { - "type": "number" - } - }, - { - "cookie_renew": { - "type": "number" - } - }, - { - "cookie_discard": { - "type": "number" - } - }, - { - "cookie_samesite": { - "type": "string" - } - }, - { - "cookie_httponly": { - "type": "boolean" - } - }, - { - "cookie_persistent": { - "type": "boolean" + "type": "string", + "description": "The POST argument passed to logout requests. Do not change this property." } } - ], - "required": true + ] } } ], diff --git a/schemas/statsd-advanced/3.4.x.json b/schemas/statsd-advanced/3.4.x.json index 710b4374..16c92874 100644 --- a/schemas/statsd-advanced/3.4.x.json +++ b/schemas/statsd-advanced/3.4.x.json @@ -9,10 +9,8 @@ "http", "https" ], - "description": "A set of strings representing protocols.", "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "type": "string", "one_of": [ "grpc", 
@@ -25,33 +23,36 @@ "udp", "ws", "wss" - ] - } + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "host": { "default": "localhost", - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { "default": 8125, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 @@ -61,16 +62,16 @@ { "prefix": { "default": "kong", - "description": "String to prefix to each metric's name.", - "type": "string" + "type": "string", + "description": "String to prefix to each metric's name." } }, { "metrics": { "default": [ { - "name": "request_count", "sample_rate": 1, + "name": "request_count", "stat_type": "counter" }, { @@ -82,8 +83,8 @@ "name": "request_size" }, { - "name": "status_count", "sample_rate": 1, + "name": "status_count", "stat_type": "counter" }, { @@ -95,9 +96,9 @@ "name": "unique_users" }, { - "stat_type": "counter", "sample_rate": 1, - "name": "request_per_user" + "name": "request_per_user", + "stat_type": "counter" }, { "stat_type": "timer", 
@@ -108,43 +109,44 @@ "name": "kong_latency" }, { - "stat_type": "counter", "sample_rate": 1, - "name": "status_count_per_user" + "name": "status_count_per_user", + "stat_type": "counter" }, { - "name": "status_count_per_workspace", "sample_rate": 1, + "name": "status_count_per_workspace", "stat_type": "counter" }, { - "stat_type": "counter", "sample_rate": 1, - "name": "status_count_per_user_per_route" + "name": "status_count_per_user_per_route", + "stat_type": "counter" }, { - "name": "shdict_usage", "sample_rate": 1, + "name": "shdict_usage", "stat_type": "gauge" }, { - "name": "cache_datastore_hits_total", "sample_rate": 1, + "name": "cache_datastore_hits_total", "stat_type": "counter" }, { - "name": "cache_datastore_misses_total", "sample_rate": 1, + "name": "cache_datastore_misses_total", "stat_type": "counter" } ], - "description": "List of Metrics to be logged.", "type": "array", "elements": { + "type": "record", "fields": [ { "name": { "type": "string", + "required": true, "one_of": [ "kong_latency", "latency", @@ -161,13 +163,13 @@ "shdict_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" - ], - "required": true + ] } }, { "stat_type": { "type": "string", + "required": true, "one_of": [ "counter", "gauge", @@ -175,14 +177,13 @@ "meter", "set", "timer" - ], - "required": true + ] } }, { "sample_rate": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { @@ -216,17 +217,16 @@ } } ], - "type": "record", "entity_checks": [ { "conditional": { - "if_field": "name", - "then_field": "stat_type", "if_match": { "one_of": [ "unique_users" ] }, + "then_field": "stat_type", + "if_field": "name", "then_match": { "eq": "set" } @@ -234,8 +234,6 @@ }, { "conditional": { - "if_field": "name", - "then_field": "stat_type", "if_match": { "one_of": [ "request_count", @@ -248,6 +246,8 @@ "cache_datastore_misses_total" ] }, + "then_field": "stat_type", + "if_field": "name", "then_match": { "eq": "counter" } 
@@ -255,13 +255,13 @@ }, { "conditional": { - "if_field": "name", - "then_field": "stat_type", "if_match": { "one_of": [ "shdict_usage" ] }, + "then_field": "stat_type", + "if_field": "name", "then_match": { "eq": "gauge" } @@ -269,38 +269,39 @@ }, { "conditional": { - "if_field": "stat_type", - "then_field": "sample_rate", "if_match": { "one_of": [ "counter", "gauge" ] }, + "then_field": "sample_rate", + "if_field": "stat_type", "then_match": { "required": true } } } ] - } + }, + "description": "List of Metrics to be logged." } }, { "allow_status_codes": { - "description": "List of status code ranges that are allowed to be logged in metrics.", "type": "array", "elements": { "type": "string", "match": "^[0-9]+-[0-9]+$" - } + }, + "description": "List of status code ranges that are allowed to be logged in metrics." } }, { "udp_packet_size": { "default": 0, - "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", "type": "number", + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", "between": [ 0, 65507 
@@ -310,90 +311,91 @@ { "use_tcp": { "default": false, - "description": "Use TCP instead of UDP.", - "type": "boolean" + "type": "boolean", + "description": "Use TCP instead of UDP." } }, { "hostname_in_prefix": { "default": false, - "description": "Include the `hostname` in the `prefix` for each metric name.", - "type": "boolean" + "type": "boolean", + "description": "Include the `hostname` in the `prefix` for each metric name." } }, { "consumer_identifier_default": { "required": true, "default": "custom_id", - "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ] + ], + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`." } }, { "service_identifier_default": { "required": true, "default": "service_name_or_host", - "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", "type": "string", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ] + ], + "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`." } }, { "workspace_identifier_default": { "required": true, "default": "workspace_id", - "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. 
", "type": "string", "one_of": [ "workspace_id", "workspace_name" - ] + ], + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. " } }, { "queue": { + "type": "record", "fields": [ { "max_batch_size": { "default": 1, - "description": "Maximum number of entries that can be processed at a time.", "type": "integer", "between": [ 1, 1000000 - ] + ], + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "type": "number", "between": [ 0, 3600 - ] + ], + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue.", "type": "integer", "between": [ 1, 1000000 - ] + ], + "description": "Maximum number of entries that can be waiting on the queue." } }, { 
@@ -405,26 +407,26 @@ { "max_retry_time": { "default": 60, - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "type": "number" + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch.", "type": "number", "between": [ 0.001, 1000000 - ] + ], + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff.", "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 @@ -432,12 +434,10 @@ } } ], - "type": "record", "required": true } } ], - "type": "record", "required": true } } diff --git a/schemas/statsd/3.4.x.json b/schemas/statsd/3.4.x.json index b265dc54..39ea54dc 100644 --- a/schemas/statsd/3.4.x.json +++ b/schemas/statsd/3.4.x.json @@ -9,10 +9,8 @@ "http", "https" ], - "description": "A set of strings representing protocols.", "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "type": "string", "one_of": [ "grpc", @@ -25,16 +23,18 @@ "udp", "ws", "wss" - ] - } + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -43,15 +43,15 @@ { "host": { "default": "localhost", - "description": "The IP address or hostname of StatsD server to send data to.", - "type": "string" + "type": "string", + "description": "The IP address or hostname of StatsD server to send data to." } }, { "port": { "default": 8125, - "description": "The port of StatsD server to send data to.", "type": "integer", + "description": "The port of StatsD server to send data to.", "between": [ 0, 65535 @@ -61,45 +61,45 @@ { "prefix": { "default": "kong", - "description": "String to prefix to each metric's name.", - "type": "string" + "type": "string", + "description": "String to prefix to each metric's name." } }, { "metrics": { "default": [ { - "stat_type": "counter", "sample_rate": 1, - "name": "request_count" + "name": "request_count", + "stat_type": "counter" }, { "stat_type": "timer", "name": "latency" }, { - "stat_type": "counter", "sample_rate": 1, - "name": "request_size" + "name": "request_size", + "stat_type": "counter" }, { - "stat_type": "counter", "sample_rate": 1, - "name": "status_count" + "name": "status_count", + "stat_type": "counter" }, { - "stat_type": "counter", "sample_rate": 1, - "name": "response_size" + "name": "response_size", + "stat_type": "counter" }, { "stat_type": "set", "name": "unique_users" }, { - "stat_type": "counter", "sample_rate": 1, - "name": "request_per_user" + "name": "request_per_user", + "stat_type": "counter" }, { "stat_type": "timer", 
@@ -110,49 +110,42 @@ "name": "kong_latency" }, { - "stat_type": "counter", - "sample_rate": 1, - "name": "status_count_per_user" - }, - { - "stat_type": "counter", "sample_rate": 1, - "name": "status_count_per_workspace" + "name": "status_count_per_user", + "stat_type": "counter" }, { - "stat_type": "counter", "sample_rate": 1, - "name": "status_count_per_user_per_route" + "name": "status_count_per_workspace", + "stat_type": "counter" }, { - "stat_type": "gauge", "sample_rate": 1, - "name": "shdict_usage" + "name": "status_count_per_user_per_route", + "stat_type": "counter" }, { - "stat_type": "gauge", "sample_rate": 1, - "name": "lmdb_usage" + "name": "shdict_usage", + "stat_type": "gauge" }, { - "stat_type": "counter", "sample_rate": 1, - "name": "cache_datastore_hits_total" + "name": "cache_datastore_hits_total", + "stat_type": "counter" }, { - "stat_type": "counter", "sample_rate": 1, - "name": "cache_datastore_misses_total" + "name": "cache_datastore_misses_total", + "stat_type": "counter" } ], - "description": "List of metrics to be logged.", "type": "array", "elements": { + "type": "record", "fields": [ { "name": { - "type": "string", - "description": "StatsD metric’s name.", "one_of": [ "kong_latency", "latency", @@ -167,17 +160,16 @@ "status_count_per_workspace", "status_count_per_user_per_route", "shdict_usage", - "lmdb_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" ], - "required": true + "type": "string", + "required": true, + "description": "StatsD metric’s name." } }, { "stat_type": { - "type": "string", - "description": "Determines what sort of event a metric represents.", "one_of": [ "counter", "gauge", 
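Review bot: `lmdb_usage` is dropped from the `metrics` default list in this hunk and from the `name` `one_of` list in the following `@@ -167,17 +160,16 @@` hunk. That is a content change in a commit described as only pulling updated descriptions. If that metric is registered only under certain deployment modes (an assumption; the diff does not show why it vanished), the file now reflects the instance it was exported from rather than the plugin, and the published schema would omit a metric name that is valid elsewhere. Worth confirming against the 3.4 plugin source before merging, and recording in the commit description which instance configuration the schemas are exported from.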
@@ -186,79 +178,81 @@ "set", "timer" ], - "required": true + "type": "string", + "required": true, + "description": "Determines what sort of event a metric represents." } }, { "sample_rate": { - "description": "Sampling rate", + "gt": 0, "type": "number", - "gt": 0 + "description": "Sampling rate" } }, { "consumer_identifier": { - "description": "Authenticated user detail.", - "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ] + ], + "type": "string", + "description": "Authenticated user detail." } }, { "service_identifier": { - "description": "Service detail.", - "type": "string", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ] + ], + "type": "string", + "description": "Service detail." } }, { "workspace_identifier": { - "description": "Workspace detail.", - "type": "string", "one_of": [ "workspace_id", "workspace_name" - ] + ], + "type": "string", + "description": "Workspace detail." } } ], - "type": "record", "entity_checks": [ { "conditional": { - "if_field": "stat_type", - "then_field": "sample_rate", "if_match": { "one_of": [ "counter", "gauge" ] }, + "then_field": "sample_rate", + "if_field": "stat_type", "then_match": { "required": true } } } ] - } + }, + "description": "List of metrics to be logged." } }, { "allow_status_codes": { - "description": "List of status code ranges that are allowed to be logged in metrics.", "type": "array", "elements": { "type": "string", "match": "^[0-9]+-[0-9]+$" - } + }, + "description": "List of status code ranges that are allowed to be logged in metrics." } }, { 
@@ -273,50 +267,50 @@ }, { "use_tcp": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "hostname_in_prefix": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "consumer_identifier_default": { "default": "custom_id", "type": "string", + "required": true, "one_of": [ "consumer_id", "custom_id", "username" - ], - "required": true + ] } }, { "service_identifier_default": { "default": "service_name_or_host", "type": "string", + "required": true, "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ], - "required": true + ] } }, { "workspace_identifier_default": { "default": "workspace_id", "type": "string", + "required": true, "one_of": [ "workspace_id", "workspace_name" - ], - "required": true + ] } }, { @@ -337,49 +331,50 @@ { "tag_style": { "type": "string", + "required": false, "one_of": [ "dogstatsd", "influxdb", "librato", "signalfx" - ], - "required": false + ] } }, { "queue": { + "type": "record", "fields": [ { "max_batch_size": { "default": 1, - "description": "Maximum number of entries that can be processed at a time.", "type": "integer", "between": [ 1, 1000000 - ] + ], + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "type": "number", "between": [ 0, 3600 - ] + ], + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue.", "type": "integer", "between": [ 1, 1000000 - ] + ], + "description": "Maximum number of entries that can be waiting on the queue." } }, { 
@@ -391,26 +386,26 @@ { "max_retry_time": { "default": 60, - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "type": "number" + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch.", "type": "number", "between": [ 0.001, 1000000 - ] + ], + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff.", "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 @@ -418,13 +413,12 @@ } } ], - "type": "record", "required": true } } ], - "required": true, "type": "record", + "required": true, "entity_checks": [ { "custom_entity_check": { diff --git a/schemas/syslog/3.4.x.json b/schemas/syslog/3.4.x.json index ac6877c5..a2804c38 100644 --- a/schemas/syslog/3.4.x.json +++ b/schemas/syslog/3.4.x.json @@ -9,10 +9,8 @@ "http", "https" ], - "description": "A set of strings representing protocols.", "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "type": "string", "one_of": [ "grpc", 
@@ -25,25 +23,29 @@ "udp", "ws", "wss" - ] - } + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "log_level": { "default": "info", "type": "string", + "required": true, "one_of": [ "debug", "info", @@ -53,14 +55,14 @@ "crit", "alert", "emerg" - ], - "required": true + ] } }, { "successful_severity": { "default": "info", "type": "string", + "required": true, "one_of": [ "debug", "info", @@ -70,14 +72,14 @@ "crit", "alert", "emerg" - ], - "required": true + ] } }, { "client_errors_severity": { "default": "info", "type": "string", + "required": true, "one_of": [ "debug", "info", @@ -87,14 +89,14 @@ "crit", "alert", "emerg" - ], - "required": true + ] } }, { "server_errors_severity": { "default": "info", "type": "string", + "required": true, "one_of": [ "debug", "info", @@ -104,14 +106,11 @@ "crit", "alert", "emerg" - ], - "required": true + ] } }, { "custom_fields_by_lua": { - "type": "map", - "description": "Lua code as a key-value map", "values": { "len_min": 1, "type": "string" @@ -119,14 +118,15 @@ "keys": { "type": "string", "len_min": 1 - } + }, + "type": "map", + "description": "Lua code as a key-value map" } }, { "facility": { "required": true, "default": "user", - "description": "The facility is used by the operating system to decide how to handle each log message.", "type": "string", "one_of": [ "auth", @@ -149,11 +149,11 @@ "local5", "local6", "local7" - ] + ], + "description": "The facility is used by the operating system to decide how to handle each log message." } } ], - "type": "record", "required": true } } 
diff --git a/schemas/tcp-log/3.4.x.json b/schemas/tcp-log/3.4.x.json index f003733e..bda9036f 100644 --- a/schemas/tcp-log/3.4.x.json +++ b/schemas/tcp-log/3.4.x.json @@ -9,10 +9,8 @@ "http", "https" ], - "description": "A set of strings representing protocols.", "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "type": "string", "one_of": [ "grpc", 
@@ -25,59 +23,62 @@ "udp", "ws", "wss" - ] - } + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "host": { - "description": "The IP address or host name to send data to.", "type": "string", - "required": true + "required": true, + "description": "The IP address or host name to send data to." } }, { "port": { + "description": "The port to send data to on the upstream server.", + "type": "integer", + "required": true, "between": [ 0, 65535 - ], - "description": "The port to send data to on the upstream server.", - "type": "integer", - "required": true + ] } }, { "timeout": { "default": 10000, - "description": "An optional timeout in milliseconds when sending data to the upstream server.", - "type": "number" + "type": "number", + "description": "An optional timeout in milliseconds when sending data to the upstream server." } }, { "keepalive": { "default": 60000, - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", - "type": "number" + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." } }, { "tls": { "default": false, - "description": "Indicates whether to perform a TLS handshake against the remote server.", "type": "boolean", - "required": true + "required": true, + "description": "Indicates whether to perform a TLS handshake against the remote server." } }, { 
@@ -88,20 +89,19 @@ }, { "custom_fields_by_lua": { - "values": { - "len_min": 1, - "type": "string" - }, "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", - "type": "map", "keys": { "type": "string", "len_min": 1 + }, + "type": "map", + "values": { + "len_min": 1, + "type": "string" } } } ], - "type": "record", "required": true } } diff --git a/schemas/tls-handshake-modifier/3.4.x.json b/schemas/tls-handshake-modifier/3.4.x.json index 7e8624b9..8e082047 100644 --- a/schemas/tls-handshake-modifier/3.4.x.json +++ b/schemas/tls-handshake-modifier/3.4.x.json @@ -3,9 +3,9 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -14,8 +14,8 @@ "https", "grpcs" ], - "required": true, "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -29,27 +29,27 @@ { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "tls_client_certificate": { "required": false, "default": "REQUEST", - "description": "TLS Client Certificate", "type": "string", "one_of": [ "REQUEST" - ] + ], + "description": "TLS Client Certificate" } } ], - "type": "record", "required": true } } diff --git a/schemas/tls-metadata-headers/3.4.x.json b/schemas/tls-metadata-headers/3.4.x.json index c4885e27..ffd00ed9 100644 --- a/schemas/tls-metadata-headers/3.4.x.json +++ b/schemas/tls-metadata-headers/3.4.x.json 
@@ -3,9 +3,9 @@ { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -14,8 +14,8 @@ "https", "grpcs" ], - "required": true, "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -29,63 +29,63 @@ { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "inject_client_cert_details": { "default": false, - "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", - "type": "boolean" + "type": "boolean", + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers." } }, { "client_cert_header_name": { "default": "X-Client-Cert", - "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", "type": "string", - "required": true + "required": true, + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate." } }, { "client_serial_header_name": { "default": "X-Client-Cert-Serial", - "description": "Define the HTTP header name used for the serial number of the client certificate.", "type": "string", - "required": true + "required": true, + "description": "Define the HTTP header name used for the serial number of the client certificate." } }, { "client_cert_issuer_dn_header_name": { "default": "X-Client-Cert-Issuer-DN", - "description": "Define the HTTP header name used for the issuer DN of the client certificate.", "type": "string", - "required": true + "required": true, + "description": "Define the HTTP header name used for the issuer DN of the client certificate." } }, { "client_cert_subject_dn_header_name": { "default": "X-Client-Cert-Subject-DN", - "description": "Define the HTTP header name used for the subject DN of the client certificate.", "type": "string", - "required": true + "required": true, + "description": "Define the HTTP header name used for the subject DN of the client certificate." 
} }, { "client_cert_fingerprint_header_name": { "default": "X-Client-Cert-Fingerprint", - "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", "type": "string", - "required": true + "required": true, + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate." } } ], - "type": "record", "required": true } } diff --git a/schemas/udp-log/3.4.x.json b/schemas/udp-log/3.4.x.json index d7c0878c..d899959d 100644 --- a/schemas/udp-log/3.4.x.json +++ b/schemas/udp-log/3.4.x.json @@ -9,10 +9,8 @@ "http", "https" ], - "description": "A set of strings representing protocols.", "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "type": "string", "one_of": [ "grpc", 
@@ -25,50 +23,51 @@ "udp", "ws", "wss" - ] - } + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", "type": "string", - "required": true + "required": true, + "description": "A string representing a host name, such as example.com." } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "required": true, "between": [ 0, 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", - "required": true + ] } }, { "timeout": { "default": 10000, - "description": "An optional timeout in milliseconds when sending data to the upstream server.", - "type": "number" + "type": "number", + "description": "An optional timeout in milliseconds when sending data to the upstream server." } }, { "custom_fields_by_lua": { - "type": "map", - "description": "Lua code as a key-value map", "values": { "len_min": 1, "type": "string" @@ -76,11 +75,12 @@ "keys": { "type": "string", "len_min": 1 - } + }, + "type": "map", + "description": "Lua code as a key-value map" } } ], - "type": "record", "required": true } } diff --git a/schemas/upstream-timeout/3.4.x.json b/schemas/upstream-timeout/3.4.x.json index 7f1acc3c..936ee27a 100644 --- a/schemas/upstream-timeout/3.4.x.json +++ b/schemas/upstream-timeout/3.4.x.json 
@@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", @@ -19,52 +18,53 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "read_timeout": { + "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { + "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "connect_timeout": { + "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } } ], - "type": "record", "required": true } } diff --git a/schemas/vault-auth/3.4.x.json b/schemas/vault-auth/3.4.x.json index d3234493..7c46e3c7 100644 --- a/schemas/vault-auth/3.4.x.json +++ b/schemas/vault-auth/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
@@ -19,65 +18,67 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "access_token_name": { "required": true, "default": "access_token", - "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", "type": "string", "elements": { - "type": "string", - "description": "A string representing an HTTP header name." - } + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-]." } }, { "secret_token_name": { "required": true, "default": "secret_token", - "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. 
The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", "type": "string", "elements": { - "type": "string", - "description": "A string representing an HTTP header name." - } + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-]." } }, { "vault": { "reference": "vault_auth_vaults", - "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", "type": "foreign", - "required": true + "required": true, + "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API." } }, { "hide_credentials": { "default": false, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", - "type": "boolean" + "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it." } }, { 
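Review bot: `access_token_name` and `secret_token_name` in the `config` record are declared `"type": "string"` with plain string defaults, yet each carries an `elements` sub-schema and a description that calls the value "an array of comma-separated parameter names". A reader of the schema cannot tell whether one name or a list is accepted, and these two fields decide where the plugin looks for credentials in a request. If a single name is what the plugin accepts (inferred here from the type and default only), the description could open with `Describes the parameter name where the plugin looks for an access token.` and the `elements` key could be dropped. Because this file is downloaded from the API, the correction would have to be made in the plugin's schema source rather than in this JSON.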
@@ -89,19 +90,18 @@ { "tokens_in_body": { "default": false, - "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", - "type": "boolean" + "type": "boolean", + "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." } }, { "run_on_preflight": { "default": true, - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", - "type": "boolean" + "type": "boolean", + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed." } } ], - "type": "record", "required": true } } diff --git a/schemas/websocket-size-limit/3.4.x.json b/schemas/websocket-size-limit/3.4.x.json index d327baaf..d44a1a7e 100644 --- a/schemas/websocket-size-limit/3.4.x.json +++ b/schemas/websocket-size-limit/3.4.x.json @@ -6,8 +6,8 @@ "ws", "wss" ], - "required": true, "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -20,9 +20,9 @@ { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -30,27 +30,27 @@ "fields": [ { "client_max_payload": { + "type": "integer", + "required": false, "between": [ 1, 33554432 - ], - "type": "integer", - "required": false + ] } }, { "upstream_max_payload": { + "type": "integer", + "required": false, "between": [ 1, 33554432 - ], - "type": "integer", - "required": false + ] } } ], - "required": true, "type": "record", + "required": true, "entity_checks": [ { "at_least_one_of": [ diff --git a/schemas/websocket-validator/3.4.x.json b/schemas/websocket-validator/3.4.x.json index bdeee552..3abe44b3 100644 --- a/schemas/websocket-validator/3.4.x.json +++ b/schemas/websocket-validator/3.4.x.json @@ -6,8 +6,8 @@ "ws", "wss" ], - "required": true, "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -20,9 +20,9 @@ { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -31,54 +31,31 @@ { "client": { "required": false, - "entity_checks": [ - { - "at_least_one_of": [ - "text", - "binary" - ] - } - ], "type": "record", "fields": [ { "text": { "required": false, - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "type", - "schema" - ] - } - } - ], "type": "record", "fields": [ { "type": { - "type": "string", - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" ], - "required": true + "type": "string", + "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." } }, { "schema": { - "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "type": "string", - "required": true + "required": true, + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." } } - ] - } - }, - { - "binary": { - "required": false, + ], "entity_checks": [ { "custom_entity_check": { 
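Review bot: The two `description` strings under `client.text` are the ones written for the upstream binary validator: `type` points at `config.upstream.binary.schema` and `schema` says it validates "upstream-originated binary frames", so the generated documentation for client text frames names the wrong direction and frame type. The same pair of strings is repeated for `client.binary`, `upstream.text` and `upstream.binary` in the following hunks of this file, and only the last of these matches its field. For this entry the `schema` text would read `Schema used to validate client-originated text frames.` with the `type` text referring to the client text schema instead. The file is pulled from the API, so the wording presumably has to be corrected in the plugin's schema source; the `client` record itself continues past the end of this hunk.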
@@ -88,35 +65,45 @@ ] } } - ], + ] + } + }, + { + "binary": { + "required": false, "type": "record", "fields": [ { "type": { - "type": "string", - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" ], - "required": true + "type": "string", + "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." } }, { "schema": { - "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "type": "string", - "required": true + "required": true, + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] } } ] } } - ] - } - }, - { - "upstream": { - "required": false, + ], "entity_checks": [ { "at_least_one_of": [ 
@@ -124,47 +111,37 @@ "binary" ] } - ], + ] + } + }, + { + "upstream": { + "required": false, "type": "record", "fields": [ { "text": { "required": false, - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "type", - "schema" - ] - } - } - ], "type": "record", "fields": [ { "type": { - "type": "string", - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" ], - "required": true + "type": "string", + "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." } }, { "schema": { - "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "type": "string", - "required": true + "required": true, + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." } } - ] - } - }, - { - "binary": { - "required": false, + ], "entity_checks": [ { "custom_entity_check": { 
@@ -174,35 +151,58 @@ ] } } - ], + ] + } + }, + { + "binary": { + "required": false, "type": "record", "fields": [ { "type": { - "type": "string", - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" ], - "required": true + "type": "string", + "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." } }, { "schema": { - "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "type": "string", - "required": true + "required": true, + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] } } ] } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } ] } } ], - "required": true, "type": "record", + "required": true, "entity_checks": [ { "at_least_one_of": [ diff --git a/schemas/xml-threat-protection/3.4.x.json b/schemas/xml-threat-protection/3.4.x.json index aeb364e4..37b4f5d4 100644 --- a/schemas/xml-threat-protection/3.4.x.json +++ b/schemas/xml-threat-protection/3.4.x.json @@ -9,7 +9,6 @@ "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "type": "set", "elements": { "type": "string", 
@@ -19,15 +18,16 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -39,13 +39,13 @@ "default": [ "application/xml" ], - "description": "A list of Content-Type values with payloads that must be validated.", "type": "set", "elements": { + "match": "^[^%s]+%/[^ ;]+$", "required": true, - "type": "string", - "match": "^[^%s]+%/[^ ;]+$" - } + "type": "string" + }, + "description": "A list of Content-Type values with payloads that must be validated." } }, { @@ -54,29 +54,29 @@ "default": [ ], - "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", "type": "set", "elements": { + "match": "^[^%s]+%/[^ ;]+$", "required": true, - "type": "string", - "match": "^[^%s]+%/[^ ;]+$" - } + "type": "string" + }, + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated." } }, { "allow_dtd": { "default": false, - "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", "type": "boolean", - "required": true + "required": true, + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed." } }, { "namespace_aware": { "default": true, - "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", "type": "boolean", - "required": true + "required": true, + "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such." } }, { 
@@ -84,8 +84,8 @@ "gt": 0, "required": true, "default": 50, - "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", - "type": "integer" + "type": "integer", + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level." } }, { @@ -93,8 +93,8 @@ "gt": 0, "required": true, "default": 100, - "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", - "type": "integer" + "type": "integer", + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child." } }, { @@ -102,8 +102,8 @@ "gt": 0, "required": true, "default": 100, - "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", - "type": "integer" + "type": "integer", + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes." } }, { @@ -111,8 +111,8 @@ "gt": 0, "required": false, "default": 20, - "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", - "type": "integer" + "type": "integer", + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware." } }, { @@ -120,8 +120,8 @@ "gt": 0, "required": true, "default": 10485760, - "description": "Maximum size of the entire document.", - "type": "integer" + "type": "integer", + "description": "Maximum size of the entire document." } }, { 
@@ -129,8 +129,8 @@ "gt": 0, "required": true, "default": 1048576, - "description": "Maximum size of the unparsed buffer (see below).", - "type": "integer" + "type": "integer", + "description": "Maximum size of the unparsed buffer (see below)." } }, { @@ -138,8 +138,8 @@ "gt": 0, "required": true, "default": 1024, - "description": "Maximum size of comments.", - "type": "integer" + "type": "integer", + "description": "Maximum size of comments." } }, { @@ -147,8 +147,8 @@ "gt": 0, "required": true, "default": 1024, - "description": "Maximum size of the localname. This applies to tags and attributes.", - "type": "integer" + "type": "integer", + "description": "Maximum size of the localname. This applies to tags and attributes." } }, { @@ -156,8 +156,8 @@ "gt": 0, "required": false, "default": 1024, - "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", - "type": "integer" + "type": "integer", + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware." } }, { @@ -165,8 +165,8 @@ "gt": 0, "required": false, "default": 1024, - "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware.", - "type": "integer" + "type": "integer", + "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware." } }, { @@ -174,8 +174,8 @@ "gt": 0, "required": true, "default": 1048576, - "description": "Maximum size of the attribute value.", - "type": "integer" + "type": "integer", + "description": "Maximum size of the attribute value." } }, { 
@@ -183,8 +183,8 @@ "gt": 0, "required": true, "default": 1048576, - "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", - "type": "integer" + "type": "integer", + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined)." } }, { @@ -192,8 +192,8 @@ "gt": 0, "required": true, "default": 1024, - "description": "Maximum size of processing instruction targets.", - "type": "integer" + "type": "integer", + "description": "Maximum size of processing instruction targets." } }, { @@ -201,8 +201,8 @@ "gt": 0, "required": true, "default": 1024, - "description": "Maximum size of processing instruction data.", - "type": "integer" + "type": "integer", + "description": "Maximum size of processing instruction data." } }, { @@ -210,8 +210,8 @@ "gt": 0, "required": true, "default": 1024, - "description": "Maximum size of entity names in EntityDecl.", - "type": "integer" + "type": "integer", + "description": "Maximum size of entity names in EntityDecl." } }, { @@ -219,8 +219,8 @@ "gt": 0, "required": true, "default": 1024, - "description": "Maximum size of entity values in EntityDecl.", - "type": "integer" + "type": "integer", + "description": "Maximum size of entity values in EntityDecl." } }, { @@ -228,8 +228,8 @@ "gt": 0, "required": true, "default": 1024, - "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", - "type": "integer" + "type": "integer", + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl." } }, { @@ -237,8 +237,8 @@ "gt": 1, "required": true, "default": 100, - "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", - "type": "number" + "type": "number", + "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack." } }, { 
@@ -246,21 +246,21 @@ "gt": 1024, "required": true, "default": 8388608, - "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", - "type": "integer" + "type": "integer", + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack." } } ], - "required": true, "type": "record", + "required": true, "entity_checks": [ { "conditional": { - "if_field": "namespace_aware", - "then_field": "max_namespaces", "if_match": { "eq": true }, + "then_field": "max_namespaces", + "if_field": "namespace_aware", "then_match": { "required": true } @@ -268,11 +268,11 @@ }, { "conditional": { - "if_field": "namespace_aware", - "then_field": "prefix", "if_match": { "eq": true }, + "then_field": "prefix", + "if_field": "namespace_aware", "then_match": { "required": true } @@ -280,11 +280,11 @@ }, { "conditional": { - "if_field": "namespace_aware", - "then_field": "namespaceuri", "if_match": { "eq": true }, + "then_field": "namespaceuri", + "if_field": "namespace_aware", "then_match": { "required": true } diff --git a/schemas/zipkin/3.4.x.json b/schemas/zipkin/3.4.x.json index b518d499..b1cd5468 100644 --- a/schemas/zipkin/3.4.x.json +++ b/schemas/zipkin/3.4.x.json @@ -9,10 +9,8 @@ "http", "https" ], - "description": "A set of strings representing protocols.", "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "type": "string", "one_of": [ "grpc", 
@@ -25,40 +23,43 @@ "udp", "ws", "wss" - ] - } + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, "type": "foreign", - "eq": null + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", "fields": [ { "local_service_name": { "default": "kong", - "description": "The name of the service as displayed in Zipkin.", "type": "string", - "required": true + "required": true, + "description": "The name of the service as displayed in Zipkin." } }, { "http_endpoint": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "sample_ratio": { "default": 0.001, - "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", "type": "number", + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", "between": [ 0, 1 
@@ -74,28 +75,27 @@ { "include_credential": { "default": true, - "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", "type": "boolean", - "required": true + "required": true, + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server." } }, { "traceid_byte_count": { "required": true, "default": 16, - "description": "The length in bytes of each request's Trace ID.", "type": "integer", "one_of": [ 8, 16 - ] + ], + "description": "The length in bytes of each request's Trace ID." } }, { "header_type": { "required": true, "default": "preserve", - "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", "type": "string", "one_of": [ "preserve", @@ -107,14 +107,14 @@ "ot", "aws", "datadog" - ] + ], + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests" } }, { "default_header_type": { "required": true, "default": "b3", - "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", "type": "string", "one_of": [ "b3", 
@@ -124,28 +124,27 @@ "ot", "aws", "datadog" - ] + ], + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored." } }, { "tags_header": { "default": "Zipkin-Tags", - "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", "type": "string", - "required": true + "required": true, + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property." } }, { "static_tags": { - "description": "The tags specified on this property will be added to the generated request traces.", "type": "array", "elements": { - "type": "record", "fields": [ { "name": { - "required": true, "type": "string", + "required": true, "not_one_of": [ "error", "http.method", @@ -165,31 +164,33 @@ }, { "value": { - "type": "string", - "required": true + "required": true, + "type": "string" } } - ] - } + ], + "type": "record" + }, + "description": "The tags specified on this property will be added to the generated request traces." } }, { "http_span_name": { "required": true, "default": "method", - "description": "Specify whether to include the HTTP path in the span name.", "type": "string", "one_of": [ "method", "method_path" - ] + ], + "description": "Specify whether to include the HTTP path in the span name." } }, { "connect_timeout": { "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 
@@ -199,8 +200,8 @@ { "send_timeout": { "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 @@ -210,8 +211,8 @@ { "read_timeout": { "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 @@ -227,48 +228,49 @@ "phase_duration_flavor": { "required": true, "default": "annotations", - "description": "Specify whether to include the duration of each phase as an annotation or a tag.", "type": "string", "one_of": [ "annotations", "tags" - ] + ], + "description": "Specify whether to include the duration of each phase as an annotation or a tag." } }, { "queue": { + "type": "record", "fields": [ { "max_batch_size": { "default": 1, - "description": "Maximum number of entries that can be processed at a time.", "type": "integer", "between": [ 1, 1000000 - ] + ], + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "type": "number", "between": [ 0, 3600 - ] + ], + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue.", "type": "integer", "between": [ 1, 1000000 - ] + ], + "description": "Maximum number of entries that can be waiting on the queue." } }, { 
@@ -280,26 +282,26 @@ { "max_retry_time": { "default": 60, - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "type": "number" + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch.", "type": "number", "between": [ 0.001, 1000000 - ] + ], + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff.", "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 @@ -307,12 +309,10 @@ } } ], - "type": "record", "required": true } } ], - "type": "record", "required": true } } From 010dfa5a46ec1d6657be69aa6567bfb5db8393ef Mon Sep 17 00:00:00 2001 From: "lena.larionova" Date: Thu, 31 Aug 2023 15:42:19 -0700 Subject: [PATCH 009/165] generate examples for the post-function plugin --- examples/post-function/_2.6.x.yaml | 6 ++++++ examples/post-function/_2.7.x.yaml | 6 ++++++ examples/post-function/_2.8.x.yaml | 6 ++++++ examples/post-function/_3.0.x.yaml | 6 ++++++ examples/post-function/_3.1.x.yaml | 6 ++++++ examples/post-function/_3.2.x.yaml | 6 ++++++ examples/post-function/_3.3.x.yaml | 6 ++++++ examples/post-function/_3.4.x.yaml | 6 ++++++ 8 files changed, 48 insertions(+) create mode 100644 examples/post-function/_2.6.x.yaml create mode 100644 examples/post-function/_2.7.x.yaml create mode 100644 examples/post-function/_2.8.x.yaml create mode 100644 examples/post-function/_3.0.x.yaml create mode 100644 examples/post-function/_3.1.x.yaml create mode 100644 examples/post-function/_3.2.x.yaml create mode 100644 examples/post-function/_3.3.x.yaml create mode 100644 examples/post-function/_3.4.x.yaml 
diff --git a/examples/post-function/_2.6.x.yaml b/examples/post-function/_2.6.x.yaml
new file mode 100644
index 00000000..f980a541
--- /dev/null
+++ b/examples/post-function/_2.6.x.yaml
@@ -0,0 +1,6 @@
+name: post-function
+config:
+ access:
+ - |
+ kong.log.err("foo")
+ kong.response.exit(418)
diff --git a/examples/post-function/_2.7.x.yaml b/examples/post-function/_2.7.x.yaml
new file mode 100644
index 00000000..f980a541
--- /dev/null
+++ b/examples/post-function/_2.7.x.yaml
@@ -0,0 +1,6 @@
+name: post-function
+config:
+ access:
+ - |
+ kong.log.err("foo")
+ kong.response.exit(418)
diff --git a/examples/post-function/_2.8.x.yaml b/examples/post-function/_2.8.x.yaml
new file mode 100644
index 00000000..f980a541
--- /dev/null
+++ b/examples/post-function/_2.8.x.yaml
@@ -0,0 +1,6 @@
+name: post-function
+config:
+ access:
+ - |
+ kong.log.err("foo")
+ kong.response.exit(418)
diff --git a/examples/post-function/_3.0.x.yaml b/examples/post-function/_3.0.x.yaml
new file mode 100644
index 00000000..f980a541
--- /dev/null
+++ b/examples/post-function/_3.0.x.yaml
@@ -0,0 +1,6 @@
+name: post-function
+config:
+ access:
+ - |
+ kong.log.err("foo")
+ kong.response.exit(418)
diff --git a/examples/post-function/_3.1.x.yaml b/examples/post-function/_3.1.x.yaml
new file mode 100644
index 00000000..f980a541
--- /dev/null
+++ b/examples/post-function/_3.1.x.yaml
@@ -0,0 +1,6 @@
+name: post-function
+config:
+ access:
+ - |
+ kong.log.err("foo")
+ kong.response.exit(418)
diff --git a/examples/post-function/_3.2.x.yaml b/examples/post-function/_3.2.x.yaml
new file mode 100644
index 00000000..f980a541
--- /dev/null
+++ b/examples/post-function/_3.2.x.yaml
@@ -0,0 +1,6 @@
+name: post-function
+config:
+ access:
+ - |
+ kong.log.err("foo")
+ kong.response.exit(418)
diff --git a/examples/post-function/_3.3.x.yaml b/examples/post-function/_3.3.x.yaml
new file mode 100644
index 00000000..f980a541
--- /dev/null
+++ b/examples/post-function/_3.3.x.yaml
@@ -0,0 +1,6 @@
+name: post-function
+config:
+ access:
+ - |
+ kong.log.err("foo")
+ kong.response.exit(418)
diff --git a/examples/post-function/_3.4.x.yaml b/examples/post-function/_3.4.x.yaml
new file mode 100644
index 00000000..f980a541
--- /dev/null
+++ b/examples/post-function/_3.4.x.yaml
@@ -0,0 +1,6 @@
+name: post-function
+config:
+ access:
+ - |
+ kong.log.err("foo")
+ kong.response.exit(418)
From eac5e0f4e889be43f9298eddeca91d25c00999c3 Mon Sep 17 00:00:00 2001
From: "lena.larionova"
Date: Fri, 6 Oct 2023 14:32:54 -0700
Subject: [PATCH 010/165] fix typo in exit transformer examples
---
examples/exit-transformer/_2.4.x.yaml | 2 +-
examples/exit-transformer/_2.5.x.yaml | 2 +-
examples/exit-transformer/_2.6.x.yaml | 2 +-
examples/exit-transformer/_2.7.x.yaml | 2 +-
examples/exit-transformer/_2.8.x.yaml | 2 +-
examples/exit-transformer/_3.0.x.yaml | 2 +-
examples/exit-transformer/_3.1.x.yaml | 2 +-
examples/exit-transformer/_3.2.x.yaml | 2 +-
examples/exit-transformer/_3.3.x.yaml | 2 +-
examples/exit-transformer/_3.4.x.yaml | 2 +-
10 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/examples/exit-transformer/_2.4.x.yaml b/examples/exit-transformer/_2.4.x.yaml
index 68893d04..c7f0c5d4 100644
--- a/examples/exit-transformer/_2.4.x.yaml
+++ b/examples/exit-transformer/_2.4.x.yaml
@@ -1,4 +1,4 @@
 name: exit-transformer
 config:
 functions:
- - "return function(status, body, header) return status, body, headers end"
+ - "return function(status, body, headers) return status, body, headers end"
diff --git a/examples/exit-transformer/_2.5.x.yaml b/examples/exit-transformer/_2.5.x.yaml
index 68893d04..c7f0c5d4 100644
--- a/examples/exit-transformer/_2.5.x.yaml
+++ b/examples/exit-transformer/_2.5.x.yaml
@@ -1,4 +1,4 @@
 name: exit-transformer
 config:
 functions:
- - "return function(status, body, header) return status, body, headers end"
+ - "return function(status, body, headers) return status, body, headers end"
diff --git a/examples/exit-transformer/_2.6.x.yaml b/examples/exit-transformer/_2.6.x.yaml
index 68893d04..c7f0c5d4 100644
--- a/examples/exit-transformer/_2.6.x.yaml
+++ b/examples/exit-transformer/_2.6.x.yaml
@@ -1,4 +1,4 @@
 name: exit-transformer
 config:
 functions:
- - "return function(status, body, header) return status, body, headers end"
+ - "return function(status, body, headers) return status, body, headers end"
diff --git a/examples/exit-transformer/_2.7.x.yaml b/examples/exit-transformer/_2.7.x.yaml
index 68893d04..c7f0c5d4 100644
--- a/examples/exit-transformer/_2.7.x.yaml
+++ b/examples/exit-transformer/_2.7.x.yaml
@@ -1,4 +1,4 @@
 name: exit-transformer
 config:
 functions:
- - "return function(status, body, header) return status, body, headers end"
+ - "return function(status, body, headers) return status, body, headers end"
diff --git a/examples/exit-transformer/_2.8.x.yaml b/examples/exit-transformer/_2.8.x.yaml
index 68893d04..c7f0c5d4 100644
--- a/examples/exit-transformer/_2.8.x.yaml
+++ b/examples/exit-transformer/_2.8.x.yaml
@@ -1,4 +1,4 @@
 name: exit-transformer
 config:
 functions:
- - "return function(status, body, header) return status, body, headers end"
+ - "return function(status, body, headers) return status, body, headers end"
diff --git a/examples/exit-transformer/_3.0.x.yaml b/examples/exit-transformer/_3.0.x.yaml
index 68893d04..c7f0c5d4 100644
--- a/examples/exit-transformer/_3.0.x.yaml
+++ b/examples/exit-transformer/_3.0.x.yaml
@@ -1,4 +1,4 @@
 name: exit-transformer
 config:
 functions:
- - "return function(status, body, header) return status, body, headers end"
+ - "return function(status, body, headers) return status, body, headers end"
diff --git a/examples/exit-transformer/_3.1.x.yaml b/examples/exit-transformer/_3.1.x.yaml
index 68893d04..c7f0c5d4 100644
--- a/examples/exit-transformer/_3.1.x.yaml
+++ b/examples/exit-transformer/_3.1.x.yaml
@@ -1,4 +1,4 @@
 name: exit-transformer
 config:
 functions:
- - "return function(status, body, header) return status, body, headers end"
+ - "return function(status, body, headers) return status, body, headers end"
diff --git a/examples/exit-transformer/_3.2.x.yaml b/examples/exit-transformer/_3.2.x.yaml
index 68893d04..c7f0c5d4 100644
--- a/examples/exit-transformer/_3.2.x.yaml
+++ b/examples/exit-transformer/_3.2.x.yaml
@@ -1,4 +1,4 @@
 name: exit-transformer
 config:
 functions:
- - "return function(status, body, header) return status, body, headers end"
+ - "return function(status, body, headers) return status, body, headers end"
diff --git a/examples/exit-transformer/_3.3.x.yaml b/examples/exit-transformer/_3.3.x.yaml
index 68893d04..c7f0c5d4 100644
--- a/examples/exit-transformer/_3.3.x.yaml
+++ b/examples/exit-transformer/_3.3.x.yaml
@@ -1,4 +1,4 @@
 name: exit-transformer
 config:
 functions:
- - "return function(status, body, header) return status, body, headers end"
+ - "return function(status, body, headers) return status, body, headers end"
diff --git a/examples/exit-transformer/_3.4.x.yaml b/examples/exit-transformer/_3.4.x.yaml
index 68893d04..c7f0c5d4 100644
--- a/examples/exit-transformer/_3.4.x.yaml
+++ b/examples/exit-transformer/_3.4.x.yaml
@@ -1,4 +1,4 @@
 name: exit-transformer
 config:
 functions:
- - "return function(status, body, header) return status, body, headers end"
+ - "return function(status, body, headers) return status, body, headers end"
From 66f632006d40e5c58d01d5d99686f64ac7c8c5ef Mon Sep 17 00:00:00 2001
From: Fabian Rodriguez Date: Thu, 12 Oct 2023 17:12:57 +0200 Subject: [PATCH 011/165] Update schemas after 3.4.1.x release Run against kong/kong-gateway:3.4.1.1-ubuntu --- schemas/acl/3.4.x.json | 58 +- schemas/acme/3.4.x.json | 268 ++-- schemas/application-registration/3.4.x.json | 58 +- schemas/aws-lambda/3.4.x.json | 162 +- schemas/azure-functions/3.4.x.json | 66 +- schemas/basic-auth/3.4.x.json | 40 +- schemas/bot-detection/3.4.x.json | 40 +- schemas/canary/3.4.x.json | 144 +- schemas/correlation-id/3.4.x.json | 38 +- schemas/cors/3.4.x.json | 64 +- schemas/datadog/3.4.x.json | 174 +-- schemas/degraphql/3.4.x.json | 40 +- schemas/exit-transformer/3.4.x.json | 38 +- schemas/file-log/3.4.x.json | 50 +- schemas/forward-proxy/3.4.x.json | 88 +- .../graphql-proxy-cache-advanced/3.4.x.json | 50 +- .../graphql-rate-limiting-advanced/3.4.x.json | 220 ++- schemas/grpc-gateway/3.4.x.json | 30 +- schemas/grpc-web/3.4.x.json | 38 +- schemas/hmac-auth/3.4.x.json | 72 +- schemas/http-log/3.4.x.json | 134 +- schemas/ip-restriction/3.4.x.json | 60 +- schemas/jq/3.4.x.json | 114 +- schemas/jwe-decrypt/3.4.x.json | 48 +- schemas/jwt-signer/3.4.x.json | 368 ++--- schemas/jwt/3.4.x.json | 94 +- schemas/kafka-log/3.4.x.json | 160 +- schemas/kafka-upstream/3.4.x.json | 160 +- schemas/key-auth-enc/3.4.x.json | 66 +- schemas/key-auth/3.4.x.json | 62 +- schemas/konnect-application-auth/3.4.x.json | 60 +- schemas/ldap-auth-advanced/3.4.x.json | 130 +- schemas/ldap-auth/3.4.x.json | 98 +- schemas/loggly/3.4.x.json | 80 +- schemas/mocking/3.4.x.json | 68 +- schemas/mtls-auth/3.4.x.json | 104 +- schemas/oas-validation/3.4.x.json | 74 +- schemas/oauth2-introspection/3.4.x.json | 98 +- schemas/oauth2/3.4.x.json | 118 +- schemas/opa/3.4.x.json | 76 +- schemas/openid-connect/3.4.x.json | 1309 +++++++++-------- schemas/opentelemetry/3.4.x.json | 127 +- schemas/post-function/3.4.x.json | 128 +- schemas/pre-function/3.4.x.json | 128 +- schemas/prometheus/3.4.x.json | 48 +- 
schemas/proxy-cache-advanced/3.4.x.json | 222 +-- schemas/proxy-cache/3.4.x.json | 102 +- schemas/rate-limiting-advanced/3.4.x.json | 220 +-- schemas/rate-limiting/3.4.x.json | 274 ++-- schemas/request-size-limiting/3.4.x.json | 40 +- schemas/request-termination/3.4.x.json | 44 +- .../request-transformer-advanced/3.4.x.json | 186 +-- schemas/request-transformer/3.4.x.json | 150 +- schemas/request-validator/3.4.x.json | 74 +- schemas/response-ratelimiting/3.4.x.json | 182 +-- .../response-transformer-advanced/3.4.x.json | 148 +- schemas/response-transformer/3.4.x.json | 148 +- schemas/route-by-header/3.4.x.json | 40 +- schemas/route-transformer-advanced/3.4.x.json | 32 +- schemas/saml/3.4.x.json | 446 +++--- schemas/session/3.4.x.json | 208 +-- schemas/statsd-advanced/3.4.x.json | 220 +-- schemas/statsd/3.4.x.json | 204 +-- schemas/syslog/3.4.x.json | 68 +- schemas/tcp-log/3.4.x.json | 62 +- schemas/tls-handshake-modifier/3.4.x.json | 38 +- schemas/tls-metadata-headers/3.4.x.json | 56 +- schemas/udp-log/3.4.x.json | 54 +- schemas/upstream-timeout/3.4.x.json | 38 +- schemas/vault-auth/3.4.x.json | 72 +- schemas/websocket-size-limit/3.4.x.json | 40 +- schemas/websocket-validator/3.4.x.json | 104 +- schemas/xml-threat-protection/3.4.x.json | 186 +-- schemas/zipkin/3.4.x.json | 152 +- 74 files changed, 4731 insertions(+), 4729 deletions(-) diff --git a/schemas/acl/3.4.x.json b/schemas/acl/3.4.x.json index 8d5fdaba..df9038ef 100644 --- a/schemas/acl/3.4.x.json +++ b/schemas/acl/3.4.x.json 
@@ -1,46 +1,59 @@ { + "entity_checks": [ + { + "only_one_of": [ + "config.allow", + "config.deny" + ] + }, + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "config": { - "type": "record", "fields": [ { "allow": { @@ -61,27 +74,14 @@ { "hide_groups_header": { "default": false, - "type": "boolean", - "required": true + "required": true, + "type": "boolean" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - { - "only_one_of": [ - "config.allow", - "config.deny" - ] - }, - { - "at_least_one_of": [ - "config.allow", - "config.deny" - ] - } ] } \ No newline at end of file diff --git a/schemas/acme/3.4.x.json b/schemas/acme/3.4.x.json index 02fe693b..b75508d3 100644 --- a/schemas/acme/3.4.x.json +++ b/schemas/acme/3.4.x.json 
@@ -1,83 +1,105 @@ { + "entity_checks": [ + { + "conditional": { + "then_match": { + "eq": true + }, + "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", + "if_match": { + "one_of": [ + "https://acme-v02.api.letsencrypt.org", + "https://acme-staging-v02.api.letsencrypt.org" + ] + }, + "then_field": "config.tos_accepted", + "if_field": "config.api_uri" + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.storage" + ] + } + } + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "service": { - "reference": "services", - "eq": null, "type": "foreign", - "description": "A reference to the 'services' table with a null value allowed." + "description": "A reference to the 'services' table with a null value allowed.", + "eq": null, + "reference": "services" } }, { "route": { - "reference": "routes", - "eq": null, "type": "foreign", - "description": "A reference to the 'routes' table with a null value allowed." + "description": "A reference to the 'routes' table with a null value allowed.", + "eq": null, + "reference": "routes" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." 
+ "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "config": { - "type": "record", "fields": [ { "account_email": { - "required": true, "referenceable": true, - "type": "string", "match": "%w*%p*@+%w*%.?%w*", + "type": "string", + "description": "The account identifier. Can be reused in a different plugin instance.", "encrypted": true, - "description": "The account identifier. Can be reused in a different plugin instance." + "required": true } }, { "account_key": { - "required": false, - "type": "record", "fields": [ { "key_id": { - "type": "string", + "description": "The Key ID.", "required": true, - "description": "The Key ID." + "type": "string" } }, { 
@@ -87,110 +109,112 @@ } } ], - "description": "The private key associated with the account." + "description": "The private key associated with the account.", + "required": false, + "type": "record" } }, { "api_uri": { "default": "https://acme-v02.api.letsencrypt.org/directory", - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "tos_accepted": { "default": false, - "type": "boolean", - "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service." + "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", + "type": "boolean" } }, { "eab_kid": { "referenceable": true, - "type": "string", + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", "encrypted": true, - "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA." + "type": "string" } }, { "eab_hmac_key": { "referenceable": true, - "type": "string", + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", "encrypted": true, - "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA." + "type": "string" } }, { "cert_type": { + "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate.", "default": "rsa", - "type": "string", "one_of": [ "rsa", "ecc" ], - "description": "The certificate type to create. 
The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate." + "type": "string" } }, { "rsa_key_size": { + "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", "default": 4096, - "type": "number", "one_of": [ 2048, 3072, 4096 ], - "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096." + "type": "number" } }, { "renew_threshold_days": { + "description": "Days remaining to renew the certificate before it expires.", "default": 14, - "type": "number", - "description": "Days remaining to renew the certificate before it expires." + "type": "number" } }, { "domains": { - "type": "array", + "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", "elements": { + "match_any": { + "err": "invalid wildcard: must be placed at leftmost or rightmost label", + "patterns": [ + "^%*%.", + "%.%*$", + "^[^*]*$" + ] + }, "match_all": [ { "pattern": "^[^*]*%*?[^*]*$", "err": "invalid wildcard: must have at most one wildcard" } ], - "type": "string", - "match_any": { - "patterns": [ - "^%*%.", - "%.%*$", - "^[^*]*$" - ], - "err": "invalid wildcard: must be placed at leftmost or rightmost label" - } + "type": "string" }, - "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')" + "type": "array" } }, { "allow_any_domain": { + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", "default": false, - "type": "boolean", - "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list." + "type": "boolean" } }, { "fail_backoff_minutes": { + "description": "Minutes to wait for each domain that fails to create a certificate. 
This applies to both a\nnew certificate and a renewal certificate.", "default": 5, - "type": "number", - "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate." + "type": "number" } }, { "storage": { + "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well.", "default": "shm", - "type": "string", "one_of": [ "kong", "shm", 
@@ -198,55 +222,53 @@ "consul", "vault" ], - "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well." + "type": "string" } }, { "storage_config": { - "type": "record", "fields": [ { "shm": { - "type": "record", "fields": [ { "shm_name": { + "description": "Name of shared memory zone used for Kong API gateway storage", "default": "kong", - "type": "string", - "description": "Name of shared memory zone used for Kong API gateway storage" + "type": "string" } } ], - "required": true + "required": true, + "type": "record" } }, { "kong": { - "type": "record", "fields": [ ], - "required": true + "required": true, + "type": "record" } }, { "redis": { - "type": "record", "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "type": "integer", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { 
@@ -257,72 +279,72 @@ }, { "auth": { - "type": "string", + "referenceable": true, "description": "The Redis password to use for authentication. ", - "referenceable": true + "type": "string" } }, { "ssl": { "default": false, - "type": "boolean", + "description": "Whether to use SSL/TLS encryption when connecting to the Redis server.", "required": true, - "description": "Whether to use SSL/TLS encryption when connecting to the Redis server." + "type": "boolean" } }, { "ssl_verify": { "default": false, - "type": "boolean", + "description": "Whether to verify the SSL/TLS certificate presented by the Redis server. This should be a boolean value.", "required": true, - "description": "Whether to verify the SSL/TLS certificate presented by the Redis server. This should be a boolean value." + "type": "boolean" } }, { "ssl_server_name": { - "type": "string", + "description": "The expected server name for the SSL/TLS certificate presented by the Redis server.", "required": false, - "description": "The expected server name for the SSL/TLS certificate presented by the Redis server." + "type": "string" } }, { "namespace": { - "required": true, - "len_min": 0, "default": "", "type": "string", - "description": "A namespace to prepend to all keys stored in Redis." + "len_min": 0, + "description": "A namespace to prepend to all keys stored in Redis.", + "required": true } } ], - "required": true + "required": true, + "type": "record" } }, { "consul": { - "type": "record", "fields": [ { "https": { "default": false, - "type": "boolean", - "description": "Boolean representation of https." + "description": "Boolean representation of https.", + "type": "boolean" } }, { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." 
} }, { "port": { - "type": "integer", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { @@ -339,40 +361,40 @@ }, { "token": { - "type": "string", + "referenceable": true, "description": "Consul ACL token.", - "referenceable": true + "type": "string" } } ], - "required": true + "required": true, + "type": "record" } }, { "vault": { - "type": "record", "fields": [ { "https": { "default": false, - "type": "boolean", - "description": "Boolean representation of https." + "description": "Boolean representation of https.", + "type": "boolean" } }, { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "type": "integer", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { @@ -389,16 +411,16 @@ }, { "token": { - "type": "string", + "referenceable": true, "description": "Consul ACL token.", - "referenceable": true + "type": "string" } }, { "tls_verify": { "default": true, - "type": "boolean", - "description": "Turn on TLS verification." + "description": "Turn on TLS verification.", + "type": "boolean" } }, { @@ -409,13 +431,13 @@ }, { "auth_method": { + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", "default": "token", - "type": "string", "one_of": [ "token", "kubernetes" ], - "description": "Auth Method, default to token, can be 'token' or 'kubernetes'." + "type": "string" } }, { 
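Review bot: In the `redis` storage record of the `@@ -257,72 +279,72 @@` hunk, `ssl` and `ssl_verify` both keep `"default": false`, and the new descriptions do not say what that means for the `auth` password in the same record: with the defaults it travels over an unencrypted connection, and with only `ssl` enabled the server certificate is still not checked. Since these descriptions now feed the documentation, I would append a sentence to the `ssl_verify` description such as `Defaults to false; enable it together with ssl in production.` Separately, `auth` is `referenceable` but carries no `"encrypted": true`, unlike `aws_key` and `aws_secret` in schemas/aws-lambda/3.4.x.json in this same patch. The same holds for the `token` fields in the `@@ -339,40 +361,40 @@` and `@@ -389,16 +411,16 @@` hunks, so it is worth confirming upstream whether that is intended. The file is pulled from the API, so any change belongs in the plugin source rather than in this copy.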
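Review bot: The `token` field in the `@@ -389,16 +411,16 @@` hunk is described as `"Consul ACL token."`, but it appears to belong to the `vault` record: it is followed by `tls_verify` and by an `auth_method` whose values are `token` and `kubernetes`. The text looks copied from the `consul` record above, and a reader configuring Vault storage could supply the wrong credential. The description should name Vault, for example `"description": "Vault token used for authentication."`. The enclosing record opens in an earlier hunk, so the attribution is inferred from the neighbouring fields.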
@@ -437,11 +459,13 @@ } } ], - "required": true + "required": true, + "type": "record" } } ], - "required": true + "required": true, + "type": "record" } }, { @@ -452,38 +476,14 @@ }, { "enable_ipv4_common_name": { + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", "default": true, - "type": "boolean", - "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates." + "type": "boolean" } } ], - "required": true - } - } - ], - "entity_checks": [ - { - "conditional": { - "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", - "if_match": { - "one_of": [ - "https://acme-v02.api.letsencrypt.org", - "https://acme-staging-v02.api.letsencrypt.org" - ] - }, - "then_field": "config.tos_accepted", - "if_field": "config.api_uri", - "then_match": { - "eq": true - } - } - }, - { - "custom_entity_check": { - "field_sources": [ - "config.storage" - ] + "required": true, + "type": "record" } } ] diff --git a/schemas/application-registration/3.4.x.json b/schemas/application-registration/3.4.x.json index 804f5b0b..75633de9 100644 --- a/schemas/application-registration/3.4.x.json +++ b/schemas/application-registration/3.4.x.json 
@@ -1,102 +1,100 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "service": { - "reference": "services", + "ne": null, "on_delete": "cascade", "type": "foreign", - "ne": null + "reference": "services" } }, { "route": { - "reference": "routes", - "eq": null, "type": "foreign", - "description": "A reference to the 'routes' table with a null value allowed." + "description": "A reference to the 'routes' table with a null value allowed.", + "eq": null, + "reference": "routes" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" ], - "required": true, - "len_min": 1 + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "display_name": { "unique": true, - "type": "string", + "description": "Unique display name used for a Service in the Developer Portal.", "required": true, - "description": "Unique display name used for a Service in the Developer Portal." + "type": "string" } }, { "description": { - "type": "string", "unique": true, - "description": "Unique description displayed in information about a Service in the Developer Portal." 
+ "description": "Unique description displayed in information about a Service in the Developer Portal.", + "type": "string" } }, { "auto_approve": { + "description": "If enabled, all new Service Contracts requests are automatically approved.", "default": false, - "type": "boolean", "required": true, - "description": "If enabled, all new Service Contracts requests are automatically approved." + "type": "boolean" } }, { "show_issuer": { + "description": "Displays the **Issuer URL** in the **Service Details** dialog.", "default": false, - "type": "boolean", "required": true, - "description": "Displays the **Issuer URL** in the **Service Details** dialog." + "type": "boolean" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/aws-lambda/3.4.x.json b/schemas/aws-lambda/3.4.x.json index 51cafa16..4fe184c0 100644 --- a/schemas/aws-lambda/3.4.x.json +++ b/schemas/aws-lambda/3.4.x.json 
@@ -1,254 +1,254 @@ { + "entity_checks": [ + { + "mutually_required": [ + "config.aws_key", + "config.aws_secret" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "config.proxy_url" + ] + } + } + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "timeout": { "default": 60000, - "type": "number", + "description": "An optional timeout in milliseconds when invoking the function.", "required": true, - "description": "An optional timeout in milliseconds when invoking the function." + "type": "number" } }, { "keepalive": { "default": 60000, - "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", "required": true, - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." + "type": "number" } }, { "aws_key": { "referenceable": true, - "type": "string", + "description": "The AWS key credential to be used when invoking the function.", "encrypted": true, - "description": "The AWS key credential to be used when invoking the function." + "type": "string" } }, { "aws_secret": { "referenceable": true, - "type": "string", + "description": "The AWS secret credential to be used when invoking the function. 
", "encrypted": true, - "description": "The AWS secret credential to be used when invoking the function. " + "type": "string" } }, { "aws_assume_role_arn": { "referenceable": true, - "type": "string", + "description": "The target AWS IAM role ARN used to invoke the Lambda function.", "encrypted": true, - "description": "The target AWS IAM role ARN used to invoke the Lambda function." + "type": "string" } }, { "aws_role_session_name": { "default": "kong", - "type": "string", - "description": "The identifier of the assumed role session." + "description": "The identifier of the assumed role session.", + "type": "string" } }, { "aws_region": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "function_name": { - "type": "string", + "description": "The AWS Lambda function name to invoke.", "required": false, - "description": "The AWS Lambda function name to invoke." + "type": "string" } }, { "qualifier": { - "description": "The qualifier to use when invoking the function.", - "type": "string" + "type": "string", + "description": "The qualifier to use when invoking the function." } }, { "invocation_type": { - "required": true, "default": "RequestResponse", "type": "string", + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", + "required": true, "one_of": [ "RequestResponse", "Event", "DryRun" - ], - "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun." + ] } }, { "log_type": { - "required": true, "default": "Tail", "type": "string", + "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", + "required": true, "one_of": [ "Tail", "None" - ], - "description": "The LogType to use when invoking the function. 
By default, None and Tail are supported." + ] } }, { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "default": 443, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 443, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "disable_https": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "unhandled_status": { - "type": "integer", - "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", "between": [ 100, 999 - ] + ], + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", + "type": "integer" } }, { "forward_request_method": { "default": false, - "type": "boolean", - "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request." + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", + "type": "boolean" } }, { "forward_request_uri": { "default": false, - "type": "boolean", - "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request." 
+ "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", + "type": "boolean" } }, { "forward_request_headers": { "default": false, - "type": "boolean", - "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request." + "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", + "type": "boolean" } }, { "forward_request_body": { "default": false, - "type": "boolean", - "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. " + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. ", + "type": "boolean" } }, { "is_proxy_integration": { "default": false, - "type": "boolean", - "description": "An optional value that defines whether the response format to receive from the Lambda to this format." + "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", + "type": "boolean" } }, { "awsgateway_compatible": { "default": false, - "type": "boolean", - "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway." 
+ "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", + "type": "boolean" } }, { "proxy_url": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "skip_large_bodies": { "default": true, - "type": "boolean", - "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk" + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", + "type": "boolean" } }, { "base64_encode_body": { "default": true, - "type": "boolean", - "description": "An optional value that Base64-encodes the request body." + "description": "An optional value that Base64-encodes the request body.", + "type": "boolean" } }, { "aws_imds_protocol_version": { - "required": true, "default": "v1", "type": "string", + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", + "required": true, "one_of": [ "v1", "v2" - ], - "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`." + ] } } ], - "required": true - } - } - ], - "entity_checks": [ - { - "mutually_required": [ - "config.aws_key", - "config.aws_secret" - ] - }, - { - "custom_entity_check": { - "field_sources": [ - "config.proxy_url" - ] + "required": true, + "type": "record" } } ] diff --git a/schemas/azure-functions/3.4.x.json b/schemas/azure-functions/3.4.x.json index a942bef8..e3b309e8 100644 --- a/schemas/azure-functions/3.4.x.json +++ b/schemas/azure-functions/3.4.x.json 
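Review bot: `aws_imds_protocol_version` keeps `"default": "v1"`, and its description only lists the two accepted values without saying how they differ. IMDSv2 requires a session token, which makes instance credentials harder to reach through a server-side request forgery, so the description should say so and recommend it, for example by appending `Prefer v2 where the instance supports it.` In the same hunk `disable_https` has no description at all, although by its name it presumably turns off TLS for the Lambda invocation; a one-line description stating the effect and that it defaults to false would help. Both fixes belong in the upstream plugin schema, since this file is downloaded from the API.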
@@ -1,17 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -24,102 +25,101 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS." + "type": "string" }, - "description": "A set of strings representing protocols." + "type": "set", + "description": "A set of strings representing protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "timeout": { + "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", "default": 600000, - "type": "number", - "description": "Timeout in milliseconds before closing a connection to the Azure Functions server." + "type": "number" } }, { "keepalive": { + "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", "default": 60000, - "type": "number", - "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed." + "type": "number" } }, { "https": { + "description": "Use of HTTPS to connect with the Azure Functions server.", "default": true, - "type": "boolean", - "description": "Use of HTTPS to connect with the Azure Functions server." + "type": "boolean" } }, { "https_verify": { + "description": "Set to `true` to authenticate the Azure Functions server.", "default": false, - "type": "boolean", - "description": "Set to `true` to authenticate the Azure Functions server." + "type": "boolean" } }, { "apikey": { "referenceable": true, - "type": "string", + "description": "The apikey to access the Azure resources. 
If provided, it is injected as the `x-functions-key` header.", "encrypted": true, - "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header." + "type": "string" } }, { "clientid": { "referenceable": true, - "type": "string", + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.", "encrypted": true, - "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header." + "type": "string" } }, { "appname": { - "type": "string", + "description": "The Azure app name.", "required": true, - "description": "The Azure app name." + "type": "string" } }, { "hostdomain": { + "description": "The domain where the function resides.", "default": "azurewebsites.net", - "type": "string", "required": true, - "description": "The domain where the function resides." + "type": "string" } }, { "routeprefix": { + "description": "Route prefix to use.", "default": "api", - "type": "string", - "description": "Route prefix to use." + "type": "string" } }, { "functionname": { - "type": "string", + "description": "Name of the Azure function to invoke.", "required": true, - "description": "Name of the Azure function to invoke." + "type": "string" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/basic-auth/3.4.x.json b/schemas/basic-auth/3.4.x.json index 667c0770..2350db1e 100644 --- a/schemas/basic-auth/3.4.x.json +++ b/schemas/basic-auth/3.4.x.json 
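Review bot: `https_verify` keeps `"default": false` in the `@@ -24,102 +25,101 @@` hunk, so with default settings the Azure Functions server is not authenticated while `apikey` and `clientid` are injected as the `x-functions-key` and `x-functions-clientid` headers. The new description only says how to turn verification on; I would append a sentence such as `Defaults to false, in which case the server certificate is not checked.` so that the risk to those two credentials is visible in the generated docs. As the schema is pulled from the API, the wording change has to be made in the plugin source.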
@@ -1,15 +1,19 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", @@ -18,10 +22,7 @@ "ws", "wss" ], - "type": "set", - "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -29,42 +30,41 @@ "https", "ws", "wss" - ] - } + ], + "type": "string" + }, + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "anonymous": { - "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`.", - "type": "string" + "type": "string", + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { "hide_credentials": { "default": false, - "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", "required": true, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it." + "type": "boolean" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
diff --git a/schemas/bot-detection/3.4.x.json b/schemas/bot-detection/3.4.x.json index 21e63f12..ea26e4ef 100644 --- a/schemas/bot-detection/3.4.x.json +++ b/schemas/bot-detection/3.4.x.json @@ -1,58 +1,60 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "allow": { "default": [ ], - "type": "array", + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", "elements": { "is_regex": true, "type": "string" }, - "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header." + "type": "array" } }, { 
@@ -60,20 +62,18 @@ "default": [ ], - "type": "array", + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", "elements": { "is_regex": true, "type": "string" }, - "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header." + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/canary/3.4.x.json b/schemas/canary/3.4.x.json index 019ca6ba..f62cc202 100644 --- a/schemas/canary/3.4.x.json +++ b/schemas/canary/3.4.x.json 
@@ -1,41 +1,74 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.upstream_uri", + "config.upstream_host", + "config.upstream_port" + ] + }, + { + "conditional": { + "then_match": { + "required": true + }, + "if_match": { + "eq": "header" + }, + "then_field": "config.hash_header", + "if_field": "config.hash" + } + }, + { + "conditional": { + "then_match": { + "required": true + }, + "if_match": { + "eq": true + }, + "then_field": "config.upstream_host", + "if_field": "config.upstream_fallback" + } + } + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { 
@@ -50,7 +83,7 @@ { "hash": { "default": "consumer", - "type": "string", + "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", "one_of": [ "consumer", "ip", 
@@ -59,131 +92,98 @@ "deny", "header" ], - "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value." + "type": "string" } }, { "hash_header": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." } }, { "duration": { "default": 3600, - "type": "number", + "description": "The duration of the canary release in seconds.", "gt": 0, - "description": "The duration of the canary release in seconds." + "type": "number" } }, { "steps": { "default": 1000, - "type": "number", + "description": "The number of steps for the canary release.", "gt": 1, - "description": "The number of steps for the canary release." + "type": "number" } }, { "percentage": { - "type": "number", - "description": "The percentage of traffic to be routed to the canary release.", "between": [ 0, 100 - ] + ], + "description": "The percentage of traffic to be routed to the canary release.", + "type": "number" } }, { "upstream_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "upstream_port": { - "type": "integer", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "upstream_uri": { - "type": "string", + "len_min": 1, "description": "The URI of the upstream server to be used for the canary release.", - "len_min": 1 + "type": "string" } }, { "upstream_fallback": { "default": false, - "type": "boolean", + "description": "Specifies whether to fallback to the upstream server if the canary release fails.", "required": true, - "description": "Specifies whether to fallback to the upstream server if the canary release fails." + "type": "boolean" } }, { "groups": { - "type": "array", + "description": "The groups allowed to access the canary release.", "elements": { "type": "string" }, - "description": "The groups allowed to access the canary release." + "type": "array" } }, { "canary_by_header_name": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." } } ], - "type": "record", - "required": true, "shorthand_fields": [ { "hash": { - "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead.", - "type": "string" + "type": "string", + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead." 
} } - ] - } - } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.upstream_uri", - "config.upstream_host", - "config.upstream_port" - ] - }, - { - "conditional": { - "if_match": { - "eq": "header" - }, - "then_field": "config.hash_header", - "if_field": "config.hash", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "config.upstream_host", - "if_field": "config.upstream_fallback", - "then_match": { - "required": true - } + ], + "required": true, + "type": "record" } } ] diff --git a/schemas/correlation-id/3.4.x.json b/schemas/correlation-id/3.4.x.json index 3d8a53f7..cb7448d7 100644 --- a/schemas/correlation-id/3.4.x.json +++ b/schemas/correlation-id/3.4.x.json 
@@ -1,72 +1,72 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "header_name": { + "description": "The HTTP header name to use for the correlation ID.", "default": "Kong-Request-ID", - "type": "string", - "description": "The HTTP header name to use for the correlation ID." + "type": "string" } }, { "generator": { + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", "default": "uuid#counter", - "type": "string", "one_of": [ "uuid", "uuid#counter", "tracker" ], - "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators)." + "type": "string" } }, { "echo_downstream": { + "description": "Whether to echo the header back to downstream (the client).", "default": false, - "type": "boolean", "required": true, - "description": "Whether to echo the header back to downstream (the client)." + "type": "boolean" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/cors/3.4.x.json b/schemas/cors/3.4.x.json index 09c02dd2..59100eea 100644 
--- a/schemas/cors/3.4.x.json +++ b/schemas/cors/3.4.x.json @@ -1,25 +1,26 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", + "len_min": 1, "one_of": [ "grpc", "grpcs", 
@@ -27,48 +28,49 @@ "https" ], "required": true, - "len_min": 1 + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "origins": { - "type": "array", + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.", "elements": { "type": "string" }, - "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes." + "type": "array" } }, { "headers": { - "type": "array", + "description": "Value for the `Access-Control-Allow-Headers` header.", "elements": { "type": "string" }, - "description": "Value for the `Access-Control-Allow-Headers` header." + "type": "array" } }, { "exposed_headers": { - "type": "array", + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", "elements": { "type": "string" }, - "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed." + "type": "array" } }, { 
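Review bot: The `origins` description explains how to allow every origin with `*` but says nothing about combining that with `credentials`, which this schema also exposes further down in the same `config` record (in the last hunk of this file). A wildcard origin together with credentialed requests is a common CORS misconfiguration, so the reference text should steer readers away from it, for example by appending `When credentials is enabled, list the exact origins instead of using a wildcard.` to the description. What the plugin actually sends when `*` is combined with `credentials: true` is not visible in this diff and should be confirmed before the wording is finalised. These files are pulled from the API, so the change belongs in the plugin's schema source.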
@@ -84,9 +86,8 @@ "TRACE", "CONNECT" ], - "type": "array", + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", "elements": { - "type": "string", "one_of": [ "GET", "HEAD", @@ -97,39 +98,38 @@ "OPTIONS", "TRACE", "CONNECT" - ] + ], + "type": "string" }, - "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'" + "type": "array" } }, { "max_age": { - "type": "number", - "description": "Indicates how long the results of the preflight request can be cached, in `seconds`." + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`.", + "type": "number" } }, { "credentials": { "default": false, - "type": "boolean", + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", "required": true, - "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value." + "type": "boolean" } }, { "preflight_continue": { "default": false, - "type": "boolean", + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", "required": true, - "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service." + "type": "boolean" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/datadog/3.4.x.json b/schemas/datadog/3.4.x.json index 6de45159..1b5914de 100644 --- a/schemas/datadog/3.4.x.json +++ b/schemas/datadog/3.4.x.json 
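Review bot: The new `description` added in the `@@ -84,9 +86,8 @@` hunk for the field that documents `Access-Control-Allow-Methods` still has a pair of literal single quotes inside the JSON string. The value opens with `'Value for` and closes with `allowed.'`, which looks like YAML quoting that leaked into the value and would show up verbatim in the rendered reference. The string should start at `Value for` and end at `allowed.` with the quotes dropped. The field's key and the top of its `default` list are outside the hunk, so the field name itself is not visible here.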
@@ -1,17 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -24,17 +25,19 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS." + "type": "string" }, - "description": "A set of strings representing protocols." + "type": "set", + "description": "A set of strings representing protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { 
@@ -42,49 +45,49 @@ "fields": [ { "host": { - "default": "localhost", - "type": "string", "referenceable": true, - "description": "A string representing a host name, such as example.com." + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { - "default": 8125, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "prefix": { + "description": "String to be attached as a prefix to a metric's name.", "default": "kong", - "type": "string", - "description": "String to be attached as a prefix to a metric's name." + "type": "string" } }, { "service_name_tag": { + "description": "String to be attached as the name of the service.", "default": "name", - "type": "string", - "description": "String to be attached as the name of the service." + "type": "string" } }, { "status_tag": { + "description": "String to be attached as the tag of the HTTP status.", "default": "status", - "type": "string", - "description": "String to be attached as the tag of the HTTP status." + "type": "string" } }, { "consumer_tag": { + "description": "String to be attached as tag of the consumer.", "default": "consumer", - "type": "string", - "description": "String to be attached as tag of the consumer." + "type": "string" } }, { 
@@ -107,39 +110,38 @@ }, { "queue": { - "type": "record", "fields": [ { "max_batch_size": { - "default": 1, - "type": "integer", "between": [ 1, 1000000 ], - "description": "Maximum number of entries that can be processed at a time." + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer" } }, { "max_coalescing_delay": { - "default": 1, - "type": "number", "between": [ 0, 3600 ], - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number" } }, { "max_entries": { - "default": 10000, - "type": "integer", "between": [ 1, 1000000 ], - "description": "Maximum number of entries that can be waiting on the queue." + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer" } }, { 
@@ -150,97 +152,97 @@ }, { "max_retry_time": { + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "default": 60, - "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "type": "number" } }, { "initial_retry_delay": { - "default": 0.01, - "type": "number", "between": [ 0.001, 1000000 ], - "description": "Time in seconds before the initial retry is made for a failing batch." + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number" } }, { "max_retry_delay": { - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number" } } ], - "required": true + "required": true, + "type": "record" } }, { "metrics": { - "required": true, "default": [ { + "tags": [ + "app:kong" + ], "sample_rate": 1, "stat_type": "counter", "name": "request_count", - "consumer_identifier": "custom_id", - "tags": [ - "app:kong" - ] + "consumer_identifier": "custom_id" }, { - "consumer_identifier": "custom_id", + "stat_type": "timer", "name": "latency", "tags": [ "app:kong" ], - "stat_type": "timer" + "consumer_identifier": "custom_id" }, { - "consumer_identifier": "custom_id", + "stat_type": "timer", "name": "request_size", "tags": [ "app:kong" ], - "stat_type": "timer" + "consumer_identifier": "custom_id" }, { - "consumer_identifier": "custom_id", + "stat_type": "timer", "name": "response_size", "tags": [ "app:kong" ], - "stat_type": "timer" + "consumer_identifier": "custom_id" }, { - "consumer_identifier": "custom_id", + "stat_type": "timer", "name": "upstream_latency", "tags": [ "app:kong" ], - "stat_type": "timer" + "consumer_identifier": "custom_id" }, { - "consumer_identifier": "custom_id", + 
"stat_type": "timer", "name": "kong_latency", "tags": [ "app:kong" ], - "stat_type": "timer" + "consumer_identifier": "custom_id" } ], - "type": "array", "elements": { - "type": "record", "fields": [ { "name": { + "required": true, + "description": "Datadog metric’s name", "one_of": [ "kong_latency", "latency", @@ -249,13 +251,13 @@ "response_size", "upstream_latency" ], - "type": "string", - "required": true, - "description": "Datadog metric’s name" + "type": "string" } }, { "stat_type": { + "required": true, + "description": "Determines what sort of event the metric represents", "one_of": [ "counter", "gauge", @@ -265,46 +267,47 @@ "timer", "distribution" ], - "type": "string", - "required": true, - "description": "Determines what sort of event the metric represents" + "type": "string" } }, { "tags": { - "type": "array", + "description": "List of tags", "elements": { - "match": "^.*[^:]$", - "type": "string" + "type": "string", + "match": "^.*[^:]$" }, - "description": "List of tags" + "type": "array" } }, { "sample_rate": { - "type": "number", - "description": "Sampling rate", "between": [ 0, 1 - ] + ], + "description": "Sampling rate", + "type": "number" } }, { "consumer_identifier": { + "description": "Authenticated user detail", "one_of": [ "consumer_id", "custom_id", "username" ], - "type": "string", - "description": "Authenticated user detail" + "type": "string" } } ], "entity_checks": [ { "conditional": { + "then_match": { + "required": true + }, "if_match": { "one_of": [ "counter", @@ -312,20 +315,18 @@ ] }, "then_field": "sample_rate", - "if_field": "stat_type", - "then_match": { - "required": true - } + "if_field": "stat_type" } } - ] + ], + "type": "record" }, - "description": "List of metrics to be logged." + "type": "array", + "description": "List of metrics to be logged.", + "required": true } } ], - "type": "record", - "required": true, "entity_checks": [ { "custom_entity_check": { 
@@ -336,11 +337,10 @@ ] } } - ] + ], + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/degraphql/3.4.x.json b/schemas/degraphql/3.4.x.json index 2bfcb4a6..66b1a91e 100644 --- a/schemas/degraphql/3.4.x.json +++ b/schemas/degraphql/3.4.x.json 
@@ -1,68 +1,68 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "graphql_server_path": { - "required": true, "default": "/graphql", - "starts_with": "/", "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/", + "required": true, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ], - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + ] } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/exit-transformer/3.4.x.json b/schemas/exit-transformer/3.4.x.json index 55e8e83f..98fba6ef 100644 
--- a/schemas/exit-transformer/3.4.x.json +++ b/schemas/exit-transformer/3.4.x.json @@ -1,68 +1,68 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "functions": { - "type": "array", "required": true, "elements": { "type": "string" - } + }, + "type": "array" } }, { "handle_unknown": { "default": false, - "type": "boolean", - "description": "Determines whether to handle unknown status codes by transforming their responses." + "description": "Determines whether to handle unknown status codes by transforming their responses.", + "type": "boolean" } }, { "handle_unexpected": { "default": false, - "type": "boolean", - "description": "Determines whether to handle unexpected errors by transforming their responses." + "description": "Determines whether to handle unexpected errors by transforming their responses.", + "type": "boolean" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/file-log/3.4.x.json b/schemas/file-log/3.4.x.json index 455baaf9..0bf904fe 100644 --- a/schemas/file-log/3.4.x.json +++ b/schemas/file-log/3.4.x.json 
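Review bot: `config.functions` is the one field under `config` in this schema that still has no `description`, even though it is `required` and the commit message says the descriptions are now part of the schemas. If each string is Lua source that the gateway runs to rewrite exit responses (an assumption to confirm against the plugin source), the reference should say so. In that case write access to this plugin's configuration amounts to running code on the gateway. A description along the lines of `Array of Lua functions, as strings, that transform the exit response; only trusted administrators should be able to set this field.` would cover it. The schema is downloaded, so the text has to be added upstream.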
@@ -1,17 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -24,60 +25,59 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS." + "type": "string" }, - "description": "A set of strings representing protocols." + "type": "set", + "description": "A set of strings representing protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "path": { - "required": true, - "err": "not a valid filename", - "match": "^[^*&%%\\`]+$", "type": "string", - "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet." + "err": "not a valid filename", + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", + "required": true, + "match": "^[^*&%%\\`]+$" } }, { "reopen": { + "description": "Determines whether the log file is closed and reopened on every request.", "default": false, - "type": "boolean", "required": true, - "description": "Determines whether the log file is closed and reopened on every request." + "type": "boolean" } }, { "custom_fields_by_lua": { - "values": { + "keys": { "len_min": 1, "type": "string" }, - "keys": { - "type": "string", - "len_min": 1 + "description": "Lua code as a key-value map", + "values": { + "len_min": 1, + "type": "string" }, - "type": "map", - "description": "Lua code as a key-value map" + "type": "map" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/forward-proxy/3.4.x.json b/schemas/forward-proxy/3.4.x.json index 904cb96f..ac1a8ce9 100644 --- a/schemas/forward-proxy/3.4.x.json 
+++ b/schemas/forward-proxy/3.4.x.json 
@@ -1,133 +1,123 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "required": true, "fields": [ { "x_headers": { - "required": true, "default": "append", "type": "string", + "description": "Determines how to handle headers when forwarding the request.", + "required": true, "one_of": [ "append", "transparent", "delete" - ], - "description": "Determines how to handle headers when forwarding the request." + ] } }, { "http_proxy_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "http_proxy_port": { - "type": "integer", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "https_proxy_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." 
} }, { "https_proxy_port": { - "type": "integer", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "proxy_scheme": { - "required": true, "default": "http", "type": "string", + "description": "The proxy scheme to use when connecting. Only `http` is supported.", + "required": true, "one_of": [ "http" - ], - "description": "The proxy scheme to use when connecting. Only `http` is supported." + ] } }, { "auth_username": { + "referenceable": true, "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", - "type": "string", "required": false, - "referenceable": true + "type": "string" } }, { "auth_password": { + "referenceable": true, "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", - "type": "string", "required": false, - "referenceable": true + "type": "string" } }, { "https_verify": { + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", "default": false, - "type": "boolean", "required": true, - "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate." + "type": "boolean" } } ], "type": "record", - "shorthand_fields": [ - { - "proxy_host": { - "type": "string" - } - }, - { - "proxy_port": { - "type": "integer" - } - } - ], "entity_checks": [ { "at_least_one_of": [ @@ -153,11 +143,21 @@ "https_proxy_port" ] } + ], + "required": true, + "shorthand_fields": [ + { + "proxy_host": { + "type": "string" + } + }, + { + "proxy_port": { + "type": "integer" + } + } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
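Review bot: `https_verify` keeps `"default": false` in the first hunk, and its description says what verification checks but not that the default leaves the server certificate unverified. I would spell that out, e.g. `Whether the server certificate is verified against the CA certificates in lua_ssl_trusted_certificate. Defaults to false, meaning the certificate is not verified.` Separately, `auth_password` is marked `referenceable` but has no `"encrypted": true`, unlike the Redis `password` fields in schemas/graphql-rate-limiting-advanced/3.4.x.json later in this patch. Whether that difference is intended is worth confirming with the schema owners. Both fields sit inside the `config` record, which continues into the `@@ -153,11 +143,21 @@` hunk.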
diff --git a/schemas/graphql-proxy-cache-advanced/3.4.x.json b/schemas/graphql-proxy-cache-advanced/3.4.x.json index 63291ce6..c96124b0 100644 --- a/schemas/graphql-proxy-cache-advanced/3.4.x.json +++ b/schemas/graphql-proxy-cache-advanced/3.4.x.json 
@@ -1,89 +1,89 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "strategy": { - "required": true, "default": "memory", "type": "string", + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", + "required": true, "one_of": [ "memory" - ], - "description": "The backing data store in which to hold cached entities. Accepted value is `memory`." + ] } }, { "cache_ttl": { - "gt": 0, - "type": "integer", "default": 300, - "description": "TTL in seconds of cache entities. Must be a value greater than 0." + "gt": 0, + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "type": "integer" } }, { "memory": { - "type": "record", "fields": [ { "dictionary_name": { "default": "kong_db_cache", - "type": "string", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", "required": true, - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template." 
+ "type": "string" } } ], - "required": true + "required": true, + "type": "record" } }, { "vary_headers": { - "type": "array", + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "elements": { "type": "string" }, - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/graphql-rate-limiting-advanced/3.4.x.json b/schemas/graphql-rate-limiting-advanced/3.4.x.json index 19097f39..cd9e1338 100644 --- a/schemas/graphql-rate-limiting-advanced/3.4.x.json +++ b/schemas/graphql-rate-limiting-advanced/3.4.x.json 
@@ -1,150 +1,158 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "identifier": { - "required": true, "default": "consumer", "type": "string", + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", + "required": true, "one_of": [ "ip", "credential", "consumer" - ], - "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`." + ] } }, { "window_size": { "required": true, - "type": "array", + "description": "One or more window sizes to apply a limit to (defined in seconds).", "elements": { "type": "number" }, - "description": "One or more window sizes to apply a limit to (defined in seconds)." + "type": "array" } }, { "window_type": { "default": "sliding", - "type": "string", + "description": "Sets the time window to either `sliding` or `fixed`.", "one_of": [ "fixed", "sliding" ], - "description": "Sets the time window to either `sliding` or `fixed`." + "type": "string" } }, { "limit": { "required": true, - "type": "array", + "description": "One or more requests-per-window limits to apply.", "elements": { "type": "number" }, - "description": "One or more requests-per-window limits to apply." 
+ "type": "array" } }, { "sync_rate": { - "type": "number", + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.", "required": true, - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds." + "type": "number" } }, { "namespace": { + "description": "The rate limiting library namespace to use for this plugin instance.", "type": "string", - "auto": true, - "description": "The rate limiting library namespace to use for this plugin instance." + "auto": true } }, { "strategy": { - "required": true, "default": "cluster", "type": "string", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", + "required": true, "one_of": [ "cluster", "redis" - ], - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits." + ] } }, { "dictionary_name": { "default": "kong_rate_limiting_counters", - "type": "string", + "description": "The shared dictionary where counters will be stored until the next sync cycle.", "required": true, - "description": "The shared dictionary where counters will be stored until the next sync cycle." + "type": "string" } }, { "hide_client_headers": { "default": false, - "type": "boolean", - "description": "Optionally hide informative response headers. Available options: `true` or `false`." + "description": "Optionally hide informative response headers. Available options: `true` or `false`.", + "type": "boolean" } }, { "cost_strategy": { "default": "default", - "type": "string", + "description": "Strategy to use to evaluate query costs. 
Either `default` or `node_quantifier`.", "one_of": [ "default", "node_quantifier" ], - "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`." + "type": "string" } }, { "score_factor": { - "gt": 0, - "required": false, "default": 1, "type": "number", - "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0." + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", + "required": false, + "gt": 0 } }, { "max_cost": { "default": 0, - "type": "number", + "description": "A defined maximum cost per query. 0 means unlimited.", "required": false, - "description": "A defined maximum cost per query. 0 means unlimited." + "type": "number" } }, { 
@@ -152,216 +160,214 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "type": "integer", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "timeout": { - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "connect_timeout": { - "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "read_timeout": { - "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "username": { - "type": "string", "referenceable": true, - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." 
+ "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "type": "string" } }, { "password": { "referenceable": true, - "type": "string", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + "type": "string" } }, { "sentinel_username": { - "type": "string", "referenceable": true, - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" } }, { "sentinel_password": { "referenceable": true, - "type": "string", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + "type": "string" } }, { "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, - "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "type": "integer" } }, { "keepalive_pool_size": { - "default": 30, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. 
If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value.", "between": [ 1, 2147483646 - ] + ], + "default": 30, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value.", + "type": "integer" } }, { "keepalive_backlog": { - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued connect operations resume once the number of connections in the pool is less than `keepalive_pool_size`. Note that queued connect operations are subject to set timeouts.", "between": [ 0, 2147483646 - ] + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued connect operations resume once the number of connections in the pool is less than `keepalive_pool_size`. Note that queued connect operations are subject to set timeouts.", + "type": "integer" } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", "one_of": [ "master", "slave", "any" ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + "type": "string" } }, { "sentinel_addresses": { + "len_min": 1, "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", - "type": "array", "elements": { "type": "string" }, - "len_min": 1 + "type": "array" } }, { "cluster_addresses": { + "len_min": 1, "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", - "type": "array", "elements": { "type": "string" }, - "len_min": 1 + "type": "array" } }, { "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", "default": false, - "type": "boolean", "required": false, - "description": "If set to true, uses SSL to connect to Redis." + "type": "boolean" } }, { "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, - "type": "boolean", "required": false, - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." 
+ "type": "boolean" } }, { "server_name": { - "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, - "description": "A string representing an SNI (server name indication) value for TLS." + "type": "string" } } ], - "type": "record", - "required": true, "entity_checks": [ { "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_addresses" - ], - "set2": [ - "host", - "port" ] } }, { "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_addresses" - ], - "set2": [ - "cluster_addresses" ] } }, { "mutually_exclusive_sets": { - "set1": [ - "cluster_addresses" - ], "set2": [ "host", "port" + ], + "set1": [ + "cluster_addresses" ] } }, @@ -385,32 +391,14 @@ "read_timeout" ] } - ] + ], + "required": true, + "type": "record" } } ], - "required": true - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "eq": "redis" - }, - "if_field": "config.strategy", - "then_at_least_one_of": [ - "config.redis.host", - "config.redis.sentinel_master" - ] + "required": true, + "type": "record" } } ] diff --git a/schemas/grpc-gateway/3.4.x.json b/schemas/grpc-gateway/3.4.x.json index f3ce7329..352b5b76 100644 --- a/schemas/grpc-gateway/3.4.x.json +++ b/schemas/grpc-gateway/3.4.x.json @@ -1,17 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -24,36 +25,35 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS." + "type": "string" }, - "description": "A set of strings representing protocols." + "type": "set", + "description": "A set of strings representing protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "proto": { - "type": "string", + "description": "Describes the gRPC types and methods.", "required": false, - "description": "Describes the gRPC types and methods." + "type": "string" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/grpc-web/3.4.x.json b/schemas/grpc-web/3.4.x.json index 49de320e..22523665 100644 --- a/schemas/grpc-web/3.4.x.json +++ b/schemas/grpc-web/3.4.x.json @@ -1,17 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -24,51 +25,50 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS." + "type": "string" }, - "description": "A set of strings representing protocols." + "type": "set", + "description": "A set of strings representing protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "proto": { - "type": "string", + "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", "required": false, - "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content." + "type": "string" } }, { "pass_stripped_path": { - "type": "boolean", + "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", "required": false, - "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service." + "type": "boolean" } }, { "allow_origin_header": { "default": "*", - "type": "string", + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", "required": false, - "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client." + "type": "string" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/hmac-auth/3.4.x.json b/schemas/hmac-auth/3.4.x.json index 93f13306..0adb9e80 100644 
--- a/schemas/hmac-auth/3.4.x.json +++ b/schemas/hmac-auth/3.4.x.json @@ -1,15 +1,25 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.algorithms" + ] + } + } + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", @@ -18,10 +28,7 @@ "ws", "wss" ], - "type": "set", - "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -29,50 +36,51 @@ "https", "ws", "wss" - ] - } + ], + "type": "string" + }, + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "hide_credentials": { "default": false, - "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", "required": true, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service." + "type": "boolean" } }, { "clock_skew": { "gt": 0, - "type": "number", + "description": "Clock skew in seconds to prevent replay attacks.", "default": 300, - "description": "Clock skew in seconds to prevent replay attacks." + "type": "number" } }, { "anonymous": { - "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", - "type": "string" + "type": "string", + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." } }, { "validate_request_body": { "default": false, - "type": "boolean", + "description": "A boolean value telling the plugin to enable body validation.", "required": true, - "description": "A boolean value telling the plugin to enable body validation." + "type": "boolean" } }, { @@ -80,11 +88,11 @@ "default": [ ], - "type": "array", + "description": "A list of headers that the client should at least use for HTTP signature creation.", "elements": { "type": "string" }, - "description": "A list of headers that the client should at least use for HTTP signature creation." + "type": "array" } }, { 
@@ -95,30 +103,22 @@ "hmac-sha384", "hmac-sha512" ], - "type": "array", + "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", "elements": { - "type": "string", "one_of": [ "hmac-sha1", "hmac-sha256", "hmac-sha384", "hmac-sha512" - ] + ], + "type": "string" }, - "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`" + "type": "array" } } ], - "required": true - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.algorithms" - ] + "required": true, + "type": "record" } } ] diff --git a/schemas/http-log/3.4.x.json b/schemas/http-log/3.4.x.json index a3dda798..9bb62862 100644 --- a/schemas/http-log/3.4.x.json +++ b/schemas/http-log/3.4.x.json @@ -1,17 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -24,17 +25,19 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS." + "type": "string" }, - "description": "A set of strings representing protocols." + "type": "set", + "description": "A set of strings representing protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { 
@@ -42,131 +45,130 @@ "fields": [ { "http_endpoint": { - "encrypted": true, "referenceable": true, "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "encrypted": true } }, { "method": { "default": "POST", - "type": "string", + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", "one_of": [ "POST", "PUT", "PATCH" ], - "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`." + "type": "string" } }, { "content_type": { "default": "application/json", - "type": "string", + "description": "Indicates the type of data sent. The only available option is `application/json`.", "one_of": [ "application/json", "application/json; charset=utf-8" ], - "description": "Indicates the type of data sent. The only available option is `application/json`." + "type": "string" } }, { "timeout": { "default": 10000, - "type": "number", - "description": "An optional timeout in milliseconds when sending data to the upstream server." + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" } }, { "keepalive": { "default": 60000, - "type": "number", - "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed." + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", + "type": "number" } }, { "retry_count": { - "description": "Number of times to retry when sending data to the upstream server.", - "type": "integer" + "type": "integer", + "description": "Number of times to retry when sending data to the upstream server." 
} }, { "queue_size": { - "description": "Maximum number of log entries to be sent on each message to the upstream server.", - "type": "integer" + "type": "integer", + "description": "Maximum number of log entries to be sent on each message to the upstream server." } }, { "flush_timeout": { - "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", - "type": "number" + "type": "number", + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records." } }, { "headers": { - "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", - "type": "map", "keys": { - "type": "string", + "description": "A string representing an HTTP header name.", "match_none": [ { - "pattern": "^[Hh][Oo][Ss][Tt]$", - "err": "cannot contain 'Host' header" + "err": "cannot contain 'Host' header", + "pattern": "^[Hh][Oo][Ss][Tt]$" }, { - "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$", - "err": "cannot contain 'Content-Length' header" + "err": "cannot contain 'Content-Length' header", + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$" }, { - "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$", - "err": "cannot contain 'Content-Type' header" + "err": "cannot contain 'Content-Type' header", + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$" } ], - "description": "A string representing an HTTP header name." + "type": "string" }, + "description": "An optional table of headers included in the HTTP message to the upstream server. 
Values are indexed by header name, and each header name accepts a single string.", "values": { "referenceable": true, "type": "string" - } + }, + "type": "map" } }, { "queue": { - "type": "record", "fields": [ { "max_batch_size": { - "default": 1, - "type": "integer", "between": [ 1, 1000000 ], - "description": "Maximum number of entries that can be processed at a time." + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer" } }, { "max_coalescing_delay": { - "default": 1, - "type": "number", "between": [ 0, 3600 ], - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number" } }, { "max_entries": { - "default": 10000, - "type": "integer", "between": [ 1, 1000000 ], - "description": "Maximum number of entries that can be waiting on the queue." + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer" } }, { 
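Review bot: The `match_none` pattern for Content-Length under `headers.keys` writes `[nn]` where every other letter is an upper/lower pair, so a name with a capital N (constructed example: `Content-LeNgth`) passes this check even though HTTP header names are case-insensitive. The class should be `[Nn]`: `"pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][Nn][Gg][Tt][Hh]$"`. The pattern text is the same on the old side, with only the key order changing here, and because the schema is pulled from the API the correction presumably has to land in the upstream schema before the next download. The `config` record that holds this field starts in this hunk and continues into the next one.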
@@ -177,54 +179,53 @@ }, { "max_retry_time": { + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "default": 60, - "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "type": "number" } }, { "initial_retry_delay": { - "default": 0.01, - "type": "number", "between": [ 0.001, 1000000 ], - "description": "Time in seconds before the initial retry is made for a failing batch." + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number" } }, { "max_retry_delay": { - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number" } } ], - "required": true + "required": true, + "type": "record" } }, { "custom_fields_by_lua": { - "values": { + "keys": { "len_min": 1, "type": "string" }, - "keys": { - "type": "string", - "len_min": 1 + "description": "Lua code as a key-value map", + "values": { + "len_min": 1, + "type": "string" }, - "type": "map", - "description": "Lua code as a key-value map" + "type": "map" } } ], - "type": "record", - "required": true, "entity_checks": [ { "custom_entity_check": { @@ -235,11 +236,10 @@ ] } } - ] + ], + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/ip-restriction/3.4.x.json b/schemas/ip-restriction/3.4.x.json index acf098fb..7a3635e6 100644 --- a/schemas/ip-restriction/3.4.x.json +++ b/schemas/ip-restriction/3.4.x.json @@ -1,8 +1,15 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ], "fields": [ { "protocols": { - "required": true, "default": [ "http", "https", 
@@ -11,9 +18,8 @@ "grpc", "grpcs" ], - "type": "set", "elements": { - "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -26,68 +32,62 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS." + "type": "string" }, - "description": "A set of strings representing protocols." + "type": "set", + "description": "A set of strings representing protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "allow": { - "type": "array", + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", "elements": { - "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", - "type": "string" + "type": "string", + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." }, - "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified." + "type": "array" } }, { "deny": { - "type": "array", + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", "elements": { - "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", - "type": "string" + "type": "string", + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." }, - "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified." 
+ "type": "array" } }, { "status": { - "type": "number", + "description": "The HTTP status of the requests that will be rejected by the plugin.", "required": false, - "description": "The HTTP status of the requests that will be rejected by the plugin." + "type": "number" } }, { "message": { - "type": "string", + "description": "The message to send as a response body to rejected requests.", "required": false, - "description": "The message to send as a response body to rejected requests." + "type": "string" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.allow", - "config.deny" - ] - } ] } \ No newline at end of file diff --git a/schemas/jq/3.4.x.json b/schemas/jq/3.4.x.json index 976d3cf2..55ff9351 100644 --- a/schemas/jq/3.4.x.json +++ b/schemas/jq/3.4.x.json @@ -1,33 +1,36 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { 
@@ -41,60 +44,60 @@ }, { "request_jq_program_options": { - "default": [ - - ], - "type": "record", - "required": false, "fields": [ { "compact_output": { "default": true, - "type": "boolean", - "required": true + "required": true, + "type": "boolean" } }, { "raw_output": { "default": false, - "type": "boolean", - "required": true + "required": true, + "type": "boolean" } }, { "join_output": { "default": false, - "type": "boolean", - "required": true + "required": true, + "type": "boolean" } }, { "ascii_output": { "default": false, - "type": "boolean", - "required": true + "required": true, + "type": "boolean" } }, { "sort_keys": { "default": false, - "type": "boolean", - "required": true + "required": true, + "type": "boolean" } } - ] + ], + "default": [ + + ], + "required": false, + "type": "record" } }, { "request_if_media_type": { + "required": false, "default": [ "application/json" ], - "type": "array", - "required": false, "elements": { "type": "string" - } + }, + "type": "array" } }, { 
@@ -105,81 +108,79 @@ }, { "response_jq_program_options": { - "default": [ - - ], - "type": "record", - "required": false, "fields": [ { "compact_output": { "default": true, - "type": "boolean", - "required": true + "required": true, + "type": "boolean" } }, { "raw_output": { "default": false, - "type": "boolean", - "required": true + "required": true, + "type": "boolean" } }, { "join_output": { "default": false, - "type": "boolean", - "required": true + "required": true, + "type": "boolean" } }, { "ascii_output": { "default": false, - "type": "boolean", - "required": true + "required": true, + "type": "boolean" } }, { "sort_keys": { "default": false, - "type": "boolean", - "required": true + "required": true, + "type": "boolean" } } - ] + ], + "default": [ + + ], + "required": false, + "type": "record" } }, { "response_if_media_type": { + "required": false, "default": [ "application/json" ], - "type": "array", - "required": false, "elements": { "type": "string" - } + }, + "type": "array" } }, { "response_if_status_code": { + "required": false, "default": [ 200 ], - "type": "array", - "required": false, "elements": { - "type": "integer", "between": [ 100, 599 - ] - } + ], + "type": "integer" + }, + "type": "array" } } ], - "type": "record", - "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -187,11 +188,10 @@ "response_jq_program" ] } - ] + ], + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/jwe-decrypt/3.4.x.json b/schemas/jwe-decrypt/3.4.x.json index 51952780..9ababf9d 100644 --- a/schemas/jwe-decrypt/3.4.x.json +++ b/schemas/jwe-decrypt/3.4.x.json 
@@ -1,86 +1,86 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "config": { - "type": "record", "fields": [ { "lookup_header_name": { "default": "Authorization", - "type": "string", + "description": "The name of the header to look for the JWE token.", "required": true, - "description": "The name of the header to look for the JWE token." + "type": "string" } }, { "forward_header_name": { "default": "Authorization", - "type": "string", + "description": "The name of the header that is used to set the decrypted value.", "required": true, - "description": "The name of the header that is used to set the decrypted value." 
+ "type": "string" } }, { "key_sets": { "required": true, - "type": "array", + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", "elements": { "type": "string" }, - "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token." + "type": "array" } }, { "strict": { "default": true, - "type": "boolean", - "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found." + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", + "type": "boolean" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/jwt-signer/3.4.x.json b/schemas/jwt-signer/3.4.x.json index a8d9d3aa..46e468eb 100644 --- a/schemas/jwt-signer/3.4.x.json +++ b/schemas/jwt-signer/3.4.x.json 
@@ -1,289 +1,291 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", - "required": true, "fields": [ { "realm": { - "type": "string", + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", "required": false, - "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value." + "type": "string" } }, { "enable_hs_signatures": { "default": false, - "type": "boolean", + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting.", "required": false, - "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. 
If you need to accept such tokens for verification, enable this setting." + "type": "boolean" } }, { "enable_instrumentation": { "default": false, - "type": "boolean", + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", "required": false, - "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level." + "type": "boolean" } }, { "access_token_issuer": { "default": "kong", - "type": "string", + "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", "required": false, - "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token." + "type": "string" } }, { "access_token_keyset": { "default": "kong", - "type": "string", + "description": "The name of the keyset containing signing keys.", "required": false, - "description": "The name of the keyset containing signing keys." + "type": "string" } }, { "access_token_jwks_uri": { - "type": "string", + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", "required": false, - "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token." + "type": "string" } }, { "access_token_request_header": { "default": "Authorization", - "type": "string", + "description": "This parameter tells the name of the header where to look for the access token.", "required": false, - "description": "This parameter tells the name of the header where to look for the access token." 
+ "type": "string" } }, { "access_token_leeway": { "default": 0, - "type": "number", + "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", "required": false, - "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`." + "type": "number" } }, { "access_token_scopes_required": { "required": false, - "type": "array", + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", "elements": { "type": "string" }, - "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`." + "type": "array" } }, { "access_token_scopes_claim": { - "required": false, "default": [ "scope" ], - "type": "array", "elements": { "type": "string" }, - "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`." 
+ "type": "array", + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", + "required": false } }, { "access_token_consumer_claim": { "required": false, - "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", "elements": { "type": "string" }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity." + "type": "array" } }, { "access_token_consumer_by": { - "required": false, "default": [ "username", "custom_id" ], - "type": "array", "elements": { - "type": "string", "one_of": [ "id", "username", "custom_id" - ] + ], + "type": "string" }, - "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`." + "type": "array", + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", + "required": false } }, { "access_token_upstream_header": { "default": "Authorization:Bearer", - "type": "string", + "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. 
If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", "required": false, - "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token." + "type": "string" } }, { "access_token_upstream_leeway": { "default": 0, - "type": "number", + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", "required": false, - "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim." + "type": "number" } }, { "access_token_introspection_endpoint": { - "type": "string", + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", "required": false, - "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter." 
+ "type": "string" } }, { "access_token_introspection_authorization": { - "type": "string", + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", "required": false, - "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter." + "type": "string" } }, { "access_token_introspection_body_args": { - "type": "string", + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", "required": false, - "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`." + "type": "string" } }, { "access_token_introspection_hint": { "default": "access_token", - "type": "string", + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", "required": false, - "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`." + "type": "string" } }, { "access_token_introspection_jwt_claim": { "required": false, - "type": "array", + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", "elements": { "type": "string" }, - "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). 
If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`." + "type": "array" } }, { "access_token_introspection_scopes_required": { "required": false, - "type": "array", + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", "elements": { "type": "string" }, - "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`." + "type": "array" } }, { "access_token_introspection_scopes_claim": { - "required": true, "default": [ "scope" ], - "type": "array", "elements": { "type": "string" }, - "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`." + "type": "array", + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). 
If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", + "required": true } }, { "access_token_introspection_consumer_claim": { "required": false, - "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", "elements": { "type": "string" }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity." + "type": "array" } }, { "access_token_introspection_consumer_by": { - "required": false, "default": [ "username", "custom_id" ], - "type": "array", "elements": { - "type": "string", "one_of": [ "id", "username", "custom_id" - ] + ], + "type": "string" }, - "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values." + "type": "array", + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.", + "required": false } }, { "access_token_introspection_leeway": { "default": 0, - "type": "number", + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. 
You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", "required": false, - "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`." + "type": "number" } }, { "access_token_introspection_timeout": { - "type": "number", + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", "required": false, - "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection." + "type": "number" } }, { "access_token_signing_algorithm": { - "required": true, "default": "RS256", "type": "string", + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", + "required": true, "one_of": [ "HS256", "HS384", 
@@ -297,151 +299,150 @@ "PS384", "PS512", "EdDSA" - ], - "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm." + ] } }, { "access_token_optional": { "default": false, - "type": "boolean", + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect", "required": false, - "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect" + "type": "boolean" } }, { "verify_access_token_signature": { "default": true, - "type": "boolean", + "description": "Quickly turn access token signature verification off and on as needed.", "required": false, - "description": "Quickly turn access token signature verification off and on as needed." 
+ "type": "boolean" } }, { "verify_access_token_expiry": { "default": true, - "type": "boolean", + "description": "Quickly turn access token expiry verification off and on as needed.", "required": false, - "description": "Quickly turn access token expiry verification off and on as needed." + "type": "boolean" } }, { "verify_access_token_scopes": { "default": true, - "type": "boolean", + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", "required": false, - "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`." + "type": "boolean" } }, { "verify_access_token_introspection_expiry": { "default": true, - "type": "boolean", + "description": "Quickly turn access token introspection expiry verification off and on as needed.", "required": false, - "description": "Quickly turn access token introspection expiry verification off and on as needed." + "type": "boolean" } }, { "verify_access_token_introspection_scopes": { "default": true, - "type": "boolean", + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", "required": false, - "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`." + "type": "boolean" } }, { "cache_access_token_introspection": { "default": true, - "type": "boolean", + "description": "Whether to cache access token introspection results.", "required": false, - "description": "Whether to cache access token introspection results." + "type": "boolean" } }, { "trust_access_token_introspection": { "default": true, - "type": "boolean", + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. 
If you set this to `true`, the expiry or scopes are not checked on a payload.", "required": false, - "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload." + "type": "boolean" } }, { "enable_access_token_introspection": { "default": true, - "type": "boolean", + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", "required": false, - "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection." + "type": "boolean" } }, { "channel_token_issuer": { "default": "kong", - "type": "string", + "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", "required": false, - "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token." + "type": "string" } }, { "channel_token_keyset": { "default": "kong", - "type": "string", + "description": "The name of the keyset containing signing keys.", "required": false, - "description": "The name of the keyset containing signing keys." + "type": "string" } }, { "channel_token_jwks_uri": { - "type": "string", + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. 
If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", "required": false, - "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`." + "type": "string" } }, { "channel_token_request_header": { - "type": "string", + "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", "required": false, - "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string)." + "type": "string" } }, { "channel_token_leeway": { "default": 0, - "type": "number", + "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", "required": false, - "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`." 
+ "type": "number" } }, { "channel_token_scopes_required": { "required": false, - "type": "array", + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", "elements": { "type": "string" }, - "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`." + "type": "array" } }, { "channel_token_scopes_claim": { - "required": false, "default": [ "scope" ], - "type": "array", "elements": { "type": "string" }, - "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims." + "type": "array", + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", + "required": false } }, { "channel_token_consumer_claim": { "required": false, - "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", "elements": { "type": "string" }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`." + "type": "array" } }, { 
@@ -450,152 +451,153 @@ "username", "custom_id" ], - "type": "array", + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", "elements": { - "type": "string", "one_of": [ "id", "username", "custom_id" - ] + ], + "type": "string" }, - "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`." + "type": "array" } }, { "channel_token_upstream_header": { - "type": "string", + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", "required": false, - "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value." + "type": "string" } }, { "channel_token_upstream_leeway": { "default": 0, - "type": "number", + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", "required": false, - "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim." + "type": "number" } }, { "channel_token_introspection_endpoint": { - "type": "string", + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. 
Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", "required": false, - "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead." + "type": "string" } }, { "channel_token_introspection_authorization": { "required": false, - "type": "string", + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", "elements": { "type": "string" }, - "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens." + "type": "string" } }, { "channel_token_introspection_body_args": { "required": false, - "type": "string", + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", "elements": { "type": "string" }, - "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`." 
+ "type": "string" } }, { "channel_token_introspection_hint": { "required": false, - "type": "string", + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", "elements": { "type": "string" }, - "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection." + "type": "string" } }, { "channel_token_introspection_jwt_claim": { "required": false, - "type": "array", + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", "elements": { "type": "string" }, - "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong." + "type": "array" } }, { "channel_token_introspection_scopes_required": { "required": false, - "type": "array", + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", "elements": { "type": "string" }, - "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`." 
+ "type": "array" } }, { "channel_token_introspection_scopes_claim": { - "required": false, "default": [ "scope" ], - "type": "array", "elements": { "type": "string" }, - "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims." + "type": "array", + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", + "required": false } }, { "channel_token_introspection_consumer_claim": { "required": false, - "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", "elements": { "type": "string" }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity" + "type": "array" } }, { "channel_token_introspection_consumer_by": { - "required": false, "default": [ "username", "custom_id" ], - "type": "array", "elements": { - "type": "string", "one_of": [ "id", "username", "custom_id" - ] + ], + "type": "string" }, - "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`." 
+ "type": "array", + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", + "required": false } }, { "channel_token_introspection_leeway": { "default": 0, - "type": "number", + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", "required": false, - "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`." + "type": "number" } }, { "channel_token_introspection_timeout": { - "type": "number", + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", "required": false, - "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection." 
+ "type": "number" } }, { "channel_token_signing_algorithm": { - "required": true, "default": "RS256", "type": "string", + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", + "required": true, "one_of": [ "HS256", "HS384", 
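Review bot: The `description` on `channel_token_introspection_authorization` is the `channel_token_introspection_endpoint` text again ("specify the OAuth 2.0 introspection endpoint URI") and never says what this field holds. Going by the name, it presumably carries the `Authorization` header value the plugin sends to the introspection endpoint, which would make it a credential; if so, the text should say that so operators know to handle it as a secret. A possible wording, to be confirmed against the plugin: `"description": "Value of the Authorization header sent to the introspection endpoint when the plugin introspects an opaque channel token."`. Two more descriptions in this hunk look stale: `channel_token_upstream_header` only describes the removal of `config.channel_token_request_header`, and `channel_token_introspection_timeout` refers to `config.access_token_introspection_timeout`. Since the commit message says these files are pulled from the API, the corrections belong in the plugin schema itself.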
@@ -609,118 +611,116 @@ "PS384", "PS512", "EdDSA" - ], - "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token." + ] } }, { "channel_token_optional": { "default": false, - "type": "boolean", + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", "required": false, - "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect" + "type": "boolean" } }, { "verify_channel_token_signature": { "default": true, - "type": "boolean", + "description": "Quickly turn on/off the channel token signature verification.", "required": false, - "description": "Quickly turn on/off the channel token signature verification." 
+ "type": "boolean" } }, { "verify_channel_token_expiry": { "default": true, - "type": "boolean", - "required": false + "required": false, + "type": "boolean" } }, { "verify_channel_token_scopes": { "default": true, - "type": "boolean", + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", "required": false, - "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`." + "type": "boolean" } }, { "verify_channel_token_introspection_expiry": { "default": true, - "type": "boolean", + "description": "Quickly turn on/off the channel token introspection expiry verification.", "required": false, - "description": "Quickly turn on/off the channel token introspection expiry verification." + "type": "boolean" } }, { "verify_channel_token_introspection_scopes": { "default": true, - "type": "boolean", + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", "required": false, - "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`." + "type": "boolean" } }, { "cache_channel_token_introspection": { "default": true, - "type": "boolean", + "description": "Whether to cache channel token introspection results.", "required": false, - "description": "Whether to cache channel token introspection results." + "type": "boolean" } }, { "trust_channel_token_introspection": { "default": true, - "type": "boolean", + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. 
This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", "required": false, - "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked." + "type": "boolean" } }, { "enable_channel_token_introspection": { "default": true, - "type": "boolean", + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", "required": false, - "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`." + "type": "boolean" } }, { "add_claims": { - "keys": { - "type": "string" - }, - "required": false, - "values": { - "type": "string" - }, "default": [ ], + "values": { + "type": "string" + }, "type": "map", - "description": "Add customized claims if they are not present yet." + "description": "Add customized claims if they are not present yet.", + "keys": { + "type": "string" + }, + "required": false } }, { "set_claims": { - "keys": { - "type": "string" - }, - "required": false, - "values": { - "type": "string" - }, "default": [ ], + "values": { + "type": "string" + }, "type": "map", - "description": "Set customized claims. If a claim is already present, it will be overwritten." + "description": "Set customized claims. 
If a claim is already present, it will be overwritten.", + "keys": { + "type": "string" + }, + "required": false } } - ] + ], + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/jwt/3.4.x.json b/schemas/jwt/3.4.x.json index 2804a28c..96388cfa 100644 --- a/schemas/jwt/3.4.x.json +++ b/schemas/jwt/3.4.x.json @@ -1,57 +1,70 @@ { + "entity_checks": [ + { + "conditional": { + "then_match": { + "contains": "exp" + }, + "if_match": { + "gt": 0 + }, + "then_field": "config.claims_to_verify", + "if_field": "config.maximum_expiration" + } + } + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "uri_param_names": { "default": [ "jwt" ], - "type": "set", + "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", "elements": { "type": "string" }, - "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs." + "type": "set" } }, { 
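Review bot: `verify_channel_token_expiry` is the only `verify_channel_token_*` toggle in this hunk without a `description`; add `"description": "Quickly turn on/off the channel token expiry verification."` to match its siblings. The "Quickly turn on/off" texts also leave out what `false` means: with `verify_channel_token_signature` off, the channel token is presumably accepted without any signature check, and that consequence deserves a sentence. Likewise `trust_channel_token_introspection` defaults to `true`, which by its own description means the payload's expiry and scopes are not checked, so the text should say plainly that the introspection result is then the only control.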
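Review bot: The new `description` for `uri_param_names` does not mention that the field defaults to `["jwt"]`, so tokens are accepted from the query string unless the operator changes it. A bearer token carried in a URL is commonly recorded in access logs, proxy logs and browser history, and a reader of the generated documentation should see that caveat next to the field. Suggested text: `"description": "A list of querystring parameters that Kong will inspect to retrieve JWTs. Tokens passed in the URL can end up in access logs; prefer the Authorization header where possible."`.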
@@ -59,39 +72,39 @@ "default": [ ], - "type": "set", + "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", "elements": { "type": "string" }, - "description": "A list of cookie names that Kong will inspect to retrieve JWTs." + "type": "set" } }, { "key_claim_name": { "default": "iss", - "type": "string", - "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order." + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", + "type": "string" } }, { "secret_is_base64": { "default": false, - "type": "boolean", + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", "required": true, - "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret." + "type": "boolean" } }, { "claims_to_verify": { - "type": "set", + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", "elements": { - "type": "string", "one_of": [ "exp", "nbf" - ] + ], + "type": "string" }, - "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf." + "type": "set" } }, { 
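Review bot: The `claims_to_verify` description says "Accepted values: one of exp or nbf", but the field is a `set` whose elements are `exp` or `nbf`, so both can be listed. No `default` is visible for the field in this hunk; if that is the whole definition, token expiry is not verified unless the operator adds `exp`, and the description should state that outright. The conditional entity check in the first hunk of this file (`config.maximum_expiration` greater than 0 requires `exp`) points the same way. Suggested text, with the last sentence to be confirmed against the plugin: `"description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: exp, nbf, or both. When the list is empty, neither claim is checked."`.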
@@ -103,20 +116,20 @@ { "run_on_preflight": { "default": true, - "type": "boolean", + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", "required": true, - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed." + "type": "boolean" } }, { "maximum_expiration": { - "default": 0, - "type": "number", - "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", "between": [ 0, 31536000 - ] + ], + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", + "default": 0, + "type": "number" } }, { @@ -124,29 +137,16 @@ "default": [ "authorization" ], - "type": "set", + "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", "elements": { "type": "string" }, - "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs." + "type": "set" } } ], - "required": true - } - } - ], - "entity_checks": [ - { - "conditional": { - "if_match": { - "gt": 0 - }, - "then_field": "config.claims_to_verify", - "if_field": "config.maximum_expiration", - "then_match": { - "contains": "exp" - } + "required": true, + "type": "record" } } ] diff --git a/schemas/kafka-log/3.4.x.json b/schemas/kafka-log/3.4.x.json index a7790545..a7b21bb3 100644 --- a/schemas/kafka-log/3.4.x.json +++ b/schemas/kafka-log/3.4.x.json @@ -1,7 +1,11 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", @@ -10,10 +14,7 @@ "ws", "wss" ], - "type": "set", - "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -21,16 +22,18 @@ "https", "ws", "wss" - ] - } + ], + "type": "string" + }, + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { 
@@ -38,230 +41,228 @@ "fields": [ { "bootstrap_servers": { - "type": "set", + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "elements": { "fields": [ { "host": { - "type": "string", + "description": "A string representing a host name, such as example.com.", "required": true, - "description": "A string representing a host name, such as example.com." + "type": "string" } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", - "required": true, "between": [ 0, 65535 - ] + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "type": "integer" } } ], "type": "record" }, - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." + "type": "set" } }, { "topic": { - "type": "string", + "description": "The Kafka topic to publish to.", "required": true, - "description": "The Kafka topic to publish to." + "type": "string" } }, { "timeout": { + "description": "Socket timeout in milliseconds.", "default": 10000, - "type": "integer", - "description": "Socket timeout in milliseconds." + "type": "integer" } }, { "keepalive": { - "default": 60000, - "type": "integer" + "type": "integer", + "default": 60000 } }, { "keepalive_enabled": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "authentication": { - "type": "record", "fields": [ { "strategy": { + "required": false, + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "one_of": [ "sasl" ], - "type": "string", - "required": false, - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`." + "type": "string" } }, { "mechanism": { + "required": false, + "description": "The SASL authentication mechanism. 
Supported options: `PLAIN` or `SCRAM-SHA-256`.", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" ], - "type": "string", - "required": false, - "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`." + "type": "string" } }, { "tokenauth": { - "type": "boolean", + "description": "Enable this to indicate `DelegationToken` authentication", "required": false, - "description": "Enable this to indicate `DelegationToken` authentication" + "type": "boolean" } }, { "user": { - "encrypted": true, - "description": "Username for SASL authentication.", + "referenceable": true, "type": "string", - "required": false, - "referenceable": true + "description": "Username for SASL authentication.", + "encrypted": true, + "required": false } }, { "password": { - "encrypted": true, - "description": "Password for SASL authentication.", + "referenceable": true, "type": "string", - "required": false, - "referenceable": true + "description": "Password for SASL authentication.", + "encrypted": true, + "required": false } } ], - "required": true + "required": true, + "type": "record" } }, { "security": { - "type": "record", "fields": [ { "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", "uuid": true, - "type": "string", "required": false, - "description": "UUID of certificate entity for mTLS authentication." + "type": "string" } }, { "ssl": { - "type": "boolean", + "description": "Enables TLS.", "required": false, - "description": "Enables TLS." + "type": "boolean" } } ], - "required": true + "required": true, + "type": "record" } }, { "cluster_name": { + "auto": true, "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. 
If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", - "type": "string", "required": false, - "auto": true + "type": "string" } }, { "producer_request_acks": { + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "default": 1, - "type": "integer", "one_of": [ -1, 0, 1 ], - "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set)." + "type": "integer" } }, { "producer_request_timeout": { + "description": "Time to wait for a Produce response in milliseconds", "default": 2000, - "type": "integer", - "description": "Time to wait for a Produce response in milliseconds" + "type": "integer" } }, { "producer_request_limits_messages_per_request": { + "description": "Maximum number of messages to include into a single Produce request.", "default": 200, - "type": "integer", - "description": "Maximum number of messages to include into a single Produce request." + "type": "integer" } }, { "producer_request_limits_bytes_per_request": { + "description": "Maximum size of a Produce request in bytes.", "default": 1048576, - "type": "integer", - "description": "Maximum size of a Produce request in bytes." + "type": "integer" } }, { "producer_request_retries_max_attempts": { + "description": "Maximum number of retry attempts per single Produce request.", "default": 10, - "type": "integer", - "description": "Maximum number of retry attempts per single Produce request." 
+ "type": "integer" } }, { "producer_request_retries_backoff_timeout": { + "description": "Backoff interval between retry attempts in milliseconds.", "default": 100, - "type": "integer", - "description": "Backoff interval between retry attempts in milliseconds." + "type": "integer" } }, { "producer_async": { + "description": "Flag to enable asynchronous mode.", "default": true, - "type": "boolean", - "description": "Flag to enable asynchronous mode." + "type": "boolean" } }, { "producer_async_flush_timeout": { + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", "default": 1000, - "type": "integer", - "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode." + "type": "integer" } }, { "producer_async_buffering_limits_messages_in_memory": { + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", "default": 50000, - "type": "integer", - "description": "Maximum number of messages that can be buffered in memory in asynchronous mode." + "type": "integer" } }, { "custom_fields_by_lua": { - "values": { + "keys": { "len_min": 1, "type": "string" }, - "keys": { - "type": "string", - "len_min": 1 + "description": "Lua code as a key-value map", + "values": { + "len_min": 1, + "type": "string" }, - "type": "map", - "description": "Lua code as a key-value map" + "type": "map" } } ], - "type": "record", - "required": true, "entity_checks": [ { "custom_entity_check": { @@ -270,11 +271,10 @@ ] } } - ] + ], + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/kafka-upstream/3.4.x.json b/schemas/kafka-upstream/3.4.x.json index 63a31c30..377f73f6 100644 --- a/schemas/kafka-upstream/3.4.x.json +++ b/schemas/kafka-upstream/3.4.x.json 
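Review bot: In `authentication.mechanism` the `one_of` list allows `SCRAM-SHA-512`, but the description added here names only `PLAIN` or `SCRAM-SHA-256`; the kafka-upstream schema later in this patch has the complete wording. Change it to ``"description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`."``. The text could also note that `PLAIN` sends the password unhashed and should be paired with `security.ssl`, which is `required: false` with no default visible in this hunk. `keepalive` has no description here, while kafka-upstream uses `Keepalive timeout in milliseconds.`.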
@@ -1,33 +1,36 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { 
@@ -35,245 +38,243 @@ "fields": [ { "bootstrap_servers": { - "type": "set", + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "elements": { "fields": [ { "host": { - "type": "string", + "description": "A string representing a host name, such as example.com.", "required": true, - "description": "A string representing a host name, such as example.com." + "type": "string" } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", - "required": true, "between": [ 0, 65535 - ] + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "type": "integer" } } ], "type": "record" }, - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." + "type": "set" } }, { "topic": { - "type": "string", + "description": "The Kafka topic to publish to.", "required": true, - "description": "The Kafka topic to publish to." + "type": "string" } }, { "timeout": { + "description": "Socket timeout in milliseconds.", "default": 10000, - "type": "integer", - "description": "Socket timeout in milliseconds." + "type": "integer" } }, { "keepalive": { + "description": "Keepalive timeout in milliseconds.", "default": 60000, - "type": "integer", - "description": "Keepalive timeout in milliseconds." + "type": "integer" } }, { "keepalive_enabled": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "authentication": { - "type": "record", "fields": [ { "strategy": { + "required": false, + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "one_of": [ "sasl" ], - "type": "string", - "required": false, - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`." + "type": "string" } }, { "mechanism": { + "required": false, + "description": "The SASL authentication mechanism. 
Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" ], - "type": "string", - "required": false, - "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`." + "type": "string" } }, { "tokenauth": { - "type": "boolean", + "description": "Enable this to indicate `DelegationToken` authentication.", "required": false, - "description": "Enable this to indicate `DelegationToken` authentication." + "type": "boolean" } }, { "user": { - "required": false, - "description": "Username for SASL authentication.", + "referenceable": true, "type": "string", + "description": "Username for SASL authentication.", "encrypted": true, - "referenceable": true + "required": false } }, { "password": { - "required": false, - "description": "Password for SASL authentication.", + "referenceable": true, "type": "string", + "description": "Password for SASL authentication.", "encrypted": true, - "referenceable": true + "required": false } } ], - "required": true + "required": true, + "type": "record" } }, { "security": { - "type": "record", "fields": [ { "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", "uuid": true, - "type": "string", "required": false, - "description": "UUID of certificate entity for mTLS authentication." + "type": "string" } }, { "ssl": { - "type": "boolean", + "description": "Enables TLS.", "required": false, - "description": "Enables TLS." + "type": "boolean" } } ], - "required": true + "required": true, + "type": "record" } }, { "forward_method": { + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "default": false, - "type": "boolean", - "description": "Include the request method in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "type": "boolean" } }, { "forward_uri": { + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "default": false, - "type": "boolean", - "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "type": "boolean" } }, { "forward_headers": { + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "default": false, - "type": "boolean", - "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "type": "boolean" } }, { "forward_body": { + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "default": true, - "type": "boolean", - "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "type": "boolean" } }, { "cluster_name": { + "auto": true, "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. 
Logs will be sent to the leader of the cluster.", - "type": "string", "required": false, - "auto": true + "type": "string" } }, { "producer_request_acks": { + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "default": 1, - "type": "integer", "one_of": [ -1, 0, 1 ], - "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set)." + "type": "integer" } }, { "producer_request_timeout": { + "description": "Time to wait for a Produce response in milliseconds.", "default": 2000, - "type": "integer", - "description": "Time to wait for a Produce response in milliseconds." + "type": "integer" } }, { "producer_request_limits_messages_per_request": { + "description": "Maximum number of messages to include into a single producer request.", "default": 200, - "type": "integer", - "description": "Maximum number of messages to include into a single producer request." + "type": "integer" } }, { "producer_request_limits_bytes_per_request": { + "description": "Maximum size of a Produce request in bytes.", "default": 1048576, - "type": "integer", - "description": "Maximum size of a Produce request in bytes." + "type": "integer" } }, { "producer_request_retries_max_attempts": { + "description": "Maximum number of retry attempts per single Produce request.", "default": 10, - "type": "integer", - "description": "Maximum number of retry attempts per single Produce request." 
+ "type": "integer" } }, { "producer_request_retries_backoff_timeout": { + "description": "Backoff interval between retry attempts in milliseconds.", "default": 100, - "type": "integer", - "description": "Backoff interval between retry attempts in milliseconds." + "type": "integer" } }, { "producer_async": { + "description": "Flag to enable asynchronous mode.", "default": true, - "type": "boolean", - "description": "Flag to enable asynchronous mode." + "type": "boolean" } }, { "producer_async_flush_timeout": { + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", "default": 1000, - "type": "integer", - "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode." + "type": "integer" } }, { "producer_async_buffering_limits_messages_in_memory": { + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", "default": 50000, - "type": "integer", - "description": "Maximum number of messages that can be buffered in memory in asynchronous mode." + "type": "integer" } } ], - "type": "record", - "required": true, "entity_checks": [ { "custom_entity_check": { @@ -292,11 +293,10 @@ ] } } - ] + ], + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/key-auth-enc/3.4.x.json b/schemas/key-auth-enc/3.4.x.json index 4c862ea4..5e24d162 100644 --- a/schemas/key-auth-enc/3.4.x.json +++ b/schemas/key-auth-enc/3.4.x.json @@ -1,15 +1,19 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", 
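Review bot: In the kafka-upstream hunk `@@ -35,245 +38,243 @@`, the `mechanism` description lists `PLAIN` beside the SCRAM options without saying that SASL PLAIN sends the `password` value unprotected unless the connection is encrypted. `security.ssl` in the same hunk is `required: false` with no default shown, so nothing steers a reader towards enabling it. I would append to the `mechanism` description: `Use PLAIN only together with security.ssl set to true.` In the same hunk `keepalive_enabled` has no `description` at all, unlike the other leaf fields. Since the commit message says these files are pulled from the API, the wording presumably has to change in the plugin's schema source rather than here.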
@@ -18,10 +22,7 @@ "ws", "wss" ], - "type": "set", - "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -29,83 +30,82 @@ "https", "ws", "wss" - ] - } + ], + "type": "string" + }, + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "key_names": { - "required": true, "default": [ "apikey" ], - "type": "array", "elements": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." }, - "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." + "type": "array", + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "required": true } }, { "hide_credentials": { + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", "default": false, - "type": "boolean", - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. 
If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it." + "type": "boolean" } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "key_in_header": { + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", "default": true, - "type": "boolean", - "description": "If enabled (default), the plugin reads the request header and tries to find the key in it." + "type": "boolean" } }, { "key_in_query": { + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", "default": true, - "type": "boolean", - "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it." + "type": "boolean" } }, { "key_in_body": { + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", "default": false, - "type": "boolean", - "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. 
Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." + "type": "boolean" } }, { "run_on_preflight": { + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", "default": true, - "type": "boolean", - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed." + "type": "boolean" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/key-auth/3.4.x.json b/schemas/key-auth/3.4.x.json index c87e8d74..a906f991 100644 --- a/schemas/key-auth/3.4.x.json +++ b/schemas/key-auth/3.4.x.json @@ -1,15 +1,19 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", @@ -18,10 +22,7 @@ "ws", "wss" ], - "type": "set", - "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
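Review bot: In the key-auth-enc hunk `@@ -29,83 +30,82 @@`, `key_in_query` defaults to `true` and `hide_credentials` to `false`, but neither description mentions what that means for the key. A key sent in the query string is typically written to access logs, and with the default it is also forwarded to the upstream service. A sentence on `key_in_query` would cover it: `Keys sent as query parameters can end up in proxy and upstream logs; prefer headers and set hide_credentials to true where possible.` The same applies to the `hide_credentials` and `key_in_query` entries in the two key-auth hunks that follow (`@@ -29,42 +30,43 @@` and `@@ -75,42 +77,40 @@`).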
@@ -29,42 +30,43 @@ "https", "ws", "wss" - ] - } + ], + "type": "string" + }, + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "key_names": { - "required": true, "default": [ "apikey" ], - "type": "array", "elements": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." }, - "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." + "type": "array", + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "required": true } }, { "hide_credentials": { + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", "default": false, - "type": "boolean", "required": true, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request." + "type": "boolean" } }, { 
@@ -75,42 +77,40 @@ }, { "key_in_header": { + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", "default": true, - "type": "boolean", "required": true, - "description": "If enabled (default), the plugin reads the request header and tries to find the key in it." + "type": "boolean" } }, { "key_in_query": { + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", "default": true, - "type": "boolean", "required": true, - "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it." + "type": "boolean" } }, { "key_in_body": { + "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", "default": false, - "type": "boolean", "required": true, - "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." + "type": "boolean" } }, { "run_on_preflight": { + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", "default": true, - "type": "boolean", "required": true, - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed." + "type": "boolean" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/konnect-application-auth/3.4.x.json b/schemas/konnect-application-auth/3.4.x.json index 68526368..0d88c352 100644 --- a/schemas/konnect-application-auth/3.4.x.json 
+++ b/schemas/konnect-application-auth/3.4.x.json @@ -1,49 +1,52 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "route": { - "reference": "routes", - "eq": null, "type": "foreign", - "description": "A reference to the 'routes' table with a null value allowed." + "description": "A reference to the 'routes' table with a null value allowed.", + "eq": null, + "reference": "routes" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { 
@@ -51,48 +54,45 @@ "fields": [ { "key_names": { - "required": true, "default": [ "apikey" ], - "type": "array", "elements": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." }, - "description": "The names of the headers containing the API key. You can specify multiple header names." + "type": "array", + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "required": true } }, { "auth_type": { - "required": true, "default": "openid-connect", "type": "string", + "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth'.", + "required": true, "one_of": [ "openid-connect", "key-auth" - ], - "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth'." + ] } }, { "scope": { "unique": true, - "type": "string", + "description": "The unique scope identifier for the plugin configuration.", "required": true, - "description": "The unique scope identifier for the plugin configuration." + "type": "string" } } ], - "type": "record", - "required": true, "entity_checks": [ - ] + ], + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/ldap-auth-advanced/3.4.x.json b/schemas/ldap-auth-advanced/3.4.x.json index fb715cf8..e19d447e 100644 --- a/schemas/ldap-auth-advanced/3.4.x.json +++ b/schemas/ldap-auth-advanced/3.4.x.json @@ -1,7 +1,17 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", @@ -10,10 +20,7 @@ "ws", "wss" ], - "type": "set", - "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -21,165 +28,166 @@ "https", "ws", "wss" - ] - } + ], + "type": "string" + }, + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "config": { - "type": "record", "fields": [ { "ldap_host": { - "type": "string", + "description": "Host on which the LDAP server is running.", "required": true, - "description": "Host on which the LDAP server is running." + "type": "string" } }, { "ldap_password": { + "referenceable": true, "description": "The password to the LDAP server.", - "type": "string", "encrypted": true, - "referenceable": true + "type": "string" } }, { "ldap_port": { "default": 389, - "type": "number", - "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636." + "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", + "type": "number" } }, { "bind_dn": { - "type": "string", + "referenceable": true, "description": "The DN to bind to. Used to perform LDAP search of user. 
This `bind_dn` should have permissions to search for the user being authenticated.", - "referenceable": true + "type": "string" } }, { "ldaps": { + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", "default": false, - "type": "boolean", "required": true, - "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled." + "type": "boolean" } }, { "start_tls": { + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", "default": false, - "type": "boolean", "required": true, - "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled." + "type": "boolean" } }, { "verify_ldap_host": { + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", "default": false, - "type": "boolean", "required": true, - "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive." + "type": "boolean" } }, { "base_dn": { - "type": "string", + "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", "required": true, - "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'." 
+ "type": "string" } }, { "attribute": { - "type": "string", + "description": "Attribute to be used to search the user; e.g., \"cn\".", "required": true, - "description": "Attribute to be used to search the user; e.g., \"cn\"." + "type": "string" } }, { "cache_ttl": { + "description": "Cache expiry time in seconds.", "default": 60, - "type": "number", "required": true, - "description": "Cache expiry time in seconds." + "type": "number" } }, { "hide_credentials": { "default": false, - "type": "boolean", - "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request." + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "type": "boolean" } }, { "timeout": { "default": 10000, - "type": "number", - "description": "An optional timeout in milliseconds when waiting for connection with LDAP server." + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" } }, { "keepalive": { "default": 60000, - "type": "number", - "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed." + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" } }, { "anonymous": { + "len_min": 0, "default": "", - "type": "string", "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "len_min": 0 + "type": "string" } }, { "header_type": { "default": "ldap", - "type": "string", - "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`." + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", + "type": "string" } }, { "consumer_optional": { + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", "default": false, - "type": "boolean", "required": false, - "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user." + "type": "boolean" } }, { "consumer_by": { - "required": false, "default": [ "username", "custom_id" ], - "type": "array", "elements": { - "type": "string", "one_of": [ "username", "custom_id" - ] + ], + "type": "string" }, - "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both." + "type": "array", + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", + "required": false } }, { 
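Review bot: In the ldap-auth-advanced hunk `@@ -21,165 +28,166 @@`, `verify_ldap_host` defaults to `false`, so going by its own description the server certificate is not checked even when `ldaps` or `start_tls` is on, and neither of those two descriptions says so. I would add to `verify_ldap_host`: `With the default of false the LDAP server's certificate is not verified, so ldaps or start_tls alone do not authenticate the server.` The `ldaps` description also reads "If the `ldap` setting is enabled", which presumably should name `ldaps`. The ldap-auth schema further down carries the same `verify_ldap_host` and `ldaps` text, in a hunk that continues past the visible part of the page.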
@@ -197,39 +205,31 @@ { "group_member_attribute": { "default": "memberOf", - "type": "string", - "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive." + "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive.", + "type": "string" } }, { "log_search_results": { + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", "default": false, - "type": "boolean", "required": false, - "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment." + "type": "boolean" } }, { "groups_required": { "required": false, - "type": "array", + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", "elements": { "type": "string" }, - "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result." + "type": "array" } } ], - "required": true - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] + "required": true, + "type": "record" } } ] 
diff --git a/schemas/ldap-auth/3.4.x.json b/schemas/ldap-auth/3.4.x.json index b8208859..9cce316e 100644 --- a/schemas/ldap-auth/3.4.x.json +++ b/schemas/ldap-auth/3.4.x.json @@ -1,15 +1,19 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", @@ -18,10 +22,7 @@ "ws", "wss" ], - "type": "set", - "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", @@ -29,16 +30,18 @@ "https", "ws", "wss" - ] - } + ], + "type": "string" + }, + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { 
@@ -46,126 +49,123 @@ "fields": [ { "ldap_host": { - "type": "string", + "description": "A string representing a host name, such as example.com.", "required": true, - "description": "A string representing a host name, such as example.com." + "type": "string" } }, { "ldap_port": { - "required": true, + "default": 389, + "type": "integer", "between": [ 0, 65535 ], - "default": 389, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true } }, { "ldaps": { "default": false, - "type": "boolean", + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", "required": true, - "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled." + "type": "boolean" } }, { "start_tls": { "default": false, - "type": "boolean", + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", "required": true, - "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled." + "type": "boolean" } }, { "verify_ldap_host": { "default": false, - "type": "boolean", + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", "required": true, - "description": "Set to `true` to authenticate LDAP server. 
The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive." + "type": "boolean" } }, { "base_dn": { - "type": "string", + "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", "required": true, - "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com" + "type": "string" } }, { "attribute": { - "type": "string", + "description": "Attribute to be used to search the user; e.g. cn", "required": true, - "description": "Attribute to be used to search the user; e.g. cn" + "type": "string" } }, { "cache_ttl": { "default": 60, - "type": "number", + "description": "Cache expiry time in seconds.", "required": true, - "description": "Cache expiry time in seconds." + "type": "number" } }, { "hide_credentials": { "default": false, - "type": "boolean", + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", "required": true, - "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request." + "type": "boolean" } }, { "timeout": { "default": 10000, - "type": "number", - "description": "An optional timeout in milliseconds when waiting for connection with LDAP server." + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" } }, { "keepalive": { "default": 60000, - "type": "number", - "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed." 
+ "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`.", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`." } }, { "header_type": { "default": "ldap", - "type": "string", - "description": "An optional string to use as part of the Authorization header" + "description": "An optional string to use as part of the Authorization header", + "type": "string" } } ], - "type": "record", - "required": true, "entity_checks": [ { "conditional": { + "then_match": { + "eq": false + }, "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", "if_match": { "eq": true }, "then_field": "start_tls", - "if_field": "ldaps", - "then_match": { - "eq": false - } + "if_field": "ldaps" } } - ] + ], + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/loggly/3.4.x.json b/schemas/loggly/3.4.x.json index 9c95b1d2..be9fe1b5 100644 --- a/schemas/loggly/3.4.x.json +++ b/schemas/loggly/3.4.x.json @@ -1,17 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -24,47 +25,48 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS." + "type": "string" }, - "description": "A set of strings representing protocols." + "type": "set", + "description": "A set of strings representing protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "host": { "default": "logs-01.loggly.com", - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { - "default": 514, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 514, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "key": { - "required": true, - "type": "string", + "referenceable": true, "encrypted": true, - "referenceable": true + "required": true, + "type": "string" } }, { @@ -72,16 +74,15 @@ "default": [ "kong" ], - "type": "set", "elements": { "type": "string" - } + }, + "type": "set" } }, { "log_level": { "default": "info", - "type": "string", "one_of": [ "debug", "info", @@ -91,13 +92,13 @@ "crit", "alert", "emerg" - ] + ], + "type": "string" } }, { "successful_severity": { "default": "info", - "type": "string", "one_of": [ "debug", "info", @@ -107,13 +108,13 @@ "crit", "alert", "emerg" - ] + ], + "type": "string" } }, { "client_errors_severity": { "default": "info", - "type": "string", "one_of": [ "debug", "info", 
@@ -123,13 +124,13 @@ "crit", "alert", "emerg" - ] + ], + "type": "string" } }, { "server_errors_severity": { "default": "info", - "type": "string", "one_of": [ "debug", "info", @@ -139,35 +140,34 @@ "crit", "alert", "emerg" - ] + ], + "type": "string" } }, { "timeout": { - "default": 10000, - "type": "number" + "type": "number", + "default": 10000 } }, { "custom_fields_by_lua": { - "values": { + "keys": { "len_min": 1, "type": "string" }, - "keys": { - "type": "string", - "len_min": 1 + "description": "Lua code as a key-value map", + "values": { + "len_min": 1, + "type": "string" }, - "type": "map", - "description": "Lua code as a key-value map" + "type": "map" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/mocking/3.4.x.json b/schemas/mocking/3.4.x.json index f69883bc..ad536361 100644 --- a/schemas/mocking/3.4.x.json +++ b/schemas/mocking/3.4.x.json 
@@ -1,109 +1,109 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.api_specification_filename", + "config.api_specification" + ] + } + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "api_specification_filename": { - "type": "string", + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", "required": false, - "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode." + "type": "string" } }, { "api_specification": { - "type": "string", + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", "required": false, - "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field." 
+ "type": "string" } }, { "random_delay": { + "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs.", "default": false, - "type": "boolean", - "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs." + "type": "boolean" } }, { "max_delay_time": { + "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", "default": 1, - "type": "number", - "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`." + "type": "number" } }, { "min_delay_time": { + "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`.", "default": 0.001, - "type": "number", - "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`." + "type": "number" } }, { "random_examples": { + "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", "default": false, - "type": "boolean", - "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured." + "type": "boolean" } }, { "included_status_codes": { - "type": "array", + "description": "A global list of the HTTP status codes that can only be selected and returned.", "elements": { "type": "integer" }, - "description": "A global list of the HTTP status codes that can only be selected and returned." 
+ "type": "array" } }, { "random_status_code": { + "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", "default": false, - "type": "boolean", "required": true, - "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned." + "type": "boolean" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.api_specification_filename", - "config.api_specification" - ] - } ] } \ No newline at end of file diff --git a/schemas/mtls-auth/3.4.x.json b/schemas/mtls-auth/3.4.x.json index 9e11e123..32d7171e 100644 --- a/schemas/mtls-auth/3.4.x.json +++ b/schemas/mtls-auth/3.4.x.json 
@@ -1,41 +1,44 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { 
@@ -43,144 +46,142 @@ "fields": [ { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "consumer_by": { - "required": false, "default": [ "username", "custom_id" ], - "type": "array", "elements": { - "type": "string", "one_of": [ "username", "custom_id" - ] + ], + "type": "string" }, - "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled." + "type": "array", + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "required": false } }, { "ca_certificates": { "required": true, - "type": "array", + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", "elements": { "uuid": true, "type": "string" }, - "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. 
The value of this array is comprised of primary keys (`id`)." + "type": "array" } }, { "cache_ttl": { "default": 60, - "type": "number", + "description": "Cache expiry time in seconds.", "required": true, - "description": "Cache expiry time in seconds." + "type": "number" } }, { "skip_consumer_lookup": { "default": false, - "type": "boolean", + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", "required": true, - "description": "Skip consumer lookup once certificate is trusted against the configured CA list." + "type": "boolean" } }, { "allow_partial_chain": { "default": false, - "type": "boolean", + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", "required": true, - "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates." + "type": "boolean" } }, { "authenticated_group_by": { - "required": false, "default": "CN", "type": "string", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "required": false, "one_of": [ "CN", "DN" - ], - "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users." 
+ ] } }, { "revocation_check_mode": { - "required": false, "default": "IGNORE_CA_ERROR", "type": "string", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "required": false, "one_of": [ "SKIP", "IGNORE_CA_ERROR", "STRICT" - ], - "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status." + ] } }, { "http_timeout": { "default": 30000, - "type": "number", - "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL." + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number" } }, { "cert_cache_ttl": { "default": 60000, - "type": "number", - "description": "The length of time in milliseconds between refreshes of the revocation check status cache." + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", + "type": "number" } }, { "send_ca_dn": { "default": false, - "type": "boolean", - "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message." 
+ "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", + "type": "boolean" } }, { "http_proxy_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "http_proxy_port": { - "type": "integer", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "https_proxy_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "https_proxy_port": { - "type": "integer", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } } ], - "type": "record", - "required": true, "entity_checks": [ { "mutually_required": [ @@ -194,11 +195,10 @@ "https_proxy_port" ] } - ] + ], + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/oas-validation/3.4.x.json b/schemas/oas-validation/3.4.x.json index 353b408a..7641383b 100644 --- a/schemas/oas-validation/3.4.x.json +++ b/schemas/oas-validation/3.4.x.json 
@@ -1,140 +1,140 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "api_spec": { - "type": "string", + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URL encoded to preserve the YAML format.", "required": true, - "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URL encoded to preserve the YAML format." + "type": "string" } }, { "verbose_response": { "default": false, - "type": "boolean", + "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", "required": false, - "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing." + "type": "boolean" } }, { "validate_request_body": { "default": true, - "type": "boolean", + "description": "If set to true, validates the request body content against the API specification.", "required": false, - "description": "If set to true, validates the request body content against the API specification." 
+ "type": "boolean" } }, { "notify_only_request_validation_failure": { "default": false, - "type": "boolean", + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", "required": false, - "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow." + "type": "boolean" } }, { "validate_request_header_params": { "default": true, - "type": "boolean", + "description": "If set to true, validates HTTP header parameters against the API specification.", "required": false, - "description": "If set to true, validates HTTP header parameters against the API specification." + "type": "boolean" } }, { "validate_request_query_params": { "default": true, - "type": "boolean", + "description": "If set to true, validates query parameters against the API specification.", "required": false, - "description": "If set to true, validates query parameters against the API specification." + "type": "boolean" } }, { "validate_request_uri_params": { "default": true, - "type": "boolean", + "description": "If set to true, validates URI parameters in the request against the API specification.", "required": false, - "description": "If set to true, validates URI parameters in the request against the API specification." + "type": "boolean" } }, { "validate_response_body": { "default": false, - "type": "boolean", + "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", "required": false, - "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code." 
+ "type": "boolean" } }, { "notify_only_response_body_validation_failure": { "default": false, - "type": "boolean", + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", "required": false, - "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow." + "type": "boolean" } }, { "query_parameter_check": { "default": false, - "type": "boolean", + "description": "If set to true, checks if query parameters in the request exist in the API specification.", "required": true, - "description": "If set to true, checks if query parameters in the request exist in the API specification." + "type": "boolean" } }, { "header_parameter_check": { "default": false, - "type": "boolean", + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", "required": true, - "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification." + "type": "boolean" } }, { "allowed_header_parameters": { "default": "Host,Content-Type,User-Agent,Accept,Content-Length", - "type": "string", + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", "required": false, - "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. 
For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent." + "type": "string" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/oauth2-introspection/3.4.x.json b/schemas/oauth2-introspection/3.4.x.json index bd0cefb2..b7fc57b9 100644 --- a/schemas/oauth2-introspection/3.4.x.json +++ b/schemas/oauth2-introspection/3.4.x.json 
@@ -1,59 +1,61 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "introspection_url": { - "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "type": "string" } }, { "ttl": { "default": 30, - "type": "number", - "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration." + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", + "type": "number" } }, { 
@@ -64,102 +66,100 @@ }, { "authorization_value": { - "type": "string", + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", "required": true, - "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`)." + "type": "string" } }, { "timeout": { "default": 10000, - "type": "integer", - "description": "An optional timeout in milliseconds when sending data to the upstream server." + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "integer" } }, { "keepalive": { "default": 60000, - "type": "integer", - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "integer" } }, { "introspect_request": { "default": false, - "type": "boolean", + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", "required": true, - "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request." 
+ "type": "boolean" } }, { "hide_credentials": { "default": false, - "type": "boolean", - "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request." + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request.", + "type": "boolean" } }, { "run_on_preflight": { "default": true, - "type": "boolean", - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed." + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" } }, { "anonymous": { - "default": "", - "type": "string", + "len_min": 0, "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "len_min": 0 + "default": "", + "type": "string" } }, { "consumer_by": { - "required": true, "default": "username", "type": "string", + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", + "required": true, "one_of": [ "username", "client_id" - ], - "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. 
OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`." + ] } }, { "custom_introspection_headers": { - "keys": { - "type": "string" - }, - "required": true, - "values": { - "type": "string" - }, "default": [ ], + "values": { + "type": "string" + }, "type": "map", - "description": "A list of custom headers to be added in the introspection request." + "description": "A list of custom headers to be added in the introspection request.", + "keys": { + "type": "string" + }, + "required": true } }, { "custom_claims_forward": { - "required": true, "default": [ ], - "type": "set", "elements": { "type": "string" }, - "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`." + "type": "set", + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", + "required": true } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/oauth2/3.4.x.json b/schemas/oauth2/3.4.x.json index 847d2903..e6d76411 100644 --- a/schemas/oauth2/3.4.x.json +++ b/schemas/oauth2/3.4.x.json @@ -1,15 +1,19 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", @@ -18,10 +22,7 @@ "ws", "wss" ], - "type": "set", - "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -29,16 +30,18 @@ "https", "ws", "wss" - ] - } + ], + "type": "string" + }, + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { 
@@ -46,169 +49,166 @@ "fields": [ { "scopes": { - "type": "array", + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", "elements": { "type": "string" }, - "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required." + "type": "array" } }, { "mandatory_scope": { + "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", "default": false, - "type": "boolean", "required": true, - "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user." + "type": "boolean" } }, { "provision_key": { "required": true, - "auto": true, - "encrypted": true, "type": "string", "unique": true, - "description": "The unique key the plugin has generated when it has been added to the Service." + "description": "The unique key the plugin has generated when it has been added to the Service.", + "encrypted": true, + "auto": true } }, { "token_expiration": { + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration.", "default": 7200, - "type": "number", "required": true, - "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration." + "type": "number" } }, { "enable_authorization_code": { + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", "default": false, - "type": "boolean", "required": true, - "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1)." 
+ "type": "boolean" } }, { "enable_implicit_grant": { + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", "default": false, - "type": "boolean", "required": true, - "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2)." + "type": "boolean" } }, { "enable_client_credentials": { + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", "default": false, - "type": "boolean", "required": true, - "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4)." + "type": "boolean" } }, { "enable_password_grant": { + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", "default": false, - "type": "boolean", "required": true, - "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3)." + "type": "boolean" } }, { "hide_credentials": { + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", "default": false, - "type": "boolean", "required": true, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service." + "type": "boolean" } }, { "accept_http_if_already_terminated": { + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", "default": false, - "type": "boolean", "required": true, - "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer." 
+ "type": "boolean" } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" } }, { "global_credentials": { + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", "default": false, - "type": "boolean", "required": true, - "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`." + "type": "boolean" } }, { "auth_header_name": { + "description": "The name of the header that is supposed to carry the access token.", "default": "authorization", - "type": "string", - "description": "The name of the header that is supposed to carry the access token." + "type": "string" } }, { "refresh_token_ttl": { - "required": true, + "default": 1209600, + "type": "number", "between": [ 0, 100000000 ], - "default": 1209600, - "type": "number", - "description": "Time-to-live value for data" + "description": "Time-to-live value for data", + "required": true } }, { "reuse_refresh_token": { + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", "default": false, - "type": "boolean", "required": true, - "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token." 
+ "type": "boolean" } }, { "persistent_refresh_token": { "default": false, - "type": "boolean", - "required": true + "required": true, + "type": "boolean" } }, { "pkce": { - "required": false, "default": "lax", "type": "string", + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", + "required": false, "one_of": [ "none", "lax", "strict" - ], - "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin." + ] } } ], - "type": "record", - "required": true, "entity_checks": [ { "conditional": { + "then_match": { + "required": true + }, "if_match": { "eq": true }, "then_field": "scopes", - "if_field": "mandatory_scope", - "then_match": { - "required": true - } + "if_field": "mandatory_scope" } } - ] + ], + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/opa/3.4.x.json b/schemas/opa/3.4.x.json index 528217ab..7fdf5f5d 100644 --- a/schemas/opa/3.4.x.json +++ b/schemas/opa/3.4.x.json 
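Review bot: In the `@@ -46,169 +49,166 @@` hunk of `schemas/oauth2/3.4.x.json`, the descriptions of `enable_authorization_code`, `enable_implicit_grant`, `enable_client_credentials` and `enable_password_grant` cite `RFC 6742`, which is not the OAuth 2.0 specification. The section numbers they give (4.1, 4.2, 4.4, 4.3) match RFC 6749, so each should read e.g. `(RFC 6749 Section 4.1)`. The same text is on the removed side, so this commit carries the error over rather than introducing it; because the file is pulled from the API, the correction presumably belongs in the plugin's schema source. In the same hunk `persistent_refresh_token` still has no `description` and `refresh_token_ttl` only has the generic `Time-to-live value for data`; both control how long a refresh token stays usable and deserve a specific description.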
@@ -1,82 +1,82 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "opa_protocol": { + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", "default": "http", - "type": "string", "one_of": [ "http", "https" ], - "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`." + "type": "string" } }, { "opa_host": { + "description": "A string representing a host name, such as example.com.", "default": "localhost", - "type": "string", "required": true, - "description": "A string representing a host name, such as example.com." + "type": "string" } }, { "opa_port": { - "required": true, + "default": 8181, + "type": "integer", "between": [ 0, 65535 ], - "default": 8181, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true } }, { "opa_path": { - "required": true, - "starts_with": "/", "type": "string", "match_none": [ { @@ -84,28 +84,30 @@ "err": "must not have empty segments" } ], + "starts_with": "/", + "required": true, "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "include_service_in_opa_input": { + "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", "default": false, - "type": "boolean", - "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA." + "type": "boolean" } }, { "include_route_in_opa_input": { + "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", "default": false, - "type": "boolean", - "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA." + "type": "boolean" } }, { "include_consumer_in_opa_input": { + "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", "default": false, - "type": "boolean", - "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA." + "type": "boolean" } }, { 
@@ -116,32 +118,30 @@ }, { "include_parsed_json_body_in_opa_input": { + "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", "default": false, - "type": "boolean", - "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA." + "type": "boolean" } }, { "include_uri_captures_in_opa_input": { + "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", "default": false, - "type": "boolean", - "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA." + "type": "boolean" } }, { "ssl_verify": { + "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", "default": true, - "type": "boolean", "required": true, - "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate." + "type": "boolean" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/openid-connect/3.4.x.json b/schemas/openid-connect/3.4.x.json index 570347d3..5e98becc 100644 --- a/schemas/openid-connect/3.4.x.json +++ b/schemas/openid-connect/3.4.x.json 
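Review bot: The `ssl_verify` description at the end of the `@@ -116,32 +118,30 @@` hunk of `schemas/opa/3.4.x.json` does not say that the setting only matters when `opa_protocol` is `https`, while the first hunk of the same file shows `opa_protocol` defaulting to `http`. With those defaults there is no certificate to verify, and whatever the `include_*_in_opa_input` options select (consumer, parsed JSON body) travels to OPA unencrypted. That is reasonable for the default `opa_host` of `localhost` but easy to overlook once `opa_host` points at a remote server. I would append a sentence such as `Only takes effect when opa_protocol is https.` to the description; as the file is generated, that change presumably has to be made in the plugin schema source.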
@@ -1,179 +1,97 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "shorthand_fields": [ - { - "authorization_cookie_lifetime": { - "type": "number" - } - }, - { - "authorization_cookie_samesite": { - "type": "string" - } - }, - { - "authorization_cookie_httponly": { - "type": "boolean" - } - }, - { - "session_cookie_lifetime": { - "type": "number" - } - }, - { - "session_cookie_idletime": { - "type": "number" - } - }, - { - "session_cookie_samesite": { - "type": "string" - } - }, - { - "session_cookie_httponly": { - "type": "boolean" - } - }, - { - "session_memcache_prefix": { - "type": "string" - } - }, - { - "session_memcache_socket": { - "type": "string" - } - }, - { - "session_memcache_host": { - "type": "string" - } - }, - { - "session_memcache_port": { - "type": "integer" - } - }, - { - "session_redis_cluster_maxredirections": { - "type": "integer" - } - }, - { - "session_cookie_renew": { - "type": "number" - } - }, - { - "session_cookie_maxsize": { - "type": 
"integer" - } - }, - { - "session_strategy": { - "type": "string" - } - }, - { - "session_compressor": { - "type": "string" - } - } - ], - "type": "record", - "required": true, "fields": [ { "issuer": { - "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "type": "string" } }, { "discovery_headers_names": { "required": false, - "type": "array", + "description": "Extra header names passed to the discovery endpoint.", "elements": { "type": "string" }, - "description": "Extra header names passed to the discovery endpoint." + "type": "array" } }, { "discovery_headers_values": { "required": false, - "type": "array", + "description": "Extra header values passed to the discovery endpoint.", "elements": { "type": "string" }, - "description": "Extra header values passed to the discovery endpoint." + "type": "array" } }, { "extra_jwks_uris": { "required": false, - "type": "set", + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery)." + "type": "set" } }, { "rediscovery_lifetime": { + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", "default": 30, - "type": "number", "required": false, - "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis." 
+ "type": "number" } }, { "auth_methods": { - "required": false, "default": [ "password", "client_credentials", @@ -185,9 +103,7 @@ "refresh_token", "session" ], - "type": "array", "elements": { - "type": "string", "one_of": [ "password", "client_credentials", @@ -198,59 +114,59 @@ "kong_oauth2", "refresh_token", "session" - ] + ], + "type": "string" }, - "description": "Types of credentials/grants to enable." + "type": "array", + "description": "Types of credentials/grants to enable.", + "required": false } }, { "client_id": { - "required": false, - "encrypted": true, - "type": "array", "elements": { "referenceable": true, "type": "string" }, - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." + "type": "array", + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "required": false, + "encrypted": true } }, { "client_secret": { - "required": false, - "encrypted": true, - "type": "array", "elements": { "referenceable": true, "type": "string" }, - "description": "The client secret." + "type": "array", + "description": "The client secret.", + "required": false, + "encrypted": true } }, { "client_auth": { "required": false, - "type": "array", + "description": "The authentication method used by the client (plugin) when calling the endpoint.", "elements": { - "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none" - ] + ], + "type": "string" }, - "description": "The authentication method used by the client (plugin) when calling the endpoint." + "type": "array" } }, { "client_jwk": { - "type": "array", "required": false, "elements": { - "type": "record", - "required": false, "fields": [ { "issuer": { @@ -272,12 +188,12 @@ }, { "key_ops": { - "type": "array", "required": false, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } }, { 
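Review bot: The legacy `shorthand_fields` list of `config` disappears in the `@@ -1,179 +1,97 @@` hunk of `schemas/openid-connect/3.4.x.json` with nothing added in its place, which is a different kind of change from the key reordering that makes up the rest of the hunk. The current names (`authorization_cookie_same_site`, `authorization_cookie_http_only`) remain as regular fields further down, but aliases such as `session_cookie_samesite`, `session_cookie_httponly` and `authorization_cookie_httponly` are no longer described anywhere in this file. If the gateway still accepts them, anything that validates or documents configuration from this schema would treat cookie-hardening settings written with the old names as unknown. It is worth confirming whether the API simply omits `shorthand_fields` and, if so, either keeping the list or recording the omission in the commit description.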
@@ -300,12 +216,12 @@ }, { "x5c": { - "type": "array", "required": false, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } }, { @@ -322,10 +238,10 @@ }, { "k": { - "encrypted": true, - "type": "string", + "referenceable": true, "required": false, - "referenceable": true + "encrypted": true, + "type": "string" } }, { 
@@ -360,86 +276,87 @@ }, { "d": { - "encrypted": true, - "type": "string", + "referenceable": true, "required": false, - "referenceable": true + "encrypted": true, + "type": "string" } }, { "p": { - "encrypted": true, - "type": "string", + "referenceable": true, "required": false, - "referenceable": true + "encrypted": true, + "type": "string" } }, { "q": { - "encrypted": true, - "type": "string", + "referenceable": true, "required": false, - "referenceable": true + "encrypted": true, + "type": "string" } }, { "dp": { - "encrypted": true, - "type": "string", + "referenceable": true, "required": false, - "referenceable": true + "encrypted": true, + "type": "string" } }, { "dq": { - "encrypted": true, - "type": "string", + "referenceable": true, "required": false, - "referenceable": true + "encrypted": true, + "type": "string" } }, { "qi": { - "encrypted": true, - "type": "string", + "referenceable": true, "required": false, - "referenceable": true + "encrypted": true, + "type": "string" } }, { "oth": { - "encrypted": true, - "type": "string", + "referenceable": true, "required": false, - "referenceable": true + "encrypted": true, + "type": "string" } }, { "r": { - "encrypted": true, - "type": "string", + "referenceable": true, "required": false, - "referenceable": true + "encrypted": true, + "type": "string" } }, { "t": { - "encrypted": true, - "type": "string", + "referenceable": true, "required": false, - "referenceable": true + "encrypted": true, + "type": "string" } } - ] - } + ], + "required": false, + "type": "record" + }, + "type": "array" } }, { "client_alg": { - "type": "array", "required": false, "elements": { - "type": "string", "one_of": [ "HS256", "HS384", 
@@ -454,407 +371,419 @@ "PS384", "PS512", "EdDSA" - ] - } + ], + "type": "string" + }, + "type": "array" } }, { "client_arg": { + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", "default": "client_id", - "type": "string", "required": false, - "description": "The client to use for this request (the selection is made with a request parameter with the same name)." + "type": "string" } }, { "redirect_uri": { "required": false, - "type": "array", + "description": "The redirect URI passed to the authorization and token endpoints.", "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "description": "The redirect URI passed to the authorization and token endpoints." + "type": "array" } }, { "login_redirect_uri": { "required": false, - "type": "array", + "description": "Where to redirect the client when `login_action` is set to `redirect`.", "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "description": "Where to redirect the client when `login_action` is set to `redirect`." + "type": "array" } }, { "logout_redirect_uri": { "required": false, - "type": "array", + "description": "Where to redirect the client after the logout.", "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "description": "Where to redirect the client after the logout." 
+ "type": "array" } }, { "forbidden_redirect_uri": { "required": false, - "type": "array", + "description": "Where to redirect the client on forbidden requests.", "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "description": "Where to redirect the client on forbidden requests." + "type": "array" } }, { "forbidden_error_message": { + "description": "The error message for the forbidden requests (when not using the redirection).", "default": "Forbidden", - "type": "string", "required": false, - "description": "The error message for the forbidden requests (when not using the redirection)." + "type": "string" } }, { "forbidden_destroy_session": { + "description": "Destroy any active session for the forbidden requests.", + "default": true, + "required": false, + "type": "boolean" + } + }, + { + "unauthorized_destroy_session": { + "description": "Destroy any active session for the unauthorized requests.", "default": true, - "type": "boolean", "required": false, - "description": "Destroy any active session for the forbidden requests." + "type": "boolean" } }, { "unauthorized_redirect_uri": { "required": false, - "type": "array", + "description": "Where to redirect the client on unauthorized requests.", "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "description": "Where to redirect the client on unauthorized requests." 
+ "type": "array" } }, { "unauthorized_error_message": { + "description": "The error message for the unauthorized requests (when not using the redirection).", "default": "Unauthorized", - "type": "string", "required": false, - "description": "The error message for the unauthorized requests (when not using the redirection)." + "type": "string" } }, { "unexpected_redirect_uri": { "required": false, - "type": "array", + "description": "Where to redirect the client when unexpected errors happen with the requests.", "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "description": "Where to redirect the client when unexpected errors happen with the requests." + "type": "array" } }, { "response_mode": { - "required": false, "default": "query", "type": "string", + "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)", + "required": false, "one_of": [ "query", "form_post", "fragment" - ], - "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)" + ] } }, { "response_type": { - "required": false, "default": [ "code" ], - "type": "array", "elements": { "type": "string" }, - "description": "The response type passed to the authorization endpoint." 
+ "type": "array", + "description": "The response type passed to the authorization endpoint.", + "required": false } }, { "scopes": { - "required": false, "default": [ "openid" ], - "type": "array", "elements": { "type": "string" }, - "description": "The scopes passed to the authorization and token endpoints." + "type": "array", + "description": "The scopes passed to the authorization and token endpoints.", + "required": false } }, { "audience": { "required": false, - "type": "array", + "description": "The audience passed to the authorization endpoint.", "elements": { "type": "string" }, - "description": "The audience passed to the authorization endpoint." + "type": "array" } }, { "issuers_allowed": { "required": false, - "type": "array", + "description": "The issuers allowed to be present in the tokens (`iss` claim).", "elements": { "type": "string" }, - "description": "The issuers allowed to be present in the tokens (`iss` claim)." + "type": "array" } }, { "scopes_required": { "required": false, - "type": "array", + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" }, - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + "type": "array" } }, { "scopes_claim": { - "required": false, "default": [ "scope" ], - "type": "array", "elements": { "type": "string" }, - "description": "The claim that contains the scopes." 
+ "type": "array", + "description": "The claim that contains the scopes.", + "required": false } }, { "audience_required": { "required": false, - "type": "array", + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" }, - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + "type": "array" } }, { "audience_claim": { - "required": false, "default": [ "aud" ], - "type": "array", "elements": { "type": "string" }, - "description": "The claim that contains the audience." + "type": "array", + "description": "The claim that contains the audience.", + "required": false } }, { "groups_required": { "required": false, - "type": "array", + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" }, - "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + "type": "array" } }, { "groups_claim": { - "required": false, "default": [ "groups" ], - "type": "array", "elements": { "type": "string" }, - "description": "The claim that contains the groups." + "type": "array", + "description": "The claim that contains the groups.", + "required": false } }, { "roles_required": { "required": false, - "type": "array", + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" }, - "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + "type": "array" } }, { "roles_claim": { - "required": false, "default": [ "roles" ], - "type": "array", "elements": { "type": "string" }, - "description": "The claim that contains the roles." + "type": "array", + "description": "The claim that contains the roles.", + "required": false } }, { "domains": { "required": false, - "type": "array", + "description": "The allowed values for the `hd` claim.", "elements": { "type": "string" }, - "description": "The allowed values for the `hd` claim." + "type": "array" } }, { "max_age": { - "type": "number", + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", "required": false, - "description": "The maximum age (in seconds) compared to the `auth_time` claim." + "type": "number" } }, { "authenticated_groups_claim": { "required": false, - "type": "array", + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations.", "elements": { "type": "string" }, - "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations." + "type": "array" } }, { "authorization_endpoint": { - "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ "type": "string" } }, { "authorization_query_args_names": { "required": false, - "type": "array", + "description": "Extra query argument names passed to the authorization endpoint.", "elements": { "type": "string" }, - "description": "Extra query argument names passed to the authorization endpoint." + "type": "array" } }, { "authorization_query_args_values": { "required": false, - "type": "array", + "description": "Extra query argument values passed to the authorization endpoint.", "elements": { "type": "string" }, - "description": "Extra query argument values passed to the authorization endpoint." + "type": "array" } }, { "authorization_query_args_client": { "required": false, - "type": "array", + "description": "Extra query arguments passed from the client to the authorization endpoint.", "elements": { "type": "string" }, - "description": "Extra query arguments passed from the client to the authorization endpoint." + "type": "array" } }, { "authorization_rolling_timeout": { + "description": "Network IO timeout in milliseconds.", "default": 600, - "type": "number", "required": false, - "description": "Network IO timeout in milliseconds." + "type": "number" } }, { "authorization_cookie_name": { + "description": "The authorization cookie name.", "default": "authorization", - "type": "string", "required": false, - "description": "The authorization cookie name." + "type": "string" } }, { "authorization_cookie_path": { - "required": false, "default": "/", - "starts_with": "/", "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/", + "required": false, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ], - "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + ] } }, { "authorization_cookie_domain": { - "type": "string", + "description": "The authorization cookie Domain flag.", "required": false, - "description": "The authorization cookie Domain flag." + "type": "string" } }, { "authorization_cookie_same_site": { - "required": false, "default": "Default", "type": "string", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "required": false, "one_of": [ "Strict", "Lax", "None", "Default" - ], - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." + ] } }, { "authorization_cookie_http_only": { + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "default": true, - "type": "boolean", "required": false, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." + "type": "boolean" } }, { "authorization_cookie_secure": { - "type": "boolean", + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "required": false, - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." + "type": "boolean" } }, { "preserve_query_args": { + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", "default": false, - "type": "boolean", "required": false, - "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow." 
+ "type": "boolean" } }, { "token_endpoint": { - "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "type": "string" } }, { "token_endpoint_auth_method": { + "required": false, + "description": "The token endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -862,113 +791,113 @@ "private_key_jwt", "none" ], - "type": "string", - "required": false, - "description": "The token endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate" + "type": "string" } }, { "token_headers_names": { "required": false, - "type": "array", + "description": "Extra header names passed to the token endpoint.", "elements": { "type": "string" }, - "description": "Extra header names passed to the token endpoint." + "type": "array" } }, { "token_headers_values": { "required": false, - "type": "array", + "description": "Extra header values passed to the token endpoint.", "elements": { "type": "string" }, - "description": "Extra header values passed to the token endpoint." + "type": "array" } }, { "token_headers_client": { "required": false, - "type": "array", + "description": "Extra headers passed from the client to the token endpoint.", "elements": { "type": "string" }, - "description": "Extra headers passed from the client to the token endpoint." + "type": "array" } }, { "token_headers_replay": { "required": false, - "type": "array", + "description": "The names of token endpoint response headers to forward to the downstream client.", "elements": { "type": "string" }, - "description": "The names of token endpoint response headers to forward to the downstream client." 
+ "type": "array" } }, { "token_headers_prefix": { - "type": "string", + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", "required": false, - "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client." + "type": "string" } }, { "token_headers_grants": { "required": false, - "type": "array", + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant", "elements": { - "type": "string", "one_of": [ "password", "client_credentials", "authorization_code", "refresh_token" - ] + ], + "type": "string" }, - "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant" + "type": "array" } }, { "token_post_args_names": { "required": false, - "type": "array", + "description": "Extra post argument names passed to the token endpoint.", "elements": { "type": "string" }, - "description": "Extra post argument names passed to the token endpoint." + "type": "array" } }, { "token_post_args_values": { "required": false, - "type": "array", + "description": "Extra post argument values passed to the token endpoint.", "elements": { "type": "string" }, - "description": "Extra post argument values passed to the token endpoint." + "type": "array" } }, { "token_post_args_client": { "required": false, - "type": "array", + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. 
If arguments exist, the client can pass them using: - Request Body - Query parameters This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body and send it to the token endpoint.", "elements": { "type": "string" }, - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Request Body - Query parameters This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body and send it to the token endpoint." + "type": "array" } }, { "introspection_endpoint": { - "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "type": "string" } }, { "introspection_endpoint_auth_method": { + "required": false, + "description": "The introspection endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -976,117 +905,117 @@ "private_key_jwt", "none" ], - "type": "string", - "required": false, - "description": "The introspection endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate" + "type": "string" } }, { "introspection_hint": { + "description": "Introspection hint parameter value passed to the introspection endpoint.", "default": "access_token", - "type": "string", "required": false, - "description": "Introspection hint parameter value passed to the introspection endpoint." + "type": "string" } }, { "introspection_check_active": { + "description": "Check that the introspection response has an `active` claim with a value of `true`.", "default": true, - "type": "boolean", "required": false, - "description": "Check that the introspection response has an `active` claim with a value of `true`." 
+ "type": "boolean" } }, { "introspection_accept": { - "required": false, "default": "application/json", "type": "string", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)", + "required": false, "one_of": [ "application/json", "application/token-introspection+jwt", "application/jwt" - ], - "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)" + ] } }, { "introspection_headers_names": { "required": false, - "type": "array", + "description": "Extra header names passed to the introspection endpoint.", "elements": { "type": "string" }, - "description": "Extra header names passed to the introspection endpoint." + "type": "array" } }, { "introspection_headers_values": { "required": false, - "type": "array", + "description": "Extra header values passed to the introspection endpoint.", "elements": { "type": "string" }, - "description": "Extra header values passed to the introspection endpoint." + "type": "array" } }, { "introspection_headers_client": { "required": false, - "type": "array", + "description": "Extra headers passed from the client to the introspection endpoint.", "elements": { "type": "string" }, - "description": "Extra headers passed from the client to the introspection endpoint." 
+ "type": "array" } }, { "introspection_post_args_names": { "required": false, - "type": "array", + "description": "Extra post argument names passed to the introspection endpoint.", "elements": { "type": "string" }, - "description": "Extra post argument names passed to the introspection endpoint." + "type": "array" } }, { "introspection_post_args_values": { "required": false, - "type": "array", + "description": "Extra post argument values passed to the introspection endpoint.", "elements": { "type": "string" }, - "description": "Extra post argument values passed to the introspection endpoint." + "type": "array" } }, { "introspection_post_args_client": { "required": false, - "type": "array", + "description": "Extra post arguments passed from the client to the introspection endpoint.", "elements": { "type": "string" }, - "description": "Extra post arguments passed from the client to the introspection endpoint." + "type": "array" } }, { "introspect_jwt_tokens": { + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", "default": false, - "type": "boolean", "required": false, - "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations)." + "type": "boolean" } }, { "revocation_endpoint": { - "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ "type": "string" } }, { "revocation_endpoint_auth_method": { + "required": false, + "description": "The revocation endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -1094,240 +1023,237 @@ "private_key_jwt", "none" ], - "type": "string", - "required": false, - "description": "The revocation endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate" + "type": "string" } }, { "end_session_endpoint": { - "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "type": "string" } }, { "userinfo_endpoint": { - "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ "type": "string" } }, { "userinfo_accept": { - "required": false, "default": "application/json", "type": "string", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)", + "required": false, "one_of": [ "application/json", "application/jwt" - ], - "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)" + ] } }, { "userinfo_headers_names": { "required": false, - "type": "array", + "description": "Extra header names passed to the user info endpoint.", "elements": { "type": "string" }, - "description": "Extra header names passed to the user info endpoint." + "type": "array" } }, { "userinfo_headers_values": { "required": false, - "type": "array", + "description": "Extra header values passed to the user info endpoint.", "elements": { "type": "string" }, - "description": "Extra header values passed to the user info endpoint." + "type": "array" } }, { "userinfo_headers_client": { "required": false, - "type": "array", + "description": "Extra headers passed from the client to the user info endpoint.", "elements": { "type": "string" }, - "description": "Extra headers passed from the client to the user info endpoint." + "type": "array" } }, { "userinfo_query_args_names": { "required": false, - "type": "array", + "description": "Extra query argument names passed to the user info endpoint.", "elements": { "type": "string" }, - "description": "Extra query argument names passed to the user info endpoint." 
+ "type": "array" } }, { "userinfo_query_args_values": { "required": false, - "type": "array", + "description": "Extra query argument values passed to the user info endpoint.", "elements": { "type": "string" }, - "description": "Extra query argument values passed to the user info endpoint." + "type": "array" } }, { "userinfo_query_args_client": { "required": false, - "type": "array", + "description": "Extra query arguments passed from the client to the user info endpoint.", "elements": { "type": "string" }, - "description": "Extra query arguments passed from the client to the user info endpoint." + "type": "array" } }, { "token_exchange_endpoint": { - "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "type": "string" } }, { "session_secret": { - "required": false, - "description": "The session secret.", + "referenceable": true, "type": "string", + "description": "The session secret.", "encrypted": true, - "referenceable": true + "required": false } }, { "session_audience": { + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", "default": "default", - "type": "string", "required": false, - "description": "The session audience, which is the intended target application. For example `\"my-application\"`." + "type": "string" } }, { "session_cookie_name": { + "description": "The session cookie name.", "default": "session", - "type": "string", "required": false, - "description": "The session cookie name." + "type": "string" } }, { "session_remember": { + "description": "Enables or disables persistent sessions.", "default": false, - "type": "boolean", "required": false, - "description": "Enables or disables persistent sessions." 
+ "type": "boolean" } }, { "session_remember_cookie_name": { + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", "default": "remember", - "type": "string", "required": false, - "description": "Persistent session cookie name. Use with the `remember` configuration parameter." + "type": "string" } }, { "session_remember_rolling_timeout": { + "description": "Network IO timeout in milliseconds.", "default": 604800, - "type": "number", "required": false, - "description": "Network IO timeout in milliseconds." + "type": "number" } }, { "session_remember_absolute_timeout": { + "description": "Network IO timeout in milliseconds.", "default": 2592000, - "type": "number", "required": false, - "description": "Network IO timeout in milliseconds." + "type": "number" } }, { "session_idling_timeout": { + "description": "Network IO timeout in milliseconds.", "default": 900, - "type": "number", "required": false, - "description": "Network IO timeout in milliseconds." + "type": "number" } }, { "session_rolling_timeout": { + "description": "Network IO timeout in milliseconds.", "default": 3600, - "type": "number", "required": false, - "description": "Network IO timeout in milliseconds." + "type": "number" } }, { "session_absolute_timeout": { + "description": "Network IO timeout in milliseconds.", "default": 86400, - "type": "number", "required": false, - "description": "Network IO timeout in milliseconds." + "type": "number" } }, { "session_cookie_path": { - "required": false, "default": "/", - "starts_with": "/", "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/", + "required": false, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ], - "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + ] } }, { "session_cookie_domain": { - "type": "string", + "description": "The session cookie Domain flag.", "required": false, - "description": "The session cookie Domain flag." + "type": "string" } }, { "session_cookie_same_site": { - "required": false, "default": "Lax", "type": "string", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "required": false, "one_of": [ "Strict", "Lax", "None", "Default" - ], - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." + ] } }, { "session_cookie_http_only": { + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "default": true, - "type": "boolean", "required": false, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." + "type": "boolean" } }, { "session_cookie_secure": { - "type": "boolean", + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "required": false, - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." + "type": "boolean" } }, { "session_request_headers": { "elements": { - "type": "string", "one_of": [ "id", "audience", @@ -1336,7 +1262,8 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ] + ], + "type": "string" }, "type": "set" } @@ -1344,7 +1271,6 @@ { "session_response_headers": { "elements": { - "type": "string", "one_of": [ "id", "audience", 
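Review bot: The five session lifetime fields in the hunk that begins at `@@ -1094,240 +1023,237 @@` (`session_remember_rolling_timeout`, `session_remember_absolute_timeout`, `session_idling_timeout`, `session_rolling_timeout`, `session_absolute_timeout`) all carry the description "Network IO timeout in milliseconds.", which does not fit their defaults. Values of 900, 3600, 86400, 604800 and 2592000 read as session lifetimes in seconds (15 minutes, one hour, one day, 7 days, 30 days), though that is inferred from the numbers and should be confirmed against the plugin. An operator who trusts the text and enters milliseconds would get sessions roughly a thousand times longer-lived than intended, weakening idle and absolute session expiry. Each field needs its own description, for example `"description": "The session idling timeout, in seconds."` on `session_idling_timeout`. Because these files are pulled from the API, the correction belongs in the upstream plugin schema, not in a hand edit here.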
@@ -1353,452 +1279,453 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ] + ], + "type": "string" }, "type": "set" } }, { "session_storage": { - "required": false, "default": "cookie", "type": "string", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis", + "required": false, "one_of": [ "cookie", "memcache", "memcached", "redis" - ], - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis" + ] } }, { "session_store_metadata": { + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", "default": false, - "type": "boolean", "required": false, - "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject." + "type": "boolean" } }, { "session_enforce_same_subject": { + "description": "When set to `true`, audiences are forced to share the same subject.", "default": false, - "type": "boolean", "required": false, - "description": "When set to `true`, audiences are forced to share the same subject." + "type": "boolean" } }, { "session_hash_subject": { + "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", "default": false, - "type": "boolean", "required": false, - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." + "type": "boolean" } }, { "session_hash_storage_key": { + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "default": false, - "type": "boolean", "required": false, - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." + "type": "boolean" } }, { "session_memcached_prefix": { - "type": "string", + "description": "The memcached session key prefix.", "required": false, - "description": "The memcached session key prefix." + "type": "string" } }, { "session_memcached_socket": { - "type": "string", + "description": "The memcached unix socket path.", "required": false, - "description": "The memcached unix socket path." + "type": "string" } }, { "session_memcached_host": { + "description": "The memcached host.", "default": "127.0.0.1", - "type": "string", "required": false, - "description": "The memcached host." + "type": "string" } }, { "session_memcached_port": { - "required": false, + "default": 11211, + "type": "integer", "between": [ 0, 65535 ], - "default": 11211, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": false } }, { "session_redis_prefix": { - "type": "string", + "description": "The Redis session key prefix.", "required": false, - "description": "The Redis session key prefix." 
+ "type": "string" } }, { "session_redis_socket": { - "type": "string", + "description": "The Redis unix socket path.", "required": false, - "description": "The Redis unix socket path." + "type": "string" } }, { "session_redis_host": { + "description": "The Redis host", "default": "127.0.0.1", - "type": "string", "required": false, - "description": "The Redis host" + "type": "string" } }, { "session_redis_port": { - "required": false, + "default": 6379, + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": false } }, { "session_redis_username": { "referenceable": true, - "type": "string", + "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", "required": false, - "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." + "type": "string" } }, { "session_redis_password": { - "required": false, - "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, "type": "string", + "description": "Password to use for Redis connection when the `redis` session storage is defined. 
If undefined, no AUTH commands are sent to Redis.", "encrypted": true, - "referenceable": true + "required": false } }, { "session_redis_connect_timeout": { - "type": "integer", + "description": "Network IO timeout in milliseconds.", "required": false, - "description": "Network IO timeout in milliseconds." + "type": "integer" } }, { "session_redis_read_timeout": { - "type": "integer", + "description": "Network IO timeout in milliseconds.", "required": false, - "description": "Network IO timeout in milliseconds." + "type": "integer" } }, { "session_redis_send_timeout": { - "type": "integer", + "description": "Network IO timeout in milliseconds.", "required": false, - "description": "Network IO timeout in milliseconds." + "type": "integer" } }, { "session_redis_ssl": { + "description": "Use SSL/TLS for Redis connection.", "default": false, - "type": "boolean", "required": false, - "description": "Use SSL/TLS for Redis connection." + "type": "boolean" } }, { "session_redis_ssl_verify": { + "description": "Verify identity provider server certificate.", "default": false, - "type": "boolean", "required": false, - "description": "Verify identity provider server certificate." + "type": "boolean" } }, { "session_redis_server_name": { - "type": "string", + "description": "The SNI used for connecting the Redis server.", "required": false, - "description": "The SNI used for connecting the Redis server." + "type": "string" } }, { "session_redis_cluster_nodes": { "required": false, - "type": "array", + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", "elements": { "fields": [ { "ip": { + "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "type": "string", "required": true, - "description": "A string representing a host name, such as example.com." 
+ "type": "string" } }, { "port": { - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } } ], "type": "record" }, - "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values." + "type": "array" } }, { "session_redis_cluster_max_redirections": { - "type": "integer", + "description": "The Redis cluster maximum redirects.", "required": false, - "description": "The Redis cluster maximum redirects." + "type": "integer" } }, { "reverify": { + "description": "Specifies whether to always verify tokens stored in the session.", "default": false, - "type": "boolean", "required": false, - "description": "Specifies whether to always verify tokens stored in the session." + "type": "boolean" } }, { "jwt_session_claim": { + "description": "The claim to match against the JWT session cookie.", "default": "sid", - "type": "string", "required": false, - "description": "The claim to match against the JWT session cookie." + "type": "string" } }, { "jwt_session_cookie": { - "type": "string", + "description": "The name of the JWT session cookie.", "required": false, - "description": "The name of the JWT session cookie." 
+ "type": "string" } }, { "bearer_token_param_type": { - "required": false, "default": [ "header", "query", "body" ], - "type": "array", "elements": { - "type": "string", "one_of": [ "header", "cookie", "query", "body" - ] + ], + "type": "string" }, - "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`" + "type": "array", + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`", + "required": false } }, { "bearer_token_cookie_name": { - "type": "string", + "description": "The name of the cookie in which the bearer token is passed.", "required": false, - "description": "The name of the cookie in which the bearer token is passed." 
+ "type": "string" } }, { "client_credentials_param_type": { - "required": false, "default": [ "header", "query", "body" ], - "type": "array", "elements": { - "type": "string", "one_of": [ "header", "query", "body" - ] + ], + "type": "string" }, - "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body" + "type": "array", + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body", + "required": false } }, { "password_param_type": { - "required": false, "default": [ "header", "query", "body" ], - "type": "array", "elements": { - "type": "string", "one_of": [ "header", "query", "body" - ] + ], + "type": "string" }, - "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body" + "type": "array", + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", + "required": false } }, { "id_token_param_type": { - "required": false, "default": [ "header", "query", "body" ], - "type": "array", "elements": { - "type": "string", "one_of": [ "header", "query", "body" - ] + ], + "type": "string" }, - "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body" + "type": "array", + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", + "required": false } }, { "id_token_param_name": { - "type": "string", + "description": "The name of the parameter used to pass the id token.", "required": 
false, - "description": "The name of the parameter used to pass the id token." + "type": "string" } }, { "refresh_token_param_type": { - "required": false, "default": [ "header", "query", "body" ], - "type": "array", "elements": { - "type": "string", "one_of": [ "header", "query", "body" - ] + ], + "type": "string" }, - "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body" + "type": "array", + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", + "required": false } }, { "refresh_token_param_name": { - "type": "string", + "description": "The name of the parameter used to pass the refresh token.", "required": false, - "description": "The name of the parameter used to pass the refresh token." + "type": "string" } }, { "refresh_tokens": { + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", "default": true, - "type": "boolean", "required": false, - "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available." + "type": "boolean" } }, { "upstream_headers_claims": { "required": false, - "type": "array", + "description": "The upstream header claims.", "elements": { "type": "string" }, - "description": "The upstream header claims." + "type": "array" } }, { "upstream_headers_names": { "required": false, - "type": "array", + "description": "The upstream header names for the claim values.", "elements": { "type": "string" }, - "description": "The upstream header names for the claim values." 
+ "type": "array" } }, { "upstream_access_token_header": { + "description": "The upstream access token header.", "default": "authorization:bearer", - "type": "string", "required": false, - "description": "The upstream access token header." + "type": "string" } }, { "upstream_access_token_jwk_header": { - "type": "string", + "description": "The upstream access token JWK header.", "required": false, - "description": "The upstream access token JWK header." + "type": "string" } }, { "upstream_id_token_header": { - "type": "string", + "description": "The upstream id token header.", "required": false, - "description": "The upstream id token header." + "type": "string" } }, { "upstream_id_token_jwk_header": { - "type": "string", + "description": "The upstream id token JWK header.", "required": false, - "description": "The upstream id token JWK header." + "type": "string" } }, { "upstream_refresh_token_header": { - "type": "string", + "description": "The upstream refresh token header.", "required": false, - "description": "The upstream refresh token header." + "type": "string" } }, { "upstream_user_info_header": { - "type": "string", + "description": "The upstream user info header.", "required": false, - "description": "The upstream user info header." + "type": "string" } }, { "upstream_user_info_jwt_header": { - "type": "string", + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", "required": false, - "description": "The upstream user info JWT header (in case the user info returns a JWT response)." + "type": "string" } }, { "upstream_introspection_header": { - "type": "string", + "description": "The upstream introspection header.", "required": false, - "description": "The upstream introspection header." + "type": "string" } }, { 
@@ -1809,85 +1736,85 @@ }, { "upstream_session_id_header": { - "type": "string", + "description": "The upstream session id header.", "required": false, - "description": "The upstream session id header." + "type": "string" } }, { "downstream_headers_claims": { "required": false, - "type": "array", + "description": "The downstream header claims.", "elements": { "type": "string" }, - "description": "The downstream header claims." + "type": "array" } }, { "downstream_headers_names": { "required": false, - "type": "array", + "description": "The downstream header names for the claim values.", "elements": { "type": "string" }, - "description": "The downstream header names for the claim values." + "type": "array" } }, { "downstream_access_token_header": { - "type": "string", + "description": "The downstream access token header.", "required": false, - "description": "The downstream access token header." + "type": "string" } }, { "downstream_access_token_jwk_header": { - "type": "string", + "description": "The downstream access token JWK header.", "required": false, - "description": "The downstream access token JWK header." + "type": "string" } }, { "downstream_id_token_header": { - "type": "string", + "description": "The downstream id token header.", "required": false, - "description": "The downstream id token header." + "type": "string" } }, { "downstream_id_token_jwk_header": { - "type": "string", + "description": "The downstream id token JWK header.", "required": false, - "description": "The downstream id token JWK header." + "type": "string" } }, { "downstream_refresh_token_header": { - "type": "string", + "description": "The downstream refresh token header.", "required": false, - "description": "The downstream refresh token header." + "type": "string" } }, { "downstream_user_info_header": { - "type": "string", + "description": "The downstream user info header.", "required": false, - "description": "The downstream user info header." 
+ "type": "string" } }, { "downstream_user_info_jwt_header": { - "type": "string", + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", "required": false, - "description": "The downstream user info JWT header (in case the user info returns a JWT response)." + "type": "string" } }, { "downstream_introspection_header": { - "type": "string", + "description": "The downstream introspection header.", "required": false, - "description": "The downstream introspection header." + "type": "string" } }, { @@ -1898,20 +1825,17 @@ }, { "downstream_session_id_header": { - "type": "string", + "description": "The downstream session id header.", "required": false, - "description": "The downstream session id header." + "type": "string" } }, { "login_methods": { - "required": false, "default": [ "authorization_code" ], - "type": "array", "elements": { - "type": "string", "one_of": [ "password", "client_credentials", 
@@ -1922,234 +1846,234 @@ "kong_oauth2", "refresh_token", "session" - ] + ], + "type": "string" }, - "description": "Enable login functionality with specified grants." + "type": "array", + "description": "Enable login functionality with specified grants.", + "required": false } }, { "login_action": { - "required": false, "default": "upstream", "type": "string", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location", + "required": false, "one_of": [ "upstream", "response", "redirect" - ], - "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location" + ] } }, { "login_tokens": { - "required": false, "default": [ "id_token" ], - "type": "array", "elements": { - "type": "string", "one_of": [ "id_token", "access_token", "refresh_token", "tokens", "introspection" - ] + ], + "type": "string" }, - "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response" + "type": "array", + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response", + "required": false } }, { "login_redirect_mode": { - "required": false, "default": "fragment", "type": "string", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url 
fragment (not readable by servers)", + "required": false, "one_of": [ "query", "fragment" - ], - "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)" + ] } }, { "logout_query_arg": { - "type": "string", + "description": "The request query argument that activates the logout.", "required": false, - "description": "The request query argument that activates the logout." + "type": "string" } }, { "logout_post_arg": { - "type": "string", + "description": "The request body argument that activates the logout.", "required": false, - "description": "The request body argument that activates the logout." + "type": "string" } }, { "logout_uri_suffix": { - "type": "string", + "description": "The request URI suffix that activates the logout.", "required": false, - "description": "The request URI suffix that activates the logout." + "type": "string" } }, { "logout_methods": { - "required": false, "default": [ "POST", "DELETE" ], - "type": "array", "elements": { - "type": "string", "one_of": [ "POST", "GET", "DELETE" - ] + ], + "type": "string" }, - "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method" + "type": "array", + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method", + "required": false } }, { "logout_revoke": { + "description": "Revoke tokens as part of the logout.", "default": false, - "type": "boolean", "required": false, - "description": "Revoke tokens as part of the logout." + "type": "boolean" } }, { "logout_revoke_access_token": { + "description": "Revoke the access token as part of the logout.", "default": true, - "type": "boolean", "required": false, - "description": "Revoke the access token as part of the logout." 
+ "type": "boolean" } }, { "logout_revoke_refresh_token": { + "description": "Revoke the refresh token as part of the logout.", "default": true, - "type": "boolean", "required": false, - "description": "Revoke the refresh token as part of the logout." + "type": "boolean" } }, { "consumer_claim": { "required": false, - "type": "array", + "description": "The claim used for consumer mapping.", "elements": { "type": "string" }, - "description": "The claim used for consumer mapping." + "type": "array" } }, { "consumer_by": { - "required": false, "default": [ "username", "custom_id" ], - "type": "array", "elements": { - "type": "string", "one_of": [ "id", "username", "custom_id" - ] + ], + "type": "string" }, - "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`" + "type": "array", + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`", + "required": false } }, { "consumer_optional": { + "description": "Do not terminate the request if consumer mapping fails.", "default": false, - "type": "boolean", "required": false, - "description": "Do not terminate the request if consumer mapping fails." + "type": "boolean" } }, { "credential_claim": { - "required": false, "default": [ "sub" ], - "type": "array", "elements": { "type": "string" }, - "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used." + "type": "array", + "description": "The claim used to derive virtual credentials (e.g. 
to be consumed by the rate-limiting plugin), in case the consumer mapping is not used.", + "required": false } }, { "anonymous": { - "type": "string", + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "required": false, - "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "type": "string" } }, { "run_on_preflight": { + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", "default": true, - "type": "boolean", "required": false, - "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests." + "type": "boolean" } }, { "leeway": { + "description": "Allow some leeway (in seconds) on the ttl / expiry verification.", "default": 0, - "type": "number", "required": false, - "description": "Allow some leeway (in seconds) on the ttl / expiry verification." + "type": "number" } }, { "verify_parameters": { + "description": "Verify plugin configuration against discovery.", "default": false, - "type": "boolean", "required": false, - "description": "Verify plugin configuration against discovery." + "type": "boolean" } }, { "verify_nonce": { + "description": "Verify nonce on authorization code flow.", "default": true, - "type": "boolean", "required": false, - "description": "Verify nonce on authorization code flow." 
+ "type": "boolean" } }, { "verify_claims": { + "description": "Verify tokens for standard claims.", "default": true, - "type": "boolean", "required": false, - "description": "Verify tokens for standard claims." + "type": "boolean" } }, { "verify_signature": { + "description": "Verify signature of tokens.", "default": true, - "type": "boolean", "required": false, - "description": "Verify signature of tokens." + "type": "boolean" } }, { "ignore_signature": { - "required": false, "default": [ ], - "type": "array", "elements": { - "type": "string", "one_of": [ "password", "client_credentials", 
@@ -2158,25 +2082,27 @@ "session", "introspection", "userinfo" - ] + ], + "type": "string" }, - "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication" + "type": "array", + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication", + "required": false } }, { "enable_hs_signatures": { + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", "default": false, - "type": "boolean", "required": false, - "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted)." + "type": "boolean" } }, { "disable_session": { "required": false, - "type": "array", + "description": "Disable issuing the session cookie with the specified grants.", "elements": { - "type": "string", "one_of": [ "password", "client_credentials", 
@@ -2187,212 +2113,301 @@ "kong_oauth2", "refresh_token", "session" - ] + ], + "type": "string" }, - "description": "Disable issuing the session cookie with the specified grants." + "type": "array" } }, { "cache_ttl": { + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", "default": 3600, - "type": "number", "required": false, - "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry." + "type": "number" } }, { "cache_ttl_max": { - "type": "number", + "description": "The maximum cache ttl in seconds (enforced).", "required": false, - "description": "The maximum cache ttl in seconds (enforced)." + "type": "number" } }, { "cache_ttl_min": { - "type": "number", + "description": "The minimum cache ttl in seconds (enforced).", "required": false, - "description": "The minimum cache ttl in seconds (enforced)." + "type": "number" } }, { "cache_ttl_neg": { - "type": "number", + "description": "The negative cache ttl in seconds.", "required": false, - "description": "The negative cache ttl in seconds." + "type": "number" } }, { "cache_ttl_resurrect": { - "type": "number", + "description": "The resurrection ttl in seconds.", "required": false, - "description": "The resurrection ttl in seconds." + "type": "number" } }, { "cache_tokens": { + "description": "Cache the token endpoint requests.", "default": true, - "type": "boolean", "required": false, - "description": "Cache the token endpoint requests." + "type": "boolean" } }, { "cache_tokens_salt": { "auto": true, - "type": "string", + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", "required": false, - "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." 
+ "type": "string" } }, { "cache_introspection": { + "description": "Cache the introspection endpoint requests.", "default": true, - "type": "boolean", "required": false, - "description": "Cache the introspection endpoint requests." + "type": "boolean" } }, { "cache_token_exchange": { + "description": "Cache the token exchange endpoint requests.", "default": true, - "type": "boolean", "required": false, - "description": "Cache the token exchange endpoint requests." + "type": "boolean" } }, { "cache_user_info": { + "description": "Cache the user info requests.", "default": true, - "type": "boolean", "required": false, - "description": "Cache the user info requests." + "type": "boolean" } }, { "search_user_info": { + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", "default": false, - "type": "boolean", "required": false, - "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers." + "type": "boolean" } }, { "hide_credentials": { + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", "default": false, - "type": "boolean", "required": false, - "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication." 
+ "type": "boolean" } }, { "http_version": { + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0", "default": 1.1, - "type": "number", "required": false, - "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0" + "type": "number" } }, { "http_proxy": { - "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "type": "string" } }, { "http_proxy_authorization": { - "type": "string", + "description": "The HTTP proxy authorization.", "required": false, - "description": "The HTTP proxy authorization." + "type": "string" } }, { "https_proxy": { - "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "type": "string" } }, { "https_proxy_authorization": { - "type": "string", + "description": "The HTTPS proxy authorization.", "required": false, - "description": "The HTTPS proxy authorization." + "type": "string" } }, { "no_proxy": { - "type": "string", + "description": "Do not use proxy with these hosts.", "required": false, - "description": "Do not use proxy with these hosts." + "type": "string" } }, { "keepalive": { + "description": "Use keepalive with the HTTP client.", "default": true, - "type": "boolean", "required": false, - "description": "Use keepalive with the HTTP client." + "type": "boolean" } }, { "ssl_verify": { + "description": "Verify identity provider server certificate.", "default": false, - "type": "boolean", "required": false, - "description": "Verify identity provider server certificate." 
+ "type": "boolean" } }, { "timeout": { + "description": "Network IO timeout in milliseconds.", "default": 10000, - "type": "number", "required": false, - "description": "Network IO timeout in milliseconds." + "type": "number" } }, { "display_errors": { + "description": "Display errors on failure responses.", "default": false, - "type": "boolean", "required": false, - "description": "Display errors on failure responses." + "type": "boolean" } }, { "by_username_ignore_case": { + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", "default": false, - "type": "boolean", "required": false, - "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively." + "type": "boolean" } }, { "resolve_distributed_claims": { + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", "default": false, - "type": "boolean", "required": false, - "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims." + "type": "boolean" } }, { "expose_error_code": { - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "token_cache_key_include_scope": { "default": false, - "type": "boolean", - "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens." + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean" + } + }, + { + "using_pseudo_issuer": { + "default": false, + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL.", + "type": "boolean" } } - ] + ], + "shorthand_fields": [ + { + "authorization_cookie_lifetime": { + "type": "number" + } + }, + { + "authorization_cookie_samesite": { + "type": "string" + } + }, + { + "authorization_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_cookie_lifetime": { + "type": "number" + } + }, + { + "session_cookie_idletime": { + "type": "number" + } + }, + { + "session_cookie_samesite": { + "type": "string" + } + }, + { + "session_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "type": "string" + } + }, + { + "session_memcache_socket": { + "type": "string" + } + }, + { + "session_memcache_host": { + "type": "string" + } + }, + { + "session_memcache_port": { + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer" + } + }, + { + "session_cookie_renew": { + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "type": "integer" + } + }, + { + "session_strategy": { + "type": "string" + } + }, + { + "session_compressor": { + "type": "string" + } + } + ], + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/opentelemetry/3.4.x.json b/schemas/opentelemetry/3.4.x.json index c21b00ed..a7cbaae4 100644 --- a/schemas/opentelemetry/3.4.x.json +++ b/schemas/opentelemetry/3.4.x.json 
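Review bot: The `ssl_verify` entry in the openid-connect hunk that starts at `@@ -2187,212 +2113,301 @@` keeps `"default": false` next to a description that only says "Verify identity provider server certificate.", so a reader of the rendered reference is not told that the identity provider's certificate goes unverified unless the option is turned on. I would extend the text to `"description": "Verify identity provider server certificate. Defaults to false, which leaves the certificate unverified; set it to true to have the plugin validate it."` Because these files are pulled from the API, the wording presumably has to change in the upstream schema and then be re-downloaded rather than edited here. The same hunk also carries `expose_error_code` and adds every `shorthand_fields` entry without a `description`, which is worth checking against the commit's stated goal of shipping descriptions inside the schemas.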
@@ -1,33 +1,36 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { @@ -36,23 +39,23 @@ { "endpoint": { "referenceable": true, - "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "type": "string" } }, { "headers": { - "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", - "type": "map", "keys": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." }, + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", "values": { "referenceable": true, "type": "string" - } + }, + "type": "map" } }, { 
@@ -61,48 +64,47 @@ "required": true, "type": "string" }, - "type": "map", "values": { "required": true, "type": "string" - } + }, + "type": "map" } }, { "queue": { - "type": "record", "fields": [ { "max_batch_size": { - "default": 1, - "type": "integer", "between": [ 1, 1000000 ], - "description": "Maximum number of entries that can be processed at a time." + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer" } }, { "max_coalescing_delay": { - "default": 1, - "type": "number", "between": [ 0, 3600 ], - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number" } }, { "max_entries": { - "default": 10000, - "type": "integer", "between": [ 1, 1000000 ], - "description": "Maximum number of entries that can be waiting on the queue." + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer" } }, { 
@@ -113,80 +115,81 @@ }, { "max_retry_time": { + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "default": 60, - "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "type": "number" } }, { "initial_retry_delay": { - "default": 0.01, - "type": "number", "between": [ 0.001, 1000000 ], - "description": "Time in seconds before the initial retry is made for a failing batch." + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number" } }, { "max_retry_delay": { - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number" } } ], - "required": true + "required": true, + "type": "record" } }, { "batch_span_count": { - "type": "integer", - "description": "The number of spans to be sent in a single batch." + "description": "The number of spans to be sent in a single batch.", + "type": "integer" } }, { "batch_flush_delay": { - "type": "integer", - "description": "The delay, in seconds, between two consecutive batches." + "description": "The delay, in seconds, between two consecutive batches.", + "type": "integer" } }, { "connect_timeout": { - "default": 1000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 1000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "default": 5000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "read_timeout": { - "default": 5000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { @@ -196,9 +199,8 @@ }, { "header_type": { - "default": "preserve", - "type": "string", "required": false, + "default": "preserve", "one_of": [ "preserve", "ignore", @@ -207,13 +209,13 @@ "w3c", "jaeger", "ot", - "aws" - ] + "aws", + "datadog" + ], + "type": "string" } } ], - "type": "record", - "required": true, "entity_checks": [ { "custom_entity_check": { @@ -223,11 +225,10 @@ ] } } - ] + ], + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/post-function/3.4.x.json b/schemas/post-function/3.4.x.json index cd0390c8..1c071e1d 100644 --- a/schemas/post-function/3.4.x.json +++ b/schemas/post-function/3.4.x.json @@ -1,7 +1,24 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ], "fields": [ { "protocols": { + "required": false, "default": [ "grpc", "grpcs", @@ -10,10 +27,7 @@ "ws", "wss" ], - "type": "set", - "required": false, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -21,38 +35,38 @@ "https", "ws", "wss" - ] - } + ], + "type": "string" + }, + "type": "set" } }, { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -65,164 +79,150 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS." + "type": "string" }, - "description": "A set of strings representing protocols." + "type": "set", + "description": "A set of strings representing protocols.", + "required": true } }, { "config": { - "type": "record", "fields": [ { "certificate": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } }, { "rewrite": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } }, { "access": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } }, { "header_filter": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } }, { "body_filter": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } }, { "log": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } }, { "ws_handshake": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } }, { "ws_client_frame": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } }, { "ws_upstream_frame": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } }, { "ws_close": { + "required": true, "default": [ ], - "type": "array", - 
"required": true, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.certificate", - "config.rewrite", - "config.access", - "config.header_filter", - "config.body_filter", - "config.log", - "config.ws_handshake", - "config.ws_upstream_frame", - "config.ws_client_frame", - "config.ws_close" - ] - } ] } \ No newline at end of file diff --git a/schemas/pre-function/3.4.x.json b/schemas/pre-function/3.4.x.json index cd0390c8..1c071e1d 100644 --- a/schemas/pre-function/3.4.x.json +++ b/schemas/pre-function/3.4.x.json @@ -1,7 +1,24 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ], "fields": [ { "protocols": { + "required": false, "default": [ "grpc", "grpcs", @@ -10,10 +27,7 @@ "ws", "wss" ], - "type": "set", - "required": false, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -21,38 +35,38 @@ "https", "ws", "wss" - ] - } + ], + "type": "string" + }, + "type": "set" } }, { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -65,164 +79,150 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS." + "type": "string" }, - "description": "A set of strings representing protocols." + "type": "set", + "description": "A set of strings representing protocols.", + "required": true } }, { "config": { - "type": "record", "fields": [ { "certificate": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } }, { "rewrite": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } }, { "access": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } }, { "header_filter": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } }, { "body_filter": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } }, { "log": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } }, { "ws_handshake": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } }, { "ws_client_frame": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } }, { "ws_upstream_frame": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } }, { "ws_close": { + "required": true, "default": [ ], - "type": "array", - 
"required": true, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.certificate", - "config.rewrite", - "config.access", - "config.header_filter", - "config.body_filter", - "config.log", - "config.ws_handshake", - "config.ws_upstream_frame", - "config.ws_client_frame", - "config.ws_close" - ] - } ] } \ No newline at end of file diff --git a/schemas/prometheus/3.4.x.json b/schemas/prometheus/3.4.x.json index dde575c3..a851036d 100644 --- a/schemas/prometheus/3.4.x.json +++ b/schemas/prometheus/3.4.x.json @@ -1,17 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -24,64 +25,63 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS." + "type": "string" }, - "description": "A set of strings representing protocols." + "type": "set", + "description": "A set of strings representing protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", - "required": true, "fields": [ { "per_consumer": { "default": false, - "type": "boolean", - "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available." + "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", + "type": "boolean" } }, { "status_code_metrics": { "default": false, - "type": "boolean", - "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported." + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", + "type": "boolean" } }, { "latency_metrics": { "default": false, - "type": "boolean", - "description": "A boolean value that determines if status code metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported." 
+ "description": "A boolean value that determines if status code metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", + "type": "boolean" } }, { "bandwidth_metrics": { "default": false, - "type": "boolean", - "description": "A boolean value that determines if status code metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported." + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", + "type": "boolean" } }, { "upstream_health_metrics": { "default": false, - "type": "boolean", - "description": "A boolean value that determines if status code metrics should be collected. If enabled, `upstream_target_health` metric will be exported." + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", + "type": "boolean" } } - ] + ], + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/proxy-cache-advanced/3.4.x.json b/schemas/proxy-cache-advanced/3.4.x.json index 7fc47b82..45409c1a 100644 --- a/schemas/proxy-cache-advanced/3.4.x.json +++ b/schemas/proxy-cache-advanced/3.4.x.json 
@@ -1,127 +1,135 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "response_code": { - "required": true, - "len_min": 1, "default": [ 200, 301, 404 ], - "type": "array", "elements": { - "type": "integer", "between": [ 100, 900 - ] + ], + "type": "integer" }, - "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900." + "type": "array", + "len_min": 1, + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", + "required": true } }, { "request_method": { - "required": true, "default": [ "GET", "HEAD" ], - "type": "array", "elements": { - "type": "string", "one_of": [ "HEAD", "GET", "POST", "PATCH", "PUT" - ] + ], + "type": "string" }, - "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`." + "type": "array", + "description": "Downstream request methods considered cacheable. 
Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", + "required": true } }, { "content_type": { - "required": true, "default": [ "text/plain", "application/json" ], - "type": "array", "elements": { "type": "string" }, - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned." + "type": "array", + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", + "required": true } }, { "cache_ttl": { - "default": 300, - "type": "integer", "gt": 0, - "description": "TTL in seconds of cache entities." + "description": "TTL in seconds of cache entities.", + "default": 300, + "type": "integer" } }, { "strategy": { + "required": true, + "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", "one_of": [ "memory", "redis" ], - "type": "string", - "required": true, - "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`." + "type": "string" } }, { "cache_control": { "default": false, - "type": "boolean", + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", "required": true, - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234." + "type": "boolean" } }, { "ignore_uri_case": { "default": false, - "type": "boolean", + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. 
If set to true, requests are cached while ignoring case sensitivity in the URI.", "required": false, - "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI." + "type": "boolean" } }, { @@ -132,36 +140,36 @@ }, { "memory": { - "type": "record", "fields": [ { "dictionary_name": { "default": "kong_db_cache", - "type": "string", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", "required": true, - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template." + "type": "string" } } ], - "required": true + "required": true, + "type": "record" } }, { "vary_query_params": { - "type": "array", + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "elements": { "type": "string" }, - "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration." + "type": "array" } }, { "vary_headers": { - "type": "array", + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "elements": { "type": "string" }, - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." + "type": "array" } }, { 
@@ -169,216 +177,214 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "type": "integer", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "timeout": { - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "connect_timeout": { - "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "read_timeout": { - "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "username": { - "type": "string", "referenceable": true, - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." 
+ "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "type": "string" } }, { "password": { "referenceable": true, - "type": "string", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + "type": "string" } }, { "sentinel_username": { - "type": "string", "referenceable": true, - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" } }, { "sentinel_password": { "referenceable": true, - "type": "string", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + "type": "string" } }, { "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, - "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "type": "integer" } }, { "keepalive_pool_size": { - "default": 30, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. 
If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value.", "between": [ 1, 2147483646 - ] + ], + "default": 30, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value.", + "type": "integer" } }, { "keepalive_backlog": { - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued connect operations resume once the number of connections in the pool is less than `keepalive_pool_size`. Note that queued connect operations are subject to set timeouts.", "between": [ 0, 2147483646 - ] + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued connect operations resume once the number of connections in the pool is less than `keepalive_pool_size`. Note that queued connect operations are subject to set timeouts.", + "type": "integer" } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", "one_of": [ "master", "slave", "any" ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + "type": "string" } }, { "sentinel_addresses": { + "len_min": 1, "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", - "type": "array", "elements": { "type": "string" }, - "len_min": 1 + "type": "array" } }, { "cluster_addresses": { + "len_min": 1, "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", - "type": "array", "elements": { "type": "string" }, - "len_min": 1 + "type": "array" } }, { "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", "default": false, - "type": "boolean", "required": false, - "description": "If set to true, uses SSL to connect to Redis." + "type": "boolean" } }, { "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, - "type": "boolean", "required": false, - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." 
+ "type": "boolean" } }, { "server_name": { - "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, - "description": "A string representing an SNI (server name indication) value for TLS." + "type": "string" } } ], - "type": "record", - "required": true, "entity_checks": [ { "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_addresses" - ], - "set2": [ - "host", - "port" ] } }, { "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_addresses" - ], - "set2": [ - "cluster_addresses" ] } }, { "mutually_exclusive_sets": { - "set1": [ - "cluster_addresses" - ], "set2": [ "host", "port" + ], + "set1": [ + "cluster_addresses" ] } }, @@ -402,27 +408,21 @@ "read_timeout" ] } - ] + ], + "required": true, + "type": "record" } }, { "bypass_on_err": { "default": false, - "type": "boolean", - "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream." + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "type": "boolean" } } ], - "required": true - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] + "required": true, + "type": "record" } } ] diff --git a/schemas/proxy-cache/3.4.x.json b/schemas/proxy-cache/3.4.x.json index c2640db9..cb1dfc18 100644 --- a/schemas/proxy-cache/3.4.x.json +++ b/schemas/proxy-cache/3.4.x.json 
@@ -1,17 +1,24 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -24,109 +31,110 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS." + "type": "string" }, - "description": "A set of strings representing protocols." + "type": "set", + "description": "A set of strings representing protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "response_code": { - "required": true, - "len_min": 1, "default": [ 200, 301, 404 ], - "type": "array", "elements": { - "type": "integer", "between": [ 100, 900 - ] + ], + "type": "integer" }, - "description": "Upstream response status code considered cacheable." + "type": "array", + "len_min": 1, + "description": "Upstream response status code considered cacheable.", + "required": true } }, { "request_method": { - "required": true, "default": [ "GET", "HEAD" ], - "type": "array", "elements": { - "type": "string", "one_of": [ "HEAD", "GET", "POST", "PATCH", "PUT" - ] + ], + "type": "string" }, - "description": "Downstream request methods considered cacheable." + "type": "array", + "description": "Downstream request methods considered cacheable.", + "required": true } }, { "content_type": { - "required": true, "default": [ "text/plain", "application/json" ], - "type": "array", "elements": { "type": "string" }, - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value." + "type": "array", + "description": "Upstream response content types considered cacheable. 
The plugin performs an **exact match** against each specified value.", + "required": true } }, { "cache_ttl": { - "default": 300, - "type": "integer", "gt": 0, - "description": "TTL, in seconds, of cache entities." + "description": "TTL, in seconds, of cache entities.", + "default": 300, + "type": "integer" } }, { "strategy": { + "required": true, + "description": "The backing data store in which to hold cache entities.", "one_of": [ "memory" ], - "type": "string", - "required": true, - "description": "The backing data store in which to hold cache entities." + "type": "string" } }, { "cache_control": { "default": false, - "type": "boolean", + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", "required": true, - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234." + "type": "boolean" } }, { "ignore_uri_case": { "default": false, - "type": "boolean", - "required": false + "required": false, + "type": "boolean" } }, { 
@@ -137,49 +145,41 @@ }, { "memory": { - "type": "record", "fields": [ { "dictionary_name": { "default": "kong_db_cache", - "type": "string", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", "required": true, - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template." + "type": "string" } } ], - "required": true + "required": true, + "type": "record" } }, { "vary_query_params": { - "type": "array", + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "elements": { "type": "string" }, - "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration." + "type": "array" } }, { "vary_headers": { - "type": "array", + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "elements": { "type": "string" }, - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." + "type": "array" } } ], - "required": true - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] + "required": true, + "type": "record" } } ] diff --git a/schemas/rate-limiting-advanced/3.4.x.json b/schemas/rate-limiting-advanced/3.4.x.json index b0096fb3..fdcd78cd 100644 --- a/schemas/rate-limiting-advanced/3.4.x.json +++ b/schemas/rate-limiting-advanced/3.4.x.json 
@@ -1,36 +1,45 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "config": { - "type": "record", "fields": [ { "identifier": { - "required": true, "default": "consumer", "type": "string", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, or `path`.", + "required": true, "one_of": [ "ip", "credential", 
@@ -38,39 +47,38 @@ "service", "header", "path" - ], - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, or `path`." + ] } }, { "window_size": { "required": true, - "type": "array", + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" }, - "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified." + "type": "array" } }, { "window_type": { "default": "sliding", - "type": "string", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", "one_of": [ "fixed", "sliding" ], - "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters." + "type": "string" } }, { "limit": { "required": true, - "type": "array", + "description": "One or more requests-per-window limits to apply. 
There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" }, - "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified." + "type": "array" } }, { 
@@ -82,63 +90,63 @@ { "namespace": { "auto": true, - "type": "string", + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace.", "required": true, - "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace." + "type": "string" } }, { "strategy": { - "required": true, "default": "local", "type": "string", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "required": true, "one_of": [ "cluster", "redis", "local" - ], - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`." + ] } }, { "dictionary_name": { "default": "kong_rate_limiting_counters", - "type": "string", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", "required": true, - "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle." + "type": "string" } }, { "hide_client_headers": { "default": false, - "type": "boolean", - "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters." 
+ "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" } }, { "retry_after_jitter_max": { "default": 0, - "type": "number", - "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header." + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" } }, { "header_name": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." } }, { "path": { - "starts_with": "/", "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ], - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + ] } }, { 
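Review bot: The `strategy` description in this hunk says the available values are `local` and `cluster`, but the `one_of` list directly below it also accepts `redis`, and the `dictionary_name` description in the same hunk refers to the `redis` strategy. The sentence should read ``Available values are: `local`, `cluster`, and `redis`.`` Since the commit message says these files are pulled from the API, the wording probably has to be corrected in the plugin schema upstream and downloaded again rather than edited here.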
@@ -146,216 +154,214 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "type": "integer", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "timeout": { - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "connect_timeout": { - "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "read_timeout": { - "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "username": { - "type": "string", "referenceable": true, - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." 
+ "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "type": "string" } }, { "password": { "referenceable": true, - "type": "string", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + "type": "string" } }, { "sentinel_username": { - "type": "string", "referenceable": true, - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" } }, { "sentinel_password": { "referenceable": true, - "type": "string", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + "type": "string" } }, { "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, - "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "type": "integer" } }, { "keepalive_pool_size": { - "default": 30, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. 
If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value.", "between": [ 1, 2147483646 - ] + ], + "default": 30, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value.", + "type": "integer" } }, { "keepalive_backlog": { - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued connect operations resume once the number of connections in the pool is less than `keepalive_pool_size`. Note that queued connect operations are subject to set timeouts.", "between": [ 0, 2147483646 - ] + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued connect operations resume once the number of connections in the pool is less than `keepalive_pool_size`. Note that queued connect operations are subject to set timeouts.", + "type": "integer" } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", "one_of": [ "master", "slave", "any" ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + "type": "string" } }, { "sentinel_addresses": { + "len_min": 1, "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", - "type": "array", "elements": { "type": "string" }, - "len_min": 1 + "type": "array" } }, { "cluster_addresses": { + "len_min": 1, "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", - "type": "array", "elements": { "type": "string" }, - "len_min": 1 + "type": "array" } }, { "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", "default": false, - "type": "boolean", "required": false, - "description": "If set to true, uses SSL to connect to Redis." + "type": "boolean" } }, { "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, - "type": "boolean", "required": false, - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." 
+ "type": "boolean" } }, { "server_name": { - "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, - "description": "A string representing an SNI (server name indication) value for TLS." + "type": "string" } } ], - "type": "record", - "required": true, "entity_checks": [ { "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_addresses" - ], - "set2": [ - "host", - "port" ] } }, { "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_addresses" - ], - "set2": [ - "cluster_addresses" ] } }, { "mutually_exclusive_sets": { - "set1": [ - "cluster_addresses" - ], "set2": [ "host", "port" + ], + "set1": [ + "cluster_addresses" ] } }, 
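Review bot: `ssl` and `ssl_verify` both default to `false`, and neither description says what that means for the `password` and `sentinel_password` fields defined earlier in the same record. With the defaults the connection to Redis is not encrypted, and enabling `ssl` alone still leaves the server certificate unchecked. I would extend the `ssl_verify` description with a sentence such as `Defaults to false, so the server certificate is not checked unless this is enabled together with ssl.` The enclosing record opens before this hunk.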
@@ -379,58 +385,52 @@ "read_timeout" ] } - ] + ], + "required": true, + "type": "record" } }, { "enforce_consumer_groups": { "default": false, - "type": "boolean", - "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups." + "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", + "type": "boolean" } }, { "consumer_groups": { - "type": "array", + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", "elements": { "type": "string" }, - "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups." + "type": "array" } }, { "disable_penalty": { "default": false, - "type": "boolean", - "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type." + "description": "If set to `true`, this doesn't count denied requests (status = `429`). 
If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", + "type": "boolean" } }, { "error_code": { - "default": 429, - "type": "number", + "description": "Set a custom error code to return when the rate limit is exceeded.", "gt": 0, - "description": "Set a custom error code to return when the rate limit is exceeded." + "default": 429, + "type": "number" } }, { "error_message": { "default": "API rate limit exceeded", - "type": "string", - "description": "Set a custom error message to return when the rate limit is exceeded." + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" } } ], - "required": true - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] + "required": true, + "type": "record" } } ] diff --git a/schemas/rate-limiting/3.4.x.json b/schemas/rate-limiting/3.4.x.json index 6c61b296..973af9b7 100644 --- a/schemas/rate-limiting/3.4.x.json +++ b/schemas/rate-limiting/3.4.x.json 
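Review bot: `error_code` is declared as `"type": "number"` with only `"gt": 0`, so the schema accepts values that are not HTTP status codes, such as `0.5` or `70000`; the same definition appears in `schemas/rate-limiting/3.4.x.json`. `status_code` in `schemas/request-termination/3.4.x.json` shows the tighter form, `"type": "integer"` with `"between": [100, 599]`. What the plugin does with an out-of-range value is not visible here, so this is a validation gap to raise with the schema owners rather than a confirmed fault.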
@@ -1,86 +1,156 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.second", + "config.minute", + "config.hour", + "config.day", + "config.month", + "config.year" + ] + }, + { + "conditional": { + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis_host", + "if_field": "config.policy" + } + }, + { + "conditional": { + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis_port", + "if_field": "config.policy" + } + }, + { + "conditional": { + "then_match": { + "required": true + }, + "if_match": { + "eq": "header" + }, + "then_field": "config.header_name", + "if_field": "config.limit_by" + } + }, + { + "conditional": { + "then_match": { + "required": true + }, + "if_match": { + "eq": "path" + }, + "then_field": "config.path", + "if_field": "config.limit_by" + } + }, + { + "conditional": { + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis_timeout", + "if_field": "config.policy" + } + } + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", - "required": true, "fields": [ { "second": { "gt": 0, - "type": "number", - "description": "The number of HTTP requests that can be made per second." 
+ "description": "The number of HTTP requests that can be made per second.", + "type": "number" } }, { "minute": { "gt": 0, - "type": "number", - "description": "The number of HTTP requests that can be made per minute." + "description": "The number of HTTP requests that can be made per minute.", + "type": "number" } }, { "hour": { "gt": 0, - "type": "number", - "description": "The number of HTTP requests that can be made per hour." + "description": "The number of HTTP requests that can be made per hour.", + "type": "number" } }, { "day": { "gt": 0, - "type": "number", - "description": "The number of HTTP requests that can be made per day." + "description": "The number of HTTP requests that can be made per day.", + "type": "number" } }, { "month": { "gt": 0, - "type": "number", - "description": "The number of HTTP requests that can be made per month." + "description": "The number of HTTP requests that can be made per month.", + "type": "number" } }, { "year": { "gt": 0, - "type": "number", - "description": "The number of HTTP requests that can be made per year." + "description": "The number of HTTP requests that can be made per year.", + "type": "number" } }, { "limit_by": { "default": "consumer", - "type": "string", + "description": "The entity that is used when aggregating the limits.", "one_of": [ "consumer", "credential", 
@@ -89,221 +159,151 @@ "header", "path" ], - "description": "The entity that is used when aggregating the limits." + "type": "string" } }, { "header_name": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." } }, { "path": { - "starts_with": "/", "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ], - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + ] } }, { "policy": { - "len_min": 0, "default": "local", "type": "string", + "len_min": 0, + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", "one_of": [ "local", "cluster", "redis" - ], - "description": "The rate-limiting policies to use for retrieving and incrementing the limits." + ] } }, { "fault_tolerant": { "default": true, - "type": "boolean", + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", "required": true, - "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors." 
+ "type": "boolean" } }, { "redis_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "redis_port": { - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "redis_password": { - "referenceable": true, - "type": "string", + "len_min": 0, "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", - "len_min": 0 + "referenceable": true, + "type": "string" } }, { "redis_username": { - "type": "string", "referenceable": true, - "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired." + "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.", + "type": "string" } }, { "redis_ssl": { "default": false, - "type": "boolean", + "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server.", "required": true, - "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server." + "type": "boolean" } }, { "redis_ssl_verify": { "default": false, - "type": "boolean", + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies it server SSL certificate is validated. Note that you need to configure the lua_ssl_trusted_certificate to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure lua_ssl_verify_depth accordingly.", "required": true, - "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies it server SSL certificate is validated. Note that you need to configure the lua_ssl_trusted_certificate to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly." + "type": "boolean" } }, { "redis_server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", - "type": "string" + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS." } }, { "redis_timeout": { "default": 2000, - "type": "number", - "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server." + "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server.", + "type": "number" } }, { "redis_database": { "default": 0, - "type": "integer", - "description": "When using the `redis` policy, this property specifies the Redis database to use." + "description": "When using the `redis` policy, this property specifies the Redis database to use.", + "type": "integer" } }, { "hide_client_headers": { "default": false, - "type": "boolean", + "description": "Optionally hide informative response headers.", "required": true, - "description": "Optionally hide informative response headers." + "type": "boolean" } }, { "error_code": { - "default": 429, - "type": "number", "gt": 0, - "description": "Set a custom error code to return when the rate limit is exceeded." 
+ "description": "Set a custom error code to return when the rate limit is exceeded.", + "default": 429, + "type": "number" } }, { "error_message": { "default": "API rate limit exceeded", - "type": "string", - "description": "Set a custom error message to return when the rate limit is exceeded." + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" } }, { "sync_rate": { "default": -1, - "type": "number", + "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior.", "required": true, - "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior." + "type": "number" } } - ] - } - } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.second", - "config.minute", - "config.hour", - "config.day", - "config.month", - "config.year" - ] - }, - { - "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis_host", - "if_field": "config.policy", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis_port", - "if_field": "config.policy", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": "header" - }, - "then_field": "config.header_name", - "if_field": "config.limit_by", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": "path" - }, - "then_field": "config.path", - "if_field": "config.limit_by", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis_timeout", - "if_field": "config.policy", - "then_match": { - "required": true - } + ], + "required": true, + "type": "record" } } ] diff --git a/schemas/request-size-limiting/3.4.x.json b/schemas/request-size-limiting/3.4.x.json index 8bfc5a08..3c96984a 100644 
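Review bot: `redis_password` in this hunk is marked `"referenceable": true` but carries no `"encrypted": true`, while the equivalent `password` and `sentinel_password` fields in `schemas/rate-limiting-advanced/3.4.x.json` carry both. If the flag controls at-rest encryption of the stored value, as its name suggests, the Redis password configured for this plugin would be stored in clear; it is worth confirming upstream whether the omission is intended and, if not, adding `"encrypted": true`. The `redis_ssl_verify` description also has a typo: "specifies it server SSL certificate is validated" should read "specifies if the server SSL certificate is validated".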
--- a/schemas/request-size-limiting/3.4.x.json +++ b/schemas/request-size-limiting/3.4.x.json 
@@ -1,73 +1,73 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "allowed_payload_size": { "default": 128, - "type": "integer", - "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes)." + "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", + "type": "integer" } }, { "size_unit": { - "required": true, "default": "megabytes", "type": "string", + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", + "required": true, "one_of": [ "megabytes", "kilobytes", "bytes" - ], - "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0." + ] } }, { "require_content_length": { "default": false, - "type": "boolean", + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", "required": true, - "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body." 
+ "type": "boolean" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/request-termination/3.4.x.json b/schemas/request-termination/3.4.x.json index de11be84..59d914f3 100644 --- a/schemas/request-termination/3.4.x.json +++ b/schemas/request-termination/3.4.x.json @@ -1,50 +1,51 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", - "required": true, "fields": [ { "status_code": { - "required": true, + "default": 503, + "type": "integer", "between": [ 100, 599 ], - "default": 503, - "type": "integer", - "description": "The response code to send. Must be an integer between 100 and 599." + "description": "The response code to send. Must be an integer between 100 and 599.", + "required": true } }, { 
@@ -68,22 +69,21 @@ { "echo": { "default": false, - "type": "boolean", + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", "required": true, - "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic." + "type": "boolean" } }, { "trigger": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." } } - ] + ], + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/request-transformer-advanced/3.4.x.json b/schemas/request-transformer-advanced/3.4.x.json index 1a7aca1c..040f5998 100644 --- a/schemas/request-transformer-advanced/3.4.x.json +++ b/schemas/request-transformer-advanced/3.4.x.json 
@@ -1,52 +1,52 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "config": { - "type": "record", - "required": true, "fields": [ { "http_method": { - "type": "string", + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", "match": "^%u+$", - "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." + "type": "string" } }, { "remove": { - "type": "record", "fields": [ { "body": { "default": [ ], - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } }, { @@ -54,10 +54,10 @@ "default": [ ], - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } }, { @@ -65,30 +65,30 @@ "default": [ ], - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } }, { "rename": { - "type": "record", "fields": [ { "body": { "default": [ ], - "type": "array", "elements": { - "type": "string", - "referenceable": true - } + "referenceable": true, + "type": "string" + }, + "type": "array" } }, { @@ -96,11 +96,11 @@ "default": [ ], - "type": "array", "elements": { - "type": "string", - "referenceable": true - } + "referenceable": true, + "type": "string" + }, + "type": "array" } }, { 
@@ -108,31 +108,31 @@ "default": [ ], - "type": "array", "elements": { - "type": "string", - "referenceable": true - } + "referenceable": true, + "type": "string" + }, + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } }, { "replace": { - "type": "record", "fields": [ { "body": { "default": [ ], - "type": "array", "elements": { - "type": "string", - "referenceable": true - } + "referenceable": true, + "type": "string" + }, + "type": "array" } }, { @@ -140,11 +140,11 @@ "default": [ ], - "type": "array", "elements": { - "type": "string", - "referenceable": true - } + "referenceable": true, + "type": "string" + }, + "type": "array" } }, { @@ -152,11 +152,11 @@ "default": [ ], - "type": "array", "elements": { - "type": "string", - "referenceable": true - } + "referenceable": true, + "type": "string" + }, + "type": "array" } }, { @@ -164,15 +164,15 @@ "default": [ ], - "type": "array", "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] - } + ], + "type": "string" + }, + "type": "array" } }, { @@ -181,23 +181,23 @@ } } ], - "required": true + "required": true, + "type": "record" } }, { "add": { - "type": "record", "fields": [ { "body": { "default": [ ], - "type": "array", "elements": { - "type": "string", - "referenceable": true - } + "referenceable": true, + "type": "string" + }, + "type": "array" } }, { @@ -205,11 +205,11 @@ "default": [ ], - "type": "array", "elements": { - "type": "string", - "referenceable": true - } + "referenceable": true, + "type": "string" + }, + "type": "array" } }, { @@ -217,11 +217,11 @@ "default": [ ], - "type": "array", "elements": { - "type": "string", - "referenceable": true - } + "referenceable": true, + "type": "string" + }, + "type": "array" } }, { 
@@ -229,35 +229,35 @@ "default": [ ], - "type": "array", "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] - } + ], + "type": "string" + }, + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } }, { "append": { - "type": "record", "fields": [ { "body": { "default": [ ], - "type": "array", "elements": { - "type": "string", - "referenceable": true - } + "referenceable": true, + "type": "string" + }, + "type": "array" } }, { @@ -265,11 +265,11 @@ "default": [ ], - "type": "array", "elements": { - "type": "string", - "referenceable": true - } + "referenceable": true, + "type": "string" + }, + "type": "array" } }, { @@ -277,11 +277,11 @@ "default": [ ], - "type": "array", "elements": { - "type": "string", - "referenceable": true - } + "referenceable": true, + "type": "string" + }, + "type": "array" } }, { @@ -289,24 +289,24 @@ "default": [ ], - "type": "array", "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] - } + ], + "type": "string" + }, + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } }, { "allow": { - "type": "record", "fields": [ { "body": { @@ -317,21 +317,21 @@ } } ], - "required": true + "required": true, + "type": "record" } }, { "dots_in_keys": { + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects).", "default": true, - "type": "boolean", - "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects)." + "type": "boolean" } } - ] + ], + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
diff --git a/schemas/request-transformer/3.4.x.json b/schemas/request-transformer/3.4.x.json index debbc884..be151262 100644 --- a/schemas/request-transformer/3.4.x.json +++ b/schemas/request-transformer/3.4.x.json @@ -1,17 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -24,150 +25,150 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS." + "type": "string" }, - "description": "A set of strings representing protocols." + "type": "set", + "description": "A set of strings representing protocols.", + "required": true } }, { "config": { - "type": "record", "fields": [ { "http_method": { - "type": "string", + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", "match": "^%u+$", - "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." + "type": "string" } }, { "remove": { - "type": "record", "fields": [ { "body": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" - } + }, + "type": "array" } }, { "headers": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" - } + }, + "type": "array" } }, { "querystring": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" - } + }, + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } }, { "rename": { - "type": "record", "fields": [ { "body": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" - } + }, + "type": "array" } }, { "headers": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { - "match": "^[^:]+:.*$", - "type": "string" - } + "type": "string", + "match": "^[^:]+:.*$" + }, + "type": "array" } }, { "querystring": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" - } + }, + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } }, { "replace": { - "type": "record", "fields": [ { "body": { + "required": true, 
"default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" - } + }, + "type": "array" } }, { "headers": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { - "match": "^[^:]+:.*$", - "type": "string" - } + "type": "string", + "match": "^[^:]+:.*$" + }, + "type": "array" } }, { "querystring": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" - } + }, + "type": "array" } }, { @@ -176,105 +177,104 @@ } } ], - "required": true + "required": true, + "type": "record" } }, { "add": { - "type": "record", "fields": [ { "body": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" - } + }, + "type": "array" } }, { "headers": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { - "match": "^[^:]+:.*$", - "type": "string" - } + "type": "string", + "match": "^[^:]+:.*$" + }, + "type": "array" } }, { "querystring": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" - } + }, + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } }, { "append": { - "type": "record", "fields": [ { "body": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" - } + }, + "type": "array" } }, { "headers": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { - "match": "^[^:]+:.*$", - "type": "string" - } + "type": "string", + "match": "^[^:]+:.*$" + }, + "type": "array" } }, { "querystring": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" - } + }, + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
diff --git a/schemas/request-validator/3.4.x.json b/schemas/request-validator/3.4.x.json index 1e5ce7d7..1f717922 100644 --- a/schemas/request-validator/3.4.x.json +++ b/schemas/request-validator/3.4.x.json @@ -1,33 +1,42 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { @@ -35,9 +44,9 @@ "fields": [ { "body_schema": { - "type": "string", + "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.", "required": false, - "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified." + "type": "string" } }, { 
@@ -45,42 +54,41 @@ "default": [ "application/json" ], - "type": "set", + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", "elements": { "required": true, "type": "string" }, - "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`." + "type": "set" } }, { "version": { - "required": true, "default": "kong", + "type": "string", + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", "one_of": [ "kong", "draft4" ], - "type": "string", - "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator." + "required": true } }, { "parameter_schema": { "required": false, - "type": "array", + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", "elements": { - "type": "record", "fields": [ { "in": { - "type": "string", "required": true, "one_of": [ "query", "header", "path" - ] + ], + "type": "string" } }, { @@ -97,7 +105,6 @@ }, { "style": { - "type": "string", "one_of": [ "label", "form", @@ -106,7 +113,8 @@ "spaceDelimited", "pipeDelimited", "deepObject" - ] + ], + "type": "string" } }, { 
@@ -136,22 +144,21 @@ ] } } - ] + ], + "type": "record" }, - "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified." + "type": "array" } }, { "verbose_response": { + "description": "If enabled, the plugin returns more verbose and detailed validation errors.", "default": false, - "type": "boolean", "required": true, - "description": "If enabled, the plugin returns more verbose and detailed validation errors." + "type": "boolean" } } ], - "type": "record", - "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -159,16 +166,9 @@ "parameter_schema" ] } - ] - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] + ], + "required": true, + "type": "record" } } ] diff --git a/schemas/response-ratelimiting/3.4.x.json b/schemas/response-ratelimiting/3.4.x.json index d2093247..04f8a2cc 100644 --- a/schemas/response-ratelimiting/3.4.x.json +++ b/schemas/response-ratelimiting/3.4.x.json 
@@ -1,170 +1,201 @@ { + "entity_checks": [ + { + "conditional": { + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis_host", + "if_field": "config.policy" + } + }, + { + "conditional": { + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis_port", + "if_field": "config.policy" + } + }, + { + "conditional": { + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis_timeout", + "if_field": "config.policy" + } + } + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "header_name": { + "description": "The name of the response header used to increment the counters.", "default": "x-kong-limit", - "type": "string", - "description": "The name of the response header used to increment the counters." + "type": "string" } }, { "limit_by": { + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. 
If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", "default": "consumer", - "type": "string", "one_of": [ "consumer", "credential", "ip" ], - "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`." + "type": "string" } }, { "policy": { + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", "default": "local", - "type": "string", "one_of": [ "local", "cluster", "redis" ], - "description": "The rate-limiting policies to use for retrieving and incrementing the limits." + "type": "string" } }, { "fault_tolerant": { + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", "default": true, - "type": "boolean", "required": true, - "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors." + "type": "boolean" } }, { "redis_host": { - "description": "When using the `redis` policy, this property specifies the address to the Redis server.", - "type": "string" + "type": "string", + "description": "When using the `redis` policy, this property specifies the address to the Redis server." 
} }, { "redis_port": { - "default": 6379, - "type": "integer", - "description": "When using the `redis` policy, this property specifies the port of the Redis server.", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "When using the `redis` policy, this property specifies the port of the Redis server.", + "type": "integer" } }, { "redis_password": { - "len_min": 0, - "type": "string", + "referenceable": true, "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", - "referenceable": true + "len_min": 0, + "type": "string" } }, { "redis_username": { - "type": "string", + "referenceable": true, "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.\nThis requires Redis v6.0.0+. The username **cannot** be set to `default`.", - "referenceable": true + "type": "string" } }, { "redis_ssl": { + "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server.", "default": false, - "type": "boolean", "required": true, - "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server." + "type": "boolean" } }, { "redis_ssl_verify": { + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies if the server SSL certificate is validated. Note that you need to configure the `lua_ssl_trusted_certificate` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, - "type": "boolean", "required": true, - "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies if the server SSL certificate is validated. 
Note that you need to configure the `lua_ssl_trusted_certificate` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "type": "boolean" } }, { "redis_server_name": { - "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies the server name for the TLS extension Server Name Indication (SNI).", - "type": "string" + "type": "string", + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies the server name for the TLS extension Server Name Indication (SNI)." } }, { "redis_timeout": { + "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server.", "default": 2000, - "type": "number", - "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server." + "type": "number" } }, { "redis_database": { + "description": "When using the `redis` policy, this property specifies Redis database to use.", "default": 0, - "type": "number", - "description": "When using the `redis` policy, this property specifies Redis database to use." + "type": "number" } }, { "block_on_first_violation": { + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", "default": false, - "type": "boolean", "required": true, - "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too." 
+ "type": "boolean" } }, { "hide_client_headers": { + "description": "Optionally hide informative response headers.", "default": false, - "type": "boolean", "required": true, - "description": "Optionally hide informative response headers." + "type": "boolean" } }, { "limits": { - "keys": { - "type": "string" - }, - "required": true, - "len_min": 1, - "type": "map", "values": { "fields": [ { @@ -204,8 +235,6 @@ } } ], - "type": "record", - "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -217,51 +246,22 @@ "year" ] } - ] + ], + "required": true, + "type": "record" }, - "description": "A map that defines rate limits for the plugin." + "type": "map", + "len_min": 1, + "description": "A map that defines rate limits for the plugin.", + "required": true, + "keys": { + "type": "string" + } } } ], - "required": true - } - } - ], - "entity_checks": [ - { - "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis_host", - "if_field": "config.policy", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis_port", - "if_field": "config.policy", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis_timeout", - "if_field": "config.policy", - "then_match": { - "required": true - } + "required": true, + "type": "record" } } ] diff --git a/schemas/response-transformer-advanced/3.4.x.json b/schemas/response-transformer-advanced/3.4.x.json index 743e9a4a..ddfe3a2a 100644 --- a/schemas/response-transformer-advanced/3.4.x.json +++ b/schemas/response-transformer-advanced/3.4.x.json 
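Review bot: The `redis_ssl` and `redis_ssl_verify` descriptions in the first response-ratelimiting hunk (`@@ -1,170 +1,201 @@`) do not say what their `false` defaults mean for a `redis` policy deployment. With both left at the default, the value of `redis_password` travels to Redis without TLS, and even with `redis_ssl` on, the server certificate is not checked. The three `conditional` entity checks only require `redis_host`, `redis_port` and `redis_timeout` when `config.policy` is `redis`, so nothing in the schema prompts an operator to enable either flag. I would append to the `redis_ssl_verify` description a sentence such as "Defaults to `false`, so the Redis server certificate is not validated unless this is set to `true`.", with a matching sentence on `redis_ssl`. Because these descriptions are pulled from the API, the wording presumably has to change in the upstream schema rather than in this file.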
@@ -1,44 +1,45 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "config": { - "type": "record", "fields": [ { "remove": { - "type": "record", "fields": [ { "json": { "default": [ ], - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } }, { @@ -46,10 +47,10 @@ "default": [ ], - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } }, { @@ -57,30 +58,30 @@ "default": [ ], - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } }, { "rename": { - "type": "record", "fields": [ { "headers": { "default": [ ], - "type": "array", "elements": { - "match": "^[^:]+:.*$", - "type": "string" - } + "type": "string", + "match": "^[^:]+:.*$" + }, + "type": "array" } }, { @@ -88,19 +89,19 @@ "default": [ ], - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } }, { "replace": { - "type": "record", "fields": [ { "body": { @@ -113,10 +114,10 @@ "default": [ ], - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } }, { @@ -124,15 +125,15 @@ "default": [ ], - "type": "array", "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] - } + ], + "type": "string" + }, + "type": "array" } }, { @@ -140,10 +141,10 @@ "default": [ ], - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } }, { 
@@ -151,29 +152,29 @@ "default": [ ], - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } }, { "add": { - "type": "record", "fields": [ { "json": { "default": [ ], - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } }, { @@ -181,15 +182,15 @@ "default": [ ], - "type": "array", "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] - } + ], + "type": "string" + }, + "type": "array" } }, { @@ -197,10 +198,10 @@ "default": [ ], - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } }, { @@ -208,29 +209,29 @@ "default": [ ], - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } }, { "append": { - "type": "record", "fields": [ { "json": { "default": [ ], - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } }, { @@ -238,15 +239,15 @@ "default": [ ], - "type": "array", "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] - } + ], + "type": "string" + }, + "type": "array" } }, { @@ -254,10 +255,10 @@ "default": [ ], - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } }, { @@ -265,19 +266,19 @@ "default": [ ], - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } }, { "allow": { - "type": "record", "fields": [ { "json": { @@ -288,22 +289,22 @@ } } ], - "required": true + "required": true, + "type": "record" } }, { "transform": { - "type": "record", "fields": [ { "functions": { "default": [ ], - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } }, { @@ -311,10 +312,10 @@ "default": [ ], - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } }, { 
@@ -322,29 +323,28 @@ "default": [ ], - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } }, { "dots_in_keys": { "default": true, - "type": "boolean", - "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects.." + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", + "type": "boolean" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/response-transformer/3.4.x.json b/schemas/response-transformer/3.4.x.json index c74f4453..6e3a84ee 100644 --- a/schemas/response-transformer/3.4.x.json +++ b/schemas/response-transformer/3.4.x.json 
@@ -1,246 +1,246 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "config": { - "type": "record", "fields": [ { "remove": { - "type": "record", "fields": [ { "json": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" - } + }, + "type": "array" } }, { "headers": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" - } + }, + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } }, { "rename": { - "type": "record", "fields": [ { "headers": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "match": "^[^:]+:.*$", "type": "string" - } + }, + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } }, { "replace": { - "type": "record", "fields": [ { "json": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { - "match": "^[^:]+:.*$", - "type": "string" - } + "type": "string", + "match": "^[^:]+:.*$" + }, + "type": "array" } }, { "json_types": { - "required": true, "default": [ ], - "type": "array", "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] + ], + "type": "string" }, - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." + "type": "array", + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. 
Each string element can be one of: boolean, number, or string.", + "required": true } }, { "headers": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { - "match": "^[^:]+:.*$", - "type": "string" - } + "type": "string", + "match": "^[^:]+:.*$" + }, + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } }, { "add": { - "type": "record", "fields": [ { "json": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { - "match": "^[^:]+:.*$", - "type": "string" - } + "type": "string", + "match": "^[^:]+:.*$" + }, + "type": "array" } }, { "json_types": { - "required": true, "default": [ ], - "type": "array", "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] + ], + "type": "string" }, - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." + "type": "array", + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. 
Each string element can be one of: boolean, number, or string.", + "required": true } }, { "headers": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { - "match": "^[^:]+:.*$", - "type": "string" - } + "type": "string", + "match": "^[^:]+:.*$" + }, + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } }, { "append": { - "type": "record", "fields": [ { "json": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { - "match": "^[^:]+:.*$", - "type": "string" - } + "type": "string", + "match": "^[^:]+:.*$" + }, + "type": "array" } }, { "json_types": { - "required": true, "default": [ ], - "type": "array", "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] + ], + "type": "string" }, - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." + "type": "array", + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "required": true } }, { "headers": { + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { - "match": "^[^:]+:.*$", - "type": "string" - } + "type": "string", + "match": "^[^:]+:.*$" + }, + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/route-by-header/3.4.x.json b/schemas/route-by-header/3.4.x.json index 9cdd763c..28fec8bc 100644 --- a/schemas/route-by-header/3.4.x.json +++ b/schemas/route-by-header/3.4.x.json 
@@ -1,45 +1,47 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "rules": { "default": [ ], - "type": "array", + "description": "Route by header rules.", "elements": { "fields": [ { @@ -50,29 +52,27 @@ }, { "condition": { - "keys": { + "values": { "type": "string" }, - "required": true, - "len_min": 1, "type": "map", - "values": { + "len_min": 1, + "keys": { "type": "string" - } + }, + "required": true } } ], "type": "record" }, - "description": "Route by header rules." + "type": "array" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/route-transformer-advanced/3.4.x.json b/schemas/route-transformer-advanced/3.4.x.json index e8bb9558..8b34c46e 100644 --- a/schemas/route-transformer-advanced/3.4.x.json +++ b/schemas/route-transformer-advanced/3.4.x.json 
@@ -1,33 +1,36 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { @@ -50,13 +53,11 @@ }, { "escape_path": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } } ], - "type": "record", - "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -65,11 +66,10 @@ "host" ] } - ] + ], + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/saml/3.4.x.json b/schemas/saml/3.4.x.json index 699c865d..ab70c14d 100644 --- a/schemas/saml/3.4.x.json +++ b/schemas/saml/3.4.x.json 
@@ -1,124 +1,51 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "shorthand_fields": [ - { - "session_cookie_lifetime": { - "type": "number" - } - }, - { - "session_cookie_idletime": { - "type": "number" - } - }, - { - "session_cookie_samesite": { - "type": "string" - } - }, - { - "session_cookie_httponly": { - "type": "boolean" - } - }, - { - "session_memcache_prefix": { - "type": "string" - } - }, - { - "session_memcache_socket": { - "type": "string" - } - }, - { - "session_memcache_host": { - "type": "string" - } - }, - { - "session_memcache_port": { - "type": "integer" - } - }, - { - "session_redis_cluster_maxredirections": { - "type": "integer" - } - }, - { - "session_cookie_renew": { - "type": "number" - } - }, - { - "session_cookie_maxsize": { - "type": "integer" - } - }, - { - "session_strategy": { - "type": "string" - } - }, - { - "session_compressor": { - "type": "string" - } - }, - { - "session_auth_ttl": { - "type": "number" - } - } - ], - "type": 
"record", - "required": true, "fields": [ { "assertion_consumer_path": { - "required": true, - "starts_with": "/", "type": "string", "match_none": [ { 
@@ -126,277 +53,278 @@ "err": "must not have empty segments" } ], + "starts_with": "/", + "required": true, "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "idp_sso_url": { - "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "type": "string" } }, { "idp_certificate": { - "required": false, "referenceable": true, "type": "string", - "encrypted": true, - "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines." + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "required": false, + "encrypted": true } }, { "response_encryption_key": { - "required": false, "referenceable": true, "type": "string", - "encrypted": true, - "description": "The private encryption key required to decrypt encrypted assertions." + "description": "The private encryption key required to decrypt encrypted assertions.", + "required": false, + "encrypted": true } }, { "request_signing_key": { - "required": false, "referenceable": true, "type": "string", - "encrypted": true, - "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well." + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. 
The `request_signing_certificate` parameter must be set as well.", + "required": false, + "encrypted": true } }, { "request_signing_certificate": { - "required": false, "referenceable": true, "type": "string", - "encrypted": true, - "description": "The certificate for signing requests." + "description": "The certificate for signing requests.", + "required": false, + "encrypted": true } }, { "request_signature_algorithm": { - "required": false, "default": "SHA256", "type": "string", + "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "required": false, "one_of": [ "SHA256", "SHA384", "SHA512" - ], - "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`" + ] } }, { "request_digest_algorithm": { - "required": false, "default": "SHA256", "type": "string", + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", + "required": false, "one_of": [ "SHA256", "SHA1" - ], - "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`" + ] } }, { "response_signature_algorithm": { - "required": false, "default": "SHA256", "type": "string", + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "required": false, "one_of": [ "SHA256", "SHA384", "SHA512" - ], - "description": "The algorithm for validating signatures in SAML responses. 
Options available are: - `SHA256` - `SHA384` - `SHA512`" + ] } }, { "response_digest_algorithm": { - "required": false, "default": "SHA256", "type": "string", + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", + "required": false, "one_of": [ "SHA256", "SHA1" - ], - "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`" + ] } }, { "issuer": { - "type": "string", + "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", "required": true, - "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP." + "type": "string" } }, { "nameid_format": { - "required": false, "default": "EmailAddress", "type": "string", + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", + "required": false, "one_of": [ "Unspecified", "EmailAddress", "Persistent", "Transient" - ], - "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`" + ] } }, { "validate_assertion_signature": { "default": true, - "type": "boolean", + "description": "Enable signature validation for SAML responses.", "required": false, - "description": "Enable signature validation for SAML responses." + "type": "boolean" } }, { "anonymous": { - "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. 
If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", "required": false, - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username." + "type": "string" } }, { "session_secret": { "referenceable": true, + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", "required": true, - "encrypted": true, + "match": "^[0-9a-zA-Z/_+]+$", "len_min": 32, "len_max": 32, - "match": "^[0-9a-zA-Z/_+]+$", - "type": "string", - "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange." + "encrypted": true, + "type": "string" } }, { "session_audience": { "default": "default", - "type": "string", + "description": "The session audience, for example \"my-application\"", "required": false, - "description": "The session audience, for example \"my-application\"" + "type": "string" } }, { "session_cookie_name": { "default": "session", - "type": "string", + "description": "The session cookie name.", "required": false, - "description": "The session cookie name." 
+ "type": "string" } }, { "session_remember": { "default": false, - "type": "boolean", + "description": "Enables or disables persistent sessions", "required": false, - "description": "Enables or disables persistent sessions" + "type": "boolean" } }, { "session_remember_cookie_name": { "default": "remember", - "type": "string", + "description": "Persistent session cookie name", "required": false, - "description": "Persistent session cookie name" + "type": "string" } }, { "session_remember_rolling_timeout": { "default": 604800, - "type": "number", + "description": "Persistent session rolling timeout in seconds.", "required": false, - "description": "Persistent session rolling timeout in seconds." + "type": "number" } }, { "session_remember_absolute_timeout": { "default": 2592000, - "type": "number", + "description": "Persistent session absolute timeout in seconds.", "required": false, - "description": "Persistent session absolute timeout in seconds." + "type": "number" } }, { "session_idling_timeout": { "default": 900, - "type": "number", + "description": "The session cookie idle time in seconds.", "required": false, - "description": "The session cookie idle time in seconds." + "type": "number" } }, { "session_rolling_timeout": { "default": 3600, - "type": "number", + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", "required": false, - "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid." + "type": "number" } }, { "session_absolute_timeout": { "default": 86400, - "type": "number", + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", "required": false, - "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid." 
+ "type": "number" } }, { "session_cookie_path": { - "required": false, "default": "/", - "starts_with": "/", "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/", + "required": false, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ], - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + ] } }, { "session_cookie_domain": { - "type": "string", + "description": "The session cookie domain flag.", "required": false, - "description": "The session cookie domain flag." + "type": "string" } }, { "session_cookie_same_site": { - "required": false, "default": "Lax", "type": "string", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "required": false, "one_of": [ "Strict", "Lax", "None", "Default" - ], - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." + ] } }, { "session_cookie_http_only": { "default": true, - "type": "boolean", + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "required": false, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." 
+ "type": "boolean" } }, { "session_cookie_secure": { - "type": "boolean", + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "required": false, - "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." + "type": "boolean" } }, { "session_request_headers": { "elements": { - "type": "string", "one_of": [ "id", "audience", @@ -405,7 +333,8 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ] + ], + "type": "string" }, "type": "set" } @@ -413,7 +342,6 @@ { "session_response_headers": { "elements": { - "type": "string", "one_of": [ "id", "audience", 
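Review bot: `request_digest_algorithm` and `response_digest_algorithm` keep `SHA1` in `one_of`, and the descriptions in this hunk list it next to `SHA256` without marking it as a legacy choice. Since these strings are what the rendered plugin reference will show, I would word them as `"description": "The algorithm for verifying digest in SAML responses: SHA256 (default, recommended) or SHA1 (legacy IdPs only)"`, and likewise for the request side. In the same hunk `session_rolling_timeout` carries the `session_absolute_timeout` text ("The session cookie absolute timeout in seconds…"), so a reader cannot tell what its 3600-second default governs. Both strings come from the downloaded schema, so the wording presumably has to be corrected at the source and pulled again.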
@@ -422,229 +350,301 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ] + ], + "type": "string" }, "type": "set" } }, { "session_storage": { - "required": false, "default": "cookie", "type": "string", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", + "required": false, "one_of": [ "cookie", "memcache", "memcached", "redis" - ], - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis" + ] } }, { "session_store_metadata": { "default": false, - "type": "boolean", + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", "required": false, - "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject." + "type": "boolean" } }, { "session_enforce_same_subject": { "default": false, - "type": "boolean", + "description": "When set to `true`, audiences are forced to share the same subject.", "required": false, - "description": "When set to `true`, audiences are forced to share the same subject." + "type": "boolean" } }, { "session_hash_subject": { "default": false, - "type": "boolean", + "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", "required": false, - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." + "type": "boolean" } }, { "session_hash_storage_key": { "default": false, - "type": "boolean", + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "required": false, - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." + "type": "boolean" } }, { "session_memcached_prefix": { - "type": "string", + "description": "The memcached session key prefix.", "required": false, - "description": "The memcached session key prefix." + "type": "string" } }, { "session_memcached_socket": { - "type": "string", + "description": "The memcached unix socket path.", "required": false, - "description": "The memcached unix socket path." + "type": "string" } }, { "session_memcached_host": { "default": "127.0.0.1", - "type": "string", + "description": "The memcached host.", "required": false, - "description": "The memcached host." + "type": "string" } }, { "session_memcached_port": { - "required": false, + "default": 11211, + "type": "integer", "between": [ 0, 65535 ], - "default": 11211, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": false } }, { "session_redis_prefix": { - "type": "string", + "description": "The Redis session key prefix.", "required": false, - "description": "The Redis session key prefix." 
+ "type": "string" } }, { "session_redis_socket": { - "type": "string", + "description": "The Redis unix socket path.", "required": false, - "description": "The Redis unix socket path." + "type": "string" } }, { "session_redis_host": { "default": "127.0.0.1", - "type": "string", + "description": "The Redis host IP.", "required": false, - "description": "The Redis host IP." + "type": "string" } }, { "session_redis_port": { - "required": false, + "default": 6379, + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": false } }, { "session_redis_username": { "referenceable": true, - "type": "string", + "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", "required": false, - "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." + "type": "string" } }, { "session_redis_password": { - "required": false, "referenceable": true, "type": "string", - "encrypted": true, - "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. This value is pulled from" + "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. 
This value is pulled from", + "required": false, + "encrypted": true } }, { "session_redis_connect_timeout": { - "type": "integer", + "description": "The Redis connection timeout in milliseconds.", "required": false, - "description": "The Redis connection timeout in milliseconds." + "type": "integer" } }, { "session_redis_read_timeout": { - "type": "integer", + "description": "The Redis read timeout in milliseconds.", "required": false, - "description": "The Redis read timeout in milliseconds." + "type": "integer" } }, { "session_redis_send_timeout": { - "type": "integer", + "description": "The Redis send timeout in milliseconds.", "required": false, - "description": "The Redis send timeout in milliseconds." + "type": "integer" } }, { "session_redis_ssl": { "default": false, - "type": "boolean", + "description": "Use SSL/TLS for the Redis connection.", "required": false, - "description": "Use SSL/TLS for the Redis connection." + "type": "boolean" } }, { "session_redis_ssl_verify": { "default": false, - "type": "boolean", + "description": "Verify the Redis server certificate.", "required": false, - "description": "Verify the Redis server certificate." + "type": "boolean" } }, { "session_redis_server_name": { - "type": "string", + "description": "The SNI used for connecting to the Redis server.", "required": false, - "description": "The SNI used for connecting to the Redis server." + "type": "string" } }, { "session_redis_cluster_nodes": { "required": false, - "type": "array", + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", "elements": { "fields": [ { "ip": { + "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "type": "string", "required": true, - "description": "A string representing a host name, such as example.com." 
+ "type": "string" } }, { "port": { - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } } ], "type": "record" }, - "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values." + "type": "array" } }, { "session_redis_cluster_max_redirections": { - "type": "integer", + "description": "The Redis cluster maximum redirects.", "required": false, - "description": "The Redis cluster maximum redirects." + "type": "integer" + } + } + ], + "shorthand_fields": [ + { + "session_cookie_lifetime": { + "type": "number" + } + }, + { + "session_cookie_idletime": { + "type": "number" + } + }, + { + "session_cookie_samesite": { + "type": "string" + } + }, + { + "session_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "type": "string" + } + }, + { + "session_memcache_socket": { + "type": "string" + } + }, + { + "session_memcache_host": { + "type": "string" + } + }, + { + "session_memcache_port": { + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer" + } + }, + { + "session_cookie_renew": { + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "type": "integer" + } + }, + { + "session_strategy": { + "type": "string" + } + }, + { + "session_compressor": { + "type": "string" + } + }, + { + "session_auth_ttl": { + "type": "number" } } - ] + ], + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/session/3.4.x.json b/schemas/session/3.4.x.json index ed891bb2..09b14172 100644 --- a/schemas/session/3.4.x.json +++ b/schemas/session/3.4.x.json 
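Review bot: The `session_redis_password` description ends mid-sentence at "This value is pulled from", so the published reference never says where the password comes from; the clause should be completed or dropped at the source. The same hunk documents `session_redis_ssl` and `session_redis_ssl_verify` with `"default": false` and one-line descriptions, which omits that with these defaults the Redis password and session data travel without TLS, or with TLS but no certificate check. I would extend the text to something like `"description": "Verify the Redis server certificate. Off by default; enable together with session_redis_ssl when Redis is not on a trusted local link."`. Separately, `session_storage` accepts `memcache` in `one_of` while its description names only `memcached`.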
@@ -1,25 +1,26 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -32,129 +33,92 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS." + "type": "string" }, - "description": "A set of strings representing protocols." + "type": "set", + "description": "A set of strings representing protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "shorthand_fields": [ - { - "cookie_lifetime": { - "type": "number" - } - }, - { - "cookie_idletime": { - "type": "number" - } - }, - { - "cookie_renew": { - "type": "number" - } - }, - { - "cookie_discard": { - "type": "number" - } - }, - { - "cookie_samesite": { - "type": "string" - } - }, - { - "cookie_httponly": { - "type": "boolean" - } - }, - { - "cookie_persistent": { - "type": "boolean" - } - } - ], - "type": "record", - "required": true, "fields": [ { "secret": { - "required": false, - "description": "The secret that is used in keyed HMAC generation.", - "default": "wXhRlE4nPT2CwAuqu57egsj16Ij4G8g3F68UL06nBiUu", + "referenceable": true, + "default": "SlGI58s4QRfcq8J6AW5LSteAUJxQJUqY1pBFtkl3l6Ij", "type": "string", - "encrypted": true, - "referenceable": true + "description": "The secret that is used in keyed HMAC generation.", + "required": false, + "encrypted": true } }, { "storage": { + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", "default": "cookie", - "type": "string", "one_of": [ "cookie", "kong" ], - "description": "Determines where the session data is stored. 
`kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself." + "type": "string" } }, { "audience": { + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", "default": "default", - "type": "string", - "description": "The session audience, which is the intended target application. For example `\"my-application\"`." + "type": "string" } }, { "idling_timeout": { + "description": "The session cookie idle time, in seconds.", "default": 900, - "type": "number", - "description": "The session cookie idle time, in seconds." + "type": "number" } }, { "rolling_timeout": { + "description": "The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed.", "default": 3600, - "type": "number", - "description": "The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed." + "type": "number" } }, { "absolute_timeout": { + "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", "default": 86400, - "type": "number", - "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid." + "type": "number" } }, { "stale_ttl": { + "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", "default": 10, - "type": "number", - "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one." 
+ "type": "number" } }, { "cookie_name": { + "description": "The name of the cookie.", "default": "session", - "type": "string", - "description": "The name of the cookie." + "type": "string" } }, { "cookie_path": { + "description": "The resource in the host where the cookie is available.", "default": "/", - "type": "string", - "description": "The resource in the host where the cookie is available." + "type": "string" } }, { 
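Review bot: The `default` of the `secret` field changes here from one random-looking string to another while nothing else about the field changes, which suggests the value is generated by whichever Kong instance served the schema and is not a fixed default. Committing it to `schemas/session/3.4.x.json` makes every re-download produce a spurious diff and invites readers to copy the printed value as their HMAC secret. I would replace it after download with an obvious placeholder, e.g. `"default": "<generated-per-instance>"`, or drop the key. The description could also say that the secret should be set explicitly, or supplied as a reference, given that the field is already marked `referenceable`.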
@@ -165,64 +129,63 @@ }, { "cookie_same_site": { + "description": "Determines whether and how a cookie may be sent with cross-site requests.", "default": "Strict", - "type": "string", "one_of": [ "Strict", "Lax", "None", "Default" ], - "description": "Determines whether and how a cookie may be sent with cross-site requests." + "type": "string" } }, { "cookie_http_only": { + "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", "default": true, - "type": "boolean", - "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server." + "type": "boolean" } }, { "cookie_secure": { + "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", "default": true, - "type": "boolean", - "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol." + "type": "boolean" } }, { "remember": { + "description": "Enables or disables persistent sessions.", "default": false, - "type": "boolean", - "description": "Enables or disables persistent sessions." + "type": "boolean" } }, { "remember_cookie_name": { + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", "default": "remember", - "type": "string", - "description": "Persistent session cookie name. Use with the `remember` configuration parameter." + "type": "string" } }, { "remember_rolling_timeout": { + "description": "The persistent session rolling timeout window, in seconds.", "default": 604800, - "type": "number", - "description": "The persistent session rolling timeout window, in seconds." + "type": "number" } }, { "remember_absolute_timeout": { + "description": "The persistent session absolute timeout limit, in seconds.", "default": 2592000, - "type": "number", - "description": "The persistent session absolute timeout limit, in seconds." 
+ "type": "number" } }, { "response_headers": { - "type": "set", + "description": "List of information to include, as headers, in the response to the downstream.", "elements": { - "type": "string", "one_of": [ "id", "audience", @@ -231,16 +194,16 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ] + ], + "type": "string" }, - "description": "List of information to include, as headers, in the response to the downstream." + "type": "set" } }, { "request_headers": { - "type": "set", + "description": "List of information to include, as headers, in the response to the downstream.", "elements": { - "type": "string", "one_of": [ "id", "audience", @@ -249,9 +212,10 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ] + ], + "type": "string" }, - "description": "List of information to include, as headers, in the response to the downstream." + "type": "set" } }, { 
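Review bot: The `request_headers` description added in this hunk is word for word the `response_headers` one ("…in the response to the downstream"), so the two fields read as if they did the same thing. Going by the field name, this one presumably controls headers added to the request sent upstream; if so, the text should be `"description": "List of information to include, as headers, in the request to the upstream."`. The difference matters to operators because the allowed values include the session `id` and `audience`, and which side receives those headers decides who can read them. The commit message says these files are pulled from the API, so the wording needs correcting where the schema is defined or the next download will restore it.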
@@ -260,37 +224,73 @@ "POST", "DELETE" ], - "type": "set", + "description": "A set of HTTP methods that the plugin will respond to.", "elements": { - "type": "string", "one_of": [ "GET", "POST", "DELETE" - ] + ], + "type": "string" }, - "description": "A set of HTTP methods that the plugin will respond to." + "type": "set" } }, { "logout_query_arg": { + "description": "The query argument passed to logout requests.", "default": "session_logout", - "type": "string", - "description": "The query argument passed to logout requests." + "type": "string" } }, { "logout_post_arg": { + "description": "The POST argument passed to logout requests. Do not change this property.", "default": "session_logout", - "type": "string", - "description": "The POST argument passed to logout requests. Do not change this property." + "type": "string" + } + } + ], + "type": "record", + "required": true, + "shorthand_fields": [ + { + "cookie_lifetime": { + "type": "number" + } + }, + { + "cookie_idletime": { + "type": "number" + } + }, + { + "cookie_renew": { + "type": "number" + } + }, + { + "cookie_discard": { + "type": "number" + } + }, + { + "cookie_samesite": { + "type": "string" + } + }, + { + "cookie_httponly": { + "type": "boolean" + } + }, + { + "cookie_persistent": { + "type": "boolean" } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/statsd-advanced/3.4.x.json b/schemas/statsd-advanced/3.4.x.json index 16c92874..ea5b48b9 100644 --- a/schemas/statsd-advanced/3.4.x.json +++ b/schemas/statsd-advanced/3.4.x.json @@ -1,17 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
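Review bot: The seven `shorthand_fields` entries added at the end of this hunk (`cookie_lifetime`, `cookie_idletime`, `cookie_renew`, `cookie_discard`, `cookie_samesite`, `cookie_httponly`, `cookie_persistent`) carry only a `type`, with no `description`, `default` or `one_of`. A reader cannot tell from the schema which documented field each name sets. In particular, `cookie_samesite` does not repeat the `Strict`/`Lax`/`None`/`Default` list that `cookie_same_site` declares, so it is unclear from here whether a value given under the short name is checked against that list. Each entry should get a one-line description naming the field it maps to, for example `"description": "Shorthand for <current field name>."`, filled in from the plugin's schema definition.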
@@ -24,55 +25,56 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS." + "type": "string" }, - "description": "A set of strings representing protocols." + "type": "set", + "description": "A set of strings representing protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "host": { "default": "localhost", - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { - "default": 8125, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "prefix": { + "description": "String to prefix to each metric's name.", "default": "kong", - "type": "string", - "description": "String to prefix to each metric's name." + "type": "string" } }, { "metrics": { "default": [ { - "sample_rate": 1, + "stat_type": "counter", "name": "request_count", - "stat_type": "counter" + "sample_rate": 1 }, { "stat_type": "timer", @@ -83,9 +85,9 @@ "name": "request_size" }, { - "sample_rate": 1, + "stat_type": "counter", "name": "status_count", - "stat_type": "counter" + "sample_rate": 1 }, { "stat_type": "timer", @@ -96,9 +98,9 @@ "name": "unique_users" }, { - "sample_rate": 1, + "stat_type": "counter", "name": "request_per_user", - "stat_type": "counter" + "sample_rate": 1 }, { "stat_type": "timer", 
@@ -109,43 +111,41 @@ "name": "kong_latency" }, { - "sample_rate": 1, + "stat_type": "counter", "name": "status_count_per_user", - "stat_type": "counter" + "sample_rate": 1 }, { - "sample_rate": 1, + "stat_type": "counter", "name": "status_count_per_workspace", - "stat_type": "counter" + "sample_rate": 1 }, { - "sample_rate": 1, + "stat_type": "counter", "name": "status_count_per_user_per_route", - "stat_type": "counter" + "sample_rate": 1 }, { - "sample_rate": 1, + "stat_type": "gauge", "name": "shdict_usage", - "stat_type": "gauge" + "sample_rate": 1 }, { - "sample_rate": 1, + "stat_type": "counter", "name": "cache_datastore_hits_total", - "stat_type": "counter" + "sample_rate": 1 }, { - "sample_rate": 1, + "stat_type": "counter", "name": "cache_datastore_misses_total", - "stat_type": "counter" + "sample_rate": 1 } ], - "type": "array", + "description": "List of Metrics to be logged.", "elements": { - "type": "record", "fields": [ { "name": { - "type": "string", "required": true, "one_of": [ "kong_latency", @@ -163,12 +163,12 @@ "shdict_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" - ] + ], + "type": "string" } }, { "stat_type": { - "type": "string", "required": true, "one_of": [ "counter", 
@@ -177,63 +177,67 @@ "meter", "set", "timer" - ] + ], + "type": "string" } }, { "sample_rate": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { "consumer_identifier": { - "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ] + ], + "type": "string" } }, { "service_identifier": { - "type": "string", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ] + ], + "type": "string" } }, { "workspace_identifier": { - "type": "string", "one_of": [ "workspace_id", "workspace_name" - ] + ], + "type": "string" } } ], "entity_checks": [ { "conditional": { + "then_match": { + "eq": "set" + }, "if_match": { "one_of": [ "unique_users" ] }, "then_field": "stat_type", - "if_field": "name", - "then_match": { - "eq": "set" - } + "if_field": "name" } }, { "conditional": { + "then_match": { + "eq": "counter" + }, "if_match": { "one_of": [ "request_count", @@ -247,28 +251,28 @@ ] }, "then_field": "stat_type", - "if_field": "name", - "then_match": { - "eq": "counter" - } + "if_field": "name" } }, { "conditional": { + "then_match": { + "eq": "gauge" + }, "if_match": { "one_of": [ "shdict_usage" ] }, "then_field": "stat_type", - "if_field": "name", - "then_match": { - "eq": "gauge" - } + "if_field": "name" } }, { "conditional": { + "then_match": { + "required": true + }, "if_match": { "one_of": [ "counter", 
@@ -276,126 +280,123 @@ ] }, "then_field": "sample_rate", - "if_field": "stat_type", - "then_match": { - "required": true - } + "if_field": "stat_type" } } - ] + ], + "type": "record" }, - "description": "List of Metrics to be logged." + "type": "array" } }, { "allow_status_codes": { - "type": "array", + "description": "List of status code ranges that are allowed to be logged in metrics.", "elements": { "type": "string", "match": "^[0-9]+-[0-9]+$" }, - "description": "List of status code ranges that are allowed to be logged in metrics." + "type": "array" } }, { "udp_packet_size": { - "default": 0, - "type": "number", - "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", "between": [ 0, 65507 - ] + ], + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", + "default": 0, + "type": "number" } }, { "use_tcp": { + "description": "Use TCP instead of UDP.", "default": false, - "type": "boolean", - "description": "Use TCP instead of UDP." + "type": "boolean" } }, { "hostname_in_prefix": { + "description": "Include the `hostname` in the `prefix` for each metric name.", "default": false, - "type": "boolean", - "description": "Include the `hostname` in the `prefix` for each metric name." + "type": "boolean" } }, { "consumer_identifier_default": { - "required": true, "default": "custom_id", "type": "string", + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", + "required": true, "one_of": [ "consumer_id", "custom_id", "username" - ], - "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`." 
+ ] } }, { "service_identifier_default": { - "required": true, "default": "service_name_or_host", "type": "string", + "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", + "required": true, "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ], - "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`." + ] } }, { "workspace_identifier_default": { - "required": true, "default": "workspace_id", "type": "string", + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", + "required": true, "one_of": [ "workspace_id", "workspace_name" - ], - "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. " + ] } }, { "queue": { - "type": "record", "fields": [ { "max_batch_size": { - "default": 1, - "type": "integer", "between": [ 1, 1000000 ], - "description": "Maximum number of entries that can be processed at a time." + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer" } }, { "max_coalescing_delay": { - "default": 1, - "type": "number", "between": [ 0, 3600 ], - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." 
+ "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number" } }, { "max_entries": { - "default": 10000, - "type": "integer", "between": [ 1, 1000000 ], - "description": "Maximum number of entries that can be waiting on the queue." + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer" } }, { @@ -406,43 +407,42 @@ }, { "max_retry_time": { + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "default": 60, - "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "type": "number" } }, { "initial_retry_delay": { - "default": 0.01, - "type": "number", "between": [ 0.001, 1000000 ], - "description": "Time in seconds before the initial retry is made for a failing batch." + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number" } }, { "max_retry_delay": { - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number" } } ], - "required": true + "required": true, + "type": "record" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/statsd/3.4.x.json b/schemas/statsd/3.4.x.json index 39ea54dc..64c70f11 100644 --- a/schemas/statsd/3.4.x.json +++ b/schemas/statsd/3.4.x.json 
@@ -1,17 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -24,17 +25,19 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS." + "type": "string" }, - "description": "A set of strings representing protocols." + "type": "set", + "description": "A set of strings representing protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { 
@@ -43,63 +46,63 @@ { "host": { "default": "localhost", - "type": "string", - "description": "The IP address or hostname of StatsD server to send data to." + "description": "The IP address or hostname of StatsD server to send data to.", + "type": "string" } }, { "port": { - "default": 8125, - "type": "integer", - "description": "The port of StatsD server to send data to.", "between": [ 0, 65535 - ] + ], + "description": "The port of StatsD server to send data to.", + "default": 8125, + "type": "integer" } }, { "prefix": { + "description": "String to prefix to each metric's name.", "default": "kong", - "type": "string", - "description": "String to prefix to each metric's name." + "type": "string" } }, { "metrics": { "default": [ { - "sample_rate": 1, + "stat_type": "counter", "name": "request_count", - "stat_type": "counter" + "sample_rate": 1 }, { "stat_type": "timer", "name": "latency" }, { - "sample_rate": 1, + "stat_type": "counter", "name": "request_size", - "stat_type": "counter" + "sample_rate": 1 }, { - "sample_rate": 1, + "stat_type": "counter", "name": "status_count", - "stat_type": "counter" + "sample_rate": 1 }, { - "sample_rate": 1, + "stat_type": "counter", "name": "response_size", - "stat_type": "counter" + "sample_rate": 1 }, { "stat_type": "set", "name": "unique_users" }, { - "sample_rate": 1, + "stat_type": "counter", "name": "request_per_user", - "stat_type": "counter" + "sample_rate": 1 }, { "stat_type": "timer", 
@@ -110,42 +113,43 @@ "name": "kong_latency" }, { - "sample_rate": 1, + "stat_type": "counter", "name": "status_count_per_user", - "stat_type": "counter" + "sample_rate": 1 }, { - "sample_rate": 1, + "stat_type": "counter", "name": "status_count_per_workspace", - "stat_type": "counter" + "sample_rate": 1 }, { - "sample_rate": 1, + "stat_type": "counter", "name": "status_count_per_user_per_route", - "stat_type": "counter" + "sample_rate": 1 }, { - "sample_rate": 1, + "stat_type": "gauge", "name": "shdict_usage", - "stat_type": "gauge" + "sample_rate": 1 }, { - "sample_rate": 1, + "stat_type": "counter", "name": "cache_datastore_hits_total", - "stat_type": "counter" + "sample_rate": 1 }, { - "sample_rate": 1, + "stat_type": "counter", "name": "cache_datastore_misses_total", - "stat_type": "counter" + "sample_rate": 1 } ], - "type": "array", + "description": "List of metrics to be logged.", "elements": { - "type": "record", "fields": [ { "name": { + "required": true, + "description": "StatsD metric’s name.", "one_of": [ "kong_latency", "latency", @@ -163,13 +167,13 @@ "cache_datastore_hits_total", "cache_datastore_misses_total" ], - "type": "string", - "required": true, - "description": "StatsD metric’s name." + "type": "string" } }, { "stat_type": { + "required": true, + "description": "Determines what sort of event a metric represents.", "one_of": [ "counter", "gauge", 
@@ -178,55 +182,56 @@ "set", "timer" ], - "type": "string", - "required": true, - "description": "Determines what sort of event a metric represents." + "type": "string" } }, { "sample_rate": { + "description": "Sampling rate", "gt": 0, - "type": "number", - "description": "Sampling rate" + "type": "number" } }, { "consumer_identifier": { + "description": "Authenticated user detail.", "one_of": [ "consumer_id", "custom_id", "username" ], - "type": "string", - "description": "Authenticated user detail." + "type": "string" } }, { "service_identifier": { + "description": "Service detail.", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" ], - "type": "string", - "description": "Service detail." + "type": "string" } }, { "workspace_identifier": { + "description": "Workspace detail.", "one_of": [ "workspace_id", "workspace_name" ], - "type": "string", - "description": "Workspace detail." + "type": "string" } } ], "entity_checks": [ { "conditional": { + "then_match": { + "required": true + }, "if_match": { "one_of": [ "counter", @@ -234,35 +239,33 @@ ] }, "then_field": "sample_rate", - "if_field": "stat_type", - "then_match": { - "required": true - } + "if_field": "stat_type" } } - ] + ], + "type": "record" }, - "description": "List of metrics to be logged." + "type": "array" } }, { "allow_status_codes": { - "type": "array", + "description": "List of status code ranges that are allowed to be logged in metrics.", "elements": { "type": "string", "match": "^[0-9]+-[0-9]+$" }, - "description": "List of status code ranges that are allowed to be logged in metrics." + "type": "array" } }, { "udp_packet_size": { - "default": 0, - "type": "number", "between": [ 0, 65507 - ] + ], + "default": 0, + "type": "number" } }, { 
@@ -279,38 +282,38 @@ }, { "consumer_identifier_default": { - "default": "custom_id", - "type": "string", "required": true, + "default": "custom_id", "one_of": [ "consumer_id", "custom_id", "username" - ] + ], + "type": "string" } }, { "service_identifier_default": { - "default": "service_name_or_host", - "type": "string", "required": true, + "default": "service_name_or_host", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ] + ], + "type": "string" } }, { "workspace_identifier_default": { - "default": "workspace_id", - "type": "string", "required": true, + "default": "workspace_id", "one_of": [ "workspace_id", "workspace_name" - ] + ], + "type": "string" } }, { @@ -330,51 +333,50 @@ }, { "tag_style": { - "type": "string", "required": false, "one_of": [ "dogstatsd", "influxdb", "librato", "signalfx" - ] + ], + "type": "string" } }, { "queue": { - "type": "record", "fields": [ { "max_batch_size": { - "default": 1, - "type": "integer", "between": [ 1, 1000000 ], - "description": "Maximum number of entries that can be processed at a time." + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer" } }, { "max_coalescing_delay": { - "default": 1, - "type": "number", "between": [ 0, 3600 ], - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number" } }, { "max_entries": { - "default": 10000, - "type": "integer", "between": [ 1, 1000000 ], - "description": "Maximum number of entries that can be waiting on the queue." + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer" } }, { 
@@ -385,40 +387,39 @@ }, { "max_retry_time": { + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "default": 60, - "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "type": "number" } }, { "initial_retry_delay": { - "default": 0.01, - "type": "number", "between": [ 0.001, 1000000 ], - "description": "Time in seconds before the initial retry is made for a failing batch." + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number" } }, { "max_retry_delay": { - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number" } } ], - "required": true + "required": true, + "type": "record" } } ], - "type": "record", - "required": true, "entity_checks": [ { "custom_entity_check": { @@ -429,11 +430,10 @@ ] } } - ] + ], + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/syslog/3.4.x.json b/schemas/syslog/3.4.x.json index a2804c38..2bfc7bad 100644 --- a/schemas/syslog/3.4.x.json +++ b/schemas/syslog/3.4.x.json @@ -1,17 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -24,28 +25,28 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS." + "type": "string" }, - "description": "A set of strings representing protocols." + "type": "set", + "description": "A set of strings representing protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "log_level": { - "default": "info", - "type": "string", "required": true, + "default": "info", "one_of": [ "debug", "info", @@ -55,14 +56,14 @@ "crit", "alert", "emerg" - ] + ], + "type": "string" } }, { "successful_severity": { - "default": "info", - "type": "string", "required": true, + "default": "info", "one_of": [ "debug", "info", @@ -72,14 +73,14 @@ "crit", "alert", "emerg" - ] + ], + "type": "string" } }, { "client_errors_severity": { - "default": "info", - "type": "string", "required": true, + "default": "info", "one_of": [ "debug", "info", @@ -89,14 +90,14 @@ "crit", "alert", "emerg" - ] + ], + "type": "string" } }, { "server_errors_severity": { - "default": "info", - "type": "string", "required": true, + "default": "info", "one_of": [ "debug", "info", 
@@ -106,28 +107,30 @@ "crit", "alert", "emerg" - ] + ], + "type": "string" } }, { "custom_fields_by_lua": { - "values": { + "keys": { "len_min": 1, "type": "string" }, - "keys": { - "type": "string", - "len_min": 1 + "description": "Lua code as a key-value map", + "values": { + "len_min": 1, + "type": "string" }, - "type": "map", - "description": "Lua code as a key-value map" + "type": "map" } }, { "facility": { - "required": true, "default": "user", "type": "string", + "description": "The facility is used by the operating system to decide how to handle each log message.", + "required": true, "one_of": [ "auth", "authpriv", @@ -149,16 +152,13 @@ "local5", "local6", "local7" - ], - "description": "The facility is used by the operating system to decide how to handle each log message." + ] } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/tcp-log/3.4.x.json b/schemas/tcp-log/3.4.x.json index bda9036f..72d6f752 100644 --- a/schemas/tcp-log/3.4.x.json +++ b/schemas/tcp-log/3.4.x.json @@ -1,17 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
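Review bot: The `custom_fields_by_lua` description in this hunk, "Lua code as a key-value map", does not say what the keys are or that the values are code rather than data. The same field in the tcp-log schema later in this patch is described as a map where "the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value". Assuming the syslog field behaves the same way, that sentence should be reused here. Because the field accepts code, the description is also the place to say that write access to this plugin's configuration should be restricted accordingly.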
@@ -24,61 +25,62 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS." + "type": "string" }, - "description": "A set of strings representing protocols." + "type": "set", + "description": "A set of strings representing protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "host": { - "type": "string", + "description": "The IP address or host name to send data to.", "required": true, - "description": "The IP address or host name to send data to." + "type": "string" } }, { "port": { - "description": "The port to send data to on the upstream server.", - "type": "integer", - "required": true, "between": [ 0, 65535 - ] + ], + "description": "The port to send data to on the upstream server.", + "required": true, + "type": "integer" } }, { "timeout": { + "description": "An optional timeout in milliseconds when sending data to the upstream server.", "default": 10000, - "type": "number", - "description": "An optional timeout in milliseconds when sending data to the upstream server." + "type": "number" } }, { "keepalive": { + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", "default": 60000, - "type": "number", - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." + "type": "number" } }, { "tls": { + "description": "Indicates whether to perform a TLS handshake against the remote server.", "default": false, - "type": "boolean", "required": true, - "description": "Indicates whether to perform a TLS handshake against the remote server." 
+ "type": "boolean" } }, { @@ -89,24 +91,22 @@ }, { "custom_fields_by_lua": { + "values": { + "len_min": 1, + "type": "string" + }, "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", "keys": { - "type": "string", - "len_min": 1 - }, - "type": "map", - "values": { "len_min": 1, "type": "string" - } + }, + "type": "map" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/tls-handshake-modifier/3.4.x.json b/schemas/tls-handshake-modifier/3.4.x.json index 8e082047..b1be13fb 100644 --- a/schemas/tls-handshake-modifier/3.4.x.json +++ b/schemas/tls-handshake-modifier/3.4.x.json 
@@ -1,60 +1,60 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "protocols": { + "required": true, "default": [ "https", "grpcs" ], - "type": "set", - "required": true, "elements": { - "type": "string", "one_of": [ "https", "grpcs", "tls" - ] - } + ], + "type": "string" + }, + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "tls_client_certificate": { - "required": false, "default": "REQUEST", "type": "string", + "description": "TLS Client Certificate", + "required": false, "one_of": [ "REQUEST" - ], - "description": "TLS Client Certificate" + ] } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/tls-metadata-headers/3.4.x.json b/schemas/tls-metadata-headers/3.4.x.json index ffd00ed9..b603b3e1 100644 --- a/schemas/tls-metadata-headers/3.4.x.json +++ b/schemas/tls-metadata-headers/3.4.x.json 
@@ -1,96 +1,96 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "protocols": { + "required": true, "default": [ "https", "grpcs" ], - "type": "set", - "required": true, "elements": { - "type": "string", "one_of": [ "https", "grpcs", "tls" - ] - } + ], + "type": "string" + }, + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "inject_client_cert_details": { + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", "default": false, - "type": "boolean", - "description": "Enables TLS client certificate metadata values to be injected into HTTP headers." + "type": "boolean" } }, { "client_cert_header_name": { "default": "X-Client-Cert", - "type": "string", + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", "required": true, - "description": "Define the HTTP header name used for the PEM format URL encoded client certificate." + "type": "string" } }, { "client_serial_header_name": { "default": "X-Client-Cert-Serial", - "type": "string", + "description": "Define the HTTP header name used for the serial number of the client certificate.", "required": true, - "description": "Define the HTTP header name used for the serial number of the client certificate." 
+ "type": "string" } }, { "client_cert_issuer_dn_header_name": { "default": "X-Client-Cert-Issuer-DN", - "type": "string", + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", "required": true, - "description": "Define the HTTP header name used for the issuer DN of the client certificate." + "type": "string" } }, { "client_cert_subject_dn_header_name": { "default": "X-Client-Cert-Subject-DN", - "type": "string", + "description": "Define the HTTP header name used for the subject DN of the client certificate.", "required": true, - "description": "Define the HTTP header name used for the subject DN of the client certificate." + "type": "string" } }, { "client_cert_fingerprint_header_name": { "default": "X-Client-Cert-Fingerprint", - "type": "string", + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", "required": true, - "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate." + "type": "string" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/udp-log/3.4.x.json b/schemas/udp-log/3.4.x.json index d899959d..454bfece 100644 --- a/schemas/udp-log/3.4.x.json +++ b/schemas/udp-log/3.4.x.json @@ -1,17 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -24,68 +25,67 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS." + "type": "string" }, - "description": "A set of strings representing protocols." + "type": "set", + "description": "A set of strings representing protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "host": { - "type": "string", + "description": "A string representing a host name, such as example.com.", "required": true, - "description": "A string representing a host name, such as example.com." + "type": "string" } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", - "required": true, "between": [ 0, 65535 - ] + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "type": "integer" } }, { "timeout": { + "description": "An optional timeout in milliseconds when sending data to the upstream server.", "default": 10000, - "type": "number", - "description": "An optional timeout in milliseconds when sending data to the upstream server." + "type": "number" } }, { "custom_fields_by_lua": { - "values": { + "keys": { "len_min": 1, "type": "string" }, - "keys": { - "type": "string", - "len_min": 1 + "description": "Lua code as a key-value map", + "values": { + "len_min": 1, + "type": "string" }, - "type": "map", - "description": "Lua code as a key-value map" + "type": "map" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
diff --git a/schemas/upstream-timeout/3.4.x.json b/schemas/upstream-timeout/3.4.x.json index 936ee27a..b5569d95 100644 --- a/schemas/upstream-timeout/3.4.x.json +++ b/schemas/upstream-timeout/3.4.x.json 
@@ -1,75 +1,75 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "read_timeout": { - "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "connect_timeout": { - "type": "integer", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/vault-auth/3.4.x.json b/schemas/vault-auth/3.4.x.json index 7c46e3c7..e41bf777 100644 --- a/schemas/vault-auth/3.4.x.json 
+++ b/schemas/vault-auth/3.4.x.json 
@@ -1,112 +1,112 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "consumer": { - "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" } }, { "config": { - "type": "record", "fields": [ { "access_token_name": { - "required": true, "default": "access_token", - "type": "string", "elements": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." }, - "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-]." + "type": "string", + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. 
The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "required": true } }, { "secret_token_name": { - "required": true, "default": "secret_token", - "type": "string", "elements": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." }, - "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-]." + "type": "string", + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "required": true } }, { "vault": { "reference": "vault_auth_vaults", - "type": "foreign", + "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", "required": true, - "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API." + "type": "foreign" } }, { "hide_credentials": { "default": false, - "type": "boolean", - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. 
If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it." + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", + "type": "boolean" } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "tokens_in_body": { "default": false, - "type": "boolean", - "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." + "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" } }, { "run_on_preflight": { "default": true, - "type": "boolean", - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. 
If set to `false`, then `OPTIONS` requests will always be allowed." + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/websocket-size-limit/3.4.x.json b/schemas/websocket-size-limit/3.4.x.json index d44a1a7e..ab4a9625 100644 --- a/schemas/websocket-size-limit/3.4.x.json +++ b/schemas/websocket-size-limit/3.4.x.json @@ -1,28 +1,31 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { + "required": true, "default": [ "ws", "wss" ], - "type": "set", - "required": true, "elements": { - "type": "string", "one_of": [ "ws", "wss" - ] - } + ], + "type": "string" + }, + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { @@ -30,27 +33,25 @@ "fields": [ { "client_max_payload": { - "type": "integer", - "required": false, "between": [ 1, 33554432 - ] + ], + "required": false, + "type": "integer" } }, { "upstream_max_payload": { - "type": "integer", - "required": false, "between": [ 1, 33554432 - ] + ], + "required": false, + "type": "integer" } } ], - "type": "record", - "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -58,11 +59,10 @@ "upstream_max_payload" ] } - ] + ], + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/websocket-validator/3.4.x.json b/schemas/websocket-validator/3.4.x.json index 3abe44b3..df5dbd2c 100644 --- a/schemas/websocket-validator/3.4.x.json 
+++ b/schemas/websocket-validator/3.4.x.json @@ -1,28 +1,31 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { + "required": true, "default": [ "ws", "wss" ], - "type": "set", - "required": true, "elements": { - "type": "string", "one_of": [ "ws", "wss" - ] - } + ], + "type": "string" + }, + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { @@ -30,29 +33,25 @@ "fields": [ { "client": { - "required": false, - "type": "record", "fields": [ { "text": { - "required": false, - "type": "record", "fields": [ { "type": { + "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" ], - "type": "string", - "required": true, - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." + "type": "string" } }, { "schema": { - "type": "string", + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "required": true, - "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." + "type": "string" } } ], 
@@ -65,29 +64,29 @@ ] } } - ] + ], + "required": false, + "type": "record" } }, { "binary": { - "required": false, - "type": "record", "fields": [ { "type": { + "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" ], - "type": "string", - "required": true, - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." + "type": "string" } }, { "schema": { - "type": "string", + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "required": true, - "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." + "type": "string" } } ], @@ -100,7 +99,9 @@ ] } } - ] + ], + "required": false, + "type": "record" } } ], 
@@ -111,34 +112,32 @@ "binary" ] } - ] + ], + "required": false, + "type": "record" } }, { "upstream": { - "required": false, - "type": "record", "fields": [ { "text": { - "required": false, - "type": "record", "fields": [ { "type": { + "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" ], - "type": "string", - "required": true, - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." + "type": "string" } }, { "schema": { - "type": "string", + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "required": true, - "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." + "type": "string" } } ], @@ -151,29 +150,29 @@ ] } } - ] + ], + "required": false, + "type": "record" } }, { "binary": { - "required": false, - "type": "record", "fields": [ { "type": { + "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" ], - "type": "string", - "required": true, - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." + "type": "string" } }, { "schema": { - "type": "string", + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "required": true, - "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." + "type": "string" } } ], 
@@ -186,7 +185,9 @@ ] } } - ] + ], + "required": false, + "type": "record" } } ], @@ -197,12 +198,12 @@ "binary" ] } - ] + ], + "required": false, + "type": "record" } } ], - "type": "record", - "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -210,11 +211,10 @@ "upstream" ] } - ] + ], + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/xml-threat-protection/3.4.x.json b/schemas/xml-threat-protection/3.4.x.json index 37b4f5d4..5f9354d1 100644 --- a/schemas/xml-threat-protection/3.4.x.json +++ b/schemas/xml-threat-protection/3.4.x.json @@ -1,33 +1,36 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "description": "A set of strings representing HTTP protocols." + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { 
@@ -35,266 +38,263 @@ "fields": [ { "checked_content_types": { - "required": true, "default": [ "application/xml" ], - "type": "set", "elements": { "match": "^[^%s]+%/[^ ;]+$", "required": true, "type": "string" }, - "description": "A list of Content-Type values with payloads that must be validated." + "type": "set", + "description": "A list of Content-Type values with payloads that must be validated.", + "required": true } }, { "allowed_content_types": { - "required": true, "default": [ ], - "type": "set", "elements": { "match": "^[^%s]+%/[^ ;]+$", "required": true, "type": "string" }, - "description": "A list of Content-Type values with payloads that are allowed, but aren't validated." + "type": "set", + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", + "required": true } }, { "allow_dtd": { "default": false, - "type": "boolean", + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", "required": true, - "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed." + "type": "boolean" } }, { "namespace_aware": { "default": true, - "type": "boolean", + "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", "required": true, - "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such." + "type": "boolean" } }, { "max_depth": { - "gt": 0, - "required": true, "default": 50, "type": "integer", - "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level." + "description": "Maximum depth of tags. 
Child elements such as Text or Comments are not counted as another level.", + "required": true, + "gt": 0 } }, { "max_children": { - "gt": 0, - "required": true, "default": 100, "type": "integer", - "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child." + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", + "required": true, + "gt": 0 } }, { "max_attributes": { - "gt": 0, - "required": true, "default": 100, "type": "integer", - "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes." + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", + "required": true, + "gt": 0 } }, { "max_namespaces": { - "gt": 0, - "required": false, "default": 20, "type": "integer", - "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware." + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", + "required": false, + "gt": 0 } }, { "document": { "gt": 0, - "required": true, - "default": 10485760, "type": "integer", - "description": "Maximum size of the entire document." + "description": "Maximum size of the entire document.", + "required": true, + "default": 10485760 } }, { "buffer": { "gt": 0, - "required": true, - "default": 1048576, "type": "integer", - "description": "Maximum size of the unparsed buffer (see below)." 
+ "description": "Maximum size of the unparsed buffer (see below).", + "required": true, + "default": 1048576 } }, { "comment": { "gt": 0, - "required": true, - "default": 1024, "type": "integer", - "description": "Maximum size of comments." + "description": "Maximum size of comments.", + "required": true, + "default": 1024 } }, { "localname": { "gt": 0, - "required": true, - "default": 1024, "type": "integer", - "description": "Maximum size of the localname. This applies to tags and attributes." + "description": "Maximum size of the localname. This applies to tags and attributes.", + "required": true, + "default": 1024 } }, { "prefix": { "gt": 0, - "required": false, - "default": 1024, "type": "integer", - "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware." + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", + "required": false, + "default": 1024 } }, { "namespaceuri": { "gt": 0, - "required": false, - "default": 1024, "type": "integer", - "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware." + "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware.", + "required": false, + "default": 1024 } }, { "attribute": { "gt": 0, - "required": true, - "default": 1048576, "type": "integer", - "description": "Maximum size of the attribute value." + "description": "Maximum size of the attribute value.", + "required": true, + "default": 1048576 } }, { "text": { "gt": 0, - "required": true, - "default": 1048576, "type": "integer", - "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined)." 
+ "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", + "required": true, + "default": 1048576 } }, { "pitarget": { "gt": 0, - "required": true, - "default": 1024, "type": "integer", - "description": "Maximum size of processing instruction targets." + "description": "Maximum size of processing instruction targets.", + "required": true, + "default": 1024 } }, { "pidata": { "gt": 0, - "required": true, - "default": 1024, "type": "integer", - "description": "Maximum size of processing instruction data." + "description": "Maximum size of processing instruction data.", + "required": true, + "default": 1024 } }, { "entityname": { "gt": 0, - "required": true, - "default": 1024, "type": "integer", - "description": "Maximum size of entity names in EntityDecl." + "description": "Maximum size of entity names in EntityDecl.", + "required": true, + "default": 1024 } }, { "entity": { "gt": 0, - "required": true, - "default": 1024, "type": "integer", - "description": "Maximum size of entity values in EntityDecl." + "description": "Maximum size of entity values in EntityDecl.", + "required": true, + "default": 1024 } }, { "entityproperty": { "gt": 0, - "required": true, - "default": 1024, "type": "integer", - "description": "Maximum size of systemId, publicId, or notationName in EntityDecl." + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", + "required": true, + "default": 1024 } }, { "bla_max_amplification": { - "gt": 1, - "required": true, "default": 100, "type": "number", - "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack." + "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", + "required": true, + "gt": 1 } }, { "bla_threshold": { "gt": 1024, - "required": true, - "default": 8388608, "type": "integer", - "description": "Sets the threshold after which the protection starts. 
This protects against the Billion Laughs Attack." + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", + "required": true, + "default": 8388608 } } ], - "type": "record", - "required": true, "entity_checks": [ { "conditional": { + "then_match": { + "required": true + }, "if_match": { "eq": true }, "then_field": "max_namespaces", - "if_field": "namespace_aware", - "then_match": { - "required": true - } + "if_field": "namespace_aware" } }, { "conditional": { + "then_match": { + "required": true + }, "if_match": { "eq": true }, "then_field": "prefix", - "if_field": "namespace_aware", - "then_match": { - "required": true - } + "if_field": "namespace_aware" } }, { "conditional": { + "then_match": { + "required": true + }, "if_match": { "eq": true }, "then_field": "namespaceuri", - "if_field": "namespace_aware", - "then_match": { - "required": true - } + "if_field": "namespace_aware" } } - ] + ], + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/zipkin/3.4.x.json b/schemas/zipkin/3.4.x.json index b1cd5468..e7df563b 100644 --- a/schemas/zipkin/3.4.x.json +++ b/schemas/zipkin/3.4.x.json @@ -1,17 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "type": "set", "elements": { - "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -24,79 +25,81 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS." + "type": "string" }, - "description": "A set of strings representing protocols." + "type": "set", + "description": "A set of strings representing protocols.", + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "fields": [ { "local_service_name": { + "description": "The name of the service as displayed in Zipkin.", "default": "kong", - "type": "string", "required": true, - "description": "The name of the service as displayed in Zipkin." + "type": "string" } }, { "http_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "sample_ratio": { - "default": 0.001, - "type": "number", - "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", "between": [ 0, 1 - ] + ], + "default": 0.001, + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", + "type": "number" } }, { "default_service_name": { - "type": "string", - "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans." 
+ "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans.", + "type": "string" } }, { "include_credential": { + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", "default": true, - "type": "boolean", "required": true, - "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server." + "type": "boolean" } }, { "traceid_byte_count": { - "required": true, "default": 16, "type": "integer", + "description": "The length in bytes of each request's Trace ID.", + "required": true, "one_of": [ 8, 16 - ], - "description": "The length in bytes of each request's Trace ID." + ] } }, { "header_type": { - "required": true, "default": "preserve", "type": "string", + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", + "required": true, "one_of": [ "preserve", "ignore", @@ -107,15 +110,15 @@ "ot", "aws", "datadog" - ], - "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests" + ] } }, { "default_header_type": { - "required": true, "default": "b3", "type": "string", + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", + "required": true, "one_of": [ "b3", "b3-single", 
@@ -124,21 +127,20 @@ "ot", "aws", "datadog" - ], - "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored." + ] } }, { "tags_header": { + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", "default": "Zipkin-Tags", - "type": "string", "required": true, - "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property." + "type": "string" } }, { "static_tags": { - "type": "array", + "description": "The tags specified on this property will be added to the generated request traces.", "elements": { "fields": [ { 
@@ -171,52 +173,52 @@ ], "type": "record" }, - "description": "The tags specified on this property will be added to the generated request traces." + "type": "array" } }, { "http_span_name": { - "required": true, "default": "method", "type": "string", + "description": "Specify whether to include the HTTP path in the span name.", + "required": true, "one_of": [ "method", "method_path" - ], - "description": "Specify whether to include the HTTP path in the span name." + ] } }, { "connect_timeout": { - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "default": 5000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "read_timeout": { - "default": 5000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { 
@@ -226,51 +228,50 @@ }, { "phase_duration_flavor": { - "required": true, "default": "annotations", "type": "string", + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", + "required": true, "one_of": [ "annotations", "tags" - ], - "description": "Specify whether to include the duration of each phase as an annotation or a tag." + ] } }, { "queue": { - "type": "record", "fields": [ { "max_batch_size": { - "default": 1, - "type": "integer", "between": [ 1, 1000000 ], - "description": "Maximum number of entries that can be processed at a time." + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer" } }, { "max_coalescing_delay": { - "default": 1, - "type": "number", "between": [ 0, 3600 ], - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number" } }, { "max_entries": { - "default": 10000, - "type": "integer", "between": [ 1, 1000000 ], - "description": "Maximum number of entries that can be waiting on the queue." + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer" } }, { 
@@ -281,43 +282,42 @@ }, { "max_retry_time": { + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "default": 60, - "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "type": "number" } }, { "initial_retry_delay": { - "default": 0.01, - "type": "number", "between": [ 0.001, 1000000 ], - "description": "Time in seconds before the initial retry is made for a failing batch." + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number" } }, { "max_retry_delay": { - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number" } } ], - "required": true + "required": true, + "type": "record" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file From df0261bc5d69a4c4d7a6c753046d07b7549592ac Mon Sep 17 00:00:00 2001 
From: "lena.larionova" Date: Wed, 4 Oct 2023 10:26:24 -0700 Subject: [PATCH 012/165] generate placeholder schemas and examples for 3.5 --- data/referenceable_fields/3.5.x.json | 118 + examples/acl/_3.5.x.yaml | 6 + examples/acme/_3.5.x.yaml | 3 + examples/app-dynamics/_3.5.x.yaml | 2 + examples/application-registration/_3.5.x.yaml | 7 + examples/aws-lambda/_3.5.x.yaml | 9 + examples/azure-functions/_3.5.x.yaml | 6 + examples/basic-auth/_3.5.x.yaml | 3 + examples/bot-detection/_3.5.x.yaml | 4 + examples/canary/_3.5.x.yaml | 5 + examples/correlation-id/_3.5.x.yaml | 5 + examples/cors/_3.5.x.yaml | 19 + examples/datadog/_3.5.x.yaml | 6 + examples/degraphql/_3.5.x.yaml | 3 + examples/exit-transformer/_3.5.x.yaml | 4 + examples/file-log/_3.5.x.yaml | 3 + examples/forward-proxy/_3.5.x.yaml | 9 + .../graphql-proxy-cache-advanced/_3.5.x.yaml | 3 + .../_3.5.x.yaml | 9 + examples/grpc-gateway/_3.5.x.yaml | 3 + examples/grpc-web/_3.5.x.yaml | 3 + examples/hmac-auth/_3.5.x.yaml | 3 + examples/http-log/_3.5.x.yaml | 8 + examples/ip-restriction/_3.5.x.yaml | 5 + examples/jq/_3.5.x.yaml | 3 + examples/jwe-decrypt/_3.5.x.yaml | 4 + examples/jwt-signer/_3.5.x.yaml | 4 + examples/jwt/_3.5.x.yaml | 4 + examples/kafka-log/_3.5.x.yaml | 3 + examples/kafka-upstream/_3.5.x.yaml | 3 + examples/key-auth-enc/_3.5.x.yaml | 4 + examples/key-auth/_3.5.x.yaml | 4 + examples/konnect-application-auth/_3.5.x.yaml | 3 + examples/ldap-auth-advanced/_3.5.x.yaml | 10 + examples/ldap-auth/_3.5.x.yaml | 8 + examples/loggly/_3.5.x.yaml | 3 + examples/mocking/_3.5.x.yaml | 14 + examples/mtls-auth/_3.5.x.yaml | 6 + examples/oas-validation/_3.5.x.yaml | 29 + examples/oauth2-introspection/_3.5.x.yaml | 5 + examples/oauth2/_3.5.x.yaml | 9 + examples/opa/_3.5.x.yaml | 5 + examples/openid-connect/_3.5.x.yaml | 12 + examples/opentelemetry/_3.5.x.yaml | 5 + examples/post-function/_3.5.x.yaml | 6 + examples/pre-function/_3.5.x.yaml | 6 + examples/prometheus/_3.5.x.yaml | 4 + 
examples/proxy-cache-advanced/_3.5.x.yaml | 11 + examples/proxy-cache/_3.5.x.yaml | 12 + examples/rate-limiting-advanced/_3.5.x.yaml | 11 + examples/rate-limiting/_3.5.x.yaml | 5 + examples/request-size-limiting/_3.5.x.yaml | 4 + examples/request-termination/_3.5.x.yaml | 4 + .../request-transformer-advanced/_3.5.x.yaml | 43 + examples/request-transformer/_3.5.x.yaml | 36 + examples/request-validator/_3.5.x.yaml | 3 + examples/response-ratelimiting/_3.5.x.yaml | 8 + .../response-transformer-advanced/_3.5.x.yaml | 31 + examples/response-transformer/_3.5.x.yaml | 24 + examples/route-by-header/_3.5.x.yaml | 8 + .../route-transformer-advanced/_3.5.x.yaml | 3 + examples/saml/_3.5.x.yaml | 12 + examples/session/_3.5.x.yaml | 3 + examples/statsd-advanced/_3.5.x.yaml | 7 + examples/statsd/_3.5.x.yaml | 9 + examples/syslog/_3.5.x.yaml | 3 + examples/tcp-log/_3.5.x.yaml | 4 + examples/tls-handshake-modifier/_3.5.x.yaml | 1 + examples/tls-metadata-headers/_3.5.x.yaml | 4 + examples/udp-log/_3.5.x.yaml | 5 + examples/upstream-timeout/_3.5.x.yaml | 5 + examples/vault-auth/_3.5.x.yaml | 4 + examples/websocket-size-limit/_3.5.x.yaml | 4 + examples/websocket-validator/_3.5.x.yaml | 14 + examples/xml-threat-protection/_3.5.x.yaml | 6 + examples/zipkin/_3.5.x.yaml | 5 + schemas/acl/3.5.x.json | 87 + schemas/acme/3.5.x.json | 490 ++++ schemas/app-dynamics/3.5.x.json | 34 + schemas/application-registration/3.5.x.json | 100 + schemas/aws-lambda/3.5.x.json | 255 ++ schemas/azure-functions/3.5.x.json | 125 + schemas/basic-auth/3.5.x.json | 70 + schemas/bot-detection/3.5.x.json | 79 + schemas/canary/3.5.x.json | 190 ++ schemas/correlation-id/3.5.x.json | 72 + schemas/cors/3.5.x.json | 135 + schemas/datadog/3.5.x.json | 346 +++ schemas/degraphql/3.5.x.json | 68 + schemas/exit-transformer/3.5.x.json | 68 + schemas/file-log/3.5.x.json | 83 + schemas/forward-proxy/3.5.x.json | 163 ++ .../graphql-proxy-cache-advanced/3.5.x.json | 89 + .../graphql-rate-limiting-advanced/3.5.x.json | 417 +++ 
schemas/grpc-gateway/3.5.x.json | 59 + schemas/grpc-web/3.5.x.json | 74 + schemas/hmac-auth/3.5.x.json | 125 + schemas/http-log/3.5.x.json | 245 ++ schemas/ip-restriction/3.5.x.json | 93 + schemas/jq/3.5.x.json | 197 ++ schemas/jwe-decrypt/3.5.x.json | 86 + schemas/jwt-signer/3.5.x.json | 726 +++++ schemas/jwt/3.5.x.json | 153 ++ schemas/kafka-log/3.5.x.json | 280 ++ schemas/kafka-upstream/3.5.x.json | 302 +++ schemas/key-auth-enc/3.5.x.json | 111 + schemas/key-auth/3.5.x.json | 116 + schemas/konnect-application-auth/3.5.x.json | 98 + schemas/ldap-auth-advanced/3.5.x.json | 236 ++ schemas/ldap-auth/3.5.x.json | 171 ++ schemas/loggly/3.5.x.json | 173 ++ schemas/mocking/3.5.x.json | 109 + schemas/mtls-auth/3.5.x.json | 204 ++ schemas/oas-validation/3.5.x.json | 140 + schemas/oauth2-introspection/3.5.x.json | 165 ++ schemas/oauth2/3.5.x.json | 214 ++ schemas/opa/3.5.x.json | 147 + schemas/openid-connect/3.5.x.json | 2398 +++++++++++++++++ schemas/opentelemetry/3.5.x.json | 233 ++ schemas/post-function/3.5.x.json | 228 ++ schemas/pre-function/3.5.x.json | 228 ++ schemas/prometheus/3.5.x.json | 87 + schemas/proxy-cache-advanced/3.5.x.json | 429 +++ schemas/proxy-cache/3.5.x.json | 186 ++ schemas/rate-limiting-advanced/3.5.x.json | 437 +++ schemas/rate-limiting/3.5.x.json | 310 +++ schemas/request-size-limiting/3.5.x.json | 73 + schemas/request-termination/3.5.x.json | 89 + .../request-transformer-advanced/3.5.x.json | 337 +++ schemas/request-transformer/3.5.x.json | 280 ++ schemas/request-validator/3.5.x.json | 175 ++ schemas/response-ratelimiting/3.5.x.json | 268 ++ .../response-transformer-advanced/3.5.x.json | 350 +++ schemas/response-transformer/3.5.x.json | 246 ++ schemas/route-by-header/3.5.x.json | 78 + schemas/route-transformer-advanced/3.5.x.json | 75 + schemas/saml/3.5.x.json | 650 +++++ schemas/session/3.5.x.json | 296 ++ schemas/statsd-advanced/3.5.x.json | 448 +++ schemas/statsd/3.5.x.json | 439 +++ schemas/syslog/3.5.x.json | 164 ++ 
schemas/tcp-log/3.5.x.json | 112 + schemas/tls-handshake-modifier/3.5.x.json | 60 + schemas/tls-metadata-headers/3.5.x.json | 96 + schemas/udp-log/3.5.x.json | 91 + schemas/upstream-timeout/3.5.x.json | 75 + schemas/vault-auth/3.5.x.json | 112 + schemas/websocket-size-limit/3.5.x.json | 68 + schemas/websocket-validator/3.5.x.json | 220 ++ schemas/xml-threat-protection/3.5.x.json | 300 +++ schemas/zipkin/3.5.x.json | 323 +++ 151 files changed, 17745 insertions(+) create mode 100644 data/referenceable_fields/3.5.x.json create mode 100644 examples/acl/_3.5.x.yaml create mode 100644 examples/acme/_3.5.x.yaml create mode 100644 examples/app-dynamics/_3.5.x.yaml create mode 100644 examples/application-registration/_3.5.x.yaml create mode 100644 examples/aws-lambda/_3.5.x.yaml create mode 100644 examples/azure-functions/_3.5.x.yaml create mode 100644 examples/basic-auth/_3.5.x.yaml create mode 100644 examples/bot-detection/_3.5.x.yaml create mode 100644 examples/canary/_3.5.x.yaml create mode 100644 examples/correlation-id/_3.5.x.yaml create mode 100644 examples/cors/_3.5.x.yaml create mode 100644 examples/datadog/_3.5.x.yaml create mode 100644 examples/degraphql/_3.5.x.yaml create mode 100644 examples/exit-transformer/_3.5.x.yaml create mode 100644 examples/file-log/_3.5.x.yaml create mode 100644 examples/forward-proxy/_3.5.x.yaml create mode 100644 examples/graphql-proxy-cache-advanced/_3.5.x.yaml create mode 100644 examples/graphql-rate-limiting-advanced/_3.5.x.yaml create mode 100644 examples/grpc-gateway/_3.5.x.yaml create mode 100644 examples/grpc-web/_3.5.x.yaml create mode 100644 examples/hmac-auth/_3.5.x.yaml create mode 100644 examples/http-log/_3.5.x.yaml create mode 100644 examples/ip-restriction/_3.5.x.yaml create mode 100644 examples/jq/_3.5.x.yaml create mode 100644 examples/jwe-decrypt/_3.5.x.yaml create mode 100644 examples/jwt-signer/_3.5.x.yaml create mode 100644 examples/jwt/_3.5.x.yaml create mode 100644 examples/kafka-log/_3.5.x.yaml create mode 
100644 examples/kafka-upstream/_3.5.x.yaml create mode 100644 examples/key-auth-enc/_3.5.x.yaml create mode 100644 examples/key-auth/_3.5.x.yaml create mode 100644 examples/konnect-application-auth/_3.5.x.yaml create mode 100644 examples/ldap-auth-advanced/_3.5.x.yaml create mode 100644 examples/ldap-auth/_3.5.x.yaml create mode 100644 examples/loggly/_3.5.x.yaml create mode 100644 examples/mocking/_3.5.x.yaml create mode 100644 examples/mtls-auth/_3.5.x.yaml create mode 100644 examples/oas-validation/_3.5.x.yaml create mode 100644 examples/oauth2-introspection/_3.5.x.yaml create mode 100644 examples/oauth2/_3.5.x.yaml create mode 100644 examples/opa/_3.5.x.yaml create mode 100644 examples/openid-connect/_3.5.x.yaml create mode 100644 examples/opentelemetry/_3.5.x.yaml create mode 100644 examples/post-function/_3.5.x.yaml create mode 100644 examples/pre-function/_3.5.x.yaml create mode 100644 examples/prometheus/_3.5.x.yaml create mode 100644 examples/proxy-cache-advanced/_3.5.x.yaml create mode 100644 examples/proxy-cache/_3.5.x.yaml create mode 100644 examples/rate-limiting-advanced/_3.5.x.yaml create mode 100644 examples/rate-limiting/_3.5.x.yaml create mode 100644 examples/request-size-limiting/_3.5.x.yaml create mode 100644 examples/request-termination/_3.5.x.yaml create mode 100644 examples/request-transformer-advanced/_3.5.x.yaml create mode 100644 examples/request-transformer/_3.5.x.yaml create mode 100644 examples/request-validator/_3.5.x.yaml create mode 100644 examples/response-ratelimiting/_3.5.x.yaml create mode 100644 examples/response-transformer-advanced/_3.5.x.yaml create mode 100644 examples/response-transformer/_3.5.x.yaml create mode 100644 examples/route-by-header/_3.5.x.yaml create mode 100644 examples/route-transformer-advanced/_3.5.x.yaml create mode 100644 examples/saml/_3.5.x.yaml create mode 100644 examples/session/_3.5.x.yaml create mode 100644 examples/statsd-advanced/_3.5.x.yaml create mode 100644 examples/statsd/_3.5.x.yaml create 
mode 100644 examples/syslog/_3.5.x.yaml create mode 100644 examples/tcp-log/_3.5.x.yaml create mode 100644 examples/tls-handshake-modifier/_3.5.x.yaml create mode 100644 examples/tls-metadata-headers/_3.5.x.yaml create mode 100644 examples/udp-log/_3.5.x.yaml create mode 100644 examples/upstream-timeout/_3.5.x.yaml create mode 100644 examples/vault-auth/_3.5.x.yaml create mode 100644 examples/websocket-size-limit/_3.5.x.yaml create mode 100644 examples/websocket-validator/_3.5.x.yaml create mode 100644 examples/xml-threat-protection/_3.5.x.yaml create mode 100644 examples/zipkin/_3.5.x.yaml create mode 100644 schemas/acl/3.5.x.json create mode 100644 schemas/acme/3.5.x.json create mode 100644 schemas/app-dynamics/3.5.x.json create mode 100644 schemas/application-registration/3.5.x.json create mode 100644 schemas/aws-lambda/3.5.x.json create mode 100644 schemas/azure-functions/3.5.x.json create mode 100644 schemas/basic-auth/3.5.x.json create mode 100644 schemas/bot-detection/3.5.x.json create mode 100644 schemas/canary/3.5.x.json create mode 100644 schemas/correlation-id/3.5.x.json create mode 100644 schemas/cors/3.5.x.json create mode 100644 schemas/datadog/3.5.x.json create mode 100644 schemas/degraphql/3.5.x.json create mode 100644 schemas/exit-transformer/3.5.x.json create mode 100644 schemas/file-log/3.5.x.json create mode 100644 schemas/forward-proxy/3.5.x.json create mode 100644 schemas/graphql-proxy-cache-advanced/3.5.x.json create mode 100644 schemas/graphql-rate-limiting-advanced/3.5.x.json create mode 100644 schemas/grpc-gateway/3.5.x.json create mode 100644 schemas/grpc-web/3.5.x.json create mode 100644 schemas/hmac-auth/3.5.x.json create mode 100644 schemas/http-log/3.5.x.json create mode 100644 schemas/ip-restriction/3.5.x.json create mode 100644 schemas/jq/3.5.x.json create mode 100644 schemas/jwe-decrypt/3.5.x.json create mode 100644 schemas/jwt-signer/3.5.x.json create mode 100644 schemas/jwt/3.5.x.json create mode 100644 
schemas/kafka-log/3.5.x.json create mode 100644 schemas/kafka-upstream/3.5.x.json create mode 100644 schemas/key-auth-enc/3.5.x.json create mode 100644 schemas/key-auth/3.5.x.json create mode 100644 schemas/konnect-application-auth/3.5.x.json create mode 100644 schemas/ldap-auth-advanced/3.5.x.json create mode 100644 schemas/ldap-auth/3.5.x.json create mode 100644 schemas/loggly/3.5.x.json create mode 100644 schemas/mocking/3.5.x.json create mode 100644 schemas/mtls-auth/3.5.x.json create mode 100644 schemas/oas-validation/3.5.x.json create mode 100644 schemas/oauth2-introspection/3.5.x.json create mode 100644 schemas/oauth2/3.5.x.json create mode 100644 schemas/opa/3.5.x.json create mode 100644 schemas/openid-connect/3.5.x.json create mode 100644 schemas/opentelemetry/3.5.x.json create mode 100644 schemas/post-function/3.5.x.json create mode 100644 schemas/pre-function/3.5.x.json create mode 100644 schemas/prometheus/3.5.x.json create mode 100644 schemas/proxy-cache-advanced/3.5.x.json create mode 100644 schemas/proxy-cache/3.5.x.json create mode 100644 schemas/rate-limiting-advanced/3.5.x.json create mode 100644 schemas/rate-limiting/3.5.x.json create mode 100644 schemas/request-size-limiting/3.5.x.json create mode 100644 schemas/request-termination/3.5.x.json create mode 100644 schemas/request-transformer-advanced/3.5.x.json create mode 100644 schemas/request-transformer/3.5.x.json create mode 100644 schemas/request-validator/3.5.x.json create mode 100644 schemas/response-ratelimiting/3.5.x.json create mode 100644 schemas/response-transformer-advanced/3.5.x.json create mode 100644 schemas/response-transformer/3.5.x.json create mode 100644 schemas/route-by-header/3.5.x.json create mode 100644 schemas/route-transformer-advanced/3.5.x.json create mode 100644 schemas/saml/3.5.x.json create mode 100644 schemas/session/3.5.x.json create mode 100644 schemas/statsd-advanced/3.5.x.json create mode 100644 schemas/statsd/3.5.x.json create mode 100644 
schemas/syslog/3.5.x.json create mode 100644 schemas/tcp-log/3.5.x.json create mode 100644 schemas/tls-handshake-modifier/3.5.x.json create mode 100644 schemas/tls-metadata-headers/3.5.x.json create mode 100644 schemas/udp-log/3.5.x.json create mode 100644 schemas/upstream-timeout/3.5.x.json create mode 100644 schemas/vault-auth/3.5.x.json create mode 100644 schemas/websocket-size-limit/3.5.x.json create mode 100644 schemas/websocket-validator/3.5.x.json create mode 100644 schemas/xml-threat-protection/3.5.x.json create mode 100644 schemas/zipkin/3.5.x.json diff --git a/data/referenceable_fields/3.5.x.json b/data/referenceable_fields/3.5.x.json new file mode 100644 index 00000000..ed1c3d41 --- /dev/null +++ b/data/referenceable_fields/3.5.x.json 
@@ -0,0 +1,118 @@ +{ + "acme": [ + "config.account_email", + "config.eab_kid", + "config.eab_hmac_key", + "config.storage_config.redis.auth", + "config.storage_config.consul.token", + "config.storage_config.vault.token" + ], + "aws-lambda": [ + "config.aws_key", + "config.aws_secret", + "config.aws_assume_role_arn" + ], + "azure-functions": [ + "config.apikey", + "config.clientid" + ], + "datadog": [ + "config.host" + ], + "forward-proxy": [ + "config.auth_username", + "config.auth_password" + ], + "graphql-rate-limiting-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "http-log": [ + "config.http_endpoint", + "config.headers" + ], + "kafka-log": [ + "config.authentication.user", + "config.authentication.password" + ], + "kafka-upstream": [ + "config.authentication.user", + "config.authentication.password" + ], + "ldap-auth-advanced": [ + "config.ldap_password", + "config.bind_dn" + ], + "loggly": [ + "config.key" + ], + "openid-connect": [ + "config.client_id", + "config.client_secret", + "config.client_jwk.k", + "config.client_jwk.d", + "config.client_jwk.p", + "config.client_jwk.q", + "config.client_jwk.dp", + "config.client_jwk.dq", + "config.client_jwk.qi", + "config.client_jwk.oth", + "config.client_jwk.r", + "config.client_jwk.t", + "config.session_secret", + "config.session_redis_username", + "config.session_redis_password" + ], + "opentelemetry": [ + "config.endpoint", + "config.headers" + ], + "proxy-cache-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "rate-limiting": [ + "config.redis_password", + "config.redis_username" + ], + "rate-limiting-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "request-transformer-advanced": [ + "config.rename.body", + 
"config.rename.headers", + "config.rename.querystring", + "config.replace.body", + "config.replace.headers", + "config.replace.querystring", + "config.add.body", + "config.add.headers", + "config.add.querystring", + "config.append.body", + "config.append.headers", + "config.append.querystring" + ], + "response-ratelimiting": [ + "config.redis_password", + "config.redis_username" + ], + "saml": [ + "config.idp_certificate", + "config.response_encryption_key", + "config.request_signing_key", + "config.request_signing_certificate", + "config.session_secret", + "config.session_redis_username", + "config.session_redis_password" + ], + "session": [ + "config.secret" + ] +} \ No newline at end of file diff --git a/examples/acl/_3.5.x.yaml b/examples/acl/_3.5.x.yaml new file mode 100644 index 00000000..a76559c0 --- /dev/null +++ b/examples/acl/_3.5.x.yaml @@ -0,0 +1,6 @@ +name: acl +config: + allow: + - group1 + - group2 + hide_groups_header: true diff --git a/examples/acme/_3.5.x.yaml b/examples/acme/_3.5.x.yaml new file mode 100644 index 00000000..6b35cddc --- /dev/null +++ b/examples/acme/_3.5.x.yaml @@ -0,0 +1,3 @@ +name: acme +config: + account_email: example@example.com diff --git a/examples/app-dynamics/_3.5.x.yaml b/examples/app-dynamics/_3.5.x.yaml new file mode 100644 index 00000000..fb73f97b --- /dev/null +++ b/examples/app-dynamics/_3.5.x.yaml @@ -0,0 +1,2 @@ +name: app-dynamics +config: {} diff --git a/examples/application-registration/_3.5.x.yaml b/examples/application-registration/_3.5.x.yaml new file mode 100644 index 00000000..a52184fb --- /dev/null +++ b/examples/application-registration/_3.5.x.yaml @@ -0,0 +1,7 @@ +name: application-registration +service: SERVICE_NAME +config: + auto_approve: false + description: + display_name: + show_issuer: false diff --git a/examples/aws-lambda/_3.5.x.yaml b/examples/aws-lambda/_3.5.x.yaml new file mode 100644 index 00000000..5eddd18d --- /dev/null +++ b/examples/aws-lambda/_3.5.x.yaml 
@@ -0,0 +1,9 @@
+name: aws-lambda
+config:
+ aws_key:
+ aws_secret:
+ aws_region:
+ aws_assume_role_arn:
+ aws_role_session_name:
+ function_name:
+ proxy_url: http://my-proxy-server:3128
diff --git a/examples/azure-functions/_3.5.x.yaml b/examples/azure-functions/_3.5.x.yaml
new file mode 100644
index 00000000..00f73c86
--- /dev/null
+++ b/examples/azure-functions/_3.5.x.yaml
@@ -0,0 +1,6 @@
+name: azure-functions
+config:
+ functionname:
+ appname:
+ hostdomain: azurewebsites.net
+ apikey:
diff --git a/examples/basic-auth/_3.5.x.yaml b/examples/basic-auth/_3.5.x.yaml
new file mode 100644
index 00000000..40fcf8c2
--- /dev/null
+++ b/examples/basic-auth/_3.5.x.yaml
@@ -0,0 +1,3 @@
+name: basic-auth
+config:
+ hide_credentials: true
diff --git a/examples/bot-detection/_3.5.x.yaml b/examples/bot-detection/_3.5.x.yaml
new file mode 100644
index 00000000..e4f2eb24
--- /dev/null
+++ b/examples/bot-detection/_3.5.x.yaml
@@ -0,0 +1,4 @@
+name: bot-detection
+config:
+ deny:
+ - helloworld
diff --git a/examples/canary/_3.5.x.yaml b/examples/canary/_3.5.x.yaml
new file mode 100644
index 00000000..928424f8
--- /dev/null
+++ b/examples/canary/_3.5.x.yaml
@@ -0,0 +1,5 @@
+name: canary
+config:
+ percentage: 50
+ upstream_host: example.com
+ upstream_port: 80
diff --git a/examples/correlation-id/_3.5.x.yaml b/examples/correlation-id/_3.5.x.yaml
new file mode 100644
index 00000000..31240989
--- /dev/null
+++ b/examples/correlation-id/_3.5.x.yaml
@@ -0,0 +1,5 @@
+name: correlation-id
+config:
+ header_name: Kong-Request-ID
+ generator: uuid#counter
+ echo_downstream: false
diff --git a/examples/cors/_3.5.x.yaml b/examples/cors/_3.5.x.yaml
new file mode 100644
index 00000000..c2046281
--- /dev/null
+++ b/examples/cors/_3.5.x.yaml
@@ -0,0 +1,19 @@ +name: cors +config: + origins: + - http://mockbin.com + methods: + - GET + - POST + headers: + - Accept + - Accept-Version + - Content-Length + - Content-MD5 + - Content-Type + - Date + - X-Auth-Token + exposed_headers: + - X-Auth-Token + credentials: true + max_age: 3600 diff --git a/examples/datadog/_3.5.x.yaml b/examples/datadog/_3.5.x.yaml new file mode 100644 index 00000000..957e300c --- /dev/null +++ b/examples/datadog/_3.5.x.yaml @@ -0,0 +1,6 @@ +name: datadog +config: + host: 127.0.0.1 + port: 8125 + flush_timeout: 2 + retry_count: 10 diff --git a/examples/degraphql/_3.5.x.yaml b/examples/degraphql/_3.5.x.yaml new file mode 100644 index 00000000..84443323 --- /dev/null +++ b/examples/degraphql/_3.5.x.yaml @@ -0,0 +1,3 @@ +name: degraphql +config: + graphql_server_path: '/graphql' diff --git a/examples/exit-transformer/_3.5.x.yaml b/examples/exit-transformer/_3.5.x.yaml new file mode 100644 index 00000000..68893d04 --- /dev/null +++ b/examples/exit-transformer/_3.5.x.yaml @@ -0,0 +1,4 @@ +name: exit-transformer +config: + functions: + - "return function(status, body, header) return status, body, headers end" diff --git a/examples/file-log/_3.5.x.yaml b/examples/file-log/_3.5.x.yaml new file mode 100644 index 00000000..aefd2bdc --- /dev/null +++ b/examples/file-log/_3.5.x.yaml @@ -0,0 +1,3 @@ +name: file-log +config: + path: /tmp/file.log diff --git a/examples/forward-proxy/_3.5.x.yaml b/examples/forward-proxy/_3.5.x.yaml new file mode 100644 index 00000000..7fb797ca --- /dev/null +++ b/examples/forward-proxy/_3.5.x.yaml @@ -0,0 +1,9 @@ +name: forward-proxy +config: + http_proxy_host: example.com + http_proxy_port: 80 + proxy_scheme: http + auth_username: example_user + auth_password: example_pass + https_verify: false + x_headers: transparent diff --git a/examples/graphql-proxy-cache-advanced/_3.5.x.yaml b/examples/graphql-proxy-cache-advanced/_3.5.x.yaml new file mode 100644 index 00000000..e1ce637b --- /dev/null 
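Review bot: The cors example pairs `credentials: true` with a plain-HTTP origin (`- http://mockbin.com`), which is a risky default for readers to copy. A page served over HTTP can be altered in transit, so allowing it to make credentialed cross-origin requests weakens the policy the plugin is meant to enforce. I would use an HTTPS origin the reader controls, for example `- https://app.example.com` (constructed value), and add a comment such as `# only list HTTPS origins when credentials is true`.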
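Review bot: The exit-transformer example function declares its third parameter as `header` but returns `headers`, so the returned value is an undefined global (nil) and the original response headers are presumably dropped. The parameter and the return value should use the same name: `- "return function(status, body, headers) return status, body, headers end"`. Since this snippet is the copy-paste starting point for the plugin, a short comment saying that the function must return all three values would also help.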
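Review bot: The forward-proxy example ships with `https_verify: false` and an inline `auth_password: example_pass`, and both are likely to be copied into real deployments. With verification off, the certificate presented on the proxied HTTPS connection is not checked, so the example should show `https_verify: true`. The password is better shown as an obvious placeholder such as `auth_password: <PROXY_PASSWORD>` (placeholder), with a comment telling readers to supply it from a secret store rather than committing it.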
+++ b/examples/graphql-proxy-cache-advanced/_3.5.x.yaml @@ -0,0 +1,3 @@ +name: graphql-proxy-cache-advanced +config: + strategy: memory diff --git a/examples/graphql-rate-limiting-advanced/_3.5.x.yaml b/examples/graphql-rate-limiting-advanced/_3.5.x.yaml new file mode 100644 index 00000000..10985f83 --- /dev/null +++ b/examples/graphql-rate-limiting-advanced/_3.5.x.yaml @@ -0,0 +1,9 @@ +name: graphql-rate-limiting-advanced +config: + limit: + - 5 + window_size: + - 30 + sync_rate: -1 + namespace: example_namespace + strategy: cluster diff --git a/examples/grpc-gateway/_3.5.x.yaml b/examples/grpc-gateway/_3.5.x.yaml new file mode 100644 index 00000000..36b576ea --- /dev/null +++ b/examples/grpc-gateway/_3.5.x.yaml @@ -0,0 +1,3 @@ +name: grpc-gateway +config: + proto: path/to/hello.proto diff --git a/examples/grpc-web/_3.5.x.yaml b/examples/grpc-web/_3.5.x.yaml new file mode 100644 index 00000000..e4f2c597 --- /dev/null +++ b/examples/grpc-web/_3.5.x.yaml @@ -0,0 +1,3 @@ +name: grpc-web +config: + proto: path/to/hello.proto diff --git a/examples/hmac-auth/_3.5.x.yaml b/examples/hmac-auth/_3.5.x.yaml new file mode 100644 index 00000000..ba1ae19d --- /dev/null +++ b/examples/hmac-auth/_3.5.x.yaml @@ -0,0 +1,3 @@ +name: hmac-auth +config: + hide_credentials: false diff --git a/examples/http-log/_3.5.x.yaml b/examples/http-log/_3.5.x.yaml new file mode 100644 index 00000000..dd88c67c --- /dev/null +++ b/examples/http-log/_3.5.x.yaml @@ -0,0 +1,8 @@ +name: http-log +config: + http_endpoint: http://mockbin.org/bin/:id + method: POST + timeout: 1000 + keepalive: 1000 + flush_timeout: 2 + retry_count: 15 diff --git a/examples/ip-restriction/_3.5.x.yaml b/examples/ip-restriction/_3.5.x.yaml new file mode 100644 index 00000000..4ca5298d --- /dev/null +++ b/examples/ip-restriction/_3.5.x.yaml @@ -0,0 +1,5 @@ +name: ip-restriction +config: + allow: + - 54.13.21.1 + - 143.1.0.0/24 
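Review bot: The http-log example sends log entries to `http://mockbin.org/bin/:id`, a third-party host reached over plain HTTP. Request logs commonly carry client IPs, paths and header values, so an example that is pasted unchanged would ship that data unencrypted to a public service. I would switch to an HTTPS endpoint under a reserved example domain, e.g. `http_endpoint: https://logs.example.com/ingest` (constructed value), and add `# replace with your own collector` above it.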
diff --git a/examples/jq/_3.5.x.yaml b/examples/jq/_3.5.x.yaml new file mode 100644 index 00000000..d69ce58d --- /dev/null +++ b/examples/jq/_3.5.x.yaml @@ -0,0 +1,3 @@ +name: jq +config: + request_jq_program: .[0] diff --git a/examples/jwe-decrypt/_3.5.x.yaml b/examples/jwe-decrypt/_3.5.x.yaml new file mode 100644 index 00000000..f413b0e5 --- /dev/null +++ b/examples/jwe-decrypt/_3.5.x.yaml @@ -0,0 +1,4 @@ +name: jwe-decrypt +config: + key_sets: + - dummyID diff --git a/examples/jwt-signer/_3.5.x.yaml b/examples/jwt-signer/_3.5.x.yaml new file mode 100644 index 00000000..71443348 --- /dev/null +++ b/examples/jwt-signer/_3.5.x.yaml @@ -0,0 +1,4 @@ +name: jwt-signer +config: + access_token_introspection_scopes_claim: + - scope diff --git a/examples/jwt/_3.5.x.yaml b/examples/jwt/_3.5.x.yaml new file mode 100644 index 00000000..60fd478d --- /dev/null +++ b/examples/jwt/_3.5.x.yaml @@ -0,0 +1,4 @@ +name: jwt +config: + uri_param_names: + - paramName_2.2.x diff --git a/examples/kafka-log/_3.5.x.yaml b/examples/kafka-log/_3.5.x.yaml new file mode 100644 index 00000000..efb1efa7 --- /dev/null +++ b/examples/kafka-log/_3.5.x.yaml @@ -0,0 +1,3 @@ +name: kafka-log +config: + topic: TOPIC diff --git a/examples/kafka-upstream/_3.5.x.yaml b/examples/kafka-upstream/_3.5.x.yaml new file mode 100644 index 00000000..64ff19e5 --- /dev/null +++ b/examples/kafka-upstream/_3.5.x.yaml @@ -0,0 +1,3 @@ +name: kafka-upstream +config: + topic: TOPIC diff --git a/examples/key-auth-enc/_3.5.x.yaml b/examples/key-auth-enc/_3.5.x.yaml new file mode 100644 index 00000000..9f1a6093 --- /dev/null +++ b/examples/key-auth-enc/_3.5.x.yaml @@ -0,0 +1,4 @@ +name: key-auth-enc +config: + key_names: + - apikey diff --git a/examples/key-auth/_3.5.x.yaml b/examples/key-auth/_3.5.x.yaml new file mode 100644 index 00000000..f8ef72c5 --- /dev/null +++ b/examples/key-auth/_3.5.x.yaml @@ -0,0 +1,4 @@ +name: key-auth +config: + key_names: + - apikey 
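Review bot: The jwt example value `- paramName_2.2.x` looks like a leftover from an older versioned example and is confusing in a 3.5.x file. A neutral name such as `- jwt` would read better. Because `uri_param_names` makes the plugin accept tokens from the query string, where they tend to end up in access logs and Referer headers, a one-line comment pointing readers to header-based delivery where possible would be worth adding.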
diff --git a/examples/konnect-application-auth/_3.5.x.yaml b/examples/konnect-application-auth/_3.5.x.yaml new file mode 100644 index 00000000..e54993e5 --- /dev/null +++ b/examples/konnect-application-auth/_3.5.x.yaml @@ -0,0 +1,3 @@ +name: konnect-application-auth +config: + scope: 'uuid' diff --git a/examples/ldap-auth-advanced/_3.5.x.yaml b/examples/ldap-auth-advanced/_3.5.x.yaml new file mode 100644 index 00000000..5396d6cf --- /dev/null +++ b/examples/ldap-auth-advanced/_3.5.x.yaml @@ -0,0 +1,10 @@ +name: ldap-auth-advanced +config: + ldap_host: ldap.example.com + ldap_port: 389 + start_tls: true + base_dn: dc=example,dc=com + verify_ldap_host: false + attribute: cn + cache_ttl: 60 + header_type: ldap diff --git a/examples/ldap-auth/_3.5.x.yaml b/examples/ldap-auth/_3.5.x.yaml new file mode 100644 index 00000000..fe95f595 --- /dev/null +++ b/examples/ldap-auth/_3.5.x.yaml @@ -0,0 +1,8 @@ +name: ldap-auth +config: + hide_credentials: true + ldap_host: ldap.example.com + ldap_port: 389 + base_dn: dc=example,dc=com + attribute: cn + header_type: ldap diff --git a/examples/loggly/_3.5.x.yaml b/examples/loggly/_3.5.x.yaml new file mode 100644 index 00000000..186454f8 --- /dev/null +++ b/examples/loggly/_3.5.x.yaml @@ -0,0 +1,3 @@ +name: loggly +config: + key: YOUR_LOGGLY_SERVICE_TOKEN diff --git a/examples/mocking/_3.5.x.yaml b/examples/mocking/_3.5.x.yaml new file mode 100644 index 00000000..549e1f46 --- /dev/null +++ b/examples/mocking/_3.5.x.yaml @@ -0,0 +1,14 @@ +name: mocking +config: + random_delay: true + max_delay_time: 1 + min_delay_time: 0.001 + random_examples: true + api_specification: | + openapi: 3.0.1 + info: + title: OpenAPI 3.0 API + description: This is a simple API + contact: + email: example@example.com + version: 1.0.0 diff --git a/examples/mtls-auth/_3.5.x.yaml b/examples/mtls-auth/_3.5.x.yaml new file mode 100644 index 00000000..4bcdb7fd --- /dev/null +++ b/examples/mtls-auth/_3.5.x.yaml 
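Review bot: The ldap-auth-advanced example enables `start_tls: true` but sets `verify_ldap_host: false`, so the TLS session is established without checking the directory server's certificate. The ldap-auth example further down this line has the related problem: it targets `ldap_port: 389` with no `start_tls` at all, so bind credentials would cross the network in clear text. I would show `verify_ldap_host: true` in the first file and add `start_tls: true` to the second, each with a comment noting that the CA must be trusted by the gateway.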
@@ -0,0 +1,6 @@ +name: mtls-auth +config: + ca_certificates: + - fdac360e-7b19-4ade-a553-6dd22937c82f + http_proxy_host: example + http_proxy_port: 80 diff --git a/examples/oas-validation/_3.5.x.yaml b/examples/oas-validation/_3.5.x.yaml new file mode 100644 index 00000000..2eb7dc89 --- /dev/null +++ b/examples/oas-validation/_3.5.x.yaml @@ -0,0 +1,29 @@ +name: oas-validation +config: + api_spec: | + openapi: 3.0.0 + info: + version: "2.19.3" + title: Xero Finance API + description: The Finance API is a collection of endpoints which customers can use in the course of a loan application, which may assist lenders to gain the confidence they need to provide capital. + termsOfService: "https://developer.xero.com/xero-developer-platform-terms-conditions/" + contact: + name: "Xero Platform Team" + email: "api@xero.com" + url: "https://developer.xero.com" + license: + name: MIT + url: 'https://github.com/XeroAPI/Xero-OpenAPI/blob/master/LICENSE' + servers: + - description: Xero API servers + url: https://api.xero.com/finance.xro/1.0 + paths: + /CashValidation: + get: + security: + - OAuth2: [finance.cashvalidation.read] + tags: + - Finance + summary: Get cash validation + operationId: getCashValidation + description: Summarizes the total cash position for each account for an org diff --git a/examples/oauth2-introspection/_3.5.x.yaml b/examples/oauth2-introspection/_3.5.x.yaml new file mode 100644 index 00000000..bdf723af --- /dev/null +++ b/examples/oauth2-introspection/_3.5.x.yaml @@ -0,0 +1,5 @@ +name: oauth2-introspection +config: + introspection_url: https://example-url.com + authorization_value: Basic MG9hNWlpbjpPcGVuU2VzYW1l + consumer_by: username diff --git a/examples/oauth2/_3.5.x.yaml b/examples/oauth2/_3.5.x.yaml new file mode 100644 index 00000000..d733d558 --- /dev/null +++ b/examples/oauth2/_3.5.x.yaml @@ -0,0 +1,9 @@ +name: oauth2 +config: + scopes: + - email + - phone + - address + mandatory_scope: true + provision_key: + enable_authorization_code: true 
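Review bot: The oauth2-introspection example embeds what looks like a real Base64-encoded client credential in `authorization_value: Basic MG9hNWlpbjpPcGVuU2VzYW1l`. Base64 is trivially reversible, and realistic-looking values in documentation get reused or trip secret scanners. Replace it with a labelled placeholder, e.g. `authorization_value: Basic <BASE64_CLIENT_ID_AND_SECRET>` (placeholder). If the value was ever valid anywhere, it should be rotated.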
diff --git a/examples/opa/_3.5.x.yaml b/examples/opa/_3.5.x.yaml new file mode 100644 index 00000000..51ff2b78 --- /dev/null +++ b/examples/opa/_3.5.x.yaml @@ -0,0 +1,5 @@ +name: opa +config: + opa_host: localhost + opa_port: 8181 + opa_path: /v1/data/example/kong/allowBoolean diff --git a/examples/openid-connect/_3.5.x.yaml b/examples/openid-connect/_3.5.x.yaml new file mode 100644 index 00000000..69f30114 --- /dev/null +++ b/examples/openid-connect/_3.5.x.yaml @@ -0,0 +1,12 @@ +name: openid-connect +config: + auth_methods: + - authorization_code + - session + issuer: http://example.org + client_id: + - + client_secret: + - + session_secret: + response_mode: form_post diff --git a/examples/opentelemetry/_3.5.x.yaml b/examples/opentelemetry/_3.5.x.yaml new file mode 100644 index 00000000..efacb712 --- /dev/null +++ b/examples/opentelemetry/_3.5.x.yaml @@ -0,0 +1,5 @@ +name: opentelemetry +config: + endpoint: http://opentelemetry.collector:4318/v1/traces + headers: + X-Auth-Token: secret-token diff --git a/examples/post-function/_3.5.x.yaml b/examples/post-function/_3.5.x.yaml new file mode 100644 index 00000000..f980a541 --- /dev/null +++ b/examples/post-function/_3.5.x.yaml @@ -0,0 +1,6 @@ +name: post-function +config: + access: + - | + kong.log.err("foo") + kong.response.exit(418) diff --git a/examples/pre-function/_3.5.x.yaml b/examples/pre-function/_3.5.x.yaml new file mode 100644 index 00000000..62ffe4dd --- /dev/null +++ b/examples/pre-function/_3.5.x.yaml @@ -0,0 +1,6 @@ +name: pre-function +config: + access: + - | + kong.log.err("foo") + kong.response.exit(418) diff --git a/examples/prometheus/_3.5.x.yaml b/examples/prometheus/_3.5.x.yaml new file mode 100644 index 00000000..6b7b3b62 --- /dev/null +++ b/examples/prometheus/_3.5.x.yaml @@ -0,0 +1,4 @@ +name: prometheus +config: + per_consumer: false + diff --git a/examples/proxy-cache-advanced/_3.5.x.yaml b/examples/proxy-cache-advanced/_3.5.x.yaml new file mode 100644 index 00000000..d070db76 --- /dev/null 
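Review bot: The openid-connect example uses `issuer: http://example.org`, which would have the plugin fetch discovery metadata and signing keys over an unauthenticated channel. Anyone on the network path could substitute the keys used to validate tokens. The example should read `issuer: https://example.org`. The empty `client_secret` and `session_secret` entries would be clearer with a comment saying they must be supplied from a secret store.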
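Review bot: The opentelemetry example sends an `X-Auth-Token` header to an `http://` collector endpoint, so the token would travel unencrypted on every export. I would change the endpoint to `https://opentelemetry.collector:4318/v1/traces` and show the token as a placeholder, `X-Auth-Token: <COLLECTOR_TOKEN>` (placeholder). A comment that the header value is a credential and should not be committed would make the intent explicit.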
+++ b/examples/proxy-cache-advanced/_3.5.x.yaml @@ -0,0 +1,11 @@ +name: proxy-cache-advanced +config: + response_code: + - 200 + request_method: + - GET + - HEAD + content_type: + - text/plain + - application/json + strategy: memory diff --git a/examples/proxy-cache/_3.5.x.yaml b/examples/proxy-cache/_3.5.x.yaml new file mode 100644 index 00000000..ce185e5e --- /dev/null +++ b/examples/proxy-cache/_3.5.x.yaml @@ -0,0 +1,12 @@ +name: proxy-cache +config: + response_code: + - 200 + request_method: + - GET + - HEAD + content_type: + - text/plain + - application/json + cache_ttl: 300 + strategy: memory diff --git a/examples/rate-limiting-advanced/_3.5.x.yaml b/examples/rate-limiting-advanced/_3.5.x.yaml new file mode 100644 index 00000000..7fee7c38 --- /dev/null +++ b/examples/rate-limiting-advanced/_3.5.x.yaml @@ -0,0 +1,11 @@ +name: rate-limiting-advanced +config: + limit: + - 5 + window_size: + - 30 + identifier: consumer + sync_rate: -1 + namespace: example_namespace + strategy: local + hide_client_headers: false diff --git a/examples/rate-limiting/_3.5.x.yaml b/examples/rate-limiting/_3.5.x.yaml new file mode 100644 index 00000000..f43f89fd --- /dev/null +++ b/examples/rate-limiting/_3.5.x.yaml @@ -0,0 +1,5 @@ +name: rate-limiting +config: + second: 5 + hour: 10000 + policy: local diff --git a/examples/request-size-limiting/_3.5.x.yaml b/examples/request-size-limiting/_3.5.x.yaml new file mode 100644 index 00000000..983d6d9e --- /dev/null +++ b/examples/request-size-limiting/_3.5.x.yaml @@ -0,0 +1,4 @@ +name: request-size-limiting +config: + allowed_payload_size: 128 + require_content_length: false diff --git a/examples/request-termination/_3.5.x.yaml b/examples/request-termination/_3.5.x.yaml new file mode 100644 index 00000000..7be67818 --- /dev/null +++ b/examples/request-termination/_3.5.x.yaml @@ -0,0 +1,4 @@ +name: request-termination +config: + status_code: 403 + message: So long and thanks for all the fish! 
diff --git a/examples/request-transformer-advanced/_3.5.x.yaml b/examples/request-transformer-advanced/_3.5.x.yaml new file mode 100644 index 00000000..999898e7 --- /dev/null +++ b/examples/request-transformer-advanced/_3.5.x.yaml @@ -0,0 +1,43 @@ +name: request-transformer-advanced +config: + remove: + headers: + - x-toremove + - x-another-one + remove: + querystring: + - qs-old-name:qs-new-name + - qs2-old-name:qs2-new-name + remove: + body: + - formparam-toremove + - formparam-another-one + replace: + body: + - body-param1:new-value-1 + - body-param2:new-value-2 + rename: + headers: + - header-old-name:header-new-name + - another-old-name:another-new-name + rename: + querystring: + - qs-old-name:qs-new-name + - qs2-old-name:qs2-new-name + rename: + body: + - param-old:param-new + - param2-old:param2-new + add: + headers: + - x-new-header:value + - x-another-header:something + add: + querystring: + - new-param:some_value + - another-param:some_value + add: + json_types: + - string + - boolean + - number diff --git a/examples/request-transformer/_3.5.x.yaml b/examples/request-transformer/_3.5.x.yaml new file mode 100644 index 00000000..d9e0a346 --- /dev/null +++ b/examples/request-transformer/_3.5.x.yaml @@ -0,0 +1,36 @@ +name: request-transformer +config: + remove: + headers: + - x-toremove + - x-another-one + querystring: + - qs-old-name:qs-new-name + - qs2-old-name:qs2-new-name + body: + - formparam-toremove + - formparam-another-one + replace: + body: + - body-param1:new-value-1 + - body-param2:new-value-2 + rename: + headers: + - header-old-name:header-new-name + - another-old-name:another-new-name + querystring: + - qs-old-name:qs-new-name + - qs2-old-name:qs2-new-name + body: + - param-old:param-new + - param2-old:param2-new + add: + headers: + - x-new-header:value + - x-another-header:something + querystring: + - new-param:some_value + - another-param:some_value + body: + - new-form-param:some_value + - another-form-param:some_value 
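Review bot: The request-transformer-advanced example appears to repeat the mapping keys `remove:`, `rename:` and `add:` three times each under `config:`. Indentation is collapsed in this view, so this is inferred from the key order. Duplicate keys in a YAML mapping are either rejected or resolved as last-one-wins, which would silently drop the `headers` and `querystring` entries. The request-transformer example later in this patch shows the intended shape, with one `remove:` holding `headers`, `querystring` and `body` as siblings. The same repetition shows up in the response-transformer-advanced example (`remove:`, `add:`) and in response-ratelimiting (`limits:` / `limit_name:`). The `remove.querystring` values here also use `old:new` pairs, which look copied from the rename section.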
diff --git a/examples/request-validator/_3.5.x.yaml b/examples/request-validator/_3.5.x.yaml new file mode 100644 index 00000000..89251acf --- /dev/null +++ b/examples/request-validator/_3.5.x.yaml @@ -0,0 +1,3 @@ +name: request-validator +config: + body_schema: '[{"name":{"type": "string", "required": true}}]' diff --git a/examples/response-ratelimiting/_3.5.x.yaml b/examples/response-ratelimiting/_3.5.x.yaml new file mode 100644 index 00000000..a3860b2a --- /dev/null +++ b/examples/response-ratelimiting/_3.5.x.yaml @@ -0,0 +1,8 @@ +name: response-ratelimiting +config: + limits: + limit_name: + limits: + limit_name: + minute: 10 + policy: local diff --git a/examples/response-transformer-advanced/_3.5.x.yaml b/examples/response-transformer-advanced/_3.5.x.yaml new file mode 100644 index 00000000..4942c5c5 --- /dev/null +++ b/examples/response-transformer-advanced/_3.5.x.yaml @@ -0,0 +1,31 @@ +name: response-transformer-advanced +config: + remove: + headers: + - x-toremove + - x-another-one:application/json + - x-list-of-values:v1,v2,v3 + - Set-Cookie:/JSESSIONID=.*/ + - x-another-regex://status/$/ + - x-one-more-regex:/^/begin// + remove: + json: + - json-key-toremove + - another-json-key + add: + headers: + - x-new-header:value + - x-another-header:something + add: + json: + - new-json-key:some_value + - another-json-key:some_value + add: + json_types: + - string + - boolean + - number + append: + headers: + - x-existing-header:some_value + - x-another-header:some_value diff --git a/examples/response-transformer/_3.5.x.yaml b/examples/response-transformer/_3.5.x.yaml new file mode 100644 index 00000000..aab7075a --- /dev/null +++ b/examples/response-transformer/_3.5.x.yaml 
@@ -0,0 +1,24 @@ +name: response-transformer +config: + remove: + headers: + - x-toremove + - x-another-one + json: + - json-key-toremove + - another-json-key + add: + headers: + - x-new-header:value + - x-another-header:something + json: + - new-json-key:some_value + - another-json-key:some_value + json_types: + - string + - boolean + - number + append: + headers: + - x-existing-header:some_value + - x-another-header:some_value diff --git a/examples/route-by-header/_3.5.x.yaml b/examples/route-by-header/_3.5.x.yaml new file mode 100644 index 00000000..e2854428 --- /dev/null +++ b/examples/route-by-header/_3.5.x.yaml @@ -0,0 +1,8 @@ +name: route-by-header +config: + rules: + - + upstream_name: bar.domain.com + condition: + location: us-east + diff --git a/examples/route-transformer-advanced/_3.5.x.yaml b/examples/route-transformer-advanced/_3.5.x.yaml new file mode 100644 index 00000000..098f0994 --- /dev/null +++ b/examples/route-transformer-advanced/_3.5.x.yaml @@ -0,0 +1,3 @@ +name: route-transformer-advanced +config: + path: /path diff --git a/examples/saml/_3.5.x.yaml b/examples/saml/_3.5.x.yaml new file mode 100644 index 00000000..18b41c3f --- /dev/null +++ b/examples/saml/_3.5.x.yaml @@ -0,0 +1,12 @@ +name: saml +config: + anonymous: anonymous + assertion_consumer_path: /acs-uri + idp_sso_url: http://example.org/sso-uri + validate_assertion_signature: true + session_secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + issuer: AzureAD_Identity_ID + idp_certificate: | + -----BEGIN CERTIFICATE----- + + -----END CERTIFICATE----- diff --git a/examples/session/_3.5.x.yaml b/examples/session/_3.5.x.yaml new file mode 100644 index 00000000..1c5100d2 --- /dev/null +++ b/examples/session/_3.5.x.yaml @@ -0,0 +1,3 @@ +name: session +config: + secret: opensesame diff --git a/examples/statsd-advanced/_3.5.x.yaml b/examples/statsd-advanced/_3.5.x.yaml new file mode 100644 index 00000000..cfd68de0 --- /dev/null +++ b/examples/statsd-advanced/_3.5.x.yaml 
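Review bot: The saml example points `idp_sso_url` at `http://example.org/sso-uri`, so the sign-on redirect to the identity provider would go over plain HTTP. It should be `idp_sso_url: https://example.org/sso-uri`. The `session_secret` of repeated `X` characters is recognisably a placeholder. A comment such as `# generate a random value and keep it out of version control` would stop it from being deployed as is.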
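Review bot: The session example uses `secret: opensesame`, a guessable dictionary word, for what is presumably the value that protects session cookies. Example secrets get deployed unchanged often enough that the sample should not look usable. I would write `secret: <RANDOM_SESSION_SECRET>` (placeholder) and add a comment saying that the value must be long, random and supplied from a secret store.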
@@ -0,0 +1,7 @@ +name: statsd-advanced +config: + host: 127.0.0.1 + port: 8125 + allow_status_codes: + - 200-205 + - 400-499 diff --git a/examples/statsd/_3.5.x.yaml b/examples/statsd/_3.5.x.yaml new file mode 100644 index 00000000..796222aa --- /dev/null +++ b/examples/statsd/_3.5.x.yaml @@ -0,0 +1,9 @@ +name: statsd +config: + host: 127.0.0.1 + port: 8125 + allow_status_codes: + - 200-205 + - 400-499 + flush_timeout: 2 + retry_count: 10 diff --git a/examples/syslog/_3.5.x.yaml b/examples/syslog/_3.5.x.yaml new file mode 100644 index 00000000..9cc23ca1 --- /dev/null +++ b/examples/syslog/_3.5.x.yaml @@ -0,0 +1,3 @@ +name: syslog +config: + log_level: info diff --git a/examples/tcp-log/_3.5.x.yaml b/examples/tcp-log/_3.5.x.yaml new file mode 100644 index 00000000..4e155f5a --- /dev/null +++ b/examples/tcp-log/_3.5.x.yaml @@ -0,0 +1,4 @@ +name: tcp-log +config: + host: 127.0.0.1 + port: 9999 diff --git a/examples/tls-handshake-modifier/_3.5.x.yaml b/examples/tls-handshake-modifier/_3.5.x.yaml new file mode 100644 index 00000000..52561153 --- /dev/null +++ b/examples/tls-handshake-modifier/_3.5.x.yaml @@ -0,0 +1 @@ +name: tls-handshake-modifier diff --git a/examples/tls-metadata-headers/_3.5.x.yaml b/examples/tls-metadata-headers/_3.5.x.yaml new file mode 100644 index 00000000..98df21ec --- /dev/null +++ b/examples/tls-metadata-headers/_3.5.x.yaml @@ -0,0 +1,4 @@ +name: tls-metadata-headers +config: + inject_client_cert_details: true + client_cert_header_name: X-Forwarded-Client-Cert diff --git a/examples/udp-log/_3.5.x.yaml b/examples/udp-log/_3.5.x.yaml new file mode 100644 index 00000000..bfd35c0a --- /dev/null +++ b/examples/udp-log/_3.5.x.yaml @@ -0,0 +1,5 @@ +name: udp-log +config: + host: 127.0.0.1 + port: 9999 + timeout: 10000 diff --git a/examples/upstream-timeout/_3.5.x.yaml b/examples/upstream-timeout/_3.5.x.yaml new file mode 100644 index 00000000..962a6cdf --- /dev/null +++ b/examples/upstream-timeout/_3.5.x.yaml 
@@ -0,0 +1,5 @@ +name: upstream-timeout +config: + connect_timeout: 4000 + send_timeout: 5000 + read_timeout: 5000 diff --git a/examples/vault-auth/_3.5.x.yaml b/examples/vault-auth/_3.5.x.yaml new file mode 100644 index 00000000..8a2e5285 --- /dev/null +++ b/examples/vault-auth/_3.5.x.yaml @@ -0,0 +1,4 @@ +name: vault-auth +config: + vault: + id: 00000000-0000-0000-0000-000000000000 diff --git a/examples/websocket-size-limit/_3.5.x.yaml b/examples/websocket-size-limit/_3.5.x.yaml new file mode 100644 index 00000000..7274d312 --- /dev/null +++ b/examples/websocket-size-limit/_3.5.x.yaml @@ -0,0 +1,4 @@ +name: websocket-size-limit +config: + client_max_payload: 1024 + upstream_max_payload: 16384 diff --git a/examples/websocket-validator/_3.5.x.yaml b/examples/websocket-validator/_3.5.x.yaml new file mode 100644 index 00000000..12fe18ac --- /dev/null +++ b/examples/websocket-validator/_3.5.x.yaml @@ -0,0 +1,14 @@ +name: websocket-validator +config: + client: + text: + type: draft4 + schema: | + { + "type": "object", + "properties": { + "foo": { "type": "string" }, + "bar": { "type": "string" } + }, + "required": [ "foo", "bar" ] + } diff --git a/examples/xml-threat-protection/_3.5.x.yaml b/examples/xml-threat-protection/_3.5.x.yaml new file mode 100644 index 00000000..a25f15fc --- /dev/null +++ b/examples/xml-threat-protection/_3.5.x.yaml @@ -0,0 +1,6 @@ +name: xml-threat-protection +config: + max_depth: 50 + localname: 512 + prefix: 512 + namespaceuri: 1024 diff --git a/examples/zipkin/_3.5.x.yaml b/examples/zipkin/_3.5.x.yaml new file mode 100644 index 00000000..62ab05c8 --- /dev/null +++ b/examples/zipkin/_3.5.x.yaml @@ -0,0 +1,5 @@ +name: zipkin +config: + http_endpoint: http://your.zipkin.collector:9411/api/v2/spans + sample_ratio: 0.001 + include_credential: true diff --git a/schemas/acl/3.5.x.json b/schemas/acl/3.5.x.json new file mode 100644 index 00000000..c2b72b09 --- /dev/null +++ b/schemas/acl/3.5.x.json 
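Review bot: The zipkin example combines `include_credential: true` with an `http://` collector endpoint, so the authenticated consumer's credential identifier would be attached to spans and sent unencrypted. Readers who only want tracing are unlikely to need that field. I would default the example to `include_credential: false`, or keep it and change the endpoint to `https://your.zipkin.collector:9411/api/v2/spans`. A comment explaining what the option adds to exported spans would also help.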
@@ -0,0 +1,87 @@ +{ + "entity_checks": [ + { + "only_one_of": [ + "config.allow", + "config.deny" + ] + }, + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "allow": { + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "deny": { + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "hide_groups_header": { + "type": "boolean", + "required": true, + "default": false + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/acme/3.5.x.json b/schemas/acme/3.5.x.json new file mode 100644 index 00000000..409513c9 --- /dev/null +++ b/schemas/acme/3.5.x.json 
@@ -0,0 +1,490 @@ +{ + "entity_checks": [ + { + "conditional": { + "then_field": "config.tos_accepted", + "if_field": "config.api_uri", + "then_match": { + "eq": true + }, + "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", + "if_match": { + "one_of": [ + "https://acme-v02.api.letsencrypt.org", + "https://acme-staging-v02.api.letsencrypt.org" + ] + } + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.storage" + ] + } + } + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "service": { + "type": "foreign", + "description": "A reference to the 'services' table with a null value allowed.", + "eq": null, + "reference": "services" + } + }, + { + "route": { + "type": "foreign", + "description": "A reference to the 'routes' table with a null value allowed.", + "eq": null, + "reference": "routes" + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "account_email": { + "match": "%w*%p*@+%w*%.?%w*", + "referenceable": true, + "description": "The account identifier. 
Can be reused in a different plugin instance.", + "encrypted": true, + "required": true, + "type": "string" + } + }, + { + "account_key": { + "description": "The private key associated with the account.", + "type": "record", + "fields": [ + { + "key_id": { + "description": "The Key ID.", + "required": true, + "type": "string" + } + }, + { + "key_set": { + "description": "The ID of the key set to associate the Key ID with.", + "type": "string" + } + } + ], + "required": false + } + }, + { + "api_uri": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "default": "https://acme-v02.api.letsencrypt.org/directory" + } + }, + { + "tos_accepted": { + "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", + "type": "boolean", + "default": false + } + }, + { + "eab_kid": { + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", + "encrypted": true, + "referenceable": true, + "type": "string" + } + }, + { + "eab_hmac_key": { + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", + "encrypted": true, + "referenceable": true, + "type": "string" + } + }, + { + "cert_type": { + "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate.", + "one_of": [ + "rsa", + "ecc" + ], + "type": "string", + "default": "rsa" + } + }, + { + "rsa_key_size": { + "description": "RSA private key size for the certificate. 
The possible values are 2048, 3072, or 4096.", + "one_of": [ + 2048, + 3072, + 4096 + ], + "type": "number", + "default": 4096 + } + }, + { + "renew_threshold_days": { + "description": "Days remaining to renew the certificate before it expires.", + "type": "number", + "default": 14 + } + }, + { + "domains": { + "type": "array", + "elements": { + "type": "string", + "match_any": { + "patterns": [ + "^%*%.", + "%.%*$", + "^[^*]*$" + ], + "err": "invalid wildcard: must be placed at leftmost or rightmost label" + }, + "match_all": [ + { + "pattern": "^[^*]*%*?[^*]*$", + "err": "invalid wildcard: must have at most one wildcard" + } + ] + }, + "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')" + } + }, + { + "allow_any_domain": { + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", + "type": "boolean", + "default": false + } + }, + { + "fail_backoff_minutes": { + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", + "type": "number", + "default": 5 + } + }, + { + "storage": { + "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. 
Please refer to the Hybrid Mode sections below as well.", + "one_of": [ + "kong", + "shm", + "redis", + "consul", + "vault" + ], + "type": "string", + "default": "shm" + } + }, + { + "storage_config": { + "type": "record", + "fields": [ + { + "shm": { + "type": "record", + "fields": [ + { + "shm_name": { + "description": "Name of shared memory zone used for Kong API gateway storage", + "type": "string", + "default": "kong" + } + } + ], + "required": true + } + }, + { + "kong": { + "type": "record", + "fields": [ + + ], + "required": true + } + }, + { + "redis": { + "type": "record", + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "database": { + "description": "The index of the Redis database to use.", + "type": "number" + } + }, + { + "auth": { + "description": "The Redis password to use for authentication. ", + "referenceable": true, + "type": "string" + } + }, + { + "ssl": { + "description": "Whether to use SSL/TLS encryption when connecting to the Redis server.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "ssl_verify": { + "description": "Whether to verify the SSL/TLS certificate presented by the Redis server. 
This should be a boolean value.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "ssl_server_name": { + "description": "The expected server name for the SSL/TLS certificate presented by the Redis server.", + "required": false, + "type": "string" + } + }, + { + "namespace": { + "type": "string", + "len_min": 0, + "description": "A namespace to prepend to all keys stored in Redis.", + "required": true, + "default": "" + } + } + ], + "required": true + } + }, + { + "consul": { + "type": "record", + "fields": [ + { + "https": { + "description": "Boolean representation of https.", + "type": "boolean", + "default": false + } + }, + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "kv_path": { + "description": "KV prefix path.", + "type": "string" + } + }, + { + "timeout": { + "description": "Timeout in milliseconds.", + "type": "number" + } + }, + { + "token": { + "description": "Consul ACL token.", + "referenceable": true, + "type": "string" + } + } + ], + "required": true + } + }, + { + "vault": { + "type": "record", + "fields": [ + { + "https": { + "description": "Boolean representation of https.", + "type": "boolean", + "default": false + } + }, + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "kv_path": { + "description": "KV prefix path.", + "type": "string" + } + }, + { + "timeout": { + "description": "Timeout in milliseconds.", + "type": "number" + } + }, + { + "token": { + "description": "Consul ACL token.", + "referenceable": true, + "type": "string" + } + }, + { + "tls_verify": { + "description": "Turn on TLS verification.", + "type": "boolean", + "default": true + } + }, + { + "tls_server_name": { + "description": "SNI used in request, default to host if omitted.", + "type": "string" + } + }, + { + "auth_method": { + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", + "one_of": [ + "token", + "kubernetes" + ], + "type": "string", + "default": "token" + } + }, + { + "auth_path": { + "description": "Vault's authentication path to use.", + "type": "string" + } + }, + { + "auth_role": { + "description": "The role to try and assign.", + "type": "string" + } + }, + { + "jwt_path": { + "description": "The path to the JWT.", + "type": "string" + } + } + ], + "required": true + } + } + ], + "required": true + } + }, + { + "preferred_chain": { + "type": "string", + "description": "A string value that specifies the preferred certificate chain to use when generating certificates." + } + }, + { + "enable_ipv4_common_name": { + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", + "type": "boolean", + "default": true + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/app-dynamics/3.5.x.json b/schemas/app-dynamics/3.5.x.json new file mode 100644 index 00000000..db9ee9af --- /dev/null +++ b/schemas/app-dynamics/3.5.x.json 
@@ -0,0 +1,34 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "set" + } + }, + { + "config": { + "required": true, + "fields": [ + + ], + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/application-registration/3.5.x.json b/schemas/application-registration/3.5.x.json new file mode 100644 index 00000000..e2295f45 --- /dev/null +++ b/schemas/application-registration/3.5.x.json 
@@ -0,0 +1,100 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "service": { + "type": "foreign", + "on_delete": "cascade", + "ne": null, + "reference": "services" + } + }, + { + "route": { + "type": "foreign", + "description": "A reference to the 'routes' table with a null value allowed.", + "eq": null, + "reference": "routes" + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "display_name": { + "type": "string", + "unique": true, + "required": true, + "description": "Unique display name used for a Service in the Developer Portal." + } + }, + { + "description": { + "type": "string", + "unique": true, + "description": "Unique description displayed in information about a Service in the Developer Portal." + } + }, + { + "auto_approve": { + "type": "boolean", + "description": "If enabled, all new Service Contracts requests are automatically approved.", + "required": true, + "default": false + } + }, + { + "show_issuer": { + "type": "boolean", + "description": "Displays the **Issuer URL** in the **Service Details** dialog.", + "required": true, + "default": false + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/aws-lambda/3.5.x.json b/schemas/aws-lambda/3.5.x.json new file mode 100644 index 00000000..b5897dc2 --- /dev/null 
+++ b/schemas/aws-lambda/3.5.x.json 
@@ -0,0 +1,255 @@ +{ + "entity_checks": [ + { + "mutually_required": [ + "config.aws_key", + "config.aws_secret" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "config.proxy_url" + ] + } + } + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "timeout": { + "type": "number", + "description": "An optional timeout in milliseconds when invoking the function.", + "required": true, + "default": 60000 + } + }, + { + "keepalive": { + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "required": true, + "default": 60000 + } + }, + { + "aws_key": { + "type": "string", + "encrypted": true, + "referenceable": true, + "description": "The AWS key credential to be used when invoking the function." + } + }, + { + "aws_secret": { + "type": "string", + "encrypted": true, + "referenceable": true, + "description": "The AWS secret credential to be used when invoking the function. " + } + }, + { + "aws_assume_role_arn": { + "type": "string", + "encrypted": true, + "referenceable": true, + "description": "The target AWS IAM role ARN used to invoke the Lambda function." + } + }, + { + "aws_role_session_name": { + "type": "string", + "description": "The identifier of the assumed role session.", + "default": "kong" + } + }, + { + "aws_region": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "function_name": { + "type": "string", + "required": false, + "description": "The AWS Lambda function name to invoke." + } + }, + { + "qualifier": { + "type": "string", + "description": "The qualifier to use when invoking the function." + } + }, + { + "invocation_type": { + "type": "string", + "default": "RequestResponse", + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", + "required": true, + "one_of": [ + "RequestResponse", + "Event", + "DryRun" + ] + } + }, + { + "log_type": { + "type": "string", + "default": "Tail", + "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", + "required": true, + "one_of": [ + "Tail", + "None" + ] + } + }, + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "default": 443, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "disable_https": { + "type": "boolean", + "default": false + } + }, + { + "unhandled_status": { + "type": "integer", + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", + "between": [ + 100, + 999 + ] + } + }, + { + "forward_request_method": { + "type": "boolean", + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", + "default": false + } + }, + { + "forward_request_uri": { + "type": "boolean", + "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", + "default": false + } + }, + { + "forward_request_headers": { + "type": "boolean", + "description": "An optional value that defines whether the 
original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", + "default": false + } + }, + { + "forward_request_body": { + "type": "boolean", + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. ", + "default": false + } + }, + { + "is_proxy_integration": { + "type": "boolean", + "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", + "default": false + } + }, + { + "awsgateway_compatible": { + "type": "boolean", + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", + "default": false + } + }, + { + "proxy_url": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "skip_large_bodies": { + "type": "boolean", + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", + "default": true + } + }, + { + "base64_encode_body": { + "type": "boolean", + "description": "An optional value that Base64-encodes the request body.", + "default": true + } + }, + { + "aws_imds_protocol_version": { + "type": "string", + "default": "v1", + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", + "required": true, + "one_of": [ + "v1", + "v2" + ] + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/azure-functions/3.5.x.json b/schemas/azure-functions/3.5.x.json new file mode 100644 index 00000000..73180695 --- /dev/null +++ b/schemas/azure-functions/3.5.x.json 
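Review bot: `aws_imds_protocol_version` defaults to `v1`, and its description only names the two accepted values without saying what the choice means for how instance credentials are fetched. IMDSv2 requires a session token on each metadata request, which is the usual hardening for a gateway that also makes outbound requests on behalf of clients, so the text should say that and prefer `v2`, for example `"description": "IMDS protocol version used to fetch instance credentials (v1 or v2); v2 is session-token based and preferred where available."`. In the same record `disable_https` has no description at all, and `aws_region` carries the host-name text (`A string representing a host name, such as example.com.`), which looks copied from `host`. This file is pulled from the API, so the wording would have to change in the plugin schema itself.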
@@ -0,0 +1,125 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "timeout": { + "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", + "type": "number", + "default": 600000 + } + }, + { + "keepalive": { + "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", + "type": "number", + "default": 60000 + } + }, + { + "https": { + "description": "Use of HTTPS to connect with the Azure Functions server.", + "type": "boolean", + "default": true + } + }, + { + "https_verify": { + "description": "Set to `true` to authenticate the Azure Functions server.", + "type": "boolean", + "default": false + } + }, + { + "apikey": { + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", + "encrypted": true, + "referenceable": true, + "type": "string" + } + }, + { + "clientid": { + "description": "The `clientid` to access the Azure resources. 
If provided, it is injected as the `x-functions-clientid` header.", + "encrypted": true, + "referenceable": true, + "type": "string" + } + }, + { + "appname": { + "description": "The Azure app name.", + "required": true, + "type": "string" + } + }, + { + "hostdomain": { + "description": "The domain where the function resides.", + "type": "string", + "required": true, + "default": "azurewebsites.net" + } + }, + { + "routeprefix": { + "description": "Route prefix to use.", + "type": "string", + "default": "api" + } + }, + { + "functionname": { + "description": "Name of the Azure function to invoke.", + "required": true, + "type": "string" + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/basic-auth/3.5.x.json b/schemas/basic-auth/3.5.x.json new file mode 100644 index 00000000..56f6b4dc --- /dev/null +++ b/schemas/basic-auth/3.5.x.json 
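Review bot: `https_verify` defaults to `false` while `https` defaults to `true`, and the description does not state what that combination means. As the description implies, the connection to the Azure Functions server is then encrypted but the server certificate is not checked, and the `apikey` / `clientid` headers are sent to whatever endpoint answers. I would spell that out, for example `"description": "Verify the Azure Functions server's TLS certificate. When false (the default), the connection is encrypted but the server is not authenticated."`. The same default and the same gap appear on `https_verify` in `schemas/forward-proxy/3.5.x.json` later in this patch.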
@@ -0,0 +1,70 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "anonymous": { + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + } + }, + { + "hide_credentials": { + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", + "type": "boolean", + "required": true, + "default": false + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/bot-detection/3.5.x.json b/schemas/bot-detection/3.5.x.json new file mode 100644 index 00000000..0a24e40f --- /dev/null +++ b/schemas/bot-detection/3.5.x.json 
@@ -0,0 +1,79 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "allow": { + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", + "type": "array", + "elements": { + "type": "string", + "is_regex": true + }, + "default": [ + + ] + } + }, + { + "deny": { + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", + "type": "array", + "elements": { + "type": "string", + "is_regex": true + }, + "default": [ + + ] + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/canary/3.5.x.json b/schemas/canary/3.5.x.json new file mode 100644 index 00000000..cedbf947 --- /dev/null +++ b/schemas/canary/3.5.x.json 
@@ -0,0 +1,190 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.upstream_uri", + "config.upstream_host", + "config.upstream_port" + ] + }, + { + "conditional": { + "then_field": "config.hash_header", + "if_field": "config.hash", + "then_match": { + "required": true + }, + "if_match": { + "eq": "header" + } + } + }, + { + "conditional": { + "then_field": "config.upstream_host", + "if_field": "config.upstream_fallback", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + } + } + } + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "config": { + "type": "record", + "shorthand_fields": [ + { + "hash": { + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead.", + "type": "string" + } + } + ], + "fields": [ + { + "start": { + "description": "Future time in seconds since epoch, when the canary release will start. 
Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`.", + "type": "number" + } + }, + { + "hash": { + "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", + "one_of": [ + "consumer", + "ip", + "none", + "allow", + "deny", + "header" + ], + "type": "string", + "default": "consumer" + } + }, + { + "hash_header": { + "type": "string", + "description": "A string representing an HTTP header name." + } + }, + { + "duration": { + "gt": 0, + "type": "number", + "description": "The duration of the canary release in seconds.", + "default": 3600 + } + }, + { + "steps": { + "gt": 1, + "type": "number", + "description": "The number of steps for the canary release.", + "default": 1000 + } + }, + { + "percentage": { + "description": "The percentage of traffic to be routed to the canary release.", + "type": "number", + "between": [ + 0, + 100 + ] + } + }, + { + "upstream_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "upstream_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "upstream_uri": { + "description": "The URI of the upstream server to be used for the canary release.", + "type": "string", + "len_min": 1 + } + }, + { + "upstream_fallback": { + "description": "Specifies whether to fallback to the upstream server if the canary release fails.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "groups": { + "description": "The groups allowed to access the canary release.", + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "canary_by_header_name": { + "type": "string", + "description": "A string representing an HTTP header name." + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/correlation-id/3.5.x.json b/schemas/correlation-id/3.5.x.json new file mode 100644 index 00000000..fe94f549 --- /dev/null +++ b/schemas/correlation-id/3.5.x.json 
@@ -0,0 +1,72 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "header_name": { + "description": "The HTTP header name to use for the correlation ID.", + "type": "string", + "default": "Kong-Request-ID" + } + }, + { + "generator": { + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", + "one_of": [ + "uuid", + "uuid#counter", + "tracker" + ], + "type": "string", + "default": "uuid#counter" + } + }, + { + "echo_downstream": { + "description": "Whether to echo the header back to downstream (the client).", + "type": "boolean", + "required": true, + "default": false + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/cors/3.5.x.json b/schemas/cors/3.5.x.json new file mode 100644 index 00000000..175c5e44 --- /dev/null +++ b/schemas/cors/3.5.x.json 
@@ -0,0 +1,135 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "len_min": 1 + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "origins": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes." + } + }, + { + "headers": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "Value for the `Access-Control-Allow-Headers` header." + } + }, + { + "exposed_headers": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed." + } + }, + { + "methods": { + "type": "array", + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. 
By default, all options are allowed.'", + "elements": { + "type": "string", + "one_of": [ + "GET", + "HEAD", + "PUT", + "PATCH", + "POST", + "DELETE", + "OPTIONS", + "TRACE", + "CONNECT" + ] + }, + "default": [ + "GET", + "HEAD", + "PUT", + "PATCH", + "POST", + "DELETE", + "OPTIONS", + "TRACE", + "CONNECT" + ] + } + }, + { + "max_age": { + "type": "number", + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`." + } + }, + { + "credentials": { + "type": "boolean", + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", + "required": true, + "default": false + } + }, + { + "preflight_continue": { + "type": "boolean", + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", + "required": true, + "default": false + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/datadog/3.5.x.json b/schemas/datadog/3.5.x.json new file mode 100644 index 00000000..26d7208a --- /dev/null +++ b/schemas/datadog/3.5.x.json 
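Review bot: The `origins` description says entries can be "flat strings or PCRE regexes" but not how an entry is classified as one or the other, nor whether a regex is anchored to the whole `Origin` value. That matters most when `credentials` is `true`, because a pattern that matches more hosts than intended lets those origins read authenticated responses. I would add a sentence such as `Regex entries should be anchored and have literal dots escaped, e.g. ^https://app\.example\.com$` (constructed example; the backslashes need doubling inside the JSON string). Separately, the `methods` description value is wrapped in stray single quotes (`'Value for ... allowed.'`).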
@@ -0,0 +1,346 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "retry_count", + "queue_size", + "flush_timeout" + ] + } + } + ], + "required": true, + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com.", + "referenceable": true, + "default": "localhost" + } + }, + { + "port": { + "type": "integer", + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "prefix": { + "description": "String to be attached as a prefix to a metric's name.", + "type": "string", + "default": "kong" + } + }, + { + "service_name_tag": { + "description": "String to be attached as the name of the service.", + "type": "string", + "default": "name" + } + }, + { + "status_tag": { + "description": "String to be attached as the tag of the HTTP status.", + "type": "string", + "default": "status" + } + }, + { + "consumer_tag": { + "description": "String to be attached as tag of the consumer.", + "type": "string", + "default": "consumer" + } + }, + { + "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" + } + }, + { + "queue_size": { + 
"description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" + } + }, + { + "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" + } + }, + { + "queue": { + "type": "record", + "fields": [ + { + "max_batch_size": { + "type": "integer", + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_coalescing_delay": { + "type": "number", + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "between": [ + 0, + 3600 + ] + } + }, + { + "max_entries": { + "type": "integer", + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." 
+ } + }, + { + "max_retry_time": { + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60 + } + }, + { + "initial_retry_delay": { + "type": "number", + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ] + } + }, + { + "max_retry_delay": { + "type": "number", + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ] + } + } + ], + "required": true + } + }, + { + "metrics": { + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "name": { + "description": "Datadog metric’s name", + "type": "string", + "required": true, + "one_of": [ + "kong_latency", + "latency", + "request_count", + "request_size", + "response_size", + "upstream_latency" + ] + } + }, + { + "stat_type": { + "description": "Determines what sort of event the metric represents", + "type": "string", + "required": true, + "one_of": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer", + "distribution" + ] + } + }, + { + "tags": { + "description": "List of tags", + "elements": { + "match": "^.*[^:]$", + "type": "string" + }, + "type": "array" + } + }, + { + "sample_rate": { + "description": "Sampling rate", + "type": "number", + "between": [ + 0, + 1 + ] + } + }, + { + "consumer_identifier": { + "description": "Authenticated user detail", + "type": "string", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + }, + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + } + } + } + ] + }, + "default": [ + { + "sample_rate": 1, + "stat_type": "counter", + "name": "request_count", + "consumer_identifier": "custom_id", + "tags": [ + "app:kong" + ] + }, + 
{ + "tags": [ + "app:kong" + ], + "name": "latency", + "consumer_identifier": "custom_id", + "stat_type": "timer" + }, + { + "tags": [ + "app:kong" + ], + "name": "request_size", + "consumer_identifier": "custom_id", + "stat_type": "timer" + }, + { + "tags": [ + "app:kong" + ], + "name": "response_size", + "consumer_identifier": "custom_id", + "stat_type": "timer" + }, + { + "tags": [ + "app:kong" + ], + "name": "upstream_latency", + "consumer_identifier": "custom_id", + "stat_type": "timer" + }, + { + "tags": [ + "app:kong" + ], + "name": "kong_latency", + "consumer_identifier": "custom_id", + "stat_type": "timer" + } + ], + "description": "List of metrics to be logged.", + "required": true + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/degraphql/3.5.x.json b/schemas/degraphql/3.5.x.json new file mode 100644 index 00000000..12e4c024 --- /dev/null +++ b/schemas/degraphql/3.5.x.json 
@@ -0,0 +1,68 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "graphql_server_path": { + "type": "string", + "default": "/graphql", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "required": true, + "starts_with": "/" + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/exit-transformer/3.5.x.json b/schemas/exit-transformer/3.5.x.json new file mode 100644 index 00000000..066e3b40 --- /dev/null +++ b/schemas/exit-transformer/3.5.x.json 
@@ -0,0 +1,68 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "functions": { + "type": "array", + "required": true, + "elements": { + "type": "string" + } + } + }, + { + "handle_unknown": { + "type": "boolean", + "description": "Determines whether to handle unknown status codes by transforming their responses.", + "default": false + } + }, + { + "handle_unexpected": { + "type": "boolean", + "description": "Determines whether to handle unexpected errors by transforming their responses.", + "default": false + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/file-log/3.5.x.json b/schemas/file-log/3.5.x.json new file mode 100644 index 00000000..fac93b9c --- /dev/null +++ b/schemas/file-log/3.5.x.json 
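Review bot: `config.functions` is the only field in this record without a `description`, and as I understand the plugin it is the one whose contents are executed: each array element is a string of Lua source that the gateway runs to rewrite exit responses. A reader of the schema should be able to tell that write access to this field amounts to running code in the Kong worker. Suggested text, to be confirmed against the plugin upstream since this file is a download: `"description": "Array of Lua functions, given as source strings, used to transform Kong exit responses."`.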
@@ -0,0 +1,83 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "path": { + "match": "^[^*&%%\\`]+$", + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", + "type": "string", + "required": true, + "err": "not a valid filename" + } + }, + { + "reopen": { + "type": "boolean", + "description": "Determines whether the log file is closed and reopened on every request.", + "required": true, + "default": false + } + }, + { + "custom_fields_by_lua": { + "type": "map", + "values": { + "type": "string", + "len_min": 1 + }, + "description": "Lua code as a key-value map", + "keys": { + "type": "string", + "len_min": 1 + } + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/forward-proxy/3.5.x.json b/schemas/forward-proxy/3.5.x.json new file mode 100644 index 00000000..3ee1c813 --- /dev/null +++ b/schemas/forward-proxy/3.5.x.json 
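Review bot: `custom_fields_by_lua` is described only as `Lua code as a key-value map`, which does not say that each map value is a Lua chunk the gateway evaluates to produce a log field (my reading of the plugin; confirm upstream). A clearer text would be `"description": "Map of log field name to a Lua chunk; the chunk's return value sets or replaces that field."`. On `path`, the `match` pattern rejects only a handful of characters and does not confine the file to a log directory, so the description should mention that the file is created and written with the privileges of the Kong worker process.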
@@ -0,0 +1,163 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "shorthand_fields": [ + { + "proxy_host": { + "type": "string" + } + }, + { + "proxy_port": { + "type": "integer" + } + } + ], + "fields": [ + { + "x_headers": { + "type": "string", + "default": "append", + "description": "Determines how to handle headers when forwarding the request.", + "required": true, + "one_of": [ + "append", + "transparent", + "delete" + ] + } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "http_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "https_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "proxy_scheme": { + "type": "string", + "default": "http", + "description": "The proxy scheme to use when connecting. 
Only `http` is supported.", + "required": true, + "one_of": [ + "http" + ] + } + }, + { + "auth_username": { + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "auth_password": { + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "https_verify": { + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "type": "boolean", + "required": true, + "default": false + } + } + ], + "required": true, + "entity_checks": [ + { + "at_least_one_of": [ + "http_proxy_host", + "https_proxy_host" + ] + }, + { + "at_least_one_of": [ + "http_proxy_port", + "https_proxy_port" + ] + }, + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/graphql-proxy-cache-advanced/3.5.x.json b/schemas/graphql-proxy-cache-advanced/3.5.x.json new file mode 100644 index 00000000..100dfec6 --- /dev/null +++ b/schemas/graphql-proxy-cache-advanced/3.5.x.json 
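Review bot: In the forward-proxy schema `auth_password` is declared `referenceable` but not `encrypted`, whereas the Redis `password` and `sentinel_password` fields in the graphql-rate-limiting-advanced schema added by this same patch carry `"encrypted": true`. If that attribute is what drives at-rest encryption of the stored value (inferred from its name, not shown here), the proxy password is stored in clear text unless it is supplied as a reference, and the description should say so. Separately, `https_verify` defaults to `false`, and the description should make that visible, e.g. `"description": "Whether the server certificate is verified against the CA certificates in lua_ssl_trusted_certificate. Verification is disabled by default."`. If these files are pulled from the gateway rather than edited by hand, both changes belong in the plugin's schema source.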
@@ -0,0 +1,89 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "strategy": { + "type": "string", + "default": "memory", + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", + "required": true, + "one_of": [ + "memory" + ] + } + }, + { + "cache_ttl": { + "gt": 0, + "type": "integer", + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "default": 300 + } + }, + { + "memory": { + "type": "record", + "fields": [ + { + "dictionary_name": { + "type": "string", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", + "required": true, + "default": "kong_db_cache" + } + } + ], + "required": true + } + }, + { + "vary_headers": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/graphql-rate-limiting-advanced/3.5.x.json b/schemas/graphql-rate-limiting-advanced/3.5.x.json new file mode 100644 index 00000000..ed15567e --- /dev/null +++ b/schemas/graphql-rate-limiting-advanced/3.5.x.json 
@@ -0,0 +1,417 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_field": "config.strategy", + "then_at_least_one_of": [ + "config.redis.host", + "config.redis.sentinel_master" + ], + "if_match": { + "eq": "redis" + } + } + } + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "identifier": { + "type": "string", + "default": "consumer", + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", + "required": true, + "one_of": [ + "ip", + "credential", + "consumer" + ] + } + }, + { + "window_size": { + "type": "array", + "description": "One or more window sizes to apply a limit to (defined in seconds).", + "elements": { + "type": "number" + }, + "required": true + } + }, + { + "window_type": { + "type": "string", + "one_of": [ + "fixed", + "sliding" + ], + "description": "Sets the time window to either `sliding` or `fixed`.", + "default": "sliding" + } + }, + { + "limit": { + "type": "array", + "description": "One or more requests-per-window limits to apply.", + "elements": { + "type": "number" + }, + "required": true + } + }, + { + "sync_rate": { + "type": "number", + "required": true, + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. 
A value greater than 0 syncs the counters in that many number of seconds." + } + }, + { + "namespace": { + "type": "string", + "description": "The rate limiting library namespace to use for this plugin instance.", + "auto": true + } + }, + { + "strategy": { + "type": "string", + "default": "cluster", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", + "required": true, + "one_of": [ + "cluster", + "redis" + ] + } + }, + { + "dictionary_name": { + "type": "string", + "description": "The shared dictionary where counters will be stored until the next sync cycle.", + "required": true, + "default": "kong_rate_limiting_counters" + } + }, + { + "hide_client_headers": { + "type": "boolean", + "description": "Optionally hide informative response headers. Available options: `true` or `false`.", + "default": false + } + }, + { + "cost_strategy": { + "type": "string", + "one_of": [ + "default", + "node_quantifier" + ], + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", + "default": "default" + } + }, + { + "score_factor": { + "gt": 0, + "default": 1, + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", + "required": false, + "type": "number" + } + }, + { + "max_cost": { + "type": "number", + "description": "A defined maximum cost per query. 
0 means unlimited.", + "required": false, + "default": 0 + } + }, + { + "redis": { + "type": "record", + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_addresses" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ], + "required": true, + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "username": { + "type": "string", + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." + } + }, + { + "password": { + "type": "string", + "encrypted": true, + "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + } + }, + { + "sentinel_username": { + "type": "string", + "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + } + }, + { + "sentinel_password": { + "type": "string", + "encrypted": true, + "referenceable": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + } + }, + { + "database": { + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "type": "integer", + "default": 30, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value.", + "between": [ + 1, + 2147483646 + ] + } + }, + { + "keepalive_backlog": { + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. 
Queued connect operations resume once the number of connections in the pool is less than `keepalive_pool_size`. Note that queued connect operations are subject to set timeouts.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_addresses": { + "type": "array", + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "elements": { + "type": "string" + }, + "len_min": 1 + } + }, + { + "cluster_addresses": { + "type": "array", + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "elements": { + "type": "string" + }, + "len_min": 1 + } + }, + { + "ssl": { + "type": "boolean", + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "default": false + } + }, + { + "ssl_verify": { + "type": "boolean", + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "default": false + } + }, + { + "server_name": { + "type": "string", + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS." + } + } + ] + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/grpc-gateway/3.5.x.json b/schemas/grpc-gateway/3.5.x.json new file mode 100644 index 00000000..e7eeb8db --- /dev/null +++ b/schemas/grpc-gateway/3.5.x.json @@ -0,0 +1,59 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "proto": { + "description": "Describes the gRPC types and methods.", + "required": false, + "type": "string" + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/grpc-web/3.5.x.json b/schemas/grpc-web/3.5.x.json new file mode 100644 index 00000000..154c7822 --- /dev/null +++ b/schemas/grpc-web/3.5.x.json 
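Review bot: In the `config.redis` record of the graphql-rate-limiting-advanced schema, `ssl` and `ssl_verify` both default to `false`, and neither description says what that means for the `password` and `sentinel_password` fields declared next to them. With the defaults those credentials go to Redis without TLS, and enabling `ssl` alone still leaves the server certificate unchecked. I would extend the text, e.g. `"description": "If set to true, uses SSL to connect to Redis. Defaults to false, which sends credentials and counters unencrypted."`, and add to `ssl_verify` that the certificate is not verified unless it is set to `true`.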
@@ -0,0 +1,74 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "proto": { + "type": "string", + "required": false, + "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content." + } + }, + { + "pass_stripped_path": { + "type": "boolean", + "required": false, + "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service." + } + }, + { + "allow_origin_header": { + "type": "string", + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", + "required": false, + "default": "*" + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/hmac-auth/3.5.x.json b/schemas/hmac-auth/3.5.x.json new file mode 100644 index 00000000..a3aa1f7d --- /dev/null +++ b/schemas/hmac-auth/3.5.x.json 
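Review bot: The `proto` description in the grpc-web schema gives the content type as `application/grpw-web+proto`, which looks like a typo for `application/grpc-web+proto`. An operator copying it into a client would presumably send a type the plugin does not handle. In the same hunk `allow_origin_header` defaults to `"*"`, and the description does not mention that the default allows every origin. I would append `Defaults to *, which allows any origin; set an explicit origin to restrict browser access.`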
@@ -0,0 +1,125 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.algorithms" + ] + } + } + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "hide_credentials": { + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "clock_skew": { + "gt": 0, + "type": "number", + "description": "Clock skew in seconds to prevent replay attacks.", + "default": 300 + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + } + }, + { + "validate_request_body": { + "description": "A boolean value telling the plugin to enable body validation.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "enforce_headers": { + "description": "A list of headers that the client should at least use for HTTP signature creation.", + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "algorithms": { + "description": "A list of HMAC digest algorithms that the user wants to support. 
Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ] + }, + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ] + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/http-log/3.5.x.json b/schemas/http-log/3.5.x.json new file mode 100644 index 00000000..060d09a7 --- /dev/null +++ b/schemas/http-log/3.5.x.json 
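Review bot: `config.algorithms` in the hmac-auth schema defaults to all four digests, including `hmac-sha1`, but its description lists the allowed values without saying that the default accepts every one of them. Deployments whose policy excludes SHA-1 have to set the list explicitly, so the description should state the default, e.g. by appending `By default all four are accepted; list only the algorithms you want to allow.` The `protocols` field in this schema also has no `description`, unlike the same field in the neighbouring schemas of this patch.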
@@ -0,0 +1,245 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "retry_count", + "queue_size", + "flush_timeout" + ] + } + } + ], + "fields": [ + { + "http_endpoint": { + "type": "string", + "referenceable": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "encrypted": true, + "required": true + } + }, + { + "method": { + "type": "string", + "one_of": [ + "POST", + "PUT", + "PATCH" + ], + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", + "default": "POST" + } + }, + { + "content_type": { + "type": "string", + "one_of": [ + "application/json", + "application/json; charset=utf-8" + ], + "description": "Indicates the type of data sent. 
The only available option is `application/json`.", + "default": "application/json" + } + }, + { + "timeout": { + "type": "number", + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "default": 10000 + } + }, + { + "keepalive": { + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", + "default": 60000 + } + }, + { + "retry_count": { + "type": "integer", + "description": "Number of times to retry when sending data to the upstream server." + } + }, + { + "queue_size": { + "type": "integer", + "description": "Maximum number of log entries to be sent on each message to the upstream server." + } + }, + { + "flush_timeout": { + "type": "number", + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records." + } + }, + { + "headers": { + "type": "map", + "values": { + "referenceable": true, + "type": "string" + }, + "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", + "keys": { + "type": "string", + "match_none": [ + { + "err": "cannot contain 'Host' header", + "pattern": "^[Hh][Oo][Ss][Tt]$" + }, + { + "err": "cannot contain 'Content-Length' header", + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$" + }, + { + "err": "cannot contain 'Content-Type' header", + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$" + } + ], + "description": "A string representing an HTTP header name." 
+ } + } + }, + { + "queue": { + "type": "record", + "fields": [ + { + "max_batch_size": { + "type": "integer", + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_coalescing_delay": { + "type": "number", + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "between": [ + 0, + 3600 + ] + } + }, + { + "max_entries": { + "type": "integer", + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + } + }, + { + "max_retry_time": { + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60 + } + }, + { + "initial_retry_delay": { + "type": "number", + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ] + } + }, + { + "max_retry_delay": { + "type": "number", + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ] + } + } + ], + "required": true + } + }, + { + "custom_fields_by_lua": { + "type": "map", + "values": { + "type": "string", + "len_min": 1 + }, + "description": "Lua code as a key-value map", + "keys": { + "type": "string", + "len_min": 1 + } + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/ip-restriction/3.5.x.json b/schemas/ip-restriction/3.5.x.json new file mode 100644 index 00000000..574502e0 --- /dev/null +++ b/schemas/ip-restriction/3.5.x.json 
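Review bot: The `match_none` pattern meant to reject a `Content-Length` key in the http-log `config.headers` map has `[nn]` where every other position pairs both cases. A key with an upper-case `N` in `Length` (constructed example: `Content-LeNgth`) therefore passes the check, although HTTP header names are case-insensitive. The `Host` and `Content-Type` patterns in the same list are fully case-paired. The line should read `"pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][Nn][Gg][Tt][Hh]$"`. If this file is pulled from the gateway rather than edited by hand, the correction belongs in the plugin's schema source and this copy will follow.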
@@ -0,0 +1,93 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "default": [ + "http", + "https", + "tcp", + "tls", + "grpc", + "grpcs" + ], + "description": "A set of strings representing protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "allow": { + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", + "elements": { + "type": "string", + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + }, + "type": "array" + } + }, + { + "deny": { + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", + "elements": { + "type": "string", + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + }, + "type": "array" + } + }, + { + "status": { + "description": "The HTTP status of the requests that will be rejected by the plugin.", + "required": false, + "type": "number" + } + }, + { + "message": { + "description": "The message to send as a response body to rejected requests.", + "required": false, + "type": "string" + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/jq/3.5.x.json b/schemas/jq/3.5.x.json new file mode 100644 index 00000000..53ef0690 --- /dev/null +++ b/schemas/jq/3.5.x.json 
@@ -0,0 +1,197 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "request_jq_program", + "response_jq_program" + ] + } + ], + "required": true, + "fields": [ + { + "request_jq_program": { + "type": "string", + "required": false + } + }, + { + "request_jq_program_options": { + "type": "record", + "required": false, + "fields": [ + { + "compact_output": { + "type": "boolean", + "required": true, + "default": true + } + }, + { + "raw_output": { + "type": "boolean", + "required": true, + "default": false + } + }, + { + "join_output": { + "type": "boolean", + "required": true, + "default": false + } + }, + { + "ascii_output": { + "type": "boolean", + "required": true, + "default": false + } + }, + { + "sort_keys": { + "type": "boolean", + "required": true, + "default": false + } + } + ], + "default": [ + + ] + } + }, + { + "request_if_media_type": { + "type": "array", + "required": false, + "elements": { + "type": "string" + }, + "default": [ + "application/json" + ] + } + }, + { + "response_jq_program": { + "type": "string", + "required": false + } + }, + { + "response_jq_program_options": { + "type": "record", + "required": false, + "fields": [ + { + "compact_output": { + "type": "boolean", + "required": true, + "default": true + } + }, + { + "raw_output": { + "type": "boolean", + "required": true, + "default": false + } + }, + { + "join_output": { + "type": "boolean", + "required": true, + "default": false 
+ } + }, + { + "ascii_output": { + "type": "boolean", + "required": true, + "default": false + } + }, + { + "sort_keys": { + "type": "boolean", + "required": true, + "default": false + } + } + ], + "default": [ + + ] + } + }, + { + "response_if_media_type": { + "type": "array", + "required": false, + "elements": { + "type": "string" + }, + "default": [ + "application/json" + ] + } + }, + { + "response_if_status_code": { + "type": "array", + "required": false, + "elements": { + "type": "integer", + "between": [ + 100, + 599 + ] + }, + "default": [ + 200 + ] + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/jwe-decrypt/3.5.x.json b/schemas/jwe-decrypt/3.5.x.json new file mode 100644 index 00000000..c26e2a11 --- /dev/null +++ b/schemas/jwe-decrypt/3.5.x.json 
@@ -0,0 +1,86 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "lookup_header_name": { + "description": "The name of the header to look for the JWE token.", + "type": "string", + "required": true, + "default": "Authorization" + } + }, + { + "forward_header_name": { + "description": "The name of the header that is used to set the decrypted value.", + "type": "string", + "required": true, + "default": "Authorization" + } + }, + { + "key_sets": { + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", + "type": "array", + "elements": { + "type": "string" + }, + "required": true + } + }, + { + "strict": { + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", + "type": "boolean", + "default": true + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/jwt-signer/3.5.x.json b/schemas/jwt-signer/3.5.x.json new file mode 100644 index 00000000..32a25682 --- /dev/null +++ b/schemas/jwt-signer/3.5.x.json 
@@ -0,0 +1,726 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "realm": { + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", + "required": false, + "type": "string" + } + }, + { + "enable_hs_signatures": { + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "enable_instrumentation": { + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "access_token_issuer": { + "description": "The `iss` claim of a signed or re-signed access token is set to this value. 
Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", + "type": "string", + "required": false, + "default": "kong" + } + }, + { + "access_token_keyset": { + "description": "The name of the keyset containing signing keys.", + "type": "string", + "required": false, + "default": "kong" + } + }, + { + "access_token_jwks_uri": { + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", + "required": false, + "type": "string" + } + }, + { + "access_token_request_header": { + "description": "This parameter tells the name of the header where to look for the access token.", + "type": "string", + "required": false, + "default": "Authorization" + } + }, + { + "access_token_leeway": { + "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. 
You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", + "type": "number", + "required": false, + "default": 0 + } + }, + { + "access_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", + "type": "array", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "access_token_scopes_claim": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "scope" + ], + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", + "required": false + } + }, + { + "access_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", + "type": "array", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "access_token_consumer_by": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "default": [ + "username", + "custom_id" + ], + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", + "required": false + } + }, + { + "access_token_upstream_header": { + "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. 
If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", + "type": "string", + "required": false, + "default": "Authorization:Bearer" + } + }, + { + "access_token_upstream_leeway": { + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", + "type": "number", + "required": false, + "default": 0 + } + }, + { + "access_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", + "required": false, + "type": "string" + } + }, + { + "access_token_introspection_authorization": { + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", + "required": false, + "type": "string" + } + }, + { + "access_token_introspection_body_args": { + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", + "required": false, + "type": "string" + } + }, + { + "access_token_introspection_hint": { + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", + "type": "string", + "required": false, + "default": "access_token" + } + }, + { + "access_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. 
Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", + "type": "array", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "access_token_introspection_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", + "type": "array", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "access_token_introspection_scopes_claim": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "scope" + ], + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", + "required": true + } + }, + { + "access_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", + "type": "array", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "access_token_introspection_consumer_by": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "default": [ + "username", + "custom_id" + ], + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration 
parameter. The parameter can take an array of values.", + "required": false + } + }, + { + "access_token_introspection_leeway": { + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", + "type": "number", + "required": false, + "default": 0 + } + }, + { + "access_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", + "required": false, + "type": "number" + } + }, + { + "access_token_signing_algorithm": { + "type": "string", + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", + "required": true, + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + } + }, + { + "access_token_optional": { + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). 
Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "verify_access_token_signature": { + "description": "Quickly turn access token signature verification off and on as needed.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "verify_access_token_expiry": { + "description": "Quickly turn access token expiry verification off and on as needed.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "verify_access_token_scopes": { + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "verify_access_token_introspection_expiry": { + "description": "Quickly turn access token introspection expiry verification off and on as needed.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "verify_access_token_introspection_scopes": { + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "cache_access_token_introspection": { + "description": "Whether to cache access token introspection results.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "trust_access_token_introspection": { + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. 
If you set this to `true`, the expiry or scopes are not checked on a payload.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "enable_access_token_introspection": { + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "channel_token_issuer": { + "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", + "type": "string", + "required": false, + "default": "kong" + } + }, + { + "channel_token_keyset": { + "description": "The name of the keyset containing signing keys.", + "type": "string", + "required": false, + "default": "kong" + } + }, + { + "channel_token_jwks_uri": { + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", + "required": false, + "type": "string" + } + }, + { + "channel_token_request_header": { + "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", + "required": false, + "type": "string" + } + }, + { + "channel_token_leeway": { + "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. 
You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", + "type": "number", + "required": false, + "default": 0 + } + }, + { + "channel_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", + "type": "array", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "channel_token_scopes_claim": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "scope" + ], + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", + "required": false + } + }, + { + "channel_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", + "type": "array", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "channel_token_consumer_by": { + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. 
The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "default": [ + "username", + "custom_id" + ] + } + }, + { + "channel_token_upstream_header": { + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", + "required": false, + "type": "string" + } + }, + { + "channel_token_upstream_leeway": { + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", + "type": "number", + "required": false, + "default": 0 + } + }, + { + "channel_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", + "required": false, + "type": "string" + } + }, + { + "channel_token_introspection_authorization": { + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", + "type": "string", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "channel_token_introspection_body_args": { + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. 
For example: `resource=` or `a=1&b=&c`.", + "type": "string", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "channel_token_introspection_hint": { + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", + "type": "string", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "channel_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", + "type": "array", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "channel_token_introspection_scopes_required": { + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", + "type": "array", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "channel_token_introspection_scopes_claim": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "scope" + ], + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. 
This supports nested claims.", + "required": false + } + }, + { + "channel_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", + "type": "array", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "channel_token_introspection_consumer_by": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "default": [ + "username", + "custom_id" + ], + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", + "required": false + } + }, + { + "channel_token_introspection_leeway": { + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", + "type": "number", + "required": false, + "default": 0 + } + }, + { + "channel_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. 
If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", + "required": false, + "type": "number" + } + }, + { + "channel_token_signing_algorithm": { + "type": "string", + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", + "required": true, + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + } + }, + { + "channel_token_optional": { + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. 
If the channel token is provided, then this parameter has no effect", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "verify_channel_token_signature": { + "description": "Quickly turn on/off the channel token signature verification.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "verify_channel_token_expiry": { + "type": "boolean", + "required": false, + "default": true + } + }, + { + "verify_channel_token_scopes": { + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "verify_channel_token_introspection_expiry": { + "description": "Quickly turn on/off the channel token introspection expiry verification.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "verify_channel_token_introspection_scopes": { + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "cache_channel_token_introspection": { + "description": "Whether to cache channel token introspection results.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "trust_channel_token_introspection": { + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. 
With true (default), payload's expiry or scopes aren't checked.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "enable_channel_token_introspection": { + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "add_claims": { + "type": "map", + "values": { + "type": "string" + }, + "keys": { + "type": "string" + }, + "description": "Add customized claims if they are not present yet.", + "required": false, + "default": [ + + ] + } + }, + { + "set_claims": { + "type": "map", + "values": { + "type": "string" + }, + "keys": { + "type": "string" + }, + "description": "Set customized claims. If a claim is already present, it will be overwritten.", + "required": false, + "default": [ + + ] + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/jwt/3.5.x.json b/schemas/jwt/3.5.x.json new file mode 100644 index 00000000..908eac96 --- /dev/null +++ b/schemas/jwt/3.5.x.json 
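Review bot: The description of `config.channel_token_introspection_authorization` repeats the introspection-endpoint text ("you need to specify the OAuth 2.0 introspection endpoint URI") instead of saying that the field holds the `Authorization` header value sent to that endpoint. It should mirror the wording of `access_token_introspection_authorization`, for example `"description": "If the introspection endpoint requires client authentication, specify the Authorization header's value with this configuration parameter."`. The field is also declared `"type": "string"` yet carries an `elements` block, as do `channel_token_introspection_body_args` and `channel_token_introspection_hint`. Both `*_introspection_authorization` fields hold a credential but have neither `encrypted` nor `referenceable`, unlike the kafka-log `user`/`password` fields in this same patch, so it is worth confirming whether that is intended. As these files are pulled from the API, the correction presumably belongs in the plugin's schema source.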
@@ -0,0 +1,153 @@ +{ + "entity_checks": [ + { + "conditional": { + "then_field": "config.claims_to_verify", + "if_field": "config.maximum_expiration", + "then_match": { + "contains": "exp" + }, + "if_match": { + "gt": 0 + } + } + } + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "uri_param_names": { + "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", + "type": "set", + "elements": { + "type": "string" + }, + "default": [ + "jwt" + ] + } + }, + { + "cookie_names": { + "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", + "type": "set", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "key_claim_name": { + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", + "type": "string", + "default": "iss" + } + }, + { + "secret_is_base64": { + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. 
You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "claims_to_verify": { + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", + "elements": { + "type": "string", + "one_of": [ + "exp", + "nbf" + ] + }, + "type": "set" + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + } + }, + { + "run_on_preflight": { + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", + "type": "boolean", + "required": true, + "default": true + } + }, + { + "maximum_expiration": { + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", + "default": 0, + "type": "number", + "between": [ + 0, + 31536000 + ] + } + }, + { + "header_names": { + "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", + "type": "set", + "elements": { + "type": "string" + }, + "default": [ + "authorization" + ] + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/kafka-log/3.5.x.json b/schemas/kafka-log/3.5.x.json new file mode 100644 index 00000000..b0d3dc6d --- /dev/null +++ b/schemas/kafka-log/3.5.x.json 
@@ -0,0 +1,280 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "authentication" + ] + } + } + ], + "required": true, + "fields": [ + { + "bootstrap_servers": { + "type": "set", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "type": "string", + "required": true, + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "between": [ + 0, + 65535 + ] + } + } + ] + }, + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." + } + }, + { + "topic": { + "type": "string", + "required": true, + "description": "The Kafka topic to publish to." + } + }, + { + "timeout": { + "type": "integer", + "description": "Socket timeout in milliseconds.", + "default": 10000 + } + }, + { + "keepalive": { + "type": "integer", + "default": 60000 + } + }, + { + "keepalive_enabled": { + "type": "boolean", + "default": false + } + }, + { + "authentication": { + "type": "record", + "fields": [ + { + "strategy": { + "type": "string", + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "required": false, + "one_of": [ + "sasl" + ] + } + }, + { + "mechanism": { + "type": "string", + "description": "The SASL authentication mechanism. 
Supported options: `PLAIN` or `SCRAM-SHA-256`.", + "required": false, + "one_of": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ] + } + }, + { + "tokenauth": { + "type": "boolean", + "required": false, + "description": "Enable this to indicate `DelegationToken` authentication" + } + }, + { + "user": { + "type": "string", + "referenceable": true, + "description": "Username for SASL authentication.", + "encrypted": true, + "required": false + } + }, + { + "password": { + "type": "string", + "referenceable": true, + "description": "Password for SASL authentication.", + "encrypted": true, + "required": false + } + } + ], + "required": true + } + }, + { + "security": { + "type": "record", + "fields": [ + { + "certificate_id": { + "type": "string", + "description": "UUID of certificate entity for mTLS authentication.", + "required": false, + "uuid": true + } + }, + { + "ssl": { + "type": "boolean", + "required": false, + "description": "Enables TLS." + } + } + ], + "required": true + } + }, + { + "cluster_name": { + "type": "string", + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "required": false, + "auto": true + } + }, + { + "producer_request_acks": { + "type": "integer", + "one_of": [ + -1, + 0, + 1 + ], + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "default": 1 + } + }, + { + "producer_request_timeout": { + "type": "integer", + "description": "Time to wait for a Produce response in milliseconds", + "default": 2000 + } + }, + { + "producer_request_limits_messages_per_request": { + "type": "integer", + "description": "Maximum number of messages to include into a single Produce request.", + "default": 200 + } + }, + { + "producer_request_limits_bytes_per_request": { + "type": "integer", + "description": "Maximum size of a Produce request in bytes.", + "default": 1048576 + } + }, + { + "producer_request_retries_max_attempts": { + "type": "integer", + "description": "Maximum number of retry attempts per single Produce request.", + "default": 10 + } + }, + { + "producer_request_retries_backoff_timeout": { + "type": "integer", + "description": "Backoff interval between retry attempts in milliseconds.", + "default": 100 + } + }, + { + "producer_async": { + "type": "boolean", + "description": "Flag to enable asynchronous mode.", + "default": true + } + }, + { + "producer_async_flush_timeout": { + "type": "integer", + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "default": 1000 + } + }, + { + "producer_async_buffering_limits_messages_in_memory": { + "type": "integer", + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "default": 50000 + } + }, + { + "custom_fields_by_lua": { + "type": "map", + "values": { + "type": "string", + "len_min": 1 + }, + "description": "Lua code as a key-value map", + "keys": { + "type": "string", + "len_min": 1 + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/kafka-upstream/3.5.x.json b/schemas/kafka-upstream/3.5.x.json new file mode 100644 index 00000000..37d0733a --- /dev/null +++ b/schemas/kafka-upstream/3.5.x.json 
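Review bot: The description of `authentication.mechanism` says the supported options are `PLAIN` or `SCRAM-SHA-256`, but its `one_of` list also accepts `SCRAM-SHA-512`, so the generated documentation will under-report what the schema allows. Suggested wording: `"description": "The SASL authentication mechanism. Supported options: PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512."`. With `PLAIN` the password is only protected in transit when `security.ssl` is enabled, and `ssl` has no default here, so the description could also say that. `keepalive` and `keepalive_enabled` in the same record have no description at all.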
@@ -0,0 +1,302 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "forward_method", + "forward_uri", + "forward_headers", + "forward_body" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "authentication" + ] + } + } + ], + "required": true, + "fields": [ + { + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "type": "string", + "required": true, + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "between": [ + 0, + 65535 + ] + } + } + ] + }, + "type": "set" + } + }, + { + "topic": { + "description": "The Kafka topic to publish to.", + "required": true, + "type": "string" + } + }, + { + "timeout": { + "description": "Socket timeout in milliseconds.", + "type": "integer", + "default": 10000 + } + }, + { + "keepalive": { + "description": "Keepalive timeout in milliseconds.", + "type": "integer", + "default": 60000 + } + }, + { + "keepalive_enabled": { + "type": "boolean", + "default": false + } + }, + { + "authentication": { + "type": "record", + "fields": [ + { + "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "type": "string", + "required": false, + "one_of": [ + "sasl" + ] + } + }, + { + "mechanism": { + "description": "The SASL authentication mechanism. 
Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", + "type": "string", + "required": false, + "one_of": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ] + } + }, + { + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication.", + "required": false, + "type": "boolean" + } + }, + { + "user": { + "type": "string", + "referenceable": true, + "description": "Username for SASL authentication.", + "encrypted": true, + "required": false + } + }, + { + "password": { + "type": "string", + "referenceable": true, + "description": "Password for SASL authentication.", + "encrypted": true, + "required": false + } + } + ], + "required": true + } + }, + { + "security": { + "type": "record", + "fields": [ + { + "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string", + "required": false, + "uuid": true + } + }, + { + "ssl": { + "description": "Enables TLS.", + "required": false, + "type": "boolean" + } + } + ], + "required": true + } + }, + { + "forward_method": { + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean", + "default": false + } + }, + { + "forward_uri": { + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean", + "default": false + } + }, + { + "forward_headers": { + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean", + "default": false + } + }, + { + "forward_body": { + "description": "Include the request body in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean", + "default": true + } + }, + { + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "type": "string", + "required": false, + "auto": true + } + }, + { + "producer_request_acks": { + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "one_of": [ + -1, + 0, + 1 + ], + "type": "integer", + "default": 1 + } + }, + { + "producer_request_timeout": { + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer", + "default": 2000 + } + }, + { + "producer_request_limits_messages_per_request": { + "description": "Maximum number of messages to include into a single producer request.", + "type": "integer", + "default": 200 + } + }, + { + "producer_request_limits_bytes_per_request": { + "description": "Maximum size of a Produce request in bytes.", + "type": "integer", + "default": 1048576 + } + }, + { + "producer_request_retries_max_attempts": { + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer", + "default": 10 + } + }, + { + "producer_request_retries_backoff_timeout": { + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer", + "default": 100 + } + }, + { + "producer_async": { + "description": "Flag to enable asynchronous mode.", + "type": "boolean", + 
"default": true + } + }, + { + "producer_async_flush_timeout": { + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer", + "default": 1000 + } + }, + { + "producer_async_buffering_limits_messages_in_memory": { + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer", + "default": 50000 + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/key-auth-enc/3.5.x.json b/schemas/key-auth-enc/3.5.x.json new file mode 100644 index 00000000..bedd8ceb --- /dev/null +++ b/schemas/key-auth-enc/3.5.x.json 
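Review bot: `authentication.mechanism` accepts `PLAIN` while `security.ssl` is optional and has no default, and neither description says that SASL/PLAIN gives the `password` no protection unless the connection itself is TLS. Whether the `custom_entity_check` on `authentication` rejects that combination is not visible in this file, so I would at least extend the `ssl` description, for example `Enables TLS. Should be enabled whenever mechanism is PLAIN, which otherwise sends the password in clear text.` The `forward_headers` description could likewise note that forwarded request headers can include `Authorization` and cookies, which then end up in the Kafka topic.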
@@ -0,0 +1,111 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "key_names": { + "type": "array", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "default": [ + "apikey" + ], + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "required": true + } + }, + { + "hide_credentials": { + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", + "type": "boolean", + "default": false + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + } + }, + { + "key_in_header": { + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean", + "default": true + } + }, + { + "key_in_query": { + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean", + "default": true + } + }, + { + "key_in_body": { + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean", + "default": false + } + }, + { + "run_on_preflight": { + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean", + "default": true + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/key-auth/3.5.x.json b/schemas/key-auth/3.5.x.json new file mode 100644 index 00000000..074c77b6 --- /dev/null +++ b/schemas/key-auth/3.5.x.json 
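Review bot: `key_in_query` defaults to `true` and `hide_credentials` to `false`, so an untouched configuration accepts the API key in the URL and passes it on to the upstream, and neither description mentions that query strings are routinely written to access logs. I would add a caveat to `key_in_query`, such as `Keys sent in the query string can end up in access logs; disable this when clients can send a header.`; the same applies to schemas/key-auth/3.5.x.json. Separately, the `key_in_body` description in both files lists `application/www-form-urlencoded`, where the registered media type, and presumably the intended one, is `application/x-www-form-urlencoded`.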
@@ -0,0 +1,116 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "key_names": { + "type": "array", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "default": [ + "apikey" + ], + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "required": true + } + }, + { + "hide_credentials": { + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. 
If empty (default null), the request will fail with an authentication failure `4xx`.", + "type": "string" + } + }, + { + "key_in_header": { + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean", + "required": true, + "default": true + } + }, + { + "key_in_query": { + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean", + "required": true, + "default": true + } + }, + { + "key_in_body": { + "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "run_on_preflight": { + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean", + "required": true, + "default": true + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/konnect-application-auth/3.5.x.json b/schemas/konnect-application-auth/3.5.x.json new file mode 100644 index 00000000..a50c7abe --- /dev/null +++ b/schemas/konnect-application-auth/3.5.x.json 
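Review bot: The `key_names` description here says only that the plugin looks for a key under these names, and its element description calls each one "an HTTP header name", although `key_in_query` and `key_in_body` in the same record show the names are also matched against query parameters and body fields. The key-auth-enc schema in this patch spells that out ("the plugin will try to read the credential from a header, request body, or query string parameter with the same name"); carrying that sentence over would keep the two consistent. The `anonymous` description also drops the note, present in key-auth-enc, that the value must be a consumer `id` or `username` and not its `custom_id`; if that restriction holds here too, it should be restored.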
@@ -0,0 +1,98 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "route": { + "type": "foreign", + "description": "A reference to the 'routes' table with a null value allowed.", + "eq": null, + "reference": "routes" + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + + ], + "required": true, + "fields": [ + { + "key_names": { + "type": "array", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "default": [ + "apikey" + ], + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "required": true + } + }, + { + "auth_type": { + "type": "string", + "default": "openid-connect", + "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth'.", + "required": true, + "one_of": [ + "openid-connect", + "key-auth" + ] + } + }, + { + "scope": { + "description": "The unique scope identifier for the plugin configuration.", + "unique": true, + "required": true, + "type": "string" + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/ldap-auth-advanced/3.5.x.json b/schemas/ldap-auth-advanced/3.5.x.json new file mode 100644 index 00000000..f0a34d78 --- /dev/null +++ b/schemas/ldap-auth-advanced/3.5.x.json 
@@ -0,0 +1,236 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "ldap_host": { + "description": "Host on which the LDAP server is running.", + "required": true, + "type": "string" + } + }, + { + "ldap_password": { + "description": "The password to the LDAP server.", + "encrypted": true, + "referenceable": true, + "type": "string" + } + }, + { + "ldap_port": { + "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", + "type": "number", + "default": 389 + } + }, + { + "bind_dn": { + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", + "referenceable": true, + "type": "string" + } + }, + { + "ldaps": { + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. 
If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "start_tls": { + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "verify_ldap_host": { + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", + "required": true, + "type": "string" + } + }, + { + "attribute": { + "description": "Attribute to be used to search the user; e.g., \"cn\".", + "required": true, + "type": "string" + } + }, + { + "cache_ttl": { + "description": "Cache expiry time in seconds.", + "type": "number", + "required": true, + "default": 60 + } + }, + { + "hide_credentials": { + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "type": "boolean", + "default": false + } + }, + { + "timeout": { + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number", + "default": 10000 + } + }, + { + "keepalive": { + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number", + "default": 60000 + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. 
If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "len_min": 0, + "type": "string", + "default": "" + } + }, + { + "header_type": { + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", + "type": "string", + "default": "ldap" + } + }, + { + "consumer_optional": { + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "consumer_by": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "username", + "custom_id" + ] + }, + "default": [ + "username", + "custom_id" + ], + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", + "required": false + } + }, + { + "group_base_dn": { + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", + "type": "string" + } + }, + { + "group_name_attribute": { + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", + "type": "string" + } + }, + { + "group_member_attribute": { + "description": "Sets the attribute holding the members of the LDAP group. 
This field is case-sensitive.", + "type": "string", + "default": "memberOf" + } + }, + { + "log_search_results": { + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "groups_required": { + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", + "type": "array", + "elements": { + "type": "string" + }, + "required": false + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/ldap-auth/3.5.x.json b/schemas/ldap-auth/3.5.x.json new file mode 100644 index 00000000..bd113b55 --- /dev/null +++ b/schemas/ldap-auth/3.5.x.json 
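Review bot: `ldaps`, `start_tls` and `verify_ldap_host` all default to `false`, so a configuration that leaves them unset presumably sends the `bind_dn`/`ldap_password` bind and the users' credentials over plain LDAP, and even with TLS switched on the server certificate goes unchecked; none of the three descriptions states this. I would append to `verify_ldap_host` a sentence like `When false (the default), the server certificate is not validated, even if ldaps or start_tls is enabled.` The `ldaps` description also refers to "the `ldap` setting", which does not exist in the schema and should read `ldaps`; both remarks apply to schemas/ldap-auth/3.5.x.json as well. Finally, the `group_base_dn` description ends in the stray fragment `',dc=com'.`, apparently a truncated example DN.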
@@ -0,0 +1,171 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "conditional": { + "then_field": "start_tls", + "if_field": "ldaps", + "then_match": { + "eq": false + }, + "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", + "if_match": { + "eq": true + } + } + } + ], + "required": true, + "fields": [ + { + "ldap_host": { + "type": "string", + "required": true, + "description": "A string representing a host name, such as example.com." + } + }, + { + "ldap_port": { + "type": "integer", + "default": 389, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "between": [ + 0, + 65535 + ] + } + }, + { + "ldaps": { + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "start_tls": { + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. 
If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "verify_ldap_host": { + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", + "required": true, + "type": "string" + } + }, + { + "attribute": { + "description": "Attribute to be used to search the user; e.g. cn", + "required": true, + "type": "string" + } + }, + { + "cache_ttl": { + "description": "Cache expiry time in seconds.", + "type": "number", + "required": true, + "default": 60 + } + }, + { + "hide_credentials": { + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "timeout": { + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number", + "default": 10000 + } + }, + { + "keepalive": { + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number", + "default": 60000 + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`.", + "type": "string" + } + }, + { + "header_type": { + "description": "An optional string to use as part of the Authorization header", + "type": "string", + "default": "ldap" + } + } + ] + } + } + ] +} \ No newline at end of file 
diff --git a/schemas/loggly/3.5.x.json b/schemas/loggly/3.5.x.json new file mode 100644 index 00000000..56a8c31f --- /dev/null +++ b/schemas/loggly/3.5.x.json 
@@ -0,0 +1,173 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com.", + "default": "logs-01.loggly.com" + } + }, + { + "port": { + "type": "integer", + "default": 514, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "key": { + "type": "string", + "encrypted": true, + "required": true, + "referenceable": true + } + }, + { + "tags": { + "type": "set", + "elements": { + "type": "string" + }, + "default": [ + "kong" + ] + } + }, + { + "log_level": { + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ], + "default": "info" + } + }, + { + "successful_severity": { + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ], + "default": "info" + } + }, + { + "client_errors_severity": { + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ], + "default": "info" + } + }, + { + "server_errors_severity": { + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" 
+ ], + "default": "info" + } + }, + { + "timeout": { + "type": "number", + "default": 10000 + } + }, + { + "custom_fields_by_lua": { + "type": "map", + "values": { + "type": "string", + "len_min": 1 + }, + "description": "Lua code as a key-value map", + "keys": { + "type": "string", + "len_min": 1 + } + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/mocking/3.5.x.json b/schemas/mocking/3.5.x.json new file mode 100644 index 00000000..0ace9c9f --- /dev/null +++ b/schemas/mocking/3.5.x.json 
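Review bot: The `custom_fields_by_lua` description, "Lua code as a key-value map", does not say that the map values are code the gateway will run, so a reader cannot tell that write access to this plugin's configuration may amount to code execution inside the proxy. Assuming the values are evaluated to produce the custom log fields (inferred from the field name, not shown in this file), a fuller description would help, e.g. `Map of log field names to Lua code; each value is evaluated by the gateway to produce the field, so restrict who may set it.` In the same record `key`, `tags`, `log_level`, the three `*_severity` fields and `timeout` have no `description` at all; for `key`, which is marked `encrypted` and `referenceable`, it would be worth saying what credential it holds and that it can be supplied as a secret reference instead of a literal.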
@@ -0,0 +1,109 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.api_specification_filename", + "config.api_specification" + ] + } + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "api_specification_filename": { + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", + "required": false, + "type": "string" + } + }, + { + "api_specification": { + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", + "required": false, + "type": "string" + } + }, + { + "random_delay": { + "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs.", + "type": "boolean", + "default": false + } + }, + { + "max_delay_time": { + "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", + "type": "number", + "default": 1 + } + }, + { + "min_delay_time": { + "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. 
The value must be less than the `max_delay_time`.", + "type": "number", + "default": 0.001 + } + }, + { + "random_examples": { + "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", + "type": "boolean", + "default": false + } + }, + { + "included_status_codes": { + "description": "A global list of the HTTP status codes that can only be selected and returned.", + "elements": { + "type": "integer" + }, + "type": "array" + } + }, + { + "random_status_code": { + "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", + "type": "boolean", + "required": true, + "default": false + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/mtls-auth/3.5.x.json b/schemas/mtls-auth/3.5.x.json new file mode 100644 index 00000000..71d7e9e6 --- /dev/null +++ b/schemas/mtls-auth/3.5.x.json 
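Review bot: The ordering rule between `min_delay_time` and `max_delay_time` exists only in their descriptions: the sole entity check in this schema is the `at_least_one_of` on the two specification fields, and neither number carries a `between` bound, so a negative or very large delay appears to be accepted at the schema level. If no validation happens elsewhere, a bound such as `"between": [ 0, <upper limit in seconds> ]` on both fields would keep a mistyped value from holding requests open indefinitely. The `included_status_codes` description ("that can only be selected and returned") is also hard to parse; something like "If set, only these HTTP status codes may be selected and returned" seems to be the intent.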
@@ -0,0 +1,204 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], + "required": true, + "fields": [ + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "consumer_by": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "username", + "custom_id" + ] + }, + "default": [ + "username", + "custom_id" + ], + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "required": false + } + }, + { + "ca_certificates": { + "type": "array", + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. 
At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", + "elements": { + "type": "string", + "uuid": true + }, + "required": true + } + }, + { + "cache_ttl": { + "type": "number", + "description": "Cache expiry time in seconds.", + "required": true, + "default": 60 + } + }, + { + "skip_consumer_lookup": { + "type": "boolean", + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "required": true, + "default": false + } + }, + { + "allow_partial_chain": { + "type": "boolean", + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "required": true, + "default": false + } + }, + { + "authenticated_group_by": { + "type": "string", + "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "required": false, + "one_of": [ + "CN", + "DN" + ] + } + }, + { + "revocation_check_mode": { + "type": "string", + "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. 
If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "required": false, + "one_of": [ + "SKIP", + "IGNORE_CA_ERROR", + "STRICT" + ] + } + }, + { + "http_timeout": { + "type": "number", + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "default": 30000 + } + }, + { + "cert_cache_ttl": { + "type": "number", + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", + "default": 60000 + } + }, + { + "send_ca_dn": { + "type": "boolean", + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", + "default": false + } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "http_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "https_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/oas-validation/3.5.x.json b/schemas/oas-validation/3.5.x.json new file mode 100644 index 00000000..e2c44b56 --- /dev/null +++ b/schemas/oas-validation/3.5.x.json 
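Review bot: `revocation_check_mode` defaults to `IGNORE_CA_ERROR`, and its description says that mode "doesn't fail on network issues", so as described a client certificate is still accepted when the OCSP responder or CRL download cannot be reached. The description should state that consequence and point operators who need revocation enforced to `STRICT`, for example by appending `With IGNORE_CA_ERROR a revoked certificate can be accepted while the revocation endpoint is unreachable; use STRICT to reject in that case.` The `authenticated_group_by` description in the same record still carries the aside "(not covered here)", which reads as left over from the prose docs and could be dropped.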
@@ -0,0 +1,140 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "api_spec": { + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URL encoded to preserve the YAML format.", + "required": true, + "type": "string" + } + }, + { + "verbose_response": { + "description": "If set to true, returns a detailed error message for invalid requests & responses. 
This is useful while testing.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "validate_request_body": { + "description": "If set to true, validates the request body content against the API specification.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "notify_only_request_validation_failure": { + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "validate_request_header_params": { + "description": "If set to true, validates HTTP header parameters against the API specification.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "validate_request_query_params": { + "description": "If set to true, validates query parameters against the API specification.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "validate_request_uri_params": { + "description": "If set to true, validates URI parameters in the request against the API specification.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "validate_response_body": { + "description": "If set to true, validates the response from the upstream services against the API specification. 
If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "notify_only_response_body_validation_failure": { + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "query_parameter_check": { + "description": "If set to true, checks if query parameters in the request exist in the API specification.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "header_parameter_check": { + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "allowed_header_parameters": { + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", + "type": "string", + "required": false, + "default": "Host,Content-Type,User-Agent,Accept,Content-Length" + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/oauth2-introspection/3.5.x.json b/schemas/oauth2-introspection/3.5.x.json new file mode 100644 index 00000000..4ba92528 --- /dev/null +++ b/schemas/oauth2-introspection/3.5.x.json 
@@ -0,0 +1,165 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "introspection_url": { + "type": "string", + "required": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "ttl": { + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", + "type": "number", + "default": 30 + } + }, + { + "token_type_hint": { + "description": "The `token_type_hint` value to associate to introspection requests.", + "type": "string" + } + }, + { + "authorization_value": { + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. 
This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", + "required": true, + "type": "string" + } + }, + { + "timeout": { + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "integer", + "default": 10000 + } + }, + { + "keepalive": { + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "integer", + "default": 60000 + } + }, + { + "introspect_request": { + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "hide_credentials": { + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request.", + "type": "boolean", + "default": false + } + }, + { + "run_on_preflight": { + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean", + "default": true + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "default": "", + "type": "string", + "len_min": 0 + } + }, + { + "consumer_by": { + "type": "string", + "default": "username", + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", + "required": true, + "one_of": [ + "username", + "client_id" + ] + } + }, + { + "custom_introspection_headers": { + "type": "map", + "values": { + "type": "string" + }, + "keys": { + "type": "string" + }, + "description": "A list of custom headers to be added in the introspection request.", + "required": true, + "default": [ + + ] + } + }, + { + "custom_claims_forward": { + "type": "set", + "elements": { + "type": "string" + }, + "default": [ + + ], + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", + "required": true + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/oauth2/3.5.x.json b/schemas/oauth2/3.5.x.json new file mode 100644 index 00000000..e5d596ea --- /dev/null +++ b/schemas/oauth2/3.5.x.json 
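Review bot: `authorization_value` is declared with only `description`, `required` and `type`, although its description says it usually holds the `client_id` and `client_secret` as a Basic Auth string. Other secret-bearing fields in this patch are marked: `provision_key` in `schemas/oauth2/3.5.x.json` has `"encrypted": true`, and `client_secret` in `schemas/openid-connect/3.5.x.json` has `"encrypted": true` with `"referenceable": true` on its elements. If those attributes drive encryption at rest and vault references, which their names suggest, this field should carry them too: `"encrypted": true, "referenceable": true`. Since the schema looks API-generated, the change likely belongs in the plugin's schema definition rather than in this file.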
@@ -0,0 +1,214 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "conditional": { + "then_field": "scopes", + "if_field": "mandatory_scope", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + } + } + } + ], + "fields": [ + { + "scopes": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required." + } + }, + { + "mandatory_scope": { + "type": "boolean", + "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", + "required": true, + "default": false + } + }, + { + "provision_key": { + "type": "string", + "required": true, + "description": "The unique key the plugin has generated when it has been added to the Service.", + "encrypted": true, + "unique": true, + "auto": true + } + }, + { + "token_expiration": { + "type": "number", + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. 
Set to `0` to disable the expiration.", + "required": true, + "default": 7200 + } + }, + { + "enable_authorization_code": { + "type": "boolean", + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", + "required": true, + "default": false + } + }, + { + "enable_implicit_grant": { + "type": "boolean", + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", + "required": true, + "default": false + } + }, + { + "enable_client_credentials": { + "type": "boolean", + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", + "required": true, + "default": false + } + }, + { + "enable_password_grant": { + "type": "boolean", + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", + "required": true, + "default": false + } + }, + { + "hide_credentials": { + "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "required": true, + "default": false + } + }, + { + "accept_http_if_already_terminated": { + "type": "boolean", + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", + "required": true, + "default": false + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." 
+ } + }, + { + "global_credentials": { + "type": "boolean", + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", + "required": true, + "default": false + } + }, + { + "auth_header_name": { + "type": "string", + "description": "The name of the header that is supposed to carry the access token.", + "default": "authorization" + } + }, + { + "refresh_token_ttl": { + "type": "number", + "default": 1209600, + "description": "Time-to-live value for data", + "required": true, + "between": [ + 0, + 100000000 + ] + } + }, + { + "reuse_refresh_token": { + "type": "boolean", + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", + "required": true, + "default": false + } + }, + { + "persistent_refresh_token": { + "type": "boolean", + "required": true, + "default": false + } + }, + { + "pkce": { + "type": "string", + "default": "lax", + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", + "required": false, + "one_of": [ + "none", + "lax", + "strict" + ] + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/opa/3.5.x.json b/schemas/opa/3.5.x.json new file mode 100644 index 00000000..cfc9cc83 --- /dev/null +++ b/schemas/opa/3.5.x.json 
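Review bot: The four `enable_*` grant descriptions cite "RFC 6742", but the section numbers they give (4.1 Authorization Code, 4.2 Implicit, 4.3 Resource Owner Password Credentials, 4.4 Client Credentials) are those of RFC 6749, the OAuth 2.0 Authorization Framework; each should read e.g. `(RFC 6749 Section 4.1)`. In the same record `persistent_refresh_token` has no `description` at all and `refresh_token_ttl` only says "Time-to-live value for data", without a unit. `pkce` defaults to `lax` and its description does not explain what `none`, `lax` and `strict` each enforce; a sentence per mode would let operators choose `strict` knowingly.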
@@ -0,0 +1,147 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "opa_protocol": { + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", + "one_of": [ + "http", + "https" + ], + "type": "string", + "default": "http" + } + }, + { + "opa_host": { + "type": "string", + "description": "A string representing a host name, such as example.com.", + "required": true, + "default": "localhost" + } + }, + { + "opa_port": { + "type": "integer", + "default": 8181, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "between": [ + 0, + 65535 + ] + } + }, + { + "opa_path": { + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "required": true, + "starts_with": "/" + } + }, + { + "include_service_in_opa_input": { + "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", + "type": "boolean", + "default": false + } + }, + { + "include_route_in_opa_input": { + "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", + "type": "boolean", + "default": false + } + }, + { + "include_consumer_in_opa_input": { + "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", + "type": "boolean", + "default": false + } + }, + { + "include_body_in_opa_input": { + "type": "boolean", + "default": false + } + }, + { + "include_parsed_json_body_in_opa_input": { + "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", + "type": "boolean", + "default": false + } + }, + { + "include_uri_captures_in_opa_input": { + "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "type": "boolean", + "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "required": true, + "default": true + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/openid-connect/3.5.x.json b/schemas/openid-connect/3.5.x.json new file mode 100644 index 00000000..092c4afc 
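Review bot: `opa_protocol` defaults to `http`, so the `ssl_verify` default of `true` presumably has no effect until the protocol is changed to `https`, and the `include_*_in_opa_input` options then send Service, Route, Consumer and body data to OPA unencrypted. With the default `opa_host` of `localhost` that stays on the machine, but the `opa_protocol` description should say to use `https` when OPA is reached over a network. `include_body_in_opa_input` is also the only field in this record without a `description`; something like `If set to true, the request body of the current request is included as input to OPA.` would match its siblings, assuming that is what the flag does.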
--- /dev/null +++ b/schemas/openid-connect/3.5.x.json 
@@ -0,0 +1,2398 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "shorthand_fields": [ + { + "authorization_cookie_lifetime": { + "type": "number" + } + }, + { + "authorization_cookie_samesite": { + "type": "string" + } + }, + { + "authorization_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_cookie_lifetime": { + "type": "number" + } + }, + { + "session_cookie_idletime": { + "type": "number" + } + }, + { + "session_cookie_samesite": { + "type": "string" + } + }, + { + "session_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "type": "string" + } + }, + { + "session_memcache_socket": { + "type": "string" + } + }, + { + "session_memcache_host": { + "type": "string" + } + }, + { + "session_memcache_port": { + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer" + } + }, + { + "session_cookie_renew": { + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "type": "integer" + } + }, + { + "session_strategy": { + "type": "string" + } + }, + { + "session_compressor": { + "type": "string" + } + } + ], + "fields": [ + { + "issuer": { + "type": "string", + "required": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ } + }, + { + "discovery_headers_names": { + "type": "array", + "description": "Extra header names passed to the discovery endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "discovery_headers_values": { + "type": "array", + "description": "Extra header values passed to the discovery endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "extra_jwks_uris": { + "type": "set", + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "required": false + } + }, + { + "rediscovery_lifetime": { + "type": "number", + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", + "required": false, + "default": 30 + } + }, + { + "auth_methods": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ], + "description": "Types of credentials/grants to enable.", + "required": false + } + }, + { + "client_id": { + "type": "array", + "elements": { + "type": "string", + "referenceable": true + }, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "encrypted": true, + "required": false + } + }, + { + "client_secret": { + "type": "array", + "elements": { + "type": "string", + "referenceable": true + }, + "description": "The client secret.", + "encrypted": true, + "required": false + } + }, + { + "client_auth": { + 
"type": "array", + "description": "The authentication method used by the client (plugin) when calling the endpoint.", + "elements": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "none" + ] + }, + "required": false + } + }, + { + "client_jwk": { + "type": "array", + "required": false, + "elements": { + "type": "record", + "required": false, + "fields": [ + { + "issuer": { + "required": false, + "type": "string" + } + }, + { + "kty": { + "required": false, + "type": "string" + } + }, + { + "use": { + "required": false, + "type": "string" + } + }, + { + "key_ops": { + "type": "array", + "required": false, + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "alg": { + "required": false, + "type": "string" + } + }, + { + "kid": { + "required": false, + "type": "string" + } + }, + { + "x5u": { + "required": false, + "type": "string" + } + }, + { + "x5c": { + "type": "array", + "required": false, + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "x5t": { + "required": false, + "type": "string" + } + }, + { + "x5t#S256": { + "required": false, + "type": "string" + } + }, + { + "k": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "x": { + "required": false, + "type": "string" + } + }, + { + "y": { + "required": false, + "type": "string" + } + }, + { + "crv": { + "required": false, + "type": "string" + } + }, + { + "n": { + "required": false, + "type": "string" + } + }, + { + "e": { + "required": false, + "type": "string" + } + }, + { + "d": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "p": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "q": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "dp": { + "type": "string", + 
"encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "dq": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "qi": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "oth": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "r": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "t": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + } + ] + } + } + }, + { + "client_alg": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS384", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + } + } + }, + { + "client_arg": { + "type": "string", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "required": false, + "default": "client_id" + } + }, + { + "redirect_uri": { + "type": "array", + "description": "The redirect URI passed to the authorization and token endpoints.", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "required": false + } + }, + { + "login_redirect_uri": { + "type": "array", + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "required": false + } + }, + { + "logout_redirect_uri": { + "type": "array", + "description": "Where to redirect the client after the logout.", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ }, + "required": false + } + }, + { + "forbidden_redirect_uri": { + "type": "array", + "description": "Where to redirect the client on forbidden requests.", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "required": false + } + }, + { + "forbidden_error_message": { + "type": "string", + "description": "The error message for the forbidden requests (when not using the redirection).", + "required": false, + "default": "Forbidden" + } + }, + { + "forbidden_destroy_session": { + "type": "boolean", + "description": "Destroy any active session for the forbidden requests.", + "required": false, + "default": true + } + }, + { + "unauthorized_redirect_uri": { + "type": "array", + "description": "Where to redirect the client on unauthorized requests.", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "required": false + } + }, + { + "unauthorized_error_message": { + "type": "string", + "description": "The error message for the unauthorized requests (when not using the redirection).", + "required": false, + "default": "Unauthorized" + } + }, + { + "unexpected_redirect_uri": { + "type": "array", + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ }, + "required": false + } + }, + { + "response_mode": { + "type": "string", + "default": "query", + "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)", + "required": false, + "one_of": [ + "query", + "form_post", + "fragment" + ] + } + }, + { + "response_type": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "code" + ], + "description": "The response type passed to the authorization endpoint.", + "required": false + } + }, + { + "scopes": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "openid" + ], + "description": "The scopes passed to the authorization and token endpoints.", + "required": false + } + }, + { + "audience": { + "type": "array", + "description": "The audience passed to the authorization endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "issuers_allowed": { + "type": "array", + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "scopes_required": { + "type": "array", + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "scopes_claim": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "scope" + ], + "description": "The claim that contains the scopes.", + "required": false + } + }, + { + "audience_required": { + "type": "array", + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "audience_claim": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "aud" + ], + "description": "The claim that contains the audience.", + "required": false + } + }, + { + "groups_required": { + "type": "array", + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "groups_claim": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "groups" + ], + "description": "The claim that contains the groups.", + "required": false + } + }, + { + "roles_required": { + "type": "array", + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "roles_claim": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "roles" + ], + "description": "The claim that contains the roles.", + "required": false + } + }, + { + "domains": { + "type": "array", + "description": "The allowed values for the `hd` claim.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "max_age": { + "type": "number", + "required": false, + "description": "The maximum age (in seconds) compared to the `auth_time` claim." + } + }, + { + "authenticated_groups_claim": { + "type": "array", + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "authorization_endpoint": { + "type": "string", + "required": false, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ } + }, + { + "authorization_query_args_names": { + "type": "array", + "description": "Extra query argument names passed to the authorization endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "authorization_query_args_values": { + "type": "array", + "description": "Extra query argument values passed to the authorization endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "authorization_query_args_client": { + "type": "array", + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "authorization_rolling_timeout": { + "type": "number", + "description": "Network IO timeout in milliseconds.", + "required": false, + "default": 600 + } + }, + { + "authorization_cookie_name": { + "type": "string", + "description": "The authorization cookie name.", + "required": false, + "default": "authorization" + } + }, + { + "authorization_cookie_path": { + "type": "string", + "default": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "required": false, + "starts_with": "/" + } + }, + { + "authorization_cookie_domain": { + "type": "string", + "required": false, + "description": "The authorization cookie Domain flag." 
+ } + }, + { + "authorization_cookie_same_site": { + "type": "string", + "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "required": false, + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "authorization_cookie_http_only": { + "type": "boolean", + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "required": false, + "default": true + } + }, + { + "authorization_cookie_secure": { + "type": "boolean", + "required": false, + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." + } + }, + { + "preserve_query_args": { + "type": "boolean", + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "required": false, + "default": false + } + }, + { + "token_endpoint": { + "type": "string", + "required": false, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ } + }, + { + "token_endpoint_auth_method": { + "type": "string", + "description": "The token endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "none" + ] + } + }, + { + "token_headers_names": { + "type": "array", + "description": "Extra header names passed to the token endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "token_headers_values": { + "type": "array", + "description": "Extra header values passed to the token endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "token_headers_client": { + "type": "array", + "description": "Extra headers passed from the client to the token endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "token_headers_replay": { + "type": "array", + "description": "The names of token endpoint response headers to forward to the downstream client.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "token_headers_prefix": { + "type": "string", + "required": false, + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client." 
+ } + }, + { + "token_headers_grants": { + "type": "array", + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token" + ] + }, + "required": false + } + }, + { + "token_post_args_names": { + "type": "array", + "description": "Extra post argument names passed to the token endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "token_post_args_values": { + "type": "array", + "description": "Extra post argument values passed to the token endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "token_post_args_client": { + "type": "array", + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Request Body - Query parameters This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body and send it to the token endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "introspection_endpoint": { + "type": "string", + "required": false, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ } + }, + { + "introspection_endpoint_auth_method": { + "type": "string", + "description": "The introspection endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "none" + ] + } + }, + { + "introspection_hint": { + "type": "string", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "required": false, + "default": "access_token" + } + }, + { + "introspection_check_active": { + "type": "boolean", + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "required": false, + "default": true + } + }, + { + "introspection_accept": { + "type": "string", + "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)", + "required": false, + "one_of": [ + "application/json", + "application/token-introspection+jwt", + "application/jwt" + ] + } + }, + { + "introspection_headers_names": { + "type": "array", + "description": "Extra header names passed to the introspection endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "introspection_headers_values": { + "type": "array", + "description": "Extra header values passed to the introspection endpoint.", + 
"elements": { + "type": "string" + }, + "required": false + } + }, + { + "introspection_headers_client": { + "type": "array", + "description": "Extra headers passed from the client to the introspection endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "introspection_post_args_names": { + "type": "array", + "description": "Extra post argument names passed to the introspection endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "introspection_post_args_values": { + "type": "array", + "description": "Extra post argument values passed to the introspection endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "introspection_post_args_client": { + "type": "array", + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "introspect_jwt_tokens": { + "type": "boolean", + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "required": false, + "default": false + } + }, + { + "revocation_endpoint": { + "type": "string", + "required": false, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ } + }, + { + "revocation_endpoint_auth_method": { + "type": "string", + "description": "The revocation endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "none" + ] + } + }, + { + "end_session_endpoint": { + "type": "string", + "required": false, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "userinfo_endpoint": { + "type": "string", + "required": false, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ } + }, + { + "userinfo_accept": { + "type": "string", + "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)", + "required": false, + "one_of": [ + "application/json", + "application/jwt" + ] + } + }, + { + "userinfo_headers_names": { + "type": "array", + "description": "Extra header names passed to the user info endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "userinfo_headers_values": { + "type": "array", + "description": "Extra header values passed to the user info endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "userinfo_headers_client": { + "type": "array", + "description": "Extra headers passed from the client to the user info endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "userinfo_query_args_names": { + "type": "array", + "description": "Extra query argument names passed to the user info endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "userinfo_query_args_values": { + "type": "array", + "description": "Extra query argument values passed to the user info endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "userinfo_query_args_client": { + "type": "array", + "description": "Extra query arguments passed from the client to the user info endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "token_exchange_endpoint": { + "type": "string", + "required": false, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ } + }, + { + "session_secret": { + "type": "string", + "referenceable": true, + "description": "The session secret.", + "encrypted": true, + "required": false + } + }, + { + "session_audience": { + "type": "string", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "required": false, + "default": "default" + } + }, + { + "session_cookie_name": { + "type": "string", + "description": "The session cookie name.", + "required": false, + "default": "session" + } + }, + { + "session_remember": { + "type": "boolean", + "description": "Enables or disables persistent sessions.", + "required": false, + "default": false + } + }, + { + "session_remember_cookie_name": { + "type": "string", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "required": false, + "default": "remember" + } + }, + { + "session_remember_rolling_timeout": { + "type": "number", + "description": "Network IO timeout in milliseconds.", + "required": false, + "default": 604800 + } + }, + { + "session_remember_absolute_timeout": { + "type": "number", + "description": "Network IO timeout in milliseconds.", + "required": false, + "default": 2592000 + } + }, + { + "session_idling_timeout": { + "type": "number", + "description": "Network IO timeout in milliseconds.", + "required": false, + "default": 900 + } + }, + { + "session_rolling_timeout": { + "type": "number", + "description": "Network IO timeout in milliseconds.", + "required": false, + "default": 3600 + } + }, + { + "session_absolute_timeout": { + "type": "number", + "description": "Network IO timeout in milliseconds.", + "required": false, + "default": 86400 + } + }, + { + "session_cookie_path": { + "type": "string", + "default": "/", + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "required": false, + "starts_with": "/" + } + }, + { + "session_cookie_domain": { + "type": "string", + "required": false, + "description": "The session cookie Domain flag." + } + }, + { + "session_cookie_same_site": { + "type": "string", + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "required": false, + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "session_cookie_http_only": { + "type": "boolean", + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "required": false, + "default": true + } + }, + { + "session_cookie_secure": { + "type": "boolean", + "required": false, + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." 
+ } + }, + { + "session_request_headers": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } + } + }, + { + "session_response_headers": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } + } + }, + { + "session_storage": { + "type": "string", + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis", + "required": false, + "one_of": [ + "cookie", + "memcache", + "memcached", + "redis" + ] + } + }, + { + "session_store_metadata": { + "type": "boolean", + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "required": false, + "default": false + } + }, + { + "session_enforce_same_subject": { + "type": "boolean", + "description": "When set to `true`, audiences are forced to share the same subject.", + "required": false, + "default": false + } + }, + { + "session_hash_subject": { + "type": "boolean", + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "required": false, + "default": false + } + }, + { + "session_hash_storage_key": { + "type": "boolean", + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "required": false, + "default": false + } + }, + { + "session_memcached_prefix": { + "type": "string", + "required": false, + "description": "The memcached session key prefix." + } + }, + { + "session_memcached_socket": { + "type": "string", + "required": false, + "description": "The memcached unix socket path." + } + }, + { + "session_memcached_host": { + "type": "string", + "description": "The memcached host.", + "required": false, + "default": "127.0.0.1" + } + }, + { + "session_memcached_port": { + "type": "integer", + "default": 11211, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": false, + "between": [ + 0, + 65535 + ] + } + }, + { + "session_redis_prefix": { + "type": "string", + "required": false, + "description": "The Redis session key prefix." + } + }, + { + "session_redis_socket": { + "type": "string", + "required": false, + "description": "The Redis unix socket path." + } + }, + { + "session_redis_host": { + "type": "string", + "description": "The Redis host", + "required": false, + "default": "127.0.0.1" + } + }, + { + "session_redis_port": { + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": false, + "between": [ + 0, + 65535 + ] + } + }, + { + "session_redis_username": { + "type": "string", + "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "referenceable": true, + "required": false + } + }, + { + "session_redis_password": { + "type": "string", + "referenceable": true, + "description": "Password to use for Redis connection when the `redis` session storage is defined. 
If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, + "required": false + } + }, + { + "session_redis_connect_timeout": { + "type": "integer", + "required": false, + "description": "Network IO timeout in milliseconds." + } + }, + { + "session_redis_read_timeout": { + "type": "integer", + "required": false, + "description": "Network IO timeout in milliseconds." + } + }, + { + "session_redis_send_timeout": { + "type": "integer", + "required": false, + "description": "Network IO timeout in milliseconds." + } + }, + { + "session_redis_ssl": { + "type": "boolean", + "description": "Use SSL/TLS for Redis connection.", + "required": false, + "default": false + } + }, + { + "session_redis_ssl_verify": { + "type": "boolean", + "description": "Verify identity provider server certificate.", + "required": false, + "default": false + } + }, + { + "session_redis_server_name": { + "type": "string", + "required": false, + "description": "The SNI used for connecting the Redis server." + } + }, + { + "session_redis_cluster_nodes": { + "type": "array", + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "type": "string", + "description": "A string representing a host name, such as example.com.", + "required": true, + "default": "127.0.0.1" + } + }, + { + "port": { + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + } + ] + }, + "required": false + } + }, + { + "session_redis_cluster_max_redirections": { + "type": "integer", + "required": false, + "description": "The Redis cluster maximum redirects." 
+ } + }, + { + "reverify": { + "type": "boolean", + "description": "Specifies whether to always verify tokens stored in the session.", + "required": false, + "default": false + } + }, + { + "jwt_session_claim": { + "type": "string", + "description": "The claim to match against the JWT session cookie.", + "required": false, + "default": "sid" + } + }, + { + "jwt_session_cookie": { + "type": "string", + "required": false, + "description": "The name of the JWT session cookie." + } + }, + { + "bearer_token_param_type": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "cookie", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`", + "required": false + } + }, + { + "bearer_token_cookie_name": { + "type": "string", + "required": false, + "description": "The name of the cookie in which the bearer token is passed." 
+ } + }, + { + "client_credentials_param_type": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body", + "required": false + } + }, + { + "password_param_type": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", + "required": false + } + }, + { + "id_token_param_type": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", + "required": false + } + }, + { + "id_token_param_name": { + "type": "string", + "required": false, + "description": "The name of the parameter used to pass the id token." + } + }, + { + "refresh_token_param_type": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", + "required": false + } + }, + { + "refresh_token_param_name": { + "type": "string", + "required": false, + "description": "The name of the parameter used to pass the refresh token." 
+ } + }, + { + "refresh_tokens": { + "type": "boolean", + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "required": false, + "default": true + } + }, + { + "upstream_headers_claims": { + "type": "array", + "description": "The upstream header claims.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "upstream_headers_names": { + "type": "array", + "description": "The upstream header names for the claim values.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "upstream_access_token_header": { + "type": "string", + "description": "The upstream access token header.", + "required": false, + "default": "authorization:bearer" + } + }, + { + "upstream_access_token_jwk_header": { + "type": "string", + "required": false, + "description": "The upstream access token JWK header." + } + }, + { + "upstream_id_token_header": { + "type": "string", + "required": false, + "description": "The upstream id token header." + } + }, + { + "upstream_id_token_jwk_header": { + "type": "string", + "required": false, + "description": "The upstream id token JWK header." + } + }, + { + "upstream_refresh_token_header": { + "type": "string", + "required": false, + "description": "The upstream refresh token header." + } + }, + { + "upstream_user_info_header": { + "type": "string", + "required": false, + "description": "The upstream user info header." + } + }, + { + "upstream_user_info_jwt_header": { + "type": "string", + "required": false, + "description": "The upstream user info JWT header (in case the user info returns a JWT response)." + } + }, + { + "upstream_introspection_header": { + "type": "string", + "required": false, + "description": "The upstream introspection header." 
+ } + }, + { + "upstream_introspection_jwt_header": { + "required": false, + "type": "string" + } + }, + { + "upstream_session_id_header": { + "type": "string", + "required": false, + "description": "The upstream session id header." + } + }, + { + "downstream_headers_claims": { + "type": "array", + "description": "The downstream header claims.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "downstream_headers_names": { + "type": "array", + "description": "The downstream header names for the claim values.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "downstream_access_token_header": { + "type": "string", + "required": false, + "description": "The downstream access token header." + } + }, + { + "downstream_access_token_jwk_header": { + "type": "string", + "required": false, + "description": "The downstream access token JWK header." + } + }, + { + "downstream_id_token_header": { + "type": "string", + "required": false, + "description": "The downstream id token header." + } + }, + { + "downstream_id_token_jwk_header": { + "type": "string", + "required": false, + "description": "The downstream id token JWK header." + } + }, + { + "downstream_refresh_token_header": { + "type": "string", + "required": false, + "description": "The downstream refresh token header." + } + }, + { + "downstream_user_info_header": { + "type": "string", + "required": false, + "description": "The downstream user info header." + } + }, + { + "downstream_user_info_jwt_header": { + "type": "string", + "required": false, + "description": "The downstream user info JWT header (in case the user info returns a JWT response)." + } + }, + { + "downstream_introspection_header": { + "type": "string", + "required": false, + "description": "The downstream introspection header." 
+ } + }, + { + "downstream_introspection_jwt_header": { + "required": false, + "type": "string" + } + }, + { + "downstream_session_id_header": { + "type": "string", + "required": false, + "description": "The downstream session id header." + } + }, + { + "login_methods": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "default": [ + "authorization_code" + ], + "description": "Enable login functionality with specified grants.", + "required": false + } + }, + { + "login_action": { + "type": "string", + "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location", + "required": false, + "one_of": [ + "upstream", + "response", + "redirect" + ] + } + }, + { + "login_tokens": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id_token", + "access_token", + "refresh_token", + "tokens", + "introspection" + ] + }, + "default": [ + "id_token" + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response", + "required": false + } + }, + { + "login_redirect_mode": { + "type": "string", + "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)", + "required": false, + "one_of": [ + "query", + "fragment" + ] + } + }, + { + "logout_query_arg": { + "type": "string", + "required": false, + "description": 
"The request query argument that activates the logout." + } + }, + { + "logout_post_arg": { + "type": "string", + "required": false, + "description": "The request body argument that activates the logout." + } + }, + { + "logout_uri_suffix": { + "type": "string", + "required": false, + "description": "The request URI suffix that activates the logout." + } + }, + { + "logout_methods": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "POST", + "GET", + "DELETE" + ] + }, + "default": [ + "POST", + "DELETE" + ], + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method", + "required": false + } + }, + { + "logout_revoke": { + "type": "boolean", + "description": "Revoke tokens as part of the logout.", + "required": false, + "default": false + } + }, + { + "logout_revoke_access_token": { + "type": "boolean", + "description": "Revoke the access token as part of the logout.", + "required": false, + "default": true + } + }, + { + "logout_revoke_refresh_token": { + "type": "boolean", + "description": "Revoke the refresh token as part of the logout.", + "required": false, + "default": true + } + }, + { + "consumer_claim": { + "type": "array", + "description": "The claim used for consumer mapping.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "consumer_by": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "default": [ + "username", + "custom_id" + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`", + "required": false + } + }, + { + "consumer_optional": { + "type": "boolean", + "description": "Do not terminate the request if consumer mapping fails.", + "required": false, + "default": 
false + } + }, + { + "credential_claim": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "sub" + ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used.", + "required": false + } + }, + { + "anonymous": { + "type": "string", + "required": false, + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "run_on_preflight": { + "type": "boolean", + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "required": false, + "default": true + } + }, + { + "leeway": { + "type": "number", + "description": "Allow some leeway (in seconds) on the ttl / expiry verification.", + "required": false, + "default": 0 + } + }, + { + "verify_parameters": { + "type": "boolean", + "description": "Verify plugin configuration against discovery.", + "required": false, + "default": false + } + }, + { + "verify_nonce": { + "type": "boolean", + "description": "Verify nonce on authorization code flow.", + "required": false, + "default": true + } + }, + { + "verify_claims": { + "type": "boolean", + "description": "Verify tokens for standard claims.", + "required": false, + "default": true + } + }, + { + "verify_signature": { + "type": "boolean", + "description": "Verify signature of tokens.", + "required": false, + "default": true + } + }, + { + "ignore_signature": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token", + "session", + "introspection", + "userinfo" + ] + }, + "default": [ + + ], + "description": "Skip the token signature 
verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication", + "required": false + } + }, + { + "enable_hs_signatures": { + "type": "boolean", + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "required": false, + "default": false + } + }, + { + "disable_session": { + "type": "array", + "description": "Disable issuing the session cookie with the specified grants.", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "required": false + } + }, + { + "cache_ttl": { + "type": "number", + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "required": false, + "default": 3600 + } + }, + { + "cache_ttl_max": { + "type": "number", + "required": false, + "description": "The maximum cache ttl in seconds (enforced)." + } + }, + { + "cache_ttl_min": { + "type": "number", + "required": false, + "description": "The minimum cache ttl in seconds (enforced)." + } + }, + { + "cache_ttl_neg": { + "type": "number", + "required": false, + "description": "The negative cache ttl in seconds." + } + }, + { + "cache_ttl_resurrect": { + "type": "number", + "required": false, + "description": "The resurrection ttl in seconds." 
+ } + }, + { + "cache_tokens": { + "type": "boolean", + "description": "Cache the token endpoint requests.", + "required": false, + "default": true + } + }, + { + "cache_tokens_salt": { + "type": "string", + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "required": false, + "auto": true + } + }, + { + "cache_introspection": { + "type": "boolean", + "description": "Cache the introspection endpoint requests.", + "required": false, + "default": true + } + }, + { + "cache_token_exchange": { + "type": "boolean", + "description": "Cache the token exchange endpoint requests.", + "required": false, + "default": true + } + }, + { + "cache_user_info": { + "type": "boolean", + "description": "Cache the user info requests.", + "required": false, + "default": true + } + }, + { + "search_user_info": { + "type": "boolean", + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "required": false, + "default": false + } + }, + { + "hide_credentials": { + "type": "boolean", + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "required": false, + "default": false + } + }, + { + "http_version": { + "type": "number", + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0", + "required": false, + "default": 1.1 + } + }, + { + "http_proxy": { + "type": "string", + "required": false, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "http_proxy_authorization": { + "type": "string", + "required": false, + "description": "The HTTP proxy authorization." 
+ } + }, + { + "https_proxy": { + "type": "string", + "required": false, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "https_proxy_authorization": { + "type": "string", + "required": false, + "description": "The HTTPS proxy authorization." + } + }, + { + "no_proxy": { + "type": "string", + "required": false, + "description": "Do not use proxy with these hosts." + } + }, + { + "keepalive": { + "type": "boolean", + "description": "Use keepalive with the HTTP client.", + "required": false, + "default": true + } + }, + { + "ssl_verify": { + "type": "boolean", + "description": "Verify identity provider server certificate.", + "required": false, + "default": false + } + }, + { + "timeout": { + "type": "number", + "description": "Network IO timeout in milliseconds.", + "required": false, + "default": 10000 + } + }, + { + "display_errors": { + "type": "boolean", + "description": "Display errors on failure responses.", + "required": false, + "default": false + } + }, + { + "by_username_ignore_case": { + "type": "boolean", + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "required": false, + "default": false + } + }, + { + "resolve_distributed_claims": { + "type": "boolean", + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "required": false, + "default": false + } + }, + { + "expose_error_code": { + "type": "boolean", + "default": true + } + }, + { + "token_cache_key_include_scope": { + "type": "boolean", + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "default": false + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file 
diff --git a/schemas/opentelemetry/3.5.x.json b/schemas/opentelemetry/3.5.x.json new file mode 100644 index 00000000..e2187382 --- /dev/null +++ b/schemas/opentelemetry/3.5.x.json 
@@ -0,0 +1,233 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "batch_span_count", + "batch_flush_delay" + ] + } + } + ], + "required": true, + "fields": [ + { + "endpoint": { + "type": "string", + "required": true, + "referenceable": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "headers": { + "type": "map", + "values": { + "referenceable": true, + "type": "string" + }, + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", + "keys": { + "type": "string", + "description": "A string representing an HTTP header name." 
+ } + } + }, + { + "resource_attributes": { + "type": "map", + "values": { + "required": true, + "type": "string" + }, + "keys": { + "required": true, + "type": "string" + } + } + }, + { + "queue": { + "type": "record", + "fields": [ + { + "max_batch_size": { + "type": "integer", + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_coalescing_delay": { + "type": "number", + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "between": [ + 0, + 3600 + ] + } + }, + { + "max_entries": { + "type": "integer", + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + } + }, + { + "max_retry_time": { + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60 + } + }, + { + "initial_retry_delay": { + "type": "number", + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ] + } + }, + { + "max_retry_delay": { + "type": "number", + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ] + } + } + ], + "required": true + } + }, + { + "batch_span_count": { + "type": "integer", + "description": "The number of spans to be sent in a single batch." + } + }, + { + "batch_flush_delay": { + "type": "integer", + "description": "The delay, in seconds, between two consecutive batches." 
+ } + }, + { + "connect_timeout": { + "type": "integer", + "default": 1000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "send_timeout": { + "type": "integer", + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "read_timeout": { + "type": "integer", + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "http_response_header_for_traceid": { + "type": "string" + } + }, + { + "header_type": { + "type": "string", + "one_of": [ + "preserve", + "ignore", + "b3", + "b3-single", + "w3c", + "jaeger", + "ot", + "aws" + ], + "required": false, + "default": "preserve" + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/post-function/3.5.x.json b/schemas/post-function/3.5.x.json new file mode 100644 index 00000000..4c532bad --- /dev/null +++ b/schemas/post-function/3.5.x.json 
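Review bot: The `headers` description in `config` says the map is where the APM backend's authentication token goes, but it does not tell operators to supply that token as a vault reference rather than a literal. The values are marked `referenceable`, so the description could end with `Because these values can hold credentials, supply them as vault references instead of plain text.` Whether map values can also be marked `encrypted`, as the Redis `password` field is in schemas/proxy-cache-advanced/3.5.x.json, is not visible from this file and is worth checking upstream. Separately, `resource_attributes`, `http_response_header_for_traceid` and `header_type` arrive with no `description`, although the commit message says descriptions are now part of the schemas.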
@@ -0,0 +1,228 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ], + "fields": [ + { + "protocols": { + "type": "set", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." 
+ }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "required": true + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "certificate": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ] + } + }, + { + "rewrite": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ] + } + }, + { + "access": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ] + } + }, + { + "header_filter": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ] + } + }, + { + "body_filter": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ] + } + }, + { + "log": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ] + } + }, + { + "ws_handshake": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ] + } + }, + { + "ws_client_frame": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ] + } + }, + { + "ws_upstream_frame": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ] + } + }, + { + "ws_close": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ] + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/pre-function/3.5.x.json b/schemas/pre-function/3.5.x.json new file mode 100644 index 00000000..4c532bad --- /dev/null +++ b/schemas/pre-function/3.5.x.json 
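Review bot: The top-level `fields` array defines `protocols` twice. The first entry is `"required": false`, allows `grpc`, `grpcs`, `http`, `https`, `ws`, `wss` and defaults to all six; the second is `"required": true`, also allows `tcp`, `tls`, `tls_passthrough`, `udp`, and defaults to the four HTTP/gRPC values. A consumer that folds this list into a map keyed by field name keeps only one of them, so generated reference pages or validation built on this file may advertise a protocol set and default that differ from what the plugin enforces. schemas/pre-function/3.5.x.json is the same blob (`4c532bad`) and has the same duplication. Confirm which entry the plugin actually uses and keep only that one, or fix the export upstream; none of the `config` phase arrays (`certificate`, `rewrite`, `access`, …) carries a `description` either.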
@@ -0,0 +1,228 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ], + "fields": [ + { + "protocols": { + "type": "set", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." 
+ }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "required": true + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "certificate": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ] + } + }, + { + "rewrite": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ] + } + }, + { + "access": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ] + } + }, + { + "header_filter": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ] + } + }, + { + "body_filter": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ] + } + }, + { + "log": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ] + } + }, + { + "ws_handshake": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ] + } + }, + { + "ws_client_frame": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ] + } + }, + { + "ws_upstream_frame": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ] + } + }, + { + "ws_close": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ] + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/prometheus/3.5.x.json b/schemas/prometheus/3.5.x.json new file mode 100644 index 00000000..96f7a5ee --- /dev/null +++ b/schemas/prometheus/3.5.x.json 
@@ -0,0 +1,87 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "per_consumer": { + "type": "boolean", + "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", + "default": false + } + }, + { + "status_code_metrics": { + "type": "boolean", + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", + "default": false + } + }, + { + "latency_metrics": { + "type": "boolean", + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", + "default": false + } + }, + { + "bandwidth_metrics": { + "type": "boolean", + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", + "default": false + } + }, + { + "upstream_health_metrics": { + "type": "boolean", + "description": "A boolean value that determines if status code metrics should be collected. 
If enabled, `upstream_target_health` metric will be exported.", + "default": false + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/proxy-cache-advanced/3.5.x.json b/schemas/proxy-cache-advanced/3.5.x.json new file mode 100644 index 00000000..f0af8979 --- /dev/null +++ b/schemas/proxy-cache-advanced/3.5.x.json 
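Review bot: The descriptions of `latency_metrics`, `bandwidth_metrics` and `upstream_health_metrics` all begin with "determines if status code metrics should be collected", which looks copied from `status_code_metrics` and misdescribes each flag. They should read `A boolean value that determines if latency metrics should be collected.`, `... if bandwidth metrics should be collected.` and `... if upstream health metrics should be collected.`, keeping the second sentence of each as is. Metric names are also written inconsistently (`kong_http_requests_total` under `per_consumer`, `http_requests_total` under `status_code_metrics`). The `per_consumer` description could add that enabling it puts consumer identifiers into metric labels, so anyone who can scrape the metrics endpoint can read them.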
@@ -0,0 +1,429 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "response_code": { + "type": "array", + "elements": { + "type": "integer", + "between": [ + 100, + 900 + ] + }, + "len_min": 1, + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", + "required": true, + "default": [ + 200, + 301, + 404 + ] + } + }, + { + "request_method": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "HEAD", + "GET", + "POST", + "PATCH", + "PUT" + ] + }, + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", + "required": true + } + }, + { + "content_type": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "text/plain", + "application/json" + ], + "description": "Upstream response content types considered cacheable. 
The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", + "required": true + } + }, + { + "cache_ttl": { + "type": "integer", + "gt": 0, + "description": "TTL in seconds of cache entities.", + "default": 300 + } + }, + { + "strategy": { + "type": "string", + "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", + "required": true, + "one_of": [ + "memory", + "redis" + ] + } + }, + { + "cache_control": { + "type": "boolean", + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "required": true, + "default": false + } + }, + { + "ignore_uri_case": { + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "storage_ttl": { + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" + } + }, + { + "memory": { + "type": "record", + "fields": [ + { + "dictionary_name": { + "type": "string", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "required": true, + "default": "kong_db_cache" + } + } + ], + "required": true + } + }, + { + "vary_query_params": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration." 
+ } + }, + { + "vary_headers": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." + } + }, + { + "redis": { + "type": "record", + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_addresses" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ], + "required": true, + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "username": { + "type": "string", + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." + } + }, + { + "password": { + "type": "string", + "encrypted": true, + "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + } + }, + { + "sentinel_username": { + "type": "string", + "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + } + }, + { + "sentinel_password": { + "type": "string", + "encrypted": true, + "referenceable": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + } + }, + { + "database": { + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "type": "integer", + "default": 30, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value.", + "between": [ + 1, + 2147483646 + ] + } + }, + { + "keepalive_backlog": { + "type": "integer", + "description": "Limits the total number of opened connections for a pool. 
If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued connect operations resume once the number of connections in the pool is less than `keepalive_pool_size`. Note that queued connect operations are subject to set timeouts.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_addresses": { + "type": "array", + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "elements": { + "type": "string" + }, + "len_min": 1 + } + }, + { + "cluster_addresses": { + "type": "array", + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "elements": { + "type": "string" + }, + "len_min": 1 + } + }, + { + "ssl": { + "type": "boolean", + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "default": false + } + }, + { + "ssl_verify": { + "type": "boolean", + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "default": false + } + }, + { + "server_name": { + "type": "string", + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS." + } + } + ] + } + }, + { + "bypass_on_err": { + "type": "boolean", + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "default": false + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/proxy-cache/3.5.x.json b/schemas/proxy-cache/3.5.x.json new file mode 100644 index 00000000..e98ccce8 --- /dev/null +++ b/schemas/proxy-cache/3.5.x.json 
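Review bot: In the `redis` record, `ssl` and `ssl_verify` both default to `false`, while `password` and `sentinel_password` are marked `encrypted`. That protects the secret at rest, but the descriptions do not warn that with the defaults the AUTH exchange, and presumably the cached responses, travel to Redis without TLS. Setting `ssl` alone still leaves the server certificate unchecked. The `ssl` description could read `If set to true, uses SSL to connect to Redis. When false (the default), credentials and cache data are sent unencrypted.`, and `ssl_verify` could add `Has no effect unless ssl is true` if that is how the plugin behaves. Also worth confirming upstream: `response_code` allows values up to 900 although HTTP status codes end at 599.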
@@ -0,0 +1,186 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "response_code": { + "type": "array", + "elements": { + "type": "integer", + "between": [ + 100, + 900 + ] + }, + "len_min": 1, + "description": "Upstream response status code considered cacheable.", + "required": true, + "default": [ + 200, + 301, + 404 + ] + } + }, + { + "request_method": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "HEAD", + "GET", + "POST", + "PATCH", + "PUT" + ] + }, + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable.", + "required": true + } + }, + { + "content_type": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "text/plain", + "application/json" + ], + "description": "Upstream response content types considered cacheable. 
The plugin performs an **exact match** against each specified value.", + "required": true + } + }, + { + "cache_ttl": { + "description": "TTL, in seconds, of cache entities.", + "gt": 0, + "type": "integer", + "default": 300 + } + }, + { + "strategy": { + "description": "The backing data store in which to hold cache entities.", + "type": "string", + "required": true, + "one_of": [ + "memory" + ] + } + }, + { + "cache_control": { + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "ignore_uri_case": { + "type": "boolean", + "required": false, + "default": false + } + }, + { + "storage_ttl": { + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" + } + }, + { + "memory": { + "type": "record", + "fields": [ + { + "dictionary_name": { + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string", + "required": true, + "default": "kong_db_cache" + } + } + ], + "required": true + } + }, + { + "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "elements": { + "type": "string" + }, + "type": "array" + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/rate-limiting-advanced/3.5.x.json b/schemas/rate-limiting-advanced/3.5.x.json new file mode 100644 index 00000000..050705a1 --- /dev/null 
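Review bot: `ignore_uri_case` is the only leaf field under `config` in this schema that has no `description`, so the rendered reference will show a bare boolean with no explanation. The option presumably affects how requests are matched to cached entries. I would add something like `"description": "Determines whether to treat URIs as case sensitive. If set to true, requests are cached while ignoring case sensitivity in the URI."`, with the wording confirmed against the plugin documentation. If these files are pulled from the API rather than edited by hand, the fix belongs in the upstream schema.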
+++ b/schemas/rate-limiting-advanced/3.5.x.json 
@@ -0,0 +1,437 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "identifier": { + "type": "string", + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, or `path`.", + "required": true, + "one_of": [ + "ip", + "credential", + "consumer", + "service", + "header", + "path" + ] + } + }, + { + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "type": "array", + "elements": { + "type": "number" + }, + "required": true + } + }, + { + "window_type": { + "type": "string", + "one_of": [ + "fixed", + "sliding" + ], + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "default": "sliding" + } + }, + { + "limit": { + "description": "One or more requests-per-window limits to apply. 
There must be a matching number of window limits and sizes specified.", + "type": "array", + "elements": { + "type": "number" + }, + "required": true + } + }, + { + "sync_rate": { + "type": "number", + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." + } + }, + { + "namespace": { + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace.", + "type": "string", + "required": true, + "auto": true + } + }, + { + "strategy": { + "type": "string", + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "required": true, + "one_of": [ + "cluster", + "redis", + "local" + ] + } + }, + { + "dictionary_name": { + "description": "The shared dictionary where counters are stored. 
When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "type": "string", + "required": true, + "default": "kong_rate_limiting_counters" + } + }, + { + "hide_client_headers": { + "type": "boolean", + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "default": false + } + }, + { + "retry_after_jitter_max": { + "type": "number", + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "default": 0 + } + }, + { + "header_name": { + "type": "string", + "description": "A string representing an HTTP header name." + } + }, + { + "path": { + "type": "string", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/" + } + }, + { + "redis": { + "type": "record", + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_addresses" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ], + "required": true, + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "username": { + "type": "string", + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." + } + }, + { + "password": { + "type": "string", + "encrypted": true, + "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + } + }, + { + "sentinel_username": { + "type": "string", + "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + } + }, + { + "sentinel_password": { + "type": "string", + "encrypted": true, + "referenceable": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + } + }, + { + "database": { + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "type": "integer", + "default": 30, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value.", + "between": [ + 1, + 2147483646 + ] + } + }, + { + "keepalive_backlog": { + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. 
Queued connect operations resume once the number of connections in the pool is less than `keepalive_pool_size`. Note that queued connect operations are subject to set timeouts.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_addresses": { + "type": "array", + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "elements": { + "type": "string" + }, + "len_min": 1 + } + }, + { + "cluster_addresses": { + "type": "array", + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "elements": { + "type": "string" + }, + "len_min": 1 + } + }, + { + "ssl": { + "type": "boolean", + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "default": false + } + }, + { + "ssl_verify": { + "type": "boolean", + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "default": false + } + }, + { + "server_name": { + "type": "string", + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS." + } + } + ] + } + }, + { + "enforce_consumer_groups": { + "type": "boolean", + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", + "default": false + } + }, + { + "consumer_groups": { + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "disable_penalty": { + "type": "boolean", + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", + "default": false + } + }, + { + "error_code": { + "type": "number", + "gt": 0, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "default": 429 + } + }, + { + "error_message": { + "type": "string", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "default": "API rate limit exceeded" + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file 
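Review bot: The `description` on `enforce_consumer_groups` is a verbatim copy of the one on `consumer_groups`. It opens with "List of consumer groups allowed to override…" and says the field is "Required if `enforce_consumer_groups` is set to `true`", yet the field is a boolean that defaults to `false`. This flag decides whether group membership can override the configured limits, so the text should describe the switch itself, for example starting with `"description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service."` and keeping the sentences about flipping the flag. In the same hunk, the `strategy` description lists only `local` and `cluster` as available values while `one_of` also accepts `redis`.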
diff --git a/schemas/rate-limiting/3.5.x.json b/schemas/rate-limiting/3.5.x.json new file mode 100644 index 00000000..e96a9aba --- /dev/null +++ b/schemas/rate-limiting/3.5.x.json 
@@ -0,0 +1,310 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.second", + "config.minute", + "config.hour", + "config.day", + "config.month", + "config.year" + ] + }, + { + "conditional": { + "then_field": "config.redis_host", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.redis_port", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.header_name", + "if_field": "config.limit_by", + "then_match": { + "required": true + }, + "if_match": { + "eq": "header" + } + } + }, + { + "conditional": { + "then_field": "config.path", + "if_field": "config.limit_by", + "then_match": { + "required": true + }, + "if_match": { + "eq": "path" + } + } + }, + { + "conditional": { + "then_field": "config.redis_timeout", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + } + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "second": { + "type": "number", + "description": "The number of HTTP requests that can be made per second.", + "gt": 0 + } + }, + { + "minute": { + "type": "number", + "description": "The number of HTTP requests that can be made per minute.", + "gt": 0 + } + }, + { + "hour": { + "type": "number", + "description": "The number of HTTP requests that can be made 
per hour.", + "gt": 0 + } + }, + { + "day": { + "type": "number", + "description": "The number of HTTP requests that can be made per day.", + "gt": 0 + } + }, + { + "month": { + "type": "number", + "description": "The number of HTTP requests that can be made per month.", + "gt": 0 + } + }, + { + "year": { + "type": "number", + "description": "The number of HTTP requests that can be made per year.", + "gt": 0 + } + }, + { + "limit_by": { + "type": "string", + "one_of": [ + "consumer", + "credential", + "ip", + "service", + "header", + "path" + ], + "description": "The entity that is used when aggregating the limits.", + "default": "consumer" + } + }, + { + "header_name": { + "type": "string", + "description": "A string representing an HTTP header name." + } + }, + { + "path": { + "type": "string", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/" + } + }, + { + "policy": { + "type": "string", + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "len_min": 0, + "one_of": [ + "local", + "cluster", + "redis" + ] + } + }, + { + "fault_tolerant": { + "type": "boolean", + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", + "required": true, + "default": true + } + }, + { + "redis_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "redis_port": { + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "redis_password": { + "type": "string", + "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", + "referenceable": true, + "len_min": 0 + } + }, + { + "redis_username": { + "type": "string", + "referenceable": true, + "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired." + } + }, + { + "redis_ssl": { + "type": "boolean", + "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server.", + "required": true, + "default": false + } + }, + { + "redis_ssl_verify": { + "type": "boolean", + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies it server SSL certificate is validated. Note that you need to configure the lua_ssl_trusted_certificate to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.", + "required": true, + "default": false + } + }, + { + "redis_server_name": { + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS." 
+ } + }, + { + "redis_timeout": { + "type": "number", + "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server.", + "default": 2000 + } + }, + { + "redis_database": { + "type": "integer", + "description": "When using the `redis` policy, this property specifies the Redis database to use.", + "default": 0 + } + }, + { + "hide_client_headers": { + "type": "boolean", + "description": "Optionally hide informative response headers.", + "required": true, + "default": false + } + }, + { + "error_code": { + "type": "number", + "gt": 0, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "default": 429 + } + }, + { + "error_message": { + "type": "string", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "default": "API rate limit exceeded" + } + }, + { + "sync_rate": { + "type": "number", + "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior.", + "required": true, + "default": -1 + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/request-size-limiting/3.5.x.json b/schemas/request-size-limiting/3.5.x.json new file mode 100644 index 00000000..3f5e1714 --- /dev/null +++ b/schemas/request-size-limiting/3.5.x.json 
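Review bot: `redis_password` carries `referenceable: true` but not `encrypted: true`, whereas the `password` and `sentinel_password` fields of the `redis` record in `schemas/rate-limiting-advanced/3.5.x.json` in this same patch carry both. If that reflects the plugin rather than a loss in the export, the description should say so and recommend a vault reference, because readers will otherwise assume both plugins store the secret the same way. Separately, `redis_ssl` and `redis_ssl_verify` both default to `false`, so the description of `redis_password` could mention that the password is only protected in transit when both are enabled. The `redis_ssl_verify` description also has a typo: `specifies it server SSL certificate is validated` should read `specifies if the server SSL certificate is validated`.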
@@ -0,0 +1,73 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "allowed_payload_size": { + "type": "integer", + "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", + "default": 128 + } + }, + { + "size_unit": { + "type": "string", + "default": "megabytes", + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", + "required": true, + "one_of": [ + "megabytes", + "kilobytes", + "bytes" + ] + } + }, + { + "require_content_length": { + "type": "boolean", + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", + "required": true, + "default": false + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/request-termination/3.5.x.json b/schemas/request-termination/3.5.x.json new file mode 100644 index 00000000..f75c9ac1 --- /dev/null +++ b/schemas/request-termination/3.5.x.json 
@@ -0,0 +1,89 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "status_code": { + "type": "integer", + "default": 503, + "description": "The response code to send. Must be an integer between 100 and 599.", + "required": true, + "between": [ + 100, + 599 + ] + } + }, + { + "message": { + "description": "The message to send, if using the default response generator.", + "type": "string" + } + }, + { + "content_type": { + "description": "Content type of the raw response configured with `config.body`.", + "type": "string" + } + }, + { + "body": { + "description": "The raw response body to send. This is mutually exclusive with the `config.message` field.", + "type": "string" + } + }, + { + "echo": { + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "trigger": { + "type": "string", + "description": "A string representing an HTTP header name." + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/request-transformer-advanced/3.5.x.json b/schemas/request-transformer-advanced/3.5.x.json new file mode 100644 index 00000000..760a9087 --- /dev/null +++ b/schemas/request-transformer-advanced/3.5.x.json 
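Review bot: `trigger` only has the generic text "A string representing an HTTP header name.", which does not say what the field does, even though the `echo` description relies on it ("It can be combined with `trigger` in order to debug requests on live systems"). Because `echo` sends a copy of the request back to the client, an operator needs to know exactly when the plugin fires. I would document it along the lines of `"description": "When not set, the plugin always activates. When set to a string, the plugin activates only on requests containing a header or a query parameter named by that string."`, with the wording confirmed against the plugin documentation. If the schema is pulled from the API, the change has to be made upstream.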
@@ -0,0 +1,337 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "http_method": { + "type": "string", + "match": "^%u+$", + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." + } + }, + { + "remove": { + "type": "record", + "fields": [ + { + "body": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "querystring": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "rename": { + "type": "record", + "fields": [ + { + "body": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "querystring": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "replace": { + "type": "record", + "fields": [ + { + "body": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "querystring": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "json_types": { + "type": 
"array", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "default": [ + + ] + } + }, + { + "uri": { + "type": "string" + } + } + ], + "required": true + } + }, + { + "add": { + "type": "record", + "fields": [ + { + "body": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "querystring": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "json_types": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "append": { + "type": "record", + "fields": [ + { + "body": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "querystring": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "json_types": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "allow": { + "type": "record", + "fields": [ + { + "body": { + "type": "set", + "elements": { + "type": "string" + } + } + } + ], + "required": true + } + }, + { + "dots_in_keys": { + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. 
See [Arrays and nested objects](#arrays-and-nested-objects).", + "type": "boolean", + "default": true + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/request-transformer/3.5.x.json b/schemas/request-transformer/3.5.x.json new file mode 100644 index 00000000..06cf9d7b --- /dev/null +++ b/schemas/request-transformer/3.5.x.json 
@@ -0,0 +1,280 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "required": true + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "http_method": { + "type": "string", + "match": "^%u+$", + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." + } + }, + { + "remove": { + "type": "record", + "fields": [ + { + "body": { + "type": "array", + "required": true, + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "required": true, + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "querystring": { + "type": "array", + "required": true, + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "rename": { + "type": "record", + "fields": [ + { + "body": { + "type": "array", + "required": true, + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "default": [ + + ] + } + }, + { + "querystring": { + "type": "array", + "required": true, + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "replace": { + "type": "record", + "fields": [ + { + "body": { + "type": "array", + "required": true, + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "required": true, + "elements": { + "match": "^[^:]+:.*$", + 
"type": "string" + }, + "default": [ + + ] + } + }, + { + "querystring": { + "type": "array", + "required": true, + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "uri": { + "type": "string" + } + } + ], + "required": true + } + }, + { + "add": { + "type": "record", + "fields": [ + { + "body": { + "type": "array", + "required": true, + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "default": [ + + ] + } + }, + { + "querystring": { + "type": "array", + "required": true, + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "append": { + "type": "record", + "fields": [ + { + "body": { + "type": "array", + "required": true, + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "default": [ + + ] + } + }, + { + "querystring": { + "type": "array", + "required": true, + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ], + "required": true + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/request-validator/3.5.x.json b/schemas/request-validator/3.5.x.json new file mode 100644 index 00000000..c534a1cf --- /dev/null +++ b/schemas/request-validator/3.5.x.json 
@@ -0,0 +1,175 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "body_schema", + "parameter_schema" + ] + } + ], + "required": true, + "fields": [ + { + "body_schema": { + "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.", + "required": false, + "type": "string" + } + }, + { + "allowed_content_types": { + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", + "type": "set", + "elements": { + "type": "string", + "required": true + }, + "default": [ + "application/json" + ] + } + }, + { + "version": { + "one_of": [ + "kong", + "draft4" + ], + "default": "kong", + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", + "required": true, + "type": "string" + } + }, + { + "parameter_schema": { + "description": "Array of parameter validator specification. 
One of `body_schema` or `parameter_schema` must be specified.", + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "in": { + "type": "string", + "required": true, + "one_of": [ + "query", + "header", + "path" + ] + } + }, + { + "name": { + "type": "string", + "required": true + } + }, + { + "required": { + "type": "boolean", + "required": true + } + }, + { + "style": { + "type": "string", + "one_of": [ + "label", + "form", + "matrix", + "simple", + "spaceDelimited", + "pipeDelimited", + "deepObject" + ] + } + }, + { + "explode": { + "type": "boolean" + } + }, + { + "schema": { + "type": "string" + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "style", + "explode", + "schema" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "style", + "in" + ] + } + } + ] + }, + "required": false + } + }, + { + "verbose_response": { + "description": "If enabled, the plugin returns more verbose and detailed validation errors.", + "type": "boolean", + "required": true, + "default": false + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/response-ratelimiting/3.5.x.json b/schemas/response-ratelimiting/3.5.x.json new file mode 100644 index 00000000..6d8eb3a8 --- /dev/null +++ b/schemas/response-ratelimiting/3.5.x.json 
@@ -0,0 +1,268 @@ +{ + "entity_checks": [ + { + "conditional": { + "then_field": "config.redis_host", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.redis_port", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.redis_timeout", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + } + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "header_name": { + "type": "string", + "description": "The name of the response header used to increment the counters.", + "default": "x-kong-limit" + } + }, + { + "limit_by": { + "type": "string", + "one_of": [ + "consumer", + "credential", + "ip" + ], + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. 
If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", + "default": "consumer" + } + }, + { + "policy": { + "type": "string", + "one_of": [ + "local", + "cluster", + "redis" + ], + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "default": "local" + } + }, + { + "fault_tolerant": { + "type": "boolean", + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", + "required": true, + "default": true + } + }, + { + "redis_host": { + "type": "string", + "description": "When using the `redis` policy, this property specifies the address to the Redis server." + } + }, + { + "redis_port": { + "description": "When using the `redis` policy, this property specifies the port of the Redis server.", + "default": 6379, + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "redis_password": { + "type": "string", + "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", + "referenceable": true, + "len_min": 0 + } + }, + { + "redis_username": { + "type": "string", + "referenceable": true, + "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.\nThis requires Redis v6.0.0+. The username **cannot** be set to `default`." 
+ } + }, + { + "redis_ssl": { + "type": "boolean", + "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server.", + "required": true, + "default": false + } + }, + { + "redis_ssl_verify": { + "type": "boolean", + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies if the server SSL certificate is validated. Note that you need to configure the `lua_ssl_trusted_certificate` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": true, + "default": false + } + }, + { + "redis_server_name": { + "type": "string", + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies the server name for the TLS extension Server Name Indication (SNI)." + } + }, + { + "redis_timeout": { + "type": "number", + "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server.", + "default": 2000 + } + }, + { + "redis_database": { + "type": "number", + "description": "When using the `redis` policy, this property specifies Redis database to use.", + "default": 0 + } + }, + { + "block_on_first_violation": { + "type": "boolean", + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. 
This will block requests that are supposed to consume other limits too.", + "required": true, + "default": false + } + }, + { + "hide_client_headers": { + "type": "boolean", + "description": "Optionally hide informative response headers.", + "required": true, + "default": false + } + }, + { + "limits": { + "type": "map", + "values": { + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "second", + "minute", + "hour", + "day", + "month", + "year" + ] + } + ], + "fields": [ + { + "second": { + "gt": 0, + "type": "number" + } + }, + { + "minute": { + "gt": 0, + "type": "number" + } + }, + { + "hour": { + "gt": 0, + "type": "number" + } + }, + { + "day": { + "gt": 0, + "type": "number" + } + }, + { + "month": { + "gt": 0, + "type": "number" + } + }, + { + "year": { + "gt": 0, + "type": "number" + } + } + ], + "required": true + }, + "len_min": 1, + "description": "A map that defines rate limits for the plugin.", + "required": true, + "keys": { + "type": "string" + } + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/response-transformer-advanced/3.5.x.json b/schemas/response-transformer-advanced/3.5.x.json new file mode 100644 index 00000000..13b434be --- /dev/null +++ b/schemas/response-transformer-advanced/3.5.x.json 
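Review bot: `redis_password` is marked `referenceable` but has no `"encrypted": true`, while the comparable secret in the SAML schema added further down this patch (`session_redis_password`) does; it is worth confirming upstream whether that difference is intended. In the same hunk `redis_ssl` and `redis_ssl_verify` both default to `false`, and the `entity_checks` only require `redis_host`, `redis_port` and `redis_timeout` when `policy` is `redis`. A minimal Redis configuration therefore sends the password over a connection that is neither encrypted nor verified, and none of the descriptions say so. If these files are pulled from the API, the caveat belongs in the upstream description of `redis_ssl_verify`, for example `"Set both redis_ssl and redis_ssl_verify to true when the Redis server is reached over an untrusted network."`.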
@@ -0,0 +1,350 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "remove": { + "type": "record", + "fields": [ + { + "json": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "if_status": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "rename": { + "type": "record", + "fields": [ + { + "headers": { + "type": "array", + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "default": [ + + ] + } + }, + { + "if_status": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "replace": { + "type": "record", + "fields": [ + { + "body": { + "type": "string", + "description": "String with which to replace the entire response body." 
+ } + }, + { + "json": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "json_types": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "if_status": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "add": { + "type": "record", + "fields": [ + { + "json": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "json_types": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "if_status": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "append": { + "type": "record", + "fields": [ + { + "json": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "json_types": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "if_status": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "allow": { + "type": "record", + "fields": [ + { + "json": { + "type": "set", + "elements": { + "type": "string" + } + } + } + ], + "required": true + } + }, + { + "transform": { + "type": "record", + "fields": [ + { + "functions": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + 
}, + { + "if_status": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "json": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "dots_in_keys": { + "type": "boolean", + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", + "default": true + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/response-transformer/3.5.x.json b/schemas/response-transformer/3.5.x.json new file mode 100644 index 00000000..fb252b1c --- /dev/null +++ b/schemas/response-transformer/3.5.x.json 
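Review bot: The three fields under `transform` (`functions`, `if_status`, `json`) have no `description`, although sibling fields such as `replace.body` and `dots_in_keys` in this hunk do. As far as I know, `functions` holds Lua code that the plugin runs against the response body, so it is the field that most needs a stated contract; that reading should be confirmed against the plugin documentation. If so, a description along the lines of `"Set of Lua functions to perform arbitrary transforms in a response JSON body."` should be added upstream and the schema re-pulled. The `dots_in_keys` description in the same hunk also ends with a doubled period (`objects..`).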
@@ -0,0 +1,246 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "remove": { + "type": "record", + "fields": [ + { + "json": { + "type": "array", + "required": true, + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "required": true, + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "rename": { + "type": "record", + "fields": [ + { + "headers": { + "type": "array", + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "replace": { + "type": "record", + "fields": [ + { + "json": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "default": [ + + ] + } + }, + { + "json_types": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. 
Each string element can be one of: boolean, number, or string.", + "required": true + } + }, + { + "headers": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "add": { + "type": "record", + "fields": [ + { + "json": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "default": [ + + ] + } + }, + { + "json_types": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "required": true + } + }, + { + "headers": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "append": { + "type": "record", + "fields": [ + { + "json": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "default": [ + + ] + } + }, + { + "json_types": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "required": true + } + }, + { + "headers": { + "type": "array", + "required": true, + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "default": [ + + ] + } + } + ], + "required": true + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/route-by-header/3.5.x.json b/schemas/route-by-header/3.5.x.json new file mode 100644 index 00000000..4fed4c84 
--- /dev/null +++ b/schemas/route-by-header/3.5.x.json @@ -0,0 +1,78 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "rules": { + "description": "Route by header rules.", + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "upstream_name": { + "required": true, + "type": "string" + } + }, + { + "condition": { + "type": "map", + "values": { + "type": "string" + }, + "keys": { + "type": "string" + }, + "required": true, + "len_min": 1 + } + } + ] + }, + "default": [ + + ] + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/route-transformer-advanced/3.5.x.json b/schemas/route-transformer-advanced/3.5.x.json new file mode 100644 index 00000000..b5a08f6f --- /dev/null +++ b/schemas/route-transformer-advanced/3.5.x.json 
@@ -0,0 +1,75 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "path", + "port", + "host" + ] + } + ], + "required": true, + "fields": [ + { + "path": { + "type": "string" + } + }, + { + "port": { + "type": "string" + } + }, + { + "host": { + "type": "string" + } + }, + { + "escape_path": { + "type": "boolean", + "default": false + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/saml/3.5.x.json b/schemas/saml/3.5.x.json new file mode 100644 index 00000000..e86caf5d --- /dev/null +++ b/schemas/saml/3.5.x.json 
@@ -0,0 +1,650 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "shorthand_fields": [ + { + "session_cookie_lifetime": { + "type": "number" + } + }, + { + "session_cookie_idletime": { + "type": "number" + } + }, + { + "session_cookie_samesite": { + "type": "string" + } + }, + { + "session_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "type": "string" + } + }, + { + "session_memcache_socket": { + "type": "string" + } + }, + { + "session_memcache_host": { + "type": "string" + } + }, + { + "session_memcache_port": { + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer" + } + }, + { + "session_cookie_renew": { + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "type": "integer" + } + }, + { + "session_strategy": { + "type": "string" + } + }, + { + "session_compressor": { + "type": "string" + } + }, + { + "session_auth_ttl": { + "type": "number" + } + } + ], + "fields": [ + { + "assertion_consumer_path": { + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "required": true, + "starts_with": "/" + } + }, + { + "idp_sso_url": { + "type": "string", + "required": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "idp_certificate": { + "type": "string", + "referenceable": true, + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "encrypted": true, + "required": false + } + }, + { + "response_encryption_key": { + "type": "string", + "referenceable": true, + "description": "The private encryption key required to decrypt encrypted assertions.", + "encrypted": true, + "required": false + } + }, + { + "request_signing_key": { + "type": "string", + "referenceable": true, + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", + "encrypted": true, + "required": false + } + }, + { + "request_signing_certificate": { + "type": "string", + "referenceable": true, + "description": "The certificate for signing requests.", + "encrypted": true, + "required": false + } + }, + { + "request_signature_algorithm": { + "type": "string", + "default": "SHA256", + "description": "The signature algorithm for signing Authn requests. 
Options available are: - `SHA256` - `SHA384` - `SHA512`", + "required": false, + "one_of": [ + "SHA256", + "SHA384", + "SHA512" + ] + } + }, + { + "request_digest_algorithm": { + "type": "string", + "default": "SHA256", + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", + "required": false, + "one_of": [ + "SHA256", + "SHA1" + ] + } + }, + { + "response_signature_algorithm": { + "type": "string", + "default": "SHA256", + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "required": false, + "one_of": [ + "SHA256", + "SHA384", + "SHA512" + ] + } + }, + { + "response_digest_algorithm": { + "type": "string", + "default": "SHA256", + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", + "required": false, + "one_of": [ + "SHA256", + "SHA1" + ] + } + }, + { + "issuer": { + "type": "string", + "required": true, + "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP." + } + }, + { + "nameid_format": { + "type": "string", + "default": "EmailAddress", + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", + "required": false, + "one_of": [ + "Unspecified", + "EmailAddress", + "Persistent", + "Transient" + ] + } + }, + { + "validate_assertion_signature": { + "type": "boolean", + "description": "Enable signature validation for SAML responses.", + "required": false, + "default": true + } + }, + { + "anonymous": { + "type": "string", + "required": false, + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username." 
+ } + }, + { + "session_secret": { + "match": "^[0-9a-zA-Z/_+]+$", + "len_max": 32, + "referenceable": true, + "len_min": 32, + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "encrypted": true, + "required": true, + "type": "string" + } + }, + { + "session_audience": { + "type": "string", + "description": "The session audience, for example \"my-application\"", + "required": false, + "default": "default" + } + }, + { + "session_cookie_name": { + "type": "string", + "description": "The session cookie name.", + "required": false, + "default": "session" + } + }, + { + "session_remember": { + "type": "boolean", + "description": "Enables or disables persistent sessions", + "required": false, + "default": false + } + }, + { + "session_remember_cookie_name": { + "type": "string", + "description": "Persistent session cookie name", + "required": false, + "default": "remember" + } + }, + { + "session_remember_rolling_timeout": { + "type": "number", + "description": "Persistent session rolling timeout in seconds.", + "required": false, + "default": 604800 + } + }, + { + "session_remember_absolute_timeout": { + "type": "number", + "description": "Persistent session absolute timeout in seconds.", + "required": false, + "default": 2592000 + } + }, + { + "session_idling_timeout": { + "type": "number", + "description": "The session cookie idle time in seconds.", + "required": false, + "default": 900 + } + }, + { + "session_rolling_timeout": { + "type": "number", + "description": "The session cookie absolute timeout in seconds. 
Specifies how long the session can be used until it is no longer valid.", + "required": false, + "default": 3600 + } + }, + { + "session_absolute_timeout": { + "type": "number", + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "required": false, + "default": 86400 + } + }, + { + "session_cookie_path": { + "type": "string", + "default": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "required": false, + "starts_with": "/" + } + }, + { + "session_cookie_domain": { + "type": "string", + "required": false, + "description": "The session cookie domain flag." + } + }, + { + "session_cookie_same_site": { + "type": "string", + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "required": false, + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "session_cookie_http_only": { + "type": "boolean", + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "required": false, + "default": true + } + }, + { + "session_cookie_secure": { + "type": "boolean", + "required": false, + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." 
+ } + }, + { + "session_request_headers": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } + } + }, + { + "session_response_headers": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } + } + }, + { + "session_storage": { + "type": "string", + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", + "required": false, + "one_of": [ + "cookie", + "memcache", + "memcached", + "redis" + ] + } + }, + { + "session_store_metadata": { + "type": "boolean", + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", + "required": false, + "default": false + } + }, + { + "session_enforce_same_subject": { + "type": "boolean", + "description": "When set to `true`, audiences are forced to share the same subject.", + "required": false, + "default": false + } + }, + { + "session_hash_subject": { + "type": "boolean", + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "required": false, + "default": false + } + }, + { + "session_hash_storage_key": { + "type": "boolean", + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "required": false, + "default": false + } + }, + { + "session_memcached_prefix": { + "type": "string", + "required": false, + "description": "The memcached session key prefix." + } + }, + { + "session_memcached_socket": { + "type": "string", + "required": false, + "description": "The memcached unix socket path." + } + }, + { + "session_memcached_host": { + "type": "string", + "description": "The memcached host.", + "required": false, + "default": "127.0.0.1" + } + }, + { + "session_memcached_port": { + "type": "integer", + "default": 11211, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": false, + "between": [ + 0, + 65535 + ] + } + }, + { + "session_redis_prefix": { + "type": "string", + "required": false, + "description": "The Redis session key prefix." + } + }, + { + "session_redis_socket": { + "type": "string", + "required": false, + "description": "The Redis unix socket path." + } + }, + { + "session_redis_host": { + "type": "string", + "description": "The Redis host IP.", + "required": false, + "default": "127.0.0.1" + } + }, + { + "session_redis_port": { + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": false, + "between": [ + 0, + 65535 + ] + } + }, + { + "session_redis_username": { + "type": "string", + "required": false, + "referenceable": true, + "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." + } + }, + { + "session_redis_password": { + "type": "string", + "referenceable": true, + "description": "Password to use for Redis connection when the `redis` session storage is defined. 
If undefined, no auth commands are sent to Redis. This value is pulled from", + "encrypted": true, + "required": false + } + }, + { + "session_redis_connect_timeout": { + "type": "integer", + "required": false, + "description": "The Redis connection timeout in milliseconds." + } + }, + { + "session_redis_read_timeout": { + "type": "integer", + "required": false, + "description": "The Redis read timeout in milliseconds." + } + }, + { + "session_redis_send_timeout": { + "type": "integer", + "required": false, + "description": "The Redis send timeout in milliseconds." + } + }, + { + "session_redis_ssl": { + "type": "boolean", + "description": "Use SSL/TLS for the Redis connection.", + "required": false, + "default": false + } + }, + { + "session_redis_ssl_verify": { + "type": "boolean", + "description": "Verify the Redis server certificate.", + "required": false, + "default": false + } + }, + { + "session_redis_server_name": { + "type": "string", + "required": false, + "description": "The SNI used for connecting to the Redis server." + } + }, + { + "session_redis_cluster_nodes": { + "type": "array", + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "type": "string", + "description": "A string representing a host name, such as example.com.", + "required": true, + "default": "127.0.0.1" + } + }, + { + "port": { + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + } + ] + }, + "required": false + } + }, + { + "session_redis_cluster_max_redirections": { + "type": "integer", + "required": false, + "description": "The Redis cluster maximum redirects." + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file 
diff --git a/schemas/session/3.5.x.json b/schemas/session/3.5.x.json new file mode 100644 index 00000000..c84b0373 --- /dev/null +++ b/schemas/session/3.5.x.json 
@@ -0,0 +1,296 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "shorthand_fields": [ + { + "cookie_lifetime": { + "type": "number" + } + }, + { + "cookie_idletime": { + "type": "number" + } + }, + { + "cookie_renew": { + "type": "number" + } + }, + { + "cookie_discard": { + "type": "number" + } + }, + { + "cookie_samesite": { + "type": "string" + } + }, + { + "cookie_httponly": { + "type": "boolean" + } + }, + { + "cookie_persistent": { + "type": "boolean" + } + } + ], + "fields": [ + { + "secret": { + "type": "string", + "referenceable": true, + "default": "y2WYXAByQsppS8mnZWcIUT2Pw7tdHxhR8RtclOijz80l", + "description": "The secret that is used in keyed HMAC generation.", + "encrypted": true, + "required": false + } + }, + { + "storage": { + "type": "string", + "one_of": [ + "cookie", + "kong" + ], + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. 
`cookie`: Stores encrypted session data within the cookie itself.", + "default": "cookie" + } + }, + { + "audience": { + "type": "string", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "default": "default" + } + }, + { + "idling_timeout": { + "type": "number", + "description": "The session cookie idle time, in seconds.", + "default": 900 + } + }, + { + "rolling_timeout": { + "type": "number", + "description": "The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed.", + "default": 3600 + } + }, + { + "absolute_timeout": { + "type": "number", + "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", + "default": 86400 + } + }, + { + "stale_ttl": { + "type": "number", + "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", + "default": 10 + } + }, + { + "cookie_name": { + "type": "string", + "description": "The name of the cookie.", + "default": "session" + } + }, + { + "cookie_path": { + "type": "string", + "description": "The resource in the host where the cookie is available.", + "default": "/" + } + }, + { + "cookie_domain": { + "description": "The domain with which the cookie is intended to be exchanged.", + "type": "string" + } + }, + { + "cookie_same_site": { + "type": "string", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ], + "description": "Determines whether and how a cookie may be sent with cross-site requests.", + "default": "Strict" + } + }, + { + "cookie_http_only": { + "type": "boolean", + "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", + "default": true + } + }, + { + "cookie_secure": { + "type": "boolean", + "description": "Applies the Secure directive so that 
the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", + "default": true + } + }, + { + "remember": { + "type": "boolean", + "description": "Enables or disables persistent sessions.", + "default": false + } + }, + { + "remember_cookie_name": { + "type": "string", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "default": "remember" + } + }, + { + "remember_rolling_timeout": { + "type": "number", + "description": "The persistent session rolling timeout window, in seconds.", + "default": 604800 + } + }, + { + "remember_absolute_timeout": { + "type": "number", + "description": "The persistent session absolute timeout limit, in seconds.", + "default": 2592000 + } + }, + { + "response_headers": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "List of information to include, as headers, in the response to the downstream." + } + }, + { + "request_headers": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "List of information to include, as headers, in the response to the downstream." + } + }, + { + "logout_methods": { + "type": "set", + "description": "A set of HTTP methods that the plugin will respond to.", + "elements": { + "type": "string", + "one_of": [ + "GET", + "POST", + "DELETE" + ] + }, + "default": [ + "POST", + "DELETE" + ] + } + }, + { + "logout_query_arg": { + "type": "string", + "description": "The query argument passed to logout requests.", + "default": "session_logout" + } + }, + { + "logout_post_arg": { + "type": "string", + "description": "The POST argument passed to logout requests. 
Do not change this property.", + "default": "session_logout" + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/statsd-advanced/3.5.x.json b/schemas/statsd-advanced/3.5.x.json new file mode 100644 index 00000000..b9383437 --- /dev/null +++ b/schemas/statsd-advanced/3.5.x.json 
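Review bot: The `secret` field under `config.fields` in schemas/session/3.5.x.json is published with a literal `default` string, which looks like a random value captured from the instance the schema was downloaded from rather than a fixed product default (inferred; the code that produces it is not in this patch). A session HMAC secret printed in public documentation invites readers to copy it or to assume every installation shares it, and a deployment that did use it would have no secrecy left in its session signing key. I would have the download step mask or drop that key, for example `"default": "<random per installation>"`, so the docs never show a usable value. Separately, `request_headers` repeats the `response_headers` text ("in the response to the downstream"); it should read something like `"description": "List of information to include, as headers, in the request to the upstream."`.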
@@ -0,0 +1,448 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com.", + "default": "localhost" + } + }, + { + "port": { + "type": "integer", + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "prefix": { + "description": "String to prefix to each metric's name.", + "type": "string", + "default": "kong" + } + }, + { + "metrics": { + "description": "List of Metrics to be logged.", + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "name": { + "type": "string", + "required": true, + "one_of": [ + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "status_count", + "status_count_per_user", + "unique_users", + "upstream_latency", + "status_count_per_workspace", + "status_count_per_user_per_route", + "shdict_usage", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + } + }, + { + "stat_type": { + "type": "string", + "required": true, + "one_of": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ] + } + }, + { + "sample_rate": { + "gt": 0, + "type": "number" + } + }, + { + 
"consumer_identifier": { + "type": "string", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + }, + { + "service_identifier": { + "type": "string", + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ] + } + }, + { + "workspace_identifier": { + "type": "string", + "one_of": [ + "workspace_id", + "workspace_name" + ] + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "set" + }, + "if_match": { + "one_of": [ + "unique_users" + ] + } + } + }, + { + "conditional": { + "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "counter" + }, + "if_match": { + "one_of": [ + "request_count", + "status_count", + "request_per_user", + "status_count_per_user", + "status_count_per_workspace", + "status_count_per_user_per_route", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + } + } + }, + { + "conditional": { + "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "gauge" + }, + "if_match": { + "one_of": [ + "shdict_usage" + ] + } + } + }, + { + "conditional": { + "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + }, + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + } + } + } + ] + }, + "default": [ + { + "sample_rate": 1, + "name": "request_count", + "stat_type": "counter" + }, + { + "stat_type": "timer", + "name": "latency" + }, + { + "stat_type": "timer", + "name": "request_size" + }, + { + "sample_rate": 1, + "name": "status_count", + "stat_type": "counter" + }, + { + "stat_type": "timer", + "name": "response_size" + }, + { + "stat_type": "set", + "name": "unique_users" + }, + { + "sample_rate": 1, + "name": "request_per_user", + "stat_type": "counter" + }, + { + "stat_type": "timer", + "name": "upstream_latency" + }, + { + "stat_type": "timer", + "name": "kong_latency" + }, + { + "sample_rate": 1, + "name": 
"status_count_per_user", + "stat_type": "counter" + }, + { + "sample_rate": 1, + "name": "status_count_per_workspace", + "stat_type": "counter" + }, + { + "sample_rate": 1, + "name": "status_count_per_user_per_route", + "stat_type": "counter" + }, + { + "sample_rate": 1, + "name": "shdict_usage", + "stat_type": "gauge" + }, + { + "sample_rate": 1, + "name": "cache_datastore_hits_total", + "stat_type": "counter" + }, + { + "sample_rate": 1, + "name": "cache_datastore_misses_total", + "stat_type": "counter" + } + ] + } + }, + { + "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", + "elements": { + "type": "string", + "match": "^[0-9]+-[0-9]+$" + }, + "type": "array" + } + }, + { + "udp_packet_size": { + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", + "default": 0, + "type": "number", + "between": [ + 0, + 65507 + ] + } + }, + { + "use_tcp": { + "description": "Use TCP instead of UDP.", + "type": "boolean", + "default": false + } + }, + { + "hostname_in_prefix": { + "description": "Include the `hostname` in the `prefix` for each metric name.", + "type": "boolean", + "default": false + } + }, + { + "consumer_identifier_default": { + "type": "string", + "default": "custom_id", + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", + "required": true, + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + }, + { + "service_identifier_default": { + "type": "string", + "default": "service_name_or_host", + "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. 
Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", + "required": true, + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ] + } + }, + { + "workspace_identifier_default": { + "type": "string", + "default": "workspace_id", + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", + "required": true, + "one_of": [ + "workspace_id", + "workspace_name" + ] + } + }, + { + "queue": { + "type": "record", + "fields": [ + { + "max_batch_size": { + "type": "integer", + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_coalescing_delay": { + "type": "number", + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "between": [ + 0, + 3600 + ] + } + }, + { + "max_entries": { + "type": "integer", + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." 
+ } + }, + { + "max_retry_time": { + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60 + } + }, + { + "initial_retry_delay": { + "type": "number", + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ] + } + }, + { + "max_retry_delay": { + "type": "number", + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ] + } + } + ], + "required": true + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/statsd/3.5.x.json b/schemas/statsd/3.5.x.json new file mode 100644 index 00000000..e5ff7d02 --- /dev/null +++ b/schemas/statsd/3.5.x.json 
@@ -0,0 +1,439 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "retry_count", + "queue_size", + "flush_timeout" + ] + } + } + ], + "required": true, + "fields": [ + { + "host": { + "description": "The IP address or hostname of StatsD server to send data to.", + "type": "string", + "default": "localhost" + } + }, + { + "port": { + "description": "The port of StatsD server to send data to.", + "default": 8125, + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "prefix": { + "type": "string", + "description": "String to prefix to each metric's name.", + "default": "kong" + } + }, + { + "metrics": { + "type": "array", + "description": "List of metrics to be logged.", + "elements": { + "type": "record", + "fields": [ + { + "name": { + "type": "string", + "description": "StatsD metric’s name.", + "required": true, + "one_of": [ + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "status_count", + "status_count_per_user", + "unique_users", + "upstream_latency", + "status_count_per_workspace", + "status_count_per_user_per_route", + "shdict_usage", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + } + }, + { + "stat_type": { + "type": "string", + 
"description": "Determines what sort of event a metric represents.", + "required": true, + "one_of": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ] + } + }, + { + "sample_rate": { + "type": "number", + "gt": 0, + "description": "Sampling rate" + } + }, + { + "consumer_identifier": { + "type": "string", + "description": "Authenticated user detail.", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + }, + { + "service_identifier": { + "type": "string", + "description": "Service detail.", + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ] + } + }, + { + "workspace_identifier": { + "type": "string", + "description": "Workspace detail.", + "one_of": [ + "workspace_id", + "workspace_name" + ] + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + }, + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + } + } + } + ] + }, + "default": [ + { + "sample_rate": 1, + "name": "request_count", + "stat_type": "counter" + }, + { + "stat_type": "timer", + "name": "latency" + }, + { + "sample_rate": 1, + "name": "request_size", + "stat_type": "counter" + }, + { + "sample_rate": 1, + "name": "status_count", + "stat_type": "counter" + }, + { + "sample_rate": 1, + "name": "response_size", + "stat_type": "counter" + }, + { + "stat_type": "set", + "name": "unique_users" + }, + { + "sample_rate": 1, + "name": "request_per_user", + "stat_type": "counter" + }, + { + "stat_type": "timer", + "name": "upstream_latency" + }, + { + "stat_type": "timer", + "name": "kong_latency" + }, + { + "sample_rate": 1, + "name": "status_count_per_user", + "stat_type": "counter" + }, + { + "sample_rate": 1, + "name": "status_count_per_workspace", + "stat_type": "counter" + }, + { + "sample_rate": 1, + "name": "status_count_per_user_per_route", + "stat_type": "counter" + }, + { + "sample_rate": 1, + "name": 
"shdict_usage", + "stat_type": "gauge" + }, + { + "sample_rate": 1, + "name": "cache_datastore_hits_total", + "stat_type": "counter" + }, + { + "sample_rate": 1, + "name": "cache_datastore_misses_total", + "stat_type": "counter" + } + ] + } + }, + { + "allow_status_codes": { + "type": "array", + "elements": { + "type": "string", + "match": "^[0-9]+-[0-9]+$" + }, + "description": "List of status code ranges that are allowed to be logged in metrics." + } + }, + { + "udp_packet_size": { + "type": "number", + "default": 0, + "between": [ + 0, + 65507 + ] + } + }, + { + "use_tcp": { + "type": "boolean", + "default": false + } + }, + { + "hostname_in_prefix": { + "type": "boolean", + "default": false + } + }, + { + "consumer_identifier_default": { + "type": "string", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ], + "required": true, + "default": "custom_id" + } + }, + { + "service_identifier_default": { + "type": "string", + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ], + "required": true, + "default": "service_name_or_host" + } + }, + { + "workspace_identifier_default": { + "type": "string", + "one_of": [ + "workspace_id", + "workspace_name" + ], + "required": true, + "default": "workspace_id" + } + }, + { + "retry_count": { + "type": "integer" + } + }, + { + "queue_size": { + "type": "integer" + } + }, + { + "flush_timeout": { + "type": "number" + } + }, + { + "tag_style": { + "type": "string", + "required": false, + "one_of": [ + "dogstatsd", + "influxdb", + "librato", + "signalfx" + ] + } + }, + { + "queue": { + "type": "record", + "fields": [ + { + "max_batch_size": { + "type": "integer", + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_coalescing_delay": { + "type": "number", + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the 
queue starts calling the handler.", + "between": [ + 0, + 3600 + ] + } + }, + { + "max_entries": { + "type": "integer", + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + } + }, + { + "max_retry_time": { + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60 + } + }, + { + "initial_retry_delay": { + "type": "number", + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ] + } + }, + { + "max_retry_delay": { + "type": "number", + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ] + } + } + ], + "required": true + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/syslog/3.5.x.json b/schemas/syslog/3.5.x.json new file mode 100644 index 00000000..674000a8 --- /dev/null +++ b/schemas/syslog/3.5.x.json 
@@ -0,0 +1,164 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "log_level": { + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ], + "required": true, + "default": "info" + } + }, + { + "successful_severity": { + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ], + "required": true, + "default": "info" + } + }, + { + "client_errors_severity": { + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ], + "required": true, + "default": "info" + } + }, + { + "server_errors_severity": { + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ], + "required": true, + "default": "info" + } + }, + { + "custom_fields_by_lua": { + "type": "map", + "values": { + "type": "string", + "len_min": 1 + }, + "description": "Lua code as a key-value map", + "keys": { + "type": "string", + "len_min": 1 + } + } + }, + { + "facility": { + "type": "string", + "default": "user", + "description": "The facility is used by the operating system to decide how to handle each log message.", + "required": true, + "one_of": [ + "auth", + "authpriv", + 
"cron", + "daemon", + "ftp", + "kern", + "lpr", + "mail", + "news", + "syslog", + "user", + "uucp", + "local0", + "local1", + "local2", + "local3", + "local4", + "local5", + "local6", + "local7" + ] + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/tcp-log/3.5.x.json b/schemas/tcp-log/3.5.x.json new file mode 100644 index 00000000..c54f2f77 --- /dev/null +++ b/schemas/tcp-log/3.5.x.json 
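Review bot: `custom_fields_by_lua` in schemas/syslog/3.5.x.json is described only as "Lua code as a key-value map", which does not tell an operator that the map values are Lua chunks the gateway runs to compute log fields; the udp-log schema later in this patch carries the same text. The tcp-log schema in this patch already has the fuller wording, so I would reuse it in both places: `"description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value."`. Because the field accepts code, the description could also point to the gateway's sandboxing setting for user-supplied Lua, so that write access to this plugin's configuration is treated as a privileged operation.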
@@ -0,0 +1,112 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "host": { + "description": "The IP address or host name to send data to.", + "required": true, + "type": "string" + } + }, + { + "port": { + "description": "The port to send data to on the upstream server.", + "type": "integer", + "required": true, + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "type": "number", + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "default": 10000 + } + }, + { + "keepalive": { + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "default": 60000 + } + }, + { + "tls": { + "type": "boolean", + "description": "Indicates whether to perform a TLS handshake against the remote server.", + "required": true, + "default": false + } + }, + { + "tls_sni": { + "type": "string", + "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake." 
+ } + }, + { + "custom_fields_by_lua": { + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", + "values": { + "type": "string", + "len_min": 1 + }, + "type": "map", + "keys": { + "type": "string", + "len_min": 1 + } + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/tls-handshake-modifier/3.5.x.json b/schemas/tls-handshake-modifier/3.5.x.json new file mode 100644 index 00000000..c8a6b45c --- /dev/null +++ b/schemas/tls-handshake-modifier/3.5.x.json @@ -0,0 +1,60 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "https", + "grpcs", + "tls" + ] + }, + "default": [ + "https", + "grpcs" + ] + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "tls_client_certificate": { + "type": "string", + "default": "REQUEST", + "description": "TLS Client Certificate", + "required": false, + "one_of": [ + "REQUEST" + ] + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/tls-metadata-headers/3.5.x.json b/schemas/tls-metadata-headers/3.5.x.json new file mode 100644 index 00000000..da869cda --- /dev/null +++ b/schemas/tls-metadata-headers/3.5.x.json 
@@ -0,0 +1,96 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "https", + "grpcs", + "tls" + ] + }, + "default": [ + "https", + "grpcs" + ] + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "inject_client_cert_details": { + "type": "boolean", + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", + "default": false + } + }, + { + "client_cert_header_name": { + "type": "string", + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", + "required": true, + "default": "X-Client-Cert" + } + }, + { + "client_serial_header_name": { + "type": "string", + "description": "Define the HTTP header name used for the serial number of the client certificate.", + "required": true, + "default": "X-Client-Cert-Serial" + } + }, + { + "client_cert_issuer_dn_header_name": { + "type": "string", + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", + "required": true, + "default": "X-Client-Cert-Issuer-DN" + } + }, + { + "client_cert_subject_dn_header_name": { + "type": "string", + "description": "Define the HTTP header name used for the subject DN of the client certificate.", + "required": true, + "default": "X-Client-Cert-Subject-DN" + } + }, + { + "client_cert_fingerprint_header_name": { + "type": "string", + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", + "required": true, + "default": 
"X-Client-Cert-Fingerprint" + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/udp-log/3.5.x.json b/schemas/udp-log/3.5.x.json new file mode 100644 index 00000000..8adf19b9 --- /dev/null +++ b/schemas/udp-log/3.5.x.json @@ -0,0 +1,91 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "host": { + "type": "string", + "required": true, + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number", + "default": 10000 + } + }, + { + "custom_fields_by_lua": { + "type": "map", + "values": { + "type": "string", + "len_min": 1 + }, + "description": "Lua code as a key-value map", + "keys": { + "type": "string", + "len_min": 1 + } + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/upstream-timeout/3.5.x.json b/schemas/upstream-timeout/3.5.x.json new file mode 100644 index 00000000..ffad4fa4 --- /dev/null +++ b/schemas/upstream-timeout/3.5.x.json 
@@ -0,0 +1,75 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/vault-auth/3.5.x.json b/schemas/vault-auth/3.5.x.json new file mode 100644 index 00000000..aab597e0 --- /dev/null +++ b/schemas/vault-auth/3.5.x.json 
@@ -0,0 +1,112 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "consumer": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumers" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "access_token_name": { + "type": "string", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "default": "access_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "required": true + } + }, + { + "secret_token_name": { + "type": "string", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "default": "secret_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. 
The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "required": true + } + }, + { + "vault": { + "type": "foreign", + "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", + "required": true, + "reference": "vault_auth_vaults" + } + }, + { + "hide_credentials": { + "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", + "default": false + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "tokens_in_body": { + "type": "boolean", + "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "default": false + } + }, + { + "run_on_preflight": { + "type": "boolean", + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "default": true + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/websocket-size-limit/3.5.x.json b/schemas/websocket-size-limit/3.5.x.json new file mode 100644 index 00000000..ae53952d --- /dev/null +++ b/schemas/websocket-size-limit/3.5.x.json 
@@ -0,0 +1,68 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "ws", + "wss" + ] + }, + "default": [ + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "client_max_payload", + "upstream_max_payload" + ] + } + ], + "required": true, + "fields": [ + { + "client_max_payload": { + "type": "integer", + "required": false, + "between": [ + 1, + 33554432 + ] + } + }, + { + "upstream_max_payload": { + "type": "integer", + "required": false, + "between": [ + 1, + 33554432 + ] + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/websocket-validator/3.5.x.json b/schemas/websocket-validator/3.5.x.json new file mode 100644 index 00000000..03d0227b --- /dev/null +++ b/schemas/websocket-validator/3.5.x.json 
@@ -0,0 +1,220 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "ws", + "wss" + ] + }, + "default": [ + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "client", + "upstream" + ] + } + ], + "required": true, + "fields": [ + { + "client": { + "type": "record", + "fields": [ + { + "text": { + "type": "record", + "fields": [ + { + "type": { + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "required": true, + "one_of": [ + "draft4" + ] + } + }, + { + "schema": { + "type": "string", + "required": true, + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "required": false + } + }, + { + "binary": { + "type": "record", + "fields": [ + { + "type": { + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "required": true, + "one_of": [ + "draft4" + ] + } + }, + { + "schema": { + "type": "string", + "required": true, + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." 
+ } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "required": false + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } + ], + "required": false + } + }, + { + "upstream": { + "type": "record", + "fields": [ + { + "text": { + "type": "record", + "fields": [ + { + "type": { + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "required": true, + "one_of": [ + "draft4" + ] + } + }, + { + "schema": { + "type": "string", + "required": true, + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "required": false + } + }, + { + "binary": { + "type": "record", + "fields": [ + { + "type": { + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "required": true, + "one_of": [ + "draft4" + ] + } + }, + { + "schema": { + "type": "string", + "required": true, + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "required": false + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } + ], + "required": false + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/xml-threat-protection/3.5.x.json b/schemas/xml-threat-protection/3.5.x.json new file mode 100644 index 00000000..18f7d8ac --- /dev/null 
+++ b/schemas/xml-threat-protection/3.5.x.json 
@@ -0,0 +1,300 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "conditional": { + "then_field": "max_namespaces", + "if_field": "namespace_aware", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + } + } + }, + { + "conditional": { + "then_field": "prefix", + "if_field": "namespace_aware", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + } + } + }, + { + "conditional": { + "then_field": "namespaceuri", + "if_field": "namespace_aware", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + } + } + } + ], + "required": true, + "fields": [ + { + "checked_content_types": { + "type": "set", + "elements": { + "match": "^[^%s]+%/[^ ;]+$", + "required": true, + "type": "string" + }, + "default": [ + "application/xml" + ], + "description": "A list of Content-Type values with payloads that must be validated.", + "required": true + } + }, + { + "allowed_content_types": { + "type": "set", + "elements": { + "match": "^[^%s]+%/[^ ;]+$", + "required": true, + "type": "string" + }, + "default": [ + + ], + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", + "required": true + } + }, + { + "allow_dtd": { + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "namespace_aware": { + "description": "If not parsing 
namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", + "type": "boolean", + "required": true, + "default": true + } + }, + { + "max_depth": { + "type": "integer", + "default": 50, + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", + "required": true, + "gt": 0 + } + }, + { + "max_children": { + "type": "integer", + "default": 100, + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", + "required": true, + "gt": 0 + } + }, + { + "max_attributes": { + "type": "integer", + "default": 100, + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", + "required": true, + "gt": 0 + } + }, + { + "max_namespaces": { + "type": "integer", + "default": 20, + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", + "required": false, + "gt": 0 + } + }, + { + "document": { + "type": "integer", + "default": 10485760, + "description": "Maximum size of the entire document.", + "required": true, + "gt": 0 + } + }, + { + "buffer": { + "type": "integer", + "default": 1048576, + "description": "Maximum size of the unparsed buffer (see below).", + "required": true, + "gt": 0 + } + }, + { + "comment": { + "type": "integer", + "default": 1024, + "description": "Maximum size of comments.", + "required": true, + "gt": 0 + } + }, + { + "localname": { + "type": "integer", + "default": 1024, + "description": "Maximum size of the localname. 
This applies to tags and attributes.", + "required": true, + "gt": 0 + } + }, + { + "prefix": { + "type": "integer", + "default": 1024, + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", + "required": false, + "gt": 0 + } + }, + { + "namespaceuri": { + "type": "integer", + "default": 1024, + "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware.", + "required": false, + "gt": 0 + } + }, + { + "attribute": { + "type": "integer", + "default": 1048576, + "description": "Maximum size of the attribute value.", + "required": true, + "gt": 0 + } + }, + { + "text": { + "type": "integer", + "default": 1048576, + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", + "required": true, + "gt": 0 + } + }, + { + "pitarget": { + "type": "integer", + "default": 1024, + "description": "Maximum size of processing instruction targets.", + "required": true, + "gt": 0 + } + }, + { + "pidata": { + "type": "integer", + "default": 1024, + "description": "Maximum size of processing instruction data.", + "required": true, + "gt": 0 + } + }, + { + "entityname": { + "type": "integer", + "default": 1024, + "description": "Maximum size of entity names in EntityDecl.", + "required": true, + "gt": 0 + } + }, + { + "entity": { + "type": "integer", + "default": 1024, + "description": "Maximum size of entity values in EntityDecl.", + "required": true, + "gt": 0 + } + }, + { + "entityproperty": { + "type": "integer", + "default": 1024, + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", + "required": true, + "gt": 0 + } + }, + { + "bla_max_amplification": { + "type": "number", + "default": 100, + "description": "Sets the maximum allowed amplification. 
This protects against the Billion Laughs Attack.", + "required": true, + "gt": 1 + } + }, + { + "bla_threshold": { + "type": "integer", + "default": 8388608, + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", + "required": true, + "gt": 1024 + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/zipkin/3.5.x.json b/schemas/zipkin/3.5.x.json new file mode 100644 index 00000000..c26ab711 --- /dev/null +++ b/schemas/zipkin/3.5.x.json 
@@ -0,0 +1,323 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups" + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "local_service_name": { + "type": "string", + "description": "The name of the service as displayed in Zipkin.", + "required": true, + "default": "kong" + } + }, + { + "http_endpoint": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "sample_ratio": { + "type": "number", + "default": 0.001, + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", + "between": [ + 0, + 1 + ] + } + }, + { + "default_service_name": { + "type": "string", + "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans." 
+ } + }, + { + "include_credential": { + "type": "boolean", + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", + "required": true, + "default": true + } + }, + { + "traceid_byte_count": { + "type": "integer", + "default": 16, + "description": "The length in bytes of each request's Trace ID.", + "required": true, + "one_of": [ + 8, + 16 + ] + } + }, + { + "header_type": { + "type": "string", + "default": "preserve", + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", + "required": true, + "one_of": [ + "preserve", + "ignore", + "b3", + "b3-single", + "w3c", + "jaeger", + "ot", + "aws", + "datadog" + ] + } + }, + { + "default_header_type": { + "type": "string", + "default": "b3", + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. 
When `header_type` is set to any other value, `default_header_type` is ignored.", + "required": true, + "one_of": [ + "b3", + "b3-single", + "w3c", + "jaeger", + "ot", + "aws", + "datadog" + ] + } + }, + { + "tags_header": { + "type": "string", + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", + "required": true, + "default": "Zipkin-Tags" + } + }, + { + "static_tags": { + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "name": { + "type": "string", + "not_one_of": [ + "error", + "http.method", + "http.path", + "http.status_code", + "kong.balancer.state", + "kong.balancer.try", + "kong.consumer", + "kong.credential", + "kong.node.id", + "kong.route", + "kong.service", + "lc", + "peer.hostname" + ], + "required": true + } + }, + { + "value": { + "required": true, + "type": "string" + } + } + ] + }, + "description": "The tags specified on this property will be added to the generated request traces." + } + }, + { + "http_span_name": { + "type": "string", + "default": "method", + "description": "Specify whether to include the HTTP path in the span name.", + "required": true, + "one_of": [ + "method", + "method_path" + ] + } + }, + { + "connect_timeout": { + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "send_timeout": { + "type": "integer", + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "read_timeout": { + "type": "integer", + "default": 5000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "http_response_header_for_traceid": { + "type": "string" + } + }, + { + "phase_duration_flavor": { + "type": "string", + "default": "annotations", + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", + "required": true, + "one_of": [ + "annotations", + "tags" + ] + } + }, + { + "queue": { + "type": "record", + "fields": [ + { + "max_batch_size": { + "type": "integer", + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_coalescing_delay": { + "type": "number", + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "between": [ + 0, + 3600 + ] + } + }, + { + "max_entries": { + "type": "integer", + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + } + }, + { + "max_retry_time": { + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60 + } + }, + { + "initial_retry_delay": { + "type": "number", + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ] + } + }, + { + "max_retry_delay": { + "type": "number", + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ] + } + } + ], + "required": true + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file From 7a67e3d66d5c14a64f1eaf99e3fa840fba0e6644 Mon Sep 17 00:00:00 2001 
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com>
Date: Fri, 6 Oct 2023 14:35:22 -0700
Subject: [PATCH 013/165] fix exit transformer example
---
 examples/exit-transformer/_3.5.x.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/exit-transformer/_3.5.x.yaml b/examples/exit-transformer/_3.5.x.yaml
index 68893d04..c7f0c5d4 100644
--- a/examples/exit-transformer/_3.5.x.yaml
+++ b/examples/exit-transformer/_3.5.x.yaml
@@ -1,4 +1,4 @@
 name: exit-transformer
 config:
 functions:
- - "return function(status, body, header) return status, body, headers end"
+ - "return function(status, body, headers) return status, body, headers end"
From e7c3964a8b52e713cbeaffb6fde814324f17f947 Mon Sep 17 00:00:00 2001
From: "lena.larionova" Date: Thu, 12 Oct 2023 13:51:42 -0700 Subject: [PATCH 014/165] generate schemas off the latest nightly build to get entity checks --- schemas/acl/3.5.x.json | 62 +- schemas/acme/3.5.x.json | 306 ++-- schemas/application-registration/3.5.x.json | 54 +- schemas/aws-lambda/3.5.x.json | 146 +- schemas/azure-functions/3.5.x.json | 60 +- schemas/basic-auth/3.5.x.json | 36 +- schemas/bot-detection/3.5.x.json | 40 +- schemas/canary/3.5.x.json | 142 +- schemas/correlation-id/3.5.x.json | 40 +- schemas/cors/3.5.x.json | 66 +- schemas/datadog/3.5.x.json | 144 +- schemas/degraphql/3.5.x.json | 38 +- schemas/exit-transformer/3.5.x.json | 36 +- schemas/file-log/3.5.x.json | 46 +- schemas/forward-proxy/3.5.x.json | 114 +- .../graphql-proxy-cache-advanced/3.5.x.json | 50 +- .../graphql-rate-limiting-advanced/3.5.x.json | 320 ++-- schemas/grpc-gateway/3.5.x.json | 24 +- schemas/grpc-web/3.5.x.json | 36 +- schemas/hmac-auth/3.5.x.json | 74 +- schemas/http-log/3.5.x.json | 136 +- schemas/ip-restriction/3.5.x.json | 44 +- schemas/jq/3.5.x.json | 114 +- schemas/jwe-decrypt/3.5.x.json | 48 +- schemas/jwt-signer/3.5.x.json | 416 ++--- schemas/jwt/3.5.x.json | 96 +- schemas/kafka-log/3.5.x.json | 172 +-- schemas/kafka-upstream/3.5.x.json | 188 +-- schemas/key-auth-enc/3.5.x.json | 52 +- schemas/key-auth/3.5.x.json | 66 +- schemas/konnect-application-auth/3.5.x.json | 56 +- schemas/ldap-auth-advanced/3.5.x.json | 142 +- schemas/ldap-auth/3.5.x.json | 116 +- schemas/loggly/3.5.x.json | 72 +- schemas/mocking/3.5.x.json | 70 +- schemas/mtls-auth/3.5.x.json | 130 +- schemas/oas-validation/3.5.x.json | 100 +- schemas/oauth2-introspection/3.5.x.json | 94 +- schemas/oauth2/3.5.x.json | 146 +- schemas/opa/3.5.x.json | 86 +- schemas/openid-connect/3.5.x.json | 1338 +++++++++-------- schemas/opentelemetry/3.5.x.json | 122 +- schemas/post-function/3.5.x.json | 140 +- schemas/pre-function/3.5.x.json | 140 +- schemas/prometheus/3.5.x.json | 42 +- 
schemas/proxy-cache-advanced/3.5.x.json | 319 ++-- schemas/proxy-cache/3.5.x.json | 123 +- schemas/rate-limiting-advanced/3.5.x.json | 312 ++-- schemas/rate-limiting/3.5.x.json | 262 ++-- schemas/request-size-limiting/3.5.x.json | 42 +- schemas/request-termination/3.5.x.json | 38 +- .../request-transformer-advanced/3.5.x.json | 138 +- schemas/request-transformer/3.5.x.json | 116 +- schemas/request-validator/3.5.x.json | 96 +- schemas/response-ratelimiting/3.5.x.json | 202 +-- .../response-transformer-advanced/3.5.x.json | 148 +- schemas/response-transformer/3.5.x.json | 134 +- schemas/route-by-header/3.5.x.json | 44 +- schemas/route-transformer-advanced/3.5.x.json | 44 +- schemas/saml/3.5.x.json | 506 +++---- schemas/session/3.5.x.json | 206 +-- schemas/statsd-advanced/3.5.x.json | 166 +- schemas/statsd/3.5.x.json | 188 +-- schemas/syslog/3.5.x.json | 66 +- schemas/tcp-log/3.5.x.json | 52 +- schemas/tls-handshake-modifier/3.5.x.json | 34 +- schemas/tls-metadata-headers/3.5.x.json | 60 +- schemas/udp-log/3.5.x.json | 46 +- schemas/upstream-timeout/3.5.x.json | 42 +- schemas/vault-auth/3.5.x.json | 62 +- schemas/websocket-size-limit/3.5.x.json | 40 +- schemas/websocket-validator/3.5.x.json | 92 +- schemas/xml-threat-protection/3.5.x.json | 242 +-- schemas/zipkin/3.5.x.json | 144 +- 74 files changed, 5020 insertions(+), 4904 deletions(-) diff --git a/schemas/acl/3.5.x.json b/schemas/acl/3.5.x.json index c2b72b09..b13e64a5 100644 --- a/schemas/acl/3.5.x.json +++ b/schemas/acl/3.5.x.json 
@@ -1,87 +1,87 @@ { - "entity_checks": [ - { - "only_one_of": [ - "config.allow", - "config.deny" - ] - }, - { - "at_least_one_of": [ - "config.allow", - "config.deny" - ] - } - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", + "required": true, "fields": [ { "allow": { - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } }, { "deny": { - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } }, { "hide_groups_header": { - "type": "boolean", "required": true, - "default": false + "default": false, + "type": "boolean" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + { + "only_one_of": [ + "config.allow", + "config.deny" + ] + }, + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } ] } \ No newline at end of file diff --git a/schemas/acme/3.5.x.json b/schemas/acme/3.5.x.json index 409513c9..bb6b9052 100644 --- a/schemas/acme/3.5.x.json +++ b/schemas/acme/3.5.x.json 
@@ -1,185 +1,164 @@ { - "entity_checks": [ - { - "conditional": { - "then_field": "config.tos_accepted", - "if_field": "config.api_uri", - "then_match": { - "eq": true - }, - "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", - "if_match": { - "one_of": [ - "https://acme-v02.api.letsencrypt.org", - "https://acme-staging-v02.api.letsencrypt.org" - ] - } - } - }, - { - "custom_entity_check": { - "field_sources": [ - "config.storage" - ] - } - } - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "service": { - "type": "foreign", + "reference": "services", "description": "A reference to the 'services' table with a null value allowed.", "eq": null, - "reference": "services" + "type": "foreign" } }, { "route": { - "type": "foreign", + "reference": "routes", "description": "A reference to the 'routes' table with a null value allowed.", "eq": null, - "reference": "routes" + "type": "foreign" } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", + "required": true, "fields": [ { "account_email": { - "match": "%w*%p*@+%w*%.?%w*", - "referenceable": true, + "required": true, "description": "The account identifier. 
Can be reused in a different plugin instance.", + "referenceable": true, + "match": "%w*%p*@+%w*%.?%w*", "encrypted": true, - "required": true, "type": "string" } }, { "account_key": { - "description": "The private key associated with the account.", + "required": false, "type": "record", "fields": [ { "key_id": { - "description": "The Key ID.", "required": true, - "type": "string" + "type": "string", + "description": "The Key ID." } }, { "key_set": { - "description": "The ID of the key set to associate the Key ID with.", - "type": "string" + "type": "string", + "description": "The ID of the key set to associate the Key ID with." } } ], - "required": false + "description": "The private key associated with the account." } }, { "api_uri": { - "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "default": "https://acme-v02.api.letsencrypt.org/directory" + "default": "https://acme-v02.api.letsencrypt.org/directory", + "type": "string" } }, { "tos_accepted": { - "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", "type": "boolean", - "default": false + "default": false, + "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service." } }, { "eab_kid": { - "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", - "encrypted": true, "referenceable": true, - "type": "string" + "type": "string", + "encrypted": true, + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA." } }, { "eab_hmac_key": { - "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. 
You usually don't need to set this unless it is explicitly required by the CA.", - "encrypted": true, "referenceable": true, - "type": "string" + "type": "string", + "encrypted": true, + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA." } }, { "cert_type": { - "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate.", "one_of": [ "rsa", "ecc" ], "type": "string", - "default": "rsa" + "default": "rsa", + "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate." } }, { "rsa_key_size": { - "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", "one_of": [ 2048, 3072, 4096 ], "type": "number", - "default": 4096 + "default": 4096, + "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096." } }, { "renew_threshold_days": { - "description": "Days remaining to renew the certificate before it expires.", "type": "number", - "default": 14 + "default": 14, + "description": "Days remaining to renew the certificate before it expires." } }, { "domains": { - "type": "array", "elements": { - "type": "string", + "match_all": [ + { + "pattern": "^[^*]*%*?[^*]*$", + "err": "invalid wildcard: must have at most one wildcard" + } + ], "match_any": { "patterns": [ "^%*%.", 
@@ -188,33 +167,28 @@ ], "err": "invalid wildcard: must be placed at leftmost or rightmost label" }, - "match_all": [ - { - "pattern": "^[^*]*%*?[^*]*$", - "err": "invalid wildcard: must have at most one wildcard" - } - ] + "type": "string" }, + "type": "array", "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')" } }, { "allow_any_domain": { - "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", "type": "boolean", - "default": false + "default": false, + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list." } }, { "fail_backoff_minutes": { - "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", "type": "number", - "default": 5 + "default": 5, + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate." } }, { "storage": { - "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well.", "one_of": [ "kong", "shm", 
@@ -223,40 +197,41 @@ "vault" ], "type": "string", - "default": "shm" + "default": "shm", + "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well." } }, { "storage_config": { - "type": "record", + "required": true, "fields": [ { "shm": { - "type": "record", + "required": true, "fields": [ { "shm_name": { - "description": "Name of shared memory zone used for Kong API gateway storage", "type": "string", - "default": "kong" + "default": "kong", + "description": "Name of shared memory zone used for Kong API gateway storage" } } ], - "required": true + "type": "record" } }, { "kong": { - "type": "record", + "required": true, "fields": [ ], - "required": true + "type": "record" } }, { "redis": { - "type": "record", + "required": true, "fields": [ { "host": { 
@@ -266,72 +241,80 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "database": { - "description": "The index of the Redis database to use.", - "type": "number" + "type": "number", + "description": "The index of the Redis database to use." } }, { "auth": { - "description": "The Redis password to use for authentication. ", "referenceable": true, - "type": "string" + "type": "string", + "description": "The Redis password to use for authentication. " } }, { "ssl": { - "description": "Whether to use SSL/TLS encryption when connecting to the Redis server.", - "type": "boolean", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "Whether to use SSL/TLS encryption when connecting to the Redis server." } }, { "ssl_verify": { - "description": "Whether to verify the SSL/TLS certificate presented by the Redis server. This should be a boolean value.", - "type": "boolean", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "Whether to verify the SSL/TLS certificate presented by the Redis server. This should be a boolean value." } }, { "ssl_server_name": { - "description": "The expected server name for the SSL/TLS certificate presented by the Redis server.", "required": false, + "description": "The expected server name for the SSL/TLS certificate presented by the Redis server.", "type": "string" } }, { "namespace": { - "type": "string", + "required": true, "len_min": 0, "description": "A namespace to prepend to all keys stored in Redis.", - "required": true, - "default": "" + "default": "", + "type": "string" + } + }, + { + "scan_count": { + "required": false, + "type": "number", + "default": 10, + "description": "The number of keys to return in Redis SCAN calls." 
} } ], - "required": true + "type": "record" } }, { "consul": { - "type": "record", + "required": true, "fields": [ { "https": { - "description": "Boolean representation of https.", "type": "boolean", - "default": false + "default": false, + "description": "Boolean representation of https." } }, { @@ -342,46 +325,46 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "kv_path": { - "description": "KV prefix path.", - "type": "string" + "type": "string", + "description": "KV prefix path." } }, { "timeout": { - "description": "Timeout in milliseconds.", - "type": "number" + "type": "number", + "description": "Timeout in milliseconds." } }, { "token": { - "description": "Consul ACL token.", "referenceable": true, - "type": "string" + "type": "string", + "description": "Consul ACL token." } } ], - "required": true + "type": "record" } }, { "vault": { - "type": "record", + "required": true, "fields": [ { "https": { - "description": "Boolean representation of https.", "type": "boolean", - "default": false + "default": false, + "description": "Boolean representation of https." } }, { 
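Review bot: In the `redis` storage record, `ssl` and `ssl_verify` both default to `false`, and `auth` is `referenceable` but not `encrypted`. An unmodified configuration therefore reaches Redis in cleartext without checking the server certificate, and (assuming `encrypted` marks a field for at-rest encryption) stores the password without the protection `eab_hmac_key` gets earlier in this file. This snapshot is pulled from the API, so the fix belongs in the upstream plugin schema: `"default": true` on `ssl_verify` and `"encrypted": true` on `auth`. Until then the `ssl_verify` description could carry the caveat, e.g. `Disabled by default; enable together with ssl when Redis is reached over a network you do not control.` The `token` fields in the `consul` hunk on this same line and in the `vault` hunk that follows are likewise `referenceable` without `encrypted`.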
@@ -392,98 +375,123 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "kv_path": { - "description": "KV prefix path.", - "type": "string" + "type": "string", + "description": "KV prefix path." } }, { "timeout": { - "description": "Timeout in milliseconds.", - "type": "number" + "type": "number", + "description": "Timeout in milliseconds." } }, { "token": { - "description": "Consul ACL token.", "referenceable": true, - "type": "string" + "type": "string", + "description": "Consul ACL token." } }, { "tls_verify": { - "description": "Turn on TLS verification.", "type": "boolean", - "default": true + "default": true, + "description": "Turn on TLS verification." } }, { "tls_server_name": { - "description": "SNI used in request, default to host if omitted.", - "type": "string" + "type": "string", + "description": "SNI used in request, default to host if omitted." } }, { "auth_method": { - "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", "one_of": [ "token", "kubernetes" ], - "type": "string", - "default": "token" + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", + "default": "token", + "type": "string" } }, { "auth_path": { - "description": "Vault's authentication path to use.", - "type": "string" + "type": "string", + "description": "Vault's authentication path to use." } }, { "auth_role": { - "description": "The role to try and assign.", - "type": "string" + "type": "string", + "description": "The role to try and assign." } }, { "jwt_path": { - "description": "The path to the JWT.", - "type": "string" + "type": "string", + "description": "The path to the JWT." 
} } ], - "required": true + "type": "record" } } ], - "required": true + "type": "record" } }, { "preferred_chain": { - "type": "string", - "description": "A string value that specifies the preferred certificate chain to use when generating certificates." + "description": "A string value that specifies the preferred certificate chain to use when generating certificates.", + "type": "string" } }, { "enable_ipv4_common_name": { - "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", "type": "boolean", - "default": true + "default": true, + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates." } } ], - "required": true + "type": "record" + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "https://acme-v02.api.letsencrypt.org", + "https://acme-staging-v02.api.letsencrypt.org" + ] + }, + "then_field": "config.tos_accepted", + "if_field": "config.api_uri", + "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", + "then_match": { + "eq": true + } + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.storage" + ] } } ] diff --git a/schemas/application-registration/3.5.x.json b/schemas/application-registration/3.5.x.json index e2295f45..51fc1456 100644 --- a/schemas/application-registration/3.5.x.json +++ b/schemas/application-registration/3.5.x.json 
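Review bot: The `token` field in this hunk is described as `"Consul ACL token."`, but its siblings (`tls_verify`, `auth_method`, `auth_path`, `jwt_path`) indicate it sits in the `vault` storage record, which opens in the previous hunk. The text looks carried over from the `consul` record. The description should name the right secret, something like `"description": "Vault token, used when auth_method is 'token'."`, and the correction has to land in the upstream schema these files are downloaded from. A mislabelled credential field makes it easy for an operator to supply the wrong secret to the wrong backend.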
@@ -1,100 +1,100 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "service": { - "type": "foreign", + "reference": "services", "on_delete": "cascade", "ne": null, - "reference": "services" + "type": "foreign" } }, { "route": { - "type": "foreign", + "reference": "routes", "description": "A reference to the 'routes' table with a null value allowed.", "eq": null, - "reference": "routes" + "type": "foreign" } }, { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "display_name": { - "type": "string", - "unique": true, "required": true, + "unique": true, + "type": "string", "description": "Unique display name used for a Service in the Developer Portal." } }, { "description": { - "type": "string", "unique": true, + "type": "string", "description": "Unique description displayed in information about a Service in the Developer Portal." 
} }, { "auto_approve": { - "type": "boolean", - "description": "If enabled, all new Service Contracts requests are automatically approved.", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "If enabled, all new Service Contracts requests are automatically approved." } }, { "show_issuer": { - "type": "boolean", - "description": "Displays the **Issuer URL** in the **Service Details** dialog.", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "Displays the **Issuer URL** in the **Service Details** dialog." } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/aws-lambda/3.5.x.json b/schemas/aws-lambda/3.5.x.json index b5897dc2..0b860117 100644 --- a/schemas/aws-lambda/3.5.x.json +++ b/schemas/aws-lambda/3.5.x.json 
@@ -1,99 +1,84 @@ { - "entity_checks": [ - { - "mutually_required": [ - "config.aws_key", - "config.aws_secret" - ] - }, - { - "custom_entity_check": { - "field_sources": [ - "config.proxy_url" - ] - } - } - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "timeout": { - "type": "number", - "description": "An optional timeout in milliseconds when invoking the function.", "required": true, - "default": 60000 + "type": "number", + "default": 60000, + "description": "An optional timeout in milliseconds when invoking the function." } }, { "keepalive": { - "type": "number", - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", "required": true, - "default": 60000 + "type": "number", + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." } }, { "aws_key": { + "referenceable": true, "type": "string", "encrypted": true, - "referenceable": true, "description": "The AWS key credential to be used when invoking the function." } }, { "aws_secret": { + "referenceable": true, "type": "string", "encrypted": true, - "referenceable": true, "description": "The AWS secret credential to be used when invoking the function. 
" } }, { "aws_assume_role_arn": { + "referenceable": true, "type": "string", "encrypted": true, - "referenceable": true, "description": "The target AWS IAM role ARN used to invoke the Lambda function." } }, { "aws_role_session_name": { "type": "string", - "description": "The identifier of the assumed role session.", - "default": "kong" + "default": "kong", + "description": "The identifier of the assumed role session." } }, { @@ -104,40 +89,40 @@ }, { "function_name": { - "type": "string", "required": false, + "type": "string", "description": "The AWS Lambda function name to invoke." } }, { "qualifier": { - "type": "string", - "description": "The qualifier to use when invoking the function." + "description": "The qualifier to use when invoking the function.", + "type": "string" } }, { "invocation_type": { - "type": "string", - "default": "RequestResponse", - "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", "required": true, "one_of": [ "RequestResponse", "Event", "DryRun" - ] + ], + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", + "default": "RequestResponse", + "type": "string" } }, { "log_type": { - "type": "string", - "default": "Tail", - "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", "required": true, "one_of": [ "Tail", "None" - ] + ], + "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", + "default": "Tail", + "type": "string" } }, { 
@@ -148,71 +133,71 @@ }, { "port": { - "type": "integer", - "default": 443, "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 443, + "type": "integer" } }, { "disable_https": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "unhandled_status": { - "type": "integer", "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", "between": [ 100, 999 - ] + ], + "type": "integer" } }, { "forward_request_method": { "type": "boolean", - "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", - "default": false + "default": false, + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request." } }, { "forward_request_uri": { "type": "boolean", - "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", - "default": false + "default": false, + "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request." } }, { "forward_request_headers": { "type": "boolean", - "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", - "default": false + "default": false, + "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request." 
} }, { "forward_request_body": { "type": "boolean", - "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. ", - "default": false + "default": false, + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. " } }, { "is_proxy_integration": { "type": "boolean", - "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", - "default": false + "default": false, + "description": "An optional value that defines whether the response format to receive from the Lambda to this format." } }, { "awsgateway_compatible": { "type": "boolean", - "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", - "default": false + "default": false, + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway." } }, { 
@@ -224,31 +209,46 @@ { "skip_large_bodies": { "type": "boolean", - "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", - "default": true + "default": true, + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk" } }, { "base64_encode_body": { "type": "boolean", - "description": "An optional value that Base64-encodes the request body.", - "default": true + "default": true, + "description": "An optional value that Base64-encodes the request body." } }, { "aws_imds_protocol_version": { - "type": "string", - "default": "v1", - "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", "required": true, "one_of": [ "v1", "v2" - ] + ], + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", + "default": "v1", + "type": "string" } } ], - "required": true + "type": "record" + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "config.aws_key", + "config.aws_secret" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "config.proxy_url" + ] } } ] diff --git a/schemas/azure-functions/3.5.x.json b/schemas/azure-functions/3.5.x.json index 73180695..5d140e0d 100644 --- a/schemas/azure-functions/3.5.x.json +++ b/schemas/azure-functions/3.5.x.json @@ -1,13 +1,9 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
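Review bot: `aws_imds_protocol_version` keeps `"default": "v1"` although `v2` is an accepted value. IMDSv2's session-token handshake is the standard hardening against instance-credential exposure through request-forgery bugs, so the safer value should be the default, or the description should say why it is not. Suggested upstream change: `"default": "v2"`, or extend the description with `Prefer v2 wherever the instance metadata service supports it.` The snapshot only mirrors the API, so it should follow once the plugin schema changes.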
@@ -20,106 +16,110 @@ "ws", "wss" ], + "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", - "required": true + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "timeout": { - "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", "type": "number", - "default": 600000 + "default": 600000, + "description": "Timeout in milliseconds before closing a connection to the Azure Functions server." } }, { "keepalive": { - "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", "type": "number", - "default": 60000 + "default": 60000, + "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed." } }, { "https": { "description": "Use of HTTPS to connect with the Azure Functions server.", - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "https_verify": { - "description": "Set to `true` to authenticate the Azure Functions server.", "type": "boolean", - "default": false + "default": false, + "description": "Set to `true` to authenticate the Azure Functions server." } }, { "apikey": { - "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", "encrypted": true, + "type": "string", "referenceable": true, - "type": "string" + "description": "The apikey to access the Azure resources. 
If provided, it is injected as the `x-functions-key` header." } }, { "clientid": { - "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.", "encrypted": true, + "type": "string", "referenceable": true, - "type": "string" + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header." } }, { "appname": { - "description": "The Azure app name.", "required": true, + "description": "The Azure app name.", "type": "string" } }, { "hostdomain": { - "description": "The domain where the function resides.", - "type": "string", "required": true, - "default": "azurewebsites.net" + "description": "The domain where the function resides.", + "default": "azurewebsites.net", + "type": "string" } }, { "routeprefix": { - "description": "Route prefix to use.", "type": "string", - "default": "api" + "default": "api", + "description": "Route prefix to use." } }, { "functionname": { - "description": "Name of the Azure function to invoke.", "required": true, + "description": "Name of the Azure function to invoke.", "type": "string" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/basic-auth/3.5.x.json b/schemas/basic-auth/3.5.x.json index 56f6b4dc..34968d4f 100644 --- a/schemas/basic-auth/3.5.x.json +++ b/schemas/basic-auth/3.5.x.json @@ -1,22 +1,17 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", @@ -24,7 +19,8 @@ "https", "ws", "wss" - ] + ], + "type": "string" }, "default": [ "grpc", 
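Review bot: `https_verify` defaults to `false` while `https` defaults to `true`, so out of the box the connection is encrypted but the Azure Functions server is not authenticated. Per their descriptions, `apikey` and `clientid` are injected as `x-functions-key` and `x-functions-clientid` headers on that connection. Upstream the field should be `"default": true`. At minimum the description should state the consequence, e.g. `Verification is off by default; set to true so the function key is only sent to an authenticated server.`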
@@ -33,38 +29,42 @@ "https", "ws", "wss" - ] + ], + "type": "set" } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "anonymous": { - "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`.", - "type": "string" + "type": "string", + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { "hide_credentials": { - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", - "type": "boolean", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it." } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/bot-detection/3.5.x.json b/schemas/bot-detection/3.5.x.json index 0a24e40f..064f7db2 100644 --- a/schemas/bot-detection/3.5.x.json +++ b/schemas/bot-detection/3.5.x.json 
@@ -1,79 +1,79 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "allow": { - "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", - "type": "array", "elements": { "type": "string", "is_regex": true }, + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", "default": [ - ] + ], + "type": "array" } }, { "deny": { - "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", - "type": "array", "elements": { "type": "string", "is_regex": true }, + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", "default": [ - ] + ], + "type": "array" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
diff --git a/schemas/canary/3.5.x.json b/schemas/canary/3.5.x.json index cedbf947..ce7c257d 100644 --- a/schemas/canary/3.5.x.json +++ b/schemas/canary/3.5.x.json @@ -1,87 +1,46 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.upstream_uri", - "config.upstream_host", - "config.upstream_port" - ] - }, - { - "conditional": { - "then_field": "config.hash_header", - "if_field": "config.hash", - "then_match": { - "required": true - }, - "if_match": { - "eq": "header" - } - } - }, - { - "conditional": { - "then_field": "config.upstream_host", - "if_field": "config.upstream_fallback", - "then_match": { - "required": true - }, - "if_match": { - "eq": true - } - } - } - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", - "shorthand_fields": [ - { - "hash": { - "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead.", - "type": "string" - } - } - ], + "required": true, "fields": [ { "start": { 
@@ -91,7 +50,6 @@ }, { "hash": { - "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", "one_of": [ "consumer", "ip", @@ -100,8 +58,9 @@ "deny", "header" ], - "type": "string", - "default": "consumer" + "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", + "default": "consumer", + "type": "string" } }, { @@ -113,27 +72,27 @@ { "duration": { "gt": 0, - "type": "number", "description": "The duration of the canary release in seconds.", - "default": 3600 + "default": 3600, + "type": "number" } }, { "steps": { "gt": 1, - "type": "number", "description": "The number of steps for the canary release.", - "default": 1000 + "default": 1000, + "type": "number" } }, { "percentage": { - "description": "The percentage of traffic to be routed to the canary release.", "type": "number", "between": [ 0, 100 - ] + ], + "description": "The percentage of traffic to be routed to the canary release." } }, { 
@@ -144,36 +103,36 @@ }, { "upstream_port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "upstream_uri": { - "description": "The URI of the upstream server to be used for the canary release.", + "len_min": 1, "type": "string", - "len_min": 1 + "description": "The URI of the upstream server to be used for the canary release." } }, { "upstream_fallback": { - "description": "Specifies whether to fallback to the upstream server if the canary release fails.", - "type": "boolean", "required": true, - "default": false + "description": "Specifies whether to fallback to the upstream server if the canary release fails.", + "default": false, + "type": "boolean" } }, { "groups": { - "description": "The groups allowed to access the canary release.", "elements": { "type": "string" }, - "type": "array" + "type": "array", + "description": "The groups allowed to access the canary release." } }, { @@ -183,7 +142,48 @@ } } ], - "required": true + "shorthand_fields": [ + { + "hash": { + "type": "string", + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead." + } + } + ], + "type": "record" + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.upstream_uri", + "config.upstream_host", + "config.upstream_port" + ] + }, + { + "conditional": { + "then_field": "config.hash_header", + "if_field": "config.hash", + "then_match": { + "required": true + }, + "if_match": { + "eq": "header" + } + } + }, + { + "conditional": { + "then_field": "config.upstream_host", + "if_field": "config.upstream_fallback", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + } } } ] 
diff --git a/schemas/correlation-id/3.5.x.json b/schemas/correlation-id/3.5.x.json index fe94f549..e54598ed 100644 --- a/schemas/correlation-id/3.5.x.json +++ b/schemas/correlation-id/3.5.x.json 
@@ -1,72 +1,72 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "header_name": { "description": "The HTTP header name to use for the correlation ID.", - "type": "string", - "default": "Kong-Request-ID" + "default": "Kong-Request-ID", + "type": "string" } }, { "generator": { - "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", "one_of": [ "uuid", "uuid#counter", "tracker" ], - "type": "string", - "default": "uuid#counter" + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", + "default": "uuid#counter", + "type": "string" } }, { "echo_downstream": { - "description": "Whether to echo the header back to downstream (the client).", - "type": "boolean", "required": true, - "default": false + "description": "Whether to echo the header back to downstream (the client).", + "default": false, + "type": "boolean" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/cors/3.5.x.json b/schemas/cors/3.5.x.json index 175c5e44..a952df50 100644 --- a/schemas/cors/3.5.x.json +++ b/schemas/cors/3.5.x.json 
@@ -1,85 +1,79 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" ], + "type": "string", "required": true, "len_min": 1 }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "origins": { - "type": "array", "elements": { "type": "string" }, - "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes." + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.", + "type": "array" } }, { "headers": { - "type": "array", "elements": { "type": "string" }, - "description": "Value for the `Access-Control-Allow-Headers` header." + "description": "Value for the `Access-Control-Allow-Headers` header.", + "type": "array" } }, { "exposed_headers": { - "type": "array", "elements": { "type": "string" }, - "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed." 
+ "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", + "type": "array" } }, { "methods": { - "type": "array", - "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", "elements": { - "type": "string", "one_of": [ "GET", "HEAD", @@ -90,8 +84,10 @@ "OPTIONS", "TRACE", "CONNECT" - ] + ], + "type": "string" }, + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", "default": [ "GET", "HEAD", @@ -102,7 +98,8 @@ "OPTIONS", "TRACE", "CONNECT" - ] + ], + "type": "array" } }, { @@ -113,23 +110,34 @@ }, { "credentials": { + "required": true, "type": "boolean", - "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value." + } + }, + { + "private_network": { "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value." } }, { "preflight_continue": { - "type": "boolean", - "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service." } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
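Review bot: The description of the new `config.private_network` field in the last cors hunk says only which header is sent and leaves out what enabling it permits. `Access-Control-Allow-Private-Network: true` is the server's opt-in answer to a browser's Private Network Access preflight, so with the flag on, a page loaded from a public origin can be allowed to call a service on a private network through this route. The `origins` field in the same schema accepts `*` and regexes, so I would extend the description with a caveat such as `Enable only when origins is restricted to trusted origins, never together with *.` Since these files appear to be downloaded from the schema API, the wording probably has to change in the plugin's schema upstream, not in this JSON.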
diff --git a/schemas/datadog/3.5.x.json b/schemas/datadog/3.5.x.json index 26d7208a..7615c352 100644 --- a/schemas/datadog/3.5.x.json +++ b/schemas/datadog/3.5.x.json @@ -1,13 +1,9 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,87 +16,77 @@ "ws", "wss" ], + "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", - "required": true + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "retry_count", - "queue_size", - "flush_timeout" - ] - } - } - ], "required": true, + "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "referenceable": true, - "default": "localhost" + "description": "A string representing a host name, such as example.com.", + "default": "localhost", + "type": "string" } }, { "port": { - "type": "integer", - "default": 8125, "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 8125, + "type": "integer" } }, { "prefix": { "description": "String to be attached as a prefix to a metric's name.", - "type": "string", - "default": "kong" + "default": "kong", + "type": "string" } }, { "service_name_tag": { "description": "String to be attached as the name of the service.", - "type": "string", - "default": "name" + "default": "name", + "type": "string" } }, { "status_tag": { "description": "String to be attached as the tag of the HTTP status.", - "type": "string", - "default": "status" + "default": "status", + "type": "string" } }, { "consumer_tag": { "description": "String to be attached as tag of the consumer.", - "type": "string", - "default": "consumer" + "default": "consumer", + "type": "string" } 
}, { @@ -123,13 +109,13 @@ }, { "queue": { - "type": "record", + "required": true, "fields": [ { "max_batch_size": { "type": "integer", - "default": 1, "description": "Maximum number of entries that can be processed at a time.", + "default": 1, "between": [ 1, 1000000 @@ -139,8 +125,8 @@ { "max_coalescing_delay": { "type": "number", - "default": 1, "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "default": 1, "between": [ 0, 3600 @@ -150,8 +136,8 @@ { "max_entries": { "type": "integer", - "default": 10000, "description": "Maximum number of entries that can be waiting on the queue.", + "default": 10000, "between": [ 1, 1000000 @@ -167,15 +153,15 @@ { "max_retry_time": { "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "default": 60 + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { "type": "number", - "default": 0.01, "description": "Time in seconds before the initial retry is made for a failing batch.", + "default": 0.01, "between": [ 0.001, 1000000 @@ -185,29 +171,28 @@ { "max_retry_delay": { "type": "number", - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff." } } ], - "required": true + "type": "record" } }, { "metrics": { - "type": "array", + "required": true, "elements": { "type": "record", "fields": [ { "name": { - "description": "Datadog metric’s name", - "type": "string", "required": true, + "description": "Datadog metric’s name", "one_of": [ "kong_latency", "latency", 
@@ -215,14 +200,14 @@ "request_size", "response_size", "upstream_latency" - ] + ], + "type": "string" } }, { "stat_type": { - "description": "Determines what sort of event the metric represents", - "type": "string", "required": true, + "description": "Determines what sort of event the metric represents", "one_of": [ "counter", "gauge", @@ -231,38 +216,39 @@ "set", "timer", "distribution" - ] + ], + "type": "string" } }, { "tags": { - "description": "List of tags", "elements": { "match": "^.*[^:]$", "type": "string" }, - "type": "array" + "type": "array", + "description": "List of tags" } }, { "sample_rate": { - "description": "Sampling rate", "type": "number", "between": [ 0, 1 - ] + ], + "description": "Sampling rate" } }, { "consumer_identifier": { - "description": "Authenticated user detail", - "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ] + ], + "type": "string", + "description": "Authenticated user detail" } } ], 
@@ -284,63 +270,77 @@ } ] }, + "type": "array", "default": [ { - "sample_rate": 1, - "stat_type": "counter", - "name": "request_count", - "consumer_identifier": "custom_id", "tags": [ "app:kong" - ] + ], + "consumer_identifier": "custom_id", + "name": "request_count", + "sample_rate": 1, + "stat_type": "counter" }, { + "name": "latency", "tags": [ "app:kong" ], - "name": "latency", "consumer_identifier": "custom_id", "stat_type": "timer" }, { + "name": "request_size", "tags": [ "app:kong" ], - "name": "request_size", "consumer_identifier": "custom_id", "stat_type": "timer" }, { + "name": "response_size", "tags": [ "app:kong" ], - "name": "response_size", "consumer_identifier": "custom_id", "stat_type": "timer" }, { + "name": "upstream_latency", "tags": [ "app:kong" ], - "name": "upstream_latency", "consumer_identifier": "custom_id", "stat_type": "timer" }, { + "name": "kong_latency", "tags": [ "app:kong" ], - "name": "kong_latency", "consumer_identifier": "custom_id", "stat_type": "timer" } ], - "description": "List of metrics to be logged.", - "required": true + "description": "List of metrics to be logged." + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "retry_count", + "queue_size", + "flush_timeout" + ] } } ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/degraphql/3.5.x.json b/schemas/degraphql/3.5.x.json index 12e4c024..feeb1582 100644 --- a/schemas/degraphql/3.5.x.json +++ b/schemas/degraphql/3.5.x.json 
@@ -1,68 +1,68 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "graphql_server_path": { - "type": "string", - "default": "/graphql", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "required": true, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "required": true, - "starts_with": "/" + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "default": "/graphql", + "type": "string" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/exit-transformer/3.5.x.json b/schemas/exit-transformer/3.5.x.json index 066e3b40..ce275844 100644 --- a/schemas/exit-transformer/3.5.x.json +++ b/schemas/exit-transformer/3.5.x.json 
@@ -1,68 +1,68 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "functions": { - "type": "array", "required": true, "elements": { "type": "string" - } + }, + "type": "array" } }, { "handle_unknown": { "type": "boolean", - "description": "Determines whether to handle unknown status codes by transforming their responses.", - "default": false + "default": false, + "description": "Determines whether to handle unknown status codes by transforming their responses." } }, { "handle_unexpected": { "type": "boolean", - "description": "Determines whether to handle unexpected errors by transforming their responses.", - "default": false + "default": false, + "description": "Determines whether to handle unexpected errors by transforming their responses." } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/file-log/3.5.x.json b/schemas/file-log/3.5.x.json index fac93b9c..3389196f 100644 --- a/schemas/file-log/3.5.x.json +++ b/schemas/file-log/3.5.x.json @@ -1,13 +1,9 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,64 +16,68 @@ "ws", "wss" ], + "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", - "required": true + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "path": { + "required": true, + "err": "not a valid filename", "match": "^[^*&%%\\`]+$", - "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", "type": "string", - "required": true, - "err": "not a valid filename" + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet." } }, { "reopen": { - "type": "boolean", - "description": "Determines whether the log file is closed and reopened on every request.", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "Determines whether the log file is closed and reopened on every request." } }, { "custom_fields_by_lua": { "type": "map", - "values": { - "type": "string", - "len_min": 1 - }, - "description": "Lua code as a key-value map", "keys": { "type": "string", "len_min": 1 - } + }, + "values": { + "len_min": 1, + "type": "string" + }, + "description": "Lua code as a key-value map" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/forward-proxy/3.5.x.json b/schemas/forward-proxy/3.5.x.json index 3ee1c813..8573ec7a 100644 --- a/schemas/forward-proxy/3.5.x.json +++ b/schemas/forward-proxy/3.5.x.json 
@@ -1,41 +1,38 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "shorthand_fields": [ { "proxy_host": { @@ -48,18 +45,44 @@ } } ], + "entity_checks": [ + { + "at_least_one_of": [ + "http_proxy_host", + "https_proxy_host" + ] + }, + { + "at_least_one_of": [ + "http_proxy_port", + "https_proxy_port" + ] + }, + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], "fields": [ { "x_headers": { - "type": "string", - "default": "append", - "description": "Determines how to handle headers when forwarding the request.", "required": true, "one_of": [ "append", "transparent", "delete" - ] + ], + "type": "string", + "default": "append", + "description": "Determines how to handle headers when forwarding the request." } }, { @@ -70,12 +93,12 @@ }, { "http_proxy_port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { 
@@ -86,78 +109,55 @@ }, { "https_proxy_port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "proxy_scheme": { - "type": "string", - "default": "http", - "description": "The proxy scheme to use when connecting. Only `http` is supported.", "required": true, "one_of": [ "http" - ] + ], + "type": "string", + "default": "http", + "description": "The proxy scheme to use when connecting. Only `http` is supported." } }, { "auth_username": { - "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", "required": false, + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", "referenceable": true, "type": "string" } }, { "auth_password": { - "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", "required": false, + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", "referenceable": true, "type": "string" } }, { "https_verify": { - "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", - "type": "boolean", "required": true, - "default": false + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "default": false, + "type": "boolean" } } ], - "required": true, - "entity_checks": [ - { - "at_least_one_of": [ - "http_proxy_host", - "https_proxy_host" - ] - }, - { - "at_least_one_of": [ - "http_proxy_port", - "https_proxy_port" - ] - }, - { - "mutually_required": [ - "http_proxy_host", - "http_proxy_port" - ] - }, - { - "mutually_required": [ - "https_proxy_host", 
- "https_proxy_port" - ] - } - ] + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/graphql-proxy-cache-advanced/3.5.x.json b/schemas/graphql-proxy-cache-advanced/3.5.x.json index 100dfec6..05969c29 100644 --- a/schemas/graphql-proxy-cache-advanced/3.5.x.json +++ b/schemas/graphql-proxy-cache-advanced/3.5.x.json 
@@ -1,89 +1,89 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "strategy": { - "type": "string", - "default": "memory", - "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", "required": true, "one_of": [ "memory" - ] + ], + "type": "string", + "default": "memory", + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`." } }, { "cache_ttl": { "gt": 0, "type": "integer", - "description": "TTL in seconds of cache entities. Must be a value greater than 0.", - "default": 300 + "default": 300, + "description": "TTL in seconds of cache entities. Must be a value greater than 0." } }, { "memory": { - "type": "record", + "required": true, "fields": [ { "dictionary_name": { - "type": "string", - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", "required": true, - "default": "kong_db_cache" + "type": "string", + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template." 
} } ], - "required": true + "type": "record" } }, { "vary_headers": { - "type": "array", "elements": { "type": "string" }, - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "type": "array" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/graphql-rate-limiting-advanced/3.5.x.json b/schemas/graphql-rate-limiting-advanced/3.5.x.json index ed15567e..b4fd1b52 100644 --- a/schemas/graphql-rate-limiting-advanced/3.5.x.json +++ b/schemas/graphql-rate-limiting-advanced/3.5.x.json 
@@ -1,235 +1,156 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_field": "config.strategy", - "then_at_least_one_of": [ - "config.redis.host", - "config.redis.sentinel_master" - ], - "if_match": { - "eq": "redis" - } - } - } - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "identifier": { - "type": "string", - "default": "consumer", - "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", "required": true, "one_of": [ "ip", "credential", "consumer" - ] + ], + "type": "string", + "default": "consumer", + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`." 
} }, { "window_size": { - "type": "array", + "required": true, "description": "One or more window sizes to apply a limit to (defined in seconds).", "elements": { "type": "number" }, - "required": true + "type": "array" } }, { "window_type": { - "type": "string", "one_of": [ "fixed", "sliding" ], "description": "Sets the time window to either `sliding` or `fixed`.", - "default": "sliding" + "default": "sliding", + "type": "string" } }, { "limit": { - "type": "array", + "required": true, "description": "One or more requests-per-window limits to apply.", "elements": { "type": "number" }, - "required": true + "type": "array" } }, { "sync_rate": { - "type": "number", "required": true, - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds." + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.", + "type": "number" } }, { "namespace": { - "type": "string", - "description": "The rate limiting library namespace to use for this plugin instance.", - "auto": true + "description": "The rate limiting library namespace to use for this plugin instance. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. 
`strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", + "auto": true, + "type": "string" } }, { "strategy": { - "type": "string", - "default": "cluster", - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", "required": true, "one_of": [ "cluster", "redis" - ] + ], + "type": "string", + "default": "cluster", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits." } }, { "dictionary_name": { - "type": "string", - "description": "The shared dictionary where counters will be stored until the next sync cycle.", "required": true, - "default": "kong_rate_limiting_counters" + "description": "The shared dictionary where counters will be stored until the next sync cycle.", + "default": "kong_rate_limiting_counters", + "type": "string" } }, { "hide_client_headers": { - "type": "boolean", "description": "Optionally hide informative response headers. Available options: `true` or `false`.", - "default": false + "default": false, + "type": "boolean" } }, { "cost_strategy": { - "type": "string", "one_of": [ "default", "node_quantifier" ], "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", - "default": "default" + "default": "default", + "type": "string" } }, { "score_factor": { + "required": false, + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", "gt": 0, "default": 1, - "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", - "required": false, "type": "number" } }, { "max_cost": { - "type": "number", - "description": "A defined maximum cost per query. 0 means unlimited.", "required": false, - "default": 0 + "description": "A defined maximum cost per query. 
0 means unlimited.", + "default": 0, + "type": "number" } }, { "redis": { - "type": "record", - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_addresses" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_addresses" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - } - ], "required": true, + "type": "record", "fields": [ { "host": { 
@@ -239,178 +160,245 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "timeout": { - "type": "integer", - "default": 2000, "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "type": "integer" } }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "username": { - "type": "string", "referenceable": true, + "type": "string", "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." } }, { "password": { - "type": "string", "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "referenceable": true, - "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis." + "type": "string" } }, { "sentinel_username": { - "type": "string", "referenceable": true, + "type": "string", "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." } }, { "sentinel_password": { - "type": "string", "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "referenceable": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + "type": "string" } }, { "database": { "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy", - "default": 0 + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy" } }, { "keepalive_pool_size": { "type": "integer", - "default": 30, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value.", "between": [ 1, 2147483646 - ] + ], + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." } }, { "keepalive_backlog": { - "type": "integer", - "description": "Limits the total number of opened connections for a pool. 
If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued connect operations resume once the number of connections in the pool is less than `keepalive_pool_size`. Note that queued connect operations are subject to set timeouts.", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 - ] + ], + "type": "integer" } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", "one_of": [ "master", "slave", "any" - ] + ], + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_addresses": { - "type": "array", - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. 
The minimum length of the array is 1 element.", "elements": { "type": "string" }, + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "type": "array", "len_min": 1 } }, { "cluster_addresses": { - "type": "array", - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "type": "array", "len_min": 1 } }, { "ssl": { - "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "If set to true, uses SSL to connect to Redis." } }, { "ssl_verify": { - "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." 
} }, { "server_name": { - "type": "string", "required": false, - "description": "A string representing an SNI (server name indication) value for TLS." + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" } } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "cluster_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "cluster_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } ] } } ], - "required": true + "type": "record" + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/grpc-gateway/3.5.x.json b/schemas/grpc-gateway/3.5.x.json index e7eeb8db..7a47949c 100644 --- a/schemas/grpc-gateway/3.5.x.json +++ b/schemas/grpc-gateway/3.5.x.json @@ -1,13 +1,9 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
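Review bot: The top-level `entity_checks` added at the end of this hunk carries only `custom_entity_check`; the `conditional_at_least_one_of` entry removed in this file's first hunk (`@@ -1,235 +1,156 @@`) is not re-added anywhere in the new file. That rule required `config.redis.host` or `config.redis.sentinel_master` whenever `config.strategy` is `redis`, so the schema now describes a `redis` strategy with no Redis endpoint as acceptable. The `redis` record's own checks were only moved, not dropped, so it is worth confirming against the plugin release whether this one rule was really removed upstream. If it is still enforced, restore `{ "conditional_at_least_one_of": { "if_field": "config.strategy", "if_match": { "eq": "redis" }, "then_at_least_one_of": [ "config.redis.host", "config.redis.sentinel_master" ] } }` next to `custom_entity_check`.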
@@ -20,40 +16,44 @@ "ws", "wss" ], + "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", - "required": true + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "proto": { - "description": "Describes the gRPC types and methods.", "required": false, + "description": "Describes the gRPC types and methods.", "type": "string" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/grpc-web/3.5.x.json b/schemas/grpc-web/3.5.x.json index 154c7822..f2a2fde1 100644 --- a/schemas/grpc-web/3.5.x.json +++ b/schemas/grpc-web/3.5.x.json @@ -1,13 +1,9 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,55 +16,59 @@ "ws", "wss" ], + "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", - "required": true + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "proto": { - "type": "string", "required": false, - "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content." + "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", + "type": "string" } }, { "pass_stripped_path": { - "type": "boolean", "required": false, - "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service." + "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", + "type": "boolean" } }, { "allow_origin_header": { - "type": "string", - "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", "required": false, - "default": "*" + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", + "default": "*", + "type": "string" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/hmac-auth/3.5.x.json b/schemas/hmac-auth/3.5.x.json index a3aa1f7d..6b792e49 100644 
--- a/schemas/hmac-auth/3.5.x.json +++ b/schemas/hmac-auth/3.5.x.json @@ -1,28 +1,17 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.algorithms" - ] - } - } - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", @@ -30,7 +19,8 @@ "https", "ws", "wss" - ] + ], + "type": "string" }, "default": [ "grpc", 
@@ -39,86 +29,96 @@ "https", "ws", "wss" - ] + ], + "type": "set" } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "hide_credentials": { - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", - "type": "boolean", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service." } }, { "clock_skew": { "gt": 0, "type": "number", - "description": "Clock skew in seconds to prevent replay attacks.", - "default": 300 + "default": 300, + "description": "Clock skew in seconds to prevent replay attacks." } }, { "anonymous": { - "type": "string", - "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" } }, { "validate_request_body": { - "description": "A boolean value telling the plugin to enable body validation.", - "type": "boolean", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "A boolean value telling the plugin to enable body validation." 
} }, { "enforce_headers": { - "description": "A list of headers that the client should at least use for HTTP signature creation.", - "type": "array", "elements": { "type": "string" }, + "description": "A list of headers that the client should at least use for HTTP signature creation.", "default": [ - ] + ], + "type": "array" } }, { "algorithms": { - "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", - "type": "array", "elements": { - "type": "string", "one_of": [ "hmac-sha1", "hmac-sha256", "hmac-sha384", "hmac-sha512" - ] + ], + "type": "string" }, + "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", "default": [ "hmac-sha1", "hmac-sha256", "hmac-sha384", "hmac-sha512" - ] + ], + "type": "array" } } ], - "required": true + "type": "record" + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.algorithms" + ] } } ] diff --git a/schemas/http-log/3.5.x.json b/schemas/http-log/3.5.x.json index 060d09a7..c1684a24 100644 --- a/schemas/http-log/3.5.x.json +++ b/schemas/http-log/3.5.x.json @@ -1,13 +1,9 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,142 +16,133 @@ "ws", "wss" ], + "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", - "required": true + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { + "required": true, "type": "record", - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "retry_count", - "queue_size", - "flush_timeout" - ] - } - } - ], "fields": [ { "http_endpoint": { - "type": "string", + "required": true, "referenceable": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "encrypted": true, - "required": true + "type": "string" } }, { "method": { - "type": "string", "one_of": [ "POST", "PUT", "PATCH" ], "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", - "default": "POST" + "default": "POST", + "type": "string" } }, { "content_type": { - "type": "string", "one_of": [ "application/json", "application/json; charset=utf-8" ], "description": "Indicates the type of data sent. 
The only available option is `application/json`.", - "default": "application/json" + "default": "application/json", + "type": "string" } }, { "timeout": { - "type": "number", "description": "An optional timeout in milliseconds when sending data to the upstream server.", - "default": 10000 + "default": 10000, + "type": "number" } }, { "keepalive": { - "type": "number", "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", - "default": 60000 + "default": 60000, + "type": "number" } }, { "retry_count": { - "type": "integer", - "description": "Number of times to retry when sending data to the upstream server." + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" } }, { "queue_size": { - "type": "integer", - "description": "Maximum number of log entries to be sent on each message to the upstream server." + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" } }, { "flush_timeout": { - "type": "number", - "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records." + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" } }, { "headers": { "type": "map", - "values": { - "referenceable": true, - "type": "string" - }, - "description": "An optional table of headers included in the HTTP message to the upstream server. 
Values are indexed by header name, and each header name accepts a single string.", "keys": { - "type": "string", "match_none": [ { - "err": "cannot contain 'Host' header", - "pattern": "^[Hh][Oo][Ss][Tt]$" + "pattern": "^[Hh][Oo][Ss][Tt]$", + "err": "cannot contain 'Host' header" }, { - "err": "cannot contain 'Content-Length' header", - "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$" + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$", + "err": "cannot contain 'Content-Length' header" }, { - "err": "cannot contain 'Content-Type' header", - "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$" + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$", + "err": "cannot contain 'Content-Type' header" } ], - "description": "A string representing an HTTP header name." - } + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "values": { + "referenceable": true, + "type": "string" + }, + "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string." } }, { "queue": { - "type": "record", + "required": true, "fields": [ { "max_batch_size": { "type": "integer", - "default": 1, "description": "Maximum number of entries that can be processed at a time.", + "default": 1, "between": [ 1, 1000000 @@ -165,8 +152,8 @@ { "max_coalescing_delay": { "type": "number", - "default": 1, "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "default": 1, "between": [ 0, 3600 @@ -176,8 +163,8 @@ { "max_entries": { "type": "integer", - "default": 10000, "description": "Maximum number of entries that can be waiting on the queue.", + "default": 10000, "between": [ 1, 1000000 
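Review bot: The `match_none` pattern for `Content-Length` on the re-added line reads `[Ll][Ee][nn][Gg][Tt][Hh]`, and the class `[nn]` matches only a lowercase `n`. A header key with a capital `N` in `Length` is therefore not rejected by the "cannot contain 'Content-Length' header" rule, whereas the `Host` and `Content-Type` patterns cover both cases for every letter. The line is carried over with only its key order changed, so the typo predates this commit, and because the file is pulled from the API the correction belongs in the plugin's schema source. The pattern should be `^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][Nn][Gg][Tt][Hh]$`. This hunk ends partway through the `queue` record.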
@@ -193,15 +180,15 @@ { "max_retry_time": { "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "default": 60 + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { "type": "number", - "default": 0.01, "description": "Time in seconds before the initial retry is made for a failing batch.", + "default": 0.01, "between": [ 0.001, 1000000 @@ -211,35 +198,48 @@ { "max_retry_delay": { "type": "number", - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff." } } ], - "required": true + "type": "record" } }, { "custom_fields_by_lua": { "type": "map", - "values": { - "type": "string", - "len_min": 1 - }, - "description": "Lua code as a key-value map", "keys": { "type": "string", "len_min": 1 - } + }, + "values": { + "len_min": 1, + "type": "string" + }, + "description": "Lua code as a key-value map" } } ], - "required": true + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "retry_count", + "queue_size", + "flush_timeout" + ] + } + } + ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/ip-restriction/3.5.x.json b/schemas/ip-restriction/3.5.x.json index 574502e0..14e0c7d4 100644 --- a/schemas/ip-restriction/3.5.x.json +++ b/schemas/ip-restriction/3.5.x.json @@ -1,18 +1,9 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.allow", - "config.deny" - ] - } - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -25,8 +16,10 @@ "ws", "wss" ], + "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "description": "A set of strings representing protocols.", "default": [ "http", "https", 
@@ -35,59 +28,66 @@ "grpc", "grpcs" ], - "description": "A set of strings representing protocols.", - "required": true + "type": "set" } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "allow": { - "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", "elements": { "type": "string", "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." }, - "type": "array" + "type": "array", + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified." } }, { "deny": { - "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", "elements": { "type": "string", "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." }, - "type": "array" + "type": "array", + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified." } }, { "status": { - "description": "The HTTP status of the requests that will be rejected by the plugin.", "required": false, + "description": "The HTTP status of the requests that will be rejected by the plugin.", "type": "number" } }, { "message": { - "description": "The message to send as a response body to rejected requests.", "required": false, + "description": "The message to send as a response body to rejected requests.", "type": "string" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } ] } \ No newline at end of file 
diff --git a/schemas/jq/3.5.x.json b/schemas/jq/3.5.x.json index 53ef0690..8940de16 100644 --- a/schemas/jq/3.5.x.json +++ b/schemas/jq/3.5.x.json 
@@ -1,182 +1,170 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", - "entity_checks": [ - { - "at_least_one_of": [ - "request_jq_program", - "response_jq_program" - ] - } - ], "required": true, + "type": "record", "fields": [ { "request_jq_program": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "request_jq_program_options": { - "type": "record", "required": false, + "default": [ + + ], "fields": [ { "compact_output": { - "type": "boolean", "required": true, - "default": true + "default": true, + "type": "boolean" } }, { "raw_output": { - "type": "boolean", "required": true, - "default": false + "default": false, + "type": "boolean" } }, { "join_output": { - "type": "boolean", "required": true, - "default": false + "default": false, + "type": "boolean" } }, { "ascii_output": { - "type": "boolean", "required": true, - "default": false + "default": false, + "type": "boolean" } }, { "sort_keys": { - "type": "boolean", "required": true, - "default": false + "default": false, + "type": "boolean" } } ], - "default": [ - - ] + "type": "record" } }, { "request_if_media_type": { - "type": "array", "required": false, "elements": { "type": "string" }, "default": [ "application/json" - ] + ], + "type": "array" } }, { "response_jq_program": { - "type": "string", - "required": false + "required": 
false, + "type": "string" } }, { "response_jq_program_options": { - "type": "record", "required": false, + "default": [ + + ], "fields": [ { "compact_output": { - "type": "boolean", "required": true, - "default": true + "default": true, + "type": "boolean" } }, { "raw_output": { - "type": "boolean", "required": true, - "default": false + "default": false, + "type": "boolean" } }, { "join_output": { - "type": "boolean", "required": true, - "default": false + "default": false, + "type": "boolean" } }, { "ascii_output": { - "type": "boolean", "required": true, - "default": false + "default": false, + "type": "boolean" } }, { "sort_keys": { - "type": "boolean", "required": true, - "default": false + "default": false, + "type": "boolean" } } ], - "default": [ - - ] + "type": "record" } }, { "response_if_media_type": { - "type": "array", "required": false, "elements": { "type": "string" }, "default": [ "application/json" - ] + ], + "type": "array" } }, { "response_if_status_code": { - "type": "array", "required": false, "elements": { "type": "integer", @@ -187,11 +175,23 @@ }, "default": [ 200 - ] + ], + "type": "array" } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "request_jq_program", + "response_jq_program" + ] + } ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/jwe-decrypt/3.5.x.json b/schemas/jwe-decrypt/3.5.x.json index c26e2a11..8e4639bc 100644 --- a/schemas/jwe-decrypt/3.5.x.json +++ b/schemas/jwe-decrypt/3.5.x.json 
@@ -1,86 +1,86 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "lookup_header_name": { - "description": "The name of the header to look for the JWE token.", - "type": "string", "required": true, - "default": "Authorization" + "description": "The name of the header to look for the JWE token.", + "default": "Authorization", + "type": "string" } }, { "forward_header_name": { - "description": "The name of the header that is used to set the decrypted value.", - "type": "string", "required": true, - "default": "Authorization" + "description": "The name of the header that is used to set the decrypted value.", + "default": "Authorization", + "type": "string" } }, { "key_sets": { + "required": true, "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", - "type": "array", "elements": { "type": "string" }, - "required": true + "type": "array" } }, { "strict": { "description": "Defines how the plugin behaves in cases where no token was found in the request. 
When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/jwt-signer/3.5.x.json b/schemas/jwt-signer/3.5.x.json index 32a25682..9c314e05 100644 --- a/schemas/jwt-signer/3.5.x.json +++ b/schemas/jwt-signer/3.5.x.json 
@@ -1,291 +1,285 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "realm": { - "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", "required": false, - "type": "string" + "type": "string", + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value." } }, { "enable_hs_signatures": { - "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting.", - "type": "boolean", "required": false, - "default": false + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. 
If you need to accept such tokens for verification, enable this setting.", + "default": false, + "type": "boolean" } }, { "enable_instrumentation": { - "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", - "type": "boolean", "required": false, - "default": false + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", + "default": false, + "type": "boolean" } }, { "access_token_issuer": { - "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", - "type": "string", "required": false, - "default": "kong" + "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", + "default": "kong", + "type": "string" } }, { "access_token_keyset": { - "description": "The name of the keyset containing signing keys.", - "type": "string", "required": false, - "default": "kong" + "description": "The name of the keyset containing signing keys.", + "default": "kong", + "type": "string" } }, { "access_token_jwks_uri": { - "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", "required": false, + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", "type": "string" } }, { "access_token_request_header": { - "description": "This parameter tells the name of the header where to look for the access token.", - "type": "string", "required": false, - "default": "Authorization" + "description": "This parameter tells the name of the header where to look for the access token.", + "default": "Authorization", + "type": 
"string" } }, { "access_token_leeway": { - "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", - "type": "number", "required": false, - "default": 0 + "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", + "default": 0, + "type": "number" } }, { "access_token_scopes_required": { + "required": false, "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", - "type": "array", "elements": { "type": "string" }, - "required": false + "type": "array" } }, { "access_token_scopes_claim": { - "type": "array", + "required": false, "elements": { "type": "string" }, + "type": "array", "default": [ "scope" ], - "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", - "required": false + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`." 
} }, { "access_token_consumer_claim": { + "required": false, "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", - "type": "array", "elements": { "type": "string" }, - "required": false + "type": "array" } }, { "access_token_consumer_by": { - "type": "array", + "required": false, "elements": { - "type": "string", "one_of": [ "id", "username", "custom_id" - ] + ], + "type": "string" }, + "type": "array", "default": [ "username", "custom_id" ], - "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", - "required": false + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`." } }, { "access_token_upstream_header": { - "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", - "type": "string", "required": false, - "default": "Authorization:Bearer" + "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. 
If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", + "default": "Authorization:Bearer", + "type": "string" } }, { "access_token_upstream_leeway": { - "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", - "type": "number", "required": false, - "default": 0 + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", + "default": 0, + "type": "number" } }, { "access_token_introspection_endpoint": { - "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", "required": false, + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", "type": "string" } }, { "access_token_introspection_authorization": { - "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", "required": false, - "type": "string" + "type": "string", + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter." } }, { "access_token_introspection_body_args": { - "description": "This parameter allows you to pass URL encoded request body arguments. 
For example: `resource=` or `a=1&b=&c`.", "required": false, - "type": "string" + "type": "string", + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`." } }, { "access_token_introspection_hint": { - "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", - "type": "string", "required": false, - "default": "access_token" + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", + "default": "access_token", + "type": "string" } }, { "access_token_introspection_jwt_claim": { + "required": false, "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", - "type": "array", "elements": { "type": "string" }, - "required": false + "type": "array" } }, { "access_token_introspection_scopes_required": { + "required": false, "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", - "type": "array", "elements": { "type": "string" }, - "required": false + "type": "array" } }, { "access_token_introspection_scopes_claim": { - "type": "array", + "required": true, "elements": { "type": "string" }, + "type": "array", "default": [ "scope" ], - "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. 
For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", - "required": true + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`." } }, { "access_token_introspection_consumer_claim": { + "required": false, "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", - "type": "array", "elements": { "type": "string" }, - "required": false + "type": "array" } }, { "access_token_introspection_consumer_by": { - "type": "array", + "required": false, "elements": { - "type": "string", "one_of": [ "id", "username", "custom_id" - ] + ], + "type": "string" }, + "type": "array", "default": [ "username", "custom_id" ], - "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. 
The parameter can take an array of values.", - "required": false + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values." } }, { "access_token_introspection_leeway": { - "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", - "type": "number", "required": false, - "default": 0 + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", + "default": 0, + "type": "number" } }, { "access_token_introspection_timeout": { - "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", "required": false, - "type": "number" + "type": "number", + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection." 
} }, { "access_token_signing_algorithm": { - "type": "string", - "default": "RS256", - "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", "required": true, "one_of": [ "HS256", 
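Review bot: `access_token_introspection_authorization` is described as carrying the `Authorization` header value the plugin sends to the introspection endpoint, which is a client credential, yet the entry on the new side is a plain `"type": "string"` with no secret-handling attribute visible (Kong schemas can mark fields `encrypted` / `referenceable`; whether upstream intends that for this field should be confirmed). As this file is pulled from the API, the fix belongs in the upstream schema, but the rendered description should at least say the value is a secret, e.g. `"... This value is a credential; avoid storing it in plain text in declarative config."`. Two descriptions in this hunk also carry typos that will now appear in the docs: "an array of alues" in `access_token_consumer_by` and "hich can be given as" in `access_token_introspection_scopes_claim`. The `access_token_signing_algorithm` entry continues into the next hunk, so its `one_of` list is not fully visible here.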
@@ -300,304 +294,304 @@ "PS384", "PS512", "EdDSA" - ] + ], + "type": "string", + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm." } }, { "access_token_optional": { - "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect", - "type": "boolean", "required": false, - "default": false + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. 
If the token is provided, then this parameter has no effect", + "default": false, + "type": "boolean" } }, { "verify_access_token_signature": { - "description": "Quickly turn access token signature verification off and on as needed.", - "type": "boolean", "required": false, - "default": true + "description": "Quickly turn access token signature verification off and on as needed.", + "default": true, + "type": "boolean" } }, { "verify_access_token_expiry": { - "description": "Quickly turn access token expiry verification off and on as needed.", - "type": "boolean", "required": false, - "default": true + "description": "Quickly turn access token expiry verification off and on as needed.", + "default": true, + "type": "boolean" } }, { "verify_access_token_scopes": { - "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", - "type": "boolean", "required": false, - "default": true + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", + "default": true, + "type": "boolean" } }, { "verify_access_token_introspection_expiry": { - "description": "Quickly turn access token introspection expiry verification off and on as needed.", - "type": "boolean", "required": false, - "default": true + "description": "Quickly turn access token introspection expiry verification off and on as needed.", + "default": true, + "type": "boolean" } }, { "verify_access_token_introspection_scopes": { - "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", - "type": "boolean", "required": false, - "default": true + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", + "default": true, + "type": "boolean" } }, { 
"cache_access_token_introspection": { - "description": "Whether to cache access token introspection results.", - "type": "boolean", "required": false, - "default": true + "description": "Whether to cache access token introspection results.", + "default": true, + "type": "boolean" } }, { "trust_access_token_introspection": { - "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", - "type": "boolean", "required": false, - "default": true + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", + "default": true, + "type": "boolean" } }, { "enable_access_token_introspection": { - "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", - "type": "boolean", "required": false, - "default": true + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", + "default": true, + "type": "boolean" } }, { "channel_token_issuer": { - "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", - "type": "string", "required": false, - "default": "kong" + "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. 
The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", + "default": "kong", + "type": "string" } }, { "channel_token_keyset": { - "description": "The name of the keyset containing signing keys.", - "type": "string", "required": false, - "default": "kong" + "description": "The name of the keyset containing signing keys.", + "default": "kong", + "type": "string" } }, { "channel_token_jwks_uri": { - "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", "required": false, + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", "type": "string" } }, { "channel_token_request_header": { - "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", "required": false, - "type": "string" + "type": "string", + "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string)." } }, { "channel_token_leeway": { - "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. 
You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", - "type": "number", "required": false, - "default": 0 + "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", + "default": 0, + "type": "number" } }, { "channel_token_scopes_required": { + "required": false, "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", - "type": "array", "elements": { "type": "string" }, - "required": false + "type": "array" } }, { "channel_token_scopes_claim": { - "type": "array", + "required": false, "elements": { "type": "string" }, + "type": "array", "default": [ "scope" ], - "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", - "required": false + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims." } }, { "channel_token_consumer_claim": { + "required": false, "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. 
If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", - "type": "array", "elements": { "type": "string" }, - "required": false + "type": "array" } }, { "channel_token_consumer_by": { - "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", - "type": "array", "elements": { - "type": "string", "one_of": [ "id", "username", "custom_id" - ] + ], + "type": "string" }, + "type": "array", "default": [ "username", "custom_id" - ] + ], + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`." } }, { "channel_token_upstream_header": { - "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", "required": false, - "type": "string" + "type": "string", + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value." 
} }, { "channel_token_upstream_leeway": { - "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", - "type": "number", "required": false, - "default": 0 + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", + "default": 0, + "type": "number" } }, { "channel_token_introspection_endpoint": { - "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", "required": false, + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", "type": "string" } }, { "channel_token_introspection_authorization": { + "required": false, "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", - "type": "string", "elements": { "type": "string" }, - "required": false + "type": "string" } }, { "channel_token_introspection_body_args": { + "required": false, "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. 
You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", - "type": "string", "elements": { "type": "string" }, - "required": false + "type": "string" } }, { "channel_token_introspection_hint": { + "required": false, "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", - "type": "string", "elements": { "type": "string" }, - "required": false + "type": "string" } }, { "channel_token_introspection_jwt_claim": { + "required": false, "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", - "type": "array", "elements": { "type": "string" }, - "required": false + "type": "array" } }, { "channel_token_introspection_scopes_required": { + "required": false, "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", - "type": "array", "elements": { "type": "string" }, - "required": false + "type": "array" } }, { "channel_token_introspection_scopes_claim": { - "type": "array", + "required": false, "elements": { "type": "string" }, + "type": "array", "default": [ "scope" ], - "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", - "required": false + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. 
This supports nested claims." } }, { "channel_token_introspection_consumer_claim": { + "required": false, "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", - "type": "array", "elements": { "type": "string" }, - "required": false + "type": "array" } }, { "channel_token_introspection_consumer_by": { - "type": "array", + "required": false, "elements": { - "type": "string", "one_of": [ "id", "username", "custom_id" - ] + ], + "type": "string" }, + "type": "array", "default": [ "username", "custom_id" ], - "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", - "required": false + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`." } }, { "channel_token_introspection_leeway": { - "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", - "type": "number", "required": false, - "default": 0 + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. 
The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", + "default": 0, + "type": "number" } }, { "channel_token_introspection_timeout": { - "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", "required": false, - "type": "number" + "type": "number", + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection." } }, { "channel_token_signing_algorithm": { - "type": "string", - "default": "RS256", - "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", "required": true, "one_of": [ "HS256", 
@@ -612,115 +606,121 @@ "PS384", "PS512", "EdDSA" - ] + ], + "type": "string", + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token." } }, { "channel_token_optional": { - "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", - "type": "boolean", "required": false, - "default": false + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. 
If the channel token is provided, then this parameter has no effect", + "default": false, + "type": "boolean" } }, { "verify_channel_token_signature": { - "description": "Quickly turn on/off the channel token signature verification.", - "type": "boolean", "required": false, - "default": true + "description": "Quickly turn on/off the channel token signature verification.", + "default": true, + "type": "boolean" } }, { "verify_channel_token_expiry": { - "type": "boolean", "required": false, - "default": true + "default": true, + "type": "boolean" } }, { "verify_channel_token_scopes": { - "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", - "type": "boolean", "required": false, - "default": true + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", + "default": true, + "type": "boolean" } }, { "verify_channel_token_introspection_expiry": { - "description": "Quickly turn on/off the channel token introspection expiry verification.", - "type": "boolean", "required": false, - "default": true + "description": "Quickly turn on/off the channel token introspection expiry verification.", + "default": true, + "type": "boolean" } }, { "verify_channel_token_introspection_scopes": { - "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", - "type": "boolean", "required": false, - "default": true + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", + "default": true, + "type": "boolean" } }, { "cache_channel_token_introspection": { - "description": "Whether to cache channel token introspection results.", - "type": "boolean", "required": false, - "default": true + "description": "Whether to cache 
channel token introspection results.", + "default": true, + "type": "boolean" } }, { "trust_channel_token_introspection": { - "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", - "type": "boolean", "required": false, - "default": true + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", + "default": true, + "type": "boolean" } }, { "enable_channel_token_introspection": { - "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", - "type": "boolean", "required": false, - "default": true + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", + "default": true, + "type": "boolean" } }, { "add_claims": { - "type": "map", - "values": { + "required": false, + "keys": { "type": "string" }, - "keys": { + "type": "map", + "values": { "type": "string" }, - "description": "Add customized claims if they are not present yet.", - "required": false, "default": [ - ] + ], + "description": "Add customized claims if they are not present yet." 
} }, { "set_claims": { - "type": "map", - "values": { + "required": false, + "keys": { "type": "string" }, - "keys": { + "type": "map", + "values": { "type": "string" }, - "description": "Set customized claims. If a claim is already present, it will be overwritten.", - "required": false, "default": [ - ] + ], + "description": "Set customized claims. If a claim is already present, it will be overwritten." } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/jwt/3.5.x.json b/schemas/jwt/3.5.x.json index 908eac96..099742ba 100644 --- a/schemas/jwt/3.5.x.json +++ b/schemas/jwt/3.5.x.json 
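Review bot: `verify_channel_token_expiry` is the only `verify_channel_token_*` field in this hunk that has no `description` on the new side, although the leeway field earlier in the file says this flag disables channel token expiry verification altogether. Its siblings each carry a one-line description, so I would add `"description": "Quickly turn on/off the channel token expiry verification."` in the same wording. Because the schema is pulled from the API, the text presumably has to be fixed at the source and downloaded again. The hunk starts inside `channel_token_signing_algorithm`, so the earlier `config` fields are not part of it.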
@@ -1,110 +1,96 @@ { - "entity_checks": [ - { - "conditional": { - "then_field": "config.claims_to_verify", - "if_field": "config.maximum_expiration", - "then_match": { - "contains": "exp" - }, - "if_match": { - "gt": 0 - } - } - } - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "uri_param_names": { - "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", - "type": "set", "elements": { "type": "string" }, + "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", "default": [ "jwt" - ] + ], + "type": "set" } }, { "cookie_names": { - "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", - "type": "set", "elements": { "type": "string" }, + "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", "default": [ - ] + ], + "type": "set" } }, { "key_claim_name": { - "description": "The name of the claim in which the key identifying the secret must be passed. 
The plugin will attempt to read this claim from the JWT payload and the header, in that order.", "type": "string", - "default": "iss" + "default": "iss", + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order." } }, { "secret_is_base64": { - "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", - "type": "boolean", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret." } }, { "claims_to_verify": { - "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", "elements": { - "type": "string", "one_of": [ "exp", "nbf" - ] + ], + "type": "string" }, + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", "type": "set" } }, 
@@ -116,37 +102,51 @@ }, { "run_on_preflight": { - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", - "type": "boolean", "required": true, - "default": true + "type": "boolean", + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed." } }, { "maximum_expiration": { - "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", - "default": 0, "type": "number", "between": [ 0, 31536000 - ] + ], + "default": 0, + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future." } }, { "header_names": { - "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", - "type": "set", "elements": { "type": "string" }, + "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", "default": [ "authorization" - ] + ], + "type": "set" } } ], - "required": true + "type": "record" + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "config.claims_to_verify", + "if_field": "config.maximum_expiration", + "then_match": { + "contains": "exp" + }, + "if_match": { + "gt": 0 + } } } ] diff --git a/schemas/kafka-log/3.5.x.json b/schemas/kafka-log/3.5.x.json index b0d3dc6d..abdfda84 100644 --- a/schemas/kafka-log/3.5.x.json +++ b/schemas/kafka-log/3.5.x.json @@ -1,14 +1,9 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", @@ -16,7 +11,8 @@ "https", "ws", "wss" - ] + ], + "type": "string" }, "default": [ "grpc", 
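Review bot: In `schemas/jwt/3.5.x.json` the `maximum_expiration` description leaves out the constraint that the `entity_checks` block at the end of this hunk enforces: when `config.maximum_expiration` is greater than 0, `config.claims_to_verify` must contain `exp`. An operator who sets a lifetime limit without that claim gets a validation failure the field text does not explain. The default of 0 presumably means no limit is applied, which is also unstated. I would append `Requires exp in config.claims_to_verify when set above 0.` to the description.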
@@ -25,256 +21,260 @@ "https", "ws", "wss" - ] + ], + "type": "set" } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "authentication" - ] - } - } - ], "required": true, + "type": "record", "fields": [ { "bootstrap_servers": { - "type": "set", "elements": { - "type": "record", "fields": [ { "host": { - "type": "string", "required": true, - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ] } } - ] + ], + "type": "record" }, + "type": "set", "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." } }, { "topic": { - "type": "string", "required": true, - "description": "The Kafka topic to publish to." 
+ "description": "The Kafka topic to publish to.", + "type": "string" } }, { "timeout": { - "type": "integer", "description": "Socket timeout in milliseconds.", - "default": 10000 + "default": 10000, + "type": "integer" } }, { "keepalive": { - "type": "integer", - "default": 60000 + "default": 60000, + "type": "integer" } }, { "keepalive_enabled": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "authentication": { - "type": "record", + "required": true, "fields": [ { "strategy": { - "type": "string", - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "required": false, + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "one_of": [ "sasl" - ] + ], + "type": "string" } }, { "mechanism": { - "type": "string", - "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", "required": false, + "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" - ] + ], + "type": "string" } }, { "tokenauth": { - "type": "boolean", "required": false, - "description": "Enable this to indicate `DelegationToken` authentication" + "description": "Enable this to indicate `DelegationToken` authentication", + "type": "boolean" } }, { "user": { - "type": "string", - "referenceable": true, - "description": "Username for SASL authentication.", "encrypted": true, - "required": false + "referenceable": true, + "type": "string", + "required": false, + "description": "Username for SASL authentication." } }, { "password": { - "type": "string", - "referenceable": true, - "description": "Password for SASL authentication.", "encrypted": true, - "required": false + "referenceable": true, + "type": "string", + "required": false, + "description": "Password for SASL authentication." 
} } ], - "required": true + "type": "record" } }, { "security": { - "type": "record", + "required": true, "fields": [ { "certificate_id": { - "type": "string", - "description": "UUID of certificate entity for mTLS authentication.", "required": false, - "uuid": true + "uuid": true, + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string" } }, { "ssl": { - "type": "boolean", "required": false, - "description": "Enables TLS." + "description": "Enables TLS.", + "type": "boolean" } } ], - "required": true + "type": "record" } }, { "cluster_name": { - "type": "string", - "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", "required": false, - "auto": true + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "auto": true, + "type": "string" } }, { "producer_request_acks": { - "type": "integer", "one_of": [ -1, 0, 1 ], "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", - "default": 1 + "default": 1, + "type": "integer" } }, { "producer_request_timeout": { - "type": "integer", "description": "Time to wait for a Produce response in milliseconds", - "default": 2000 + "default": 2000, + "type": "integer" } }, { "producer_request_limits_messages_per_request": { - "type": "integer", "description": "Maximum number of messages to include into a single Produce request.", - "default": 200 + "default": 200, + "type": "integer" } }, { "producer_request_limits_bytes_per_request": { - "type": "integer", "description": "Maximum size of a Produce request in bytes.", - "default": 1048576 + "default": 1048576, + "type": "integer" } }, { "producer_request_retries_max_attempts": { - "type": "integer", "description": "Maximum number of retry attempts per single Produce request.", - "default": 10 + "default": 10, + "type": "integer" } }, { "producer_request_retries_backoff_timeout": { - "type": "integer", "description": "Backoff interval between retry attempts in milliseconds.", - "default": 100 + "default": 100, + "type": "integer" } }, { "producer_async": { - "type": "boolean", "description": "Flag to enable asynchronous mode.", - "default": true + "default": true, + "type": "boolean" } }, { "producer_async_flush_timeout": { - "type": "integer", "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", - "default": 1000 + "default": 1000, + "type": "integer" } }, { "producer_async_buffering_limits_messages_in_memory": { - "type": "integer", "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", - "default": 50000 + "default": 50000, + "type": "integer" } }, { "custom_fields_by_lua": { "type": "map", - "values": { - "type": "string", - "len_min": 1 - }, - "description": "Lua code as a key-value map", "keys": { "type": "string", "len_min": 1 - } + }, + 
"values": { + "len_min": 1, + "type": "string" + }, + "description": "Lua code as a key-value map" + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "authentication" + ] } } ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/kafka-upstream/3.5.x.json b/schemas/kafka-upstream/3.5.x.json index 37d0733a..620fe128 100644 --- a/schemas/kafka-upstream/3.5.x.json +++ b/schemas/kafka-upstream/3.5.x.json 
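Review bot: The `authentication.mechanism` description in `schemas/kafka-log/3.5.x.json` names only PLAIN and SCRAM-SHA-256 as supported, but the `one_of` directly below it also accepts `SCRAM-SHA-512`. The kafka-upstream schema later in this patch already lists all three, so the sentence here should read `Supported options: PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512.` as well. As written, the description hides the SHA-512 variant from anyone choosing a mechanism from the documentation.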
@@ -1,302 +1,302 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "forward_method", - "forward_uri", - "forward_headers", - "forward_body" - ] - } - }, - { - "custom_entity_check": { - "field_sources": [ - "authentication" - ] - } - } - ], "required": true, + "type": "record", "fields": [ { "bootstrap_servers": { - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "elements": { - "type": "record", "fields": [ { "host": { - "type": "string", "required": true, - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ] } } - ] + ], + "type": "record" }, - "type": "set" + "type": "set", + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." 
} }, { "topic": { - "description": "The Kafka topic to publish to.", "required": true, + "description": "The Kafka topic to publish to.", "type": "string" } }, { "timeout": { "description": "Socket timeout in milliseconds.", - "type": "integer", - "default": 10000 + "default": 10000, + "type": "integer" } }, { "keepalive": { "description": "Keepalive timeout in milliseconds.", - "type": "integer", - "default": 60000 + "default": 60000, + "type": "integer" } }, { "keepalive_enabled": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "authentication": { - "type": "record", + "required": true, "fields": [ { "strategy": { - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", - "type": "string", "required": false, + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "one_of": [ "sasl" - ] + ], + "type": "string" } }, { "mechanism": { - "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", - "type": "string", "required": false, + "description": "The SASL authentication mechanism. 
Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" - ] + ], + "type": "string" } }, { "tokenauth": { - "description": "Enable this to indicate `DelegationToken` authentication.", "required": false, + "description": "Enable this to indicate `DelegationToken` authentication.", "type": "boolean" } }, { "user": { - "type": "string", + "required": false, "referenceable": true, "description": "Username for SASL authentication.", "encrypted": true, - "required": false + "type": "string" } }, { "password": { - "type": "string", + "required": false, "referenceable": true, "description": "Password for SASL authentication.", "encrypted": true, - "required": false + "type": "string" } } ], - "required": true + "type": "record" } }, { "security": { - "type": "record", + "required": true, "fields": [ { "certificate_id": { - "description": "UUID of certificate entity for mTLS authentication.", - "type": "string", "required": false, - "uuid": true + "uuid": true, + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string" } }, { "ssl": { - "description": "Enables TLS.", "required": false, + "description": "Enables TLS.", "type": "boolean" } } ], - "required": true + "type": "record" } }, { "forward_method": { "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "forward_uri": { "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "forward_headers": { "description": "Include the request headers in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "forward_body": { "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "cluster_name": { - "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", - "type": "string", "required": false, - "auto": true + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "auto": true, + "type": "string" } }, { "producer_request_acks": { - "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "one_of": [ -1, 0, 1 ], - "type": "integer", - "default": 1 + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "default": 1, + "type": "integer" } }, { "producer_request_timeout": { "description": "Time to wait for a Produce response in milliseconds.", - "type": "integer", - "default": 2000 + "default": 2000, + "type": "integer" } }, { "producer_request_limits_messages_per_request": { "description": "Maximum number of messages to include into a single producer request.", - "type": "integer", - "default": 200 + "default": 200, + "type": "integer" } }, { "producer_request_limits_bytes_per_request": { "description": "Maximum size of a Produce request in bytes.", - "type": "integer", - "default": 1048576 + "default": 1048576, + "type": "integer" } }, { "producer_request_retries_max_attempts": { "description": "Maximum number of retry attempts per single Produce request.", - "type": "integer", - "default": 10 + "default": 10, + "type": "integer" } }, { "producer_request_retries_backoff_timeout": { "description": "Backoff interval between retry attempts in milliseconds.", - "type": "integer", - "default": 100 + "default": 100, + "type": "integer" } }, { "producer_async": { "description": "Flag to enable asynchronous mode.", - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "producer_async_flush_timeout": { "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", - "type": "integer", - "default": 1000 + "default": 1000, + "type": "integer" } }, { "producer_async_buffering_limits_messages_in_memory": { "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", - "type": "integer", - "default": 50000 + "default": 50000, + "type": "integer" + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "forward_method", + "forward_uri", + "forward_headers", + "forward_body" + ] + } + }, + { + "custom_entity_check": { + 
"field_sources": [ + "authentication" + ] } } ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/key-auth-enc/3.5.x.json b/schemas/key-auth-enc/3.5.x.json index bedd8ceb..6a85e846 100644 --- a/schemas/key-auth-enc/3.5.x.json +++ b/schemas/key-auth-enc/3.5.x.json @@ -1,22 +1,17 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", @@ -24,7 +19,8 @@ "https", "ws", "wss" - ] + ], + "type": "string" }, "default": [ "grpc", 
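Review bot: `authentication.mechanism` accepts `PLAIN` while `security.ssl` is optional (`required: false`, no default shown), and neither description mentions the other. SASL PLAIN does not protect the username and password in transit, so that combination exposes the `user` and `password` values unless TLS is enabled. Whether the `custom_entity_check` on `authentication` rejects it cannot be seen from the schema. I would add `Use PLAIN only together with security.ssl.` to the `mechanism` description; the kafka-log schema earlier in this patch has the same gap.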
@@ -33,40 +29,41 @@ "https", "ws", "wss" - ] + ], + "type": "set" } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "key_names": { - "type": "array", + "required": true, "elements": { "type": "string", "description": "A string representing an HTTP header name." }, + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "default": [ "apikey" ], - "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", - "required": true + "type": "array" } }, { "hide_credentials": { - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", "type": "boolean", - "default": false + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it." } }, { 
@@ -77,35 +74,38 @@ }, { "key_in_header": { - "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", "type": "boolean", - "default": true + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it." } }, { "key_in_query": { - "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", "type": "boolean", - "default": true + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it." } }, { "key_in_body": { - "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", "type": "boolean", - "default": false + "default": false, + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." } }, { "run_on_preflight": { - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", "type": "boolean", - "default": true + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed." } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/key-auth/3.5.x.json b/schemas/key-auth/3.5.x.json index 074c77b6..bc248036 100644 --- a/schemas/key-auth/3.5.x.json 
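Review bot: `key_in_query` keeps `"default": true` in this hunk while `hide_credentials` (previous hunk of this file) defaults to `false`, and neither description says what that combination means for the key. A key accepted from the query string is part of the request URL, which commonly gets written to access logs, and per the `hide_credentials` description it is only stripped before proxying when that flag is `true`. I would append to the `key_in_query` description a sentence such as `Keys sent in the query string can be recorded in logs along with the URL; prefer a header and set hide_credentials to true.` The `schemas/key-auth/3.5.x.json` section that follows has the same defaults and the same gap. The `config.fields` array these entries belong to opens outside this hunk.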
+++ b/schemas/key-auth/3.5.x.json @@ -1,22 +1,17 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", @@ -24,7 +19,8 @@ "https", "ws", "wss" - ] + ], + "type": "string" }, "default": [ "grpc", 
@@ -33,84 +29,88 @@ "https", "ws", "wss" - ] + ], + "type": "set" } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "key_names": { - "type": "array", + "required": true, "elements": { "type": "string", "description": "A string representing an HTTP header name." }, + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "default": [ "apikey" ], - "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", - "required": true + "type": "array" } }, { "hide_credentials": { - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", - "type": "boolean", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request." } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`.", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`." 
} }, { "key_in_header": { - "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", - "type": "boolean", "required": true, - "default": true + "type": "boolean", + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it." } }, { "key_in_query": { - "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", - "type": "boolean", "required": true, - "default": true + "type": "boolean", + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it." } }, { "key_in_body": { - "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", - "type": "boolean", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." } }, { "run_on_preflight": { - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", - "type": "boolean", "required": true, - "default": true + "type": "boolean", + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed." } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/konnect-application-auth/3.5.x.json b/schemas/konnect-application-auth/3.5.x.json index a50c7abe..5fae6eb8 100644 
--- a/schemas/konnect-application-auth/3.5.x.json +++ b/schemas/konnect-application-auth/3.5.x.json 
@@ -1,98 +1,98 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "route": { - "type": "foreign", + "reference": "routes", "description": "A reference to the 'routes' table with a null value allowed.", "eq": null, - "reference": "routes" + "type": "foreign" } }, { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", - "entity_checks": [ - - ], "required": true, + "type": "record", "fields": [ { "key_names": { - "type": "array", + "required": true, "elements": { "type": "string", "description": "A string representing an HTTP header name." }, + "description": "The names of the headers containing the API key. You can specify multiple header names.", "default": [ "apikey" ], - "description": "The names of the headers containing the API key. You can specify multiple header names.", - "required": true + "type": "array" } }, { "auth_type": { - "type": "string", - "default": "openid-connect", - "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth'.", "required": true, "one_of": [ "openid-connect", "key-auth" - ] + ], + "description": "The type of authentication to be performed. 
Possible values are: 'openid-connect', 'key-auth'.", + "default": "openid-connect", + "type": "string" } }, { "scope": { - "description": "The unique scope identifier for the plugin configuration.", - "unique": true, "required": true, - "type": "string" + "unique": true, + "type": "string", + "description": "The unique scope identifier for the plugin configuration." } } + ], + "entity_checks": [ + ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/ldap-auth-advanced/3.5.x.json b/schemas/ldap-auth-advanced/3.5.x.json index f0a34d78..3d98294f 100644 --- a/schemas/ldap-auth-advanced/3.5.x.json +++ b/schemas/ldap-auth-advanced/3.5.x.json @@ -1,20 +1,9 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", @@ -22,7 +11,8 @@ "https", "ws", "wss" - ] + ], + "type": "string" }, "default": [ "grpc", @@ -31,40 +21,41 @@ "https", "ws", "wss" - ] + ], + "type": "set" } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "ldap_host": { - "description": "Host on which the LDAP server is running.", "required": true, - "type": "string" + "type": "string", + "description": "Host on which the LDAP server is running." } }, { "ldap_password": { - "description": "The password to the LDAP server.", "encrypted": true, + "description": "The password to the LDAP server.", "referenceable": true, "type": "string" } 
@@ -72,164 +63,173 @@ { "ldap_port": { "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", - "type": "number", - "default": 389 + "default": 389, + "type": "number" } }, { "bind_dn": { - "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", "referenceable": true, - "type": "string" + "type": "string", + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated." } }, { "ldaps": { - "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", - "type": "boolean", "required": true, - "default": false + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "default": false, + "type": "boolean" } }, { "start_tls": { - "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", - "type": "boolean", "required": true, - "default": false + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "default": false, + "type": "boolean" } }, { "verify_ldap_host": { - "description": "Set to `true` to authenticate LDAP server. 
The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", - "type": "boolean", "required": true, - "default": false + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "default": false, + "type": "boolean" } }, { "base_dn": { - "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", "required": true, - "type": "string" + "type": "string", + "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'." } }, { "attribute": { - "description": "Attribute to be used to search the user; e.g., \"cn\".", "required": true, - "type": "string" + "type": "string", + "description": "Attribute to be used to search the user; e.g., \"cn\"." } }, { "cache_ttl": { - "description": "Cache expiry time in seconds.", - "type": "number", "required": true, - "default": 60 + "description": "Cache expiry time in seconds.", + "default": 60, + "type": "number" } }, { "hide_credentials": { "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "timeout": { "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", - "type": "number", - "default": 10000 + "default": 10000, + "type": "number" } }, { "keepalive": { "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", - "type": "number", - "default": 60000 + "default": 60000, + "type": "number" } }, { "anonymous": { "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. 
If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "len_min": 0, - "type": "string", - "default": "" + "default": "", + "type": "string" } }, { "header_type": { "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", - "type": "string", - "default": "ldap" + "default": "ldap", + "type": "string" } }, { "consumer_optional": { - "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", - "type": "boolean", "required": false, - "default": false + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", + "default": false, + "type": "boolean" } }, { "consumer_by": { - "type": "array", + "required": false, "elements": { - "type": "string", "one_of": [ "username", "custom_id" - ] + ], + "type": "string" }, + "type": "array", "default": [ "username", "custom_id" ], - "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", - "required": false + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both." } }, { "group_base_dn": { - "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", - "type": "string" + "type": "string", + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. 
This field is case-insensitive.',dc=com'." } }, { "group_name_attribute": { - "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", - "type": "string" + "type": "string", + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive." } }, { "group_member_attribute": { "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive.", - "type": "string", - "default": "memberOf" + "default": "memberOf", + "type": "string" } }, { "log_search_results": { - "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", - "type": "boolean", "required": false, - "default": false + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", + "default": false, + "type": "boolean" } }, { "groups_required": { - "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", + "required": false, "type": "array", "elements": { "type": "string" }, - "required": false + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. 
- When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result." } } ], - "required": true + "type": "record" + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/ldap-auth/3.5.x.json b/schemas/ldap-auth/3.5.x.json index bd113b55..d3c007bb 100644 --- a/schemas/ldap-auth/3.5.x.json +++ b/schemas/ldap-auth/3.5.x.json @@ -1,22 +1,17 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", @@ -24,7 +19,8 @@ "https", "ws", "wss" - ] + ], + "type": "string" }, "default": [ "grpc", 
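Review bot: `verify_ldap_host` keeps `"default": false` in this hunk and its description only explains what `true` does, so a reader is not told that the default appears to leave the LDAP server's certificate unchecked even with `ldaps` or `start_tls` on (inferred from the description; the handler is not visible here). The `ldap_password` bind secret from the previous hunk is used on that connection, so the caveat belongs in the text. I would append `When false (the default), the server certificate is not verified.` to the description. The same field and default appear in the `schemas/ldap-auth/3.5.x.json` section that follows, and the `config` record itself opens in the previous hunk. Separately, the `group_base_dn` description ends in a stray fragment (`case-insensitive.',dc=com'.`) that looks like a truncated example and should be repaired where the schema is generated.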
@@ -33,122 +29,108 @@ "https", "ws", "wss" - ] + ], + "type": "set" } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", - "entity_checks": [ - { - "conditional": { - "then_field": "start_tls", - "if_field": "ldaps", - "then_match": { - "eq": false - }, - "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", - "if_match": { - "eq": true - } - } - } - ], "required": true, + "type": "record", "fields": [ { "ldap_host": { - "type": "string", "required": true, - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "ldap_port": { - "type": "integer", - "default": 389, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true, "between": [ 0, 65535 - ] + ], + "type": "integer", + "default": 389, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "ldaps": { - "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", - "type": "boolean", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled." } }, { "start_tls": { - "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. 
If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", - "type": "boolean", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled." } }, { "verify_ldap_host": { - "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", - "type": "boolean", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive." } }, { "base_dn": { - "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", "required": true, - "type": "string" + "type": "string", + "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com" } }, { "attribute": { - "description": "Attribute to be used to search the user; e.g. cn", "required": true, - "type": "string" + "type": "string", + "description": "Attribute to be used to search the user; e.g. cn" } }, { "cache_ttl": { - "description": "Cache expiry time in seconds.", - "type": "number", "required": true, - "default": 60 + "type": "number", + "default": 60, + "description": "Cache expiry time in seconds." } }, { "hide_credentials": { - "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", - "type": "boolean", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. 
It will be removed by Kong before proxying the request." } }, { "timeout": { - "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", "type": "number", - "default": 10000 + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server." } }, { "keepalive": { - "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", "type": "number", - "default": 60000 + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed." } }, { @@ -159,13 +141,31 @@ }, { "header_type": { - "description": "An optional string to use as part of the Authorization header", "type": "string", - "default": "ldap" + "default": "ldap", + "description": "An optional string to use as part of the Authorization header" + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "start_tls", + "if_field": "ldaps", + "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", + "then_match": { + "eq": false + } } } ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/loggly/3.5.x.json b/schemas/loggly/3.5.x.json index 56a8c31f..f7b7377b 100644 --- a/schemas/loggly/3.5.x.json +++ b/schemas/loggly/3.5.x.json @@ -1,13 +1,9 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
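Review bot: The `ldaps` description in this file says "When `ldaps` is configured, you must use port 636", but the `entity_checks` block re-added at the end of `config` enforces only the `ldaps`/`start_tls` exclusion, and `ldap_port` still defaults to 389. As far as the schema shows, a configuration that sets `ldaps` to `true` and leaves the port at its default passes validation. If the port is a hard requirement, a second `conditional` on `ldap_port` would catch that; if 636 is only the conventional port, the description should say so, for example `LDAPS conventionally listens on port 636.` The same description also refers to "the `ldap` setting" where `ldaps` is evidently meant. `schemas/ldap-auth-advanced/3.5.x.json` carries both wordings.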
@@ -20,70 +16,70 @@ "ws", "wss" ], + "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", - "required": true + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "host": { - "type": "string", "description": "A string representing a host name, such as example.com.", - "default": "logs-01.loggly.com" + "default": "logs-01.loggly.com", + "type": "string" } }, { "port": { - "type": "integer", - "default": 514, "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 514, + "type": "integer" } }, { "key": { - "type": "string", + "referenceable": true, "encrypted": true, "required": true, - "referenceable": true + "type": "string" } }, { "tags": { - "type": "set", "elements": { "type": "string" }, "default": [ "kong" - ] + ], + "type": "set" } }, { "log_level": { - "type": "string", "one_of": [ "debug", "info", @@ -94,12 +90,12 @@ "alert", "emerg" ], - "default": "info" + "default": "info", + "type": "string" } }, { "successful_severity": { - "type": "string", "one_of": [ "debug", "info", @@ -110,12 +106,12 @@ "alert", "emerg" ], - "default": "info" + "default": "info", + "type": "string" } }, { "client_errors_severity": { - "type": "string", "one_of": [ "debug", "info", @@ -126,12 +122,12 @@ "alert", "emerg" ], - "default": "info" + "default": "info", + "type": "string" } }, { "server_errors_severity": { - "type": "string", "one_of": [ "debug", "info", 
@@ -142,32 +138,36 @@ "alert", "emerg" ], - "default": "info" + "default": "info", + "type": "string" } }, { "timeout": { - "type": "number", - "default": 10000 + "default": 10000, + "type": "number" } }, { "custom_fields_by_lua": { "type": "map", - "values": { - "type": "string", - "len_min": 1 - }, - "description": "Lua code as a key-value map", "keys": { "type": "string", "len_min": 1 - } + }, + "values": { + "len_min": 1, + "type": "string" + }, + "description": "Lua code as a key-value map" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/mocking/3.5.x.json b/schemas/mocking/3.5.x.json index 0ace9c9f..3e069418 100644 --- a/schemas/mocking/3.5.x.json +++ b/schemas/mocking/3.5.x.json 
@@ -1,109 +1,117 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.api_specification_filename", - "config.api_specification" - ] - } - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "api_specification_filename": { - "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", "required": false, + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", "type": "string" } }, { "api_specification": { - "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", "required": false, + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", "type": "string" } }, { "random_delay": { "description": "Enables a random delay in the mocked response. 
Introduces delays to simulate real-time response times by APIs.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "max_delay_time": { "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", - "type": "number", - "default": 1 + "default": 1, + "type": "number" } }, { "min_delay_time": { "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`.", - "type": "number", - "default": 0.001 + "default": 0.001, + "type": "number" } }, { "random_examples": { "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "included_status_codes": { - "description": "A global list of the HTTP status codes that can only be selected and returned.", "elements": { "type": "integer" }, - "type": "array" + "type": "array", + "description": "A global list of the HTTP status codes that can only be selected and returned." } }, { "random_status_code": { + "required": true, "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. 
The default value is `false`, which means the minimum HTTP status code is always selected and returned.", - "type": "boolean", + "default": false, + "type": "boolean" + } + }, + { + "include_base_path": { "required": true, - "default": false + "description": "Indicates whether to include the base path when performing path match evaluation.", + "default": false, + "type": "boolean" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.api_specification_filename", + "config.api_specification" + ] + } ] } \ No newline at end of file diff --git a/schemas/mtls-auth/3.5.x.json b/schemas/mtls-auth/3.5.x.json index 71d7e9e6..a03abfa2 100644 --- a/schemas/mtls-auth/3.5.x.json +++ b/schemas/mtls-auth/3.5.x.json 
@@ -1,168 +1,151 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", - "entity_checks": [ - { - "mutually_required": [ - "http_proxy_host", - "http_proxy_port" - ] - }, - { - "mutually_required": [ - "https_proxy_host", - "https_proxy_port" - ] - } - ], "required": true, + "type": "record", "fields": [ { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "consumer_by": { - "type": "array", + "required": false, "elements": { - "type": "string", "one_of": [ "username", "custom_id" - ] + ], + "type": "string" }, + "type": "array", "default": [ "username", "custom_id" ], - "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", - "required": false + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled." } }, { "ca_certificates": { + "required": true, "type": "array", - "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", "elements": { "type": "string", "uuid": true }, - "required": true + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`)." } }, { "cache_ttl": { - "type": "number", - "description": "Cache expiry time in seconds.", "required": true, - "default": 60 + "type": "number", + "default": 60, + "description": "Cache expiry time in seconds." } }, { "skip_consumer_lookup": { - "type": "boolean", - "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list." 
} }, { "allow_partial_chain": { - "type": "boolean", - "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates." } }, { "authenticated_group_by": { - "type": "string", - "default": "CN", - "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "required": false, "one_of": [ "CN", "DN" - ] + ], + "type": "string", + "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users." } }, { "revocation_check_mode": { - "type": "string", - "default": "IGNORE_CA_ERROR", - "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. 
If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "required": false, "one_of": [ "SKIP", "IGNORE_CA_ERROR", "STRICT" - ] + ], + "type": "string", + "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status." } }, { "http_timeout": { "type": "number", - "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", - "default": 30000 + "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL." } }, { "cert_cache_ttl": { "type": "number", - "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", - "default": 60000 + "default": 60000, + "description": "The length of time in milliseconds between refreshes of the revocation check status cache." } }, { "send_ca_dn": { "type": "boolean", - "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", - "default": false + "default": false, + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message." } }, { @@ -173,12 +156,12 @@ }, { "http_proxy_port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { 
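Review bot: The `revocation_check_mode` description in schemas/mtls-auth/3.5.x.json says the default `IGNORE_CA_ERROR` "doesn't fail on network issues" but never states the consequence, which reads as though a certificate whose revocation status could not be fetched is still accepted. Because this is the default, the text should say so explicitly, for example by ending that sentence with `and treats the certificate as valid when the OCSP or CRL endpoint cannot be reached` (to be confirmed against the plugin's behaviour). It should also point to `STRICT` for deployments that need revocation checking to fail closed. The wording is carried over unchanged by this hunk, which only reorders keys, so the fix probably belongs in the upstream plugin schema.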
@@ -189,16 +172,33 @@ }, { "https_proxy_port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } } + ], + "entity_checks": [ + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/oas-validation/3.5.x.json b/schemas/oas-validation/3.5.x.json index e2c44b56..2b74ef0f 100644 --- a/schemas/oas-validation/3.5.x.json +++ b/schemas/oas-validation/3.5.x.json 
@@ -1,140 +1,148 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "api_spec": { - "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URL encoded to preserve the YAML format.", "required": true, + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URL encoded to preserve the YAML format.", "type": "string" } }, { "verbose_response": { - "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", - "type": "boolean", "required": false, - "default": false + "description": "If set to true, returns a detailed error message for invalid requests & responses. 
This is useful while testing.", + "default": false, + "type": "boolean" } }, { "validate_request_body": { - "description": "If set to true, validates the request body content against the API specification.", - "type": "boolean", "required": false, - "default": true + "description": "If set to true, validates the request body content against the API specification.", + "default": true, + "type": "boolean" } }, { "notify_only_request_validation_failure": { - "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", - "type": "boolean", "required": false, - "default": false + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", + "default": false, + "type": "boolean" } }, { "validate_request_header_params": { - "description": "If set to true, validates HTTP header parameters against the API specification.", - "type": "boolean", "required": false, - "default": true + "description": "If set to true, validates HTTP header parameters against the API specification.", + "default": true, + "type": "boolean" } }, { "validate_request_query_params": { - "description": "If set to true, validates query parameters against the API specification.", - "type": "boolean", "required": false, - "default": true + "description": "If set to true, validates query parameters against the API specification.", + "default": true, + "type": "boolean" } }, { "validate_request_uri_params": { - "description": "If set to true, validates URI parameters in the request against the API specification.", - "type": "boolean", "required": false, - "default": true + "description": "If set to true, validates URI parameters in the request against the API specification.", + "default": true, + "type": "boolean" } }, { "validate_response_body": { - "description": "If set to true, validates the response from the upstream services against 
the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", - "type": "boolean", "required": false, - "default": false + "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", + "default": false, + "type": "boolean" } }, { "notify_only_response_body_validation_failure": { - "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", - "type": "boolean", "required": false, - "default": false + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", + "default": false, + "type": "boolean" } }, { "query_parameter_check": { - "description": "If set to true, checks if query parameters in the request exist in the API specification.", - "type": "boolean", "required": true, - "default": false + "description": "If set to true, checks if query parameters in the request exist in the API specification.", + "default": false, + "type": "boolean" } }, { "header_parameter_check": { - "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", - "type": "boolean", "required": true, - "default": false + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", + "default": false, + "type": "boolean" } }, { "allowed_header_parameters": { - "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. 
For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", - "type": "string", "required": false, - "default": "Host,Content-Type,User-Agent,Accept,Content-Length" + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", + "default": "Host,Content-Type,User-Agent,Accept,Content-Length", + "type": "string" + } + }, + { + "include_base_path": { + "required": true, + "description": "Indicates whether to include the base path when performing path match evaluation.", + "default": false, + "type": "boolean" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/oauth2-introspection/3.5.x.json b/schemas/oauth2-introspection/3.5.x.json index 4ba92528..eba00114 100644 --- a/schemas/oauth2-introspection/3.5.x.json +++ b/schemas/oauth2-introspection/3.5.x.json 
@@ -1,165 +1,165 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "introspection_url": { - "type": "string", "required": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "ttl": { - "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", "type": "number", - "default": 30 + "default": 30, + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration." } }, { "token_type_hint": { - "description": "The `token_type_hint` value to associate to introspection requests.", - "type": "string" + "type": "string", + "description": "The `token_type_hint` value to associate to introspection requests." } }, { "authorization_value": { - "description": "The value to set as the `Authorization` header when querying the introspection endpoint. 
This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", "required": true, - "type": "string" + "type": "string", + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`)." } }, { "timeout": { - "description": "An optional timeout in milliseconds when sending data to the upstream server.", "type": "integer", - "default": 10000 + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server." } }, { "keepalive": { - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", "type": "integer", - "default": 60000 + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." } }, { "introspect_request": { - "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", - "type": "boolean", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request." } }, { "hide_credentials": { - "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. 
It will be removed by Kong before proxying the request.", "type": "boolean", - "default": false + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request." } }, { "run_on_preflight": { - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", "type": "boolean", - "default": true + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed." } }, { "anonymous": { + "type": "string", "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "default": "", - "type": "string", "len_min": 0 } }, { "consumer_by": { - "type": "string", - "default": "username", - "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", "required": true, "one_of": [ "username", "client_id" - ] + ], + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. 
OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", + "default": "username", + "type": "string" } }, { "custom_introspection_headers": { - "type": "map", - "values": { - "type": "string" - }, + "required": true, "keys": { "type": "string" }, "description": "A list of custom headers to be added in the introspection request.", - "required": true, + "values": { + "type": "string" + }, "default": [ - ] + ], + "type": "map" } }, { "custom_claims_forward": { - "type": "set", + "required": true, "elements": { "type": "string" }, + "type": "set", "default": [ ], - "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", - "required": true + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`." } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/oauth2/3.5.x.json b/schemas/oauth2/3.5.x.json index e5d596ea..5c06a69e 100644 --- a/schemas/oauth2/3.5.x.json +++ b/schemas/oauth2/3.5.x.json @@ -1,22 +1,17 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", @@ -24,7 +19,8 @@ "https", "ws", "wss" - ] + ], + "type": "string" }, "default": [ "grpc", 
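Review bot: `authorization_value` in schemas/oauth2-introspection/3.5.x.json is described as carrying the `client_id` and `client_secret` as a Basic Auth string, yet the entry lists only `required`, `type` and `description`, whereas `provision_key` in schemas/oauth2/3.5.x.json carries `"encrypted": true`. If that reflects the plugin schema rather than an omission in the download, the description should at least state that the value is a credential, for example by appending `Treat this value as a secret.`. It is worth confirming upstream whether the field is meant to be encrypted at rest.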
@@ -33,116 +29,104 @@ "https", "ws", "wss" - ] + ], + "type": "set" } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { + "required": true, "type": "record", - "entity_checks": [ - { - "conditional": { - "then_field": "scopes", - "if_field": "mandatory_scope", - "then_match": { - "required": true - }, - "if_match": { - "eq": true - } - } - } - ], "fields": [ { "scopes": { - "type": "array", "elements": { "type": "string" }, - "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required." + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", + "type": "array" } }, { "mandatory_scope": { - "type": "boolean", - "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user." } }, { "provision_key": { + "encrypted": true, "type": "string", "required": true, - "description": "The unique key the plugin has generated when it has been added to the Service.", - "encrypted": true, "unique": true, - "auto": true + "auto": true, + "description": "The unique key the plugin has generated when it has been added to the Service." } }, { "token_expiration": { - "type": "number", - "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. 
Set to `0` to disable the expiration.", "required": true, - "default": 7200 + "type": "number", + "default": 7200, + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration." } }, { "enable_authorization_code": { - "type": "boolean", - "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1)." } }, { "enable_implicit_grant": { - "type": "boolean", - "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2)." } }, { "enable_client_credentials": { - "type": "boolean", - "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4)." } }, { "enable_password_grant": { - "type": "boolean", - "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3)." 
} }, { "hide_credentials": { - "type": "boolean", - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service." } }, { "accept_http_if_already_terminated": { - "type": "boolean", - "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer." } }, { 
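Review bot: The four grant-flow descriptions in schemas/oauth2/3.5.x.json (`enable_authorization_code`, `enable_implicit_grant`, `enable_client_credentials`, `enable_password_grant`) cite `RFC 6742`, but the OAuth 2.0 Authorization Framework, whose Sections 4.1–4.4 define these grants, is RFC 6749. Each reference should read `RFC 6749 Section 4.x`, with the section number kept as it is. This hunk changes only key order, and because the file is downloaded from the API the correction probably has to land in the plugin schema upstream. The `config` record continues past the end of this hunk.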
@@ -153,62 +137,78 @@ }, { "global_credentials": { - "type": "boolean", - "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`." } }, { "auth_header_name": { "type": "string", - "description": "The name of the header that is supposed to carry the access token.", - "default": "authorization" + "default": "authorization", + "description": "The name of the header that is supposed to carry the access token." } }, { "refresh_token_ttl": { - "type": "number", - "default": 1209600, - "description": "Time-to-live value for data", "required": true, "between": [ 0, 100000000 - ] + ], + "type": "number", + "default": 1209600, + "description": "Time-to-live value for data" } }, { "reuse_refresh_token": { - "type": "boolean", - "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token." 
} }, { "persistent_refresh_token": { - "type": "boolean", "required": true, - "default": false + "default": false, + "type": "boolean" } }, { "pkce": { - "type": "string", - "default": "lax", - "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", "required": false, "one_of": [ "none", "lax", "strict" - ] + ], + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", + "default": "lax", + "type": "string" } } ], - "required": true + "entity_checks": [ + { + "conditional": { + "then_field": "scopes", + "if_field": "mandatory_scope", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + } + } + } + ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/opa/3.5.x.json b/schemas/opa/3.5.x.json index cfc9cc83..a9325ca5 100644 --- a/schemas/opa/3.5.x.json +++ b/schemas/opa/3.5.x.json 
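Review bot: `persistent_refresh_token` in schemas/oauth2/3.5.x.json has no `description` at all, and `refresh_token_ttl` keeps the generic `Time-to-live value for data`, so neither tells an operator how long a refresh token stays usable or what the flag changes. Both govern refresh-token lifetime, which decides how long a leaked token remains valid, so they deserve specific text. For the TTL something like `Time-to-live in seconds for the refresh token.` would do, with the unit to be confirmed, since the schema gives only the range 0–100000000 and the default 1209600. A description for `persistent_refresh_token` has to come from the plugin authors, as its behaviour cannot be read off the schema.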
@@ -1,147 +1,147 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "opa_protocol": { - "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", "one_of": [ "http", "https" ], - "type": "string", - "default": "http" + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", + "default": "http", + "type": "string" } }, { "opa_host": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "required": true, - "default": "localhost" + "description": "A string representing a host name, such as example.com.", + "default": "localhost", + "type": "string" } }, { "opa_port": { - "type": "integer", - "default": 8181, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true, "between": [ 0, 65535 - ] + ], + "type": "integer", + "default": 8181, + "description": "An integer representing a port number between 0 and 65535, inclusive." 
} }, { "opa_path": { - "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "required": true, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "required": true, - "starts_with": "/" + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" } }, { "include_service_in_opa_input": { "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "include_route_in_opa_input": { "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "include_consumer_in_opa_input": { "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "include_body_in_opa_input": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "include_parsed_json_body_in_opa_input": { "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "include_uri_captures_in_opa_input": { "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included 
as input to OPA.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "ssl_verify": { - "type": "boolean", - "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", "required": true, - "default": true + "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "default": true, + "type": "boolean" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/openid-connect/3.5.x.json b/schemas/openid-connect/3.5.x.json index 092c4afc..60715904 100644 --- a/schemas/openid-connect/3.5.x.json +++ b/schemas/openid-connect/3.5.x.json 
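Review bot: `include_body_in_opa_input` in schemas/opa/3.5.x.json is the only `include_*` option without a `description`, while each of its siblings explains what is sent to OPA. Going by the sibling wording it presumably forwards the raw request body, which can contain credentials or personal data, and `opa_protocol` defaults to `http`, so the docs should spell this out. Suggested text, to be confirmed upstream: `"description": "If set to true, the body of the current request is included as input to OPA."`.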
@@ -1,183 +1,97 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", - "shorthand_fields": [ - { - "authorization_cookie_lifetime": { - "type": "number" - } - }, - { - "authorization_cookie_samesite": { - "type": "string" - } - }, - { - "authorization_cookie_httponly": { - "type": "boolean" - } - }, - { - "session_cookie_lifetime": { - "type": "number" - } - }, - { - "session_cookie_idletime": { - "type": "number" - } - }, - { - "session_cookie_samesite": { - "type": "string" - } - }, - { - "session_cookie_httponly": { - "type": "boolean" - } - }, - { - "session_memcache_prefix": { - "type": "string" - } - }, - { - "session_memcache_socket": { - "type": "string" - } - }, - { - "session_memcache_host": { - "type": "string" - } - }, - { - "session_memcache_port": { - "type": "integer" - } - }, - { - "session_redis_cluster_maxredirections": { - "type": "integer" - } - }, - { - "session_cookie_renew": { - "type": "number" - } - }, - { - "session_cookie_maxsize": { - "type": "integer" - } - }, - { - "session_strategy": { - "type": "string" - } - }, - { - "session_compressor": { - "type": "string" - } - } - ], + "required": 
true, "fields": [ { "issuer": { - "type": "string", "required": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "discovery_headers_names": { + "required": false, "type": "array", - "description": "Extra header names passed to the discovery endpoint.", "elements": { "type": "string" }, - "required": false + "description": "Extra header names passed to the discovery endpoint." } }, { "discovery_headers_values": { + "required": false, "type": "array", - "description": "Extra header values passed to the discovery endpoint.", "elements": { "type": "string" }, - "required": false + "description": "Extra header values passed to the discovery endpoint." } }, { "extra_jwks_uris": { + "required": false, "type": "set", - "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "required": false + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery)." } }, { "rediscovery_lifetime": { - "type": "number", - "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", "required": false, - "default": 30 + "type": "number", + "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis." } }, { "auth_methods": { - "type": "array", + "required": false, "elements": { - "type": "string", "one_of": [ "password", "client_credentials", 
@@ -188,8 +102,10 @@ "kong_oauth2", "refresh_token", "session" - ] + ], + "type": "string" }, + "description": "Types of credentials/grants to enable.", "default": [ "password", "client_credentials", @@ -201,57 +117,54 @@ "refresh_token", "session" ], - "description": "Types of credentials/grants to enable.", - "required": false + "type": "array" } }, { "client_id": { - "type": "array", + "encrypted": true, "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", - "encrypted": true, - "required": false + "type": "array", + "required": false, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." } }, { "client_secret": { - "type": "array", + "encrypted": true, "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "description": "The client secret.", - "encrypted": true, - "required": false + "type": "array", + "required": false, + "description": "The client secret." } }, { "client_auth": { + "required": false, "type": "array", - "description": "The authentication method used by the client (plugin) when calling the endpoint.", "elements": { - "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none" - ] + ], + "type": "string" }, - "required": false + "description": "The authentication method used by the client (plugin) when calling the endpoint." } }, { "client_jwk": { - "type": "array", "required": false, "elements": { - "type": "record", "required": false, "fields": [ { @@ -274,12 +187,12 @@ }, { "key_ops": { - "type": "array", "required": false, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } }, { 
@@ -302,12 +215,12 @@ }, { "x5c": { - "type": "array", "required": false, "elements": { "required": false, "type": "string" - } + }, + "type": "array" } }, { @@ -324,10 +237,10 @@ }, { "k": { - "type": "string", "encrypted": true, + "required": false, "referenceable": true, - "required": false + "type": "string" } }, { @@ -362,86 +275,86 @@ }, { "d": { - "type": "string", "encrypted": true, + "required": false, "referenceable": true, - "required": false + "type": "string" } }, { "p": { - "type": "string", "encrypted": true, + "required": false, "referenceable": true, - "required": false + "type": "string" } }, { "q": { - "type": "string", "encrypted": true, + "required": false, "referenceable": true, - "required": false + "type": "string" } }, { "dp": { - "type": "string", "encrypted": true, + "required": false, "referenceable": true, - "required": false + "type": "string" } }, { "dq": { - "type": "string", "encrypted": true, + "required": false, "referenceable": true, - "required": false + "type": "string" } }, { "qi": { - "type": "string", "encrypted": true, + "required": false, "referenceable": true, - "required": false + "type": "string" } }, { "oth": { - "type": "string", "encrypted": true, + "required": false, "referenceable": true, - "required": false + "type": "string" } }, { "r": { - "type": "string", "encrypted": true, + "required": false, "referenceable": true, - "required": false + "type": "string" } }, { "t": { - "type": "string", "encrypted": true, + "required": false, "referenceable": true, - "required": false + "type": "string" } } - ] - } + ], + "type": "record" + }, + "type": "array" } }, { "client_alg": { - "type": "array", "required": false, "elements": { - "type": "string", "one_of": [ "HS256", "HS384", 
@@ -456,881 +369,889 @@ "PS384", "PS512", "EdDSA" - ] - } + ], + "type": "string" + }, + "type": "array" } }, { "client_arg": { - "type": "string", - "description": "The client to use for this request (the selection is made with a request parameter with the same name).", "required": false, - "default": "client_id" + "type": "string", + "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name)." } }, { "redirect_uri": { + "required": false, "type": "array", - "description": "The redirect URI passed to the authorization and token endpoints.", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "required": false + "description": "The redirect URI passed to the authorization and token endpoints." } }, { "login_redirect_uri": { + "required": false, "type": "array", - "description": "Where to redirect the client when `login_action` is set to `redirect`.", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "required": false + "description": "Where to redirect the client when `login_action` is set to `redirect`." } }, { "logout_redirect_uri": { + "required": false, "type": "array", - "description": "Where to redirect the client after the logout.", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "required": false + "description": "Where to redirect the client after the logout." } }, { "forbidden_redirect_uri": { + "required": false, "type": "array", - "description": "Where to redirect the client on forbidden requests.", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
}, - "required": false + "description": "Where to redirect the client on forbidden requests." } }, { "forbidden_error_message": { - "type": "string", - "description": "The error message for the forbidden requests (when not using the redirection).", "required": false, - "default": "Forbidden" + "type": "string", + "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection)." } }, { "forbidden_destroy_session": { + "required": false, "type": "boolean", - "description": "Destroy any active session for the forbidden requests.", + "default": true, + "description": "Destroy any active session for the forbidden requests." + } + }, + { + "unauthorized_destroy_session": { "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Destroy any active session for the unauthorized requests." } }, { "unauthorized_redirect_uri": { + "required": false, "type": "array", - "description": "Where to redirect the client on unauthorized requests.", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "required": false + "description": "Where to redirect the client on unauthorized requests." } }, { "unauthorized_error_message": { - "type": "string", - "description": "The error message for the unauthorized requests (when not using the redirection).", "required": false, - "default": "Unauthorized" + "type": "string", + "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection)." } }, { "unexpected_redirect_uri": { + "required": false, "type": "array", - "description": "Where to redirect the client when unexpected errors happen with the requests.", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
}, - "required": false + "description": "Where to redirect the client when unexpected errors happen with the requests." } }, { "response_mode": { - "type": "string", - "default": "query", - "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)", "required": false, "one_of": [ "query", "form_post", "fragment" - ] + ], + "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)", + "default": "query", + "type": "string" } }, { "response_type": { - "type": "array", + "required": false, "elements": { "type": "string" }, + "description": "The response type passed to the authorization endpoint.", "default": [ "code" ], - "description": "The response type passed to the authorization endpoint.", - "required": false + "type": "array" } }, { "scopes": { - "type": "array", + "required": false, "elements": { "type": "string" }, + "description": "The scopes passed to the authorization and token endpoints.", "default": [ "openid" ], - "description": "The scopes passed to the authorization and token endpoints.", - "required": false + "type": "array" } }, { "audience": { + "required": false, "type": "array", - "description": "The audience passed to the authorization endpoint.", "elements": { "type": "string" }, - "required": false + "description": "The audience passed to the authorization endpoint." 
} }, { "issuers_allowed": { + "required": false, "type": "array", - "description": "The issuers allowed to be present in the tokens (`iss` claim).", "elements": { "type": "string" }, - "required": false + "description": "The issuers allowed to be present in the tokens (`iss` claim)." } }, { "scopes_required": { + "required": false, "type": "array", - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" }, - "required": false + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." } }, { "scopes_claim": { - "type": "array", + "required": false, "elements": { "type": "string" }, + "description": "The claim that contains the scopes.", "default": [ "scope" ], - "description": "The claim that contains the scopes.", - "required": false + "type": "array" } }, { "audience_required": { + "required": false, "type": "array", - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" }, - "required": false + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." 
} }, { "audience_claim": { - "type": "array", + "required": false, "elements": { "type": "string" }, + "description": "The claim that contains the audience.", "default": [ "aud" ], - "description": "The claim that contains the audience.", - "required": false + "type": "array" } }, { "groups_required": { + "required": false, "type": "array", - "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" }, - "required": false + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." } }, { "groups_claim": { - "type": "array", + "required": false, "elements": { "type": "string" }, + "description": "The claim that contains the groups.", "default": [ "groups" ], - "description": "The claim that contains the groups.", - "required": false + "type": "array" } }, { "roles_required": { + "required": false, "type": "array", - "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" }, - "required": false + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." 
} }, { "roles_claim": { - "type": "array", + "required": false, "elements": { "type": "string" }, + "description": "The claim that contains the roles.", "default": [ "roles" ], - "description": "The claim that contains the roles.", - "required": false + "type": "array" } }, { "domains": { + "required": false, "type": "array", - "description": "The allowed values for the `hd` claim.", "elements": { "type": "string" }, - "required": false + "description": "The allowed values for the `hd` claim." } }, { "max_age": { - "type": "number", "required": false, + "type": "number", "description": "The maximum age (in seconds) compared to the `auth_time` claim." } }, { "authenticated_groups_claim": { + "required": false, "type": "array", - "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations.", "elements": { "type": "string" }, - "required": false + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations." } }, { "authorization_endpoint": { - "type": "string", "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "authorization_query_args_names": { + "required": false, "type": "array", - "description": "Extra query argument names passed to the authorization endpoint.", "elements": { "type": "string" }, - "required": false + "description": "Extra query argument names passed to the authorization endpoint." 
} }, { "authorization_query_args_values": { + "required": false, "type": "array", - "description": "Extra query argument values passed to the authorization endpoint.", "elements": { "type": "string" }, - "required": false + "description": "Extra query argument values passed to the authorization endpoint." } }, { "authorization_query_args_client": { + "required": false, "type": "array", - "description": "Extra query arguments passed from the client to the authorization endpoint.", "elements": { "type": "string" }, - "required": false + "description": "Extra query arguments passed from the client to the authorization endpoint." } }, { "authorization_rolling_timeout": { - "type": "number", - "description": "Network IO timeout in milliseconds.", "required": false, - "default": 600 + "type": "number", + "default": 600, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." } }, { "authorization_cookie_name": { - "type": "string", - "description": "The authorization cookie name.", "required": false, - "default": "authorization" + "type": "string", + "default": "authorization", + "description": "The authorization cookie name." } }, { "authorization_cookie_path": { - "type": "string", - "default": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "required": false, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "required": false, - "starts_with": "/" + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "default": "/", + "type": "string" } }, { "authorization_cookie_domain": { - "type": "string", "required": false, + "type": "string", "description": "The authorization cookie Domain flag." } }, { "authorization_cookie_same_site": { - "type": "string", - "default": "Default", - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "required": false, "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "default": "Default", + "type": "string" } }, { "authorization_cookie_http_only": { - "type": "boolean", - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." } }, { "authorization_cookie_secure": { - "type": "boolean", "required": false, + "type": "boolean", "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." } }, { "preserve_query_args": { - "type": "boolean", - "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow." 
} }, { "token_endpoint": { - "type": "string", "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "token_endpoint_auth_method": { - "type": "string", - "description": "The token endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "required": false, + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none" - ] + ], + "description": "The token endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate" } }, { "token_headers_names": { + "required": false, "type": "array", - "description": "Extra header names passed to the token endpoint.", "elements": { "type": "string" }, - "required": false + "description": "Extra header names passed to the token endpoint." } }, { "token_headers_values": { + "required": false, "type": "array", - "description": "Extra header values passed to the token endpoint.", "elements": { "type": "string" }, - "required": false + "description": "Extra header values passed to the token endpoint." 
} }, { "token_headers_client": { + "required": false, "type": "array", - "description": "Extra headers passed from the client to the token endpoint.", "elements": { "type": "string" }, - "required": false + "description": "Extra headers passed from the client to the token endpoint." } }, { "token_headers_replay": { + "required": false, "type": "array", - "description": "The names of token endpoint response headers to forward to the downstream client.", "elements": { "type": "string" }, - "required": false + "description": "The names of token endpoint response headers to forward to the downstream client." } }, { "token_headers_prefix": { - "type": "string", "required": false, + "type": "string", "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client." } }, { "token_headers_grants": { + "required": false, "type": "array", - "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant", "elements": { - "type": "string", "one_of": [ "password", "client_credentials", "authorization_code", "refresh_token" - ] + ], + "type": "string" }, - "required": false + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant" } }, { "token_post_args_names": { + "required": false, "type": "array", - "description": "Extra post argument names passed to the token endpoint.", "elements": { "type": "string" }, - "required": false + "description": "Extra post argument names passed to the token endpoint." 
} }, { "token_post_args_values": { + "required": false, "type": "array", - "description": "Extra post argument values passed to the token endpoint.", "elements": { "type": "string" }, - "required": false + "description": "Extra post argument values passed to the token endpoint." } }, { "token_post_args_client": { + "required": false, "type": "array", - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Request Body - Query parameters This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body and send it to the token endpoint.", "elements": { "type": "string" }, - "required": false + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Request Body - Query parameters This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body and send it to the token endpoint." } }, { "introspection_endpoint": { - "type": "string", "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "introspection_endpoint_auth_method": { - "type": "string", - "description": "The introspection endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "required": false, + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none" - ] + ], + "description": "The introspection endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate" } }, { "introspection_hint": { - "type": "string", - "description": "Introspection hint parameter value passed to the introspection endpoint.", "required": false, - "default": "access_token" + "type": "string", + "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint." } }, { "introspection_check_active": { - "type": "boolean", - "description": "Check that the introspection response has an `active` claim with a value of `true`.", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`." 
} }, { "introspection_accept": { - "type": "string", - "default": "application/json", - "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)", "required": false, "one_of": [ "application/json", "application/token-introspection+jwt", "application/jwt" - ] + ], + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)", + "default": "application/json", + "type": "string" } }, { "introspection_headers_names": { + "required": false, "type": "array", - "description": "Extra header names passed to the introspection endpoint.", "elements": { "type": "string" }, - "required": false + "description": "Extra header names passed to the introspection endpoint." } }, { "introspection_headers_values": { + "required": false, "type": "array", - "description": "Extra header values passed to the introspection endpoint.", "elements": { "type": "string" }, - "required": false + "description": "Extra header values passed to the introspection endpoint." } }, { "introspection_headers_client": { + "required": false, "type": "array", - "description": "Extra headers passed from the client to the introspection endpoint.", "elements": { "type": "string" }, - "required": false + "description": "Extra headers passed from the client to the introspection endpoint." 
} }, { "introspection_post_args_names": { + "required": false, "type": "array", - "description": "Extra post argument names passed to the introspection endpoint.", "elements": { "type": "string" }, - "required": false + "description": "Extra post argument names passed to the introspection endpoint." } }, { "introspection_post_args_values": { + "required": false, "type": "array", - "description": "Extra post argument values passed to the introspection endpoint.", "elements": { "type": "string" }, - "required": false + "description": "Extra post argument values passed to the introspection endpoint." } }, { "introspection_post_args_client": { + "required": false, "type": "array", - "description": "Extra post arguments passed from the client to the introspection endpoint.", "elements": { "type": "string" }, - "required": false + "description": "Extra post arguments passed from the client to the introspection endpoint." } }, { "introspect_jwt_tokens": { - "type": "boolean", - "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations)." } }, { "revocation_endpoint": { - "type": "string", "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "revocation_endpoint_auth_method": { - "type": "string", - "description": "The revocation endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "required": false, + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none" - ] + ], + "description": "The revocation endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate" } }, { "end_session_endpoint": { - "type": "string", "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "userinfo_endpoint": { - "type": "string", "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "userinfo_accept": { - "type": "string", - "default": "application/json", - "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)", "required": false, "one_of": [ "application/json", "application/jwt" - ] + ], + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)", + "default": "application/json", + "type": "string" } }, { "userinfo_headers_names": { + "required": false, "type": "array", - "description": "Extra header names passed to the user info endpoint.", "elements": { "type": "string" }, - "required": false + "description": "Extra header names passed to the user info endpoint." } }, { "userinfo_headers_values": { + "required": false, "type": "array", - "description": "Extra header values passed to the user info endpoint.", "elements": { "type": "string" }, - "required": false + "description": "Extra header values passed to the user info endpoint." } }, { "userinfo_headers_client": { + "required": false, "type": "array", - "description": "Extra headers passed from the client to the user info endpoint.", "elements": { "type": "string" }, - "required": false + "description": "Extra headers passed from the client to the user info endpoint." } }, { "userinfo_query_args_names": { + "required": false, "type": "array", - "description": "Extra query argument names passed to the user info endpoint.", "elements": { "type": "string" }, - "required": false + "description": "Extra query argument names passed to the user info endpoint." 
} }, { "userinfo_query_args_values": { + "required": false, "type": "array", - "description": "Extra query argument values passed to the user info endpoint.", "elements": { "type": "string" }, - "required": false + "description": "Extra query argument values passed to the user info endpoint." } }, { "userinfo_query_args_client": { + "required": false, "type": "array", - "description": "Extra query arguments passed from the client to the user info endpoint.", "elements": { "type": "string" }, - "required": false + "description": "Extra query arguments passed from the client to the user info endpoint." } }, { "token_exchange_endpoint": { - "type": "string", "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "session_secret": { - "type": "string", + "encrypted": true, "referenceable": true, "description": "The session secret.", - "encrypted": true, - "required": false + "required": false, + "type": "string" } }, { "session_audience": { - "type": "string", - "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", "required": false, - "default": "default" + "type": "string", + "default": "default", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`." } }, { "session_cookie_name": { - "type": "string", - "description": "The session cookie name.", "required": false, - "default": "session" + "type": "string", + "default": "session", + "description": "The session cookie name." } }, { "session_remember": { - "type": "boolean", - "description": "Enables or disables persistent sessions.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Enables or disables persistent sessions." 
} }, { "session_remember_cookie_name": { - "type": "string", - "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", "required": false, - "default": "remember" + "type": "string", + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter." } }, { "session_remember_rolling_timeout": { - "type": "number", - "description": "Network IO timeout in milliseconds.", "required": false, - "default": 604800 + "type": "number", + "default": 604800, + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling." } }, { "session_remember_absolute_timeout": { - "type": "number", - "description": "Network IO timeout in milliseconds.", "required": false, - "default": 2592000 + "type": "number", + "default": 2592000, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks." } }, { "session_idling_timeout": { - "type": "number", - "description": "Network IO timeout in milliseconds.", "required": false, - "default": 900 + "type": "number", + "default": 900, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching." } }, { "session_rolling_timeout": { - "type": "number", - "description": "Network IO timeout in milliseconds.", "required": false, - "default": 3600 + "type": "number", + "default": 3600, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." } }, { "session_absolute_timeout": { - "type": "number", - "description": "Network IO timeout in milliseconds.", "required": false, - "default": 86400 + "type": "number", + "default": 86400, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 
0 disables the checks." } }, { "session_cookie_path": { - "type": "string", - "default": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "required": false, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "required": false, - "starts_with": "/" + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "default": "/", + "type": "string" } }, { "session_cookie_domain": { - "type": "string", "required": false, + "type": "string", "description": "The session cookie Domain flag." } }, { "session_cookie_same_site": { - "type": "string", - "default": "Lax", - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "required": false, "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "default": "Lax", + "type": "string" } }, { "session_cookie_http_only": { - "type": "boolean", - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." } }, { "session_cookie_secure": { - "type": "boolean", "required": false, + "type": "boolean", "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." 
} }, { "session_request_headers": { - "type": "set", "elements": { - "type": "string", "one_of": [ "id", "audience", @@ -1339,15 +1260,15 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ] - } + ], + "type": "string" + }, + "type": "set" } }, { "session_response_headers": { - "type": "set", "elements": { - "type": "string", "one_of": [ "id", "audience", 
@@ -1356,450 +1277,452 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ] - } + ], + "type": "string" + }, + "type": "set" } }, { "session_storage": { - "type": "string", - "default": "cookie", - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis", "required": false, "one_of": [ "cookie", "memcache", "memcached", "redis" - ] + ], + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis", + "default": "cookie", + "type": "string" } }, { "session_store_metadata": { - "type": "boolean", - "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject." } }, { "session_enforce_same_subject": { - "type": "boolean", - "description": "When set to `true`, audiences are forced to share the same subject.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject." } }, { "session_hash_subject": { - "type": "boolean", - "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." } }, { "session_hash_storage_key": { - "type": "boolean", - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." } }, { "session_memcached_prefix": { - "type": "string", "required": false, + "type": "string", "description": "The memcached session key prefix." } }, { "session_memcached_socket": { - "type": "string", "required": false, + "type": "string", "description": "The memcached unix socket path." } }, { "session_memcached_host": { - "type": "string", - "description": "The memcached host.", "required": false, - "default": "127.0.0.1" + "type": "string", + "default": "127.0.0.1", + "description": "The memcached host." } }, { "session_memcached_port": { - "type": "integer", - "default": 11211, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": false, "between": [ 0, 65535 - ] + ], + "type": "integer", + "default": 11211, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "session_redis_prefix": { - "type": "string", "required": false, + "type": "string", "description": "The Redis session key prefix." } }, { "session_redis_socket": { - "type": "string", "required": false, + "type": "string", "description": "The Redis unix socket path." 
} }, { "session_redis_host": { - "type": "string", - "description": "The Redis host", "required": false, - "default": "127.0.0.1" + "type": "string", + "default": "127.0.0.1", + "description": "The Redis host" } }, { "session_redis_port": { - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": false, "between": [ 0, 65535 - ] + ], + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "session_redis_username": { + "required": false, "type": "string", - "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", "referenceable": true, - "required": false + "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." } }, { "session_redis_password": { - "type": "string", + "encrypted": true, "referenceable": true, "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis.", - "encrypted": true, - "required": false + "required": false, + "type": "string" } }, { "session_redis_connect_timeout": { - "type": "integer", "required": false, - "description": "Network IO timeout in milliseconds." + "type": "integer", + "description": "Session redis connection timeout in milliseconds." } }, { "session_redis_read_timeout": { - "type": "integer", "required": false, - "description": "Network IO timeout in milliseconds." + "type": "integer", + "description": "Session redis read timeout in milliseconds." 
} }, { "session_redis_send_timeout": { - "type": "integer", "required": false, - "description": "Network IO timeout in milliseconds." + "type": "integer", + "description": "Session redis send timeout in milliseconds." } }, { "session_redis_ssl": { - "type": "boolean", - "description": "Use SSL/TLS for Redis connection.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Use SSL/TLS for Redis connection." } }, { "session_redis_ssl_verify": { - "type": "boolean", - "description": "Verify identity provider server certificate.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Verify identity provider server certificate." } }, { "session_redis_server_name": { - "type": "string", "required": false, + "type": "string", "description": "The SNI used for connecting the Redis server." } }, { "session_redis_cluster_nodes": { + "required": false, "type": "array", - "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", "elements": { - "type": "record", "fields": [ { "ip": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "required": true, - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "type": "string" } }, { "port": { - "type": "integer", - "default": 6379, "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 6379, + "type": "integer" } } - ] + ], + "type": "record" }, - "required": false + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values." } }, { "session_redis_cluster_max_redirections": { - "type": "integer", "required": false, + "type": "integer", "description": "The Redis cluster maximum redirects." 
} }, { "reverify": { - "type": "boolean", - "description": "Specifies whether to always verify tokens stored in the session.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Specifies whether to always verify tokens stored in the session." } }, { "jwt_session_claim": { - "type": "string", - "description": "The claim to match against the JWT session cookie.", "required": false, - "default": "sid" + "type": "string", + "default": "sid", + "description": "The claim to match against the JWT session cookie." } }, { "jwt_session_cookie": { - "type": "string", "required": false, + "type": "string", "description": "The name of the JWT session cookie." } }, { "bearer_token_param_type": { - "type": "array", + "required": false, "elements": { - "type": "string", "one_of": [ "header", "cookie", "query", "body" - ] + ], + "type": "string" }, + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`", "default": [ "header", "query", "body" ], - "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`", - "required": false + "type": "array" } }, { "bearer_token_cookie_name": { - "type": "string", "required": false, + "type": "string", "description": "The name of the cookie in which the bearer token is passed." 
} }, { "client_credentials_param_type": { - "type": "array", + "required": false, "elements": { - "type": "string", "one_of": [ "header", "query", "body" - ] + ], + "type": "string" }, + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body", "default": [ "header", "query", "body" ], - "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body", - "required": false + "type": "array" } }, { "password_param_type": { - "type": "array", + "required": false, "elements": { - "type": "string", "one_of": [ "header", "query", "body" - ] + ], + "type": "string" }, + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", "default": [ "header", "query", "body" ], - "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", - "required": false + "type": "array" } }, { "id_token_param_type": { - "type": "array", + "required": false, "elements": { - "type": "string", "one_of": [ "header", "query", "body" - ] + ], + "type": "string" }, + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", "default": [ "header", "query", "body" ], - "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", - "required": false + "type": "array" } }, { "id_token_param_name": { - "type": "string", "required": false, + "type": "string", "description": "The name of the parameter used to pass the id token." 
} }, { "refresh_token_param_type": { - "type": "array", + "required": false, "elements": { - "type": "string", "one_of": [ "header", "query", "body" - ] + ], + "type": "string" }, + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", "default": [ "header", "query", "body" ], - "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", - "required": false + "type": "array" } }, { "refresh_token_param_name": { - "type": "string", "required": false, + "type": "string", "description": "The name of the parameter used to pass the refresh token." } }, { "refresh_tokens": { - "type": "boolean", - "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available." } }, { "upstream_headers_claims": { + "required": false, "type": "array", - "description": "The upstream header claims.", "elements": { "type": "string" }, - "required": false + "description": "The upstream header claims." } }, { "upstream_headers_names": { + "required": false, "type": "array", - "description": "The upstream header names for the claim values.", "elements": { "type": "string" }, - "required": false + "description": "The upstream header names for the claim values." } }, { "upstream_access_token_header": { - "type": "string", - "description": "The upstream access token header.", "required": false, - "default": "authorization:bearer" + "type": "string", + "default": "authorization:bearer", + "description": "The upstream access token header." 
} }, { "upstream_access_token_jwk_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream access token JWK header." } }, { "upstream_id_token_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream id token header." } }, { "upstream_id_token_jwk_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream id token JWK header." } }, { "upstream_refresh_token_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream refresh token header." } }, { "upstream_user_info_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream user info header." } }, { "upstream_user_info_jwt_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream user info JWT header (in case the user info returns a JWT response)." } }, { "upstream_introspection_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream introspection header." } }, 
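Review bot: The description kept for `session_redis_ssl_verify` on the new side reads "Verify identity provider server certificate.", but the field sits among the `session_redis_*` options and appears to control verification of the Redis server's certificate, so the text looks carried over from another field. With `"default": false`, turning on `session_redis_ssl` alone presumably gives an encrypted connection to the session store whose peer is not authenticated; the description should say that, e.g. `"description": "Verify the Redis server certificate when session_redis_ssl is enabled; with the default false the server's identity is not checked."`. Because this file is pulled from the API, the wording would have to be corrected in the upstream schema and re-downloaded. In the same hunk, `session_redis_cluster_nodes` is described as taking `ip` or `host`, while the record defines only `ip` and `port`.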
@@ -1811,84 +1734,84 @@ }, { "upstream_session_id_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream session id header." } }, { "downstream_headers_claims": { + "required": false, "type": "array", - "description": "The downstream header claims.", "elements": { "type": "string" }, - "required": false + "description": "The downstream header claims." } }, { "downstream_headers_names": { + "required": false, "type": "array", - "description": "The downstream header names for the claim values.", "elements": { "type": "string" }, - "required": false + "description": "The downstream header names for the claim values." } }, { "downstream_access_token_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream access token header." } }, { "downstream_access_token_jwk_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream access token JWK header." } }, { "downstream_id_token_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream id token header." } }, { "downstream_id_token_jwk_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream id token JWK header." } }, { "downstream_refresh_token_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream refresh token header." } }, { "downstream_user_info_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream user info header." } }, { "downstream_user_info_jwt_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream user info JWT header (in case the user info returns a JWT response)." } }, { "downstream_introspection_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream introspection header." } }, 
@@ -1900,16 +1823,15 @@ }, { "downstream_session_id_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream session id header." } }, { "login_methods": { - "type": "array", + "required": false, "elements": { - "type": "string", "one_of": [ "password", "client_credentials", 
@@ -1920,234 +1842,234 @@ "kong_oauth2", "refresh_token", "session" - ] + ], + "type": "string" }, + "description": "Enable login functionality with specified grants.", "default": [ "authorization_code" ], - "description": "Enable login functionality with specified grants.", - "required": false + "type": "array" } }, { "login_action": { - "type": "string", - "default": "upstream", - "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location", "required": false, "one_of": [ "upstream", "response", "redirect" - ] + ], + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location", + "default": "upstream", + "type": "string" } }, { "login_tokens": { - "type": "array", + "required": false, "elements": { - "type": "string", "one_of": [ "id_token", "access_token", "refresh_token", "tokens", "introspection" - ] + ], + "type": "string" }, + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response", "default": [ "id_token" ], - "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response", - "required": false + "type": "array" } }, { "login_redirect_mode": { - "type": "string", - "default": "fragment", - "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in 
query string - `fragment`: place tokens in url fragment (not readable by servers)", "required": false, "one_of": [ "query", "fragment" - ] + ], + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)", + "default": "fragment", + "type": "string" } }, { "logout_query_arg": { - "type": "string", "required": false, + "type": "string", "description": "The request query argument that activates the logout." } }, { "logout_post_arg": { - "type": "string", "required": false, + "type": "string", "description": "The request body argument that activates the logout." } }, { "logout_uri_suffix": { - "type": "string", "required": false, + "type": "string", "description": "The request URI suffix that activates the logout." } }, { "logout_methods": { - "type": "array", + "required": false, "elements": { - "type": "string", "one_of": [ "POST", "GET", "DELETE" - ] + ], + "type": "string" }, + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method", "default": [ "POST", "DELETE" ], - "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method", - "required": false + "type": "array" } }, { "logout_revoke": { - "type": "boolean", - "description": "Revoke tokens as part of the logout.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Revoke tokens as part of the logout." } }, { "logout_revoke_access_token": { - "type": "boolean", - "description": "Revoke the access token as part of the logout.", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Revoke the access token as part of the logout." 
} }, { "logout_revoke_refresh_token": { - "type": "boolean", - "description": "Revoke the refresh token as part of the logout.", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Revoke the refresh token as part of the logout." } }, { "consumer_claim": { + "required": false, "type": "array", - "description": "The claim used for consumer mapping.", "elements": { "type": "string" }, - "required": false + "description": "The claim used for consumer mapping." } }, { "consumer_by": { - "type": "array", + "required": false, "elements": { - "type": "string", "one_of": [ "id", "username", "custom_id" - ] + ], + "type": "string" }, + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`", "default": [ "username", "custom_id" ], - "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`", - "required": false + "type": "array" } }, { "consumer_optional": { - "type": "boolean", - "description": "Do not terminate the request if consumer mapping fails.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Do not terminate the request if consumer mapping fails." } }, { "credential_claim": { - "type": "array", + "required": false, "elements": { "type": "string" }, + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used.", "default": [ "sub" ], - "description": "The claim used to derive virtual credentials (e.g. 
to be consumed by the rate-limiting plugin), in case the consumer mapping is not used.", - "required": false + "type": "array" } }, { "anonymous": { - "type": "string", "required": false, + "type": "string", "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { "run_on_preflight": { - "type": "boolean", - "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests." } }, { "leeway": { - "type": "number", - "description": "Allow some leeway (in seconds) on the ttl / expiry verification.", "required": false, - "default": 0 + "type": "number", + "default": 0, + "description": "Allow some leeway (in seconds) on the iat claim and ttl / expiry verification." } }, { "verify_parameters": { - "type": "boolean", - "description": "Verify plugin configuration against discovery.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Verify plugin configuration against discovery." } }, { "verify_nonce": { - "type": "boolean", - "description": "Verify nonce on authorization code flow.", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Verify nonce on authorization code flow." } }, { "verify_claims": { - "type": "boolean", - "description": "Verify tokens for standard claims.", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Verify tokens for standard claims." 
} }, { "verify_signature": { - "type": "boolean", - "description": "Verify signature of tokens.", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Verify signature of tokens." } }, { "ignore_signature": { - "type": "array", + "required": false, "elements": { - "type": "string", "one_of": [ "password", "client_credentials", @@ -2156,29 +2078,29 @@ "session", "introspection", "userinfo" - ] + ], + "type": "string" }, + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication", "default": [ ], - "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication", - "required": false + "type": "array" } }, { "enable_hs_signatures": { - "type": "boolean", - "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted)." } }, { "disable_session": { + "required": false, "type": "array", - "description": "Disable issuing the session cookie with the specified grants.", "elements": { - "type": "string", "one_of": [ "password", "client_credentials", 
@@ -2189,210 +2111,320 @@ "kong_oauth2", "refresh_token", "session" - ] + ], + "type": "string" }, - "required": false + "description": "Disable issuing the session cookie with the specified grants." } }, { "cache_ttl": { - "type": "number", - "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", "required": false, - "default": 3600 + "type": "number", + "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry." } }, { "cache_ttl_max": { - "type": "number", "required": false, + "type": "number", "description": "The maximum cache ttl in seconds (enforced)." } }, { "cache_ttl_min": { - "type": "number", "required": false, + "type": "number", "description": "The minimum cache ttl in seconds (enforced)." } }, { "cache_ttl_neg": { - "type": "number", "required": false, + "type": "number", "description": "The negative cache ttl in seconds." } }, { "cache_ttl_resurrect": { - "type": "number", "required": false, + "type": "number", "description": "The resurrection ttl in seconds." } }, { "cache_tokens": { - "type": "boolean", - "description": "Cache the token endpoint requests.", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Cache the token endpoint requests." } }, { "cache_tokens_salt": { - "type": "string", - "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", "required": false, - "auto": true + "type": "string", + "auto": true, + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." } }, { "cache_introspection": { - "type": "boolean", - "description": "Cache the introspection endpoint requests.", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Cache the introspection endpoint requests." 
} }, { "cache_token_exchange": { - "type": "boolean", - "description": "Cache the token exchange endpoint requests.", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Cache the token exchange endpoint requests." } }, { "cache_user_info": { - "type": "boolean", - "description": "Cache the user info requests.", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Cache the user info requests." } }, { "search_user_info": { - "type": "boolean", - "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers." } }, { "hide_credentials": { - "type": "boolean", - "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication." 
} }, { "http_version": { - "type": "number", - "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0", "required": false, - "default": 1.1 + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0", + "default": 1.1, + "type": "number" } }, { "http_proxy": { - "type": "string", "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "http_proxy_authorization": { - "type": "string", "required": false, + "type": "string", "description": "The HTTP proxy authorization." } }, { "https_proxy": { - "type": "string", "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "https_proxy_authorization": { - "type": "string", "required": false, + "type": "string", "description": "The HTTPS proxy authorization." } }, { "no_proxy": { - "type": "string", "required": false, + "type": "string", "description": "Do not use proxy with these hosts." } }, { "keepalive": { - "type": "boolean", - "description": "Use keepalive with the HTTP client.", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Use keepalive with the HTTP client." } }, { "ssl_verify": { - "type": "boolean", - "description": "Verify identity provider server certificate.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Verify identity provider server certificate." 
} }, { "timeout": { - "type": "number", - "description": "Network IO timeout in milliseconds.", "required": false, - "default": 10000 + "type": "number", + "default": 10000, + "description": "Network IO timeout in milliseconds." } }, { "display_errors": { - "type": "boolean", - "description": "Display errors on failure responses.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Display errors on failure responses." } }, { "by_username_ignore_case": { - "type": "boolean", - "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively." } }, { "resolve_distributed_claims": { - "type": "boolean", - "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims." } }, { "expose_error_code": { "type": "boolean", - "default": true + "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable." 
} }, { "token_cache_key_include_scope": { "type": "boolean", - "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", - "default": false + "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens." + } + }, + { + "introspection_token_param_name": { + "required": false, + "type": "string", + "default": "token", + "description": "Designate token's parameter name for introspection." + } + }, + { + "using_pseudo_issuer": { + "type": "boolean", + "default": false, + "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL." + } + }, + { + "revocation_token_param_name": { + "required": false, + "type": "string", + "default": "token", + "description": "Designate token's parameter name for revocation." } } ], - "required": true + "shorthand_fields": [ + { + "authorization_cookie_lifetime": { + "type": "number" + } + }, + { + "authorization_cookie_samesite": { + "type": "string" + } + }, + { + "authorization_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_cookie_lifetime": { + "type": "number" + } + }, + { + "session_cookie_idletime": { + "type": "number" + } + }, + { + "session_cookie_samesite": { + "type": "string" + } + }, + { + "session_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "type": "string" + } + }, + { + "session_memcache_socket": { + "type": "string" + } + }, + { + "session_memcache_host": { + "type": "string" + } + }, + { + "session_memcache_port": { + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer" + } + }, + { + "session_cookie_renew": { + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "type": "integer" + } + }, + { + "session_strategy": { + "type": "string" + } + }, + { + "session_compressor": { + "type": 
"string" + } + } + ], + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/opentelemetry/3.5.x.json b/schemas/opentelemetry/3.5.x.json index e2187382..29e0f1b5 100644 --- a/schemas/opentelemetry/3.5.x.json +++ b/schemas/opentelemetry/3.5.x.json 
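Review bot: `ssl_verify` keeps `"default": false` in this hunk, and its description, `Verify identity provider server certificate.`, does not say that the default leaves the identity provider's certificate unchecked. For a plugin whose token checks presumably rely on data fetched from the issuer, the description should state the consequence, for example `Verify identity provider server certificate. Defaults to false; set to true so that responses from the identity provider are authenticated.` The added `shorthand_fields` entries (`session_cookie_samesite`, `session_cookie_httponly` and the rest) carry only a `type` and would benefit from descriptions as well. If these files are generated from the plugin's own schema, the wording would have to change there.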
@@ -1,97 +1,84 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "batch_span_count", - "batch_flush_delay" - ] - } - } - ], "required": true, + "type": "record", "fields": [ { "endpoint": { - "type": "string", "required": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "referenceable": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "type": "string" } }, { "headers": { "type": "map", + "keys": { + "type": "string", + "description": "A string representing an HTTP header name." + }, "values": { "referenceable": true, "type": "string" }, - "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", - "keys": { - "type": "string", - "description": "A string representing an HTTP header name." - } + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend." 
} }, { "resource_attributes": { - "type": "map", - "values": { + "keys": { "required": true, "type": "string" }, - "keys": { + "values": { "required": true, "type": "string" - } + }, + "type": "map" } }, { "queue": { - "type": "record", + "required": true, "fields": [ { "max_batch_size": { "type": "integer", - "default": 1, "description": "Maximum number of entries that can be processed at a time.", + "default": 1, "between": [ 1, 1000000 @@ -101,8 +88,8 @@ { "max_coalescing_delay": { "type": "number", - "default": 1, "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "default": 1, "between": [ 0, 3600 @@ -112,8 +99,8 @@ { "max_entries": { "type": "integer", - "default": 10000, "description": "Maximum number of entries that can be waiting on the queue.", + "default": 10000, "between": [ 1, 1000000 @@ -129,15 +116,15 @@ { "max_retry_time": { "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "default": 60 + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { "type": "number", - "default": 0.01, "description": "Time in seconds before the initial retry is made for a failing batch.", + "default": 0.01, "between": [ 0.001, 1000000 
@@ -147,61 +134,61 @@ { "max_retry_delay": { "type": "number", - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff." } } ], - "required": true + "type": "record" } }, { "batch_span_count": { - "type": "integer", - "description": "The number of spans to be sent in a single batch." + "description": "The number of spans to be sent in a single batch.", + "type": "integer" } }, { "batch_flush_delay": { - "type": "integer", - "description": "The delay, in seconds, between two consecutive batches." + "description": "The delay, in seconds, between two consecutive batches.", + "type": "integer" } }, { "connect_timeout": { - "type": "integer", - "default": 1000, "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 1000, + "type": "integer" } }, { "send_timeout": { - "type": "integer", - "default": 5000, "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 5000, + "type": "integer" } }, { "read_timeout": { - "type": "integer", - "default": 5000, "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 5000, + "type": "integer" } }, { @@ -211,7 +198,7 @@ }, { "header_type": { - "type": "string", + "required": false, "one_of": [ "preserve", "ignore", 
@@ -220,14 +207,29 @@ "w3c", "jaeger", "ot", - "aws" + "aws", + "gcp", + "datadog" ], - "required": false, - "default": "preserve" + "default": "preserve", + "type": "string" + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "batch_span_count", + "batch_flush_delay" + ] } } ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/post-function/3.5.x.json b/schemas/post-function/3.5.x.json index 4c532bad..4daa34eb 100644 --- a/schemas/post-function/3.5.x.json +++ b/schemas/post-function/3.5.x.json @@ -1,27 +1,9 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.certificate", - "config.rewrite", - "config.access", - "config.header_filter", - "config.body_filter", - "config.log", - "config.ws_handshake", - "config.ws_upstream_frame", - "config.ws_client_frame", - "config.ws_close" - ] - } - ], "fields": [ { "protocols": { - "type": "set", "required": false, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", @@ -29,7 +11,8 @@ "https", "ws", "wss" - ] + ], + "type": "string" }, "default": [ "grpc", @@ -38,30 +21,30 @@ "https", "ws", "wss" - ] + ], + "type": "set" } }, { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -74,155 +57,172 @@ "ws", "wss" ], + "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", - "required": true + "description": "A set of strings representing protocols." } }, { "config": { - "type": "record", + "required": true, "fields": [ { "certificate": { - "type": "array", "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "rewrite": { - "type": "array", "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "access": { - "type": "array", "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "header_filter": { - "type": "array", "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "body_filter": { - "type": "array", "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "log": { - "type": "array", "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "ws_handshake": { - "type": "array", "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "ws_client_frame": { - "type": "array", "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { 
"ws_upstream_frame": { - "type": "array", "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "ws_close": { - "type": "array", "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "default": [ - ] + ], + "type": "array" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } ] } \ No newline at end of file diff --git a/schemas/pre-function/3.5.x.json b/schemas/pre-function/3.5.x.json index 4c532bad..4daa34eb 100644 --- a/schemas/pre-function/3.5.x.json +++ b/schemas/pre-function/3.5.x.json @@ -1,27 +1,9 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.certificate", - "config.rewrite", - "config.access", - "config.header_filter", - "config.body_filter", - "config.log", - "config.ws_handshake", - "config.ws_upstream_frame", - "config.ws_client_frame", - "config.ws_close" - ] - } - ], "fields": [ { "protocols": { - "type": "set", "required": false, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", @@ -29,7 +11,8 @@ "https", "ws", "wss" - ] + ], + "type": "string" }, "default": [ "grpc", 
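Review bot: None of the phase fields under `config` in the `@@ -74,155 +57,172 @@` hunk of `schemas/post-function/3.5.x.json` (`certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, `log` and the four `ws_*` fields) has a `description`, unlike the `protocols` field above them. Each is a required array of strings, and the schema does not say what those strings are. If they are code that the gateway executes in the named phase, as the plugin name suggests, each description should say so, e.g. `"description": "Function source strings run during the access phase. Treat write access to this field as code execution on the gateway."`. The matching hunk of `schemas/pre-function/3.5.x.json` has the same gap.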
@@ -38,30 +21,30 @@ "https", "ws", "wss" - ] + ], + "type": "set" } }, { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -74,155 +57,172 @@ "ws", "wss" ], + "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", - "required": true + "description": "A set of strings representing protocols." } }, { "config": { - "type": "record", + "required": true, "fields": [ { "certificate": { - "type": "array", "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "rewrite": { - "type": "array", "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "access": { - "type": "array", "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "header_filter": { - "type": "array", "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "body_filter": { - "type": "array", "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "log": { - "type": "array", "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "ws_handshake": { - "type": "array", "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "ws_client_frame": { - "type": "array", "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { 
"ws_upstream_frame": { - "type": "array", "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "ws_close": { - "type": "array", "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "default": [ - ] + ], + "type": "array" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } ] } \ No newline at end of file diff --git a/schemas/prometheus/3.5.x.json b/schemas/prometheus/3.5.x.json index 96f7a5ee..9ca74ac5 100644 --- a/schemas/prometheus/3.5.x.json +++ b/schemas/prometheus/3.5.x.json @@ -1,13 +1,9 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,68 +16,72 @@ "ws", "wss" ], + "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", - "required": true + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "per_consumer": { "type": "boolean", - "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", - "default": false + "default": false, + "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available." } }, { "status_code_metrics": { "type": "boolean", - "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", - "default": false + "default": false, + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported." } }, { "latency_metrics": { "type": "boolean", - "description": "A boolean value that determines if status code metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", - "default": false + "default": false, + "description": "A boolean value that determines if status code metrics should be collected. 
If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported." } }, { "bandwidth_metrics": { "type": "boolean", - "description": "A boolean value that determines if status code metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", - "default": false + "default": false, + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported." } }, { "upstream_health_metrics": { "type": "boolean", - "description": "A boolean value that determines if status code metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", - "default": false + "default": false, + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `upstream_target_health` metric will be exported." } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/proxy-cache-advanced/3.5.x.json b/schemas/proxy-cache-advanced/3.5.x.json index f0af8979..3cccf765 100644 --- a/schemas/proxy-cache-advanced/3.5.x.json +++ b/schemas/proxy-cache-advanced/3.5.x.json 
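Review bot: The descriptions of `latency_metrics`, `bandwidth_metrics` and `upstream_health_metrics` all open with `A boolean value that determines if status code metrics should be collected.`, which is the sentence from `status_code_metrics` carried over unchanged. Each should name its own metric family, e.g. `A boolean value that determines if latency metrics should be collected.` for `latency_metrics`, with the matching wording for bandwidth and upstream health. The second sentence of each description already names the exported metrics, so only the first sentence needs to change.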
@@ -1,51 +1,43 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "response_code": { - "type": "array", + "required": true, + "len_min": 1, "elements": { "type": "integer", "between": [ 
@@ -53,84 +45,83 @@ 900 ] }, - "len_min": 1, - "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", - "required": true, + "type": "array", "default": [ 200, 301, 404 - ] + ], + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900." } }, { "request_method": { - "type": "array", + "required": true, "elements": { - "type": "string", "one_of": [ "HEAD", "GET", "POST", "PATCH", "PUT" - ] + ], + "type": "string" }, + "type": "array", "default": [ "GET", "HEAD" ], - "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", - "required": true + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`." } }, { "content_type": { - "type": "array", + "required": true, "elements": { "type": "string" }, + "type": "array", "default": [ "text/plain", "application/json" ], - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", - "required": true + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned." 
} }, { "cache_ttl": { - "type": "integer", "gt": 0, "description": "TTL in seconds of cache entities.", - "default": 300 + "default": 300, + "type": "integer" } }, { "strategy": { - "type": "string", - "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", "required": true, + "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", "one_of": [ "memory", "redis" - ] + ], + "type": "string" } }, { "cache_control": { - "type": "boolean", - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", "required": true, - "default": false + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "default": false, + "type": "boolean" } }, { "ignore_uri_case": { - "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", - "type": "boolean", "required": false, - "default": false + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", + "default": false, + "type": "boolean" } }, { 
@@ -141,100 +132,69 @@ }, { "memory": { - "type": "record", + "required": true, "fields": [ { "dictionary_name": { - "type": "string", - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", "required": true, - "default": "kong_db_cache" + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "default": "kong_db_cache", + "type": "string" } } ], - "required": true + "type": "record" } }, { "vary_query_params": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration." } }, { "vary_headers": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." 
} }, { - "redis": { + "response_headers": { + "required": true, "type": "record", - "entity_checks": [ + "fields": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] + "age": { + "default": true, + "type": "boolean" } }, { - "mutually_exclusive_sets": { - "set2": [ - "cluster_addresses" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] + "X-Cache-Status": { + "default": true, + "type": "boolean" } }, { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_addresses" - ] + "X-Cache-Key": { + "default": true, + "type": "boolean" } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] } ], + "description": "Caching related diagnostic headers that should be included in cached responses" + } + }, + { + "redis": { "required": true, + "type": "record", "fields": [ { "host": { 
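Review bot: The three sub-fields of the new `response_headers` record (`age`, `X-Cache-Status`, `X-Cache-Key`) have no `description`, and all three default to `true`. A reader of the schema therefore cannot tell that these diagnostic headers, including one that by its name carries the cache key, are sent to clients unless an operator switches them off. Each sub-field should get a one-line description, for example `"description": "Whether to add the X-Cache-Key header to responses."` on `X-Cache-Key`, and the record-level text could say that the headers are enabled by default. The same record is added without descriptions in the `schemas/proxy-cache/3.5.x.json` hunk further down. If these files are regenerated from the API, the wording presumably has to be fixed in the plugin source.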
@@ -244,185 +204,252 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "timeout": { - "type": "integer", - "default": 2000, "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "type": "integer" } }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "username": { - "type": "string", "referenceable": true, + "type": "string", "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." } }, { "password": { - "type": "string", "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "referenceable": true, - "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis." + "type": "string" } }, { "sentinel_username": { - "type": "string", "referenceable": true, + "type": "string", "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." } }, { "sentinel_password": { - "type": "string", "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "referenceable": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + "type": "string" } }, { "database": { "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy", - "default": 0 + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy" } }, { "keepalive_pool_size": { "type": "integer", - "default": 30, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value.", "between": [ 1, 2147483646 - ] + ], + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." } }, { "keepalive_backlog": { - "type": "integer", - "description": "Limits the total number of opened connections for a pool. 
If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued connect operations resume once the number of connections in the pool is less than `keepalive_pool_size`. Note that queued connect operations are subject to set timeouts.", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 - ] + ], + "type": "integer" } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", "one_of": [ "master", "slave", "any" - ] + ], + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_addresses": { - "type": "array", - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. 
The minimum length of the array is 1 element.", "elements": { "type": "string" }, + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "type": "array", "len_min": 1 } }, { "cluster_addresses": { - "type": "array", - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "type": "array", "len_min": 1 } }, { "ssl": { - "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "If set to true, uses SSL to connect to Redis." } }, { "ssl_verify": { - "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." 
} }, { "server_name": { - "type": "string", "required": false, - "description": "A string representing an SNI (server name indication) value for TLS." + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "host", + "port" + ] } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "cluster_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "cluster_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] } ] } }, { "bypass_on_err": { - "type": "boolean", "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", - "default": false + "default": false, + "type": "boolean" } } ], - "required": true + "type": "record" + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/proxy-cache/3.5.x.json b/schemas/proxy-cache/3.5.x.json index e98ccce8..ed75cf88 100644 --- a/schemas/proxy-cache/3.5.x.json +++ b/schemas/proxy-cache/3.5.x.json @@ -1,19 +1,9 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
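Review bot: In the `redis` record of `schemas/proxy-cache-advanced/3.5.x.json` (the `@@ -244,185 +204,252 @@` hunk), `ssl` and `ssl_verify` both keep `"default": false` alongside the `password` and `sentinel_password` fields, and neither description says what that default implies. I would append `When false (the default), the connection to Redis is not encrypted.` to the `ssl` text and `When false (the default), the Redis server certificate is not checked.` to the `ssl_verify` text. The `redis` record opens in the previous hunk, and the same fields appear again in the `rate-limiting-advanced` hunk, which runs to the end of the visible page. Separately, this hunk changes the `keepalive_pool_size` default from 30 to 256, which is easy to miss among the key reordering.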
@@ -26,33 +16,35 @@ "ws", "wss" ], + "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", - "required": true + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "response_code": { - "type": "array", + "required": true, + "len_min": 1, "elements": { "type": "integer", "between": [ 
@@ -60,126 +52,161 @@ 900 ] }, - "len_min": 1, "description": "Upstream response status code considered cacheable.", - "required": true, "default": [ 200, 301, 404 - ] + ], + "type": "array" } }, { "request_method": { - "type": "array", + "required": true, "elements": { - "type": "string", "one_of": [ "HEAD", "GET", "POST", "PATCH", "PUT" - ] + ], + "type": "string" }, + "description": "Downstream request methods considered cacheable.", "default": [ "GET", "HEAD" ], - "description": "Downstream request methods considered cacheable.", - "required": true + "type": "array" } }, { "content_type": { - "type": "array", + "required": true, "elements": { "type": "string" }, + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", "default": [ "text/plain", "application/json" ], - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", - "required": true + "type": "array" } }, { "cache_ttl": { - "description": "TTL, in seconds, of cache entities.", "gt": 0, "type": "integer", - "default": 300 + "default": 300, + "description": "TTL, in seconds, of cache entities." } }, { "strategy": { - "description": "The backing data store in which to hold cache entities.", - "type": "string", "required": true, + "type": "string", "one_of": [ "memory" - ] + ], + "description": "The backing data store in which to hold cache entities." } }, { "cache_control": { - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", - "type": "boolean", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234." 
} }, { "ignore_uri_case": { - "type": "boolean", "required": false, - "default": false + "default": false, + "type": "boolean" } }, { "storage_ttl": { - "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", - "type": "integer" + "type": "integer", + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." } }, { "memory": { - "type": "record", + "required": true, "fields": [ { "dictionary_name": { - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", - "type": "string", "required": true, - "default": "kong_db_cache" + "type": "string", + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template." } } ], - "required": true + "type": "record" } }, { "vary_query_params": { - "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "elements": { "type": "string" }, + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "type": "array" } }, { "vary_headers": { - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "elements": { "type": "string" }, + "description": "Relevant headers considered for the cache key. 
If undefined, none of the headers are taken into consideration.", "type": "array" } + }, + { + "response_headers": { + "required": true, + "description": "Caching related diagnostic headers that should be included in cached responses", + "fields": [ + { + "age": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Status": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Key": { + "default": true, + "type": "boolean" + } + } + ], + "type": "record" + } } ], - "required": true + "type": "record" + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/rate-limiting-advanced/3.5.x.json b/schemas/rate-limiting-advanced/3.5.x.json index 050705a1..dc063492 100644 --- a/schemas/rate-limiting-advanced/3.5.x.json +++ b/schemas/rate-limiting-advanced/3.5.x.json @@ -1,45 +1,33 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", + "required": true, "fields": [ { "identifier": { - "type": "string", - "default": "consumer", - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, or `path`.", "required": true, "one_of": [ "ip", 
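Review bot: `ignore_uri_case` in the `config` record of `schemas/proxy-cache/3.5.x.json` (the `@@ -60,126 +52,161 @@` hunk) still has no `description`, although its neighbours do and the proxy-cache-advanced schema documents the same field. The option decides which request URIs share a cache entry, so it should not be left unexplained. Reusing the advanced plugin's text would do: `"description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI."`. The `config` record starts before this hunk.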
@@ -48,38 +36,41 @@ "service", "header", "path" - ] + ], + "type": "string", + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, or `path`." } }, { "window_size": { - "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "required": true, "type": "array", "elements": { "type": "number" }, - "required": true + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified." } }, { "window_type": { - "type": "string", "one_of": [ "fixed", "sliding" ], - "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", - "default": "sliding" + "type": "string", + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters." } }, { "limit": { - "description": "One or more requests-per-window limits to apply. 
There must be a matching number of window limits and sizes specified.", + "required": true, "type": "array", "elements": { "type": "number" }, - "required": true + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified." } }, { 
@@ -90,45 +81,45 @@ }, { "namespace": { - "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace.", - "type": "string", "required": true, - "auto": true + "type": "string", + "auto": true, + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same." } }, { "strategy": { - "type": "string", - "default": "local", - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "required": true, "one_of": [ "cluster", "redis", "local" - ] + ], + "type": "string", + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`." } }, { "dictionary_name": { - "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", - "type": "string", "required": true, - "default": "kong_rate_limiting_counters" + "type": "string", + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle." 
} }, { "hide_client_headers": { "type": "boolean", - "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", - "default": false + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters." } }, { "retry_after_jitter_max": { "type": "number", - "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", - "default": 0 + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header." } }, { 
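Review bot: The `strategy` description in this hunk lists only `local` and `cluster` as available values, but the `one_of` list on the same field also accepts `redis`. The `dictionary_name` description just below also refers to `config.strategy` being `cluster` or `redis`. The description should name all three, e.g. `"description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: local, cluster, and redis."` (with the values in backticks as elsewhere in the file). The enclosing `config` record starts outside the hunk.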
@@ -152,66 +143,8 @@ }, { "redis": { - "type": "record", - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_addresses" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_addresses" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - } - ], "required": true, + "type": "record", "fields": [ { "host": { 
@@ -221,172 +154,230 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "timeout": { - "type": "integer", - "default": 2000, "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "type": "integer" } }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "username": { - "type": "string", "referenceable": true, + "type": "string", "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." } }, { "password": { - "type": "string", "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "referenceable": true, - "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis." + "type": "string" } }, { "sentinel_username": { - "type": "string", "referenceable": true, + "type": "string", "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." } }, { "sentinel_password": { - "type": "string", "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "referenceable": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + "type": "string" } }, { "database": { "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy", - "default": 0 + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy" } }, { "keepalive_pool_size": { "type": "integer", - "default": 30, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value.", "between": [ 1, 2147483646 - ] + ], + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." } }, { "keepalive_backlog": { - "type": "integer", - "description": "Limits the total number of opened connections for a pool. 
If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued connect operations resume once the number of connections in the pool is less than `keepalive_pool_size`. Note that queued connect operations are subject to set timeouts.", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 - ] + ], + "type": "integer" } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", "one_of": [ "master", "slave", "any" - ] + ], + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_addresses": { - "type": "array", - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. 
The minimum length of the array is 1 element.", "elements": { "type": "string" }, + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "type": "array", "len_min": 1 } }, { "cluster_addresses": { - "type": "array", - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "type": "array", "len_min": 1 } }, { "ssl": { - "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "If set to true, uses SSL to connect to Redis." } }, { "ssl_verify": { - "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." 
} }, { "server_name": { - "type": "string", "required": false, - "description": "A string representing an SNI (server name indication) value for TLS." + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "cluster_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "cluster_addresses" + ], + "set2": [ + "host", + "port" + ] } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] } ] } 
@@ -394,43 +385,52 @@ { "enforce_consumer_groups": { "type": "boolean", - "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", - "default": false + "default": false, + "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups." } }, { "consumer_groups": { - "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", "elements": { "type": "string" }, + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", "type": "array" } }, { "disable_penalty": { "type": "boolean", - "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", - "default": false + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. 
This parameter only affects the `sliding` window_type." } }, { "error_code": { - "type": "number", "gt": 0, - "description": "Set a custom error code to return when the rate limit is exceeded.", - "default": 429 + "type": "number", + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded." } }, { "error_message": { "type": "string", - "description": "Set a custom error message to return when the rate limit is exceeded.", - "default": "API rate limit exceeded" + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded." } } ], - "required": true + "type": "record" + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/rate-limiting/3.5.x.json b/schemas/rate-limiting/3.5.x.json index e96a9aba..5f6b7f18 100644 --- a/schemas/rate-limiting/3.5.x.json +++ b/schemas/rate-limiting/3.5.x.json 
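Review bot: `error_code` in this hunk is declared as `"type": "number"` with only `"gt": 0`, so as far as the schema shows it accepts fractional values and anything above 599 as the status returned on a rate-limit hit. `schemas/request-termination/3.5.x.json` in this same patch constrains its `status_code` with `"type": "integer"` and `"between": [100, 599]`, and the same constraint here would keep throttled responses inside the valid HTTP range. At minimum, the description could say that choosing a success status hides throttling from clients and from monitoring keyed on `429`. The same `error_code` definition appears in the `@@ -260,50 +188,122 @@` hunk of `schemas/rate-limiting/3.5.x.json`.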
@@ -1,156 +1,83 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.second", - "config.minute", - "config.hour", - "config.day", - "config.month", - "config.year" - ] - }, - { - "conditional": { - "then_field": "config.redis_host", - "if_field": "config.policy", - "then_match": { - "required": true - }, - "if_match": { - "eq": "redis" - } - } - }, - { - "conditional": { - "then_field": "config.redis_port", - "if_field": "config.policy", - "then_match": { - "required": true - }, - "if_match": { - "eq": "redis" - } - } - }, - { - "conditional": { - "then_field": "config.header_name", - "if_field": "config.limit_by", - "then_match": { - "required": true - }, - "if_match": { - "eq": "header" - } - } - }, - { - "conditional": { - "then_field": "config.path", - "if_field": "config.limit_by", - "then_match": { - "required": true - }, - "if_match": { - "eq": "path" - } - } - }, - { - "conditional": { - "then_field": "config.redis_timeout", - "if_field": "config.policy", - "then_match": { - "required": true - }, - "if_match": { - "eq": "redis" - } - } - } - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "second": { + "gt": 0, "type": "number", - "description": "The number of HTTP requests that can be made per second.", - "gt": 0 + "description": "The number of HTTP requests that can be made per second." 
} }, { "minute": { + "gt": 0, "type": "number", - "description": "The number of HTTP requests that can be made per minute.", - "gt": 0 + "description": "The number of HTTP requests that can be made per minute." } }, { "hour": { + "gt": 0, "type": "number", - "description": "The number of HTTP requests that can be made per hour.", - "gt": 0 + "description": "The number of HTTP requests that can be made per hour." } }, { "day": { + "gt": 0, "type": "number", - "description": "The number of HTTP requests that can be made per day.", - "gt": 0 + "description": "The number of HTTP requests that can be made per day." } }, { "month": { + "gt": 0, "type": "number", - "description": "The number of HTTP requests that can be made per month.", - "gt": 0 + "description": "The number of HTTP requests that can be made per month." } }, { "year": { + "gt": 0, "type": "number", - "description": "The number of HTTP requests that can be made per year.", - "gt": 0 + "description": "The number of HTTP requests that can be made per year." } }, { "limit_by": { - "type": "string", "one_of": [ "consumer", "credential", @@ -159,8 +86,9 @@ "header", "path" ], - "description": "The entity that is used when aggregating the limits.", - "default": "consumer" + "type": "string", + "default": "consumer", + "description": "The entity that is used when aggregating the limits." } }, { 
@@ -184,23 +112,23 @@ }, { "policy": { - "type": "string", - "default": "local", - "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", "len_min": 0, "one_of": [ "local", "cluster", "redis" - ] + ], + "type": "string", + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits." } }, { "fault_tolerant": { - "type": "boolean", - "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", "required": true, - "default": true + "type": "boolean", + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors." } }, { 
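Review bot: `fault_tolerant` carries `"default": true`, and by its own description that means requests are proxied without any limit whenever the data store is unreachable, yet the text never says that this fail-open behaviour is the default. Where the limit is relied on as an abuse or brute-force control, operators need to know to set it to `false` or to alert on data store connection errors. I would append a sentence to the description along the lines of "Defaults to true (fail open); set to false if requests must not bypass the limit during a data store outage."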
@@ -211,44 +139,44 @@ }, { "redis_port": { - "type": "integer", - "default": 6379, "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 6379, + "type": "integer" } }, { "redis_password": { - "type": "string", - "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", "referenceable": true, - "len_min": 0 + "len_min": 0, + "type": "string", + "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server." } }, { "redis_username": { - "type": "string", "referenceable": true, + "type": "string", "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired." } }, { "redis_ssl": { - "type": "boolean", - "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server.", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server." } }, { "redis_ssl_verify": { - "type": "boolean", - "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies it server SSL certificate is validated. Note that you need to configure the lua_ssl_trusted_certificate to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies it server SSL certificate is validated. Note that you need to configure the lua_ssl_trusted_certificate to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure lua_ssl_verify_depth accordingly." } }, { 
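Review bot: The `redis_ssl_verify` description reads "specifies it server SSL certificate is validated", which should be "specifies whether the server SSL certificate is validated". Because `redis_ssl` and `redis_ssl_verify` both have `"default": false`, enabling TLS alone leaves the Redis server certificate unchecked. The description should say that verification is off by default and should be turned on together with `lua_ssl_trusted_certificate`. Separately, `redis_password` in this hunk is `referenceable` but carries no `"encrypted": true`, unlike `sentinel_password` in the earlier schema of this patch; that may be intentional for this plugin, but it is worth confirming.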
@@ -260,50 +188,122 @@ { "redis_timeout": { "type": "number", - "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server.", - "default": 2000 + "default": 2000, + "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server." } }, { "redis_database": { "type": "integer", - "description": "When using the `redis` policy, this property specifies the Redis database to use.", - "default": 0 + "default": 0, + "description": "When using the `redis` policy, this property specifies the Redis database to use." } }, { "hide_client_headers": { - "type": "boolean", - "description": "Optionally hide informative response headers.", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "Optionally hide informative response headers." } }, { "error_code": { - "type": "number", "gt": 0, - "description": "Set a custom error code to return when the rate limit is exceeded.", - "default": 429 + "type": "number", + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded." } }, { "error_message": { "type": "string", - "description": "Set a custom error message to return when the rate limit is exceeded.", - "default": "API rate limit exceeded" + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded." } }, { "sync_rate": { - "type": "number", - "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior.", "required": true, - "default": -1 + "type": "number", + "default": -1, + "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior." 
} } ], - "required": true + "type": "record" + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.second", + "config.minute", + "config.hour", + "config.day", + "config.month", + "config.year" + ] + }, + { + "conditional": { + "then_field": "config.redis_host", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.redis_port", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.header_name", + "if_field": "config.limit_by", + "then_match": { + "required": true + }, + "if_match": { + "eq": "header" + } + } + }, + { + "conditional": { + "then_field": "config.path", + "if_field": "config.limit_by", + "then_match": { + "required": true + }, + "if_match": { + "eq": "path" + } + } + }, + { + "conditional": { + "then_field": "config.redis_timeout", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } } } ] diff --git a/schemas/request-size-limiting/3.5.x.json b/schemas/request-size-limiting/3.5.x.json index 3f5e1714..7ca10101 100644 --- a/schemas/request-size-limiting/3.5.x.json +++ b/schemas/request-size-limiting/3.5.x.json 
@@ -1,73 +1,73 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "allowed_payload_size": { "type": "integer", - "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", - "default": 128 + "default": 128, + "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes)." } }, { "size_unit": { - "type": "string", - "default": "megabytes", - "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", "required": true, "one_of": [ "megabytes", "kilobytes", "bytes" - ] + ], + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", + "default": "megabytes", + "type": "string" } }, { "require_content_length": { - "type": "boolean", - "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body." 
} } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-termination/3.5.x.json b/schemas/request-termination/3.5.x.json index f75c9ac1..dbb1f8b9 100644 --- a/schemas/request-termination/3.5.x.json +++ b/schemas/request-termination/3.5.x.json @@ -1,52 +1,49 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "status_code": { - "type": "integer", - "default": 503, - "description": "The response code to send. Must be an integer between 100 and 599.", "required": true, "between": [ 100, 599 - ] + ], + "type": "integer", + "default": 503, + "description": "The response code to send. Must be an integer between 100 and 599." } }, { 
@@ -69,10 +66,10 @@ }, { "echo": { - "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", - "type": "boolean", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic." } }, { @@ -82,8 +79,11 @@ } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-transformer-advanced/3.5.x.json b/schemas/request-transformer-advanced/3.5.x.json index 760a9087..5e853d70 100644 --- a/schemas/request-transformer-advanced/3.5.x.json +++ b/schemas/request-transformer-advanced/3.5.x.json 
@@ -1,180 +1,177 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", + "required": true, "fields": [ { "http_method": { - "type": "string", "match": "^%u+$", + "type": "string", "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." } }, { "remove": { - "type": "record", + "required": true, "fields": [ { "body": { - "type": "array", "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "headers": { - "type": "array", "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "querystring": { - "type": "array", "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } } ], - "required": true + "type": "record" } }, { "rename": { - "type": "record", + "required": true, "fields": [ { "body": { - "type": "array", "elements": { "referenceable": true, "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "headers": { - "type": "array", "elements": { "referenceable": true, "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "querystring": { - "type": "array", "elements": { "referenceable": true, "type": "string" }, "default": [ - ] + ], + "type": "array" } } ], - "required": true + "type": "record" } }, { "replace": { - "type": "record", + "required": true, "fields": [ { "body": { - "type": "array", "elements": { "referenceable": true, "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "headers": { - "type": "array", "elements": { "referenceable": true, "type": "string" }, 
"default": [ - ] + ], + "type": "array" } }, { "querystring": { - "type": "array", "elements": { "referenceable": true, "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "json_types": { - "type": "array", "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] + ], + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { 
@@ -183,155 +180,158 @@ } } ], - "required": true + "type": "record" } }, { "add": { - "type": "record", + "required": true, "fields": [ { "body": { - "type": "array", "elements": { "referenceable": true, "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "headers": { - "type": "array", "elements": { "referenceable": true, "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "querystring": { - "type": "array", "elements": { "referenceable": true, "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "json_types": { - "type": "array", "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] + ], + "type": "string" }, "default": [ - ] + ], + "type": "array" } } ], - "required": true + "type": "record" } }, { "append": { - "type": "record", + "required": true, "fields": [ { "body": { - "type": "array", "elements": { "referenceable": true, "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "headers": { - "type": "array", "elements": { "referenceable": true, "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "querystring": { - "type": "array", "elements": { "referenceable": true, "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "json_types": { - "type": "array", "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] + ], + "type": "string" }, "default": [ - ] + ], + "type": "array" } } ], - "required": true + "type": "record" } }, { "allow": { - "type": "record", + "required": true, "fields": [ { "body": { - "type": "set", "elements": { "type": "string" - } + }, + "type": "set" } } ], - "required": true + "type": "record" } }, { "dots_in_keys": { - "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. 
See [Arrays and nested objects](#arrays-and-nested-objects).", "type": "boolean", - "default": true + "default": true, + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects)." } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-transformer/3.5.x.json b/schemas/request-transformer/3.5.x.json index 06cf9d7b..eb5a135a 100644 --- a/schemas/request-transformer/3.5.x.json +++ b/schemas/request-transformer/3.5.x.json @@ -1,13 +1,9 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,157 +16,158 @@ "ws", "wss" ], + "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", - "required": true + "description": "A set of strings representing protocols." } }, { "config": { - "type": "record", + "required": true, "fields": [ { "http_method": { - "type": "string", "match": "^%u+$", + "type": "string", "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." } }, { "remove": { - "type": "record", + "required": true, "fields": [ { "body": { - "type": "array", "required": true, "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "headers": { - "type": "array", "required": true, "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "querystring": { - "type": "array", "required": true, "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } } ], - "required": true + "type": "record" } }, { "rename": { - "type": "record", + "required": true, "fields": [ { "body": { - "type": "array", "required": true, "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "headers": { - "type": "array", "required": true, "elements": { - "match": "^[^:]+:.*$", - "type": "string" + "type": "string", + "match": "^[^:]+:.*$" }, "default": [ - ] + ], + "type": "array" } }, { "querystring": { - "type": "array", "required": true, "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } } ], - "required": true + "type": "record" } }, { "replace": { - "type": "record", + "required": true, "fields": [ { "body": { - "type": "array", "required": true, "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "headers": { - "type": "array", "required": true, "elements": { - "match": "^[^:]+:.*$", - 
"type": "string" + "type": "string", + "match": "^[^:]+:.*$" }, "default": [ - ] + ], + "type": "array" } }, { "querystring": { - "type": "array", "required": true, "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { @@ -179,102 +176,105 @@ } } ], - "required": true + "type": "record" } }, { "add": { - "type": "record", + "required": true, "fields": [ { "body": { - "type": "array", "required": true, "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "headers": { - "type": "array", "required": true, "elements": { - "match": "^[^:]+:.*$", - "type": "string" + "type": "string", + "match": "^[^:]+:.*$" }, "default": [ - ] + ], + "type": "array" } }, { "querystring": { - "type": "array", "required": true, "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } } ], - "required": true + "type": "record" } }, { "append": { - "type": "record", + "required": true, "fields": [ { "body": { - "type": "array", "required": true, "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "headers": { - "type": "array", "required": true, "elements": { - "match": "^[^:]+:.*$", - "type": "string" + "type": "string", + "match": "^[^:]+:.*$" }, "default": [ - ] + ], + "type": "array" } }, { "querystring": { - "type": "array", "required": true, "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } } ], - "required": true + "type": "record" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-validator/3.5.x.json b/schemas/request-validator/3.5.x.json index c534a1cf..3b67930a 100644 --- a/schemas/request-validator/3.5.x.json +++ b/schemas/request-validator/3.5.x.json 
@@ -1,122 +1,107 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", - "entity_checks": [ - { - "at_least_one_of": [ - "body_schema", - "parameter_schema" - ] - } - ], "required": true, + "type": "record", "fields": [ { "body_schema": { - "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.", "required": false, - "type": "string" + "type": "string", + "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified." } }, { "allowed_content_types": { - "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", - "type": "set", "elements": { - "type": "string", - "required": true + "required": true, + "type": "string" }, + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", "default": [ "application/json" - ] + ], + "type": "set" } }, { "version": { + "required": true, "one_of": [ "kong", "draft4" ], - "default": "kong", "description": "Which validator to use. 
Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", - "required": true, + "default": "kong", "type": "string" } }, { "parameter_schema": { - "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", + "required": false, "type": "array", "elements": { "type": "record", "fields": [ { "in": { - "type": "string", "required": true, + "type": "string", "one_of": [ "query", "header", "path" - ] + ], + "description": "The location of the parameter." } }, { "name": { + "required": true, "type": "string", - "required": true + "description": "The name of the parameter. Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`." } }, { "required": { + "required": true, "type": "boolean", - "required": true + "description": "Determines whether this parameter is mandatory." } }, { "style": { - "type": "string", "one_of": [ "label", "form", 
@@ -125,16 +110,20 @@ "spaceDelimited", "pipeDelimited", "deepObject" - ] + ], + "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", + "type": "string" } }, { "explode": { + "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect.", "type": "boolean" } }, { "schema": { + "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating.", "type": "string" } } @@ -157,17 +146,34 @@ } ] }, - "required": false + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified." } }, { "verbose_response": { - "description": "If enabled, the plugin returns more verbose and detailed validation errors.", - "type": "boolean", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "If enabled, the plugin returns more verbose and detailed validation errors." } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "body_schema", + "parameter_schema" + ] + } + ] + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" ] } } diff --git a/schemas/response-ratelimiting/3.5.x.json b/schemas/response-ratelimiting/3.5.x.json index 6d8eb3a8..5a6f3685 100644 --- a/schemas/response-ratelimiting/3.5.x.json +++ b/schemas/response-ratelimiting/3.5.x.json 
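Review bot: The added `schema` description in the `@@ -125,16 +110,20 @@` hunk begins with `Requred`, which should be `Required`. The same description's "It is validated using `draft4` for JSON Schema draft 4 compliant validator" is hard to parse; "It is validated with the `draft4` (JSON Schema Draft 4 compliant) validator" says the same thing more clearly. If these descriptions are pulled from the gateway's own schema, the wording needs fixing there too, otherwise the next sync restores the typo.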
@@ -1,114 +1,76 @@ { - "entity_checks": [ - { - "conditional": { - "then_field": "config.redis_host", - "if_field": "config.policy", - "then_match": { - "required": true - }, - "if_match": { - "eq": "redis" - } - } - }, - { - "conditional": { - "then_field": "config.redis_port", - "if_field": "config.policy", - "then_match": { - "required": true - }, - "if_match": { - "eq": "redis" - } - } - }, - { - "conditional": { - "then_field": "config.redis_timeout", - "if_field": "config.policy", - "then_match": { - "required": true - }, - "if_match": { - "eq": "redis" - } - } - } - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "header_name": { "type": "string", - "description": "The name of the response header used to increment the counters.", - "default": "x-kong-limit" + "default": "x-kong-limit", + "description": "The name of the response header used to increment the counters." } }, { "limit_by": { - "type": "string", "one_of": [ "consumer", "credential", "ip" ], - "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. 
If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", - "default": "consumer" + "type": "string", + "default": "consumer", + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`." } }, { "policy": { - "type": "string", "one_of": [ "local", "cluster", "redis" ], - "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", - "default": "local" + "type": "string", + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits." } }, { "fault_tolerant": { - "type": "boolean", - "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", "required": true, - "default": true + "type": "boolean", + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors." } }, { 
@@ -120,43 +82,43 @@ { "redis_port": { "description": "When using the `redis` policy, this property specifies the port of the Redis server.", - "default": 6379, - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "type": "integer" } }, { "redis_password": { - "type": "string", - "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", "referenceable": true, - "len_min": 0 + "len_min": 0, + "type": "string", + "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server." } }, { "redis_username": { - "type": "string", "referenceable": true, + "type": "string", "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.\nThis requires Redis v6.0.0+. The username **cannot** be set to `default`." } }, { "redis_ssl": { - "type": "boolean", - "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server.", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server." } }, { "redis_ssl_verify": { - "type": "boolean", - "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies if the server SSL certificate is validated. Note that you need to configure the `lua_ssl_trusted_certificate` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies if the server SSL certificate is validated. 
Note that you need to configure the `lua_ssl_trusted_certificate` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." } }, { 
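Review bot: `redis_password` in this hunk is marked `referenceable` but has no `"encrypted": true`, unlike the key and secret fields of the saml schema later in this patch, so the schema gives no sign that the Redis password is encrypted at rest unless a vault reference is used. `redis_ssl` and `redis_ssl_verify` both default to `false`, so with the defaults the password travels over an unencrypted connection, and enabling `redis_ssl` alone still leaves the server certificate unchecked. I would add `"encrypted": true` to `redis_password` in the plugin's schema source and end the `redis_ssl_verify` description with a sentence such as "When `false`, the connection is encrypted but the Redis server is not authenticated." The file is pulled from the API, so both changes belong upstream.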
@@ -168,50 +130,44 @@ { "redis_timeout": { "type": "number", - "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server.", - "default": 2000 + "default": 2000, + "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server." } }, { "redis_database": { "type": "number", - "description": "When using the `redis` policy, this property specifies Redis database to use.", - "default": 0 + "default": 0, + "description": "When using the `redis` policy, this property specifies Redis database to use." } }, { "block_on_first_violation": { - "type": "boolean", - "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too." } }, { "hide_client_headers": { - "type": "boolean", - "description": "Optionally hide informative response headers.", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "Optionally hide informative response headers." } }, { "limits": { - "type": "map", + "required": true, + "keys": { + "type": "string" + }, + "len_min": 1, + "description": "A map that defines rate limits for the plugin.", "values": { + "required": true, "type": "record", - "entity_checks": [ - { - "at_least_one_of": [ - "second", - "minute", - "hour", - "day", - "month", - "year" - ] - } - ], "fields": [ { "second": { 
@@ -250,18 +206,62 @@ } } ], - "required": true + "entity_checks": [ + { + "at_least_one_of": [ + "second", + "minute", + "hour", + "day", + "month", + "year" + ] + } + ] }, - "len_min": 1, - "description": "A map that defines rate limits for the plugin.", - "required": true, - "keys": { - "type": "string" - } + "type": "map" } } ], - "required": true + "type": "record" + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "config.redis_host", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.redis_port", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.redis_timeout", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } } } ] diff --git a/schemas/response-transformer-advanced/3.5.x.json b/schemas/response-transformer-advanced/3.5.x.json index 13b434be..ece29738 100644 --- a/schemas/response-transformer-advanced/3.5.x.json +++ b/schemas/response-transformer-advanced/3.5.x.json 
@@ -1,109 +1,106 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", + "required": true, "fields": [ { "remove": { - "type": "record", + "required": true, "fields": [ { "json": { - "type": "array", "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "headers": { - "type": "array", "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "if_status": { - "type": "array", "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } } ], - "required": true + "type": "record" } }, { "rename": { - "type": "record", + "required": true, "fields": [ { "headers": { - "type": "array", "elements": { "type": "string", "match": "^[^:]+:.*$" }, "default": [ - ] + ], + "type": "array" } }, { "if_status": { - "type": "array", "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } } ], - "required": true + "type": "record" } }, { "replace": { - "type": "record", + "required": true, "fields": [ { "body": { 
@@ -113,238 +110,241 @@ }, { "json": { - "type": "array", "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "json_types": { - "type": "array", "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] + ], + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "headers": { - "type": "array", "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "if_status": { - "type": "array", "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } } ], - "required": true + "type": "record" } }, { "add": { - "type": "record", + "required": true, "fields": [ { "json": { - "type": "array", "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "json_types": { - "type": "array", "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] + ], + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "headers": { - "type": "array", "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "if_status": { - "type": "array", "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } } ], - "required": true + "type": "record" } }, { "append": { - "type": "record", + "required": true, "fields": [ { "json": { - "type": "array", "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "json_types": { - "type": "array", "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] + ], + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "headers": { - "type": "array", "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "if_status": { - "type": "array", "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } } ], - "required": true + "type": "record" } }, { "allow": { - "type": "record", + "required": true, "fields": [ { "json": { - "type": "set", "elements": { "type": "string" - 
} + }, + "type": "set" } } ], - "required": true + "type": "record" } }, { "transform": { - "type": "record", + "required": true, "fields": [ { "functions": { - "type": "array", "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "if_status": { - "type": "array", "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "json": { - "type": "array", "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } } ], - "required": true + "type": "record" } }, { "dots_in_keys": { "type": "boolean", - "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", - "default": true + "default": true, + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects.." } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/response-transformer/3.5.x.json b/schemas/response-transformer/3.5.x.json index fb252b1c..e6f5d866 100644 --- a/schemas/response-transformer/3.5.x.json +++ b/schemas/response-transformer/3.5.x.json 
@@ -1,246 +1,246 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", + "required": true, "fields": [ { "remove": { - "type": "record", + "required": true, "fields": [ { "json": { - "type": "array", "required": true, "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "headers": { - "type": "array", "required": true, "elements": { "type": "string" }, "default": [ - ] + ], + "type": "array" } } ], - "required": true + "type": "record" } }, { "rename": { - "type": "record", + "required": true, "fields": [ { "headers": { - "type": "array", "required": true, "elements": { - "match": "^[^:]+:.*$", - "type": "string" + "type": "string", + "match": "^[^:]+:.*$" }, "default": [ - ] + ], + "type": "array" } } ], - "required": true + "type": "record" } }, { "replace": { - "type": "record", + "required": true, "fields": [ { "json": { - "type": "array", "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "json_types": { - "type": "array", + "required": true, "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] + ], + "type": "string" }, + "type": "array", "default": [ ], - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", - "required": true + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. 
Each string element can be one of: boolean, number, or string." } }, { "headers": { - "type": "array", "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, "default": [ - ] + ], + "type": "array" } } ], - "required": true + "type": "record" } }, { "add": { - "type": "record", + "required": true, "fields": [ { "json": { - "type": "array", "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "json_types": { - "type": "array", + "required": true, "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] + ], + "type": "string" }, + "type": "array", "default": [ ], - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", - "required": true + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." } }, { "headers": { - "type": "array", "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, "default": [ - ] + ], + "type": "array" } } ], - "required": true + "type": "record" } }, { "append": { - "type": "record", + "required": true, "fields": [ { "json": { - "type": "array", "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, "default": [ - ] + ], + "type": "array" } }, { "json_types": { - "type": "array", + "required": true, "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] + ], + "type": "string" }, + "type": "array", "default": [ ], - "description": "List of JSON type names. 
Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", - "required": true + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." } }, { "headers": { - "type": "array", "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, "default": [ - ] + ], + "type": "array" } } ], - "required": true + "type": "record" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/route-by-header/3.5.x.json b/schemas/route-by-header/3.5.x.json index 4fed4c84..21b57ddf 100644 --- a/schemas/route-by-header/3.5.x.json +++ b/schemas/route-by-header/3.5.x.json @@ -1,48 +1,42 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "rules": { - "description": "Route by header rules.", - "type": "array", "elements": { - "type": "record", "fields": [ { "upstream_name": { 
@@ -52,27 +46,33 @@ }, { "condition": { - "type": "map", - "values": { + "required": true, + "keys": { "type": "string" }, - "keys": { + "len_min": 1, + "values": { "type": "string" }, - "required": true, - "len_min": 1 + "type": "map" } } - ] + ], + "type": "record" }, + "description": "Route by header rules.", "default": [ - ] + ], + "type": "array" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/route-transformer-advanced/3.5.x.json b/schemas/route-transformer-advanced/3.5.x.json index b5a08f6f..ee2b7522 100644 --- a/schemas/route-transformer-advanced/3.5.x.json +++ b/schemas/route-transformer-advanced/3.5.x.json @@ -1,51 +1,39 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", - "entity_checks": [ - { - "at_least_one_of": [ - "path", - "port", - "host" - ] - } - ], "required": true, + "type": "record", "fields": [ { "path": { @@ -64,12 +52,24 @@ }, { "escape_path": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "path", + "port", + "host" + ] + } ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/saml/3.5.x.json b/schemas/saml/3.5.x.json index e86caf5d..a36027a7 100644 --- a/schemas/saml/3.5.x.json 
+++ b/schemas/saml/3.5.x.json 
@@ -1,405 +1,328 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", - "shorthand_fields": [ - { - "session_cookie_lifetime": { - "type": "number" - } - }, - { - "session_cookie_idletime": { - "type": "number" - } - }, - { - "session_cookie_samesite": { - "type": "string" - } - }, - { - "session_cookie_httponly": { - "type": "boolean" - } - }, - { - "session_memcache_prefix": { - "type": "string" - } - }, - { - "session_memcache_socket": { - "type": "string" - } - }, - { - "session_memcache_host": { - "type": "string" - } - }, - { - "session_memcache_port": { - "type": "integer" - } - }, - { - "session_redis_cluster_maxredirections": { - "type": "integer" - } - }, - { - "session_cookie_renew": { - "type": "number" - } - }, - { - "session_cookie_maxsize": { - "type": "integer" - } - }, - { - "session_strategy": { - "type": "string" - } - }, - { - "session_compressor": { - "type": "string" - } - }, - { - "session_auth_ttl": { - "type": "number" - } - } - ], + "required": true, "fields": [ { "assertion_consumer_path": { - "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "required": true, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "required": true, - "starts_with": "/" + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" } }, { "idp_sso_url": { - "type": "string", "required": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "idp_certificate": { - "type": "string", + "required": false, "referenceable": true, "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", "encrypted": true, - "required": false + "type": "string" } }, { "response_encryption_key": { - "type": "string", + "required": false, "referenceable": true, "description": "The private encryption key required to decrypt encrypted assertions.", "encrypted": true, - "required": false + "type": "string" } }, { "request_signing_key": { - "type": "string", + "required": false, "referenceable": true, "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. 
The `request_signing_certificate` parameter must be set as well.", "encrypted": true, - "required": false + "type": "string" } }, { "request_signing_certificate": { - "type": "string", + "required": false, "referenceable": true, "description": "The certificate for signing requests.", "encrypted": true, - "required": false + "type": "string" } }, { "request_signature_algorithm": { - "type": "string", - "default": "SHA256", - "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`", "required": false, "one_of": [ "SHA256", "SHA384", "SHA512" - ] + ], + "type": "string", + "default": "SHA256", + "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`" } }, { "request_digest_algorithm": { - "type": "string", - "default": "SHA256", - "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", "required": false, "one_of": [ "SHA256", "SHA1" - ] + ], + "type": "string", + "default": "SHA256", + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`" } }, { "response_signature_algorithm": { - "type": "string", - "default": "SHA256", - "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", "required": false, "one_of": [ "SHA256", "SHA384", "SHA512" - ] + ], + "type": "string", + "default": "SHA256", + "description": "The algorithm for validating signatures in SAML responses. 
Options available are: - `SHA256` - `SHA384` - `SHA512`" } }, { "response_digest_algorithm": { - "type": "string", - "default": "SHA256", - "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", "required": false, "one_of": [ "SHA256", "SHA1" - ] + ], + "type": "string", + "default": "SHA256", + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`" } }, { "issuer": { - "type": "string", "required": true, + "type": "string", "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP." } }, { "nameid_format": { - "type": "string", - "default": "EmailAddress", - "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", "required": false, "one_of": [ "Unspecified", "EmailAddress", "Persistent", "Transient" - ] + ], + "type": "string", + "default": "EmailAddress", + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`" } }, { "validate_assertion_signature": { - "type": "boolean", - "description": "Enable signature validation for SAML responses.", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Enable signature validation for SAML responses." } }, { "anonymous": { - "type": "string", "required": false, - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. 
If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", + "type": "string" } }, { "session_secret": { + "required": true, + "type": "string", + "encrypted": true, + "len_min": 32, + "referenceable": true, "match": "^[0-9a-zA-Z/_+]+$", "len_max": 32, - "referenceable": true, - "len_min": 32, - "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", - "encrypted": true, - "required": true, - "type": "string" + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange." 
} }, { "session_audience": { - "type": "string", - "description": "The session audience, for example \"my-application\"", "required": false, - "default": "default" + "description": "The session audience, for example \"my-application\"", + "default": "default", + "type": "string" } }, { "session_cookie_name": { - "type": "string", - "description": "The session cookie name.", "required": false, - "default": "session" + "description": "The session cookie name.", + "default": "session", + "type": "string" } }, { "session_remember": { - "type": "boolean", - "description": "Enables or disables persistent sessions", "required": false, - "default": false + "description": "Enables or disables persistent sessions", + "default": false, + "type": "boolean" } }, { "session_remember_cookie_name": { - "type": "string", - "description": "Persistent session cookie name", "required": false, - "default": "remember" + "description": "Persistent session cookie name", + "default": "remember", + "type": "string" } }, { "session_remember_rolling_timeout": { - "type": "number", - "description": "Persistent session rolling timeout in seconds.", "required": false, - "default": 604800 + "description": "Persistent session rolling timeout in seconds.", + "default": 604800, + "type": "number" } }, { "session_remember_absolute_timeout": { - "type": "number", - "description": "Persistent session absolute timeout in seconds.", "required": false, - "default": 2592000 + "description": "Persistent session absolute timeout in seconds.", + "default": 2592000, + "type": "number" } }, { "session_idling_timeout": { - "type": "number", - "description": "The session cookie idle time in seconds.", "required": false, - "default": 900 + "description": "The session cookie idle time in seconds.", + "default": 900, + "type": "number" } }, { "session_rolling_timeout": { - "type": "number", - "description": "The session cookie absolute timeout in seconds. 
Specifies how long the session can be used until it is no longer valid.", "required": false, - "default": 3600 + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "default": 3600, + "type": "number" } }, { "session_absolute_timeout": { - "type": "number", - "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", "required": false, - "default": 86400 + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "default": 86400, + "type": "number" } }, { "session_cookie_path": { - "type": "string", - "default": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "required": false, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "required": false, - "starts_with": "/" + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "default": "/", + "type": "string" } }, { "session_cookie_domain": { - "type": "string", "required": false, - "description": "The session cookie domain flag." 
+ "description": "The session cookie domain flag.", + "type": "string" } }, { "session_cookie_same_site": { - "type": "string", - "default": "Lax", - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "required": false, "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "default": "Lax", + "type": "string" } }, { "session_cookie_http_only": { - "type": "boolean", - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "required": false, - "default": true + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true, + "type": "boolean" } }, { "session_cookie_secure": { - "type": "boolean", "required": false, - "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" } }, { "session_request_headers": { - "type": "set", "elements": { - "type": "string", "one_of": [ "id", "audience", @@ -408,15 +331,15 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ] - } + ], + "type": "string" + }, + "type": "set" } }, { "session_response_headers": { - "type": "set", "elements": { - "type": "string", "one_of": [ "id", "audience", 
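Review bot: The `session_rolling_timeout` description on the new side is the same sentence as the one on `session_absolute_timeout` ("The session cookie absolute timeout in seconds…"), so the 3600 and 86400 defaults read as two settings for the same limit. For the rolling timeout it should say something like `The session cookie rolling timeout in seconds. Specifies how long the session can be used until it needs to be renewed.` In the same hunk `request_digest_algorithm` and `response_digest_algorithm` still list `SHA1` under `one_of` with no caveat in the description, and `session_cookie_secure` has no `default` while `session_cookie_http_only` defaults to `true`. The descriptions should say that `SHA256` is the value to use, with `SHA1` presumably kept only for older IdPs, and what the plugin does when `session_cookie_secure` is left unset. These are wording fixes for the upstream schema, since this file is downloaded.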
@@ -425,226 +348,303 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ] - } + ], + "type": "string" + }, + "type": "set" } }, { "session_storage": { - "type": "string", - "default": "cookie", - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", "required": false, "one_of": [ "cookie", "memcache", "memcached", "redis" - ] + ], + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", + "default": "cookie", + "type": "string" } }, { "session_store_metadata": { - "type": "boolean", - "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", "required": false, - "default": false + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", + "default": false, + "type": "boolean" } }, { "session_enforce_same_subject": { - "type": "boolean", - "description": "When set to `true`, audiences are forced to share the same subject.", "required": false, - "default": false + "description": "When set to `true`, audiences are forced to share the same subject.", + "default": false, + "type": "boolean" } }, { "session_hash_subject": { - "type": "boolean", - "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", "required": false, - "default": false + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "default": false, + "type": "boolean" } }, { "session_hash_storage_key": { - "type": "boolean", - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "required": false, - "default": false + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "default": false, + "type": "boolean" } }, { "session_memcached_prefix": { - "type": "string", "required": false, - "description": "The memcached session key prefix." + "description": "The memcached session key prefix.", + "type": "string" } }, { "session_memcached_socket": { - "type": "string", "required": false, - "description": "The memcached unix socket path." + "description": "The memcached unix socket path.", + "type": "string" } }, { "session_memcached_host": { - "type": "string", - "description": "The memcached host.", "required": false, - "default": "127.0.0.1" + "description": "The memcached host.", + "default": "127.0.0.1", + "type": "string" } }, { "session_memcached_port": { - "type": "integer", - "default": 11211, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": false, "between": [ 0, 65535 - ] + ], + "type": "integer", + "default": 11211, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "session_redis_prefix": { - "type": "string", "required": false, - "description": "The Redis session key prefix." 
+ "description": "The Redis session key prefix.", + "type": "string" } }, { "session_redis_socket": { - "type": "string", "required": false, - "description": "The Redis unix socket path." + "description": "The Redis unix socket path.", + "type": "string" } }, { "session_redis_host": { - "type": "string", - "description": "The Redis host IP.", "required": false, - "default": "127.0.0.1" + "description": "The Redis host IP.", + "default": "127.0.0.1", + "type": "string" } }, { "session_redis_port": { - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": false, "between": [ 0, 65535 - ] + ], + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "session_redis_username": { - "type": "string", - "required": false, "referenceable": true, - "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." + "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "required": false, + "type": "string" } }, { "session_redis_password": { - "type": "string", + "required": false, "referenceable": true, - "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. This value is pulled from", + "type": "string", "encrypted": true, - "required": false + "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. 
This value is pulled from" } }, { "session_redis_connect_timeout": { - "type": "integer", "required": false, - "description": "The Redis connection timeout in milliseconds." + "description": "The Redis connection timeout in milliseconds.", + "type": "integer" } }, { "session_redis_read_timeout": { - "type": "integer", "required": false, - "description": "The Redis read timeout in milliseconds." + "description": "The Redis read timeout in milliseconds.", + "type": "integer" } }, { "session_redis_send_timeout": { - "type": "integer", "required": false, - "description": "The Redis send timeout in milliseconds." + "description": "The Redis send timeout in milliseconds.", + "type": "integer" } }, { "session_redis_ssl": { - "type": "boolean", - "description": "Use SSL/TLS for the Redis connection.", "required": false, - "default": false + "description": "Use SSL/TLS for the Redis connection.", + "default": false, + "type": "boolean" } }, { "session_redis_ssl_verify": { - "type": "boolean", - "description": "Verify the Redis server certificate.", "required": false, - "default": false + "description": "Verify the Redis server certificate.", + "default": false, + "type": "boolean" } }, { "session_redis_server_name": { - "type": "string", "required": false, - "description": "The SNI used for connecting to the Redis server." + "description": "The SNI used for connecting to the Redis server.", + "type": "string" } }, { "session_redis_cluster_nodes": { - "type": "array", + "required": false, "description": "The Redis cluster node host. 
Takes an array of host records, with either `ip` or `host`, and `port` values.", "elements": { - "type": "record", "fields": [ { "ip": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "required": true, - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "type": "string" } }, { "port": { - "type": "integer", - "default": 6379, "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 6379, + "type": "integer" } } - ] + ], + "type": "record" }, - "required": false + "type": "array" } }, { "session_redis_cluster_max_redirections": { - "type": "integer", "required": false, - "description": "The Redis cluster maximum redirects." + "description": "The Redis cluster maximum redirects.", + "type": "integer" } } ], - "required": true + "shorthand_fields": [ + { + "session_cookie_lifetime": { + "type": "number" + } + }, + { + "session_cookie_idletime": { + "type": "number" + } + }, + { + "session_cookie_samesite": { + "type": "string" + } + }, + { + "session_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "type": "string" + } + }, + { + "session_memcache_socket": { + "type": "string" + } + }, + { + "session_memcache_host": { + "type": "string" + } + }, + { + "session_memcache_port": { + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer" + } + }, + { + "session_cookie_renew": { + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "type": "integer" + } + }, + { + "session_strategy": { + "type": "string" + } + }, + { + "session_compressor": { + "type": "string" + } + }, + { + "session_auth_ttl": { + "type": "number" + } + } + ], + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
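Review bot: The `session_redis_password` description on the new side of this hunk still ends mid-sentence at "This value is pulled from", so the published reference never says where the value comes from. Because the file is downloaded from the API, the fix belongs in the upstream schema; a post-download check that flags descriptions without terminal punctuation would catch this. In the same hunk `session_redis_ssl_verify` is documented only as "Verify the Redis server certificate." with `"default": false`. It would help readers if that description said that enabling `session_redis_ssl` alone does not authenticate the Redis server. The enclosing `config` record starts before this hunk.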
diff --git a/schemas/session/3.5.x.json b/schemas/session/3.5.x.json index c84b0373..c824425b 100644 --- a/schemas/session/3.5.x.json +++ b/schemas/session/3.5.x.json @@ -1,21 +1,17 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -28,135 +24,99 @@ "ws", "wss" ], + "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", - "required": true + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", - "shorthand_fields": [ - { - "cookie_lifetime": { - "type": "number" - } - }, - { - "cookie_idletime": { - "type": "number" - } - }, - { - "cookie_renew": { - "type": "number" - } - }, - { - "cookie_discard": { - "type": "number" - } - }, - { - "cookie_samesite": { - "type": "string" - } - }, - { - "cookie_httponly": { - "type": "boolean" - } - }, - { - "cookie_persistent": { - "type": "boolean" - } - } - ], + "required": true, "fields": [ { "secret": { + "encrypted": true, "type": "string", "referenceable": true, - "default": "y2WYXAByQsppS8mnZWcIUT2Pw7tdHxhR8RtclOijz80l", - "description": "The secret that is used in keyed HMAC generation.", - "encrypted": true, - "required": false + "required": false, + "default": "chdSaZ1O6qQwIlAI6XYMYWNzIhhNIEqQ10HrRVIvyTAf", + "description": "The secret that is used in keyed HMAC generation." } }, { "storage": { - "type": "string", "one_of": [ "cookie", "kong" ], - "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", - "default": "cookie" + "type": "string", + "default": "cookie", + "description": "Determines where the session data is stored. 
`kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself." } }, { "audience": { - "type": "string", "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", - "default": "default" + "default": "default", + "type": "string" } }, { "idling_timeout": { - "type": "number", "description": "The session cookie idle time, in seconds.", - "default": 900 + "default": 900, + "type": "number" } }, { "rolling_timeout": { - "type": "number", "description": "The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed.", - "default": 3600 + "default": 3600, + "type": "number" } }, { "absolute_timeout": { - "type": "number", "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", - "default": 86400 + "default": 86400, + "type": "number" } }, { "stale_ttl": { - "type": "number", "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", - "default": 10 + "default": 10, + "type": "number" } }, { "cookie_name": { - "type": "string", "description": "The name of the cookie.", - "default": "session" + "default": "session", + "type": "string" } }, { "cookie_path": { - "type": "string", "description": "The resource in the host where the cookie is available.", - "default": "/" + "default": "/", + "type": "string" } }, { 
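Review bot: The new `default` for `config.secret` in this hunk is a concrete key string, and it differs from the value on the removed line. That suggests the API returns a freshly generated value on each dump rather than a stable default. Published as the documented default, it can be mistaken for a usable value and copied into a configuration, where it would be a publicly known key for the HMAC the description mentions. I would strip it after download, for example by dropping `default` on fields marked `"encrypted": true`, and let the description say that a secret is generated when none is set (to be confirmed against the plugin). That also stops this line from changing on every regeneration. The `config` record continues past the end of this hunk.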
@@ -167,64 +127,62 @@ }, { "cookie_same_site": { - "type": "string", "one_of": [ "Strict", "Lax", "None", "Default" ], - "description": "Determines whether and how a cookie may be sent with cross-site requests.", - "default": "Strict" + "type": "string", + "default": "Strict", + "description": "Determines whether and how a cookie may be sent with cross-site requests." } }, { "cookie_http_only": { - "type": "boolean", "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", - "default": true + "default": true, + "type": "boolean" } }, { "cookie_secure": { - "type": "boolean", "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", - "default": true + "default": true, + "type": "boolean" } }, { "remember": { - "type": "boolean", "description": "Enables or disables persistent sessions.", - "default": false + "default": false, + "type": "boolean" } }, { "remember_cookie_name": { - "type": "string", "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", - "default": "remember" + "default": "remember", + "type": "string" } }, { "remember_rolling_timeout": { - "type": "number", "description": "The persistent session rolling timeout window, in seconds.", - "default": 604800 + "default": 604800, + "type": "number" } }, { "remember_absolute_timeout": { - "type": "number", "description": "The persistent session absolute timeout limit, in seconds.", - "default": 2592000 + "default": 2592000, + "type": "number" } }, { "response_headers": { - "type": "set", "elements": { - "type": "string", "one_of": [ "id", "audience", 
@@ -233,16 +191,16 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ] + ], + "type": "string" }, - "description": "List of information to include, as headers, in the response to the downstream." + "description": "List of information to include, as headers, in the response to the downstream.", + "type": "set" } }, { "request_headers": { - "type": "set", "elements": { - "type": "string", "one_of": [ "id", "audience", 
@@ -251,46 +209,88 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ] + ], + "type": "string" }, - "description": "List of information to include, as headers, in the response to the downstream." + "description": "List of information to include, as headers, in the response to the downstream.", + "type": "set" } }, { "logout_methods": { - "type": "set", - "description": "A set of HTTP methods that the plugin will respond to.", "elements": { - "type": "string", "one_of": [ "GET", "POST", "DELETE" - ] + ], + "type": "string" }, + "description": "A set of HTTP methods that the plugin will respond to.", "default": [ "POST", "DELETE" - ] + ], + "type": "set" } }, { "logout_query_arg": { - "type": "string", "description": "The query argument passed to logout requests.", - "default": "session_logout" + "default": "session_logout", + "type": "string" } }, { "logout_post_arg": { - "type": "string", "description": "The POST argument passed to logout requests. Do not change this property.", - "default": "session_logout" + "default": "session_logout", + "type": "string" } } ], - "required": true + "shorthand_fields": [ + { + "cookie_lifetime": { + "type": "number" + } + }, + { + "cookie_idletime": { + "type": "number" + } + }, + { + "cookie_renew": { + "type": "number" + } + }, + { + "cookie_discard": { + "type": "number" + } + }, + { + "cookie_samesite": { + "type": "string" + } + }, + { + "cookie_httponly": { + "type": "boolean" + } + }, + { + "cookie_persistent": { + "type": "boolean" + } + } + ], + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/statsd-advanced/3.5.x.json b/schemas/statsd-advanced/3.5.x.json index b9383437..b8f76759 100644 --- a/schemas/statsd-advanced/3.5.x.json +++ b/schemas/statsd-advanced/3.5.x.json @@ -1,13 +1,9 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,65 +16,63 @@ "ws", "wss" ], + "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", - "required": true + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "host": { - "type": "string", "description": "A string representing a host name, such as example.com.", - "default": "localhost" + "default": "localhost", + "type": "string" } }, { "port": { - "type": "integer", - "default": 8125, "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 8125, + "type": "integer" } }, { "prefix": { - "description": "String to prefix to each metric's name.", "type": "string", - "default": "kong" + "default": "kong", + "description": "String to prefix to each metric's name." } }, { "metrics": { - "description": "List of Metrics to be logged.", - "type": "array", "elements": { "type": "record", "fields": [ { "name": { - "type": "string", "required": true, "one_of": [ "kong_latency", @@ -96,12 +90,12 @@ "shdict_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" - ] + ], + "type": "string" } }, { "stat_type": { - "type": "string", "required": true, "one_of": [ "counter", @@ -110,7 +104,8 @@ "meter", "set", "timer" - ] + ], + "type": "string" } }, { 
@@ -121,32 +116,32 @@ }, { "consumer_identifier": { - "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ] + ], + "type": "string" } }, { "service_identifier": { - "type": "string", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ] + ], + "type": "string" } }, { "workspace_identifier": { - "type": "string", "one_of": [ "workspace_id", "workspace_name" - ] + ], + "type": "string" } } ], 
@@ -217,162 +212,164 @@ } ] }, + "description": "List of Metrics to be logged.", "default": [ { - "sample_rate": 1, "name": "request_count", + "sample_rate": 1, "stat_type": "counter" }, { - "stat_type": "timer", - "name": "latency" + "name": "latency", + "stat_type": "timer" }, { - "stat_type": "timer", - "name": "request_size" + "name": "request_size", + "stat_type": "timer" }, { - "sample_rate": 1, "name": "status_count", + "sample_rate": 1, "stat_type": "counter" }, { - "stat_type": "timer", - "name": "response_size" + "name": "response_size", + "stat_type": "timer" }, { - "stat_type": "set", - "name": "unique_users" + "name": "unique_users", + "stat_type": "set" }, { - "sample_rate": 1, "name": "request_per_user", + "sample_rate": 1, "stat_type": "counter" }, { - "stat_type": "timer", - "name": "upstream_latency" + "name": "upstream_latency", + "stat_type": "timer" }, { - "stat_type": "timer", - "name": "kong_latency" + "name": "kong_latency", + "stat_type": "timer" }, { - "sample_rate": 1, "name": "status_count_per_user", + "sample_rate": 1, "stat_type": "counter" }, { - "sample_rate": 1, "name": "status_count_per_workspace", + "sample_rate": 1, "stat_type": "counter" }, { - "sample_rate": 1, "name": "status_count_per_user_per_route", + "sample_rate": 1, "stat_type": "counter" }, { - "sample_rate": 1, "name": "shdict_usage", + "sample_rate": 1, "stat_type": "gauge" }, { - "sample_rate": 1, "name": "cache_datastore_hits_total", + "sample_rate": 1, "stat_type": "counter" }, { - "sample_rate": 1, "name": "cache_datastore_misses_total", + "sample_rate": 1, "stat_type": "counter" } - ] + ], + "type": "array" } }, { "allow_status_codes": { - "description": "List of status code ranges that are allowed to be logged in metrics.", "elements": { "type": "string", "match": "^[0-9]+-[0-9]+$" }, + "description": "List of status code ranges that are allowed to be logged in metrics.", "type": "array" } }, { "udp_packet_size": { - "description": "Combine UDP packet up to the 
size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", - "default": 0, "type": "number", "between": [ 0, 65507 - ] + ], + "default": 0, + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive)." } }, { "use_tcp": { - "description": "Use TCP instead of UDP.", "type": "boolean", - "default": false + "default": false, + "description": "Use TCP instead of UDP." } }, { "hostname_in_prefix": { - "description": "Include the `hostname` in the `prefix` for each metric name.", "type": "boolean", - "default": false + "default": false, + "description": "Include the `hostname` in the `prefix` for each metric name." } }, { "consumer_identifier_default": { - "type": "string", - "default": "custom_id", - "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", "required": true, "one_of": [ "consumer_id", "custom_id", "username" - ] + ], + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", + "default": "custom_id", + "type": "string" } }, { "service_identifier_default": { - "type": "string", - "default": "service_name_or_host", - "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", "required": true, "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ] + ], + "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. 
Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", + "default": "service_name_or_host", + "type": "string" } }, { "workspace_identifier_default": { - "type": "string", - "default": "workspace_id", - "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", "required": true, "one_of": [ "workspace_id", "workspace_name" - ] + ], + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", + "default": "workspace_id", + "type": "string" } }, { "queue": { - "type": "record", + "required": true, "fields": [ { "max_batch_size": { "type": "integer", - "default": 1, "description": "Maximum number of entries that can be processed at a time.", + "default": 1, "between": [ 1, 1000000 @@ -382,8 +379,8 @@ { "max_coalescing_delay": { "type": "number", - "default": 1, "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "default": 1, "between": [ 0, 3600 @@ -393,8 +390,8 @@ { "max_entries": { "type": "integer", - "default": 10000, "description": "Maximum number of entries that can be waiting on the queue.", + "default": 10000, "between": [ 1, 1000000 @@ -410,15 +407,15 @@ { "max_retry_time": { "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "default": 60 + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { "type": "number", - "default": 0.01, "description": "Time in seconds before the initial retry is made for a failing batch.", + "default": 0.01, "between": [ 0.001, 1000000 
@@ -428,21 +425,24 @@ { "max_retry_delay": { "type": "number", - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff." } } ], - "required": true + "type": "record" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/statsd/3.5.x.json b/schemas/statsd/3.5.x.json index e5ff7d02..75bc4051 100644 --- a/schemas/statsd/3.5.x.json +++ b/schemas/statsd/3.5.x.json @@ -1,13 +1,9 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,79 +16,66 @@ "ws", "wss" ], + "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", - "required": true + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "retry_count", - "queue_size", - "flush_timeout" - ] - } - } - ], "required": true, + "type": "record", "fields": [ { "host": { "description": "The IP address or hostname of StatsD server to send data to.", - "type": "string", - "default": "localhost" + "default": "localhost", + "type": "string" } }, { "port": { "description": "The port of StatsD server to send data to.", - "default": 8125, - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 8125, + "type": "integer" } }, { "prefix": { - "type": "string", "description": "String to prefix to each metric's name.", - "default": "kong" + "default": "kong", + "type": "string" } }, { "metrics": { - "type": "array", - "description": "List of metrics to be logged.", "elements": { "type": "record", "fields": [ { "name": { - "type": "string", - "description": "StatsD metric’s name.", "required": true, + "description": "StatsD metric’s name.", "one_of": [ "kong_latency", "latency", @@ -109,14 +92,14 @@ "shdict_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" - ] + ], + "type": "string" } }, { "stat_type": { - "type": "string", - "description": "Determines what sort of event a metric represents.", "required": true, + "description": "Determines what sort of event a metric represents.", "one_of": [ "counter", "gauge", 
@@ -124,47 +107,48 @@ "meter", "set", "timer" - ] + ], + "type": "string" } }, { "sample_rate": { - "type": "number", "gt": 0, - "description": "Sampling rate" + "description": "Sampling rate", + "type": "number" } }, { "consumer_identifier": { - "type": "string", - "description": "Authenticated user detail.", "one_of": [ "consumer_id", "custom_id", "username" - ] + ], + "type": "string", + "description": "Authenticated user detail." } }, { "service_identifier": { - "type": "string", - "description": "Service detail.", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ] + ], + "type": "string", + "description": "Service detail." } }, { "workspace_identifier": { - "type": "string", - "description": "Workspace detail.", "one_of": [ "workspace_id", "workspace_name" - ] + ], + "type": "string", + "description": "Workspace detail." } } ], 
@@ -186,88 +170,90 @@ } ] }, + "type": "array", "default": [ { - "sample_rate": 1, "name": "request_count", + "sample_rate": 1, "stat_type": "counter" }, { - "stat_type": "timer", - "name": "latency" + "name": "latency", + "stat_type": "timer" }, { - "sample_rate": 1, "name": "request_size", + "sample_rate": 1, "stat_type": "counter" }, { - "sample_rate": 1, "name": "status_count", + "sample_rate": 1, "stat_type": "counter" }, { - "sample_rate": 1, "name": "response_size", + "sample_rate": 1, "stat_type": "counter" }, { - "stat_type": "set", - "name": "unique_users" + "name": "unique_users", + "stat_type": "set" }, { - "sample_rate": 1, "name": "request_per_user", + "sample_rate": 1, "stat_type": "counter" }, { - "stat_type": "timer", - "name": "upstream_latency" + "name": "upstream_latency", + "stat_type": "timer" }, { - "stat_type": "timer", - "name": "kong_latency" + "name": "kong_latency", + "stat_type": "timer" }, { - "sample_rate": 1, "name": "status_count_per_user", + "sample_rate": 1, "stat_type": "counter" }, { - "sample_rate": 1, "name": "status_count_per_workspace", + "sample_rate": 1, "stat_type": "counter" }, { - "sample_rate": 1, "name": "status_count_per_user_per_route", + "sample_rate": 1, "stat_type": "counter" }, { - "sample_rate": 1, "name": "shdict_usage", + "sample_rate": 1, "stat_type": "gauge" }, { - "sample_rate": 1, "name": "cache_datastore_hits_total", + "sample_rate": 1, "stat_type": "counter" }, { - "sample_rate": 1, "name": "cache_datastore_misses_total", + "sample_rate": 1, "stat_type": "counter" } - ] + ], + "description": "List of metrics to be logged." } }, { "allow_status_codes": { - "type": "array", "elements": { "type": "string", "match": "^[0-9]+-[0-9]+$" }, + "type": "array", "description": "List of status code ranges that are allowed to be logged in metrics." } }, 
@@ -283,50 +269,50 @@ }, { "use_tcp": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "hostname_in_prefix": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "consumer_identifier_default": { - "type": "string", + "required": true, "one_of": [ "consumer_id", "custom_id", "username" ], - "required": true, - "default": "custom_id" + "default": "custom_id", + "type": "string" } }, { "service_identifier_default": { - "type": "string", + "required": true, "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" ], - "required": true, - "default": "service_name_or_host" + "default": "service_name_or_host", + "type": "string" } }, { "workspace_identifier_default": { - "type": "string", + "required": true, "one_of": [ "workspace_id", "workspace_name" ], - "required": true, - "default": "workspace_id" + "default": "workspace_id", + "type": "string" } }, { @@ -346,25 +332,25 @@ }, { "tag_style": { - "type": "string", "required": false, "one_of": [ "dogstatsd", "influxdb", "librato", "signalfx" - ] + ], + "type": "string" } }, { "queue": { - "type": "record", + "required": true, "fields": [ { "max_batch_size": { "type": "integer", - "default": 1, "description": "Maximum number of entries that can be processed at a time.", + "default": 1, "between": [ 1, 1000000 @@ -374,8 +360,8 @@ { "max_coalescing_delay": { "type": "number", - "default": 1, "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "default": 1, "between": [ 0, 3600 @@ -385,8 +371,8 @@ { "max_entries": { "type": "integer", - "default": 10000, "description": "Maximum number of entries that can be waiting on the queue.", + "default": 10000, "between": [ 1, 1000000 
@@ -402,15 +388,15 @@ { "max_retry_time": { "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "default": 60 + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { "type": "number", - "default": 0.01, "description": "Time in seconds before the initial retry is made for a failing batch.", + "default": 0.01, "between": [ 0.001, 1000000 @@ -420,20 +406,34 @@ { "max_retry_delay": { "type": "number", - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff." } } ], - "required": true + "type": "record" + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "retry_count", + "queue_size", + "flush_timeout" + ] } } ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/syslog/3.5.x.json b/schemas/syslog/3.5.x.json index 674000a8..b64aca32 100644 --- a/schemas/syslog/3.5.x.json +++ b/schemas/syslog/3.5.x.json @@ -1,13 +1,9 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,33 +16,34 @@ "ws", "wss" ], + "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", - "required": true + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "log_level": { - "type": "string", + "required": true, "one_of": [ "debug", "info", @@ -57,13 +54,13 @@ "alert", "emerg" ], - "required": true, - "default": "info" + "default": "info", + "type": "string" } }, { "successful_severity": { - "type": "string", + "required": true, "one_of": [ "debug", "info", @@ -74,13 +71,13 @@ "alert", "emerg" ], - "required": true, - "default": "info" + "default": "info", + "type": "string" } }, { "client_errors_severity": { - "type": "string", + "required": true, "one_of": [ "debug", "info", @@ -91,13 +88,13 @@ "alert", "emerg" ], - "required": true, - "default": "info" + "default": "info", + "type": "string" } }, { "server_errors_severity": { - "type": "string", + "required": true, "one_of": [ "debug", "info", 
@@ -108,29 +105,26 @@ "alert", "emerg" ], - "required": true, - "default": "info" + "default": "info", + "type": "string" } }, { "custom_fields_by_lua": { "type": "map", - "values": { - "type": "string", - "len_min": 1 - }, - "description": "Lua code as a key-value map", "keys": { "type": "string", "len_min": 1 - } + }, + "values": { + "len_min": 1, + "type": "string" + }, + "description": "Lua code as a key-value map" } }, { "facility": { - "type": "string", - "default": "user", - "description": "The facility is used by the operating system to decide how to handle each log message.", "required": true, "one_of": [ "auth", @@ -153,12 +147,18 @@ "local5", "local6", "local7" - ] + ], + "description": "The facility is used by the operating system to decide how to handle each log message.", + "default": "user", + "type": "string" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/tcp-log/3.5.x.json b/schemas/tcp-log/3.5.x.json index c54f2f77..2c6adaf6 100644 --- a/schemas/tcp-log/3.5.x.json +++ b/schemas/tcp-log/3.5.x.json @@ -1,13 +1,9 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,42 +16,43 @@ "ws", "wss" ], + "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", - "required": true + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "host": { - "description": "The IP address or host name to send data to.", "required": true, + "description": "The IP address or host name to send data to.", "type": "string" } }, { "port": { + "required": true, "description": "The port to send data to on the upstream server.", "type": "integer", - "required": true, "between": [ 0, 65535 
@@ -64,49 +61,52 @@ }, { "timeout": { - "type": "number", "description": "An optional timeout in milliseconds when sending data to the upstream server.", - "default": 10000 + "default": 10000, + "type": "number" } }, { "keepalive": { - "type": "number", "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", - "default": 60000 + "default": 60000, + "type": "number" } }, { "tls": { - "type": "boolean", - "description": "Indicates whether to perform a TLS handshake against the remote server.", "required": true, - "default": false + "description": "Indicates whether to perform a TLS handshake against the remote server.", + "default": false, + "type": "boolean" } }, { "tls_sni": { - "type": "string", - "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake." + "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake.", + "type": "string" } }, { "custom_fields_by_lua": { "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", "values": { - "type": "string", - "len_min": 1 + "len_min": 1, + "type": "string" }, - "type": "map", "keys": { "type": "string", "len_min": 1 - } + }, + "type": "map" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/tls-handshake-modifier/3.5.x.json b/schemas/tls-handshake-modifier/3.5.x.json index c8a6b45c..2895908c 100644 --- a/schemas/tls-handshake-modifier/3.5.x.json +++ b/schemas/tls-handshake-modifier/3.5.x.json 
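Review bot: The `custom_fields_by_lua` description in this tcp-log hunk says each value is "a chunk of Lua code", but the only constraint in the schema is `len_min: 1`, and nothing says where or with what privileges that code runs. Anyone who can write this plugin's config can therefore supply code that the gateway will presumably run when it builds a log entry. The description should say so and point to the gateway's `untrusted_lua` setting, which I believe governs sandboxing for such fields (worth confirming). The syslog and udp-log schemas in this commit describe the same field only as "Lua code as a key-value map" and should get the fuller wording plus the same caveat. These files are pulled from the API, so the text has to change in the plugin schema source.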
@@ -1,60 +1,60 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", "one_of": [ "https", "grpcs", "tls" - ] + ], + "type": "string" }, "default": [ "https", "grpcs" - ] + ], + "type": "set" } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "tls_client_certificate": { - "type": "string", - "default": "REQUEST", - "description": "TLS Client Certificate", "required": false, "one_of": [ "REQUEST" - ] + ], + "type": "string", + "default": "REQUEST", + "description": "TLS Client Certificate" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/tls-metadata-headers/3.5.x.json b/schemas/tls-metadata-headers/3.5.x.json index da869cda..49e82f5d 100644 --- a/schemas/tls-metadata-headers/3.5.x.json +++ b/schemas/tls-metadata-headers/3.5.x.json 
@@ -1,96 +1,96 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", "one_of": [ "https", "grpcs", "tls" - ] + ], + "type": "string" }, "default": [ "https", "grpcs" - ] + ], + "type": "set" } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "inject_client_cert_details": { "type": "boolean", - "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", - "default": false + "default": false, + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers." 
} }, { "client_cert_header_name": { - "type": "string", - "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", "required": true, - "default": "X-Client-Cert" + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", + "default": "X-Client-Cert", + "type": "string" } }, { "client_serial_header_name": { - "type": "string", - "description": "Define the HTTP header name used for the serial number of the client certificate.", "required": true, - "default": "X-Client-Cert-Serial" + "description": "Define the HTTP header name used for the serial number of the client certificate.", + "default": "X-Client-Cert-Serial", + "type": "string" } }, { "client_cert_issuer_dn_header_name": { - "type": "string", - "description": "Define the HTTP header name used for the issuer DN of the client certificate.", "required": true, - "default": "X-Client-Cert-Issuer-DN" + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", + "default": "X-Client-Cert-Issuer-DN", + "type": "string" } }, { "client_cert_subject_dn_header_name": { - "type": "string", - "description": "Define the HTTP header name used for the subject DN of the client certificate.", "required": true, - "default": "X-Client-Cert-Subject-DN" + "description": "Define the HTTP header name used for the subject DN of the client certificate.", + "default": "X-Client-Cert-Subject-DN", + "type": "string" } }, { "client_cert_fingerprint_header_name": { - "type": "string", - "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", "required": true, - "default": "X-Client-Cert-Fingerprint" + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", + "default": "X-Client-Cert-Fingerprint", + "type": "string" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
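Review bot: The five `client_*_header_name` fields in this hunk default to predictable names (`X-Client-Cert`, `X-Client-Cert-Subject-DN`, and so on), and no description says whether a same-named header arriving from the client is removed before the gateway sets its own. `inject_client_cert_details` defaults to `false`, so an upstream that trusts these headers needs to know whether caller-supplied values can reach it unmodified. The schema does not show this either way, so the description of `inject_client_cert_details` should state it. The `client_cert_fingerprint_header_name` text documents a SHA1 fingerprint, which is fine as a label but should not be presented as a strong identity check. This file is fetched from the API, so the wording has to be corrected in the plugin's schema source.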
diff --git a/schemas/udp-log/3.5.x.json b/schemas/udp-log/3.5.x.json index 8adf19b9..72f00f8d 100644 --- a/schemas/udp-log/3.5.x.json +++ b/schemas/udp-log/3.5.x.json @@ -1,13 +1,9 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", @@ -20,42 +16,43 @@ "ws", "wss" ], + "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", - "required": true + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "host": { - "type": "string", "required": true, - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 
@@ -64,28 +61,31 @@ }, { "timeout": { - "description": "An optional timeout in milliseconds when sending data to the upstream server.", "type": "number", - "default": 10000 + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server." } }, { "custom_fields_by_lua": { "type": "map", - "values": { - "type": "string", - "len_min": 1 - }, - "description": "Lua code as a key-value map", "keys": { "type": "string", "len_min": 1 - } + }, + "values": { + "len_min": 1, + "type": "string" + }, + "description": "Lua code as a key-value map" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/upstream-timeout/3.5.x.json b/schemas/upstream-timeout/3.5.x.json index ffad4fa4..beb3c65f 100644 --- a/schemas/upstream-timeout/3.5.x.json +++ b/schemas/upstream-timeout/3.5.x.json 
@@ -1,75 +1,75 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/vault-auth/3.5.x.json b/schemas/vault-auth/3.5.x.json index aab597e0..8818335f 100644 --- a/schemas/vault-auth/3.5.x.json +++ b/schemas/vault-auth/3.5.x.json 
@@ -1,112 +1,112 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "access_token_name": { - "type": "string", + "required": true, "elements": { "type": "string", "description": "A string representing an HTTP header name." }, + "type": "string", "default": "access_token", - "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", - "required": true + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-]." 
} }, { "secret_token_name": { - "type": "string", + "required": true, "elements": { "type": "string", "description": "A string representing an HTTP header name." }, + "type": "string", "default": "secret_token", - "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", - "required": true + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-]." } }, { "vault": { - "type": "foreign", - "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", "required": true, - "reference": "vault_auth_vaults" + "type": "foreign", + "reference": "vault_auth_vaults", + "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API." } }, { "hide_credentials": { "type": "boolean", - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", - "default": false + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. 
If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it." } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "tokens_in_body": { "type": "boolean", - "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", - "default": false + "default": false, + "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." } }, { "run_on_preflight": { "type": "boolean", - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", - "default": true + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed." 
} } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/websocket-size-limit/3.5.x.json b/schemas/websocket-size-limit/3.5.x.json index ae53952d..62de2696 100644 --- a/schemas/websocket-size-limit/3.5.x.json +++ b/schemas/websocket-size-limit/3.5.x.json @@ -1,50 +1,39 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", "one_of": [ "ws", "wss" - ] + ], + "type": "string" }, "default": [ "ws", "wss" - ] + ], + "type": "set" } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", - "entity_checks": [ - { - "at_least_one_of": [ - "client_max_payload", - "upstream_max_payload" - ] - } - ], "required": true, + "type": "record", "fields": [ { "client_max_payload": { - "type": "integer", "required": false, + "type": "integer", "between": [ 1, 33554432 @@ -53,16 +42,27 @@ }, { "upstream_max_payload": { - "type": "integer", "required": false, + "type": "integer", "between": [ 1, 33554432 ] } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "client_max_payload", + "upstream_max_payload" + ] + } ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/websocket-validator/3.5.x.json b/schemas/websocket-validator/3.5.x.json index 03d0227b..3f7cfbcd 100644 --- a/schemas/websocket-validator/3.5.x.json +++ b/schemas/websocket-validator/3.5.x.json 
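Review bot: In the vault-auth hunk that ends on this line, `access_token_name` and `secret_token_name` are described as "an array of comma-separated parameter names" limited to "[a-z], [A-Z], [0-9], [_], and [-]", yet both are declared `"type": "string"` with an `elements` sub-schema and no `match` pattern. Nothing visible in the schema enforces either statement. The type and description should agree (a plain string, or an array whose elements carry the pattern), or the character restriction should be dropped from the text. The same descriptions say the secret may be read from a querystring parameter while `hide_credentials` defaults to `false`, which deserves a sentence warning that the secret can then appear in access logs and at the upstream. Separately, the `tokens_in_body` description lists `application/www-form-urlencoded`, which looks like a typo for `application/x-www-form-urlencoded`.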
@@ -1,68 +1,59 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", "one_of": [ "ws", "wss" - ] + ], + "type": "string" }, "default": [ "ws", "wss" - ] + ], + "type": "set" } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", - "entity_checks": [ - { - "at_least_one_of": [ - "client", - "upstream" - ] - } - ], "required": true, + "type": "record", "fields": [ { "client": { + "required": false, "type": "record", "fields": [ { "text": { + "required": false, "type": "record", "fields": [ { "type": { - "type": "string", - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "required": true, + "type": "string", "one_of": [ "draft4" - ] + ], + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." } }, { "schema": { - "type": "string", "required": true, + "type": "string", "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." } } 
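Review bot: The descriptions under `config.client.text` in this hunk are copied from the upstream binary field. `type` reads "The corresponding validation library for config.upstream.binary.schema" and `schema` reads "Schema used to validate upstream-originated binary frames", although these fields sit under the client text record. The same two strings recur in the later hunks of this file for `client.binary` and `upstream.text`; only `upstream.binary` matches its text. Each description should name its own path and direction, for example `"description": "Schema used to validate client-originated text frames."`. An operator working from the current text could attach a schema to the wrong direction and believe frames are validated when they are not.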
@@ -76,28 +67,28 @@ ] } } - ], - "required": false + ] } }, { "binary": { + "required": false, "type": "record", "fields": [ { "type": { - "type": "string", - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "required": true, + "type": "string", "one_of": [ "draft4" - ] + ], + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." } }, { "schema": { - "type": "string", "required": true, + "type": "string", "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." } } @@ -111,8 +102,7 @@ ] } } - ], - "required": false + ] } } ], @@ -123,32 +113,33 @@ "binary" ] } - ], - "required": false + ] } }, { "upstream": { + "required": false, "type": "record", "fields": [ { "text": { + "required": false, "type": "record", "fields": [ { "type": { - "type": "string", - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "required": true, + "type": "string", "one_of": [ "draft4" - ] + ], + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." } }, { "schema": { - "type": "string", "required": true, + "type": "string", "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." } } 
@@ -162,28 +153,28 @@ ] } } - ], - "required": false + ] } }, { "binary": { + "required": false, "type": "record", "fields": [ { "type": { - "type": "string", - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "required": true, + "type": "string", "one_of": [ "draft4" - ] + ], + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." } }, { "schema": { - "type": "string", "required": true, + "type": "string", "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." } } @@ -197,8 +188,7 @@ ] } } - ], - "required": false + ] } } ], @@ -209,12 +199,22 @@ "binary" ] } - ], - "required": false + ] } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "client", + "upstream" + ] + } ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/xml-threat-protection/3.5.x.json b/schemas/xml-threat-protection/3.5.x.json index 18f7d8ac..098a6a16 100644 --- a/schemas/xml-threat-protection/3.5.x.json +++ b/schemas/xml-threat-protection/3.5.x.json 
@@ -1,300 +1,300 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", - "entity_checks": [ - { - "conditional": { - "then_field": "max_namespaces", - "if_field": "namespace_aware", - "then_match": { - "required": true - }, - "if_match": { - "eq": true - } - } - }, - { - "conditional": { - "then_field": "prefix", - "if_field": "namespace_aware", - "then_match": { - "required": true - }, - "if_match": { - "eq": true - } - } - }, - { - "conditional": { - "then_field": "namespaceuri", - "if_field": "namespace_aware", - "then_match": { - "required": true - }, - "if_match": { - "eq": true - } - } - } - ], "required": true, + "type": "record", "fields": [ { "checked_content_types": { - "type": "set", + "required": true, "elements": { - "match": "^[^%s]+%/[^ ;]+$", "required": true, + "match": "^[^%s]+%/[^ ;]+$", "type": "string" }, + "type": "set", "default": [ "application/xml" ], - "description": "A list of Content-Type values with payloads that must be validated.", - "required": true + "description": "A list of Content-Type values with payloads that must be validated." 
} }, { "allowed_content_types": { - "type": "set", + "required": true, "elements": { - "match": "^[^%s]+%/[^ ;]+$", "required": true, + "match": "^[^%s]+%/[^ ;]+$", "type": "string" }, + "type": "set", "default": [ ], - "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", - "required": true + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated." } }, { "allow_dtd": { - "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", - "type": "boolean", "required": true, - "default": false + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", + "default": false, + "type": "boolean" } }, { "namespace_aware": { - "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", - "type": "boolean", "required": true, - "default": true + "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", + "default": true, + "type": "boolean" } }, { "max_depth": { + "gt": 0, "type": "integer", - "default": 50, - "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", "required": true, - "gt": 0 + "default": 50, + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level." } }, { "max_children": { + "gt": 0, "type": "integer", - "default": 100, - "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. 
For example, text-cdata-text-cdata is one child.", "required": true, - "gt": 0 + "default": 100, + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child." } }, { "max_attributes": { + "gt": 0, "type": "integer", - "default": 100, - "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", "required": true, - "gt": 0 + "default": 100, + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes." } }, { "max_namespaces": { + "gt": 0, "type": "integer", - "default": 20, - "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", "required": false, - "gt": 0 + "default": 20, + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware." } }, { "document": { - "type": "integer", - "default": 10485760, + "gt": 0, "description": "Maximum size of the entire document.", "required": true, - "gt": 0 + "default": 10485760, + "type": "integer" } }, { "buffer": { - "type": "integer", - "default": 1048576, + "gt": 0, "description": "Maximum size of the unparsed buffer (see below).", "required": true, - "gt": 0 + "default": 1048576, + "type": "integer" } }, { "comment": { - "type": "integer", - "default": 1024, + "gt": 0, "description": "Maximum size of comments.", "required": true, - "gt": 0 + "default": 1024, + "type": "integer" } }, { "localname": { - "type": "integer", - "default": 1024, + "gt": 0, "description": "Maximum size of the localname. 
This applies to tags and attributes.", "required": true, - "gt": 0 + "default": 1024, + "type": "integer" } }, { "prefix": { - "type": "integer", - "default": 1024, + "gt": 0, "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", "required": false, - "gt": 0 + "default": 1024, + "type": "integer" } }, { "namespaceuri": { - "type": "integer", - "default": 1024, + "gt": 0, "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware.", "required": false, - "gt": 0 + "default": 1024, + "type": "integer" } }, { "attribute": { - "type": "integer", - "default": 1048576, + "gt": 0, "description": "Maximum size of the attribute value.", "required": true, - "gt": 0 + "default": 1048576, + "type": "integer" } }, { "text": { - "type": "integer", - "default": 1048576, + "gt": 0, "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", "required": true, - "gt": 0 + "default": 1048576, + "type": "integer" } }, { "pitarget": { - "type": "integer", - "default": 1024, + "gt": 0, "description": "Maximum size of processing instruction targets.", "required": true, - "gt": 0 + "default": 1024, + "type": "integer" } }, { "pidata": { - "type": "integer", - "default": 1024, + "gt": 0, "description": "Maximum size of processing instruction data.", "required": true, - "gt": 0 + "default": 1024, + "type": "integer" } }, { "entityname": { - "type": "integer", - "default": 1024, + "gt": 0, "description": "Maximum size of entity names in EntityDecl.", "required": true, - "gt": 0 + "default": 1024, + "type": "integer" } }, { "entity": { - "type": "integer", - "default": 1024, + "gt": 0, "description": "Maximum size of entity values in EntityDecl.", "required": true, - "gt": 0 + "default": 1024, + "type": "integer" } }, { "entityproperty": { - "type": "integer", - "default": 1024, + "gt": 0, "description": "Maximum size of 
systemId, publicId, or notationName in EntityDecl.", "required": true, - "gt": 0 + "default": 1024, + "type": "integer" } }, { "bla_max_amplification": { + "gt": 1, "type": "number", - "default": 100, - "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", "required": true, - "gt": 1 + "default": 100, + "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack." } }, { "bla_threshold": { - "type": "integer", - "default": 8388608, - "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", "required": true, - "gt": 1024 + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", + "gt": 1024, + "default": 8388608, + "type": "integer" + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "max_namespaces", + "if_field": "namespace_aware", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + } + } + }, + { + "conditional": { + "then_field": "prefix", + "if_field": "namespace_aware", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + } + } + }, + { + "conditional": { + "then_field": "namespaceuri", + "if_field": "namespace_aware", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + } } } ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/zipkin/3.5.x.json b/schemas/zipkin/3.5.x.json index c26ab711..f7f89d89 100644 --- a/schemas/zipkin/3.5.x.json +++ b/schemas/zipkin/3.5.x.json @@ -1,13 +1,9 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,36 +16,37 @@ "ws", "wss" ], + "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", - "required": true + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { - "type": "record", + "required": true, "fields": [ { "local_service_name": { - "type": "string", - "description": "The name of the service as displayed in Zipkin.", "required": true, - "default": "kong" + "type": "string", + "default": "kong", + "description": "The name of the service as displayed in Zipkin." } }, { @@ -61,12 +58,12 @@ { "sample_ratio": { "type": "number", - "default": 0.001, - "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", "between": [ 0, 1 - ] + ], + "default": 0.001, + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. " } }, { 
@@ -77,29 +74,26 @@ }, { "include_credential": { - "type": "boolean", - "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", "required": true, - "default": true + "type": "boolean", + "default": true, + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server." } }, { "traceid_byte_count": { - "type": "integer", - "default": 16, - "description": "The length in bytes of each request's Trace ID.", "required": true, "one_of": [ 8, 16 - ] + ], + "description": "The length in bytes of each request's Trace ID.", + "default": 16, + "type": "integer" } }, { "header_type": { - "type": "string", - "default": "preserve", - "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", "required": true, "one_of": [ "preserve", @@ -110,15 +104,16 @@ "jaeger", "ot", "aws", - "datadog" - ] + "datadog", + "gcp" + ], + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", + "default": "preserve", + "type": "string" } }, { "default_header_type": { - "type": "string", - "default": "b3", - "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", "required": true, "one_of": [ "b3", 
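Review bot: `include_credential` in this hunk keeps `"default": true`, so a plugin enabled with its default configuration sends the authenticated consumer's credential to the Zipkin server as span metadata without the operator opting in. The schema does not show which credential attribute is exported, so the actual exposure has to be confirmed in the plugin handler; if it can be a key or token value, the tracing backend becomes a second place where secrets are stored. This file is generated, so the change belongs in the upstream plugin schema: either `"default": false`, or a description that ends with something like `Credential data is retained wherever traces are stored; disable unless the tracing backend is trusted to hold it.`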
@@ -127,27 +122,29 @@ "jaeger", "ot", "aws", - "datadog" - ] + "datadog", + "gcp" + ], + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", + "default": "b3", + "type": "string" } }, { "tags_header": { - "type": "string", - "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", "required": true, - "default": "Zipkin-Tags" + "type": "string", + "default": "Zipkin-Tags", + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property." } }, { "static_tags": { - "type": "array", "elements": { - "type": "record", "fields": [ { "name": { - "type": "string", + "required": true, "not_one_of": [ "error", "http.method", @@ -163,7 +160,7 @@ "lc", "peer.hostname" ], - "required": true + "type": "string" } }, { 
@@ -172,54 +169,56 @@ "type": "string" } } - ] + ], + "type": "record" }, - "description": "The tags specified on this property will be added to the generated request traces." + "description": "The tags specified on this property will be added to the generated request traces.", + "type": "array" } }, { "http_span_name": { - "type": "string", - "default": "method", - "description": "Specify whether to include the HTTP path in the span name.", "required": true, "one_of": [ "method", "method_path" - ] + ], + "description": "Specify whether to include the HTTP path in the span name.", + "default": "method", + "type": "string" } }, { "connect_timeout": { - "type": "integer", - "default": 2000, "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "type": "integer" } }, { "send_timeout": { - "type": "integer", - "default": 5000, "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 5000, + "type": "integer" } }, { "read_timeout": { - "type": "integer", - "default": 5000, "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 5000, + "type": "integer" } }, { 
@@ -229,25 +228,25 @@ }, { "phase_duration_flavor": { - "type": "string", - "default": "annotations", - "description": "Specify whether to include the duration of each phase as an annotation or a tag.", "required": true, "one_of": [ "annotations", "tags" - ] + ], + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", + "default": "annotations", + "type": "string" } }, { "queue": { - "type": "record", + "required": true, "fields": [ { "max_batch_size": { "type": "integer", - "default": 1, "description": "Maximum number of entries that can be processed at a time.", + "default": 1, "between": [ 1, 1000000 @@ -257,8 +256,8 @@ { "max_coalescing_delay": { "type": "number", - "default": 1, "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "default": 1, "between": [ 0, 3600 @@ -268,8 +267,8 @@ { "max_entries": { "type": "integer", - "default": 10000, "description": "Maximum number of entries that can be waiting on the queue.", + "default": 10000, "between": [ 1, 1000000 @@ -285,15 +284,15 @@ { "max_retry_time": { "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "default": 60 + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { "type": "number", - "default": 0.01, "description": "Time in seconds before the initial retry is made for a failing batch.", + "default": 0.01, "between": [ 0.001, 1000000 
@@ -303,21 +302,24 @@ { "max_retry_delay": { "type": "number", - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff." } } ], - "required": true + "type": "record" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file From 535b9dd714b8c20df51e5614022d6002a42d231d Mon Sep 17 00:00:00 2001 
From: "lena.larionova" Date: Wed, 25 Oct 2023 10:26:40 -0700 Subject: [PATCH 015/165] generate real schemas for 3.5 --- schemas/acl/3.5.x.json | 28 +- schemas/acme/3.5.x.json | 252 ++-- schemas/application-registration/3.5.x.json | 48 +- schemas/aws-lambda/3.5.x.json | 110 +- schemas/azure-functions/3.5.x.json | 52 +- schemas/basic-auth/3.5.x.json | 48 +- schemas/bot-detection/3.5.x.json | 40 +- schemas/canary/3.5.x.json | 98 +- schemas/correlation-id/3.5.x.json | 38 +- schemas/cors/3.5.x.json | 82 +- schemas/datadog/3.5.x.json | 180 +-- schemas/degraphql/3.5.x.json | 34 +- schemas/exit-transformer/3.5.x.json | 28 +- schemas/file-log/3.5.x.json | 42 +- schemas/forward-proxy/3.5.x.json | 116 +- .../graphql-proxy-cache-advanced/3.5.x.json | 46 +- .../graphql-rate-limiting-advanced/3.5.x.json | 290 ++-- schemas/grpc-gateway/3.5.x.json | 24 +- schemas/grpc-web/3.5.x.json | 34 +- schemas/hmac-auth/3.5.x.json | 68 +- schemas/http-log/3.5.x.json | 120 +- schemas/ip-restriction/3.5.x.json | 34 +- schemas/jq/3.5.x.json | 96 +- schemas/jwe-decrypt/3.5.x.json | 44 +- schemas/jwt-signer/3.5.x.json | 318 ++--- schemas/jwt/3.5.x.json | 72 +- schemas/kafka-log/3.5.x.json | 162 +-- schemas/kafka-upstream/3.5.x.json | 172 +-- schemas/key-auth-enc/3.5.x.json | 58 +- schemas/key-auth/3.5.x.json | 72 +- schemas/konnect-application-auth/3.5.x.json | 52 +- schemas/ldap-auth-advanced/3.5.x.json | 132 +- schemas/ldap-auth/3.5.x.json | 108 +- schemas/loggly/3.5.x.json | 78 +- schemas/mocking/3.5.x.json | 52 +- schemas/mtls-auth/3.5.x.json | 116 +- schemas/oas-validation/3.5.x.json | 96 +- schemas/oauth2-introspection/3.5.x.json | 74 +- schemas/oauth2/3.5.x.json | 156 +-- schemas/opa/3.5.x.json | 74 +- schemas/openid-connect/3.5.x.json | 1225 +++++++++-------- schemas/opentelemetry/3.5.x.json | 106 +- schemas/post-function/3.5.x.json | 132 +- schemas/pre-function/3.5.x.json | 132 +- schemas/prometheus/3.5.x.json | 30 +- schemas/proxy-cache-advanced/3.5.x.json | 292 ++-- 
schemas/proxy-cache/3.5.x.json | 100 +- schemas/rate-limiting-advanced/3.5.x.json | 292 ++-- schemas/rate-limiting/3.5.x.json | 174 +-- schemas/request-size-limiting/3.5.x.json | 34 +- schemas/request-termination/3.5.x.json | 32 +- .../request-transformer-advanced/3.5.x.json | 228 +-- schemas/request-transformer/3.5.x.json | 164 +-- schemas/request-validator/3.5.x.json | 104 +- schemas/response-ratelimiting/3.5.x.json | 176 +-- .../response-transformer-advanced/3.5.x.json | 228 +-- schemas/response-transformer/3.5.x.json | 150 +- schemas/route-by-header/3.5.x.json | 44 +- schemas/route-transformer-advanced/3.5.x.json | 34 +- schemas/saml/3.5.x.json | 468 +++---- schemas/session/3.5.x.json | 212 +-- schemas/statsd-advanced/3.5.x.json | 390 +++--- schemas/statsd/3.5.x.json | 314 ++--- schemas/syslog/3.5.x.json | 64 +- schemas/tcp-log/3.5.x.json | 48 +- schemas/tls-handshake-modifier/3.5.x.json | 38 +- schemas/tls-metadata-headers/3.5.x.json | 62 +- schemas/udp-log/3.5.x.json | 40 +- schemas/upstream-timeout/3.5.x.json | 32 +- schemas/vault-auth/3.5.x.json | 50 +- schemas/websocket-size-limit/3.5.x.json | 38 +- schemas/websocket-validator/3.5.x.json | 158 +-- schemas/xml-threat-protection/3.5.x.json | 238 ++-- schemas/zipkin/3.5.x.json | 140 +- 74 files changed, 4869 insertions(+), 4844 deletions(-) diff --git a/schemas/acl/3.5.x.json b/schemas/acl/3.5.x.json index b13e64a5..f05a40d2 100644 --- a/schemas/acl/3.5.x.json +++ b/schemas/acl/3.5.x.json 
@@ -2,45 +2,46 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { "required": true, + "type": "record", "fields": [ { "allow": { @@ -61,12 +62,11 @@ { "hide_groups_header": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } } - ], - "type": "record" + ] } } ], diff --git a/schemas/acme/3.5.x.json b/schemas/acme/3.5.x.json index bb6b9052..7f964ef7 100644 --- a/schemas/acme/3.5.x.json +++ b/schemas/acme/3.5.x.json 
@@ -2,76 +2,78 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "service": { - "reference": "services", + "type": "foreign", "description": "A reference to the 'services' table with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "services" } }, { "route": { - "reference": "routes", + "type": "foreign", "description": "A reference to the 'routes' table with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "routes" } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { "required": true, + "type": "record", "fields": [ { "account_email": { - "required": true, - "description": "The account identifier. Can be reused in a different plugin instance.", "referenceable": true, - "match": "%w*%p*@+%w*%.?%w*", + "description": "The account identifier. Can be reused in a different plugin instance.", "encrypted": true, - "type": "string" + "type": "string", + "match": "%w*%p*@+%w*%.?%w*", + "required": true } }, { "account_key": { "required": false, "type": "record", + "description": "The private key associated with the account.", "fields": [ { "key_id": { 
@@ -82,71 +84,70 @@ }, { "key_set": { - "type": "string", - "description": "The ID of the key set to associate the Key ID with." + "description": "The ID of the key set to associate the Key ID with.", + "type": "string" } } - ], - "description": "The private key associated with the account." + ] } }, { "api_uri": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "default": "https://acme-v02.api.letsencrypt.org/directory", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "tos_accepted": { - "type": "boolean", "default": false, + "type": "boolean", "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service." } }, { "eab_kid": { - "referenceable": true, - "type": "string", "encrypted": true, - "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA." + "type": "string", + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", + "referenceable": true } }, { "eab_hmac_key": { - "referenceable": true, - "type": "string", "encrypted": true, - "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA." + "type": "string", + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", + "referenceable": true } }, { "cert_type": { + "default": "rsa", + "type": "string", + "description": "The certificate type to create. 
The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate.", "one_of": [ "rsa", "ecc" - ], - "type": "string", - "default": "rsa", - "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate." + ] } }, { "rsa_key_size": { + "default": 4096, + "type": "number", + "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", "one_of": [ 2048, 3072, 4096 - ], - "type": "number", - "default": 4096, - "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096." + ] } }, { "renew_threshold_days": { - "type": "number", "default": 14, + "type": "number", "description": "Days remaining to renew the certificate before it expires." } }, @@ -159,6 +160,7 @@ "err": "invalid wildcard: must have at most one wildcard" } ], + "type": "string", "match_any": { "patterns": [ "^%*%.", @@ -166,8 +168,7 @@ "^[^*]*$" ], "err": "invalid wildcard: must be placed at leftmost or rightmost label" - }, - "type": "string" + } }, "type": "array", "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')" 
@@ -175,68 +176,70 @@ }, { "allow_any_domain": { - "type": "boolean", "default": false, + "type": "boolean", "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list." } }, { "fail_backoff_minutes": { - "type": "number", "default": 5, + "type": "number", "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate." } }, { "storage": { + "default": "shm", + "type": "string", + "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well.", "one_of": [ "kong", "shm", "redis", "consul", "vault" - ], - "type": "string", - "default": "shm", - "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well." 
+ ] } }, { "storage_config": { "required": true, + "type": "record", "fields": [ { "shm": { "required": true, + "type": "record", "fields": [ { "shm_name": { - "type": "string", "default": "kong", + "type": "string", "description": "Name of shared memory zone used for Kong API gateway storage" } } - ], - "type": "record" + ] } }, { "kong": { "required": true, + "type": "record", "fields": [ - ], - "type": "record" + ] } }, { "redis": { "required": true, + "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { 
@@ -245,82 +248,82 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "database": { - "type": "number", - "description": "The index of the Redis database to use." + "description": "The index of the Redis database to use.", + "type": "number" } }, { "auth": { - "referenceable": true, "type": "string", - "description": "The Redis password to use for authentication. " + "description": "The Redis password to use for authentication. ", + "referenceable": true } }, { "ssl": { - "required": true, - "type": "boolean", "default": false, - "description": "Whether to use SSL/TLS encryption when connecting to the Redis server." + "type": "boolean", + "description": "Whether to use SSL/TLS encryption when connecting to the Redis server.", + "required": true } }, { "ssl_verify": { - "required": true, - "type": "boolean", "default": false, - "description": "Whether to verify the SSL/TLS certificate presented by the Redis server. This should be a boolean value." + "type": "boolean", + "description": "Whether to verify the SSL/TLS certificate presented by the Redis server. This should be a boolean value.", + "required": true } }, { "ssl_server_name": { "required": false, - "description": "The expected server name for the SSL/TLS certificate presented by the Redis server.", - "type": "string" + "type": "string", + "description": "The expected server name for the SSL/TLS certificate presented by the Redis server." } }, { "namespace": { - "required": true, "len_min": 0, + "type": "string", "description": "A namespace to prepend to all keys stored in Redis.", "default": "", - "type": "string" + "required": true } }, { "scan_count": { - "required": false, - "type": "number", "default": 10, - "description": "The number of keys to return in Redis SCAN calls." 
+ "type": "number", + "description": "The number of keys to return in Redis SCAN calls.", + "required": false } } - ], - "type": "record" + ] } }, { "consul": { "required": true, + "type": "record", "fields": [ { "https": { - "type": "boolean", "default": false, + "type": "boolean", "description": "Boolean representation of https." } }, { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { @@ -329,48 +332,48 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "kv_path": { - "type": "string", - "description": "KV prefix path." + "description": "KV prefix path.", + "type": "string" } }, { "timeout": { - "type": "number", - "description": "Timeout in milliseconds." + "description": "Timeout in milliseconds.", + "type": "number" } }, { "token": { - "referenceable": true, "type": "string", - "description": "Consul ACL token." + "description": "Consul ACL token.", + "referenceable": true } } - ], - "type": "record" + ] } }, { "vault": { "required": true, + "type": "record", "fields": [ { "https": { - "type": "boolean", "default": false, + "type": "boolean", "description": "Boolean representation of https." } }, { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { 
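Review bot: The Redis storage fields in this hunk default both `ssl` and `ssl_verify` to `false` while `auth` carries the Redis password, so a default configuration authenticates over an unencrypted connection, and enabling `ssl` alone still accepts any server certificate. The Vault block of the same schema defaults `tls_verify` to `true`, so the two storage backends disagree on the safe default. Flipping the default may break existing deployments, so the minimum is a description caveat such as `When false, the Redis server's identity is not checked and the password can be exposed to an intercepting host.`; the stronger option is `"default": true` on `ssl_verify`. The file is generated, so either change has to be made in the upstream plugin schema.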
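Review bot: The Consul `token` field in this hunk is marked `"referenceable": true` but not `"encrypted": true`, whereas `eab_kid` and `eab_hmac_key` earlier in the same schema carry both. If `encrypted` is what marks a field for encryption at rest (the schema itself does not say), a token entered as a literal value rather than a vault reference would be stored in clear text. The same applies to the Redis `auth` field in the preceding hunk and to the `token` field in the `@@ -379,77 +382,75 @@` hunk. The file is generated, so the change belongs in the upstream plugin schema: add `"encrypted": true` to those three fields.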
@@ -379,77 +382,75 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "kv_path": { - "type": "string", - "description": "KV prefix path." + "description": "KV prefix path.", + "type": "string" } }, { "timeout": { - "type": "number", - "description": "Timeout in milliseconds." + "description": "Timeout in milliseconds.", + "type": "number" } }, { "token": { - "referenceable": true, "type": "string", - "description": "Consul ACL token." + "description": "Consul ACL token.", + "referenceable": true } }, { "tls_verify": { - "type": "boolean", "default": true, + "type": "boolean", "description": "Turn on TLS verification." } }, { "tls_server_name": { - "type": "string", - "description": "SNI used in request, default to host if omitted." + "description": "SNI used in request, default to host if omitted.", + "type": "string" } }, { "auth_method": { + "default": "token", + "type": "string", + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", "one_of": [ "token", "kubernetes" - ], - "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", - "default": "token", - "type": "string" + ] } }, { "auth_path": { - "type": "string", - "description": "Vault's authentication path to use." + "description": "Vault's authentication path to use.", + "type": "string" } }, { "auth_role": { - "type": "string", - "description": "The role to try and assign." + "description": "The role to try and assign.", + "type": "string" } }, { "jwt_path": { - "type": "string", - "description": "The path to the JWT." + "description": "The path to the JWT.", + "type": "string" } } - ], - "type": "record" + ] } } - ], - "type": "record" + ] } }, { 
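Review bot: The `token` field in this hunk is described as `Consul ACL token.`, but the fields around it (`tls_verify`, `auth_method` with `token`/`kubernetes`, `auth_role`, `jwt_path`) indicate it sits in the Vault storage record, which opens in the preceding hunk. An operator working from the generated documentation could supply the wrong secret here or overlook that the field holds a Vault credential. Proposed wording, to be fixed in the upstream schema this file is generated from: `"description": "Vault token."`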
@@ -460,31 +461,30 @@ }, { "enable_ipv4_common_name": { - "type": "boolean", "default": true, + "type": "boolean", "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates." } } - ], - "type": "record" + ] } } ], "entity_checks": [ { "conditional": { + "then_field": "config.tos_accepted", + "then_match": { + "eq": true + }, + "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", "if_match": { "one_of": [ "https://acme-v02.api.letsencrypt.org", "https://acme-staging-v02.api.letsencrypt.org" ] }, - "then_field": "config.tos_accepted", - "if_field": "config.api_uri", - "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", - "then_match": { - "eq": true - } + "if_field": "config.api_uri" } }, { diff --git a/schemas/application-registration/3.5.x.json b/schemas/application-registration/3.5.x.json index 51fc1456..bc2d64f3 100644 --- a/schemas/application-registration/3.5.x.json +++ b/schemas/application-registration/3.5.x.json 
@@ -2,68 +2,69 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "service": { - "reference": "services", + "type": "foreign", "on_delete": "cascade", "ne": null, - "type": "foreign" + "reference": "services" } }, { "route": { - "reference": "routes", + "type": "foreign", "description": "A reference to the 'routes' table with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "routes" } }, { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "display_name": { - "required": true, "unique": true, "type": "string", - "description": "Unique display name used for a Service in the Developer Portal." + "description": "Unique display name used for a Service in the Developer Portal.", + "required": true } }, { 
@@ -75,22 +76,21 @@ }, { "auto_approve": { - "required": true, - "type": "boolean", "default": false, - "description": "If enabled, all new Service Contracts requests are automatically approved." + "type": "boolean", + "description": "If enabled, all new Service Contracts requests are automatically approved.", + "required": true } }, { "show_issuer": { - "required": true, - "type": "boolean", "default": false, - "description": "Displays the **Issuer URL** in the **Service Details** dialog." + "type": "boolean", + "description": "Displays the **Issuer URL** in the **Service Details** dialog.", + "required": true } } - ], - "type": "record" + ] } } ], diff --git a/schemas/aws-lambda/3.5.x.json b/schemas/aws-lambda/3.5.x.json index 0b860117..1bdba91f 100644 --- a/schemas/aws-lambda/3.5.x.json +++ b/schemas/aws-lambda/3.5.x.json 
@@ -2,89 +2,90 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "timeout": { "required": true, "type": "number", - "default": 60000, - "description": "An optional timeout in milliseconds when invoking the function." + "description": "An optional timeout in milliseconds when invoking the function.", + "default": 60000 } }, { "keepalive": { "required": true, "type": "number", - "default": 60000, - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "default": 60000 } }, { "aws_key": { - "referenceable": true, - "type": "string", "encrypted": true, - "description": "The AWS key credential to be used when invoking the function." + "referenceable": true, + "description": "The AWS key credential to be used when invoking the function.", + "type": "string" } }, { "aws_secret": { - "referenceable": true, - "type": "string", "encrypted": true, - "description": "The AWS secret credential to be used when invoking the function. " + "referenceable": true, + "description": "The AWS secret credential to be used when invoking the function. 
", + "type": "string" } }, { "aws_assume_role_arn": { - "referenceable": true, - "type": "string", "encrypted": true, - "description": "The target AWS IAM role ARN used to invoke the Lambda function." + "referenceable": true, + "description": "The target AWS IAM role ARN used to invoke the Lambda function.", + "type": "string" } }, { "aws_role_session_name": { - "type": "string", "default": "kong", + "type": "string", "description": "The identifier of the assumed role session." } }, { "aws_region": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { @@ -102,44 +103,44 @@ }, { "invocation_type": { + "type": "string", + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", + "default": "RequestResponse", "required": true, "one_of": [ "RequestResponse", "Event", "DryRun" - ], - "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", - "default": "RequestResponse", - "type": "string" + ] } }, { "log_type": { + "type": "string", + "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", + "default": "Tail", "required": true, "one_of": [ "Tail", "None" - ], - "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", - "default": "Tail", - "type": "string" + ] } }, { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 443, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "default": 443, - "type": "integer" + ] } }, { 
@@ -150,90 +151,89 @@ }, { "unhandled_status": { - "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", "between": [ 100, 999 ], - "type": "integer" + "type": "integer", + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error." } }, { "forward_request_method": { - "type": "boolean", "default": false, + "type": "boolean", "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request." } }, { "forward_request_uri": { - "type": "boolean", "default": false, + "type": "boolean", "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request." } }, { "forward_request_headers": { - "type": "boolean", "default": false, + "type": "boolean", "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request." } }, { "forward_request_body": { - "type": "boolean", "default": false, + "type": "boolean", "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. " } }, { "is_proxy_integration": { - "type": "boolean", "default": false, + "type": "boolean", "description": "An optional value that defines whether the response format to receive from the Lambda to this format." } }, { "awsgateway_compatible": { - "type": "boolean", "default": false, + "type": "boolean", "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway." 
} }, { "proxy_url": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "skip_large_bodies": { - "type": "boolean", "default": true, + "type": "boolean", "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk" } }, { "base64_encode_body": { - "type": "boolean", "default": true, + "type": "boolean", "description": "An optional value that Base64-encodes the request body." } }, { "aws_imds_protocol_version": { + "type": "string", + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", + "default": "v1", "required": true, "one_of": [ "v1", "v2" - ], - "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", - "default": "v1", - "type": "string" + ] } } - ], - "type": "record" + ] } } ], diff --git a/schemas/azure-functions/3.5.x.json b/schemas/azure-functions/3.5.x.json index 5d140e0d..0f181b75 100644 --- a/schemas/azure-functions/3.5.x.json +++ b/schemas/azure-functions/3.5.x.json @@ -2,7 +2,6 @@ "fields": [ { "protocols": { - "required": true, "elements": { "one_of": [ "grpc", 
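Review bot: The `aws_imds_protocol_version` description at the end of the aws-lambda hunk (`@@ -150,90 +151,89 @@`) names `v1` and `v2` without saying how they differ, while the schema keeps `"default": "v1"`. IMDSv2 requires a session token on every metadata request, which is what protects instance role credentials from being fetched through a forged request. Readers choosing a value should therefore be told that `v2` is the hardened option. I would extend the text to `"description": "Identifier to select the IMDS protocol version to use: v1 or v2. v2 is session-token based and is preferred wherever the host supports it."`. Since this file is pulled from the API, the wording has to be changed in the upstream plugin schema and re-downloaded.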
@@ -16,56 +15,58 @@ "ws", "wss" ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string" }, "type": "set", + "description": "A set of strings representing protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "timeout": { - "type": "number", "default": 600000, + "type": "number", "description": "Timeout in milliseconds before closing a connection to the Azure Functions server." } }, { "keepalive": { - "type": "number", "default": 60000, + "type": "number", "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed." } }, { "https": { - "description": "Use of HTTPS to connect with the Azure Functions server.", "default": true, - "type": "boolean" + "type": "boolean", + "description": "Use of HTTPS to connect with the Azure Functions server." } }, { "https_verify": { - "type": "boolean", "default": false, + "type": "boolean", "description": "Set to `true` to authenticate the Azure Functions server." } }, 
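Review bot: The `https_verify` description in this azure-functions hunk says only "Set to `true` to authenticate the Azure Functions server" and leaves the effect of `"default": false` unstated. Going by the field name and that sentence, the default appears to leave the server certificate unchecked, so the `https` field's default of `true` gives encryption without authenticating the peer. I would spell that out, for example `"description": "Set to true to verify the Azure Functions server's TLS certificate. When false (the default), the certificate is not checked."`. The sentence needs confirming against the plugin handler, which is not part of this diff, and the fix belongs in the upstream schema because this file is downloaded.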
@@ -73,49 +74,48 @@ "apikey": { "encrypted": true, "type": "string", - "referenceable": true, - "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header." + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", + "referenceable": true } }, { "clientid": { "encrypted": true, "type": "string", - "referenceable": true, - "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header." + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.", + "referenceable": true } }, { "appname": { "required": true, - "description": "The Azure app name.", - "type": "string" + "type": "string", + "description": "The Azure app name." } }, { "hostdomain": { "required": true, + "type": "string", "description": "The domain where the function resides.", - "default": "azurewebsites.net", - "type": "string" + "default": "azurewebsites.net" } }, { "routeprefix": { - "type": "string", "default": "api", + "type": "string", "description": "Route prefix to use." } }, { "functionname": { "required": true, - "description": "Name of the Azure function to invoke.", - "type": "string" + "type": "string", + "description": "Name of the Azure function to invoke." } } - ], - "type": "record" + ] } } ], diff --git a/schemas/basic-auth/3.5.x.json b/schemas/basic-auth/3.5.x.json index 34968d4f..bb1cf5d0 100644 --- a/schemas/basic-auth/3.5.x.json +++ b/schemas/basic-auth/3.5.x.json 
@@ -2,26 +2,16 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "protocols": { "required": true, - "elements": { - "one_of": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], - "type": "string" - }, + "type": "set", "default": [ "grpc", "grpcs", 
@@ -30,37 +20,47 @@ "ws", "wss" ], - "type": "set" + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "anonymous": { - "type": "string", - "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "hide_credentials": { - "required": true, - "type": "boolean", "default": false, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it." + "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", + "required": true } } - ], - "type": "record" + ] } } ], 
diff --git a/schemas/bot-detection/3.5.x.json b/schemas/bot-detection/3.5.x.json index 064f7db2..86d31e9f 100644 --- a/schemas/bot-detection/3.5.x.json +++ b/schemas/bot-detection/3.5.x.json @@ -2,74 +2,74 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "allow": { "elements": { - "type": "string", - "is_regex": true + "is_regex": true, + "type": "string" }, + "type": "array", "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", "default": [ - ], - "type": "array" + ] } }, { "deny": { "elements": { - "type": "string", - "is_regex": true + "is_regex": true, + "type": "string" }, + "type": "array", "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", "default": [ - ], - "type": "array" + ] } } - ], - "type": "record" + ] } } ], diff --git a/schemas/canary/3.5.x.json b/schemas/canary/3.5.x.json index ce7c257d..26b4448a 100644 
--- a/schemas/canary/3.5.x.json +++ b/schemas/canary/3.5.x.json @@ -2,44 +2,53 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { + "shorthand_fields": [ + { + "hash": { + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead.", + "type": "string" + } + } + ], + "type": "record", "required": true, "fields": [ { @@ -50,6 +59,9 @@ }, { "hash": { + "default": "consumer", + "type": "string", + "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", "one_of": [ "consumer", "ip", 
@@ -57,48 +69,45 @@ "allow", "deny", "header" - ], - "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", - "default": "consumer", - "type": "string" + ] } }, { "hash_header": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } }, { "duration": { - "gt": 0, - "description": "The duration of the canary release in seconds.", "default": 3600, - "type": "number" + "type": "number", + "description": "The duration of the canary release in seconds.", + "gt": 0 } }, { "steps": { - "gt": 1, - "description": "The number of steps for the canary release.", "default": 1000, - "type": "number" + "type": "number", + "description": "The number of steps for the canary release.", + "gt": 1 } }, { "percentage": { - "type": "number", "between": [ 0, 100 ], + "type": "number", "description": "The percentage of traffic to be routed to the canary release." } }, { "upstream_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { @@ -107,8 +116,8 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { 
@@ -121,9 +130,9 @@ { "upstream_fallback": { "required": true, + "type": "boolean", "description": "Specifies whether to fallback to the upstream server if the canary release fails.", - "default": false, - "type": "boolean" + "default": false } }, { @@ -137,20 +146,11 @@ }, { "canary_by_header_name": { - "type": "string", - "description": "A string representing an HTTP header name." - } - } - ], - "shorthand_fields": [ - { - "hash": { - "type": "string", - "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead." + "description": "A string representing an HTTP header name.", + "type": "string" } } - ], - "type": "record" + ] } } ], @@ -165,25 +165,25 @@ { "conditional": { "then_field": "config.hash_header", - "if_field": "config.hash", + "if_match": { + "eq": "header" + }, "then_match": { "required": true }, - "if_match": { - "eq": "header" - } + "if_field": "config.hash" } }, { "conditional": { "then_field": "config.upstream_host", - "if_field": "config.upstream_fallback", + "if_match": { + "eq": true + }, "then_match": { "required": true }, - "if_match": { - "eq": true - } + "if_field": "config.upstream_fallback" } } ] diff --git a/schemas/correlation-id/3.5.x.json b/schemas/correlation-id/3.5.x.json index e54598ed..31e905c2 100644 --- a/schemas/correlation-id/3.5.x.json +++ b/schemas/correlation-id/3.5.x.json 
@@ -2,67 +2,67 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "header_name": { - "description": "The HTTP header name to use for the correlation ID.", "default": "Kong-Request-ID", - "type": "string" + "type": "string", + "description": "The HTTP header name to use for the correlation ID." } }, { "generator": { + "default": "uuid#counter", + "type": "string", + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", "one_of": [ "uuid", "uuid#counter", "tracker" - ], - "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", - "default": "uuid#counter", - "type": "string" + ] } }, { "echo_downstream": { - "required": true, - "description": "Whether to echo the header back to downstream (the client).", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Whether to echo the header back to downstream (the client).", + "required": true } } - ], - "type": "record" + ] } } ], diff --git a/schemas/cors/3.5.x.json b/schemas/cors/3.5.x.json index a952df50..42d55c67 100644 --- a/schemas/cors/3.5.x.json +++ b/schemas/cors/3.5.x.json 
@@ -2,16 +2,16 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "protocols": { - "required": true, "elements": { + "required": true, "one_of": [ "grpc", "grpcs", @@ -19,38 +19,39 @@ "https" ], "type": "string", - "required": true, "len_min": 1 }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "origins": { "elements": { "type": "string" }, - "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.", - "type": "array" + "type": "array", + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes." } }, { @@ -58,8 +59,8 @@ "elements": { "type": "string" }, - "description": "Value for the `Access-Control-Allow-Headers` header.", - "type": "array" + "type": "array", + "description": "Value for the `Access-Control-Allow-Headers` header." } }, { 
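Review bot: The `origins` description in the second cors hunk (`@@ -19,38 +19,39 @@`) says values may be "flat strings or PCRE regexes" but gives no guidance on writing a pattern that matches only the intended origin. This schema does not show how the plugin tells a flat string from a regex, or whether matching is anchored, so the description should state both. I would add a sentence such as `Regex entries should be anchored (^...$) and have literal dots escaped, otherwise an entry meant for one domain can also admit look-alike origins.` It would also help to note, next to the `*` advice, that a wildcard origin should not be paired with `credentials` set to `true`; that field sits in a later hunk of this file.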
@@ -67,27 +68,12 @@ "elements": { "type": "string" }, - "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", - "type": "array" + "type": "array", + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed." } }, { "methods": { - "elements": { - "one_of": [ - "GET", - "HEAD", - "PUT", - "PATCH", - "POST", - "DELETE", - "OPTIONS", - "TRACE", - "CONNECT" - ], - "type": "string" - }, - "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", "default": [ "GET", "HEAD", 
@@ -99,41 +85,55 @@ "TRACE", "CONNECT" ], - "type": "array" + "type": "array", + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", + "elements": { + "type": "string", + "one_of": [ + "GET", + "HEAD", + "PUT", + "PATCH", + "POST", + "DELETE", + "OPTIONS", + "TRACE", + "CONNECT" + ] + } } }, { "max_age": { - "type": "number", - "description": "Indicates how long the results of the preflight request can be cached, in `seconds`." + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`.", + "type": "number" } }, { "credentials": { "required": true, "type": "boolean", - "default": false, - "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value." + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", + "default": false } }, { "private_network": { "required": true, "type": "boolean", - "default": false, - "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value." + "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", + "default": false } }, { "preflight_continue": { "required": true, "type": "boolean", - "default": false, - "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service." + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", + "default": false } } - ], - "type": "record" + ] } } ], diff --git a/schemas/datadog/3.5.x.json b/schemas/datadog/3.5.x.json index 7615c352..6950e0d3 100644 --- a/schemas/datadog/3.5.x.json 
+++ b/schemas/datadog/3.5.x.json @@ -2,7 +2,6 @@ "fields": [ { "protocols": { - "required": true, "elements": { "one_of": [ "grpc", 
@@ -16,77 +15,89 @@ "ws", "wss" ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string" }, "type": "set", + "description": "A set of strings representing protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "retry_count", + "queue_size", + "flush_timeout" + ] + } + } + ], "fields": [ { "host": { + "default": "localhost", "referenceable": true, "description": "A string representing a host name, such as example.com.", - "default": "localhost", "type": "string" } }, { "port": { + "default": 8125, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "default": 8125, - "type": "integer" + ] } }, { "prefix": { - "description": "String to be attached as a prefix to a metric's name.", "default": "kong", - "type": "string" + "type": "string", + "description": "String to be attached as a prefix to a metric's name." } }, { "service_name_tag": { - "description": "String to be attached as the name of the service.", "default": "name", - "type": "string" + "type": "string", + "description": "String to be attached as the name of the service." 
} }, { "status_tag": { - "description": "String to be attached as the tag of the HTTP status.", "default": "status", - "type": "string" + "type": "string", + "description": "String to be attached as the tag of the HTTP status." } }, { "consumer_tag": { - "description": "String to be attached as tag of the consumer.", "default": "consumer", - "type": "string" + "type": "string", + "description": "String to be attached as tag of the consumer." } }, { @@ -110,12 +121,13 @@ { "queue": { "required": true, + "type": "record", "fields": [ { "max_batch_size": { + "default": 1, "type": "integer", "description": "Maximum number of entries that can be processed at a time.", - "default": 1, "between": [ 1, 1000000 @@ -124,9 +136,9 @@ }, { "max_coalescing_delay": { + "default": 1, "type": "number", "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "default": 1, "between": [ 0, 3600 @@ -135,9 +147,9 @@ }, { "max_entries": { + "default": 10000, "type": "integer", "description": "Maximum number of entries that can be waiting on the queue.", - "default": 10000, "between": [ 1, 1000000 @@ -146,22 +158,22 @@ }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { - "type": "number", "default": 60, + "type": "number", "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { + "default": 0.01, "type": "number", "description": "Time in seconds before the initial retry is made for a failing batch.", - "default": 0.01, "between": [ 0.001, 1000000 
@@ -170,28 +182,44 @@ }, { "max_retry_delay": { + "default": 60, "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ], - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff." + ] } } - ], - "type": "record" + ] } }, { "metrics": { - "required": true, "elements": { + "entity_checks": [ + { + "conditional": { + "then_field": "sample_rate", + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_match": { + "required": true + }, + "if_field": "stat_type" + } + } + ], "type": "record", "fields": [ { "name": { "required": true, + "type": "string", "description": "Datadog metric’s name", "one_of": [ "kong_latency", @@ -200,13 +228,13 @@ "request_size", "response_size", "upstream_latency" - ], - "type": "string" + ] } }, { "stat_type": { "required": true, + "type": "string", "description": "Determines what sort of event the metric represents", "one_of": [ "counter", @@ -216,8 +244,7 @@ "set", "timer", "distribution" - ], - "type": "string" + ] } }, { 
@@ -232,107 +259,80 @@ }, { "sample_rate": { - "type": "number", "between": [ 0, 1 ], + "type": "number", "description": "Sampling rate" } }, { "consumer_identifier": { + "type": "string", + "description": "Authenticated user detail", "one_of": [ "consumer_id", "custom_id", "username" - ], - "type": "string", - "description": "Authenticated user detail" - } - } - ], - "entity_checks": [ - { - "conditional": { - "then_field": "sample_rate", - "if_field": "stat_type", - "then_match": { - "required": true - }, - "if_match": { - "one_of": [ - "counter", - "gauge" - ] - } + ] } } ] }, "type": "array", + "description": "List of metrics to be logged.", + "required": true, "default": [ { + "sample_rate": 1, + "stat_type": "counter", + "name": "request_count", + "consumer_identifier": "custom_id", "tags": [ "app:kong" - ], - "consumer_identifier": "custom_id", - "name": "request_count", - "sample_rate": 1, - "stat_type": "counter" + ] }, { "name": "latency", + "consumer_identifier": "custom_id", + "stat_type": "timer", "tags": [ "app:kong" - ], - "consumer_identifier": "custom_id", - "stat_type": "timer" + ] }, { "name": "request_size", + "consumer_identifier": "custom_id", + "stat_type": "timer", "tags": [ "app:kong" - ], - "consumer_identifier": "custom_id", - "stat_type": "timer" + ] }, { "name": "response_size", + "consumer_identifier": "custom_id", + "stat_type": "timer", "tags": [ "app:kong" - ], - "consumer_identifier": "custom_id", - "stat_type": "timer" + ] }, { "name": "upstream_latency", + "consumer_identifier": "custom_id", + "stat_type": "timer", "tags": [ "app:kong" - ], - "consumer_identifier": "custom_id", - "stat_type": "timer" + ] }, { "name": "kong_latency", + "consumer_identifier": "custom_id", + "stat_type": "timer", "tags": [ "app:kong" - ], - "consumer_identifier": "custom_id", - "stat_type": "timer" + ] } - ], - "description": "List of metrics to be logged." 
- } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "retry_count", - "queue_size", - "flush_timeout" ] } } diff --git a/schemas/degraphql/3.5.x.json b/schemas/degraphql/3.5.x.json index feeb1582..88b03f5f 100644 --- a/schemas/degraphql/3.5.x.json +++ b/schemas/degraphql/3.5.x.json 
@@ -2,63 +2,63 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "graphql_server_path": { - "required": true, + "starts_with": "/", + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "default": "/graphql", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "default": "/graphql", - "type": "string" + "required": true } } - ], - "type": "record" + ] } } ], diff --git a/schemas/exit-transformer/3.5.x.json b/schemas/exit-transformer/3.5.x.json index ce275844..271b24b3 100644 --- a/schemas/exit-transformer/3.5.x.json +++ b/schemas/exit-transformer/3.5.x.json 
@@ -2,63 +2,63 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "functions": { "required": true, + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "handle_unknown": { - "type": "boolean", "default": false, + "type": "boolean", "description": "Determines whether to handle unknown status codes by transforming their responses." } }, { "handle_unexpected": { - "type": "boolean", "default": false, + "type": "boolean", "description": "Determines whether to handle unexpected errors by transforming their responses." } } - ], - "type": "record" + ] } } ], diff --git a/schemas/file-log/3.5.x.json b/schemas/file-log/3.5.x.json index 3389196f..9e4401a6 100644 --- a/schemas/file-log/3.5.x.json +++ b/schemas/file-log/3.5.x.json @@ -2,7 +2,6 @@ "fields": [ { "protocols": { - "required": true, "elements": { "one_of": [ "grpc", 
@@ -16,64 +15,65 @@ "ws", "wss" ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string" }, "type": "set", + "description": "A set of strings representing protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "path": { + "type": "string", + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", "required": true, "err": "not a valid filename", - "match": "^[^*&%%\\`]+$", - "type": "string", - "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet." + "match": "^[^*&%%\\`]+$" } }, { "reopen": { "required": true, "type": "boolean", - "default": false, - "description": "Determines whether the log file is closed and reopened on every request." + "description": "Determines whether the log file is closed and reopened on every request.", + "default": false } }, { "custom_fields_by_lua": { - "type": "map", - "keys": { - "type": "string", - "len_min": 1 - }, "values": { "len_min": 1, "type": "string" }, - "description": "Lua code as a key-value map" + "type": "map", + "description": "Lua code as a key-value map", + "keys": { + "len_min": 1, + "type": "string" + } } } - ], - "type": "record" + ] } } ], diff --git a/schemas/forward-proxy/3.5.x.json b/schemas/forward-proxy/3.5.x.json index 8573ec7a..d3080f7f 100644 
--- a/schemas/forward-proxy/3.5.x.json +++ b/schemas/forward-proxy/3.5.x.json @@ -2,37 +2,36 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { - "required": true, "shorthand_fields": [ { "proxy_host": { @@ -45,50 +44,25 @@ } } ], - "entity_checks": [ - { - "at_least_one_of": [ - "http_proxy_host", - "https_proxy_host" - ] - }, - { - "at_least_one_of": [ - "http_proxy_port", - "https_proxy_port" - ] - }, - { - "mutually_required": [ - "http_proxy_host", - "http_proxy_port" - ] - }, - { - "mutually_required": [ - "https_proxy_host", - "https_proxy_port" - ] - } - ], + "type": "record", "fields": [ { "x_headers": { + "type": "string", + "description": "Determines how to handle headers when forwarding the request.", + "default": "append", "required": true, "one_of": [ "append", "transparent", "delete" - ], - "type": "string", - "default": "append", - "description": "Determines how to handle headers when forwarding the request." + ] } }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { 
@@ -97,14 +71,14 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { 
@@ -113,47 +87,73 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "proxy_scheme": { + "type": "string", + "description": "The proxy scheme to use when connecting. Only `http` is supported.", + "default": "http", "required": true, "one_of": [ "http" - ], - "type": "string", - "default": "http", - "description": "The proxy scheme to use when connecting. Only `http` is supported." + ] } }, { "auth_username": { "required": false, + "type": "string", "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", - "referenceable": true, - "type": "string" + "referenceable": true } }, { "auth_password": { "required": false, + "type": "string", "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", - "referenceable": true, - "type": "string" + "referenceable": true } }, { "https_verify": { "required": true, + "type": "boolean", "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", - "default": false, - "type": "boolean" + "default": false } } ], - "type": "record" + "required": true, + "entity_checks": [ + { + "at_least_one_of": [ + "http_proxy_host", + "https_proxy_host" + ] + }, + { + "at_least_one_of": [ + "http_proxy_port", + "https_proxy_port" + ] + }, + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ] } } ], diff --git a/schemas/graphql-proxy-cache-advanced/3.5.x.json b/schemas/graphql-proxy-cache-advanced/3.5.x.json index 05969c29..20acb40a 100644 --- a/schemas/graphql-proxy-cache-advanced/3.5.x.json +++ b/schemas/graphql-proxy-cache-advanced/3.5.x.json 
@@ -2,71 +2,72 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "strategy": { + "type": "string", + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", "required": true, + "default": "memory", "one_of": [ "memory" - ], - "type": "string", - "default": "memory", - "description": "The backing data store in which to hold cached entities. Accepted value is `memory`." + ] } }, { "cache_ttl": { - "gt": 0, - "type": "integer", "default": 300, - "description": "TTL in seconds of cache entities. Must be a value greater than 0." + "type": "integer", + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "gt": 0 } }, { "memory": { "required": true, + "type": "record", "fields": [ { "dictionary_name": { "required": true, "type": "string", - "default": "kong_db_cache", - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template." + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. 
This dictionary currently must be defined manually in the Kong Nginx template.", + "default": "kong_db_cache" } } - ], - "type": "record" + ] } }, { @@ -74,12 +75,11 @@ "elements": { "type": "string" }, - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", - "type": "array" + "type": "array", + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." } } - ], - "type": "record" + ] } } ], diff --git a/schemas/graphql-rate-limiting-advanced/3.5.x.json b/schemas/graphql-rate-limiting-advanced/3.5.x.json index b4fd1b52..62be0d4c 100644 --- a/schemas/graphql-rate-limiting-advanced/3.5.x.json +++ b/schemas/graphql-rate-limiting-advanced/3.5.x.json 
@@ -2,160 +2,219 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "identifier": { + "type": "string", + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", "required": true, + "default": "consumer", "one_of": [ "ip", "credential", "consumer" - ], - "type": "string", - "default": "consumer", - "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`." + ] } }, { "window_size": { "required": true, + "type": "array", "description": "One or more window sizes to apply a limit to (defined in seconds).", "elements": { "type": "number" - }, - "type": "array" + } } }, { "window_type": { + "default": "sliding", + "type": "string", + "description": "Sets the time window to either `sliding` or `fixed`.", "one_of": [ "fixed", "sliding" - ], - "description": "Sets the time window to either `sliding` or `fixed`.", - "default": "sliding", - "type": "string" + ] } }, { "limit": { "required": true, + "type": "array", "description": "One or more requests-per-window limits to apply.", "elements": { "type": "number" - }, - "type": "array" + } } }, { "sync_rate": { "required": true, - "description": "How often to sync counter data to the central data store. 
A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.", - "type": "number" + "type": "number", + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds." } }, { "namespace": { - "description": "The rate limiting library namespace to use for this plugin instance. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", + "type": "string", "auto": true, - "type": "string" + "description": "The rate limiting library namespace to use for this plugin instance. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same." } }, { "strategy": { + "type": "string", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", "required": true, + "default": "cluster", "one_of": [ "cluster", "redis" - ], - "type": "string", - "default": "cluster", - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits." + ] } }, { "dictionary_name": { "required": true, + "type": "string", "description": "The shared dictionary where counters will be stored until the next sync cycle.", - "default": "kong_rate_limiting_counters", - "type": "string" + "default": "kong_rate_limiting_counters" } }, { "hide_client_headers": { - "description": "Optionally hide informative response headers. 
Available options: `true` or `false`.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Optionally hide informative response headers. Available options: `true` or `false`." } }, { "cost_strategy": { + "default": "default", + "type": "string", + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", "one_of": [ "default", "node_quantifier" - ], - "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", - "default": "default", - "type": "string" + ] } }, { "score_factor": { - "required": false, + "type": "number", "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", + "required": false, "gt": 0, - "default": 1, - "type": "number" + "default": 1 } }, { "max_cost": { "required": false, + "type": "number", "description": "A defined maximum cost per query. 0 means unlimited.", - "default": 0, - "type": "number" + "default": 0 } }, { "redis": { "required": true, "type": "record", + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_addresses" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ], "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." 
+ "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { @@ -164,19 +223,19 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "timeout": { + "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "default": 2000, - "type": "integer" + ] } }, { @@ -185,8 +244,8 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -195,8 +254,8 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { 
@@ -205,191 +264,132 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { "referenceable": true, - "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "type": "string" } }, { "password": { "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "type": "string" } }, { "sentinel_username": { "referenceable": true, - "type": "string", - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" } }, { "sentinel_password": { "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "referenceable": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", "type": "string" } }, { "database": { - "type": "integer", "default": 0, + "type": "integer", "description": "Database to use for the Redis connection when using the `redis` strategy" } }, { "keepalive_pool_size": { + "default": 256, "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 - ], - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + ] } }, { "keepalive_backlog": { - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 ], - "type": "integer" + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string" + ] } }, { "sentinel_addresses": { + "len_min": 1, + "type": "array", + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" - }, - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", - "type": "array", - "len_min": 1 + } } }, { "cluster_addresses": { + "len_min": 1, + "type": "array", + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. 
The minimum length of the array is 1 element.", "elements": { "type": "string" - }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", - "type": "array", - "len_min": 1 + } } }, { "ssl": { "required": false, "type": "boolean", - "default": false, - "description": "If set to true, uses SSL to connect to Redis." + "description": "If set to true, uses SSL to connect to Redis.", + "default": false } }, { "ssl_verify": { "required": false, "type": "boolean", - "default": false, - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false } }, { "server_name": { "required": false, - "description": "A string representing an SNI (server name indication) value for TLS.", - "type": "string" - } - } - ], - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ], - "set2": [ - "host", - "port" - ] - } - }, - { - "mutually_exclusive_sets": { - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ], - "set2": [ - "cluster_addresses" - ] - } - }, - { - "mutually_exclusive_sets": { - "set1": [ - "cluster_addresses" - ], - "set2": [ - "host", - "port" - ] + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS." } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] } ] } } - ], - "type": "record" + ] } } ], diff --git a/schemas/grpc-gateway/3.5.x.json b/schemas/grpc-gateway/3.5.x.json index 7a47949c..fbf66260 100644 --- a/schemas/grpc-gateway/3.5.x.json +++ b/schemas/grpc-gateway/3.5.x.json @@ -2,7 +2,6 @@ "fields": [ { "protocols": { - "required": true, "elements": { "one_of": [ "grpc", 
@@ -16,40 +15,41 @@ "ws", "wss" ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string" }, "type": "set", + "description": "A set of strings representing protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "proto": { "required": false, - "description": "Describes the gRPC types and methods.", - "type": "string" + "type": "string", + "description": "Describes the gRPC types and methods." } } - ], - "type": "record" + ] } } ], diff --git a/schemas/grpc-web/3.5.x.json b/schemas/grpc-web/3.5.x.json index f2a2fde1..684868ca 100644 --- a/schemas/grpc-web/3.5.x.json +++ b/schemas/grpc-web/3.5.x.json @@ -2,7 +2,6 @@ "fields": [ { "protocols": { - "required": true, "elements": { "one_of": [ "grpc", 
@@ -16,55 +15,56 @@ "ws", "wss" ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string" }, "type": "set", + "description": "A set of strings representing protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "proto": { "required": false, - "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", - "type": "string" + "type": "string", + "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content." } }, { "pass_stripped_path": { "required": false, - "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", - "type": "boolean" + "type": "boolean", + "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service." } }, { "allow_origin_header": { - "required": false, - "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", "default": "*", - "type": "string" + "type": "string", + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", + "required": false } } - ], - "type": "record" + ] } } ], 
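Review bot: The description added for `allow_origin_header` does not mention that the default `*` sends a permissive `Access-Control-Allow-Origin` to every origin, which an operator needs to know before exposing a gRPC-Web route to browsers. I would append a sentence such as `The default value * allows any origin; set an explicit origin to restrict browser access.` The `proto` description in the same hunk still reads `application/grpw-web+proto`, presumably meant to be `application/grpc-web+proto`. The commit message says these files are pulled from the API, so both fixes probably belong in the upstream schema rather than in this file.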
diff --git a/schemas/hmac-auth/3.5.x.json b/schemas/hmac-auth/3.5.x.json index 6b792e49..70014e9b 100644 --- a/schemas/hmac-auth/3.5.x.json +++ b/schemas/hmac-auth/3.5.x.json @@ -2,26 +2,16 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "protocols": { "required": true, - "elements": { - "one_of": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], - "type": "string" - }, + "type": "set", "default": [ "grpc", "grpcs", @@ -30,35 +20,46 @@ "ws", "wss" ], - "type": "set" + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "hide_credentials": { - "required": true, - "type": "boolean", "default": false, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service." + "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "required": true } }, { "clock_skew": { - "gt": 0, - "type": "number", "default": 300, - "description": "Clock skew in seconds to prevent replay attacks." + "gt": 0, + "description": "Clock skew in seconds to prevent replay attacks.", + "type": "number" } }, { 
@@ -69,10 +70,10 @@ }, { "validate_request_body": { - "required": true, - "type": "boolean", "default": false, - "description": "A boolean value telling the plugin to enable body validation." + "type": "boolean", + "description": "A boolean value telling the plugin to enable body validation.", + "required": true } }, { @@ -80,36 +81,35 @@ "elements": { "type": "string" }, + "type": "array", "description": "A list of headers that the client should at least use for HTTP signature creation.", "default": [ - ], - "type": "array" + ] } }, { "algorithms": { "elements": { + "type": "string", "one_of": [ "hmac-sha1", "hmac-sha256", "hmac-sha384", "hmac-sha512" - ], - "type": "string" + ] }, + "type": "array", "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", "default": [ "hmac-sha1", "hmac-sha256", "hmac-sha384", "hmac-sha512" - ], - "type": "array" + ] } } - ], - "type": "record" + ] } } ], diff --git a/schemas/http-log/3.5.x.json b/schemas/http-log/3.5.x.json index c1684a24..da896d6f 100644 --- a/schemas/http-log/3.5.x.json +++ b/schemas/http-log/3.5.x.json @@ -2,7 +2,6 @@ "fields": [ { "protocols": { - "required": true, "elements": { "one_of": [ "grpc", 
@@ -16,76 +15,88 @@ "ws", "wss" ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string" }, "type": "set", + "description": "A set of strings representing protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "retry_count", + "queue_size", + "flush_timeout" + ] + } + } + ], "type": "record", "fields": [ { "http_endpoint": { - "required": true, "referenceable": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "encrypted": true, - "type": "string" + "type": "string", + "required": true } }, { "method": { + "default": "POST", + "type": "string", + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", "one_of": [ "POST", "PUT", "PATCH" - ], - "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", - "default": "POST", - "type": "string" + ] } }, { "content_type": { + "default": "application/json", + "type": "string", + "description": "Indicates the type of data sent. The only available option is `application/json`.", "one_of": [ "application/json", "application/json; charset=utf-8" - ], - "description": "Indicates the type of data sent. 
The only available option is `application/json`.", - "default": "application/json", - "type": "string" + ] } }, { "timeout": { - "description": "An optional timeout in milliseconds when sending data to the upstream server.", "default": 10000, - "type": "number" + "type": "number", + "description": "An optional timeout in milliseconds when sending data to the upstream server." } }, { "keepalive": { - "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", "default": 60000, - "type": "number" + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed." } }, { @@ -108,8 +119,15 @@ }, { "headers": { + "values": { + "referenceable": true, + "type": "string" + }, "type": "map", + "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", "keys": { + "type": "string", + "description": "A string representing an HTTP header name.", "match_none": [ { "pattern": "^[Hh][Oo][Ss][Tt]$", @@ -123,26 +141,20 @@ "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$", "err": "cannot contain 'Content-Type' header" } - ], - "description": "A string representing an HTTP header name.", - "type": "string" - }, - "values": { - "referenceable": true, - "type": "string" - }, - "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string." + ] + } } }, { "queue": { "required": true, + "type": "record", "fields": [ { "max_batch_size": { + "default": 1, "type": "integer", "description": "Maximum number of entries that can be processed at a time.", - "default": 1, "between": [ 1, 1000000 
@@ -151,9 +163,9 @@ }, { "max_coalescing_delay": { + "default": 1, "type": "number", "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "default": 1, "between": [ 0, 3600 @@ -162,9 +174,9 @@ }, { "max_entries": { + "default": 10000, "type": "integer", "description": "Maximum number of entries that can be waiting on the queue.", - "default": 10000, "between": [ 1, 1000000 @@ -173,22 +185,22 @@ }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { - "type": "number", "default": 60, + "type": "number", "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { + "default": 0.01, "type": "number", "description": "Time in seconds before the initial retry is made for a failing batch.", - "default": 0.01, "between": [ 0.001, 1000000 @@ -197,42 +209,30 @@ }, { "max_retry_delay": { + "default": 60, "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ], - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff." + ] } } - ], - "type": "record" + ] } }, { "custom_fields_by_lua": { - "type": "map", - "keys": { - "type": "string", - "len_min": 1 - }, "values": { "len_min": 1, "type": "string" }, - "description": "Lua code as a key-value map" - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "retry_count", - "queue_size", - "flush_timeout" - ] + "type": "map", + "description": "Lua code as a key-value map", + "keys": { + "len_min": 1, + "type": "string" + } } } ] 
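Review bot: The description for `custom_fields_by_lua` in the last hunk on this line, `Lua code as a key-value map`, does not say what the keys and values are or that the values are code the plugin runs. Judging by the field name, each key is a log field and each value a Lua chunk evaluated by the gateway; if so, write access to this plugin's configuration amounts to running code in the gateway, which is worth confirming against the plugin source. Wording such as `A map of log field names to Lua code; each value is executed and its return value sets the field.` would make that explicit. As the file is downloaded from the API, the text likely has to change upstream.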
diff --git a/schemas/ip-restriction/3.5.x.json b/schemas/ip-restriction/3.5.x.json index 14e0c7d4..ca61af68 100644 --- a/schemas/ip-restriction/3.5.x.json +++ b/schemas/ip-restriction/3.5.x.json @@ -2,7 +2,6 @@ "fields": [ { "protocols": { - "required": true, "elements": { "one_of": [ "grpc", @@ -16,9 +15,10 @@ "ws", "wss" ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string" }, + "type": "set", "description": "A set of strings representing protocols.", "default": [ "http", @@ -28,26 +28,27 @@ "grpc", "grpcs" ], - "type": "set" + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "allow": { "elements": { - "type": "string", - "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "type": "string" }, "type": "array", "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified." @@ -56,8 +57,8 @@ { "deny": { "elements": { - "type": "string", - "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "type": "string" }, "type": "array", "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified." 
@@ -66,19 +67,18 @@ { "status": { "required": false, - "description": "The HTTP status of the requests that will be rejected by the plugin.", - "type": "number" + "type": "number", + "description": "The HTTP status of the requests that will be rejected by the plugin." } }, { "message": { "required": false, - "description": "The message to send as a response body to rejected requests.", - "type": "string" + "type": "string", + "description": "The message to send as a response body to rejected requests." } } - ], - "type": "record" + ] } } ], diff --git a/schemas/jq/3.5.x.json b/schemas/jq/3.5.x.json index 8940de16..559e162e 100644 --- a/schemas/jq/3.5.x.json +++ b/schemas/jq/3.5.x.json @@ -2,38 +2,46 @@ "fields": [ { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { "required": true, "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "request_jq_program", + "response_jq_program" + ] + } + ], "fields": [ { "request_jq_program": { @@ -44,6 +52,7 @@ { "request_jq_program_options": { "required": false, + "type": "record", "default": [ ], 
@@ -51,52 +60,51 @@ { "compact_output": { "required": true, - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "raw_output": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "join_output": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "ascii_output": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "sort_keys": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } } - ], - "type": "record" + ] } }, { "request_if_media_type": { "required": false, + "type": "array", "elements": { "type": "string" }, "default": [ "application/json" - ], - "type": "array" + ] } }, { @@ -108,6 +116,7 @@ { "response_jq_program_options": { "required": false, + "type": "record", "default": [ ], 
@@ -115,78 +124,69 @@ { "compact_output": { "required": true, - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "raw_output": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "join_output": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "ascii_output": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "sort_keys": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } } - ], - "type": "record" + ] } }, { "response_if_media_type": { "required": false, + "type": "array", "elements": { "type": "string" }, "default": [ "application/json" - ], - "type": "array" + ] } }, { "response_if_status_code": { "required": false, + "type": "array", "elements": { - "type": "integer", "between": [ 100, 599 - ] + ], + "type": "integer" }, "default": [ 200 - ], - "type": "array" + ] } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "request_jq_program", - "response_jq_program" - ] - } ] } } diff --git a/schemas/jwe-decrypt/3.5.x.json b/schemas/jwe-decrypt/3.5.x.json index 8e4639bc..1992c265 100644 --- a/schemas/jwe-decrypt/3.5.x.json +++ b/schemas/jwe-decrypt/3.5.x.json 
@@ -2,81 +2,81 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "config": { "required": true, + "type": "record", "fields": [ { "lookup_header_name": { - "required": true, - "description": "The name of the header to look for the JWE token.", "default": "Authorization", - "type": "string" + "type": "string", + "description": "The name of the header to look for the JWE token.", + "required": true } }, { "forward_header_name": { - "required": true, - "description": "The name of the header that is used to set the decrypted value.", "default": "Authorization", - "type": "string" + "type": "string", + "description": "The name of the header that is used to set the decrypted value.", + "required": true } }, { "key_sets": { "required": true, + "type": "array", "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "strict": { - "description": "Defines how the plugin behaves in cases where no token was found in the request. 
When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", "default": true, - "type": "boolean" + "type": "boolean", + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found." } } - ], - "type": "record" + ] } } ], diff --git a/schemas/jwt-signer/3.5.x.json b/schemas/jwt-signer/3.5.x.json index 9c314e05..3c935d36 100644 --- a/schemas/jwt-signer/3.5.x.json +++ b/schemas/jwt-signer/3.5.x.json @@ -2,45 +2,46 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "realm": { 
@@ -52,131 +53,131 @@ { "enable_hs_signatures": { "required": false, + "type": "boolean", "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting.", - "default": false, - "type": "boolean" + "default": false } }, { "enable_instrumentation": { "required": false, + "type": "boolean", "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", - "default": false, - "type": "boolean" + "default": false } }, { "access_token_issuer": { "required": false, + "type": "string", "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", - "default": "kong", - "type": "string" + "default": "kong" } }, { "access_token_keyset": { "required": false, + "type": "string", "description": "The name of the keyset containing signing keys.", - "default": "kong", - "type": "string" + "default": "kong" } }, { "access_token_jwks_uri": { "required": false, - "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", - "type": "string" + "type": "string", + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token." } }, { "access_token_request_header": { "required": false, + "type": "string", "description": "This parameter tells the name of the header where to look for the access token.", - "default": "Authorization", - "type": "string" + "default": "Authorization" } }, { "access_token_leeway": { "required": false, + "type": "number", "description": "Adjusts clock skew between the token issuer and Kong. 
The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", - "default": 0, - "type": "number" + "default": 0 } }, { "access_token_scopes_required": { "required": false, + "type": "array", "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "access_token_scopes_claim": { - "required": false, "elements": { "type": "string" }, "type": "array", + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", + "required": false, "default": [ "scope" - ], - "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`." + ] } }, { "access_token_consumer_claim": { "required": false, + "type": "array", "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "access_token_consumer_by": { - "required": false, "elements": { + "type": "string", "one_of": [ "id", "username", "custom_id" - ], - "type": "string" + ] }, "type": "array", + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. 
Valid values are `id`, `username`, and `custom_id`.", + "required": false, "default": [ "username", "custom_id" - ], - "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`." + ] } }, { "access_token_upstream_header": { "required": false, + "type": "string", "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", - "default": "Authorization:Bearer", - "type": "string" + "default": "Authorization:Bearer" } }, { "access_token_upstream_leeway": { "required": false, + "type": "number", "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", - "default": 0, - "type": "number" + "default": 0 } }, { "access_token_introspection_endpoint": { "required": false, - "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", - "type": "string" + "type": "string", + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter." } }, { 
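Review bot: The description added for `access_token_consumer_by` still reads `an array of alues`, which should be `an array of values`. The next hunk (`@@ -196,79 +197,79 @@`) has a similar slip in `access_token_introspection_scopes_claim`, where `hich can be given as` should be `which can be given as`. Both strings are carried over unchanged from the removed lines. The commit message says the files come from the API, so the correction probably has to be made in the upstream schema.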
@@ -196,79 +197,79 @@ { "access_token_introspection_hint": { "required": false, + "type": "string", "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", - "default": "access_token", - "type": "string" + "default": "access_token" } }, { "access_token_introspection_jwt_claim": { "required": false, + "type": "array", "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "access_token_introspection_scopes_required": { "required": false, + "type": "array", "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "access_token_introspection_scopes_claim": { - "required": true, "elements": { "type": "string" }, "type": "array", + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). 
If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", + "required": true, "default": [ "scope" - ], - "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`." + ] } }, { "access_token_introspection_consumer_claim": { "required": false, + "type": "array", "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "access_token_introspection_consumer_by": { - "required": false, "elements": { + "type": "string", "one_of": [ "id", "username", "custom_id" - ], - "type": "string" + ] }, "type": "array", + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.", + "required": false, "default": [ "username", "custom_id" - ], - "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values." 
+ ] } }, { "access_token_introspection_leeway": { "required": false, + "type": "number", "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", - "default": 0, - "type": "number" + "default": 0 } }, { @@ -280,6 +281,9 @@ }, { "access_token_signing_algorithm": { + "type": "string", + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", + "default": "RS256", "required": true, "one_of": [ "HS256", 
@@ -294,105 +298,102 @@ "PS384", "PS512", "EdDSA" - ], - "type": "string", - "default": "RS256", - "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm." + ] } }, { "access_token_optional": { "required": false, + "type": "boolean", "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect", - "default": false, - "type": "boolean" + "default": false } }, { "verify_access_token_signature": { "required": false, + "type": "boolean", "description": "Quickly turn access token signature verification off and on as needed.", - "default": true, - "type": "boolean" + "default": true } }, { "verify_access_token_expiry": { "required": false, + "type": "boolean", "description": "Quickly turn access token expiry verification off and on as needed.", - "default": true, - "type": "boolean" + "default": true } }, { "verify_access_token_scopes": { "required": false, + "type": "boolean", "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", - "default": true, - "type": "boolean" + "default": true } }, { "verify_access_token_introspection_expiry": { "required": false, + "type": "boolean", "description": "Quickly turn access token introspection expiry verification off and on as needed.", - 
"default": true, - "type": "boolean" + "default": true } }, { "verify_access_token_introspection_scopes": { "required": false, + "type": "boolean", "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", - "default": true, - "type": "boolean" + "default": true } }, { "cache_access_token_introspection": { "required": false, + "type": "boolean", "description": "Whether to cache access token introspection results.", - "default": true, - "type": "boolean" + "default": true } }, { "trust_access_token_introspection": { "required": false, + "type": "boolean", "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", - "default": true, - "type": "boolean" + "default": true } }, { "enable_access_token_introspection": { "required": false, + "type": "boolean", "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", - "default": true, - "type": "boolean" + "default": true } }, { "channel_token_issuer": { "required": false, + "type": "string", "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. 
The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", - "default": "kong", - "type": "string" + "default": "kong" } }, { "channel_token_keyset": { "required": false, + "type": "string", "description": "The name of the keyset containing signing keys.", - "default": "kong", - "type": "string" + "default": "kong" } }, { "channel_token_jwks_uri": { "required": false, - "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", - "type": "string" + "type": "string", + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`." } }, { 
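Review bot: In the hunk at `@@ -294,105 +298,102 @@`, the description of `trust_access_token_introspection` does not say that the shipped default (`true`) is the setting under which the payload's expiry and scopes are not checked. A reader has to combine the `default` value with the last sentence to see that these checks are off unless configured. I would append a sentence to the description such as `With the default of true these payload checks are skipped; set it to false to re-check expiry and scopes before signing.` Because the file is pulled from the API, the wording has to change in the plugin schema it comes from.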
@@ -405,60 +406,60 @@ { "channel_token_leeway": { "required": false, + "type": "number", "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", - "default": 0, - "type": "number" + "default": 0 } }, { "channel_token_scopes_required": { "required": false, + "type": "array", "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "channel_token_scopes_claim": { - "required": false, "elements": { "type": "string" }, "type": "array", + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", + "required": false, "default": [ "scope" - ], - "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims." + ] } }, { "channel_token_consumer_claim": { "required": false, + "type": "array", "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. 
If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "channel_token_consumer_by": { "elements": { + "type": "string", "one_of": [ "id", "username", "custom_id" - ], - "type": "string" + ] }, "type": "array", + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", "default": [ "username", "custom_id" - ], - "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`." + ] } }, { 
@@ -471,116 +472,116 @@ { "channel_token_upstream_leeway": { "required": false, + "type": "number", "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", - "default": 0, - "type": "number" + "default": 0 } }, { "channel_token_introspection_endpoint": { "required": false, - "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", - "type": "string" + "type": "string", + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead." } }, { "channel_token_introspection_authorization": { "required": false, + "type": "string", "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", "elements": { "type": "string" - }, - "type": "string" + } } }, { "channel_token_introspection_body_args": { "required": false, + "type": "string", "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. 
For example: `resource=` or `a=1&b=&c`.", "elements": { "type": "string" - }, - "type": "string" + } } }, { "channel_token_introspection_hint": { "required": false, + "type": "string", "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", "elements": { "type": "string" - }, - "type": "string" + } } }, { "channel_token_introspection_jwt_claim": { "required": false, + "type": "array", "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "channel_token_introspection_scopes_required": { "required": false, + "type": "array", "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "channel_token_introspection_scopes_claim": { - "required": false, "elements": { "type": "string" }, "type": "array", + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", + "required": false, "default": [ "scope" - ], - "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims." 
+ ] } }, { "channel_token_introspection_consumer_claim": { "required": false, + "type": "array", "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", "elements": { "type": "string" - }, - "type": "array" + } } }, { "channel_token_introspection_consumer_by": { - "required": false, "elements": { + "type": "string", "one_of": [ "id", "username", "custom_id" - ], - "type": "string" + ] }, "type": "array", + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", + "required": false, "default": [ "username", "custom_id" - ], - "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`." + ] } }, { "channel_token_introspection_leeway": { "required": false, + "type": "number", "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", - "default": 0, - "type": "number" + "default": 0 } }, { 
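Review bot: In the hunk at `@@ -471,116 +472,116 @@`, `channel_token_introspection_authorization` carries the text of the introspection endpoint field ("you need to specify the OAuth 2.0 introspection endpoint URI"), so the schema never says what this field holds. Judging by the name it is a credential sent to the introspection endpoint, which would make it a candidate for the `encrypted` and `referenceable` flags that the Kafka `user` and `password` fields in this patch carry; neither flag is visible here, so this should be confirmed upstream. A description along the lines of `The value of the Authorization header sent to the introspection endpoint when the plugin introspects an opaque channel token.` would fit. This field, `channel_token_introspection_body_args` and `channel_token_introspection_hint` also declare `"type": "string"` together with an `elements` block, which elsewhere in this file appears only on `array` and `set` fields.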
@@ -592,6 +593,9 @@ }, { "channel_token_signing_algorithm": { + "type": "string", + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", + "default": "RS256", "required": true, "one_of": [ "HS256", 
@@ -606,117 +610,113 @@ "PS384", "PS512", "EdDSA" - ], - "type": "string", - "default": "RS256", - "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token." + ] } }, { "channel_token_optional": { "required": false, + "type": "boolean", "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", - "default": false, - "type": "boolean" + "default": false } }, { "verify_channel_token_signature": { "required": false, + "type": "boolean", "description": "Quickly turn on/off the channel token signature verification.", - "default": true, - "type": "boolean" + "default": true } }, { "verify_channel_token_expiry": { "required": false, - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "verify_channel_token_scopes": { "required": false, + "type": "boolean", "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", - "default": true, - "type": "boolean" + "default": true } }, { "verify_channel_token_introspection_expiry": { "required": false, + "type": "boolean", "description": "Quickly turn on/off the channel token introspection expiry verification.", - "default": true, - "type": "boolean" + "default": true } }, { "verify_channel_token_introspection_scopes": { "required": false, + "type": "boolean", "description": "Quickly turn on/off the channel token introspection scopes 
verification specified with `config.channel_token_introspection_scopes_required`.", - "default": true, - "type": "boolean" + "default": true } }, { "cache_channel_token_introspection": { "required": false, + "type": "boolean", "description": "Whether to cache channel token introspection results.", - "default": true, - "type": "boolean" + "default": true } }, { "trust_channel_token_introspection": { "required": false, + "type": "boolean", "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", - "default": true, - "type": "boolean" + "default": true } }, { "enable_channel_token_introspection": { "required": false, + "type": "boolean", "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", - "default": true, - "type": "boolean" + "default": true } }, { "add_claims": { - "required": false, + "type": "map", + "description": "Add customized claims if they are not present yet.", "keys": { "type": "string" }, - "type": "map", + "required": false, "values": { "type": "string" }, "default": [ - ], - "description": "Add customized claims if they are not present yet." + ] } }, { "set_claims": { - "required": false, + "type": "map", + "description": "Set customized claims. If a claim is already present, it will be overwritten.", "keys": { "type": "string" }, - "type": "map", + "required": false, "values": { "type": "string" }, "default": [ - ], - "description": "Set customized claims. If a claim is already present, it will be overwritten." 
+ ] } } - ], - "type": "record" + ] } } ], diff --git a/schemas/jwt/3.5.x.json b/schemas/jwt/3.5.x.json index 099742ba..577219e4 100644 --- a/schemas/jwt/3.5.x.json +++ b/schemas/jwt/3.5.x.json @@ -2,56 +2,57 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "uri_param_names": { "elements": { "type": "string" }, + "type": "set", "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", "default": [ "jwt" - ], - "type": "set" + ] } }, { @@ -59,17 +60,17 @@ "elements": { "type": "string" }, + "type": "set", "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", "default": [ - ], - "type": "set" + ] } }, { "key_claim_name": { - "type": "string", "default": "iss", + "type": "string", "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order." } }, 
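Review bot: In the JWT Signer hunk at `@@ -606,117 +610,113 @@`, `verify_channel_token_expiry` is the only `verify_*` toggle left without a `description`, although it switches an expiry check off. I would add `"description": "Quickly turn on/off the channel token expiry verification."` to match its siblings. In the same hunk `add_claims` and `set_claims` are declared as `"type": "map"` but keep an empty array (`[ ]`) as `default`. If that is an artefact of how the API serialises an empty table, consumers of this file need to treat it as an empty map.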
@@ -77,46 +78,46 @@ "secret_is_base64": { "required": true, "type": "boolean", - "default": false, - "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret." + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", + "default": false } }, { "claims_to_verify": { "elements": { + "type": "string", "one_of": [ "exp", "nbf" - ], - "type": "string" + ] }, - "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", - "type": "set" + "type": "set", + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf." } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" } }, { "run_on_preflight": { "required": true, "type": "boolean", - "default": true, - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed." + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. 
If set to false, then OPTIONS requests will always be allowed.", + "default": true } }, { "maximum_expiration": { + "default": 0, "type": "number", + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", "between": [ 0, 31536000 - ], - "default": 0, - "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future." + ] } }, { @@ -124,15 +125,14 @@ "elements": { "type": "string" }, + "type": "set", "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", "default": [ "authorization" - ], - "type": "set" + ] } } - ], - "type": "record" + ] } } ], @@ -140,13 +140,13 @@ { "conditional": { "then_field": "config.claims_to_verify", - "if_field": "config.maximum_expiration", + "if_match": { + "gt": 0 + }, "then_match": { "contains": "exp" }, - "if_match": { - "gt": 0 - } + "if_field": "config.maximum_expiration" } } ] diff --git a/schemas/kafka-log/3.5.x.json b/schemas/kafka-log/3.5.x.json index abdfda84..68ac53b0 100644 --- a/schemas/kafka-log/3.5.x.json +++ b/schemas/kafka-log/3.5.x.json @@ -3,17 +3,7 @@ { "protocols": { "required": true, - "elements": { - "one_of": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], - "type": "string" - }, + "type": "set", "default": [ "grpc", "grpcs", 
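Review bot: In the `schemas/jwt/3.5.x.json` hunk at `@@ -77,46 +78,46 @@`, `claims_to_verify` has no `default`, and its description ("that Kong can verify as well") does not say what happens when the field is left unset. From the schema alone it looks as if neither `exp` nor `nbf` is checked unless listed, which matters because `maximum_expiration` also defaults to 0. Please confirm this and state it in the description, for example `If unset, neither exp nor nbf is verified.` The phrase "one of exp or nbf" also reads as if only one value may be given, while the field is a `set`.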
@@ -22,46 +12,65 @@ "ws", "wss" ], - "type": "set" + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "authentication" + ] + } + } + ], "fields": [ { "bootstrap_servers": { "elements": { + "type": "record", "fields": [ { "host": { "required": true, - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { "required": true, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ] } } - ], - "type": "record" + ] }, "type": "set", "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." @@ -70,15 +79,15 @@ { "topic": { "required": true, - "description": "The Kafka topic to publish to.", - "type": "string" + "type": "string", + "description": "The Kafka topic to publish to." } }, { "timeout": { - "description": "Socket timeout in milliseconds.", "default": 10000, - "type": "integer" + "type": "integer", + "description": "Socket timeout in milliseconds." } }, { 
@@ -96,178 +105,169 @@ { "authentication": { "required": true, + "type": "record", "fields": [ { "strategy": { "required": false, + "type": "string", "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "one_of": [ "sasl" - ], - "type": "string" + ] } }, { "mechanism": { "required": false, + "type": "string", "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" - ], - "type": "string" + ] } }, { "tokenauth": { "required": false, - "description": "Enable this to indicate `DelegationToken` authentication", - "type": "boolean" + "type": "boolean", + "description": "Enable this to indicate `DelegationToken` authentication" } }, { "user": { - "encrypted": true, "referenceable": true, - "type": "string", + "description": "Username for SASL authentication.", "required": false, - "description": "Username for SASL authentication." + "encrypted": true, + "type": "string" } }, { "password": { - "encrypted": true, "referenceable": true, - "type": "string", + "description": "Password for SASL authentication.", "required": false, - "description": "Password for SASL authentication." + "encrypted": true, + "type": "string" } } - ], - "type": "record" + ] } }, { "security": { "required": true, + "type": "record", "fields": [ { "certificate_id": { "required": false, - "uuid": true, + "type": "string", "description": "UUID of certificate entity for mTLS authentication.", - "type": "string" + "uuid": true } }, { "ssl": { "required": false, - "description": "Enables TLS.", - "type": "boolean" + "type": "boolean", + "description": "Enables TLS." } } - ], - "type": "record" + ] } }, { "cluster_name": { "required": false, + "type": "string", "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. 
If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", - "auto": true, - "type": "string" + "auto": true } }, { "producer_request_acks": { + "default": 1, + "type": "integer", + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "one_of": [ -1, 0, 1 - ], - "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", - "default": 1, - "type": "integer" + ] } }, { "producer_request_timeout": { - "description": "Time to wait for a Produce response in milliseconds", "default": 2000, - "type": "integer" + "type": "integer", + "description": "Time to wait for a Produce response in milliseconds" } }, { "producer_request_limits_messages_per_request": { - "description": "Maximum number of messages to include into a single Produce request.", "default": 200, - "type": "integer" + "type": "integer", + "description": "Maximum number of messages to include into a single Produce request." } }, { "producer_request_limits_bytes_per_request": { - "description": "Maximum size of a Produce request in bytes.", "default": 1048576, - "type": "integer" + "type": "integer", + "description": "Maximum size of a Produce request in bytes." } }, { "producer_request_retries_max_attempts": { - "description": "Maximum number of retry attempts per single Produce request.", "default": 10, - "type": "integer" + "type": "integer", + "description": "Maximum number of retry attempts per single Produce request." 
} }, { "producer_request_retries_backoff_timeout": { - "description": "Backoff interval between retry attempts in milliseconds.", "default": 100, - "type": "integer" + "type": "integer", + "description": "Backoff interval between retry attempts in milliseconds." } }, { "producer_async": { - "description": "Flag to enable asynchronous mode.", "default": true, - "type": "boolean" + "type": "boolean", + "description": "Flag to enable asynchronous mode." } }, { "producer_async_flush_timeout": { - "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", "default": 1000, - "type": "integer" + "type": "integer", + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode." } }, { "producer_async_buffering_limits_messages_in_memory": { - "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", "default": 50000, - "type": "integer" + "type": "integer", + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode." } }, { "custom_fields_by_lua": { - "type": "map", - "keys": { - "type": "string", - "len_min": 1 - }, "values": { "len_min": 1, "type": "string" }, - "description": "Lua code as a key-value map" - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "authentication" - ] + "type": "map", + "description": "Lua code as a key-value map", + "keys": { + "len_min": 1, + "type": "string" + } } } ] diff --git a/schemas/kafka-upstream/3.5.x.json b/schemas/kafka-upstream/3.5.x.json index 620fe128..28383b3b 100644 --- a/schemas/kafka-upstream/3.5.x.json +++ b/schemas/kafka-upstream/3.5.x.json 
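Review bot: In `schemas/kafka-log/3.5.x.json` (`@@ -96,178 +105,169 @@`), the `mechanism` description lists only `PLAIN` or `SCRAM-SHA-256` while its `one_of` also accepts `SCRAM-SHA-512`; the kafka-upstream schema in this patch names all three. I would align the text to `Supported options: PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512.` `security.ssl` has no default in this hunk, so the description could also note that with `PLAIN` the password is only protected in transit when `ssl` is enabled. `custom_fields_by_lua` is described only as "Lua code as a key-value map"; if the plugin evaluates these values, as the wording suggests, the description should say so, so that operators restrict who may set the field.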
@@ -2,63 +2,82 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "forward_method", + "forward_uri", + "forward_headers", + "forward_body" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "authentication" + ] + } + } + ], "fields": [ { "bootstrap_servers": { "elements": { + "type": "record", "fields": [ { "host": { "required": true, - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { "required": true, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ] } } - ], - "type": "record" + ] }, "type": "set", "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." 
@@ -67,22 +86,22 @@ { "topic": { "required": true, - "description": "The Kafka topic to publish to.", - "type": "string" + "type": "string", + "description": "The Kafka topic to publish to." } }, { "timeout": { - "description": "Socket timeout in milliseconds.", "default": 10000, - "type": "integer" + "type": "integer", + "description": "Socket timeout in milliseconds." } }, { "keepalive": { - "description": "Keepalive timeout in milliseconds.", "default": 60000, - "type": "integer" + "type": "integer", + "description": "Keepalive timeout in milliseconds." } }, { 
@@ -94,202 +113,183 @@ { "authentication": { "required": true, + "type": "record", "fields": [ { "strategy": { "required": false, + "type": "string", "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "one_of": [ "sasl" - ], - "type": "string" + ] } }, { "mechanism": { "required": false, + "type": "string", "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" - ], - "type": "string" + ] } }, { "tokenauth": { "required": false, - "description": "Enable this to indicate `DelegationToken` authentication.", - "type": "boolean" + "type": "boolean", + "description": "Enable this to indicate `DelegationToken` authentication." } }, { "user": { - "required": false, "referenceable": true, "description": "Username for SASL authentication.", "encrypted": true, - "type": "string" + "type": "string", + "required": false } }, { "password": { - "required": false, "referenceable": true, "description": "Password for SASL authentication.", "encrypted": true, - "type": "string" + "type": "string", + "required": false } } - ], - "type": "record" + ] } }, { "security": { "required": true, + "type": "record", "fields": [ { "certificate_id": { - "required": false, "uuid": true, + "type": "string", "description": "UUID of certificate entity for mTLS authentication.", - "type": "string" + "required": false } }, { "ssl": { "required": false, - "description": "Enables TLS.", - "type": "boolean" + "type": "boolean", + "description": "Enables TLS." } } - ], - "type": "record" + ] } }, { "forward_method": { - "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Include the request method in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { "forward_uri": { - "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { "forward_headers": { - "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { "forward_body": { - "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "default": true, - "type": "boolean" + "type": "boolean", + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { "cluster_name": { "required": false, - "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "type": "string", "auto": true, - "type": "string" + "description": "An identifier for the Kafka cluster. 
By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster." } }, { "producer_request_acks": { + "default": 1, + "type": "integer", + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "one_of": [ -1, 0, 1 - ], - "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", - "default": 1, - "type": "integer" + ] } }, { "producer_request_timeout": { - "description": "Time to wait for a Produce response in milliseconds.", "default": 2000, - "type": "integer" + "type": "integer", + "description": "Time to wait for a Produce response in milliseconds." } }, { "producer_request_limits_messages_per_request": { - "description": "Maximum number of messages to include into a single producer request.", "default": 200, - "type": "integer" + "type": "integer", + "description": "Maximum number of messages to include into a single producer request." } }, { "producer_request_limits_bytes_per_request": { - "description": "Maximum size of a Produce request in bytes.", "default": 1048576, - "type": "integer" + "type": "integer", + "description": "Maximum size of a Produce request in bytes." 
} }, { "producer_request_retries_max_attempts": { - "description": "Maximum number of retry attempts per single Produce request.", "default": 10, - "type": "integer" + "type": "integer", + "description": "Maximum number of retry attempts per single Produce request." } }, { "producer_request_retries_backoff_timeout": { - "description": "Backoff interval between retry attempts in milliseconds.", "default": 100, - "type": "integer" + "type": "integer", + "description": "Backoff interval between retry attempts in milliseconds." } }, { "producer_async": { - "description": "Flag to enable asynchronous mode.", "default": true, - "type": "boolean" + "type": "boolean", + "description": "Flag to enable asynchronous mode." } }, { "producer_async_flush_timeout": { - "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", "default": 1000, - "type": "integer" + "type": "integer", + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode." } }, { "producer_async_buffering_limits_messages_in_memory": { - "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", "default": 50000, - "type": "integer" - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "forward_method", - "forward_uri", - "forward_headers", - "forward_body" - ] - } - }, - { - "custom_entity_check": { - "field_sources": [ - "authentication" - ] + "type": "integer", + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode." } } ] diff --git a/schemas/key-auth-enc/3.5.x.json b/schemas/key-auth-enc/3.5.x.json index 6a85e846..9eb7c796 100644 --- a/schemas/key-auth-enc/3.5.x.json +++ b/schemas/key-auth-enc/3.5.x.json 
@@ -2,26 +2,16 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "protocols": { "required": true, - "elements": { - "one_of": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], - "type": "string" - }, + "type": "set", "default": [ "grpc", "grpcs", 
@@ -30,39 +20,50 @@ "ws", "wss" ], - "type": "set" + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "key_names": { - "required": true, "elements": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" }, + "type": "array", "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "required": true, "default": [ "apikey" - ], - "type": "array" + ] } }, { "hide_credentials": { - "type": "boolean", "default": false, + "type": "boolean", "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it." } }, 
@@ -74,34 +75,33 @@ }, { "key_in_header": { - "type": "boolean", "default": true, + "type": "boolean", "description": "If enabled (default), the plugin reads the request header and tries to find the key in it." } }, { "key_in_query": { - "type": "boolean", "default": true, + "type": "boolean", "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it." } }, { "key_in_body": { - "type": "boolean", "default": false, + "type": "boolean", "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." } }, { "run_on_preflight": { - "type": "boolean", "default": true, + "type": "boolean", "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed." } } - ], - "type": "record" + ] } } ], diff --git a/schemas/key-auth/3.5.x.json b/schemas/key-auth/3.5.x.json index bc248036..a7f20f68 100644 --- a/schemas/key-auth/3.5.x.json +++ b/schemas/key-auth/3.5.x.json @@ -2,26 +2,16 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "protocols": { "required": true, - "elements": { - "one_of": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], - "type": "string" - }, + "type": "set", "default": [ "grpc", "grpcs", 
@@ -30,83 +20,93 @@ "ws", "wss" ], - "type": "set" + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "key_names": { - "required": true, "elements": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" }, + "type": "array", "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "required": true, "default": [ "apikey" - ], - "type": "array" + ] } }, { "hide_credentials": { "required": true, "type": "boolean", - "default": false, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request." + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", + "default": false } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. 
If empty (default null), the request will fail with an authentication failure `4xx`.", + "type": "string" } }, { "key_in_header": { "required": true, "type": "boolean", - "default": true, - "description": "If enabled (default), the plugin reads the request header and tries to find the key in it." + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "default": true } }, { "key_in_query": { "required": true, "type": "boolean", - "default": true, - "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it." + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "default": true } }, { "key_in_body": { "required": true, "type": "boolean", - "default": false, - "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." + "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "default": false } }, { "run_on_preflight": { "required": true, "type": "boolean", - "default": true, - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed." + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "default": true } } - ], - "type": "record" + ] } } ], diff --git a/schemas/konnect-application-auth/3.5.x.json b/schemas/konnect-application-auth/3.5.x.json index 5fae6eb8..5219f26d 100644 --- a/schemas/konnect-application-auth/3.5.x.json 
+++ b/schemas/konnect-application-auth/3.5.x.json 
@@ -2,92 +2,92 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "route": { - "reference": "routes", + "type": "foreign", "description": "A reference to the 'routes' table with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "routes" } }, { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, "type": "record", + "entity_checks": [ + + ], "fields": [ { "key_names": { - "required": true, "elements": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" }, + "type": "array", "description": "The names of the headers containing the API key. You can specify multiple header names.", + "required": true, "default": [ "apikey" - ], - "type": "array" + ] } }, { "auth_type": { + "type": "string", + "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth'.", "required": true, + "default": "openid-connect", "one_of": [ "openid-connect", "key-auth" - ], - "description": "The type of authentication to be performed. 
Possible values are: 'openid-connect', 'key-auth'.", - "default": "openid-connect", - "type": "string" + ] } }, { "scope": { "required": true, - "unique": true, "type": "string", - "description": "The unique scope identifier for the plugin configuration." + "description": "The unique scope identifier for the plugin configuration.", + "unique": true } } - ], - "entity_checks": [ - ] } } diff --git a/schemas/ldap-auth-advanced/3.5.x.json b/schemas/ldap-auth-advanced/3.5.x.json index 3d98294f..f0765e52 100644 --- a/schemas/ldap-auth-advanced/3.5.x.json +++ b/schemas/ldap-auth-advanced/3.5.x.json @@ -3,17 +3,7 @@ { "protocols": { "required": true, - "elements": { - "one_of": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], - "type": "string" - }, + "type": "set", "default": [ "grpc", "grpcs", @@ -22,28 +12,39 @@ "ws", "wss" ], - "type": "set" + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "config": { "required": true, + "type": "record", "fields": [ { "ldap_host": { 
@@ -55,47 +56,47 @@ { "ldap_password": { "encrypted": true, - "description": "The password to the LDAP server.", "referenceable": true, + "description": "The password to the LDAP server.", "type": "string" } }, { "ldap_port": { - "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", "default": 389, - "type": "number" + "type": "number", + "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636." } }, { "bind_dn": { "referenceable": true, - "type": "string", - "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated." + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", + "type": "string" } }, { "ldaps": { - "required": true, - "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "required": true } }, { "start_tls": { - "required": true, - "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. 
If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "required": true } }, { "verify_ldap_host": { - "required": true, - "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "required": true } }, { 
@@ -114,113 +115,112 @@ }, { "cache_ttl": { - "required": true, - "description": "Cache expiry time in seconds.", "default": 60, - "type": "number" + "type": "number", + "description": "Cache expiry time in seconds.", + "required": true } }, { "hide_credentials": { - "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request." } }, { "timeout": { - "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", "default": 10000, - "type": "number" + "type": "number", + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server." } }, { "keepalive": { - "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", "default": 60000, - "type": "number" + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed." } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "len_min": 0, "default": "", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "len_min": 0 } }, { "header_type": { - "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", "default": "ldap", - "type": "string" + "type": "string", + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`." } }, { "consumer_optional": { - "required": false, - "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", + "required": false } }, { "consumer_by": { - "required": false, "elements": { + "type": "string", "one_of": [ "username", "custom_id" - ], - "type": "string" + ] }, "type": "array", + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", + "required": false, "default": [ "username", "custom_id" - ], - "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both." 
+ ] } }, { "group_base_dn": { - "type": "string", - "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'." + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", + "type": "string" } }, { "group_name_attribute": { - "type": "string", - "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive." + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", + "type": "string" } }, { "group_member_attribute": { - "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive.", "default": "memberOf", - "type": "string" + "type": "string", + "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive." } }, { "log_search_results": { - "required": false, - "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", + "required": false } }, { "groups_required": { "required": false, "type": "array", + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. 
- When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", "elements": { "type": "string" - }, - "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result." + } } } - ], - "type": "record" + ] } } ], diff --git a/schemas/ldap-auth/3.5.x.json b/schemas/ldap-auth/3.5.x.json index d3c007bb..9264dac2 100644 --- a/schemas/ldap-auth/3.5.x.json +++ b/schemas/ldap-auth/3.5.x.json @@ -2,26 +2,16 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "protocols": { "required": true, - "elements": { - "one_of": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], - "type": "string" - }, + "type": "set", "default": [ "grpc", "grpcs", 
@@ -30,63 +20,88 @@ "ws", "wss" ], - "type": "set" + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, "type": "record", + "entity_checks": [ + { + "conditional": { + "then_field": "start_tls", + "then_match": { + "eq": false + }, + "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", + "if_match": { + "eq": true + }, + "if_field": "ldaps" + } + } + ], "fields": [ { "ldap_host": { "required": true, - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "ldap_port": { - "required": true, "between": [ 0, 65535 ], "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "default": 389, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "required": true } }, { "ldaps": { - "required": true, - "type": "boolean", "default": false, - "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled." + "type": "boolean", + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. 
If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "required": true } }, { "start_tls": { - "required": true, - "type": "boolean", "default": false, - "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled." + "type": "boolean", + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "required": true } }, { "verify_ldap_host": { - "required": true, - "type": "boolean", "default": false, - "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive." + "type": "boolean", + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "required": true } }, { 
@@ -105,31 +120,31 @@ }, { "cache_ttl": { - "required": true, - "type": "number", "default": 60, - "description": "Cache expiry time in seconds." + "type": "number", + "description": "Cache expiry time in seconds.", + "required": true } }, { "hide_credentials": { - "required": true, - "type": "boolean", "default": false, - "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request." + "type": "boolean", + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "required": true } }, { "timeout": { - "type": "number", "default": 10000, + "type": "number", "description": "An optional timeout in milliseconds when waiting for connection with LDAP server." } }, { "keepalive": { - "type": "number", "default": 60000, + "type": "number", "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed." } }, @@ -141,26 +156,11 @@ }, { "header_type": { - "type": "string", "default": "ldap", + "type": "string", "description": "An optional string to use as part of the Authorization header" } } - ], - "entity_checks": [ - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "start_tls", - "if_field": "ldaps", - "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", - "then_match": { - "eq": false - } - } - } ] } } diff --git a/schemas/loggly/3.5.x.json b/schemas/loggly/3.5.x.json index f7b7377b..36d2212a 100644 --- a/schemas/loggly/3.5.x.json +++ b/schemas/loggly/3.5.x.json @@ -2,7 +2,6 @@ "fields": [ { "protocols": { - "required": true, "elements": { "one_of": [ "grpc", 
@@ -16,70 +15,74 @@ "ws", "wss" ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string" }, "type": "set", + "description": "A set of strings representing protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", "default": "logs-01.loggly.com", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { + "default": 514, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "default": 514, - "type": "integer" + ] } }, { "key": { - "referenceable": true, "encrypted": true, + "type": "string", "required": true, - "type": "string" + "referenceable": true } }, { "tags": { - "elements": { - "type": "string" - }, "default": [ "kong" ], - "type": "set" + "type": "set", + "elements": { + "type": "string" + } } }, { "log_level": { + "default": "info", + "type": "string", "one_of": [ "debug", "info", @@ -89,13 +92,13 @@ "crit", "alert", "emerg" - ], - "default": "info", - "type": "string" + ] } }, { "successful_severity": { + "default": "info", + "type": "string", "one_of": [ "debug", "info", 
@@ -105,13 +108,13 @@ "crit", "alert", "emerg" - ], - "default": "info", - "type": "string" + ] } }, { "client_errors_severity": { + "default": "info", + "type": "string", "one_of": [ "debug", "info", @@ -121,13 +124,13 @@ "crit", "alert", "emerg" - ], - "default": "info", - "type": "string" + ] } }, { "server_errors_severity": { + "default": "info", + "type": "string", "one_of": [ "debug", "info", @@ -137,9 +140,7 @@ "crit", "alert", "emerg" - ], - "default": "info", - "type": "string" + ] } }, { @@ -150,20 +151,19 @@ }, { "custom_fields_by_lua": { - "type": "map", - "keys": { - "type": "string", - "len_min": 1 - }, "values": { "len_min": 1, "type": "string" }, - "description": "Lua code as a key-value map" + "type": "map", + "description": "Lua code as a key-value map", + "keys": { + "len_min": 1, + "type": "string" + } } } - ], - "type": "record" + ] } } ], diff --git a/schemas/mocking/3.5.x.json b/schemas/mocking/3.5.x.json index 3e069418..e401a6e6 100644 --- a/schemas/mocking/3.5.x.json +++ b/schemas/mocking/3.5.x.json 
@@ -2,78 +2,79 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "api_specification_filename": { "required": false, - "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", - "type": "string" + "type": "string", + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode." } }, { "api_specification": { "required": false, - "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", - "type": "string" + "type": "string", + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field." } }, { "random_delay": { - "description": "Enables a random delay in the mocked response. 
Introduces delays to simulate real-time response times by APIs.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs." } }, { "max_delay_time": { - "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", "default": 1, - "type": "number" + "type": "number", + "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`." } }, { "min_delay_time": { - "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`.", "default": 0.001, - "type": "number" + "type": "number", + "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`." } }, { "random_examples": { - "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured." } }, { 
@@ -88,21 +89,20 @@ { "random_status_code": { "required": true, + "type": "boolean", "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", - "default": false, - "type": "boolean" + "default": false } }, { "include_base_path": { "required": true, + "type": "boolean", "description": "Indicates whether to include the base path when performing path match evaluation.", - "default": false, - "type": "boolean" + "default": false } } - ], - "type": "record" + ] } } ], diff --git a/schemas/mtls-auth/3.5.x.json b/schemas/mtls-auth/3.5.x.json index a03abfa2..3c9c1a9b 100644 --- a/schemas/mtls-auth/3.5.x.json +++ b/schemas/mtls-auth/3.5.x.json 
@@ -2,46 +2,60 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], "fields": [ { "anonymous": { 
@@ -51,107 +65,107 @@ }, { "consumer_by": { - "required": false, "elements": { + "type": "string", "one_of": [ "username", "custom_id" - ], - "type": "string" + ] }, "type": "array", + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "required": false, "default": [ "username", "custom_id" - ], - "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled." + ] } }, { "ca_certificates": { "required": true, "type": "array", + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", "elements": { - "type": "string", - "uuid": true - }, - "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`)." + "uuid": true, + "type": "string" + } } }, { "cache_ttl": { "required": true, "type": "number", - "default": 60, - "description": "Cache expiry time in seconds." + "description": "Cache expiry time in seconds.", + "default": 60 } }, { "skip_consumer_lookup": { "required": true, "type": "boolean", - "default": false, - "description": "Skip consumer lookup once certificate is trusted against the configured CA list." 
+ "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "default": false } }, { "allow_partial_chain": { "required": true, "type": "boolean", - "default": false, - "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates." + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "default": false } }, { "authenticated_group_by": { + "type": "string", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "required": false, + "default": "CN", "one_of": [ "CN", "DN" - ], - "type": "string", - "default": "CN", - "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users." + ] } }, { "revocation_check_mode": { + "type": "string", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. 
If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "required": false, + "default": "IGNORE_CA_ERROR", "one_of": [ "SKIP", "IGNORE_CA_ERROR", "STRICT" - ], - "type": "string", - "default": "IGNORE_CA_ERROR", - "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status." + ] } }, { "http_timeout": { - "type": "number", "default": 30000, + "type": "number", "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL." } }, { "cert_cache_ttl": { - "type": "number", "default": 60000, + "type": "number", "description": "The length of time in milliseconds between refreshes of the revocation check status cache." } }, { "send_ca_dn": { - "type": "boolean", "default": false, + "type": "boolean", "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message." } }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { @@ -160,14 +174,14 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { 
@@ -176,24 +190,10 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } - ], - "entity_checks": [ - { - "mutually_required": [ - "http_proxy_host", - "http_proxy_port" - ] - }, - { - "mutually_required": [ - "https_proxy_host", - "https_proxy_port" - ] - } ] } } diff --git a/schemas/oas-validation/3.5.x.json b/schemas/oas-validation/3.5.x.json index 2b74ef0f..6f85afd1 100644 --- a/schemas/oas-validation/3.5.x.json +++ b/schemas/oas-validation/3.5.x.json 
@@ -2,143 +2,143 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "api_spec": { "required": true, - "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URL encoded to preserve the YAML format.", - "type": "string" + "type": "string", + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URL encoded to preserve the YAML format." } }, { "verbose_response": { - "required": false, - "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "If set to true, returns a detailed error message for invalid requests & responses. 
This is useful while testing.", + "required": false } }, { "validate_request_body": { - "required": false, - "description": "If set to true, validates the request body content against the API specification.", "default": true, - "type": "boolean" + "type": "boolean", + "description": "If set to true, validates the request body content against the API specification.", + "required": false } }, { "notify_only_request_validation_failure": { - "required": false, - "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", + "required": false } }, { "validate_request_header_params": { - "required": false, - "description": "If set to true, validates HTTP header parameters against the API specification.", "default": true, - "type": "boolean" + "type": "boolean", + "description": "If set to true, validates HTTP header parameters against the API specification.", + "required": false } }, { "validate_request_query_params": { - "required": false, - "description": "If set to true, validates query parameters against the API specification.", "default": true, - "type": "boolean" + "type": "boolean", + "description": "If set to true, validates query parameters against the API specification.", + "required": false } }, { "validate_request_uri_params": { - "required": false, - "description": "If set to true, validates URI parameters in the request against the API specification.", "default": true, - "type": "boolean" + "type": "boolean", + "description": "If set to true, validates URI parameters in the request against the API specification.", + "required": false } }, { "validate_response_body": { - "required": false, - "description": "If set to true, validates the response from the upstream services 
against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", + "required": false } }, { "notify_only_response_body_validation_failure": { - "required": false, - "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", + "required": false } }, { "query_parameter_check": { - "required": true, - "description": "If set to true, checks if query parameters in the request exist in the API specification.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "If set to true, checks if query parameters in the request exist in the API specification.", + "required": true } }, { "header_parameter_check": { - "required": true, - "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", + "required": true } }, { "allowed_header_parameters": { - "required": false, - "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. 
For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", "default": "Host,Content-Type,User-Agent,Accept,Content-Length", - "type": "string" + "type": "string", + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", + "required": false } }, { "include_base_path": { - "required": true, - "description": "Indicates whether to include the base path when performing path match evaluation.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Indicates whether to include the base path when performing path match evaluation.", + "required": true } } - ], - "type": "record" + ] } } ], diff --git a/schemas/oauth2-introspection/3.5.x.json b/schemas/oauth2-introspection/3.5.x.json index eba00114..10ac128c 100644 --- a/schemas/oauth2-introspection/3.5.x.json +++ b/schemas/oauth2-introspection/3.5.x.json 
@@ -2,64 +2,65 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "introspection_url": { "required": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "ttl": { - "type": "number", "default": 30, + "type": "number", "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration." } }, { "token_type_hint": { - "type": "string", - "description": "The `token_type_hint` value to associate to introspection requests." + "description": "The `token_type_hint` value to associate to introspection requests.", + "type": "string" } }, { 
@@ -71,91 +72,90 @@ }, { "timeout": { - "type": "integer", "default": 10000, + "type": "integer", "description": "An optional timeout in milliseconds when sending data to the upstream server." } }, { "keepalive": { - "type": "integer", "default": 60000, + "type": "integer", "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." } }, { "introspect_request": { - "required": true, - "type": "boolean", "default": false, - "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request." + "type": "boolean", + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", + "required": true } }, { "hide_credentials": { - "type": "boolean", "default": false, + "type": "boolean", "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request." } }, { "run_on_preflight": { - "type": "boolean", "default": true, + "type": "boolean", "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed." } }, { "anonymous": { + "len_min": 0, "type": "string", "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "default": "", - "len_min": 0 + "default": "" } }, { "consumer_by": { + "type": "string", + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", "required": true, + "default": "username", "one_of": [ "username", "client_id" - ], - "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", - "default": "username", - "type": "string" + ] } }, { "custom_introspection_headers": { - "required": true, + "type": "map", + "description": "A list of custom headers to be added in the introspection request.", "keys": { "type": "string" }, - "description": "A list of custom headers to be added in the introspection request.", + "required": true, "values": { "type": "string" }, "default": [ - ], - "type": "map" + ] } }, { "custom_claims_forward": { - "required": true, "elements": { "type": "string" }, "type": "set", + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", + "required": true, "default": [ - ], - "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`." + ] } } - ], - "type": "record" + ] } } ], diff --git a/schemas/oauth2/3.5.x.json b/schemas/oauth2/3.5.x.json index 5c06a69e..01916b09 100644 --- a/schemas/oauth2/3.5.x.json +++ b/schemas/oauth2/3.5.x.json 
@@ -2,26 +2,16 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "protocols": { "required": true, - "elements": { - "one_of": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], - "type": "string" - }, + "type": "set", "default": [ "grpc", "grpcs", @@ -30,20 +20,44 @@ "ws", "wss" ], - "type": "set" + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "entity_checks": [ + { + "conditional": { + "then_field": "scopes", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + }, + "if_field": "mandatory_scope" + } + } + ], "type": "record", "fields": [ { 
@@ -51,157 +65,143 @@ "elements": { "type": "string" }, - "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", - "type": "array" + "type": "array", + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required." } }, { "mandatory_scope": { - "required": true, - "type": "boolean", "default": false, - "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user." + "type": "boolean", + "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", + "required": true } }, { "provision_key": { - "encrypted": true, "type": "string", - "required": true, + "description": "The unique key the plugin has generated when it has been added to the Service.", "unique": true, - "auto": true, - "description": "The unique key the plugin has generated when it has been added to the Service." + "required": true, + "encrypted": true, + "auto": true } }, { "token_expiration": { - "required": true, - "type": "number", "default": 7200, - "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration." + "type": "number", + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration.", + "required": true } }, { "enable_authorization_code": { - "required": true, - "type": "boolean", "default": false, - "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1)." 
+ "type": "boolean", + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", + "required": true } }, { "enable_implicit_grant": { - "required": true, - "type": "boolean", "default": false, - "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2)." + "type": "boolean", + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", + "required": true } }, { "enable_client_credentials": { - "required": true, - "type": "boolean", "default": false, - "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4)." + "type": "boolean", + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", + "required": true } }, { "enable_password_grant": { - "required": true, - "type": "boolean", "default": false, - "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3)." + "type": "boolean", + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", + "required": true } }, { "hide_credentials": { - "required": true, - "type": "boolean", "default": false, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service." + "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "required": true } }, { "accept_http_if_already_terminated": { - "required": true, - "type": "boolean", "default": false, - "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer." 
+ "type": "boolean", + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", + "required": true } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" } }, { "global_credentials": { - "required": true, - "type": "boolean", "default": false, - "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`." + "type": "boolean", + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", + "required": true } }, { "auth_header_name": { - "type": "string", "default": "authorization", + "type": "string", "description": "The name of the header that is supposed to carry the access token." } }, { "refresh_token_ttl": { - "required": true, "between": [ 0, 100000000 ], "type": "number", + "description": "Time-to-live value for data", "default": 1209600, - "description": "Time-to-live value for data" + "required": true } }, { "reuse_refresh_token": { - "required": true, - "type": "boolean", "default": false, - "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token." 
+ "type": "boolean", + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", + "required": true } }, { "persistent_refresh_token": { - "required": true, "default": false, - "type": "boolean" + "type": "boolean", + "required": true } }, { "pkce": { + "type": "string", + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", "required": false, + "default": "lax", "one_of": [ "none", "lax", "strict" - ], - "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", - "default": "lax", - "type": "string" - } - } - ], - "entity_checks": [ - { - "conditional": { - "then_field": "scopes", - "if_field": "mandatory_scope", - "then_match": { - "required": true - }, - "if_match": { - "eq": true - } + ] } } ] diff --git a/schemas/opa/3.5.x.json b/schemas/opa/3.5.x.json index a9325ca5..0c974262 100644 --- a/schemas/opa/3.5.x.json +++ b/schemas/opa/3.5.x.json 
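Review bot: Four descriptions in the `config` hunk of schemas/oauth2/3.5.x.json (`enable_authorization_code`, `enable_implicit_grant`, `enable_client_credentials`, `enable_password_grant`) cite "RFC 6742", but the OAuth 2.0 framework whose Sections 4.1 to 4.4 define these grants is RFC 6749. The hunk only reorders keys, so the wrong number is carried over unchanged. Since the commit message says these files are pulled from the API, the correction, e.g. `(RFC 6749 Section 4.1)`, belongs in the upstream plugin schema. In the same hunk `persistent_refresh_token` still has no `description`, so the rendered reference does not say what enabling it does to refresh-token lifetime.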
@@ -2,110 +2,111 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "opa_protocol": { + "default": "http", + "type": "string", + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", "one_of": [ "http", "https" - ], - "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", - "default": "http", - "type": "string" + ] } }, { "opa_host": { - "required": true, - "description": "A string representing a host name, such as example.com.", "default": "localhost", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com.", + "required": true } }, { "opa_port": { - "required": true, "between": [ 0, 65535 ], "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "default": 8181, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ "required": true } }, { "opa_path": { + "starts_with": "/", + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "required": true, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ], - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "type": "string" + ] } }, { "include_service_in_opa_input": { - "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA." } }, { "include_route_in_opa_input": { - "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA." } }, { "include_consumer_in_opa_input": { - "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA." } }, { 
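Review bot: `opa_protocol` keeps `"default": "http"` in this hunk, and its description does not mention that the policy query to OPA is then sent unencrypted. The `include_service_in_opa_input`, `include_route_in_opa_input` and `include_consumer_in_opa_input` options in the same record, and the parsed request body in the next hunk, add request context to that query. `ssl_verify`, also in the next hunk, presumably only takes effect once the protocol is `https`. With the default `opa_host` of `localhost` this is a reasonable default, but the description should state the condition, for example by appending `Use https when OPA runs on another host; ssl_verify applies only to https.` The `config` record continues past the end of this hunk.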
@@ -116,28 +117,27 @@ }, { "include_parsed_json_body_in_opa_input": { - "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA." } }, { "include_uri_captures_in_opa_input": { - "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA." } }, { "ssl_verify": { "required": true, + "type": "boolean", "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", - "default": true, - "type": "boolean" + "default": true } } - ], - "type": "record" + ] } } ], diff --git a/schemas/openid-connect/3.5.x.json b/schemas/openid-connect/3.5.x.json index 60715904..9b18a055 100644 --- a/schemas/openid-connect/3.5.x.json +++ b/schemas/openid-connect/3.5.x.json 
@@ -2,96 +2,179 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { + "shorthand_fields": [ + { + "authorization_cookie_lifetime": { + "type": "number" + } + }, + { + "authorization_cookie_samesite": { + "type": "string" + } + }, + { + "authorization_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_cookie_lifetime": { + "type": "number" + } + }, + { + "session_cookie_idletime": { + "type": "number" + } + }, + { + "session_cookie_samesite": { + "type": "string" + } + }, + { + "session_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "type": "string" + } + }, + { + "session_memcache_socket": { + "type": "string" + } + }, + { + "session_memcache_host": { + "type": "string" + } + }, + { + "session_memcache_port": { + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer" + } + }, + { + "session_cookie_renew": { + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "type": "integer" + } + }, + { + "session_strategy": { + "type": "string" + } + }, + { + "session_compressor": { + "type": 
"string" + } + } + ], + "type": "record", "required": true, "fields": [ { "issuer": { "required": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "discovery_headers_names": { "required": false, "type": "array", + "description": "Extra header names passed to the discovery endpoint.", "elements": { "type": "string" - }, - "description": "Extra header names passed to the discovery endpoint." + } } }, { "discovery_headers_values": { "required": false, "type": "array", + "description": "Extra header values passed to the discovery endpoint.", "elements": { "type": "string" - }, - "description": "Extra header values passed to the discovery endpoint." + } } }, { "extra_jwks_uris": { "required": false, "type": "set", + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery)." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "rediscovery_lifetime": { - "required": false, - "type": "number", "default": 30, - "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis." + "type": "number", + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", + "required": false } }, { "auth_methods": { - "required": false, "elements": { + "type": "string", "one_of": [ "password", "client_credentials", 
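Review bot: The sixteen entries added under `config.shorthand_fields` carry only a `type`, with no `description` and no indication of which current field each one maps to. Two of them differ from cookie-hardening settings later in this file only by an underscore (`authorization_cookie_httponly` next to `authorization_cookie_http_only`, `authorization_cookie_samesite` next to `authorization_cookie_same_site`), so a reader of the generated reference cannot tell which name takes effect or whether setting both conflicts. These look like legacy aliases, though the schema does not say so. If that is right, each entry should state it upstream, e.g. `"description": "Deprecated alias of authorization_cookie_http_only."`. The `config` record continues beyond this hunk.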
@@ -102,10 +185,11 @@ "kong_oauth2", "refresh_token", "session" - ], - "type": "string" + ] }, + "type": "array", "description": "Types of credentials/grants to enable.", + "required": false, "default": [ "password", "client_credentials", @@ -116,56 +200,57 @@ "kong_oauth2", "refresh_token", "session" - ], - "type": "array" + ] } }, { "client_id": { - "encrypted": true, "elements": { "referenceable": true, "type": "string" }, "type": "array", - "required": false, - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "encrypted": true, + "required": false } }, { "client_secret": { - "encrypted": true, "elements": { "referenceable": true, "type": "string" }, "type": "array", - "required": false, - "description": "The client secret." + "description": "The client secret.", + "encrypted": true, + "required": false } }, { "client_auth": { "required": false, "type": "array", + "description": "The authentication method used by the client (plugin) when calling the endpoint.", "elements": { + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none" - ], - "type": "string" - }, - "description": "The authentication method used by the client (plugin) when calling the endpoint." + ] + } } }, { "client_jwk": { "required": false, + "type": "array", "elements": { "required": false, + "type": "record", "fields": [ { "issuer": { @@ -188,11 +273,11 @@ { "key_ops": { "required": false, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { @@ -216,11 +301,11 @@ { "x5c": { "required": false, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { 
@@ -238,9 +323,9 @@ { "k": { "encrypted": true, - "required": false, + "type": "string", "referenceable": true, - "type": "string" + "required": false } }, { @@ -276,85 +361,85 @@ { "d": { "encrypted": true, - "required": false, + "type": "string", "referenceable": true, - "type": "string" + "required": false } }, { "p": { "encrypted": true, - "required": false, + "type": "string", "referenceable": true, - "type": "string" + "required": false } }, { "q": { "encrypted": true, - "required": false, + "type": "string", "referenceable": true, - "type": "string" + "required": false } }, { "dp": { "encrypted": true, - "required": false, + "type": "string", "referenceable": true, - "type": "string" + "required": false } }, { "dq": { "encrypted": true, - "required": false, + "type": "string", "referenceable": true, - "type": "string" + "required": false } }, { "qi": { "encrypted": true, - "required": false, + "type": "string", "referenceable": true, - "type": "string" + "required": false } }, { "oth": { "encrypted": true, - "required": false, + "type": "string", "referenceable": true, - "type": "string" + "required": false } }, { "r": { "encrypted": true, - "required": false, + "type": "string", "referenceable": true, - "type": "string" + "required": false } }, { "t": { "encrypted": true, - "required": false, + "type": "string", "referenceable": true, - "type": "string" + "required": false } } - ], - "type": "record" - }, - "type": "array" + ] + } } }, { "client_alg": { "required": false, + "type": "array", "elements": { + "type": "string", "one_of": [ "HS256", "HS384", 
@@ -369,277 +454,275 @@ "PS384", "PS512", "EdDSA" - ], - "type": "string" - }, - "type": "array" + ] + } } }, { "client_arg": { - "required": false, - "type": "string", "default": "client_id", - "description": "The client to use for this request (the selection is made with a request parameter with the same name)." + "type": "string", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "required": false } }, { "redirect_uri": { "required": false, "type": "array", + "description": "The redirect URI passed to the authorization and token endpoints.", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "The redirect URI passed to the authorization and token endpoints." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "login_redirect_uri": { "required": false, "type": "array", + "description": "Where to redirect the client when `login_action` is set to `redirect`.", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client when `login_action` is set to `redirect`." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "logout_redirect_uri": { "required": false, "type": "array", + "description": "Where to redirect the client after the logout.", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client after the logout." 
+ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "forbidden_redirect_uri": { "required": false, "type": "array", + "description": "Where to redirect the client on forbidden requests.", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client on forbidden requests." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "forbidden_error_message": { - "required": false, - "type": "string", "default": "Forbidden", - "description": "The error message for the forbidden requests (when not using the redirection)." + "type": "string", + "description": "The error message for the forbidden requests (when not using the redirection).", + "required": false } }, { "forbidden_destroy_session": { - "required": false, - "type": "boolean", "default": true, - "description": "Destroy any active session for the forbidden requests." + "type": "boolean", + "description": "Destroy any active session for the forbidden requests.", + "required": false } }, { "unauthorized_destroy_session": { - "required": false, - "type": "boolean", "default": true, - "description": "Destroy any active session for the unauthorized requests." + "type": "boolean", + "description": "Destroy any active session for the unauthorized requests.", + "required": false } }, { "unauthorized_redirect_uri": { "required": false, "type": "array", + "description": "Where to redirect the client on unauthorized requests.", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client on unauthorized requests." 
+ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "unauthorized_error_message": { - "required": false, - "type": "string", "default": "Unauthorized", - "description": "The error message for the unauthorized requests (when not using the redirection)." + "type": "string", + "description": "The error message for the unauthorized requests (when not using the redirection).", + "required": false } }, { "unexpected_redirect_uri": { "required": false, "type": "array", + "description": "Where to redirect the client when unexpected errors happen with the requests.", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client when unexpected errors happen with the requests." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "response_mode": { + "type": "string", + "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)", + "default": "query", "required": false, "one_of": [ "query", "form_post", "fragment" - ], - "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)", - "default": "query", - "type": "string" + ] } }, { "response_type": { - "required": false, "elements": { 
"type": "string" }, + "type": "array", "description": "The response type passed to the authorization endpoint.", + "required": false, "default": [ "code" - ], - "type": "array" + ] } }, { "scopes": { - "required": false, "elements": { "type": "string" }, + "type": "array", "description": "The scopes passed to the authorization and token endpoints.", + "required": false, "default": [ "openid" - ], - "type": "array" + ] } }, { "audience": { "required": false, "type": "array", + "description": "The audience passed to the authorization endpoint.", "elements": { "type": "string" - }, - "description": "The audience passed to the authorization endpoint." + } } }, { "issuers_allowed": { "required": false, "type": "array", + "description": "The issuers allowed to be present in the tokens (`iss` claim).", "elements": { "type": "string" - }, - "description": "The issuers allowed to be present in the tokens (`iss` claim)." + } } }, { "scopes_required": { "required": false, "type": "array", + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - }, - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } } }, { "scopes_claim": { - "required": false, "elements": { "type": "string" }, - "description": "The claim that contains the scopes.", + "type": "array", + "description": "The claim that contains the scopes. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, "default": [ "scope" - ], - "type": "array" + ] } }, { "audience_required": { "required": false, "type": "array", + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - }, - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } } }, { "audience_claim": { - "required": false, "elements": { "type": "string" }, - "description": "The claim that contains the audience.", + "type": "array", + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, "default": [ "aud" - ], - "type": "array" + ] } }, { "groups_required": { "required": false, "type": "array", + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - }, - "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } } }, { "groups_claim": { - "required": false, "elements": { "type": "string" }, - "description": "The claim that contains the groups.", + "type": "array", + "description": "The claim that contains the groups. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, "default": [ "groups" - ], - "type": "array" + ] } }, { "roles_required": { "required": false, "type": "array", + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - }, - "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } } }, { "roles_claim": { - "required": false, "elements": { "type": "string" }, - "description": "The claim that contains the roles.", + "type": "array", + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, "default": [ "roles" - ], - "type": "array" + ] } }, { "domains": { "required": false, "type": "array", + "description": "The allowed values for the `hd` claim.", "elements": { "type": "string" - }, - "description": "The allowed values for the `hd` claim." + } } }, { 
@@ -653,67 +736,70 @@ "authenticated_groups_claim": { "required": false, "type": "array", + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - }, - "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations." + } } }, { "authorization_endpoint": { "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "authorization_query_args_names": { "required": false, "type": "array", + "description": "Extra query argument names passed to the authorization endpoint.", "elements": { "type": "string" - }, - "description": "Extra query argument names passed to the authorization endpoint." + } } }, { "authorization_query_args_values": { "required": false, "type": "array", + "description": "Extra query argument values passed to the authorization endpoint.", "elements": { "type": "string" - }, - "description": "Extra query argument values passed to the authorization endpoint." + } } }, { "authorization_query_args_client": { "required": false, "type": "array", + "description": "Extra query arguments passed from the client to the authorization endpoint.", "elements": { "type": "string" - }, - "description": "Extra query arguments passed from the client to the authorization endpoint." 
+ } } }, { "authorization_rolling_timeout": { - "required": false, - "type": "number", "default": 600, - "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." + "type": "number", + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "required": false } }, { "authorization_cookie_name": { - "required": false, - "type": "string", "default": "authorization", - "description": "The authorization cookie name." + "type": "string", + "description": "The authorization cookie name.", + "required": false } }, { "authorization_cookie_path": { + "starts_with": "/", + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "required": false, "match_none": [ { @@ -721,10 +807,7 @@ "err": "must not have empty segments" } ], - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "default": "/", - "type": "string" + "default": "/" } }, { 
@@ -736,24 +819,24 @@ }, { "authorization_cookie_same_site": { + "type": "string", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "default": "Default", "required": false, "one_of": [ "Strict", "Lax", "None", "Default" - ], - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", - "default": "Default", - "type": "string" + ] } }, { "authorization_cookie_http_only": { - "required": false, - "type": "boolean", "default": true, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." + "type": "boolean", + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "required": false } }, { 
@@ -765,71 +848,71 @@ }, { "preserve_query_args": { - "required": false, - "type": "boolean", "default": false, - "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow." + "type": "boolean", + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "required": false } }, { "token_endpoint": { "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "token_endpoint_auth_method": { "required": false, "type": "string", + "description": "The token endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none" - ], - "description": "The token endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate" + ] } }, { "token_headers_names": { "required": false, "type": "array", + "description": "Extra header names passed to the token endpoint.", "elements": { "type": "string" - }, - "description": "Extra header 
names passed to the token endpoint." + } } }, { "token_headers_values": { "required": false, "type": "array", + "description": "Extra header values passed to the token endpoint.", "elements": { "type": "string" - }, - "description": "Extra header values passed to the token endpoint." + } } }, { "token_headers_client": { "required": false, "type": "array", + "description": "Extra headers passed from the client to the token endpoint.", "elements": { "type": "string" - }, - "description": "Extra headers passed from the client to the token endpoint." + } } }, { "token_headers_replay": { "required": false, "type": "array", + "description": "The names of token endpoint response headers to forward to the downstream client.", "elements": { "type": "string" - }, - "description": "The names of token endpoint response headers to forward to the downstream client." + } } }, { 
@@ -843,363 +926,366 @@ "token_headers_grants": { "required": false, "type": "array", + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant", "elements": { + "type": "string", "one_of": [ "password", "client_credentials", "authorization_code", "refresh_token" - ], - "type": "string" - }, - "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant" + ] + } } }, { "token_post_args_names": { "required": false, "type": "array", + "description": "Extra post argument names passed to the token endpoint.", "elements": { "type": "string" - }, - "description": "Extra post argument names passed to the token endpoint." + } } }, { "token_post_args_values": { "required": false, "type": "array", + "description": "Extra post argument values passed to the token endpoint.", "elements": { "type": "string" - }, - "description": "Extra post argument values passed to the token endpoint." + } } }, { "token_post_args_client": { "required": false, "type": "array", + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Request Body - Query parameters This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body and send it to the token endpoint.", "elements": { "type": "string" - }, - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. 
If arguments exist, the client can pass them using: - Request Body - Query parameters This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body and send it to the token endpoint." + } } }, { "introspection_endpoint": { "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "introspection_endpoint_auth_method": { "required": false, "type": "string", + "description": "The introspection endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none" - ], - "description": "The introspection endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate" + ] } }, { "introspection_hint": { - "required": false, - "type": "string", "default": "access_token", - "description": "Introspection hint parameter value passed to the introspection endpoint." 
+ "type": "string", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "required": false } }, { "introspection_check_active": { - "required": false, - "type": "boolean", "default": true, - "description": "Check that the introspection response has an `active` claim with a value of `true`." + "type": "boolean", + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "required": false } }, { "introspection_accept": { + "type": "string", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)", + "default": "application/json", "required": false, "one_of": [ "application/json", "application/token-introspection+jwt", "application/jwt" - ], - "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)", - "default": "application/json", - "type": "string" + ] } }, { "introspection_headers_names": { "required": false, "type": "array", + "description": "Extra header names passed to the introspection endpoint.", "elements": { "type": "string" - }, - "description": "Extra header names passed to the introspection endpoint." + } } }, { "introspection_headers_values": { "required": false, "type": "array", + "description": "Extra header values passed to the introspection endpoint.", "elements": { "type": "string" - }, - "description": "Extra header values passed to the introspection endpoint." 
+ } } }, { "introspection_headers_client": { "required": false, "type": "array", + "description": "Extra headers passed from the client to the introspection endpoint.", "elements": { "type": "string" - }, - "description": "Extra headers passed from the client to the introspection endpoint." + } } }, { "introspection_post_args_names": { "required": false, "type": "array", + "description": "Extra post argument names passed to the introspection endpoint.", "elements": { "type": "string" - }, - "description": "Extra post argument names passed to the introspection endpoint." + } } }, { "introspection_post_args_values": { "required": false, "type": "array", + "description": "Extra post argument values passed to the introspection endpoint.", "elements": { "type": "string" - }, - "description": "Extra post argument values passed to the introspection endpoint." + } } }, { "introspection_post_args_client": { "required": false, "type": "array", + "description": "Extra post arguments passed from the client to the introspection endpoint.", "elements": { "type": "string" - }, - "description": "Extra post arguments passed from the client to the introspection endpoint." + } } }, { "introspect_jwt_tokens": { - "required": false, - "type": "boolean", "default": false, - "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations)." + "type": "boolean", + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "required": false } }, { "revocation_endpoint": { "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
} }, { "revocation_endpoint_auth_method": { "required": false, "type": "string", + "description": "The revocation endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none" - ], - "description": "The revocation endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate" + ] } }, { "end_session_endpoint": { "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "userinfo_endpoint": { "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
} }, { "userinfo_accept": { + "type": "string", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)", + "default": "application/json", "required": false, "one_of": [ "application/json", "application/jwt" - ], - "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)", - "default": "application/json", - "type": "string" + ] } }, { "userinfo_headers_names": { "required": false, "type": "array", + "description": "Extra header names passed to the user info endpoint.", "elements": { "type": "string" - }, - "description": "Extra header names passed to the user info endpoint." + } } }, { "userinfo_headers_values": { "required": false, "type": "array", + "description": "Extra header values passed to the user info endpoint.", "elements": { "type": "string" - }, - "description": "Extra header values passed to the user info endpoint." + } } }, { "userinfo_headers_client": { "required": false, "type": "array", + "description": "Extra headers passed from the client to the user info endpoint.", "elements": { "type": "string" - }, - "description": "Extra headers passed from the client to the user info endpoint." + } } }, { "userinfo_query_args_names": { "required": false, "type": "array", + "description": "Extra query argument names passed to the user info endpoint.", "elements": { "type": "string" - }, - "description": "Extra query argument names passed to the user info endpoint." + } } }, { "userinfo_query_args_values": { "required": false, "type": "array", + "description": "Extra query argument values passed to the user info endpoint.", "elements": { "type": "string" - }, - "description": "Extra query argument values passed to the user info endpoint." 
+ } } }, { "userinfo_query_args_client": { "required": false, "type": "array", + "description": "Extra query arguments passed from the client to the user info endpoint.", "elements": { "type": "string" - }, - "description": "Extra query arguments passed from the client to the user info endpoint." + } } }, { "token_exchange_endpoint": { "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "session_secret": { - "encrypted": true, "referenceable": true, "description": "The session secret.", - "required": false, - "type": "string" + "encrypted": true, + "type": "string", + "required": false } }, { "session_audience": { - "required": false, - "type": "string", "default": "default", - "description": "The session audience, which is the intended target application. For example `\"my-application\"`." + "type": "string", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "required": false } }, { "session_cookie_name": { - "required": false, - "type": "string", "default": "session", - "description": "The session cookie name." + "type": "string", + "description": "The session cookie name.", + "required": false } }, { "session_remember": { - "required": false, - "type": "boolean", "default": false, - "description": "Enables or disables persistent sessions." + "type": "boolean", + "description": "Enables or disables persistent sessions.", + "required": false } }, { "session_remember_cookie_name": { - "required": false, - "type": "string", "default": "remember", - "description": "Persistent session cookie name. Use with the `remember` configuration parameter." + "type": "string", + "description": "Persistent session cookie name. 
Use with the `remember` configuration parameter.", + "required": false } }, { "session_remember_rolling_timeout": { - "required": false, - "type": "number", "default": 604800, - "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling." + "type": "number", + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "required": false } }, { "session_remember_absolute_timeout": { - "required": false, - "type": "number", "default": 2592000, - "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks." + "type": "number", + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "required": false } }, { "session_idling_timeout": { - "required": false, - "type": "number", "default": 900, - "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching." + "type": "number", + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "required": false } }, { "session_rolling_timeout": { - "required": false, - "type": "number", "default": 3600, - "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." + "type": "number", + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "required": false } }, { "session_absolute_timeout": { - "required": false, - "type": "number", "default": 86400, - "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks." 
+ "type": "number", + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "required": false } }, { "session_cookie_path": { + "starts_with": "/", + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "required": false, "match_none": [ { @@ -1207,10 +1293,7 @@ "err": "must not have empty segments" } ], - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "default": "/", - "type": "string" + "default": "/" } }, { @@ -1222,24 +1305,24 @@ }, { "session_cookie_same_site": { + "type": "string", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "default": "Lax", "required": false, "one_of": [ "Strict", "Lax", "None", "Default" - ], - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", - "default": "Lax", - "type": "string" + ] } }, { "session_cookie_http_only": { - "required": false, - "type": "boolean", "default": true, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." + "type": "boolean", + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "required": false } }, { @@ -1252,6 +1335,7 @@ { "session_request_headers": { "elements": { + "type": "string", "one_of": [ "id", "audience", @@ -1260,8 +1344,7 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ], - "type": "string" + ] }, "type": "set" } 
@@ -1269,6 +1352,7 @@ { "session_response_headers": { "elements": { + "type": "string", "one_of": [ "id", "audience", 
@@ -1277,56 +1361,55 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ], - "type": "string" + ] }, "type": "set" } }, { "session_storage": { + "type": "string", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis", + "default": "cookie", "required": false, "one_of": [ "cookie", "memcache", "memcached", "redis" - ], - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis", - "default": "cookie", - "type": "string" + ] } }, { "session_store_metadata": { - "required": false, - "type": "boolean", "default": false, - "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject." + "type": "boolean", + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "required": false } }, { "session_enforce_same_subject": { - "required": false, - "type": "boolean", "default": false, - "description": "When set to `true`, audiences are forced to share the same subject." 
+ "type": "boolean", + "description": "When set to `true`, audiences are forced to share the same subject.", + "required": false } }, { "session_hash_subject": { - "required": false, - "type": "boolean", "default": false, - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." + "type": "boolean", + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "required": false } }, { "session_hash_storage_key": { - "required": false, - "type": "boolean", "default": false, - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." + "type": "boolean", + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "required": false } }, { @@ -1345,22 +1428,22 @@ }, { "session_memcached_host": { - "required": false, - "type": "string", "default": "127.0.0.1", - "description": "The memcached host." + "type": "string", + "description": "The memcached host.", + "required": false } }, { "session_memcached_port": { - "required": false, "between": [ 0, 65535 ], "type": "integer", - "default": 11211, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": false, + "default": 11211 } }, { 
@@ -1379,39 +1462,39 @@ }, { "session_redis_host": { - "required": false, - "type": "string", "default": "127.0.0.1", - "description": "The Redis host" + "type": "string", + "description": "The Redis host", + "required": false } }, { "session_redis_port": { - "required": false, "between": [ 0, 65535 ], "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": false, + "default": 6379 } }, { "session_redis_username": { "required": false, - "type": "string", "referenceable": true, - "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." + "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "type": "string" } }, { "session_redis_password": { - "encrypted": true, "referenceable": true, "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis.", - "required": false, - "type": "string" + "encrypted": true, + "type": "string", + "required": false } }, { 
@@ -1437,18 +1520,18 @@ }, { "session_redis_ssl": { - "required": false, - "type": "boolean", "default": false, - "description": "Use SSL/TLS for Redis connection." + "type": "boolean", + "description": "Use SSL/TLS for Redis connection.", + "required": false } }, { "session_redis_ssl_verify": { - "required": false, - "type": "boolean", "default": false, - "description": "Verify identity provider server certificate." + "type": "boolean", + "description": "Verify identity provider server certificate.", + "required": false } }, { @@ -1462,31 +1545,31 @@ "session_redis_cluster_nodes": { "required": false, "type": "array", + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", "elements": { + "type": "record", "fields": [ { "ip": { "required": true, + "type": "string", "description": "A string representing a host name, such as example.com.", - "default": "127.0.0.1", - "type": "string" + "default": "127.0.0.1" } }, { "port": { + "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "default": 6379, - "type": "integer" + ] } } - ], - "type": "record" - }, - "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values." + ] + } } }, { @@ -1498,18 +1581,18 @@ }, { "reverify": { - "required": false, - "type": "boolean", "default": false, - "description": "Specifies whether to always verify tokens stored in the session." + "type": "boolean", + "description": "Specifies whether to always verify tokens stored in the session.", + "required": false } }, { "jwt_session_claim": { - "required": false, - "type": "string", "default": "sid", - "description": "The claim to match against the JWT session cookie." + "type": "string", + "description": "The claim to match against the JWT session cookie.", + "required": false } }, { 
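Review bot: In the `@@ -1437,18 +1520,18 @@` hunk, the description kept for `session_redis_ssl_verify` is "Verify identity provider server certificate.", which reads as copied from an IdP setting. From its name and its position after `session_redis_ssl`, the field appears to control verification of the Redis server certificate. Both fields default to `false`, so with defaults the session data and `session_redis_password` travel to Redis without TLS or certificate checks, and the description is where an operator would expect to learn that. Since this file is pulled from the API, the wording should be corrected in the plugin schema, for example `"description": "Verify the Redis server certificate when session_redis_ssl is enabled."`, after confirming that is what the flag does.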
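Review bot: The `session_redis_cluster_nodes` description in the `@@ -1462,31 +1545,31 @@` hunk says each record takes "either `ip` or `host`", but the record's visible `fields` list defines only `ip` (marked `required` and described as a host name) and `port`. A reader configuring a cluster by hostname cannot tell from this text which key to use. The description should name the keys the schema accepts, e.g. `"Takes an array of records with ip and port values."`, corrected in the plugin schema this file is downloaded from.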
@@ -1521,23 +1604,23 @@ }, { "bearer_token_param_type": { - "required": false, "elements": { + "type": "string", "one_of": [ "header", "cookie", "query", "body" - ], - "type": "string" + ] }, + "type": "array", "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`", + "required": false, "default": [ "header", "query", "body" - ], - "type": "array" + ] } }, { @@ -1549,62 +1632,62 @@ }, { "client_credentials_param_type": { - "required": false, "elements": { + "type": "string", "one_of": [ "header", "query", "body" - ], - "type": "string" + ] }, + "type": "array", "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body", + "required": false, "default": [ "header", "query", "body" - ], - "type": "array" + ] } }, { "password_param_type": { - "required": false, "elements": { + "type": "string", "one_of": [ "header", "query", "body" - ], - "type": "string" + ] }, + "type": "array", "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", + "required": false, "default": [ "header", "query", "body" - ], - "type": "array" + ] } }, { "id_token_param_type": { - "required": false, "elements": { + "type": "string", "one_of": [ "header", "query", "body" - ], - "type": "string" + ] }, + "type": "array", "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", + "required": false, "default": [ "header", "query", "body" - ], - "type": "array" + ] } }, { 
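Review bot: The `bearer_token_param_type` description in the `@@ -1521,23 +1604,23 @@` hunk lists `query` as a search location, and the default enables it, without saying that credentials carried in a URL query string tend to be recorded in access logs, browser history and `Referer` headers. The same default of `header`, `query`, `body` appears for `client_credentials_param_type`, `password_param_type` and `id_token_param_type` in the next hunk, and for `refresh_token_param_type` in the `@@ -1616,22 +1699,22 @@` hunk. I would add one sentence to each description in the plugin schema, such as `Restrict this list to header (and body where needed) unless query-string credentials are required, because URLs are commonly logged.`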
@@ -1616,22 +1699,22 @@ }, { "refresh_token_param_type": { - "required": false, "elements": { + "type": "string", "one_of": [ "header", "query", "body" - ], - "type": "string" + ] }, + "type": "array", "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", + "required": false, "default": [ "header", "query", "body" - ], - "type": "array" + ] } }, { @@ -1643,38 +1726,38 @@ }, { "refresh_tokens": { - "required": false, - "type": "boolean", "default": true, - "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available." + "type": "boolean", + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "required": false } }, { "upstream_headers_claims": { "required": false, "type": "array", + "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - }, - "description": "The upstream header claims." + } } }, { "upstream_headers_names": { "required": false, "type": "array", + "description": "The upstream header names for the claim values.", "elements": { "type": "string" - }, - "description": "The upstream header names for the claim values." + } } }, { "upstream_access_token_header": { - "required": false, - "type": "string", "default": "authorization:bearer", - "description": "The upstream access token header." + "type": "string", + "description": "The upstream access token header.", + "required": false } }, { 
@@ -1743,20 +1826,20 @@ "downstream_headers_claims": { "required": false, "type": "array", + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - }, - "description": "The downstream header claims." + } } }, { "downstream_headers_names": { "required": false, "type": "array", + "description": "The downstream header names for the claim values.", "elements": { "type": "string" - }, - "description": "The downstream header names for the claim values." + } } }, { @@ -1830,8 +1913,8 @@ }, { "login_methods": { - "required": false, "elements": { + "type": "string", "one_of": [ "password", "client_credentials", 
@@ -1842,59 +1925,59 @@ "kong_oauth2", "refresh_token", "session" - ], - "type": "string" + ] }, + "type": "array", "description": "Enable login functionality with specified grants.", + "required": false, "default": [ "authorization_code" - ], - "type": "array" + ] } }, { "login_action": { + "type": "string", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location", + "default": "upstream", "required": false, "one_of": [ "upstream", "response", "redirect" - ], - "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location", - "default": "upstream", - "type": "string" + ] } }, { "login_tokens": { - "required": false, "elements": { + "type": "string", "one_of": [ "id_token", "access_token", "refresh_token", "tokens", "introspection" - ], - "type": "string" + ] }, + "type": "array", "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response", + "required": false, "default": [ "id_token" - ], - "type": "array" + ] } }, { "login_redirect_mode": { + "type": "string", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)", + "default": "fragment", "required": false, "one_of": [ "query", "fragment" - ], - "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)", - "default": 
"fragment", - "type": "string" + ] } }, { 
@@ -1920,95 +2003,95 @@ }, { "logout_methods": { - "required": false, "elements": { + "type": "string", "one_of": [ "POST", "GET", "DELETE" - ], - "type": "string" + ] }, + "type": "array", "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method", + "required": false, "default": [ "POST", "DELETE" - ], - "type": "array" + ] } }, { "logout_revoke": { - "required": false, - "type": "boolean", "default": false, - "description": "Revoke tokens as part of the logout." + "type": "boolean", + "description": "Revoke tokens as part of the logout.", + "required": false } }, { "logout_revoke_access_token": { - "required": false, - "type": "boolean", "default": true, - "description": "Revoke the access token as part of the logout." + "type": "boolean", + "description": "Revoke the access token as part of the logout.", + "required": false } }, { "logout_revoke_refresh_token": { - "required": false, - "type": "boolean", "default": true, - "description": "Revoke the refresh token as part of the logout." + "type": "boolean", + "description": "Revoke the refresh token as part of the logout.", + "required": false } }, { "consumer_claim": { "required": false, "type": "array", + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - }, - "description": "The claim used for consumer mapping." 
+ } } }, { "consumer_by": { - "required": false, "elements": { + "type": "string", "one_of": [ "id", "username", "custom_id" - ], - "type": "string" + ] }, + "type": "array", "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`", + "required": false, "default": [ "username", "custom_id" - ], - "type": "array" + ] } }, { "consumer_optional": { - "required": false, - "type": "boolean", "default": false, - "description": "Do not terminate the request if consumer mapping fails." + "type": "boolean", + "description": "Do not terminate the request if consumer mapping fails.", + "required": false } }, { "credential_claim": { - "required": false, "elements": { "type": "string" }, - "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used.", + "type": "array", + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, "default": [ "sub" - ], - "type": "array" + ] } }, { 
@@ -2020,56 +2103,56 @@ }, { "run_on_preflight": { - "required": false, - "type": "boolean", "default": true, - "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests." + "type": "boolean", + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "required": false } }, { "leeway": { - "required": false, - "type": "number", "default": 0, - "description": "Allow some leeway (in seconds) on the iat claim and ttl / expiry verification." + "type": "number", + "description": "Allow some leeway (in seconds) on the iat claim and ttl / expiry verification.", + "required": false } }, { "verify_parameters": { - "required": false, - "type": "boolean", "default": false, - "description": "Verify plugin configuration against discovery." + "type": "boolean", + "description": "Verify plugin configuration against discovery.", + "required": false } }, { "verify_nonce": { - "required": false, - "type": "boolean", "default": true, - "description": "Verify nonce on authorization code flow." + "type": "boolean", + "description": "Verify nonce on authorization code flow.", + "required": false } }, { "verify_claims": { - "required": false, - "type": "boolean", "default": true, - "description": "Verify tokens for standard claims." + "type": "boolean", + "description": "Verify tokens for standard claims.", + "required": false } }, { "verify_signature": { - "required": false, - "type": "boolean", "default": true, - "description": "Verify signature of tokens." + "type": "boolean", + "description": "Verify signature of tokens.", + "required": false } }, { "ignore_signature": { - "required": false, "elements": { + "type": "string", "one_of": [ "password", "client_credentials", 
@@ -2078,29 +2161,31 @@ "session", "introspection", "userinfo" - ], - "type": "string" + ] }, + "type": "array", "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication", + "required": false, "default": [ - ], - "type": "array" + ] } }, { "enable_hs_signatures": { - "required": false, - "type": "boolean", "default": false, - "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted)." + "type": "boolean", + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "required": false } }, { "disable_session": { "required": false, "type": "array", + "description": "Disable issuing the session cookie with the specified grants.", "elements": { + "type": "string", "one_of": [ "password", "client_credentials", @@ -2111,18 +2196,16 @@ "kong_oauth2", "refresh_token", "session" - ], - "type": "string" - }, - "description": "Disable issuing the session cookie with the specified grants." + ] + } } }, { "cache_ttl": { - "required": false, - "type": "number", "default": 3600, - "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry." + "type": "number", + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "required": false } }, { @@ -2155,10 +2238,10 @@ }, { "cache_tokens": { - "required": false, - "type": "boolean", "default": true, - "description": "Cache the token endpoint requests." + "type": "boolean", + "description": "Cache the token endpoint requests.", + "required": false } }, { 
@@ -2171,57 +2254,57 @@ }, { "cache_introspection": { - "required": false, - "type": "boolean", "default": true, - "description": "Cache the introspection endpoint requests." + "type": "boolean", + "description": "Cache the introspection endpoint requests.", + "required": false } }, { "cache_token_exchange": { - "required": false, - "type": "boolean", "default": true, - "description": "Cache the token exchange endpoint requests." + "type": "boolean", + "description": "Cache the token exchange endpoint requests.", + "required": false } }, { "cache_user_info": { - "required": false, - "type": "boolean", "default": true, - "description": "Cache the user info requests." + "type": "boolean", + "description": "Cache the user info requests.", + "required": false } }, { "search_user_info": { - "required": false, - "type": "boolean", "default": false, - "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers." + "type": "boolean", + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "required": false } }, { "hide_credentials": { - "required": false, - "type": "boolean", "default": false, - "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication." + "type": "boolean", + "description": "Remove the credentials used for authentication from the request. 
If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "required": false } }, { "http_version": { - "required": false, - "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0", "default": 1.1, - "type": "number" + "type": "number", + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0", + "required": false } }, { "http_proxy": { "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { @@ -2234,8 +2317,8 @@ { "https_proxy": { "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { 
@@ -2254,173 +2337,109 @@ }, { "keepalive": { - "required": false, - "type": "boolean", "default": true, - "description": "Use keepalive with the HTTP client." + "type": "boolean", + "description": "Use keepalive with the HTTP client.", + "required": false } }, { "ssl_verify": { - "required": false, - "type": "boolean", "default": false, - "description": "Verify identity provider server certificate." + "type": "boolean", + "description": "Verify identity provider server certificate.", + "required": false } }, { "timeout": { - "required": false, - "type": "number", "default": 10000, - "description": "Network IO timeout in milliseconds." + "type": "number", + "description": "Network IO timeout in milliseconds.", + "required": false } }, { "display_errors": { - "required": false, - "type": "boolean", "default": false, - "description": "Display errors on failure responses." + "type": "boolean", + "description": "Display errors on failure responses.", + "required": false } }, { "by_username_ignore_case": { - "required": false, - "type": "boolean", "default": false, - "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively." + "type": "boolean", + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "required": false } }, { "resolve_distributed_claims": { - "required": false, - "type": "boolean", "default": false, - "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims." + "type": "boolean", + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. 
If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "required": false } }, { "expose_error_code": { - "type": "boolean", "default": true, + "type": "boolean", "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable." } }, { "token_cache_key_include_scope": { - "type": "boolean", "default": false, + "type": "boolean", "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens." } }, { "introspection_token_param_name": { - "required": false, - "type": "string", "default": "token", - "description": "Designate token's parameter name for introspection." + "type": "string", + "description": "Designate token's parameter name for introspection.", + "required": false } }, { "using_pseudo_issuer": { - "type": "boolean", "default": false, + "type": "boolean", "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL." } }, { "revocation_token_param_name": { - "required": false, - "type": "string", "default": "token", - "description": "Designate token's parameter name for revocation." 
- } - } - ], - "shorthand_fields": [ - { - "authorization_cookie_lifetime": { - "type": "number" - } - }, - { - "authorization_cookie_samesite": { - "type": "string" - } - }, - { - "authorization_cookie_httponly": { - "type": "boolean" - } - }, - { - "session_cookie_lifetime": { - "type": "number" - } - }, - { - "session_cookie_idletime": { - "type": "number" - } - }, - { - "session_cookie_samesite": { - "type": "string" - } - }, - { - "session_cookie_httponly": { - "type": "boolean" - } - }, - { - "session_memcache_prefix": { - "type": "string" - } - }, - { - "session_memcache_socket": { - "type": "string" - } - }, - { - "session_memcache_host": { - "type": "string" - } - }, - { - "session_memcache_port": { - "type": "integer" - } - }, - { - "session_redis_cluster_maxredirections": { - "type": "integer" - } - }, - { - "session_cookie_renew": { - "type": "number" - } - }, - { - "session_cookie_maxsize": { - "type": "integer" + "type": "string", + "description": "Designate token's parameter name for revocation.", + "required": false } }, { - "session_strategy": { - "type": "string" + "proof_of_possession_mtls": { + "default": "off", + "type": "string", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", + "one_of": [ + "off", + "strict", + "optional" + ] } }, { - "session_compressor": { - "type": "string" + "proof_of_possession_auth_methods_validation": { + "default": true, + "type": "boolean", + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. 
If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP." } } - ], - "type": "record" + ] } } ], diff --git a/schemas/opentelemetry/3.5.x.json b/schemas/opentelemetry/3.5.x.json index 29e0f1b5..080800db 100644 --- a/schemas/opentelemetry/3.5.x.json +++ b/schemas/opentelemetry/3.5.x.json 
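Review bot: The new `proof_of_possession_mtls` description says `optional` verifies only tokens that carry the certificate hash claim, but not what happens to a token without it. Likewise, `proof_of_possession_auth_methods_validation` set to `false` lets the check be skipped silently for incompatible auth methods. A reader choosing between `strict` and `optional` needs that spelled out; I would append something like `With optional, tokens that lack the claim are not bound to the client certificate.` once the behaviour is confirmed in the plugin source. In the same hunk `ssl_verify` keeps `"default": false` under `Verify identity provider server certificate.`, which would read better as `Verify the identity provider's server certificate (off by default).`. The hunk also deletes the whole `shorthand_fields` list in between key reorderings, so the commit message should say whether that is intended; the wording fixes belong in the upstream schema, since this file is downloaded.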
@@ -2,83 +2,94 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "batch_span_count", + "batch_flush_delay" + ] + } + } + ], "fields": [ { "endpoint": { "required": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "referenceable": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" } }, { "headers": { - "type": "map", - "keys": { + "values": { "type": "string", - "description": "A string representing an HTTP header name." + "referenceable": true }, - "values": { - "referenceable": true, + "type": "map", + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", + "keys": { + "description": "A string representing an HTTP header name.", "type": "string" - }, - "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend." 
+ } } }, { "resource_attributes": { - "keys": { + "values": { "required": true, "type": "string" }, - "values": { + "type": "map", + "keys": { "required": true, "type": "string" - }, - "type": "map" + } } }, { "queue": { "required": true, + "type": "record", "fields": [ { "max_batch_size": { + "default": 1, "type": "integer", "description": "Maximum number of entries that can be processed at a time.", - "default": 1, "between": [ 1, 1000000 @@ -87,9 +98,9 @@ }, { "max_coalescing_delay": { + "default": 1, "type": "number", "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "default": 1, "between": [ 0, 3600 @@ -98,9 +109,9 @@ }, { "max_entries": { + "default": 10000, "type": "integer", "description": "Maximum number of entries that can be waiting on the queue.", - "default": 10000, "between": [ 1, 1000000 @@ -109,22 +120,22 @@ }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { - "type": "number", "default": 60, + "type": "number", "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { + "default": 0.01, "type": "number", "description": "Time in seconds before the initial retry is made for a failing batch.", - "default": 0.01, "between": [ 0.001, 1000000 @@ -133,17 +144,16 @@ }, { "max_retry_delay": { + "default": 60, "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ], - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff." + ] } } - ], - "type": "record" + ] } }, { 
@@ -160,35 +170,35 @@ }, { "connect_timeout": { + "default": 1000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "default": 1000, - "type": "integer" + ] } }, { "send_timeout": { + "default": 5000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "default": 5000, - "type": "integer" + ] } }, { "read_timeout": { + "default": 5000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "default": 5000, - "type": "integer" + ] } }, { @@ -199,6 +209,8 @@ { "header_type": { "required": false, + "type": "string", + "default": "preserve", "one_of": [ "preserve", "ignore", @@ -210,18 +222,6 @@ "aws", "gcp", "datadog" - ], - "default": "preserve", - "type": "string" - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "batch_span_count", - "batch_flush_delay" ] } } diff --git a/schemas/post-function/3.5.x.json b/schemas/post-function/3.5.x.json index 4daa34eb..45616adc 100644 --- a/schemas/post-function/3.5.x.json +++ b/schemas/post-function/3.5.x.json @@ -3,7 +3,9 @@ { "protocols": { "required": false, + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", @@ -11,8 +13,7 @@ "https", "ws", "wss" - ], - "type": "string" + ] }, "default": [ "grpc", 
@@ -21,29 +22,27 @@ "https", "ws", "wss" - ], - "type": "set" + ] } }, { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "protocols": { - "required": true, "elements": { "one_of": [ "grpc", 
@@ -57,155 +56,156 @@ "ws", "wss" ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string" }, "type": "set", + "description": "A set of strings representing protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "config": { "required": true, + "type": "record", "fields": [ { "certificate": { "required": true, - "elements": { - "required": false, - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "required": false, + "type": "string" + } } }, { "rewrite": { "required": true, - "elements": { - "required": false, - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "required": false, + "type": "string" + } } }, { "access": { "required": true, - "elements": { - "required": false, - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "required": false, + "type": "string" + } } }, { "header_filter": { "required": true, - "elements": { - "required": false, - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "required": false, + "type": "string" + } } }, { "body_filter": { "required": true, - "elements": { - "required": false, - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "required": false, + "type": "string" + } } }, { "log": { "required": true, - "elements": { - "required": false, - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "required": false, + "type": "string" + } } }, { "ws_handshake": { "required": true, - "elements": { - "required": false, - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "required": false, + "type": 
"string" + } } }, { "ws_client_frame": { "required": true, - "elements": { - "required": false, - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "required": false, + "type": "string" + } } }, { "ws_upstream_frame": { "required": true, - "elements": { - "required": false, - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "required": false, + "type": "string" + } } }, { "ws_close": { "required": true, - "elements": { - "required": false, - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "required": false, + "type": "string" + } } } - ], - "type": "record" + ] } } ], diff --git a/schemas/pre-function/3.5.x.json b/schemas/pre-function/3.5.x.json index 4daa34eb..45616adc 100644 --- a/schemas/pre-function/3.5.x.json +++ b/schemas/pre-function/3.5.x.json @@ -3,7 +3,9 @@ { "protocols": { "required": false, + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", @@ -11,8 +13,7 @@ "https", "ws", "wss" - ], - "type": "string" + ] }, "default": [ "grpc", @@ -21,29 +22,27 @@ "https", "ws", "wss" - ], - "type": "set" + ] } }, { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "protocols": { - "required": true, "elements": { "one_of": [ "grpc", 
@@ -57,155 +56,156 @@ "ws", "wss" ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string" }, "type": "set", + "description": "A set of strings representing protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "config": { "required": true, + "type": "record", "fields": [ { "certificate": { "required": true, - "elements": { - "required": false, - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "required": false, + "type": "string" + } } }, { "rewrite": { "required": true, - "elements": { - "required": false, - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "required": false, + "type": "string" + } } }, { "access": { "required": true, - "elements": { - "required": false, - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "required": false, + "type": "string" + } } }, { "header_filter": { "required": true, - "elements": { - "required": false, - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "required": false, + "type": "string" + } } }, { "body_filter": { "required": true, - "elements": { - "required": false, - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "required": false, + "type": "string" + } } }, { "log": { "required": true, - "elements": { - "required": false, - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "required": false, + "type": "string" + } } }, { "ws_handshake": { "required": true, - "elements": { - "required": false, - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "required": false, + "type": 
"string" + } } }, { "ws_client_frame": { "required": true, - "elements": { - "required": false, - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "required": false, + "type": "string" + } } }, { "ws_upstream_frame": { "required": true, - "elements": { - "required": false, - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "required": false, + "type": "string" + } } }, { "ws_close": { "required": true, - "elements": { - "required": false, - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "required": false, + "type": "string" + } } } - ], - "type": "record" + ] } } ], diff --git a/schemas/prometheus/3.5.x.json b/schemas/prometheus/3.5.x.json index 9ca74ac5..de535d24 100644 --- a/schemas/prometheus/3.5.x.json +++ b/schemas/prometheus/3.5.x.json @@ -2,7 +2,6 @@ "fields": [ { "protocols": { - "required": true, "elements": { "one_of": [ "grpc", 
@@ -16,68 +15,69 @@ "ws", "wss" ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string" }, "type": "set", + "description": "A set of strings representing protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "per_consumer": { - "type": "boolean", "default": false, + "type": "boolean", "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available." } }, { "status_code_metrics": { - "type": "boolean", "default": false, + "type": "boolean", "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported." } }, { "latency_metrics": { - "type": "boolean", "default": false, + "type": "boolean", "description": "A boolean value that determines if status code metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported." } }, { "bandwidth_metrics": { - "type": "boolean", "default": false, + "type": "boolean", "description": "A boolean value that determines if status code metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported." 
} }, { "upstream_health_metrics": { - "type": "boolean", "default": false, + "type": "boolean", "description": "A boolean value that determines if status code metrics should be collected. If enabled, `upstream_target_health` metric will be exported." } } - ], - "type": "record" + ] } } ], diff --git a/schemas/proxy-cache-advanced/3.5.x.json b/schemas/proxy-cache-advanced/3.5.x.json index 3cccf765..a235d788 100644 --- a/schemas/proxy-cache-advanced/3.5.x.json +++ b/schemas/proxy-cache-advanced/3.5.x.json 
@@ -2,126 +2,127 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "response_code": { - "required": true, "len_min": 1, - "elements": { - "type": "integer", - "between": [ - 100, - 900 - ] - }, "type": "array", + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", + "required": true, "default": [ 200, 301, 404 ], - "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900." + "elements": { + "between": [ + 100, + 900 + ], + "type": "integer" + } } }, { "request_method": { - "required": true, "elements": { + "type": "string", "one_of": [ "HEAD", "GET", "POST", "PATCH", "PUT" - ], - "type": "string" + ] }, "type": "array", + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", + "required": true, "default": [ "GET", "HEAD" - ], - "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`." + ] } }, { "content_type": { - "required": true, "elements": { "type": "string" }, "type": "array", + "description": "Upstream response content types considered cacheable. 
The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", + "required": true, "default": [ "text/plain", "application/json" - ], - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned." + ] } }, { "cache_ttl": { + "default": 300, "gt": 0, "description": "TTL in seconds of cache entities.", - "default": 300, "type": "integer" } }, { "strategy": { "required": true, + "type": "string", "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", "one_of": [ "memory", "redis" - ], - "type": "string" + ] } }, { "cache_control": { - "required": true, - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "required": true } }, { "ignore_uri_case": { - "required": false, - "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", + "required": false } }, { 
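Review bot: `cache_control` keeps `"default": false` while `response_code`, `request_method` and `content_type` all ship cacheable defaults, so a plugin enabled with defaults presumably stores matching responses without consulting upstream `Cache-Control` directives such as `private` or `no-store`. The description only covers the enabled case; I would append a sentence along the lines of `When disabled (the default), upstream Cache-Control directives are not consulted when deciding whether to store a response.`, to be confirmed against the plugin's behaviour. The same field with the same default appears in the `schemas/proxy-cache/3.5.x.json` hunk further down. The `config` record continues past the end of this hunk.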
@@ -133,17 +134,17 @@ { "memory": { "required": true, + "type": "record", "fields": [ { "dictionary_name": { "required": true, + "type": "string", "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", - "default": "kong_db_cache", - "type": "string" + "default": "kong_db_cache" } } - ], - "type": "record" + ] } }, { @@ -168,6 +169,7 @@ "response_headers": { "required": true, "type": "record", + "description": "Caching related diagnostic headers that should be included in cached responses", "fields": [ { "age": { @@ -187,19 +189,76 @@ "type": "boolean" } } - ], - "description": "Caching related diagnostic headers that should be included in cached responses" + ] } }, { "redis": { "required": true, "type": "record", + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_addresses" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ], "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { 
@@ -208,19 +267,19 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "timeout": { + "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "default": 2000, - "type": "integer" + ] } }, { @@ -229,8 +288,8 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -239,8 +298,8 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { 
@@ -249,198 +308,139 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { "referenceable": true, - "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "type": "string" } }, { "password": { "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "type": "string" } }, { "sentinel_username": { "referenceable": true, - "type": "string", - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" } }, { "sentinel_password": { "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "referenceable": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", "type": "string" } }, { "database": { - "type": "integer", "default": 0, + "type": "integer", "description": "Database to use for the Redis connection when using the `redis` strategy" } }, { "keepalive_pool_size": { + "default": 256, "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 - ], - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + ] } }, { "keepalive_backlog": { - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 ], - "type": "integer" + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string" + ] } }, { "sentinel_addresses": { + "len_min": 1, + "type": "array", + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" - }, - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", - "type": "array", - "len_min": 1 + } } }, { "cluster_addresses": { + "len_min": 1, + "type": "array", + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. 
The minimum length of the array is 1 element.", "elements": { "type": "string" - }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", - "type": "array", - "len_min": 1 + } } }, { "ssl": { "required": false, "type": "boolean", - "default": false, - "description": "If set to true, uses SSL to connect to Redis." + "description": "If set to true, uses SSL to connect to Redis.", + "default": false } }, { "ssl_verify": { "required": false, "type": "boolean", - "default": false, - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false } }, { "server_name": { "required": false, - "description": "A string representing an SNI (server name indication) value for TLS.", - "type": "string" - } - } - ], - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ], - "set2": [ - "host", - "port" - ] - } - }, - { - "mutually_exclusive_sets": { - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ], - "set2": [ - "cluster_addresses" - ] - } - }, - { - "mutually_exclusive_sets": { - "set1": [ - "cluster_addresses" - ], - "set2": [ - "host", - "port" - ] + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS." } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] } ] } }, { "bypass_on_err": { - "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream." } } - ], - "type": "record" + ] } } ], diff --git a/schemas/proxy-cache/3.5.x.json b/schemas/proxy-cache/3.5.x.json index ed75cf88..188e644c 100644 --- a/schemas/proxy-cache/3.5.x.json +++ b/schemas/proxy-cache/3.5.x.json @@ -2,7 +2,6 @@ "fields": [ { "protocols": { - "required": true, "elements": { "one_of": [ "grpc", 
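Review bot: In the `redis` record of `proxy-cache-advanced`, `ssl` and `ssl_verify` both default to `false`, and neither description says what that means for the connection. `password` and `sentinel_password` are marked `encrypted` and `referenceable`, which presumably protects the stored value only; with the defaults the credential and the cached content travel to Redis unencrypted, and with `ssl` alone the server certificate is not checked. I would add to `ssl_verify` a sentence such as `When false, the Redis server certificate is not validated, so the connection does not authenticate the server.` and to `ssl` `When false, Redis credentials and cached data are sent unencrypted.`. None of the `entity_checks` shown for this record relates the two flags, so `ssl_verify: true` with `ssl: false` appears to be accepted silently. The `redis` record starts in an earlier hunk.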
@@ -16,139 +15,141 @@ "ws", "wss" ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string" }, "type": "set", + "description": "A set of strings representing protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "response_code": { - "required": true, "len_min": 1, - "elements": { - "type": "integer", - "between": [ - 100, - 900 - ] - }, + "type": "array", "description": "Upstream response status code considered cacheable.", + "required": true, "default": [ 200, 301, 404 ], - "type": "array" + "elements": { + "between": [ + 100, + 900 + ], + "type": "integer" + } } }, { "request_method": { - "required": true, "elements": { + "type": "string", "one_of": [ "HEAD", "GET", "POST", "PATCH", "PUT" - ], - "type": "string" + ] }, + "type": "array", "description": "Downstream request methods considered cacheable.", + "required": true, "default": [ "GET", "HEAD" - ], - "type": "array" + ] } }, { "content_type": { - "required": true, "elements": { "type": "string" }, + "type": "array", "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", + "required": true, "default": [ "text/plain", "application/json" - ], - "type": "array" + ] } }, { "cache_ttl": { - "gt": 0, - "type": "integer", "default": 300, - "description": "TTL, in seconds, of cache entities." 
+ "type": "integer", + "description": "TTL, in seconds, of cache entities.", + "gt": 0 } }, { "strategy": { "required": true, "type": "string", + "description": "The backing data store in which to hold cache entities.", "one_of": [ "memory" - ], - "description": "The backing data store in which to hold cache entities." + ] } }, { "cache_control": { - "required": true, - "type": "boolean", "default": false, - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234." + "type": "boolean", + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "required": true } }, { "ignore_uri_case": { - "required": false, "default": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "storage_ttl": { - "type": "integer", - "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" } }, { "memory": { "required": true, + "type": "record", "fields": [ { "dictionary_name": { - "required": true, - "type": "string", "default": "kong_db_cache", - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template." + "type": "string", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "required": true } } - ], - "type": "record" + ] } }, { 
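Review bot: `ignore_uri_case` in the `proxy-cache` `config` record has no `description`, while the `proxy-cache-advanced` schema earlier in this patch documents the same field. That text can be reused as is: `"description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI."`. It is also worth stating that enabling it makes URIs that differ only in case share one cache entry, which returns the wrong response when the upstream routes case-sensitively. The `config` record continues past this hunk.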
@@ -156,8 +157,8 @@ "elements": { "type": "string" }, - "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", - "type": "array" + "type": "array", + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration." } }, { @@ -165,13 +166,14 @@ "elements": { "type": "string" }, - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", - "type": "array" + "type": "array", + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." } }, { "response_headers": { "required": true, + "type": "record", "description": "Caching related diagnostic headers that should be included in cached responses", "fields": [ { @@ -192,12 +194,10 @@ "type": "boolean" } } - ], - "type": "record" + ] } } - ], - "type": "record" + ] } } ], diff --git a/schemas/rate-limiting-advanced/3.5.x.json b/schemas/rate-limiting-advanced/3.5.x.json index dc063492..fe30aaba 100644 --- a/schemas/rate-limiting-advanced/3.5.x.json +++ b/schemas/rate-limiting-advanced/3.5.x.json 
@@ -2,33 +2,37 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { "required": true, + "type": "record", "fields": [ { "identifier": { + "type": "string", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, or `path`.", "required": true, + "default": "consumer", "one_of": [ "ip", "credential", 
@@ -36,100 +40,98 @@ "service", "header", "path" - ], - "type": "string", - "default": "consumer", - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, or `path`." + ] } }, { "window_size": { "required": true, "type": "array", + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" - }, - "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified." + } } }, { "window_type": { + "default": "sliding", + "type": "string", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", "one_of": [ "fixed", "sliding" - ], - "type": "string", - "default": "sliding", - "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters." + ] } }, { "limit": { "required": true, "type": "array", + "description": "One or more requests-per-window limits to apply. 
There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" - }, - "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified." + } } }, { "sync_rate": { - "type": "number", - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" } }, { "namespace": { "required": true, "type": "string", - "auto": true, - "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same." + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", + "auto": true } }, { "strategy": { + "type": "string", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. 
Available values are: `local` and `cluster`.", "required": true, + "default": "local", "one_of": [ "cluster", "redis", "local" - ], - "type": "string", - "default": "local", - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`." + ] } }, { "dictionary_name": { - "required": true, - "type": "string", "default": "kong_rate_limiting_counters", - "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle." + "type": "string", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "required": true } }, { "hide_client_headers": { - "type": "boolean", "default": false, + "type": "boolean", "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters." } }, { "retry_after_jitter_max": { - "type": "number", "default": 0, + "type": "number", "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header." } }, { "header_name": { - "type": "string", - "description": "A string representing an HTTP header name." 
+ "description": "A string representing an HTTP header name.", + "type": "string" } }, { "path": { + "starts_with": "/", "type": "string", "match_none": [ { @@ -137,19 +139,76 @@ "err": "must not have empty segments" } ], - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "starts_with": "/" + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "redis": { "required": true, "type": "record", + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_addresses" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ], "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { 
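Review bot: The `strategy` description in the `rate-limiting-advanced` hunk starting at `@@ -36,100 +40,98 @@` says the available values are `local` and `cluster`, but the `one_of` list directly below it accepts `cluster`, `redis` and `local`, and the `dictionary_name` description already refers to `config.strategy` being `cluster` or `redis`. The sentence should list all three values. Since the default is `local`, the description could also say that counters then presumably live in each node's memory only, so the effective limit across a multi-node deployment is higher than the configured one; that should be confirmed against the plugin before it is written down. The `config` record starts in the previous hunk.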
@@ -158,19 +217,19 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "timeout": { + "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "default": 2000, - "type": "integer" + ] } }, { @@ -179,8 +238,8 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -189,8 +248,8 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { 
@@ -199,193 +258,135 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { "referenceable": true, - "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "type": "string" } }, { "password": { "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "type": "string" } }, { "sentinel_username": { "referenceable": true, - "type": "string", - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" } }, { "sentinel_password": { "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "referenceable": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", "type": "string" } }, { "database": { - "type": "integer", "default": 0, + "type": "integer", "description": "Database to use for the Redis connection when using the `redis` strategy" } }, { "keepalive_pool_size": { + "default": 256, "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 - ], - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + ] } }, { "keepalive_backlog": { - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 ], - "type": "integer" + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string" + ] } }, { "sentinel_addresses": { + "len_min": 1, + "type": "array", + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" - }, - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", - "type": "array", - "len_min": 1 + } } }, { "cluster_addresses": { + "len_min": 1, + "type": "array", + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. 
The minimum length of the array is 1 element.", "elements": { "type": "string" - }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", - "type": "array", - "len_min": 1 + } } }, { "ssl": { "required": false, "type": "boolean", - "default": false, - "description": "If set to true, uses SSL to connect to Redis." + "description": "If set to true, uses SSL to connect to Redis.", + "default": false } }, { "ssl_verify": { "required": false, "type": "boolean", - "default": false, - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false } }, { "server_name": { "required": false, - "description": "A string representing an SNI (server name indication) value for TLS.", - "type": "string" - } - } - ], - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ], - "set2": [ - "host", - "port" - ] - } - }, - { - "mutually_exclusive_sets": { - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ], - "set2": [ - "cluster_addresses" - ] - } - }, - { - "mutually_exclusive_sets": { - "set1": [ - "cluster_addresses" - ], - "set2": [ - "host", - "port" - ] + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS." } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] } ] } }, { "enforce_consumer_groups": { - "type": "boolean", "default": false, + "type": "boolean", "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups." } }, 
@@ -394,34 +395,33 @@ "elements": { "type": "string" }, - "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", - "type": "array" + "type": "array", + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`." } }, { "disable_penalty": { - "type": "boolean", "default": false, + "type": "boolean", "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type." } }, { "error_code": { - "gt": 0, - "type": "number", "default": 429, - "description": "Set a custom error code to return when the rate limit is exceeded." + "type": "number", + "description": "Set a custom error code to return when the rate limit is exceeded.", + "gt": 0 } }, { "error_message": { - "type": "string", "default": "API rate limit exceeded", + "type": "string", "description": "Set a custom error message to return when the rate limit is exceeded." } } - ], - "type": "record" + ] } } ], diff --git a/schemas/rate-limiting/3.5.x.json b/schemas/rate-limiting/3.5.x.json index 5f6b7f18..4476af38 100644 --- a/schemas/rate-limiting/3.5.x.json +++ b/schemas/rate-limiting/3.5.x.json 
@@ -2,82 +2,86 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "second": { "gt": 0, - "type": "number", - "description": "The number of HTTP requests that can be made per second." + "description": "The number of HTTP requests that can be made per second.", + "type": "number" } }, { "minute": { "gt": 0, - "type": "number", - "description": "The number of HTTP requests that can be made per minute." + "description": "The number of HTTP requests that can be made per minute.", + "type": "number" } }, { "hour": { "gt": 0, - "type": "number", - "description": "The number of HTTP requests that can be made per hour." + "description": "The number of HTTP requests that can be made per hour.", + "type": "number" } }, { "day": { "gt": 0, - "type": "number", - "description": "The number of HTTP requests that can be made per day." + "description": "The number of HTTP requests that can be made per day.", + "type": "number" } }, { "month": { "gt": 0, - "type": "number", - "description": "The number of HTTP requests that can be made per month." + "description": "The number of HTTP requests that can be made per month.", + "type": "number" } }, { "year": { "gt": 0, - "type": "number", - "description": "The number of HTTP requests that can be made per year." 
+ "description": "The number of HTTP requests that can be made per year.", + "type": "number" } }, { "limit_by": { + "default": "consumer", + "type": "string", + "description": "The entity that is used when aggregating the limits.", "one_of": [ "consumer", "credential", @@ -85,20 +89,18 @@ "service", "header", "path" - ], - "type": "string", - "default": "consumer", - "description": "The entity that is used when aggregating the limits." + ] } }, { "header_name": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } }, { "path": { + "starts_with": "/", "type": "string", "match_none": [ { 
@@ -106,132 +108,130 @@ "err": "must not have empty segments" } ], - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "starts_with": "/" + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "policy": { "len_min": 0, + "type": "string", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "default": "local", "one_of": [ "local", "cluster", "redis" - ], - "type": "string", - "default": "local", - "description": "The rate-limiting policies to use for retrieving and incrementing the limits." + ] } }, { "fault_tolerant": { - "required": true, - "type": "boolean", "default": true, - "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors." + "type": "boolean", + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", + "required": true } }, { "redis_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." 
+ "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "redis_port": { + "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "default": 6379, - "type": "integer" + ] } }, { "redis_password": { - "referenceable": true, "len_min": 0, - "type": "string", - "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server." + "referenceable": true, + "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", + "type": "string" } }, { "redis_username": { - "referenceable": true, "type": "string", - "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired." + "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.", + "referenceable": true } }, { "redis_ssl": { - "required": true, - "type": "boolean", "default": false, - "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server." + "type": "boolean", + "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server.", + "required": true } }, { "redis_ssl_verify": { - "required": true, - "type": "boolean", "default": false, - "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies it server SSL certificate is validated. Note that you need to configure the lua_ssl_trusted_certificate to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly." 
+ "type": "boolean", + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies it server SSL certificate is validated. Note that you need to configure the lua_ssl_trusted_certificate to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.", + "required": true } }, { "redis_server_name": { - "type": "string", - "description": "A string representing an SNI (server name indication) value for TLS." + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" } }, { "redis_timeout": { - "type": "number", "default": 2000, + "type": "number", "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server." } }, { "redis_database": { - "type": "integer", "default": 0, + "type": "integer", "description": "When using the `redis` policy, this property specifies the Redis database to use." } }, { "hide_client_headers": { - "required": true, - "type": "boolean", "default": false, - "description": "Optionally hide informative response headers." + "type": "boolean", + "description": "Optionally hide informative response headers.", + "required": true } }, { "error_code": { - "gt": 0, - "type": "number", "default": 429, - "description": "Set a custom error code to return when the rate limit is exceeded." + "type": "number", + "description": "Set a custom error code to return when the rate limit is exceeded.", + "gt": 0 } }, { "error_message": { - "type": "string", "default": "API rate limit exceeded", + "type": "string", "description": "Set a custom error message to return when the rate limit is exceeded." } }, { "sync_rate": { - "required": true, - "type": "number", "default": -1, - "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior." 
+ "type": "number", + "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior.", + "required": true } } - ], - "type": "record" + ] } } ], @@ -249,61 +249,61 @@ { "conditional": { "then_field": "config.redis_host", - "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, "then_match": { "required": true }, - "if_match": { - "eq": "redis" - } + "if_field": "config.policy" } }, { "conditional": { "then_field": "config.redis_port", - "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, "then_match": { "required": true }, - "if_match": { - "eq": "redis" - } + "if_field": "config.policy" } }, { "conditional": { "then_field": "config.header_name", - "if_field": "config.limit_by", + "if_match": { + "eq": "header" + }, "then_match": { "required": true }, - "if_match": { - "eq": "header" - } + "if_field": "config.limit_by" } }, { "conditional": { "then_field": "config.path", - "if_field": "config.limit_by", + "if_match": { + "eq": "path" + }, "then_match": { "required": true }, - "if_match": { - "eq": "path" - } + "if_field": "config.limit_by" } }, { "conditional": { "then_field": "config.redis_timeout", - "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, "then_match": { "required": true }, - "if_match": { - "eq": "redis" - } + "if_field": "config.policy" } } ] diff --git a/schemas/request-size-limiting/3.5.x.json b/schemas/request-size-limiting/3.5.x.json index 7ca10101..168c1cb6 100644 --- a/schemas/request-size-limiting/3.5.x.json +++ b/schemas/request-size-limiting/3.5.x.json 
@@ -2,68 +2,68 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "allowed_payload_size": { - "type": "integer", "default": 128, + "type": "integer", "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes)." } }, { "size_unit": { + "type": "string", + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", "required": true, + "default": "megabytes", "one_of": [ "megabytes", "kilobytes", "bytes" - ], - "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", - "default": "megabytes", - "type": "string" + ] } }, { "require_content_length": { "required": true, "type": "boolean", - "default": false, - "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body." + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", + "default": false } } - ], - "type": "record" + ] } } ], 
diff --git a/schemas/request-termination/3.5.x.json b/schemas/request-termination/3.5.x.json index dbb1f8b9..ffa5c52f 100644 --- a/schemas/request-termination/3.5.x.json +++ b/schemas/request-termination/3.5.x.json @@ -2,48 +2,49 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "status_code": { - "required": true, "between": [ 100, 599 ], "type": "integer", + "description": "The response code to send. Must be an integer between 100 and 599.", "default": 503, - "description": "The response code to send. Must be an integer between 100 and 599." + "required": true } }, { 
@@ -68,18 +69,17 @@ "echo": { "required": true, "type": "boolean", - "default": false, - "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic." + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", + "default": false } }, { "trigger": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } } - ], - "type": "record" + ] } } ], diff --git a/schemas/request-transformer-advanced/3.5.x.json b/schemas/request-transformer-advanced/3.5.x.json index 5e853d70..9e2d3b89 100644 --- a/schemas/request-transformer-advanced/3.5.x.json +++ b/schemas/request-transformer-advanced/3.5.x.json 
@@ -2,176 +2,178 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { "required": true, + "type": "record", "fields": [ { "http_method": { - "match": "^%u+$", "type": "string", + "match": "^%u+$", "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." } }, { "remove": { "required": true, + "type": "record", "fields": [ { "body": { - "elements": { - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string" + } } }, { "headers": { - "elements": { - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string" + } } }, { "querystring": { - "elements": { - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string" + } } } - ], - "type": "record" + ] } }, { "rename": { "required": true, + "type": "record", "fields": [ { "body": { - "elements": { - "referenceable": true, - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string", + "referenceable": true + } } }, { "headers": { - "elements": { - "referenceable": true, - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string", + "referenceable": true + } } }, { "querystring": { - "elements": { - "referenceable": true, - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string", + "referenceable": true + } } } - ], - "type": "record" + ] } }, { "replace": { "required": true, + "type": "record", 
"fields": [ { "body": { - "elements": { - "referenceable": true, - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string", + "referenceable": true + } } }, { "headers": { - "elements": { - "referenceable": true, - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string", + "referenceable": true + } } }, { "querystring": { - "elements": { - "referenceable": true, - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string", + "referenceable": true + } } }, { "json_types": { + "default": [ + + ], + "type": "array", "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" - }, - "default": [ - - ], - "type": "array" + ] + } } }, { 
@@ -179,133 +181,133 @@ "type": "string" } } - ], - "type": "record" + ] } }, { "add": { "required": true, + "type": "record", "fields": [ { "body": { - "elements": { - "referenceable": true, - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string", + "referenceable": true + } } }, { "headers": { - "elements": { - "referenceable": true, - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string", + "referenceable": true + } } }, { "querystring": { - "elements": { - "referenceable": true, - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string", + "referenceable": true + } } }, { "json_types": { + "default": [ + + ], + "type": "array", "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" - }, - "default": [ - - ], - "type": "array" + ] + } } } - ], - "type": "record" + ] } }, { "append": { "required": true, + "type": "record", "fields": [ { "body": { - "elements": { - "referenceable": true, - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string", + "referenceable": true + } } }, { "headers": { - "elements": { - "referenceable": true, - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string", + "referenceable": true + } } }, { "querystring": { - "elements": { - "referenceable": true, - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string", + "referenceable": true + } } }, { "json_types": { + "default": [ + + ], + "type": "array", "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" - }, - "default": [ - - ], - "type": "array" + ] + } } } - ], - "type": "record" + ] } }, { "allow": { "required": true, + "type": "record", "fields": [ { "body": { 
@@ -315,19 +317,17 @@ "type": "set" } } - ], - "type": "record" + ] } }, { "dots_in_keys": { - "type": "boolean", "default": true, + "type": "boolean", "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects)." } } - ], - "type": "record" + ] } } ], diff --git a/schemas/request-transformer/3.5.x.json b/schemas/request-transformer/3.5.x.json index eb5a135a..1d9ea3aa 100644 --- a/schemas/request-transformer/3.5.x.json +++ b/schemas/request-transformer/3.5.x.json @@ -2,7 +2,6 @@ "fields": [ { "protocols": { - "required": true, "elements": { "one_of": [ "grpc", 
@@ -16,158 +15,161 @@ "ws", "wss" ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string" }, "type": "set", + "description": "A set of strings representing protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "config": { "required": true, + "type": "record", "fields": [ { "http_method": { - "match": "^%u+$", "type": "string", + "match": "^%u+$", "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." } }, { "remove": { "required": true, + "type": "record", "fields": [ { "body": { "required": true, - "elements": { - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "type": "string" + } } }, { "headers": { "required": true, - "elements": { - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "type": "string" + } } }, { "querystring": { "required": true, - "elements": { - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "type": "string" + } } } - ], - "type": "record" + ] } }, { "rename": { "required": true, + "type": "record", "fields": [ { "body": { "required": true, - "elements": { - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "type": "string" + } } }, { "headers": { "required": true, - "elements": { - "type": "string", - "match": "^[^:]+:.*$" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } } }, { "querystring": { "required": true, - "elements": { - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "type": "string" + } } } - ], - "type": "record" + ] } }, { 
"replace": { "required": true, + "type": "record", "fields": [ { "body": { "required": true, - "elements": { - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "type": "string" + } } }, { "headers": { "required": true, - "elements": { - "type": "string", - "match": "^[^:]+:.*$" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } } }, { "querystring": { "required": true, - "elements": { - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "type": "string" + } } }, { 
@@ -175,102 +177,100 @@ "type": "string" } } - ], - "type": "record" + ] } }, { "add": { "required": true, + "type": "record", "fields": [ { "body": { "required": true, - "elements": { - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "type": "string" + } } }, { "headers": { "required": true, - "elements": { - "type": "string", - "match": "^[^:]+:.*$" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } } }, { "querystring": { "required": true, - "elements": { - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "type": "string" + } } } - ], - "type": "record" + ] } }, { "append": { "required": true, + "type": "record", "fields": [ { "body": { "required": true, - "elements": { - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "type": "string" + } } }, { "headers": { "required": true, - "elements": { - "type": "string", - "match": "^[^:]+:.*$" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } } }, { "querystring": { "required": true, - "elements": { - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "type": "string" + } } } - ], - "type": "record" + ] } } - ], - "type": "record" + ] } } ], diff --git a/schemas/request-validator/3.5.x.json b/schemas/request-validator/3.5.x.json index 3b67930a..74b56d30 100644 --- a/schemas/request-validator/3.5.x.json +++ b/schemas/request-validator/3.5.x.json 
@@ -2,38 +2,46 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "body_schema", + "parameter_schema" + ] + } + ], "fields": [ { "body_schema": { 
@@ -44,46 +52,64 @@ }, { "allowed_content_types": { - "elements": { - "required": true, - "type": "string" - }, - "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", "default": [ "application/json" ], - "type": "set" + "type": "set", + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", + "elements": { + "required": true, + "type": "string" + } } }, { "version": { + "type": "string", + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", "required": true, "one_of": [ "kong", "draft4" ], - "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", - "default": "kong", - "type": "string" + "default": "kong" } }, { "parameter_schema": { "required": false, "type": "array", + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", "elements": { + "entity_checks": [ + { + "mutually_required": [ + "style", + "explode", + "schema" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "style", + "in" + ] + } + } + ], "type": "record", "fields": [ { "in": { "required": true, "type": "string", + "description": "The location of the parameter.", "one_of": [ "query", "header", "path" - ], - "description": "The location of the parameter." + ] } }, { @@ -102,6 +128,8 @@ }, { "style": { + "type": "string", + "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", "one_of": [ "label", "form", 
@@ -110,9 +138,7 @@ "spaceDelimited", "pipeDelimited", "deepObject" - ], - "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", - "type": "string" + ] } }, { @@ -127,44 +153,18 @@ "type": "string" } } - ], - "entity_checks": [ - { - "mutually_required": [ - "style", - "explode", - "schema" - ] - }, - { - "custom_entity_check": { - "field_sources": [ - "style", - "in" - ] - } - } ] - }, - "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified." + } } }, { "verbose_response": { - "required": true, - "type": "boolean", "default": false, - "description": "If enabled, the plugin returns more verbose and detailed validation errors." + "type": "boolean", + "description": "If enabled, the plugin returns more verbose and detailed validation errors.", + "required": true } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "body_schema", - "parameter_schema" - ] - } ] } } diff --git a/schemas/response-ratelimiting/3.5.x.json b/schemas/response-ratelimiting/3.5.x.json index 5a6f3685..68da3ddb 100644 --- a/schemas/response-ratelimiting/3.5.x.json +++ b/schemas/response-ratelimiting/3.5.x.json 
@@ -2,228 +2,228 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "header_name": { - "type": "string", "default": "x-kong-limit", + "type": "string", "description": "The name of the response header used to increment the counters." } }, { "limit_by": { + "default": "consumer", + "type": "string", + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", "one_of": [ "consumer", "credential", "ip" - ], - "type": "string", - "default": "consumer", - "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`." + ] } }, { "policy": { + "default": "local", + "type": "string", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", "one_of": [ "local", "cluster", "redis" - ], - "type": "string", - "default": "local", - "description": "The rate-limiting policies to use for retrieving and incrementing the limits." 
+ ] } }, { "fault_tolerant": { - "required": true, - "type": "boolean", "default": true, - "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors." + "type": "boolean", + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", + "required": true } }, { "redis_host": { - "type": "string", - "description": "When using the `redis` policy, this property specifies the address to the Redis server." + "description": "When using the `redis` policy, this property specifies the address to the Redis server.", + "type": "string" } }, { "redis_port": { + "default": 6379, + "type": "integer", "description": "When using the `redis` policy, this property specifies the port of the Redis server.", "between": [ 0, 65535 - ], - "default": 6379, - "type": "integer" + ] } }, { "redis_password": { - "referenceable": true, "len_min": 0, "type": "string", - "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server." + "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", + "referenceable": true } }, { "redis_username": { - "referenceable": true, "type": "string", - "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.\nThis requires Redis v6.0.0+. The username **cannot** be set to `default`." 
+ "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.\nThis requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "referenceable": true } }, { "redis_ssl": { - "required": true, - "type": "boolean", "default": false, - "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server." + "type": "boolean", + "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server.", + "required": true } }, { "redis_ssl_verify": { - "required": true, - "type": "boolean", "default": false, - "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies if the server SSL certificate is validated. Note that you need to configure the `lua_ssl_trusted_certificate` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "type": "boolean", + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies if the server SSL certificate is validated. Note that you need to configure the `lua_ssl_trusted_certificate` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": true } }, { "redis_server_name": { - "type": "string", - "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies the server name for the TLS extension Server Name Indication (SNI)." 
+ "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies the server name for the TLS extension Server Name Indication (SNI).", + "type": "string" } }, { "redis_timeout": { - "type": "number", "default": 2000, + "type": "number", "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server." } }, { "redis_database": { - "type": "number", "default": 0, + "type": "number", "description": "When using the `redis` policy, this property specifies Redis database to use." } }, { "block_on_first_violation": { - "required": true, - "type": "boolean", "default": false, - "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too." + "type": "boolean", + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", + "required": true } }, { "hide_client_headers": { - "required": true, - "type": "boolean", "default": false, - "description": "Optionally hide informative response headers." 
+ "type": "boolean", + "description": "Optionally hide informative response headers.", + "required": true } }, { "limits": { - "required": true, + "len_min": 1, + "type": "map", + "description": "A map that defines rate limits for the plugin.", "keys": { "type": "string" }, - "len_min": 1, - "description": "A map that defines rate limits for the plugin.", + "required": true, "values": { "required": true, "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "second", + "minute", + "hour", + "day", + "month", + "year" + ] + } + ], "fields": [ { "second": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { "minute": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { "hour": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { "day": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { "month": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { "year": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "second", - "minute", - "hour", - "day", - "month", - "year" - ] - } ] - }, - "type": "map" + } } } - ], - "type": "record" + ] } } ], @@ -231,37 +231,37 @@ { "conditional": { "then_field": "config.redis_host", - "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, "then_match": { "required": true }, - "if_match": { - "eq": "redis" - } + "if_field": "config.policy" } }, { "conditional": { "then_field": "config.redis_port", - "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, "then_match": { "required": true }, - "if_match": { - "eq": "redis" - } + "if_field": "config.policy" } }, { "conditional": { "then_field": "config.redis_timeout", - "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, "then_match": { "required": true }, - "if_match": { - "eq": "redis" - } + "if_field": "config.policy" } } ] 
diff --git a/schemas/response-transformer-advanced/3.5.x.json b/schemas/response-transformer-advanced/3.5.x.json
index ece29738..a5a43f82 100644
--- a/schemas/response-transformer-advanced/3.5.x.json
+++ b/schemas/response-transformer-advanced/3.5.x.json
@@ -2,282 +2,284 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { "required": true, + "type": "record", "fields": [ { "remove": { "required": true, + "type": "record", "fields": [ { "json": { - "elements": { - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string" + } } }, { "headers": { - "elements": { - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string" + } } }, { "if_status": { - "elements": { - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string" + } } } - ], - "type": "record" + ] } }, { "rename": { "required": true, + "type": "record", "fields": [ { "headers": { - "elements": { - "type": "string", - "match": "^[^:]+:.*$" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } } }, { "if_status": { - "elements": { - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string" + } } } - ], - "type": "record" + ] } }, { "replace": { "required": true, + "type": "record", "fields": [ { "body": { - "type": "string", - "description": "String with which to replace the entire response body." 
+ "description": "String with which to replace the entire response body.", + "type": "string" } }, { "json": { - "elements": { - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string" + } } }, { "json_types": { + "default": [ + + ], + "type": "array", "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" - }, - "default": [ - - ], - "type": "array" + ] + } } }, { "headers": { - "elements": { - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string" + } } }, { "if_status": { - "elements": { - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string" + } } } - ], - "type": "record" + ] } }, { "add": { "required": true, + "type": "record", "fields": [ { "json": { - "elements": { - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string" + } } }, { "json_types": { + "default": [ + + ], + "type": "array", "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" - }, - "default": [ - - ], - "type": "array" + ] + } } }, { "headers": { - "elements": { - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string" + } } }, { "if_status": { - "elements": { - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string" + } } } - ], - "type": "record" + ] } }, { "append": { "required": true, + "type": "record", "fields": [ { "json": { - "elements": { - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string" + } } }, { "json_types": { + "default": [ + + ], + "type": "array", "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" - }, - "default": [ - - ], - "type": "array" + ] + } } }, { 
"headers": { - "elements": { - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string" + } } }, { "if_status": { - "elements": { - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string" + } } } - ], - "type": "record" + ] } }, { "allow": { "required": true, + "type": "record", "fields": [ { "json": { @@ -287,60 +289,58 @@ "type": "set" } } - ], - "type": "record" + ] } }, { "transform": { "required": true, + "type": "record", "fields": [ { "functions": { - "elements": { - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string" + } } }, { "if_status": { - "elements": { - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string" + } } }, { "json": { - "elements": { - "type": "string" - }, "default": [ ], - "type": "array" + "type": "array", + "elements": { + "type": "string" + } } } - ], - "type": "record" + ] } }, { "dots_in_keys": { - "type": "boolean", "default": true, + "type": "boolean", "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects.." } } - ], - "type": "record" + ] } } ], diff --git a/schemas/response-transformer/3.5.x.json b/schemas/response-transformer/3.5.x.json index e6f5d866..e6d31513 100644 --- a/schemas/response-transformer/3.5.x.json +++ b/schemas/response-transformer/3.5.x.json 
@@ -2,241 +2,241 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { "required": true, + "type": "record", "fields": [ { "remove": { "required": true, + "type": "record", "fields": [ { "json": { "required": true, - "elements": { - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "type": "string" + } } }, { "headers": { "required": true, - "elements": { - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "type": "string" + } } } - ], - "type": "record" + ] } }, { "rename": { "required": true, + "type": "record", "fields": [ { "headers": { "required": true, - "elements": { - "type": "string", - "match": "^[^:]+:.*$" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } } } - ], - "type": "record" + ] } }, { "replace": { "required": true, + "type": "record", "fields": [ { "json": { "required": true, - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } } }, { "json_types": { - "required": true, "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" + ] }, "type": "array", + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "required": true, "default": [ - ], - "description": "List of JSON type names. 
Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." + ] } }, { "headers": { "required": true, - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } } } - ], - "type": "record" + ] } }, { "add": { "required": true, + "type": "record", "fields": [ { "json": { "required": true, - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } } }, { "json_types": { - "required": true, "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" + ] }, "type": "array", + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "required": true, "default": [ - ], - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." 
+ ] } }, { "headers": { "required": true, - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } } } - ], - "type": "record" + ] } }, { "append": { "required": true, + "type": "record", "fields": [ { "json": { "required": true, - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } } }, { "json_types": { - "required": true, "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" + ] }, "type": "array", + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "required": true, "default": [ - ], - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." + ] } }, { "headers": { "required": true, - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, + "type": "array", "default": [ ], - "type": "array" + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } } } - ], - "type": "record" + ] } } - ], - "type": "record" + ] } } ], diff --git a/schemas/route-by-header/3.5.x.json b/schemas/route-by-header/3.5.x.json index 21b57ddf..02635b7f 100644 --- a/schemas/route-by-header/3.5.x.json +++ b/schemas/route-by-header/3.5.x.json 
@@ -2,41 +2,48 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "rules": { + "default": [ + + ], + "type": "array", + "description": "Route by header rules.", "elements": { + "type": "record", "fields": [ { "upstream_name": { @@ -46,29 +53,22 @@ }, { "condition": { - "required": true, + "len_min": 1, + "type": "map", "keys": { "type": "string" }, - "len_min": 1, + "required": true, "values": { "type": "string" - }, - "type": "map" + } } } - ], - "type": "record" - }, - "description": "Route by header rules.", - "default": [ - - ], - "type": "array" + ] + } } } - ], - "type": "record" + ] } } ], diff --git a/schemas/route-transformer-advanced/3.5.x.json b/schemas/route-transformer-advanced/3.5.x.json index ee2b7522..2cbc96c7 100644 --- a/schemas/route-transformer-advanced/3.5.x.json +++ b/schemas/route-transformer-advanced/3.5.x.json 
@@ -2,38 +2,47 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "path", + "port", + "host" + ] + } + ], "fields": [ { "path": { @@ -56,15 +65,6 @@ "type": "boolean" } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "path", - "port", - "host" - ] - } ] } } diff --git a/schemas/saml/3.5.x.json b/schemas/saml/3.5.x.json index a36027a7..6e63d191 100644 --- a/schemas/saml/3.5.x.json +++ b/schemas/saml/3.5.x.json 
@@ -2,151 +2,224 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { + "shorthand_fields": [ + { + "session_cookie_lifetime": { + "type": "number" + } + }, + { + "session_cookie_idletime": { + "type": "number" + } + }, + { + "session_cookie_samesite": { + "type": "string" + } + }, + { + "session_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "type": "string" + } + }, + { + "session_memcache_socket": { + "type": "string" + } + }, + { + "session_memcache_host": { + "type": "string" + } + }, + { + "session_memcache_port": { + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer" + } + }, + { + "session_cookie_renew": { + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "type": "integer" + } + }, + { + "session_strategy": { + "type": "string" + } + }, + { + "session_compressor": { + "type": "string" + } + }, + { + "session_auth_ttl": { + "type": "number" + } + } + ], + "type": "record", "required": true, "fields": [ { "assertion_consumer_path": { + "starts_with": "/", + "type": "string", + 
"description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "required": true, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ], - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "type": "string" + ] } }, { "idp_sso_url": { "required": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "idp_certificate": { - "required": false, "referenceable": true, "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "required": false, "encrypted": true, "type": "string" } }, { "response_encryption_key": { - "required": false, "referenceable": true, "description": "The private encryption key required to decrypt encrypted assertions.", + "required": false, "encrypted": true, "type": "string" } }, { "request_signing_key": { - "required": false, "referenceable": true, "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. 
The `request_signing_certificate` parameter must be set as well.", + "required": false, "encrypted": true, "type": "string" } }, { "request_signing_certificate": { - "required": false, "referenceable": true, "description": "The certificate for signing requests.", + "required": false, "encrypted": true, "type": "string" } }, { "request_signature_algorithm": { + "type": "string", + "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`", "required": false, + "default": "SHA256", "one_of": [ "SHA256", "SHA384", "SHA512" - ], - "type": "string", - "default": "SHA256", - "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`" + ] } }, { "request_digest_algorithm": { + "type": "string", + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", "required": false, + "default": "SHA256", "one_of": [ "SHA256", "SHA1" - ], - "type": "string", - "default": "SHA256", - "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`" + ] } }, { "response_signature_algorithm": { + "type": "string", + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", "required": false, + "default": "SHA256", "one_of": [ "SHA256", "SHA384", "SHA512" - ], - "type": "string", - "default": "SHA256", - "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`" + ] } }, { "response_digest_algorithm": { + "type": "string", + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", "required": false, + "default": "SHA256", "one_of": [ "SHA256", "SHA1" - ], - "type": "string", - "default": "SHA256", - "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`" + ] } }, { 
@@ -158,119 +231,122 @@ }, { "nameid_format": { + "type": "string", + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", "required": false, + "default": "EmailAddress", "one_of": [ "Unspecified", "EmailAddress", "Persistent", "Transient" - ], - "type": "string", - "default": "EmailAddress", - "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`" + ] } }, { "validate_assertion_signature": { "required": false, "type": "boolean", - "default": true, - "description": "Enable signature validation for SAML responses." + "description": "Enable signature validation for SAML responses.", + "default": true } }, { "anonymous": { "required": false, - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username." } }, { "session_secret": { - "required": true, - "type": "string", - "encrypted": true, "len_min": 32, + "len_max": 32, + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", "referenceable": true, + "required": true, + "encrypted": true, "match": "^[0-9a-zA-Z/_+]+$", - "len_max": 32, - "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). 
It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange." + "type": "string" } }, { "session_audience": { - "required": false, - "description": "The session audience, for example \"my-application\"", "default": "default", - "type": "string" + "type": "string", + "description": "The session audience, for example \"my-application\"", + "required": false } }, { "session_cookie_name": { - "required": false, - "description": "The session cookie name.", "default": "session", - "type": "string" + "type": "string", + "description": "The session cookie name.", + "required": false } }, { "session_remember": { - "required": false, - "description": "Enables or disables persistent sessions", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Enables or disables persistent sessions", + "required": false } }, { "session_remember_cookie_name": { - "required": false, - "description": "Persistent session cookie name", "default": "remember", - "type": "string" + "type": "string", + "description": "Persistent session cookie name", + "required": false } }, { "session_remember_rolling_timeout": { - "required": false, - "description": "Persistent session rolling timeout in seconds.", "default": 604800, - "type": "number" + "type": "number", + "description": "Persistent session rolling timeout in seconds.", + "required": false } }, { "session_remember_absolute_timeout": { - "required": false, - "description": "Persistent session absolute timeout in seconds.", "default": 2592000, - "type": "number" + "type": "number", + "description": "Persistent session absolute timeout in seconds.", + "required": false } }, { "session_idling_timeout": { - "required": false, - "description": "The session cookie idle time in seconds.", "default": 900, - "type": "number" + "type": "number", + "description": "The session cookie idle time in seconds.", + "required": false } }, { 
"session_rolling_timeout": { - "required": false, - "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", "default": 3600, - "type": "number" + "type": "number", + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "required": false } }, { "session_absolute_timeout": { - "required": false, - "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", "default": 86400, - "type": "number" + "type": "number", + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "required": false } }, { "session_cookie_path": { + "starts_with": "/", + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "required": false, "match_none": [ { 
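Review bot: `session_rolling_timeout` on the new side still carries the description of `session_absolute_timeout` word for word ("The session cookie absolute timeout in seconds. …"), so two settings with defaults of 3600 and 86400 read as the same control. Operators tune these values to limit how long a leaked session cookie stays usable, so the text should tell them apart, e.g. `"description": "The session cookie rolling timeout in seconds. Specifies how long the session can be used until it needs to be renewed."`. If this file is regenerated from the API, the wording has to be corrected in the upstream schema rather than here.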
@@ -278,51 +354,49 @@ "err": "must not have empty segments" } ], - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "default": "/", - "type": "string" + "default": "/" } }, { "session_cookie_domain": { "required": false, - "description": "The session cookie domain flag.", - "type": "string" + "type": "string", + "description": "The session cookie domain flag." } }, { "session_cookie_same_site": { + "type": "string", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "default": "Lax", "required": false, "one_of": [ "Strict", "Lax", "None", "Default" - ], - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", - "default": "Lax", - "type": "string" + ] } }, { "session_cookie_http_only": { - "required": false, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "default": true, - "type": "boolean" + "type": "boolean", + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "required": false } }, { "session_cookie_secure": { "required": false, - "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "type": "boolean" + "type": "boolean", + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." } }, { "session_request_headers": { "elements": { + "type": "string", "one_of": [ "id", "audience", 
@@ -331,8 +405,7 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ], - "type": "string" + ] }, "type": "set" } @@ -340,6 +413,7 @@ { "session_response_headers": { "elements": { + "type": "string", "one_of": [ "id", "audience", 
@@ -348,299 +422,225 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ], - "type": "string" + ] }, "type": "set" } }, { "session_storage": { + "type": "string", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", + "default": "cookie", "required": false, "one_of": [ "cookie", "memcache", "memcached", "redis" - ], - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", - "default": "cookie", - "type": "string" + ] } }, { "session_store_metadata": { - "required": false, - "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", + "required": false } }, { "session_enforce_same_subject": { - "required": false, - "description": "When set to `true`, audiences are forced to share the same subject.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "When set to `true`, audiences are forced to share the same subject.", + "required": false } }, { "session_hash_subject": { - "required": false, - "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "required": false } }, { "session_hash_storage_key": { - "required": false, - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "required": false } }, { "session_memcached_prefix": { "required": false, - "description": "The memcached session key prefix.", - "type": "string" + "type": "string", + "description": "The memcached session key prefix." } }, { "session_memcached_socket": { "required": false, - "description": "The memcached unix socket path.", - "type": "string" + "type": "string", + "description": "The memcached unix socket path." } }, { "session_memcached_host": { - "required": false, - "description": "The memcached host.", "default": "127.0.0.1", - "type": "string" + "type": "string", + "description": "The memcached host.", + "required": false } }, { "session_memcached_port": { - "required": false, "between": [ 0, 65535 ], "type": "integer", - "default": 11211, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": false, + "default": 11211 } }, { "session_redis_prefix": { "required": false, - "description": "The Redis session key prefix.", - "type": "string" + "type": "string", + "description": "The Redis session key prefix." 
} }, { "session_redis_socket": { "required": false, - "description": "The Redis unix socket path.", - "type": "string" + "type": "string", + "description": "The Redis unix socket path." } }, { "session_redis_host": { - "required": false, - "description": "The Redis host IP.", "default": "127.0.0.1", - "type": "string" + "type": "string", + "description": "The Redis host IP.", + "required": false } }, { "session_redis_port": { - "required": false, "between": [ 0, 65535 ], "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": false, + "default": 6379 } }, { "session_redis_username": { + "required": false, "referenceable": true, "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", - "required": false, "type": "string" } }, { "session_redis_password": { - "required": false, "referenceable": true, - "type": "string", + "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. This value is pulled from", + "required": false, "encrypted": true, - "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. This value is pulled from" + "type": "string" } }, { "session_redis_connect_timeout": { "required": false, - "description": "The Redis connection timeout in milliseconds.", - "type": "integer" + "type": "integer", + "description": "The Redis connection timeout in milliseconds." 
} }, { "session_redis_read_timeout": { "required": false, - "description": "The Redis read timeout in milliseconds.", - "type": "integer" + "type": "integer", + "description": "The Redis read timeout in milliseconds." } }, { "session_redis_send_timeout": { "required": false, - "description": "The Redis send timeout in milliseconds.", - "type": "integer" + "type": "integer", + "description": "The Redis send timeout in milliseconds." } }, { "session_redis_ssl": { - "required": false, - "description": "Use SSL/TLS for the Redis connection.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Use SSL/TLS for the Redis connection.", + "required": false } }, { "session_redis_ssl_verify": { - "required": false, - "description": "Verify the Redis server certificate.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Verify the Redis server certificate.", + "required": false } }, { "session_redis_server_name": { "required": false, - "description": "The SNI used for connecting to the Redis server.", - "type": "string" + "type": "string", + "description": "The SNI used for connecting to the Redis server." } }, { "session_redis_cluster_nodes": { "required": false, + "type": "array", "description": "The Redis cluster node host. 
Takes an array of host records, with either `ip` or `host`, and `port` values.", "elements": { + "type": "record", "fields": [ { "ip": { "required": true, + "type": "string", "description": "A string representing a host name, such as example.com.", - "default": "127.0.0.1", - "type": "string" + "default": "127.0.0.1" } }, { "port": { + "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "default": 6379, - "type": "integer" + ] } } - ], - "type": "record" - }, - "type": "array" + ] + } } }, { "session_redis_cluster_max_redirections": { "required": false, - "description": "The Redis cluster maximum redirects.", - "type": "integer" - } - } - ], - "shorthand_fields": [ - { - "session_cookie_lifetime": { - "type": "number" - } - }, - { - "session_cookie_idletime": { - "type": "number" - } - }, - { - "session_cookie_samesite": { - "type": "string" - } - }, - { - "session_cookie_httponly": { - "type": "boolean" - } - }, - { - "session_memcache_prefix": { - "type": "string" - } - }, - { - "session_memcache_socket": { - "type": "string" - } - }, - { - "session_memcache_host": { - "type": "string" - } - }, - { - "session_memcache_port": { - "type": "integer" - } - }, - { - "session_redis_cluster_maxredirections": { - "type": "integer" - } - }, - { - "session_cookie_renew": { - "type": "number" - } - }, - { - "session_cookie_maxsize": { - "type": "integer" - } - }, - { - "session_strategy": { - "type": "string" - } - }, - { - "session_compressor": { - "type": "string" - } - }, - { - "session_auth_ttl": { - "type": "number" + "type": "integer", + "description": "The Redis cluster maximum redirects." } } - ], - "type": "record" + ] } } ], diff --git a/schemas/session/3.5.x.json b/schemas/session/3.5.x.json index c824425b..832268ec 100644 --- a/schemas/session/3.5.x.json +++ b/schemas/session/3.5.x.json 
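Review bot: The `session_redis_password` description ends mid-sentence ("This value is pulled from"), so an encrypted credential field is documented with a broken sentence; either complete it or cut it back to end at `If undefined, no auth commands are sent to Redis.`. In the same hunk `session_redis_ssl_verify` has `"default": false` with only "Verify the Redis server certificate." as its description. That text does not tell the reader that enabling `session_redis_ssl` alone leaves the server certificate unchecked, and I would add a sentence saying so. Both strings look like upstream schema text, so the fix probably belongs there if this file is regenerated.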
@@ -2,15 +2,14 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "protocols": { - "required": true, "elements": { "one_of": [ "grpc", 
@@ -24,99 +23,138 @@ "ws", "wss" ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string" }, "type": "set", + "description": "A set of strings representing protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { + "shorthand_fields": [ + { + "cookie_lifetime": { + "type": "number" + } + }, + { + "cookie_idletime": { + "type": "number" + } + }, + { + "cookie_renew": { + "type": "number" + } + }, + { + "cookie_discard": { + "type": "number" + } + }, + { + "cookie_samesite": { + "type": "string" + } + }, + { + "cookie_httponly": { + "type": "boolean" + } + }, + { + "cookie_persistent": { + "type": "boolean" + } + } + ], + "type": "record", "required": true, "fields": [ { "secret": { - "encrypted": true, - "type": "string", "referenceable": true, + "description": "The secret that is used in keyed HMAC generation.", "required": false, - "default": "chdSaZ1O6qQwIlAI6XYMYWNzIhhNIEqQ10HrRVIvyTAf", - "description": "The secret that is used in keyed HMAC generation." + "encrypted": true, + "type": "string", + "default": "4emYUIRQFQNiaq7oFjHjfmU0XnvKvdUJVFFCcdpskXga" } }, { "storage": { + "default": "cookie", + "type": "string", + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. 
`cookie`: Stores encrypted session data within the cookie itself.", "one_of": [ "cookie", "kong" - ], - "type": "string", - "default": "cookie", - "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself." + ] } }, { "audience": { - "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", "default": "default", - "type": "string" + "type": "string", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`." } }, { "idling_timeout": { - "description": "The session cookie idle time, in seconds.", "default": 900, - "type": "number" + "type": "number", + "description": "The session cookie idle time, in seconds." } }, { "rolling_timeout": { - "description": "The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed.", "default": 3600, - "type": "number" + "type": "number", + "description": "The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed." } }, { "absolute_timeout": { - "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", "default": 86400, - "type": "number" + "type": "number", + "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid." 
} }, { "stale_ttl": { - "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", "default": 10, - "type": "number" + "type": "number", + "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one." } }, { "cookie_name": { - "description": "The name of the cookie.", "default": "session", - "type": "string" + "type": "string", + "description": "The name of the cookie." } }, { "cookie_path": { - "description": "The resource in the host where the cookie is available.", "default": "/", - "type": "string" + "type": "string", + "description": "The resource in the host where the cookie is available." } }, { 
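Review bot: The `default` of the `secret` field is a concrete 44-character string, and it differs from the concrete string on the removed line, which suggests the value is generated randomly whenever the schema is dumped rather than being a fixed default. Committing it has two costs: every schema refresh produces a diff here, and a reader can take the published string for the real default and reuse it as the HMAC key. I would have the download step drop `default` for this field and state the behaviour in the text, e.g. `"description": "The secret that is used in keyed HMAC generation. A random value is generated when unset."`. The second sentence is inferred from the changing value and should be confirmed against the plugin.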
@@ -127,62 +165,63 @@ }, { "cookie_same_site": { + "default": "Strict", + "type": "string", + "description": "Determines whether and how a cookie may be sent with cross-site requests.", "one_of": [ "Strict", "Lax", "None", "Default" - ], - "type": "string", - "default": "Strict", - "description": "Determines whether and how a cookie may be sent with cross-site requests." + ] } }, { "cookie_http_only": { - "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", "default": true, - "type": "boolean" + "type": "boolean", + "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server." } }, { "cookie_secure": { - "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", "default": true, - "type": "boolean" + "type": "boolean", + "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol." } }, { "remember": { - "description": "Enables or disables persistent sessions.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Enables or disables persistent sessions." } }, { "remember_cookie_name": { - "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", "default": "remember", - "type": "string" + "type": "string", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter." } }, { "remember_rolling_timeout": { - "description": "The persistent session rolling timeout window, in seconds.", "default": 604800, - "type": "number" + "type": "number", + "description": "The persistent session rolling timeout window, in seconds." 
} }, { "remember_absolute_timeout": { - "description": "The persistent session absolute timeout limit, in seconds.", "default": 2592000, - "type": "number" + "type": "number", + "description": "The persistent session absolute timeout limit, in seconds." } }, { "response_headers": { "elements": { + "type": "string", "one_of": [ "id", "audience", @@ -191,16 +230,16 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ], - "type": "string" + ] }, - "description": "List of information to include, as headers, in the response to the downstream.", - "type": "set" + "type": "set", + "description": "List of information to include, as headers, in the response to the downstream." } }, { "request_headers": { "elements": { + "type": "string", "one_of": [ "id", "audience", 
@@ -209,84 +248,51 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ], - "type": "string" + ] }, - "description": "List of information to include, as headers, in the response to the downstream.", - "type": "set" + "type": "set", + "description": "List of information to include, as headers, in the response to the downstream." + } + }, + { + "read_body_for_logout": { + "default": false, + "type": "boolean" } }, { "logout_methods": { "elements": { + "type": "string", "one_of": [ "GET", "POST", "DELETE" - ], - "type": "string" + ] }, + "type": "set", "description": "A set of HTTP methods that the plugin will respond to.", "default": [ "POST", "DELETE" - ], - "type": "set" + ] } }, { "logout_query_arg": { - "description": "The query argument passed to logout requests.", "default": "session_logout", - "type": "string" + "type": "string", + "description": "The query argument passed to logout requests." } }, { "logout_post_arg": { - "description": "The POST argument passed to logout requests. Do not change this property.", "default": "session_logout", - "type": "string" - } - } - ], - "shorthand_fields": [ - { - "cookie_lifetime": { - "type": "number" - } - }, - { - "cookie_idletime": { - "type": "number" - } - }, - { - "cookie_renew": { - "type": "number" - } - }, - { - "cookie_discard": { - "type": "number" - } - }, - { - "cookie_samesite": { - "type": "string" - } - }, - { - "cookie_httponly": { - "type": "boolean" - } - }, - { - "cookie_persistent": { - "type": "boolean" + "type": "string", + "description": "The POST argument passed to logout requests. Do not change this property." } } - ], - "type": "record" + ] } } ], diff --git a/schemas/statsd-advanced/3.5.x.json b/schemas/statsd-advanced/3.5.x.json index b8f76759..57406a81 100644 --- a/schemas/statsd-advanced/3.5.x.json +++ b/schemas/statsd-advanced/3.5.x.json @@ -2,7 +2,6 @@ "fields": [ { "protocols": { - "required": true, "elements": { "one_of": [ "grpc", 
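Review bot: `request_headers` has the same description as `response_headers` ("… in the response to the downstream"), which looks like a copy-paste. Going by the field name it should read `"List of information to include, as headers, in the request to the upstream."`. The newly added `read_body_for_logout` has only `default` and `type`, with no `description`. It sits next to `logout_post_arg` and presumably decides whether the request body is read to find that argument. A one-line description saying so, once confirmed, would let operators judge whether to enable it.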
@@ -16,203 +15,60 @@ "ws", "wss" ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string" }, "type": "set", + "description": "A set of strings representing protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", "default": "localhost", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { + "default": 8125, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "default": 8125, - "type": "integer" + ] } }, { "prefix": { - "type": "string", "default": "kong", + "type": "string", "description": "String to prefix to each metric's name." 
} }, { "metrics": { - "elements": { - "type": "record", - "fields": [ - { - "name": { - "required": true, - "one_of": [ - "kong_latency", - "latency", - "request_count", - "request_per_user", - "request_size", - "response_size", - "status_count", - "status_count_per_user", - "unique_users", - "upstream_latency", - "status_count_per_workspace", - "status_count_per_user_per_route", - "shdict_usage", - "cache_datastore_hits_total", - "cache_datastore_misses_total" - ], - "type": "string" - } - }, - { - "stat_type": { - "required": true, - "one_of": [ - "counter", - "gauge", - "histogram", - "meter", - "set", - "timer" - ], - "type": "string" - } - }, - { - "sample_rate": { - "gt": 0, - "type": "number" - } - }, - { - "consumer_identifier": { - "one_of": [ - "consumer_id", - "custom_id", - "username" - ], - "type": "string" - } - }, - { - "service_identifier": { - "one_of": [ - "service_id", - "service_name", - "service_host", - "service_name_or_host" - ], - "type": "string" - } - }, - { - "workspace_identifier": { - "one_of": [ - "workspace_id", - "workspace_name" - ], - "type": "string" - } - } - ], - "entity_checks": [ - { - "conditional": { - "then_field": "stat_type", - "if_field": "name", - "then_match": { - "eq": "set" - }, - "if_match": { - "one_of": [ - "unique_users" - ] - } - } - }, - { - "conditional": { - "then_field": "stat_type", - "if_field": "name", - "then_match": { - "eq": "counter" - }, - "if_match": { - "one_of": [ - "request_count", - "status_count", - "request_per_user", - "status_count_per_user", - "status_count_per_workspace", - "status_count_per_user_per_route", - "cache_datastore_hits_total", - "cache_datastore_misses_total" - ] - } - } - }, - { - "conditional": { - "then_field": "stat_type", - "if_field": "name", - "then_match": { - "eq": "gauge" - }, - "if_match": { - "one_of": [ - "shdict_usage" - ] - } - } - }, - { - "conditional": { - "then_field": "sample_rate", - "if_field": "stat_type", - "then_match": { - "required": true - }, - 
"if_match": { - "one_of": [ - "counter", - "gauge" - ] - } - } - } - ] - }, - "description": "List of Metrics to be logged.", "default": [ { "name": "request_count", 
@@ -284,92 +140,238 @@ "stat_type": "counter" } ], - "type": "array" + "type": "array", + "description": "List of Metrics to be logged.", + "elements": { + "entity_checks": [ + { + "conditional": { + "then_field": "stat_type", + "if_match": { + "one_of": [ + "unique_users" + ] + }, + "then_match": { + "eq": "set" + }, + "if_field": "name" + } + }, + { + "conditional": { + "then_field": "stat_type", + "if_match": { + "one_of": [ + "request_count", + "status_count", + "request_per_user", + "status_count_per_user", + "status_count_per_workspace", + "status_count_per_user_per_route", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + }, + "then_match": { + "eq": "counter" + }, + "if_field": "name" + } + }, + { + "conditional": { + "then_field": "stat_type", + "if_match": { + "one_of": [ + "shdict_usage" + ] + }, + "then_match": { + "eq": "gauge" + }, + "if_field": "name" + } + }, + { + "conditional": { + "then_field": "sample_rate", + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_match": { + "required": true + }, + "if_field": "stat_type" + } + } + ], + "type": "record", + "fields": [ + { + "name": { + "required": true, + "type": "string", + "one_of": [ + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "status_count", + "status_count_per_user", + "unique_users", + "upstream_latency", + "status_count_per_workspace", + "status_count_per_user_per_route", + "shdict_usage", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + } + }, + { + "stat_type": { + "required": true, + "type": "string", + "one_of": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ] + } + }, + { + "sample_rate": { + "type": "number", + "gt": 0 + } + }, + { + "consumer_identifier": { + "type": "string", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + }, + { + "service_identifier": { + "type": "string", + "one_of": [ + "service_id", + 
"service_name", + "service_host", + "service_name_or_host" + ] + } + }, + { + "workspace_identifier": { + "type": "string", + "one_of": [ + "workspace_id", + "workspace_name" + ] + } + } + ] + } } }, { "allow_status_codes": { "elements": { - "type": "string", - "match": "^[0-9]+-[0-9]+$" + "match": "^[0-9]+-[0-9]+$", + "type": "string" }, - "description": "List of status code ranges that are allowed to be logged in metrics.", - "type": "array" + "type": "array", + "description": "List of status code ranges that are allowed to be logged in metrics." } }, { "udp_packet_size": { + "default": 0, "type": "number", + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", "between": [ 0, 65507 - ], - "default": 0, - "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive)." + ] } }, { "use_tcp": { - "type": "boolean", "default": false, + "type": "boolean", "description": "Use TCP instead of UDP." } }, { "hostname_in_prefix": { - "type": "boolean", "default": false, + "type": "boolean", "description": "Include the `hostname` in the `prefix` for each metric name." } }, { "consumer_identifier_default": { + "type": "string", + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", + "default": "custom_id", "required": true, "one_of": [ "consumer_id", "custom_id", "username" - ], - "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", - "default": "custom_id", - "type": "string" + ] } }, { "service_identifier_default": { + "type": "string", + "description": "The default service identifier for metrics. 
This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", + "default": "service_name_or_host", "required": true, "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ], - "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", - "default": "service_name_or_host", - "type": "string" + ] } }, { "workspace_identifier_default": { + "type": "string", + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", + "default": "workspace_id", "required": true, "one_of": [ "workspace_id", "workspace_name" - ], - "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", - "default": "workspace_id", - "type": "string" + ] } }, { "queue": { "required": true, + "type": "record", "fields": [ { "max_batch_size": { + "default": 1, "type": "integer", "description": "Maximum number of entries that can be processed at a time.", - "default": 1, "between": [ 1, 1000000 @@ -378,9 +380,9 @@ }, { "max_coalescing_delay": { + "default": 1, "type": "number", "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "default": 1, "between": [ 0, 3600 @@ -389,9 +391,9 @@ }, { "max_entries": { + "default": 10000, "type": "integer", "description": "Maximum number of entries that can be waiting on the queue.", - "default": 10000, "between": [ 1, 1000000 
@@ -400,22 +402,22 @@ }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { - "type": "number", "default": 60, + "type": "number", "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { + "default": 0.01, "type": "number", "description": "Time in seconds before the initial retry is made for a failing batch.", - "default": 0.01, "between": [ 0.001, 1000000 @@ -424,21 +426,19 @@ }, { "max_retry_delay": { + "default": 60, "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ], - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff." + ] } } - ], - "type": "record" + ] } } - ], - "type": "record" + ] } } ], diff --git a/schemas/statsd/3.5.x.json b/schemas/statsd/3.5.x.json index 75bc4051..a28b3666 100644 --- a/schemas/statsd/3.5.x.json +++ b/schemas/statsd/3.5.x.json @@ -2,7 +2,6 @@ "fields": [ { "protocols": { - "required": true, "elements": { "one_of": [ "grpc", 
@@ -16,65 +15,170 @@ "ws", "wss" ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string" }, "type": "set", + "description": "A set of strings representing protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "retry_count", + "queue_size", + "flush_timeout" + ] + } + } + ], "fields": [ { "host": { - "description": "The IP address or hostname of StatsD server to send data to.", "default": "localhost", - "type": "string" + "type": "string", + "description": "The IP address or hostname of StatsD server to send data to." } }, { "port": { + "default": 8125, + "type": "integer", "description": "The port of StatsD server to send data to.", "between": [ 0, 65535 - ], - "default": 8125, - "type": "integer" + ] } }, { "prefix": { - "description": "String to prefix to each metric's name.", "default": "kong", - "type": "string" + "type": "string", + "description": "String to prefix to each metric's name." 
} }, { "metrics": { + "default": [ + { + "name": "request_count", + "sample_rate": 1, + "stat_type": "counter" + }, + { + "stat_type": "timer", + "name": "latency" + }, + { + "name": "request_size", + "sample_rate": 1, + "stat_type": "counter" + }, + { + "name": "status_count", + "sample_rate": 1, + "stat_type": "counter" + }, + { + "name": "response_size", + "sample_rate": 1, + "stat_type": "counter" + }, + { + "stat_type": "set", + "name": "unique_users" + }, + { + "name": "request_per_user", + "sample_rate": 1, + "stat_type": "counter" + }, + { + "stat_type": "timer", + "name": "upstream_latency" + }, + { + "stat_type": "timer", + "name": "kong_latency" + }, + { + "name": "status_count_per_user", + "sample_rate": 1, + "stat_type": "counter" + }, + { + "name": "status_count_per_workspace", + "sample_rate": 1, + "stat_type": "counter" + }, + { + "name": "status_count_per_user_per_route", + "sample_rate": 1, + "stat_type": "counter" + }, + { + "name": "shdict_usage", + "sample_rate": 1, + "stat_type": "gauge" + }, + { + "name": "cache_datastore_hits_total", + "sample_rate": 1, + "stat_type": "counter" + }, + { + "name": "cache_datastore_misses_total", + "sample_rate": 1, + "stat_type": "counter" + } + ], + "type": "array", + "description": "List of metrics to be logged.", "elements": { + "entity_checks": [ + { + "conditional": { + "then_field": "sample_rate", + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_match": { + "required": true + }, + "if_field": "stat_type" + } + } + ], "type": "record", "fields": [ { "name": { "required": true, + "type": "string", "description": "StatsD metric’s name.", "one_of": [ "kong_latency", @@ -92,13 +196,13 @@ "shdict_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" - ], - "type": "string" + ] } }, { "stat_type": { "required": true, + "type": "string", "description": "Determines what sort of event a metric represents.", "one_of": [ "counter", 
@@ -107,8 +211,7 @@ "meter", "set", "timer" - ], - "type": "string" + ] } }, { 
@@ -120,138 +223,46 @@ }, { "consumer_identifier": { + "type": "string", + "description": "Authenticated user detail.", "one_of": [ "consumer_id", "custom_id", "username" - ], - "type": "string", - "description": "Authenticated user detail." + ] } }, { "service_identifier": { + "type": "string", + "description": "Service detail.", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ], - "type": "string", - "description": "Service detail." + ] } }, { "workspace_identifier": { + "type": "string", + "description": "Workspace detail.", "one_of": [ "workspace_id", "workspace_name" - ], - "type": "string", - "description": "Workspace detail." - } - } - ], - "entity_checks": [ - { - "conditional": { - "then_field": "sample_rate", - "if_field": "stat_type", - "then_match": { - "required": true - }, - "if_match": { - "one_of": [ - "counter", - "gauge" - ] - } + ] } } ] - }, - "type": "array", - "default": [ - { - "name": "request_count", - "sample_rate": 1, - "stat_type": "counter" - }, - { - "name": "latency", - "stat_type": "timer" - }, - { - "name": "request_size", - "sample_rate": 1, - "stat_type": "counter" - }, - { - "name": "status_count", - "sample_rate": 1, - "stat_type": "counter" - }, - { - "name": "response_size", - "sample_rate": 1, - "stat_type": "counter" - }, - { - "name": "unique_users", - "stat_type": "set" - }, - { - "name": "request_per_user", - "sample_rate": 1, - "stat_type": "counter" - }, - { - "name": "upstream_latency", - "stat_type": "timer" - }, - { - "name": "kong_latency", - "stat_type": "timer" - }, - { - "name": "status_count_per_user", - "sample_rate": 1, - "stat_type": "counter" - }, - { - "name": "status_count_per_workspace", - "sample_rate": 1, - "stat_type": "counter" - }, - { - "name": "status_count_per_user_per_route", - "sample_rate": 1, - "stat_type": "counter" - }, - { - "name": "shdict_usage", - "sample_rate": 1, - "stat_type": "gauge" - }, - { - "name": "cache_datastore_hits_total", - "sample_rate": 
1, - "stat_type": "counter" - }, - { - "name": "cache_datastore_misses_total", - "sample_rate": 1, - "stat_type": "counter" - } - ], - "description": "List of metrics to be logged." + } } }, { "allow_status_codes": { "elements": { - "type": "string", - "match": "^[0-9]+-[0-9]+$" + "match": "^[0-9]+-[0-9]+$", + "type": "string" }, "type": "array", "description": "List of status code ranges that are allowed to be logged in metrics." @@ -259,8 +270,8 @@ }, { "udp_packet_size": { - "type": "number", "default": 0, + "type": "number", "between": [ 0, 65507 @@ -281,38 +292,38 @@ }, { "consumer_identifier_default": { + "default": "custom_id", + "type": "string", "required": true, "one_of": [ "consumer_id", "custom_id", "username" - ], - "default": "custom_id", - "type": "string" + ] } }, { "service_identifier_default": { + "default": "service_name_or_host", + "type": "string", "required": true, "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ], - "default": "service_name_or_host", - "type": "string" + ] } }, { "workspace_identifier_default": { + "default": "workspace_id", + "type": "string", "required": true, "one_of": [ "workspace_id", "workspace_name" - ], - "default": "workspace_id", - "type": "string" + ] } }, { @@ -333,24 +344,25 @@ { "tag_style": { "required": false, + "type": "string", "one_of": [ "dogstatsd", "influxdb", "librato", "signalfx" - ], - "type": "string" + ] } }, { "queue": { "required": true, + "type": "record", "fields": [ { "max_batch_size": { + "default": 1, "type": "integer", "description": "Maximum number of entries that can be processed at a time.", - "default": 1, "between": [ 1, 1000000 @@ -359,9 +371,9 @@ }, { "max_coalescing_delay": { + "default": 1, "type": "number", "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "default": 1, "between": [ 0, 3600 
@@ -370,9 +382,9 @@ }, { "max_entries": { + "default": 10000, "type": "integer", "description": "Maximum number of entries that can be waiting on the queue.", - "default": 10000, "between": [ 1, 1000000 @@ -381,22 +393,22 @@ }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { - "type": "number", "default": 60, + "type": "number", "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { + "default": 0.01, "type": "number", "description": "Time in seconds before the initial retry is made for a failing batch.", - "default": 0.01, "between": [ 0.001, 1000000 @@ -405,27 +417,15 @@ }, { "max_retry_delay": { + "default": 60, "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ], - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff." + ] } } - ], - "type": "record" - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "retry_count", - "queue_size", - "flush_timeout" ] } } diff --git a/schemas/syslog/3.5.x.json b/schemas/syslog/3.5.x.json index b64aca32..64e94bb4 100644 --- a/schemas/syslog/3.5.x.json +++ b/schemas/syslog/3.5.x.json @@ -2,7 +2,6 @@ "fields": [ { "protocols": { - "required": true, "elements": { "one_of": [ "grpc", 
@@ -16,34 +15,38 @@ "ws", "wss" ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string" }, "type": "set", + "description": "A set of strings representing protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "log_level": { "required": true, + "type": "string", + "default": "info", "one_of": [ "debug", "info", @@ -53,14 +56,14 @@ "crit", "alert", "emerg" - ], - "default": "info", - "type": "string" + ] } }, { "successful_severity": { "required": true, + "type": "string", + "default": "info", "one_of": [ "debug", "info", @@ -70,14 +73,14 @@ "crit", "alert", "emerg" - ], - "default": "info", - "type": "string" + ] } }, { "client_errors_severity": { "required": true, + "type": "string", + "default": "info", "one_of": [ "debug", "info", @@ -87,14 +90,14 @@ "crit", "alert", "emerg" - ], - "default": "info", - "type": "string" + ] } }, { "server_errors_severity": { "required": true, + "type": "string", + "default": "info", "one_of": [ "debug", "info", 
@@ -104,28 +107,29 @@ "crit", "alert", "emerg" - ], - "default": "info", - "type": "string" + ] } }, { "custom_fields_by_lua": { - "type": "map", - "keys": { - "type": "string", - "len_min": 1 - }, "values": { "len_min": 1, "type": "string" }, - "description": "Lua code as a key-value map" + "type": "map", + "description": "Lua code as a key-value map", + "keys": { + "len_min": 1, + "type": "string" + } } }, { "facility": { + "type": "string", + "description": "The facility is used by the operating system to decide how to handle each log message.", "required": true, + "default": "user", "one_of": [ "auth", "authpriv", @@ -147,14 +151,10 @@ "local5", "local6", "local7" - ], - "description": "The facility is used by the operating system to decide how to handle each log message.", - "default": "user", - "type": "string" + ] } } - ], - "type": "record" + ] } } ], diff --git a/schemas/tcp-log/3.5.x.json b/schemas/tcp-log/3.5.x.json index 2c6adaf6..435c097c 100644 --- a/schemas/tcp-log/3.5.x.json +++ b/schemas/tcp-log/3.5.x.json @@ -2,7 +2,6 @@ "fields": [ { "protocols": { - "required": true, "elements": { "one_of": [ "grpc", 
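Review bot: The `custom_fields_by_lua` description on the new side of the syslog schema, `"Lua code as a key-value map"`, does not tell an operator that each value is a chunk of Lua whose result is written into the log entry. The tcp-log schema in this same patch already documents that, so I would reuse its wording here and in the udp-log hunk that carries the same short text: `"description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value."`. Because the field accepts code, write access to this plugin's configuration presumably amounts to running code inside the gateway, which is worth stating where the field is documented. These files are pulled from the API, so the wording change belongs in the plugin's schema source.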
@@ -16,43 +15,45 @@ "ws", "wss" ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string" }, "type": "set", + "description": "A set of strings representing protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "host": { "required": true, - "description": "The IP address or host name to send data to.", - "type": "string" + "type": "string", + "description": "The IP address or host name to send data to." } }, { "port": { "required": true, - "description": "The port to send data to on the upstream server.", "type": "integer", + "description": "The port to send data to on the upstream server.", "between": [ 0, 65535 
@@ -61,24 +62,24 @@ }, { "timeout": { - "description": "An optional timeout in milliseconds when sending data to the upstream server.", "default": 10000, - "type": "number" + "type": "number", + "description": "An optional timeout in milliseconds when sending data to the upstream server." } }, { "keepalive": { - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", "default": 60000, - "type": "number" + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." } }, { "tls": { "required": true, + "type": "boolean", "description": "Indicates whether to perform a TLS handshake against the remote server.", - "default": false, - "type": "boolean" + "default": false } }, { @@ -89,20 +90,19 @@ }, { "custom_fields_by_lua": { - "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", "values": { "len_min": 1, "type": "string" }, + "type": "map", + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", "keys": { - "type": "string", - "len_min": 1 - }, - "type": "map" + "len_min": 1, + "type": "string" + } } } - ], - "type": "record" + ] } } ], diff --git a/schemas/tls-handshake-modifier/3.5.x.json b/schemas/tls-handshake-modifier/3.5.x.json index 2895908c..c6fafc79 100644 --- a/schemas/tls-handshake-modifier/3.5.x.json +++ b/schemas/tls-handshake-modifier/3.5.x.json 
@@ -2,55 +2,55 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "https", + "grpcs" + ], "elements": { + "type": "string", "one_of": [ "https", "grpcs", "tls" - ], - "type": "string" - }, - "default": [ - "https", - "grpcs" - ], - "type": "set" + ] + } } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "tls_client_certificate": { + "type": "string", + "description": "TLS Client Certificate", "required": false, + "default": "REQUEST", "one_of": [ "REQUEST" - ], - "type": "string", - "default": "REQUEST", - "description": "TLS Client Certificate" + ] } } - ], - "type": "record" + ] } } ], diff --git a/schemas/tls-metadata-headers/3.5.x.json b/schemas/tls-metadata-headers/3.5.x.json index 49e82f5d..24fbc95f 100644 --- a/schemas/tls-metadata-headers/3.5.x.json +++ b/schemas/tls-metadata-headers/3.5.x.json 
@@ -2,91 +2,91 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "https", + "grpcs" + ], "elements": { + "type": "string", "one_of": [ "https", "grpcs", "tls" - ], - "type": "string" - }, - "default": [ - "https", - "grpcs" - ], - "type": "set" + ] + } } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "inject_client_cert_details": { - "type": "boolean", "default": false, + "type": "boolean", "description": "Enables TLS client certificate metadata values to be injected into HTTP headers." 
} }, { "client_cert_header_name": { - "required": true, - "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", "default": "X-Client-Cert", - "type": "string" + "type": "string", + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", + "required": true } }, { "client_serial_header_name": { - "required": true, - "description": "Define the HTTP header name used for the serial number of the client certificate.", "default": "X-Client-Cert-Serial", - "type": "string" + "type": "string", + "description": "Define the HTTP header name used for the serial number of the client certificate.", + "required": true } }, { "client_cert_issuer_dn_header_name": { - "required": true, - "description": "Define the HTTP header name used for the issuer DN of the client certificate.", "default": "X-Client-Cert-Issuer-DN", - "type": "string" + "type": "string", + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", + "required": true } }, { "client_cert_subject_dn_header_name": { - "required": true, - "description": "Define the HTTP header name used for the subject DN of the client certificate.", "default": "X-Client-Cert-Subject-DN", - "type": "string" + "type": "string", + "description": "Define the HTTP header name used for the subject DN of the client certificate.", + "required": true } }, { "client_cert_fingerprint_header_name": { - "required": true, - "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", "default": "X-Client-Cert-Fingerprint", - "type": "string" + "type": "string", + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", + "required": true } } - ], - "type": "record" + ] } } ], diff --git a/schemas/udp-log/3.5.x.json b/schemas/udp-log/3.5.x.json index 72f00f8d..8043e51e 100644 --- a/schemas/udp-log/3.5.x.json 
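Review bot: Neither `inject_client_cert_details` nor the five `*_header_name` descriptions says what happens when an incoming request already carries `X-Client-Cert`, `X-Client-Cert-Fingerprint` or the other default header names, and the schema alone does not show whether the plugin overwrites or removes them. An upstream that treats these headers as evidence of a verified client certificate depends on that behaviour, so it should be documented on `inject_client_cert_details` once confirmed against the plugin source. A sentence such as `Upstream services should accept these headers only on connections from the gateway.` would cover the deployment side. The schema is downloaded from the API, so the text has to change in the plugin's schema definition.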
+++ b/schemas/udp-log/3.5.x.json @@ -2,7 +2,6 @@ "fields": [ { "protocols": { - "required": true, "elements": { "one_of": [ "grpc", @@ -16,43 +15,45 @@ "ws", "wss" ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string" }, "type": "set", + "description": "A set of strings representing protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "host": { "required": true, - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { "required": true, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 @@ -61,27 +62,26 @@ }, { "timeout": { - "type": "number", "default": 10000, + "type": "number", "description": "An optional timeout in milliseconds when sending data to the upstream server." } }, { "custom_fields_by_lua": { - "type": "map", - "keys": { - "type": "string", - "len_min": 1 - }, "values": { "len_min": 1, "type": "string" }, - "description": "Lua code as a key-value map" + "type": "map", + "description": "Lua code as a key-value map", + "keys": { + "len_min": 1, + "type": "string" + } } } - ], - "type": "record" + ] } } ], 
diff --git a/schemas/upstream-timeout/3.5.x.json b/schemas/upstream-timeout/3.5.x.json index beb3c65f..60d87640 100644 --- a/schemas/upstream-timeout/3.5.x.json +++ b/schemas/upstream-timeout/3.5.x.json @@ -2,37 +2,38 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "read_timeout": { @@ -40,8 +41,8 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -50,8 +51,8 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -60,12 +61,11 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } } - ], - "type": "record" + ] } } ], 
diff --git a/schemas/vault-auth/3.5.x.json b/schemas/vault-auth/3.5.x.json index 8818335f..1a9aac1a 100644 --- a/schemas/vault-auth/3.5.x.json +++ b/schemas/vault-auth/3.5.x.json 
@@ -2,82 +2,83 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "config": { "required": true, + "type": "record", "fields": [ { "access_token_name": { - "required": true, "elements": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" }, "type": "string", + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", "default": "access_token", - "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-]." 
+ "required": true } }, { "secret_token_name": { - "required": true, "elements": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" }, "type": "string", + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", "default": "secret_token", - "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-]." + "required": true } }, { "vault": { "required": true, "type": "foreign", - "reference": "vault_auth_vaults", - "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API." + "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", + "reference": "vault_auth_vaults" } }, { "hide_credentials": { - "type": "boolean", "default": false, + "type": "boolean", "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it." } }, 
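Review bot: `access_token_name` and `secret_token_name` still declare `"type": "string"` next to an `elements` block, while both descriptions call the value "an array of comma-separated parameter names". A consumer of this schema cannot tell whether to send a string or a list, and `elements` appears to have no effect on a string field. If the field really is a single string, the description should open with `A comma-separated string of parameter names where the plugin looks for ...` and the `elements` block should go. The same hunk shows `hide_credentials` defaulting to `false`, so both tokens reach the upstream service unless the operator changes it; the description could say that outright. These files are generated from the API, so the correction belongs in the plugin's schema source.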
@@ -89,20 +90,19 @@ }, { "tokens_in_body": { - "type": "boolean", "default": false, + "type": "boolean", "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." } }, { "run_on_preflight": { - "type": "boolean", "default": true, + "type": "boolean", "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed." } } - ], - "type": "record" + ] } } ], diff --git a/schemas/websocket-size-limit/3.5.x.json b/schemas/websocket-size-limit/3.5.x.json index 62de2696..ccea27e7 100644 --- a/schemas/websocket-size-limit/3.5.x.json +++ b/schemas/websocket-size-limit/3.5.x.json @@ -3,32 +3,40 @@ { "protocols": { "required": true, - "elements": { - "one_of": [ - "ws", - "wss" - ], - "type": "string" - }, + "type": "set", "default": [ "ws", "wss" ], - "type": "set" + "elements": { + "type": "string", + "one_of": [ + "ws", + "wss" + ] + } } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "client_max_payload", + "upstream_max_payload" + ] + } + ], "fields": [ { "client_max_payload": { @@ -50,14 +58,6 @@ ] } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "client_max_payload", - "upstream_max_payload" - ] - } ] } } diff --git a/schemas/websocket-validator/3.5.x.json b/schemas/websocket-validator/3.5.x.json index 3f7cfbcd..d9c5bd6c 100644 
--- a/schemas/websocket-validator/3.5.x.json +++ b/schemas/websocket-validator/3.5.x.json @@ -3,51 +3,77 @@ { "protocols": { "required": true, - "elements": { - "one_of": [ - "ws", - "wss" - ], - "type": "string" - }, + "type": "set", "default": [ "ws", "wss" ], - "type": "set" + "elements": { + "type": "string", + "one_of": [ + "ws", + "wss" + ] + } } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "client", + "upstream" + ] + } + ], "fields": [ { "client": { "required": false, "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } + ], "fields": [ { "text": { "required": false, "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], "fields": [ { "type": { "required": true, "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" - ], - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." + ] } }, { @@ -57,7 +83,13 @@ "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." } } - ], + ] + } + }, + { + "binary": { + "required": false, + "type": "record", "entity_checks": [ { "custom_entity_check": { 
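Review bot: The description re-added under `config.client.text.type` names the wrong field: it says the type is the validation library for `config.upstream.binary.schema`, where it should name `config.client.text.schema`. The later hunks of this file re-add the same upstream/binary wording for `client.binary.type` and `upstream.text.type`. The `schema` descriptions kept as context there also read "upstream-originated binary frames" for every direction and frame type. An operator configuring frame validation from these descriptions cannot tell which traffic a given schema applies to, so each description should name its own path. The file is pulled from the API, so the fix belongs in the plugin's schema source.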
@@ -67,22 +99,16 @@ ] } } - ] - } - }, - { - "binary": { - "required": false, - "type": "record", + ], "fields": [ { "type": { "required": true, "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" - ], - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." + ] } }, { @@ -92,27 +118,9 @@ "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "type", - "schema" - ] - } - } ] } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "text", - "binary" - ] - } ] } }, @@ -120,20 +128,38 @@ "upstream": { "required": false, "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } + ], "fields": [ { "text": { "required": false, "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], "fields": [ { "type": { "required": true, "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" - ], - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." + ] } }, { @@ -143,7 +169,13 @@ "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." } } - ], + ] + } + }, + { + "binary": { + "required": false, + "type": "record", "entity_checks": [ { "custom_entity_check": { 
@@ -153,22 +185,16 @@ ] } } - ] - } - }, - { - "binary": { - "required": false, - "type": "record", + ], "fields": [ { "type": { "required": true, "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" - ], - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." + ] } }, { @@ -178,38 +204,12 @@ "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "type", - "schema" - ] - } - } ] } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "text", - "binary" - ] - } ] } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "client", - "upstream" - ] - } ] } } diff --git a/schemas/xml-threat-protection/3.5.x.json b/schemas/xml-threat-protection/3.5.x.json index 098a6a16..03b85a74 100644 --- a/schemas/xml-threat-protection/3.5.x.json +++ b/schemas/xml-threat-protection/3.5.x.json 
@@ -2,292 +2,292 @@ "fields": [ { "protocols": { - "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, "type": "record", + "entity_checks": [ + { + "conditional": { + "then_field": "max_namespaces", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + }, + "if_field": "namespace_aware" + } + }, + { + "conditional": { + "then_field": "prefix", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + }, + "if_field": "namespace_aware" + } + }, + { + "conditional": { + "then_field": "namespaceuri", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + }, + "if_field": "namespace_aware" + } + } + ], "fields": [ { "checked_content_types": { - "required": true, "elements": { "required": true, - "match": "^[^%s]+%/[^ ;]+$", - "type": "string" + "type": "string", + "match": "^[^%s]+%/[^ ;]+$" }, "type": "set", + "description": "A list of Content-Type values with payloads that must be validated.", + "required": true, "default": [ "application/xml" - ], - "description": "A list of Content-Type values with payloads that must be validated." 
+ ] } }, { "allowed_content_types": { - "required": true, "elements": { "required": true, - "match": "^[^%s]+%/[^ ;]+$", - "type": "string" + "type": "string", + "match": "^[^%s]+%/[^ ;]+$" }, "type": "set", + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", + "required": true, "default": [ - ], - "description": "A list of Content-Type values with payloads that are allowed, but aren't validated." + ] } }, { "allow_dtd": { - "required": true, - "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", + "required": true } }, { "namespace_aware": { - "required": true, - "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", "default": true, - "type": "boolean" + "type": "boolean", + "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", + "required": true } }, { "max_depth": { - "gt": 0, "type": "integer", + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", "required": true, - "default": 50, - "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level." + "gt": 0, + "default": 50 } }, { "max_children": { - "gt": 0, "type": "integer", + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. 
For example, text-cdata-text-cdata is one child.", "required": true, - "default": 100, - "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child." + "gt": 0, + "default": 100 } }, { "max_attributes": { - "gt": 0, "type": "integer", + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", "required": true, - "default": 100, - "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes." + "gt": 0, + "default": 100 } }, { "max_namespaces": { - "gt": 0, "type": "integer", + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", "required": false, - "default": 20, - "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware." + "gt": 0, + "default": 20 } }, { "document": { - "gt": 0, + "type": "integer", "description": "Maximum size of the entire document.", "required": true, - "default": 10485760, - "type": "integer" + "gt": 0, + "default": 10485760 } }, { "buffer": { - "gt": 0, + "type": "integer", "description": "Maximum size of the unparsed buffer (see below).", "required": true, - "default": 1048576, - "type": "integer" + "gt": 0, + "default": 1048576 } }, { "comment": { - "gt": 0, + "type": "integer", "description": "Maximum size of comments.", "required": true, - "default": 1024, - "type": "integer" + "gt": 0, + "default": 1024 } }, { "localname": { - "gt": 0, + "type": "integer", "description": "Maximum size of the localname. 
This applies to tags and attributes.", "required": true, - "default": 1024, - "type": "integer" + "gt": 0, + "default": 1024 } }, { "prefix": { - "gt": 0, + "type": "integer", "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", "required": false, - "default": 1024, - "type": "integer" + "gt": 0, + "default": 1024 } }, { "namespaceuri": { - "gt": 0, + "type": "integer", "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware.", "required": false, - "default": 1024, - "type": "integer" + "gt": 0, + "default": 1024 } }, { "attribute": { - "gt": 0, + "type": "integer", "description": "Maximum size of the attribute value.", "required": true, - "default": 1048576, - "type": "integer" + "gt": 0, + "default": 1048576 } }, { "text": { - "gt": 0, + "type": "integer", "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", "required": true, - "default": 1048576, - "type": "integer" + "gt": 0, + "default": 1048576 } }, { "pitarget": { - "gt": 0, + "type": "integer", "description": "Maximum size of processing instruction targets.", "required": true, - "default": 1024, - "type": "integer" + "gt": 0, + "default": 1024 } }, { "pidata": { - "gt": 0, + "type": "integer", "description": "Maximum size of processing instruction data.", "required": true, - "default": 1024, - "type": "integer" + "gt": 0, + "default": 1024 } }, { "entityname": { - "gt": 0, + "type": "integer", "description": "Maximum size of entity names in EntityDecl.", "required": true, - "default": 1024, - "type": "integer" + "gt": 0, + "default": 1024 } }, { "entity": { - "gt": 0, + "type": "integer", "description": "Maximum size of entity values in EntityDecl.", "required": true, - "default": 1024, - "type": "integer" + "gt": 0, + "default": 1024 } }, { "entityproperty": { - "gt": 0, + "type": "integer", "description": "Maximum size of 
systemId, publicId, or notationName in EntityDecl.", "required": true, - "default": 1024, - "type": "integer" + "gt": 0, + "default": 1024 } }, { "bla_max_amplification": { - "gt": 1, "type": "number", + "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", "required": true, - "default": 100, - "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack." + "gt": 1, + "default": 100 } }, { "bla_threshold": { - "required": true, + "type": "integer", "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", + "required": true, "gt": 1024, - "default": 8388608, - "type": "integer" - } - } - ], - "entity_checks": [ - { - "conditional": { - "then_field": "max_namespaces", - "if_field": "namespace_aware", - "then_match": { - "required": true - }, - "if_match": { - "eq": true - } - } - }, - { - "conditional": { - "then_field": "prefix", - "if_field": "namespace_aware", - "then_match": { - "required": true - }, - "if_match": { - "eq": true - } - } - }, - { - "conditional": { - "then_field": "namespaceuri", - "if_field": "namespace_aware", - "then_match": { - "required": true - }, - "if_match": { - "eq": true - } + "default": 8388608 } } ] diff --git a/schemas/zipkin/3.5.x.json b/schemas/zipkin/3.5.x.json index f7f89d89..9a8af17c 100644 --- a/schemas/zipkin/3.5.x.json +++ b/schemas/zipkin/3.5.x.json @@ -2,7 +2,6 @@ "fields": [ { "protocols": { - "required": true, "elements": { "one_of": [ "grpc", 
@@ -16,85 +15,90 @@ "ws", "wss" ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string" }, "type": "set", + "description": "A set of strings representing protocols.", + "required": true, "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { "required": true, + "type": "record", "fields": [ { "local_service_name": { "required": true, "type": "string", - "default": "kong", - "description": "The name of the service as displayed in Zipkin." + "description": "The name of the service as displayed in Zipkin.", + "default": "kong" } }, { "http_endpoint": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "sample_ratio": { + "default": 0.001, "type": "number", + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", "between": [ 0, 1 - ], - "default": 0.001, - "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. " + ] } }, { "default_service_name": { - "type": "string", - "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans." 
+ "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans.", + "type": "string" } }, { "include_credential": { "required": true, "type": "boolean", - "default": true, - "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server." + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", + "default": true } }, { "traceid_byte_count": { + "type": "integer", + "description": "The length in bytes of each request's Trace ID.", "required": true, + "default": 16, "one_of": [ 8, 16 - ], - "description": "The length in bytes of each request's Trace ID.", - "default": 16, - "type": "integer" + ] } }, { "header_type": { + "type": "string", + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", "required": true, + "default": "preserve", "one_of": [ "preserve", "ignore", @@ -106,15 +110,15 @@ "aws", "datadog", "gcp" - ], - "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", - "default": "preserve", - "type": "string" + ] } }, { "default_header_type": { + "type": "string", + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", "required": true, + "default": "b3", "one_of": [ "b3", "b3-single", 
@@ -124,27 +128,26 @@ "aws", "datadog", "gcp" - ], - "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", - "default": "b3", - "type": "string" + ] } }, { "tags_header": { "required": true, "type": "string", - "default": "Zipkin-Tags", - "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property." + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", + "default": "Zipkin-Tags" } }, { "static_tags": { "elements": { + "type": "record", "fields": [ { "name": { "required": true, + "type": "string", "not_one_of": [ "error", "http.method", @@ -159,8 +162,7 @@ "kong.service", "lc", "peer.hostname" - ], - "type": "string" + ] } }, { 
@@ -169,56 +171,55 @@ "type": "string" } } - ], - "type": "record" + ] }, - "description": "The tags specified on this property will be added to the generated request traces.", - "type": "array" + "type": "array", + "description": "The tags specified on this property will be added to the generated request traces." } }, { "http_span_name": { + "type": "string", + "description": "Specify whether to include the HTTP path in the span name.", "required": true, + "default": "method", "one_of": [ "method", "method_path" - ], - "description": "Specify whether to include the HTTP path in the span name.", - "default": "method", - "type": "string" + ] } }, { "connect_timeout": { + "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "default": 2000, - "type": "integer" + ] } }, { "send_timeout": { + "default": 5000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "default": 5000, - "type": "integer" + ] } }, { "read_timeout": { + "default": 5000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "default": 5000, - "type": "integer" + ] } }, { 
@@ -228,25 +229,26 @@ }, { "phase_duration_flavor": { + "type": "string", + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", "required": true, + "default": "annotations", "one_of": [ "annotations", "tags" - ], - "description": "Specify whether to include the duration of each phase as an annotation or a tag.", - "default": "annotations", - "type": "string" + ] } }, { "queue": { "required": true, + "type": "record", "fields": [ { "max_batch_size": { + "default": 1, "type": "integer", "description": "Maximum number of entries that can be processed at a time.", - "default": 1, "between": [ 1, 1000000 @@ -255,9 +257,9 @@ }, { "max_coalescing_delay": { + "default": 1, "type": "number", "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "default": 1, "between": [ 0, 3600 @@ -266,9 +268,9 @@ }, { "max_entries": { + "default": 10000, "type": "integer", "description": "Maximum number of entries that can be waiting on the queue.", - "default": 10000, "between": [ 1, 1000000 @@ -277,22 +279,22 @@ }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { - "type": "number", "default": 60, + "type": "number", "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { + "default": 0.01, "type": "number", "description": "Time in seconds before the initial retry is made for a failing batch.", - "default": 0.01, "between": [ 0.001, 1000000 
@@ -301,21 +303,19 @@ }, { "max_retry_delay": { + "default": 60, "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ], - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff." + ] } } - ], - "type": "record" + ] } } - ], - "type": "record" + ] } } ], From 4a0747454d6099b3aafdd45321cb340051872fdd Mon Sep 17 00:00:00 2001 
From: "lena.larionova" Date: Wed, 25 Oct 2023 14:23:54 -0700 Subject: [PATCH 016/165] fix 3.4 schemas --- schemas/.DS_Store | Bin 0 -> 22532 bytes schemas/acl/3.4.x.json | 64 +- schemas/acme/3.4.x.json | 206 ++-- schemas/application-registration/3.4.x.json | 60 +- schemas/aws-lambda/3.4.x.json | 98 +- schemas/azure-functions/3.4.x.json | 68 +- schemas/basic-auth/3.4.x.json | 36 +- schemas/bot-detection/3.4.x.json | 38 +- schemas/canary/3.4.x.json | 126 +-- schemas/correlation-id/3.4.x.json | 40 +- schemas/cors/3.4.x.json | 58 +- schemas/datadog/3.4.x.json | 164 +-- schemas/degraphql/3.4.x.json | 40 +- schemas/exit-transformer/3.4.x.json | 30 +- schemas/file-log/3.4.x.json | 46 +- schemas/forward-proxy/3.4.x.json | 64 +- .../graphql-proxy-cache-advanced/3.4.x.json | 44 +- .../graphql-rate-limiting-advanced/3.4.x.json | 152 +-- schemas/grpc-gateway/3.4.x.json | 26 +- schemas/grpc-web/3.4.x.json | 34 +- schemas/hmac-auth/3.4.x.json | 66 +- schemas/http-log/3.4.x.json | 98 +- schemas/ip-restriction/3.4.x.json | 52 +- schemas/jq/3.4.x.json | 100 +- schemas/jwe-decrypt/3.4.x.json | 46 +- schemas/jwt-signer/3.4.x.json | 358 +++---- schemas/jwt/3.4.x.json | 86 +- schemas/kafka-log/3.4.x.json | 108 +- schemas/kafka-upstream/3.4.x.json | 140 +-- schemas/key-auth-enc/3.4.x.json | 56 +- schemas/key-auth/3.4.x.json | 50 +- schemas/konnect-application-auth/3.4.x.json | 50 +- schemas/ldap-auth-advanced/3.4.x.json | 134 +-- schemas/ldap-auth/3.4.x.json | 66 +- schemas/loggly/3.4.x.json | 48 +- schemas/mocking/3.4.x.json | 60 +- schemas/mtls-auth/3.4.x.json | 76 +- schemas/oas-validation/3.4.x.json | 34 +- schemas/oauth2-introspection/3.4.x.json | 62 +- schemas/oauth2/3.4.x.json | 118 +-- schemas/opa/3.4.x.json | 70 +- schemas/openid-connect/3.4.x.json | 972 +++++++++--------- schemas/opentelemetry/3.4.x.json | 103 +- schemas/post-function/3.4.x.json | 122 +-- schemas/pre-function/3.4.x.json | 122 +-- schemas/prometheus/3.4.x.json | 46 +- schemas/proxy-cache-advanced/3.4.x.json | 
183 ++-- schemas/proxy-cache/3.4.x.json | 119 ++- schemas/rate-limiting-advanced/3.4.x.json | 162 +-- schemas/rate-limiting/3.4.x.json | 254 ++--- schemas/request-size-limiting/3.4.x.json | 34 +- schemas/request-termination/3.4.x.json | 30 +- .../request-transformer-advanced/3.4.x.json | 188 ++-- schemas/request-transformer/3.4.x.json | 134 +-- schemas/request-validator/3.4.x.json | 74 +- schemas/response-ratelimiting/3.4.x.json | 188 ++-- .../response-transformer-advanced/3.4.x.json | 154 +-- schemas/response-transformer/3.4.x.json | 160 +-- schemas/route-by-header/3.4.x.json | 40 +- schemas/route-transformer-advanced/3.4.x.json | 30 +- schemas/saml/3.4.x.json | 290 +++--- schemas/session/3.4.x.json | 132 +-- schemas/statsd-advanced/3.4.x.json | 216 ++-- schemas/statsd/3.4.x.json | 178 ++-- schemas/syslog/3.4.x.json | 48 +- schemas/tcp-log/3.4.x.json | 46 +- schemas/tls-handshake-modifier/3.4.x.json | 34 +- schemas/tls-metadata-headers/3.4.x.json | 52 +- schemas/udp-log/3.4.x.json | 44 +- schemas/upstream-timeout/3.4.x.json | 38 +- schemas/vault-auth/3.4.x.json | 64 +- schemas/websocket-size-limit/3.4.x.json | 32 +- schemas/websocket-validator/3.4.x.json | 72 +- schemas/xml-threat-protection/3.4.x.json | 150 +-- schemas/zipkin/3.4.x.json | 146 +-- 75 files changed, 4033 insertions(+), 3896 deletions(-) create mode 100644 schemas/.DS_Store 
diff --git a/schemas/.DS_Store b/schemas/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..0067c7c3cb0a5639c3f1128426b40bc99f6105d9 GIT binary patch literal 22532 zcmeHPe{5A(9Y6QAg%;YTw%?wBouHr#UE{&d^bX zI}ZMT9M>A?D>bC@YKhva3aTq4{oi*Z2S~)B8fUHQRl^+rK(V{MtG`G*Y6p(pvhYOD zZ&u+uc&Y}-71f9u1=k)mrUt=!RBgn)!T#Q58}h}0AxPoaH;IpFIIAJusRmU4P#;To z4lB|T_tYtft9q0$3@aw&fAEiSvIE8T5`*QhpEL|i-c(NIs92z4frP_h8^53M-q+U8xy-K*|8@Ig~(N~bBbKJXoWfWFu2UE93txO>&A z(9x>6x~h)nVmPik?zfUSu5I3R+`YQ$%5l||8b zEN~O^VV(PnVF~V8?(WGg@_ge!KHP(jmJ;5tGf5Dq0m&%*-9Jxf+92j}qnJlQ-V97}9S zo|p(ra4hdOPd8Ws`EWGRQUZ^fBs_D0ryq7%qWbjH?Z$WdwpmAD24Jmjw2U5{1vM<~ zHgA7cea>ay!dk;669&$-+&rWmI>-(!B|8j&DYd|EoOC726!hP)fEtlDxaE~Bx}5)G zSJWB)smtcv%h9*+o{kt^cT|1s`U2PmBshmZ&!1s9grxj-8!aXA9H!^c1Uy5igQGeI zNO8j@_`VU>0_x(J8kP3H?{{f*IOeU3XBy0jWpR6F(UZKWnW!1M_Z&l8qsVC|F;RVz z%hNxNlH>S~tgbist$A|HNwN~BwttHk!5)FN^ST!xyfiv)#}lAli=M^C;B#0o2JESI zIiH)?H5fh_^!?gZj=tpG0qAOul{bxe#Mtc%ioqW62j5Ju$vNNk`9{MzWx4#RX4jT{ z4-ntW)WZ~$*R8A1YisnRDfV7O-7G}K_4nVEO`G%H`uHrvJ45-LdwDrX{-=olG}Pyf zV7nQga^=F=O|w3c&N)(|kk%J<{_-IHqS;H>MwTXm3f-um8>`k~KK?of981*b~a()i}MD;NwPaW?-LD zr}oTf-;vd$yoaI_RymIS?xTwh_6S+u?n$y1oDIN99tHI%6j_P%EV{^-kCEn>cbxpF z!5pjMBTuJc!9PuR71R?Bt8JoQt6$6mVv)` zX@2Jg|5W0-=c~XKE6;HrEL>}FCg}LM)9MHwZoRGccmyJ8hh7BcQX0p1UFUTMA4~VK z*wRJ0j&A?cJujXjd%+m6^W+CmdO(6>IKOkL!4Q)2kwi;LJbKulCGntrP|S;FBk)L7 zFCTgmMCHS;Z32}94Nh&xH%{cfwL)+3OVskIrq>eG-4)I{-4)QLLz-;#sV%Bsa#(Ob zI9Q}O?#Alt%_Ff&`dH&7CBFSA7$6G>k08iZdMJbFXnS^e>jQ4lG=@rq$z+C zz50fa8KQ}0@zEuVp2Y~YI_lpKy4JOdKB~ka8IF6!+8YdRi=6*>;^ZW*Nfe0@!hH~1 zb&uQ)bZ*S*;b8Cl^snNjIo20;-Dt4J?6`$kBcbb;w^@>CM znw#2iaVmLn?#)d%8SZ6c*!w%fbcvmmvlz}#k$>%93p!-Xv8|Ci>Q4gbizdHqNu zFL1kVa%h*j>{r*{if0;<;W*h&c8KD50B1-;mOM#vb!d+Ruu$YYd*33v6fgbL^|u-; zS@PrdiIsXW9ZGBrH|C1znj`!-HwHdszWpM0ibp#K$=H=8TwMEvplS_eD-{-g{-dSaEd1-!& z4yK86oK|F~W}+N=f5i2a^03=B*e|f+x$tw*k{rwUhSdg3M84cQ$trrqEvrTW$hr;75Ny~q@vEZN7bNA_Zt9Nd#o^ZOl9avaN5Pu*^?So7qT zNs<*fYfcf)I;<*nVwOUmwz-qD;!3*|$GBX5%3!qQ#}UR$3VhBu;cFE50_*Lfo;%x4 
zC&_cnoh#NF%&}!~^l5b@4{hgK@F<{-L_|L(?f~|X49DBGYMsGrk@IV3oSeYr_80X* zTtHZ$om0ZLY7f0<7Aebd{`mPj49*yNA8#6YiF-ewAUe4jF3zBCSJY3FT`3kE4wqV^ zO^e?vClAi^PlsMKJTqhAb!sa4NV{~9UFu)~#5DC-W@GML@4BlYDbDS&YhE(kEctQt z@sa|cbAa&84&&3$E_%nFGw}7adYr?Z&m1uvQkBVBW!1ItoCcnV+~8k-aJG7y;SG3%RnoUqyrjVAbf932H$}7_S|O18X)JGz<_D7GIp#0@ z_PD_uTL!mmS{=bd?Ij-5G!MOVODz{q-TD4y!E}yu&8x2)oFWg7D@sP-aNBze#{sKS zEu`2Xy_Y+LktSk}eYyo0Q|og4EzACD@MqBXYfL%%l6ME7V^&!NKe@J~el*8V;h3L! z@C}36)8p0-r^@o0s647uWY0lZnBq(ne=m)WCIm>q`B*_wQ5yEXnIz9iVV4b|KF}j zM840?Nj&-XTRw>x4WC3h4M{@JYRx<9p*2cTk<^sle-Gu&E0E=V`H;N8?JR{M;hnj0 zShvd1p6RjRs%ksU5Uq0D*1a$P&Dc6Z*0*w!tib8c&S!c!5iizl+KabJ>z;cDNFyXU z){%K{8?2GiKH6kyf!FnVTkLp&JvPSq(0yQ#T9=%m;b}qAVc}Q7c4Ia!Qbs~=7jju z;5v+6(mM>jZSexFNTtx?wx~JsuCYZbO}}nr(-iz%uh;E&$Ri`Kf!;Eul@NDCE4@Wy z>Gzz`UhvGI&G~LR_D{n%Qw~1w@^X;;4}bvX9`3pi=WlHpq9<@BXdh5&UCzDv!Ue-U zgTBwa9DTt%*9Pe7%Cx)_dW75uzc{trxNRmbUNp9u0zTd=T$&uE{q~amX2E{?O+VdY zy7Vlay@4rei&{x-B|(GRVSD4hj2#lS{F;$oOYm`{b5{sH))tUZ6Vw{o>rqxdock}A zDf8x1nR)pZnQC4ZJC%MXPCQ}f+xVqE> zT`2}Zf6!0y+)Ll-!2J&W#r-}`-yOQEuUZv5o|117K d=3hK&V~twKar`h 1, this is the max idle time before sending a log with less than `queue_size` records." + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" } }, { 
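Review bot: `schemas/.DS_Store` is macOS Finder metadata rather than a schema, and this commit adds it as a new 22532-byte binary blob alongside the 3.4.x schema changes. Files of this kind record names of entries in the author's local folder and cannot be meaningfully reviewed in a diff, so it should be dropped from the commit with `git rm --cached schemas/.DS_Store` and kept out with a `.DS_Store` line in `.gitignore`. The binary patch is truncated in this view, so its contents were not inspected.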
@@ -113,35 +110,35 @@ "fields": [ { "max_batch_size": { + "default": 1, + "type": "integer", "between": [ 1, 1000000 ], - "default": 1, - "description": "Maximum number of entries that can be processed at a time.", - "type": "integer" + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { + "default": 1, + "type": "number", "between": [ 0, 3600 ], - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "type": "number" + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { + "default": 10000, + "type": "integer", "between": [ 1, 1000000 ], - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue.", - "type": "integer" + "description": "Maximum number of entries that can be waiting on the queue." } }, { 
@@ -152,96 +149,98 @@ }, { "max_retry_time": { - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "default": 60, - "type": "number" + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { + "default": 0.01, + "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch.", - "type": "number" + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { + "default": 60, + "type": "number", "between": [ 0.001, 1000000 ], - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff.", - "type": "number" + "description": "Maximum time in seconds between retries, caps exponential backoff." } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "metrics": { "default": [ { + "name": "request_count", + "stat_type": "counter", "tags": [ "app:kong" ], - "sample_rate": 1, - "stat_type": "counter", - "name": "request_count", - "consumer_identifier": "custom_id" + "consumer_identifier": "custom_id", + "sample_rate": 1 }, { - "stat_type": "timer", - "name": "latency", "tags": [ "app:kong" ], - "consumer_identifier": "custom_id" + "consumer_identifier": "custom_id", + "name": "latency", + "stat_type": "timer" }, { - "stat_type": "timer", - "name": "request_size", "tags": [ "app:kong" ], - "consumer_identifier": "custom_id" + "consumer_identifier": "custom_id", + "name": "request_size", + "stat_type": "timer" }, { - "stat_type": "timer", - "name": "response_size", "tags": [ "app:kong" ], - "consumer_identifier": "custom_id" + "consumer_identifier": "custom_id", + "name": "response_size", + "stat_type": "timer" }, { - "stat_type": "timer", - "name": "upstream_latency", "tags": [ "app:kong" ], - "consumer_identifier": 
"custom_id" + "consumer_identifier": "custom_id", + "name": "upstream_latency", + "stat_type": "timer" }, { - "stat_type": "timer", - "name": "kong_latency", "tags": [ "app:kong" ], - "consumer_identifier": "custom_id" + "consumer_identifier": "custom_id", + "name": "kong_latency", + "stat_type": "timer" } ], + "required": true, + "type": "array", + "description": "List of metrics to be logged.", "elements": { "fields": [ { "name": { - "required": true, "description": "Datadog metric’s name", "one_of": [ "kong_latency", @@ -251,12 +250,12 @@ "response_size", "upstream_latency" ], + "required": true, "type": "string" } }, { "stat_type": { - "required": true, "description": "Determines what sort of event the metric represents", "one_of": [ "counter", @@ -267,17 +266,18 @@ "timer", "distribution" ], + "required": true, "type": "string" } }, { "tags": { - "description": "List of tags", + "type": "array", "elements": { "type": "string", "match": "^.*[^:]$" }, - "type": "array" + "description": "List of tags" } }, { @@ -286,44 +286,41 @@ 0, 1 ], - "description": "Sampling rate", - "type": "number" + "type": "number", + "description": "Sampling rate" } }, { "consumer_identifier": { - "description": "Authenticated user detail", "one_of": [ "consumer_id", "custom_id", "username" ], - "type": "string" + "type": "string", + "description": "Authenticated user detail" } } ], "entity_checks": [ { "conditional": { - "then_match": { - "required": true - }, + "then_field": "sample_rate", "if_match": { "one_of": [ "counter", "gauge" ] }, - "then_field": "sample_rate", + "then_match": { + "required": true + }, "if_field": "stat_type" } } ], "type": "record" - }, - "type": "array", - "description": "List of metrics to be logged.", - "required": true + } } } ], @@ -338,9 +335,12 @@ } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
diff --git a/schemas/degraphql/3.4.x.json b/schemas/degraphql/3.4.x.json index 66b1a91e..2bd888ab 100644 --- a/schemas/degraphql/3.4.x.json +++ b/schemas/degraphql/3.4.x.json @@ -1,14 +1,11 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { @@ -19,26 +16,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -47,22 +44,25 @@ { "graphql_server_path": { "default": "/graphql", - "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "starts_with": "/", - "required": true, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ] + ], + "type": "string", + "starts_with": "/", + "required": true, + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/exit-transformer/3.4.x.json b/schemas/exit-transformer/3.4.x.json index 98fba6ef..626dc3ad 100644 
--- a/schemas/exit-transformer/3.4.x.json +++ b/schemas/exit-transformer/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { @@ -11,26 +8,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -38,11 +35,11 @@ "fields": [ { "functions": { - "required": true, + "type": "array", "elements": { "type": "string" }, - "type": "array" + "required": true } }, { @@ -60,9 +57,12 @@ } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/file-log/3.4.x.json b/schemas/file-log/3.4.x.json index 0bf904fe..7e930751 100644 --- a/schemas/file-log/3.4.x.json +++ b/schemas/file-log/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { @@ -11,8 +8,10 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing protocols.", + "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -25,19 +24,17 @@ "ws", "wss" ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -45,39 +42,42 @@ "fields": [ { "path": { + "match": "^[^*&%%\\`]+$", "type": "string", - "err": "not a valid filename", - "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", "required": true, - "match": "^[^*&%%\\`]+$" + "err": "not a valid filename", + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet." } }, { "reopen": { - "description": "Determines whether the log file is closed and reopened on every request.", "default": false, - "required": true, - "type": "boolean" + "description": "Determines whether the log file is closed and reopened on every request.", + "type": "boolean", + "required": true } }, { "custom_fields_by_lua": { - "keys": { + "values": { "len_min": 1, "type": "string" }, - "description": "Lua code as a key-value map", - "values": { + "keys": { "len_min": 1, "type": "string" }, - "type": "map" + "type": "map", + "description": "Lua code as a key-value map" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/forward-proxy/3.4.x.json b/schemas/forward-proxy/3.4.x.json index ac1a8ce9..68b4c942 100644 --- a/schemas/forward-proxy/3.4.x.json +++ b/schemas/forward-proxy/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { 
@@ -11,42 +8,43 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "config": { + "required": true, "fields": [ { "x_headers": { "default": "append", "type": "string", - "description": "Determines how to handle headers when forwarding the request.", - "required": true, "one_of": [ "append", "transparent", "delete" - ] + ], + "description": "Determines how to handle headers when forwarding the request.", + "required": true } }, { @@ -61,8 +59,8 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { 
@@ -77,47 +75,46 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "proxy_scheme": { "default": "http", "type": "string", - "description": "The proxy scheme to use when connecting. Only `http` is supported.", - "required": true, "one_of": [ "http" - ] + ], + "description": "The proxy scheme to use when connecting. Only `http` is supported.", + "required": true } }, { "auth_username": { - "referenceable": true, - "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", "required": false, - "type": "string" + "referenceable": true, + "type": "string", + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication." } }, { "auth_password": { - "referenceable": true, - "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", "required": false, - "type": "string" + "referenceable": true, + "type": "string", + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication." } }, { "https_verify": { - "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", "default": false, "required": true, - "type": "boolean" + "type": "boolean", + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate." } } ], - "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -144,7 +141,6 @@ ] } ], - "required": true, "shorthand_fields": [ { "proxy_host": { @@ -156,8 +152,12 @@ "type": "integer" } } - ] + ], + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
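Review bot: In schemas/forward-proxy/3.4.x.json, `auth_password` is declared with `"referenceable": true` but no `"encrypted": true`, whereas the Redis `password` and `sentinel_password` fields in schemas/graphql-rate-limiting-advanced/3.4.x.json in this same patch carry both flags. If that matches the plugin's real schema, the proxy credential presumably lacks the at-rest protection the Redis ones get, so its description should steer users to a vault reference. If it is an omission, `"encrypted": true` belongs in the upstream schema this file is downloaded from, not in a hand edit here. The same hunk keeps `https_verify` at `"default": false`, and its description would be clearer with a sentence such as `Defaults to false, so the server certificate is not verified unless this is enabled.`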
diff --git a/schemas/graphql-proxy-cache-advanced/3.4.x.json b/schemas/graphql-proxy-cache-advanced/3.4.x.json index c96124b0..82c49948 100644 --- a/schemas/graphql-proxy-cache-advanced/3.4.x.json +++ b/schemas/graphql-proxy-cache-advanced/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { @@ -11,26 +8,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -39,20 +36,20 @@ { "strategy": { "default": "memory", - "type": "string", - "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", "required": true, "one_of": [ "memory" - ] + ], + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", + "type": "string" } }, { "cache_ttl": { "default": 300, "gt": 0, - "description": "TTL in seconds of cache entities. Must be a value greater than 0.", - "type": "integer" + "type": "integer", + "description": "TTL in seconds of cache entities. Must be a value greater than 0." } }, { 
@@ -61,14 +58,14 @@ { "dictionary_name": { "default": "kong_db_cache", - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", "required": true, - "type": "string" + "type": "string", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template." } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -81,9 +78,12 @@ } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/graphql-rate-limiting-advanced/3.4.x.json b/schemas/graphql-rate-limiting-advanced/3.4.x.json index cd9e1338..ce7402a1 100644 --- a/schemas/graphql-rate-limiting-advanced/3.4.x.json +++ b/schemas/graphql-rate-limiting-advanced/3.4.x.json @@ -1,13 +1,4 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { @@ -17,26 +8,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { 
@@ -46,113 +37,113 @@ "identifier": { "default": "consumer", "type": "string", - "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", - "required": true, "one_of": [ "ip", "credential", "consumer" - ] + ], + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", + "required": true } }, { "window_size": { + "type": "array", "required": true, - "description": "One or more window sizes to apply a limit to (defined in seconds).", "elements": { "type": "number" }, - "type": "array" + "description": "One or more window sizes to apply a limit to (defined in seconds)." } }, { "window_type": { "default": "sliding", - "description": "Sets the time window to either `sliding` or `fixed`.", "one_of": [ "fixed", "sliding" ], - "type": "string" + "type": "string", + "description": "Sets the time window to either `sliding` or `fixed`." } }, { "limit": { + "type": "array", "required": true, - "description": "One or more requests-per-window limits to apply.", "elements": { "type": "number" }, - "type": "array" + "description": "One or more requests-per-window limits to apply." } }, { "sync_rate": { - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.", "required": true, + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. 
A value greater than 0 syncs the counters in that many number of seconds.", "type": "number" } }, { "namespace": { - "description": "The rate limiting library namespace to use for this plugin instance.", + "auto": true, "type": "string", - "auto": true + "description": "The rate limiting library namespace to use for this plugin instance. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same." } }, { "strategy": { "default": "cluster", "type": "string", - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", - "required": true, "one_of": [ "cluster", "redis" - ] + ], + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", + "required": true } }, { "dictionary_name": { "default": "kong_rate_limiting_counters", - "description": "The shared dictionary where counters will be stored until the next sync cycle.", "required": true, - "type": "string" + "type": "string", + "description": "The shared dictionary where counters will be stored until the next sync cycle." } }, { "hide_client_headers": { "default": false, - "description": "Optionally hide informative response headers. Available options: `true` or `false`.", - "type": "boolean" + "type": "boolean", + "description": "Optionally hide informative response headers. Available options: `true` or `false`." } }, { "cost_strategy": { "default": "default", - "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", "one_of": [ "default", "node_quantifier" ], - "type": "string" + "type": "string", + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`." } }, { "score_factor": { "default": 1, - "type": "number", - "description": "A scoring factor to multiply (or divide) the cost. 
The `score_factor` must always be greater than 0.", + "gt": 0, "required": false, - "gt": 0 + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", + "type": "number" } }, { "max_cost": { "default": 0, - "description": "A defined maximum cost per query. 0 means unlimited.", "required": false, - "type": "number" + "type": "number", + "description": "A defined maximum cost per query. 0 means unlimited." } }, { @@ -170,18 +161,18 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, @@ -191,8 +182,8 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -201,8 +192,8 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -211,8 +202,8 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { 
@@ -224,10 +215,10 @@ }, { "password": { - "referenceable": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "encrypted": true, - "type": "string" + "referenceable": true, + "type": "string", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." } }, { @@ -239,27 +230,27 @@ }, { "sentinel_password": { - "referenceable": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "encrypted": true, - "type": "string" + "referenceable": true, + "type": "string", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer" } }, { "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 ], - "default": 30, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value.", "type": "integer" } }, 
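Review bot: The `keepalive_pool_size` hunk in schemas/graphql-rate-limiting-advanced/3.4.x.json replaces `"default": 30` with `"default": 256`, a value change that the commit message does not mention; it speaks only of descriptions being merged into the schemas. Anyone sizing Redis connection limits from this schema now reads a different per-worker pool default. After confirming the value against the 3.4.x API output, the commit description should say so, for example `Also picks up the new keepalive_pool_size default (256).` The enclosing record starts and ends outside this hunk.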
@@ -269,8 +260,8 @@ 0, 2147483646 ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued connect operations resume once the number of connections in the pool is less than `keepalive_pool_size`. Note that queued connect operations are subject to set timeouts.", - "type": "integer" + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { 
@@ -281,47 +272,47 @@ }, { "sentinel_role": { - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", "one_of": [ "master", "slave", "any" ], - "type": "string" + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." } }, { "sentinel_addresses": { "len_min": 1, - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" }, + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "type": "array" } }, { "cluster_addresses": { "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "type": "array" } }, { "ssl": { - "description": "If set to true, uses SSL to connect to Redis.", "default": false, + "description": "If set to true, uses SSL to connect to Redis.", "required": false, "type": "boolean" } }, { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, "type": "boolean" } @@ -329,8 +320,8 @@ { "server_name": { "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false, - "type": "string" + "type": "string", + "required": false } } ], @@ -392,13 +383,22 @@ ] } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/grpc-gateway/3.4.x.json b/schemas/grpc-gateway/3.4.x.json index 352b5b76..0401fb91 100644 --- a/schemas/grpc-gateway/3.4.x.json +++ b/schemas/grpc-gateway/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { @@ -11,8 +8,10 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing protocols.", + "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -25,19 +24,17 @@ "ws", "wss" ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -51,9 +48,12 @@ } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/grpc-web/3.4.x.json b/schemas/grpc-web/3.4.x.json index 22523665..67e83227 100644 --- a/schemas/grpc-web/3.4.x.json +++ b/schemas/grpc-web/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { @@ -11,8 +8,10 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing protocols.", + "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -25,19 +24,17 @@ "ws", "wss" ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { 
@@ -46,15 +43,15 @@ { "proto": { "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "pass_stripped_path": { "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { @@ -66,9 +63,12 @@ } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/hmac-auth/3.4.x.json b/schemas/hmac-auth/3.4.x.json index 0adb9e80..4f6ba080 100644 --- a/schemas/hmac-auth/3.4.x.json +++ b/schemas/hmac-auth/3.4.x.json @@ -1,25 +1,15 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.algorithms" - ] - } - } - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", @@ -28,7 +18,10 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", @@ -36,18 +29,16 @@ "https", "ws", "wss" - ], - "type": "string" - }, - "type": "set" + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { 
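Review bot: The `proto` description in schemas/grpc-web/3.4.x.json names the content type `application/grpw-web+proto`, which looks like a typo for `application/grpc-web+proto`. The line is unchanged context in this hunk, so the correction belongs in the source the schema is downloaded from. Until then, any documentation rendered from this file will show the misspelled media type.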
@@ -56,17 +47,17 @@ { "hide_credentials": { "default": false, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", "required": true, - "type": "boolean" + "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service." } }, { "clock_skew": { - "gt": 0, - "description": "Clock skew in seconds to prevent replay attacks.", "default": 300, - "type": "number" + "gt": 0, + "type": "number", + "description": "Clock skew in seconds to prevent replay attacks." } }, { @@ -78,9 +69,9 @@ { "validate_request_body": { "default": false, - "description": "A boolean value telling the plugin to enable body validation.", "required": true, - "type": "boolean" + "type": "boolean", + "description": "A boolean value telling the plugin to enable body validation." } }, { @@ -89,10 +80,10 @@ ], "description": "A list of headers that the client should at least use for HTTP signature creation.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { @@ -104,21 +95,30 @@ "hmac-sha512" ], "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", + "type": "array", "elements": { + "type": "string", "one_of": [ "hmac-sha1", "hmac-sha256", "hmac-sha384", "hmac-sha512" - ], - "type": "string" - }, - "type": "array" + ] + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.algorithms" + ] } } ] diff --git a/schemas/http-log/3.4.x.json b/schemas/http-log/3.4.x.json index 9bb62862..7f9e9d14 100644 --- a/schemas/http-log/3.4.x.json +++ b/schemas/http-log/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { 
@@ -11,8 +8,10 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing protocols.", + "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -25,19 +24,17 @@ "ws", "wss" ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { 
@@ -45,48 +42,48 @@ "fields": [ { "http_endpoint": { + "encrypted": true, + "required": true, "referenceable": true, - "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": true, - "encrypted": true + "type": "string" } }, { "method": { "default": "POST", - "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", "one_of": [ "POST", "PUT", "PATCH" ], - "type": "string" + "type": "string", + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`." } }, { "content_type": { "default": "application/json", - "description": "Indicates the type of data sent. The only available option is `application/json`.", "one_of": [ "application/json", "application/json; charset=utf-8" ], - "type": "string" + "type": "string", + "description": "Indicates the type of data sent. The only available option is `application/json`." } }, { "timeout": { "default": 10000, - "description": "An optional timeout in milliseconds when sending data to the upstream server.", - "type": "number" + "type": "number", + "description": "An optional timeout in milliseconds when sending data to the upstream server." } }, { "keepalive": { "default": 60000, - "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", - "type": "number" + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed." } }, { @@ -109,6 +106,10 @@ }, { "headers": { + "values": { + "referenceable": true, + "type": "string" + }, "keys": { "description": "A string representing an HTTP header name.", "match_none": [ 
@@ -128,10 +129,6 @@ "type": "string" }, "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", - "values": { - "referenceable": true, - "type": "string" - }, "type": "map" } }, @@ -140,35 +137,35 @@ "fields": [ { "max_batch_size": { + "default": 1, + "type": "integer", "between": [ 1, 1000000 ], - "default": 1, - "description": "Maximum number of entries that can be processed at a time.", - "type": "integer" + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { + "default": 1, + "type": "number", "between": [ 0, 3600 ], - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "type": "number" + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { + "default": 10000, + "type": "integer", "between": [ 1, 1000000 ], - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue.", - "type": "integer" + "description": "Maximum number of entries that can be waiting on the queue." } }, { 
@@ -179,50 +176,50 @@ }, { "max_retry_time": { - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "default": 60, - "type": "number" + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { + "default": 0.01, + "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch.", - "type": "number" + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { + "default": 60, + "type": "number", "between": [ 0.001, 1000000 ], - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff.", - "type": "number" + "description": "Maximum time in seconds between retries, caps exponential backoff." } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "custom_fields_by_lua": { - "keys": { + "values": { "len_min": 1, "type": "string" }, - "description": "Lua code as a key-value map", - "values": { + "keys": { "len_min": 1, "type": "string" }, - "type": "map" + "type": "map", + "description": "Lua code as a key-value map" } } ], @@ -241,5 +238,8 @@ "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/ip-restriction/3.4.x.json b/schemas/ip-restriction/3.4.x.json index 7a3635e6..659c9887 100644 --- a/schemas/ip-restriction/3.4.x.json +++ b/schemas/ip-restriction/3.4.x.json @@ -1,12 +1,4 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.allow", - "config.deny" - ] - } - ], "fields": [ { "protocols": { @@ -18,8 +10,10 @@ "grpc", "grpcs" ], + "type": "set", + "description": "A set of strings representing protocols.", + "required": true, "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
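Review bot: The `custom_fields_by_lua` description in the http-log hunk `@@ -179,50 +176,50 @@`, `Lua code as a key-value map`, does not say that the map values are code the gateway runs, which is what an operator deciding who may configure this plugin needs to know. A fuller description would read `A key-value map where each key is a log field name and each value is a chunk of Lua code whose return value sets that field.` Since the file is pulled from the API, the wording has to change in the plugin schema upstream. It may also be worth pointing readers to the `untrusted_lua` gateway setting, which to my knowledge governs how such snippets are sandboxed.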
@@ -32,19 +26,17 @@ "ws", "wss" ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { 
@@ -52,42 +44,50 @@ "fields": [ { "allow": { - "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", + "type": "array", "elements": { "type": "string", "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." }, - "type": "array" + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified." } }, { "deny": { - "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", + "type": "array", "elements": { "type": "string", "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." }, - "type": "array" + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified." } }, { "status": { - "description": "The HTTP status of the requests that will be rejected by the plugin.", "required": false, - "type": "number" + "type": "number", + "description": "The HTTP status of the requests that will be rejected by the plugin." } }, { "message": { - "description": "The message to send as a response body to rejected requests.", "required": false, - "type": "string" + "type": "string", + "description": "The message to send as a response body to rejected requests." } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } ] } \ No newline at end of file diff --git a/schemas/jq/3.4.x.json b/schemas/jq/3.4.x.json index 55ff9351..a4dfaab7 100644 --- a/schemas/jq/3.4.x.json +++ b/schemas/jq/3.4.x.json 
@@ -1,14 +1,11 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -19,18 +16,18 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { @@ -44,60 +41,60 @@ }, { "request_jq_program_options": { + "default": [ + + ], + "required": false, "fields": [ { "compact_output": { "default": true, - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "raw_output": { "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "join_output": { "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "ascii_output": { "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "sort_keys": { "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } } ], - "default": [ - - ], - "required": false, "type": "record" } }, { "request_if_media_type": { - "required": false, "default": [ "application/json" ], + "required": false, + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { 
@@ -108,76 +105,76 @@ }, { "response_jq_program_options": { + "default": [ + + ], + "required": false, "fields": [ { "compact_output": { "default": true, - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "raw_output": { "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "join_output": { "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "ascii_output": { "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "sort_keys": { "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } } ], - "default": [ - - ], - "required": false, "type": "record" } }, { "response_if_media_type": { - "required": false, "default": [ "application/json" ], + "required": false, + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "response_if_status_code": { - "required": false, "default": [ 200 ], + "required": false, + "type": "array", "elements": { "between": [ 100, 599 ], "type": "integer" - }, - "type": "array" + } } } ], @@ -189,9 +186,12 @@ ] } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/jwe-decrypt/3.4.x.json b/schemas/jwe-decrypt/3.4.x.json index 9ababf9d..8a0cd9f6 100644 --- a/schemas/jwe-decrypt/3.4.x.json +++ b/schemas/jwe-decrypt/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { 
@@ -11,34 +8,34 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { 
@@ -47,40 +44,43 @@ { "lookup_header_name": { "default": "Authorization", + "type": "string", "description": "The name of the header to look for the JWE token.", - "required": true, - "type": "string" + "required": true } }, { "forward_header_name": { "default": "Authorization", + "type": "string", "description": "The name of the header that is used to set the decrypted value.", - "required": true, - "type": "string" + "required": true } }, { "key_sets": { - "required": true, + "type": "array", "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", "elements": { "type": "string" }, - "type": "array" + "required": true } }, { "strict": { "default": true, - "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", - "type": "boolean" + "type": "boolean", + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found." } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/jwt-signer/3.4.x.json b/schemas/jwt-signer/3.4.x.json index 46e468eb..aa11ec18 100644 --- a/schemas/jwt-signer/3.4.x.json +++ b/schemas/jwt-signer/3.4.x.json @@ -1,14 +1,11 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { 
@@ -19,26 +16,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { 
@@ -46,74 +43,74 @@ "fields": [ { "realm": { + "type": "string", "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", - "required": false, - "type": "string" + "required": false } }, { "enable_hs_signatures": { "default": false, - "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting." } }, { "enable_instrumentation": { "default": false, - "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level." } }, { "access_token_issuer": { "default": "kong", - "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", + "type": "string", "required": false, - "type": "string" + "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token." } }, { "access_token_keyset": { "default": "kong", - "description": "The name of the keyset containing signing keys.", + "type": "string", "required": false, - "type": "string" + "description": "The name of the keyset containing signing keys." 
} }, { "access_token_jwks_uri": { - "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", "required": false, - "type": "string" + "type": "string", + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token." } }, { "access_token_request_header": { "default": "Authorization", - "description": "This parameter tells the name of the header where to look for the access token.", + "type": "string", "required": false, - "type": "string" + "description": "This parameter tells the name of the header where to look for the access token." } }, { "access_token_leeway": { "default": 0, - "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", + "type": "number", "required": false, - "type": "number" + "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`." } }, { "access_token_scopes_required": { + "type": "array", "required": false, - "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", "elements": { "type": "string" }, - "type": "array" + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`." } }, { 
@@ -121,22 +118,22 @@ "default": [ "scope" ], - "elements": { - "type": "string" - }, "type": "array", + "required": false, "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", - "required": false + "elements": { + "type": "string" + } } }, { "access_token_consumer_claim": { + "type": "array", "required": false, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", "elements": { "type": "string" }, - "type": "array" + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity." } }, { 
@@ -145,82 +142,82 @@ "username", "custom_id" ], + "type": "array", + "required": false, + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", "elements": { + "type": "string", "one_of": [ "id", "username", "custom_id" - ], - "type": "string" - }, - "type": "array", - "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", - "required": false + ] + } } }, { "access_token_upstream_header": { "default": "Authorization:Bearer", - "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", + "type": "string", "required": false, - "type": "string" + "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token." 
} }, { "access_token_upstream_leeway": { "default": 0, - "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", + "type": "number", "required": false, - "type": "number" + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim." } }, { "access_token_introspection_endpoint": { - "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", "required": false, - "type": "string" + "type": "string", + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter." } }, { "access_token_introspection_authorization": { + "type": "string", "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", - "required": false, - "type": "string" + "required": false } }, { "access_token_introspection_body_args": { + "type": "string", "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", - "required": false, - "type": "string" + "required": false } }, { "access_token_introspection_hint": { "default": "access_token", - "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. 
By default, the plugin sends `hint=access_token`.", + "type": "string", "required": false, - "type": "string" + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`." } }, { "access_token_introspection_jwt_claim": { + "type": "array", "required": false, - "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", "elements": { "type": "string" }, - "type": "array" + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`." } }, { "access_token_introspection_scopes_required": { + "type": "array", "required": false, - "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", "elements": { "type": "string" }, - "type": "array" + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`." } }, { 
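Review bot: `access_token_introspection_authorization` in the jwt-signer hunk `@@ -145,82 +142,82 @@` holds the `Authorization` header value sent to the introspection endpoint, yet its definition carries only `type`, `description` and `required`. http-log's `http_endpoint` in the same commit is marked `"encrypted": true` and `"referenceable": true`, so this credential appears to get neither encryption at rest nor vault-reference support. That is inferred from the schema dump alone and should be confirmed against the plugin. If confirmed, the upstream schema should add `"referenceable": true, "encrypted": true` to the field, and until then the description should state that the value is a secret.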
@@ -228,22 +225,22 @@ "default": [ "scope" ], - "elements": { - "type": "string" - }, "type": "array", + "required": true, "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", - "required": true + "elements": { + "type": "string" + } } }, { "access_token_introspection_consumer_claim": { + "type": "array", "required": false, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", "elements": { "type": "string" }, - "type": "array" + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity." } }, { 
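Review bot: The description re-added in `@@ -228,22 +225,22 @@` contains the typo `hich can be given` (should be `which can be given`), and the consumer-mapping description in `@@ -145,82 +142,82 @@` has `an array of alues` (should be `values`). The unchanged grpc-web `proto` description also reads `application/grpw-web+proto` where `grpc-web` is meant. All three strings come from the downloaded schema, so the correction belongs in the upstream plugin descriptions; otherwise the next download restores the typos.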
@@ -252,39 +249,37 @@ "username", "custom_id" ], + "type": "array", + "required": false, + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.", "elements": { + "type": "string", "one_of": [ "id", "username", "custom_id" - ], - "type": "string" - }, - "type": "array", - "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.", - "required": false + ] + } } }, { "access_token_introspection_leeway": { "default": 0, - "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", + "type": "number", "required": false, - "type": "number" + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`." } }, { "access_token_introspection_timeout": { + "type": "number", "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. 
If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", - "required": false, - "type": "number" + "required": false } }, { "access_token_signing_algorithm": { "default": "RS256", - "type": "string", - "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", "required": true, "one_of": [ "HS256", 
@@ -299,127 +294,129 @@ "PS384", "PS512", "EdDSA" - ] + ], + "type": "string", + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm." } }, { "access_token_optional": { "default": false, - "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect", + "type": "boolean", "required": false, - "type": "boolean" + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect" } }, { "verify_access_token_signature": { "default": true, - "description": "Quickly turn access token signature verification off and on as needed.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "Quickly turn access token signature verification off and on as needed." 
} }, { "verify_access_token_expiry": { "default": true, - "description": "Quickly turn access token expiry verification off and on as needed.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "Quickly turn access token expiry verification off and on as needed." } }, { "verify_access_token_scopes": { "default": true, - "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`." } }, { "verify_access_token_introspection_expiry": { "default": true, - "description": "Quickly turn access token introspection expiry verification off and on as needed.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "Quickly turn access token introspection expiry verification off and on as needed." } }, { "verify_access_token_introspection_scopes": { "default": true, - "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`." } }, { "cache_access_token_introspection": { "default": true, - "description": "Whether to cache access token introspection results.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "Whether to cache access token introspection results." } }, { "trust_access_token_introspection": { "default": true, - "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. 
If you set this to `true`, the expiry or scopes are not checked on a payload.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload." } }, { "enable_access_token_introspection": { "default": true, - "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection." } }, { "channel_token_issuer": { "default": "kong", - "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", + "type": "string", "required": false, - "type": "string" + "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token." } }, { "channel_token_keyset": { "default": "kong", - "description": "The name of the keyset containing signing keys.", + "type": "string", "required": false, - "type": "string" + "description": "The name of the keyset containing signing keys." } }, { "channel_token_jwks_uri": { - "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. 
If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", "required": false, - "type": "string" + "type": "string", + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`." } }, { "channel_token_request_header": { + "type": "string", "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", - "required": false, - "type": "string" + "required": false } }, { "channel_token_leeway": { "default": 0, - "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", + "type": "number", "required": false, - "type": "number" + "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`." } }, { "channel_token_scopes_required": { + "type": "array", "required": false, - "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", "elements": { "type": "string" }, - "type": "array" + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`." } }, { 
@@ -427,22 +424,22 @@ "default": [ "scope" ], - "elements": { - "type": "string" - }, "type": "array", + "required": false, "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", - "required": false + "elements": { + "type": "string" + } } }, { "channel_token_consumer_claim": { + "type": "array", "required": false, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", "elements": { "type": "string" }, - "type": "array" + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`." } }, { 
@@ -452,87 +449,87 @@ "custom_id" ], "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", + "type": "array", "elements": { + "type": "string", "one_of": [ "id", "username", "custom_id" - ], - "type": "string" - }, - "type": "array" + ] + } } }, { "channel_token_upstream_header": { + "type": "string", "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", - "required": false, - "type": "string" + "required": false } }, { "channel_token_upstream_leeway": { "default": 0, - "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", + "type": "number", "required": false, - "type": "number" + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim." } }, { "channel_token_introspection_endpoint": { - "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", "required": false, - "type": "string" + "type": "string", + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead." 
} }, { "channel_token_introspection_authorization": { + "type": "string", "required": false, - "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", "elements": { "type": "string" }, - "type": "string" + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens." } }, { "channel_token_introspection_body_args": { + "type": "string", "required": false, - "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", "elements": { "type": "string" }, - "type": "string" + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`." } }, { "channel_token_introspection_hint": { + "type": "string", "required": false, - "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. 
By default, a `hint` isn't sent with channel token introspection.", "elements": { "type": "string" }, - "type": "string" + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection." } }, { "channel_token_introspection_jwt_claim": { + "type": "array", "required": false, - "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", "elements": { "type": "string" }, - "type": "array" + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong." } }, { "channel_token_introspection_scopes_required": { + "type": "array", "required": false, - "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", "elements": { "type": "string" }, - "type": "array" + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`." } }, { 
@@ -540,22 +537,22 @@ "default": [ "scope" ], - "elements": { - "type": "string" - }, "type": "array", + "required": false, "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", - "required": false + "elements": { + "type": "string" + } } }, { "channel_token_introspection_consumer_claim": { + "type": "array", "required": false, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", "elements": { "type": "string" }, - "type": "array" + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity" } }, { 
@@ -564,39 +561,37 @@ "username", "custom_id" ], + "type": "array", + "required": false, + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", "elements": { + "type": "string", "one_of": [ "id", "username", "custom_id" - ], - "type": "string" - }, - "type": "array", - "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", - "required": false + ] + } } }, { "channel_token_introspection_leeway": { "default": 0, - "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", + "type": "number", "required": false, - "type": "number" + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`." } }, { "channel_token_introspection_timeout": { + "type": "number", "description": "Timeout in milliseconds for an introspection request. 
The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", - "required": false, - "type": "number" + "required": false } }, { "channel_token_signing_algorithm": { "default": "RS256", - "type": "string", - "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", "required": true, "one_of": [ "HS256", 
@@ -611,23 +606,25 @@ "PS384", "PS512", "EdDSA" - ] + ], + "type": "string", + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token." } }, { "channel_token_optional": { "default": false, - "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", + "type": "boolean", "required": false, - "type": "boolean" + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect" } }, { "verify_channel_token_signature": { "default": true, - "description": "Quickly turn on/off the channel token signature verification.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "Quickly turn on/off the channel token signature verification." } }, { 
@@ -640,49 +637,49 @@ { "verify_channel_token_scopes": { "default": true, - "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`." } }, { "verify_channel_token_introspection_expiry": { "default": true, - "description": "Quickly turn on/off the channel token introspection expiry verification.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "Quickly turn on/off the channel token introspection expiry verification." } }, { "verify_channel_token_introspection_scopes": { "default": true, - "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`." } }, { "cache_channel_token_introspection": { "default": true, - "description": "Whether to cache channel token introspection results.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "Whether to cache channel token introspection results." } }, { "trust_channel_token_introspection": { "default": true, - "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. 
With true (default), payload's expiry or scopes aren't checked.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked." } }, { "enable_channel_token_introspection": { "default": true, - "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`." } }, { @@ -690,15 +687,15 @@ "default": [ ], - "values": { + "keys": { "type": "string" }, "type": "map", - "description": "Add customized claims if they are not present yet.", - "keys": { + "values": { "type": "string" }, - "required": false + "required": false, + "description": "Add customized claims if they are not present yet." } }, { @@ -706,21 +703,24 @@ "default": [ ], - "values": { + "keys": { "type": "string" }, "type": "map", - "description": "Set customized claims. If a claim is already present, it will be overwritten.", - "keys": { + "values": { "type": "string" }, - "required": false + "required": false, + "description": "Set customized claims. If a claim is already present, it will be overwritten." } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/jwt/3.4.x.json b/schemas/jwt/3.4.x.json index 96388cfa..f7510bf8 100644 
--- a/schemas/jwt/3.4.x.json +++ b/schemas/jwt/3.4.x.json @@ -1,25 +1,11 @@ { - "entity_checks": [ - { - "conditional": { - "then_match": { - "contains": "exp" - }, - "if_match": { - "gt": 0 - }, - "then_field": "config.claims_to_verify", - "if_field": "config.maximum_expiration" - } - } - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { @@ -30,26 +16,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -61,10 +47,10 @@ "jwt" ], "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", + "type": "set", "elements": { "type": "string" - }, - "type": "set" + } } }, { 
@@ -73,36 +59,36 @@ ], "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", + "type": "set", "elements": { "type": "string" - }, - "type": "set" + } } }, { "key_claim_name": { "default": "iss", - "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", - "type": "string" + "type": "string", + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order." } }, { "secret_is_base64": { "default": false, - "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", + "type": "boolean", "required": true, - "type": "boolean" + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret." } }, { "claims_to_verify": { "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", "elements": { + "type": "string", "one_of": [ "exp", "nbf" - ], - "type": "string" + ] }, "type": "set" } 
@@ -116,20 +102,20 @@ { "run_on_preflight": { "default": true, - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", + "type": "boolean", "required": true, - "type": "boolean" + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed." } }, { "maximum_expiration": { + "default": 0, + "type": "number", "between": [ 0, 31536000 ], - "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", - "default": 0, - "type": "number" + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future." } }, { @@ -138,15 +124,29 @@ "authorization" ], "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", + "type": "set", "elements": { "type": "string" - }, - "type": "set" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "config.claims_to_verify", + "if_match": { + "gt": 0 + }, + "then_match": { + "contains": "exp" + }, + "if_field": "config.maximum_expiration" } } ] diff --git a/schemas/kafka-log/3.4.x.json b/schemas/kafka-log/3.4.x.json index a7b21bb3..f5a622fb 100644 --- a/schemas/kafka-log/3.4.x.json +++ b/schemas/kafka-log/3.4.x.json @@ -1,11 +1,7 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", @@ -14,7 +10,10 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -22,18 +21,16 @@ "https", "ws", "wss" - ], - "type": "string" - }, - "type": "set" + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -41,14 +38,14 @@ "fields": [ { "bootstrap_servers": { - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set", "elements": { "fields": [ { "host": { "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { @@ -57,41 +54,41 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } } ], "type": "record" }, - "type": "set" + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." } }, { "topic": { "description": "The Kafka topic to publish to.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "timeout": { - "description": "Socket timeout in milliseconds.", "default": 10000, + "description": "Socket timeout in milliseconds.", "type": "integer" } }, { "keepalive": { - "type": "integer", - "default": 60000 + "default": 60000, + "type": "integer" } }, { "keepalive_enabled": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { 
@@ -100,53 +97,53 @@ { "strategy": { "required": false, - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "one_of": [ "sasl" ], - "type": "string" + "type": "string", + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`." } }, { "mechanism": { "required": false, - "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" ], - "type": "string" + "type": "string", + "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`." } }, { "tokenauth": { "description": "Enable this to indicate `DelegationToken` authentication", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "user": { + "encrypted": true, + "description": "Username for SASL authentication.", "referenceable": true, "type": "string", - "description": "Username for SASL authentication.", - "encrypted": true, "required": false } }, { "password": { + "encrypted": true, + "description": "Password for SASL authentication.", "referenceable": true, "type": "string", - "description": "Password for SASL authentication.", - "encrypted": true, "required": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -163,13 +160,13 @@ { "ssl": { "description": "Enables TLS.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
@@ -182,84 +179,84 @@ }, { "producer_request_acks": { - "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "default": 1, "one_of": [ -1, 0, 1 ], - "type": "integer" + "type": "integer", + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set)." } }, { "producer_request_timeout": { - "description": "Time to wait for a Produce response in milliseconds", "default": 2000, + "description": "Time to wait for a Produce response in milliseconds", "type": "integer" } }, { "producer_request_limits_messages_per_request": { - "description": "Maximum number of messages to include into a single Produce request.", "default": 200, + "description": "Maximum number of messages to include into a single Produce request.", "type": "integer" } }, { "producer_request_limits_bytes_per_request": { - "description": "Maximum size of a Produce request in bytes.", "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", "type": "integer" } }, { "producer_request_retries_max_attempts": { - "description": "Maximum number of retry attempts per single Produce request.", "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", "type": "integer" } }, { "producer_request_retries_backoff_timeout": { - "description": "Backoff interval between retry attempts in milliseconds.", "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", "type": "integer" } }, { "producer_async": { - "description": "Flag to enable asynchronous mode.", "default": true, + "description": "Flag to enable asynchronous mode.", "type": "boolean" } }, 
{ "producer_async_flush_timeout": { - "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", "type": "integer" } }, { "producer_async_buffering_limits_messages_in_memory": { - "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", "type": "integer" } }, { "custom_fields_by_lua": { - "keys": { + "values": { "len_min": 1, "type": "string" }, - "description": "Lua code as a key-value map", - "values": { + "keys": { "len_min": 1, "type": "string" }, - "type": "map" + "type": "map", + "description": "Lua code as a key-value map" } } ], @@ -272,9 +269,12 @@ } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/kafka-upstream/3.4.x.json b/schemas/kafka-upstream/3.4.x.json index 377f73f6..d99a49f4 100644 --- a/schemas/kafka-upstream/3.4.x.json +++ b/schemas/kafka-upstream/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { @@ -11,26 +8,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { 
@@ -44,8 +41,8 @@ { "host": { "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { @@ -54,8 +51,8 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } } @@ -67,29 +64,29 @@ }, { "topic": { - "description": "The Kafka topic to publish to.", "required": true, + "description": "The Kafka topic to publish to.", "type": "string" } }, { "timeout": { - "description": "Socket timeout in milliseconds.", "default": 10000, - "type": "integer" + "type": "integer", + "description": "Socket timeout in milliseconds." } }, { "keepalive": { - "description": "Keepalive timeout in milliseconds.", "default": 60000, - "type": "integer" + "type": "integer", + "description": "Keepalive timeout in milliseconds." } }, { "keepalive_enabled": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { 
@@ -98,53 +95,53 @@ { "strategy": { "required": false, - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "one_of": [ "sasl" ], - "type": "string" + "type": "string", + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`." } }, { "mechanism": { "required": false, - "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" ], - "type": "string" + "type": "string", + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`." } }, { "tokenauth": { - "description": "Enable this to indicate `DelegationToken` authentication.", "required": false, + "description": "Enable this to indicate `DelegationToken` authentication.", "type": "boolean" } }, { "user": { - "referenceable": true, + "required": false, "type": "string", + "referenceable": true, "description": "Username for SASL authentication.", - "encrypted": true, - "required": false + "encrypted": true } }, { "password": { - "referenceable": true, + "required": false, "type": "string", + "referenceable": true, "description": "Password for SASL authentication.", - "encrypted": true, - "required": false + "encrypted": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
@@ -152,126 +149,126 @@ "fields": [ { "certificate_id": { - "description": "UUID of certificate entity for mTLS authentication.", - "uuid": true, "required": false, - "type": "string" + "uuid": true, + "type": "string", + "description": "UUID of certificate entity for mTLS authentication." } }, { "ssl": { - "description": "Enables TLS.", "required": false, + "description": "Enables TLS.", "type": "boolean" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "forward_method": { - "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { "forward_uri": { - "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { "forward_headers": { - "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { "forward_body": { - "description": "Include the request body in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "default": true, - "type": "boolean" + "type": "boolean", + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { "cluster_name": { "auto": true, - "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", "required": false, - "type": "string" + "type": "string", + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster." } }, { "producer_request_acks": { - "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "default": 1, "one_of": [ -1, 0, 1 ], - "type": "integer" + "type": "integer", + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set)." 
} }, { "producer_request_timeout": { - "description": "Time to wait for a Produce response in milliseconds.", "default": 2000, - "type": "integer" + "type": "integer", + "description": "Time to wait for a Produce response in milliseconds." } }, { "producer_request_limits_messages_per_request": { - "description": "Maximum number of messages to include into a single producer request.", "default": 200, - "type": "integer" + "type": "integer", + "description": "Maximum number of messages to include into a single producer request." } }, { "producer_request_limits_bytes_per_request": { - "description": "Maximum size of a Produce request in bytes.", "default": 1048576, - "type": "integer" + "type": "integer", + "description": "Maximum size of a Produce request in bytes." } }, { "producer_request_retries_max_attempts": { - "description": "Maximum number of retry attempts per single Produce request.", "default": 10, - "type": "integer" + "type": "integer", + "description": "Maximum number of retry attempts per single Produce request." } }, { "producer_request_retries_backoff_timeout": { - "description": "Backoff interval between retry attempts in milliseconds.", "default": 100, - "type": "integer" + "type": "integer", + "description": "Backoff interval between retry attempts in milliseconds." } }, { "producer_async": { - "description": "Flag to enable asynchronous mode.", "default": true, - "type": "boolean" + "type": "boolean", + "description": "Flag to enable asynchronous mode." } }, { "producer_async_flush_timeout": { - "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", "default": 1000, - "type": "integer" + "type": "integer", + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode." 
} }, { "producer_async_buffering_limits_messages_in_memory": { - "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", "default": 50000, - "type": "integer" + "type": "integer", + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode." } } ], @@ -294,9 +291,12 @@ } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/key-auth-enc/3.4.x.json b/schemas/key-auth-enc/3.4.x.json index 5e24d162..2d2c2e41 100644 --- a/schemas/key-auth-enc/3.4.x.json +++ b/schemas/key-auth-enc/3.4.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", @@ -22,7 +18,10 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", @@ -30,18 +29,16 @@ "https", "ws", "wss" - ], - "type": "string" - }, - "type": "set" + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { 
@@ -52,20 +49,20 @@ "default": [ "apikey" ], + "type": "array", + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "required": true, "elements": { "type": "string", "description": "A string representing an HTTP header name." - }, - "type": "array", - "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", - "required": true + } } }, { "hide_credentials": { - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it." } }, { 
@@ -76,36 +73,39 @@ }, { "key_in_header": { - "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", "default": true, - "type": "boolean" + "type": "boolean", + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it." } }, { "key_in_query": { - "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", "default": true, - "type": "boolean" + "type": "boolean", + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it." } }, { "key_in_body": { - "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." } }, { "run_on_preflight": { - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", "default": true, - "type": "boolean" + "type": "boolean", + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed." } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
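Review bot: The `key_in_body` description lists `application/www-form-urlencoded` as a supported MIME type, but the registered type is `application/x-www-form-urlencoded`, so the text appears to have dropped the `x-` prefix. The same sentence appears in the `key_in_body` description of the schemas/key-auth hunk that follows. Separately, `key_in_query` defaults to `true` and its description says nothing about keys carried in a URL commonly ending up in access logs; a short caveat such as `Keys sent as query parameters may be recorded in access logs; prefer headers where possible.` would help readers choosing a configuration. As the schema is downloaded, both wording changes presumably belong in the plugin source.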
diff --git a/schemas/key-auth/3.4.x.json b/schemas/key-auth/3.4.x.json index a906f991..d414f629 100644 --- a/schemas/key-auth/3.4.x.json +++ b/schemas/key-auth/3.4.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", @@ -22,7 +18,10 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", @@ -30,18 +29,16 @@ "https", "ws", "wss" - ], - "type": "string" - }, - "type": "set" + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { 
@@ -52,65 +49,68 @@ "default": [ "apikey" ], + "type": "array", + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "required": true, "elements": { "type": "string", "description": "A string representing an HTTP header name." - }, - "type": "array", - "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", - "required": true + } } }, { "hide_credentials": { - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", "required": true, "type": "boolean" } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. 
If empty (default null), the request will fail with an authentication failure `4xx`.", + "type": "string" } }, { "key_in_header": { - "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", "required": true, "type": "boolean" } }, { "key_in_query": { - "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", "required": true, "type": "boolean" } }, { "key_in_body": { - "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", "default": false, + "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", "required": true, "type": "boolean" } }, { "run_on_preflight": { - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", "required": true, "type": "boolean" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/konnect-application-auth/3.4.x.json b/schemas/konnect-application-auth/3.4.x.json index 0d88c352..587877e6 100644 --- a/schemas/konnect-application-auth/3.4.x.json 
+++ b/schemas/konnect-application-auth/3.4.x.json @@ -1,22 +1,19 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "route": { - "type": "foreign", + "reference": "routes", "description": "A reference to the 'routes' table with a null value allowed.", "eq": null, - "reference": "routes" + "type": "foreign" } }, { @@ -27,26 +24,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { 
@@ -57,32 +54,32 @@ "default": [ "apikey" ], + "type": "array", + "required": true, + "description": "The names of the headers containing the API key. You can specify multiple header names.", "elements": { "type": "string", "description": "A string representing an HTTP header name." - }, - "type": "array", - "description": "The names of the headers containing the API key. You can specify multiple header names.", - "required": true + } } }, { "auth_type": { "default": "openid-connect", "type": "string", - "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth'.", - "required": true, "one_of": [ "openid-connect", "key-auth" - ] + ], + "required": true, + "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth'." } }, { "scope": { - "unique": true, "description": "The unique scope identifier for the plugin configuration.", "required": true, + "unique": true, "type": "string" } } @@ -90,9 +87,12 @@ "entity_checks": [ ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/ldap-auth-advanced/3.4.x.json b/schemas/ldap-auth-advanced/3.4.x.json index e19d447e..2e2d779f 100644 --- a/schemas/ldap-auth-advanced/3.4.x.json +++ b/schemas/ldap-auth-advanced/3.4.x.json @@ -1,17 +1,7 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", @@ -20,7 +10,10 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -28,26 +21,24 @@ "https", "ws", "wss" - ], - "type": "string" - }, - "type": "set" + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { 
@@ -55,121 +46,121 @@ "fields": [ { "ldap_host": { - "description": "Host on which the LDAP server is running.", "required": true, + "description": "Host on which the LDAP server is running.", "type": "string" } }, { "ldap_password": { - "referenceable": true, - "description": "The password to the LDAP server.", "encrypted": true, - "type": "string" + "referenceable": true, + "type": "string", + "description": "The password to the LDAP server." } }, { "ldap_port": { "default": 389, - "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", - "type": "number" + "type": "number", + "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636." } }, { "bind_dn": { "referenceable": true, - "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", - "type": "string" + "type": "string", + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated." } }, { "ldaps": { - "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", "default": false, "required": true, - "type": "boolean" + "type": "boolean", + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled." 
} }, { "start_tls": { - "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", "default": false, "required": true, - "type": "boolean" + "type": "boolean", + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled." } }, { "verify_ldap_host": { - "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", "default": false, "required": true, - "type": "boolean" + "type": "boolean", + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive." } }, { "base_dn": { - "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", "required": true, + "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", "type": "string" } }, { "attribute": { - "description": "Attribute to be used to search the user; e.g., \"cn\".", "required": true, + "description": "Attribute to be used to search the user; e.g., \"cn\".", "type": "string" } }, { "cache_ttl": { - "description": "Cache expiry time in seconds.", "default": 60, "required": true, - "type": "number" + "type": "number", + "description": "Cache expiry time in seconds." } }, { "hide_credentials": { "default": false, - "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. 
It will be removed by Kong before proxying the request.", - "type": "boolean" + "type": "boolean", + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request." } }, { "timeout": { "default": 10000, - "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", - "type": "number" + "type": "number", + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server." } }, { "keepalive": { "default": 60000, - "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", - "type": "number" + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed." } }, { "anonymous": { - "len_min": 0, "default": "", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "type": "string" + "type": "string", + "len_min": 0, + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { "header_type": { "default": "ldap", - "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. 
If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", - "type": "string" + "type": "string", + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`." } }, { "consumer_optional": { - "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", "default": false, "required": false, - "type": "boolean" + "type": "boolean", + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user." } }, { 
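Review bot: `ldaps`, `start_tls` and `verify_ldap_host` all default to `false` in this `config` record, and none of the three descriptions says what that combination means. As far as the schema shows, a default configuration binds with `bind_dn`/`ldap_password` and checks user credentials over a connection that is neither encrypted nor authenticated. I would extend the `verify_ldap_host` description with a sentence such as `With the default of false the LDAP server certificate is not checked; enable this together with ldaps or start_tls outside test environments.` The `ldaps` description also refers to "the `ldap` setting", which looks like it should read `ldaps`, since no `ldap` field appears in this record. Since the file is pulled from the API, the wording presumably has to change in the plugin's schema source.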
@@ -178,58 +169,67 @@ "username", "custom_id" ], + "type": "array", + "required": false, + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", "elements": { + "type": "string", "one_of": [ "username", "custom_id" - ], - "type": "string" - }, - "type": "array", - "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", - "required": false + ] + } } }, { "group_base_dn": { - "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", - "type": "string" + "type": "string", + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'." } }, { "group_name_attribute": { - "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", - "type": "string" + "type": "string", + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive." } }, { "group_member_attribute": { "default": "memberOf", - "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive.", - "type": "string" + "type": "string", + "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive." } }, { "log_search_results": { - "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", "default": false, "required": false, - "type": "boolean" + "type": "boolean", + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment." 
} }, { "groups_required": { "required": false, - "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", + "type": "array", "elements": { "type": "string" }, - "type": "array" + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result." } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/ldap-auth/3.4.x.json b/schemas/ldap-auth/3.4.x.json index 9cce316e..ece1547b 100644 --- a/schemas/ldap-auth/3.4.x.json +++ b/schemas/ldap-auth/3.4.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", @@ -22,7 +18,10 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", 
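Review bot: In the `@@ -178,58 +169,67 @@` hunk of the file patched just before `schemas/ldap-auth/3.4.x.json` (by the diffstat order, the ldap-auth-advanced schema), the `group_base_dn` description still ends in a stray fragment, `This field is case-insensitive.',dc=com'.`. It looks like the tail of an example DN that was lost before the text reached the schema, so the description should either carry the complete example or end at `This field is case-insensitive.`. The `groups_required` description in the same hunk has its two bullet items flattened into one sentence with ` - When` separators, which makes the AND/OR rule for group matching hard to read for a setting that decides authorization. Both defects arrive with the downloaded schema, so the fix probably belongs in the plugin source rather than in this file.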
@@ -30,18 +29,16 @@ "https", "ws", "wss" - ], - "type": "string" - }, - "type": "set" + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -50,8 +47,8 @@ { "ldap_host": { "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { @@ -62,32 +59,32 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": true + "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "ldaps": { "default": false, "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "start_tls": { "default": false, "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "verify_ldap_host": { "default": false, "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { 
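Review bot: In the `@@ -62,32 +59,32 @@` hunk of `schemas/ldap-auth/3.4.x.json`, `verify_ldap_host` defaults to `false`, and neither the `ldaps` nor the `start_tls` description says that turning on TLS alone does not authenticate the LDAP server. An operator who sets only `ldaps` or `start_tls` gets an encrypted connection to a server whose certificate is never checked, which matters for a plugin that forwards user credentials to that server. Both descriptions could end with `Set verify_ldap_host to true as well, otherwise the server certificate is not checked.`. The `ldaps` description also reads "If the `ldap` setting is enabled", where `ldaps` is evidently meant.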
@@ -108,16 +105,16 @@ "cache_ttl": { "default": 60, "description": "Cache expiry time in seconds.", - "required": true, - "type": "number" + "type": "number", + "required": true } }, { "hide_credentials": { "default": false, "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { @@ -136,8 +133,8 @@ }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`.", + "type": "string" } }, { @@ -154,18 +151,21 @@ "then_match": { "eq": false }, - "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", + "then_field": "start_tls", "if_match": { "eq": true }, - "then_field": "start_tls", - "if_field": "ldaps" + "if_field": "ldaps", + "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/loggly/3.4.x.json b/schemas/loggly/3.4.x.json index be9fe1b5..7d6520ed 100644 --- a/schemas/loggly/3.4.x.json +++ b/schemas/loggly/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { @@ -11,8 +8,10 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing protocols.", + "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -25,19 +24,17 @@ "ws", "wss" ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -52,19 +49,19 @@ }, { "port": { + "default": 514, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 514, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, { "key": { - "referenceable": true, "encrypted": true, + "referenceable": true, "required": true, "type": "string" } @@ -74,10 +71,10 @@ "default": [ "kong" ], + "type": "set", "elements": { "type": "string" - }, - "type": "set" + } } }, { @@ -146,28 +143,31 @@ }, { "timeout": { - "type": "number", - "default": 10000 + "default": 10000, + "type": "number" } }, { "custom_fields_by_lua": { - "keys": { + "values": { "len_min": 1, "type": "string" }, - "description": "Lua code as a key-value map", - "values": { + "keys": { "len_min": 1, "type": "string" }, - "type": "map" + "type": "map", + "description": "Lua code as a key-value map" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/mocking/3.4.x.json b/schemas/mocking/3.4.x.json index ad536361..7e95402a 100644 --- a/schemas/mocking/3.4.x.json +++ b/schemas/mocking/3.4.x.json @@ -1,12 +1,4 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.api_specification_filename", - "config.api_specification" - ] - } - ], "fields": [ { "protocols": { 
@@ -16,26 +8,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -43,9 +35,9 @@ "fields": [ { "api_specification_filename": { - "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", "required": false, - "type": "string" + "type": "string", + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode." } }, { 
@@ -57,53 +49,69 @@ }, { "random_delay": { - "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs.", "default": false, + "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs.", "type": "boolean" } }, { "max_delay_time": { - "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", "default": 1, + "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", "type": "number" } }, { "min_delay_time": { - "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`.", "default": 0.001, + "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`.", "type": "number" } }, { "random_examples": { - "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", "default": false, + "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", "type": "boolean" } }, { "included_status_codes": { - "description": "A global list of the HTTP status codes that can only be selected and returned.", + "type": "array", "elements": { "type": "integer" }, - "type": "array" + "description": "A global list of the HTTP status codes that can only be selected and returned." 
} }, { "random_status_code": { + "default": false, + "required": true, "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", + "type": "boolean" + } + }, + { + "include_base_path": { "default": false, "required": true, + "description": "Indicates whether to include the base path when performing path match evaluation.", "type": "boolean" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.api_specification_filename", + "config.api_specification" + ] + } ] } \ No newline at end of file diff --git a/schemas/mtls-auth/3.4.x.json b/schemas/mtls-auth/3.4.x.json index 32d7171e..3de7176a 100644 --- a/schemas/mtls-auth/3.4.x.json +++ b/schemas/mtls-auth/3.4.x.json @@ -1,14 +1,11 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { @@ -19,26 +16,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { 
@@ -46,8 +43,8 @@ "fields": [ { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { @@ -56,16 +53,16 @@ "username", "custom_id" ], + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "required": false, + "type": "array", "elements": { + "type": "string", "one_of": [ "username", "custom_id" - ], - "type": "string" - }, - "type": "array", - "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", - "required": false + ] + } } }, { @@ -73,8 +70,8 @@ "required": true, "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", "elements": { - "uuid": true, - "type": "string" + "type": "string", + "uuid": true }, "type": "array" } 
@@ -82,50 +79,50 @@ { "cache_ttl": { "default": 60, - "description": "Cache expiry time in seconds.", "required": true, + "description": "Cache expiry time in seconds.", "type": "number" } }, { "skip_consumer_lookup": { "default": false, - "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", "required": true, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", "type": "boolean" } }, { "allow_partial_chain": { "default": false, - "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", "required": true, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", "type": "boolean" } }, { "authenticated_group_by": { "default": "CN", - "type": "string", - "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "required": false, "one_of": [ "CN", "DN" - ] + ], + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "type": "string" } }, { "revocation_check_mode": { "default": "IGNORE_CA_ERROR", - "type": "string", - "description": "Controls client certificate revocation check behavior. 
If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "required": false, "one_of": [ "SKIP", "IGNORE_CA_ERROR", "STRICT" - ] + ], + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "type": "string" } }, { @@ -161,8 +158,8 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { @@ -177,8 +174,8 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], @@ -196,9 +193,12 @@ ] } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/oas-validation/3.4.x.json b/schemas/oas-validation/3.4.x.json index 7641383b..d4d23860 100644 --- a/schemas/oas-validation/3.4.x.json +++ b/schemas/oas-validation/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { 
@@ -11,26 +8,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -130,11 +127,22 @@ "required": false, "type": "string" } + }, + { + "include_base_path": { + "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation.", + "required": true, + "type": "boolean" + } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/oauth2-introspection/3.4.x.json b/schemas/oauth2-introspection/3.4.x.json index b7fc57b9..6bbdbfa5 100644 --- a/schemas/oauth2-introspection/3.4.x.json +++ b/schemas/oauth2-introspection/3.4.x.json @@ -1,14 +1,11 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { 
@@ -19,26 +16,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -47,8 +44,8 @@ { "introspection_url": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { @@ -66,9 +63,9 @@ }, { "authorization_value": { - "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", "required": true, - "type": "string" + "type": "string", + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`)." } }, { 
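Review bot: In the `@@ -66,9 +63,9 @@` hunk of `schemas/oauth2-introspection/3.4.x.json`, `authorization_value` is described as usually holding the `client_id` and `client_secret` as a Basic Auth string, yet the field carries only `required`, `type` and `description`. Other secret-bearing fields in this same commit are marked: loggly's `key` has `"encrypted": true` and `"referenceable": true`, and oauth2's `provision_key` has `"encrypted": true`. If the downloaded schema is accurate, this credential presumably gets neither at-rest encryption nor vault-reference support, which is worth confirming against the plugin source. Until then the description could add `Treat this value as a secret.` so readers of the generated docs do not paste it into shared configuration.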
@@ -119,12 +116,12 @@ "consumer_by": { "default": "username", "type": "string", - "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", - "required": true, "one_of": [ "username", "client_id" - ] + ], + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", + "required": true } }, { @@ -132,15 +129,15 @@ "default": [ ], - "values": { + "keys": { "type": "string" }, - "type": "map", - "description": "A list of custom headers to be added in the introspection request.", - "keys": { + "required": true, + "values": { "type": "string" }, - "required": true + "description": "A list of custom headers to be added in the introspection request.", + "type": "map" } }, { @@ -148,18 +145,21 @@ "default": [ ], + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", + "type": "set", + "required": true, "elements": { "type": "string" - }, - "type": "set", - "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", - "required": true + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/oauth2/3.4.x.json b/schemas/oauth2/3.4.x.json index e6d76411..99ce801e 100644 --- a/schemas/oauth2/3.4.x.json +++ b/schemas/oauth2/3.4.x.json 
@@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", @@ -22,7 +18,10 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", @@ -30,18 +29,16 @@ "https", "ws", "wss" - ], - "type": "string" - }, - "type": "set" + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { 
@@ -58,76 +55,76 @@ }, { "mandatory_scope": { - "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", + "required": true } }, { "provision_key": { - "required": true, - "type": "string", "unique": true, - "description": "The unique key the plugin has generated when it has been added to the Service.", "encrypted": true, - "auto": true + "auto": true, + "description": "The unique key the plugin has generated when it has been added to the Service.", + "required": true, + "type": "string" } }, { "token_expiration": { - "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration.", "default": 7200, - "required": true, - "type": "number" + "type": "number", + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. 
Set to `0` to disable the expiration.", + "required": true } }, { "enable_authorization_code": { - "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", + "required": true } }, { "enable_implicit_grant": { - "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", + "required": true } }, { "enable_client_credentials": { - "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", + "required": true } }, { "enable_password_grant": { - "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", + "required": true } }, { "hide_credentials": { - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the 
credential from the upstream service.", + "required": true } }, { "accept_http_if_already_terminated": { - "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", + "required": true } }, { @@ -138,17 +135,17 @@ }, { "global_credentials": { - "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", + "required": true } }, { "auth_header_name": { - "description": "The name of the header that is supposed to carry the access token.", "default": "authorization", - "type": "string" + "type": "string", + "description": "The name of the header that is supposed to carry the access token." } }, { 
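Review bot: In the `@@ -58,76 +55,76 @@` hunk of `schemas/oauth2/3.4.x.json`, the four grant-flow descriptions (`enable_authorization_code`, `enable_implicit_grant`, `enable_client_credentials`, `enable_password_grant`) cite `RFC 6742`, but the OAuth 2.0 framework whose Sections 4.1 to 4.4 define these grants is RFC 6749. Each reference should read like `(RFC 6749 Section 4.1)`, with the section number kept as it is. In the same hunk, the `accept_http_if_already_terminated` description does not say what the plugin relies on to decide that TLS was terminated upstream. If that is a forwarded-protocol request header, as is usual for this kind of option, the description should state that the setting is only safe when clients cannot reach Kong directly.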
@@ -159,49 +156,49 @@ 0, 100000000 ], - "description": "Time-to-live value for data", - "required": true + "required": true, + "description": "Time-to-live value for data" } }, { "reuse_refresh_token": { - "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", + "required": true } }, { "persistent_refresh_token": { "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "pkce": { "default": "lax", "type": "string", - "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", - "required": false, "one_of": [ "none", "lax", "strict" - ] + ], + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", + "required": false } } ], "entity_checks": [ { "conditional": { - "then_match": { - "required": true - }, + "then_field": "scopes", "if_match": { "eq": true }, - "then_field": "scopes", + "then_match": { + "required": true + }, "if_field": "mandatory_scope" } } @@ -210,5 +207,8 @@ "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/opa/3.4.x.json b/schemas/opa/3.4.x.json index 7fdf5f5d..3188b58e 100644 --- a/schemas/opa/3.4.x.json +++ b/schemas/opa/3.4.x.json @@ -1,14 +1,11 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { 
@@ -19,26 +16,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -46,21 +43,21 @@ "fields": [ { "opa_protocol": { - "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", "default": "http", "one_of": [ "http", "https" ], - "type": "string" + "type": "string", + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`." } }, { "opa_host": { - "description": "A string representing a host name, such as example.com.", "default": "localhost", "required": true, - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { 
@@ -71,43 +68,43 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": true + "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "opa_path": { - "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "starts_with": "/", "required": true, - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "type": "string" } }, { "include_service_in_opa_input": { - "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA." } }, { "include_route_in_opa_input": { - "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA." } }, { "include_consumer_in_opa_input": { - "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA." } }, { 
@@ -118,30 +115,33 @@ }, { "include_parsed_json_body_in_opa_input": { - "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA." } }, { "include_uri_captures_in_opa_input": { - "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA." } }, { "ssl_verify": { - "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", "default": true, "required": true, - "type": "boolean" + "type": "boolean", + "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate." } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/openid-connect/3.4.x.json b/schemas/openid-connect/3.4.x.json index 5e98becc..e9291b9b 100644 --- a/schemas/openid-connect/3.4.x.json +++ b/schemas/openid-connect/3.4.x.json @@ -1,14 +1,11 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { 
@@ -19,26 +16,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -47,14 +44,14 @@ { "issuer": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "discovery_headers_names": { - "required": false, "description": "Extra header names passed to the discovery endpoint.", + "required": false, "elements": { "type": "string" }, @@ -63,8 +60,8 @@ }, { "discovery_headers_values": { - "required": false, "description": "Extra header values passed to the discovery endpoint.", + "required": false, "elements": { "type": "string" }, @@ -73,8 +70,8 @@ }, { "extra_jwks_uris": { - "required": false, "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "required": false, "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." @@ -84,8 +81,8 @@ }, { "rediscovery_lifetime": { - "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", "required": false, "type": "number" } 
@@ -103,7 +100,11 @@ "refresh_token", "session" ], + "type": "array", + "description": "Types of credentials/grants to enable.", + "required": false, "elements": { + "type": "string", "one_of": [ "password", "client_credentials", 
@@ -114,249 +115,246 @@ "kong_oauth2", "refresh_token", "session" - ], - "type": "string" - }, - "type": "array", - "description": "Types of credentials/grants to enable.", - "required": false + ] + } } }, { "client_id": { - "elements": { - "referenceable": true, - "type": "string" - }, + "encrypted": true, "type": "array", "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", "required": false, - "encrypted": true + "elements": { + "referenceable": true, + "type": "string" + } } }, { "client_secret": { - "elements": { - "referenceable": true, - "type": "string" - }, + "encrypted": true, "type": "array", "description": "The client secret.", "required": false, - "encrypted": true + "elements": { + "referenceable": true, + "type": "string" + } } }, { "client_auth": { - "required": false, "description": "The authentication method used by the client (plugin) when calling the endpoint.", + "required": false, "elements": { + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none" - ], - "type": "string" + ] }, "type": "array" } }, { "client_jwk": { - "required": false, + "type": "array", "elements": { "fields": [ { "issuer": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "kty": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "use": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "key_ops": { "required": false, "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false }, "type": "array" } }, { "alg": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "kid": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "x5u": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "x5c": { 
"required": false, "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false }, "type": "array" } }, { "x5t": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "x5t#S256": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "k": { + "type": "string", "referenceable": true, - "required": false, "encrypted": true, - "type": "string" + "required": false } }, { "x": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "y": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "crv": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "n": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "e": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "d": { + "type": "string", "referenceable": true, - "required": false, "encrypted": true, - "type": "string" + "required": false } }, { "p": { + "type": "string", "referenceable": true, - "required": false, "encrypted": true, - "type": "string" + "required": false } }, { "q": { + "type": "string", "referenceable": true, - "required": false, "encrypted": true, - "type": "string" + "required": false } }, { "dp": { + "type": "string", "referenceable": true, - "required": false, "encrypted": true, - "type": "string" + "required": false } }, { "dq": { + "type": "string", "referenceable": true, - "required": false, "encrypted": true, - "type": "string" + "required": false } }, { "qi": { + "type": "string", "referenceable": true, - "required": false, "encrypted": true, - "type": "string" + "required": false } }, { "oth": { + "type": "string", "referenceable": true, - "required": false, "encrypted": true, - "type": "string" + "required": false } }, { "r": { + "type": "string", "referenceable": true, - "required": false, "encrypted": true, - 
"type": "string" + "required": false } }, { "t": { + "type": "string", "referenceable": true, - "required": false, "encrypted": true, - "type": "string" + "required": false } } ], "required": false, "type": "record" }, - "type": "array" + "required": false } }, { "client_alg": { - "required": false, + "type": "array", "elements": { + "type": "string", "one_of": [ "HS256", "HS384", @@ -371,24 +369,23 @@ "PS384", "PS512", "EdDSA" - ], - "type": "string" + ] }, - "type": "array" + "required": false } }, { "client_arg": { - "description": "The client to use for this request (the selection is made with a request parameter with the same name).", "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", "required": false, "type": "string" } }, { "redirect_uri": { - "required": false, "description": "The redirect URI passed to the authorization and token endpoints.", + "required": false, "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." @@ -398,8 +395,8 @@ }, { "login_redirect_uri": { - "required": false, "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "required": false, "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." @@ -409,8 +406,8 @@ }, { "logout_redirect_uri": { - "required": false, "description": "Where to redirect the client after the logout.", + "required": false, "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
@@ -420,8 +417,8 @@ }, { "forbidden_redirect_uri": { - "required": false, "description": "Where to redirect the client on forbidden requests.", + "required": false, "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." @@ -431,32 +428,32 @@ }, { "forbidden_error_message": { - "description": "The error message for the forbidden requests (when not using the redirection).", "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection).", "required": false, "type": "string" } }, { "forbidden_destroy_session": { - "description": "Destroy any active session for the forbidden requests.", "default": true, + "description": "Destroy any active session for the forbidden requests.", "required": false, "type": "boolean" } }, { "unauthorized_destroy_session": { - "description": "Destroy any active session for the unauthorized requests.", "default": true, + "description": "Destroy any active session for the unauthorized requests.", "required": false, "type": "boolean" } }, { "unauthorized_redirect_uri": { - "required": false, "description": "Where to redirect the client on unauthorized requests.", + "required": false, "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
@@ -466,16 +463,16 @@ }, { "unauthorized_error_message": { - "description": "The error message for the unauthorized requests (when not using the redirection).", "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection).", "required": false, "type": "string" } }, { "unexpected_redirect_uri": { - "required": false, "description": "Where to redirect the client when unexpected errors happen with the requests.", + "required": false, "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." @@ -487,13 +484,13 @@ "response_mode": { "default": "query", "type": "string", - "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)", - "required": false, "one_of": [ "query", "form_post", "fragment" - ] + ], + "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)", + "required": false } }, { @@ -501,12 +498,12 @@ "default": [ "code" ], - "elements": { - "type": "string" - }, "type": "array", "description": "The response type passed to the authorization endpoint.", - "required": false + "required": false, + "elements": { + "type": "string" + } } }, { 
@@ -514,18 +511,18 @@ "default": [ "openid" ], - "elements": { - "type": "string" - }, "type": "array", "description": "The scopes passed to the authorization and token endpoints.", - "required": false + "required": false, + "elements": { + "type": "string" + } } }, { "audience": { - "required": false, "description": "The audience passed to the authorization endpoint.", + "required": false, "elements": { "type": "string" }, @@ -534,8 +531,8 @@ }, { "issuers_allowed": { - "required": false, "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "required": false, "elements": { "type": "string" }, @@ -544,8 +541,8 @@ }, { "scopes_required": { - "required": false, "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, "elements": { "type": "string" }, @@ -557,18 +554,18 @@ "default": [ "scope" ], + "type": "array", + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, "elements": { "type": "string" - }, - "type": "array", - "description": "The claim that contains the scopes.", - "required": false + } } }, { "audience_required": { - "required": false, "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, "elements": { "type": "string" }, 
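Review bot: The sentence added to the claim descriptions, `If multiple values are set, it means the claim is inside a nested object of the token payload.`, can be read as a list of alternative claim names, and a setting misread that way leaves `scopes_required` checking a different claim than the operator intended. It first appears in the `@@ -557,18 +554,18 @@` hunk (default `["scope"]`, presumably `scopes_claim`; the key line is above the hunk) and repeats in `@@ -580,18 +577,18 @@`, `@@ -603,18 +600,18 @@`, `@@ -626,18 +623,18 @@` and `@@ -647,14 +644,14 @@`. Assuming the values are applied in order as a path, I would word it as `Multiple values form a path into nested objects of the token payload, not a list of alternative claim names.` Because the file is pulled from the API, the change belongs in the upstream schema.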
@@ -580,18 +577,18 @@ "default": [ "aud" ], + "type": "array", + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, "elements": { "type": "string" - }, - "type": "array", - "description": "The claim that contains the audience.", - "required": false + } } }, { "groups_required": { - "required": false, "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, "elements": { "type": "string" }, @@ -603,18 +600,18 @@ "default": [ "groups" ], + "type": "array", + "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, "elements": { "type": "string" - }, - "type": "array", - "description": "The claim that contains the groups.", - "required": false + } } }, { "roles_required": { - "required": false, "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, "elements": { "type": "string" }, @@ -626,18 +623,18 @@ "default": [ "roles" ], + "type": "array", + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, "elements": { "type": "string" - }, - "type": "array", - "description": "The claim that contains the roles.", - "required": false + } } }, { "domains": { - "required": false, "description": "The allowed values for the `hd` claim.", + "required": false, "elements": { "type": "string" }, 
@@ -647,14 +644,14 @@ { "max_age": { "description": "The maximum age (in seconds) compared to the `auth_time` claim.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "authenticated_groups_claim": { + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, - "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations.", "elements": { "type": "string" }, @@ -664,14 +661,14 @@ { "authorization_endpoint": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "authorization_query_args_names": { - "required": false, "description": "Extra query argument names passed to the authorization endpoint.", + "required": false, "elements": { "type": "string" }, @@ -680,8 +677,8 @@ }, { "authorization_query_args_values": { - "required": false, "description": "Extra query argument values passed to the authorization endpoint.", + "required": false, "elements": { "type": "string" }, @@ -690,8 +687,8 @@ }, { "authorization_query_args_client": { - "required": false, "description": "Extra query arguments passed from the client to the authorization endpoint.", + "required": false, "elements": { "type": "string" }, 
@@ -700,16 +697,16 @@ }, { "authorization_rolling_timeout": { - "description": "Network IO timeout in milliseconds.", "default": 600, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", "required": false, "type": "number" } }, { "authorization_cookie_name": { - "description": "The authorization cookie name.", "default": "authorization", + "description": "The authorization cookie name.", "required": false, "type": "string" } 
@@ -717,43 +714,43 @@ { "authorization_cookie_path": { "default": "/", - "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "starts_with": "/", - "required": false, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ] + ], + "type": "string", + "starts_with": "/", + "required": false, + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "authorization_cookie_domain": { "description": "The authorization cookie Domain flag.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "authorization_cookie_same_site": { "default": "Default", "type": "string", - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", - "required": false, "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "required": false } }, { "authorization_cookie_http_only": { - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "required": false, "type": "boolean" } 
@@ -761,14 +758,14 @@ { "authorization_cookie_secure": { "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "preserve_query_args": { - "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", "required": false, "type": "boolean" } @@ -776,13 +773,12 @@ { "token_endpoint": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "token_endpoint_auth_method": { - "required": false, "description": "The token endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", @@ -791,13 +787,14 @@ "private_key_jwt", "none" ], + "required": false, "type": "string" } }, { "token_headers_names": { - "required": false, "description": "Extra header names passed to the token endpoint.", + "required": false, "elements": { "type": "string" }, @@ -806,8 +803,8 @@ }, { "token_headers_values": { - "required": false, "description": "Extra header values passed to the token endpoint.", + "required": false, "elements": { "type": "string" }, 
@@ -816,8 +813,8 @@ }, { "token_headers_client": { - "required": false, "description": "Extra headers passed from the client to the token endpoint.", + "required": false, "elements": { "type": "string" }, @@ -826,8 +823,8 @@ }, { "token_headers_replay": { - "required": false, "description": "The names of token endpoint response headers to forward to the downstream client.", + "required": false, "elements": { "type": "string" }, @@ -837,30 +834,30 @@ { "token_headers_prefix": { "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "token_headers_grants": { - "required": false, "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant", + "required": false, "elements": { + "type": "string", "one_of": [ "password", "client_credentials", "authorization_code", "refresh_token" - ], - "type": "string" + ] }, "type": "array" } }, { "token_post_args_names": { - "required": false, "description": "Extra post argument names passed to the token endpoint.", + "required": false, "elements": { "type": "string" }, @@ -869,8 +866,8 @@ }, { "token_post_args_values": { - "required": false, "description": "Extra post argument values passed to the token endpoint.", + "required": false, "elements": { "type": "string" }, 
@@ -879,8 +876,8 @@ }, { "token_post_args_client": { - "required": false, "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Request Body - Query parameters This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body and send it to the token endpoint.", + "required": false, "elements": { "type": "string" }, @@ -890,13 +887,12 @@ { "introspection_endpoint": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "introspection_endpoint_auth_method": { - "required": false, "description": "The introspection endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", 
@@ -905,21 +901,22 @@ "private_key_jwt", "none" ], + "required": false, "type": "string" } }, { "introspection_hint": { - "description": "Introspection hint parameter value passed to the introspection endpoint.", "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint.", "required": false, "type": "string" } }, { "introspection_check_active": { - "description": "Check that the introspection response has an `active` claim with a value of `true`.", "default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", "required": false, "type": "boolean" } @@ -928,19 +925,19 @@ "introspection_accept": { "default": "application/json", "type": "string", - "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)", - "required": false, "one_of": [ "application/json", "application/token-introspection+jwt", "application/jwt" - ] + ], + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)", + "required": false } }, { "introspection_headers_names": { - "required": false, "description": "Extra header names passed to the introspection endpoint.", + "required": false, "elements": { "type": "string" }, @@ -949,8 +946,8 @@ }, { "introspection_headers_values": { - "required": false, "description": "Extra header values passed to the introspection endpoint.", + "required": false, "elements": { "type": "string" }, 
@@ -959,8 +956,8 @@ }, { "introspection_headers_client": { - "required": false, "description": "Extra headers passed from the client to the introspection endpoint.", + "required": false, "elements": { "type": "string" }, @@ -969,8 +966,8 @@ }, { "introspection_post_args_names": { - "required": false, "description": "Extra post argument names passed to the introspection endpoint.", + "required": false, "elements": { "type": "string" }, @@ -979,8 +976,8 @@ }, { "introspection_post_args_values": { - "required": false, "description": "Extra post argument values passed to the introspection endpoint.", + "required": false, "elements": { "type": "string" }, @@ -989,8 +986,8 @@ }, { "introspection_post_args_client": { - "required": false, "description": "Extra post arguments passed from the client to the introspection endpoint.", + "required": false, "elements": { "type": "string" }, @@ -999,8 +996,8 @@ }, { "introspect_jwt_tokens": { - "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", "required": false, "type": "boolean" } 
@@ -1008,13 +1005,12 @@ { "revocation_endpoint": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "revocation_endpoint_auth_method": { - "required": false, "description": "The revocation endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", 
@@ -1023,39 +1019,40 @@ "private_key_jwt", "none" ], + "required": false, "type": "string" } }, { "end_session_endpoint": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "userinfo_endpoint": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "userinfo_accept": { "default": "application/json", "type": "string", - "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)", - "required": false, "one_of": [ "application/json", "application/jwt" - ] + ], + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)", + "required": false } }, { "userinfo_headers_names": { - "required": false, "description": "Extra header names passed to the user info endpoint.", + "required": false, "elements": { "type": "string" }, @@ -1064,8 +1061,8 @@ }, { "userinfo_headers_values": { - "required": false, "description": "Extra header values passed to the user info endpoint.", + "required": false, "elements": { "type": "string" }, @@ -1074,8 +1071,8 @@ }, { "userinfo_headers_client": { - "required": false, "description": "Extra headers passed from the client to the user info endpoint.", + "required": false, "elements": { "type": "string" }, @@ -1084,8 +1081,8 @@ }, { "userinfo_query_args_names": { - "required": false, "description": "Extra query argument names passed to the user info endpoint.", + "required": false, "elements": { "type": "string" }, 
@@ -1094,8 +1091,8 @@ }, { "userinfo_query_args_values": { - "required": false, "description": "Extra query argument values passed to the user info endpoint.", + "required": false, "elements": { "type": "string" }, @@ -1104,8 +1101,8 @@ }, { "userinfo_query_args_client": { - "required": false, "description": "Extra query arguments passed from the client to the user info endpoint.", + "required": false, "elements": { "type": "string" }, 
@@ -1115,87 +1112,87 @@ { "token_exchange_endpoint": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_secret": { - "referenceable": true, - "type": "string", "description": "The session secret.", "encrypted": true, - "required": false + "referenceable": true, + "required": false, + "type": "string" } }, { "session_audience": { - "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", "default": "default", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", "required": false, "type": "string" } }, { "session_cookie_name": { - "description": "The session cookie name.", "default": "session", + "description": "The session cookie name.", "required": false, "type": "string" } }, { "session_remember": { - "description": "Enables or disables persistent sessions.", "default": false, + "description": "Enables or disables persistent sessions.", "required": false, "type": "boolean" } }, { "session_remember_cookie_name": { - "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", "required": false, "type": "string" } }, { "session_remember_rolling_timeout": { - "description": "Network IO timeout in milliseconds.", "default": 604800, + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", "required": false, "type": "number" } }, { "session_remember_absolute_timeout": { - "description": "Network IO timeout in milliseconds.", "default": 2592000, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 
0 disables the checks.", "required": false, "type": "number" } }, { "session_idling_timeout": { - "description": "Network IO timeout in milliseconds.", "default": 900, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", "required": false, "type": "number" } }, { "session_rolling_timeout": { - "description": "Network IO timeout in milliseconds.", "default": 3600, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", "required": false, "type": "number" } }, { "session_absolute_timeout": { - "description": "Network IO timeout in milliseconds.", "default": 86400, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", "required": false, "type": "number" } 
@@ -1203,43 +1200,43 @@ { "session_cookie_path": { "default": "/", - "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "starts_with": "/", - "required": false, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ] + ], + "type": "string", + "starts_with": "/", + "required": false, + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "session_cookie_domain": { "description": "The session cookie Domain flag.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_cookie_same_site": { "default": "Lax", "type": "string", - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", - "required": false, "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "required": false } }, { "session_cookie_http_only": { - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "required": false, "type": "boolean" } 
@@ -1247,13 +1244,15 @@ { "session_cookie_secure": { "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "session_request_headers": { + "type": "set", "elements": { + "type": "string", "one_of": [ "id", "audience", @@ -1262,15 +1261,15 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ], - "type": "string" - }, - "type": "set" + ] + } } }, { "session_response_headers": { + "type": "set", "elements": { + "type": "string", "one_of": [ "id", "audience", 
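Review bot: `session_request_headers` and `session_response_headers` have no `description` (and no `required`) on the new side, although the commit message says the descriptions are now part of the schemas. Judging by their names and the allowed values (`id`, `audience`, the timeout entries), these sets presumably select which session values are copied into headers, so a reader needs to know which direction each applies to and that exposing the session `id` is a deliberate choice. A one-line text per field would close the gap, for example `"description": "Session values to expose as request headers."` (inferred wording, to be confirmed with the plugin source). The second field sits in the next hunk on this line.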
@@ -1279,54 +1278,52 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ], - "type": "string" - }, - "type": "set" + ] + } } }, { "session_storage": { "default": "cookie", "type": "string", - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis", - "required": false, "one_of": [ "cookie", "memcache", "memcached", "redis" - ] + ], + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis", + "required": false } }, { "session_store_metadata": { - "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", "required": false, "type": "boolean" } }, { "session_enforce_same_subject": { - "description": "When set to `true`, audiences are forced to share the same subject.", "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", "required": false, "type": "boolean" } }, { "session_hash_subject": { - "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", "required": false, "type": "boolean" } }, { "session_hash_storage_key": { - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "required": false, "type": "boolean" } @@ -1334,21 +1331,21 @@ { "session_memcached_prefix": { "description": "The memcached session key prefix.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_memcached_socket": { "description": "The memcached unix socket path.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_memcached_host": { - "description": "The memcached host.", "default": "127.0.0.1", + "description": "The memcached host.", "required": false, "type": "string" } 
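Review bot: The `session_storage` description documents `cookie`, `memcache` and `redis`, but `one_of` also accepts `memcached`, which is left unexplained. The text should say whether `memcached` is an alias of `memcache`, so operators do not assume two different back ends; that relationship is not visible in this hunk and needs confirming in the plugin source. The existing caveat that `cookie` sessions cannot be revoked without changing the session secret is worth keeping as is.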
@@ -1361,28 +1358,28 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": false + "required": false, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "session_redis_prefix": { "description": "The Redis session key prefix.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_redis_socket": { "description": "The Redis unix socket path.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_redis_host": { - "description": "The Redis host", "default": "127.0.0.1", + "description": "The Redis host", "required": false, "type": "string" } 
@@ -1395,60 +1392,60 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": false + "required": false, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "session_redis_username": { - "referenceable": true, "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "referenceable": true, "required": false, "type": "string" } }, { "session_redis_password": { - "referenceable": true, - "type": "string", "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis.", "encrypted": true, - "required": false + "referenceable": true, + "required": false, + "type": "string" } }, { "session_redis_connect_timeout": { - "description": "Network IO timeout in milliseconds.", - "required": false, - "type": "integer" + "description": "Session redis connection timeout in milliseconds.", + "type": "integer", + "required": false } }, { "session_redis_read_timeout": { - "description": "Network IO timeout in milliseconds.", - "required": false, - "type": "integer" + "description": "Session redis read timeout in milliseconds.", + "type": "integer", + "required": false } }, { "session_redis_send_timeout": { - "description": "Network IO timeout in milliseconds.", - "required": false, - "type": "integer" + "description": "Session redis send timeout in milliseconds.", + "type": "integer", + "required": false } }, { "session_redis_ssl": { - "description": "Use SSL/TLS for Redis connection.", "default": false, + "description": "Use SSL/TLS for Redis connection.", "required": false, "type": "boolean" } }, { "session_redis_ssl_verify": { - "description": "Verify identity provider server 
certificate.", "default": false, + "description": "Verify identity provider server certificate.", "required": false, "type": "boolean" } @@ -1456,32 +1453,32 @@ { "session_redis_server_name": { "description": "The SNI used for connecting the Redis server.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_redis_cluster_nodes": { - "required": false, "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", + "required": false, "elements": { "fields": [ { "ip": { - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", "required": true, - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } } @@ -1494,22 +1491,22 @@ { "session_redis_cluster_max_redirections": { "description": "The Redis cluster maximum redirects.", - "required": false, - "type": "integer" + "type": "integer", + "required": false } }, { "reverify": { - "description": "Specifies whether to always verify tokens stored in the session.", "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", "required": false, "type": "boolean" } }, { "jwt_session_claim": { - "description": "The claim to match against the JWT session cookie.", "default": "sid", + "description": "The claim to match against the JWT session cookie.", "required": false, "type": "string" } @@ -1517,8 +1514,8 @@ { "jwt_session_cookie": { "description": "The name of the JWT session cookie.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { 
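Review bot: The `session_redis_ssl_verify` description reads "Verify identity provider server certificate.", which names the wrong peer: the field sits among the `session_redis_*` TLS options and presumably controls verification of the Redis server certificate. This hunk corrects the copy-pasted text on the three `session_redis_*_timeout` fields but leaves this one; something like `"description": "Verify the Redis server certificate."` would match. The default is `false`, so the text should also state that the Redis peer is not authenticated unless this is enabled together with `session_redis_ssl`. As the schema is downloaded, the wording needs fixing in the plugin's schema source.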
@@ -1528,25 +1525,25 @@ "query", "body" ], + "type": "array", + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`", + "required": false, "elements": { + "type": "string", "one_of": [ "header", "cookie", "query", "body" - ], - "type": "string" - }, - "type": "array", - "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`", - "required": false + ] + } } }, { "bearer_token_cookie_name": { "description": "The name of the cookie in which the bearer token is passed.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -1556,17 +1553,17 @@ "query", "body" ], + "type": "array", + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body", + "required": false, "elements": { + "type": "string", "one_of": [ "header", "query", "body" - ], - "type": "string" - }, - "type": "array", - "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body", - "required": false + ] + } } }, { 
@@ -1576,17 +1573,17 @@ "query", "body" ], + "type": "array", + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", + "required": false, "elements": { + "type": "string", "one_of": [ "header", "query", "body" - ], - "type": "string" - }, - "type": "array", - "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", - "required": false + ] + } } }, { @@ -1596,24 +1593,24 @@ "query", "body" ], + "type": "array", + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", + "required": false, "elements": { + "type": "string", "one_of": [ "header", "query", "body" - ], - "type": "string" - }, - "type": "array", - "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", - "required": false + ] + } } }, { "id_token_param_name": { "description": "The name of the parameter used to pass the id token.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { 
@@ -1623,38 +1620,38 @@ "query", "body" ], + "type": "array", + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", + "required": false, "elements": { + "type": "string", "one_of": [ "header", "query", "body" - ], - "type": "string" - }, - "type": "array", - "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", - "required": false + ] + } } }, { "refresh_token_param_name": { "description": "The name of the parameter used to pass the refresh token.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "refresh_tokens": { - "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", "required": false, "type": "boolean" } }, { "upstream_headers_claims": { + "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, - "description": "The upstream header claims.", "elements": { "type": "string" }, @@ -1663,8 +1660,8 @@ }, { "upstream_headers_names": { - "required": false, "description": "The upstream header names for the claim values.", + "required": false, "elements": { "type": "string" }, @@ -1673,8 +1670,8 @@ }, { "upstream_access_token_header": { - "description": "The upstream access token header.", "default": "authorization:bearer", + "description": "The upstream access token header.", "required": false, "type": "string" } 
@@ -1682,50 +1679,50 @@ { "upstream_access_token_jwk_header": { "description": "The upstream access token JWK header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_id_token_header": { "description": "The upstream id token header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_id_token_jwk_header": { "description": "The upstream id token JWK header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_refresh_token_header": { "description": "The upstream refresh token header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_user_info_header": { "description": "The upstream user info header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_user_info_jwt_header": { "description": "The upstream user info JWT header (in case the user info returns a JWT response).", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_introspection_header": { "description": "The upstream introspection header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -1737,14 +1734,14 @@ { "upstream_session_id_header": { "description": "The upstream session id header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_headers_claims": { + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, - "description": "The downstream header claims.", "elements": { "type": "string" }, @@ -1753,8 +1750,8 @@ }, { "downstream_headers_names": { - "required": false, "description": "The downstream header names for the claim values.", + "required": false, "elements": { "type": "string" }, 
@@ -1764,57 +1761,57 @@ { "downstream_access_token_header": { "description": "The downstream access token header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_access_token_jwk_header": { "description": "The downstream access token JWK header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_id_token_header": { "description": "The downstream id token header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_id_token_jwk_header": { "description": "The downstream id token JWK header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_refresh_token_header": { "description": "The downstream refresh token header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_user_info_header": { "description": "The downstream user info header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_user_info_jwt_header": { "description": "The downstream user info JWT header (in case the user info returns a JWT response).", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_introspection_header": { "description": "The downstream introspection header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -1826,8 +1823,8 @@ { "downstream_session_id_header": { "description": "The downstream session id header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -1835,7 +1832,11 @@ "default": [ "authorization_code" ], + "type": "array", + "description": "Enable login functionality with specified grants.", + "required": false, "elements": { + "type": "string", "one_of": [ "password", "client_credentials", 
@@ -1846,25 +1847,21 @@ "kong_oauth2", "refresh_token", "session" - ], - "type": "string" - }, - "type": "array", - "description": "Enable login functionality with specified grants.", - "required": false + ] + } } }, { "login_action": { "default": "upstream", "type": "string", - "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location", - "required": false, "one_of": [ "upstream", "response", "redirect" - ] + ], + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location", + "required": false } }, { 
@@ -1872,52 +1869,52 @@ "default": [ "id_token" ], + "type": "array", + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response", + "required": false, "elements": { + "type": "string", "one_of": [ "id_token", "access_token", "refresh_token", "tokens", "introspection" - ], - "type": "string" - }, - "type": "array", - "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response", - "required": false + ] + } } }, { "login_redirect_mode": { "default": "fragment", "type": "string", - "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)", - "required": false, "one_of": [ "query", "fragment" - ] + ], + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)", + "required": false } }, { "logout_query_arg": { "description": "The request query argument that activates the logout.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "logout_post_arg": { "description": "The request body argument that activates the logout.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "logout_uri_suffix": { "description": "The request URI suffix that activates the logout.", - "required": false, - "type": "string" + "type": "string", + "required": 
false } }, { @@ -1926,47 +1923,47 @@ "POST", "DELETE" ], + "type": "array", + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method", + "required": false, "elements": { + "type": "string", "one_of": [ "POST", "GET", "DELETE" - ], - "type": "string" - }, - "type": "array", - "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method", - "required": false + ] + } } }, { "logout_revoke": { - "description": "Revoke tokens as part of the logout.", "default": false, + "description": "Revoke tokens as part of the logout.", "required": false, "type": "boolean" } }, { "logout_revoke_access_token": { - "description": "Revoke the access token as part of the logout.", "default": true, + "description": "Revoke the access token as part of the logout.", "required": false, "type": "boolean" } }, { "logout_revoke_refresh_token": { - "description": "Revoke the refresh token as part of the logout.", "default": true, + "description": "Revoke the refresh token as part of the logout.", "required": false, "type": "boolean" } }, { "consumer_claim": { + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, - "description": "The claim used for consumer mapping.", "elements": { "type": "string" }, 
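Review bot: The `login_redirect_mode` description notes that `fragment` is not readable by servers but gives no matching caveat for `query`. With `login_action` set to `redirect`, `query` places the `login_tokens` values in the URL, where they typically end up in access logs, browser history and Referer headers. The `query` entry should say so, for example by appending `(tokens are visible to servers and may be logged)`. The default `fragment` is unchanged by this hunk.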
@@ -1979,23 +1976,23 @@ "username", "custom_id" ], + "type": "array", + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`", + "required": false, "elements": { + "type": "string", "one_of": [ "id", "username", "custom_id" - ], - "type": "string" - }, - "type": "array", - "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`", - "required": false + ] + } } }, { "consumer_optional": { - "description": "Do not terminate the request if consumer mapping fails.", "default": false, + "description": "Do not terminate the request if consumer mapping fails.", "required": false, "type": "boolean" } 
@@ -2005,65 +2002,65 @@ "default": [ "sub" ], + "type": "array", + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, "elements": { "type": "string" - }, - "type": "array", - "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used.", - "required": false + } } }, { "anonymous": { "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "run_on_preflight": { - "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", "required": false, "type": "boolean" } }, { "leeway": { - "description": "Allow some leeway (in seconds) on the ttl / expiry verification.", "default": 0, + "description": "Allow some leeway (in seconds) on the iat claim and ttl / expiry verification.", "required": false, "type": "number" } }, { "verify_parameters": { - "description": "Verify plugin configuration against discovery.", "default": false, + "description": "Verify plugin configuration against discovery.", "required": false, "type": "boolean" } }, { "verify_nonce": { - "description": "Verify nonce on authorization code flow.", "default": true, + "description": "Verify nonce on authorization code flow.", "required": false, "type": "boolean" } }, { "verify_claims": { - "description": 
"Verify tokens for standard claims.", "default": true, + "description": "Verify tokens for standard claims.", "required": false, "type": "boolean" } }, { "verify_signature": { - "description": "Verify signature of tokens.", "default": true, + "description": "Verify signature of tokens.", "required": false, "type": "boolean" } @@ -2073,7 +2070,11 @@ "default": [ ], + "type": "array", + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication", + "required": false, "elements": { + "type": "string", "one_of": [ "password", "client_credentials", @@ -2082,27 +2083,24 @@ "session", "introspection", "userinfo" - ], - "type": "string" - }, - "type": "array", - "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication", - "required": false + ] + } } }, { "enable_hs_signatures": { - "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", "required": false, "type": "boolean" } }, { "disable_session": { - "required": false, "description": "Disable issuing the session cookie with the specified grants.", + "required": false, "elements": { + "type": "string", "one_of": [ "password", "client_credentials", 
@@ -2113,16 +2111,15 @@ "kong_oauth2", "refresh_token", "session" - ], - "type": "string" + ] }, "type": "array" } }, { "cache_ttl": { - "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", "required": false, "type": "number" } @@ -2130,35 +2127,35 @@ { "cache_ttl_max": { "description": "The maximum cache ttl in seconds (enforced).", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "cache_ttl_min": { "description": "The minimum cache ttl in seconds (enforced).", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "cache_ttl_neg": { "description": "The negative cache ttl in seconds.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "cache_ttl_resurrect": { "description": "The resurrection ttl in seconds.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "cache_tokens": { - "description": "Cache the token endpoint requests.", "default": true, + "description": "Cache the token endpoint requests.", "required": false, "type": "boolean" } 
@@ -2173,139 +2170,140 @@ }, { "cache_introspection": { - "description": "Cache the introspection endpoint requests.", "default": true, + "description": "Cache the introspection endpoint requests.", "required": false, "type": "boolean" } }, { "cache_token_exchange": { - "description": "Cache the token exchange endpoint requests.", "default": true, + "description": "Cache the token exchange endpoint requests.", "required": false, "type": "boolean" } }, { "cache_user_info": { - "description": "Cache the user info requests.", "default": true, + "description": "Cache the user info requests.", "required": false, "type": "boolean" } }, { "search_user_info": { - "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", "required": false, "type": "boolean" } }, { "hide_credentials": { - "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", "default": false, + "description": "Remove the credentials used for authentication from the request. 
If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", "required": false, "type": "boolean" } }, { "http_version": { - "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0", "default": 1.1, - "required": false, - "type": "number" + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0", + "type": "number", + "required": false } }, { "http_proxy": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "http_proxy_authorization": { "description": "The HTTP proxy authorization.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "https_proxy": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "https_proxy_authorization": { "description": "The HTTPS proxy authorization.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "no_proxy": { "description": "Do not use proxy with these hosts.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "keepalive": { - "description": "Use keepalive with the HTTP client.", "default": true, + "description": "Use keepalive with the HTTP client.", "required": false, "type": "boolean" } }, { "ssl_verify": { - "description": "Verify identity provider server certificate.", "default": false, + "description": "Verify identity provider server certificate.", "required": false, "type": "boolean" } }, { "timeout": { - "description": "Network IO timeout in milliseconds.", "default": 10000, + "description": "Network IO timeout in milliseconds.", "required": 
false, "type": "number" } }, { "display_errors": { - "description": "Display errors on failure responses.", "default": false, + "description": "Display errors on failure responses.", "required": false, "type": "boolean" } }, { "by_username_ignore_case": { - "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", "required": false, "type": "boolean" } }, { "resolve_distributed_claims": { - "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", "required": false, "type": "boolean" } }, { "expose_error_code": { - "type": "boolean", - "default": true + "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "type": "boolean" } }, { 
@@ -2315,12 +2313,47 @@ "type": "boolean" } }, + { + "introspection_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for introspection.", + "required": false, + "type": "string" + } + }, { "using_pseudo_issuer": { "default": false, "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL.", "type": "boolean" } + }, + { + "revocation_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for revocation.", + "required": false, + "type": "string" + } + }, + { + "proof_of_possession_mtls": { + "default": "off", + "one_of": [ + "off", + "strict", + "optional" + ], + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", + "type": "string" + } + }, + { + "proof_of_possession_auth_methods_validation": { + "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "type": "boolean" + } } ], "shorthand_fields": [ @@ -2409,5 +2442,8 @@ "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/opentelemetry/3.4.x.json b/schemas/opentelemetry/3.4.x.json index a7cbaae4..f2e4e312 100644 --- a/schemas/opentelemetry/3.4.x.json +++ b/schemas/opentelemetry/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { 
@@ -11,26 +8,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -38,35 +35,35 @@ "fields": [ { "endpoint": { + "required": true, "referenceable": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": true, "type": "string" } }, { "headers": { + "values": { + "type": "string", + "referenceable": true + }, "keys": { "type": "string", "description": "A string representing an HTTP header name." }, "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", - "values": { - "referenceable": true, - "type": "string" - }, "type": "map" } }, { "resource_attributes": { - "keys": { - "required": true, - "type": "string" - }, "values": { - "required": true, - "type": "string" + "type": "string", + "required": true + }, + "keys": { + "type": "string", + "required": true }, "type": "map" } 
@@ -76,35 +73,35 @@ "fields": [ { "max_batch_size": { + "default": 1, + "type": "integer", "between": [ 1, 1000000 ], - "default": 1, - "description": "Maximum number of entries that can be processed at a time.", - "type": "integer" + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { + "default": 1, + "type": "number", "between": [ 0, 3600 ], - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "type": "number" + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { + "default": 10000, + "type": "integer", "between": [ 1, 1000000 ], - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue.", - "type": "integer" + "description": "Maximum number of entries that can be waiting on the queue." } }, { 
@@ -115,36 +112,36 @@ }, { "max_retry_time": { - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "default": 60, - "type": "number" + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { + "default": 0.01, + "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch.", - "type": "number" + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { + "default": 60, + "type": "number", "between": [ 0.001, 1000000 ], - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff.", - "type": "number" + "description": "Maximum time in seconds between retries, caps exponential backoff." } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -161,34 +158,34 @@ }, { "connect_timeout": { + "default": 1000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 1000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, { "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, { "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, 
@@ -199,7 +196,6 @@ }, { "header_type": { - "required": false, "default": "preserve", "one_of": [ "preserve", @@ -210,9 +206,11 @@ "jaeger", "ot", "aws", + "gcp", "datadog" ], - "type": "string" + "type": "string", + "required": false } } ], @@ -226,9 +224,12 @@ } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/post-function/3.4.x.json b/schemas/post-function/3.4.x.json index 1c071e1d..dcba797d 100644 --- a/schemas/post-function/3.4.x.json +++ b/schemas/post-function/3.4.x.json @@ -1,24 +1,7 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.certificate", - "config.rewrite", - "config.access", - "config.header_filter", - "config.body_filter", - "config.log", - "config.ws_handshake", - "config.ws_upstream_frame", - "config.ws_client_frame", - "config.ws_close" - ] - } - ], "fields": [ { "protocols": { - "required": false, "default": [ "grpc", "grpcs", @@ -27,7 +10,9 @@ "ws", "wss" ], + "required": false, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", @@ -35,26 +20,25 @@ "https", "ws", "wss" - ], - "type": "string" + ] }, "type": "set" } }, { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -65,8 +49,10 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing protocols.", + "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -79,11 +65,9 @@ "ws", "wss" ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + } } }, { 
@@ -91,138 +75,154 @@ "fields": [ { "certificate": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "rewrite": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "access": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "header_filter": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "body_filter": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "log": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_handshake": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_client_frame": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_upstream_frame": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_close": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + 
"config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } ] } \ No newline at end of file diff --git a/schemas/pre-function/3.4.x.json b/schemas/pre-function/3.4.x.json index 1c071e1d..dcba797d 100644 --- a/schemas/pre-function/3.4.x.json +++ b/schemas/pre-function/3.4.x.json @@ -1,24 +1,7 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.certificate", - "config.rewrite", - "config.access", - "config.header_filter", - "config.body_filter", - "config.log", - "config.ws_handshake", - "config.ws_upstream_frame", - "config.ws_client_frame", - "config.ws_close" - ] - } - ], "fields": [ { "protocols": { - "required": false, "default": [ "grpc", "grpcs", @@ -27,7 +10,9 @@ "ws", "wss" ], + "required": false, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", @@ -35,26 +20,25 @@ "https", "ws", "wss" - ], - "type": "string" + ] }, "type": "set" } }, { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -65,8 +49,10 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing protocols.", + "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -79,11 +65,9 @@ "ws", "wss" ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + } } }, { 
@@ -91,138 +75,154 @@ "fields": [ { "certificate": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "rewrite": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "access": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "header_filter": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "body_filter": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "log": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_handshake": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_client_frame": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_upstream_frame": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_close": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + 
"config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } ] } \ No newline at end of file diff --git a/schemas/prometheus/3.4.x.json b/schemas/prometheus/3.4.x.json index a851036d..913a1dca 100644 --- a/schemas/prometheus/3.4.x.json +++ b/schemas/prometheus/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { @@ -11,8 +8,10 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing protocols.", + "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -25,19 +24,17 @@ "ws", "wss" ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { 
@@ -46,42 +43,45 @@ { "per_consumer": { "default": false, - "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", - "type": "boolean" + "type": "boolean", + "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available." } }, { "status_code_metrics": { "default": false, - "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", - "type": "boolean" + "type": "boolean", + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported." } }, { "latency_metrics": { "default": false, - "description": "A boolean value that determines if status code metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", - "type": "boolean" + "type": "boolean", + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported." } }, { "bandwidth_metrics": { "default": false, - "description": "A boolean value that determines if status code metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", - "type": "boolean" + "type": "boolean", + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported." 
} }, { "upstream_health_metrics": { "default": false, - "description": "A boolean value that determines if status code metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", - "type": "boolean" + "type": "boolean", + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `upstream_target_health` metric will be exported." } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/proxy-cache-advanced/3.4.x.json b/schemas/proxy-cache-advanced/3.4.x.json index 45409c1a..084ee9f7 100644 --- a/schemas/proxy-cache-advanced/3.4.x.json +++ b/schemas/proxy-cache-advanced/3.4.x.json @@ -1,13 +1,4 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { @@ -17,26 +8,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -49,17 +40,17 @@ 301, 404 ], + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", + "len_min": 1, + "type": "array", + "required": true, "elements": { "between": [ 100, 900 ], "type": "integer" - }, - "type": "array", - "len_min": 1, - "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", - "required": true + } } }, { 
@@ -68,19 +59,19 @@ "GET", "HEAD" ], + "required": true, + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", + "type": "array", "elements": { + "type": "string", "one_of": [ "HEAD", "GET", "POST", "PATCH", "PUT" - ], - "type": "string" - }, - "type": "array", - "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", - "required": true + ] + } } }, { 
@@ -89,53 +80,53 @@ "text/plain", "application/json" ], + "required": true, + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", - "required": true + } } }, { "cache_ttl": { + "default": 300, "gt": 0, "description": "TTL in seconds of cache entities.", - "default": 300, "type": "integer" } }, { "strategy": { "required": true, - "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", "one_of": [ "memory", "redis" ], + "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", "type": "string" } }, { "cache_control": { "default": false, - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", "required": true, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", "type": "boolean" } }, { "ignore_uri_case": { "default": false, - "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", "required": false, + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. 
If set to true, requests are cached while ignoring case sensitivity in the URI.", "type": "boolean" } }, { "storage_ttl": { - "type": "integer", - "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" } }, { 
@@ -144,32 +135,59 @@ { "dictionary_name": { "default": "kong_db_cache", - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", "required": true, + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", "type": "string" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "vary_query_params": { - "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "type": "array", "elements": { "type": "string" }, - "type": "array" + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration." } }, { "vary_headers": { - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "type": "array", "elements": { "type": "string" }, - "type": "array" + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." + } + }, + { + "response_headers": { + "fields": [ + { + "age": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Status": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Key": { + "default": true, + "type": "boolean" + } + } + ], + "type": "record", + "description": "Caching related diagnostic headers that should be included in cached responses", + "required": true } }, { 
@@ -187,18 +205,18 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, @@ -208,8 +226,8 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -218,8 +236,8 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -228,8 +246,8 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -241,10 +259,10 @@ }, { "password": { - "referenceable": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "encrypted": true, - "type": "string" + "referenceable": true, + "type": "string", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." } }, { 
@@ -256,27 +274,27 @@ }, { "sentinel_password": { - "referenceable": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "encrypted": true, - "type": "string" + "referenceable": true, + "type": "string", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer" } }, { "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 ], - "default": 30, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value.", "type": "integer" } }, 
@@ -286,8 +304,8 @@ 0, 2147483646 ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued connect operations resume once the number of connections in the pool is less than `keepalive_pool_size`. Note that queued connect operations are subject to set timeouts.", - "type": "integer" + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { 
@@ -298,47 +316,47 @@ }, { "sentinel_role": { - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", "one_of": [ "master", "slave", "any" ], - "type": "string" + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." } }, { "sentinel_addresses": { "len_min": 1, - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" }, + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "type": "array" } }, { "cluster_addresses": { "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "type": "array" } }, { "ssl": { - "description": "If set to true, uses SSL to connect to Redis.", "default": false, + "description": "If set to true, uses SSL to connect to Redis.", "required": false, "type": "boolean" } }, { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, "type": "boolean" } @@ -346,8 +364,8 @@ { "server_name": { "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false, - "type": "string" + "type": "string", + "required": false } } ], @@ -409,8 +427,8 @@ ] } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -421,8 +439,17 @@ } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/proxy-cache/3.4.x.json b/schemas/proxy-cache/3.4.x.json index cb1dfc18..d1602895 100644 --- a/schemas/proxy-cache/3.4.x.json +++ b/schemas/proxy-cache/3.4.x.json @@ -1,13 +1,4 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { @@ -17,8 +8,10 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing protocols.", + "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -31,19 +24,17 @@ "ws", "wss" ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -56,17 +47,17 @@ 301, 404 ], + "required": true, + "len_min": 1, + "description": "Upstream response status code considered cacheable.", + "type": "array", "elements": { "between": [ 100, 900 ], "type": "integer" - }, - "type": "array", - "len_min": 1, - "description": "Upstream response status code considered cacheable.", - "required": true + } } }, { @@ -75,19 +66,19 @@ "GET", "HEAD" ], + "type": "array", + "required": true, + "description": "Downstream request methods considered cacheable.", "elements": { + "type": "string", "one_of": [ "HEAD", "GET", "POST", "PATCH", "PUT" - ], - "type": "string" - }, - "type": "array", - "description": "Downstream request methods considered cacheable.", - "required": true + ] + } } }, { 
@@ -96,38 +87,38 @@ "text/plain", "application/json" ], - "elements": { - "type": "string" - }, "type": "array", + "required": true, "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", - "required": true + "elements": { + "type": "string" + } } }, { "cache_ttl": { - "gt": 0, - "description": "TTL, in seconds, of cache entities.", "default": 300, - "type": "integer" + "gt": 0, + "type": "integer", + "description": "TTL, in seconds, of cache entities." } }, { "strategy": { - "required": true, - "description": "The backing data store in which to hold cache entities.", + "type": "string", "one_of": [ "memory" ], - "type": "string" + "required": true, + "description": "The backing data store in which to hold cache entities." } }, { "cache_control": { "default": false, - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "type": "boolean", "required": true, - "type": "boolean" + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234." } }, { @@ -149,14 +140,14 @@ { "dictionary_name": { "default": "kong_db_cache", - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", "required": true, - "type": "string" + "type": "string", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template." } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
@@ -176,10 +167,46 @@ }, "type": "array" } + }, + { + "response_headers": { + "fields": [ + { + "age": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Status": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Key": { + "default": true, + "type": "boolean" + } + } + ], + "description": "Caching related diagnostic headers that should be included in cached responses", + "type": "record", + "required": true + } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/rate-limiting-advanced/3.4.x.json b/schemas/rate-limiting-advanced/3.4.x.json index fdcd78cd..d6e7100f 100644 --- a/schemas/rate-limiting-advanced/3.4.x.json +++ b/schemas/rate-limiting-advanced/3.4.x.json @@ -1,13 +1,4 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { @@ -17,18 +8,18 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { @@ -38,8 +29,6 @@ "identifier": { "default": "consumer", "type": "string", - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, or `path`.", - "required": true, "one_of": [ "ip", "credential", 
@@ -47,38 +36,40 @@ "service", "header", "path" - ] + ], + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, or `path`.", + "required": true } }, { "window_size": { - "required": true, + "type": "array", "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" }, - "type": "array" + "required": true } }, { "window_type": { "default": "sliding", - "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", "one_of": [ "fixed", "sliding" ], - "type": "string" + "type": "string", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters." } }, { "limit": { - "required": true, + "type": "array", "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" }, - "type": "array" + "required": true } }, { 
@@ -90,44 +81,44 @@ { "namespace": { "auto": true, - "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace.", - "required": true, - "type": "string" + "type": "string", + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", + "required": true } }, { "strategy": { "default": "local", "type": "string", - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", - "required": true, "one_of": [ "cluster", "redis", "local" - ] + ], + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "required": true } }, { "dictionary_name": { "default": "kong_rate_limiting_counters", + "type": "string", "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", - "required": true, - "type": "string" + "required": true } }, { "hide_client_headers": { "default": false, - "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", - "type": "boolean" + "type": "boolean", + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters." 
} }, { "retry_after_jitter_max": { "default": 0, - "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", - "type": "number" + "type": "number", + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header." } }, { @@ -138,15 +129,15 @@ }, { "path": { - "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ] + ], + "type": "string" } }, { @@ -164,18 +155,18 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, 
@@ -185,8 +176,8 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -195,8 +186,8 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -205,8 +196,8 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -218,10 +209,10 @@ }, { "password": { - "referenceable": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "encrypted": true, - "type": "string" + "referenceable": true, + "type": "string", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." } }, { 
@@ -233,27 +224,27 @@ }, { "sentinel_password": { - "referenceable": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "encrypted": true, - "type": "string" + "referenceable": true, + "type": "string", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer" } }, { "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 ], - "default": 30, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value.", "type": "integer" } }, 
@@ -263,8 +254,8 @@ 0, 2147483646 ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued connect operations resume once the number of connections in the pool is less than `keepalive_pool_size`. Note that queued connect operations are subject to set timeouts.", - "type": "integer" + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { 
@@ -275,47 +266,47 @@ }, { "sentinel_role": { - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", "one_of": [ "master", "slave", "any" ], - "type": "string" + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." } }, { "sentinel_addresses": { "len_min": 1, - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" }, + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "type": "array" } }, { "cluster_addresses": { "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "type": "array" } }, { "ssl": { - "description": "If set to true, uses SSL to connect to Redis.", "default": false, + "description": "If set to true, uses SSL to connect to Redis.", "required": false, "type": "boolean" } }, { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, "type": "boolean" } @@ -323,8 +314,8 @@ { "server_name": { "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false, - "type": "string" + "type": "string", + "required": false } } ], @@ -386,15 +377,15 @@ ] } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "enforce_consumer_groups": { "default": false, - "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", - "type": "boolean" + "type": "boolean", + "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups." } }, { 
@@ -409,28 +400,37 @@ { "disable_penalty": { "default": false, - "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", - "type": "boolean" + "type": "boolean", + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type." } }, { "error_code": { - "description": "Set a custom error code to return when the rate limit is exceeded.", - "gt": 0, "default": 429, - "type": "number" + "gt": 0, + "type": "number", + "description": "Set a custom error code to return when the rate limit is exceeded." } }, { "error_message": { "default": "API rate limit exceeded", - "description": "Set a custom error message to return when the rate limit is exceeded.", - "type": "string" + "type": "string", + "description": "Set a custom error message to return when the rate limit is exceeded." } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/rate-limiting/3.4.x.json b/schemas/rate-limiting/3.4.x.json index 973af9b7..bbbe2adf 100644 --- a/schemas/rate-limiting/3.4.x.json +++ b/schemas/rate-limiting/3.4.x.json 
@@ -1,76 +1,4 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.second", - "config.minute", - "config.hour", - "config.day", - "config.month", - "config.year" - ] - }, - { - "conditional": { - "then_match": { - "required": true - }, - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis_host", - "if_field": "config.policy" - } - }, - { - "conditional": { - "then_match": { - "required": true - }, - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis_port", - "if_field": "config.policy" - } - }, - { - "conditional": { - "then_match": { - "required": true - }, - "if_match": { - "eq": "header" - }, - "then_field": "config.header_name", - "if_field": "config.limit_by" - } - }, - { - "conditional": { - "then_match": { - "required": true - }, - "if_match": { - "eq": "path" - }, - "then_field": "config.path", - "if_field": "config.limit_by" - } - }, - { - "conditional": { - "then_match": { - "required": true - }, - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis_timeout", - "if_field": "config.policy" - } - } - ], "fields": [ { "protocols": { @@ -80,26 +8,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { 
@@ -108,49 +36,48 @@ { "second": { "gt": 0, - "description": "The number of HTTP requests that can be made per second.", - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per second." } }, { "minute": { "gt": 0, - "description": "The number of HTTP requests that can be made per minute.", - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per minute." } }, { "hour": { "gt": 0, - "description": "The number of HTTP requests that can be made per hour.", - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per hour." } }, { "day": { "gt": 0, - "description": "The number of HTTP requests that can be made per day.", - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per day." } }, { "month": { "gt": 0, - "description": "The number of HTTP requests that can be made per month.", - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per month." } }, { "year": { "gt": 0, - "description": "The number of HTTP requests that can be made per year.", - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per year." } }, { "limit_by": { "default": "consumer", - "description": "The entity that is used when aggregating the limits.", "one_of": [ "consumer", "credential", @@ -159,7 +86,8 @@ "header", "path" ], - "type": "string" + "type": "string", + "description": "The entity that is used when aggregating the limits." } }, { 
@@ -170,36 +98,36 @@ }, { "path": { - "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ] + ], + "type": "string" } }, { "policy": { "default": "local", - "type": "string", - "len_min": 0, "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "len_min": 0, "one_of": [ "local", "cluster", "redis" - ] + ], + "type": "string" } }, { "fault_tolerant": { "default": true, + "type": "boolean", "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", - "required": true, - "type": "boolean" + "required": true } }, { 
@@ -210,44 +138,44 @@ }, { "redis_port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, { "redis_password": { "len_min": 0, - "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", "referenceable": true, - "type": "string" + "type": "string", + "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server." } }, { "redis_username": { "referenceable": true, - "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.", - "type": "string" + "type": "string", + "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired." } }, { "redis_ssl": { "default": false, + "type": "boolean", "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server.", - "required": true, - "type": "boolean" + "required": true } }, { "redis_ssl_verify": { "default": false, + "type": "boolean", "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies it server SSL certificate is validated. Note that you need to configure the lua_ssl_trusted_certificate to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.", - "required": true, - "type": "boolean" + "required": true } }, { 
@@ -259,51 +187,123 @@ { "redis_timeout": { "default": 2000, - "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server.", - "type": "number" + "type": "number", + "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server." } }, { "redis_database": { "default": 0, - "description": "When using the `redis` policy, this property specifies the Redis database to use.", - "type": "integer" + "type": "integer", + "description": "When using the `redis` policy, this property specifies the Redis database to use." } }, { "hide_client_headers": { "default": false, + "type": "boolean", "description": "Optionally hide informative response headers.", - "required": true, - "type": "boolean" + "required": true } }, { "error_code": { - "gt": 0, - "description": "Set a custom error code to return when the rate limit is exceeded.", "default": 429, - "type": "number" + "gt": 0, + "type": "number", + "description": "Set a custom error code to return when the rate limit is exceeded." } }, { "error_message": { "default": "API rate limit exceeded", - "description": "Set a custom error message to return when the rate limit is exceeded.", - "type": "string" + "type": "string", + "description": "Set a custom error message to return when the rate limit is exceeded." } }, { "sync_rate": { "default": -1, + "type": "number", "description": "How often to sync counter data to the central data store. 
A value of -1 results in synchronous behavior.", - "required": true, - "type": "number" + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.second", + "config.minute", + "config.hour", + "config.day", + "config.month", + "config.year" + ] + }, + { + "conditional": { + "then_field": "config.redis_host", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + }, + "if_field": "config.policy" + } + }, + { + "conditional": { + "then_field": "config.redis_port", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + }, + "if_field": "config.policy" + } + }, + { + "conditional": { + "then_field": "config.header_name", + "if_match": { + "eq": "header" + }, + "then_match": { + "required": true + }, + "if_field": "config.limit_by" + } + }, + { + "conditional": { + "then_field": "config.path", + "if_match": { + "eq": "path" + }, + "then_match": { + "required": true + }, + "if_field": "config.limit_by" + } + }, + { + "conditional": { + "then_field": "config.redis_timeout", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + }, + "if_field": "config.policy" } } ] diff --git a/schemas/request-size-limiting/3.4.x.json b/schemas/request-size-limiting/3.4.x.json index 3c96984a..03f352b8 100644 --- a/schemas/request-size-limiting/3.4.x.json +++ b/schemas/request-size-limiting/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { 
@@ -11,26 +8,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -46,28 +43,31 @@ { "size_unit": { "default": "megabytes", - "type": "string", - "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", "required": true, "one_of": [ "megabytes", "kilobytes", "bytes" - ] + ], + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", + "type": "string" } }, { "require_content_length": { "default": false, - "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", "required": true, + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", "type": "boolean" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-termination/3.4.x.json b/schemas/request-termination/3.4.x.json index 59d914f3..5c6b340c 100644 --- a/schemas/request-termination/3.4.x.json +++ b/schemas/request-termination/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { 
@@ -11,26 +8,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -39,12 +36,12 @@ { "status_code": { "default": 503, - "type": "integer", + "description": "The response code to send. Must be an integer between 100 and 599.", "between": [ 100, 599 ], - "description": "The response code to send. Must be an integer between 100 and 599.", + "type": "integer", "required": true } }, @@ -81,9 +78,12 @@ } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-transformer-advanced/3.4.x.json b/schemas/request-transformer-advanced/3.4.x.json index 040f5998..25ac3a01 100644 --- a/schemas/request-transformer-advanced/3.4.x.json +++ b/schemas/request-transformer-advanced/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { @@ -11,18 +8,18 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { 
@@ -30,8 +27,8 @@ "fields": [ { "http_method": { - "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", "match": "^%u+$", + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", "type": "string" } }, @@ -43,10 +40,10 @@ "default": [ ], + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { @@ -54,10 +51,10 @@ "default": [ ], + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { @@ -65,15 +62,15 @@ "default": [ ], + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -84,11 +81,11 @@ "default": [ ], + "type": "array", "elements": { - "referenceable": true, - "type": "string" - }, - "type": "array" + "type": "string", + "referenceable": true + } } }, { @@ -96,11 +93,11 @@ "default": [ ], + "type": "array", "elements": { - "referenceable": true, - "type": "string" - }, - "type": "array" + "type": "string", + "referenceable": true + } } }, { @@ -108,16 +105,16 @@ "default": [ ], + "type": "array", "elements": { - "referenceable": true, - "type": "string" - }, - "type": "array" + "type": "string", + "referenceable": true + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -128,11 +125,11 @@ "default": [ ], + "type": "array", "elements": { - "referenceable": true, - "type": "string" - }, - "type": "array" + "type": "string", + "referenceable": true + } } }, { @@ -140,11 +137,11 @@ "default": [ ], + "type": "array", "elements": { - "referenceable": true, - "type": "string" - }, - "type": "array" + "type": "string", + "referenceable": true + } } }, { 
@@ -152,11 +149,11 @@ "default": [ ], + "type": "array", "elements": { - "referenceable": true, - "type": "string" - }, - "type": "array" + "type": "string", + "referenceable": true + } } }, { @@ -164,15 +161,15 @@ "default": [ ], + "type": "array", "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" - }, - "type": "array" + ] + } } }, { @@ -181,8 +178,8 @@ } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -193,11 +190,11 @@ "default": [ ], + "type": "array", "elements": { - "referenceable": true, - "type": "string" - }, - "type": "array" + "type": "string", + "referenceable": true + } } }, { @@ -205,11 +202,11 @@ "default": [ ], + "type": "array", "elements": { - "referenceable": true, - "type": "string" - }, - "type": "array" + "type": "string", + "referenceable": true + } } }, { @@ -217,11 +214,11 @@ "default": [ ], + "type": "array", "elements": { - "referenceable": true, - "type": "string" - }, - "type": "array" + "type": "string", + "referenceable": true + } } }, { @@ -229,20 +226,20 @@ "default": [ ], + "type": "array", "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" - }, - "type": "array" + ] + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -253,11 +250,11 @@ "default": [ ], + "type": "array", "elements": { - "referenceable": true, - "type": "string" - }, - "type": "array" + "type": "string", + "referenceable": true + } } }, { @@ -265,11 +262,11 @@ "default": [ ], + "type": "array", "elements": { - "referenceable": true, - "type": "string" - }, - "type": "array" + "type": "string", + "referenceable": true + } } }, { @@ -277,11 +274,11 @@ "default": [ ], + "type": "array", "elements": { - "referenceable": true, - "type": "string" - }, - "type": "array" + "type": "string", + "referenceable": true + } } }, { 
@@ -289,20 +286,20 @@ "default": [ ], + "type": "array", "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" - }, - "type": "array" + ] + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -310,28 +307,31 @@ "fields": [ { "body": { + "type": "set", "elements": { "type": "string" - }, - "type": "set" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "dots_in_keys": { - "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects).", "default": true, - "type": "boolean" + "type": "boolean", + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects)." } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-transformer/3.4.x.json b/schemas/request-transformer/3.4.x.json index be151262..109f34ca 100644 --- a/schemas/request-transformer/3.4.x.json +++ b/schemas/request-transformer/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { @@ -11,8 +8,10 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing protocols.", + "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -25,11 +24,9 @@ "ws", "wss" ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + } } }, { 
@@ -37,8 +34,8 @@ "fields": [ { "http_method": { - "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", "match": "^%u+$", + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", "type": "string" } }, @@ -47,43 +44,43 @@ "fields": [ { "body": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } }, { "querystring": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -91,44 +88,44 @@ "fields": [ { "body": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string", "match": "^[^:]+:.*$" - }, - "type": "array" + } } }, { "querystring": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
@@ -136,39 +133,39 @@ "fields": [ { "body": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string", "match": "^[^:]+:.*$" - }, - "type": "array" + } } }, { "querystring": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } }, { @@ -177,8 +174,8 @@ } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -186,44 +183,44 @@ "fields": [ { "body": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string", "match": "^[^:]+:.*$" - }, - "type": "array" + } } }, { "querystring": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -231,50 +228,53 @@ "fields": [ { "body": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string", "match": "^[^:]+:.*$" - }, - "type": "array" + } } }, { "querystring": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
diff --git a/schemas/request-validator/3.4.x.json b/schemas/request-validator/3.4.x.json index 1f717922..91fbb7eb 100644 --- a/schemas/request-validator/3.4.x.json +++ b/schemas/request-validator/3.4.x.json @@ -1,13 +1,4 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { @@ -17,26 +8,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -44,8 +35,8 @@ "fields": [ { "body_schema": { - "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.", "required": false, + "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.", "type": "string" } }, 
@@ -55,51 +46,54 @@ "application/json" ], "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", + "type": "set", "elements": { - "required": true, - "type": "string" - }, - "type": "set" + "type": "string", + "required": true + } } }, { "version": { "default": "kong", - "type": "string", - "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", + "required": true, "one_of": [ "kong", "draft4" ], - "required": true + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", + "type": "string" } }, { "parameter_schema": { "required": false, - "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", + "type": "array", "elements": { "fields": [ { "in": { - "required": true, + "type": "string", "one_of": [ "query", "header", "path" ], - "type": "string" + "description": "The location of the parameter.", + "required": true } }, { "name": { "required": true, + "description": "The name of the parameter. Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`.", "type": "string" } }, { "required": { "required": true, + "description": "Determines whether this parameter is mandatory.", "type": "boolean" } }, 
@@ -114,16 +108,19 @@ "pipeDelimited", "deepObject" ], + "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", "type": "string" } }, { "explode": { + "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect.", "type": "boolean" } }, { "schema": { + "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating.", "type": "string" } } @@ -147,15 +144,15 @@ ], "type": "record" }, - "type": "array" + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified." } }, { "verbose_response": { - "description": "If enabled, the plugin returns more verbose and detailed validation errors.", "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "description": "If enabled, the plugin returns more verbose and detailed validation errors.", + "required": true } } ], @@ -167,8 +164,17 @@ ] } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/response-ratelimiting/3.4.x.json b/schemas/response-ratelimiting/3.4.x.json index 04f8a2cc..301d1410 100644 --- a/schemas/response-ratelimiting/3.4.x.json +++ b/schemas/response-ratelimiting/3.4.x.json 
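Review bot: The description added for `schema` in this hunk begins with "Requred", a misspelling of "Required" that will presumably carry over into whatever documentation is rendered from this schema. It should start `Required when style and explode are set.` The `style` and `explode` descriptions added in the same hunk spell the word correctly. Since the file is downloaded from the API, the correction is best made in the upstream schema and pulled again.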
@@ -1,42 +1,4 @@ { - "entity_checks": [ - { - "conditional": { - "then_match": { - "required": true - }, - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis_host", - "if_field": "config.policy" - } - }, - { - "conditional": { - "then_match": { - "required": true - }, - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis_port", - "if_field": "config.policy" - } - }, - { - "conditional": { - "then_match": { - "required": true - }, - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis_timeout", - "if_field": "config.policy" - } - } - ], "fields": [ { "protocols": { @@ -46,26 +8,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { 
@@ -73,41 +35,41 @@ "fields": [ { "header_name": { - "description": "The name of the response header used to increment the counters.", "default": "x-kong-limit", - "type": "string" + "type": "string", + "description": "The name of the response header used to increment the counters." } }, { "limit_by": { - "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", "default": "consumer", "one_of": [ "consumer", "credential", "ip" ], - "type": "string" + "type": "string", + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`." } }, { "policy": { - "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", "default": "local", "one_of": [ "local", "cluster", "redis" ], - "type": "string" + "type": "string", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits." } }, { "fault_tolerant": { - "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", "default": true, + "type": "boolean", "required": true, - "type": "boolean" + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors." } }, { 
@@ -118,44 +80,44 @@ }, { "redis_port": { + "default": 6379, + "description": "When using the `redis` policy, this property specifies the port of the Redis server.", "between": [ 0, 65535 ], - "default": 6379, - "description": "When using the `redis` policy, this property specifies the port of the Redis server.", "type": "integer" } }, { "redis_password": { - "referenceable": true, - "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", "len_min": 0, - "type": "string" + "referenceable": true, + "type": "string", + "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server." } }, { "redis_username": { "referenceable": true, - "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.\nThis requires Redis v6.0.0+. The username **cannot** be set to `default`.", - "type": "string" + "type": "string", + "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.\nThis requires Redis v6.0.0+. The username **cannot** be set to `default`." } }, { "redis_ssl": { - "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server.", "default": false, + "type": "boolean", "required": true, - "type": "boolean" + "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server." } }, { "redis_ssl_verify": { - "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies if the server SSL certificate is validated. Note that you need to configure the `lua_ssl_trusted_certificate` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "type": "boolean", "required": true, - "type": "boolean" + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies if the server SSL certificate is validated. Note that you need to configure the `lua_ssl_trusted_certificate` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." } }, { 
@@ -166,72 +128,79 @@ }, { "redis_timeout": { - "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server.", "default": 2000, - "type": "number" + "type": "number", + "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server." } }, { "redis_database": { - "description": "When using the `redis` policy, this property specifies Redis database to use.", "default": 0, - "type": "number" + "type": "number", + "description": "When using the `redis` policy, this property specifies Redis database to use." } }, { "block_on_first_violation": { - "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", "default": false, + "type": "boolean", "required": true, - "type": "boolean" + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too." } }, { "hide_client_headers": { - "description": "Optionally hide informative response headers.", "default": false, + "type": "boolean", "required": true, - "type": "boolean" + "description": "Optionally hide informative response headers." 
} }, { "limits": { + "keys": { + "type": "string" + }, + "required": true, + "len_min": 1, + "description": "A map that defines rate limits for the plugin.", + "type": "map", "values": { "fields": [ { "second": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { "minute": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { "hour": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { "day": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { "month": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { "year": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } } ], @@ -249,19 +218,50 @@ ], "required": true, "type": "record" - }, - "type": "map", - "len_min": 1, - "description": "A map that defines rate limits for the plugin.", - "required": true, - "keys": { - "type": "string" } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "config.redis_host", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + }, + "if_field": "config.policy" + } + }, + { + "conditional": { + "then_field": "config.redis_port", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + }, + "if_field": "config.policy" + } + }, + { + "conditional": { + "then_field": "config.redis_timeout", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + }, + "if_field": "config.policy" } } ] diff --git a/schemas/response-transformer-advanced/3.4.x.json b/schemas/response-transformer-advanced/3.4.x.json index ddfe3a2a..67a8f9ba 100644 --- a/schemas/response-transformer-advanced/3.4.x.json +++ b/schemas/response-transformer-advanced/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { 
@@ -11,18 +8,18 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { @@ -36,10 +33,10 @@ "default": [ ], + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { @@ -47,10 +44,10 @@ "default": [ ], + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { @@ -58,15 +55,15 @@ "default": [ ], + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -77,11 +74,11 @@ "default": [ ], + "type": "array", "elements": { "type": "string", "match": "^[^:]+:.*$" - }, - "type": "array" + } } }, { @@ -89,15 +86,15 @@ "default": [ ], + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -105,8 +102,8 @@ "fields": [ { "body": { - "type": "string", - "description": "String with which to replace the entire response body." + "description": "String with which to replace the entire response body.", + "type": "string" } }, { @@ -114,10 +111,10 @@ "default": [ ], + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { @@ -125,15 +122,15 @@ "default": [ ], + "type": "array", "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" - }, - "type": "array" + ] + } } }, { @@ -141,10 +138,10 @@ "default": [ ], + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { 
@@ -152,15 +149,15 @@ "default": [ ], + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -171,10 +168,10 @@ "default": [ ], + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { @@ -182,15 +179,15 @@ "default": [ ], + "type": "array", "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" - }, - "type": "array" + ] + } } }, { @@ -198,10 +195,10 @@ "default": [ ], + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { @@ -209,15 +206,15 @@ "default": [ ], + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -228,10 +225,10 @@ "default": [ ], + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { @@ -239,15 +236,15 @@ "default": [ ], + "type": "array", "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" - }, - "type": "array" + ] + } } }, { @@ -255,10 +252,10 @@ "default": [ ], + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { @@ -266,15 +263,15 @@ "default": [ ], + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -282,15 +279,15 @@ "fields": [ { "json": { + "type": "set", "elements": { "type": "string" - }, - "type": "set" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -301,10 +298,10 @@ "default": [ ], + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { @@ -312,10 +309,10 @@ "default": [ ], + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { 
@@ -323,28 +320,31 @@ "default": [ ], + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "dots_in_keys": { "default": true, - "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", - "type": "boolean" + "type": "boolean", + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects.." } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/response-transformer/3.4.x.json b/schemas/response-transformer/3.4.x.json index 6e3a84ee..6e81953c 100644 --- a/schemas/response-transformer/3.4.x.json +++ b/schemas/response-transformer/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { @@ -11,18 +8,18 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { @@ -33,31 +30,31 @@ "fields": [ { "json": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
@@ -65,20 +62,20 @@ "fields": [ { "headers": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, - "type": "array" + "type": "string", + "match": "^[^:]+:.*$" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -86,15 +83,15 @@ "fields": [ { "json": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" - }, - "type": "array" + "match": "^[^:]+:.*$", + "type": "string" + } } }, { @@ -102,35 +99,35 @@ "default": [ ], + "required": true, + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "type": "array", "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" - }, - "type": "array", - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", - "required": true + ] + } } }, { "headers": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" - }, - "type": "array" + "match": "^[^:]+:.*$", + "type": "string" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -138,15 +135,15 @@ "fields": [ { "json": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" - }, - "type": "array" + "match": "^[^:]+:.*$", + "type": "string" + } } }, { 
@@ -154,35 +151,35 @@ "default": [ ], + "required": true, + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "type": "array", "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" - }, - "type": "array", - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", - "required": true + ] + } } }, { "headers": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" - }, - "type": "array" + "match": "^[^:]+:.*$", + "type": "string" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -190,15 +187,15 @@ "fields": [ { "json": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" - }, - "type": "array" + "match": "^[^:]+:.*$", + "type": "string" + } } }, { 
@@ -206,41 +203,44 @@ "default": [ ], + "required": true, + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "type": "array", "elements": { + "type": "string", "one_of": [ "boolean", "number", "string" - ], - "type": "string" - }, - "type": "array", - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", - "required": true + ] + } } }, { "headers": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" - }, - "type": "array" + "match": "^[^:]+:.*$", + "type": "string" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/route-by-header/3.4.x.json b/schemas/route-by-header/3.4.x.json index 28fec8bc..b1e7d36b 100644 --- a/schemas/route-by-header/3.4.x.json +++ b/schemas/route-by-header/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { @@ -11,26 +8,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { 
@@ -42,6 +39,7 @@ ], "description": "Route by header rules.", + "type": "array", "elements": { "fields": [ { @@ -52,27 +50,29 @@ }, { "condition": { - "values": { + "keys": { "type": "string" }, - "type": "map", + "required": true, "len_min": 1, - "keys": { + "type": "map", + "values": { "type": "string" - }, - "required": true + } } } ], "type": "record" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/route-transformer-advanced/3.4.x.json b/schemas/route-transformer-advanced/3.4.x.json index 8b34c46e..a3f7dc31 100644 --- a/schemas/route-transformer-advanced/3.4.x.json +++ b/schemas/route-transformer-advanced/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { @@ -11,26 +8,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -53,8 +50,8 @@ }, { "escape_path": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } } ], @@ -67,9 +64,12 @@ ] } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/saml/3.4.x.json b/schemas/saml/3.4.x.json index ab70c14d..f4f01aaf 100644 --- a/schemas/saml/3.4.x.json +++ b/schemas/saml/3.4.x.json 
@@ -1,14 +1,11 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { @@ -19,26 +16,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { 
@@ -46,285 +43,287 @@ "fields": [ { "assertion_consumer_path": { - "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "starts_with": "/", "required": true, - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "type": "string" } }, { "idp_sso_url": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "idp_certificate": { - "referenceable": true, "type": "string", + "encrypted": true, + "referenceable": true, "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", - "required": false, - "encrypted": true + "required": false } }, { "response_encryption_key": { - "referenceable": true, "type": "string", + "encrypted": true, + "referenceable": true, "description": "The private encryption key required to decrypt encrypted assertions.", - "required": false, - "encrypted": true + "required": false } }, { "request_signing_key": { - "referenceable": true, "type": "string", + "encrypted": true, + "referenceable": true, "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. 
The `request_signing_certificate` parameter must be set as well.", - "required": false, - "encrypted": true + "required": false } }, { "request_signing_certificate": { - "referenceable": true, "type": "string", + "encrypted": true, + "referenceable": true, "description": "The certificate for signing requests.", - "required": false, - "encrypted": true + "required": false } }, { "request_signature_algorithm": { "default": "SHA256", - "type": "string", - "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`", "required": false, "one_of": [ "SHA256", "SHA384", "SHA512" - ] + ], + "type": "string", + "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`" } }, { "request_digest_algorithm": { "default": "SHA256", - "type": "string", - "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", "required": false, "one_of": [ "SHA256", "SHA1" - ] + ], + "type": "string", + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`" } }, { "response_signature_algorithm": { "default": "SHA256", - "type": "string", - "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", "required": false, "one_of": [ "SHA256", "SHA384", "SHA512" - ] + ], + "type": "string", + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`" } }, { "response_digest_algorithm": { "default": "SHA256", - "type": "string", - "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", "required": false, "one_of": [ "SHA256", "SHA1" - ] + ], + "type": "string", + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`" } }, { "issuer": { - "description": "The unique identifier of the IdP application. 
Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", "required": true, + "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", "type": "string" } }, { "nameid_format": { "default": "EmailAddress", - "type": "string", - "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", "required": false, "one_of": [ "Unspecified", "EmailAddress", "Persistent", "Transient" - ] + ], + "type": "string", + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`" } }, { "validate_assertion_signature": { "default": true, - "description": "Enable signature validation for SAML responses.", "required": false, - "type": "boolean" + "type": "boolean", + "description": "Enable signature validation for SAML responses." } }, { "anonymous": { + "type": "string", "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", - "required": false, - "type": "string" + "required": false } }, { "session_secret": { - "referenceable": true, - "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", "required": true, + "referenceable": true, + "type": "string", "match": "^[0-9a-zA-Z/_+]+$", "len_min": 32, "len_max": 32, - "encrypted": true, - "type": "string" + "description": "The session secret. 
This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "encrypted": true } }, { "session_audience": { "default": "default", - "description": "The session audience, for example \"my-application\"", + "type": "string", "required": false, - "type": "string" + "description": "The session audience, for example \"my-application\"" } }, { "session_cookie_name": { "default": "session", - "description": "The session cookie name.", + "type": "string", "required": false, - "type": "string" + "description": "The session cookie name." } }, { "session_remember": { "default": false, - "description": "Enables or disables persistent sessions", + "type": "boolean", "required": false, - "type": "boolean" + "description": "Enables or disables persistent sessions" } }, { "session_remember_cookie_name": { "default": "remember", - "description": "Persistent session cookie name", + "type": "string", "required": false, - "type": "string" + "description": "Persistent session cookie name" } }, { "session_remember_rolling_timeout": { "default": 604800, - "description": "Persistent session rolling timeout in seconds.", + "type": "number", "required": false, - "type": "number" + "description": "Persistent session rolling timeout in seconds." } }, { "session_remember_absolute_timeout": { "default": 2592000, - "description": "Persistent session absolute timeout in seconds.", + "type": "number", "required": false, - "type": "number" + "description": "Persistent session absolute timeout in seconds." } }, { "session_idling_timeout": { "default": 900, - "description": "The session cookie idle time in seconds.", + "type": "number", "required": false, - "type": "number" + "description": "The session cookie idle time in seconds." 
} }, { "session_rolling_timeout": { "default": 3600, - "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "type": "number", "required": false, - "type": "number" + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid." } }, { "session_absolute_timeout": { "default": 86400, - "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "type": "number", "required": false, - "type": "number" + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid." } }, { "session_cookie_path": { "default": "/", - "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "starts_with": "/", - "required": false, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ] + ], + "type": "string", + "starts_with": "/", + "required": false, + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." 
} }, { "session_cookie_domain": { + "type": "string", "description": "The session cookie domain flag.", - "required": false, - "type": "string" + "required": false } }, { "session_cookie_same_site": { "default": "Lax", - "type": "string", - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "required": false, "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "type": "string", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." } }, { "session_cookie_http_only": { "default": true, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." } }, { "session_cookie_secure": { + "type": "boolean", "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "required": false, - "type": "boolean" + "required": false } }, { "session_request_headers": { + "type": "set", "elements": { + "type": "string", "one_of": [ "id", "audience", @@ -333,15 +332,15 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ], - "type": "string" - }, - "type": "set" + ] + } } }, { "session_response_headers": { + "type": "set", "elements": { + "type": "string", "one_of": [ "id", "audience", 
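Review bot: The description carried for `session_rolling_timeout` is a copy of the `session_absolute_timeout` text ("The session cookie absolute timeout in seconds…"), so the two limits read as one setting even though their defaults differ (3600 and 86400). Operators sizing session lifetime from this text can misjudge when a session must be renewed; `"description": "The session cookie rolling timeout in seconds. Specifies how long the session can be used until it needs to be renewed."` would match the wording the session plugin schema uses later in this patch. In the same hunk, `request_digest_algorithm` and `response_digest_algorithm` list `SHA1` with no caveat; their descriptions would be safer with a sentence saying that `SHA256` is preferred and `SHA1` is only for an IdP that cannot do better. Since these files are downloaded from the API, the wording presumably has to be corrected in the upstream plugin schema.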
@@ -350,78 +349,76 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ], - "type": "string" - }, - "type": "set" + ] + } } }, { "session_storage": { "default": "cookie", - "type": "string", - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", "required": false, "one_of": [ "cookie", "memcache", "memcached", "redis" - ] + ], + "type": "string", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis" } }, { "session_store_metadata": { "default": false, - "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject." } }, { "session_enforce_same_subject": { "default": false, - "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "When set to `true`, audiences are forced to share the same subject." } }, { "session_hash_subject": { "default": false, - "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." } }, { "session_hash_storage_key": { "default": false, - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." } }, { "session_memcached_prefix": { + "type": "string", "description": "The memcached session key prefix.", - "required": false, - "type": "string" + "required": false } }, { "session_memcached_socket": { + "type": "string", "description": "The memcached unix socket path.", - "required": false, - "type": "string" + "required": false } }, { "session_memcached_host": { "default": "127.0.0.1", - "description": "The memcached host.", + "type": "string", "required": false, - "type": "string" + "description": "The memcached host." } }, { 
@@ -432,30 +429,30 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": false + "required": false, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "session_redis_prefix": { + "type": "string", "description": "The Redis session key prefix.", - "required": false, - "type": "string" + "required": false } }, { "session_redis_socket": { + "type": "string", "description": "The Redis unix socket path.", - "required": false, - "type": "string" + "required": false } }, { "session_redis_host": { "default": "127.0.0.1", - "description": "The Redis host IP.", + "type": "string", "required": false, - "type": "string" + "description": "The Redis host IP." } }, { 
@@ -466,107 +463,107 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": false + "required": false, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "session_redis_username": { + "type": "string", "referenceable": true, - "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", "required": false, - "type": "string" + "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." } }, { "session_redis_password": { - "referenceable": true, "type": "string", + "encrypted": true, + "referenceable": true, "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. This value is pulled from", - "required": false, - "encrypted": true + "required": false } }, { "session_redis_connect_timeout": { + "type": "integer", "description": "The Redis connection timeout in milliseconds.", - "required": false, - "type": "integer" + "required": false } }, { "session_redis_read_timeout": { + "type": "integer", "description": "The Redis read timeout in milliseconds.", - "required": false, - "type": "integer" + "required": false } }, { "session_redis_send_timeout": { + "type": "integer", "description": "The Redis send timeout in milliseconds.", - "required": false, - "type": "integer" + "required": false } }, { "session_redis_ssl": { "default": false, - "description": "Use SSL/TLS for the Redis connection.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "Use SSL/TLS for the Redis connection." 
} }, { "session_redis_ssl_verify": { "default": false, - "description": "Verify the Redis server certificate.", + "type": "boolean", "required": false, - "type": "boolean" + "description": "Verify the Redis server certificate." } }, { "session_redis_server_name": { + "type": "string", "description": "The SNI used for connecting to the Redis server.", - "required": false, - "type": "string" + "required": false } }, { "session_redis_cluster_nodes": { + "type": "array", "required": false, - "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", "elements": { "fields": [ { "ip": { - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", "required": true, - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } } ], "type": "record" }, - "type": "array" + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values." } }, { "session_redis_cluster_max_redirections": { + "type": "integer", "description": "The Redis cluster maximum redirects.", - "required": false, - "type": "integer" + "required": false } } ], @@ -646,5 +643,8 @@ "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/session/3.4.x.json b/schemas/session/3.4.x.json index 09b14172..c985ebc2 100644 --- a/schemas/session/3.4.x.json +++ b/schemas/session/3.4.x.json 
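Review bot: The `session_redis_password` description ends mid-sentence ("This value is pulled from"), so the reader never learns where the value comes from; it should be completed or cut after "…no auth commands are sent to Redis." In the same hunk, `session_redis_ssl_verify` keeps `"default": false` with only "Verify the Redis server certificate." as its description. As far as the schema shows, that means enabling `session_redis_ssl` alone leaves the server certificate unchecked, and a second sentence such as `Set to true when session_redis_ssl is enabled so the Redis server is authenticated as well as the traffic encrypted.` would say so. `session_redis_username` also lacks a space in "desired.If".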
@@ -1,14 +1,11 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { @@ -19,8 +16,10 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing protocols.", + "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -33,19 +32,17 @@ "ws", "wss" ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { 
@@ -53,83 +50,82 @@ "fields": [ { "secret": { - "referenceable": true, - "default": "SlGI58s4QRfcq8J6AW5LSteAUJxQJUqY1pBFtkl3l6Ij", + "default": "jUVc08J7Ji4ZDXVsLUZRvfCyF1cfFrVZ4rnoj9KTVyAi", "type": "string", - "description": "The secret that is used in keyed HMAC generation.", "required": false, - "encrypted": true + "referenceable": true, + "encrypted": true, + "description": "The secret that is used in keyed HMAC generation." } }, { "storage": { - "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", "default": "cookie", "one_of": [ "cookie", "kong" ], - "type": "string" + "type": "string", + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself." } }, { "audience": { - "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", "default": "default", - "type": "string" + "type": "string", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`." } }, { "idling_timeout": { - "description": "The session cookie idle time, in seconds.", "default": 900, - "type": "number" + "type": "number", + "description": "The session cookie idle time, in seconds." } }, { "rolling_timeout": { - "description": "The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed.", "default": 3600, - "type": "number" + "type": "number", + "description": "The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed." 
} }, { "absolute_timeout": { - "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", "default": 86400, - "type": "number" + "type": "number", + "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid." } }, { "stale_ttl": { - "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", "default": 10, - "type": "number" + "type": "number", + "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one." } }, { "cookie_name": { - "description": "The name of the cookie.", "default": "session", - "type": "string" + "type": "string", + "description": "The name of the cookie." } }, { "cookie_path": { - "description": "The resource in the host where the cookie is available.", "default": "/", - "type": "string" + "type": "string", + "description": "The resource in the host where the cookie is available." } }, { "cookie_domain": { - "description": "The domain with which the cookie is intended to be exchanged.", - "type": "string" + "type": "string", + "description": "The domain with which the cookie is intended to be exchanged." } }, { "cookie_same_site": { - "description": "Determines whether and how a cookie may be sent with cross-site requests.", "default": "Strict", "one_of": [ "Strict", 
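Review bot: The `secret` default changes from one random-looking 44-character string to another while nothing else about the field changes, which suggests the value is generated on the instance the schema was downloaded from rather than being a fixed default. Publishing it under `"default"` invites readers to treat it as a usable HMAC secret or copy it into configuration, and it will produce a spurious diff on every download. The download step could replace it with a labelled placeholder such as `"default": "<generated per instance>"`, or drop the key for this field. The description could also state that a random secret is generated when none is configured, once that is confirmed against the plugin.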
@@ -137,55 +133,57 @@ "None", "Default" ], - "type": "string" + "type": "string", + "description": "Determines whether and how a cookie may be sent with cross-site requests." } }, { "cookie_http_only": { - "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", "default": true, - "type": "boolean" + "type": "boolean", + "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server." } }, { "cookie_secure": { - "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", "default": true, - "type": "boolean" + "type": "boolean", + "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol." } }, { "remember": { - "description": "Enables or disables persistent sessions.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Enables or disables persistent sessions." } }, { "remember_cookie_name": { - "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", "default": "remember", - "type": "string" + "type": "string", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter." } }, { "remember_rolling_timeout": { - "description": "The persistent session rolling timeout window, in seconds.", "default": 604800, - "type": "number" + "type": "number", + "description": "The persistent session rolling timeout window, in seconds." } }, { "remember_absolute_timeout": { - "description": "The persistent session absolute timeout limit, in seconds.", "default": 2592000, - "type": "number" + "type": "number", + "description": "The persistent session absolute timeout limit, in seconds." 
} }, { "response_headers": { "description": "List of information to include, as headers, in the response to the downstream.", "elements": { + "type": "string", "one_of": [ "id", "audience", @@ -194,8 +192,7 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ], - "type": "string" + ] }, "type": "set" } @@ -204,6 +201,7 @@ "request_headers": { "description": "List of information to include, as headers, in the response to the downstream.", "elements": { + "type": "string", "one_of": [ "id", "audience", @@ -212,12 +210,17 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ], - "type": "string" + ] }, "type": "set" } }, + { + "read_body_for_logout": { + "default": false, + "type": "boolean" + } + }, { "logout_methods": { "default": [ @@ -225,34 +228,33 @@ "DELETE" ], "description": "A set of HTTP methods that the plugin will respond to.", + "type": "set", "elements": { + "type": "string", "one_of": [ "GET", "POST", "DELETE" - ], - "type": "string" - }, - "type": "set" + ] + } } }, { "logout_query_arg": { - "description": "The query argument passed to logout requests.", "default": "session_logout", - "type": "string" + "type": "string", + "description": "The query argument passed to logout requests." } }, { "logout_post_arg": { - "description": "The POST argument passed to logout requests. Do not change this property.", "default": "session_logout", - "type": "string" + "type": "string", + "description": "The POST argument passed to logout requests. Do not change this property." } } ], "type": "record", - "required": true, "shorthand_fields": [ { "cookie_lifetime": { @@ -289,8 +291,12 @@ "type": "boolean" } } - ] + ], + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/statsd-advanced/3.4.x.json b/schemas/statsd-advanced/3.4.x.json index ea5b48b9..6c8078c6 100644 --- a/schemas/statsd-advanced/3.4.x.json +++ b/schemas/statsd-advanced/3.4.x.json 
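Review bot: The `description` kept for `request_headers` in the `@@ -204,6 +201,7 @@` hunk is word for word the one used for `response_headers` ("…in the response to the downstream"), which reads like a copy-paste left in the source schema. Judging by the field name, these headers presumably go on the request forwarded upstream, which matters to anyone deciding where session id and subject values are exposed. Since the file is downloaded, the fix belongs in the schema source, along the lines of `"description": "List of information to include, as headers, in the request to the upstream."`, after confirming the behaviour.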
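Review bot: `read_body_for_logout` is added in the `@@ -212,12 +210,17 @@` hunk with only `default` and `type`, unlike the neighbouring `logout_methods`, `logout_query_arg` and `logout_post_arg` fields, which all carry a `description`. The commit message says the descriptions now come from the schemas, so this field will render undocumented. It presumably controls whether the request body is read to look for `logout_post_arg`; once confirmed, add a line such as `"description": "Whether to read the request body to detect the logout POST argument."` in the schema source.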
@@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { @@ -11,8 +8,10 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing protocols.", + "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -25,19 +24,17 @@ "ws", "wss" ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { 
@@ -52,101 +49,101 @@ }, { "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 8125, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, { "prefix": { - "description": "String to prefix to each metric's name.", "default": "kong", - "type": "string" + "type": "string", + "description": "String to prefix to each metric's name." } }, { "metrics": { "default": [ { - "stat_type": "counter", + "sample_rate": 1, "name": "request_count", - "sample_rate": 1 + "stat_type": "counter" }, { - "stat_type": "timer", - "name": "latency" + "name": "latency", + "stat_type": "timer" }, { - "stat_type": "timer", - "name": "request_size" + "name": "request_size", + "stat_type": "timer" }, { - "stat_type": "counter", + "sample_rate": 1, "name": "status_count", - "sample_rate": 1 + "stat_type": "counter" }, { - "stat_type": "timer", - "name": "response_size" + "name": "response_size", + "stat_type": "timer" }, { - "stat_type": "set", - "name": "unique_users" + "name": "unique_users", + "stat_type": "set" }, { - "stat_type": "counter", + "sample_rate": 1, "name": "request_per_user", - "sample_rate": 1 + "stat_type": "counter" }, { - "stat_type": "timer", - "name": "upstream_latency" + "name": "upstream_latency", + "stat_type": "timer" }, { - "stat_type": "timer", - "name": "kong_latency" + "name": "kong_latency", + "stat_type": "timer" }, { - "stat_type": "counter", + "sample_rate": 1, "name": "status_count_per_user", - "sample_rate": 1 + "stat_type": "counter" }, { - "stat_type": "counter", "name": "status_count_per_workspace", - "sample_rate": 1 + "sample_rate": 1, + "stat_type": "counter" }, { - "stat_type": "counter", + "sample_rate": 1, "name": "status_count_per_user_per_route", - "sample_rate": 1 + "stat_type": "counter" }, { - "stat_type": "gauge", + "sample_rate": 1, "name": "shdict_usage", - "sample_rate": 1 + 
"stat_type": "gauge" }, { - "stat_type": "counter", "name": "cache_datastore_hits_total", - "sample_rate": 1 + "sample_rate": 1, + "stat_type": "counter" }, { - "stat_type": "counter", "name": "cache_datastore_misses_total", - "sample_rate": 1 + "sample_rate": 1, + "stat_type": "counter" } ], "description": "List of Metrics to be logged.", + "type": "array", "elements": { "fields": [ { "name": { - "required": true, "one_of": [ "kong_latency", "latency", @@ -164,12 +161,12 @@ "cache_datastore_hits_total", "cache_datastore_misses_total" ], + "required": true, "type": "string" } }, { "stat_type": { - "required": true, "one_of": [ "counter", "gauge", @@ -178,6 +175,7 @@ "set", "timer" ], + "required": true, "type": "string" } }, @@ -189,55 +187,53 @@ }, { "consumer_identifier": { + "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ], - "type": "string" + ] } }, { "service_identifier": { + "type": "string", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ], - "type": "string" + ] } }, { "workspace_identifier": { + "type": "string", "one_of": [ "workspace_id", "workspace_name" - ], - "type": "string" + ] } } ], "entity_checks": [ { "conditional": { - "then_match": { - "eq": "set" - }, + "then_field": "stat_type", "if_match": { "one_of": [ "unique_users" ] }, - "then_field": "stat_type", + "then_match": { + "eq": "set" + }, "if_field": "name" } }, { "conditional": { - "then_match": { - "eq": "counter" - }, + "then_field": "stat_type", "if_match": { "one_of": [ "request_count", 
@@ -250,43 +246,44 @@ "cache_datastore_misses_total" ] }, - "then_field": "stat_type", + "then_match": { + "eq": "counter" + }, "if_field": "name" } }, { "conditional": { - "then_match": { - "eq": "gauge" - }, + "then_field": "stat_type", "if_match": { "one_of": [ "shdict_usage" ] }, - "then_field": "stat_type", + "then_match": { + "eq": "gauge" + }, "if_field": "name" } }, { "conditional": { - "then_match": { - "required": true - }, + "then_field": "sample_rate", "if_match": { "one_of": [ "counter", "gauge" ] }, - "then_field": "sample_rate", + "then_match": { + "required": true + }, "if_field": "stat_type" } } ], "type": "record" - }, - "type": "array" + } } }, { 
@@ -301,66 +298,66 @@ }, { "udp_packet_size": { + "default": 0, + "type": "number", "between": [ 0, 65507 ], - "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", - "default": 0, - "type": "number" + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive)." } }, { "use_tcp": { - "description": "Use TCP instead of UDP.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Use TCP instead of UDP." } }, { "hostname_in_prefix": { - "description": "Include the `hostname` in the `prefix` for each metric name.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Include the `hostname` in the `prefix` for each metric name." } }, { "consumer_identifier_default": { "default": "custom_id", "type": "string", - "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", - "required": true, "one_of": [ "consumer_id", "custom_id", "username" - ] + ], + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", + "required": true } }, { "service_identifier_default": { "default": "service_name_or_host", "type": "string", - "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", - "required": true, "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ] + ], + "description": "The default service identifier for metrics. 
This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", + "required": true } }, { "workspace_identifier_default": { "default": "workspace_id", "type": "string", - "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", - "required": true, "one_of": [ "workspace_id", "workspace_name" - ] + ], + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", + "required": true } }, { @@ -368,35 +365,35 @@ "fields": [ { "max_batch_size": { + "default": 1, + "type": "integer", "between": [ 1, 1000000 ], - "default": 1, - "description": "Maximum number of entries that can be processed at a time.", - "type": "integer" + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { + "default": 1, + "type": "number", "between": [ 0, 3600 ], - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "type": "number" + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { + "default": 10000, + "type": "integer", "between": [ 1, 1000000 ], - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue.", - "type": "integer" + "description": "Maximum number of entries that can be waiting on the queue." } }, { 
@@ -407,42 +404,45 @@ }, { "max_retry_time": { - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "default": 60, - "type": "number" + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { + "default": 0.01, + "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch.", - "type": "number" + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { + "default": 60, + "type": "number", "between": [ 0.001, 1000000 ], - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff.", - "type": "number" + "description": "Maximum time in seconds between retries, caps exponential backoff." } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/statsd/3.4.x.json b/schemas/statsd/3.4.x.json index 64c70f11..ba900e2b 100644 --- a/schemas/statsd/3.4.x.json +++ b/schemas/statsd/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { @@ -11,8 +8,10 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing protocols.", + "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -25,19 +24,17 @@ "ws", "wss" ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { 
@@ -52,104 +49,104 @@ }, { "port": { + "default": 8125, + "description": "The port of StatsD server to send data to.", "between": [ 0, 65535 ], - "description": "The port of StatsD server to send data to.", - "default": 8125, "type": "integer" } }, { "prefix": { - "description": "String to prefix to each metric's name.", "default": "kong", - "type": "string" + "type": "string", + "description": "String to prefix to each metric's name." } }, { "metrics": { "default": [ { - "stat_type": "counter", + "sample_rate": 1, "name": "request_count", - "sample_rate": 1 + "stat_type": "counter" }, { - "stat_type": "timer", - "name": "latency" + "name": "latency", + "stat_type": "timer" }, { - "stat_type": "counter", + "sample_rate": 1, "name": "request_size", - "sample_rate": 1 + "stat_type": "counter" }, { - "stat_type": "counter", + "sample_rate": 1, "name": "status_count", - "sample_rate": 1 + "stat_type": "counter" }, { - "stat_type": "counter", + "sample_rate": 1, "name": "response_size", - "sample_rate": 1 + "stat_type": "counter" }, { - "stat_type": "set", - "name": "unique_users" + "name": "unique_users", + "stat_type": "set" }, { - "stat_type": "counter", + "sample_rate": 1, "name": "request_per_user", - "sample_rate": 1 + "stat_type": "counter" }, { - "stat_type": "timer", - "name": "upstream_latency" + "name": "upstream_latency", + "stat_type": "timer" }, { - "stat_type": "timer", - "name": "kong_latency" + "name": "kong_latency", + "stat_type": "timer" }, { - "stat_type": "counter", + "sample_rate": 1, "name": "status_count_per_user", - "sample_rate": 1 + "stat_type": "counter" }, { - "stat_type": "counter", + "sample_rate": 1, "name": "status_count_per_workspace", - "sample_rate": 1 + "stat_type": "counter" }, { - "stat_type": "counter", + "sample_rate": 1, "name": "status_count_per_user_per_route", - "sample_rate": 1 + "stat_type": "counter" }, { - "stat_type": "gauge", + "sample_rate": 1, "name": "shdict_usage", - "sample_rate": 1 + "stat_type": "gauge" }, { - 
"stat_type": "counter", + "sample_rate": 1, "name": "cache_datastore_hits_total", - "sample_rate": 1 + "stat_type": "counter" }, { - "stat_type": "counter", + "sample_rate": 1, "name": "cache_datastore_misses_total", - "sample_rate": 1 + "stat_type": "counter" } ], "description": "List of metrics to be logged.", + "type": "array", "elements": { "fields": [ { "name": { "required": true, - "description": "StatsD metric’s name.", "one_of": [ "kong_latency", "latency", @@ -167,13 +164,13 @@ "cache_datastore_hits_total", "cache_datastore_misses_total" ], - "type": "string" + "type": "string", + "description": "StatsD metric’s name." } }, { "stat_type": { "required": true, - "description": "Determines what sort of event a metric represents.", "one_of": [ "counter", "gauge", @@ -182,46 +179,47 @@ "set", "timer" ], - "type": "string" + "type": "string", + "description": "Determines what sort of event a metric represents." } }, { "sample_rate": { - "description": "Sampling rate", "gt": 0, - "type": "number" + "type": "number", + "description": "Sampling rate" } }, { "consumer_identifier": { - "description": "Authenticated user detail.", "one_of": [ "consumer_id", "custom_id", "username" ], + "description": "Authenticated user detail.", "type": "string" } }, { "service_identifier": { - "description": "Service detail.", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" ], + "description": "Service detail.", "type": "string" } }, { "workspace_identifier": { - "description": "Workspace detail.", "one_of": [ "workspace_id", "workspace_name" ], + "description": "Workspace detail.", "type": "string" } } @@ -229,23 +227,22 @@ "entity_checks": [ { "conditional": { - "then_match": { - "required": true - }, + "then_field": "sample_rate", "if_match": { "one_of": [ "counter", "gauge" ] }, - "then_field": "sample_rate", + "then_match": { + "required": true + }, "if_field": "stat_type" } } ], "type": "record" - }, - "type": "array" + } } }, { 
@@ -260,11 +257,11 @@ }, { "udp_packet_size": { + "default": 0, "between": [ 0, 65507 ], - "default": 0, "type": "number" } }, @@ -282,19 +279,18 @@ }, { "consumer_identifier_default": { - "required": true, "default": "custom_id", "one_of": [ "consumer_id", "custom_id", "username" ], - "type": "string" + "type": "string", + "required": true } }, { "service_identifier_default": { - "required": true, "default": "service_name_or_host", "one_of": [ "service_id", @@ -302,18 +298,19 @@ "service_host", "service_name_or_host" ], - "type": "string" + "type": "string", + "required": true } }, { "workspace_identifier_default": { - "required": true, "default": "workspace_id", "one_of": [ "workspace_id", "workspace_name" ], - "type": "string" + "type": "string", + "required": true } }, { @@ -333,13 +330,13 @@ }, { "tag_style": { - "required": false, "one_of": [ "dogstatsd", "influxdb", "librato", "signalfx" ], + "required": false, "type": "string" } }, @@ -348,35 +345,35 @@ "fields": [ { "max_batch_size": { + "default": 1, + "type": "integer", "between": [ 1, 1000000 ], - "default": 1, - "description": "Maximum number of entries that can be processed at a time.", - "type": "integer" + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { + "default": 1, + "type": "number", "between": [ 0, 3600 ], - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "type": "number" + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { + "default": 10000, + "type": "integer", "between": [ 1, 1000000 ], - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue.", - "type": "integer" + "description": "Maximum number of entries that can be waiting on the queue." } }, { 
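Review bot: `udp_packet_size` in `schemas/statsd/3.4.x.json` still has no `description` after this download, while the same field in `schemas/statsd-advanced/3.4.x.json` documents both the meaning of zero and the 0–65507 range. The same gap applies to `consumer_identifier_default`, `service_identifier_default` and `workspace_identifier_default` in the `@@ -282,19 +279,18 @@` and `@@ -302,18 +298,19 @@` hunks. If the two plugins behave alike here, the statsd-advanced wording can be reused in the source schema, e.g. `"description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive)."`.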
@@ -387,36 +384,36 @@ }, { "max_retry_time": { - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "default": 60, - "type": "number" + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { + "default": 0.01, + "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch.", - "type": "number" + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { + "default": 60, + "type": "number", "between": [ 0.001, 1000000 ], - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff.", - "type": "number" + "description": "Maximum time in seconds between retries, caps exponential backoff." } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } ], @@ -431,9 +428,12 @@ } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/syslog/3.4.x.json b/schemas/syslog/3.4.x.json index 2bfc7bad..f6f14d64 100644 --- a/schemas/syslog/3.4.x.json +++ b/schemas/syslog/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { @@ -11,8 +8,10 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing protocols.", + "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -25,19 +24,17 @@ "ws", "wss" ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -45,7 +42,6 @@ "fields": [ { "log_level": { - "required": true, "default": "info", "one_of": [ "debug", @@ -57,12 +53,12 @@ "alert", "emerg" ], + "required": true, "type": "string" } }, { "successful_severity": { - "required": true, "default": "info", "one_of": [ "debug", @@ -74,12 +70,12 @@ "alert", "emerg" ], + "required": true, "type": "string" } }, { "client_errors_severity": { - "required": true, "default": "info", "one_of": [ "debug", @@ -91,12 +87,12 @@ "alert", "emerg" ], + "required": true, "type": "string" } }, { "server_errors_severity": { - "required": true, "default": "info", "one_of": [ "debug", @@ -108,28 +104,27 @@ "alert", "emerg" ], + "required": true, "type": "string" } }, { "custom_fields_by_lua": { - "keys": { + "values": { "len_min": 1, "type": "string" }, - "description": "Lua code as a key-value map", - "values": { + "keys": { "len_min": 1, "type": "string" }, - "type": "map" + "type": "map", + "description": "Lua code as a key-value map" } }, { "facility": { "default": "user", - "type": "string", - "description": "The facility is used by the operating system to decide how to handle each log message.", "required": true, "one_of": [ "auth", 
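Review bot: The `description` of `custom_fields_by_lua` in the `@@ -108,28 +104,27 @@` hunk is only "Lua code as a key-value map", which does not tell an operator that the values are code the gateway runs. The tcp-log schema in this same patch has the fuller wording, and the udp-log hunk `@@ -56,36 +53,39 @@` has the same terse text as syslog. I would align both in the schema source with `"description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value."`. That makes it clear in the rendered docs that write access to this field amounts to running Lua in the gateway and should be restricted accordingly.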
@@ -152,13 +147,18 @@ "local5", "local6", "local7" - ] + ], + "type": "string", + "description": "The facility is used by the operating system to decide how to handle each log message." } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/tcp-log/3.4.x.json b/schemas/tcp-log/3.4.x.json index 72d6f752..6f7de3c9 100644 --- a/schemas/tcp-log/3.4.x.json +++ b/schemas/tcp-log/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { @@ -11,8 +8,10 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing protocols.", + "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -25,19 +24,17 @@ "ws", "wss" ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -46,8 +43,8 @@ { "host": { "description": "The IP address or host name to send data to.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { 
@@ -63,24 +60,24 @@ }, { "timeout": { - "description": "An optional timeout in milliseconds when sending data to the upstream server.", "default": 10000, - "type": "number" + "type": "number", + "description": "An optional timeout in milliseconds when sending data to the upstream server." } }, { "keepalive": { - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", "default": 60000, - "type": "number" + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." } }, { "tls": { - "description": "Indicates whether to perform a TLS handshake against the remote server.", "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "description": "Indicates whether to perform a TLS handshake against the remote server.", + "required": true } }, { @@ -95,18 +92,21 @@ "len_min": 1, "type": "string" }, - "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", "keys": { "len_min": 1, "type": "string" }, + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", "type": "map" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/tls-handshake-modifier/3.4.x.json b/schemas/tls-handshake-modifier/3.4.x.json index b1be13fb..199a62e6 100644 --- a/schemas/tls-handshake-modifier/3.4.x.json +++ b/schemas/tls-handshake-modifier/3.4.x.json 
@@ -1,40 +1,37 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "required": true, "default": [ "https", "grpcs" ], + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "https", "grpcs", "tls" - ], - "type": "string" - }, - "type": "set" + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -43,18 +40,21 @@ { "tls_client_certificate": { "default": "REQUEST", - "type": "string", - "description": "TLS Client Certificate", "required": false, "one_of": [ "REQUEST" - ] + ], + "description": "TLS Client Certificate", + "type": "string" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/tls-metadata-headers/3.4.x.json b/schemas/tls-metadata-headers/3.4.x.json index b603b3e1..83edf9aa 100644 --- a/schemas/tls-metadata-headers/3.4.x.json +++ b/schemas/tls-metadata-headers/3.4.x.json 
@@ -1,40 +1,37 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { "protocols": { - "required": true, "default": [ "https", "grpcs" ], + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "https", "grpcs", "tls" - ], - "type": "string" - }, - "type": "set" + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { 
@@ -42,55 +39,58 @@ "fields": [ { "inject_client_cert_details": { - "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", "default": false, - "type": "boolean" + "type": "boolean", + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers." } }, { "client_cert_header_name": { "default": "X-Client-Cert", "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "client_serial_header_name": { "default": "X-Client-Cert-Serial", "description": "Define the HTTP header name used for the serial number of the client certificate.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "client_cert_issuer_dn_header_name": { "default": "X-Client-Cert-Issuer-DN", "description": "Define the HTTP header name used for the issuer DN of the client certificate.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "client_cert_subject_dn_header_name": { "default": "X-Client-Cert-Subject-DN", "description": "Define the HTTP header name used for the subject DN of the client certificate.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "client_cert_fingerprint_header_name": { "default": "X-Client-Cert-Fingerprint", "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", - "required": true, - "type": "string" + "type": "string", + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/udp-log/3.4.x.json b/schemas/udp-log/3.4.x.json index 454bfece..231ce3f9 100644 --- a/schemas/udp-log/3.4.x.json +++ b/schemas/udp-log/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { 
@@ -11,8 +8,10 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing protocols.", + "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -25,19 +24,17 @@ "ws", "wss" ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -46,8 +43,8 @@ { "host": { "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { @@ -56,36 +53,39 @@ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, { "timeout": { - "description": "An optional timeout in milliseconds when sending data to the upstream server.", "default": 10000, - "type": "number" + "type": "number", + "description": "An optional timeout in milliseconds when sending data to the upstream server." } }, { "custom_fields_by_lua": { - "keys": { + "values": { "len_min": 1, "type": "string" }, - "description": "Lua code as a key-value map", - "values": { + "keys": { "len_min": 1, "type": "string" }, - "type": "map" + "type": "map", + "description": "Lua code as a key-value map" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
diff --git a/schemas/upstream-timeout/3.4.x.json b/schemas/upstream-timeout/3.4.x.json index b5569d95..bc2d498d 100644 --- a/schemas/upstream-timeout/3.4.x.json +++ b/schemas/upstream-timeout/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { @@ -11,26 +8,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -42,8 +39,8 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -52,8 +49,8 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -62,14 +59,17 @@ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/vault-auth/3.4.x.json b/schemas/vault-auth/3.4.x.json index e41bf777..04c2f822 100644 
--- a/schemas/vault-auth/3.4.x.json +++ b/schemas/vault-auth/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { @@ -11,34 +8,34 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { "consumer": { - "type": "foreign", + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "type": "foreign" } }, { 
@@ -47,40 +44,40 @@ { "access_token_name": { "default": "access_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "type": "string", + "required": true, "elements": { "type": "string", "description": "A string representing an HTTP header name." - }, - "type": "string", - "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", - "required": true + } } }, { "secret_token_name": { "default": "secret_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "type": "string", + "required": true, "elements": { "type": "string", "description": "A string representing an HTTP header name." - }, - "type": "string", - "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. 
The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", - "required": true + } } }, { "vault": { - "reference": "vault_auth_vaults", + "type": "foreign", "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", - "required": true, - "type": "foreign" + "reference": "vault_auth_vaults", + "required": true } }, { "hide_credentials": { "default": false, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", - "type": "boolean" + "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it." } }, { 
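Review bot: In the vault-auth hunk `@@ -47,40 +44,40 @@`, `access_token_name` and `secret_token_name` are declared `"type": "string"` but also carry an `elements` block and a description that begins "Describes an array of comma-separated parameter names". The schema contradicts its own text. Anything that validates configuration or renders documentation from this file will treat each field as a single string (defaults `access_token` and `secret_token`), so an operator cannot tell from the schema which names the plugin accepts credentials under. If a single name is the intended shape, the description should open with something like `The parameter name (header or querystring) in which the plugin looks for an access token.` and `elements` should be dropped. Because this file is pulled from the API, the correction presumably belongs in the plugin's schema source.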
@@ -92,21 +89,24 @@ { "tokens_in_body": { "default": false, - "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", - "type": "boolean" + "type": "boolean", + "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." } }, { "run_on_preflight": { "default": true, - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", - "type": "boolean" + "type": "boolean", + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed." } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/websocket-size-limit/3.4.x.json b/schemas/websocket-size-limit/3.4.x.json index ab4a9625..a2aae773 100644 --- a/schemas/websocket-size-limit/3.4.x.json +++ b/schemas/websocket-size-limit/3.4.x.json 
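Review bot: The `tokens_in_body` description lists `application/www-form-urlencoded` as a supported MIME type, but the registered form media type is `application/x-www-form-urlencoded`. The text decides which request bodies an operator expects to be searched for credentials, so it should read `application/x-www-form-urlencoded`. This hunk does not show whether the plugin itself matches on the misspelled value; that is worth confirming against the plugin source before the description is corrected.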
@@ -1,31 +1,28 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "default": [ "ws", "wss" ], + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "ws", "wss" - ], - "type": "string" - }, - "type": "set" + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -37,8 +34,8 @@ 1, 33554432 ], - "required": false, - "type": "integer" + "type": "integer", + "required": false } }, { @@ -47,8 +44,8 @@ 1, 33554432 ], - "required": false, - "type": "integer" + "type": "integer", + "required": false } } ], @@ -60,9 +57,12 @@ ] } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/websocket-validator/3.4.x.json b/schemas/websocket-validator/3.4.x.json index df5dbd2c..39184feb 100644 --- a/schemas/websocket-validator/3.4.x.json +++ b/schemas/websocket-validator/3.4.x.json @@ -1,31 +1,28 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "default": [ "ws", "wss" ], + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "ws", "wss" - ], - "type": "string" - }, - "type": "set" + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { 
@@ -40,18 +37,18 @@ { "type": { "required": true, - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" ], + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "type": "string" } }, { "schema": { - "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "required": true, - "type": "string" + "type": "string", + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." } } ], @@ -65,8 +62,8 @@ } } ], - "required": false, - "type": "record" + "type": "record", + "required": false } }, { @@ -75,18 +72,18 @@ { "type": { "required": true, - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" ], + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "type": "string" } }, { "schema": { - "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "required": true, - "type": "string" + "type": "string", + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." } } ], @@ -100,8 +97,8 @@ } } ], - "required": false, - "type": "record" + "type": "record", + "required": false } } ], @@ -113,8 +110,8 @@ ] } ], - "required": false, - "type": "record" + "type": "record", + "required": false } }, { 
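Review bot: The `type` and `schema` descriptions in hunk `@@ -40,18 +37,18 @@` refer to `config.upstream.binary.schema`, `config.upstream.binary.type` and "upstream-originated binary frames". Identical text recurs in `@@ -75,18 +72,18 @@`, `@@ -126,18 +123,18 @@` and `@@ -161,18 +158,18 @@`. The enclosing field names fall outside these hunks, but if the four pairs are the client/upstream and text/binary combinations, at least three of them describe the wrong frame direction or type. For a validation plugin this makes it unclear which schema is enforced on which traffic. Each pair should name its own path, for example `Schema used to validate client-originated text frames. The semantics of this field depend on the validation type set by config.client.text.type.` for the client text pair, once the mapping is confirmed against the plugin schema.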
@@ -126,18 +123,18 @@ { "type": { "required": true, - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" ], + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "type": "string" } }, { "schema": { - "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "required": true, - "type": "string" + "type": "string", + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." } } ], @@ -151,8 +148,8 @@ } } ], - "required": false, - "type": "record" + "type": "record", + "required": false } }, { @@ -161,18 +158,18 @@ { "type": { "required": true, - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" ], + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "type": "string" } }, { "schema": { - "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "required": true, - "type": "string" + "type": "string", + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." } } ], @@ -186,8 +183,8 @@ } } ], - "required": false, - "type": "record" + "type": "record", + "required": false } } ], @@ -199,8 +196,8 @@ ] } ], - "required": false, - "type": "record" + "type": "record", + "required": false } } ], 
@@ -212,9 +209,12 @@ ] } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/xml-threat-protection/3.4.x.json b/schemas/xml-threat-protection/3.4.x.json index 5f9354d1..7764e5bb 100644 --- a/schemas/xml-threat-protection/3.4.x.json +++ b/schemas/xml-threat-protection/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { @@ -11,26 +8,26 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing HTTP protocols.", + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true + ] + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { @@ -41,14 +38,14 @@ "default": [ "application/xml" ], + "description": "A list of Content-Type values with payloads that must be validated.", + "required": true, + "type": "set", "elements": { - "match": "^[^%s]+%/[^ ;]+$", "required": true, - "type": "string" - }, - "type": "set", - "description": "A list of Content-Type values with payloads that must be validated.", - "required": true + "type": "string", + "match": "^[^%s]+%/[^ ;]+$" + } } }, { @@ -56,14 +53,14 @@ "default": [ ], + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", + "required": true, + "type": "set", "elements": { - "match": "^[^%s]+%/[^ ;]+$", "required": true, - "type": "string" - }, - "type": "set", - "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", - "required": true + "type": "string", + "match": "^[^%s]+%/[^ ;]+$" + } } }, { 
@@ -85,216 +82,219 @@ { "max_depth": { "default": 50, + "gt": 0, "type": "integer", - "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", "required": true, - "gt": 0 + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level." } }, { "max_children": { "default": 100, + "gt": 0, "type": "integer", - "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", "required": true, - "gt": 0 + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child." } }, { "max_attributes": { "default": 100, + "gt": 0, "type": "integer", - "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", "required": true, - "gt": 0 + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes." } }, { "max_namespaces": { "default": 20, + "gt": 0, "type": "integer", - "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", "required": false, - "gt": 0 + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware." 
} }, { "document": { + "default": 10485760, "gt": 0, - "type": "integer", "description": "Maximum size of the entire document.", "required": true, - "default": 10485760 + "type": "integer" } }, { "buffer": { + "default": 1048576, "gt": 0, - "type": "integer", "description": "Maximum size of the unparsed buffer (see below).", "required": true, - "default": 1048576 + "type": "integer" } }, { "comment": { + "default": 1024, "gt": 0, - "type": "integer", "description": "Maximum size of comments.", "required": true, - "default": 1024 + "type": "integer" } }, { "localname": { + "default": 1024, "gt": 0, - "type": "integer", "description": "Maximum size of the localname. This applies to tags and attributes.", "required": true, - "default": 1024 + "type": "integer" } }, { "prefix": { + "default": 1024, "gt": 0, - "type": "integer", "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", "required": false, - "default": 1024 + "type": "integer" } }, { "namespaceuri": { + "default": 1024, "gt": 0, - "type": "integer", "description": "Maximum size of the namespace URI. 
This value is required if parsing is namespace-aware.", "required": false, - "default": 1024 + "type": "integer" } }, { "attribute": { + "default": 1048576, "gt": 0, - "type": "integer", "description": "Maximum size of the attribute value.", "required": true, - "default": 1048576 + "type": "integer" } }, { "text": { + "default": 1048576, "gt": 0, - "type": "integer", "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", "required": true, - "default": 1048576 + "type": "integer" } }, { "pitarget": { + "default": 1024, "gt": 0, - "type": "integer", "description": "Maximum size of processing instruction targets.", "required": true, - "default": 1024 + "type": "integer" } }, { "pidata": { + "default": 1024, "gt": 0, - "type": "integer", "description": "Maximum size of processing instruction data.", "required": true, - "default": 1024 + "type": "integer" } }, { "entityname": { + "default": 1024, "gt": 0, - "type": "integer", "description": "Maximum size of entity names in EntityDecl.", "required": true, - "default": 1024 + "type": "integer" } }, { "entity": { + "default": 1024, "gt": 0, - "type": "integer", "description": "Maximum size of entity values in EntityDecl.", "required": true, - "default": 1024 + "type": "integer" } }, { "entityproperty": { + "default": 1024, "gt": 0, - "type": "integer", "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", "required": true, - "default": 1024 + "type": "integer" } }, { "bla_max_amplification": { "default": 100, + "gt": 1, "type": "number", - "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", "required": true, - "gt": 1 + "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack." } }, { "bla_threshold": { + "default": 8388608, "gt": 1024, - "type": "integer", "description": "Sets the threshold after which the protection starts. 
This protects against the Billion Laughs Attack.", "required": true, - "default": 8388608 + "type": "integer" } } ], "entity_checks": [ { "conditional": { - "then_match": { - "required": true - }, + "then_field": "max_namespaces", "if_match": { "eq": true }, - "then_field": "max_namespaces", + "then_match": { + "required": true + }, "if_field": "namespace_aware" } }, { "conditional": { - "then_match": { - "required": true - }, + "then_field": "prefix", "if_match": { "eq": true }, - "then_field": "prefix", + "then_match": { + "required": true + }, "if_field": "namespace_aware" } }, { "conditional": { - "then_match": { - "required": true - }, + "then_field": "namespaceuri", "if_match": { "eq": true }, - "then_field": "namespaceuri", + "then_match": { + "required": true + }, "if_field": "namespace_aware" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/zipkin/3.4.x.json b/schemas/zipkin/3.4.x.json index e7df563b..d847ac37 100644 --- a/schemas/zipkin/3.4.x.json +++ b/schemas/zipkin/3.4.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { @@ -11,8 +8,10 @@ "http", "https" ], + "required": true, + "description": "A set of strings representing protocols.", + "type": "set", "elements": { - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -25,19 +24,17 @@ "ws", "wss" ], - "type": "string" - }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + } } }, { "consumer_group": { - "type": "foreign", + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumer_groups" + "type": "foreign" } }, { 
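Review bot: In the xml-threat-protection hunk `@@ -85,216 +82,219 @@`, none of the size limits (`document`, `buffer`, `comment`, `localname`, `prefix`, `namespaceuri`, `attribute`, `text`, `pitarget`, `pidata`, `entityname`, `entity`, `entityproperty`, `bla_threshold`) states a unit. Defaults such as 10485760 and 1048576 suggest bytes, but the descriptions never say so. These values bound what the XML parser will accept, so an operator who assumes a different unit ends up with limits far looser or tighter than intended. Each description should name the unit once it is confirmed upstream, e.g. `"description": "Maximum size of the entire document, in bytes."`. The `buffer` description also ends with "(see below)", which points at nothing inside a schema file and should be replaced by the explanation it refers to.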
@@ -45,10 +42,10 @@ "fields": [ { "local_service_name": { - "description": "The name of the service as displayed in Zipkin.", "default": "kong", + "type": "string", "required": true, - "type": "string" + "description": "The name of the service as displayed in Zipkin." } }, { @@ -59,47 +56,45 @@ }, { "sample_ratio": { + "default": 0.001, + "type": "number", "between": [ 0, 1 ], - "default": 0.001, - "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", - "type": "number" + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. " } }, { "default_service_name": { - "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans.", - "type": "string" + "type": "string", + "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans." } }, { "include_credential": { - "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", "default": true, + "type": "boolean", "required": true, - "type": "boolean" + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server." } }, { "traceid_byte_count": { "default": 16, "type": "integer", - "description": "The length in bytes of each request's Trace ID.", - "required": true, "one_of": [ 8, 16 - ] + ], + "required": true, + "description": "The length in bytes of each request's Trace ID." } }, { "header_type": { "default": "preserve", "type": "string", - "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", - "required": true, "one_of": [ "preserve", "ignore", 
@@ -109,16 +104,17 @@ "jaeger", "ot", "aws", - "datadog" - ] + "datadog", + "gcp" + ], + "required": true, + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests" } }, { "default_header_type": { "default": "b3", "type": "string", - "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", - "required": true, "one_of": [ "b3", "b3-single", @@ -126,26 +122,29 @@ "jaeger", "ot", "aws", - "datadog" - ] + "datadog", + "gcp" + ], + "required": true, + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored." } }, { "tags_header": { - "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", "default": "Zipkin-Tags", + "type": "string", "required": true, - "type": "string" + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property." } }, { "static_tags": { "description": "The tags specified on this property will be added to the generated request traces.", + "type": "array", "elements": { "fields": [ { "name": { - "type": "string", "required": true, "not_one_of": [ "error", 
@@ -161,63 +160,63 @@ "kong.service", "lc", "peer.hostname" - ] + ], + "type": "string" } }, { "value": { - "required": true, - "type": "string" + "type": "string", + "required": true } } ], "type": "record" - }, - "type": "array" + } } }, { "http_span_name": { "default": "method", "type": "string", - "description": "Specify whether to include the HTTP path in the span name.", - "required": true, "one_of": [ "method", "method_path" - ] + ], + "required": true, + "description": "Specify whether to include the HTTP path in the span name." } }, { "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, { "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, { "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, @@ -230,12 +229,12 @@ "phase_duration_flavor": { "default": "annotations", "type": "string", - "description": "Specify whether to include the duration of each phase as an annotation or a tag.", - "required": true, "one_of": [ "annotations", "tags" - ] + ], + "required": true, + "description": "Specify whether to include the duration of each phase as an annotation or a tag." } }, { 
@@ -243,35 +242,35 @@ "fields": [ { "max_batch_size": { + "default": 1, + "type": "integer", "between": [ 1, 1000000 ], - "default": 1, - "description": "Maximum number of entries that can be processed at a time.", - "type": "integer" + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { + "default": 1, + "type": "number", "between": [ 0, 3600 ], - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "type": "number" + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { + "default": 10000, + "type": "integer", "between": [ 1, 1000000 ], - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue.", - "type": "integer" + "description": "Maximum number of entries that can be waiting on the queue." } }, { 
@@ -282,42 +281,45 @@ }, { "max_retry_time": { - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "default": 60, - "type": "number" + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { + "default": 0.01, + "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch.", - "type": "number" + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { + "default": 60, + "type": "number", "between": [ 0.001, 1000000 ], - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff.", - "type": "number" + "description": "Maximum time in seconds between retries, caps exponential backoff." } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file From 8c97c68ec06ade81968b3e4e60532107d1469014 Mon Sep 17 00:00:00 2001 From: "lena.larionova" Date: Wed, 25 Oct 2023 10:23:12 -0700 Subject: [PATCH 017/165] remove 3.5 fields from 3.4 --- schemas/acme/3.4.x.json | 8 - schemas/cors/3.4.x.json | 8 - schemas/mocking/3.4.x.json | 8 - schemas/oas-validation/3.4.x.json | 8 - schemas/openid-connect/3.4.x.json | 1592 +++++++++++------------ schemas/opentelemetry/3.4.x.json | 1 - schemas/proxy-cache-advanced/3.4.x.json | 27 - schemas/proxy-cache/3.4.x.json | 27 - schemas/session/3.4.x.json | 6 - schemas/zipkin/3.4.x.json | 14 +- 10 files changed, 775 insertions(+), 924 deletions(-) diff --git a/schemas/acme/3.4.x.json b/schemas/acme/3.4.x.json index b9ccedd9..965bdb31 100644 --- a/schemas/acme/3.4.x.json +++ b/schemas/acme/3.4.x.json 
@@ -290,14 +290,6 @@ "type": "string", "description": "A namespace to prepend to all keys stored in Redis." } - }, - { - "scan_count": { - "default": 10, - "description": "The number of keys to return in Redis SCAN calls.", - "type": "number", - "required": false - } } ], "type": "record", diff --git a/schemas/cors/3.4.x.json b/schemas/cors/3.4.x.json index a7c1954a..06e1fac2 100644 --- a/schemas/cors/3.4.x.json +++ b/schemas/cors/3.4.x.json @@ -115,14 +115,6 @@ "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value." } }, - { - "private_network": { - "default": false, - "required": true, - "type": "boolean", - "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value." - } - }, { "preflight_continue": { "default": false, diff --git a/schemas/mocking/3.4.x.json b/schemas/mocking/3.4.x.json index 7e95402a..5a53d3f9 100644 --- a/schemas/mocking/3.4.x.json +++ b/schemas/mocking/3.4.x.json @@ -91,14 +91,6 @@ "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", "type": "boolean" } - }, - { - "include_base_path": { - "default": false, - "required": true, - "description": "Indicates whether to include the base path when performing path match evaluation.", - "type": "boolean" - } } ], "type": "record", diff --git a/schemas/oas-validation/3.4.x.json b/schemas/oas-validation/3.4.x.json index d4d23860..750534e9 100644 --- a/schemas/oas-validation/3.4.x.json +++ b/schemas/oas-validation/3.4.x.json 
@@ -127,14 +127,6 @@ "required": false, "type": "string" } - }, - { - "include_base_path": { - "default": false, - "description": "Indicates whether to include the base path when performing path match evaluation.", - "required": true, - "type": "boolean" - } } ], "type": "record", diff --git a/schemas/openid-connect/3.4.x.json b/schemas/openid-connect/3.4.x.json index e9291b9b..a2e67232 100644 --- a/schemas/openid-connect/3.4.x.json +++ b/schemas/openid-connect/3.4.x.json @@ -2,23 +2,14 @@ "fields": [ { "consumer": { - "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumers" } }, { "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols.", - "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -27,82 +18,161 @@ "http", "https" ] - } + }, + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { + "shorthand_fields": [ + { + "authorization_cookie_lifetime": { + "type": "number" + } + }, + { + "authorization_cookie_samesite": { + "type": "string" + } + }, + { + "authorization_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_cookie_lifetime": { + "type": "number" + } + }, + { + "session_cookie_idletime": { + "type": "number" + } + }, + { + "session_cookie_samesite": { + "type": "string" + } + }, + { + "session_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "type": "string" + } + }, + { + "session_memcache_socket": { + "type": "string" + } + }, + { + "session_memcache_host": { + "type": "string" + } + }, + { + "session_memcache_port": { + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer" + } + }, + { + "session_cookie_renew": { + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "type": "integer" + } + }, + { + "session_strategy": { + "type": "string" + } + }, + { + "session_compressor": { + "type": "string" + } + } + ], + "type": "record", + "required": true, "fields": [ { "issuer": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": true, "type": "string", - "required": true + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
} }, { "discovery_headers_names": { - "description": "Extra header names passed to the discovery endpoint.", "required": false, + "type": "array", + "description": "Extra header names passed to the discovery endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "discovery_headers_values": { - "description": "Extra header values passed to the discovery endpoint.", "required": false, + "type": "array", + "description": "Extra header values passed to the discovery endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "extra_jwks_uris": { - "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "required": false, + "type": "set", + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "type": "set" + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "rediscovery_lifetime": { "default": 30, + "type": "number", "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", - "required": false, - "type": "number" + "required": false } }, { "auth_methods": { - "default": [ - "password", - "client_credentials", - "authorization_code", - "bearer", - "introspection", - "userinfo", - "kong_oauth2", - "refresh_token", - "session" - ], - "type": "array", - "description": "Types of credentials/grants to enable.", - "required": false, "elements": { "type": "string", "one_of": [ 
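Review bot: The sixteen entries added under `shorthand_fields` at the top of `config` carry only a `type`, so a reader of the 3.4 schema cannot tell what each one maps to or which values it accepts. `authorization_cookie_samesite` is a bare string here, while `authorization_cookie_same_site` further down the file is restricted with `one_of` to `Strict`, `Lax`, `None` and `Default`; whether the shorthand is validated after translation is not visible in this diff. If these are legacy aliases of the current cookie and session options, say so per entry, for example `"description": "Legacy name for authorization_cookie_same_site; accepts the same values."`. The commit is titled as a removal of 3.5 fields, so it is also worth confirming that these additions belong in the 3.4 schema. The `config` record continues beyond this hunk.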
@@ -116,37 +186,52 @@ "refresh_token", "session" ] - } + }, + "type": "array", + "description": "Types of credentials/grants to enable.", + "required": false, + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] } }, { "client_id": { - "encrypted": true, - "type": "array", - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", - "required": false, "elements": { "referenceable": true, "type": "string" - } + }, + "type": "array", + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "encrypted": true, + "required": false } }, { "client_secret": { - "encrypted": true, - "type": "array", - "description": "The client secret.", - "required": false, "elements": { "referenceable": true, "type": "string" - } + }, + "type": "array", + "description": "The client secret.", + "encrypted": true, + "required": false } }, { "client_auth": { - "description": "The authentication method used by the client (plugin) when calling the endpoint.", "required": false, + "type": "array", + "description": "The authentication method used by the client (plugin) when calling the endpoint.", "elements": { "type": "string", "one_of": [ 
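Review bot: The `auth_methods` default in this hunk lists all nine methods, `password` and `client_credentials` among them, and the description `Types of credentials/grants to enable.` does not say that leaving the field unset accepts every one of them. I would extend it to something like `"description": "Types of credentials/grants to enable. All methods are enabled by default; list only the ones the route needs."`. In the same hunk `client_secret` is described only as `The client secret.` although the entry is `encrypted` and its elements are `referenceable`; one more sentence saying a vault reference can be stored instead of the literal value would help operators keep secrets out of declarative config. The enclosing `config` record starts and ends outside this hunk.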
@@ -156,202 +241,202 @@ "private_key_jwt", "none" ] - }, - "type": "array" + } } }, { "client_jwk": { + "required": false, "type": "array", "elements": { + "required": false, + "type": "record", "fields": [ { "issuer": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "kty": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "use": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "key_ops": { "required": false, + "type": "array", "elements": { - "type": "string", - "required": false - }, - "type": "array" + "required": false, + "type": "string" + } } }, { "alg": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "kid": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5u": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5c": { "required": false, + "type": "array", "elements": { - "type": "string", - "required": false - }, - "type": "array" + "required": false, + "type": "string" + } } }, { "x5t": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5t#S256": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "k": { + "encrypted": true, "type": "string", "referenceable": true, - "encrypted": true, "required": false } }, { "x": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "y": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "crv": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "n": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "e": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "d": { + "encrypted": true, "type": "string", "referenceable": true, - 
"encrypted": true, "required": false } }, { "p": { + "encrypted": true, "type": "string", "referenceable": true, - "encrypted": true, "required": false } }, { "q": { + "encrypted": true, "type": "string", "referenceable": true, - "encrypted": true, "required": false } }, { "dp": { + "encrypted": true, "type": "string", "referenceable": true, - "encrypted": true, "required": false } }, { "dq": { + "encrypted": true, "type": "string", "referenceable": true, - "encrypted": true, "required": false } }, { "qi": { + "encrypted": true, "type": "string", "referenceable": true, - "encrypted": true, "required": false } }, { "oth": { + "encrypted": true, "type": "string", "referenceable": true, - "encrypted": true, "required": false } }, { "r": { + "encrypted": true, "type": "string", "referenceable": true, - "encrypted": true, "required": false } }, { "t": { + "encrypted": true, "type": "string", "referenceable": true, - "encrypted": true, "required": false } } - ], - "required": false, - "type": "record" - }, - "required": false + ] + } } }, { "client_alg": { + "required": false, "type": "array", "elements": { "type": "string", 
@@ -370,415 +455,408 @@ "PS512", "EdDSA" ] - }, - "required": false + } } }, { "client_arg": { "default": "client_id", + "type": "string", "description": "The client to use for this request (the selection is made with a request parameter with the same name).", - "required": false, - "type": "string" + "required": false } }, { "redirect_uri": { - "description": "The redirect URI passed to the authorization and token endpoints.", "required": false, + "type": "array", + "description": "The redirect URI passed to the authorization and token endpoints.", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "type": "array" + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "login_redirect_uri": { - "description": "Where to redirect the client when `login_action` is set to `redirect`.", "required": false, + "type": "array", + "description": "Where to redirect the client when `login_action` is set to `redirect`.", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "type": "array" + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "logout_redirect_uri": { - "description": "Where to redirect the client after the logout.", "required": false, + "type": "array", + "description": "Where to redirect the client after the logout.", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
- }, - "type": "array" + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "forbidden_redirect_uri": { - "description": "Where to redirect the client on forbidden requests.", "required": false, + "type": "array", + "description": "Where to redirect the client on forbidden requests.", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "type": "array" + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "forbidden_error_message": { "default": "Forbidden", + "type": "string", "description": "The error message for the forbidden requests (when not using the redirection).", - "required": false, - "type": "string" + "required": false } }, { "forbidden_destroy_session": { "default": true, + "type": "boolean", "description": "Destroy any active session for the forbidden requests.", - "required": false, - "type": "boolean" - } - }, - { - "unauthorized_destroy_session": { - "default": true, - "description": "Destroy any active session for the unauthorized requests.", - "required": false, - "type": "boolean" + "required": false } }, { "unauthorized_redirect_uri": { - "description": "Where to redirect the client on unauthorized requests.", "required": false, + "type": "array", + "description": "Where to redirect the client on unauthorized requests.", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
- }, - "type": "array" + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "unauthorized_error_message": { "default": "Unauthorized", + "type": "string", "description": "The error message for the unauthorized requests (when not using the redirection).", - "required": false, - "type": "string" + "required": false } }, { "unexpected_redirect_uri": { - "description": "Where to redirect the client when unexpected errors happen with the requests.", "required": false, + "type": "array", + "description": "Where to redirect the client when unexpected errors happen with the requests.", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "type": "array" + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "response_mode": { - "default": "query", "type": "string", + "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)", + "default": "query", + "required": false, "one_of": [ "query", "form_post", "fragment" - ], - "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)", - "required": false + ] } }, { "response_type": { - "default": [ - "code" - ], + "elements": { + "type": "string" + }, "type": "array", 
"description": "The response type passed to the authorization endpoint.", "required": false, - "elements": { - "type": "string" - } + "default": [ + "code" + ] } }, { "scopes": { - "default": [ - "openid" - ], + "elements": { + "type": "string" + }, "type": "array", "description": "The scopes passed to the authorization and token endpoints.", "required": false, - "elements": { - "type": "string" - } + "default": [ + "openid" + ] } }, { "audience": { - "description": "The audience passed to the authorization endpoint.", "required": false, + "type": "array", + "description": "The audience passed to the authorization endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "issuers_allowed": { - "description": "The issuers allowed to be present in the tokens (`iss` claim).", "required": false, + "type": "array", + "description": "The issuers allowed to be present in the tokens (`iss` claim).", "elements": { "type": "string" - }, - "type": "array" + } } }, { "scopes_required": { - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "required": false, + "type": "array", + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "scopes_claim": { - "default": [ - "scope" - ], + "elements": { + "type": "string" + }, "type": "array", "description": "The claim that contains the scopes. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, - "elements": { - "type": "string" - } + "default": [ + "scope" + ] } }, { "audience_required": { - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "required": false, + "type": "array", + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "audience_claim": { - "default": [ - "aud" - ], + "elements": { + "type": "string" + }, "type": "array", "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, - "elements": { - "type": "string" - } + "default": [ + "aud" + ] } }, { "groups_required": { - "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "required": false, + "type": "array", + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "groups_claim": { - "default": [ - "groups" - ], + "elements": { + "type": "string" + }, "type": "array", "description": "The claim that contains the groups. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, - "elements": { - "type": "string" - } + "default": [ + "groups" + ] } }, { "roles_required": { - "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "required": false, + "type": "array", + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "roles_claim": { - "default": [ - "roles" - ], + "elements": { + "type": "string" + }, "type": "array", "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, - "elements": { - "type": "string" - } + "default": [ + "roles" + ] } }, { "domains": { - "description": "The allowed values for the `hd` claim.", "required": false, + "type": "array", + "description": "The allowed values for the `hd` claim.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "max_age": { - "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "required": false, "type": "number", - "required": false + "description": "The maximum age (in seconds) compared to the `auth_time` claim." } }, { "authenticated_groups_claim": { - "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, + "type": "array", + "description": "The claim that contains authenticated groups. 
This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "authorization_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": false, "type": "string", - "required": false + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "authorization_query_args_names": { - "description": "Extra query argument names passed to the authorization endpoint.", "required": false, + "type": "array", + "description": "Extra query argument names passed to the authorization endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "authorization_query_args_values": { - "description": "Extra query argument values passed to the authorization endpoint.", "required": false, + "type": "array", + "description": "Extra query argument values passed to the authorization endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "authorization_query_args_client": { - "description": "Extra query arguments passed from the client to the authorization endpoint.", "required": false, + "type": "array", + "description": "Extra query arguments passed from the client to the authorization endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "authorization_rolling_timeout": { "default": 600, + "type": "number", "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling.", - "required": false, - "type": "number" + "required": false } }, { "authorization_cookie_name": { "default": "authorization", + "type": "string", "description": "The authorization cookie name.", - "required": false, - "type": "string" + "required": false } }, { "authorization_cookie_path": { - "default": "/", + "starts_with": "/", + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "required": false, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "type": "string", - "starts_with": "/", - "required": false, - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "default": "/" } }, { "authorization_cookie_domain": { - "description": "The authorization cookie Domain flag.", + "required": false, "type": "string", - "required": false + "description": "The authorization cookie Domain flag." 
} }, { "authorization_cookie_same_site": { - "default": "Default", "type": "string", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "default": "Default", + "required": false, "one_of": [ "Strict", "Lax", "None", "Default" - ], - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", - "required": false + ] } }, { "authorization_cookie_http_only": { "default": true, + "type": "boolean", "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "required": false, - "type": "boolean" + "required": false } }, { "authorization_cookie_secure": { - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "required": false, "type": "boolean", - "required": false + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." } }, { "preserve_query_args": { "default": false, + "type": "boolean", "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", - "required": false, - "type": "boolean" + "required": false } }, { "token_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": false, "type": "string", - "required": false + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
} }, { "token_endpoint_auth_method": { + "required": false, + "type": "string", "description": "The token endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", 
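Review bot: Nearly every changed line in this hunk is a key moved within its object, and the only substantive change I can find is the removal of `unauthorized_destroy_session`, which makes it hard to confirm that nothing but 3.5 fields was dropped. Writing the schema with a stable key order (for instance sorted keys) before committing would reduce the diff to that one removal. Separately, `authorization_cookie_secure` has no `default`, unlike `authorization_cookie_http_only` (`true`), and its description does not say what applies when it is unset; a sentence stating the effective default would help. The `config` record starts and ends outside this hunk.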
@@ -786,62 +864,61 @@ "client_secret_jwt", "private_key_jwt", "none" - ], - "required": false, - "type": "string" + ] } }, { "token_headers_names": { - "description": "Extra header names passed to the token endpoint.", "required": false, + "type": "array", + "description": "Extra header names passed to the token endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "token_headers_values": { - "description": "Extra header values passed to the token endpoint.", "required": false, + "type": "array", + "description": "Extra header values passed to the token endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "token_headers_client": { - "description": "Extra headers passed from the client to the token endpoint.", "required": false, + "type": "array", + "description": "Extra headers passed from the client to the token endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "token_headers_replay": { - "description": "The names of token endpoint response headers to forward to the downstream client.", "required": false, + "type": "array", + "description": "The names of token endpoint response headers to forward to the downstream client.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "token_headers_prefix": { - "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "required": false, "type": "string", - "required": false + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client." 
} }, { "token_headers_grants": { - "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant", "required": false, + "type": "array", + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant", "elements": { "type": "string", "one_of": [ 
@@ -850,49 +927,50 @@ "authorization_code", "refresh_token" ] - }, - "type": "array" + } } }, { "token_post_args_names": { - "description": "Extra post argument names passed to the token endpoint.", "required": false, + "type": "array", + "description": "Extra post argument names passed to the token endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "token_post_args_values": { - "description": "Extra post argument values passed to the token endpoint.", "required": false, + "type": "array", + "description": "Extra post argument values passed to the token endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "token_post_args_client": { - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Request Body - Query parameters This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body and send it to the token endpoint.", "required": false, + "type": "array", + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Request Body - Query parameters This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body and send it to the token endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "introspection_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": false, "type": "string", - "required": false + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
} }, { "introspection_endpoint_auth_method": { + "required": false, + "type": "string", "description": "The introspection endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", 
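Review bot: The `token_post_args_client` description explains that a client-supplied `scope` is forwarded to the token endpoint but gives no guidance on limiting what clients may pass. I would append a sentence such as `List only the arguments that downstream clients are allowed to set.` to the description. The change to this entry is otherwise a key reorder, and the `config` record continues outside the hunk.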
@@ -900,117 +978,117 @@ "client_secret_jwt", "private_key_jwt", "none" - ], - "required": false, - "type": "string" + ] } }, { "introspection_hint": { "default": "access_token", + "type": "string", "description": "Introspection hint parameter value passed to the introspection endpoint.", - "required": false, - "type": "string" + "required": false } }, { "introspection_check_active": { "default": true, + "type": "boolean", "description": "Check that the introspection response has an `active` claim with a value of `true`.", - "required": false, - "type": "boolean" + "required": false } }, { "introspection_accept": { - "default": "application/json", "type": "string", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)", + "default": "application/json", + "required": false, "one_of": [ "application/json", "application/token-introspection+jwt", "application/jwt" - ], - "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)", - "required": false + ] } }, { "introspection_headers_names": { - "description": "Extra header names passed to the introspection endpoint.", "required": false, + "type": "array", + "description": "Extra header names passed to the introspection endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "introspection_headers_values": { - "description": "Extra header values passed to the introspection endpoint.", "required": false, + "type": "array", + "description": "Extra header values passed 
to the introspection endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "introspection_headers_client": { - "description": "Extra headers passed from the client to the introspection endpoint.", "required": false, + "type": "array", + "description": "Extra headers passed from the client to the introspection endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "introspection_post_args_names": { - "description": "Extra post argument names passed to the introspection endpoint.", "required": false, + "type": "array", + "description": "Extra post argument names passed to the introspection endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "introspection_post_args_values": { - "description": "Extra post argument values passed to the introspection endpoint.", "required": false, + "type": "array", + "description": "Extra post argument values passed to the introspection endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "introspection_post_args_client": { - "description": "Extra post arguments passed from the client to the introspection endpoint.", "required": false, + "type": "array", + "description": "Extra post arguments passed from the client to the introspection endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "introspect_jwt_tokens": { "default": false, + "type": "boolean", "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", - "required": false, - "type": "boolean" + "required": false } }, { "revocation_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": false, "type": "string", - "required": false + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
} }, { "revocation_endpoint_auth_method": { + "required": false, + "type": "string", "description": "The revocation endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", 
@@ -1018,239 +1096,236 @@ "client_secret_jwt", "private_key_jwt", "none" - ], - "required": false, - "type": "string" + ] } }, { "end_session_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": false, "type": "string", - "required": false + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "userinfo_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": false, "type": "string", - "required": false + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "userinfo_accept": { - "default": "application/json", "type": "string", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)", + "default": "application/json", + "required": false, "one_of": [ "application/json", "application/jwt" - ], - "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)", - "required": false + ] } }, { "userinfo_headers_names": { - "description": "Extra header names passed to the user info endpoint.", "required": false, + "type": "array", + "description": "Extra header names passed to the user info endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "userinfo_headers_values": { - "description": "Extra header values passed to the user info endpoint.", "required": false, + "type": "array", + "description": "Extra header values passed to the user info endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "userinfo_headers_client": { - "description": "Extra headers passed from the client to 
the user info endpoint.", "required": false, + "type": "array", + "description": "Extra headers passed from the client to the user info endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "userinfo_query_args_names": { - "description": "Extra query argument names passed to the user info endpoint.", "required": false, + "type": "array", + "description": "Extra query argument names passed to the user info endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "userinfo_query_args_values": { - "description": "Extra query argument values passed to the user info endpoint.", "required": false, + "type": "array", + "description": "Extra query argument values passed to the user info endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "userinfo_query_args_client": { - "description": "Extra query arguments passed from the client to the user info endpoint.", "required": false, + "type": "array", + "description": "Extra query arguments passed from the client to the user info endpoint.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "token_exchange_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": false, "type": "string", - "required": false + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "session_secret": { + "referenceable": true, "description": "The session secret.", "encrypted": true, - "referenceable": true, - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_audience": { "default": "default", + "type": "string", "description": "The session audience, which is the intended target application. 
For example `\"my-application\"`.", - "required": false, - "type": "string" + "required": false } }, { "session_cookie_name": { "default": "session", + "type": "string", "description": "The session cookie name.", - "required": false, - "type": "string" + "required": false } }, { "session_remember": { "default": false, + "type": "boolean", "description": "Enables or disables persistent sessions.", - "required": false, - "type": "boolean" + "required": false } }, { "session_remember_cookie_name": { "default": "remember", + "type": "string", "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", - "required": false, - "type": "string" + "required": false } }, { "session_remember_rolling_timeout": { "default": 604800, + "type": "number", "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", - "required": false, - "type": "number" + "required": false } }, { "session_remember_absolute_timeout": { "default": 2592000, + "type": "number", "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", - "required": false, - "type": "number" + "required": false } }, { "session_idling_timeout": { "default": 900, + "type": "number", "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", - "required": false, - "type": "number" + "required": false } }, { "session_rolling_timeout": { "default": 3600, + "type": "number", "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", - "required": false, - "type": "number" + "required": false } }, { "session_absolute_timeout": { "default": 86400, + "type": "number", "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 
0 disables the checks.", - "required": false, - "type": "number" + "required": false } }, { "session_cookie_path": { - "default": "/", + "starts_with": "/", + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "required": false, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "type": "string", - "starts_with": "/", - "required": false, - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "default": "/" } }, { "session_cookie_domain": { - "description": "The session cookie Domain flag.", + "required": false, "type": "string", - "required": false + "description": "The session cookie Domain flag." } }, { "session_cookie_same_site": { - "default": "Lax", "type": "string", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "default": "Lax", + "required": false, "one_of": [ "Strict", "Lax", "None", "Default" - ], - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", - "required": false + ] } }, { "session_cookie_http_only": { "default": true, + "type": "boolean", "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "required": false, - "type": "boolean" + "required": false } }, { "session_cookie_secure": { - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "required": false, "type": "boolean", - "required": false + "description": "Cookie is only 
sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." } }, { "session_request_headers": { - "type": "set", "elements": { "type": "string", "one_of": [ @@ -1262,12 +1337,12 @@ "rolling-timeout", "absolute-timeout" ] - } + }, + "type": "set" } }, { "session_response_headers": { - "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -1279,255 +1354,248 @@ "rolling-timeout", "absolute-timeout" ] - } + }, + "type": "set" } }, { "session_storage": { - "default": "cookie", "type": "string", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis", + "default": "cookie", + "required": false, "one_of": [ "cookie", "memcache", "memcached", "redis" - ], - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis", - "required": false + ] } }, { "session_store_metadata": { "default": false, + "type": "boolean", "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", - "required": false, - "type": "boolean" + "required": false } }, { "session_enforce_same_subject": { "default": false, + "type": "boolean", "description": "When set to `true`, audiences are forced to share the same subject.", - "required": false, - "type": "boolean" + "required": false } }, { "session_hash_subject": { "default": false, + "type": "boolean", "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", - "required": false, - "type": "boolean" + "required": false } }, { "session_hash_storage_key": { "default": false, + "type": "boolean", "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", - "required": false, - "type": "boolean" + "required": false } }, { "session_memcached_prefix": { - "description": "The memcached session key prefix.", + "required": false, "type": "string", - "required": false + "description": "The memcached session key prefix." } }, { "session_memcached_socket": { - "description": "The memcached unix socket path.", + "required": false, "type": "string", - "required": false + "description": "The memcached unix socket path." } }, { "session_memcached_host": { "default": "127.0.0.1", + "type": "string", "description": "The memcached host.", - "required": false, - "type": "string" + "required": false } }, { "session_memcached_port": { - "default": 11211, - "type": "integer", "between": [ 0, 65535 ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": false, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "default": 11211 } }, { "session_redis_prefix": { - "description": "The Redis session key prefix.", + "required": false, "type": "string", - "required": false + "description": "The Redis session key prefix." } }, { "session_redis_socket": { - "description": "The Redis unix socket path.", + "required": false, "type": "string", - "required": false + "description": "The Redis unix socket path." } }, { "session_redis_host": { "default": "127.0.0.1", + "type": "string", "description": "The Redis host", - "required": false, - "type": "string" + "required": false } }, { "session_redis_port": { - "default": 6379, - "type": "integer", "between": [ 0, 65535 ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": false, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ "default": 6379 } }, { "session_redis_username": { - "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", - "referenceable": true, "required": false, + "referenceable": true, + "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", "type": "string" } }, { "session_redis_password": { + "referenceable": true, "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis.", "encrypted": true, - "referenceable": true, - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_redis_connect_timeout": { - "description": "Session redis connection timeout in milliseconds.", + "required": false, "type": "integer", - "required": false + "description": "Session redis connection timeout in milliseconds." } }, { "session_redis_read_timeout": { - "description": "Session redis read timeout in milliseconds.", + "required": false, "type": "integer", - "required": false + "description": "Session redis read timeout in milliseconds." } }, { "session_redis_send_timeout": { - "description": "Session redis send timeout in milliseconds.", + "required": false, "type": "integer", - "required": false + "description": "Session redis send timeout in milliseconds." 
} }, { "session_redis_ssl": { "default": false, + "type": "boolean", "description": "Use SSL/TLS for Redis connection.", - "required": false, - "type": "boolean" + "required": false } }, { "session_redis_ssl_verify": { "default": false, + "type": "boolean", "description": "Verify identity provider server certificate.", - "required": false, - "type": "boolean" + "required": false } }, { "session_redis_server_name": { - "description": "The SNI used for connecting the Redis server.", + "required": false, "type": "string", - "required": false + "description": "The SNI used for connecting the Redis server." } }, { "session_redis_cluster_nodes": { - "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", "required": false, + "type": "array", + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", "elements": { + "type": "record", "fields": [ { "ip": { - "default": "127.0.0.1", "required": true, "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1" } }, { "port": { "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer" + ] } } - ], - "type": "record" - }, - "type": "array" + ] + } } }, { "session_redis_cluster_max_redirections": { - "description": "The Redis cluster maximum redirects.", + "required": false, "type": "integer", - "required": false + "description": "The Redis cluster maximum redirects." 
} }, { "reverify": { "default": false, + "type": "boolean", "description": "Specifies whether to always verify tokens stored in the session.", - "required": false, - "type": "boolean" + "required": false } }, { "jwt_session_claim": { "default": "sid", + "type": "string", "description": "The claim to match against the JWT session cookie.", - "required": false, - "type": "string" + "required": false } }, { "jwt_session_cookie": { - "description": "The name of the JWT session cookie.", + "required": false, "type": "string", - "required": false + "description": "The name of the JWT session cookie." } }, { "bearer_token_param_type": { - "default": [ - "header", - "query", - "body" - ], - "type": "array", - "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`", - "required": false, "elements": { "type": "string", "one_of": [ 
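Review bot: The description on `session_redis_ssl_verify` in this hunk reads "Verify identity provider server certificate.", but the field sits among the `session_redis_*` connection settings and presumably controls verification of the Redis server's certificate instead. Because its default is `false`, an operator who enables only `session_redis_ssl` gets an encrypted but unauthenticated connection to the session store, and the current wording hides that. I would change it to `"description": "Verify the Redis server certificate presented on the session store connection."`. As this file is downloaded from the API, the wording has to be corrected in the upstream schema, not in this copy.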
@@ -1536,26 +1604,26 @@ "query", "body" ] - } + }, + "type": "array", + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`", + "required": false, + "default": [ + "header", + "query", + "body" + ] } }, { "bearer_token_cookie_name": { - "description": "The name of the cookie in which the bearer token is passed.", + "required": false, "type": "string", - "required": false + "description": "The name of the cookie in which the bearer token is passed." } }, { "client_credentials_param_type": { - "default": [ - "header", - "query", - "body" - ], - "type": "array", - "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body", - "required": false, "elements": { "type": "string", "one_of": [ @@ -1563,19 +1631,19 @@ "query", "body" ] - } - } - }, - { - "password_param_type": { + }, + "type": "array", + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body", + "required": false, "default": [ "header", "query", "body" - ], - "type": "array", - "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", - "required": false, + ] + } + }, + { + "password_param_type": { "elements": { "type": "string", "one_of": [ 
@@ -1583,19 +1651,19 @@ "query", "body" ] - } - } - }, - { - "id_token_param_type": { + }, + "type": "array", + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", + "required": false, "default": [ "header", "query", "body" - ], - "type": "array", - "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", - "required": false, + ] + } + }, + { + "id_token_param_type": { "elements": { "type": "string", "one_of": [ @@ -1603,26 +1671,26 @@ "query", "body" ] - } + }, + "type": "array", + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", + "required": false, + "default": [ + "header", + "query", + "body" + ] } }, { "id_token_param_name": { - "description": "The name of the parameter used to pass the id token.", + "required": false, "type": "string", - "required": false + "description": "The name of the parameter used to pass the id token." } }, { "refresh_token_param_type": { - "default": [ - "header", - "query", - "body" - ], - "type": "array", - "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", - "required": false, "elements": { "type": "string", "one_of": [ 
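Review bot: The `password_param_type` description in the `-1583,19` hunk lists `query` as a place to look for the username and password, and the default array includes it, but nothing warns that query-string values are commonly recorded in access logs, proxy logs and browser history. I would append a sentence to the description such as `Credentials sent in the query string can be recorded in logs; restrict this list to header or body where possible.` The same caveat applies to the `query` defaults of `bearer_token_param_type` and `client_credentials_param_type` (hunks on the previous line) and of `id_token_param_type` and `refresh_token_param_type`. The `password_param_type` object opens in the preceding hunk, and since the schema is pulled from the API the text would need to change upstream.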
@@ -1630,99 +1698,107 @@ "query", "body" ] - } + }, + "type": "array", + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", + "required": false, + "default": [ + "header", + "query", + "body" + ] } }, { "refresh_token_param_name": { - "description": "The name of the parameter used to pass the refresh token.", + "required": false, "type": "string", - "required": false + "description": "The name of the parameter used to pass the refresh token." } }, { "refresh_tokens": { "default": true, + "type": "boolean", "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", - "required": false, - "type": "boolean" + "required": false } }, { "upstream_headers_claims": { - "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, + "type": "array", + "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "upstream_headers_names": { - "description": "The upstream header names for the claim values.", "required": false, + "type": "array", + "description": "The upstream header names for the claim values.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "upstream_access_token_header": { "default": "authorization:bearer", + "type": "string", "description": "The upstream access token header.", - "required": false, - "type": "string" + "required": false } }, { "upstream_access_token_jwk_header": { - "description": "The upstream access token JWK header.", + "required": false, "type": "string", - "required": false + "description": "The upstream access token JWK header." 
} }, { "upstream_id_token_header": { - "description": "The upstream id token header.", + "required": false, "type": "string", - "required": false + "description": "The upstream id token header." } }, { "upstream_id_token_jwk_header": { - "description": "The upstream id token JWK header.", + "required": false, "type": "string", - "required": false + "description": "The upstream id token JWK header." } }, { "upstream_refresh_token_header": { - "description": "The upstream refresh token header.", + "required": false, "type": "string", - "required": false + "description": "The upstream refresh token header." } }, { "upstream_user_info_header": { - "description": "The upstream user info header.", + "required": false, "type": "string", - "required": false + "description": "The upstream user info header." } }, { "upstream_user_info_jwt_header": { - "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "required": false, "type": "string", - "required": false + "description": "The upstream user info JWT header (in case the user info returns a JWT response)." } }, { "upstream_introspection_header": { - "description": "The upstream introspection header.", + "required": false, "type": "string", - "required": false + "description": "The upstream introspection header." } }, { 
@@ -1733,85 +1809,85 @@ }, { "upstream_session_id_header": { - "description": "The upstream session id header.", + "required": false, "type": "string", - "required": false + "description": "The upstream session id header." } }, { "downstream_headers_claims": { - "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, + "type": "array", + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "downstream_headers_names": { - "description": "The downstream header names for the claim values.", "required": false, + "type": "array", + "description": "The downstream header names for the claim values.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "downstream_access_token_header": { - "description": "The downstream access token header.", + "required": false, "type": "string", - "required": false + "description": "The downstream access token header." } }, { "downstream_access_token_jwk_header": { - "description": "The downstream access token JWK header.", + "required": false, "type": "string", - "required": false + "description": "The downstream access token JWK header." } }, { "downstream_id_token_header": { - "description": "The downstream id token header.", + "required": false, "type": "string", - "required": false + "description": "The downstream id token header." } }, { "downstream_id_token_jwk_header": { - "description": "The downstream id token JWK header.", + "required": false, "type": "string", - "required": false + "description": "The downstream id token JWK header." } }, { "downstream_refresh_token_header": { - "description": "The downstream refresh token header.", + "required": false, "type": "string", - "required": false + "description": "The downstream refresh token header." 
} }, { "downstream_user_info_header": { - "description": "The downstream user info header.", + "required": false, "type": "string", - "required": false + "description": "The downstream user info header." } }, { "downstream_user_info_jwt_header": { - "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "required": false, "type": "string", - "required": false + "description": "The downstream user info JWT header (in case the user info returns a JWT response)." } }, { "downstream_introspection_header": { - "description": "The downstream introspection header.", + "required": false, "type": "string", - "required": false + "description": "The downstream introspection header." } }, { @@ -1822,19 +1898,13 @@ }, { "downstream_session_id_header": { - "description": "The downstream session id header.", + "required": false, "type": "string", - "required": false + "description": "The downstream session id header." } }, { "login_methods": { - "default": [ - "authorization_code" - ], - "type": "array", - "description": "Enable login functionality with specified grants.", - "required": false, "elements": { "type": "string", "one_of": [ 
@@ -1848,30 +1918,30 @@ "refresh_token", "session" ] - } + }, + "type": "array", + "description": "Enable login functionality with specified grants.", + "required": false, + "default": [ + "authorization_code" + ] } }, { "login_action": { - "default": "upstream", "type": "string", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location", + "default": "upstream", + "required": false, "one_of": [ "upstream", "response", "redirect" - ], - "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location", - "required": false + ] } }, { "login_tokens": { - "default": [ - "id_token" - ], - "type": "array", - "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response", - "required": false, "elements": { "type": "string", "one_of": [ 
@@ -1881,51 +1951,50 @@ "tokens", "introspection" ] - } + }, + "type": "array", + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response", + "required": false, + "default": [ + "id_token" + ] } }, { "login_redirect_mode": { - "default": "fragment", "type": "string", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)", + "default": "fragment", + "required": false, "one_of": [ "query", "fragment" - ], - "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)", - "required": false + ] } }, { "logout_query_arg": { - "description": "The request query argument that activates the logout.", + "required": false, "type": "string", - "required": false + "description": "The request query argument that activates the logout." } }, { "logout_post_arg": { - "description": "The request body argument that activates the logout.", + "required": false, "type": "string", - "required": false + "description": "The request body argument that activates the logout." } }, { "logout_uri_suffix": { - "description": "The request URI suffix that activates the logout.", + "required": false, "type": "string", - "required": false + "description": "The request URI suffix that activates the logout." 
} }, { "logout_methods": { - "default": [ - "POST", - "DELETE" - ], - "type": "array", - "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method", - "required": false, "elements": { "type": "string", "one_of": [ @@ -1933,52 +2002,52 @@ "GET", "DELETE" ] - } + }, + "type": "array", + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method", + "required": false, + "default": [ + "POST", + "DELETE" + ] } }, { "logout_revoke": { "default": false, + "type": "boolean", "description": "Revoke tokens as part of the logout.", - "required": false, - "type": "boolean" + "required": false } }, { "logout_revoke_access_token": { "default": true, + "type": "boolean", "description": "Revoke the access token as part of the logout.", - "required": false, - "type": "boolean" + "required": false } }, { "logout_revoke_refresh_token": { "default": true, + "type": "boolean", "description": "Revoke the refresh token as part of the logout.", - "required": false, - "type": "boolean" + "required": false } }, { "consumer_claim": { - "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, + "type": "array", + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "consumer_by": { - "default": [ - "username", - "custom_id" - ], - "type": "array", - "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`", - "required": false, "elements": { "type": "string", "one_of": [ 
@@ -1986,93 +2055,94 @@ "username", "custom_id" ] - } + }, + "type": "array", + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`", + "required": false, + "default": [ + "username", + "custom_id" + ] } }, { "consumer_optional": { "default": false, + "type": "boolean", "description": "Do not terminate the request if consumer mapping fails.", - "required": false, - "type": "boolean" + "required": false } }, { "credential_claim": { - "default": [ - "sub" - ], + "elements": { + "type": "string" + }, "type": "array", "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, - "elements": { - "type": "string" - } + "default": [ + "sub" + ] } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "required": false, "type": "string", - "required": false + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." 
} }, { "run_on_preflight": { "default": true, + "type": "boolean", "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", - "required": false, - "type": "boolean" + "required": false } }, { "leeway": { "default": 0, + "type": "number", "description": "Allow some leeway (in seconds) on the iat claim and ttl / expiry verification.", - "required": false, - "type": "number" + "required": false } }, { "verify_parameters": { "default": false, + "type": "boolean", "description": "Verify plugin configuration against discovery.", - "required": false, - "type": "boolean" + "required": false } }, { "verify_nonce": { "default": true, + "type": "boolean", "description": "Verify nonce on authorization code flow.", - "required": false, - "type": "boolean" + "required": false } }, { "verify_claims": { "default": true, + "type": "boolean", "description": "Verify tokens for standard claims.", - "required": false, - "type": "boolean" + "required": false } }, { "verify_signature": { "default": true, + "type": "boolean", "description": "Verify signature of tokens.", - "required": false, - "type": "boolean" + "required": false } }, { "ignore_signature": { - "default": [ - - ], - "type": "array", - "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication", - "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2084,21 +2154,28 @@ "introspection", "userinfo" ] - } + }, + "type": "array", + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication", + "required": false, + "default": [ + + ] } }, { "enable_hs_signatures": { "default": false, + "type": "boolean", "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", - "required": false, - "type": "boolean" + "required": false } }, { "disable_session": { - "description": "Disable issuing the session cookie with the specified grants.", "required": false, + "type": "array", + "description": "Disable issuing the session cookie with the specified grants.", "elements": { "type": "string", "one_of": [ 
@@ -2112,334 +2189,207 @@ "refresh_token", "session" ] - }, - "type": "array" + } } }, { "cache_ttl": { "default": 3600, + "type": "number", "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", - "required": false, - "type": "number" + "required": false } }, { "cache_ttl_max": { - "description": "The maximum cache ttl in seconds (enforced).", + "required": false, "type": "number", - "required": false + "description": "The maximum cache ttl in seconds (enforced)." } }, { "cache_ttl_min": { - "description": "The minimum cache ttl in seconds (enforced).", + "required": false, "type": "number", - "required": false + "description": "The minimum cache ttl in seconds (enforced)." } }, { "cache_ttl_neg": { - "description": "The negative cache ttl in seconds.", + "required": false, "type": "number", - "required": false + "description": "The negative cache ttl in seconds." } }, { "cache_ttl_resurrect": { - "description": "The resurrection ttl in seconds.", + "required": false, "type": "number", - "required": false + "description": "The resurrection ttl in seconds." } }, { "cache_tokens": { "default": true, + "type": "boolean", "description": "Cache the token endpoint requests.", - "required": false, - "type": "boolean" + "required": false } }, { "cache_tokens_salt": { - "auto": true, - "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", "required": false, - "type": "string" + "type": "string", + "auto": true, + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." 
} }, { "cache_introspection": { "default": true, + "type": "boolean", "description": "Cache the introspection endpoint requests.", - "required": false, - "type": "boolean" + "required": false } }, { "cache_token_exchange": { "default": true, + "type": "boolean", "description": "Cache the token exchange endpoint requests.", - "required": false, - "type": "boolean" + "required": false } }, { "cache_user_info": { "default": true, + "type": "boolean", "description": "Cache the user info requests.", - "required": false, - "type": "boolean" + "required": false } }, { "search_user_info": { "default": false, + "type": "boolean", "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", - "required": false, - "type": "boolean" + "required": false } }, { "hide_credentials": { "default": false, + "type": "boolean", "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", - "required": false, - "type": "boolean" + "required": false } }, { "http_version": { "default": 1.1, - "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0", "type": "number", + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0", "required": false } }, { "http_proxy": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": false, "type": "string", - "required": false + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
} }, { "http_proxy_authorization": { - "description": "The HTTP proxy authorization.", + "required": false, "type": "string", - "required": false + "description": "The HTTP proxy authorization." } }, { "https_proxy": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": false, "type": "string", - "required": false + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "https_proxy_authorization": { - "description": "The HTTPS proxy authorization.", + "required": false, "type": "string", - "required": false + "description": "The HTTPS proxy authorization." } }, { "no_proxy": { - "description": "Do not use proxy with these hosts.", + "required": false, "type": "string", - "required": false + "description": "Do not use proxy with these hosts." } }, { "keepalive": { "default": true, + "type": "boolean", "description": "Use keepalive with the HTTP client.", - "required": false, - "type": "boolean" + "required": false } }, { "ssl_verify": { "default": false, + "type": "boolean", "description": "Verify identity provider server certificate.", - "required": false, - "type": "boolean" + "required": false } }, { "timeout": { "default": 10000, + "type": "number", "description": "Network IO timeout in milliseconds.", - "required": false, - "type": "number" + "required": false } }, { "display_errors": { "default": false, + "type": "boolean", "description": "Display errors on failure responses.", - "required": false, - "type": "boolean" + "required": false } }, { "by_username_ignore_case": { "default": false, + "type": "boolean", "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", - "required": false, - "type": "boolean" + "required": false } }, { "resolve_distributed_claims": { "default": false, + "type": "boolean", "description": "Distributed claims are represented by the `_claim_names` 
and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", - "required": false, - "type": "boolean" + "required": false } }, { "expose_error_code": { "default": true, - "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", - "type": "boolean" + "type": "boolean", + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable." } }, { "token_cache_key_include_scope": { "default": false, - "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", - "type": "boolean" - } - }, - { - "introspection_token_param_name": { - "default": "token", - "description": "Designate token's parameter name for introspection.", - "required": false, - "type": "string" - } - }, - { - "using_pseudo_issuer": { - "default": false, - "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL.", - "type": "boolean" - } - }, - { - "revocation_token_param_name": { - "default": "token", - "description": "Designate token's parameter name for revocation.", - "required": false, - "type": "string" - } - }, - { - "proof_of_possession_mtls": { - "default": "off", - "one_of": [ - "off", - "strict", - "optional" - ], - "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. 
If the verification fails, the request will be rejected with 401.", - "type": "string" - } - }, - { - "proof_of_possession_auth_methods_validation": { - "default": true, - "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", - "type": "boolean" - } - } - ], - "shorthand_fields": [ - { - "authorization_cookie_lifetime": { - "type": "number" - } - }, - { - "authorization_cookie_samesite": { - "type": "string" - } - }, - { - "authorization_cookie_httponly": { - "type": "boolean" - } - }, - { - "session_cookie_lifetime": { - "type": "number" - } - }, - { - "session_cookie_idletime": { - "type": "number" - } - }, - { - "session_cookie_samesite": { - "type": "string" - } - }, - { - "session_cookie_httponly": { - "type": "boolean" - } - }, - { - "session_memcache_prefix": { - "type": "string" - } - }, - { - "session_memcache_socket": { - "type": "string" - } - }, - { - "session_memcache_host": { - "type": "string" - } - }, - { - "session_memcache_port": { - "type": "integer" - } - }, - { - "session_redis_cluster_maxredirections": { - "type": "integer" - } - }, - { - "session_cookie_renew": { - "type": "number" - } - }, - { - "session_cookie_maxsize": { - "type": "integer" - } - }, - { - "session_strategy": { - "type": "string" - } - }, - { - "session_compressor": { - "type": "string" + "type": "boolean", + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens." } } - ], - "required": true, - "type": "record" + ] } } ], diff --git a/schemas/opentelemetry/3.4.x.json b/schemas/opentelemetry/3.4.x.json index f2e4e312..efad39a9 100644 --- a/schemas/opentelemetry/3.4.x.json +++ b/schemas/opentelemetry/3.4.x.json 
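Review bot: `ssl_verify` in the openid-connect hunk that ends here is published with `"default": false` and the description `Verify identity provider server certificate.`, which does not tell a reader that the default skips that check. The same schema describes calls to the token, introspection and user info endpoints, so the generated reference should state the consequence, for example `"description": "Verify identity provider server certificate. The default (false) skips this check; set to true in production."`. The file is pulled from the API, so the wording presumably has to be changed upstream or re-applied after each regeneration. The new side of this hunk also carries the typo `diffrent` in the `token_cache_key_include_scope` description.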
@@ -206,7 +206,6 @@ "jaeger", "ot", "aws", - "gcp", "datadog" ], "type": "string", diff --git a/schemas/proxy-cache-advanced/3.4.x.json b/schemas/proxy-cache-advanced/3.4.x.json index 084ee9f7..92cc34d7 100644 --- a/schemas/proxy-cache-advanced/3.4.x.json +++ b/schemas/proxy-cache-advanced/3.4.x.json @@ -163,33 +163,6 @@ "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." } }, - { - "response_headers": { - "fields": [ - { - "age": { - "default": true, - "type": "boolean" - } - }, - { - "X-Cache-Status": { - "default": true, - "type": "boolean" - } - }, - { - "X-Cache-Key": { - "default": true, - "type": "boolean" - } - } - ], - "type": "record", - "description": "Caching related diagnostic headers that should be included in cached responses", - "required": true - } - }, { "redis": { "fields": [ diff --git a/schemas/proxy-cache/3.4.x.json b/schemas/proxy-cache/3.4.x.json index d1602895..2ddb03dc 100644 --- a/schemas/proxy-cache/3.4.x.json +++ b/schemas/proxy-cache/3.4.x.json @@ -167,33 +167,6 @@ }, "type": "array" } - }, - { - "response_headers": { - "fields": [ - { - "age": { - "default": true, - "type": "boolean" - } - }, - { - "X-Cache-Status": { - "default": true, - "type": "boolean" - } - }, - { - "X-Cache-Key": { - "default": true, - "type": "boolean" - } - } - ], - "description": "Caching related diagnostic headers that should be included in cached responses", - "type": "record", - "required": true - } } ], "type": "record", diff --git a/schemas/session/3.4.x.json b/schemas/session/3.4.x.json index c985ebc2..93c9642a 100644 --- a/schemas/session/3.4.x.json +++ b/schemas/session/3.4.x.json @@ -215,12 +215,6 @@ "type": "set" } }, - { - "read_body_for_logout": { - "default": false, - "type": "boolean" - } - }, { "logout_methods": { "default": [ diff --git a/schemas/zipkin/3.4.x.json b/schemas/zipkin/3.4.x.json index d847ac37..bc8ed607 100644 --- a/schemas/zipkin/3.4.x.json 
+++ b/schemas/zipkin/3.4.x.json @@ -104,11 +104,8 @@ "jaeger", "ot", "aws", - "datadog", - "gcp" - ], - "required": true, - "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests" + "datadog" + ] } }, { @@ -122,11 +119,8 @@ "jaeger", "ot", "aws", - "datadog", - "gcp" - ], - "required": true, - "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored." + "datadog" + ] } }, { From ceee19ee2cd8e41ba543c089e14c5bebb4757596 Mon Sep 17 00:00:00 2001 
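Review bot: Both hunks of `schemas/zipkin/3.4.x.json` remove the `"required": true` and `"description"` entries that followed the `one_of` list and add nothing in their place, so the two fields lose their reference text even though the commit message says descriptions now come from the API. The first hunk starts at line 104 on both sides, so the entries were not moved higher up in the file. The field names are outside the hunks; judging by the removed text they appear to be `header_type` and `default_header_type`. If the 3.4.x API output simply lacks these entries, keep the two removed lines by hand in each field. Separately, confirm that dropping `gcp` from both `one_of` lists matches what the 3.4 release accepts.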
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Mon, 6 Nov 2023 09:21:13 -0800 Subject: [PATCH 018/165] Chore: Regenerate 3.5 schemas (#10) * generate latest plugin schemas from 3.5 release candidate * add missing parameters for ACL and OpenTelemetry plugins --- schemas/acl/3.4.x.json | 7 +- schemas/acl/3.5.x.json | 51 +- schemas/acme/3.5.x.json | 224 ++-- schemas/application-registration/3.5.x.json | 56 +- schemas/aws-lambda/3.5.x.json | 94 +- schemas/azure-functions/3.5.x.json | 58 +- schemas/basic-auth/3.5.x.json | 24 +- schemas/bot-detection/3.5.x.json | 56 +- schemas/canary/3.5.x.json | 80 +- schemas/correlation-id/3.5.x.json | 40 +- schemas/cors/3.5.x.json | 72 +- schemas/datadog/3.5.x.json | 276 ++-- schemas/degraphql/3.5.x.json | 38 +- schemas/exit-transformer/3.5.x.json | 28 +- schemas/file-log/3.5.x.json | 52 +- schemas/forward-proxy/3.5.x.json | 60 +- .../graphql-proxy-cache-advanced/3.5.x.json | 56 +- .../graphql-rate-limiting-advanced/3.5.x.json | 172 +-- schemas/grpc-gateway/3.5.x.json | 36 +- schemas/grpc-web/3.5.x.json | 36 +- schemas/hmac-auth/3.5.x.json | 62 +- schemas/http-log/3.5.x.json | 150 +-- schemas/ip-restriction/3.5.x.json | 58 +- schemas/jq/3.5.x.json | 128 +- schemas/jwe-decrypt/3.5.x.json | 42 +- schemas/jwt-signer/3.5.x.json | 478 +++---- schemas/jwt/3.5.x.json | 88 +- schemas/kafka-log/3.5.x.json | 100 +- schemas/kafka-upstream/3.5.x.json | 96 +- schemas/key-auth-enc/3.5.x.json | 32 +- schemas/key-auth/3.5.x.json | 62 +- schemas/konnect-application-auth/3.5.x.json | 60 +- schemas/ldap-auth-advanced/3.5.x.json | 80 +- schemas/ldap-auth/3.5.x.json | 50 +- schemas/loggly/3.5.x.json | 60 +- schemas/mocking/3.5.x.json | 42 +- schemas/mtls-auth/3.5.x.json | 88 +- schemas/oas-validation/3.5.x.json | 76 +- schemas/oauth2-introspection/3.5.x.json | 72 +- schemas/oauth2/3.5.x.json | 84 +- schemas/opa/3.5.x.json | 62 +- schemas/openid-connect/3.5.x.json | 1190 ++++++++--------- schemas/opentelemetry/3.4.x.json | 3 
+ schemas/opentelemetry/3.5.x.json | 151 ++- schemas/post-function/3.5.x.json | 112 +- schemas/pre-function/3.5.x.json | 112 +- schemas/prometheus/3.5.x.json | 32 +- schemas/proxy-cache-advanced/3.5.x.json | 204 +-- schemas/proxy-cache/3.5.x.json | 120 +- schemas/rate-limiting-advanced/3.5.x.json | 164 +-- schemas/rate-limiting/3.5.x.json | 120 +- schemas/request-size-limiting/3.5.x.json | 38 +- schemas/request-termination/3.5.x.json | 56 +- .../request-transformer-advanced/3.5.x.json | 64 +- schemas/request-transformer/3.5.x.json | 104 +- schemas/request-validator/3.5.x.json | 102 +- schemas/response-ratelimiting/3.5.x.json | 102 +- .../response-transformer-advanced/3.5.x.json | 74 +- schemas/response-transformer/3.5.x.json | 142 +- schemas/route-by-header/3.5.x.json | 38 +- schemas/route-transformer-advanced/3.5.x.json | 32 +- schemas/saml/3.5.x.json | 270 ++-- schemas/session/3.5.x.json | 94 +- schemas/statsd-advanced/3.5.x.json | 334 ++--- schemas/statsd/3.5.x.json | 276 ++-- schemas/syslog/3.5.x.json | 82 +- schemas/tcp-log/3.5.x.json | 60 +- schemas/tls-handshake-modifier/3.5.x.json | 22 +- schemas/tls-metadata-headers/3.5.x.json | 26 +- schemas/udp-log/3.5.x.json | 52 +- schemas/upstream-timeout/3.5.x.json | 28 +- schemas/vault-auth/3.5.x.json | 66 +- schemas/websocket-size-limit/3.5.x.json | 24 +- schemas/websocket-validator/3.5.x.json | 88 +- schemas/xml-threat-protection/3.5.x.json | 174 +-- schemas/zipkin/3.5.x.json | 184 +-- 76 files changed, 4129 insertions(+), 4097 deletions(-) diff --git a/schemas/acl/3.4.x.json b/schemas/acl/3.4.x.json index 5354dc36..bba99a43 100644 --- a/schemas/acl/3.4.x.json +++ b/schemas/acl/3.4.x.json @@ -45,7 +45,8 @@ "allow": { "type": "array", "elements": { - "type": "string" + "type": "string", + "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified." } } }, 
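Review bot: The new `description` for `allow` sits inside `elements`, next to the element's `"type": "string"`, rather than on the `allow` field itself, and the `deny` hunk that follows does the same. Other array fields on this page, such as `consumer_claim` in the openid-connect schema, carry `description` beside `"type": "array"`, so a renderer that reads field-level descriptions may show nothing for the two parameters that decide which groups can reach a service or route. The regenerated `schemas/acl/3.5.x.json` has the same placement, so it may mirror upstream. If it does not, move the line up one level, directly after `"type": "array",`.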
@@ -53,7 +54,8 @@ "deny": { "type": "array", "elements": { - "type": "string" + "type": "string", + "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified." } } }, @@ -61,6 +63,7 @@ "hide_groups_header": { "default": false, "type": "boolean", + "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", "required": true } } diff --git a/schemas/acl/3.5.x.json b/schemas/acl/3.5.x.json index f05a40d2..c529e991 100644 --- a/schemas/acl/3.5.x.json +++ b/schemas/acl/3.5.x.json @@ -3,21 +3,29 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
@@ -27,46 +35,41 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "allow": { + "type": "array", "elements": { - "type": "string" - }, - "type": "array" + "type": "string", + "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified." + } } }, { "deny": { + "type": "array", "elements": { - "type": "string" - }, - "type": "array" + "type": "string", + "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified." + } } }, { "hide_groups_header": { - "required": true, + "default": false, "type": "boolean", - "default": false + "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", + "required": true } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/acme/3.5.x.json b/schemas/acme/3.5.x.json index 7f964ef7..6410ffaf 100644 --- a/schemas/acme/3.5.x.json +++ b/schemas/acme/3.5.x.json 
@@ -3,37 +3,45 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "service": { "type": "foreign", - "description": "A reference to the 'services' table with a null value allowed.", "eq": null, - "reference": "services" + "reference": "services", + "description": "A reference to the 'services' table with a null value allowed." } }, { "route": { "type": "foreign", - "description": "A reference to the 'routes' table with a null value allowed.", "eq": null, - "reference": "routes" + "reference": "routes", + "description": "A reference to the 'routes' table with a null value allowed." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
@@ -43,52 +51,42 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "account_email": { - "referenceable": true, - "description": "The account identifier. Can be reused in a different plugin instance.", + "match": "%w*%p*@+%w*%.?%w*", + "required": true, "encrypted": true, + "referenceable": true, "type": "string", - "match": "%w*%p*@+%w*%.?%w*", - "required": true + "description": "The account identifier. Can be reused in a different plugin instance." } }, { "account_key": { - "required": false, - "type": "record", "description": "The private key associated with the account.", "fields": [ { "key_id": { - "required": true, + "description": "The Key ID.", "type": "string", - "description": "The Key ID." + "required": true } }, { "key_set": { - "description": "The ID of the key set to associate the Key ID with.", - "type": "string" + "type": "string", + "description": "The ID of the key set to associate the Key ID with." } } - ] + ], + "type": "record", + "required": false } }, { 
@@ -107,41 +105,41 @@ }, { "eab_kid": { - "encrypted": true, - "type": "string", "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", - "referenceable": true + "referenceable": true, + "type": "string", + "encrypted": true } }, { "eab_hmac_key": { - "encrypted": true, - "type": "string", "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", - "referenceable": true + "referenceable": true, + "type": "string", + "encrypted": true } }, { "cert_type": { - "default": "rsa", - "type": "string", - "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate.", "one_of": [ "rsa", "ecc" - ] + ], + "default": "rsa", + "type": "string", + "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate." } }, { "rsa_key_size": { - "default": 4096, - "type": "number", - "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", "one_of": [ 2048, 3072, 4096 - ] + ], + "default": 4096, + "type": "number", + "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096." } }, { 
@@ -190,27 +188,23 @@ }, { "storage": { - "default": "shm", - "type": "string", - "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well.", "one_of": [ "kong", "shm", "redis", "consul", "vault" - ] + ], + "default": "shm", + "type": "string", + "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well." } }, { "storage_config": { - "required": true, - "type": "record", "fields": [ { "shm": { - "required": true, - "type": "record", "fields": [ { "shm_name": { @@ -219,27 +213,27 @@ "description": "Name of shared memory zone used for Kong API gateway storage" } } - ] + ], + "type": "record", + "required": true } }, { "kong": { - "required": true, - "type": "record", "fields": [ - ] + ], + "type": "record", + "required": true } }, { "redis": { - "required": true, - "type": "record", "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { 
@@ -254,30 +248,30 @@ }, { "database": { - "description": "The index of the Redis database to use.", - "type": "number" + "type": "number", + "description": "The index of the Redis database to use." } }, { "auth": { + "referenceable": true, "type": "string", - "description": "The Redis password to use for authentication. ", - "referenceable": true + "description": "The Redis password to use for authentication. " } }, { "ssl": { + "description": "Whether to use SSL/TLS encryption when connecting to the Redis server.", "default": false, "type": "boolean", - "description": "Whether to use SSL/TLS encryption when connecting to the Redis server.", "required": true } }, { "ssl_verify": { + "description": "Whether to verify the SSL/TLS certificate presented by the Redis server. This should be a boolean value.", "default": false, "type": "boolean", - "description": "Whether to verify the SSL/TLS certificate presented by the Redis server. This should be a boolean value.", "required": true } }, @@ -290,28 +284,28 @@ }, { "namespace": { - "len_min": 0, "type": "string", - "description": "A namespace to prepend to all keys stored in Redis.", + "required": true, + "len_min": 0, "default": "", - "required": true + "description": "A namespace to prepend to all keys stored in Redis." } }, { "scan_count": { + "description": "The number of keys to return in Redis SCAN calls.", "default": 10, "type": "number", - "description": "The number of keys to return in Redis SCAN calls.", "required": false } } - ] + ], + "type": "record", + "required": true } }, { "consul": { - "required": true, - "type": "record", "fields": [ { "https": { @@ -322,8 +316,8 @@ }, { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { 
@@ -338,30 +332,30 @@ }, { "kv_path": { - "description": "KV prefix path.", - "type": "string" + "type": "string", + "description": "KV prefix path." } }, { "timeout": { - "description": "Timeout in milliseconds.", - "type": "number" + "type": "number", + "description": "Timeout in milliseconds." } }, { "token": { + "referenceable": true, "type": "string", - "description": "Consul ACL token.", - "referenceable": true + "description": "Consul ACL token." } } - ] + ], + "type": "record", + "required": true } }, { "vault": { - "required": true, - "type": "record", "fields": [ { "https": { @@ -372,8 +366,8 @@ }, { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { @@ -388,21 +382,21 @@ }, { "kv_path": { - "description": "KV prefix path.", - "type": "string" + "type": "string", + "description": "KV prefix path." } }, { "timeout": { - "description": "Timeout in milliseconds.", - "type": "number" + "type": "number", + "description": "Timeout in milliseconds." } }, { "token": { + "referenceable": true, "type": "string", - "description": "Consul ACL token.", - "referenceable": true + "description": "Consul ACL token." } }, { 
@@ -414,49 +408,53 @@ }, { "tls_server_name": { - "description": "SNI used in request, default to host if omitted.", - "type": "string" + "type": "string", + "description": "SNI used in request, default to host if omitted." } }, { "auth_method": { - "default": "token", - "type": "string", - "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", "one_of": [ "token", "kubernetes" - ] + ], + "default": "token", + "type": "string", + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'." } }, { "auth_path": { - "description": "Vault's authentication path to use.", - "type": "string" + "type": "string", + "description": "Vault's authentication path to use." } }, { "auth_role": { - "description": "The role to try and assign.", - "type": "string" + "type": "string", + "description": "The role to try and assign." } }, { "jwt_path": { - "description": "The path to the JWT.", - "type": "string" + "type": "string", + "description": "The path to the JWT." } } - ] + ], + "type": "record", + "required": true } } - ] + ], + "type": "record", + "required": true } }, { "preferred_chain": { - "description": "A string value that specifies the preferred certificate chain to use when generating certificates.", - "type": "string" + "type": "string", + "description": "A string value that specifies the preferred certificate chain to use when generating certificates." } }, { 
@@ -466,25 +464,27 @@ "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates." } } - ] + ], + "type": "record", + "required": true } } ], "entity_checks": [ { "conditional": { - "then_field": "config.tos_accepted", "then_match": { "eq": true }, - "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", + "then_field": "config.tos_accepted", "if_match": { "one_of": [ "https://acme-v02.api.letsencrypt.org", "https://acme-staging-v02.api.letsencrypt.org" ] }, - "if_field": "config.api_uri" + "if_field": "config.api_uri", + "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/" } }, { diff --git a/schemas/application-registration/3.5.x.json b/schemas/application-registration/3.5.x.json index bc2d64f3..84a7e921 100644 --- a/schemas/application-registration/3.5.x.json +++ b/schemas/application-registration/3.5.x.json @@ -3,29 +3,37 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "service": { + "ne": null, "type": "foreign", "on_delete": "cascade", - "ne": null, "reference": "services" } }, { "route": { "type": "foreign", - "description": "A reference to the 'routes' table with a null value allowed.", "eq": null, - "reference": "routes" + "reference": "routes", + "description": "A reference to the 'routes' table with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
@@ -35,62 +43,54 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "display_name": { - "unique": true, - "type": "string", + "required": true, "description": "Unique display name used for a Service in the Developer Portal.", - "required": true + "type": "string", + "unique": true } }, { "description": { - "unique": true, + "description": "Unique description displayed in information about a Service in the Developer Portal.", "type": "string", - "description": "Unique description displayed in information about a Service in the Developer Portal." + "unique": true } }, { "auto_approve": { + "required": true, "default": false, "type": "boolean", - "description": "If enabled, all new Service Contracts requests are automatically approved.", - "required": true + "description": "If enabled, all new Service Contracts requests are automatically approved." } }, { "show_issuer": { + "required": true, "default": false, "type": "boolean", - "description": "Displays the **Issuer URL** in the **Service Details** dialog.", - "required": true + "description": "Displays the **Issuer URL** in the **Service Details** dialog." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/aws-lambda/3.5.x.json b/schemas/aws-lambda/3.5.x.json index 1bdba91f..da326b61 100644 --- a/schemas/aws-lambda/3.5.x.json +++ b/schemas/aws-lambda/3.5.x.json 
@@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
@@ -11,68 +19,58 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "timeout": { "required": true, + "default": 60000, "type": "number", - "description": "An optional timeout in milliseconds when invoking the function.", - "default": 60000 + "description": "An optional timeout in milliseconds when invoking the function." } }, { "keepalive": { "required": true, + "default": 60000, "type": "number", - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", - "default": 60000 + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." } }, { "aws_key": { "encrypted": true, "referenceable": true, - "description": "The AWS key credential to be used when invoking the function.", - "type": "string" + "type": "string", + "description": "The AWS key credential to be used when invoking the function." } }, { "aws_secret": { "encrypted": true, "referenceable": true, - "description": "The AWS secret credential to be used when invoking the function. ", - "type": "string" + "type": "string", + "description": "The AWS secret credential to be used when invoking the function. 
" } }, { "aws_assume_role_arn": { "encrypted": true, "referenceable": true, - "description": "The target AWS IAM role ARN used to invoke the Lambda function.", - "type": "string" + "type": "string", + "description": "The target AWS IAM role ARN used to invoke the Lambda function." } }, { @@ -84,8 +82,8 @@ }, { "aws_region": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { 
@@ -97,56 +95,56 @@ }, { "qualifier": { - "description": "The qualifier to use when invoking the function.", - "type": "string" + "type": "string", + "description": "The qualifier to use when invoking the function." } }, { "invocation_type": { "type": "string", - "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", - "default": "RequestResponse", "required": true, "one_of": [ "RequestResponse", "Event", "DryRun" - ] + ], + "default": "RequestResponse", + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun." } }, { "log_type": { "type": "string", - "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", - "default": "Tail", "required": true, "one_of": [ "Tail", "None" - ] + ], + "default": "Tail", + "description": "The LogType to use when invoking the function. By default, None and Tail are supported." } }, { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "default": 443, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 443, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "disable_https": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { @@ -203,8 +201,8 @@ }, { "proxy_url": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { 
@@ -224,16 +222,18 @@ { "aws_imds_protocol_version": { "type": "string", - "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", - "default": "v1", "required": true, "one_of": [ "v1", "v2" - ] + ], + "default": "v1", + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/azure-functions/3.5.x.json b/schemas/azure-functions/3.5.x.json index 0f181b75..d6d7dc46 100644 --- a/schemas/azure-functions/3.5.x.json +++ b/schemas/azure-functions/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "one_of": [ "grpc", @@ -15,32 +23,22 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string" + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "timeout": { 
@@ -72,33 +70,33 @@ }, { "apikey": { - "encrypted": true, - "type": "string", "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", - "referenceable": true + "referenceable": true, + "type": "string", + "encrypted": true } }, { "clientid": { - "encrypted": true, - "type": "string", "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.", - "referenceable": true + "referenceable": true, + "type": "string", + "encrypted": true } }, { "appname": { - "required": true, + "description": "The Azure app name.", "type": "string", - "description": "The Azure app name." + "required": true } }, { "hostdomain": { - "required": true, - "type": "string", "description": "The domain where the function resides.", - "default": "azurewebsites.net" + "default": "azurewebsites.net", + "type": "string", + "required": true } }, { @@ -110,12 +108,14 @@ }, { "functionname": { - "required": true, + "description": "Name of the Azure function to invoke.", "type": "string", - "description": "Name of the Azure function to invoke." + "required": true } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/basic-auth/3.5.x.json b/schemas/basic-auth/3.5.x.json index bb1cf5d0..d3ad618f 100644 --- a/schemas/basic-auth/3.5.x.json +++ b/schemas/basic-auth/3.5.x.json @@ -3,15 +3,14 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, - "type": "set", "default": [ "grpc", "grpcs", @@ -20,6 +19,7 @@ "ws", "wss" ], + "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -36,31 +36,31 @@ { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "anonymous": { - "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`.", - "type": "string" + "type": "string", + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { "hide_credentials": { + "required": true, "default": false, "type": "boolean", - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", - "required": true + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/bot-detection/3.5.x.json b/schemas/bot-detection/3.5.x.json index 86d31e9f..bdb35f4c 100644 --- a/schemas/bot-detection/3.5.x.json +++ b/schemas/bot-detection/3.5.x.json 
@@ -3,13 +3,21 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ @@ -19,57 +27,49 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "allow": { - "elements": { - "is_regex": true, - "type": "string" - }, - "type": "array", "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", "default": [ - ] + ], + "type": "array", + "elements": { + "type": "string", + "is_regex": true + } } }, { "deny": { - "elements": { - "is_regex": true, - "type": "string" - }, - "type": "array", "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", "default": [ - ] + ], + "type": "array", + "elements": { + "type": "string", + "is_regex": true + } } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/canary/3.5.x.json b/schemas/canary/3.5.x.json index 26b4448a..157a29c4 100644 --- a/schemas/canary/3.5.x.json 
+++ b/schemas/canary/3.5.x.json @@ -3,21 +3,29 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ @@ -27,15 +35,7 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { 
@@ -43,25 +43,20 @@ "shorthand_fields": [ { "hash": { - "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead.", - "type": "string" + "type": "string", + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead." } } ], - "type": "record", - "required": true, "fields": [ { "start": { - "description": "Future time in seconds since epoch, when the canary release will start. Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`.", - "type": "number" + "type": "number", + "description": "Future time in seconds since epoch, when the canary release will start. Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`." } }, { "hash": { - "default": "consumer", - "type": "string", - "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", "one_of": [ "consumer", "ip", 
@@ -69,29 +64,32 @@ "allow", "deny", "header" - ] + ], + "default": "consumer", + "type": "string", + "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value." } }, { "hash_header": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." } }, { "duration": { + "gt": 0, "default": 3600, "type": "number", - "description": "The duration of the canary release in seconds.", - "gt": 0 + "description": "The duration of the canary release in seconds." } }, { "steps": { + "gt": 1, "default": 1000, "type": "number", - "description": "The number of steps for the canary release.", - "gt": 1 + "description": "The number of steps for the canary release." } }, { @@ -106,8 +104,8 @@ }, { "upstream_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { 
@@ -129,28 +127,30 @@ }, { "upstream_fallback": { - "required": true, - "type": "boolean", "description": "Specifies whether to fallback to the upstream server if the canary release fails.", - "default": false + "default": false, + "type": "boolean", + "required": true } }, { "groups": { + "description": "The groups allowed to access the canary release.", + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "description": "The groups allowed to access the canary release." + } } }, { "canary_by_header_name": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/correlation-id/3.5.x.json b/schemas/correlation-id/3.5.x.json index 31e905c2..0508475f 100644 --- a/schemas/correlation-id/3.5.x.json +++ b/schemas/correlation-id/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ @@ -11,29 +19,19 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "header_name": { 
@@ -44,25 +42,27 @@ }, { "generator": { - "default": "uuid#counter", - "type": "string", - "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", "one_of": [ "uuid", "uuid#counter", "tracker" - ] + ], + "default": "uuid#counter", + "type": "string", + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators)." } }, { "echo_downstream": { + "required": true, "default": false, "type": "boolean", - "description": "Whether to echo the header back to downstream (the client).", - "required": true + "description": "Whether to echo the header back to downstream (the client)." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/cors/3.5.x.json b/schemas/cors/3.5.x.json index 42d55c67..030c5bcf 100644 --- a/schemas/cors/3.5.x.json +++ b/schemas/cors/3.5.x.json @@ -3,15 +3,23 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { - "required": true, + "len_min": 1, "one_of": [ "grpc", "grpcs", 
@@ -19,61 +27,52 @@ "https" ], "type": "string", - "len_min": 1 + "required": true }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "origins": { + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.", + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes." + } } }, { "headers": { + "description": "Value for the `Access-Control-Allow-Headers` header.", + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "description": "Value for the `Access-Control-Allow-Headers` header." + } } }, { "exposed_headers": { + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed." + } } }, { "methods": { + "description": "'Value for the `Access-Control-Allow-Methods` header. 
Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", "default": [ "GET", "HEAD", @@ -86,7 +85,6 @@ "CONNECT" ], "type": "array", - "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", "elements": { "type": "string", "one_of": [ @@ -105,35 +103,37 @@ }, { "max_age": { - "description": "Indicates how long the results of the preflight request can be cached, in `seconds`.", - "type": "number" + "type": "number", + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`." } }, { "credentials": { "required": true, + "default": false, "type": "boolean", - "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", - "default": false + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value." } }, { "private_network": { "required": true, + "default": false, "type": "boolean", - "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", - "default": false + "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value." } }, { "preflight_continue": { "required": true, + "default": false, "type": "boolean", - "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", - "default": false + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service." } } - ] + ], + "type": "record", + "required": true } } ], 
diff --git a/schemas/datadog/3.5.x.json b/schemas/datadog/3.5.x.json index 6950e0d3..14aa7757 100644 --- a/schemas/datadog/3.5.x.json +++ b/schemas/datadog/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "one_of": [ "grpc", @@ -15,32 +23,22 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string" + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "entity_checks": [ { "custom_entity_check": { @@ -57,19 +55,19 @@ "host": { "default": "localhost", "referenceable": true, - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "default": 8125, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 8125, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { 
@@ -102,64 +100,62 @@ }, { "retry_count": { - "description": "Number of times to retry when sending data to the upstream server.", - "type": "integer" + "type": "integer", + "description": "Number of times to retry when sending data to the upstream server." } }, { "queue_size": { - "description": "Maximum number of log entries to be sent on each message to the upstream server.", - "type": "integer" + "type": "integer", + "description": "Maximum number of log entries to be sent on each message to the upstream server." } }, { "flush_timeout": { - "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", - "type": "number" + "type": "number", + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records." } }, { "queue": { - "required": true, - "type": "record", "fields": [ { "max_batch_size": { - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 - ] + ], + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 - ] + ], + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 - ] + ], + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue." 
} }, { "max_bytes": { - "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", - "type": "integer" + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." } }, { 
@@ -171,56 +167,92 @@ }, { "initial_retry_delay": { - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 - ] + ], + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff." } } - ] + ], + "type": "record", + "required": true } }, { "metrics": { + "type": "array", + "required": true, + "default": [ + { + "sample_rate": 1, + "stat_type": "counter", + "name": "request_count", + "consumer_identifier": "custom_id", + "tags": [ + "app:kong" + ] + }, + { + "name": "latency", + "consumer_identifier": "custom_id", + "tags": [ + "app:kong" + ], + "stat_type": "timer" + }, + { + "name": "request_size", + "consumer_identifier": "custom_id", + "tags": [ + "app:kong" + ], + "stat_type": "timer" + }, + { + "name": "response_size", + "consumer_identifier": "custom_id", + "tags": [ + "app:kong" + ], + "stat_type": "timer" + }, + { + "name": "upstream_latency", + "consumer_identifier": "custom_id", + "tags": [ + "app:kong" + ], + "stat_type": "timer" + }, + { + "name": "kong_latency", + "consumer_identifier": "custom_id", + "tags": [ + "app:kong" + ], + "stat_type": "timer" + } + ], + "description": "List of metrics to be logged.", "elements": { - "entity_checks": [ - { - "conditional": { - "then_field": "sample_rate", - "if_match": { - "one_of": [ - "counter", - "gauge" - ] - }, - "then_match": { - "required": true - }, - "if_field": "stat_type" - } - } - ], - "type": "record", "fields": [ { "name": { "required": true, - "type": "string", - "description": "Datadog metric’s name", "one_of": [ 
"kong_latency", "latency", @@ -228,14 +260,14 @@ "request_size", "response_size", "upstream_latency" - ] + ], + "type": "string", + "description": "Datadog metric’s name" } }, { "stat_type": { "required": true, - "type": "string", - "description": "Determines what sort of event the metric represents", "one_of": [ "counter", "gauge", @@ -244,17 +276,19 @@ "set", "timer", "distribution" - ] + ], + "type": "string", + "description": "Determines what sort of event the metric represents" } }, { "tags": { + "description": "List of tags", + "type": "array", "elements": { "match": "^.*[^:]$", "type": "string" - }, - "type": "array", - "description": "List of tags" + } } }, { 
@@ -269,74 +303,40 @@ }, { "consumer_identifier": { - "type": "string", - "description": "Authenticated user detail", "one_of": [ "consumer_id", "custom_id", "username" - ] + ], + "type": "string", + "description": "Authenticated user detail" + } + } + ], + "type": "record", + "entity_checks": [ + { + "conditional": { + "then_field": "sample_rate", + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_match": { + "required": true + }, + "if_field": "stat_type" } } ] - }, - "type": "array", - "description": "List of metrics to be logged.", - "required": true, - "default": [ - { - "sample_rate": 1, - "stat_type": "counter", - "name": "request_count", - "consumer_identifier": "custom_id", - "tags": [ - "app:kong" - ] - }, - { - "name": "latency", - "consumer_identifier": "custom_id", - "stat_type": "timer", - "tags": [ - "app:kong" - ] - }, - { - "name": "request_size", - "consumer_identifier": "custom_id", - "stat_type": "timer", - "tags": [ - "app:kong" - ] - }, - { - "name": "response_size", - "consumer_identifier": "custom_id", - "stat_type": "timer", - "tags": [ - "app:kong" - ] - }, - { - "name": "upstream_latency", - "consumer_identifier": "custom_id", - "stat_type": "timer", - "tags": [ - "app:kong" - ] - }, - { - "name": "kong_latency", - "consumer_identifier": "custom_id", - "stat_type": "timer", - "tags": [ - "app:kong" - ] - } - ] + } } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/degraphql/3.5.x.json b/schemas/degraphql/3.5.x.json index 88b03f5f..62526fb7 100644 --- a/schemas/degraphql/3.5.x.json +++ b/schemas/degraphql/3.5.x.json 
@@ -3,13 +3,21 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ @@ -19,35 +27,25 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "graphql_server_path": { - "starts_with": "/", "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "required": true, + "starts_with": "/", "default": "/graphql", "match_none": [ { @@ -55,10 +53,12 @@ "err": "must not have empty segments" } ], - "required": true + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/exit-transformer/3.5.x.json b/schemas/exit-transformer/3.5.x.json index 271b24b3..9ae7db93 100644 --- a/schemas/exit-transformer/3.5.x.json +++ b/schemas/exit-transformer/3.5.x.json 
@@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ @@ -11,29 +19,19 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "functions": { @@ -58,7 +56,9 @@ "description": "Determines whether to handle unexpected errors by transforming their responses." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/file-log/3.5.x.json b/schemas/file-log/3.5.x.json index 9e4401a6..7f7b04c2 100644 --- a/schemas/file-log/3.5.x.json +++ b/schemas/file-log/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "one_of": [ "grpc", 
@@ -15,65 +23,57 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string" + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "path": { "type": "string", - "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", "required": true, "err": "not a valid filename", - "match": "^[^*&%%\\`]+$" + "match": "^[^*&%%\\`]+$", + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet." } }, { "reopen": { "required": true, + "default": false, "type": "boolean", - "description": "Determines whether the log file is closed and reopened on every request.", - "default": false + "description": "Determines whether the log file is closed and reopened on every request." } }, { "custom_fields_by_lua": { - "values": { - "len_min": 1, - "type": "string" + "keys": { + "type": "string", + "len_min": 1 }, "type": "map", - "description": "Lua code as a key-value map", - "keys": { + "values": { "len_min": 1, "type": "string" - } + }, + "description": "Lua code as a key-value map" } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/forward-proxy/3.5.x.json b/schemas/forward-proxy/3.5.x.json index d3080f7f..e1859875 100644 --- a/schemas/forward-proxy/3.5.x.json 
+++ b/schemas/forward-proxy/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ @@ -11,23 +19,15 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -44,25 +44,24 @@ } } ], - "type": "record", "fields": [ { "x_headers": { "type": "string", - "description": "Determines how to handle headers when forwarding the request.", - "default": "append", "required": true, "one_of": [ "append", "transparent", "delete" - ] + ], + "default": "append", + "description": "Determines how to handle headers when forwarding the request." } }, { "http_proxy_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { @@ -77,8 +76,8 @@ }, { "https_proxy_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { 
@@ -94,39 +93,40 @@ { "proxy_scheme": { "type": "string", - "description": "The proxy scheme to use when connecting. Only `http` is supported.", - "default": "http", "required": true, "one_of": [ "http" - ] + ], + "default": "http", + "description": "The proxy scheme to use when connecting. Only `http` is supported." } }, { "auth_username": { - "required": false, - "type": "string", "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", - "referenceable": true + "referenceable": true, + "type": "string", + "required": false } }, { "auth_password": { - "required": false, - "type": "string", "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", - "referenceable": true + "referenceable": true, + "type": "string", + "required": false } }, { "https_verify": { "required": true, + "default": false, "type": "boolean", - "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", - "default": false + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate." } } ], + "type": "record", "required": true, "entity_checks": [ { diff --git a/schemas/graphql-proxy-cache-advanced/3.5.x.json b/schemas/graphql-proxy-cache-advanced/3.5.x.json index 20acb40a..1371b3c2 100644 --- a/schemas/graphql-proxy-cache-advanced/3.5.x.json +++ b/schemas/graphql-proxy-cache-advanced/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
@@ -11,75 +19,67 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "strategy": { "type": "string", - "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", "required": true, - "default": "memory", "one_of": [ "memory" - ] + ], + "default": "memory", + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`." } }, { "cache_ttl": { + "gt": 0, "default": 300, "type": "integer", - "description": "TTL in seconds of cache entities. Must be a value greater than 0.", - "gt": 0 + "description": "TTL in seconds of cache entities. Must be a value greater than 0." } }, { "memory": { - "required": true, - "type": "record", "fields": [ { "dictionary_name": { - "required": true, - "type": "string", "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", - "default": "kong_db_cache" + "default": "kong_db_cache", + "type": "string", + "required": true } } - ] + ], + "type": "record", + "required": true } }, { "vary_headers": { + "description": "Relevant headers considered for the cache key. 
If undefined, none of the headers are taken into consideration.", + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." + } } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/graphql-rate-limiting-advanced/3.5.x.json b/schemas/graphql-rate-limiting-advanced/3.5.x.json index 62be0d4c..828a56eb 100644 --- a/schemas/graphql-rate-limiting-advanced/3.5.x.json +++ b/schemas/graphql-rate-limiting-advanced/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
@@ -11,106 +19,96 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "identifier": { "type": "string", - "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", "required": true, - "default": "consumer", "one_of": [ "ip", "credential", "consumer" - ] + ], + "default": "consumer", + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`." } }, { "window_size": { - "required": true, - "type": "array", "description": "One or more window sizes to apply a limit to (defined in seconds).", "elements": { "type": "number" - } + }, + "type": "array", + "required": true } }, { "window_type": { - "default": "sliding", - "type": "string", - "description": "Sets the time window to either `sliding` or `fixed`.", "one_of": [ "fixed", "sliding" - ] + ], + "default": "sliding", + "type": "string", + "description": "Sets the time window to either `sliding` or `fixed`." } }, { "limit": { - "required": true, - "type": "array", "description": "One or more requests-per-window limits to apply.", "elements": { "type": "number" - } + }, + "type": "array", + "required": true } }, { "sync_rate": { - "required": true, + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. 
A value greater than 0 syncs the counters in that many number of seconds.", "type": "number", - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds." + "required": true } }, { "namespace": { - "type": "string", "auto": true, + "type": "string", "description": "The rate limiting library namespace to use for this plugin instance. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same." } }, { "strategy": { "type": "string", - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", "required": true, - "default": "cluster", "one_of": [ "cluster", "redis" - ] + ], + "default": "cluster", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits." } }, { "dictionary_name": { - "required": true, - "type": "string", "description": "The shared dictionary where counters will be stored until the next sync cycle.", - "default": "kong_rate_limiting_counters" + "default": "kong_rate_limiting_counters", + "type": "string", + "required": true } }, { 
@@ -122,36 +120,34 @@ }, { "cost_strategy": { - "default": "default", - "type": "string", - "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", "one_of": [ "default", "node_quantifier" - ] + ], + "default": "default", + "type": "string", + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`." } }, { "score_factor": { + "gt": 0, "type": "number", - "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", "required": false, - "gt": 0, - "default": 1 + "default": 1, + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0." } }, { "max_cost": { - "required": false, - "type": "number", "description": "A defined maximum cost per query. 0 means unlimited.", - "default": 0 + "default": 0, + "type": "number", + "required": false } }, { "redis": { - "required": true, - "type": "record", "entity_checks": [ { "mutually_exclusive_sets": { @@ -213,8 +209,8 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { @@ -229,13 +225,13 @@ }, { "timeout": { - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { 
@@ -271,31 +267,31 @@ { "username": { "referenceable": true, - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", - "type": "string" + "type": "string", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." } }, { "password": { - "encrypted": true, - "referenceable": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "type": "string" + "referenceable": true, + "type": "string", + "encrypted": true } }, { "sentinel_username": { "referenceable": true, - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string" + "type": "string", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." } }, { "sentinel_password": { - "encrypted": true, - "referenceable": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "type": "string" + "referenceable": true, + "type": "string", + "encrypted": true } }, { 
@@ -307,13 +303,13 @@ }, { "keepalive_pool_size": { - "default": 256, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 - ] + ], + "default": 256, + "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." } }, { 
@@ -328,55 +324,55 @@ }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", "one_of": [ "master", "slave", "any" - ] + ], + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." } }, { "sentinel_addresses": { "len_min": 1, - "type": "array", - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" - } + }, + "type": "array", + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element." } }, { "cluster_addresses": { "len_min": 1, - "type": "array", - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" - } + }, + "type": "array", + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element." 
} }, { "ssl": { - "required": false, - "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", - "default": false + "default": false, + "type": "boolean", + "required": false } }, { "ssl_verify": { - "required": false, - "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "default": false + "default": false, + "type": "boolean", + "required": false } }, { @@ -386,10 +382,14 @@ "description": "A string representing an SNI (server name indication) value for TLS." } } - ] + ], + "type": "record", + "required": true } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/grpc-gateway/3.5.x.json b/schemas/grpc-gateway/3.5.x.json index fbf66260..4739d952 100644 --- a/schemas/grpc-gateway/3.5.x.json +++ b/schemas/grpc-gateway/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "one_of": [ "grpc", 
@@ -15,41 +23,33 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string" + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "proto": { - "required": false, + "description": "Describes the gRPC types and methods.", "type": "string", - "description": "Describes the gRPC types and methods." + "required": false } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/grpc-web/3.5.x.json b/schemas/grpc-web/3.5.x.json index 684868ca..94790924 100644 --- a/schemas/grpc-web/3.5.x.json +++ b/schemas/grpc-web/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "one_of": [ "grpc", 
@@ -15,32 +23,22 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string" + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "proto": { @@ -58,13 +56,15 @@ }, { "allow_origin_header": { + "required": false, "default": "*", "type": "string", - "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", - "required": false + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/hmac-auth/3.5.x.json b/schemas/hmac-auth/3.5.x.json index 70014e9b..8aec8cbe 100644 --- a/schemas/hmac-auth/3.5.x.json +++ b/schemas/hmac-auth/3.5.x.json @@ -3,15 +3,14 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, - "type": "set", "default": [ "grpc", "grpcs", @@ -20,6 +19,7 @@ "ws", "wss" ], + "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -36,60 +36,66 @@ { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "hide_credentials": { + "required": true, "default": false, "type": "boolean", - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", - "required": true + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service." } }, { "clock_skew": { - "default": 300, "gt": 0, - "description": "Clock skew in seconds to prevent replay attacks.", - "type": "number" + "default": 300, + "type": "number", + "description": "Clock skew in seconds to prevent replay attacks." } }, { "anonymous": { - "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", - "type": "string" + "type": "string", + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." } }, { "validate_request_body": { + "required": true, "default": false, "type": "boolean", - "description": "A boolean value telling the plugin to enable body validation.", - "required": true + "description": "A boolean value telling the plugin to enable body validation." } }, { "enforce_headers": { - "elements": { - "type": "string" - }, - "type": "array", "description": "A list of headers that the client should at least use for HTTP signature creation.", "default": [ - ] + ], + "type": "array", + "elements": { + "type": "string" + } } }, { "algorithms": { + "description": "A list of HMAC digest algorithms that the user wants to support. 
Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "type": "array", "elements": { "type": "string", "one_of": [ @@ -98,18 +104,12 @@ "hmac-sha384", "hmac-sha512" ] - }, - "type": "array", - "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", - "default": [ - "hmac-sha1", - "hmac-sha256", - "hmac-sha384", - "hmac-sha512" - ] + } } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/http-log/3.5.x.json b/schemas/http-log/3.5.x.json index da896d6f..a0133ee6 100644 --- a/schemas/http-log/3.5.x.json +++ b/schemas/http-log/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "one_of": [ "grpc", @@ -15,31 +23,22 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string" + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, "entity_checks": [ { "custom_entity_check": { 
@@ -51,38 +50,37 @@ } } ], - "type": "record", "fields": [ { "http_endpoint": { - "referenceable": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "encrypted": true, "type": "string", - "required": true + "encrypted": true, + "referenceable": true, + "required": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "method": { - "default": "POST", - "type": "string", - "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", "one_of": [ "POST", "PUT", "PATCH" - ] + ], + "default": "POST", + "type": "string", + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`." } }, { "content_type": { - "default": "application/json", - "type": "string", - "description": "Indicates the type of data sent. The only available option is `application/json`.", "one_of": [ "application/json", "application/json; charset=utf-8" - ] + ], + "default": "application/json", + "type": "string", + "description": "Indicates the type of data sent. The only available option is `application/json`." } }, { 
@@ -101,33 +99,25 @@ }, { "retry_count": { - "description": "Number of times to retry when sending data to the upstream server.", - "type": "integer" + "type": "integer", + "description": "Number of times to retry when sending data to the upstream server." } }, { "queue_size": { - "description": "Maximum number of log entries to be sent on each message to the upstream server.", - "type": "integer" + "type": "integer", + "description": "Maximum number of log entries to be sent on each message to the upstream server." } }, { "flush_timeout": { - "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", - "type": "number" + "type": "number", + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records." } }, { "headers": { - "values": { - "referenceable": true, - "type": "string" - }, - "type": "map", - "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", "keys": { - "type": "string", - "description": "A string representing an HTTP header name.", "match_none": [ { "pattern": "^[Hh][Oo][Ss][Tt]$", 
@@ -141,52 +131,58 @@ "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$", "err": "cannot contain 'Content-Type' header" } - ] - } + ], + "type": "string", + "description": "A string representing an HTTP header name." + }, + "type": "map", + "values": { + "type": "string", + "referenceable": true + }, + "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string." } }, { "queue": { - "required": true, - "type": "record", "fields": [ { "max_batch_size": { - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 - ] + ], + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 - ] + ], + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 - ] + ], + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue." } }, { "max_bytes": { - "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", - "type": "integer" + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." } }, { 
@@ -198,44 +194,48 @@ }, { "initial_retry_delay": { - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 - ] + ], + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff." } } - ] + ], + "type": "record", + "required": true } }, { "custom_fields_by_lua": { - "values": { - "len_min": 1, - "type": "string" + "keys": { + "type": "string", + "len_min": 1 }, "type": "map", - "description": "Lua code as a key-value map", - "keys": { + "values": { "len_min": 1, "type": "string" - } + }, + "description": "Lua code as a key-value map" } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/ip-restriction/3.5.x.json b/schemas/ip-restriction/3.5.x.json index ca61af68..d3d59adc 100644 --- a/schemas/ip-restriction/3.5.x.json +++ b/schemas/ip-restriction/3.5.x.json @@ -2,6 +2,17 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "http", + "https", + "tcp", + "tls", + "grpc", + "grpcs" + ], + "description": "A set of strings representing protocols.", "elements": { "one_of": [ "grpc", 
@@ -15,53 +26,40 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string" - }, - "type": "set", - "description": "A set of strings representing protocols.", - "default": [ - "http", - "https", - "tcp", - "tls", - "grpc", - "grpcs" - ], - "required": true + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + } } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "allow": { - "elements": { - "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", - "type": "string" - }, + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", "type": "array", - "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified." + "elements": { + "type": "string", + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + } } }, { "deny": { - "elements": { - "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", - "type": "string" - }, + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", "type": "array", - "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified." + "elements": { + "type": "string", + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + } } }, { 
@@ -78,7 +76,9 @@ "description": "The message to send as a response body to rejected requests." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/jq/3.5.x.json b/schemas/jq/3.5.x.json index 559e162e..fd328866 100644 --- a/schemas/jq/3.5.x.json +++ b/schemas/jq/3.5.x.json @@ -3,13 +3,21 @@ { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ @@ -19,21 +27,11 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "config": { - "required": true, - "type": "record", "entity_checks": [ { "at_least_one_of": [ 
@@ -45,149 +43,151 @@ "fields": [ { "request_jq_program": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "request_jq_program_options": { - "required": false, - "type": "record", - "default": [ - - ], "fields": [ { "compact_output": { - "required": true, + "default": true, "type": "boolean", - "default": true + "required": true } }, { "raw_output": { - "required": true, + "default": false, "type": "boolean", - "default": false + "required": true } }, { "join_output": { - "required": true, + "default": false, "type": "boolean", - "default": false + "required": true } }, { "ascii_output": { - "required": true, + "default": false, "type": "boolean", - "default": false + "required": true } }, { "sort_keys": { - "required": true, + "default": false, "type": "boolean", - "default": false + "required": true } } - ] + ], + "default": [ + + ], + "type": "record", + "required": false } }, { "request_if_media_type": { "required": false, + "default": [ + "application/json" + ], "type": "array", "elements": { "type": "string" - }, - "default": [ - "application/json" - ] + } } }, { "response_jq_program": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "response_jq_program_options": { - "required": false, - "type": "record", - "default": [ - - ], "fields": [ { "compact_output": { - "required": true, + "default": true, "type": "boolean", - "default": true + "required": true } }, { "raw_output": { - "required": true, + "default": false, "type": "boolean", - "default": false + "required": true } }, { "join_output": { - "required": true, + "default": false, "type": "boolean", - "default": false + "required": true } }, { "ascii_output": { - "required": true, + "default": false, "type": "boolean", - "default": false + "required": true } }, { "sort_keys": { - "required": true, + "default": false, "type": "boolean", - "default": false + "required": true } } - ] + ], + "default": [ + + ], + "type": "record", 
+ "required": false } }, { "response_if_media_type": { "required": false, + "default": [ + "application/json" + ], "type": "array", "elements": { "type": "string" - }, - "default": [ - "application/json" - ] + } } }, { "response_if_status_code": { "required": false, + "default": [ + 200 + ], "type": "array", "elements": { + "type": "integer", "between": [ 100, 599 - ], - "type": "integer" - }, - "default": [ - 200 - ] + ] + } } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/jwe-decrypt/3.5.x.json b/schemas/jwe-decrypt/3.5.x.json index 1992c265..5e7a808b 100644 --- a/schemas/jwe-decrypt/3.5.x.json +++ b/schemas/jwe-decrypt/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
@@ -11,62 +19,52 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "lookup_header_name": { + "description": "The name of the header to look for the JWE token.", "default": "Authorization", "type": "string", - "description": "The name of the header to look for the JWE token.", "required": true } }, { "forward_header_name": { + "description": "The name of the header that is used to set the decrypted value.", "default": "Authorization", "type": "string", - "description": "The name of the header that is used to set the decrypted value.", "required": true } }, { "key_sets": { - "required": true, - "type": "array", "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", "elements": { "type": "string" - } + }, + "type": "array", + "required": true } }, { 
@@ -76,7 +74,9 @@ "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/jwt-signer/3.5.x.json b/schemas/jwt-signer/3.5.x.json index 3c935d36..0f57a4e2 100644 --- a/schemas/jwt-signer/3.5.x.json +++ b/schemas/jwt-signer/3.5.x.json @@ -3,13 +3,21 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
@@ -19,127 +27,123 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "realm": { - "required": false, + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", "type": "string", - "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value." + "required": false } }, { "enable_hs_signatures": { - "required": false, - "type": "boolean", "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting.", - "default": false + "default": false, + "type": "boolean", + "required": false } }, { "enable_instrumentation": { - "required": false, - "type": "boolean", "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", - "default": false + "default": false, + "type": "boolean", + "required": false } }, { "access_token_issuer": { - "required": false, - "type": "string", "description": "The `iss` claim of a signed or re-signed access token is set to this value. 
Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", - "default": "kong" + "default": "kong", + "type": "string", + "required": false } }, { "access_token_keyset": { - "required": false, - "type": "string", "description": "The name of the keyset containing signing keys.", - "default": "kong" + "default": "kong", + "type": "string", + "required": false } }, { "access_token_jwks_uri": { - "required": false, + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", "type": "string", - "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token." + "required": false } }, { "access_token_request_header": { - "required": false, - "type": "string", "description": "This parameter tells the name of the header where to look for the access token.", - "default": "Authorization" + "default": "Authorization", + "type": "string", + "required": false } }, { "access_token_leeway": { - "required": false, - "type": "number", "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. 
You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", - "default": 0 + "default": 0, + "type": "number", + "required": false } }, { "access_token_scopes_required": { - "required": false, - "type": "array", "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "access_token_scopes_claim": { - "elements": { - "type": "string" - }, "type": "array", - "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", "required": false, "default": [ "scope" - ] + ], + "elements": { + "type": "string" + }, + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`." } }, { "access_token_consumer_claim": { - "required": false, - "type": "array", "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "access_token_consumer_by": { + "type": "array", + "required": false, + "default": [ + "username", + "custom_id" + ], "elements": { "type": "string", "one_of": [ 
@@ -148,105 +152,105 @@ "custom_id" ] }, - "type": "array", - "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", - "required": false, - "default": [ - "username", - "custom_id" - ] + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`." } }, { "access_token_upstream_header": { - "required": false, - "type": "string", "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. 
If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", - "default": "Authorization:Bearer" + "default": "Authorization:Bearer", + "type": "string", + "required": false } }, { "access_token_upstream_leeway": { - "required": false, - "type": "number", "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", - "default": 0 + "default": 0, + "type": "number", + "required": false } }, { "access_token_introspection_endpoint": { - "required": false, + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", "type": "string", - "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter." + "required": false } }, { "access_token_introspection_authorization": { - "required": false, + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", "type": "string", - "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter." + "required": false } }, { "access_token_introspection_body_args": { - "required": false, + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", "type": "string", - "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`." 
+ "required": false } }, { "access_token_introspection_hint": { - "required": false, - "type": "string", "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", - "default": "access_token" + "default": "access_token", + "type": "string", + "required": false } }, { "access_token_introspection_jwt_claim": { - "required": false, - "type": "array", "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "access_token_introspection_scopes_required": { - "required": false, - "type": "array", "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "access_token_introspection_scopes_claim": { - "elements": { - "type": "string" - }, "type": "array", - "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). 
If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", "required": true, "default": [ "scope" - ] + ], + "elements": { + "type": "string" + }, + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`." } }, { "access_token_introspection_consumer_claim": { - "required": false, - "type": "array", "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "access_token_introspection_consumer_by": { + "type": "array", + "required": false, + "default": [ + "username", + "custom_id" + ], "elements": { "type": "string", "one_of": [ 
@@ -255,35 +259,27 @@ "custom_id" ] }, - "type": "array", - "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.", - "required": false, - "default": [ - "username", - "custom_id" - ] + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values." } }, { "access_token_introspection_leeway": { - "required": false, - "type": "number", "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", - "default": 0 + "default": 0, + "type": "number", + "required": false } }, { "access_token_introspection_timeout": { - "required": false, + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", "type": "number", - "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection." 
+ "required": false } }, { "access_token_signing_algorithm": { "type": "string", - "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", - "default": "RS256", "required": true, "one_of": [ "HS256", 
@@ -298,154 +294,162 @@ "PS384", "PS512", "EdDSA" - ] + ], + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm." } }, { "access_token_optional": { - "required": false, - "type": "boolean", "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect", - "default": false + "default": false, + "type": "boolean", + "required": false } }, { "verify_access_token_signature": { - "required": false, - "type": "boolean", "description": "Quickly turn access token signature verification off and on as needed.", - "default": true + "default": true, + "type": "boolean", + "required": false } }, { "verify_access_token_expiry": { - "required": false, - "type": "boolean", "description": "Quickly turn access token expiry verification off and on as needed.", - "default": true + "default": true, + "type": "boolean", + "required": false } }, { "verify_access_token_scopes": { - "required": false, - "type": "boolean", "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", - "default": true + "default": true, + "type": "boolean", + "required": false } }, { "verify_access_token_introspection_expiry": { - "required": false, - "type": "boolean", "description": "Quickly turn 
access token introspection expiry verification off and on as needed.", - "default": true + "default": true, + "type": "boolean", + "required": false } }, { "verify_access_token_introspection_scopes": { - "required": false, - "type": "boolean", "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", - "default": true + "default": true, + "type": "boolean", + "required": false } }, { "cache_access_token_introspection": { - "required": false, - "type": "boolean", "description": "Whether to cache access token introspection results.", - "default": true + "default": true, + "type": "boolean", + "required": false } }, { "trust_access_token_introspection": { - "required": false, - "type": "boolean", "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", - "default": true + "default": true, + "type": "boolean", + "required": false } }, { "enable_access_token_introspection": { - "required": false, - "type": "boolean", "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", - "default": true + "default": true, + "type": "boolean", + "required": false } }, { "channel_token_issuer": { - "required": false, - "type": "string", "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. 
The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", - "default": "kong" + "default": "kong", + "type": "string", + "required": false } }, { "channel_token_keyset": { - "required": false, - "type": "string", "description": "The name of the keyset containing signing keys.", - "default": "kong" + "default": "kong", + "type": "string", + "required": false } }, { "channel_token_jwks_uri": { - "required": false, + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", "type": "string", - "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`." + "required": false } }, { "channel_token_request_header": { - "required": false, + "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", "type": "string", - "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string)." + "required": false } }, { "channel_token_leeway": { - "required": false, - "type": "number", "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. 
You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", - "default": 0 + "default": 0, + "type": "number", + "required": false } }, { "channel_token_scopes_required": { - "required": false, - "type": "array", "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "channel_token_scopes_claim": { - "elements": { - "type": "string" - }, "type": "array", - "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", "required": false, "default": [ "scope" - ] + ], + "elements": { + "type": "string" + }, + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims." } }, { "channel_token_consumer_claim": { - "required": false, - "type": "array", "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "channel_token_consumer_by": { + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", + "default": [ + "username", + "custom_id" + ], + "type": "array", "elements": { "type": "string", "one_of": [ 
@@ -453,112 +457,112 @@ "username", "custom_id" ] - }, - "type": "array", - "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", - "default": [ - "username", - "custom_id" - ] + } } }, { "channel_token_upstream_header": { - "required": false, + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", "type": "string", - "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value." + "required": false } }, { "channel_token_upstream_leeway": { - "required": false, - "type": "number", "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", - "default": 0 + "default": 0, + "type": "number", + "required": false } }, { "channel_token_introspection_endpoint": { - "required": false, + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", "type": "string", - "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead." 
+ "required": false } }, { "channel_token_introspection_authorization": { - "required": false, - "type": "string", "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", "elements": { "type": "string" - } + }, + "type": "string", + "required": false } }, { "channel_token_introspection_body_args": { - "required": false, - "type": "string", "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", "elements": { "type": "string" - } + }, + "type": "string", + "required": false } }, { "channel_token_introspection_hint": { - "required": false, - "type": "string", "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. 
By default, a `hint` isn't sent with channel token introspection.", "elements": { "type": "string" - } + }, + "type": "string", + "required": false } }, { "channel_token_introspection_jwt_claim": { - "required": false, - "type": "array", "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "channel_token_introspection_scopes_required": { - "required": false, - "type": "array", "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "channel_token_introspection_scopes_claim": { - "elements": { - "type": "string" - }, "type": "array", - "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", "required": false, "default": [ "scope" - ] + ], + "elements": { + "type": "string" + }, + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims." 
} }, { "channel_token_introspection_consumer_claim": { - "required": false, - "type": "array", "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "channel_token_introspection_consumer_by": { + "type": "array", + "required": false, + "default": [ + "username", + "custom_id" + ], "elements": { "type": "string", "one_of": [ 
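Review bot: The description kept for `channel_token_introspection_authorization` in this hunk is a copy of the introspection-endpoint text ("you need to specify the OAuth 2.0 introspection endpoint URI"), so the field itself is never described. In the same hunk, the `channel_token_introspection_endpoint` description speaks of `opaque` access tokens rather than channel tokens. In the following hunk (`@@ -567,35 +571,27 @@`), `channel_token_introspection_timeout` refers to `config.access_token_introspection_timeout`; if that is a copy-paste slip it should read `config.channel_token_introspection_timeout`. The `channel_token_introspection_authorization`, `channel_token_introspection_body_args` and `channel_token_introspection_hint` fields also pair `"type": "string"` with an `"elements"` sub-schema, which only makes sense on a collection type. Since these files are pulled from the API, the corrections belong in the upstream schema rather than in this copy.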
@@ -567,35 +571,27 @@ "custom_id" ] }, - "type": "array", - "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", - "required": false, - "default": [ - "username", - "custom_id" - ] + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`." } }, { "channel_token_introspection_leeway": { - "required": false, - "type": "number", "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", - "default": 0 + "default": 0, + "type": "number", + "required": false } }, { "channel_token_introspection_timeout": { - "required": false, + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", "type": "number", - "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection." 
+ "required": false } }, { "channel_token_signing_algorithm": { "type": "string", - "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", - "default": "RS256", "required": true, "one_of": [ "HS256", 
@@ -610,113 +606,117 @@ "PS384", "PS512", "EdDSA" - ] + ], + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token." } }, { "channel_token_optional": { - "required": false, - "type": "boolean", "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", - "default": false + "default": false, + "type": "boolean", + "required": false } }, { "verify_channel_token_signature": { - "required": false, - "type": "boolean", "description": "Quickly turn on/off the channel token signature verification.", - "default": true + "default": true, + "type": "boolean", + "required": false } }, { "verify_channel_token_expiry": { - "required": false, + "default": true, "type": "boolean", - "default": true + "required": false } }, { "verify_channel_token_scopes": { - "required": false, - "type": "boolean", "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", - "default": true + "default": true, + "type": "boolean", + "required": false } }, { "verify_channel_token_introspection_expiry": { - "required": false, - "type": "boolean", "description": "Quickly turn on/off the channel token introspection expiry verification.", - "default": true + "default": true, + "type": "boolean", + "required": false } }, { "verify_channel_token_introspection_scopes": { - "required": false, - "type": "boolean", 
"description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", - "default": true + "default": true, + "type": "boolean", + "required": false } }, { "cache_channel_token_introspection": { - "required": false, - "type": "boolean", "description": "Whether to cache channel token introspection results.", - "default": true + "default": true, + "type": "boolean", + "required": false } }, { "trust_channel_token_introspection": { - "required": false, - "type": "boolean", "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", - "default": true + "default": true, + "type": "boolean", + "required": false } }, { "enable_channel_token_introspection": { - "required": false, - "type": "boolean", "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", - "default": true + "default": true, + "type": "boolean", + "required": false } }, { "add_claims": { - "type": "map", - "description": "Add customized claims if they are not present yet.", "keys": { "type": "string" }, + "type": "map", "required": false, + "default": [ + + ], "values": { "type": "string" }, - "default": [ - - ] + "description": "Add customized claims if they are not present yet." } }, { "set_claims": { - "type": "map", - "description": "Set customized claims. 
If a claim is already present, it will be overwritten.", "keys": { "type": "string" }, + "type": "map", "required": false, + "default": [ + + ], "values": { "type": "string" }, - "default": [ - - ] + "description": "Set customized claims. If a claim is already present, it will be overwritten." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/jwt/3.5.x.json b/schemas/jwt/3.5.x.json index 577219e4..649659f7 100644 --- a/schemas/jwt/3.5.x.json +++ b/schemas/jwt/3.5.x.json @@ -3,13 +3,21 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
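Review bot: In the jwt-signer hunk `@@ -610,113 +606,117 @@`, `verify_channel_token_expiry` is the only `verify_*` switch left without a `description`; the new side carries just `default`, `type` and `required`. Because it turns off expiry checking for channel tokens, it should get the same one-line text as its siblings, for example `"description": "Quickly turn on/off the channel token expiry verification."`. Separately, `add_claims` and `set_claims` are declared `"type": "map"` but their `default` is serialized as an empty array, which a strict consumer of the schema may treat as a type mismatch; an empty object would match the declared type. As the file is downloaded from the API, both are best fixed in the upstream schema.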
@@ -19,52 +27,42 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "uri_param_names": { - "elements": { - "type": "string" - }, - "type": "set", "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", "default": [ "jwt" - ] + ], + "type": "set", + "elements": { + "type": "string" + } } }, { "cookie_names": { - "elements": { - "type": "string" - }, - "type": "set", "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", "default": [ - ] + ], + "type": "set", + "elements": { + "type": "string" + } } }, { 
@@ -77,62 +75,64 @@ { "secret_is_base64": { "required": true, + "default": false, "type": "boolean", - "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", - "default": false + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret." } }, { "claims_to_verify": { + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", + "type": "set", "elements": { "type": "string", "one_of": [ "exp", "nbf" ] - }, - "type": "set", - "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf." + } } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." } }, { "run_on_preflight": { "required": true, + "default": true, "type": "boolean", - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", - "default": true + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed." 
} }, { "maximum_expiration": { - "default": 0, - "type": "number", - "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", "between": [ 0, 31536000 - ] + ], + "default": 0, + "type": "number", + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future." } }, { "header_names": { - "elements": { - "type": "string" - }, - "type": "set", "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", "default": [ "authorization" - ] + ], + "type": "set", + "elements": { + "type": "string" + } } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/kafka-log/3.5.x.json b/schemas/kafka-log/3.5.x.json index 68ac53b0..58310faa 100644 --- a/schemas/kafka-log/3.5.x.json +++ b/schemas/kafka-log/3.5.x.json @@ -3,7 +3,6 @@ { "protocols": { "required": true, - "type": "set", "default": [ "grpc", "grpcs", @@ -12,6 +11,7 @@ "ws", "wss" ], + "type": "set", "elements": { "type": "string", "one_of": [ @@ -28,15 +28,13 @@ { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "entity_checks": [ { "custom_entity_check": { @@ -49,6 +47,8 @@ "fields": [ { "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set", "elements": { "type": "record", "fields": [ 
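Review bot: In the jwt schema hunk `@@ -77,62 +75,64 @@`, the `maximum_expiration` description says the value limits the JWT lifetime but never says what `0` means, although `0` is both the `default` and the lower bound of `between`. A reader cannot tell from the schema whether `0` disables the limit or rejects every token, and the description should state this explicitly. It would also help to say whether `exp` has to be listed in `claims_to_verify` for the limit to take effect, since `claims_to_verify` has no default in this hunk.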
@@ -61,19 +61,17 @@ }, { "port": { - "required": true, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "required": true, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] - }, - "type": "set", - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." + } } }, { @@ -92,41 +90,39 @@ }, { "keepalive": { - "default": 60000, - "type": "integer" + "type": "integer", + "default": 60000 } }, { "keepalive_enabled": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "authentication": { - "required": true, - "type": "record", "fields": [ { "strategy": { "required": false, - "type": "string", - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "one_of": [ "sasl" - ] + ], + "type": "string", + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`." } }, { "mechanism": { "required": false, - "type": "string", - "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" - ] + ], + "type": "string", + "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`." } }, { 
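Review bot: In `schemas/kafka-log/3.5.x.json` (hunk `@@ -92,41 +90,39 @@`) the `mechanism` description still names only `PLAIN` and `SCRAM-SHA-256` as supported options, while the `one_of` list directly above it also accepts `SCRAM-SHA-512`. The kafka-upstream schema in this same patch already lists all three, so the wording here should be aligned with it: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`. As it stands, someone configuring SASL from the description alone would not know that `SCRAM-SHA-512` is available.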
@@ -138,36 +134,36 @@ }, { "user": { - "referenceable": true, - "description": "Username for SASL authentication.", + "type": "string", "required": false, + "referenceable": true, "encrypted": true, - "type": "string" + "description": "Username for SASL authentication." } }, { "password": { - "referenceable": true, - "description": "Password for SASL authentication.", + "type": "string", "required": false, + "referenceable": true, "encrypted": true, - "type": "string" + "description": "Password for SASL authentication." } } - ] + ], + "type": "record", + "required": true } }, { "security": { - "required": true, - "type": "record", "fields": [ { "certificate_id": { - "required": false, - "type": "string", + "uuid": true, "description": "UUID of certificate entity for mTLS authentication.", - "uuid": true + "type": "string", + "required": false } }, { 
@@ -177,27 +173,29 @@ "description": "Enables TLS." } } - ] + ], + "type": "record", + "required": true } }, { "cluster_name": { "required": false, "type": "string", - "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", - "auto": true + "auto": true, + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster." } }, { "producer_request_acks": { - "default": 1, - "type": "integer", - "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "one_of": [ -1, 0, 1 - ] + ], + "default": 1, + "type": "integer", + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set)." } }, { 
@@ -258,19 +256,21 @@ }, { "custom_fields_by_lua": { - "values": { - "len_min": 1, - "type": "string" + "keys": { + "type": "string", + "len_min": 1 }, "type": "map", - "description": "Lua code as a key-value map", - "keys": { + "values": { "len_min": 1, "type": "string" - } + }, + "description": "Lua code as a key-value map" } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/kafka-upstream/3.5.x.json b/schemas/kafka-upstream/3.5.x.json index 28383b3b..457c24f1 100644 --- a/schemas/kafka-upstream/3.5.x.json +++ b/schemas/kafka-upstream/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ @@ -11,29 +19,19 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "entity_checks": [ { "custom_entity_check": { @@ -56,6 +54,8 @@ "fields": [ { "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set", "elements": { "type": "record", "fields": [ 
@@ -68,19 +68,17 @@ }, { "port": { - "required": true, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "required": true, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] - }, - "type": "set", - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." + } } }, { @@ -106,35 +104,33 @@ }, { "keepalive_enabled": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "authentication": { - "required": true, - "type": "record", "fields": [ { "strategy": { "required": false, - "type": "string", - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "one_of": [ "sasl" - ] + ], + "type": "string", + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`." } }, { "mechanism": { "required": false, - "type": "string", - "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" - ] + ], + "type": "string", + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`." } }, { 
@@ -146,36 +142,36 @@ }, { "user": { + "type": "string", + "required": false, "referenceable": true, - "description": "Username for SASL authentication.", "encrypted": true, - "type": "string", - "required": false + "description": "Username for SASL authentication." } }, { "password": { + "type": "string", + "required": false, "referenceable": true, - "description": "Password for SASL authentication.", "encrypted": true, - "type": "string", - "required": false + "description": "Password for SASL authentication." } } - ] + ], + "type": "record", + "required": true } }, { "security": { - "required": true, - "type": "record", "fields": [ { "certificate_id": { "uuid": true, + "required": false, "type": "string", - "description": "UUID of certificate entity for mTLS authentication.", - "required": false + "description": "UUID of certificate entity for mTLS authentication." } }, { @@ -185,7 +181,9 @@ "description": "Enables TLS." } } - ] + ], + "type": "record", + "required": true } }, { 
@@ -219,21 +217,21 @@ { "cluster_name": { "required": false, - "type": "string", "auto": true, + "type": "string", "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster." } }, { "producer_request_acks": { - "default": 1, - "type": "integer", - "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "one_of": [ -1, 0, 1 - ] + ], + "default": 1, + "type": "integer", + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set)." } }, { @@ -292,7 +290,9 @@ "description": "Maximum number of messages that can be buffered in memory in asynchronous mode." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/key-auth-enc/3.5.x.json b/schemas/key-auth-enc/3.5.x.json index 9eb7c796..ad51da84 100644 --- a/schemas/key-auth-enc/3.5.x.json +++ b/schemas/key-auth-enc/3.5.x.json @@ -3,15 +3,14 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, - "type": "set", "default": [ "grpc", "grpcs", 
@@ -20,6 +19,7 @@ "ws", "wss" ], + "type": "set", "elements": { "type": "string", "one_of": [ @@ -36,28 +36,26 @@ { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "key_names": { - "elements": { - "description": "A string representing an HTTP header name.", - "type": "string" - }, "type": "array", - "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "required": true, "default": [ "apikey" - ] + ], + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." } }, { 
@@ -69,8 +67,8 @@ }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { @@ -101,7 +99,9 @@ "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/key-auth/3.5.x.json b/schemas/key-auth/3.5.x.json index a7f20f68..1f6f3189 100644 --- a/schemas/key-auth/3.5.x.json +++ b/schemas/key-auth/3.5.x.json @@ -3,15 +3,14 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, - "type": "set", "default": [ "grpc", "grpcs", @@ -20,6 +19,7 @@ "ws", "wss" ], + "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -36,77 +36,77 @@ { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "key_names": { - "elements": { - "description": "A string representing an HTTP header name.", - "type": "string" - }, "type": "array", - "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "required": true, "default": [ "apikey" - ] + ], + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." } }, { "hide_credentials": { - "required": true, - "type": "boolean", "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", - "default": false + "default": false, + "type": "boolean", + "required": true } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`.", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`." 
} }, { "key_in_header": { - "required": true, - "type": "boolean", "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", - "default": true + "default": true, + "type": "boolean", + "required": true } }, { "key_in_query": { - "required": true, - "type": "boolean", "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", - "default": true + "default": true, + "type": "boolean", + "required": true } }, { "key_in_body": { - "required": true, - "type": "boolean", "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", - "default": false + "default": false, + "type": "boolean", + "required": true } }, { "run_on_preflight": { - "required": true, - "type": "boolean", "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", - "default": true + "default": true, + "type": "boolean", + "required": true } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/konnect-application-auth/3.5.x.json b/schemas/konnect-application-auth/3.5.x.json index 5219f26d..cb644ba9 100644 --- a/schemas/konnect-application-auth/3.5.x.json +++ b/schemas/konnect-application-auth/3.5.x.json 
@@ -3,21 +3,29 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "route": { "type": "foreign", - "description": "A reference to the 'routes' table with a null value allowed.", "eq": null, - "reference": "routes" + "reference": "routes", + "description": "A reference to the 'routes' table with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
@@ -27,68 +35,60 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "entity_checks": [ ], "fields": [ { "key_names": { - "elements": { - "description": "A string representing an HTTP header name.", - "type": "string" - }, "type": "array", - "description": "The names of the headers containing the API key. You can specify multiple header names.", "required": true, "default": [ "apikey" - ] + ], + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "description": "The names of the headers containing the API key. You can specify multiple header names." } }, { "auth_type": { "type": "string", - "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth'.", "required": true, - "default": "openid-connect", "one_of": [ "openid-connect", "key-auth" - ] + ], + "default": "openid-connect", + "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth'." } }, { "scope": { - "required": true, - "type": "string", "description": "The unique scope identifier for the plugin configuration.", - "unique": true + "unique": true, + "type": "string", + "required": true } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/ldap-auth-advanced/3.5.x.json b/schemas/ldap-auth-advanced/3.5.x.json index f0765e52..d05399e5 100644 --- a/schemas/ldap-auth-advanced/3.5.x.json 
+++ b/schemas/ldap-auth-advanced/3.5.x.json @@ -3,7 +3,6 @@ { "protocols": { "required": true, - "type": "set", "default": [ "grpc", "grpcs", @@ -12,6 +11,7 @@ "ws", "wss" ], + "type": "set", "elements": { "type": "string", "one_of": [ @@ -28,23 +28,21 @@ { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "ldap_host": { @@ -57,8 +55,8 @@ "ldap_password": { "encrypted": true, "referenceable": true, - "description": "The password to the LDAP server.", - "type": "string" + "type": "string", + "description": "The password to the LDAP server." } }, { 
@@ -71,32 +69,32 @@ { "bind_dn": { "referenceable": true, - "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", - "type": "string" + "type": "string", + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated." } }, { "ldaps": { + "required": true, "default": false, "type": "boolean", - "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", - "required": true + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled." } }, { "start_tls": { + "required": true, "default": false, "type": "boolean", - "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", - "required": true + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled." } }, { "verify_ldap_host": { + "required": true, "default": false, "type": "boolean", - "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", - "required": true + "description": "Set to `true` to authenticate LDAP server. 
The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive." } }, { @@ -115,10 +113,10 @@ }, { "cache_ttl": { + "required": true, "default": 60, "type": "number", - "description": "Cache expiry time in seconds.", - "required": true + "description": "Cache expiry time in seconds." } }, { @@ -144,10 +142,10 @@ }, { "anonymous": { + "len_min": 0, "default": "", "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "len_min": 0 + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { @@ -159,14 +157,20 @@ }, { "consumer_optional": { + "required": false, "default": false, "type": "boolean", - "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", - "required": false + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user." } }, { "consumer_by": { + "type": "array", + "required": false, + "default": [ + "username", + "custom_id" + ], "elements": { "type": "string", "one_of": [ 
@@ -174,25 +178,19 @@ "custom_id" ] }, - "type": "array", - "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", - "required": false, - "default": [ - "username", - "custom_id" - ] + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both." } }, { "group_base_dn": { - "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", - "type": "string" + "type": "string", + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'." } }, { "group_name_attribute": { - "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", - "type": "string" + "type": "string", + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive." } }, { 
@@ -204,23 +202,25 @@ }, { "log_search_results": { + "required": false, "default": false, "type": "boolean", - "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", - "required": false + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment." } }, { "groups_required": { "required": false, - "type": "array", - "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", "elements": { "type": "string" - } + }, + "type": "array", + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/ldap-auth/3.5.x.json b/schemas/ldap-auth/3.5.x.json index 9264dac2..847e2f28 100644 --- a/schemas/ldap-auth/3.5.x.json +++ b/schemas/ldap-auth/3.5.x.json 
@@ -3,15 +3,14 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, - "type": "set", "default": [ "grpc", "grpcs", @@ -20,6 +19,7 @@ "ws", "wss" ], + "type": "set", "elements": { "type": "string", "one_of": [ @@ -36,27 +36,25 @@ { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "entity_checks": [ { "conditional": { - "then_field": "start_tls", "then_match": { "eq": false }, - "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", + "then_field": "start_tls", "if_match": { "eq": true }, - "if_field": "ldaps" + "if_field": "ldaps", + "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously" } } ], 
@@ -70,67 +68,67 @@ }, { "ldap_port": { + "type": "integer", + "required": true, "between": [ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "default": 389, - "required": true + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "ldaps": { + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", "default": false, "type": "boolean", - "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", "required": true } }, { "start_tls": { + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", "default": false, "type": "boolean", - "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", "required": true } }, { "verify_ldap_host": { + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", "default": false, "type": "boolean", - "description": "Set to `true` to authenticate LDAP server. 
The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", "required": true } }, { "base_dn": { - "required": true, + "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", "type": "string", - "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com" + "required": true } }, { "attribute": { - "required": true, + "description": "Attribute to be used to search the user; e.g. cn", "type": "string", - "description": "Attribute to be used to search the user; e.g. cn" + "required": true } }, { "cache_ttl": { + "description": "Cache expiry time in seconds.", "default": 60, "type": "number", - "description": "Cache expiry time in seconds.", "required": true } }, { "hide_credentials": { + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", "default": false, "type": "boolean", - "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", "required": true } }, @@ -150,8 +148,8 @@ }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`.", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`." } }, { @@ -161,7 +159,9 @@ "description": "An optional string to use as part of the Authorization header" } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/loggly/3.5.x.json b/schemas/loggly/3.5.x.json index 36d2212a..69e34b16 100644 
--- a/schemas/loggly/3.5.x.json +++ b/schemas/loggly/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "one_of": [ "grpc", @@ -15,32 +23,22 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string" + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "host": { @@ -51,21 +49,21 @@ }, { "port": { - "default": 514, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 514, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "key": { "encrypted": true, + "referenceable": true, "type": "string", - "required": true, - "referenceable": true + "required": true } }, { 
@@ -145,25 +143,27 @@ }, { "timeout": { - "default": 10000, - "type": "number" + "type": "number", + "default": 10000 } }, { "custom_fields_by_lua": { - "values": { - "len_min": 1, - "type": "string" + "keys": { + "type": "string", + "len_min": 1 }, "type": "map", - "description": "Lua code as a key-value map", - "keys": { + "values": { "len_min": 1, "type": "string" - } + }, + "description": "Lua code as a key-value map" } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/mocking/3.5.x.json b/schemas/mocking/3.5.x.json index e401a6e6..508b44bc 100644 --- a/schemas/mocking/3.5.x.json +++ b/schemas/mocking/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ @@ -11,29 +19,19 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "api_specification_filename": { 
@@ -79,30 +77,32 @@ }, { "included_status_codes": { + "description": "A global list of the HTTP status codes that can only be selected and returned.", + "type": "array", "elements": { "type": "integer" - }, - "type": "array", - "description": "A global list of the HTTP status codes that can only be selected and returned." + } } }, { "random_status_code": { "required": true, + "default": false, "type": "boolean", - "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", - "default": false + "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned." } }, { "include_base_path": { "required": true, + "default": false, "type": "boolean", - "description": "Indicates whether to include the base path when performing path match evaluation.", - "default": false + "description": "Indicates whether to include the base path when performing path match evaluation." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/mtls-auth/3.5.x.json b/schemas/mtls-auth/3.5.x.json index 3c9c1a9b..f4b69ffc 100644 --- a/schemas/mtls-auth/3.5.x.json +++ b/schemas/mtls-auth/3.5.x.json @@ -3,13 +3,21 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
@@ -19,29 +27,19 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "entity_checks": [ { "mutually_required": [ @@ -59,12 +57,18 @@ "fields": [ { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { "consumer_by": { + "type": "array", + "required": false, + "default": [ + "username", + "custom_id" + ], "elements": { "type": "string", "one_of": [ 
@@ -72,73 +76,67 @@ "custom_id" ] }, - "type": "array", - "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", - "required": false, - "default": [ - "username", - "custom_id" - ] + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled." } }, { "ca_certificates": { "required": true, - "type": "array", - "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", "elements": { "uuid": true, "type": "string" - } + }, + "type": "array", + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`)." } }, { "cache_ttl": { "required": true, + "default": 60, "type": "number", - "description": "Cache expiry time in seconds.", - "default": 60 + "description": "Cache expiry time in seconds." } }, { "skip_consumer_lookup": { "required": true, + "default": false, "type": "boolean", - "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", - "default": false + "description": "Skip consumer lookup once certificate is trusted against the configured CA list." } }, { "allow_partial_chain": { "required": true, + "default": false, "type": "boolean", - "description": "Allow certificate verification with only an intermediate certificate. 
When this is enabled, you don't need to upload the full chain to Kong Certificates.", - "default": false + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates." } }, { "authenticated_group_by": { "type": "string", - "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "required": false, - "default": "CN", "one_of": [ "CN", "DN" - ] + ], + "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users." } }, { "revocation_check_mode": { "type": "string", - "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "required": false, - "default": "IGNORE_CA_ERROR", "one_of": [ "SKIP", "IGNORE_CA_ERROR", "STRICT" - ] + ], + "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. 
If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status." } }, { @@ -164,8 +162,8 @@ }, { "http_proxy_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { @@ -180,8 +178,8 @@ }, { "https_proxy_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { @@ -194,7 +192,9 @@ "description": "An integer representing a port number between 0 and 65535, inclusive." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/oas-validation/3.5.x.json b/schemas/oas-validation/3.5.x.json index 6f85afd1..6493145f 100644 --- a/schemas/oas-validation/3.5.x.json +++ b/schemas/oas-validation/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ @@ -11,29 +19,19 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "api_spec": { 
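Review bot: In schemas/mtls-auth/3.5.x.json, the `revocation_check_mode` description does not say that the default, `IGNORE_CA_ERROR`, fails open. By its own wording the plugin "doesn't fail on network issues", which presumably means a certificate is treated as valid whenever the OCSP responder or CRL cannot be reached. I would append a sentence such as `With IGNORE_CA_ERROR, a revoked certificate can still be accepted while the revocation source is unreachable; use STRICT where revocation must be enforced.` This file is downloaded from the API, so the wording has to change in the upstream schema and be pulled again.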
@@ -44,101 +42,103 @@ }, { "verbose_response": { + "required": false, "default": false, "type": "boolean", - "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", - "required": false + "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing." } }, { "validate_request_body": { + "required": false, "default": true, "type": "boolean", - "description": "If set to true, validates the request body content against the API specification.", - "required": false + "description": "If set to true, validates the request body content against the API specification." } }, { "notify_only_request_validation_failure": { + "required": false, "default": false, "type": "boolean", - "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", - "required": false + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow." } }, { "validate_request_header_params": { + "required": false, "default": true, "type": "boolean", - "description": "If set to true, validates HTTP header parameters against the API specification.", - "required": false + "description": "If set to true, validates HTTP header parameters against the API specification." } }, { "validate_request_query_params": { + "required": false, "default": true, "type": "boolean", - "description": "If set to true, validates query parameters against the API specification.", - "required": false + "description": "If set to true, validates query parameters against the API specification." 
} }, { "validate_request_uri_params": { + "required": false, "default": true, "type": "boolean", - "description": "If set to true, validates URI parameters in the request against the API specification.", - "required": false + "description": "If set to true, validates URI parameters in the request against the API specification." } }, { "validate_response_body": { + "required": false, "default": false, "type": "boolean", - "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", - "required": false + "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code." } }, { "notify_only_response_body_validation_failure": { + "required": false, "default": false, "type": "boolean", - "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", - "required": false + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow." } }, { "query_parameter_check": { + "required": true, "default": false, "type": "boolean", - "description": "If set to true, checks if query parameters in the request exist in the API specification.", - "required": true + "description": "If set to true, checks if query parameters in the request exist in the API specification." } }, { "header_parameter_check": { + "required": true, "default": false, "type": "boolean", - "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", - "required": true + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification." 
} }, { "allowed_header_parameters": { + "required": false, "default": "Host,Content-Type,User-Agent,Accept,Content-Length", "type": "string", - "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", - "required": false + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent." } }, { "include_base_path": { + "required": true, "default": false, "type": "boolean", - "description": "Indicates whether to include the base path when performing path match evaluation.", - "required": true + "description": "Indicates whether to include the base path when performing path match evaluation." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/oauth2-introspection/3.5.x.json b/schemas/oauth2-introspection/3.5.x.json index 10ac128c..c1499ce7 100644 --- a/schemas/oauth2-introspection/3.5.x.json +++ b/schemas/oauth2-introspection/3.5.x.json 
@@ -3,13 +3,21 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ @@ -19,29 +27,19 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "introspection_url": { @@ -59,15 +57,15 @@ }, { "token_type_hint": { - "description": "The `token_type_hint` value to associate to introspection requests.", - "type": "string" + "type": "string", + "description": "The `token_type_hint` value to associate to introspection requests." } }, { "authorization_value": { - "required": true, + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", "type": "string", - "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`)." + "required": true } }, { 
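Review bot: In schemas/oauth2-introspection/3.5.x.json, `authorization_value` is described as the `client_id` and `client_secret` in a Basic Auth string, yet the field as shown carries only `description`, `type` and `required`. Other credential fields in this patch are marked for protected storage: `provision_key` in schemas/oauth2 has `"encrypted": true`, and `client_secret` in schemas/openid-connect has `"encrypted": true` with `"referenceable": true` on its elements. It is worth confirming upstream whether those attributes are really absent for this field in 3.5.x or were lost in the export. Without them the credential is presumably stored and returned in plain text.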
@@ -86,9 +84,9 @@ }, { "introspect_request": { + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", "default": false, "type": "boolean", - "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", "required": true } }, 
@@ -109,53 +107,55 @@ { "anonymous": { "len_min": 0, + "default": "", "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "default": "" + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { "consumer_by": { "type": "string", - "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", "required": true, - "default": "username", "one_of": [ "username", "client_id" - ] + ], + "default": "username", + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`." } }, { "custom_introspection_headers": { - "type": "map", - "description": "A list of custom headers to be added in the introspection request.", "keys": { "type": "string" }, + "type": "map", "required": true, + "default": [ + + ], "values": { "type": "string" }, - "default": [ - - ] + "description": "A list of custom headers to be added in the introspection request." } }, { "custom_claims_forward": { - "elements": { - "type": "string" - }, "type": "set", - "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. 
Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", "required": true, "default": [ - ] + ], + "elements": { + "type": "string" + }, + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/oauth2/3.5.x.json b/schemas/oauth2/3.5.x.json index 01916b09..32335aa3 100644 --- a/schemas/oauth2/3.5.x.json +++ b/schemas/oauth2/3.5.x.json @@ -3,15 +3,14 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, - "type": "set", "default": [ "grpc", "grpcs", @@ -20,6 +19,7 @@ "ws", "wss" ], + "type": "set", "elements": { "type": "string", "one_of": [ @@ -36,14 +36,13 @@ { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, "entity_checks": [ { "conditional": { 
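Review bot: In schemas/oauth2-introspection/3.5.x.json, the `anonymous` description says "If empty (default null)" while the field declares `"default": ""` with `"len_min": 0`, so the documented default and the schema default disagree. The text matches the mtls-auth `anonymous` description, where no default is declared; here it should read something like `If empty (the default), the request fails with a 4xx authentication failure.` In the same hunk, `custom_introspection_headers` is `"type": "map"` but is described as "A list of custom headers" and defaults to an empty array. Its description should say that it maps header names to values.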
@@ -58,103 +57,102 @@ } } ], - "type": "record", "fields": [ { "scopes": { + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required." + } } }, { "mandatory_scope": { + "required": true, "default": false, "type": "boolean", - "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", - "required": true + "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user." } }, { "provision_key": { "type": "string", - "description": "The unique key the plugin has generated when it has been added to the Service.", "unique": true, - "required": true, "encrypted": true, - "auto": true + "required": true, + "auto": true, + "description": "The unique key the plugin has generated when it has been added to the Service." } }, { "token_expiration": { + "required": true, "default": 7200, "type": "number", - "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration.", - "required": true + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration." 
} }, { "enable_authorization_code": { + "required": true, "default": false, "type": "boolean", - "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", - "required": true + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1)." } }, { "enable_implicit_grant": { + "required": true, "default": false, "type": "boolean", - "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", - "required": true + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2)." } }, { "enable_client_credentials": { + "required": true, "default": false, "type": "boolean", - "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", - "required": true + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4)." } }, { "enable_password_grant": { + "required": true, "default": false, "type": "boolean", - "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", - "required": true + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3)." } }, { "hide_credentials": { + "required": true, "default": false, "type": "boolean", - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", - "required": true + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service." 
} }, { "accept_http_if_already_terminated": { + "required": true, "default": false, "type": "boolean", - "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", - "required": true + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer." } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." } }, { "global_credentials": { + "required": true, "default": false, "type": "boolean", - "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", - "required": true + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`." } }, { @@ -166,22 +164,22 @@ }, { "refresh_token_ttl": { + "type": "number", + "required": true, "between": [ 0, 100000000 ], - "type": "number", - "description": "Time-to-live value for data", "default": 1209600, - "required": true + "description": "Time-to-live value for data" } }, { "reuse_refresh_token": { + "required": true, "default": false, "type": "boolean", - "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", - "required": true + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token." } }, { 
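Review bot: The four grant-flow descriptions in schemas/oauth2/3.5.x.json (`enable_authorization_code`, `enable_implicit_grant`, `enable_client_credentials`, `enable_password_grant`) cite "RFC 6742", which is not the OAuth 2.0 specification. The section numbers 4.1 to 4.4 match RFC 6749, so each should read `RFC 6749 Section 4.x`. The file is pulled from the API, so the correction has to be made in the upstream schema and downloaded again. In the same hunk, the `accept_http_if_already_terminated` description does not say how prior termination is detected. If it relies on a forwarded-protocol header, the text should state that the option is only safe when clients cannot reach Kong directly.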
@@ -194,17 +192,19 @@ { "pkce": { "type": "string", - "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", "required": false, - "default": "lax", "one_of": [ "none", "lax", "strict" - ] + ], + "default": "lax", + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/opa/3.5.x.json b/schemas/opa/3.5.x.json index 0c974262..b381dd6f 100644 --- a/schemas/opa/3.5.x.json +++ b/schemas/opa/3.5.x.json @@ -3,13 +3,21 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
@@ -19,73 +27,63 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "opa_protocol": { - "default": "http", - "type": "string", - "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", "one_of": [ "http", "https" - ] + ], + "default": "http", + "type": "string", + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`." } }, { "opa_host": { + "description": "A string representing a host name, such as example.com.", "default": "localhost", "type": "string", - "description": "A string representing a host name, such as example.com.", "required": true } }, { "opa_port": { + "type": "integer", + "required": true, "between": [ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "default": 8181, - "required": true + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "opa_path": { - "starts_with": "/", "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "required": true, + "starts_with": "/", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ] + ], + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { @@ -111,8 +109,8 @@ }, { "include_body_in_opa_input": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { @@ -132,12 +130,14 @@ { "ssl_verify": { "required": true, + "default": true, "type": "boolean", - "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", - "default": true + "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/openid-connect/3.5.x.json b/schemas/openid-connect/3.5.x.json index 9b18a055..8cd4310b 100644 --- a/schemas/openid-connect/3.5.x.json +++ b/schemas/openid-connect/3.5.x.json @@ -3,13 +3,21 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
@@ -19,23 +27,15 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -122,8 +122,6 @@ } } ], - "type": "record", - "required": true, "fields": [ { "issuer": { 
@@ -134,45 +132,59 @@ }, { "discovery_headers_names": { - "required": false, - "type": "array", "description": "Extra header names passed to the discovery endpoint.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "discovery_headers_values": { - "required": false, - "type": "array", "description": "Extra header values passed to the discovery endpoint.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "extra_jwks_uris": { - "required": false, - "type": "set", "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" - } + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "type": "set", + "required": false } }, { "rediscovery_lifetime": { + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", "default": 30, "type": "number", - "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", "required": false } }, { "auth_methods": { + "type": "array", + "required": false, + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ], + "description": "Types of credentials/grants to enable.", "elements": { "type": "string", "one_of": [ 
@@ -186,51 +198,35 @@ "refresh_token", "session" ] - }, - "type": "array", - "description": "Types of credentials/grants to enable.", - "required": false, - "default": [ - "password", - "client_credentials", - "authorization_code", - "bearer", - "introspection", - "userinfo", - "kong_oauth2", - "refresh_token", - "session" - ] + } } }, { "client_id": { - "elements": { - "referenceable": true, - "type": "string" - }, "type": "array", - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", "encrypted": true, - "required": false + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "required": false, + "elements": { + "type": "string", + "referenceable": true + } } }, { "client_secret": { - "elements": { - "referenceable": true, - "type": "string" - }, "type": "array", - "description": "The client secret.", "encrypted": true, - "required": false + "description": "The client secret.", + "required": false, + "elements": { + "type": "string", + "referenceable": true + } } }, { "client_auth": { - "required": false, - "type": "array", "description": "The authentication method used by the client (plugin) when calling the endpoint.", "elements": { "type": "string", @@ -241,7 +237,9 @@ "private_key_jwt", "none" ] - } + }, + "type": "array", + "required": false } }, { @@ -249,25 +247,23 @@ "required": false, "type": "array", "elements": { - "required": false, - "type": "record", "fields": [ { "issuer": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "kty": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "use": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { 
@@ -275,27 +271,27 @@ "required": false, "type": "array", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "alg": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "kid": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "x5u": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { 
@@ -303,134 +299,136 @@ "required": false, "type": "array", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "x5t": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "x5t#S256": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "k": { "encrypted": true, - "type": "string", "referenceable": true, + "type": "string", "required": false } }, { "x": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "y": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "crv": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "n": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "e": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "d": { "encrypted": true, - "type": "string", "referenceable": true, + "type": "string", "required": false } }, { "p": { "encrypted": true, - "type": "string", "referenceable": true, + "type": "string", "required": false } }, { "q": { "encrypted": true, - "type": "string", "referenceable": true, + "type": "string", "required": false } }, { "dp": { "encrypted": true, - "type": "string", "referenceable": true, + "type": "string", "required": false } }, { "dq": { "encrypted": true, - "type": "string", "referenceable": true, + "type": "string", "required": false } }, { "qi": { "encrypted": true, - "type": "string", "referenceable": true, + "type": "string", "required": false } }, { "oth": { "encrypted": true, - "type": "string", "referenceable": true, + "type": "string", "required": false } }, { "r": { "encrypted": true, - "type": "string", "referenceable": true, + "type": "string", "required": false } }, { "t": { "encrypted": true, - "type": "string", "referenceable": true, + "type": "string", "required": false } } - ] + ], + "type": 
"record", + "required": false } } }, 
@@ -460,286 +458,286 @@ }, { "client_arg": { + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", "default": "client_id", "type": "string", - "description": "The client to use for this request (the selection is made with a request parameter with the same name).", "required": false } }, { "redirect_uri": { - "required": false, - "type": "array", "description": "The redirect URI passed to the authorization and token endpoints.", "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" - } + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "type": "array", + "required": false } }, { "login_redirect_uri": { - "required": false, - "type": "array", "description": "Where to redirect the client when `login_action` is set to `redirect`.", "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" - } + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "type": "array", + "required": false } }, { "logout_redirect_uri": { - "required": false, - "type": "array", "description": "Where to redirect the client after the logout.", "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" - } + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ }, + "type": "array", + "required": false } }, { "forbidden_redirect_uri": { - "required": false, - "type": "array", "description": "Where to redirect the client on forbidden requests.", "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" - } + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "type": "array", + "required": false } }, { "forbidden_error_message": { + "description": "The error message for the forbidden requests (when not using the redirection).", "default": "Forbidden", "type": "string", - "description": "The error message for the forbidden requests (when not using the redirection).", "required": false } }, { "forbidden_destroy_session": { + "description": "Destroy any active session for the forbidden requests.", "default": true, "type": "boolean", - "description": "Destroy any active session for the forbidden requests.", "required": false } }, { "unauthorized_destroy_session": { + "description": "Destroy any active session for the unauthorized requests.", "default": true, "type": "boolean", - "description": "Destroy any active session for the unauthorized requests.", "required": false } }, { "unauthorized_redirect_uri": { - "required": false, - "type": "array", "description": "Where to redirect the client on unauthorized requests.", "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" - } + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ }, + "type": "array", + "required": false } }, { "unauthorized_error_message": { + "description": "The error message for the unauthorized requests (when not using the redirection).", "default": "Unauthorized", "type": "string", - "description": "The error message for the unauthorized requests (when not using the redirection).", "required": false } }, { "unexpected_redirect_uri": { - "required": false, - "type": "array", "description": "Where to redirect the client when unexpected errors happen with the requests.", "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" - } + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "type": "array", + "required": false } }, { "response_mode": { "type": "string", - "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)", - "default": "query", "required": false, "one_of": [ "query", "form_post", "fragment" - ] + ], + "default": "query", + "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)" } }, { "response_type": { - "elements": { - "type": "string" - }, "type": "array", - "description": "The response type passed to the authorization endpoint.", "required": false, "default": [ "code" - ] + ], + "description": "The response type passed to the authorization 
endpoint.", + "elements": { + "type": "string" + } } }, { "scopes": { - "elements": { - "type": "string" - }, "type": "array", - "description": "The scopes passed to the authorization and token endpoints.", "required": false, "default": [ "openid" - ] + ], + "description": "The scopes passed to the authorization and token endpoints.", + "elements": { + "type": "string" + } } }, { "audience": { - "required": false, - "type": "array", "description": "The audience passed to the authorization endpoint.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "issuers_allowed": { - "required": false, - "type": "array", "description": "The issuers allowed to be present in the tokens (`iss` claim).", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "scopes_required": { - "required": false, - "type": "array", "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "scopes_claim": { - "elements": { - "type": "string" - }, "type": "array", - "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, "default": [ "scope" - ] + ], + "description": "The claim that contains the scopes.", + "elements": { + "type": "string" + } } }, { "audience_required": { - "required": false, - "type": "array", "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "audience_claim": { - "elements": { - "type": "string" - }, "type": "array", - "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, "default": [ "aud" - ] + ], + "description": "The claim that contains the audience.", + "elements": { + "type": "string" + } } }, { "groups_required": { - "required": false, - "type": "array", "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "groups_claim": { - "elements": { - "type": "string" - }, "type": "array", - "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, "default": [ "groups" - ] + ], + "description": "The claim that contains the groups.", + "elements": { + "type": "string" + } } }, { "roles_required": { - "required": false, - "type": "array", "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "roles_claim": { - "elements": { - "type": "string" - }, "type": "array", - "description": "The claim that contains the roles. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, "default": [ "roles" - ] + ], + "description": "The claim that contains the roles.", + "elements": { + "type": "string" + } } }, { "domains": { - "required": false, - "type": "array", "description": "The allowed values for the `hd` claim.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "max_age": { - "required": false, + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", "type": "number", - "description": "The maximum age (in seconds) compared to the `auth_time` claim." + "required": false } }, { "authenticated_groups_claim": { - "required": false, - "type": "array", - "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { 
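Review bot: The regenerated descriptions for `scopes_claim`, `audience_claim`, `groups_claim`, `roles_claim` and `authenticated_groups_claim` in this hunk drop the sentence that explained how a multi-valued array is interpreted. These fields name the token claim that the matching `*_required` checks read, so an operator who sees only the new text could plausibly treat several values as alternative claim names instead of a path into a nested object, and authorize against the wrong claim. If the removal was not deliberate, restore the sentence on each of the five fields, for example `"description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload."`. Because the commit message says these files are pulled from the API, the fix probably belongs in the upstream schema, which is not visible here.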
@@ -751,106 +749,106 @@ }, { "authorization_query_args_names": { - "required": false, - "type": "array", "description": "Extra query argument names passed to the authorization endpoint.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "authorization_query_args_values": { - "required": false, - "type": "array", "description": "Extra query argument values passed to the authorization endpoint.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "authorization_query_args_client": { - "required": false, - "type": "array", "description": "Extra query arguments passed from the client to the authorization endpoint.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "authorization_rolling_timeout": { + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", "default": 600, "type": "number", - "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", "required": false } }, { "authorization_cookie_name": { + "description": "The authorization cookie name.", "default": "authorization", "type": "string", - "description": "The authorization cookie name.", "required": false } }, { "authorization_cookie_path": { - "starts_with": "/", "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "required": false, + "starts_with": "/", + "default": "/", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "default": "/" + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "authorization_cookie_domain": { - "required": false, + "description": "The authorization cookie Domain flag.", "type": "string", - "description": "The authorization cookie Domain flag." + "required": false } }, { "authorization_cookie_same_site": { "type": "string", - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", - "default": "Default", "required": false, "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." } }, { "authorization_cookie_http_only": { + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "default": true, "type": "boolean", - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "required": false } }, { "authorization_cookie_secure": { - "required": false, + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "type": "boolean", - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." + "required": false } }, { "preserve_query_args": { + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", "default": false, "type": "boolean", - "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", "required": false } }, 
@@ -863,8 +861,6 @@ }, { "token_endpoint_auth_method": { - "required": false, - "type": "string", "description": "The token endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", 
@@ -872,60 +868,60 @@ "client_secret_jwt", "private_key_jwt", "none" - ] + ], + "type": "string", + "required": false } }, { "token_headers_names": { - "required": false, - "type": "array", "description": "Extra header names passed to the token endpoint.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "token_headers_values": { - "required": false, - "type": "array", "description": "Extra header values passed to the token endpoint.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "token_headers_client": { - "required": false, - "type": "array", "description": "Extra headers passed from the client to the token endpoint.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "token_headers_replay": { - "required": false, - "type": "array", "description": "The names of token endpoint response headers to forward to the downstream client.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "token_headers_prefix": { - "required": false, + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", "type": "string", - "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client." + "required": false } }, { "token_headers_grants": { - "required": false, - "type": "array", "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant", "elements": { "type": "string", 
@@ -935,37 +931,39 @@ "authorization_code", "refresh_token" ] - } + }, + "type": "array", + "required": false } }, { "token_post_args_names": { - "required": false, - "type": "array", "description": "Extra post argument names passed to the token endpoint.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "token_post_args_values": { - "required": false, - "type": "array", "description": "Extra post argument values passed to the token endpoint.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "token_post_args_client": { - "required": false, - "type": "array", "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Request Body - Query parameters This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body and send it to the token endpoint.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { @@ -977,8 +975,6 @@ }, { "introspection_endpoint_auth_method": { - "required": false, - "type": "string", "description": "The introspection endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", 
@@ -986,103 +982,105 @@ "client_secret_jwt", "private_key_jwt", "none" - ] + ], + "type": "string", + "required": false } }, { "introspection_hint": { + "description": "Introspection hint parameter value passed to the introspection endpoint.", "default": "access_token", "type": "string", - "description": "Introspection hint parameter value passed to the introspection endpoint.", "required": false } }, { "introspection_check_active": { + "description": "Check that the introspection response has an `active` claim with a value of `true`.", "default": true, "type": "boolean", - "description": "Check that the introspection response has an `active` claim with a value of `true`.", "required": false } }, { "introspection_accept": { "type": "string", - "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)", - "default": "application/json", "required": false, "one_of": [ "application/json", "application/token-introspection+jwt", "application/jwt" - ] + ], + "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)" } }, { "introspection_headers_names": { - "required": false, - "type": "array", "description": "Extra header names passed to the introspection endpoint.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "introspection_headers_values": { - "required": false, - "type": "array", "description": "Extra header values passed to the introspection endpoint.", "elements": 
{ "type": "string" - } + }, + "type": "array", + "required": false } }, { "introspection_headers_client": { - "required": false, - "type": "array", "description": "Extra headers passed from the client to the introspection endpoint.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "introspection_post_args_names": { - "required": false, - "type": "array", "description": "Extra post argument names passed to the introspection endpoint.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "introspection_post_args_values": { - "required": false, - "type": "array", "description": "Extra post argument values passed to the introspection endpoint.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "introspection_post_args_client": { - "required": false, - "type": "array", "description": "Extra post arguments passed from the client to the introspection endpoint.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "introspect_jwt_tokens": { + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", "default": false, "type": "boolean", - "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", "required": false } }, @@ -1095,8 +1093,6 @@ }, { "revocation_endpoint_auth_method": { - "required": false, - "type": "string", "description": "The revocation endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", 
@@ -1104,7 +1100,9 @@ "client_secret_jwt", "private_key_jwt", "none" - ] + ], + "type": "string", + "required": false } }, { 
@@ -1124,73 +1122,73 @@ { "userinfo_accept": { "type": "string", - "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)", - "default": "application/json", "required": false, "one_of": [ "application/json", "application/jwt" - ] + ], + "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)" } }, { "userinfo_headers_names": { - "required": false, - "type": "array", "description": "Extra header names passed to the user info endpoint.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "userinfo_headers_values": { - "required": false, - "type": "array", "description": "Extra header values passed to the user info endpoint.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "userinfo_headers_client": { - "required": false, - "type": "array", "description": "Extra headers passed from the client to the user info endpoint.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "userinfo_query_args_names": { - "required": false, - "type": "array", "description": "Extra query argument names passed to the user info endpoint.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "userinfo_query_args_values": { - "required": false, - "type": "array", "description": "Extra query argument values passed to the user info endpoint.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "userinfo_query_args_client": { - "required": false, - "type": "array", "description": "Extra query arguments passed from the client to the user info endpoint.", "elements": { "type": "string" - } + }, + 
"type": "array", + "required": false } }, { 
@@ -1202,138 +1200,139 @@ }, { "session_secret": { + "type": "string", + "required": false, "referenceable": true, - "description": "The session secret.", "encrypted": true, - "type": "string", - "required": false + "description": "The session secret." } }, { "session_audience": { + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", "default": "default", "type": "string", - "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", "required": false } }, { "session_cookie_name": { + "description": "The session cookie name.", "default": "session", "type": "string", - "description": "The session cookie name.", "required": false } }, { "session_remember": { + "description": "Enables or disables persistent sessions.", "default": false, "type": "boolean", - "description": "Enables or disables persistent sessions.", "required": false } }, { "session_remember_cookie_name": { + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", "default": "remember", "type": "string", - "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", "required": false } }, { "session_remember_rolling_timeout": { + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", "default": 604800, "type": "number", - "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", "required": false } }, { "session_remember_absolute_timeout": { + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", "default": 2592000, "type": "number", - "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 
0 disables the checks.", "required": false } }, { "session_idling_timeout": { + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", "default": 900, "type": "number", - "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", "required": false } }, { "session_rolling_timeout": { + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", "default": 3600, "type": "number", - "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", "required": false } }, { "session_absolute_timeout": { + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", "default": 86400, "type": "number", - "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", "required": false } }, { "session_cookie_path": { - "starts_with": "/", "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "required": false, + "starts_with": "/", + "default": "/", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "default": "/" + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "session_cookie_domain": { - "required": false, + "description": "The session cookie Domain flag.", "type": "string", - "description": "The session cookie Domain flag." 
+ "required": false } }, { "session_cookie_same_site": { "type": "string", - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", - "default": "Lax", "required": false, "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." } }, { "session_cookie_http_only": { + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "default": true, "type": "boolean", - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "required": false } }, { "session_cookie_secure": { - "required": false, + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "type": "boolean", - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." + "required": false } }, { "session_request_headers": { + "type": "set", "elements": { "type": "string", "one_of": [ @@ -1345,12 +1344,12 @@ "rolling-timeout", "absolute-timeout" ] - }, - "type": "set" + } } }, { "session_response_headers": { + "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -1362,248 +1361,255 @@ "rolling-timeout", "absolute-timeout" ] - }, - "type": "set" + } } }, { "session_storage": { "type": "string", - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis", - "default": "cookie", "required": false, "one_of": [ "cookie", "memcache", "memcached", "redis" - ] + ], + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis" } }, { "session_store_metadata": { + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", "default": false, "type": "boolean", - "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", "required": false } }, { "session_enforce_same_subject": { + "description": "When set to `true`, audiences are forced to share the same subject.", "default": false, "type": "boolean", - "description": "When set to `true`, audiences are forced to share the same subject.", "required": false } }, { "session_hash_subject": { + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", "default": false, "type": "boolean", - "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", "required": false } }, { "session_hash_storage_key": { + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "default": false, "type": "boolean", - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "required": false } }, { "session_memcached_prefix": { - "required": false, + "description": "The memcached session key prefix.", "type": "string", - "description": "The memcached session key prefix." + "required": false } }, { "session_memcached_socket": { - "required": false, + "description": "The memcached unix socket path.", "type": "string", - "description": "The memcached unix socket path." + "required": false } }, { "session_memcached_host": { + "description": "The memcached host.", "default": "127.0.0.1", "type": "string", - "description": "The memcached host.", "required": false } }, { "session_memcached_port": { + "type": "integer", + "required": false, "between": [ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": false, - "default": 11211 + "default": 11211, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "session_redis_prefix": { - "required": false, + "description": "The Redis session key prefix.", "type": "string", - "description": "The Redis session key prefix." + "required": false } }, { "session_redis_socket": { - "required": false, + "description": "The Redis unix socket path.", "type": "string", - "description": "The Redis unix socket path." 
+ "required": false } }, { "session_redis_host": { + "description": "The Redis host", "default": "127.0.0.1", "type": "string", - "description": "The Redis host", "required": false } }, { "session_redis_port": { + "type": "integer", + "required": false, "between": [ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": false, - "default": 6379 + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "session_redis_username": { - "required": false, - "referenceable": true, "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", - "type": "string" + "referenceable": true, + "type": "string", + "required": false } }, { "session_redis_password": { + "type": "string", + "required": false, "referenceable": true, - "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis.", "encrypted": true, - "type": "string", - "required": false + "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis." } }, { "session_redis_connect_timeout": { - "required": false, + "description": "Session redis connection timeout in milliseconds.", "type": "integer", - "description": "Session redis connection timeout in milliseconds." + "required": false } }, { "session_redis_read_timeout": { - "required": false, + "description": "Session redis read timeout in milliseconds.", "type": "integer", - "description": "Session redis read timeout in milliseconds." 
+ "required": false } }, { "session_redis_send_timeout": { - "required": false, + "description": "Session redis send timeout in milliseconds.", "type": "integer", - "description": "Session redis send timeout in milliseconds." + "required": false } }, { "session_redis_ssl": { + "description": "Use SSL/TLS for Redis connection.", "default": false, "type": "boolean", - "description": "Use SSL/TLS for Redis connection.", "required": false } }, { "session_redis_ssl_verify": { + "description": "Verify identity provider server certificate.", "default": false, "type": "boolean", - "description": "Verify identity provider server certificate.", "required": false } }, { "session_redis_server_name": { - "required": false, + "description": "The SNI used for connecting the Redis server.", "type": "string", - "description": "The SNI used for connecting the Redis server." + "required": false } }, { "session_redis_cluster_nodes": { - "required": false, - "type": "array", "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", "elements": { "type": "record", "fields": [ { "ip": { - "required": true, - "type": "string", "description": "A string representing a host name, such as example.com.", - "default": "127.0.0.1" + "default": "127.0.0.1", + "type": "string", + "required": true } }, { "port": { - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] - } + }, + "type": "array", + "required": false } }, { "session_redis_cluster_max_redirections": { - "required": false, + "description": "The Redis cluster maximum redirects.", "type": "integer", - "description": "The Redis cluster maximum redirects." 
+ "required": false } }, { "reverify": { + "description": "Specifies whether to always verify tokens stored in the session.", "default": false, "type": "boolean", - "description": "Specifies whether to always verify tokens stored in the session.", "required": false } }, { "jwt_session_claim": { + "description": "The claim to match against the JWT session cookie.", "default": "sid", "type": "string", - "description": "The claim to match against the JWT session cookie.", "required": false } }, { "jwt_session_cookie": { - "required": false, + "description": "The name of the JWT session cookie.", "type": "string", - "description": "The name of the JWT session cookie." + "required": false } }, { "bearer_token_param_type": { + "type": "array", + "required": false, + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`", "elements": { "type": "string", "one_of": [ 
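Review bot: The description carried over for `session_redis_ssl_verify` in this hunk, `"Verify identity provider server certificate."`, is the same text `ssl_verify` has later in the file, and it does not describe a Redis setting. The field sits between `session_redis_ssl` and `session_redis_server_name`, so it presumably controls verification of the Redis server's certificate; `"description": "Verify the Redis server certificate."` would match that. If that reading is right, the text should also say that with the default of `false` the Redis peer is not authenticated even when `session_redis_ssl` is `true`. Since the commit message says this file is pulled from the API, the wording probably has to be corrected in the upstream schema and re-downloaded.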
@@ -1612,26 +1618,26 @@ "query", "body" ] - }, - "type": "array", - "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`", - "required": false, - "default": [ - "header", - "query", - "body" - ] + } } }, { "bearer_token_cookie_name": { - "required": false, + "description": "The name of the cookie in which the bearer token is passed.", "type": "string", - "description": "The name of the cookie in which the bearer token is passed." + "required": false } }, { "client_credentials_param_type": { + "type": "array", + "required": false, + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body", "elements": { "type": "string", "one_of": [ @@ -1639,19 +1645,19 @@ "query", "body" ] - }, + } + } + }, + { + "password_param_type": { "type": "array", - "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body", "required": false, "default": [ "header", "query", "body" - ] - } - }, - { - "password_param_type": { + ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", "elements": { "type": "string", "one_of": [ 
@@ -1659,19 +1665,19 @@ "query", "body" ] - }, + } + } + }, + { + "id_token_param_type": { "type": "array", - "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", "required": false, "default": [ "header", "query", "body" - ] - } - }, - { - "id_token_param_type": { + ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", "elements": { "type": "string", "one_of": [ 
@@ -1679,240 +1685,238 @@ "query", "body" ] - }, - "type": "array", - "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", - "required": false, - "default": [ - "header", - "query", - "body" - ] + } } }, { "id_token_param_name": { - "required": false, + "description": "The name of the parameter used to pass the id token.", "type": "string", - "description": "The name of the parameter used to pass the id token." + "required": false } }, { "refresh_token_param_type": { - "elements": { - "type": "string", - "one_of": [ - "header", - "query", - "body" - ] - }, "type": "array", - "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", "required": false, "default": [ "header", "query", "body" - ] + ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + } } }, { "refresh_token_param_name": { - "required": false, + "description": "The name of the parameter used to pass the refresh token.", "type": "string", - "description": "The name of the parameter used to pass the refresh token." + "required": false } }, { "refresh_tokens": { + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", "default": true, "type": "boolean", - "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", "required": false } }, { "upstream_headers_claims": { - "required": false, - "type": "array", - "description": "The upstream header claims. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "description": "The upstream header claims.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "upstream_headers_names": { - "required": false, - "type": "array", "description": "The upstream header names for the claim values.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "upstream_access_token_header": { + "description": "The upstream access token header.", "default": "authorization:bearer", "type": "string", - "description": "The upstream access token header.", "required": false } }, { "upstream_access_token_jwk_header": { - "required": false, + "description": "The upstream access token JWK header.", "type": "string", - "description": "The upstream access token JWK header." + "required": false } }, { "upstream_id_token_header": { - "required": false, + "description": "The upstream id token header.", "type": "string", - "description": "The upstream id token header." + "required": false } }, { "upstream_id_token_jwk_header": { - "required": false, + "description": "The upstream id token JWK header.", "type": "string", - "description": "The upstream id token JWK header." + "required": false } }, { "upstream_refresh_token_header": { - "required": false, + "description": "The upstream refresh token header.", "type": "string", - "description": "The upstream refresh token header." + "required": false } }, { "upstream_user_info_header": { - "required": false, + "description": "The upstream user info header.", "type": "string", - "description": "The upstream user info header." + "required": false } }, { "upstream_user_info_jwt_header": { - "required": false, + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", "type": "string", - "description": "The upstream user info JWT header (in case the user info returns a JWT response)." 
+ "required": false } }, { "upstream_introspection_header": { - "required": false, + "description": "The upstream introspection header.", "type": "string", - "description": "The upstream introspection header." + "required": false } }, { "upstream_introspection_jwt_header": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_session_id_header": { - "required": false, + "description": "The upstream session id header.", "type": "string", - "description": "The upstream session id header." + "required": false } }, { "downstream_headers_claims": { - "required": false, - "type": "array", - "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "description": "The downstream header claims.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "downstream_headers_names": { - "required": false, - "type": "array", "description": "The downstream header names for the claim values.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "downstream_access_token_header": { - "required": false, + "description": "The downstream access token header.", "type": "string", - "description": "The downstream access token header." + "required": false } }, { "downstream_access_token_jwk_header": { - "required": false, + "description": "The downstream access token JWK header.", "type": "string", - "description": "The downstream access token JWK header." + "required": false } }, { "downstream_id_token_header": { - "required": false, + "description": "The downstream id token header.", "type": "string", - "description": "The downstream id token header." + "required": false } }, { "downstream_id_token_jwk_header": { - "required": false, + "description": "The downstream id token JWK header.", "type": "string", - "description": "The downstream id token JWK header." 
+ "required": false } }, { "downstream_refresh_token_header": { - "required": false, + "description": "The downstream refresh token header.", "type": "string", - "description": "The downstream refresh token header." + "required": false } }, { "downstream_user_info_header": { - "required": false, + "description": "The downstream user info header.", "type": "string", - "description": "The downstream user info header." + "required": false } }, { "downstream_user_info_jwt_header": { - "required": false, + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", "type": "string", - "description": "The downstream user info JWT header (in case the user info returns a JWT response)." + "required": false } }, { "downstream_introspection_header": { - "required": false, + "description": "The downstream introspection header.", "type": "string", - "description": "The downstream introspection header." + "required": false } }, { "downstream_introspection_jwt_header": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_session_id_header": { - "required": false, + "description": "The downstream session id header.", "type": "string", - "description": "The downstream session id header." + "required": false } }, { "login_methods": { + "type": "array", + "required": false, + "default": [ + "authorization_code" + ], + "description": "Enable login functionality with specified grants.", "elements": { "type": "string", "one_of": [ 
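Review bot: The new descriptions for `upstream_headers_claims` and `downstream_headers_claims` in this hunk drop the sentence `If multiple values are set, it means the claim is inside a nested object of the token payload.`, leaving only "The upstream header claims." and "The downstream header claims.". Without it a reader cannot tell that the array is a path into nested claims rather than a list of alternative claim names. The same sentence is removed from `consumer_claim` (hunk `@@ -2010,52`) and `credential_claim` (hunk `@@ -2063,94`), where a misread array changes which token value is used for consumer or credential mapping. I would restore the sentence on all four fields; if the downloaded schema is the source of truth, it needs restoring upstream before this file is regenerated.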
@@ -1926,30 +1930,30 @@ "refresh_token", "session" ] - }, - "type": "array", - "description": "Enable login functionality with specified grants.", - "required": false, - "default": [ - "authorization_code" - ] + } } }, { "login_action": { "type": "string", - "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location", - "default": "upstream", "required": false, "one_of": [ "upstream", "response", "redirect" - ] + ], + "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location" } }, { "login_tokens": { + "type": "array", + "required": false, + "default": [ + "id_token" + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response", "elements": { "type": "string", "one_of": [ 
@@ -1959,50 +1963,51 @@ "tokens", "introspection" ] - }, - "type": "array", - "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response", - "required": false, - "default": [ - "id_token" - ] + } } }, { "login_redirect_mode": { "type": "string", - "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)", - "default": "fragment", "required": false, "one_of": [ "query", "fragment" - ] + ], + "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)" } }, { "logout_query_arg": { - "required": false, + "description": "The request query argument that activates the logout.", "type": "string", - "description": "The request query argument that activates the logout." + "required": false } }, { "logout_post_arg": { - "required": false, + "description": "The request body argument that activates the logout.", "type": "string", - "description": "The request body argument that activates the logout." + "required": false } }, { "logout_uri_suffix": { - "required": false, + "description": "The request URI suffix that activates the logout.", "type": "string", - "description": "The request URI suffix that activates the logout." 
+ "required": false } }, { "logout_methods": { + "type": "array", + "required": false, + "default": [ + "POST", + "DELETE" + ], + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method", "elements": { "type": "string", "one_of": [ 
@@ -2010,52 +2015,52 @@ "GET", "DELETE" ] - }, - "type": "array", - "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method", - "required": false, - "default": [ - "POST", - "DELETE" - ] + } } }, { "logout_revoke": { + "description": "Revoke tokens as part of the logout.", "default": false, "type": "boolean", - "description": "Revoke tokens as part of the logout.", "required": false } }, { "logout_revoke_access_token": { + "description": "Revoke the access token as part of the logout.", "default": true, "type": "boolean", - "description": "Revoke the access token as part of the logout.", "required": false } }, { "logout_revoke_refresh_token": { + "description": "Revoke the refresh token as part of the logout.", "default": true, "type": "boolean", - "description": "Revoke the refresh token as part of the logout.", "required": false } }, { "consumer_claim": { - "required": false, - "type": "array", - "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "description": "The claim used for consumer mapping.", "elements": { "type": "string" - } + }, + "type": "array", + "required": false } }, { "consumer_by": { + "type": "array", + "required": false, + "default": [ + "username", + "custom_id" + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`", "elements": { "type": "string", "one_of": [ 
@@ -2063,94 +2068,93 @@ "username", "custom_id" ] - }, - "type": "array", - "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`", - "required": false, - "default": [ - "username", - "custom_id" - ] + } } }, { "consumer_optional": { + "description": "Do not terminate the request if consumer mapping fails.", "default": false, "type": "boolean", - "description": "Do not terminate the request if consumer mapping fails.", "required": false } }, { "credential_claim": { - "elements": { - "type": "string" - }, "type": "array", - "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, "default": [ "sub" - ] + ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used.", + "elements": { + "type": "string" + } } }, { "anonymous": { - "required": false, + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "type": "string", - "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." 
+ "required": false } }, { "run_on_preflight": { + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", "default": true, "type": "boolean", - "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", "required": false } }, { "leeway": { + "description": "Allow some leeway (in seconds) on the iat claim and ttl / expiry verification.", "default": 0, "type": "number", - "description": "Allow some leeway (in seconds) on the iat claim and ttl / expiry verification.", "required": false } }, { "verify_parameters": { + "description": "Verify plugin configuration against discovery.", "default": false, "type": "boolean", - "description": "Verify plugin configuration against discovery.", "required": false } }, { "verify_nonce": { + "description": "Verify nonce on authorization code flow.", "default": true, "type": "boolean", - "description": "Verify nonce on authorization code flow.", "required": false } }, { "verify_claims": { + "description": "Verify tokens for standard claims.", "default": true, "type": "boolean", - "description": "Verify tokens for standard claims.", "required": false } }, { "verify_signature": { + "description": "Verify signature of tokens.", "default": true, "type": "boolean", - "description": "Verify signature of tokens.", "required": false } }, { "ignore_signature": { + "type": "array", + "required": false, + "default": [ + + ], + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication", "elements": { "type": "string", "one_of": [ 
@@ -2162,27 +2166,19 @@ "introspection", "userinfo" ] - }, - "type": "array", - "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication", - "required": false, - "default": [ - - ] + } } }, { "enable_hs_signatures": { + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", "default": false, "type": "boolean", - "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", "required": false } }, { "disable_session": { - "required": false, - "type": "array", "description": "Disable issuing the session cookie with the specified grants.", "elements": { "type": "string", 
@@ -2197,106 +2193,108 @@ "refresh_token", "session" ] - } + }, + "type": "array", + "required": false } }, { "cache_ttl": { + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", "default": 3600, "type": "number", - "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", "required": false } }, { "cache_ttl_max": { - "required": false, + "description": "The maximum cache ttl in seconds (enforced).", "type": "number", - "description": "The maximum cache ttl in seconds (enforced)." + "required": false } }, { "cache_ttl_min": { - "required": false, + "description": "The minimum cache ttl in seconds (enforced).", "type": "number", - "description": "The minimum cache ttl in seconds (enforced)." + "required": false } }, { "cache_ttl_neg": { - "required": false, + "description": "The negative cache ttl in seconds.", "type": "number", - "description": "The negative cache ttl in seconds." + "required": false } }, { "cache_ttl_resurrect": { - "required": false, + "description": "The resurrection ttl in seconds.", "type": "number", - "description": "The resurrection ttl in seconds." + "required": false } }, { "cache_tokens": { + "description": "Cache the token endpoint requests.", "default": true, "type": "boolean", - "description": "Cache the token endpoint requests.", "required": false } }, { "cache_tokens_salt": { - "required": false, + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", "type": "string", "auto": true, - "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." 
+ "required": false } }, { "cache_introspection": { + "description": "Cache the introspection endpoint requests.", "default": true, "type": "boolean", - "description": "Cache the introspection endpoint requests.", "required": false } }, { "cache_token_exchange": { + "description": "Cache the token exchange endpoint requests.", "default": true, "type": "boolean", - "description": "Cache the token exchange endpoint requests.", "required": false } }, { "cache_user_info": { + "description": "Cache the user info requests.", "default": true, "type": "boolean", - "description": "Cache the user info requests.", "required": false } }, { "search_user_info": { + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", "default": false, "type": "boolean", - "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", "required": false } }, { "hide_credentials": { + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", "default": false, "type": "boolean", - "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", "required": false } }, { "http_version": { + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0", "default": 1.1, "type": "number", - "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0", "required": false } }, 
@@ -2309,9 +2307,9 @@ }, { "http_proxy_authorization": { - "required": false, + "description": "The HTTP proxy authorization.", "type": "string", - "description": "The HTTP proxy authorization." + "required": false } }, { 
@@ -2323,63 +2321,63 @@ }, { "https_proxy_authorization": { - "required": false, + "description": "The HTTPS proxy authorization.", "type": "string", - "description": "The HTTPS proxy authorization." + "required": false } }, { "no_proxy": { - "required": false, + "description": "Do not use proxy with these hosts.", "type": "string", - "description": "Do not use proxy with these hosts." + "required": false } }, { "keepalive": { + "description": "Use keepalive with the HTTP client.", "default": true, "type": "boolean", - "description": "Use keepalive with the HTTP client.", "required": false } }, { "ssl_verify": { + "description": "Verify identity provider server certificate.", "default": false, "type": "boolean", - "description": "Verify identity provider server certificate.", "required": false } }, { "timeout": { + "description": "Network IO timeout in milliseconds.", "default": 10000, "type": "number", - "description": "Network IO timeout in milliseconds.", "required": false } }, { "display_errors": { + "description": "Display errors on failure responses.", "default": false, "type": "boolean", - "description": "Display errors on failure responses.", "required": false } }, { "by_username_ignore_case": { + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", "default": false, "type": "boolean", - "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", "required": false } }, { "resolve_distributed_claims": { + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", "default": false, "type": "boolean", - "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. 
If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", "required": false } }, @@ -2399,9 +2397,9 @@ }, { "introspection_token_param_name": { + "description": "Designate token's parameter name for introspection.", "default": "token", "type": "string", - "description": "Designate token's parameter name for introspection.", "required": false } }, @@ -2414,22 +2412,22 @@ }, { "revocation_token_param_name": { + "description": "Designate token's parameter name for revocation.", "default": "token", "type": "string", - "description": "Designate token's parameter name for revocation.", "required": false } }, { "proof_of_possession_mtls": { - "default": "off", - "type": "string", - "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", "one_of": [ "off", "strict", "optional" - ] + ], + "default": "off", + "type": "string", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401." } }, { @@ -2439,7 +2437,9 @@ "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP." } } - ] + ], + "type": "record", + "required": true } } ], 
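Review bot: `ssl_verify` in the `@@ -2323,63 +2321,63 @@` hunk keeps `"default": false`, and its description `Verify identity provider server certificate.` does not tell the reader that verification is therefore off unless they enable it. With verification off, the plugin presumably accepts a response from any server that answers for the identity provider, which weakens trust in the keys and tokens it retrieves. I would extend the description to `"Verify the identity provider's server certificate. Disabled by default; enable it so the identity provider is authenticated."`. The default itself comes from the plugin schema, so changing it is outside this file.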
diff --git a/schemas/opentelemetry/3.4.x.json b/schemas/opentelemetry/3.4.x.json index efad39a9..a17980f5 100644 --- a/schemas/opentelemetry/3.4.x.json +++ b/schemas/opentelemetry/3.4.x.json @@ -59,6 +59,7 @@ "resource_attributes": { "values": { "type": "string", + "description": "Attributes to add to the OpenTelemetry resource object, following the spec for Semantic Attributes. \nThe following attributes are automatically added:\n- `service.name`: The name of the service (default: `kong`).\n- `service.version`: The version of Kong Gateway.\n- `service.instance.id`: The node ID of Kong Gateway.\n\nYou can use this property to override default attribute values. For example, to override the default for `service.name`, you can specify `{ \"service.name\": \"my-service\" }`.", "required": true }, "keys": { @@ -191,6 +192,7 @@ }, { "http_response_header_for_traceid": { + "description": "Specifies a custom header for the `trace_id`. If set, the plugin sets the corresponding header in the response.", "type": "string" } }, @@ -209,6 +211,7 @@ "datadog" ], "type": "string", + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests.", "required": false } } diff --git a/schemas/opentelemetry/3.5.x.json b/schemas/opentelemetry/3.5.x.json index 080800db..155caefc 100644 --- a/schemas/opentelemetry/3.5.x.json +++ b/schemas/opentelemetry/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
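Review bot: The `resource_attributes` description added in the `@@ -59,6 +59,7 @@` hunk sits inside the `values` sub-schema, although the text describes the whole map (which attributes are added automatically and how to override them). In `schemas/opentelemetry/3.5.x.json` the same text is attached to `keys` instead, so the two versions disagree on where it belongs. It would read correctly as a `description` on `resource_attributes` itself, next to `"type": "map"`, with `keys` and `values` left as plain string schemas.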
@@ -11,29 +19,19 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "entity_checks": [ { "custom_entity_check": { 
@@ -47,81 +45,80 @@ "fields": [ { "endpoint": { - "required": true, - "referenceable": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "referenceable": true, + "type": "string", + "required": true } }, { "headers": { + "keys": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "type": "map", "values": { "type": "string", "referenceable": true }, - "type": "map", - "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", - "keys": { - "description": "A string representing an HTTP header name.", - "type": "string" - } + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend." } }, { "resource_attributes": { - "values": { - "required": true, - "type": "string" + "keys": { + "type": "string", + "description": "Attributes to add to the OpenTelemetry resource object, following the spec for Semantic Attributes. \nThe following attributes are automatically added:\n- `service.name`: The name of the service (default: `kong`).\n- `service.version`: The version of Kong Gateway.\n- `service.instance.id`: The node ID of Kong Gateway.\n\nYou can use this property to override default attribute values. 
For example, to override the default for `service.name`, you can specify `{ \"service.name\": \"my-service\" }`.", + "required": true }, "type": "map", - "keys": { - "required": true, - "type": "string" + "values": { + "type": "string", + "required": true } } }, { "queue": { - "required": true, - "type": "record", "fields": [ { "max_batch_size": { - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 - ] + ], + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 - ] + ], + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 - ] + ], + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue." } }, { "max_bytes": { - "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", - "type": "integer" + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." } }, { 
@@ -133,84 +130,84 @@ }, { "initial_retry_delay": { - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 - ] + ], + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff." } } - ] + ], + "type": "record", + "required": true } }, { "batch_span_count": { - "description": "The number of spans to be sent in a single batch.", - "type": "integer" + "type": "integer", + "description": "The number of spans to be sent in a single batch." } }, { "batch_flush_delay": { - "description": "The delay, in seconds, between two consecutive batches.", - "type": "integer" + "type": "integer", + "description": "The delay, in seconds, between two consecutive batches." } }, { "connect_timeout": { - "default": 1000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 1000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "default": 5000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 5000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "default": 5000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 5000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "http_response_header_for_traceid": { + "description": "Specifies a custom header for the `trace_id`. If set, the plugin sets the corresponding header in the response.", "type": "string" } }, { "header_type": { - "required": false, - "type": "string", - "default": "preserve", "one_of": [ "preserve", "ignore", @@ -222,10 +219,16 @@ "aws", "gcp", "datadog" - ] + ], + "default": "preserve", + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests.", + "type": "string", + "required": false } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/post-function/3.5.x.json b/schemas/post-function/3.5.x.json index 45616adc..4422e7d5 100644 --- a/schemas/post-function/3.5.x.json +++ b/schemas/post-function/3.5.x.json @@ -2,8 +2,6 @@ "fields": [ { "protocols": { - "required": false, - "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -22,27 +20,37 @@ "https", "ws", "wss" - ] + ], + "type": "set", + "required": false } }, { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "one_of": [ "grpc", 
@@ -56,156 +64,158 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string" + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing protocols." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "certificate": { - "required": true, "type": "array", + "required": true, "default": [ ], + "description": "Custom functions, which can be user-defined, are cached and executed sequentially during specific phases: `certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, and `log`.", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "rewrite": { - "required": true, "type": "array", + "required": true, "default": [ ], + "description": "Custom functions, which can be user-defined, are cached and executed sequentially during specific phases: `certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, and `log`.", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "access": { - "required": true, "type": "array", + "required": true, "default": [ ], + "description": "Custom functions, which can be user-defined, are cached and executed sequentially during specific phases: `certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, and `log`.", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "header_filter": { - "required": true, "type": "array", + "required": true, "default": [ ], + "description": "Custom functions, which can be user-defined, are cached and executed sequentially during specific phases: `certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, and 
`log`.", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "body_filter": { - "required": true, "type": "array", + "required": true, "default": [ ], + "description": "Custom functions, which can be user-defined, are cached and executed sequentially during specific phases: `certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, and `log`.", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "log": { - "required": true, "type": "array", + "required": true, "default": [ ], + "description": "Custom functions, which can be user-defined, are cached and executed sequentially during specific phases: `certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, and `log`.", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "ws_handshake": { - "required": true, "type": "array", + "required": true, "default": [ ], + "description": "Custom functions, which can be user-defined, are cached and executed sequentially during specific phases: `certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, and `log`.", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "ws_client_frame": { - "required": true, "type": "array", + "required": true, "default": [ ], + "description": "Custom functions, which can be user-defined, are cached and executed sequentially during specific phases: `certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, and `log`.", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "ws_upstream_frame": { - "required": true, "type": "array", + "required": true, "default": [ ], + "description": "Custom functions, which can be user-defined, are cached and executed sequentially during specific phases: `certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, and 
`log`.", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "ws_close": { - "required": true, "type": "array", + "required": true, "default": [ ], + "description": "Custom functions, which can be user-defined, are cached and executed sequentially during specific phases: `certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, and `log`.", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/pre-function/3.5.x.json b/schemas/pre-function/3.5.x.json index 45616adc..4422e7d5 100644 --- a/schemas/pre-function/3.5.x.json +++ b/schemas/pre-function/3.5.x.json @@ -2,8 +2,6 @@ "fields": [ { "protocols": { - "required": false, - "type": "set", "elements": { "type": "string", "one_of": [ @@ -22,27 +20,37 @@ "https", "ws", "wss" - ] + ], + "type": "set", + "required": false } }, { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "one_of": [ "grpc", 
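Review bot: All ten phase fields in the `@@ -56,156 +64,158 @@` hunk of `schemas/post-function/3.5.x.json` receive one identical description that names six phases, so `ws_handshake`, `ws_client_frame`, `ws_upstream_frame` and `ws_close` are documented by a list that does not include them. Each field would be clearer naming its own phase, e.g. `"description": "Custom functions executed sequentially in the ws_close phase."`. The text also never states that each string element is function source that the gateway executes, so write access to this plugin's configuration amounts to running code in the gateway. One sentence saying so would help operators scope that permission. The `schemas/pre-function/3.5.x.json` hunk that follows carries the same descriptions.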
@@ -56,156 +64,158 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string" + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing protocols." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "certificate": { - "required": true, "type": "array", + "required": true, "default": [ ], + "description": "Custom functions, which can be user-defined, are cached and executed sequentially during specific phases: `certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, and `log`.", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "rewrite": { - "required": true, "type": "array", + "required": true, "default": [ ], + "description": "Custom functions, which can be user-defined, are cached and executed sequentially during specific phases: `certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, and `log`.", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "access": { - "required": true, "type": "array", + "required": true, "default": [ ], + "description": "Custom functions, which can be user-defined, are cached and executed sequentially during specific phases: `certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, and `log`.", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "header_filter": { - "required": true, "type": "array", + "required": true, "default": [ ], + "description": "Custom functions, which can be user-defined, are cached and executed sequentially during specific phases: `certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, and 
`log`.", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "body_filter": { - "required": true, "type": "array", + "required": true, "default": [ ], + "description": "Custom functions, which can be user-defined, are cached and executed sequentially during specific phases: `certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, and `log`.", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "log": { - "required": true, "type": "array", + "required": true, "default": [ ], + "description": "Custom functions, which can be user-defined, are cached and executed sequentially during specific phases: `certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, and `log`.", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "ws_handshake": { - "required": true, "type": "array", + "required": true, "default": [ ], + "description": "Custom functions, which can be user-defined, are cached and executed sequentially during specific phases: `certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, and `log`.", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "ws_client_frame": { - "required": true, "type": "array", + "required": true, "default": [ ], + "description": "Custom functions, which can be user-defined, are cached and executed sequentially during specific phases: `certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, and `log`.", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "ws_upstream_frame": { - "required": true, "type": "array", + "required": true, "default": [ ], + "description": "Custom functions, which can be user-defined, are cached and executed sequentially during specific phases: `certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, and 
`log`.", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "ws_close": { - "required": true, "type": "array", + "required": true, "default": [ ], + "description": "Custom functions, which can be user-defined, are cached and executed sequentially during specific phases: `certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, and `log`.", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/prometheus/3.5.x.json b/schemas/prometheus/3.5.x.json index de535d24..b84e430c 100644 --- a/schemas/prometheus/3.5.x.json +++ b/schemas/prometheus/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "one_of": [ "grpc", @@ -15,32 +23,22 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string" + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "per_consumer": { @@ -77,7 +75,9 @@ "description": "A boolean value that determines if status code metrics should be collected. If enabled, `upstream_target_health` metric will be exported." } } - ] + ], + "type": "record", + "required": true } } ], 
diff --git a/schemas/proxy-cache-advanced/3.5.x.json b/schemas/proxy-cache-advanced/3.5.x.json index a235d788..82fe8c7c 100644 --- a/schemas/proxy-cache-advanced/3.5.x.json +++ b/schemas/proxy-cache-advanced/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ @@ -11,52 +19,49 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "response_code": { - "len_min": 1, "type": "array", - "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", "required": true, + "len_min": 1, "default": [ 200, 301, 404 ], + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", "elements": { + "type": "integer", "between": [ 100, 900 - ], - "type": "integer" + ] } } }, { "request_method": { + "type": "array", + "required": true, + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", "elements": { "type": "string", "one_of": [ 
@@ -66,136 +71,127 @@ "PATCH", "PUT" ] - }, - "type": "array", - "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", - "required": true, - "default": [ - "GET", - "HEAD" - ] + } } }, { "content_type": { - "elements": { - "type": "string" - }, "type": "array", - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", "required": true, "default": [ "text/plain", "application/json" - ] + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", + "elements": { + "type": "string" + } } }, { "cache_ttl": { - "default": 300, "gt": 0, - "description": "TTL in seconds of cache entities.", - "type": "integer" + "default": 300, + "type": "integer", + "description": "TTL in seconds of cache entities." } }, { "strategy": { - "required": true, - "type": "string", "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", "one_of": [ "memory", "redis" - ] + ], + "type": "string", + "required": true } }, { "cache_control": { + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", "default": false, "type": "boolean", - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", "required": true } }, { "ignore_uri_case": { + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. 
If set to true, requests are cached while ignoring case sensitivity in the URI.", "default": false, "type": "boolean", - "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", "required": false } }, { "storage_ttl": { - "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", - "type": "integer" + "type": "integer", + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." } }, { "memory": { - "required": true, - "type": "record", "fields": [ { "dictionary_name": { - "required": true, - "type": "string", "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", - "default": "kong_db_cache" + "default": "kong_db_cache", + "type": "string", + "required": true } } - ] + ], + "type": "record", + "required": true } }, { "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration." + } } }, { "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." 
+ } } }, { "response_headers": { - "required": true, - "type": "record", "description": "Caching related diagnostic headers that should be included in cached responses", "fields": [ { "age": { - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "X-Cache-Status": { - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "X-Cache-Key": { - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } } - ] + ], + "type": "record", + "required": true } }, { "redis": { - "required": true, - "type": "record", "entity_checks": [ { "mutually_exclusive_sets": { @@ -257,8 +253,8 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { @@ -273,13 +269,13 @@ }, { "timeout": { - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { 
@@ -315,31 +311,31 @@ { "username": { "referenceable": true, - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", - "type": "string" + "type": "string", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." } }, { "password": { - "encrypted": true, - "referenceable": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "type": "string" + "referenceable": true, + "type": "string", + "encrypted": true } }, { "sentinel_username": { "referenceable": true, - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string" + "type": "string", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." } }, { "sentinel_password": { - "encrypted": true, - "referenceable": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "type": "string" + "referenceable": true, + "type": "string", + "encrypted": true } }, { 
@@ -351,13 +347,13 @@ }, { "keepalive_pool_size": { - "default": 256, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 - ] + ], + "default": 256, + "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." } }, { 
@@ -372,55 +368,55 @@ }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", "one_of": [ "master", "slave", "any" - ] + ], + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." } }, { "sentinel_addresses": { "len_min": 1, - "type": "array", - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" - } + }, + "type": "array", + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element." } }, { "cluster_addresses": { "len_min": 1, - "type": "array", - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" - } + }, + "type": "array", + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element." 
} }, { "ssl": { - "required": false, - "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", - "default": false + "default": false, + "type": "boolean", + "required": false } }, { "ssl_verify": { - "required": false, - "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "default": false + "default": false, + "type": "boolean", + "required": false } }, { @@ -430,7 +426,9 @@ "description": "A string representing an SNI (server name indication) value for TLS." } } - ] + ], + "type": "record", + "required": true } }, { @@ -440,7 +438,9 @@ "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/proxy-cache/3.5.x.json b/schemas/proxy-cache/3.5.x.json index 188e644c..f7096937 100644 --- a/schemas/proxy-cache/3.5.x.json +++ b/schemas/proxy-cache/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "one_of": [ "grpc", 
@@ -15,55 +23,52 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string" + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "response_code": { - "len_min": 1, "type": "array", - "description": "Upstream response status code considered cacheable.", "required": true, + "len_min": 1, "default": [ 200, 301, 404 ], + "description": "Upstream response status code considered cacheable.", "elements": { + "type": "integer", "between": [ 100, 900 - ], - "type": "integer" + ] } } }, { "request_method": { + "type": "array", + "required": true, + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable.", "elements": { "type": "string", "one_of": [ 
@@ -73,53 +78,46 @@ "PATCH", "PUT" ] - }, - "type": "array", - "description": "Downstream request methods considered cacheable.", - "required": true, - "default": [ - "GET", - "HEAD" - ] + } } }, { "content_type": { - "elements": { - "type": "string" - }, "type": "array", - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", "required": true, "default": [ "text/plain", "application/json" - ] + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", + "elements": { + "type": "string" + } } }, { "cache_ttl": { + "gt": 0, "default": 300, "type": "integer", - "description": "TTL, in seconds, of cache entities.", - "gt": 0 + "description": "TTL, in seconds, of cache entities." } }, { "strategy": { - "required": true, - "type": "string", "description": "The backing data store in which to hold cache entities.", "one_of": [ "memory" - ] + ], + "type": "string", + "required": true } }, { "cache_control": { + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", "default": false, "type": "boolean", - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", "required": true } }, 
@@ -132,72 +130,74 @@ }, { "storage_ttl": { - "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", - "type": "integer" + "type": "integer", + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." } }, { "memory": { - "required": true, - "type": "record", "fields": [ { "dictionary_name": { + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", "default": "kong_db_cache", "type": "string", - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", "required": true } } - ] + ], + "type": "record", + "required": true } }, { "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration." + } } }, { "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." 
+ } } }, { "response_headers": { - "required": true, - "type": "record", "description": "Caching related diagnostic headers that should be included in cached responses", "fields": [ { "age": { - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "X-Cache-Status": { - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "X-Cache-Key": { - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } } - ] + ], + "type": "record", + "required": true } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/rate-limiting-advanced/3.5.x.json b/schemas/rate-limiting-advanced/3.5.x.json index fe30aaba..b6d9b4c1 100644 --- a/schemas/rate-limiting-advanced/3.5.x.json +++ b/schemas/rate-limiting-advanced/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ @@ -11,28 +19,16 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "identifier": { "type": "string", - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, or `path`.", "required": true, - "default": "consumer", "one_of": [ "ip", "credential", 
@@ -40,73 +36,75 @@ "service", "header", "path" - ] + ], + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, or `path`." } }, { "window_size": { "required": true, - "type": "array", - "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" - } + }, + "type": "array", + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified." } }, { "window_type": { - "default": "sliding", - "type": "string", - "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", "one_of": [ "fixed", "sliding" - ] + ], + "default": "sliding", + "type": "string", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters." } }, { "limit": { "required": true, - "type": "array", - "description": "One or more requests-per-window limits to apply. 
There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" - } + }, + "type": "array", + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified." } }, { "sync_rate": { - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", - "type": "number" + "type": "number", + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." } }, { "namespace": { "required": true, + "auto": true, "type": "string", - "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", - "auto": true + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same." } }, { "strategy": { "type": "string", - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. 
Available values are: `local` and `cluster`.", "required": true, - "default": "local", "one_of": [ "cluster", "redis", "local" - ] + ], + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`." } }, { "dictionary_name": { + "required": true, "default": "kong_rate_limiting_counters", "type": "string", - "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", - "required": true + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle." } }, { @@ -125,27 +123,25 @@ }, { "header_name": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." } }, { "path": { "starts_with": "/", - "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], + "type": "string", "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "redis": { - "required": true, - "type": "record", "entity_checks": [ { "mutually_exclusive_sets": { @@ -207,8 +203,8 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { 
@@ -223,13 +219,13 @@ }, { "timeout": { - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -265,31 +261,31 @@ { "username": { "referenceable": true, - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", - "type": "string" + "type": "string", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." } }, { "password": { - "encrypted": true, - "referenceable": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "type": "string" + "referenceable": true, + "type": "string", + "encrypted": true } }, { "sentinel_username": { "referenceable": true, - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string" + "type": "string", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." } }, { "sentinel_password": { - "encrypted": true, - "referenceable": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "type": "string" + "referenceable": true, + "type": "string", + "encrypted": true } }, { 
@@ -301,13 +297,13 @@ }, { "keepalive_pool_size": { - "default": 256, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 - ] + ], + "default": 256, + "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." } }, { 
@@ -322,55 +318,55 @@ }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", "one_of": [ "master", "slave", "any" - ] + ], + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." } }, { "sentinel_addresses": { "len_min": 1, - "type": "array", - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" - } + }, + "type": "array", + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element." } }, { "cluster_addresses": { "len_min": 1, - "type": "array", - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" - } + }, + "type": "array", + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element." 
} }, { "ssl": { - "required": false, - "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", - "default": false + "default": false, + "type": "boolean", + "required": false } }, { "ssl_verify": { - "required": false, - "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "default": false + "default": false, + "type": "boolean", + "required": false } }, { @@ -380,7 +376,9 @@ "description": "A string representing an SNI (server name indication) value for TLS." } } - ] + ], + "type": "record", + "required": true } }, { @@ -392,11 +390,11 @@ }, { "consumer_groups": { + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`." + } } }, { @@ -408,10 +406,10 @@ }, { "error_code": { + "gt": 0, "default": 429, "type": "number", - "description": "Set a custom error code to return when the rate limit is exceeded.", - "gt": 0 + "description": "Set a custom error code to return when the rate limit is exceeded." } }, { @@ -421,7 +419,9 @@ "description": "Set a custom error message to return when the rate limit is exceeded." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/rate-limiting/3.5.x.json b/schemas/rate-limiting/3.5.x.json index 4476af38..7f1ead9b 100644 --- a/schemas/rate-limiting/3.5.x.json +++ b/schemas/rate-limiting/3.5.x.json 
@@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
@@ -11,77 +19,64 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "second": { "gt": 0, - "description": "The number of HTTP requests that can be made per second.", - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per second." } }, { "minute": { "gt": 0, - "description": "The number of HTTP requests that can be made per minute.", - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per minute." } }, { "hour": { "gt": 0, - "description": "The number of HTTP requests that can be made per hour.", - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per hour." } }, { "day": { "gt": 0, - "description": "The number of HTTP requests that can be made per day.", - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per day." } }, { "month": { "gt": 0, - "description": "The number of HTTP requests that can be made per month.", - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per month." } }, { "year": { "gt": 0, - "description": "The number of HTTP requests that can be made per year.", - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per year." 
} }, { "limit_by": { - "default": "consumer", - "type": "string", - "description": "The entity that is used when aggregating the limits.", "one_of": [ "consumer", "credential", 
@@ -89,101 +84,104 @@ "service", "header", "path" - ] + ], + "default": "consumer", + "type": "string", + "description": "The entity that is used when aggregating the limits." } }, { "header_name": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." } }, { "path": { "starts_with": "/", - "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], + "type": "string", "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "policy": { - "len_min": 0, "type": "string", - "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "len_min": 0, "default": "local", "one_of": [ "local", "cluster", "redis" - ] + ], + "description": "The rate-limiting policies to use for retrieving and incrementing the limits." } }, { "fault_tolerant": { + "required": true, "default": true, "type": "boolean", - "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", - "required": true + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors." 
} }, { "redis_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "redis_port": { - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "redis_password": { "len_min": 0, "referenceable": true, - "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", - "type": "string" + "type": "string", + "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server." } }, { "redis_username": { + "referenceable": true, "type": "string", - "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.", - "referenceable": true + "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired." } }, { "redis_ssl": { + "required": true, "default": false, "type": "boolean", - "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server.", - "required": true + "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server." } }, { "redis_ssl_verify": { + "required": true, "default": false, "type": "boolean", - "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies it server SSL certificate is validated. Note that you need to configure the lua_ssl_trusted_certificate to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure lua_ssl_verify_depth accordingly.", - "required": true + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies it server SSL certificate is validated. Note that you need to configure the lua_ssl_trusted_certificate to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly." } }, { "redis_server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", - "type": "string" + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS." } }, { @@ -202,18 +200,18 @@ }, { "hide_client_headers": { + "required": true, "default": false, "type": "boolean", - "description": "Optionally hide informative response headers.", - "required": true + "description": "Optionally hide informative response headers." } }, { "error_code": { + "gt": 0, "default": 429, "type": "number", - "description": "Set a custom error code to return when the rate limit is exceeded.", - "gt": 0 + "description": "Set a custom error code to return when the rate limit is exceeded." } }, { @@ -225,13 +223,15 @@ }, { "sync_rate": { + "required": true, "default": -1, "type": "number", - "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior.", - "required": true + "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/request-size-limiting/3.5.x.json b/schemas/request-size-limiting/3.5.x.json index 168c1cb6..abb4d81d 100644 --- a/schemas/request-size-limiting/3.5.x.json +++ b/schemas/request-size-limiting/3.5.x.json 
@@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ @@ -11,29 +19,19 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "allowed_payload_size": { @@ -45,25 +43,27 @@ { "size_unit": { "type": "string", - "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", "required": true, - "default": "megabytes", "one_of": [ "megabytes", "kilobytes", "bytes" - ] + ], + "default": "megabytes", + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0." } }, { "require_content_length": { "required": true, + "default": false, "type": "boolean", - "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", - "default": false + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/request-termination/3.5.x.json b/schemas/request-termination/3.5.x.json index ffa5c52f..c6dc97b0 100644 
--- a/schemas/request-termination/3.5.x.json +++ b/schemas/request-termination/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
@@ -11,75 +19,67 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "status_code": { + "type": "integer", + "required": true, "between": [ 100, 599 ], - "type": "integer", - "description": "The response code to send. Must be an integer between 100 and 599.", "default": 503, - "required": true + "description": "The response code to send. Must be an integer between 100 and 599." } }, { "message": { - "description": "The message to send, if using the default response generator.", - "type": "string" + "type": "string", + "description": "The message to send, if using the default response generator." } }, { "content_type": { - "description": "Content type of the raw response configured with `config.body`.", - "type": "string" + "type": "string", + "description": "Content type of the raw response configured with `config.body`." } }, { "body": { - "description": "The raw response body to send. This is mutually exclusive with the `config.message` field.", - "type": "string" + "type": "string", + "description": "The raw response body to send. This is mutually exclusive with the `config.message` field." } }, { "echo": { - "required": true, - "type": "boolean", "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. 
It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", - "default": false + "default": false, + "type": "boolean", + "required": true } }, { "trigger": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/request-transformer-advanced/3.5.x.json b/schemas/request-transformer-advanced/3.5.x.json index 9e2d3b89..b0181b2f 100644 --- a/schemas/request-transformer-advanced/3.5.x.json +++ b/schemas/request-transformer-advanced/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ @@ -11,21 +19,11 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "http_method": { @@ -36,8 +34,6 @@ }, { "remove": { - "required": true, - "type": "record", "fields": [ { "body": { @@ -72,13 +68,13 @@ } } } - ] + ], + "type": "record", + "required": true } }, { "rename": { - "required": true, - "type": "record", "fields": [ { "body": { @@ -116,13 +112,13 @@ } } } - ] + ], + "type": "record", + "required": true } }, { "replace": { - "required": true, - "type": "record", "fields": [ { "body": { @@ -181,13 +177,13 @@ "type": "string" } } - ] + ], + "type": "record", + "required": true } }, { "add": { - "required": true, - "type": "record", "fields": [ { "body": { @@ -241,13 +237,13 @@ } } } - ] + ], + "type": "record", + "required": true } }, { "append": { - "required": true, - "type": "record", "fields": [ { "body": { 
@@ -301,23 +297,25 @@ } } } - ] + ], + "type": "record", + "required": true } }, { "allow": { - "required": true, - "type": "record", "fields": [ { "body": { + "type": "set", "elements": { "type": "string" - }, - "type": "set" + } } } - ] + ], + "type": "record", + "required": true } }, { @@ -327,7 +325,9 @@ "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects)." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/request-transformer/3.5.x.json b/schemas/request-transformer/3.5.x.json index 1d9ea3aa..d34a533c 100644 --- a/schemas/request-transformer/3.5.x.json +++ b/schemas/request-transformer/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "one_of": [ "grpc", @@ -15,24 +23,14 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string" + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing protocols." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "http_method": { @@ -43,16 +41,14 @@ }, { "remove": { - "required": true, - "type": "record", "fields": [ { "body": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } @@ -61,10 +57,10 @@ { "headers": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } 
@@ -73,30 +69,30 @@ { "querystring": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } } } - ] + ], + "type": "record", + "required": true } }, { "rename": { - "required": true, - "type": "record", "fields": [ { "body": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } @@ -105,43 +101,43 @@ { "headers": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { - "match": "^[^:]+:.*$", - "type": "string" + "type": "string", + "match": "^[^:]+:.*$" } } }, { "querystring": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } } } - ] + ], + "type": "record", + "required": true } }, { "replace": { - "required": true, - "type": "record", "fields": [ { "body": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } @@ -150,23 +146,23 @@ { "headers": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { - "match": "^[^:]+:.*$", - "type": "string" + "type": "string", + "match": "^[^:]+:.*$" } } }, { "querystring": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } @@ -177,21 +173,21 @@ "type": "string" } } - ] + ], + "type": "record", + "required": true } }, { "add": { - "required": true, - "type": "record", "fields": [ { "body": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } 
@@ -200,43 +196,43 @@ { "headers": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { - "match": "^[^:]+:.*$", - "type": "string" + "type": "string", + "match": "^[^:]+:.*$" } } }, { "querystring": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } } } - ] + ], + "type": "record", + "required": true } }, { "append": { - "required": true, - "type": "record", "fields": [ { "body": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } @@ -245,32 +241,36 @@ { "headers": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { - "match": "^[^:]+:.*$", - "type": "string" + "type": "string", + "match": "^[^:]+:.*$" } } }, { "querystring": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } } } - ] + ], + "type": "record", + "required": true } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/request-validator/3.5.x.json b/schemas/request-validator/3.5.x.json index 74b56d30..d6edae38 100644 --- a/schemas/request-validator/3.5.x.json +++ b/schemas/request-validator/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
@@ -11,29 +19,19 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "entity_checks": [ { "at_least_one_of": [ 
@@ -52,64 +50,44 @@ }, { "allowed_content_types": { + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", "default": [ "application/json" ], "type": "set", - "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", "elements": { - "required": true, - "type": "string" + "type": "string", + "required": true } } }, { "version": { "type": "string", - "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", "required": true, + "default": "kong", "one_of": [ "kong", "draft4" ], - "default": "kong" + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator." } }, { "parameter_schema": { "required": false, - "type": "array", - "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", "elements": { - "entity_checks": [ - { - "mutually_required": [ - "style", - "explode", - "schema" - ] - }, - { - "custom_entity_check": { - "field_sources": [ - "style", - "in" - ] - } - } - ], - "type": "record", "fields": [ { "in": { - "required": true, - "type": "string", "description": "The location of the parameter.", "one_of": [ "query", "header", "path" - ] + ], + "type": "string", + "required": true } }, { @@ -128,8 +106,6 @@ }, { "style": { - "type": "string", - "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", "one_of": [ "label", "form", 
@@ -138,34 +114,58 @@ "spaceDelimited", "pipeDelimited", "deepObject" - ] + ], + "type": "string", + "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value." } }, { "explode": { - "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect.", - "type": "boolean" + "type": "boolean", + "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect." } }, { "schema": { - "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating.", - "type": "string" + "type": "string", + "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating." + } + } + ], + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "style", + "explode", + "schema" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "style", + "in" + ] } } ] - } + }, + "type": "array", + "description": "Array of parameter validator specification. 
One of `body_schema` or `parameter_schema` must be specified." } }, { "verbose_response": { + "description": "If enabled, the plugin returns more verbose and detailed validation errors.", "default": false, "type": "boolean", - "description": "If enabled, the plugin returns more verbose and detailed validation errors.", "required": true } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/response-ratelimiting/3.5.x.json b/schemas/response-ratelimiting/3.5.x.json index 68da3ddb..3595a350 100644 --- a/schemas/response-ratelimiting/3.5.x.json +++ b/schemas/response-ratelimiting/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ @@ -11,29 +19,19 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "header_name": { 
@@ -44,88 +42,88 @@ }, { "limit_by": { - "default": "consumer", - "type": "string", - "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", "one_of": [ "consumer", "credential", "ip" - ] + ], + "default": "consumer", + "type": "string", + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`." } }, { "policy": { - "default": "local", - "type": "string", - "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", "one_of": [ "local", "cluster", "redis" - ] + ], + "default": "local", + "type": "string", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits." } }, { "fault_tolerant": { + "required": true, "default": true, "type": "boolean", - "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", - "required": true + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors." } }, { "redis_host": { - "description": "When using the `redis` policy, this property specifies the address to the Redis server.", - "type": "string" + "type": "string", + "description": "When using the `redis` policy, this property specifies the address to the Redis server." 
} }, { "redis_port": { - "default": 6379, - "type": "integer", - "description": "When using the `redis` policy, this property specifies the port of the Redis server.", "between": [ 0, 65535 - ] + ], + "default": 6379, + "type": "integer", + "description": "When using the `redis` policy, this property specifies the port of the Redis server." } }, { "redis_password": { "len_min": 0, + "referenceable": true, "type": "string", - "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", - "referenceable": true + "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server." } }, { "redis_username": { + "referenceable": true, "type": "string", - "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.\nThis requires Redis v6.0.0+. The username **cannot** be set to `default`.", - "referenceable": true + "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.\nThis requires Redis v6.0.0+. The username **cannot** be set to `default`." } }, { "redis_ssl": { + "required": true, "default": false, "type": "boolean", - "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server.", - "required": true + "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server." } }, { "redis_ssl_verify": { + "required": true, "default": false, "type": "boolean", - "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies if the server SSL certificate is validated. Note that you need to configure the `lua_ssl_trusted_certificate` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": true + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies if the server SSL certificate is validated. Note that you need to configure the `lua_ssl_trusted_certificate` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." } }, { "redis_server_name": { - "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies the server name for the TLS extension Server Name Indication (SNI).", - "type": "string" + "type": "string", + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies the server name for the TLS extension Server Name Indication (SNI)." } }, { @@ -144,32 +142,29 @@ }, { "block_on_first_violation": { + "required": true, "default": false, "type": "boolean", - "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", - "required": true + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too." } }, { "hide_client_headers": { + "required": true, "default": false, "type": "boolean", - "description": "Optionally hide informative response headers.", - "required": true + "description": "Optionally hide informative response headers." } }, { "limits": { - "len_min": 1, - "type": "map", - "description": "A map that defines rate limits for the plugin.", "keys": { "type": "string" }, + "type": "map", "required": true, + "len_min": 1, "values": { - "required": true, - "type": "record", "entity_checks": [ { "at_least_one_of": [ 
@@ -219,11 +214,16 @@ "gt": 0 } } - ] - } + ], + "type": "record", + "required": true + }, + "description": "A map that defines rate limits for the plugin." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/response-transformer-advanced/3.5.x.json b/schemas/response-transformer-advanced/3.5.x.json index a5a43f82..9a910822 100644 --- a/schemas/response-transformer-advanced/3.5.x.json +++ b/schemas/response-transformer-advanced/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ @@ -11,26 +19,14 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "remove": { - "required": true, - "type": "record", "fields": [ { "json": { @@ -65,13 +61,13 @@ } } } - ] + ], + "type": "record", + "required": true } }, { "rename": { - "required": true, - "type": "record", "fields": [ { "headers": { @@ -96,18 +92,18 @@ } } } - ] + ], + "type": "record", + "required": true } }, { "replace": { - "required": true, - "type": "record", "fields": [ { "body": { - "description": "String with which to replace the entire response body.", - "type": "string" + "type": "string", + "description": "String with which to replace the entire response body." } }, { @@ -159,13 +155,13 @@ } } } - ] + ], + "type": "record", + "required": true } }, { "add": { - "required": true, - "type": "record", "fields": [ { "json": { @@ -216,13 +212,13 @@ } } } - ] + ], + "type": "record", + "required": true } }, { "append": { - "required": true, - "type": "record", "fields": [ { "json": { 
@@ -273,29 +269,29 @@ } } } - ] + ], + "type": "record", + "required": true } }, { "allow": { - "required": true, - "type": "record", "fields": [ { "json": { + "type": "set", "elements": { "type": "string" - }, - "type": "set" + } } } - ] + ], + "type": "record", + "required": true } }, { "transform": { - "required": true, - "type": "record", "fields": [ { "functions": { @@ -330,7 +326,9 @@ } } } - ] + ], + "type": "record", + "required": true } }, { @@ -340,7 +338,9 @@ "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects.." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/response-transformer/3.5.x.json b/schemas/response-transformer/3.5.x.json index e6d31513..41769345 100644 --- a/schemas/response-transformer/3.5.x.json +++ b/schemas/response-transformer/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ @@ -11,34 +19,22 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "remove": { - "required": true, - "type": "record", "fields": [ { "json": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } 
@@ -47,59 +43,65 @@ { "headers": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { "type": "string" } } } - ] + ], + "type": "record", + "required": true } }, { "rename": { - "required": true, - "type": "record", "fields": [ { "headers": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { - "match": "^[^:]+:.*$", - "type": "string" + "type": "string", + "match": "^[^:]+:.*$" } } } - ] + ], + "type": "record", + "required": true } }, { "replace": { - "required": true, - "type": "record", "fields": [ { "json": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { - "match": "^[^:]+:.*$", - "type": "string" + "type": "string", + "match": "^[^:]+:.*$" } } }, { "json_types": { + "type": "array", + "required": true, + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "elements": { "type": "string", "one_of": [ 
@@ -107,51 +109,51 @@ "number", "string" ] - }, - "type": "array", - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", - "required": true, - "default": [ - - ] + } } }, { "headers": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { - "match": "^[^:]+:.*$", - "type": "string" + "type": "string", + "match": "^[^:]+:.*$" } } } - ] + ], + "type": "record", + "required": true } }, { "add": { - "required": true, - "type": "record", "fields": [ { "json": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { - "match": "^[^:]+:.*$", - "type": "string" + "type": "string", + "match": "^[^:]+:.*$" } } }, { "json_types": { + "type": "array", + "required": true, + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "elements": { "type": "string", "one_of": [ 
@@ -159,51 +161,51 @@ "number", "string" ] - }, - "type": "array", - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", - "required": true, - "default": [ - - ] + } } }, { "headers": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { - "match": "^[^:]+:.*$", - "type": "string" + "type": "string", + "match": "^[^:]+:.*$" } } } - ] + ], + "type": "record", + "required": true } }, { "append": { - "required": true, - "type": "record", "fields": [ { "json": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { - "match": "^[^:]+:.*$", - "type": "string" + "type": "string", + "match": "^[^:]+:.*$" } } }, { "json_types": { + "type": "array", + "required": true, + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "elements": { "type": "string", "one_of": [ @@ -211,32 +213,30 @@ "number", "string" ] - }, - "type": "array", - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", - "required": true, - "default": [ - - ] + } } }, { "headers": { "required": true, - "type": "array", "default": [ ], + "type": "array", "elements": { - "match": "^[^:]+:.*$", - "type": "string" + "type": "string", + "match": "^[^:]+:.*$" } } } - ] + ], + "type": "record", + "required": true } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/route-by-header/3.5.x.json b/schemas/route-by-header/3.5.x.json index 02635b7f..7b442cae 100644 --- a/schemas/route-by-header/3.5.x.json +++ b/schemas/route-by-header/3.5.x.json 
@@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ @@ -11,54 +19,44 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "rules": { + "description": "Route by header rules.", "default": [ ], "type": "array", - "description": "Route by header rules.", "elements": { "type": "record", "fields": [ { "upstream_name": { - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "condition": { - "len_min": 1, - "type": "map", "keys": { "type": "string" }, + "type": "map", "required": true, + "len_min": 1, "values": { "type": "string" } @@ -68,7 +66,9 @@ } } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/route-transformer-advanced/3.5.x.json b/schemas/route-transformer-advanced/3.5.x.json index 2cbc96c7..6c975272 100644 --- a/schemas/route-transformer-advanced/3.5.x.json +++ b/schemas/route-transformer-advanced/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
@@ -11,29 +19,19 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -61,11 +59,13 @@ }, { "escape_path": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/saml/3.5.x.json b/schemas/saml/3.5.x.json index 6e63d191..a7e16a18 100644 --- a/schemas/saml/3.5.x.json +++ b/schemas/saml/3.5.x.json @@ -3,13 +3,21 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
@@ -19,23 +27,15 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -112,21 +112,19 @@ } } ], - "type": "record", - "required": true, "fields": [ { "assertion_consumer_path": { - "starts_with": "/", "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "required": true, + "starts_with": "/", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ] + ], + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { 
@@ -138,263 +136,264 @@ }, { "idp_certificate": { + "type": "string", + "encrypted": true, "referenceable": true, - "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", "required": false, - "encrypted": true, - "type": "string" + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines." } }, { "response_encryption_key": { + "type": "string", + "encrypted": true, "referenceable": true, - "description": "The private encryption key required to decrypt encrypted assertions.", "required": false, - "encrypted": true, - "type": "string" + "description": "The private encryption key required to decrypt encrypted assertions." } }, { "request_signing_key": { + "type": "string", + "encrypted": true, "referenceable": true, - "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", "required": false, - "encrypted": true, - "type": "string" + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well." } }, { "request_signing_certificate": { + "type": "string", + "encrypted": true, "referenceable": true, - "description": "The certificate for signing requests.", "required": false, - "encrypted": true, - "type": "string" + "description": "The certificate for signing requests." } }, { "request_signature_algorithm": { "type": "string", - "description": "The signature algorithm for signing Authn requests. 
Options available are: - `SHA256` - `SHA384` - `SHA512`", "required": false, - "default": "SHA256", "one_of": [ "SHA256", "SHA384", "SHA512" - ] + ], + "default": "SHA256", + "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`" } }, { "request_digest_algorithm": { "type": "string", - "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", "required": false, - "default": "SHA256", "one_of": [ "SHA256", "SHA1" - ] + ], + "default": "SHA256", + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`" } }, { "response_signature_algorithm": { "type": "string", - "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", "required": false, - "default": "SHA256", "one_of": [ "SHA256", "SHA384", "SHA512" - ] + ], + "default": "SHA256", + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`" } }, { "response_digest_algorithm": { "type": "string", - "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", "required": false, - "default": "SHA256", "one_of": [ "SHA256", "SHA1" - ] + ], + "default": "SHA256", + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`" } }, { "issuer": { - "required": true, + "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", "type": "string", - "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP." 
+ "required": true } }, { "nameid_format": { "type": "string", - "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", "required": false, - "default": "EmailAddress", "one_of": [ "Unspecified", "EmailAddress", "Persistent", "Transient" - ] + ], + "default": "EmailAddress", + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`" } }, { "validate_assertion_signature": { - "required": false, - "type": "boolean", "description": "Enable signature validation for SAML responses.", - "default": true + "default": true, + "type": "boolean", + "required": false } }, { "anonymous": { - "required": false, + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username." + "required": false } }, { "session_secret": { - "len_min": 32, - "len_max": 32, - "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "match": "^[0-9a-zA-Z/_+]+$", "referenceable": true, + "type": "string", "required": true, + "len_min": 32, + "len_max": 32, "encrypted": true, - "match": "^[0-9a-zA-Z/_+]+$", - "type": "string" + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). 
It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange." } }, { "session_audience": { + "description": "The session audience, for example \"my-application\"", "default": "default", "type": "string", - "description": "The session audience, for example \"my-application\"", "required": false } }, { "session_cookie_name": { + "description": "The session cookie name.", "default": "session", "type": "string", - "description": "The session cookie name.", "required": false } }, { "session_remember": { + "description": "Enables or disables persistent sessions", "default": false, "type": "boolean", - "description": "Enables or disables persistent sessions", "required": false } }, { "session_remember_cookie_name": { + "description": "Persistent session cookie name", "default": "remember", "type": "string", - "description": "Persistent session cookie name", "required": false } }, { "session_remember_rolling_timeout": { + "description": "Persistent session rolling timeout in seconds.", "default": 604800, "type": "number", - "description": "Persistent session rolling timeout in seconds.", "required": false } }, { "session_remember_absolute_timeout": { + "description": "Persistent session absolute timeout in seconds.", "default": 2592000, "type": "number", - "description": "Persistent session absolute timeout in seconds.", "required": false } }, { "session_idling_timeout": { + "description": "The session cookie idle time in seconds.", "default": 900, "type": "number", - "description": "The session cookie idle time in seconds.", "required": false } }, { "session_rolling_timeout": { + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", "default": 3600, "type": "number", - "description": "The session cookie absolute timeout in seconds. 
Specifies how long the session can be used until it is no longer valid.", "required": false } }, { "session_absolute_timeout": { + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", "default": 86400, "type": "number", - "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", "required": false } }, { "session_cookie_path": { - "starts_with": "/", "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "required": false, + "starts_with": "/", + "default": "/", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "default": "/" + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "session_cookie_domain": { - "required": false, + "description": "The session cookie domain flag.", "type": "string", - "description": "The session cookie domain flag." + "required": false } }, { "session_cookie_same_site": { "type": "string", - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", - "default": "Lax", "required": false, "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." 
} }, { "session_cookie_http_only": { + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "default": true, "type": "boolean", - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "required": false } }, { "session_cookie_secure": { - "required": false, + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "type": "boolean", - "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." + "required": false } }, { "session_request_headers": { + "type": "set", "elements": { "type": "string", "one_of": [ @@ -406,12 +405,12 @@ "rolling-timeout", "absolute-timeout" ] - }, - "type": "set" + } } }, { "session_response_headers": { + "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -423,224 +422,225 @@ "rolling-timeout", "absolute-timeout" ] - }, - "type": "set" + } } }, { "session_storage": { "type": "string", - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", - "default": "cookie", "required": false, "one_of": [ "cookie", "memcache", "memcached", "redis" - ] + ], + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis" } }, { "session_store_metadata": { + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", "default": false, "type": "boolean", - "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", "required": false } }, { "session_enforce_same_subject": { + "description": "When set to `true`, audiences are forced to share the same subject.", "default": false, "type": "boolean", - "description": "When set to `true`, audiences are forced to share the same subject.", "required": false } }, { "session_hash_subject": { + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", "default": false, "type": "boolean", - "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", "required": false } }, { "session_hash_storage_key": { + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "default": false, "type": "boolean", - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "required": false } }, { "session_memcached_prefix": { - "required": false, + "description": "The memcached session key prefix.", "type": "string", - "description": "The memcached session key prefix." + "required": false } }, { "session_memcached_socket": { - "required": false, + "description": "The memcached unix socket path.", "type": "string", - "description": "The memcached unix socket path." + "required": false } }, { "session_memcached_host": { + "description": "The memcached host.", "default": "127.0.0.1", "type": "string", - "description": "The memcached host.", "required": false } }, { "session_memcached_port": { + "type": "integer", + "required": false, "between": [ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": false, - "default": 11211 + "default": 11211, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "session_redis_prefix": { - "required": false, + "description": "The Redis session key prefix.", "type": "string", - "description": "The Redis session key prefix." + "required": false } }, { "session_redis_socket": { - "required": false, + "description": "The Redis unix socket path.", "type": "string", - "description": "The Redis unix socket path." 
+ "required": false } }, { "session_redis_host": { + "description": "The Redis host IP.", "default": "127.0.0.1", "type": "string", - "description": "The Redis host IP.", "required": false } }, { "session_redis_port": { + "type": "integer", + "required": false, "between": [ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": false, - "default": 6379 + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "session_redis_username": { - "required": false, - "referenceable": true, "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", - "type": "string" + "referenceable": true, + "type": "string", + "required": false } }, { "session_redis_password": { + "type": "string", + "encrypted": true, "referenceable": true, - "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. This value is pulled from", "required": false, - "encrypted": true, - "type": "string" + "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. This value is pulled from" } }, { "session_redis_connect_timeout": { - "required": false, + "description": "The Redis connection timeout in milliseconds.", "type": "integer", - "description": "The Redis connection timeout in milliseconds." + "required": false } }, { "session_redis_read_timeout": { - "required": false, + "description": "The Redis read timeout in milliseconds.", "type": "integer", - "description": "The Redis read timeout in milliseconds." 
+ "required": false } }, { "session_redis_send_timeout": { - "required": false, + "description": "The Redis send timeout in milliseconds.", "type": "integer", - "description": "The Redis send timeout in milliseconds." + "required": false } }, { "session_redis_ssl": { + "description": "Use SSL/TLS for the Redis connection.", "default": false, "type": "boolean", - "description": "Use SSL/TLS for the Redis connection.", "required": false } }, { "session_redis_ssl_verify": { + "description": "Verify the Redis server certificate.", "default": false, "type": "boolean", - "description": "Verify the Redis server certificate.", "required": false } }, { "session_redis_server_name": { - "required": false, + "description": "The SNI used for connecting to the Redis server.", "type": "string", - "description": "The SNI used for connecting to the Redis server." + "required": false } }, { "session_redis_cluster_nodes": { - "required": false, - "type": "array", "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", "elements": { "type": "record", "fields": [ { "ip": { - "required": true, - "type": "string", "description": "A string representing a host name, such as example.com.", - "default": "127.0.0.1" + "default": "127.0.0.1", + "type": "string", + "required": true } }, { "port": { - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] - } + }, + "type": "array", + "required": false } }, { "session_redis_cluster_max_redirections": { - "required": false, + "description": "The Redis cluster maximum redirects.", "type": "integer", - "description": "The Redis cluster maximum redirects." + "required": false } } - ] + ], + "type": "record", + "required": true } } ], 
diff --git a/schemas/session/3.5.x.json b/schemas/session/3.5.x.json index 832268ec..f4ed0e3c 100644 --- a/schemas/session/3.5.x.json +++ b/schemas/session/3.5.x.json @@ -3,13 +3,21 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "one_of": [ "grpc", @@ -23,26 +31,18 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string" + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -84,28 +84,26 @@ } } ], - "type": "record", - "required": true, "fields": [ { "secret": { - "referenceable": true, - "description": "The secret that is used in keyed HMAC generation.", + "type": "string", "required": false, + "default": "KMMFrVmbW8X1AW0JLXrJMpGnBe4tNc3ESBmsKKe7e5Ia", + "referenceable": true, "encrypted": true, - "type": "string", - "default": "4emYUIRQFQNiaq7oFjHjfmU0XnvKvdUJVFFCcdpskXga" + "description": "The secret that is used in keyed HMAC generation." } }, { "storage": { - "default": "cookie", - "type": "string", - "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", "one_of": [ "cookie", "kong" - ] + ], + "default": "cookie", + "type": "string", + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself." } }, { @@ -159,21 +157,21 @@ }, { "cookie_domain": { - "description": "The domain with which the cookie is intended to be exchanged.", - "type": "string" + "type": "string", + "description": "The domain with which the cookie is intended to be exchanged." } }, { "cookie_same_site": { - "default": "Strict", - "type": "string", - "description": "Determines whether and how a cookie may be sent with cross-site requests.", "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "default": "Strict", + "type": "string", + "description": "Determines whether and how a cookie may be sent with cross-site requests." } }, { @@ -220,6 +218,8 @@ }, { "response_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", + "type": "set", "elements": { "type": "string", "one_of": [ 
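Review bot: The `secret` field in `schemas/session/3.5.x.json` publishes a concrete key as its `"default"`, and the value differs between the removed and added lines of this hunk. That suggests the plugin generates a random default whenever the schema is loaded, though the generator is not visible here, so confirm upstream. A captured value is therefore not the real default on any other node, and anyone who copies it into a config protects session data with a publicly known HMAC key. I would strip the `"default"` line from this field when the schema is downloaded and describe the behaviour instead, for example `"description": "The secret that is used in keyed HMAC generation. If not set, a random value is generated."`, once that behaviour is confirmed. This would also stop each schema refresh from producing a spurious change on this line.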
@@ -231,13 +231,13 @@ "rolling-timeout", "absolute-timeout" ] - }, - "type": "set", - "description": "List of information to include, as headers, in the response to the downstream." + } } }, { "request_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", + "type": "set", "elements": { "type": "string", "one_of": [ @@ -249,19 +249,23 @@ "rolling-timeout", "absolute-timeout" ] - }, - "type": "set", - "description": "List of information to include, as headers, in the response to the downstream." + } } }, { "read_body_for_logout": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "logout_methods": { + "description": "A set of HTTP methods that the plugin will respond to.", + "default": [ + "POST", + "DELETE" + ], + "type": "set", "elements": { "type": "string", "one_of": [ @@ -269,13 +273,7 @@ "POST", "DELETE" ] - }, - "type": "set", - "description": "A set of HTTP methods that the plugin will respond to.", - "default": [ - "POST", - "DELETE" - ] + } } }, { @@ -292,7 +290,9 @@ "description": "The POST argument passed to logout requests. Do not change this property." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/statsd-advanced/3.5.x.json b/schemas/statsd-advanced/3.5.x.json index 57406a81..f8b7e9e7 100644 --- a/schemas/statsd-advanced/3.5.x.json +++ b/schemas/statsd-advanced/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "one_of": [ "grpc", 
@@ -15,32 +23,22 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string" + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "host": { @@ -51,13 +49,13 @@ }, { "port": { - "default": 8125, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 8125, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { 
@@ -69,152 +67,83 @@ }, { "metrics": { + "description": "List of Metrics to be logged.", "default": [ { "name": "request_count", - "sample_rate": 1, - "stat_type": "counter" + "stat_type": "counter", + "sample_rate": 1 }, { - "name": "latency", - "stat_type": "timer" + "stat_type": "timer", + "name": "latency" }, { - "name": "request_size", - "stat_type": "timer" + "stat_type": "timer", + "name": "request_size" }, { "name": "status_count", - "sample_rate": 1, - "stat_type": "counter" + "stat_type": "counter", + "sample_rate": 1 }, { - "name": "response_size", - "stat_type": "timer" + "stat_type": "timer", + "name": "response_size" }, { - "name": "unique_users", - "stat_type": "set" + "stat_type": "set", + "name": "unique_users" }, { "name": "request_per_user", - "sample_rate": 1, - "stat_type": "counter" + "stat_type": "counter", + "sample_rate": 1 }, { - "name": "upstream_latency", - "stat_type": "timer" + "stat_type": "timer", + "name": "upstream_latency" }, { - "name": "kong_latency", - "stat_type": "timer" + "stat_type": "timer", + "name": "kong_latency" }, { "name": "status_count_per_user", - "sample_rate": 1, - "stat_type": "counter" + "stat_type": "counter", + "sample_rate": 1 }, { "name": "status_count_per_workspace", - "sample_rate": 1, - "stat_type": "counter" + "stat_type": "counter", + "sample_rate": 1 }, { "name": "status_count_per_user_per_route", - "sample_rate": 1, - "stat_type": "counter" + "stat_type": "counter", + "sample_rate": 1 }, { "name": "shdict_usage", - "sample_rate": 1, - "stat_type": "gauge" + "stat_type": "gauge", + "sample_rate": 1 }, { "name": "cache_datastore_hits_total", - "sample_rate": 1, - "stat_type": "counter" + "stat_type": "counter", + "sample_rate": 1 }, { "name": "cache_datastore_misses_total", - "sample_rate": 1, - "stat_type": "counter" + "stat_type": "counter", + "sample_rate": 1 } ], "type": "array", - "description": "List of Metrics to be logged.", "elements": { - "entity_checks": [ - { - "conditional": { - 
"then_field": "stat_type", - "if_match": { - "one_of": [ - "unique_users" - ] - }, - "then_match": { - "eq": "set" - }, - "if_field": "name" - } - }, - { - "conditional": { - "then_field": "stat_type", - "if_match": { - "one_of": [ - "request_count", - "status_count", - "request_per_user", - "status_count_per_user", - "status_count_per_workspace", - "status_count_per_user_per_route", - "cache_datastore_hits_total", - "cache_datastore_misses_total" - ] - }, - "then_match": { - "eq": "counter" - }, - "if_field": "name" - } - }, - { - "conditional": { - "then_field": "stat_type", - "if_match": { - "one_of": [ - "shdict_usage" - ] - }, - "then_match": { - "eq": "gauge" - }, - "if_field": "name" - } - }, - { - "conditional": { - "then_field": "sample_rate", - "if_match": { - "one_of": [ - "counter", - "gauge" - ] - }, - "then_match": { - "required": true - }, - "if_field": "stat_type" - } - } - ], - "type": "record", "fields": [ { "name": { - "required": true, - "type": "string", "one_of": [ "kong_latency", "latency", @@ -231,13 +160,13 @@ "shdict_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" - ] + ], + "type": "string", + "required": true } }, { "stat_type": { - "required": true, - "type": "string", "one_of": [ "counter", "gauge", @@ -245,7 +174,9 @@ "meter", "set", "timer" - ] + ], + "type": "string", + "required": true } }, { 
@@ -284,29 +215,96 @@ ] } } + ], + "type": "record", + "entity_checks": [ + { + "conditional": { + "then_field": "stat_type", + "if_match": { + "one_of": [ + "unique_users" + ] + }, + "then_match": { + "eq": "set" + }, + "if_field": "name" + } + }, + { + "conditional": { + "then_field": "stat_type", + "if_match": { + "one_of": [ + "request_count", + "status_count", + "request_per_user", + "status_count_per_user", + "status_count_per_workspace", + "status_count_per_user_per_route", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + }, + "then_match": { + "eq": "counter" + }, + "if_field": "name" + } + }, + { + "conditional": { + "then_field": "stat_type", + "if_match": { + "one_of": [ + "shdict_usage" + ] + }, + "then_match": { + "eq": "gauge" + }, + "if_field": "name" + } + }, + { + "conditional": { + "then_field": "sample_rate", + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_match": { + "required": true + }, + "if_field": "stat_type" + } + } ] } } }, { "allow_status_codes": { - "elements": { - "match": "^[0-9]+-[0-9]+$", - "type": "string" - }, + "description": "List of status code ranges that are allowed to be logged in metrics.", "type": "array", - "description": "List of status code ranges that are allowed to be logged in metrics." + "elements": { + "type": "string", + "match": "^[0-9]+-[0-9]+$" + } } }, { "udp_packet_size": { - "default": 0, - "type": "number", - "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", "between": [ 0, 65507 - ] + ], + "default": 0, + "type": "number", + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive)." } }, { 
@@ -326,84 +324,82 @@ { "consumer_identifier_default": { "type": "string", - "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", - "default": "custom_id", "required": true, "one_of": [ "consumer_id", "custom_id", "username" - ] + ], + "default": "custom_id", + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`." } }, { "service_identifier_default": { "type": "string", - "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", - "default": "service_name_or_host", "required": true, "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ] + ], + "default": "service_name_or_host", + "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`." } }, { "workspace_identifier_default": { "type": "string", - "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", - "default": "workspace_id", "required": true, "one_of": [ "workspace_id", "workspace_name" - ] + ], + "default": "workspace_id", + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. 
" } }, { "queue": { - "required": true, - "type": "record", "fields": [ { "max_batch_size": { - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 - ] + ], + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 - ] + ], + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 - ] + ], + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue." } }, { "max_bytes": { - "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", - "type": "integer" + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." } }, { 
@@ -415,30 +411,34 @@ }, { "initial_retry_delay": { - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 - ] + ], + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff." } } - ] + ], + "type": "record", + "required": true } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/statsd/3.5.x.json b/schemas/statsd/3.5.x.json index a28b3666..ff24091c 100644 --- a/schemas/statsd/3.5.x.json +++ b/schemas/statsd/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "one_of": [ "grpc", @@ -15,32 +23,22 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string" + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "entity_checks": [ { "custom_entity_check": { 
@@ -62,13 +60,13 @@ }, { "port": { - "default": 8125, - "type": "integer", - "description": "The port of StatsD server to send data to.", "between": [ 0, 65535 - ] + ], + "default": 8125, + "type": "integer", + "description": "The port of StatsD server to send data to." } }, { 
@@ -80,105 +78,85 @@ }, { "metrics": { + "description": "List of metrics to be logged.", "default": [ { "name": "request_count", - "sample_rate": 1, - "stat_type": "counter" + "stat_type": "counter", + "sample_rate": 1 }, { - "stat_type": "timer", - "name": "latency" + "name": "latency", + "stat_type": "timer" }, { "name": "request_size", - "sample_rate": 1, - "stat_type": "counter" + "stat_type": "counter", + "sample_rate": 1 }, { "name": "status_count", - "sample_rate": 1, - "stat_type": "counter" + "stat_type": "counter", + "sample_rate": 1 }, { "name": "response_size", - "sample_rate": 1, - "stat_type": "counter" + "stat_type": "counter", + "sample_rate": 1 }, { - "stat_type": "set", - "name": "unique_users" + "name": "unique_users", + "stat_type": "set" }, { "name": "request_per_user", - "sample_rate": 1, - "stat_type": "counter" + "stat_type": "counter", + "sample_rate": 1 }, { - "stat_type": "timer", - "name": "upstream_latency" + "name": "upstream_latency", + "stat_type": "timer" }, { - "stat_type": "timer", - "name": "kong_latency" + "name": "kong_latency", + "stat_type": "timer" }, { "name": "status_count_per_user", - "sample_rate": 1, - "stat_type": "counter" + "stat_type": "counter", + "sample_rate": 1 }, { "name": "status_count_per_workspace", - "sample_rate": 1, - "stat_type": "counter" + "stat_type": "counter", + "sample_rate": 1 }, { "name": "status_count_per_user_per_route", - "sample_rate": 1, - "stat_type": "counter" + "stat_type": "counter", + "sample_rate": 1 }, { "name": "shdict_usage", - "sample_rate": 1, - "stat_type": "gauge" + "stat_type": "gauge", + "sample_rate": 1 }, { "name": "cache_datastore_hits_total", - "sample_rate": 1, - "stat_type": "counter" + "stat_type": "counter", + "sample_rate": 1 }, { "name": "cache_datastore_misses_total", - "sample_rate": 1, - "stat_type": "counter" + "stat_type": "counter", + "sample_rate": 1 } ], "type": "array", - "description": "List of metrics to be logged.", "elements": { - "entity_checks": [ - { 
- "conditional": { - "then_field": "sample_rate", - "if_match": { - "one_of": [ - "counter", - "gauge" - ] - }, - "then_match": { - "required": true - }, - "if_field": "stat_type" - } - } - ], - "type": "record", "fields": [ { "name": { - "required": true, - "type": "string", "description": "StatsD metric’s name.", "one_of": [ "kong_latency", @@ -196,13 +174,13 @@ "shdict_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" - ] + ], + "type": "string", + "required": true } }, { "stat_type": { - "required": true, - "type": "string", "description": "Determines what sort of event a metric represents.", "one_of": [ "counter", @@ -211,47 +189,67 @@ "meter", "set", "timer" - ] + ], + "type": "string", + "required": true } }, { "sample_rate": { "gt": 0, - "description": "Sampling rate", - "type": "number" + "type": "number", + "description": "Sampling rate" } }, { "consumer_identifier": { - "type": "string", - "description": "Authenticated user detail.", "one_of": [ "consumer_id", "custom_id", "username" - ] + ], + "type": "string", + "description": "Authenticated user detail." } }, { "service_identifier": { - "type": "string", - "description": "Service detail.", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ] + ], + "type": "string", + "description": "Service detail." } }, { "workspace_identifier": { - "type": "string", - "description": "Workspace detail.", "one_of": [ "workspace_id", "workspace_name" - ] + ], + "type": "string", + "description": "Workspace detail." + } + } + ], + "type": "record", + "entity_checks": [ + { + "conditional": { + "then_field": "sample_rate", + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_match": { + "required": true + }, + "if_field": "stat_type" } } ] 
@@ -260,70 +258,70 @@ }, { "allow_status_codes": { - "elements": { - "match": "^[0-9]+-[0-9]+$", - "type": "string" - }, + "description": "List of status code ranges that are allowed to be logged in metrics.", "type": "array", - "description": "List of status code ranges that are allowed to be logged in metrics." + "elements": { + "type": "string", + "match": "^[0-9]+-[0-9]+$" + } } }, { "udp_packet_size": { - "default": 0, - "type": "number", "between": [ 0, 65507 - ] + ], + "default": 0, + "type": "number" } }, { "use_tcp": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "hostname_in_prefix": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "consumer_identifier_default": { - "default": "custom_id", - "type": "string", - "required": true, "one_of": [ "consumer_id", "custom_id", "username" - ] + ], + "default": "custom_id", + "type": "string", + "required": true } }, { "service_identifier_default": { - "default": "service_name_or_host", - "type": "string", - "required": true, "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ] + ], + "default": "service_name_or_host", + "type": "string", + "required": true } }, { "workspace_identifier_default": { - "default": "workspace_id", - "type": "string", - "required": true, "one_of": [ "workspace_id", "workspace_name" - ] + ], + "default": "workspace_id", + "type": "string", + "required": true } }, { 
@@ -343,58 +341,56 @@ }, { "tag_style": { - "required": false, - "type": "string", "one_of": [ "dogstatsd", "influxdb", "librato", "signalfx" - ] + ], + "type": "string", + "required": false } }, { "queue": { - "required": true, - "type": "record", "fields": [ { "max_batch_size": { - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 - ] + ], + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 - ] + ], + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 - ] + ], + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue." } }, { "max_bytes": { - "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", - "type": "integer" + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." } }, { 
@@ -406,30 +402,34 @@ }, { "initial_retry_delay": { - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 - ] + ], + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff." } } - ] + ], + "type": "record", + "required": true } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/syslog/3.5.x.json b/schemas/syslog/3.5.x.json index 64e94bb4..ce26cb6d 100644 --- a/schemas/syslog/3.5.x.json +++ b/schemas/syslog/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "one_of": [ "grpc", 
@@ -15,38 +23,25 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string" + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "log_level": { - "required": true, - "type": "string", - "default": "info", "one_of": [ "debug", "info", @@ -56,14 +51,14 @@ "crit", "alert", "emerg" - ] + ], + "default": "info", + "type": "string", + "required": true } }, { "successful_severity": { - "required": true, - "type": "string", - "default": "info", "one_of": [ "debug", "info", @@ -73,14 +68,14 @@ "crit", "alert", "emerg" - ] + ], + "default": "info", + "type": "string", + "required": true } }, { "client_errors_severity": { - "required": true, - "type": "string", - "default": "info", "one_of": [ "debug", "info", @@ -90,14 +85,14 @@ "crit", "alert", "emerg" - ] + ], + "default": "info", + "type": "string", + "required": true } }, { "server_errors_severity": { - "required": true, - "type": "string", - "default": "info", "one_of": [ "debug", "info", 
@@ -107,29 +102,30 @@ "crit", "alert", "emerg" - ] + ], + "default": "info", + "type": "string", + "required": true } }, { "custom_fields_by_lua": { - "values": { - "len_min": 1, - "type": "string" + "keys": { + "type": "string", + "len_min": 1 }, "type": "map", - "description": "Lua code as a key-value map", - "keys": { + "values": { "len_min": 1, "type": "string" - } + }, + "description": "Lua code as a key-value map" } }, { "facility": { "type": "string", - "description": "The facility is used by the operating system to decide how to handle each log message.", "required": true, - "default": "user", "one_of": [ "auth", "authpriv", @@ -151,10 +147,14 @@ "local5", "local6", "local7" - ] + ], + "default": "user", + "description": "The facility is used by the operating system to decide how to handle each log message." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/tcp-log/3.5.x.json b/schemas/tcp-log/3.5.x.json index 435c097c..d8cc89f0 100644 --- a/schemas/tcp-log/3.5.x.json +++ b/schemas/tcp-log/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "one_of": [ "grpc", 
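Review bot: The `custom_fields_by_lua` description in the syslog hunk `@@ -107,29 +102,30 @@` is only "Lua code as a key-value map", which does not tell an operator that each value is code. The tcp-log schema later in this patch describes the same-named field as key-value pairs where "the value is a chunk of Lua code, whose return value sets or replaces the log field value". Assuming syslog handles the field the same way, its description should carry that sentence too; the udp-log hunk `@@ -69,19 +67,21 @@` has the same short text. A reader deciding who may edit this plugin's configuration needs to know that the values are presumably evaluated by the gateway. As the files appear to be pulled from the schema API, the wording would have to be fixed in the upstream plugin schema and re-downloaded.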
@@ -15,32 +23,22 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string" + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "host": { @@ -51,13 +49,13 @@ }, { "port": { - "required": true, - "type": "integer", - "description": "The port to send data to on the upstream server.", "between": [ 0, 65535 - ] + ], + "required": true, + "type": "integer", + "description": "The port to send data to on the upstream server." } }, { 
@@ -76,33 +74,35 @@ }, { "tls": { - "required": true, - "type": "boolean", "description": "Indicates whether to perform a TLS handshake against the remote server.", - "default": false + "default": false, + "type": "boolean", + "required": true } }, { "tls_sni": { - "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake.", - "type": "string" + "type": "string", + "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake." } }, { "custom_fields_by_lua": { + "keys": { + "type": "string", + "len_min": 1 + }, "values": { "len_min": 1, "type": "string" }, "type": "map", - "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", - "keys": { - "len_min": 1, - "type": "string" - } + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/tls-handshake-modifier/3.5.x.json b/schemas/tls-handshake-modifier/3.5.x.json index c6fafc79..e84d4318 100644 --- a/schemas/tls-handshake-modifier/3.5.x.json +++ b/schemas/tls-handshake-modifier/3.5.x.json @@ -3,19 +3,19 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, - "type": "set", "default": [ "https", "grpcs" ], + "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -29,28 +29,28 @@ { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "tls_client_certificate": { "type": "string", - "description": "TLS Client Certificate", "required": false, - "default": "REQUEST", "one_of": [ "REQUEST" - ] + ], + "default": "REQUEST", + "description": "TLS Client Certificate" } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/tls-metadata-headers/3.5.x.json b/schemas/tls-metadata-headers/3.5.x.json index 24fbc95f..15f8cd0c 100644 --- a/schemas/tls-metadata-headers/3.5.x.json +++ b/schemas/tls-metadata-headers/3.5.x.json @@ -3,19 +3,19 @@ { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, - "type": "set", "default": [ "https", "grpcs" ], + "type": "set", "elements": { "type": "string", "one_of": [ @@ -29,15 +29,13 @@ { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "inject_client_cert_details": { 
@@ -48,45 +46,47 @@ }, { "client_cert_header_name": { + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", "default": "X-Client-Cert", "type": "string", - "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", "required": true } }, { "client_serial_header_name": { + "description": "Define the HTTP header name used for the serial number of the client certificate.", "default": "X-Client-Cert-Serial", "type": "string", - "description": "Define the HTTP header name used for the serial number of the client certificate.", "required": true } }, { "client_cert_issuer_dn_header_name": { + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", "default": "X-Client-Cert-Issuer-DN", "type": "string", - "description": "Define the HTTP header name used for the issuer DN of the client certificate.", "required": true } }, { "client_cert_subject_dn_header_name": { + "description": "Define the HTTP header name used for the subject DN of the client certificate.", "default": "X-Client-Cert-Subject-DN", "type": "string", - "description": "Define the HTTP header name used for the subject DN of the client certificate.", "required": true } }, { "client_cert_fingerprint_header_name": { + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", "default": "X-Client-Cert-Fingerprint", "type": "string", - "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", "required": true } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/udp-log/3.5.x.json b/schemas/udp-log/3.5.x.json index 8043e51e..b0315484 100644 --- a/schemas/udp-log/3.5.x.json +++ b/schemas/udp-log/3.5.x.json 
@@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "one_of": [ "grpc", @@ -15,32 +23,22 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string" + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "host": { @@ -51,13 +49,13 @@ }, { "port": { - "required": true, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "required": true, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { @@ -69,19 +67,21 @@ }, { "custom_fields_by_lua": { - "values": { - "len_min": 1, - "type": "string" + "keys": { + "type": "string", + "len_min": 1 }, "type": "map", - "description": "Lua code as a key-value map", - "keys": { + "values": { "len_min": 1, "type": "string" - } + }, + "description": "Lua code as a key-value map" } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/upstream-timeout/3.5.x.json b/schemas/upstream-timeout/3.5.x.json index 60d87640..9ea12fdd 100644 --- a/schemas/upstream-timeout/3.5.x.json +++ b/schemas/upstream-timeout/3.5.x.json 
@@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ @@ -11,29 +19,19 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "read_timeout": { @@ -65,7 +63,9 @@ "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/vault-auth/3.5.x.json b/schemas/vault-auth/3.5.x.json index 1a9aac1a..d2be4a55 100644 --- a/schemas/vault-auth/3.5.x.json +++ b/schemas/vault-auth/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
@@ -11,68 +19,58 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "access_token_name": { - "elements": { - "description": "A string representing an HTTP header name.", - "type": "string" - }, "type": "string", - "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "required": true, "default": "access_token", - "required": true + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." 
+ } } }, { "secret_token_name": { - "elements": { - "description": "A string representing an HTTP header name.", - "type": "string" - }, "type": "string", - "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "required": true, "default": "secret_token", - "required": true + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + } } }, { "vault": { - "required": true, - "type": "foreign", "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", - "reference": "vault_auth_vaults" + "type": "foreign", + "reference": "vault_auth_vaults", + "required": true } }, { 
@@ -84,8 +82,8 @@ }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { @@ -102,7 +100,9 @@ "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/websocket-size-limit/3.5.x.json b/schemas/websocket-size-limit/3.5.x.json index ccea27e7..d1f893b1 100644 --- a/schemas/websocket-size-limit/3.5.x.json +++ b/schemas/websocket-size-limit/3.5.x.json @@ -3,11 +3,11 @@ { "protocols": { "required": true, - "type": "set", "default": [ "ws", "wss" ], + "type": "set", "elements": { "type": "string", "one_of": [ @@ -20,15 +20,13 @@ { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "entity_checks": [ { "at_least_one_of": [ 
@@ -40,25 +38,27 @@ "fields": [ { "client_max_payload": { - "required": false, - "type": "integer", "between": [ 1, 33554432 - ] + ], + "type": "integer", + "required": false } }, { "upstream_max_payload": { - "required": false, - "type": "integer", "between": [ 1, 33554432 - ] + ], + "type": "integer", + "required": false } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/websocket-validator/3.5.x.json b/schemas/websocket-validator/3.5.x.json index d9c5bd6c..f4c4f89c 100644 --- a/schemas/websocket-validator/3.5.x.json +++ b/schemas/websocket-validator/3.5.x.json @@ -3,11 +3,11 @@ { "protocols": { "required": true, - "type": "set", "default": [ "ws", "wss" ], + "type": "set", "elements": { "type": "string", "one_of": [ @@ -20,15 +20,13 @@ { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -40,8 +38,6 @@ "fields": [ { "client": { - "required": false, - "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -53,8 +49,6 @@ "fields": [ { "text": { - "required": false, - "type": "record", "entity_checks": [ { "custom_entity_check": { 
@@ -68,28 +62,28 @@ "fields": [ { "type": { - "required": true, - "type": "string", "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" - ] + ], + "type": "string", + "required": true } }, { "schema": { - "required": true, + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "type": "string", - "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." + "required": true } } - ] + ], + "type": "record", + "required": false } }, { "binary": { - "required": false, - "type": "record", "entity_checks": [ { "custom_entity_check": { @@ -103,31 +97,33 @@ "fields": [ { "type": { - "required": true, - "type": "string", "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" - ] + ], + "type": "string", + "required": true } }, { "schema": { - "required": true, + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "type": "string", - "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." + "required": true } } - ] + ], + "type": "record", + "required": false } } - ] + ], + "type": "record", + "required": false } }, { "upstream": { - "required": false, - "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -139,8 +135,6 @@ "fields": [ { "text": { - "required": false, - "type": "record", "entity_checks": [ { "custom_entity_check": { 
@@ -154,28 +148,28 @@ "fields": [ { "type": { - "required": true, - "type": "string", "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" - ] + ], + "type": "string", + "required": true } }, { "schema": { - "required": true, + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "type": "string", - "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." + "required": true } } - ] + ], + "type": "record", + "required": false } }, { "binary": { - "required": false, - "type": "record", "entity_checks": [ { "custom_entity_check": { @@ -189,28 +183,34 @@ "fields": [ { "type": { - "required": true, - "type": "string", "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" - ] + ], + "type": "string", + "required": true } }, { "schema": { - "required": true, + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "type": "string", - "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." + "required": true } } - ] + ], + "type": "record", + "required": false } } - ] + ], + "type": "record", + "required": false } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/xml-threat-protection/3.5.x.json b/schemas/xml-threat-protection/3.5.x.json index 03b85a74..5eb6c2f7 100644 --- a/schemas/xml-threat-protection/3.5.x.json +++ b/schemas/xml-threat-protection/3.5.x.json 
@@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ @@ -11,29 +19,19 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "entity_checks": [ { "conditional": { 
@@ -75,222 +73,224 @@ "fields": [ { "checked_content_types": { - "elements": { - "required": true, - "type": "string", - "match": "^[^%s]+%/[^ ;]+$" - }, "type": "set", - "description": "A list of Content-Type values with payloads that must be validated.", "required": true, "default": [ "application/xml" - ] + ], + "description": "A list of Content-Type values with payloads that must be validated.", + "elements": { + "type": "string", + "match": "^[^%s]+%/[^ ;]+$", + "required": true + } } }, { "allowed_content_types": { - "elements": { - "required": true, - "type": "string", - "match": "^[^%s]+%/[^ ;]+$" - }, "type": "set", - "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", "required": true, "default": [ - ] + ], + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", + "elements": { + "type": "string", + "match": "^[^%s]+%/[^ ;]+$", + "required": true + } } }, { "allow_dtd": { + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", "default": false, "type": "boolean", - "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", "required": true } }, { "namespace_aware": { + "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", "default": true, "type": "boolean", - "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", "required": true } }, { "max_depth": { + "gt": 0, "type": "integer", - "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", "required": true, - "gt": 0, - "default": 50 + "default": 50, + "description": "Maximum depth of tags. 
Child elements such as Text or Comments are not counted as another level." } }, { "max_children": { + "gt": 0, "type": "integer", - "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", "required": true, - "gt": 0, - "default": 100 + "default": 100, + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child." } }, { "max_attributes": { + "gt": 0, "type": "integer", - "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", "required": true, - "gt": 0, - "default": 100 + "default": 100, + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes." } }, { "max_namespaces": { + "gt": 0, "type": "integer", - "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", "required": false, - "gt": 0, - "default": 20 + "default": 20, + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware." } }, { "document": { + "gt": 0, "type": "integer", - "description": "Maximum size of the entire document.", "required": true, - "gt": 0, - "default": 10485760 + "default": 10485760, + "description": "Maximum size of the entire document." 
} }, { "buffer": { + "gt": 0, "type": "integer", - "description": "Maximum size of the unparsed buffer (see below).", "required": true, - "gt": 0, - "default": 1048576 + "default": 1048576, + "description": "Maximum size of the unparsed buffer (see below)." } }, { "comment": { + "gt": 0, "type": "integer", - "description": "Maximum size of comments.", "required": true, - "gt": 0, - "default": 1024 + "default": 1024, + "description": "Maximum size of comments." } }, { "localname": { + "gt": 0, "type": "integer", - "description": "Maximum size of the localname. This applies to tags and attributes.", "required": true, - "gt": 0, - "default": 1024 + "default": 1024, + "description": "Maximum size of the localname. This applies to tags and attributes." } }, { "prefix": { + "gt": 0, "type": "integer", - "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", "required": false, - "gt": 0, - "default": 1024 + "default": 1024, + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware." } }, { "namespaceuri": { + "gt": 0, "type": "integer", - "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware.", "required": false, - "gt": 0, - "default": 1024 + "default": 1024, + "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware." } }, { "attribute": { + "gt": 0, "type": "integer", - "description": "Maximum size of the attribute value.", "required": true, - "gt": 0, - "default": 1048576 + "default": 1048576, + "description": "Maximum size of the attribute value." 
} }, { "text": { + "gt": 0, "type": "integer", - "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", "required": true, - "gt": 0, - "default": 1048576 + "default": 1048576, + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined)." } }, { "pitarget": { + "gt": 0, "type": "integer", - "description": "Maximum size of processing instruction targets.", "required": true, - "gt": 0, - "default": 1024 + "default": 1024, + "description": "Maximum size of processing instruction targets." } }, { "pidata": { + "gt": 0, "type": "integer", - "description": "Maximum size of processing instruction data.", "required": true, - "gt": 0, - "default": 1024 + "default": 1024, + "description": "Maximum size of processing instruction data." } }, { "entityname": { + "gt": 0, "type": "integer", - "description": "Maximum size of entity names in EntityDecl.", "required": true, - "gt": 0, - "default": 1024 + "default": 1024, + "description": "Maximum size of entity names in EntityDecl." } }, { "entity": { + "gt": 0, "type": "integer", - "description": "Maximum size of entity values in EntityDecl.", "required": true, - "gt": 0, - "default": 1024 + "default": 1024, + "description": "Maximum size of entity values in EntityDecl." } }, { "entityproperty": { + "gt": 0, "type": "integer", - "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", "required": true, - "gt": 0, - "default": 1024 + "default": 1024, + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl." } }, { "bla_max_amplification": { + "gt": 1, "type": "number", - "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", "required": true, - "gt": 1, - "default": 100 + "default": 100, + "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack." 
} }, { "bla_threshold": { + "gt": 1024, "type": "integer", - "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", "required": true, - "gt": 1024, - "default": 8388608 + "default": 8388608, + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack." } } - ] + ], + "type": "record", + "required": true } } ], diff --git a/schemas/zipkin/3.5.x.json b/schemas/zipkin/3.5.x.json index 9a8af17c..878b9194 100644 --- a/schemas/zipkin/3.5.x.json +++ b/schemas/zipkin/3.5.x.json @@ -2,6 +2,14 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "one_of": [ "grpc", 
@@ -15,90 +23,78 @@ "ws", "wss" ], - "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string" + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "type": "set", - "description": "A set of strings representing protocols.", - "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "description": "A set of strings representing protocols." } }, { "consumer_group": { "type": "foreign", + "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "local_service_name": { - "required": true, - "type": "string", "description": "The name of the service as displayed in Zipkin.", - "default": "kong" + "default": "kong", + "type": "string", + "required": true } }, { "http_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "sample_ratio": { - "default": 0.001, - "type": "number", - "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", "between": [ 0, 1 - ] + ], + "default": 0.001, + "type": "number", + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. 
" } }, { "default_service_name": { - "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans.", - "type": "string" + "type": "string", + "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans." } }, { "include_credential": { - "required": true, - "type": "boolean", "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", - "default": true + "default": true, + "type": "boolean", + "required": true } }, { "traceid_byte_count": { "type": "integer", - "description": "The length in bytes of each request's Trace ID.", "required": true, - "default": 16, "one_of": [ 8, 16 - ] + ], + "default": 16, + "description": "The length in bytes of each request's Trace ID." } }, { "header_type": { "type": "string", - "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", "required": true, - "default": "preserve", "one_of": [ "preserve", "ignore", @@ -110,15 +106,15 @@ "aws", "datadog", "gcp" - ] + ], + "default": "preserve", + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests" } }, { "default_header_type": { "type": "string", - "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", "required": true, - "default": "b3", "one_of": [ "b3", "b3-single", 
@@ -128,25 +124,28 @@ "aws", "datadog", "gcp" - ] + ], + "default": "b3", + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored." } }, { "tags_header": { - "required": true, - "type": "string", "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", - "default": "Zipkin-Tags" + "default": "Zipkin-Tags", + "type": "string", + "required": true } }, { "static_tags": { + "description": "The tags specified on this property will be added to the generated request traces.", + "type": "array", "elements": { "type": "record", "fields": [ { "name": { - "required": true, "type": "string", "not_one_of": [ "error", 
@@ -162,64 +161,63 @@ "kong.service", "lc", "peer.hostname" - ] + ], + "required": true } }, { "value": { - "required": true, - "type": "string" + "type": "string", + "required": true } } ] - }, - "type": "array", - "description": "The tags specified on this property will be added to the generated request traces." + } } }, { "http_span_name": { "type": "string", - "description": "Specify whether to include the HTTP path in the span name.", "required": true, - "default": "method", "one_of": [ "method", "method_path" - ] + ], + "default": "method", + "description": "Specify whether to include the HTTP path in the span name." } }, { "connect_timeout": { - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "default": 5000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 5000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "default": 5000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 5000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { 
@@ -230,57 +228,55 @@ { "phase_duration_flavor": { "type": "string", - "description": "Specify whether to include the duration of each phase as an annotation or a tag.", "required": true, - "default": "annotations", "one_of": [ "annotations", "tags" - ] + ], + "default": "annotations", + "description": "Specify whether to include the duration of each phase as an annotation or a tag." } }, { "queue": { - "required": true, - "type": "record", "fields": [ { "max_batch_size": { - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 - ] + ], + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 - ] + ], + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 - ] + ], + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue." } }, { "max_bytes": { - "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", - "type": "integer" + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." } }, { 
@@ -292,30 +288,34 @@ }, { "initial_retry_delay": { - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 - ] + ], + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff." } } - ] + ], + "type": "record", + "required": true } } - ] + ], + "type": "record", + "required": true } } ], From 1db591ae8e79a75b9c3f4a8fcd6c313f7435fde3 Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Mon, 6 Nov 2023 10:42:59 -0800 Subject: [PATCH 019/165] fix acl and otel schemas (#11) --- schemas/acl/3.4.x.json | 8 ++++---- schemas/acl/3.5.x.json | 8 ++++---- schemas/opentelemetry/3.4.x.json | 2 +- schemas/opentelemetry/3.5.x.json | 2 +- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/schemas/acl/3.4.x.json b/schemas/acl/3.4.x.json index bba99a43..11667e9c 100644 --- a/schemas/acl/3.4.x.json +++ b/schemas/acl/3.4.x.json 
@@ -44,18 +44,18 @@ { "allow": { "type": "array", + "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", "elements": { - "type": "string", - "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified." + "type": "string" } } }, { "deny": { "type": "array", + "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", "elements": { - "type": "string", - "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified." + "type": "string" } } }, diff --git a/schemas/acl/3.5.x.json b/schemas/acl/3.5.x.json index c529e991..e0c813b4 100644 --- a/schemas/acl/3.5.x.json +++ b/schemas/acl/3.5.x.json @@ -44,18 +44,18 @@ { "allow": { "type": "array", + "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", "elements": { - "type": "string", - "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified." + "type": "string" } } }, { "deny": { "type": "array", + "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", "elements": { - "type": "string", - "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified." + "type": "string" } } }, diff --git a/schemas/opentelemetry/3.4.x.json b/schemas/opentelemetry/3.4.x.json index a17980f5..9210ed58 100644 --- a/schemas/opentelemetry/3.4.x.json +++ b/schemas/opentelemetry/3.4.x.json 
@@ -57,9 +57,9 @@ }, { "resource_attributes": { + "description": "Attributes to add to the OpenTelemetry resource object, following the spec for Semantic Attributes. \nThe following attributes are automatically added:\n- `service.name`: The name of the service (default: `kong`).\n- `service.version`: The version of Kong Gateway.\n- `service.instance.id`: The node ID of Kong Gateway.\n\nYou can use this property to override default attribute values. For example, to override the default for `service.name`, you can specify `{ \"service.name\": \"my-service\" }`.", "values": { "type": "string", - "description": "Attributes to add to the OpenTelemetry resource object, following the spec for Semantic Attributes. \nThe following attributes are automatically added:\n- `service.name`: The name of the service (default: `kong`).\n- `service.version`: The version of Kong Gateway.\n- `service.instance.id`: The node ID of Kong Gateway.\n\nYou can use this property to override default attribute values. For example, to override the default for `service.name`, you can specify `{ \"service.name\": \"my-service\" }`.", "required": true }, "keys": { diff --git a/schemas/opentelemetry/3.5.x.json b/schemas/opentelemetry/3.5.x.json index 155caefc..c9346512 100644 --- a/schemas/opentelemetry/3.5.x.json +++ b/schemas/opentelemetry/3.5.x.json 
@@ -67,9 +67,9 @@ }, { "resource_attributes": { + "description": "Attributes to add to the OpenTelemetry resource object, following the spec for Semantic Attributes. \nThe following attributes are automatically added:\n- `service.name`: The name of the service (default: `kong`).\n- `service.version`: The version of Kong Gateway.\n- `service.instance.id`: The node ID of Kong Gateway.\n\nYou can use this property to override default attribute values. For example, to override the default for `service.name`, you can specify `{ \"service.name\": \"my-service\" }`.", "keys": { "type": "string", - "description": "Attributes to add to the OpenTelemetry resource object, following the spec for Semantic Attributes. \nThe following attributes are automatically added:\n- `service.name`: The name of the service (default: `kong`).\n- `service.version`: The version of Kong Gateway.\n- `service.instance.id`: The node ID of Kong Gateway.\n\nYou can use this property to override default attribute values. For example, to override the default for `service.name`, you can specify `{ \"service.name\": \"my-service\" }`.", "required": true }, "type": "map", From 07d658412e6e0b767fb13bf9dcd14d51f6cdc616 Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Tue, 28 Nov 2023 14:50:30 -0800 Subject: [PATCH 020/165] feat: new oidc parameter unauthorized_destroy_session in 2.8.x (#12) --- schemas/openid-connect/2.8.x.json | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/schemas/openid-connect/2.8.x.json b/schemas/openid-connect/2.8.x.json index ce9aec67..03aee07a 100644 --- a/schemas/openid-connect/2.8.x.json +++ b/schemas/openid-connect/2.8.x.json 
@@ -449,6 +449,14 @@ "description": "Destroy any active session for the forbidden requests." } }, + { + "unauthorized_destroy_session": { + "description": "Destroy any active session for the unauthorized requests.", + "default": true, + "type": "boolean", + "required": false + } + }, { "unauthorized_redirect_uri": { "required": false, @@ -2237,4 +2245,4 @@ } } ] -} \ No newline at end of file +} From 5de41eb5bc939873814dd01ba5f0a1cde97fdc3e Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Tue, 2 Jan 2024 17:15:18 -0300 Subject: [PATCH 021/165] Fix 3.4.x schemas Some values were missing and others were wrong after we backported them from 3.5.x --- schemas/openid-connect/3.4.x.json | 77 ++++++++++++++--------- schemas/proxy-cache-advanced/3.4.x.json | 8 +-- schemas/rate-limiting-advanced/3.4.x.json | 14 ++--- 3 files changed, 57 insertions(+), 42 deletions(-) diff --git a/schemas/openid-connect/3.4.x.json b/schemas/openid-connect/3.4.x.json index a2e67232..6b853e53 100644 --- a/schemas/openid-connect/3.4.x.json +++ b/schemas/openid-connect/3.4.x.json @@ -526,6 +526,14 @@ "required": false } }, + { + "unauthorized_destroy_session": { + "default": true, + "description": "Destroy any active session for the unauthorized requests.", + "type": "boolean", + "required": false + } + }, { "unauthorized_redirect_uri": { "required": false, @@ -627,15 +635,15 @@ }, { "scopes_claim": { + "required": false, "elements": { "type": "string" }, - "type": "array", "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, "default": [ "scope" - ] + ], + "type": "array" } }, { 
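Review bot: The description added for `unauthorized_destroy_session` does not say which rejections count as "unauthorized", and with `"default": true` an operator reading the schema cannot tell when an existing session is discarded. The same text is added in the `schemas/openid-connect/2.8.x.json` hunk at `@@ -449,6 +449,14 @@` and the `schemas/openid-connect/3.4.x.json` hunk at `@@ -526,6 +526,14 @@`. Assuming the behaviour matches, I would name the trigger and the opt-out, e.g. `"description": "Destroy any active session when a request is rejected as unauthorized. Set to false to keep the session."`. It would also help to say how this differs from the neighbouring field, whose description reads "Destroy any active session for the forbidden requests." If these descriptions are pulled from the plugin's own schema, as the first commit message in this series suggests, the wording should be corrected there too so that the next download does not revert it.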
@@ -650,15 +658,15 @@ }, { "audience_claim": { + "required": false, "elements": { "type": "string" }, - "type": "array", "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, "default": [ "aud" - ] + ], + "type": "array" } }, { @@ -673,15 +681,15 @@ }, { "groups_claim": { + "required": false, "elements": { "type": "string" }, - "type": "array", "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, "default": [ "groups" - ] + ], + "type": "array" } }, { @@ -696,22 +704,22 @@ }, { "roles_claim": { + "required": false, "elements": { "type": "string" }, - "type": "array", "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, "default": [ "roles" - ] + ], + "type": "array" } }, { "domains": { - "required": false, "type": "array", "description": "The allowed values for the `hd` claim.", + "required": false, "elements": { "type": "string" } @@ -719,16 +727,16 @@ }, { "max_age": { - "required": false, "type": "number", - "description": "The maximum age (in seconds) compared to the `auth_time` claim." + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "required": false } }, { "authenticated_groups_claim": { - "required": false, "type": "array", "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, "elements": { "type": "string" } 
@@ -774,8 +782,8 @@ { "authorization_rolling_timeout": { "default": 600, - "type": "number", "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number", "required": false } }, @@ -1236,40 +1244,40 @@ { "session_remember_rolling_timeout": { "default": 604800, - "type": "number", "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "type": "number", "required": false } }, { "session_remember_absolute_timeout": { "default": 2592000, - "type": "number", "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number", "required": false } }, { "session_idling_timeout": { "default": 900, - "type": "number", "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "type": "number", "required": false } }, { "session_rolling_timeout": { "default": 3600, - "type": "number", "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number", "required": false } }, { "session_absolute_timeout": { "default": 86400, - "type": "number", "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number", "required": false } }, 
@@ -1491,23 +1499,23 @@ }, { "session_redis_connect_timeout": { - "required": false, "type": "integer", - "description": "Session redis connection timeout in milliseconds." + "description": "Session redis connection timeout in milliseconds.", + "required": false } }, { "session_redis_read_timeout": { - "required": false, "type": "integer", - "description": "Session redis read timeout in milliseconds." + "description": "Session redis read timeout in milliseconds.", + "required": false } }, { "session_redis_send_timeout": { - "required": false, "type": "integer", - "description": "Session redis send timeout in milliseconds." + "description": "Session redis send timeout in milliseconds.", + "required": false } }, { @@ -2378,8 +2386,8 @@ { "expose_error_code": { "default": true, - "type": "boolean", - "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable." + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "type": "boolean" } }, { @@ -2388,6 +2396,13 @@ "type": "boolean", "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens." } + }, + { + "using_pseudo_issuer": { + "type": "boolean", + "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL.", + "default": false + } } ] } @@ -2396,4 +2411,4 @@ "entity_checks": [ ] -} \ No newline at end of file +} diff --git a/schemas/proxy-cache-advanced/3.4.x.json b/schemas/proxy-cache-advanced/3.4.x.json index 92cc34d7..67482bfd 100644 --- a/schemas/proxy-cache-advanced/3.4.x.json +++ b/schemas/proxy-cache-advanced/3.4.x.json 
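Review bot: The description of the new `using_pseudo_issuer` entry in schemas/openid-connect/3.4.x.json says discovery from the issuer URL is skipped, but not what the plugin then relies on. An operator needs that before enabling the flag on an authentication plugin. Discovery is presumably where the endpoints and signing keys normally come from, so the description should say they must be supplied explicitly, for example by appending `With discovery disabled, the endpoints and keys that would otherwise be discovered must be configured explicitly.` (to be confirmed against the plugin). Because the file is pulled from the API, the wording fix belongs in the upstream schema.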
@@ -262,13 +262,13 @@ }, { "keepalive_pool_size": { - "default": 256, + "type": "integer", "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 30, "between": [ 1, 2147483646 - ], - "type": "integer" + ] } }, { @@ -426,4 +426,4 @@ } } ] -} \ No newline at end of file +} diff --git a/schemas/rate-limiting-advanced/3.4.x.json b/schemas/rate-limiting-advanced/3.4.x.json index d6e7100f..04289ce4 100644 --- a/schemas/rate-limiting-advanced/3.4.x.json +++ b/schemas/rate-limiting-advanced/3.4.x.json @@ -80,10 +80,10 @@ }, { "namespace": { - "auto": true, - "type": "string", + "required": true, "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", - "required": true + "auto": true, + "type": "string" } }, { @@ -239,13 +239,13 @@ }, { "keepalive_pool_size": { - "default": 256, + "type": "integer", "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 30, "between": [ 1, 2147483646 - ], - "type": "integer" + ] } }, { 
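Review bot: The `keepalive_pool_size` default drops from 256 to 30 in schemas/proxy-cache-advanced/3.4.x.json and again in schemas/rate-limiting-advanced/3.4.x.json, inside hunks that otherwise only reorder keys. The commit message mentions only merged descriptions, so this value change is easy to miss in review. It is worth confirming that 30 is what the 3.4.x release actually ships, since a published schema that disagrees with the gateway leads to wrong capacity assumptions for the connection pool. The unchanged description still suggests trying 512, which reads oddly next to a default of 30 and may need the same upstream check.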
@@ -434,4 +434,4 @@ } } ] -} \ No newline at end of file +} From dff9dc238cae399744ae78da0f32ae3686372b87 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 11 Jan 2024 21:14:07 +0000 Subject: [PATCH 022/165] Add renovate.json --- renovate.json | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 renovate.json diff --git a/renovate.json b/renovate.json new file mode 100644 index 00000000..5db72dd6 --- /dev/null +++ b/renovate.json @@ -0,0 +1,6 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:recommended" + ] +} From d6de5e697b058b590afb02ef347e20d471845e97 Mon Sep 17 00:00:00 2001 
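Review bot: renovate.json extends only `config:recommended`, which does not pin CI action references to commit digests. If this repository runs GitHub Actions workflows (none are visible in this patch), adding `"helpers:pinGitHubActionDigests"` to `extends` would keep them pinned and let Renovate update the digests. JSON has no comment syntax, so the reasoning behind the chosen presets belongs in the commit description, which is currently empty.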
From: Fabian Rodriguez Date: Wed, 24 Jan 2024 02:35:51 +0100 Subject: [PATCH 023/165] WIP: 3.6.x schemas and examples (#13) * WIP: Copy 3.5.x schemas and examples until 3.6.x is available * Feat: AI plugins (#16) * add ai plugin schemas * generate placeholder example files for ai plugins * generate based on 3.6 image --------- Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Co-authored-by: Lena --- data/referenceable_fields/3.6.x.json | 118 + examples/acl/_3.6.x.yaml | 6 + examples/acme/_3.6.x.yaml | 3 + examples/ai-prompt-decorator/_3.6.x.yaml | 2 + examples/ai-prompt-guard/_3.6.x.yaml | 2 + examples/ai-prompt-template/_3.6.x.yaml | 2 + examples/ai-proxy/_3.6.x.yaml | 2 + examples/ai-request-transformer/_3.6.x.yaml | 2 + examples/ai-response-transformer/_3.6.x.yaml | 2 + examples/app-dynamics/_3.6.x.yaml | 2 + examples/application-registration/_3.6.x.yaml | 7 + examples/aws-lambda/_3.6.x.yaml | 9 + examples/azure-functions/_3.6.x.yaml | 6 + examples/basic-auth/_3.6.x.yaml | 3 + examples/bot-detection/_3.6.x.yaml | 4 + examples/canary/_3.6.x.yaml | 5 + examples/correlation-id/_3.6.x.yaml | 5 + examples/cors/_3.6.x.yaml | 19 + examples/datadog/_3.6.x.yaml | 6 + examples/degraphql/_3.6.x.yaml | 3 + examples/exit-transformer/_3.6.x.yaml | 4 + examples/file-log/_3.6.x.yaml | 3 + examples/forward-proxy/_3.6.x.yaml | 9 + .../graphql-proxy-cache-advanced/_3.6.x.yaml | 3 + .../_3.6.x.yaml | 9 + examples/grpc-gateway/_3.6.x.yaml | 3 + examples/grpc-web/_3.6.x.yaml | 3 + examples/hmac-auth/_3.6.x.yaml | 3 + examples/http-log/_3.6.x.yaml | 8 + examples/ip-restriction/_3.6.x.yaml | 5 + examples/jq/_3.6.x.yaml | 3 + examples/jwe-decrypt/_3.6.x.yaml | 4 + examples/jwt-signer/_3.6.x.yaml | 4 + examples/jwt/_3.6.x.yaml | 4 + examples/kafka-log/_3.6.x.yaml | 3 + examples/kafka-upstream/_3.6.x.yaml | 3 + examples/key-auth-enc/_3.6.x.yaml | 4 + examples/key-auth/_3.6.x.yaml | 4 + examples/konnect-application-auth/_3.6.x.yaml | 3 + 
examples/ldap-auth-advanced/_3.6.x.yaml | 10 + examples/ldap-auth/_3.6.x.yaml | 8 + examples/loggly/_3.6.x.yaml | 3 + examples/mocking/_3.6.x.yaml | 14 + examples/mtls-auth/_3.6.x.yaml | 6 + examples/oas-validation/_3.6.x.yaml | 29 + examples/oauth2-introspection/_3.6.x.yaml | 5 + examples/oauth2/_3.6.x.yaml | 9 + examples/opa/_3.6.x.yaml | 5 + examples/openid-connect/_3.6.x.yaml | 12 + examples/opentelemetry/_3.6.x.yaml | 5 + examples/post-function/_3.6.x.yaml | 6 + examples/pre-function/_3.6.x.yaml | 6 + examples/prometheus/_3.6.x.yaml | 4 + examples/proxy-cache-advanced/_3.6.x.yaml | 11 + examples/proxy-cache/_3.6.x.yaml | 12 + examples/rate-limiting-advanced/_3.6.x.yaml | 11 + examples/rate-limiting/_3.6.x.yaml | 5 + examples/request-size-limiting/_3.6.x.yaml | 4 + examples/request-termination/_3.6.x.yaml | 4 + .../request-transformer-advanced/_3.6.x.yaml | 43 + examples/request-transformer/_3.6.x.yaml | 36 + examples/request-validator/_3.6.x.yaml | 3 + examples/response-ratelimiting/_3.6.x.yaml | 8 + .../response-transformer-advanced/_3.6.x.yaml | 31 + examples/response-transformer/_3.6.x.yaml | 24 + examples/route-by-header/_3.6.x.yaml | 8 + .../route-transformer-advanced/_3.6.x.yaml | 3 + examples/saml/_3.6.x.yaml | 12 + examples/session/_3.6.x.yaml | 3 + examples/statsd-advanced/_3.6.x.yaml | 7 + examples/statsd/_3.6.x.yaml | 9 + examples/syslog/_3.6.x.yaml | 3 + examples/tcp-log/_3.6.x.yaml | 4 + examples/tls-handshake-modifier/_3.6.x.yaml | 1 + examples/tls-metadata-headers/_3.6.x.yaml | 4 + examples/udp-log/_3.6.x.yaml | 5 + examples/upstream-timeout/_3.6.x.yaml | 5 + examples/vault-auth/_3.6.x.yaml | 4 + examples/websocket-size-limit/_3.6.x.yaml | 4 + examples/websocket-validator/_3.6.x.yaml | 14 + examples/xml-threat-protection/_3.6.x.yaml | 6 + examples/zipkin/_3.6.x.yaml | 5 + schemas/acl/3.6.x.json | 97 + schemas/acme/3.6.x.json | 498 ++++ schemas/ai-prompt-decorator/3.6.x.json | 118 + schemas/ai-prompt-guard/3.6.x.json | 75 + 
schemas/ai-prompt-template/3.6.x.json | 88 + schemas/ai-proxy/3.6.x.json | 427 +++ schemas/ai-request-transformer/3.6.x.json | 511 ++++ schemas/ai-response-transformer/3.6.x.json | 511 ++++ schemas/app-dynamics/3.6.x.json | 34 + schemas/application-registration/3.6.x.json | 100 + schemas/aws-lambda/3.6.x.json | 255 ++ schemas/azure-functions/3.6.x.json | 125 + schemas/basic-auth/3.6.x.json | 70 + schemas/bot-detection/3.6.x.json | 79 + schemas/canary/3.6.x.json | 190 ++ schemas/correlation-id/3.6.x.json | 72 + schemas/cors/3.6.x.json | 143 + schemas/datadog/3.6.x.json | 346 +++ schemas/degraphql/3.6.x.json | 68 + schemas/exit-transformer/3.6.x.json | 68 + schemas/file-log/3.6.x.json | 83 + schemas/forward-proxy/3.6.x.json | 163 ++ .../graphql-proxy-cache-advanced/3.6.x.json | 89 + .../graphql-rate-limiting-advanced/3.6.x.json | 405 +++ schemas/grpc-gateway/3.6.x.json | 59 + schemas/grpc-web/3.6.x.json | 74 + schemas/hmac-auth/3.6.x.json | 125 + schemas/http-log/3.6.x.json | 245 ++ schemas/ip-restriction/3.6.x.json | 85 + schemas/jq/3.6.x.json | 197 ++ schemas/jwe-decrypt/3.6.x.json | 86 + schemas/jwt-signer/3.6.x.json | 726 +++++ schemas/jwt/3.6.x.json | 153 + schemas/kafka-log/3.6.x.json | 280 ++ schemas/kafka-upstream/3.6.x.json | 302 ++ schemas/key-auth-enc/3.6.x.json | 111 + schemas/key-auth/3.6.x.json | 116 + schemas/konnect-application-auth/3.6.x.json | 2582 +++++++++++++++++ schemas/ldap-auth-advanced/3.6.x.json | 236 ++ schemas/ldap-auth/3.6.x.json | 171 ++ schemas/loggly/3.6.x.json | 173 ++ schemas/mocking/3.6.x.json | 117 + schemas/mtls-auth/3.6.x.json | 204 ++ schemas/oas-validation/3.6.x.json | 148 + schemas/oauth2-introspection/3.6.x.json | 167 ++ schemas/oauth2/3.6.x.json | 214 ++ schemas/opa/3.6.x.json | 147 + schemas/openid-connect/3.6.x.json | 2546 ++++++++++++++++ schemas/opentelemetry/3.6.x.json | 246 ++ schemas/post-function/3.6.x.json | 228 ++ schemas/pre-function/3.6.x.json | 228 ++ schemas/prometheus/3.6.x.json | 87 + 
schemas/proxy-cache-advanced/3.6.x.json | 448 +++ schemas/proxy-cache/3.6.x.json | 205 ++ schemas/rate-limiting-advanced/3.6.x.json | 438 +++ schemas/rate-limiting/3.6.x.json | 303 ++ schemas/request-size-limiting/3.6.x.json | 73 + schemas/request-termination/3.6.x.json | 81 + .../request-transformer-advanced/3.6.x.json | 337 +++ schemas/request-transformer/3.6.x.json | 280 ++ schemas/request-validator/3.6.x.json | 181 ++ schemas/response-ratelimiting/3.6.x.json | 268 ++ .../response-transformer-advanced/3.6.x.json | 350 +++ schemas/response-transformer/3.6.x.json | 246 ++ schemas/route-by-header/3.6.x.json | 78 + schemas/route-transformer-advanced/3.6.x.json | 75 + schemas/saml/3.6.x.json | 650 +++++ schemas/session/3.6.x.json | 302 ++ schemas/statsd-advanced/3.6.x.json | 448 +++ schemas/statsd/3.6.x.json | 439 +++ schemas/syslog/3.6.x.json | 164 ++ schemas/tcp-log/3.6.x.json | 112 + schemas/tls-handshake-modifier/3.6.x.json | 60 + schemas/tls-metadata-headers/3.6.x.json | 96 + schemas/udp-log/3.6.x.json | 91 + schemas/upstream-timeout/3.6.x.json | 75 + schemas/vault-auth/3.6.x.json | 112 + schemas/websocket-size-limit/3.6.x.json | 68 + schemas/websocket-validator/3.6.x.json | 220 ++ schemas/xml-threat-protection/3.6.x.json | 300 ++ schemas/zipkin/3.6.x.json | 325 +++ 163 files changed, 22194 insertions(+) create mode 100644 data/referenceable_fields/3.6.x.json create mode 100644 examples/acl/_3.6.x.yaml create mode 100644 examples/acme/_3.6.x.yaml create mode 100644 examples/ai-prompt-decorator/_3.6.x.yaml create mode 100644 examples/ai-prompt-guard/_3.6.x.yaml create mode 100644 examples/ai-prompt-template/_3.6.x.yaml create mode 100644 examples/ai-proxy/_3.6.x.yaml create mode 100644 examples/ai-request-transformer/_3.6.x.yaml create mode 100644 examples/ai-response-transformer/_3.6.x.yaml create mode 100644 examples/app-dynamics/_3.6.x.yaml create mode 100644 examples/application-registration/_3.6.x.yaml create mode 100644 examples/aws-lambda/_3.6.x.yaml 
create mode 100644 examples/azure-functions/_3.6.x.yaml create mode 100644 examples/basic-auth/_3.6.x.yaml create mode 100644 examples/bot-detection/_3.6.x.yaml create mode 100644 examples/canary/_3.6.x.yaml create mode 100644 examples/correlation-id/_3.6.x.yaml create mode 100644 examples/cors/_3.6.x.yaml create mode 100644 examples/datadog/_3.6.x.yaml create mode 100644 examples/degraphql/_3.6.x.yaml create mode 100644 examples/exit-transformer/_3.6.x.yaml create mode 100644 examples/file-log/_3.6.x.yaml create mode 100644 examples/forward-proxy/_3.6.x.yaml create mode 100644 examples/graphql-proxy-cache-advanced/_3.6.x.yaml create mode 100644 examples/graphql-rate-limiting-advanced/_3.6.x.yaml create mode 100644 examples/grpc-gateway/_3.6.x.yaml create mode 100644 examples/grpc-web/_3.6.x.yaml create mode 100644 examples/hmac-auth/_3.6.x.yaml create mode 100644 examples/http-log/_3.6.x.yaml create mode 100644 examples/ip-restriction/_3.6.x.yaml create mode 100644 examples/jq/_3.6.x.yaml create mode 100644 examples/jwe-decrypt/_3.6.x.yaml create mode 100644 examples/jwt-signer/_3.6.x.yaml create mode 100644 examples/jwt/_3.6.x.yaml create mode 100644 examples/kafka-log/_3.6.x.yaml create mode 100644 examples/kafka-upstream/_3.6.x.yaml create mode 100644 examples/key-auth-enc/_3.6.x.yaml create mode 100644 examples/key-auth/_3.6.x.yaml create mode 100644 examples/konnect-application-auth/_3.6.x.yaml create mode 100644 examples/ldap-auth-advanced/_3.6.x.yaml create mode 100644 examples/ldap-auth/_3.6.x.yaml create mode 100644 examples/loggly/_3.6.x.yaml create mode 100644 examples/mocking/_3.6.x.yaml create mode 100644 examples/mtls-auth/_3.6.x.yaml create mode 100644 examples/oas-validation/_3.6.x.yaml create mode 100644 examples/oauth2-introspection/_3.6.x.yaml create mode 100644 examples/oauth2/_3.6.x.yaml create mode 100644 examples/opa/_3.6.x.yaml create mode 100644 examples/openid-connect/_3.6.x.yaml create mode 100644 examples/opentelemetry/_3.6.x.yaml 
create mode 100644 examples/post-function/_3.6.x.yaml create mode 100644 examples/pre-function/_3.6.x.yaml create mode 100644 examples/prometheus/_3.6.x.yaml create mode 100644 examples/proxy-cache-advanced/_3.6.x.yaml create mode 100644 examples/proxy-cache/_3.6.x.yaml create mode 100644 examples/rate-limiting-advanced/_3.6.x.yaml create mode 100644 examples/rate-limiting/_3.6.x.yaml create mode 100644 examples/request-size-limiting/_3.6.x.yaml create mode 100644 examples/request-termination/_3.6.x.yaml create mode 100644 examples/request-transformer-advanced/_3.6.x.yaml create mode 100644 examples/request-transformer/_3.6.x.yaml create mode 100644 examples/request-validator/_3.6.x.yaml create mode 100644 examples/response-ratelimiting/_3.6.x.yaml create mode 100644 examples/response-transformer-advanced/_3.6.x.yaml create mode 100644 examples/response-transformer/_3.6.x.yaml create mode 100644 examples/route-by-header/_3.6.x.yaml create mode 100644 examples/route-transformer-advanced/_3.6.x.yaml create mode 100644 examples/saml/_3.6.x.yaml create mode 100644 examples/session/_3.6.x.yaml create mode 100644 examples/statsd-advanced/_3.6.x.yaml create mode 100644 examples/statsd/_3.6.x.yaml create mode 100644 examples/syslog/_3.6.x.yaml create mode 100644 examples/tcp-log/_3.6.x.yaml create mode 100644 examples/tls-handshake-modifier/_3.6.x.yaml create mode 100644 examples/tls-metadata-headers/_3.6.x.yaml create mode 100644 examples/udp-log/_3.6.x.yaml create mode 100644 examples/upstream-timeout/_3.6.x.yaml create mode 100644 examples/vault-auth/_3.6.x.yaml create mode 100644 examples/websocket-size-limit/_3.6.x.yaml create mode 100644 examples/websocket-validator/_3.6.x.yaml create mode 100644 examples/xml-threat-protection/_3.6.x.yaml create mode 100644 examples/zipkin/_3.6.x.yaml create mode 100644 schemas/acl/3.6.x.json create mode 100644 schemas/acme/3.6.x.json create mode 100644 schemas/ai-prompt-decorator/3.6.x.json create mode 100644 
schemas/ai-prompt-guard/3.6.x.json create mode 100644 schemas/ai-prompt-template/3.6.x.json create mode 100644 schemas/ai-proxy/3.6.x.json create mode 100644 schemas/ai-request-transformer/3.6.x.json create mode 100644 schemas/ai-response-transformer/3.6.x.json create mode 100644 schemas/app-dynamics/3.6.x.json create mode 100644 schemas/application-registration/3.6.x.json create mode 100644 schemas/aws-lambda/3.6.x.json create mode 100644 schemas/azure-functions/3.6.x.json create mode 100644 schemas/basic-auth/3.6.x.json create mode 100644 schemas/bot-detection/3.6.x.json create mode 100644 schemas/canary/3.6.x.json create mode 100644 schemas/correlation-id/3.6.x.json create mode 100644 schemas/cors/3.6.x.json create mode 100644 schemas/datadog/3.6.x.json create mode 100644 schemas/degraphql/3.6.x.json create mode 100644 schemas/exit-transformer/3.6.x.json create mode 100644 schemas/file-log/3.6.x.json create mode 100644 schemas/forward-proxy/3.6.x.json create mode 100644 schemas/graphql-proxy-cache-advanced/3.6.x.json create mode 100644 schemas/graphql-rate-limiting-advanced/3.6.x.json create mode 100644 schemas/grpc-gateway/3.6.x.json create mode 100644 schemas/grpc-web/3.6.x.json create mode 100644 schemas/hmac-auth/3.6.x.json create mode 100644 schemas/http-log/3.6.x.json create mode 100644 schemas/ip-restriction/3.6.x.json create mode 100644 schemas/jq/3.6.x.json create mode 100644 schemas/jwe-decrypt/3.6.x.json create mode 100644 schemas/jwt-signer/3.6.x.json create mode 100644 schemas/jwt/3.6.x.json create mode 100644 schemas/kafka-log/3.6.x.json create mode 100644 schemas/kafka-upstream/3.6.x.json create mode 100644 schemas/key-auth-enc/3.6.x.json create mode 100644 schemas/key-auth/3.6.x.json create mode 100644 schemas/konnect-application-auth/3.6.x.json create mode 100644 schemas/ldap-auth-advanced/3.6.x.json create mode 100644 schemas/ldap-auth/3.6.x.json create mode 100644 schemas/loggly/3.6.x.json create mode 100644 schemas/mocking/3.6.x.json create 
mode 100644 schemas/mtls-auth/3.6.x.json create mode 100644 schemas/oas-validation/3.6.x.json create mode 100644 schemas/oauth2-introspection/3.6.x.json create mode 100644 schemas/oauth2/3.6.x.json create mode 100644 schemas/opa/3.6.x.json create mode 100644 schemas/openid-connect/3.6.x.json create mode 100644 schemas/opentelemetry/3.6.x.json create mode 100644 schemas/post-function/3.6.x.json create mode 100644 schemas/pre-function/3.6.x.json create mode 100644 schemas/prometheus/3.6.x.json create mode 100644 schemas/proxy-cache-advanced/3.6.x.json create mode 100644 schemas/proxy-cache/3.6.x.json create mode 100644 schemas/rate-limiting-advanced/3.6.x.json create mode 100644 schemas/rate-limiting/3.6.x.json create mode 100644 schemas/request-size-limiting/3.6.x.json create mode 100644 schemas/request-termination/3.6.x.json create mode 100644 schemas/request-transformer-advanced/3.6.x.json create mode 100644 schemas/request-transformer/3.6.x.json create mode 100644 schemas/request-validator/3.6.x.json create mode 100644 schemas/response-ratelimiting/3.6.x.json create mode 100644 schemas/response-transformer-advanced/3.6.x.json create mode 100644 schemas/response-transformer/3.6.x.json create mode 100644 schemas/route-by-header/3.6.x.json create mode 100644 schemas/route-transformer-advanced/3.6.x.json create mode 100644 schemas/saml/3.6.x.json create mode 100644 schemas/session/3.6.x.json create mode 100644 schemas/statsd-advanced/3.6.x.json create mode 100644 schemas/statsd/3.6.x.json create mode 100644 schemas/syslog/3.6.x.json create mode 100644 schemas/tcp-log/3.6.x.json create mode 100644 schemas/tls-handshake-modifier/3.6.x.json create mode 100644 schemas/tls-metadata-headers/3.6.x.json create mode 100644 schemas/udp-log/3.6.x.json create mode 100644 schemas/upstream-timeout/3.6.x.json create mode 100644 schemas/vault-auth/3.6.x.json create mode 100644 schemas/websocket-size-limit/3.6.x.json create mode 100644 schemas/websocket-validator/3.6.x.json create 
mode 100644 schemas/xml-threat-protection/3.6.x.json create mode 100644 schemas/zipkin/3.6.x.json diff --git a/data/referenceable_fields/3.6.x.json b/data/referenceable_fields/3.6.x.json new file mode 100644 index 00000000..ed1c3d41 --- /dev/null +++ b/data/referenceable_fields/3.6.x.json 
@@ -0,0 +1,118 @@
+{
+ "acme": [
+ "config.account_email",
+ "config.eab_kid",
+ "config.eab_hmac_key",
+ "config.storage_config.redis.auth",
+ "config.storage_config.consul.token",
+ "config.storage_config.vault.token"
+ ],
+ "aws-lambda": [
+ "config.aws_key",
+ "config.aws_secret",
+ "config.aws_assume_role_arn"
+ ],
+ "azure-functions": [
+ "config.apikey",
+ "config.clientid"
+ ],
+ "datadog": [
+ "config.host"
+ ],
+ "forward-proxy": [
+ "config.auth_username",
+ "config.auth_password"
+ ],
+ "graphql-rate-limiting-advanced": [
+ "config.redis.username",
+ "config.redis.password",
+ "config.redis.sentinel_username",
+ "config.redis.sentinel_password"
+ ],
+ "http-log": [
+ "config.http_endpoint",
+ "config.headers"
+ ],
+ "kafka-log": [
+ "config.authentication.user",
+ "config.authentication.password"
+ ],
+ "kafka-upstream": [
+ "config.authentication.user",
+ "config.authentication.password"
+ ],
+ "ldap-auth-advanced": [
+ "config.ldap_password",
+ "config.bind_dn"
+ ],
+ "loggly": [
+ "config.key"
+ ],
+ "openid-connect": [
+ "config.client_id",
+ "config.client_secret",
+ "config.client_jwk.k",
+ "config.client_jwk.d",
+ "config.client_jwk.p",
+ "config.client_jwk.q",
+ "config.client_jwk.dp",
+ "config.client_jwk.dq",
+ "config.client_jwk.qi",
+ "config.client_jwk.oth",
+ "config.client_jwk.r",
+ "config.client_jwk.t",
+ "config.session_secret",
+ "config.session_redis_username",
+ "config.session_redis_password"
+ ],
+ "opentelemetry": [
+ "config.endpoint",
+ "config.headers"
+ ],
+ "proxy-cache-advanced": [
+ "config.redis.username",
+ "config.redis.password",
+ "config.redis.sentinel_username",
+ "config.redis.sentinel_password"
+ ],
+ "rate-limiting": [
+ "config.redis_password",
+ "config.redis_username"
+ ],
+ "rate-limiting-advanced": [
+ "config.redis.username",
+ "config.redis.password",
+ "config.redis.sentinel_username",
+ "config.redis.sentinel_password"
+ ],
+ "request-transformer-advanced": [
+ "config.rename.body",
+ "config.rename.headers",
+ "config.rename.querystring",
+ "config.replace.body",
+ "config.replace.headers",
+ "config.replace.querystring",
+ "config.add.body",
+ "config.add.headers",
+ "config.add.querystring",
+ "config.append.body",
+ "config.append.headers",
+ "config.append.querystring"
+ ],
+ "response-ratelimiting": [
+ "config.redis_password",
+ "config.redis_username"
+ ],
+ "saml": [
+ "config.idp_certificate",
+ "config.response_encryption_key",
+ "config.request_signing_key",
+ "config.request_signing_certificate",
+ "config.session_secret",
+ "config.session_redis_username",
+ "config.session_redis_password"
+ ],
+ "session": [
+ "config.secret"
+ ]
+}
\ No newline at end of file
diff --git a/examples/acl/_3.6.x.yaml b/examples/acl/_3.6.x.yaml
new file mode 100644
index 00000000..a76559c0
--- /dev/null
+++ b/examples/acl/_3.6.x.yaml
@@ -0,0 +1,6 @@
+name: acl
+config:
+ allow:
+ - group1
+ - group2
+ hide_groups_header: true
diff --git a/examples/acme/_3.6.x.yaml b/examples/acme/_3.6.x.yaml
new file mode 100644
index 00000000..6b35cddc
--- /dev/null
+++ b/examples/acme/_3.6.x.yaml
@@ -0,0 +1,3 @@
+name: acme
+config:
+ account_email: example@example.com
diff --git a/examples/ai-prompt-decorator/_3.6.x.yaml b/examples/ai-prompt-decorator/_3.6.x.yaml
new file mode 100644
index 00000000..f87df779
--- /dev/null
+++ b/examples/ai-prompt-decorator/_3.6.x.yaml
@@ -0,0 +1,2 @@
+name: ai-prompt-decorator
+config: {}
\ No newline at end of file
diff --git a/examples/ai-prompt-guard/_3.6.x.yaml b/examples/ai-prompt-guard/_3.6.x.yaml
new file mode 100644
index 00000000..9e6ed565
--- /dev/null
+++ b/examples/ai-prompt-guard/_3.6.x.yaml
@@ -0,0 +1,2 @@
+name: ai-prompt-guard
+config: {}
\ No newline at end of file
diff --git a/examples/ai-prompt-template/_3.6.x.yaml b/examples/ai-prompt-template/_3.6.x.yaml
new file mode 100644
index 00000000..2fd16614
--- /dev/null
+++ b/examples/ai-prompt-template/_3.6.x.yaml
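Review bot: data/referenceable_fields/3.6.x.json has no entry for any of the `ai-*` plugins whose schemas this commit adds. If those schemas mark credential fields as referenceable (provider API keys would be the likely candidates; the schemas are outside this part of the patch), the list is stale. Documentation built from it would then not tell users that those values can come from a vault reference instead of being stored inline. Regenerating the file from the same 3.6 image as the schemas would close the gap, as would stating in the WIP description that it is still the 3.5.x copy. The file also ends without a trailing newline.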
@@ -0,0 +1,2 @@
+name: ai-prompt-template
+config: {}
\ No newline at end of file
diff --git a/examples/ai-proxy/_3.6.x.yaml b/examples/ai-proxy/_3.6.x.yaml
new file mode 100644
index 00000000..331534df
--- /dev/null
+++ b/examples/ai-proxy/_3.6.x.yaml
@@ -0,0 +1,2 @@
+name: ai-proxy
+config: {}
\ No newline at end of file
diff --git a/examples/ai-request-transformer/_3.6.x.yaml b/examples/ai-request-transformer/_3.6.x.yaml
new file mode 100644
index 00000000..ad93eef6
--- /dev/null
+++ b/examples/ai-request-transformer/_3.6.x.yaml
@@ -0,0 +1,2 @@
+name: ai-request-transformer
+config: {}
\ No newline at end of file
diff --git a/examples/ai-response-transformer/_3.6.x.yaml b/examples/ai-response-transformer/_3.6.x.yaml
new file mode 100644
index 00000000..f19bc721
--- /dev/null
+++ b/examples/ai-response-transformer/_3.6.x.yaml
@@ -0,0 +1,2 @@
+name: ai-response-transformer
+config: {}
\ No newline at end of file
diff --git a/examples/app-dynamics/_3.6.x.yaml b/examples/app-dynamics/_3.6.x.yaml
new file mode 100644
index 00000000..fb73f97b
--- /dev/null
+++ b/examples/app-dynamics/_3.6.x.yaml
@@ -0,0 +1,2 @@
+name: app-dynamics
+config: {}
diff --git a/examples/application-registration/_3.6.x.yaml b/examples/application-registration/_3.6.x.yaml
new file mode 100644
index 00000000..a52184fb
--- /dev/null
+++ b/examples/application-registration/_3.6.x.yaml
@@ -0,0 +1,7 @@
+name: application-registration
+service: SERVICE_NAME
+config:
+ auto_approve: false
+ description:
+ display_name:
+ show_issuer: false
diff --git a/examples/aws-lambda/_3.6.x.yaml b/examples/aws-lambda/_3.6.x.yaml
new file mode 100644
index 00000000..5eddd18d
--- /dev/null
+++ b/examples/aws-lambda/_3.6.x.yaml
@@ -0,0 +1,9 @@
+name: aws-lambda
+config:
+ aws_key:
+ aws_secret:
+ aws_region:
+ aws_assume_role_arn:
+ aws_role_session_name:
+ function_name:
+ proxy_url: http://my-proxy-server:3128
diff --git a/examples/azure-functions/_3.6.x.yaml b/examples/azure-functions/_3.6.x.yaml
new file mode 100644
index 00000000..00f73c86
--- /dev/null
+++ b/examples/azure-functions/_3.6.x.yaml
@@ -0,0 +1,6 @@
+name: azure-functions
+config:
+ functionname:
+ appname:
+ hostdomain: azurewebsites.net
+ apikey:
diff --git a/examples/basic-auth/_3.6.x.yaml b/examples/basic-auth/_3.6.x.yaml
new file mode 100644
index 00000000..40fcf8c2
--- /dev/null
+++ b/examples/basic-auth/_3.6.x.yaml
@@ -0,0 +1,3 @@
+name: basic-auth
+config:
+ hide_credentials: true
diff --git a/examples/bot-detection/_3.6.x.yaml b/examples/bot-detection/_3.6.x.yaml
new file mode 100644
index 00000000..e4f2eb24
--- /dev/null
+++ b/examples/bot-detection/_3.6.x.yaml
@@ -0,0 +1,4 @@
+name: bot-detection
+config:
+ deny:
+ - helloworld
diff --git a/examples/canary/_3.6.x.yaml b/examples/canary/_3.6.x.yaml
new file mode 100644
index 00000000..928424f8
--- /dev/null
+++ b/examples/canary/_3.6.x.yaml
@@ -0,0 +1,5 @@
+name: canary
+config:
+ percentage: 50
+ upstream_host: example.com
+ upstream_port: 80
diff --git a/examples/correlation-id/_3.6.x.yaml b/examples/correlation-id/_3.6.x.yaml
new file mode 100644
index 00000000..31240989
--- /dev/null
+++ b/examples/correlation-id/_3.6.x.yaml
@@ -0,0 +1,5 @@
+name: correlation-id
+config:
+ header_name: Kong-Request-ID
+ generator: uuid#counter
+ echo_downstream: false
diff --git a/examples/cors/_3.6.x.yaml b/examples/cors/_3.6.x.yaml
new file mode 100644
index 00000000..c2046281
--- /dev/null
+++ b/examples/cors/_3.6.x.yaml
@@ -0,0 +1,19 @@
+name: cors
+config:
+ origins:
+ - http://mockbin.com
+ methods:
+ - GET
+ - POST
+ headers:
+ - Accept
+ - Accept-Version
+ - Content-Length
+ - Content-MD5
+ - Content-Type
+ - Date
+ - X-Auth-Token
+ exposed_headers:
+ - X-Auth-Token
+ credentials: true
+ max_age: 3600
diff --git a/examples/datadog/_3.6.x.yaml b/examples/datadog/_3.6.x.yaml
new file mode 100644
index 00000000..957e300c
--- /dev/null
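Review bot: The cors example in examples/cors/_3.6.x.yaml pairs `credentials: true` with the origin `http://mockbin.com`, a third-party host reached over cleartext HTTP. Examples get copied into real configurations, and a credentialed CORS allowance for a plain-HTTP origin extends trust to anything that can tamper with that origin's traffic. A reserved placeholder over TLS, `- https://example.com`, would be a safer sample. The same applies to `http_endpoint: http://mockbin.org/bin/:id` in examples/http-log/_3.6.x.yaml, which would send request logs unencrypted to an external service.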
+++ b/examples/datadog/_3.6.x.yaml
@@ -0,0 +1,6 @@
+name: datadog
+config:
+ host: 127.0.0.1
+ port: 8125
+ flush_timeout: 2
+ retry_count: 10
diff --git a/examples/degraphql/_3.6.x.yaml b/examples/degraphql/_3.6.x.yaml
new file mode 100644
index 00000000..84443323
--- /dev/null
+++ b/examples/degraphql/_3.6.x.yaml
@@ -0,0 +1,3 @@
+name: degraphql
+config:
+ graphql_server_path: '/graphql'
diff --git a/examples/exit-transformer/_3.6.x.yaml b/examples/exit-transformer/_3.6.x.yaml
new file mode 100644
index 00000000..c7f0c5d4
--- /dev/null
+++ b/examples/exit-transformer/_3.6.x.yaml
@@ -0,0 +1,4 @@
+name: exit-transformer
+config:
+ functions:
+ - "return function(status, body, headers) return status, body, headers end"
diff --git a/examples/file-log/_3.6.x.yaml b/examples/file-log/_3.6.x.yaml
new file mode 100644
index 00000000..aefd2bdc
--- /dev/null
+++ b/examples/file-log/_3.6.x.yaml
@@ -0,0 +1,3 @@
+name: file-log
+config:
+ path: /tmp/file.log
diff --git a/examples/forward-proxy/_3.6.x.yaml b/examples/forward-proxy/_3.6.x.yaml
new file mode 100644
index 00000000..7fb797ca
--- /dev/null
+++ b/examples/forward-proxy/_3.6.x.yaml
@@ -0,0 +1,9 @@
+name: forward-proxy
+config:
+ http_proxy_host: example.com
+ http_proxy_port: 80
+ proxy_scheme: http
+ auth_username: example_user
+ auth_password: example_pass
+ https_verify: false
+ x_headers: transparent
diff --git a/examples/graphql-proxy-cache-advanced/_3.6.x.yaml b/examples/graphql-proxy-cache-advanced/_3.6.x.yaml
new file mode 100644
index 00000000..e1ce637b
--- /dev/null
+++ b/examples/graphql-proxy-cache-advanced/_3.6.x.yaml
@@ -0,0 +1,3 @@
+name: graphql-proxy-cache-advanced
+config:
+ strategy: memory
diff --git a/examples/graphql-rate-limiting-advanced/_3.6.x.yaml b/examples/graphql-rate-limiting-advanced/_3.6.x.yaml
new file mode 100644
index 00000000..10985f83
--- /dev/null
+++ b/examples/graphql-rate-limiting-advanced/_3.6.x.yaml
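Review bot: The forward-proxy example in examples/forward-proxy/_3.6.x.yaml sets `https_verify: false` and puts `auth_password: example_pass` inline. Readers copy examples verbatim, so the sample should keep certificate verification on with `https_verify: true`. It should also show the password as a secret reference rather than a literal, since `config.auth_password` is listed as referenceable in data/referenceable_fields/3.6.x.json in this same commit. A line such as `auth_password: '{vault://env/forward-proxy-password}'` (constructed name) would demonstrate that.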
@@ -0,0 +1,9 @@
+name: graphql-rate-limiting-advanced
+config:
+ limit:
+ - 5
+ window_size:
+ - 30
+ sync_rate: -1
+ namespace: example_namespace
+ strategy: cluster
diff --git a/examples/grpc-gateway/_3.6.x.yaml b/examples/grpc-gateway/_3.6.x.yaml
new file mode 100644
index 00000000..36b576ea
--- /dev/null
+++ b/examples/grpc-gateway/_3.6.x.yaml
@@ -0,0 +1,3 @@
+name: grpc-gateway
+config:
+ proto: path/to/hello.proto
diff --git a/examples/grpc-web/_3.6.x.yaml b/examples/grpc-web/_3.6.x.yaml
new file mode 100644
index 00000000..e4f2c597
--- /dev/null
+++ b/examples/grpc-web/_3.6.x.yaml
@@ -0,0 +1,3 @@
+name: grpc-web
+config:
+ proto: path/to/hello.proto
diff --git a/examples/hmac-auth/_3.6.x.yaml b/examples/hmac-auth/_3.6.x.yaml
new file mode 100644
index 00000000..ba1ae19d
--- /dev/null
+++ b/examples/hmac-auth/_3.6.x.yaml
@@ -0,0 +1,3 @@
+name: hmac-auth
+config:
+ hide_credentials: false
diff --git a/examples/http-log/_3.6.x.yaml b/examples/http-log/_3.6.x.yaml
new file mode 100644
index 00000000..dd88c67c
--- /dev/null
+++ b/examples/http-log/_3.6.x.yaml
@@ -0,0 +1,8 @@
+name: http-log
+config:
+ http_endpoint: http://mockbin.org/bin/:id
+ method: POST
+ timeout: 1000
+ keepalive: 1000
+ flush_timeout: 2
+ retry_count: 15
diff --git a/examples/ip-restriction/_3.6.x.yaml b/examples/ip-restriction/_3.6.x.yaml
new file mode 100644
index 00000000..4ca5298d
--- /dev/null
+++ b/examples/ip-restriction/_3.6.x.yaml
@@ -0,0 +1,5 @@
+name: ip-restriction
+config:
+ allow:
+ - 54.13.21.1
+ - 143.1.0.0/24
diff --git a/examples/jq/_3.6.x.yaml b/examples/jq/_3.6.x.yaml
new file mode 100644
index 00000000..d69ce58d
--- /dev/null
+++ b/examples/jq/_3.6.x.yaml
@@ -0,0 +1,3 @@
+name: jq
+config:
+ request_jq_program: .[0]
diff --git a/examples/jwe-decrypt/_3.6.x.yaml b/examples/jwe-decrypt/_3.6.x.yaml
new file mode 100644
index 00000000..f413b0e5
--- /dev/null
+++ b/examples/jwe-decrypt/_3.6.x.yaml
@@ -0,0 +1,4 @@
+name: jwe-decrypt
+config:
+ key_sets:
+ - dummyID
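Review bot: `hide_credentials: false` in examples/hmac-auth is the opposite of what examples/basic-auth and examples/ldap-auth show (`hide_credentials: true`), so going by the option name the HMAC example would pass the client's credential header through to the upstream service; the plugin's handling is not visible in this patch. Unless the upstream needs to see it, the example should read `hide_credentials: true`, so that the three auth examples agree and the copy-paste default is the stricter one.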
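Review bot: `http_endpoint: http://mockbin.org/bin/:id` in examples/http-log points the log sink at a third-party host over plaintext HTTP, and a gateway log payload typically carries request metadata, headers included. A reserved-domain HTTPS URL such as `http_endpoint: https://logs.example.com/ingest` (constructed sample) avoids both problems. The same plaintext pattern appears in examples/opentelemetry, where `X-Auth-Token: secret-token` would be sent to an `http://` endpoint, and in examples/zipkin; those endpoints should be `https://` as well.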
diff --git a/examples/jwt-signer/_3.6.x.yaml b/examples/jwt-signer/_3.6.x.yaml
new file mode 100644
index 00000000..71443348
--- /dev/null
+++ b/examples/jwt-signer/_3.6.x.yaml
@@ -0,0 +1,4 @@
+name: jwt-signer
+config:
+ access_token_introspection_scopes_claim:
+ - scope
diff --git a/examples/jwt/_3.6.x.yaml b/examples/jwt/_3.6.x.yaml
new file mode 100644
index 00000000..60fd478d
--- /dev/null
+++ b/examples/jwt/_3.6.x.yaml
@@ -0,0 +1,4 @@
+name: jwt
+config:
+ uri_param_names:
+ - paramName_2.2.x
diff --git a/examples/kafka-log/_3.6.x.yaml b/examples/kafka-log/_3.6.x.yaml
new file mode 100644
index 00000000..efb1efa7
--- /dev/null
+++ b/examples/kafka-log/_3.6.x.yaml
@@ -0,0 +1,3 @@
+name: kafka-log
+config:
+ topic: TOPIC
diff --git a/examples/kafka-upstream/_3.6.x.yaml b/examples/kafka-upstream/_3.6.x.yaml
new file mode 100644
index 00000000..64ff19e5
--- /dev/null
+++ b/examples/kafka-upstream/_3.6.x.yaml
@@ -0,0 +1,3 @@
+name: kafka-upstream
+config:
+ topic: TOPIC
diff --git a/examples/key-auth-enc/_3.6.x.yaml b/examples/key-auth-enc/_3.6.x.yaml
new file mode 100644
index 00000000..9f1a6093
--- /dev/null
+++ b/examples/key-auth-enc/_3.6.x.yaml
@@ -0,0 +1,4 @@
+name: key-auth-enc
+config:
+ key_names:
+ - apikey
diff --git a/examples/key-auth/_3.6.x.yaml b/examples/key-auth/_3.6.x.yaml
new file mode 100644
index 00000000..f8ef72c5
--- /dev/null
+++ b/examples/key-auth/_3.6.x.yaml
@@ -0,0 +1,4 @@
+name: key-auth
+config:
+ key_names:
+ - apikey
diff --git a/examples/konnect-application-auth/_3.6.x.yaml b/examples/konnect-application-auth/_3.6.x.yaml
new file mode 100644
index 00000000..e54993e5
--- /dev/null
+++ b/examples/konnect-application-auth/_3.6.x.yaml
@@ -0,0 +1,3 @@
+name: konnect-application-auth
+config:
+ scope: 'uuid'
diff --git a/examples/ldap-auth-advanced/_3.6.x.yaml b/examples/ldap-auth-advanced/_3.6.x.yaml
new file mode 100644
index 00000000..5396d6cf
--- /dev/null
+++ b/examples/ldap-auth-advanced/_3.6.x.yaml
@@ -0,0 +1,10 @@
+name: ldap-auth-advanced
+config:
+ ldap_host: ldap.example.com
+ ldap_port: 389
+ start_tls: true
+ base_dn: dc=example,dc=com
+ verify_ldap_host: false
+ attribute: cn
+ cache_ttl: 60
+ header_type: ldap
diff --git a/examples/ldap-auth/_3.6.x.yaml b/examples/ldap-auth/_3.6.x.yaml
new file mode 100644
index 00000000..fe95f595
--- /dev/null
+++ b/examples/ldap-auth/_3.6.x.yaml
@@ -0,0 +1,8 @@
+name: ldap-auth
+config:
+ hide_credentials: true
+ ldap_host: ldap.example.com
+ ldap_port: 389
+ base_dn: dc=example,dc=com
+ attribute: cn
+ header_type: ldap
diff --git a/examples/loggly/_3.6.x.yaml b/examples/loggly/_3.6.x.yaml
new file mode 100644
index 00000000..186454f8
--- /dev/null
+++ b/examples/loggly/_3.6.x.yaml
@@ -0,0 +1,3 @@
+name: loggly
+config:
+ key: YOUR_LOGGLY_SERVICE_TOKEN
diff --git a/examples/mocking/_3.6.x.yaml b/examples/mocking/_3.6.x.yaml
new file mode 100644
index 00000000..549e1f46
--- /dev/null
+++ b/examples/mocking/_3.6.x.yaml
@@ -0,0 +1,14 @@
+name: mocking
+config:
+ random_delay: true
+ max_delay_time: 1
+ min_delay_time: 0.001
+ random_examples: true
+ api_specification: |
+ openapi: 3.0.1
+ info:
+ title: OpenAPI 3.0 API
+ description: This is a simple API
+ contact:
+ email: example@example.com
+ version: 1.0.0
diff --git a/examples/mtls-auth/_3.6.x.yaml b/examples/mtls-auth/_3.6.x.yaml
new file mode 100644
index 00000000..4bcdb7fd
--- /dev/null
+++ b/examples/mtls-auth/_3.6.x.yaml
@@ -0,0 +1,6 @@
+name: mtls-auth
+config:
+ ca_certificates:
+ - fdac360e-7b19-4ade-a553-6dd22937c82f
+ http_proxy_host: example
+ http_proxy_port: 80
diff --git a/examples/oas-validation/_3.6.x.yaml b/examples/oas-validation/_3.6.x.yaml
new file mode 100644
index 00000000..2eb7dc89
--- /dev/null
+++ b/examples/oas-validation/_3.6.x.yaml
@@ -0,0 +1,29 @@
+name: oas-validation
+config:
+ api_spec: |
+ openapi: 3.0.0
+ info:
+ version: "2.19.3"
+ title: Xero Finance API
+ description: The Finance API is a collection of endpoints which customers can use in the course of a loan application, which may assist lenders to gain the confidence they need to provide capital.
+ termsOfService: "https://developer.xero.com/xero-developer-platform-terms-conditions/"
+ contact:
+ name: "Xero Platform Team"
+ email: "api@xero.com"
+ url: "https://developer.xero.com"
+ license:
+ name: MIT
+ url: 'https://github.com/XeroAPI/Xero-OpenAPI/blob/master/LICENSE'
+ servers:
+ - description: Xero API servers
+ url: https://api.xero.com/finance.xro/1.0
+ paths:
+ /CashValidation:
+ get:
+ security:
+ - OAuth2: [finance.cashvalidation.read]
+ tags:
+ - Finance
+ summary: Get cash validation
+ operationId: getCashValidation
+ description: Summarizes the total cash position for each account for an org
diff --git a/examples/oauth2-introspection/_3.6.x.yaml b/examples/oauth2-introspection/_3.6.x.yaml
new file mode 100644
index 00000000..bdf723af
--- /dev/null
+++ b/examples/oauth2-introspection/_3.6.x.yaml
@@ -0,0 +1,5 @@
+name: oauth2-introspection
+config:
+ introspection_url: https://example-url.com
+ authorization_value: Basic MG9hNWlpbjpPcGVuU2VzYW1l
+ consumer_by: username
diff --git a/examples/oauth2/_3.6.x.yaml b/examples/oauth2/_3.6.x.yaml
new file mode 100644
index 00000000..d733d558
--- /dev/null
+++ b/examples/oauth2/_3.6.x.yaml
@@ -0,0 +1,9 @@
+name: oauth2
+config:
+ scopes:
+ - email
+ - phone
+ - address
+ mandatory_scope: true
+ provision_key:
+ enable_authorization_code: true
diff --git a/examples/opa/_3.6.x.yaml b/examples/opa/_3.6.x.yaml
new file mode 100644
index 00000000..51ff2b78
--- /dev/null
+++ b/examples/opa/_3.6.x.yaml
@@ -0,0 +1,5 @@
+name: opa
+config:
+ opa_host: localhost
+ opa_port: 8181
+ opa_path: /v1/data/example/kong/allowBoolean
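Review bot: `authorization_value: Basic MG9hNWlpbjpPcGVuU2VzYW1l` in examples/oauth2-introspection is a well-formed, decodable Basic credential rather than an obvious placeholder, which invites secret-scanner noise and copy-paste into real configurations. examples/loggly already uses the right style (`key: YOUR_LOGGLY_SERVICE_TOKEN`); I would follow it here with `authorization_value: Basic YOUR_BASE64_CLIENT_CREDENTIALS`. The same goes for `secret: opensesame` in examples/session and `X-Auth-Token: secret-token` in examples/opentelemetry, e.g. `secret: YOUR_SESSION_SECRET`.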
diff --git a/examples/openid-connect/_3.6.x.yaml b/examples/openid-connect/_3.6.x.yaml
new file mode 100644
index 00000000..69f30114
--- /dev/null
+++ b/examples/openid-connect/_3.6.x.yaml
@@ -0,0 +1,12 @@
+name: openid-connect
+config:
+ auth_methods:
+ - authorization_code
+ - session
+ issuer: http://example.org
+ client_id:
+ -
+ client_secret:
+ -
+ session_secret:
+ response_mode: form_post
diff --git a/examples/opentelemetry/_3.6.x.yaml b/examples/opentelemetry/_3.6.x.yaml
new file mode 100644
index 00000000..efacb712
--- /dev/null
+++ b/examples/opentelemetry/_3.6.x.yaml
@@ -0,0 +1,5 @@
+name: opentelemetry
+config:
+ endpoint: http://opentelemetry.collector:4318/v1/traces
+ headers:
+ X-Auth-Token: secret-token
diff --git a/examples/post-function/_3.6.x.yaml b/examples/post-function/_3.6.x.yaml
new file mode 100644
index 00000000..f980a541
--- /dev/null
+++ b/examples/post-function/_3.6.x.yaml
@@ -0,0 +1,6 @@
+name: post-function
+config:
+ access:
+ - |
+ kong.log.err("foo")
+ kong.response.exit(418)
diff --git a/examples/pre-function/_3.6.x.yaml b/examples/pre-function/_3.6.x.yaml
new file mode 100644
index 00000000..62ffe4dd
--- /dev/null
+++ b/examples/pre-function/_3.6.x.yaml
@@ -0,0 +1,6 @@
+name: pre-function
+config:
+ access:
+ - |
+ kong.log.err("foo")
+ kong.response.exit(418)
diff --git a/examples/prometheus/_3.6.x.yaml b/examples/prometheus/_3.6.x.yaml
new file mode 100644
index 00000000..6b7b3b62
--- /dev/null
+++ b/examples/prometheus/_3.6.x.yaml
@@ -0,0 +1,4 @@
+name: prometheus
+config:
+ per_consumer: false
+
diff --git a/examples/proxy-cache-advanced/_3.6.x.yaml b/examples/proxy-cache-advanced/_3.6.x.yaml
new file mode 100644
index 00000000..d070db76
--- /dev/null
+++ b/examples/proxy-cache-advanced/_3.6.x.yaml
@@ -0,0 +1,11 @@
+name: proxy-cache-advanced
+config:
+ response_code:
+ - 200
+ request_method:
+ - GET
+ - HEAD
+ content_type:
+ - text/plain
+ - application/json
+ strategy: memory
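Review bot: `issuer: http://example.org` in examples/openid-connect uses a plaintext issuer URL; if the plugin resolves discovery metadata and signing keys from that URL (not visible in this patch), everything the gateway trusts about the identity provider would be fetched without transport protection. `issuer: https://example.org` costs nothing in an example. examples/saml has the same issue with `idp_sso_url: http://example.org/sso-uri`, which should read `idp_sso_url: https://example.org/sso-uri`.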
diff --git a/examples/proxy-cache/_3.6.x.yaml b/examples/proxy-cache/_3.6.x.yaml
new file mode 100644
index 00000000..ce185e5e
--- /dev/null
+++ b/examples/proxy-cache/_3.6.x.yaml
@@ -0,0 +1,12 @@
+name: proxy-cache
+config:
+ response_code:
+ - 200
+ request_method:
+ - GET
+ - HEAD
+ content_type:
+ - text/plain
+ - application/json
+ cache_ttl: 300
+ strategy: memory
diff --git a/examples/rate-limiting-advanced/_3.6.x.yaml b/examples/rate-limiting-advanced/_3.6.x.yaml
new file mode 100644
index 00000000..7fee7c38
--- /dev/null
+++ b/examples/rate-limiting-advanced/_3.6.x.yaml
@@ -0,0 +1,11 @@
+name: rate-limiting-advanced
+config:
+ limit:
+ - 5
+ window_size:
+ - 30
+ identifier: consumer
+ sync_rate: -1
+ namespace: example_namespace
+ strategy: local
+ hide_client_headers: false
diff --git a/examples/rate-limiting/_3.6.x.yaml b/examples/rate-limiting/_3.6.x.yaml
new file mode 100644
index 00000000..f43f89fd
--- /dev/null
+++ b/examples/rate-limiting/_3.6.x.yaml
@@ -0,0 +1,5 @@
+name: rate-limiting
+config:
+ second: 5
+ hour: 10000
+ policy: local
diff --git a/examples/request-size-limiting/_3.6.x.yaml b/examples/request-size-limiting/_3.6.x.yaml
new file mode 100644
index 00000000..983d6d9e
--- /dev/null
+++ b/examples/request-size-limiting/_3.6.x.yaml
@@ -0,0 +1,4 @@
+name: request-size-limiting
+config:
+ allowed_payload_size: 128
+ require_content_length: false
diff --git a/examples/request-termination/_3.6.x.yaml b/examples/request-termination/_3.6.x.yaml
new file mode 100644
index 00000000..7be67818
--- /dev/null
+++ b/examples/request-termination/_3.6.x.yaml
@@ -0,0 +1,4 @@
+name: request-termination
+config:
+ status_code: 403
+ message: So long and thanks for all the fish!
diff --git a/examples/request-transformer-advanced/_3.6.x.yaml b/examples/request-transformer-advanced/_3.6.x.yaml
new file mode 100644
index 00000000..999898e7
--- /dev/null
+++ b/examples/request-transformer-advanced/_3.6.x.yaml
@@ -0,0 +1,43 @@
+name: request-transformer-advanced
+config:
+ remove:
+ headers:
+ - x-toremove
+ - x-another-one
+ remove:
+ querystring:
+ - qs-old-name:qs-new-name
+ - qs2-old-name:qs2-new-name
+ remove:
+ body:
+ - formparam-toremove
+ - formparam-another-one
+ replace:
+ body:
+ - body-param1:new-value-1
+ - body-param2:new-value-2
+ rename:
+ headers:
+ - header-old-name:header-new-name
+ - another-old-name:another-new-name
+ rename:
+ querystring:
+ - qs-old-name:qs-new-name
+ - qs2-old-name:qs2-new-name
+ rename:
+ body:
+ - param-old:param-new
+ - param2-old:param2-new
+ add:
+ headers:
+ - x-new-header:value
+ - x-another-header:something
+ add:
+ querystring:
+ - new-param:some_value
+ - another-param:some_value
+ add:
+ json_types:
+ - string
+ - boolean
+ - number
diff --git a/examples/request-transformer/_3.6.x.yaml b/examples/request-transformer/_3.6.x.yaml
new file mode 100644
index 00000000..d9e0a346
--- /dev/null
+++ b/examples/request-transformer/_3.6.x.yaml
@@ -0,0 +1,36 @@
+name: request-transformer
+config:
+ remove:
+ headers:
+ - x-toremove
+ - x-another-one
+ querystring:
+ - qs-old-name:qs-new-name
+ - qs2-old-name:qs2-new-name
+ body:
+ - formparam-toremove
+ - formparam-another-one
+ replace:
+ body:
+ - body-param1:new-value-1
+ - body-param2:new-value-2
+ rename:
+ headers:
+ - header-old-name:header-new-name
+ - another-old-name:another-new-name
+ querystring:
+ - qs-old-name:qs-new-name
+ - qs2-old-name:qs2-new-name
+ body:
+ - param-old:param-new
+ - param2-old:param2-new
+ add:
+ headers:
+ - x-new-header:value
+ - x-another-header:something
+ querystring:
+ - new-param:some_value
+ - another-param:some_value
+ body:
+ - new-form-param:some_value
+ - another-form-param:some_value
diff --git a/examples/request-validator/_3.6.x.yaml b/examples/request-validator/_3.6.x.yaml
new file mode 100644
index 00000000..89251acf
--- /dev/null
+++ b/examples/request-validator/_3.6.x.yaml
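Review bot: In examples/request-transformer-advanced the keys `remove:`, `rename:` and `add:` each appear three times under `config` (indentation is flattened in this view, so this is read from the key order), whereas examples/request-transformer in the next hunk lists each once with `headers`, `querystring` and `body` as siblings. Duplicate mapping keys are invalid YAML; parsers either reject the document or keep only the last occurrence, in which case the `remove` entries for `headers` would silently not be applied and those headers would still reach the upstream. Dropping the repeated `remove:`, `rename:` and `add:` lines fixes it. The same duplication is present in examples/response-transformer-advanced (`remove:`, `add:`) and examples/response-ratelimiting (`limits:` and `limit_name:` repeated).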
@@ -0,0 +1,3 @@
+name: request-validator
+config:
+ body_schema: '[{"name":{"type": "string", "required": true}}]'
diff --git a/examples/response-ratelimiting/_3.6.x.yaml b/examples/response-ratelimiting/_3.6.x.yaml
new file mode 100644
index 00000000..a3860b2a
--- /dev/null
+++ b/examples/response-ratelimiting/_3.6.x.yaml
@@ -0,0 +1,8 @@
+name: response-ratelimiting
+config:
+ limits:
+ limit_name:
+ limits:
+ limit_name:
+ minute: 10
+ policy: local
diff --git a/examples/response-transformer-advanced/_3.6.x.yaml b/examples/response-transformer-advanced/_3.6.x.yaml
new file mode 100644
index 00000000..4942c5c5
--- /dev/null
+++ b/examples/response-transformer-advanced/_3.6.x.yaml
@@ -0,0 +1,31 @@
+name: response-transformer-advanced
+config:
+ remove:
+ headers:
+ - x-toremove
+ - x-another-one:application/json
+ - x-list-of-values:v1,v2,v3
+ - Set-Cookie:/JSESSIONID=.*/
+ - x-another-regex://status/$/
+ - x-one-more-regex:/^/begin//
+ remove:
+ json:
+ - json-key-toremove
+ - another-json-key
+ add:
+ headers:
+ - x-new-header:value
+ - x-another-header:something
+ add:
+ json:
+ - new-json-key:some_value
+ - another-json-key:some_value
+ add:
+ json_types:
+ - string
+ - boolean
+ - number
+ append:
+ headers:
+ - x-existing-header:some_value
+ - x-another-header:some_value
diff --git a/examples/response-transformer/_3.6.x.yaml b/examples/response-transformer/_3.6.x.yaml
new file mode 100644
index 00000000..aab7075a
--- /dev/null
+++ b/examples/response-transformer/_3.6.x.yaml
@@ -0,0 +1,24 @@
+name: response-transformer
+config:
+ remove:
+ headers:
+ - x-toremove
+ - x-another-one
+ json:
+ - json-key-toremove
+ - another-json-key
+ add:
+ headers:
+ - x-new-header:value
+ - x-another-header:something
+ json:
+ - new-json-key:some_value
+ - another-json-key:some_value
+ json_types:
+ - string
+ - boolean
+ - number
+ append:
+ headers:
+ - x-existing-header:some_value
+ - x-another-header:some_value
diff --git a/examples/route-by-header/_3.6.x.yaml b/examples/route-by-header/_3.6.x.yaml
new file mode 100644
index 00000000..e2854428
--- /dev/null
+++ b/examples/route-by-header/_3.6.x.yaml
@@ -0,0 +1,8 @@
+name: route-by-header
+config:
+ rules:
+ -
+ upstream_name: bar.domain.com
+ condition:
+ location: us-east
+
diff --git a/examples/route-transformer-advanced/_3.6.x.yaml b/examples/route-transformer-advanced/_3.6.x.yaml
new file mode 100644
index 00000000..098f0994
--- /dev/null
+++ b/examples/route-transformer-advanced/_3.6.x.yaml
@@ -0,0 +1,3 @@
+name: route-transformer-advanced
+config:
+ path: /path
diff --git a/examples/saml/_3.6.x.yaml b/examples/saml/_3.6.x.yaml
new file mode 100644
index 00000000..18b41c3f
--- /dev/null
+++ b/examples/saml/_3.6.x.yaml
@@ -0,0 +1,12 @@
+name: saml
+config:
+ anonymous: anonymous
+ assertion_consumer_path: /acs-uri
+ idp_sso_url: http://example.org/sso-uri
+ validate_assertion_signature: true
+ session_secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ issuer: AzureAD_Identity_ID
+ idp_certificate: |
+ -----BEGIN CERTIFICATE-----
+
+ -----END CERTIFICATE-----
diff --git a/examples/session/_3.6.x.yaml b/examples/session/_3.6.x.yaml
new file mode 100644
index 00000000..1c5100d2
--- /dev/null
+++ b/examples/session/_3.6.x.yaml
@@ -0,0 +1,3 @@
+name: session
+config:
+ secret: opensesame
diff --git a/examples/statsd-advanced/_3.6.x.yaml b/examples/statsd-advanced/_3.6.x.yaml
new file mode 100644
index 00000000..cfd68de0
--- /dev/null
+++ b/examples/statsd-advanced/_3.6.x.yaml
@@ -0,0 +1,7 @@
+name: statsd-advanced
+config:
+ host: 127.0.0.1
+ port: 8125
+ allow_status_codes:
+ - 200-205
+ - 400-499
diff --git a/examples/statsd/_3.6.x.yaml b/examples/statsd/_3.6.x.yaml
new file mode 100644
index 00000000..796222aa
--- /dev/null
+++ b/examples/statsd/_3.6.x.yaml
@@ -0,0 +1,9 @@
+name: statsd
+config:
+ host: 127.0.0.1
+ port: 8125
+ allow_status_codes:
+ - 200-205
+ - 400-499
+ flush_timeout: 2
+ retry_count: 10
diff --git a/examples/syslog/_3.6.x.yaml b/examples/syslog/_3.6.x.yaml
new file mode 100644
index 00000000..9cc23ca1
--- /dev/null
+++ b/examples/syslog/_3.6.x.yaml
@@ -0,0 +1,3 @@
+name: syslog
+config:
+ log_level: info
diff --git a/examples/tcp-log/_3.6.x.yaml b/examples/tcp-log/_3.6.x.yaml
new file mode 100644
index 00000000..4e155f5a
--- /dev/null
+++ b/examples/tcp-log/_3.6.x.yaml
@@ -0,0 +1,4 @@
+name: tcp-log
+config:
+ host: 127.0.0.1
+ port: 9999
diff --git a/examples/tls-handshake-modifier/_3.6.x.yaml b/examples/tls-handshake-modifier/_3.6.x.yaml
new file mode 100644
index 00000000..52561153
--- /dev/null
+++ b/examples/tls-handshake-modifier/_3.6.x.yaml
@@ -0,0 +1 @@
+name: tls-handshake-modifier
diff --git a/examples/tls-metadata-headers/_3.6.x.yaml b/examples/tls-metadata-headers/_3.6.x.yaml
new file mode 100644
index 00000000..98df21ec
--- /dev/null
+++ b/examples/tls-metadata-headers/_3.6.x.yaml
@@ -0,0 +1,4 @@
+name: tls-metadata-headers
+config:
+ inject_client_cert_details: true
+ client_cert_header_name: X-Forwarded-Client-Cert
diff --git a/examples/udp-log/_3.6.x.yaml b/examples/udp-log/_3.6.x.yaml
new file mode 100644
index 00000000..bfd35c0a
--- /dev/null
+++ b/examples/udp-log/_3.6.x.yaml
@@ -0,0 +1,5 @@
+name: udp-log
+config:
+ host: 127.0.0.1
+ port: 9999
+ timeout: 10000
diff --git a/examples/upstream-timeout/_3.6.x.yaml b/examples/upstream-timeout/_3.6.x.yaml
new file mode 100644
index 00000000..962a6cdf
--- /dev/null
+++ b/examples/upstream-timeout/_3.6.x.yaml
@@ -0,0 +1,5 @@
+name: upstream-timeout
+config:
+ connect_timeout: 4000
+ send_timeout: 5000
+ read_timeout: 5000
diff --git a/examples/vault-auth/_3.6.x.yaml b/examples/vault-auth/_3.6.x.yaml
new file mode 100644
index 00000000..8a2e5285
--- /dev/null
+++ b/examples/vault-auth/_3.6.x.yaml
@@ -0,0 +1,4 @@
+name: vault-auth
+config:
+ vault:
+ id: 00000000-0000-0000-0000-000000000000
diff --git a/examples/websocket-size-limit/_3.6.x.yaml b/examples/websocket-size-limit/_3.6.x.yaml
new file mode 100644
index 00000000..7274d312
--- /dev/null
+++ b/examples/websocket-size-limit/_3.6.x.yaml
@@ -0,0 +1,4 @@
+name: websocket-size-limit
+config:
+ client_max_payload: 1024
+ upstream_max_payload: 16384
diff --git a/examples/websocket-validator/_3.6.x.yaml b/examples/websocket-validator/_3.6.x.yaml
new file mode 100644
index 00000000..12fe18ac
--- /dev/null
+++ b/examples/websocket-validator/_3.6.x.yaml
@@ -0,0 +1,14 @@
+name: websocket-validator
+config:
+ client:
+ text:
+ type: draft4
+ schema: |
+ {
+ "type": "object",
+ "properties": {
+ "foo": { "type": "string" },
+ "bar": { "type": "string" }
+ },
+ "required": [ "foo", "bar" ]
+ }
diff --git a/examples/xml-threat-protection/_3.6.x.yaml b/examples/xml-threat-protection/_3.6.x.yaml
new file mode 100644
index 00000000..a25f15fc
--- /dev/null
+++ b/examples/xml-threat-protection/_3.6.x.yaml
@@ -0,0 +1,6 @@
+name: xml-threat-protection
+config:
+ max_depth: 50
+ localname: 512
+ prefix: 512
+ namespaceuri: 1024
diff --git a/examples/zipkin/_3.6.x.yaml b/examples/zipkin/_3.6.x.yaml
new file mode 100644
index 00000000..62ab05c8
--- /dev/null
+++ b/examples/zipkin/_3.6.x.yaml
@@ -0,0 +1,5 @@
+name: zipkin
+config:
+ http_endpoint: http://your.zipkin.collector:9411/api/v2/spans
+ sample_ratio: 0.001
+ include_credential: true
diff --git a/schemas/acl/3.6.x.json b/schemas/acl/3.6.x.json
new file mode 100644
index 00000000..6e83ac25
--- /dev/null
+++ b/schemas/acl/3.6.x.json
@@ -0,0 +1,97 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "allow": { + "type": "array", + "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "elements": { + "type": "string" + } + } + }, + { + "deny": { + "type": "array", + "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "elements": { + "type": "string" + } + } + }, + { + "hide_groups_header": { + "default": false, + "type": "boolean", + "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", + "required": true + } + }, + { + "include_consumer_groups": { + "type": "boolean", + "default": false, + "required": false + } + } + ] + } + } + ], + "entity_checks": [ + { + "only_one_of": [ + "config.allow", + "config.deny" + ] + }, + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/acme/3.6.x.json b/schemas/acme/3.6.x.json new file mode 100644 index 00000000..af38e020 --- /dev/null +++ b/schemas/acme/3.6.x.json 
@@ -0,0 +1,498 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "service": { + "type": "foreign", + "reference": "services", + "eq": null, + "description": "A reference to the 'services' table with a null value allowed." + } + }, + { + "route": { + "type": "foreign", + "reference": "routes", + "eq": null, + "description": "A reference to the 'routes' table with a null value allowed." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "account_email": { + "match": "%w*%p*@+%w*%.?%w*", + "required": true, + "type": "string", + "referenceable": true, + "encrypted": true, + "description": "The account identifier. Can be reused in a different plugin instance." + } + }, + { + "account_key": { + "description": "The private key associated with the account.", + "type": "record", + "required": false, + "fields": [ + { + "key_id": { + "type": "string", + "required": true, + "description": "The Key ID." + } + }, + { + "key_set": { + "type": "string", + "description": "The ID of the key set to associate the Key ID with." + } + } + ] + } + }, + { + "api_uri": { + "default": "https://acme-v02.api.letsencrypt.org/directory", + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ } + }, + { + "tos_accepted": { + "type": "boolean", + "default": false, + "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service." + } + }, + { + "eab_kid": { + "type": "string", + "referenceable": true, + "encrypted": true, + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA." + } + }, + { + "eab_hmac_key": { + "type": "string", + "referenceable": true, + "encrypted": true, + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA." + } + }, + { + "cert_type": { + "type": "string", + "one_of": [ + "rsa", + "ecc" + ], + "default": "rsa", + "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate." + } + }, + { + "rsa_key_size": { + "type": "number", + "one_of": [ + 2048, + 3072, + 4096 + ], + "default": 4096, + "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096." + } + }, + { + "renew_threshold_days": { + "type": "number", + "default": 14, + "description": "Days remaining to renew the certificate before it expires." + } + }, + { + "domains": { + "type": "array", + "elements": { + "match_all": [ + { + "pattern": "^[^*]*%*?[^*]*$", + "err": "invalid wildcard: must have at most one wildcard" + } + ], + "type": "string", + "match_any": { + "err": "invalid wildcard: must be placed at leftmost or rightmost label", + "patterns": [ + "^%*%.", + "%.%*$", + "^[^*]*$" + ] + } + }, + "description": "An array of strings representing hosts. 
A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')" + } + }, + { + "allow_any_domain": { + "type": "boolean", + "default": false, + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list." + } + }, + { + "fail_backoff_minutes": { + "type": "number", + "default": 5, + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate." + } + }, + { + "storage": { + "type": "string", + "one_of": [ + "kong", + "shm", + "redis", + "consul", + "vault" + ], + "default": "shm", + "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well." + } + }, + { + "storage_config": { + "type": "record", + "required": true, + "fields": [ + { + "shm": { + "type": "record", + "required": true, + "fields": [ + { + "shm_name": { + "type": "string", + "default": "kong", + "description": "Name of shared memory zone used for Kong API gateway storage" + } + } + ] + } + }, + { + "kong": { + "type": "record", + "required": true, + "fields": [ + + ] + } + }, + { + "redis": { + "type": "record", + "required": true, + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "database": { + "type": "number", + "description": "The index of the Redis database to use." 
+ } + }, + { + "auth": { + "referenceable": true, + "type": "string", + "description": "The Redis password to use for authentication. " + } + }, + { + "ssl": { + "default": false, + "type": "boolean", + "required": true, + "description": "Whether to use SSL/TLS encryption when connecting to the Redis server." + } + }, + { + "ssl_verify": { + "default": false, + "type": "boolean", + "required": true, + "description": "Whether to verify the SSL/TLS certificate presented by the Redis server. This should be a boolean value." + } + }, + { + "ssl_server_name": { + "required": false, + "type": "string", + "description": "The expected server name for the SSL/TLS certificate presented by the Redis server." + } + }, + { + "namespace": { + "type": "string", + "len_min": 0, + "required": true, + "default": "", + "description": "A namespace to prepend to all keys stored in Redis." + } + }, + { + "scan_count": { + "default": 10, + "type": "number", + "required": false, + "description": "The number of keys to return in Redis SCAN calls." + } + } + ] + } + }, + { + "consul": { + "type": "record", + "required": true, + "fields": [ + { + "https": { + "type": "boolean", + "default": false, + "description": "Boolean representation of https." + } + }, + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "kv_path": { + "type": "string", + "description": "KV prefix path." + } + }, + { + "timeout": { + "type": "number", + "description": "Timeout in milliseconds." + } + }, + { + "token": { + "referenceable": true, + "type": "string", + "description": "Consul ACL token." 
+ } + } + ] + } + }, + { + "vault": { + "type": "record", + "required": true, + "fields": [ + { + "https": { + "type": "boolean", + "default": false, + "description": "Boolean representation of https." + } + }, + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "kv_path": { + "type": "string", + "description": "KV prefix path." + } + }, + { + "timeout": { + "type": "number", + "description": "Timeout in milliseconds." + } + }, + { + "token": { + "referenceable": true, + "type": "string", + "description": "Consul ACL token." + } + }, + { + "tls_verify": { + "type": "boolean", + "default": true, + "description": "Turn on TLS verification." + } + }, + { + "tls_server_name": { + "type": "string", + "description": "SNI used in request, default to host if omitted." + } + }, + { + "auth_method": { + "type": "string", + "one_of": [ + "token", + "kubernetes" + ], + "default": "token", + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'." + } + }, + { + "auth_path": { + "type": "string", + "description": "Vault's authentication path to use." + } + }, + { + "auth_role": { + "type": "string", + "description": "The role to try and assign." + } + }, + { + "jwt_path": { + "type": "string", + "description": "The path to the JWT." + } + } + ] + } + } + ] + } + }, + { + "preferred_chain": { + "type": "string", + "description": "A string value that specifies the preferred certificate chain to use when generating certificates." + } + }, + { + "enable_ipv4_common_name": { + "type": "boolean", + "default": true, + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates." 
+ } + } + ] + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_match": { + "eq": true + }, + "then_field": "config.tos_accepted", + "if_match": { + "one_of": [ + "https://acme-v02.api.letsencrypt.org", + "https://acme-staging-v02.api.letsencrypt.org" + ] + }, + "if_field": "config.api_uri", + "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/" + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.storage" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-prompt-decorator/3.6.x.json b/schemas/ai-prompt-decorator/3.6.x.json new file mode 100644 index 00000000..afe07263 --- /dev/null +++ b/schemas/ai-prompt-decorator/3.6.x.json 
@@ -0,0 +1,118 @@ +{ + "fields": [ + { + "protocols": { + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "prompts": { + "required": false, + "type": "record", + "fields": [ + { + "prepend": { + "elements": { + "required": false, + "type": "record", + "fields": [ + { + "role": { + "required": true, + "type": "string", + "default": "system", + "one_of": [ + "system", + "assistant", + "user" + ] + } + }, + { + "content": { + "required": true, + "len_min": 1, + "type": "string", + "len_max": 500 + } + } + ] + }, + "type": "array", + "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages.", + "required": false, + "len_max": 15 + } + }, + { + "append": { + "elements": { + "required": false, + "type": "record", + "fields": [ + { + "role": { + "required": true, + "type": "string", + "default": "system", + "one_of": [ + "system", + "assistant", + "user" + ] + } + }, + { + "content": { + "required": true, + "len_min": 1, + "type": "string", + "len_max": 500 + } + } + ] + }, + "type": "array", + "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages.", + "required": false, + "len_max": 15 + } + } + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.prompts.prepend", + "config.prompts.append" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/ai-prompt-guard/3.6.x.json b/schemas/ai-prompt-guard/3.6.x.json new file mode 100644 index 00000000..cf1a6481 --- /dev/null +++ b/schemas/ai-prompt-guard/3.6.x.json 
@@ -0,0 +1,75 @@ +{ + "fields": [ + { + "protocols": { + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "allow_patterns": { + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ], + "description": "Array of valid patterns, or valid questions from the 'user' role in chat." + } + }, + { + "deny_patterns": { + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ], + "description": "Array of invalid patterns, or invalid questions from the 'user' role in chat." + } + }, + { + "allow_all_conversation_history": { + "required": true, + "type": "boolean", + "default": false, + "description": "If true, will ignore all previous chat prompts from the conversation history." + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-prompt-template/3.6.x.json b/schemas/ai-prompt-template/3.6.x.json new file mode 100644 index 00000000..0db1eae6 --- /dev/null +++ b/schemas/ai-prompt-template/3.6.x.json 
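Review bot: `allow_patterns` and `deny_patterns` in `config` are plain string arrays with no `len_max` on the array and no `len_min`/`len_max` on the elements, whereas the ai-prompt-decorator schema earlier in this patch bounds both (`"len_max": 15` on the arrays, `"len_max": 500` on `content`). If these patterns are evaluated against every request, which the descriptions suggest but the schema does not show, an unbounded list or an empty-string entry is worth rejecting at validation time. Whether the `custom_entity_check` on `config` already does so cannot be seen here. The `allow_all_conversation_history` description is also easy to misread, and I would reword it to `"description": "If true, previous chat messages in the conversation history are not checked against the allow/deny patterns."`. As this file looks like an export of the plugin schema, the change probably belongs in the plugin's own schema definition.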
@@ -0,0 +1,88 @@ +{ + "fields": [ + { + "protocols": { + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "templates": { + "elements": { + "required": true, + "type": "record", + "fields": [ + { + "name": { + "required": true, + "type": "string", + "description": "Unique name for the template, can be called with `{template://NAME}`" + } + }, + { + "template": { + "required": true, + "type": "string", + "description": "Template string for this request, supports mustache-style `{{placeholders}}`" + } + } + ] + }, + "required": true, + "type": "array", + "description": "Array of templates available to the request context." + } + }, + { + "allow_untemplated_requests": { + "required": true, + "type": "boolean", + "default": true, + "description": "Set true to allow requests that don't call or match any template." + } + }, + { + "log_original_request": { + "required": true, + "type": "boolean", + "default": false, + "description": "Set true to add the original request to the Kong log plugin(s) output." + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/ai-proxy/3.6.x.json b/schemas/ai-proxy/3.6.x.json new file mode 100644 index 00000000..a4bbc6c8 --- /dev/null +++ b/schemas/ai-proxy/3.6.x.json 
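Review bot: `allow_untemplated_requests` defaults to `true`, so by its own description a request that does not call or match any template is still let through unless the operator changes the setting. Where templates are meant to restrict what reaches the model, that is a fail-open default. The description should say so and state what happens when the value is `false` (presumably the request is rejected, which this schema does not show). The `log_original_request` description could likewise mention that the original request, which may carry user-supplied data, ends up in the log plugin output.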
@@ -0,0 +1,427 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "service": { + "type": "foreign", + "reference": "services", + "eq": null, + "description": "A reference to the 'services' table with a null value allowed." + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere" + ] + }, + "then_at_least_one_of": [ + "auth.header_name", + "auth.param_name" + ], + "if_field": "model.provider", + "then_err": "must set one of %s, and its respective options, when provider is not self-hosted" + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_at_least_one_of": [ + "model.options.llama2_format" + ], + "if_field": "model.provider", + "then_err": "must set %s for llama2 provider" + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_at_least_one_of": [ + "model.options.mistral_format" + ], + "if_field": "model.provider", + "then_err": "must set %s for mistral provider" + } + }, + { + "conditional_at_least_one_of": { + "if_match": [ + + ], + "then_at_least_one_of": [ + "model.name" + ], + "if_field": "model.provider", + "then_err": "Must set a model name. 
Refer to https://docs.konghq.com/hub/kong-inc/ai-proxy/ for supported models." + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], + "if_field": "model.provider", + "then_err": "must set %s for anthropic provider" + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_at_least_one_of": [ + "model.options.azure_instance" + ], + "if_field": "model.provider", + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], + "if_field": "model.provider", + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ], + "if_field": "model.provider", + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "mistral", + "llama2" + ] + }, + "then_at_least_one_of": [ + "model.options.upstream_url" + ], + "if_field": "model.provider", + "then_err": "must set %s for self-hosted providers/models" + } + } + ], + "required": true, + "fields": [ + { + "route_type": { + "type": "string", + "one_of": [ + "llm/v1/chat", + "llm/v1/completions" + ], + "required": true, + "description": "The model's operation implementation, for this provider." + } + }, + { + "auth": { + "type": "record", + "required": false, + "fields": [ + { + "header_name": { + "type": "string", + "referenceable": true, + "required": false, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here." 
+ } + }, + { + "header_value": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false, + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." + } + }, + { + "param_name": { + "type": "string", + "referenceable": true, + "required": false, + "description": "If AI model requires authentication via query parameter, specify its name here." + } + }, + { + "param_value": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false, + "description": "Specify the full parameter value for 'param_name'." + } + }, + { + "param_location": { + "type": "string", + "one_of": [ + "query", + "body" + ], + "required": false, + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body." + } + } + ] + } + }, + { + "model": { + "type": "record", + "required": true, + "fields": [ + { + "provider": { + "type": "string", + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2" + ], + "required": true, + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats." + } + }, + { + "name": { + "type": "string", + "required": false, + "description": "Model name to execute." + } + }, + { + "options": { + "description": "Key/value settings for the model", + "type": "record", + "required": false, + "fields": [ + { + "max_tokens": { + "required": false, + "type": "integer", + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models." + } + }, + { + "temperature": { + "required": false, + "between": [ + 0, + 5 + ], + "type": "number", + "default": 1, + "description": "Defines the matching temperature, if using chat or completion models." 
+ } + }, + { + "top_p": { + "required": false, + "between": [ + 0, + 1 + ], + "type": "number", + "default": 1, + "description": "Defines the top-p probability mass, if supported." + } + }, + { + "top_k": { + "required": false, + "between": [ + 0, + 500 + ], + "type": "integer", + "default": 0, + "description": "Defines the top-k most likely tokens, if supported." + } + }, + { + "anthropic_version": { + "type": "string", + "required": false, + "description": "Defines the schema/API version, if using Anthropic provider." + } + }, + { + "azure_instance": { + "type": "string", + "required": false, + "description": "Instance name for Azure OpenAI hosted models." + } + }, + { + "azure_api_version": { + "required": false, + "type": "string", + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances." + } + }, + { + "azure_deployment_id": { + "type": "string", + "required": false, + "description": "Deployment ID for Azure OpenAI instances." + } + }, + { + "llama2_format": { + "type": "string", + "one_of": [ + "raw", + "openai", + "ollama" + ], + "required": false, + "description": "If using llama2 provider, select the upstream message format." + } + }, + { + "mistral_format": { + "type": "string", + "one_of": [ + "openai", + "ollama" + ], + "required": false, + "description": "If using mistral provider, select the upstream message format." + } + }, + { + "upstream_url": { + "required": false, + "type": "string", + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint." + } + } + ] + } + } + ] + } + }, + { + "logging": { + "type": "record", + "required": true, + "fields": [ + { + "log_statistics": { + "required": true, + "type": "boolean", + "default": true, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output." 
+ } + }, + { + "log_payloads": { + "required": true, + "type": "boolean", + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output." + } + } + ] + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/ai-request-transformer/3.6.x.json b/schemas/ai-request-transformer/3.6.x.json new file mode 100644 index 00000000..8a5819c8 --- /dev/null +++ b/schemas/ai-request-transformer/3.6.x.json 
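Review bot: `model.options.upstream_url` is declared as a bare `"type": "string"` with no scheme or format constraint, although the value decides where the request, and presumably the configured `auth.header_value` or `auth.param_value`, is sent. Nothing visible in this schema stops an `http://` URL or a malformed value from being accepted; if the schema language offers a URL validator it would fit here, and otherwise the description should state that an `https://` endpoint is expected. Separately, the `param_location` description could note that `query` places `param_value` in the request URL, where it is more likely to be recorded in access logs than a header or body value. `max_tokens` is also the only numeric option here without a `between` bound. The same fields recur in the ai-request-transformer and ai-response-transformer hunks that follow.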
@@ -0,0 +1,511 @@ +{ + "fields": [ + { + "protocols": { + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "prompt": { + "required": true, + "type": "string", + "description": "Use this prompt to tune the LLM system/assistant message for the incoming proxy request (from the client), and what you are expecting in return." + } + }, + { + "transformation_extract_pattern": { + "required": false, + "type": "string", + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the request phase. The first match will be set as the outgoing body. If the AI service's response doesn't match this pattern, it is marked as a failure." + } + }, + { + "ssl_verify": { + "required": true, + "type": "boolean", + "default": true, + "description": "Verify the TLS certificate of the AI upstream service." + } + }, + { + "http_timeout": { + "required": true, + "type": "integer", + "default": 60000, + "description": "Timeout in milliseconds for the AI upstream service." + } + }, + { + "https_verify": { + "required": true, + "type": "boolean", + "default": true, + "description": "Verify the TLS certificate of the AI upstream service." + } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "http_proxy_port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "https_proxy_port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "llm": { + "fields": [ + { + "route_type": { + "required": true, + "description": "The model's operation implementation, for this provider.", + "type": "string", + "one_of": [ + "llm/v1/chat", + "llm/v1/completions" + ] + } + }, + { + "auth": { + "required": false, + "type": "record", + "fields": [ + { + "header_name": { + "required": false, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string", + "referenceable": true + } + }, + { + "header_value": { + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "required": false, + "encrypted": true, + "referenceable": true + } + }, + { + "param_name": { + "required": false, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string", + "referenceable": true + } + }, + { + "param_value": { + "type": "string", + "description": "Specify the full parameter value for 'param_name'.", + "required": false, + "encrypted": true, + "referenceable": true + } + }, + { + "param_location": { + "required": false, + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", + "one_of": [ + "query", + "body" + ] + } + } + ] + } + }, + { + "model": { + "required": true, + "type": "record", + "fields": [ + { + "provider": { + "required": true, + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "type": "string", + "one_of": [ + "openai", + 
"azure", + "anthropic", + "cohere", + "mistral", + "llama2" + ] + } + }, + { + "name": { + "required": false, + "type": "string", + "description": "Model name to execute." + } + }, + { + "options": { + "required": false, + "fields": [ + { + "max_tokens": { + "required": false, + "type": "integer", + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models." + } + }, + { + "temperature": { + "type": "number", + "description": "Defines the matching temperature, if using chat or completion models.", + "required": false, + "between": [ + 0, + 5 + ], + "default": 1 + } + }, + { + "top_p": { + "type": "number", + "description": "Defines the top-p probability mass, if supported.", + "required": false, + "between": [ + 0, + 1 + ], + "default": 1 + } + }, + { + "top_k": { + "type": "integer", + "description": "Defines the top-k most likely tokens, if supported.", + "required": false, + "between": [ + 0, + 500 + ], + "default": 0 + } + }, + { + "anthropic_version": { + "required": false, + "type": "string", + "description": "Defines the schema/API version, if using Anthropic provider." + } + }, + { + "azure_instance": { + "required": false, + "type": "string", + "description": "Instance name for Azure OpenAI hosted models." + } + }, + { + "azure_api_version": { + "required": false, + "type": "string", + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances." + } + }, + { + "azure_deployment_id": { + "required": false, + "type": "string", + "description": "Deployment ID for Azure OpenAI instances." 
+ } + }, + { + "llama2_format": { + "required": false, + "description": "If using llama2 provider, select the upstream message format.", + "type": "string", + "one_of": [ + "raw", + "openai", + "ollama" + ] + } + }, + { + "mistral_format": { + "required": false, + "description": "If using mistral provider, select the upstream message format.", + "type": "string", + "one_of": [ + "openai", + "ollama" + ] + } + }, + { + "upstream_url": { + "required": false, + "type": "string", + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint." + } + } + ], + "type": "record", + "description": "Key/value settings for the model" + } + } + ] + } + }, + { + "logging": { + "required": true, + "type": "record", + "fields": [ + { + "log_statistics": { + "required": true, + "type": "boolean", + "default": true, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output." + } + }, + { + "log_payloads": { + "required": true, + "type": "boolean", + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output." 
+ } + } + ] + } + } + ], + "required": true, + "type": "record", + "entity_checks": [ + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "auth.header_name", + "auth.param_name" + ], + "if_match": { + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere" + ] + }, + "then_err": "must set one of %s, and its respective options, when provider is not self-hosted" + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ], + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for llama2 provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ], + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.name" + ], + "if_match": [ + + ], + "then_err": "Must set a model name. Refer to https://docs.konghq.com/hub/kong-inc/ai-proxy/ for supported models." 
+ } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ], + "if_match": { + "one_of": [ + "mistral", + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models" + } + } + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "config.llm.route_type", + "then_match": { + "eq": "llm/v1/chat" + }, + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "then_field": "config.llm.route_type" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-response-transformer/3.6.x.json b/schemas/ai-response-transformer/3.6.x.json new file mode 100644 index 00000000..beccee0f --- /dev/null +++ b/schemas/ai-response-transformer/3.6.x.json 
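Review bot: `config` declares both `ssl_verify` and `https_verify`, each required, defaulting to `true` and carrying the identical description "Verify the TLS certificate of the AI upstream service.", so an operator cannot tell from the schema which one governs certificate verification. If only one is honoured, leaving the other at `true` gives a false impression that verification is on. The ai-response-transformer schema in the next hunk has only `https_verify`, which suggests `ssl_verify` may be a leftover. I would either drop the unused field in the plugin's schema or make the descriptions distinct, for example by marking one as deprecated in favour of the other.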
@@ -0,0 +1,511 @@ +{ + "fields": [ + { + "protocols": { + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "prompt": { + "required": false, + "type": "string", + "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting." + } + }, + { + "transformation_extract_pattern": { + "required": false, + "type": "string", + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the response phase. The first match will be set as the returning body. If the AI service's response doesn't match this pattern, a failure is returned to the client." + } + }, + { + "parse_llm_response_json_instructions": { + "required": true, + "type": "boolean", + "default": false, + "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions." + } + }, + { + "http_timeout": { + "required": true, + "type": "integer", + "default": 60000, + "description": "Timeout in milliseconds for the AI upstream service." + } + }, + { + "https_verify": { + "required": true, + "type": "boolean", + "default": true, + "description": "Verify the TLS certificate of the AI upstream service." 
+ } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "http_proxy_port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "https_proxy_port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "llm": { + "fields": [ + { + "route_type": { + "required": true, + "description": "The model's operation implementation, for this provider.", + "type": "string", + "one_of": [ + "llm/v1/chat", + "llm/v1/completions" + ] + } + }, + { + "auth": { + "required": false, + "type": "record", + "fields": [ + { + "header_name": { + "required": false, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string", + "referenceable": true + } + }, + { + "header_value": { + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "required": false, + "encrypted": true, + "referenceable": true + } + }, + { + "param_name": { + "required": false, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string", + "referenceable": true + } + }, + { + "param_value": { + "type": "string", + "description": "Specify the full parameter value for 'param_name'.", + "required": false, + "encrypted": true, + "referenceable": true + } + }, + { + "param_location": { + "required": false, + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", + "one_of": [ + "query", + "body" + 
] + } + } + ] + } + }, + { + "model": { + "required": true, + "type": "record", + "fields": [ + { + "provider": { + "required": true, + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "type": "string", + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2" + ] + } + }, + { + "name": { + "required": false, + "type": "string", + "description": "Model name to execute." + } + }, + { + "options": { + "required": false, + "fields": [ + { + "max_tokens": { + "required": false, + "type": "integer", + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models." + } + }, + { + "temperature": { + "type": "number", + "description": "Defines the matching temperature, if using chat or completion models.", + "required": false, + "between": [ + 0, + 5 + ], + "default": 1 + } + }, + { + "top_p": { + "type": "number", + "description": "Defines the top-p probability mass, if supported.", + "required": false, + "between": [ + 0, + 1 + ], + "default": 1 + } + }, + { + "top_k": { + "type": "integer", + "description": "Defines the top-k most likely tokens, if supported.", + "required": false, + "between": [ + 0, + 500 + ], + "default": 0 + } + }, + { + "anthropic_version": { + "required": false, + "type": "string", + "description": "Defines the schema/API version, if using Anthropic provider." + } + }, + { + "azure_instance": { + "required": false, + "type": "string", + "description": "Instance name for Azure OpenAI hosted models." + } + }, + { + "azure_api_version": { + "required": false, + "type": "string", + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances." + } + }, + { + "azure_deployment_id": { + "required": false, + "type": "string", + "description": "Deployment ID for Azure OpenAI instances." 
+ } + }, + { + "llama2_format": { + "required": false, + "description": "If using llama2 provider, select the upstream message format.", + "type": "string", + "one_of": [ + "raw", + "openai", + "ollama" + ] + } + }, + { + "mistral_format": { + "required": false, + "description": "If using mistral provider, select the upstream message format.", + "type": "string", + "one_of": [ + "openai", + "ollama" + ] + } + }, + { + "upstream_url": { + "required": false, + "type": "string", + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint." + } + } + ], + "type": "record", + "description": "Key/value settings for the model" + } + } + ] + } + }, + { + "logging": { + "required": true, + "type": "record", + "fields": [ + { + "log_statistics": { + "required": true, + "type": "boolean", + "default": true, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output." + } + }, + { + "log_payloads": { + "required": true, + "type": "boolean", + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output." 
+ } + } + ] + } + } + ], + "required": true, + "type": "record", + "entity_checks": [ + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "auth.header_name", + "auth.param_name" + ], + "if_match": { + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere" + ] + }, + "then_err": "must set one of %s, and its respective options, when provider is not self-hosted" + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ], + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for llama2 provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ], + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.name" + ], + "if_match": [ + + ], + "then_err": "Must set a model name. Refer to https://docs.konghq.com/hub/kong-inc/ai-proxy/ for supported models." 
+ } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ], + "if_match": { + "one_of": [ + "mistral", + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models" + } + } + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "config.llm.route_type", + "then_match": { + "eq": "llm/v1/chat" + }, + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "then_field": "config.llm.route_type" + } + } + ] +} \ No newline at end of file diff --git a/schemas/app-dynamics/3.6.x.json b/schemas/app-dynamics/3.6.x.json new file mode 100644 index 00000000..db9ee9af --- /dev/null +++ b/schemas/app-dynamics/3.6.x.json 
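Review bot: `parse_llm_response_json_instructions` lets the model's output set the status code, body and headers returned to the client, but the description does not say that this makes the LLM response, which is derived from upstream content, authoritative for those values. The default is `false`, which is the safe choice; the description should add a caution along the lines of `Only enable when the upstream content and the model are trusted to control the response status and headers.` Whether the plugin restricts which headers can be set is not visible in this schema. The `prompt` description in this hunk also contains the typo "adn".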
@@ -0,0 +1,34 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "set" + } + }, + { + "config": { + "required": true, + "fields": [ + + ], + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/application-registration/3.6.x.json b/schemas/application-registration/3.6.x.json new file mode 100644 index 00000000..396bd9f5 --- /dev/null +++ b/schemas/application-registration/3.6.x.json 
@@ -0,0 +1,100 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "service": { + "ne": null, + "type": "foreign", + "reference": "services", + "on_delete": "cascade" + } + }, + { + "route": { + "type": "foreign", + "reference": "routes", + "eq": null, + "description": "A reference to the 'routes' table with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "display_name": { + "unique": true, + "type": "string", + "required": true, + "description": "Unique display name used for a Service in the Developer Portal." + } + }, + { + "description": { + "unique": true, + "type": "string", + "description": "Unique description displayed in information about a Service in the Developer Portal." + } + }, + { + "auto_approve": { + "required": true, + "type": "boolean", + "default": false, + "description": "If enabled, all new Service Contracts requests are automatically approved." + } + }, + { + "show_issuer": { + "required": true, + "type": "boolean", + "default": false, + "description": "Displays the **Issuer URL** in the **Service Details** dialog." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/aws-lambda/3.6.x.json b/schemas/aws-lambda/3.6.x.json new file mode 100644 index 00000000..560c25a1 --- /dev/null 
+++ b/schemas/aws-lambda/3.6.x.json 
@@ -0,0 +1,255 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "timeout": { + "type": "number", + "default": 60000, + "required": true, + "description": "An optional timeout in milliseconds when invoking the function." + } + }, + { + "keepalive": { + "type": "number", + "default": 60000, + "required": true, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." + } + }, + { + "aws_key": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The AWS key credential to be used when invoking the function." + } + }, + { + "aws_secret": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The AWS secret credential to be used when invoking the function. " + } + }, + { + "aws_assume_role_arn": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The target AWS IAM role ARN used to invoke the Lambda function." + } + }, + { + "aws_role_session_name": { + "default": "kong", + "type": "string", + "description": "The identifier of the assumed role session." + } + }, + { + "aws_region": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "function_name": { + "type": "string", + "required": false, + "description": "The AWS Lambda function name to invoke." 
+ } + }, + { + "qualifier": { + "type": "string", + "description": "The qualifier to use when invoking the function." + } + }, + { + "invocation_type": { + "required": true, + "type": "string", + "one_of": [ + "RequestResponse", + "Event", + "DryRun" + ], + "default": "RequestResponse", + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun." + } + }, + { + "log_type": { + "required": true, + "type": "string", + "one_of": [ + "Tail", + "None" + ], + "default": "Tail", + "description": "The LogType to use when invoking the function. By default, None and Tail are supported." + } + }, + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 443, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "disable_https": { + "type": "boolean", + "default": false + } + }, + { + "unhandled_status": { + "between": [ + 100, + 999 + ], + "type": "integer", + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error." + } + }, + { + "forward_request_method": { + "default": false, + "type": "boolean", + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request." + } + }, + { + "forward_request_uri": { + "default": false, + "type": "boolean", + "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request." + } + }, + { + "forward_request_headers": { + "default": false, + "type": "boolean", + "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request." 
+ } + }, + { + "forward_request_body": { + "default": false, + "type": "boolean", + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. " + } + }, + { + "is_proxy_integration": { + "default": false, + "type": "boolean", + "description": "An optional value that defines whether the response format to receive from the Lambda to this format." + } + }, + { + "awsgateway_compatible": { + "default": false, + "type": "boolean", + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway." + } + }, + { + "proxy_url": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "skip_large_bodies": { + "default": true, + "type": "boolean", + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk" + } + }, + { + "base64_encode_body": { + "default": true, + "type": "boolean", + "description": "An optional value that Base64-encodes the request body." + } + }, + { + "aws_imds_protocol_version": { + "required": true, + "type": "string", + "one_of": [ + "v1", + "v2" + ], + "default": "v1", + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`." + } + } + ] + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "config.aws_key", + "config.aws_secret" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "config.proxy_url" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/azure-functions/3.6.x.json b/schemas/azure-functions/3.6.x.json new file mode 100644 index 00000000..230f05db --- /dev/null +++ b/schemas/azure-functions/3.6.x.json 
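Review bot: `aws_imds_protocol_version` at the end of the `config` record defaults to `v1`, so a deployment that leaves it unset fetches instance credentials over the IMDS version that has no session token. IMDSv2's token exchange is the protection against request-forgery theft of instance credentials, so I would change this to `"default": "v2",`. If that is not backward compatible for this release line, the description should at least say `v2` is recommended and `v1` is kept for compatibility. Separately, `disable_https` is the only `config` field without a `description`; if it does what its name suggests, add `"description": "When true, the plugin connects to the Lambda endpoint over plain HTTP instead of HTTPS."`. Because this file is downloaded from the API, both changes belong in the plugin's schema source.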
@@ -0,0 +1,125 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "timeout": { + "default": 600000, + "type": "number", + "description": "Timeout in milliseconds before closing a connection to the Azure Functions server." + } + }, + { + "keepalive": { + "default": 60000, + "type": "number", + "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed." + } + }, + { + "https": { + "default": true, + "type": "boolean", + "description": "Use of HTTPS to connect with the Azure Functions server." + } + }, + { + "https_verify": { + "default": false, + "type": "boolean", + "description": "Set to `true` to authenticate the Azure Functions server." + } + }, + { + "apikey": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header." + } + }, + { + "clientid": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header." + } + }, + { + "appname": { + "required": true, + "type": "string", + "description": "The Azure app name." 
+ } + }, + { + "hostdomain": { + "default": "azurewebsites.net", + "required": true, + "type": "string", + "description": "The domain where the function resides." + } + }, + { + "routeprefix": { + "default": "api", + "type": "string", + "description": "Route prefix to use." + } + }, + { + "functionname": { + "required": true, + "type": "string", + "description": "Name of the Azure function to invoke." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/basic-auth/3.6.x.json b/schemas/basic-auth/3.6.x.json new file mode 100644 index 00000000..d13263be --- /dev/null +++ b/schemas/basic-auth/3.6.x.json 
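Review bot: `https_verify` defaults to `false` while `https` defaults to `true`, so by default the connection to the Azure Functions server is encrypted but the server is not authenticated. The same schema says `apikey` and `clientid` are injected as the `x-functions-key` and `x-functions-clientid` headers, so an unauthenticated TLS peer would receive those credentials. I would change the default to `"default": true,` on `https_verify`. If the default cannot change in this release line, extend its description to say that verification is off by default and should be enabled whenever `apikey` or `clientid` is set.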
@@ -0,0 +1,70 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "anonymous": { + "type": "string", + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "hide_credentials": { + "default": false, + "type": "boolean", + "required": true, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/bot-detection/3.6.x.json b/schemas/bot-detection/3.6.x.json new file mode 100644 index 00000000..5065475c --- /dev/null +++ b/schemas/bot-detection/3.6.x.json 
@@ -0,0 +1,79 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "allow": { + "elements": { + "type": "string", + "is_regex": true + }, + "type": "array", + "default": [ + + ], + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header." + } + }, + { + "deny": { + "elements": { + "type": "string", + "is_regex": true + }, + "type": "array", + "default": [ + + ], + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/canary/3.6.x.json b/schemas/canary/3.6.x.json new file mode 100644 index 00000000..4714d4b0 --- /dev/null +++ b/schemas/canary/3.6.x.json 
@@ -0,0 +1,190 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "shorthand_fields": [ + { + "hash": { + "type": "string", + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead." + } + } + ], + "required": true, + "type": "record", + "fields": [ + { + "start": { + "type": "number", + "description": "Future time in seconds since epoch, when the canary release will start. Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`." + } + }, + { + "hash": { + "default": "consumer", + "one_of": [ + "consumer", + "ip", + "none", + "allow", + "deny", + "header" + ], + "type": "string", + "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value." + } + }, + { + "hash_header": { + "type": "string", + "description": "A string representing an HTTP header name." 
+ } + }, + { + "duration": { + "default": 3600, + "gt": 0, + "type": "number", + "description": "The duration of the canary release in seconds." + } + }, + { + "steps": { + "default": 1000, + "gt": 1, + "type": "number", + "description": "The number of steps for the canary release." + } + }, + { + "percentage": { + "between": [ + 0, + 100 + ], + "type": "number", + "description": "The percentage of traffic to be routed to the canary release." + } + }, + { + "upstream_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "upstream_port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "upstream_uri": { + "len_min": 1, + "type": "string", + "description": "The URI of the upstream server to be used for the canary release." + } + }, + { + "upstream_fallback": { + "required": true, + "default": false, + "type": "boolean", + "description": "Specifies whether to fallback to the upstream server if the canary release fails." + } + }, + { + "groups": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "The groups allowed to access the canary release." + } + }, + { + "canary_by_header_name": { + "type": "string", + "description": "A string representing an HTTP header name." + } + } + ] + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.upstream_uri", + "config.upstream_host", + "config.upstream_port" + ] + }, + { + "conditional": { + "then_field": "config.hash_header", + "if_match": { + "eq": "header" + }, + "then_match": { + "required": true + }, + "if_field": "config.hash" + } + }, + { + "conditional": { + "then_field": "config.upstream_host", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + }, + "if_field": "config.upstream_fallback" + } + } + ] +} \ No newline at end of file 
diff --git a/schemas/correlation-id/3.6.x.json b/schemas/correlation-id/3.6.x.json new file mode 100644 index 00000000..23a1ae12 --- /dev/null +++ b/schemas/correlation-id/3.6.x.json @@ -0,0 +1,72 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "header_name": { + "default": "Kong-Request-ID", + "type": "string", + "description": "The HTTP header name to use for the correlation ID." + } + }, + { + "generator": { + "type": "string", + "one_of": [ + "uuid", + "uuid#counter", + "tracker" + ], + "default": "uuid#counter", + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators)." + } + }, + { + "echo_downstream": { + "type": "boolean", + "required": true, + "default": false, + "description": "Whether to echo the header back to downstream (the client)." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/cors/3.6.x.json b/schemas/cors/3.6.x.json new file mode 100644 index 00000000..cd56c729 --- /dev/null +++ b/schemas/cors/3.6.x.json 
@@ -0,0 +1,143 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "len_min": 1, + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string", + "required": true + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "origins": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes." + } + }, + { + "headers": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "Value for the `Access-Control-Allow-Headers` header." + } + }, + { + "exposed_headers": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed." + } + }, + { + "methods": { + "default": [ + "GET", + "HEAD", + "PUT", + "PATCH", + "POST", + "DELETE", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "GET", + "HEAD", + "PUT", + "PATCH", + "POST", + "DELETE", + "OPTIONS", + "TRACE", + "CONNECT" + ] + }, + "description": "'Value for the `Access-Control-Allow-Methods` header. 
Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'" + } + }, + { + "max_age": { + "type": "number", + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`." + } + }, + { + "credentials": { + "type": "boolean", + "required": true, + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value." + } + }, + { + "private_network": { + "type": "boolean", + "required": true, + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value." + } + }, + { + "preflight_continue": { + "type": "boolean", + "required": true, + "default": false, + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/datadog/3.6.x.json b/schemas/datadog/3.6.x.json new file mode 100644 index 00000000..ea4be6ad --- /dev/null +++ b/schemas/datadog/3.6.x.json 
@@ -0,0 +1,346 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "retry_count", + "queue_size", + "flush_timeout" + ] + } + } + ], + "required": true, + "fields": [ + { + "host": { + "default": "localhost", + "referenceable": true, + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 8125, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "prefix": { + "type": "string", + "default": "kong", + "description": "String to be attached as a prefix to a metric's name." + } + }, + { + "service_name_tag": { + "type": "string", + "default": "name", + "description": "String to be attached as the name of the service." + } + }, + { + "status_tag": { + "type": "string", + "default": "status", + "description": "String to be attached as the tag of the HTTP status." + } + }, + { + "consumer_tag": { + "type": "string", + "default": "consumer", + "description": "String to be attached as tag of the consumer." + } + }, + { + "retry_count": { + "type": "integer", + "description": "Number of times to retry when sending data to the upstream server." 
+ } + }, + { + "queue_size": { + "type": "integer", + "description": "Maximum number of log entries to be sent on each message to the upstream server." + } + }, + { + "flush_timeout": { + "type": "number", + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records." + } + }, + { + "queue": { + "type": "record", + "required": true, + "fields": [ + { + "max_batch_size": { + "between": [ + 1, + 1000000 + ], + "type": "integer", + "default": 1, + "description": "Maximum number of entries that can be processed at a time." + } + }, + { + "max_coalescing_delay": { + "between": [ + 0, + 3600 + ], + "type": "number", + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + } + }, + { + "max_entries": { + "between": [ + 1, + 1000000 + ], + "type": "integer", + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue." + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + } + }, + { + "max_retry_time": { + "type": "number", + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + } + }, + { + "initial_retry_delay": { + "between": [ + 0.001, + 1000000 + ], + "type": "number", + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch." + } + }, + { + "max_retry_delay": { + "between": [ + 0.001, + 1000000 + ], + "type": "number", + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff." 
+ } + } + ] + } + }, + { + "metrics": { + "required": true, + "type": "array", + "elements": { + "entity_checks": [ + { + "conditional": { + "then_field": "sample_rate", + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_match": { + "required": true + }, + "if_field": "stat_type" + } + } + ], + "type": "record", + "fields": [ + { + "name": { + "type": "string", + "one_of": [ + "kong_latency", + "latency", + "request_count", + "request_size", + "response_size", + "upstream_latency" + ], + "required": true, + "description": "Datadog metric’s name" + } + }, + { + "stat_type": { + "type": "string", + "one_of": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer", + "distribution" + ], + "required": true, + "description": "Determines what sort of event the metric represents" + } + }, + { + "tags": { + "type": "array", + "elements": { + "type": "string", + "match": "^.*[^:]$" + }, + "description": "List of tags" + } + }, + { + "sample_rate": { + "between": [ + 0, + 1 + ], + "type": "number", + "description": "Sampling rate" + } + }, + { + "consumer_identifier": { + "one_of": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string", + "description": "Authenticated user detail" + } + } + ] + }, + "default": [ + { + "tags": [ + "app:kong" + ], + "name": "request_count", + "sample_rate": 1, + "stat_type": "counter", + "consumer_identifier": "custom_id" + }, + { + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id", + "stat_type": "timer", + "name": "latency" + }, + { + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id", + "stat_type": "timer", + "name": "request_size" + }, + { + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id", + "stat_type": "timer", + "name": "response_size" + }, + { + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id", + "stat_type": "timer", + "name": "upstream_latency" + }, + { + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id", + 
"stat_type": "timer", + "name": "kong_latency" + } + ], + "description": "List of metrics to be logged." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/degraphql/3.6.x.json b/schemas/degraphql/3.6.x.json new file mode 100644 index 00000000..b28b09c3 --- /dev/null +++ b/schemas/degraphql/3.6.x.json @@ -0,0 +1,68 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "graphql_server_path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "required": true, + "starts_with": "/", + "type": "string", + "default": "/graphql", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/exit-transformer/3.6.x.json b/schemas/exit-transformer/3.6.x.json new file mode 100644 index 00000000..1dda7df4 --- /dev/null +++ b/schemas/exit-transformer/3.6.x.json 
@@ -0,0 +1,68 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "functions": { + "type": "array", + "elements": { + "type": "string" + }, + "required": true + } + }, + { + "handle_unknown": { + "type": "boolean", + "default": false, + "description": "Determines whether to handle unknown status codes by transforming their responses." + } + }, + { + "handle_unexpected": { + "type": "boolean", + "default": false, + "description": "Determines whether to handle unexpected errors by transforming their responses." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/file-log/3.6.x.json b/schemas/file-log/3.6.x.json new file mode 100644 index 00000000..ff1a4be1 --- /dev/null +++ b/schemas/file-log/3.6.x.json 
@@ -0,0 +1,83 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "path": { + "match": "^[^*&%%\\`]+$", + "required": true, + "type": "string", + "err": "not a valid filename", + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet." + } + }, + { + "reopen": { + "type": "boolean", + "required": true, + "default": false, + "description": "Determines whether the log file is closed and reopened on every request." + } + }, + { + "custom_fields_by_lua": { + "keys": { + "type": "string", + "len_min": 1 + }, + "values": { + "len_min": 1, + "type": "string" + }, + "type": "map", + "description": "Lua code as a key-value map" + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/forward-proxy/3.6.x.json b/schemas/forward-proxy/3.6.x.json new file mode 100644 index 00000000..ee73c460 --- /dev/null +++ b/schemas/forward-proxy/3.6.x.json 
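Review bot: The `match` pattern on `path` rejects only a handful of characters, so it does not confine the log file to a log directory, and `custom_fields_by_lua` accepts Lua source with no constraint beyond `len_min` 1. Both may be by design, but the descriptions do not say that write access to this plugin's configuration lets an administrator choose where the Kong worker writes and what Lua it evaluates. Whether that Lua is sandboxed is not visible in this schema. I would extend the `custom_fields_by_lua` description to `"Lua code as a key-value map. The code is evaluated inside Kong for logged requests; restrict who may configure this plugin."` and add a similar sentence to `path`.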
@@ -0,0 +1,163 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "shorthand_fields": [ + { + "proxy_host": { + "type": "string" + } + }, + { + "proxy_port": { + "type": "integer" + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "http_proxy_host", + "https_proxy_host" + ] + }, + { + "at_least_one_of": [ + "http_proxy_port", + "https_proxy_port" + ] + }, + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], + "required": true, + "fields": [ + { + "x_headers": { + "required": true, + "type": "string", + "one_of": [ + "append", + "transparent", + "delete" + ], + "default": "append", + "description": "Determines how to handle headers when forwarding the request." + } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "http_proxy_port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "https_proxy_port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ } + }, + { + "proxy_scheme": { + "required": true, + "type": "string", + "one_of": [ + "http" + ], + "default": "http", + "description": "The proxy scheme to use when connecting. Only `http` is supported." + } + }, + { + "auth_username": { + "type": "string", + "referenceable": true, + "required": false, + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication." + } + }, + { + "auth_password": { + "type": "string", + "referenceable": true, + "required": false, + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication." + } + }, + { + "https_verify": { + "default": false, + "type": "boolean", + "required": true, + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/graphql-proxy-cache-advanced/3.6.x.json b/schemas/graphql-proxy-cache-advanced/3.6.x.json new file mode 100644 index 00000000..900b6cc7 --- /dev/null +++ b/schemas/graphql-proxy-cache-advanced/3.6.x.json 
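Review bot: In `schemas/forward-proxy/3.6.x.json`, `config.https_verify` ships with `"default": false`, so a plugin instance created without setting it does not verify the server certificate, and the description never mentions this. I would have the description state the default and its consequence, e.g. `"Whether the server certificate is verified against the CA certificates in lua_ssl_trusted_certificate. Defaults to false (no verification); set to true in production."`. Separately, `auth_password` is `referenceable` but lacks the `"encrypted": true` flag that the Redis `password` field in the graphql-rate-limiting-advanced schema further down this page carries; it is worth confirming that this is intentional.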
@@ -0,0 +1,89 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "strategy": { + "required": true, + "type": "string", + "one_of": [ + "memory" + ], + "default": "memory", + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`." + } + }, + { + "cache_ttl": { + "type": "integer", + "gt": 0, + "default": 300, + "description": "TTL in seconds of cache entities. Must be a value greater than 0." + } + }, + { + "memory": { + "type": "record", + "required": true, + "fields": [ + { + "dictionary_name": { + "type": "string", + "required": true, + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template." + } + } + ] + } + }, + { + "vary_headers": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/graphql-rate-limiting-advanced/3.6.x.json b/schemas/graphql-rate-limiting-advanced/3.6.x.json new file mode 100644 index 00000000..9702bd51 --- /dev/null +++ b/schemas/graphql-rate-limiting-advanced/3.6.x.json 
@@ -0,0 +1,405 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "identifier": { + "required": true, + "type": "string", + "one_of": [ + "ip", + "credential", + "consumer" + ], + "default": "consumer", + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`." + } + }, + { + "window_size": { + "type": "array", + "required": true, + "elements": { + "type": "number" + }, + "description": "One or more window sizes to apply a limit to (defined in seconds)." + } + }, + { + "window_type": { + "type": "string", + "one_of": [ + "fixed", + "sliding" + ], + "default": "sliding", + "description": "Sets the time window to either `sliding` or `fixed`." + } + }, + { + "limit": { + "type": "array", + "required": true, + "elements": { + "type": "number" + }, + "description": "One or more requests-per-window limits to apply." + } + }, + { + "sync_rate": { + "type": "number", + "required": true, + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds." + } + }, + { + "namespace": { + "auto": true, + "type": "string", + "description": "The rate limiting library namespace to use for this plugin instance. 
NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same." + } + }, + { + "strategy": { + "required": true, + "type": "string", + "one_of": [ + "cluster", + "redis" + ], + "default": "cluster", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits." + } + }, + { + "dictionary_name": { + "type": "string", + "default": "kong_rate_limiting_counters", + "required": true, + "description": "The shared dictionary where counters will be stored until the next sync cycle." + } + }, + { + "hide_client_headers": { + "default": false, + "type": "boolean", + "description": "Optionally hide informative response headers. Available options: `true` or `false`." + } + }, + { + "cost_strategy": { + "type": "string", + "one_of": [ + "default", + "node_quantifier" + ], + "default": "default", + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`." + } + }, + { + "score_factor": { + "gt": 0, + "type": "number", + "required": false, + "default": 1, + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0." + } + }, + { + "max_cost": { + "type": "number", + "default": 0, + "required": false, + "description": "A defined maximum cost per query. 0 means unlimited." 
+ } + }, + { + "redis": { + "type": "record", + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_addresses" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ], + "required": true, + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "connect_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "send_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "read_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "username": { + "referenceable": true, + "type": "string", + "description": "Username to use for Redis connections. 
If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + } + }, + { + "password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + } + }, + { + "sentinel_username": { + "referenceable": true, + "type": "string", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + } + }, + { + "sentinel_password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + } + }, + { + "database": { + "default": 0, + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy" + } + }, + { + "keepalive_pool_size": { + "between": [ + 1, + 2147483646 + ], + "default": 256, + "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. 
Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "one_of": [ + "master", + "slave", + "any" + ], + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_addresses": { + "len_min": 1, + "elements": { + "type": "string" + }, + "type": "array", + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element." + } + }, + { + "cluster_addresses": { + "len_min": 1, + "elements": { + "type": "string" + }, + "type": "array", + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element." + } + }, + { + "ssl": { + "default": false, + "required": false, + "type": "boolean", + "description": "If set to true, uses SSL to connect to Redis." + } + }, + { + "ssl_verify": { + "default": false, + "required": false, + "type": "boolean", + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." 
+ } + }, + { + "server_name": { + "required": false, + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS." + } + } + ] + } + } + ] + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/grpc-gateway/3.6.x.json b/schemas/grpc-gateway/3.6.x.json new file mode 100644 index 00000000..e5c44164 --- /dev/null +++ b/schemas/grpc-gateway/3.6.x.json @@ -0,0 +1,59 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "proto": { + "type": "string", + "required": false, + "description": "Describes the gRPC types and methods." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/grpc-web/3.6.x.json b/schemas/grpc-web/3.6.x.json new file mode 100644 index 00000000..83276fac --- /dev/null +++ b/schemas/grpc-web/3.6.x.json 
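Review bot: In `schemas/graphql-rate-limiting-advanced/3.6.x.json`, the `redis` record defaults both `ssl` and `ssl_verify` to `false`, while `password` and `sentinel_password` are sent in AUTH commands. With those defaults the credentials and counter data cross the network unencrypted, and enabling `ssl` alone still leaves the server certificate unchecked. The `ssl` description should say so, for example `"If set to true, uses SSL to connect to Redis. Defaults to false; enable together with ssl_verify whenever a password is configured."`. Since this file is a downloaded copy, the wording has to change in the schema served by the API.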
@@ -0,0 +1,74 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "proto": { + "type": "string", + "required": false, + "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content." + } + }, + { + "pass_stripped_path": { + "required": false, + "type": "boolean", + "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service." + } + }, + { + "allow_origin_header": { + "type": "string", + "default": "*", + "required": false, + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/hmac-auth/3.6.x.json b/schemas/hmac-auth/3.6.x.json new file mode 100644 index 00000000..01d6da0d --- /dev/null +++ b/schemas/hmac-auth/3.6.x.json 
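Review bot: In `schemas/grpc-web/3.6.x.json`, `config.allow_origin_header` defaults to `"*"`, so every instance that leaves it unset answers with `Access-Control-Allow-Origin: *` and lets any web origin read the responses. The description should name the default and advise an explicit origin for services that are not meant to be public, e.g. `"The value of the Access-Control-Allow-Origin header in the response to the gRPC-Web client. Defaults to *, which allows any origin; set a specific origin for non-public services."`. The `proto` description also misspells the content type as `application/grpw-web+proto`; presumably `application/grpc-web+proto` is meant.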
@@ -0,0 +1,125 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "hide_credentials": { + "default": false, + "required": true, + "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service." + } + }, + { + "clock_skew": { + "default": 300, + "gt": 0, + "type": "number", + "description": "Clock skew in seconds to prevent replay attacks." + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + } + }, + { + "validate_request_body": { + "default": false, + "required": true, + "type": "boolean", + "description": "A boolean value telling the plugin to enable body validation." + } + }, + { + "enforce_headers": { + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ], + "description": "A list of headers that the client should at least use for HTTP signature creation." 
+ } + }, + { + "algorithms": { + "elements": { + "type": "string", + "one_of": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ] + }, + "type": "array", + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`" + } + } + ] + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.algorithms" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/http-log/3.6.x.json b/schemas/http-log/3.6.x.json new file mode 100644 index 00000000..1e8e78d7 --- /dev/null +++ b/schemas/http-log/3.6.x.json 
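Review bot: In `schemas/hmac-auth/3.6.x.json`, the default for `config.algorithms` lists `hmac-sha1` first, so a plugin instance with no explicit setting accepts SHA-1 based signatures. HMAC-SHA1 has no known practical forgery, but many compliance baselines no longer allow SHA-1, and the description gives no guidance. I would append `Restrict this list to the SHA-2 variants unless legacy clients require hmac-sha1.` to it. The `protocols` field in this file also has no description at all, unlike the other schemas on this page.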
@@ -0,0 +1,245 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "required": true, + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "retry_count", + "queue_size", + "flush_timeout" + ] + } + } + ], + "type": "record", + "fields": [ + { + "http_endpoint": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "method": { + "default": "POST", + "one_of": [ + "POST", + "PUT", + "PATCH" + ], + "type": "string", + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`." + } + }, + { + "content_type": { + "default": "application/json", + "one_of": [ + "application/json", + "application/json; charset=utf-8" + ], + "type": "string", + "description": "Indicates the type of data sent. The only available option is `application/json`." + } + }, + { + "timeout": { + "default": 10000, + "type": "number", + "description": "An optional timeout in milliseconds when sending data to the upstream server." + } + }, + { + "keepalive": { + "default": 60000, + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed." 
+ } + }, + { + "retry_count": { + "type": "integer", + "description": "Number of times to retry when sending data to the upstream server." + } + }, + { + "queue_size": { + "type": "integer", + "description": "Maximum number of log entries to be sent on each message to the upstream server." + } + }, + { + "flush_timeout": { + "type": "number", + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records." + } + }, + { + "headers": { + "keys": { + "match_none": [ + { + "pattern": "^[Hh][Oo][Ss][Tt]$", + "err": "cannot contain 'Host' header" + }, + { + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$", + "err": "cannot contain 'Content-Length' header" + }, + { + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$", + "err": "cannot contain 'Content-Type' header" + } + ], + "type": "string", + "description": "A string representing an HTTP header name." + }, + "values": { + "type": "string", + "referenceable": true + }, + "type": "map", + "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string." + } + }, + { + "queue": { + "type": "record", + "required": true, + "fields": [ + { + "max_batch_size": { + "between": [ + 1, + 1000000 + ], + "type": "integer", + "default": 1, + "description": "Maximum number of entries that can be processed at a time." + } + }, + { + "max_coalescing_delay": { + "between": [ + 0, + 3600 + ], + "type": "number", + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + } + }, + { + "max_entries": { + "between": [ + 1, + 1000000 + ], + "type": "integer", + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue." 
+ } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + } + }, + { + "max_retry_time": { + "type": "number", + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + } + }, + { + "initial_retry_delay": { + "between": [ + 0.001, + 1000000 + ], + "type": "number", + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch." + } + }, + { + "max_retry_delay": { + "between": [ + 0.001, + 1000000 + ], + "type": "number", + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff." + } + } + ] + } + }, + { + "custom_fields_by_lua": { + "keys": { + "type": "string", + "len_min": 1 + }, + "values": { + "len_min": 1, + "type": "string" + }, + "type": "map", + "description": "Lua code as a key-value map" + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/ip-restriction/3.6.x.json b/schemas/ip-restriction/3.6.x.json new file mode 100644 index 00000000..5b4e7790 --- /dev/null +++ b/schemas/ip-restriction/3.6.x.json 
@@ -0,0 +1,85 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "default": [ + "http", + "https", + "tcp", + "tls", + "grpc", + "grpcs" + ], + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "allow": { + "type": "array", + "elements": { + "type": "string", + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + }, + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified." + } + }, + { + "deny": { + "type": "array", + "elements": { + "type": "string", + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + }, + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified." + } + }, + { + "status": { + "type": "number", + "required": false, + "description": "The HTTP status of the requests that will be rejected by the plugin." + } + }, + { + "message": { + "type": "string", + "required": false, + "description": "The message to send as a response body to rejected requests." + } + } + ] + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/jq/3.6.x.json b/schemas/jq/3.6.x.json new file mode 100644 index 00000000..44a57883 --- /dev/null +++ b/schemas/jq/3.6.x.json 
@@ -0,0 +1,197 @@ +{ + "fields": [ + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "request_jq_program", + "response_jq_program" + ] + } + ], + "required": true, + "fields": [ + { + "request_jq_program": { + "type": "string", + "required": false + } + }, + { + "request_jq_program_options": { + "default": [ + + ], + "type": "record", + "required": false, + "fields": [ + { + "compact_output": { + "type": "boolean", + "required": true, + "default": true + } + }, + { + "raw_output": { + "type": "boolean", + "required": true, + "default": false + } + }, + { + "join_output": { + "type": "boolean", + "required": true, + "default": false + } + }, + { + "ascii_output": { + "type": "boolean", + "required": true, + "default": false + } + }, + { + "sort_keys": { + "type": "boolean", + "required": true, + "default": false + } + } + ] + } + }, + { + "request_if_media_type": { + "required": false, + "type": "array", + "default": [ + "application/json" + ], + "elements": { + "type": "string" + } + } + }, + { + "response_jq_program": { + "type": "string", + "required": false + } + }, + { + "response_jq_program_options": { + "default": [ + + ], + "type": "record", + "required": false, + "fields": [ + { + "compact_output": { + "type": "boolean", + "required": true, + "default": true + } + }, + { + "raw_output": { + "type": "boolean", + "required": true, + "default": false + } + }, + { + "join_output": { + "type": "boolean", + "required": true, + "default": false + } + 
}, + { + "ascii_output": { + "type": "boolean", + "required": true, + "default": false + } + }, + { + "sort_keys": { + "type": "boolean", + "required": true, + "default": false + } + } + ] + } + }, + { + "response_if_media_type": { + "required": false, + "type": "array", + "default": [ + "application/json" + ], + "elements": { + "type": "string" + } + } + }, + { + "response_if_status_code": { + "required": false, + "type": "array", + "default": [ + 200 + ], + "elements": { + "type": "integer", + "between": [ + 100, + 599 + ] + } + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/jwe-decrypt/3.6.x.json b/schemas/jwe-decrypt/3.6.x.json new file mode 100644 index 00000000..83c8a1e4 --- /dev/null +++ b/schemas/jwe-decrypt/3.6.x.json 
@@ -0,0 +1,86 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "lookup_header_name": { + "default": "Authorization", + "type": "string", + "required": true, + "description": "The name of the header to look for the JWE token." + } + }, + { + "forward_header_name": { + "default": "Authorization", + "type": "string", + "required": true, + "description": "The name of the header that is used to set the decrypted value." + } + }, + { + "key_sets": { + "required": true, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token." + } + }, + { + "strict": { + "type": "boolean", + "default": true, + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/jwt-signer/3.6.x.json b/schemas/jwt-signer/3.6.x.json new file mode 100644 index 00000000..a9398113 --- /dev/null +++ b/schemas/jwt-signer/3.6.x.json 
@@ -0,0 +1,726 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "realm": { + "type": "string", + "required": false, + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value." + } + }, + { + "enable_hs_signatures": { + "type": "boolean", + "default": false, + "required": false, + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting." + } + }, + { + "enable_instrumentation": { + "type": "boolean", + "default": false, + "required": false, + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level." + } + }, + { + "access_token_issuer": { + "type": "string", + "default": "kong", + "required": false, + "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token." 
+ } + }, + { + "access_token_keyset": { + "type": "string", + "default": "kong", + "required": false, + "description": "The name of the keyset containing signing keys." + } + }, + { + "access_token_jwks_uri": { + "required": false, + "type": "string", + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token." + } + }, + { + "access_token_request_header": { + "type": "string", + "default": "Authorization", + "required": false, + "description": "This parameter tells the name of the header where to look for the access token." + } + }, + { + "access_token_leeway": { + "type": "number", + "default": 0, + "required": false, + "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`." + } + }, + { + "access_token_scopes_required": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`." + } + }, + { + "access_token_scopes_claim": { + "type": "array", + "required": false, + "default": [ + "scope" + ], + "elements": { + "type": "string" + }, + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`." + } + }, + { + "access_token_consumer_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity." 
+ } + }, + { + "access_token_consumer_by": { + "type": "array", + "required": false, + "default": [ + "username", + "custom_id" + ], + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`." + } + }, + { + "access_token_upstream_header": { + "type": "string", + "default": "Authorization:Bearer", + "required": false, + "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token." + } + }, + { + "access_token_upstream_leeway": { + "type": "number", + "default": 0, + "required": false, + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim." + } + }, + { + "access_token_introspection_endpoint": { + "required": false, + "type": "string", + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter." + } + }, + { + "access_token_introspection_authorization": { + "type": "string", + "required": false, + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter." 
+ } + }, + { + "access_token_introspection_body_args": { + "type": "string", + "required": false, + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`." + } + }, + { + "access_token_introspection_hint": { + "type": "string", + "default": "access_token", + "required": false, + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`." + } + }, + { + "access_token_introspection_jwt_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`." + } + }, + { + "access_token_introspection_scopes_required": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`." + } + }, + { + "access_token_introspection_scopes_claim": { + "type": "array", + "required": true, + "default": [ + "scope" + ], + "elements": { + "type": "string" + }, + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`." 
+ } + }, + { + "access_token_introspection_consumer_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity." + } + }, + { + "access_token_introspection_consumer_by": { + "type": "array", + "required": false, + "default": [ + "username", + "custom_id" + ], + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values." + } + }, + { + "access_token_introspection_leeway": { + "type": "number", + "default": 0, + "required": false, + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`." + } + }, + { + "access_token_introspection_timeout": { + "type": "number", + "required": false, + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection." 
+ } + }, + { + "access_token_signing_algorithm": { + "required": true, + "type": "string", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ], + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm." + } + }, + { + "access_token_optional": { + "type": "boolean", + "default": false, + "required": false, + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect" + } + }, + { + "verify_access_token_signature": { + "type": "boolean", + "default": true, + "required": false, + "description": "Quickly turn access token signature verification off and on as needed." + } + }, + { + "verify_access_token_expiry": { + "type": "boolean", + "default": true, + "required": false, + "description": "Quickly turn access token expiry verification off and on as needed." + } + }, + { + "verify_access_token_scopes": { + "type": "boolean", + "default": true, + "required": false, + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`." 
+ } + }, + { + "verify_access_token_introspection_expiry": { + "type": "boolean", + "default": true, + "required": false, + "description": "Quickly turn access token introspection expiry verification off and on as needed." + } + }, + { + "verify_access_token_introspection_scopes": { + "type": "boolean", + "default": true, + "required": false, + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`." + } + }, + { + "cache_access_token_introspection": { + "type": "boolean", + "default": true, + "required": false, + "description": "Whether to cache access token introspection results." + } + }, + { + "trust_access_token_introspection": { + "type": "boolean", + "default": true, + "required": false, + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload." + } + }, + { + "enable_access_token_introspection": { + "type": "boolean", + "default": true, + "required": false, + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection." + } + }, + { + "channel_token_issuer": { + "type": "string", + "default": "kong", + "required": false, + "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token." + } + }, + { + "channel_token_keyset": { + "type": "string", + "default": "kong", + "required": false, + "description": "The name of the keyset containing signing keys." 
+ } + }, + { + "channel_token_jwks_uri": { + "required": false, + "type": "string", + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`." + } + }, + { + "channel_token_request_header": { + "type": "string", + "required": false, + "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string)." + } + }, + { + "channel_token_leeway": { + "type": "number", + "default": 0, + "required": false, + "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`." + } + }, + { + "channel_token_scopes_required": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`." + } + }, + { + "channel_token_scopes_claim": { + "type": "array", + "required": false, + "default": [ + "scope" + ], + "elements": { + "type": "string" + }, + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims." + } + }, + { + "channel_token_consumer_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. 
Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`." + } + }, + { + "channel_token_consumer_by": { + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "type": "array", + "default": [ + "username", + "custom_id" + ], + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`." + } + }, + { + "channel_token_upstream_header": { + "type": "string", + "required": false, + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value." + } + }, + { + "channel_token_upstream_leeway": { + "type": "number", + "default": 0, + "required": false, + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim." + } + }, + { + "channel_token_introspection_endpoint": { + "required": false, + "type": "string", + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead." + } + }, + { + "channel_token_introspection_authorization": { + "required": false, + "type": "string", + "elements": { + "type": "string" + }, + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. 
Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens." + } + }, + { + "channel_token_introspection_body_args": { + "required": false, + "type": "string", + "elements": { + "type": "string" + }, + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`." + } + }, + { + "channel_token_introspection_hint": { + "required": false, + "type": "string", + "elements": { + "type": "string" + }, + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection." + } + }, + { + "channel_token_introspection_jwt_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong." + } + }, + { + "channel_token_introspection_scopes_required": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`." 
+ } + }, + { + "channel_token_introspection_scopes_claim": { + "type": "array", + "required": false, + "default": [ + "scope" + ], + "elements": { + "type": "string" + }, + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims." + } + }, + { + "channel_token_introspection_consumer_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity" + } + }, + { + "channel_token_introspection_consumer_by": { + "type": "array", + "required": false, + "default": [ + "username", + "custom_id" + ], + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`." + } + }, + { + "channel_token_introspection_leeway": { + "type": "number", + "default": 0, + "required": false, + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`." 
+ } + }, + { + "channel_token_introspection_timeout": { + "type": "number", + "required": false, + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection." + } + }, + { + "channel_token_signing_algorithm": { + "required": true, + "type": "string", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ], + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token." + } + }, + { + "channel_token_optional": { + "type": "boolean", + "default": false, + "required": false, + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect" + } + }, + { + "verify_channel_token_signature": { + "type": "boolean", + "default": true, + "required": false, + "description": "Quickly turn on/off the channel token signature verification." 
+ } + }, + { + "verify_channel_token_expiry": { + "type": "boolean", + "required": false, + "default": true + } + }, + { + "verify_channel_token_scopes": { + "type": "boolean", + "default": true, + "required": false, + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`." + } + }, + { + "verify_channel_token_introspection_expiry": { + "type": "boolean", + "default": true, + "required": false, + "description": "Quickly turn on/off the channel token introspection expiry verification." + } + }, + { + "verify_channel_token_introspection_scopes": { + "type": "boolean", + "default": true, + "required": false, + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`." + } + }, + { + "cache_channel_token_introspection": { + "type": "boolean", + "default": true, + "required": false, + "description": "Whether to cache channel token introspection results." + } + }, + { + "trust_channel_token_introspection": { + "type": "boolean", + "default": true, + "required": false, + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked." + } + }, + { + "enable_channel_token_introspection": { + "type": "boolean", + "default": true, + "required": false, + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`." 
+ } + }, + { + "add_claims": { + "required": false, + "values": { + "type": "string" + }, + "keys": { + "type": "string" + }, + "type": "map", + "default": [ + + ], + "description": "Add customized claims if they are not present yet." + } + }, + { + "set_claims": { + "required": false, + "values": { + "type": "string" + }, + "keys": { + "type": "string" + }, + "type": "map", + "default": [ + + ], + "description": "Set customized claims. If a claim is already present, it will be overwritten." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/jwt/3.6.x.json b/schemas/jwt/3.6.x.json new file mode 100644 index 00000000..e73388ed --- /dev/null +++ b/schemas/jwt/3.6.x.json 
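Review bot: `access_token_introspection_authorization` holds the `Authorization` header value the plugin sends to the introspection endpoint, which is a client credential, yet it is declared as a plain `string` with neither `encrypted` nor `referenceable`; the `user` and `password` fields of `schemas/kafka-log/3.6.x.json` in this same patch carry both. If the plugin supports it, the upstream schema should add `"encrypted": true, "referenceable": true` to this field and to `channel_token_introspection_authorization`; otherwise the description should tell operators that the value is kept as ordinary configuration. The channel-side field's description also speaks of the introspection endpoint URI rather than the header value, and it declares `elements` on a `string` type (as do `channel_token_introspection_body_args` and `channel_token_introspection_hint`), so the generated documentation does not say what the field holds.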
@@ -0,0 +1,153 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "uri_param_names": { + "elements": { + "type": "string" + }, + "type": "set", + "default": [ + "jwt" + ], + "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs." + } + }, + { + "cookie_names": { + "elements": { + "type": "string" + }, + "type": "set", + "default": [ + + ], + "description": "A list of cookie names that Kong will inspect to retrieve JWTs." + } + }, + { + "key_claim_name": { + "type": "string", + "default": "iss", + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order." + } + }, + { + "secret_is_base64": { + "required": true, + "type": "boolean", + "default": false, + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret." + } + }, + { + "claims_to_verify": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "exp", + "nbf" + ] + }, + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. 
Accepted values: one of exp or nbf." + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + } + }, + { + "run_on_preflight": { + "required": true, + "type": "boolean", + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed." + } + }, + { + "maximum_expiration": { + "between": [ + 0, + 31536000 + ], + "type": "number", + "default": 0, + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future." + } + }, + { + "header_names": { + "elements": { + "type": "string" + }, + "type": "set", + "default": [ + "authorization" + ], + "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs." + } + } + ] + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "config.claims_to_verify", + "if_match": { + "gt": 0 + }, + "then_match": { + "contains": "exp" + }, + "if_field": "config.maximum_expiration" + } + } + ] +} \ No newline at end of file diff --git a/schemas/kafka-log/3.6.x.json b/schemas/kafka-log/3.6.x.json new file mode 100644 index 00000000..c4c925f6 --- /dev/null +++ b/schemas/kafka-log/3.6.x.json 
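Review bot: The `claims_to_verify` description does not say that no claim is verified by default: the field has no `default`, `maximum_expiration` defaults to `0`, and the only entity check requires `exp` just when `maximum_expiration` is greater than 0. Read together, a plugin enabled with the default configuration appears to accept tokens without checking `exp` or `nbf`. I would extend the description with `Not set by default; add "exp" to reject expired tokens.` This reading is inferred from the schema alone and should be confirmed against the plugin before the wording is published.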
@@ -0,0 +1,280 @@
+{
+ "fields": [
+ {
+ "protocols": {
+ "required": true,
+ "type": "set",
+ "elements": {
+ "type": "string",
+ "one_of": [
+ "grpc",
+ "grpcs",
+ "http",
+ "https",
+ "ws",
+ "wss"
+ ]
+ },
+ "default": [
+ "grpc",
+ "grpcs",
+ "http",
+ "https",
+ "ws",
+ "wss"
+ ]
+ }
+ },
+ {
+ "consumer_group": {
+ "type": "foreign",
+ "reference": "consumer_groups",
+ "eq": null,
+ "description": "Custom type for representing a foreign key with a null value allowed."
+ }
+ },
+ {
+ "config": {
+ "type": "record",
+ "entity_checks": [
+ {
+ "custom_entity_check": {
+ "field_sources": [
+ "authentication"
+ ]
+ }
+ }
+ ],
+ "required": true,
+ "fields": [
+ {
+ "bootstrap_servers": {
+ "type": "set",
+ "elements": {
+ "type": "record",
+ "fields": [
+ {
+ "host": {
+ "required": true,
+ "type": "string",
+ "description": "A string representing a host name, such as example.com."
+ }
+ },
+ {
+ "port": {
+ "between": [
+ 0,
+ 65535
+ ],
+ "required": true,
+ "type": "integer",
+ "description": "An integer representing a port number between 0 and 65535, inclusive."
+ }
+ }
+ ]
+ },
+ "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format."
+ }
+ },
+ {
+ "topic": {
+ "type": "string",
+ "required": true,
+ "description": "The Kafka topic to publish to."
+ }
+ },
+ {
+ "timeout": {
+ "type": "integer",
+ "default": 10000,
+ "description": "Socket timeout in milliseconds."
+ }
+ },
+ {
+ "keepalive": {
+ "type": "integer",
+ "default": 60000
+ }
+ },
+ {
+ "keepalive_enabled": {
+ "type": "boolean",
+ "default": false
+ }
+ },
+ {
+ "authentication": {
+ "type": "record",
+ "required": true,
+ "fields": [
+ {
+ "strategy": {
+ "type": "string",
+ "one_of": [
+ "sasl"
+ ],
+ "required": false,
+ "description": "The authentication strategy for the plugin, the only option for the value is `sasl`."
+ }
+ },
+ {
+ "mechanism": {
+ "type": "string",
+ "one_of": [
+ "PLAIN",
+ "SCRAM-SHA-256",
+ "SCRAM-SHA-512"
+ ],
+ "required": false,
+ "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`."
+ }
+ },
+ {
+ "tokenauth": {
+ "type": "boolean",
+ "required": false,
+ "description": "Enable this to indicate `DelegationToken` authentication"
+ }
+ },
+ {
+ "user": {
+ "required": false,
+ "type": "string",
+ "referenceable": true,
+ "encrypted": true,
+ "description": "Username for SASL authentication."
+ }
+ },
+ {
+ "password": {
+ "required": false,
+ "type": "string",
+ "referenceable": true,
+ "encrypted": true,
+ "description": "Password for SASL authentication."
+ }
+ }
+ ]
+ }
+ },
+ {
+ "security": {
+ "type": "record",
+ "required": true,
+ "fields": [
+ {
+ "certificate_id": {
+ "uuid": true,
+ "type": "string",
+ "required": false,
+ "description": "UUID of certificate entity for mTLS authentication."
+ }
+ },
+ {
+ "ssl": {
+ "type": "boolean",
+ "required": false,
+ "description": "Enables TLS."
+ }
+ }
+ ]
+ }
+ },
+ {
+ "cluster_name": {
+ "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.",
+ "type": "string",
+ "required": false,
+ "auto": true
+ }
+ },
+ {
+ "producer_request_acks": {
+ "type": "integer",
+ "one_of": [
+ -1,
+ 0,
+ 1
+ ],
+ "default": 1,
+ "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set)."
+ }
+ },
+ {
+ "producer_request_timeout": {
+ "type": "integer",
+ "default": 2000,
+ "description": "Time to wait for a Produce response in milliseconds"
+ }
+ },
+ {
+ "producer_request_limits_messages_per_request": {
+ "type": "integer",
+ "default": 200,
+ "description": "Maximum number of messages to include into a single Produce request."
+ }
+ },
+ {
+ "producer_request_limits_bytes_per_request": {
+ "type": "integer",
+ "default": 1048576,
+ "description": "Maximum size of a Produce request in bytes."
+ }
+ },
+ {
+ "producer_request_retries_max_attempts": {
+ "type": "integer",
+ "default": 10,
+ "description": "Maximum number of retry attempts per single Produce request."
+ }
+ },
+ {
+ "producer_request_retries_backoff_timeout": {
+ "type": "integer",
+ "default": 100,
+ "description": "Backoff interval between retry attempts in milliseconds."
+ }
+ },
+ {
+ "producer_async": {
+ "type": "boolean",
+ "default": true,
+ "description": "Flag to enable asynchronous mode."
+ }
+ },
+ {
+ "producer_async_flush_timeout": {
+ "type": "integer",
+ "default": 1000,
+ "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode."
+ }
+ },
+ {
+ "producer_async_buffering_limits_messages_in_memory": {
+ "type": "integer",
+ "default": 50000,
+ "description": "Maximum number of messages that can be buffered in memory in asynchronous mode."
+ }
+ },
+ {
+ "custom_fields_by_lua": {
+ "keys": {
+ "type": "string",
+ "len_min": 1
+ },
+ "values": {
+ "len_min": 1,
+ "type": "string"
+ },
+ "type": "map",
+ "description": "Lua code as a key-value map"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "entity_checks": [
+
+ ]
+}
\ No newline at end of file
diff --git a/schemas/kafka-upstream/3.6.x.json b/schemas/kafka-upstream/3.6.x.json
new file mode 100644
index 00000000..4fc3056a
--- /dev/null
+++ b/schemas/kafka-upstream/3.6.x.json
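Review bot: The `mechanism` description under `authentication` names only `PLAIN` or `SCRAM-SHA-256`, while its `one_of` also allows `SCRAM-SHA-512`; the kafka-upstream schema later in this patch already lists all three, so the sentence should end `Supported options: PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512.` with the values in code formatting as elsewhere. Separately, `security.ssl` is optional with no default and nothing visible in this schema ties it to `mechanism`, so `PLAIN` credentials can apparently be configured without TLS; the `ssl` description could state that `PLAIN` should only be used with TLS enabled. Whether the `custom_entity_check` on `authentication` already enforces that cannot be seen from this file.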
@@ -0,0 +1,302 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "forward_method", + "forward_uri", + "forward_headers", + "forward_body" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "authentication" + ] + } + } + ], + "required": true, + "fields": [ + { + "bootstrap_servers": { + "type": "set", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "required": true, + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "required": true, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ] + }, + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." + } + }, + { + "topic": { + "required": true, + "type": "string", + "description": "The Kafka topic to publish to." + } + }, + { + "timeout": { + "default": 10000, + "type": "integer", + "description": "Socket timeout in milliseconds." + } + }, + { + "keepalive": { + "default": 60000, + "type": "integer", + "description": "Keepalive timeout in milliseconds." 
+ } + }, + { + "keepalive_enabled": { + "default": false, + "type": "boolean" + } + }, + { + "authentication": { + "type": "record", + "required": true, + "fields": [ + { + "strategy": { + "required": false, + "one_of": [ + "sasl" + ], + "type": "string", + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`." + } + }, + { + "mechanism": { + "required": false, + "one_of": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "type": "string", + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`." + } + }, + { + "tokenauth": { + "required": false, + "type": "boolean", + "description": "Enable this to indicate `DelegationToken` authentication." + } + }, + { + "user": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false, + "description": "Username for SASL authentication." + } + }, + { + "password": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false, + "description": "Password for SASL authentication." + } + } + ] + } + }, + { + "security": { + "type": "record", + "required": true, + "fields": [ + { + "certificate_id": { + "uuid": true, + "required": false, + "type": "string", + "description": "UUID of certificate entity for mTLS authentication." + } + }, + { + "ssl": { + "required": false, + "type": "boolean", + "description": "Enables TLS." + } + } + ] + } + }, + { + "forward_method": { + "default": false, + "type": "boolean", + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + } + }, + { + "forward_uri": { + "default": false, + "type": "boolean", + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." 
+ } + }, + { + "forward_headers": { + "default": false, + "type": "boolean", + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + } + }, + { + "forward_body": { + "default": true, + "type": "boolean", + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + } + }, + { + "cluster_name": { + "auto": true, + "required": false, + "type": "string", + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster." + } + }, + { + "producer_request_acks": { + "default": 1, + "one_of": [ + -1, + 0, + 1 + ], + "type": "integer", + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set)." + } + }, + { + "producer_request_timeout": { + "default": 2000, + "type": "integer", + "description": "Time to wait for a Produce response in milliseconds." + } + }, + { + "producer_request_limits_messages_per_request": { + "default": 200, + "type": "integer", + "description": "Maximum number of messages to include into a single producer request." + } + }, + { + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "type": "integer", + "description": "Maximum size of a Produce request in bytes." 
+ } + }, + { + "producer_request_retries_max_attempts": { + "default": 10, + "type": "integer", + "description": "Maximum number of retry attempts per single Produce request." + } + }, + { + "producer_request_retries_backoff_timeout": { + "default": 100, + "type": "integer", + "description": "Backoff interval between retry attempts in milliseconds." + } + }, + { + "producer_async": { + "default": true, + "type": "boolean", + "description": "Flag to enable asynchronous mode." + } + }, + { + "producer_async_flush_timeout": { + "default": 1000, + "type": "integer", + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode." + } + }, + { + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "type": "integer", + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/key-auth-enc/3.6.x.json b/schemas/key-auth-enc/3.6.x.json new file mode 100644 index 00000000..437af5bd --- /dev/null +++ b/schemas/key-auth-enc/3.6.x.json 
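Review bot: In `config.authentication`, `mechanism` accepts `PLAIN`, while `security.ssl` is optional and has no default, and neither description warns that SASL PLAIN sends the username and password unprotected unless TLS is enabled. Whether the `custom_entity_check` on `authentication` enforces that pairing cannot be seen from this schema. This file is pulled from the API, so the wording belongs in the upstream plugin schema. There I would change the `ssl` description to `"description": "Enables TLS. Turn this on whenever SASL PLAIN is used, because PLAIN sends the password unencrypted."`. `keepalive_enabled` is also the only field in `config` without a `description`.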
@@ -0,0 +1,111 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "key_names": { + "required": true, + "type": "array", + "default": [ + "apikey" + ], + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." + } + }, + { + "hide_credentials": { + "default": false, + "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it." + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "key_in_header": { + "default": true, + "type": "boolean", + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it." + } + }, + { + "key_in_query": { + "default": true, + "type": "boolean", + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it." + } + }, + { + "key_in_body": { + "default": false, + "type": "boolean", + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." + } + }, + { + "run_on_preflight": { + "default": true, + "type": "boolean", + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/key-auth/3.6.x.json b/schemas/key-auth/3.6.x.json new file mode 100644 index 00000000..76ea1e51 --- /dev/null +++ b/schemas/key-auth/3.6.x.json 
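Review bot: The `key_in_body` description names the MIME type `application/www-form-urlencoded`, which looks like a typo for `application/x-www-form-urlencoded`; the same text appears in `schemas/key-auth/3.6.x.json`. In both schemas `key_in_query` defaults to `true` and `hide_credentials` to `false`, so by default an API key is accepted in the URL and forwarded to the upstream service, and the descriptions do not mention that keys in query strings tend to end up in access logs. These files are pulled from the API, so the fix belongs in the upstream plugin schema: correct the MIME type and append to `key_in_query` a sentence such as `Keys sent in the query string can be recorded in access logs; prefer the header and disable this where clients allow.`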
@@ -0,0 +1,116 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "key_names": { + "type": "array", + "required": true, + "default": [ + "apikey" + ], + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." + } + }, + { + "hide_credentials": { + "required": true, + "type": "boolean", + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request." + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`." + } + }, + { + "key_in_header": { + "required": true, + "type": "boolean", + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it." 
+ } + }, + { + "key_in_query": { + "required": true, + "type": "boolean", + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it." + } + }, + { + "key_in_body": { + "required": true, + "type": "boolean", + "default": false, + "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." + } + }, + { + "run_on_preflight": { + "required": true, + "type": "boolean", + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/konnect-application-auth/3.6.x.json b/schemas/konnect-application-auth/3.6.x.json new file mode 100644 index 00000000..de0b35f6 --- /dev/null +++ b/schemas/konnect-application-auth/3.6.x.json 
@@ -0,0 +1,2582 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + + ], + "required": true, + "fields": [ + { + "key_names": { + "required": true, + "type": "array", + "default": [ + "apikey" + ], + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "description": "The names of the headers containing the API key. You can specify multiple header names." + } + }, + { + "auth_type": { + "type": "string", + "required": true, + "one_of": [ + "openid-connect", + "key-auth", + "v2-strategies" + ], + "default": "openid-connect", + "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'." + } + }, + { + "scope": { + "unique": true, + "required": true, + "type": "string", + "description": "The unique scope identifier for the plugin configuration." + } + }, + { + "v2_strategies": { + "required": false, + "description": "The map of v2 strategies.", + "type": "record", + "default": [ + + ], + "fields": [ + { + "key_auth": { + "type": "array", + "required": false, + "elements": { + "type": "record", + "fields": [ + { + "strategy_id": { + "required": true, + "type": "string", + "description": "The strategy id the config is tied to." 
+ } + }, + { + "config": { + "required": true, + "type": "record", + "fields": [ + { + "key_names": { + "required": true, + "type": "array", + "default": [ + "apikey" + ], + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "description": "The names of the headers containing the API key. You can specify multiple header names." + } + } + ] + } + } + ] + }, + "description": "List of key_auth strategies." + } + }, + { + "openid_connect": { + "type": "array", + "required": false, + "elements": { + "type": "record", + "fields": [ + { + "strategy_id": { + "required": true, + "type": "string", + "description": "The strategy id the config is tied to." + } + }, + { + "config": { + "description": "openid-connect plugin configuration.", + "type": "record", + "fields": [ + { + "issuer": { + "required": true, + "type": "string", + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`." + } + }, + { + "using_pseudo_issuer": { + "default": false, + "type": "boolean", + "required": false, + "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`." + } + }, + { + "discovery_headers_names": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the discovery endpoint." + } + }, + { + "discovery_headers_values": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the discovery endpoint." + } + }, + { + "extra_jwks_uris": { + "required": false, + "type": "set", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ }, + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery)." + } + }, + { + "rediscovery_lifetime": { + "default": 30, + "type": "number", + "required": false, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis." + } + }, + { + "auth_methods": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ], + "description": "Types of credentials/grants to enable." + } + }, + { + "client_id": { + "type": "array", + "encrypted": true, + "required": false, + "elements": { + "type": "string", + "referenceable": true + }, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." + } + }, + { + "client_secret": { + "type": "array", + "encrypted": true, + "required": false, + "elements": { + "type": "string", + "referenceable": true + }, + "description": "The client secret." 
+ } + }, + { + "client_auth": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + }, + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication)." + } + }, + { + "client_jwk": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "required": false, + "fields": [ + { + "issuer": { + "type": "string", + "required": false + } + }, + { + "kty": { + "type": "string", + "required": false + } + }, + { + "use": { + "type": "string", + "required": false + } + }, + { + "key_ops": { + "required": false, + "elements": { + "type": "string", + "required": false + }, + "type": "array" + } + }, + { + "alg": { + "type": "string", + "required": false + } + }, + { + "kid": { + "type": "string", + "required": false + } + }, + { + "x5u": { + "type": "string", + "required": false + } + }, + { + "x5c": { + "required": false, + "elements": { + "type": "string", + "required": false + }, + "type": "array" + } + }, + { + "x5t": { + "type": "string", + "required": false + } + }, + { + "x5t#S256": { + "type": "string", + "required": false + } + }, + { + "k": { + "required": false, + "referenceable": true, + "encrypted": true, + "type": "string" + } + }, + { + "x": { + "type": "string", + "required": false + } + }, + { + "y": { + "type": "string", + "required": false + } + }, + { + "crv": { + "type": "string", + "required": false + } + }, + { + "n": { + "type": "string", + "required": false + } + }, + { + "e": { + 
"type": "string", + "required": false + } + }, + { + "d": { + "required": false, + "referenceable": true, + "encrypted": true, + "type": "string" + } + }, + { + "p": { + "required": false, + "referenceable": true, + "encrypted": true, + "type": "string" + } + }, + { + "q": { + "required": false, + "referenceable": true, + "encrypted": true, + "type": "string" + } + }, + { + "dp": { + "required": false, + "referenceable": true, + "encrypted": true, + "type": "string" + } + }, + { + "dq": { + "required": false, + "referenceable": true, + "encrypted": true, + "type": "string" + } + }, + { + "qi": { + "required": false, + "referenceable": true, + "encrypted": true, + "type": "string" + } + }, + { + "oth": { + "required": false, + "referenceable": true, + "encrypted": true, + "type": "string" + } + }, + { + "r": { + "required": false, + "referenceable": true, + "encrypted": true, + "type": "string" + } + }, + { + "t": { + "required": false, + "referenceable": true, + "encrypted": true, + "type": "string" + } + } + ] + }, + "description": "The JWK used for the private_key_jwt authentication." + } + }, + { + "client_alg": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS384", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + }, + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication." + } + }, + { + "client_arg": { + "default": "client_id", + "type": "string", + "required": false, + "description": "The client to use for this request (the selection is made with a request parameter with the same name)." + } + }, + { + "redirect_uri": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ }, + "description": "The redirect URI passed to the authorization and token endpoints." + } + }, + { + "login_redirect_uri": { + "required": false, + "type": "array", + "elements": { + "referenceable": true, + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client when `login_action` is set to `redirect`." + } + }, + { + "logout_redirect_uri": { + "required": false, + "type": "array", + "elements": { + "referenceable": true, + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client after the logout." + } + }, + { + "forbidden_redirect_uri": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client on forbidden requests." + } + }, + { + "forbidden_error_message": { + "default": "Forbidden", + "type": "string", + "required": false, + "description": "The error message for the forbidden requests (when not using the redirection)." + } + }, + { + "forbidden_destroy_session": { + "default": true, + "type": "boolean", + "required": false, + "description": "Destroy any active session for the forbidden requests." + } + }, + { + "unauthorized_destroy_session": { + "default": true, + "type": "boolean", + "required": false, + "description": "Destroy any active session for the unauthorized requests." + } + }, + { + "unauthorized_redirect_uri": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client on unauthorized requests." 
+ } + }, + { + "unauthorized_error_message": { + "default": "Unauthorized", + "type": "string", + "required": false, + "description": "The error message for the unauthorized requests (when not using the redirection)." + } + }, + { + "unexpected_redirect_uri": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client when unexpected errors happen with the requests." + } + }, + { + "response_mode": { + "type": "string", + "required": false, + "one_of": [ + "query", + "form_post", + "fragment" + ], + "default": "query", + "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)." + } + }, + { + "response_type": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "code" + ], + "description": "The response type passed to the authorization endpoint." + } + }, + { + "scopes": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "referenceable": true + }, + "default": [ + "openid" + ], + "description": "The scopes passed to the authorization and token endpoints." + } + }, + { + "audience": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The audience passed to the authorization endpoint." + } + }, + { + "issuers_allowed": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The issuers allowed to be present in the tokens (`iss` claim)." 
+ } + }, + { + "scopes_required": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } + }, + { + "scopes_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "scope" + ], + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "audience_required": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } + }, + { + "audience_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "aud" + ], + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "groups_required": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } + }, + { + "groups_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "groups" + ], + "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload." 
+ } + }, + { + "roles_required": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } + }, + { + "roles_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "roles" + ], + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "domains": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The allowed values for the `hd` claim." + } + }, + { + "max_age": { + "type": "number", + "required": false, + "description": "The maximum age (in seconds) compared to the `auth_time` claim." + } + }, + { + "authenticated_groups_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "pushed_authorization_request_endpoint": { + "required": false, + "type": "string", + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint." 
+ } + }, + { + "pushed_authorization_request_endpoint_auth_method": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ], + "required": false, + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + } + }, + { + "require_pushed_authorization_requests": { + "type": "boolean", + "required": false, + "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`)." + } + }, + { + "require_proof_key_for_code_exchange": { + "type": "boolean", + "required": false, + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled)." + } + }, + { + "authorization_endpoint": { + "required": false, + "type": "string", + "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint." + } + }, + { + "authorization_query_args_names": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra query argument names passed to the authorization endpoint." + } + }, + { + "authorization_query_args_values": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra query argument values passed to the authorization endpoint." 
+ } + }, + { + "authorization_query_args_client": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra query arguments passed from the client to the authorization endpoint." + } + }, + { + "authorization_rolling_timeout": { + "default": 600, + "type": "number", + "required": false, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." + } + }, + { + "authorization_cookie_name": { + "default": "authorization", + "type": "string", + "required": false, + "description": "The authorization cookie name." + } + }, + { + "authorization_cookie_path": { + "required": false, + "type": "string", + "starts_with": "/", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "default": "/", + "description": "The authorization cookie Path flag." + } + }, + { + "authorization_cookie_domain": { + "type": "string", + "required": false, + "description": "The authorization cookie Domain flag." + } + }, + { + "authorization_cookie_same_site": { + "type": "string", + "required": false, + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ], + "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." + } + }, + { + "authorization_cookie_http_only": { + "default": true, + "type": "boolean", + "required": false, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." + } + }, + { + "authorization_cookie_secure": { + "type": "boolean", + "required": false, + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." 
+ } + }, + { + "preserve_query_args": { + "default": false, + "type": "boolean", + "required": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow." + } + }, + { + "token_endpoint": { + "required": false, + "type": "string", + "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint." + } + }, + { + "token_endpoint_auth_method": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ], + "required": false, + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + } + }, + { + "token_headers_names": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the token endpoint." + } + }, + { + "token_headers_values": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the token endpoint." + } + }, + { + "token_headers_client": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the token endpoint." + } + }, + { + "token_headers_replay": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The names of token endpoint response headers to forward to the downstream client." + } + }, + { + "token_headers_prefix": { + "type": "string", + "required": false, + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client." 
+ } + }, + { + "token_headers_grants": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token" + ] + }, + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant." + } + }, + { + "token_post_args_names": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra post argument names passed to the token endpoint." + } + }, + { + "token_post_args_values": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra post argument values passed to the token endpoint." + } + }, + { + "token_post_args_client": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Reqest Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint." + } + }, + { + "introspection_endpoint": { + "required": false, + "type": "string", + "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint." 
+ } + }, + { + "introspection_endpoint_auth_method": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ], + "required": false, + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + } + }, + { + "introspection_hint": { + "default": "access_token", + "type": "string", + "required": false, + "description": "Introspection hint parameter value passed to the introspection endpoint." + } + }, + { + "introspection_check_active": { + "default": true, + "type": "boolean", + "required": false, + "description": "Check that the introspection response has an `active` claim with a value of `true`." + } + }, + { + "introspection_accept": { + "type": "string", + "required": false, + "one_of": [ + "application/json", + "application/token-introspection+jwt", + "application/jwt" + ], + "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)." + } + }, + { + "introspection_headers_names": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the introspection endpoint." + } + }, + { + "introspection_headers_values": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the introspection endpoint." 
+ } + }, + { + "introspection_headers_client": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the introspection endpoint." + } + }, + { + "introspection_post_args_names": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra post argument names passed to the introspection endpoint." + } + }, + { + "introspection_post_args_values": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra post argument values passed to the introspection endpoint." + } + }, + { + "introspection_post_args_client": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra post arguments passed from the client to the introspection endpoint." + } + }, + { + "introspect_jwt_tokens": { + "default": false, + "type": "boolean", + "required": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations)." + } + }, + { + "revocation_endpoint": { + "required": false, + "type": "string", + "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint." + } + }, + { + "revocation_endpoint_auth_method": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ], + "required": false, + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + } + }, + { + "end_session_endpoint": { + "required": false, + "type": "string", + "description": "The end session endpoint. 
If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint." + } + }, + { + "userinfo_endpoint": { + "required": false, + "type": "string", + "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint." + } + }, + { + "userinfo_accept": { + "type": "string", + "required": false, + "one_of": [ + "application/json", + "application/jwt" + ], + "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)." + } + }, + { + "userinfo_headers_names": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the user info endpoint." + } + }, + { + "userinfo_headers_values": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the user info endpoint." + } + }, + { + "userinfo_headers_client": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the user info endpoint." + } + }, + { + "userinfo_query_args_names": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra query argument names passed to the user info endpoint." + } + }, + { + "userinfo_query_args_values": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra query argument values passed to the user info endpoint." + } + }, + { + "userinfo_query_args_client": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra query arguments passed from the client to the user info endpoint." 
+ } + }, + { + "token_exchange_endpoint": { + "required": false, + "type": "string", + "description": "The token exchange endpoint." + } + }, + { + "session_secret": { + "type": "string", + "required": false, + "referenceable": true, + "encrypted": true, + "description": "The session secret." + } + }, + { + "session_audience": { + "default": "default", + "type": "string", + "required": false, + "description": "The session audience, which is the intended target application. For example `\"my-application\"`." + } + }, + { + "session_cookie_name": { + "default": "session", + "type": "string", + "required": false, + "description": "The session cookie name." + } + }, + { + "session_remember": { + "default": false, + "type": "boolean", + "required": false, + "description": "Enables or disables persistent sessions." + } + }, + { + "session_remember_cookie_name": { + "default": "remember", + "type": "string", + "required": false, + "description": "Persistent session cookie name. Use with the `remember` configuration parameter." + } + }, + { + "session_remember_rolling_timeout": { + "default": 604800, + "type": "number", + "required": false, + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling." + } + }, + { + "session_remember_absolute_timeout": { + "default": 2592000, + "type": "number", + "required": false, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks." + } + }, + { + "session_idling_timeout": { + "default": 900, + "type": "number", + "required": false, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching." + } + }, + { + "session_rolling_timeout": { + "default": 3600, + "type": "number", + "required": false, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling." + } + }, + { + "session_absolute_timeout": { + "default": 86400, + "type": "number", + "required": false, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks." + } + }, + { + "session_cookie_path": { + "required": false, + "type": "string", + "starts_with": "/", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "default": "/", + "description": "The session cookie Path flag." + } + }, + { + "session_cookie_domain": { + "type": "string", + "required": false, + "description": "The session cookie Domain flag." + } + }, + { + "session_cookie_same_site": { + "type": "string", + "required": false, + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ], + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." + } + }, + { + "session_cookie_http_only": { + "default": true, + "type": "boolean", + "required": false, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." + } + }, + { + "session_cookie_secure": { + "type": "boolean", + "required": false, + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." + } + }, + { + "session_request_headers": { + "type": "set", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers." 
+ } + }, + { + "session_response_headers": { + "type": "set", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers." + } + }, + { + "session_storage": { + "type": "string", + "required": false, + "one_of": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis." + } + }, + { + "session_store_metadata": { + "default": false, + "type": "boolean", + "required": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject." + } + }, + { + "session_enforce_same_subject": { + "default": false, + "type": "boolean", + "required": false, + "description": "When set to `true`, audiences are forced to share the same subject." + } + }, + { + "session_hash_subject": { + "default": false, + "type": "boolean", + "required": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." + } + }, + { + "session_hash_storage_key": { + "default": false, + "type": "boolean", + "required": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." + } + }, + { + "session_memcached_prefix": { + "type": "string", + "required": false, + "description": "The memcached session key prefix." + } + }, + { + "session_memcached_socket": { + "type": "string", + "required": false, + "description": "The memcached unix socket path." + } + }, + { + "session_memcached_host": { + "default": "127.0.0.1", + "type": "string", + "required": false, + "description": "The memcached host." + } + }, + { + "session_memcached_port": { + "required": false, + "between": [ + 0, + 65535 + ], + "type": "integer", + "default": 11211, + "description": "The memcached port." + } + }, + { + "session_redis_prefix": { + "type": "string", + "required": false, + "description": "The Redis session key prefix." + } + }, + { + "session_redis_socket": { + "type": "string", + "required": false, + "description": "The Redis unix socket path." + } + }, + { + "session_redis_host": { + "default": "127.0.0.1", + "type": "string", + "required": false, + "description": "The Redis host." + } + }, + { + "session_redis_port": { + "required": false, + "between": [ + 0, + 65535 + ], + "type": "integer", + "default": 6379, + "description": "The Redis port." + } + }, + { + "session_redis_username": { + "type": "string", + "referenceable": true, + "required": false, + "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + } + }, + { + "session_redis_password": { + "type": "string", + "required": false, + "referenceable": true, + "encrypted": true, + "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis." 
+ } + }, + { + "session_redis_connect_timeout": { + "type": "integer", + "required": false, + "description": "Session redis connection timeout in milliseconds." + } + }, + { + "session_redis_read_timeout": { + "type": "integer", + "required": false, + "description": "Session redis read timeout in milliseconds." + } + }, + { + "session_redis_send_timeout": { + "type": "integer", + "required": false, + "description": "Session redis send timeout in milliseconds." + } + }, + { + "session_redis_ssl": { + "default": false, + "type": "boolean", + "required": false, + "description": "Use SSL/TLS for Redis connection." + } + }, + { + "session_redis_ssl_verify": { + "default": false, + "type": "boolean", + "required": false, + "description": "Verify identity provider server certificate." + } + }, + { + "session_redis_server_name": { + "type": "string", + "required": false, + "description": "The SNI used for connecting the Redis server." + } + }, + { + "session_redis_cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "required": true, + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ] + }, + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values." + } + }, + { + "session_redis_cluster_max_redirections": { + "type": "integer", + "required": false, + "description": "The Redis cluster maximum redirects." + } + }, + { + "reverify": { + "default": false, + "type": "boolean", + "required": false, + "description": "Specifies whether to always verify tokens stored in the session." 
+ } + }, + { + "jwt_session_claim": { + "default": "sid", + "type": "string", + "required": false, + "description": "The claim to match against the JWT session cookie." + } + }, + { + "jwt_session_cookie": { + "type": "string", + "required": false, + "description": "The name of the JWT session cookie." + } + }, + { + "bearer_token_param_type": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "cookie", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`." + } + }, + { + "bearer_token_cookie_name": { + "type": "string", + "required": false, + "description": "The name of the cookie in which the bearer token is passed." + } + }, + { + "client_credentials_param_type": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body." + } + }, + { + "password_param_type": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." 
+ } + }, + { + "id_token_param_type": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + } + }, + { + "id_token_param_name": { + "type": "string", + "required": false, + "description": "The name of the parameter used to pass the id token." + } + }, + { + "refresh_token_param_type": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + } + }, + { + "refresh_token_param_name": { + "type": "string", + "required": false, + "description": "The name of the parameter used to pass the refresh token." + } + }, + { + "refresh_tokens": { + "default": true, + "type": "boolean", + "required": false, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available." + } + }, + { + "upstream_headers_claims": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "upstream_headers_names": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The upstream header names for the claim values." + } + }, + { + "upstream_access_token_header": { + "default": "authorization:bearer", + "type": "string", + "required": false, + "description": "The upstream access token header." 
+ } + }, + { + "upstream_access_token_jwk_header": { + "type": "string", + "required": false, + "description": "The upstream access token JWK header." + } + }, + { + "upstream_id_token_header": { + "type": "string", + "required": false, + "description": "The upstream id token header." + } + }, + { + "upstream_id_token_jwk_header": { + "type": "string", + "required": false, + "description": "The upstream id token JWK header." + } + }, + { + "upstream_refresh_token_header": { + "type": "string", + "required": false, + "description": "The upstream refresh token header." + } + }, + { + "upstream_user_info_header": { + "type": "string", + "required": false, + "description": "The upstream user info header." + } + }, + { + "upstream_user_info_jwt_header": { + "type": "string", + "required": false, + "description": "The upstream user info JWT header (in case the user info returns a JWT response)." + } + }, + { + "upstream_introspection_header": { + "type": "string", + "required": false, + "description": "The upstream introspection header." + } + }, + { + "upstream_introspection_jwt_header": { + "type": "string", + "required": false, + "description": "The upstream introspection JWT header." + } + }, + { + "upstream_session_id_header": { + "type": "string", + "required": false, + "description": "The upstream session id header." + } + }, + { + "downstream_headers_claims": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "downstream_headers_names": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The downstream header names for the claim values." + } + }, + { + "downstream_access_token_header": { + "type": "string", + "required": false, + "description": "The downstream access token header." 
+ } + }, + { + "downstream_access_token_jwk_header": { + "type": "string", + "required": false, + "description": "The downstream access token JWK header." + } + }, + { + "downstream_id_token_header": { + "type": "string", + "required": false, + "description": "The downstream id token header." + } + }, + { + "downstream_id_token_jwk_header": { + "type": "string", + "required": false, + "description": "The downstream id token JWK header." + } + }, + { + "downstream_refresh_token_header": { + "type": "string", + "required": false, + "description": "The downstream refresh token header." + } + }, + { + "downstream_user_info_header": { + "type": "string", + "required": false, + "description": "The downstream user info header." + } + }, + { + "downstream_user_info_jwt_header": { + "type": "string", + "required": false, + "description": "The downstream user info JWT header (in case the user info returns a JWT response)." + } + }, + { + "downstream_introspection_header": { + "type": "string", + "required": false, + "description": "The downstream introspection header." + } + }, + { + "downstream_introspection_jwt_header": { + "type": "string", + "required": false, + "description": "The downstream introspection JWT header." + } + }, + { + "downstream_session_id_header": { + "type": "string", + "required": false, + "description": "The downstream session id header." + } + }, + { + "login_methods": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "default": [ + "authorization_code" + ], + "description": "Enable login functionality with specified grants." 
+ } + }, + { + "login_action": { + "type": "string", + "required": false, + "one_of": [ + "upstream", + "response", + "redirect" + ], + "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location." + } + }, + { + "login_tokens": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id_token", + "access_token", + "refresh_token", + "tokens", + "introspection" + ] + }, + "default": [ + "id_token" + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response." + } + }, + { + "login_redirect_mode": { + "type": "string", + "required": false, + "one_of": [ + "query", + "fragment" + ], + "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)." + } + }, + { + "logout_query_arg": { + "type": "string", + "required": false, + "description": "The request query argument that activates the logout." + } + }, + { + "logout_post_arg": { + "type": "string", + "required": false, + "description": "The request body argument that activates the logout." + } + }, + { + "logout_uri_suffix": { + "type": "string", + "required": false, + "description": "The request URI suffix that activates the logout." 
+ } + }, + { + "logout_methods": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "POST", + "GET", + "DELETE" + ] + }, + "default": [ + "POST", + "DELETE" + ], + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method." + } + }, + { + "logout_revoke": { + "default": false, + "type": "boolean", + "required": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters." + } + }, + { + "logout_revoke_access_token": { + "default": true, + "type": "boolean", + "required": false, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`." + } + }, + { + "logout_revoke_refresh_token": { + "default": true, + "type": "boolean", + "required": false, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`." + } + }, + { + "consumer_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "consumer_by": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "default": [ + "username", + "custom_id" + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`." + } + }, + { + "consumer_optional": { + "default": false, + "type": "boolean", + "required": false, + "description": "Do not terminate the request if consumer mapping fails." 
+ } + }, + { + "credential_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "sub" + ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "anonymous": { + "type": "string", + "required": false, + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "run_on_preflight": { + "default": true, + "type": "boolean", + "required": false, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests." + } + }, + { + "leeway": { + "default": 0, + "type": "number", + "required": false, + "description": "Allow some leeway (in seconds) on the iat claim and ttl / expiry verification." + } + }, + { + "verify_parameters": { + "default": false, + "type": "boolean", + "required": false, + "description": "Verify plugin configuration against discovery." + } + }, + { + "verify_nonce": { + "default": true, + "type": "boolean", + "required": false, + "description": "Verify nonce on authorization code flow." + } + }, + { + "verify_claims": { + "default": true, + "type": "boolean", + "required": false, + "description": "Verify tokens for standard claims." + } + }, + { + "verify_signature": { + "default": true, + "type": "boolean", + "required": false, + "description": "Verify signature of tokens." 
+ } + }, + { + "ignore_signature": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token", + "session", + "introspection", + "userinfo" + ] + }, + "default": [ + + ], + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication." + } + }, + { + "enable_hs_signatures": { + "default": false, + "type": "boolean", + "required": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted)." + } + }, + { + "disable_session": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "description": "Disable issuing the session cookie with the specified grants." + } + }, + { + "cache_ttl": { + "default": 3600, + "type": "number", + "required": false, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry." + } + }, + { + "cache_ttl_max": { + "type": "number", + "required": false, + "description": "The maximum cache ttl in seconds (enforced)." + } + }, + { + "cache_ttl_min": { + "type": "number", + "required": false, + "description": "The minimum cache ttl in seconds (enforced)." + } + }, + { + "cache_ttl_neg": { + "type": "number", + "required": false, + "description": "The negative cache ttl in seconds." 
+ } + }, + { + "cache_ttl_resurrect": { + "type": "number", + "required": false, + "description": "The resurrection ttl in seconds." + } + }, + { + "cache_tokens": { + "default": true, + "type": "boolean", + "required": false, + "description": "Cache the token endpoint requests." + } + }, + { + "cache_tokens_salt": { + "auto": true, + "type": "string", + "required": false, + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." + } + }, + { + "cache_introspection": { + "default": true, + "type": "boolean", + "required": false, + "description": "Cache the introspection endpoint requests." + } + }, + { + "cache_token_exchange": { + "default": true, + "type": "boolean", + "required": false, + "description": "Cache the token exchange endpoint requests." + } + }, + { + "cache_user_info": { + "default": true, + "type": "boolean", + "required": false, + "description": "Cache the user info requests." + } + }, + { + "search_user_info": { + "default": false, + "type": "boolean", + "required": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers." + } + }, + { + "hide_credentials": { + "default": false, + "type": "boolean", + "required": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication." + } + }, + { + "http_version": { + "required": false, + "default": 1.1, + "type": "number", + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0." + } + }, + { + "http_proxy": { + "required": false, + "type": "string", + "description": "The HTTP proxy." 
+ } + }, + { + "http_proxy_authorization": { + "type": "string", + "required": false, + "description": "The HTTP proxy authorization." + } + }, + { + "https_proxy": { + "required": false, + "type": "string", + "description": "The HTTPS proxy." + } + }, + { + "https_proxy_authorization": { + "type": "string", + "required": false, + "description": "The HTTPS proxy authorization." + } + }, + { + "no_proxy": { + "type": "string", + "required": false, + "description": "Do not use proxy with these hosts." + } + }, + { + "keepalive": { + "default": true, + "type": "boolean", + "required": false, + "description": "Use keepalive with the HTTP client." + } + }, + { + "ssl_verify": { + "default": false, + "type": "boolean", + "required": false, + "description": "Verify identity provider server certificate." + } + }, + { + "timeout": { + "default": 10000, + "type": "number", + "required": false, + "description": "Network IO timeout in milliseconds." + } + }, + { + "display_errors": { + "default": false, + "type": "boolean", + "required": false, + "description": "Display errors on failure responses." + } + }, + { + "by_username_ignore_case": { + "default": false, + "type": "boolean", + "required": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively." + } + }, + { + "resolve_distributed_claims": { + "default": false, + "type": "boolean", + "required": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims." + } + }, + { + "expose_error_code": { + "type": "boolean", + "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable." 
+ } + }, + { + "token_cache_key_include_scope": { + "type": "boolean", + "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens." + } + }, + { + "introspection_token_param_name": { + "default": "token", + "type": "string", + "required": false, + "description": "Designate token's parameter name for introspection." + } + }, + { + "revocation_token_param_name": { + "default": "token", + "type": "string", + "required": false, + "description": "Designate token's parameter name for revocation." + } + }, + { + "proof_of_possession_mtls": { + "type": "string", + "required": false, + "one_of": [ + "off", + "strict", + "optional" + ], + "default": "off", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401." + } + }, + { + "proof_of_possession_auth_methods_validation": { + "default": true, + "type": "boolean", + "required": false, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP." 
+ } + }, + { + "tls_client_auth_cert_id": { + "uuid": true, + "type": "string", + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "required": false, + "auto": false + } + }, + { + "tls_client_auth_ssl_verify": { + "default": true, + "type": "boolean", + "required": false, + "description": "Verify identity provider server certificate during mTLS client authentication." + } + }, + { + "mtls_token_endpoint": { + "required": false, + "type": "string", + "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." + } + }, + { + "mtls_introspection_endpoint": { + "required": false, + "type": "string", + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." + } + }, + { + "mtls_revocation_endpoint": { + "required": false, + "type": "string", + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." + } + } + ] + } + } + ] + }, + "description": "List of openid_connect strategies." + } + } + ] + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/ldap-auth-advanced/3.6.x.json b/schemas/ldap-auth-advanced/3.6.x.json new file mode 100644 index 00000000..672b08af --- /dev/null +++ b/schemas/ldap-auth-advanced/3.6.x.json 
@@ -0,0 +1,236 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "ldap_host": { + "type": "string", + "required": true, + "description": "Host on which the LDAP server is running." + } + }, + { + "ldap_password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The password to the LDAP server." + } + }, + { + "ldap_port": { + "default": 389, + "type": "number", + "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636." + } + }, + { + "bind_dn": { + "referenceable": true, + "type": "string", + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated." + } + }, + { + "ldaps": { + "type": "boolean", + "default": false, + "required": true, + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled." 
+ } + }, + { + "start_tls": { + "type": "boolean", + "default": false, + "required": true, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled." + } + }, + { + "verify_ldap_host": { + "type": "boolean", + "default": false, + "required": true, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive." + } + }, + { + "base_dn": { + "type": "string", + "required": true, + "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'." + } + }, + { + "attribute": { + "type": "string", + "required": true, + "description": "Attribute to be used to search the user; e.g., \"cn\"." + } + }, + { + "cache_ttl": { + "type": "number", + "default": 60, + "required": true, + "description": "Cache expiry time in seconds." + } + }, + { + "hide_credentials": { + "default": false, + "type": "boolean", + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request." + } + }, + { + "timeout": { + "default": 10000, + "type": "number", + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server." + } + }, + { + "keepalive": { + "default": 60000, + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed." + } + }, + { + "anonymous": { + "len_min": 0, + "default": "", + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "header_type": { + "default": "ldap", + "type": "string", + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`." + } + }, + { + "consumer_optional": { + "type": "boolean", + "default": false, + "required": false, + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user." + } + }, + { + "consumer_by": { + "type": "array", + "required": false, + "default": [ + "username", + "custom_id" + ], + "elements": { + "type": "string", + "one_of": [ + "username", + "custom_id" + ] + }, + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both." + } + }, + { + "group_base_dn": { + "type": "string", + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'." + } + }, + { + "group_name_attribute": { + "type": "string", + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive." + } + }, + { + "group_member_attribute": { + "default": "memberOf", + "type": "string", + "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive." + } + }, + { + "log_search_results": { + "type": "boolean", + "default": false, + "required": false, + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. 
Not recommended to be enabled in a production environment." + } + }, + { + "groups_required": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result." + } + } + ] + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/ldap-auth/3.6.x.json b/schemas/ldap-auth/3.6.x.json new file mode 100644 index 00000000..c08b5d8f --- /dev/null +++ b/schemas/ldap-auth/3.6.x.json 
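Review bot: The transport-security fields in `config` all default to the insecure choice (`ldaps`, `start_tls` and `verify_ldap_host` are `false`) and no description says what that means, so a reader who keeps the defaults gets an unencrypted bind on port 389 with no server authentication. I would extend the `verify_ldap_host` description with `With the default of false the server certificate is not checked, so enabling ldaps or start_tls alone does not authenticate the LDAP server.` The `ldaps` description also tells the reader to disable `start_tls` when "the `ldap` setting" is enabled, where `ldaps` is meant; the same wording and the same defaults recur in the schemas/ldap-auth/3.6.x.json hunk that follows. The `group_base_dn` description ends in a stray `',dc=com'.` that looks like a truncated example, and `anonymous` says "default null" while its `default` is `""`. Since the file is pulled from the API, these presumably have to be fixed in the upstream schema rather than in this file.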
@@ -0,0 +1,171 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "conditional": { + "then_match": { + "eq": false + }, + "then_field": "start_tls", + "if_match": { + "eq": true + }, + "if_field": "ldaps", + "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously" + } + } + ], + "required": true, + "fields": [ + { + "ldap_host": { + "required": true, + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "ldap_port": { + "type": "integer", + "between": [ + 0, + 65535 + ], + "required": true, + "default": 389, + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "ldaps": { + "default": false, + "type": "boolean", + "required": true, + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled." + } + }, + { + "start_tls": { + "default": false, + "type": "boolean", + "required": true, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled." 
+ } + }, + { + "verify_ldap_host": { + "default": false, + "type": "boolean", + "required": true, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive." + } + }, + { + "base_dn": { + "type": "string", + "required": true, + "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com" + } + }, + { + "attribute": { + "type": "string", + "required": true, + "description": "Attribute to be used to search the user; e.g. cn" + } + }, + { + "cache_ttl": { + "default": 60, + "type": "number", + "required": true, + "description": "Cache expiry time in seconds." + } + }, + { + "hide_credentials": { + "default": false, + "type": "boolean", + "required": true, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request." + } + }, + { + "timeout": { + "type": "number", + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server." + } + }, + { + "keepalive": { + "type": "number", + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed." + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`." + } + }, + { + "header_type": { + "type": "string", + "default": "ldap", + "description": "An optional string to use as part of the Authorization header" + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/loggly/3.6.x.json b/schemas/loggly/3.6.x.json new file mode 100644 index 00000000..68f95648 --- /dev/null 
+++ b/schemas/loggly/3.6.x.json 
@@ -0,0 +1,173 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "host": { + "default": "logs-01.loggly.com", + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 514, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ } + }, + { + "key": { + "type": "string", + "referenceable": true, + "encrypted": true, + "required": true + } + }, + { + "tags": { + "default": [ + "kong" + ], + "elements": { + "type": "string" + }, + "type": "set" + } + }, + { + "log_level": { + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ], + "type": "string", + "default": "info" + } + }, + { + "successful_severity": { + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ], + "type": "string", + "default": "info" + } + }, + { + "client_errors_severity": { + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ], + "type": "string", + "default": "info" + } + }, + { + "server_errors_severity": { + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ], + "type": "string", + "default": "info" + } + }, + { + "timeout": { + "default": 10000, + "type": "number" + } + }, + { + "custom_fields_by_lua": { + "keys": { + "type": "string", + "len_min": 1 + }, + "values": { + "len_min": 1, + "type": "string" + }, + "type": "map", + "description": "Lua code as a key-value map" + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/mocking/3.6.x.json b/schemas/mocking/3.6.x.json new file mode 100644 index 00000000..e5888e96 --- /dev/null +++ b/schemas/mocking/3.6.x.json 
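Review bot: `key`, `tags`, `log_level`, the three `*_severity` fields and `timeout` have no `description` in this schema, although the other schemas in this series carry descriptions on their fields. `key` matters most: it is marked `encrypted` and `referenceable`, so the text should say what secret it holds and that it can be supplied by reference, for example `The Loggly credential used to send logs; prefer a vault reference over a literal value.` (wording to be confirmed against the plugin documentation). `custom_fields_by_lua` is described only as `Lua code as a key-value map`; it would help to state that the values are Lua code run by the gateway, so the field should be writable only by trusted administrators.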
@@ -0,0 +1,117 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "api_specification_filename": { + "type": "string", + "required": false, + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode." + } + }, + { + "api_specification": { + "type": "string", + "required": false, + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field." + } + }, + { + "random_delay": { + "type": "boolean", + "default": false, + "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs." + } + }, + { + "max_delay_time": { + "type": "number", + "default": 1, + "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`." + } + }, + { + "min_delay_time": { + "type": "number", + "default": 0.001, + "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`." 
+ } + }, + { + "random_examples": { + "type": "boolean", + "default": false, + "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured." + } + }, + { + "included_status_codes": { + "type": "array", + "elements": { + "type": "integer" + }, + "description": "A global list of the HTTP status codes that can only be selected and returned." + } + }, + { + "random_status_code": { + "required": true, + "type": "boolean", + "default": false, + "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned." + } + }, + { + "include_base_path": { + "required": true, + "type": "boolean", + "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation." + } + } + ] + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.api_specification_filename", + "config.api_specification" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/mtls-auth/3.6.x.json b/schemas/mtls-auth/3.6.x.json new file mode 100644 index 00000000..3f4a6fc5 --- /dev/null +++ b/schemas/mtls-auth/3.6.x.json 
@@ -0,0 +1,204 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], + "required": true, + "fields": [ + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "consumer_by": { + "type": "array", + "required": false, + "default": [ + "username", + "custom_id" + ], + "elements": { + "type": "string", + "one_of": [ + "username", + "custom_id" + ] + }, + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled." + } + }, + { + "ca_certificates": { + "required": true, + "type": "array", + "elements": { + "uuid": true, + "type": "string" + }, + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. 
At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`)." + } + }, + { + "cache_ttl": { + "default": 60, + "type": "number", + "required": true, + "description": "Cache expiry time in seconds." + } + }, + { + "skip_consumer_lookup": { + "default": false, + "type": "boolean", + "required": true, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list." + } + }, + { + "allow_partial_chain": { + "default": false, + "type": "boolean", + "required": true, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates." + } + }, + { + "authenticated_group_by": { + "required": false, + "type": "string", + "one_of": [ + "CN", + "DN" + ], + "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users." + } + }, + { + "revocation_check_mode": { + "required": false, + "type": "string", + "one_of": [ + "SKIP", + "IGNORE_CA_ERROR", + "STRICT" + ], + "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status." 
+ } + }, + { + "http_timeout": { + "type": "number", + "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL." + } + }, + { + "cert_cache_ttl": { + "type": "number", + "default": 60000, + "description": "The length of time in milliseconds between refreshes of the revocation check status cache." + } + }, + { + "send_ca_dn": { + "type": "boolean", + "default": false, + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message." + } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "http_proxy_port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "https_proxy_port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/oas-validation/3.6.x.json b/schemas/oas-validation/3.6.x.json new file mode 100644 index 00000000..ae419e59 --- /dev/null +++ b/schemas/oas-validation/3.6.x.json 
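Review bot: `revocation_check_mode` defaults to `IGNORE_CA_ERROR`, and its description only says this mode "doesn't fail on network issues"; it should state the consequence, which appears to be that a certificate is accepted when the OCSP responder or CRL cannot be reached. A sentence such as `With IGNORE_CA_ERROR a revoked certificate can still be accepted while the revocation source is unreachable; use STRICT where revocation must be enforced.` would make the trade-off visible. In the same hunk the `authenticated_group_by` description carries a leftover "(not covered here)" from the page it was copied from. The point it makes about `skip_consumer_lookup` (any client with a valid certificate gets access unless the ACL plugin restricts it) would be easier to find in the `skip_consumer_lookup` description itself.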
@@ -0,0 +1,148 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "api_spec": { + "required": true, + "type": "string", + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URL encoded to preserve the YAML format." + } + }, + { + "verbose_response": { + "required": false, + "default": false, + "type": "boolean", + "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing." + } + }, + { + "validate_request_body": { + "required": false, + "default": true, + "type": "boolean", + "description": "If set to true, validates the request body content against the API specification." + } + }, + { + "notify_only_request_validation_failure": { + "required": false, + "default": false, + "type": "boolean", + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow." + } + }, + { + "validate_request_header_params": { + "required": false, + "default": true, + "type": "boolean", + "description": "If set to true, validates HTTP header parameters against the API specification." + } + }, + { + "validate_request_query_params": { + "required": false, + "default": true, + "type": "boolean", + "description": "If set to true, validates query parameters against the API specification." 
+ } + }, + { + "validate_request_uri_params": { + "required": false, + "default": true, + "type": "boolean", + "description": "If set to true, validates URI parameters in the request against the API specification." + } + }, + { + "validate_response_body": { + "required": false, + "default": false, + "type": "boolean", + "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code." + } + }, + { + "notify_only_response_body_validation_failure": { + "required": false, + "default": false, + "type": "boolean", + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow." + } + }, + { + "query_parameter_check": { + "required": true, + "default": false, + "type": "boolean", + "description": "If set to true, checks if query parameters in the request exist in the API specification." + } + }, + { + "header_parameter_check": { + "required": true, + "default": false, + "type": "boolean", + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification." + } + }, + { + "allowed_header_parameters": { + "required": false, + "default": "Host,Content-Type,User-Agent,Accept,Content-Length", + "type": "string", + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent." + } + }, + { + "include_base_path": { + "required": true, + "default": false, + "type": "boolean", + "description": "Indicates whether to include the base path when performing path match evaluation." 
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "entity_checks": [
+
+ ]
+}
\ No newline at end of file
diff --git a/schemas/oauth2-introspection/3.6.x.json b/schemas/oauth2-introspection/3.6.x.json
new file mode 100644
index 00000000..d495fe7c
--- /dev/null
+++ b/schemas/oauth2-introspection/3.6.x.json
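Review bot: The descriptions of `notify_only_request_validation_failure` and `notify_only_response_body_validation_failure` in schemas/oas-validation/3.6.x.json say that failures "don't affect the request flow" (or response flow) without spelling out the consequence. Presumably a request or response that fails validation is still passed on, so an operator who enables these for the event hooks may not realise enforcement is off. I would append a sentence such as `Requests that fail validation are still proxied to the upstream service.` to the first and the equivalent to the second, once confirmed against the plugin. `verbose_response` is described only as useful while testing; it should also say that the detailed validation errors go back to the client, so the default of `false` is the right setting outside test environments. If these files are pulled unchanged from the gateway API, the wording fix belongs in the upstream schema.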
@@ -0,0 +1,167 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "introspection_url": { + "required": true, + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "ttl": { + "type": "number", + "default": 30, + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration." + } + }, + { + "token_type_hint": { + "type": "string", + "description": "The `token_type_hint` value to associate to introspection requests." + } + }, + { + "authorization_value": { + "required": true, + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`)." + } + }, + { + "timeout": { + "type": "integer", + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server." + } + }, + { + "keepalive": { + "type": "integer", + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." 
+ } + }, + { + "introspect_request": { + "type": "boolean", + "required": true, + "default": false, + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request." + } + }, + { + "hide_credentials": { + "type": "boolean", + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request." + } + }, + { + "run_on_preflight": { + "type": "boolean", + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed." + } + }, + { + "anonymous": { + "len_min": 0, + "default": "", + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "consumer_by": { + "type": "string", + "required": true, + "one_of": [ + "username", + "client_id" + ], + "default": "username", + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`." + } + }, + { + "custom_introspection_headers": { + "type": "map", + "values": { + "type": "string" + }, + "keys": { + "type": "string" + }, + "required": true, + "default": [ + + ], + "description": "A list of custom headers to be added in the introspection request." 
+ }
+ },
+ {
+ "custom_claims_forward": {
+ "required": true,
+ "type": "set",
+ "default": [
+
+ ],
+ "elements": {
+ "type": "string"
+ },
+ "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`."
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "entity_checks": [
+
+ ]
+}
\ No newline at end of file
diff --git a/schemas/oauth2/3.6.x.json b/schemas/oauth2/3.6.x.json
new file mode 100644
index 00000000..c122952b
--- /dev/null
+++ b/schemas/oauth2/3.6.x.json
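Review bot: The `anonymous` description in schemas/oauth2-introspection/3.6.x.json says "If empty (default null)" while the field declares `"default": ""` with `len_min` 0, so the documented default does not match the schema. `If empty (the default), the request fails with an authentication failure 4xx.` would agree with it. `custom_introspection_headers` has the same kind of mismatch: it is `"type": "map"` but is described as "A list of custom headers" and defaults to an empty array. The `ttl` description should also say what `0` implies, since with expiration disabled a cached introspection result presumably keeps being honoured after the token has been revoked at the authorization server.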
@@ -0,0 +1,214 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "required": true, + "entity_checks": [ + { + "conditional": { + "then_field": "scopes", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + }, + "if_field": "mandatory_scope" + } + } + ], + "type": "record", + "fields": [ + { + "scopes": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required." + } + }, + { + "mandatory_scope": { + "required": true, + "type": "boolean", + "default": false, + "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user." + } + }, + { + "provision_key": { + "unique": true, + "encrypted": true, + "description": "The unique key the plugin has generated when it has been added to the Service.", + "required": true, + "type": "string", + "auto": true + } + }, + { + "token_expiration": { + "required": true, + "type": "number", + "default": 7200, + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration." 
+ } + }, + { + "enable_authorization_code": { + "required": true, + "type": "boolean", + "default": false, + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1)." + } + }, + { + "enable_implicit_grant": { + "required": true, + "type": "boolean", + "default": false, + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2)." + } + }, + { + "enable_client_credentials": { + "required": true, + "type": "boolean", + "default": false, + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4)." + } + }, + { + "enable_password_grant": { + "required": true, + "type": "boolean", + "default": false, + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3)." + } + }, + { + "hide_credentials": { + "required": true, + "type": "boolean", + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service." + } + }, + { + "accept_http_if_already_terminated": { + "required": true, + "type": "boolean", + "default": false, + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer." + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + } + }, + { + "global_credentials": { + "required": true, + "type": "boolean", + "default": false, + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`." 
+ }
+ },
+ {
+ "auth_header_name": {
+ "type": "string",
+ "default": "authorization",
+ "description": "The name of the header that is supposed to carry the access token."
+ }
+ },
+ {
+ "refresh_token_ttl": {
+ "type": "number",
+ "between": [
+ 0,
+ 100000000
+ ],
+ "required": true,
+ "default": 1209600,
+ "description": "Time-to-live value for data"
+ }
+ },
+ {
+ "reuse_refresh_token": {
+ "required": true,
+ "type": "boolean",
+ "default": false,
+ "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token."
+ }
+ },
+ {
+ "persistent_refresh_token": {
+ "required": true,
+ "default": false,
+ "type": "boolean"
+ }
+ },
+ {
+ "pkce": {
+ "required": false,
+ "type": "string",
+ "one_of": [
+ "none",
+ "lax",
+ "strict"
+ ],
+ "default": "lax",
+ "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin."
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "entity_checks": [
+
+ ]
+}
\ No newline at end of file
diff --git a/schemas/opa/3.6.x.json b/schemas/opa/3.6.x.json
new file mode 100644
index 00000000..b79679bd
--- /dev/null
+++ b/schemas/opa/3.6.x.json
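Review bot: The four grant-flow descriptions in schemas/oauth2/3.6.x.json (`enable_authorization_code`, `enable_implicit_grant`, `enable_client_credentials`, `enable_password_grant`) cite "RFC 6742", but the OAuth 2.0 Authorization Framework, whose Sections 4.1 to 4.4 define these grants, is RFC 6749. Each should read e.g. `(RFC 6749 Section 4.1)`. `persistent_refresh_token` is added with no `description` at all, and `refresh_token_ttl` only says "Time-to-live value for data", so neither tells an operator how long a refresh token stays usable. `accept_http_if_already_terminated` appears to relax the HTTPS requirement, yet its description does not say what the plugin relies on to decide that TLS was terminated upstream. It should state that, and that the option is only appropriate when the gateway is reachable solely through that proxy or load balancer.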
@@ -0,0 +1,147 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "opa_protocol": { + "default": "http", + "one_of": [ + "http", + "https" + ], + "type": "string", + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`." + } + }, + { + "opa_host": { + "required": true, + "default": "localhost", + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "opa_port": { + "type": "integer", + "between": [ + 0, + 65535 + ], + "required": true, + "default": 8181, + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "opa_path": { + "type": "string", + "starts_with": "/", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "required": true, + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + } + }, + { + "include_service_in_opa_input": { + "default": false, + "type": "boolean", + "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA." 
+ }
+ },
+ {
+ "include_route_in_opa_input": {
+ "default": false,
+ "type": "boolean",
+ "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA."
+ }
+ },
+ {
+ "include_consumer_in_opa_input": {
+ "default": false,
+ "type": "boolean",
+ "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA."
+ }
+ },
+ {
+ "include_body_in_opa_input": {
+ "default": false,
+ "type": "boolean"
+ }
+ },
+ {
+ "include_parsed_json_body_in_opa_input": {
+ "default": false,
+ "type": "boolean",
+ "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA."
+ }
+ },
+ {
+ "include_uri_captures_in_opa_input": {
+ "default": false,
+ "type": "boolean",
+ "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA."
+ }
+ },
+ {
+ "ssl_verify": {
+ "required": true,
+ "default": true,
+ "type": "boolean",
+ "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate."
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "entity_checks": [
+
+ ]
+}
\ No newline at end of file
diff --git a/schemas/openid-connect/3.6.x.json b/schemas/openid-connect/3.6.x.json
new file mode 100644
index 00000000..dbdba7dc
--- /dev/null
+++ b/schemas/openid-connect/3.6.x.json
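Review bot: `include_body_in_opa_input` is the only `include_*` option in schemas/opa/3.6.x.json without a `description`, and going by its name it forwards the most sensitive data of the group. Judging from its siblings, something like `"description": "If set to true, the raw body of the current request is included as input to OPA."` is needed, with the wording confirmed against the plugin. Related: `opa_protocol` defaults to `http`, so the `ssl_verify` default of `true` presumably has no effect until the protocol is changed. With the default `opa_host` of `localhost` that is reasonable, but the `opa_protocol` or `opa_host` description should say that a remote OPA server is to be reached over `https`, since the request body and the Consumer, Service and Route objects can all be part of the input.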
@@ -0,0 +1,2546 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "shorthand_fields": [ + { + "authorization_cookie_lifetime": { + "type": "number" + } + }, + { + "authorization_cookie_samesite": { + "type": "string" + } + }, + { + "authorization_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_cookie_lifetime": { + "type": "number" + } + }, + { + "session_cookie_idletime": { + "type": "number" + } + }, + { + "session_cookie_samesite": { + "type": "string" + } + }, + { + "session_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "type": "string" + } + }, + { + "session_memcache_socket": { + "type": "string" + } + }, + { + "session_memcache_host": { + "type": "string" + } + }, + { + "session_memcache_port": { + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer" + } + }, + { + "session_cookie_renew": { + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "type": "integer" + } + }, + { + "session_strategy": { + "type": "string" + } + }, + { + "session_compressor": { + "type": "string" + } + } + ], + "required": true, + "type": "record", + "fields": [ + { + "issuer": { + "required": true, + "type": "string", + "description": "The discovery endpoint (or the issuer identifier). 
When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`." + } + }, + { + "using_pseudo_issuer": { + "default": false, + "type": "boolean", + "required": false, + "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`." + } + }, + { + "discovery_headers_names": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the discovery endpoint." + } + }, + { + "discovery_headers_values": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the discovery endpoint." + } + }, + { + "extra_jwks_uris": { + "required": false, + "type": "set", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery)." + } + }, + { + "rediscovery_lifetime": { + "default": 30, + "type": "number", + "required": false, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis." + } + }, + { + "auth_methods": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ], + "description": "Types of credentials/grants to enable." 
+ } + }, + { + "client_id": { + "type": "array", + "encrypted": true, + "required": false, + "elements": { + "type": "string", + "referenceable": true + }, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." + } + }, + { + "client_secret": { + "type": "array", + "encrypted": true, + "required": false, + "elements": { + "type": "string", + "referenceable": true + }, + "description": "The client secret." + } + }, + { + "client_auth": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + }, + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication)." 
+ } + }, + { + "client_jwk": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "required": false, + "fields": [ + { + "issuer": { + "type": "string", + "required": false + } + }, + { + "kty": { + "type": "string", + "required": false + } + }, + { + "use": { + "type": "string", + "required": false + } + }, + { + "key_ops": { + "required": false, + "elements": { + "type": "string", + "required": false + }, + "type": "array" + } + }, + { + "alg": { + "type": "string", + "required": false + } + }, + { + "kid": { + "type": "string", + "required": false + } + }, + { + "x5u": { + "type": "string", + "required": false + } + }, + { + "x5c": { + "required": false, + "elements": { + "type": "string", + "required": false + }, + "type": "array" + } + }, + { + "x5t": { + "type": "string", + "required": false + } + }, + { + "x5t#S256": { + "type": "string", + "required": false + } + }, + { + "k": { + "required": false, + "referenceable": true, + "encrypted": true, + "type": "string" + } + }, + { + "x": { + "type": "string", + "required": false + } + }, + { + "y": { + "type": "string", + "required": false + } + }, + { + "crv": { + "type": "string", + "required": false + } + }, + { + "n": { + "type": "string", + "required": false + } + }, + { + "e": { + "type": "string", + "required": false + } + }, + { + "d": { + "required": false, + "referenceable": true, + "encrypted": true, + "type": "string" + } + }, + { + "p": { + "required": false, + "referenceable": true, + "encrypted": true, + "type": "string" + } + }, + { + "q": { + "required": false, + "referenceable": true, + "encrypted": true, + "type": "string" + } + }, + { + "dp": { + "required": false, + "referenceable": true, + "encrypted": true, + "type": "string" + } + }, + { + "dq": { + "required": false, + "referenceable": true, + "encrypted": true, + "type": "string" + } + }, + { + "qi": { + "required": false, + "referenceable": true, + "encrypted": true, + "type": "string" + } + }, + { + "oth": { 
+ "required": false, + "referenceable": true, + "encrypted": true, + "type": "string" + } + }, + { + "r": { + "required": false, + "referenceable": true, + "encrypted": true, + "type": "string" + } + }, + { + "t": { + "required": false, + "referenceable": true, + "encrypted": true, + "type": "string" + } + } + ] + }, + "description": "The JWK used for the private_key_jwt authentication." + } + }, + { + "client_alg": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS384", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + }, + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication." + } + }, + { + "client_arg": { + "default": "client_id", + "type": "string", + "required": false, + "description": "The client to use for this request (the selection is made with a request parameter with the same name)." + } + }, + { + "redirect_uri": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "The redirect URI passed to the authorization and token endpoints." + } + }, + { + "login_redirect_uri": { + "required": false, + "type": "array", + "elements": { + "referenceable": true, + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client when `login_action` is set to `redirect`." + } + }, + { + "logout_redirect_uri": { + "required": false, + "type": "array", + "elements": { + "referenceable": true, + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client after the logout." 
+ } + }, + { + "forbidden_redirect_uri": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client on forbidden requests." + } + }, + { + "forbidden_error_message": { + "default": "Forbidden", + "type": "string", + "required": false, + "description": "The error message for the forbidden requests (when not using the redirection)." + } + }, + { + "forbidden_destroy_session": { + "default": true, + "type": "boolean", + "required": false, + "description": "Destroy any active session for the forbidden requests." + } + }, + { + "unauthorized_destroy_session": { + "default": true, + "type": "boolean", + "required": false, + "description": "Destroy any active session for the unauthorized requests." + } + }, + { + "unauthorized_redirect_uri": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client on unauthorized requests." + } + }, + { + "unauthorized_error_message": { + "default": "Unauthorized", + "type": "string", + "required": false, + "description": "The error message for the unauthorized requests (when not using the redirection)." + } + }, + { + "unexpected_redirect_uri": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client when unexpected errors happen with the requests." 
+ } + }, + { + "response_mode": { + "type": "string", + "required": false, + "one_of": [ + "query", + "form_post", + "fragment" + ], + "default": "query", + "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)." + } + }, + { + "response_type": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "code" + ], + "description": "The response type passed to the authorization endpoint." + } + }, + { + "scopes": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "referenceable": true + }, + "default": [ + "openid" + ], + "description": "The scopes passed to the authorization and token endpoints." + } + }, + { + "audience": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The audience passed to the authorization endpoint." + } + }, + { + "issuers_allowed": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The issuers allowed to be present in the tokens (`iss` claim)." + } + }, + { + "scopes_required": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } + }, + { + "scopes_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "scope" + ], + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload." 
+ } + }, + { + "audience_required": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } + }, + { + "audience_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "aud" + ], + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "groups_required": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } + }, + { + "groups_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "groups" + ], + "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "roles_required": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } + }, + { + "roles_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "roles" + ], + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload." 
+ } + }, + { + "domains": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The allowed values for the `hd` claim." + } + }, + { + "max_age": { + "type": "number", + "required": false, + "description": "The maximum age (in seconds) compared to the `auth_time` claim." + } + }, + { + "authenticated_groups_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "pushed_authorization_request_endpoint": { + "required": false, + "type": "string", + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint." + } + }, + { + "pushed_authorization_request_endpoint_auth_method": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ], + "required": false, + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + } + }, + { + "require_pushed_authorization_requests": { + "type": "boolean", + "required": false, + "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`)." 
+ } + }, + { + "require_proof_key_for_code_exchange": { + "type": "boolean", + "required": false, + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled)." + } + }, + { + "authorization_endpoint": { + "required": false, + "type": "string", + "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint." + } + }, + { + "authorization_query_args_names": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra query argument names passed to the authorization endpoint." + } + }, + { + "authorization_query_args_values": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra query argument values passed to the authorization endpoint." + } + }, + { + "authorization_query_args_client": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra query arguments passed from the client to the authorization endpoint." + } + }, + { + "authorization_rolling_timeout": { + "default": 600, + "type": "number", + "required": false, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." + } + }, + { + "authorization_cookie_name": { + "default": "authorization", + "type": "string", + "required": false, + "description": "The authorization cookie name." 
+ } + }, + { + "authorization_cookie_path": { + "required": false, + "type": "string", + "starts_with": "/", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "default": "/", + "description": "The authorization cookie Path flag." + } + }, + { + "authorization_cookie_domain": { + "type": "string", + "required": false, + "description": "The authorization cookie Domain flag." + } + }, + { + "authorization_cookie_same_site": { + "type": "string", + "required": false, + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ], + "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." + } + }, + { + "authorization_cookie_http_only": { + "default": true, + "type": "boolean", + "required": false, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." + } + }, + { + "authorization_cookie_secure": { + "type": "boolean", + "required": false, + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." + } + }, + { + "preserve_query_args": { + "default": false, + "type": "boolean", + "required": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow." + } + }, + { + "token_endpoint": { + "required": false, + "type": "string", + "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint." 
+ } + }, + { + "token_endpoint_auth_method": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ], + "required": false, + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + } + }, + { + "token_headers_names": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the token endpoint." + } + }, + { + "token_headers_values": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the token endpoint." + } + }, + { + "token_headers_client": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the token endpoint." + } + }, + { + "token_headers_replay": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The names of token endpoint response headers to forward to the downstream client." + } + }, + { + "token_headers_prefix": { + "type": "string", + "required": false, + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client." 
+ } + }, + { + "token_headers_grants": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token" + ] + }, + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant." + } + }, + { + "token_post_args_names": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra post argument names passed to the token endpoint." + } + }, + { + "token_post_args_values": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra post argument values passed to the token endpoint." + } + }, + { + "token_post_args_client": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Reqest Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint." + } + }, + { + "introspection_endpoint": { + "required": false, + "type": "string", + "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint." 
+ } + }, + { + "introspection_endpoint_auth_method": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ], + "required": false, + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + } + }, + { + "introspection_hint": { + "default": "access_token", + "type": "string", + "required": false, + "description": "Introspection hint parameter value passed to the introspection endpoint." + } + }, + { + "introspection_check_active": { + "default": true, + "type": "boolean", + "required": false, + "description": "Check that the introspection response has an `active` claim with a value of `true`." + } + }, + { + "introspection_accept": { + "type": "string", + "required": false, + "one_of": [ + "application/json", + "application/token-introspection+jwt", + "application/jwt" + ], + "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)." + } + }, + { + "introspection_headers_names": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the introspection endpoint." + } + }, + { + "introspection_headers_values": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the introspection endpoint." 
+ } + }, + { + "introspection_headers_client": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the introspection endpoint." + } + }, + { + "introspection_post_args_names": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra post argument names passed to the introspection endpoint." + } + }, + { + "introspection_post_args_values": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra post argument values passed to the introspection endpoint." + } + }, + { + "introspection_post_args_client": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra post arguments passed from the client to the introspection endpoint." + } + }, + { + "introspect_jwt_tokens": { + "default": false, + "type": "boolean", + "required": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations)." + } + }, + { + "revocation_endpoint": { + "required": false, + "type": "string", + "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint." + } + }, + { + "revocation_endpoint_auth_method": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ], + "required": false, + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + } + }, + { + "end_session_endpoint": { + "required": false, + "type": "string", + "description": "The end session endpoint. 
If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint." + } + }, + { + "userinfo_endpoint": { + "required": false, + "type": "string", + "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint." + } + }, + { + "userinfo_accept": { + "type": "string", + "required": false, + "one_of": [ + "application/json", + "application/jwt" + ], + "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)." + } + }, + { + "userinfo_headers_names": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the user info endpoint." + } + }, + { + "userinfo_headers_values": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the user info endpoint." + } + }, + { + "userinfo_headers_client": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the user info endpoint." + } + }, + { + "userinfo_query_args_names": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra query argument names passed to the user info endpoint." + } + }, + { + "userinfo_query_args_values": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra query argument values passed to the user info endpoint." + } + }, + { + "userinfo_query_args_client": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Extra query arguments passed from the client to the user info endpoint." 
+ } + }, + { + "token_exchange_endpoint": { + "required": false, + "type": "string", + "description": "The token exchange endpoint." + } + }, + { + "session_secret": { + "type": "string", + "required": false, + "referenceable": true, + "encrypted": true, + "description": "The session secret." + } + }, + { + "session_audience": { + "default": "default", + "type": "string", + "required": false, + "description": "The session audience, which is the intended target application. For example `\"my-application\"`." + } + }, + { + "session_cookie_name": { + "default": "session", + "type": "string", + "required": false, + "description": "The session cookie name." + } + }, + { + "session_remember": { + "default": false, + "type": "boolean", + "required": false, + "description": "Enables or disables persistent sessions." + } + }, + { + "session_remember_cookie_name": { + "default": "remember", + "type": "string", + "required": false, + "description": "Persistent session cookie name. Use with the `remember` configuration parameter." + } + }, + { + "session_remember_rolling_timeout": { + "default": 604800, + "type": "number", + "required": false, + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling." + } + }, + { + "session_remember_absolute_timeout": { + "default": 2592000, + "type": "number", + "required": false, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks." + } + }, + { + "session_idling_timeout": { + "default": 900, + "type": "number", + "required": false, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching." + } + }, + { + "session_rolling_timeout": { + "default": 3600, + "type": "number", + "required": false, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling." + } + }, + { + "session_absolute_timeout": { + "default": 86400, + "type": "number", + "required": false, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks." + } + }, + { + "session_cookie_path": { + "required": false, + "type": "string", + "starts_with": "/", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "default": "/", + "description": "The session cookie Path flag." + } + }, + { + "session_cookie_domain": { + "type": "string", + "required": false, + "description": "The session cookie Domain flag." + } + }, + { + "session_cookie_same_site": { + "type": "string", + "required": false, + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ], + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." + } + }, + { + "session_cookie_http_only": { + "default": true, + "type": "boolean", + "required": false, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." + } + }, + { + "session_cookie_secure": { + "type": "boolean", + "required": false, + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." + } + }, + { + "session_request_headers": { + "type": "set", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers." 
+ } + }, + { + "session_response_headers": { + "type": "set", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers." + } + }, + { + "session_storage": { + "type": "string", + "required": false, + "one_of": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis." + } + }, + { + "session_store_metadata": { + "default": false, + "type": "boolean", + "required": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject." + } + }, + { + "session_enforce_same_subject": { + "default": false, + "type": "boolean", + "required": false, + "description": "When set to `true`, audiences are forced to share the same subject." + } + }, + { + "session_hash_subject": { + "default": false, + "type": "boolean", + "required": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." + } + }, + { + "session_hash_storage_key": { + "default": false, + "type": "boolean", + "required": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." + } + }, + { + "session_memcached_prefix": { + "type": "string", + "required": false, + "description": "The memcached session key prefix." + } + }, + { + "session_memcached_socket": { + "type": "string", + "required": false, + "description": "The memcached unix socket path." + } + }, + { + "session_memcached_host": { + "default": "127.0.0.1", + "type": "string", + "required": false, + "description": "The memcached host." + } + }, + { + "session_memcached_port": { + "required": false, + "between": [ + 0, + 65535 + ], + "type": "integer", + "default": 11211, + "description": "The memcached port." + } + }, + { + "session_redis_prefix": { + "type": "string", + "required": false, + "description": "The Redis session key prefix." + } + }, + { + "session_redis_socket": { + "type": "string", + "required": false, + "description": "The Redis unix socket path." + } + }, + { + "session_redis_host": { + "default": "127.0.0.1", + "type": "string", + "required": false, + "description": "The Redis host." + } + }, + { + "session_redis_port": { + "required": false, + "between": [ + 0, + 65535 + ], + "type": "integer", + "default": 6379, + "description": "The Redis port." + } + }, + { + "session_redis_username": { + "type": "string", + "referenceable": true, + "required": false, + "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + } + }, + { + "session_redis_password": { + "type": "string", + "required": false, + "referenceable": true, + "encrypted": true, + "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis." 
+ } + }, + { + "session_redis_connect_timeout": { + "type": "integer", + "required": false, + "description": "Session redis connection timeout in milliseconds." + } + }, + { + "session_redis_read_timeout": { + "type": "integer", + "required": false, + "description": "Session redis read timeout in milliseconds." + } + }, + { + "session_redis_send_timeout": { + "type": "integer", + "required": false, + "description": "Session redis send timeout in milliseconds." + } + }, + { + "session_redis_ssl": { + "default": false, + "type": "boolean", + "required": false, + "description": "Use SSL/TLS for Redis connection." + } + }, + { + "session_redis_ssl_verify": { + "default": false, + "type": "boolean", + "required": false, + "description": "Verify identity provider server certificate." + } + }, + { + "session_redis_server_name": { + "type": "string", + "required": false, + "description": "The SNI used for connecting the Redis server." + } + }, + { + "session_redis_cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "required": true, + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ] + }, + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values." + } + }, + { + "session_redis_cluster_max_redirections": { + "type": "integer", + "required": false, + "description": "The Redis cluster maximum redirects." + } + }, + { + "reverify": { + "default": false, + "type": "boolean", + "required": false, + "description": "Specifies whether to always verify tokens stored in the session." 
+ } + }, + { + "jwt_session_claim": { + "default": "sid", + "type": "string", + "required": false, + "description": "The claim to match against the JWT session cookie." + } + }, + { + "jwt_session_cookie": { + "type": "string", + "required": false, + "description": "The name of the JWT session cookie." + } + }, + { + "bearer_token_param_type": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "cookie", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`." + } + }, + { + "bearer_token_cookie_name": { + "type": "string", + "required": false, + "description": "The name of the cookie in which the bearer token is passed." + } + }, + { + "client_credentials_param_type": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body." + } + }, + { + "password_param_type": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." 
+ } + }, + { + "id_token_param_type": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + } + }, + { + "id_token_param_name": { + "type": "string", + "required": false, + "description": "The name of the parameter used to pass the id token." + } + }, + { + "refresh_token_param_type": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + } + }, + { + "refresh_token_param_name": { + "type": "string", + "required": false, + "description": "The name of the parameter used to pass the refresh token." + } + }, + { + "refresh_tokens": { + "default": true, + "type": "boolean", + "required": false, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available." + } + }, + { + "upstream_headers_claims": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "upstream_headers_names": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The upstream header names for the claim values." + } + }, + { + "upstream_access_token_header": { + "default": "authorization:bearer", + "type": "string", + "required": false, + "description": "The upstream access token header." 
+ } + }, + { + "upstream_access_token_jwk_header": { + "type": "string", + "required": false, + "description": "The upstream access token JWK header." + } + }, + { + "upstream_id_token_header": { + "type": "string", + "required": false, + "description": "The upstream id token header." + } + }, + { + "upstream_id_token_jwk_header": { + "type": "string", + "required": false, + "description": "The upstream id token JWK header." + } + }, + { + "upstream_refresh_token_header": { + "type": "string", + "required": false, + "description": "The upstream refresh token header." + } + }, + { + "upstream_user_info_header": { + "type": "string", + "required": false, + "description": "The upstream user info header." + } + }, + { + "upstream_user_info_jwt_header": { + "type": "string", + "required": false, + "description": "The upstream user info JWT header (in case the user info returns a JWT response)." + } + }, + { + "upstream_introspection_header": { + "type": "string", + "required": false, + "description": "The upstream introspection header." + } + }, + { + "upstream_introspection_jwt_header": { + "type": "string", + "required": false, + "description": "The upstream introspection JWT header." + } + }, + { + "upstream_session_id_header": { + "type": "string", + "required": false, + "description": "The upstream session id header." + } + }, + { + "downstream_headers_claims": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "downstream_headers_names": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The downstream header names for the claim values." + } + }, + { + "downstream_access_token_header": { + "type": "string", + "required": false, + "description": "The downstream access token header." 
+ } + }, + { + "downstream_access_token_jwk_header": { + "type": "string", + "required": false, + "description": "The downstream access token JWK header." + } + }, + { + "downstream_id_token_header": { + "type": "string", + "required": false, + "description": "The downstream id token header." + } + }, + { + "downstream_id_token_jwk_header": { + "type": "string", + "required": false, + "description": "The downstream id token JWK header." + } + }, + { + "downstream_refresh_token_header": { + "type": "string", + "required": false, + "description": "The downstream refresh token header." + } + }, + { + "downstream_user_info_header": { + "type": "string", + "required": false, + "description": "The downstream user info header." + } + }, + { + "downstream_user_info_jwt_header": { + "type": "string", + "required": false, + "description": "The downstream user info JWT header (in case the user info returns a JWT response)." + } + }, + { + "downstream_introspection_header": { + "type": "string", + "required": false, + "description": "The downstream introspection header." + } + }, + { + "downstream_introspection_jwt_header": { + "type": "string", + "required": false, + "description": "The downstream introspection JWT header." + } + }, + { + "downstream_session_id_header": { + "type": "string", + "required": false, + "description": "The downstream session id header." + } + }, + { + "login_methods": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "default": [ + "authorization_code" + ], + "description": "Enable login functionality with specified grants." 
+ } + }, + { + "login_action": { + "type": "string", + "required": false, + "one_of": [ + "upstream", + "response", + "redirect" + ], + "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location." + } + }, + { + "login_tokens": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id_token", + "access_token", + "refresh_token", + "tokens", + "introspection" + ] + }, + "default": [ + "id_token" + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response." + } + }, + { + "login_redirect_mode": { + "type": "string", + "required": false, + "one_of": [ + "query", + "fragment" + ], + "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)." + } + }, + { + "logout_query_arg": { + "type": "string", + "required": false, + "description": "The request query argument that activates the logout." + } + }, + { + "logout_post_arg": { + "type": "string", + "required": false, + "description": "The request body argument that activates the logout." + } + }, + { + "logout_uri_suffix": { + "type": "string", + "required": false, + "description": "The request URI suffix that activates the logout." 
+ } + }, + { + "logout_methods": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "POST", + "GET", + "DELETE" + ] + }, + "default": [ + "POST", + "DELETE" + ], + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method." + } + }, + { + "logout_revoke": { + "default": false, + "type": "boolean", + "required": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters." + } + }, + { + "logout_revoke_access_token": { + "default": true, + "type": "boolean", + "required": false, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`." + } + }, + { + "logout_revoke_refresh_token": { + "default": true, + "type": "boolean", + "required": false, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`." + } + }, + { + "consumer_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "consumer_by": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "default": [ + "username", + "custom_id" + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`." + } + }, + { + "consumer_optional": { + "default": false, + "type": "boolean", + "required": false, + "description": "Do not terminate the request if consumer mapping fails." 
+ } + }, + { + "credential_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "sub" + ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "anonymous": { + "type": "string", + "required": false, + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "run_on_preflight": { + "default": true, + "type": "boolean", + "required": false, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests." + } + }, + { + "leeway": { + "default": 0, + "type": "number", + "required": false, + "description": "Allow some leeway (in seconds) on the iat claim and ttl / expiry verification." + } + }, + { + "verify_parameters": { + "default": false, + "type": "boolean", + "required": false, + "description": "Verify plugin configuration against discovery." + } + }, + { + "verify_nonce": { + "default": true, + "type": "boolean", + "required": false, + "description": "Verify nonce on authorization code flow." + } + }, + { + "verify_claims": { + "default": true, + "type": "boolean", + "required": false, + "description": "Verify tokens for standard claims." + } + }, + { + "verify_signature": { + "default": true, + "type": "boolean", + "required": false, + "description": "Verify signature of tokens." 
+ } + }, + { + "ignore_signature": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token", + "session", + "introspection", + "userinfo" + ] + }, + "default": [ + + ], + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication." + } + }, + { + "enable_hs_signatures": { + "default": false, + "type": "boolean", + "required": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted)." + } + }, + { + "disable_session": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "description": "Disable issuing the session cookie with the specified grants." + } + }, + { + "cache_ttl": { + "default": 3600, + "type": "number", + "required": false, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry." + } + }, + { + "cache_ttl_max": { + "type": "number", + "required": false, + "description": "The maximum cache ttl in seconds (enforced)." + } + }, + { + "cache_ttl_min": { + "type": "number", + "required": false, + "description": "The minimum cache ttl in seconds (enforced)." + } + }, + { + "cache_ttl_neg": { + "type": "number", + "required": false, + "description": "The negative cache ttl in seconds." 
+ } + }, + { + "cache_ttl_resurrect": { + "type": "number", + "required": false, + "description": "The resurrection ttl in seconds." + } + }, + { + "cache_tokens": { + "default": true, + "type": "boolean", + "required": false, + "description": "Cache the token endpoint requests." + } + }, + { + "cache_tokens_salt": { + "auto": true, + "type": "string", + "required": false, + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." + } + }, + { + "cache_introspection": { + "default": true, + "type": "boolean", + "required": false, + "description": "Cache the introspection endpoint requests." + } + }, + { + "cache_token_exchange": { + "default": true, + "type": "boolean", + "required": false, + "description": "Cache the token exchange endpoint requests." + } + }, + { + "cache_user_info": { + "default": true, + "type": "boolean", + "required": false, + "description": "Cache the user info requests." + } + }, + { + "search_user_info": { + "default": false, + "type": "boolean", + "required": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers." + } + }, + { + "hide_credentials": { + "default": false, + "type": "boolean", + "required": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication." + } + }, + { + "http_version": { + "required": false, + "default": 1.1, + "type": "number", + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0." + } + }, + { + "http_proxy": { + "required": false, + "type": "string", + "description": "The HTTP proxy." 
+ } + }, + { + "http_proxy_authorization": { + "type": "string", + "required": false, + "description": "The HTTP proxy authorization." + } + }, + { + "https_proxy": { + "required": false, + "type": "string", + "description": "The HTTPS proxy." + } + }, + { + "https_proxy_authorization": { + "type": "string", + "required": false, + "description": "The HTTPS proxy authorization." + } + }, + { + "no_proxy": { + "type": "string", + "required": false, + "description": "Do not use proxy with these hosts." + } + }, + { + "keepalive": { + "default": true, + "type": "boolean", + "required": false, + "description": "Use keepalive with the HTTP client." + } + }, + { + "ssl_verify": { + "default": false, + "type": "boolean", + "required": false, + "description": "Verify identity provider server certificate." + } + }, + { + "timeout": { + "default": 10000, + "type": "number", + "required": false, + "description": "Network IO timeout in milliseconds." + } + }, + { + "display_errors": { + "default": false, + "type": "boolean", + "required": false, + "description": "Display errors on failure responses." + } + }, + { + "by_username_ignore_case": { + "default": false, + "type": "boolean", + "required": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively." + } + }, + { + "resolve_distributed_claims": { + "default": false, + "type": "boolean", + "required": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims." + } + }, + { + "expose_error_code": { + "type": "boolean", + "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable." 
+ } + }, + { + "token_cache_key_include_scope": { + "type": "boolean", + "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens." + } + }, + { + "introspection_token_param_name": { + "default": "token", + "type": "string", + "required": false, + "description": "Designate token's parameter name for introspection." + } + }, + { + "revocation_token_param_name": { + "default": "token", + "type": "string", + "required": false, + "description": "Designate token's parameter name for revocation." + } + }, + { + "proof_of_possession_mtls": { + "type": "string", + "required": false, + "one_of": [ + "off", + "strict", + "optional" + ], + "default": "off", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401." + } + }, + { + "proof_of_possession_auth_methods_validation": { + "default": true, + "type": "boolean", + "required": false, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP." 
+ } + }, + { + "tls_client_auth_cert_id": { + "uuid": true, + "type": "string", + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "required": false, + "auto": false + } + }, + { + "tls_client_auth_ssl_verify": { + "default": true, + "type": "boolean", + "required": false, + "description": "Verify identity provider server certificate during mTLS client authentication." + } + }, + { + "mtls_token_endpoint": { + "required": false, + "type": "string", + "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." + } + }, + { + "mtls_introspection_endpoint": { + "required": false, + "type": "string", + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." + } + }, + { + "mtls_revocation_endpoint": { + "required": false, + "type": "string", + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/opentelemetry/3.6.x.json b/schemas/opentelemetry/3.6.x.json new file mode 100644 index 00000000..d1c94e10 --- /dev/null +++ b/schemas/opentelemetry/3.6.x.json 
@@ -0,0 +1,246 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "batch_span_count", + "batch_flush_delay" + ] + } + } + ], + "required": true, + "fields": [ + { + "endpoint": { + "required": true, + "referenceable": true, + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "headers": { + "keys": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "values": { + "type": "string", + "referenceable": true + }, + "type": "map", + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend." + } + }, + { + "resource_attributes": { + "keys": { + "type": "string", + "required": true + }, + "type": "map", + "values": { + "type": "string", + "required": true + } + } + }, + { + "queue": { + "type": "record", + "required": true, + "fields": [ + { + "max_batch_size": { + "between": [ + 1, + 1000000 + ], + "type": "integer", + "default": 1, + "description": "Maximum number of entries that can be processed at a time." + } + }, + { + "max_coalescing_delay": { + "between": [ + 0, + 3600 + ], + "type": "number", + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." 
+ } + }, + { + "max_entries": { + "between": [ + 1, + 1000000 + ], + "type": "integer", + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue." + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + } + }, + { + "max_retry_time": { + "type": "number", + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + } + }, + { + "initial_retry_delay": { + "between": [ + 0.001, + 1000000 + ], + "type": "number", + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch." + } + }, + { + "max_retry_delay": { + "between": [ + 0.001, + 1000000 + ], + "type": "number", + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff." + } + } + ] + } + }, + { + "batch_span_count": { + "type": "integer", + "description": "The number of spans to be sent in a single batch." + } + }, + { + "batch_flush_delay": { + "type": "integer", + "description": "The delay, in seconds, between two consecutive batches." + } + }, + { + "connect_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 1000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "send_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 5000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "read_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 5000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." 
+ } + }, + { + "http_response_header_for_traceid": { + "type": "string" + } + }, + { + "header_type": { + "type": "string", + "one_of": [ + "preserve", + "ignore", + "b3", + "b3-single", + "w3c", + "jaeger", + "ot", + "aws", + "gcp", + "datadog" + ], + "default": "preserve", + "required": false + } + }, + { + "sampling_rate": { + "between": [ + 0, + 1 + ], + "type": "number", + "required": false, + "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/post-function/3.6.x.json b/schemas/post-function/3.6.x.json new file mode 100644 index 00000000..3f32fd01 --- /dev/null +++ b/schemas/post-function/3.6.x.json 
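Review bot: The `headers` description in `config` says the map is used for APM authentication tokens, but it does not mention that `values` is `"referenceable": true`, so a reader is likely to paste the token in as a literal. I would extend the description with something like `Header values can be vault references, which keeps the token out of the stored plugin configuration.` In the same hunk, `resource_attributes`, `http_response_header_for_traceid` and `header_type` have no `description` at all. Since the file is pulled from the API, both fixes belong in the upstream schema and would arrive here with the next download.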
@@ -0,0 +1,228 @@ +{ + "fields": [ + { + "protocols": { + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": false, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." 
+ } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "certificate": { + "required": true, + "type": "array", + "elements": { + "required": false, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "rewrite": { + "required": true, + "type": "array", + "elements": { + "required": false, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "access": { + "required": true, + "type": "array", + "elements": { + "required": false, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "header_filter": { + "required": true, + "type": "array", + "elements": { + "required": false, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "body_filter": { + "required": true, + "type": "array", + "elements": { + "required": false, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "log": { + "required": true, + "type": "array", + "elements": { + "required": false, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "ws_handshake": { + "required": true, + "type": "array", + "elements": { + "required": false, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "ws_client_frame": { + "required": true, + "type": "array", + "elements": { + "required": false, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "ws_upstream_frame": { + "required": true, + "type": "array", + "elements": { + "required": false, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "ws_close": { + "required": true, + "type": "array", + "elements": { + "required": false, + "type": "string" + }, + "default": [ + + ] + } + } + ] + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ] +} \ No newline at end of file 
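Review bot: The `fields` array defines `protocols` twice, and the two definitions disagree. The first is `"required": false` and its default includes `ws` and `wss`; the second is `"required": true`, defaults to only `grpc`/`grpcs`/`http`/`https`, and also allows `tcp`, `tls`, `tls_passthrough` and `udp`. Which one wins depends on the consumer, so rendered docs and any validator built from this file can show different defaults; the export should emit a single `protocols` entry. `schemas/pre-function/3.6.x.json` has the same blob hash (`3f32fd01`) and so the same duplicate. None of the phase arrays under `config` (`certificate`, `rewrite`, `access`, … `ws_close`) has a `description`, so the docs give no indication of what the strings are or when they run.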
diff --git a/schemas/pre-function/3.6.x.json b/schemas/pre-function/3.6.x.json new file mode 100644 index 00000000..3f32fd01 --- /dev/null +++ b/schemas/pre-function/3.6.x.json 
@@ -0,0 +1,228 @@ +{ + "fields": [ + { + "protocols": { + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": false, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." 
+ } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "certificate": { + "required": true, + "type": "array", + "elements": { + "required": false, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "rewrite": { + "required": true, + "type": "array", + "elements": { + "required": false, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "access": { + "required": true, + "type": "array", + "elements": { + "required": false, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "header_filter": { + "required": true, + "type": "array", + "elements": { + "required": false, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "body_filter": { + "required": true, + "type": "array", + "elements": { + "required": false, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "log": { + "required": true, + "type": "array", + "elements": { + "required": false, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "ws_handshake": { + "required": true, + "type": "array", + "elements": { + "required": false, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "ws_client_frame": { + "required": true, + "type": "array", + "elements": { + "required": false, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "ws_upstream_frame": { + "required": true, + "type": "array", + "elements": { + "required": false, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "ws_close": { + "required": true, + "type": "array", + "elements": { + "required": false, + "type": "string" + }, + "default": [ + + ] + } + } + ] + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ] +} \ No newline at end of file 
diff --git a/schemas/prometheus/3.6.x.json b/schemas/prometheus/3.6.x.json new file mode 100644 index 00000000..ba89d039 --- /dev/null +++ b/schemas/prometheus/3.6.x.json 
@@ -0,0 +1,87 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "per_consumer": { + "default": false, + "type": "boolean", + "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available." + } + }, + { + "status_code_metrics": { + "default": false, + "type": "boolean", + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported." + } + }, + { + "latency_metrics": { + "default": false, + "type": "boolean", + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported." + } + }, + { + "bandwidth_metrics": { + "default": false, + "type": "boolean", + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported." + } + }, + { + "upstream_health_metrics": { + "default": false, + "type": "boolean", + "description": "A boolean value that determines if status code metrics should be collected. 
If enabled, `upstream_target_health` metric will be exported." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/proxy-cache-advanced/3.6.x.json b/schemas/proxy-cache-advanced/3.6.x.json new file mode 100644 index 00000000..0c64efc5 --- /dev/null +++ b/schemas/proxy-cache-advanced/3.6.x.json 
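Review bot: The descriptions of `latency_metrics`, `bandwidth_metrics` and `upstream_health_metrics` all open with "determines if status code metrics should be collected", which appears to be copied from `status_code_metrics`. Each should name its own metric family, for example `"A boolean value that determines if latency metrics should be collected. If enabled, ..."`, and likewise "bandwidth metrics" and "upstream health metrics". `bandwidth_metrics` also lists `stream_sessions_total`, which `status_code_metrics` already claims; that may be another copy-paste slip and should be checked against the plugin before the text is published.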
@@ -0,0 +1,448 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "response_code": { + "required": true, + "type": "array", + "len_min": 1, + "default": [ + 200, + 301, + 404 + ], + "elements": { + "type": "integer", + "between": [ + 100, + 900 + ] + }, + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900." + } + }, + { + "request_method": { + "required": true, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "HEAD", + "GET", + "POST", + "PATCH", + "PUT" + ] + }, + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`." + } + }, + { + "content_type": { + "required": true, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "text/plain", + "application/json" + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned." + } + }, + { + "cache_ttl": { + "type": "integer", + "gt": 0, + "default": 300, + "description": "TTL in seconds of cache entities." + } + }, + { + "strategy": { + "type": "string", + "one_of": [ + "memory", + "redis" + ], + "required": true, + "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`." 
+ } + }, + { + "cache_control": { + "default": false, + "type": "boolean", + "required": true, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234." + } + }, + { + "ignore_uri_case": { + "default": false, + "type": "boolean", + "required": false, + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI." + } + }, + { + "storage_ttl": { + "type": "integer", + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." + } + }, + { + "memory": { + "type": "record", + "required": true, + "fields": [ + { + "dictionary_name": { + "default": "kong_db_cache", + "type": "string", + "required": true, + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template." + } + } + ] + } + }, + { + "vary_query_params": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration." + } + }, + { + "vary_headers": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." 
+ } + }, + { + "response_headers": { + "description": "Caching related diagnostic headers that should be included in cached responses", + "type": "record", + "required": true, + "fields": [ + { + "age": { + "type": "boolean", + "default": true + } + }, + { + "X-Cache-Status": { + "type": "boolean", + "default": true + } + }, + { + "X-Cache-Key": { + "type": "boolean", + "default": true + } + } + ] + } + }, + { + "redis": { + "type": "record", + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_addresses" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ], + "required": true, + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "connect_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." 
+ } + }, + { + "send_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "read_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "username": { + "referenceable": true, + "type": "string", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + } + }, + { + "password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + } + }, + { + "sentinel_username": { + "referenceable": true, + "type": "string", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + } + }, + { + "sentinel_password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + } + }, + { + "database": { + "default": 0, + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy" + } + }, + { + "keepalive_pool_size": { + "between": [ + 1, + 2147483646 + ], + "default": 256, + "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low." + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "one_of": [ + "master", + "slave", + "any" + ], + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_addresses": { + "len_min": 1, + "elements": { + "type": "string" + }, + "type": "array", + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element." + } + }, + { + "cluster_addresses": { + "len_min": 1, + "elements": { + "type": "string" + }, + "type": "array", + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element." + } + }, + { + "ssl": { + "default": false, + "required": false, + "type": "boolean", + "description": "If set to true, uses SSL to connect to Redis." 
+ } + }, + { + "ssl_verify": { + "default": false, + "required": false, + "type": "boolean", + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + } + }, + { + "server_name": { + "required": false, + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS." + } + } + ] + } + }, + { + "bypass_on_err": { + "type": "boolean", + "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream." + } + } + ] + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/proxy-cache/3.6.x.json b/schemas/proxy-cache/3.6.x.json new file mode 100644 index 00000000..572b3aac --- /dev/null +++ b/schemas/proxy-cache/3.6.x.json 
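Review bot: In the `redis` record, `ssl` and `ssl_verify` both default to `false`, while the same record accepts `password` and `sentinel_password`, and neither description says what those defaults mean for an operator. Going by the schema alone, a configuration that sets only `host`, `port` and `password` would send the credentials and the cached responses to Redis unencrypted. With `ssl: true` but `ssl_verify` left at its default, the server certificate would not be validated. I would add to the `ssl` description `Defaults to false, in which case the connection to Redis, including authentication, is not encrypted.` and to `ssl_verify` `Defaults to false; enable it together with ssl so the Redis server identity is checked.` The wording has to change upstream, since this file is downloaded.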
@@ -0,0 +1,205 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "response_code": { + "required": true, + "type": "array", + "len_min": 1, + "default": [ + 200, + 301, + 404 + ], + "elements": { + "type": "integer", + "between": [ + 100, + 900 + ] + }, + "description": "Upstream response status code considered cacheable." + } + }, + { + "request_method": { + "required": true, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "HEAD", + "GET", + "POST", + "PATCH", + "PUT" + ] + }, + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable." + } + }, + { + "content_type": { + "required": true, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "text/plain", + "application/json" + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value." + } + }, + { + "cache_ttl": { + "type": "integer", + "gt": 0, + "default": 300, + "description": "TTL, in seconds, of cache entities." + } + }, + { + "strategy": { + "type": "string", + "one_of": [ + "memory" + ], + "required": true, + "description": "The backing data store in which to hold cache entities." + } + }, + { + "cache_control": { + "type": "boolean", + "required": true, + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234." 
+ } + }, + { + "ignore_uri_case": { + "required": false, + "default": false, + "type": "boolean" + } + }, + { + "storage_ttl": { + "type": "integer", + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." + } + }, + { + "memory": { + "type": "record", + "required": true, + "fields": [ + { + "dictionary_name": { + "type": "string", + "required": true, + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template." + } + } + ] + } + }, + { + "vary_query_params": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration." + } + }, + { + "vary_headers": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." + } + }, + { + "response_headers": { + "description": "Caching related diagnostic headers that should be included in cached responses", + "type": "record", + "required": true, + "fields": [ + { + "age": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Status": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Key": { + "default": true, + "type": "boolean" + } + } + ] + } + } + ] + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/rate-limiting-advanced/3.6.x.json b/schemas/rate-limiting-advanced/3.6.x.json new file mode 100644 index 00000000..0758466e --- /dev/null +++ b/schemas/rate-limiting-advanced/3.6.x.json 
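Review bot: `ignore_uri_case` and the three `response_headers` flags (`age`, `X-Cache-Status`, `X-Cache-Key`) carry no `description`, so the reference for this version has nothing to say about them. The same gap affects the fields under `remove`/`rename`/`replace`/`add`/`append` in the request-transformer-advanced and request-transformer hunks further down. `X-Cache-Key` most needs text, because it defaults to `true` and, going by the parent description, is included in cached responses sent to clients. Something like `"description": "Adds the X-Cache-Key diagnostic header, which shows the cache key of the entry to the client; disable it where that should stay internal."` would cover it, with the wording confirmed against the plugin. Since these files are pulled from the API, the text belongs in the plugin schema rather than in a hand edit here.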
@@ -0,0 +1,438 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "identifier": { + "required": true, + "type": "string", + "one_of": [ + "ip", + "credential", + "consumer", + "service", + "header", + "path", + "consumer-group" + ], + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`." + } + }, + { + "window_size": { + "type": "array", + "required": true, + "elements": { + "type": "number" + }, + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified." + } + }, + { + "window_type": { + "default": "sliding", + "one_of": [ + "fixed", + "sliding" + ], + "type": "string", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters." + } + }, + { + "limit": { + "type": "array", + "required": true, + "elements": { + "type": "number" + }, + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified." 
+ } + }, + { + "sync_rate": { + "type": "number", + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." + } + }, + { + "namespace": { + "auto": true, + "required": true, + "type": "string", + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same." + } + }, + { + "strategy": { + "required": true, + "type": "string", + "one_of": [ + "cluster", + "redis", + "local" + ], + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`." + } + }, + { + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "required": true, + "type": "string", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle." + } + }, + { + "hide_client_headers": { + "default": false, + "type": "boolean", + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters." 
+ } + }, + { + "retry_after_jitter_max": { + "default": 0, + "type": "number", + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header." + } + }, + { + "header_name": { + "type": "string", + "description": "A string representing an HTTP header name." + } + }, + { + "path": { + "starts_with": "/", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + } + }, + { + "redis": { + "type": "record", + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_addresses" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ], + "required": true, + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ } + }, + { + "timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "connect_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "send_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "read_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "username": { + "referenceable": true, + "type": "string", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + } + }, + { + "password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + } + }, + { + "sentinel_username": { + "referenceable": true, + "type": "string", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + } + }, + { + "sentinel_password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." 
+ } + }, + { + "database": { + "default": 0, + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy" + } + }, + { + "keepalive_pool_size": { + "between": [ + 1, + 2147483646 + ], + "default": 256, + "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "one_of": [ + "master", + "slave", + "any" + ], + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_addresses": { + "len_min": 1, + "elements": { + "type": "string" + }, + "type": "array", + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. 
Each string element must be a hostname. The minimum length of the array is 1 element." + } + }, + { + "cluster_addresses": { + "len_min": 1, + "elements": { + "type": "string" + }, + "type": "array", + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element." + } + }, + { + "ssl": { + "default": false, + "required": false, + "type": "boolean", + "description": "If set to true, uses SSL to connect to Redis." + } + }, + { + "ssl_verify": { + "default": false, + "required": false, + "type": "boolean", + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + } + }, + { + "server_name": { + "required": false, + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS." + } + } + ] + } + }, + { + "enforce_consumer_groups": { + "default": false, + "type": "boolean", + "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups." + } + }, + { + "consumer_groups": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`." 
+ } + }, + { + "disable_penalty": { + "default": false, + "type": "boolean", + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type." + } + }, + { + "error_code": { + "default": 429, + "gt": 0, + "type": "number", + "description": "Set a custom error code to return when the rate limit is exceeded." + } + }, + { + "error_message": { + "default": "API rate limit exceeded", + "type": "string", + "description": "Set a custom error message to return when the rate limit is exceeded." + } + } + ] + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/rate-limiting/3.6.x.json b/schemas/rate-limiting/3.6.x.json new file mode 100644 index 00000000..c8fec16d --- /dev/null +++ b/schemas/rate-limiting/3.6.x.json 
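Review bot: The `strategy` description ends with "Available values are: `local` and `cluster`", but the `one_of` next to it also accepts `redis`. The `dictionary_name`, `database` and Sentinel descriptions in this same hunk all refer to the `redis` strategy. A reader going by the description would not learn that the option exists, or that the `redis` record applies to it, including its `ssl` and `ssl_verify` flags, which both default to `false`. The sentence should list all three values: `Available values are: local, cluster and redis.` The file is an API download, so the correction has to be made in the plugin schema and pulled again.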
@@ -0,0 +1,303 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "second": { + "gt": 0, + "type": "number", + "description": "The number of HTTP requests that can be made per second." + } + }, + { + "minute": { + "gt": 0, + "type": "number", + "description": "The number of HTTP requests that can be made per minute." + } + }, + { + "hour": { + "gt": 0, + "type": "number", + "description": "The number of HTTP requests that can be made per hour." + } + }, + { + "day": { + "gt": 0, + "type": "number", + "description": "The number of HTTP requests that can be made per day." + } + }, + { + "month": { + "gt": 0, + "type": "number", + "description": "The number of HTTP requests that can be made per month." + } + }, + { + "year": { + "gt": 0, + "type": "number", + "description": "The number of HTTP requests that can be made per year." + } + }, + { + "limit_by": { + "default": "consumer", + "one_of": [ + "consumer", + "credential", + "ip", + "service", + "header", + "path", + "consumer-group" + ], + "type": "string", + "description": "The entity that is used when aggregating the limits." + } + }, + { + "header_name": { + "type": "string", + "description": "A string representing an HTTP header name." + } + }, + { + "path": { + "starts_with": "/", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." 
+ } + }, + { + "policy": { + "type": "string", + "len_min": 0, + "one_of": [ + "local", + "cluster", + "redis" + ], + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits." + } + }, + { + "fault_tolerant": { + "type": "boolean", + "default": true, + "required": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors." + } + }, + { + "redis_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "redis_port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "redis_password": { + "len_min": 0, + "referenceable": true, + "type": "string", + "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server." + } + }, + { + "redis_username": { + "referenceable": true, + "type": "string", + "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired." + } + }, + { + "redis_ssl": { + "type": "boolean", + "default": false, + "required": true, + "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server." + } + }, + { + "redis_ssl_verify": { + "type": "boolean", + "default": false, + "required": true, + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies it server SSL certificate is validated. 
Note that you need to configure the lua_ssl_trusted_certificate to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly." + } + }, + { + "redis_server_name": { + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS." + } + }, + { + "redis_timeout": { + "default": 2000, + "type": "number", + "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server." + } + }, + { + "redis_database": { + "default": 0, + "type": "integer", + "description": "When using the `redis` policy, this property specifies the Redis database to use." + } + }, + { + "hide_client_headers": { + "type": "boolean", + "default": false, + "required": true, + "description": "Optionally hide informative response headers." + } + }, + { + "error_code": { + "default": 429, + "gt": 0, + "type": "number", + "description": "Set a custom error code to return when the rate limit is exceeded." + } + }, + { + "error_message": { + "default": "API rate limit exceeded", + "type": "string", + "description": "Set a custom error message to return when the rate limit is exceeded." + } + }, + { + "sync_rate": { + "type": "number", + "default": -1, + "required": true, + "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior." 
+ } + } + ] + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.second", + "config.minute", + "config.hour", + "config.day", + "config.month", + "config.year" + ] + }, + { + "conditional": { + "then_field": "config.redis_host", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + }, + "if_field": "config.policy" + } + }, + { + "conditional": { + "then_field": "config.redis_port", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + }, + "if_field": "config.policy" + } + }, + { + "conditional": { + "then_field": "config.header_name", + "if_match": { + "eq": "header" + }, + "then_match": { + "required": true + }, + "if_field": "config.limit_by" + } + }, + { + "conditional": { + "then_field": "config.path", + "if_match": { + "eq": "path" + }, + "then_match": { + "required": true + }, + "if_field": "config.limit_by" + } + }, + { + "conditional": { + "then_field": "config.redis_timeout", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + }, + "if_field": "config.policy" + } + } + ] +} \ No newline at end of file diff --git a/schemas/request-size-limiting/3.6.x.json b/schemas/request-size-limiting/3.6.x.json new file mode 100644 index 00000000..a71771d9 --- /dev/null +++ b/schemas/request-size-limiting/3.6.x.json 
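Review bot: The `redis_ssl_verify` description is garbled ("specifies it server SSL certificate is validated") and does not say what its default of `false` means. With `redis_ssl` set to `true` alone, the connection is encrypted but the Redis server certificate is not checked, so the peer is not authenticated. Suggested text: `When using the redis policy with redis_ssl set to true, this property specifies whether the server SSL certificate is validated. With the default of false the connection is encrypted but the server is not authenticated.` Separately, `redis_password` here is `referenceable` but has no `encrypted` attribute, unlike `password` in the `redis` record of the rate-limiting-advanced hunk above. Whether that is intended cannot be told from this diff and is worth confirming with the schema owners.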
@@ -0,0 +1,73 @@
+{
+ "fields": [
+ {
+ "protocols": {
+ "required": true,
+ "type": "set",
+ "default": [
+ "grpc",
+ "grpcs",
+ "http",
+ "https"
+ ],
+ "elements": {
+ "type": "string",
+ "one_of": [
+ "grpc",
+ "grpcs",
+ "http",
+ "https"
+ ]
+ },
+ "description": "A set of strings representing HTTP protocols."
+ }
+ },
+ {
+ "consumer_group": {
+ "type": "foreign",
+ "reference": "consumer_groups",
+ "eq": null,
+ "description": "Custom type for representing a foreign key with a null value allowed."
+ }
+ },
+ {
+ "config": {
+ "type": "record",
+ "required": true,
+ "fields": [
+ {
+ "allowed_payload_size": {
+ "default": 128,
+ "type": "integer",
+ "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes)."
+ }
+ },
+ {
+ "size_unit": {
+ "type": "string",
+ "required": true,
+ "one_of": [
+ "megabytes",
+ "kilobytes",
+ "bytes"
+ ],
+ "default": "megabytes",
+ "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0."
+ }
+ },
+ {
+ "require_content_length": {
+ "required": true,
+ "default": false,
+ "type": "boolean",
+ "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body."
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "entity_checks": [
+
+ ]
+}
\ No newline at end of file
diff --git a/schemas/request-termination/3.6.x.json b/schemas/request-termination/3.6.x.json
new file mode 100644
index 00000000..27f1177f
--- /dev/null
+++ b/schemas/request-termination/3.6.x.json
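Review bot: The `allowed_payload_size` description says the value is "in megabytes" and gives the default as 128000000 bytes, but `size_unit` in the same record lets the unit be `bytes` or `kilobytes`, so the same number can mean three different limits. The field also has no lower bound in this schema (no `gt` or `between`), so as far as the visible constraints go, zero or a negative value would pass validation. Whether the plugin code rejects it is not visible here. Proposed description: `Allowed request payload size, in the unit given by size_unit (megabytes by default).` The `size_unit` sentence about versions prior to Kong Gateway 1.3 is stale for a 3.6.x schema and could be dropped upstream.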
@@ -0,0 +1,81 @@
+{
+ "fields": [
+ {
+ "protocols": {
+ "required": true,
+ "type": "set",
+ "default": [
+ "grpc",
+ "grpcs",
+ "http",
+ "https"
+ ],
+ "elements": {
+ "type": "string",
+ "one_of": [
+ "grpc",
+ "grpcs",
+ "http",
+ "https"
+ ]
+ },
+ "description": "A set of strings representing HTTP protocols."
+ }
+ },
+ {
+ "config": {
+ "type": "record",
+ "required": true,
+ "fields": [
+ {
+ "status_code": {
+ "required": true,
+ "between": [
+ 100,
+ 599
+ ],
+ "type": "integer",
+ "default": 503,
+ "description": "The response code to send. Must be an integer between 100 and 599."
+ }
+ },
+ {
+ "message": {
+ "type": "string",
+ "description": "The message to send, if using the default response generator."
+ }
+ },
+ {
+ "content_type": {
+ "type": "string",
+ "description": "Content type of the raw response configured with `config.body`."
+ }
+ },
+ {
+ "body": {
+ "type": "string",
+ "description": "The raw response body to send. This is mutually exclusive with the `config.message` field."
+ }
+ },
+ {
+ "echo": {
+ "default": false,
+ "required": true,
+ "type": "boolean",
+ "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic."
+ }
+ },
+ {
+ "trigger": {
+ "type": "string",
+ "description": "A string representing an HTTP header name."
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "entity_checks": [
+
+ ]
+}
\ No newline at end of file
diff --git a/schemas/request-transformer-advanced/3.6.x.json b/schemas/request-transformer-advanced/3.6.x.json
new file mode 100644
index 00000000..5436e8c8
--- /dev/null
+++ b/schemas/request-transformer-advanced/3.6.x.json
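Review bot: The `trigger` description ("A string representing an HTTP header name.") is the generic type text and does not explain what the field does, although the `echo` description relies on it for debugging "on live systems without disturbing real traffic". Because `echo` returns a copy of the request to the client, the reference should say that `echo` is meant to be scoped with `trigger`. It should also say that the echoed copy may repeat sensitive request data such as credentials, if the plugin includes headers, which this schema does not show. Proposed `trigger` text, to be confirmed against the plugin: `When set, the plugin activates only on requests that contain a header or query parameter with this name; when unset it always activates.`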
@@ -0,0 +1,337 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "http_method": { + "match": "^%u+$", + "type": "string", + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." + } + }, + { + "remove": { + "type": "record", + "required": true, + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + } + ] + } + }, + { + "rename": { + "type": "record", + "required": true, + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array" + } + } + ] + } + }, + { + "replace": { + "type": "record", + "required": true, + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array" + } + }, + { + "json_types": { 
+ "default": [ + + ], + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array" + } + }, + { + "uri": { + "type": "string" + } + } + ] + } + }, + { + "add": { + "type": "record", + "required": true, + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array" + } + }, + { + "json_types": { + "default": [ + + ], + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array" + } + } + ] + } + }, + { + "append": { + "type": "record", + "required": true, + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array" + } + }, + { + "json_types": { + "default": [ + + ], + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array" + } + } + ] + } + }, + { + "allow": { + "type": "record", + "required": true, + "fields": [ + { + "body": { + "type": "set", + "elements": { + "type": "string" + } + } + } + ] + } + }, + { + "dots_in_keys": { + "default": true, + "type": "boolean", + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects)." 
+ } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/request-transformer/3.6.x.json b/schemas/request-transformer/3.6.x.json new file mode 100644 index 00000000..47ec0a0c --- /dev/null +++ b/schemas/request-transformer/3.6.x.json 
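Review bot: The `headers` arrays under `rename`, `replace`, `add` and `append` accept any string in this schema, whereas the request-transformer schema in the next hunk constrains the corresponding fields with `"match": "^[^:]+:.*$"`. If the advanced plugin expects the same name:value form, a malformed entry would pass schema validation and only surface when the transformation runs. The check may live in a custom validator that the API dump does not serialise, so this needs confirming upstream. Either way, the expected entry format should be stated in the field text, for example `"description": "List of name:value pairs."`.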
@@ -0,0 +1,280 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "http_method": { + "match": "^%u+$", + "type": "string", + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." + } + }, + { + "remove": { + "type": "record", + "required": true, + "fields": [ + { + "body": { + "required": true, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "required": true, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "querystring": { + "required": true, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ] + } + }, + { + "rename": { + "type": "record", + "required": true, + "fields": [ + { + "body": { + "required": true, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "required": true, + "type": "array", + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "default": [ + + ] + } + }, + { + "querystring": { + "required": true, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ] + } + }, + { + "replace": { + "type": "record", + "required": true, + "fields": [ + { + "body": { + "required": true, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "required": true, + "type": "array", + "elements": { + "match": 
"^[^:]+:.*$", + "type": "string" + }, + "default": [ + + ] + } + }, + { + "querystring": { + "required": true, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "uri": { + "type": "string" + } + } + ] + } + }, + { + "add": { + "type": "record", + "required": true, + "fields": [ + { + "body": { + "required": true, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "required": true, + "type": "array", + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "default": [ + + ] + } + }, + { + "querystring": { + "required": true, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ] + } + }, + { + "append": { + "type": "record", + "required": true, + "fields": [ + { + "body": { + "required": true, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "required": true, + "type": "array", + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "default": [ + + ] + } + }, + { + "querystring": { + "required": true, + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ] + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/request-validator/3.6.x.json b/schemas/request-validator/3.6.x.json new file mode 100644 index 00000000..d6944cf6 --- /dev/null +++ b/schemas/request-validator/3.6.x.json 
@@ -0,0 +1,181 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "body_schema", + "parameter_schema" + ] + } + ], + "required": true, + "fields": [ + { + "body_schema": { + "type": "string", + "required": false, + "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified." + } + }, + { + "allowed_content_types": { + "default": [ + "application/json" + ], + "type": "set", + "elements": { + "required": true, + "type": "string" + }, + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`." + } + }, + { + "version": { + "required": true, + "type": "string", + "one_of": [ + "kong", + "draft4" + ], + "default": "kong", + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator." + } + }, + { + "parameter_schema": { + "type": "array", + "required": false, + "elements": { + "entity_checks": [ + { + "mutually_required": [ + "style", + "explode", + "schema" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "style", + "in" + ] + } + } + ], + "type": "record", + "fields": [ + { + "in": { + "type": "string", + "one_of": [ + "query", + "header", + "path" + ], + "required": true, + "description": "The location of the parameter." 
+ } + }, + { + "name": { + "type": "string", + "required": true, + "description": "The name of the parameter. Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`." + } + }, + { + "required": { + "type": "boolean", + "required": true, + "description": "Determines whether this parameter is mandatory." + } + }, + { + "style": { + "one_of": [ + "label", + "form", + "matrix", + "simple", + "spaceDelimited", + "pipeDelimited", + "deepObject" + ], + "type": "string", + "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value." + } + }, + { + "explode": { + "type": "boolean", + "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect." + } + }, + { + "schema": { + "type": "string", + "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating." + } + } + ] + }, + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified." + } + }, + { + "verbose_response": { + "required": true, + "type": "boolean", + "default": false, + "description": "If enabled, the plugin returns more verbose and detailed validation errors." 
+ } + } + ] + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/response-ratelimiting/3.6.x.json b/schemas/response-ratelimiting/3.6.x.json new file mode 100644 index 00000000..1bc1f3b3 --- /dev/null +++ b/schemas/response-ratelimiting/3.6.x.json 
@@ -0,0 +1,268 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "header_name": { + "type": "string", + "default": "x-kong-limit", + "description": "The name of the response header used to increment the counters." + } + }, + { + "limit_by": { + "type": "string", + "one_of": [ + "consumer", + "credential", + "ip" + ], + "default": "consumer", + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`." + } + }, + { + "policy": { + "type": "string", + "one_of": [ + "local", + "cluster", + "redis" + ], + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits." + } + }, + { + "fault_tolerant": { + "type": "boolean", + "required": true, + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors." + } + }, + { + "redis_host": { + "type": "string", + "description": "When using the `redis` policy, this property specifies the address to the Redis server." 
+ } + }, + { + "redis_port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "type": "integer", + "description": "When using the `redis` policy, this property specifies the port of the Redis server." + } + }, + { + "redis_password": { + "len_min": 0, + "referenceable": true, + "type": "string", + "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server." + } + }, + { + "redis_username": { + "referenceable": true, + "type": "string", + "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.\nThis requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + } + }, + { + "redis_ssl": { + "type": "boolean", + "required": true, + "default": false, + "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server." + } + }, + { + "redis_ssl_verify": { + "type": "boolean", + "required": true, + "default": false, + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies if the server SSL certificate is validated. Note that you need to configure the `lua_ssl_trusted_certificate` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + } + }, + { + "redis_server_name": { + "type": "string", + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies the server name for the TLS extension Server Name Indication (SNI)." + } + }, + { + "redis_timeout": { + "type": "number", + "default": 2000, + "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server." 
+ } + }, + { + "redis_database": { + "type": "number", + "default": 0, + "description": "When using the `redis` policy, this property specifies Redis database to use." + } + }, + { + "block_on_first_violation": { + "type": "boolean", + "required": true, + "default": false, + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too." + } + }, + { + "hide_client_headers": { + "type": "boolean", + "required": true, + "default": false, + "description": "Optionally hide informative response headers." + } + }, + { + "limits": { + "required": true, + "keys": { + "type": "string" + }, + "values": { + "required": true, + "entity_checks": [ + { + "at_least_one_of": [ + "second", + "minute", + "hour", + "day", + "month", + "year" + ] + } + ], + "type": "record", + "fields": [ + { + "second": { + "type": "number", + "gt": 0 + } + }, + { + "minute": { + "type": "number", + "gt": 0 + } + }, + { + "hour": { + "type": "number", + "gt": 0 + } + }, + { + "day": { + "type": "number", + "gt": 0 + } + }, + { + "month": { + "type": "number", + "gt": 0 + } + }, + { + "year": { + "type": "number", + "gt": 0 + } + } + ] + }, + "type": "map", + "len_min": 1, + "description": "A map that defines rate limits for the plugin." + } + } + ] + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "config.redis_host", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + }, + "if_field": "config.policy" + } + }, + { + "conditional": { + "then_field": "config.redis_port", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + }, + "if_field": "config.policy" + } + }, + { + "conditional": { + "then_field": "config.redis_timeout", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + }, + "if_field": "config.policy" + } + } + ] +} \ No newline at end of file 
diff --git a/schemas/response-transformer-advanced/3.6.x.json b/schemas/response-transformer-advanced/3.6.x.json new file mode 100644 index 00000000..319c9069 --- /dev/null +++ b/schemas/response-transformer-advanced/3.6.x.json 
@@ -0,0 +1,350 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "remove": { + "type": "record", + "required": true, + "fields": [ + { + "json": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "if_status": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + } + ] + } + }, + { + "rename": { + "type": "record", + "required": true, + "fields": [ + { + "headers": { + "default": [ + + ], + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "type": "array" + } + }, + { + "if_status": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + } + ] + } + }, + { + "replace": { + "type": "record", + "required": true, + "fields": [ + { + "body": { + "type": "string", + "description": "String with which to replace the entire response body." 
+ } + }, + { + "json": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "json_types": { + "default": [ + + ], + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "if_status": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + } + ] + } + }, + { + "add": { + "type": "record", + "required": true, + "fields": [ + { + "json": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "json_types": { + "default": [ + + ], + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "if_status": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + } + ] + } + }, + { + "append": { + "type": "record", + "required": true, + "fields": [ + { + "json": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "json_types": { + "default": [ + + ], + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "if_status": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + } + ] + } + }, + { + "allow": { + "type": "record", + "required": true, + "fields": [ + { + "json": { + "type": "set", + "elements": { + "type": "string" + } + } + } + ] + } + }, + { + "transform": { + "type": "record", + "required": true, + "fields": [ + { + "functions": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + 
}, + { + "if_status": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "json": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + } + ] + } + }, + { + "dots_in_keys": { + "type": "boolean", + "default": true, + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects.." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/response-transformer/3.6.x.json b/schemas/response-transformer/3.6.x.json new file mode 100644 index 00000000..842ceeef --- /dev/null +++ b/schemas/response-transformer/3.6.x.json 
@@ -0,0 +1,246 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "remove": { + "type": "record", + "required": true, + "fields": [ + { + "json": { + "type": "array", + "required": true, + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "required": true, + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ] + } + }, + { + "rename": { + "type": "record", + "required": true, + "fields": [ + { + "headers": { + "type": "array", + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "default": [ + + ] + } + } + ] + } + }, + { + "replace": { + "type": "record", + "required": true, + "fields": [ + { + "json": { + "type": "array", + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "default": [ + + ] + } + }, + { + "json_types": { + "required": true, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." 
+ } + }, + { + "headers": { + "type": "array", + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "default": [ + + ] + } + } + ] + } + }, + { + "add": { + "type": "record", + "required": true, + "fields": [ + { + "json": { + "type": "array", + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "default": [ + + ] + } + }, + { + "json_types": { + "required": true, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." + } + }, + { + "headers": { + "type": "array", + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "default": [ + + ] + } + } + ] + } + }, + { + "append": { + "type": "record", + "required": true, + "fields": [ + { + "json": { + "type": "array", + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "default": [ + + ] + } + }, + { + "json_types": { + "required": true, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." + } + }, + { + "headers": { + "type": "array", + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "default": [ + + ] + } + } + ] + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/route-by-header/3.6.x.json b/schemas/route-by-header/3.6.x.json new file mode 100644 index 00000000..f72adf8d --- /dev/null +++ b/schemas/route-by-header/3.6.x.json 
@@ -0,0 +1,78 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "rules": { + "default": [ + + ], + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "upstream_name": { + "required": true, + "type": "string" + } + }, + { + "condition": { + "type": "map", + "len_min": 1, + "keys": { + "type": "string" + }, + "values": { + "type": "string" + }, + "required": true + } + } + ] + }, + "description": "Route by header rules." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/route-transformer-advanced/3.6.x.json b/schemas/route-transformer-advanced/3.6.x.json new file mode 100644 index 00000000..3b086f5d --- /dev/null +++ b/schemas/route-transformer-advanced/3.6.x.json 
@@ -0,0 +1,75 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "path", + "port", + "host" + ] + } + ], + "required": true, + "fields": [ + { + "path": { + "type": "string" + } + }, + { + "port": { + "type": "string" + } + }, + { + "host": { + "type": "string" + } + }, + { + "escape_path": { + "default": false, + "type": "boolean" + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/saml/3.6.x.json b/schemas/saml/3.6.x.json new file mode 100644 index 00000000..720577a7 --- /dev/null +++ b/schemas/saml/3.6.x.json 
@@ -0,0 +1,650 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "shorthand_fields": [ + { + "session_cookie_lifetime": { + "type": "number" + } + }, + { + "session_cookie_idletime": { + "type": "number" + } + }, + { + "session_cookie_samesite": { + "type": "string" + } + }, + { + "session_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "type": "string" + } + }, + { + "session_memcache_socket": { + "type": "string" + } + }, + { + "session_memcache_host": { + "type": "string" + } + }, + { + "session_memcache_port": { + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer" + } + }, + { + "session_cookie_renew": { + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "type": "integer" + } + }, + { + "session_strategy": { + "type": "string" + } + }, + { + "session_compressor": { + "type": "string" + } + }, + { + "session_auth_ttl": { + "type": "number" + } + } + ], + "required": true, + "type": "record", + "fields": [ + { + "assertion_consumer_path": { + "type": "string", + "starts_with": "/", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "required": true, + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + } + }, + { + "idp_sso_url": { + "required": true, + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "idp_certificate": { + "encrypted": true, + "type": "string", + "referenceable": true, + "required": false, + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines." + } + }, + { + "response_encryption_key": { + "encrypted": true, + "type": "string", + "referenceable": true, + "required": false, + "description": "The private encryption key required to decrypt encrypted assertions." + } + }, + { + "request_signing_key": { + "encrypted": true, + "type": "string", + "referenceable": true, + "required": false, + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well." + } + }, + { + "request_signing_certificate": { + "encrypted": true, + "type": "string", + "referenceable": true, + "required": false, + "description": "The certificate for signing requests." + } + }, + { + "request_signature_algorithm": { + "required": false, + "type": "string", + "one_of": [ + "SHA256", + "SHA384", + "SHA512" + ], + "default": "SHA256", + "description": "The signature algorithm for signing Authn requests. 
Options available are: - `SHA256` - `SHA384` - `SHA512`" + } + }, + { + "request_digest_algorithm": { + "required": false, + "type": "string", + "one_of": [ + "SHA256", + "SHA1" + ], + "default": "SHA256", + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`" + } + }, + { + "response_signature_algorithm": { + "required": false, + "type": "string", + "one_of": [ + "SHA256", + "SHA384", + "SHA512" + ], + "default": "SHA256", + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`" + } + }, + { + "response_digest_algorithm": { + "required": false, + "type": "string", + "one_of": [ + "SHA256", + "SHA1" + ], + "default": "SHA256", + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`" + } + }, + { + "issuer": { + "type": "string", + "required": true, + "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP." + } + }, + { + "nameid_format": { + "required": false, + "type": "string", + "one_of": [ + "Unspecified", + "EmailAddress", + "Persistent", + "Transient" + ], + "default": "EmailAddress", + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`" + } + }, + { + "validate_assertion_signature": { + "required": false, + "type": "boolean", + "default": true, + "description": "Enable signature validation for SAML responses." + } + }, + { + "anonymous": { + "type": "string", + "required": false, + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username." 
+ } + }, + { + "session_secret": { + "match": "^[0-9a-zA-Z/_+]+$", + "required": true, + "encrypted": true, + "referenceable": true, + "len_min": 32, + "len_max": 32, + "type": "string", + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange." + } + }, + { + "session_audience": { + "required": false, + "type": "string", + "default": "default", + "description": "The session audience, for example \"my-application\"" + } + }, + { + "session_cookie_name": { + "required": false, + "type": "string", + "default": "session", + "description": "The session cookie name." + } + }, + { + "session_remember": { + "required": false, + "type": "boolean", + "default": false, + "description": "Enables or disables persistent sessions" + } + }, + { + "session_remember_cookie_name": { + "required": false, + "type": "string", + "default": "remember", + "description": "Persistent session cookie name" + } + }, + { + "session_remember_rolling_timeout": { + "required": false, + "type": "number", + "default": 604800, + "description": "Persistent session rolling timeout in seconds." + } + }, + { + "session_remember_absolute_timeout": { + "required": false, + "type": "number", + "default": 2592000, + "description": "Persistent session absolute timeout in seconds." + } + }, + { + "session_idling_timeout": { + "required": false, + "type": "number", + "default": 900, + "description": "The session cookie idle time in seconds." + } + }, + { + "session_rolling_timeout": { + "required": false, + "type": "number", + "default": 3600, + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid." 
+ } + }, + { + "session_absolute_timeout": { + "required": false, + "type": "number", + "default": 86400, + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid." + } + }, + { + "session_cookie_path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "required": false, + "starts_with": "/", + "type": "string", + "default": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + } + }, + { + "session_cookie_domain": { + "type": "string", + "required": false, + "description": "The session cookie domain flag." + } + }, + { + "session_cookie_same_site": { + "required": false, + "type": "string", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ], + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." + } + }, + { + "session_cookie_http_only": { + "required": false, + "type": "boolean", + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." + } + }, + { + "session_cookie_secure": { + "type": "boolean", + "required": false, + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." 
+ } + }, + { + "session_request_headers": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } + } + }, + { + "session_response_headers": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } + } + }, + { + "session_storage": { + "required": false, + "type": "string", + "one_of": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis" + } + }, + { + "session_store_metadata": { + "required": false, + "type": "boolean", + "default": false, + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject." + } + }, + { + "session_enforce_same_subject": { + "required": false, + "type": "boolean", + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject." + } + }, + { + "session_hash_subject": { + "required": false, + "type": "boolean", + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." + } + }, + { + "session_hash_storage_key": { + "required": false, + "type": "boolean", + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." + } + }, + { + "session_memcached_prefix": { + "type": "string", + "required": false, + "description": "The memcached session key prefix." + } + }, + { + "session_memcached_socket": { + "type": "string", + "required": false, + "description": "The memcached unix socket path." + } + }, + { + "session_memcached_host": { + "required": false, + "type": "string", + "default": "127.0.0.1", + "description": "The memcached host." + } + }, + { + "session_memcached_port": { + "type": "integer", + "between": [ + 0, + 65535 + ], + "required": false, + "default": 11211, + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "session_redis_prefix": { + "type": "string", + "required": false, + "description": "The Redis session key prefix." + } + }, + { + "session_redis_socket": { + "type": "string", + "required": false, + "description": "The Redis unix socket path." + } + }, + { + "session_redis_host": { + "required": false, + "type": "string", + "default": "127.0.0.1", + "description": "The Redis host IP." + } + }, + { + "session_redis_port": { + "type": "integer", + "between": [ + 0, + 65535 + ], + "required": false, + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "session_redis_username": { + "type": "string", + "referenceable": true, + "required": false, + "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." + } + }, + { + "session_redis_password": { + "encrypted": true, + "type": "string", + "referenceable": true, + "required": false, + "description": "Password to use for Redis connection when the `redis` session storage is defined. 
If undefined, no auth commands are sent to Redis. This value is pulled from" + } + }, + { + "session_redis_connect_timeout": { + "type": "integer", + "required": false, + "description": "The Redis connection timeout in milliseconds." + } + }, + { + "session_redis_read_timeout": { + "type": "integer", + "required": false, + "description": "The Redis read timeout in milliseconds." + } + }, + { + "session_redis_send_timeout": { + "type": "integer", + "required": false, + "description": "The Redis send timeout in milliseconds." + } + }, + { + "session_redis_ssl": { + "required": false, + "type": "boolean", + "default": false, + "description": "Use SSL/TLS for the Redis connection." + } + }, + { + "session_redis_ssl_verify": { + "required": false, + "type": "boolean", + "default": false, + "description": "Verify the Redis server certificate." + } + }, + { + "session_redis_server_name": { + "type": "string", + "required": false, + "description": "The SNI used for connecting to the Redis server." + } + }, + { + "session_redis_cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "required": true, + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ] + }, + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values." + } + }, + { + "session_redis_cluster_max_redirections": { + "type": "integer", + "required": false, + "description": "The Redis cluster maximum redirects." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/session/3.6.x.json b/schemas/session/3.6.x.json new file mode 100644 index 00000000..44c3f1d3 --- /dev/null 
+++ b/schemas/session/3.6.x.json 
@@ -0,0 +1,302 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "shorthand_fields": [ + { + "cookie_lifetime": { + "type": "number" + } + }, + { + "cookie_idletime": { + "type": "number" + } + }, + { + "cookie_renew": { + "type": "number" + } + }, + { + "cookie_discard": { + "type": "number" + } + }, + { + "cookie_samesite": { + "type": "string" + } + }, + { + "cookie_httponly": { + "type": "boolean" + } + }, + { + "cookie_persistent": { + "type": "boolean" + } + } + ], + "type": "record", + "required": true, + "fields": [ + { + "secret": { + "encrypted": true, + "type": "string", + "required": false, + "referenceable": true, + "default": "8HPEAewYOz6gQmmfqnLsSPwjDJFuHKcyKPeNH2WmzSIi", + "description": "The secret that is used in keyed HMAC generation." + } + }, + { + "storage": { + "type": "string", + "one_of": [ + "cookie", + "kong" + ], + "default": "cookie", + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself." 
+ } + }, + { + "audience": { + "type": "string", + "default": "default", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`." + } + }, + { + "idling_timeout": { + "type": "number", + "default": 900, + "description": "The session cookie idle time, in seconds." + } + }, + { + "rolling_timeout": { + "type": "number", + "default": 3600, + "description": "The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed." + } + }, + { + "absolute_timeout": { + "type": "number", + "default": 86400, + "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid." + } + }, + { + "stale_ttl": { + "type": "number", + "default": 10, + "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one." + } + }, + { + "cookie_name": { + "type": "string", + "default": "session", + "description": "The name of the cookie." + } + }, + { + "cookie_path": { + "type": "string", + "default": "/", + "description": "The resource in the host where the cookie is available." + } + }, + { + "cookie_domain": { + "type": "string", + "description": "The domain with which the cookie is intended to be exchanged." + } + }, + { + "cookie_same_site": { + "type": "string", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ], + "default": "Strict", + "description": "Determines whether and how a cookie may be sent with cross-site requests." + } + }, + { + "cookie_http_only": { + "type": "boolean", + "default": true, + "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server." 
+ } + }, + { + "cookie_secure": { + "type": "boolean", + "default": true, + "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol." + } + }, + { + "remember": { + "type": "boolean", + "default": false, + "description": "Enables or disables persistent sessions." + } + }, + { + "remember_cookie_name": { + "type": "string", + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter." + } + }, + { + "remember_rolling_timeout": { + "type": "number", + "default": 604800, + "description": "The persistent session rolling timeout window, in seconds." + } + }, + { + "remember_absolute_timeout": { + "type": "number", + "default": 2592000, + "description": "The persistent session absolute timeout limit, in seconds." + } + }, + { + "response_headers": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "List of information to include, as headers, in the response to the downstream." + } + }, + { + "request_headers": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "List of information to include, as headers, in the response to the downstream." + } + }, + { + "read_body_for_logout": { + "type": "boolean", + "default": false + } + }, + { + "logout_methods": { + "elements": { + "type": "string", + "one_of": [ + "GET", + "POST", + "DELETE" + ] + }, + "type": "set", + "default": [ + "POST", + "DELETE" + ], + "description": "A set of HTTP methods that the plugin will respond to." + } + }, + { + "logout_query_arg": { + "type": "string", + "default": "session_logout", + "description": "The query argument passed to logout requests." 
+ } + }, + { + "logout_post_arg": { + "type": "string", + "default": "session_logout", + "description": "The POST argument passed to logout requests. Do not change this property." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/statsd-advanced/3.6.x.json b/schemas/statsd-advanced/3.6.x.json new file mode 100644 index 00000000..177991c9 --- /dev/null +++ b/schemas/statsd-advanced/3.6.x.json 
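Review bot: In schemas/session/3.6.x.json the `secret` field publishes a concrete literal string as its `default`, although the same field is marked `"encrypted": true` and its description says it is the key used in keyed HMAC generation. If that string is a fixed default, every deployment that leaves `secret` unset signs its session cookies with a publicly known key. If it was instead generated at random by the instance the schema was pulled from (its shape suggests so, but the patch does not show it), it is not a default at all and readers may copy it into their own configuration. Either way I would have the download step mask it, e.g. `"default": "<generated per instance>"`, and extend the description with `Set this explicitly; do not reuse a value shown in a published schema.`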
@@ -0,0 +1,448 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "host": { + "default": "localhost", + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 8125, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "prefix": { + "type": "string", + "default": "kong", + "description": "String to prefix to each metric's name." 
+ } + }, + { + "metrics": { + "default": [ + { + "name": "request_count", + "stat_type": "counter", + "sample_rate": 1 + }, + { + "stat_type": "timer", + "name": "latency" + }, + { + "stat_type": "timer", + "name": "request_size" + }, + { + "name": "status_count", + "stat_type": "counter", + "sample_rate": 1 + }, + { + "stat_type": "timer", + "name": "response_size" + }, + { + "stat_type": "set", + "name": "unique_users" + }, + { + "name": "request_per_user", + "stat_type": "counter", + "sample_rate": 1 + }, + { + "stat_type": "timer", + "name": "upstream_latency" + }, + { + "stat_type": "timer", + "name": "kong_latency" + }, + { + "name": "status_count_per_user", + "stat_type": "counter", + "sample_rate": 1 + }, + { + "name": "status_count_per_workspace", + "stat_type": "counter", + "sample_rate": 1 + }, + { + "name": "status_count_per_user_per_route", + "stat_type": "counter", + "sample_rate": 1 + }, + { + "name": "shdict_usage", + "stat_type": "gauge", + "sample_rate": 1 + }, + { + "name": "cache_datastore_hits_total", + "stat_type": "counter", + "sample_rate": 1 + }, + { + "name": "cache_datastore_misses_total", + "stat_type": "counter", + "sample_rate": 1 + } + ], + "type": "array", + "elements": { + "entity_checks": [ + { + "conditional": { + "then_field": "stat_type", + "if_match": { + "one_of": [ + "unique_users" + ] + }, + "then_match": { + "eq": "set" + }, + "if_field": "name" + } + }, + { + "conditional": { + "then_field": "stat_type", + "if_match": { + "one_of": [ + "request_count", + "status_count", + "request_per_user", + "status_count_per_user", + "status_count_per_workspace", + "status_count_per_user_per_route", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + }, + "then_match": { + "eq": "counter" + }, + "if_field": "name" + } + }, + { + "conditional": { + "then_field": "stat_type", + "if_match": { + "one_of": [ + "shdict_usage" + ] + }, + "then_match": { + "eq": "gauge" + }, + "if_field": "name" + } + }, + { + "conditional": 
{ + "then_field": "sample_rate", + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_match": { + "required": true + }, + "if_field": "stat_type" + } + } + ], + "type": "record", + "fields": [ + { + "name": { + "one_of": [ + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "status_count", + "status_count_per_user", + "unique_users", + "upstream_latency", + "status_count_per_workspace", + "status_count_per_user_per_route", + "shdict_usage", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ], + "type": "string", + "required": true + } + }, + { + "stat_type": { + "one_of": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string", + "required": true + } + }, + { + "sample_rate": { + "type": "number", + "gt": 0 + } + }, + { + "consumer_identifier": { + "type": "string", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + }, + { + "service_identifier": { + "type": "string", + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ] + } + }, + { + "workspace_identifier": { + "type": "string", + "one_of": [ + "workspace_id", + "workspace_name" + ] + } + } + ] + }, + "description": "List of Metrics to be logged." + } + }, + { + "allow_status_codes": { + "type": "array", + "elements": { + "type": "string", + "match": "^[0-9]+-[0-9]+$" + }, + "description": "List of status code ranges that are allowed to be logged in metrics." + } + }, + { + "udp_packet_size": { + "between": [ + 0, + 65507 + ], + "type": "number", + "default": 0, + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive)." + } + }, + { + "use_tcp": { + "type": "boolean", + "default": false, + "description": "Use TCP instead of UDP." 
+ } + }, + { + "hostname_in_prefix": { + "type": "boolean", + "default": false, + "description": "Include the `hostname` in the `prefix` for each metric name." + } + }, + { + "consumer_identifier_default": { + "required": true, + "type": "string", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ], + "default": "custom_id", + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`." + } + }, + { + "service_identifier_default": { + "required": true, + "type": "string", + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ], + "default": "service_name_or_host", + "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`." + } + }, + { + "workspace_identifier_default": { + "required": true, + "type": "string", + "one_of": [ + "workspace_id", + "workspace_name" + ], + "default": "workspace_id", + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. " + } + }, + { + "queue": { + "type": "record", + "required": true, + "fields": [ + { + "max_batch_size": { + "between": [ + 1, + 1000000 + ], + "type": "integer", + "default": 1, + "description": "Maximum number of entries that can be processed at a time." + } + }, + { + "max_coalescing_delay": { + "between": [ + 0, + 3600 + ], + "type": "number", + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." 
+ } + }, + { + "max_entries": { + "between": [ + 1, + 1000000 + ], + "type": "integer", + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue." + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + } + }, + { + "max_retry_time": { + "type": "number", + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + } + }, + { + "initial_retry_delay": { + "between": [ + 0.001, + 1000000 + ], + "type": "number", + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch." + } + }, + { + "max_retry_delay": { + "between": [ + 0.001, + 1000000 + ], + "type": "number", + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff." + } + } + ] + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/statsd/3.6.x.json b/schemas/statsd/3.6.x.json new file mode 100644 index 00000000..ca91640f --- /dev/null +++ b/schemas/statsd/3.6.x.json 
@@ -0,0 +1,439 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "retry_count", + "queue_size", + "flush_timeout" + ] + } + } + ], + "required": true, + "fields": [ + { + "host": { + "default": "localhost", + "type": "string", + "description": "The IP address or hostname of StatsD server to send data to." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 8125, + "type": "integer", + "description": "The port of StatsD server to send data to." + } + }, + { + "prefix": { + "type": "string", + "default": "kong", + "description": "String to prefix to each metric's name." 
+ } + }, + { + "metrics": { + "default": [ + { + "name": "request_count", + "stat_type": "counter", + "sample_rate": 1 + }, + { + "stat_type": "timer", + "name": "latency" + }, + { + "name": "request_size", + "stat_type": "counter", + "sample_rate": 1 + }, + { + "name": "status_count", + "stat_type": "counter", + "sample_rate": 1 + }, + { + "name": "response_size", + "stat_type": "counter", + "sample_rate": 1 + }, + { + "stat_type": "set", + "name": "unique_users" + }, + { + "sample_rate": 1, + "stat_type": "counter", + "name": "request_per_user" + }, + { + "stat_type": "timer", + "name": "upstream_latency" + }, + { + "stat_type": "timer", + "name": "kong_latency" + }, + { + "sample_rate": 1, + "stat_type": "counter", + "name": "status_count_per_user" + }, + { + "name": "status_count_per_workspace", + "stat_type": "counter", + "sample_rate": 1 + }, + { + "sample_rate": 1, + "stat_type": "counter", + "name": "status_count_per_user_per_route" + }, + { + "name": "shdict_usage", + "stat_type": "gauge", + "sample_rate": 1 + }, + { + "name": "cache_datastore_hits_total", + "stat_type": "counter", + "sample_rate": 1 + }, + { + "name": "cache_datastore_misses_total", + "stat_type": "counter", + "sample_rate": 1 + } + ], + "type": "array", + "elements": { + "entity_checks": [ + { + "conditional": { + "then_field": "sample_rate", + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_match": { + "required": true + }, + "if_field": "stat_type" + } + } + ], + "type": "record", + "fields": [ + { + "name": { + "type": "string", + "one_of": [ + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "status_count", + "status_count_per_user", + "unique_users", + "upstream_latency", + "status_count_per_workspace", + "status_count_per_user_per_route", + "shdict_usage", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ], + "required": true, + "description": "StatsD metric’s name." 
+ } + }, + { + "stat_type": { + "type": "string", + "one_of": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "required": true, + "description": "Determines what sort of event a metric represents." + } + }, + { + "sample_rate": { + "gt": 0, + "type": "number", + "description": "Sampling rate" + } + }, + { + "consumer_identifier": { + "one_of": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string", + "description": "Authenticated user detail." + } + }, + { + "service_identifier": { + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ], + "type": "string", + "description": "Service detail." + } + }, + { + "workspace_identifier": { + "one_of": [ + "workspace_id", + "workspace_name" + ], + "type": "string", + "description": "Workspace detail." + } + } + ] + }, + "description": "List of metrics to be logged." + } + }, + { + "allow_status_codes": { + "type": "array", + "elements": { + "type": "string", + "match": "^[0-9]+-[0-9]+$" + }, + "description": "List of status code ranges that are allowed to be logged in metrics." 
+ } + }, + { + "udp_packet_size": { + "between": [ + 0, + 65507 + ], + "default": 0, + "type": "number" + } + }, + { + "use_tcp": { + "default": false, + "type": "boolean" + } + }, + { + "hostname_in_prefix": { + "default": false, + "type": "boolean" + } + }, + { + "consumer_identifier_default": { + "default": "custom_id", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string", + "required": true + } + }, + { + "service_identifier_default": { + "default": "service_name_or_host", + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ], + "type": "string", + "required": true + } + }, + { + "workspace_identifier_default": { + "default": "workspace_id", + "one_of": [ + "workspace_id", + "workspace_name" + ], + "type": "string", + "required": true + } + }, + { + "retry_count": { + "type": "integer" + } + }, + { + "queue_size": { + "type": "integer" + } + }, + { + "flush_timeout": { + "type": "number" + } + }, + { + "tag_style": { + "one_of": [ + "dogstatsd", + "influxdb", + "librato", + "signalfx" + ], + "required": false, + "type": "string" + } + }, + { + "queue": { + "type": "record", + "required": true, + "fields": [ + { + "max_batch_size": { + "between": [ + 1, + 1000000 + ], + "type": "integer", + "default": 1, + "description": "Maximum number of entries that can be processed at a time." + } + }, + { + "max_coalescing_delay": { + "between": [ + 0, + 3600 + ], + "type": "number", + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + } + }, + { + "max_entries": { + "between": [ + 1, + 1000000 + ], + "type": "integer", + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue." + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." 
+ } + }, + { + "max_retry_time": { + "type": "number", + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + } + }, + { + "initial_retry_delay": { + "between": [ + 0.001, + 1000000 + ], + "type": "number", + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch." + } + }, + { + "max_retry_delay": { + "between": [ + 0.001, + 1000000 + ], + "type": "number", + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff." + } + } + ] + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/syslog/3.6.x.json b/schemas/syslog/3.6.x.json new file mode 100644 index 00000000..dfdde20d --- /dev/null +++ b/schemas/syslog/3.6.x.json 
@@ -0,0 +1,164 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "log_level": { + "default": "info", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ], + "type": "string", + "required": true + } + }, + { + "successful_severity": { + "default": "info", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ], + "type": "string", + "required": true + } + }, + { + "client_errors_severity": { + "default": "info", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ], + "type": "string", + "required": true + } + }, + { + "server_errors_severity": { + "default": "info", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ], + "type": "string", + "required": true + } + }, + { + "custom_fields_by_lua": { + "keys": { + "type": "string", + "len_min": 1 + }, + "values": { + "len_min": 1, + "type": "string" + }, + "type": "map", + "description": "Lua code as a key-value map" + } + }, + { + "facility": { + "required": true, + "type": "string", + "one_of": [ + "auth", + "authpriv", + "cron", + "daemon", + "ftp", + "kern", + "lpr", + "mail", + "news", + "syslog", + "user", + "uucp", + "local0", + "local1", + "local2", + 
"local3", + "local4", + "local5", + "local6", + "local7" + ], + "default": "user", + "description": "The facility is used by the operating system to decide how to handle each log message." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/tcp-log/3.6.x.json b/schemas/tcp-log/3.6.x.json new file mode 100644 index 00000000..40b74336 --- /dev/null +++ b/schemas/tcp-log/3.6.x.json 
@@ -0,0 +1,112 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "host": { + "required": true, + "type": "string", + "description": "The IP address or host name to send data to." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "required": true, + "type": "integer", + "description": "The port to send data to on the upstream server." + } + }, + { + "timeout": { + "default": 10000, + "type": "number", + "description": "An optional timeout in milliseconds when sending data to the upstream server." + } + }, + { + "keepalive": { + "default": 60000, + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." + } + }, + { + "tls": { + "type": "boolean", + "default": false, + "required": true, + "description": "Indicates whether to perform a TLS handshake against the remote server." + } + }, + { + "tls_sni": { + "type": "string", + "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake." 
+ } + }, + { + "custom_fields_by_lua": { + "keys": { + "type": "string", + "len_min": 1 + }, + "values": { + "len_min": 1, + "type": "string" + }, + "type": "map", + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/tls-handshake-modifier/3.6.x.json b/schemas/tls-handshake-modifier/3.6.x.json new file mode 100644 index 00000000..0ad58c9c --- /dev/null +++ b/schemas/tls-handshake-modifier/3.6.x.json @@ -0,0 +1,60 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "https", + "grpcs", + "tls" + ] + }, + "default": [ + "https", + "grpcs" + ] + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "tls_client_certificate": { + "required": false, + "type": "string", + "one_of": [ + "REQUEST" + ], + "default": "REQUEST", + "description": "TLS Client Certificate" + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/tls-metadata-headers/3.6.x.json b/schemas/tls-metadata-headers/3.6.x.json new file mode 100644 index 00000000..742ee027 --- /dev/null +++ b/schemas/tls-metadata-headers/3.6.x.json 
@@ -0,0 +1,96 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "https", + "grpcs", + "tls" + ] + }, + "default": [ + "https", + "grpcs" + ] + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "inject_client_cert_details": { + "default": false, + "type": "boolean", + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers." + } + }, + { + "client_cert_header_name": { + "type": "string", + "default": "X-Client-Cert", + "required": true, + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate." + } + }, + { + "client_serial_header_name": { + "type": "string", + "default": "X-Client-Cert-Serial", + "required": true, + "description": "Define the HTTP header name used for the serial number of the client certificate." + } + }, + { + "client_cert_issuer_dn_header_name": { + "type": "string", + "default": "X-Client-Cert-Issuer-DN", + "required": true, + "description": "Define the HTTP header name used for the issuer DN of the client certificate." + } + }, + { + "client_cert_subject_dn_header_name": { + "type": "string", + "default": "X-Client-Cert-Subject-DN", + "required": true, + "description": "Define the HTTP header name used for the subject DN of the client certificate." 
+ } + }, + { + "client_cert_fingerprint_header_name": { + "type": "string", + "default": "X-Client-Cert-Fingerprint", + "required": true, + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/udp-log/3.6.x.json b/schemas/udp-log/3.6.x.json new file mode 100644 index 00000000..fda25f97 --- /dev/null +++ b/schemas/udp-log/3.6.x.json @@ -0,0 +1,91 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "host": { + "required": true, + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "required": true, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "timeout": { + "type": "number", + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server." + } + }, + { + "custom_fields_by_lua": { + "keys": { + "type": "string", + "len_min": 1 + }, + "values": { + "len_min": 1, + "type": "string" + }, + "type": "map", + "description": "Lua code as a key-value map" + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file 
diff --git a/schemas/upstream-timeout/3.6.x.json b/schemas/upstream-timeout/3.6.x.json new file mode 100644 index 00000000..d5f3736f --- /dev/null +++ b/schemas/upstream-timeout/3.6.x.json @@ -0,0 +1,75 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "read_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "send_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "connect_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/vault-auth/3.6.x.json b/schemas/vault-auth/3.6.x.json new file mode 100644 index 00000000..d5cc2901 --- /dev/null +++ b/schemas/vault-auth/3.6.x.json 
@@ -0,0 +1,112 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "access_token_name": { + "required": true, + "type": "string", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "default": "access_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-]." + } + }, + { + "secret_token_name": { + "required": true, + "type": "string", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "default": "secret_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-]." 
+ } + }, + { + "vault": { + "type": "foreign", + "reference": "vault_auth_vaults", + "required": true, + "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API." + } + }, + { + "hide_credentials": { + "type": "boolean", + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it." + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "tokens_in_body": { + "type": "boolean", + "default": false, + "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." + } + }, + { + "run_on_preflight": { + "type": "boolean", + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/websocket-size-limit/3.6.x.json b/schemas/websocket-size-limit/3.6.x.json new file mode 100644 index 00000000..0bdadc6e --- /dev/null +++ b/schemas/websocket-size-limit/3.6.x.json 
@@ -0,0 +1,68 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "ws", + "wss" + ] + }, + "default": [ + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "client_max_payload", + "upstream_max_payload" + ] + } + ], + "required": true, + "fields": [ + { + "client_max_payload": { + "between": [ + 1, + 33554432 + ], + "type": "integer", + "required": false + } + }, + { + "upstream_max_payload": { + "between": [ + 1, + 33554432 + ], + "type": "integer", + "required": false + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/websocket-validator/3.6.x.json b/schemas/websocket-validator/3.6.x.json new file mode 100644 index 00000000..0790af6a --- /dev/null +++ b/schemas/websocket-validator/3.6.x.json 
@@ -0,0 +1,220 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "ws", + "wss" + ] + }, + "default": [ + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "client", + "upstream" + ] + } + ], + "required": true, + "fields": [ + { + "client": { + "required": false, + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } + ], + "type": "record", + "fields": [ + { + "text": { + "required": false, + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "type": "record", + "fields": [ + { + "type": { + "required": true, + "one_of": [ + "draft4" + ], + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." + } + }, + { + "schema": { + "required": true, + "type": "string", + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." + } + } + ] + } + }, + { + "binary": { + "required": false, + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "type": "record", + "fields": [ + { + "type": { + "required": true, + "one_of": [ + "draft4" + ], + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." + } + }, + { + "schema": { + "required": true, + "type": "string", + "description": "Schema used to validate upstream-originated binary frames. 
The semantics of this field depend on the validation type set by `config.upstream.binary.type`." + } + } + ] + } + } + ] + } + }, + { + "upstream": { + "required": false, + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } + ], + "type": "record", + "fields": [ + { + "text": { + "required": false, + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "type": "record", + "fields": [ + { + "type": { + "required": true, + "one_of": [ + "draft4" + ], + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." + } + }, + { + "schema": { + "required": true, + "type": "string", + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." + } + } + ] + } + }, + { + "binary": { + "required": false, + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "type": "record", + "fields": [ + { + "type": { + "required": true, + "one_of": [ + "draft4" + ], + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." + } + }, + { + "schema": { + "required": true, + "type": "string", + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." + } + } + ] + } + } + ] + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/xml-threat-protection/3.6.x.json b/schemas/xml-threat-protection/3.6.x.json new file mode 100644 index 00000000..8e28c996 --- /dev/null +++ b/schemas/xml-threat-protection/3.6.x.json 
@@ -0,0 +1,300 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "conditional": { + "then_field": "max_namespaces", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + }, + "if_field": "namespace_aware" + } + }, + { + "conditional": { + "then_field": "prefix", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + }, + "if_field": "namespace_aware" + } + }, + { + "conditional": { + "then_field": "namespaceuri", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + }, + "if_field": "namespace_aware" + } + } + ], + "required": true, + "fields": [ + { + "checked_content_types": { + "type": "set", + "required": true, + "elements": { + "match": "^[^%s]+%/[^ ;]+$", + "type": "string", + "required": true + }, + "default": [ + "application/xml" + ], + "description": "A list of Content-Type values with payloads that must be validated." + } + }, + { + "allowed_content_types": { + "type": "set", + "required": true, + "elements": { + "match": "^[^%s]+%/[^ ;]+$", + "type": "string", + "required": true + }, + "default": [ + + ], + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated." + } + }, + { + "allow_dtd": { + "type": "boolean", + "default": false, + "required": true, + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed." 
+ } + }, + { + "namespace_aware": { + "type": "boolean", + "default": true, + "required": true, + "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such." + } + }, + { + "max_depth": { + "gt": 0, + "type": "integer", + "required": true, + "default": 50, + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level." + } + }, + { + "max_children": { + "gt": 0, + "type": "integer", + "required": true, + "default": 100, + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child." + } + }, + { + "max_attributes": { + "gt": 0, + "type": "integer", + "required": true, + "default": 100, + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes." + } + }, + { + "max_namespaces": { + "gt": 0, + "type": "integer", + "required": false, + "default": 20, + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware." + } + }, + { + "document": { + "gt": 0, + "required": true, + "type": "integer", + "default": 10485760, + "description": "Maximum size of the entire document." + } + }, + { + "buffer": { + "gt": 0, + "required": true, + "type": "integer", + "default": 1048576, + "description": "Maximum size of the unparsed buffer (see below)." + } + }, + { + "comment": { + "gt": 0, + "required": true, + "type": "integer", + "default": 1024, + "description": "Maximum size of comments." + } + }, + { + "localname": { + "gt": 0, + "required": true, + "type": "integer", + "default": 1024, + "description": "Maximum size of the localname. This applies to tags and attributes." 
+ } + }, + { + "prefix": { + "gt": 0, + "required": false, + "type": "integer", + "default": 1024, + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware." + } + }, + { + "namespaceuri": { + "gt": 0, + "required": false, + "type": "integer", + "default": 1024, + "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware." + } + }, + { + "attribute": { + "gt": 0, + "required": true, + "type": "integer", + "default": 1048576, + "description": "Maximum size of the attribute value." + } + }, + { + "text": { + "gt": 0, + "required": true, + "type": "integer", + "default": 1048576, + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined)." + } + }, + { + "pitarget": { + "gt": 0, + "required": true, + "type": "integer", + "default": 1024, + "description": "Maximum size of processing instruction targets." + } + }, + { + "pidata": { + "gt": 0, + "required": true, + "type": "integer", + "default": 1024, + "description": "Maximum size of processing instruction data." + } + }, + { + "entityname": { + "gt": 0, + "required": true, + "type": "integer", + "default": 1024, + "description": "Maximum size of entity names in EntityDecl." + } + }, + { + "entity": { + "gt": 0, + "required": true, + "type": "integer", + "default": 1024, + "description": "Maximum size of entity values in EntityDecl." + } + }, + { + "entityproperty": { + "gt": 0, + "required": true, + "type": "integer", + "default": 1024, + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl." + } + }, + { + "bla_max_amplification": { + "gt": 1, + "type": "number", + "required": true, + "default": 100, + "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack." 
+ } + }, + { + "bla_threshold": { + "gt": 1024, + "required": true, + "type": "integer", + "default": 8388608, + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack." + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/zipkin/3.6.x.json b/schemas/zipkin/3.6.x.json new file mode 100644 index 00000000..7fffd55e --- /dev/null +++ b/schemas/zipkin/3.6.x.json 
@@ -0,0 +1,325 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." + }, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "local_service_name": { + "required": true, + "type": "string", + "default": "kong", + "description": "The name of the service as displayed in Zipkin." + } + }, + { + "http_endpoint": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "sample_ratio": { + "between": [ + 0, + 1 + ], + "type": "number", + "default": 0.001, + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. " + } + }, + { + "default_service_name": { + "type": "string", + "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans." + } + }, + { + "include_credential": { + "required": true, + "type": "boolean", + "default": true, + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server." + } + }, + { + "traceid_byte_count": { + "type": "integer", + "required": true, + "one_of": [ + 8, + 16 + ], + "default": 16, + "description": "The length in bytes of each request's Trace ID." 
+ } + }, + { + "header_type": { + "type": "string", + "required": true, + "one_of": [ + "preserve", + "ignore", + "b3", + "b3-single", + "w3c", + "jaeger", + "ot", + "aws", + "datadog", + "gcp" + ], + "default": "preserve", + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests" + } + }, + { + "default_header_type": { + "type": "string", + "required": true, + "one_of": [ + "b3", + "b3-single", + "w3c", + "jaeger", + "ot", + "aws", + "datadog", + "gcp" + ], + "default": "b3", + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored." + } + }, + { + "tags_header": { + "required": true, + "type": "string", + "default": "Zipkin-Tags", + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property." + } + }, + { + "static_tags": { + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "name": { + "required": true, + "not_one_of": [ + "error", + "http.method", + "http.path", + "http.status_code", + "kong.balancer.state", + "kong.balancer.try", + "kong.consumer", + "kong.credential", + "kong.node.id", + "kong.route", + "kong.service", + "lc", + "peer.hostname" + ], + "type": "string" + } + }, + { + "value": { + "type": "string", + "required": true + } + } + ] + }, + "description": "The tags specified on this property will be added to the generated request traces." + } + }, + { + "http_span_name": { + "type": "string", + "required": true, + "one_of": [ + "method", + "method_path" + ], + "default": "method", + "description": "Specify whether to include the HTTP path in the span name." 
+ } + }, + { + "connect_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "send_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 5000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "read_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 5000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "http_response_header_for_traceid": { + "type": "string" + } + }, + { + "phase_duration_flavor": { + "type": "string", + "required": true, + "one_of": [ + "annotations", + "tags" + ], + "default": "annotations", + "description": "Specify whether to include the duration of each phase as an annotation or a tag." + } + }, + { + "queue": { + "type": "record", + "required": true, + "fields": [ + { + "max_batch_size": { + "between": [ + 1, + 1000000 + ], + "type": "integer", + "default": 1, + "description": "Maximum number of entries that can be processed at a time." + } + }, + { + "max_coalescing_delay": { + "between": [ + 0, + 3600 + ], + "type": "number", + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + } + }, + { + "max_entries": { + "between": [ + 1, + 1000000 + ], + "type": "integer", + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue." + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + } + }, + { + "max_retry_time": { + "type": "number", + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." 
+ } + }, + { + "initial_retry_delay": { + "between": [ + 0.001, + 1000000 + ], + "type": "number", + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch." + } + }, + { + "max_retry_delay": { + "between": [ + 0.001, + 1000000 + ], + "type": "number", + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff." + } + } + ] + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file From 65fa4ff8102ca6f7ad21bfe7a6d1992b6fd360f4 Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Fri, 26 Jan 2024 16:40:01 +0100 Subject: [PATCH 024/165] Add command that generates the plugins' priorities --- README.md | 20 ++++++++++++- lib/api/client.rb | 8 +++++ lib/plugin_priorities.rb | 65 ++++++++++++++++++++++++++++++++++++++++ plugins | 16 ++++++++++ 4 files changed, 108 insertions(+), 1 deletion(-) create mode 100644 lib/plugin_priorities.rb diff --git a/README.md b/README.md index 2cc57961..b51f6120 100644 --- a/README.md +++ b/README.md 
@@ -95,6 +95,23 @@ For example, running: ``` generates a file `./data/referenceable_fields/3.4.x.json` containing a list of plugins that have referenceable fields, and their corresponding referenceable fields. +### Generate Plugin Priorities + +| Options | Descriptions | +|--------------------------- |-----| +| `version` | **Required**. Kong Gateway release version, e.g. `3.3.x`. | +| `plugins` | **Required**. Space separated list of plugins to use, .e.g. `acme acl`. | +| `host` | Name of the host in which the API is running. Default: `localhost`. | +| `port` | Port in which the API is listening. Default: `8001`. | +| `type` | Whether the API is running the `Enterprise` or `OSS` edition. Enum: `oss` or `ee`. | +| `destination` | Path to the root folder in which the file will be stored. Default: `./data` | + +For example, running: +```bash +./plugins generate_plugin_priorities --type=ee --version 3.4.x --plugins $(ls ./schemas) +``` +generates a file `./data/priorities/ee/3.4.x.json` containing a list of plugins and their corresponded priorities order by priority (desc). + ## Updating the repo after a new release Whenever a new version of Kong Gateway is released, we need run the following commands in order. For all of them, specify all the plugins `--plugins $(ls ./schemas)` @@ -102,4 +119,5 @@ Whenever a new version of Kong Gateway is released, we need run the following co 1. Download Schemas - specify the new version `x.x.x` 1. Copy Examples - specify the previous version `_x.x.y` of the example that gets copied 1. Validate Examples - specify the new version `_x.x.x` -1. Generate Referenceable Fields List - specify the new version `x.x.x` \ No newline at end of file +1. Generate Referenceable Fields List - specify the new version `x.x.x` +1. Generate Priorities List - for `oss` and `ee` and specify the new version `x.x.x` diff --git a/lib/api/client.rb b/lib/api/client.rb index 3b81026d..c7d10016 100644 --- a/lib/api/client.rb +++ b/lib/api/client.rb 
@@ -30,5 +30,13 @@ def validate_plugin(body)
 puts e.message
 end
 end
+
+ def root
+ begin
+ Net::HTTP.get_response(URI("#{@base_url}/"))
+ rescue Errno::ECONNREFUSED => e
+ puts e.message
+ end
+ end
 end
 end
diff --git a/lib/plugin_priorities.rb b/lib/plugin_priorities.rb
new file mode 100644
index 00000000..1dc191e4
--- /dev/null
+++ b/lib/plugin_priorities.rb
@@ -0,0 +1,65 @@
+require 'json'
+require 'fileutils'
+require_relative 'api/client'
+
+class PluginPriorities
+ def self.run!(plugins:, options:)
+ new(plugins:, options:).run!
+ end
+
+ def initialize(plugins:, options:)
+ @plugins = plugins
+ @options = options
+ @client = API::Client.new(host: @options[:host], port: @options[:port])
+ end
+
+ def run!
+ create_folders
+
+ @res = @client.root
+
+ process_response
+ end
+
+ private
+
+ def process_response
+ if success?
+ @response = JSON.parse(@res.body)
+
+ if @options['verbose']
+ puts 'Plugins ordered by priority'
+ puts JSON.pretty_generate(priorities)
+ else
+ puts "#{success? ? '✅' : '❌'}"
+ end
+
+ write_to_file(priorities)
+ end
+ end
+
+ def success?
+ @res && @res.code == '200'
+ end
+
+ def priorities
+ @priorities ||= @response
+ .dig('plugins', 'available_on_server')
+ .each_with_object({}) { |(k, v), hash| hash[k] = v['priority'] }
+ .sort_by { |k, v| -v }
+ .to_h
+ end
+
+ def write_to_file(priorities)
+ File.write(file_path, JSON.pretty_generate(priorities))
+ end
+
+ def file_path
+ "#{@options[:destination]}/priorities/#{@options[:type]}/#{@options[:version]}.json"
+ end
+
+ def create_folders
+ FileUtils.mkdir_p("#{@options[:destination]}/priorities/ee")
+ FileUtils.mkdir_p("#{@options[:destination]}/priorities/oss")
+ end
+end
diff --git a/plugins b/plugins
index f37f5894..574f78b9 100755
--- a/plugins
+++ b/plugins
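Review bot: `root` rescues only `Errno::ECONNREFUSED`, so an unresolvable host or a timeout still surfaces as an unhandled exception, while a refused connection prints the message and makes the method return nil (the value of `puts`). If nil-on-failure is the intended contract, state it in a comment such as `# Returns the Admin API root response, or nil when the connection fails.` and widen the clause to `rescue Errno::ECONNREFUSED, SocketError, Net::OpenTimeout, Net::ReadTimeout => e`. The inner `begin`/`end` can also go, since a `def` body accepts `rescue` directly. The enclosing class and the construction of `@base_url` are outside this hunk.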
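Review bot: In `process_response` the `'❌'` branch can never print, because the status line sits inside `if success?`; when the Admin API is unreachable or answers with a non-200 status the command writes no file, prints nothing here, and the caller still reports 'Done!'. An early guard such as `return warn('❌ could not read plugin priorities from the Admin API') unless success?` makes the failure visible. In `priorities`, `.sort_by { |k, v| -v }` would raise if any entry under `available_on_server` lacks a `priority` value; presumably all have one, but a `.compact` on the built hash before the sort would make that explicit. `@plugins` is stored in `initialize` and never read.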
@@ -4,6 +4,7 @@ require_relative 'lib/schema_downloader' require_relative 'lib/example_validator' require_relative 'lib/example_copier' require_relative 'lib/referenceable_fields' +require_relative 'lib/plugin_priorities' class Plugins < Thor class_option :verbose, :type => :boolean @@ -70,6 +71,21 @@ class Plugins < Thor puts 'Done!' end + + desc 'generate_plugin_priorities', 'Generates a json object listing all the plugins and their corresponding priorities' + option :version, aliases: '-v', type: :string, required: true, desc: 'Kong Version' + option :plugins, aliases: '-p', type: :array, required: true, desc: 'List containing the name of the plugins' + option :host, aliases: '-d', type: :string, default: 'localhost', desc: 'Hostname of the server running the API.' + option :port, aliases: '-h', type: :numeric, default: 8001, desc: 'Port number' + option :type, aliases: '-t', enum: %w(oss ee), required: true, desc: 'Specify whether the API running is the OSS or Enterprise version' + option :destination, aliases: '-dest', type: :string, default: './data', desc: 'Destination folder where the json object containing the plugins and their priorities will be written' + def generate_plugin_priorities + puts 'Listing plugins and their priorities...' + + PluginPriorities.run!(plugins: options[:plugins], options: options) + + puts 'Done!' + end end Plugins.start(ARGV) From 9fd4856a252e1b70a96a6fcec55f61304c40b629 Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Mon, 29 Jan 2024 17:29:38 +0100 Subject: [PATCH 025/165] Change the way priorities are calculated --- README.md | 6 ++-- lib/plugin_priorities.rb | 63 +++++++++++++++++++++++----------------- plugins | 2 +- 3 files changed, 40 insertions(+), 31 deletions(-) diff --git a/README.md b/README.md index b51f6120..ad9f445f 100644 --- a/README.md +++ b/README.md 
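Review bot: `--plugins` is declared `required: true` on `generate_plugin_priorities`, yet in this commit `PluginPriorities` only stores the list and builds the output from whatever the server reports, so the option has no effect on the result. Either drop `required: true` or filter the priorities by the given names. The aliases also read as swapped: `-d` is bound to `host` and `-h` to `port`, and `-dest` is a multi-letter alias behind a single dash; something like `aliases: '-H'` for host and `aliases: '-P'` for port would be less surprising, unless the commands outside this hunk already use the same letters.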
@@ -103,14 +103,14 @@ generates a file `./data/referenceable_fields/3.4.x.json` containing a list of p | `plugins` | **Required**. Space separated list of plugins to use, .e.g. `acme acl`. | | `host` | Name of the host in which the API is running. Default: `localhost`. | | `port` | Port in which the API is listening. Default: `8001`. | -| `type` | Whether the API is running the `Enterprise` or `OSS` edition. Enum: `oss` or `ee`. | +| `ee-path` | Path to the local copy of kong enterprise. | | `destination` | Path to the root folder in which the file will be stored. Default: `./data` | For example, running: ```bash -./plugins generate_plugin_priorities --type=ee --version 3.4.x --plugins $(ls ./schemas) +./plugins generate_plugin_priorities --ee-path=../kong-enterprise/ --version 3.4.x --plugins $(ls ./schemas) ``` -generates a file `./data/priorities/ee/3.4.x.json` containing a list of plugins and their corresponded priorities order by priority (desc). +generates a file `./data/priorities/3.4.x.json` containing a list of plugins and their corresponded priorities order by priority (desc). ## Updating the repo after a new release diff --git a/lib/plugin_priorities.rb b/lib/plugin_priorities.rb index 1dc191e4..be69395a 100644 --- a/lib/plugin_priorities.rb +++ b/lib/plugin_priorities.rb 
@@ -10,42 +10,40 @@ def self.run!(plugins:, options:) def initialize(plugins:, options:) @plugins = plugins @options = options - @client = API::Client.new(host: @options[:host], port: @options[:port]) + @priorities = {} end def run! - create_folders - - @res = @client.root - - process_response + create_folder + fetch_priorities + order_priorities + process_priorities end private - def process_response - if success? - @response = JSON.parse(@res.body) + def fetch_priorities + @plugins.each do |plugin| + handler = handler_file_path(plugin) + next unless handler - if @options['verbose'] - puts 'Plugins ordered by priority' - puts JSON.pretty_generate(priorities) - else - puts "#{success? ? '✅' : '❌'}" - end - - write_to_file(priorities) + priority = File.read(handler)[/PRIORITY\s=\s(\d+)/, 1].to_i + @priorities[plugin] = priority end end - def success? - @res && @res.code == '200' + def process_priorities + if @options['verbose'] + puts 'Plugins ordered by priority' + puts JSON.pretty_generate(@priorities) + end + + write_to_file(@priorities) end - def priorities - @priorities ||= @response - .dig('plugins', 'available_on_server') - .each_with_object({}) { |(k, v), hash| hash[k] = v['priority'] } + def order_priorities + @priorities = @priorities + .select { |k, v| !v.nil? } .sort_by { |k, v| -v } .to_h end 
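Review bot: `File.read(handler)[/PRIORITY\s=\s(\d+)/, 1].to_i` in `fetch_priorities` turns a failed match into `0`, because `nil.to_i` is `0`; a handler that writes the assignment with different spacing, uses a negative number or computes the value is then recorded as priority 0 instead of being dropped, and `select { |k, v| !v.nil? }` in `order_priorities` never filters anything. Keeping the miss as `nil` restores the filter: `value = File.read(handler)[/PRIORITY\s=\s(\d+)/, 1]` then `@priorities[plugin] = value&.to_i`, ideally with a `warn` naming the plugin. The generated files later in this series list `pre-function`, `post-function`, `mocking` and `statsd-advanced` at 0, which may be this fallback rather than their real priority and is worth checking, since the output documents plugin execution order. The same `.to_i` remains after the regex change in the later `@@ -27,7 +27,7 @@` hunk.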
@@ -55,11 +53,22 @@ def write_to_file(priorities) end def file_path - "#{@options[:destination]}/priorities/#{@options[:type]}/#{@options[:version]}.json" + "#{@options[:destination]}/priorities/#{@options[:version]}.json" + end + + def create_folder + FileUtils.mkdir_p("#{@options[:destination]}/priorities/") end - def create_folders - FileUtils.mkdir_p("#{@options[:destination]}/priorities/ee") - FileUtils.mkdir_p("#{@options[:destination]}/priorities/oss") + def handler_file_path(plugin) + oss_path = "#{@options[:ee_path]}/kong/plugins/#{plugin}/handler.lua" + ee_path = "#{@options[:ee_path]}/plugins-ee/#{plugin}/kong/plugins/#{plugin}/handler.lua" + if File.exist?(oss_path) + oss_path + elsif File.exist?(ee_path) + ee_path + else + puts "Plugin #{plugin} handler.lua can't be found" + end end end diff --git a/plugins b/plugins index 574f78b9..87394ad7 100755 --- a/plugins +++ b/plugins @@ -77,7 +77,7 @@ class Plugins < Thor option :plugins, aliases: '-p', type: :array, required: true, desc: 'List containing the name of the plugins' option :host, aliases: '-d', type: :string, default: 'localhost', desc: 'Hostname of the server running the API.' option :port, aliases: '-h', type: :numeric, default: 8001, desc: 'Port number' - option :type, aliases: '-t', enum: %w(oss ee), required: true, desc: 'Specify whether the API running is the OSS or Enterprise version' + option :ee_path, type: :string, required: true, desc: 'Path to a local copy of kong ee' option :destination, aliases: '-dest', type: :string, default: './data', desc: 'Destination folder where the json object containing the plugins and their priorities will be written' def generate_plugin_priorities puts 'Listing plugins and their priorities...' From a38e6046f31f3fef1ab2e9f0cc597ca10c024292 Mon Sep 17 00:00:00 2001 
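Review bot: `handler_file_path` returns `nil` for a missing handler only because `puts` returns `nil`, and the message goes to stdout where it mixes with the `--verbose` JSON; `warn "Plugin #{plugin} handler.lua can't be found"` followed by an explicit `nil` states the contract that `fetch_priorities` depends on (`next unless handler`). The local named `oss_path` is built from `@options[:ee_path]`, which reads as if a separate OSS checkout were consulted; a name like `core_path` would be less misleading. Plugin names are interpolated into the path unchecked, so restricting them to the expected shape (for example `/\A[a-z0-9-]+\z/`) before building the path keeps the reads inside the source tree.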
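Review bot: After this commit nothing shown in the patch reads `host` or `port` for `generate_plugin_priorities` (the `API::Client.new(host:, port:)` call was removed from `PluginPriorities#initialize`), so the two options left as context above the changed line, and their README rows, describe inputs that have no effect. Dropping them from this command, or saying in their `desc` that they are unused, would avoid suggesting that a running API is contacted. The later `@@ -77,7 +77,8 @@` hunk keeps them as well, and its restored `type` description still says 'the API running'. The command body continues outside the hunk.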
From: Fabian Rodriguez Date: Tue, 30 Jan 2024 09:56:58 +0100 Subject: [PATCH 026/165] Read priorities from EE or OSS source code --- README.md | 7 ++++--- lib/plugin_priorities.rb | 25 ++++++++++++++----------- plugins | 3 ++- 3 files changed, 20 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index ad9f445f..a28964d9 100644 --- a/README.md +++ b/README.md @@ -103,14 +103,15 @@ generates a file `./data/referenceable_fields/3.4.x.json` containing a list of p | `plugins` | **Required**. Space separated list of plugins to use, .e.g. `acme acl`. | | `host` | Name of the host in which the API is running. Default: `localhost`. | | `port` | Port in which the API is listening. Default: `8001`. | -| `ee-path` | Path to the local copy of kong enterprise. | +| `type` | Whether the API is running the `Enterprise` or `OSS` edition. Enum: `oss` or `ee`. | +| `source` | Path to the kong's source code (ee or oss). | | `destination` | Path to the root folder in which the file will be stored. Default: `./data` | For example, running: ```bash -./plugins generate_plugin_priorities --ee-path=../kong-enterprise/ --version 3.4.x --plugins $(ls ./schemas) +./plugins generate_plugin_priorities --type ee --version 3.4.x --plugins $(ls ./schemas) --source ../kong-ee ``` -generates a file `./data/priorities/3.4.x.json` containing a list of plugins and their corresponded priorities order by priority (desc). +generates a file `./data/ee/priorities/3.4.x.json` containing a list of plugins and their corresponded priorities order by priority (desc). ## Updating the repo after a new release diff --git a/lib/plugin_priorities.rb b/lib/plugin_priorities.rb index be69395a..6df4eba6 100644 --- a/lib/plugin_priorities.rb +++ b/lib/plugin_priorities.rb @@ -14,7 +14,7 @@ def initialize(plugins:, options:) end def run! - create_folder + create_folders fetch_priorities order_priorities process_priorities 
@@ -27,7 +27,7 @@ def fetch_priorities handler = handler_file_path(plugin) next unless handler - priority = File.read(handler)[/PRIORITY\s=\s(\d+)/, 1].to_i + priority = File.read(handler)[/PRIORITY\s=\s(\d+)(,|\s*\n)/, 1].to_i @priorities[plugin] = priority end end @@ -53,20 +53,23 @@ def write_to_file(priorities) end def file_path - "#{@options[:destination]}/priorities/#{@options[:version]}.json" + "#{@options[:destination]}/priorities/#{@options[:type]}/#{@options[:version]}.json" end - def create_folder - FileUtils.mkdir_p("#{@options[:destination]}/priorities/") + def create_folders + FileUtils.mkdir_p("#{@options[:destination]}/priorities/ee/") + FileUtils.mkdir_p("#{@options[:destination]}/priorities/oss/") end def handler_file_path(plugin) - oss_path = "#{@options[:ee_path]}/kong/plugins/#{plugin}/handler.lua" - ee_path = "#{@options[:ee_path]}/plugins-ee/#{plugin}/kong/plugins/#{plugin}/handler.lua" - if File.exist?(oss_path) - oss_path - elsif File.exist?(ee_path) - ee_path + path = if @options[:type] == 'oss' + "#{@options[:source]}/kong/plugins/#{plugin}/handler.lua" + else + ee = "#{@options[:source]}/plugins-ee/#{plugin}/kong/plugins/#{plugin}/handler.lua" + File.exist?(ee) ? ee : "#{@options[:source]}/kong/plugins/#{plugin}/handler.lua" + end + if File.exist?(path) + path else puts "Plugin #{plugin} handler.lua can't be found" end diff --git a/plugins b/plugins index 87394ad7..c49c9849 100755 --- a/plugins +++ b/plugins 
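Review bot: `file_path` writes to `#{@options[:destination]}/priorities/#{@options[:type]}/#{@options[:version]}.json`, but the README change in this same commit says the file is generated at `./data/ee/priorities/3.4.x.json`; one of the two should change, and the data files added in the next commit follow the code (`data/priorities/ee/…`). `create_folders` also creates both `priorities/ee/` and `priorities/oss/` on every run although only the `@options[:type]` directory is written; `FileUtils.mkdir_p(File.dirname(file_path))` would create just the one in use. In `handler_file_path` the `ee` branch silently falls back to `kong/plugins/…`, which deserves a one-line comment such as `# EE trees also carry the core plugins under kong/plugins`, if that is the intent.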
@@ -77,7 +77,8 @@ class Plugins < Thor option :plugins, aliases: '-p', type: :array, required: true, desc: 'List containing the name of the plugins' option :host, aliases: '-d', type: :string, default: 'localhost', desc: 'Hostname of the server running the API.' option :port, aliases: '-h', type: :numeric, default: 8001, desc: 'Port number' - option :ee_path, type: :string, required: true, desc: 'Path to a local copy of kong ee' + option :type, aliases: '-t', enum: %w(oss ee), required: true, desc: 'Specify whether the API running is the OSS or Enterprise version' + option :source, type: :string, required: true, desc: 'Path to the kong\'s source code (ee or oss).' option :destination, aliases: '-dest', type: :string, default: './data', desc: 'Destination folder where the json object containing the plugins and their priorities will be written' def generate_plugin_priorities puts 'Listing plugins and their priorities...' From 068695efb9d273c4ee607006580aa8bebfa2e4af Mon Sep 17 00:00:00 2001 
From: Fabian Rodriguez Date: Tue, 30 Jan 2024 09:57:24 +0100 Subject: [PATCH 027/165] Generate priorities --- data/priorities/ee/2.6.x.json | 44 ++++++++++++++++++ data/priorities/ee/2.7.x.json | 66 +++++++++++++++++++++++++++ data/priorities/ee/2.8.x.json | 66 +++++++++++++++++++++++++++ data/priorities/ee/3.0.x.json | 72 +++++++++++++++++++++++++++++ data/priorities/ee/3.1.x.json | 77 +++++++++++++++++++++++++++++++ data/priorities/ee/3.2.x.json | 77 +++++++++++++++++++++++++++++++ data/priorities/ee/3.3.x.json | 77 +++++++++++++++++++++++++++++++ data/priorities/ee/3.4.x.json | 77 +++++++++++++++++++++++++++++++ data/priorities/ee/3.5.x.json | 77 +++++++++++++++++++++++++++++++ data/priorities/ee/3.6.x.json | 83 ++++++++++++++++++++++++++++++++++ data/priorities/oss/2.6.x.json | 35 ++++++++++++++ data/priorities/oss/2.7.x.json | 38 ++++++++++++++++ data/priorities/oss/2.8.x.json | 38 ++++++++++++++++ data/priorities/oss/3.0.x.json | 39 ++++++++++++++++ data/priorities/oss/3.1.x.json | 39 ++++++++++++++++ data/priorities/oss/3.2.x.json | 39 ++++++++++++++++ data/priorities/oss/3.3.x.json | 39 ++++++++++++++++ data/priorities/oss/3.4.x.json | 39 ++++++++++++++++ data/priorities/oss/3.5.x.json | 39 ++++++++++++++++ data/priorities/oss/3.6.x.json | 45 ++++++++++++++++++ 20 files changed, 1106 insertions(+) create mode 100644 data/priorities/ee/2.6.x.json create mode 100644 data/priorities/ee/2.7.x.json create mode 100644 data/priorities/ee/2.8.x.json create mode 100644 data/priorities/ee/3.0.x.json create mode 100644 data/priorities/ee/3.1.x.json create mode 100644 data/priorities/ee/3.2.x.json create mode 100644 data/priorities/ee/3.3.x.json create mode 100644 data/priorities/ee/3.4.x.json create mode 100644 data/priorities/ee/3.5.x.json create mode 100644 data/priorities/ee/3.6.x.json create mode 100644 data/priorities/oss/2.6.x.json create mode 100644 data/priorities/oss/2.7.x.json create mode 100644 data/priorities/oss/2.8.x.json create mode 100644 
data/priorities/oss/3.0.x.json create mode 100644 data/priorities/oss/3.1.x.json create mode 100644 data/priorities/oss/3.2.x.json create mode 100644 data/priorities/oss/3.3.x.json create mode 100644 data/priorities/oss/3.4.x.json create mode 100644 data/priorities/oss/3.5.x.json create mode 100644 data/priorities/oss/3.6.x.json diff --git a/data/priorities/ee/2.6.x.json b/data/priorities/ee/2.6.x.json new file mode 100644 index 00000000..70f75052 --- /dev/null +++ b/data/priorities/ee/2.6.x.json @@ -0,0 +1,44 @@ +{ + "correlation-id": 100001, + "bot-detection": 2500, + "cors": 2000, + "route-by-header": 2000, + "session": 1900, + "oauth2-introspection": 1700, + "acme": 1007, + "jwt": 1005, + "oauth2": 1004, + "key-auth": 1003, + "ldap-auth": 1002, + "basic-auth": 1001, + "hmac-auth": 1000, + "grpc-gateway": 998, + "application-registration": 995, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "rate-limiting": 901, + "response-ratelimiting": 900, + "request-transformer-advanced": 802, + "response-transformer-advanced": 800, + "response-transformer": 800, + "aws-lambda": 750, + "proxy-cache": 100, + "proxy-cache-advanced": 100, + "forward-proxy": 50, + "canary": 13, + "prometheus": 13, + "http-log": 12, + "statsd": 11, + "statsd-advanced": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "pre-function": 0, + "post-function": 0 +} \ No newline at end of file diff --git a/data/priorities/ee/2.7.x.json b/data/priorities/ee/2.7.x.json new file mode 100644 index 00000000..c1597b0f --- /dev/null +++ b/data/priorities/ee/2.7.x.json 
@@ -0,0 +1,66 @@ +{ + "correlation-id": 100001, + "zipkin": 100000, + "exit-transformer": 9999, + "bot-detection": 2500, + "cors": 2000, + "route-by-header": 2000, + "session": 1900, + "oauth2-introspection": 1700, + "acme": 1007, + "mtls-auth": 1006, + "jwt": 1005, + "degraphql": 1005, + "oauth2": 1004, + "key-auth": 1003, + "vault-auth": 1003, + "key-auth-enc": 1003, + "ldap-auth": 1002, + "ldap-auth-advanced": 1002, + "basic-auth": 1001, + "hmac-auth": 1000, + "openid-connect": 1000, + "request-validator": 999, + "jwt-signer": 999, + "grpc-gateway": 998, + "application-registration": 995, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "opa": 920, + "graphql-rate-limiting-advanced": 902, + "rate-limiting-advanced": 902, + "rate-limiting": 901, + "response-ratelimiting": 900, + "jq": 811, + "request-transformer-advanced": 802, + "request-transformer": 801, + "response-transformer-advanced": 800, + "response-transformer": 800, + "route-transformer-advanced": 800, + "kafka-upstream": 751, + "aws-lambda": 750, + "azure-functions": 749, + "upstream-timeout": 400, + "graphql-proxy-cache-advanced": 100, + "proxy-cache-advanced": 100, + "proxy-cache": 100, + "forward-proxy": 50, + "canary": 13, + "prometheus": 13, + "http-log": 12, + "statsd-advanced": 11, + "statsd": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "kafka-log": 5, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "mocking": 0, + "post-function": 0, + "pre-function": 0 +} \ No newline at end of file diff --git a/data/priorities/ee/2.8.x.json b/data/priorities/ee/2.8.x.json new file mode 100644 index 00000000..c1597b0f --- /dev/null +++ b/data/priorities/ee/2.8.x.json 
@@ -0,0 +1,66 @@ +{ + "correlation-id": 100001, + "zipkin": 100000, + "exit-transformer": 9999, + "bot-detection": 2500, + "cors": 2000, + "route-by-header": 2000, + "session": 1900, + "oauth2-introspection": 1700, + "acme": 1007, + "mtls-auth": 1006, + "jwt": 1005, + "degraphql": 1005, + "oauth2": 1004, + "key-auth": 1003, + "vault-auth": 1003, + "key-auth-enc": 1003, + "ldap-auth": 1002, + "ldap-auth-advanced": 1002, + "basic-auth": 1001, + "hmac-auth": 1000, + "openid-connect": 1000, + "request-validator": 999, + "jwt-signer": 999, + "grpc-gateway": 998, + "application-registration": 995, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "opa": 920, + "graphql-rate-limiting-advanced": 902, + "rate-limiting-advanced": 902, + "rate-limiting": 901, + "response-ratelimiting": 900, + "jq": 811, + "request-transformer-advanced": 802, + "request-transformer": 801, + "response-transformer-advanced": 800, + "response-transformer": 800, + "route-transformer-advanced": 800, + "kafka-upstream": 751, + "aws-lambda": 750, + "azure-functions": 749, + "upstream-timeout": 400, + "graphql-proxy-cache-advanced": 100, + "proxy-cache-advanced": 100, + "proxy-cache": 100, + "forward-proxy": 50, + "canary": 13, + "prometheus": 13, + "http-log": 12, + "statsd-advanced": 11, + "statsd": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "kafka-log": 5, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "mocking": 0, + "post-function": 0, + "pre-function": 0 +} \ No newline at end of file diff --git a/data/priorities/ee/3.0.x.json b/data/priorities/ee/3.0.x.json new file mode 100644 index 00000000..f570fed2 --- /dev/null +++ b/data/priorities/ee/3.0.x.json 
@@ -0,0 +1,72 @@ +{ + "correlation-id": 100001, + "zipkin": 100000, + "exit-transformer": 9999, + "bot-detection": 2500, + "cors": 2000, + "session": 1900, + "acme": 1705, + "oauth2-introspection": 1700, + "mtls-auth": 1600, + "degraphql": 1500, + "jwt": 1450, + "oauth2": 1400, + "vault-auth": 1350, + "key-auth-enc": 1250, + "key-auth": 1250, + "ldap-auth": 1200, + "ldap-auth-advanced": 1200, + "basic-auth": 1100, + "openid-connect": 1050, + "hmac-auth": 1030, + "jwt-signer": 1020, + "websocket-size-limit": 999, + "websocket-validator": 999, + "request-validator": 999, + "grpc-gateway": 998, + "tls-handshake-modifier": 997, + "tls-metadata-headers": 996, + "application-registration": 995, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "konnect-application-auth": 950, + "opa": 920, + "rate-limiting": 910, + "rate-limiting-advanced": 910, + "graphql-rate-limiting-advanced": 902, + "response-ratelimiting": 900, + "route-by-header": 850, + "jq": 811, + "request-transformer-advanced": 802, + "request-transformer": 801, + "response-transformer-advanced": 800, + "response-transformer": 800, + "route-transformer-advanced": 780, + "kafka-upstream": 751, + "aws-lambda": 750, + "azure-functions": 749, + "upstream-timeout": 400, + "proxy-cache-advanced": 100, + "proxy-cache": 100, + "graphql-proxy-cache-advanced": 99, + "forward-proxy": 50, + "canary": 20, + "opentelemetry": 14, + "prometheus": 13, + "http-log": 12, + "statsd": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "kafka-log": 5, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "mocking": 0, + "statsd-advanced": 0, + "pre-function": 0, + "post-function": 0 +} \ No newline at end of file diff --git a/data/priorities/ee/3.1.x.json b/data/priorities/ee/3.1.x.json new file mode 100644 index 00000000..0f55b919 --- /dev/null +++ b/data/priorities/ee/3.1.x.json 
@@ -0,0 +1,77 @@ +{ + "app-dynamics": 999999, + "correlation-id": 100001, + "zipkin": 100000, + "exit-transformer": 9999, + "bot-detection": 2500, + "cors": 2000, + "jwe-decrypt": 1999, + "session": 1900, + "acme": 1705, + "oauth2-introspection": 1700, + "mtls-auth": 1600, + "degraphql": 1500, + "jwt": 1450, + "oauth2": 1400, + "vault-auth": 1350, + "key-auth": 1250, + "key-auth-enc": 1250, + "ldap-auth-advanced": 1200, + "ldap-auth": 1200, + "basic-auth": 1100, + "openid-connect": 1050, + "hmac-auth": 1030, + "jwt-signer": 1020, + "xml-threat-protection": 999, + "request-validator": 999, + "websocket-validator": 999, + "websocket-size-limit": 999, + "grpc-gateway": 998, + "tls-handshake-modifier": 997, + "tls-metadata-headers": 996, + "application-registration": 995, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "konnect-application-auth": 950, + "opa": 920, + "rate-limiting": 910, + "rate-limiting-advanced": 910, + "graphql-rate-limiting-advanced": 902, + "saml": 900, + "response-ratelimiting": 900, + "route-by-header": 850, + "oas-validation": 850, + "jq": 811, + "request-transformer-advanced": 802, + "request-transformer": 801, + "response-transformer": 800, + "response-transformer-advanced": 800, + "route-transformer-advanced": 780, + "kafka-upstream": 751, + "aws-lambda": 750, + "azure-functions": 749, + "upstream-timeout": 400, + "proxy-cache": 100, + "proxy-cache-advanced": 100, + "graphql-proxy-cache-advanced": 99, + "forward-proxy": 50, + "canary": 20, + "opentelemetry": 14, + "prometheus": 13, + "http-log": 12, + "statsd": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "kafka-log": 5, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "pre-function": 0, + "statsd-advanced": 0, + "post-function": 0, + "mocking": 0 +} \ No newline at end of file diff --git a/data/priorities/ee/3.2.x.json b/data/priorities/ee/3.2.x.json new file mode 100644 index 00000000..0f55b919 --- /dev/null 
+++ b/data/priorities/ee/3.2.x.json @@ -0,0 +1,77 @@ +{ + "app-dynamics": 999999, + "correlation-id": 100001, + "zipkin": 100000, + "exit-transformer": 9999, + "bot-detection": 2500, + "cors": 2000, + "jwe-decrypt": 1999, + "session": 1900, + "acme": 1705, + "oauth2-introspection": 1700, + "mtls-auth": 1600, + "degraphql": 1500, + "jwt": 1450, + "oauth2": 1400, + "vault-auth": 1350, + "key-auth": 1250, + "key-auth-enc": 1250, + "ldap-auth-advanced": 1200, + "ldap-auth": 1200, + "basic-auth": 1100, + "openid-connect": 1050, + "hmac-auth": 1030, + "jwt-signer": 1020, + "xml-threat-protection": 999, + "request-validator": 999, + "websocket-validator": 999, + "websocket-size-limit": 999, + "grpc-gateway": 998, + "tls-handshake-modifier": 997, + "tls-metadata-headers": 996, + "application-registration": 995, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "konnect-application-auth": 950, + "opa": 920, + "rate-limiting": 910, + "rate-limiting-advanced": 910, + "graphql-rate-limiting-advanced": 902, + "saml": 900, + "response-ratelimiting": 900, + "route-by-header": 850, + "oas-validation": 850, + "jq": 811, + "request-transformer-advanced": 802, + "request-transformer": 801, + "response-transformer": 800, + "response-transformer-advanced": 800, + "route-transformer-advanced": 780, + "kafka-upstream": 751, + "aws-lambda": 750, + "azure-functions": 749, + "upstream-timeout": 400, + "proxy-cache": 100, + "proxy-cache-advanced": 100, + "graphql-proxy-cache-advanced": 99, + "forward-proxy": 50, + "canary": 20, + "opentelemetry": 14, + "prometheus": 13, + "http-log": 12, + "statsd": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "kafka-log": 5, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "pre-function": 0, + "statsd-advanced": 0, + "post-function": 0, + "mocking": 0 +} \ No newline at end of file 
diff --git a/data/priorities/ee/3.3.x.json b/data/priorities/ee/3.3.x.json new file mode 100644 index 00000000..0f55b919 --- /dev/null +++ b/data/priorities/ee/3.3.x.json 
@@ -0,0 +1,77 @@ +{ + "app-dynamics": 999999, + "correlation-id": 100001, + "zipkin": 100000, + "exit-transformer": 9999, + "bot-detection": 2500, + "cors": 2000, + "jwe-decrypt": 1999, + "session": 1900, + "acme": 1705, + "oauth2-introspection": 1700, + "mtls-auth": 1600, + "degraphql": 1500, + "jwt": 1450, + "oauth2": 1400, + "vault-auth": 1350, + "key-auth": 1250, + "key-auth-enc": 1250, + "ldap-auth-advanced": 1200, + "ldap-auth": 1200, + "basic-auth": 1100, + "openid-connect": 1050, + "hmac-auth": 1030, + "jwt-signer": 1020, + "xml-threat-protection": 999, + "request-validator": 999, + "websocket-validator": 999, + "websocket-size-limit": 999, + "grpc-gateway": 998, + "tls-handshake-modifier": 997, + "tls-metadata-headers": 996, + "application-registration": 995, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "konnect-application-auth": 950, + "opa": 920, + "rate-limiting": 910, + "rate-limiting-advanced": 910, + "graphql-rate-limiting-advanced": 902, + "saml": 900, + "response-ratelimiting": 900, + "route-by-header": 850, + "oas-validation": 850, + "jq": 811, + "request-transformer-advanced": 802, + "request-transformer": 801, + "response-transformer": 800, + "response-transformer-advanced": 800, + "route-transformer-advanced": 780, + "kafka-upstream": 751, + "aws-lambda": 750, + "azure-functions": 749, + "upstream-timeout": 400, + "proxy-cache": 100, + "proxy-cache-advanced": 100, + "graphql-proxy-cache-advanced": 99, + "forward-proxy": 50, + "canary": 20, + "opentelemetry": 14, + "prometheus": 13, + "http-log": 12, + "statsd": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "kafka-log": 5, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "pre-function": 0, + "statsd-advanced": 0, + "post-function": 0, + "mocking": 0 +} \ No newline at end of file diff --git a/data/priorities/ee/3.4.x.json b/data/priorities/ee/3.4.x.json new file mode 100644 index 00000000..df136588 --- /dev/null 
+++ b/data/priorities/ee/3.4.x.json @@ -0,0 +1,77 @@ +{ + "app-dynamics": 999999, + "correlation-id": 100001, + "zipkin": 100000, + "exit-transformer": 9999, + "bot-detection": 2500, + "cors": 2000, + "jwe-decrypt": 1999, + "session": 1900, + "acme": 1705, + "oauth2-introspection": 1700, + "mtls-auth": 1600, + "degraphql": 1500, + "jwt": 1450, + "oauth2": 1400, + "vault-auth": 1350, + "key-auth-enc": 1250, + "key-auth": 1250, + "ldap-auth-advanced": 1200, + "ldap-auth": 1200, + "basic-auth": 1100, + "openid-connect": 1050, + "hmac-auth": 1030, + "jwt-signer": 1020, + "saml": 1010, + "websocket-size-limit": 999, + "request-validator": 999, + "xml-threat-protection": 999, + "websocket-validator": 999, + "grpc-gateway": 998, + "tls-handshake-modifier": 997, + "tls-metadata-headers": 996, + "application-registration": 995, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "konnect-application-auth": 950, + "opa": 920, + "rate-limiting-advanced": 910, + "rate-limiting": 910, + "graphql-rate-limiting-advanced": 902, + "response-ratelimiting": 900, + "route-by-header": 850, + "oas-validation": 850, + "jq": 811, + "request-transformer-advanced": 802, + "request-transformer": 801, + "response-transformer": 800, + "response-transformer-advanced": 800, + "route-transformer-advanced": 780, + "kafka-upstream": 751, + "aws-lambda": 750, + "azure-functions": 749, + "upstream-timeout": 400, + "proxy-cache": 100, + "proxy-cache-advanced": 100, + "graphql-proxy-cache-advanced": 99, + "forward-proxy": 50, + "canary": 20, + "opentelemetry": 14, + "prometheus": 13, + "http-log": 12, + "statsd": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "kafka-log": 5, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "pre-function": 0, + "statsd-advanced": 0, + "post-function": 0, + "mocking": 0 +} \ No newline at end of file 
diff --git a/data/priorities/ee/3.5.x.json b/data/priorities/ee/3.5.x.json new file mode 100644 index 00000000..df136588 --- /dev/null +++ b/data/priorities/ee/3.5.x.json 
@@ -0,0 +1,77 @@ +{ + "app-dynamics": 999999, + "correlation-id": 100001, + "zipkin": 100000, + "exit-transformer": 9999, + "bot-detection": 2500, + "cors": 2000, + "jwe-decrypt": 1999, + "session": 1900, + "acme": 1705, + "oauth2-introspection": 1700, + "mtls-auth": 1600, + "degraphql": 1500, + "jwt": 1450, + "oauth2": 1400, + "vault-auth": 1350, + "key-auth-enc": 1250, + "key-auth": 1250, + "ldap-auth-advanced": 1200, + "ldap-auth": 1200, + "basic-auth": 1100, + "openid-connect": 1050, + "hmac-auth": 1030, + "jwt-signer": 1020, + "saml": 1010, + "websocket-size-limit": 999, + "request-validator": 999, + "xml-threat-protection": 999, + "websocket-validator": 999, + "grpc-gateway": 998, + "tls-handshake-modifier": 997, + "tls-metadata-headers": 996, + "application-registration": 995, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "konnect-application-auth": 950, + "opa": 920, + "rate-limiting-advanced": 910, + "rate-limiting": 910, + "graphql-rate-limiting-advanced": 902, + "response-ratelimiting": 900, + "route-by-header": 850, + "oas-validation": 850, + "jq": 811, + "request-transformer-advanced": 802, + "request-transformer": 801, + "response-transformer": 800, + "response-transformer-advanced": 800, + "route-transformer-advanced": 780, + "kafka-upstream": 751, + "aws-lambda": 750, + "azure-functions": 749, + "upstream-timeout": 400, + "proxy-cache": 100, + "proxy-cache-advanced": 100, + "graphql-proxy-cache-advanced": 99, + "forward-proxy": 50, + "canary": 20, + "opentelemetry": 14, + "prometheus": 13, + "http-log": 12, + "statsd": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "kafka-log": 5, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "pre-function": 0, + "statsd-advanced": 0, + "post-function": 0, + "mocking": 0 +} \ No newline at end of file diff --git a/data/priorities/ee/3.6.x.json b/data/priorities/ee/3.6.x.json new file mode 100644 index 00000000..11ee160a --- /dev/null 
+++ b/data/priorities/ee/3.6.x.json 
@@ -0,0 +1,83 @@ +{ + "app-dynamics": 999999, + "correlation-id": 100001, + "zipkin": 100000, + "exit-transformer": 9999, + "bot-detection": 2500, + "cors": 2000, + "jwe-decrypt": 1999, + "session": 1900, + "acme": 1705, + "oauth2-introspection": 1700, + "mtls-auth": 1600, + "degraphql": 1500, + "jwt": 1450, + "oauth2": 1400, + "vault-auth": 1350, + "key-auth": 1250, + "key-auth-enc": 1250, + "ldap-auth": 1200, + "ldap-auth-advanced": 1200, + "basic-auth": 1100, + "openid-connect": 1050, + "hmac-auth": 1030, + "jwt-signer": 1020, + "saml": 1010, + "request-validator": 999, + "websocket-size-limit": 999, + "websocket-validator": 999, + "xml-threat-protection": 999, + "grpc-gateway": 998, + "tls-handshake-modifier": 997, + "tls-metadata-headers": 996, + "application-registration": 995, + "ip-restriction": 990, + "request-size-limiting": 951, + "konnect-application-auth": 950, + "acl": 950, + "opa": 920, + "rate-limiting": 910, + "rate-limiting-advanced": 910, + "graphql-rate-limiting-advanced": 902, + "response-ratelimiting": 900, + "route-by-header": 850, + "oas-validation": 850, + "jq": 811, + "request-transformer-advanced": 802, + "request-transformer": 801, + "response-transformer": 800, + "response-transformer-advanced": 800, + "route-transformer-advanced": 780, + "ai-request-transformer": 777, + "ai-prompt-template": 773, + "ai-prompt-decorator": 772, + "ai-prompt-guard": 771, + "ai-proxy": 770, + "ai-response-transformer": 769, + "kafka-upstream": 751, + "aws-lambda": 750, + "azure-functions": 749, + "upstream-timeout": 400, + "proxy-cache-advanced": 100, + "proxy-cache": 100, + "graphql-proxy-cache-advanced": 99, + "forward-proxy": 50, + "canary": 20, + "opentelemetry": 14, + "prometheus": 13, + "http-log": 12, + "statsd": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "kafka-log": 5, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "statsd-advanced": 0, + "mocking": 0, + "post-function": 0, + 
"pre-function": 0 +} \ No newline at end of file diff --git a/data/priorities/oss/2.6.x.json b/data/priorities/oss/2.6.x.json new file mode 100644 index 00000000..8d0a75f8 --- /dev/null +++ b/data/priorities/oss/2.6.x.json @@ -0,0 +1,35 @@ +{ + "bot-detection": 2500, + "cors": 2000, + "session": 1900, + "acme": 1007, + "jwt": 1005, + "oauth2": 1004, + "key-auth": 1003, + "ldap-auth": 1002, + "basic-auth": 1001, + "hmac-auth": 1000, + "grpc-gateway": 998, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "rate-limiting": 901, + "response-ratelimiting": 900, + "response-transformer": 800, + "aws-lambda": 750, + "proxy-cache": 100, + "prometheus": 13, + "http-log": 12, + "statsd": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "correlation-id": 1, + "pre-function": 0, + "post-function": 0 +} \ No newline at end of file diff --git a/data/priorities/oss/2.7.x.json b/data/priorities/oss/2.7.x.json new file mode 100644 index 00000000..ac751a10 --- /dev/null +++ b/data/priorities/oss/2.7.x.json @@ -0,0 +1,38 @@ +{ + "zipkin": 100000, + "bot-detection": 2500, + "cors": 2000, + "session": 1900, + "acme": 1007, + "jwt": 1005, + "oauth2": 1004, + "key-auth": 1003, + "ldap-auth": 1002, + "basic-auth": 1001, + "hmac-auth": 1000, + "grpc-gateway": 998, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "rate-limiting": 901, + "response-ratelimiting": 900, + "request-transformer": 801, + "response-transformer": 800, + "aws-lambda": 750, + "azure-functions": 749, + "proxy-cache": 100, + "prometheus": 13, + "http-log": 12, + "statsd": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "correlation-id": 1, + "post-function": 0, + "pre-function": 0 +} \ No newline at end of file 
diff --git a/data/priorities/oss/2.8.x.json b/data/priorities/oss/2.8.x.json new file mode 100644 index 00000000..ac751a10 --- /dev/null +++ b/data/priorities/oss/2.8.x.json @@ -0,0 +1,38 @@ +{ + "zipkin": 100000, + "bot-detection": 2500, + "cors": 2000, + "session": 1900, + "acme": 1007, + "jwt": 1005, + "oauth2": 1004, + "key-auth": 1003, + "ldap-auth": 1002, + "basic-auth": 1001, + "hmac-auth": 1000, + "grpc-gateway": 998, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "rate-limiting": 901, + "response-ratelimiting": 900, + "request-transformer": 801, + "response-transformer": 800, + "aws-lambda": 750, + "azure-functions": 749, + "proxy-cache": 100, + "prometheus": 13, + "http-log": 12, + "statsd": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "correlation-id": 1, + "post-function": 0, + "pre-function": 0 +} \ No newline at end of file diff --git a/data/priorities/oss/3.0.x.json b/data/priorities/oss/3.0.x.json new file mode 100644 index 00000000..9e8e0d8e --- /dev/null +++ b/data/priorities/oss/3.0.x.json @@ -0,0 +1,39 @@ +{ + "zipkin": 100000, + "bot-detection": 2500, + "cors": 2000, + "session": 1900, + "acme": 1705, + "jwt": 1450, + "oauth2": 1400, + "key-auth": 1250, + "ldap-auth": 1200, + "basic-auth": 1100, + "hmac-auth": 1030, + "grpc-gateway": 998, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "rate-limiting": 910, + "response-ratelimiting": 900, + "request-transformer": 801, + "response-transformer": 800, + "aws-lambda": 750, + "azure-functions": 749, + "proxy-cache": 100, + "opentelemetry": 14, + "prometheus": 13, + "http-log": 12, + "statsd": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "correlation-id": 1, + "post-function": 0, + "pre-function": 0 +} \ No newline at end of file 
diff --git a/data/priorities/oss/3.1.x.json b/data/priorities/oss/3.1.x.json new file mode 100644 index 00000000..9e8e0d8e --- /dev/null +++ b/data/priorities/oss/3.1.x.json @@ -0,0 +1,39 @@ +{ + "zipkin": 100000, + "bot-detection": 2500, + "cors": 2000, + "session": 1900, + "acme": 1705, + "jwt": 1450, + "oauth2": 1400, + "key-auth": 1250, + "ldap-auth": 1200, + "basic-auth": 1100, + "hmac-auth": 1030, + "grpc-gateway": 998, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "rate-limiting": 910, + "response-ratelimiting": 900, + "request-transformer": 801, + "response-transformer": 800, + "aws-lambda": 750, + "azure-functions": 749, + "proxy-cache": 100, + "opentelemetry": 14, + "prometheus": 13, + "http-log": 12, + "statsd": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "correlation-id": 1, + "post-function": 0, + "pre-function": 0 +} \ No newline at end of file diff --git a/data/priorities/oss/3.2.x.json b/data/priorities/oss/3.2.x.json new file mode 100644 index 00000000..9e8e0d8e --- /dev/null +++ b/data/priorities/oss/3.2.x.json 
@@ -0,0 +1,39 @@
+{
+ "zipkin": 100000,
+ "bot-detection": 2500,
+ "cors": 2000,
+ "session": 1900,
+ "acme": 1705,
+ "jwt": 1450,
+ "oauth2": 1400,
+ "key-auth": 1250,
+ "ldap-auth": 1200,
+ "basic-auth": 1100,
+ "hmac-auth": 1030,
+ "grpc-gateway": 998,
+ "ip-restriction": 990,
+ "request-size-limiting": 951,
+ "acl": 950,
+ "rate-limiting": 910,
+ "response-ratelimiting": 900,
+ "request-transformer": 801,
+ "response-transformer": 800,
+ "aws-lambda": 750,
+ "azure-functions": 749,
+ "proxy-cache": 100,
+ "opentelemetry": 14,
+ "prometheus": 13,
+ "http-log": 12,
+ "statsd": 11,
+ "datadog": 10,
+ "file-log": 9,
+ "udp-log": 8,
+ "tcp-log": 7,
+ "loggly": 6,
+ "syslog": 4,
+ "grpc-web": 3,
+ "request-termination": 2,
+ "correlation-id": 1,
+ "post-function": 0,
+ "pre-function": 0
+}
\ No newline at end of file
diff --git a/data/priorities/oss/3.3.x.json b/data/priorities/oss/3.3.x.json
new file mode 100644
index 00000000..9e8e0d8e
--- /dev/null
+++ b/data/priorities/oss/3.3.x.json
@@ -0,0 +1,39 @@
+{
+ "zipkin": 100000,
+ "bot-detection": 2500,
+ "cors": 2000,
+ "session": 1900,
+ "acme": 1705,
+ "jwt": 1450,
+ "oauth2": 1400,
+ "key-auth": 1250,
+ "ldap-auth": 1200,
+ "basic-auth": 1100,
+ "hmac-auth": 1030,
+ "grpc-gateway": 998,
+ "ip-restriction": 990,
+ "request-size-limiting": 951,
+ "acl": 950,
+ "rate-limiting": 910,
+ "response-ratelimiting": 900,
+ "request-transformer": 801,
+ "response-transformer": 800,
+ "aws-lambda": 750,
+ "azure-functions": 749,
+ "proxy-cache": 100,
+ "opentelemetry": 14,
+ "prometheus": 13,
+ "http-log": 12,
+ "statsd": 11,
+ "datadog": 10,
+ "file-log": 9,
+ "udp-log": 8,
+ "tcp-log": 7,
+ "loggly": 6,
+ "syslog": 4,
+ "grpc-web": 3,
+ "request-termination": 2,
+ "correlation-id": 1,
+ "post-function": 0,
+ "pre-function": 0
+}
\ No newline at end of file
diff --git a/data/priorities/oss/3.4.x.json b/data/priorities/oss/3.4.x.json
new file mode 100644
index 00000000..9e8e0d8e
--- /dev/null
+++ b/data/priorities/oss/3.4.x.json
@@ -0,0 +1,39 @@
+{
+ "zipkin": 100000,
+ "bot-detection": 2500,
+ "cors": 2000,
+ "session": 1900,
+ "acme": 1705,
+ "jwt": 1450,
+ "oauth2": 1400,
+ "key-auth": 1250,
+ "ldap-auth": 1200,
+ "basic-auth": 1100,
+ "hmac-auth": 1030,
+ "grpc-gateway": 998,
+ "ip-restriction": 990,
+ "request-size-limiting": 951,
+ "acl": 950,
+ "rate-limiting": 910,
+ "response-ratelimiting": 900,
+ "request-transformer": 801,
+ "response-transformer": 800,
+ "aws-lambda": 750,
+ "azure-functions": 749,
+ "proxy-cache": 100,
+ "opentelemetry": 14,
+ "prometheus": 13,
+ "http-log": 12,
+ "statsd": 11,
+ "datadog": 10,
+ "file-log": 9,
+ "udp-log": 8,
+ "tcp-log": 7,
+ "loggly": 6,
+ "syslog": 4,
+ "grpc-web": 3,
+ "request-termination": 2,
+ "correlation-id": 1,
+ "post-function": 0,
+ "pre-function": 0
+}
\ No newline at end of file
diff --git a/data/priorities/oss/3.5.x.json b/data/priorities/oss/3.5.x.json
new file mode 100644
index 00000000..9e8e0d8e
--- /dev/null
+++ b/data/priorities/oss/3.5.x.json
@@ -0,0 +1,39 @@
+{
+ "zipkin": 100000,
+ "bot-detection": 2500,
+ "cors": 2000,
+ "session": 1900,
+ "acme": 1705,
+ "jwt": 1450,
+ "oauth2": 1400,
+ "key-auth": 1250,
+ "ldap-auth": 1200,
+ "basic-auth": 1100,
+ "hmac-auth": 1030,
+ "grpc-gateway": 998,
+ "ip-restriction": 990,
+ "request-size-limiting": 951,
+ "acl": 950,
+ "rate-limiting": 910,
+ "response-ratelimiting": 900,
+ "request-transformer": 801,
+ "response-transformer": 800,
+ "aws-lambda": 750,
+ "azure-functions": 749,
+ "proxy-cache": 100,
+ "opentelemetry": 14,
+ "prometheus": 13,
+ "http-log": 12,
+ "statsd": 11,
+ "datadog": 10,
+ "file-log": 9,
+ "udp-log": 8,
+ "tcp-log": 7,
+ "loggly": 6,
+ "syslog": 4,
+ "grpc-web": 3,
+ "request-termination": 2,
+ "correlation-id": 1,
+ "post-function": 0,
+ "pre-function": 0
+}
\ No newline at end of file
diff --git a/data/priorities/oss/3.6.x.json b/data/priorities/oss/3.6.x.json
new file mode 100644
index 00000000..0255b50b
--- /dev/null
+++ b/data/priorities/oss/3.6.x.json
@@ -0,0 +1,45 @@
+{
+ "zipkin": 100000,
+ "bot-detection": 2500,
+ "cors": 2000,
+ "session": 1900,
+ "acme": 1705,
+ "jwt": 1450,
+ "oauth2": 1400,
+ "key-auth": 1250,
+ "ldap-auth": 1200,
+ "basic-auth": 1100,
+ "hmac-auth": 1030,
+ "grpc-gateway": 998,
+ "ip-restriction": 990,
+ "request-size-limiting": 951,
+ "acl": 950,
+ "rate-limiting": 910,
+ "response-ratelimiting": 900,
+ "request-transformer": 801,
+ "response-transformer": 800,
+ "ai-request-transformer": 777,
+ "ai-prompt-template": 773,
+ "ai-prompt-decorator": 772,
+ "ai-prompt-guard": 771,
+ "ai-proxy": 770,
+ "ai-response-transformer": 769,
+ "aws-lambda": 750,
+ "azure-functions": 749,
+ "proxy-cache": 100,
+ "opentelemetry": 14,
+ "prometheus": 13,
+ "http-log": 12,
+ "statsd": 11,
+ "datadog": 10,
+ "file-log": 9,
+ "udp-log": 8,
+ "tcp-log": 7,
+ "loggly": 6,
+ "syslog": 4,
+ "grpc-web": 3,
+ "request-termination": 2,
+ "correlation-id": 1,
+ "pre-function": 0,
+ "post-function": 0
+}
From 6e8b5b6e2186d02320904842a29e280e26f4ab58 Mon Sep 17 00:00:00 2001
From: Fabian Rodriguez Date: Wed, 31 Jan 2024 13:17:48 +0100 Subject: [PATCH 028/165] Fix priorities
---
data/priorities/ee/2.6.x.json | 14 +++++++------- data/priorities/ee/2.7.x.json | 28 ++++++++++++++-------------- data/priorities/ee/2.8.x.json | 28 ++++++++++++++-------------- data/priorities/ee/3.0.x.json | 14 +++++++------- data/priorities/ee/3.1.x.json | 21 ++++++++++----------- data/priorities/ee/3.2.x.json | 17 ++++++++--------- data/priorities/ee/3.3.x.json | 13 ++++++------- data/priorities/ee/3.4.x.json | 17 ++++++++--------- data/priorities/ee/3.5.x.json | 19 +++++++++---------- data/priorities/ee/3.6.x.json | 23 ++++++++--------------- data/priorities/oss/2.6.x.json | 6 +++--- data/priorities/oss/2.7.x.json | 6 +++--- data/priorities/oss/2.8.x.json | 6 +++--- data/priorities/oss/3.0.x.json | 4 ++-- data/priorities/oss/3.1.x.json | 4 ++-- data/priorities/oss/3.2.x.json | 4 ++-- data/priorities/oss/3.3.x.json | 4 ++-- data/priorities/oss/3.4.x.json | 4 ++-- data/priorities/oss/3.5.x.json | 4 ++-- data/priorities/oss/3.6.x.json | 6 +++--- 20 files changed, 115 insertions(+), 127 deletions(-)
diff --git a/data/priorities/ee/2.6.x.json b/data/priorities/ee/2.6.x.json
index 70f75052..bf3c8d63 100644
--- a/data/priorities/ee/2.6.x.json
+++ b/data/priorities/ee/2.6.x.json
@@ -1,8 +1,8 @@
 {
- "correlation-id": 100001,
+ "pre-function": 1000000,
 "bot-detection": 2500,
- "cors": 2000,
 "route-by-header": 2000,
+ "cors": 2000,
 "session": 1900,
 "oauth2-introspection": 1700,
 "acme": 1007,
@@ -20,8 +20,8 @@
 "rate-limiting": 901,
 "response-ratelimiting": 900,
 "request-transformer-advanced": 802,
- "response-transformer-advanced": 800,
 "response-transformer": 800,
+ "response-transformer-advanced": 800,
 "aws-lambda": 750,
 "proxy-cache": 100,
 "proxy-cache-advanced": 100,
@@ -29,8 +29,8 @@
 "canary": 13,
 "prometheus": 13,
 "http-log": 12,
- "statsd": 11,
 "statsd-advanced": 11,
+ "statsd": 11,
 "datadog": 10,
 "file-log": 9,
 "udp-log": 8,
@@ -39,6 +39,6 @@
 "syslog": 4,
 "grpc-web": 3,
 "request-termination": 2,
- "pre-function": 0,
- "post-function": 0
-}
\ No newline at end of file
+ "correlation-id": 1,
+ "post-function": -1000
+}
diff --git a/data/priorities/ee/2.7.x.json b/data/priorities/ee/2.7.x.json
index c1597b0f..6c03c832 100644
--- a/data/priorities/ee/2.7.x.json
+++ b/data/priorities/ee/2.7.x.json
@@ -1,5 +1,5 @@
 {
- "correlation-id": 100001,
+ "pre-function": 1000000,
 "zipkin": 100000,
 "exit-transformer": 9999,
 "bot-detection": 2500,
@@ -9,19 +9,19 @@
 "oauth2-introspection": 1700,
 "acme": 1007,
 "mtls-auth": 1006,
- "jwt": 1005,
 "degraphql": 1005,
+ "jwt": 1005,
 "oauth2": 1004,
- "key-auth": 1003,
- "vault-auth": 1003,
 "key-auth-enc": 1003,
- "ldap-auth": 1002,
+ "vault-auth": 1003,
+ "key-auth": 1003,
 "ldap-auth-advanced": 1002,
+ "ldap-auth": 1002,
 "basic-auth": 1001,
- "hmac-auth": 1000,
 "openid-connect": 1000,
- "request-validator": 999,
+ "hmac-auth": 1000,
 "jwt-signer": 999,
+ "request-validator": 999,
 "grpc-gateway": 998,
 "application-registration": 995,
 "ip-restriction": 990,
@@ -35,16 +35,16 @@
 "jq": 811,
 "request-transformer-advanced": 802,
 "request-transformer": 801,
- "response-transformer-advanced": 800,
 "response-transformer": 800,
+ "response-transformer-advanced": 800,
 "route-transformer-advanced": 800,
 "kafka-upstream": 751,
 "aws-lambda": 750,
 "azure-functions": 749,
 "upstream-timeout": 400,
- "graphql-proxy-cache-advanced": 100,
- "proxy-cache-advanced": 100,
 "proxy-cache": 100,
+ "proxy-cache-advanced": 100,
+ "graphql-proxy-cache-advanced": 100,
 "forward-proxy": 50,
 "canary": 13,
 "prometheus": 13,
@@ -60,7 +60,7 @@
 "syslog": 4,
 "grpc-web": 3,
 "request-termination": 2,
- "mocking": 0,
- "post-function": 0,
- "pre-function": 0
-}
\ No newline at end of file
+ "correlation-id": 1,
+ "mocking": -1,
+ "post-function": -1000
+}
diff --git a/data/priorities/ee/2.8.x.json b/data/priorities/ee/2.8.x.json
index c1597b0f..6c03c832 100644
--- a/data/priorities/ee/2.8.x.json
+++ b/data/priorities/ee/2.8.x.json
@@ -1,5 +1,5 @@
 {
- "correlation-id": 100001,
+ "pre-function": 1000000,
 "zipkin": 100000,
 "exit-transformer": 9999,
 "bot-detection": 2500,
@@ -9,19 +9,19 @@
 "oauth2-introspection": 1700,
 "acme": 1007,
 "mtls-auth": 1006,
- "jwt": 1005,
 "degraphql": 1005,
+ "jwt": 1005,
 "oauth2": 1004,
- "key-auth": 1003,
- "vault-auth": 1003,
 "key-auth-enc": 1003,
- "ldap-auth": 1002,
+ "vault-auth": 1003,
+ "key-auth": 1003,
 "ldap-auth-advanced": 1002,
+ "ldap-auth": 1002,
 "basic-auth": 1001,
- "hmac-auth": 1000,
 "openid-connect": 1000,
- "request-validator": 999,
+ "hmac-auth": 1000,
 "jwt-signer": 999,
+ "request-validator": 999,
 "grpc-gateway": 998,
 "application-registration": 995,
 "ip-restriction": 990,
@@ -35,16 +35,16 @@
 "jq": 811,
 "request-transformer-advanced": 802,
 "request-transformer": 801,
- "response-transformer-advanced": 800,
 "response-transformer": 800,
+ "response-transformer-advanced": 800,
 "route-transformer-advanced": 800,
 "kafka-upstream": 751,
 "aws-lambda": 750,
 "azure-functions": 749,
 "upstream-timeout": 400,
- "graphql-proxy-cache-advanced": 100,
- "proxy-cache-advanced": 100,
 "proxy-cache": 100,
+ "proxy-cache-advanced": 100,
+ "graphql-proxy-cache-advanced": 100,
 "forward-proxy": 50,
 "canary": 13,
 "prometheus": 13,
@@ -60,7 +60,7 @@
 "syslog": 4,
 "grpc-web": 3,
 "request-termination": 2,
- "mocking": 0,
- "post-function": 0,
- "pre-function": 0
-}
\ No newline at end of file
+ "correlation-id": 1,
+ "mocking": -1,
+ "post-function": -1000
+}
diff --git a/data/priorities/ee/3.0.x.json b/data/priorities/ee/3.0.x.json
index f570fed2..956dd862 100644
--- a/data/priorities/ee/3.0.x.json
+++ b/data/priorities/ee/3.0.x.json
@@ -1,4 +1,5 @@
 {
+ "pre-function": 1000000,
 "correlation-id": 100001,
 "zipkin": 100000,
 "exit-transformer": 9999,
@@ -12,10 +13,10 @@
 "jwt": 1450,
 "oauth2": 1400,
 "vault-auth": 1350,
- "key-auth-enc": 1250,
 "key-auth": 1250,
- "ldap-auth": 1200,
+ "key-auth-enc": 1250,
 "ldap-auth-advanced": 1200,
+ "ldap-auth": 1200,
 "basic-auth": 1100,
 "openid-connect": 1050,
 "hmac-auth": 1030,
@@ -29,8 +30,8 @@
 "application-registration": 995,
 "ip-restriction": 990,
 "request-size-limiting": 951,
- "acl": 950,
 "konnect-application-auth": 950,
+ "acl": 950,
 "opa": 920,
 "rate-limiting": 910,
 "rate-limiting-advanced": 910,
@@ -56,6 +57,7 @@
 "prometheus": 13,
 "http-log": 12,
 "statsd": 11,
+ "statsd-advanced": 11,
 "datadog": 10,
 "file-log": 9,
 "udp-log": 8,
@@ -65,8 +67,6 @@
 "syslog": 4,
 "grpc-web": 3,
 "request-termination": 2,
- "mocking": 0,
- "statsd-advanced": 0,
- "pre-function": 0,
- "post-function": 0
+ "mocking": -1,
+ "post-function": -1000
 }
\ No newline at end of file
diff --git a/data/priorities/ee/3.1.x.json b/data/priorities/ee/3.1.x.json
index 0f55b919..13b12e68 100644
--- a/data/priorities/ee/3.1.x.json
+++ b/data/priorities/ee/3.1.x.json
@@ -1,5 +1,5 @@
 {
- "app-dynamics": 999999,
+ "pre-function": 1000000,
 "correlation-id": 100001,
 "zipkin": 100000,
 "exit-transformer": 9999,
@@ -16,37 +16,37 @@
 "vault-auth": 1350,
 "key-auth": 1250,
 "key-auth-enc": 1250,
- "ldap-auth-advanced": 1200,
 "ldap-auth": 1200,
+ "ldap-auth-advanced": 1200,
 "basic-auth": 1100,
 "openid-connect": 1050,
 "hmac-auth": 1030,
 "jwt-signer": 1020,
 "xml-threat-protection": 999,
 "request-validator": 999,
- "websocket-validator": 999,
 "websocket-size-limit": 999,
+ "websocket-validator": 999,
 "grpc-gateway": 998,
 "tls-handshake-modifier": 997,
 "tls-metadata-headers": 996,
 "application-registration": 995,
 "ip-restriction": 990,
 "request-size-limiting": 951,
- "acl": 950,
 "konnect-application-auth": 950,
+ "acl": 950,
 "opa": 920,
- "rate-limiting": 910,
 "rate-limiting-advanced": 910,
+ "rate-limiting": 910,
 "graphql-rate-limiting-advanced": 902,
 "saml": 900,
 "response-ratelimiting": 900,
- "route-by-header": 850,
 "oas-validation": 850,
+ "route-by-header": 850,
 "jq": 811,
 "request-transformer-advanced": 802,
 "request-transformer": 801,
- "response-transformer": 800,
 "response-transformer-advanced": 800,
+ "response-transformer": 800,
 "route-transformer-advanced": 780,
 "kafka-upstream": 751,
 "aws-lambda": 750,
@@ -61,6 +61,7 @@
 "prometheus": 13,
 "http-log": 12,
 "statsd": 11,
+ "statsd-advanced": 11,
 "datadog": 10,
 "file-log": 9,
 "udp-log": 8,
@@ -70,8 +71,6 @@
 "syslog": 4,
 "grpc-web": 3,
 "request-termination": 2,
- "pre-function": 0,
- "statsd-advanced": 0,
- "post-function": 0,
- "mocking": 0
+ "mocking": -1,
+ "post-function": -1000
 }
\ No newline at end of file
diff --git a/data/priorities/ee/3.2.x.json b/data/priorities/ee/3.2.x.json
index 0f55b919..892a222d 100644
--- a/data/priorities/ee/3.2.x.json
+++ b/data/priorities/ee/3.2.x.json
@@ -1,5 +1,5 @@
 {
- "app-dynamics": 999999,
+ "pre-function": 1000000,
 "correlation-id": 100001,
 "zipkin": 100000,
 "exit-transformer": 9999,
@@ -14,18 +14,18 @@
 "jwt": 1450,
 "oauth2": 1400,
 "vault-auth": 1350,
- "key-auth": 1250,
 "key-auth-enc": 1250,
+ "key-auth": 1250,
 "ldap-auth-advanced": 1200,
 "ldap-auth": 1200,
 "basic-auth": 1100,
 "openid-connect": 1050,
 "hmac-auth": 1030,
 "jwt-signer": 1020,
- "xml-threat-protection": 999,
- "request-validator": 999,
 "websocket-validator": 999,
+ "xml-threat-protection": 999,
 "websocket-size-limit": 999,
+ "request-validator": 999,
 "grpc-gateway": 998,
 "tls-handshake-modifier": 997,
 "tls-metadata-headers": 996,
@@ -52,14 +52,15 @@
 "aws-lambda": 750,
 "azure-functions": 749,
 "upstream-timeout": 400,
- "proxy-cache": 100,
 "proxy-cache-advanced": 100,
+ "proxy-cache": 100,
 "graphql-proxy-cache-advanced": 99,
 "forward-proxy": 50,
 "canary": 20,
 "opentelemetry": 14,
 "prometheus": 13,
 "http-log": 12,
+ "statsd-advanced": 11,
 "statsd": 11,
 "datadog": 10,
 "file-log": 9,
@@ -70,8 +71,6 @@
 "syslog": 4,
 "grpc-web": 3,
 "request-termination": 2,
- "pre-function": 0,
- "statsd-advanced": 0,
- "post-function": 0,
- "mocking": 0
+ "mocking": -1,
+ "post-function": -1000
 }
\ No newline at end of file
diff --git a/data/priorities/ee/3.3.x.json b/data/priorities/ee/3.3.x.json
index 0f55b919..5066c1f7 100644
--- a/data/priorities/ee/3.3.x.json
+++ b/data/priorities/ee/3.3.x.json
@@ -1,5 +1,5 @@
 {
- "app-dynamics": 999999,
+ "pre-function": 1000000,
 "correlation-id": 100001,
 "zipkin": 100000,
 "exit-transformer": 9999,
@@ -22,9 +22,9 @@
 "openid-connect": 1050,
 "hmac-auth": 1030,
 "jwt-signer": 1020,
- "xml-threat-protection": 999,
 "request-validator": 999,
 "websocket-validator": 999,
+ "xml-threat-protection": 999,
 "websocket-size-limit": 999,
 "grpc-gateway": 998,
 "tls-handshake-modifier": 997,
@@ -32,8 +32,8 @@
 "application-registration": 995,
 "ip-restriction": 990,
 "request-size-limiting": 951,
- "acl": 950,
 "konnect-application-auth": 950,
+ "acl": 950,
 "opa": 920,
 "rate-limiting": 910,
 "rate-limiting-advanced": 910,
@@ -61,6 +61,7 @@
 "prometheus": 13,
 "http-log": 12,
 "statsd": 11,
+ "statsd-advanced": 11,
 "datadog": 10,
 "file-log": 9,
 "udp-log": 8,
@@ -70,8 +71,6 @@
 "syslog": 4,
 "grpc-web": 3,
 "request-termination": 2,
- "pre-function": 0,
- "statsd-advanced": 0,
- "post-function": 0,
- "mocking": 0
+ "mocking": -1,
+ "post-function": -1000
 }
\ No newline at end of file
diff --git a/data/priorities/ee/3.4.x.json b/data/priorities/ee/3.4.x.json
index df136588..d6a6e5b0 100644
--- a/data/priorities/ee/3.4.x.json
+++ b/data/priorities/ee/3.4.x.json
@@ -1,5 +1,5 @@
 {
- "app-dynamics": 999999,
+ "pre-function": 1000000,
 "correlation-id": 100001,
 "zipkin": 100000,
 "exit-transformer": 9999,
@@ -24,9 +24,9 @@
 "jwt-signer": 1020,
 "saml": 1010,
 "websocket-size-limit": 999,
- "request-validator": 999,
- "xml-threat-protection": 999,
 "websocket-validator": 999,
+ "xml-threat-protection": 999,
+ "request-validator": 999,
 "grpc-gateway": 998,
 "tls-handshake-modifier": 997,
 "tls-metadata-headers": 996,
@@ -36,8 +36,8 @@
 "acl": 950,
 "konnect-application-auth": 950,
 "opa": 920,
- "rate-limiting-advanced": 910,
 "rate-limiting": 910,
+ "rate-limiting-advanced": 910,
 "graphql-rate-limiting-advanced": 902,
 "response-ratelimiting": 900,
 "route-by-header": 850,
@@ -61,6 +61,7 @@
 "prometheus": 13,
 "http-log": 12,
 "statsd": 11,
+ "statsd-advanced": 11,
 "datadog": 10,
 "file-log": 9,
 "udp-log": 8,
@@ -70,8 +71,6 @@
 "syslog": 4,
 "grpc-web": 3,
 "request-termination": 2,
- "pre-function": 0,
- "statsd-advanced": 0,
- "post-function": 0,
- "mocking": 0
-}
\ No newline at end of file
+ "mocking": -1,
+ "post-function": -1000
+}
diff --git a/data/priorities/ee/3.5.x.json b/data/priorities/ee/3.5.x.json
index df136588..f64d700a 100644
--- a/data/priorities/ee/3.5.x.json
+++ b/data/priorities/ee/3.5.x.json
@@ -1,5 +1,5 @@
 {
- "app-dynamics": 999999,
+ "pre-function": 1000000,
 "correlation-id": 100001,
 "zipkin": 100000,
 "exit-transformer": 9999,
@@ -16,25 +16,25 @@
 "vault-auth": 1350,
 "key-auth-enc": 1250,
 "key-auth": 1250,
- "ldap-auth-advanced": 1200,
 "ldap-auth": 1200,
+ "ldap-auth-advanced": 1200,
 "basic-auth": 1100,
 "openid-connect": 1050,
 "hmac-auth": 1030,
 "jwt-signer": 1020,
 "saml": 1010,
- "websocket-size-limit": 999,
- "request-validator": 999,
 "xml-threat-protection": 999,
+ "websocket-size-limit": 999,
 "websocket-validator": 999,
+ "request-validator": 999,
 "grpc-gateway": 998,
 "tls-handshake-modifier": 997,
 "tls-metadata-headers": 996,
 "application-registration": 995,
 "ip-restriction": 990,
 "request-size-limiting": 951,
- "acl": 950,
 "konnect-application-auth": 950,
+ "acl": 950,
 "opa": 920,
 "rate-limiting-advanced": 910,
 "rate-limiting": 910,
@@ -45,8 +45,8 @@
 "jq": 811,
 "request-transformer-advanced": 802,
 "request-transformer": 801,
- "response-transformer": 800,
 "response-transformer-advanced": 800,
+ "response-transformer": 800,
 "route-transformer-advanced": 780,
 "kafka-upstream": 751,
 "aws-lambda": 750,
@@ -60,6 +60,7 @@
 "opentelemetry": 14,
 "prometheus": 13,
 "http-log": 12,
+ "statsd-advanced": 11,
 "statsd": 11,
 "datadog": 10,
 "file-log": 9,
@@ -70,8 +71,6 @@
 "syslog": 4,
 "grpc-web": 3,
 "request-termination": 2,
- "pre-function": 0,
- "statsd-advanced": 0,
- "post-function": 0,
- "mocking": 0
+ "mocking": -1,
+ "post-function": -1000
 }
\ No newline at end of file
diff --git a/data/priorities/ee/3.6.x.json b/data/priorities/ee/3.6.x.json
index 11ee160a..81da5d63 100644
--- a/data/priorities/ee/3.6.x.json
+++ b/data/priorities/ee/3.6.x.json
@@ -1,5 +1,5 @@
 {
- "app-dynamics": 999999,
+ "pre-function": 1000000,
 "correlation-id": 100001,
 "zipkin": 100000,
 "exit-transformer": 9999,
@@ -22,11 +22,10 @@
 "openid-connect": 1050,
 "hmac-auth": 1030,
 "jwt-signer": 1020,
- "saml": 1010,
- "request-validator": 999,
 "websocket-size-limit": 999,
- "websocket-validator": 999,
+ "request-validator": 999,
 "xml-threat-protection": 999,
+ "websocket-validator": 999,
 "grpc-gateway": 998,
 "tls-handshake-modifier": 997,
 "tls-metadata-headers": 996,
@@ -36,10 +35,11 @@
 "konnect-application-auth": 950,
 "acl": 950,
 "opa": 920,
- "rate-limiting": 910,
 "rate-limiting-advanced": 910,
+ "rate-limiting": 910,
 "graphql-rate-limiting-advanced": 902,
 "response-ratelimiting": 900,
+ "saml": 900,
 "route-by-header": 850,
 "oas-validation": 850,
 "jq": 811,
@@ -48,12 +48,6 @@
 "response-transformer": 800,
 "response-transformer-advanced": 800,
 "route-transformer-advanced": 780,
- "ai-request-transformer": 777,
- "ai-prompt-template": 773,
- "ai-prompt-decorator": 772,
- "ai-prompt-guard": 771,
- "ai-proxy": 770,
- "ai-response-transformer": 769,
 "kafka-upstream": 751,
 "aws-lambda": 750,
 "azure-functions": 749,
@@ -66,6 +60,7 @@
 "opentelemetry": 14,
 "prometheus": 13,
 "http-log": 12,
+ "statsd-advanced": 11,
 "statsd": 11,
 "datadog": 10,
 "file-log": 9,
@@ -76,8 +71,6 @@
 "syslog": 4,
 "grpc-web": 3,
 "request-termination": 2,
- "statsd-advanced": 0,
- "mocking": 0,
- "post-function": 0,
- "pre-function": 0
+ "mocking": -1,
+ "post-function": -1000
 }
\ No newline at end of file
diff --git a/data/priorities/oss/2.6.x.json b/data/priorities/oss/2.6.x.json
index 8d0a75f8..fc638e1b 100644
--- a/data/priorities/oss/2.6.x.json
+++ b/data/priorities/oss/2.6.x.json
@@ -1,4 +1,5 @@
 {
+ "pre-function": 1000000,
 "bot-detection": 2500,
 "cors": 2000,
 "session": 1900,
@@ -30,6 +31,5 @@
 "grpc-web": 3,
 "request-termination": 2,
 "correlation-id": 1,
- "pre-function": 0,
- "post-function": 0
-}
\ No newline at end of file
+ "post-function": -1000
+}
diff --git a/data/priorities/oss/2.7.x.json b/data/priorities/oss/2.7.x.json
index ac751a10..96da224e 100644
--- a/data/priorities/oss/2.7.x.json
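Review bot: The `@@ -48,12 +48,6 @@` hunk of `data/priorities/ee/3.6.x.json` deletes all six `ai-*` entries (for example `"ai-prompt-guard": 771,`), while `data/priorities/oss/3.6.x.json` in this same series keeps them, so the Enterprise 3.6.x list ends up without plugins that the OSS list for the same release documents. The same file also moves `"saml"` from 1010 to 900 although the 3.4.x and 3.5.x hunks leave it at 1010, and every ee file from 3.1.x on loses `"app-dynamics": 999999` without a replacement entry. If these values came from a server that did not have those plugins loaded, they are probably an artefact of that instance rather than a real change. Restore the six `ai-*` lines at 777–769 if the removal was not intended, and confirm the `saml` and `app-dynamics` values against the release before anyone relies on this file to reason about plugin execution order.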
+++ b/data/priorities/oss/2.7.x.json
@@ -1,4 +1,5 @@
 {
+ "pre-function": 1000000,
 "zipkin": 100000,
 "bot-detection": 2500,
 "cors": 2000,
@@ -33,6 +34,5 @@
 "grpc-web": 3,
 "request-termination": 2,
 "correlation-id": 1,
- "post-function": 0,
- "pre-function": 0
-}
\ No newline at end of file
+ "post-function": -1000
+}
diff --git a/data/priorities/oss/2.8.x.json b/data/priorities/oss/2.8.x.json
index ac751a10..96da224e 100644
--- a/data/priorities/oss/2.8.x.json
+++ b/data/priorities/oss/2.8.x.json
@@ -1,4 +1,5 @@
 {
+ "pre-function": 1000000,
 "zipkin": 100000,
 "bot-detection": 2500,
 "cors": 2000,
@@ -33,6 +34,5 @@
 "grpc-web": 3,
 "request-termination": 2,
 "correlation-id": 1,
- "post-function": 0,
- "pre-function": 0
-}
\ No newline at end of file
+ "post-function": -1000
+}
diff --git a/data/priorities/oss/3.0.x.json b/data/priorities/oss/3.0.x.json
index 9e8e0d8e..273152dd 100644
--- a/data/priorities/oss/3.0.x.json
+++ b/data/priorities/oss/3.0.x.json
@@ -1,4 +1,5 @@
 {
+ "pre-function": 1000000,
 "zipkin": 100000,
 "bot-detection": 2500,
 "cors": 2000,
@@ -34,6 +35,5 @@
 "grpc-web": 3,
 "request-termination": 2,
 "correlation-id": 1,
- "post-function": 0,
- "pre-function": 0
+ "post-function": -1000
 }
\ No newline at end of file
diff --git a/data/priorities/oss/3.1.x.json b/data/priorities/oss/3.1.x.json
index 9e8e0d8e..273152dd 100644
--- a/data/priorities/oss/3.1.x.json
+++ b/data/priorities/oss/3.1.x.json
@@ -1,4 +1,5 @@
 {
+ "pre-function": 1000000,
 "zipkin": 100000,
 "bot-detection": 2500,
 "cors": 2000,
@@ -34,6 +35,5 @@
 "grpc-web": 3,
 "request-termination": 2,
 "correlation-id": 1,
- "post-function": 0,
- "pre-function": 0
+ "post-function": -1000
 }
\ No newline at end of file
diff --git a/data/priorities/oss/3.2.x.json b/data/priorities/oss/3.2.x.json
index 9e8e0d8e..273152dd 100644
--- a/data/priorities/oss/3.2.x.json
+++ b/data/priorities/oss/3.2.x.json
@@ -1,4 +1,5 @@
 {
+ "pre-function": 1000000,
 "zipkin": 100000,
 "bot-detection": 2500,
 "cors": 2000,
@@ -34,6 +35,5 @@
 "grpc-web": 3,
 "request-termination": 2,
 "correlation-id": 1,
- "post-function": 0,
- "pre-function": 0
+ "post-function": -1000
 }
\ No newline at end of file
diff --git a/data/priorities/oss/3.3.x.json b/data/priorities/oss/3.3.x.json
index 9e8e0d8e..273152dd 100644
--- a/data/priorities/oss/3.3.x.json
+++ b/data/priorities/oss/3.3.x.json
@@ -1,4 +1,5 @@
 {
+ "pre-function": 1000000,
 "zipkin": 100000,
 "bot-detection": 2500,
 "cors": 2000,
@@ -34,6 +35,5 @@
 "grpc-web": 3,
 "request-termination": 2,
 "correlation-id": 1,
- "post-function": 0,
- "pre-function": 0
+ "post-function": -1000
 }
\ No newline at end of file
diff --git a/data/priorities/oss/3.4.x.json b/data/priorities/oss/3.4.x.json
index 9e8e0d8e..273152dd 100644
--- a/data/priorities/oss/3.4.x.json
+++ b/data/priorities/oss/3.4.x.json
@@ -1,4 +1,5 @@
 {
+ "pre-function": 1000000,
 "zipkin": 100000,
 "bot-detection": 2500,
 "cors": 2000,
@@ -34,6 +35,5 @@
 "grpc-web": 3,
 "request-termination": 2,
 "correlation-id": 1,
- "post-function": 0,
- "pre-function": 0
+ "post-function": -1000
 }
\ No newline at end of file
diff --git a/data/priorities/oss/3.5.x.json b/data/priorities/oss/3.5.x.json
index 9e8e0d8e..273152dd 100644
--- a/data/priorities/oss/3.5.x.json
+++ b/data/priorities/oss/3.5.x.json
@@ -1,4 +1,5 @@
 {
+ "pre-function": 1000000,
 "zipkin": 100000,
 "bot-detection": 2500,
 "cors": 2000,
@@ -34,6 +35,5 @@
 "grpc-web": 3,
 "request-termination": 2,
 "correlation-id": 1,
- "post-function": 0,
- "pre-function": 0
+ "post-function": -1000
 }
\ No newline at end of file
diff --git a/data/priorities/oss/3.6.x.json b/data/priorities/oss/3.6.x.json
index 0255b50b..f1d4cd82 100644
--- a/data/priorities/oss/3.6.x.json
+++ b/data/priorities/oss/3.6.x.json
@@ -1,4 +1,5 @@
 {
+ "pre-function": 1000000,
 "zipkin": 100000,
 "bot-detection": 2500,
 "cors": 2000,
@@ -40,6 +41,5 @@ "grpc-web": 3, "request-termination": 2, "correlation-id": 1, - "pre-function": 0, - "post-function": 0 -} + "post-function": -1000 +} \ No newline at end of file From a94ed063deecc78ae61971d77b539da49ef9f6a9 Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Wed, 31 Jan 2024 13:18:54 +0100 Subject: [PATCH 029/165] Use the API to retrieve the plugins' priorities Versions 3.x and up include the plugins' priorities in the API response --- README.md | 5 ++-- lib/plugin_priorities.rb | 60 ++++++++++++++++------------------------ plugins | 1 - 3 files changed, 26 insertions(+), 40 deletions(-) diff --git a/README.md b/README.md index a28964d9..b51f6120 100644 --- a/README.md +++ b/README.md @@ -104,14 +104,13 @@ generates a file `./data/referenceable_fields/3.4.x.json` containing a list of p | `host` | Name of the host in which the API is running. Default: `localhost`. | | `port` | Port in which the API is listening. Default: `8001`. | | `type` | Whether the API is running the `Enterprise` or `OSS` edition. Enum: `oss` or `ee`. | -| `source` | Path to the kong's source code (ee or oss). | | `destination` | Path to the root folder in which the file will be stored. Default: `./data` | For example, running: ```bash -./plugins generate_plugin_priorities --type ee --version 3.4.x --plugins $(ls ./schemas) --source ../kong-ee +./plugins generate_plugin_priorities --type=ee --version 3.4.x --plugins $(ls ./schemas) ``` -generates a file `./data/ee/priorities/3.4.x.json` containing a list of plugins and their corresponded priorities order by priority (desc). +generates a file `./data/priorities/ee/3.4.x.json` containing a list of plugins and their corresponded priorities order by priority (desc). ## Updating the repo after a new release diff --git a/lib/plugin_priorities.rb b/lib/plugin_priorities.rb index 6df4eba6..1dc191e4 100644 --- a/lib/plugin_priorities.rb +++ b/lib/plugin_priorities.rb 
@@ -10,40 +10,42 @@ def self.run!(plugins:, options:) def initialize(plugins:, options:) @plugins = plugins @options = options - @priorities = {} + @client = API::Client.new(host: @options[:host], port: @options[:port]) end def run! create_folders - fetch_priorities - order_priorities - process_priorities + + @res = @client.root + + process_response end private - def fetch_priorities - @plugins.each do |plugin| - handler = handler_file_path(plugin) - next unless handler + def process_response + if success? + @response = JSON.parse(@res.body) - priority = File.read(handler)[/PRIORITY\s=\s(\d+)(,|\s*\n)/, 1].to_i - @priorities[plugin] = priority - end - end + if @options['verbose'] + puts 'Plugins ordered by priority' + puts JSON.pretty_generate(priorities) + else + puts "#{success? ? '✅' : '❌'}" + end - def process_priorities - if @options['verbose'] - puts 'Plugins ordered by priority' - puts JSON.pretty_generate(@priorities) + write_to_file(priorities) end + end - write_to_file(@priorities) + def success? + @res && @res.code == '200' end - def order_priorities - @priorities = @priorities - .select { |k, v| !v.nil? } + def priorities + @priorities ||= @response + .dig('plugins', 'available_on_server') + .each_with_object({}) { |(k, v), hash| hash[k] = v['priority'] } .sort_by { |k, v| -v } .to_h end 
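Review bot: In `process_response` a missing or non-200 response falls through with no output and no error, so the caller still prints `Done!` and an outdated priorities file stays in place; the `'❌'` arm of `puts "#{success? ? '✅' : '❌'}"` can never run because it sits inside `if success?`. Give the outer `if` a failure branch, for example `else abort "Admin API request failed: #{@res&.code.inspect}"`. Separately, `priorities` dropped the nil filter the old `order_priorities` had, so `.sort_by { |k, v| -v }` raises when an entry carries no `priority` (the commit message implies servers older than 3.x do not return one); add `.select { |_, v| v.is_a?(Hash) && v['priority'] }` before `each_with_object`. The class body continues outside this hunk.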
@@ -57,21 +59,7 @@ def file_path end def create_folders - FileUtils.mkdir_p("#{@options[:destination]}/priorities/ee/") - FileUtils.mkdir_p("#{@options[:destination]}/priorities/oss/") - end - - def handler_file_path(plugin) - path = if @options[:type] == 'oss' - "#{@options[:source]}/kong/plugins/#{plugin}/handler.lua" - else - ee = "#{@options[:source]}/plugins-ee/#{plugin}/kong/plugins/#{plugin}/handler.lua" - File.exist?(ee) ? ee : "#{@options[:source]}/kong/plugins/#{plugin}/handler.lua" - end - if File.exist?(path) - path - else - puts "Plugin #{plugin} handler.lua can't be found" - end + FileUtils.mkdir_p("#{@options[:destination]}/priorities/ee") + FileUtils.mkdir_p("#{@options[:destination]}/priorities/oss") end end diff --git a/plugins b/plugins index c49c9849..574f78b9 100755 --- a/plugins +++ b/plugins @@ -78,7 +78,6 @@ class Plugins < Thor option :host, aliases: '-d', type: :string, default: 'localhost', desc: 'Hostname of the server running the API.' option :port, aliases: '-h', type: :numeric, default: 8001, desc: 'Port number' option :type, aliases: '-t', enum: %w(oss ee), required: true, desc: 'Specify whether the API running is the OSS or Enterprise version' - option :source, type: :string, required: true, desc: 'Path to the kong\'s source code (ee or oss).' option :destination, aliases: '-dest', type: :string, default: './data', desc: 'Destination folder where the json object containing the plugins and their priorities will be written' def generate_plugin_priorities puts 'Listing plugins and their priorities...' From 34aaaa756bebe775ef32fa7103ea67c36082be25 Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Thu, 1 Feb 2024 19:40:47 +0100 Subject: [PATCH 030/165] Remove param --- README.md | 3 +-- lib/plugin_priorities.rb | 7 +++---- plugins | 3 +-- 3 files changed, 5 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index b51f6120..2be28feb 100644 --- a/README.md +++ b/README.md 
@@ -100,7 +100,6 @@ generates a file `./data/referenceable_fields/3.4.x.json` containing a list of p | Options | Descriptions | |--------------------------- |-----| | `version` | **Required**. Kong Gateway release version, e.g. `3.3.x`. | -| `plugins` | **Required**. Space separated list of plugins to use, .e.g. `acme acl`. | | `host` | Name of the host in which the API is running. Default: `localhost`. | | `port` | Port in which the API is listening. Default: `8001`. | | `type` | Whether the API is running the `Enterprise` or `OSS` edition. Enum: `oss` or `ee`. | @@ -108,7 +107,7 @@ generates a file `./data/referenceable_fields/3.4.x.json` containing a list of p For example, running: ```bash -./plugins generate_plugin_priorities --type=ee --version 3.4.x --plugins $(ls ./schemas) +./plugins generate_plugin_priorities --type=ee --version 3.4.x ``` generates a file `./data/priorities/ee/3.4.x.json` containing a list of plugins and their corresponded priorities order by priority (desc). diff --git a/lib/plugin_priorities.rb b/lib/plugin_priorities.rb index 1dc191e4..ba064610 100644 --- a/lib/plugin_priorities.rb +++ b/lib/plugin_priorities.rb @@ -3,12 +3,11 @@ require_relative 'api/client' class PluginPriorities - def self.run!(plugins:, options:) - new(plugins:, options:).run! + def self.run!(options:) + new(options:).run! end - def initialize(plugins:, options:) - @plugins = plugins + def initialize(options:) @options = options @client = API::Client.new(host: @options[:host], port: @options[:port]) end diff --git a/plugins b/plugins index 574f78b9..2820a809 100755 --- a/plugins +++ b/plugins 
@@ -74,7 +74,6 @@ class Plugins < Thor desc 'generate_plugin_priorities', 'Generates a json object listing all the plugins and their corresponding priorities' option :version, aliases: '-v', type: :string, required: true, desc: 'Kong Version' - option :plugins, aliases: '-p', type: :array, required: true, desc: 'List containing the name of the plugins' option :host, aliases: '-d', type: :string, default: 'localhost', desc: 'Hostname of the server running the API.' option :port, aliases: '-h', type: :numeric, default: 8001, desc: 'Port number' option :type, aliases: '-t', enum: %w(oss ee), required: true, desc: 'Specify whether the API running is the OSS or Enterprise version' @@ -82,7 +81,7 @@ class Plugins < Thor def generate_plugin_priorities puts 'Listing plugins and their priorities...' - PluginPriorities.run!(plugins: options[:plugins], options: options) + PluginPriorities.run!(options: options) puts 'Done!' end From b44ced368a0907d382b1170842f4ab85a31238ee Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Thu, 1 Feb 2024 19:42:24 +0100 Subject: [PATCH 031/165] Remove konnect-application-auth plugin --- data/priorities/ee/3.0.x.json | 3 +-- data/priorities/ee/3.1.x.json | 3 +-- data/priorities/ee/3.2.x.json | 3 +-- data/priorities/ee/3.3.x.json | 3 +-- data/priorities/ee/3.4.x.json | 1 - data/priorities/ee/3.5.x.json | 3 +-- data/priorities/ee/3.6.x.json | 3 +-- 7 files changed, 6 insertions(+), 13 deletions(-) diff --git a/data/priorities/ee/3.0.x.json b/data/priorities/ee/3.0.x.json index 956dd862..957bae5b 100644 --- a/data/priorities/ee/3.0.x.json +++ b/data/priorities/ee/3.0.x.json @@ -30,7 +30,6 @@ "application-registration": 995, "ip-restriction": 990, "request-size-limiting": 951, - "konnect-application-auth": 950, "acl": 950, "opa": 920, "rate-limiting": 910, @@ -69,4 +68,4 @@ "request-termination": 2, "mocking": -1, "post-function": -1000 -} \ No newline at end of file +} 
diff --git a/data/priorities/ee/3.1.x.json b/data/priorities/ee/3.1.x.json index 13b12e68..da945fe7 100644 --- a/data/priorities/ee/3.1.x.json +++ b/data/priorities/ee/3.1.x.json @@ -32,7 +32,6 @@ "application-registration": 995, "ip-restriction": 990, "request-size-limiting": 951, - "konnect-application-auth": 950, "acl": 950, "opa": 920, "rate-limiting-advanced": 910, @@ -73,4 +72,4 @@ "request-termination": 2, "mocking": -1, "post-function": -1000 -} \ No newline at end of file +} diff --git a/data/priorities/ee/3.2.x.json b/data/priorities/ee/3.2.x.json index 892a222d..461ee4fe 100644 --- a/data/priorities/ee/3.2.x.json +++ b/data/priorities/ee/3.2.x.json @@ -33,7 +33,6 @@ "ip-restriction": 990, "request-size-limiting": 951, "acl": 950, - "konnect-application-auth": 950, "opa": 920, "rate-limiting": 910, "rate-limiting-advanced": 910, @@ -73,4 +72,4 @@ "request-termination": 2, "mocking": -1, "post-function": -1000 -} \ No newline at end of file +} diff --git a/data/priorities/ee/3.3.x.json b/data/priorities/ee/3.3.x.json index 5066c1f7..e3a35377 100644 --- a/data/priorities/ee/3.3.x.json +++ b/data/priorities/ee/3.3.x.json @@ -32,7 +32,6 @@ "application-registration": 995, "ip-restriction": 990, "request-size-limiting": 951, - "konnect-application-auth": 950, "acl": 950, "opa": 920, "rate-limiting": 910, @@ -73,4 +72,4 @@ "request-termination": 2, "mocking": -1, "post-function": -1000 -} \ No newline at end of file +} diff --git a/data/priorities/ee/3.4.x.json b/data/priorities/ee/3.4.x.json index d6a6e5b0..d1e904e7 100644 --- a/data/priorities/ee/3.4.x.json +++ b/data/priorities/ee/3.4.x.json @@ -34,7 +34,6 @@ "ip-restriction": 990, "request-size-limiting": 951, "acl": 950, - "konnect-application-auth": 950, "opa": 920, "rate-limiting": 910, "rate-limiting-advanced": 910, diff --git a/data/priorities/ee/3.5.x.json b/data/priorities/ee/3.5.x.json index f64d700a..ae49123a 100644 --- a/data/priorities/ee/3.5.x.json +++ b/data/priorities/ee/3.5.x.json 
@@ -33,7 +33,6 @@ "application-registration": 995, "ip-restriction": 990, "request-size-limiting": 951, - "konnect-application-auth": 950, "acl": 950, "opa": 920, "rate-limiting-advanced": 910, @@ -73,4 +72,4 @@ "request-termination": 2, "mocking": -1, "post-function": -1000 -} \ No newline at end of file +} diff --git a/data/priorities/ee/3.6.x.json b/data/priorities/ee/3.6.x.json index 81da5d63..9e4f0822 100644 --- a/data/priorities/ee/3.6.x.json +++ b/data/priorities/ee/3.6.x.json @@ -32,7 +32,6 @@ "application-registration": 995, "ip-restriction": 990, "request-size-limiting": 951, - "konnect-application-auth": 950, "acl": 950, "opa": 920, "rate-limiting-advanced": 910, @@ -73,4 +72,4 @@ "request-termination": 2, "mocking": -1, "post-function": -1000 -} \ No newline at end of file +} From 95a1b68f3389e929408a9b5471079fc2e7f5253a Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Thu, 1 Feb 2024 19:49:34 +0100 Subject: [PATCH 032/165] Exclude konnect-application-auth from the priorities --- lib/plugin_priorities.rb | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/lib/plugin_priorities.rb b/lib/plugin_priorities.rb index ba064610..8561c9b9 100644 --- a/lib/plugin_priorities.rb +++ b/lib/plugin_priorities.rb @@ -44,9 +44,13 @@ def success? def priorities @priorities ||= @response .dig('plugins', 'available_on_server') - .each_with_object({}) { |(k, v), hash| hash[k] = v['priority'] } - .sort_by { |k, v| -v } - .to_h + .each_with_object({}) do |(k, v), hash| + next if k == 'konnect-application-auth' + + hash[k] = v['priority'] + end + .sort_by { |k, v| -v } + .to_h end def write_to_file(priorities) From 4ea3faf979b07a15984e14ea52000bc5678e45c1 Mon Sep 17 00:00:00 2001 
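Review bot: The `sort_by { |k, v| -v }` after the new `do … end` block negates whatever `v['priority']` came back in the Admin API response, so one entry without a numeric priority raises NoMethodError and no file is written. A nil result from `.dig('plugins', 'available_on_server')` fails the same way one step earlier. Whether the API can return such a response is not visible here, so I would skip or reject those entries explicitly, e.g. `next if k == 'konnect-application-auth' || !v['priority'].is_a?(Numeric)`. The hard-coded plugin name would also read better as a constant such as `EXCLUDED_PLUGINS = %w[konnect-application-auth].freeze`, with a comment saying why it is left out. The same unguarded negation is kept in the `sort_by { |k, v| [-v, k] }` line of PATCH 035.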
From: Fabian Rodriguez Date: Thu, 1 Feb 2024 20:10:17 +0100 Subject: [PATCH 033/165] Update priorities --- data/priorities/ee/3.1.x.json | 17 +++++++++-------- data/priorities/ee/3.2.x.json | 17 +++++++++-------- data/priorities/ee/3.3.x.json | 13 +++++++------ data/priorities/ee/3.4.x.json | 13 +++++++------ data/priorities/ee/3.5.x.json | 13 +++++++------ data/priorities/ee/3.6.x.json | 9 +++++---- 6 files changed, 44 insertions(+), 38 deletions(-) diff --git a/data/priorities/ee/3.1.x.json b/data/priorities/ee/3.1.x.json index da945fe7..e0ff31f9 100644 --- a/data/priorities/ee/3.1.x.json +++ b/data/priorities/ee/3.1.x.json @@ -1,5 +1,6 @@ { "pre-function": 1000000, + "app-dynamics": 999999, "correlation-id": 100001, "zipkin": 100000, "exit-transformer": 9999, @@ -14,18 +15,18 @@ "jwt": 1450, "oauth2": 1400, "vault-auth": 1350, - "key-auth": 1250, "key-auth-enc": 1250, - "ldap-auth": 1200, + "key-auth": 1250, "ldap-auth-advanced": 1200, + "ldap-auth": 1200, "basic-auth": 1100, "openid-connect": 1050, "hmac-auth": 1030, "jwt-signer": 1020, "xml-threat-protection": 999, - "request-validator": 999, - "websocket-size-limit": 999, "websocket-validator": 999, + "websocket-size-limit": 999, + "request-validator": 999, "grpc-gateway": 998, "tls-handshake-modifier": 997, "tls-metadata-headers": 996, @@ -37,10 +38,10 @@ "rate-limiting-advanced": 910, "rate-limiting": 910, "graphql-rate-limiting-advanced": 902, - "saml": 900, "response-ratelimiting": 900, - "oas-validation": 850, + "saml": 900, "route-by-header": 850, + "oas-validation": 850, "jq": 811, "request-transformer-advanced": 802, "request-transformer": 801, @@ -59,8 +60,8 @@ "opentelemetry": 14, "prometheus": 13, "http-log": 12, - "statsd": 11, "statsd-advanced": 11, + "statsd": 11, "datadog": 10, "file-log": 9, "udp-log": 8, @@ -72,4 +73,4 @@ "request-termination": 2, "mocking": -1, "post-function": -1000 -} +} \ No newline at end of file 
diff --git a/data/priorities/ee/3.2.x.json b/data/priorities/ee/3.2.x.json index 461ee4fe..df26515a 100644 --- a/data/priorities/ee/3.2.x.json +++ b/data/priorities/ee/3.2.x.json @@ -1,5 +1,6 @@ { "pre-function": 1000000, + "app-dynamics": 999999, "correlation-id": 100001, "zipkin": 100000, "exit-transformer": 9999, @@ -14,18 +15,18 @@ "jwt": 1450, "oauth2": 1400, "vault-auth": 1350, - "key-auth-enc": 1250, "key-auth": 1250, + "key-auth-enc": 1250, "ldap-auth-advanced": 1200, "ldap-auth": 1200, "basic-auth": 1100, "openid-connect": 1050, "hmac-auth": 1030, "jwt-signer": 1020, - "websocket-validator": 999, + "request-validator": 999, "xml-threat-protection": 999, "websocket-size-limit": 999, - "request-validator": 999, + "websocket-validator": 999, "grpc-gateway": 998, "tls-handshake-modifier": 997, "tls-metadata-headers": 996, @@ -34,13 +35,13 @@ "request-size-limiting": 951, "acl": 950, "opa": 920, - "rate-limiting": 910, "rate-limiting-advanced": 910, + "rate-limiting": 910, "graphql-rate-limiting-advanced": 902, "saml": 900, "response-ratelimiting": 900, - "route-by-header": 850, "oas-validation": 850, + "route-by-header": 850, "jq": 811, "request-transformer-advanced": 802, "request-transformer": 801, @@ -51,16 +52,16 @@ "aws-lambda": 750, "azure-functions": 749, "upstream-timeout": 400, - "proxy-cache-advanced": 100, "proxy-cache": 100, + "proxy-cache-advanced": 100, "graphql-proxy-cache-advanced": 99, "forward-proxy": 50, "canary": 20, "opentelemetry": 14, "prometheus": 13, "http-log": 12, - "statsd-advanced": 11, "statsd": 11, + "statsd-advanced": 11, "datadog": 10, "file-log": 9, "udp-log": 8, @@ -72,4 +73,4 @@ "request-termination": 2, "mocking": -1, "post-function": -1000 -} +} \ No newline at end of file diff --git a/data/priorities/ee/3.3.x.json b/data/priorities/ee/3.3.x.json index e3a35377..1b89b4ec 100644 --- a/data/priorities/ee/3.3.x.json +++ b/data/priorities/ee/3.3.x.json 
@@ -1,5 +1,6 @@ { "pre-function": 1000000, + "app-dynamics": 999999, "correlation-id": 100001, "zipkin": 100000, "exit-transformer": 9999, @@ -22,10 +23,10 @@ "openid-connect": 1050, "hmac-auth": 1030, "jwt-signer": 1020, - "request-validator": 999, "websocket-validator": 999, - "xml-threat-protection": 999, "websocket-size-limit": 999, + "xml-threat-protection": 999, + "request-validator": 999, "grpc-gateway": 998, "tls-handshake-modifier": 997, "tls-metadata-headers": 996, @@ -34,18 +35,18 @@ "request-size-limiting": 951, "acl": 950, "opa": 920, - "rate-limiting": 910, "rate-limiting-advanced": 910, + "rate-limiting": 910, "graphql-rate-limiting-advanced": 902, "saml": 900, "response-ratelimiting": 900, - "route-by-header": 850, "oas-validation": 850, + "route-by-header": 850, "jq": 811, "request-transformer-advanced": 802, "request-transformer": 801, - "response-transformer": 800, "response-transformer-advanced": 800, + "response-transformer": 800, "route-transformer-advanced": 780, "kafka-upstream": 751, "aws-lambda": 750, @@ -72,4 +73,4 @@ "request-termination": 2, "mocking": -1, "post-function": -1000 -} +} \ No newline at end of file diff --git a/data/priorities/ee/3.4.x.json b/data/priorities/ee/3.4.x.json index d1e904e7..3a3a0a28 100644 --- a/data/priorities/ee/3.4.x.json +++ b/data/priorities/ee/3.4.x.json @@ -1,5 +1,6 @@ { "pre-function": 1000000, + "app-dynamics": 999999, "correlation-id": 100001, "zipkin": 100000, "exit-transformer": 9999, @@ -14,8 +15,8 @@ "jwt": 1450, "oauth2": 1400, "vault-auth": 1350, - "key-auth-enc": 1250, "key-auth": 1250, + "key-auth-enc": 1250, "ldap-auth-advanced": 1200, "ldap-auth": 1200, "basic-auth": 1100, 
@@ -23,10 +24,10 @@ "hmac-auth": 1030, "jwt-signer": 1020, "saml": 1010, - "websocket-size-limit": 999, "websocket-validator": 999, - "xml-threat-protection": 999, "request-validator": 999, + "xml-threat-protection": 999, + "websocket-size-limit": 999, "grpc-gateway": 998, "tls-handshake-modifier": 997, "tls-metadata-headers": 996, @@ -39,13 +40,13 @@ "rate-limiting-advanced": 910, "graphql-rate-limiting-advanced": 902, "response-ratelimiting": 900, - "route-by-header": 850, "oas-validation": 850, + "route-by-header": 850, "jq": 811, "request-transformer-advanced": 802, "request-transformer": 801, - "response-transformer": 800, "response-transformer-advanced": 800, + "response-transformer": 800, "route-transformer-advanced": 780, "kafka-upstream": 751, "aws-lambda": 750, @@ -72,4 +73,4 @@ "request-termination": 2, "mocking": -1, "post-function": -1000 -} +} \ No newline at end of file diff --git a/data/priorities/ee/3.5.x.json b/data/priorities/ee/3.5.x.json index ae49123a..f02f7ad8 100644 --- a/data/priorities/ee/3.5.x.json +++ b/data/priorities/ee/3.5.x.json @@ -1,5 +1,6 @@ { "pre-function": 1000000, + "app-dynamics": 999999, "correlation-id": 100001, "zipkin": 100000, "exit-transformer": 9999, @@ -23,10 +24,10 @@ "hmac-auth": 1030, "jwt-signer": 1020, "saml": 1010, + "request-validator": 999, "xml-threat-protection": 999, - "websocket-size-limit": 999, "websocket-validator": 999, - "request-validator": 999, + "websocket-size-limit": 999, "grpc-gateway": 998, "tls-handshake-modifier": 997, "tls-metadata-headers": 996, 
@@ -39,20 +40,20 @@ "rate-limiting": 910, "graphql-rate-limiting-advanced": 902, "response-ratelimiting": 900, - "route-by-header": 850, "oas-validation": 850, + "route-by-header": 850, "jq": 811, "request-transformer-advanced": 802, "request-transformer": 801, - "response-transformer-advanced": 800, "response-transformer": 800, + "response-transformer-advanced": 800, "route-transformer-advanced": 780, "kafka-upstream": 751, "aws-lambda": 750, "azure-functions": 749, "upstream-timeout": 400, - "proxy-cache": 100, "proxy-cache-advanced": 100, + "proxy-cache": 100, "graphql-proxy-cache-advanced": 99, "forward-proxy": 50, "canary": 20, @@ -72,4 +73,4 @@ "request-termination": 2, "mocking": -1, "post-function": -1000 -} +} \ No newline at end of file diff --git a/data/priorities/ee/3.6.x.json b/data/priorities/ee/3.6.x.json index 9e4f0822..3e8bd4d4 100644 --- a/data/priorities/ee/3.6.x.json +++ b/data/priorities/ee/3.6.x.json @@ -1,5 +1,6 @@ { "pre-function": 1000000, + "app-dynamics": 999999, "correlation-id": 100001, "zipkin": 100000, "exit-transformer": 9999, @@ -14,8 +15,8 @@ "jwt": 1450, "oauth2": 1400, "vault-auth": 1350, - "key-auth": 1250, "key-auth-enc": 1250, + "key-auth": 1250, "ldap-auth": 1200, "ldap-auth-advanced": 1200, "basic-auth": 1100, @@ -37,8 +38,8 @@ "rate-limiting-advanced": 910, "rate-limiting": 910, "graphql-rate-limiting-advanced": 902, - "response-ratelimiting": 900, "saml": 900, + "response-ratelimiting": 900, "route-by-header": 850, "oas-validation": 850, "jq": 811, @@ -59,8 +60,8 @@ "opentelemetry": 14, "prometheus": 13, "http-log": 12, - "statsd-advanced": 11, "statsd": 11, + "statsd-advanced": 11, "datadog": 10, "file-log": 9, "udp-log": 8, @@ -72,4 +73,4 @@ "request-termination": 2, "mocking": -1, "post-function": -1000 -} +} \ No newline at end of file From 3b111d00c820d5eda2ef2874b8e0abee83979059 Mon Sep 17 00:00:00 2001 
From: Fabian Rodriguez Date: Thu, 1 Feb 2024 20:11:11 +0100 Subject: [PATCH 034/165] Update readme with a note about generating priorities for EE --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 2be28feb..c7de7186 100644 --- a/README.md +++ b/README.md @@ -105,6 +105,8 @@ generates a file `./data/referenceable_fields/3.4.x.json` containing a list of p | `type` | Whether the API is running the `Enterprise` or `OSS` edition. Enum: `oss` or `ee`. | | `destination` | Path to the root folder in which the file will be stored. Default: `./data` | +NOTE: when generating priorities for enterprise, make sure the appdynamics plugin is installed + For example, running: ```bash ./plugins generate_plugin_priorities --type=ee --version 3.4.x From 9c583539a49616955ccf293f62b083cca88031dc Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Thu, 1 Feb 2024 20:25:35 +0100 Subject: [PATCH 035/165] Order plugins first by priority, if they match sort them alphabetically --- lib/plugin_priorities.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/plugin_priorities.rb b/lib/plugin_priorities.rb index 8561c9b9..bf3d27a0 100644 --- a/lib/plugin_priorities.rb +++ b/lib/plugin_priorities.rb @@ -49,7 +49,7 @@ def priorities hash[k] = v['priority'] end - .sort_by { |k, v| -v } + .sort_by { |k, v| [-v, k] } .to_h end From 1b69abff8cc7eea2386609e07c1b94f985e7078e Mon Sep 17 00:00:00 2001 
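Review bot: The tie-break added to `sort_by` in `priorities` has no comment saying why the plugin name is part of the sort key, which matters to anyone diffing the generated files. I would add `# Tie-break on plugin name so equal priorities are written in the same order on every run.` above the line. The `data/priorities/ee/*.json` files updated in PATCH 033 still list ties in non-alphabetical order (for example `key-auth-enc` before `key-auth` in 3.1.x), and this patch changes only `lib/plugin_priorities.rb`, so they presumably need regenerating. `priorities` starts above the hunk.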
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Fri, 9 Feb 2024 09:44:01 -0800 Subject: [PATCH 036/165] Chore: generate final 3.6 schemas (#20) * final 3.6 plugin schemas * generate referenceable fields * remove konnect-application-auth from referenceable fields --- data/referenceable_fields/3.6.x.json | 36 +- schemas/acl/3.6.x.json | 76 +- schemas/acme/3.6.x.json | 391 +++-- schemas/ai-prompt-decorator/3.6.x.json | 52 +- schemas/ai-prompt-guard/3.6.x.json | 45 +- schemas/ai-prompt-template/3.6.x.json | 36 +- schemas/ai-proxy/3.6.x.json | 248 +-- schemas/ai-request-transformer/3.6.x.json | 454 +++--- schemas/ai-response-transformer/3.6.x.json | 448 +++--- schemas/application-registration/3.6.x.json | 50 +- schemas/aws-lambda/3.6.x.json | 174 +-- schemas/azure-functions/3.6.x.json | 46 +- schemas/basic-auth/3.6.x.json | 50 +- schemas/bot-detection/3.6.x.json | 48 +- schemas/canary/3.6.x.json | 154 +- schemas/correlation-id/3.6.x.json | 36 +- schemas/cors/3.6.x.json | 90 +- schemas/datadog/3.6.x.json | 178 +-- schemas/degraphql/3.6.x.json | 44 +- schemas/exit-transformer/3.6.x.json | 34 +- schemas/file-log/3.6.x.json | 46 +- schemas/forward-proxy/3.6.x.json | 106 +- .../graphql-proxy-cache-advanced/3.6.x.json | 46 +- .../graphql-rate-limiting-advanced/3.6.x.json | 210 +-- schemas/grpc-gateway/3.6.x.json | 28 +- schemas/grpc-web/3.6.x.json | 34 +- schemas/hmac-auth/3.6.x.json | 74 +- schemas/http-log/3.6.x.json | 142 +- schemas/ip-restriction/3.6.x.json | 54 +- schemas/jq/3.6.x.json | 70 +- schemas/jwe-decrypt/3.6.x.json | 52 +- schemas/jwt-signer/3.6.x.json | 288 ++-- schemas/jwt/3.6.x.json | 96 +- schemas/kafka-log/3.6.x.json | 150 +- schemas/kafka-upstream/3.6.x.json | 142 +- schemas/key-auth-enc/3.6.x.json | 58 +- schemas/key-auth/3.6.x.json | 48 +- schemas/konnect-application-auth/3.6.x.json | 1250 +++++++-------- schemas/ldap-auth-advanced/3.6.x.json | 112 +- schemas/ldap-auth/3.6.x.json | 72 +- schemas/loggly/3.6.x.json | 54 +- 
schemas/mocking/3.6.x.json | 46 +- schemas/mtls-auth/3.6.x.json | 126 +- schemas/oas-validation/3.6.x.json | 78 +- schemas/oauth2-introspection/3.6.x.json | 100 +- schemas/oauth2/3.6.x.json | 110 +- schemas/opa/3.6.x.json | 70 +- schemas/openid-connect/3.6.x.json | 1352 +++++++++-------- schemas/opentelemetry/3.6.x.json | 152 +- schemas/post-function/3.6.x.json | 158 +- schemas/pre-function/3.6.x.json | 158 +- schemas/prometheus/3.6.x.json | 36 +- schemas/proxy-cache-advanced/3.6.x.json | 222 +-- schemas/proxy-cache/3.6.x.json | 106 +- schemas/rate-limiting-advanced/3.6.x.json | 210 +-- schemas/rate-limiting/3.6.x.json | 393 +++-- schemas/request-size-limiting/3.6.x.json | 40 +- schemas/request-termination/3.6.x.json | 54 +- .../request-transformer-advanced/3.6.x.json | 256 ++-- schemas/request-transformer/3.6.x.json | 158 +- schemas/request-validator/3.6.x.json | 94 +- schemas/response-ratelimiting/3.6.x.json | 375 +++-- .../response-transformer-advanced/3.6.x.json | 222 +-- schemas/response-transformer/3.6.x.json | 166 +- schemas/route-by-header/3.6.x.json | 52 +- schemas/route-transformer-advanced/3.6.x.json | 34 +- schemas/saml/3.6.x.json | 436 +++--- schemas/session/3.6.x.json | 212 +-- schemas/statsd-advanced/3.6.x.json | 342 ++--- schemas/statsd/3.6.x.json | 290 ++-- schemas/syslog/3.6.x.json | 64 +- schemas/tcp-log/3.6.x.json | 50 +- schemas/tls-handshake-modifier/3.6.x.json | 34 +- schemas/tls-metadata-headers/3.6.x.json | 60 +- schemas/udp-log/3.6.x.json | 44 +- schemas/upstream-timeout/3.6.x.json | 48 +- schemas/vault-auth/3.6.x.json | 70 +- schemas/websocket-size-limit/3.6.x.json | 40 +- schemas/websocket-validator/3.6.x.json | 150 +- schemas/xml-threat-protection/3.6.x.json | 116 +- schemas/zipkin/3.6.x.json | 156 +- 81 files changed, 6526 insertions(+), 6176 deletions(-) diff --git a/data/referenceable_fields/3.6.x.json b/data/referenceable_fields/3.6.x.json index ed1c3d41..9727279e 100644 --- a/data/referenceable_fields/3.6.x.json 
+++ b/data/referenceable_fields/3.6.x.json @@ -3,10 +3,29 @@ "config.account_email", "config.eab_kid", "config.eab_hmac_key", - "config.storage_config.redis.auth", + "config.storage_config.redis.username", + "config.storage_config.redis.password", "config.storage_config.consul.token", "config.storage_config.vault.token" ], + "ai-proxy": [ + "config.auth.header_name", + "config.auth.header_value", + "config.auth.param_name", + "config.auth.param_value" + ], + "ai-request-transformer": [ + "config.llm.auth.header_name", + "config.llm.auth.header_value", + "config.llm.auth.param_name", + "config.llm.auth.param_value" + ], + "ai-response-transformer": [ + "config.llm.auth.header_name", + "config.llm.auth.header_value", + "config.llm.auth.param_name", + "config.llm.auth.param_value" + ], "aws-lambda": [ "config.aws_key", "config.aws_secret", @@ -48,6 +67,9 @@ "loggly": [ "config.key" ], + "oauth2-introspection": [ + "config.authorization_value" + ], "openid-connect": [ "config.client_id", "config.client_secret", @@ -61,6 +83,10 @@ "config.client_jwk.oth", "config.client_jwk.r", "config.client_jwk.t", + "config.login_redirect_uri", + "config.logout_redirect_uri", + "config.scopes", + "config.introspection_headers_values", "config.session_secret", "config.session_redis_username", "config.session_redis_password" @@ -76,8 +102,8 @@ "config.redis.sentinel_password" ], "rate-limiting": [ - "config.redis_password", - "config.redis_username" + "config.redis.username", + "config.redis.password" ], "rate-limiting-advanced": [ "config.redis.username", @@ -100,8 +126,8 @@ "config.append.querystring" ], "response-ratelimiting": [ - "config.redis_password", - "config.redis_username" + "config.redis.username", + "config.redis.password" ], "saml": [ "config.idp_certificate", diff --git a/schemas/acl/3.6.x.json b/schemas/acl/3.6.x.json index 6e83ac25..e380950d 100644 --- a/schemas/acl/3.6.x.json +++ b/schemas/acl/3.6.x.json 
@@ -1,97 +1,97 @@ { + "entity_checks": [ + { + "only_one_of": [ + "config.allow", + "config.deny" + ] + }, + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "allow": { - "type": "array", - "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", "elements": { "type": "string" - } + }, + "type": "array", + "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified." } }, { "deny": { - "type": "array", - "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", "elements": { "type": "string" - } + }, + "type": "array", + "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified." 
} }, { "hide_groups_header": { - "default": false, + "required": true, "type": "boolean", - "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", - "required": true + "default": false, + "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service." } }, { "include_consumer_groups": { + "required": false, "type": "boolean", - "default": false, - "required": false + "default": false } } ] } } - ], - "entity_checks": [ - { - "only_one_of": [ - "config.allow", - "config.deny" - ] - }, - { - "at_least_one_of": [ - "config.allow", - "config.deny" - ] - } ] } \ No newline at end of file diff --git a/schemas/acme/3.6.x.json b/schemas/acme/3.6.x.json index af38e020..42123a6d 100644 --- a/schemas/acme/3.6.x.json +++ b/schemas/acme/3.6.x.json 
@@ -1,91 +1,140 @@ { + "entity_checks": [ + { + "conditional": { + "then_match": { + "eq": true + }, + "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", + "if_match": { + "one_of": [ + "https://acme-v02.api.letsencrypt.org", + "https://acme-staging-v02.api.letsencrypt.org" + ] + }, + "if_field": "config.api_uri", + "then_field": "config.tos_accepted" + } + }, + { + "conditional": { + "then_field": "config.storage_config.redis.host", + "if_field": "config.storage", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.storage_config.redis.port", + "if_field": "config.storage", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.storage" + ] + } + } + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "service": { - "type": "foreign", "reference": "services", + "type": "foreign", "eq": null, "description": "A reference to the 'services' table with a null value allowed." } }, { "route": { - "type": "foreign", "reference": "routes", + "type": "foreign", "eq": null, "description": "A reference to the 'routes' table with a null value allowed." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." 
} }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "account_email": { - "match": "%w*%p*@+%w*%.?%w*", - "required": true, - "type": "string", "referenceable": true, - "encrypted": true, - "description": "The account identifier. Can be reused in a different plugin instance." + "type": "string", + "required": true, + "match": "%w*%p*@+%w*%.?%w*", + "description": "The account identifier. Can be reused in a different plugin instance.", + "encrypted": true } }, { "account_key": { - "description": "The private key associated with the account.", - "type": "record", "required": false, + "type": "record", + "description": "The private key associated with the account.", "fields": [ { "key_id": { - "type": "string", "required": true, + "type": "string", "description": "The Key ID." } }, { "key_set": { - "type": "string", - "description": "The ID of the key set to associate the Key ID with." + "description": "The ID of the key set to associate the Key ID with.", + "type": "string" } } ] 
@@ -93,67 +142,66 @@ }, { "api_uri": { - "default": "https://acme-v02.api.letsencrypt.org/directory", "type": "string", + "default": "https://acme-v02.api.letsencrypt.org/directory", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "tos_accepted": { "type": "boolean", - "default": false, - "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service." + "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", + "default": false } }, { "eab_kid": { - "type": "string", "referenceable": true, - "encrypted": true, - "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA." + "type": "string", + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", + "encrypted": true } }, { "eab_hmac_key": { - "type": "string", "referenceable": true, - "encrypted": true, - "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA." + "type": "string", + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", + "encrypted": true } }, { "cert_type": { - "type": "string", "one_of": [ "rsa", "ecc" ], - "default": "rsa", - "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate." + "type": "string", + "description": "The certificate type to create. 
The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate.", + "default": "rsa" } }, { "rsa_key_size": { - "type": "number", "one_of": [ 2048, 3072, 4096 ], - "default": 4096, - "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096." + "type": "number", + "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", + "default": 4096 } }, { "renew_threshold_days": { "type": "number", - "default": 14, - "description": "Days remaining to renew the certificate before it expires." + "description": "Days remaining to renew the certificate before it expires.", + "default": 14 } }, { "domains": { - "type": "array", "elements": { "match_all": [ { @@ -163,34 +211,34 @@ ], "type": "string", "match_any": { - "err": "invalid wildcard: must be placed at leftmost or rightmost label", "patterns": [ "^%*%.", "%.%*$", "^[^*]*$" - ] + ], + "err": "invalid wildcard: must be placed at leftmost or rightmost label" } }, + "type": "array", "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')" } }, { "allow_any_domain": { "type": "boolean", - "default": false, - "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list." + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", + "default": false } }, { "fail_backoff_minutes": { "type": "number", - "default": 5, - "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate." + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", + "default": 5 } }, { "storage": { - "type": "string", "one_of": [ "kong", "shm", 
@@ -198,25 +246,26 @@ "consul", "vault" ], - "default": "shm", - "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well." + "type": "string", + "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well.", + "default": "shm" } }, { "storage_config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "shm": { - "type": "record", "required": true, + "type": "record", "fields": [ { "shm_name": { "type": "string", - "default": "kong", - "description": "Name of shared memory zone used for Kong API gateway storage" + "description": "Name of shared memory zone used for Kong API gateway storage", + "default": "kong" } } ] @@ -224,8 +273,8 @@ }, { "kong": { - "type": "record", "required": true, + "type": "record", "fields": [ ] 
@@ -233,76 +282,145 @@ }, { "redis": { - "type": "record", "required": true, + "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], + ] + } + }, + { + "timeout": { + "default": 2000, "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] } }, { - "database": { - "type": "number", - "description": "The index of the Redis database to use." + "username": { + "referenceable": true, + "type": "string", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." } }, { - "auth": { + "password": { "referenceable": true, "type": "string", - "description": "The Redis password to use for authentication. " + "len_min": 0, + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + } + }, + { + "database": { + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0 } }, { "ssl": { - "default": false, + "required": false, "type": "boolean", - "required": true, - "description": "Whether to use SSL/TLS encryption when connecting to the Redis server." 
+ "description": "If set to true, uses SSL to connect to Redis.", + "default": false } }, { "ssl_verify": { - "default": false, + "required": false, "type": "boolean", - "required": true, - "description": "Whether to verify the SSL/TLS certificate presented by the Redis server. This should be a boolean value." + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false } }, { - "ssl_server_name": { + "server_name": { "required": false, "type": "string", - "description": "The expected server name for the SSL/TLS certificate presented by the Redis server." + "description": "A string representing an SNI (server name indication) value for TLS." + } + }, + { + "extra_options": { + "required": true, + "type": "record", + "description": "Custom ACME Redis options", + "fields": [ + { + "namespace": { + "type": "string", + "default": "", + "len_min": 0, + "required": true, + "description": "A namespace to prepend to all keys stored in Redis." + } + }, + { + "scan_count": { + "required": false, + "type": "number", + "description": "The number of keys to return in Redis SCAN calls.", + "default": 10 + } + } + ] + } + } + ], + "shorthand_fields": [ + { + "auth": { + "translate_backwards": [ + "password" + ], + "type": "string", + "len_min": 0 + } + }, + { + "ssl_server_name": { + "translate_backwards": [ + "server_name" + ], + "type": "string" } }, { "namespace": { + "translate_backwards": [ + "extra_options", + "namespace" + ], "type": "string", - "len_min": 0, - "required": true, - "default": "", - "description": "A namespace to prepend to all keys stored in Redis." 
+ "len_min": 0 } }, { "scan_count": { - "default": 10, - "type": "number", - "required": false, - "description": "The number of keys to return in Redis SCAN calls." + "translate_backwards": [ + "extra_options", + "scan_count" + ], + "type": "integer" } } ] @@ -310,42 +428,42 @@ }, { "consul": { - "type": "record", "required": true, + "type": "record", "fields": [ { "https": { "type": "boolean", - "default": false, - "description": "Boolean representation of https." + "description": "Boolean representation of https.", + "default": false } }, { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "kv_path": { - "type": "string", - "description": "KV prefix path." + "description": "KV prefix path.", + "type": "string" } }, { "timeout": { - "type": "number", - "description": "Timeout in milliseconds." + "description": "Timeout in milliseconds.", + "type": "number" } }, { 
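Review bot: In the `redis` record of hunk `@@ -233,76 +282,145 @@`, `ssl_verify` keeps `"default": false` while `ssl` and `ssl_verify` both change from `"required": true` to `"required": false`, so a configuration that only sets `ssl` to true encrypts the Redis connection without checking the server certificate. The new `ssl_verify` description explains the CA setup (`lua_ssl_trusted_certificate`) but not that consequence. I would append a sentence to it such as `With ssl enabled and ssl_verify left at false, the connection is encrypted but the Redis server is not authenticated.` If this file is generated from the schema API, as the series description suggests, the wording belongs in the upstream plugin schema. The file header for this hunk is outside the visible part of the patch.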
@@ -360,42 +478,42 @@ }, { "vault": { - "type": "record", "required": true, + "type": "record", "fields": [ { "https": { "type": "boolean", - "default": false, - "description": "Boolean representation of https." + "description": "Boolean representation of https.", + "default": false } }, { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "kv_path": { - "type": "string", - "description": "KV prefix path." + "description": "KV prefix path.", + "type": "string" } }, { "timeout": { - "type": "number", - "description": "Timeout in milliseconds." + "description": "Timeout in milliseconds.", + "type": "number" } }, { 
@@ -408,43 +526,43 @@ { "tls_verify": { "type": "boolean", - "default": true, - "description": "Turn on TLS verification." + "description": "Turn on TLS verification.", + "default": true } }, { "tls_server_name": { - "type": "string", - "description": "SNI used in request, default to host if omitted." + "description": "SNI used in request, default to host if omitted.", + "type": "string" } }, { "auth_method": { - "type": "string", "one_of": [ "token", "kubernetes" ], - "default": "token", - "description": "Auth Method, default to token, can be 'token' or 'kubernetes'." + "type": "string", + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", + "default": "token" } }, { "auth_path": { - "type": "string", - "description": "Vault's authentication path to use." + "description": "Vault's authentication path to use.", + "type": "string" } }, { "auth_role": { - "type": "string", - "description": "The role to try and assign." + "description": "The role to try and assign.", + "type": "string" } }, { "jwt_path": { - "type": "string", - "description": "The path to the JWT." + "description": "The path to the JWT.", + "type": "string" } } ] 
@@ -455,44 +573,19 @@ }, { "preferred_chain": { - "type": "string", - "description": "A string value that specifies the preferred certificate chain to use when generating certificates." + "description": "A string value that specifies the preferred certificate chain to use when generating certificates.", + "type": "string" } }, { "enable_ipv4_common_name": { "type": "boolean", - "default": true, - "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates." + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", + "default": true } } ] } } - ], - "entity_checks": [ - { - "conditional": { - "then_match": { - "eq": true - }, - "then_field": "config.tos_accepted", - "if_match": { - "one_of": [ - "https://acme-v02.api.letsencrypt.org", - "https://acme-staging-v02.api.letsencrypt.org" - ] - }, - "if_field": "config.api_uri", - "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/" - } - }, - { - "custom_entity_check": { - "field_sources": [ - "config.storage" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/ai-prompt-decorator/3.6.x.json b/schemas/ai-prompt-decorator/3.6.x.json index afe07263..ef88e49e 100644 --- a/schemas/ai-prompt-decorator/3.6.x.json +++ b/schemas/ai-prompt-decorator/3.6.x.json 
@@ -1,29 +1,39 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.prompts.prepend", + "config.prompts.append" + ] + } + ], "fields": [ { "protocols": { "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "required": true, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, + "type": "record", "fields": [ { "prompts": { @@ -50,18 +60,18 @@ }, { "content": { - "required": true, - "len_min": 1, + "len_max": 500, "type": "string", - "len_max": 500 + "required": true, + "len_min": 1 } } ] }, "type": "array", + "len_max": 15, "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages.", - "required": false, - "len_max": 15 + "required": false } }, { @@ -84,35 +94,25 @@ }, { "content": { - "required": true, - "len_min": 1, + "len_max": 500, "type": "string", - "len_max": 500 + "required": true, + "len_min": 1 } } ] }, "type": "array", + "len_max": 15, "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages.", - "required": false, - "len_max": 15 + "required": false } } ] } } - ], - "type": "record", - "required": true + ] } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.prompts.prepend", - "config.prompts.append" - ] - } ] } \ No newline at end of file diff --git a/schemas/ai-prompt-guard/3.6.x.json b/schemas/ai-prompt-guard/3.6.x.json index cf1a6481..387970a4 100644 --- a/schemas/ai-prompt-guard/3.6.x.json +++ b/schemas/ai-prompt-guard/3.6.x.json 
@@ -1,51 +1,67 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow_patterns", + "config.deny_patterns" + ] + } + ], "fields": [ { "protocols": { "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "required": true, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, + "type": "record", "fields": [ { "allow_patterns": { "elements": { - "type": "string" + "len_max": 50, + "type": "string", + "len_min": 1 }, "type": "array", "default": [ ], + "len_max": 10, "description": "Array of valid patterns, or valid questions from the 'user' role in chat." } }, { "deny_patterns": { "elements": { - "type": "string" + "len_max": 50, + "type": "string", + "len_min": 1 }, "type": "array", "default": [ ], + "len_max": 10, "description": "Array of invalid patterns, or invalid questions from the 'user' role in chat." } }, @@ -53,21 +69,10 @@ "allow_all_conversation_history": { "required": true, "type": "boolean", - "default": false, - "description": "If true, will ignore all previous chat prompts from the conversation history." + "description": "If true, will ignore all previous chat prompts from the conversation history.", + "default": false } } - ], - "type": "record", - "required": true - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" ] } } diff --git a/schemas/ai-prompt-template/3.6.x.json b/schemas/ai-prompt-template/3.6.x.json index 0db1eae6..97476bdd 100644 --- a/schemas/ai-prompt-template/3.6.x.json +++ b/schemas/ai-prompt-template/3.6.x.json 
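Review bot: In schemas/ai-prompt-guard/3.6.x.json, hunk `@@ -53,21 +69,10 @@`, the description of `allow_all_conversation_history` ("If true, will ignore all previous chat prompts from the conversation history.") does not say what "ignore" means for a guard plugin. The field name suggests that earlier messages are let through without being matched against `allow_patterns` / `deny_patterns`, which an operator should know before enabling it. After confirming the behaviour against the plugin handler, I would make the description explicit, for example `If true, only the latest user message is checked against the patterns; earlier messages in the conversation history are not checked.`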
@@ -1,40 +1,48 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "required": true, + "description": "A set of strings representing HTTP protocols." } }, { "consumer": { - "type": "foreign", "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "type": "foreign", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "required": true, + "type": "record", "fields": [ { "templates": { + "required": true, + "type": "array", + "description": "Array of templates available to the request context.", "elements": { "required": true, "type": "record", @@ -54,10 +62,7 @@ } } ] - }, - "required": true, - "type": "array", - "description": "Array of templates available to the request context." + } } }, { @@ -76,13 +81,8 @@ "description": "Set true to add the original request to the Kong log plugin(s) output." } } - ], - "type": "record", - "required": true + ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/ai-proxy/3.6.x.json b/schemas/ai-proxy/3.6.x.json index a4bbc6c8..87860e6a 100644 --- a/schemas/ai-proxy/3.6.x.json +++ b/schemas/ai-proxy/3.6.x.json 
@@ -1,49 +1,57 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "service": { - "type": "foreign", "reference": "services", + "type": "foreign", "eq": null, "description": "A reference to the 'services' table with a null value allowed." } }, { "config": { - "type": "record", "entity_checks": [ { "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "auth.header_name", + "auth.param_name" + ], + "if_field": "model.provider", + "then_err": "must set one of %s, and its respective options, when provider is not self-hosted", "if_match": { "one_of": [ "openai", @@ -51,13 +59,7 @@ "anthropic", "cohere" ] - }, - "then_at_least_one_of": [ - "auth.header_name", - "auth.param_name" - ], - "if_field": "model.provider", - "then_err": "must set one of %s, and its respective options, when provider is not self-hosted" + } } }, { 
@@ -75,177 +77,177 @@ }, { "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "llama2" - ] - }, "then_at_least_one_of": [ "model.options.llama2_format" ], "if_field": "model.provider", - "then_err": "must set %s for llama2 provider" + "then_err": "must set %s for llama2 provider", + "if_match": { + "one_of": [ + "llama2" + ] + } } }, { "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "mistral" - ] - }, "then_at_least_one_of": [ "model.options.mistral_format" ], "if_field": "model.provider", - "then_err": "must set %s for mistral provider" + "then_err": "must set %s for mistral provider", + "if_match": { + "one_of": [ + "mistral" + ] + } } }, { "conditional_at_least_one_of": { - "if_match": [ - - ], "then_at_least_one_of": [ "model.name" ], "if_field": "model.provider", - "then_err": "Must set a model name. Refer to https://docs.konghq.com/hub/kong-inc/ai-proxy/ for supported models." + "then_err": "Must set a model name. Refer to https://docs.konghq.com/hub/kong-inc/ai-proxy/ for supported models.", + "if_match": [ + + ] } }, { "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "anthropic" - ] - }, "then_at_least_one_of": [ "model.options.anthropic_version" ], "if_field": "model.provider", - "then_err": "must set %s for anthropic provider" + "then_err": "must set %s for anthropic provider", + "if_match": { + "one_of": [ + "anthropic" + ] + } } }, { "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, "then_at_least_one_of": [ "model.options.azure_instance" ], "if_field": "model.provider", - "then_err": "must set %s for azure provider" - } - }, - { - "conditional_at_least_one_of": { + "then_err": "must set %s for azure provider", "if_match": { "one_of": [ "azure" ] - }, - "then_at_least_one_of": [ - "model.options.azure_api_version" - ], - "if_field": "model.provider", - "then_err": "must set %s for azure provider" + } } }, { "conditional_at_least_one_of": { + "then_at_least_one_of": [ + 
"model.options.azure_api_version" + ], + "if_field": "model.provider", + "then_err": "must set %s for azure provider", "if_match": { "one_of": [ "azure" ] - }, + } + } + }, + { + "conditional_at_least_one_of": { "then_at_least_one_of": [ "model.options.azure_deployment_id" ], "if_field": "model.provider", - "then_err": "must set %s for azure provider" + "then_err": "must set %s for azure provider", + "if_match": { + "one_of": [ + "azure" + ] + } } }, { "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.upstream_url" + ], + "if_field": "model.provider", + "then_err": "must set %s for self-hosted providers/models", "if_match": { "one_of": [ "mistral", "llama2" ] - }, - "then_at_least_one_of": [ - "model.options.upstream_url" - ], - "if_field": "model.provider", - "then_err": "must set %s for self-hosted providers/models" + } } } ], - "required": true, + "type": "record", "fields": [ { "route_type": { + "required": true, "type": "string", + "description": "The model's operation implementation, for this provider.", "one_of": [ "llm/v1/chat", "llm/v1/completions" - ], - "required": true, - "description": "The model's operation implementation, for this provider." + ] } }, { "auth": { - "type": "record", "required": false, + "type": "record", "fields": [ { "header_name": { - "type": "string", - "referenceable": true, "required": false, - "description": "If AI model requires authentication via Authorization or API key header, specify its name here." + "type": "string", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true } }, { "header_value": { - "type": "string", - "encrypted": true, "referenceable": true, + "type": "string", "required": false, - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." 
+ "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "encrypted": true } }, { "param_name": { - "type": "string", - "referenceable": true, "required": false, - "description": "If AI model requires authentication via query parameter, specify its name here." + "type": "string", + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true } }, { "param_value": { - "type": "string", - "encrypted": true, "referenceable": true, + "type": "string", "required": false, - "description": "Specify the full parameter value for 'param_name'." + "description": "Specify the full parameter value for 'param_name'.", + "encrypted": true } }, { "param_location": { + "required": false, "type": "string", + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "one_of": [ "query", "body" - ], - "required": false, - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body." + ] } } ] @@ -253,12 +255,14 @@ }, { "model": { - "type": "record", "required": true, + "type": "record", "fields": [ { "provider": { + "required": true, "type": "string", + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "one_of": [ "openai", "azure", 
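Review bot: In the `auth` record of schemas/ai-proxy/3.6.x.json (hunk `@@ -75,177 +77,177 @@`), `param_location` accepts `query`, and its description does not mention that a credential sent as a query parameter is more likely to be recorded in upstream access logs and intermediary proxies than one sent in a header or body. `param_value` is marked `"encrypted": true`, which covers storage only, not the request URL. I would extend the `param_location` description with a sentence such as `Prefer header authentication or 'body' where the provider supports it; values placed in the query string may appear in access logs.` The same `auth` fields are repeated in schemas/ai-request-transformer/3.6.x.json, hunk `@@ -125,42 +293,42 @@`.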
@@ -266,79 +270,77 @@ "cohere", "mistral", "llama2" - ], - "required": true, - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats." + ] } }, { "name": { - "type": "string", "required": false, + "type": "string", "description": "Model name to execute." } }, { "options": { - "description": "Key/value settings for the model", - "type": "record", "required": false, + "type": "record", + "description": "Key/value settings for the model", "fields": [ { "max_tokens": { "required": false, "type": "integer", - "default": 256, - "description": "Defines the max_tokens, if using chat or completion models." + "description": "Defines the max_tokens, if using chat or completion models.", + "default": 256 } }, { "temperature": { - "required": false, + "type": "number", + "default": 1, "between": [ 0, 5 ], - "type": "number", - "default": 1, + "required": false, "description": "Defines the matching temperature, if using chat or completion models." } }, { "top_p": { - "required": false, + "type": "number", + "default": 1, "between": [ 0, 1 ], - "type": "number", - "default": 1, + "required": false, "description": "Defines the top-p probability mass, if supported." } }, { "top_k": { - "required": false, + "type": "integer", + "default": 0, "between": [ 0, 500 ], - "type": "integer", - "default": 0, + "required": false, "description": "Defines the top-k most likely tokens, if supported." } }, { "anthropic_version": { - "type": "string", "required": false, + "type": "string", "description": "Defines the schema/API version, if using Anthropic provider." } }, { "azure_instance": { - "type": "string", "required": false, + "type": "string", "description": "Instance name for Azure OpenAI hosted models." } }, 
@@ -346,38 +348,38 @@ "azure_api_version": { "required": false, "type": "string", - "default": "2023-05-15", - "description": "'api-version' for Azure OpenAI instances." + "description": "'api-version' for Azure OpenAI instances.", + "default": "2023-05-15" } }, { "azure_deployment_id": { - "type": "string", "required": false, + "type": "string", "description": "Deployment ID for Azure OpenAI instances." } }, { "llama2_format": { + "required": false, "type": "string", + "description": "If using llama2 provider, select the upstream message format.", "one_of": [ "raw", "openai", "ollama" - ], - "required": false, - "description": "If using llama2 provider, select the upstream message format." + ] } }, { "mistral_format": { + "required": false, "type": "string", + "description": "If using mistral provider, select the upstream message format.", "one_of": [ "openai", "ollama" - ], - "required": false, - "description": "If using mistral provider, select the upstream message format." + ] } }, { @@ -395,33 +397,31 @@ }, { "logging": { - "type": "record", "required": true, + "type": "record", "fields": [ { "log_statistics": { "required": true, "type": "boolean", - "default": true, - "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output." + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "default": true } }, { "log_payloads": { "required": true, "type": "boolean", - "default": false, - "description": "If enabled, will log the request and response body into the Kong log plugin(s) output." + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "default": false } } ] } } - ] + ], + "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
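Review bot: In the `logging` record of schemas/ai-proxy/3.6.x.json (hunk `@@ -395,33 +397,31 @@`), `log_payloads` is described only as logging the request and response body, with no mention that prompts and completions can carry personal data or secrets that then reach every attached log plugin. The default of `false` is the safe one and should stay. I would extend the description to something like `If enabled, will log the request and response body into the Kong log plugin(s) output. Bodies may contain sensitive data; restrict access to the log destination.`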
diff --git a/schemas/ai-request-transformer/3.6.x.json b/schemas/ai-request-transformer/3.6.x.json index 8a5819c8..c2c31fb7 100644 --- a/schemas/ai-request-transformer/3.6.x.json +++ b/schemas/ai-request-transformer/3.6.x.json @@ -1,37 +1,68 @@ { + "entity_checks": [ + { + "conditional": { + "then_match": { + "eq": "llm/v1/chat" + }, + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "if_field": "config.llm.route_type", + "then_field": "config.llm.route_type" + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } + ], "fields": [ { "protocols": { "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "required": true, + "description": "A set of strings representing HTTP protocols." } }, { "consumer": { - "type": "foreign", "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "type": "foreign", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "required": true, + "type": "record", "fields": [ { "prompt": { 
@@ -47,14 +78,6 @@ "description": "Defines the regular expression that must match to indicate a successful AI transformation at the request phase. The first match will be set as the outgoing body. If the AI service's response doesn't match this pattern, it is marked as a failure." } }, - { - "ssl_verify": { - "required": true, - "type": "boolean", - "default": true, - "description": "Verify the TLS certificate of the AI upstream service." - } - }, { "http_timeout": { "required": true, 
@@ -73,44 +96,189 @@ }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "http_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "https_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ ] } }, { "llm": { + "entity_checks": [ + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "auth.header_name", + "auth.param_name" + ], + "if_field": "model.provider", + "then_err": "must set one of %s, and its respective options, when provider is not self-hosted", + "if_match": { + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere" + ] + } + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.llama2_format" + ], + "if_field": "model.provider", + "then_err": "must set %s for llama2 provider", + "if_match": { + "one_of": [ + "llama2" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.mistral_format" + ], + "if_field": "model.provider", + "then_err": "must set %s for mistral provider", + "if_match": { + "one_of": [ + "mistral" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.name" + ], + "if_field": "model.provider", + "then_err": "Must set a model name. 
Refer to https://docs.konghq.com/hub/kong-inc/ai-proxy/ for supported models.", + "if_match": [ + + ] + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], + "if_field": "model.provider", + "then_err": "must set %s for anthropic provider", + "if_match": { + "one_of": [ + "anthropic" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.azure_instance" + ], + "if_field": "model.provider", + "then_err": "must set %s for azure provider", + "if_match": { + "one_of": [ + "azure" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], + "if_field": "model.provider", + "then_err": "must set %s for azure provider", + "if_match": { + "one_of": [ + "azure" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ], + "if_field": "model.provider", + "then_err": "must set %s for azure provider", + "if_match": { + "one_of": [ + "azure" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.upstream_url" + ], + "if_field": "model.provider", + "then_err": "must set %s for self-hosted providers/models", + "if_match": { + "one_of": [ + "mistral", + "llama2" + ] + } + } + } + ], + "type": "record", "fields": [ { "route_type": { "required": true, - "description": "The model's operation implementation, for this provider.", "type": "string", + "description": "The model's operation implementation, for this provider.", "one_of": [ "llm/v1/chat", "llm/v1/completions" 
@@ -125,42 +293,42 @@ { "header_name": { "required": false, - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "type": "string", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "referenceable": true } }, { "header_value": { + "referenceable": true, "type": "string", - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "required": false, - "encrypted": true, - "referenceable": true + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "encrypted": true } }, { "param_name": { "required": false, - "description": "If AI model requires authentication via query parameter, specify its name here.", "type": "string", + "description": "If AI model requires authentication via query parameter, specify its name here.", "referenceable": true } }, { "param_value": { + "referenceable": true, "type": "string", - "description": "Specify the full parameter value for 'param_name'.", "required": false, - "encrypted": true, - "referenceable": true + "description": "Specify the full parameter value for 'param_name'.", + "encrypted": true } }, { "param_location": { "required": false, - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "type": "string", + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "one_of": [ "query", "body" @@ -178,8 +346,8 @@ { "provider": { "required": true, - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "type": "string", + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "one_of": [ "openai", "azure", 
@@ -200,49 +368,51 @@ { "options": { "required": false, + "type": "record", + "description": "Key/value settings for the model", "fields": [ { "max_tokens": { "required": false, "type": "integer", - "default": 256, - "description": "Defines the max_tokens, if using chat or completion models." + "description": "Defines the max_tokens, if using chat or completion models.", + "default": 256 } }, { "temperature": { "type": "number", - "description": "Defines the matching temperature, if using chat or completion models.", - "required": false, + "default": 1, "between": [ 0, 5 ], - "default": 1 + "required": false, + "description": "Defines the matching temperature, if using chat or completion models." } }, { "top_p": { "type": "number", - "description": "Defines the top-p probability mass, if supported.", - "required": false, + "default": 1, "between": [ 0, 1 ], - "default": 1 + "required": false, + "description": "Defines the top-p probability mass, if supported." } }, { "top_k": { "type": "integer", - "description": "Defines the top-k most likely tokens, if supported.", - "required": false, + "default": 0, "between": [ 0, 500 ], - "default": 0 + "required": false, + "description": "Defines the top-k most likely tokens, if supported." } }, { @@ -263,8 +433,8 @@ "azure_api_version": { "required": false, "type": "string", - "default": "2023-05-15", - "description": "'api-version' for Azure OpenAI instances." + "description": "'api-version' for Azure OpenAI instances.", + "default": "2023-05-15" } }, { @@ -277,8 +447,8 @@ { "llama2_format": { "required": false, - "description": "If using llama2 provider, select the upstream message format.", "type": "string", + "description": "If using llama2 provider, select the upstream message format.", "one_of": [ "raw", "openai", 
@@ -289,8 +459,8 @@ { "mistral_format": { "required": false, - "description": "If using mistral provider, select the upstream message format.", "type": "string", + "description": "If using mistral provider, select the upstream message format.", "one_of": [ "openai", "ollama" @@ -304,9 +474,7 @@ "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint." } } - ], - "type": "record", - "description": "Key/value settings for the model" + ] } } ] 
@@ -321,190 +489,26 @@ "log_statistics": { "required": true, "type": "boolean", - "default": true, - "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output." + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "default": true } }, { "log_payloads": { "required": true, "type": "boolean", - "default": false, - "description": "If enabled, will log the request and response body into the Kong log plugin(s) output." + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "default": false } } ] } } ], - "required": true, - "type": "record", - "entity_checks": [ - { - "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "auth.header_name", - "auth.param_name" - ], - "if_match": { - "one_of": [ - "openai", - "azure", - "anthropic", - "cohere" - ] - }, - "then_err": "must set one of %s, and its respective options, when provider is not self-hosted" - } - }, - { - "mutually_required": [ - "auth.header_name", - "auth.header_value" - ] - }, - { - "mutually_required": [ - "auth.param_name", - "auth.param_value", - "auth.param_location" - ] - }, - { - "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.llama2_format" - ], - "if_match": { - "one_of": [ - "llama2" - ] - }, - "then_err": "must set %s for llama2 provider" - } - }, - { - "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.mistral_format" - ], - "if_match": { - "one_of": [ - "mistral" - ] - }, - "then_err": "must set %s for mistral provider" - } - }, - { - "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.name" - ], - "if_match": [ - - ], - "then_err": "Must set a model name. 
Refer to https://docs.konghq.com/hub/kong-inc/ai-proxy/ for supported models." - } - }, - { - "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.anthropic_version" - ], - "if_match": { - "one_of": [ - "anthropic" - ] - }, - "then_err": "must set %s for anthropic provider" - } - }, - { - "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_instance" - ], - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider" - } - }, - { - "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_api_version" - ], - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider" - } - }, - { - "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_deployment_id" - ], - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider" - } - }, - { - "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.upstream_url" - ], - "if_match": { - "one_of": [ - "mistral", - "llama2" - ] - }, - "then_err": "must set %s for self-hosted providers/models" - } - } - ] + "required": true } } - ], - "type": "record", - "required": true - } - } - ], - "entity_checks": [ - { - "conditional": { - "if_field": "config.llm.route_type", - "then_match": { - "eq": "llm/v1/chat" - }, - "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", - "if_match": { - "not_one_of": [ - "llm/v1/chat" - ] - }, - "then_field": "config.llm.route_type" + ] } } ] diff --git a/schemas/ai-response-transformer/3.6.x.json b/schemas/ai-response-transformer/3.6.x.json index beccee0f..9bf49b2d 100644 --- a/schemas/ai-response-transformer/3.6.x.json +++ b/schemas/ai-response-transformer/3.6.x.json 
@@ -1,41 +1,72 @@ { + "entity_checks": [ + { + "conditional": { + "then_match": { + "eq": "llm/v1/chat" + }, + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "if_field": "config.llm.route_type", + "then_field": "config.llm.route_type" + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } + ], "fields": [ { "protocols": { "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "required": true, + "description": "A set of strings representing HTTP protocols." } }, { "consumer": { - "type": "foreign", "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "type": "foreign", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "required": true, + "type": "record", "fields": [ { "prompt": { - "required": false, + "required": true, "type": "string", "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting." } 
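Review bot: Making `prompt` required (`"required": false` becomes `"required": true`) is a validation tightening that nothing in this hunk flags for readers. A plugin configuration that was previously accepted without a `prompt` would presumably be rejected against the updated schema. That deserves a line in whatever upgrade note accompanies the 3.6.x schemas. Separately, the `prompt` description carries a typo that ends up in rendered documentation: `adn what response format` should read `and what response format`.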
@@ -73,44 +104,189 @@ }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "http_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "https_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ ] } }, { "llm": { + "entity_checks": [ + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "auth.header_name", + "auth.param_name" + ], + "if_field": "model.provider", + "then_err": "must set one of %s, and its respective options, when provider is not self-hosted", + "if_match": { + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere" + ] + } + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.llama2_format" + ], + "if_field": "model.provider", + "then_err": "must set %s for llama2 provider", + "if_match": { + "one_of": [ + "llama2" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.mistral_format" + ], + "if_field": "model.provider", + "then_err": "must set %s for mistral provider", + "if_match": { + "one_of": [ + "mistral" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.name" + ], + "if_field": "model.provider", + "then_err": "Must set a model name. 
Refer to https://docs.konghq.com/hub/kong-inc/ai-proxy/ for supported models.", + "if_match": [ + + ] + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], + "if_field": "model.provider", + "then_err": "must set %s for anthropic provider", + "if_match": { + "one_of": [ + "anthropic" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.azure_instance" + ], + "if_field": "model.provider", + "then_err": "must set %s for azure provider", + "if_match": { + "one_of": [ + "azure" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], + "if_field": "model.provider", + "then_err": "must set %s for azure provider", + "if_match": { + "one_of": [ + "azure" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ], + "if_field": "model.provider", + "then_err": "must set %s for azure provider", + "if_match": { + "one_of": [ + "azure" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.upstream_url" + ], + "if_field": "model.provider", + "then_err": "must set %s for self-hosted providers/models", + "if_match": { + "one_of": [ + "mistral", + "llama2" + ] + } + } + } + ], + "type": "record", "fields": [ { "route_type": { "required": true, - "description": "The model's operation implementation, for this provider.", "type": "string", + "description": "The model's operation implementation, for this provider.", "one_of": [ "llm/v1/chat", "llm/v1/completions" 
@@ -125,42 +301,42 @@ { "header_name": { "required": false, - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "type": "string", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "referenceable": true } }, { "header_value": { + "referenceable": true, "type": "string", - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "required": false, - "encrypted": true, - "referenceable": true + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "encrypted": true } }, { "param_name": { "required": false, - "description": "If AI model requires authentication via query parameter, specify its name here.", "type": "string", + "description": "If AI model requires authentication via query parameter, specify its name here.", "referenceable": true } }, { "param_value": { + "referenceable": true, "type": "string", - "description": "Specify the full parameter value for 'param_name'.", "required": false, - "encrypted": true, - "referenceable": true + "description": "Specify the full parameter value for 'param_name'.", + "encrypted": true } }, { "param_location": { "required": false, - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "type": "string", + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "one_of": [ "query", "body" @@ -178,8 +354,8 @@ { "provider": { "required": true, - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "type": "string", + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "one_of": [ "openai", "azure", 
@@ -200,49 +376,51 @@ { "options": { "required": false, + "type": "record", + "description": "Key/value settings for the model", "fields": [ { "max_tokens": { "required": false, "type": "integer", - "default": 256, - "description": "Defines the max_tokens, if using chat or completion models." + "description": "Defines the max_tokens, if using chat or completion models.", + "default": 256 } }, { "temperature": { "type": "number", - "description": "Defines the matching temperature, if using chat or completion models.", - "required": false, + "default": 1, "between": [ 0, 5 ], - "default": 1 + "required": false, + "description": "Defines the matching temperature, if using chat or completion models." } }, { "top_p": { "type": "number", - "description": "Defines the top-p probability mass, if supported.", - "required": false, + "default": 1, "between": [ 0, 1 ], - "default": 1 + "required": false, + "description": "Defines the top-p probability mass, if supported." } }, { "top_k": { "type": "integer", - "description": "Defines the top-k most likely tokens, if supported.", - "required": false, + "default": 0, "between": [ 0, 500 ], - "default": 0 + "required": false, + "description": "Defines the top-k most likely tokens, if supported." } }, { @@ -263,8 +441,8 @@ "azure_api_version": { "required": false, "type": "string", - "default": "2023-05-15", - "description": "'api-version' for Azure OpenAI instances." + "description": "'api-version' for Azure OpenAI instances.", + "default": "2023-05-15" } }, { @@ -277,8 +455,8 @@ { "llama2_format": { "required": false, - "description": "If using llama2 provider, select the upstream message format.", "type": "string", + "description": "If using llama2 provider, select the upstream message format.", "one_of": [ "raw", "openai", 
@@ -289,8 +467,8 @@ { "mistral_format": { "required": false, - "description": "If using mistral provider, select the upstream message format.", "type": "string", + "description": "If using mistral provider, select the upstream message format.", "one_of": [ "openai", "ollama" @@ -304,9 +482,7 @@ "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint." } } - ], - "type": "record", - "description": "Key/value settings for the model" + ] } } ] 
@@ -321,190 +497,26 @@ "log_statistics": { "required": true, "type": "boolean", - "default": true, - "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output." + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "default": true } }, { "log_payloads": { "required": true, "type": "boolean", - "default": false, - "description": "If enabled, will log the request and response body into the Kong log plugin(s) output." + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "default": false } } ] } } ], - "required": true, - "type": "record", - "entity_checks": [ - { - "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "auth.header_name", - "auth.param_name" - ], - "if_match": { - "one_of": [ - "openai", - "azure", - "anthropic", - "cohere" - ] - }, - "then_err": "must set one of %s, and its respective options, when provider is not self-hosted" - } - }, - { - "mutually_required": [ - "auth.header_name", - "auth.header_value" - ] - }, - { - "mutually_required": [ - "auth.param_name", - "auth.param_value", - "auth.param_location" - ] - }, - { - "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.llama2_format" - ], - "if_match": { - "one_of": [ - "llama2" - ] - }, - "then_err": "must set %s for llama2 provider" - } - }, - { - "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.mistral_format" - ], - "if_match": { - "one_of": [ - "mistral" - ] - }, - "then_err": "must set %s for mistral provider" - } - }, - { - "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.name" - ], - "if_match": [ - - ], - "then_err": "Must set a model name. 
Refer to https://docs.konghq.com/hub/kong-inc/ai-proxy/ for supported models." - } - }, - { - "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.anthropic_version" - ], - "if_match": { - "one_of": [ - "anthropic" - ] - }, - "then_err": "must set %s for anthropic provider" - } - }, - { - "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_instance" - ], - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider" - } - }, - { - "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_api_version" - ], - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider" - } - }, - { - "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_deployment_id" - ], - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider" - } - }, - { - "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.upstream_url" - ], - "if_match": { - "one_of": [ - "mistral", - "llama2" - ] - }, - "then_err": "must set %s for self-hosted providers/models" - } - } - ] + "required": true } } - ], - "type": "record", - "required": true - } - } - ], - "entity_checks": [ - { - "conditional": { - "if_field": "config.llm.route_type", - "then_match": { - "eq": "llm/v1/chat" - }, - "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", - "if_match": { - "not_one_of": [ - "llm/v1/chat" - ] - }, - "then_field": "config.llm.route_type" + ] } } ] diff --git a/schemas/application-registration/3.6.x.json b/schemas/application-registration/3.6.x.json index 396bd9f5..0466f5ba 100644 --- a/schemas/application-registration/3.6.x.json +++ b/schemas/application-registration/3.6.x.json 
@@ -1,77 +1,80 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "service": { - "ne": null, - "type": "foreign", "reference": "services", - "on_delete": "cascade" + "type": "foreign", + "on_delete": "cascade", + "ne": null } }, { "route": { - "type": "foreign", "reference": "routes", + "type": "foreign", "eq": null, "description": "A reference to the 'routes' table with a null value allowed." } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "display_name": { - "unique": true, - "type": "string", "required": true, - "description": "Unique display name used for a Service in the Developer Portal." + "unique": true, + "description": "Unique display name used for a Service in the Developer Portal.", + "type": "string" } }, { "description": { - "unique": true, "type": "string", - "description": "Unique description displayed in information about a Service in the Developer Portal." + "description": "Unique description displayed in information about a Service in the Developer Portal.", + "unique": true } }, { @@ -93,8 +96,5 @@ ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
diff --git a/schemas/aws-lambda/3.6.x.json b/schemas/aws-lambda/3.6.x.json index 560c25a1..9e161eab 100644 --- a/schemas/aws-lambda/3.6.x.json +++ b/schemas/aws-lambda/3.6.x.json 
@@ -1,255 +1,255 @@ { + "entity_checks": [ + { + "mutually_required": [ + "config.aws_key", + "config.aws_secret" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "config.proxy_url" + ] + } + } + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "timeout": { - "type": "number", - "default": 60000, "required": true, - "description": "An optional timeout in milliseconds when invoking the function." + "type": "number", + "description": "An optional timeout in milliseconds when invoking the function.", + "default": 60000 } }, { "keepalive": { - "type": "number", - "default": 60000, "required": true, - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "default": 60000 } }, { "aws_key": { - "encrypted": true, "referenceable": true, "type": "string", - "description": "The AWS key credential to be used when invoking the function." + "description": "The AWS key credential to be used when invoking the function.", + "encrypted": true } }, { "aws_secret": { - "encrypted": true, "referenceable": true, "type": "string", - "description": "The AWS secret credential to be used when invoking the function. 
" + "description": "The AWS secret credential to be used when invoking the function. ", + "encrypted": true } }, { "aws_assume_role_arn": { - "encrypted": true, "referenceable": true, "type": "string", - "description": "The target AWS IAM role ARN used to invoke the Lambda function." + "description": "The target AWS IAM role ARN used to invoke the Lambda function.", + "encrypted": true } }, { "aws_role_session_name": { - "default": "kong", "type": "string", - "description": "The identifier of the assumed role session." + "description": "The identifier of the assumed role session.", + "default": "kong" } }, { "aws_region": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "function_name": { - "type": "string", "required": false, + "type": "string", "description": "The AWS Lambda function name to invoke." } }, { "qualifier": { - "type": "string", - "description": "The qualifier to use when invoking the function." + "description": "The qualifier to use when invoking the function.", + "type": "string" } }, { "invocation_type": { - "required": true, "type": "string", + "default": "RequestResponse", + "required": true, + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", "one_of": [ "RequestResponse", "Event", "DryRun" - ], - "default": "RequestResponse", - "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun." + ] } }, { "log_type": { - "required": true, "type": "string", + "default": "Tail", + "required": true, + "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", "one_of": [ "Tail", "None" - ], - "default": "Tail", - "description": "The LogType to use when invoking the function. By default, None and Tail are supported." 
+ ] } }, { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 443, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "default": 443, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "disable_https": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "unhandled_status": { + "type": "integer", + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", "between": [ 100, 999 - ], - "type": "integer", - "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error." + ] } }, { "forward_request_method": { - "default": false, "type": "boolean", - "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request." + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", + "default": false } }, { "forward_request_uri": { - "default": false, "type": "boolean", - "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request." 
+ "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", + "default": false } }, { "forward_request_headers": { - "default": false, "type": "boolean", - "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request." + "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", + "default": false } }, { "forward_request_body": { - "default": false, "type": "boolean", - "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. " + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. ", + "default": false } }, { "is_proxy_integration": { - "default": false, "type": "boolean", - "description": "An optional value that defines whether the response format to receive from the Lambda to this format." + "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", + "default": false } }, { "awsgateway_compatible": { - "default": false, "type": "boolean", - "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway." + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", + "default": false } }, { "proxy_url": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "skip_large_bodies": { - "default": true, "type": "boolean", - "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk" + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", + "default": true } }, { "base64_encode_body": { - "default": true, "type": "boolean", - "description": "An optional value that Base64-encodes the request body." + "description": "An optional value that Base64-encodes the request body.", + "default": true } }, { "aws_imds_protocol_version": { - "required": true, "type": "string", + "default": "v1", + "required": true, + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", "one_of": [ "v1", "v2" - ], - "default": "v1", - "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`." + ] } } ] } } - ], - "entity_checks": [ - { - "mutually_required": [ - "config.aws_key", - "config.aws_secret" - ] - }, - { - "custom_entity_check": { - "field_sources": [ - "config.proxy_url" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/azure-functions/3.6.x.json b/schemas/azure-functions/3.6.x.json index 230f05db..278e9f48 100644 --- a/schemas/azure-functions/3.6.x.json +++ b/schemas/azure-functions/3.6.x.json @@ -1,15 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { "one_of": [ "grpc", 
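Review bot: `aws_imds_protocol_version` keeps `"default": "v1"` on the new side of schemas/aws-lambda/3.6.x.json, and its description lists the two values without saying which to prefer. IMDSv2 is the session-token variant AWS introduced to limit SSRF-style theft of instance credentials. A gateway that reads credentials from the instance metadata service (presumably what this option controls) is better served by `v2` wherever the instance supports it. I would append `Prefer v2 where the instance metadata service supports it.` to the description; changing the default itself is an upstream decision. In the same hunk, `disable_https` has no description at all, although it controls whether the connection uses TLS.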
@@ -26,64 +21,72 @@ "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "timeout": { - "default": 600000, "type": "number", + "default": 600000, "description": "Timeout in milliseconds before closing a connection to the Azure Functions server." } }, { "keepalive": { - "default": 60000, "type": "number", + "default": 60000, "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed." } }, { "https": { - "default": true, "type": "boolean", + "default": true, "description": "Use of HTTPS to connect with the Azure Functions server." } }, { "https_verify": { - "default": false, "type": "boolean", + "default": false, "description": "Set to `true` to authenticate the Azure Functions server." } }, { "apikey": { "encrypted": true, - "referenceable": true, "type": "string", - "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header." + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", + "referenceable": true } }, { "clientid": { "encrypted": true, - "referenceable": true, "type": "string", - "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header." + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.", + "referenceable": true } }, { 
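Review bot: `https_verify` defaults to `false` while `https` defaults to `true`, so by default the connection is encrypted but the Azure Functions server's certificate is not checked. Per their descriptions, `apikey` and `clientid` are injected as the `x-functions-key` and `x-functions-clientid` headers, so those credentials go to a peer whose identity was never verified. The `https_verify` description should state that consequence, for example by appending `When false, the server certificate is not validated and the function credentials can be intercepted by an on-path attacker.` Configuration examples built from this schema should set `"https_verify": true`. The default itself would have to change upstream if this file is a generated snapshot.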
@@ -95,16 +98,16 @@ }, { "hostdomain": { - "default": "azurewebsites.net", "required": true, "type": "string", + "default": "azurewebsites.net", "description": "The domain where the function resides." } }, { "routeprefix": { - "default": "api", "type": "string", + "default": "api", "description": "Route prefix to use." } }, @@ -118,8 +121,5 @@ ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/basic-auth/3.6.x.json b/schemas/basic-auth/3.6.x.json index d13263be..73299c81 100644 --- a/schemas/basic-auth/3.6.x.json +++ b/schemas/basic-auth/3.6.x.json @@ -1,9 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } @@ -12,8 +15,15 @@ "protocols": { "required": true, "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -21,50 +31,48 @@ "https", "ws", "wss" - ] - }, - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] + ], + "type": "string" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "anonymous": { - "type": "string", - "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "hide_credentials": { - "default": false, - "type": "boolean", "required": true, + "type": "boolean", + "default": false, "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it." } + }, + { + "realm": { + "required": true, + "type": "string", + "default": "service", + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value." + } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/bot-detection/3.6.x.json b/schemas/bot-detection/3.6.x.json index 5065475c..7f32a9c4 100644 
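Review bot: The description of the newly added `realm` field reads "sends an `WWW-Authenticate` header"; the article should be "a". In the same file, `protocols` (this hunk and `@@ -12,8 +15,15 @@`) is the only `protocols` field among the schemas visible here that has no `description`; adding `"description": "A set of strings representing protocols."` would match the azure-functions schema. Both are wording fixes for the schema source, since this file appears to be a downloaded copy.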
--- a/schemas/bot-detection/3.6.x.json +++ b/schemas/bot-detection/3.6.x.json @@ -1,79 +1,79 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "allow": { "elements": { - "type": "string", - "is_regex": true + "is_regex": true, + "type": "string" }, "type": "array", + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", "default": [ - ], - "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header." + ] } }, { "deny": { "elements": { - "type": "string", - "is_regex": true + "is_regex": true, + "type": "string" }, "type": "array", + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", "default": [ - ], - "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header." + ] } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
diff --git a/schemas/canary/3.6.x.json b/schemas/canary/3.6.x.json index 4714d4b0..74cb7bad 100644 --- a/schemas/canary/3.6.x.json +++ b/schemas/canary/3.6.x.json 
@@ -1,65 +1,89 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.upstream_uri", + "config.upstream_host", + "config.upstream_port" + ] + }, + { + "conditional": { + "then_field": "config.hash_header", + "if_field": "config.hash", + "then_match": { + "required": true + }, + "if_match": { + "eq": "header" + } + } + }, + { + "conditional": { + "then_field": "config.upstream_host", + "if_field": "config.upstream_fallback", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + } + } + } + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "config": { - "shorthand_fields": [ - { - "hash": { - "type": "string", - "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead." - } - } - ], "required": true, "type": "record", "fields": [ { "start": { - "type": "number", - "description": "Future time in seconds since epoch, when the canary release will start. Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`." + "description": "Future time in seconds since epoch, when the canary release will start. 
Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`.", + "type": "number" } }, { "hash": { - "default": "consumer", "one_of": [ "consumer", "ip", 
@@ -69,122 +93,98 @@ "header" ], "type": "string", - "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value." + "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", + "default": "consumer" } }, { "hash_header": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } }, { "duration": { - "default": 3600, "gt": 0, "type": "number", - "description": "The duration of the canary release in seconds." + "description": "The duration of the canary release in seconds.", + "default": 3600 } }, { "steps": { - "default": 1000, "gt": 1, "type": "number", - "description": "The number of steps for the canary release." + "description": "The number of steps for the canary release.", + "default": 1000 } }, { "percentage": { + "type": "number", + "description": "The percentage of traffic to be routed to the canary release.", "between": [ 0, 100 - ], - "type": "number", - "description": "The percentage of traffic to be routed to the canary release." + ] } }, { "upstream_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." 
+ "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "upstream_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "upstream_uri": { - "len_min": 1, "type": "string", - "description": "The URI of the upstream server to be used for the canary release." + "description": "The URI of the upstream server to be used for the canary release.", + "len_min": 1 } }, { "upstream_fallback": { "required": true, - "default": false, "type": "boolean", + "default": false, "description": "Specifies whether to fallback to the upstream server if the canary release fails." } }, { "groups": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "description": "The groups allowed to access the canary release." } }, { "canary_by_header_name": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" + } + } + ], + "shorthand_fields": [ + { + "hash": { + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead.", + "type": "string" } } ] } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.upstream_uri", - "config.upstream_host", - "config.upstream_port" - ] - }, - { - "conditional": { - "then_field": "config.hash_header", - "if_match": { - "eq": "header" - }, - "then_match": { - "required": true - }, - "if_field": "config.hash" - } - }, - { - "conditional": { - "then_field": "config.upstream_host", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "config.upstream_fallback" - } - } ] } \ No newline at end of file 
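Review bot: The `shorthand_fields.hash` description relocated by this hunk runs two sentences together: "Use `allow` instead `blacklist` is deprecated." A full stop is missing after "instead", which makes the deprecation guidance for `whitelist` and `blacklist` hard to read. Suggested text: ``"Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead. `blacklist` is deprecated. Use `deny` instead."``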
diff --git a/schemas/correlation-id/3.6.x.json b/schemas/correlation-id/3.6.x.json index 23a1ae12..6acd0dcf 100644 --- a/schemas/correlation-id/3.6.x.json +++ b/schemas/correlation-id/3.6.x.json @@ -1,63 +1,66 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "header_name": { - "default": "Kong-Request-ID", "type": "string", + "default": "Kong-Request-ID", "description": "The HTTP header name to use for the correlation ID." } }, { "generator": { - "type": "string", "one_of": [ "uuid", "uuid#counter", "tracker" ], + "type": "string", "default": "uuid#counter", "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators)." } }, { "echo_downstream": { - "type": "boolean", "required": true, + "type": "boolean", "default": false, "description": "Whether to echo the header back to downstream (the client)." } @@ -65,8 +68,5 @@ ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/cors/3.6.x.json b/schemas/cors/3.6.x.json index cd56c729..2d8f7878 100644 --- a/schemas/cors/3.6.x.json +++ b/schemas/cors/3.6.x.json 
@@ -1,25 +1,19 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "len_min": 1, "one_of": [ "grpc", "grpcs", @@ -27,67 +21,63 @@ "https" ], "type": "string", - "required": true + "required": true, + "len_min": 1 }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "origins": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes." } }, { "headers": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "description": "Value for the `Access-Control-Allow-Headers` header." } }, { "exposed_headers": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed." } }, { "methods": { - "default": [ - "GET", - "HEAD", - "PUT", - "PATCH", - "POST", - "DELETE", - "OPTIONS", - "TRACE", - "CONNECT" - ], - "type": "array", "elements": { - "type": "string", "one_of": [ "GET", "HEAD", 
@@ -98,46 +88,56 @@ "OPTIONS", "TRACE", "CONNECT" - ] + ], + "type": "string" }, - "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'" + "type": "array", + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", + "default": [ + "GET", + "HEAD", + "PUT", + "PATCH", + "POST", + "DELETE", + "OPTIONS", + "TRACE", + "CONNECT" + ] } }, { "max_age": { - "type": "number", - "description": "Indicates how long the results of the preflight request can be cached, in `seconds`." + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`.", + "type": "number" } }, { "credentials": { - "type": "boolean", "required": true, - "default": false, - "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value." + "type": "boolean", + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", + "default": false } }, { "private_network": { - "type": "boolean", "required": true, - "default": false, - "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value." + "type": "boolean", + "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", + "default": false } }, { "preflight_continue": { - "type": "boolean", "required": true, - "default": false, - "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service." 
+ "type": "boolean", + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", + "default": false } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/datadog/3.6.x.json b/schemas/datadog/3.6.x.json index ea4be6ad..3860562d 100644 --- a/schemas/datadog/3.6.x.json +++ b/schemas/datadog/3.6.x.json @@ -1,15 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { "one_of": [ "grpc", @@ -26,20 +21,27 @@ "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "entity_checks": [ { "custom_entity_check": { @@ -51,25 +53,25 @@ } } ], - "required": true, + "type": "record", "fields": [ { "host": { - "default": "localhost", "referenceable": true, "type": "string", + "default": "localhost", "description": "A string representing a host name, such as example.com." } }, { "port": { + "default": 8125, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "default": 8125, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { 
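Review bot: The `methods` description in this hunk is wrapped in literal single quotes inside the JSON string (`"'Value for the ... By default, all options are allowed.'"`), so the quotes will show up in rendered documentation. They look like quoting left over from another format; the string should start at `Value for the` and end at `are allowed.` with the two `'` characters removed. No other description in the visible CORS schema has this wrapping.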
@@ -102,64 +104,64 @@ }, { "retry_count": { - "type": "integer", - "description": "Number of times to retry when sending data to the upstream server." + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" } }, { "queue_size": { - "type": "integer", - "description": "Maximum number of log entries to be sent on each message to the upstream server." + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" } }, { "flush_timeout": { - "type": "number", - "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records." + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" } }, { "queue": { - "type": "record", "required": true, + "type": "record", "fields": [ { "max_batch_size": { + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 - ], - "type": "integer", - "default": 1, - "description": "Maximum number of entries that can be processed at a time." + ] } }, { "max_coalescing_delay": { + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 - ], - "type": "number", - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + ] } }, { "max_entries": { + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 - ], - "type": "integer", - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue." 
+ ] } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { @@ -171,24 +173,24 @@ }, { "initial_retry_delay": { + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 - ], - "type": "number", - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch." + ] } }, { "max_retry_delay": { + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ], - "type": "number", - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff." + ] } } ] @@ -196,23 +198,21 @@ }, { "metrics": { - "required": true, - "type": "array", "elements": { "entity_checks": [ { "conditional": { "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + }, "if_match": { "one_of": [ "counter", "gauge" ] - }, - "then_match": { - "required": true - }, - "if_field": "stat_type" + } } } ], @@ -220,7 +220,9 @@ "fields": [ { "name": { + "required": true, "type": "string", + "description": "Datadog metric’s name", "one_of": [ "kong_latency", "latency", @@ -228,14 +230,14 @@ "request_size", "response_size", "upstream_latency" - ], - "required": true, - "description": "Datadog metric’s name" + ] } }, { "stat_type": { + "required": true, "type": "string", + "description": "Determines what sort of event the metric represents", "one_of": [ "counter", "gauge", 
@@ -244,29 +246,27 @@ "set", "timer", "distribution" - ], - "required": true, - "description": "Determines what sort of event the metric represents" + ] } }, { "tags": { - "type": "array", "elements": { "type": "string", "match": "^.*[^:]$" }, + "type": "array", "description": "List of tags" } }, { "sample_rate": { + "type": "number", + "description": "Sampling rate", "between": [ 0, 1 - ], - "type": "number", - "description": "Sampling rate" + ] } }, { @@ -282,65 +282,65 @@ } ] }, + "type": "array", "default": [ { + "stat_type": "counter", + "consumer_identifier": "custom_id", "tags": [ "app:kong" ], "name": "request_count", - "sample_rate": 1, - "stat_type": "counter", - "consumer_identifier": "custom_id" + "sample_rate": 1 }, { + "stat_type": "timer", + "name": "latency", + "consumer_identifier": "custom_id", "tags": [ "app:kong" - ], - "consumer_identifier": "custom_id", - "stat_type": "timer", - "name": "latency" + ] }, { + "stat_type": "timer", + "name": "request_size", + "consumer_identifier": "custom_id", "tags": [ "app:kong" - ], - "consumer_identifier": "custom_id", - "stat_type": "timer", - "name": "request_size" + ] }, { + "stat_type": "timer", + "name": "response_size", + "consumer_identifier": "custom_id", "tags": [ "app:kong" - ], - "consumer_identifier": "custom_id", - "stat_type": "timer", - "name": "response_size" + ] }, { + "stat_type": "timer", + "name": "upstream_latency", + "consumer_identifier": "custom_id", "tags": [ "app:kong" - ], - "consumer_identifier": "custom_id", - "stat_type": "timer", - "name": "upstream_latency" + ] }, { + "stat_type": "timer", + "name": "kong_latency", + "consumer_identifier": "custom_id", "tags": [ "app:kong" - ], - "consumer_identifier": "custom_id", - "stat_type": "timer", - "name": "kong_latency" + ] } ], + "required": true, "description": "List of metrics to be logged." } } - ] + ], + "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
diff --git a/schemas/degraphql/3.6.x.json b/schemas/degraphql/3.6.x.json index b28b09c3..941bb303 100644 --- a/schemas/degraphql/3.6.x.json +++ b/schemas/degraphql/3.6.x.json @@ -1,68 +1,68 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "graphql_server_path": { + "type": "string", + "default": "/graphql", + "starts_with": "/", + "required": true, + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ], - "required": true, - "starts_with": "/", - "type": "string", - "default": "/graphql", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + ] } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/exit-transformer/3.6.x.json b/schemas/exit-transformer/3.6.x.json index 1dda7df4..2b1e9513 100644 
--- a/schemas/exit-transformer/3.6.x.json +++ b/schemas/exit-transformer/3.6.x.json @@ -1,47 +1,50 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "functions": { + "required": true, "type": "array", "elements": { "type": "string" - }, - "required": true + } } }, { @@ -61,8 +64,5 @@ ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/file-log/3.6.x.json b/schemas/file-log/3.6.x.json index ff1a4be1..0838b4dc 100644 --- a/schemas/file-log/3.6.x.json +++ b/schemas/file-log/3.6.x.json @@ -1,15 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { "one_of": [ "grpc", 
@@ -26,37 +21,45 @@ "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "path": { - "match": "^[^*&%%\\`]+$", - "required": true, "type": "string", - "err": "not a valid filename", - "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet." + "required": true, + "match": "^[^*&%%\\`]+$", + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", + "err": "not a valid filename" } }, { "reopen": { - "type": "boolean", "required": true, - "default": false, - "description": "Determines whether the log file is closed and reopened on every request." + "type": "boolean", + "description": "Determines whether the log file is closed and reopened on every request.", + "default": false } }, { @@ -65,19 +68,16 @@ "type": "string", "len_min": 1 }, + "type": "map", + "description": "Lua code as a key-value map", "values": { "len_min": 1, "type": "string" - }, - "type": "map", - "description": "Lua code as a key-value map" + } } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/forward-proxy/3.6.x.json b/schemas/forward-proxy/3.6.x.json index ee73c460..a2aefc56 100644 --- a/schemas/forward-proxy/3.6.x.json +++ b/schemas/forward-proxy/3.6.x.json 
@@ -1,50 +1,40 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", - "shorthand_fields": [ - { - "proxy_host": { - "type": "string" - } - }, - { - "proxy_port": { - "type": "integer" - } - } - ], "entity_checks": [ { "at_least_one_of": [ 
@@ -71,93 +61,103 @@ ] } ], + "type": "record", "required": true, "fields": [ { "x_headers": { - "required": true, "type": "string", + "default": "append", + "required": true, + "description": "Determines how to handle headers when forwarding the request.", "one_of": [ "append", "transparent", "delete" - ], - "default": "append", - "description": "Determines how to handle headers when forwarding the request." + ] } }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "http_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "https_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "proxy_scheme": { - "required": true, "type": "string", + "default": "http", + "required": true, + "description": "The proxy scheme to use when connecting. Only `http` is supported.", "one_of": [ "http" - ], - "default": "http", - "description": "The proxy scheme to use when connecting. Only `http` is supported." + ] } }, { "auth_username": { - "type": "string", "referenceable": true, - "required": false, - "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication." 
+ "type": "string", + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "required": false } }, { "auth_password": { - "type": "string", "referenceable": true, - "required": false, - "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication." + "type": "string", + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "required": false } }, { "https_verify": { - "default": false, - "type": "boolean", "required": true, + "type": "boolean", + "default": false, "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate." } } + ], + "shorthand_fields": [ + { + "proxy_host": { + "type": "string" + } + }, + { + "proxy_port": { + "type": "integer" + } + } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/graphql-proxy-cache-advanced/3.6.x.json b/schemas/graphql-proxy-cache-advanced/3.6.x.json index 900b6cc7..0ba91ea2 100644 --- a/schemas/graphql-proxy-cache-advanced/3.6.x.json +++ b/schemas/graphql-proxy-cache-advanced/3.6.x.json 
@@ -1,68 +1,71 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "strategy": { - "required": true, "type": "string", + "default": "memory", + "required": true, + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", "one_of": [ "memory" - ], - "default": "memory", - "description": "The backing data store in which to hold cached entities. Accepted value is `memory`." + ] } }, { "cache_ttl": { - "type": "integer", "gt": 0, + "type": "integer", "default": 300, "description": "TTL in seconds of cache entities. Must be a value greater than 0." } }, { "memory": { - "type": "record", "required": true, + "type": "record", "fields": [ { "dictionary_name": { - "type": "string", "required": true, + "type": "string", "default": "kong_db_cache", "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template." } @@ -72,18 +75,15 @@ }, { "vary_headers": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
diff --git a/schemas/graphql-rate-limiting-advanced/3.6.x.json b/schemas/graphql-rate-limiting-advanced/3.6.x.json index 9702bd51..83be4422 100644 --- a/schemas/graphql-rate-limiting-advanced/3.6.x.json +++ b/schemas/graphql-rate-limiting-advanced/3.6.x.json 
@@ -1,88 +1,97 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "identifier": { - "required": true, "type": "string", + "default": "consumer", + "required": true, + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", "one_of": [ "ip", "credential", "consumer" - ], - "default": "consumer", - "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`." + ] } }, { "window_size": { - "type": "array", "required": true, + "type": "array", + "description": "One or more window sizes to apply a limit to (defined in seconds).", "elements": { "type": "number" - }, - "description": "One or more window sizes to apply a limit to (defined in seconds)." + } } }, { "window_type": { - "type": "string", "one_of": [ "fixed", "sliding" ], - "default": "sliding", - "description": "Sets the time window to either `sliding` or `fixed`." 
+ "type": "string", + "description": "Sets the time window to either `sliding` or `fixed`.", + "default": "sliding" } }, { "limit": { - "type": "array", "required": true, + "type": "array", + "description": "One or more requests-per-window limits to apply.", "elements": { "type": "number" - }, - "description": "One or more requests-per-window limits to apply." + } } }, { "sync_rate": { - "type": "number", "required": true, + "type": "number", "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds." } }, 
@@ -95,96 +104,95 @@ }, { "strategy": { - "required": true, "type": "string", + "default": "cluster", + "required": true, + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", "one_of": [ "cluster", "redis" - ], - "default": "cluster", - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits." + ] } }, { "dictionary_name": { - "type": "string", - "default": "kong_rate_limiting_counters", "required": true, - "description": "The shared dictionary where counters will be stored until the next sync cycle." + "type": "string", + "description": "The shared dictionary where counters will be stored until the next sync cycle.", + "default": "kong_rate_limiting_counters" } }, { "hide_client_headers": { - "default": false, "type": "boolean", - "description": "Optionally hide informative response headers. Available options: `true` or `false`." + "description": "Optionally hide informative response headers. Available options: `true` or `false`.", + "default": false } }, { "cost_strategy": { - "type": "string", "one_of": [ "default", "node_quantifier" ], - "default": "default", - "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`." + "type": "string", + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", + "default": "default" } }, { "score_factor": { "gt": 0, "type": "number", - "required": false, "default": 1, + "required": false, "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0." } }, { "max_cost": { - "type": "number", - "default": 0, "required": false, - "description": "A defined maximum cost per query. 0 means unlimited." + "type": "number", + "description": "A defined maximum cost per query. 
0 means unlimited.", + "default": 0 } }, { "redis": { - "type": "record", "entity_checks": [ { "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_addresses" + ], + "set2": [ + "host", + "port" ] } }, { "mutually_exclusive_sets": { - "set2": [ - "cluster_addresses" - ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_addresses" + ], + "set2": [ + "cluster_addresses" ] } }, { "mutually_exclusive_sets": { + "set1": [ + "cluster_addresses" + ], "set2": [ "host", "port" - ], - "set1": [ - "cluster_addresses" ] } }, 
@@ -209,63 +217,63 @@ ] } ], - "required": true, + "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "timeout": { + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { 
@@ -278,9 +286,9 @@ { "password": { "encrypted": true, - "referenceable": true, "type": "string", - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true } }, { 
@@ -293,43 +301,43 @@ { "sentinel_password": { "encrypted": true, - "referenceable": true, "type": "string", - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true } }, { "database": { - "default": 0, "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", + "default": 256, "between": [ 1, 2147483646 - ], - "default": 256, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + ] } }, { "keepalive_backlog": { + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. 
Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { 
@@ -345,38 +353,38 @@ }, { "sentinel_addresses": { - "len_min": 1, "elements": { "type": "string" }, "type": "array", - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element." + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "len_min": 1 } }, { "cluster_addresses": { - "len_min": 1, "elements": { "type": "string" }, "type": "array", - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element." + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "len_min": 1 } }, { "ssl": { - "default": false, "required": false, "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis." + "description": "If set to true, uses SSL to connect to Redis.", + "default": false } }, { "ssl_verify": { - "default": false, "required": false, "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false } }, { @@ -386,20 +394,12 @@ "description": "A string representing an SNI (server name indication) value for TLS." } } - ] + ], + "required": true } } ] } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/grpc-gateway/3.6.x.json b/schemas/grpc-gateway/3.6.x.json index e5c44164..0e1beb41 100644 --- a/schemas/grpc-gateway/3.6.x.json +++ b/schemas/grpc-gateway/3.6.x.json @@ -1,15 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { "one_of": [ "grpc", @@ -26,34 +21,39 @@ "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "proto": { - "type": "string", "required": false, + "type": "string", "description": "Describes the gRPC types and methods." } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/grpc-web/3.6.x.json b/schemas/grpc-web/3.6.x.json index 83276fac..e9b434c6 100644 --- a/schemas/grpc-web/3.6.x.json +++ b/schemas/grpc-web/3.6.x.json 
@@ -1,15 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { "one_of": [ "grpc", @@ -26,26 +21,34 @@ "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "proto": { - "type": "string", "required": false, + "type": "string", "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content." } }, @@ -58,17 +61,14 @@ }, { "allow_origin_header": { - "type": "string", - "default": "*", "required": false, - "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client." + "type": "string", + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", + "default": "*" } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/hmac-auth/3.6.x.json b/schemas/hmac-auth/3.6.x.json index 01d6da0d..2fd8cdc7 100644 --- a/schemas/hmac-auth/3.6.x.json +++ b/schemas/hmac-auth/3.6.x.json @@ -1,9 +1,18 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.algorithms" + ] + } + } + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } 
@@ -12,8 +21,15 @@ "protocols": { "required": true, "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", @@ -21,59 +37,52 @@ "https", "ws", "wss" - ] - }, - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] + ], + "type": "string" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "hide_credentials": { - "default": false, "required": true, "type": "boolean", - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service." + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "default": false } }, { "clock_skew": { - "default": 300, "gt": 0, "type": "number", - "description": "Clock skew in seconds to prevent replay attacks." + "description": "Clock skew in seconds to prevent replay attacks.", + "default": 300 } }, { "anonymous": { - "type": "string", - "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" } }, { "validate_request_body": { - "default": false, "required": true, "type": "boolean", - "description": "A boolean value telling the plugin to enable body validation." + "description": "A boolean value telling the plugin to enable body validation.", + "default": false } }, { 
@@ -82,44 +91,35 @@ "type": "string" }, "type": "array", + "description": "A list of headers that the client should at least use for HTTP signature creation.", "default": [ - ], - "description": "A list of headers that the client should at least use for HTTP signature creation." + ] } }, { "algorithms": { "elements": { - "type": "string", "one_of": [ "hmac-sha1", "hmac-sha256", "hmac-sha384", "hmac-sha512" - ] + ], + "type": "string" }, "type": "array", + "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", "default": [ "hmac-sha1", "hmac-sha256", "hmac-sha384", "hmac-sha512" - ], - "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`" + ] } } ] } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.algorithms" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/http-log/3.6.x.json b/schemas/http-log/3.6.x.json index 1e8e78d7..f0923520 100644 --- a/schemas/http-log/3.6.x.json +++ b/schemas/http-log/3.6.x.json @@ -1,15 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { "one_of": [ "grpc", @@ -26,20 +21,27 @@ "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, "entity_checks": [ { "custom_entity_check": { 
@@ -55,138 +57,138 @@ "fields": [ { "http_endpoint": { + "referenceable": true, "type": "string", "encrypted": true, - "referenceable": true, - "required": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": true } }, { "method": { - "default": "POST", "one_of": [ "POST", "PUT", "PATCH" ], "type": "string", - "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`." + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", + "default": "POST" } }, { "content_type": { - "default": "application/json", "one_of": [ "application/json", "application/json; charset=utf-8" ], "type": "string", - "description": "Indicates the type of data sent. The only available option is `application/json`." + "description": "Indicates the type of data sent. The only available option is `application/json`.", + "default": "application/json" } }, { "timeout": { - "default": 10000, "type": "number", - "description": "An optional timeout in milliseconds when sending data to the upstream server." + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "default": 10000 } }, { "keepalive": { - "default": 60000, "type": "number", - "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed." + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", + "default": 60000 } }, { "retry_count": { - "type": "integer", - "description": "Number of times to retry when sending data to the upstream server." 
+ "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" } }, { "queue_size": { - "type": "integer", - "description": "Maximum number of log entries to be sent on each message to the upstream server." + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" } }, { "flush_timeout": { - "type": "number", - "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records." + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" } }, { "headers": { "keys": { + "type": "string", + "description": "A string representing an HTTP header name.", "match_none": [ { - "pattern": "^[Hh][Oo][Ss][Tt]$", - "err": "cannot contain 'Host' header" + "err": "cannot contain 'Host' header", + "pattern": "^[Hh][Oo][Ss][Tt]$" }, { - "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$", - "err": "cannot contain 'Content-Length' header" + "err": "cannot contain 'Content-Length' header", + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$" }, { - "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$", - "err": "cannot contain 'Content-Type' header" + "err": "cannot contain 'Content-Type' header", + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$" } - ], - "type": "string", - "description": "A string representing an HTTP header name." - }, - "values": { - "type": "string", - "referenceable": true + ] }, "type": "map", - "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string." + "description": "An optional table of headers included in the HTTP message to the upstream server. 
Values are indexed by header name, and each header name accepts a single string.", + "values": { + "referenceable": true, + "type": "string" + } } }, { "queue": { - "type": "record", "required": true, + "type": "record", "fields": [ { "max_batch_size": { + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 - ], - "type": "integer", - "default": 1, - "description": "Maximum number of entries that can be processed at a time." + ] } }, { "max_coalescing_delay": { + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 - ], - "type": "number", - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + ] } }, { "max_entries": { + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 - ], - "type": "integer", - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue." + ] } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { 
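Review bot: The `Content-Length` entry in `config.headers.keys.match_none` has the character class `[nn]` where the `Host` and `Content-Type` patterns pair both cases. A header key with an uppercase `N` in "Length" therefore passes this deny-list, although HTTP header names are case-insensitive. The pattern should read `^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][Nn][Gg][Tt][Hh]$`. This hunk only reorders keys and the file appears to be pulled from the API, so the fix presumably belongs in the upstream plugin schema, with this snapshot regenerated afterwards. Until then, anyone relying on the check to stop user-supplied log headers from overriding `Content-Length` should normalise header names before comparing.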
@@ -198,24 +200,24 @@ }, { "initial_retry_delay": { + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 - ], - "type": "number", - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch." + ] } }, { "max_retry_delay": { + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ], - "type": "number", - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff." + ] } } ] @@ -227,19 +229,17 @@ "type": "string", "len_min": 1 }, + "type": "map", + "description": "Lua code as a key-value map", "values": { "len_min": 1, "type": "string" - }, - "type": "map", - "description": "Lua code as a key-value map" + } } } - ] + ], + "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/ip-restriction/3.6.x.json b/schemas/ip-restriction/3.6.x.json index 5b4e7790..84ef56bc 100644 --- a/schemas/ip-restriction/3.6.x.json +++ b/schemas/ip-restriction/3.6.x.json @@ -1,17 +1,15 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ], "fields": [ { "protocols": { - "type": "set", - "required": true, - "default": [ - "http", - "https", - "tcp", - "tls", - "grpc", - "grpcs" - ], "elements": { "one_of": [ "grpc", 
@@ -28,58 +26,60 @@ "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", + "default": [ + "http", + "https", + "tcp", + "tls", + "grpc", + "grpcs" + ], + "required": true, "description": "A set of strings representing protocols." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "allow": { - "type": "array", "elements": { - "type": "string", - "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "type": "string" }, + "type": "array", "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified." } }, { "deny": { - "type": "array", "elements": { - "type": "string", - "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "type": "string" }, + "type": "array", "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified." } }, { "status": { - "type": "number", "required": false, + "type": "number", "description": "The HTTP status of the requests that will be rejected by the plugin." } }, { "message": { - "type": "string", "required": false, + "type": "string", "description": "The message to send as a response body to rejected requests." } } ] } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.allow", - "config.deny" - ] - } ] } \ No newline at end of file diff --git a/schemas/jq/3.6.x.json b/schemas/jq/3.6.x.json index 44a57883..03981bbb 100644 --- a/schemas/jq/3.6.x.json +++ b/schemas/jq/3.6.x.json 
@@ -1,38 +1,40 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -41,54 +43,54 @@ ] } ], - "required": true, + "type": "record", "fields": [ { "request_jq_program": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "request_jq_program_options": { + "required": false, + "type": "record", "default": [ ], - "type": "record", - "required": false, "fields": [ { "compact_output": { - "type": "boolean", "required": true, + "type": "boolean", "default": true } }, { "raw_output": { - "type": "boolean", "required": true, + "type": "boolean", "default": false } }, { "join_output": { - "type": "boolean", "required": true, + "type": "boolean", "default": false } }, { "ascii_output": { - "type": "boolean", "required": true, + "type": "boolean", "default": false } }, { "sort_keys": { - "type": "boolean", "required": true, + "type": "boolean", "default": false } } 
@@ -109,50 +111,50 @@ }, { "response_jq_program": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "response_jq_program_options": { + "required": false, + "type": "record", "default": [ ], - "type": "record", - "required": false, "fields": [ { "compact_output": { - "type": "boolean", "required": true, + "type": "boolean", "default": true } }, { "raw_output": { - "type": "boolean", "required": true, + "type": "boolean", "default": false } }, { "join_output": { - "type": "boolean", "required": true, + "type": "boolean", "default": false } }, { "ascii_output": { - "type": "boolean", "required": true, + "type": "boolean", "default": false } }, { "sort_keys": { - "type": "boolean", "required": true, + "type": "boolean", "default": false } } @@ -187,11 +189,9 @@ } } } - ] + ], + "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/jwe-decrypt/3.6.x.json b/schemas/jwe-decrypt/3.6.x.json index 83c8a1e4..70ca7b17 100644 --- a/schemas/jwe-decrypt/3.6.x.json +++ b/schemas/jwe-decrypt/3.6.x.json 
@@ -1,86 +1,86 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "lookup_header_name": { - "default": "Authorization", - "type": "string", "required": true, - "description": "The name of the header to look for the JWE token." + "type": "string", + "description": "The name of the header to look for the JWE token.", + "default": "Authorization" } }, { "forward_header_name": { - "default": "Authorization", - "type": "string", "required": true, - "description": "The name of the header that is used to set the decrypted value." + "type": "string", + "description": "The name of the header that is used to set the decrypted value.", + "default": "Authorization" } }, { "key_sets": { "required": true, "type": "array", + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", "elements": { "type": "string" - }, - "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token." 
+ } } }, { "strict": { "type": "boolean", - "default": true, - "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found." + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", + "default": true } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/jwt-signer/3.6.x.json b/schemas/jwt-signer/3.6.x.json index a9398113..71ac03cd 100644 --- a/schemas/jwt-signer/3.6.x.json +++ b/schemas/jwt-signer/3.6.x.json 
@@ -1,84 +1,87 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "realm": { - "type": "string", "required": false, + "type": "string", "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value." } }, { "enable_hs_signatures": { + "required": false, "type": "boolean", "default": false, - "required": false, "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting." } }, { "enable_instrumentation": { + "required": false, "type": "boolean", "default": false, - "required": false, "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level." } }, { "access_token_issuer": { + "required": false, "type": "string", "default": "kong", - "required": false, "description": "The `iss` claim of a signed or re-signed access token is set to this value. 
Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token." } }, { "access_token_keyset": { + "required": false, "type": "string", "default": "kong", - "required": false, "description": "The name of the keyset containing signing keys." } }, @@ -91,17 +94,17 @@ }, { "access_token_request_header": { + "required": false, "type": "string", "default": "Authorization", - "required": false, "description": "This parameter tells the name of the header where to look for the access token." } }, { "access_token_leeway": { + "required": false, "type": "number", "default": 0, - "required": false, "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`." } }, @@ -109,22 +112,22 @@ "access_token_scopes_required": { "required": false, "type": "array", + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", "elements": { "type": "string" - }, - "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`." + } } }, { "access_token_scopes_claim": { + "elements": { + "type": "string" + }, "type": "array", - "required": false, "default": [ "scope" ], - "elements": { - "type": "string" - }, + "required": false, "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`." } }, 
@@ -132,44 +135,44 @@ "access_token_consumer_claim": { "required": false, "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", "elements": { "type": "string" - }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity." + } } }, { "access_token_consumer_by": { - "type": "array", - "required": false, - "default": [ - "username", - "custom_id" - ], "elements": { - "type": "string", "one_of": [ "id", "username", "custom_id" - ] + ], + "type": "string" }, + "type": "array", + "default": [ + "username", + "custom_id" + ], + "required": false, "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`." } }, { "access_token_upstream_header": { + "required": false, "type": "string", "default": "Authorization:Bearer", - "required": false, "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token." 
} }, { "access_token_upstream_leeway": { + "required": false, "type": "number", "default": 0, - "required": false, "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim." } }, @@ -182,23 +185,23 @@ }, { "access_token_introspection_authorization": { - "type": "string", "required": false, + "type": "string", "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter." } }, { "access_token_introspection_body_args": { - "type": "string", "required": false, + "type": "string", "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`." } }, { "access_token_introspection_hint": { + "required": false, "type": "string", "default": "access_token", - "required": false, "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`." } }, 
@@ -206,32 +209,32 @@ "access_token_introspection_jwt_claim": { "required": false, "type": "array", + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", "elements": { "type": "string" - }, - "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`." + } } }, { "access_token_introspection_scopes_required": { "required": false, "type": "array", + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", "elements": { "type": "string" - }, - "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`." + } } }, { "access_token_introspection_scopes_claim": { + "elements": { + "type": "string" + }, "type": "array", - "required": true, "default": [ "scope" ], - "elements": { - "type": "string" - }, + "required": true, "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`." } }, 
@@ -239,50 +242,52 @@ "access_token_introspection_consumer_claim": { "required": false, "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", "elements": { "type": "string" - }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity." + } } }, { "access_token_introspection_consumer_by": { - "type": "array", - "required": false, - "default": [ - "username", - "custom_id" - ], "elements": { - "type": "string", "one_of": [ "id", "username", "custom_id" - ] + ], + "type": "string" }, + "type": "array", + "default": [ + "username", + "custom_id" + ], + "required": false, "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values." } }, { "access_token_introspection_leeway": { + "required": false, "type": "number", "default": 0, - "required": false, "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`." } }, { "access_token_introspection_timeout": { - "type": "number", "required": false, + "type": "number", "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. 
If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection." } }, { "access_token_signing_algorithm": { - "required": true, "type": "string", + "default": "RS256", + "required": true, + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", "one_of": [ "HS256", "HS384", 
@@ -296,96 +301,94 @@ "PS384", "PS512", "EdDSA" - ], - "default": "RS256", - "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm." + ] } }, { "access_token_optional": { + "required": false, "type": "boolean", "default": false, - "required": false, "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect" } }, { "verify_access_token_signature": { + "required": false, "type": "boolean", "default": true, - "required": false, "description": "Quickly turn access token signature verification off and on as needed." } }, { "verify_access_token_expiry": { + "required": false, "type": "boolean", "default": true, - "required": false, "description": "Quickly turn access token expiry verification off and on as needed." } }, { "verify_access_token_scopes": { + "required": false, "type": "boolean", "default": true, - "required": false, "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`." } }, { "verify_access_token_introspection_expiry": { + "required": false, "type": "boolean", "default": true, - "required": false, "description": "Quickly turn access token introspection expiry verification off and on as needed." 
} }, { "verify_access_token_introspection_scopes": { + "required": false, "type": "boolean", "default": true, - "required": false, "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`." } }, { "cache_access_token_introspection": { + "required": false, "type": "boolean", "default": true, - "required": false, "description": "Whether to cache access token introspection results." } }, { "trust_access_token_introspection": { + "required": false, "type": "boolean", "default": true, - "required": false, "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload." } }, { "enable_access_token_introspection": { + "required": false, "type": "boolean", "default": true, - "required": false, "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection." } }, { "channel_token_issuer": { + "required": false, "type": "string", "default": "kong", - "required": false, "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token." } }, { "channel_token_keyset": { + "required": false, "type": "string", "default": "kong", - "required": false, "description": "The name of the keyset containing signing keys." } }, 
@@ -398,16 +401,16 @@ }, { "channel_token_request_header": { - "type": "string", "required": false, + "type": "string", "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string)." } }, { "channel_token_leeway": { + "required": false, "type": "number", "default": 0, - "required": false, "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`." } }, @@ -415,22 +418,22 @@ "channel_token_scopes_required": { "required": false, "type": "array", + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", "elements": { "type": "string" - }, - "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`." + } } }, { "channel_token_scopes_claim": { + "elements": { + "type": "string" + }, "type": "array", - "required": false, "default": [ "scope" ], - "elements": { - "type": "string" - }, + "required": false, "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims." } }, 
@@ -438,42 +441,42 @@ "channel_token_consumer_claim": { "required": false, "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", "elements": { "type": "string" - }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`." + } } }, { "channel_token_consumer_by": { "elements": { - "type": "string", "one_of": [ "id", "username", "custom_id" - ] + ], + "type": "string" }, "type": "array", + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", "default": [ "username", "custom_id" - ], - "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`." + ] } }, { "channel_token_upstream_header": { - "type": "string", "required": false, + "type": "string", "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value." 
} }, { "channel_token_upstream_leeway": { + "required": false, "type": "number", "default": 0, - "required": false, "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim." } }, 
@@ -488,62 +491,62 @@ "channel_token_introspection_authorization": { "required": false, "type": "string", + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", "elements": { "type": "string" - }, - "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens." + } } }, { "channel_token_introspection_body_args": { "required": false, "type": "string", + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", "elements": { "type": "string" - }, - "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`." + } } }, { "channel_token_introspection_hint": { "required": false, "type": "string", + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", "elements": { "type": "string" - }, - "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. 
By default, a `hint` isn't sent with channel token introspection." + } } }, { "channel_token_introspection_jwt_claim": { "required": false, "type": "array", + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", "elements": { "type": "string" - }, - "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong." + } } }, { "channel_token_introspection_scopes_required": { "required": false, "type": "array", + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", "elements": { "type": "string" - }, - "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`." + } } }, { "channel_token_introspection_scopes_claim": { + "elements": { + "type": "string" + }, "type": "array", - "required": false, "default": [ "scope" ], - "elements": { - "type": "string" - }, + "required": false, "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims." } }, 
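Review bot: The `description` of `channel_token_introspection_authorization` in this hunk talks about specifying the OAuth 2.0 introspection endpoint URI, not the `Authorization` header value, so anyone setting up client authentication from the generated docs is pointed at the wrong setting. It should mirror the wording used for `access_token_introspection_authorization` earlier in this file, e.g. `"description": "If the introspection endpoint requires client authentication, specify the Authorization header's value with this parameter."`. This field and the two after it (`channel_token_introspection_body_args`, `channel_token_introspection_hint`) also carry an `elements` block although their `type` is `string`, which looks like a leftover from an array definition. A similar slip sits in the `@@ -551,50 +554,52 @@` hunk, where `channel_token_introspection_timeout` refers to `config.access_token_introspection_timeout`, presumably meaning the channel setting. The commit message says these files are pulled from the API, so the correction likely belongs in the upstream schema; the `config.fields` array continues outside the hunk.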
@@ -551,50 +554,52 @@ "channel_token_introspection_consumer_claim": { "required": false, "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", "elements": { "type": "string" - }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity" + } } }, { "channel_token_introspection_consumer_by": { - "type": "array", - "required": false, - "default": [ - "username", - "custom_id" - ], "elements": { - "type": "string", "one_of": [ "id", "username", "custom_id" - ] + ], + "type": "string" }, + "type": "array", + "default": [ + "username", + "custom_id" + ], + "required": false, "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`." } }, { "channel_token_introspection_leeway": { + "required": false, "type": "number", "default": 0, - "required": false, "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`." } }, { "channel_token_introspection_timeout": { - "type": "number", "required": false, + "type": "number", "description": "Timeout in milliseconds for an introspection request. 
The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection." } }, { "channel_token_signing_algorithm": { - "required": true, "type": "string", + "default": "RS256", + "required": true, + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", "one_of": [ "HS256", "HS384", 
@@ -608,88 +613,82 @@ "PS384", "PS512", "EdDSA" - ], - "default": "RS256", - "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token." + ] } }, { "channel_token_optional": { + "required": false, "type": "boolean", "default": false, - "required": false, "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect" } }, { "verify_channel_token_signature": { + "required": false, "type": "boolean", "default": true, - "required": false, "description": "Quickly turn on/off the channel token signature verification." } }, { "verify_channel_token_expiry": { - "type": "boolean", "required": false, + "type": "boolean", "default": true } }, { "verify_channel_token_scopes": { + "required": false, "type": "boolean", "default": true, - "required": false, "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`." } }, { "verify_channel_token_introspection_expiry": { + "required": false, "type": "boolean", "default": true, - "required": false, "description": "Quickly turn on/off the channel token introspection expiry verification." } }, { "verify_channel_token_introspection_scopes": { + "required": false, "type": "boolean", "default": true, - "required": false, "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`." 
} }, { "cache_channel_token_introspection": { + "required": false, "type": "boolean", "default": true, - "required": false, "description": "Whether to cache channel token introspection results." } }, { "trust_channel_token_introspection": { + "required": false, "type": "boolean", "default": true, - "required": false, "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked." } }, { "enable_channel_token_introspection": { + "required": false, "type": "boolean", "default": true, - "required": false, "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`." } }, { "add_claims": { - "required": false, - "values": { - "type": "string" - }, "keys": { "type": "string" }, @@ -697,15 +696,15 @@ "default": [ ], - "description": "Add customized claims if they are not present yet." + "required": false, + "description": "Add customized claims if they are not present yet.", + "values": { + "type": "string" + } } }, { "set_claims": { - "required": false, - "values": { - "type": "string" - }, "keys": { "type": "string" }, @@ -713,14 +712,15 @@ "default": [ ], - "description": "Set customized claims. If a claim is already present, it will be overwritten." + "required": false, + "description": "Set customized claims. If a claim is already present, it will be overwritten.", + "values": { + "type": "string" + } } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/jwt/3.6.x.json b/schemas/jwt/3.6.x.json index e73388ed..ee578f47 100644 
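Review bot: `verify_channel_token_expiry` is the only verification toggle in the hunk starting at `@@ -608,88 +613,82 @@` that still has no `description`, although the commit exists to carry descriptions in the schemas. Following the wording of its siblings, it could read `"description": "Quickly turn on/off the channel token expiry verification."`. The field defaults to `true` and presumably decides whether an expired channel token is rejected, so it should be documented like the other checks. The record these fields belong to starts outside the hunk.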
--- a/schemas/jwt/3.6.x.json +++ b/schemas/jwt/3.6.x.json @@ -1,47 +1,61 @@ { + "entity_checks": [ + { + "conditional": { + "then_field": "config.claims_to_verify", + "if_field": "config.maximum_expiration", + "then_match": { + "contains": "exp" + }, + "if_match": { + "gt": 0 + } + } + } + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "uri_param_names": { @@ -49,10 +63,10 @@ "type": "string" }, "type": "set", + "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", "default": [ "jwt" - ], - "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs." + ] } }, { 
@@ -61,63 +75,63 @@ "type": "string" }, "type": "set", + "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", "default": [ - ], - "description": "A list of cookie names that Kong will inspect to retrieve JWTs." + ] } }, { "key_claim_name": { "type": "string", - "default": "iss", - "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order." + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", + "default": "iss" } }, { "secret_is_base64": { "required": true, "type": "boolean", - "default": false, - "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret." + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", + "default": false } }, { "claims_to_verify": { - "type": "set", "elements": { - "type": "string", "one_of": [ "exp", "nbf" - ] + ], + "type": "string" }, + "type": "set", "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf." } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." 
+ "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" } }, { "run_on_preflight": { "required": true, "type": "boolean", - "default": true, - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed." + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", + "default": true } }, { "maximum_expiration": { + "default": 0, + "type": "number", + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", "between": [ 0, 31536000 - ], - "type": "number", - "default": 0, - "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future." + ] } }, { @@ -126,28 +140,14 @@ "type": "string" }, "type": "set", + "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", "default": [ "authorization" - ], - "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs." + ] } } ] } } - ], - "entity_checks": [ - { - "conditional": { - "then_field": "config.claims_to_verify", - "if_match": { - "gt": 0 - }, - "then_match": { - "contains": "exp" - }, - "if_field": "config.maximum_expiration" - } - } ] } \ No newline at end of file diff --git a/schemas/kafka-log/3.6.x.json b/schemas/kafka-log/3.6.x.json index c4c925f6..f547e455 100644 --- a/schemas/kafka-log/3.6.x.json +++ b/schemas/kafka-log/3.6.x.json 
@@ -1,11 +1,21 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { "required": true, "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", @@ -13,29 +23,21 @@ "https", "ws", "wss" - ] - }, - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] + ], + "type": "string" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "entity_checks": [ { "custom_entity_check": { @@ -45,13 +47,11 @@ } } ], - "required": true, + "type": "record", "fields": [ { "bootstrap_servers": { - "type": "set", "elements": { - "type": "record", "fields": [ { "host": { 
@@ -62,96 +62,98 @@ }, { "port": { + "required": true, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "required": true, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } } - ] + ], + "type": "record" }, + "type": "set", "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." } }, { "topic": { - "type": "string", "required": true, + "type": "string", "description": "The Kafka topic to publish to." } }, { "timeout": { "type": "integer", - "default": 10000, - "description": "Socket timeout in milliseconds." + "description": "Socket timeout in milliseconds.", + "default": 10000 } }, { "keepalive": { - "type": "integer", - "default": 60000 + "default": 60000, + "type": "integer" } }, { "keepalive_enabled": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "authentication": { - "type": "record", "required": true, + "type": "record", "fields": [ { "strategy": { + "required": false, "type": "string", + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "one_of": [ "sasl" - ], - "required": false, - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`." + ] } }, { "mechanism": { + "required": false, "type": "string", + "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" - ], - "required": false, - "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`." 
+ ] } }, { "tokenauth": { - "type": "boolean", "required": false, + "type": "boolean", "description": "Enable this to indicate `DelegationToken` authentication" } }, { "user": { - "required": false, - "type": "string", "referenceable": true, + "type": "string", "encrypted": true, - "description": "Username for SASL authentication." + "description": "Username for SASL authentication.", + "required": false } }, { "password": { - "required": false, - "type": "string", "referenceable": true, + "type": "string", "encrypted": true, - "description": "Password for SASL authentication." + "description": "Password for SASL authentication.", + "required": false } } ] @@ -159,21 +161,21 @@ }, { "security": { - "type": "record", "required": true, + "type": "record", "fields": [ { "certificate_id": { - "uuid": true, - "type": "string", "required": false, - "description": "UUID of certificate entity for mTLS authentication." + "type": "string", + "description": "UUID of certificate entity for mTLS authentication.", + "uuid": true } }, { "ssl": { - "type": "boolean", "required": false, + "type": "boolean", "description": "Enables TLS." } } 
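Review bot: The `mechanism` description in the kafka-log `authentication` record (hunk `@@ -62,96 +62,98 @@`) lists only `PLAIN` or `SCRAM-SHA-256`, while the `one_of` next to it also accepts `SCRAM-SHA-512`. The kafka-upstream schema in this same patch already reads `Supported options: PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512.`, and the kafka-log text should match so that readers do not conclude the SHA-512 variant is unavailable. In the same hunk `keepalive` carries no description, where kafka-upstream has `Keepalive timeout in milliseconds.`.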
@@ -182,78 +184,78 @@ }, { "cluster_name": { - "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", - "type": "string", "required": false, + "type": "string", + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", "auto": true } }, { "producer_request_acks": { - "type": "integer", "one_of": [ -1, 0, 1 ], - "default": 1, - "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set)." + "type": "integer", + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "default": 1 } }, { "producer_request_timeout": { "type": "integer", - "default": 2000, - "description": "Time to wait for a Produce response in milliseconds" + "description": "Time to wait for a Produce response in milliseconds", + "default": 2000 } }, { "producer_request_limits_messages_per_request": { "type": "integer", - "default": 200, - "description": "Maximum number of messages to include into a single Produce request." 
+ "description": "Maximum number of messages to include into a single Produce request.", + "default": 200 } }, { "producer_request_limits_bytes_per_request": { "type": "integer", - "default": 1048576, - "description": "Maximum size of a Produce request in bytes." + "description": "Maximum size of a Produce request in bytes.", + "default": 1048576 } }, { "producer_request_retries_max_attempts": { "type": "integer", - "default": 10, - "description": "Maximum number of retry attempts per single Produce request." + "description": "Maximum number of retry attempts per single Produce request.", + "default": 10 } }, { "producer_request_retries_backoff_timeout": { "type": "integer", - "default": 100, - "description": "Backoff interval between retry attempts in milliseconds." + "description": "Backoff interval between retry attempts in milliseconds.", + "default": 100 } }, { "producer_async": { "type": "boolean", - "default": true, - "description": "Flag to enable asynchronous mode." + "description": "Flag to enable asynchronous mode.", + "default": true } }, { "producer_async_flush_timeout": { "type": "integer", - "default": 1000, - "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode." + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "default": 1000 } }, { "producer_async_buffering_limits_messages_in_memory": { "type": "integer", - "default": 50000, - "description": "Maximum number of messages that can be buffered in memory in asynchronous mode." + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "default": 50000 } }, { 
@@ -262,19 +264,17 @@ "type": "string", "len_min": 1 }, + "type": "map", + "description": "Lua code as a key-value map", "values": { "len_min": 1, "type": "string" - }, - "type": "map", - "description": "Lua code as a key-value map" + } } } - ] + ], + "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/kafka-upstream/3.6.x.json b/schemas/kafka-upstream/3.6.x.json index 4fc3056a..adf9d86e 100644 --- a/schemas/kafka-upstream/3.6.x.json +++ b/schemas/kafka-upstream/3.6.x.json @@ -1,38 +1,40 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "entity_checks": [ { "custom_entity_check": { @@ -52,13 +54,11 @@ } } ], - "required": true, + "type": "record", "fields": [ { "bootstrap_servers": { - "type": "set", "elements": { - "type": "record", "fields": [ { "host": { @@ -69,17 +69,19 @@ }, { "port": { + "required": true, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "required": true, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } } - ] + ], + "type": "record" }, + "type": "set", "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." } }, 
@@ -92,16 +94,16 @@ }, { "timeout": { - "default": 10000, "type": "integer", - "description": "Socket timeout in milliseconds." + "description": "Socket timeout in milliseconds.", + "default": 10000 } }, { "keepalive": { - "default": 60000, "type": "integer", - "description": "Keepalive timeout in milliseconds." + "description": "Keepalive timeout in milliseconds.", + "default": 60000 } }, { @@ -112,29 +114,29 @@ }, { "authentication": { - "type": "record", "required": true, + "type": "record", "fields": [ { "strategy": { "required": false, + "type": "string", + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "one_of": [ "sasl" - ], - "type": "string", - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`." + ] } }, { "mechanism": { "required": false, + "type": "string", + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" - ], - "type": "string", - "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`." + ] } }, { @@ -146,20 +148,20 @@ }, { "user": { + "referenceable": true, "type": "string", "encrypted": true, - "referenceable": true, - "required": false, - "description": "Username for SASL authentication." + "description": "Username for SASL authentication.", + "required": false } }, { "password": { + "referenceable": true, "type": "string", "encrypted": true, - "referenceable": true, - "required": false, - "description": "Password for SASL authentication." + "description": "Password for SASL authentication.", + "required": false } } ] 
@@ -167,15 +169,15 @@ }, { "security": { - "type": "record", "required": true, + "type": "record", "fields": [ { "certificate_id": { - "uuid": true, "required": false, "type": "string", - "description": "UUID of certificate entity for mTLS authentication." + "description": "UUID of certificate entity for mTLS authentication.", + "uuid": true } }, { 
@@ -190,113 +192,111 @@ }, { "forward_method": { - "default": false, "type": "boolean", - "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "default": false } }, { "forward_uri": { - "default": false, "type": "boolean", - "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "default": false } }, { "forward_headers": { - "default": false, "type": "boolean", - "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "default": false } }, { "forward_body": { - "default": true, "type": "boolean", - "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "default": true } }, { "cluster_name": { "auto": true, - "required": false, "type": "string", - "description": "An identifier for the Kafka cluster. By default, this field generates a random string. 
You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster." + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "required": false } }, { "producer_request_acks": { - "default": 1, "one_of": [ -1, 0, 1 ], "type": "integer", + "default": 1, "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set)." } }, { "producer_request_timeout": { - "default": 2000, "type": "integer", - "description": "Time to wait for a Produce response in milliseconds." + "description": "Time to wait for a Produce response in milliseconds.", + "default": 2000 } }, { "producer_request_limits_messages_per_request": { - "default": 200, "type": "integer", - "description": "Maximum number of messages to include into a single producer request." + "description": "Maximum number of messages to include into a single producer request.", + "default": 200 } }, { "producer_request_limits_bytes_per_request": { - "default": 1048576, "type": "integer", - "description": "Maximum size of a Produce request in bytes." 
+ "description": "Maximum size of a Produce request in bytes.", + "default": 1048576 } }, { "producer_request_retries_max_attempts": { - "default": 10, "type": "integer", - "description": "Maximum number of retry attempts per single Produce request." + "description": "Maximum number of retry attempts per single Produce request.", + "default": 10 } }, { "producer_request_retries_backoff_timeout": { - "default": 100, "type": "integer", - "description": "Backoff interval between retry attempts in milliseconds." + "description": "Backoff interval between retry attempts in milliseconds.", + "default": 100 } }, { "producer_async": { - "default": true, "type": "boolean", - "description": "Flag to enable asynchronous mode." + "description": "Flag to enable asynchronous mode.", + "default": true } }, { "producer_async_flush_timeout": { - "default": 1000, "type": "integer", - "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode." + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "default": 1000 } }, { "producer_async_buffering_limits_messages_in_memory": { - "default": 50000, "type": "integer", - "description": "Maximum number of messages that can be buffered in memory in asynchronous mode." + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "default": 50000 } } - ] + ], + "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/key-auth-enc/3.6.x.json b/schemas/key-auth-enc/3.6.x.json index 437af5bd..3f541517 100644 --- a/schemas/key-auth-enc/3.6.x.json +++ b/schemas/key-auth-enc/3.6.x.json @@ -1,9 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } 
@@ -12,8 +15,15 @@ "protocols": { "required": true, "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -21,91 +31,81 @@ "https", "ws", "wss" - ] - }, - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] + ], + "type": "string" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "key_names": { - "required": true, + "elements": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, "type": "array", "default": [ "apikey" ], - "elements": { - "type": "string", - "description": "A string representing an HTTP header name." - }, + "required": true, "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." } }, { "hide_credentials": { - "default": false, "type": "boolean", + "default": false, "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it." } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. 
If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "key_in_header": { - "default": true, "type": "boolean", + "default": true, "description": "If enabled (default), the plugin reads the request header and tries to find the key in it." } }, { "key_in_query": { - "default": true, "type": "boolean", + "default": true, "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it." } }, { "key_in_body": { - "default": false, "type": "boolean", + "default": false, "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." } }, { "run_on_preflight": { - "default": true, "type": "boolean", + "default": true, "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed." } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/key-auth/3.6.x.json b/schemas/key-auth/3.6.x.json index 76ea1e51..e4340436 100644 --- a/schemas/key-auth/3.6.x.json +++ b/schemas/key-auth/3.6.x.json @@ -1,9 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } @@ -12,8 +15,15 @@ "protocols": { "required": true, "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
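Review bot: In schemas/key-auth-enc/3.6.x.json (hunk `@@ -21,91 +31,81 @@`), the `key_in_body` description lists `application/www-form-urlencoded` as a supported MIME type, but the registered media type is `application/x-www-form-urlencoded`. The description should use the correct name so that a client integrator does not send a content type that never matches. This hunk only reorders the line, so the typo presumably comes from the upstream schema text and should be fixed there.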
@@ -21,42 +31,35 @@ "https", "ws", "wss" - ] - }, - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] + ], + "type": "string" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "key_names": { + "elements": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, "type": "array", - "required": true, "default": [ "apikey" ], - "elements": { - "type": "string", - "description": "A string representing an HTTP header name." - }, + "required": true, "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." } }, @@ -70,8 +73,8 @@ }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`.", + "type": "string" } }, { @@ -109,8 +112,5 @@ ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/konnect-application-auth/3.6.x.json b/schemas/konnect-application-auth/3.6.x.json index de0b35f6..7c28be4f 100644 --- a/schemas/konnect-application-auth/3.6.x.json +++ b/schemas/konnect-application-auth/3.6.x.json 
@@ -1,101 +1,103 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "entity_checks": [ ], - "required": true, + "type": "record", "fields": [ { "key_names": { - "required": true, + "elements": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, "type": "array", "default": [ "apikey" ], - "elements": { - "type": "string", - "description": "A string representing an HTTP header name." - }, + "required": true, "description": "The names of the headers containing the API key. You can specify multiple header names." } }, { "auth_type": { "type": "string", + "default": "openid-connect", "required": true, + "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", "one_of": [ "openid-connect", "key-auth", "v2-strategies" - ], - "default": "openid-connect", - "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'." + ] } }, { "scope": { - "unique": true, "required": true, "type": "string", - "description": "The unique scope identifier for the plugin configuration." 
+ "description": "The unique scope identifier for the plugin configuration.", + "unique": true } }, { "v2_strategies": { - "required": false, - "description": "The map of v2 strategies.", "type": "record", "default": [ ], + "required": false, + "description": "The map of v2 strategies.", "fields": [ { "key_auth": { - "type": "array", "required": false, + "type": "array", + "description": "List of key_auth strategies.", "elements": { - "type": "record", "fields": [ { "strategy_id": { @@ -111,32 +113,32 @@ "fields": [ { "key_names": { - "required": true, + "elements": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, "type": "array", "default": [ "apikey" ], - "elements": { - "type": "string", - "description": "A string representing an HTTP header name." - }, + "required": true, "description": "The names of the headers containing the API key. You can specify multiple header names." } } ] } } - ] - }, - "description": "List of key_auth strategies." + ], + "type": "record" + } } }, { "openid_connect": { - "type": "array", "required": false, + "type": "array", + "description": "List of openid_connect strategies.", "elements": { - "type": "record", "fields": [ { "strategy_id": { @@ -147,8 +149,8 @@ }, { "config": { - "description": "openid-connect plugin configuration.", "type": "record", + "description": "openid-connect plugin configuration.", "fields": [ { "issuer": { 
@@ -159,57 +161,54 @@ }, { "using_pseudo_issuer": { - "default": false, - "type": "boolean", "required": false, - "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`." + "type": "boolean", + "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "default": false } }, { "discovery_headers_names": { "required": false, "type": "array", + "description": "Extra header names passed to the discovery endpoint.", "elements": { "type": "string" - }, - "description": "Extra header names passed to the discovery endpoint." + } } }, { "discovery_headers_values": { "required": false, "type": "array", + "description": "Extra header values passed to the discovery endpoint.", "elements": { "type": "string" - }, - "description": "Extra header values passed to the discovery endpoint." + } } }, { "extra_jwks_uris": { "required": false, "type": "set", + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery)." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "rediscovery_lifetime": { - "default": 30, - "type": "number", "required": false, - "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis." + "type": "number", + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. 
Discovery is still triggered on an as-needed basis.", + "default": 30 } }, { "auth_methods": { - "required": false, - "type": "array", "elements": { - "type": "string", "one_of": [ "password", "client_credentials", @@ -220,8 +219,10 @@ "kong_oauth2", "refresh_token", "session" - ] + ], + "type": "string" }, + "type": "array", "default": [ "password", "client_credentials", @@ -233,39 +234,40 @@ "refresh_token", "session" ], + "required": false, "description": "Types of credentials/grants to enable." } }, { "client_id": { - "type": "array", - "encrypted": true, - "required": false, "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." + "type": "array", + "required": false, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "encrypted": true } }, { "client_secret": { - "type": "array", - "encrypted": true, - "required": false, "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "description": "The client secret." + "type": "array", + "required": false, + "description": "The client secret.", + "encrypted": true } }, { "client_auth": { "required": false, "type": "array", + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", "elements": { - "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -274,208 +276,208 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ] - }, - "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication)." + ], + "type": "string" + } } }, { "client_jwk": { "required": false, "type": "array", + "description": "The JWK used for the private_key_jwt authentication.", "elements": { - "type": "record", "required": false, + "type": "record", "fields": [ { "issuer": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "kty": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "use": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "key_ops": { "required": false, + "type": "array", "elements": { - "type": "string", - "required": false - }, - "type": "array" + "required": false, + "type": "string" + } } }, { "alg": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "kid": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5u": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5c": { "required": false, + "type": "array", "elements": { - "type": "string", - "required": false - }, - "type": "array" + "required": false, + "type": "string" + } } }, { "x5t": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5t#S256": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "k": { "required": false, - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" 
+ "referenceable": true } }, { "x": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "y": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "crv": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "n": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "e": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "d": { "required": false, - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "p": { "required": false, - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "q": { "required": false, - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "dp": { "required": false, - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "dq": { "required": false, - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "qi": { "required": false, - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "oth": { "required": false, - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "r": { "required": false, - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "t": { "required": false, - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } } ] - }, - "description": "The JWK used for the private_key_jwt authentication." 
+ } } }, { "client_alg": { "required": false, "type": "array", + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", "elements": { - "type": "string", "one_of": [ "HS256", "HS384", 
@@ -490,156 +492,156 @@ "PS384", "PS512", "EdDSA" - ] - }, - "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication." + ], + "type": "string" + } } }, { "client_arg": { - "default": "client_id", - "type": "string", "required": false, - "description": "The client to use for this request (the selection is made with a request parameter with the same name)." + "type": "string", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "default": "client_id" } }, { "redirect_uri": { "required": false, "type": "array", + "description": "The redirect URI passed to the authorization and token endpoints.", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "The redirect URI passed to the authorization and token endpoints." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "login_redirect_uri": { "required": false, "type": "array", + "description": "Where to redirect the client when `login_action` is set to `redirect`.", "elements": { "referenceable": true, "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client when `login_action` is set to `redirect`." + } } }, { "logout_redirect_uri": { "required": false, "type": "array", + "description": "Where to redirect the client after the logout.", "elements": { "referenceable": true, "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client after the logout." 
+ } } }, { "forbidden_redirect_uri": { "required": false, "type": "array", + "description": "Where to redirect the client on forbidden requests.", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client on forbidden requests." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "forbidden_error_message": { - "default": "Forbidden", - "type": "string", "required": false, - "description": "The error message for the forbidden requests (when not using the redirection)." + "type": "string", + "description": "The error message for the forbidden requests (when not using the redirection).", + "default": "Forbidden" } }, { "forbidden_destroy_session": { - "default": true, - "type": "boolean", "required": false, - "description": "Destroy any active session for the forbidden requests." + "type": "boolean", + "description": "Destroy any active session for the forbidden requests.", + "default": true } }, { "unauthorized_destroy_session": { - "default": true, - "type": "boolean", "required": false, - "description": "Destroy any active session for the unauthorized requests." + "type": "boolean", + "description": "Destroy any active session for the unauthorized requests.", + "default": true } }, { "unauthorized_redirect_uri": { "required": false, "type": "array", + "description": "Where to redirect the client on unauthorized requests.", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client on unauthorized requests." 
+ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "unauthorized_error_message": { - "default": "Unauthorized", - "type": "string", "required": false, - "description": "The error message for the unauthorized requests (when not using the redirection)." + "type": "string", + "description": "The error message for the unauthorized requests (when not using the redirection).", + "default": "Unauthorized" } }, { "unexpected_redirect_uri": { "required": false, "type": "array", + "description": "Where to redirect the client when unexpected errors happen with the requests.", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client when unexpected errors happen with the requests." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "response_mode": { "type": "string", + "default": "query", "required": false, + "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it).", "one_of": [ "query", "form_post", "fragment" - ], - "default": "query", - "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)." 
+ ] } }, { "response_type": { - "required": false, - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ "code" ], + "required": false, "description": "The response type passed to the authorization endpoint." } }, { "scopes": { - "required": false, - "type": "array", "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, + "type": "array", "default": [ "openid" ], + "required": false, "description": "The scopes passed to the authorization and token endpoints." } }, @@ -647,42 +649,42 @@ "audience": { "required": false, "type": "array", + "description": "The audience passed to the authorization endpoint.", "elements": { "type": "string" - }, - "description": "The audience passed to the authorization endpoint." + } } }, { "issuers_allowed": { "required": false, "type": "array", + "description": "The issuers allowed to be present in the tokens (`iss` claim).", "elements": { "type": "string" - }, - "description": "The issuers allowed to be present in the tokens (`iss` claim)." + } } }, { "scopes_required": { "required": false, "type": "array", + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - }, - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } } }, { "scopes_claim": { - "required": false, - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ "scope" ], + "required": false, "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload." } }, 
@@ -690,22 +692,22 @@ "audience_required": { "required": false, "type": "array", + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - }, - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } } }, { "audience_claim": { - "required": false, - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ "aud" ], + "required": false, "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload." } }, @@ -713,22 +715,22 @@ "groups_required": { "required": false, "type": "array", + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - }, - "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } } }, { "groups_claim": { - "required": false, - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ "groups" ], + "required": false, "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload." } }, 
@@ -736,22 +738,22 @@ "roles_required": { "required": false, "type": "array", + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - }, - "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } } }, { "roles_claim": { - "required": false, - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ "roles" ], + "required": false, "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload." } }, @@ -759,16 +761,16 @@ "domains": { "required": false, "type": "array", + "description": "The allowed values for the `hd` claim.", "elements": { "type": "string" - }, - "description": "The allowed values for the `hd` claim." + } } }, { "max_age": { - "type": "number", "required": false, + "type": "number", "description": "The maximum age (in seconds) compared to the `auth_time` claim." } }, @@ -776,10 +778,10 @@ "authenticated_groups_claim": { "required": false, "type": "array", + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - }, - "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { 
@@ -791,7 +793,9 @@ }, { "pushed_authorization_request_endpoint_auth_method": { + "required": false, "type": "string", + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", @@ -800,22 +804,20 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ], - "required": false, - "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + ] } }, { "require_pushed_authorization_requests": { - "type": "boolean", "required": false, + "type": "boolean", "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`)." } }, { "require_proof_key_for_code_exchange": { - "type": "boolean", "required": false, + "type": "boolean", "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled)." } }, 
@@ -830,105 +832,105 @@ "authorization_query_args_names": { "required": false, "type": "array", + "description": "Extra query argument names passed to the authorization endpoint.", "elements": { "type": "string" - }, - "description": "Extra query argument names passed to the authorization endpoint." + } } }, { "authorization_query_args_values": { "required": false, "type": "array", + "description": "Extra query argument values passed to the authorization endpoint.", "elements": { "type": "string" - }, - "description": "Extra query argument values passed to the authorization endpoint." + } } }, { "authorization_query_args_client": { "required": false, "type": "array", + "description": "Extra query arguments passed from the client to the authorization endpoint.", "elements": { "type": "string" - }, - "description": "Extra query arguments passed from the client to the authorization endpoint." + } } }, { "authorization_rolling_timeout": { - "default": 600, - "type": "number", "required": false, - "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." + "type": "number", + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "default": 600 } }, { "authorization_cookie_name": { - "default": "authorization", - "type": "string", "required": false, - "description": "The authorization cookie name." + "type": "string", + "description": "The authorization cookie name.", + "default": "authorization" } }, { "authorization_cookie_path": { - "required": false, "type": "string", + "default": "/", "starts_with": "/", + "required": false, + "description": "The authorization cookie Path flag.", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ], - "default": "/", - "description": "The authorization cookie Path flag." 
+ ] } }, { "authorization_cookie_domain": { - "type": "string", "required": false, + "type": "string", "description": "The authorization cookie Domain flag." } }, { "authorization_cookie_same_site": { "type": "string", + "default": "Default", "required": false, + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "one_of": [ "Strict", "Lax", "None", "Default" - ], - "default": "Default", - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." + ] } }, { "authorization_cookie_http_only": { - "default": true, - "type": "boolean", "required": false, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." + "type": "boolean", + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true } }, { "authorization_cookie_secure": { - "type": "boolean", "required": false, + "type": "boolean", "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." } }, { "preserve_query_args": { - "default": false, - "type": "boolean", "required": false, - "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow." + "type": "boolean", + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "default": false } }, { 
@@ -940,7 +942,9 @@ }, { "token_endpoint_auth_method": { + "required": false, "type": "string", + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -949,55 +953,53 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ], - "required": false, - "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + ] } }, { "token_headers_names": { "required": false, "type": "array", + "description": "Extra header names passed to the token endpoint.", "elements": { "type": "string" - }, - "description": "Extra header names passed to the token endpoint." + } } }, { "token_headers_values": { "required": false, "type": "array", + "description": "Extra header values passed to the token endpoint.", "elements": { "type": "string" - }, - "description": "Extra header values passed to the token endpoint." + } } }, { "token_headers_client": { "required": false, "type": "array", + "description": "Extra headers passed from the client to the token endpoint.", "elements": { "type": "string" - }, - "description": "Extra headers passed from the client to the token endpoint." + } } }, { "token_headers_replay": { "required": false, "type": "array", + "description": "The names of token endpoint response headers to forward to the downstream client.", "elements": { "type": "string" - }, - "description": "The names of token endpoint response headers to forward to the downstream client." + } } }, { "token_headers_prefix": { - "type": "string", "required": false, + "type": "string", "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client." } }, 
@@ -1005,46 +1007,46 @@ "token_headers_grants": { "required": false, "type": "array", + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", "elements": { - "type": "string", "one_of": [ "password", "client_credentials", "authorization_code", "refresh_token" - ] - }, - "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant." + ], + "type": "string" + } } }, { "token_post_args_names": { "required": false, "type": "array", + "description": "Extra post argument names passed to the token endpoint.", "elements": { "type": "string" - }, - "description": "Extra post argument names passed to the token endpoint." + } } }, { "token_post_args_values": { "required": false, "type": "array", + "description": "Extra post argument values passed to the token endpoint.", "elements": { "type": "string" - }, - "description": "Extra post argument values passed to the token endpoint." + } } }, { "token_post_args_client": { "required": false, "type": "array", + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. 
If arguments exist, the client can pass them using: - Query parameters - Request Body - Reqest Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", "elements": { "type": "string" - }, - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Reqest Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint." + } } }, { @@ -1056,7 +1058,9 @@ }, { "introspection_endpoint_auth_method": { + "required": false, "type": "string", + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -1065,106 +1069,106 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ], - "required": false, - "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + ] } }, { "introspection_hint": { - "default": "access_token", - "type": "string", "required": false, - "description": "Introspection hint parameter value passed to the introspection endpoint." + "type": "string", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "default": "access_token" } }, { "introspection_check_active": { - "default": true, - "type": "boolean", "required": false, - "description": "Check that the introspection response has an `active` claim with a value of `true`." + "type": "boolean", + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "default": true } }, { "introspection_accept": { "type": "string", + "default": "application/json", "required": false, + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", "one_of": [ "application/json", "application/token-introspection+jwt", "application/jwt" - ], - "default": "application/json", - "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)." 
+ ] } }, { "introspection_headers_names": { "required": false, "type": "array", + "description": "Extra header names passed to the introspection endpoint.", "elements": { "type": "string" - }, - "description": "Extra header names passed to the introspection endpoint." + } } }, { "introspection_headers_values": { - "required": false, - "type": "array", "elements": { + "referenceable": true, "type": "string" }, - "description": "Extra header values passed to the introspection endpoint." + "type": "array", + "required": false, + "description": "Extra header values passed to the introspection endpoint.", + "encrypted": true } }, { "introspection_headers_client": { "required": false, "type": "array", + "description": "Extra headers passed from the client to the introspection endpoint.", "elements": { "type": "string" - }, - "description": "Extra headers passed from the client to the introspection endpoint." + } } }, { "introspection_post_args_names": { "required": false, "type": "array", + "description": "Extra post argument names passed to the introspection endpoint.", "elements": { "type": "string" - }, - "description": "Extra post argument names passed to the introspection endpoint." + } } }, { "introspection_post_args_values": { "required": false, "type": "array", + "description": "Extra post argument values passed to the introspection endpoint.", "elements": { "type": "string" - }, - "description": "Extra post argument values passed to the introspection endpoint." + } } }, { "introspection_post_args_client": { "required": false, "type": "array", + "description": "Extra post arguments passed from the client to the introspection endpoint.", "elements": { "type": "string" - }, - "description": "Extra post arguments passed from the client to the introspection endpoint." 
+ } } }, { "introspect_jwt_tokens": { - "default": false, - "type": "boolean", "required": false, - "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations)." + "type": "boolean", + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "default": false } }, { @@ -1176,7 +1180,9 @@ }, { "revocation_endpoint_auth_method": { + "required": false, "type": "string", + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", @@ -1185,9 +1191,7 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ], - "required": false, - "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + ] } }, { 
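Review bot: `introspection_headers_values` now carries `"encrypted": true` and its elements `"referenceable": true`, but `introspection_post_args_values`, a few fields further down in this hunk, keeps plain `"type": "string"` elements with neither flag. The same holds for `token_post_args_values` in the `-1005` hunk and for `userinfo_headers_values` and `userinfo_query_args_values` in the `-1207` hunk. These fields can presumably hold credentials for their endpoint just as the header values can, in which case they would be stored unencrypted and could not be supplied as a vault reference. The commit message says the file is downloaded through the API, so the flags would have to be added in the plugin schema itself rather than here; until then the descriptions could state which value fields are encrypted at rest.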
@@ -1207,73 +1211,73 @@ { "userinfo_accept": { "type": "string", + "default": "application/json", "required": false, + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", "one_of": [ "application/json", "application/jwt" - ], - "default": "application/json", - "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)." + ] } }, { "userinfo_headers_names": { "required": false, "type": "array", + "description": "Extra header names passed to the user info endpoint.", "elements": { "type": "string" - }, - "description": "Extra header names passed to the user info endpoint." + } } }, { "userinfo_headers_values": { "required": false, "type": "array", + "description": "Extra header values passed to the user info endpoint.", "elements": { "type": "string" - }, - "description": "Extra header values passed to the user info endpoint." + } } }, { "userinfo_headers_client": { "required": false, "type": "array", + "description": "Extra headers passed from the client to the user info endpoint.", "elements": { "type": "string" - }, - "description": "Extra headers passed from the client to the user info endpoint." + } } }, { "userinfo_query_args_names": { "required": false, "type": "array", + "description": "Extra query argument names passed to the user info endpoint.", "elements": { "type": "string" - }, - "description": "Extra query argument names passed to the user info endpoint." + } } }, { "userinfo_query_args_values": { "required": false, "type": "array", + "description": "Extra query argument values passed to the user info endpoint.", "elements": { "type": "string" - }, - "description": "Extra query argument values passed to the user info endpoint." 
+ } } }, { "userinfo_query_args_client": { "required": false, "type": "array", + "description": "Extra query arguments passed from the client to the user info endpoint.", "elements": { "type": "string" - }, - "description": "Extra query arguments passed from the client to the user info endpoint." + } } }, { 
@@ -1285,142 +1289,142 @@ }, { "session_secret": { + "referenceable": true, "type": "string", "required": false, - "referenceable": true, - "encrypted": true, - "description": "The session secret." + "description": "The session secret.", + "encrypted": true } }, { "session_audience": { - "default": "default", - "type": "string", "required": false, - "description": "The session audience, which is the intended target application. For example `\"my-application\"`." + "type": "string", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "default": "default" } }, { "session_cookie_name": { - "default": "session", - "type": "string", "required": false, - "description": "The session cookie name." + "type": "string", + "description": "The session cookie name.", + "default": "session" } }, { "session_remember": { - "default": false, - "type": "boolean", "required": false, - "description": "Enables or disables persistent sessions." + "type": "boolean", + "description": "Enables or disables persistent sessions.", + "default": false } }, { "session_remember_cookie_name": { - "default": "remember", - "type": "string", "required": false, - "description": "Persistent session cookie name. Use with the `remember` configuration parameter." + "type": "string", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "default": "remember" } }, { "session_remember_rolling_timeout": { - "default": 604800, - "type": "number", "required": false, - "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling." + "type": "number", + "description": "Specifies how long the persistent session is considered valid in seconds. 
0 disables the checks and rolling.", + "default": 604800 } }, { "session_remember_absolute_timeout": { - "default": 2592000, - "type": "number", "required": false, - "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks." + "type": "number", + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "default": 2592000 } }, { "session_idling_timeout": { - "default": 900, - "type": "number", "required": false, - "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching." + "type": "number", + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "default": 900 } }, { "session_rolling_timeout": { - "default": 3600, - "type": "number", "required": false, - "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." + "type": "number", + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "default": 3600 } }, { "session_absolute_timeout": { - "default": 86400, - "type": "number", "required": false, - "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks." + "type": "number", + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 
0 disables the checks.", + "default": 86400 } }, { "session_cookie_path": { - "required": false, "type": "string", + "default": "/", "starts_with": "/", + "required": false, + "description": "The session cookie Path flag.", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ], - "default": "/", - "description": "The session cookie Path flag." + ] } }, { "session_cookie_domain": { - "type": "string", "required": false, + "type": "string", "description": "The session cookie Domain flag." } }, { "session_cookie_same_site": { "type": "string", + "default": "Lax", "required": false, + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "one_of": [ "Strict", "Lax", "None", "Default" - ], - "default": "Lax", - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." + ] } }, { "session_cookie_http_only": { - "default": true, - "type": "boolean", "required": false, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." + "type": "boolean", + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true } }, { "session_cookie_secure": { - "type": "boolean", "required": false, + "type": "boolean", "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." } }, { "session_request_headers": { - "type": "set", "required": false, + "type": "set", + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. 
`[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", "elements": { - "type": "string", "one_of": [ "id", "audience", @@ -1429,17 +1433,17 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ] - }, - "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers." + ], + "type": "string" + } } }, { "session_response_headers": { - "type": "set", "required": false, + "type": "set", + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", "elements": { - "type": "string", "one_of": [ "id", "audience", 
@@ -1448,183 +1452,183 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ] - }, - "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers." + ], + "type": "string" + } } }, { "session_storage": { "type": "string", + "default": "cookie", "required": false, + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", "one_of": [ "cookie", "memcache", "memcached", "redis" - ], - "default": "cookie", - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis." + ] } }, { "session_store_metadata": { - "default": false, - "type": "boolean", "required": false, - "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject." + "type": "boolean", + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "default": false } }, { "session_enforce_same_subject": { - "default": false, - "type": "boolean", "required": false, - "description": "When set to `true`, audiences are forced to share the same subject." 
+ "type": "boolean", + "description": "When set to `true`, audiences are forced to share the same subject.", + "default": false } }, { "session_hash_subject": { - "default": false, - "type": "boolean", "required": false, - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." + "type": "boolean", + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "default": false } }, { "session_hash_storage_key": { - "default": false, - "type": "boolean", "required": false, - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." + "type": "boolean", + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "default": false } }, { "session_memcached_prefix": { - "type": "string", "required": false, + "type": "string", "description": "The memcached session key prefix." } }, { "session_memcached_socket": { - "type": "string", "required": false, + "type": "string", "description": "The memcached unix socket path." } }, { "session_memcached_host": { - "default": "127.0.0.1", - "type": "string", "required": false, - "description": "The memcached host." + "type": "string", + "description": "The memcached host.", + "default": "127.0.0.1" } }, { "session_memcached_port": { - "required": false, + "type": "integer", + "default": 11211, "between": [ 0, 65535 ], - "type": "integer", - "default": 11211, + "required": false, "description": "The memcached port." } }, { "session_redis_prefix": { - "type": "string", "required": false, + "type": "string", "description": "The Redis session key prefix." 
} }, { "session_redis_socket": { - "type": "string", "required": false, + "type": "string", "description": "The Redis unix socket path." } }, { "session_redis_host": { - "default": "127.0.0.1", - "type": "string", "required": false, - "description": "The Redis host." + "type": "string", + "description": "The Redis host.", + "default": "127.0.0.1" } }, { "session_redis_port": { - "required": false, + "type": "integer", + "default": 6379, "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, + "required": false, "description": "The Redis port." } }, { "session_redis_username": { - "type": "string", "referenceable": true, - "required": false, - "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "type": "string", + "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "required": false } }, { "session_redis_password": { + "referenceable": true, "type": "string", "required": false, - "referenceable": true, - "encrypted": true, - "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis." + "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true } }, { "session_redis_connect_timeout": { - "type": "integer", "required": false, + "type": "integer", "description": "Session redis connection timeout in milliseconds." 
} }, { "session_redis_read_timeout": { - "type": "integer", "required": false, + "type": "integer", "description": "Session redis read timeout in milliseconds." } }, { "session_redis_send_timeout": { - "type": "integer", "required": false, + "type": "integer", "description": "Session redis send timeout in milliseconds." } }, { "session_redis_ssl": { - "default": false, - "type": "boolean", "required": false, - "description": "Use SSL/TLS for Redis connection." + "type": "boolean", + "description": "Use SSL/TLS for Redis connection.", + "default": false } }, { "session_redis_ssl_verify": { - "default": false, - "type": "boolean", "required": false, - "description": "Verify identity provider server certificate." + "type": "boolean", + "description": "Verify identity provider server certificate.", + "default": false } }, { "session_redis_server_name": { - "type": "string", "required": false, + "type": "string", "description": "The SNI used for connecting the Redis server." } }, 
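Review bot: The description of `session_redis_ssl_verify` reads "Verify identity provider server certificate.", which does not fit a Redis connection setting and looks copied from the identity-provider option. Something like `"description": "Verify the Redis server certificate when session_redis_ssl is enabled."` would say what the field name suggests it controls. With `"default": false` here and on `session_redis_ssl`, a reader who enables TLS alone would, as far as the schema shows, still get no certificate check on the session store, and the description is the place to say so. According to the commit message the file is downloaded through the API, so the wording has to be corrected in the plugin schema upstream.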
@@ -1632,281 +1636,281 @@ "session_redis_cluster_nodes": { "required": false, "type": "array", + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", "elements": { - "type": "record", "fields": [ { "ip": { - "default": "127.0.0.1", "required": true, "type": "string", + "default": "127.0.0.1", "description": "A string representing a host name, such as example.com." } }, { "port": { + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } } - ] - }, - "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values." + ], + "type": "record" + } } }, { "session_redis_cluster_max_redirections": { - "type": "integer", "required": false, + "type": "integer", "description": "The Redis cluster maximum redirects." } }, { "reverify": { - "default": false, - "type": "boolean", "required": false, - "description": "Specifies whether to always verify tokens stored in the session." + "type": "boolean", + "description": "Specifies whether to always verify tokens stored in the session.", + "default": false } }, { "jwt_session_claim": { - "default": "sid", - "type": "string", "required": false, - "description": "The claim to match against the JWT session cookie." + "type": "string", + "description": "The claim to match against the JWT session cookie.", + "default": "sid" } }, { "jwt_session_cookie": { - "type": "string", "required": false, + "type": "string", "description": "The name of the JWT session cookie." 
} }, { "bearer_token_param_type": { - "required": false, - "type": "array", "elements": { - "type": "string", "one_of": [ "header", "cookie", "query", "body" - ] + ], + "type": "string" }, + "type": "array", "default": [ "header", "query", "body" ], + "required": false, "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`." } }, { "bearer_token_cookie_name": { - "type": "string", "required": false, + "type": "string", "description": "The name of the cookie in which the bearer token is passed." } }, { "client_credentials_param_type": { - "required": false, - "type": "array", "elements": { - "type": "string", "one_of": [ "header", "query", "body" - ] + ], + "type": "string" }, + "type": "array", "default": [ "header", "query", "body" ], + "required": false, "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body." } }, { "password_param_type": { - "required": false, - "type": "array", "elements": { - "type": "string", "one_of": [ "header", "query", "body" - ] + ], + "type": "string" }, + "type": "array", "default": [ "header", "query", "body" ], + "required": false, "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." 
} }, { "id_token_param_type": { - "required": false, - "type": "array", "elements": { - "type": "string", "one_of": [ "header", "query", "body" - ] + ], + "type": "string" }, + "type": "array", "default": [ "header", "query", "body" ], + "required": false, "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." } }, { "id_token_param_name": { - "type": "string", "required": false, + "type": "string", "description": "The name of the parameter used to pass the id token." } }, { "refresh_token_param_type": { - "required": false, - "type": "array", "elements": { - "type": "string", "one_of": [ "header", "query", "body" - ] + ], + "type": "string" }, + "type": "array", "default": [ "header", "query", "body" ], + "required": false, "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." } }, { "refresh_token_param_name": { - "type": "string", "required": false, + "type": "string", "description": "The name of the parameter used to pass the refresh token." } }, { "refresh_tokens": { - "default": true, - "type": "boolean", "required": false, - "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available." + "type": "boolean", + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "default": true } }, { "upstream_headers_claims": { "required": false, "type": "array", + "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - }, - "description": "The upstream header claims. 
If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { "upstream_headers_names": { "required": false, "type": "array", + "description": "The upstream header names for the claim values.", "elements": { "type": "string" - }, - "description": "The upstream header names for the claim values." + } } }, { "upstream_access_token_header": { - "default": "authorization:bearer", - "type": "string", "required": false, - "description": "The upstream access token header." + "type": "string", + "description": "The upstream access token header.", + "default": "authorization:bearer" } }, { "upstream_access_token_jwk_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream access token JWK header." } }, { "upstream_id_token_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream id token header." } }, { "upstream_id_token_jwk_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream id token JWK header." } }, { "upstream_refresh_token_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream refresh token header." } }, { "upstream_user_info_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream user info header." } }, { "upstream_user_info_jwt_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream user info JWT header (in case the user info returns a JWT response)." } }, { "upstream_introspection_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream introspection header." } }, { "upstream_introspection_jwt_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream introspection JWT header." 
} }, { "upstream_session_id_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream session id header." } }, 
@@ -1914,98 +1918,95 @@ "downstream_headers_claims": { "required": false, "type": "array", + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - }, - "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { "downstream_headers_names": { "required": false, "type": "array", + "description": "The downstream header names for the claim values.", "elements": { "type": "string" - }, - "description": "The downstream header names for the claim values." + } } }, { "downstream_access_token_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream access token header." } }, { "downstream_access_token_jwk_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream access token JWK header." } }, { "downstream_id_token_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream id token header." } }, { "downstream_id_token_jwk_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream id token JWK header." } }, { "downstream_refresh_token_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream refresh token header." } }, { "downstream_user_info_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream user info header." } }, { "downstream_user_info_jwt_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream user info JWT header (in case the user info returns a JWT response)." } }, { "downstream_introspection_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream introspection header." 
} }, { "downstream_introspection_jwt_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream introspection JWT header." } }, { "downstream_session_id_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream session id header." } }, { "login_methods": { - "required": false, - "type": "array", "elements": { - "type": "string", "one_of": [ "password", "client_credentials", 
@@ -2016,234 +2017,234 @@ "kong_oauth2", "refresh_token", "session" - ] + ], + "type": "string" }, + "type": "array", "default": [ "authorization_code" ], + "required": false, "description": "Enable login functionality with specified grants." } }, { "login_action": { "type": "string", + "default": "upstream", "required": false, + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", "one_of": [ "upstream", "response", "redirect" - ], - "default": "upstream", - "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location." + ] } }, { "login_tokens": { - "required": false, - "type": "array", "elements": { - "type": "string", "one_of": [ "id_token", "access_token", "refresh_token", "tokens", "introspection" - ] + ], + "type": "string" }, + "type": "array", "default": [ "id_token" ], + "required": false, "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response." } }, { "login_redirect_mode": { "type": "string", + "default": "fragment", "required": false, + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", "one_of": [ "query", "fragment" - ], - "default": "fragment", - "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)." 
+ ] } }, { "logout_query_arg": { - "type": "string", "required": false, + "type": "string", "description": "The request query argument that activates the logout." } }, { "logout_post_arg": { - "type": "string", "required": false, + "type": "string", "description": "The request body argument that activates the logout." } }, { "logout_uri_suffix": { - "type": "string", "required": false, + "type": "string", "description": "The request URI suffix that activates the logout." } }, { "logout_methods": { - "required": false, - "type": "array", "elements": { - "type": "string", "one_of": [ "POST", "GET", "DELETE" - ] + ], + "type": "string" }, + "type": "array", "default": [ "POST", "DELETE" ], + "required": false, "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method." } }, { "logout_revoke": { - "default": false, - "type": "boolean", "required": false, - "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters." + "type": "boolean", + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "default": false } }, { "logout_revoke_access_token": { - "default": true, - "type": "boolean", "required": false, - "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`." + "type": "boolean", + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "default": true } }, { "logout_revoke_refresh_token": { - "default": true, - "type": "boolean", "required": false, - "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`." 
+ "type": "boolean", + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "default": true } }, { "consumer_claim": { "required": false, "type": "array", + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - }, - "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { "consumer_by": { - "required": false, - "type": "array", "elements": { - "type": "string", "one_of": [ "id", "username", "custom_id" - ] + ], + "type": "string" }, + "type": "array", "default": [ "username", "custom_id" ], + "required": false, "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`." } }, { "consumer_optional": { - "default": false, - "type": "boolean", "required": false, - "description": "Do not terminate the request if consumer mapping fails." + "type": "boolean", + "description": "Do not terminate the request if consumer mapping fails.", + "default": false } }, { "credential_claim": { - "required": false, - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ "sub" ], + "required": false, "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload." } }, { "anonymous": { - "type": "string", "required": false, + "type": "string", "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. 
If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { "run_on_preflight": { - "default": true, - "type": "boolean", "required": false, - "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests." + "type": "boolean", + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "default": true } }, { "leeway": { - "default": 0, - "type": "number", "required": false, - "description": "Allow some leeway (in seconds) on the iat claim and ttl / expiry verification." + "type": "number", + "description": "Allow some leeway (in seconds) on the iat claim and ttl / expiry verification.", + "default": 0 } }, { "verify_parameters": { - "default": false, - "type": "boolean", "required": false, - "description": "Verify plugin configuration against discovery." + "type": "boolean", + "description": "Verify plugin configuration against discovery.", + "default": false } }, { "verify_nonce": { - "default": true, - "type": "boolean", "required": false, - "description": "Verify nonce on authorization code flow." + "type": "boolean", + "description": "Verify nonce on authorization code flow.", + "default": true } }, { "verify_claims": { - "default": true, - "type": "boolean", "required": false, - "description": "Verify tokens for standard claims." + "type": "boolean", + "description": "Verify tokens for standard claims.", + "default": true } }, { "verify_signature": { - "default": true, - "type": "boolean", "required": false, - "description": "Verify signature of tokens." + "type": "boolean", + "description": "Verify signature of tokens.", + "default": true } }, { "ignore_signature": { - "required": false, - "type": "array", "elements": { - "type": "string", "one_of": [ "password", "client_credentials", 
@@ -2252,28 +2253,31 @@ "session", "introspection", "userinfo" - ] + ], + "type": "string" }, + "type": "array", "default": [ ], + "required": false, "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication." } }, { "enable_hs_signatures": { - "default": false, - "type": "boolean", "required": false, - "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted)." + "type": "boolean", + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "default": false } }, { "disable_session": { "required": false, "type": "array", + "description": "Disable issuing the session cookie with the specified grants.", "elements": { - "type": "string", "one_of": [ "password", "client_credentials", 
@@ -2284,108 +2288,108 @@ "kong_oauth2", "refresh_token", "session" - ] - }, - "description": "Disable issuing the session cookie with the specified grants." + ], + "type": "string" + } } }, { "cache_ttl": { - "default": 3600, - "type": "number", "required": false, - "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry." + "type": "number", + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "default": 3600 } }, { "cache_ttl_max": { - "type": "number", "required": false, + "type": "number", "description": "The maximum cache ttl in seconds (enforced)." } }, { "cache_ttl_min": { - "type": "number", "required": false, + "type": "number", "description": "The minimum cache ttl in seconds (enforced)." } }, { "cache_ttl_neg": { - "type": "number", "required": false, + "type": "number", "description": "The negative cache ttl in seconds." } }, { "cache_ttl_resurrect": { - "type": "number", "required": false, + "type": "number", "description": "The resurrection ttl in seconds." } }, { "cache_tokens": { - "default": true, - "type": "boolean", "required": false, - "description": "Cache the token endpoint requests." + "type": "boolean", + "description": "Cache the token endpoint requests.", + "default": true } }, { "cache_tokens_salt": { "auto": true, "type": "string", - "required": false, - "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "required": false } }, { "cache_introspection": { - "default": true, - "type": "boolean", "required": false, - "description": "Cache the introspection endpoint requests." 
+ "type": "boolean", + "description": "Cache the introspection endpoint requests.", + "default": true } }, { "cache_token_exchange": { - "default": true, - "type": "boolean", "required": false, - "description": "Cache the token exchange endpoint requests." + "type": "boolean", + "description": "Cache the token exchange endpoint requests.", + "default": true } }, { "cache_user_info": { - "default": true, - "type": "boolean", "required": false, - "description": "Cache the user info requests." + "type": "boolean", + "description": "Cache the user info requests.", + "default": true } }, { "search_user_info": { - "default": false, - "type": "boolean", "required": false, - "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers." + "type": "boolean", + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "default": false } }, { "hide_credentials": { - "default": false, - "type": "boolean", "required": false, - "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication." + "type": "boolean", + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "default": false } }, { "http_version": { "required": false, - "default": 1.1, "type": "number", + "default": 1.1, "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0." } }, 
@@ -2398,8 +2402,8 @@ }, { "http_proxy_authorization": { - "type": "string", "required": false, + "type": "string", "description": "The HTTP proxy authorization." } }, 
@@ -2412,132 +2416,132 @@ }, { "https_proxy_authorization": { - "type": "string", "required": false, + "type": "string", "description": "The HTTPS proxy authorization." } }, { "no_proxy": { - "type": "string", "required": false, + "type": "string", "description": "Do not use proxy with these hosts." } }, { "keepalive": { - "default": true, - "type": "boolean", "required": false, - "description": "Use keepalive with the HTTP client." + "type": "boolean", + "description": "Use keepalive with the HTTP client.", + "default": true } }, { "ssl_verify": { - "default": false, - "type": "boolean", "required": false, - "description": "Verify identity provider server certificate." + "type": "boolean", + "description": "Verify identity provider server certificate.", + "default": false } }, { "timeout": { - "default": 10000, - "type": "number", "required": false, - "description": "Network IO timeout in milliseconds." + "type": "number", + "description": "Network IO timeout in milliseconds.", + "default": 10000 } }, { "display_errors": { - "default": false, - "type": "boolean", "required": false, - "description": "Display errors on failure responses." + "type": "boolean", + "description": "Display errors on failure responses.", + "default": false } }, { "by_username_ignore_case": { - "default": false, - "type": "boolean", "required": false, - "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively." + "type": "boolean", + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "default": false } }, { "resolve_distributed_claims": { - "default": false, - "type": "boolean", "required": false, - "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims." 
+ "type": "boolean", + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "default": false } }, { "expose_error_code": { "type": "boolean", - "default": true, - "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable." + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "default": true } }, { "token_cache_key_include_scope": { "type": "boolean", - "default": false, - "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens." + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "default": false } }, { "introspection_token_param_name": { - "default": "token", - "type": "string", "required": false, - "description": "Designate token's parameter name for introspection." + "type": "string", + "description": "Designate token's parameter name for introspection.", + "default": "token" } }, { "revocation_token_param_name": { - "default": "token", - "type": "string", "required": false, - "description": "Designate token's parameter name for revocation." + "type": "string", + "description": "Designate token's parameter name for revocation.", + "default": "token" } }, { "proof_of_possession_mtls": { "type": "string", + "default": "off", "required": false, + "description": "Enable mtls proof of possession. 
If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", "one_of": [ "off", "strict", "optional" - ], - "default": "off", - "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401." + ] } }, { "proof_of_possession_auth_methods_validation": { - "default": true, - "type": "boolean", "required": false, - "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP." + "type": "boolean", + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "default": true } }, { "tls_client_auth_cert_id": { - "uuid": true, "type": "string", + "uuid": true, + "auto": false, "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", - "required": false, - "auto": false + "required": false } }, { "tls_client_auth_ssl_verify": { - "default": true, - "type": "boolean", "required": false, - "description": "Verify identity provider server certificate during mTLS client authentication." 
+ "type": "boolean", + "description": "Verify identity provider server certificate during mTLS client authentication.", + "default": true } }, { @@ -2564,19 +2568,17 @@ ] } } - ] - }, - "description": "List of openid_connect strategies." + ], + "type": "record" + } } } ] } } - ] + ], + "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/ldap-auth-advanced/3.6.x.json b/schemas/ldap-auth-advanced/3.6.x.json index 672b08af..b0950806 100644 --- a/schemas/ldap-auth-advanced/3.6.x.json +++ b/schemas/ldap-auth-advanced/3.6.x.json @@ -1,11 +1,27 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { "required": true, "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -13,58 +29,51 @@ "https", "ws", "wss" - ] - }, - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] + ], + "type": "string" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "ldap_host": { - "type": "string", "required": true, + "type": "string", "description": "Host on which the LDAP server is running." } }, { "ldap_password": { - "encrypted": true, "referenceable": true, "type": "string", - "description": "The password to the LDAP server." + "description": "The password to the LDAP server.", + "encrypted": true } }, { "ldap_port": { - "default": 389, "type": "number", + "default": 389, "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636." } }, 
@@ -77,136 +86,136 @@ }, { "ldaps": { + "required": true, "type": "boolean", "default": false, - "required": true, "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled." } }, { "start_tls": { + "required": true, "type": "boolean", "default": false, - "required": true, "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled." } }, { "verify_ldap_host": { + "required": true, "type": "boolean", "default": false, - "required": true, "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive." } }, { "base_dn": { - "type": "string", "required": true, + "type": "string", "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'." } }, { "attribute": { - "type": "string", "required": true, + "type": "string", "description": "Attribute to be used to search the user; e.g., \"cn\"." } }, { "cache_ttl": { + "required": true, "type": "number", "default": 60, - "required": true, "description": "Cache expiry time in seconds." } }, { "hide_credentials": { - "default": false, "type": "boolean", + "default": false, "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request." } }, { "timeout": { - "default": 10000, "type": "number", + "default": 10000, "description": "An optional timeout in milliseconds when waiting for connection with LDAP server." 
} }, { "keepalive": { - "default": 60000, "type": "number", + "default": 60000, "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed." } }, { "anonymous": { - "len_min": 0, "default": "", "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "len_min": 0 } }, { "header_type": { - "default": "ldap", "type": "string", + "default": "ldap", "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`." } }, { "consumer_optional": { + "required": false, "type": "boolean", "default": false, - "required": false, "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user." 
} }, { "consumer_by": { - "type": "array", - "required": false, - "default": [ - "username", - "custom_id" - ], "elements": { - "type": "string", "one_of": [ "username", "custom_id" - ] + ], + "type": "string" }, + "type": "array", + "default": [ + "username", + "custom_id" + ], + "required": false, "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both." } }, { "group_base_dn": { - "type": "string", - "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'." + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", + "type": "string" } }, { "group_name_attribute": { - "type": "string", - "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive." + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", + "type": "string" } }, { "group_member_attribute": { - "default": "memberOf", "type": "string", + "default": "memberOf", "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive." } }, { "log_search_results": { + "required": false, "type": "boolean", "default": false, - "required": false, "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment." } }, 
@@ -214,23 +223,14 @@ "groups_required": { "required": false, "type": "array", + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", "elements": { "type": "string" - }, - "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result." + } } } ] } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/ldap-auth/3.6.x.json b/schemas/ldap-auth/3.6.x.json index c08b5d8f..340ad75f 100644 --- a/schemas/ldap-auth/3.6.x.json +++ b/schemas/ldap-auth/3.6.x.json @@ -1,9 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } @@ -12,8 +15,15 @@ "protocols": { "required": true, "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -21,45 +31,37 @@ "https", "ws", "wss" - ] - }, - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] + ], + "type": "string" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "entity_checks": [ { "conditional": { "then_match": { "eq": false }, - "then_field": "start_tls", + "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", "if_match": { "eq": true }, "if_field": "ldaps", - "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously" + "then_field": "start_tls" } } ], - "required": true, + "type": "record", "fields": [ { "ldap_host": { 
@@ -71,66 +73,66 @@ { "ldap_port": { "type": "integer", + "default": 389, "between": [ 0, 65535 ], "required": true, - "default": 389, "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "ldaps": { - "default": false, - "type": "boolean", "required": true, + "type": "boolean", + "default": false, "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled." } }, { "start_tls": { - "default": false, - "type": "boolean", "required": true, + "type": "boolean", + "default": false, "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled." } }, { "verify_ldap_host": { - "default": false, - "type": "boolean", "required": true, + "type": "boolean", + "default": false, "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive." } }, { "base_dn": { - "type": "string", "required": true, + "type": "string", "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com" } }, { "attribute": { - "type": "string", "required": true, + "type": "string", "description": "Attribute to be used to search the user; e.g. cn" } }, { "cache_ttl": { - "default": 60, - "type": "number", "required": true, + "type": "number", + "default": 60, "description": "Cache expiry time in seconds." } }, { "hide_credentials": { - "default": false, - "type": "boolean", "required": true, + "type": "boolean", + "default": false, "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request." } }, 
@@ -150,8 +152,8 @@ }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`.", + "type": "string" } }, { @@ -161,11 +163,9 @@ "description": "An optional string to use as part of the Authorization header" } } - ] + ], + "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/loggly/3.6.x.json b/schemas/loggly/3.6.x.json index 68f95648..f837a43a 100644 --- a/schemas/loggly/3.6.x.json +++ b/schemas/loggly/3.6.x.json @@ -1,15 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { "one_of": [ "grpc", 
@@ -26,57 +21,65 @@ "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "host": { - "default": "logs-01.loggly.com", "type": "string", + "default": "logs-01.loggly.com", "description": "A string representing a host name, such as example.com." } }, { "port": { + "default": 514, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "default": 514, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "key": { + "required": true, "type": "string", - "referenceable": true, "encrypted": true, - "required": true + "referenceable": true } }, { "tags": { - "default": [ - "kong" - ], "elements": { "type": "string" }, - "type": "set" + "type": "set", + "default": [ + "kong" + ] } }, { @@ -155,19 +158,16 @@ "type": "string", "len_min": 1 }, + "type": "map", + "description": "Lua code as a key-value map", "values": { "len_min": 1, "type": "string" - }, - "type": "map", - "description": "Lua code as a key-value map" + } } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/mocking/3.6.x.json b/schemas/mocking/3.6.x.json index e5888e96..339afb19 100644 --- a/schemas/mocking/3.6.x.json +++ b/schemas/mocking/3.6.x.json 
@@ -1,51 +1,59 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.api_specification_filename", + "config.api_specification" + ] + } + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "api_specification_filename": { - "type": "string", "required": false, + "type": "string", "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode." } }, { "api_specification": { - "type": "string", "required": false, + "type": "string", "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field." } }, @@ -79,10 +87,10 @@ }, { "included_status_codes": { - "type": "array", "elements": { "type": "integer" }, + "type": "array", "description": "A global list of the HTTP status codes that can only be selected and returned." } }, @@ -105,13 +113,5 @@ ] } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.api_specification_filename", - "config.api_specification" - ] - } ] } \ No newline at end of file diff --git a/schemas/mtls-auth/3.6.x.json b/schemas/mtls-auth/3.6.x.json index 3f4a6fc5..afe73df6 100644 
--- a/schemas/mtls-auth/3.6.x.json +++ b/schemas/mtls-auth/3.6.x.json @@ -1,46 +1,48 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "entity_checks": [ { "mutually_required": [ 
@@ -55,29 +57,29 @@ ] } ], - "required": true, + "type": "record", "fields": [ { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "consumer_by": { - "type": "array", - "required": false, - "default": [ - "username", - "custom_id" - ], "elements": { - "type": "string", "one_of": [ "username", "custom_id" - ] + ], + "type": "string" }, + "type": "array", + "default": [ + "username", + "custom_id" + ], + "required": false, "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled." } }, 
@@ -85,120 +87,118 @@ "ca_certificates": { "required": true, "type": "array", + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", "elements": { "uuid": true, "type": "string" - }, - "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`)." + } } }, { "cache_ttl": { - "default": 60, - "type": "number", "required": true, - "description": "Cache expiry time in seconds." + "type": "number", + "description": "Cache expiry time in seconds.", + "default": 60 } }, { "skip_consumer_lookup": { - "default": false, - "type": "boolean", "required": true, - "description": "Skip consumer lookup once certificate is trusted against the configured CA list." + "type": "boolean", + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "default": false } }, { "allow_partial_chain": { - "default": false, - "type": "boolean", "required": true, - "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates." + "type": "boolean", + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "default": false } }, { "authenticated_group_by": { - "required": false, "type": "string", + "default": "CN", + "required": false, + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). 
Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "one_of": [ "CN", "DN" - ], - "default": "CN", - "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users." + ] } }, { "revocation_check_mode": { - "required": false, "type": "string", + "default": "IGNORE_CA_ERROR", + "required": false, + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "one_of": [ "SKIP", "IGNORE_CA_ERROR", "STRICT" - ], - "default": "IGNORE_CA_ERROR", - "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status." + ] } }, { "http_timeout": { "type": "number", - "default": 30000, - "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL." 
+ "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "default": 30000 } }, { "cert_cache_ttl": { "type": "number", - "default": 60000, - "description": "The length of time in milliseconds between refreshes of the revocation check status cache." + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", + "default": 60000 } }, { "send_ca_dn": { "type": "boolean", - "default": false, - "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message." + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", + "default": false } }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "http_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "https_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } } - ] + ], + "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/oas-validation/3.6.x.json b/schemas/oas-validation/3.6.x.json index ae419e59..c685a7f0 100644 --- a/schemas/oas-validation/3.6.x.json 
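Review bot: The `revocation_check_mode` description never states that the default, `IGNORE_CA_ERROR`, is a soft-fail mode. Its own wording ("doesn't fail on network issues") reads as treating a certificate as valid when its revocation status cannot be fetched, whereas only `STRICT` requires a verified status. I would append a sentence such as `With IGNORE_CA_ERROR, a certificate whose OCSP or CRL status cannot be retrieved is still accepted; use STRICT where revocation must be enforced.` The `authenticated_group_by` text in the same hunk says that with `skip_consumer_lookup` any client holding a valid certificate gets access, which makes this default matter more. If this file is generated from the plugin's schema source, the sentence belongs there.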
+++ b/schemas/oas-validation/3.6.x.json @@ -1,39 +1,42 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "api_spec": { 
@@ -45,104 +48,101 @@ { "verbose_response": { "required": false, - "default": false, "type": "boolean", - "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing." + "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", + "default": false } }, { "validate_request_body": { "required": false, - "default": true, "type": "boolean", - "description": "If set to true, validates the request body content against the API specification." + "description": "If set to true, validates the request body content against the API specification.", + "default": true } }, { "notify_only_request_validation_failure": { "required": false, - "default": false, "type": "boolean", - "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow." + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", + "default": false } }, { "validate_request_header_params": { "required": false, - "default": true, "type": "boolean", - "description": "If set to true, validates HTTP header parameters against the API specification." + "description": "If set to true, validates HTTP header parameters against the API specification.", + "default": true } }, { "validate_request_query_params": { "required": false, - "default": true, "type": "boolean", - "description": "If set to true, validates query parameters against the API specification." + "description": "If set to true, validates query parameters against the API specification.", + "default": true } }, { "validate_request_uri_params": { "required": false, - "default": true, "type": "boolean", - "description": "If set to true, validates URI parameters in the request against the API specification." 
+ "description": "If set to true, validates URI parameters in the request against the API specification.", + "default": true } }, { "validate_response_body": { "required": false, - "default": false, "type": "boolean", - "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code." + "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", + "default": false } }, { "notify_only_response_body_validation_failure": { "required": false, - "default": false, "type": "boolean", - "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow." + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", + "default": false } }, { "query_parameter_check": { "required": true, - "default": false, "type": "boolean", - "description": "If set to true, checks if query parameters in the request exist in the API specification." + "description": "If set to true, checks if query parameters in the request exist in the API specification.", + "default": false } }, { "header_parameter_check": { "required": true, - "default": false, "type": "boolean", - "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification." + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", + "default": false } }, { "allowed_header_parameters": { "required": false, - "default": "Host,Content-Type,User-Agent,Accept,Content-Length", "type": "string", - "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. 
These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent." + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", + "default": "Host,Content-Type,User-Agent,Accept,Content-Length" } }, { "include_base_path": { "required": true, - "default": false, "type": "boolean", - "description": "Indicates whether to include the base path when performing path match evaluation." + "description": "Indicates whether to include the base path when performing path match evaluation.", + "default": false } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/oauth2-introspection/3.6.x.json b/schemas/oauth2-introspection/3.6.x.json index d495fe7c..e9b3fe27 100644 --- a/schemas/oauth2-introspection/3.6.x.json +++ b/schemas/oauth2-introspection/3.6.x.json 
@@ -1,47 +1,50 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "introspection_url": { 
@@ -53,115 +56,112 @@ { "ttl": { "type": "number", - "default": 30, - "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration." + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", + "default": 30 } }, { "token_type_hint": { - "type": "string", - "description": "The `token_type_hint` value to associate to introspection requests." + "description": "The `token_type_hint` value to associate to introspection requests.", + "type": "string" } }, { "authorization_value": { - "required": true, - "encrypted": true, "referenceable": true, "type": "string", - "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`)." + "required": true, + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", + "encrypted": true } }, { "timeout": { "type": "integer", - "default": 10000, - "description": "An optional timeout in milliseconds when sending data to the upstream server." + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "default": 10000 } }, { "keepalive": { "type": "integer", - "default": 60000, - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." 
+ "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "default": 60000 } }, { "introspect_request": { - "type": "boolean", "required": true, - "default": false, - "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request." + "type": "boolean", + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", + "default": false } }, { "hide_credentials": { "type": "boolean", - "default": false, - "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request." + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request.", + "default": false } }, { "run_on_preflight": { "type": "boolean", - "default": true, - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed." + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "default": true } }, { "anonymous": { - "len_min": 0, - "default": "", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "default": "", + "len_min": 0 } }, { "consumer_by": { "type": "string", + "default": "username", "required": true, + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", "one_of": [ "username", "client_id" - ], - "default": "username", - "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`." + ] } }, { "custom_introspection_headers": { - "type": "map", - "values": { - "type": "string" - }, "keys": { "type": "string" }, - "required": true, + "type": "map", "default": [ ], - "description": "A list of custom headers to be added in the introspection request." + "required": true, + "description": "A list of custom headers to be added in the introspection request.", + "values": { + "type": "string" + } } }, { "custom_claims_forward": { - "required": true, + "elements": { + "type": "string" + }, "type": "set", "default": [ ], - "elements": { - "type": "string" - }, + "required": true, "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`." } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
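Review bot: The `anonymous` description says "If empty (default null), the request fails", but the field declares `"default": ""` with `"len_min": 0`, so the documented default and the schema default disagree. The text should match the schema, for example `If empty (the default), the request fails with an authentication failure 4xx.` In the same hunk, `ttl` says that 0 disables expiration without naming the consequence. Presumably a cached introspection result then stays in use after the token is revoked at the authorization server; that is inferred from the description and should be confirmed before it is added.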
diff --git a/schemas/oauth2/3.6.x.json b/schemas/oauth2/3.6.x.json index c122952b..83c8bfbf 100644 --- a/schemas/oauth2/3.6.x.json +++ b/schemas/oauth2/3.6.x.json @@ -1,9 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } @@ -12,8 +15,15 @@ "protocols": { "required": true, "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", @@ -21,40 +31,32 @@ "https", "ws", "wss" - ] - }, - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] + ], + "type": "string" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, "entity_checks": [ { "conditional": { "then_field": "scopes", - "if_match": { - "eq": true - }, + "if_field": "mandatory_scope", "then_match": { "required": true }, - "if_field": "mandatory_scope" + "if_match": { + "eq": true + } } } ], @@ -62,10 +64,10 @@ "fields": [ { "scopes": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required." } }, 
@@ -73,17 +75,17 @@ "mandatory_scope": { "required": true, "type": "boolean", - "default": false, - "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user." + "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", + "default": false } }, { "provision_key": { "unique": true, "encrypted": true, - "description": "The unique key the plugin has generated when it has been added to the Service.", "required": true, "type": "string", + "description": "The unique key the plugin has generated when it has been added to the Service.", "auto": true } }, 
@@ -91,88 +93,88 @@ "token_expiration": { "required": true, "type": "number", - "default": 7200, - "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration." + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration.", + "default": 7200 } }, { "enable_authorization_code": { "required": true, "type": "boolean", - "default": false, - "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1)." + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", + "default": false } }, { "enable_implicit_grant": { "required": true, "type": "boolean", - "default": false, - "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2)." + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", + "default": false } }, { "enable_client_credentials": { "required": true, "type": "boolean", - "default": false, - "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4)." + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", + "default": false } }, { "enable_password_grant": { "required": true, "type": "boolean", - "default": false, - "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3)." 
+ "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", + "default": false } }, { "hide_credentials": { "required": true, "type": "boolean", - "default": false, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service." + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "default": false } }, { "accept_http_if_already_terminated": { "required": true, "type": "boolean", - "default": false, - "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer." + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", + "default": false } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" } }, { "global_credentials": { "required": true, "type": "boolean", - "default": false, - "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`." + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", + "default": false } }, { "auth_header_name": { "type": "string", - "default": "authorization", - "description": "The name of the header that is supposed to carry the access token." 
+ "description": "The name of the header that is supposed to carry the access token.", + "default": "authorization" } }, { "refresh_token_ttl": { "type": "number", + "default": 1209600, "between": [ 0, 100000000 ], "required": true, - "default": 1209600, "description": "Time-to-live value for data" } }, @@ -180,35 +182,33 @@ "reuse_refresh_token": { "required": true, "type": "boolean", - "default": false, - "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token." + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", + "default": false } }, { "persistent_refresh_token": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "pkce": { - "required": false, "type": "string", + "default": "lax", + "required": false, + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", "one_of": [ "none", "lax", "strict" - ], - "default": "lax", - "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin." + ] } } - ] + ], + "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/opa/3.6.x.json b/schemas/opa/3.6.x.json index b79679bd..b2baf7a3 100644 --- a/schemas/opa/3.6.x.json +++ b/schemas/opa/3.6.x.json 
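Review bot: The new-side descriptions of `enable_authorization_code`, `enable_implicit_grant`, `enable_client_credentials` and `enable_password_grant` cite "RFC 6742", but the OAuth 2.0 Authorization Framework is RFC 6749, and the quoted sections (4.1, 4.2, 4.4, 4.3) match that document. Each reference should read like `(RFC 6749 Section 4.1)`. The implicit and resource owner password grants are also discouraged by the current OAuth 2.0 security best current practice (RFC 9700), so a short caveat in those two descriptions would help operators who enable them from this text alone. If these files are generated from the plugin's schema source, the wording fix belongs there rather than in this file.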
@@ -1,76 +1,79 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "opa_protocol": { - "default": "http", "one_of": [ "http", "https" ], "type": "string", - "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`." + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", + "default": "http" } }, { "opa_host": { "required": true, - "default": "localhost", "type": "string", + "default": "localhost", "description": "A string representing a host name, such as example.com." } }, { "opa_port": { "type": "integer", + "default": 8181, "between": [ 0, 65535 ], "required": true, - "default": 8181, "description": "An integer representing a port number between 0 and 65535, inclusive." } }, 
@@ -78,35 +81,35 @@ "opa_path": { "type": "string", "starts_with": "/", + "required": true, + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ], - "required": true, - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + ] } }, { "include_service_in_opa_input": { - "default": false, "type": "boolean", - "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA." + "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", + "default": false } }, { "include_route_in_opa_input": { - "default": false, "type": "boolean", - "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA." + "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", + "default": false } }, { "include_consumer_in_opa_input": { - "default": false, "type": "boolean", - "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA." + "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", + "default": false } }, { 
@@ -117,31 +120,28 @@ }, { "include_parsed_json_body_in_opa_input": { - "default": false, "type": "boolean", - "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA." + "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", + "default": false } }, { "include_uri_captures_in_opa_input": { - "default": false, "type": "boolean", - "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA." + "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", + "default": false } }, { "ssl_verify": { "required": true, - "default": true, "type": "boolean", - "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate." + "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "default": true } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/openid-connect/3.6.x.json b/schemas/openid-connect/3.6.x.json index dbdba7dc..207b10c8 100644 --- a/schemas/openid-connect/3.6.x.json +++ b/schemas/openid-connect/3.6.x.json 
@@ -1,127 +1,48 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "shorthand_fields": [ - { - "authorization_cookie_lifetime": { - "type": "number" - } - }, - { - "authorization_cookie_samesite": { - "type": "string" - } - }, - { - "authorization_cookie_httponly": { - "type": "boolean" - } - }, - { - "session_cookie_lifetime": { - "type": "number" - } - }, - { - "session_cookie_idletime": { - "type": "number" - } - }, - { - "session_cookie_samesite": { - "type": "string" - } - }, - { - "session_cookie_httponly": { - "type": "boolean" - } - }, - { - "session_memcache_prefix": { - "type": "string" - } - }, - { - "session_memcache_socket": { - "type": "string" - } - }, - { - "session_memcache_host": { - "type": "string" - } - }, - { - "session_memcache_port": { - "type": "integer" - } - }, - { - "session_redis_cluster_maxredirections": { - "type": "integer" - } - }, - { - "session_cookie_renew": { - "type": "number" - } - }, - { - "session_cookie_maxsize": { - "type": "integer" - } - }, - { - "session_strategy": { - "type": "string" - } - }, - { - "session_compressor": { - "type": "string" - } - } - ], "required": true, "type": "record", "fields": [ 
@@ -134,57 +55,54 @@ }, { "using_pseudo_issuer": { - "default": false, - "type": "boolean", "required": false, - "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`." + "type": "boolean", + "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "default": false } }, { "discovery_headers_names": { "required": false, "type": "array", + "description": "Extra header names passed to the discovery endpoint.", "elements": { "type": "string" - }, - "description": "Extra header names passed to the discovery endpoint." + } } }, { "discovery_headers_values": { "required": false, "type": "array", + "description": "Extra header values passed to the discovery endpoint.", "elements": { "type": "string" - }, - "description": "Extra header values passed to the discovery endpoint." + } } }, { "extra_jwks_uris": { "required": false, "type": "set", + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery)." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "rediscovery_lifetime": { - "default": 30, - "type": "number", "required": false, - "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis." + "type": "number", + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. 
Discovery is still triggered on an as-needed basis.", + "default": 30 } }, { "auth_methods": { - "required": false, - "type": "array", "elements": { - "type": "string", "one_of": [ "password", "client_credentials", @@ -195,8 +113,10 @@ "kong_oauth2", "refresh_token", "session" - ] + ], + "type": "string" }, + "type": "array", "default": [ "password", "client_credentials", @@ -208,39 +128,40 @@ "refresh_token", "session" ], + "required": false, "description": "Types of credentials/grants to enable." } }, { "client_id": { - "type": "array", - "encrypted": true, - "required": false, "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." + "type": "array", + "required": false, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "encrypted": true } }, { "client_secret": { - "type": "array", - "encrypted": true, - "required": false, "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "description": "The client secret." + "type": "array", + "required": false, + "description": "The client secret.", + "encrypted": true } }, { "client_auth": { "required": false, "type": "array", + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", "elements": { - "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -249,208 +170,208 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ] - }, - "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication)." + ], + "type": "string" + } } }, { "client_jwk": { "required": false, "type": "array", + "description": "The JWK used for the private_key_jwt authentication.", "elements": { - "type": "record", "required": false, + "type": "record", "fields": [ { "issuer": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "kty": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "use": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "key_ops": { "required": false, + "type": "array", "elements": { - "type": "string", - "required": false - }, - "type": "array" + "required": false, + "type": "string" + } } }, { "alg": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "kid": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5u": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5c": { "required": false, + "type": "array", "elements": { - "type": "string", - "required": false - }, - "type": "array" + "required": false, + "type": "string" + } } }, { "x5t": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5t#S256": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "k": { "required": false, - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" 
+ "referenceable": true } }, { "x": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "y": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "crv": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "n": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "e": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "d": { "required": false, - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "p": { "required": false, - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "q": { "required": false, - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "dp": { "required": false, - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "dq": { "required": false, - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "qi": { "required": false, - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "oth": { "required": false, - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "r": { "required": false, - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "t": { "required": false, - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } } ] - }, - "description": "The JWK used for the private_key_jwt authentication." 
+ } } }, { "client_alg": { "required": false, "type": "array", + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", "elements": { - "type": "string", "one_of": [ "HS256", "HS384", 
@@ -465,156 +386,156 @@ "PS384", "PS512", "EdDSA" - ] - }, - "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication." + ], + "type": "string" + } } }, { "client_arg": { - "default": "client_id", - "type": "string", "required": false, - "description": "The client to use for this request (the selection is made with a request parameter with the same name)." + "type": "string", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "default": "client_id" } }, { "redirect_uri": { "required": false, "type": "array", + "description": "The redirect URI passed to the authorization and token endpoints.", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "The redirect URI passed to the authorization and token endpoints." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "login_redirect_uri": { "required": false, "type": "array", + "description": "Where to redirect the client when `login_action` is set to `redirect`.", "elements": { "referenceable": true, "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client when `login_action` is set to `redirect`." + } } }, { "logout_redirect_uri": { "required": false, "type": "array", + "description": "Where to redirect the client after the logout.", "elements": { "referenceable": true, "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client after the logout." 
+ } } }, { "forbidden_redirect_uri": { "required": false, "type": "array", + "description": "Where to redirect the client on forbidden requests.", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client on forbidden requests." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "forbidden_error_message": { - "default": "Forbidden", - "type": "string", "required": false, - "description": "The error message for the forbidden requests (when not using the redirection)." + "type": "string", + "description": "The error message for the forbidden requests (when not using the redirection).", + "default": "Forbidden" } }, { "forbidden_destroy_session": { - "default": true, - "type": "boolean", "required": false, - "description": "Destroy any active session for the forbidden requests." + "type": "boolean", + "description": "Destroy any active session for the forbidden requests.", + "default": true } }, { "unauthorized_destroy_session": { - "default": true, - "type": "boolean", "required": false, - "description": "Destroy any active session for the unauthorized requests." + "type": "boolean", + "description": "Destroy any active session for the unauthorized requests.", + "default": true } }, { "unauthorized_redirect_uri": { "required": false, "type": "array", + "description": "Where to redirect the client on unauthorized requests.", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client on unauthorized requests." 
+ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "unauthorized_error_message": { - "default": "Unauthorized", - "type": "string", "required": false, - "description": "The error message for the unauthorized requests (when not using the redirection)." + "type": "string", + "description": "The error message for the unauthorized requests (when not using the redirection).", + "default": "Unauthorized" } }, { "unexpected_redirect_uri": { "required": false, "type": "array", + "description": "Where to redirect the client when unexpected errors happen with the requests.", "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client when unexpected errors happen with the requests." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "response_mode": { "type": "string", + "default": "query", "required": false, + "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it).", "one_of": [ "query", "form_post", "fragment" - ], - "default": "query", - "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)." 
+ ] } }, { "response_type": { - "required": false, - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ "code" ], + "required": false, "description": "The response type passed to the authorization endpoint." } }, { "scopes": { - "required": false, - "type": "array", "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, + "type": "array", "default": [ "openid" ], + "required": false, "description": "The scopes passed to the authorization and token endpoints." } }, @@ -622,42 +543,42 @@ "audience": { "required": false, "type": "array", + "description": "The audience passed to the authorization endpoint.", "elements": { "type": "string" - }, - "description": "The audience passed to the authorization endpoint." + } } }, { "issuers_allowed": { "required": false, "type": "array", + "description": "The issuers allowed to be present in the tokens (`iss` claim).", "elements": { "type": "string" - }, - "description": "The issuers allowed to be present in the tokens (`iss` claim)." + } } }, { "scopes_required": { "required": false, "type": "array", + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - }, - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } } }, { "scopes_claim": { - "required": false, - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ "scope" ], + "required": false, "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload." } }, 
@@ -665,22 +586,22 @@ "audience_required": { "required": false, "type": "array", + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - }, - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } } }, { "audience_claim": { - "required": false, - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ "aud" ], + "required": false, "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload." } }, @@ -688,22 +609,22 @@ "groups_required": { "required": false, "type": "array", + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - }, - "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } } }, { "groups_claim": { - "required": false, - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ "groups" ], + "required": false, "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload." } }, 
@@ -711,22 +632,22 @@ "roles_required": { "required": false, "type": "array", + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - }, - "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } } }, { "roles_claim": { - "required": false, - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ "roles" ], + "required": false, "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload." } }, @@ -734,16 +655,16 @@ "domains": { "required": false, "type": "array", + "description": "The allowed values for the `hd` claim.", "elements": { "type": "string" - }, - "description": "The allowed values for the `hd` claim." + } } }, { "max_age": { - "type": "number", "required": false, + "type": "number", "description": "The maximum age (in seconds) compared to the `auth_time` claim." } }, @@ -751,10 +672,10 @@ "authenticated_groups_claim": { "required": false, "type": "array", + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - }, - "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { 
@@ -766,7 +687,9 @@ }, { "pushed_authorization_request_endpoint_auth_method": { + "required": false, "type": "string", + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", @@ -775,22 +698,20 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ], - "required": false, - "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + ] } }, { "require_pushed_authorization_requests": { - "type": "boolean", "required": false, + "type": "boolean", "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`)." } }, { "require_proof_key_for_code_exchange": { - "type": "boolean", "required": false, + "type": "boolean", "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled)." } }, 
@@ -805,105 +726,105 @@ "authorization_query_args_names": { "required": false, "type": "array", + "description": "Extra query argument names passed to the authorization endpoint.", "elements": { "type": "string" - }, - "description": "Extra query argument names passed to the authorization endpoint." + } } }, { "authorization_query_args_values": { "required": false, "type": "array", + "description": "Extra query argument values passed to the authorization endpoint.", "elements": { "type": "string" - }, - "description": "Extra query argument values passed to the authorization endpoint." + } } }, { "authorization_query_args_client": { "required": false, "type": "array", + "description": "Extra query arguments passed from the client to the authorization endpoint.", "elements": { "type": "string" - }, - "description": "Extra query arguments passed from the client to the authorization endpoint." + } } }, { "authorization_rolling_timeout": { - "default": 600, - "type": "number", "required": false, - "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." + "type": "number", + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "default": 600 } }, { "authorization_cookie_name": { - "default": "authorization", - "type": "string", "required": false, - "description": "The authorization cookie name." + "type": "string", + "description": "The authorization cookie name.", + "default": "authorization" } }, { "authorization_cookie_path": { - "required": false, "type": "string", + "default": "/", "starts_with": "/", + "required": false, + "description": "The authorization cookie Path flag.", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ], - "default": "/", - "description": "The authorization cookie Path flag." 
+ ] } }, { "authorization_cookie_domain": { - "type": "string", "required": false, + "type": "string", "description": "The authorization cookie Domain flag." } }, { "authorization_cookie_same_site": { "type": "string", + "default": "Default", "required": false, + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "one_of": [ "Strict", "Lax", "None", "Default" - ], - "default": "Default", - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." + ] } }, { "authorization_cookie_http_only": { - "default": true, - "type": "boolean", "required": false, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." + "type": "boolean", + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true } }, { "authorization_cookie_secure": { - "type": "boolean", "required": false, + "type": "boolean", "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." } }, { "preserve_query_args": { - "default": false, - "type": "boolean", "required": false, - "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow." + "type": "boolean", + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "default": false } }, { 
@@ -915,7 +836,9 @@ }, { "token_endpoint_auth_method": { + "required": false, "type": "string", + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -924,55 +847,53 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ], - "required": false, - "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + ] } }, { "token_headers_names": { "required": false, "type": "array", + "description": "Extra header names passed to the token endpoint.", "elements": { "type": "string" - }, - "description": "Extra header names passed to the token endpoint." + } } }, { "token_headers_values": { "required": false, "type": "array", + "description": "Extra header values passed to the token endpoint.", "elements": { "type": "string" - }, - "description": "Extra header values passed to the token endpoint." + } } }, { "token_headers_client": { "required": false, "type": "array", + "description": "Extra headers passed from the client to the token endpoint.", "elements": { "type": "string" - }, - "description": "Extra headers passed from the client to the token endpoint." + } } }, { "token_headers_replay": { "required": false, "type": "array", + "description": "The names of token endpoint response headers to forward to the downstream client.", "elements": { "type": "string" - }, - "description": "The names of token endpoint response headers to forward to the downstream client." + } } }, { "token_headers_prefix": { - "type": "string", "required": false, + "type": "string", "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client." } }, 
@@ -980,46 +901,46 @@ "token_headers_grants": { "required": false, "type": "array", + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", "elements": { - "type": "string", "one_of": [ "password", "client_credentials", "authorization_code", "refresh_token" - ] - }, - "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant." + ], + "type": "string" + } } }, { "token_post_args_names": { "required": false, "type": "array", + "description": "Extra post argument names passed to the token endpoint.", "elements": { "type": "string" - }, - "description": "Extra post argument names passed to the token endpoint." + } } }, { "token_post_args_values": { "required": false, "type": "array", + "description": "Extra post argument values passed to the token endpoint.", "elements": { "type": "string" - }, - "description": "Extra post argument values passed to the token endpoint." + } } }, { "token_post_args_client": { "required": false, "type": "array", + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Reqest Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", "elements": { "type": "string" - }, - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. 
If arguments exist, the client can pass them using: - Query parameters - Request Body - Reqest Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint." + } } }, { @@ -1031,7 +952,9 @@ }, { "introspection_endpoint_auth_method": { + "required": false, "type": "string", + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -1040,106 +963,106 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ], - "required": false, - "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + ] } }, { "introspection_hint": { - "default": "access_token", - "type": "string", "required": false, - "description": "Introspection hint parameter value passed to the introspection endpoint." + "type": "string", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "default": "access_token" } }, { "introspection_check_active": { - "default": true, - "type": "boolean", "required": false, - "description": "Check that the introspection response has an `active` claim with a value of `true`." + "type": "boolean", + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "default": true } }, { "introspection_accept": { "type": "string", + "default": "application/json", "required": false, + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", "one_of": [ "application/json", "application/token-introspection+jwt", "application/jwt" - ], - "default": "application/json", - "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)." 
+ ] } }, { "introspection_headers_names": { "required": false, "type": "array", + "description": "Extra header names passed to the introspection endpoint.", "elements": { "type": "string" - }, - "description": "Extra header names passed to the introspection endpoint." + } } }, { "introspection_headers_values": { - "required": false, - "type": "array", "elements": { + "referenceable": true, "type": "string" }, - "description": "Extra header values passed to the introspection endpoint." + "type": "array", + "required": false, + "description": "Extra header values passed to the introspection endpoint.", + "encrypted": true } }, { "introspection_headers_client": { "required": false, "type": "array", + "description": "Extra headers passed from the client to the introspection endpoint.", "elements": { "type": "string" - }, - "description": "Extra headers passed from the client to the introspection endpoint." + } } }, { "introspection_post_args_names": { "required": false, "type": "array", + "description": "Extra post argument names passed to the introspection endpoint.", "elements": { "type": "string" - }, - "description": "Extra post argument names passed to the introspection endpoint." + } } }, { "introspection_post_args_values": { "required": false, "type": "array", + "description": "Extra post argument values passed to the introspection endpoint.", "elements": { "type": "string" - }, - "description": "Extra post argument values passed to the introspection endpoint." + } } }, { "introspection_post_args_client": { "required": false, "type": "array", + "description": "Extra post arguments passed from the client to the introspection endpoint.", "elements": { "type": "string" - }, - "description": "Extra post arguments passed from the client to the introspection endpoint." 
+ } } }, { "introspect_jwt_tokens": { - "default": false, - "type": "boolean", "required": false, - "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations)." + "type": "boolean", + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "default": false } }, { @@ -1151,7 +1074,9 @@ }, { "revocation_endpoint_auth_method": { + "required": false, "type": "string", + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", @@ -1160,9 +1085,7 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ], - "required": false, - "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + ] } }, { 
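Review bot: `introspection_headers_values` now carries `"encrypted": true` with `"referenceable": true` on its elements, but the sibling `introspection_post_args_values` in this same hunk is still a plain string array. If post arguments can hold credentials the way extra headers can, they would presumably be stored unencrypted and could not be supplied as a vault reference. The same applies to `token_post_args_values` in the earlier hunk and to `userinfo_headers_values` and `userinfo_query_args_values` in the next one. These files are pulled from the API, so the change belongs in the plugin schema upstream: add `"encrypted": true` on the field and `"referenceable": true` on its `elements`, matching `introspection_headers_values`.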
@@ -1182,73 +1105,73 @@ { "userinfo_accept": { "type": "string", + "default": "application/json", "required": false, + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", "one_of": [ "application/json", "application/jwt" - ], - "default": "application/json", - "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)." + ] } }, { "userinfo_headers_names": { "required": false, "type": "array", + "description": "Extra header names passed to the user info endpoint.", "elements": { "type": "string" - }, - "description": "Extra header names passed to the user info endpoint." + } } }, { "userinfo_headers_values": { "required": false, "type": "array", + "description": "Extra header values passed to the user info endpoint.", "elements": { "type": "string" - }, - "description": "Extra header values passed to the user info endpoint." + } } }, { "userinfo_headers_client": { "required": false, "type": "array", + "description": "Extra headers passed from the client to the user info endpoint.", "elements": { "type": "string" - }, - "description": "Extra headers passed from the client to the user info endpoint." + } } }, { "userinfo_query_args_names": { "required": false, "type": "array", + "description": "Extra query argument names passed to the user info endpoint.", "elements": { "type": "string" - }, - "description": "Extra query argument names passed to the user info endpoint." + } } }, { "userinfo_query_args_values": { "required": false, "type": "array", + "description": "Extra query argument values passed to the user info endpoint.", "elements": { "type": "string" - }, - "description": "Extra query argument values passed to the user info endpoint." 
+ } } }, { "userinfo_query_args_client": { "required": false, "type": "array", + "description": "Extra query arguments passed from the client to the user info endpoint.", "elements": { "type": "string" - }, - "description": "Extra query arguments passed from the client to the user info endpoint." + } } }, { 
@@ -1260,142 +1183,142 @@ }, { "session_secret": { + "referenceable": true, "type": "string", "required": false, - "referenceable": true, - "encrypted": true, - "description": "The session secret." + "description": "The session secret.", + "encrypted": true } }, { "session_audience": { - "default": "default", - "type": "string", "required": false, - "description": "The session audience, which is the intended target application. For example `\"my-application\"`." + "type": "string", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "default": "default" } }, { "session_cookie_name": { - "default": "session", - "type": "string", "required": false, - "description": "The session cookie name." + "type": "string", + "description": "The session cookie name.", + "default": "session" } }, { "session_remember": { - "default": false, - "type": "boolean", "required": false, - "description": "Enables or disables persistent sessions." + "type": "boolean", + "description": "Enables or disables persistent sessions.", + "default": false } }, { "session_remember_cookie_name": { - "default": "remember", - "type": "string", "required": false, - "description": "Persistent session cookie name. Use with the `remember` configuration parameter." + "type": "string", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "default": "remember" } }, { "session_remember_rolling_timeout": { - "default": 604800, - "type": "number", "required": false, - "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling." + "type": "number", + "description": "Specifies how long the persistent session is considered valid in seconds. 
0 disables the checks and rolling.", + "default": 604800 } }, { "session_remember_absolute_timeout": { - "default": 2592000, - "type": "number", "required": false, - "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks." + "type": "number", + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "default": 2592000 } }, { "session_idling_timeout": { - "default": 900, - "type": "number", "required": false, - "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching." + "type": "number", + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "default": 900 } }, { "session_rolling_timeout": { - "default": 3600, - "type": "number", "required": false, - "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." + "type": "number", + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "default": 3600 } }, { "session_absolute_timeout": { - "default": 86400, - "type": "number", "required": false, - "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks." + "type": "number", + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 
0 disables the checks.", + "default": 86400 } }, { "session_cookie_path": { - "required": false, "type": "string", + "default": "/", "starts_with": "/", + "required": false, + "description": "The session cookie Path flag.", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ], - "default": "/", - "description": "The session cookie Path flag." + ] } }, { "session_cookie_domain": { - "type": "string", "required": false, + "type": "string", "description": "The session cookie Domain flag." } }, { "session_cookie_same_site": { "type": "string", + "default": "Lax", "required": false, + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "one_of": [ "Strict", "Lax", "None", "Default" - ], - "default": "Lax", - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." + ] } }, { "session_cookie_http_only": { - "default": true, - "type": "boolean", "required": false, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." + "type": "boolean", + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true } }, { "session_cookie_secure": { - "type": "boolean", "required": false, + "type": "boolean", "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." } }, { "session_request_headers": { - "type": "set", "required": false, + "type": "set", + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. 
`[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", "elements": { - "type": "string", "one_of": [ "id", "audience", @@ -1404,17 +1327,17 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ] - }, - "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers." + ], + "type": "string" + } } }, { "session_response_headers": { - "type": "set", "required": false, + "type": "set", + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", "elements": { - "type": "string", "one_of": [ "id", "audience", 
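Review bot: `session_cookie_same_site` accepts `None`, while `session_cookie_secure` in the same hunk has no `default` and its description does not say what applies when it is left unset. Modern browsers reject `SameSite=None` cookies that lack the `Secure` attribute, so that combination can break the session cookie instead of relaxing it. I would state the unset behaviour in the `session_cookie_secure` description and add a sentence to `session_cookie_same_site` saying that the value None requires `session_cookie_secure` to be true. The file is downloaded from the API, so the wording has to change in the plugin schema upstream.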
@@ -1423,183 +1346,183 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ] - }, - "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers." + ], + "type": "string" + } } }, { "session_storage": { "type": "string", + "default": "cookie", "required": false, + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", "one_of": [ "cookie", "memcache", "memcached", "redis" - ], - "default": "cookie", - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis." + ] } }, { "session_store_metadata": { - "default": false, - "type": "boolean", "required": false, - "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject." + "type": "boolean", + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "default": false } }, { "session_enforce_same_subject": { - "default": false, - "type": "boolean", "required": false, - "description": "When set to `true`, audiences are forced to share the same subject." 
+ "type": "boolean", + "description": "When set to `true`, audiences are forced to share the same subject.", + "default": false } }, { "session_hash_subject": { - "default": false, - "type": "boolean", "required": false, - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." + "type": "boolean", + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "default": false } }, { "session_hash_storage_key": { - "default": false, - "type": "boolean", "required": false, - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." + "type": "boolean", + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "default": false } }, { "session_memcached_prefix": { - "type": "string", "required": false, + "type": "string", "description": "The memcached session key prefix." } }, { "session_memcached_socket": { - "type": "string", "required": false, + "type": "string", "description": "The memcached unix socket path." } }, { "session_memcached_host": { - "default": "127.0.0.1", - "type": "string", "required": false, - "description": "The memcached host." + "type": "string", + "description": "The memcached host.", + "default": "127.0.0.1" } }, { "session_memcached_port": { - "required": false, + "type": "integer", + "default": 11211, "between": [ 0, 65535 ], - "type": "integer", - "default": 11211, + "required": false, "description": "The memcached port." } }, { "session_redis_prefix": { - "type": "string", "required": false, + "type": "string", "description": "The Redis session key prefix." 
} }, { "session_redis_socket": { - "type": "string", "required": false, + "type": "string", "description": "The Redis unix socket path." } }, { "session_redis_host": { - "default": "127.0.0.1", - "type": "string", "required": false, - "description": "The Redis host." + "type": "string", + "description": "The Redis host.", + "default": "127.0.0.1" } }, { "session_redis_port": { - "required": false, + "type": "integer", + "default": 6379, "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, + "required": false, "description": "The Redis port." } }, { "session_redis_username": { - "type": "string", "referenceable": true, - "required": false, - "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "type": "string", + "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "required": false } }, { "session_redis_password": { + "referenceable": true, "type": "string", "required": false, - "referenceable": true, - "encrypted": true, - "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis." + "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true } }, { "session_redis_connect_timeout": { - "type": "integer", "required": false, + "type": "integer", "description": "Session redis connection timeout in milliseconds." 
} }, { "session_redis_read_timeout": { - "type": "integer", "required": false, + "type": "integer", "description": "Session redis read timeout in milliseconds." } }, { "session_redis_send_timeout": { - "type": "integer", "required": false, + "type": "integer", "description": "Session redis send timeout in milliseconds." } }, { "session_redis_ssl": { - "default": false, - "type": "boolean", "required": false, - "description": "Use SSL/TLS for Redis connection." + "type": "boolean", + "description": "Use SSL/TLS for Redis connection.", + "default": false } }, { "session_redis_ssl_verify": { - "default": false, - "type": "boolean", "required": false, - "description": "Verify identity provider server certificate." + "type": "boolean", + "description": "Verify identity provider server certificate.", + "default": false } }, { "session_redis_server_name": { - "type": "string", "required": false, + "type": "string", "description": "The SNI used for connecting the Redis server." } }, 
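Review bot: The description of `session_redis_ssl_verify` reads `Verify identity provider server certificate.`, which looks copied from an identity-provider option. The field sits among the Redis session settings and presumably controls verification of the Redis server certificate. Both it and `session_redis_ssl` default to `false`, so the description is the only way a reader learns what enabling it protects. Suggested text, to be fixed in the plugin schema upstream since this file is pulled from the API: `"description": "Verify the Redis server certificate."`.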
@@ -1607,281 +1530,281 @@ "session_redis_cluster_nodes": { "required": false, "type": "array", + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", "elements": { - "type": "record", "fields": [ { "ip": { - "default": "127.0.0.1", "required": true, "type": "string", + "default": "127.0.0.1", "description": "A string representing a host name, such as example.com." } }, { "port": { + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } } - ] - }, - "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values." + ], + "type": "record" + } } }, { "session_redis_cluster_max_redirections": { - "type": "integer", "required": false, + "type": "integer", "description": "The Redis cluster maximum redirects." } }, { "reverify": { - "default": false, - "type": "boolean", "required": false, - "description": "Specifies whether to always verify tokens stored in the session." + "type": "boolean", + "description": "Specifies whether to always verify tokens stored in the session.", + "default": false } }, { "jwt_session_claim": { - "default": "sid", - "type": "string", "required": false, - "description": "The claim to match against the JWT session cookie." + "type": "string", + "description": "The claim to match against the JWT session cookie.", + "default": "sid" } }, { "jwt_session_cookie": { - "type": "string", "required": false, + "type": "string", "description": "The name of the JWT session cookie." 
} }, { "bearer_token_param_type": { - "required": false, - "type": "array", "elements": { - "type": "string", "one_of": [ "header", "cookie", "query", "body" - ] + ], + "type": "string" }, + "type": "array", "default": [ "header", "query", "body" ], + "required": false, "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`." } }, { "bearer_token_cookie_name": { - "type": "string", "required": false, + "type": "string", "description": "The name of the cookie in which the bearer token is passed." } }, { "client_credentials_param_type": { - "required": false, - "type": "array", "elements": { - "type": "string", "one_of": [ "header", "query", "body" - ] + ], + "type": "string" }, + "type": "array", "default": [ "header", "query", "body" ], + "required": false, "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body." } }, { "password_param_type": { - "required": false, - "type": "array", "elements": { - "type": "string", "one_of": [ "header", "query", "body" - ] + ], + "type": "string" }, + "type": "array", "default": [ "header", "query", "body" ], + "required": false, "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." 
} }, { "id_token_param_type": { - "required": false, - "type": "array", "elements": { - "type": "string", "one_of": [ "header", "query", "body" - ] + ], + "type": "string" }, + "type": "array", "default": [ "header", "query", "body" ], + "required": false, "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." } }, { "id_token_param_name": { - "type": "string", "required": false, + "type": "string", "description": "The name of the parameter used to pass the id token." } }, { "refresh_token_param_type": { - "required": false, - "type": "array", "elements": { - "type": "string", "one_of": [ "header", "query", "body" - ] + ], + "type": "string" }, + "type": "array", "default": [ "header", "query", "body" ], + "required": false, "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." } }, { "refresh_token_param_name": { - "type": "string", "required": false, + "type": "string", "description": "The name of the parameter used to pass the refresh token." } }, { "refresh_tokens": { - "default": true, - "type": "boolean", "required": false, - "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available." + "type": "boolean", + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "default": true } }, { "upstream_headers_claims": { "required": false, "type": "array", + "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - }, - "description": "The upstream header claims. 
If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { "upstream_headers_names": { "required": false, "type": "array", + "description": "The upstream header names for the claim values.", "elements": { "type": "string" - }, - "description": "The upstream header names for the claim values." + } } }, { "upstream_access_token_header": { - "default": "authorization:bearer", - "type": "string", "required": false, - "description": "The upstream access token header." + "type": "string", + "description": "The upstream access token header.", + "default": "authorization:bearer" } }, { "upstream_access_token_jwk_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream access token JWK header." } }, { "upstream_id_token_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream id token header." } }, { "upstream_id_token_jwk_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream id token JWK header." } }, { "upstream_refresh_token_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream refresh token header." } }, { "upstream_user_info_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream user info header." } }, { "upstream_user_info_jwt_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream user info JWT header (in case the user info returns a JWT response)." } }, { "upstream_introspection_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream introspection header." } }, { "upstream_introspection_jwt_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream introspection JWT header." 
} }, { "upstream_session_id_header": { - "type": "string", "required": false, + "type": "string", "description": "The upstream session id header." } }, 
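Review bot: `bearer_token_param_type`, `client_credentials_param_type`, `password_param_type`, `id_token_param_type` and `refresh_token_param_type` all default to `header`, `query`, `body`, and none of their descriptions says what accepting credentials from the query string implies. Query strings are commonly written to access and proxy logs, so passwords and tokens passed that way can persist outside the request itself. I would add one sentence to each description, for example `Values read from the query string may be recorded in access logs; remove query from the list when clients can use a header or the body.` This file is downloaded from the API, so the text has to change in the plugin schema upstream.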
@@ -1889,98 +1812,95 @@ "downstream_headers_claims": { "required": false, "type": "array", + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - }, - "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { "downstream_headers_names": { "required": false, "type": "array", + "description": "The downstream header names for the claim values.", "elements": { "type": "string" - }, - "description": "The downstream header names for the claim values." + } } }, { "downstream_access_token_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream access token header." } }, { "downstream_access_token_jwk_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream access token JWK header." } }, { "downstream_id_token_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream id token header." } }, { "downstream_id_token_jwk_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream id token JWK header." } }, { "downstream_refresh_token_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream refresh token header." } }, { "downstream_user_info_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream user info header." } }, { "downstream_user_info_jwt_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream user info JWT header (in case the user info returns a JWT response)." } }, { "downstream_introspection_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream introspection header." 
} }, { "downstream_introspection_jwt_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream introspection JWT header." } }, { "downstream_session_id_header": { - "type": "string", "required": false, + "type": "string", "description": "The downstream session id header." } }, { "login_methods": { - "required": false, - "type": "array", "elements": { - "type": "string", "one_of": [ "password", "client_credentials", 
@@ -1991,234 +1911,234 @@ "kong_oauth2", "refresh_token", "session" - ] + ], + "type": "string" }, + "type": "array", "default": [ "authorization_code" ], + "required": false, "description": "Enable login functionality with specified grants." } }, { "login_action": { "type": "string", + "default": "upstream", "required": false, + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", "one_of": [ "upstream", "response", "redirect" - ], - "default": "upstream", - "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location." + ] } }, { "login_tokens": { - "required": false, - "type": "array", "elements": { - "type": "string", "one_of": [ "id_token", "access_token", "refresh_token", "tokens", "introspection" - ] + ], + "type": "string" }, + "type": "array", "default": [ "id_token" ], + "required": false, "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response." } }, { "login_redirect_mode": { "type": "string", + "default": "fragment", "required": false, + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", "one_of": [ "query", "fragment" - ], - "default": "fragment", - "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)." 
+ ] } }, { "logout_query_arg": { - "type": "string", "required": false, + "type": "string", "description": "The request query argument that activates the logout." } }, { "logout_post_arg": { - "type": "string", "required": false, + "type": "string", "description": "The request body argument that activates the logout." } }, { "logout_uri_suffix": { - "type": "string", "required": false, + "type": "string", "description": "The request URI suffix that activates the logout." } }, { "logout_methods": { - "required": false, - "type": "array", "elements": { - "type": "string", "one_of": [ "POST", "GET", "DELETE" - ] + ], + "type": "string" }, + "type": "array", "default": [ "POST", "DELETE" ], + "required": false, "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method." } }, { "logout_revoke": { - "default": false, - "type": "boolean", "required": false, - "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters." + "type": "boolean", + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "default": false } }, { "logout_revoke_access_token": { - "default": true, - "type": "boolean", "required": false, - "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`." + "type": "boolean", + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "default": true } }, { "logout_revoke_refresh_token": { - "default": true, - "type": "boolean", "required": false, - "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`." 
+ "type": "boolean", + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "default": true } }, { "consumer_claim": { "required": false, "type": "array", + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - }, - "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { "consumer_by": { - "required": false, - "type": "array", "elements": { - "type": "string", "one_of": [ "id", "username", "custom_id" - ] + ], + "type": "string" }, + "type": "array", "default": [ "username", "custom_id" ], + "required": false, "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`." } }, { "consumer_optional": { - "default": false, - "type": "boolean", "required": false, - "description": "Do not terminate the request if consumer mapping fails." + "type": "boolean", + "description": "Do not terminate the request if consumer mapping fails.", + "default": false } }, { "credential_claim": { - "required": false, - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ "sub" ], + "required": false, "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload." } }, { "anonymous": { - "type": "string", "required": false, + "type": "string", "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. 
If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { "run_on_preflight": { - "default": true, - "type": "boolean", "required": false, - "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests." + "type": "boolean", + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "default": true } }, { "leeway": { - "default": 0, - "type": "number", "required": false, - "description": "Allow some leeway (in seconds) on the iat claim and ttl / expiry verification." + "type": "number", + "description": "Allow some leeway (in seconds) on the iat claim and ttl / expiry verification.", + "default": 0 } }, { "verify_parameters": { - "default": false, - "type": "boolean", "required": false, - "description": "Verify plugin configuration against discovery." + "type": "boolean", + "description": "Verify plugin configuration against discovery.", + "default": false } }, { "verify_nonce": { - "default": true, - "type": "boolean", "required": false, - "description": "Verify nonce on authorization code flow." + "type": "boolean", + "description": "Verify nonce on authorization code flow.", + "default": true } }, { "verify_claims": { - "default": true, - "type": "boolean", "required": false, - "description": "Verify tokens for standard claims." + "type": "boolean", + "description": "Verify tokens for standard claims.", + "default": true } }, { "verify_signature": { - "default": true, - "type": "boolean", "required": false, - "description": "Verify signature of tokens." + "type": "boolean", + "description": "Verify signature of tokens.", + "default": true } }, { "ignore_signature": { - "required": false, - "type": "array", "elements": { - "type": "string", "one_of": [ "password", "client_credentials", 
@@ -2227,28 +2147,31 @@ "session", "introspection", "userinfo" - ] + ], + "type": "string" }, + "type": "array", "default": [ ], + "required": false, "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication." } }, { "enable_hs_signatures": { - "default": false, - "type": "boolean", "required": false, - "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted)." + "type": "boolean", + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "default": false } }, { "disable_session": { "required": false, "type": "array", + "description": "Disable issuing the session cookie with the specified grants.", "elements": { - "type": "string", "one_of": [ "password", "client_credentials", 
@@ -2259,108 +2182,108 @@ "kong_oauth2", "refresh_token", "session" - ] - }, - "description": "Disable issuing the session cookie with the specified grants." + ], + "type": "string" + } } }, { "cache_ttl": { - "default": 3600, - "type": "number", "required": false, - "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry." + "type": "number", + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "default": 3600 } }, { "cache_ttl_max": { - "type": "number", "required": false, + "type": "number", "description": "The maximum cache ttl in seconds (enforced)." } }, { "cache_ttl_min": { - "type": "number", "required": false, + "type": "number", "description": "The minimum cache ttl in seconds (enforced)." } }, { "cache_ttl_neg": { - "type": "number", "required": false, + "type": "number", "description": "The negative cache ttl in seconds." } }, { "cache_ttl_resurrect": { - "type": "number", "required": false, + "type": "number", "description": "The resurrection ttl in seconds." } }, { "cache_tokens": { - "default": true, - "type": "boolean", "required": false, - "description": "Cache the token endpoint requests." + "type": "boolean", + "description": "Cache the token endpoint requests.", + "default": true } }, { "cache_tokens_salt": { "auto": true, "type": "string", - "required": false, - "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "required": false } }, { "cache_introspection": { - "default": true, - "type": "boolean", "required": false, - "description": "Cache the introspection endpoint requests." 
+ "type": "boolean", + "description": "Cache the introspection endpoint requests.", + "default": true } }, { "cache_token_exchange": { - "default": true, - "type": "boolean", "required": false, - "description": "Cache the token exchange endpoint requests." + "type": "boolean", + "description": "Cache the token exchange endpoint requests.", + "default": true } }, { "cache_user_info": { - "default": true, - "type": "boolean", "required": false, - "description": "Cache the user info requests." + "type": "boolean", + "description": "Cache the user info requests.", + "default": true } }, { "search_user_info": { - "default": false, - "type": "boolean", "required": false, - "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers." + "type": "boolean", + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "default": false } }, { "hide_credentials": { - "default": false, - "type": "boolean", "required": false, - "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication." + "type": "boolean", + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "default": false } }, { "http_version": { "required": false, - "default": 1.1, "type": "number", + "default": 1.1, "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0." } }, 
@@ -2373,8 +2296,8 @@ }, { "http_proxy_authorization": { - "type": "string", "required": false, + "type": "string", "description": "The HTTP proxy authorization." } }, 
@@ -2387,132 +2310,132 @@ }, { "https_proxy_authorization": { - "type": "string", "required": false, + "type": "string", "description": "The HTTPS proxy authorization." } }, { "no_proxy": { - "type": "string", "required": false, + "type": "string", "description": "Do not use proxy with these hosts." } }, { "keepalive": { - "default": true, - "type": "boolean", "required": false, - "description": "Use keepalive with the HTTP client." + "type": "boolean", + "description": "Use keepalive with the HTTP client.", + "default": true } }, { "ssl_verify": { - "default": false, - "type": "boolean", "required": false, - "description": "Verify identity provider server certificate." + "type": "boolean", + "description": "Verify identity provider server certificate.", + "default": false } }, { "timeout": { - "default": 10000, - "type": "number", "required": false, - "description": "Network IO timeout in milliseconds." + "type": "number", + "description": "Network IO timeout in milliseconds.", + "default": 10000 } }, { "display_errors": { - "default": false, - "type": "boolean", "required": false, - "description": "Display errors on failure responses." + "type": "boolean", + "description": "Display errors on failure responses.", + "default": false } }, { "by_username_ignore_case": { - "default": false, - "type": "boolean", "required": false, - "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively." + "type": "boolean", + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "default": false } }, { "resolve_distributed_claims": { - "default": false, - "type": "boolean", "required": false, - "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims." 
+ "type": "boolean", + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "default": false } }, { "expose_error_code": { "type": "boolean", - "default": true, - "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable." + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "default": true } }, { "token_cache_key_include_scope": { "type": "boolean", - "default": false, - "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens." + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "default": false } }, { "introspection_token_param_name": { - "default": "token", - "type": "string", "required": false, - "description": "Designate token's parameter name for introspection." + "type": "string", + "description": "Designate token's parameter name for introspection.", + "default": "token" } }, { "revocation_token_param_name": { - "default": "token", - "type": "string", "required": false, - "description": "Designate token's parameter name for revocation." + "type": "string", + "description": "Designate token's parameter name for revocation.", + "default": "token" } }, { "proof_of_possession_mtls": { "type": "string", + "default": "off", "required": false, + "description": "Enable mtls proof of possession. 
If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", "one_of": [ "off", "strict", "optional" - ], - "default": "off", - "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401." + ] } }, { "proof_of_possession_auth_methods_validation": { - "default": true, - "type": "boolean", "required": false, - "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP." + "type": "boolean", + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "default": true } }, { "tls_client_auth_cert_id": { - "uuid": true, "type": "string", + "uuid": true, + "auto": false, "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", - "required": false, - "auto": false + "required": false } }, { "tls_client_auth_ssl_verify": { - "default": true, - "type": "boolean", "required": false, - "description": "Verify identity provider server certificate during mTLS client authentication." 
+ "type": "boolean", + "description": "Verify identity provider server certificate during mTLS client authentication.", + "default": true } }, { @@ -2536,11 +2459,90 @@ "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." } } + ], + "shorthand_fields": [ + { + "authorization_cookie_lifetime": { + "type": "number" + } + }, + { + "authorization_cookie_samesite": { + "type": "string" + } + }, + { + "authorization_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_cookie_lifetime": { + "type": "number" + } + }, + { + "session_cookie_idletime": { + "type": "number" + } + }, + { + "session_cookie_samesite": { + "type": "string" + } + }, + { + "session_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "type": "string" + } + }, + { + "session_memcache_socket": { + "type": "string" + } + }, + { + "session_memcache_host": { + "type": "string" + } + }, + { + "session_memcache_port": { + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer" + } + }, + { + "session_cookie_renew": { + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "type": "integer" + } + }, + { + "session_strategy": { + "type": "string" + } + }, + { + "session_compressor": { + "type": "string" + } + } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/opentelemetry/3.6.x.json b/schemas/opentelemetry/3.6.x.json index d1c94e10..756e5607 100644 --- a/schemas/opentelemetry/3.6.x.json +++ b/schemas/opentelemetry/3.6.x.json 
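Review bot: The `ssl_verify` entry in this hunk keeps `"default": false` under the description "Verify identity provider server certificate.", so the schema never tells the reader that the shipped default leaves the identity provider's TLS certificate unchecked. With verification off, the discovery, token and introspection responses the plugin relies on are not tied to an authenticated server, in contrast with `tls_client_auth_ssl_verify` in the same hunk, which defaults to `true`. The description should state the consequence, for example `"description": "Verify identity provider server certificate. Defaults to false, which leaves the connection to the identity provider unauthenticated; set to true in production."`. The `token_cache_key_include_scope` description in this hunk also contains the typo `diffrent`. These files are pulled from the API, so both wording fixes presumably belong in the plugin's schema source.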
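Review bot: Every entry in the added `shorthand_fields` array carries only a `type`, so this hunk introduces sixteen configurable names with no `description`, although the commit message says descriptions were merged into the schemas. Several of them are cookie-hardening switches (`authorization_cookie_httponly`, `session_cookie_httponly`, `session_cookie_samesite`), and a reader cannot tell from the schema which `config` field each one maps to or which values it accepts. If these are aliases for renamed fields, as the key name suggests, each entry should say so, for example `"description": "Alias for <current field name>; prefer the current field."`.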
@@ -1,38 +1,40 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "entity_checks": [ { "custom_entity_check": { 
@@ -43,85 +45,85 @@ } } ], - "required": true, + "type": "record", "fields": [ { "endpoint": { - "required": true, "referenceable": true, "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": true } }, { "headers": { "keys": { - "type": "string", - "description": "A string representing an HTTP header name." - }, - "values": { - "type": "string", - "referenceable": true + "description": "A string representing an HTTP header name.", + "type": "string" }, "type": "map", - "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend." + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", + "values": { + "referenceable": true, + "type": "string" + } } }, { "resource_attributes": { "keys": { - "type": "string", - "required": true + "required": true, + "type": "string" }, "type": "map", "values": { - "type": "string", - "required": true + "required": true, + "type": "string" } } }, { "queue": { - "type": "record", "required": true, + "type": "record", "fields": [ { "max_batch_size": { + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 - ], - "type": "integer", - "default": 1, - "description": "Maximum number of entries that can be processed at a time." 
+ ] } }, { "max_coalescing_delay": { + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 - ], - "type": "number", - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + ] } }, { "max_entries": { + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 - ], - "type": "integer", - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue." + ] } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { @@ -133,24 +135,24 @@ }, { "initial_retry_delay": { + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 - ], - "type": "number", - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch." + ] } }, { "max_retry_delay": { + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ], - "type": "number", - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff." + ] } } ] 
@@ -158,47 +160,47 @@ }, { "batch_span_count": { - "type": "integer", - "description": "The number of spans to be sent in a single batch." + "description": "The number of spans to be sent in a single batch.", + "type": "integer" } }, { "batch_flush_delay": { - "type": "integer", - "description": "The delay, in seconds, between two consecutive batches." + "description": "The delay, in seconds, between two consecutive batches.", + "type": "integer" } }, { "connect_timeout": { + "default": 1000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "default": 1000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "send_timeout": { + "default": 5000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "default": 5000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "read_timeout": { + "default": 5000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "default": 5000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { @@ -208,7 +210,9 @@ }, { "header_type": { + "required": false, "type": "string", + "default": "preserve", "one_of": [ "preserve", "ignore", 
@@ -220,27 +224,23 @@ "aws", "gcp", "datadog" - ], - "default": "preserve", - "required": false + ] } }, { "sampling_rate": { + "required": false, + "type": "number", + "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", "between": [ 0, 1 - ], - "type": "number", - "required": false, - "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf." + ] } } - ] + ], + "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/post-function/3.6.x.json b/schemas/post-function/3.6.x.json index 3f32fd01..da553433 100644 --- a/schemas/post-function/3.6.x.json +++ b/schemas/post-function/3.6.x.json @@ -1,18 +1,23 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ], "fields": [ { "protocols": { - "elements": { - "type": "string", - "one_of": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] - }, "required": false, "type": "set", "default": [ 
@@ -22,35 +27,38 @@ "https", "ws", "wss" - ] + ], + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "type": "string" + } } }, { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { "one_of": [ "grpc", 
@@ -67,162 +75,154 @@ "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing protocols." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "certificate": { "required": true, "type": "array", + "default": [ + + ], "elements": { "required": false, "type": "string" - }, - "default": [ - - ] + } } }, { "rewrite": { "required": true, "type": "array", + "default": [ + + ], "elements": { "required": false, "type": "string" - }, - "default": [ - - ] + } } }, { "access": { "required": true, "type": "array", + "default": [ + + ], "elements": { "required": false, "type": "string" - }, - "default": [ - - ] + } } }, { "header_filter": { "required": true, "type": "array", + "default": [ + + ], "elements": { "required": false, "type": "string" - }, - "default": [ - - ] + } } }, { "body_filter": { "required": true, "type": "array", + "default": [ + + ], "elements": { "required": false, "type": "string" - }, - "default": [ - - ] + } } }, { "log": { "required": true, "type": "array", + "default": [ + + ], "elements": { "required": false, "type": "string" - }, - "default": [ - - ] + } } }, { "ws_handshake": { "required": true, "type": "array", + "default": [ + + ], "elements": { "required": false, "type": "string" - }, - "default": [ - - ] + } } }, { "ws_client_frame": { "required": true, "type": "array", + "default": [ + + ], "elements": { "required": false, "type": "string" - }, - "default": [ - - ] + } } }, { "ws_upstream_frame": { "required": true, "type": "array", + "default": [ + + ], "elements": { "required": false, "type": "string" - }, - "default": [ - - ] + } } }, { "ws_close": { "required": true, "type": "array", + "default": [ + + ], "elements": { "required": false, "type": "string" - }, - "default": [ - - ] + } } } ] } } - ], - "entity_checks": [ - { 
- "at_least_one_of": [ - "config.certificate", - "config.rewrite", - "config.access", - "config.header_filter", - "config.body_filter", - "config.log", - "config.ws_handshake", - "config.ws_upstream_frame", - "config.ws_client_frame", - "config.ws_close" - ] - } ] } \ No newline at end of file diff --git a/schemas/pre-function/3.6.x.json b/schemas/pre-function/3.6.x.json index 3f32fd01..da553433 100644 --- a/schemas/pre-function/3.6.x.json +++ b/schemas/pre-function/3.6.x.json @@ -1,18 +1,23 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ], "fields": [ { "protocols": { - "elements": { - "type": "string", - "one_of": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] - }, "required": false, "type": "set", "default": [ @@ -22,35 +27,38 @@ "https", "ws", "wss" - ] + ], + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "type": "string" + } } }, { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { "one_of": [ "grpc", 
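Review bot: None of the ten `config` phase fields in this hunk (`certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, `log` and the four `ws_*` fields) has a `description`, so the schema presents them as plain string arrays. For Kong's serverless function plugins these strings are Lua source that the gateway runs in the named phase, which means write access to this configuration amounts to code execution on the proxy. The schema should say that, for example `"description": "Lua code to run during the access phase. Restrict who can configure this plugin."`. The `pre-function/3.6.x.json` hunk that follows has the same gap. These files are pulled from the API, so the text presumably has to be added in the plugin's schema source.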
@@ -67,162 +75,154 @@ "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing protocols." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "certificate": { "required": true, "type": "array", + "default": [ + + ], "elements": { "required": false, "type": "string" - }, - "default": [ - - ] + } } }, { "rewrite": { "required": true, "type": "array", + "default": [ + + ], "elements": { "required": false, "type": "string" - }, - "default": [ - - ] + } } }, { "access": { "required": true, "type": "array", + "default": [ + + ], "elements": { "required": false, "type": "string" - }, - "default": [ - - ] + } } }, { "header_filter": { "required": true, "type": "array", + "default": [ + + ], "elements": { "required": false, "type": "string" - }, - "default": [ - - ] + } } }, { "body_filter": { "required": true, "type": "array", + "default": [ + + ], "elements": { "required": false, "type": "string" - }, - "default": [ - - ] + } } }, { "log": { "required": true, "type": "array", + "default": [ + + ], "elements": { "required": false, "type": "string" - }, - "default": [ - - ] + } } }, { "ws_handshake": { "required": true, "type": "array", + "default": [ + + ], "elements": { "required": false, "type": "string" - }, - "default": [ - - ] + } } }, { "ws_client_frame": { "required": true, "type": "array", + "default": [ + + ], "elements": { "required": false, "type": "string" - }, - "default": [ - - ] + } } }, { "ws_upstream_frame": { "required": true, "type": "array", + "default": [ + + ], "elements": { "required": false, "type": "string" - }, - "default": [ - - ] + } } }, { "ws_close": { "required": true, "type": "array", + "default": [ + + ], "elements": { "required": false, "type": "string" - }, - "default": [ - - ] + } } } ] } } - ], - "entity_checks": [ - { 
- "at_least_one_of": [ - "config.certificate", - "config.rewrite", - "config.access", - "config.header_filter", - "config.body_filter", - "config.log", - "config.ws_handshake", - "config.ws_upstream_frame", - "config.ws_client_frame", - "config.ws_close" - ] - } ] } \ No newline at end of file diff --git a/schemas/prometheus/3.6.x.json b/schemas/prometheus/3.6.x.json index ba89d039..e6f9921b 100644 --- a/schemas/prometheus/3.6.x.json +++ b/schemas/prometheus/3.6.x.json @@ -1,15 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { "one_of": [ "grpc", 
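Review bot: The ten phase fields under `config` in the `@@ -67,162 +75,154 @@` hunk of schemas/pre-function/3.6.x.json (`certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, `log` and the four `ws_*` fields) have no `description`, although `protocols` in the same hunk has one and the commit message says descriptions now live in the schemas. If, as in Kong's serverless function plugins, each string is Lua source run in the named phase, the schema should say so, because write access to this plugin's configuration then amounts to code execution inside the gateway. A per-field text such as `"description": "Lua code to run during the access phase. Restrict who may edit this plugin's configuration."` would cover it. The hunk with the same header at the top of this excerpt, whose file header is not visible here, has the same gap. Since these files are pulled from the API, the text probably has to be added in the plugin's schema source.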
@@ -26,62 +21,67 @@ "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "per_consumer": { - "default": false, "type": "boolean", + "default": false, "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available." } }, { "status_code_metrics": { - "default": false, "type": "boolean", + "default": false, "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported." } }, { "latency_metrics": { - "default": false, "type": "boolean", + "default": false, "description": "A boolean value that determines if status code metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported." } }, { "bandwidth_metrics": { - "default": false, "type": "boolean", + "default": false, "description": "A boolean value that determines if status code metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported." } }, { "upstream_health_metrics": { - "default": false, "type": "boolean", + "default": false, "description": "A boolean value that determines if status code metrics should be collected. If enabled, `upstream_target_health` metric will be exported." } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
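Review bot: The descriptions of `latency_metrics`, `bandwidth_metrics` and `upstream_health_metrics` in schemas/prometheus/3.6.x.json all open with the sentence written for `status_code_metrics` ("determines if status code metrics should be collected"), so three flags are documented as controlling the wrong thing. Each first sentence should name its own metric family, for example `A boolean value that determines if latency metrics should be collected.` for `latency_metrics`. The second sentence of each description already lists the matching metric names, so only the opening sentence needs changing. These lines are only reordered by the commit, so the wording most likely has to be corrected in the upstream schema the API serves.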
diff --git a/schemas/proxy-cache-advanced/3.6.x.json b/schemas/proxy-cache-advanced/3.6.x.json index 0c64efc5..25f4eaab 100644 --- a/schemas/proxy-cache-advanced/3.6.x.json +++ b/schemas/proxy-cache-advanced/3.6.x.json @@ -1,42 +1,43 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "response_code": { - "required": true, - "type": "array", - "len_min": 1, - "default": [ - 200, - 301, - 404 - ], "elements": { "type": "integer", "between": [ 
@@ -44,95 +45,103 @@ 900 ] }, + "type": "array", + "default": [ + 200, + 301, + 404 + ], + "len_min": 1, + "required": true, "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900." } }, { "request_method": { - "required": true, - "type": "array", "elements": { - "type": "string", "one_of": [ "HEAD", "GET", "POST", "PATCH", "PUT" - ] + ], + "type": "string" }, + "type": "array", "default": [ "GET", "HEAD" ], + "required": true, "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`." } }, { "content_type": { - "required": true, - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ "text/plain", "application/json" ], + "required": true, "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned." } }, { "cache_ttl": { - "type": "integer", "gt": 0, + "type": "integer", "default": 300, "description": "TTL in seconds of cache entities." } }, { "strategy": { + "required": true, "type": "string", + "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", "one_of": [ "memory", "redis" - ], - "required": true, - "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`." + ] } }, { "cache_control": { - "default": false, - "type": "boolean", "required": true, + "type": "boolean", + "default": false, "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234." 
} }, { "ignore_uri_case": { - "default": false, - "type": "boolean", "required": false, + "type": "boolean", + "default": false, "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI." } }, { "storage_ttl": { - "type": "integer", - "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" } }, { "memory": { - "type": "record", "required": true, + "type": "record", "fields": [ { "dictionary_name": { - "default": "kong_db_cache", - "type": "string", "required": true, + "type": "string", + "default": "kong_db_cache", "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template." } } 
@@ -141,44 +150,44 @@ }, { "vary_query_params": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration." } }, { "vary_headers": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." } }, { "response_headers": { - "description": "Caching related diagnostic headers that should be included in cached responses", - "type": "record", "required": true, + "type": "record", + "description": "Caching related diagnostic headers that should be included in cached responses", "fields": [ { "age": { - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "X-Cache-Status": { - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "X-Cache-Key": { - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } } ] @@ -186,41 +195,40 @@ }, { "redis": { - "type": "record", "entity_checks": [ { "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_addresses" + ], + "set2": [ + "host", + "port" ] } }, { "mutually_exclusive_sets": { - "set2": [ - "cluster_addresses" - ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_addresses" + ], + "set2": [ + "cluster_addresses" ] } }, { "mutually_exclusive_sets": { + "set1": [ + "cluster_addresses" + ], "set2": [ "host", "port" - ], - "set1": [ - "cluster_addresses" ] } }, 
@@ -245,63 +253,63 @@ ] } ], - "required": true, + "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "timeout": { + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { 
@@ -314,9 +322,9 @@ { "password": { "encrypted": true, - "referenceable": true, "type": "string", - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true } }, { 
@@ -329,43 +337,43 @@ { "sentinel_password": { "encrypted": true, - "referenceable": true, "type": "string", - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true } }, { "database": { - "default": 0, "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", + "default": 256, "between": [ 1, 2147483646 - ], - "default": 256, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + ] } }, { "keepalive_backlog": { + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. 
Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { 
@@ -381,38 +389,38 @@ }, { "sentinel_addresses": { - "len_min": 1, "elements": { "type": "string" }, "type": "array", - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element." + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "len_min": 1 } }, { "cluster_addresses": { - "len_min": 1, "elements": { "type": "string" }, "type": "array", - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element." + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "len_min": 1 } }, { "ssl": { - "default": false, "required": false, "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis." + "description": "If set to true, uses SSL to connect to Redis.", + "default": false } }, { "ssl_verify": { - "default": false, "required": false, "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false } }, { @@ -422,7 +430,8 @@ "description": "A string representing an SNI (server name indication) value for TLS." } } - ] + ], + "required": true } }, { @@ -435,14 +444,5 @@ ] } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/proxy-cache/3.6.x.json b/schemas/proxy-cache/3.6.x.json index 572b3aac..fdff8582 100644 --- a/schemas/proxy-cache/3.6.x.json +++ b/schemas/proxy-cache/3.6.x.json @@ -1,15 +1,16 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { "one_of": [ "grpc", @@ -26,24 +27,24 @@ "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing protocols." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "response_code": { - "required": true, - "type": "array", - "len_min": 1, - "default": [ - 200, - 301, - 404 - ], "elements": { "type": "integer", "between": [ 
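Review bot: In the `redis` record of schemas/proxy-cache-advanced/3.6.x.json (hunk `@@ -381,38 +389,38 @@`), `ssl` and `ssl_verify` both default to `false`, and neither description says what that default means for the `password` and the cached responses that travel over the connection. With the defaults the Redis link is unencrypted, and turning on `ssl` alone still leaves the server certificate unchecked. I would append `Defaults to false, in which case the connection, including the Redis password, is not encrypted.` to the `ssl` description and `Defaults to false; enable it together with ssl so the server certificate is actually checked.` to the `ssl_verify` description. The record's opening and its `entity_checks` are in earlier hunks, so whether a check already ties the two flags together cannot be confirmed from this hunk.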
@@ -51,94 +52,102 @@ 900 ] }, + "type": "array", + "default": [ + 200, + 301, + 404 + ], + "len_min": 1, + "required": true, "description": "Upstream response status code considered cacheable." } }, { "request_method": { - "required": true, - "type": "array", "elements": { - "type": "string", "one_of": [ "HEAD", "GET", "POST", "PATCH", "PUT" - ] + ], + "type": "string" }, + "type": "array", "default": [ "GET", "HEAD" ], + "required": true, "description": "Downstream request methods considered cacheable." } }, { "content_type": { - "required": true, - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ "text/plain", "application/json" ], + "required": true, "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value." } }, { "cache_ttl": { - "type": "integer", "gt": 0, - "default": 300, - "description": "TTL, in seconds, of cache entities." + "type": "integer", + "description": "TTL, in seconds, of cache entities.", + "default": 300 } }, { "strategy": { + "required": true, "type": "string", + "description": "The backing data store in which to hold cache entities.", "one_of": [ "memory" - ], - "required": true, - "description": "The backing data store in which to hold cache entities." + ] } }, { "cache_control": { - "type": "boolean", "required": true, - "default": false, - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234." + "type": "boolean", + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "default": false } }, { "ignore_uri_case": { "required": false, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "storage_ttl": { - "type": "integer", - "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." 
+ "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" } }, { "memory": { - "type": "record", "required": true, + "type": "record", "fields": [ { "dictionary_name": { - "type": "string", "required": true, - "default": "kong_db_cache", - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template." + "type": "string", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "default": "kong_db_cache" } } ] @@ -146,27 +155,27 @@ }, { "vary_query_params": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration." } }, { "vary_headers": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." } }, { "response_headers": { - "description": "Caching related diagnostic headers that should be included in cached responses", - "type": "record", "required": true, + "type": "record", + "description": "Caching related diagnostic headers that should be included in cached responses", "fields": [ { "age": { @@ -192,14 +201,5 @@ ] } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/rate-limiting-advanced/3.6.x.json b/schemas/rate-limiting-advanced/3.6.x.json index 0758466e..a7c304b5 100644 --- a/schemas/rate-limiting-advanced/3.6.x.json 
+++ b/schemas/rate-limiting-advanced/3.6.x.json @@ -1,36 +1,47 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "identifier": { - "required": true, "type": "string", + "default": "consumer", + "required": true, + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", "one_of": [ "ip", "credential", 
@@ -39,100 +50,97 @@ "header", "path", "consumer-group" - ], - "default": "consumer", - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`." + ] } }, { "window_size": { - "type": "array", "required": true, + "type": "array", + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" - }, - "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified." + } } }, { "window_type": { - "default": "sliding", "one_of": [ "fixed", "sliding" ], "type": "string", + "default": "sliding", "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters." } }, { "limit": { - "type": "array", "required": true, + "type": "array", + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" - }, - "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified." + } } }, { "sync_rate": { - "type": "number", - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. 
A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" } }, { "namespace": { "auto": true, - "required": true, "type": "string", - "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same." + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", + "required": true } }, { "strategy": { - "required": true, "type": "string", + "default": "local", + "required": true, + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "one_of": [ "cluster", "redis", "local" - ], - "default": "local", - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`." 
+ ] } }, { "dictionary_name": { - "default": "kong_rate_limiting_counters", "required": true, "type": "string", + "default": "kong_rate_limiting_counters", "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle." } }, { "hide_client_headers": { - "default": false, "type": "boolean", + "default": false, "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters." } }, { "retry_after_jitter_max": { - "default": 0, "type": "number", + "default": 0, "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header." } }, { "header_name": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } }, { "path": { - "starts_with": "/", "match_none": [ { "pattern": "//", 
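Review bot: The `strategy` description in schemas/rate-limiting-advanced/3.6.x.json (hunk `@@ -39,100 +50,97 @@`) states that the available values are `local` and `cluster`, but the `one_of` list for the same field also accepts `redis`, and the `dictionary_name` description in this hunk refers to `config.strategy` being `cluster` or `redis`. An operator reading only the description would not learn that counters can be kept in Redis, which is the case the whole `redis` record further down configures. The last sentence should become `Available values are: local, cluster and redis.`, keeping the inline code formatting of the three values. The commit only moves this line, so the correction most likely belongs in the upstream schema.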
@@ -140,46 +148,46 @@ } ], "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/" } }, { "redis": { - "type": "record", "entity_checks": [ { "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_addresses" + ], + "set2": [ + "host", + "port" ] } }, { "mutually_exclusive_sets": { - "set2": [ - "cluster_addresses" - ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_addresses" + ], + "set2": [ + "cluster_addresses" ] } }, { "mutually_exclusive_sets": { + "set1": [ + "cluster_addresses" + ], "set2": [ "host", "port" - ], - "set1": [ - "cluster_addresses" ] } }, 
@@ -204,63 +212,63 @@ ] } ], - "required": true, + "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "timeout": { + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { 
@@ -273,9 +281,9 @@ { "password": { "encrypted": true, - "referenceable": true, "type": "string", - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true } }, { 
@@ -288,43 +296,43 @@ { "sentinel_password": { "encrypted": true, - "referenceable": true, "type": "string", - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true } }, { "database": { - "default": 0, "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", + "default": 256, "between": [ 1, 2147483646 - ], - "default": 256, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + ] } }, { "keepalive_backlog": { + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. 
Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { 
@@ -340,38 +348,38 @@ }, { "sentinel_addresses": { - "len_min": 1, "elements": { "type": "string" }, "type": "array", - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element." + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "len_min": 1 } }, { "cluster_addresses": { - "len_min": 1, "elements": { "type": "string" }, "type": "array", - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element." + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "len_min": 1 } }, { "ssl": { - "default": false, "required": false, "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis." + "description": "If set to true, uses SSL to connect to Redis.", + "default": false } }, { "ssl_verify": { - "default": false, "required": false, "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false } }, { @@ -381,58 +389,50 @@ "description": "A string representing an SNI (server name indication) value for TLS." } } - ] + ], + "required": true } }, { "enforce_consumer_groups": { - "default": false, "type": "boolean", + "default": false, "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups." } }, { "consumer_groups": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`." } }, { "disable_penalty": { - "default": false, "type": "boolean", + "default": false, "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type." } }, { "error_code": { - "default": 429, "gt": 0, "type": "number", + "default": 429, "description": "Set a custom error code to return when the rate limit is exceeded." } }, { "error_message": { - "default": "API rate limit exceeded", "type": "string", + "default": "API rate limit exceeded", "description": "Set a custom error message to return when the rate limit is exceeded." } } ] } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file 
diff --git a/schemas/rate-limiting/3.6.x.json b/schemas/rate-limiting/3.6.x.json index c8fec16d..6c963b5f 100644 --- a/schemas/rate-limiting/3.6.x.json +++ b/schemas/rate-limiting/3.6.x.json @@ -1,31 +1,103 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.second", + "config.minute", + "config.hour", + "config.day", + "config.month", + "config.year" + ] + }, + { + "conditional": { + "then_field": "config.redis.host", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.redis.port", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.redis.timeout", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.header_name", + "if_field": "config.limit_by", + "then_match": { + "required": true + }, + "if_match": { + "eq": "header" + } + } + }, + { + "conditional": { + "then_field": "config.path", + "if_field": "config.limit_by", + "then_match": { + "required": true + }, + "if_match": { + "eq": "path" + } + } + } + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "second": { @@ -71,7 +143,6 @@ }, { "limit_by": { - "default": "consumer", "one_of": [ "consumer", "credential", 
@@ -82,18 +153,18 @@ "consumer-group" ], "type": "string", + "default": "consumer", "description": "The entity that is used when aggregating the limits." } }, { "header_name": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } }, { "path": { - "starts_with": "/", "match_none": [ { "pattern": "//", 
@@ -101,203 +172,231 @@ } ], "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/" } }, { "policy": { "type": "string", + "default": "local", "len_min": 0, "one_of": [ "local", "cluster", "redis" ], - "default": "local", "description": "The rate-limiting policies to use for retrieving and incrementing the limits." } }, { "fault_tolerant": { + "required": true, "type": "boolean", "default": true, - "required": true, "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors." } }, { - "redis_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "redis": { + "required": true, + "type": "record", + "description": "Redis configuration", + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "username": { + "referenceable": true, + "type": "string", + "description": "Username to use for Redis connections. 
If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + } + }, + { + "password": { + "referenceable": true, + "type": "string", + "len_min": 0, + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + } + }, + { + "database": { + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0 + } + }, + { + "ssl": { + "required": false, + "type": "boolean", + "description": "If set to true, uses SSL to connect to Redis.", + "default": false + } + }, + { + "ssl_verify": { + "required": false, + "type": "boolean", + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false + } + }, + { + "server_name": { + "required": false, + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS." + } + } + ] } }, { - "redis_port": { - "between": [ - 0, - 65535 - ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "hide_client_headers": { + "required": true, + "type": "boolean", + "default": false, + "description": "Optionally hide informative response headers." } }, { - "redis_password": { - "len_min": 0, - "referenceable": true, - "type": "string", - "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server." + "error_code": { + "gt": 0, + "type": "number", + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded." 
} }, { - "redis_username": { - "referenceable": true, + "error_message": { "type": "string", - "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired." + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded." } }, { - "redis_ssl": { - "type": "boolean", - "default": false, + "sync_rate": { "required": true, - "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server." + "type": "number", + "default": -1, + "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior." + } + } + ], + "shorthand_fields": [ + { + "redis_host": { + "translate_backwards": [ + "redis", + "host" + ], + "type": "string" } }, { - "redis_ssl_verify": { - "type": "boolean", - "default": false, - "required": true, - "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies it server SSL certificate is validated. Note that you need to configure the lua_ssl_trusted_certificate to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly." + "redis_port": { + "translate_backwards": [ + "redis", + "port" + ], + "type": "integer" } }, { - "redis_server_name": { + "redis_password": { + "translate_backwards": [ + "redis", + "password" + ], "type": "string", - "description": "A string representing an SNI (server name indication) value for TLS." + "len_min": 0 } }, { - "redis_timeout": { - "default": 2000, - "type": "number", - "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server." 
+ "redis_username": { + "translate_backwards": [ + "redis", + "username" + ], + "type": "string" } }, { - "redis_database": { - "default": 0, - "type": "integer", - "description": "When using the `redis` policy, this property specifies the Redis database to use." + "redis_ssl": { + "translate_backwards": [ + "redis", + "ssl" + ], + "type": "boolean" } }, { - "hide_client_headers": { - "type": "boolean", - "default": false, - "required": true, - "description": "Optionally hide informative response headers." + "redis_ssl_verify": { + "translate_backwards": [ + "redis", + "ssl_verify" + ], + "type": "boolean" } }, { - "error_code": { - "default": 429, - "gt": 0, - "type": "number", - "description": "Set a custom error code to return when the rate limit is exceeded." + "redis_server_name": { + "translate_backwards": [ + "redis", + "server_name" + ], + "type": "string" } }, { - "error_message": { - "default": "API rate limit exceeded", - "type": "string", - "description": "Set a custom error message to return when the rate limit is exceeded." + "redis_timeout": { + "translate_backwards": [ + "redis", + "timeout" + ], + "type": "integer" } }, { - "sync_rate": { - "type": "number", - "default": -1, - "required": true, - "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior." 
+ "redis_database": { + "translate_backwards": [ + "redis", + "database" + ], + "type": "integer" } } ] } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.second", - "config.minute", - "config.hour", - "config.day", - "config.month", - "config.year" - ] - }, - { - "conditional": { - "then_field": "config.redis_host", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.policy" - } - }, - { - "conditional": { - "then_field": "config.redis_port", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.policy" - } - }, - { - "conditional": { - "then_field": "config.header_name", - "if_match": { - "eq": "header" - }, - "then_match": { - "required": true - }, - "if_field": "config.limit_by" - } - }, - { - "conditional": { - "then_field": "config.path", - "if_match": { - "eq": "path" - }, - "then_match": { - "required": true - }, - "if_field": "config.limit_by" - } - }, - { - "conditional": { - "then_field": "config.redis_timeout", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.policy" - } - } ] } \ No newline at end of file diff --git a/schemas/request-size-limiting/3.6.x.json b/schemas/request-size-limiting/3.6.x.json index a71771d9..2ba3aec0 100644 --- a/schemas/request-size-limiting/3.6.x.json +++ b/schemas/request-size-limiting/3.6.x.json 
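Review bot: The new `shorthand_fields` entries `redis_password` and `redis_username` in `schemas/rate-limiting/3.6.x.json` carry only `translate_backwards` and `type` (plus `len_min` on the password), whereas the flat fields they replace declared `referenceable: true` and the nested `redis.password` now also sets `encrypted: true`. The schema alone does not show whether a vault reference supplied through the legacy name is still resolved, or whether the shorthand inherits that from the nested field, so this is worth confirming because existing configs will keep using the old names. The shorthand entries also have no `description`, so the rendered reference gives no hint that they map to `config.redis.*`; a line such as `"description": "Legacy alias for config.redis.password."` would cover it. Separately, `redis.ssl_verify` still defaults to `false`, and its description could state that with `ssl` enabled and `ssl_verify` off the connection is encrypted but the Redis server certificate is not checked. These files appear to be pulled from the API like the rest of the series, so the wording presumably belongs in the upstream schema rather than in a local edit.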
@@ -1,73 +1,73 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "allowed_payload_size": { - "default": 128, "type": "integer", + "default": 128, "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes)." } }, { "size_unit": { "type": "string", + "default": "megabytes", "required": true, + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", "one_of": [ "megabytes", "kilobytes", "bytes" - ], - "default": "megabytes", - "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0." + ] } }, { "require_content_length": { "required": true, - "default": false, "type": "boolean", + "default": false, "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body." } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/request-termination/3.6.x.json b/schemas/request-termination/3.6.x.json index 27f1177f..bb6a0089 100644 --- a/schemas/request-termination/3.6.x.json +++ b/schemas/request-termination/3.6.x.json 
@@ -1,81 +1,81 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "status_code": { - "required": true, + "type": "integer", + "default": 503, "between": [ 100, 599 ], - "type": "integer", - "default": 503, + "required": true, "description": "The response code to send. Must be an integer between 100 and 599." } }, { "message": { - "type": "string", - "description": "The message to send, if using the default response generator." + "description": "The message to send, if using the default response generator.", + "type": "string" } }, { "content_type": { - "type": "string", - "description": "Content type of the raw response configured with `config.body`." + "description": "Content type of the raw response configured with `config.body`.", + "type": "string" } }, { "body": { - "type": "string", - "description": "The raw response body to send. This is mutually exclusive with the `config.message` field." + "description": "The raw response body to send. This is mutually exclusive with the `config.message` field.", + "type": "string" } }, { "echo": { - "default": false, "required": true, "type": "boolean", - "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic." + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. 
It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", + "default": false } }, { "trigger": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/request-transformer-advanced/3.6.x.json b/schemas/request-transformer-advanced/3.6.x.json index 5436e8c8..fdb450d9 100644 --- a/schemas/request-transformer-advanced/3.6.x.json +++ b/schemas/request-transformer-advanced/3.6.x.json 
@@ -1,75 +1,78 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "http_method": { "match": "^%u+$", - "type": "string", - "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", + "type": "string" } }, { "remove": { - "type": "record", "required": true, + "type": "record", "fields": [ { "body": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "headers": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "querystring": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } } ] 
@@ -77,43 +80,43 @@ }, { "rename": { - "type": "record", "required": true, + "type": "record", "fields": [ { "body": { - "default": [ - - ], "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "headers": { - "default": [ - - ], "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "querystring": { - "default": [ - - ], "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } } ] @@ -121,59 +124,59 @@ }, { "replace": { - "type": "record", "required": true, + "type": "record", "fields": [ { "body": { - "default": [ - - ], "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "headers": { - "default": [ - - ], "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "querystring": { - "default": [ - - ], "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "json_types": { - "default": [ - - ], "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] + ], + "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { 
@@ -186,59 +189,59 @@ }, { "add": { - "type": "record", "required": true, + "type": "record", "fields": [ { "body": { - "default": [ - - ], "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "headers": { - "default": [ - - ], "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "querystring": { - "default": [ - - ], "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "json_types": { - "default": [ - - ], "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] + ], + "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } } ] @@ -246,59 +249,59 @@ }, { "append": { - "type": "record", "required": true, + "type": "record", "fields": [ { "body": { - "default": [ - - ], "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "headers": { - "default": [ - - ], "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "querystring": { - "default": [ - - ], "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "json_types": { - "default": [ - - ], "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] + ], + "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } } ] 
@@ -306,15 +309,15 @@ }, { "allow": { - "type": "record", "required": true, + "type": "record", "fields": [ { "body": { - "type": "set", "elements": { "type": "string" - } + }, + "type": "set" } } ] @@ -322,16 +325,13 @@ }, { "dots_in_keys": { - "default": true, "type": "boolean", - "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects)." + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects).", + "default": true } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/request-transformer/3.6.x.json b/schemas/request-transformer/3.6.x.json index 47ec0a0c..05c01e5c 100644 --- a/schemas/request-transformer/3.6.x.json +++ b/schemas/request-transformer/3.6.x.json @@ -1,15 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { "one_of": [ "grpc", 
@@ -26,60 +21,68 @@ "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing protocols." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "http_method": { "match": "^%u+$", - "type": "string", - "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", + "type": "string" } }, { "remove": { - "type": "record", "required": true, + "type": "record", "fields": [ { "body": { "required": true, "type": "array", - "elements": { - "type": "string" - }, "default": [ - ] + ], + "elements": { + "type": "string" + } } }, { "headers": { "required": true, "type": "array", - "elements": { - "type": "string" - }, "default": [ - ] + ], + "elements": { + "type": "string" + } } }, { "querystring": { "required": true, "type": "array", - "elements": { - "type": "string" - }, "default": [ - ] + ], + "elements": { + "type": "string" + } } } ] @@ -87,44 +90,44 @@ }, { "rename": { - "type": "record", "required": true, + "type": "record", "fields": [ { "body": { "required": true, "type": "array", - "elements": { - "type": "string" - }, "default": [ - ] + ], + "elements": { + "type": "string" + } } }, { "headers": { "required": true, "type": "array", + "default": [ + + ], "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "default": [ - - ] + } } }, { "querystring": { "required": true, "type": "array", - "elements": { - "type": "string" - }, "default": [ - ] + ], + "elements": { + "type": "string" + } } } ] 
@@ -132,44 +135,44 @@ }, { "replace": { - "type": "record", "required": true, + "type": "record", "fields": [ { "body": { "required": true, "type": "array", - "elements": { - "type": "string" - }, "default": [ - ] + ], + "elements": { + "type": "string" + } } }, { "headers": { "required": true, "type": "array", + "default": [ + + ], "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "default": [ - - ] + } } }, { "querystring": { "required": true, "type": "array", - "elements": { - "type": "string" - }, "default": [ - ] + ], + "elements": { + "type": "string" + } } }, { @@ -182,44 +185,44 @@ }, { "add": { - "type": "record", "required": true, + "type": "record", "fields": [ { "body": { "required": true, "type": "array", - "elements": { - "type": "string" - }, "default": [ - ] + ], + "elements": { + "type": "string" + } } }, { "headers": { "required": true, "type": "array", + "default": [ + + ], "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "default": [ - - ] + } } }, { "querystring": { "required": true, "type": "array", - "elements": { - "type": "string" - }, "default": [ - ] + ], + "elements": { + "type": "string" + } } } ] @@ -227,44 +230,44 @@ }, { "append": { - "type": "record", "required": true, + "type": "record", "fields": [ { "body": { "required": true, "type": "array", - "elements": { - "type": "string" - }, "default": [ - ] + ], + "elements": { + "type": "string" + } } }, { "headers": { "required": true, "type": "array", + "default": [ + + ], "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "default": [ - - ] + } } }, { "querystring": { "required": true, "type": "array", - "elements": { - "type": "string" - }, "default": [ - ] + ], + "elements": { + "type": "string" + } } } ] @@ -273,8 +276,5 @@ ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/request-validator/3.6.x.json b/schemas/request-validator/3.6.x.json index d6944cf6..904fec8c 100644 
--- a/schemas/request-validator/3.6.x.json +++ b/schemas/request-validator/3.6.x.json @@ -1,38 +1,46 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "entity_checks": [ { "at_least_one_of": [ 
@@ -41,44 +49,45 @@ ] } ], - "required": true, + "type": "record", "fields": [ { "body_schema": { - "type": "string", "required": false, + "type": "string", "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified." } }, { "allowed_content_types": { - "default": [ - "application/json" - ], - "type": "set", "elements": { "required": true, "type": "string" }, - "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`." + "type": "set", + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", + "default": [ + "application/json" + ] } }, { "version": { - "required": true, "type": "string", + "default": "kong", + "required": true, + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", "one_of": [ "kong", "draft4" - ], - "default": "kong", - "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator." + ] } }, { "parameter_schema": { - "type": "array", "required": false, + "type": "array", + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", "elements": { "entity_checks": [ { 
@@ -101,27 +110,27 @@ "fields": [ { "in": { + "required": true, "type": "string", + "description": "The location of the parameter.", "one_of": [ "query", "header", "path" - ], - "required": true, - "description": "The location of the parameter." + ] } }, { "name": { - "type": "string", "required": true, + "type": "string", "description": "The name of the parameter. Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`." } }, { "required": { - "type": "boolean", "required": true, + "type": "boolean", "description": "Determines whether this parameter is mandatory." } }, 
@@ -142,39 +151,30 @@ }, { "explode": { - "type": "boolean", - "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect." + "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect.", + "type": "boolean" } }, { "schema": { - "type": "string", - "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating." + "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating.", + "type": "string" } } ] - }, - "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified." + } } }, { "verbose_response": { "required": true, "type": "boolean", - "default": false, - "description": "If enabled, the plugin returns more verbose and detailed validation errors." + "description": "If enabled, the plugin returns more verbose and detailed validation errors.", + "default": false } } - ] - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] + ], + "required": true } } ] 
diff --git a/schemas/response-ratelimiting/3.6.x.json b/schemas/response-ratelimiting/3.6.x.json index 1bc1f3b3..5ab45fb6 100644 --- a/schemas/response-ratelimiting/3.6.x.json +++ b/schemas/response-ratelimiting/3.6.x.json @@ -1,39 +1,77 @@ { + "entity_checks": [ + { + "conditional": { + "then_field": "config.redis.host", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.redis.port", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.redis.timeout", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + } + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "header_name": { 
@@ -44,128 +82,145 @@ }, { "limit_by": { - "type": "string", "one_of": [ "consumer", "credential", "ip" ], + "type": "string", "default": "consumer", "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`." } }, { "policy": { - "type": "string", "one_of": [ "local", "cluster", "redis" ], + "type": "string", "default": "local", "description": "The rate-limiting policies to use for retrieving and incrementing the limits." } }, { "fault_tolerant": { - "type": "boolean", "required": true, + "type": "boolean", "default": true, "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors." } }, { - "redis_host": { - "type": "string", - "description": "When using the `redis` policy, this property specifies the address to the Redis server." - } - }, - { - "redis_port": { - "between": [ - 0, - 65535 - ], - "default": 6379, - "type": "integer", - "description": "When using the `redis` policy, this property specifies the port of the Redis server." - } - }, - { - "redis_password": { - "len_min": 0, - "referenceable": true, - "type": "string", - "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server." - } - }, - { - "redis_username": { - "referenceable": true, - "type": "string", - "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.\nThis requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." 
- } - }, - { - "redis_ssl": { - "type": "boolean", + "redis": { "required": true, - "default": false, - "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server." - } - }, - { - "redis_ssl_verify": { - "type": "boolean", - "required": true, - "default": false, - "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies if the server SSL certificate is validated. Note that you need to configure the `lua_ssl_trusted_certificate` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." - } - }, - { - "redis_server_name": { - "type": "string", - "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies the server name for the TLS extension Server Name Indication (SNI)." - } - }, - { - "redis_timeout": { - "type": "number", - "default": 2000, - "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server." - } - }, - { - "redis_database": { - "type": "number", - "default": 0, - "description": "When using the `redis` policy, this property specifies Redis database to use." + "type": "record", + "description": "Redis configuration", + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "username": { + "referenceable": true, + "type": "string", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + } + }, + { + "password": { + "referenceable": true, + "type": "string", + "len_min": 0, + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + } + }, + { + "database": { + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0 + } + }, + { + "ssl": { + "required": false, + "type": "boolean", + "description": "If set to true, uses SSL to connect to Redis.", + "default": false + } + }, + { + "ssl_verify": { + "required": false, + "type": "boolean", + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false + } + }, + { + "server_name": { + "required": false, + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS." + } + } + ] } }, { "block_on_first_violation": { - "type": "boolean", "required": true, + "type": "boolean", "default": false, "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too." } }, { "hide_client_headers": { - "type": "boolean", "required": true, + "type": "boolean", "default": false, "description": "Optionally hide informative response headers." 
} }, { "limits": { - "required": true, "keys": { "type": "string" }, + "type": "map", + "len_min": 1, + "required": true, + "description": "A map that defines rate limits for the plugin.", "values": { - "required": true, "entity_checks": [ { "at_least_one_of": [ 
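Review bot: The new `redis.ssl_verify` entry keeps `"default": false`, and `redis.ssl` also defaults to false, but the description now reads only "If set to true, verifies the validity of the server SSL certificate". A reader of the rendered docs is therefore not told that the Redis server certificate goes unchecked unless this is enabled, or that the connection carrying `password` is unencrypted unless `ssl` is turned on. I would end the description with a sentence such as `Defaults to false, so the certificate is not validated unless this is enabled.` In the same record, the `database` description refers to the "`redis` strategy" while the selector in this schema is `policy` (`local`, `cluster`, `redis`), and `host`, `port` and `timeout` no longer say they apply only under that policy. These files appear to be pulled from the API rather than written by hand, so the wording probably has to be corrected at the source.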
@@ -182,87 +237,131 @@ "fields": [ { "second": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "minute": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "hour": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "day": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "month": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "year": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } } - ] - }, - "type": "map", - "len_min": 1, - "description": "A map that defines rate limits for the plugin." + ], + "required": true + } + } + } + ], + "shorthand_fields": [ + { + "redis_host": { + "translate_backwards": [ + "redis", + "host" + ], + "type": "string" + } + }, + { + "redis_port": { + "translate_backwards": [ + "redis", + "port" + ], + "type": "integer" + } + }, + { + "redis_password": { + "translate_backwards": [ + "redis", + "password" + ], + "type": "string", + "len_min": 0 + } + }, + { + "redis_username": { + "translate_backwards": [ + "redis", + "username" + ], + "type": "string" + } + }, + { + "redis_ssl": { + "translate_backwards": [ + "redis", + "ssl" + ], + "type": "boolean" + } + }, + { + "redis_ssl_verify": { + "translate_backwards": [ + "redis", + "ssl_verify" + ], + "type": "boolean" + } + }, + { + "redis_server_name": { + "translate_backwards": [ + "redis", + "server_name" + ], + "type": "string" + } + }, + { + "redis_timeout": { + "translate_backwards": [ + "redis", + "timeout" + ], + "type": "integer" + } + }, + { + "redis_database": { + "translate_backwards": [ + "redis", + "database" + ], + "type": "integer" } } ] } } - ], - "entity_checks": [ - { - "conditional": { - "then_field": "config.redis_host", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.policy" - } - }, - { - "conditional": { - "then_field": "config.redis_port", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": 
true - }, - "if_field": "config.policy" - } - }, - { - "conditional": { - "then_field": "config.redis_timeout", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.policy" - } - } ] } \ No newline at end of file diff --git a/schemas/response-transformer-advanced/3.6.x.json b/schemas/response-transformer-advanced/3.6.x.json index 319c9069..50264772 100644 --- a/schemas/response-transformer-advanced/3.6.x.json +++ b/schemas/response-transformer-advanced/3.6.x.json @@ -1,68 +1,71 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "remove": { - "type": "record", "required": true, + "type": "record", "fields": [ { "json": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "headers": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "if_status": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } } ] @@ -70,30 +73,30 @@ }, { "rename": { - "type": "record", "required": true, + "type": "record", "fields": [ { "headers": { - "default": [ - - ], "elements": { "match": "^[^:]+:.*$", "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "if_status": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } } ] 
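Review bot: The `redis_password` and `redis_username` entries under `shorthand_fields` do not carry `"referenceable": true`, which the removed `config.redis_password` / `config.redis_username` fields had and which the new `redis.password` / `redis.username` fields keep. This hunk does not show whether a vault reference supplied under the old name is still resolved once `translate_backwards` maps it to `redis.password`. That is worth confirming before configurations that store the password as a reference rely on the old names. None of the nine shorthand entries has a `description` either. If they are kept as aliases of the nested fields, as `translate_backwards` suggests, a line such as `"description": "Legacy alias of config.redis.password."` on each would keep the old names documented.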
@@ -101,62 +104,62 @@ }, { "replace": { - "type": "record", "required": true, + "type": "record", "fields": [ { "body": { - "type": "string", - "description": "String with which to replace the entire response body." + "description": "String with which to replace the entire response body.", + "type": "string" } }, { "json": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "json_types": { - "default": [ - - ], "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] + ], + "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "headers": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "if_status": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } } ] @@ -164,56 +167,56 @@ }, { "add": { - "type": "record", "required": true, + "type": "record", "fields": [ { "json": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "json_types": { - "default": [ - - ], "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] + ], + "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "headers": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "if_status": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } } ] 
@@ -221,56 +224,56 @@ }, { "append": { - "type": "record", "required": true, + "type": "record", "fields": [ { "json": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "json_types": { - "default": [ - - ], "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] + ], + "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "headers": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "if_status": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } } ] @@ -278,15 +281,15 @@ }, { "allow": { - "type": "record", "required": true, + "type": "record", "fields": [ { "json": { - "type": "set", "elements": { "type": "string" - } + }, + "type": "set" } } ] @@ -294,40 +297,40 @@ }, { "transform": { - "type": "record", "required": true, + "type": "record", "fields": [ { "functions": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "if_status": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "json": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } } ] @@ -343,8 +346,5 @@ ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/response-transformer/3.6.x.json b/schemas/response-transformer/3.6.x.json index 842ceeef..60b592c4 100644 --- a/schemas/response-transformer/3.6.x.json +++ b/schemas/response-transformer/3.6.x.json 
@@ -1,59 +1,62 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "remove": { - "type": "record", "required": true, + "type": "record", "fields": [ { "json": { - "type": "array", "required": true, - "elements": { - "type": "string" - }, + "type": "array", "default": [ - ] + ], + "elements": { + "type": "string" + } } }, { "headers": { - "type": "array", "required": true, - "elements": { - "type": "string" - }, + "type": "array", "default": [ - ] + ], + "elements": { + "type": "string" + } } } ] @@ -61,20 +64,20 @@ }, { "rename": { - "type": "record", "required": true, + "type": "record", "fields": [ { "headers": { - "type": "array", "required": true, - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, + "type": "array", "default": [ - ] + ], + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + } } } ] 
@@ -82,51 +85,51 @@ }, { "replace": { - "type": "record", "required": true, + "type": "record", "fields": [ { "json": { - "type": "array", "required": true, - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, + "type": "array", "default": [ - ] + ], + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + } } }, { "json_types": { - "required": true, - "type": "array", "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] + ], + "type": "string" }, + "type": "array", "default": [ ], + "required": true, "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." } }, { "headers": { - "type": "array", "required": true, - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, + "type": "array", "default": [ - ] + ], + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + } } } ] @@ -134,51 +137,51 @@ }, { "add": { - "type": "record", "required": true, + "type": "record", "fields": [ { "json": { - "type": "array", "required": true, - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, + "type": "array", "default": [ - ] + ], + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + } } }, { "json_types": { - "required": true, - "type": "array", "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] + ], + "type": "string" }, + "type": "array", "default": [ ], + "required": true, "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." } }, { "headers": { - "type": "array", "required": true, - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, + "type": "array", "default": [ - ] + ], + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + } } } ] 
@@ -186,51 +189,51 @@ }, { "append": { - "type": "record", "required": true, + "type": "record", "fields": [ { "json": { - "type": "array", "required": true, - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, + "type": "array", "default": [ - ] + ], + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + } } }, { "json_types": { - "required": true, - "type": "array", "elements": { - "type": "string", "one_of": [ "boolean", "number", "string" - ] + ], + "type": "string" }, + "type": "array", "default": [ ], + "required": true, "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." } }, { "headers": { - "type": "array", "required": true, - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, + "type": "array", "default": [ - ] + ], + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + } } } ] @@ -239,8 +242,5 @@ ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/route-by-header/3.6.x.json b/schemas/route-by-header/3.6.x.json index f72adf8d..f29a072b 100644 --- a/schemas/route-by-header/3.6.x.json +++ b/schemas/route-by-header/3.6.x.json 
@@ -1,48 +1,46 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "rules": { - "default": [ - - ], - "type": "array", "elements": { - "type": "record", "fields": [ { "upstream_name": { @@ -52,27 +50,29 @@ }, { "condition": { - "type": "map", - "len_min": 1, "keys": { "type": "string" }, + "type": "map", + "len_min": 1, + "required": true, "values": { "type": "string" - }, - "required": true + } } } - ] + ], + "type": "record" }, - "description": "Route by header rules." + "type": "array", + "description": "Route by header rules.", + "default": [ + + ] } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/route-transformer-advanced/3.6.x.json b/schemas/route-transformer-advanced/3.6.x.json index 3b086f5d..1a05a404 100644 --- a/schemas/route-transformer-advanced/3.6.x.json +++ b/schemas/route-transformer-advanced/3.6.x.json 
@@ -1,38 +1,40 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -42,7 +44,7 @@ ] } ], - "required": true, + "type": "record", "fields": [ { "path": { @@ -65,11 +67,9 @@ "type": "boolean" } } - ] + ], + "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/saml/3.6.x.json b/schemas/saml/3.6.x.json index 720577a7..cc74d5da 100644 --- a/schemas/saml/3.6.x.json +++ b/schemas/saml/3.6.x.json 
@@ -1,117 +1,48 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "shorthand_fields": [ - { - "session_cookie_lifetime": { - "type": "number" - } - }, - { - "session_cookie_idletime": { - "type": "number" - } - }, - { - "session_cookie_samesite": { - "type": "string" - } - }, - { - "session_cookie_httponly": { - "type": "boolean" - } - }, - { - "session_memcache_prefix": { - "type": "string" - } - }, - { - "session_memcache_socket": { - "type": "string" - } - }, - { - "session_memcache_host": { - "type": "string" - } - }, - { - "session_memcache_port": { - "type": "integer" - } - }, - { - "session_redis_cluster_maxredirections": { - "type": "integer" - } - }, - { - "session_cookie_renew": { - "type": "number" - } - }, - { - "session_cookie_maxsize": { - "type": "integer" - } - }, - { - "session_strategy": { - "type": "string" - } - }, - { - "session_compressor": { - "type": "string" - } - }, - { - "session_auth_ttl": { - "type": "number" - } - } - ], "required": true, "type": "record", "fields": [ 
@@ -119,14 +50,14 @@ "assertion_consumer_path": { "type": "string", "starts_with": "/", + "required": true, + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ], - "required": true, - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + ] } }, { 
@@ -138,266 +69,264 @@ }, { "idp_certificate": { - "encrypted": true, - "type": "string", "referenceable": true, + "type": "string", "required": false, - "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines." + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "encrypted": true } }, { "response_encryption_key": { - "encrypted": true, - "type": "string", "referenceable": true, + "type": "string", "required": false, - "description": "The private encryption key required to decrypt encrypted assertions." + "description": "The private encryption key required to decrypt encrypted assertions.", + "encrypted": true } }, { "request_signing_key": { - "encrypted": true, - "type": "string", "referenceable": true, + "type": "string", "required": false, - "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well." + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", + "encrypted": true } }, { "request_signing_certificate": { - "encrypted": true, - "type": "string", "referenceable": true, + "type": "string", "required": false, - "description": "The certificate for signing requests." + "description": "The certificate for signing requests.", + "encrypted": true } }, { "request_signature_algorithm": { - "required": false, "type": "string", + "default": "SHA256", + "required": false, + "description": "The signature algorithm for signing Authn requests. 
Options available are: - `SHA256` - `SHA384` - `SHA512`", "one_of": [ "SHA256", "SHA384", "SHA512" - ], - "default": "SHA256", - "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`" + ] } }, { "request_digest_algorithm": { - "required": false, "type": "string", + "default": "SHA256", + "required": false, + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", "one_of": [ "SHA256", "SHA1" - ], - "default": "SHA256", - "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`" + ] } }, { "response_signature_algorithm": { - "required": false, "type": "string", + "default": "SHA256", + "required": false, + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", "one_of": [ "SHA256", "SHA384", "SHA512" - ], - "default": "SHA256", - "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`" + ] } }, { "response_digest_algorithm": { - "required": false, "type": "string", + "default": "SHA256", + "required": false, + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", "one_of": [ "SHA256", "SHA1" - ], - "default": "SHA256", - "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`" + ] } }, { "issuer": { - "type": "string", "required": true, + "type": "string", "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP." } }, { "nameid_format": { - "required": false, "type": "string", + "default": "EmailAddress", + "required": false, + "description": "The requested `NameId` format. 
Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", "one_of": [ "Unspecified", "EmailAddress", "Persistent", "Transient" - ], - "default": "EmailAddress", - "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`" + ] } }, { "validate_assertion_signature": { "required": false, "type": "boolean", - "default": true, - "description": "Enable signature validation for SAML responses." + "description": "Enable signature validation for SAML responses.", + "default": true } }, { "anonymous": { - "type": "string", "required": false, + "type": "string", "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username." } }, { "session_secret": { - "match": "^[0-9a-zA-Z/_+]+$", - "required": true, - "encrypted": true, "referenceable": true, - "len_min": 32, - "len_max": 32, "type": "string", - "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange." + "len_max": 32, + "len_min": 32, + "encrypted": true, + "match": "^[0-9a-zA-Z/_+]+$", + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). 
It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "required": true } }, { "session_audience": { "required": false, "type": "string", - "default": "default", - "description": "The session audience, for example \"my-application\"" + "description": "The session audience, for example \"my-application\"", + "default": "default" } }, { "session_cookie_name": { "required": false, "type": "string", - "default": "session", - "description": "The session cookie name." + "description": "The session cookie name.", + "default": "session" } }, { "session_remember": { "required": false, "type": "boolean", - "default": false, - "description": "Enables or disables persistent sessions" + "description": "Enables or disables persistent sessions", + "default": false } }, { "session_remember_cookie_name": { "required": false, "type": "string", - "default": "remember", - "description": "Persistent session cookie name" + "description": "Persistent session cookie name", + "default": "remember" } }, { "session_remember_rolling_timeout": { "required": false, "type": "number", - "default": 604800, - "description": "Persistent session rolling timeout in seconds." + "description": "Persistent session rolling timeout in seconds.", + "default": 604800 } }, { "session_remember_absolute_timeout": { "required": false, "type": "number", - "default": 2592000, - "description": "Persistent session absolute timeout in seconds." + "description": "Persistent session absolute timeout in seconds.", + "default": 2592000 } }, { "session_idling_timeout": { "required": false, "type": "number", - "default": 900, - "description": "The session cookie idle time in seconds." + "description": "The session cookie idle time in seconds.", + "default": 900 } }, { "session_rolling_timeout": { "required": false, "type": "number", - "default": 3600, - "description": "The session cookie absolute timeout in seconds. 
Specifies how long the session can be used until it is no longer valid." + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "default": 3600 } }, { "session_absolute_timeout": { "required": false, "type": "number", - "default": 86400, - "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid." + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "default": 86400 } }, { "session_cookie_path": { + "type": "string", + "default": "/", + "starts_with": "/", + "required": false, + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ], - "required": false, - "starts_with": "/", - "type": "string", - "default": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + ] } }, { "session_cookie_domain": { - "type": "string", "required": false, + "type": "string", "description": "The session cookie domain flag." } }, { "session_cookie_same_site": { - "required": false, "type": "string", + "default": "Lax", + "required": false, + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "one_of": [ "Strict", "Lax", "None", "Default" - ], - "default": "Lax", - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." 
+ ] } }, { "session_cookie_http_only": { "required": false, "type": "boolean", - "default": true, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true } }, { "session_cookie_secure": { - "type": "boolean", "required": false, + "type": "boolean", "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." } }, { "session_request_headers": { - "type": "set", "elements": { - "type": "string", "one_of": [ "id", "audience", @@ -406,15 +335,15 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ] - } + ], + "type": "string" + }, + "type": "set" } }, { "session_response_headers": { - "type": "set", "elements": { - "type": "string", "one_of": [ "id", "audience", 
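Review bot: The `session_rolling_timeout` description in this hunk repeats the `session_absolute_timeout` text word for word ("The session cookie absolute timeout in seconds..."), so the published schema documents two different session-lifetime controls (defaults 3600 and 86400) as the same thing. Going by the session plugin's own `rolling_timeout` wording later in this patch, it presumably should read `"description": "The session cookie rolling timeout in seconds. Specifies how long the session can be used until it needs to be renewed."`. The `session_redis_password` description in the `-525,57` hunk also stops mid-sentence at "This value is pulled from". Both texts are carried over unchanged from the old side, so the correction belongs in the upstream plugin schema this file is downloaded from, not in a hand edit here.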
@@ -423,67 +352,69 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ] - } + ], + "type": "string" + }, + "type": "set" } }, { "session_storage": { - "required": false, "type": "string", + "default": "cookie", + "required": false, + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", "one_of": [ "cookie", "memcache", "memcached", "redis" - ], - "default": "cookie", - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis" + ] } }, { "session_store_metadata": { "required": false, "type": "boolean", - "default": false, - "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject." + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", + "default": false } }, { "session_enforce_same_subject": { "required": false, "type": "boolean", - "default": false, - "description": "When set to `true`, audiences are forced to share the same subject." + "description": "When set to `true`, audiences are forced to share the same subject.", + "default": false } }, { "session_hash_subject": { "required": false, "type": "boolean", - "default": false, - "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled." + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "default": false } }, { "session_hash_storage_key": { "required": false, "type": "boolean", - "default": false, - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "default": false } }, { "session_memcached_prefix": { - "type": "string", "required": false, + "type": "string", "description": "The memcached session key prefix." } }, { "session_memcached_socket": { - "type": "string", "required": false, + "type": "string", "description": "The memcached unix socket path." } }, @@ -491,33 +422,33 @@ "session_memcached_host": { "required": false, "type": "string", - "default": "127.0.0.1", - "description": "The memcached host." + "description": "The memcached host.", + "default": "127.0.0.1" } }, { "session_memcached_port": { "type": "integer", + "default": 11211, "between": [ 0, 65535 ], "required": false, - "default": 11211, "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "session_redis_prefix": { - "type": "string", "required": false, + "type": "string", "description": "The Redis session key prefix." } }, { "session_redis_socket": { - "type": "string", "required": false, + "type": "string", "description": "The Redis unix socket path." } }, 
@@ -525,57 +456,57 @@ "session_redis_host": { "required": false, "type": "string", - "default": "127.0.0.1", - "description": "The Redis host IP." + "description": "The Redis host IP.", + "default": "127.0.0.1" } }, { "session_redis_port": { "type": "integer", + "default": 6379, "between": [ 0, 65535 ], "required": false, - "default": 6379, "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "session_redis_username": { - "type": "string", - "referenceable": true, "required": false, - "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." + "type": "string", + "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "referenceable": true } }, { "session_redis_password": { - "encrypted": true, - "type": "string", "referenceable": true, + "type": "string", "required": false, - "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. This value is pulled from" + "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. This value is pulled from", + "encrypted": true } }, { "session_redis_connect_timeout": { - "type": "integer", "required": false, + "type": "integer", "description": "The Redis connection timeout in milliseconds." } }, { "session_redis_read_timeout": { - "type": "integer", "required": false, + "type": "integer", "description": "The Redis read timeout in milliseconds." 
} }, { "session_redis_send_timeout": { - "type": "integer", "required": false, + "type": "integer", "description": "The Redis send timeout in milliseconds." } }, @@ -583,22 +514,22 @@ "session_redis_ssl": { "required": false, "type": "boolean", - "default": false, - "description": "Use SSL/TLS for the Redis connection." + "description": "Use SSL/TLS for the Redis connection.", + "default": false } }, { "session_redis_ssl_verify": { "required": false, "type": "boolean", - "default": false, - "description": "Verify the Redis server certificate." + "description": "Verify the Redis server certificate.", + "default": false } }, { "session_redis_server_name": { - "type": "string", "required": false, + "type": "string", "description": "The SNI used for connecting to the Redis server." } }, 
@@ -606,45 +537,114 @@ "session_redis_cluster_nodes": { "required": false, "type": "array", + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", "elements": { - "type": "record", "fields": [ { "ip": { - "default": "127.0.0.1", "required": true, "type": "string", + "default": "127.0.0.1", "description": "A string representing a host name, such as example.com." } }, { "port": { + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } } - ] - }, - "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values." + ], + "type": "record" + } } }, { "session_redis_cluster_max_redirections": { - "type": "integer", "required": false, + "type": "integer", "description": "The Redis cluster maximum redirects." 
} } + ], + "shorthand_fields": [ + { + "session_cookie_lifetime": { + "type": "number" + } + }, + { + "session_cookie_idletime": { + "type": "number" + } + }, + { + "session_cookie_samesite": { + "type": "string" + } + }, + { + "session_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "type": "string" + } + }, + { + "session_memcache_socket": { + "type": "string" + } + }, + { + "session_memcache_host": { + "type": "string" + } + }, + { + "session_memcache_port": { + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer" + } + }, + { + "session_cookie_renew": { + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "type": "integer" + } + }, + { + "session_strategy": { + "type": "string" + } + }, + { + "session_compressor": { + "type": "string" + } + }, + { + "session_auth_ttl": { + "type": "number" + } + } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/session/3.6.x.json b/schemas/session/3.6.x.json index 44c3f1d3..da2c2901 100644 --- a/schemas/session/3.6.x.json +++ b/schemas/session/3.6.x.json @@ -1,23 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { "one_of": [ "grpc", 
@@ -34,195 +29,164 @@ "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "shorthand_fields": [ - { - "cookie_lifetime": { - "type": "number" - } - }, - { - "cookie_idletime": { - "type": "number" - } - }, - { - "cookie_renew": { - "type": "number" - } - }, - { - "cookie_discard": { - "type": "number" - } - }, - { - "cookie_samesite": { - "type": "string" - } - }, - { - "cookie_httponly": { - "type": "boolean" - } - }, - { - "cookie_persistent": { - "type": "boolean" - } - } - ], - "type": "record", "required": true, + "type": "record", "fields": [ { "secret": { - "encrypted": true, - "type": "string", - "required": false, "referenceable": true, - "default": "8HPEAewYOz6gQmmfqnLsSPwjDJFuHKcyKPeNH2WmzSIi", - "description": "The secret that is used in keyed HMAC generation." + "type": "string", + "default": "rvGfd6EK2RJZmJKuGpYQFuExLl10Qe6069Nvih04wT8o", + "encrypted": true, + "description": "The secret that is used in keyed HMAC generation.", + "required": false } }, { "storage": { - "type": "string", "one_of": [ "cookie", "kong" ], - "default": "cookie", - "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself." + "type": "string", + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. 
`cookie`: Stores encrypted session data within the cookie itself.", + "default": "cookie" } }, { "audience": { "type": "string", - "default": "default", - "description": "The session audience, which is the intended target application. For example `\"my-application\"`." + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "default": "default" } }, { "idling_timeout": { "type": "number", - "default": 900, - "description": "The session cookie idle time, in seconds." + "description": "The session cookie idle time, in seconds.", + "default": 900 } }, { "rolling_timeout": { "type": "number", - "default": 3600, - "description": "The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed." + "description": "The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed.", + "default": 3600 } }, { "absolute_timeout": { "type": "number", - "default": 86400, - "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid." + "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", + "default": 86400 } }, { "stale_ttl": { "type": "number", - "default": 10, - "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one." + "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", + "default": 10 } }, { "cookie_name": { "type": "string", - "default": "session", - "description": "The name of the cookie." 
+ "description": "The name of the cookie.", + "default": "session" } }, { "cookie_path": { "type": "string", - "default": "/", - "description": "The resource in the host where the cookie is available." + "description": "The resource in the host where the cookie is available.", + "default": "/" } }, { "cookie_domain": { - "type": "string", - "description": "The domain with which the cookie is intended to be exchanged." + "description": "The domain with which the cookie is intended to be exchanged.", + "type": "string" } }, { "cookie_same_site": { - "type": "string", "one_of": [ "Strict", "Lax", "None", "Default" ], - "default": "Strict", - "description": "Determines whether and how a cookie may be sent with cross-site requests." + "type": "string", + "description": "Determines whether and how a cookie may be sent with cross-site requests.", + "default": "Strict" } }, { "cookie_http_only": { "type": "boolean", - "default": true, - "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server." + "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", + "default": true } }, { "cookie_secure": { "type": "boolean", - "default": true, - "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol." + "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", + "default": true } }, { "remember": { "type": "boolean", - "default": false, - "description": "Enables or disables persistent sessions." + "description": "Enables or disables persistent sessions.", + "default": false } }, { "remember_cookie_name": { "type": "string", - "default": "remember", - "description": "Persistent session cookie name. Use with the `remember` configuration parameter." + "description": "Persistent session cookie name. 
Use with the `remember` configuration parameter.", + "default": "remember" } }, { "remember_rolling_timeout": { "type": "number", - "default": 604800, - "description": "The persistent session rolling timeout window, in seconds." + "description": "The persistent session rolling timeout window, in seconds.", + "default": 604800 } }, { "remember_absolute_timeout": { "type": "number", - "default": 2592000, - "description": "The persistent session absolute timeout limit, in seconds." + "description": "The persistent session absolute timeout limit, in seconds.", + "default": 2592000 } }, { "response_headers": { - "type": "set", "elements": { - "type": "string", "one_of": [ "id", "audience", @@ -231,16 +195,16 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ] + ], + "type": "string" }, + "type": "set", "description": "List of information to include, as headers, in the response to the downstream." } }, { "request_headers": { - "type": "set", "elements": { - "type": "string", "one_of": [ "id", "audience", 
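Review bot: The `default` of `config.secret` in schemas/session/3.6.x.json changes from one random-looking literal to another in this hunk, which suggests the API returns a value generated per Kong process rather than a fixed default. Publishing it as the documented default invites readers to copy a now-public string as their HMAC key, and every future schema download will show a spurious diff on this line. Consider having the download step mask the value, e.g. `"default": "<generated at startup>"`, or drop the `default` key for this field. The description could also say that operators should supply their own secret; the field is already `referenceable`.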
@@ -249,54 +213,90 @@ "idling-timeout", "rolling-timeout", "absolute-timeout" - ] + ], + "type": "string" }, + "type": "set", "description": "List of information to include, as headers, in the response to the downstream." } }, { "read_body_for_logout": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "logout_methods": { "elements": { - "type": "string", "one_of": [ "GET", "POST", "DELETE" - ] + ], + "type": "string" }, "type": "set", + "description": "A set of HTTP methods that the plugin will respond to.", "default": [ "POST", "DELETE" - ], - "description": "A set of HTTP methods that the plugin will respond to." + ] } }, { "logout_query_arg": { "type": "string", - "default": "session_logout", - "description": "The query argument passed to logout requests." + "description": "The query argument passed to logout requests.", + "default": "session_logout" } }, { "logout_post_arg": { "type": "string", - "default": "session_logout", - "description": "The POST argument passed to logout requests. Do not change this property." + "description": "The POST argument passed to logout requests. Do not change this property.", + "default": "session_logout" + } + } + ], + "shorthand_fields": [ + { + "cookie_lifetime": { + "type": "number" + } + }, + { + "cookie_idletime": { + "type": "number" + } + }, + { + "cookie_renew": { + "type": "number" + } + }, + { + "cookie_discard": { + "type": "number" + } + }, + { + "cookie_samesite": { + "type": "string" + } + }, + { + "cookie_httponly": { + "type": "boolean" + } + }, + { + "cookie_persistent": { + "type": "boolean" } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/statsd-advanced/3.6.x.json b/schemas/statsd-advanced/3.6.x.json index 177991c9..667adb88 100644 --- a/schemas/statsd-advanced/3.6.x.json +++ b/schemas/statsd-advanced/3.6.x.json 
@@ -1,15 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { "one_of": [ "grpc", 
@@ -26,140 +21,80 @@ "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "host": { - "default": "localhost", "type": "string", + "default": "localhost", "description": "A string representing a host name, such as example.com." } }, { "port": { + "default": 8125, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "default": 8125, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "prefix": { "type": "string", - "default": "kong", - "description": "String to prefix to each metric's name." 
+ "description": "String to prefix to each metric's name.", + "default": "kong" } }, { "metrics": { - "default": [ - { - "name": "request_count", - "stat_type": "counter", - "sample_rate": 1 - }, - { - "stat_type": "timer", - "name": "latency" - }, - { - "stat_type": "timer", - "name": "request_size" - }, - { - "name": "status_count", - "stat_type": "counter", - "sample_rate": 1 - }, - { - "stat_type": "timer", - "name": "response_size" - }, - { - "stat_type": "set", - "name": "unique_users" - }, - { - "name": "request_per_user", - "stat_type": "counter", - "sample_rate": 1 - }, - { - "stat_type": "timer", - "name": "upstream_latency" - }, - { - "stat_type": "timer", - "name": "kong_latency" - }, - { - "name": "status_count_per_user", - "stat_type": "counter", - "sample_rate": 1 - }, - { - "name": "status_count_per_workspace", - "stat_type": "counter", - "sample_rate": 1 - }, - { - "name": "status_count_per_user_per_route", - "stat_type": "counter", - "sample_rate": 1 - }, - { - "name": "shdict_usage", - "stat_type": "gauge", - "sample_rate": 1 - }, - { - "name": "cache_datastore_hits_total", - "stat_type": "counter", - "sample_rate": 1 - }, - { - "name": "cache_datastore_misses_total", - "stat_type": "counter", - "sample_rate": 1 - } - ], - "type": "array", "elements": { "entity_checks": [ { "conditional": { "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "set" + }, "if_match": { "one_of": [ "unique_users" ] - }, - "then_match": { - "eq": "set" - }, - "if_field": "name" + } } }, { "conditional": { "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "counter" + }, "if_match": { "one_of": [ "request_count", 
@@ -171,40 +106,36 @@ "cache_datastore_hits_total", "cache_datastore_misses_total" ] - }, - "then_match": { - "eq": "counter" - }, - "if_field": "name" + } } }, { "conditional": { "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "gauge" + }, "if_match": { "one_of": [ "shdict_usage" ] - }, - "then_match": { - "eq": "gauge" - }, - "if_field": "name" + } } }, { "conditional": { "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + }, "if_match": { "one_of": [ "counter", "gauge" ] - }, - "then_match": { - "required": true - }, - "if_field": "stat_type" + } } } ], @@ -212,6 +143,8 @@ "fields": [ { "name": { + "required": true, + "type": "string", "one_of": [ "kong_latency", "latency", @@ -228,13 +161,13 @@ "shdict_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" - ], - "type": "string", - "required": true + ] } }, { "stat_type": { + "required": true, + "type": "string", "one_of": [ "counter", "gauge", 
@@ -242,168 +175,238 @@ "meter", "set", "timer" - ], - "type": "string", - "required": true + ] } }, { "sample_rate": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "consumer_identifier": { - "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ] + ], + "type": "string" } }, { "service_identifier": { - "type": "string", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ] + ], + "type": "string" } }, { "workspace_identifier": { - "type": "string", "one_of": [ "workspace_id", "workspace_name" - ] + ], + "type": "string" } } ] }, - "description": "List of Metrics to be logged." + "type": "array", + "description": "List of Metrics to be logged.", + "default": [ + { + "stat_type": "counter", + "sample_rate": 1, + "name": "request_count" + }, + { + "stat_type": "timer", + "name": "latency" + }, + { + "stat_type": "timer", + "name": "request_size" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count" + }, + { + "stat_type": "timer", + "name": "response_size" + }, + { + "stat_type": "set", + "name": "unique_users" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "request_per_user" + }, + { + "stat_type": "timer", + "name": "upstream_latency" + }, + { + "stat_type": "timer", + "name": "kong_latency" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count_per_user" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count_per_workspace" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count_per_user_per_route" + }, + { + "stat_type": "gauge", + "sample_rate": 1, + "name": "shdict_usage" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "cache_datastore_hits_total" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "cache_datastore_misses_total" + } + ] } }, { "allow_status_codes": { - "type": "array", "elements": { "type": "string", "match": "^[0-9]+-[0-9]+$" }, + 
"type": "array", "description": "List of status code ranges that are allowed to be logged in metrics." } }, { "udp_packet_size": { + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", + "type": "number", + "default": 0, "between": [ 0, 65507 - ], - "type": "number", - "default": 0, - "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive)." + ] } }, { "use_tcp": { "type": "boolean", - "default": false, - "description": "Use TCP instead of UDP." + "description": "Use TCP instead of UDP.", + "default": false } }, { "hostname_in_prefix": { "type": "boolean", - "default": false, - "description": "Include the `hostname` in the `prefix` for each metric name." + "description": "Include the `hostname` in the `prefix` for each metric name.", + "default": false } }, { "consumer_identifier_default": { - "required": true, "type": "string", + "default": "custom_id", + "required": true, + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", "one_of": [ "consumer_id", "custom_id", "username" - ], - "default": "custom_id", - "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`." + ] } }, { "service_identifier_default": { - "required": true, "type": "string", + "default": "service_name_or_host", + "required": true, + "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. 
Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ], - "default": "service_name_or_host", - "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`." + ] } }, { "workspace_identifier_default": { - "required": true, "type": "string", + "default": "workspace_id", + "required": true, + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", "one_of": [ "workspace_id", "workspace_name" - ], - "default": "workspace_id", - "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. " + ] } }, { "queue": { - "type": "record", "required": true, + "type": "record", "fields": [ { "max_batch_size": { + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 - ], - "type": "integer", - "default": 1, - "description": "Maximum number of entries that can be processed at a time." + ] } }, { "max_coalescing_delay": { + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 - ], - "type": "number", - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." 
+ ] } }, { "max_entries": { + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 - ], - "type": "integer", - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue." + ] } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { @@ -415,24 +418,24 @@ }, { "initial_retry_delay": { + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 - ], - "type": "number", - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch." + ] } }, { "max_retry_delay": { + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ], - "type": "number", - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff." + ] } } ] @@ -441,8 +444,5 @@ ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/statsd/3.6.x.json b/schemas/statsd/3.6.x.json index ca91640f..a817ed71 100644 --- a/schemas/statsd/3.6.x.json +++ b/schemas/statsd/3.6.x.json @@ -1,15 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { "one_of": [ "grpc", 
@@ -26,20 +21,27 @@ "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "entity_checks": [ { "custom_entity_check": { @@ -51,24 +53,24 @@ } } ], - "required": true, + "type": "record", "fields": [ { "host": { - "default": "localhost", "type": "string", + "default": "localhost", "description": "The IP address or hostname of StatsD server to send data to." } }, { "port": { + "default": 8125, + "type": "integer", + "description": "The port of StatsD server to send data to.", "between": [ 0, 65535 - ], - "default": 8125, - "type": "integer", - "description": "The port of StatsD server to send data to." + ] } }, { 
@@ -80,95 +82,21 @@ }, { "metrics": { - "default": [ - { - "name": "request_count", - "stat_type": "counter", - "sample_rate": 1 - }, - { - "stat_type": "timer", - "name": "latency" - }, - { - "name": "request_size", - "stat_type": "counter", - "sample_rate": 1 - }, - { - "name": "status_count", - "stat_type": "counter", - "sample_rate": 1 - }, - { - "name": "response_size", - "stat_type": "counter", - "sample_rate": 1 - }, - { - "stat_type": "set", - "name": "unique_users" - }, - { - "sample_rate": 1, - "stat_type": "counter", - "name": "request_per_user" - }, - { - "stat_type": "timer", - "name": "upstream_latency" - }, - { - "stat_type": "timer", - "name": "kong_latency" - }, - { - "sample_rate": 1, - "stat_type": "counter", - "name": "status_count_per_user" - }, - { - "name": "status_count_per_workspace", - "stat_type": "counter", - "sample_rate": 1 - }, - { - "sample_rate": 1, - "stat_type": "counter", - "name": "status_count_per_user_per_route" - }, - { - "name": "shdict_usage", - "stat_type": "gauge", - "sample_rate": 1 - }, - { - "name": "cache_datastore_hits_total", - "stat_type": "counter", - "sample_rate": 1 - }, - { - "name": "cache_datastore_misses_total", - "stat_type": "counter", - "sample_rate": 1 - } - ], - "type": "array", "elements": { "entity_checks": [ { "conditional": { "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + }, "if_match": { "one_of": [ "counter", "gauge" ] - }, - "then_match": { - "required": true - }, - "if_field": "stat_type" + } } } ], @@ -176,7 +104,9 @@ "fields": [ { "name": { + "required": true, "type": "string", + "description": "StatsD metric’s name.", "one_of": [ "kong_latency", "latency", 
@@ -193,14 +123,14 @@ "shdict_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" - ], - "required": true, - "description": "StatsD metric’s name." + ] } }, { "stat_type": { + "required": true, "type": "string", + "description": "Determines what sort of event a metric represents.", "one_of": [ "counter", "gauge", @@ -208,9 +138,7 @@ "meter", "set", "timer" - ], - "required": true, - "description": "Determines what sort of event a metric represents." + ] } }, { 
@@ -255,27 +183,101 @@ } ] }, - "description": "List of metrics to be logged." + "type": "array", + "description": "List of metrics to be logged.", + "default": [ + { + "stat_type": "counter", + "name": "request_count", + "sample_rate": 1 + }, + { + "stat_type": "timer", + "name": "latency" + }, + { + "stat_type": "counter", + "name": "request_size", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "status_count", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "response_size", + "sample_rate": 1 + }, + { + "stat_type": "set", + "name": "unique_users" + }, + { + "stat_type": "counter", + "name": "request_per_user", + "sample_rate": 1 + }, + { + "stat_type": "timer", + "name": "upstream_latency" + }, + { + "stat_type": "timer", + "name": "kong_latency" + }, + { + "stat_type": "counter", + "name": "status_count_per_user", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "status_count_per_workspace", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "status_count_per_user_per_route", + "sample_rate": 1 + }, + { + "stat_type": "gauge", + "name": "shdict_usage", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "cache_datastore_hits_total", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "cache_datastore_misses_total", + "sample_rate": 1 + } + ] } }, { "allow_status_codes": { - "type": "array", "elements": { "type": "string", "match": "^[0-9]+-[0-9]+$" }, + "type": "array", "description": "List of status code ranges that are allowed to be logged in metrics." } }, { "udp_packet_size": { + "type": "number", + "default": 0, "between": [ 0, 65507 - ], - "default": 0, - "type": "number" + ] } }, { 
@@ -292,38 +294,38 @@ }, { "consumer_identifier_default": { + "required": true, + "type": "string", "default": "custom_id", "one_of": [ "consumer_id", "custom_id", "username" - ], - "type": "string", - "required": true + ] } }, { "service_identifier_default": { + "required": true, + "type": "string", "default": "service_name_or_host", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ], - "type": "string", - "required": true + ] } }, { "workspace_identifier_default": { + "required": true, + "type": "string", "default": "workspace_id", "one_of": [ "workspace_id", "workspace_name" - ], - "type": "string", - "required": true + ] } }, { 
@@ -343,58 +345,58 @@ }, { "tag_style": { + "required": false, + "type": "string", "one_of": [ "dogstatsd", "influxdb", "librato", "signalfx" - ], - "required": false, - "type": "string" + ] } }, { "queue": { - "type": "record", "required": true, + "type": "record", "fields": [ { "max_batch_size": { + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 - ], - "type": "integer", - "default": 1, - "description": "Maximum number of entries that can be processed at a time." + ] } }, { "max_coalescing_delay": { + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 - ], - "type": "number", - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + ] } }, { "max_entries": { + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 - ], - "type": "integer", - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue." + ] } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { 
@@ -406,34 +408,32 @@ }, { "initial_retry_delay": { + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 - ], - "type": "number", - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch." + ] } }, { "max_retry_delay": { + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ], - "type": "number", - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff." + ] } } ] } } - ] + ], + "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/syslog/3.6.x.json b/schemas/syslog/3.6.x.json index dfdde20d..b739b7d4 100644 --- a/schemas/syslog/3.6.x.json +++ b/schemas/syslog/3.6.x.json @@ -1,15 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { "one_of": [ "grpc", @@ -26,24 +21,34 @@ "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "log_level": { + "required": true, + "type": "string", "default": "info", "one_of": [ "debug", @@ -54,13 +59,13 @@ "crit", "alert", "emerg" - ], - "type": "string", - "required": true + ] } }, { "successful_severity": { + "required": true, + "type": "string", "default": "info", "one_of": [ "debug", 
@@ -71,13 +76,13 @@ "crit", "alert", "emerg" - ], - "type": "string", - "required": true + ] } }, { "client_errors_severity": { + "required": true, + "type": "string", "default": "info", "one_of": [ "debug", @@ -88,13 +93,13 @@ "crit", "alert", "emerg" - ], - "type": "string", - "required": true + ] } }, { "server_errors_severity": { + "required": true, + "type": "string", "default": "info", "one_of": [ "debug", @@ -105,9 +110,7 @@ "crit", "alert", "emerg" - ], - "type": "string", - "required": true + ] } }, { @@ -116,18 +119,20 @@ "type": "string", "len_min": 1 }, + "type": "map", + "description": "Lua code as a key-value map", "values": { "len_min": 1, "type": "string" - }, - "type": "map", - "description": "Lua code as a key-value map" + } } }, { "facility": { - "required": true, "type": "string", + "default": "user", + "required": true, + "description": "The facility is used by the operating system to decide how to handle each log message.", "one_of": [ "auth", "authpriv", @@ -149,16 +154,11 @@ "local5", "local6", "local7" - ], - "default": "user", - "description": "The facility is used by the operating system to decide how to handle each log message." + ] } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/tcp-log/3.6.x.json b/schemas/tcp-log/3.6.x.json index 40b74336..6c41ccc6 100644 --- a/schemas/tcp-log/3.6.x.json +++ b/schemas/tcp-log/3.6.x.json @@ -1,15 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { "one_of": [ "grpc", 
@@ -26,21 +21,29 @@ "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "host": { @@ -51,41 +54,41 @@ }, { "port": { + "required": true, + "type": "integer", + "description": "The port to send data to on the upstream server.", "between": [ 0, 65535 - ], - "required": true, - "type": "integer", - "description": "The port to send data to on the upstream server." + ] } }, { "timeout": { - "default": 10000, "type": "number", + "default": 10000, "description": "An optional timeout in milliseconds when sending data to the upstream server." } }, { "keepalive": { - "default": 60000, "type": "number", + "default": 60000, "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." } }, { "tls": { + "required": true, "type": "boolean", "default": false, - "required": true, "description": "Indicates whether to perform a TLS handshake against the remote server." } }, { "tls_sni": { - "type": "string", - "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake." + "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake.", + "type": "string" } }, { 
@@ -94,19 +97,16 @@ "type": "string", "len_min": 1 }, + "type": "map", + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", "values": { "len_min": 1, "type": "string" - }, - "type": "map", - "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value." + } } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/tls-handshake-modifier/3.6.x.json b/schemas/tls-handshake-modifier/3.6.x.json index 0ad58c9c..0d81e4ff 100644 --- a/schemas/tls-handshake-modifier/3.6.x.json +++ b/schemas/tls-handshake-modifier/3.6.x.json @@ -1,9 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } @@ -12,49 +15,46 @@ "protocols": { "required": true, "type": "set", + "default": [ + "https", + "grpcs" + ], "elements": { - "type": "string", "one_of": [ "https", "grpcs", "tls" - ] - }, - "default": [ - "https", - "grpcs" - ] + ], + "type": "string" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "tls_client_certificate": { - "required": false, "type": "string", + "default": "REQUEST", + "required": false, + "description": "TLS Client Certificate", "one_of": [ "REQUEST" - ], - "default": "REQUEST", - "description": "TLS Client Certificate" + ] } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
diff --git a/schemas/tls-metadata-headers/3.6.x.json b/schemas/tls-metadata-headers/3.6.x.json index 742ee027..1fe21c3b 100644 --- a/schemas/tls-metadata-headers/3.6.x.json +++ b/schemas/tls-metadata-headers/3.6.x.json @@ -1,9 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } 
@@ -12,85 +15,82 @@ "protocols": { "required": true, "type": "set", + "default": [ + "https", + "grpcs" + ], "elements": { - "type": "string", "one_of": [ "https", "grpcs", "tls" - ] - }, - "default": [ - "https", - "grpcs" - ] + ], + "type": "string" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "inject_client_cert_details": { - "default": false, "type": "boolean", - "description": "Enables TLS client certificate metadata values to be injected into HTTP headers." + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", + "default": false } }, { "client_cert_header_name": { - "type": "string", - "default": "X-Client-Cert", "required": true, - "description": "Define the HTTP header name used for the PEM format URL encoded client certificate." + "type": "string", + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", + "default": "X-Client-Cert" } }, { "client_serial_header_name": { - "type": "string", - "default": "X-Client-Cert-Serial", "required": true, - "description": "Define the HTTP header name used for the serial number of the client certificate." + "type": "string", + "description": "Define the HTTP header name used for the serial number of the client certificate.", + "default": "X-Client-Cert-Serial" } }, { "client_cert_issuer_dn_header_name": { - "type": "string", - "default": "X-Client-Cert-Issuer-DN", "required": true, - "description": "Define the HTTP header name used for the issuer DN of the client certificate." 
+ "type": "string", + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", + "default": "X-Client-Cert-Issuer-DN" } }, { "client_cert_subject_dn_header_name": { - "type": "string", - "default": "X-Client-Cert-Subject-DN", "required": true, - "description": "Define the HTTP header name used for the subject DN of the client certificate." + "type": "string", + "description": "Define the HTTP header name used for the subject DN of the client certificate.", + "default": "X-Client-Cert-Subject-DN" } }, { "client_cert_fingerprint_header_name": { - "type": "string", - "default": "X-Client-Cert-Fingerprint", "required": true, - "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate." + "type": "string", + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", + "default": "X-Client-Cert-Fingerprint" } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/udp-log/3.6.x.json b/schemas/udp-log/3.6.x.json index fda25f97..743499c7 100644 --- a/schemas/udp-log/3.6.x.json +++ b/schemas/udp-log/3.6.x.json @@ -1,15 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { "one_of": [ "grpc", @@ -26,21 +21,29 @@ "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "host": { 
@@ -51,20 +54,20 @@ }, { "port": { + "required": true, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "required": true, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "timeout": { "type": "number", - "default": 10000, - "description": "An optional timeout in milliseconds when sending data to the upstream server." + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "default": 10000 } }, { @@ -73,19 +76,16 @@ "type": "string", "len_min": 1 }, + "type": "map", + "description": "Lua code as a key-value map", "values": { "len_min": 1, "type": "string" - }, - "type": "map", - "description": "Lua code as a key-value map" + } } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/upstream-timeout/3.6.x.json b/schemas/upstream-timeout/3.6.x.json index d5f3736f..35b0cf93 100644 --- a/schemas/upstream-timeout/3.6.x.json +++ b/schemas/upstream-timeout/3.6.x.json 
@@ -1,75 +1,75 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/vault-auth/3.6.x.json b/schemas/vault-auth/3.6.x.json index d5cc2901..b5926a25 100644 --- a/schemas/vault-auth/3.6.x.json +++ b/schemas/vault-auth/3.6.x.json 
@@ -1,112 +1,112 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "access_token_name": { - "required": true, - "type": "string", "elements": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" }, + "type": "string", "default": "access_token", + "required": true, "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-]." } }, { "secret_token_name": { - "required": true, - "type": "string", "elements": { - "type": "string", - "description": "A string representing an HTTP header name." 
+ "description": "A string representing an HTTP header name.", + "type": "string" }, + "type": "string", "default": "secret_token", + "required": true, "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-]." } }, { "vault": { - "type": "foreign", "reference": "vault_auth_vaults", - "required": true, - "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API." + "type": "foreign", + "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", + "required": true } }, { "hide_credentials": { "type": "boolean", - "default": false, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it." + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", + "default": false } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." 
+ "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "tokens_in_body": { "type": "boolean", - "default": false, - "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." + "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "default": false } }, { "run_on_preflight": { "type": "boolean", - "default": true, - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed." + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "default": true } } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/websocket-size-limit/3.6.x.json b/schemas/websocket-size-limit/3.6.x.json index 0bdadc6e..a1045fa6 100644 --- a/schemas/websocket-size-limit/3.6.x.json +++ b/schemas/websocket-size-limit/3.6.x.json 
@@ -1,33 +1,35 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { "required": true, "type": "set", + "default": [ + "ws", + "wss" + ], "elements": { - "type": "string", "one_of": [ "ws", "wss" - ] - }, - "default": [ - "ws", - "wss" - ] + ], + "type": "string" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -36,33 +38,31 @@ ] } ], - "required": true, + "type": "record", "fields": [ { "client_max_payload": { + "required": false, + "type": "integer", "between": [ 1, 33554432 - ], - "type": "integer", - "required": false + ] } }, { "upstream_max_payload": { + "required": false, + "type": "integer", "between": [ 1, 33554432 - ], - "type": "integer", - "required": false + ] } } - ] + ], + "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/websocket-validator/3.6.x.json b/schemas/websocket-validator/3.6.x.json index 0790af6a..e7e9ddde 100644 --- a/schemas/websocket-validator/3.6.x.json +++ b/schemas/websocket-validator/3.6.x.json @@ -1,33 +1,35 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { "required": true, "type": "set", + "default": [ + "ws", + "wss" + ], "elements": { - "type": "string", "one_of": [ "ws", "wss" - ] - }, - "default": [ - "ws", - "wss" - ] + ], + "type": "string" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "entity_checks": [ { "at_least_one_of": [ 
@@ -36,44 +38,26 @@ ] } ], - "required": true, + "type": "record", "fields": [ { "client": { "required": false, - "entity_checks": [ - { - "at_least_one_of": [ - "text", - "binary" - ] - } - ], "type": "record", "fields": [ { "text": { "required": false, - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "type", - "schema" - ] - } - } - ], "type": "record", "fields": [ { "type": { "required": true, + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" - ], - "type": "string", - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." + ] } }, { @@ -83,12 +67,7 @@ "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." } } - ] - } - }, - { - "binary": { - "required": false, + ], "entity_checks": [ { "custom_entity_check": { @@ -98,17 +77,22 @@ ] } } - ], + ] + } + }, + { + "binary": { + "required": false, "type": "record", "fields": [ { "type": { "required": true, + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" - ], - "type": "string", - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." + ] } }, { @@ -118,15 +102,20 @@ "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." } } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } ] } } - ] - } - }, - { - "upstream": { - "required": false, + ], "entity_checks": [ { "at_least_one_of": [ 
@@ -134,32 +123,27 @@ "binary" ] } - ], + ] + } + }, + { + "upstream": { + "required": false, "type": "record", "fields": [ { "text": { "required": false, - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "type", - "schema" - ] - } - } - ], "type": "record", "fields": [ { "type": { "required": true, + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" - ], - "type": "string", - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." + ] } }, { @@ -169,12 +153,7 @@ "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." } } - ] - } - }, - { - "binary": { - "required": false, + ], "entity_checks": [ { "custom_entity_check": { @@ -184,17 +163,22 @@ ] } } - ], + ] + } + }, + { + "binary": { + "required": false, "type": "record", "fields": [ { "type": { "required": true, + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" - ], - "type": "string", - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." + ] } }, { @@ -204,17 +188,33 @@ "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." } } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } ] } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } ] } } - ] + ], + "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
diff --git a/schemas/xml-threat-protection/3.6.x.json b/schemas/xml-threat-protection/3.6.x.json index 8e28c996..c98f8f67 100644 --- a/schemas/xml-threat-protection/3.6.x.json +++ b/schemas/xml-threat-protection/3.6.x.json 
@@ -1,121 +1,123 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "entity_checks": [ { "conditional": { "then_field": "max_namespaces", - "if_match": { - "eq": true - }, + "if_field": "namespace_aware", "then_match": { "required": true }, - "if_field": "namespace_aware" + "if_match": { + "eq": true + } } }, { "conditional": { "then_field": "prefix", - "if_match": { - "eq": true - }, + "if_field": "namespace_aware", "then_match": { "required": true }, - "if_field": "namespace_aware" + "if_match": { + "eq": true + } } }, { "conditional": { "then_field": "namespaceuri", - "if_match": { - "eq": true - }, + "if_field": "namespace_aware", "then_match": { "required": true }, - "if_field": "namespace_aware" + "if_match": { + "eq": true + } } } ], - "required": true, + "type": "record", "fields": [ { "checked_content_types": { - "type": "set", - "required": true, "elements": { + "required": true, "match": "^[^%s]+%/[^ ;]+$", - "type": "string", - "required": true + "type": "string" }, + "type": "set", "default": [ "application/xml" ], + "required": true, "description": "A list of Content-Type values with payloads that must be validated." 
} }, { "allowed_content_types": { - "type": "set", - "required": true, "elements": { + "required": true, "match": "^[^%s]+%/[^ ;]+$", - "type": "string", - "required": true + "type": "string" }, + "type": "set", "default": [ ], + "required": true, "description": "A list of Content-Type values with payloads that are allowed, but aren't validated." } }, { "allow_dtd": { + "required": true, "type": "boolean", "default": false, - "required": true, "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed." } }, { "namespace_aware": { + "required": true, "type": "boolean", "default": true, - "required": true, "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such." } }, @@ -123,8 +125,8 @@ "max_depth": { "gt": 0, "type": "integer", - "required": true, "default": 50, + "required": true, "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level." } }, @@ -132,8 +134,8 @@ "max_children": { "gt": 0, "type": "integer", - "required": true, "default": 100, + "required": true, "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child." } }, @@ -141,8 +143,8 @@ "max_attributes": { "gt": 0, "type": "integer", - "required": true, "default": 100, + "required": true, "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes." } }, 
@@ -150,125 +152,125 @@ "max_namespaces": { "gt": 0, "type": "integer", - "required": false, "default": 20, + "required": false, "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware." } }, { "document": { "gt": 0, - "required": true, "type": "integer", "default": 10485760, + "required": true, "description": "Maximum size of the entire document." } }, { "buffer": { "gt": 0, - "required": true, "type": "integer", "default": 1048576, + "required": true, "description": "Maximum size of the unparsed buffer (see below)." } }, { "comment": { "gt": 0, - "required": true, "type": "integer", "default": 1024, + "required": true, "description": "Maximum size of comments." } }, { "localname": { "gt": 0, - "required": true, "type": "integer", "default": 1024, + "required": true, "description": "Maximum size of the localname. This applies to tags and attributes." } }, { "prefix": { "gt": 0, - "required": false, "type": "integer", "default": 1024, + "required": false, "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware." } }, { "namespaceuri": { "gt": 0, - "required": false, "type": "integer", "default": 1024, + "required": false, "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware." } }, { "attribute": { "gt": 0, - "required": true, "type": "integer", "default": 1048576, + "required": true, "description": "Maximum size of the attribute value." } }, { "text": { "gt": 0, - "required": true, "type": "integer", "default": 1048576, + "required": true, "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined)." } }, { "pitarget": { "gt": 0, - "required": true, "type": "integer", "default": 1024, + "required": true, "description": "Maximum size of processing instruction targets." 
} }, { "pidata": { "gt": 0, - "required": true, "type": "integer", "default": 1024, + "required": true, "description": "Maximum size of processing instruction data." } }, { "entityname": { "gt": 0, - "required": true, "type": "integer", "default": 1024, + "required": true, "description": "Maximum size of entity names in EntityDecl." } }, { "entity": { "gt": 0, - "required": true, "type": "integer", "default": 1024, + "required": true, "description": "Maximum size of entity values in EntityDecl." } }, { "entityproperty": { "gt": 0, - "required": true, "type": "integer", "default": 1024, + "required": true, "description": "Maximum size of systemId, publicId, or notationName in EntityDecl." } }, @@ -276,25 +278,23 @@ "bla_max_amplification": { "gt": 1, "type": "number", - "required": true, "default": 100, + "required": true, "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack." } }, { "bla_threshold": { "gt": 1024, - "required": true, "type": "integer", "default": 8388608, + "required": true, "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack." } } - ] + ], + "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/zipkin/3.6.x.json b/schemas/zipkin/3.6.x.json index 7fffd55e..ba875690 100644 --- a/schemas/zipkin/3.6.x.json +++ b/schemas/zipkin/3.6.x.json @@ -1,15 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { "one_of": [ "grpc", 
@@ -26,21 +21,29 @@ "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS." }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, "description": "A set of strings representing protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "required": true, + "type": "record", "fields": [ { "local_service_name": { @@ -52,25 +55,25 @@ }, { "http_endpoint": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "sample_ratio": { + "default": 0.001, + "type": "number", + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", "between": [ 0, 1 - ], - "type": "number", - "default": 0.001, - "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. " + ] } }, { "default_service_name": { - "type": "string", - "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans." + "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans.", + "type": "string" } }, { 
@@ -84,19 +87,21 @@ { "traceid_byte_count": { "type": "integer", + "default": 16, "required": true, + "description": "The length in bytes of each request's Trace ID.", "one_of": [ 8, 16 - ], - "default": 16, - "description": "The length in bytes of each request's Trace ID." + ] } }, { "header_type": { "type": "string", + "default": "preserve", "required": true, + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", "one_of": [ "preserve", "ignore", @@ -108,15 +113,15 @@ "aws", "datadog", "gcp" - ], - "default": "preserve", - "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests" + ] } }, { "default_header_type": { "type": "string", + "default": "b3", "required": true, + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", "one_of": [ "b3", "b3-single", @@ -126,9 +131,7 @@ "aws", "datadog", "gcp" - ], - "default": "b3", - "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored." + ] } }, { @@ -141,13 +144,12 @@ }, { "static_tags": { - "type": "array", "elements": { - "type": "record", "fields": [ { "name": { "required": true, + "type": "string", "not_one_of": [ "error", "http.method", 
@@ -162,64 +164,65 @@ "kong.service", "lc", "peer.hostname" - ], - "type": "string" + ] } }, { "value": { - "type": "string", - "required": true + "required": true, + "type": "string" } } - ] + ], + "type": "record" }, + "type": "array", "description": "The tags specified on this property will be added to the generated request traces." } }, { "http_span_name": { "type": "string", + "default": "method", "required": true, + "description": "Specify whether to include the HTTP path in the span name.", "one_of": [ "method", "method_path" - ], - "default": "method", - "description": "Specify whether to include the HTTP path in the span name." + ] } }, { "connect_timeout": { + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "send_timeout": { + "default": 5000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "default": 5000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "read_timeout": { + "default": 5000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "default": 5000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { 
@@ -230,57 +233,57 @@ { "phase_duration_flavor": { "type": "string", + "default": "annotations", "required": true, + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", "one_of": [ "annotations", "tags" - ], - "default": "annotations", - "description": "Specify whether to include the duration of each phase as an annotation or a tag." + ] } }, { "queue": { - "type": "record", "required": true, + "type": "record", "fields": [ { "max_batch_size": { + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 - ], - "type": "integer", - "default": 1, - "description": "Maximum number of entries that can be processed at a time." + ] } }, { "max_coalescing_delay": { + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 - ], - "type": "number", - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + ] } }, { "max_entries": { + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 - ], - "type": "integer", - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue." + ] } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { 
@@ -292,24 +295,24 @@ }, { "initial_retry_delay": { + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 - ], - "type": "number", - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch." + ] } }, { "max_retry_delay": { + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ], - "type": "number", - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff." + ] } } ] @@ -318,8 +321,5 @@ ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file From 31d014ea95865de80fc625bf50213eecd542c38e Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Tue, 13 Feb 2024 11:47:12 -0800 Subject: [PATCH 037/165] Feat: Basic examples for AI plugins (#21) * draft examples for ai plugins * update examples --- examples/ai-prompt-decorator/_3.6.x.yaml | 12 +++++++++- examples/ai-prompt-guard/_3.6.x.yaml | 9 +++++++- examples/ai-prompt-template/_3.6.x.yaml | 23 +++++++++++++++++++- examples/ai-proxy/_3.6.x.yaml | 12 +++++++++- examples/ai-request-transformer/_3.6.x.yaml | 18 ++++++++++++++- examples/ai-response-transformer/_3.6.x.yaml | 21 +++++++++++++++++- 6 files changed, 89 insertions(+), 6 deletions(-) diff --git a/examples/ai-prompt-decorator/_3.6.x.yaml b/examples/ai-prompt-decorator/_3.6.x.yaml index f87df779..4e743eb9 100644 --- a/examples/ai-prompt-decorator/_3.6.x.yaml +++ b/examples/ai-prompt-decorator/_3.6.x.yaml 
@@ -1,2 +1,12 @@ name: ai-prompt-decorator -config: {} \ No newline at end of file +config: + prepend: + - role: "system" + content: "You are data scientist, specialising in survey analytics." + - role: "user" + content: "Classify this test result set as positive, negative, or neutral." + - role: "assistant" + content: "These tests are NEUTRAL." + append: + - role: "user" + content: "Do not mention any real participants name in your justification." diff --git a/examples/ai-prompt-guard/_3.6.x.yaml b/examples/ai-prompt-guard/_3.6.x.yaml index 9e6ed565..bd724506 100644 --- a/examples/ai-prompt-guard/_3.6.x.yaml +++ b/examples/ai-prompt-guard/_3.6.x.yaml @@ -1,2 +1,9 @@ name: ai-prompt-guard -config: {} \ No newline at end of file +config: + allow_all_conversation_history: true + allow_patterns: + - ".*(P|p)ears.*" + - ".*(P|p)eaches.*" + deny_patterns: + - ".*(A|a)pples.*" + - ".*(O|o)ranges.*" diff --git a/examples/ai-prompt-template/_3.6.x.yaml b/examples/ai-prompt-template/_3.6.x.yaml index 2fd16614..1ed007fc 100644 --- a/examples/ai-prompt-template/_3.6.x.yaml +++ b/examples/ai-prompt-template/_3.6.x.yaml @@ -1,2 +1,23 @@ name: ai-prompt-template -config: {} \ No newline at end of file +config: + allow_untemplated_requests: true + templates: + - name: "developer-chat" + template: |- + { + "messages": [ + { + "role": "system", + "content": "You are a {{program}} expert, in {{language}} programming language." + }, + { + "role": "user", + "content": "Write me a {{program}} program." + } + ] + } + - name: "summarize-prompt" + template: |- + { + "prompt": "Summarize the following text for me: {{text}}" + } diff --git a/examples/ai-proxy/_3.6.x.yaml b/examples/ai-proxy/_3.6.x.yaml index 331534df..a16a3dd4 100644 --- a/examples/ai-proxy/_3.6.x.yaml +++ b/examples/ai-proxy/_3.6.x.yaml 
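Review bot: The `deny_patterns` added in examples/ai-prompt-guard/_3.6.x.yaml cover only two spellings each: `.*(A|a)pples.*` matches `Apples` and `apples` but not `APPLES`, so anyone who copies the example gets a deny list that a change of letter case slips past. If the plugin's regex engine accepts inline flags (not visible in this hunk, to be confirmed), `- "(?i).*apples.*"` states the intent directly. Otherwise a YAML comment such as `# patterns are case-sensitive; list every variant you need to block` would make the limitation explicit. `allow_all_conversation_history: true` also deserves a one-line comment saying which messages of a conversation are then checked against the patterns, because readers will copy it along with the lists.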
@@ -1,2 +1,12 @@ name: ai-proxy -config: {} \ No newline at end of file +config: + route_type: "llm/v1/chat" + auth: + header_name: "Authorization" + header_value: "Bearer " + model: + provider: "openai" + name: "gpt-4" + options: + max_tokens: 512 + temperature: 1.0 diff --git a/examples/ai-request-transformer/_3.6.x.yaml b/examples/ai-request-transformer/_3.6.x.yaml index ad93eef6..b8275ac7 100644 --- a/examples/ai-request-transformer/_3.6.x.yaml +++ b/examples/ai-request-transformer/_3.6.x.yaml @@ -1,2 +1,18 @@ name: ai-request-transformer -config: {} \ No newline at end of file +config: + prompt: "Mask any credit card numbers in my JSON message. Reply with only the JSON result." + transformation_extract_pattern: '\\{((.|\n)*)\\}' + llm: + route_type: "llm/v1/chat" + auth: + header_name: "Authorization" + header_value: "Bearer " + logging: + log_statistics: true + log_payloads: false + model: + provider: "openai" + name: "gpt-4" + options: + max_tokens: 1024 + temperature: 1.0 diff --git a/examples/ai-response-transformer/_3.6.x.yaml b/examples/ai-response-transformer/_3.6.x.yaml index f19bc721..4c62a8e2 100644 --- a/examples/ai-response-transformer/_3.6.x.yaml +++ b/examples/ai-response-transformer/_3.6.x.yaml @@ -1,2 +1,21 @@ name: ai-response-transformer -config: {} \ No newline at end of file +config: + prompt: "For any city name, put the country that it's in, in brackets next to it. Reply with only the JSON result." + transformation_extract_pattern: '\\{((.|\n)*)\\}' + parse_llm_response_json_instructions: false + llm: + route_type: "llm/v1/chat" + auth: + header_name: "api-key" + header_value: "" + logging: + log_statistics: true + log_payloads: false + model: + provider: "azure" + name: "gpt-35-turbo" + options: + max_tokens: 1024 + temperature: 1.0 + azure_instance: "azure-openai-instance-name" + azure_deployment_id: "gpt-3-5-deployment" From 2f4b0b477edd7a3f11348ce52d7bc5c51d2d0611 Mon Sep 17 00:00:00 2001 
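Review bot: The `auth.header_value` entry in examples/ai-proxy/_3.6.x.yaml gives no hint about where the credential should come from. As displayed here the value is `"Bearer "`, though an angle-bracket placeholder may have been lost in rendering. An example that ends at the scheme invites pasting a live provider key into a file that is then committed. A clearly labelled placeholder plus a comment would help, e.g. `header_value: "Bearer <OPENAI_API_KEY>"  # placeholder: supply from a secret store / vault reference, never commit a real key`. The same applies to `header_value: "Bearer "` in the ai-request-transformer hunk and `header_value: ""` in the ai-response-transformer hunk.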
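Review bot: `transformation_extract_pattern: '\\{((.|\n)*)\\}'` in examples/ai-request-transformer/_3.6.x.yaml is a single-quoted YAML scalar, where a backslash is not an escape character, so the loaded value still contains `\\{` and `\\}`. Read as a regex, that requires a literal backslash before each brace and would not match a plain JSON object in the model's reply, so the extraction step would fail for the case the example is meant to show. Assuming the string reaches the regex engine unmodified (the loader is not visible here), the intended form is `transformation_extract_pattern: '\{((.|\n)*)\}'`. The identical line in the examples/ai-response-transformer/_3.6.x.yaml hunk needs the same change.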
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Fri, 16 Feb 2024 14:52:21 -0800 Subject: [PATCH 038/165] placeholder schemas and examples for 3.7 (#22) --- examples/acl/_3.7.x.yaml | 6 + examples/acme/_3.7.x.yaml | 3 + examples/ai-prompt-decorator/_3.7.x.yaml | 12 + examples/ai-prompt-guard/_3.7.x.yaml | 9 + examples/ai-prompt-template/_3.7.x.yaml | 23 + examples/ai-proxy/_3.7.x.yaml | 12 + examples/ai-request-transformer/_3.7.x.yaml | 18 + examples/ai-response-transformer/_3.7.x.yaml | 21 + examples/app-dynamics/_3.7.x.yaml | 2 + examples/application-registration/_3.7.x.yaml | 7 + examples/aws-lambda/_3.7.x.yaml | 9 + examples/azure-functions/_3.7.x.yaml | 6 + examples/basic-auth/_3.7.x.yaml | 3 + examples/bot-detection/_3.7.x.yaml | 4 + examples/canary/_3.7.x.yaml | 5 + examples/correlation-id/_3.7.x.yaml | 5 + examples/cors/_3.7.x.yaml | 19 + examples/datadog/_3.7.x.yaml | 6 + examples/degraphql/_3.7.x.yaml | 3 + examples/exit-transformer/_3.7.x.yaml | 4 + examples/file-log/_3.7.x.yaml | 3 + examples/forward-proxy/_3.7.x.yaml | 9 + .../graphql-proxy-cache-advanced/_3.7.x.yaml | 3 + .../_3.7.x.yaml | 9 + examples/grpc-gateway/_3.7.x.yaml | 3 + examples/grpc-web/_3.7.x.yaml | 3 + examples/hmac-auth/_3.7.x.yaml | 3 + examples/http-log/_3.7.x.yaml | 8 + examples/ip-restriction/_3.7.x.yaml | 5 + examples/jq/_3.7.x.yaml | 3 + examples/jwe-decrypt/_3.7.x.yaml | 4 + examples/jwt-signer/_3.7.x.yaml | 4 + examples/jwt/_3.7.x.yaml | 4 + examples/kafka-log/_3.7.x.yaml | 3 + examples/kafka-upstream/_3.7.x.yaml | 3 + examples/key-auth-enc/_3.7.x.yaml | 4 + examples/key-auth/_3.7.x.yaml | 4 + examples/konnect-application-auth/_3.7.x.yaml | 3 + examples/ldap-auth-advanced/_3.7.x.yaml | 10 + examples/ldap-auth/_3.7.x.yaml | 8 + examples/loggly/_3.7.x.yaml | 3 + examples/mocking/_3.7.x.yaml | 14 + examples/mtls-auth/_3.7.x.yaml | 6 + examples/oas-validation/_3.7.x.yaml | 29 + examples/oauth2-introspection/_3.7.x.yaml | 5 + examples/oauth2/_3.7.x.yaml 
| 9 + examples/opa/_3.7.x.yaml | 5 + examples/openid-connect/_3.7.x.yaml | 12 + examples/opentelemetry/_3.7.x.yaml | 5 + examples/post-function/_3.7.x.yaml | 6 + examples/pre-function/_3.7.x.yaml | 6 + examples/prometheus/_3.7.x.yaml | 4 + examples/proxy-cache-advanced/_3.7.x.yaml | 11 + examples/proxy-cache/_3.7.x.yaml | 12 + examples/rate-limiting-advanced/_3.7.x.yaml | 11 + examples/rate-limiting/_3.7.x.yaml | 5 + examples/request-size-limiting/_3.7.x.yaml | 4 + examples/request-termination/_3.7.x.yaml | 4 + .../request-transformer-advanced/_3.7.x.yaml | 43 + examples/request-transformer/_3.7.x.yaml | 36 + examples/request-validator/_3.7.x.yaml | 3 + examples/response-ratelimiting/_3.7.x.yaml | 8 + .../response-transformer-advanced/_3.7.x.yaml | 31 + examples/response-transformer/_3.7.x.yaml | 24 + examples/route-by-header/_3.7.x.yaml | 8 + .../route-transformer-advanced/_3.7.x.yaml | 3 + examples/saml/_3.7.x.yaml | 12 + examples/session/_3.7.x.yaml | 3 + examples/statsd-advanced/_3.7.x.yaml | 7 + examples/statsd/_3.7.x.yaml | 9 + examples/syslog/_3.7.x.yaml | 3 + examples/tcp-log/_3.7.x.yaml | 4 + examples/tls-handshake-modifier/_3.7.x.yaml | 1 + examples/tls-metadata-headers/_3.7.x.yaml | 4 + examples/udp-log/_3.7.x.yaml | 5 + examples/upstream-timeout/_3.7.x.yaml | 5 + examples/vault-auth/_3.7.x.yaml | 4 + examples/websocket-size-limit/_3.7.x.yaml | 4 + examples/websocket-validator/_3.7.x.yaml | 14 + examples/xml-threat-protection/_3.7.x.yaml | 6 + examples/zipkin/_3.7.x.yaml | 5 + schemas/acl/3.7.x.json | 97 + schemas/acme/3.7.x.json | 591 ++++ schemas/ai-prompt-decorator/3.7.x.json | 118 + schemas/ai-prompt-guard/3.7.x.json | 80 + schemas/ai-prompt-template/3.7.x.json | 88 + schemas/ai-proxy/3.7.x.json | 427 +++ schemas/ai-request-transformer/3.7.x.json | 515 ++++ schemas/ai-response-transformer/3.7.x.json | 523 ++++ schemas/app-dynamics/3.7.x.json | 46 + schemas/application-registration/3.7.x.json | 100 + schemas/aws-lambda/3.7.x.json | 255 ++ 
schemas/azure-functions/3.7.x.json | 125 + schemas/basic-auth/3.7.x.json | 78 + schemas/bot-detection/3.7.x.json | 79 + schemas/canary/3.7.x.json | 190 ++ schemas/correlation-id/3.7.x.json | 72 + schemas/cors/3.7.x.json | 143 + schemas/datadog/3.7.x.json | 346 +++ schemas/degraphql/3.7.x.json | 68 + schemas/exit-transformer/3.7.x.json | 68 + schemas/file-log/3.7.x.json | 83 + schemas/forward-proxy/3.7.x.json | 163 ++ .../graphql-proxy-cache-advanced/3.7.x.json | 89 + .../graphql-rate-limiting-advanced/3.7.x.json | 405 +++ schemas/grpc-gateway/3.7.x.json | 59 + schemas/grpc-web/3.7.x.json | 74 + schemas/hmac-auth/3.7.x.json | 125 + schemas/http-log/3.7.x.json | 245 ++ schemas/ip-restriction/3.7.x.json | 85 + schemas/jq/3.7.x.json | 197 ++ schemas/jwe-decrypt/3.7.x.json | 86 + schemas/jwt-signer/3.7.x.json | 726 +++++ schemas/jwt/3.7.x.json | 153 + schemas/kafka-log/3.7.x.json | 280 ++ schemas/kafka-upstream/3.7.x.json | 302 ++ schemas/key-auth-enc/3.7.x.json | 111 + schemas/key-auth/3.7.x.json | 116 + schemas/konnect-application-auth/3.7.x.json | 2584 +++++++++++++++++ schemas/ldap-auth-advanced/3.7.x.json | 236 ++ schemas/ldap-auth/3.7.x.json | 171 ++ schemas/loggly/3.7.x.json | 173 ++ schemas/mocking/3.7.x.json | 117 + schemas/mtls-auth/3.7.x.json | 204 ++ schemas/oas-validation/3.7.x.json | 148 + schemas/oauth2-introspection/3.7.x.json | 167 ++ schemas/oauth2/3.7.x.json | 214 ++ schemas/opa/3.7.x.json | 147 + schemas/openid-connect/3.7.x.json | 2548 ++++++++++++++++ schemas/opentelemetry/3.7.x.json | 246 ++ schemas/post-function/3.7.x.json | 228 ++ schemas/pre-function/3.7.x.json | 228 ++ schemas/prometheus/3.7.x.json | 87 + schemas/proxy-cache-advanced/3.7.x.json | 448 +++ schemas/proxy-cache/3.7.x.json | 205 ++ schemas/rate-limiting-advanced/3.7.x.json | 438 +++ schemas/rate-limiting/3.7.x.json | 402 +++ schemas/request-size-limiting/3.7.x.json | 73 + schemas/request-termination/3.7.x.json | 81 + .../request-transformer-advanced/3.7.x.json | 337 +++ 
schemas/request-transformer/3.7.x.json | 280 ++ schemas/request-validator/3.7.x.json | 181 ++ schemas/response-ratelimiting/3.7.x.json | 367 +++ .../response-transformer-advanced/3.7.x.json | 350 +++ schemas/response-transformer/3.7.x.json | 246 ++ schemas/route-by-header/3.7.x.json | 78 + schemas/route-transformer-advanced/3.7.x.json | 75 + schemas/saml/3.7.x.json | 650 +++++ schemas/session/3.7.x.json | 302 ++ schemas/statsd-advanced/3.7.x.json | 448 +++ schemas/statsd/3.7.x.json | 439 +++ schemas/syslog/3.7.x.json | 164 ++ schemas/tcp-log/3.7.x.json | 112 + schemas/tls-handshake-modifier/3.7.x.json | 60 + schemas/tls-metadata-headers/3.7.x.json | 96 + schemas/udp-log/3.7.x.json | 91 + schemas/upstream-timeout/3.7.x.json | 75 + schemas/vault-auth/3.7.x.json | 112 + schemas/websocket-size-limit/3.7.x.json | 68 + schemas/websocket-validator/3.7.x.json | 220 ++ schemas/xml-threat-protection/3.7.x.json | 300 ++ schemas/zipkin/3.7.x.json | 325 +++ 162 files changed, 22495 insertions(+) create mode 100644 examples/acl/_3.7.x.yaml create mode 100644 examples/acme/_3.7.x.yaml create mode 100644 examples/ai-prompt-decorator/_3.7.x.yaml create mode 100644 examples/ai-prompt-guard/_3.7.x.yaml create mode 100644 examples/ai-prompt-template/_3.7.x.yaml create mode 100644 examples/ai-proxy/_3.7.x.yaml create mode 100644 examples/ai-request-transformer/_3.7.x.yaml create mode 100644 examples/ai-response-transformer/_3.7.x.yaml create mode 100644 examples/app-dynamics/_3.7.x.yaml create mode 100644 examples/application-registration/_3.7.x.yaml create mode 100644 examples/aws-lambda/_3.7.x.yaml create mode 100644 examples/azure-functions/_3.7.x.yaml create mode 100644 examples/basic-auth/_3.7.x.yaml create mode 100644 examples/bot-detection/_3.7.x.yaml create mode 100644 examples/canary/_3.7.x.yaml create mode 100644 examples/correlation-id/_3.7.x.yaml create mode 100644 examples/cors/_3.7.x.yaml create mode 100644 examples/datadog/_3.7.x.yaml create mode 100644 
examples/degraphql/_3.7.x.yaml create mode 100644 examples/exit-transformer/_3.7.x.yaml create mode 100644 examples/file-log/_3.7.x.yaml create mode 100644 examples/forward-proxy/_3.7.x.yaml create mode 100644 examples/graphql-proxy-cache-advanced/_3.7.x.yaml create mode 100644 examples/graphql-rate-limiting-advanced/_3.7.x.yaml create mode 100644 examples/grpc-gateway/_3.7.x.yaml create mode 100644 examples/grpc-web/_3.7.x.yaml create mode 100644 examples/hmac-auth/_3.7.x.yaml create mode 100644 examples/http-log/_3.7.x.yaml create mode 100644 examples/ip-restriction/_3.7.x.yaml create mode 100644 examples/jq/_3.7.x.yaml create mode 100644 examples/jwe-decrypt/_3.7.x.yaml create mode 100644 examples/jwt-signer/_3.7.x.yaml create mode 100644 examples/jwt/_3.7.x.yaml create mode 100644 examples/kafka-log/_3.7.x.yaml create mode 100644 examples/kafka-upstream/_3.7.x.yaml create mode 100644 examples/key-auth-enc/_3.7.x.yaml create mode 100644 examples/key-auth/_3.7.x.yaml create mode 100644 examples/konnect-application-auth/_3.7.x.yaml create mode 100644 examples/ldap-auth-advanced/_3.7.x.yaml create mode 100644 examples/ldap-auth/_3.7.x.yaml create mode 100644 examples/loggly/_3.7.x.yaml create mode 100644 examples/mocking/_3.7.x.yaml create mode 100644 examples/mtls-auth/_3.7.x.yaml create mode 100644 examples/oas-validation/_3.7.x.yaml create mode 100644 examples/oauth2-introspection/_3.7.x.yaml create mode 100644 examples/oauth2/_3.7.x.yaml create mode 100644 examples/opa/_3.7.x.yaml create mode 100644 examples/openid-connect/_3.7.x.yaml create mode 100644 examples/opentelemetry/_3.7.x.yaml create mode 100644 examples/post-function/_3.7.x.yaml create mode 100644 examples/pre-function/_3.7.x.yaml create mode 100644 examples/prometheus/_3.7.x.yaml create mode 100644 examples/proxy-cache-advanced/_3.7.x.yaml create mode 100644 examples/proxy-cache/_3.7.x.yaml create mode 100644 examples/rate-limiting-advanced/_3.7.x.yaml create mode 100644 
examples/rate-limiting/_3.7.x.yaml create mode 100644 examples/request-size-limiting/_3.7.x.yaml create mode 100644 examples/request-termination/_3.7.x.yaml create mode 100644 examples/request-transformer-advanced/_3.7.x.yaml create mode 100644 examples/request-transformer/_3.7.x.yaml create mode 100644 examples/request-validator/_3.7.x.yaml create mode 100644 examples/response-ratelimiting/_3.7.x.yaml create mode 100644 examples/response-transformer-advanced/_3.7.x.yaml create mode 100644 examples/response-transformer/_3.7.x.yaml create mode 100644 examples/route-by-header/_3.7.x.yaml create mode 100644 examples/route-transformer-advanced/_3.7.x.yaml create mode 100644 examples/saml/_3.7.x.yaml create mode 100644 examples/session/_3.7.x.yaml create mode 100644 examples/statsd-advanced/_3.7.x.yaml create mode 100644 examples/statsd/_3.7.x.yaml create mode 100644 examples/syslog/_3.7.x.yaml create mode 100644 examples/tcp-log/_3.7.x.yaml create mode 100644 examples/tls-handshake-modifier/_3.7.x.yaml create mode 100644 examples/tls-metadata-headers/_3.7.x.yaml create mode 100644 examples/udp-log/_3.7.x.yaml create mode 100644 examples/upstream-timeout/_3.7.x.yaml create mode 100644 examples/vault-auth/_3.7.x.yaml create mode 100644 examples/websocket-size-limit/_3.7.x.yaml create mode 100644 examples/websocket-validator/_3.7.x.yaml create mode 100644 examples/xml-threat-protection/_3.7.x.yaml create mode 100644 examples/zipkin/_3.7.x.yaml create mode 100644 schemas/acl/3.7.x.json create mode 100644 schemas/acme/3.7.x.json create mode 100644 schemas/ai-prompt-decorator/3.7.x.json create mode 100644 schemas/ai-prompt-guard/3.7.x.json create mode 100644 schemas/ai-prompt-template/3.7.x.json create mode 100644 schemas/ai-proxy/3.7.x.json create mode 100644 schemas/ai-request-transformer/3.7.x.json create mode 100644 schemas/ai-response-transformer/3.7.x.json create mode 100644 schemas/app-dynamics/3.7.x.json create mode 100644 schemas/application-registration/3.7.x.json 
create mode 100644 schemas/aws-lambda/3.7.x.json create mode 100644 schemas/azure-functions/3.7.x.json create mode 100644 schemas/basic-auth/3.7.x.json create mode 100644 schemas/bot-detection/3.7.x.json create mode 100644 schemas/canary/3.7.x.json create mode 100644 schemas/correlation-id/3.7.x.json create mode 100644 schemas/cors/3.7.x.json create mode 100644 schemas/datadog/3.7.x.json create mode 100644 schemas/degraphql/3.7.x.json create mode 100644 schemas/exit-transformer/3.7.x.json create mode 100644 schemas/file-log/3.7.x.json create mode 100644 schemas/forward-proxy/3.7.x.json create mode 100644 schemas/graphql-proxy-cache-advanced/3.7.x.json create mode 100644 schemas/graphql-rate-limiting-advanced/3.7.x.json create mode 100644 schemas/grpc-gateway/3.7.x.json create mode 100644 schemas/grpc-web/3.7.x.json create mode 100644 schemas/hmac-auth/3.7.x.json create mode 100644 schemas/http-log/3.7.x.json create mode 100644 schemas/ip-restriction/3.7.x.json create mode 100644 schemas/jq/3.7.x.json create mode 100644 schemas/jwe-decrypt/3.7.x.json create mode 100644 schemas/jwt-signer/3.7.x.json create mode 100644 schemas/jwt/3.7.x.json create mode 100644 schemas/kafka-log/3.7.x.json create mode 100644 schemas/kafka-upstream/3.7.x.json create mode 100644 schemas/key-auth-enc/3.7.x.json create mode 100644 schemas/key-auth/3.7.x.json create mode 100644 schemas/konnect-application-auth/3.7.x.json create mode 100644 schemas/ldap-auth-advanced/3.7.x.json create mode 100644 schemas/ldap-auth/3.7.x.json create mode 100644 schemas/loggly/3.7.x.json create mode 100644 schemas/mocking/3.7.x.json create mode 100644 schemas/mtls-auth/3.7.x.json create mode 100644 schemas/oas-validation/3.7.x.json create mode 100644 schemas/oauth2-introspection/3.7.x.json create mode 100644 schemas/oauth2/3.7.x.json create mode 100644 schemas/opa/3.7.x.json create mode 100644 schemas/openid-connect/3.7.x.json create mode 100644 schemas/opentelemetry/3.7.x.json create mode 100644 
schemas/post-function/3.7.x.json create mode 100644 schemas/pre-function/3.7.x.json create mode 100644 schemas/prometheus/3.7.x.json create mode 100644 schemas/proxy-cache-advanced/3.7.x.json create mode 100644 schemas/proxy-cache/3.7.x.json create mode 100644 schemas/rate-limiting-advanced/3.7.x.json create mode 100644 schemas/rate-limiting/3.7.x.json create mode 100644 schemas/request-size-limiting/3.7.x.json create mode 100644 schemas/request-termination/3.7.x.json create mode 100644 schemas/request-transformer-advanced/3.7.x.json create mode 100644 schemas/request-transformer/3.7.x.json create mode 100644 schemas/request-validator/3.7.x.json create mode 100644 schemas/response-ratelimiting/3.7.x.json create mode 100644 schemas/response-transformer-advanced/3.7.x.json create mode 100644 schemas/response-transformer/3.7.x.json create mode 100644 schemas/route-by-header/3.7.x.json create mode 100644 schemas/route-transformer-advanced/3.7.x.json create mode 100644 schemas/saml/3.7.x.json create mode 100644 schemas/session/3.7.x.json create mode 100644 schemas/statsd-advanced/3.7.x.json create mode 100644 schemas/statsd/3.7.x.json create mode 100644 schemas/syslog/3.7.x.json create mode 100644 schemas/tcp-log/3.7.x.json create mode 100644 schemas/tls-handshake-modifier/3.7.x.json create mode 100644 schemas/tls-metadata-headers/3.7.x.json create mode 100644 schemas/udp-log/3.7.x.json create mode 100644 schemas/upstream-timeout/3.7.x.json create mode 100644 schemas/vault-auth/3.7.x.json create mode 100644 schemas/websocket-size-limit/3.7.x.json create mode 100644 schemas/websocket-validator/3.7.x.json create mode 100644 schemas/xml-threat-protection/3.7.x.json create mode 100644 schemas/zipkin/3.7.x.json diff --git a/examples/acl/_3.7.x.yaml b/examples/acl/_3.7.x.yaml new file mode 100644 index 00000000..a76559c0 --- /dev/null +++ b/examples/acl/_3.7.x.yaml @@ -0,0 +1,6 @@ +name: acl +config: + allow: + - group1 + - group2 + hide_groups_header: true 
diff --git a/examples/acme/_3.7.x.yaml b/examples/acme/_3.7.x.yaml
new file mode 100644
index 00000000..6b35cddc
--- /dev/null
+++ b/examples/acme/_3.7.x.yaml
@@ -0,0 +1,3 @@
+name: acme
+config:
+ account_email: example@example.com
diff --git a/examples/ai-prompt-decorator/_3.7.x.yaml b/examples/ai-prompt-decorator/_3.7.x.yaml
new file mode 100644
index 00000000..4e743eb9
--- /dev/null
+++ b/examples/ai-prompt-decorator/_3.7.x.yaml
@@ -0,0 +1,12 @@
+name: ai-prompt-decorator
+config:
+ prepend:
+ - role: "system"
+ content: "You are data scientist, specialising in survey analytics."
+ - role: "user"
+ content: "Classify this test result set as positive, negative, or neutral."
+ - role: "assistant"
+ content: "These tests are NEUTRAL."
+ append:
+ - role: "user"
+ content: "Do not mention any real participants name in your justification."
diff --git a/examples/ai-prompt-guard/_3.7.x.yaml b/examples/ai-prompt-guard/_3.7.x.yaml
new file mode 100644
index 00000000..bd724506
--- /dev/null
+++ b/examples/ai-prompt-guard/_3.7.x.yaml
@@ -0,0 +1,9 @@
+name: ai-prompt-guard
+config:
+ allow_all_conversation_history: true
+ allow_patterns:
+ - ".*(P|p)ears.*"
+ - ".*(P|p)eaches.*"
+ deny_patterns:
+ - ".*(A|a)pples.*"
+ - ".*(O|o)ranges.*"
diff --git a/examples/ai-prompt-template/_3.7.x.yaml b/examples/ai-prompt-template/_3.7.x.yaml
new file mode 100644
index 00000000..1ed007fc
--- /dev/null
+++ b/examples/ai-prompt-template/_3.7.x.yaml
@@ -0,0 +1,23 @@
+name: ai-prompt-template
+config:
+ allow_untemplated_requests: true
+ templates:
+ - name: "developer-chat"
+ template: |-
+ {
+ "messages": [
+ {
+ "role": "system",
+ "content": "You are a {{program}} expert, in {{language}} programming language."
+ },
+ {
+ "role": "user",
+ "content": "Write me a {{program}} program."
+ }
+ ]
+ }
+ - name: "summarize-prompt"
+ template: |-
+ {
+ "prompt": "Summarize the following text for me: {{text}}"
+ }
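Review bot: In examples/ai-prompt-guard/_3.7.x.yaml the guard is shown with `allow_all_conversation_history: true`, which, as I understand the option, exempts earlier chat turns from the allow and deny patterns so that only the latest message is checked. A reader copying this example gets a weaker guard than the patterns suggest; I would ship `allow_all_conversation_history: false` or add `# true skips pattern checks on earlier conversation turns` above the key. The patterns themselves, such as `.*(A|a)pples.*`, vary only the first letter's case, so if matching is case-sensitive other casings are not covered; a short comment saying the patterns are illustrative rather than a complete filter would help.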
diff --git a/examples/ai-proxy/_3.7.x.yaml b/examples/ai-proxy/_3.7.x.yaml
new file mode 100644
index 00000000..a16a3dd4
--- /dev/null
+++ b/examples/ai-proxy/_3.7.x.yaml
@@ -0,0 +1,12 @@
+name: ai-proxy
+config:
+ route_type: "llm/v1/chat"
+ auth:
+ header_name: "Authorization"
+ header_value: "Bearer "
+ model:
+ provider: "openai"
+ name: "gpt-4"
+ options:
+ max_tokens: 512
+ temperature: 1.0
diff --git a/examples/ai-request-transformer/_3.7.x.yaml b/examples/ai-request-transformer/_3.7.x.yaml
new file mode 100644
index 00000000..b8275ac7
--- /dev/null
+++ b/examples/ai-request-transformer/_3.7.x.yaml
@@ -0,0 +1,18 @@
+name: ai-request-transformer
+config:
+ prompt: "Mask any credit card numbers in my JSON message. Reply with only the JSON result."
+ transformation_extract_pattern: '\\{((.|\n)*)\\}'
+ llm:
+ route_type: "llm/v1/chat"
+ auth:
+ header_name: "Authorization"
+ header_value: "Bearer "
+ logging:
+ log_statistics: true
+ log_payloads: false
+ model:
+ provider: "openai"
+ name: "gpt-4"
+ options:
+ max_tokens: 1024
+ temperature: 1.0
diff --git a/examples/ai-response-transformer/_3.7.x.yaml b/examples/ai-response-transformer/_3.7.x.yaml
new file mode 100644
index 00000000..4c62a8e2
--- /dev/null
+++ b/examples/ai-response-transformer/_3.7.x.yaml
@@ -0,0 +1,21 @@
+name: ai-response-transformer
+config:
+ prompt: "For any city name, put the country that it's in, in brackets next to it. Reply with only the JSON result."
+ transformation_extract_pattern: '\\{((.|\n)*)\\}'
+ parse_llm_response_json_instructions: false
+ llm:
+ route_type: "llm/v1/chat"
+ auth:
+ header_name: "api-key"
+ header_value: ""
+ logging:
+ log_statistics: true
+ log_payloads: false
+ model:
+ provider: "azure"
+ name: "gpt-35-turbo"
+ options:
+ max_tokens: 1024
+ temperature: 1.0
+ azure_instance: "azure-openai-instance-name"
+ azure_deployment_id: "gpt-3-5-deployment"
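Review bot: The `prompt` in examples/ai-request-transformer/_3.7.x.yaml asks the model to mask credit card numbers, which means the unmasked request body is what gets sent to the configured `openai` provider. The example is missing a comment that makes this explicit, for instance `# the full request body, including the card numbers, is sent to the LLM provider before it is masked` above `prompt:`. Keeping `log_payloads: false` is the right default for this scenario and could be called out in the same comment.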
diff --git a/examples/app-dynamics/_3.7.x.yaml b/examples/app-dynamics/_3.7.x.yaml
new file mode 100644
index 00000000..fb73f97b
--- /dev/null
+++ b/examples/app-dynamics/_3.7.x.yaml
@@ -0,0 +1,2 @@
+name: app-dynamics
+config: {}
diff --git a/examples/application-registration/_3.7.x.yaml b/examples/application-registration/_3.7.x.yaml
new file mode 100644
index 00000000..a52184fb
--- /dev/null
+++ b/examples/application-registration/_3.7.x.yaml
@@ -0,0 +1,7 @@
+name: application-registration
+service: SERVICE_NAME
+config:
+ auto_approve: false
+ description:
+ display_name:
+ show_issuer: false
diff --git a/examples/aws-lambda/_3.7.x.yaml b/examples/aws-lambda/_3.7.x.yaml
new file mode 100644
index 00000000..5eddd18d
--- /dev/null
+++ b/examples/aws-lambda/_3.7.x.yaml
@@ -0,0 +1,9 @@
+name: aws-lambda
+config:
+ aws_key:
+ aws_secret:
+ aws_region:
+ aws_assume_role_arn:
+ aws_role_session_name:
+ function_name:
+ proxy_url: http://my-proxy-server:3128
diff --git a/examples/azure-functions/_3.7.x.yaml b/examples/azure-functions/_3.7.x.yaml
new file mode 100644
index 00000000..00f73c86
--- /dev/null
+++ b/examples/azure-functions/_3.7.x.yaml
@@ -0,0 +1,6 @@
+name: azure-functions
+config:
+ functionname:
+ appname:
+ hostdomain: azurewebsites.net
+ apikey:
diff --git a/examples/basic-auth/_3.7.x.yaml b/examples/basic-auth/_3.7.x.yaml
new file mode 100644
index 00000000..40fcf8c2
--- /dev/null
+++ b/examples/basic-auth/_3.7.x.yaml
@@ -0,0 +1,3 @@
+name: basic-auth
+config:
+ hide_credentials: true
diff --git a/examples/bot-detection/_3.7.x.yaml b/examples/bot-detection/_3.7.x.yaml
new file mode 100644
index 00000000..e4f2eb24
--- /dev/null
+++ b/examples/bot-detection/_3.7.x.yaml
@@ -0,0 +1,4 @@
+name: bot-detection
+config:
+ deny:
+ - helloworld
diff --git a/examples/canary/_3.7.x.yaml b/examples/canary/_3.7.x.yaml
new file mode 100644
index 00000000..928424f8
--- /dev/null
+++ b/examples/canary/_3.7.x.yaml
@@ -0,0 +1,5 @@
+name: canary
+config:
+ percentage: 50
+ upstream_host: example.com
+ upstream_port: 80
diff --git a/examples/correlation-id/_3.7.x.yaml b/examples/correlation-id/_3.7.x.yaml
new file mode 100644
index 00000000..31240989
--- /dev/null
+++ b/examples/correlation-id/_3.7.x.yaml
@@ -0,0 +1,5 @@
+name: correlation-id
+config:
+ header_name: Kong-Request-ID
+ generator: uuid#counter
+ echo_downstream: false
diff --git a/examples/cors/_3.7.x.yaml b/examples/cors/_3.7.x.yaml
new file mode 100644
index 00000000..c2046281
--- /dev/null
+++ b/examples/cors/_3.7.x.yaml
@@ -0,0 +1,19 @@
+name: cors
+config:
+ origins:
+ - http://mockbin.com
+ methods:
+ - GET
+ - POST
+ headers:
+ - Accept
+ - Accept-Version
+ - Content-Length
+ - Content-MD5
+ - Content-Type
+ - Date
+ - X-Auth-Token
+ exposed_headers:
+ - X-Auth-Token
+ credentials: true
+ max_age: 3600
diff --git a/examples/datadog/_3.7.x.yaml b/examples/datadog/_3.7.x.yaml
new file mode 100644
index 00000000..957e300c
--- /dev/null
+++ b/examples/datadog/_3.7.x.yaml
@@ -0,0 +1,6 @@
+name: datadog
+config:
+ host: 127.0.0.1
+ port: 8125
+ flush_timeout: 2
+ retry_count: 10
diff --git a/examples/degraphql/_3.7.x.yaml b/examples/degraphql/_3.7.x.yaml
new file mode 100644
index 00000000..84443323
--- /dev/null
+++ b/examples/degraphql/_3.7.x.yaml
@@ -0,0 +1,3 @@
+name: degraphql
+config:
+ graphql_server_path: '/graphql'
diff --git a/examples/exit-transformer/_3.7.x.yaml b/examples/exit-transformer/_3.7.x.yaml
new file mode 100644
index 00000000..c7f0c5d4
--- /dev/null
+++ b/examples/exit-transformer/_3.7.x.yaml
@@ -0,0 +1,4 @@
+name: exit-transformer
+config:
+ functions:
+ - "return function(status, body, headers) return status, body, headers end"
diff --git a/examples/file-log/_3.7.x.yaml b/examples/file-log/_3.7.x.yaml
new file mode 100644
index 00000000..aefd2bdc
--- /dev/null
+++ b/examples/file-log/_3.7.x.yaml
@@ -0,0 +1,3 @@
+name: file-log
+config:
+ path: /tmp/file.log
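Review bot: examples/cors/_3.7.x.yaml combines `credentials: true` with the origin `http://mockbin.com`, so the example grants credentialed cross-origin access to a plaintext origin on a third-party domain. Anyone able to tamper with that origin's HTTP traffic can run script that reads authenticated responses, and the example also exposes `X-Auth-Token` through `exposed_headers`. I would change the origin to an HTTPS placeholder on a reserved domain, for instance `- https://app.example.com` (constructed sample).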
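Review bot: `path: /tmp/file.log` in examples/file-log/_3.7.x.yaml puts request logs in a shared, world-writable directory, where another local user can pre-create the file or read what is written, depending on the file mode. An example path under a directory owned by the gateway's service account is a safer default to copy, for instance `path: /var/log/kong/file.log` (constructed sample path). A one-line comment that the log may contain request headers would also be useful here.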
diff --git a/examples/forward-proxy/_3.7.x.yaml b/examples/forward-proxy/_3.7.x.yaml
new file mode 100644
index 00000000..7fb797ca
--- /dev/null
+++ b/examples/forward-proxy/_3.7.x.yaml
@@ -0,0 +1,9 @@
+name: forward-proxy
+config:
+ http_proxy_host: example.com
+ http_proxy_port: 80
+ proxy_scheme: http
+ auth_username: example_user
+ auth_password: example_pass
+ https_verify: false
+ x_headers: transparent
diff --git a/examples/graphql-proxy-cache-advanced/_3.7.x.yaml b/examples/graphql-proxy-cache-advanced/_3.7.x.yaml
new file mode 100644
index 00000000..e1ce637b
--- /dev/null
+++ b/examples/graphql-proxy-cache-advanced/_3.7.x.yaml
@@ -0,0 +1,3 @@
+name: graphql-proxy-cache-advanced
+config:
+ strategy: memory
diff --git a/examples/graphql-rate-limiting-advanced/_3.7.x.yaml b/examples/graphql-rate-limiting-advanced/_3.7.x.yaml
new file mode 100644
index 00000000..10985f83
--- /dev/null
+++ b/examples/graphql-rate-limiting-advanced/_3.7.x.yaml
@@ -0,0 +1,9 @@
+name: graphql-rate-limiting-advanced
+config:
+ limit:
+ - 5
+ window_size:
+ - 30
+ sync_rate: -1
+ namespace: example_namespace
+ strategy: cluster
diff --git a/examples/grpc-gateway/_3.7.x.yaml b/examples/grpc-gateway/_3.7.x.yaml
new file mode 100644
index 00000000..36b576ea
--- /dev/null
+++ b/examples/grpc-gateway/_3.7.x.yaml
@@ -0,0 +1,3 @@
+name: grpc-gateway
+config:
+ proto: path/to/hello.proto
diff --git a/examples/grpc-web/_3.7.x.yaml b/examples/grpc-web/_3.7.x.yaml
new file mode 100644
index 00000000..e4f2c597
--- /dev/null
+++ b/examples/grpc-web/_3.7.x.yaml
@@ -0,0 +1,3 @@
+name: grpc-web
+config:
+ proto: path/to/hello.proto
diff --git a/examples/hmac-auth/_3.7.x.yaml b/examples/hmac-auth/_3.7.x.yaml
new file mode 100644
index 00000000..ba1ae19d
--- /dev/null
+++ b/examples/hmac-auth/_3.7.x.yaml
@@ -0,0 +1,3 @@
+name: hmac-auth
+config:
+ hide_credentials: false
diff --git a/examples/http-log/_3.7.x.yaml b/examples/http-log/_3.7.x.yaml
new file mode 100644
index 00000000..dd88c67c
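Review bot: examples/forward-proxy/_3.7.x.yaml ships `https_verify: false` next to `auth_username` and `auth_password`, so the copy-paste default turns off certificate verification on a path that carries proxy credentials. The same pattern appears in examples/ldap-auth-advanced/_3.7.x.yaml, where `start_tls: true` is paired with `verify_ldap_host: false`, which encrypts the bind but does not authenticate the server. I would set `https_verify: true` and `verify_ldap_host: true` in the examples, and leave the disabled form to a comment for lab setups.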
--- /dev/null
+++ b/examples/http-log/_3.7.x.yaml
@@ -0,0 +1,8 @@
+name: http-log
+config:
+ http_endpoint: http://mockbin.org/bin/:id
+ method: POST
+ timeout: 1000
+ keepalive: 1000
+ flush_timeout: 2
+ retry_count: 15
diff --git a/examples/ip-restriction/_3.7.x.yaml b/examples/ip-restriction/_3.7.x.yaml
new file mode 100644
index 00000000..4ca5298d
--- /dev/null
+++ b/examples/ip-restriction/_3.7.x.yaml
@@ -0,0 +1,5 @@
+name: ip-restriction
+config:
+ allow:
+ - 54.13.21.1
+ - 143.1.0.0/24
diff --git a/examples/jq/_3.7.x.yaml b/examples/jq/_3.7.x.yaml
new file mode 100644
index 00000000..d69ce58d
--- /dev/null
+++ b/examples/jq/_3.7.x.yaml
@@ -0,0 +1,3 @@
+name: jq
+config:
+ request_jq_program: .[0]
diff --git a/examples/jwe-decrypt/_3.7.x.yaml b/examples/jwe-decrypt/_3.7.x.yaml
new file mode 100644
index 00000000..f413b0e5
--- /dev/null
+++ b/examples/jwe-decrypt/_3.7.x.yaml
@@ -0,0 +1,4 @@
+name: jwe-decrypt
+config:
+ key_sets:
+ - dummyID
diff --git a/examples/jwt-signer/_3.7.x.yaml b/examples/jwt-signer/_3.7.x.yaml
new file mode 100644
index 00000000..71443348
--- /dev/null
+++ b/examples/jwt-signer/_3.7.x.yaml
@@ -0,0 +1,4 @@
+name: jwt-signer
+config:
+ access_token_introspection_scopes_claim:
+ - scope
diff --git a/examples/jwt/_3.7.x.yaml b/examples/jwt/_3.7.x.yaml
new file mode 100644
index 00000000..60fd478d
--- /dev/null
+++ b/examples/jwt/_3.7.x.yaml
@@ -0,0 +1,4 @@
+name: jwt
+config:
+ uri_param_names:
+ - paramName_2.2.x
diff --git a/examples/kafka-log/_3.7.x.yaml b/examples/kafka-log/_3.7.x.yaml
new file mode 100644
index 00000000..efb1efa7
--- /dev/null
+++ b/examples/kafka-log/_3.7.x.yaml
@@ -0,0 +1,3 @@
+name: kafka-log
+config:
+ topic: TOPIC
diff --git a/examples/kafka-upstream/_3.7.x.yaml b/examples/kafka-upstream/_3.7.x.yaml
new file mode 100644
index 00000000..64ff19e5
--- /dev/null
+++ b/examples/kafka-upstream/_3.7.x.yaml
@@ -0,0 +1,3 @@
+name: kafka-upstream
+config:
+ topic: TOPIC
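Review bot: `http_endpoint: http://mockbin.org/bin/:id` in examples/http-log/_3.7.x.yaml sends request logs in cleartext to a third-party domain that the reader does not control. examples/opentelemetry/_3.7.x.yaml has the same transport problem with more at stake, since `endpoint: http://opentelemetry.collector:4318/v1/traces` is configured together with an `X-Auth-Token` header that would cross the network unencrypted. I would use HTTPS endpoints on a reserved domain in both, for instance `http_endpoint: https://logs.example.com/ingest` (constructed sample).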
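Review bot: The allow list in examples/ip-restriction/_3.7.x.yaml uses `54.13.21.1` and `143.1.0.0/24`, which are routable public addresses rather than documentation ranges. An example that is copied unchanged would admit whoever holds those addresses. The RFC 5737 ranges are the usual choice for this, for instance `- 192.0.2.1` and `- 198.51.100.0/24`.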
diff --git a/examples/key-auth-enc/_3.7.x.yaml b/examples/key-auth-enc/_3.7.x.yaml
new file mode 100644
index 00000000..9f1a6093
--- /dev/null
+++ b/examples/key-auth-enc/_3.7.x.yaml
@@ -0,0 +1,4 @@
+name: key-auth-enc
+config:
+ key_names:
+ - apikey
diff --git a/examples/key-auth/_3.7.x.yaml b/examples/key-auth/_3.7.x.yaml
new file mode 100644
index 00000000..f8ef72c5
--- /dev/null
+++ b/examples/key-auth/_3.7.x.yaml
@@ -0,0 +1,4 @@
+name: key-auth
+config:
+ key_names:
+ - apikey
diff --git a/examples/konnect-application-auth/_3.7.x.yaml b/examples/konnect-application-auth/_3.7.x.yaml
new file mode 100644
index 00000000..e54993e5
--- /dev/null
+++ b/examples/konnect-application-auth/_3.7.x.yaml
@@ -0,0 +1,3 @@
+name: konnect-application-auth
+config:
+ scope: 'uuid'
diff --git a/examples/ldap-auth-advanced/_3.7.x.yaml b/examples/ldap-auth-advanced/_3.7.x.yaml
new file mode 100644
index 00000000..5396d6cf
--- /dev/null
+++ b/examples/ldap-auth-advanced/_3.7.x.yaml
@@ -0,0 +1,10 @@
+name: ldap-auth-advanced
+config:
+ ldap_host: ldap.example.com
+ ldap_port: 389
+ start_tls: true
+ base_dn: dc=example,dc=com
+ verify_ldap_host: false
+ attribute: cn
+ cache_ttl: 60
+ header_type: ldap
diff --git a/examples/ldap-auth/_3.7.x.yaml b/examples/ldap-auth/_3.7.x.yaml
new file mode 100644
index 00000000..fe95f595
--- /dev/null
+++ b/examples/ldap-auth/_3.7.x.yaml
@@ -0,0 +1,8 @@
+name: ldap-auth
+config:
+ hide_credentials: true
+ ldap_host: ldap.example.com
+ ldap_port: 389
+ base_dn: dc=example,dc=com
+ attribute: cn
+ header_type: ldap
diff --git a/examples/loggly/_3.7.x.yaml b/examples/loggly/_3.7.x.yaml
new file mode 100644
index 00000000..186454f8
--- /dev/null
+++ b/examples/loggly/_3.7.x.yaml
@@ -0,0 +1,3 @@
+name: loggly
+config:
+ key: YOUR_LOGGLY_SERVICE_TOKEN
diff --git a/examples/mocking/_3.7.x.yaml b/examples/mocking/_3.7.x.yaml
new file mode 100644
index 00000000..549e1f46
--- /dev/null
+++ b/examples/mocking/_3.7.x.yaml
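Review bot: examples/ldap-auth/_3.7.x.yaml points at `ldap_port: 389` and sets neither StartTLS nor LDAPS, so unless the schema defaults enable one of them the user's bind password travels to the directory in cleartext. The sibling ldap-auth-advanced example does set `start_tls: true`, which makes the omission here look unintended. I would add `start_tls: true` to this example as well, together with host verification.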
@@ -0,0 +1,14 @@
+name: mocking
+config:
+ random_delay: true
+ max_delay_time: 1
+ min_delay_time: 0.001
+ random_examples: true
+ api_specification: |
+ openapi: 3.0.1
+ info:
+ title: OpenAPI 3.0 API
+ description: This is a simple API
+ contact:
+ email: example@example.com
+ version: 1.0.0
diff --git a/examples/mtls-auth/_3.7.x.yaml b/examples/mtls-auth/_3.7.x.yaml
new file mode 100644
index 00000000..4bcdb7fd
--- /dev/null
+++ b/examples/mtls-auth/_3.7.x.yaml
@@ -0,0 +1,6 @@
+name: mtls-auth
+config:
+ ca_certificates:
+ - fdac360e-7b19-4ade-a553-6dd22937c82f
+ http_proxy_host: example
+ http_proxy_port: 80
diff --git a/examples/oas-validation/_3.7.x.yaml b/examples/oas-validation/_3.7.x.yaml
new file mode 100644
index 00000000..2eb7dc89
--- /dev/null
+++ b/examples/oas-validation/_3.7.x.yaml
@@ -0,0 +1,29 @@
+name: oas-validation
+config:
+ api_spec: |
+ openapi: 3.0.0
+ info:
+ version: "2.19.3"
+ title: Xero Finance API
+ description: The Finance API is a collection of endpoints which customers can use in the course of a loan application, which may assist lenders to gain the confidence they need to provide capital.
+ termsOfService: "https://developer.xero.com/xero-developer-platform-terms-conditions/"
+ contact:
+ name: "Xero Platform Team"
+ email: "api@xero.com"
+ url: "https://developer.xero.com"
+ license:
+ name: MIT
+ url: 'https://github.com/XeroAPI/Xero-OpenAPI/blob/master/LICENSE'
+ servers:
+ - description: Xero API servers
+ url: https://api.xero.com/finance.xro/1.0
+ paths:
+ /CashValidation:
+ get:
+ security:
+ - OAuth2: [finance.cashvalidation.read]
+ tags:
+ - Finance
+ summary: Get cash validation
+ operationId: getCashValidation
+ description: Summarizes the total cash position for each account for an org
diff --git a/examples/oauth2-introspection/_3.7.x.yaml b/examples/oauth2-introspection/_3.7.x.yaml
new file mode 100644
index 00000000..bdf723af
--- /dev/null
+++ b/examples/oauth2-introspection/_3.7.x.yaml
@@ -0,0 +1,5 @@
+name: oauth2-introspection
+config:
+ introspection_url: https://example-url.com
+ authorization_value: Basic MG9hNWlpbjpPcGVuU2VzYW1l
+ consumer_by: username
diff --git a/examples/oauth2/_3.7.x.yaml b/examples/oauth2/_3.7.x.yaml
new file mode 100644
index 00000000..d733d558
--- /dev/null
+++ b/examples/oauth2/_3.7.x.yaml
@@ -0,0 +1,9 @@
+name: oauth2
+config:
+ scopes:
+ - email
+ - phone
+ - address
+ mandatory_scope: true
+ provision_key:
+ enable_authorization_code: true
diff --git a/examples/opa/_3.7.x.yaml b/examples/opa/_3.7.x.yaml
new file mode 100644
index 00000000..51ff2b78
--- /dev/null
+++ b/examples/opa/_3.7.x.yaml
@@ -0,0 +1,5 @@
+name: opa
+config:
+ opa_host: localhost
+ opa_port: 8181
+ opa_path: /v1/data/example/kong/allowBoolean
diff --git a/examples/openid-connect/_3.7.x.yaml b/examples/openid-connect/_3.7.x.yaml
new file mode 100644
index 00000000..69f30114
--- /dev/null
+++ b/examples/openid-connect/_3.7.x.yaml
@@ -0,0 +1,12 @@
+name: openid-connect
+config:
+ auth_methods:
+ - authorization_code
+ - session
+ issuer: http://example.org
+ client_id:
+ -
+ client_secret:
+ -
+ session_secret:
+ response_mode: form_post
diff --git a/examples/opentelemetry/_3.7.x.yaml b/examples/opentelemetry/_3.7.x.yaml
new file mode 100644
index 00000000..efacb712
--- /dev/null
+++ b/examples/opentelemetry/_3.7.x.yaml
@@ -0,0 +1,5 @@
+name: opentelemetry
+config:
+ endpoint: http://opentelemetry.collector:4318/v1/traces
+ headers:
+ X-Auth-Token: secret-token
diff --git a/examples/post-function/_3.7.x.yaml b/examples/post-function/_3.7.x.yaml
new file mode 100644
index 00000000..f980a541
--- /dev/null
+++ b/examples/post-function/_3.7.x.yaml
@@ -0,0 +1,6 @@
+name: post-function
+config:
+ access:
+ - |
+ kong.log.err("foo")
+ kong.response.exit(418)
diff --git a/examples/pre-function/_3.7.x.yaml b/examples/pre-function/_3.7.x.yaml
new file mode 100644
index 00000000..62ffe4dd
--- /dev/null
+++ b/examples/pre-function/_3.7.x.yaml
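Review bot: `authorization_value: Basic MG9hNWlpbjpPcGVuU2VzYW1l` in examples/oauth2-introspection/_3.7.x.yaml is a decodable base64 `id:secret` pair rather than an obvious placeholder, which normalises committing a live-looking credential and sets off secret scanners. examples/session/_3.7.x.yaml has a related problem with `secret: opensesame`, a guessable value for a session secret that readers may keep. I would replace both with labelled placeholders such as `authorization_value: Basic BASE64_CLIENT_ID_COLON_SECRET` and `secret: REPLACE_WITH_RANDOM_SECRET`. Separately, `example-url.com` is not a reserved documentation domain, so `https://example.com` would be safer there.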
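Review bot: examples/openid-connect/_3.7.x.yaml sets `issuer: http://example.org`, so discovery metadata and the endpoints derived from it would be fetched over plaintext, and whoever can modify that traffic chooses the keys and token endpoint the gateway trusts. examples/saml/_3.7.x.yaml does the same for the identity provider with `idp_sso_url: http://example.org/sso-uri`. Both should use HTTPS in the example: `issuer: https://example.org` and `idp_sso_url: https://example.org/sso-uri`.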
@@ -0,0 +1,6 @@
+name: pre-function
+config:
+ access:
+ - |
+ kong.log.err("foo")
+ kong.response.exit(418)
diff --git a/examples/prometheus/_3.7.x.yaml b/examples/prometheus/_3.7.x.yaml
new file mode 100644
index 00000000..6b7b3b62
--- /dev/null
+++ b/examples/prometheus/_3.7.x.yaml
@@ -0,0 +1,4 @@
+name: prometheus
+config:
+ per_consumer: false
+
diff --git a/examples/proxy-cache-advanced/_3.7.x.yaml b/examples/proxy-cache-advanced/_3.7.x.yaml
new file mode 100644
index 00000000..d070db76
--- /dev/null
+++ b/examples/proxy-cache-advanced/_3.7.x.yaml
@@ -0,0 +1,11 @@
+name: proxy-cache-advanced
+config:
+ response_code:
+ - 200
+ request_method:
+ - GET
+ - HEAD
+ content_type:
+ - text/plain
+ - application/json
+ strategy: memory
diff --git a/examples/proxy-cache/_3.7.x.yaml b/examples/proxy-cache/_3.7.x.yaml
new file mode 100644
index 00000000..ce185e5e
--- /dev/null
+++ b/examples/proxy-cache/_3.7.x.yaml
@@ -0,0 +1,12 @@
+name: proxy-cache
+config:
+ response_code:
+ - 200
+ request_method:
+ - GET
+ - HEAD
+ content_type:
+ - text/plain
+ - application/json
+ cache_ttl: 300
+ strategy: memory
diff --git a/examples/rate-limiting-advanced/_3.7.x.yaml b/examples/rate-limiting-advanced/_3.7.x.yaml
new file mode 100644
index 00000000..7fee7c38
--- /dev/null
+++ b/examples/rate-limiting-advanced/_3.7.x.yaml
@@ -0,0 +1,11 @@
+name: rate-limiting-advanced
+config:
+ limit:
+ - 5
+ window_size:
+ - 30
+ identifier: consumer
+ sync_rate: -1
+ namespace: example_namespace
+ strategy: local
+ hide_client_headers: false
diff --git a/examples/rate-limiting/_3.7.x.yaml b/examples/rate-limiting/_3.7.x.yaml
new file mode 100644
index 00000000..f43f89fd
--- /dev/null
+++ b/examples/rate-limiting/_3.7.x.yaml
@@ -0,0 +1,5 @@
+name: rate-limiting
+config:
+ second: 5
+ hour: 10000
+ policy: local
diff --git a/examples/request-size-limiting/_3.7.x.yaml b/examples/request-size-limiting/_3.7.x.yaml
new file mode 100644
index 00000000..983d6d9e
--- /dev/null
+++ b/examples/request-size-limiting/_3.7.x.yaml
@@ -0,0 +1,4 @@
+name: request-size-limiting
+config:
+ allowed_payload_size: 128
+ require_content_length: false
diff --git a/examples/request-termination/_3.7.x.yaml b/examples/request-termination/_3.7.x.yaml
new file mode 100644
index 00000000..7be67818
--- /dev/null
+++ b/examples/request-termination/_3.7.x.yaml
@@ -0,0 +1,4 @@
+name: request-termination
+config:
+ status_code: 403
+ message: So long and thanks for all the fish!
diff --git a/examples/request-transformer-advanced/_3.7.x.yaml b/examples/request-transformer-advanced/_3.7.x.yaml
new file mode 100644
index 00000000..999898e7
--- /dev/null
+++ b/examples/request-transformer-advanced/_3.7.x.yaml
@@ -0,0 +1,43 @@
+name: request-transformer-advanced
+config:
+ remove:
+ headers:
+ - x-toremove
+ - x-another-one
+ remove:
+ querystring:
+ - qs-old-name:qs-new-name
+ - qs2-old-name:qs2-new-name
+ remove:
+ body:
+ - formparam-toremove
+ - formparam-another-one
+ replace:
+ body:
+ - body-param1:new-value-1
+ - body-param2:new-value-2
+ rename:
+ headers:
+ - header-old-name:header-new-name
+ - another-old-name:another-new-name
+ rename:
+ querystring:
+ - qs-old-name:qs-new-name
+ - qs2-old-name:qs2-new-name
+ rename:
+ body:
+ - param-old:param-new
+ - param2-old:param2-new
+ add:
+ headers:
+ - x-new-header:value
+ - x-another-header:something
+ add:
+ querystring:
+ - new-param:some_value
+ - another-param:some_value
+ add:
+ json_types:
+ - string
+ - boolean
+ - number
diff --git a/examples/request-transformer/_3.7.x.yaml b/examples/request-transformer/_3.7.x.yaml
new file mode 100644
index 00000000..d9e0a346
--- /dev/null
+++ b/examples/request-transformer/_3.7.x.yaml
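Review bot: examples/request-transformer-advanced/_3.7.x.yaml repeats the keys `remove:`, `rename:` and `add:` three times each under `config:` (indentation is not visible in this view, so this assumes they are siblings). Duplicate mapping keys are invalid in YAML 1.2, and most parsers silently keep only the last one, so the header and querystring removals a reader expects would never be applied. Merging each group under a single key, as examples/request-transformer/_3.7.x.yaml already does, fixes it. The same repetition shows up in examples/response-transformer-advanced/_3.7.x.yaml (`remove:`, `add:`) and in examples/response-ratelimiting/_3.7.x.yaml (`limits:` / `limit_name:`). The `remove.querystring` entries here also use the `old:new` rename form (`qs-old-name:qs-new-name`), where a bare parameter name looks intended.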
@@ -0,0 +1,36 @@
+name: request-transformer
+config:
+ remove:
+ headers:
+ - x-toremove
+ - x-another-one
+ querystring:
+ - qs-old-name:qs-new-name
+ - qs2-old-name:qs2-new-name
+ body:
+ - formparam-toremove
+ - formparam-another-one
+ replace:
+ body:
+ - body-param1:new-value-1
+ - body-param2:new-value-2
+ rename:
+ headers:
+ - header-old-name:header-new-name
+ - another-old-name:another-new-name
+ querystring:
+ - qs-old-name:qs-new-name
+ - qs2-old-name:qs2-new-name
+ body:
+ - param-old:param-new
+ - param2-old:param2-new
+ add:
+ headers:
+ - x-new-header:value
+ - x-another-header:something
+ querystring:
+ - new-param:some_value
+ - another-param:some_value
+ body:
+ - new-form-param:some_value
+ - another-form-param:some_value
diff --git a/examples/request-validator/_3.7.x.yaml b/examples/request-validator/_3.7.x.yaml
new file mode 100644
index 00000000..89251acf
--- /dev/null
+++ b/examples/request-validator/_3.7.x.yaml
@@ -0,0 +1,3 @@
+name: request-validator
+config:
+ body_schema: '[{"name":{"type": "string", "required": true}}]'
diff --git a/examples/response-ratelimiting/_3.7.x.yaml b/examples/response-ratelimiting/_3.7.x.yaml
new file mode 100644
index 00000000..a3860b2a
--- /dev/null
+++ b/examples/response-ratelimiting/_3.7.x.yaml
@@ -0,0 +1,8 @@
+name: response-ratelimiting
+config:
+ limits:
+ limit_name:
+ limits:
+ limit_name:
+ minute: 10
+ policy: local
diff --git a/examples/response-transformer-advanced/_3.7.x.yaml b/examples/response-transformer-advanced/_3.7.x.yaml
new file mode 100644
index 00000000..4942c5c5
--- /dev/null
+++ b/examples/response-transformer-advanced/_3.7.x.yaml
@@ -0,0 +1,31 @@
+name: response-transformer-advanced
+config:
+ remove:
+ headers:
+ - x-toremove
+ - x-another-one:application/json
+ - x-list-of-values:v1,v2,v3
+ - Set-Cookie:/JSESSIONID=.*/
+ - x-another-regex://status/$/
+ - x-one-more-regex:/^/begin//
+ remove:
+ json:
+ - json-key-toremove
+ - another-json-key
+ add:
+ headers:
+ - x-new-header:value
+ - x-another-header:something
+ add:
+ json:
+ - new-json-key:some_value
+ - another-json-key:some_value
+ add:
+ json_types:
+ - string
+ - boolean
+ - number
+ append:
+ headers:
+ - x-existing-header:some_value
+ - x-another-header:some_value
diff --git a/examples/response-transformer/_3.7.x.yaml b/examples/response-transformer/_3.7.x.yaml
new file mode 100644
index 00000000..aab7075a
--- /dev/null
+++ b/examples/response-transformer/_3.7.x.yaml
@@ -0,0 +1,24 @@
+name: response-transformer
+config:
+ remove:
+ headers:
+ - x-toremove
+ - x-another-one
+ json:
+ - json-key-toremove
+ - another-json-key
+ add:
+ headers:
+ - x-new-header:value
+ - x-another-header:something
+ json:
+ - new-json-key:some_value
+ - another-json-key:some_value
+ json_types:
+ - string
+ - boolean
+ - number
+ append:
+ headers:
+ - x-existing-header:some_value
+ - x-another-header:some_value
diff --git a/examples/route-by-header/_3.7.x.yaml b/examples/route-by-header/_3.7.x.yaml
new file mode 100644
index 00000000..e2854428
--- /dev/null
+++ b/examples/route-by-header/_3.7.x.yaml
@@ -0,0 +1,8 @@
+name: route-by-header
+config:
+ rules:
+ -
+ upstream_name: bar.domain.com
+ condition:
+ location: us-east
+
diff --git a/examples/route-transformer-advanced/_3.7.x.yaml b/examples/route-transformer-advanced/_3.7.x.yaml
new file mode 100644
index 00000000..098f0994
--- /dev/null
+++ b/examples/route-transformer-advanced/_3.7.x.yaml
@@ -0,0 +1,3 @@
+name: route-transformer-advanced
+config:
+ path: /path
diff --git a/examples/saml/_3.7.x.yaml b/examples/saml/_3.7.x.yaml
new file mode 100644
index 00000000..18b41c3f
--- /dev/null
+++ b/examples/saml/_3.7.x.yaml
@@ -0,0 +1,12 @@
+name: saml
+config:
+ anonymous: anonymous
+ assertion_consumer_path: /acs-uri
+ idp_sso_url: http://example.org/sso-uri
+ validate_assertion_signature: true
+ session_secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ issuer: AzureAD_Identity_ID
+ idp_certificate: |
+ -----BEGIN CERTIFICATE-----
+
+ -----END CERTIFICATE-----
diff --git a/examples/session/_3.7.x.yaml b/examples/session/_3.7.x.yaml
new file mode 100644
index 00000000..1c5100d2
--- /dev/null
+++ b/examples/session/_3.7.x.yaml
@@ -0,0 +1,3 @@
+name: session
+config:
+ secret: opensesame
diff --git a/examples/statsd-advanced/_3.7.x.yaml b/examples/statsd-advanced/_3.7.x.yaml
new file mode 100644
index 00000000..cfd68de0
--- /dev/null
+++ b/examples/statsd-advanced/_3.7.x.yaml
@@ -0,0 +1,7 @@
+name: statsd-advanced
+config:
+ host: 127.0.0.1
+ port: 8125
+ allow_status_codes:
+ - 200-205
+ - 400-499
diff --git a/examples/statsd/_3.7.x.yaml b/examples/statsd/_3.7.x.yaml
new file mode 100644
index 00000000..796222aa
--- /dev/null
+++ b/examples/statsd/_3.7.x.yaml
@@ -0,0 +1,9 @@
+name: statsd
+config:
+ host: 127.0.0.1
+ port: 8125
+ allow_status_codes:
+ - 200-205
+ - 400-499
+ flush_timeout: 2
+ retry_count: 10
diff --git a/examples/syslog/_3.7.x.yaml b/examples/syslog/_3.7.x.yaml
new file mode 100644
index 00000000..9cc23ca1
--- /dev/null
+++ b/examples/syslog/_3.7.x.yaml
@@ -0,0 +1,3 @@
+name: syslog
+config:
+ log_level: info
diff --git a/examples/tcp-log/_3.7.x.yaml b/examples/tcp-log/_3.7.x.yaml
new file mode 100644
index 00000000..4e155f5a
--- /dev/null
+++ b/examples/tcp-log/_3.7.x.yaml
@@ -0,0 +1,4 @@
+name: tcp-log
+config:
+ host: 127.0.0.1
+ port: 9999
diff --git a/examples/tls-handshake-modifier/_3.7.x.yaml b/examples/tls-handshake-modifier/_3.7.x.yaml
new file mode 100644
index 00000000..52561153
--- /dev/null
+++ b/examples/tls-handshake-modifier/_3.7.x.yaml
@@ -0,0 +1 @@
+name: tls-handshake-modifier
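Review bot: `idp_sso_url: http://example.org/sso-uri` in the saml example points the IdP sign-on endpoint at plain HTTP, so the SAML exchange would travel unencrypted if a reader keeps the scheme when substituting their own host. Prefer `idp_sso_url: https://example.org/sso-uri` in the example. The `session_secret` and `idp_certificate` values are placeholders; a short comment such as `# replace with a randomly generated secret; keep real values out of version control` would make that explicit.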
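Review bot: `secret: opensesame` in the session example is a short dictionary phrase that reads like a usable value, unlike the `XXXX…` placeholder used for `session_secret` in the saml example in the same patch. Example secrets tend to be copied into real deployments, and a guessable session secret weakens whatever the plugin protects with it. Use an obvious placeholder instead, e.g. `secret: <RANDOM_SESSION_SECRET>`, with a comment that the value must be randomly generated per environment.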
diff --git a/examples/tls-metadata-headers/_3.7.x.yaml b/examples/tls-metadata-headers/_3.7.x.yaml
new file mode 100644
index 00000000..98df21ec
--- /dev/null
+++ b/examples/tls-metadata-headers/_3.7.x.yaml
@@ -0,0 +1,4 @@
+name: tls-metadata-headers
+config:
+ inject_client_cert_details: true
+ client_cert_header_name: X-Forwarded-Client-Cert
diff --git a/examples/udp-log/_3.7.x.yaml b/examples/udp-log/_3.7.x.yaml
new file mode 100644
index 00000000..bfd35c0a
--- /dev/null
+++ b/examples/udp-log/_3.7.x.yaml
@@ -0,0 +1,5 @@
+name: udp-log
+config:
+ host: 127.0.0.1
+ port: 9999
+ timeout: 10000
diff --git a/examples/upstream-timeout/_3.7.x.yaml b/examples/upstream-timeout/_3.7.x.yaml
new file mode 100644
index 00000000..962a6cdf
--- /dev/null
+++ b/examples/upstream-timeout/_3.7.x.yaml
@@ -0,0 +1,5 @@
+name: upstream-timeout
+config:
+ connect_timeout: 4000
+ send_timeout: 5000
+ read_timeout: 5000
diff --git a/examples/vault-auth/_3.7.x.yaml b/examples/vault-auth/_3.7.x.yaml
new file mode 100644
index 00000000..8a2e5285
--- /dev/null
+++ b/examples/vault-auth/_3.7.x.yaml
@@ -0,0 +1,4 @@
+name: vault-auth
+config:
+ vault:
+ id: 00000000-0000-0000-0000-000000000000
diff --git a/examples/websocket-size-limit/_3.7.x.yaml b/examples/websocket-size-limit/_3.7.x.yaml
new file mode 100644
index 00000000..7274d312
--- /dev/null
+++ b/examples/websocket-size-limit/_3.7.x.yaml
@@ -0,0 +1,4 @@
+name: websocket-size-limit
+config:
+ client_max_payload: 1024
+ upstream_max_payload: 16384
diff --git a/examples/websocket-validator/_3.7.x.yaml b/examples/websocket-validator/_3.7.x.yaml
new file mode 100644
index 00000000..12fe18ac
--- /dev/null
+++ b/examples/websocket-validator/_3.7.x.yaml
@@ -0,0 +1,14 @@
+name: websocket-validator
+config:
+ client:
+ text:
+ type: draft4
+ schema: |
+ {
+ "type": "object",
+ "properties": {
+ "foo": { "type": "string" },
+ "bar": { "type": "string" }
+ },
+ "required": [ "foo", "bar" ]
+ }
diff --git a/examples/xml-threat-protection/_3.7.x.yaml b/examples/xml-threat-protection/_3.7.x.yaml
new file mode 100644
index 00000000..a25f15fc
--- /dev/null
+++ b/examples/xml-threat-protection/_3.7.x.yaml
@@ -0,0 +1,6 @@
+name: xml-threat-protection
+config:
+ max_depth: 50
+ localname: 512
+ prefix: 512
+ namespaceuri: 1024
diff --git a/examples/zipkin/_3.7.x.yaml b/examples/zipkin/_3.7.x.yaml
new file mode 100644
index 00000000..62ab05c8
--- /dev/null
+++ b/examples/zipkin/_3.7.x.yaml
@@ -0,0 +1,5 @@
+name: zipkin
+config:
+ http_endpoint: http://your.zipkin.collector:9411/api/v2/spans
+ sample_ratio: 0.001
+ include_credential: true
diff --git a/schemas/acl/3.7.x.json b/schemas/acl/3.7.x.json
new file mode 100644
index 00000000..fbabcae0
--- /dev/null
+++ b/schemas/acl/3.7.x.json
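Review bot: The zipkin example combines `include_credential: true` with an `http://` collector endpoint, so span data that, going by the field name, carries consumer credential information would reach the collector without transport encryption. Either show an `https://` endpoint in `http_endpoint`, or set the example to `include_credential: false`. A one-line comment that the collector should sit on a trusted network would also help readers who copy the file as-is.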
@@ -0,0 +1,97 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "allow": { + "type": "array", + "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "elements": { + "type": "string" + } + } + }, + { + "deny": { + "type": "array", + "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "elements": { + "type": "string" + } + } + }, + { + "hide_groups_header": { + "type": "boolean", + "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", + "default": false, + "required": true + } + }, + { + "include_consumer_groups": { + "type": "boolean", + "default": false, + "required": false + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "only_one_of": [ + "config.allow", + "config.deny" + ] + }, + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/acme/3.7.x.json b/schemas/acme/3.7.x.json new file mode 100644 index 00000000..4b5075e9 --- /dev/null +++ b/schemas/acme/3.7.x.json 
@@ -0,0 +1,591 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "service": { + "type": "foreign", + "reference": "services", + "description": "A reference to the 'services' table with a null value allowed.", + "eq": null + } + }, + { + "route": { + "type": "foreign", + "reference": "routes", + "description": "A reference to the 'routes' table with a null value allowed.", + "eq": null + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "account_email": { + "match": "%w*%p*@+%w*%.?%w*", + "required": true, + "type": "string", + "description": "The account identifier. Can be reused in a different plugin instance.", + "encrypted": true, + "referenceable": true + } + }, + { + "account_key": { + "type": "record", + "description": "The private key associated with the account.", + "fields": [ + { + "key_id": { + "type": "string", + "description": "The Key ID.", + "required": true + } + }, + { + "key_set": { + "type": "string", + "description": "The ID of the key set to associate the Key ID with." 
+ } + } + ], + "required": false + } + }, + { + "api_uri": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "default": "https://acme-v02.api.letsencrypt.org/directory" + } + }, + { + "tos_accepted": { + "type": "boolean", + "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", + "default": false + } + }, + { + "eab_kid": { + "referenceable": true, + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", + "encrypted": true, + "type": "string" + } + }, + { + "eab_hmac_key": { + "referenceable": true, + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", + "encrypted": true, + "type": "string" + } + }, + { + "cert_type": { + "type": "string", + "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate.", + "default": "rsa", + "one_of": [ + "rsa", + "ecc" + ] + } + }, + { + "rsa_key_size": { + "type": "number", + "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", + "default": 4096, + "one_of": [ + 2048, + 3072, + 4096 + ] + } + }, + { + "renew_threshold_days": { + "type": "number", + "description": "Days remaining to renew the certificate before it expires.", + "default": 14 + } + }, + { + "domains": { + "type": "array", + "elements": { + "type": "string", + "match_any": { + "patterns": [ + "^%*%.", + "%.%*$", + "^[^*]*$" + ], + "err": "invalid wildcard: must be placed at leftmost or rightmost label" + }, + "match_all": [ + { + "pattern": "^[^*]*%*?[^*]*$", + "err": "invalid wildcard: must have at most one wildcard" + } + ] + }, + "description": "An array of strings representing hosts. 
A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')" + } + }, + { + "allow_any_domain": { + "type": "boolean", + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", + "default": false + } + }, + { + "fail_backoff_minutes": { + "type": "number", + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", + "default": 5 + } + }, + { + "storage": { + "type": "string", + "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well.", + "default": "shm", + "one_of": [ + "kong", + "shm", + "redis", + "consul", + "vault" + ] + } + }, + { + "storage_config": { + "type": "record", + "fields": [ + { + "shm": { + "type": "record", + "fields": [ + { + "shm_name": { + "type": "string", + "description": "Name of shared memory zone used for Kong API gateway storage", + "default": "kong" + } + } + ], + "required": true + } + }, + { + "kong": { + "type": "record", + "fields": [ + + ], + "required": true + } + }, + { + "redis": { + "type": "record", + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "default": 6379, + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "default": 2000, + "between": [ + 0, + 2147483646 + ] + } + }, + { + "username": { + "type": "string", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true + } + }, + { + "password": { + "type": "string", + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "len_min": 0 + } + }, + { + "database": { + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0 + } + }, + { + "ssl": { + "type": "boolean", + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "required": false + } + }, + { + "ssl_verify": { + "type": "boolean", + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "required": false + } + }, + { + "server_name": { + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false + } + }, + { + "extra_options": { + "type": "record", + "description": "Custom ACME Redis options", + "fields": [ + { + "namespace": { + "type": "string", + "default": "", + "required": true, + "description": "A namespace to prepend to all keys stored in Redis.", + "len_min": 0 + } + }, + { + "scan_count": { + "type": "number", + "description": "The number of keys to return in Redis SCAN calls.", + "default": 10, + "required": false + } + } + ], + "required": true + } + } + ], + "shorthand_fields": [ + { + "auth": { + "type": "string", + "translate_backwards": [ + "password" + ], + "len_min": 0 + } + }, + { + "ssl_server_name": { + "type": "string", + "translate_backwards": [ + "server_name" + ] + } + }, + { + "namespace": { + "type": "string", + "translate_backwards": [ + "extra_options", + "namespace" + ], + "len_min": 0 + } + }, + { + "scan_count": { + "type": "integer", + "translate_backwards": [ + "extra_options", + "scan_count" + ] + } + } + ], + "required": true + } + }, + { + "consul": { + "type": "record", + "fields": [ + { + "https": { + "type": "boolean", + "description": "Boolean representation of https.", + "default": false + } + }, + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "kv_path": { + "type": "string", + "description": "KV prefix path." + } + }, + { + "timeout": { + "type": "number", + "description": "Timeout in milliseconds." 
+ } + }, + { + "token": { + "referenceable": true, + "description": "Consul ACL token.", + "type": "string" + } + } + ], + "required": true + } + }, + { + "vault": { + "type": "record", + "fields": [ + { + "https": { + "type": "boolean", + "description": "Boolean representation of https.", + "default": false + } + }, + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "kv_path": { + "type": "string", + "description": "KV prefix path." + } + }, + { + "timeout": { + "type": "number", + "description": "Timeout in milliseconds." + } + }, + { + "token": { + "referenceable": true, + "description": "Consul ACL token.", + "type": "string" + } + }, + { + "tls_verify": { + "type": "boolean", + "description": "Turn on TLS verification.", + "default": true + } + }, + { + "tls_server_name": { + "type": "string", + "description": "SNI used in request, default to host if omitted." + } + }, + { + "auth_method": { + "type": "string", + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", + "default": "token", + "one_of": [ + "token", + "kubernetes" + ] + } + }, + { + "auth_path": { + "type": "string", + "description": "Vault's authentication path to use." + } + }, + { + "auth_role": { + "type": "string", + "description": "The role to try and assign." + } + }, + { + "jwt_path": { + "type": "string", + "description": "The path to the JWT." + } + } + ], + "required": true + } + } + ], + "required": true + } + }, + { + "preferred_chain": { + "type": "string", + "description": "A string value that specifies the preferred certificate chain to use when generating certificates." 
+ } + }, + { + "enable_ipv4_common_name": { + "type": "boolean", + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", + "default": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_match": { + "eq": true + }, + "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", + "if_match": { + "one_of": [ + "https://acme-v02.api.letsencrypt.org", + "https://acme-staging-v02.api.letsencrypt.org" + ] + }, + "if_field": "config.api_uri", + "then_field": "config.tos_accepted" + } + }, + { + "conditional": { + "then_field": "config.storage_config.redis.host", + "if_field": "config.storage", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.storage_config.redis.port", + "if_field": "config.storage", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.storage" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-prompt-decorator/3.7.x.json b/schemas/ai-prompt-decorator/3.7.x.json new file mode 100644 index 00000000..8eab08b1 --- /dev/null +++ b/schemas/ai-prompt-decorator/3.7.x.json 
@@ -0,0 +1,118 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "prompts": { + "type": "record", + "fields": [ + { + "prepend": { + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "role": { + "type": "string", + "one_of": [ + "system", + "assistant", + "user" + ], + "default": "system", + "required": true + } + }, + { + "content": { + "len_max": 500, + "len_min": 1, + "type": "string", + "required": true + } + } + ], + "required": false + }, + "required": false, + "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages.", + "len_max": 15 + } + }, + { + "append": { + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "role": { + "type": "string", + "one_of": [ + "system", + "assistant", + "user" + ], + "default": "system", + "required": true + } + }, + { + "content": { + "len_max": 500, + "len_min": 1, + "type": "string", + "required": true + } + } + ], + "required": false + }, + "required": false, + "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages.", + "len_max": 15 + } + } + ], + "required": false + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.prompts.prepend", + "config.prompts.append" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/ai-prompt-guard/3.7.x.json b/schemas/ai-prompt-guard/3.7.x.json new file mode 100644 index 00000000..fb4cb8f9 --- /dev/null +++ b/schemas/ai-prompt-guard/3.7.x.json 
@@ -0,0 +1,80 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "allow_patterns": { + "type": "array", + "elements": { + "len_max": 50, + "type": "string", + "len_min": 1 + }, + "default": [ + + ], + "description": "Array of valid patterns, or valid questions from the 'user' role in chat.", + "len_max": 10 + } + }, + { + "deny_patterns": { + "type": "array", + "elements": { + "len_max": 50, + "type": "string", + "len_min": 1 + }, + "default": [ + + ], + "description": "Array of invalid patterns, or invalid questions from the 'user' role in chat.", + "len_max": 10 + } + }, + { + "allow_all_conversation_history": { + "type": "boolean", + "description": "If true, will ignore all previous chat prompts from the conversation history.", + "default": false, + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow_patterns", + "config.deny_patterns" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/ai-prompt-template/3.7.x.json b/schemas/ai-prompt-template/3.7.x.json new file mode 100644 index 00000000..ec49ea9e --- /dev/null +++ b/schemas/ai-prompt-template/3.7.x.json 
@@ -0,0 +1,88 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "templates": { + "type": "array", + "description": "Array of templates available to the request context.", + "elements": { + "type": "record", + "fields": [ + { + "name": { + "type": "string", + "description": "Unique name for the template, can be called with `{template://NAME}`", + "required": true + } + }, + { + "template": { + "type": "string", + "description": "Template string for this request, supports mustache-style `{{placeholders}}`", + "required": true + } + } + ], + "required": true + }, + "required": true + } + }, + { + "allow_untemplated_requests": { + "type": "boolean", + "description": "Set true to allow requests that don't call or match any template.", + "default": true, + "required": true + } + }, + { + "log_original_request": { + "type": "boolean", + "description": "Set true to add the original request to the Kong log plugin(s) output.", + "default": false, + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/ai-proxy/3.7.x.json b/schemas/ai-proxy/3.7.x.json new file mode 100644 index 00000000..88dbd668 --- /dev/null +++ b/schemas/ai-proxy/3.7.x.json 
@@ -0,0 +1,427 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "service": { + "type": "foreign", + "reference": "services", + "description": "A reference to the 'services' table with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "route_type": { + "type": "string", + "description": "The model's operation implementation, for this provider.", + "one_of": [ + "llm/v1/chat", + "llm/v1/completions" + ], + "required": true + } + }, + { + "auth": { + "type": "record", + "fields": [ + { + "header_name": { + "type": "string", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, + "required": false + } + }, + { + "header_value": { + "type": "string", + "required": false, + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "encrypted": true, + "referenceable": true + } + }, + { + "param_name": { + "type": "string", + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, + "required": false + } + }, + { + "param_value": { + "type": "string", + "required": false, + "description": "Specify the full parameter value for 'param_name'.", + "encrypted": true, + "referenceable": true + } + }, + { + "param_location": { + "type": "string", + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + 
"one_of": [ + "query", + "body" + ], + "required": false + } + } + ], + "required": false + } + }, + { + "model": { + "type": "record", + "fields": [ + { + "provider": { + "type": "string", + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2" + ], + "required": true + } + }, + { + "name": { + "type": "string", + "description": "Model name to execute.", + "required": false + } + }, + { + "options": { + "type": "record", + "description": "Key/value settings for the model", + "fields": [ + { + "max_tokens": { + "type": "integer", + "description": "Defines the max_tokens, if using chat or completion models.", + "default": 256, + "required": false + } + }, + { + "temperature": { + "type": "number", + "default": 1, + "required": false, + "description": "Defines the matching temperature, if using chat or completion models.", + "between": [ + 0, + 5 + ] + } + }, + { + "top_p": { + "type": "number", + "default": 1, + "required": false, + "description": "Defines the top-p probability mass, if supported.", + "between": [ + 0, + 1 + ] + } + }, + { + "top_k": { + "type": "integer", + "default": 0, + "required": false, + "description": "Defines the top-k most likely tokens, if supported.", + "between": [ + 0, + 500 + ] + } + }, + { + "anthropic_version": { + "type": "string", + "description": "Defines the schema/API version, if using Anthropic provider.", + "required": false + } + }, + { + "azure_instance": { + "type": "string", + "description": "Instance name for Azure OpenAI hosted models.", + "required": false + } + }, + { + "azure_api_version": { + "type": "string", + "description": "'api-version' for Azure OpenAI instances.", + "default": "2023-05-15", + "required": false + } + }, + { + "azure_deployment_id": { + "type": "string", + "description": "Deployment ID for Azure OpenAI instances.", + "required": false + 
} + }, + { + "llama2_format": { + "type": "string", + "description": "If using llama2 provider, select the upstream message format.", + "one_of": [ + "raw", + "openai", + "ollama" + ], + "required": false + } + }, + { + "mistral_format": { + "type": "string", + "description": "If using mistral provider, select the upstream message format.", + "one_of": [ + "openai", + "ollama" + ], + "required": false + } + }, + { + "upstream_url": { + "type": "string", + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "required": false + } + } + ], + "required": false + } + } + ], + "required": true + } + }, + { + "logging": { + "type": "record", + "fields": [ + { + "log_statistics": { + "type": "boolean", + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "default": true, + "required": true + } + }, + { + "log_payloads": { + "type": "boolean", + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "default": false, + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "auth.header_name", + "auth.param_name" + ], + "if_field": "model.provider", + "then_err": "must set one of %s, and its respective options, when provider is not self-hosted", + "if_match": { + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere" + ] + } + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.llama2_format" + ], + "if_field": "model.provider", + "then_err": "must set %s for llama2 provider", + "if_match": { + "one_of": [ 
+ "llama2" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.mistral_format" + ], + "if_field": "model.provider", + "then_err": "must set %s for mistral provider", + "if_match": { + "one_of": [ + "mistral" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.name" + ], + "if_field": "model.provider", + "then_err": "Must set a model name. Refer to https://docs.konghq.com/hub/kong-inc/ai-proxy/ for supported models.", + "if_match": [ + + ] + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], + "if_field": "model.provider", + "then_err": "must set %s for anthropic provider", + "if_match": { + "one_of": [ + "anthropic" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.azure_instance" + ], + "if_field": "model.provider", + "then_err": "must set %s for azure provider", + "if_match": { + "one_of": [ + "azure" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], + "if_field": "model.provider", + "then_err": "must set %s for azure provider", + "if_match": { + "one_of": [ + "azure" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ], + "if_field": "model.provider", + "then_err": "must set %s for azure provider", + "if_match": { + "one_of": [ + "azure" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.upstream_url" + ], + "if_field": "model.provider", + "then_err": "must set %s for self-hosted providers/models", + "if_match": { + "one_of": [ + "mistral", + "llama2" + ] + } + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file 
diff --git a/schemas/ai-request-transformer/3.7.x.json b/schemas/ai-request-transformer/3.7.x.json new file mode 100644 index 00000000..4ac392d1 --- /dev/null +++ b/schemas/ai-request-transformer/3.7.x.json 
@@ -0,0 +1,515 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "prompt": { + "type": "string", + "description": "Use this prompt to tune the LLM system/assistant message for the incoming proxy request (from the client), and what you are expecting in return.", + "required": true + } + }, + { + "transformation_extract_pattern": { + "type": "string", + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the request phase. The first match will be set as the outgoing body. If the AI service's response doesn't match this pattern, it is marked as a failure.", + "required": false + } + }, + { + "http_timeout": { + "type": "integer", + "description": "Timeout in milliseconds for the AI upstream service.", + "default": 60000, + "required": true + } + }, + { + "https_verify": { + "type": "boolean", + "description": "Verify the TLS certificate of the AI upstream service.", + "default": true, + "required": true + } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "http_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "https_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "llm": { + "type": "record", + "fields": [ + { + "route_type": { + "type": "string", + "description": "The model's operation implementation, for this provider.", + "one_of": [ + "llm/v1/chat", + "llm/v1/completions" + ], + "required": true + } + }, + { + "auth": { + "type": "record", + "fields": [ + { + "header_name": { + "type": "string", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, + "required": false + } + }, + { + "header_value": { + "type": "string", + "required": false, + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "encrypted": true, + "referenceable": true + } + }, + { + "param_name": { + "type": "string", + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, + "required": false + } + }, + { + "param_value": { + "type": "string", + "required": false, + "description": "Specify the full parameter value for 'param_name'.", + "encrypted": true, + "referenceable": true + } + }, + { + "param_location": { + "type": "string", + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "one_of": [ + "query", + "body" + ], + "required": false + } + } + ], + "required": false + } + }, + { + "model": { + "type": "record", + "fields": [ + { + "provider": { + "type": "string", + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2" + ], + "required": true + } + }, + { + "name": { + "type": "string", + "description": 
"Model name to execute.", + "required": false + } + }, + { + "options": { + "type": "record", + "description": "Key/value settings for the model", + "fields": [ + { + "max_tokens": { + "type": "integer", + "description": "Defines the max_tokens, if using chat or completion models.", + "default": 256, + "required": false + } + }, + { + "temperature": { + "type": "number", + "default": 1, + "required": false, + "description": "Defines the matching temperature, if using chat or completion models.", + "between": [ + 0, + 5 + ] + } + }, + { + "top_p": { + "type": "number", + "default": 1, + "required": false, + "description": "Defines the top-p probability mass, if supported.", + "between": [ + 0, + 1 + ] + } + }, + { + "top_k": { + "type": "integer", + "default": 0, + "required": false, + "description": "Defines the top-k most likely tokens, if supported.", + "between": [ + 0, + 500 + ] + } + }, + { + "anthropic_version": { + "type": "string", + "description": "Defines the schema/API version, if using Anthropic provider.", + "required": false + } + }, + { + "azure_instance": { + "type": "string", + "description": "Instance name for Azure OpenAI hosted models.", + "required": false + } + }, + { + "azure_api_version": { + "type": "string", + "description": "'api-version' for Azure OpenAI instances.", + "default": "2023-05-15", + "required": false + } + }, + { + "azure_deployment_id": { + "type": "string", + "description": "Deployment ID for Azure OpenAI instances.", + "required": false + } + }, + { + "llama2_format": { + "type": "string", + "description": "If using llama2 provider, select the upstream message format.", + "one_of": [ + "raw", + "openai", + "ollama" + ], + "required": false + } + }, + { + "mistral_format": { + "type": "string", + "description": "If using mistral provider, select the upstream message format.", + "one_of": [ + "openai", + "ollama" + ], + "required": false + } + }, + { + "upstream_url": { + "type": "string", + "description": "Manually specify 
or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "required": false + } + } + ], + "required": false + } + } + ], + "required": true + } + }, + { + "logging": { + "type": "record", + "fields": [ + { + "log_statistics": { + "type": "boolean", + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "default": true, + "required": true + } + }, + { + "log_payloads": { + "type": "boolean", + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "default": false, + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "auth.header_name", + "auth.param_name" + ], + "if_field": "model.provider", + "then_err": "must set one of %s, and its respective options, when provider is not self-hosted", + "if_match": { + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere" + ] + } + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.llama2_format" + ], + "if_field": "model.provider", + "then_err": "must set %s for llama2 provider", + "if_match": { + "one_of": [ + "llama2" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.mistral_format" + ], + "if_field": "model.provider", + "then_err": "must set %s for mistral provider", + "if_match": { + "one_of": [ + "mistral" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.name" + ], + "if_field": "model.provider", + "then_err": "Must set a model name. 
Refer to https://docs.konghq.com/hub/kong-inc/ai-proxy/ for supported models.", + "if_match": [ + + ] + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], + "if_field": "model.provider", + "then_err": "must set %s for anthropic provider", + "if_match": { + "one_of": [ + "anthropic" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.azure_instance" + ], + "if_field": "model.provider", + "then_err": "must set %s for azure provider", + "if_match": { + "one_of": [ + "azure" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], + "if_field": "model.provider", + "then_err": "must set %s for azure provider", + "if_match": { + "one_of": [ + "azure" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ], + "if_field": "model.provider", + "then_err": "must set %s for azure provider", + "if_match": { + "one_of": [ + "azure" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.upstream_url" + ], + "if_field": "model.provider", + "then_err": "must set %s for self-hosted providers/models", + "if_match": { + "one_of": [ + "mistral", + "llama2" + ] + } + } + } + ], + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_match": { + "eq": "llm/v1/chat" + }, + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "if_field": "config.llm.route_type", + "then_field": "config.llm.route_type" + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } + ] +} \ No newline at end of file 
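Review bot: `config.transformation_extract_pattern` is declared as a plain `string` although its description says it is a regular expression, so nothing in this schema rejects a pattern that does not compile. The `allow`/`deny` elements of `bot-detection` in this same patch carry `"is_regex": true` for exactly that purpose. Presumably a bad pattern then only surfaces at request time, as a failed transformation. Adding `"is_regex": true` to the field would move that failure to configuration time, and the same field in `schemas/ai-response-transformer/3.7.x.json` has the same gap. Because these files are pulled from the API, the change belongs in the plugin schema upstream rather than in this copy.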
diff --git a/schemas/ai-response-transformer/3.7.x.json b/schemas/ai-response-transformer/3.7.x.json new file mode 100644 index 00000000..e996fb55 --- /dev/null +++ b/schemas/ai-response-transformer/3.7.x.json 
@@ -0,0 +1,523 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "prompt": { + "type": "string", + "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting.", + "required": true + } + }, + { + "transformation_extract_pattern": { + "type": "string", + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the response phase. The first match will be set as the returning body. If the AI service's response doesn't match this pattern, a failure is returned to the client.", + "required": false + } + }, + { + "parse_llm_response_json_instructions": { + "type": "boolean", + "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. 
You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions.", + "default": false, + "required": true + } + }, + { + "http_timeout": { + "type": "integer", + "description": "Timeout in milliseconds for the AI upstream service.", + "default": 60000, + "required": true + } + }, + { + "https_verify": { + "type": "boolean", + "description": "Verify the TLS certificate of the AI upstream service.", + "default": true, + "required": true + } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "http_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "https_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "llm": { + "type": "record", + "fields": [ + { + "route_type": { + "type": "string", + "description": "The model's operation implementation, for this provider.", + "one_of": [ + "llm/v1/chat", + "llm/v1/completions" + ], + "required": true + } + }, + { + "auth": { + "type": "record", + "fields": [ + { + "header_name": { + "type": "string", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, + "required": false + } + }, + { + "header_value": { + "type": "string", + "required": false, + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "encrypted": true, + "referenceable": true + } + }, + { + "param_name": { + "type": "string", + "description": "If AI model requires authentication via query parameter, 
specify its name here.", + "referenceable": true, + "required": false + } + }, + { + "param_value": { + "type": "string", + "required": false, + "description": "Specify the full parameter value for 'param_name'.", + "encrypted": true, + "referenceable": true + } + }, + { + "param_location": { + "type": "string", + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "one_of": [ + "query", + "body" + ], + "required": false + } + } + ], + "required": false + } + }, + { + "model": { + "type": "record", + "fields": [ + { + "provider": { + "type": "string", + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2" + ], + "required": true + } + }, + { + "name": { + "type": "string", + "description": "Model name to execute.", + "required": false + } + }, + { + "options": { + "type": "record", + "description": "Key/value settings for the model", + "fields": [ + { + "max_tokens": { + "type": "integer", + "description": "Defines the max_tokens, if using chat or completion models.", + "default": 256, + "required": false + } + }, + { + "temperature": { + "type": "number", + "default": 1, + "required": false, + "description": "Defines the matching temperature, if using chat or completion models.", + "between": [ + 0, + 5 + ] + } + }, + { + "top_p": { + "type": "number", + "default": 1, + "required": false, + "description": "Defines the top-p probability mass, if supported.", + "between": [ + 0, + 1 + ] + } + }, + { + "top_k": { + "type": "integer", + "default": 0, + "required": false, + "description": "Defines the top-k most likely tokens, if supported.", + "between": [ + 0, + 500 + ] + } + }, + { + "anthropic_version": { + "type": "string", + "description": "Defines the schema/API version, if using Anthropic provider.", + "required": false + } + 
}, + { + "azure_instance": { + "type": "string", + "description": "Instance name for Azure OpenAI hosted models.", + "required": false + } + }, + { + "azure_api_version": { + "type": "string", + "description": "'api-version' for Azure OpenAI instances.", + "default": "2023-05-15", + "required": false + } + }, + { + "azure_deployment_id": { + "type": "string", + "description": "Deployment ID for Azure OpenAI instances.", + "required": false + } + }, + { + "llama2_format": { + "type": "string", + "description": "If using llama2 provider, select the upstream message format.", + "one_of": [ + "raw", + "openai", + "ollama" + ], + "required": false + } + }, + { + "mistral_format": { + "type": "string", + "description": "If using mistral provider, select the upstream message format.", + "one_of": [ + "openai", + "ollama" + ], + "required": false + } + }, + { + "upstream_url": { + "type": "string", + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "required": false + } + } + ], + "required": false + } + } + ], + "required": true + } + }, + { + "logging": { + "type": "record", + "fields": [ + { + "log_statistics": { + "type": "boolean", + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "default": true, + "required": true + } + }, + { + "log_payloads": { + "type": "boolean", + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "default": false, + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "auth.header_name", + "auth.param_name" + ], + "if_field": "model.provider", + "then_err": "must set one of %s, and its respective options, when provider is not self-hosted", + "if_match": { + "one_of": [ + "openai", + 
"azure", + "anthropic", + "cohere" + ] + } + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.llama2_format" + ], + "if_field": "model.provider", + "then_err": "must set %s for llama2 provider", + "if_match": { + "one_of": [ + "llama2" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.mistral_format" + ], + "if_field": "model.provider", + "then_err": "must set %s for mistral provider", + "if_match": { + "one_of": [ + "mistral" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.name" + ], + "if_field": "model.provider", + "then_err": "Must set a model name. Refer to https://docs.konghq.com/hub/kong-inc/ai-proxy/ for supported models.", + "if_match": [ + + ] + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], + "if_field": "model.provider", + "then_err": "must set %s for anthropic provider", + "if_match": { + "one_of": [ + "anthropic" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.azure_instance" + ], + "if_field": "model.provider", + "then_err": "must set %s for azure provider", + "if_match": { + "one_of": [ + "azure" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], + "if_field": "model.provider", + "then_err": "must set %s for azure provider", + "if_match": { + "one_of": [ + "azure" + ] + } + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ], + "if_field": "model.provider", + "then_err": "must set %s for azure provider", + "if_match": { + "one_of": [ + "azure" + ] + } + } + }, + { + 
"conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.upstream_url" + ], + "if_field": "model.provider", + "then_err": "must set %s for self-hosted providers/models", + "if_match": { + "one_of": [ + "mistral", + "llama2" + ] + } + } + } + ], + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_match": { + "eq": "llm/v1/chat" + }, + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "if_field": "config.llm.route_type", + "then_field": "config.llm.route_type" + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/app-dynamics/3.7.x.json b/schemas/app-dynamics/3.7.x.json new file mode 100644 index 00000000..380e6ec2 --- /dev/null +++ b/schemas/app-dynamics/3.7.x.json @@ -0,0 +1,46 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/application-registration/3.7.x.json b/schemas/application-registration/3.7.x.json new file mode 100644 index 00000000..a1046779 --- /dev/null +++ b/schemas/application-registration/3.7.x.json 
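Review bot: The description of `parse_llm_response_json_instructions` in `schemas/ai-response-transformer/3.7.x.json` does not say that, once enabled, the status code, headers and body sent to the client are taken from model output, and that output is shaped by whatever the upstream response contains. Whether the plugin filters those values is not visible from the schema, so the description should carry the caveat, for example `Enable only when the upstream content passed to the model is trusted, because the model's output then decides the status code and headers.` The `prompt` description in the same hunk has a typo, `adn` for `and`.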
@@ -0,0 +1,100 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "service": { + "type": "foreign", + "reference": "services", + "ne": null, + "on_delete": "cascade" + } + }, + { + "route": { + "type": "foreign", + "reference": "routes", + "description": "A reference to the 'routes' table with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "display_name": { + "unique": true, + "description": "Unique display name used for a Service in the Developer Portal.", + "type": "string", + "required": true + } + }, + { + "description": { + "type": "string", + "description": "Unique description displayed in information about a Service in the Developer Portal.", + "unique": true + } + }, + { + "auto_approve": { + "type": "boolean", + "description": "If enabled, all new Service Contracts requests are automatically approved.", + "default": false, + "required": true + } + }, + { + "show_issuer": { + "type": "boolean", + "description": "Displays the **Issuer URL** in the **Service Details** dialog.", + "default": false, + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/aws-lambda/3.7.x.json b/schemas/aws-lambda/3.7.x.json new file mode 100644 index 00000000..7467cd9d --- /dev/null 
+++ b/schemas/aws-lambda/3.7.x.json 
@@ -0,0 +1,255 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "timeout": { + "type": "number", + "description": "An optional timeout in milliseconds when invoking the function.", + "default": 60000, + "required": true + } + }, + { + "keepalive": { + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "default": 60000, + "required": true + } + }, + { + "aws_key": { + "referenceable": true, + "description": "The AWS key credential to be used when invoking the function.", + "type": "string", + "encrypted": true + } + }, + { + "aws_secret": { + "referenceable": true, + "description": "The AWS secret credential to be used when invoking the function. ", + "type": "string", + "encrypted": true + } + }, + { + "aws_assume_role_arn": { + "referenceable": true, + "description": "The target AWS IAM role ARN used to invoke the Lambda function.", + "type": "string", + "encrypted": true + } + }, + { + "aws_role_session_name": { + "type": "string", + "description": "The identifier of the assumed role session.", + "default": "kong" + } + }, + { + "aws_region": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "function_name": { + "type": "string", + "description": "The AWS Lambda function name to invoke.", + "required": false + } + }, + { + "qualifier": { + "type": "string", + "description": "The qualifier to use when invoking the function." + } + }, + { + "invocation_type": { + "type": "string", + "default": "RequestResponse", + "required": true, + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", + "one_of": [ + "RequestResponse", + "Event", + "DryRun" + ] + } + }, + { + "log_type": { + "type": "string", + "default": "Tail", + "required": true, + "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", + "one_of": [ + "Tail", + "None" + ] + } + }, + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "default": 443, + "between": [ + 0, + 65535 + ] + } + }, + { + "disable_https": { + "default": false, + "type": "boolean" + } + }, + { + "unhandled_status": { + "type": "integer", + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", + "between": [ + 100, + 999 + ] + } + }, + { + "forward_request_method": { + "type": "boolean", + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", + "default": false + } + }, + { + "forward_request_uri": { + "type": "boolean", + "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", + "default": false + } + }, + { + "forward_request_headers": { + "type": "boolean", + "description": "An optional value that defines whether the 
original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", + "default": false + } + }, + { + "forward_request_body": { + "type": "boolean", + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. ", + "default": false + } + }, + { + "is_proxy_integration": { + "type": "boolean", + "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", + "default": false + } + }, + { + "awsgateway_compatible": { + "type": "boolean", + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", + "default": false + } + }, + { + "proxy_url": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "skip_large_bodies": { + "type": "boolean", + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", + "default": true + } + }, + { + "base64_encode_body": { + "type": "boolean", + "description": "An optional value that Base64-encodes the request body.", + "default": true + } + }, + { + "aws_imds_protocol_version": { + "type": "string", + "default": "v1", + "required": true, + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", + "one_of": [ + "v1", + "v2" + ] + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "config.aws_key", + "config.aws_secret" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "config.proxy_url" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/azure-functions/3.7.x.json b/schemas/azure-functions/3.7.x.json new file mode 100644 index 00000000..17e0728b --- /dev/null 
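Review bot: `aws_imds_protocol_version` defaults to `v1`, so a deployment that relies on instance credentials uses the token-less metadata protocol unless the operator changes it. IMDSv2 adds a session token that blunts SSRF-style credential theft. The description should at least recommend `"aws_imds_protocol_version": "v2"` where the instance supports it, and `"default": "v2"` would be the safer shipped value if upstream can change it. Two smaller documentation gaps sit in the same hunk: `disable_https` has no description although, judging by its name, it turns off TLS to the Lambda endpoint, and `aws_region` carries the host-name text `A string representing a host name, such as example.com.`.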
+++ b/schemas/azure-functions/3.7.x.json 
@@ -0,0 +1,125 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "timeout": { + "type": "number", + "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", + "default": 600000 + } + }, + { + "keepalive": { + "type": "number", + "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", + "default": 60000 + } + }, + { + "https": { + "type": "boolean", + "description": "Use of HTTPS to connect with the Azure Functions server.", + "default": true + } + }, + { + "https_verify": { + "type": "boolean", + "description": "Set to `true` to authenticate the Azure Functions server.", + "default": false + } + }, + { + "apikey": { + "type": "string", + "encrypted": true, + "referenceable": true, + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header." + } + }, + { + "clientid": { + "type": "string", + "encrypted": true, + "referenceable": true, + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header." 
+ } + }, + { + "appname": { + "type": "string", + "description": "The Azure app name.", + "required": true + } + }, + { + "hostdomain": { + "type": "string", + "description": "The domain where the function resides.", + "default": "azurewebsites.net", + "required": true + } + }, + { + "routeprefix": { + "type": "string", + "description": "Route prefix to use.", + "default": "api" + } + }, + { + "functionname": { + "type": "string", + "description": "Name of the Azure function to invoke.", + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/basic-auth/3.7.x.json b/schemas/basic-auth/3.7.x.json new file mode 100644 index 00000000..d67a60c4 --- /dev/null +++ b/schemas/basic-auth/3.7.x.json 
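Review bot: `https_verify` defaults to `false` in this schema, so by default the TLS certificate of the Azure Functions server is not checked, even though `apikey` and `clientid` are sent to it as the `x-functions-key` and `x-functions-clientid` headers. The AI transformer schemas in this same patch default their `https_verify` to `true`. Until the shipped default changes, the description should state the risk, for example by appending `Defaults to false; enable it so the function key is only sent to a verified host.` to the existing text.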
@@ -0,0 +1,78 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "anonymous": { + "type": "string", + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "hide_credentials": { + "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", + "default": false, + "required": true + } + }, + { + "realm": { + "type": "string", + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", + "default": "service", + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/bot-detection/3.7.x.json b/schemas/bot-detection/3.7.x.json new file mode 100644 index 00000000..a14dfba2 --- /dev/null +++ b/schemas/bot-detection/3.7.x.json 
@@ -0,0 +1,79 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "allow": { + "type": "array", + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", + "default": [ + + ], + "elements": { + "type": "string", + "is_regex": true + } + } + }, + { + "deny": { + "type": "array", + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", + "default": [ + + ], + "elements": { + "type": "string", + "is_regex": true + } + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/canary/3.7.x.json b/schemas/canary/3.7.x.json new file mode 100644 index 00000000..2e9e2277 --- /dev/null +++ b/schemas/canary/3.7.x.json 
@@ -0,0 +1,190 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "start": { + "type": "number", + "description": "Future time in seconds since epoch, when the canary release will start. Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`." + } + }, + { + "hash": { + "type": "string", + "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", + "default": "consumer", + "one_of": [ + "consumer", + "ip", + "none", + "allow", + "deny", + "header" + ] + } + }, + { + "hash_header": { + "type": "string", + "description": "A string representing an HTTP header name." 
+ } + }, + { + "duration": { + "type": "number", + "description": "The duration of the canary release in seconds.", + "default": 3600, + "gt": 0 + } + }, + { + "steps": { + "type": "number", + "description": "The number of steps for the canary release.", + "default": 1000, + "gt": 1 + } + }, + { + "percentage": { + "type": "number", + "description": "The percentage of traffic to be routed to the canary release.", + "between": [ + 0, + 100 + ] + } + }, + { + "upstream_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "upstream_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "upstream_uri": { + "type": "string", + "description": "The URI of the upstream server to be used for the canary release.", + "len_min": 1 + } + }, + { + "upstream_fallback": { + "type": "boolean", + "description": "Specifies whether to fallback to the upstream server if the canary release fails.", + "default": false, + "required": true + } + }, + { + "groups": { + "type": "array", + "description": "The groups allowed to access the canary release.", + "elements": { + "type": "string" + } + } + }, + { + "canary_by_header_name": { + "type": "string", + "description": "A string representing an HTTP header name." + } + } + ], + "shorthand_fields": [ + { + "hash": { + "type": "string", + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead." 
+ } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.upstream_uri", + "config.upstream_host", + "config.upstream_port" + ] + }, + { + "conditional": { + "then_field": "config.hash_header", + "if_field": "config.hash", + "then_match": { + "required": true + }, + "if_match": { + "eq": "header" + } + } + }, + { + "conditional": { + "then_field": "config.upstream_host", + "if_field": "config.upstream_fallback", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + } + } + } + ] +} \ No newline at end of file diff --git a/schemas/correlation-id/3.7.x.json b/schemas/correlation-id/3.7.x.json new file mode 100644 index 00000000..1166c7ce --- /dev/null +++ b/schemas/correlation-id/3.7.x.json 
@@ -0,0 +1,72 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "header_name": { + "type": "string", + "description": "The HTTP header name to use for the correlation ID.", + "default": "Kong-Request-ID" + } + }, + { + "generator": { + "type": "string", + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", + "default": "uuid#counter", + "one_of": [ + "uuid", + "uuid#counter", + "tracker" + ] + } + }, + { + "echo_downstream": { + "type": "boolean", + "description": "Whether to echo the header back to downstream (the client).", + "default": false, + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/cors/3.7.x.json b/schemas/cors/3.7.x.json new file mode 100644 index 00000000..e8a851f5 --- /dev/null +++ b/schemas/cors/3.7.x.json 
@@ -0,0 +1,143 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "required": true, + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ], + "len_min": 1 + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "origins": { + "type": "array", + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.", + "elements": { + "type": "string" + } + } + }, + { + "headers": { + "type": "array", + "description": "Value for the `Access-Control-Allow-Headers` header.", + "elements": { + "type": "string" + } + } + }, + { + "exposed_headers": { + "type": "array", + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", + "elements": { + "type": "string" + } + } + }, + { + "methods": { + "type": "array", + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. 
By default, all options are allowed.'", + "default": [ + "GET", + "HEAD", + "PUT", + "PATCH", + "POST", + "DELETE", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "elements": { + "type": "string", + "one_of": [ + "GET", + "HEAD", + "PUT", + "PATCH", + "POST", + "DELETE", + "OPTIONS", + "TRACE", + "CONNECT" + ] + } + } + }, + { + "max_age": { + "type": "number", + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`." + } + }, + { + "credentials": { + "type": "boolean", + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", + "default": false, + "required": true + } + }, + { + "private_network": { + "type": "boolean", + "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", + "default": false, + "required": true + } + }, + { + "preflight_continue": { + "type": "boolean", + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", + "default": false, + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/datadog/3.7.x.json b/schemas/datadog/3.7.x.json new file mode 100644 index 00000000..99198f29 --- /dev/null +++ b/schemas/datadog/3.7.x.json 
@@ -0,0 +1,346 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "host": { + "referenceable": true, + "description": "A string representing a host name, such as example.com.", + "default": "localhost", + "type": "string" + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "default": 8125, + "between": [ + 0, + 65535 + ] + } + }, + { + "prefix": { + "type": "string", + "description": "String to be attached as a prefix to a metric's name.", + "default": "kong" + } + }, + { + "service_name_tag": { + "type": "string", + "description": "String to be attached as the name of the service.", + "default": "name" + } + }, + { + "status_tag": { + "type": "string", + "description": "String to be attached as the tag of the HTTP status.", + "default": "status" + } + }, + { + "consumer_tag": { + "type": "string", + "description": "String to be attached as tag of the consumer.", + "default": "consumer" + } + }, + { + "retry_count": { + "type": "integer", + "description": "Number of times to retry when sending data to the upstream server." + } + }, + { + "queue_size": { + "type": "integer", + "description": "Maximum number of log entries to be sent on each message to the upstream server." 
+ } + }, + { + "flush_timeout": { + "type": "number", + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records." + } + }, + { + "queue": { + "type": "record", + "fields": [ + { + "max_batch_size": { + "type": "integer", + "description": "Maximum number of entries that can be processed at a time.", + "default": 1, + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_coalescing_delay": { + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "default": 1, + "between": [ + 0, + 3600 + ] + } + }, + { + "max_entries": { + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue.", + "default": 10000, + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." 
+ } + }, + { + "max_retry_time": { + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60 + } + }, + { + "initial_retry_delay": { + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch.", + "default": 0.01, + "between": [ + 0.001, + 1000000 + ] + } + }, + { + "max_retry_delay": { + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "default": 60, + "between": [ + 0.001, + 1000000 + ] + } + } + ], + "required": true + } + }, + { + "metrics": { + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "name": { + "type": "string", + "description": "Datadog metric’s name", + "one_of": [ + "kong_latency", + "latency", + "request_count", + "request_size", + "response_size", + "upstream_latency" + ], + "required": true + } + }, + { + "stat_type": { + "type": "string", + "description": "Determines what sort of event the metric represents", + "one_of": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer", + "distribution" + ], + "required": true + } + }, + { + "tags": { + "type": "array", + "description": "List of tags", + "elements": { + "type": "string", + "match": "^.*[^:]$" + } + } + }, + { + "sample_rate": { + "type": "number", + "description": "Sampling rate", + "between": [ + 0, + 1 + ] + } + }, + { + "consumer_identifier": { + "type": "string", + "description": "Authenticated user detail", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + }, + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + } + } + } + ] + }, + "default": [ + { + "tags": [ + "app:kong" + ], + "name": "request_count", + "consumer_identifier": "custom_id", + "stat_type": "counter", + "sample_rate": 1 + }, + 
{ + "consumer_identifier": "custom_id", + "stat_type": "timer", + "name": "latency", + "tags": [ + "app:kong" + ] + }, + { + "consumer_identifier": "custom_id", + "stat_type": "timer", + "name": "request_size", + "tags": [ + "app:kong" + ] + }, + { + "consumer_identifier": "custom_id", + "stat_type": "timer", + "name": "response_size", + "tags": [ + "app:kong" + ] + }, + { + "consumer_identifier": "custom_id", + "stat_type": "timer", + "name": "upstream_latency", + "tags": [ + "app:kong" + ] + }, + { + "consumer_identifier": "custom_id", + "stat_type": "timer", + "name": "kong_latency", + "tags": [ + "app:kong" + ] + } + ], + "required": true, + "description": "List of metrics to be logged." + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "retry_count", + "queue_size", + "flush_timeout" + ] + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/degraphql/3.7.x.json b/schemas/degraphql/3.7.x.json new file mode 100644 index 00000000..397cfec9 --- /dev/null +++ b/schemas/degraphql/3.7.x.json 
@@ -0,0 +1,68 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "graphql_server_path": { + "type": "string", + "default": "/graphql", + "required": true, + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/" + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/exit-transformer/3.7.x.json b/schemas/exit-transformer/3.7.x.json new file mode 100644 index 00000000..99dab81e --- /dev/null +++ b/schemas/exit-transformer/3.7.x.json 
@@ -0,0 +1,68 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "functions": { + "type": "array", + "elements": { + "type": "string" + }, + "required": true + } + }, + { + "handle_unknown": { + "type": "boolean", + "description": "Determines whether to handle unknown status codes by transforming their responses.", + "default": false + } + }, + { + "handle_unexpected": { + "type": "boolean", + "description": "Determines whether to handle unexpected errors by transforming their responses.", + "default": false + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/file-log/3.7.x.json b/schemas/file-log/3.7.x.json new file mode 100644 index 00000000..8f656f87 --- /dev/null +++ b/schemas/file-log/3.7.x.json 
@@ -0,0 +1,83 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "path": { + "match": "^[^*&%%\\`]+$", + "err": "not a valid filename", + "required": true, + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", + "type": "string" + } + }, + { + "reopen": { + "type": "boolean", + "description": "Determines whether the log file is closed and reopened on every request.", + "default": false, + "required": true + } + }, + { + "custom_fields_by_lua": { + "type": "map", + "keys": { + "type": "string", + "len_min": 1 + }, + "description": "Lua code as a key-value map", + "values": { + "type": "string", + "len_min": 1 + } + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/forward-proxy/3.7.x.json b/schemas/forward-proxy/3.7.x.json new file mode 100644 index 00000000..a57a860c --- /dev/null +++ b/schemas/forward-proxy/3.7.x.json 
@@ -0,0 +1,163 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "http_proxy_host", + "https_proxy_host" + ] + }, + { + "at_least_one_of": [ + "http_proxy_port", + "https_proxy_port" + ] + }, + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], + "required": true, + "fields": [ + { + "x_headers": { + "type": "string", + "default": "append", + "required": true, + "description": "Determines how to handle headers when forwarding the request.", + "one_of": [ + "append", + "transparent", + "delete" + ] + } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "http_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "https_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "proxy_scheme": { + "type": "string", + "default": "http", + "required": true, + "description": "The proxy scheme to use when connecting. 
Only `http` is supported.", + "one_of": [ + "http" + ] + } + }, + { + "auth_username": { + "type": "string", + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "referenceable": true, + "required": false + } + }, + { + "auth_password": { + "type": "string", + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "referenceable": true, + "required": false + } + }, + { + "https_verify": { + "type": "boolean", + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "default": false, + "required": true + } + } + ], + "shorthand_fields": [ + { + "proxy_host": { + "type": "string" + } + }, + { + "proxy_port": { + "type": "integer" + } + } + ] + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/graphql-proxy-cache-advanced/3.7.x.json b/schemas/graphql-proxy-cache-advanced/3.7.x.json new file mode 100644 index 00000000..e4af8d5d --- /dev/null +++ b/schemas/graphql-proxy-cache-advanced/3.7.x.json 
@@ -0,0 +1,89 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "strategy": { + "type": "string", + "default": "memory", + "required": true, + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", + "one_of": [ + "memory" + ] + } + }, + { + "cache_ttl": { + "type": "integer", + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "default": 300, + "gt": 0 + } + }, + { + "memory": { + "type": "record", + "fields": [ + { + "dictionary_name": { + "type": "string", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", + "default": "kong_db_cache", + "required": true + } + } + ], + "required": true + } + }, + { + "vary_headers": { + "type": "array", + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "elements": { + "type": "string" + } + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/graphql-rate-limiting-advanced/3.7.x.json b/schemas/graphql-rate-limiting-advanced/3.7.x.json new file mode 100644 index 00000000..4ccaf5c8 --- /dev/null +++ b/schemas/graphql-rate-limiting-advanced/3.7.x.json 
@@ -0,0 +1,405 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "identifier": { + "type": "string", + "default": "consumer", + "required": true, + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", + "one_of": [ + "ip", + "credential", + "consumer" + ] + } + }, + { + "window_size": { + "type": "array", + "description": "One or more window sizes to apply a limit to (defined in seconds).", + "elements": { + "type": "number" + }, + "required": true + } + }, + { + "window_type": { + "type": "string", + "description": "Sets the time window to either `sliding` or `fixed`.", + "default": "sliding", + "one_of": [ + "fixed", + "sliding" + ] + } + }, + { + "limit": { + "type": "array", + "description": "One or more requests-per-window limits to apply.", + "elements": { + "type": "number" + }, + "required": true + } + }, + { + "sync_rate": { + "type": "number", + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.", + "required": true + } + }, + { + "namespace": { + "type": "string", + "description": "The rate limiting library namespace to use for this plugin instance. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. 
`strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", + "auto": true + } + }, + { + "strategy": { + "type": "string", + "default": "cluster", + "required": true, + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", + "one_of": [ + "cluster", + "redis" + ] + } + }, + { + "dictionary_name": { + "type": "string", + "description": "The shared dictionary where counters will be stored until the next sync cycle.", + "default": "kong_rate_limiting_counters", + "required": true + } + }, + { + "hide_client_headers": { + "type": "boolean", + "description": "Optionally hide informative response headers. Available options: `true` or `false`.", + "default": false + } + }, + { + "cost_strategy": { + "type": "string", + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", + "default": "default", + "one_of": [ + "default", + "node_quantifier" + ] + } + }, + { + "score_factor": { + "type": "number", + "default": 1, + "required": false, + "gt": 0, + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0." + } + }, + { + "max_cost": { + "type": "number", + "description": "A defined maximum cost per query. 0 means unlimited.", + "default": 0, + "required": false + } + }, + { + "redis": { + "type": "record", + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "default": 2000, + "between": [ + 0, + 2147483646 + ] + } + }, + { + "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "username": { + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + { + "password": { + "referenceable": true, + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + } + }, + { + "sentinel_username": { + "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + } + }, + { + "sentinel_password": { + "referenceable": true, + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + } + }, + { + "database": { + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "between": [ + 1, + 2147483646 + ] + } + }, + { + "keepalive_backlog": { + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_addresses": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_addresses": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. 
Each string element must be a hostname. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "type": "boolean", + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "required": false + } + }, + { + "ssl_verify": { + "type": "boolean", + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "required": false + } + }, + { + "server_name": { + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "cluster_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "cluster_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ], + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/grpc-gateway/3.7.x.json b/schemas/grpc-gateway/3.7.x.json new file mode 100644 index 00000000..f4083273 --- /dev/null +++ b/schemas/grpc-gateway/3.7.x.json 
@@ -0,0 +1,59 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "proto": { + "type": "string", + "description": "Describes the gRPC types and methods.", + "required": false + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/grpc-web/3.7.x.json b/schemas/grpc-web/3.7.x.json new file mode 100644 index 00000000..3a7f8666 --- /dev/null +++ b/schemas/grpc-web/3.7.x.json 
@@ -0,0 +1,74 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "proto": { + "type": "string", + "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", + "required": false + } + }, + { + "pass_stripped_path": { + "type": "boolean", + "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", + "required": false + } + }, + { + "allow_origin_header": { + "type": "string", + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", + "default": "*", + "required": false + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/hmac-auth/3.7.x.json b/schemas/hmac-auth/3.7.x.json new file mode 100644 index 00000000..d952f4a2 --- /dev/null +++ b/schemas/hmac-auth/3.7.x.json 
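Review bot: `allow_origin_header` defaults to `*`, and its description does not tell the operator that an unconfigured plugin therefore answers with `Access-Control-Allow-Origin: *`, that is, for any origin. I would extend the description with `The default "*" allows any origin; set the origin of the gRPC-Web client explicitly when responses must not be readable from other sites.` The `proto` description also names the content type as `application/grpw-web+proto`, which looks like a typo for `application/grpc-web+proto`. The file is a downloaded schema, so the text has to be corrected in the plugin source.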
@@ -0,0 +1,125 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "hide_credentials": { + "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "default": false, + "required": true + } + }, + { + "clock_skew": { + "type": "number", + "description": "Clock skew in seconds to prevent replay attacks.", + "default": 300, + "gt": 0 + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + } + }, + { + "validate_request_body": { + "type": "boolean", + "description": "A boolean value telling the plugin to enable body validation.", + "default": false, + "required": true + } + }, + { + "enforce_headers": { + "type": "array", + "description": "A list of headers that the client should at least use for HTTP signature creation.", + "default": [ + + ], + "elements": { + "type": "string" + } + } + }, + { + "algorithms": { + "type": "array", + "description": "A list of HMAC digest algorithms that the user wants to support. 
Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "elements": { + "type": "string", + "one_of": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ] + } + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.algorithms" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/http-log/3.7.x.json b/schemas/http-log/3.7.x.json new file mode 100644 index 00000000..022770ee --- /dev/null +++ b/schemas/http-log/3.7.x.json 
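Review bot: The `clock_skew` description (`Clock skew in seconds to prevent replay attacks.`) reads as if a larger value gave more protection, while the default of 300 with `gt: 0` is presumably the tolerated difference between the request date and the server clock, so raising it would lengthen the time a captured signed request stays acceptable. I would reword it to `Maximum allowed difference, in seconds, between the request date and the server time; smaller values narrow the replay window.` In the same hunk `validate_request_body` defaults to `false` and `enforce_headers` to an empty list, and neither description says what the signature is then not required to cover; one sentence each would help an operator reviewing a default deployment. The file is a downloaded schema, so the wording has to change in the plugin source.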
@@ -0,0 +1,245 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "http_endpoint": { + "referenceable": true, + "required": true, + "encrypted": true, + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "method": { + "type": "string", + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", + "default": "POST", + "one_of": [ + "POST", + "PUT", + "PATCH" + ] + } + }, + { + "content_type": { + "type": "string", + "description": "Indicates the type of data sent. The only available option is `application/json`.", + "default": "application/json", + "one_of": [ + "application/json", + "application/json; charset=utf-8" + ] + } + }, + { + "timeout": { + "type": "number", + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "default": 10000 + } + }, + { + "keepalive": { + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", + "default": 60000 + } + }, + { + "retry_count": { + "type": "integer", + "description": "Number of times to retry when sending data to the upstream server." 
+ } + }, + { + "queue_size": { + "type": "integer", + "description": "Maximum number of log entries to be sent on each message to the upstream server." + } + }, + { + "flush_timeout": { + "type": "number", + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records." + } + }, + { + "headers": { + "type": "map", + "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", + "keys": { + "type": "string", + "match_none": [ + { + "err": "cannot contain 'Host' header", + "pattern": "^[Hh][Oo][Ss][Tt]$" + }, + { + "err": "cannot contain 'Content-Length' header", + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$" + }, + { + "err": "cannot contain 'Content-Type' header", + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$" + } + ], + "description": "A string representing an HTTP header name." + }, + "values": { + "referenceable": true, + "type": "string" + } + } + }, + { + "queue": { + "type": "record", + "fields": [ + { + "max_batch_size": { + "type": "integer", + "description": "Maximum number of entries that can be processed at a time.", + "default": 1, + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_coalescing_delay": { + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "default": 1, + "between": [ + 0, + 3600 + ] + } + }, + { + "max_entries": { + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue.", + "default": 10000, + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." 
+ } + }, + { + "max_retry_time": { + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60 + } + }, + { + "initial_retry_delay": { + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch.", + "default": 0.01, + "between": [ + 0.001, + 1000000 + ] + } + }, + { + "max_retry_delay": { + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "default": 60, + "between": [ + 0.001, + 1000000 + ] + } + } + ], + "required": true + } + }, + { + "custom_fields_by_lua": { + "type": "map", + "keys": { + "type": "string", + "len_min": 1 + }, + "description": "Lua code as a key-value map", + "values": { + "type": "string", + "len_min": 1 + } + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "retry_count", + "queue_size", + "flush_timeout" + ] + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/ip-restriction/3.7.x.json b/schemas/ip-restriction/3.7.x.json new file mode 100644 index 00000000..0e610083 --- /dev/null +++ b/schemas/ip-restriction/3.7.x.json 
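Review bot: The `match_none` pattern for `Content-Length` under `config.headers.keys` is written `[Ll][Ee][nn][Gg][Tt][Hh]`, and `[nn]` matches only a lowercase `n`, so a key spelled with a capital `N` in that position is not rejected although header names are case-insensitive. The class should be `[Nn]`, giving `^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][Nn][Gg][Tt][Hh]$`, consistent with the `Host` and `Content-Type` patterns beside it. In the same hunk `custom_fields_by_lua` is described only as `Lua code as a key-value map`; if each value is Lua that the plugin evaluates, the description should say so, so that write access to this field is restricted accordingly. As this file is a downloaded schema, both changes belong in the plugin source and will arrive here with the next download.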
@@ -0,0 +1,85 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "default": [ + "http", + "https", + "tcp", + "tls", + "grpc", + "grpcs" + ], + "required": true, + "description": "A set of strings representing protocols." + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "allow": { + "type": "array", + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", + "elements": { + "type": "string", + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + } + } + }, + { + "deny": { + "type": "array", + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", + "elements": { + "type": "string", + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + } + } + }, + { + "status": { + "type": "number", + "description": "The HTTP status of the requests that will be rejected by the plugin.", + "required": false + } + }, + { + "message": { + "type": "string", + "description": "The message to send as a response body to rejected requests.", + "required": false + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/jq/3.7.x.json b/schemas/jq/3.7.x.json new file mode 100644 index 00000000..347c8014 --- /dev/null +++ b/schemas/jq/3.7.x.json 
@@ -0,0 +1,197 @@ +{ + "fields": [ + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "request_jq_program": { + "type": "string", + "required": false + } + }, + { + "request_jq_program_options": { + "type": "record", + "fields": [ + { + "compact_output": { + "type": "boolean", + "default": true, + "required": true + } + }, + { + "raw_output": { + "type": "boolean", + "default": false, + "required": true + } + }, + { + "join_output": { + "type": "boolean", + "default": false, + "required": true + } + }, + { + "ascii_output": { + "type": "boolean", + "default": false, + "required": true + } + }, + { + "sort_keys": { + "type": "boolean", + "default": false, + "required": true + } + } + ], + "default": [ + + ], + "required": false + } + }, + { + "request_if_media_type": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "application/json" + ], + "required": false + } + }, + { + "response_jq_program": { + "type": "string", + "required": false + } + }, + { + "response_jq_program_options": { + "type": "record", + "fields": [ + { + "compact_output": { + "type": "boolean", + "default": true, + "required": true + } + }, + { + "raw_output": { + "type": "boolean", + "default": false, + "required": true + } + }, + { + "join_output": { + "type": "boolean", + "default": false, + "required": true + } + }, + { + "ascii_output": { + "type": "boolean", + "default": false, + "required": true + } + }, + { + "sort_keys": { + "type": "boolean", + "default": false, + "required": 
true + } + } + ], + "default": [ + + ], + "required": false + } + }, + { + "response_if_media_type": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "application/json" + ], + "required": false + } + }, + { + "response_if_status_code": { + "type": "array", + "elements": { + "type": "integer", + "between": [ + 100, + 599 + ] + }, + "default": [ + 200 + ], + "required": false + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "request_jq_program", + "response_jq_program" + ] + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/jwe-decrypt/3.7.x.json b/schemas/jwe-decrypt/3.7.x.json new file mode 100644 index 00000000..8c21fa55 --- /dev/null +++ b/schemas/jwe-decrypt/3.7.x.json 
@@ -0,0 +1,86 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "lookup_header_name": { + "type": "string", + "description": "The name of the header to look for the JWE token.", + "default": "Authorization", + "required": true + } + }, + { + "forward_header_name": { + "type": "string", + "description": "The name of the header that is used to set the decrypted value.", + "default": "Authorization", + "required": true + } + }, + { + "key_sets": { + "type": "array", + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", + "elements": { + "type": "string" + }, + "required": true + } + }, + { + "strict": { + "type": "boolean", + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", + "default": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/jwt-signer/3.7.x.json b/schemas/jwt-signer/3.7.x.json new file mode 100644 index 00000000..a1613bee --- /dev/null +++ b/schemas/jwt-signer/3.7.x.json 
@@ -0,0 +1,726 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "realm": { + "type": "string", + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", + "required": false + } + }, + { + "enable_hs_signatures": { + "type": "boolean", + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting.", + "default": false, + "required": false + } + }, + { + "enable_instrumentation": { + "type": "boolean", + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", + "default": false, + "required": false + } + }, + { + "access_token_issuer": { + "type": "string", + "description": "The `iss` claim of a signed or re-signed access token is set to this value. 
Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", + "default": "kong", + "required": false + } + }, + { + "access_token_keyset": { + "type": "string", + "description": "The name of the keyset containing signing keys.", + "default": "kong", + "required": false + } + }, + { + "access_token_jwks_uri": { + "type": "string", + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", + "required": false + } + }, + { + "access_token_request_header": { + "type": "string", + "description": "This parameter tells the name of the header where to look for the access token.", + "default": "Authorization", + "required": false + } + }, + { + "access_token_leeway": { + "type": "number", + "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", + "default": 0, + "required": false + } + }, + { + "access_token_scopes_required": { + "type": "array", + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "access_token_scopes_claim": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "scope" + ], + "required": false, + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`." 
+ } + }, + { + "access_token_consumer_claim": { + "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "access_token_consumer_by": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "default": [ + "username", + "custom_id" + ], + "required": false, + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`." + } + }, + { + "access_token_upstream_header": { + "type": "string", + "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. 
If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", + "default": "Authorization:Bearer", + "required": false + } + }, + { + "access_token_upstream_leeway": { + "type": "number", + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", + "default": 0, + "required": false + } + }, + { + "access_token_introspection_endpoint": { + "type": "string", + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", + "required": false + } + }, + { + "access_token_introspection_authorization": { + "type": "string", + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", + "required": false + } + }, + { + "access_token_introspection_body_args": { + "type": "string", + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", + "required": false + } + }, + { + "access_token_introspection_hint": { + "type": "string", + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", + "default": "access_token", + "required": false + } + }, + { + "access_token_introspection_jwt_claim": { + "type": "array", + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. 
Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "access_token_introspection_scopes_required": { + "type": "array", + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "access_token_introspection_scopes_claim": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "scope" + ], + "required": true, + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`." 
+ } + }, + { + "access_token_introspection_consumer_claim": { + "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "access_token_introspection_consumer_by": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "default": [ + "username", + "custom_id" + ], + "required": false, + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values." + } + }, + { + "access_token_introspection_leeway": { + "type": "number", + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", + "default": 0, + "required": false + } + }, + { + "access_token_introspection_timeout": { + "type": "number", + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. 
If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", + "required": false + } + }, + { + "access_token_signing_algorithm": { + "type": "string", + "default": "RS256", + "required": true, + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + } + }, + { + "access_token_optional": { + "type": "boolean", + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. 
If the token is provided, then this parameter has no effect", + "default": false, + "required": false + } + }, + { + "verify_access_token_signature": { + "type": "boolean", + "description": "Quickly turn access token signature verification off and on as needed.", + "default": true, + "required": false + } + }, + { + "verify_access_token_expiry": { + "type": "boolean", + "description": "Quickly turn access token expiry verification off and on as needed.", + "default": true, + "required": false + } + }, + { + "verify_access_token_scopes": { + "type": "boolean", + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", + "default": true, + "required": false + } + }, + { + "verify_access_token_introspection_expiry": { + "type": "boolean", + "description": "Quickly turn access token introspection expiry verification off and on as needed.", + "default": true, + "required": false + } + }, + { + "verify_access_token_introspection_scopes": { + "type": "boolean", + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", + "default": true, + "required": false + } + }, + { + "cache_access_token_introspection": { + "type": "boolean", + "description": "Whether to cache access token introspection results.", + "default": true, + "required": false + } + }, + { + "trust_access_token_introspection": { + "type": "boolean", + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. 
If you set this to `true`, the expiry or scopes are not checked on a payload.", + "default": true, + "required": false + } + }, + { + "enable_access_token_introspection": { + "type": "boolean", + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", + "default": true, + "required": false + } + }, + { + "channel_token_issuer": { + "type": "string", + "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", + "default": "kong", + "required": false + } + }, + { + "channel_token_keyset": { + "type": "string", + "description": "The name of the keyset containing signing keys.", + "default": "kong", + "required": false + } + }, + { + "channel_token_jwks_uri": { + "type": "string", + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", + "required": false + } + }, + { + "channel_token_request_header": { + "type": "string", + "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", + "required": false + } + }, + { + "channel_token_leeway": { + "type": "number", + "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. 
You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", + "default": 0, + "required": false + } + }, + { + "channel_token_scopes_required": { + "type": "array", + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "channel_token_scopes_claim": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "scope" + ], + "required": false, + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims." + } + }, + { + "channel_token_consumer_claim": { + "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "channel_token_consumer_by": { + "type": "array", + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. 
The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", + "default": [ + "username", + "custom_id" + ], + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + } + } + }, + { + "channel_token_upstream_header": { + "type": "string", + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", + "required": false + } + }, + { + "channel_token_upstream_leeway": { + "type": "number", + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", + "default": 0, + "required": false + } + }, + { + "channel_token_introspection_endpoint": { + "type": "string", + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", + "required": false + } + }, + { + "channel_token_introspection_authorization": { + "type": "string", + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "channel_token_introspection_body_args": { + "type": "string", + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. 
For example: `resource=` or `a=1&b=&c`.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "channel_token_introspection_hint": { + "type": "string", + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "channel_token_introspection_jwt_claim": { + "type": "array", + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "channel_token_introspection_scopes_required": { + "type": "array", + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "channel_token_introspection_scopes_claim": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "scope" + ], + "required": false, + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims." 
+ } + }, + { + "channel_token_introspection_consumer_claim": { + "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "channel_token_introspection_consumer_by": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "default": [ + "username", + "custom_id" + ], + "required": false, + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`." + } + }, + { + "channel_token_introspection_leeway": { + "type": "number", + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", + "default": 0, + "required": false + } + }, + { + "channel_token_introspection_timeout": { + "type": "number", + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. 
If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", + "required": false + } + }, + { + "channel_token_signing_algorithm": { + "type": "string", + "default": "RS256", + "required": true, + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + } + }, + { + "channel_token_optional": { + "type": "boolean", + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. 
If the channel token is provided, then this parameter has no effect", + "default": false, + "required": false + } + }, + { + "verify_channel_token_signature": { + "type": "boolean", + "description": "Quickly turn on/off the channel token signature verification.", + "default": true, + "required": false + } + }, + { + "verify_channel_token_expiry": { + "type": "boolean", + "default": true, + "required": false + } + }, + { + "verify_channel_token_scopes": { + "type": "boolean", + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", + "default": true, + "required": false + } + }, + { + "verify_channel_token_introspection_expiry": { + "type": "boolean", + "description": "Quickly turn on/off the channel token introspection expiry verification.", + "default": true, + "required": false + } + }, + { + "verify_channel_token_introspection_scopes": { + "type": "boolean", + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", + "default": true, + "required": false + } + }, + { + "cache_channel_token_introspection": { + "type": "boolean", + "description": "Whether to cache channel token introspection results.", + "default": true, + "required": false + } + }, + { + "trust_channel_token_introspection": { + "type": "boolean", + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. 
With true (default), payload's expiry or scopes aren't checked.", + "default": true, + "required": false + } + }, + { + "enable_channel_token_introspection": { + "type": "boolean", + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", + "default": true, + "required": false + } + }, + { + "add_claims": { + "type": "map", + "keys": { + "type": "string" + }, + "default": [ + + ], + "required": false, + "description": "Add customized claims if they are not present yet.", + "values": { + "type": "string" + } + } + }, + { + "set_claims": { + "type": "map", + "keys": { + "type": "string" + }, + "default": [ + + ], + "required": false, + "description": "Set customized claims. If a claim is already present, it will be overwritten.", + "values": { + "type": "string" + } + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/jwt/3.7.x.json b/schemas/jwt/3.7.x.json new file mode 100644 index 00000000..e2a32536 --- /dev/null +++ b/schemas/jwt/3.7.x.json 
@@ -0,0 +1,153 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "uri_param_names": { + "type": "set", + "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", + "default": [ + "jwt" + ], + "elements": { + "type": "string" + } + } + }, + { + "cookie_names": { + "type": "set", + "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", + "default": [ + + ], + "elements": { + "type": "string" + } + } + }, + { + "key_claim_name": { + "type": "string", + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", + "default": "iss" + } + }, + { + "secret_is_base64": { + "type": "boolean", + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", + "default": false, + "required": true + } + }, + { + "claims_to_verify": { + "type": "set", + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. 
Accepted values: one of exp or nbf.", + "elements": { + "type": "string", + "one_of": [ + "exp", + "nbf" + ] + } + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + } + }, + { + "run_on_preflight": { + "type": "boolean", + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", + "default": true, + "required": true + } + }, + { + "maximum_expiration": { + "type": "number", + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", + "default": 0, + "between": [ + 0, + 31536000 + ] + } + }, + { + "header_names": { + "type": "set", + "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", + "default": [ + "authorization" + ], + "elements": { + "type": "string" + } + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "config.claims_to_verify", + "if_field": "config.maximum_expiration", + "then_match": { + "contains": "exp" + }, + "if_match": { + "gt": 0 + } + } + } + ] +} \ No newline at end of file diff --git a/schemas/kafka-log/3.7.x.json b/schemas/kafka-log/3.7.x.json new file mode 100644 index 00000000..b3fd9c9a --- /dev/null +++ b/schemas/kafka-log/3.7.x.json 
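Review bot: `config.uri_param_names` defaults to `["jwt"]`, so tokens are accepted from the query string out of the box, and the description does not mention that such URLs are recorded in access logs, proxy logs and `Referer` headers. I would add a caveat to that description, for example `Tokens passed in the query string are recorded wherever URLs are logged; prefer header_names where clients allow it.` In the same section `claims_to_verify` has no `default`, so as far as this schema shows neither `exp` nor `nbf` is checked unless an operator lists them, and the `entity_checks` rule only forces `exp` once `maximum_expiration` is greater than 0; the description should say so explicitly. Since the file is pulled from the API, the wording fix probably belongs in the upstream schema rather than in this copy.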
@@ -0,0 +1,280 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "bootstrap_servers": { + "type": "set", + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com.", + "required": true + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "between": [ + 0, + 65535 + ] + } + } + ] + } + } + }, + { + "topic": { + "type": "string", + "description": "The Kafka topic to publish to.", + "required": true + } + }, + { + "timeout": { + "type": "integer", + "description": "Socket timeout in milliseconds.", + "default": 10000 + } + }, + { + "keepalive": { + "default": 60000, + "type": "integer" + } + }, + { + "keepalive_enabled": { + "default": false, + "type": "boolean" + } + }, + { + "authentication": { + "type": "record", + "fields": [ + { + "strategy": { + "type": "string", + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "one_of": [ + "sasl" + ], + "required": false + } + }, + { + "mechanism": { + "type": "string", + "description": "The SASL authentication mechanism. 
Supported options: `PLAIN` or `SCRAM-SHA-256`.", + "one_of": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "required": false + } + }, + { + "tokenauth": { + "type": "boolean", + "description": "Enable this to indicate `DelegationToken` authentication", + "required": false + } + }, + { + "user": { + "referenceable": true, + "required": false, + "encrypted": true, + "type": "string", + "description": "Username for SASL authentication." + } + }, + { + "password": { + "referenceable": true, + "required": false, + "encrypted": true, + "type": "string", + "description": "Password for SASL authentication." + } + } + ], + "required": true + } + }, + { + "security": { + "type": "record", + "fields": [ + { + "certificate_id": { + "type": "string", + "description": "UUID of certificate entity for mTLS authentication.", + "uuid": true, + "required": false + } + }, + { + "ssl": { + "type": "boolean", + "description": "Enables TLS.", + "required": false + } + } + ], + "required": true + } + }, + { + "cluster_name": { + "type": "string", + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "auto": true, + "required": false + } + }, + { + "producer_request_acks": { + "type": "integer", + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "default": 1, + "one_of": [ + -1, + 0, + 1 + ] + } + }, + { + "producer_request_timeout": { + "type": "integer", + "description": "Time to wait for a Produce response in milliseconds", + "default": 2000 + } + }, + { + "producer_request_limits_messages_per_request": { + "type": "integer", + "description": "Maximum number of messages to include into a single Produce request.", + "default": 200 + } + }, + { + "producer_request_limits_bytes_per_request": { + "type": "integer", + "description": "Maximum size of a Produce request in bytes.", + "default": 1048576 + } + }, + { + "producer_request_retries_max_attempts": { + "type": "integer", + "description": "Maximum number of retry attempts per single Produce request.", + "default": 10 + } + }, + { + "producer_request_retries_backoff_timeout": { + "type": "integer", + "description": "Backoff interval between retry attempts in milliseconds.", + "default": 100 + } + }, + { + "producer_async": { + "type": "boolean", + "description": "Flag to enable asynchronous mode.", + "default": true + } + }, + { + "producer_async_flush_timeout": { + "type": "integer", + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "default": 1000 + } + }, + { + "producer_async_buffering_limits_messages_in_memory": { + "type": "integer", + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "default": 50000 + } + }, + { + "custom_fields_by_lua": { + "type": "map", + "keys": { + "type": "string", + "len_min": 1 + }, + "description": "Lua code as a key-value map", + "values": { + "type": "string", + "len_min": 1 + } + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "authentication" + ] + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file 
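Review bot: The `mechanism` description lists only `PLAIN` or `SCRAM-SHA-256`, while its `one_of` also allows `SCRAM-SHA-512`; the kafka-upstream schema later in this patch already names all three, and this text should match it. Neither schema gives `security.ssl` a default or visibly ties it to `authentication.mechanism`, so nothing shown here prevents a configuration that sends `PLAIN` credentials over an unencrypted broker connection (the `custom_entity_check` on `authentication` may cover it, but its logic is not part of the schema). The `ssl` description could say `Enables TLS. Required in practice when mechanism is PLAIN, which otherwise sends the password unprotected.`, here and in kafka-upstream. `keepalive` and `keepalive_enabled` have no description in this file.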
diff --git a/schemas/kafka-upstream/3.7.x.json b/schemas/kafka-upstream/3.7.x.json
new file mode 100644
index 00000000..5d20e86b
--- /dev/null
+++ b/schemas/kafka-upstream/3.7.x.json
@@ -0,0 +1,302 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "bootstrap_servers": { + "type": "set", + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com.", + "required": true + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "between": [ + 0, + 65535 + ] + } + } + ] + } + } + }, + { + "topic": { + "type": "string", + "description": "The Kafka topic to publish to.", + "required": true + } + }, + { + "timeout": { + "type": "integer", + "description": "Socket timeout in milliseconds.", + "default": 10000 + } + }, + { + "keepalive": { + "type": "integer", + "description": "Keepalive timeout in milliseconds.", + "default": 60000 + } + }, + { + "keepalive_enabled": { + "type": "boolean", + "default": false + } + }, + { + "authentication": { + "type": "record", + "fields": [ + { + "strategy": { + "type": "string", + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "one_of": [ + "sasl" + ], + "required": false + } + }, + { + "mechanism": { + "type": "string", + "description": "The SASL authentication mechanism. 
Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", + "one_of": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "required": false + } + }, + { + "tokenauth": { + "type": "boolean", + "description": "Enable this to indicate `DelegationToken` authentication.", + "required": false + } + }, + { + "user": { + "referenceable": true, + "required": false, + "description": "Username for SASL authentication.", + "encrypted": true, + "type": "string" + } + }, + { + "password": { + "referenceable": true, + "required": false, + "description": "Password for SASL authentication.", + "encrypted": true, + "type": "string" + } + } + ], + "required": true + } + }, + { + "security": { + "type": "record", + "fields": [ + { + "certificate_id": { + "type": "string", + "description": "UUID of certificate entity for mTLS authentication.", + "uuid": true, + "required": false + } + }, + { + "ssl": { + "type": "boolean", + "description": "Enables TLS.", + "required": false + } + } + ], + "required": true + } + }, + { + "forward_method": { + "type": "boolean", + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "default": false + } + }, + { + "forward_uri": { + "type": "boolean", + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "default": false + } + }, + { + "forward_headers": { + "type": "boolean", + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "default": false + } + }, + { + "forward_body": { + "type": "boolean", + "description": "Include the request body in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "default": true + } + }, + { + "cluster_name": { + "type": "string", + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "auto": true, + "required": false + } + }, + { + "producer_request_acks": { + "type": "integer", + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "default": 1, + "one_of": [ + -1, + 0, + 1 + ] + } + }, + { + "producer_request_timeout": { + "type": "integer", + "description": "Time to wait for a Produce response in milliseconds.", + "default": 2000 + } + }, + { + "producer_request_limits_messages_per_request": { + "type": "integer", + "description": "Maximum number of messages to include into a single producer request.", + "default": 200 + } + }, + { + "producer_request_limits_bytes_per_request": { + "type": "integer", + "description": "Maximum size of a Produce request in bytes.", + "default": 1048576 + } + }, + { + "producer_request_retries_max_attempts": { + "type": "integer", + "description": "Maximum number of retry attempts per single Produce request.", + "default": 10 + } + }, + { + "producer_request_retries_backoff_timeout": { + "type": "integer", + "description": "Backoff interval between retry attempts in milliseconds.", + "default": 100 + } + }, + { + "producer_async": { + "type": "boolean", + "description": "Flag to enable asynchronous mode.", + "default": true + } + }, + { 
+ "producer_async_flush_timeout": { + "type": "integer", + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "default": 1000 + } + }, + { + "producer_async_buffering_limits_messages_in_memory": { + "type": "integer", + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "default": 50000 + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "forward_method", + "forward_uri", + "forward_headers", + "forward_body" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "authentication" + ] + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/key-auth-enc/3.7.x.json b/schemas/key-auth-enc/3.7.x.json new file mode 100644 index 00000000..128137a3 --- /dev/null +++ b/schemas/key-auth-enc/3.7.x.json 
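Review bot: `forward_headers` is described only as including the request headers in the message, with no mention that this copies credential-bearing headers such as `Authorization` or `Cookie` into the Kafka topic, where every consumer of the topic can read them for as long as the topic retains them. The schema shows no redaction or allow-list option, so the description should carry the warning, for example `Forwarded headers include any credentials the client sent; restrict topic access accordingly.` The same caveat applies to `forward_uri` when keys or tokens travel in query arguments. `keepalive_enabled` has no description here.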
@@ -0,0 +1,111 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "key_names": { + "type": "array", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "default": [ + "apikey" + ], + "required": true, + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." + } + }, + { + "hide_credentials": { + "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", + "default": false + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "key_in_header": { + "type": "boolean", + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "default": true + } + }, + { + "key_in_query": { + "type": "boolean", + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "default": true + } + }, + { + "key_in_body": { + "type": "boolean", + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "default": false + } + }, + { + "run_on_preflight": { + "type": "boolean", + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "default": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/key-auth/3.7.x.json b/schemas/key-auth/3.7.x.json new file mode 100644 index 00000000..053f2f7d --- /dev/null +++ b/schemas/key-auth/3.7.x.json 
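Review bot: With the defaults shown, `key_in_query` is `true` and `hide_credentials` is `false`, so an API key sent as a query parameter is accepted and then passed on to the upstream service, and neither description mentions that keys in URLs are captured by access logs and intermediaries. I would add a caveat to `key_in_query`, such as `Keys sent in the query string appear in access logs; prefer headers and consider enabling hide_credentials.`, here and in the key-auth schema that follows. Both `key_in_body` descriptions name the MIME type `application/www-form-urlencoded`, whereas the registered type is `application/x-www-form-urlencoded`. The `key_names` element description also calls each entry an HTTP header name although the parent description says the key is read from a header, request body, or query string parameter.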
@@ -0,0 +1,116 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "key_names": { + "type": "array", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "default": [ + "apikey" + ], + "required": true, + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." + } + }, + { + "hide_credentials": { + "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", + "default": false, + "required": true + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`." 
+ } + }, + { + "key_in_header": { + "type": "boolean", + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "default": true, + "required": true + } + }, + { + "key_in_query": { + "type": "boolean", + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "default": true, + "required": true + } + }, + { + "key_in_body": { + "type": "boolean", + "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "default": false, + "required": true + } + }, + { + "run_on_preflight": { + "type": "boolean", + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "default": true, + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/konnect-application-auth/3.7.x.json b/schemas/konnect-application-auth/3.7.x.json new file mode 100644 index 00000000..d076c137 --- /dev/null +++ b/schemas/konnect-application-auth/3.7.x.json 
@@ -0,0 +1,2584 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "key_names": { + "type": "array", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "default": [ + "apikey" + ], + "required": true, + "description": "The names of the headers containing the API key. You can specify multiple header names." + } + }, + { + "auth_type": { + "type": "string", + "default": "openid-connect", + "required": true, + "description": "The type of authentication to be performed. 
Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", + "one_of": [ + "openid-connect", + "key-auth", + "v2-strategies" + ] + } + }, + { + "scope": { + "type": "string", + "description": "The unique scope identifier for the plugin configuration.", + "unique": true, + "required": true + } + }, + { + "v2_strategies": { + "type": "record", + "default": [ + + ], + "required": false, + "description": "The map of v2 strategies.", + "fields": [ + { + "key_auth": { + "type": "array", + "description": "List of key_auth strategies.", + "elements": { + "type": "record", + "fields": [ + { + "strategy_id": { + "type": "string", + "description": "The strategy id the config is tied to.", + "required": true + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "key_names": { + "type": "array", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "default": [ + "apikey" + ], + "required": true, + "description": "The names of the headers containing the API key. You can specify multiple header names." + } + } + ], + "required": true + } + } + ] + }, + "required": false + } + }, + { + "openid_connect": { + "type": "array", + "description": "List of openid_connect strategies.", + "elements": { + "type": "record", + "fields": [ + { + "strategy_id": { + "type": "string", + "description": "The strategy id the config is tied to.", + "required": true + } + }, + { + "config": { + "type": "record", + "description": "openid-connect plugin configuration.", + "fields": [ + { + "issuer": { + "type": "string", + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "required": true + } + }, + { + "using_pseudo_issuer": { + "type": "boolean", + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "default": false, + "required": false + } + }, + { + "discovery_headers_names": { + "type": "array", + "description": "Extra header names passed to the discovery endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "discovery_headers_values": { + "type": "array", + "description": "Extra header values passed to the discovery endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "extra_jwks_uris": { + "type": "set", + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "required": false + } + }, + { + "rediscovery_lifetime": { + "type": "number", + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", + "default": 30, + "required": false + } + }, + { + "auth_methods": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ], + "required": false, + "description": "Types of credentials/grants to enable." 
+ } + }, + { + "client_id": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "required": false, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "encrypted": true + } + }, + { + "client_secret": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "required": false, + "description": "The client secret.", + "encrypted": true + } + }, + { + "client_auth": { + "type": "array", + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "elements": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + }, + "required": false + } + }, + { + "client_jwk": { + "type": "array", + "description": "The JWK used for the private_key_jwt authentication.", + "elements": { + "type": "record", + "fields": [ + { + "issuer": { + "type": "string", + "required": false + } + }, + { + "kty": { + "type": "string", + "required": false + } + }, + { + "use": { + "type": "string", + "required": false + } + }, + { + "key_ops": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "required": false + } + }, + { + "alg": { + "type": "string", + "required": false + } + }, + { + "kid": { + "type": "string", + "required": false + } + }, + { + "x5u": { + "type": "string", + "required": false + } + }, + { + "x5c": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "required": false + } + }, + 
{ + "x5t": { + "type": "string", + "required": false + } + }, + { + "x5t#S256": { + "type": "string", + "required": false + } + }, + { + "k": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "x": { + "type": "string", + "required": false + } + }, + { + "y": { + "type": "string", + "required": false + } + }, + { + "crv": { + "type": "string", + "required": false + } + }, + { + "n": { + "type": "string", + "required": false + } + }, + { + "e": { + "type": "string", + "required": false + } + }, + { + "d": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "p": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "q": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "dp": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "dq": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "qi": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "oth": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "r": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "t": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + } + ], + "required": false + }, + "required": false + } + }, + { + "client_alg": { + "type": "array", + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "elements": { + "type": "string", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS384", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + }, + "required": false + } + }, + { + "client_arg": { + "type": 
"string", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "default": "client_id", + "required": false + } + }, + { + "redirect_uri": { + "type": "array", + "description": "The redirect URI passed to the authorization and token endpoints.", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "required": false + } + }, + { + "login_redirect_uri": { + "type": "array", + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "elements": { + "referenceable": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "required": false + } + }, + { + "logout_redirect_uri": { + "type": "array", + "description": "Where to redirect the client after the logout.", + "elements": { + "referenceable": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "required": false + } + }, + { + "forbidden_redirect_uri": { + "type": "array", + "description": "Where to redirect the client on forbidden requests.", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ }, + "required": false + } + }, + { + "forbidden_error_message": { + "type": "string", + "description": "The error message for the forbidden requests (when not using the redirection).", + "default": "Forbidden", + "required": false + } + }, + { + "forbidden_destroy_session": { + "type": "boolean", + "description": "Destroy any active session for the forbidden requests.", + "default": true, + "required": false + } + }, + { + "unauthorized_destroy_session": { + "type": "boolean", + "description": "Destroy any active session for the unauthorized requests.", + "default": true, + "required": false + } + }, + { + "unauthorized_redirect_uri": { + "type": "array", + "description": "Where to redirect the client on unauthorized requests.", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "required": false + } + }, + { + "unauthorized_error_message": { + "type": "string", + "description": "The error message for the unauthorized requests (when not using the redirection).", + "default": "Unauthorized", + "required": false + } + }, + { + "unexpected_redirect_uri": { + "type": "array", + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ }, + "required": false + } + }, + { + "response_mode": { + "type": "string", + "default": "query", + "required": false, + "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it).", + "one_of": [ + "query", + "form_post", + "fragment" + ] + } + }, + { + "response_type": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "code" + ], + "required": false, + "description": "The response type passed to the authorization endpoint." + } + }, + { + "scopes": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + "openid" + ], + "required": false, + "description": "The scopes passed to the authorization and token endpoints." + } + }, + { + "audience": { + "type": "array", + "description": "The audience passed to the authorization endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "issuers_allowed": { + "type": "array", + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "scopes_required": { + "type": "array", + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "scopes_claim": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "scope" + ], + "required": false, + "description": "The claim that contains the scopes. 
If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "audience_required": { + "type": "array", + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "audience_claim": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "aud" + ], + "required": false, + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "groups_required": { + "type": "array", + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "groups_claim": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "groups" + ], + "required": false, + "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "roles_required": { + "type": "array", + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "roles_claim": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "roles" + ], + "required": false, + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload." 
+ } + }, + { + "domains": { + "type": "array", + "description": "The allowed values for the `hd` claim.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "max_age": { + "type": "number", + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "required": false + } + }, + { + "authenticated_groups_claim": { + "type": "array", + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "pushed_authorization_request_endpoint": { + "type": "string", + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "required": false + } + }, + { + "pushed_authorization_request_endpoint_auth_method": { + "type": "string", + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ], + "required": false + } + }, + { + "require_pushed_authorization_requests": { + "type": "boolean", + "description": "Forcibly enable or disable the pushed authorization requests. 
When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "required": false + } + }, + { + "require_proof_key_for_code_exchange": { + "type": "boolean", + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "required": false + } + }, + { + "authorization_endpoint": { + "type": "string", + "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "required": false + } + }, + { + "authorization_query_args_names": { + "type": "array", + "description": "Extra query argument names passed to the authorization endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "authorization_query_args_values": { + "type": "array", + "description": "Extra query argument values passed to the authorization endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "authorization_query_args_client": { + "type": "array", + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "authorization_rolling_timeout": { + "type": "number", + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling.", + "default": 600, + "required": false + } + }, + { + "authorization_cookie_name": { + "type": "string", + "description": "The authorization cookie name.", + "default": "authorization", + "required": false + } + }, + { + "authorization_cookie_path": { + "type": "string", + "default": "/", + "required": false, + "description": "The authorization cookie Path flag.", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "starts_with": "/" + } + }, + { + "authorization_cookie_domain": { + "type": "string", + "description": "The authorization cookie Domain flag.", + "required": false + } + }, + { + "authorization_cookie_same_site": { + "type": "string", + "default": "Default", + "required": false, + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "authorization_cookie_http_only": { + "type": "boolean", + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true, + "required": false + } + }, + { + "authorization_cookie_secure": { + "type": "boolean", + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "required": false + } + }, + { + "preserve_query_args": { + "type": "boolean", + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "default": false, + "required": false + } + }, + { + "token_endpoint": { + "type": "string", + "description": "The token endpoint. 
If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "required": false + } + }, + { + "token_endpoint_auth_method": { + "type": "string", + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ], + "required": false + } + }, + { + "token_headers_names": { + "type": "array", + "description": "Extra header names passed to the token endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "token_headers_values": { + "type": "array", + "description": "Extra header values passed to the token endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "token_headers_client": { + "type": "array", + "description": "Extra headers passed from the client to the token endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "token_headers_replay": { + "type": "array", + "description": "The names of token endpoint response headers to forward to the downstream client.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "token_headers_prefix": { + "type": "string", + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "required": false + } + }, + { + "token_headers_grants": { + "type": "array", + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "elements": { + "type": "string", + 
"one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token" + ] + }, + "required": false + } + }, + { + "token_post_args_names": { + "type": "array", + "description": "Extra post argument names passed to the token endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "token_post_args_values": { + "type": "array", + "description": "Extra post argument values passed to the token endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "token_post_args_client": { + "type": "array", + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Reqest Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "introspection_endpoint": { + "type": "string", + "description": "The introspection endpoint. 
If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", + "required": false + } + }, + { + "introspection_endpoint_auth_method": { + "type": "string", + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ], + "required": false + } + }, + { + "introspection_hint": { + "type": "string", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "default": "access_token", + "required": false + } + }, + { + "introspection_check_active": { + "type": "boolean", + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "default": true, + "required": false + } + }, + { + "introspection_accept": { + "type": "string", + "default": "application/json", + "required": false, + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "one_of": [ + "application/json", + "application/token-introspection+jwt", + "application/jwt" + ] + } + }, + { + "introspection_headers_names": { + "type": "array", + "description": "Extra header names passed to the introspection endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "introspection_headers_values": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "required": false, + "description": "Extra header values passed to the 
introspection endpoint.", + "encrypted": true + } + }, + { + "introspection_headers_client": { + "type": "array", + "description": "Extra headers passed from the client to the introspection endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "introspection_post_args_names": { + "type": "array", + "description": "Extra post argument names passed to the introspection endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "introspection_post_args_values": { + "type": "array", + "description": "Extra post argument values passed to the introspection endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "introspection_post_args_client": { + "type": "array", + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "introspect_jwt_tokens": { + "type": "boolean", + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "default": false, + "required": false + } + }, + { + "revocation_endpoint": { + "type": "string", + "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", + "required": false + } + }, + { + "revocation_endpoint_auth_method": { + "type": "string", + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ], + "required": false + } + }, + { + "end_session_endpoint": { + "type": "string", + "description": "The end session endpoint. 
If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", + "required": false + } + }, + { + "userinfo_endpoint": { + "type": "string", + "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", + "required": false + } + }, + { + "userinfo_accept": { + "type": "string", + "default": "application/json", + "required": false, + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "one_of": [ + "application/json", + "application/jwt" + ] + } + }, + { + "userinfo_headers_names": { + "type": "array", + "description": "Extra header names passed to the user info endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "userinfo_headers_values": { + "type": "array", + "description": "Extra header values passed to the user info endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "userinfo_headers_client": { + "type": "array", + "description": "Extra headers passed from the client to the user info endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "userinfo_query_args_names": { + "type": "array", + "description": "Extra query argument names passed to the user info endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "userinfo_query_args_values": { + "type": "array", + "description": "Extra query argument values passed to the user info endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "userinfo_query_args_client": { + "type": "array", + "description": "Extra query arguments passed from the client to the user info endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "token_exchange_endpoint": { + "type": "string", 
+ "description": "The token exchange endpoint.", + "required": false + } + }, + { + "session_secret": { + "type": "string", + "required": false, + "description": "The session secret.", + "referenceable": true, + "encrypted": true + } + }, + { + "session_audience": { + "type": "string", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "default": "default", + "required": false + } + }, + { + "session_cookie_name": { + "type": "string", + "description": "The session cookie name.", + "default": "session", + "required": false + } + }, + { + "session_remember": { + "type": "boolean", + "description": "Enables or disables persistent sessions.", + "default": false, + "required": false + } + }, + { + "session_remember_cookie_name": { + "type": "string", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "default": "remember", + "required": false + } + }, + { + "session_remember_rolling_timeout": { + "type": "number", + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "default": 604800, + "required": false + } + }, + { + "session_remember_absolute_timeout": { + "type": "number", + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "default": 2592000, + "required": false + } + }, + { + "session_idling_timeout": { + "type": "number", + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "default": 900, + "required": false + } + }, + { + "session_rolling_timeout": { + "type": "number", + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling.", + "default": 3600, + "required": false + } + }, + { + "session_absolute_timeout": { + "type": "number", + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "default": 86400, + "required": false + } + }, + { + "session_cookie_path": { + "type": "string", + "default": "/", + "required": false, + "description": "The session cookie Path flag.", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "starts_with": "/" + } + }, + { + "session_cookie_domain": { + "type": "string", + "description": "The session cookie Domain flag.", + "required": false + } + }, + { + "session_cookie_same_site": { + "type": "string", + "default": "Lax", + "required": false, + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "session_cookie_http_only": { + "type": "boolean", + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true, + "required": false + } + }, + { + "session_cookie_secure": { + "type": "boolean", + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "required": false + } + }, + { + "session_request_headers": { + "type": "set", + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. 
`[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "required": false + } + }, + { + "session_response_headers": { + "type": "set", + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "required": false + } + }, + { + "session_storage": { + "type": "string", + "default": "cookie", + "required": false, + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "one_of": [ + "cookie", + "memcache", + "memcached", + "redis" + ] + } + }, + { + "session_store_metadata": { + "type": "boolean", + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "default": false, + "required": false + } + }, + { + "session_enforce_same_subject": { + "type": "boolean", + "description": "When set to `true`, audiences are forced to share the same subject.", + "default": false, + "required": false + } + }, + { + "session_hash_subject": { + "type": "boolean", + "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", + "default": false, + "required": false + } + }, + { + "session_hash_storage_key": { + "type": "boolean", + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "default": false, + "required": false + } + }, + { + "session_memcached_prefix": { + "type": "string", + "description": "The memcached session key prefix.", + "required": false + } + }, + { + "session_memcached_socket": { + "type": "string", + "description": "The memcached unix socket path.", + "required": false + } + }, + { + "session_memcached_host": { + "type": "string", + "description": "The memcached host.", + "default": "127.0.0.1", + "required": false + } + }, + { + "session_memcached_port": { + "type": "integer", + "default": 11211, + "required": false, + "description": "The memcached port.", + "between": [ + 0, + 65535 + ] + } + }, + { + "session_redis_prefix": { + "type": "string", + "description": "The Redis session key prefix.", + "required": false + } + }, + { + "session_redis_socket": { + "type": "string", + "description": "The Redis unix socket path.", + "required": false + } + }, + { + "session_redis_host": { + "type": "string", + "description": "The Redis host.", + "default": "127.0.0.1", + "required": false + } + }, + { + "session_redis_port": { + "type": "integer", + "default": 6379, + "required": false, + "description": "The Redis port.", + "between": [ + 0, + 65535 + ] + } + }, + { + "session_redis_username": { + "referenceable": true, + "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "required": false + } + }, + { + "session_redis_password": { + "type": "string", + "required": false, + "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "encrypted": true + } + }, + { + "session_redis_connect_timeout": { + "type": "integer", + "description": "Session redis connection timeout in milliseconds.", + "required": false + } + }, + { + "session_redis_read_timeout": { + "type": "integer", + "description": "Session redis read timeout in milliseconds.", + "required": false + } + }, + { + "session_redis_send_timeout": { + "type": "integer", + "description": "Session redis send timeout in milliseconds.", + "required": false + } + }, + { + "session_redis_ssl": { + "type": "boolean", + "description": "Use SSL/TLS for Redis connection.", + "default": false, + "required": false + } + }, + { + "session_redis_ssl_verify": { + "type": "boolean", + "description": "Verify identity provider server certificate.", + "default": false, + "required": false + } + }, + { + "session_redis_server_name": { + "type": "string", + "description": "The SNI used for connecting the Redis server.", + "required": false + } + }, + { + "session_redis_cluster_nodes": { + "type": "array", + "description": "The Redis cluster node host. 
Takes an array of host records, with either `ip` or `host`, and `port` values.", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "type": "string", + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "default": 6379, + "between": [ + 0, + 65535 + ] + } + } + ] + }, + "required": false + } + }, + { + "session_redis_cluster_max_redirections": { + "type": "integer", + "description": "The Redis cluster maximum redirects.", + "required": false + } + }, + { + "reverify": { + "type": "boolean", + "description": "Specifies whether to always verify tokens stored in the session.", + "default": false, + "required": false + } + }, + { + "jwt_session_claim": { + "type": "string", + "description": "The claim to match against the JWT session cookie.", + "default": "sid", + "required": false + } + }, + { + "jwt_session_cookie": { + "type": "string", + "description": "The name of the JWT session cookie.", + "required": false + } + }, + { + "bearer_token_param_type": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "cookie", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "required": false, + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`." 
+ } + }, + { + "bearer_token_cookie_name": { + "type": "string", + "description": "The name of the cookie in which the bearer token is passed.", + "required": false + } + }, + { + "client_credentials_param_type": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "required": false, + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body." + } + }, + { + "password_param_type": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "required": false, + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + } + }, + { + "id_token_param_type": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "required": false, + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + } + }, + { + "id_token_param_name": { + "type": "string", + "description": "The name of the parameter used to pass the id token.", + "required": false + } + }, + { + "refresh_token_param_type": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "required": false, + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." 
+ } + }, + { + "refresh_token_param_name": { + "type": "string", + "description": "The name of the parameter used to pass the refresh token.", + "required": false + } + }, + { + "refresh_tokens": { + "type": "boolean", + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "default": true, + "required": false + } + }, + { + "upstream_headers_claims": { + "type": "array", + "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "upstream_headers_names": { + "type": "array", + "description": "The upstream header names for the claim values.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "upstream_access_token_header": { + "type": "string", + "description": "The upstream access token header.", + "default": "authorization:bearer", + "required": false + } + }, + { + "upstream_access_token_jwk_header": { + "type": "string", + "description": "The upstream access token JWK header.", + "required": false + } + }, + { + "upstream_id_token_header": { + "type": "string", + "description": "The upstream id token header.", + "required": false + } + }, + { + "upstream_id_token_jwk_header": { + "type": "string", + "description": "The upstream id token JWK header.", + "required": false + } + }, + { + "upstream_refresh_token_header": { + "type": "string", + "description": "The upstream refresh token header.", + "required": false + } + }, + { + "upstream_user_info_header": { + "type": "string", + "description": "The upstream user info header.", + "required": false + } + }, + { + "upstream_user_info_jwt_header": { + "type": "string", + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "required": false + } + }, + { + "upstream_introspection_header": { 
+ "type": "string", + "description": "The upstream introspection header.", + "required": false + } + }, + { + "upstream_introspection_jwt_header": { + "type": "string", + "description": "The upstream introspection JWT header.", + "required": false + } + }, + { + "upstream_session_id_header": { + "type": "string", + "description": "The upstream session id header.", + "required": false + } + }, + { + "downstream_headers_claims": { + "type": "array", + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "downstream_headers_names": { + "type": "array", + "description": "The downstream header names for the claim values.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "downstream_access_token_header": { + "type": "string", + "description": "The downstream access token header.", + "required": false + } + }, + { + "downstream_access_token_jwk_header": { + "type": "string", + "description": "The downstream access token JWK header.", + "required": false + } + }, + { + "downstream_id_token_header": { + "type": "string", + "description": "The downstream id token header.", + "required": false + } + }, + { + "downstream_id_token_jwk_header": { + "type": "string", + "description": "The downstream id token JWK header.", + "required": false + } + }, + { + "downstream_refresh_token_header": { + "type": "string", + "description": "The downstream refresh token header.", + "required": false + } + }, + { + "downstream_user_info_header": { + "type": "string", + "description": "The downstream user info header.", + "required": false + } + }, + { + "downstream_user_info_jwt_header": { + "type": "string", + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "required": false + } + }, + { + "downstream_introspection_header": { + "type": "string", + 
"description": "The downstream introspection header.", + "required": false + } + }, + { + "downstream_introspection_jwt_header": { + "type": "string", + "description": "The downstream introspection JWT header.", + "required": false + } + }, + { + "downstream_session_id_header": { + "type": "string", + "description": "The downstream session id header.", + "required": false + } + }, + { + "login_methods": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "default": [ + "authorization_code" + ], + "required": false, + "description": "Enable login functionality with specified grants." + } + }, + { + "login_action": { + "type": "string", + "default": "upstream", + "required": false, + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "one_of": [ + "upstream", + "response", + "redirect" + ] + } + }, + { + "login_tokens": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id_token", + "access_token", + "refresh_token", + "tokens", + "introspection" + ] + }, + "default": [ + "id_token" + ], + "required": false, + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response." 
+ } + }, + { + "login_redirect_mode": { + "type": "string", + "default": "fragment", + "required": false, + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "one_of": [ + "query", + "fragment" + ] + } + }, + { + "logout_query_arg": { + "type": "string", + "description": "The request query argument that activates the logout.", + "required": false + } + }, + { + "logout_post_arg": { + "type": "string", + "description": "The request body argument that activates the logout.", + "required": false + } + }, + { + "logout_uri_suffix": { + "type": "string", + "description": "The request URI suffix that activates the logout.", + "required": false + } + }, + { + "logout_methods": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "POST", + "GET", + "DELETE" + ] + }, + "default": [ + "POST", + "DELETE" + ], + "required": false, + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method." + } + }, + { + "logout_revoke": { + "type": "boolean", + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "default": false, + "required": false + } + }, + { + "logout_revoke_access_token": { + "type": "boolean", + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "default": true, + "required": false + } + }, + { + "logout_revoke_refresh_token": { + "type": "boolean", + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "default": true, + "required": false + } + }, + { + "consumer_claim": { + "type": "array", + "description": "The claim used for consumer mapping. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "consumer_by": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "default": [ + "username", + "custom_id" + ], + "required": false, + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`." + } + }, + { + "consumer_optional": { + "type": "boolean", + "description": "Do not terminate the request if consumer mapping fails.", + "default": false, + "required": false + } + }, + { + "credential_claim": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "sub" + ], + "required": false, + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "required": false + } + }, + { + "run_on_preflight": { + "type": "boolean", + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "default": true, + "required": false + } + }, + { + "leeway": { + "type": "number", + "description": "Allow some leeway (in seconds) on the iat claim and ttl / expiry verification.", + "default": 0, + "required": false + } + }, + { + "verify_parameters": { + "type": "boolean", + "description": "Verify plugin configuration against discovery.", + "default": false, + "required": false + } + }, + { + "verify_nonce": { + "type": "boolean", + "description": "Verify nonce on authorization code flow.", + "default": true, + "required": false + } + }, + { + "verify_claims": { + "type": "boolean", + "description": "Verify tokens for standard claims.", + "default": true, + "required": false + } + }, + { + "verify_signature": { + "type": "boolean", + "description": "Verify signature of tokens.", + "default": true, + "required": false + } + }, + { + "ignore_signature": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token", + "session", + "introspection", + "userinfo" + ] + }, + "default": [ + + ], + "required": false, + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication." 
+ } + }, + { + "enable_hs_signatures": { + "type": "boolean", + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "default": false, + "required": false + } + }, + { + "disable_session": { + "type": "array", + "description": "Disable issuing the session cookie with the specified grants.", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "required": false + } + }, + { + "cache_ttl": { + "type": "number", + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "default": 3600, + "required": false + } + }, + { + "cache_ttl_max": { + "type": "number", + "description": "The maximum cache ttl in seconds (enforced).", + "required": false + } + }, + { + "cache_ttl_min": { + "type": "number", + "description": "The minimum cache ttl in seconds (enforced).", + "required": false + } + }, + { + "cache_ttl_neg": { + "type": "number", + "description": "The negative cache ttl in seconds.", + "required": false + } + }, + { + "cache_ttl_resurrect": { + "type": "number", + "description": "The resurrection ttl in seconds.", + "required": false + } + }, + { + "cache_tokens": { + "type": "boolean", + "description": "Cache the token endpoint requests.", + "default": true, + "required": false + } + }, + { + "cache_tokens_salt": { + "type": "string", + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "auto": true, + "required": false + } + }, + { + "cache_introspection": { + "type": "boolean", + "description": "Cache the introspection endpoint requests.", + "default": true, + "required": false + } + }, + { + "cache_token_exchange": { + "type": "boolean", + "description": "Cache the token exchange endpoint requests.", + "default": 
true, + "required": false + } + }, + { + "cache_user_info": { + "type": "boolean", + "description": "Cache the user info requests.", + "default": true, + "required": false + } + }, + { + "search_user_info": { + "type": "boolean", + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "default": false, + "required": false + } + }, + { + "hide_credentials": { + "type": "boolean", + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "default": false, + "required": false + } + }, + { + "http_version": { + "type": "number", + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "default": 1.1, + "required": false + } + }, + { + "http_proxy": { + "type": "string", + "description": "The HTTP proxy.", + "required": false + } + }, + { + "http_proxy_authorization": { + "type": "string", + "description": "The HTTP proxy authorization.", + "required": false + } + }, + { + "https_proxy": { + "type": "string", + "description": "The HTTPS proxy.", + "required": false + } + }, + { + "https_proxy_authorization": { + "type": "string", + "description": "The HTTPS proxy authorization.", + "required": false + } + }, + { + "no_proxy": { + "type": "string", + "description": "Do not use proxy with these hosts.", + "required": false + } + }, + { + "keepalive": { + "type": "boolean", + "description": "Use keepalive with the HTTP client.", + "default": true, + "required": false + } + }, + { + "ssl_verify": { + "type": "boolean", + "description": "Verify identity provider server certificate.", + "default": false, + "required": false + } + }, + { + "timeout": { + "type": "number", + "description": "Network IO timeout in 
milliseconds.", + "default": 10000, + "required": false + } + }, + { + "display_errors": { + "type": "boolean", + "description": "Display errors on failure responses.", + "default": false, + "required": false + } + }, + { + "by_username_ignore_case": { + "type": "boolean", + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "default": false, + "required": false + } + }, + { + "resolve_distributed_claims": { + "type": "boolean", + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "default": false, + "required": false + } + }, + { + "expose_error_code": { + "type": "boolean", + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "default": true + } + }, + { + "token_cache_key_include_scope": { + "type": "boolean", + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "default": false + } + }, + { + "introspection_token_param_name": { + "type": "string", + "description": "Designate token's parameter name for introspection.", + "default": "token", + "required": false + } + }, + { + "revocation_token_param_name": { + "type": "string", + "description": "Designate token's parameter name for revocation.", + "default": "token", + "required": false + } + }, + { + "proof_of_possession_mtls": { + "type": "string", + "default": "off", + "required": false, + "description": "Enable mtls proof of possession. 
If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", + "one_of": [ + "off", + "strict", + "optional" + ] + } + }, + { + "proof_of_possession_auth_methods_validation": { + "type": "boolean", + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "default": true, + "required": false + } + }, + { + "tls_client_auth_cert_id": { + "type": "string", + "auto": false, + "required": false, + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "uuid": true + } + }, + { + "tls_client_auth_ssl_verify": { + "type": "boolean", + "description": "Verify identity provider server certificate during mTLS client authentication.", + "default": true, + "required": false + } + }, + { + "mtls_token_endpoint": { + "type": "string", + "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false + } + }, + { + "mtls_introspection_endpoint": { + "type": "string", + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false + } + }, + { + "mtls_revocation_endpoint": { + "type": "string", + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false + } + } + ] + } + } + ] + }, + "required": false + } + } + ] + } + } + ], + "entity_checks": [ + + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/ldap-auth-advanced/3.7.x.json b/schemas/ldap-auth-advanced/3.7.x.json new file mode 100644 index 00000000..990f1461 --- /dev/null +++ b/schemas/ldap-auth-advanced/3.7.x.json 
@@ -0,0 +1,236 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "ldap_host": { + "type": "string", + "description": "Host on which the LDAP server is running.", + "required": true + } + }, + { + "ldap_password": { + "referenceable": true, + "encrypted": true, + "description": "The password to the LDAP server.", + "type": "string" + } + }, + { + "ldap_port": { + "type": "number", + "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", + "default": 389 + } + }, + { + "bind_dn": { + "referenceable": true, + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", + "type": "string" + } + }, + { + "ldaps": { + "type": "boolean", + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. 
If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "default": false, + "required": true + } + }, + { + "start_tls": { + "type": "boolean", + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "default": false, + "required": true + } + }, + { + "verify_ldap_host": { + "type": "boolean", + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "default": false, + "required": true + } + }, + { + "base_dn": { + "type": "string", + "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", + "required": true + } + }, + { + "attribute": { + "type": "string", + "description": "Attribute to be used to search the user; e.g., \"cn\".", + "required": true + } + }, + { + "cache_ttl": { + "type": "number", + "description": "Cache expiry time in seconds.", + "default": 60, + "required": true + } + }, + { + "hide_credentials": { + "type": "boolean", + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "default": false + } + }, + { + "timeout": { + "type": "number", + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "default": 10000 + } + }, + { + "keepalive": { + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "default": 60000 + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. 
If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "default": "", + "len_min": 0 + } + }, + { + "header_type": { + "type": "string", + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", + "default": "ldap" + } + }, + { + "consumer_optional": { + "type": "boolean", + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", + "default": false, + "required": false + } + }, + { + "consumer_by": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "username", + "custom_id" + ] + }, + "default": [ + "username", + "custom_id" + ], + "required": false, + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both." + } + }, + { + "group_base_dn": { + "type": "string", + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'." + } + }, + { + "group_name_attribute": { + "type": "string", + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive." + } + }, + { + "group_member_attribute": { + "type": "string", + "description": "Sets the attribute holding the members of the LDAP group. 
This field is case-sensitive.", + "default": "memberOf" + } + }, + { + "log_search_results": { + "type": "boolean", + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", + "default": false, + "required": false + } + }, + { + "groups_required": { + "type": "array", + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", + "elements": { + "type": "string" + }, + "required": false + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/ldap-auth/3.7.x.json b/schemas/ldap-auth/3.7.x.json new file mode 100644 index 00000000..05d6c307 --- /dev/null +++ b/schemas/ldap-auth/3.7.x.json 
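Review bot: In the `config` record of schemas/ldap-auth-advanced/3.7.x.json, `ldaps`, `start_tls` and `verify_ldap_host` all default to `false` and `ldap_port` defaults to 389, but no description says what those defaults mean together: as far as the schema shows, a default configuration talks to the LDAP server without TLS and without checking its certificate. I would end the `verify_ldap_host` description with `Defaults to false, in which case the LDAP server certificate is not verified.` and add to `ldaps` and `start_tls` a sentence such as `With both ldaps and start_tls disabled, the bind password and user credentials are sent to the LDAP server unencrypted.` Two descriptions in the same record also look damaged: `ldaps` refers to "the ldap setting" where `ldaps` seems to be meant, and `group_base_dn` ends in a stray `',dc=com'.` fragment. The schemas/ldap-auth/3.7.x.json hunk that follows carries the same three defaults and the same `ldaps` wording, and it continues past the visible lines. Because the commit message says these files are pulled from the API, the wording would have to be corrected in the schema source and the files downloaded again.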
@@ -0,0 +1,171 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "ldap_host": { + "type": "string", + "description": "A string representing a host name, such as example.com.", + "required": true + } + }, + { + "ldap_port": { + "type": "integer", + "default": 389, + "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "ldaps": { + "type": "boolean", + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "default": false, + "required": true + } + }, + { + "start_tls": { + "type": "boolean", + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "default": false, + "required": true + } + }, + { + "verify_ldap_host": { + "type": "boolean", + "description": "Set to `true` to authenticate LDAP server. 
The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "default": false, + "required": true + } + }, + { + "base_dn": { + "type": "string", + "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", + "required": true + } + }, + { + "attribute": { + "type": "string", + "description": "Attribute to be used to search the user; e.g. cn", + "required": true + } + }, + { + "cache_ttl": { + "type": "number", + "description": "Cache expiry time in seconds.", + "default": 60, + "required": true + } + }, + { + "hide_credentials": { + "type": "boolean", + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "default": false, + "required": true + } + }, + { + "timeout": { + "type": "number", + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "default": 10000 + } + }, + { + "keepalive": { + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "default": 60000 + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`." 
+ } + }, + { + "header_type": { + "type": "string", + "description": "An optional string to use as part of the Authorization header", + "default": "ldap" + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_match": { + "eq": false + }, + "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", + "if_match": { + "eq": true + }, + "if_field": "ldaps", + "then_field": "start_tls" + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/loggly/3.7.x.json b/schemas/loggly/3.7.x.json new file mode 100644 index 00000000..05ce4992 --- /dev/null +++ b/schemas/loggly/3.7.x.json 
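Review bot: The `ldaps` description in `schemas/ldap-auth/3.7.x.json` ends with "If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled", but the schema defines no `ldap` field. The sentence should name `ldaps`, which is the field the `entity_checks` rule pairs with `start_tls`. Separately, `ldaps`, `start_tls` and `verify_ldap_host` all default to `false`, so a configuration that sets only the required fields connects to port 389 with no TLS and no server-certificate check, and no description says so. I would extend the `verify_ldap_host` text with something like `Only meaningful when ldaps or start_tls is enabled; with all three left at false the connection to the LDAP server is unencrypted and unauthenticated.` (wording to be confirmed against the plugin). As the file is pulled from the API, the correction belongs in the schema source.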
@@ -0,0 +1,173 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com.", + "default": "logs-01.loggly.com" + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "default": 514, + "between": [ + 0, + 65535 + ] + } + }, + { + "key": { + "referenceable": true, + "encrypted": true, + "type": "string", + "required": true + } + }, + { + "tags": { + "type": "set", + "elements": { + "type": "string" + }, + "default": [ + "kong" + ] + } + }, + { + "log_level": { + "type": "string", + "default": "info", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "successful_severity": { + "type": "string", + "default": "info", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "client_errors_severity": { + "type": "string", + "default": "info", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "server_errors_severity": { + "type": "string", + "default": "info", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + 
} + }, + { + "timeout": { + "default": 10000, + "type": "number" + } + }, + { + "custom_fields_by_lua": { + "type": "map", + "keys": { + "type": "string", + "len_min": 1 + }, + "description": "Lua code as a key-value map", + "values": { + "type": "string", + "len_min": 1 + } + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/mocking/3.7.x.json b/schemas/mocking/3.7.x.json new file mode 100644 index 00000000..9cb0314f --- /dev/null +++ b/schemas/mocking/3.7.x.json 
@@ -0,0 +1,117 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "api_specification_filename": { + "type": "string", + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", + "required": false + } + }, + { + "api_specification": { + "type": "string", + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", + "required": false + } + }, + { + "random_delay": { + "type": "boolean", + "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs.", + "default": false + } + }, + { + "max_delay_time": { + "type": "number", + "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", + "default": 1 + } + }, + { + "min_delay_time": { + "type": "number", + "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. 
The value must be less than the `max_delay_time`.", + "default": 0.001 + } + }, + { + "random_examples": { + "type": "boolean", + "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", + "default": false + } + }, + { + "included_status_codes": { + "type": "array", + "description": "A global list of the HTTP status codes that can only be selected and returned.", + "elements": { + "type": "integer" + } + } + }, + { + "random_status_code": { + "type": "boolean", + "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", + "default": false, + "required": true + } + }, + { + "include_base_path": { + "type": "boolean", + "description": "Indicates whether to include the base path when performing path match evaluation.", + "default": false, + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.api_specification_filename", + "config.api_specification" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/mtls-auth/3.7.x.json b/schemas/mtls-auth/3.7.x.json new file mode 100644 index 00000000..facc5bc4 --- /dev/null +++ b/schemas/mtls-auth/3.7.x.json 
@@ -0,0 +1,204 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "consumer_by": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "username", + "custom_id" + ] + }, + "default": [ + "username", + "custom_id" + ], + "required": false, + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled." + } + }, + { + "ca_certificates": { + "type": "array", + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. 
The value of this array is comprised of primary keys (`id`).", + "elements": { + "type": "string", + "uuid": true + }, + "required": true + } + }, + { + "cache_ttl": { + "type": "number", + "description": "Cache expiry time in seconds.", + "default": 60, + "required": true + } + }, + { + "skip_consumer_lookup": { + "type": "boolean", + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "default": false, + "required": true + } + }, + { + "allow_partial_chain": { + "type": "boolean", + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "default": false, + "required": true + } + }, + { + "authenticated_group_by": { + "type": "string", + "default": "CN", + "required": false, + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "one_of": [ + "CN", + "DN" + ] + } + }, + { + "revocation_check_mode": { + "type": "string", + "default": "IGNORE_CA_ERROR", + "required": false, + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. 
If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "one_of": [ + "SKIP", + "IGNORE_CA_ERROR", + "STRICT" + ] + } + }, + { + "http_timeout": { + "type": "number", + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "default": 30000 + } + }, + { + "cert_cache_ttl": { + "type": "number", + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", + "default": 60000 + } + }, + { + "send_ca_dn": { + "type": "boolean", + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", + "default": false + } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "http_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "https_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/oas-validation/3.7.x.json b/schemas/oas-validation/3.7.x.json new file mode 100644 index 00000000..68e07344 --- /dev/null +++ b/schemas/oas-validation/3.7.x.json 
@@ -0,0 +1,148 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "api_spec": { + "type": "string", + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URL encoded to preserve the YAML format.", + "required": true + } + }, + { + "verbose_response": { + "type": "boolean", + "description": "If set to true, returns a detailed error message for invalid requests & responses. 
This is useful while testing.", + "default": false, + "required": false + } + }, + { + "validate_request_body": { + "type": "boolean", + "description": "If set to true, validates the request body content against the API specification.", + "default": true, + "required": false + } + }, + { + "notify_only_request_validation_failure": { + "type": "boolean", + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", + "default": false, + "required": false + } + }, + { + "validate_request_header_params": { + "type": "boolean", + "description": "If set to true, validates HTTP header parameters against the API specification.", + "default": true, + "required": false + } + }, + { + "validate_request_query_params": { + "type": "boolean", + "description": "If set to true, validates query parameters against the API specification.", + "default": true, + "required": false + } + }, + { + "validate_request_uri_params": { + "type": "boolean", + "description": "If set to true, validates URI parameters in the request against the API specification.", + "default": true, + "required": false + } + }, + { + "validate_response_body": { + "type": "boolean", + "description": "If set to true, validates the response from the upstream services against the API specification. 
If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", + "default": false, + "required": false + } + }, + { + "notify_only_response_body_validation_failure": { + "type": "boolean", + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", + "default": false, + "required": false + } + }, + { + "query_parameter_check": { + "type": "boolean", + "description": "If set to true, checks if query parameters in the request exist in the API specification.", + "default": false, + "required": true + } + }, + { + "header_parameter_check": { + "type": "boolean", + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", + "default": false, + "required": true + } + }, + { + "allowed_header_parameters": { + "type": "string", + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", + "default": "Host,Content-Type,User-Agent,Accept,Content-Length", + "required": false + } + }, + { + "include_base_path": { + "type": "boolean", + "description": "Indicates whether to include the base path when performing path match evaluation.", + "default": false, + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/oauth2-introspection/3.7.x.json b/schemas/oauth2-introspection/3.7.x.json new file mode 100644 index 00000000..f9803ef7 --- /dev/null +++ b/schemas/oauth2-introspection/3.7.x.json 
@@ -0,0 +1,167 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "introspection_url": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": true + } + }, + { + "ttl": { + "type": "number", + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", + "default": 30 + } + }, + { + "token_type_hint": { + "type": "string", + "description": "The `token_type_hint` value to associate to introspection requests." + } + }, + { + "authorization_value": { + "type": "string", + "required": true, + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. 
This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", + "referenceable": true, + "encrypted": true + } + }, + { + "timeout": { + "type": "integer", + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "default": 10000 + } + }, + { + "keepalive": { + "type": "integer", + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "default": 60000 + } + }, + { + "introspect_request": { + "type": "boolean", + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", + "default": false, + "required": true + } + }, + { + "hide_credentials": { + "type": "boolean", + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request.", + "default": false + } + }, + { + "run_on_preflight": { + "type": "boolean", + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "default": true + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "default": "", + "len_min": 0 + } + }, + { + "consumer_by": { + "type": "string", + "default": "username", + "required": true, + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", + "one_of": [ + "username", + "client_id" + ] + } + }, + { + "custom_introspection_headers": { + "type": "map", + "keys": { + "type": "string" + }, + "default": [ + + ], + "required": true, + "description": "A list of custom headers to be added in the introspection request.", + "values": { + "type": "string" + } + } + }, + { + "custom_claims_forward": { + "type": "set", + "elements": { + "type": "string" + }, + "default": [ + + ], + "required": true, + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`." + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/oauth2/3.7.x.json b/schemas/oauth2/3.7.x.json new file mode 100644 index 00000000..5e5ebc09 --- /dev/null +++ b/schemas/oauth2/3.7.x.json 
@@ -0,0 +1,214 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "entity_checks": [ + { + "conditional": { + "then_field": "scopes", + "if_field": "mandatory_scope", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + } + } + } + ], + "fields": [ + { + "scopes": { + "type": "array", + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", + "elements": { + "type": "string" + } + } + }, + { + "mandatory_scope": { + "type": "boolean", + "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", + "default": false, + "required": true + } + }, + { + "provision_key": { + "type": "string", + "auto": true, + "required": true, + "unique": true, + "description": "The unique key the plugin has generated when it has been added to the Service.", + "encrypted": true + } + }, + { + "token_expiration": { + "type": "number", + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. 
Set to `0` to disable the expiration.", + "default": 7200, + "required": true + } + }, + { + "enable_authorization_code": { + "type": "boolean", + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", + "default": false, + "required": true + } + }, + { + "enable_implicit_grant": { + "type": "boolean", + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", + "default": false, + "required": true + } + }, + { + "enable_client_credentials": { + "type": "boolean", + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", + "default": false, + "required": true + } + }, + { + "enable_password_grant": { + "type": "boolean", + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", + "default": false, + "required": true + } + }, + { + "hide_credentials": { + "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "default": false, + "required": true + } + }, + { + "accept_http_if_already_terminated": { + "type": "boolean", + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", + "default": false, + "required": true + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." 
+ } + }, + { + "global_credentials": { + "type": "boolean", + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", + "default": false, + "required": true + } + }, + { + "auth_header_name": { + "type": "string", + "description": "The name of the header that is supposed to carry the access token.", + "default": "authorization" + } + }, + { + "refresh_token_ttl": { + "type": "number", + "default": 1209600, + "required": true, + "description": "Time-to-live value for data", + "between": [ + 0, + 100000000 + ] + } + }, + { + "reuse_refresh_token": { + "type": "boolean", + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", + "default": false, + "required": true + } + }, + { + "persistent_refresh_token": { + "type": "boolean", + "default": false, + "required": true + } + }, + { + "pkce": { + "type": "string", + "default": "lax", + "required": false, + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", + "one_of": [ + "none", + "lax", + "strict" + ] + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/opa/3.7.x.json b/schemas/opa/3.7.x.json new file mode 100644 index 00000000..3fee8653 --- /dev/null +++ b/schemas/opa/3.7.x.json 
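Review bot: The four grant descriptions in `schemas/oauth2/3.7.x.json` (`enable_authorization_code`, `enable_implicit_grant`, `enable_client_credentials`, `enable_password_grant`) cite `RFC 6742 Section 4.1` through `4.4`, but the OAuth 2.0 framework is RFC 6749, whose sections 4.1–4.4 define exactly these grants. Each reference should read e.g. `(RFC 6749 Section 4.1)`. `persistent_refresh_token` is the only field in `config` without a `description`, and `refresh_token_ttl` carries only the generic "Time-to-live value for data" without a unit. The `accept_http_if_already_terminated` text says "Accepts HTTPs requests" where, going by the field name, plain-HTTP requests behind a TLS-terminating proxy seem to be meant. That description should state what the plugin trusts to decide this, since it governs whether tokens are accepted over an unencrypted hop.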
@@ -0,0 +1,147 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "opa_protocol": { + "type": "string", + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", + "default": "http", + "one_of": [ + "http", + "https" + ] + } + }, + { + "opa_host": { + "type": "string", + "description": "A string representing a host name, such as example.com.", + "default": "localhost", + "required": true + } + }, + { + "opa_port": { + "type": "integer", + "default": 8181, + "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "opa_path": { + "type": "string", + "required": true, + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/" + } + }, + { + "include_service_in_opa_input": { + "type": "boolean", + "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", + "default": false + } + }, + { + "include_route_in_opa_input": { + "type": "boolean", + "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", + "default": false + } + }, + { + "include_consumer_in_opa_input": { + "type": "boolean", + "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", + "default": false + } + }, + { + "include_body_in_opa_input": { + "default": false, + "type": "boolean" + } + }, + { + "include_parsed_json_body_in_opa_input": { + "type": "boolean", + "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", + "default": false + } + }, + { + "include_uri_captures_in_opa_input": { + "type": "boolean", + "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", + "default": false + } + }, + { + "ssl_verify": { + "type": "boolean", + "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "default": true, + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/openid-connect/3.7.x.json b/schemas/openid-connect/3.7.x.json new file mode 100644 index 00000000..ffbfcea7 --- /dev/null +++ b/schemas/openid-connect/3.7.x.json 
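Review bot: `include_body_in_opa_input` in `schemas/opa/3.7.x.json` has no `description`, unlike every other `include_*_in_opa_input` field, although it decides whether request body content is handed to the policy server. I would add `"description": "If set to true, the raw request body is included as input to OPA."` (wording to be confirmed against the plugin). Note also that `opa_protocol` defaults to `http` while `ssl_verify` defaults to `true`, so certificate verification presumably has no effect until the protocol is switched to `https`. The `ssl_verify` description could say `Only applies when opa_protocol is https.`, so that operators do not read the default as meaning the OPA connection is protected.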
@@ -0,0 +1,2548 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "issuer": { + "type": "string", + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "required": true + } + }, + { + "using_pseudo_issuer": { + "type": "boolean", + "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "default": false, + "required": false + } + }, + { + "discovery_headers_names": { + "type": "array", + "description": "Extra header names passed to the discovery endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "discovery_headers_values": { + "type": "array", + "description": "Extra header values passed to the discovery endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "extra_jwks_uris": { + "type": "set", + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ }, + "required": false + } + }, + { + "rediscovery_lifetime": { + "type": "number", + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", + "default": 30, + "required": false + } + }, + { + "auth_methods": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ], + "required": false, + "description": "Types of credentials/grants to enable." + } + }, + { + "client_id": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "required": false, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "encrypted": true + } + }, + { + "client_secret": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "required": false, + "description": "The client secret.", + "encrypted": true + } + }, + { + "client_auth": { + "type": "array", + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "elements": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + }, + "required": false + } + }, + { + 
"client_jwk": { + "type": "array", + "description": "The JWK used for the private_key_jwt authentication.", + "elements": { + "type": "record", + "fields": [ + { + "issuer": { + "type": "string", + "required": false + } + }, + { + "kty": { + "type": "string", + "required": false + } + }, + { + "use": { + "type": "string", + "required": false + } + }, + { + "key_ops": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "required": false + } + }, + { + "alg": { + "type": "string", + "required": false + } + }, + { + "kid": { + "type": "string", + "required": false + } + }, + { + "x5u": { + "type": "string", + "required": false + } + }, + { + "x5c": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "required": false + } + }, + { + "x5t": { + "type": "string", + "required": false + } + }, + { + "x5t#S256": { + "type": "string", + "required": false + } + }, + { + "k": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "x": { + "type": "string", + "required": false + } + }, + { + "y": { + "type": "string", + "required": false + } + }, + { + "crv": { + "type": "string", + "required": false + } + }, + { + "n": { + "type": "string", + "required": false + } + }, + { + "e": { + "type": "string", + "required": false + } + }, + { + "d": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "p": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "q": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "dp": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "dq": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "qi": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + 
}, + { + "oth": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "r": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + }, + { + "t": { + "type": "string", + "encrypted": true, + "referenceable": true, + "required": false + } + } + ], + "required": false + }, + "required": false + } + }, + { + "client_alg": { + "type": "array", + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "elements": { + "type": "string", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS384", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + }, + "required": false + } + }, + { + "client_arg": { + "type": "string", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "default": "client_id", + "required": false + } + }, + { + "redirect_uri": { + "type": "array", + "description": "The redirect URI passed to the authorization and token endpoints.", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ }, + "required": false + } + }, + { + "login_redirect_uri": { + "type": "array", + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "elements": { + "referenceable": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "required": false + } + }, + { + "logout_redirect_uri": { + "type": "array", + "description": "Where to redirect the client after the logout.", + "elements": { + "referenceable": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "required": false + } + }, + { + "forbidden_redirect_uri": { + "type": "array", + "description": "Where to redirect the client on forbidden requests.", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "required": false + } + }, + { + "forbidden_error_message": { + "type": "string", + "description": "The error message for the forbidden requests (when not using the redirection).", + "default": "Forbidden", + "required": false + } + }, + { + "forbidden_destroy_session": { + "type": "boolean", + "description": "Destroy any active session for the forbidden requests.", + "default": true, + "required": false + } + }, + { + "unauthorized_destroy_session": { + "type": "boolean", + "description": "Destroy any active session for the unauthorized requests.", + "default": true, + "required": false + } + }, + { + "unauthorized_redirect_uri": { + "type": "array", + "description": "Where to redirect the client on unauthorized requests.", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ }, + "required": false + } + }, + { + "unauthorized_error_message": { + "type": "string", + "description": "The error message for the unauthorized requests (when not using the redirection).", + "default": "Unauthorized", + "required": false + } + }, + { + "unexpected_redirect_uri": { + "type": "array", + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "required": false + } + }, + { + "response_mode": { + "type": "string", + "default": "query", + "required": false, + "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it).", + "one_of": [ + "query", + "form_post", + "fragment" + ] + } + }, + { + "response_type": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "code" + ], + "required": false, + "description": "The response type passed to the authorization endpoint." + } + }, + { + "scopes": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + "openid" + ], + "required": false, + "description": "The scopes passed to the authorization and token endpoints." 
+ } + }, + { + "audience": { + "type": "array", + "description": "The audience passed to the authorization endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "issuers_allowed": { + "type": "array", + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "scopes_required": { + "type": "array", + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "scopes_claim": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "scope" + ], + "required": false, + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "audience_required": { + "type": "array", + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "audience_claim": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "aud" + ], + "required": false, + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "groups_required": { + "type": "array", + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "groups_claim": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "groups" + ], + "required": false, + "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "roles_required": { + "type": "array", + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "roles_claim": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "roles" + ], + "required": false, + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "domains": { + "type": "array", + "description": "The allowed values for the `hd` claim.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "max_age": { + "type": "number", + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "required": false + } + }, + { + "authenticated_groups_claim": { + "type": "array", + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "pushed_authorization_request_endpoint": { + "type": "string", + "description": "The pushed authorization endpoint. 
If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "required": false + } + }, + { + "pushed_authorization_request_endpoint_auth_method": { + "type": "string", + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ], + "required": false + } + }, + { + "require_pushed_authorization_requests": { + "type": "boolean", + "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "required": false + } + }, + { + "require_proof_key_for_code_exchange": { + "type": "boolean", + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "required": false + } + }, + { + "authorization_endpoint": { + "type": "string", + "description": "The authorization endpoint. 
If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "required": false + } + }, + { + "authorization_query_args_names": { + "type": "array", + "description": "Extra query argument names passed to the authorization endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "authorization_query_args_values": { + "type": "array", + "description": "Extra query argument values passed to the authorization endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "authorization_query_args_client": { + "type": "array", + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "authorization_rolling_timeout": { + "type": "number", + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "default": 600, + "required": false + } + }, + { + "authorization_cookie_name": { + "type": "string", + "description": "The authorization cookie name.", + "default": "authorization", + "required": false + } + }, + { + "authorization_cookie_path": { + "type": "string", + "default": "/", + "required": false, + "description": "The authorization cookie Path flag.", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "starts_with": "/" + } + }, + { + "authorization_cookie_domain": { + "type": "string", + "description": "The authorization cookie Domain flag.", + "required": false + } + }, + { + "authorization_cookie_same_site": { + "type": "string", + "default": "Default", + "required": false, + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + 
"authorization_cookie_http_only": { + "type": "boolean", + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true, + "required": false + } + }, + { + "authorization_cookie_secure": { + "type": "boolean", + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "required": false + } + }, + { + "preserve_query_args": { + "type": "boolean", + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "default": false, + "required": false + } + }, + { + "token_endpoint": { + "type": "string", + "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "required": false + } + }, + { + "token_endpoint_auth_method": { + "type": "string", + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ], + "required": false + } + }, + { + "token_headers_names": { + "type": "array", + "description": "Extra header names passed to the token endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "token_headers_values": { + "type": "array", + "description": "Extra header values passed to the token endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "token_headers_client": { + "type": "array", + "description": "Extra headers passed from the client to the token endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + 
"token_headers_replay": { + "type": "array", + "description": "The names of token endpoint response headers to forward to the downstream client.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "token_headers_prefix": { + "type": "string", + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "required": false + } + }, + { + "token_headers_grants": { + "type": "array", + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token" + ] + }, + "required": false + } + }, + { + "token_post_args_names": { + "type": "array", + "description": "Extra post argument names passed to the token endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "token_post_args_values": { + "type": "array", + "description": "Extra post argument values passed to the token endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "token_post_args_client": { + "type": "array", + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Reqest Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "introspection_endpoint": { + "type": "string", + "description": "The introspection endpoint. 
If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", + "required": false + } + }, + { + "introspection_endpoint_auth_method": { + "type": "string", + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ], + "required": false + } + }, + { + "introspection_hint": { + "type": "string", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "default": "access_token", + "required": false + } + }, + { + "introspection_check_active": { + "type": "boolean", + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "default": true, + "required": false + } + }, + { + "introspection_accept": { + "type": "string", + "default": "application/json", + "required": false, + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "one_of": [ + "application/json", + "application/token-introspection+jwt", + "application/jwt" + ] + } + }, + { + "introspection_headers_names": { + "type": "array", + "description": "Extra header names passed to the introspection endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "introspection_headers_values": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "required": false, + "description": "Extra header values passed to the 
introspection endpoint.", + "encrypted": true + } + }, + { + "introspection_headers_client": { + "type": "array", + "description": "Extra headers passed from the client to the introspection endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "introspection_post_args_names": { + "type": "array", + "description": "Extra post argument names passed to the introspection endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "introspection_post_args_values": { + "type": "array", + "description": "Extra post argument values passed to the introspection endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "introspection_post_args_client": { + "type": "array", + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "introspect_jwt_tokens": { + "type": "boolean", + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "default": false, + "required": false + } + }, + { + "revocation_endpoint": { + "type": "string", + "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", + "required": false + } + }, + { + "revocation_endpoint_auth_method": { + "type": "string", + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ], + "required": false + } + }, + { + "end_session_endpoint": { + "type": "string", + "description": "The end session endpoint. 
If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", + "required": false + } + }, + { + "userinfo_endpoint": { + "type": "string", + "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", + "required": false + } + }, + { + "userinfo_accept": { + "type": "string", + "default": "application/json", + "required": false, + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "one_of": [ + "application/json", + "application/jwt" + ] + } + }, + { + "userinfo_headers_names": { + "type": "array", + "description": "Extra header names passed to the user info endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "userinfo_headers_values": { + "type": "array", + "description": "Extra header values passed to the user info endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "userinfo_headers_client": { + "type": "array", + "description": "Extra headers passed from the client to the user info endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "userinfo_query_args_names": { + "type": "array", + "description": "Extra query argument names passed to the user info endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "userinfo_query_args_values": { + "type": "array", + "description": "Extra query argument values passed to the user info endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "userinfo_query_args_client": { + "type": "array", + "description": "Extra query arguments passed from the client to the user info endpoint.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "token_exchange_endpoint": { + "type": "string", 
+ "description": "The token exchange endpoint.", + "required": false + } + }, + { + "session_secret": { + "type": "string", + "required": false, + "description": "The session secret.", + "referenceable": true, + "encrypted": true + } + }, + { + "session_audience": { + "type": "string", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "default": "default", + "required": false + } + }, + { + "session_cookie_name": { + "type": "string", + "description": "The session cookie name.", + "default": "session", + "required": false + } + }, + { + "session_remember": { + "type": "boolean", + "description": "Enables or disables persistent sessions.", + "default": false, + "required": false + } + }, + { + "session_remember_cookie_name": { + "type": "string", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "default": "remember", + "required": false + } + }, + { + "session_remember_rolling_timeout": { + "type": "number", + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "default": 604800, + "required": false + } + }, + { + "session_remember_absolute_timeout": { + "type": "number", + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "default": 2592000, + "required": false + } + }, + { + "session_idling_timeout": { + "type": "number", + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "default": 900, + "required": false + } + }, + { + "session_rolling_timeout": { + "type": "number", + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling.", + "default": 3600, + "required": false + } + }, + { + "session_absolute_timeout": { + "type": "number", + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "default": 86400, + "required": false + } + }, + { + "session_cookie_path": { + "type": "string", + "default": "/", + "required": false, + "description": "The session cookie Path flag.", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "starts_with": "/" + } + }, + { + "session_cookie_domain": { + "type": "string", + "description": "The session cookie Domain flag.", + "required": false + } + }, + { + "session_cookie_same_site": { + "type": "string", + "default": "Lax", + "required": false, + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "session_cookie_http_only": { + "type": "boolean", + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true, + "required": false + } + }, + { + "session_cookie_secure": { + "type": "boolean", + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "required": false + } + }, + { + "session_request_headers": { + "type": "set", + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. 
`[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "required": false + } + }, + { + "session_response_headers": { + "type": "set", + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "required": false + } + }, + { + "session_storage": { + "type": "string", + "default": "cookie", + "required": false, + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "one_of": [ + "cookie", + "memcache", + "memcached", + "redis" + ] + } + }, + { + "session_store_metadata": { + "type": "boolean", + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "default": false, + "required": false + } + }, + { + "session_enforce_same_subject": { + "type": "boolean", + "description": "When set to `true`, audiences are forced to share the same subject.", + "default": false, + "required": false + } + }, + { + "session_hash_subject": { + "type": "boolean", + "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", + "default": false, + "required": false + } + }, + { + "session_hash_storage_key": { + "type": "boolean", + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "default": false, + "required": false + } + }, + { + "session_memcached_prefix": { + "type": "string", + "description": "The memcached session key prefix.", + "required": false + } + }, + { + "session_memcached_socket": { + "type": "string", + "description": "The memcached unix socket path.", + "required": false + } + }, + { + "session_memcached_host": { + "type": "string", + "description": "The memcached host.", + "default": "127.0.0.1", + "required": false + } + }, + { + "session_memcached_port": { + "type": "integer", + "default": 11211, + "required": false, + "description": "The memcached port.", + "between": [ + 0, + 65535 + ] + } + }, + { + "session_redis_prefix": { + "type": "string", + "description": "The Redis session key prefix.", + "required": false + } + }, + { + "session_redis_socket": { + "type": "string", + "description": "The Redis unix socket path.", + "required": false + } + }, + { + "session_redis_host": { + "type": "string", + "description": "The Redis host.", + "default": "127.0.0.1", + "required": false + } + }, + { + "session_redis_port": { + "type": "integer", + "default": 6379, + "required": false, + "description": "The Redis port.", + "between": [ + 0, + 65535 + ] + } + }, + { + "session_redis_username": { + "referenceable": true, + "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "required": false + } + }, + { + "session_redis_password": { + "type": "string", + "required": false, + "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "encrypted": true + } + }, + { + "session_redis_connect_timeout": { + "type": "integer", + "description": "Session redis connection timeout in milliseconds.", + "required": false + } + }, + { + "session_redis_read_timeout": { + "type": "integer", + "description": "Session redis read timeout in milliseconds.", + "required": false + } + }, + { + "session_redis_send_timeout": { + "type": "integer", + "description": "Session redis send timeout in milliseconds.", + "required": false + } + }, + { + "session_redis_ssl": { + "type": "boolean", + "description": "Use SSL/TLS for Redis connection.", + "default": false, + "required": false + } + }, + { + "session_redis_ssl_verify": { + "type": "boolean", + "description": "Verify identity provider server certificate.", + "default": false, + "required": false + } + }, + { + "session_redis_server_name": { + "type": "string", + "description": "The SNI used for connecting the Redis server.", + "required": false + } + }, + { + "session_redis_cluster_nodes": { + "type": "array", + "description": "The Redis cluster node host. 
Takes an array of host records, with either `ip` or `host`, and `port` values.", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "type": "string", + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "default": 6379, + "between": [ + 0, + 65535 + ] + } + } + ] + }, + "required": false + } + }, + { + "session_redis_cluster_max_redirections": { + "type": "integer", + "description": "The Redis cluster maximum redirects.", + "required": false + } + }, + { + "reverify": { + "type": "boolean", + "description": "Specifies whether to always verify tokens stored in the session.", + "default": false, + "required": false + } + }, + { + "jwt_session_claim": { + "type": "string", + "description": "The claim to match against the JWT session cookie.", + "default": "sid", + "required": false + } + }, + { + "jwt_session_cookie": { + "type": "string", + "description": "The name of the JWT session cookie.", + "required": false + } + }, + { + "bearer_token_param_type": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "cookie", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "required": false, + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`." 
+ } + }, + { + "bearer_token_cookie_name": { + "type": "string", + "description": "The name of the cookie in which the bearer token is passed.", + "required": false + } + }, + { + "client_credentials_param_type": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "required": false, + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body." + } + }, + { + "password_param_type": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "required": false, + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + } + }, + { + "id_token_param_type": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "required": false, + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + } + }, + { + "id_token_param_name": { + "type": "string", + "description": "The name of the parameter used to pass the id token.", + "required": false + } + }, + { + "refresh_token_param_type": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "default": [ + "header", + "query", + "body" + ], + "required": false, + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." 
+ } + }, + { + "refresh_token_param_name": { + "type": "string", + "description": "The name of the parameter used to pass the refresh token.", + "required": false + } + }, + { + "refresh_tokens": { + "type": "boolean", + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "default": true, + "required": false + } + }, + { + "upstream_headers_claims": { + "type": "array", + "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "upstream_headers_names": { + "type": "array", + "description": "The upstream header names for the claim values.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "upstream_access_token_header": { + "type": "string", + "description": "The upstream access token header.", + "default": "authorization:bearer", + "required": false + } + }, + { + "upstream_access_token_jwk_header": { + "type": "string", + "description": "The upstream access token JWK header.", + "required": false + } + }, + { + "upstream_id_token_header": { + "type": "string", + "description": "The upstream id token header.", + "required": false + } + }, + { + "upstream_id_token_jwk_header": { + "type": "string", + "description": "The upstream id token JWK header.", + "required": false + } + }, + { + "upstream_refresh_token_header": { + "type": "string", + "description": "The upstream refresh token header.", + "required": false + } + }, + { + "upstream_user_info_header": { + "type": "string", + "description": "The upstream user info header.", + "required": false + } + }, + { + "upstream_user_info_jwt_header": { + "type": "string", + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "required": false + } + }, + { + "upstream_introspection_header": { 
+ "type": "string", + "description": "The upstream introspection header.", + "required": false + } + }, + { + "upstream_introspection_jwt_header": { + "type": "string", + "description": "The upstream introspection JWT header.", + "required": false + } + }, + { + "upstream_session_id_header": { + "type": "string", + "description": "The upstream session id header.", + "required": false + } + }, + { + "downstream_headers_claims": { + "type": "array", + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "downstream_headers_names": { + "type": "array", + "description": "The downstream header names for the claim values.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "downstream_access_token_header": { + "type": "string", + "description": "The downstream access token header.", + "required": false + } + }, + { + "downstream_access_token_jwk_header": { + "type": "string", + "description": "The downstream access token JWK header.", + "required": false + } + }, + { + "downstream_id_token_header": { + "type": "string", + "description": "The downstream id token header.", + "required": false + } + }, + { + "downstream_id_token_jwk_header": { + "type": "string", + "description": "The downstream id token JWK header.", + "required": false + } + }, + { + "downstream_refresh_token_header": { + "type": "string", + "description": "The downstream refresh token header.", + "required": false + } + }, + { + "downstream_user_info_header": { + "type": "string", + "description": "The downstream user info header.", + "required": false + } + }, + { + "downstream_user_info_jwt_header": { + "type": "string", + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "required": false + } + }, + { + "downstream_introspection_header": { + "type": "string", + 
"description": "The downstream introspection header.", + "required": false + } + }, + { + "downstream_introspection_jwt_header": { + "type": "string", + "description": "The downstream introspection JWT header.", + "required": false + } + }, + { + "downstream_session_id_header": { + "type": "string", + "description": "The downstream session id header.", + "required": false + } + }, + { + "login_methods": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "default": [ + "authorization_code" + ], + "required": false, + "description": "Enable login functionality with specified grants." + } + }, + { + "login_action": { + "type": "string", + "default": "upstream", + "required": false, + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "one_of": [ + "upstream", + "response", + "redirect" + ] + } + }, + { + "login_tokens": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id_token", + "access_token", + "refresh_token", + "tokens", + "introspection" + ] + }, + "default": [ + "id_token" + ], + "required": false, + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response." 
+ } + }, + { + "login_redirect_mode": { + "type": "string", + "default": "fragment", + "required": false, + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "one_of": [ + "query", + "fragment" + ] + } + }, + { + "logout_query_arg": { + "type": "string", + "description": "The request query argument that activates the logout.", + "required": false + } + }, + { + "logout_post_arg": { + "type": "string", + "description": "The request body argument that activates the logout.", + "required": false + } + }, + { + "logout_uri_suffix": { + "type": "string", + "description": "The request URI suffix that activates the logout.", + "required": false + } + }, + { + "logout_methods": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "POST", + "GET", + "DELETE" + ] + }, + "default": [ + "POST", + "DELETE" + ], + "required": false, + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method." + } + }, + { + "logout_revoke": { + "type": "boolean", + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "default": false, + "required": false + } + }, + { + "logout_revoke_access_token": { + "type": "boolean", + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "default": true, + "required": false + } + }, + { + "logout_revoke_refresh_token": { + "type": "boolean", + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "default": true, + "required": false + } + }, + { + "consumer_claim": { + "type": "array", + "description": "The claim used for consumer mapping. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + }, + "required": false + } + }, + { + "consumer_by": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "default": [ + "username", + "custom_id" + ], + "required": false, + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`." + } + }, + { + "consumer_optional": { + "type": "boolean", + "description": "Do not terminate the request if consumer mapping fails.", + "default": false, + "required": false + } + }, + { + "credential_claim": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "sub" + ], + "required": false, + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload." + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "required": false + } + }, + { + "run_on_preflight": { + "type": "boolean", + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "default": true, + "required": false + } + }, + { + "leeway": { + "type": "number", + "description": "Allow some leeway (in seconds) on the iat claim and ttl / expiry verification.", + "default": 0, + "required": false + } + }, + { + "verify_parameters": { + "type": "boolean", + "description": "Verify plugin configuration against discovery.", + "default": false, + "required": false + } + }, + { + "verify_nonce": { + "type": "boolean", + "description": "Verify nonce on authorization code flow.", + "default": true, + "required": false + } + }, + { + "verify_claims": { + "type": "boolean", + "description": "Verify tokens for standard claims.", + "default": true, + "required": false + } + }, + { + "verify_signature": { + "type": "boolean", + "description": "Verify signature of tokens.", + "default": true, + "required": false + } + }, + { + "ignore_signature": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token", + "session", + "introspection", + "userinfo" + ] + }, + "default": [ + + ], + "required": false, + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication." 
+ } + }, + { + "enable_hs_signatures": { + "type": "boolean", + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "default": false, + "required": false + } + }, + { + "disable_session": { + "type": "array", + "description": "Disable issuing the session cookie with the specified grants.", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "required": false + } + }, + { + "cache_ttl": { + "type": "number", + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "default": 3600, + "required": false + } + }, + { + "cache_ttl_max": { + "type": "number", + "description": "The maximum cache ttl in seconds (enforced).", + "required": false + } + }, + { + "cache_ttl_min": { + "type": "number", + "description": "The minimum cache ttl in seconds (enforced).", + "required": false + } + }, + { + "cache_ttl_neg": { + "type": "number", + "description": "The negative cache ttl in seconds.", + "required": false + } + }, + { + "cache_ttl_resurrect": { + "type": "number", + "description": "The resurrection ttl in seconds.", + "required": false + } + }, + { + "cache_tokens": { + "type": "boolean", + "description": "Cache the token endpoint requests.", + "default": true, + "required": false + } + }, + { + "cache_tokens_salt": { + "type": "string", + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "auto": true, + "required": false + } + }, + { + "cache_introspection": { + "type": "boolean", + "description": "Cache the introspection endpoint requests.", + "default": true, + "required": false + } + }, + { + "cache_token_exchange": { + "type": "boolean", + "description": "Cache the token exchange endpoint requests.", + "default": 
true, + "required": false + } + }, + { + "cache_user_info": { + "type": "boolean", + "description": "Cache the user info requests.", + "default": true, + "required": false + } + }, + { + "search_user_info": { + "type": "boolean", + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "default": false, + "required": false + } + }, + { + "hide_credentials": { + "type": "boolean", + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "default": false, + "required": false + } + }, + { + "http_version": { + "type": "number", + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "default": 1.1, + "required": false + } + }, + { + "http_proxy": { + "type": "string", + "description": "The HTTP proxy.", + "required": false + } + }, + { + "http_proxy_authorization": { + "type": "string", + "description": "The HTTP proxy authorization.", + "required": false + } + }, + { + "https_proxy": { + "type": "string", + "description": "The HTTPS proxy.", + "required": false + } + }, + { + "https_proxy_authorization": { + "type": "string", + "description": "The HTTPS proxy authorization.", + "required": false + } + }, + { + "no_proxy": { + "type": "string", + "description": "Do not use proxy with these hosts.", + "required": false + } + }, + { + "keepalive": { + "type": "boolean", + "description": "Use keepalive with the HTTP client.", + "default": true, + "required": false + } + }, + { + "ssl_verify": { + "type": "boolean", + "description": "Verify identity provider server certificate.", + "default": false, + "required": false + } + }, + { + "timeout": { + "type": "number", + "description": "Network IO timeout in 
milliseconds.", + "default": 10000, + "required": false + } + }, + { + "display_errors": { + "type": "boolean", + "description": "Display errors on failure responses.", + "default": false, + "required": false + } + }, + { + "by_username_ignore_case": { + "type": "boolean", + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "default": false, + "required": false + } + }, + { + "resolve_distributed_claims": { + "type": "boolean", + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "default": false, + "required": false + } + }, + { + "expose_error_code": { + "type": "boolean", + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "default": true + } + }, + { + "token_cache_key_include_scope": { + "type": "boolean", + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "default": false + } + }, + { + "introspection_token_param_name": { + "type": "string", + "description": "Designate token's parameter name for introspection.", + "default": "token", + "required": false + } + }, + { + "revocation_token_param_name": { + "type": "string", + "description": "Designate token's parameter name for revocation.", + "default": "token", + "required": false + } + }, + { + "proof_of_possession_mtls": { + "type": "string", + "default": "off", + "required": false, + "description": "Enable mtls proof of possession. 
If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", + "one_of": [ + "off", + "strict", + "optional" + ] + } + }, + { + "proof_of_possession_auth_methods_validation": { + "type": "boolean", + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "default": true, + "required": false + } + }, + { + "tls_client_auth_cert_id": { + "type": "string", + "auto": false, + "required": false, + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "uuid": true + } + }, + { + "tls_client_auth_ssl_verify": { + "type": "boolean", + "description": "Verify identity provider server certificate during mTLS client authentication.", + "default": true, + "required": false + } + }, + { + "mtls_token_endpoint": { + "type": "string", + "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false + } + }, + { + "mtls_introspection_endpoint": { + "type": "string", + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false + } + }, + { + "mtls_revocation_endpoint": { + "type": "string", + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false + } + } + ], + "shorthand_fields": [ + { + "authorization_cookie_lifetime": { + "type": "number" + } + }, + { + "authorization_cookie_samesite": { + "type": "string" + } + }, + { + "authorization_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_cookie_lifetime": { + "type": "number" + } + }, + { + "session_cookie_idletime": { + "type": "number" + } + }, + { + "session_cookie_samesite": { + "type": "string" + } + }, + { + "session_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "type": "string" + } + }, + { + "session_memcache_socket": { + "type": "string" + } + }, + { + "session_memcache_host": { + "type": "string" + } + }, + { + "session_memcache_port": { + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer" + } + }, + { + "session_cookie_renew": { + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "type": "integer" + } + }, + { + "session_strategy": { + "type": "string" + } + }, + { + "session_compressor": { + "type": "string" + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/opentelemetry/3.7.x.json b/schemas/opentelemetry/3.7.x.json new file mode 100644 index 00000000..caa4824e --- /dev/null +++ b/schemas/opentelemetry/3.7.x.json 
@@ -0,0 +1,246 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "endpoint": { + "referenceable": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string", + "required": true + } + }, + { + "headers": { + "type": "map", + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", + "keys": { + "type": "string", + "description": "A string representing an HTTP header name." 
+ }, + "values": { + "type": "string", + "referenceable": true + } + } + }, + { + "resource_attributes": { + "type": "map", + "keys": { + "type": "string", + "required": true + }, + "values": { + "type": "string", + "required": true + } + } + }, + { + "queue": { + "type": "record", + "fields": [ + { + "max_batch_size": { + "type": "integer", + "description": "Maximum number of entries that can be processed at a time.", + "default": 1, + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_coalescing_delay": { + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "default": 1, + "between": [ + 0, + 3600 + ] + } + }, + { + "max_entries": { + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue.", + "default": 10000, + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + } + }, + { + "max_retry_time": { + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60 + } + }, + { + "initial_retry_delay": { + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch.", + "default": 0.01, + "between": [ + 0.001, + 1000000 + ] + } + }, + { + "max_retry_delay": { + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "default": 60, + "between": [ + 0.001, + 1000000 + ] + } + } + ], + "required": true + } + }, + { + "batch_span_count": { + "type": "integer", + "description": "The number of spans to be sent in a single batch." + } + }, + { + "batch_flush_delay": { + "type": "integer", + "description": "The delay, in seconds, between two consecutive batches." 
+ } + }, + { + "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "default": 1000, + "between": [ + 0, + 2147483646 + ] + } + }, + { + "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "default": 5000, + "between": [ + 0, + 2147483646 + ] + } + }, + { + "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "default": 5000, + "between": [ + 0, + 2147483646 + ] + } + }, + { + "http_response_header_for_traceid": { + "type": "string" + } + }, + { + "header_type": { + "type": "string", + "one_of": [ + "preserve", + "ignore", + "b3", + "b3-single", + "w3c", + "jaeger", + "ot", + "aws", + "gcp", + "datadog" + ], + "default": "preserve", + "required": false + } + }, + { + "sampling_rate": { + "type": "number", + "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", + "required": false, + "between": [ + 0, + 1 + ] + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "batch_span_count", + "batch_flush_delay" + ] + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/post-function/3.7.x.json b/schemas/post-function/3.7.x.json new file mode 100644 index 00000000..aae158bb --- /dev/null +++ b/schemas/post-function/3.7.x.json 
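Review bot: The `config.headers` description says this map carries the authentication token for the APM backend, but its `values` entry is only `referenceable` and has no `encrypted` flag. By contrast, `session_redis_password` in the openid-connect schema earlier in this patch sets both. Whether the upstream field is meant to be encrypted at rest cannot be told from this file, so the description should at least steer users to vault references, for example by appending `Supply secret values as vault references rather than literal strings.` Because the file is pulled from the API, that wording belongs in the upstream schema, not in a hand edit here. Separately, `resource_attributes`, `http_response_header_for_traceid` and `header_type` have no `description` at all.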
@@ -0,0 +1,228 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": false + } + }, + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing protocols." 
+ } + }, + { + "config": { + "type": "record", + "fields": [ + { + "certificate": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ], + "required": true + } + }, + { + "rewrite": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ], + "required": true + } + }, + { + "access": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ], + "required": true + } + }, + { + "header_filter": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ], + "required": true + } + }, + { + "body_filter": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ], + "required": true + } + }, + { + "log": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ], + "required": true + } + }, + { + "ws_handshake": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ], + "required": true + } + }, + { + "ws_client_frame": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ], + "required": true + } + }, + { + "ws_upstream_frame": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ], + "required": true + } + }, + { + "ws_close": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ], + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ] +} \ No newline at end of file 
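Review bot: None of the phase arrays under `config` (`certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, `log` and the four `ws_*` fields) has a `description`, so nothing in this schema tells a reader that each string element is Lua source which the gateway runs in that phase, which is how Kong's serverless function plugins use them. I would add one per field, e.g. `"description": "Lua code, as strings, run in sequence during the access phase. Treat write access to this field as the ability to run code on the gateway."`. Separately, `protocols` is declared twice in the top-level `fields` array with different `one_of`, `default` and `required` values, and which entry a consumer of this file honours is not visible here. `schemas/pre-function/3.7.x.json` has the same blob id (`aae158bb`), so both points apply there too.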
diff --git a/schemas/pre-function/3.7.x.json b/schemas/pre-function/3.7.x.json new file mode 100644 index 00000000..aae158bb --- /dev/null +++ b/schemas/pre-function/3.7.x.json 
@@ -0,0 +1,228 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": false + } + }, + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing protocols." 
+ } + }, + { + "config": { + "type": "record", + "fields": [ + { + "certificate": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ], + "required": true + } + }, + { + "rewrite": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ], + "required": true + } + }, + { + "access": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ], + "required": true + } + }, + { + "header_filter": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ], + "required": true + } + }, + { + "body_filter": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ], + "required": true + } + }, + { + "log": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ], + "required": true + } + }, + { + "ws_handshake": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ], + "required": true + } + }, + { + "ws_client_frame": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ], + "required": true + } + }, + { + "ws_upstream_frame": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ], + "required": true + } + }, + { + "ws_close": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, + "default": [ + + ], + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ] +} \ No newline at end of file 
diff --git a/schemas/prometheus/3.7.x.json b/schemas/prometheus/3.7.x.json new file mode 100644 index 00000000..dd8691b7 --- /dev/null +++ b/schemas/prometheus/3.7.x.json 
@@ -0,0 +1,87 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "per_consumer": { + "type": "boolean", + "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", + "default": false + } + }, + { + "status_code_metrics": { + "type": "boolean", + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", + "default": false + } + }, + { + "latency_metrics": { + "type": "boolean", + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", + "default": false + } + }, + { + "bandwidth_metrics": { + "type": "boolean", + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", + "default": false + } + }, + { + "upstream_health_metrics": { + "type": "boolean", + "description": "A boolean value that determines if status code metrics should be collected. 
If enabled, `upstream_target_health` metric will be exported.", + "default": false + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/proxy-cache-advanced/3.7.x.json b/schemas/proxy-cache-advanced/3.7.x.json new file mode 100644 index 00000000..e5292b48 --- /dev/null +++ b/schemas/proxy-cache-advanced/3.7.x.json 
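Review bot: The descriptions of `latency_metrics`, `bandwidth_metrics` and `upstream_health_metrics` all open with "determines if status code metrics should be collected", the sentence used for `status_code_metrics`, so three of the five toggles describe the wrong metric family. Each should name its own, e.g. `"A boolean value that determines if latency metrics should be collected. ..."` for `latency_metrics`, and likewise for bandwidth and upstream health. `bandwidth_metrics` also lists `stream_sessions_total`, the same metric `status_code_metrics` lists, which may come from the same copy and is worth checking against the plugin. The metric names are inconsistent about the `kong_` prefix as well (`kong_http_requests_total` under `per_consumer`, `http_requests_total` under `status_code_metrics`), which makes it harder to match these toggles to what a scrape actually returns.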
@@ -0,0 +1,448 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "response_code": { + "type": "array", + "elements": { + "type": "integer", + "between": [ + 100, + 900 + ] + }, + "default": [ + 200, + 301, + 404 + ], + "required": true, + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", + "len_min": 1 + } + }, + { + "request_method": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "HEAD", + "GET", + "POST", + "PATCH", + "PUT" + ] + }, + "default": [ + "GET", + "HEAD" + ], + "required": true, + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`." + } + }, + { + "content_type": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "text/plain", + "application/json" + ], + "required": true, + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned." + } + }, + { + "cache_ttl": { + "type": "integer", + "description": "TTL in seconds of cache entities.", + "default": 300, + "gt": 0 + } + }, + { + "strategy": { + "type": "string", + "description": "The backing data store in which to hold cache entities. 
Accepted values are: `memory` and `redis`.", + "one_of": [ + "memory", + "redis" + ], + "required": true + } + }, + { + "cache_control": { + "type": "boolean", + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "default": false, + "required": true + } + }, + { + "ignore_uri_case": { + "type": "boolean", + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", + "default": false, + "required": false + } + }, + { + "storage_ttl": { + "type": "integer", + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." + } + }, + { + "memory": { + "type": "record", + "fields": [ + { + "dictionary_name": { + "type": "string", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "default": "kong_db_cache", + "required": true + } + } + ], + "required": true + } + }, + { + "vary_query_params": { + "type": "array", + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "elements": { + "type": "string" + } + } + }, + { + "vary_headers": { + "type": "array", + "description": "Relevant headers considered for the cache key. 
If undefined, none of the headers are taken into consideration.", + "elements": { + "type": "string" + } + } + }, + { + "response_headers": { + "type": "record", + "description": "Caching related diagnostic headers that should be included in cached responses", + "fields": [ + { + "age": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Status": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Key": { + "default": true, + "type": "boolean" + } + } + ], + "required": true + } + }, + { + "redis": { + "type": "record", + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "default": 2000, + "between": [ + 0, + 2147483646 + ] + } + }, + { + "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "username": { + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + { + "password": { + "referenceable": true, + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + } + }, + { + "sentinel_username": { + "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + } + }, + { + "sentinel_password": { + "referenceable": true, + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + } + }, + { + "database": { + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "between": [ + 1, + 2147483646 + ] + } + }, + { + "keepalive_backlog": { + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_addresses": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_addresses": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "type": "boolean", + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "required": false + } + }, + { + "ssl_verify": { + "type": "boolean", + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "required": false + } + }, + { + "server_name": { + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "cluster_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "cluster_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ], + "required": true + } + }, + { + "bypass_on_err": { + "type": "boolean", + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "default": false + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/proxy-cache/3.7.x.json b/schemas/proxy-cache/3.7.x.json new file mode 100644 index 00000000..8dee3742 --- /dev/null +++ b/schemas/proxy-cache/3.7.x.json 
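Review bot: In the `redis` record, `ssl` and `ssl_verify` both default to `false` while `password` and `sentinel_password` are accepted, so a configuration that sets only host, port and password sends the credential and the cache entries to Redis without TLS, and none of the descriptions says so. I would extend the `ssl` description, e.g. `"If set to true, uses SSL to connect to Redis. When false, the Redis password and cache entries are sent unencrypted."`, and state under `ssl_verify` that while it is off the server certificate is not checked. The record's `entity_checks` also has no rule tying `ssl_verify` or `server_name` to `ssl`, so `ssl_verify: true` with `ssl: false` passes this schema; whether that combination is rejected elsewhere is not visible here. The `redis` record in `schemas/rate-limiting-advanced/3.7.x.json` has the same defaults and descriptions.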
@@ -0,0 +1,205 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing protocols." + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "response_code": { + "type": "array", + "elements": { + "type": "integer", + "between": [ + 100, + 900 + ] + }, + "default": [ + 200, + 301, + 404 + ], + "required": true, + "description": "Upstream response status code considered cacheable.", + "len_min": 1 + } + }, + { + "request_method": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "HEAD", + "GET", + "POST", + "PATCH", + "PUT" + ] + }, + "default": [ + "GET", + "HEAD" + ], + "required": true, + "description": "Downstream request methods considered cacheable." + } + }, + { + "content_type": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + "text/plain", + "application/json" + ], + "required": true, + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value." 
+ } + }, + { + "cache_ttl": { + "gt": 0, + "description": "TTL, in seconds, of cache entities.", + "default": 300, + "type": "integer" + } + }, + { + "strategy": { + "type": "string", + "description": "The backing data store in which to hold cache entities.", + "one_of": [ + "memory" + ], + "required": true + } + }, + { + "cache_control": { + "type": "boolean", + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "default": false, + "required": true + } + }, + { + "ignore_uri_case": { + "type": "boolean", + "default": false, + "required": false + } + }, + { + "storage_ttl": { + "type": "integer", + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." + } + }, + { + "memory": { + "type": "record", + "fields": [ + { + "dictionary_name": { + "type": "string", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "default": "kong_db_cache", + "required": true + } + } + ], + "required": true + } + }, + { + "vary_query_params": { + "type": "array", + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "elements": { + "type": "string" + } + } + }, + { + "vary_headers": { + "type": "array", + "description": "Relevant headers considered for the cache key. 
If undefined, none of the headers are taken into consideration.", + "elements": { + "type": "string" + } + } + }, + { + "response_headers": { + "type": "record", + "description": "Caching related diagnostic headers that should be included in cached responses", + "fields": [ + { + "age": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Status": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Key": { + "default": true, + "type": "boolean" + } + } + ], + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/rate-limiting-advanced/3.7.x.json b/schemas/rate-limiting-advanced/3.7.x.json new file mode 100644 index 00000000..bcef248e --- /dev/null +++ b/schemas/rate-limiting-advanced/3.7.x.json 
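Review bot: `ignore_uri_case` has no `description` here, although it changes which requests share a cache entry; the `proxy-cache-advanced` schema in this same patch documents the identical field. The same text would do: `"Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI."`. It would help to add that the option is only safe when the upstream itself treats paths case-insensitively, since otherwise two distinct resources would presumably be served from one cache entry.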
@@ -0,0 +1,438 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "identifier": { + "type": "string", + "default": "consumer", + "required": true, + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "one_of": [ + "ip", + "credential", + "consumer", + "service", + "header", + "path", + "consumer-group" + ] + } + }, + { + "window_size": { + "type": "array", + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "elements": { + "type": "number" + }, + "required": true + } + }, + { + "window_type": { + "type": "string", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "default": "sliding", + "one_of": [ + "fixed", + "sliding" + ] + } + }, + { + "limit": { + "type": "array", + "description": "One or more requests-per-window limits to apply. 
There must be a matching number of window limits and sizes specified.", + "elements": { + "type": "number" + }, + "required": true + } + }, + { + "sync_rate": { + "type": "number", + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." + } + }, + { + "namespace": { + "type": "string", + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", + "auto": true, + "required": true + } + }, + { + "strategy": { + "type": "string", + "default": "local", + "required": true, + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "one_of": [ + "cluster", + "redis", + "local" + ] + } + }, + { + "dictionary_name": { + "type": "string", + "description": "The shared dictionary where counters are stored. 
When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "default": "kong_rate_limiting_counters", + "required": true + } + }, + { + "hide_client_headers": { + "type": "boolean", + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "default": false + } + }, + { + "retry_after_jitter_max": { + "type": "number", + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "default": 0 + } + }, + { + "header_name": { + "type": "string", + "description": "A string representing an HTTP header name." + } + }, + { + "path": { + "type": "string", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/" + } + }, + { + "redis": { + "type": "record", + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "default": 2000, + "between": [ + 0, + 2147483646 + ] + } + }, + { + "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "username": { + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + { + "password": { + "referenceable": true, + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + } + }, + { + "sentinel_username": { + "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + } + }, + { + "sentinel_password": { + "referenceable": true, + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + } + }, + { + "database": { + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "between": [ + 1, + 2147483646 + ] + } + }, + { + "keepalive_backlog": { + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_addresses": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_addresses": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. 
Each string element must be a hostname. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "type": "boolean", + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "required": false + } + }, + { + "ssl_verify": { + "type": "boolean", + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "required": false + } + }, + { + "server_name": { + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "cluster_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "cluster_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ], + "required": true + } + }, + { + "enforce_consumer_groups": { + "type": "boolean", + "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. 
You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", + "default": false + } + }, + { + "consumer_groups": { + "type": "array", + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", + "elements": { + "type": "string" + } + } + }, + { + "disable_penalty": { + "type": "boolean", + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", + "default": false + } + }, + { + "error_code": { + "type": "number", + "description": "Set a custom error code to return when the rate limit is exceeded.", + "default": 429, + "gt": 0 + } + }, + { + "error_message": { + "type": "string", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "default": "API rate limit exceeded" + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/rate-limiting/3.7.x.json b/schemas/rate-limiting/3.7.x.json new file mode 100644 index 00000000..b4b05cf7 --- /dev/null +++ b/schemas/rate-limiting/3.7.x.json 
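Review bot: `header_name` is described only as "A string representing an HTTP header name.", which leaves out that (presumably) its value becomes the counter key when `identifier` is `header`; a header that the client supplies lets the client choose its own bucket, so the description should say it must be set or overwritten by a trusted hop. Something like `"Header whose value is used as the rate-limit key when identifier is header. Use a header that clients cannot set themselves."` would do. The `strategy` description also lists only `local` and `cluster` as available values while `one_of` accepts `redis` too. `error_code` is a `number` constrained only by `gt: 0`, so non-integer or out-of-range values pass the schema; an integer type with a status-code range looks like the intent. The `header_name` field in `schemas/rate-limiting/3.7.x.json` carries the same one-line description.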
@@ -0,0 +1,402 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "second": { + "gt": 0, + "description": "The number of HTTP requests that can be made per second.", + "type": "number" + } + }, + { + "minute": { + "gt": 0, + "description": "The number of HTTP requests that can be made per minute.", + "type": "number" + } + }, + { + "hour": { + "gt": 0, + "description": "The number of HTTP requests that can be made per hour.", + "type": "number" + } + }, + { + "day": { + "gt": 0, + "description": "The number of HTTP requests that can be made per day.", + "type": "number" + } + }, + { + "month": { + "gt": 0, + "description": "The number of HTTP requests that can be made per month.", + "type": "number" + } + }, + { + "year": { + "gt": 0, + "description": "The number of HTTP requests that can be made per year.", + "type": "number" + } + }, + { + "limit_by": { + "type": "string", + "description": "The entity that is used when aggregating the limits.", + "default": "consumer", + "one_of": [ + "consumer", + "credential", + "ip", + "service", + "header", + "path", + "consumer-group" + ] + } + }, + { + "header_name": { + "type": "string", + "description": "A string representing an HTTP header name." + } + }, + { + "path": { + "type": "string", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/" + } + }, + { + "policy": { + "type": "string", + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "one_of": [ + "local", + "cluster", + "redis" + ], + "len_min": 0 + } + }, + { + "fault_tolerant": { + "type": "boolean", + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", + "default": true, + "required": true + } + }, + { + "redis": { + "type": "record", + "description": "Redis configuration", + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "default": 6379, + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "default": 2000, + "between": [ + 0, + 2147483646 + ] + } + }, + { + "username": { + "type": "string", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true + } + }, + { + "password": { + "type": "string", + "encrypted": true, + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "len_min": 0 + } + }, + { + "database": { + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0 + } + }, + { + "ssl": { + "type": "boolean", + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "required": false + } + }, + { + "ssl_verify": { + "type": "boolean", + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "required": false + } + }, + { + "server_name": { + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false + } + } + ], + "required": true + } + }, + { + "hide_client_headers": { + "type": "boolean", + "description": "Optionally hide informative response headers.", + "default": false, + "required": true + } + }, + { + "error_code": { + "gt": 0, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "default": 429, + "type": "number" + } + }, + { + "error_message": { + "type": "string", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "default": "API rate limit exceeded" + } + }, + { + "sync_rate": { + "type": "number", + "description": "How often to sync counter data to the central data store. 
A value of -1 results in synchronous behavior.", + "default": -1, + "required": true + } + } + ], + "shorthand_fields": [ + { + "redis_host": { + "type": "string", + "translate_backwards": [ + "redis", + "host" + ] + } + }, + { + "redis_port": { + "type": "integer", + "translate_backwards": [ + "redis", + "port" + ] + } + }, + { + "redis_password": { + "type": "string", + "translate_backwards": [ + "redis", + "password" + ], + "len_min": 0 + } + }, + { + "redis_username": { + "type": "string", + "translate_backwards": [ + "redis", + "username" + ] + } + }, + { + "redis_ssl": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl" + ] + } + }, + { + "redis_ssl_verify": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl_verify" + ] + } + }, + { + "redis_server_name": { + "type": "string", + "translate_backwards": [ + "redis", + "server_name" + ] + } + }, + { + "redis_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + "timeout" + ] + } + }, + { + "redis_database": { + "type": "integer", + "translate_backwards": [ + "redis", + "database" + ] + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.second", + "config.minute", + "config.hour", + "config.day", + "config.month", + "config.year" + ] + }, + { + "conditional": { + "then_field": "config.redis.host", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.redis.port", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.redis.timeout", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.header_name", + "if_field": "config.limit_by", + "then_match": { + "required": true + }, + "if_match": 
{ + "eq": "header" + } + } + }, + { + "conditional": { + "then_field": "config.path", + "if_field": "config.limit_by", + "then_match": { + "required": true + }, + "if_match": { + "eq": "path" + } + } + } + ] +} \ No newline at end of file diff --git a/schemas/request-size-limiting/3.7.x.json b/schemas/request-size-limiting/3.7.x.json new file mode 100644 index 00000000..cf7da47a --- /dev/null +++ b/schemas/request-size-limiting/3.7.x.json @@ -0,0 +1,73 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "allowed_payload_size": { + "type": "integer", + "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", + "default": 128 + } + }, + { + "size_unit": { + "type": "string", + "default": "megabytes", + "required": true, + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", + "one_of": [ + "megabytes", + "kilobytes", + "bytes" + ] + } + }, + { + "require_content_length": { + "type": "boolean", + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", + "default": false, + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file 
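Review bot: In the rate-limiting schema, `config.redis.ssl` and `config.redis.ssl_verify` both default to `false`, and the descriptions do not say what that means for the `password` field next to them. With `policy` set to `redis` and defaults kept, the Redis username, password and counters cross the network unencrypted. Setting `ssl` alone encrypts the link but leaves the server certificate unchecked. I would extend the `ssl` description to `If set to true, uses SSL to connect to Redis. When false, Redis credentials are sent unencrypted.` and have `ssl_verify` state that `ssl` without it does not authenticate the server. The same fields and wording recur in the response-ratelimiting schema later in this patch, and because these files are pulled from the API the change belongs in the plugin's schema source.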
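Review bot: In the request-size-limiting schema, the `allowed_payload_size` description fixes the unit as megabytes, but `size_unit` in the same record lets the number be read as `bytes` or `kilobytes`. An operator who changes only `size_unit` gets a limit that differs from the documented one by orders of magnitude. I would reword it to `Allowed request payload size, expressed in the unit selected by size_unit. Defaults to 128 (megabytes).` The field also has no lower bound (`gt` or `between`) here, unlike the numeric limits in the rate-limiting schema; whether zero or negative values are rejected elsewhere is not visible in this file.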
diff --git a/schemas/request-termination/3.7.x.json b/schemas/request-termination/3.7.x.json new file mode 100644 index 00000000..ba24710d --- /dev/null +++ b/schemas/request-termination/3.7.x.json @@ -0,0 +1,81 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "status_code": { + "type": "integer", + "default": 503, + "required": true, + "description": "The response code to send. Must be an integer between 100 and 599.", + "between": [ + 100, + 599 + ] + } + }, + { + "message": { + "type": "string", + "description": "The message to send, if using the default response generator." + } + }, + { + "content_type": { + "type": "string", + "description": "Content type of the raw response configured with `config.body`." + } + }, + { + "body": { + "type": "string", + "description": "The raw response body to send. This is mutually exclusive with the `config.message` field." + } + }, + { + "echo": { + "type": "boolean", + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", + "default": false, + "required": true + } + }, + { + "trigger": { + "type": "string", + "description": "A string representing an HTTP header name." + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/request-transformer-advanced/3.7.x.json b/schemas/request-transformer-advanced/3.7.x.json new file mode 100644 index 00000000..477e4eed --- /dev/null +++ b/schemas/request-transformer-advanced/3.7.x.json 
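Review bot: The `trigger` description in `config` (`A string representing an HTTP header name.`) does not say what the field does, although the `echo` text relies on it to keep the debug response away from real traffic. Because `echo` returns a copy of the request to the caller, the published text should state when the plugin fires, for example `Name of the header or query parameter that must be present for the plugin to act; when unset, the plugin acts on every matching request.` That wording should be confirmed against the plugin source, since only the schema is visible here. The `echo` description could also note that the echoed copy presumably includes whatever credentials the request headers carry, so it should stay disabled outside debugging.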
@@ -0,0 +1,337 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "http_method": { + "type": "string", + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", + "match": "^%u+$" + } + }, + { + "remove": { + "type": "record", + "fields": [ + { + "body": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "querystring": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "rename": { + "type": "record", + "fields": [ + { + "body": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "querystring": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "replace": { + "type": "record", + "fields": [ + { + "body": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "querystring": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "json_types": { + "type": "array", + "elements": { + 
"type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "default": [ + + ] + } + }, + { + "uri": { + "type": "string" + } + } + ], + "required": true + } + }, + { + "add": { + "type": "record", + "fields": [ + { + "body": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "querystring": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "json_types": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "append": { + "type": "record", + "fields": [ + { + "body": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "querystring": { + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "default": [ + + ] + } + }, + { + "json_types": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "allow": { + "type": "record", + "fields": [ + { + "body": { + "type": "set", + "elements": { + "type": "string" + } + } + } + ], + "required": true + } + }, + { + "dots_in_keys": { + "type": "boolean", + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. 
See [Arrays and nested objects](#arrays-and-nested-objects).", + "default": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/request-transformer/3.7.x.json b/schemas/request-transformer/3.7.x.json new file mode 100644 index 00000000..8e81f73d --- /dev/null +++ b/schemas/request-transformer/3.7.x.json 
@@ -0,0 +1,280 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing protocols." + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "http_method": { + "type": "string", + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", + "match": "^%u+$" + } + }, + { + "remove": { + "type": "record", + "fields": [ + { + "body": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ], + "required": true + } + }, + { + "headers": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ], + "required": true + } + }, + { + "querystring": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ], + "required": true + } + } + ], + "required": true + } + }, + { + "rename": { + "type": "record", + "fields": [ + { + "body": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ], + "required": true + } + }, + { + "headers": { + "type": "array", + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "default": [ + + ], + "required": true + } + }, + { + "querystring": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ], + "required": true + } + } + ], + "required": true + } + }, + { + "replace": { + "type": "record", + "fields": [ + { + "body": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ], + "required": true + } + }, + { + "headers": { + "type": "array", + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "default": [ + + ], + 
"required": true + } + }, + { + "querystring": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ], + "required": true + } + }, + { + "uri": { + "type": "string" + } + } + ], + "required": true + } + }, + { + "add": { + "type": "record", + "fields": [ + { + "body": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ], + "required": true + } + }, + { + "headers": { + "type": "array", + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "default": [ + + ], + "required": true + } + }, + { + "querystring": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ], + "required": true + } + } + ], + "required": true + } + }, + { + "append": { + "type": "record", + "fields": [ + { + "body": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ], + "required": true + } + }, + { + "headers": { + "type": "array", + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "default": [ + + ], + "required": true + } + }, + { + "querystring": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ], + "required": true + } + } + ], + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/request-validator/3.7.x.json b/schemas/request-validator/3.7.x.json new file mode 100644 index 00000000..b42dd912 --- /dev/null +++ b/schemas/request-validator/3.7.x.json 
@@ -0,0 +1,181 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "body_schema": { + "type": "string", + "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.", + "required": false + } + }, + { + "allowed_content_types": { + "type": "set", + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", + "default": [ + "application/json" + ], + "elements": { + "type": "string", + "required": true + } + } + }, + { + "version": { + "type": "string", + "default": "kong", + "required": true, + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", + "one_of": [ + "kong", + "draft4" + ] + } + }, + { + "parameter_schema": { + "type": "array", + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", + "elements": { + "type": "record", + "fields": [ + { + "in": { + "type": "string", + "description": "The location of the parameter.", + "one_of": [ + "query", + "header", + "path" + ], + "required": true + } + }, + { + "name": { + "type": "string", + "description": "The name of the parameter. Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. 
If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`.", + "required": true + } + }, + { + "required": { + "type": "boolean", + "description": "Determines whether this parameter is mandatory.", + "required": true + } + }, + { + "style": { + "type": "string", + "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", + "one_of": [ + "label", + "form", + "matrix", + "simple", + "spaceDelimited", + "pipeDelimited", + "deepObject" + ] + } + }, + { + "explode": { + "type": "boolean", + "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect." + } + }, + { + "schema": { + "type": "string", + "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating." 
+ } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "style", + "explode", + "schema" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "style", + "in" + ] + } + } + ] + }, + "required": false + } + }, + { + "verbose_response": { + "type": "boolean", + "description": "If enabled, the plugin returns more verbose and detailed validation errors.", + "default": false, + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "body_schema", + "parameter_schema" + ] + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/response-ratelimiting/3.7.x.json b/schemas/response-ratelimiting/3.7.x.json new file mode 100644 index 00000000..ede9fa94 --- /dev/null +++ b/schemas/response-ratelimiting/3.7.x.json 
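Review bot: The `schema` field description inside `parameter_schema` opens with the misspelling `Requred`, which should read `Required`. In the same record, `Array of parameter validator specification.` should use the plural `specifications`. Both strings are published as reference documentation, and since the file is downloaded from the API the correction has to be made in the plugin's schema source rather than here.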
@@ -0,0 +1,367 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "header_name": { + "type": "string", + "description": "The name of the response header used to increment the counters.", + "default": "x-kong-limit" + } + }, + { + "limit_by": { + "type": "string", + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", + "default": "consumer", + "one_of": [ + "consumer", + "credential", + "ip" + ] + } + }, + { + "policy": { + "type": "string", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "default": "local", + "one_of": [ + "local", + "cluster", + "redis" + ] + } + }, + { + "fault_tolerant": { + "type": "boolean", + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", + "default": true, + "required": true + } + }, + { + "redis": { + "type": "record", + "description": "Redis configuration", + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "default": 6379, + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "default": 2000, + "between": [ + 0, + 2147483646 + ] + } + }, + { + "username": { + "type": "string", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true + } + }, + { + "password": { + "type": "string", + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "len_min": 0 + } + }, + { + "database": { + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0 + } + }, + { + "ssl": { + "type": "boolean", + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "required": false + } + }, + { + "ssl_verify": { + "type": "boolean", + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "required": false + } + }, + { + "server_name": { + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false + } + } + ], + "required": true + } + }, + { + "block_on_first_violation": { + "type": "boolean", + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. 
This will block requests that are supposed to consume other limits too.", + "default": false, + "required": true + } + }, + { + "hide_client_headers": { + "type": "boolean", + "description": "Optionally hide informative response headers.", + "default": false, + "required": true + } + }, + { + "limits": { + "type": "map", + "keys": { + "type": "string" + }, + "required": true, + "description": "A map that defines rate limits for the plugin.", + "values": { + "type": "record", + "fields": [ + { + "second": { + "type": "number", + "gt": 0 + } + }, + { + "minute": { + "type": "number", + "gt": 0 + } + }, + { + "hour": { + "type": "number", + "gt": 0 + } + }, + { + "day": { + "type": "number", + "gt": 0 + } + }, + { + "month": { + "type": "number", + "gt": 0 + } + }, + { + "year": { + "type": "number", + "gt": 0 + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "second", + "minute", + "hour", + "day", + "month", + "year" + ] + } + ], + "required": true + }, + "len_min": 1 + } + } + ], + "shorthand_fields": [ + { + "redis_host": { + "type": "string", + "translate_backwards": [ + "redis", + "host" + ] + } + }, + { + "redis_port": { + "type": "integer", + "translate_backwards": [ + "redis", + "port" + ] + } + }, + { + "redis_password": { + "type": "string", + "translate_backwards": [ + "redis", + "password" + ], + "len_min": 0 + } + }, + { + "redis_username": { + "type": "string", + "translate_backwards": [ + "redis", + "username" + ] + } + }, + { + "redis_ssl": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl" + ] + } + }, + { + "redis_ssl_verify": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl_verify" + ] + } + }, + { + "redis_server_name": { + "type": "string", + "translate_backwards": [ + "redis", + "server_name" + ] + } + }, + { + "redis_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + "timeout" + ] + } + }, + { + "redis_database": { + "type": "integer", + "translate_backwards": [ + "redis", 
+ "database" + ] + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "config.redis.host", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.redis.port", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.redis.timeout", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + } + ] +} \ No newline at end of file diff --git a/schemas/response-transformer-advanced/3.7.x.json b/schemas/response-transformer-advanced/3.7.x.json new file mode 100644 index 00000000..e6ac84ed --- /dev/null +++ b/schemas/response-transformer-advanced/3.7.x.json 
@@ -0,0 +1,350 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "remove": { + "type": "record", + "fields": [ + { + "json": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "if_status": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "rename": { + "type": "record", + "fields": [ + { + "headers": { + "type": "array", + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "default": [ + + ] + } + }, + { + "if_status": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "replace": { + "type": "record", + "fields": [ + { + "body": { + "type": "string", + "description": "String with which to replace the entire response body." 
+ } + }, + { + "json": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "json_types": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "if_status": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "add": { + "type": "record", + "fields": [ + { + "json": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "json_types": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "if_status": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "append": { + "type": "record", + "fields": [ + { + "json": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "json_types": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "default": [ + + ] + } + }, + { + "headers": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "if_status": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "allow": { + "type": "record", + "fields": [ + { + "json": { + "type": "set", + "elements": { + "type": "string" + } + } + } + ], + "required": true + } + }, + { + "transform": { + "type": "record", + "fields": [ + { + "functions": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + 
}, + { + "if_status": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "json": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + } + ], + "required": true + } + }, + { + "dots_in_keys": { + "type": "boolean", + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", + "default": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/response-transformer/3.7.x.json b/schemas/response-transformer/3.7.x.json new file mode 100644 index 00000000..ef707e6d --- /dev/null +++ b/schemas/response-transformer/3.7.x.json 
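Review bot: `config.transform.functions` is published without a description, yet it looks like the one field in this schema whose string elements are code rather than data. Upstream documents them as Lua functions applied to the response body, which should be confirmed against the plugin source. The description should say so and state that anyone able to write this field can run code in the gateway's response path, so write access to this plugin's configuration needs the same control as a code deployment. The `dots_in_keys` description in the same record also ends in a doubled period (`objects..`).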
@@ -0,0 +1,246 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "remove": { + "type": "record", + "fields": [ + { + "json": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ], + "required": true + } + }, + { + "headers": { + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ], + "required": true + } + } + ], + "required": true + } + }, + { + "rename": { + "type": "record", + "fields": [ + { + "headers": { + "type": "array", + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "default": [ + + ], + "required": true + } + } + ], + "required": true + } + }, + { + "replace": { + "type": "record", + "fields": [ + { + "json": { + "type": "array", + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "default": [ + + ], + "required": true + } + }, + { + "json_types": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "default": [ + + ], + "required": true, + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." 
+ } + }, + { + "headers": { + "type": "array", + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "default": [ + + ], + "required": true + } + } + ], + "required": true + } + }, + { + "add": { + "type": "record", + "fields": [ + { + "json": { + "type": "array", + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "default": [ + + ], + "required": true + } + }, + { + "json_types": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "default": [ + + ], + "required": true, + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." + } + }, + { + "headers": { + "type": "array", + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "default": [ + + ], + "required": true + } + } + ], + "required": true + } + }, + { + "append": { + "type": "record", + "fields": [ + { + "json": { + "type": "array", + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "default": [ + + ], + "required": true + } + }, + { + "json_types": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "default": [ + + ], + "required": true, + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." + } + }, + { + "headers": { + "type": "array", + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "default": [ + + ], + "required": true + } + } + ], + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/route-by-header/3.7.x.json b/schemas/route-by-header/3.7.x.json new file mode 100644 index 00000000..265c8eee --- /dev/null +++ b/schemas/route-by-header/3.7.x.json 
@@ -0,0 +1,78 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "rules": { + "type": "array", + "description": "Route by header rules.", + "default": [ + + ], + "elements": { + "type": "record", + "fields": [ + { + "upstream_name": { + "type": "string", + "required": true + } + }, + { + "condition": { + "type": "map", + "keys": { + "type": "string" + }, + "values": { + "type": "string" + }, + "required": true, + "len_min": 1 + } + } + ] + } + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/route-transformer-advanced/3.7.x.json b/schemas/route-transformer-advanced/3.7.x.json new file mode 100644 index 00000000..5278e97e --- /dev/null +++ b/schemas/route-transformer-advanced/3.7.x.json 
@@ -0,0 +1,75 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "path": { + "type": "string" + } + }, + { + "port": { + "type": "string" + } + }, + { + "host": { + "type": "string" + } + }, + { + "escape_path": { + "default": false, + "type": "boolean" + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "path", + "port", + "host" + ] + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/saml/3.7.x.json b/schemas/saml/3.7.x.json new file mode 100644 index 00000000..9dbe54e1 --- /dev/null +++ b/schemas/saml/3.7.x.json 
@@ -0,0 +1,650 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "assertion_consumer_path": { + "type": "string", + "required": true, + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/" + } + }, + { + "idp_sso_url": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": true + } + }, + { + "idp_certificate": { + "referenceable": true, + "required": false, + "encrypted": true, + "type": "string", + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines." + } + }, + { + "response_encryption_key": { + "referenceable": true, + "required": false, + "encrypted": true, + "type": "string", + "description": "The private encryption key required to decrypt encrypted assertions." 
+ } + }, + { + "request_signing_key": { + "referenceable": true, + "required": false, + "encrypted": true, + "type": "string", + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well." + } + }, + { + "request_signing_certificate": { + "referenceable": true, + "required": false, + "encrypted": true, + "type": "string", + "description": "The certificate for signing requests." + } + }, + { + "request_signature_algorithm": { + "type": "string", + "default": "SHA256", + "required": false, + "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "one_of": [ + "SHA256", + "SHA384", + "SHA512" + ] + } + }, + { + "request_digest_algorithm": { + "type": "string", + "default": "SHA256", + "required": false, + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", + "one_of": [ + "SHA256", + "SHA1" + ] + } + }, + { + "response_signature_algorithm": { + "type": "string", + "default": "SHA256", + "required": false, + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "one_of": [ + "SHA256", + "SHA384", + "SHA512" + ] + } + }, + { + "response_digest_algorithm": { + "type": "string", + "default": "SHA256", + "required": false, + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", + "one_of": [ + "SHA256", + "SHA1" + ] + } + }, + { + "issuer": { + "type": "string", + "description": "The unique identifier of the IdP application. 
Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", + "required": true + } + }, + { + "nameid_format": { + "type": "string", + "default": "EmailAddress", + "required": false, + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", + "one_of": [ + "Unspecified", + "EmailAddress", + "Persistent", + "Transient" + ] + } + }, + { + "validate_assertion_signature": { + "type": "boolean", + "description": "Enable signature validation for SAML responses.", + "default": true, + "required": false + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", + "required": false + } + }, + { + "session_secret": { + "len_max": 32, + "referenceable": true, + "match": "^[0-9a-zA-Z/_+]+$", + "required": true, + "encrypted": true, + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). 
It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "type": "string", + "len_min": 32 + } + }, + { + "session_audience": { + "type": "string", + "description": "The session audience, for example \"my-application\"", + "default": "default", + "required": false + } + }, + { + "session_cookie_name": { + "type": "string", + "description": "The session cookie name.", + "default": "session", + "required": false + } + }, + { + "session_remember": { + "type": "boolean", + "description": "Enables or disables persistent sessions", + "default": false, + "required": false + } + }, + { + "session_remember_cookie_name": { + "type": "string", + "description": "Persistent session cookie name", + "default": "remember", + "required": false + } + }, + { + "session_remember_rolling_timeout": { + "type": "number", + "description": "Persistent session rolling timeout in seconds.", + "default": 604800, + "required": false + } + }, + { + "session_remember_absolute_timeout": { + "type": "number", + "description": "Persistent session absolute timeout in seconds.", + "default": 2592000, + "required": false + } + }, + { + "session_idling_timeout": { + "type": "number", + "description": "The session cookie idle time in seconds.", + "default": 900, + "required": false + } + }, + { + "session_rolling_timeout": { + "type": "number", + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "default": 3600, + "required": false + } + }, + { + "session_absolute_timeout": { + "type": "number", + "description": "The session cookie absolute timeout in seconds. 
Specifies how long the session can be used until it is no longer valid.", + "default": 86400, + "required": false + } + }, + { + "session_cookie_path": { + "type": "string", + "default": "/", + "required": false, + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/" + } + }, + { + "session_cookie_domain": { + "type": "string", + "description": "The session cookie domain flag.", + "required": false + } + }, + { + "session_cookie_same_site": { + "type": "string", + "default": "Lax", + "required": false, + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "session_cookie_http_only": { + "type": "boolean", + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true, + "required": false + } + }, + { + "session_cookie_secure": { + "type": "boolean", + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "required": false + } + }, + { + "session_request_headers": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } + } + }, + { + "session_response_headers": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } + } + }, + { + "session_storage": { + "type": "string", + "default": 
"cookie", + "required": false, + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", + "one_of": [ + "cookie", + "memcache", + "memcached", + "redis" + ] + } + }, + { + "session_store_metadata": { + "type": "boolean", + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", + "default": false, + "required": false + } + }, + { + "session_enforce_same_subject": { + "type": "boolean", + "description": "When set to `true`, audiences are forced to share the same subject.", + "default": false, + "required": false + } + }, + { + "session_hash_subject": { + "type": "boolean", + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "default": false, + "required": false + } + }, + { + "session_hash_storage_key": { + "type": "boolean", + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "default": false, + "required": false + } + }, + { + "session_memcached_prefix": { + "type": "string", + "description": "The memcached session key prefix.", + "required": false + } + }, + { + "session_memcached_socket": { + "type": "string", + "description": "The memcached unix socket path.", + "required": false + } + }, + { + "session_memcached_host": { + "type": "string", + "description": "The memcached host.", + "default": "127.0.0.1", + "required": false + } + }, + { + "session_memcached_port": { + "type": "integer", + "default": 11211, + "required": false, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "session_redis_prefix": { + "type": "string", + "description": "The Redis session key prefix.", + "required": false + } + }, + { + "session_redis_socket": { + "type": "string", + "description": "The Redis unix socket path.", + "required": false + } + }, + { + "session_redis_host": { + "type": "string", + "description": "The Redis host IP.", + "default": "127.0.0.1", + "required": false + } + }, + { + "session_redis_port": { + "type": "integer", + "default": 6379, + "required": false, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "session_redis_username": { + "type": "string", + "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "referenceable": true, + "required": false + } + }, + { + "session_redis_password": { + "referenceable": true, + "required": false, + "encrypted": true, + "type": "string", + "description": "Password to use for Redis connection when the `redis` session storage is defined. 
If undefined, no auth commands are sent to Redis. This value is pulled from" + } + }, + { + "session_redis_connect_timeout": { + "type": "integer", + "description": "The Redis connection timeout in milliseconds.", + "required": false + } + }, + { + "session_redis_read_timeout": { + "type": "integer", + "description": "The Redis read timeout in milliseconds.", + "required": false + } + }, + { + "session_redis_send_timeout": { + "type": "integer", + "description": "The Redis send timeout in milliseconds.", + "required": false + } + }, + { + "session_redis_ssl": { + "type": "boolean", + "description": "Use SSL/TLS for the Redis connection.", + "default": false, + "required": false + } + }, + { + "session_redis_ssl_verify": { + "type": "boolean", + "description": "Verify the Redis server certificate.", + "default": false, + "required": false + } + }, + { + "session_redis_server_name": { + "type": "string", + "description": "The SNI used for connecting to the Redis server.", + "required": false + } + }, + { + "session_redis_cluster_nodes": { + "type": "array", + "description": "The Redis cluster node host. 
Takes an array of host records, with either `ip` or `host`, and `port` values.", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "type": "string", + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "default": 6379, + "between": [ + 0, + 65535 + ] + } + } + ] + }, + "required": false + } + }, + { + "session_redis_cluster_max_redirections": { + "type": "integer", + "description": "The Redis cluster maximum redirects.", + "required": false + } + } + ], + "shorthand_fields": [ + { + "session_cookie_lifetime": { + "type": "number" + } + }, + { + "session_cookie_idletime": { + "type": "number" + } + }, + { + "session_cookie_samesite": { + "type": "string" + } + }, + { + "session_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "type": "string" + } + }, + { + "session_memcache_socket": { + "type": "string" + } + }, + { + "session_memcache_host": { + "type": "string" + } + }, + { + "session_memcache_port": { + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer" + } + }, + { + "session_cookie_renew": { + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "type": "integer" + } + }, + { + "session_strategy": { + "type": "string" + } + }, + { + "session_compressor": { + "type": "string" + } + }, + { + "session_auth_ttl": { + "type": "number" + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/session/3.7.x.json b/schemas/session/3.7.x.json new file mode 100644 index 00000000..bb8b19ca --- /dev/null +++ b/schemas/session/3.7.x.json 
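Review bot: In `schemas/saml/3.7.x.json` the `session_redis_ssl_verify` field has `"default": false` and its description says only "Verify the Redis server certificate.", so a reader who enables `session_redis_ssl` gets an encrypted but unauthenticated connection to the store holding SAML session data unless they also set this flag. The description is the only place the published schema can say so, and I would extend it, for example `"description": "Verify the Redis server certificate. Off by default; enable it together with session_redis_ssl so the server is authenticated."`. In the same hunk, `request_digest_algorithm` and `response_digest_algorithm` list `SHA1` in `one_of` with no caveat in either description, and the `session_redis_password` description stops mid-sentence at "This value is pulled from". These files are downloaded, so the wording fixes probably belong in the schema source the download pulls from.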
@@ -0,0 +1,302 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "secret": { + "type": "string", + "default": "RXgNNJXCPEnI5Dl88JYZHkYm3cNyC56V8v9nvBERTWcj", + "required": false, + "description": "The secret that is used in keyed HMAC generation.", + "encrypted": true, + "referenceable": true + } + }, + { + "storage": { + "type": "string", + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", + "default": "cookie", + "one_of": [ + "cookie", + "kong" + ] + } + }, + { + "audience": { + "type": "string", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "default": "default" + } + }, + { + "idling_timeout": { + "type": "number", + "description": "The session cookie idle time, in seconds.", + "default": 900 + } + }, + { + "rolling_timeout": { + "type": "number", + "description": "The session cookie rolling timeout, in seconds. 
Specifies how long the session can be used until it needs to be renewed.", + "default": 3600 + } + }, + { + "absolute_timeout": { + "type": "number", + "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", + "default": 86400 + } + }, + { + "stale_ttl": { + "type": "number", + "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", + "default": 10 + } + }, + { + "cookie_name": { + "type": "string", + "description": "The name of the cookie.", + "default": "session" + } + }, + { + "cookie_path": { + "type": "string", + "description": "The resource in the host where the cookie is available.", + "default": "/" + } + }, + { + "cookie_domain": { + "type": "string", + "description": "The domain with which the cookie is intended to be exchanged." + } + }, + { + "cookie_same_site": { + "type": "string", + "description": "Determines whether and how a cookie may be sent with cross-site requests.", + "default": "Strict", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "cookie_http_only": { + "type": "boolean", + "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", + "default": true + } + }, + { + "cookie_secure": { + "type": "boolean", + "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", + "default": true + } + }, + { + "remember": { + "type": "boolean", + "description": "Enables or disables persistent sessions.", + "default": false + } + }, + { + "remember_cookie_name": { + "type": "string", + "description": "Persistent session cookie name. 
Use with the `remember` configuration parameter.", + "default": "remember" + } + }, + { + "remember_rolling_timeout": { + "type": "number", + "description": "The persistent session rolling timeout window, in seconds.", + "default": 604800 + } + }, + { + "remember_absolute_timeout": { + "type": "number", + "description": "The persistent session absolute timeout limit, in seconds.", + "default": 2592000 + } + }, + { + "response_headers": { + "type": "set", + "description": "List of information to include, as headers, in the response to the downstream.", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } + } + }, + { + "request_headers": { + "type": "set", + "description": "List of information to include, as headers, in the response to the downstream.", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } + } + }, + { + "read_body_for_logout": { + "type": "boolean", + "default": false + } + }, + { + "logout_methods": { + "type": "set", + "description": "A set of HTTP methods that the plugin will respond to.", + "default": [ + "POST", + "DELETE" + ], + "elements": { + "type": "string", + "one_of": [ + "GET", + "POST", + "DELETE" + ] + } + } + }, + { + "logout_query_arg": { + "type": "string", + "description": "The query argument passed to logout requests.", + "default": "session_logout" + } + }, + { + "logout_post_arg": { + "type": "string", + "description": "The POST argument passed to logout requests. 
Do not change this property.", + "default": "session_logout" + } + } + ], + "shorthand_fields": [ + { + "cookie_lifetime": { + "type": "number" + } + }, + { + "cookie_idletime": { + "type": "number" + } + }, + { + "cookie_renew": { + "type": "number" + } + }, + { + "cookie_discard": { + "type": "number" + } + }, + { + "cookie_samesite": { + "type": "string" + } + }, + { + "cookie_httponly": { + "type": "boolean" + } + }, + { + "cookie_persistent": { + "type": "boolean" + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/statsd-advanced/3.7.x.json b/schemas/statsd-advanced/3.7.x.json new file mode 100644 index 00000000..69880257 --- /dev/null +++ b/schemas/statsd-advanced/3.7.x.json 
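Review bot: The `secret` field in `schemas/session/3.7.x.json` is committed with a concrete `"default"` string, although its description calls it the secret used in keyed HMAC generation and the field is flagged `encrypted` and `referenceable`. The value looks like one generated on the instance the schema was downloaded from rather than a fixed product default (inferred; the generator is not visible in this patch). Published as-is it reads as a usable default, and any deployment that copies it protects its sessions with a publicly known key. I would drop the `default` key from this field in the published schema, or replace the value with an obvious placeholder such as `"default": "<generated per instance>"`, and have the description say what happens when the field is left unset. If the value is generated per instance, every re-download will also change this line and add noise to future schema diffs.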
@@ -0,0 +1,448 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com.", + "default": "localhost" + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "default": 8125, + "between": [ + 0, + 65535 + ] + } + }, + { + "prefix": { + "type": "string", + "description": "String to prefix to each metric's name.", + "default": "kong" + } + }, + { + "metrics": { + "type": "array", + "description": "List of Metrics to be logged.", + "default": [ + { + "stat_type": "counter", + "sample_rate": 1, + "name": "request_count" + }, + { + "name": "latency", + "stat_type": "timer" + }, + { + "name": "request_size", + "stat_type": "timer" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count" + }, + { + "name": "response_size", + "stat_type": "timer" + }, + { + "name": "unique_users", + "stat_type": "set" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "request_per_user" + }, + { + "name": "upstream_latency", + "stat_type": "timer" + }, + { + "name": "kong_latency", + "stat_type": "timer" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count_per_user" + }, + { + "stat_type": "counter", + "sample_rate": 
1, + "name": "status_count_per_workspace" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count_per_user_per_route" + }, + { + "stat_type": "gauge", + "sample_rate": 1, + "name": "shdict_usage" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "cache_datastore_hits_total" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "cache_datastore_misses_total" + } + ], + "elements": { + "type": "record", + "fields": [ + { + "name": { + "type": "string", + "one_of": [ + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "status_count", + "status_count_per_user", + "unique_users", + "upstream_latency", + "status_count_per_workspace", + "status_count_per_user_per_route", + "shdict_usage", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ], + "required": true + } + }, + { + "stat_type": { + "type": "string", + "one_of": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "required": true + } + }, + { + "sample_rate": { + "type": "number", + "gt": 0 + } + }, + { + "consumer_identifier": { + "type": "string", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + }, + { + "service_identifier": { + "type": "string", + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ] + } + }, + { + "workspace_identifier": { + "type": "string", + "one_of": [ + "workspace_id", + "workspace_name" + ] + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "set" + }, + "if_match": { + "one_of": [ + "unique_users" + ] + } + } + }, + { + "conditional": { + "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "counter" + }, + "if_match": { + "one_of": [ + "request_count", + "status_count", + "request_per_user", + "status_count_per_user", + "status_count_per_workspace", + 
"status_count_per_user_per_route", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + } + } + }, + { + "conditional": { + "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "gauge" + }, + "if_match": { + "one_of": [ + "shdict_usage" + ] + } + } + }, + { + "conditional": { + "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + }, + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + } + } + } + ] + } + } + }, + { + "allow_status_codes": { + "type": "array", + "description": "List of status code ranges that are allowed to be logged in metrics.", + "elements": { + "type": "string", + "match": "^[0-9]+-[0-9]+$" + } + } + }, + { + "udp_packet_size": { + "type": "number", + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", + "default": 0, + "between": [ + 0, + 65507 + ] + } + }, + { + "use_tcp": { + "type": "boolean", + "description": "Use TCP instead of UDP.", + "default": false + } + }, + { + "hostname_in_prefix": { + "type": "boolean", + "description": "Include the `hostname` in the `prefix` for each metric name.", + "default": false + } + }, + { + "consumer_identifier_default": { + "type": "string", + "default": "custom_id", + "required": true, + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + }, + { + "service_identifier_default": { + "type": "string", + "default": "service_name_or_host", + "required": true, + "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. 
Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ] + } + }, + { + "workspace_identifier_default": { + "type": "string", + "default": "workspace_id", + "required": true, + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", + "one_of": [ + "workspace_id", + "workspace_name" + ] + } + }, + { + "queue": { + "type": "record", + "fields": [ + { + "max_batch_size": { + "type": "integer", + "description": "Maximum number of entries that can be processed at a time.", + "default": 1, + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_coalescing_delay": { + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "default": 1, + "between": [ + 0, + 3600 + ] + } + }, + { + "max_entries": { + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue.", + "default": 10000, + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." 
+ } + }, + { + "max_retry_time": { + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60 + } + }, + { + "initial_retry_delay": { + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch.", + "default": 0.01, + "between": [ + 0.001, + 1000000 + ] + } + }, + { + "max_retry_delay": { + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "default": 60, + "between": [ + 0.001, + 1000000 + ] + } + } + ], + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/statsd/3.7.x.json b/schemas/statsd/3.7.x.json new file mode 100644 index 00000000..ab47d696 --- /dev/null +++ b/schemas/statsd/3.7.x.json 
@@ -0,0 +1,439 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "host": { + "type": "string", + "description": "The IP address or hostname of StatsD server to send data to.", + "default": "localhost" + } + }, + { + "port": { + "type": "integer", + "description": "The port of StatsD server to send data to.", + "default": 8125, + "between": [ + 0, + 65535 + ] + } + }, + { + "prefix": { + "type": "string", + "description": "String to prefix to each metric's name.", + "default": "kong" + } + }, + { + "metrics": { + "type": "array", + "description": "List of metrics to be logged.", + "default": [ + { + "stat_type": "counter", + "name": "request_count", + "sample_rate": 1 + }, + { + "name": "latency", + "stat_type": "timer" + }, + { + "stat_type": "counter", + "name": "request_size", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "status_count", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "response_size", + "sample_rate": 1 + }, + { + "name": "unique_users", + "stat_type": "set" + }, + { + "stat_type": "counter", + "name": "request_per_user", + "sample_rate": 1 + }, + { + "name": "upstream_latency", + "stat_type": "timer" + }, + { + "name": "kong_latency", + "stat_type": "timer" + }, + { + "stat_type": "counter", + "name": "status_count_per_user", + "sample_rate": 1 + }, + { + "stat_type": 
"counter", + "name": "status_count_per_workspace", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "status_count_per_user_per_route", + "sample_rate": 1 + }, + { + "stat_type": "gauge", + "name": "shdict_usage", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "cache_datastore_hits_total", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "cache_datastore_misses_total", + "sample_rate": 1 + } + ], + "elements": { + "type": "record", + "fields": [ + { + "name": { + "type": "string", + "description": "StatsD metric’s name.", + "one_of": [ + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "status_count", + "status_count_per_user", + "unique_users", + "upstream_latency", + "status_count_per_workspace", + "status_count_per_user_per_route", + "shdict_usage", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ], + "required": true + } + }, + { + "stat_type": { + "type": "string", + "description": "Determines what sort of event a metric represents.", + "one_of": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "required": true + } + }, + { + "sample_rate": { + "type": "number", + "description": "Sampling rate", + "gt": 0 + } + }, + { + "consumer_identifier": { + "type": "string", + "description": "Authenticated user detail.", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + }, + { + "service_identifier": { + "type": "string", + "description": "Service detail.", + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ] + } + }, + { + "workspace_identifier": { + "type": "string", + "description": "Workspace detail.", + "one_of": [ + "workspace_id", + "workspace_name" + ] + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + }, + "if_match": { + "one_of": [ + "counter", + 
"gauge" + ] + } + } + } + ] + } + } + }, + { + "allow_status_codes": { + "type": "array", + "description": "List of status code ranges that are allowed to be logged in metrics.", + "elements": { + "type": "string", + "match": "^[0-9]+-[0-9]+$" + } + } + }, + { + "udp_packet_size": { + "type": "number", + "default": 0, + "between": [ + 0, + 65507 + ] + } + }, + { + "use_tcp": { + "type": "boolean", + "default": false + } + }, + { + "hostname_in_prefix": { + "type": "boolean", + "default": false + } + }, + { + "consumer_identifier_default": { + "type": "string", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ], + "default": "custom_id", + "required": true + } + }, + { + "service_identifier_default": { + "type": "string", + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ], + "default": "service_name_or_host", + "required": true + } + }, + { + "workspace_identifier_default": { + "type": "string", + "one_of": [ + "workspace_id", + "workspace_name" + ], + "default": "workspace_id", + "required": true + } + }, + { + "retry_count": { + "type": "integer" + } + }, + { + "queue_size": { + "type": "integer" + } + }, + { + "flush_timeout": { + "type": "number" + } + }, + { + "tag_style": { + "type": "string", + "one_of": [ + "dogstatsd", + "influxdb", + "librato", + "signalfx" + ], + "required": false + } + }, + { + "queue": { + "type": "record", + "fields": [ + { + "max_batch_size": { + "type": "integer", + "description": "Maximum number of entries that can be processed at a time.", + "default": 1, + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_coalescing_delay": { + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "default": 1, + "between": [ + 0, + 3600 + ] + } + }, + { + "max_entries": { + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue.", + 
"default": 10000, + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + } + }, + { + "max_retry_time": { + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60 + } + }, + { + "initial_retry_delay": { + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch.", + "default": 0.01, + "between": [ + 0.001, + 1000000 + ] + } + }, + { + "max_retry_delay": { + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "default": 60, + "between": [ + 0.001, + 1000000 + ] + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "retry_count", + "queue_size", + "flush_timeout" + ] + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/syslog/3.7.x.json b/schemas/syslog/3.7.x.json new file mode 100644 index 00000000..c306b440 --- /dev/null +++ b/schemas/syslog/3.7.x.json 
@@ -0,0 +1,164 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "log_level": { + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ], + "default": "info", + "required": true + } + }, + { + "successful_severity": { + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ], + "default": "info", + "required": true + } + }, + { + "client_errors_severity": { + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ], + "default": "info", + "required": true + } + }, + { + "server_errors_severity": { + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ], + "default": "info", + "required": true + } + }, + { + "custom_fields_by_lua": { + "type": "map", + "keys": { + "type": "string", + "len_min": 1 + }, + "description": "Lua code as a key-value map", + "values": { + "type": "string", + "len_min": 1 + } + } + }, + { + "facility": { + "type": "string", + "default": "user", + "required": true, + "description": "The facility is used by the operating system to decide how to handle each log message.", + "one_of": [ + "auth", + "authpriv", + "cron", + "daemon", + "ftp", + 
"kern", + "lpr", + "mail", + "news", + "syslog", + "user", + "uucp", + "local0", + "local1", + "local2", + "local3", + "local4", + "local5", + "local6", + "local7" + ] + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/tcp-log/3.7.x.json b/schemas/tcp-log/3.7.x.json new file mode 100644 index 00000000..222307c2 --- /dev/null +++ b/schemas/tcp-log/3.7.x.json 
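Review bot: The `custom_fields_by_lua` description in schemas/syslog/3.7.x.json, `"Lua code as a key-value map"`, does not say that the map values are executed, and the udp-log schema later in this patch carries the same wording. The tcp-log schema in this patch describes the same field as a map whose value is "a chunk of Lua code, whose return value sets or replaces the log field value". Reusing that text here would make it clear that write access to this plugin's configuration amounts to running Lua on the gateway; how far that code is sandboxed is not visible from the schema. The file is pulled from the API, so the wording presumably has to be corrected in the plugin's schema source.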
@@ -0,0 +1,112 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "host": { + "type": "string", + "description": "The IP address or host name to send data to.", + "required": true + } + }, + { + "port": { + "type": "integer", + "description": "The port to send data to on the upstream server.", + "required": true, + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "type": "number", + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "default": 10000 + } + }, + { + "keepalive": { + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "default": 60000 + } + }, + { + "tls": { + "type": "boolean", + "description": "Indicates whether to perform a TLS handshake against the remote server.", + "default": false, + "required": true + } + }, + { + "tls_sni": { + "type": "string", + "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake." 
+ } + }, + { + "custom_fields_by_lua": { + "type": "map", + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", + "keys": { + "type": "string", + "len_min": 1 + }, + "values": { + "type": "string", + "len_min": 1 + } + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/tls-handshake-modifier/3.7.x.json b/schemas/tls-handshake-modifier/3.7.x.json new file mode 100644 index 00000000..554cd64b --- /dev/null +++ b/schemas/tls-handshake-modifier/3.7.x.json @@ -0,0 +1,60 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "https", + "grpcs", + "tls" + ] + }, + "default": [ + "https", + "grpcs" + ], + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "tls_client_certificate": { + "type": "string", + "default": "REQUEST", + "required": false, + "description": "TLS Client Certificate", + "one_of": [ + "REQUEST" + ] + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/tls-metadata-headers/3.7.x.json b/schemas/tls-metadata-headers/3.7.x.json new file mode 100644 index 00000000..87b1aae5 --- /dev/null +++ b/schemas/tls-metadata-headers/3.7.x.json 
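Review bot: `config.tls` in schemas/tcp-log/3.7.x.json defaults to `false`, and its description does not mention that log entries then travel unencrypted to the configured `host` and `port`. The field list has no option for verifying the remote certificate, so the `tls` description should also say whether the handshake checks the peer certificate or only encrypts; that cannot be told from the schema. A suggested addition to the description: `When false, log data is sent in plaintext.`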
@@ -0,0 +1,96 @@ +{ + "fields": [ + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "https", + "grpcs", + "tls" + ] + }, + "default": [ + "https", + "grpcs" + ], + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "inject_client_cert_details": { + "type": "boolean", + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", + "default": false + } + }, + { + "client_cert_header_name": { + "type": "string", + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", + "default": "X-Client-Cert", + "required": true + } + }, + { + "client_serial_header_name": { + "type": "string", + "description": "Define the HTTP header name used for the serial number of the client certificate.", + "default": "X-Client-Cert-Serial", + "required": true + } + }, + { + "client_cert_issuer_dn_header_name": { + "type": "string", + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", + "default": "X-Client-Cert-Issuer-DN", + "required": true + } + }, + { + "client_cert_subject_dn_header_name": { + "type": "string", + "description": "Define the HTTP header name used for the subject DN of the client certificate.", + "default": "X-Client-Cert-Subject-DN", + "required": true + } + }, + { + "client_cert_fingerprint_header_name": { + "type": "string", + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", + "default": "X-Client-Cert-Fingerprint", + "required": true + } + } + ], + 
"required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/udp-log/3.7.x.json b/schemas/udp-log/3.7.x.json new file mode 100644 index 00000000..fb5badb4 --- /dev/null +++ b/schemas/udp-log/3.7.x.json @@ -0,0 +1,91 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com.", + "required": true + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "type": "number", + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "default": 10000 + } + }, + { + "custom_fields_by_lua": { + "type": "map", + "keys": { + "type": "string", + "len_min": 1 + }, + "description": "Lua code as a key-value map", + "values": { + "type": "string", + "len_min": 1 + } + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/upstream-timeout/3.7.x.json b/schemas/upstream-timeout/3.7.x.json new file mode 100644 index 00000000..8f06be02 --- /dev/null +++ b/schemas/upstream-timeout/3.7.x.json 
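Review bot: The five `client_*_header_name` fields in schemas/tls-metadata-headers/3.7.x.json name headers that carry certificate identity to the upstream, but no description states what happens to a header of the same name that the client itself sent. An upstream that authorises on `X-Client-Cert-Subject-DN` needs that stated, so `inject_client_cert_details` should document whether inbound copies are overwritten or removed; this is not determinable from the schema. The `client_cert_fingerprint_header_name` description says the value is a SHA1 fingerprint, and a short caveat such as `SHA-1 fingerprint; suitable for lookup or logging, not as the only proof of identity` would help readers.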
@@ -0,0 +1,75 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/vault-auth/3.7.x.json b/schemas/vault-auth/3.7.x.json new file mode 100644 index 00000000..7fab8589 --- /dev/null +++ b/schemas/vault-auth/3.7.x.json 
@@ -0,0 +1,112 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "consumer": { + "type": "foreign", + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "access_token_name": { + "type": "string", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "default": "access_token", + "required": true, + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-]." + } + }, + { + "secret_token_name": { + "type": "string", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "default": "secret_token", + "required": true, + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-]." 
+ } + }, + { + "vault": { + "type": "foreign", + "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", + "reference": "vault_auth_vaults", + "required": true + } + }, + { + "hide_credentials": { + "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", + "default": false + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "tokens_in_body": { + "type": "boolean", + "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "default": false + } + }, + { + "run_on_preflight": { + "type": "boolean", + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "default": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/websocket-size-limit/3.7.x.json b/schemas/websocket-size-limit/3.7.x.json new file mode 100644 index 00000000..8cd19314 --- /dev/null +++ b/schemas/websocket-size-limit/3.7.x.json 
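Review bot: `access_token_name` and `secret_token_name` in schemas/vault-auth/3.7.x.json are declared `"type": "string"` yet carry an `elements` block, and their descriptions speak of "an array of comma-separated parameter names", so a reader cannot tell whether one name or a list is accepted. The same descriptions say the credential may be read from the querystring while `hide_credentials` defaults to `false`, which means the secret token is forwarded to the upstream unless that default is changed; the `hide_credentials` text could say so directly. In `tokens_in_body`, `application/www-form-urlencoded` looks like a typo for `application/x-www-form-urlencoded`.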
@@ -0,0 +1,68 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "ws", + "wss" + ] + }, + "default": [ + "ws", + "wss" + ], + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "client_max_payload": { + "type": "integer", + "required": false, + "between": [ + 1, + 33554432 + ] + } + }, + { + "upstream_max_payload": { + "type": "integer", + "required": false, + "between": [ + 1, + 33554432 + ] + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "client_max_payload", + "upstream_max_payload" + ] + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/websocket-validator/3.7.x.json b/schemas/websocket-validator/3.7.x.json new file mode 100644 index 00000000..0c595bd3 --- /dev/null +++ b/schemas/websocket-validator/3.7.x.json 
@@ -0,0 +1,220 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "ws", + "wss" + ] + }, + "default": [ + "ws", + "wss" + ], + "required": true + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "client": { + "type": "record", + "fields": [ + { + "text": { + "type": "record", + "fields": [ + { + "type": { + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "one_of": [ + "draft4" + ], + "required": true + } + }, + { + "schema": { + "type": "string", + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "required": false + } + }, + { + "binary": { + "type": "record", + "fields": [ + { + "type": { + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "one_of": [ + "draft4" + ], + "required": true + } + }, + { + "schema": { + "type": "string", + "description": "Schema used to validate upstream-originated binary frames. 
The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "required": false + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } + ], + "required": false + } + }, + { + "upstream": { + "type": "record", + "fields": [ + { + "text": { + "type": "record", + "fields": [ + { + "type": { + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "one_of": [ + "draft4" + ], + "required": true + } + }, + { + "schema": { + "type": "string", + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "required": false + } + }, + { + "binary": { + "type": "record", + "fields": [ + { + "type": { + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "one_of": [ + "draft4" + ], + "required": true + } + }, + { + "schema": { + "type": "string", + "description": "Schema used to validate upstream-originated binary frames. 
The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "required": false + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } + ], + "required": false + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "client", + "upstream" + ] + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/xml-threat-protection/3.7.x.json b/schemas/xml-threat-protection/3.7.x.json new file mode 100644 index 00000000..2d5ade84 --- /dev/null +++ b/schemas/xml-threat-protection/3.7.x.json 
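Review bot: All eight `type`/`schema` descriptions in schemas/websocket-validator/3.7.x.json refer to `config.upstream.binary.*` and "upstream-originated binary frames", including the ones under `client.text`, `client.binary` and `upstream.text`. Each should name its own path and frame source, for example for `client.text.schema`: `Schema used to validate client-originated text frames. The semantics of this field depend on the validation type set by config.client.text.type.` As written, someone configuring client-side validation is told the schema applies to upstream traffic. The file is downloaded from the API, so the correction presumably belongs in the plugin's schema source.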
@@ -0,0 +1,300 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "checked_content_types": { + "type": "set", + "elements": { + "match": "^[^%s]+%/[^ ;]+$", + "type": "string", + "required": true + }, + "default": [ + "application/xml" + ], + "required": true, + "description": "A list of Content-Type values with payloads that must be validated." + } + }, + { + "allowed_content_types": { + "type": "set", + "elements": { + "match": "^[^%s]+%/[^ ;]+$", + "type": "string", + "required": true + }, + "default": [ + + ], + "required": true, + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated." + } + }, + { + "allow_dtd": { + "type": "boolean", + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", + "default": false, + "required": true + } + }, + { + "namespace_aware": { + "type": "boolean", + "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", + "default": true, + "required": true + } + }, + { + "max_depth": { + "type": "integer", + "default": 50, + "required": true, + "gt": 0, + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level." 
+ } + }, + { + "max_children": { + "type": "integer", + "default": 100, + "required": true, + "gt": 0, + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child." + } + }, + { + "max_attributes": { + "type": "integer", + "default": 100, + "required": true, + "gt": 0, + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes." + } + }, + { + "max_namespaces": { + "type": "integer", + "default": 20, + "required": false, + "gt": 0, + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware." + } + }, + { + "document": { + "type": "integer", + "default": 10485760, + "required": true, + "gt": 0, + "description": "Maximum size of the entire document." + } + }, + { + "buffer": { + "type": "integer", + "default": 1048576, + "required": true, + "gt": 0, + "description": "Maximum size of the unparsed buffer (see below)." + } + }, + { + "comment": { + "type": "integer", + "default": 1024, + "required": true, + "gt": 0, + "description": "Maximum size of comments." + } + }, + { + "localname": { + "type": "integer", + "default": 1024, + "required": true, + "gt": 0, + "description": "Maximum size of the localname. This applies to tags and attributes." + } + }, + { + "prefix": { + "type": "integer", + "default": 1024, + "required": false, + "gt": 0, + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware." + } + }, + { + "namespaceuri": { + "type": "integer", + "default": 1024, + "required": false, + "gt": 0, + "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware." 
+ } + }, + { + "attribute": { + "type": "integer", + "default": 1048576, + "required": true, + "gt": 0, + "description": "Maximum size of the attribute value." + } + }, + { + "text": { + "type": "integer", + "default": 1048576, + "required": true, + "gt": 0, + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined)." + } + }, + { + "pitarget": { + "type": "integer", + "default": 1024, + "required": true, + "gt": 0, + "description": "Maximum size of processing instruction targets." + } + }, + { + "pidata": { + "type": "integer", + "default": 1024, + "required": true, + "gt": 0, + "description": "Maximum size of processing instruction data." + } + }, + { + "entityname": { + "type": "integer", + "default": 1024, + "required": true, + "gt": 0, + "description": "Maximum size of entity names in EntityDecl." + } + }, + { + "entity": { + "type": "integer", + "default": 1024, + "required": true, + "gt": 0, + "description": "Maximum size of entity values in EntityDecl." + } + }, + { + "entityproperty": { + "type": "integer", + "default": 1024, + "required": true, + "gt": 0, + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl." + } + }, + { + "bla_max_amplification": { + "type": "number", + "default": 100, + "required": true, + "gt": 1, + "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack." + } + }, + { + "bla_threshold": { + "type": "integer", + "default": 8388608, + "required": true, + "gt": 1024, + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack." 
+ } + } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "max_namespaces", + "if_field": "namespace_aware", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + } + } + }, + { + "conditional": { + "then_field": "prefix", + "if_field": "namespace_aware", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + } + } + }, + { + "conditional": { + "then_field": "namespaceuri", + "if_field": "namespace_aware", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + } + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/zipkin/3.7.x.json b/schemas/zipkin/3.7.x.json new file mode 100644 index 00000000..b6d5da59 --- /dev/null +++ b/schemas/zipkin/3.7.x.json 
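Review bot: The `buffer` description in schemas/xml-threat-protection/3.7.x.json ends with "(see below)", which points at nothing in the schema, so the meaning of the unparsed-buffer limit is left unexplained. `allowed_content_types` is described as payloads that are "allowed, but aren't validated"; it would be worth adding that a type listed there is subject to none of the limits in this plugin, for example `Payloads with these types skip all XML checks; list only types that the upstream does not parse as XML.` The size fields (`document`, `buffer`, `comment`, `attribute`, `text` and the rest) also do not state their unit.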
@@ -0,0 +1,325 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "local_service_name": { + "type": "string", + "description": "The name of the service as displayed in Zipkin.", + "default": "kong", + "required": true + } + }, + { + "http_endpoint": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "sample_ratio": { + "type": "number", + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", + "default": 0.001, + "between": [ + 0, + 1 + ] + } + }, + { + "default_service_name": { + "type": "string", + "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans." 
+ } + }, + { + "include_credential": { + "type": "boolean", + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", + "default": true, + "required": true + } + }, + { + "traceid_byte_count": { + "type": "integer", + "default": 16, + "required": true, + "description": "The length in bytes of each request's Trace ID.", + "one_of": [ + 8, + 16 + ] + } + }, + { + "header_type": { + "type": "string", + "default": "preserve", + "required": true, + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", + "one_of": [ + "preserve", + "ignore", + "b3", + "b3-single", + "w3c", + "jaeger", + "ot", + "aws", + "datadog", + "gcp" + ] + } + }, + { + "default_header_type": { + "type": "string", + "default": "b3", + "required": true, + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. 
When `header_type` is set to any other value, `default_header_type` is ignored.", + "one_of": [ + "b3", + "b3-single", + "w3c", + "jaeger", + "ot", + "aws", + "datadog", + "gcp" + ] + } + }, + { + "tags_header": { + "type": "string", + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", + "default": "Zipkin-Tags", + "required": true + } + }, + { + "static_tags": { + "type": "array", + "description": "The tags specified on this property will be added to the generated request traces.", + "elements": { + "type": "record", + "fields": [ + { + "name": { + "type": "string", + "not_one_of": [ + "error", + "http.method", + "http.path", + "http.status_code", + "kong.balancer.state", + "kong.balancer.try", + "kong.consumer", + "kong.credential", + "kong.node.id", + "kong.route", + "kong.service", + "lc", + "peer.hostname" + ], + "required": true + } + }, + { + "value": { + "type": "string", + "required": true + } + } + ] + } + } + }, + { + "http_span_name": { + "type": "string", + "default": "method", + "required": true, + "description": "Specify whether to include the HTTP path in the span name.", + "one_of": [ + "method", + "method_path" + ] + } + }, + { + "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "default": 2000, + "between": [ + 0, + 2147483646 + ] + } + }, + { + "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "default": 5000, + "between": [ + 0, + 2147483646 + ] + } + }, + { + "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "default": 5000, + "between": [ + 0, + 2147483646 + ] + } + }, + { + "http_response_header_for_traceid": { + "type": "string" + } + }, + { + "phase_duration_flavor": { + "type": "string", + "default": "annotations", + "required": true, + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", + "one_of": [ + "annotations", + "tags" + ] + } + }, + { + "queue": { + "type": "record", + "fields": [ + { + "max_batch_size": { + "type": "integer", + "description": "Maximum number of entries that can be processed at a time.", + "default": 1, + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_coalescing_delay": { + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "default": 1, + "between": [ + 0, + 3600 + ] + } + }, + { + "max_entries": { + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue.", + "default": 10000, + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + } + }, + { + "max_retry_time": { + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60 + } + }, + { + "initial_retry_delay": { + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch.", + "default": 0.01, + "between": [ + 0.001, + 1000000 + ] + } + }, + { + "max_retry_delay": { + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "default": 60, + "between": [ + 0.001, + 1000000 + ] + } + } + ], + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file 
From 7a05c7e95b7f7f2b28b20a970decd45ab137b28d Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Tue, 20 Feb 2024 09:08:50 -0800 Subject: [PATCH 039/165] generate priorities and ref fields (#23) --- data/priorities/ee/3.7.x.json | 76 ++++++++++++++ data/priorities/oss/3.7.x.json | 45 +++++++++ data/referenceable_fields/3.7.x.json | 144 +++++++++++++++++++++++++++ 3 files changed, 265 insertions(+) create mode 100644 data/priorities/ee/3.7.x.json create mode 100644 data/priorities/oss/3.7.x.json create mode 100644 data/referenceable_fields/3.7.x.json diff --git a/data/priorities/ee/3.7.x.json b/data/priorities/ee/3.7.x.json new file mode 100644 index 00000000..3e8bd4d4 --- /dev/null +++ b/data/priorities/ee/3.7.x.json 
@@ -0,0 +1,76 @@ +{ + "pre-function": 1000000, + "app-dynamics": 999999, + "correlation-id": 100001, + "zipkin": 100000, + "exit-transformer": 9999, + "bot-detection": 2500, + "cors": 2000, + "jwe-decrypt": 1999, + "session": 1900, + "acme": 1705, + "oauth2-introspection": 1700, + "mtls-auth": 1600, + "degraphql": 1500, + "jwt": 1450, + "oauth2": 1400, + "vault-auth": 1350, + "key-auth-enc": 1250, + "key-auth": 1250, + "ldap-auth": 1200, + "ldap-auth-advanced": 1200, + "basic-auth": 1100, + "openid-connect": 1050, + "hmac-auth": 1030, + "jwt-signer": 1020, + "websocket-size-limit": 999, + "request-validator": 999, + "xml-threat-protection": 999, + "websocket-validator": 999, + "grpc-gateway": 998, + "tls-handshake-modifier": 997, + "tls-metadata-headers": 996, + "application-registration": 995, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "opa": 920, + "rate-limiting-advanced": 910, + "rate-limiting": 910, + "graphql-rate-limiting-advanced": 902, + "saml": 900, + "response-ratelimiting": 900, + "route-by-header": 850, + "oas-validation": 850, + "jq": 811, + "request-transformer-advanced": 802, + "request-transformer": 801, + "response-transformer": 800, + "response-transformer-advanced": 800, + "route-transformer-advanced": 780, + "kafka-upstream": 751, + "aws-lambda": 750, + "azure-functions": 749, + "upstream-timeout": 400, + "proxy-cache-advanced": 100, + "proxy-cache": 100, + "graphql-proxy-cache-advanced": 99, + "forward-proxy": 50, + "canary": 20, + "opentelemetry": 14, + "prometheus": 13, + "http-log": 12, + "statsd": 11, + "statsd-advanced": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "kafka-log": 5, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "mocking": -1, + "post-function": -1000 +} \ No newline at end of file diff --git a/data/priorities/oss/3.7.x.json b/data/priorities/oss/3.7.x.json new file mode 100644 index 00000000..f1d4cd82 --- /dev/null 
+++ b/data/priorities/oss/3.7.x.json @@ -0,0 +1,45 @@ +{ + "pre-function": 1000000, + "zipkin": 100000, + "bot-detection": 2500, + "cors": 2000, + "session": 1900, + "acme": 1705, + "jwt": 1450, + "oauth2": 1400, + "key-auth": 1250, + "ldap-auth": 1200, + "basic-auth": 1100, + "hmac-auth": 1030, + "grpc-gateway": 998, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "rate-limiting": 910, + "response-ratelimiting": 900, + "request-transformer": 801, + "response-transformer": 800, + "ai-request-transformer": 777, + "ai-prompt-template": 773, + "ai-prompt-decorator": 772, + "ai-prompt-guard": 771, + "ai-proxy": 770, + "ai-response-transformer": 769, + "aws-lambda": 750, + "azure-functions": 749, + "proxy-cache": 100, + "opentelemetry": 14, + "prometheus": 13, + "http-log": 12, + "statsd": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "correlation-id": 1, + "post-function": -1000 +} \ No newline at end of file diff --git a/data/referenceable_fields/3.7.x.json b/data/referenceable_fields/3.7.x.json new file mode 100644 index 00000000..9727279e --- /dev/null +++ b/data/referenceable_fields/3.7.x.json 
@@ -0,0 +1,144 @@ +{ + "acme": [ + "config.account_email", + "config.eab_kid", + "config.eab_hmac_key", + "config.storage_config.redis.username", + "config.storage_config.redis.password", + "config.storage_config.consul.token", + "config.storage_config.vault.token" + ], + "ai-proxy": [ + "config.auth.header_name", + "config.auth.header_value", + "config.auth.param_name", + "config.auth.param_value" + ], + "ai-request-transformer": [ + "config.llm.auth.header_name", + "config.llm.auth.header_value", + "config.llm.auth.param_name", + "config.llm.auth.param_value" + ], + "ai-response-transformer": [ + "config.llm.auth.header_name", + "config.llm.auth.header_value", + "config.llm.auth.param_name", + "config.llm.auth.param_value" + ], + "aws-lambda": [ + "config.aws_key", + "config.aws_secret", + "config.aws_assume_role_arn" + ], + "azure-functions": [ + "config.apikey", + "config.clientid" + ], + "datadog": [ + "config.host" + ], + "forward-proxy": [ + "config.auth_username", + "config.auth_password" + ], + "graphql-rate-limiting-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "http-log": [ + "config.http_endpoint", + "config.headers" + ], + "kafka-log": [ + "config.authentication.user", + "config.authentication.password" + ], + "kafka-upstream": [ + "config.authentication.user", + "config.authentication.password" + ], + "ldap-auth-advanced": [ + "config.ldap_password", + "config.bind_dn" + ], + "loggly": [ + "config.key" + ], + "oauth2-introspection": [ + "config.authorization_value" + ], + "openid-connect": [ + "config.client_id", + "config.client_secret", + "config.client_jwk.k", + "config.client_jwk.d", + "config.client_jwk.p", + "config.client_jwk.q", + "config.client_jwk.dp", + "config.client_jwk.dq", + "config.client_jwk.qi", + "config.client_jwk.oth", + "config.client_jwk.r", + "config.client_jwk.t", + "config.login_redirect_uri", + "config.logout_redirect_uri", + 
"config.scopes", + "config.introspection_headers_values", + "config.session_secret", + "config.session_redis_username", + "config.session_redis_password" + ], + "opentelemetry": [ + "config.endpoint", + "config.headers" + ], + "proxy-cache-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "rate-limiting": [ + "config.redis.username", + "config.redis.password" + ], + "rate-limiting-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "request-transformer-advanced": [ + "config.rename.body", + "config.rename.headers", + "config.rename.querystring", + "config.replace.body", + "config.replace.headers", + "config.replace.querystring", + "config.add.body", + "config.add.headers", + "config.add.querystring", + "config.append.body", + "config.append.headers", + "config.append.querystring" + ], + "response-ratelimiting": [ + "config.redis.username", + "config.redis.password" + ], + "saml": [ + "config.idp_certificate", + "config.response_encryption_key", + "config.request_signing_key", + "config.request_signing_certificate", + "config.session_secret", + "config.session_redis_username", + "config.session_redis_password" + ], + "session": [ + "config.secret" + ] +} \ No newline at end of file From d3cf24ba7d63ac0e9f9dc11c905ad3531e8a4f0a Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Mon, 26 Feb 2024 11:18:05 -0800 Subject: [PATCH 040/165] generate schemas for 3.6.1 (#24) --- schemas/ldap-auth-advanced/3.6.x.json | 104 +++++++++++++------------- schemas/opentelemetry/3.6.x.json | 93 ++++++++++++----------- 2 files changed, 100 insertions(+), 97 deletions(-) diff --git a/schemas/ldap-auth-advanced/3.6.x.json b/schemas/ldap-auth-advanced/3.6.x.json index b0950806..8038366c 100644 --- a/schemas/ldap-auth-advanced/3.6.x.json 
+++ b/schemas/ldap-auth-advanced/3.6.x.json @@ -22,6 +22,7 @@ "wss" ], "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", @@ -29,37 +30,35 @@ "https", "ws", "wss" - ], - "type": "string" + ] } } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", + "reference": "consumer_groups", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { - "reference": "consumers", "type": "foreign", - "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "reference": "consumers", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { - "required": true, "type": "record", "fields": [ { "ldap_host": { - "required": true, + "description": "Host on which the LDAP server is running.", "type": "string", - "description": "Host on which the LDAP server is running." + "required": true } }, { @@ -72,9 +71,9 @@ }, { "ldap_port": { + "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", "type": "number", - "default": 389, - "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636." + "default": 389 } }, { 
@@ -86,110 +85,110 @@ }, { "ldaps": { - "required": true, + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", "type": "boolean", "default": false, - "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled." + "required": true } }, { "start_tls": { - "required": true, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", "type": "boolean", "default": false, - "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled." + "required": true } }, { "verify_ldap_host": { - "required": true, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", "type": "boolean", "default": false, - "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive." + "required": true } }, { "base_dn": { - "required": true, + "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", "type": "string", - "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'." 
+ "required": true } }, { "attribute": { - "required": true, + "description": "Attribute to be used to search the user; e.g., \"cn\".", "type": "string", - "description": "Attribute to be used to search the user; e.g., \"cn\"." + "required": true } }, { "cache_ttl": { - "required": true, + "description": "Cache expiry time in seconds.", "type": "number", "default": 60, - "description": "Cache expiry time in seconds." + "required": true } }, { "hide_credentials": { + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", "type": "boolean", - "default": false, - "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request." + "default": false } }, { "timeout": { + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", "type": "number", - "default": 10000, - "description": "An optional timeout in milliseconds when waiting for connection with LDAP server." + "default": 10000 } }, { "keepalive": { + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", "type": "number", - "default": 60000, - "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed." + "default": 60000 } }, { "anonymous": { - "default": "", + "len_min": 0, "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "len_min": 0 + "default": "", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { "header_type": { + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", "type": "string", - "default": "ldap", - "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`." + "default": "ldap" } }, { "consumer_optional": { - "required": false, + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", "type": "boolean", "default": false, - "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user." 
+ "required": false } }, { "consumer_by": { - "elements": { - "one_of": [ - "username", - "custom_id" - ], - "type": "string" - }, "type": "array", + "required": false, + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", "default": [ "username", "custom_id" ], - "required": false, - "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both." + "elements": { + "type": "string", + "one_of": [ + "username", + "custom_id" + ] + } } }, { @@ -206,30 +205,31 @@ }, { "group_member_attribute": { + "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive.", "type": "string", - "default": "memberOf", - "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive." + "default": "memberOf" } }, { "log_search_results": { - "required": false, + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", "type": "boolean", "default": false, - "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment." + "required": false } }, { "groups_required": { - "required": false, - "type": "array", "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", + "type": "array", + "required": false, "elements": { "type": "string" } } } - ] + ], + "required": true } } ] 
diff --git a/schemas/opentelemetry/3.6.x.json b/schemas/opentelemetry/3.6.x.json index 756e5607..ce5d22bb 100644 --- a/schemas/opentelemetry/3.6.x.json +++ b/schemas/opentelemetry/3.6.x.json @@ -5,30 +5,30 @@ "fields": [ { "protocols": { - "elements": { - "one_of": [ - "grpc", - "grpcs", - "http", - "https" - ], - "type": "string" - }, "type": "set", + "required": true, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" ], - "required": true, - "description": "A set of strings representing HTTP protocols." + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", + "reference": "consumer_groups", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } @@ -57,12 +57,12 @@ }, { "headers": { + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", + "type": "map", "keys": { "description": "A string representing an HTTP header name.", "type": "string" }, - "type": "map", - "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", "values": { "referenceable": true, "type": "string" 
@@ -71,27 +71,29 @@ }, { "resource_attributes": { + "type": "map", "keys": { - "required": true, - "type": "string" + "type": "string", + "required": true }, - "type": "map", "values": { - "required": true, - "type": "string" + "type": "string", + "required": true } } }, { "queue": { - "required": true, + "default": { + "max_batch_size": 200 + }, "type": "record", "fields": [ { "max_batch_size": { - "default": 1, - "type": "integer", "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", + "default": 1, "between": [ 1, 1000000 @@ -100,9 +102,9 @@ }, { "max_coalescing_delay": { - "default": 1, - "type": "number", "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", + "default": 1, "between": [ 0, 3600 @@ -111,9 +113,9 @@ }, { "max_entries": { - "default": 10000, - "type": "integer", "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", + "default": 10000, "between": [ 1, 1000000 @@ -128,16 +130,16 @@ }, { "max_retry_time": { + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number", - "default": 60, - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "default": 60 } }, { "initial_retry_delay": { - "default": 0.01, - "type": "number", "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", + "default": 0.01, "between": [ 0.001, 1000000 @@ -146,16 +148,17 @@ }, { "max_retry_delay": { - "default": 60, - "type": "number", "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", + "default": 60, "between": [ 0.001, 1000000 ] } } - ] + ], + "required": true } }, { 
@@ -172,9 +175,9 @@ }, { "connect_timeout": { - "default": 1000, - "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "default": 1000, "between": [ 0, 2147483646 @@ -183,9 +186,9 @@ }, { "send_timeout": { - "default": 5000, - "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "default": 5000, "between": [ 0, 2147483646 @@ -194,9 +197,9 @@ }, { "read_timeout": { - "default": 5000, - "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "default": 5000, "between": [ 0, 2147483646 @@ -210,9 +213,6 @@ }, { "header_type": { - "required": false, - "type": "string", - "default": "preserve", "one_of": [ "preserve", "ignore", @@ -224,14 +224,17 @@ "aws", "gcp", "datadog" - ] + ], + "type": "string", + "default": "preserve", + "required": false } }, { "sampling_rate": { - "required": false, - "type": "number", "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", + "type": "number", + "required": false, "between": [ 0, 1 From a74910d658aad55e14f463d76417c83401ed7d4d Mon Sep 17 00:00:00 2001 
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Fri, 19 Apr 2024 10:18:45 -0700 Subject: [PATCH 041/165] placeholder schemas and examples for new ai plugins (#25) --- examples/ai-azure-content-safety/_3.7.x.yaml | 9 +++ .../ai-rate-limiting-advanced/_3.7.x.yaml | 12 +++ schemas/ai-azure-content-safety/3.7.x.json | 80 +++++++++++++++++++ schemas/ai-rate-limiting-advanced/3.7.x.json | 80 +++++++++++++++++++ 4 files changed, 181 insertions(+) create mode 100644 examples/ai-azure-content-safety/_3.7.x.yaml create mode 100644 examples/ai-rate-limiting-advanced/_3.7.x.yaml create mode 100644 schemas/ai-azure-content-safety/3.7.x.json create mode 100644 schemas/ai-rate-limiting-advanced/3.7.x.json
diff --git a/examples/ai-azure-content-safety/_3.7.x.yaml b/examples/ai-azure-content-safety/_3.7.x.yaml
new file mode 100644
index 00000000..025407dc
--- /dev/null
+++ b/examples/ai-azure-content-safety/_3.7.x.yaml
@@ -0,0 +1,9 @@
+name: ai-azure-content-safety
+config:
+ content_safety_url: http//:
+ azure_use_managed_identity: false
+ reveal_failure_reason: true
+ content_safety_key: anything
+ categories:
+ - "Hate"
+ - "Violence"
\ No newline at end of file
diff --git a/examples/ai-rate-limiting-advanced/_3.7.x.yaml b/examples/ai-rate-limiting-advanced/_3.7.x.yaml
new file mode 100644
index 00000000..ba9e8024
--- /dev/null
+++ b/examples/ai-rate-limiting-advanced/_3.7.x.yaml
@@ -0,0 +1,12 @@
+name: ai-rate-limiting-advanced
+config:
+ model_providers:
+ - openai
+ - mistral
+ model_providers_limit:
+ - 1000
+ - 100
+ models_providers_window_size:
+ - 3600
+ - 60
+ sync_rate: 10
\ No newline at end of file
diff --git a/schemas/ai-azure-content-safety/3.7.x.json b/schemas/ai-azure-content-safety/3.7.x.json
new file mode 100644
index 00000000..fb4cb8f9
--- /dev/null
+++ b/schemas/ai-azure-content-safety/3.7.x.json
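Review bot: `content_safety_url: http//:` in examples/ai-azure-content-safety/_3.7.x.yaml is not a parseable URL and gives no hint that the endpoint should be reached over TLS, even though the call to it carries `content_safety_key`. An obviously labelled placeholder such as `content_safety_url: https://<content-safety-endpoint>/` would be clearer for anyone copying the file. `content_safety_key: anything` also models a literal secret in plugin config; if the field turns out to be referenceable, the example should show a vault reference instead of an inline value. `reveal_failure_reason: true` presumably returns the moderation verdict to the caller, so a one-line comment saying when that is appropriate would help.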
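Review bot: The key `models_providers_window_size` in examples/ai-rate-limiting-advanced/_3.7.x.yaml breaks the naming of its siblings `model_providers` and `model_providers_limit`; it looks like a typo for `model_providers_window_size`, but the placeholder schema added in this commit defines none of the three keys, so the real name cannot be confirmed from here. If the gateway rejects unknown config keys the example fails on apply, and if it ignores them the window would not be the one the reader intended for the limit. The three lists are also tied together by position only, so a comment such as `# limit and window size entries are matched to model_providers by index` would make that explicit.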
@@ -0,0 +1,80 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "allow_patterns": { + "type": "array", + "elements": { + "len_max": 50, + "type": "string", + "len_min": 1 + }, + "default": [ + + ], + "description": "Array of valid patterns, or valid questions from the 'user' role in chat.", + "len_max": 10 + } + }, + { + "deny_patterns": { + "type": "array", + "elements": { + "len_max": 50, + "type": "string", + "len_min": 1 + }, + "default": [ + + ], + "description": "Array of invalid patterns, or invalid questions from the 'user' role in chat.", + "len_max": 10 + } + }, + { + "allow_all_conversation_history": { + "type": "boolean", + "description": "If true, will ignore all previous chat prompts from the conversation history.", + "default": false, + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow_patterns", + "config.deny_patterns" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/ai-rate-limiting-advanced/3.7.x.json b/schemas/ai-rate-limiting-advanced/3.7.x.json new file mode 100644 index 00000000..fb4cb8f9 --- /dev/null +++ b/schemas/ai-rate-limiting-advanced/3.7.x.json 
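Review bot: The schema added as schemas/ai-azure-content-safety/3.7.x.json defines `allow_patterns`, `deny_patterns` and `allow_all_conversation_history`, none of which appear in this plugin's example, while the example's `content_safety_url`, `content_safety_key`, `azure_use_managed_identity`, `reveal_failure_reason` and `categories` are absent from it. The blob id `fb4cb8f9` is the same for schemas/ai-rate-limiting-advanced/3.7.x.json, so both placeholders are one copied file and the same mismatch applies there. Anything that validates the examples against these schemas or renders parameter docs from them will publish the wrong fields, and the key field gets no `referenceable` marking, which is the property readers use to decide whether a secret can be moved out of the config. Until the real schemas are generated, a placeholder whose `config` record has an empty `fields` list and no `entity_checks` would be less misleading than a borrowed field set.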
@@ -0,0 +1,80 @@
+{
+ "fields": [
+ {
+ "protocols": {
+ "type": "set",
+ "elements": {
+ "type": "string",
+ "one_of": [
+ "grpc",
+ "grpcs",
+ "http",
+ "https"
+ ]
+ },
+ "default": [
+ "grpc",
+ "grpcs",
+ "http",
+ "https"
+ ],
+ "required": true,
+ "description": "A set of strings representing HTTP protocols."
+ }
+ },
+ {
+ "config": {
+ "type": "record",
+ "fields": [
+ {
+ "allow_patterns": {
+ "type": "array",
+ "elements": {
+ "len_max": 50,
+ "type": "string",
+ "len_min": 1
+ },
+ "default": [
+
+ ],
+ "description": "Array of valid patterns, or valid questions from the 'user' role in chat.",
+ "len_max": 10
+ }
+ },
+ {
+ "deny_patterns": {
+ "type": "array",
+ "elements": {
+ "len_max": 50,
+ "type": "string",
+ "len_min": 1
+ },
+ "default": [
+
+ ],
+ "description": "Array of invalid patterns, or invalid questions from the 'user' role in chat.",
+ "len_max": 10
+ }
+ },
+ {
+ "allow_all_conversation_history": {
+ "type": "boolean",
+ "description": "If true, will ignore all previous chat prompts from the conversation history.",
+ "default": false,
+ "required": true
+ }
+ }
+ ],
+ "required": true
+ }
+ }
+ ],
+ "entity_checks": [
+ {
+ "at_least_one_of": [
+ "config.allow_patterns",
+ "config.deny_patterns"
+ ]
+ }
+ ]
+}
\ No newline at end of file
From 340f21c9bb88de79e9714a7556990a791823bb4a Mon Sep 17 00:00:00 2001
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Fri, 19 Apr 2024 11:05:11 -0700 Subject: [PATCH 042/165] Chore: Patch schema updates (#27) * generate plugin updates for 3.4.3.5 and 3.4.3.6 * generate plugin updates for 3.6.1.3 and 3.6.1.2 --- schemas/acme/3.4.x.json | 148 +-- schemas/acme/3.6.x.json | 170 ++-- schemas/cors/3.4.x.json | 68 +- schemas/degraphql/3.4.x.json | 34 +- schemas/degraphql/3.6.x.json | 32 +- schemas/forward-proxy/3.4.x.json | 86 +- schemas/jwt-signer/3.4.x.json | 342 +++---- schemas/ldap-auth-advanced/3.4.x.json | 74 +- schemas/mtls-auth/3.4.x.json | 130 +-- schemas/oas-validation/3.4.x.json | 82 +- schemas/oas-validation/3.6.x.json | 96 +- schemas/oauth2-introspection/3.4.x.json | 90 +- schemas/openid-connect/3.4.x.json | 1108 +++++++++++---------- schemas/opentelemetry/3.4.x.json | 102 +- schemas/opentelemetry/3.6.x.json | 114 +-- schemas/rate-limiting-advanced/3.4.x.json | 282 +++--- schemas/rate-limiting-advanced/3.6.x.json | 222 ++--- schemas/saml/3.4.x.json | 484 ++++----- 18 files changed, 1854 insertions(+), 1810 deletions(-) diff --git a/schemas/acme/3.4.x.json b/schemas/acme/3.4.x.json index 965bdb31..1471e0e9 100644 --- a/schemas/acme/3.4.x.json +++ b/schemas/acme/3.4.x.json 
@@ -2,47 +2,39 @@ "fields": [ { "consumer": { - "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, + "reference": "consumers", "type": "foreign" } }, { "service": { - "reference": "services", "description": "A reference to the 'services' table with a null value allowed.", "eq": null, + "reference": "services", "type": "foreign" } }, { "route": { - "reference": "routes", "description": "A reference to the 'routes' table with a null value allowed.", "eq": null, + "reference": "routes", "type": "foreign" } }, { "consumer_group": { - "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, + "reference": "consumer_groups", "type": "foreign" } }, { "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "required": true, "description": "A set of strings representing HTTP protocols.", - "type": "set", "elements": { "type": "string", "one_of": [ @@ -51,7 +43,15 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "type": "set" } }, { @@ -59,16 +59,19 @@ "fields": [ { "account_email": { + "description": "The account identifier. Can be reused in a different plugin instance.", + "referenceable": true, + "match": "%w*%p*@+%w*%.?%w*", "encrypted": true, "type": "string", - "match": "%w*%p*@+%w*%.?%w*", - "referenceable": true, - "description": "The account identifier. Can be reused in a different plugin instance.", "required": true } }, { "account_key": { + "description": "The private key associated with the account.", + "required": false, + "type": "record", "fields": [ { "key_id": { 
@@ -83,24 +86,21 @@ "type": "string" } } - ], - "description": "The private key associated with the account.", - "type": "record", - "required": false + ] } }, { "api_uri": { "default": "https://acme-v02.api.letsencrypt.org/directory", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "tos_accepted": { - "default": false, "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", - "type": "boolean" + "type": "boolean", + "default": false } }, { @@ -126,8 +126,8 @@ "rsa", "ecc" ], - "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate.", - "type": "string" + "type": "string", + "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate." } }, { 
@@ -138,24 +138,25 @@ 3072, 4096 ], - "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", - "type": "number" + "type": "number", + "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096." } }, { "renew_threshold_days": { "default": 14, - "description": "Days remaining to renew the certificate before it expires.", - "type": "number" + "type": "number", + "description": "Days remaining to renew the certificate before it expires." } }, { "domains": { + "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", "elements": { "match_all": [ { - "pattern": "^[^*]*%*?[^*]*$", - "err": "invalid wildcard: must have at most one wildcard" + "err": "invalid wildcard: must have at most one wildcard", + "pattern": "^[^*]*%*?[^*]*$" } ], "type": "string", @@ -168,22 +169,21 @@ ] } }, - "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", "type": "array" } }, { "allow_any_domain": { "default": false, - "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", - "type": "boolean" + "type": "boolean", + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list." } }, { "fail_backoff_minutes": { "default": 5, - "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", - "type": "number" + "type": "number", + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate." } }, { 
@@ -196,8 +196,8 @@ "consul", "vault" ], - "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well.", - "type": "string" + "type": "string", + "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well." } }, { @@ -209,8 +209,8 @@ { "shm_name": { "default": "kong", - "description": "Name of shared memory zone used for Kong API gateway storage", - "type": "string" + "type": "string", + "description": "Name of shared memory zone used for Kong API gateway storage" } } ], @@ -232,8 +232,8 @@ "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { 
@@ -254,41 +254,41 @@ }, { "auth": { - "referenceable": true, "description": "The Redis password to use for authentication. ", + "referenceable": true, "type": "string" } }, { "ssl": { - "default": false, "description": "Whether to use SSL/TLS encryption when connecting to the Redis server.", + "required": true, "type": "boolean", - "required": true + "default": false } }, { "ssl_verify": { - "default": false, "description": "Whether to verify the SSL/TLS certificate presented by the Redis server. This should be a boolean value.", + "required": true, "type": "boolean", - "required": true + "default": false } }, { "ssl_server_name": { + "description": "The expected server name for the SSL/TLS certificate presented by the Redis server.", "required": false, - "type": "string", - "description": "The expected server name for the SSL/TLS certificate presented by the Redis server." + "type": "string" } }, { "namespace": { + "description": "A namespace to prepend to all keys stored in Redis.", "default": "", "required": true, - "len_min": 0, "type": "string", - "description": "A namespace to prepend to all keys stored in Redis." + "len_min": 0 } } ], @@ -301,15 +301,15 @@ "fields": [ { "https": { - "default": false, "description": "Boolean representation of https.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { @@ -336,8 +336,8 @@ }, { "token": { - "referenceable": true, "description": "Consul ACL token.", + "referenceable": true, "type": "string" } } 
@@ -351,15 +351,15 @@ "fields": [ { "https": { - "default": false, "description": "Boolean representation of https.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { @@ -386,16 +386,16 @@ }, { "token": { - "referenceable": true, "description": "Consul ACL token.", + "referenceable": true, "type": "string" } }, { "tls_verify": { - "default": true, "description": "Turn on TLS verification.", - "type": "boolean" + "type": "boolean", + "default": true } }, { @@ -406,13 +406,13 @@ }, { "auth_method": { - "default": "token", + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", "one_of": [ "token", "kubernetes" ], - "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", - "type": "string" + "type": "string", + "default": "token" } }, { @@ -445,15 +445,15 @@ }, { "preferred_chain": { - "description": "A string value that specifies the preferred certificate chain to use when generating certificates.", - "type": "string" + "type": "string", + "description": "A string value that specifies the preferred certificate chain to use when generating certificates." } }, { "enable_ipv4_common_name": { "default": true, - "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", - "type": "boolean" + "type": "boolean", + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates." } } ], 
@@ -465,18 +465,18 @@ "entity_checks": [ { "conditional": { + "then_field": "config.tos_accepted", "then_match": { "eq": true }, - "then_field": "config.tos_accepted", + "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", "if_match": { "one_of": [ "https://acme-v02.api.letsencrypt.org", "https://acme-staging-v02.api.letsencrypt.org" ] }, - "if_field": "config.api_uri", - "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/" + "if_field": "config.api_uri" } }, { diff --git a/schemas/acme/3.6.x.json b/schemas/acme/3.6.x.json index 42123a6d..13f30055 100644 --- a/schemas/acme/3.6.x.json +++ b/schemas/acme/3.6.x.json @@ -5,39 +5,39 @@ "then_match": { "eq": true }, - "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", "if_match": { "one_of": [ "https://acme-v02.api.letsencrypt.org", "https://acme-staging-v02.api.letsencrypt.org" ] }, + "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", "if_field": "config.api_uri", "then_field": "config.tos_accepted" } }, { "conditional": { - "then_field": "config.storage_config.redis.host", - "if_field": "config.storage", + "if_match": { + "eq": "redis" + }, "then_match": { "required": true }, - "if_match": { - "eq": "redis" - } + "if_field": "config.storage", + "then_field": "config.storage_config.redis.host" } }, { "conditional": { - "then_field": "config.storage_config.redis.port", - "if_field": "config.storage", + "if_match": { + "eq": "redis" + }, "then_match": { "required": true }, - "if_match": { - "eq": "redis" - } + "if_field": "config.storage", + "then_field": "config.storage_config.redis.port" } }, { 
@@ -52,67 +52,67 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign" } }, { "service": { "reference": "services", - "type": "foreign", "eq": null, - "description": "A reference to the 'services' table with a null value allowed." + "description": "A reference to the 'services' table with a null value allowed.", + "type": "foreign" } }, { "route": { "reference": "routes", - "type": "foreign", "eq": null, - "description": "A reference to the 'routes' table with a null value allowed." + "description": "A reference to the 'routes' table with a null value allowed.", + "type": "foreign" } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "type": "foreign" } }, { "protocols": { + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, - "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "required": true, "description": "A set of strings representing HTTP protocols." } }, { "config": { - "required": true, "type": "record", + "required": true, "fields": [ { "account_email": { "referenceable": true, - "type": "string", "required": true, + "type": "string", "match": "%w*%p*@+%w*%.?%w*", "description": "The account identifier. Can be reused in a different plugin instance.", "encrypted": true 
@@ -120,14 +120,14 @@ }, { "account_key": { - "required": false, "type": "record", + "required": false, "description": "The private key associated with the account.", "fields": [ { "key_id": { - "required": true, "type": "string", + "required": true, "description": "The Key ID." } }, @@ -143,8 +143,8 @@ { "api_uri": { "type": "string", - "default": "https://acme-v02.api.letsencrypt.org/directory", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "default": "https://acme-v02.api.letsencrypt.org/directory" } }, { @@ -157,38 +157,38 @@ { "eab_kid": { "referenceable": true, - "type": "string", + "encrypted": true, "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", - "encrypted": true + "type": "string" } }, { "eab_hmac_key": { "referenceable": true, - "type": "string", + "encrypted": true, "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", - "encrypted": true + "type": "string" } }, { "cert_type": { + "type": "string", "one_of": [ "rsa", "ecc" ], - "type": "string", "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate.", "default": "rsa" } }, { "rsa_key_size": { + "type": "number", "one_of": [ 2048, 3072, 4096 ], - "type": "number", "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", "default": 4096 } 
@@ -202,14 +202,15 @@ }, { "domains": { + "type": "array", "elements": { + "type": "string", "match_all": [ { - "pattern": "^[^*]*%*?[^*]*$", - "err": "invalid wildcard: must have at most one wildcard" + "err": "invalid wildcard: must have at most one wildcard", + "pattern": "^[^*]*%*?[^*]*$" } ], - "type": "string", "match_any": { "patterns": [ "^%*%.", @@ -219,7 +220,6 @@ "err": "invalid wildcard: must be placed at leftmost or rightmost label" } }, - "type": "array", "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')" } }, @@ -239,6 +239,7 @@ }, { "storage": { + "type": "string", "one_of": [ "kong", "shm", @@ -246,20 +247,19 @@ "consul", "vault" ], - "type": "string", "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well.", "default": "shm" } }, { "storage_config": { - "required": true, "type": "record", + "required": true, "fields": [ { "shm": { - "required": true, "type": "record", + "required": true, "fields": [ { "shm_name": { @@ -273,8 +273,8 @@ }, { "kong": { - "required": true, "type": "record", + "required": true, "fields": [ ] 
@@ -282,20 +282,20 @@ }, { "redis": { - "required": true, "type": "record", + "required": true, "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "default": 6379, "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", + "default": 6379, "between": [ 0, 65535 @@ -304,9 +304,9 @@ }, { "timeout": { - "default": 2000, "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "default": 2000, "between": [ 0, 2147483646 @@ -315,18 +315,18 @@ }, { "username": { - "referenceable": true, "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true } }, { "password": { "referenceable": true, - "type": "string", - "len_min": 0, "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + "type": "string", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "len_min": 0 } }, { 
@@ -338,48 +338,48 @@ }, { "ssl": { - "required": false, "type": "boolean", + "required": false, "description": "If set to true, uses SSL to connect to Redis.", "default": false } }, { "ssl_verify": { - "required": false, "type": "boolean", + "required": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false } }, { "server_name": { - "required": false, "type": "string", + "required": false, "description": "A string representing an SNI (server name indication) value for TLS." } }, { "extra_options": { - "required": true, "type": "record", + "required": true, "description": "Custom ACME Redis options", "fields": [ { "namespace": { - "type": "string", - "default": "", - "len_min": 0, "required": true, - "description": "A namespace to prepend to all keys stored in Redis." + "len_min": 0, + "type": "string", + "description": "A namespace to prepend to all keys stored in Redis.", + "default": "" } }, { "scan_count": { - "required": false, "type": "number", - "description": "The number of keys to return in Redis SCAN calls.", - "default": 10 + "required": false, + "default": 10, + "description": "The number of keys to return in Redis SCAN calls." } } ] 
@@ -389,38 +389,38 @@ "shorthand_fields": [ { "auth": { + "len_min": 0, "translate_backwards": [ "password" ], - "type": "string", - "len_min": 0 + "type": "string" } }, { "ssl_server_name": { + "type": "string", "translate_backwards": [ "server_name" - ], - "type": "string" + ] } }, { "namespace": { + "len_min": 0, "translate_backwards": [ "extra_options", "namespace" ], - "type": "string", - "len_min": 0 + "type": "string" } }, { "scan_count": { + "type": "integer", "translate_backwards": [ "extra_options", "scan_count" - ], - "type": "integer" + ] } } ] @@ -428,8 +428,8 @@ }, { "consul": { - "required": true, "type": "record", + "required": true, "fields": [ { "https": { @@ -440,8 +440,8 @@ }, { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { @@ -469,8 +469,8 @@ { "token": { "referenceable": true, - "type": "string", - "description": "Consul ACL token." + "description": "Consul ACL token.", + "type": "string" } } ] @@ -478,8 +478,8 @@ }, { "vault": { - "required": true, "type": "record", + "required": true, "fields": [ { "https": { @@ -490,8 +490,8 @@ }, { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { @@ -519,8 +519,8 @@ { "token": { "referenceable": true, - "type": "string", - "description": "Consul ACL token." + "description": "Consul ACL token.", + "type": "string" } }, { @@ -538,13 +538,13 @@ }, { "auth_method": { + "type": "string", "one_of": [ "token", "kubernetes" ], - "type": "string", - "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", - "default": "token" + "default": "token", + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'." } }, { 
diff --git a/schemas/cors/3.4.x.json b/schemas/cors/3.4.x.json index 06e1fac2..ea233689 100644 --- a/schemas/cors/3.4.x.json +++ b/schemas/cors/3.4.x.json @@ -2,23 +2,15 @@ "fields": [ { "consumer": { - "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, + "reference": "consumers", "type": "foreign" } }, { "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "required": true, "description": "A set of strings representing HTTP protocols.", - "type": "set", "elements": { "len_min": 1, "one_of": [ @@ -29,14 +21,22 @@ ], "type": "string", "required": true - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, + "reference": "consumer_groups", "type": "foreign" } }, @@ -72,19 +72,7 @@ }, { "methods": { - "default": [ - "GET", - "HEAD", - "PUT", - "PATCH", - "POST", - "DELETE", - "OPTIONS", - "TRACE", - "CONNECT" - ], "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", - "type": "array", "elements": { "type": "string", "one_of": [ 
@@ -98,29 +86,49 @@ "TRACE", "CONNECT" ] - } + }, + "type": "array", + "default": [ + "GET", + "HEAD", + "PUT", + "PATCH", + "POST", + "DELETE", + "OPTIONS", + "TRACE", + "CONNECT" + ] } }, { "max_age": { - "type": "number", - "description": "Indicates how long the results of the preflight request can be cached, in `seconds`." + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`.", + "type": "number" } }, { "credentials": { - "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "private_network": { + "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", "required": true, "type": "boolean", - "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value." + "default": false } }, { "preflight_continue": { - "default": false, + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", "required": true, "type": "boolean", - "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service." + "default": false } } ], diff --git a/schemas/degraphql/3.4.x.json b/schemas/degraphql/3.4.x.json index 2bd888ab..3b0e32f6 100644 --- a/schemas/degraphql/3.4.x.json +++ b/schemas/degraphql/3.4.x.json 
@@ -2,23 +2,15 @@ "fields": [ { "consumer": { - "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, + "reference": "consumers", "type": "foreign" } }, { "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "required": true, "description": "A set of strings representing HTTP protocols.", - "type": "set", "elements": { "type": "string", "one_of": [ @@ -27,14 +19,22 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, + "reference": "consumer_groups", "type": "foreign" } }, @@ -43,17 +43,17 @@ "fields": [ { "graphql_server_path": { + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "default": "/graphql", + "required": true, "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], - "type": "string", - "starts_with": "/", - "required": true, - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "type": "string" } } ], diff --git a/schemas/degraphql/3.6.x.json b/schemas/degraphql/3.6.x.json index 941bb303..1a00b027 100644 --- a/schemas/degraphql/3.6.x.json +++ b/schemas/degraphql/3.6.x.json 
@@ -6,59 +6,59 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign" } }, { "protocols": { + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, - "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "type": "foreign" } }, { "config": { - "required": true, "type": "record", + "required": true, "fields": [ { "graphql_server_path": { - "type": "string", - "default": "/graphql", - "starts_with": "/", "required": true, - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } - ] + ], + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "default": "/graphql", + "type": "string" } } ] diff --git a/schemas/forward-proxy/3.4.x.json b/schemas/forward-proxy/3.4.x.json index 68b4c942..e08e2178 100644 --- a/schemas/forward-proxy/3.4.x.json +++ b/schemas/forward-proxy/3.4.x.json 
@@ -2,15 +2,7 @@ "fields": [ { "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "required": true, "description": "A set of strings representing HTTP protocols.", - "type": "set", "elements": { "type": "string", "one_of": [ @@ -19,38 +11,57 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, + "reference": "consumer_groups", "type": "foreign" } }, { "config": { - "required": true, + "shorthand_fields": [ + { + "proxy_host": { + "type": "string" + } + }, + { + "proxy_port": { + "type": "integer" + } + } + ], "fields": [ { "x_headers": { - "default": "append", - "type": "string", + "description": "Determines how to handle headers when forwarding the request.", "one_of": [ "append", "transparent", "delete" ], - "description": "Determines how to handle headers when forwarding the request.", - "required": true + "default": "append", + "required": true, + "type": "string" } }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { @@ -65,8 +76,8 @@ }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { 
@@ -81,40 +92,42 @@ }, { "proxy_scheme": { - "default": "http", - "type": "string", + "description": "The proxy scheme to use when connecting. Only `http` is supported.", "one_of": [ "http" ], - "description": "The proxy scheme to use when connecting. Only `http` is supported.", - "required": true + "default": "http", + "required": true, + "type": "string" } }, { "auth_username": { + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", "required": false, - "referenceable": true, "type": "string", - "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication." + "referenceable": true } }, { "auth_password": { + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", "required": false, - "referenceable": true, "type": "string", - "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication." + "referenceable": true } }, { "https_verify": { - "default": false, + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", "required": true, "type": "boolean", - "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate." + "default": false } } ], + "required": true, + "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -140,20 +153,7 @@ "https_proxy_port" ] } - ], - "shorthand_fields": [ - { - "proxy_host": { - "type": "string" - } - }, - { - "proxy_port": { - "type": "integer" - } - } - ], - "type": "record" + ] } } ], diff --git a/schemas/jwt-signer/3.4.x.json b/schemas/jwt-signer/3.4.x.json index aa11ec18..1352e33a 100644 --- a/schemas/jwt-signer/3.4.x.json +++ b/schemas/jwt-signer/3.4.x.json 
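Review bot: The `https_verify` description in the `@@ -81,40 +92,42 @@` hunk of schemas/forward-proxy/3.4.x.json does not say that the field defaults to `false`, so a reader of the generated docs will not see that the server certificate goes unverified unless the option is turned on. I would extend it to `"description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate. Defaults to false, so the certificate is not verified unless this is enabled."`. Because the commit message says the schemas are pulled from the API, the wording presumably has to change in the plugin's schema source and be downloaded again. The enclosing `config` record starts and ends outside this hunk.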
@@ -2,23 +2,15 @@ "fields": [ { "consumer": { - "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, + "reference": "consumers", "type": "foreign" } }, { "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "required": true, "description": "A set of strings representing HTTP protocols.", - "type": "set", "elements": { "type": "string", "one_of": [ @@ -27,14 +19,22 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, + "reference": "consumer_groups", "type": "foreign" } }, 
@@ -43,107 +43,101 @@ "fields": [ { "realm": { - "type": "string", "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", - "required": false + "required": false, + "type": "string" } }, { "enable_hs_signatures": { "default": false, - "type": "boolean", "required": false, + "type": "boolean", "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting." } }, { "enable_instrumentation": { "default": false, - "type": "boolean", "required": false, + "type": "boolean", "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level." } }, { "access_token_issuer": { "default": "kong", - "type": "string", "required": false, + "type": "string", "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token." } }, { "access_token_keyset": { "default": "kong", - "type": "string", "required": false, + "type": "string", "description": "The name of the keyset containing signing keys." } }, { "access_token_jwks_uri": { + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", "required": false, - "type": "string", - "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token." + "type": "string" } }, { "access_token_request_header": { "default": "Authorization", - "type": "string", "required": false, + "type": "string", "description": "This parameter tells the name of the header where to look for the access token." 
} }, { "access_token_leeway": { "default": 0, - "type": "number", "required": false, + "type": "number", "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`." } }, { "access_token_scopes_required": { - "type": "array", + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", "required": false, + "type": "array", "elements": { "type": "string" - }, - "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`." + } } }, { "access_token_scopes_claim": { + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", + "elements": { + "type": "string" + }, "default": [ "scope" ], - "type": "array", "required": false, - "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", - "elements": { - "type": "string" - } + "type": "array" } }, { "access_token_consumer_claim": { - "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", "required": false, + "type": "array", "elements": { "type": "string" - }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity." 
+ } } }, { "access_token_consumer_by": { - "default": [ - "username", - "custom_id" - ], - "type": "array", - "required": false, "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", "elements": { "type": "string", 
@@ -152,105 +146,105 @@ "username", "custom_id" ] - } + }, + "default": [ + "username", + "custom_id" + ], + "required": false, + "type": "array" } }, { "access_token_upstream_header": { "default": "Authorization:Bearer", - "type": "string", "required": false, + "type": "string", "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token." } }, { "access_token_upstream_leeway": { "default": 0, - "type": "number", "required": false, + "type": "number", "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim." } }, { "access_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", "required": false, - "type": "string", - "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter." + "type": "string" } }, { "access_token_introspection_authorization": { - "type": "string", "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", - "required": false + "required": false, + "type": "string" } }, { "access_token_introspection_body_args": { - "type": "string", "description": "This parameter allows you to pass URL encoded request body arguments. 
For example: `resource=` or `a=1&b=&c`.", - "required": false + "required": false, + "type": "string" } }, { "access_token_introspection_hint": { "default": "access_token", - "type": "string", "required": false, + "type": "string", "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`." } }, { "access_token_introspection_jwt_claim": { - "type": "array", + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", "required": false, + "type": "array", "elements": { "type": "string" - }, - "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`." + } } }, { "access_token_introspection_scopes_required": { - "type": "array", + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", "required": false, + "type": "array", "elements": { "type": "string" - }, - "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`." + } } }, { "access_token_introspection_scopes_claim": { + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. 
For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", + "elements": { + "type": "string" + }, "default": [ "scope" ], - "type": "array", "required": true, - "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", - "elements": { - "type": "string" - } + "type": "array" } }, { "access_token_introspection_consumer_claim": { - "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", "required": false, + "type": "array", "elements": { "type": "string" - }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity." + } } }, { "access_token_introspection_consumer_by": { - "default": [ - "username", - "custom_id" - ], - "type": "array", - "required": false, "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. 
The parameter can take an array of values.", "elements": { "type": "string", @@ -259,28 +253,33 @@ "username", "custom_id" ] - } + }, + "default": [ + "username", + "custom_id" + ], + "required": false, + "type": "array" } }, { "access_token_introspection_leeway": { "default": 0, - "type": "number", "required": false, + "type": "number", "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`." } }, { "access_token_introspection_timeout": { - "type": "number", "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", - "required": false + "required": false, + "type": "number" } }, { "access_token_signing_algorithm": { - "default": "RS256", - "required": true, + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", "one_of": [ "HS256", "HS384", 
@@ -295,161 +294,157 @@ "PS512", "EdDSA" ], - "type": "string", - "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm." + "default": "RS256", + "required": true, + "type": "string" } }, { "access_token_optional": { "default": false, - "type": "boolean", "required": false, + "type": "boolean", "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect" } }, { "verify_access_token_signature": { "default": true, - "type": "boolean", "required": false, + "type": "boolean", "description": "Quickly turn access token signature verification off and on as needed." } }, { "verify_access_token_expiry": { "default": true, - "type": "boolean", "required": false, + "type": "boolean", "description": "Quickly turn access token expiry verification off and on as needed." } }, { "verify_access_token_scopes": { "default": true, - "type": "boolean", "required": false, + "type": "boolean", "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`." } }, { "verify_access_token_introspection_expiry": { "default": true, - "type": "boolean", "required": false, + "type": "boolean", "description": "Quickly turn access token introspection expiry verification off and on as needed." 
} }, { "verify_access_token_introspection_scopes": { "default": true, - "type": "boolean", "required": false, + "type": "boolean", "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`." } }, { "cache_access_token_introspection": { "default": true, - "type": "boolean", "required": false, + "type": "boolean", "description": "Whether to cache access token introspection results." } }, { "trust_access_token_introspection": { "default": true, - "type": "boolean", "required": false, + "type": "boolean", "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload." } }, { "enable_access_token_introspection": { "default": true, - "type": "boolean", "required": false, + "type": "boolean", "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection." } }, { "channel_token_issuer": { "default": "kong", - "type": "string", "required": false, + "type": "string", "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token." } }, { "channel_token_keyset": { "default": "kong", - "type": "string", "required": false, + "type": "string", "description": "The name of the keyset containing signing keys." } }, { "channel_token_jwks_uri": { + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. 
If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", "required": false, - "type": "string", - "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`." + "type": "string" } }, { "channel_token_request_header": { - "type": "string", "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", - "required": false + "required": false, + "type": "string" } }, { "channel_token_leeway": { "default": 0, - "type": "number", "required": false, + "type": "number", "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`." } }, { "channel_token_scopes_required": { - "type": "array", + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", "required": false, + "type": "array", "elements": { "type": "string" - }, - "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`." + } } }, { "channel_token_scopes_claim": { + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. 
This supports nested claims.", + "elements": { + "type": "string" + }, "default": [ "scope" ], - "type": "array", "required": false, - "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", - "elements": { - "type": "string" - } + "type": "array" } }, { "channel_token_consumer_claim": { - "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", "required": false, + "type": "array", "elements": { "type": "string" - }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`." + } } }, { "channel_token_consumer_by": { - "default": [ - "username", - "custom_id" - ], "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", - "type": "array", "elements": { "type": "string", "one_of": [ 
@@ -457,112 +452,111 @@ "username", "custom_id" ] - } + }, + "type": "array", + "default": [ + "username", + "custom_id" + ] } }, { "channel_token_upstream_header": { - "type": "string", "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", - "required": false + "required": false, + "type": "string" } }, { "channel_token_upstream_leeway": { "default": 0, - "type": "number", "required": false, + "type": "number", "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim." } }, { "channel_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", "required": false, - "type": "string", - "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead." + "type": "string" } }, { "channel_token_introspection_authorization": { - "type": "string", + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. 
Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", "required": false, + "type": "string", "elements": { "type": "string" - }, - "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens." + } } }, { "channel_token_introspection_body_args": { - "type": "string", + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", "required": false, + "type": "string", "elements": { "type": "string" - }, - "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`." + } } }, { "channel_token_introspection_hint": { - "type": "string", + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", "required": false, + "type": "string", "elements": { "type": "string" - }, - "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection." 
+ } } }, { "channel_token_introspection_jwt_claim": { - "type": "array", + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", "required": false, + "type": "array", "elements": { "type": "string" - }, - "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong." + } } }, { "channel_token_introspection_scopes_required": { - "type": "array", + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", "required": false, + "type": "array", "elements": { "type": "string" - }, - "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`." + } } }, { "channel_token_introspection_scopes_claim": { + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", + "elements": { + "type": "string" + }, "default": [ "scope" ], - "type": "array", "required": false, - "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. 
This supports nested claims.", - "elements": { - "type": "string" - } + "type": "array" } }, { "channel_token_introspection_consumer_claim": { - "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", "required": false, + "type": "array", "elements": { "type": "string" - }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity" + } } }, { "channel_token_introspection_consumer_by": { - "default": [ - "username", - "custom_id" - ], - "type": "array", - "required": false, "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", "elements": { "type": "string", 
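Review bot: The description of `channel_token_introspection_authorization` in the `@@ -457,112 +452,111 @@` hunk repeats the introspection-endpoint text and never mentions the `Authorization` header, so operators get no guidance on how the plugin authenticates to the introspection endpoint. The access-token counterpart earlier in the same file already has suitable wording that could be reused: `If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the Authorization header's value with this configuration parameter.` The same field, together with `channel_token_introspection_body_args` and `channel_token_introspection_hint`, declares `"type": "string"` alongside an `elements` block, which looks like a leftover from an array definition and is worth confirming in the schema source. The `config` record that holds these fields starts outside this hunk.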
@@ -571,28 +565,33 @@ "username", "custom_id" ] - } + }, + "default": [ + "username", + "custom_id" + ], + "required": false, + "type": "array" } }, { "channel_token_introspection_leeway": { "default": 0, - "type": "number", "required": false, + "type": "number", "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`." } }, { "channel_token_introspection_timeout": { - "type": "number", "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", - "required": false + "required": false, + "type": "number" } }, { "channel_token_signing_algorithm": { - "default": "RS256", - "required": true, + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", "one_of": [ "HS256", "HS384", 
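Review bot: The `channel_token_introspection_timeout` description in this hunk refers to `config.access_token_introspection_timeout` where the channel-token setting is meant, which can lead an operator to tune the wrong timeout. Suggested last sentence: `If both requests timeout, then the plugin runs two times the config.channel_token_introspection_timeout on channel token introspection.` The field sits in the `config` record, which starts outside this hunk.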
@@ -607,23 +606,24 @@ "PS512", "EdDSA" ], - "type": "string", - "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token." + "default": "RS256", + "required": true, + "type": "string" } }, { "channel_token_optional": { "default": false, - "type": "boolean", "required": false, + "type": "boolean", "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect" } }, { "verify_channel_token_signature": { "default": true, - "type": "boolean", "required": false, + "type": "boolean", "description": "Quickly turn on/off the channel token signature verification." } }, 
@@ -637,81 +637,81 @@ { "verify_channel_token_scopes": { "default": true, - "type": "boolean", "required": false, + "type": "boolean", "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`." } }, { "verify_channel_token_introspection_expiry": { "default": true, - "type": "boolean", "required": false, + "type": "boolean", "description": "Quickly turn on/off the channel token introspection expiry verification." } }, { "verify_channel_token_introspection_scopes": { "default": true, - "type": "boolean", "required": false, + "type": "boolean", "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`." } }, { "cache_channel_token_introspection": { "default": true, - "type": "boolean", "required": false, + "type": "boolean", "description": "Whether to cache channel token introspection results." } }, { "trust_channel_token_introspection": { "default": true, - "type": "boolean", "required": false, + "type": "boolean", "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked." } }, { "enable_channel_token_introspection": { "default": true, - "type": "boolean", "required": false, + "type": "boolean", "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`." 
} }, { "add_claims": { - "default": [ - - ], + "description": "Add customized claims if they are not present yet.", "keys": { "type": "string" }, + "default": [ + + ], + "required": false, "type": "map", "values": { "type": "string" - }, - "required": false, - "description": "Add customized claims if they are not present yet." + } } }, { "set_claims": { - "default": [ - - ], + "description": "Set customized claims. If a claim is already present, it will be overwritten.", "keys": { "type": "string" }, + "default": [ + + ], + "required": false, "type": "map", "values": { "type": "string" - }, - "required": false, - "description": "Set customized claims. If a claim is already present, it will be overwritten." + } } } ], diff --git a/schemas/ldap-auth-advanced/3.4.x.json b/schemas/ldap-auth-advanced/3.4.x.json index 2e2d779f..e52f9ab1 100644 --- a/schemas/ldap-auth-advanced/3.4.x.json +++ b/schemas/ldap-auth-advanced/3.4.x.json @@ -27,17 +27,17 @@ }, { "consumer_group": { - "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, + "reference": "consumer_groups", "type": "foreign" } }, { "consumer": { - "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, + "reference": "consumers", "type": "foreign" } }, @@ -46,17 +46,17 @@ "fields": [ { "ldap_host": { - "required": true, "description": "Host on which the LDAP server is running.", + "required": true, "type": "string" } }, { "ldap_password": { - "encrypted": true, + "description": "The password to the LDAP server.", "referenceable": true, "type": "string", - "description": "The password to the LDAP server." + "encrypted": true } }, { 
@@ -68,55 +68,55 @@ }, { "bind_dn": { + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", "referenceable": true, - "type": "string", - "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated." + "type": "string" } }, { "ldaps": { - "default": false, + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", "required": true, "type": "boolean", - "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled." + "default": false } }, { "start_tls": { - "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", "required": true, "type": "boolean", - "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled." + "default": false } }, { "verify_ldap_host": { - "default": false, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", "required": true, "type": "boolean", - "description": "Set to `true` to authenticate LDAP server. 
The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive." + "default": false } }, { "base_dn": { - "required": true, "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", + "required": true, "type": "string" } }, { "attribute": { - "required": true, "description": "Attribute to be used to search the user; e.g., \"cn\".", + "required": true, "type": "string" } }, { "cache_ttl": { - "default": 60, + "description": "Cache expiry time in seconds.", "required": true, "type": "number", - "description": "Cache expiry time in seconds." + "default": 60 } }, { @@ -142,10 +142,10 @@ }, { "anonymous": { - "default": "", - "type": "string", "len_min": 0, - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string", + "default": "" } }, { 
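Review bot: The `ldaps` description in this hunk says to disable `start_tls` "If the `ldap` setting is enabled", but the field is named `ldaps` and no `ldap` option is defined here, so the sentence should read `If the ldaps setting is enabled`. `verify_ldap_host` keeps `"default": false`, and its description does not say what that default implies. By implication the server certificate goes unverified even with `ldaps` or `start_tls` on, so the bind DN and `ldap_password` reach a peer that was never authenticated. I would append `When left at false, the LDAP server certificate is not verified.` to that description. The schema is pulled from the API, so the wording fix probably belongs upstream, and the `config.fields` array continues outside this hunk.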
@@ -157,20 +157,14 @@ }, { "consumer_optional": { - "default": false, + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", "required": false, "type": "boolean", - "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user." + "default": false } }, { "consumer_by": { - "default": [ - "username", - "custom_id" - ], - "type": "array", - "required": false, "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", "elements": { "type": "string", @@ -178,19 +172,25 @@ "username", "custom_id" ] - } + }, + "default": [ + "username", + "custom_id" + ], + "required": false, + "type": "array" } }, { "group_base_dn": { - "type": "string", - "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'." + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", + "type": "string" } }, { "group_name_attribute": { - "type": "string", - "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive." + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", + "type": "string" } }, { 
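Review bot: The `group_base_dn` description ends with the stray fragment `',dc=com'.` after "This field is case-insensitive.", which looks like the tail of an example DN whose beginning was lost. The hunk only moves the string above `type`, so the broken text is carried over unchanged into the published schema. Either restore the full example in the upstream schema or trim the description to end at `This field is case-insensitive.`. The enclosing `fields` list starts and ends outside this hunk.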
@@ -202,20 +202,20 @@ }, { "log_search_results": { - "default": false, + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", "required": false, "type": "boolean", - "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment." + "default": false } }, { "groups_required": { + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", "required": false, "type": "array", "elements": { "type": "string" - }, - "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result." + } } } ], diff --git a/schemas/mtls-auth/3.4.x.json b/schemas/mtls-auth/3.4.x.json index 3de7176a..10382655 100644 --- a/schemas/mtls-auth/3.4.x.json +++ b/schemas/mtls-auth/3.4.x.json 
@@ -2,23 +2,15 @@ "fields": [ { "consumer": { - "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, + "reference": "consumers", "type": "foreign" } }, { "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "required": true, "description": "A set of strings representing HTTP protocols.", - "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -27,129 +19,157 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, + "reference": "consumer_groups", "type": "foreign" } }, { "config": { + "entity_checks": [ + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], "fields": [ { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "consumer_by": { - "default": [ - "username", - "custom_id" - ], "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", - "required": false, - "type": "array", "elements": { "type": "string", "one_of": [ "username", "custom_id" ] - } + }, + "default": [ + "username", + "custom_id" + ], + "required": false, + "type": "array" } }, { "ca_certificates": { - "required": true, "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. 
The value of this array is comprised of primary keys (`id`).", + "required": true, + "type": "array", "elements": { "type": "string", "uuid": true - }, - "type": "array" + } } }, { "cache_ttl": { - "default": 60, - "required": true, "description": "Cache expiry time in seconds.", - "type": "number" + "required": true, + "type": "number", + "default": 60 } }, { "skip_consumer_lookup": { - "default": false, - "required": true, "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": false } }, { "allow_partial_chain": { - "default": false, - "required": true, "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": false } }, { "authenticated_group_by": { - "default": "CN", - "required": false, + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "one_of": [ "CN", "DN" ], - "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. 
To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "default": "CN", + "required": false, "type": "string" } }, { "revocation_check_mode": { - "default": "IGNORE_CA_ERROR", - "required": false, + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "one_of": [ "SKIP", "IGNORE_CA_ERROR", "STRICT" ], - "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "default": "IGNORE_CA_ERROR", + "required": false, "type": "string" } }, { "http_timeout": { - "default": 30000, "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", - "type": "number" + "type": "number", + "default": 30000 } }, { "cert_cache_ttl": { - "default": 60000, "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", - "type": "number" + "type": "number", + "default": 60000 } }, { "send_ca_dn": { - "default": false, "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", - "type": "boolean" + "type": "boolean", + "default": false + } + }, + { + "default_consumer": { + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer 
matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { @@ -164,8 +184,8 @@ }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { @@ -179,20 +199,6 @@ } } ], - "entity_checks": [ - { - "mutually_required": [ - "http_proxy_host", - "http_proxy_port" - ] - }, - { - "mutually_required": [ - "https_proxy_host", - "https_proxy_port" - ] - } - ], "type": "record", "required": true } diff --git a/schemas/oas-validation/3.4.x.json b/schemas/oas-validation/3.4.x.json index 750534e9..119657b5 100644 --- a/schemas/oas-validation/3.4.x.json +++ b/schemas/oas-validation/3.4.x.json @@ -2,15 +2,7 @@ "fields": [ { "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "required": true, "description": "A set of strings representing HTTP protocols.", - "type": "set", "elements": { "type": "string", "one_of": [ @@ -19,14 +11,22 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, + "reference": "consumer_groups", "type": "foreign" } }, 
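Review bot: `default_consumer` is a new field in `schemas/mtls-auth/3.4.x.json` rather than a reorder, and the later `schemas/oas-validation/3.4.x.json` hunk (`@@ -35,97 +35,113 @@`) likewise adds `include_base_path` and `api_spec_encoded`. The same patch adds `api_spec_encoded` to `schemas/oas-validation/3.6.x.json`, which suggests the 3.4.x files may have been downloaded from a build newer than 3.4.x. It is worth confirming that these fields exist in 3.4.x before publishing them under that version, because a schema that advertises an authentication option the gateway does not accept misleads operators about what is enforced. The `default_consumer` description also does not say how the field relates to `anonymous` or `skip_consumer_lookup`; a closing sentence such as `Has no effect when skip_consumer_lookup is true.` would help, if that matches the plugin's behaviour.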
@@ -35,97 +35,113 @@ "fields": [ { "api_spec": { - "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URL encoded to preserve the YAML format.", + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format.", "required": true, "type": "string" } }, { "verbose_response": { - "default": false, "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", "required": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "validate_request_body": { - "default": true, "description": "If set to true, validates the request body content against the API specification.", "required": false, - "type": "boolean" + "type": "boolean", + "default": true } }, { "notify_only_request_validation_failure": { - "default": false, "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", "required": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "validate_request_header_params": { - "default": true, "description": "If set to true, validates HTTP header parameters against the API specification.", "required": false, - "type": "boolean" + "type": "boolean", + "default": true } }, { "validate_request_query_params": { - "default": true, "description": "If set to true, validates query parameters against the API specification.", "required": false, - "type": "boolean" + "type": "boolean", + "default": true } }, { "validate_request_uri_params": { - "default": true, "description": "If set to true, validates URI parameters in the request against the API specification.", "required": false, - "type": "boolean" + "type": "boolean", + 
"default": true } }, { "validate_response_body": { - "default": false, "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", "required": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "notify_only_response_body_validation_failure": { - "default": false, "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", "required": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "query_parameter_check": { - "default": false, "description": "If set to true, checks if query parameters in the request exist in the API specification.", "required": true, - "type": "boolean" + "type": "boolean", + "default": false } }, { "header_parameter_check": { - "default": false, "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", "required": true, - "type": "boolean" + "type": "boolean", + "default": false } }, { "allowed_header_parameters": { - "default": "Host,Content-Type,User-Agent,Accept,Content-Length", "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. 
For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", "required": false, - "type": "string" + "type": "string", + "default": "Host,Content-Type,User-Agent,Accept,Content-Length" + } + }, + { + "include_base_path": { + "description": "Indicates whether to include the base path when performing path match evaluation.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "api_spec_encoded": { + "description": "Indicates whether the api_spec is URI-Encoded.", + "required": true, + "type": "boolean", + "default": true } } ], diff --git a/schemas/oas-validation/3.6.x.json b/schemas/oas-validation/3.6.x.json index c685a7f0..7adde839 100644 --- a/schemas/oas-validation/3.6.x.json +++ b/schemas/oas-validation/3.6.x.json 
@@ -5,140 +5,148 @@ "fields": [ { "protocols": { + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, - "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "type": "foreign" } }, { "config": { - "required": true, "type": "record", + "required": true, "fields": [ { "api_spec": { - "required": true, "type": "string", - "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URL encoded to preserve the YAML format." + "required": true, + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format." } }, { "verbose_response": { - "required": false, "type": "boolean", - "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", - "default": false + "required": false, + "default": false, + "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing." } }, { "validate_request_body": { - "required": false, "type": "boolean", - "description": "If set to true, validates the request body content against the API specification.", - "default": true + "required": false, + "default": true, + "description": "If set to true, validates the request body content against the API specification." 
} }, { "notify_only_request_validation_failure": { - "required": false, "type": "boolean", - "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", - "default": false + "required": false, + "default": false, + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow." } }, { "validate_request_header_params": { - "required": false, "type": "boolean", - "description": "If set to true, validates HTTP header parameters against the API specification.", - "default": true + "required": false, + "default": true, + "description": "If set to true, validates HTTP header parameters against the API specification." } }, { "validate_request_query_params": { - "required": false, "type": "boolean", - "description": "If set to true, validates query parameters against the API specification.", - "default": true + "required": false, + "default": true, + "description": "If set to true, validates query parameters against the API specification." } }, { "validate_request_uri_params": { - "required": false, "type": "boolean", - "description": "If set to true, validates URI parameters in the request against the API specification.", - "default": true + "required": false, + "default": true, + "description": "If set to true, validates URI parameters in the request against the API specification." } }, { "validate_response_body": { - "required": false, "type": "boolean", - "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", - "default": false + "required": false, + "default": false, + "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code." 
} }, { "notify_only_response_body_validation_failure": { - "required": false, "type": "boolean", - "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", - "default": false + "required": false, + "default": false, + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow." } }, { "query_parameter_check": { - "required": true, "type": "boolean", - "description": "If set to true, checks if query parameters in the request exist in the API specification.", - "default": false + "required": true, + "default": false, + "description": "If set to true, checks if query parameters in the request exist in the API specification." } }, { "header_parameter_check": { - "required": true, "type": "boolean", - "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", - "default": false + "required": true, + "default": false, + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification." } }, { "allowed_header_parameters": { - "required": false, "type": "string", - "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", - "default": "Host,Content-Type,User-Agent,Accept,Content-Length" + "required": false, + "default": "Host,Content-Type,User-Agent,Accept,Content-Length", + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. 
These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent." } }, { "include_base_path": { + "type": "boolean", "required": true, + "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation." + } + }, + { + "api_spec_encoded": { "type": "boolean", - "description": "Indicates whether to include the base path when performing path match evaluation.", - "default": false + "required": true, + "default": true, + "description": "Indicates whether the api_spec is URI-Encoded." } } ] diff --git a/schemas/oauth2-introspection/3.4.x.json b/schemas/oauth2-introspection/3.4.x.json index 6bbdbfa5..a5891255 100644 --- a/schemas/oauth2-introspection/3.4.x.json +++ b/schemas/oauth2-introspection/3.4.x.json @@ -2,23 +2,15 @@ "fields": [ { "consumer": { - "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, + "reference": "consumers", "type": "foreign" } }, { "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "required": true, "description": "A set of strings representing HTTP protocols.", - "type": "set", "elements": { "type": "string", "one_of": [ @@ -27,14 +19,22 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, + "reference": "consumer_groups", "type": "foreign" } }, 
@@ -44,15 +44,15 @@ { "introspection_url": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string", - "required": true + "required": true, + "type": "string" } }, { "ttl": { "default": 30, - "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", - "type": "number" + "type": "number", + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration." } }, { 
@@ -63,94 +63,96 @@ }, { "authorization_value": { - "required": true, + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", + "referenceable": true, + "encrypted": true, "type": "string", - "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`)." + "required": true } }, { "timeout": { "default": 10000, - "description": "An optional timeout in milliseconds when sending data to the upstream server.", - "type": "integer" + "type": "integer", + "description": "An optional timeout in milliseconds when sending data to the upstream server." } }, { "keepalive": { "default": 60000, - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", - "type": "integer" + "type": "integer", + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." } }, { "introspect_request": { "default": false, - "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", "required": true, - "type": "boolean" + "type": "boolean", + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request." 
} }, { "hide_credentials": { "default": false, - "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request.", - "type": "boolean" + "type": "boolean", + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request." } }, { "run_on_preflight": { "default": true, - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", - "type": "boolean" + "type": "boolean", + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed." } }, { "anonymous": { "len_min": 0, - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "default": "", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { "consumer_by": { - "default": "username", - "type": "string", + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. 
OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", "one_of": [ "username", "client_id" ], - "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", - "required": true + "default": "username", + "required": true, + "type": "string" } }, { "custom_introspection_headers": { - "default": [ - - ], + "description": "A list of custom headers to be added in the introspection request.", "keys": { "type": "string" }, + "default": [ + + ], "required": true, + "type": "map", "values": { "type": "string" - }, - "description": "A list of custom headers to be added in the introspection request.", - "type": "map" + } } }, { "custom_claims_forward": { + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", + "elements": { + "type": "string" + }, "default": [ ], - "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", - "type": "set", "required": true, - "elements": { - "type": "string" - } + "type": "set" } } ], diff --git a/schemas/openid-connect/3.4.x.json b/schemas/openid-connect/3.4.x.json index 6b853e53..298280d2 100644 --- a/schemas/openid-connect/3.4.x.json +++ b/schemas/openid-connect/3.4.x.json 
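Review bot: `custom_introspection_headers` is still a plain `map` of strings, while this same hunk marks `authorization_value` as `"referenceable": true` and `"encrypted": true`. Custom headers sent to the introspection endpoint can presumably carry API keys or other credentials too, and as declared they cannot be supplied as vault references. If the plugin supports it, I would declare the values as `"values": { "type": "string", "referenceable": true }`. The commit message says this file is pulled from the API, so the change probably belongs in the plugin's schema source rather than in this file.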
@@ -2,14 +2,15 @@ "fields": [ { "consumer": { - "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "reference": "consumers" + "reference": "consumers", + "type": "foreign" } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -19,23 +20,22 @@ "https" ] }, - "type": "set", - "description": "A set of strings representing HTTP protocols.", - "required": true, "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "required": true, + "type": "set" } }, { "consumer_group": { - "type": "foreign", - "eq": null, "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups" + "eq": null, + "reference": "consumer_groups", + "type": "foreign" } }, { @@ -122,21 +122,19 @@ } } ], - "type": "record", - "required": true, "fields": [ { "issuer": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": true, - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "type": "string" } }, { "discovery_headers_names": { + "description": "Extra header names passed to the discovery endpoint.", "required": false, "type": "array", - "description": "Extra header names passed to the discovery endpoint.", "elements": { "type": "string" } @@ -144,9 +142,9 @@ }, { "discovery_headers_values": { + "description": "Extra header values passed to the discovery endpoint.", "required": false, "type": "array", - "description": "Extra header values passed to the discovery endpoint.", "elements": { "type": "string" } 
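Review bot: `discovery_headers_values` (hunk `@@ -144,9 +142,9 @@`) stays an array of plain strings, while a later hunk of this file (`@@ -1030,19 +1031,21 @@`) gives `introspection_headers_values` `"encrypted": true` and `"referenceable": true` on its elements. Header and post-argument values for the other endpoints can presumably hold the same kind of secret, so the flags look equally missing on `token_headers_values`, `token_post_args_values` and `introspection_post_args_values`. I would either mark those fields the same way or state in their descriptions that secrets should not be placed in them. As the schema is pulled from the API, this is likely an upstream schema change.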
@@ -154,9 +152,9 @@ }, { "extra_jwks_uris": { + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "required": false, "type": "set", - "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" @@ -165,14 +163,15 @@ }, { "rediscovery_lifetime": { - "default": 30, - "type": "number", "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", - "required": false + "required": false, + "type": "number", + "default": 30 } }, { "auth_methods": { + "description": "Types of credentials/grants to enable.", "elements": { "type": "string", "one_of": [ @@ -187,9 +186,6 @@ "session" ] }, - "type": "array", - "description": "Types of credentials/grants to enable.", - "required": false, "default": [ "password", "client_credentials", 
@@ -200,38 +196,40 @@ "kong_oauth2", "refresh_token", "session" - ] + ], + "required": false, + "type": "array" } }, { "client_id": { + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, + "required": false, "type": "array", - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", - "encrypted": true, - "required": false + "encrypted": true } }, { "client_secret": { + "description": "The client secret.", "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, + "required": false, "type": "array", - "description": "The client secret.", - "encrypted": true, - "required": false + "encrypted": true } }, { "client_auth": { + "description": "The authentication method used by the client (plugin) when calling the endpoint.", "required": false, "type": "array", - "description": "The authentication method used by the client (plugin) when calling the endpoint.", "elements": { "type": "string", "one_of": [ @@ -254,20 +252,20 @@ "fields": [ { "issuer": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "kty": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "use": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -275,27 +273,27 @@ "required": false, "type": "array", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "alg": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "kid": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "x5u": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { 
@@ -303,130 +301,130 @@ "required": false, "type": "array", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "x5t": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "x5t#S256": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "k": { + "referenceable": true, "encrypted": true, "type": "string", - "referenceable": true, "required": false } }, { "x": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "y": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "crv": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "n": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "e": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "d": { + "referenceable": true, "encrypted": true, "type": "string", - "referenceable": true, "required": false } }, { "p": { + "referenceable": true, "encrypted": true, "type": "string", - "referenceable": true, "required": false } }, { "q": { + "referenceable": true, "encrypted": true, "type": "string", - "referenceable": true, "required": false } }, { "dp": { + "referenceable": true, "encrypted": true, "type": "string", - "referenceable": true, "required": false } }, { "dq": { + "referenceable": true, "encrypted": true, "type": "string", - "referenceable": true, "required": false } }, { "qi": { + "referenceable": true, "encrypted": true, "type": "string", - "referenceable": true, "required": false } }, { "oth": { + "referenceable": true, "encrypted": true, "type": "string", - "referenceable": true, "required": false } }, { "r": { + "referenceable": true, "encrypted": true, "type": "string", - "referenceable": true, "required": false } }, { "t": { + "referenceable": true, "encrypted": true, "type": "string", - "referenceable": 
true, "required": false } } @@ -460,17 +458,17 @@ }, { "client_arg": { - "default": "client_id", - "type": "string", "description": "The client to use for this request (the selection is made with a request parameter with the same name).", - "required": false + "required": false, + "type": "string", + "default": "client_id" } }, { "redirect_uri": { + "description": "The redirect URI passed to the authorization and token endpoints.", "required": false, "type": "array", - "description": "The redirect URI passed to the authorization and token endpoints.", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" @@ -479,31 +477,33 @@ }, { "login_redirect_uri": { + "description": "Where to redirect the client when `login_action` is set to `redirect`.", "required": false, "type": "array", - "description": "Where to redirect the client when `login_action` is set to `redirect`.", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true, "type": "string" } } }, { "logout_redirect_uri": { + "description": "Where to redirect the client after the logout.", "required": false, "type": "array", - "description": "Where to redirect the client after the logout.", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true, "type": "string" } } }, { "forbidden_redirect_uri": { + "description": "Where to redirect the client on forbidden requests.", "required": false, "type": "array", - "description": "Where to redirect the client on forbidden requests.", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" 
@@ -512,33 +512,33 @@ }, { "forbidden_error_message": { - "default": "Forbidden", - "type": "string", "description": "The error message for the forbidden requests (when not using the redirection).", - "required": false + "required": false, + "type": "string", + "default": "Forbidden" } }, { "forbidden_destroy_session": { - "default": true, - "type": "boolean", "description": "Destroy any active session for the forbidden requests.", - "required": false + "required": false, + "type": "boolean", + "default": true } }, { "unauthorized_destroy_session": { - "default": true, "description": "Destroy any active session for the unauthorized requests.", + "required": false, "type": "boolean", - "required": false + "default": true } }, { "unauthorized_redirect_uri": { + "description": "Where to redirect the client on unauthorized requests.", "required": false, "type": "array", - "description": "Where to redirect the client on unauthorized requests.", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" @@ -547,17 +547,17 @@ }, { "unauthorized_error_message": { - "default": "Unauthorized", - "type": "string", "description": "The error message for the unauthorized requests (when not using the redirection).", - "required": false + "required": false, + "type": "string", + "default": "Unauthorized" } }, { "unexpected_redirect_uri": { + "description": "Where to redirect the client when unexpected errors happen with the requests.", "required": false, "type": "array", - "description": "Where to redirect the client when unexpected errors happen with the requests.", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" 
@@ -566,48 +566,49 @@ }, { "response_mode": { - "type": "string", "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)", - "default": "query", - "required": false, "one_of": [ "query", "form_post", "fragment" - ] + ], + "default": "query", + "required": false, + "type": "string" } }, { "response_type": { + "description": "The response type passed to the authorization endpoint.", "elements": { "type": "string" }, - "type": "array", - "description": "The response type passed to the authorization endpoint.", - "required": false, "default": [ "code" - ] + ], + "required": false, + "type": "array" } }, { "scopes": { + "description": "The scopes passed to the authorization and token endpoints.", "elements": { - "type": "string" + "type": "string", + "referenceable": true }, - "type": "array", - "description": "The scopes passed to the authorization and token endpoints.", - "required": false, "default": [ "openid" - ] + ], + "required": false, + "type": "array" } }, { "audience": { + "description": "The audience passed to the authorization endpoint.", "required": false, "type": "array", - "description": "The audience passed to the authorization endpoint.", "elements": { "type": "string" } @@ -615,9 +616,9 @@ }, { "issuers_allowed": { + "description": "The issuers allowed to be present in the tokens (`iss` claim).", "required": false, "type": "array", - "description": "The issuers allowed to be present in the tokens (`iss` claim).", "elements": { "type": "string" } 
@@ -625,9 +626,9 @@ }, { "scopes_required": { + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "required": false, "type": "array", - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" } @@ -635,22 +636,22 @@ }, { "scopes_claim": { - "required": false, + "description": "The claim that contains the scopes.", "elements": { "type": "string" }, - "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", "default": [ "scope" ], + "required": false, "type": "array" } }, { "audience_required": { + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "required": false, "type": "array", - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" } 
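Review bot: The new `scopes_claim` description in hunk `@@ -635,22 +636,22 @@` drops the sentence that explains what several array values mean, although the field is still `"type": "array"`. This claim feeds the `scopes_required` authorization check, so a reader who takes the entries for alternative claim names rather than a path into a nested object can end up with a check that never matches, or matches the wrong claim. I would keep the removed sentence in the description: `If multiple values are set, it means the claim is inside a nested object of the token payload.` The same sentence is removed from `audience_claim`, `groups_claim`, `roles_claim` and `authenticated_groups_claim` in the following hunks.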
@@ -658,22 +659,22 @@ }, { "audience_claim": { - "required": false, + "description": "The claim that contains the audience.", "elements": { "type": "string" }, - "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", "default": [ "aud" ], + "required": false, "type": "array" } }, { "groups_required": { + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "required": false, "type": "array", - "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" } @@ -681,22 +682,22 @@ }, { "groups_claim": { - "required": false, + "description": "The claim that contains the groups.", "elements": { "type": "string" }, - "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", "default": [ "groups" ], + "required": false, "type": "array" } }, { "roles_required": { + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "required": false, "type": "array", - "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" } 
@@ -704,22 +705,22 @@ }, { "roles_claim": { - "required": false, + "description": "The claim that contains the roles.", "elements": { "type": "string" }, - "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", "default": [ "roles" ], + "required": false, "type": "array" } }, { "domains": { - "type": "array", "description": "The allowed values for the `hd` claim.", "required": false, + "type": "array", "elements": { "type": "string" } @@ -727,16 +728,16 @@ }, { "max_age": { - "type": "number", "description": "The maximum age (in seconds) compared to the `auth_time` claim.", - "required": false + "required": false, + "type": "number" } }, { "authenticated_groups_claim": { - "type": "array", - "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations.", "required": false, + "type": "array", "elements": { "type": "string" } @@ -744,16 +745,16 @@ }, { "authorization_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": false, - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "type": "string" } }, { "authorization_query_args_names": { + "description": "Extra query argument names passed to the authorization endpoint.", "required": false, "type": "array", - "description": "Extra query argument names passed to the authorization endpoint.", "elements": { "type": "string" } 
@@ -761,9 +762,9 @@ }, { "authorization_query_args_values": { + "description": "Extra query argument values passed to the authorization endpoint.", "required": false, "type": "array", - "description": "Extra query argument values passed to the authorization endpoint.", "elements": { "type": "string" } @@ -771,9 +772,9 @@ }, { "authorization_query_args_client": { + "description": "Extra query arguments passed from the client to the authorization endpoint.", "required": false, "type": "array", - "description": "Extra query arguments passed from the client to the authorization endpoint.", "elements": { "type": "string" } 
@@ -781,91 +782,91 @@ }, { "authorization_rolling_timeout": { - "default": 600, - "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "description": "Network IO timeout in milliseconds.", + "required": false, "type": "number", - "required": false + "default": 600 } }, { "authorization_cookie_name": { - "default": "authorization", - "type": "string", "description": "The authorization cookie name.", - "required": false + "required": false, + "type": "string", + "default": "authorization" } }, { "authorization_cookie_path": { "starts_with": "/", - "type": "string", "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "default": "/", "required": false, "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], - "default": "/" + "type": "string" } }, { "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", "required": false, - "type": "string", - "description": "The authorization cookie Domain flag." 
+ "type": "string" } }, { "authorization_cookie_same_site": { - "type": "string", "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", - "default": "Default", - "required": false, "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "default": "Default", + "required": false, + "type": "string" } }, { "authorization_cookie_http_only": { - "default": true, - "type": "boolean", "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "required": false + "required": false, + "type": "boolean", + "default": true } }, { "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "required": false, - "type": "boolean", - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." + "type": "boolean" } }, { "preserve_query_args": { - "default": false, - "type": "boolean", "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", - "required": false + "required": false, + "type": "boolean", + "default": false } }, { "token_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": false, - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ "type": "string" } }, { "token_endpoint_auth_method": { + "description": "The token endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "required": false, "type": "string", - "description": "The token endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", @@ -877,9 +878,9 @@ }, { "token_headers_names": { + "description": "Extra header names passed to the token endpoint.", "required": false, "type": "array", - "description": "Extra header names passed to the token endpoint.", "elements": { "type": "string" } @@ -887,9 +888,9 @@ }, { "token_headers_values": { + "description": "Extra header values passed to the token endpoint.", "required": false, "type": "array", - "description": "Extra header values passed to the token endpoint.", "elements": { "type": "string" } @@ -897,9 +898,9 @@ }, { "token_headers_client": { + "description": "Extra headers passed from the client to the token endpoint.", "required": false, "type": "array", - "description": "Extra headers passed from the client to the token endpoint.", "elements": { "type": "string" } 
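Review bot: The new description of `authorization_rolling_timeout` at the top of hunk `@@ -781,91 +782,91 @@`, `Network IO timeout in milliseconds.`, does not match the field. The default stays `600`, and the removed text described how long, in seconds, the authorization code flow session can be used before it must be renewed. It looks as if the text of a different field was picked up, and an operator sizing the value from it would misjudge the session lifetime. I would restore `"description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling."`, most likely in the upstream schema since the file is pulled from the API.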
@@ -907,9 +908,9 @@ }, { "token_headers_replay": { + "description": "The names of token endpoint response headers to forward to the downstream client.", "required": false, "type": "array", - "description": "The names of token endpoint response headers to forward to the downstream client.", "elements": { "type": "string" } @@ -917,16 +918,16 @@ }, { "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", "required": false, - "type": "string", - "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client." + "type": "string" } }, { "token_headers_grants": { + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant", "required": false, "type": "array", - "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant", "elements": { "type": "string", "one_of": [ @@ -940,9 +941,9 @@ }, { "token_post_args_names": { + "description": "Extra post argument names passed to the token endpoint.", "required": false, "type": "array", - "description": "Extra post argument names passed to the token endpoint.", "elements": { "type": "string" } @@ -950,9 +951,9 @@ }, { "token_post_args_values": { + "description": "Extra post argument values passed to the token endpoint.", "required": false, "type": "array", - "description": "Extra post argument values passed to the token endpoint.", "elements": { "type": "string" } 
@@ -960,9 +961,9 @@ }, { "token_post_args_client": { + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", "required": false, "type": "array", - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Request Body - Query parameters This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body and send it to the token endpoint.", "elements": { "type": "string" } 
@@ -970,16 +971,16 @@ }, { "introspection_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": false, - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "type": "string" } }, { "introspection_endpoint_auth_method": { + "description": "The introspection endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "required": false, "type": "string", - "description": "The introspection endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -991,38 +992,38 @@ }, { "introspection_hint": { - "default": "access_token", - "type": "string", "description": "Introspection hint parameter value passed to the introspection endpoint.", - "required": false + "required": false, + "type": "string", + "default": "access_token" } }, { "introspection_check_active": { - "default": true, - "type": "boolean", "description": "Check that the introspection response has an `active` claim with a value of `true`.", - "required": false + "required": false, + "type": "boolean", + "default": true } }, { "introspection_accept": { - "type": "string", "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)", - "default": "application/json", - "required": false, "one_of": [ "application/json", "application/token-introspection+jwt", "application/jwt" - ] + ], + "default": "application/json", + "required": false, + "type": "string" } }, { "introspection_headers_names": { + "description": "Extra header names passed to the introspection endpoint.", "required": false, "type": "array", - "description": "Extra header names passed to the introspection endpoint.", "elements": { "type": "string" } 
@@ -1030,19 +1031,21 @@ }, { "introspection_headers_values": { - "required": false, - "type": "array", "description": "Extra header values passed to the introspection endpoint.", "elements": { - "type": "string" - } + "type": "string", + "referenceable": true + }, + "required": false, + "type": "array", + "encrypted": true } }, { "introspection_headers_client": { + "description": "Extra headers passed from the client to the introspection endpoint.", "required": false, "type": "array", - "description": "Extra headers passed from the client to the introspection endpoint.", "elements": { "type": "string" } @@ -1050,9 +1053,9 @@ }, { "introspection_post_args_names": { + "description": "Extra post argument names passed to the introspection endpoint.", "required": false, "type": "array", - "description": "Extra post argument names passed to the introspection endpoint.", "elements": { "type": "string" } @@ -1060,9 +1063,9 @@ }, { "introspection_post_args_values": { + "description": "Extra post argument values passed to the introspection endpoint.", "required": false, "type": "array", - "description": "Extra post argument values passed to the introspection endpoint.", "elements": { "type": "string" } @@ -1070,9 +1073,9 @@ }, { "introspection_post_args_client": { + "description": "Extra post arguments passed from the client to the introspection endpoint.", "required": false, "type": "array", - "description": "Extra post arguments passed from the client to the introspection endpoint.", "elements": { "type": "string" } 
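Review bot: Only `introspection_headers_values` gains `"encrypted": true` and element-level `"referenceable": true` in this hunk; the sibling value lists nearby (`introspection_post_args_values` in a later hunk on this line, `userinfo_headers_values` and `userinfo_query_args_values` further down) remain plain string arrays. If those can also carry credentials for their endpoint, they would be stored unencrypted and could not be vault references. That seems plausible for header and POST-argument values, but this diff does not show it. Because the file is pulled from the API, this should be confirmed and corrected in the upstream plugin schema rather than edited here.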
@@ -1080,24 +1083,24 @@ }, { "introspect_jwt_tokens": { - "default": false, - "type": "boolean", "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", - "required": false + "required": false, + "type": "boolean", + "default": false } }, { "revocation_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": false, - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "type": "string" } }, { "revocation_endpoint_auth_method": { + "description": "The revocation endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "required": false, "type": "string", - "description": "The revocation endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -1109,35 +1112,35 @@ }, { "end_session_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": false, - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "type": "string" } }, { "userinfo_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": false, - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "type": "string" } }, { "userinfo_accept": { - "type": "string", "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)", - "default": "application/json", - "required": false, "one_of": [ "application/json", "application/jwt" - ] + ], + "default": "application/json", + "required": false, + "type": "string" } }, { "userinfo_headers_names": { + "description": "Extra header names passed to the user info endpoint.", "required": false, "type": "array", - "description": "Extra header names passed to the user info endpoint.", "elements": { "type": "string" } @@ -1145,9 +1148,9 @@ }, { "userinfo_headers_values": { + "description": "Extra header values passed to the user info endpoint.", "required": false, "type": "array", - "description": "Extra header values passed to the user info endpoint.", "elements": { "type": "string" } @@ -1155,9 +1158,9 @@ }, { "userinfo_headers_client": { + "description": "Extra headers passed from the client to the user info endpoint.", "required": false, "type": "array", - "description": "Extra headers passed from the client to the user info endpoint.", "elements": { "type": "string" } 
@@ -1165,9 +1168,9 @@ }, { "userinfo_query_args_names": { + "description": "Extra query argument names passed to the user info endpoint.", "required": false, "type": "array", - "description": "Extra query argument names passed to the user info endpoint.", "elements": { "type": "string" } @@ -1175,9 +1178,9 @@ }, { "userinfo_query_args_values": { + "description": "Extra query argument values passed to the user info endpoint.", "required": false, "type": "array", - "description": "Extra query argument values passed to the user info endpoint.", "elements": { "type": "string" } @@ -1185,9 +1188,9 @@ }, { "userinfo_query_args_client": { + "description": "Extra query arguments passed from the client to the user info endpoint.", "required": false, "type": "array", - "description": "Extra query arguments passed from the client to the user info endpoint.", "elements": { "type": "string" } 
@@ -1195,145 +1198,146 @@ }, { "token_exchange_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": false, - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "type": "string" } }, { "session_secret": { - "referenceable": true, "description": "The session secret.", - "encrypted": true, + "referenceable": true, + "required": false, "type": "string", - "required": false + "encrypted": true } }, { "session_audience": { - "default": "default", - "type": "string", "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", - "required": false + "required": false, + "type": "string", + "default": "default" } }, { "session_cookie_name": { - "default": "session", - "type": "string", "description": "The session cookie name.", - "required": false + "required": false, + "type": "string", + "default": "session" } }, { "session_remember": { - "default": false, - "type": "boolean", "description": "Enables or disables persistent sessions.", - "required": false + "required": false, + "type": "boolean", + "default": false } }, { "session_remember_cookie_name": { - "default": "remember", - "type": "string", "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", - "required": false + "required": false, + "type": "string", + "default": "remember" } }, { "session_remember_rolling_timeout": { - "default": 604800, - "description": "Specifies how long the persistent session is considered valid in seconds. 
0 disables the checks and rolling.", + "description": "Network IO timeout in milliseconds.", + "required": false, "type": "number", - "required": false + "default": 604800 } }, { "session_remember_absolute_timeout": { - "default": 2592000, - "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "description": "Network IO timeout in milliseconds.", + "required": false, "type": "number", - "required": false + "default": 2592000 } }, { "session_idling_timeout": { - "default": 900, - "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "description": "Network IO timeout in milliseconds.", + "required": false, "type": "number", - "required": false + "default": 900 } }, { "session_rolling_timeout": { - "default": 3600, - "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "description": "Network IO timeout in milliseconds.", + "required": false, "type": "number", - "required": false + "default": 3600 } }, { "session_absolute_timeout": { - "default": 86400, - "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "description": "Network IO timeout in milliseconds.", + "required": false, "type": "number", - "required": false + "default": 86400 } }, { "session_cookie_path": { "starts_with": "/", - "type": "string", "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "default": "/", "required": false, "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], - "default": "/" + "type": "string" } }, { "session_cookie_domain": { + "description": "The session cookie Domain flag.", "required": false, - "type": "string", - "description": "The session cookie Domain flag." + "type": "string" } }, { "session_cookie_same_site": { - "type": "string", "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", - "default": "Lax", - "required": false, "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "default": "Lax", + "required": false, + "type": "string" } }, { "session_cookie_http_only": { - "default": true, - "type": "boolean", "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "required": false + "required": false, + "type": "boolean", + "default": true } }, { "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "required": false, - "type": "boolean", - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." + "type": "boolean" } }, { "session_request_headers": { + "type": "set", "elements": { "type": "string", "one_of": [ @@ -1345,12 +1349,12 @@ "rolling-timeout", "absolute-timeout" ] - }, - "type": "set" + } } }, { "session_response_headers": { + "type": "set", "elements": { "type": "string", "one_of": [ 
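Review bot: The five session lifetime fields (`session_remember_rolling_timeout`, `session_remember_absolute_timeout`, `session_idling_timeout`, `session_rolling_timeout`, `session_absolute_timeout`) now all read `Network IO timeout in milliseconds.`, which contradicts the descriptions this hunk removes. Those gave the values in seconds, matching the defaults 604800, 2592000, 900, 3600 and 86400, and stated that 0 disables the check. An operator relying on the new text could set session lifetimes a factor of a thousand off, or not realise that 0 turns expiry enforcement off. The previous wording should be kept, for example `"description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching."` for `session_idling_timeout`. As the file is downloaded, the correction probably belongs in the upstream schema.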
@@ -1362,76 +1366,75 @@ "rolling-timeout", "absolute-timeout" ] - }, - "type": "set" + } } }, { "session_storage": { - "type": "string", "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis", - "default": "cookie", - "required": false, "one_of": [ "cookie", "memcache", "memcached", "redis" - ] + ], + "default": "cookie", + "required": false, + "type": "string" } }, { "session_store_metadata": { - "default": false, - "type": "boolean", "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", - "required": false + "required": false, + "type": "boolean", + "default": false } }, { "session_enforce_same_subject": { - "default": false, - "type": "boolean", "description": "When set to `true`, audiences are forced to share the same subject.", - "required": false + "required": false, + "type": "boolean", + "default": false } }, { "session_hash_subject": { - "default": false, - "type": "boolean", "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", - "required": false + "required": false, + "type": "boolean", + "default": false } }, { "session_hash_storage_key": { - "default": false, - "type": "boolean", "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", - "required": false + "required": false, + "type": "boolean", + "default": false } }, { "session_memcached_prefix": { + "description": "The memcached session key prefix.", "required": false, - "type": "string", - "description": "The memcached session key prefix." + "type": "string" } }, { "session_memcached_socket": { + "description": "The memcached unix socket path.", "required": false, - "type": "string", - "description": "The memcached unix socket path." + "type": "string" } }, { "session_memcached_host": { - "default": "127.0.0.1", - "type": "string", "description": "The memcached host.", - "required": false + "required": false, + "type": "string", + "default": "127.0.0.1" } }, { @@ -1440,32 +1443,32 @@ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", + "default": 11211, "required": false, - "default": 11211 + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "session_redis_prefix": { + "description": "The Redis session key prefix.", "required": false, - "type": "string", - "description": "The Redis session key prefix." + "type": "string" } }, { "session_redis_socket": { + "description": "The Redis unix socket path.", "required": false, - "type": "string", - "description": "The Redis unix socket path." + "type": "string" } }, { "session_redis_host": { - "default": "127.0.0.1", - "type": "string", "description": "The Redis host", - "required": false + "required": false, + "type": "string", + "default": "127.0.0.1" } }, { 
@@ -1474,98 +1477,98 @@ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", + "default": 6379, "required": false, - "default": 6379 + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "session_redis_username": { - "required": false, - "referenceable": true, "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", - "type": "string" + "required": false, + "type": "string", + "referenceable": true } }, { "session_redis_password": { - "referenceable": true, "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis.", - "encrypted": true, + "referenceable": true, + "required": false, "type": "string", - "required": false + "encrypted": true } }, { "session_redis_connect_timeout": { - "type": "integer", - "description": "Session redis connection timeout in milliseconds.", - "required": false + "description": "Network IO timeout in milliseconds.", + "required": false, + "type": "integer" } }, { "session_redis_read_timeout": { - "type": "integer", - "description": "Session redis read timeout in milliseconds.", - "required": false + "description": "Network IO timeout in milliseconds.", + "required": false, + "type": "integer" } }, { "session_redis_send_timeout": { - "type": "integer", - "description": "Session redis send timeout in milliseconds.", - "required": false + "description": "Network IO timeout in milliseconds.", + "required": false, + "type": "integer" } }, { "session_redis_ssl": { - "default": false, - "type": "boolean", "description": "Use SSL/TLS for Redis connection.", - "required": false + "required": false, + "type": "boolean", + 
"default": false } }, { "session_redis_ssl_verify": { - "default": false, - "type": "boolean", "description": "Verify identity provider server certificate.", - "required": false + "required": false, + "type": "boolean", + "default": false } }, { "session_redis_server_name": { + "description": "The SNI used for connecting the Redis server.", "required": false, - "type": "string", - "description": "The SNI used for connecting the Redis server." + "type": "string" } }, { "session_redis_cluster_nodes": { + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", "required": false, "type": "array", - "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", "elements": { "type": "record", "fields": [ { "ip": { + "description": "A string representing a host name, such as example.com.", "required": true, "type": "string", - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1" } }, { "port": { "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] 
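Review bot: `session_redis_ssl_verify` is still described as `Verify identity provider server certificate.`, although it sits between `session_redis_ssl` and `session_redis_server_name` and so presumably controls verification of the Redis server certificate. With `"default": false`, an operator who enables `session_redis_ssl` gets an unverified TLS connection to the session store unless this field is set. The current text does not point them to it. Suggested wording: `"description": "Verify the Redis server certificate when session_redis_ssl is enabled."`, to be confirmed against the plugin and fixed upstream if the file is regenerated.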
@@ -1574,36 +1577,37 @@ }, { "session_redis_cluster_max_redirections": { + "description": "The Redis cluster maximum redirects.", "required": false, - "type": "integer", - "description": "The Redis cluster maximum redirects." + "type": "integer" } }, { "reverify": { - "default": false, - "type": "boolean", "description": "Specifies whether to always verify tokens stored in the session.", - "required": false + "required": false, + "type": "boolean", + "default": false } }, { "jwt_session_claim": { - "default": "sid", - "type": "string", "description": "The claim to match against the JWT session cookie.", - "required": false + "required": false, + "type": "string", + "default": "sid" } }, { "jwt_session_cookie": { + "description": "The name of the JWT session cookie.", "required": false, - "type": "string", - "description": "The name of the JWT session cookie." + "type": "string" } }, { "bearer_token_param_type": { + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`", "elements": { "type": "string", "one_of": [ 
@@ -1613,25 +1617,25 @@ "body" ] }, - "type": "array", - "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`", - "required": false, "default": [ "header", "query", "body" - ] + ], + "required": false, + "type": "array" } }, { "bearer_token_cookie_name": { + "description": "The name of the cookie in which the bearer token is passed.", "required": false, - "type": "string", - "description": "The name of the cookie in which the bearer token is passed." + "type": "string" } }, { "client_credentials_param_type": { + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body", "elements": { "type": "string", "one_of": [ @@ -1640,18 +1644,18 @@ "body" ] }, - "type": "array", - "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body", - "required": false, "default": [ "header", "query", "body" - ] + ], + "required": false, + "type": "array" } }, { "password_param_type": { + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", "elements": { "type": "string", "one_of": [ 
@@ -1660,18 +1664,18 @@ "body" ] }, - "type": "array", - "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", - "required": false, "default": [ "header", "query", "body" - ] + ], + "required": false, + "type": "array" } }, { "id_token_param_type": { + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", "elements": { "type": "string", "one_of": [ @@ -1680,25 +1684,25 @@ "body" ] }, - "type": "array", - "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", - "required": false, "default": [ "header", "query", "body" - ] + ], + "required": false, + "type": "array" } }, { "id_token_param_name": { + "description": "The name of the parameter used to pass the id token.", "required": false, - "type": "string", - "description": "The name of the parameter used to pass the id token." + "type": "string" } }, { "refresh_token_param_type": { + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", "elements": { "type": "string", "one_of": [ 
@@ -1707,36 +1711,35 @@ "body" ] }, - "type": "array", - "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", - "required": false, "default": [ "header", "query", "body" - ] + ], + "required": false, + "type": "array" } }, { "refresh_token_param_name": { + "description": "The name of the parameter used to pass the refresh token.", "required": false, - "type": "string", - "description": "The name of the parameter used to pass the refresh token." + "type": "string" } }, { "refresh_tokens": { - "default": true, - "type": "boolean", "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", - "required": false + "required": false, + "type": "boolean", + "default": true } }, { "upstream_headers_claims": { + "description": "The upstream header claims.", "required": false, "type": "array", - "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" } @@ -1744,9 +1747,9 @@ }, { "upstream_headers_names": { + "description": "The upstream header names for the claim values.", "required": false, "type": "array", - "description": "The upstream header names for the claim values.", "elements": { "type": "string" } 
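Review bot: The new `upstream_headers_claims` description drops the sentence `If multiple values are set, it means the claim is inside a nested object of the token payload.`, so the array now reads as a list of independent claims rather than a path into the payload. The same sentence is removed from `downstream_headers_claims`, `consumer_claim` and `credential_claim` in later hunks. For the last two, this changes how a reader understands which claim drives consumer mapping and virtual credentials. The sentence should be restored in all four descriptions, in the upstream schema if this file is regenerated from the API.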
@@ -1754,79 +1757,79 @@ }, { "upstream_access_token_header": { - "default": "authorization:bearer", - "type": "string", "description": "The upstream access token header.", - "required": false + "required": false, + "type": "string", + "default": "authorization:bearer" } }, { "upstream_access_token_jwk_header": { + "description": "The upstream access token JWK header.", "required": false, - "type": "string", - "description": "The upstream access token JWK header." + "type": "string" } }, { "upstream_id_token_header": { + "description": "The upstream id token header.", "required": false, - "type": "string", - "description": "The upstream id token header." + "type": "string" } }, { "upstream_id_token_jwk_header": { + "description": "The upstream id token JWK header.", "required": false, - "type": "string", - "description": "The upstream id token JWK header." + "type": "string" } }, { "upstream_refresh_token_header": { + "description": "The upstream refresh token header.", "required": false, - "type": "string", - "description": "The upstream refresh token header." + "type": "string" } }, { "upstream_user_info_header": { + "description": "The upstream user info header.", "required": false, - "type": "string", - "description": "The upstream user info header." + "type": "string" } }, { "upstream_user_info_jwt_header": { + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", "required": false, - "type": "string", - "description": "The upstream user info JWT header (in case the user info returns a JWT response)." + "type": "string" } }, { "upstream_introspection_header": { + "description": "The upstream introspection header.", "required": false, - "type": "string", - "description": "The upstream introspection header." 
+ "type": "string" } }, { "upstream_introspection_jwt_header": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_session_id_header": { + "description": "The upstream session id header.", "required": false, - "type": "string", - "description": "The upstream session id header." + "type": "string" } }, { "downstream_headers_claims": { + "description": "The downstream header claims.", "required": false, "type": "array", - "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" } @@ -1834,9 +1837,9 @@ }, { "downstream_headers_names": { + "description": "The downstream header names for the claim values.", "required": false, "type": "array", - "description": "The downstream header names for the claim values.", "elements": { "type": "string" } 
@@ -1844,75 +1847,76 @@ }, { "downstream_access_token_header": { + "description": "The downstream access token header.", "required": false, - "type": "string", - "description": "The downstream access token header." + "type": "string" } }, { "downstream_access_token_jwk_header": { + "description": "The downstream access token JWK header.", "required": false, - "type": "string", - "description": "The downstream access token JWK header." + "type": "string" } }, { "downstream_id_token_header": { + "description": "The downstream id token header.", "required": false, - "type": "string", - "description": "The downstream id token header." + "type": "string" } }, { "downstream_id_token_jwk_header": { + "description": "The downstream id token JWK header.", "required": false, - "type": "string", - "description": "The downstream id token JWK header." + "type": "string" } }, { "downstream_refresh_token_header": { + "description": "The downstream refresh token header.", "required": false, - "type": "string", - "description": "The downstream refresh token header." + "type": "string" } }, { "downstream_user_info_header": { + "description": "The downstream user info header.", "required": false, - "type": "string", - "description": "The downstream user info header." + "type": "string" } }, { "downstream_user_info_jwt_header": { + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", "required": false, - "type": "string", - "description": "The downstream user info JWT header (in case the user info returns a JWT response)." + "type": "string" } }, { "downstream_introspection_header": { + "description": "The downstream introspection header.", "required": false, - "type": "string", - "description": "The downstream introspection header." 
+ "type": "string" } }, { "downstream_introspection_jwt_header": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_session_id_header": { + "description": "The downstream session id header.", "required": false, - "type": "string", - "description": "The downstream session id header." + "type": "string" } }, { "login_methods": { + "description": "Enable login functionality with specified grants.", "elements": { "type": "string", "one_of": [ @@ -1927,29 +1931,29 @@ "session" ] }, - "type": "array", - "description": "Enable login functionality with specified grants.", - "required": false, "default": [ "authorization_code" - ] + ], + "required": false, + "type": "array" } }, { "login_action": { - "type": "string", "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location", - "default": "upstream", - "required": false, "one_of": [ "upstream", "response", "redirect" - ] + ], + "default": "upstream", + "required": false, + "type": "string" } }, { "login_tokens": { + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response", "elements": { "type": "string", "one_of": [ 
@@ -1960,49 +1964,49 @@ "introspection" ] }, - "type": "array", - "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response", - "required": false, "default": [ "id_token" - ] + ], + "required": false, + "type": "array" } }, { "login_redirect_mode": { - "type": "string", "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)", - "default": "fragment", - "required": false, "one_of": [ "query", "fragment" - ] + ], + "default": "fragment", + "required": false, + "type": "string" } }, { "logout_query_arg": { + "description": "The request query argument that activates the logout.", "required": false, - "type": "string", - "description": "The request query argument that activates the logout." + "type": "string" } }, { "logout_post_arg": { + "description": "The request body argument that activates the logout.", "required": false, - "type": "string", - "description": "The request body argument that activates the logout." + "type": "string" } }, { "logout_uri_suffix": { + "description": "The request URI suffix that activates the logout.", "required": false, - "type": "string", - "description": "The request URI suffix that activates the logout." + "type": "string" } }, { "logout_methods": { + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method", "elements": { "type": "string", "one_of": [ 
@@ -2011,44 +2015,43 @@ "DELETE" ] }, - "type": "array", - "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method", - "required": false, "default": [ "POST", "DELETE" - ] + ], + "required": false, + "type": "array" } }, { "logout_revoke": { - "default": false, - "type": "boolean", "description": "Revoke tokens as part of the logout.", - "required": false + "required": false, + "type": "boolean", + "default": false } }, { "logout_revoke_access_token": { - "default": true, - "type": "boolean", "description": "Revoke the access token as part of the logout.", - "required": false + "required": false, + "type": "boolean", + "default": true } }, { "logout_revoke_refresh_token": { - "default": true, - "type": "boolean", "description": "Revoke the refresh token as part of the logout.", - "required": false + "required": false, + "type": "boolean", + "default": true } }, { "consumer_claim": { + "description": "The claim used for consumer mapping.", "required": false, "type": "array", - "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" } @@ -2056,6 +2059,7 @@ }, { "consumer_by": { + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`", "elements": { "type": "string", "one_of": [ 
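Review bot: The new `consumer_claim` description stops at "The claim used for consumer mapping." and no longer says that multiple values address a claim nested inside the token payload, which is the only explanation of why the field is an array. The same sentence is dropped from `credential_claim` in the next hunk, `leeway` loses its mention of the `iat` claim, and `expose_error_code` further down is left with no description at all. The opentelemetry and rate-limiting-advanced schemas in this patch lose text the same way (`resource_attributes`, `http_response_header_for_traceid`, `header_type`, the note on `namespace`). These fields decide how a token is mapped to a consumer, so I would keep the previous wording until the source schema carries it: `"description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload."`.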
@@ -2064,93 +2068,93 @@ "custom_id" ] }, - "type": "array", - "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`", - "required": false, "default": [ "username", "custom_id" - ] + ], + "required": false, + "type": "array" } }, { "consumer_optional": { - "default": false, - "type": "boolean", "description": "Do not terminate the request if consumer mapping fails.", - "required": false + "required": false, + "type": "boolean", + "default": false } }, { "credential_claim": { + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used.", "elements": { "type": "string" }, - "type": "array", - "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, "default": [ "sub" - ] + ], + "required": false, + "type": "array" } }, { "anonymous": { + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "required": false, - "type": "string", - "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." 
+ "type": "string" } }, { "run_on_preflight": { - "default": true, - "type": "boolean", "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", - "required": false + "required": false, + "type": "boolean", + "default": true } }, { "leeway": { - "default": 0, + "description": "Allow some leeway (in seconds) on the ttl / expiry verification.", + "required": false, "type": "number", - "description": "Allow some leeway (in seconds) on the iat claim and ttl / expiry verification.", - "required": false + "default": 0 } }, { "verify_parameters": { - "default": false, - "type": "boolean", "description": "Verify plugin configuration against discovery.", - "required": false + "required": false, + "type": "boolean", + "default": false } }, { "verify_nonce": { - "default": true, - "type": "boolean", "description": "Verify nonce on authorization code flow.", - "required": false + "required": false, + "type": "boolean", + "default": true } }, { "verify_claims": { - "default": true, - "type": "boolean", "description": "Verify tokens for standard claims.", - "required": false + "required": false, + "type": "boolean", + "default": true } }, { "verify_signature": { - "default": true, - "type": "boolean", "description": "Verify signature of tokens.", - "required": false + "required": false, + "type": "boolean", + "default": true } }, { "ignore_signature": { + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication", "elements": { "type": "string", "one_of": [ 
@@ -2163,27 +2167,26 @@ "userinfo" ] }, - "type": "array", - "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication", - "required": false, "default": [ - ] + ], + "required": false, + "type": "array" } }, { "enable_hs_signatures": { - "default": false, - "type": "boolean", "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", - "required": false + "required": false, + "type": "boolean", + "default": false } }, { "disable_session": { + "description": "Disable issuing the session cookie with the specified grants.", "required": false, "type": "array", - "description": "Disable issuing the session cookie with the specified grants.", "elements": { "type": "string", "one_of": [ 
@@ -2202,213 +2205,214 @@ }, { "cache_ttl": { - "default": 3600, - "type": "number", "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", - "required": false + "required": false, + "type": "number", + "default": 3600 } }, { "cache_ttl_max": { + "description": "The maximum cache ttl in seconds (enforced).", "required": false, - "type": "number", - "description": "The maximum cache ttl in seconds (enforced)." + "type": "number" } }, { "cache_ttl_min": { + "description": "The minimum cache ttl in seconds (enforced).", "required": false, - "type": "number", - "description": "The minimum cache ttl in seconds (enforced)." + "type": "number" } }, { "cache_ttl_neg": { + "description": "The negative cache ttl in seconds.", "required": false, - "type": "number", - "description": "The negative cache ttl in seconds." + "type": "number" } }, { "cache_ttl_resurrect": { + "description": "The resurrection ttl in seconds.", "required": false, - "type": "number", - "description": "The resurrection ttl in seconds." + "type": "number" } }, { "cache_tokens": { - "default": true, - "type": "boolean", "description": "Cache the token endpoint requests.", - "required": false + "required": false, + "type": "boolean", + "default": true } }, { "cache_tokens_salt": { + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", "required": false, "type": "string", - "auto": true, - "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." 
+ "auto": true } }, { "cache_introspection": { - "default": true, - "type": "boolean", "description": "Cache the introspection endpoint requests.", - "required": false + "required": false, + "type": "boolean", + "default": true } }, { "cache_token_exchange": { - "default": true, - "type": "boolean", "description": "Cache the token exchange endpoint requests.", - "required": false + "required": false, + "type": "boolean", + "default": true } }, { "cache_user_info": { - "default": true, - "type": "boolean", "description": "Cache the user info requests.", - "required": false + "required": false, + "type": "boolean", + "default": true } }, { "search_user_info": { - "default": false, - "type": "boolean", "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", - "required": false + "required": false, + "type": "boolean", + "default": false } }, { "hide_credentials": { - "default": false, - "type": "boolean", "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", - "required": false + "required": false, + "type": "boolean", + "default": false } }, { "http_version": { - "default": 1.1, - "type": "number", "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0", - "required": false + "required": false, + "type": "number", + "default": 1.1 } }, { "http_proxy": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": false, - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ "type": "string" } }, { "http_proxy_authorization": { + "description": "The HTTP proxy authorization.", "required": false, - "type": "string", - "description": "The HTTP proxy authorization." + "type": "string" } }, { "https_proxy": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": false, - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "type": "string" } }, { "https_proxy_authorization": { + "description": "The HTTPS proxy authorization.", "required": false, - "type": "string", - "description": "The HTTPS proxy authorization." + "type": "string" } }, { "no_proxy": { + "description": "Do not use proxy with these hosts.", "required": false, - "type": "string", - "description": "Do not use proxy with these hosts." + "type": "string" } }, { "keepalive": { - "default": true, - "type": "boolean", "description": "Use keepalive with the HTTP client.", - "required": false + "required": false, + "type": "boolean", + "default": true } }, { "ssl_verify": { - "default": false, - "type": "boolean", "description": "Verify identity provider server certificate.", - "required": false + "required": false, + "type": "boolean", + "default": false } }, { "timeout": { - "default": 10000, - "type": "number", "description": "Network IO timeout in milliseconds.", - "required": false + "required": false, + "type": "number", + "default": 10000 } }, { "display_errors": { - "default": false, - "type": "boolean", "description": "Display errors on failure responses.", - "required": false + "required": false, + "type": "boolean", + "default": false } }, { "by_username_ignore_case": { - "default": false, - "type": "boolean", "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", - "required": false + "required": false, + "type": "boolean", + "default": false } }, { 
"resolve_distributed_claims": { - "default": false, - "type": "boolean", "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", - "required": false + "required": false, + "type": "boolean", + "default": false } }, { "expose_error_code": { "default": true, - "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", "type": "boolean" } }, { "token_cache_key_include_scope": { - "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", "type": "boolean", - "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens." + "default": false } }, { "using_pseudo_issuer": { - "type": "boolean", "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL.", + "type": "boolean", "default": false } } - ] + ], + "type": "record", + "required": true } } ], "entity_checks": [ ] -} +} \ No newline at end of file diff --git a/schemas/opentelemetry/3.4.x.json b/schemas/opentelemetry/3.4.x.json index 9210ed58..13611063 100644 --- a/schemas/opentelemetry/3.4.x.json +++ b/schemas/opentelemetry/3.4.x.json @@ -2,15 +2,7 @@ "fields": [ { "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "required": true, "description": "A set of strings representing HTTP protocols.", - "type": "set", "elements": { "type": "string", "one_of": [ 
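Review bot: `ssl_verify` is published with `"default": false` and a description that only says "Verify identity provider server certificate.", so a reader of the generated reference is not told that the default leaves the identity provider's TLS certificate unchecked. This file is pulled from the API, so the wording has to change in the source schema; I would ask for something like `"description": "Verify identity provider server certificate. The default (false) performs no verification; set to true outside of local testing."`. The hunk also ends the file with `\ No newline at end of file`, which the previous version did not have.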
@@ -19,89 +11,109 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, + "reference": "consumer_groups", "type": "foreign" } }, { "config": { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "batch_span_count", + "batch_flush_delay" + ] + } + } + ], "fields": [ { "endpoint": { - "required": true, - "referenceable": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "referenceable": true, + "type": "string", + "required": true } }, { "headers": { + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", + "keys": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "type": "map", "values": { "type": "string", "referenceable": true - }, - "keys": { - "type": "string", - "description": "A string representing an HTTP header name." - }, - "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", - "type": "map" + } } }, { "resource_attributes": { - "description": "Attributes to add to the OpenTelemetry resource object, following the spec for Semantic Attributes. \nThe following attributes are automatically added:\n- `service.name`: The name of the service (default: `kong`).\n- `service.version`: The version of Kong Gateway.\n- `service.instance.id`: The node ID of Kong Gateway.\n\nYou can use this property to override default attribute values. 
For example, to override the default for `service.name`, you can specify `{ \"service.name\": \"my-service\" }`.", - "values": { + "keys": { "type": "string", "required": true }, - "keys": { + "type": "map", + "values": { "type": "string", "required": true - }, - "type": "map" + } } }, { "queue": { + "default": { + "max_batch_size": 200 + }, "fields": [ { "max_batch_size": { "default": 1, - "type": "integer", "between": [ 1, 1000000 ], + "type": "integer", "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { "default": 1, - "type": "number", "between": [ 0, 3600 ], + "type": "number", "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { "default": 10000, - "type": "integer", "between": [ 1, 1000000 ], + "type": "integer", "description": "Maximum number of entries that can be waiting on the queue." } }, @@ -121,23 +133,23 @@ { "initial_retry_delay": { "default": 0.01, - "type": "number", "between": [ 0.001, 1000000 ], + "type": "number", "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", "type": "number", "between": [ 0.001, 1000000 - ], - "description": "Maximum time in seconds between retries, caps exponential backoff." + ] } } ], 
@@ -160,45 +172,46 @@ { "connect_timeout": { "default": 1000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "http_response_header_for_traceid": { - "description": "Specifies a custom header for the `trace_id`. If set, the plugin sets the corresponding header in the response.", "type": "string" } }, { "header_type": { "default": "preserve", + "required": false, + "type": "string", "one_of": [ "preserve", "ignore", @@ -209,19 +222,6 @@ "ot", "aws", "datadog" - ], - "type": "string", - "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests.", - "required": false - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "batch_span_count", - "batch_flush_delay" ] } } diff --git a/schemas/opentelemetry/3.6.x.json b/schemas/opentelemetry/3.6.x.json index ce5d22bb..ea119961 100644 --- a/schemas/opentelemetry/3.6.x.json +++ b/schemas/opentelemetry/3.6.x.json 
@@ -5,15 +5,8 @@ "fields": [ { "protocols": { - "type": "set", "required": true, - "description": "A set of strings representing HTTP protocols.", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], + "type": "set", "elements": { "type": "string", "one_of": [ @@ -22,50 +15,48 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "type": "foreign" } }, { "config": { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "batch_span_count", - "batch_flush_delay" - ] - } - } - ], "type": "record", + "required": true, "fields": [ { "endpoint": { "referenceable": true, - "type": "string", + "required": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": true + "type": "string" } }, { "headers": { - "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", "type": "map", "keys": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." }, + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", "values": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } } }, 
@@ -84,72 +75,73 @@ }, { "queue": { + "type": "record", + "required": true, "default": { "max_batch_size": 200 }, - "type": "record", "fields": [ { "max_batch_size": { - "description": "Maximum number of entries that can be processed at a time.", "type": "integer", - "default": 1, "between": [ 1, 1000000 - ] + ], + "description": "Maximum number of entries that can be processed at a time.", + "default": 1 } }, { "max_coalescing_delay": { - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "type": "number", - "default": 1, "between": [ 0, 3600 - ] + ], + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "default": 1 } }, { "max_entries": { - "description": "Maximum number of entries that can be waiting on the queue.", "type": "integer", - "default": 10000, "between": [ 1, 1000000 - ] + ], + "description": "Maximum number of entries that can be waiting on the queue.", + "default": 10000 } }, { "max_bytes": { - "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", - "type": "integer" + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." } }, { "max_retry_time": { - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number", - "default": 60 + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." 
} }, { "initial_retry_delay": { - "description": "Time in seconds before the initial retry is made for a failing batch.", "type": "number", - "default": 0.01, "between": [ 0.001, 1000000 - ] + ], + "description": "Time in seconds before the initial retry is made for a failing batch.", + "default": 0.01 } }, { "max_retry_delay": { - "description": "Maximum time in seconds between retries, caps exponential backoff.", "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", "default": 60, "between": [ 0.001, @@ -157,8 +149,7 @@ ] } } - ], - "required": true + ] } }, { @@ -175,8 +166,8 @@ }, { "connect_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "default": 1000, "between": [ 0, @@ -186,8 +177,8 @@ }, { "send_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "default": 5000, "between": [ 0, @@ -197,8 +188,8 @@ }, { "read_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "default": 5000, "between": [ 0, @@ -213,6 +204,9 @@ }, { "header_type": { + "type": "string", + "required": false, + "default": "preserve", "one_of": [ "preserve", "ignore", 
@@ -224,17 +218,14 @@ "aws", "gcp", "datadog" - ], - "type": "string", - "default": "preserve", - "required": false + ] } }, { "sampling_rate": { - "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", "type": "number", "required": false, + "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", "between": [ 0, 1 @@ -242,7 +233,16 @@ } } ], - "required": true + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "batch_span_count", + "batch_flush_delay" + ] + } + } + ] } } ] diff --git a/schemas/rate-limiting-advanced/3.4.x.json b/schemas/rate-limiting-advanced/3.4.x.json index 04289ce4..27267c59 100644 --- a/schemas/rate-limiting-advanced/3.4.x.json +++ b/schemas/rate-limiting-advanced/3.4.x.json @@ -2,15 +2,7 @@ "fields": [ { "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "required": true, "description": "A set of strings representing HTTP protocols.", - "type": "set", "elements": { "type": "string", "one_of": [ @@ -19,7 +11,15 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "type": "set" } }, { @@ -27,8 +27,7 @@ "fields": [ { "identifier": { - "default": "consumer", - "type": "string", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, or `path`.", "one_of": [ "ip", "credential", 
@@ -37,116 +36,175 @@ "header", "path" ], - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, or `path`.", - "required": true + "default": "consumer", + "required": true, + "type": "string" } }, { "window_size": { - "type": "array", "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "required": true, + "type": "array", "elements": { "type": "number" - }, - "required": true + } } }, { "window_type": { - "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", "one_of": [ "fixed", "sliding" ], "type": "string", - "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters." + "default": "sliding" } }, { "limit": { - "type": "array", "description": "One or more requests-per-window limits to apply. 
There must be a matching number of window limits and sizes specified.", + "required": true, + "type": "array", "elements": { "type": "number" - }, - "required": true + } } }, { "sync_rate": { - "type": "number", - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" } }, { "namespace": { + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace.", "required": true, - "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", - "auto": true, - "type": "string" + "type": "string", + "auto": true } }, { "strategy": { - "default": "local", - "type": "string", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "one_of": [ "cluster", "redis", "local" ], - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. 
Available values are: `local` and `cluster`.", - "required": true + "default": "local", + "required": true, + "type": "string" } }, { "dictionary_name": { - "default": "kong_rate_limiting_counters", - "type": "string", "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", - "required": true + "required": true, + "type": "string", + "default": "kong_rate_limiting_counters" } }, { "hide_client_headers": { - "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", "type": "boolean", - "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters." + "default": false } }, { "retry_after_jitter_max": { - "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", "type": "number", - "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header." + "default": 0 } }, { "header_name": { - "type": "string", - "description": "A string representing an HTTP header name." 
+ "description": "A string representing an HTTP header name.", + "type": "string" } }, { "path": { "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], - "type": "string" + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "redis": { + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_addresses" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ], "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { @@ -162,12 +220,12 @@ { "timeout": { "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { 
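Review bot: The `strategy` description still ends with "Available values are: `local` and `cluster`", while the `one_of` list directly below it accepts `cluster`, `redis` and `local`. The `dictionary_name` description in the same hunk also refers to the `redis` strategy. Someone configuring from the rendered description alone would not learn that `redis` is a valid value, and that value is what makes the whole `redis` record and its new `entity_checks` relevant. The sentence should list all three values, "Available values are: `local`, `cluster`, and `redis`.", and the change belongs in the source schema so the next pull keeps it.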
@@ -202,46 +260,46 @@ }, { "username": { - "referenceable": true, "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "referenceable": true, "type": "string" } }, { "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "encrypted": true, - "referenceable": true, "type": "string", - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + "referenceable": true } }, { "sentinel_username": { - "referenceable": true, "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, "type": "string" } }, { "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "encrypted": true, - "referenceable": true, "type": "string", - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + "referenceable": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "type": "integer", + "default": 0 } }, { "keepalive_pool_size": { - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low.", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value.", "default": 30, + "type": "integer", "between": [ 1, 2147483646 
@@ -250,29 +308,29 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued connect operations resume once the number of connections in the pool is less than `keepalive_pool_size`. Note that queued connect operations are subject to set timeouts.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", "one_of": [ "master", "slave", "any" ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + "type": "string" } }, { 
@@ -281,8 +339,8 @@ "elements": { "type": "string" }, - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", - "type": "array" + "type": "array", + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element." } }, { 
@@ -291,90 +349,32 @@ "elements": { "type": "string" }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", - "type": "array" + "type": "array", + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element." } }, { "ssl": { - "default": false, "description": "If set to true, uses SSL to connect to Redis.", "required": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "ssl_verify": { - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "server_name": { "description": "A string representing an SNI (server name indication) value for TLS.", - "type": "string", - "required": false - } - } - ], - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_addresses" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_addresses" - ] + "required": false, + "type": "string" } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] } ], "type": "record", @@ -383,9 +383,9 @@ }, { "enforce_consumer_groups": { - "default": false, + "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", "type": "boolean", - "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups." + "default": false } }, { 
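Review bot: `ssl` and `ssl_verify` both keep `"default": false` on the new side of this hunk, and neither description says what that default means for a deployment. Going by the descriptions, a Redis connection is not encrypted unless `ssl` is set, and with `ssl` on but `ssl_verify` left off the server certificate is not checked. The same `redis` record declares `password` and `sentinel_password`, so by default those credentials would travel unprotected. I would add a sentence to the `ssl_verify` description such as `Defaults to false: when ssl is true and this is false, the Redis server certificate is not validated.`, and a matching note on `ssl`. The `ssl`/`ssl_verify` hunk of the 3.6.x schema later in this patch has the same gap; as these files are pulled from the API, the wording probably has to change in the plugin's schema source.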
@@ -399,24 +399,24 @@ }, { "disable_penalty": { - "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", "type": "boolean", - "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type." + "default": false } }, { "error_code": { - "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", "gt": 0, "type": "number", - "description": "Set a custom error code to return when the rate limit is exceeded." + "default": 429 } }, { "error_message": { - "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", "type": "string", - "description": "Set a custom error message to return when the rate limit is exceeded." + "default": "API rate limit exceeded" } } ], @@ -434,4 +434,4 @@ } } ] -} +} \ No newline at end of file diff --git a/schemas/rate-limiting-advanced/3.6.x.json b/schemas/rate-limiting-advanced/3.6.x.json index a7c304b5..64689766 100644 --- a/schemas/rate-limiting-advanced/3.6.x.json +++ b/schemas/rate-limiting-advanced/3.6.x.json 
@@ -11,37 +11,35 @@ "fields": [ { "protocols": { + "required": true, + "type": "set", "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, - "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "required": true, "description": "A set of strings representing HTTP protocols." } }, { "config": { - "required": true, "type": "record", + "required": true, "fields": [ { "identifier": { - "type": "string", - "default": "consumer", "required": true, - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "type": "string", "one_of": [ "ip", "credential", @@ -50,13 +48,15 @@ "header", "path", "consumer-group" - ] + ], + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`." } }, { "window_size": { - "required": true, "type": "array", + "required": true, "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" 
@@ -65,19 +65,19 @@ }, { "window_type": { + "type": "string", "one_of": [ "fixed", "sliding" ], - "type": "string", "default": "sliding", "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters." } }, { "limit": { - "required": true, "type": "array", + "required": true, "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" 
@@ -86,35 +86,35 @@ }, { "sync_rate": { - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", - "type": "number" + "type": "number", + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." } }, { "namespace": { - "auto": true, "type": "string", + "required": true, "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", - "required": true + "auto": true } }, { "strategy": { - "type": "string", - "default": "local", "required": true, - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "type": "string", "one_of": [ "cluster", "redis", "local" - ] + ], + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`." } }, { "dictionary_name": { - "required": true, "type": "string", + "required": true, "default": "kong_rate_limiting_counters", "description": "The shared dictionary where counters are stored. 
When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle." } 
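Review bot: The `strategy` description on the new side still ends with "Available values are: `local` and `cluster`", while the `one_of` list added just above it accepts `cluster`, `redis` and `local`. The `dictionary_name` description in this same hunk also refers to `config.strategy` being `redis`. Someone reading only the description will not learn that the Redis strategy exists, and so may never look at the `redis` record and its TLS and credential settings. I would change the closing sentence to `Available values are: local, cluster and redis.` (with the values in backticks as elsewhere). The 3.4.x schema earlier in this patch carries the same sentence, and since the files are downloaded from the API the fix likely belongs in the plugin's schema source.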
@@ -135,89 +135,32 @@ }, { "header_name": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." } }, { "path": { + "type": "string", + "starts_with": "/", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], - "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "starts_with": "/" + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "redis": { - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ], - "set2": [ - "host", - "port" - ] - } - }, - { - "mutually_exclusive_sets": { - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ], - "set2": [ - "cluster_addresses" - ] - } - }, - { - "mutually_exclusive_sets": { - "set1": [ - "cluster_addresses" - ], - "set2": [ - "host", - "port" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - } - ], "type": "record", + "required": true, "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { 
@@ -232,9 +175,9 @@ }, { "timeout": { - "default": 2000, "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "default": 2000, "between": [ 0, 2147483646 @@ -273,30 +216,30 @@ }, { "username": { - "referenceable": true, "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true } }, { "password": { - "encrypted": true, "type": "string", + "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "referenceable": true } }, { "sentinel_username": { - "referenceable": true, "type": "string", - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true } }, { "sentinel_password": { - "encrypted": true, "type": "string", + "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "referenceable": true } 
@@ -304,14 +247,14 @@ { "database": { "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy", - "default": 0 + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy" } }, { "keepalive_pool_size": { - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "default": 256, "between": [ 1, 
@@ -337,60 +280,117 @@ }, { "sentinel_role": { + "type": "string", "one_of": [ "master", "slave", "any" ], - "type": "string", "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." } }, { "sentinel_addresses": { + "type": "array", "elements": { "type": "string" }, - "type": "array", "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_addresses": { + "type": "array", "elements": { "type": "string" }, - "type": "array", "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "len_min": 1 } }, { "ssl": { - "required": false, "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis.", - "default": false + "required": false, + "default": false, + "description": "If set to true, uses SSL to connect to Redis." } }, { "ssl_verify": { - "required": false, "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "default": false + "required": false, + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." 
} }, { "server_name": { - "required": false, "type": "string", + "required": false, "description": "A string representing an SNI (server name indication) value for TLS." } } ], - "required": true + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "cluster_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "cluster_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ] } }, { @@ -402,10 +402,10 @@ }, { "consumer_groups": { + "type": "array", "elements": { "type": "string" }, - "type": "array", "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`." } }, @@ -418,8 +418,8 @@ }, { "error_code": { - "gt": 0, "type": "number", + "gt": 0, "default": 429, "description": "Set a custom error code to return when the rate limit is exceeded." } diff --git a/schemas/saml/3.4.x.json b/schemas/saml/3.4.x.json index f4f01aaf..6980b35a 100644 --- a/schemas/saml/3.4.x.json +++ b/schemas/saml/3.4.x.json 
@@ -2,23 +2,15 @@ "fields": [ { "consumer": { - "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, + "reference": "consumers", "type": "foreign" } }, { "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "required": true, "description": "A set of strings representing HTTP protocols.", - "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -27,296 +19,376 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, + "reference": "consumer_groups", "type": "foreign" } }, { "config": { + "shorthand_fields": [ + { + "session_cookie_lifetime": { + "type": "number" + } + }, + { + "session_cookie_idletime": { + "type": "number" + } + }, + { + "session_cookie_samesite": { + "type": "string" + } + }, + { + "session_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "type": "string" + } + }, + { + "session_memcache_socket": { + "type": "string" + } + }, + { + "session_memcache_host": { + "type": "string" + } + }, + { + "session_memcache_port": { + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer" + } + }, + { + "session_cookie_renew": { + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "type": "integer" + } + }, + { + "session_strategy": { + "type": "string" + } + }, + { + "session_compressor": { + "type": "string" + } + }, + { + "session_auth_ttl": { + "type": "number" + } + } + ], "fields": [ { "assertion_consumer_path": { + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "required": true, "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], - "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "starts_with": "/", - "required": true, "type": "string" } }, { "idp_sso_url": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string", - "required": true + "required": true, + "type": "string" } }, { "idp_certificate": { - "type": "string", - "encrypted": true, - "referenceable": true, "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "referenceable": true, + "encrypted": true, + "type": "string", "required": false } }, { "response_encryption_key": { - "type": "string", - "encrypted": true, - "referenceable": true, "description": "The private encryption key required to decrypt encrypted assertions.", + "referenceable": true, + "encrypted": true, + "type": "string", "required": false } }, { "request_signing_key": { - "type": "string", - "encrypted": true, - "referenceable": true, "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", + "referenceable": true, + "encrypted": true, + "type": "string", "required": false } }, { "request_signing_certificate": { - "type": "string", - "encrypted": true, - "referenceable": true, "description": "The certificate for signing requests.", + "referenceable": true, + "encrypted": true, + "type": "string", "required": false } }, { "request_signature_algorithm": { - "default": "SHA256", - "required": false, + "description": "The signature algorithm for signing Authn requests. 
Options available are: - `SHA256` - `SHA384` - `SHA512`", "one_of": [ "SHA256", "SHA384", "SHA512" ], - "type": "string", - "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`" + "default": "SHA256", + "required": false, + "type": "string" } }, { "request_digest_algorithm": { - "default": "SHA256", - "required": false, + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", "one_of": [ "SHA256", "SHA1" ], - "type": "string", - "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`" + "default": "SHA256", + "required": false, + "type": "string" } }, { "response_signature_algorithm": { - "default": "SHA256", - "required": false, + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", "one_of": [ "SHA256", "SHA384", "SHA512" ], - "type": "string", - "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`" + "default": "SHA256", + "required": false, + "type": "string" } }, { "response_digest_algorithm": { - "default": "SHA256", - "required": false, + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", "one_of": [ "SHA256", "SHA1" ], - "type": "string", - "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`" + "default": "SHA256", + "required": false, + "type": "string" } }, { "issuer": { - "required": true, "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", + "required": true, "type": "string" } }, { "nameid_format": { - "default": "EmailAddress", - "required": false, + "description": "The requested `NameId` format. 
Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", "one_of": [ "Unspecified", "EmailAddress", "Persistent", "Transient" ], - "type": "string", - "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`" + "default": "EmailAddress", + "required": false, + "type": "string" } }, { "validate_assertion_signature": { - "default": true, + "description": "Enable signature validation for SAML responses.", "required": false, "type": "boolean", - "description": "Enable signature validation for SAML responses." + "default": true } }, { "anonymous": { - "type": "string", "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", - "required": false + "required": false, + "type": "string" } }, { "session_secret": { - "required": true, + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", "referenceable": true, - "type": "string", "match": "^[0-9a-zA-Z/_+]+$", "len_min": 32, - "len_max": 32, - "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). 
It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", - "encrypted": true + "encrypted": true, + "required": true, + "type": "string", + "len_max": 32 } }, { "session_audience": { - "default": "default", - "type": "string", + "description": "The session audience, for example \"my-application\"", "required": false, - "description": "The session audience, for example \"my-application\"" + "type": "string", + "default": "default" } }, { "session_cookie_name": { - "default": "session", - "type": "string", + "description": "The session cookie name.", "required": false, - "description": "The session cookie name." + "type": "string", + "default": "session" } }, { "session_remember": { - "default": false, - "type": "boolean", + "description": "Enables or disables persistent sessions", "required": false, - "description": "Enables or disables persistent sessions" + "type": "boolean", + "default": false } }, { "session_remember_cookie_name": { - "default": "remember", - "type": "string", + "description": "Persistent session cookie name", "required": false, - "description": "Persistent session cookie name" + "type": "string", + "default": "remember" } }, { "session_remember_rolling_timeout": { - "default": 604800, - "type": "number", + "description": "Persistent session rolling timeout in seconds.", "required": false, - "description": "Persistent session rolling timeout in seconds." + "type": "number", + "default": 604800 } }, { "session_remember_absolute_timeout": { - "default": 2592000, - "type": "number", + "description": "Persistent session absolute timeout in seconds.", "required": false, - "description": "Persistent session absolute timeout in seconds." 
+ "type": "number", + "default": 2592000 } }, { "session_idling_timeout": { - "default": 900, - "type": "number", + "description": "The session cookie idle time in seconds.", "required": false, - "description": "The session cookie idle time in seconds." + "type": "number", + "default": 900 } }, { "session_rolling_timeout": { - "default": 3600, - "type": "number", + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", "required": false, - "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid." + "type": "number", + "default": 3600 } }, { "session_absolute_timeout": { - "default": 86400, - "type": "number", + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", "required": false, - "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid." + "type": "number", + "default": 86400 } }, { "session_cookie_path": { + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "default": "/", + "required": false, "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], - "type": "string", - "starts_with": "/", - "required": false, - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." 
+ "type": "string" } }, { "session_cookie_domain": { - "type": "string", "description": "The session cookie domain flag.", - "required": false + "required": false, + "type": "string" } }, { "session_cookie_same_site": { - "default": "Lax", - "required": false, + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "one_of": [ "Strict", "Lax", "None", "Default" ], - "type": "string", - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." + "default": "Lax", + "required": false, + "type": "string" } }, { "session_cookie_http_only": { - "default": true, - "type": "boolean", + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "required": false, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." + "type": "boolean", + "default": true } }, { "session_cookie_secure": { - "type": "boolean", "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "required": false + "required": false, + "type": "boolean" } }, { 
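Review bot: `response_digest_algorithm` and `request_digest_algorithm` both list `SHA1` in `one_of`, and their descriptions present it as an equal alternative to `SHA256` with nothing marking it as the weaker choice. The response-side setting controls how digests in incoming SAML responses are verified, so I would append to its description something like `SHA1 is weaker than SHA256; use it only if the IdP cannot produce SHA256 digests.` Separately, the `session_rolling_timeout` description is word for word the `session_absolute_timeout` one ("The session cookie absolute timeout in seconds..."), so the schema does not let an operator tell the two timeouts apart. As the file is pulled from the API, both texts probably need correcting in the plugin's schema source rather than in this repository.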
@@ -355,292 +427,220 @@ }, { "session_storage": { - "default": "cookie", - "required": false, + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", "one_of": [ "cookie", "memcache", "memcached", "redis" ], - "type": "string", - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis" + "default": "cookie", + "required": false, + "type": "string" } }, { "session_store_metadata": { - "default": false, - "type": "boolean", + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", "required": false, - "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject." + "type": "boolean", + "default": false } }, { "session_enforce_same_subject": { - "default": false, - "type": "boolean", + "description": "When set to `true`, audiences are forced to share the same subject.", "required": false, - "description": "When set to `true`, audiences are forced to share the same subject." + "type": "boolean", + "default": false } }, { "session_hash_subject": { - "default": false, - "type": "boolean", + "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", "required": false, - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." + "type": "boolean", + "default": false } }, { "session_hash_storage_key": { - "default": false, - "type": "boolean", + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "required": false, - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." + "type": "boolean", + "default": false } }, { "session_memcached_prefix": { - "type": "string", "description": "The memcached session key prefix.", - "required": false + "required": false, + "type": "string" } }, { "session_memcached_socket": { - "type": "string", "description": "The memcached unix socket path.", - "required": false + "required": false, + "type": "string" } }, { "session_memcached_host": { - "default": "127.0.0.1", - "type": "string", + "description": "The memcached host.", "required": false, - "description": "The memcached host." + "type": "string", + "default": "127.0.0.1" } }, { "session_memcached_port": { - "default": 11211, - "type": "integer", "between": [ 0, 65535 ], + "default": 11211, "required": false, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive." 
} }, { "session_redis_prefix": { - "type": "string", "description": "The Redis session key prefix.", - "required": false + "required": false, + "type": "string" } }, { "session_redis_socket": { - "type": "string", "description": "The Redis unix socket path.", - "required": false + "required": false, + "type": "string" } }, { "session_redis_host": { - "default": "127.0.0.1", - "type": "string", + "description": "The Redis host IP.", "required": false, - "description": "The Redis host IP." + "type": "string", + "default": "127.0.0.1" } }, { "session_redis_port": { - "default": 6379, - "type": "integer", "between": [ 0, 65535 ], + "default": 6379, "required": false, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "session_redis_username": { - "type": "string", + "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", "referenceable": true, - "required": false, - "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." + "type": "string", + "required": false } }, { "session_redis_password": { - "type": "string", - "encrypted": true, - "referenceable": true, "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. 
This value is pulled from", + "referenceable": true, + "encrypted": true, + "type": "string", "required": false } }, { "session_redis_connect_timeout": { - "type": "integer", "description": "The Redis connection timeout in milliseconds.", - "required": false + "required": false, + "type": "integer" } }, { "session_redis_read_timeout": { - "type": "integer", "description": "The Redis read timeout in milliseconds.", - "required": false + "required": false, + "type": "integer" } }, { "session_redis_send_timeout": { - "type": "integer", "description": "The Redis send timeout in milliseconds.", - "required": false + "required": false, + "type": "integer" } }, { "session_redis_ssl": { - "default": false, - "type": "boolean", + "description": "Use SSL/TLS for the Redis connection.", "required": false, - "description": "Use SSL/TLS for the Redis connection." + "type": "boolean", + "default": false } }, { "session_redis_ssl_verify": { - "default": false, - "type": "boolean", + "description": "Verify the Redis server certificate.", "required": false, - "description": "Verify the Redis server certificate." + "type": "boolean", + "default": false } }, { "session_redis_server_name": { - "type": "string", "description": "The SNI used for connecting to the Redis server.", - "required": false + "required": false, + "type": "string" } }, { "session_redis_cluster_nodes": { - "type": "array", + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", "required": false, + "type": "array", "elements": { + "type": "record", "fields": [ { "ip": { - "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", "required": true, "type": "string", - "description": "A string representing a host name, such as example.com." 
+ "default": "127.0.0.1" } }, { "port": { "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } - ], - "type": "record" - }, - "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values." + ] + } } }, { "session_redis_cluster_max_redirections": { - "type": "integer", "description": "The Redis cluster maximum redirects.", - "required": false - } - } - ], - "shorthand_fields": [ - { - "session_cookie_lifetime": { - "type": "number" - } - }, - { - "session_cookie_idletime": { - "type": "number" - } - }, - { - "session_cookie_samesite": { - "type": "string" - } - }, - { - "session_cookie_httponly": { - "type": "boolean" - } - }, - { - "session_memcache_prefix": { - "type": "string" - } - }, - { - "session_memcache_socket": { - "type": "string" - } - }, - { - "session_memcache_host": { - "type": "string" - } - }, - { - "session_memcache_port": { - "type": "integer" - } - }, - { - "session_redis_cluster_maxredirections": { - "type": "integer" - } - }, - { - "session_cookie_renew": { - "type": "number" - } - }, - { - "session_cookie_maxsize": { + "required": false, "type": "integer" } - }, - { - "session_strategy": { - "type": "string" - } - }, - { - "session_compressor": { - "type": "string" - } - }, - { - "session_auth_ttl": { - "type": "number" - } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } ], From 63038c74f319f4c59b297745855afaeb3227a592 Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Thu, 18 Apr 2024 17:32:09 +0200 Subject: [PATCH 043/165] Add a github action that dispatches an event when `main` is updated --- .github/workflows/sync-docs.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 .github/workflows/sync-docs.yml 
diff --git a/.github/workflows/sync-docs.yml b/.github/workflows/sync-docs.yml
new file mode 100644
index 00000000..bde8cae2
--- /dev/null
+++ b/.github/workflows/sync-docs.yml
@@ -0,0 +1,17 @@
+name: Sync submodule in docs
+on:
+ push:
+ branches:
+ - 'main'
+
+jobs:
+ sync-repo:
+ name: Sync submodule in docs
+ runs-on: ubuntu-latest
+ steps:
+ - name: Repository Dispatch
+ uses: peter-evans/repository-dispatch@v3
+ with:
+ token: ${{ secrets.PAT }}
+ repository: Kong/docs.konghq.com
+ event-type: PLUGINS_UPDATED
From 86a69c7515ea20df998baefc8571d52234c1ab56 Mon Sep 17 00:00:00 2001
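Review bot: The `Repository Dispatch` step passes `secrets.PAT` to a third-party action referenced by the mutable tag `@v3`, so whatever code that tag points to at run time receives the token. Pin the action to a full commit SHA and keep the tag as a comment, `uses: peter-evans/repository-dispatch@<full-commit-sha> # v3` (placeholder; take the SHA from the release you have reviewed). The workflow also declares no `permissions:` block, so the job's own GITHUB_TOKEN keeps the repository default even though nothing here uses it; a top-level `permissions: {}` removes that. The secret name `PAT` says nothing about scope; presumably it is meant to be a fine-grained token limited to `Kong/docs.konghq.com`, which is worth confirming and recording in a comment above `token:`.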
From: Lena Date: Thu, 2 May 2024 21:05:04 -0700 Subject: [PATCH 044/165] generate real 3.7 plugin schemas, referenceable fields, and priority list --- data/priorities/ee/3.7.x.json | 25 +- data/referenceable_fields/3.7.x.json | 41 +- schemas/acl/3.7.x.json | 32 +- schemas/acme/3.7.x.json | 178 ++- schemas/ai-azure-content-safety/3.7.x.json | 164 +- schemas/ai-prompt-decorator/3.7.x.json | 52 +- schemas/ai-prompt-guard/3.7.x.json | 34 +- schemas/ai-prompt-template/3.7.x.json | 40 +- schemas/ai-proxy/3.7.x.json | 259 +-- schemas/ai-rate-limiting-advanced/3.7.x.json | 447 +++++- schemas/ai-request-transformer/3.7.x.json | 289 ++-- schemas/ai-response-transformer/3.7.x.json | 293 ++-- schemas/application-registration/3.7.x.json | 46 +- schemas/aws-lambda/3.7.x.json | 80 +- schemas/azure-functions/3.7.x.json | 34 +- schemas/basic-auth/3.7.x.json | 26 +- schemas/bot-detection/3.7.x.json | 32 +- schemas/canary/3.7.x.json | 46 +- schemas/correlation-id/3.7.x.json | 22 +- schemas/cors/3.7.x.json | 74 +- schemas/datadog/3.7.x.json | 140 +- schemas/degraphql/3.7.x.json | 20 +- schemas/exit-transformer/3.7.x.json | 18 +- schemas/file-log/3.7.x.json | 24 +- schemas/forward-proxy/3.7.x.json | 60 +- .../graphql-proxy-cache-advanced/3.7.x.json | 279 +++- .../graphql-rate-limiting-advanced/3.7.x.json | 120 +- schemas/grpc-gateway/3.7.x.json | 14 +- schemas/grpc-web/3.7.x.json | 22 +- schemas/hmac-auth/3.7.x.json | 46 +- schemas/http-log/3.7.x.json | 68 +- schemas/ip-restriction/3.7.x.json | 30 +- schemas/jq/3.7.x.json | 88 +- schemas/jwe-decrypt/3.7.x.json | 26 +- schemas/jwt-signer/3.7.x.json | 621 +++++-- schemas/jwt/3.7.x.json | 60 +- schemas/kafka-log/3.7.x.json | 82 +- schemas/kafka-upstream/3.7.x.json | 72 +- schemas/key-auth-enc/3.7.x.json | 34 +- schemas/key-auth/3.7.x.json | 61 +- schemas/konnect-application-auth/3.7.x.json | 1384 ++++++++-------- schemas/ldap-auth-advanced/3.7.x.json | 98 +- schemas/ldap-auth/3.7.x.json | 56 +- schemas/loggly/3.7.x.json | 36 +- 
schemas/mocking/3.7.x.json | 58 +- schemas/mtls-auth/3.7.x.json | 50 +- schemas/oas-validation/3.7.x.json | 84 +- schemas/oauth2-introspection/3.7.x.json | 52 +- schemas/oauth2/3.7.x.json | 102 +- schemas/opa/3.7.x.json | 46 +- schemas/openid-connect/3.7.x.json | 1420 +++++++++-------- schemas/opentelemetry/3.7.x.json | 165 +- schemas/post-function/3.7.x.json | 118 +- schemas/pre-function/3.7.x.json | 118 +- schemas/prometheus/3.7.x.json | 20 +- schemas/proxy-cache-advanced/3.7.x.json | 150 +- schemas/proxy-cache/3.7.x.json | 86 +- schemas/rate-limiting-advanced/3.7.x.json | 130 +- schemas/rate-limiting/3.7.x.json | 192 ++- schemas/request-size-limiting/3.7.x.json | 16 +- schemas/request-termination/3.7.x.json | 14 +- .../request-transformer-advanced/3.7.x.json | 108 +- schemas/request-transformer/3.7.x.json | 112 +- schemas/request-validator/3.7.x.json | 60 +- schemas/response-ratelimiting/3.7.x.json | 162 +- .../response-transformer-advanced/3.7.x.json | 70 +- schemas/response-transformer/3.7.x.json | 124 +- schemas/route-by-header/3.7.x.json | 32 +- schemas/route-transformer-advanced/3.7.x.json | 14 +- schemas/saml/3.7.x.json | 354 ++-- schemas/session/3.7.x.json | 54 +- schemas/statsd-advanced/3.7.x.json | 230 +-- schemas/statsd/3.7.x.json | 274 ++-- schemas/syslog/3.7.x.json | 38 +- schemas/tcp-log/3.7.x.json | 30 +- schemas/tls-handshake-modifier/3.7.x.json | 14 +- schemas/tls-metadata-headers/3.7.x.json | 34 +- schemas/udp-log/3.7.x.json | 20 +- schemas/upstream-timeout/3.7.x.json | 10 +- schemas/vault-auth/3.7.x.json | 32 +- schemas/websocket-size-limit/3.7.x.json | 14 +- schemas/websocket-validator/3.7.x.json | 154 +- schemas/xml-threat-protection/3.7.x.json | 218 +-- schemas/zipkin/3.7.x.json | 161 +- 84 files changed, 6288 insertions(+), 4525 deletions(-) diff --git a/data/priorities/ee/3.7.x.json b/data/priorities/ee/3.7.x.json index 3e8bd4d4..83411a74 100644 --- a/data/priorities/ee/3.7.x.json +++ b/data/priorities/ee/3.7.x.json 
@@ -1,6 +1,5 @@ { "pre-function": 1000000, - "app-dynamics": 999999, "correlation-id": 100001, "zipkin": 100000, "exit-transformer": 9999, @@ -15,18 +14,19 @@ "jwt": 1450, "oauth2": 1400, "vault-auth": 1350, - "key-auth-enc": 1250, "key-auth": 1250, + "key-auth-enc": 1250, "ldap-auth": 1200, "ldap-auth-advanced": 1200, "basic-auth": 1100, "openid-connect": 1050, "hmac-auth": 1030, "jwt-signer": 1020, - "websocket-size-limit": 999, + "saml": 1010, + "xml-threat-protection": 1008, + "websocket-validator": 1006, + "websocket-size-limit": 1003, "request-validator": 999, - "xml-threat-protection": 999, - "websocket-validator": 999, "grpc-gateway": 998, "tls-handshake-modifier": 997, "tls-metadata-headers": 996, @@ -35,25 +35,32 @@ "request-size-limiting": 951, "acl": 950, "opa": 920, - "rate-limiting-advanced": 910, "rate-limiting": 910, + "rate-limiting-advanced": 910, + "ai-rate-limiting-advanced": 905, "graphql-rate-limiting-advanced": 902, - "saml": 900, "response-ratelimiting": 900, "route-by-header": 850, - "oas-validation": 850, + "oas-validation": 840, "jq": 811, "request-transformer-advanced": 802, "request-transformer": 801, "response-transformer": 800, "response-transformer-advanced": 800, "route-transformer-advanced": 780, + "ai-request-transformer": 777, + "ai-azure-content-safety": 774, + "ai-prompt-template": 773, + "ai-prompt-decorator": 772, + "ai-prompt-guard": 771, + "ai-proxy": 770, + "ai-response-transformer": 769, "kafka-upstream": 751, "aws-lambda": 750, "azure-functions": 749, "upstream-timeout": 400, - "proxy-cache-advanced": 100, "proxy-cache": 100, + "proxy-cache-advanced": 100, "graphql-proxy-cache-advanced": 99, "forward-proxy": 50, "canary": 20, diff --git a/data/referenceable_fields/3.7.x.json b/data/referenceable_fields/3.7.x.json index 9727279e..f59fcd74 100644 --- a/data/referenceable_fields/3.7.x.json +++ b/data/referenceable_fields/3.7.x.json 
@@ -8,23 +8,42 @@ "config.storage_config.consul.token", "config.storage_config.vault.token" ], + "ai-azure-content-safety": [ + "config.content_safety_url", + "config.content_safety_key" + ], "ai-proxy": [ "config.auth.header_name", "config.auth.header_value", "config.auth.param_name", - "config.auth.param_value" + "config.auth.param_value", + "config.auth.azure_client_id", + "config.auth.azure_client_secret", + "config.auth.azure_tenant_id" + ], + "ai-rate-limiting-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" ], "ai-request-transformer": [ "config.llm.auth.header_name", "config.llm.auth.header_value", "config.llm.auth.param_name", - "config.llm.auth.param_value" + "config.llm.auth.param_value", + "config.llm.auth.azure_client_id", + "config.llm.auth.azure_client_secret", + "config.llm.auth.azure_tenant_id" ], "ai-response-transformer": [ "config.llm.auth.header_name", "config.llm.auth.header_value", "config.llm.auth.param_name", - "config.llm.auth.param_value" + "config.llm.auth.param_value", + "config.llm.auth.azure_client_id", + "config.llm.auth.azure_client_secret", + "config.llm.auth.azure_tenant_id" ], "aws-lambda": [ "config.aws_key", @@ -42,6 +61,12 @@ "config.auth_username", "config.auth_password" ], + "graphql-proxy-cache-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], "graphql-rate-limiting-advanced": [ "config.redis.username", "config.redis.password", 
@@ -52,6 +77,16 @@ "config.http_endpoint", "config.headers" ], + "jwt-signer": [ + "config.access_token_keyset_client_username", + "config.access_token_keyset_client_password", + "config.access_token_jwks_uri_client_username", + "config.access_token_jwks_uri_client_password", + "config.channel_token_keyset_client_username", + "config.channel_token_keyset_client_password", + "config.channel_token_jwks_uri_client_username", + "config.channel_token_jwks_uri_client_password" + ], "kafka-log": [ "config.authentication.user", "config.authentication.password" diff --git a/schemas/acl/3.7.x.json b/schemas/acl/3.7.x.json index fbabcae0..3209ec69 100644 --- a/schemas/acl/3.7.x.json +++ b/schemas/acl/3.7.x.json @@ -2,16 +2,16 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } @@ -19,6 +19,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -28,54 +29,53 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { - "type": "record", "fields": [ { "allow": { - "type": "array", - "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", "elements": { "type": "string" - } + }, + "type": "array", + "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified." } }, { "deny": { - "type": "array", - "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", "elements": { "type": "string" - } + }, + "type": "array", + "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified." } }, { "hide_groups_header": { + "required": true, "type": "boolean", "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", - "default": false, - "required": true + "default": false } }, { "include_consumer_groups": { + "required": false, "type": "boolean", - "default": false, - "required": false + "default": false } } ], + "type": "record", "required": true } } diff --git a/schemas/acme/3.7.x.json b/schemas/acme/3.7.x.json index 4b5075e9..360878bc 100644 --- a/schemas/acme/3.7.x.json +++ b/schemas/acme/3.7.x.json 
@@ -2,32 +2,32 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "service": { - "type": "foreign", "reference": "services", + "type": "foreign", "description": "A reference to the 'services' table with a null value allowed.", "eq": null } }, { "route": { - "type": "foreign", "reference": "routes", + "type": "foreign", "description": "A reference to the 'routes' table with a null value allowed.", "eq": null } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } @@ -35,6 +35,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -44,40 +45,39 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { - "type": "record", "fields": [ { "account_email": { - "match": "%w*%p*@+%w*%.?%w*", + "encrypted": true, + "referenceable": true, "required": true, "type": "string", "description": "The account identifier. Can be reused in a different plugin instance.", - "encrypted": true, - "referenceable": true + "match": "%w*%p*@+%w*%.?%w*" } }, { "account_key": { - "type": "record", + "required": false, "description": "The private key associated with the account.", + "type": "record", "fields": [ { "key_id": { + "required": true, "type": "string", - "description": "The Key ID.", - "required": true + "description": "The Key ID." } }, { @@ -86,8 +86,7 @@ "description": "The ID of the key set to associate the Key ID with." } } - ], - "required": false + ] } }, { 
@@ -106,25 +105,25 @@ }, { "eab_kid": { - "referenceable": true, - "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", + "type": "string", "encrypted": true, - "type": "string" + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", + "referenceable": true } }, { "eab_hmac_key": { - "referenceable": true, - "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", + "type": "string", "encrypted": true, - "type": "string" + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", + "referenceable": true } }, { "cert_type": { + "default": "rsa", "type": "string", "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate.", - "default": "rsa", "one_of": [ "rsa", "ecc" @@ -133,9 +132,9 @@ }, { "rsa_key_size": { + "default": 4096, "type": "number", "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", - "default": 4096, "one_of": [ 2048, 3072, @@ -152,9 +151,7 @@ }, { "domains": { - "type": "array", "elements": { - "type": "string", "match_any": { "patterns": [ "^%*%.", @@ -163,6 +160,7 @@ ], "err": "invalid wildcard: must be placed at leftmost or rightmost label" }, + "type": "string", "match_all": [ { "pattern": "^[^*]*%*?[^*]*$", @@ -170,6 +168,7 @@ } ] }, + "type": "array", "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')" } }, 
@@ -189,9 +188,9 @@ }, { "storage": { + "default": "shm", "type": "string", "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well.", - "default": "shm", "one_of": [ "kong", "shm", @@ -203,11 +202,9 @@ }, { "storage_config": { - "type": "record", "fields": [ { "shm": { - "type": "record", "fields": [ { "shm_name": { @@ -217,21 +214,21 @@ } } ], + "type": "record", "required": true } }, { "kong": { - "type": "record", "fields": [ ], + "type": "record", "required": true } }, { "redis": { - "type": "record", "fields": [ { "host": { @@ -241,9 +238,9 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 @@ -252,9 +249,9 @@ }, { "timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 
@@ -264,72 +261,72 @@ { "username": { "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." } }, { "password": { - "type": "string", "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "referenceable": true, + "type": "string", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "len_min": 0 } }, { "database": { - "type": "integer", "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer", "default": 0 } }, { "ssl": { - "type": "boolean", + "required": false, "description": "If set to true, uses SSL to connect to Redis.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "ssl_verify": { - "type": "boolean", + "required": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "server_name": { - "type": "string", + "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false + "type": "string" } }, { "extra_options": { - "type": "record", - "description": "Custom ACME Redis options", "fields": [ { "namespace": { - "type": "string", - "default": "", - "required": true, "description": "A namespace to prepend to all keys stored in Redis.", - "len_min": 0 + "required": true, + "type": "string", + "len_min": 0, + "default": "" } }, { "scan_count": { + "required": false, "type": "number", "description": "The number of keys to return in Redis SCAN calls.", - "default": 10, - "required": false + "default": 10 } } ], + "description": "Custom ACME Redis options", + "type": "record", "required": true } } @@ -337,15 +334,23 @@ "shorthand_fields": [ { "auth": { + "len_min": 0, + "deprecation": { + "removal_in_version": "4.0", + "message": "acme: config.storage_config.redis.auth is deprecated, please use config.storage_config.redis.password instead" + }, "type": "string", "translate_backwards": [ "password" - ], - "len_min": 0 + ] } }, { "ssl_server_name": { + "deprecation": { + "removal_in_version": "4.0", + "message": "acme: config.storage_config.redis.ssl_server_name is deprecated, please use config.storage_config.redis.server_name instead" + }, "type": "string", "translate_backwards": [ "server_name" 
@@ -354,16 +359,24 @@ }, { "namespace": { + "len_min": 0, + "deprecation": { + "removal_in_version": "4.0", + "message": "acme: config.storage_config.redis.namespace is deprecated, please use config.storage_config.redis.extra_options.namespace instead" + }, "type": "string", "translate_backwards": [ "extra_options", "namespace" - ], - "len_min": 0 + ] } }, { "scan_count": { + "deprecation": { + "removal_in_version": "4.0", + "message": "acme: config.storage_config.redis.scan_count is deprecated, please use config.storage_config.redis.extra_options.scan_count instead" + }, "type": "integer", "translate_backwards": [ "extra_options", @@ -372,12 +385,12 @@ } } ], + "type": "record", "required": true } }, { "consul": { - "type": "record", "fields": [ { "https": { @@ -416,18 +429,18 @@ }, { "token": { + "type": "string", "referenceable": true, - "description": "Consul ACL token.", - "type": "string" + "description": "Consul ACL token." } } ], + "type": "record", "required": true } }, { "vault": { - "type": "record", "fields": [ { "https": { @@ -466,9 +479,9 @@ }, { "token": { + "type": "string", "referenceable": true, - "description": "Consul ACL token.", - "type": "string" + "description": "Consul ACL token." } }, { @@ -486,9 +499,9 @@ }, { "auth_method": { - "type": "string", - "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", "default": "token", + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", + "type": "string", "one_of": [ "token", "kubernetes" @@ -514,10 +527,12 @@ } } ], + "type": "record", "required": true } } ], + "type": "record", "required": true } }, @@ -535,6 +550,7 @@ } } ], + "type": "record", "required": true } } @@ -542,9 +558,7 @@ "entity_checks": [ { "conditional": { - "then_match": { - "eq": true - }, + "if_field": "config.api_uri", "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", "if_match": { "one_of": [ 
@@ -552,31 +566,33 @@ "https://acme-staging-v02.api.letsencrypt.org" ] }, - "if_field": "config.api_uri", - "then_field": "config.tos_accepted" + "then_field": "config.tos_accepted", + "then_match": { + "eq": true + } } }, { "conditional": { - "then_field": "config.storage_config.redis.host", "if_field": "config.storage", - "then_match": { - "required": true - }, "if_match": { "eq": "redis" + }, + "then_field": "config.storage_config.redis.host", + "then_match": { + "required": true } } }, { "conditional": { - "then_field": "config.storage_config.redis.port", "if_field": "config.storage", - "then_match": { - "required": true - }, "if_match": { "eq": "redis" + }, + "then_field": "config.storage_config.redis.port", + "then_match": { + "required": true } } }, diff --git a/schemas/ai-azure-content-safety/3.7.x.json b/schemas/ai-azure-content-safety/3.7.x.json index fb4cb8f9..db4bc3fc 100644 --- a/schemas/ai-azure-content-safety/3.7.x.json +++ b/schemas/ai-azure-content-safety/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -12,69 +13,164 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] + } + }, + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { - "type": "record", "fields": [ { - "allow_patterns": { - "type": "array", + "content_safety_url": { + "required": true, + "type": "string", + "referenceable": true, + "description": "Full URL, inc protocol, of the Azure Content Safety instance." + } + }, + { + "azure_api_version": { + "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format.", + "required": true, + "type": "string", + "len_min": 1, + "default": "2023-10-01" + } + }, + { + "azure_use_managed_identity": { + "type": "boolean", + "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity", + "default": false + } + }, + { + "azure_client_id": { + "required": false, + "type": "string", + "description": "If `azure_use_managed_identity` is true, set the client ID if required." + } + }, + { + "azure_client_secret": { + "required": false, + "type": "string", + "description": "If `azure_use_managed_identity` is true, set the client secret if required." + } + }, + { + "azure_tenant_id": { + "required": false, + "type": "string", + "description": "If `azure_use_managed_identity` is true, set the tenant ID if required." 
+ } + }, + { + "content_safety_key": { + "encrypted": true, + "referenceable": true, + "required": false, + "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.", + "type": "string" + } + }, + { + "text_source": { + "default": "concatenate_all_content", + "type": "string", + "description": "Select where to pick the 'text' for the Azure Content Services request.", + "one_of": [ + "concatenate_all_content", + "concatenate_user_content" + ] + } + }, + { + "categories": { "elements": { - "len_max": 50, - "type": "string", - "len_min": 1 + "required": true, + "type": "record", + "fields": [ + { + "name": { + "required": true, + "type": "string" + } + }, + { + "rejection_level": { + "required": true, + "type": "integer" + } + } + ] }, - "default": [ - - ], - "description": "Array of valid patterns, or valid questions from the 'user' role in chat.", - "len_max": 10 + "type": "array", + "description": "Array of categories, and their thresholds, to measure on." } }, { - "deny_patterns": { - "type": "array", + "reveal_failure_reason": { + "type": "boolean", + "description": "Set true to tell the caller why their request was rejected, if so.", + "default": true + } + }, + { + "output_type": { + "default": "FourSeverityLevels", + "type": "string", + "description": "See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter#content-filtering-categories", + "one_of": [ + "FourSeverityLevels", + "EightSeverityLevels" + ] + } + }, + { + "blocklist_names": { "elements": { - "len_max": 50, - "type": "string", - "len_min": 1 + "type": "string" }, - "default": [ - - ], - "description": "Array of invalid patterns, or invalid questions from the 'user' role in chat.", - "len_max": 10 + "type": "array", + "description": "Use these configured blocklists (in Azure Content Services) when inspecting content." 
} }, { - "allow_all_conversation_history": { + "halt_on_blocklist_hit": { "type": "boolean", - "description": "If true, will ignore all previous chat prompts from the conversation history.", - "default": false, - "required": true + "description": "Tells Azure to reject the request if any blocklist filter is hit.", + "default": true } } ], + "type": "record", "required": true } } ], "entity_checks": [ - { - "at_least_one_of": [ - "config.allow_patterns", - "config.deny_patterns" - ] - } + ] } \ No newline at end of file diff --git a/schemas/ai-prompt-decorator/3.7.x.json b/schemas/ai-prompt-decorator/3.7.x.json index 8eab08b1..1ee146d7 100644 --- a/schemas/ai-prompt-decorator/3.7.x.json +++ b/schemas/ai-prompt-decorator/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
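Review bot: `azure_client_secret` is added to `config` as a plain `string` with neither `encrypted` nor `referenceable`, while `content_safety_key` two fields later carries both. As written, the client secret would not get the at-rest encryption and could not be supplied as a vault reference; I would add `"encrypted": true, "referenceable": true` to it, and probably `"referenceable": true` to `azure_client_id` and `azure_tenant_id`. The `content_safety_key` description also reads as inverted, since an API key is presumably what is used when `azure_use_managed_identity` is false. If these files are pulled from the gateway's API, the change belongs in the plugin schema upstream.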
@@ -12,97 +13,96 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { - "type": "record", "fields": [ { "prompts": { + "required": false, "type": "record", "fields": [ { "prepend": { - "type": "array", + "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages.", + "required": false, "elements": { + "required": false, "type": "record", "fields": [ { "role": { + "required": true, + "default": "system", "type": "string", "one_of": [ "system", "assistant", "user" - ], - "default": "system", - "required": true + ] } }, { "content": { - "len_max": 500, + "required": true, "len_min": 1, "type": "string", - "required": true + "len_max": 500 } } - ], - "required": false + ] }, - "required": false, - "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages.", + "type": "array", "len_max": 15 } }, { "append": { - "type": "array", + "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages.", + "required": false, "elements": { + "required": false, "type": "record", "fields": [ { "role": { + "required": true, + "default": "system", "type": "string", "one_of": [ "system", "assistant", "user" - ], - "default": "system", - "required": true + ] } }, { "content": { - "len_max": 500, + "required": true, "len_min": 1, "type": "string", - "required": true + "len_max": 500 } } - ], - "required": false + ] }, - "required": false, - "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages.", + "type": "array", "len_max": 15 } } - ], - "required": false + ] } } ], + "type": "record", "required": true } } 
diff --git a/schemas/ai-prompt-guard/3.7.x.json b/schemas/ai-prompt-guard/3.7.x.json index fb4cb8f9..69f97e6a 100644 --- a/schemas/ai-prompt-guard/3.7.x.json +++ b/schemas/ai-prompt-guard/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -12,59 +13,58 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { - "type": "record", "fields": [ { "allow_patterns": { + "default": [ + + ], "type": "array", "elements": { - "len_max": 50, "type": "string", - "len_min": 1 + "len_min": 1, + "len_max": 500 }, - "default": [ - - ], "description": "Array of valid patterns, or valid questions from the 'user' role in chat.", "len_max": 10 } }, { "deny_patterns": { + "default": [ + + ], "type": "array", "elements": { - "len_max": 50, "type": "string", - "len_min": 1 + "len_min": 1, + "len_max": 500 }, - "default": [ - - ], "description": "Array of invalid patterns, or invalid questions from the 'user' role in chat.", "len_max": 10 } }, { "allow_all_conversation_history": { - "type": "boolean", + "required": true, "description": "If true, will ignore all previous chat prompts from the conversation history.", - "default": false, - "required": true + "type": "boolean", + "default": false } } ], + "type": "record", "required": true } } diff --git a/schemas/ai-prompt-template/3.7.x.json b/schemas/ai-prompt-template/3.7.x.json index ec49ea9e..1af322a2 100644 --- a/schemas/ai-prompt-template/3.7.x.json +++ b/schemas/ai-prompt-template/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -12,72 +13,71 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "templates": { - "type": "array", - "description": "Array of templates available to the request context.", + "required": true, "elements": { + "required": true, "type": "record", "fields": [ { "name": { - "type": "string", + "required": true, "description": "Unique name for the template, can be called with `{template://NAME}`", - "required": true + "type": "string" } }, { "template": { - "type": "string", + "required": true, "description": "Template string for this request, supports mustache-style `{{placeholders}}`", - "required": true + "type": "string" } } - ], - "required": true + ] }, - "required": true + "description": "Array of templates available to the request context.", + "type": "array" } }, { "allow_untemplated_requests": { - "type": "boolean", + "required": true, "description": "Set true to allow requests that don't call or match any template.", - "default": true, - "required": true + "type": "boolean", + "default": true } }, { "log_original_request": { - "type": "boolean", + "required": true, "description": "Set true to add the original request to the Kong log plugin(s) output.", - "default": false, - "required": true + "type": "boolean", + "default": false } } ], + "type": "record", "required": true } } diff --git a/schemas/ai-proxy/3.7.x.json b/schemas/ai-proxy/3.7.x.json index 88dbd668..be44ee57 100644 --- a/schemas/ai-proxy/3.7.x.json +++ b/schemas/ai-proxy/3.7.x.json 
@@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -12,106 +13,140 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "service": { - "type": "foreign", "reference": "services", + "type": "foreign", "description": "A reference to the 'services' table with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "route_type": { + "required": true, "type": "string", - "description": "The model's operation implementation, for this provider.", + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", "one_of": [ "llm/v1/chat", - "llm/v1/completions" - ], - "required": true + "llm/v1/completions", + "preserve" + ] } }, { "auth": { + "required": false, "type": "record", "fields": [ { "header_name": { - "type": "string", + "required": false, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "referenceable": true, - "required": false + "type": "string" } }, { "header_value": { - "type": "string", - "required": false, - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "encrypted": true, - "referenceable": true + "referenceable": true, + "required": false, + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." 
} }, { "param_name": { - "type": "string", + "required": false, "description": "If AI model requires authentication via query parameter, specify its name here.", "referenceable": true, - "required": false + "type": "string" } }, { "param_value": { - "type": "string", - "required": false, - "description": "Specify the full parameter value for 'param_name'.", "encrypted": true, - "referenceable": true + "referenceable": true, + "required": false, + "type": "string", + "description": "Specify the full parameter value for 'param_name'." } }, { "param_location": { + "required": false, "type": "string", "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "one_of": [ "query", "body" - ], - "required": false + ] + } + }, + { + "azure_use_managed_identity": { + "required": false, + "type": "boolean", + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "default": false + } + }, + { + "azure_client_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, + "type": "string" + } + }, + { + "azure_client_secret": { + "encrypted": true, + "referenceable": true, + "required": false, + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." 
+ } + }, + { + "azure_tenant_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, + "type": "string" } } - ], - "required": false + ] } }, { "model": { + "required": true, "type": "record", "fields": [ { "provider": { + "required": true, "type": "string", "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "one_of": [ @@ -121,35 +156,47 @@ "cohere", "mistral", "llama2" - ], - "required": true + ] } }, { "name": { + "required": false, "type": "string", - "description": "Model name to execute.", - "required": false + "description": "Model name to execute." } }, { "options": { + "required": false, "type": "record", "description": "Key/value settings for the model", "fields": [ + { + "response_streaming": { + "default": "allow", + "required": false, + "type": "string", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "one_of": [ + "allow", + "deny", + "always" + ] + } + }, { "max_tokens": { + "required": false, "type": "integer", "description": "Defines the max_tokens, if using chat or completion models.", - "default": 256, - "required": false + "default": 256 } }, { "temperature": { - "type": "number", - "default": 1, "required": false, + "type": "number", "description": "Defines the matching temperature, if using chat or completion models.", "between": [ 0, @@ -159,9 +206,8 @@ }, { "top_p": { - "type": "number", - "default": 1, "required": false, + "type": "number", "description": "Defines the top-p probability mass, if supported.", "between": [ 0, @@ -171,9 +217,8 @@ }, { "top_k": { - "type": "integer", - "default": 0, "required": false, + "type": "integer", "description": "Defines the top-k most likely tokens, if supported.", "between": [ 0, 
@@ -183,113 +228,133 @@ }, { "anthropic_version": { + "required": false, "type": "string", - "description": "Defines the schema/API version, if using Anthropic provider.", - "required": false + "description": "Defines the schema/API version, if using Anthropic provider." } }, { "azure_instance": { + "required": false, "type": "string", - "description": "Instance name for Azure OpenAI hosted models.", - "required": false + "description": "Instance name for Azure OpenAI hosted models." } }, { "azure_api_version": { + "required": false, "type": "string", "description": "'api-version' for Azure OpenAI instances.", - "default": "2023-05-15", - "required": false + "default": "2023-05-15" } }, { "azure_deployment_id": { + "required": false, "type": "string", - "description": "Deployment ID for Azure OpenAI instances.", - "required": false + "description": "Deployment ID for Azure OpenAI instances." } }, { "llama2_format": { + "required": false, "type": "string", "description": "If using llama2 provider, select the upstream message format.", "one_of": [ "raw", "openai", "ollama" - ], - "required": false + ] } }, { "mistral_format": { + "required": false, "type": "string", "description": "If using mistral provider, select the upstream message format.", "one_of": [ "openai", "ollama" - ], - "required": false + ] } }, { "upstream_url": { + "required": false, "type": "string", - "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", - "required": false + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint." + } + }, + { + "upstream_path": { + "required": false, + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "type": "string" } } - ], - "required": false + ] } } - ], - "required": true + ] } }, { "logging": { + "required": true, "type": "record", "fields": [ { "log_statistics": { + "required": true, "type": "boolean", "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", - "default": true, - "required": true + "default": false } }, { "log_payloads": { + "required": true, "type": "boolean", "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", - "default": false, - "required": true + "default": false } } - ], - "required": true + ] } } ], "entity_checks": [ { "conditional_at_least_one_of": { + "if_field": "model.provider", "then_at_least_one_of": [ "auth.header_name", "auth.param_name" ], - "if_field": "model.provider", - "then_err": "must set one of %s, and its respective options, when provider is not self-hosted", "if_match": { "one_of": [ "openai", - "azure", "anthropic", "cohere" ] - } + }, + "then_err": "must set one of %s, and its respective options, when provider is not self-hosted" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "auth.header_name", + "auth.param_name", + "auth.azure_use_managed_identity" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set one of %s, and its respective options, when azure provider is set" } }, { 
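Review bot: The new azure `conditional_at_least_one_of` accepts `auth.azure_use_managed_identity`, which an earlier hunk of this file defines as a boolean with `"default": false`. If the check only tests that a field is set, the default would satisfy it, and an azure configuration with no `header_name`, no `param_name` and managed identity switched off would pass validation. This should be confirmed against a config that sets none of the three; if it passes, drop the default from that field or pair the entry with a check on `{"eq": true}`. Separately, `log_statistics` flips its default from `true` to `false` in this hunk, which silently removes usage metrics from existing log pipelines and deserves a line in the description.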
@@ -307,116 +372,114 @@ }, { "conditional_at_least_one_of": { + "if_field": "model.provider", "then_at_least_one_of": [ "model.options.llama2_format" ], - "if_field": "model.provider", - "then_err": "must set %s for llama2 provider", "if_match": { "one_of": [ "llama2" ] - } + }, + "then_err": "must set %s for llama2 provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", "then_at_least_one_of": [ "model.options.mistral_format" ], - "if_field": "model.provider", - "then_err": "must set %s for mistral provider", "if_match": { "one_of": [ "mistral" ] - } + }, + "then_err": "must set %s for mistral provider" } }, { "conditional_at_least_one_of": { - "then_at_least_one_of": [ - "model.name" - ], "if_field": "model.provider", - "then_err": "Must set a model name. Refer to https://docs.konghq.com/hub/kong-inc/ai-proxy/ for supported models.", - "if_match": [ - - ] - } - }, - { - "conditional_at_least_one_of": { "then_at_least_one_of": [ "model.options.anthropic_version" ], - "if_field": "model.provider", - "then_err": "must set %s for anthropic provider", "if_match": { "one_of": [ "anthropic" ] - } + }, + "then_err": "must set %s for anthropic provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", "then_at_least_one_of": [ "model.options.azure_instance" ], - "if_field": "model.provider", - "then_err": "must set %s for azure provider", "if_match": { "one_of": [ "azure" ] - } + }, + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", "then_at_least_one_of": [ "model.options.azure_api_version" ], - "if_field": "model.provider", - "then_err": "must set %s for azure provider", "if_match": { "one_of": [ "azure" ] - } + }, + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", "then_at_least_one_of": [ "model.options.azure_deployment_id" ], - "if_field": "model.provider", - "then_err": "must set %s 
for azure provider", "if_match": { "one_of": [ "azure" ] - } + }, + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", "then_at_least_one_of": [ "model.options.upstream_url" ], - "if_field": "model.provider", - "then_err": "must set %s for self-hosted providers/models", "if_match": { "one_of": [ "mistral", "llama2" ] - } + }, + "then_err": "must set %s for self-hosted providers/models" + } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] } } ], + "type": "record", "required": true } } diff --git a/schemas/ai-rate-limiting-advanced/3.7.x.json b/schemas/ai-rate-limiting-advanced/3.7.x.json index fb4cb8f9..ea346eed 100644 --- a/schemas/ai-rate-limiting-advanced/3.7.x.json +++ b/schemas/ai-rate-limiting-advanced/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -12,69 +13,451 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { - "type": "record", "fields": [ { - "allow_patterns": { - "type": "array", + "identifier": { + "default": "consumer", + "required": true, + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "type": "string", + "one_of": [ + "ip", + "credential", + "consumer", + "service", + "header", + "path", + "consumer-group" + ] + } + }, + { + "window_type": { + "default": "sliding", + "type": "string", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "one_of": [ + "fixed", + "sliding" + ] + } + }, + { + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. 
The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + } + }, + { + "llm_providers": { + "required": true, "elements": { - "len_max": 50, - "type": "string", - "len_min": 1 + "type": "record", + "fields": [ + { + "window_size": { + "required": true, + "type": "number", + "description": "The window size to apply a limit (defined in seconds)." + } + }, + { + "name": { + "required": true, + "type": "string", + "description": "The LLM provider to which the rate limit applies.", + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2", + "requestPrompt" + ] + } + }, + { + "limit": { + "required": true, + "type": "number", + "description": "The limit applies to the LLM provider within the defined window size. It used the query cost from the tokens to increment the counter." + } + } + ] }, - "default": [ - + "type": "array", + "description": "The provider config. Takes an array of `name`, `limit` and `window size` values." + } + }, + { + "strategy": { + "default": "local", + "required": true, + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "type": "string", + "one_of": [ + "cluster", + "redis", + "local" + ] + } + }, + { + "dictionary_name": { + "required": true, + "type": "string", + "description": "The shared dictionary where counters are stored. 
When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "default": "kong_rate_limiting_counters" + } + }, + { + "hide_client_headers": { + "type": "boolean", + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "default": false + } + }, + { + "retry_after_jitter_max": { + "type": "number", + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "default": 0 + } + }, + { + "header_name": { + "type": "string", + "description": "A string representing an HTTP header name." + } + }, + { + "path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } ], - "description": "Array of valid patterns, or valid questions from the 'user' role in chat.", - "len_max": 10 + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" } }, { - "deny_patterns": { - "type": "array", - "elements": { - "len_max": 50, - "type": "string", - "len_min": 1 - }, - "default": [ - + "redis": { + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "default": 256, + "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ] + } + }, + { + "keepalive_backlog": { + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_addresses": { + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "elements": { + "type": "string" + }, + "type": "array", + "len_min": 1 + } + }, + { + "cluster_addresses": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "elements": { + "type": "string" + }, + "type": "array", + "len_min": 1 + } + }, + { + "ssl": { + "required": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "required": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + } + } ], - "description": "Array of invalid patterns, or invalid questions from the 'user' role in chat.", - "len_max": 10 + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_addresses" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ], + "type": "record", + "required": true } }, { - "allow_all_conversation_history": { + "disable_penalty": { "type": "boolean", - "description": "If true, will ignore all previous chat prompts from the conversation history.", - "default": false, - "required": true + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. 
This parameter only affects the `sliding` window_type and the request prompt provider.", + "default": false + } + }, + { + "request_prompt_count_function": { + "required": false, + "type": "string", + "description": "If defined, it use custom function to count requests for the request prompt provider" + } + }, + { + "error_code": { + "default": 429, + "type": "number", + "description": "Set a custom error code to return when the rate limit is exceeded.", + "gt": 0 + } + }, + { + "error_message": { + "type": "string", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "default": "API rate limit exceeded for provider(s): " + } + }, + { + "error_hide_providers": { + "type": "boolean", + "description": "Optionally hide informative response that would otherwise provide information about the provider in the error message.", + "default": false + } + }, + { + "tokens_count_strategy": { + "default": "total_tokens", + "required": true, + "description": "What tokens to use for cost calculation. Available values are: `total_tokens` `prompt_tokens`, and `completion_tokens`.", + "type": "string", + "one_of": [ + "total_tokens", + "prompt_tokens", + "completion_tokens" + ] } } ], + "type": "record", "required": true } } ], "entity_checks": [ { - "at_least_one_of": [ - "config.allow_patterns", - "config.deny_patterns" - ] + "custom_entity_check": { + "field_sources": [ + "config" + ] + } } ] } \ No newline at end of file diff --git a/schemas/ai-request-transformer/3.7.x.json b/schemas/ai-request-transformer/3.7.x.json index 4ac392d1..f57f678f 100644 --- a/schemas/ai-request-transformer/3.7.x.json +++ b/schemas/ai-request-transformer/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
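Review bot: In the new `redis` record `ssl_verify` defaults to `false`, so even with `ssl` enabled the Redis server certificate is not checked unless the operator opts in, while `password` and `sentinel_password` are sent over that connection. Since the default itself is set upstream, I would at least append to the `ssl_verify` description: `When left at false, the Redis server's identity is not verified even if ssl is true.` The `strategy` description also lists only `local` and `cluster` although `one_of` includes `redis`. `request_prompt_count_function` is described as a custom function held in a free-form `string`, with no note on who may set it or how it is evaluated.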
@@ -12,56 +13,54 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "prompt": { + "required": true, "type": "string", - "description": "Use this prompt to tune the LLM system/assistant message for the incoming proxy request (from the client), and what you are expecting in return.", - "required": true + "description": "Use this prompt to tune the LLM system/assistant message for the incoming proxy request (from the client), and what you are expecting in return." } }, { "transformation_extract_pattern": { + "required": false, "type": "string", - "description": "Defines the regular expression that must match to indicate a successful AI transformation at the request phase. The first match will be set as the outgoing body. If the AI service's response doesn't match this pattern, it is marked as a failure.", - "required": false + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the request phase. The first match will be set as the outgoing body. If the AI service's response doesn't match this pattern, it is marked as a failure." } }, { "http_timeout": { - "type": "integer", + "required": true, "description": "Timeout in milliseconds for the AI upstream service.", - "default": 60000, - "required": true + "type": "integer", + "default": 60000 } }, { "https_verify": { - "type": "boolean", + "required": true, "description": "Verify the TLS certificate of the AI upstream service.", - "default": true, - "required": true + "type": "boolean", + "default": true } }, { 
@@ -98,78 +97,113 @@ }, { "llm": { - "type": "record", "fields": [ { "route_type": { + "required": true, "type": "string", - "description": "The model's operation implementation, for this provider.", + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", "one_of": [ "llm/v1/chat", - "llm/v1/completions" - ], - "required": true + "llm/v1/completions", + "preserve" + ] } }, { "auth": { + "required": false, "type": "record", "fields": [ { "header_name": { - "type": "string", + "required": false, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "referenceable": true, - "required": false + "type": "string" } }, { "header_value": { - "type": "string", - "required": false, - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "encrypted": true, - "referenceable": true + "referenceable": true, + "required": false, + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." } }, { "param_name": { - "type": "string", + "required": false, "description": "If AI model requires authentication via query parameter, specify its name here.", "referenceable": true, - "required": false + "type": "string" } }, { "param_value": { - "type": "string", - "required": false, - "description": "Specify the full parameter value for 'param_name'.", "encrypted": true, - "referenceable": true + "referenceable": true, + "required": false, + "type": "string", + "description": "Specify the full parameter value for 'param_name'." 
} }, { "param_location": { + "required": false, "type": "string", "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "one_of": [ "query", "body" - ], - "required": false + ] + } + }, + { + "azure_use_managed_identity": { + "required": false, + "type": "boolean", + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "default": false + } + }, + { + "azure_client_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, + "type": "string" + } + }, + { + "azure_client_secret": { + "encrypted": true, + "referenceable": true, + "required": false, + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." + } + }, + { + "azure_tenant_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, + "type": "string" } } - ], - "required": false + ] } }, { "model": { + "required": true, "type": "record", "fields": [ { "provider": { + "required": true, "type": "string", "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "one_of": [ 
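Review bot: The new `route_type` description advertises `preserve`, and `one_of` now accepts it, but the plugin-level `entity_checks` at the end of this file still rejects every value except `llm/v1/chat` with the error "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins". Someone following the generated reference would set `preserve` and get a validation failure, and the new `upstream_path` description points to the same unusable value. A description ending in "AI transformer plugins accept only 'llm/v1/chat'." instead of the `preserve` sentence would match the check. The file is pulled from the API, so the wording has to change in the plugin schema itself. The `@@ -106,78 +105,113 @@` hunk of schemas/ai-response-transformer/3.7.x.json carries the same text.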
@@ -179,35 +213,47 @@ "cohere", "mistral", "llama2" - ], - "required": true + ] } }, { "name": { + "required": false, "type": "string", - "description": "Model name to execute.", - "required": false + "description": "Model name to execute." } }, { "options": { + "required": false, "type": "record", "description": "Key/value settings for the model", "fields": [ + { + "response_streaming": { + "default": "allow", + "required": false, + "type": "string", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "one_of": [ + "allow", + "deny", + "always" + ] + } + }, { "max_tokens": { + "required": false, "type": "integer", "description": "Defines the max_tokens, if using chat or completion models.", - "default": 256, - "required": false + "default": 256 } }, { "temperature": { - "type": "number", - "default": 1, "required": false, + "type": "number", "description": "Defines the matching temperature, if using chat or completion models.", "between": [ 0, @@ -217,9 +263,8 @@ }, { "top_p": { - "type": "number", - "default": 1, "required": false, + "type": "number", "description": "Defines the top-p probability mass, if supported.", "between": [ 0, @@ -229,9 +274,8 @@ }, { "top_k": { - "type": "integer", - "default": 0, "required": false, + "type": "integer", "description": "Defines the top-k most likely tokens, if supported.", "between": [ 0, 
@@ -241,113 +285,133 @@ }, { "anthropic_version": { + "required": false, "type": "string", - "description": "Defines the schema/API version, if using Anthropic provider.", - "required": false + "description": "Defines the schema/API version, if using Anthropic provider." } }, { "azure_instance": { + "required": false, "type": "string", - "description": "Instance name for Azure OpenAI hosted models.", - "required": false + "description": "Instance name for Azure OpenAI hosted models." } }, { "azure_api_version": { + "required": false, "type": "string", "description": "'api-version' for Azure OpenAI instances.", - "default": "2023-05-15", - "required": false + "default": "2023-05-15" } }, { "azure_deployment_id": { + "required": false, "type": "string", - "description": "Deployment ID for Azure OpenAI instances.", - "required": false + "description": "Deployment ID for Azure OpenAI instances." } }, { "llama2_format": { + "required": false, "type": "string", "description": "If using llama2 provider, select the upstream message format.", "one_of": [ "raw", "openai", "ollama" - ], - "required": false + ] } }, { "mistral_format": { + "required": false, "type": "string", "description": "If using mistral provider, select the upstream message format.", "one_of": [ "openai", "ollama" - ], - "required": false + ] } }, { "upstream_url": { + "required": false, "type": "string", - "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", - "required": false + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint." + } + }, + { + "upstream_path": { + "required": false, + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "type": "string" } } - ], - "required": false + ] } } - ], - "required": true + ] } }, { "logging": { + "required": true, "type": "record", "fields": [ { "log_statistics": { + "required": true, "type": "boolean", "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", - "default": true, - "required": true + "default": false } }, { "log_payloads": { + "required": true, "type": "boolean", "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", - "default": false, - "required": true + "default": false } } - ], - "required": true + ] } } ], "entity_checks": [ { "conditional_at_least_one_of": { + "if_field": "model.provider", "then_at_least_one_of": [ "auth.header_name", "auth.param_name" ], - "if_field": "model.provider", - "then_err": "must set one of %s, and its respective options, when provider is not self-hosted", "if_match": { "one_of": [ "openai", - "azure", "anthropic", "cohere" ] - } + }, + "then_err": "must set one of %s, and its respective options, when provider is not self-hosted" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "auth.header_name", + "auth.param_name", + "auth.azure_use_managed_identity" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set one of %s, and its respective options, when azure provider is set" } }, { 
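Review bot: The azure-specific `conditional_at_least_one_of` added here lists `auth.azure_use_managed_identity` alongside `auth.header_name` and `auth.param_name`, but that field is a boolean declared with `"default": false` in the `auth` record earlier in this file. If the check counts any non-null value as set (my reading of how these entity checks behave, to be confirmed against the schema validator), an azure configuration with no header, no parameter and managed identity left off still passes, so the rule no longer guarantees that a credential is configured. A stricter form would keep `"then_at_least_one_of": ["auth.header_name", "auth.param_name"]` and apply it only when `auth.azure_use_managed_identity` is not `true`. The identical rule appears in the `@@ -249,113 +293,133 @@` hunk of schemas/ai-response-transformer/3.7.x.json; both files are downloaded, so the fix belongs in the plugin schema.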
@@ -365,120 +429,119 @@ }, { "conditional_at_least_one_of": { + "if_field": "model.provider", "then_at_least_one_of": [ "model.options.llama2_format" ], - "if_field": "model.provider", - "then_err": "must set %s for llama2 provider", "if_match": { "one_of": [ "llama2" ] - } + }, + "then_err": "must set %s for llama2 provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", "then_at_least_one_of": [ "model.options.mistral_format" ], - "if_field": "model.provider", - "then_err": "must set %s for mistral provider", "if_match": { "one_of": [ "mistral" ] - } + }, + "then_err": "must set %s for mistral provider" } }, { "conditional_at_least_one_of": { - "then_at_least_one_of": [ - "model.name" - ], "if_field": "model.provider", - "then_err": "Must set a model name. Refer to https://docs.konghq.com/hub/kong-inc/ai-proxy/ for supported models.", - "if_match": [ - - ] - } - }, - { - "conditional_at_least_one_of": { "then_at_least_one_of": [ "model.options.anthropic_version" ], - "if_field": "model.provider", - "then_err": "must set %s for anthropic provider", "if_match": { "one_of": [ "anthropic" ] - } + }, + "then_err": "must set %s for anthropic provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", "then_at_least_one_of": [ "model.options.azure_instance" ], - "if_field": "model.provider", - "then_err": "must set %s for azure provider", "if_match": { "one_of": [ "azure" ] - } + }, + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", "then_at_least_one_of": [ "model.options.azure_api_version" ], - "if_field": "model.provider", - "then_err": "must set %s for azure provider", "if_match": { "one_of": [ "azure" ] - } + }, + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", "then_at_least_one_of": [ "model.options.azure_deployment_id" ], - "if_field": "model.provider", - "then_err": "must set %s 
for azure provider", "if_match": { "one_of": [ "azure" ] - } + }, + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", "then_at_least_one_of": [ "model.options.upstream_url" ], - "if_field": "model.provider", - "then_err": "must set %s for self-hosted providers/models", "if_match": { "one_of": [ "mistral", "llama2" ] - } + }, + "then_err": "must set %s for self-hosted providers/models" + } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] } } ], + "type": "record", "required": true } } ], + "type": "record", "required": true } } @@ -486,17 +549,17 @@ "entity_checks": [ { "conditional": { - "then_match": { - "eq": "llm/v1/chat" - }, + "if_field": "config.llm.route_type", "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", "if_match": { "not_one_of": [ "llm/v1/chat" ] }, - "if_field": "config.llm.route_type", - "then_field": "config.llm.route_type" + "then_field": "config.llm.route_type", + "then_match": { + "eq": "llm/v1/chat" + } } }, { diff --git a/schemas/ai-response-transformer/3.7.x.json b/schemas/ai-response-transformer/3.7.x.json index e996fb55..488710ce 100644 --- a/schemas/ai-response-transformer/3.7.x.json +++ b/schemas/ai-response-transformer/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -12,64 +13,62 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "prompt": { + "required": true, "type": "string", - "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting.", - "required": true + "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting." } }, { "transformation_extract_pattern": { + "required": false, "type": "string", - "description": "Defines the regular expression that must match to indicate a successful AI transformation at the response phase. The first match will be set as the returning body. If the AI service's response doesn't match this pattern, a failure is returned to the client.", - "required": false + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the response phase. The first match will be set as the returning body. If the AI service's response doesn't match this pattern, a failure is returned to the client." } }, { "parse_llm_response_json_instructions": { + "required": true, "type": "boolean", "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. 
You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions.", - "default": false, - "required": true + "default": false } }, { "http_timeout": { - "type": "integer", + "required": true, "description": "Timeout in milliseconds for the AI upstream service.", - "default": 60000, - "required": true + "type": "integer", + "default": 60000 } }, { "https_verify": { - "type": "boolean", + "required": true, "description": "Verify the TLS certificate of the AI upstream service.", - "default": true, - "required": true + "type": "boolean", + "default": true } }, { 
@@ -106,78 +105,113 @@ }, { "llm": { - "type": "record", "fields": [ { "route_type": { + "required": true, "type": "string", - "description": "The model's operation implementation, for this provider.", + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", "one_of": [ "llm/v1/chat", - "llm/v1/completions" - ], - "required": true + "llm/v1/completions", + "preserve" + ] } }, { "auth": { + "required": false, "type": "record", "fields": [ { "header_name": { - "type": "string", + "required": false, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "referenceable": true, - "required": false + "type": "string" } }, { "header_value": { - "type": "string", - "required": false, - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "encrypted": true, - "referenceable": true + "referenceable": true, + "required": false, + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." } }, { "param_name": { - "type": "string", + "required": false, "description": "If AI model requires authentication via query parameter, specify its name here.", "referenceable": true, - "required": false + "type": "string" } }, { "param_value": { - "type": "string", - "required": false, - "description": "Specify the full parameter value for 'param_name'.", "encrypted": true, - "referenceable": true + "referenceable": true, + "required": false, + "type": "string", + "description": "Specify the full parameter value for 'param_name'." 
} }, { "param_location": { + "required": false, "type": "string", "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "one_of": [ "query", "body" - ], - "required": false + ] + } + }, + { + "azure_use_managed_identity": { + "required": false, + "type": "boolean", + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "default": false + } + }, + { + "azure_client_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, + "type": "string" + } + }, + { + "azure_client_secret": { + "encrypted": true, + "referenceable": true, + "required": false, + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." + } + }, + { + "azure_tenant_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, + "type": "string" } } - ], - "required": false + ] } }, { "model": { + "required": true, "type": "record", "fields": [ { "provider": { + "required": true, "type": "string", "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "one_of": [ 
@@ -187,35 +221,47 @@ "cohere", "mistral", "llama2" - ], - "required": true + ] } }, { "name": { + "required": false, "type": "string", - "description": "Model name to execute.", - "required": false + "description": "Model name to execute." } }, { "options": { + "required": false, "type": "record", "description": "Key/value settings for the model", "fields": [ + { + "response_streaming": { + "default": "allow", + "required": false, + "type": "string", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "one_of": [ + "allow", + "deny", + "always" + ] + } + }, { "max_tokens": { + "required": false, "type": "integer", "description": "Defines the max_tokens, if using chat or completion models.", - "default": 256, - "required": false + "default": 256 } }, { "temperature": { - "type": "number", - "default": 1, "required": false, + "type": "number", "description": "Defines the matching temperature, if using chat or completion models.", "between": [ 0, @@ -225,9 +271,8 @@ }, { "top_p": { - "type": "number", - "default": 1, "required": false, + "type": "number", "description": "Defines the top-p probability mass, if supported.", "between": [ 0, @@ -237,9 +282,8 @@ }, { "top_k": { - "type": "integer", - "default": 0, "required": false, + "type": "integer", "description": "Defines the top-k most likely tokens, if supported.", "between": [ 0, 
@@ -249,113 +293,133 @@ }, { "anthropic_version": { + "required": false, "type": "string", - "description": "Defines the schema/API version, if using Anthropic provider.", - "required": false + "description": "Defines the schema/API version, if using Anthropic provider." } }, { "azure_instance": { + "required": false, "type": "string", - "description": "Instance name for Azure OpenAI hosted models.", - "required": false + "description": "Instance name for Azure OpenAI hosted models." } }, { "azure_api_version": { + "required": false, "type": "string", "description": "'api-version' for Azure OpenAI instances.", - "default": "2023-05-15", - "required": false + "default": "2023-05-15" } }, { "azure_deployment_id": { + "required": false, "type": "string", - "description": "Deployment ID for Azure OpenAI instances.", - "required": false + "description": "Deployment ID for Azure OpenAI instances." } }, { "llama2_format": { + "required": false, "type": "string", "description": "If using llama2 provider, select the upstream message format.", "one_of": [ "raw", "openai", "ollama" - ], - "required": false + ] } }, { "mistral_format": { + "required": false, "type": "string", "description": "If using mistral provider, select the upstream message format.", "one_of": [ "openai", "ollama" - ], - "required": false + ] } }, { "upstream_url": { + "required": false, "type": "string", - "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", - "required": false + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint." + } + }, + { + "upstream_path": { + "required": false, + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "type": "string" } } - ], - "required": false + ] } } - ], - "required": true + ] } }, { "logging": { + "required": true, "type": "record", "fields": [ { "log_statistics": { + "required": true, "type": "boolean", "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", - "default": true, - "required": true + "default": false } }, { "log_payloads": { + "required": true, "type": "boolean", "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", - "default": false, - "required": true + "default": false } } - ], - "required": true + ] } } ], "entity_checks": [ { "conditional_at_least_one_of": { + "if_field": "model.provider", "then_at_least_one_of": [ "auth.header_name", "auth.param_name" ], - "if_field": "model.provider", - "then_err": "must set one of %s, and its respective options, when provider is not self-hosted", "if_match": { "one_of": [ "openai", - "azure", "anthropic", "cohere" ] - } + }, + "then_err": "must set one of %s, and its respective options, when provider is not self-hosted" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "auth.header_name", + "auth.param_name", + "auth.azure_use_managed_identity" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set one of %s, and its respective options, when azure provider is set" } }, { 
@@ -373,120 +437,119 @@ }, { "conditional_at_least_one_of": { + "if_field": "model.provider", "then_at_least_one_of": [ "model.options.llama2_format" ], - "if_field": "model.provider", - "then_err": "must set %s for llama2 provider", "if_match": { "one_of": [ "llama2" ] - } + }, + "then_err": "must set %s for llama2 provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", "then_at_least_one_of": [ "model.options.mistral_format" ], - "if_field": "model.provider", - "then_err": "must set %s for mistral provider", "if_match": { "one_of": [ "mistral" ] - } + }, + "then_err": "must set %s for mistral provider" } }, { "conditional_at_least_one_of": { - "then_at_least_one_of": [ - "model.name" - ], "if_field": "model.provider", - "then_err": "Must set a model name. Refer to https://docs.konghq.com/hub/kong-inc/ai-proxy/ for supported models.", - "if_match": [ - - ] - } - }, - { - "conditional_at_least_one_of": { "then_at_least_one_of": [ "model.options.anthropic_version" ], - "if_field": "model.provider", - "then_err": "must set %s for anthropic provider", "if_match": { "one_of": [ "anthropic" ] - } + }, + "then_err": "must set %s for anthropic provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", "then_at_least_one_of": [ "model.options.azure_instance" ], - "if_field": "model.provider", - "then_err": "must set %s for azure provider", "if_match": { "one_of": [ "azure" ] - } + }, + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", "then_at_least_one_of": [ "model.options.azure_api_version" ], - "if_field": "model.provider", - "then_err": "must set %s for azure provider", "if_match": { "one_of": [ "azure" ] - } + }, + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", "then_at_least_one_of": [ "model.options.azure_deployment_id" ], - "if_field": "model.provider", - "then_err": "must set %s 
for azure provider", "if_match": { "one_of": [ "azure" ] - } + }, + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", "then_at_least_one_of": [ "model.options.upstream_url" ], - "if_field": "model.provider", - "then_err": "must set %s for self-hosted providers/models", "if_match": { "one_of": [ "mistral", "llama2" ] - } + }, + "then_err": "must set %s for self-hosted providers/models" + } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] } } ], + "type": "record", "required": true } } ], + "type": "record", "required": true } } @@ -494,17 +557,17 @@ "entity_checks": [ { "conditional": { - "then_match": { - "eq": "llm/v1/chat" - }, + "if_field": "config.llm.route_type", "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", "if_match": { "not_one_of": [ "llm/v1/chat" ] }, - "if_field": "config.llm.route_type", - "then_field": "config.llm.route_type" + "then_field": "config.llm.route_type", + "then_match": { + "eq": "llm/v1/chat" + } } }, { diff --git a/schemas/application-registration/3.7.x.json b/schemas/application-registration/3.7.x.json index a1046779..604ffb5c 100644 --- a/schemas/application-registration/3.7.x.json +++ b/schemas/application-registration/3.7.x.json @@ -2,24 +2,24 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "service": { - "type": "foreign", "reference": "services", - "ne": null, - "on_delete": "cascade" + "on_delete": "cascade", + "type": "foreign", + "ne": null } }, { "route": { - "type": "foreign", "reference": "routes", + "type": "foreign", "description": "A reference to the 'routes' table with a null value allowed.", "eq": null } 
@@ -27,6 +27,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -36,60 +37,67 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "display_name": { - "unique": true, + "required": true, "description": "Unique display name used for a Service in the Developer Portal.", "type": "string", - "required": true + "unique": true } }, { "description": { - "type": "string", "description": "Unique description displayed in information about a Service in the Developer Portal.", + "type": "string", "unique": true } }, { "auto_approve": { - "type": "boolean", + "required": true, "description": "If enabled, all new Service Contracts requests are automatically approved.", - "default": false, - "required": true + "type": "boolean", + "default": false } }, { "show_issuer": { - "type": "boolean", + "required": true, "description": "Displays the **Issuer URL** in the **Service Details** dialog.", - "default": false, - "required": true + "type": "boolean", + "default": false + } + }, + { + "enable_proxy_with_consumer_credential": { + "required": true, + "description": "If enabled, the Route of the Service can be accessed using the Consumer's credential", + "type": "boolean", + "default": false } } ], + "type": "record", "required": true } } diff --git a/schemas/aws-lambda/3.7.x.json b/schemas/aws-lambda/3.7.x.json index 7467cd9d..762af58b 100644 --- a/schemas/aws-lambda/3.7.x.json +++ b/schemas/aws-lambda/3.7.x.json 
@@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -12,72 +13,70 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "timeout": { - "type": "number", + "required": true, "description": "An optional timeout in milliseconds when invoking the function.", - "default": 60000, - "required": true + "type": "number", + "default": 60000 } }, { "keepalive": { - "type": "number", + "required": true, "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", - "default": 60000, - "required": true + "type": "number", + "default": 60000 } }, { "aws_key": { - "referenceable": true, - "description": "The AWS key credential to be used when invoking the function.", "type": "string", - "encrypted": true + "encrypted": true, + "referenceable": true, + "description": "The AWS key credential to be used when invoking the function." } }, { "aws_secret": { - "referenceable": true, - "description": "The AWS secret credential to be used when invoking the function. ", "type": "string", - "encrypted": true + "encrypted": true, + "referenceable": true, + "description": "The AWS secret credential to be used when invoking the function. " } }, { "aws_assume_role_arn": { - "referenceable": true, - "description": "The target AWS IAM role ARN used to invoke the Lambda function.", "type": "string", - "encrypted": true + "encrypted": true, + "referenceable": true, + "description": "The target AWS IAM role ARN used to invoke the Lambda function." 
} }, { "aws_role_session_name": { - "type": "string", "description": "The identifier of the assumed role session.", + "type": "string", "default": "kong" } }, @@ -89,9 +88,9 @@ }, { "function_name": { - "type": "string", - "description": "The AWS Lambda function name to invoke.", - "required": false + "required": false, + "description": "The AWS Lambda function to invoke. Both function name and function ARN (including partial) are supported.", + "type": "string" } }, { @@ -102,10 +101,10 @@ }, { "invocation_type": { - "type": "string", "default": "RequestResponse", "required": true, "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", + "type": "string", "one_of": [ "RequestResponse", "Event", @@ -115,10 +114,10 @@ }, { "log_type": { - "type": "string", "default": "Tail", "required": true, "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", + "type": "string", "one_of": [ "Tail", "None" @@ -133,9 +132,9 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "default": 443, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 @@ -144,14 +143,14 @@ }, { "disable_https": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "unhandled_status": { - "type": "integer", "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", + "type": "integer", "between": [ 100, 999 
@@ -160,43 +159,43 @@ }, { "forward_request_method": { - "type": "boolean", "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", + "type": "boolean", "default": false } }, { "forward_request_uri": { - "type": "boolean", "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", + "type": "boolean", "default": false } }, { "forward_request_headers": { - "type": "boolean", "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", + "type": "boolean", "default": false } }, { "forward_request_body": { - "type": "boolean", "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. ", + "type": "boolean", "default": false } }, { "is_proxy_integration": { - "type": "boolean", "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", + "type": "boolean", "default": false } }, { "awsgateway_compatible": { - "type": "boolean", "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", + "type": "boolean", "default": false } }, 
@@ -208,24 +207,24 @@ }, { "skip_large_bodies": { - "type": "boolean", "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", + "type": "boolean", "default": true } }, { "base64_encode_body": { - "type": "boolean", "description": "An optional value that Base64-encodes the request body.", + "type": "boolean", "default": true } }, { "aws_imds_protocol_version": { - "type": "string", "default": "v1", "required": true, "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", + "type": "string", "one_of": [ "v1", "v2" @@ -233,6 +232,7 @@ } } ], + "type": "record", "required": true } } diff --git a/schemas/azure-functions/3.7.x.json b/schemas/azure-functions/3.7.x.json index 17e0728b..351a20c8 100644 --- a/schemas/azure-functions/3.7.x.json +++ b/schemas/azure-functions/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS.", 
@@ -19,53 +20,51 @@ "wss" ] }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "timeout": { - "type": "number", "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", + "type": "number", "default": 600000 } }, { "keepalive": { - "type": "number", "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", + "type": "number", "default": 60000 } }, { "https": { - "type": "boolean", "description": "Use of HTTPS to connect with the Azure Functions server.", + "type": "boolean", "default": true } }, { "https_verify": { - "type": "boolean", "description": "Set to `true` to authenticate the Azure Functions server.", + "type": "boolean", "default": false } }, @@ -87,34 +86,35 @@ }, { "appname": { - "type": "string", + "required": true, "description": "The Azure app name.", - "required": true + "type": "string" } }, { "hostdomain": { - "type": "string", + "required": true, "description": "The domain where the function resides.", - "default": "azurewebsites.net", - "required": true + "type": "string", + "default": "azurewebsites.net" } }, { "routeprefix": { - "type": "string", "description": "Route prefix to use.", + "type": "string", "default": "api" } }, { "functionname": { - "type": "string", + "required": true, "description": "Name of the Azure function to invoke.", - "required": true + "type": "string" } } ], + "type": "record", "required": true } } diff --git a/schemas/basic-auth/3.7.x.json b/schemas/basic-auth/3.7.x.json index d67a60c4..d08c9fbb 100644 
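Review bot: `https_verify` keeps `"default": false` next to `https` with `"default": true` in the `@@ -19,53 +20,51 @@` hunk, so the default configuration encrypts the connection to the Azure Functions server without authenticating the server's certificate. The description only says that `true` authenticates the server and does not tell the operator what the default leaves open. I would extend it to `"description": "Set to true to verify the Azure Functions server certificate. With the default (false) the connection is encrypted but the server is not authenticated."`. The same applies to `https_verify` in the forward-proxy schema (`@@ -119,41 +137,31 @@`), which is `required` with `"default": false` as well.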
--- a/schemas/basic-auth/3.7.x.json +++ b/schemas/basic-auth/3.7.x.json @@ -2,15 +2,15 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "protocols": { - "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -22,6 +22,7 @@ "wss" ] }, + "type": "set", "default": [ "grpc", "grpcs", 
@@ -29,45 +30,44 @@ "https", "ws", "wss" - ], - "required": true + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "anonymous": { - "type": "string", - "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "hide_credentials": { + "required": true, "type": "boolean", "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", - "default": false, - "required": true + "default": false } }, { "realm": { + "required": true, "type": "string", - "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", - "default": "service", - "required": true + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "default": "service" } } ], + "type": "record", "required": true } } diff --git a/schemas/bot-detection/3.7.x.json b/schemas/bot-detection/3.7.x.json index a14dfba2..f5f0fd1b 100644 
--- a/schemas/bot-detection/3.7.x.json +++ b/schemas/bot-detection/3.7.x.json @@ -2,8 +2,8 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } @@ -11,6 +11,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -20,55 +21,54 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "allow": { "type": "array", - "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", - "default": [ - - ], "elements": { "type": "string", "is_regex": true - } + }, + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", + "default": [ + + ] } }, { "deny": { "type": "array", - "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", - "default": [ - - ], "elements": { "type": "string", "is_regex": true - } + }, + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", + "default": [ + + ] } } ], + "type": "record", "required": true } } diff --git a/schemas/canary/3.7.x.json b/schemas/canary/3.7.x.json index 2e9e2277..29995723 100644 --- a/schemas/canary/3.7.x.json +++ b/schemas/canary/3.7.x.json 
@@ -2,16 +2,16 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } @@ -19,6 +19,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -28,19 +29,17 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { - "type": "record", "fields": [ { "start": { @@ -50,9 +49,9 @@ }, { "hash": { + "default": "consumer", "type": "string", "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", - "default": "consumer", "one_of": [ "consumer", "ip", @@ -71,17 +70,17 @@ }, { "duration": { + "default": 3600, "type": "number", "description": "The duration of the canary release in seconds.", - "default": 3600, "gt": 0 } }, { "steps": { + "default": 1000, "type": "number", "description": "The number of steps for the canary release.", - "default": 1000, "gt": 1 } }, 
@@ -120,19 +119,19 @@ }, { "upstream_fallback": { + "required": true, "type": "boolean", "description": "Specifies whether to fallback to the upstream server if the canary release fails.", - "default": false, - "required": true + "default": false } }, { "groups": { - "type": "array", - "description": "The groups allowed to access the canary release.", "elements": { "type": "string" - } + }, + "type": "array", + "description": "The groups allowed to access the canary release." } }, { @@ -142,6 +141,7 @@ } } ], + "required": true, "shorthand_fields": [ { "hash": { @@ -150,7 +150,7 @@ } } ], - "required": true + "type": "record" } } ], @@ -164,25 +164,25 @@ }, { "conditional": { - "then_field": "config.hash_header", "if_field": "config.hash", - "then_match": { - "required": true - }, "if_match": { "eq": "header" + }, + "then_field": "config.hash_header", + "then_match": { + "required": true } } }, { "conditional": { - "then_field": "config.upstream_host", "if_field": "config.upstream_fallback", - "then_match": { - "required": true - }, "if_match": { "eq": true + }, + "then_field": "config.upstream_host", + "then_match": { + "required": true } } } diff --git a/schemas/correlation-id/3.7.x.json b/schemas/correlation-id/3.7.x.json index 1166c7ce..359e7014 100644 --- a/schemas/correlation-id/3.7.x.json +++ b/schemas/correlation-id/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -12,40 +13,38 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "header_name": { - "type": "string", "description": "The HTTP header name to use for the correlation ID.", + "type": "string", "default": "Kong-Request-ID" } }, { "generator": { - "type": "string", - "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", "default": "uuid#counter", + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", + "type": "string", "one_of": [ "uuid", "uuid#counter", @@ -55,13 +54,14 @@ }, { "echo_downstream": { - "type": "boolean", + "required": true, "description": "Whether to echo the header back to downstream (the client).", - "default": false, - "required": true + "type": "boolean", + "default": false } } ], + "type": "record", "required": true } } diff --git a/schemas/cors/3.7.x.json b/schemas/cors/3.7.x.json index e8a851f5..a9ff5f6b 100644 --- a/schemas/cors/3.7.x.json +++ b/schemas/cors/3.7.x.json @@ -2,8 +2,8 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } 
@@ -11,81 +11,68 @@ { "protocols": { "type": "set", + "required": true, "elements": { - "type": "string", "required": true, + "type": "string", + "len_min": 1, "one_of": [ "grpc", "grpcs", "http", "https" - ], - "len_min": 1 + ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "origins": { - "type": "array", - "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.", "elements": { "type": "string" - } + }, + "type": "array", + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes." } }, { "headers": { - "type": "array", - "description": "Value for the `Access-Control-Allow-Headers` header.", "elements": { "type": "string" - } + }, + "type": "array", + "description": "Value for the `Access-Control-Allow-Headers` header." } }, { "exposed_headers": { - "type": "array", - "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", "elements": { "type": "string" - } + }, + "type": "array", + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed." } }, { "methods": { "type": "array", - "description": "'Value for the `Access-Control-Allow-Methods` header. 
Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", - "default": [ - "GET", - "HEAD", - "PUT", - "PATCH", - "POST", - "DELETE", - "OPTIONS", - "TRACE", - "CONNECT" - ], "elements": { "type": "string", "one_of": [ @@ -99,7 +86,19 @@ "TRACE", "CONNECT" ] - } + }, + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", + "default": [ + "GET", + "HEAD", + "PUT", + "PATCH", + "POST", + "DELETE", + "OPTIONS", + "TRACE", + "CONNECT" + ] } }, { @@ -110,29 +109,30 @@ }, { "credentials": { + "required": true, "type": "boolean", "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", - "default": false, - "required": true + "default": false } }, { "private_network": { + "required": true, "type": "boolean", "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", - "default": false, - "required": true + "default": false } }, { "preflight_continue": { + "required": true, "type": "boolean", "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", - "default": false, - "required": true + "default": false } } ], + "type": "record", "required": true } } diff --git a/schemas/datadog/3.7.x.json b/schemas/datadog/3.7.x.json index 99198f29..58c1186f 100644 --- a/schemas/datadog/3.7.x.json +++ b/schemas/datadog/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS.", 
@@ -19,41 +20,39 @@ "wss" ] }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "host": { - "referenceable": true, "description": "A string representing a host name, such as example.com.", - "default": "localhost", - "type": "string" + "type": "string", + "referenceable": true, + "default": "localhost" } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 
@@ -62,59 +61,73 @@ }, { "prefix": { - "type": "string", "description": "String to be attached as a prefix to a metric's name.", + "type": "string", "default": "kong" } }, { "service_name_tag": { - "type": "string", "description": "String to be attached as the name of the service.", + "type": "string", "default": "name" } }, { "status_tag": { - "type": "string", "description": "String to be attached as the tag of the HTTP status.", + "type": "string", "default": "status" } }, { "consumer_tag": { - "type": "string", "description": "String to be attached as tag of the consumer.", + "type": "string", "default": "consumer" } }, { "retry_count": { - "type": "integer", - "description": "Number of times to retry when sending data to the upstream server." + "deprecation": { + "old_default": 10, + "removal_in_version": "4.0", + "message": "datadog: config.retry_count no longer works, please use config.queue.max_retry_time instead" + }, + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" } }, { "queue_size": { - "type": "integer", - "description": "Maximum number of log entries to be sent on each message to the upstream server." + "deprecation": { + "old_default": 1, + "removal_in_version": "4.0", + "message": "datadog: config.queue_size is deprecated, please use config.queue.max_batch_size instead" + }, + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" } }, { "flush_timeout": { - "type": "number", - "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records." + "deprecation": { + "old_default": 2, + "removal_in_version": "4.0", + "message": "datadog: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead" + }, + "description": "Optional time in seconds. 
If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" } }, { "queue": { - "type": "record", "fields": [ { "max_batch_size": { + "default": 1, "type": "integer", "description": "Maximum number of entries that can be processed at a time.", - "default": 1, "between": [ 1, 1000000 @@ -123,9 +136,9 @@ }, { "max_coalescing_delay": { + "default": 1, "type": "number", "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "default": 1, "between": [ 0, 3600 @@ -134,9 +147,9 @@ }, { "max_entries": { + "default": 10000, "type": "integer", "description": "Maximum number of entries that can be waiting on the queue.", - "default": 10000, "between": [ 1, 1000000 @@ -158,9 +171,9 @@ }, { "initial_retry_delay": { + "default": 0.01, "type": "number", "description": "Time in seconds before the initial retry is made for a failing batch.", - "default": 0.01, "between": [ 0.001, 1000000 @@ -169,9 +182,9 @@ }, { "max_retry_delay": { + "default": 60, "type": "number", "description": "Maximum time in seconds between retries, caps exponential backoff.", - "default": 60, "between": [ 0.001, 1000000 @@ -179,19 +192,21 @@ } } ], + "type": "record", "required": true } }, { "metrics": { "type": "array", + "required": true, "elements": { - "type": "record", "fields": [ { "name": { - "type": "string", + "required": true, "description": "Datadog metric’s name", + "type": "string", "one_of": [ "kong_latency", "latency", @@ -199,14 +214,14 @@ "request_size", "response_size", "upstream_latency" - ], - "required": true + ] } }, { "stat_type": { - "type": "string", + "required": true, "description": "Determines what sort of event the metric represents", + "type": "string", "one_of": [ "counter", "gauge", 
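Review bot: The `deprecation.message` added for `retry_count` in the `@@ -62,59 +61,73 @@` hunk says the setting no longer works, yet the `description` beside it still reads `Number of times to retry when sending data to the upstream server.`, so the schema gives two contradictory answers. `queue_size` and `flush_timeout` have the same problem in a milder form: their descriptions present them as current settings. I would start each description with the replacement named in its message, for example `"description": "Deprecated, has no effect: use config.queue.max_retry_time."` for `retry_count`. An operator who tunes retries through the old field would otherwise get no retry behaviour change and no hint in the rendered docs.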
@@ -215,24 +230,23 @@ "set", "timer", "distribution" - ], - "required": true + ] } }, { "tags": { - "type": "array", - "description": "List of tags", "elements": { "type": "string", "match": "^.*[^:]$" - } + }, + "description": "List of tags", + "type": "array" } }, { "sample_rate": { - "type": "number", "description": "Sampling rate", + "type": "number", "between": [ 0, 1 @@ -241,8 +255,8 @@ }, { "consumer_identifier": { - "type": "string", "description": "Authenticated user detail", + "type": "string", "one_of": [ "consumer_id", "custom_id", 
@@ -254,88 +268,78 @@ "entity_checks": [ { "conditional": { - "then_field": "sample_rate", "if_field": "stat_type", - "then_match": { - "required": true - }, "if_match": { "one_of": [ "counter", "gauge" ] + }, + "then_field": "sample_rate", + "then_match": { + "required": true } } } - ] + ], + "type": "record" }, + "description": "List of metrics to be logged.", "default": [ { + "stat_type": "counter", "tags": [ "app:kong" ], - "name": "request_count", "consumer_identifier": "custom_id", - "stat_type": "counter", + "name": "request_count", "sample_rate": 1 }, { - "consumer_identifier": "custom_id", "stat_type": "timer", "name": "latency", "tags": [ "app:kong" - ] + ], + "consumer_identifier": "custom_id" }, { - "consumer_identifier": "custom_id", "stat_type": "timer", "name": "request_size", "tags": [ "app:kong" - ] + ], + "consumer_identifier": "custom_id" }, { - "consumer_identifier": "custom_id", "stat_type": "timer", "name": "response_size", "tags": [ "app:kong" - ] + ], + "consumer_identifier": "custom_id" }, { - "consumer_identifier": "custom_id", "stat_type": "timer", "name": "upstream_latency", "tags": [ "app:kong" - ] + ], + "consumer_identifier": "custom_id" }, { - "consumer_identifier": "custom_id", "stat_type": "timer", "name": "kong_latency", "tags": [ "app:kong" - ] + ], + "consumer_identifier": "custom_id" } - ], - "required": true, - "description": "List of metrics to be logged." - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "retry_count", - "queue_size", - "flush_timeout" ] } } ], + "type": "record", "required": true } } diff --git a/schemas/degraphql/3.7.x.json b/schemas/degraphql/3.7.x.json index 397cfec9..cd491eea 100644 --- a/schemas/degraphql/3.7.x.json +++ b/schemas/degraphql/3.7.x.json @@ -2,8 +2,8 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } 
@@ -11,6 +11,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -20,33 +21,28 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "graphql_server_path": { - "type": "string", - "default": "/graphql", - "required": true, "match_none": [ { "pattern": "//", @@ -54,10 +50,14 @@ } ], "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "starts_with": "/" + "required": true, + "type": "string", + "starts_with": "/", + "default": "/graphql" } } ], + "type": "record", "required": true } } diff --git a/schemas/exit-transformer/3.7.x.json b/schemas/exit-transformer/3.7.x.json index 99dab81e..793e86c4 100644 --- a/schemas/exit-transformer/3.7.x.json +++ b/schemas/exit-transformer/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -12,52 +13,51 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "functions": { - "type": "array", + "required": true, "elements": { "type": "string" }, - "required": true + "type": "array" } }, { "handle_unknown": { - "type": "boolean", "description": "Determines whether to handle unknown status codes by transforming their responses.", + "type": "boolean", "default": false } }, { "handle_unexpected": { - "type": "boolean", "description": "Determines whether to handle unexpected errors by transforming their responses.", + "type": "boolean", "default": false } } ], + "type": "record", "required": true } } diff --git a/schemas/file-log/3.7.x.json b/schemas/file-log/3.7.x.json index 8f656f87..0439ef6d 100644 --- a/schemas/file-log/3.7.x.json +++ b/schemas/file-log/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS.", 
@@ -19,52 +20,50 @@ "wss" ] }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "path": { - "match": "^[^*&%%\\`]+$", - "err": "not a valid filename", - "required": true, "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", - "type": "string" + "required": true, + "match": "^[^*&%%\\`]+$", + "type": "string", + "err": "not a valid filename" } }, { "reopen": { + "required": true, "type": "boolean", "description": "Determines whether the log file is closed and reopened on every request.", - "default": false, - "required": true + "default": false } }, { "custom_fields_by_lua": { - "type": "map", "keys": { "type": "string", "len_min": 1 }, + "type": "map", "description": "Lua code as a key-value map", "values": { "type": "string", @@ -73,6 +72,7 @@ } } ], + "type": "record", "required": true } } diff --git a/schemas/forward-proxy/3.7.x.json b/schemas/forward-proxy/3.7.x.json index a57a860c..1e52a284 100644 --- a/schemas/forward-proxy/3.7.x.json +++ b/schemas/forward-proxy/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
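Review bot: `path` in the `@@ -19,52 +20,50 @@` hunk is validated only by a `match` pattern that rejects a handful of characters, and the description does not say that the directory is otherwise unrestricted. Since the description states that the plugin creates the file if it is missing, anyone who can set this field chooses where the Kong worker writes. I would add a sentence to the description such as `The file is created and written with the permissions of the Kong worker process; restrict who can configure this plugin and point the path at a dedicated log directory.`. `custom_fields_by_lua` in the same hunk is described only as `Lua code as a key-value map`; its description should state whether and when the values are evaluated.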
@@ -12,27 +13,25 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -59,13 +58,32 @@ ] } ], - "required": true, + "shorthand_fields": [ + { + "proxy_host": { + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "forward-proxy: config.proxy_host is deprecated, please use config.http_proxy_host instead" + } + } + }, + { + "proxy_port": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "forward-proxy: config.proxy_port is deprecated, please use config.http_proxy_port instead" + } + } + } + ], "fields": [ { "x_headers": { - "type": "string", "default": "append", "required": true, + "type": "string", "description": "Determines how to handle headers when forwarding the request.", "one_of": [ "append", @@ -108,9 +126,9 @@ }, { "proxy_scheme": { - "type": "string", "default": "http", "required": true, + "type": "string", "description": "The proxy scheme to use when connecting. Only `http` is supported.", "one_of": [ "http" 
@@ -119,41 +137,31 @@ }, { "auth_username": { - "type": "string", + "required": false, "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", "referenceable": true, - "required": false + "type": "string" } }, { "auth_password": { - "type": "string", + "required": false, "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", "referenceable": true, - "required": false + "type": "string" } }, { "https_verify": { + "required": true, "type": "boolean", "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", - "default": false, - "required": true + "default": false } } ], - "shorthand_fields": [ - { - "proxy_host": { - "type": "string" - } - }, - { - "proxy_port": { - "type": "integer" - } - } - ] + "type": "record", + "required": true } } ], diff --git a/schemas/graphql-proxy-cache-advanced/3.7.x.json b/schemas/graphql-proxy-cache-advanced/3.7.x.json index e4af8d5d..b2d602c8 100644 --- a/schemas/graphql-proxy-cache-advanced/3.7.x.json +++ b/schemas/graphql-proxy-cache-advanced/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
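Review bot: `auth_password` in the `@@ -119,41 +137,31 @@` hunk is marked `"referenceable": true` but not `"encrypted": true`, while the other secrets in this patch carry both: `aws_secret` in the aws-lambda schema and `password` in the redis record added to graphql-proxy-cache-advanced. If the flag means the same here as it does there, the forward-proxy password is the one credential stored without it. The line to add would be `"encrypted": true,` inside `auth_password`. Should the omission come from the plugin's own schema rather than from this export, it needs to be raised there, and the description could meanwhile recommend supplying the value as a vault reference.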
@@ -12,73 +13,321 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "strategy": { - "type": "string", "default": "memory", "required": true, "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", + "type": "string", "one_of": [ - "memory" + "memory", + "redis" ] } }, { "cache_ttl": { + "gt": 0, "type": "integer", "description": "TTL in seconds of cache entities. Must be a value greater than 0.", - "default": 300, - "gt": 0 + "default": 300 } }, { "memory": { - "type": "record", "fields": [ { "dictionary_name": { + "required": true, "type": "string", "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", - "default": "kong_db_cache", - "required": true + "default": "kong_db_cache" + } + } + ], + "type": "record", + "required": true + } + }, + { + "redis": { + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "default": 256, + "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ] + } + }, + { + "keepalive_backlog": { + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_addresses": { + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "elements": { + "type": "string" + }, + "type": "array", + "len_min": 1 + } + }, + { + "cluster_addresses": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "elements": { + "type": "string" + }, + "type": "array", + "len_min": 1 + } + }, + { + "ssl": { + "required": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "required": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" } } ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_addresses" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ], + "type": "record", "required": true } }, + { + "bypass_on_err": { + "type": "boolean", + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "default": false + } + }, { "vary_headers": { - "type": "array", - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "elements": { "type": "string" - } + }, + "type": "array", + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." } } ], + "type": "record", "required": true } } diff --git a/schemas/graphql-rate-limiting-advanced/3.7.x.json b/schemas/graphql-rate-limiting-advanced/3.7.x.json index 4ccaf5c8..80e4f015 100644 --- a/schemas/graphql-rate-limiting-advanced/3.7.x.json +++ b/schemas/graphql-rate-limiting-advanced/3.7.x.json 
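Review bot: In the graphql-proxy-cache-advanced hunk that ends just before the next file header, `strategy` now lists `redis` in `one_of`, but its unchanged description still says "Accepted value is `memory`.", so the published text contradicts the schema. The last sentence should read "Accepted values are `memory` and `redis`.". A reader relying on the description alone would not learn that cached responses can now live in an external Redis, which is exactly where the `ssl`, `ssl_verify` and `password` fields added in this hunk start to matter.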
@@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -12,33 +13,31 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "identifier": { - "type": "string", "default": "consumer", "required": true, + "type": "string", "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", "one_of": [ "ip", @@ -49,19 +48,19 @@ }, { "window_size": { - "type": "array", - "description": "One or more window sizes to apply a limit to (defined in seconds).", + "required": true, "elements": { "type": "number" }, - "required": true + "type": "array", + "description": "One or more window sizes to apply a limit to (defined in seconds)." } }, { "window_type": { + "default": "sliding", "type": "string", "description": "Sets the time window to either `sliding` or `fixed`.", - "default": "sliding", "one_of": [ "fixed", "sliding" 
@@ -70,33 +69,33 @@ }, { "limit": { - "type": "array", - "description": "One or more requests-per-window limits to apply.", + "required": true, "elements": { "type": "number" }, - "required": true + "type": "array", + "description": "One or more requests-per-window limits to apply." } }, { "sync_rate": { + "required": true, "type": "number", - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.", - "required": true + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds." } }, { "namespace": { + "auto": true, "type": "string", - "description": "The rate limiting library namespace to use for this plugin instance. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", - "auto": true + "description": "The rate limiting library namespace to use for this plugin instance. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same." } }, { "strategy": { - "type": "string", "default": "cluster", "required": true, + "type": "string", "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", "one_of": [ "cluster", 
@@ -106,10 +105,10 @@ }, { "dictionary_name": { + "required": true, "type": "string", "description": "The shared dictionary where counters will be stored until the next sync cycle.", - "default": "kong_rate_limiting_counters", - "required": true + "default": "kong_rate_limiting_counters" } }, { @@ -121,9 +120,9 @@ }, { "cost_strategy": { + "default": "default", "type": "string", "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", - "default": "default", "one_of": [ "default", "node_quantifier" @@ -132,24 +131,23 @@ }, { "score_factor": { - "type": "number", - "default": 1, - "required": false, "gt": 0, - "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0." + "required": false, + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", + "type": "number", + "default": 1 } }, { "max_cost": { + "required": false, "type": "number", "description": "A defined maximum cost per query. 0 means unlimited.", - "default": 0, - "required": false + "default": 0 } }, { "redis": { - "type": "record", "fields": [ { "host": { @@ -169,9 +167,9 @@ }, { "timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 
@@ -210,31 +208,31 @@ }, { "username": { - "referenceable": true, "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, "type": "string" } }, { "password": { - "referenceable": true, - "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, + "referenceable": true, "type": "string" } }, { "sentinel_username": { - "referenceable": true, "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, "type": "string" } }, { "sentinel_password": { - "referenceable": true, - "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, + "referenceable": true, "type": "string" } }, @@ -247,9 +245,9 @@ }, { "keepalive_pool_size": { + "default": 256, "type": "integer", "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "default": 256, "between": [ 1, 2147483646 @@ -274,8 +272,8 @@ }, { "sentinel_role": { - "type": "string", "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", 
@@ -285,82 +283,82 @@ }, { "sentinel_addresses": { - "type": "array", + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" }, - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "type": "array", "len_min": 1 } }, { "cluster_addresses": { - "type": "array", + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "type": "array", "len_min": 1 } }, { "ssl": { - "type": "boolean", + "required": false, "description": "If set to true, uses SSL to connect to Redis.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "ssl_verify": { - "type": "boolean", + "required": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "server_name": { - "type": "string", + "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false + "type": "string" } } ], "entity_checks": [ { "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_addresses" - ], - "set2": [ - "host", - "port" ] } }, { "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_addresses" - ], - "set2": [ - "cluster_addresses" ] } }, { "mutually_exclusive_sets": { - "set1": [ - "cluster_addresses" - ], "set2": [ "host", "port" + ], + "set1": [ + "cluster_addresses" ] } }, @@ -385,10 +383,12 @@ ] } ], + "type": "record", "required": true } } ], + "type": "record", "required": true } } diff --git a/schemas/grpc-gateway/3.7.x.json b/schemas/grpc-gateway/3.7.x.json index f4083273..28a35684 100644 --- a/schemas/grpc-gateway/3.7.x.json +++ b/schemas/grpc-gateway/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS.", 
@@ -19,36 +20,35 @@ "wss" ] }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "proto": { + "required": false, "type": "string", - "description": "Describes the gRPC types and methods.", - "required": false + "description": "Describes the gRPC types and methods." } } ], + "type": "record", "required": true } } diff --git a/schemas/grpc-web/3.7.x.json b/schemas/grpc-web/3.7.x.json index 3a7f8666..ea23b872 100644 --- a/schemas/grpc-web/3.7.x.json +++ b/schemas/grpc-web/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS.", 
@@ -19,51 +20,50 @@ "wss" ] }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "proto": { + "required": false, "type": "string", - "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", - "required": false + "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content." } }, { "pass_stripped_path": { + "required": false, "type": "boolean", - "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", - "required": false + "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service." } }, { "allow_origin_header": { + "required": false, "type": "string", "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", - "default": "*", - "required": false + "default": "*" } } ], + "type": "record", "required": true } } diff --git a/schemas/hmac-auth/3.7.x.json b/schemas/hmac-auth/3.7.x.json index d952f4a2..f95b6922 100644 --- a/schemas/hmac-auth/3.7.x.json +++ b/schemas/hmac-auth/3.7.x.json 
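Review bot: In the grpc-web `config` hunk, `allow_origin_header` keeps `"default": "*"`, so unless it is set the plugin answers gRPC-Web clients with a wildcard `Access-Control-Allow-Origin` and any web origin may read the responses. The description only names the header. It would help to append something like `Defaults to *, which allows any origin; set a specific origin for services that are not meant to be public.`. Separately, the `proto` description in the same hunk spells the content type `application/grpw-web+proto`; that should be `application/grpc-web+proto`.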
@@ -2,15 +2,15 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "protocols": { - "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -22,6 +22,7 @@ "wss" ] }, + "type": "set", "default": [ "grpc", "grpcs", @@ -29,35 +30,33 @@ "https", "ws", "wss" - ], - "required": true + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "hide_credentials": { + "required": true, "type": "boolean", "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", - "default": false, - "required": true + "default": false } }, { "clock_skew": { + "default": 300, "type": "number", "description": "Clock skew in seconds to prevent replay attacks.", - "default": 300, "gt": 0 } }, @@ -69,34 +68,27 @@ }, { "validate_request_body": { + "required": true, "type": "boolean", "description": "A boolean value telling the plugin to enable body validation.", - "default": false, - "required": true + "default": false } }, { "enforce_headers": { "type": "array", + "elements": { + "type": "string" + }, "description": "A list of headers that the client should at least use for HTTP signature creation.", "default": [ - ], - "elements": { - "type": "string" - } + ] } }, { "algorithms": { "type": "array", - "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", - "default": [ - "hmac-sha1", - "hmac-sha256", - "hmac-sha384", - "hmac-sha512" - ], "elements": { "type": "string", "one_of": [ 
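Review bot: In the hmac-auth `config` hunk, `validate_request_body` stays at `"default": false`, and its description ("A boolean value telling the plugin to enable body validation.") does not say what is left unchecked while it is off. If, as the name suggests, the body is only verified when this is `true`, a default instance would accept a validly signed request whose body was changed in transit. That should be confirmed against the plugin and then stated, e.g. `Defaults to false, in which case the request body is not covered by the signature check.`. The `algorithms` default re-added in the following hunk also still includes `hmac-sha1`, which deployments with a SHA-1 ban have to override explicitly.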
@@ -105,10 +97,18 @@ "hmac-sha384", "hmac-sha512" ] - } + }, + "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ] } } ], + "type": "record", "required": true } } diff --git a/schemas/http-log/3.7.x.json b/schemas/http-log/3.7.x.json index 022770ee..de991dd0 100644 --- a/schemas/http-log/3.7.x.json +++ b/schemas/http-log/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -19,42 +20,40 @@ "wss" ] }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "http_endpoint": { + "encrypted": true, "referenceable": true, "required": true, - "encrypted": true, "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "method": { + "default": "POST", "type": "string", "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", - "default": "POST", "one_of": [ "POST", "PUT", @@ -64,9 +63,9 @@ }, { "content_type": { + "default": "application/json", "type": "string", "description": "Indicates the type of data sent. The only available option is `application/json`.", - "default": "application/json", "one_of": [ "application/json", "application/json; charset=utf-8" 
@@ -89,28 +88,40 @@ }, { "retry_count": { + "deprecation": { + "old_default": 10, + "removal_in_version": "4.0", + "message": "http-log: config.retry_count no longer works, please use config.queue.max_retry_time instead" + }, "type": "integer", "description": "Number of times to retry when sending data to the upstream server." } }, { "queue_size": { + "deprecation": { + "old_default": 1, + "removal_in_version": "4.0", + "message": "http-log: config.queue_size is deprecated, please use config.queue.max_batch_size instead" + }, "type": "integer", "description": "Maximum number of log entries to be sent on each message to the upstream server." } }, { "flush_timeout": { + "deprecation": { + "old_default": 2, + "removal_in_version": "4.0", + "message": "http-log: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead" + }, "type": "number", "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records." } }, { "headers": { - "type": "map", - "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", "keys": { - "type": "string", "match_none": [ { "err": "cannot contain 'Host' header", 
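Review bot: The new `deprecation` message on http-log's `retry_count` says the field "no longer works", yet the description kept beside it still reads "Number of times to retry when sending data to the upstream server." An operator who sets `retry_count` to make log delivery more persistent gets no such effect. Retries are presumably governed by the `queue` settings instead, so log entries could be dropped sooner than expected. The description should be replaced with `Deprecated and ignored; use config.queue.max_retry_time to control retries.`. `queue_size` and `flush_timeout` are only marked deprecated, so a short pointer to `config.queue.max_batch_size` and `config.queue.max_coalescing_delay` in their descriptions would be enough.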
@@ -125,23 +136,25 @@ "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$" } ], - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" }, + "type": "map", + "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", "values": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } } }, { "queue": { - "type": "record", "fields": [ { "max_batch_size": { + "default": 1, "type": "integer", "description": "Maximum number of entries that can be processed at a time.", - "default": 1, "between": [ 1, 1000000 @@ -150,9 +163,9 @@ }, { "max_coalescing_delay": { + "default": 1, "type": "number", "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "default": 1, "between": [ 0, 3600 @@ -161,9 +174,9 @@ }, { "max_entries": { + "default": 10000, "type": "integer", "description": "Maximum number of entries that can be waiting on the queue.", - "default": 10000, "between": [ 1, 1000000 @@ -185,9 +198,9 @@ }, { "initial_retry_delay": { + "default": 0.01, "type": "number", "description": "Time in seconds before the initial retry is made for a failing batch.", - "default": 0.01, "between": [ 0.001, 1000000 @@ -196,9 +209,9 @@ }, { "max_retry_delay": { + "default": 60, "type": "number", "description": "Maximum time in seconds between retries, caps exponential backoff.", - "default": 60, "between": [ 0.001, 1000000 @@ -206,16 +219,17 @@ } } ], + "type": "record", "required": true } }, { "custom_fields_by_lua": { - "type": "map", "keys": { "type": "string", "len_min": 1 }, + "type": "map", "description": "Lua code as a key-value map", "values": { "type": "string", 
@@ -224,17 +238,7 @@ } } ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "retry_count", - "queue_size", - "flush_timeout" - ] - } - } - ], + "type": "record", "required": true } } diff --git a/schemas/ip-restriction/3.7.x.json b/schemas/ip-restriction/3.7.x.json index 0e610083..029b175e 100644 --- a/schemas/ip-restriction/3.7.x.json +++ b/schemas/ip-restriction/3.7.x.json @@ -2,7 +2,8 @@ "fields": [ { "protocols": { - "type": "set", + "description": "A set of strings representing protocols.", + "required": true, "elements": { "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -19,6 +20,7 @@ "wss" ] }, + "type": "set", "default": [ "http", "https", 
@@ -26,50 +28,48 @@ "tls", "grpc", "grpcs" - ], - "required": true, - "description": "A set of strings representing protocols." + ] } }, { "config": { - "type": "record", "fields": [ { "allow": { - "type": "array", - "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", "elements": { "type": "string", "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." - } + }, + "type": "array", + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified." } }, { "deny": { - "type": "array", - "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", "elements": { "type": "string", "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." - } + }, + "type": "array", + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified." } }, { "status": { + "required": false, "type": "number", - "description": "The HTTP status of the requests that will be rejected by the plugin.", - "required": false + "description": "The HTTP status of the requests that will be rejected by the plugin." } }, { "message": { + "required": false, "type": "string", - "description": "The message to send as a response body to rejected requests.", - "required": false + "description": "The message to send as a response body to rejected requests." } } ], + "type": "record", "required": true } } diff --git a/schemas/jq/3.7.x.json b/schemas/jq/3.7.x.json index 347c8014..733feb0f 100644 --- a/schemas/jq/3.7.x.json +++ b/schemas/jq/3.7.x.json @@ -2,8 +2,8 @@ "fields": [ { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } 
@@ -11,6 +11,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -20,151 +21,149 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { - "type": "record", "fields": [ { "request_jq_program": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "request_jq_program_options": { - "type": "record", + "required": false, "fields": [ { "compact_output": { + "required": true, "type": "boolean", - "default": true, - "required": true + "default": true } }, { "raw_output": { + "required": true, "type": "boolean", - "default": false, - "required": true + "default": false } }, { "join_output": { + "required": true, "type": "boolean", - "default": false, - "required": true + "default": false } }, { "ascii_output": { + "required": true, "type": "boolean", - "default": false, - "required": true + "default": false } }, { "sort_keys": { + "required": true, "type": "boolean", - "default": false, - "required": true + "default": false } } ], + "type": "record", "default": [ - ], - "required": false + ] } }, { "request_if_media_type": { - "type": "array", + "required": false, "elements": { "type": "string" }, + "type": "array", "default": [ "application/json" - ], - "required": false + ] } }, { "response_jq_program": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "response_jq_program_options": { - "type": "record", + "required": false, "fields": [ { "compact_output": { + "required": true, "type": "boolean", - "default": true, - "required": true + "default": true } }, { "raw_output": { + "required": true, "type": "boolean", - "default": false, - "required": true + "default": false } }, { "join_output": { + "required": true, "type": "boolean", - "default": false, - "required": true + "default": false } }, { "ascii_output": { + "required": true, "type": "boolean", - "default": false, - 
"required": true + "default": false } }, { "sort_keys": { + "required": true, "type": "boolean", - "default": false, - "required": true + "default": false } } ], + "type": "record", "default": [ - ], - "required": false + ] } }, { "response_if_media_type": { - "type": "array", + "required": false, "elements": { "type": "string" }, + "type": "array", "default": [ "application/json" - ], - "required": false + ] } }, { "response_if_status_code": { - "type": "array", + "required": false, "elements": { "type": "integer", "between": [ @@ -172,10 +171,10 @@ 599 ] }, + "type": "array", "default": [ 200 - ], - "required": false + ] } } ], @@ -187,6 +186,7 @@ ] } ], + "type": "record", "required": true } } diff --git a/schemas/jwe-decrypt/3.7.x.json b/schemas/jwe-decrypt/3.7.x.json index 8c21fa55..4822044d 100644 --- a/schemas/jwe-decrypt/3.7.x.json +++ b/schemas/jwe-decrypt/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -12,60 +13,58 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "lookup_header_name": { + "required": true, "type": "string", "description": "The name of the header to look for the JWE token.", - "default": "Authorization", - "required": true + "default": "Authorization" } }, { "forward_header_name": { + "required": true, "type": "string", "description": "The name of the header that is used to set the decrypted value.", - "default": "Authorization", - "required": true + "default": "Authorization" } }, { "key_sets": { - "type": "array", - "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", + "required": true, "elements": { "type": "string" }, - "required": true + "type": "array", + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token." } }, { @@ -76,6 +75,7 @@ } } ], + "type": "record", "required": true } } diff --git a/schemas/jwt-signer/3.7.x.json b/schemas/jwt-signer/3.7.x.json index a1613bee..e6cc6eb6 100644 --- a/schemas/jwt-signer/3.7.x.json +++ b/schemas/jwt-signer/3.7.x.json 
@@ -2,8 +2,8 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } @@ -11,6 +11,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -20,126 +21,191 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "realm": { + "required": false, "type": "string", - "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", - "required": false + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value." } }, { "enable_hs_signatures": { + "required": false, "type": "boolean", "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting.", - "default": false, - "required": false + "default": false } }, { "enable_instrumentation": { + "required": false, "type": "boolean", "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", - "default": false, - "required": false + "default": false } }, { "access_token_issuer": { + "required": false, "type": "string", "description": "The `iss` claim of a signed or re-signed access token is set to this value. 
Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", - "default": "kong", - "required": false + "default": "kong" } }, { "access_token_keyset": { + "required": false, "type": "string", "description": "The name of the keyset containing signing keys.", - "default": "kong", - "required": false + "default": "kong" + } + }, + { + "access_token_keyset_client_username": { + "required": false, + "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`", + "referenceable": true, + "type": "string" + } + }, + { + "access_token_keyset_client_password": { + "encrypted": true, + "referenceable": true, + "required": false, + "type": "string", + "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`" + } + }, + { + "access_token_keyset_client_certificate": { + "required": false, + "type": "foreign", + "description": "The client certificate that will be used to authenticate Kong if `access_token_keyset` is an https uri that requires mTLS Auth.", + "reference": "certificates" + } + }, + { + "access_token_keyset_rotate_period": { + "required": false, + "type": "number", + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. The default value 0 means no auto-rotation.", + "default": 0 } }, { "access_token_jwks_uri": { + "required": false, "type": "string", - "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", - "required": false + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token." 
+ } + }, + { + "access_token_jwks_uri_client_username": { + "required": false, + "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`", + "referenceable": true, + "type": "string" + } + }, + { + "access_token_jwks_uri_client_password": { + "encrypted": true, + "referenceable": true, + "required": false, + "type": "string", + "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`" + } + }, + { + "access_token_jwks_uri_client_certificate": { + "required": false, + "type": "foreign", + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", + "reference": "certificates" + } + }, + { + "access_token_jwks_uri_rotate_period": { + "required": false, + "type": "number", + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. The default value 0 means no auto-rotation.", + "default": 0 } }, { "access_token_request_header": { + "required": false, "type": "string", "description": "This parameter tells the name of the header where to look for the access token.", - "default": "Authorization", - "required": false + "default": "Authorization" } }, { "access_token_leeway": { + "required": false, "type": "number", "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. 
You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", - "default": 0, - "required": false + "default": 0 } }, { "access_token_scopes_required": { - "type": "array", - "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", + "required": false, "elements": { "type": "string" }, - "required": false + "type": "array", + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`." } }, { "access_token_scopes_claim": { "type": "array", + "required": false, "elements": { "type": "string" }, + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", "default": [ "scope" - ], - "required": false, - "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`." + ] } }, { "access_token_consumer_claim": { - "type": "array", - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", + "required": false, "elements": { "type": "string" }, - "required": false + "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity." } }, { "access_token_consumer_by": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
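Review bot: The new `access_token_keyset_client_username`/`_client_password` and `access_token_jwks_uri_client_username`/`_client_password` descriptions say only "a uri that requires Basic Auth", while the matching `_client_certificate` fields say "an https uri". Nothing in this hunk restricts the scheme, and `access_token_jwks_uri` is a plain `string`. If the plugin does not enforce TLS elsewhere (not visible here), a Basic Auth credential configured for an `http://` keyset or JWKS URI would be sent unencrypted. I would end each of the four descriptions with `Use only with an https URI; over plain http the credentials are sent in cleartext.` The same applies to the `channel_token_*` fields added in the later hunk of this file, and since these schemas appear to be pulled from the API, the wording probably has to change in the plugin's schema source.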
@@ -148,105 +214,105 @@ "custom_id" ] }, + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", "default": [ "username", "custom_id" - ], - "required": false, - "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`." + ] } }, { "access_token_upstream_header": { + "required": false, "type": "string", "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", - "default": "Authorization:Bearer", - "required": false + "default": "Authorization:Bearer" } }, { "access_token_upstream_leeway": { + "required": false, "type": "number", "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", - "default": 0, - "required": false + "default": 0 } }, { "access_token_introspection_endpoint": { + "required": false, "type": "string", - "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", - "required": false + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need 
to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter." } }, { "access_token_introspection_authorization": { + "required": false, "type": "string", - "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", - "required": false + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter." } }, { "access_token_introspection_body_args": { + "required": false, "type": "string", - "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", - "required": false + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`." } }, { "access_token_introspection_hint": { + "required": false, "type": "string", "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", - "default": "access_token", - "required": false + "default": "access_token" } }, { "access_token_introspection_jwt_claim": { - "type": "array", - "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", + "required": false, "elements": { "type": "string" }, - "required": false + "type": "array", + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). 
If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`." } }, { "access_token_introspection_scopes_required": { - "type": "array", - "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", + "required": false, "elements": { "type": "string" }, - "required": false + "type": "array", + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`." } }, { "access_token_introspection_scopes_claim": { "type": "array", + "required": true, "elements": { "type": "string" }, + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", "default": [ "scope" - ], - "required": true, - "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`." 
+ ] } }, { "access_token_introspection_consumer_claim": { - "type": "array", - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", + "required": false, "elements": { "type": "string" }, - "required": false + "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity." } }, { "access_token_introspection_consumer_by": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
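Review bot: Two description strings carried over in this hunk contain typos that end up in the rendered plugin reference: `array of alues` in `access_token_consumer_by` and `hich can be given as` in `access_token_introspection_scopes_claim`. They should read `array of values` and `which can be given as`. The hunk only reorders these keys, so the correction probably belongs in the upstream schema source rather than in this file.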
@@ -255,34 +321,33 @@ "custom_id" ] }, + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.", "default": [ "username", "custom_id" - ], - "required": false, - "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values." + ] } }, { "access_token_introspection_leeway": { + "required": false, "type": "number", "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", - "default": 0, - "required": false + "default": 0 } }, { "access_token_introspection_timeout": { + "required": false, "type": "number", - "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", - "required": false + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection." 
} }, { "access_token_signing_algorithm": { - "type": "string", "default": "RS256", "required": true, + "type": "string", "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", "one_of": [ "HS256", 
@@ -300,157 +365,270 @@ ] } }, + { + "add_access_token_claims": { + "keys": { + "type": "string" + }, + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "required": false, + "values": { + "type": "string" + }, + "type": "map", + "default": [ + + ] + } + }, + { + "set_access_token_claims": { + "keys": { + "type": "string" + }, + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "required": false, + "values": { + "type": "string" + }, + "type": "map", + "default": [ + + ] + } + }, + { + "remove_access_token_claims": { + "type": "array", + "required": false, + "elements": { + "type": "string" + }, + "description": "remove claims. It should be an array, and each element is a claim key string.", + "default": [ + + ] + } + }, + { + "original_access_token_upstream_header": { + "required": false, + "type": "string", + "description": "The HTTP header name used to store the original access token." + } + }, { "access_token_optional": { + "required": false, "type": "boolean", "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. 
If the token is provided, then this parameter has no effect", - "default": false, - "required": false + "default": false } }, { "verify_access_token_signature": { + "required": false, "type": "boolean", "description": "Quickly turn access token signature verification off and on as needed.", - "default": true, - "required": false + "default": true } }, { "verify_access_token_expiry": { + "required": false, "type": "boolean", "description": "Quickly turn access token expiry verification off and on as needed.", - "default": true, - "required": false + "default": true } }, { "verify_access_token_scopes": { + "required": false, "type": "boolean", "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", - "default": true, - "required": false + "default": true } }, { "verify_access_token_introspection_expiry": { + "required": false, "type": "boolean", "description": "Quickly turn access token introspection expiry verification off and on as needed.", - "default": true, - "required": false + "default": true } }, { "verify_access_token_introspection_scopes": { + "required": false, "type": "boolean", "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", - "default": true, - "required": false + "default": true } }, { "cache_access_token_introspection": { + "required": false, "type": "boolean", "description": "Whether to cache access token introspection results.", - "default": true, - "required": false + "default": true } }, { "trust_access_token_introspection": { + "required": false, "type": "boolean", "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. 
If you set this to `true`, the expiry or scopes are not checked on a payload.", - "default": true, - "required": false + "default": true } }, { "enable_access_token_introspection": { + "required": false, "type": "boolean", "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", - "default": true, - "required": false + "default": true } }, { "channel_token_issuer": { + "required": false, "type": "string", "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", - "default": "kong", - "required": false + "default": "kong" } }, { "channel_token_keyset": { + "required": false, "type": "string", "description": "The name of the keyset containing signing keys.", - "default": "kong", - "required": false + "default": "kong" + } + }, + { + "channel_token_keyset_client_username": { + "required": false, + "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`", + "referenceable": true, + "type": "string" + } + }, + { + "channel_token_keyset_client_password": { + "encrypted": true, + "referenceable": true, + "required": false, + "type": "string", + "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_keyset_client_username`" + } + }, + { + "channel_token_keyset_client_certificate": { + "required": false, + "type": "foreign", + "description": "The client certificate that will be used to authenticate Kong if `channel_token_keyset` is an https uri that requires mTLS Auth.", + "reference": "certificates" + } + }, + { + "channel_token_keyset_rotate_period": { + "required": false, + "type": "number", + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. The default value 0 means no auto-rotation.", + "default": 0 } }, { "channel_token_jwks_uri": { + "required": false, + "type": "string", + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`." + } + }, + { + "channel_token_jwks_uri_client_username": { + "required": false, + "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", + "referenceable": true, + "type": "string" + } + }, + { + "channel_token_jwks_uri_client_password": { + "encrypted": true, + "referenceable": true, + "required": false, "type": "string", - "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", - "required": false + "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_jwks_uri_client_username`" + } + }, + { + "channel_token_jwks_uri_client_certificate": { + "required": false, + "type": "foreign", + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", + "reference": "certificates" + } + }, + { + "channel_token_jwks_uri_rotate_period": { + "required": false, + "type": "number", + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. The default value 0 means no auto-rotation.", + "default": 0 } }, { "channel_token_request_header": { + "required": false, "type": "string", - "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", - "required": false + "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string)." } }, { "channel_token_leeway": { + "required": false, "type": "number", "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. 
You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", - "default": 0, - "required": false + "default": 0 } }, { "channel_token_scopes_required": { - "type": "array", - "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", + "required": false, "elements": { "type": "string" }, - "required": false + "type": "array", + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`." } }, { "channel_token_scopes_claim": { "type": "array", + "required": false, "elements": { "type": "string" }, + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", "default": [ "scope" - ], - "required": false, - "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims." + ] } }, { "channel_token_consumer_claim": { - "type": "array", - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", + "required": false, "elements": { "type": "string" }, - "required": false + "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`." 
} }, { "channel_token_consumer_by": { "type": "array", - "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", - "default": [ - "username", - "custom_id" - ], "elements": { "type": "string", "one_of": [ 
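Review bot: The description added for `channel_token_jwks_uri_client_certificate` names the wrong setting: it says the certificate is used when `access_token_jwks_uri` requires mTLS, which looks copied from the access-token field. The reference should be `channel_token_jwks_uri`, matching the sibling `channel_token_jwks_uri_client_username` and `_client_password` descriptions. As written, an operator reading the reference could attach the client certificate to the wrong endpoint's configuration. In the same hunk, the `remove_access_token_claims` description starts in lower case, and `set_access_token_claims` does not say whether registered claims such as `iss` or `exp` can be overwritten; one sentence stating that would help anyone auditing a configuration.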
@@ -458,107 +636,113 @@ "username", "custom_id" ] - } + }, + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", + "default": [ + "username", + "custom_id" + ] } }, { "channel_token_upstream_header": { + "required": false, "type": "string", - "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", - "required": false + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value." } }, { "channel_token_upstream_leeway": { + "required": false, "type": "number", "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", - "default": 0, - "required": false + "default": 0 } }, { "channel_token_introspection_endpoint": { + "required": false, "type": "string", - "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", - "required": false + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead." 
} }, { "channel_token_introspection_authorization": { - "type": "string", - "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", + "required": false, "elements": { "type": "string" }, - "required": false + "type": "string", + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens." } }, { "channel_token_introspection_body_args": { - "type": "string", - "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", + "required": false, "elements": { "type": "string" }, - "required": false + "type": "string", + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`." } }, { "channel_token_introspection_hint": { - "type": "string", - "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. 
By default, a `hint` isn't sent with channel token introspection.", + "required": false, "elements": { "type": "string" }, - "required": false + "type": "string", + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection." } }, { "channel_token_introspection_jwt_claim": { - "type": "array", - "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", + "required": false, "elements": { "type": "string" }, - "required": false + "type": "array", + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong." } }, { "channel_token_introspection_scopes_required": { - "type": "array", - "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", + "required": false, "elements": { "type": "string" }, - "required": false + "type": "array", + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`." 
} }, { "channel_token_introspection_scopes_claim": { "type": "array", + "required": false, "elements": { "type": "string" }, + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", "default": [ "scope" - ], - "required": false, - "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims." + ] } }, { "channel_token_introspection_consumer_claim": { - "type": "array", - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", + "required": false, "elements": { "type": "string" }, - "required": false + "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity" } }, { "channel_token_introspection_consumer_by": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
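Review bot: `channel_token_introspection_authorization`, `channel_token_introspection_body_args` and `channel_token_introspection_hint` are declared `"type": "string"` but still carry `"elements": { "type": "string" }`, which only makes sense for an array or set, so a consumer of this schema cannot tell whether one value or a list is expected. Either drop the `elements` member from the three fields or, if a list is intended, declare `"type": "array"`. The description of `channel_token_introspection_authorization` also repeats the introspection-endpoint text instead of saying what the field holds; the name suggests it carries the credential sent to the introspection endpoint, and if so the description should say that. These files look like an API export, so the correction probably belongs in the plugin's schema source rather than in this file.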
@@ -567,34 +751,33 @@ "custom_id" ] }, + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", "default": [ "username", "custom_id" - ], - "required": false, - "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`." + ] } }, { "channel_token_introspection_leeway": { + "required": false, "type": "number", "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", - "default": 0, - "required": false + "default": 0 } }, { "channel_token_introspection_timeout": { + "required": false, "type": "number", - "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", - "required": false + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection." 
} }, { "channel_token_signing_algorithm": { - "type": "string", "default": "RS256", "required": true, + "type": "string", "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", "one_of": [ "HS256", 
@@ -612,115 +795,203 @@ ] } }, + { + "add_channel_token_claims": { + "keys": { + "type": "string" + }, + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "required": false, + "values": { + "type": "string" + }, + "type": "map", + "default": [ + + ] + } + }, + { + "set_channel_token_claims": { + "keys": { + "type": "string" + }, + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "required": false, + "values": { + "type": "string" + }, + "type": "map", + "default": [ + + ] + } + }, + { + "remove_channel_token_claims": { + "type": "array", + "required": false, + "elements": { + "type": "string" + }, + "description": "remove claims. It should be an array, and each element is a claim key string.", + "default": [ + + ] + } + }, + { + "original_channel_token_upstream_header": { + "required": false, + "type": "string", + "description": "The HTTP header name used to store the original channel token." + } + }, { "channel_token_optional": { + "required": false, "type": "boolean", "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. 
If the channel token is provided, then this parameter has no effect", - "default": false, - "required": false + "default": false } }, { "verify_channel_token_signature": { + "required": false, "type": "boolean", "description": "Quickly turn on/off the channel token signature verification.", - "default": true, - "required": false + "default": true } }, { "verify_channel_token_expiry": { + "required": false, "type": "boolean", - "default": true, - "required": false + "default": true } }, { "verify_channel_token_scopes": { + "required": false, "type": "boolean", "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", - "default": true, - "required": false + "default": true } }, { "verify_channel_token_introspection_expiry": { + "required": false, "type": "boolean", "description": "Quickly turn on/off the channel token introspection expiry verification.", - "default": true, - "required": false + "default": true } }, { "verify_channel_token_introspection_scopes": { + "required": false, "type": "boolean", "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", - "default": true, - "required": false + "default": true } }, { "cache_channel_token_introspection": { + "required": false, "type": "boolean", "description": "Whether to cache channel token introspection results.", - "default": true, - "required": false + "default": true } }, { "trust_channel_token_introspection": { + "required": false, "type": "boolean", "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. 
Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", - "default": true, - "required": false + "default": true } }, { "enable_channel_token_introspection": { + "required": false, "type": "boolean", "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", - "default": true, - "required": false + "default": true } }, { "add_claims": { - "type": "map", "keys": { "type": "string" }, - "default": [ - - ], + "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "required": false, - "description": "Add customized claims if they are not present yet.", "values": { "type": "string" - } + }, + "type": "map", + "default": [ + + ] } }, { "set_claims": { - "type": "map", "keys": { "type": "string" }, - "default": [ - - ], + "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "required": false, - "description": "Set customized claims. 
If a claim is already present, it will be overwritten.", "values": { "type": "string" - } + }, + "type": "map", + "default": [ + + ] } } ], + "entity_checks": [ + { + "mutually_required": [ + "access_token_jwks_uri_client_username", + "access_token_jwks_uri_client_password" + ] + }, + { + "mutually_required": [ + "access_token_keyset_client_username", + "access_token_keyset_client_password" + ] + }, + { + "mutually_required": [ + "channel_token_jwks_uri_client_username", + "channel_token_jwks_uri_client_password" + ] + }, + { + "mutually_required": [ + "channel_token_keyset_client_username", + "channel_token_keyset_client_password" + ] + } + ], + "type": "record", "required": true } } ], "entity_checks": [ - + { + "custom_entity_check": { + "field_sources": [ + "config.access_token_upstream_header", + "config.channel_token_upstream_header", + "config.original_access_token_upstream_header", + "config.original_channel_token_upstream_header" + ] + } + } ] } \ No newline at end of file diff --git a/schemas/jwt/3.7.x.json b/schemas/jwt/3.7.x.json index e2a32536..a33e407e 100644 --- a/schemas/jwt/3.7.x.json +++ b/schemas/jwt/3.7.x.json @@ -2,8 +2,8 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } @@ -11,6 +11,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
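Review bot: The new `add_channel_token_claims` and `set_channel_token_claims` fields are `"type": "map"` yet default to an empty array (`"default": [ ]`), and the rewritten `add_claims` and `set_claims` in the same hunk keep that default. A strict consumer that expects a map default to be a JSON object will see a type mismatch; `"default": {}` would agree with the declared type. This is probably an artifact of how the export serializes an empty table, so the fix likely belongs in the exporter. The note applies to the hunk that adds these fields and the `entity_checks` block, not to the jwt schema hunks that follow on the same line.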
@@ -20,50 +21,48 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "uri_param_names": { "type": "set", + "elements": { + "type": "string" + }, "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", "default": [ "jwt" - ], - "elements": { - "type": "string" - } + ] } }, { "cookie_names": { "type": "set", + "elements": { + "type": "string" + }, "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", "default": [ - ], - "elements": { - "type": "string" - } + ] } }, { @@ -75,23 +74,23 @@ }, { "secret_is_base64": { + "required": true, "type": "boolean", "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", - "default": false, - "required": true + "default": false } }, { "claims_to_verify": { - "type": "set", - "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", "elements": { "type": "string", "one_of": [ "exp", "nbf" ] - } + }, + "type": "set", + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf." } }, { 
@@ -102,17 +101,17 @@ }, { "run_on_preflight": { + "required": true, "type": "boolean", "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", - "default": true, - "required": true + "default": true } }, { "maximum_expiration": { + "default": 0, "type": "number", "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", - "default": 0, "between": [ 0, 31536000 @@ -122,16 +121,17 @@ { "header_names": { "type": "set", + "elements": { + "type": "string" + }, "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", "default": [ "authorization" - ], - "elements": { - "type": "string" - } + ] } } ], + "type": "record", "required": true } } @@ -139,13 +139,13 @@ "entity_checks": [ { "conditional": { - "then_field": "config.claims_to_verify", "if_field": "config.maximum_expiration", - "then_match": { - "contains": "exp" - }, "if_match": { "gt": 0 + }, + "then_field": "config.claims_to_verify", + "then_match": { + "contains": "exp" } } } diff --git a/schemas/kafka-log/3.7.x.json b/schemas/kafka-log/3.7.x.json index b3fd9c9a..fe4b936f 100644 --- a/schemas/kafka-log/3.7.x.json +++ b/schemas/kafka-log/3.7.x.json @@ -2,7 +2,7 @@ "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -14,6 +14,7 @@ "wss" ] }, + "type": "set", "default": [ "grpc", "grpcs", 
@@ -21,41 +22,37 @@ "https", "ws", "wss" - ], - "required": true + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "bootstrap_servers": { - "type": "set", - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "elements": { "type": "record", "fields": [ { "host": { - "type": "string", + "required": true, "description": "A string representing a host name, such as example.com.", - "required": true + "type": "string" } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 @@ -63,14 +60,16 @@ } } ] - } + }, + "type": "set", + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." } }, { "topic": { + "required": true, "type": "string", - "description": "The Kafka topic to publish to.", - "required": true + "description": "The Kafka topic to publish to." } }, { 
@@ -82,107 +81,107 @@ }, { "keepalive": { - "default": 60000, - "type": "integer" + "type": "integer", + "default": 60000 } }, { "keepalive_enabled": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "authentication": { - "type": "record", "fields": [ { "strategy": { + "required": false, "type": "string", "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "one_of": [ "sasl" - ], - "required": false + ] } }, { "mechanism": { + "required": false, "type": "string", "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" - ], - "required": false + ] } }, { "tokenauth": { + "required": false, "type": "boolean", - "description": "Enable this to indicate `DelegationToken` authentication", - "required": false + "description": "Enable this to indicate `DelegationToken` authentication" } }, { "user": { + "encrypted": true, "referenceable": true, "required": false, - "encrypted": true, - "type": "string", - "description": "Username for SASL authentication." + "description": "Username for SASL authentication.", + "type": "string" } }, { "password": { + "encrypted": true, "referenceable": true, "required": false, - "encrypted": true, - "type": "string", - "description": "Password for SASL authentication." + "description": "Password for SASL authentication.", + "type": "string" } } ], + "type": "record", "required": true } }, { "security": { - "type": "record", "fields": [ { "certificate_id": { + "required": false, "type": "string", "description": "UUID of certificate entity for mTLS authentication.", - "uuid": true, - "required": false + "uuid": true } }, { "ssl": { + "required": false, "type": "boolean", - "description": "Enables TLS.", - "required": false + "description": "Enables TLS." 
} } ], + "type": "record", "required": true } }, { "cluster_name": { - "type": "string", - "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "required": false, "auto": true, - "required": false + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "type": "string" } }, { "producer_request_acks": { + "default": 1, "type": "integer", "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", - "default": 1, "one_of": [ -1, 0, @@ -248,11 +247,11 @@ }, { "custom_fields_by_lua": { - "type": "map", "keys": { "type": "string", "len_min": 1 }, + "type": "map", "description": "Lua code as a key-value map", "values": { "type": "string", @@ -270,6 +269,7 @@ } } ], + "type": "record", "required": true } } diff --git a/schemas/kafka-upstream/3.7.x.json b/schemas/kafka-upstream/3.7.x.json index 5d20e86b..5cec5052 100644 --- a/schemas/kafka-upstream/3.7.x.json +++ b/schemas/kafka-upstream/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
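Review bot: In the kafka-log `authentication` record, the `mechanism` description still lists only `PLAIN` and `SCRAM-SHA-256` as supported options while its `one_of` also allows `SCRAM-SHA-512`. The kafka-upstream schema later in this patch names all three in the same description, so the two files disagree about the same field. A reader choosing a SASL mechanism from the description alone would not learn that `SCRAM-SHA-512` is accepted. I would reuse the kafka-upstream wording for the kafka-log description so both state the full list.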
@@ -12,47 +13,43 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "bootstrap_servers": { - "type": "set", - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "elements": { "type": "record", "fields": [ { "host": { - "type": "string", + "required": true, "description": "A string representing a host name, such as example.com.", - "required": true + "type": "string" } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 @@ -60,14 +57,16 @@ } } ] - } + }, + "type": "set", + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." } }, { "topic": { + "required": true, "type": "string", - "description": "The Kafka topic to publish to.", - "required": true + "description": "The Kafka topic to publish to." } }, { 
@@ -92,79 +91,79 @@ }, { "authentication": { - "type": "record", "fields": [ { "strategy": { + "required": false, "type": "string", "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "one_of": [ "sasl" - ], - "required": false + ] } }, { "mechanism": { + "required": false, "type": "string", "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" - ], - "required": false + ] } }, { "tokenauth": { + "required": false, "type": "boolean", - "description": "Enable this to indicate `DelegationToken` authentication.", - "required": false + "description": "Enable this to indicate `DelegationToken` authentication." } }, { "user": { + "encrypted": true, "referenceable": true, "required": false, - "description": "Username for SASL authentication.", - "encrypted": true, - "type": "string" + "type": "string", + "description": "Username for SASL authentication." } }, { "password": { + "encrypted": true, "referenceable": true, "required": false, - "description": "Password for SASL authentication.", - "encrypted": true, - "type": "string" + "type": "string", + "description": "Password for SASL authentication." } } ], + "type": "record", "required": true } }, { "security": { - "type": "record", "fields": [ { "certificate_id": { - "type": "string", + "required": false, "description": "UUID of certificate entity for mTLS authentication.", "uuid": true, - "required": false + "type": "string" } }, { "ssl": { + "required": false, "type": "boolean", - "description": "Enables TLS.", - "required": false + "description": "Enables TLS." } } ], + "type": "record", "required": true } }, 
@@ -198,17 +197,17 @@ }, { "cluster_name": { - "type": "string", + "required": false, "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", - "auto": true, - "required": false + "type": "string", + "auto": true } }, { "producer_request_acks": { + "default": 1, "type": "integer", "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", - "default": 1, "one_of": [ -1, 0, @@ -292,6 +291,7 @@ } } ], + "type": "record", "required": true } } diff --git a/schemas/key-auth-enc/3.7.x.json b/schemas/key-auth-enc/3.7.x.json index 128137a3..ea7ddea3 100644 --- a/schemas/key-auth-enc/3.7.x.json +++ b/schemas/key-auth-enc/3.7.x.json @@ -2,15 +2,15 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "protocols": { - "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -22,6 +22,7 @@ "wss" ] }, + "type": "set", "default": [ "grpc", "grpcs", 
@@ -29,78 +30,77 @@ "https", "ws", "wss" - ], - "required": true + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "key_names": { - "type": "array", + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "required": true, "elements": { "type": "string", "description": "A string representing an HTTP header name." }, + "type": "array", "default": [ "apikey" - ], - "required": true, - "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." + ] } }, { "hide_credentials": { - "type": "boolean", "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", + "type": "boolean", "default": false } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "key_in_header": { - "type": "boolean", "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean", "default": true } }, { "key_in_query": { - "type": "boolean", "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean", "default": true } }, { "key_in_body": { - "type": "boolean", "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean", "default": false } }, { "run_on_preflight": { - "type": "boolean", "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean", "default": true } } ], + "type": "record", "required": true } } diff --git a/schemas/key-auth/3.7.x.json b/schemas/key-auth/3.7.x.json index 053f2f7d..77952bad 100644 --- a/schemas/key-auth/3.7.x.json +++ b/schemas/key-auth/3.7.x.json 
@@ -2,15 +2,15 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "protocols": { - "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -22,6 +22,7 @@ "wss" ] }, + "type": "set", "default": [ "grpc", "grpcs", 
@@ -29,83 +30,89 @@ "https", "ws", "wss" - ], - "required": true + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "key_names": { - "type": "array", + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "required": true, "elements": { "type": "string", "description": "A string representing an HTTP header name." }, + "type": "array", "default": [ "apikey" - ], - "required": true, - "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." + ] } }, { "hide_credentials": { - "type": "boolean", + "required": true, "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", - "default": false, - "required": true + "type": "boolean", + "default": false } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. 
If empty (default null), the request will fail with an authentication failure `4xx`.", + "type": "string" } }, { "key_in_header": { - "type": "boolean", + "required": true, "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", - "default": true, - "required": true + "type": "boolean", + "default": true } }, { "key_in_query": { - "type": "boolean", + "required": true, "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", - "default": true, - "required": true + "type": "boolean", + "default": true } }, { "key_in_body": { - "type": "boolean", + "required": true, "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", - "default": false, - "required": true + "type": "boolean", + "default": false } }, { "run_on_preflight": { - "type": "boolean", + "required": true, "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", - "default": true, - "required": true + "type": "boolean", + "default": true + } + }, + { + "realm": { + "required": false, + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" } } ], + "type": "record", "required": true } } diff --git a/schemas/konnect-application-auth/3.7.x.json b/schemas/konnect-application-auth/3.7.x.json index d076c137..64fa1dc3 100644 --- a/schemas/konnect-application-auth/3.7.x.json +++ b/schemas/konnect-application-auth/3.7.x.json @@ -2,8 +2,8 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } 
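Review bot: The new `realm` field in `config` is declared as a bare `string` with no pattern or length bound, although its description says the value is placed in the `WWW-Authenticate` header. Whether the plugin escapes the value is not visible here; if it does not, a configured realm containing a double quote or a line break would yield a malformed challenge header, so a constraint in the style of the `match_none` entry used for `authorization_cookie_path` later in this patch would be worth adding. The description also leaves out what the header carries when `realm` is unset, which deserves one sentence. This file looks like a snapshot pulled from the API, so both changes would have to be made in the upstream plugin schema.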
@@ -11,6 +11,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -20,48 +21,46 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "key_names": { - "type": "array", + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "required": true, "elements": { "type": "string", "description": "A string representing an HTTP header name." }, + "type": "array", "default": [ "apikey" - ], - "required": true, - "description": "The names of the headers containing the API key. You can specify multiple header names." + ] } }, { "auth_type": { - "type": "string", "default": "openid-connect", "required": true, "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", + "type": "string", "one_of": [ "openid-connect", "key-auth", 
@@ -71,138 +70,131 @@ }, { "scope": { + "required": true, "type": "string", "description": "The unique scope identifier for the plugin configuration.", - "unique": true, - "required": true + "unique": true } }, { "v2_strategies": { "type": "record", - "default": [ - - ], - "required": false, - "description": "The map of v2 strategies.", "fields": [ { "key_auth": { - "type": "array", - "description": "List of key_auth strategies.", + "required": false, "elements": { "type": "record", "fields": [ { "strategy_id": { + "required": true, "type": "string", - "description": "The strategy id the config is tied to.", - "required": true + "description": "The strategy id the config is tied to." } }, { "config": { + "required": true, "type": "record", "fields": [ { "key_names": { - "type": "array", + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "required": true, "elements": { "type": "string", "description": "A string representing an HTTP header name." }, + "type": "array", "default": [ "apikey" - ], - "required": true, - "description": "The names of the headers containing the API key. You can specify multiple header names." + ] } } - ], - "required": true + ] } } ] }, - "required": false + "type": "array", + "description": "List of key_auth strategies." } }, { "openid_connect": { - "type": "array", - "description": "List of openid_connect strategies.", + "required": false, "elements": { "type": "record", "fields": [ { "strategy_id": { + "required": true, "type": "string", - "description": "The strategy id the config is tied to.", - "required": true + "description": "The strategy id the config is tied to." } }, { "config": { - "type": "record", - "description": "openid-connect plugin configuration.", "fields": [ { "issuer": { + "required": true, "type": "string", - "description": "The discovery endpoint (or the issuer identifier). 
When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", - "required": true + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`." } }, { "using_pseudo_issuer": { - "type": "boolean", + "required": false, "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "discovery_headers_names": { - "type": "array", - "description": "Extra header names passed to the discovery endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra header names passed to the discovery endpoint.", + "type": "array" } }, { "discovery_headers_values": { - "type": "array", - "description": "Extra header values passed to the discovery endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra header values passed to the discovery endpoint.", + "type": "array" } }, { "extra_jwks_uris": { - "type": "set", - "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "required": false, "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "required": false + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "type": "set" } }, { "rediscovery_lifetime": { - "type": "number", + "required": false, "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. 
Discovery is still triggered on an as-needed basis.", - "default": 30, - "required": false + "type": "number", + "default": 30 } }, { "auth_methods": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ @@ -217,6 +209,7 @@ "session" ] }, + "description": "Types of credentials/grants to enable.", "default": [ "password", "client_credentials", @@ -227,39 +220,36 @@ "kong_oauth2", "refresh_token", "session" - ], - "required": false, - "description": "Types of credentials/grants to enable." + ] } }, { "client_id": { - "type": "array", + "encrypted": true, + "required": false, "elements": { "referenceable": true, "type": "string" }, - "required": false, "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", - "encrypted": true + "type": "array" } }, { "client_secret": { - "type": "array", + "encrypted": true, + "required": false, "elements": { "referenceable": true, "type": "string" }, - "required": false, "description": "The client secret.", - "encrypted": true + "type": "array" } }, { "client_auth": { - "type": "array", - "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -272,14 +262,15 @@ "none" ] }, - "required": false + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "type": "array" } }, { "client_jwk": { - "type": "array", - "description": "The JWK used for the private_key_jwt authentication.", + "required": false, "elements": { + "required": false, "type": "record", "fields": [ { @@ -302,12 +293,12 @@ }, { "key_ops": { - "type": "array", + "required": false, "elements": { "type": "string", "required": false }, - "required": false + "type": "array" } }, { @@ -330,12 +321,12 @@ }, { "x5c": { - "type": "array", + "required": false, "elements": { "type": "string", "required": false }, - "required": false + "type": "array" } }, { @@ -352,10 +343,10 @@ }, { "k": { - "type": "string", + "required": false, "encrypted": true, - "referenceable": true, - "required": false + "type": "string", + "referenceable": true } }, { 
@@ -390,86 +381,85 @@ }, { "d": { - "type": "string", + "required": false, "encrypted": true, - "referenceable": true, - "required": false + "type": "string", + "referenceable": true } }, { "p": { - "type": "string", + "required": false, "encrypted": true, - "referenceable": true, - "required": false + "type": "string", + "referenceable": true } }, { "q": { - "type": "string", + "required": false, "encrypted": true, - "referenceable": true, - "required": false + "type": "string", + "referenceable": true } }, { "dp": { - "type": "string", + "required": false, "encrypted": true, - "referenceable": true, - "required": false + "type": "string", + "referenceable": true } }, { "dq": { - "type": "string", + "required": false, "encrypted": true, - "referenceable": true, - "required": false + "type": "string", + "referenceable": true } }, { "qi": { - "type": "string", + "required": false, "encrypted": true, - "referenceable": true, - "required": false + "type": "string", + "referenceable": true } }, { "oth": { - "type": "string", + "required": false, "encrypted": true, - "referenceable": true, - "required": false + "type": "string", + "referenceable": true } }, { "r": { - "type": "string", + "required": false, "encrypted": true, - "referenceable": true, - "required": false + "type": "string", + "referenceable": true } }, { "t": { - "type": "string", + "required": false, "encrypted": true, - "referenceable": true, - "required": false + "type": "string", + "referenceable": true } } - ], - "required": false + ] }, - "required": false + "description": "The JWK used for the private_key_jwt authentication.", + "type": "array" } }, { "client_alg": { - "type": "array", - "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -488,307 +478,313 @@ "EdDSA" ] }, - "required": false + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "type": "array" } }, { "client_arg": { - "type": "string", + "required": false, "description": "The client to use for this request (the selection is made with a request parameter with the same name).", - "default": "client_id", - "required": false + "type": "string", + "default": "client_id" } }, { "redirect_uri": { - "type": "array", - "description": "The redirect URI passed to the authorization and token endpoints.", + "required": false, "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "required": false + "description": "The redirect URI passed to the authorization and token endpoints.", + "type": "array" } }, { "login_redirect_uri": { - "type": "array", - "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "required": false, "elements": { - "referenceable": true, + "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "referenceable": true }, - "required": false + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "type": "array" } }, { "logout_redirect_uri": { - "type": "array", - "description": "Where to redirect the client after the logout.", + "required": false, "elements": { - "referenceable": true, + "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "referenceable": true }, - "required": false + "description": "Where to redirect the client after the logout.", + "type": "array" } }, { "forbidden_redirect_uri": { - "type": "array", - "description": "Where to redirect the client on forbidden requests.", + "required": false, "elements": { "type": 
"string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "required": false + "description": "Where to redirect the client on forbidden requests.", + "type": "array" } }, { "forbidden_error_message": { - "type": "string", + "required": false, "description": "The error message for the forbidden requests (when not using the redirection).", - "default": "Forbidden", - "required": false + "type": "string", + "default": "Forbidden" } }, { "forbidden_destroy_session": { - "type": "boolean", + "required": false, "description": "Destroy any active session for the forbidden requests.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "unauthorized_destroy_session": { - "type": "boolean", + "required": false, "description": "Destroy any active session for the unauthorized requests.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "unauthorized_redirect_uri": { - "type": "array", - "description": "Where to redirect the client on unauthorized requests.", + "required": false, "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "required": false + "description": "Where to redirect the client on unauthorized requests.", + "type": "array" } }, { "unauthorized_error_message": { - "type": "string", + "required": false, "description": "The error message for the unauthorized requests (when not using the redirection).", - "default": "Unauthorized", - "required": false + "type": "string", + "default": "Unauthorized" } }, { "unexpected_redirect_uri": { - "type": "array", - "description": "Where to redirect the client when unexpected errors happen with the requests.", + "required": false, "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
}, - "required": false + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "type": "array" } }, { "response_mode": { - "type": "string", "default": "query", "required": false, - "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it).", + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "type": "string", "one_of": [ "query", "form_post", - "fragment" + "fragment", + "query.jwt", + "form_post.jwt", + "fragment.jwt", + "jwt" ] } }, { "response_type": { "type": "array", + "required": false, "elements": { "type": "string" }, + "description": "The response type passed to the authorization endpoint.", "default": [ "code" - ], - "required": false, - "description": "The response type passed to the authorization endpoint." + ] } }, { "scopes": { "type": "array", + "required": false, "elements": { "referenceable": true, "type": "string" }, + "description": "The scopes passed to the authorization and token endpoints.", "default": [ "openid" - ], - "required": false, - "description": "The scopes passed to the authorization and token endpoints." 
+ ] } }, { "audience": { - "type": "array", - "description": "The audience passed to the authorization endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The audience passed to the authorization endpoint.", + "type": "array" } }, { "issuers_allowed": { - "type": "array", - "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "type": "array" } }, { "scopes_required": { - "type": "array", - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array" } }, { "scopes_claim": { "type": "array", + "required": false, "elements": { "type": "string" }, + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", "default": [ "scope" - ], - "required": false, - "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload." + ] } }, { "audience_required": { - "type": "array", - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array" } }, { "audience_claim": { "type": "array", + "required": false, "elements": { "type": "string" }, + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", "default": [ "aud" - ], - "required": false, - "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload." + ] } }, { "groups_required": { - "type": "array", - "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array" } }, { "groups_claim": { "type": "array", + "required": false, "elements": { "type": "string" }, + "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", "default": [ "groups" - ], - "required": false, - "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload." 
+ ] } }, { "roles_required": { - "type": "array", - "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array" } }, { "roles_claim": { "type": "array", + "required": false, "elements": { "type": "string" }, + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", "default": [ "roles" - ], - "required": false, - "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload." + ] } }, { "domains": { - "type": "array", - "description": "The allowed values for the `hd` claim.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The allowed values for the `hd` claim.", + "type": "array" } }, { "max_age": { - "type": "number", + "required": false, "description": "The maximum age (in seconds) compared to the `auth_time` claim.", - "required": false + "type": "number" } }, { "authenticated_groups_claim": { - "type": "array", - "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The claim that contains authenticated groups. 
This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array" } }, { "pushed_authorization_request_endpoint": { + "required": false, "type": "string", - "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", - "required": false + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint." } }, { "pushed_authorization_request_endpoint_auth_method": { - "type": "string", + "required": false, "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -797,105 +793,111 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ], - "required": false + ] } }, { "require_pushed_authorization_requests": { - "type": "boolean", + "required": false, "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", - "required": false + "type": "boolean" } }, { "require_proof_key_for_code_exchange": { - "type": "boolean", + "required": false, "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", - "required": false + "type": "boolean" + } + }, + { + "require_signed_request_object": { + "required": false, + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "type": "boolean" } }, { "authorization_endpoint": { + "required": false, "type": "string", - "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", - "required": false + "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint." 
} }, { "authorization_query_args_names": { - "type": "array", - "description": "Extra query argument names passed to the authorization endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra query argument names passed to the authorization endpoint.", + "type": "array" } }, { "authorization_query_args_values": { - "type": "array", - "description": "Extra query argument values passed to the authorization endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra query argument values passed to the authorization endpoint.", + "type": "array" } }, { "authorization_query_args_client": { - "type": "array", - "description": "Extra query arguments passed from the client to the authorization endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "type": "array" } }, { "authorization_rolling_timeout": { - "type": "number", + "required": false, "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling.", - "default": 600, - "required": false + "type": "number", + "default": 600 } }, { "authorization_cookie_name": { - "type": "string", + "required": false, "description": "The authorization cookie name.", - "default": "authorization", - "required": false + "type": "string", + "default": "authorization" } }, { "authorization_cookie_path": { - "type": "string", - "default": "/", - "required": false, - "description": "The authorization cookie Path flag.", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "starts_with": "/" + "description": "The authorization cookie Path flag.", + "required": false, + "type": "string", + "starts_with": "/", + "default": "/" } }, { "authorization_cookie_domain": { - "type": "string", + "required": false, "description": "The authorization cookie Domain flag.", - "required": false + "type": "string" } }, { "authorization_cookie_same_site": { - "type": "string", "default": "Default", "required": false, "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "type": "string", "one_of": [ "Strict", "Lax", 
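Review bot: The added `require_signed_request_object` and the neighbouring `require_proof_key_for_code_exchange` both stay disabled when the option is unset and the discovery document omits the matching field, and the descriptions mention this only in a closing parenthesis. Neither field declares a `default`, so the effective setting depends on metadata served by the identity provider rather than on the gateway configuration. I would end both descriptions with a sentence such as `Set this to true explicitly when the deployment requires it; a missing discovery value leaves it disabled.` The file appears to be a downloaded snapshot, so the wording belongs in the upstream schema.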
@@ -906,38 +908,39 @@ }, { "authorization_cookie_http_only": { - "type": "boolean", + "required": false, "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "authorization_cookie_secure": { - "type": "boolean", + "required": false, "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "required": false + "type": "boolean" } }, { "preserve_query_args": { - "type": "boolean", + "required": false, "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "token_endpoint": { + "required": false, "type": "string", - "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", - "required": false + "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint." } }, { "token_endpoint_auth_method": { - "type": "string", + "required": false, "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -946,61 +949,59 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ], - "required": false + ] } }, { "token_headers_names": { - "type": "array", - "description": "Extra header names passed to the token endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra header names passed to the token endpoint.", + "type": "array" } }, { "token_headers_values": { - "type": "array", - "description": "Extra header values passed to the token endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra header values passed to the token endpoint.", + "type": "array" } }, { "token_headers_client": { - "type": "array", - "description": "Extra headers passed from the client to the token endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra headers passed from the client to the token endpoint.", + "type": "array" } }, { "token_headers_replay": { - "type": "array", - "description": "The names of token endpoint response headers to forward to the downstream client.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The names of token endpoint response headers to forward to the downstream client.", + "type": "array" } }, { "token_headers_prefix": { - "type": "string", + "required": false, "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", - "required": false + "type": "string" } }, { "token_headers_grants": { - "type": "array", - "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -1010,50 +1011,52 @@ "refresh_token" ] }, - "required": false + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "type": "array" } }, { "token_post_args_names": { - "type": "array", - "description": "Extra post argument names passed to the token endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra post argument names passed to the token endpoint.", + "type": "array" } }, { "token_post_args_values": { - "type": "array", - "description": "Extra post argument values passed to the token endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra post argument values passed to the token endpoint.", + "type": "array" } }, { "token_post_args_client": { - "type": "array", - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Reqest Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. 
If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "type": "array" } }, { "introspection_endpoint": { + "required": false, "type": "string", - "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", - "required": false + "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint." } }, { "introspection_endpoint_auth_method": { - "type": "string", + "required": false, "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -1062,32 +1065,31 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ], - "required": false + ] } }, { "introspection_hint": { - "type": "string", + "required": false, "description": "Introspection hint parameter value passed to the introspection endpoint.", - "default": "access_token", - "required": false + "type": "string", + "default": "access_token" } }, { "introspection_check_active": { - "type": "boolean", + "required": false, "description": "Check that the introspection response has an `active` claim with a value of `true`.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "introspection_accept": { - "type": "string", "default": "application/json", "required": false, "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "type": "string", "one_of": [ "application/json", "application/token-introspection+jwt", 
@@ -1097,85 +1099,86 @@ }, { "introspection_headers_names": { - "type": "array", - "description": "Extra header names passed to the introspection endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra header names passed to the introspection endpoint.", + "type": "array" } }, { "introspection_headers_values": { - "type": "array", + "encrypted": true, + "required": false, "elements": { "referenceable": true, "type": "string" }, - "required": false, "description": "Extra header values passed to the introspection endpoint.", - "encrypted": true + "type": "array" } }, { "introspection_headers_client": { - "type": "array", - "description": "Extra headers passed from the client to the introspection endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra headers passed from the client to the introspection endpoint.", + "type": "array" } }, { "introspection_post_args_names": { - "type": "array", - "description": "Extra post argument names passed to the introspection endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra post argument names passed to the introspection endpoint.", + "type": "array" } }, { "introspection_post_args_values": { - "type": "array", - "description": "Extra post argument values passed to the introspection endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra post argument values passed to the introspection endpoint.", + "type": "array" } }, { "introspection_post_args_client": { - "type": "array", - "description": "Extra post arguments passed from the client to the introspection endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "type": "array" } }, { "introspect_jwt_tokens": { - "type": "boolean", + 
"required": false, "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "revocation_endpoint": { + "required": false, "type": "string", - "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", - "required": false + "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint." } }, { "revocation_endpoint_auth_method": { - "type": "string", + "required": false, "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -1184,30 +1187,29 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ], - "required": false + ] } }, { "end_session_endpoint": { + "required": false, "type": "string", - "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", - "required": false + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint." } }, { "userinfo_endpoint": { + "required": false, "type": "string", - "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", - "required": false + "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint." } }, { "userinfo_accept": { - "type": "string", "default": "application/json", "required": false, "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "type": "string", "one_of": [ "application/json", "application/jwt" 
@@ -1216,180 +1218,180 @@ }, { "userinfo_headers_names": { - "type": "array", - "description": "Extra header names passed to the user info endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra header names passed to the user info endpoint.", + "type": "array" } }, { "userinfo_headers_values": { - "type": "array", - "description": "Extra header values passed to the user info endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra header values passed to the user info endpoint.", + "type": "array" } }, { "userinfo_headers_client": { - "type": "array", - "description": "Extra headers passed from the client to the user info endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra headers passed from the client to the user info endpoint.", + "type": "array" } }, { "userinfo_query_args_names": { - "type": "array", - "description": "Extra query argument names passed to the user info endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra query argument names passed to the user info endpoint.", + "type": "array" } }, { "userinfo_query_args_values": { - "type": "array", - "description": "Extra query argument values passed to the user info endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra query argument values passed to the user info endpoint.", + "type": "array" } }, { "userinfo_query_args_client": { - "type": "array", - "description": "Extra query arguments passed from the client to the user info endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra query arguments passed from the client to the user info endpoint.", + "type": "array" } }, { "token_exchange_endpoint": { + "required": false, "type": "string", - "description": "The token 
exchange endpoint.", - "required": false + "description": "The token exchange endpoint." } }, { "session_secret": { - "type": "string", + "encrypted": true, + "referenceable": true, "required": false, "description": "The session secret.", - "referenceable": true, - "encrypted": true + "type": "string" } }, { "session_audience": { - "type": "string", + "required": false, "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", - "default": "default", - "required": false + "type": "string", + "default": "default" } }, { "session_cookie_name": { - "type": "string", + "required": false, "description": "The session cookie name.", - "default": "session", - "required": false + "type": "string", + "default": "session" } }, { "session_remember": { - "type": "boolean", + "required": false, "description": "Enables or disables persistent sessions.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "session_remember_cookie_name": { - "type": "string", + "required": false, "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", - "default": "remember", - "required": false + "type": "string", + "default": "remember" } }, { "session_remember_rolling_timeout": { - "type": "number", + "required": false, "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", - "default": 604800, - "required": false + "type": "number", + "default": 604800 } }, { "session_remember_absolute_timeout": { - "type": "number", + "required": false, "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 
0 disables the checks.", - "default": 2592000, - "required": false + "type": "number", + "default": 2592000 } }, { "session_idling_timeout": { - "type": "number", + "required": false, "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", - "default": 900, - "required": false + "type": "number", + "default": 900 } }, { "session_rolling_timeout": { - "type": "number", + "required": false, "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", - "default": 3600, - "required": false + "type": "number", + "default": 3600 } }, { "session_absolute_timeout": { - "type": "number", + "required": false, "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", - "default": 86400, - "required": false + "type": "number", + "default": 86400 } }, { "session_cookie_path": { - "type": "string", - "default": "/", - "required": false, - "description": "The session cookie Path flag.", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "starts_with": "/" + "description": "The session cookie Path flag.", + "required": false, + "type": "string", + "starts_with": "/", + "default": "/" } }, { "session_cookie_domain": { - "type": "string", + "required": false, "description": "The session cookie Domain flag.", - "required": false + "type": "string" } }, { "session_cookie_same_site": { - "type": "string", "default": "Lax", "required": false, "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "type": "string", "one_of": [ "Strict", "Lax", 
@@ -1400,23 +1402,22 @@ }, { "session_cookie_http_only": { - "type": "boolean", + "required": false, "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "session_cookie_secure": { - "type": "boolean", + "required": false, "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "required": false + "type": "boolean" } }, { "session_request_headers": { - "type": "set", - "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "required": false, "elements": { "type": "string", "one_of": [ @@ -1429,13 +1430,13 @@ "absolute-timeout" ] }, - "required": false + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "type": "set" } }, { "session_response_headers": { - "type": "set", - "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -1448,15 +1449,16 @@ "absolute-timeout" ] }, - "required": false + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "type": "set" } }, { "session_storage": { - "type": "string", "default": "cookie", "required": false, "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "type": "string", "one_of": [ "cookie", "memcache", 
@@ -1467,64 +1469,64 @@ }, { "session_store_metadata": { - "type": "boolean", + "required": false, "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "session_enforce_same_subject": { - "type": "boolean", + "required": false, "description": "When set to `true`, audiences are forced to share the same subject.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "session_hash_subject": { - "type": "boolean", + "required": false, "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "session_hash_storage_key": { - "type": "boolean", + "required": false, "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "session_memcached_prefix": { - "type": "string", + "required": false, "description": "The memcached session key prefix.", - "required": false + "type": "string" } }, { "session_memcached_socket": { - "type": "string", + "required": false, "description": "The memcached unix socket path.", - "required": false + "type": "string" } }, { "session_memcached_host": { - "type": "string", + "required": false, "description": "The memcached host.", - "default": "127.0.0.1", - "required": false + "type": "string", + "default": "127.0.0.1" } }, { "session_memcached_port": { - "type": "integer", "default": 11211, "required": false, "description": "The memcached port.", + "type": "integer", "between": [ 0, 65535 
@@ -1533,32 +1535,32 @@ }, { "session_redis_prefix": { - "type": "string", + "required": false, "description": "The Redis session key prefix.", - "required": false + "type": "string" } }, { "session_redis_socket": { - "type": "string", + "required": false, "description": "The Redis unix socket path.", - "required": false + "type": "string" } }, { "session_redis_host": { - "type": "string", + "required": false, "description": "The Redis host.", - "default": "127.0.0.1", - "required": false + "type": "string", + "default": "127.0.0.1" } }, { "session_redis_port": { - "type": "integer", "default": 6379, "required": false, "description": "The Redis port.", + "type": "integer", "between": [ 0, 65535 
@@ -1567,85 +1569,84 @@ }, { "session_redis_username": { - "referenceable": true, + "required": false, "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", - "required": false + "referenceable": true } }, { "session_redis_password": { - "type": "string", + "encrypted": true, + "referenceable": true, "required": false, "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis.", - "referenceable": true, - "encrypted": true + "type": "string" } }, { "session_redis_connect_timeout": { - "type": "integer", + "required": false, "description": "Session redis connection timeout in milliseconds.", - "required": false + "type": "integer" } }, { "session_redis_read_timeout": { - "type": "integer", + "required": false, "description": "Session redis read timeout in milliseconds.", - "required": false + "type": "integer" } }, { "session_redis_send_timeout": { - "type": "integer", + "required": false, "description": "Session redis send timeout in milliseconds.", - "required": false + "type": "integer" } }, { "session_redis_ssl": { - "type": "boolean", + "required": false, "description": "Use SSL/TLS for Redis connection.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "session_redis_ssl_verify": { - "type": "boolean", + "required": false, "description": "Verify identity provider server certificate.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "session_redis_server_name": { - "type": "string", + "required": false, "description": "The SNI used for connecting the Redis server.", - "required": false + "type": "string" } }, { "session_redis_cluster_nodes": { - "type": 
"array", - "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", + "required": false, "elements": { "type": "record", "fields": [ { "ip": { + "required": true, "type": "string", "description": "A string representing a host name, such as example.com.", - "default": "127.0.0.1", - "required": true + "default": "127.0.0.1" } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 @@ -1654,42 +1655,44 @@ } ] }, - "required": false + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", + "type": "array" } }, { "session_redis_cluster_max_redirections": { - "type": "integer", + "required": false, "description": "The Redis cluster maximum redirects.", - "required": false + "type": "integer" } }, { "reverify": { - "type": "boolean", + "required": false, "description": "Specifies whether to always verify tokens stored in the session.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "jwt_session_claim": { - "type": "string", + "required": false, "description": "The claim to match against the JWT session cookie.", - "default": "sid", - "required": false + "type": "string", + "default": "sid" } }, { "jwt_session_cookie": { - "type": "string", + "required": false, "description": "The name of the JWT session cookie.", - "required": false + "type": "string" } }, { "bearer_token_param_type": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -1699,25 +1702,25 @@ "body" ] }, + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", "default": [ "header", "query", "body" - ], - "required": false, - "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`." + ] } }, { "bearer_token_cookie_name": { - "type": "string", + "required": false, "description": "The name of the cookie in which the bearer token is passed.", - "required": false + "type": "string" } }, { "client_credentials_param_type": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ @@ -1726,18 +1729,18 @@ "body" ] }, + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", "default": [ "header", "query", "body" - ], - "required": false, - "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body." + ] } }, { "password_param_type": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -1746,18 +1749,18 @@ "body" ] }, + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "default": [ "header", "query", "body" - ], - "required": false, - "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + ] } }, { "id_token_param_type": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ @@ -1766,25 +1769,25 @@ "body" ] }, + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "default": [ "header", "query", "body" - ], - "required": false, - "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + ] } }, { "id_token_param_name": { - "type": "string", + "required": false, "description": "The name of the parameter used to pass the id token.", - "required": false + "type": "string" } }, { "refresh_token_param_type": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -1793,214 +1796,214 @@ "body" ] }, + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "default": [ "header", "query", "body" - ], - "required": false, - "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + ] } }, { "refresh_token_param_name": { - "type": "string", + "required": false, "description": "The name of the parameter used to pass the refresh token.", - "required": false + "type": "string" } }, { "refresh_tokens": { - "type": "boolean", + "required": false, "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "upstream_headers_claims": { - "type": "array", - "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The upstream header claims. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array" } }, { "upstream_headers_names": { - "type": "array", - "description": "The upstream header names for the claim values.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The upstream header names for the claim values.", + "type": "array" } }, { "upstream_access_token_header": { - "type": "string", + "required": false, "description": "The upstream access token header.", - "default": "authorization:bearer", - "required": false + "type": "string", + "default": "authorization:bearer" } }, { "upstream_access_token_jwk_header": { - "type": "string", + "required": false, "description": "The upstream access token JWK header.", - "required": false + "type": "string" } }, { "upstream_id_token_header": { - "type": "string", + "required": false, "description": "The upstream id token header.", - "required": false + "type": "string" } }, { "upstream_id_token_jwk_header": { - "type": "string", + "required": false, "description": "The upstream id token JWK header.", - "required": false + "type": "string" } }, { "upstream_refresh_token_header": { - "type": "string", + "required": false, "description": "The upstream refresh token header.", - "required": false + "type": "string" } }, { "upstream_user_info_header": { - "type": "string", + "required": false, "description": "The upstream user info header.", - "required": false + "type": "string" } }, { "upstream_user_info_jwt_header": { - "type": "string", + "required": false, "description": "The upstream user info JWT header (in case the user info returns a JWT response).", - "required": false + "type": "string" } }, { "upstream_introspection_header": { - "type": "string", + "required": false, "description": "The upstream introspection header.", - "required": false + "type": "string" } }, { "upstream_introspection_jwt_header": { - "type": "string", + "required": false, 
"description": "The upstream introspection JWT header.", - "required": false + "type": "string" } }, { "upstream_session_id_header": { - "type": "string", + "required": false, "description": "The upstream session id header.", - "required": false + "type": "string" } }, { "downstream_headers_claims": { - "type": "array", - "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array" } }, { "downstream_headers_names": { - "type": "array", - "description": "The downstream header names for the claim values.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The downstream header names for the claim values.", + "type": "array" } }, { "downstream_access_token_header": { - "type": "string", + "required": false, "description": "The downstream access token header.", - "required": false + "type": "string" } }, { "downstream_access_token_jwk_header": { - "type": "string", + "required": false, "description": "The downstream access token JWK header.", - "required": false + "type": "string" } }, { "downstream_id_token_header": { - "type": "string", + "required": false, "description": "The downstream id token header.", - "required": false + "type": "string" } }, { "downstream_id_token_jwk_header": { - "type": "string", + "required": false, "description": "The downstream id token JWK header.", - "required": false + "type": "string" } }, { "downstream_refresh_token_header": { - "type": "string", + "required": false, "description": "The downstream refresh token header.", - "required": false + "type": "string" } }, { "downstream_user_info_header": { - "type": "string", + "required": false, "description": "The downstream user 
info header.", - "required": false + "type": "string" } }, { "downstream_user_info_jwt_header": { - "type": "string", + "required": false, "description": "The downstream user info JWT header (in case the user info returns a JWT response).", - "required": false + "type": "string" } }, { "downstream_introspection_header": { - "type": "string", + "required": false, "description": "The downstream introspection header.", - "required": false + "type": "string" } }, { "downstream_introspection_jwt_header": { - "type": "string", + "required": false, "description": "The downstream introspection JWT header.", - "required": false + "type": "string" } }, { "downstream_session_id_header": { - "type": "string", + "required": false, "description": "The downstream session id header.", - "required": false + "type": "string" } }, { "login_methods": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ @@ -2015,19 +2018,18 @@ "session" ] }, + "description": "Enable login functionality with specified grants.", "default": [ "authorization_code" - ], - "required": false, - "description": "Enable login functionality with specified grants." + ] } }, { "login_action": { - "type": "string", "default": "upstream", "required": false, "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "type": "string", "one_of": [ "upstream", "response", @@ -2038,6 +2040,7 @@ { "login_tokens": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2048,19 +2051,18 @@ "introspection" ] }, + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", "default": [ "id_token" - ], - "required": false, - "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response." + ] } }, { "login_redirect_mode": { - "type": "string", "default": "fragment", "required": false, "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "type": "string", "one_of": [ "query", "fragment" @@ -2069,28 +2071,29 @@ }, { "logout_query_arg": { - "type": "string", + "required": false, "description": "The request query argument that activates the logout.", - "required": false + "type": "string" } }, { "logout_post_arg": { - "type": "string", + "required": false, "description": "The request body argument that activates the logout.", - "required": false + "type": "string" } }, { "logout_uri_suffix": { - "type": "string", + "required": false, "description": "The request URI suffix that activates the logout.", - "required": false + "type": "string" } }, { "logout_methods": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2099,51 +2102,51 @@ "DELETE" ] }, + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", "default": [ "POST", "DELETE" - ], - "required": false, - "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method." + ] } }, { "logout_revoke": { - "type": "boolean", + "required": false, "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "logout_revoke_access_token": { - "type": "boolean", + "required": false, "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "logout_revoke_refresh_token": { - "type": "boolean", + "required": false, "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "consumer_claim": { - "type": "array", - "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array" } }, { "consumer_by": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2152,93 +2155,93 @@ "custom_id" ] }, + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", "default": [ "username", "custom_id" - ], - "required": false, - "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`." + ] } }, { "consumer_optional": { - "type": "boolean", + "required": false, "description": "Do not terminate the request if consumer mapping fails.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "credential_claim": { "type": "array", + "required": false, "elements": { "type": "string" }, + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", "default": [ "sub" - ], - "required": false, - "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload." + ] } }, { "anonymous": { - "type": "string", + "required": false, "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "required": false + "type": "string" } }, { "run_on_preflight": { - "type": "boolean", + "required": false, "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "leeway": { + "required": false, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", "type": "number", - "description": "Allow some leeway (in seconds) on the iat claim and ttl / expiry verification.", - "default": 0, - "required": false + "default": 0 } }, { "verify_parameters": { - "type": "boolean", + "required": false, "description": "Verify plugin configuration against discovery.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "verify_nonce": { - "type": "boolean", + "required": false, "description": "Verify nonce on authorization code flow.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "verify_claims": { - "type": "boolean", + "required": false, "description": "Verify tokens for standard claims.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "verify_signature": { - "type": "boolean", + "required": false, "description": "Verify signature of tokens.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "ignore_signature": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2251,25 +2254,23 @@ "userinfo" ] }, + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", "default": [ - ], - "required": false, - "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication." + ] } }, { "enable_hs_signatures": { - "type": "boolean", + "required": false, "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "disable_session": { - "type": "array", - "description": "Disable issuing the session cookie with the specified grants.", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2284,228 +2285,229 @@ "session" ] }, - "required": false + "description": "Disable issuing the session cookie with the specified grants.", + "type": "array" } }, { "cache_ttl": { - "type": "number", + "required": false, "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", - "default": 3600, - "required": false + "type": "number", + "default": 3600 } }, { "cache_ttl_max": { - "type": "number", + "required": false, "description": "The maximum cache ttl in seconds (enforced).", - "required": false + "type": "number" } }, { "cache_ttl_min": { - "type": "number", + "required": false, "description": "The minimum cache ttl in seconds (enforced).", - "required": false + "type": "number" } }, { "cache_ttl_neg": { - "type": "number", + "required": false, "description": "The negative cache ttl in seconds.", - "required": false + "type": "number" } }, { "cache_ttl_resurrect": { - "type": "number", + "required": false, "description": "The resurrection ttl in seconds.", - "required": false + "type": "number" } }, { "cache_tokens": { - "type": "boolean", + "required": false, "description": "Cache the token endpoint requests.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "cache_tokens_salt": { - "type": "string", - "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "required": false, "auto": true, - "required": false + "type": "string", + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." 
} }, { "cache_introspection": { - "type": "boolean", + "required": false, "description": "Cache the introspection endpoint requests.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "cache_token_exchange": { - "type": "boolean", + "required": false, "description": "Cache the token exchange endpoint requests.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "cache_user_info": { - "type": "boolean", + "required": false, "description": "Cache the user info requests.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "search_user_info": { - "type": "boolean", + "required": false, "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "hide_credentials": { - "type": "boolean", + "required": false, "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "http_version": { + "required": false, "type": "number", "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", - "default": 1.1, - "required": false + "default": 1.1 } }, { "http_proxy": { + "required": false, "type": "string", - "description": "The HTTP proxy.", - "required": false + "description": "The HTTP proxy." 
} }, { "http_proxy_authorization": { - "type": "string", + "required": false, "description": "The HTTP proxy authorization.", - "required": false + "type": "string" } }, { "https_proxy": { + "required": false, "type": "string", - "description": "The HTTPS proxy.", - "required": false + "description": "The HTTPS proxy." } }, { "https_proxy_authorization": { - "type": "string", + "required": false, "description": "The HTTPS proxy authorization.", - "required": false + "type": "string" } }, { "no_proxy": { - "type": "string", + "required": false, "description": "Do not use proxy with these hosts.", - "required": false + "type": "string" } }, { "keepalive": { - "type": "boolean", + "required": false, "description": "Use keepalive with the HTTP client.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "ssl_verify": { + "required": false, + "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", "type": "boolean", - "description": "Verify identity provider server certificate.", - "default": false, - "required": false + "default": false } }, { "timeout": { - "type": "number", + "required": false, "description": "Network IO timeout in milliseconds.", - "default": 10000, - "required": false + "type": "number", + "default": 10000 } }, { "display_errors": { - "type": "boolean", + "required": false, "description": "Display errors on failure responses.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "by_username_ignore_case": { - "type": "boolean", + "required": false, "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "resolve_distributed_claims": { - "type": "boolean", + "required": false, "description": 
"Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "expose_error_code": { - "type": "boolean", "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "type": "boolean", "default": true } }, { "token_cache_key_include_scope": { - "type": "boolean", "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean", "default": false } }, { "introspection_token_param_name": { - "type": "string", + "required": false, "description": "Designate token's parameter name for introspection.", - "default": "token", - "required": false + "type": "string", + "default": "token" } }, { "revocation_token_param_name": { - "type": "string", + "required": false, "description": "Designate token's parameter name for revocation.", - "default": "token", - "required": false + "type": "string", + "default": "token" } }, { "proof_of_possession_mtls": { - "type": "string", "default": "off", "required": false, "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", + "type": "string", "one_of": [ "off", "strict", 
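Review bot: The new `ssl_verify` description explains where the CA comes from when the option is `true`, but the field keeps `"default": false` and the text never says what that means, which appears to be that connections to the identity provider proceed without certificate verification. I would extend the description with a sentence such as `When set to false (the default), the identity provider's certificate is not verified.` so readers of the generated docs see the default posture. The same off-by-default pattern is visible for `verify_ldap_host` in the ldap-auth-advanced and ldap-auth hunks further down, where enabling `ldaps` or `start_tls` would encrypt the connection without authenticating the LDAP server, and those descriptions deserve the same sentence. Since these files look like a regenerated download (most changes are key reordering), the wording probably has to be fixed in the upstream schema rather than here.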
@@ -2515,58 +2517,95 @@ }, { "proof_of_possession_auth_methods_validation": { - "type": "boolean", + "required": false, "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "tls_client_auth_cert_id": { - "type": "string", - "auto": false, + "uuid": true, "required": false, "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", - "uuid": true + "type": "string", + "auto": false } }, { "tls_client_auth_ssl_verify": { - "type": "boolean", + "required": false, "description": "Verify identity provider server certificate during mTLS client authentication.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "mtls_token_endpoint": { + "required": false, "type": "string", - "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", - "required": false + "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." } }, { "mtls_introspection_endpoint": { + "required": false, "type": "string", - "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", - "required": false + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." } }, { "mtls_revocation_endpoint": { + "required": false, "type": "string", - "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", - "required": false + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." + } + }, + { + "proof_of_possession_dpop": { + "default": "off", + "required": false, + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "type": "string", + "one_of": [ + "off", + "strict", + "optional" + ] + } + }, + { + "dpop_use_nonce": { + "required": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", + "type": "boolean", + "default": false + } + }, + { + "dpop_proof_lifetime": { + "required": false, + "type": "number", + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "default": 300 } } - ] + ], + "type": "record", + "description": "openid-connect plugin configuration." } } ] }, - "required": false + "type": "array", + "description": "List of openid_connect strategies." } } + ], + "required": false, + "description": "The map of v2 strategies.", + "default": [ + ] } } @@ -2574,6 +2613,7 @@ "entity_checks": [ ], + "type": "record", "required": true } } 
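Review bot: The added `mtls_revocation_endpoint` description still reads "Alias for the introspection endpoint", which looks copied from `mtls_introspection_endpoint` directly above it; it should begin `Alias for the revocation endpoint to be used for mTLS client authentication.`. In the new `proof_of_possession_dpop` field, "all request are verified despite the presence of the DPoP key claim (cnf.jkt)" leaves strict mode ambiguous. If the intent is that every request must carry a valid proof whether or not the token has the claim, the text should say `all requests are verified regardless of whether the DPoP key claim (cnf.jkt) is present`. Both strings appear to come from the upstream schema, so the correction likely belongs there and not in this downloaded copy.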
diff --git a/schemas/ldap-auth-advanced/3.7.x.json b/schemas/ldap-auth-advanced/3.7.x.json index 990f1461..27b9b0cc 100644 --- a/schemas/ldap-auth-advanced/3.7.x.json +++ b/schemas/ldap-auth-advanced/3.7.x.json @@ -2,7 +2,7 @@ "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -14,6 +14,7 @@ "wss" ] }, + "type": "set", "default": [ "grpc", "grpcs", 
@@ -21,123 +22,121 @@ "https", "ws", "wss" - ], - "required": true + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "ldap_host": { - "type": "string", + "required": true, "description": "Host on which the LDAP server is running.", - "required": true + "type": "string" } }, { "ldap_password": { - "referenceable": true, + "type": "string", "encrypted": true, - "description": "The password to the LDAP server.", - "type": "string" + "referenceable": true, + "description": "The password to the LDAP server." } }, { "ldap_port": { - "type": "number", "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", + "type": "number", "default": 389 } }, { "bind_dn": { + "type": "string", "referenceable": true, - "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", - "type": "string" + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated." } }, { "ldaps": { - "type": "boolean", + "required": true, "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. 
If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", - "default": false, - "required": true + "type": "boolean", + "default": false } }, { "start_tls": { - "type": "boolean", + "required": true, "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", - "default": false, - "required": true + "type": "boolean", + "default": false } }, { "verify_ldap_host": { - "type": "boolean", + "required": true, "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", - "default": false, - "required": true + "type": "boolean", + "default": false } }, { "base_dn": { - "type": "string", + "required": true, "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", - "required": true + "type": "string" } }, { "attribute": { - "type": "string", + "required": true, "description": "Attribute to be used to search the user; e.g., \"cn\".", - "required": true + "type": "string" } }, { "cache_ttl": { - "type": "number", + "required": true, "description": "Cache expiry time in seconds.", - "default": 60, - "required": true + "type": "number", + "default": 60 } }, { "hide_credentials": { - "type": "boolean", "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. 
It will be removed by Kong before proxying the request.", + "type": "boolean", "default": false } }, { "timeout": { - "type": "number", "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number", "default": 10000 } }, { "keepalive": { - "type": "number", "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number", "default": 60000 } }, @@ -145,28 +144,29 @@ "anonymous": { "type": "string", "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "default": "", - "len_min": 0 + "len_min": 0, + "default": "" } }, { "header_type": { - "type": "string", "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", + "type": "string", "default": "ldap" } }, { "consumer_optional": { - "type": "boolean", + "required": false, "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "consumer_by": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -174,12 +174,11 @@ "custom_id" ] }, + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", "default": [ "username", "custom_id" - ], - "required": false, - "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both." + ] } }, { @@ -196,30 +195,31 @@ }, { "group_member_attribute": { - "type": "string", "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive.", + "type": "string", "default": "memberOf" } }, { "log_search_results": { - "type": "boolean", + "required": false, "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "groups_required": { - "type": "array", - "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", + "type": "array" } } ], + "type": "record", "required": true } } 
diff --git a/schemas/ldap-auth/3.7.x.json b/schemas/ldap-auth/3.7.x.json index 05d6c307..7ed76d47 100644 --- a/schemas/ldap-auth/3.7.x.json +++ b/schemas/ldap-auth/3.7.x.json @@ -2,15 +2,15 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "protocols": { - "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -22,6 +22,7 @@ "wss" ] }, + "type": "set", "default": [ "grpc", "grpcs", @@ -29,35 +30,33 @@ "https", "ws", "wss" - ], - "required": true + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "ldap_host": { - "type": "string", + "required": true, "description": "A string representing a host name, such as example.com.", - "required": true + "type": "string" } }, { "ldap_port": { - "type": "integer", "default": 389, "required": true, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 
@@ -66,56 +65,56 @@ }, { "ldaps": { + "required": true, "type": "boolean", "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", - "default": false, - "required": true + "default": false } }, { "start_tls": { + "required": true, "type": "boolean", "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", - "default": false, - "required": true + "default": false } }, { "verify_ldap_host": { + "required": true, "type": "boolean", "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", - "default": false, - "required": true + "default": false } }, { "base_dn": { + "required": true, "type": "string", - "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", - "required": true + "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com" } }, { "attribute": { + "required": true, "type": "string", - "description": "Attribute to be used to search the user; e.g. cn", - "required": true + "description": "Attribute to be used to search the user; e.g. cn" } }, { "cache_ttl": { + "required": true, "type": "number", "description": "Cache expiry time in seconds.", - "default": 60, - "required": true + "default": 60 } }, { "hide_credentials": { + "required": true, "type": "boolean", "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", - "default": false, - "required": true + "default": false } }, { 
@@ -149,18 +148,19 @@ "entity_checks": [ { "conditional": { - "then_match": { - "eq": false - }, + "if_field": "ldaps", "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", "if_match": { "eq": true }, - "if_field": "ldaps", - "then_field": "start_tls" + "then_field": "start_tls", + "then_match": { + "eq": false + } } } ], + "type": "record", "required": true } } diff --git a/schemas/loggly/3.7.x.json b/schemas/loggly/3.7.x.json index 05ce4992..7f635842 100644 --- a/schemas/loggly/3.7.x.json +++ b/schemas/loggly/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -19,27 +20,25 @@ "wss" ] }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "host": { @@ -50,9 +49,9 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "default": 514, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 @@ -61,18 +60,18 @@ }, { "key": { - "referenceable": true, + "required": true, "encrypted": true, - "type": "string", - "required": true + "referenceable": true, + "type": "string" } }, { "tags": { - "type": "set", "elements": { "type": "string" }, + "type": "set", "default": [ "kong" ] @@ -80,8 +79,8 @@ }, { "log_level": { - "type": "string", "default": "info", + "type": "string", "one_of": [ "debug", "info", 
@@ -96,8 +95,8 @@ }, { "successful_severity": { - "type": "string", "default": "info", + "type": "string", "one_of": [ "debug", "info", @@ -112,8 +111,8 @@ }, { "client_errors_severity": { - "type": "string", "default": "info", + "type": "string", "one_of": [ "debug", "info", @@ -128,8 +127,8 @@ }, { "server_errors_severity": { - "type": "string", "default": "info", + "type": "string", "one_of": [ "debug", "info", @@ -144,17 +143,17 @@ }, { "timeout": { - "default": 10000, - "type": "number" + "type": "number", + "default": 10000 } }, { "custom_fields_by_lua": { - "type": "map", "keys": { "type": "string", "len_min": 1 }, + "type": "map", "description": "Lua code as a key-value map", "values": { "type": "string", @@ -163,6 +162,7 @@ } } ], + "type": "record", "required": true } } diff --git a/schemas/mocking/3.7.x.json b/schemas/mocking/3.7.x.json index 9cb0314f..20ed3e0d 100644 --- a/schemas/mocking/3.7.x.json +++ b/schemas/mocking/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -12,96 +13,109 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "api_specification_filename": { - "type": "string", + "required": false, "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", - "required": false + "type": "string" } }, { "api_specification": { - "type": "string", + "required": false, "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", - "required": false + "type": "string" } }, { "random_delay": { - "type": "boolean", "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs.", + "type": "boolean", "default": false } }, { "max_delay_time": { - "type": "number", "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", + "type": "number", "default": 1 } }, { "min_delay_time": { - "type": "number", "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. 
The value must be less than the `max_delay_time`.", + "type": "number", "default": 0.001 } }, { "random_examples": { - "type": "boolean", "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", + "type": "boolean", "default": false } }, { "included_status_codes": { - "type": "array", - "description": "A global list of the HTTP status codes that can only be selected and returned.", "elements": { "type": "integer" - } + }, + "description": "A global list of the HTTP status codes that can only be selected and returned.", + "type": "array" } }, { "random_status_code": { - "type": "boolean", + "required": true, "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", - "default": false, - "required": true + "type": "boolean", + "default": false } }, { "include_base_path": { - "type": "boolean", + "required": true, "description": "Indicates whether to include the base path when performing path match evaluation.", - "default": false, - "required": true + "type": "boolean", + "default": false + } + }, + { + "custom_base_path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "required": false, + "type": "string", + "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", + "starts_with": "/" } } ], + "type": "record", "required": true } } diff --git a/schemas/mtls-auth/3.7.x.json b/schemas/mtls-auth/3.7.x.json index facc5bc4..d5b8d80d 100644 --- a/schemas/mtls-auth/3.7.x.json +++ b/schemas/mtls-auth/3.7.x.json 
@@ -2,8 +2,8 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } @@ -11,6 +11,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -20,27 +21,25 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "anonymous": { @@ -51,6 +50,7 @@ { "consumer_by": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -58,54 +58,53 @@ "custom_id" ] }, + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", "default": [ "username", "custom_id" - ], - "required": false, - "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled." + ] } }, { "ca_certificates": { - "type": "array", - "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", + "required": true, "elements": { - "type": "string", - "uuid": true + "uuid": true, + "type": "string" }, - "required": true + "type": "array", + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`)." } }, { "cache_ttl": { + "required": true, "type": "number", "description": "Cache expiry time in seconds.", - "default": 60, - "required": true + "default": 60 } }, { "skip_consumer_lookup": { + "required": true, "type": "boolean", "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", - "default": false, - "required": true + "default": false } }, { "allow_partial_chain": { + "required": true, "type": "boolean", "description": "Allow certificate verification with only an intermediate certificate. 
When this is enabled, you don't need to upload the full chain to Kong Certificates.", - "default": false, - "required": true + "default": false } }, { "authenticated_group_by": { - "type": "string", "default": "CN", "required": false, + "type": "string", "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "one_of": [ "CN", @@ -115,9 +114,9 @@ }, { "revocation_check_mode": { - "type": "string", "default": "IGNORE_CA_ERROR", "required": false, + "type": "string", "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "one_of": [ "SKIP", @@ -147,6 +146,12 @@ "default": false } }, + { + "default_consumer": { + "type": "string", + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, { "http_proxy_host": { "type": "string", @@ -194,6 +199,7 @@ ] } ], + "type": "record", "required": true } } diff --git a/schemas/oas-validation/3.7.x.json b/schemas/oas-validation/3.7.x.json index 68e07344..6eaf71b8 100644 --- a/schemas/oas-validation/3.7.x.json +++ b/schemas/oas-validation/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
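Review bot: The description of the new `default_consumer` field (hunk `@@ -147,6 +146,12 @@` of schemas/mtls-auth/3.7.x.json) does not spell out what the fallback means for access control. As worded, once it is set, a client whose certificate is trusted against `ca_certificates` is served under that consumer even though no consumer matched. The `authenticated_group_by` description in the same file already gives this kind of guidance for `skip_consumer_lookup`, and a matching sentence would fit here, for example `Grant this consumer only the access that any holder of a trusted certificate should have, for instance by restricting it with the ACL plugin.` The text also leaves open what happens when the value names no existing consumer. Since the file is downloaded from the API, the wording presumably has to change in the upstream schema.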
@@ -12,132 +13,153 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "api_spec": { + "required": true, "type": "string", - "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URL encoded to preserve the YAML format.", - "required": true + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format." } }, { "verbose_response": { + "required": false, "type": "boolean", "description": "If set to true, returns a detailed error message for invalid requests & responses. 
This is useful while testing.", - "default": false, - "required": false + "default": false } }, { "validate_request_body": { + "required": false, "type": "boolean", "description": "If set to true, validates the request body content against the API specification.", - "default": true, - "required": false + "default": true } }, { "notify_only_request_validation_failure": { + "required": false, "type": "boolean", "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", - "default": false, - "required": false + "default": false } }, { "validate_request_header_params": { + "required": false, "type": "boolean", "description": "If set to true, validates HTTP header parameters against the API specification.", - "default": true, - "required": false + "default": true } }, { "validate_request_query_params": { + "required": false, "type": "boolean", "description": "If set to true, validates query parameters against the API specification.", - "default": true, - "required": false + "default": true } }, { "validate_request_uri_params": { + "required": false, "type": "boolean", "description": "If set to true, validates URI parameters in the request against the API specification.", - "default": true, - "required": false + "default": true } }, { "validate_response_body": { + "required": false, "type": "boolean", "description": "If set to true, validates the response from the upstream services against the API specification. 
If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", - "default": false, - "required": false + "default": false } }, { "notify_only_response_body_validation_failure": { + "required": false, "type": "boolean", "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", - "default": false, - "required": false + "default": false } }, { "query_parameter_check": { + "required": true, "type": "boolean", "description": "If set to true, checks if query parameters in the request exist in the API specification.", - "default": false, - "required": true + "default": false } }, { "header_parameter_check": { + "required": true, "type": "boolean", "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", - "default": false, - "required": true + "default": false } }, { "allowed_header_parameters": { + "required": false, "type": "string", "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. 
For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", - "default": "Host,Content-Type,User-Agent,Accept,Content-Length", - "required": false + "default": "Host,Content-Type,User-Agent,Accept,Content-Length" } }, { "include_base_path": { + "required": true, "type": "boolean", "description": "Indicates whether to include the base path when performing path match evaluation.", - "default": false, - "required": true + "default": false + } + }, + { + "api_spec_encoded": { + "required": true, + "type": "boolean", + "description": "Indicates whether the api_spec is URI-Encoded.", + "default": true + } + }, + { + "custom_base_path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "required": false, + "type": "string", + "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", + "starts_with": "/" } } ], + "type": "record", "required": true } } diff --git a/schemas/oauth2-introspection/3.7.x.json b/schemas/oauth2-introspection/3.7.x.json index f9803ef7..8cca5e87 100644 --- a/schemas/oauth2-introspection/3.7.x.json +++ b/schemas/oauth2-introspection/3.7.x.json @@ -2,8 +2,8 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } @@ -11,6 +11,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -20,33 +21,31 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "introspection_url": { - "type": "string", + "required": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": true + "type": "string" } }, { @@ -64,11 +63,11 @@ }, { "authorization_value": { - "type": "string", - "required": true, - "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", + "encrypted": true, "referenceable": true, - "encrypted": true + "required": true, + "type": "string", + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`)." } }, { @@ -87,10 +86,10 @@ }, { "introspect_request": { + "required": true, "type": "boolean", "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", - "default": false, - "required": true + "default": false } }, { 
@@ -109,17 +108,17 @@ }, { "anonymous": { + "len_min": 0, "type": "string", "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "default": "", - "len_min": 0 + "default": "" } }, { "consumer_by": { - "type": "string", "default": "username", "required": true, + "type": "string", "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", "one_of": [ "username", @@ -129,34 +128,35 @@ }, { "custom_introspection_headers": { - "type": "map", "keys": { "type": "string" }, - "default": [ - - ], - "required": true, "description": "A list of custom headers to be added in the introspection request.", + "required": true, "values": { "type": "string" - } + }, + "type": "map", + "default": [ + + ] } }, { "custom_claims_forward": { "type": "set", + "required": true, "elements": { "type": "string" }, + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", "default": [ - ], - "required": true, - "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`." + ] } } ], + "type": "record", "required": true } } diff --git a/schemas/oauth2/3.7.x.json b/schemas/oauth2/3.7.x.json index 5e5ebc09..5e18a9f5 100644 --- a/schemas/oauth2/3.7.x.json +++ b/schemas/oauth2/3.7.x.json 
@@ -2,15 +2,15 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "protocols": { - "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -22,6 +22,7 @@ "wss" ] }, + "type": "set", "default": [ "grpc", "grpcs", 
@@ -29,117 +30,101 @@ "https", "ws", "wss" - ], - "required": true + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", - "entity_checks": [ - { - "conditional": { - "then_field": "scopes", - "if_field": "mandatory_scope", - "then_match": { - "required": true - }, - "if_match": { - "eq": true - } - } - } - ], "fields": [ { "scopes": { - "type": "array", - "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", "elements": { "type": "string" - } + }, + "type": "array", + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required." } }, { "mandatory_scope": { + "required": true, "type": "boolean", "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", - "default": false, - "required": true + "default": false } }, { "provision_key": { - "type": "string", - "auto": true, - "required": true, + "encrypted": true, "unique": true, + "required": true, + "auto": true, "description": "The unique key the plugin has generated when it has been added to the Service.", - "encrypted": true + "type": "string" } }, { "token_expiration": { + "required": true, "type": "number", "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. 
Set to `0` to disable the expiration.", - "default": 7200, - "required": true + "default": 7200 } }, { "enable_authorization_code": { + "required": true, "type": "boolean", "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", - "default": false, - "required": true + "default": false } }, { "enable_implicit_grant": { + "required": true, "type": "boolean", "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", - "default": false, - "required": true + "default": false } }, { "enable_client_credentials": { + "required": true, "type": "boolean", "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", - "default": false, - "required": true + "default": false } }, { "enable_password_grant": { + "required": true, "type": "boolean", "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", - "default": false, - "required": true + "default": false } }, { "hide_credentials": { + "required": true, "type": "boolean", "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", - "default": false, - "required": true + "default": false } }, { "accept_http_if_already_terminated": { + "required": true, "type": "boolean", "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", - "default": false, - "required": true + "default": false } }, { 
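Review bot: The descriptions of `enable_authorization_code`, `enable_implicit_grant`, `enable_client_credentials` and `enable_password_grant` in this hunk (`@@ -29,117 +30,101 @@` of schemas/oauth2/3.7.x.json) cite "RFC 6742". The OAuth 2.0 Authorization Framework, whose Sections 4.1 to 4.4 define these four grants, is RFC 6749, so each reference should read like `(RFC 6749 Section 4.1)`. These are unchanged context lines, so the text presumably comes from the upstream schema and needs correcting there rather than in this downloaded copy. A reader following the citation to check which grant flows are safe to enable currently lands on an unrelated document.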
@@ -150,10 +135,10 @@ }, { "global_credentials": { + "required": true, "type": "boolean", "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", - "default": false, - "required": true + "default": false } }, { @@ -165,10 +150,10 @@ }, { "refresh_token_ttl": { - "type": "number", "default": 1209600, "required": true, "description": "Time-to-live value for data", + "type": "number", "between": [ 0, 100000000 @@ -177,24 +162,24 @@ }, { "reuse_refresh_token": { + "required": true, "type": "boolean", "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", - "default": false, - "required": true + "default": false } }, { "persistent_refresh_token": { + "required": true, "type": "boolean", - "default": false, - "required": true + "default": false } }, { "pkce": { - "type": "string", "default": "lax", "required": false, + "type": "string", "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", "one_of": [ "none", @@ -204,6 +189,21 @@ } } ], + "entity_checks": [ + { + "conditional": { + "if_field": "mandatory_scope", + "if_match": { + "eq": true + }, + "then_field": "scopes", + "then_match": { + "required": true + } + } + } + ], + "type": "record", "required": true } } diff --git a/schemas/opa/3.7.x.json b/schemas/opa/3.7.x.json index 3fee8653..cd3a0fb8 100644 --- a/schemas/opa/3.7.x.json +++ b/schemas/opa/3.7.x.json @@ -2,8 +2,8 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } @@ -11,6 +11,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -20,33 +21,31 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "opa_protocol": { - "type": "string", - "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", "default": "http", + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", + "type": "string", "one_of": [ "http", "https" @@ -55,18 +54,18 @@ }, { "opa_host": { + "required": true, "type": "string", "description": "A string representing a host name, such as example.com.", - "default": "localhost", - "required": true + "default": "localhost" } }, { "opa_port": { - "type": "integer", "default": 8181, "required": true, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 
@@ -75,68 +74,69 @@ }, { "opa_path": { - "type": "string", - "required": true, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], + "required": true, + "type": "string", "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "starts_with": "/" } }, { "include_service_in_opa_input": { - "type": "boolean", "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", + "type": "boolean", "default": false } }, { "include_route_in_opa_input": { - "type": "boolean", "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", + "type": "boolean", "default": false } }, { "include_consumer_in_opa_input": { - "type": "boolean", "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", + "type": "boolean", "default": false } }, { "include_body_in_opa_input": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "include_parsed_json_body_in_opa_input": { - "type": "boolean", "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", + "type": "boolean", "default": false } }, { "include_uri_captures_in_opa_input": { - "type": "boolean", "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", + "type": "boolean", "default": false } }, { "ssl_verify": { - "type": "boolean", + "required": true, "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in 
lua_ssl_trusted_certificate.", - "default": true, - "required": true + "type": "boolean", + "default": true } } ], + "type": "record", "required": true } } diff --git a/schemas/openid-connect/3.7.x.json b/schemas/openid-connect/3.7.x.json index ffbfcea7..d9870d72 100644 --- a/schemas/openid-connect/3.7.x.json +++ b/schemas/openid-connect/3.7.x.json @@ -2,8 +2,8 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } @@ -11,6 +11,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -20,85 +21,84 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "issuer": { + "required": true, "type": "string", - "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", - "required": true + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`." } }, { "using_pseudo_issuer": { - "type": "boolean", + "required": false, "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "discovery_headers_names": { - "type": "array", - "description": "Extra header names passed to the discovery endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra header names passed to the discovery endpoint.", + "type": "array" } }, { "discovery_headers_values": { - "type": "array", - "description": "Extra header values passed to the discovery endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra header values passed to the discovery endpoint.", + "type": "array" } }, { "extra_jwks_uris": { - "type": "set", - "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "required": false, "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "required": false + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "type": "set" } }, { "rediscovery_lifetime": { - "type": "number", + "required": false, "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", - "default": 30, - "required": false + "type": "number", + "default": 30 } }, { "auth_methods": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ @@ -113,6 +113,7 @@ "session" ] }, + "description": "Types of credentials/grants to enable.", "default": [ "password", "client_credentials", 
@@ -123,39 +124,36 @@ "kong_oauth2", "refresh_token", "session" - ], - "required": false, - "description": "Types of credentials/grants to enable." + ] } }, { "client_id": { - "type": "array", + "encrypted": true, + "required": false, "elements": { "referenceable": true, "type": "string" }, - "required": false, "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", - "encrypted": true + "type": "array" } }, { "client_secret": { - "type": "array", + "encrypted": true, + "required": false, "elements": { "referenceable": true, "type": "string" }, - "required": false, "description": "The client secret.", - "encrypted": true + "type": "array" } }, { "client_auth": { - "type": "array", - "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "required": false, "elements": { "type": "string", "one_of": [ @@ -168,14 +166,15 @@ "none" ] }, - "required": false + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "type": "array" } }, { "client_jwk": { - "type": "array", - "description": "The JWK used for the private_key_jwt authentication.", + "required": false, "elements": { + "required": false, "type": "record", "fields": [ { 
@@ -198,12 +197,12 @@ }, { "key_ops": { - "type": "array", + "required": false, "elements": { "type": "string", "required": false }, - "required": false + "type": "array" } }, { @@ -226,12 +225,12 @@ }, { "x5c": { - "type": "array", + "required": false, "elements": { "type": "string", "required": false }, - "required": false + "type": "array" } }, { @@ -248,10 +247,10 @@ }, { "k": { - "type": "string", + "required": false, "encrypted": true, - "referenceable": true, - "required": false + "type": "string", + "referenceable": true } }, { 
@@ -286,86 +285,85 @@ }, { "d": { - "type": "string", + "required": false, "encrypted": true, - "referenceable": true, - "required": false + "type": "string", + "referenceable": true } }, { "p": { - "type": "string", + "required": false, "encrypted": true, - "referenceable": true, - "required": false + "type": "string", + "referenceable": true } }, { "q": { - "type": "string", + "required": false, "encrypted": true, - "referenceable": true, - "required": false + "type": "string", + "referenceable": true } }, { "dp": { - "type": "string", + "required": false, "encrypted": true, - "referenceable": true, - "required": false + "type": "string", + "referenceable": true } }, { "dq": { - "type": "string", + "required": false, "encrypted": true, - "referenceable": true, - "required": false + "type": "string", + "referenceable": true } }, { "qi": { - "type": "string", + "required": false, "encrypted": true, - "referenceable": true, - "required": false + "type": "string", + "referenceable": true } }, { "oth": { - "type": "string", + "required": false, "encrypted": true, - "referenceable": true, - "required": false + "type": "string", + "referenceable": true } }, { "r": { - "type": "string", + "required": false, "encrypted": true, - "referenceable": true, - "required": false + "type": "string", + "referenceable": true } }, { "t": { - "type": "string", + "required": false, "encrypted": true, - "referenceable": true, - "required": false + "type": "string", + "referenceable": true } } - ], - "required": false + ] }, - "required": false + "description": "The JWK used for the private_key_jwt authentication.", + "type": "array" } }, { "client_alg": { - "type": "array", - "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -384,307 +382,313 @@ "EdDSA" ] }, - "required": false + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "type": "array" } }, { "client_arg": { - "type": "string", + "required": false, "description": "The client to use for this request (the selection is made with a request parameter with the same name).", - "default": "client_id", - "required": false + "type": "string", + "default": "client_id" } }, { "redirect_uri": { - "type": "array", - "description": "The redirect URI passed to the authorization and token endpoints.", + "required": false, "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "required": false + "description": "The redirect URI passed to the authorization and token endpoints.", + "type": "array" } }, { "login_redirect_uri": { - "type": "array", - "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "required": false, "elements": { - "referenceable": true, + "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "referenceable": true }, - "required": false + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "type": "array" } }, { "logout_redirect_uri": { - "type": "array", - "description": "Where to redirect the client after the logout.", + "required": false, "elements": { - "referenceable": true, + "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "referenceable": true }, - "required": false + "description": "Where to redirect the client after the logout.", + "type": "array" } }, { "forbidden_redirect_uri": { - "type": "array", - "description": "Where to redirect the client on forbidden requests.", + "required": false, "elements": { "type": 
"string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "required": false + "description": "Where to redirect the client on forbidden requests.", + "type": "array" } }, { "forbidden_error_message": { - "type": "string", + "required": false, "description": "The error message for the forbidden requests (when not using the redirection).", - "default": "Forbidden", - "required": false + "type": "string", + "default": "Forbidden" } }, { "forbidden_destroy_session": { - "type": "boolean", + "required": false, "description": "Destroy any active session for the forbidden requests.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "unauthorized_destroy_session": { - "type": "boolean", + "required": false, "description": "Destroy any active session for the unauthorized requests.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "unauthorized_redirect_uri": { - "type": "array", - "description": "Where to redirect the client on unauthorized requests.", + "required": false, "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "required": false + "description": "Where to redirect the client on unauthorized requests.", + "type": "array" } }, { "unauthorized_error_message": { - "type": "string", + "required": false, "description": "The error message for the unauthorized requests (when not using the redirection).", - "default": "Unauthorized", - "required": false + "type": "string", + "default": "Unauthorized" } }, { "unexpected_redirect_uri": { - "type": "array", - "description": "Where to redirect the client when unexpected errors happen with the requests.", + "required": false, "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
}, - "required": false + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "type": "array" } }, { "response_mode": { - "type": "string", "default": "query", "required": false, - "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it).", + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "type": "string", "one_of": [ "query", "form_post", - "fragment" + "fragment", + "query.jwt", + "form_post.jwt", + "fragment.jwt", + "jwt" ] } }, { "response_type": { "type": "array", + "required": false, "elements": { "type": "string" }, + "description": "The response type passed to the authorization endpoint.", "default": [ "code" - ], - "required": false, - "description": "The response type passed to the authorization endpoint." + ] } }, { "scopes": { "type": "array", + "required": false, "elements": { "referenceable": true, "type": "string" }, + "description": "The scopes passed to the authorization and token endpoints.", "default": [ "openid" - ], - "required": false, - "description": "The scopes passed to the authorization and token endpoints." 
+ ] } }, { "audience": { - "type": "array", - "description": "The audience passed to the authorization endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The audience passed to the authorization endpoint.", + "type": "array" } }, { "issuers_allowed": { - "type": "array", - "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "type": "array" } }, { "scopes_required": { - "type": "array", - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array" } }, { "scopes_claim": { "type": "array", + "required": false, "elements": { "type": "string" }, + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", "default": [ "scope" - ], - "required": false, - "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload." + ] } }, { "audience_required": { - "type": "array", - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array" } }, { "audience_claim": { "type": "array", + "required": false, "elements": { "type": "string" }, + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", "default": [ "aud" - ], - "required": false, - "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload." + ] } }, { "groups_required": { - "type": "array", - "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array" } }, { "groups_claim": { "type": "array", + "required": false, "elements": { "type": "string" }, + "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", "default": [ "groups" - ], - "required": false, - "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload." 
+ ] } }, { "roles_required": { - "type": "array", - "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array" } }, { "roles_claim": { "type": "array", + "required": false, "elements": { "type": "string" }, + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", "default": [ "roles" - ], - "required": false, - "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload." + ] } }, { "domains": { - "type": "array", - "description": "The allowed values for the `hd` claim.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The allowed values for the `hd` claim.", + "type": "array" } }, { "max_age": { - "type": "number", + "required": false, "description": "The maximum age (in seconds) compared to the `auth_time` claim.", - "required": false + "type": "number" } }, { "authenticated_groups_claim": { - "type": "array", - "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The claim that contains authenticated groups. 
This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array" } }, { "pushed_authorization_request_endpoint": { + "required": false, "type": "string", - "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", - "required": false + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint." } }, { "pushed_authorization_request_endpoint_auth_method": { - "type": "string", + "required": false, "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -693,105 +697,111 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ], - "required": false + ] } }, { "require_pushed_authorization_requests": { - "type": "boolean", + "required": false, "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", - "required": false + "type": "boolean" } }, { "require_proof_key_for_code_exchange": { - "type": "boolean", + "required": false, "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", - "required": false + "type": "boolean" + } + }, + { + "require_signed_request_object": { + "required": false, + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "type": "boolean" } }, { "authorization_endpoint": { + "required": false, "type": "string", - "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", - "required": false + "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint." 
} }, { "authorization_query_args_names": { - "type": "array", - "description": "Extra query argument names passed to the authorization endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra query argument names passed to the authorization endpoint.", + "type": "array" } }, { "authorization_query_args_values": { - "type": "array", - "description": "Extra query argument values passed to the authorization endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra query argument values passed to the authorization endpoint.", + "type": "array" } }, { "authorization_query_args_client": { - "type": "array", - "description": "Extra query arguments passed from the client to the authorization endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "type": "array" } }, { "authorization_rolling_timeout": { - "type": "number", + "required": false, "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling.", - "default": 600, - "required": false + "type": "number", + "default": 600 } }, { "authorization_cookie_name": { - "type": "string", + "required": false, "description": "The authorization cookie name.", - "default": "authorization", - "required": false + "type": "string", + "default": "authorization" } }, { "authorization_cookie_path": { - "type": "string", - "default": "/", - "required": false, - "description": "The authorization cookie Path flag.", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "starts_with": "/" + "description": "The authorization cookie Path flag.", + "required": false, + "type": "string", + "starts_with": "/", + "default": "/" } }, { "authorization_cookie_domain": { - "type": "string", + "required": false, "description": "The authorization cookie Domain flag.", - "required": false + "type": "string" } }, { "authorization_cookie_same_site": { - "type": "string", "default": "Default", "required": false, "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "type": "string", "one_of": [ "Strict", "Lax", 
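Review bot: The description of the new `require_signed_request_object` field contradicts itself: it says the feature is "enabled automatically" and, in the same parenthesis, that it is not enabled when discovery omits the value. Because this is a security control, an operator should be able to read the unset behaviour unambiguously, for example `"When not set, the value of require_signed_request_object from the discovery document is used; if discovery does not provide it, signed request objects are not used."`. The description also does not say which key and algorithm sign the request object (presumably `client_jwk` / `client_alg`, but nothing in this hunk confirms that). `require_proof_key_for_code_exchange`, just above it, uses the same "enabled automatically (… will not be enabled)" wording and would benefit from the same rewrite.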
@@ -802,38 +812,39 @@ }, { "authorization_cookie_http_only": { - "type": "boolean", + "required": false, "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "authorization_cookie_secure": { - "type": "boolean", + "required": false, "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "required": false + "type": "boolean" } }, { "preserve_query_args": { - "type": "boolean", + "required": false, "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "token_endpoint": { + "required": false, "type": "string", - "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", - "required": false + "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint." } }, { "token_endpoint_auth_method": { - "type": "string", + "required": false, "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
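Review bot: `authorization_cookie_secure` has no `default` and its description does not say what happens when the field is unset, whereas `authorization_cookie_http_only` next to it declares `"default": true`. Someone hardening the authorization-code flow cannot tell from the schema whether the Secure flag is on, off, or derived from the request scheme unless they set it explicitly. I would extend the description with one sentence stating the effective behaviour, for example `"When not set, <effective behaviour — confirm against the plugin>."`. These schema files are pulled from the API according to the commit message, so the wording has to be fixed in the plugin schema upstream.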
@@ -842,61 +853,59 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ], - "required": false + ] } }, { "token_headers_names": { - "type": "array", - "description": "Extra header names passed to the token endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra header names passed to the token endpoint.", + "type": "array" } }, { "token_headers_values": { - "type": "array", - "description": "Extra header values passed to the token endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra header values passed to the token endpoint.", + "type": "array" } }, { "token_headers_client": { - "type": "array", - "description": "Extra headers passed from the client to the token endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra headers passed from the client to the token endpoint.", + "type": "array" } }, { "token_headers_replay": { - "type": "array", - "description": "The names of token endpoint response headers to forward to the downstream client.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The names of token endpoint response headers to forward to the downstream client.", + "type": "array" } }, { "token_headers_prefix": { - "type": "string", + "required": false, "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", - "required": false + "type": "string" } }, { "token_headers_grants": { - "type": "array", - "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -906,50 +915,52 @@ "refresh_token" ] }, - "required": false + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "type": "array" } }, { "token_post_args_names": { - "type": "array", - "description": "Extra post argument names passed to the token endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra post argument names passed to the token endpoint.", + "type": "array" } }, { "token_post_args_values": { - "type": "array", - "description": "Extra post argument values passed to the token endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra post argument values passed to the token endpoint.", + "type": "array" } }, { "token_post_args_client": { - "type": "array", - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Reqest Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. 
If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "type": "array" } }, { "introspection_endpoint": { + "required": false, "type": "string", - "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", - "required": false + "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint." } }, { "introspection_endpoint_auth_method": { - "type": "string", + "required": false, "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -958,32 +969,31 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ], - "required": false + ] } }, { "introspection_hint": { - "type": "string", + "required": false, "description": "Introspection hint parameter value passed to the introspection endpoint.", - "default": "access_token", - "required": false + "type": "string", + "default": "access_token" } }, { "introspection_check_active": { - "type": "boolean", + "required": false, "description": "Check that the introspection response has an `active` claim with a value of `true`.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "introspection_accept": { - "type": "string", "default": "application/json", "required": false, "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "type": "string", "one_of": [ "application/json", "application/token-introspection+jwt", 
@@ -993,85 +1003,86 @@ }, { "introspection_headers_names": { - "type": "array", - "description": "Extra header names passed to the introspection endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra header names passed to the introspection endpoint.", + "type": "array" } }, { "introspection_headers_values": { - "type": "array", + "encrypted": true, + "required": false, "elements": { "referenceable": true, "type": "string" }, - "required": false, "description": "Extra header values passed to the introspection endpoint.", - "encrypted": true + "type": "array" } }, { "introspection_headers_client": { - "type": "array", - "description": "Extra headers passed from the client to the introspection endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra headers passed from the client to the introspection endpoint.", + "type": "array" } }, { "introspection_post_args_names": { - "type": "array", - "description": "Extra post argument names passed to the introspection endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra post argument names passed to the introspection endpoint.", + "type": "array" } }, { "introspection_post_args_values": { - "type": "array", - "description": "Extra post argument values passed to the introspection endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra post argument values passed to the introspection endpoint.", + "type": "array" } }, { "introspection_post_args_client": { - "type": "array", - "description": "Extra post arguments passed from the client to the introspection endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "type": "array" } }, { "introspect_jwt_tokens": { - "type": "boolean", + 
"required": false, "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "revocation_endpoint": { + "required": false, "type": "string", - "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", - "required": false + "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint." } }, { "revocation_endpoint_auth_method": { - "type": "string", + "required": false, "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
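Review bot: `introspection_headers_values` is the only extra-value field here marked `"encrypted": true` with `"referenceable": true` elements. `introspection_post_args_values`, later in this hunk, has neither marker, and the same is true of `token_headers_values` and `token_post_args_values` in the `-842` and `-906` hunks. Extra header and POST-argument values sent to identity-provider endpoints can be credentials such as API keys; without these markers they would presumably be stored unencrypted and could not be supplied through a vault reference. The commit message says the files are pulled from the API, so the change belongs in the plugin schema upstream: add `"encrypted": true` to each of these fields and `"referenceable": true` to their `elements`, matching `introspection_headers_values`.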
@@ -1080,30 +1091,29 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ], - "required": false + ] } }, { "end_session_endpoint": { + "required": false, "type": "string", - "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", - "required": false + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint." } }, { "userinfo_endpoint": { + "required": false, "type": "string", - "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", - "required": false + "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint." } }, { "userinfo_accept": { - "type": "string", "default": "application/json", "required": false, "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "type": "string", "one_of": [ "application/json", "application/jwt" 
@@ -1112,180 +1122,180 @@ }, { "userinfo_headers_names": { - "type": "array", - "description": "Extra header names passed to the user info endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra header names passed to the user info endpoint.", + "type": "array" } }, { "userinfo_headers_values": { - "type": "array", - "description": "Extra header values passed to the user info endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra header values passed to the user info endpoint.", + "type": "array" } }, { "userinfo_headers_client": { - "type": "array", - "description": "Extra headers passed from the client to the user info endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra headers passed from the client to the user info endpoint.", + "type": "array" } }, { "userinfo_query_args_names": { - "type": "array", - "description": "Extra query argument names passed to the user info endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra query argument names passed to the user info endpoint.", + "type": "array" } }, { "userinfo_query_args_values": { - "type": "array", - "description": "Extra query argument values passed to the user info endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra query argument values passed to the user info endpoint.", + "type": "array" } }, { "userinfo_query_args_client": { - "type": "array", - "description": "Extra query arguments passed from the client to the user info endpoint.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "Extra query arguments passed from the client to the user info endpoint.", + "type": "array" } }, { "token_exchange_endpoint": { + "required": false, "type": "string", - "description": "The token 
exchange endpoint.", - "required": false + "description": "The token exchange endpoint." } }, { "session_secret": { - "type": "string", + "encrypted": true, + "referenceable": true, "required": false, "description": "The session secret.", - "referenceable": true, - "encrypted": true + "type": "string" } }, { "session_audience": { - "type": "string", + "required": false, "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", - "default": "default", - "required": false + "type": "string", + "default": "default" } }, { "session_cookie_name": { - "type": "string", + "required": false, "description": "The session cookie name.", - "default": "session", - "required": false + "type": "string", + "default": "session" } }, { "session_remember": { - "type": "boolean", + "required": false, "description": "Enables or disables persistent sessions.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "session_remember_cookie_name": { - "type": "string", + "required": false, "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", - "default": "remember", - "required": false + "type": "string", + "default": "remember" } }, { "session_remember_rolling_timeout": { - "type": "number", + "required": false, "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", - "default": 604800, - "required": false + "type": "number", + "default": 604800 } }, { "session_remember_absolute_timeout": { - "type": "number", + "required": false, "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 
0 disables the checks.", - "default": 2592000, - "required": false + "type": "number", + "default": 2592000 } }, { "session_idling_timeout": { - "type": "number", + "required": false, "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", - "default": 900, - "required": false + "type": "number", + "default": 900 } }, { "session_rolling_timeout": { - "type": "number", + "required": false, "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", - "default": 3600, - "required": false + "type": "number", + "default": 3600 } }, { "session_absolute_timeout": { - "type": "number", + "required": false, "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", - "default": 86400, - "required": false + "type": "number", + "default": 86400 } }, { "session_cookie_path": { - "type": "string", - "default": "/", - "required": false, - "description": "The session cookie Path flag.", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "starts_with": "/" + "description": "The session cookie Path flag.", + "required": false, + "type": "string", + "starts_with": "/", + "default": "/" } }, { "session_cookie_domain": { - "type": "string", + "required": false, "description": "The session cookie Domain flag.", - "required": false + "type": "string" } }, { "session_cookie_same_site": { - "type": "string", "default": "Lax", "required": false, "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "type": "string", "one_of": [ "Strict", "Lax", 
@@ -1296,23 +1306,22 @@ }, { "session_cookie_http_only": { - "type": "boolean", + "required": false, "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "session_cookie_secure": { - "type": "boolean", + "required": false, "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "required": false + "type": "boolean" } }, { "session_request_headers": { - "type": "set", - "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "required": false, "elements": { "type": "string", "one_of": [ @@ -1325,13 +1334,13 @@ "absolute-timeout" ] }, - "required": false + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "type": "set" } }, { "session_response_headers": { - "type": "set", - "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -1344,15 +1353,16 @@ "absolute-timeout" ] }, - "required": false + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "type": "set" } }, { "session_storage": { - "type": "string", "default": "cookie", "required": false, "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "type": "string", "one_of": [ "cookie", "memcache", 
@@ -1363,64 +1373,64 @@ }, { "session_store_metadata": { - "type": "boolean", + "required": false, "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "session_enforce_same_subject": { - "type": "boolean", + "required": false, "description": "When set to `true`, audiences are forced to share the same subject.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "session_hash_subject": { - "type": "boolean", + "required": false, "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "session_hash_storage_key": { - "type": "boolean", + "required": false, "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "session_memcached_prefix": { - "type": "string", + "required": false, "description": "The memcached session key prefix.", - "required": false + "type": "string" } }, { "session_memcached_socket": { - "type": "string", + "required": false, "description": "The memcached unix socket path.", - "required": false + "type": "string" } }, { "session_memcached_host": { - "type": "string", + "required": false, "description": "The memcached host.", - "default": "127.0.0.1", - "required": false + "type": "string", + "default": "127.0.0.1" } }, { "session_memcached_port": { - "type": "integer", "default": 11211, "required": false, "description": "The memcached port.", + "type": "integer", "between": [ 0, 65535 
@@ -1429,32 +1439,32 @@ }, { "session_redis_prefix": { - "type": "string", + "required": false, "description": "The Redis session key prefix.", - "required": false + "type": "string" } }, { "session_redis_socket": { - "type": "string", + "required": false, "description": "The Redis unix socket path.", - "required": false + "type": "string" } }, { "session_redis_host": { - "type": "string", + "required": false, "description": "The Redis host.", - "default": "127.0.0.1", - "required": false + "type": "string", + "default": "127.0.0.1" } }, { "session_redis_port": { - "type": "integer", "default": 6379, "required": false, "description": "The Redis port.", + "type": "integer", "between": [ 0, 65535 
@@ -1463,85 +1473,84 @@ }, { "session_redis_username": { - "referenceable": true, + "required": false, "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", - "required": false + "referenceable": true } }, { "session_redis_password": { - "type": "string", + "encrypted": true, + "referenceable": true, "required": false, "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis.", - "referenceable": true, - "encrypted": true + "type": "string" } }, { "session_redis_connect_timeout": { - "type": "integer", + "required": false, "description": "Session redis connection timeout in milliseconds.", - "required": false + "type": "integer" } }, { "session_redis_read_timeout": { - "type": "integer", + "required": false, "description": "Session redis read timeout in milliseconds.", - "required": false + "type": "integer" } }, { "session_redis_send_timeout": { - "type": "integer", + "required": false, "description": "Session redis send timeout in milliseconds.", - "required": false + "type": "integer" } }, { "session_redis_ssl": { - "type": "boolean", + "required": false, "description": "Use SSL/TLS for Redis connection.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "session_redis_ssl_verify": { - "type": "boolean", + "required": false, "description": "Verify identity provider server certificate.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "session_redis_server_name": { - "type": "string", + "required": false, "description": "The SNI used for connecting the Redis server.", - "required": false + "type": "string" } }, { "session_redis_cluster_nodes": { - "type": 
"array", - "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", + "required": false, "elements": { "type": "record", "fields": [ { "ip": { + "required": true, "type": "string", "description": "A string representing a host name, such as example.com.", - "default": "127.0.0.1", - "required": true + "default": "127.0.0.1" } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 @@ -1550,42 +1559,44 @@ } ] }, - "required": false + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", + "type": "array" } }, { "session_redis_cluster_max_redirections": { - "type": "integer", + "required": false, "description": "The Redis cluster maximum redirects.", - "required": false + "type": "integer" } }, { "reverify": { - "type": "boolean", + "required": false, "description": "Specifies whether to always verify tokens stored in the session.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "jwt_session_claim": { - "type": "string", + "required": false, "description": "The claim to match against the JWT session cookie.", - "default": "sid", - "required": false + "type": "string", + "default": "sid" } }, { "jwt_session_cookie": { - "type": "string", + "required": false, "description": "The name of the JWT session cookie.", - "required": false + "type": "string" } }, { "bearer_token_param_type": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -1595,25 +1606,25 @@ "body" ] }, + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", "default": [ "header", "query", "body" - ], - "required": false, - "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`." + ] } }, { "bearer_token_cookie_name": { - "type": "string", + "required": false, "description": "The name of the cookie in which the bearer token is passed.", - "required": false + "type": "string" } }, { "client_credentials_param_type": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ @@ -1622,18 +1633,18 @@ "body" ] }, + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", "default": [ "header", "query", "body" - ], - "required": false, - "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body." + ] } }, { "password_param_type": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -1642,18 +1653,18 @@ "body" ] }, + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "default": [ "header", "query", "body" - ], - "required": false, - "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + ] } }, { "id_token_param_type": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ @@ -1662,25 +1673,25 @@ "body" ] }, + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "default": [ "header", "query", "body" - ], - "required": false, - "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + ] } }, { "id_token_param_name": { - "type": "string", + "required": false, "description": "The name of the parameter used to pass the id token.", - "required": false + "type": "string" } }, { "refresh_token_param_type": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -1689,214 +1700,214 @@ "body" ] }, + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "default": [ "header", "query", "body" - ], - "required": false, - "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + ] } }, { "refresh_token_param_name": { - "type": "string", + "required": false, "description": "The name of the parameter used to pass the refresh token.", - "required": false + "type": "string" } }, { "refresh_tokens": { - "type": "boolean", + "required": false, "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "upstream_headers_claims": { - "type": "array", - "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The upstream header claims. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array" } }, { "upstream_headers_names": { - "type": "array", - "description": "The upstream header names for the claim values.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The upstream header names for the claim values.", + "type": "array" } }, { "upstream_access_token_header": { - "type": "string", + "required": false, "description": "The upstream access token header.", - "default": "authorization:bearer", - "required": false + "type": "string", + "default": "authorization:bearer" } }, { "upstream_access_token_jwk_header": { - "type": "string", + "required": false, "description": "The upstream access token JWK header.", - "required": false + "type": "string" } }, { "upstream_id_token_header": { - "type": "string", + "required": false, "description": "The upstream id token header.", - "required": false + "type": "string" } }, { "upstream_id_token_jwk_header": { - "type": "string", + "required": false, "description": "The upstream id token JWK header.", - "required": false + "type": "string" } }, { "upstream_refresh_token_header": { - "type": "string", + "required": false, "description": "The upstream refresh token header.", - "required": false + "type": "string" } }, { "upstream_user_info_header": { - "type": "string", + "required": false, "description": "The upstream user info header.", - "required": false + "type": "string" } }, { "upstream_user_info_jwt_header": { - "type": "string", + "required": false, "description": "The upstream user info JWT header (in case the user info returns a JWT response).", - "required": false + "type": "string" } }, { "upstream_introspection_header": { - "type": "string", + "required": false, "description": "The upstream introspection header.", - "required": false + "type": "string" } }, { "upstream_introspection_jwt_header": { - "type": "string", + "required": false, 
"description": "The upstream introspection JWT header.", - "required": false + "type": "string" } }, { "upstream_session_id_header": { - "type": "string", + "required": false, "description": "The upstream session id header.", - "required": false + "type": "string" } }, { "downstream_headers_claims": { - "type": "array", - "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array" } }, { "downstream_headers_names": { - "type": "array", - "description": "The downstream header names for the claim values.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The downstream header names for the claim values.", + "type": "array" } }, { "downstream_access_token_header": { - "type": "string", + "required": false, "description": "The downstream access token header.", - "required": false + "type": "string" } }, { "downstream_access_token_jwk_header": { - "type": "string", + "required": false, "description": "The downstream access token JWK header.", - "required": false + "type": "string" } }, { "downstream_id_token_header": { - "type": "string", + "required": false, "description": "The downstream id token header.", - "required": false + "type": "string" } }, { "downstream_id_token_jwk_header": { - "type": "string", + "required": false, "description": "The downstream id token JWK header.", - "required": false + "type": "string" } }, { "downstream_refresh_token_header": { - "type": "string", + "required": false, "description": "The downstream refresh token header.", - "required": false + "type": "string" } }, { "downstream_user_info_header": { - "type": "string", + "required": false, "description": "The downstream user 
info header.", - "required": false + "type": "string" } }, { "downstream_user_info_jwt_header": { - "type": "string", + "required": false, "description": "The downstream user info JWT header (in case the user info returns a JWT response).", - "required": false + "type": "string" } }, { "downstream_introspection_header": { - "type": "string", + "required": false, "description": "The downstream introspection header.", - "required": false + "type": "string" } }, { "downstream_introspection_jwt_header": { - "type": "string", + "required": false, "description": "The downstream introspection JWT header.", - "required": false + "type": "string" } }, { "downstream_session_id_header": { - "type": "string", + "required": false, "description": "The downstream session id header.", - "required": false + "type": "string" } }, { "login_methods": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ @@ -1911,19 +1922,18 @@ "session" ] }, + "description": "Enable login functionality with specified grants.", "default": [ "authorization_code" - ], - "required": false, - "description": "Enable login functionality with specified grants." + ] } }, { "login_action": { - "type": "string", "default": "upstream", "required": false, "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "type": "string", "one_of": [ "upstream", "response", @@ -1934,6 +1944,7 @@ { "login_tokens": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -1944,19 +1955,18 @@ "introspection" ] }, + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", "default": [ "id_token" - ], - "required": false, - "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response." + ] } }, { "login_redirect_mode": { - "type": "string", "default": "fragment", "required": false, "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "type": "string", "one_of": [ "query", "fragment" @@ -1965,28 +1975,29 @@ }, { "logout_query_arg": { - "type": "string", + "required": false, "description": "The request query argument that activates the logout.", - "required": false + "type": "string" } }, { "logout_post_arg": { - "type": "string", + "required": false, "description": "The request body argument that activates the logout.", - "required": false + "type": "string" } }, { "logout_uri_suffix": { - "type": "string", + "required": false, "description": "The request URI suffix that activates the logout.", - "required": false + "type": "string" } }, { "logout_methods": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -1995,51 +2006,51 @@ "DELETE" ] }, + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", "default": [ "POST", "DELETE" - ], - "required": false, - "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method." + ] } }, { "logout_revoke": { - "type": "boolean", + "required": false, "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "logout_revoke_access_token": { - "type": "boolean", + "required": false, "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "logout_revoke_refresh_token": { - "type": "boolean", + "required": false, "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "consumer_claim": { - "type": "array", - "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, "elements": { "type": "string" }, - "required": false + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array" } }, { "consumer_by": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2048,93 +2059,93 @@ "custom_id" ] }, + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", "default": [ "username", "custom_id" - ], - "required": false, - "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`." + ] } }, { "consumer_optional": { - "type": "boolean", + "required": false, "description": "Do not terminate the request if consumer mapping fails.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "credential_claim": { "type": "array", + "required": false, "elements": { "type": "string" }, + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", "default": [ "sub" - ], - "required": false, - "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload." + ] } }, { "anonymous": { - "type": "string", + "required": false, "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "required": false + "type": "string" } }, { "run_on_preflight": { - "type": "boolean", + "required": false, "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "leeway": { + "required": false, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", "type": "number", - "description": "Allow some leeway (in seconds) on the iat claim and ttl / expiry verification.", - "default": 0, - "required": false + "default": 0 } }, { "verify_parameters": { - "type": "boolean", + "required": false, "description": "Verify plugin configuration against discovery.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "verify_nonce": { - "type": "boolean", + "required": false, "description": "Verify nonce on authorization code flow.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "verify_claims": { - "type": "boolean", + "required": false, "description": "Verify tokens for standard claims.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "verify_signature": { - "type": "boolean", + "required": false, "description": "Verify signature of tokens.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "ignore_signature": { "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2147,25 +2158,23 @@ "userinfo" ] }, + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", "default": [ - ], - "required": false, - "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication." + ] } }, { "enable_hs_signatures": { - "type": "boolean", + "required": false, "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "disable_session": { - "type": "array", - "description": "Disable issuing the session cookie with the specified grants.", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2180,228 +2189,229 @@ "session" ] }, - "required": false + "description": "Disable issuing the session cookie with the specified grants.", + "type": "array" } }, { "cache_ttl": { - "type": "number", + "required": false, "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", - "default": 3600, - "required": false + "type": "number", + "default": 3600 } }, { "cache_ttl_max": { - "type": "number", + "required": false, "description": "The maximum cache ttl in seconds (enforced).", - "required": false + "type": "number" } }, { "cache_ttl_min": { - "type": "number", + "required": false, "description": "The minimum cache ttl in seconds (enforced).", - "required": false + "type": "number" } }, { "cache_ttl_neg": { - "type": "number", + "required": false, "description": "The negative cache ttl in seconds.", - "required": false + "type": "number" } }, { "cache_ttl_resurrect": { - "type": "number", + "required": false, "description": "The resurrection ttl in seconds.", - "required": false + "type": "number" } }, { "cache_tokens": { - "type": "boolean", + "required": false, "description": "Cache the token endpoint requests.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "cache_tokens_salt": { - "type": "string", - "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "required": false, "auto": true, - "required": false + "type": "string", + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." 
} }, { "cache_introspection": { - "type": "boolean", + "required": false, "description": "Cache the introspection endpoint requests.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "cache_token_exchange": { - "type": "boolean", + "required": false, "description": "Cache the token exchange endpoint requests.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "cache_user_info": { - "type": "boolean", + "required": false, "description": "Cache the user info requests.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "search_user_info": { - "type": "boolean", + "required": false, "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "hide_credentials": { - "type": "boolean", + "required": false, "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "http_version": { + "required": false, "type": "number", "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", - "default": 1.1, - "required": false + "default": 1.1 } }, { "http_proxy": { + "required": false, "type": "string", - "description": "The HTTP proxy.", - "required": false + "description": "The HTTP proxy." 
} }, { "http_proxy_authorization": { - "type": "string", + "required": false, "description": "The HTTP proxy authorization.", - "required": false + "type": "string" } }, { "https_proxy": { + "required": false, "type": "string", - "description": "The HTTPS proxy.", - "required": false + "description": "The HTTPS proxy." } }, { "https_proxy_authorization": { - "type": "string", + "required": false, "description": "The HTTPS proxy authorization.", - "required": false + "type": "string" } }, { "no_proxy": { - "type": "string", + "required": false, "description": "Do not use proxy with these hosts.", - "required": false + "type": "string" } }, { "keepalive": { - "type": "boolean", + "required": false, "description": "Use keepalive with the HTTP client.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "ssl_verify": { + "required": false, + "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", "type": "boolean", - "description": "Verify identity provider server certificate.", - "default": false, - "required": false + "default": false } }, { "timeout": { - "type": "number", + "required": false, "description": "Network IO timeout in milliseconds.", - "default": 10000, - "required": false + "type": "number", + "default": 10000 } }, { "display_errors": { - "type": "boolean", + "required": false, "description": "Display errors on failure responses.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "by_username_ignore_case": { - "type": "boolean", + "required": false, "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "resolve_distributed_claims": { - "type": "boolean", + "required": false, "description": 
"Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "expose_error_code": { - "type": "boolean", "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "type": "boolean", "default": true } }, { "token_cache_key_include_scope": { - "type": "boolean", "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean", "default": false } }, { "introspection_token_param_name": { - "type": "string", + "required": false, "description": "Designate token's parameter name for introspection.", - "default": "token", - "required": false + "type": "string", + "default": "token" } }, { "revocation_token_param_name": { - "type": "string", + "required": false, "description": "Designate token's parameter name for revocation.", - "default": "token", - "required": false + "type": "string", + "default": "token" } }, { "proof_of_possession_mtls": { - "type": "string", "default": "off", "required": false, "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", + "type": "string", "one_of": [ "off", "strict", 
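Review bot: The new `ssl_verify` description says which CA bundle is used when the option is `true`, but not what the `"default": false` next to it means. As written, the default appears to leave the identity provider's server certificate unverified. If the reference page is rendered from these descriptions, I would add a sentence such as `With the default (false), the identity provider's certificate is not verified; set this to true for production deployments.` Because this file is downloaded from the API, the wording needs to change in the upstream plugin schema or the next download will overwrite it. In the same hunk, the `token_cache_key_include_scope` description has the typo `diffrent`.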
@@ -2411,134 +2421,228 @@ }, { "proof_of_possession_auth_methods_validation": { - "type": "boolean", + "required": false, "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "tls_client_auth_cert_id": { - "type": "string", - "auto": false, + "uuid": true, "required": false, "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", - "uuid": true + "type": "string", + "auto": false } }, { "tls_client_auth_ssl_verify": { - "type": "boolean", + "required": false, "description": "Verify identity provider server certificate during mTLS client authentication.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "mtls_token_endpoint": { + "required": false, "type": "string", - "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", - "required": false + "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." } }, { "mtls_introspection_endpoint": { + "required": false, "type": "string", - "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", - "required": false + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." } }, { "mtls_revocation_endpoint": { + "required": false, + "type": "string", + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." + } + }, + { + "proof_of_possession_dpop": { + "default": "off", + "required": false, + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", "type": "string", - "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", - "required": false + "one_of": [ + "off", + "strict", + "optional" + ] + } + }, + { + "dpop_use_nonce": { + "required": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", + "type": "boolean", + "default": false + } + }, + { + "dpop_proof_lifetime": { + "required": false, + "type": "number", + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. 
The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "default": 300 } } ], + "required": true, "shorthand_fields": [ { "authorization_cookie_lifetime": { - "type": "number" + "type": "number", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.authorization_cookie_lifetime is deprecated, please use config.authorization_rolling_timeout instead" + } } }, { "authorization_cookie_samesite": { - "type": "string" + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.authorization_cookie_samesite is deprecated, please use config.authorization_cookie_same_site instead" + } } }, { "authorization_cookie_httponly": { - "type": "boolean" + "type": "boolean", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.authorization_cookie_httponly is deprecated, please use config.authorization_cookie_http_only instead" + } } }, { "session_cookie_lifetime": { - "type": "number" + "type": "number", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead" + } } }, { "session_cookie_idletime": { - "type": "number" + "type": "number", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead" + } } }, { "session_cookie_samesite": { - "type": "string" + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead" + } } }, { "session_cookie_httponly": { - "type": "boolean" + "type": "boolean", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_httponly is deprecated, please use 
config.session_cookie_http_only instead" + } } }, { "session_memcache_prefix": { - "type": "string" + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead" + } } }, { "session_memcache_socket": { - "type": "string" + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead" + } } }, { "session_memcache_host": { - "type": "string" + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead" + } } }, { "session_memcache_port": { - "type": "integer" + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead" + } } }, { "session_redis_cluster_maxredirections": { - "type": "integer" + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_cluster_maxredirections is deprecated, please use config.session_redis_cluster_max_redirections instead" + } } }, { "session_cookie_renew": { - "type": "number" + "type": "number", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_renew option does not exist anymore" + } } }, { "session_cookie_maxsize": { - "type": "integer" + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore" + } } }, { "session_strategy": { - "type": "string" + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_strategy option does not exist 
anymore" + } } }, { "session_compressor": { - "type": "string" + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_compressor option does not exist anymore" + } } } ], - "required": true + "type": "record" } } ], diff --git a/schemas/opentelemetry/3.7.x.json b/schemas/opentelemetry/3.7.x.json index caa4824e..5d917906 100644 --- a/schemas/opentelemetry/3.7.x.json +++ b/schemas/opentelemetry/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -12,44 +13,42 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "endpoint": { - "referenceable": true, + "required": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string", - "required": true + "referenceable": true, + "type": "string" } }, { "headers": { - "type": "map", - "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", "keys": { "type": "string", "description": "A string representing an HTTP header name." }, + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", + "type": "map", "values": { "type": "string", "referenceable": true 
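Review bot: In the openid-connect hunk that ends on this line, the added `mtls_revocation_endpoint` description reads `Alias for the introspection endpoint to be used for mTLS client authentication`. That is the `mtls_introspection_endpoint` text repeated; it should read `Alias for the revocation endpoint ...`. The removed line carried the same wording, so the mistake comes from the upstream schema and should be corrected there rather than in this downloaded copy. The new `proof_of_possession_dpop` text also says `all request are verified despite the presence of the DPoP key claim (cnf.jkt)`; `all requests are verified regardless of whether the DPoP key claim (cnf.jkt) is present` appears to be the intended meaning.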
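Review bot: In the opentelemetry hunk `@@ -12,44 +13,42 @@`, the `headers` description recommends the field for authentication tokens but never says the values can be kept out of the stored configuration. The `values` schema is marked `"referenceable": true`, which in Kong schemas marks a value that can be supplied as a vault reference. I would append a sentence to the description such as `Header values can be given as vault references, so the token does not have to be stored in plaintext in the plugin configuration.` The `headers` object continues past the end of this hunk, and the change belongs in the upstream schema since this file is generated.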
@@ -58,11 +57,11 @@ }, { "resource_attributes": { - "type": "map", "keys": { "type": "string", "required": true }, + "type": "map", "values": { "type": "string", "required": true @@ -71,13 +70,12 @@ }, { "queue": { - "type": "record", "fields": [ { "max_batch_size": { + "default": 1, "type": "integer", "description": "Maximum number of entries that can be processed at a time.", - "default": 1, "between": [ 1, 1000000 @@ -86,9 +84,9 @@ }, { "max_coalescing_delay": { + "default": 1, "type": "number", "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "default": 1, "between": [ 0, 3600 @@ -97,9 +95,9 @@ }, { "max_entries": { + "default": 10000, "type": "integer", "description": "Maximum number of entries that can be waiting on the queue.", - "default": 10000, "between": [ 1, 1000000 @@ -121,9 +119,9 @@ }, { "initial_retry_delay": { + "default": 0.01, "type": "number", "description": "Time in seconds before the initial retry is made for a failing batch.", - "default": 0.01, "between": [ 0.001, 1000000 @@ -132,9 +130,9 @@ }, { "max_retry_delay": { + "default": 60, "type": "number", "description": "Maximum time in seconds between retries, caps exponential backoff.", - "default": 60, "between": [ 0.001, 1000000 
@@ -142,26 +140,40 @@ } } ], - "required": true + "required": true, + "type": "record", + "default": { + "max_batch_size": 200 + } } }, { "batch_span_count": { - "type": "integer", - "description": "The number of spans to be sent in a single batch." + "deprecation": { + "old_default": 200, + "message": "opentelemetry: config.batch_span_count is deprecated, please use config.queue.max_batch_size instead", + "removal_in_version": "4.0" + }, + "description": "The number of spans to be sent in a single batch.", + "type": "integer" } }, { "batch_flush_delay": { - "type": "integer", - "description": "The delay, in seconds, between two consecutive batches." + "deprecation": { + "old_default": 3, + "message": "opentelemetry: config.batch_flush_delay is deprecated, please use config.queue.max_coalescing_delay instead", + "removal_in_version": "4.0" + }, + "description": "The delay, in seconds, between two consecutive batches.", + "type": "integer" } }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "default": 1000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 @@ -170,9 +182,9 @@ }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 @@ -181,9 +193,9 @@ }, { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 
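Review bot: The `queue` record gains `"default": { "max_batch_size": 200 }`, while the `max_batch_size` field inside it still declares `"default": 1` (hunk `@@ -71,13 +70,12 @@`). The schema therefore states two defaults for the same setting. A reference built from the field-level value would show 1, although a plugin created without a `queue` block presumably gets 200, matching the `old_default` of the deprecated `batch_span_count`. It is worth checking how the docs renderer handles record-level defaults. If it ignores them, note the effective value in the `max_batch_size` description upstream, for example `For this plugin the effective default is 200.`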
@@ -197,6 +209,13 @@ }, { "header_type": { + "default": "preserve", + "required": false, + "deprecation": { + "old_default": "preserve", + "message": "opentelemetry: config.header_type is deprecated, please use config.propagation options instead", + "removal_in_version": "4.0" + }, "type": "string", "one_of": [ "preserve", 
@@ -209,33 +228,97 @@ "aws", "gcp", "datadog" - ], - "default": "preserve", - "required": false + ] } }, { "sampling_rate": { - "type": "number", - "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", "required": false, + "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", + "type": "number", "between": [ 0, 1 ] } - } - ], - "entity_checks": [ + }, { - "custom_entity_check": { - "field_sources": [ - "batch_span_count", - "batch_flush_delay" - ] + "propagation": { + "fields": [ + { + "extract": { + "elements": { + "type": "string", + "one_of": [ + "b3", + "gcp", + "jaeger", + "aws", + "ot", + "w3c", + "datadog" + ] + }, + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "type": "array" + } + }, + { + "clear": { + "elements": { + "type": "string" + }, + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", + "type": "array" + } + }, + { + "inject": { + "elements": { + "type": "string", + "one_of": [ + "preserve", + "b3", + "gcp", + "b3-single", + "jaeger", + "aws", + "ot", + "w3c", + "datadog" + ] + }, + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. 
If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "type": "array" + } + }, + { + "default_format": { + "required": true, + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "type": "string", + "one_of": [ + "b3", + "gcp", + "b3-single", + "jaeger", + "aws", + "ot", + "w3c", + "datadog" + ] + } + } + ], + "required": true, + "type": "record", + "default": { + "default_format": "w3c" + } } } ], + "type": "record", "required": true } } diff --git a/schemas/post-function/3.7.x.json b/schemas/post-function/3.7.x.json index aae158bb..b1717b8b 100644 --- a/schemas/post-function/3.7.x.json +++ b/schemas/post-function/3.7.x.json @@ -2,7 +2,7 @@ "fields": [ { "protocols": { - "type": "set", + "required": false, "elements": { "type": "string", "one_of": [ @@ -14,6 +14,7 @@ "wss" ] }, + "type": "set", "default": [ "grpc", "grpcs", @@ -21,22 +22,21 @@ "https", "ws", "wss" - ], - "required": false + ] } }, { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } @@ -44,6 +44,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS.", 
@@ -60,151 +61,150 @@ "wss" ] }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing protocols." + ] } }, { "config": { - "type": "record", "fields": [ { "certificate": { - "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "rewrite": { - "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "access": { - "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "header_filter": { - "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "body_filter": { - "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "log": { - "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "ws_handshake": { - "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "ws_client_frame": { - "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, + "type": "array", "default": [ - 
], - "required": true + ] } }, { "ws_upstream_frame": { - "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "ws_close": { - "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } } ], + "type": "record", "required": true } } diff --git a/schemas/pre-function/3.7.x.json b/schemas/pre-function/3.7.x.json index aae158bb..b1717b8b 100644 --- a/schemas/pre-function/3.7.x.json +++ b/schemas/pre-function/3.7.x.json @@ -2,7 +2,7 @@ "fields": [ { "protocols": { - "type": "set", + "required": false, "elements": { "type": "string", "one_of": [ @@ -14,6 +14,7 @@ "wss" ] }, + "type": "set", "default": [ "grpc", "grpcs", @@ -21,22 +22,21 @@ "https", "ws", "wss" - ], - "required": false + ] } }, { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } @@ -44,6 +44,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS.", 
@@ -60,151 +61,150 @@ "wss" ] }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing protocols." + ] } }, { "config": { - "type": "record", "fields": [ { "certificate": { - "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "rewrite": { - "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "access": { - "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "header_filter": { - "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "body_filter": { - "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "log": { - "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "ws_handshake": { - "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "ws_client_frame": { - "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, + "type": "array", "default": [ - 
], - "required": true + ] } }, { "ws_upstream_frame": { - "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "ws_close": { - "type": "array", + "required": true, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } } ], + "type": "record", "required": true } } diff --git a/schemas/prometheus/3.7.x.json b/schemas/prometheus/3.7.x.json index dd8691b7..bf375f1e 100644 --- a/schemas/prometheus/3.7.x.json +++ b/schemas/prometheus/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS.", 
@@ -19,64 +20,63 @@ "wss" ] }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "per_consumer": { - "type": "boolean", "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", + "type": "boolean", "default": false } }, { "status_code_metrics": { - "type": "boolean", "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", + "type": "boolean", "default": false } }, { "latency_metrics": { + "description": "A boolean value that determines if latency metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", "type": "boolean", - "description": "A boolean value that determines if status code metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", "default": false } }, { "bandwidth_metrics": { + "description": "A boolean value that determines if bandwidth metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", "type": "boolean", - "description": "A boolean value that determines if status code metrics should be collected. 
If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", "default": false } }, { "upstream_health_metrics": { + "description": "A boolean value that determines if upstream metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", "type": "boolean", - "description": "A boolean value that determines if status code metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", "default": false } } ], + "type": "record", "required": true } } diff --git a/schemas/proxy-cache-advanced/3.7.x.json b/schemas/proxy-cache-advanced/3.7.x.json index e5292b48..e0e93d10 100644 --- a/schemas/proxy-cache-advanced/3.7.x.json +++ b/schemas/proxy-cache-advanced/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -12,23 +13,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { - "type": "record", "fields": [ { "response_code": { "type": "array", + "len_min": 1, + "required": true, "elements": { "type": "integer", "between": [ @@ -36,19 +37,18 @@ 900 ] }, + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", "default": [ 200, 301, 404 - ], - "required": true, - "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", - "len_min": 1 + ] } }, { "request_method": { - "type": "array", + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -59,61 +59,60 @@ "PUT" ] }, + "type": "array", "default": [ "GET", "HEAD" - ], - "required": true, - "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`." + ] } }, { "content_type": { - "type": "array", + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", + "required": true, "elements": { "type": "string" }, + "type": "array", "default": [ "text/plain", "application/json" - ], - "required": true, - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned." + ] } }, { "cache_ttl": { + "default": 300, "type": "integer", "description": "TTL in seconds of cache entities.", - "default": 300, "gt": 0 } }, { "strategy": { - "type": "string", + "required": true, "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", + "type": "string", "one_of": [ "memory", "redis" - ], - "required": true + ] } }, { "cache_control": { + "required": true, "type": "boolean", "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", - "default": false, - "required": true + "default": false } }, { "ignore_uri_case": { - "type": "boolean", + "required": false, "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. 
If set to true, requests are cached while ignoring case sensitivity in the URI.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { 
@@ -124,68 +123,67 @@ }, { "memory": { - "type": "record", "fields": [ { "dictionary_name": { + "required": true, "type": "string", "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", - "default": "kong_db_cache", - "required": true + "default": "kong_db_cache" } } ], + "type": "record", "required": true } }, { "vary_query_params": { - "type": "array", - "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "elements": { "type": "string" - } + }, + "type": "array", + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration." } }, { "vary_headers": { - "type": "array", - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "elements": { "type": "string" - } + }, + "type": "array", + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." } }, { "response_headers": { - "type": "record", - "description": "Caching related diagnostic headers that should be included in cached responses", "fields": [ { "age": { - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "X-Cache-Status": { - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "X-Cache-Key": { - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } } ], + "description": "Caching related diagnostic headers that should be included in cached responses", + "type": "record", "required": true } }, { "redis": { - "type": "record", "fields": [ { "host": { 
@@ -205,9 +203,9 @@ }, { "timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 @@ -246,31 +244,31 @@ }, { "username": { - "referenceable": true, "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, "type": "string" } }, { "password": { - "referenceable": true, - "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, + "referenceable": true, "type": "string" } }, { "sentinel_username": { - "referenceable": true, "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, "type": "string" } }, { "sentinel_password": { - "referenceable": true, - "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, + "referenceable": true, "type": "string" } }, @@ -283,9 +281,9 @@ }, { "keepalive_pool_size": { + "default": 256, "type": "integer", "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "default": 256, "between": [ 1, 2147483646 
@@ -310,8 +308,8 @@ }, { "sentinel_role": { - "type": "string", "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", 
@@ -321,82 +319,82 @@ }, { "sentinel_addresses": { - "type": "array", + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" }, - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "type": "array", "len_min": 1 } }, { "cluster_addresses": { - "type": "array", + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "type": "array", "len_min": 1 } }, { "ssl": { - "type": "boolean", + "required": false, "description": "If set to true, uses SSL to connect to Redis.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "ssl_verify": { - "type": "boolean", + "required": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "server_name": { - "type": "string", + "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false + "type": "string" } } ], "entity_checks": [ { "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_addresses" - ], - "set2": [ - "host", - "port" ] } }, { "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_addresses" - ], - "set2": [ - "cluster_addresses" ] } }, { "mutually_exclusive_sets": { - "set1": [ - "cluster_addresses" - ], "set2": [ "host", "port" + ], + "set1": [ + "cluster_addresses" ] } }, @@ -421,6 +419,7 @@ ] } ], + "type": "record", "required": true } }, @@ -432,6 +431,7 @@ } } ], + "type": "record", "required": true } } diff --git a/schemas/proxy-cache/3.7.x.json b/schemas/proxy-cache/3.7.x.json index 8dee3742..6137f9bc 100644 --- a/schemas/proxy-cache/3.7.x.json +++ b/schemas/proxy-cache/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -19,23 +20,23 @@ "wss" ] }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing protocols." + ] } }, { "config": { - "type": "record", "fields": [ { "response_code": { - "type": "array", + "len_min": 1, + "description": "Upstream response status code considered cacheable.", + "required": true, "elements": { "type": "integer", "between": [ 
@@ -43,19 +44,18 @@ 900 ] }, + "type": "array", "default": [ 200, 301, 404 - ], - "required": true, - "description": "Upstream response status code considered cacheable.", - "len_min": 1 + ] } }, { "request_method": { - "type": "array", + "description": "Downstream request methods considered cacheable.", + "required": true, "elements": { "type": "string", "one_of": [ @@ -66,59 +66,58 @@ "PUT" ] }, + "type": "array", "default": [ "GET", "HEAD" - ], - "required": true, - "description": "Downstream request methods considered cacheable." + ] } }, { "content_type": { - "type": "array", + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", + "required": true, "elements": { "type": "string" }, + "type": "array", "default": [ "text/plain", "application/json" - ], - "required": true, - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value." + ] } }, { "cache_ttl": { - "gt": 0, - "description": "TTL, in seconds, of cache entities.", "default": 300, - "type": "integer" + "type": "integer", + "description": "TTL, in seconds, of cache entities.", + "gt": 0 } }, { "strategy": { + "required": true, "type": "string", "description": "The backing data store in which to hold cache entities.", "one_of": [ "memory" - ], - "required": true + ] } }, { "cache_control": { + "required": true, "type": "boolean", "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", - "default": false, - "required": true + "default": false } }, { "ignore_uri_case": { + "required": false, "type": "boolean", - "default": false, - "required": false + "default": false } }, { 
@@ -129,66 +128,67 @@ }, { "memory": { - "type": "record", "fields": [ { "dictionary_name": { + "required": true, "type": "string", "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", - "default": "kong_db_cache", - "required": true + "default": "kong_db_cache" } } ], + "type": "record", "required": true } }, { "vary_query_params": { - "type": "array", - "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "elements": { "type": "string" - } + }, + "type": "array", + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration." } }, { "vary_headers": { - "type": "array", - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "elements": { "type": "string" - } + }, + "type": "array", + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." } }, { "response_headers": { - "type": "record", - "description": "Caching related diagnostic headers that should be included in cached responses", "fields": [ { "age": { - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "X-Cache-Status": { - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "X-Cache-Key": { - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } } ], + "description": "Caching related diagnostic headers that should be included in cached responses", + "type": "record", "required": true } } ], + "type": "record", "required": true } } diff --git a/schemas/rate-limiting-advanced/3.7.x.json b/schemas/rate-limiting-advanced/3.7.x.json index bcef248e..ed32d32a 100644 
--- a/schemas/rate-limiting-advanced/3.7.x.json +++ b/schemas/rate-limiting-advanced/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -12,25 +13,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { - "type": "record", "fields": [ { "identifier": { - "type": "string", "default": "consumer", "required": true, + "type": "string", "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", "one_of": [ "ip", 
@@ -45,19 +44,19 @@ }, { "window_size": { - "type": "array", - "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "required": true, "elements": { "type": "number" }, - "required": true + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "type": "array" } }, { "window_type": { - "type": "string", - "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "type": "string", "one_of": [ "fixed", "sliding" @@ -66,12 +65,12 @@ }, { "limit": { - "type": "array", - "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "required": true, "elements": { "type": "number" }, - "required": true + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "type": "array" } }, { 
@@ -82,17 +81,17 @@ }, { "namespace": { - "type": "string", - "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", "auto": true, - "required": true + "required": true, + "type": "string", + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same." } }, { "strategy": { - "type": "string", "default": "local", "required": true, + "type": "string", "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "one_of": [ "cluster", 
@@ -103,23 +102,23 @@ }, { "dictionary_name": { - "type": "string", + "required": true, "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", - "default": "kong_rate_limiting_counters", - "required": true + "type": "string", + "default": "kong_rate_limiting_counters" } }, { "hide_client_headers": { - "type": "boolean", "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean", "default": false } }, { "retry_after_jitter_max": { - "type": "number", "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number", "default": 0 } }, @@ -131,20 +130,19 @@ }, { "path": { - "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], + "starts_with": "/", "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "starts_with": "/" + "type": "string" } }, { "redis": { - "type": "record", "fields": [ { "host": { @@ -164,9 +162,9 @@ }, { "timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 
@@ -205,31 +203,31 @@ }, { "username": { - "referenceable": true, "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, "type": "string" } }, { "password": { - "referenceable": true, - "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, + "referenceable": true, "type": "string" } }, { "sentinel_username": { - "referenceable": true, "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, "type": "string" } }, { "sentinel_password": { - "referenceable": true, - "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, + "referenceable": true, "type": "string" } }, @@ -242,9 +240,9 @@ }, { "keepalive_pool_size": { + "default": 256, "type": "integer", "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "default": 256, "between": [ 1, 2147483646 @@ -269,8 +267,8 @@ }, { "sentinel_role": { - "type": "string", "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", 
@@ -280,82 +278,82 @@ }, { "sentinel_addresses": { - "type": "array", + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" }, - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "type": "array", "len_min": 1 } }, { "cluster_addresses": { - "type": "array", + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "elements": { "type": "string" }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "type": "array", "len_min": 1 } }, { "ssl": { - "type": "boolean", + "required": false, "description": "If set to true, uses SSL to connect to Redis.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "ssl_verify": { - "type": "boolean", + "required": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "server_name": { - "type": "string", + "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false + "type": "string" } } ], "entity_checks": [ { "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_addresses" - ], - "set2": [ - "host", - "port" ] } }, { "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_addresses" - ], - "set2": [ - "cluster_addresses" ] } }, { "mutually_exclusive_sets": { - "set1": [ - "cluster_addresses" - ], "set2": [ "host", "port" + ], + "set1": [ + "cluster_addresses" ] } }, 
@@ -380,48 +378,50 @@ ] } ], + "type": "record", "required": true } }, { "enforce_consumer_groups": { - "type": "boolean", "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", + "type": "boolean", "default": false } }, { "consumer_groups": { - "type": "array", - "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", "elements": { "type": "string" - } + }, + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", + "type": "array" } }, { "disable_penalty": { - "type": "boolean", "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", + "type": "boolean", "default": false } }, { "error_code": { - "type": "number", - "description": "Set a custom error code to return when the rate limit is exceeded.", "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "type": "number", "gt": 0 } }, { "error_message": { - "type": "string", "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string", "default": "API rate limit exceeded" } } ], + "type": "record", "required": true } } diff --git a/schemas/rate-limiting/3.7.x.json b/schemas/rate-limiting/3.7.x.json index b4b05cf7..79c762c6 100644 --- a/schemas/rate-limiting/3.7.x.json +++ b/schemas/rate-limiting/3.7.x.json 
@@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -12,67 +13,65 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { - "type": "record", "fields": [ { "second": { - "gt": 0, "description": "The number of HTTP requests that can be made per second.", - "type": "number" + "type": "number", + "gt": 0 } }, { "minute": { - "gt": 0, "description": "The number of HTTP requests that can be made per minute.", - "type": "number" + "type": "number", + "gt": 0 } }, { "hour": { - "gt": 0, "description": "The number of HTTP requests that can be made per hour.", - "type": "number" + "type": "number", + "gt": 0 } }, { "day": { - "gt": 0, "description": "The number of HTTP requests that can be made per day.", - "type": "number" + "type": "number", + "gt": 0 } }, { "month": { - "gt": 0, "description": "The number of HTTP requests that can be made per month.", - "type": "number" + "type": "number", + "gt": 0 } }, { "year": { - "gt": 0, "description": "The number of HTTP requests that can be made per year.", - "type": "number" + "type": "number", + "gt": 0 } }, { "limit_by": { - "type": "string", - "description": "The entity that is used when aggregating the limits.", "default": "consumer", + "description": "The entity that is used when aggregating the limits.", + "type": "string", "one_of": [ "consumer", "credential", 
@@ -92,42 +91,40 @@ }, { "path": { - "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], + "starts_with": "/", "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "starts_with": "/" + "type": "string" } }, { "policy": { - "type": "string", "default": "local", "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "len_min": 0, + "type": "string", "one_of": [ "local", "cluster", "redis" - ], - "len_min": 0 + ] } }, { "fault_tolerant": { - "type": "boolean", + "required": true, "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", - "default": true, - "required": true + "type": "boolean", + "default": true } }, { "redis": { - "type": "record", - "description": "Redis configuration", "fields": [ { "host": { @@ -137,9 +134,9 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 @@ -148,9 +145,9 @@ }, { "timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 
@@ -160,88 +157,95 @@ { "username": { "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." } }, { "password": { - "type": "string", "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "referenceable": true, + "type": "string", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "len_min": 0 } }, { "database": { - "type": "integer", "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer", "default": 0 } }, { "ssl": { - "type": "boolean", + "required": false, "description": "If set to true, uses SSL to connect to Redis.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "ssl_verify": { - "type": "boolean", + "required": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "server_name": { - "type": "string", + "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false + "type": "string" } } ], + "description": "Redis configuration", + "type": "record", "required": true } }, { "hide_client_headers": { - "type": "boolean", + "required": true, "description": "Optionally hide informative response headers.", - "default": false, - "required": true + "type": "boolean", + "default": false } }, { "error_code": { - "gt": 0, - "description": "Set a custom error code to return when the rate limit is exceeded.", "default": 429, - "type": "number" + "description": "Set a custom error code to return when the rate limit is exceeded.", + "type": "number", + "gt": 0 } }, { "error_message": { - "type": "string", "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string", "default": "API rate limit exceeded" } }, { "sync_rate": { - "type": "number", + "required": true, "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior.", - "default": -1, - "required": true + "type": "number", + "default": -1 } } ], + "required": true, "shorthand_fields": [ { "redis_host": { + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_host is deprecated, please use config.redis.host instead" + }, "type": "string", "translate_backwards": [ "redis", @@ -251,6 +255,10 @@ }, { "redis_port": { + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_port is deprecated, please use config.redis.port instead" + }, "type": "integer", "translate_backwards": [ "redis", 
@@ -260,16 +268,24 @@ }, { "redis_password": { + "len_min": 0, + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_password is deprecated, please use config.redis.password instead" + }, "type": "string", "translate_backwards": [ "redis", "password" - ], - "len_min": 0 + ] } }, { "redis_username": { + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_username is deprecated, please use config.redis.username instead" + }, "type": "string", "translate_backwards": [ "redis", @@ -279,6 +295,10 @@ }, { "redis_ssl": { + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_ssl is deprecated, please use config.redis.ssl instead" + }, "type": "boolean", "translate_backwards": [ "redis", @@ -288,6 +308,10 @@ }, { "redis_ssl_verify": { + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead" + }, "type": "boolean", "translate_backwards": [ "redis", @@ -297,6 +321,10 @@ }, { "redis_server_name": { + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_server_name is deprecated, please use config.redis.server_name instead" + }, "type": "string", "translate_backwards": [ "redis", @@ -306,6 +334,10 @@ }, { "redis_timeout": { + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_timeout is deprecated, please use config.redis.timeout instead" + }, "type": "integer", "translate_backwards": [ "redis", @@ -315,6 +347,10 @@ }, { "redis_database": { + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_database is deprecated, please use config.redis.database instead" + }, "type": "integer", "translate_backwards": [ "redis", @@ -323,7 +359,7 @@ } } ], - "required": true + "type": "record" } } ], 
@@ -340,61 +376,61 @@ }, { "conditional": { - "then_field": "config.redis.host", "if_field": "config.policy", - "then_match": { - "required": true - }, "if_match": { "eq": "redis" + }, + "then_field": "config.redis.host", + "then_match": { + "required": true } } }, { "conditional": { - "then_field": "config.redis.port", "if_field": "config.policy", - "then_match": { - "required": true - }, "if_match": { "eq": "redis" + }, + "then_field": "config.redis.port", + "then_match": { + "required": true } } }, { "conditional": { - "then_field": "config.redis.timeout", "if_field": "config.policy", - "then_match": { - "required": true - }, "if_match": { "eq": "redis" + }, + "then_field": "config.redis.timeout", + "then_match": { + "required": true } } }, { "conditional": { - "then_field": "config.header_name", "if_field": "config.limit_by", - "then_match": { - "required": true - }, "if_match": { "eq": "header" + }, + "then_field": "config.header_name", + "then_match": { + "required": true } } }, { "conditional": { - "then_field": "config.path", "if_field": "config.limit_by", - "then_match": { - "required": true - }, "if_match": { "eq": "path" + }, + "then_field": "config.path", + "then_match": { + "required": true } } } diff --git a/schemas/request-size-limiting/3.7.x.json b/schemas/request-size-limiting/3.7.x.json index cf7da47a..cb8c641c 100644 --- a/schemas/request-size-limiting/3.7.x.json +++ b/schemas/request-size-limiting/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -12,27 +13,25 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "allowed_payload_size": { @@ -43,9 +42,9 @@ }, { "size_unit": { - "type": "string", "default": "megabytes", "required": true, + "type": "string", "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", "one_of": [ "megabytes", @@ -56,13 +55,14 @@ }, { "require_content_length": { + "required": true, "type": "boolean", "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", - "default": false, - "required": true + "default": false } } ], + "type": "record", "required": true } } diff --git a/schemas/request-termination/3.7.x.json b/schemas/request-termination/3.7.x.json index ba24710d..e716bea1 100644 --- a/schemas/request-termination/3.7.x.json +++ b/schemas/request-termination/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -12,26 +13,24 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { - "type": "record", "fields": [ { "status_code": { - "type": "integer", "default": 503, "required": true, "description": "The response code to send. Must be an integer between 100 and 599.", + "type": "integer", "between": [ 100, 599 
@@ -58,10 +57,10 @@ }, { "echo": { + "required": true, "type": "boolean", "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", - "default": false, - "required": true + "default": false } }, { @@ -71,6 +70,7 @@ } } ], + "type": "record", "required": true } } diff --git a/schemas/request-transformer-advanced/3.7.x.json b/schemas/request-transformer-advanced/3.7.x.json index 477e4eed..82c1b004 100644 --- a/schemas/request-transformer-advanced/3.7.x.json +++ b/schemas/request-transformer-advanced/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -12,37 +13,34 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { - "type": "record", "fields": [ { "http_method": { - "type": "string", + "match": "^%u+$", "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", - "match": "^%u+$" + "type": "string" } }, { "remove": { - "type": "record", "fields": [ { "body": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ] @@ -50,10 +48,10 @@ }, { "headers": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ] 
@@ -61,30 +59,30 @@ }, { "querystring": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ] } } ], + "type": "record", "required": true } }, { "rename": { - "type": "record", "fields": [ { "body": { - "type": "array", "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, + "type": "array", "default": [ ] @@ -92,11 +90,11 @@ }, { "headers": { - "type": "array", "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, + "type": "array", "default": [ ] @@ -104,31 +102,31 @@ }, { "querystring": { - "type": "array", "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, + "type": "array", "default": [ ] } } ], + "type": "record", "required": true } }, { "replace": { - "type": "record", "fields": [ { "body": { - "type": "array", "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, + "type": "array", "default": [ ] @@ -136,11 +134,11 @@ }, { "headers": { - "type": "array", "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, + "type": "array", "default": [ ] @@ -148,11 +146,11 @@ }, { "querystring": { - "type": "array", "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, + "type": "array", "default": [ ] @@ -160,7 +158,6 @@ }, { "json_types": { - "type": "array", "elements": { "type": "string", "one_of": [ @@ -169,6 +166,7 @@ "string" ] }, + "type": "array", "default": [ ] @@ -180,20 +178,20 @@ } } ], + "type": "record", "required": true } }, { "add": { - "type": "record", "fields": [ { "body": { - "type": "array", "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, + "type": "array", "default": [ ] 
@@ -201,11 +199,11 @@ }, { "headers": { - "type": "array", "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, + "type": "array", "default": [ ] @@ -213,11 +211,11 @@ }, { "querystring": { - "type": "array", "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, + "type": "array", "default": [ ] @@ -225,7 +223,6 @@ }, { "json_types": { - "type": "array", "elements": { "type": "string", "one_of": [ @@ -234,26 +231,27 @@ "string" ] }, + "type": "array", "default": [ ] } } ], + "type": "record", "required": true } }, { "append": { - "type": "record", "fields": [ { "body": { - "type": "array", "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, + "type": "array", "default": [ ] @@ -261,11 +259,11 @@ }, { "headers": { - "type": "array", "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, + "type": "array", "default": [ ] @@ -273,11 +271,11 @@ }, { "querystring": { - "type": "array", "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, + "type": "array", "default": [ ] @@ -285,7 +283,6 @@ }, { "json_types": { - "type": "array", "elements": { "type": "string", "one_of": [ @@ -294,18 +291,19 @@ "string" ] }, + "type": "array", "default": [ ] } } ], + "type": "record", "required": true } }, { "allow": { - "type": "record", "fields": [ { "body": { @@ -316,6 +314,7 @@ } } ], + "type": "record", "required": true } }, @@ -327,6 +326,7 @@ } } ], + "type": "record", "required": true } } diff --git a/schemas/request-transformer/3.7.x.json b/schemas/request-transformer/3.7.x.json index 8e81f73d..4de5fa5e 100644 --- a/schemas/request-transformer/3.7.x.json +++ b/schemas/request-transformer/3.7.x.json 
@@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS.", 
@@ -19,155 +20,152 @@ "wss" ] }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing protocols." + ] } }, { "config": { - "type": "record", "fields": [ { "http_method": { - "type": "string", + "match": "^%u+$", "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", - "match": "^%u+$" + "type": "string" } }, { "remove": { - "type": "record", "fields": [ { "body": { - "type": "array", + "required": true, "elements": { "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "headers": { - "type": "array", + "required": true, "elements": { "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "querystring": { - "type": "array", + "required": true, "elements": { "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } } ], + "type": "record", "required": true } }, { "rename": { - "type": "record", "fields": [ { "body": { - "type": "array", + "required": true, "elements": { "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "headers": { - "type": "array", + "required": true, "elements": { "match": "^[^:]+:.*$", "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "querystring": { - "type": "array", + "required": true, "elements": { "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } } ], + "type": "record", "required": true } }, { "replace": { - "type": "record", "fields": [ { "body": { - "type": "array", + "required": true, "elements": { "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "headers": { - "type": "array", + "required": true, "elements": { "match": "^[^:]+:.*$", "type": "string" }, + "type": "array", "default": [ - ], - 
"required": true + ] } }, { "querystring": { - "type": "array", + "required": true, "elements": { "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { @@ -176,100 +174,102 @@ } } ], + "type": "record", "required": true } }, { "add": { - "type": "record", "fields": [ { "body": { - "type": "array", + "required": true, "elements": { "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "headers": { - "type": "array", + "required": true, "elements": { "match": "^[^:]+:.*$", "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "querystring": { - "type": "array", + "required": true, "elements": { "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } } ], + "type": "record", "required": true } }, { "append": { - "type": "record", "fields": [ { "body": { - "type": "array", + "required": true, "elements": { "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "headers": { - "type": "array", + "required": true, "elements": { "match": "^[^:]+:.*$", "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "querystring": { - "type": "array", + "required": true, "elements": { "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } } ], + "type": "record", "required": true } } ], + "type": "record", "required": true } } diff --git a/schemas/request-validator/3.7.x.json b/schemas/request-validator/3.7.x.json index b42dd912..e5214db3 100644 --- a/schemas/request-validator/3.7.x.json +++ b/schemas/request-validator/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -12,91 +13,87 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "body_schema": { + "required": false, "type": "string", - "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.", - "required": false + "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified." } }, { "allowed_content_types": { "type": "set", + "elements": { + "required": true, + "type": "string" + }, "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", "default": [ "application/json" - ], - "elements": { - "type": "string", - "required": true - } + ] } }, { "version": { - "type": "string", - "default": "kong", - "required": true, - "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", "one_of": [ "kong", "draft4" - ] + ], + "required": true, + "type": "string", + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", + "default": "kong" } }, { "parameter_schema": { - "type": "array", - "description": "Array of parameter validator specification. 
One of `body_schema` or `parameter_schema` must be specified.", + "required": false, "elements": { - "type": "record", "fields": [ { "in": { + "required": true, "type": "string", "description": "The location of the parameter.", "one_of": [ "query", "header", "path" - ], - "required": true + ] } }, { "name": { + "required": true, "type": "string", - "description": "The name of the parameter. Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`.", - "required": true + "description": "The name of the parameter. Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`." } }, { "required": { + "required": true, "type": "boolean", - "description": "Determines whether this parameter is mandatory.", - "required": true + "description": "Determines whether this parameter is mandatory." } }, { @@ -143,17 +140,19 @@ ] } } - ] + ], + "type": "record" }, - "required": false + "type": "array", + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified." } }, { "verbose_response": { + "required": true, "type": "boolean", "description": "If enabled, the plugin returns more verbose and detailed validation errors.", - "default": false, - "required": true + "default": false } } ], @@ -165,6 +164,7 @@ ] } ], + "type": "record", "required": true } } diff --git a/schemas/response-ratelimiting/3.7.x.json b/schemas/response-ratelimiting/3.7.x.json index ede9fa94..bee283f1 100644 --- a/schemas/response-ratelimiting/3.7.x.json +++ b/schemas/response-ratelimiting/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -12,27 +13,25 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "header_name": { @@ -43,9 +42,9 @@ }, { "limit_by": { + "default": "consumer", "type": "string", "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", - "default": "consumer", "one_of": [ "consumer", "credential", @@ -55,9 +54,9 @@ }, { "policy": { + "default": "local", "type": "string", "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", - "default": "local", "one_of": [ "local", "cluster", @@ -67,16 +66,14 @@ }, { "fault_tolerant": { + "required": true, "type": "boolean", "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", - "default": true, - "required": true + "default": true } }, { "redis": { - "type": "record", - "description": "Redis configuration", "fields": [ { "host": { @@ -86,9 +83,9 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 
@@ -97,9 +94,9 @@ }, { "timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 
@@ -109,78 +106,94 @@ { "username": { "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." } }, { "password": { - "type": "string", "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "referenceable": true, + "type": "string", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "len_min": 0 } }, { "database": { - "type": "integer", "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer", "default": 0 } }, { "ssl": { - "type": "boolean", + "required": false, "description": "If set to true, uses SSL to connect to Redis.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "ssl_verify": { - "type": "boolean", + "required": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "server_name": { - "type": "string", + "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false + "type": "string" } } ], + "description": "Redis configuration", + "type": "record", "required": true } }, { "block_on_first_violation": { + "required": true, "type": "boolean", "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", - "default": false, - "required": true + "default": false } }, { "hide_client_headers": { + "required": true, "type": "boolean", "description": "Optionally hide informative response headers.", - "default": false, - "required": true + "default": false } }, { "limits": { - "type": "map", "keys": { "type": "string" }, + "len_min": 1, "required": true, "description": "A map that defines rate limits for the plugin.", + "type": "map", "values": { + "required": true, + "entity_checks": [ + { + "at_least_one_of": [ + "second", + "minute", + "hour", + "day", + "month", + "year" + ] + } + ], "type": "record", "fields": [ { @@ -219,28 +232,18 @@ "gt": 0 } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "second", - "minute", - "hour", - "day", - "month", - "year" - ] - } - ], - "required": true - }, - "len_min": 1 + ] + } } } ], "shorthand_fields": [ { "redis_host": { + "deprecation": { + "message": "response-ratelimiting: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + }, "type": "string", "translate_backwards": [ "redis", 
@@ -250,6 +253,10 @@ }, { "redis_port": { + "deprecation": { + "message": "response-ratelimiting: config.redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0" + }, "type": "integer", "translate_backwards": [ "redis", @@ -259,16 +266,24 @@ }, { "redis_password": { + "len_min": 0, + "deprecation": { + "message": "response-ratelimiting: config.redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0" + }, "type": "string", "translate_backwards": [ "redis", "password" - ], - "len_min": 0 + ] } }, { "redis_username": { + "deprecation": { + "message": "response-ratelimiting: config.redis_username is deprecated, please use config.redis.username instead", + "removal_in_version": "4.0" + }, "type": "string", "translate_backwards": [ "redis", @@ -278,6 +293,10 @@ }, { "redis_ssl": { + "deprecation": { + "message": "response-ratelimiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0" + }, "type": "boolean", "translate_backwards": [ "redis", @@ -287,6 +306,10 @@ }, { "redis_ssl_verify": { + "deprecation": { + "message": "response-ratelimiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0" + }, "type": "boolean", "translate_backwards": [ "redis", @@ -296,6 +319,10 @@ }, { "redis_server_name": { + "deprecation": { + "message": "response-ratelimiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0" + }, "type": "string", "translate_backwards": [ "redis", @@ -305,6 +332,10 @@ }, { "redis_timeout": { + "deprecation": { + "message": "response-ratelimiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", + "removal_in_version": "4.0" + }, "type": "integer", "translate_backwards": [ "redis", 
@@ -314,6 +345,10 @@ }, { "redis_database": { + "deprecation": { + "message": "response-ratelimiting: config.redis_database is deprecated, please use config.redis.database instead", + "removal_in_version": "4.0" + }, "type": "integer", "translate_backwards": [ "redis", @@ -322,6 +357,7 @@ } } ], + "type": "record", "required": true } } @@ -329,37 +365,37 @@ "entity_checks": [ { "conditional": { - "then_field": "config.redis.host", "if_field": "config.policy", - "then_match": { - "required": true - }, "if_match": { "eq": "redis" + }, + "then_field": "config.redis.host", + "then_match": { + "required": true } } }, { "conditional": { - "then_field": "config.redis.port", "if_field": "config.policy", - "then_match": { - "required": true - }, "if_match": { "eq": "redis" + }, + "then_field": "config.redis.port", + "then_match": { + "required": true } } }, { "conditional": { - "then_field": "config.redis.timeout", "if_field": "config.policy", - "then_match": { - "required": true - }, "if_match": { "eq": "redis" + }, + "then_field": "config.redis.timeout", + "then_match": { + "required": true } } } diff --git a/schemas/response-transformer-advanced/3.7.x.json b/schemas/response-transformer-advanced/3.7.x.json index e6ac84ed..30740564 100644 --- a/schemas/response-transformer-advanced/3.7.x.json +++ b/schemas/response-transformer-advanced/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -12,30 +13,27 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { - "type": "record", "fields": [ { "remove": { - "type": "record", "fields": [ { "json": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ] 
@@ -43,10 +41,10 @@ }, { "headers": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ] @@ -54,30 +52,30 @@ }, { "if_status": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ] } } ], + "type": "record", "required": true } }, { "rename": { - "type": "record", "fields": [ { "headers": { - "type": "array", "elements": { - "match": "^[^:]+:.*$", - "type": "string" + "type": "string", + "match": "^[^:]+:.*$" }, + "type": "array", "default": [ ] @@ -85,35 +83,35 @@ }, { "if_status": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ] } } ], + "type": "record", "required": true } }, { "replace": { - "type": "record", "fields": [ { "body": { - "type": "string", - "description": "String with which to replace the entire response body." + "description": "String with which to replace the entire response body.", + "type": "string" } }, { "json": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ] @@ -121,7 +119,6 @@ }, { "json_types": { - "type": "array", "elements": { "type": "string", "one_of": [ @@ -130,6 +127,7 @@ "string" ] }, + "type": "array", "default": [ ] @@ -137,10 +135,10 @@ }, { "headers": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ] @@ -148,29 +146,29 @@ }, { "if_status": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ] } } ], + "type": "record", "required": true } }, { "add": { - "type": "record", "fields": [ { "json": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ] @@ -178,7 +176,6 @@ }, { "json_types": { - "type": "array", "elements": { "type": "string", "one_of": [ @@ -187,6 +184,7 @@ "string" ] }, + "type": "array", "default": [ ] @@ -194,10 +192,10 @@ }, { "headers": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ] 
@@ -205,29 +203,29 @@ }, { "if_status": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ] } } ], + "type": "record", "required": true } }, { "append": { - "type": "record", "fields": [ { "json": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ] @@ -235,7 +233,6 @@ }, { "json_types": { - "type": "array", "elements": { "type": "string", "one_of": [ @@ -244,6 +241,7 @@ "string" ] }, + "type": "array", "default": [ ] @@ -251,10 +249,10 @@ }, { "headers": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ] @@ -262,22 +260,22 @@ }, { "if_status": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ] } } ], + "type": "record", "required": true } }, { "allow": { - "type": "record", "fields": [ { "json": { @@ -288,19 +286,19 @@ } } ], + "type": "record", "required": true } }, { "transform": { - "type": "record", "fields": [ { "functions": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ] @@ -308,10 +306,10 @@ }, { "if_status": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ] @@ -319,16 +317,17 @@ }, { "json": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ] } } ], + "type": "record", "required": true } }, @@ -340,6 +339,7 @@ } } ], + "type": "record", "required": true } } diff --git a/schemas/response-transformer/3.7.x.json b/schemas/response-transformer/3.7.x.json index ef707e6d..67d2c9ec 100644 --- a/schemas/response-transformer/3.7.x.json +++ b/schemas/response-transformer/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -12,93 +13,91 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { - "type": "record", "fields": [ { "remove": { - "type": "record", "fields": [ { "json": { - "type": "array", + "required": true, "elements": { "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "headers": { - "type": "array", + "required": true, "elements": { "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } } ], + "type": "record", "required": true } }, { "rename": { - "type": "record", "fields": [ { "headers": { - "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } } ], + "type": "record", "required": true } }, { "replace": { - "type": "record", "fields": [ { "json": { - "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "json_types": { - "type": "array", + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -107,50 +106,50 @@ "string" ] }, + "type": "array", "default": [ - ], - "required": true, - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." + ] } }, { "headers": { - "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } } ], + "type": "record", "required": true } }, { "add": { - "type": "record", "fields": [ { "json": { - "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "json_types": { - "type": "array", + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -159,50 +158,50 @@ "string" ] }, + "type": "array", "default": [ - ], - "required": true, - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." + ] } }, { "headers": { - "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } } ], + "type": "record", "required": true } }, { "append": { - "type": "record", "fields": [ { "json": { - "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } }, { "json_types": { - "type": "array", + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "required": true, "elements": { "type": "string", "one_of": [ @@ -211,31 +210,32 @@ "string" ] }, + "type": "array", "default": [ - ], - "required": true, - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." + ] } }, { "headers": { - "type": "array", + "required": true, "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, + "type": "array", "default": [ - ], - "required": true + ] } } ], + "type": "record", "required": true } } ], + "type": "record", "required": true } } diff --git a/schemas/route-by-header/3.7.x.json b/schemas/route-by-header/3.7.x.json index 265c8eee..d782454b 100644 --- a/schemas/route-by-header/3.7.x.json +++ b/schemas/route-by-header/3.7.x.json 
@@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -12,62 +13,61 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "rules": { - "type": "array", "description": "Route by header rules.", - "default": [ - - ], "elements": { "type": "record", "fields": [ { "upstream_name": { - "type": "string", - "required": true + "required": true, + "type": "string" } }, { "condition": { - "type": "map", "keys": { "type": "string" }, + "required": true, + "type": "map", + "len_min": 1, "values": { "type": "string" - }, - "required": true, - "len_min": 1 + } } } ] - } + }, + "type": "array", + "default": [ + + ] } } ], + "type": "record", "required": true } } diff --git a/schemas/route-transformer-advanced/3.7.x.json b/schemas/route-transformer-advanced/3.7.x.json index 5278e97e..65d20343 100644 --- a/schemas/route-transformer-advanced/3.7.x.json +++ b/schemas/route-transformer-advanced/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -12,27 +13,25 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "path": { 
@@ -51,8 +50,8 @@ }, { "escape_path": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } } ], @@ -65,6 +64,7 @@ ] } ], + "type": "record", "required": true } } diff --git a/schemas/saml/3.7.x.json b/schemas/saml/3.7.x.json index 9dbe54e1..443de58e 100644 --- a/schemas/saml/3.7.x.json +++ b/schemas/saml/3.7.x.json @@ -2,8 +2,8 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } @@ -11,6 +11,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -20,91 +21,89 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "assertion_consumer_path": { - "type": "string", - "required": true, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], + "required": true, + "type": "string", "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "starts_with": "/" } }, { "idp_sso_url": { - "type": "string", + "required": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": true + "type": "string" } }, { "idp_certificate": { + "encrypted": true, "referenceable": true, "required": false, - "encrypted": true, - "type": "string", - "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines." + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "type": "string" } }, { "response_encryption_key": { + "encrypted": true, "referenceable": true, "required": false, - "encrypted": true, - "type": "string", - "description": "The private encryption key required to decrypt encrypted assertions." 
+ "description": "The private encryption key required to decrypt encrypted assertions.", + "type": "string" } }, { "request_signing_key": { + "encrypted": true, "referenceable": true, "required": false, - "encrypted": true, - "type": "string", - "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well." + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", + "type": "string" } }, { "request_signing_certificate": { + "encrypted": true, "referenceable": true, "required": false, - "encrypted": true, - "type": "string", - "description": "The certificate for signing requests." + "description": "The certificate for signing requests.", + "type": "string" } }, { "request_signature_algorithm": { - "type": "string", "default": "SHA256", "required": false, "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "type": "string", "one_of": [ "SHA256", "SHA384", @@ -114,10 +113,10 @@ }, { "request_digest_algorithm": { - "type": "string", "default": "SHA256", "required": false, "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", + "type": "string", "one_of": [ "SHA256", "SHA1" @@ -126,10 +125,10 @@ }, { "response_signature_algorithm": { - "type": "string", "default": "SHA256", "required": false, "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "type": "string", "one_of": [ "SHA256", "SHA384", @@ -139,10 +138,10 @@ }, { "response_digest_algorithm": { - "type": "string", "default": "SHA256", "required": false, "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", + "type": "string", "one_of": [ "SHA256", "SHA1" 
@@ -151,17 +150,17 @@ }, { "issuer": { - "type": "string", + "required": true, "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", - "required": true + "type": "string" } }, { "nameid_format": { - "type": "string", "default": "EmailAddress", "required": false, "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", + "type": "string", "one_of": [ "Unspecified", "EmailAddress", 
@@ -172,108 +171,105 @@ }, { "validate_assertion_signature": { - "type": "boolean", + "required": false, "description": "Enable signature validation for SAML responses.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "anonymous": { - "type": "string", + "required": false, "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", - "required": false + "type": "string" } }, { "session_secret": { - "len_max": 32, - "referenceable": true, "match": "^[0-9a-zA-Z/_+]+$", - "required": true, "encrypted": true, + "referenceable": true, "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "required": true, + "len_min": 32, "type": "string", - "len_min": 32 + "len_max": 32 } }, { "session_audience": { - "type": "string", + "required": false, "description": "The session audience, for example \"my-application\"", - "default": "default", - "required": false + "type": "string", + "default": "default" } }, { "session_cookie_name": { - "type": "string", + "required": false, "description": "The session cookie name.", - "default": "session", - "required": false + "type": "string", + "default": "session" } }, { "session_remember": { - "type": "boolean", + "required": false, "description": "Enables or disables persistent sessions", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "session_remember_cookie_name": { - "type": "string", + "required": false, "description": "Persistent session cookie name", - "default": "remember", - "required": false + "type": "string", + "default": "remember" } }, { 
"session_remember_rolling_timeout": { - "type": "number", + "required": false, "description": "Persistent session rolling timeout in seconds.", - "default": 604800, - "required": false + "type": "number", + "default": 604800 } }, { "session_remember_absolute_timeout": { - "type": "number", + "required": false, "description": "Persistent session absolute timeout in seconds.", - "default": 2592000, - "required": false + "type": "number", + "default": 2592000 } }, { "session_idling_timeout": { - "type": "number", + "required": false, "description": "The session cookie idle time in seconds.", - "default": 900, - "required": false + "type": "number", + "default": 900 } }, { "session_rolling_timeout": { - "type": "number", + "required": false, "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", - "default": 3600, - "required": false + "type": "number", + "default": 3600 } }, { "session_absolute_timeout": { - "type": "number", + "required": false, "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", - "default": 86400, - "required": false + "type": "number", + "default": 86400 } }, { "session_cookie_path": { - "type": "string", - "default": "/", - "required": false, "match_none": [ { "pattern": "//", 
@@ -281,22 +277,25 @@ } ], "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "starts_with": "/" + "required": false, + "type": "string", + "starts_with": "/", + "default": "/" } }, { "session_cookie_domain": { - "type": "string", + "required": false, "description": "The session cookie domain flag.", - "required": false + "type": "string" } }, { "session_cookie_same_site": { - "type": "string", "default": "Lax", "required": false, "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "type": "string", "one_of": [ "Strict", "Lax", @@ -307,17 +306,17 @@ }, { "session_cookie_http_only": { - "type": "boolean", + "required": false, "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "default": true, - "required": false + "type": "boolean", + "default": true } }, { "session_cookie_secure": { - "type": "boolean", + "required": false, "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "required": false + "type": "boolean" } }, { @@ -356,10 +355,10 @@ }, { "session_storage": { - "type": "string", "default": "cookie", "required": false, "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", + "type": "string", "one_of": [ "cookie", "memcache", 
@@ -370,64 +369,64 @@ }, { "session_store_metadata": { - "type": "boolean", + "required": false, "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "session_enforce_same_subject": { - "type": "boolean", + "required": false, "description": "When set to `true`, audiences are forced to share the same subject.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "session_hash_subject": { - "type": "boolean", + "required": false, "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "session_hash_storage_key": { - "type": "boolean", + "required": false, "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "session_memcached_prefix": { - "type": "string", + "required": false, "description": "The memcached session key prefix.", - "required": false + "type": "string" } }, { "session_memcached_socket": { - "type": "string", + "required": false, "description": "The memcached unix socket path.", - "required": false + "type": "string" } }, { "session_memcached_host": { - "type": "string", + "required": false, "description": "The memcached host.", - "default": "127.0.0.1", - "required": false + "type": "string", + "default": "127.0.0.1" } }, { "session_memcached_port": { - "type": "integer", "default": 11211, "required": false, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 @@ -436,32 +435,32 @@ }, { "session_redis_prefix": { - "type": "string", + "required": false, "description": "The Redis session key prefix.", - "required": false + "type": "string" } }, { "session_redis_socket": { - "type": "string", + "required": false, "description": "The Redis unix socket path.", - "required": false + "type": "string" } }, { "session_redis_host": { - "type": "string", + "required": false, "description": "The Redis host IP.", - "default": "127.0.0.1", - "required": false + "type": "string", + "default": "127.0.0.1" } }, { "session_redis_port": { - "type": "integer", "default": 6379, "required": false, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 
@@ -470,85 +469,84 @@ }, { "session_redis_username": { + "required": false, "type": "string", - "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", "referenceable": true, - "required": false + "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." } }, { "session_redis_password": { + "encrypted": true, "referenceable": true, "required": false, - "encrypted": true, - "type": "string", - "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. This value is pulled from" + "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. 
This value is pulled from", + "type": "string" } }, { "session_redis_connect_timeout": { - "type": "integer", + "required": false, "description": "The Redis connection timeout in milliseconds.", - "required": false + "type": "integer" } }, { "session_redis_read_timeout": { - "type": "integer", + "required": false, "description": "The Redis read timeout in milliseconds.", - "required": false + "type": "integer" } }, { "session_redis_send_timeout": { - "type": "integer", + "required": false, "description": "The Redis send timeout in milliseconds.", - "required": false + "type": "integer" } }, { "session_redis_ssl": { - "type": "boolean", + "required": false, "description": "Use SSL/TLS for the Redis connection.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "session_redis_ssl_verify": { - "type": "boolean", + "required": false, "description": "Verify the Redis server certificate.", - "default": false, - "required": false + "type": "boolean", + "default": false } }, { "session_redis_server_name": { - "type": "string", + "required": false, "description": "The SNI used for connecting to the Redis server.", - "required": false + "type": "string" } }, { "session_redis_cluster_nodes": { - "type": "array", - "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", + "required": false, "elements": { "type": "record", "fields": [ { "ip": { + "required": true, "type": "string", "description": "A string representing a host name, such as example.com.", - "default": "127.0.0.1", - "required": true + "default": "127.0.0.1" } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 
@@ -557,90 +555,148 @@ } ] }, - "required": false + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", + "type": "array" } }, { "session_redis_cluster_max_redirections": { - "type": "integer", + "required": false, "description": "The Redis cluster maximum redirects.", - "required": false + "type": "integer" } } ], + "required": true, "shorthand_fields": [ { "session_cookie_lifetime": { - "type": "number" + "type": "number", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead" + } } }, { "session_cookie_idletime": { - "type": "number" + "type": "number", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead" + } } }, { "session_cookie_samesite": { - "type": "string" + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead" + } } }, { "session_cookie_httponly": { - "type": "boolean" + "type": "boolean", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead" + } } }, { "session_memcache_prefix": { - "type": "string" + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead" + } } }, { "session_memcache_socket": { - "type": "string" + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead" + } } }, { 
"session_memcache_host": { - "type": "string" + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead" + } } }, { "session_memcache_port": { - "type": "integer" + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead" + } } }, { "session_redis_cluster_maxredirections": { - "type": "integer" + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_cluster_maxredirections is deprecated, please use config.session_redis_cluster_max_redirections instead" + } } }, { "session_cookie_renew": { - "type": "number" + "type": "number", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_renew option does not exist anymore" + } } }, { "session_cookie_maxsize": { - "type": "integer" + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore" + } } }, { "session_strategy": { - "type": "string" + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_strategy option does not exist anymore" + } } }, { "session_compressor": { - "type": "string" + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_compressor option does not exist anymore" + } } }, { "session_auth_ttl": { - "type": "number" + "type": "number", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_auth_ttl option does not exist anymore" + } } } ], - "required": true + "type": "record" } } ], 
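Review bot: Every `deprecation.message` added under `shorthand_fields` in schemas/saml/3.7.x.json (hunk `@@ -557,90 +555,148 @@`) begins with `openid-connect:`, although this file describes the saml plugin. An operator who gets `openid-connect: config.session_cookie_lifetime is deprecated, ...` while configuring saml may look for the setting in the wrong plugin and leave the deprecated session option in place. Because the file is pulled from the API, the text presumably originates upstream. I would report it there and, until it is fixed, have the rendered docs name the plugin this schema belongs to. The enclosing `config` record opens before this hunk.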
diff --git a/schemas/session/3.7.x.json b/schemas/session/3.7.x.json index bb8b19ca..db316884 100644 --- a/schemas/session/3.7.x.json +++ b/schemas/session/3.7.x.json @@ -2,8 +2,8 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } @@ -11,6 +11,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -27,43 +28,41 @@ "wss" ] }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "secret": { - "type": "string", - "default": "RXgNNJXCPEnI5Dl88JYZHkYm3cNyC56V8v9nvBERTWcj", + "encrypted": true, + "referenceable": true, "required": false, + "type": "string", "description": "The secret that is used in keyed HMAC generation.", - "encrypted": true, - "referenceable": true + "default": "4Xkz87KN9Mdq3BsyMOndCz3cjxVWxf4ndnK6tPTGKhYd" } }, { "storage": { + "default": "cookie", "type": "string", "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", - "default": "cookie", "one_of": [ "cookie", "kong" 
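Review bot: In hunk `@@ -27,43 +28,41 @@` of schemas/session/3.7.x.json, the `default` of `config.secret` is a concrete key string that differs from the one it replaces in the same 3.7.x file. This suggests the API returns a value generated per instance rather than a fixed default, though that is inferred from the two values because the generator is not visible here. Publishing it as the documented default for the HMAC secret invites readers to copy a publicly known key into their configuration, and it makes every schema refresh produce a spurious diff. I would have the download step drop the `"default": "..."` line from the `secret` entry, or replace the value with a neutral marker, and document that a secret must be set explicitly. The `config` record continues past the end of this hunk.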
@@ -121,15 +120,15 @@ }, { "cookie_domain": { - "type": "string", - "description": "The domain with which the cookie is intended to be exchanged." + "description": "The domain with which the cookie is intended to be exchanged.", + "type": "string" } }, { "cookie_same_site": { - "type": "string", - "description": "Determines whether and how a cookie may be sent with cross-site requests.", "default": "Strict", + "description": "Determines whether and how a cookie may be sent with cross-site requests.", + "type": "string", "one_of": [ "Strict", "Lax", @@ -182,8 +181,6 @@ }, { "response_headers": { - "type": "set", - "description": "List of information to include, as headers, in the response to the downstream.", "elements": { "type": "string", "one_of": [ @@ -195,13 +192,13 @@ "rolling-timeout", "absolute-timeout" ] - } + }, + "description": "List of information to include, as headers, in the response to the downstream.", + "type": "set" } }, { "request_headers": { - "type": "set", - "description": "List of information to include, as headers, in the response to the downstream.", "elements": { "type": "string", "one_of": [ @@ -213,7 +210,9 @@ "rolling-timeout", "absolute-timeout" ] - } + }, + "description": "List of information to include, as headers, in the response to the downstream.", + "type": "set" } }, { @@ -224,12 +223,7 @@ }, { "logout_methods": { - "type": "set", "description": "A set of HTTP methods that the plugin will respond to.", - "default": [ - "POST", - "DELETE" - ], "elements": { "type": "string", "one_of": [ @@ -237,7 +231,12 @@ "POST", "DELETE" ] - } + }, + "type": "set", + "default": [ + "POST", + "DELETE" + ] } }, { @@ -292,6 +291,7 @@ } } ], + "type": "record", "required": true } } diff --git a/schemas/statsd-advanced/3.7.x.json b/schemas/statsd-advanced/3.7.x.json index 69880257..0d0f2104 100644 --- a/schemas/statsd-advanced/3.7.x.json +++ b/schemas/statsd-advanced/3.7.x.json 
@@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -19,27 +20,25 @@ "wss" ] }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "host": { @@ -50,9 +49,9 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 
@@ -69,83 +68,11 @@ { "metrics": { "type": "array", - "description": "List of Metrics to be logged.", - "default": [ - { - "stat_type": "counter", - "sample_rate": 1, - "name": "request_count" - }, - { - "name": "latency", - "stat_type": "timer" - }, - { - "name": "request_size", - "stat_type": "timer" - }, - { - "stat_type": "counter", - "sample_rate": 1, - "name": "status_count" - }, - { - "name": "response_size", - "stat_type": "timer" - }, - { - "name": "unique_users", - "stat_type": "set" - }, - { - "stat_type": "counter", - "sample_rate": 1, - "name": "request_per_user" - }, - { - "name": "upstream_latency", - "stat_type": "timer" - }, - { - "name": "kong_latency", - "stat_type": "timer" - }, - { - "stat_type": "counter", - "sample_rate": 1, - "name": "status_count_per_user" - }, - { - "stat_type": "counter", - "sample_rate": 1, - "name": "status_count_per_workspace" - }, - { - "stat_type": "counter", - "sample_rate": 1, - "name": "status_count_per_user_per_route" - }, - { - "stat_type": "gauge", - "sample_rate": 1, - "name": "shdict_usage" - }, - { - "stat_type": "counter", - "sample_rate": 1, - "name": "cache_datastore_hits_total" - }, - { - "stat_type": "counter", - "sample_rate": 1, - "name": "cache_datastore_misses_total" - } - ], "elements": { - "type": "record", "fields": [ { "name": { + "required": true, "type": "string", "one_of": [ "kong_latency", @@ -163,12 +90,12 @@ "shdict_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" - ], - "required": true + ] } }, { "stat_type": { + "required": true, "type": "string", "one_of": [ "counter", @@ -177,8 +104,7 @@ "meter", "set", "timer" - ], - "required": true + ] } }, { 
@@ -221,25 +147,21 @@ "entity_checks": [ { "conditional": { - "then_field": "stat_type", "if_field": "name", - "then_match": { - "eq": "set" - }, "if_match": { "one_of": [ "unique_users" ] + }, + "then_field": "stat_type", + "then_match": { + "eq": "set" } } }, { "conditional": { - "then_field": "stat_type", "if_field": "name", - "then_match": { - "eq": "counter" - }, "if_match": { "one_of": [ "request_count", 
@@ -251,57 +173,134 @@ "cache_datastore_hits_total", "cache_datastore_misses_total" ] + }, + "then_field": "stat_type", + "then_match": { + "eq": "counter" } } }, { "conditional": { - "then_field": "stat_type", "if_field": "name", - "then_match": { - "eq": "gauge" - }, "if_match": { "one_of": [ "shdict_usage" ] + }, + "then_field": "stat_type", + "then_match": { + "eq": "gauge" } } }, { "conditional": { - "then_field": "sample_rate", "if_field": "stat_type", - "then_match": { - "required": true - }, "if_match": { "one_of": [ "counter", "gauge" ] + }, + "then_field": "sample_rate", + "then_match": { + "required": true } } } - ] - } + ], + "type": "record" + }, + "description": "List of Metrics to be logged.", + "default": [ + { + "stat_type": "counter", + "name": "request_count", + "sample_rate": 1 + }, + { + "name": "latency", + "stat_type": "timer" + }, + { + "name": "request_size", + "stat_type": "timer" + }, + { + "stat_type": "counter", + "name": "status_count", + "sample_rate": 1 + }, + { + "name": "response_size", + "stat_type": "timer" + }, + { + "name": "unique_users", + "stat_type": "set" + }, + { + "stat_type": "counter", + "name": "request_per_user", + "sample_rate": 1 + }, + { + "name": "upstream_latency", + "stat_type": "timer" + }, + { + "name": "kong_latency", + "stat_type": "timer" + }, + { + "stat_type": "counter", + "name": "status_count_per_user", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "status_count_per_workspace", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "status_count_per_user_per_route", + "sample_rate": 1 + }, + { + "stat_type": "gauge", + "name": "shdict_usage", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "cache_datastore_hits_total", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "cache_datastore_misses_total", + "sample_rate": 1 + } + ] } }, { "allow_status_codes": { - "type": "array", - "description": "List of status code ranges that are allowed to be 
logged in metrics.", "elements": { "type": "string", "match": "^[0-9]+-[0-9]+$" - } + }, + "type": "array", + "description": "List of status code ranges that are allowed to be logged in metrics." } }, { "udp_packet_size": { + "default": 0, "type": "number", "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", - "default": 0, "between": [ 0, 65507 @@ -324,10 +323,10 @@ }, { "consumer_identifier_default": { - "type": "string", "default": "custom_id", "required": true, "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", + "type": "string", "one_of": [ "consumer_id", "custom_id", @@ -337,10 +336,10 @@ }, { "service_identifier_default": { - "type": "string", "default": "service_name_or_host", "required": true, "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", + "type": "string", "one_of": [ "service_id", "service_name", @@ -351,10 +350,10 @@ }, { "workspace_identifier_default": { - "type": "string", "default": "workspace_id", "required": true, "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", + "type": "string", "one_of": [ "workspace_id", "workspace_name" @@ -363,13 +362,12 @@ }, { "queue": { - "type": "record", "fields": [ { "max_batch_size": { + "default": 1, "type": "integer", "description": "Maximum number of entries that can be processed at a time.", - "default": 1, "between": [ 1, 1000000 
@@ -378,9 +376,9 @@ }, { "max_coalescing_delay": { + "default": 1, "type": "number", "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "default": 1, "between": [ 0, 3600 @@ -389,9 +387,9 @@ }, { "max_entries": { + "default": 10000, "type": "integer", "description": "Maximum number of entries that can be waiting on the queue.", - "default": 10000, "between": [ 1, 1000000 @@ -413,9 +411,9 @@ }, { "initial_retry_delay": { + "default": 0.01, "type": "number", "description": "Time in seconds before the initial retry is made for a failing batch.", - "default": 0.01, "between": [ 0.001, 1000000 @@ -424,9 +422,9 @@ }, { "max_retry_delay": { + "default": 60, "type": "number", "description": "Maximum time in seconds between retries, caps exponential backoff.", - "default": 60, "between": [ 0.001, 1000000 @@ -434,10 +432,12 @@ } } ], + "type": "record", "required": true } } ], + "type": "record", "required": true } } diff --git a/schemas/statsd/3.7.x.json b/schemas/statsd/3.7.x.json index ab47d696..b2741422 100644 --- a/schemas/statsd/3.7.x.json +++ b/schemas/statsd/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS.", 
@@ -19,40 +20,38 @@ "wss" ] }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "host": { - "type": "string", "description": "The IP address or hostname of StatsD server to send data to.", + "type": "string", "default": "localhost" } }, { "port": { - "type": "integer", - "description": "The port of StatsD server to send data to.", "default": 8125, + "description": "The port of StatsD server to send data to.", + "type": "integer", "between": [ 0, 65535 
@@ -61,95 +60,21 @@ }, { "prefix": { - "type": "string", "description": "String to prefix to each metric's name.", + "type": "string", "default": "kong" } }, { "metrics": { - "type": "array", "description": "List of metrics to be logged.", - "default": [ - { - "stat_type": "counter", - "name": "request_count", - "sample_rate": 1 - }, - { - "name": "latency", - "stat_type": "timer" - }, - { - "stat_type": "counter", - "name": "request_size", - "sample_rate": 1 - }, - { - "stat_type": "counter", - "name": "status_count", - "sample_rate": 1 - }, - { - "stat_type": "counter", - "name": "response_size", - "sample_rate": 1 - }, - { - "name": "unique_users", - "stat_type": "set" - }, - { - "stat_type": "counter", - "name": "request_per_user", - "sample_rate": 1 - }, - { - "name": "upstream_latency", - "stat_type": "timer" - }, - { - "name": "kong_latency", - "stat_type": "timer" - }, - { - "stat_type": "counter", - "name": "status_count_per_user", - "sample_rate": 1 - }, - { - "stat_type": "counter", - "name": "status_count_per_workspace", - "sample_rate": 1 - }, - { - "stat_type": "counter", - "name": "status_count_per_user_per_route", - "sample_rate": 1 - }, - { - "stat_type": "gauge", - "name": "shdict_usage", - "sample_rate": 1 - }, - { - "stat_type": "counter", - "name": "cache_datastore_hits_total", - "sample_rate": 1 - }, - { - "stat_type": "counter", - "name": "cache_datastore_misses_total", - "sample_rate": 1 - } - ], "elements": { - "type": "record", "fields": [ { "name": { - "type": "string", + "required": true, "description": "StatsD metric’s name.", + "type": "string", "one_of": [ "kong_latency", "latency", @@ -166,14 +91,14 @@ "shdict_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" - ], - "required": true + ] } }, { "stat_type": { - "type": "string", + "required": true, "description": "Determines what sort of event a metric represents.", + "type": "string", "one_of": [ "counter", "gauge", 
@@ -181,21 +106,20 @@ "meter", "set", "timer" - ], - "required": true + ] } }, { "sample_rate": { - "type": "number", "description": "Sampling rate", + "type": "number", "gt": 0 } }, { "consumer_identifier": { - "type": "string", "description": "Authenticated user detail.", + "type": "string", "one_of": [ "consumer_id", "custom_id", @@ -205,8 +129,8 @@ }, { "service_identifier": { - "type": "string", "description": "Service detail.", + "type": "string", "one_of": [ "service_id", "service_name", @@ -217,8 +141,8 @@ }, { "workspace_identifier": { - "type": "string", "description": "Workspace detail.", + "type": "string", "one_of": [ "workspace_id", "workspace_name" 
@@ -229,37 +153,112 @@ "entity_checks": [ { "conditional": { - "then_field": "sample_rate", "if_field": "stat_type", - "then_match": { - "required": true - }, "if_match": { "one_of": [ "counter", "gauge" ] + }, + "then_field": "sample_rate", + "then_match": { + "required": true } } } - ] - } + ], + "type": "record" + }, + "type": "array", + "default": [ + { + "stat_type": "counter", + "name": "request_count", + "sample_rate": 1 + }, + { + "name": "latency", + "stat_type": "timer" + }, + { + "stat_type": "counter", + "name": "request_size", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "status_count", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "response_size", + "sample_rate": 1 + }, + { + "stat_type": "set", + "name": "unique_users" + }, + { + "stat_type": "counter", + "name": "request_per_user", + "sample_rate": 1 + }, + { + "name": "upstream_latency", + "stat_type": "timer" + }, + { + "name": "kong_latency", + "stat_type": "timer" + }, + { + "stat_type": "counter", + "name": "status_count_per_user", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "status_count_per_workspace", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "status_count_per_user_per_route", + "sample_rate": 1 + }, + { + "stat_type": "gauge", + "name": "shdict_usage", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "cache_datastore_hits_total", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "cache_datastore_misses_total", + "sample_rate": 1 + } + ] } }, { "allow_status_codes": { - "type": "array", - "description": "List of status code ranges that are allowed to be logged in metrics.", "elements": { "type": "string", "match": "^[0-9]+-[0-9]+$" - } + }, + "description": "List of status code ranges that are allowed to be logged in metrics.", + "type": "array" } }, { "udp_packet_size": { - "type": "number", "default": 0, + "type": "number", "between": [ 0, 65507 
@@ -280,76 +279,90 @@ }, { "consumer_identifier_default": { + "required": true, + "default": "custom_id", "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ], - "default": "custom_id", - "required": true + ] } }, { "service_identifier_default": { + "required": true, + "default": "service_name_or_host", "type": "string", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ], - "default": "service_name_or_host", - "required": true + ] } }, { "workspace_identifier_default": { + "required": true, + "default": "workspace_id", "type": "string", "one_of": [ "workspace_id", "workspace_name" - ], - "default": "workspace_id", - "required": true + ] } }, { "retry_count": { - "type": "integer" + "type": "integer", + "deprecation": { + "old_default": 10, + "removal_in_version": "4.0", + "message": "statsd: config.retry_count no longer works, please use config.queue.max_retry_time instead" + } } }, { "queue_size": { - "type": "integer" + "type": "integer", + "deprecation": { + "old_default": 1, + "removal_in_version": "4.0", + "message": "statsd: config.queue_size is deprecated, please use config.queue.max_batch_size instead" + } } }, { "flush_timeout": { - "type": "number" + "type": "number", + "deprecation": { + "old_default": 2, + "removal_in_version": "4.0", + "message": "statsd: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead" + } } }, { "tag_style": { + "required": false, "type": "string", "one_of": [ "dogstatsd", "influxdb", "librato", "signalfx" - ], - "required": false + ] } }, { "queue": { - "type": "record", "fields": [ { "max_batch_size": { + "default": 1, "type": "integer", "description": "Maximum number of entries that can be processed at a time.", - "default": 1, "between": [ 1, 1000000 
@@ -358,9 +371,9 @@ }, { "max_coalescing_delay": { + "default": 1, "type": "number", "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "default": 1, "between": [ 0, 3600 @@ -369,9 +382,9 @@ }, { "max_entries": { + "default": 10000, "type": "integer", "description": "Maximum number of entries that can be waiting on the queue.", - "default": 10000, "between": [ 1, 1000000 @@ -393,9 +406,9 @@ }, { "initial_retry_delay": { + "default": 0.01, "type": "number", "description": "Time in seconds before the initial retry is made for a failing batch.", - "default": 0.01, "between": [ 0.001, 1000000 @@ -404,9 +417,9 @@ }, { "max_retry_delay": { + "default": 60, "type": "number", "description": "Maximum time in seconds between retries, caps exponential backoff.", - "default": 60, "between": [ 0.001, 1000000 @@ -414,21 +427,12 @@ } } ], + "type": "record", "required": true } } ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "retry_count", - "queue_size", - "flush_timeout" - ] - } - } - ], + "type": "record", "required": true } } diff --git a/schemas/syslog/3.7.x.json b/schemas/syslog/3.7.x.json index c306b440..b6825600 100644 --- a/schemas/syslog/3.7.x.json +++ b/schemas/syslog/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS.", 
@@ -19,30 +20,30 @@ "wss" ] }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "log_level": { + "required": true, + "default": "info", "type": "string", "one_of": [ "debug", @@ -53,13 +54,13 @@ "crit", "alert", "emerg" - ], - "default": "info", - "required": true + ] } }, { "successful_severity": { + "required": true, + "default": "info", "type": "string", "one_of": [ "debug", @@ -70,13 +71,13 @@ "crit", "alert", "emerg" - ], - "default": "info", - "required": true + ] } }, { "client_errors_severity": { + "required": true, + "default": "info", "type": "string", "one_of": [ "debug", @@ -87,13 +88,13 @@ "crit", "alert", "emerg" - ], - "default": "info", - "required": true + ] } }, { "server_errors_severity": { + "required": true, + "default": "info", "type": "string", "one_of": [ "debug", @@ -104,18 +105,16 @@ "crit", "alert", "emerg" - ], - "default": "info", - "required": true + ] } }, { "custom_fields_by_lua": { - "type": "map", "keys": { "type": "string", "len_min": 1 }, + "type": "map", "description": "Lua code as a key-value map", "values": { "type": "string", @@ -125,10 +124,10 @@ }, { "facility": { - "type": "string", "default": "user", "required": true, "description": "The facility is used by the operating system to decide how to handle each log message.", + "type": "string", "one_of": [ "auth", "authpriv", @@ -154,6 +153,7 @@ } } ], + "type": "record", "required": true } } diff --git a/schemas/tcp-log/3.7.x.json b/schemas/tcp-log/3.7.x.json index 222307c2..ac50f9ad 100644 --- a/schemas/tcp-log/3.7.x.json +++ b/schemas/tcp-log/3.7.x.json 
@@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -19,40 +20,38 @@ "wss" ] }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "host": { + "required": true, "type": "string", - "description": "The IP address or host name to send data to.", - "required": true + "description": "The IP address or host name to send data to." } }, { "port": { - "type": "integer", - "description": "The port to send data to on the upstream server.", "required": true, + "description": "The port to send data to on the upstream server.", + "type": "integer", "between": [ 0, 65535 @@ -75,10 +74,10 @@ }, { "tls": { + "required": true, "type": "boolean", "description": "Indicates whether to perform a TLS handshake against the remote server.", - "default": false, - "required": true + "default": false } }, { @@ -89,19 +88,20 @@ }, { "custom_fields_by_lua": { - "type": "map", - "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", - "keys": { + "values": { "type": "string", "len_min": 1 }, - "values": { + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", + "type": "map", + "keys": { "type": "string", "len_min": 1 } } } ], + "type": "record", "required": true } } 
diff --git a/schemas/tls-handshake-modifier/3.7.x.json b/schemas/tls-handshake-modifier/3.7.x.json index 554cd64b..b200a2ad 100644 --- a/schemas/tls-handshake-modifier/3.7.x.json +++ b/schemas/tls-handshake-modifier/3.7.x.json @@ -2,15 +2,15 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "protocols": { - "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -19,37 +19,37 @@ "tls" ] }, + "type": "set", "default": [ "https", "grpcs" - ], - "required": true + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "tls_client_certificate": { - "type": "string", "default": "REQUEST", "required": false, "description": "TLS Client Certificate", + "type": "string", "one_of": [ "REQUEST" ] } } ], + "type": "record", "required": true } } diff --git a/schemas/tls-metadata-headers/3.7.x.json b/schemas/tls-metadata-headers/3.7.x.json index 87b1aae5..507b8f50 100644 --- a/schemas/tls-metadata-headers/3.7.x.json +++ b/schemas/tls-metadata-headers/3.7.x.json @@ -2,15 +2,15 @@ "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "protocols": { - "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -19,73 +19,73 @@ "tls" ] }, + "type": "set", "default": [ "https", "grpcs" - ], - "required": true + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "inject_client_cert_details": { - "type": "boolean", "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", + "type": "boolean", "default": false } }, { "client_cert_header_name": { + "required": true, "type": "string", "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", - "default": "X-Client-Cert", - "required": true + "default": "X-Client-Cert" } }, { "client_serial_header_name": { + "required": true, "type": "string", "description": "Define the HTTP header name used for the serial number of the client certificate.", - "default": "X-Client-Cert-Serial", - "required": true + "default": "X-Client-Cert-Serial" } }, { "client_cert_issuer_dn_header_name": { + "required": true, "type": "string", "description": "Define the HTTP header name used for the issuer DN of the client certificate.", - "default": "X-Client-Cert-Issuer-DN", - "required": true + "default": "X-Client-Cert-Issuer-DN" } }, { "client_cert_subject_dn_header_name": { + "required": true, "type": "string", "description": "Define the HTTP header name used for the subject DN of the client certificate.", - "default": "X-Client-Cert-Subject-DN", - "required": true + "default": "X-Client-Cert-Subject-DN" } }, { "client_cert_fingerprint_header_name": { + "required": true, "type": "string", "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", - "default": "X-Client-Cert-Fingerprint", - "required": true + "default": "X-Client-Cert-Fingerprint" } } ], + "type": "record", "required": true } } 
diff --git a/schemas/udp-log/3.7.x.json b/schemas/udp-log/3.7.x.json index fb5badb4..fd6c991c 100644 --- a/schemas/udp-log/3.7.x.json +++ b/schemas/udp-log/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -19,40 +20,38 @@ "wss" ] }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "host": { - "type": "string", + "required": true, "description": "A string representing a host name, such as example.com.", - "required": true + "type": "string" } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 @@ -68,11 +67,11 @@ }, { "custom_fields_by_lua": { - "type": "map", "keys": { "type": "string", "len_min": 1 }, + "type": "map", "description": "Lua code as a key-value map", "values": { "type": "string", @@ -81,6 +80,7 @@ } } ], + "type": "record", "required": true } } diff --git a/schemas/upstream-timeout/3.7.x.json b/schemas/upstream-timeout/3.7.x.json index 8f06be02..5db2c5aa 100644 --- a/schemas/upstream-timeout/3.7.x.json +++ b/schemas/upstream-timeout/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -12,27 +13,25 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "read_timeout": { @@ -65,6 +64,7 @@ } } ], + "type": "record", "required": true } } diff --git a/schemas/vault-auth/3.7.x.json b/schemas/vault-auth/3.7.x.json index 7fab8589..515b0d93 100644 --- a/schemas/vault-auth/3.7.x.json +++ b/schemas/vault-auth/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -12,66 +13,64 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "consumer": { - "type": "foreign", "reference": "consumers", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "access_token_name": { - "type": "string", + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "required": true, "elements": { "type": "string", "description": "A string representing an HTTP header name." }, - "default": "access_token", - "required": true, - "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-]." + "type": "string", + "default": "access_token" } }, { "secret_token_name": { - "type": "string", + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. 
The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "required": true, "elements": { "type": "string", "description": "A string representing an HTTP header name." }, - "default": "secret_token", - "required": true, - "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-]." + "type": "string", + "default": "secret_token" } }, { "vault": { + "required": true, "type": "foreign", "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", - "reference": "vault_auth_vaults", - "required": true + "reference": "vault_auth_vaults" } }, { @@ -102,6 +101,7 @@ } } ], + "type": "record", "required": true } } diff --git a/schemas/websocket-size-limit/3.7.x.json b/schemas/websocket-size-limit/3.7.x.json index 8cd19314..e6aaf3fc 100644 --- a/schemas/websocket-size-limit/3.7.x.json +++ b/schemas/websocket-size-limit/3.7.x.json @@ -2,7 +2,7 @@ "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -10,29 +10,28 @@ "wss" ] }, + "type": "set", "default": [ "ws", "wss" - ], - "required": true + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "client_max_payload": { - "type": "integer", "required": false, + "type": "integer", "between": [ 1, 33554432 @@ -41,8 +40,8 @@ }, { "upstream_max_payload": { - "type": "integer", "required": false, + "type": "integer", "between": [ 1, 33554432 
@@ -58,6 +57,7 @@ ] } ], + "type": "record", "required": true } } diff --git a/schemas/websocket-validator/3.7.x.json b/schemas/websocket-validator/3.7.x.json index 0c595bd3..635cffa7 100644 --- a/schemas/websocket-validator/3.7.x.json +++ b/schemas/websocket-validator/3.7.x.json @@ -2,7 +2,7 @@ "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -10,51 +10,75 @@ "wss" ] }, + "type": "set", "default": [ "ws", "wss" - ], - "required": true + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "client": { + "required": false, + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } + ], "type": "record", "fields": [ { "text": { + "required": false, + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], "type": "record", "fields": [ { "type": { - "type": "string", + "required": true, "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", "one_of": [ "draft4" - ], - "required": true + ] } }, { "schema": { - "type": "string", + "required": true, "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "required": true + "type": "string" } } - ], + ] + } + }, + { + "binary": { + "required": false, "entity_checks": [ { "custom_entity_check": { 
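Review bot: The `description` strings under `config.client.text` in the `@@ -10,51 +10,75 @@` hunk of websocket-validator read "Schema used to validate upstream-originated binary frames" and refer to `config.upstream.binary.type`. The same text is repeated verbatim for `client.binary` and `upstream.text` in the following hunks. For a validation plugin this misstates which direction and frame type each schema covers, so someone configuring from the reference could assume client text frames are validated when a different slot was filled in. Each description should name its own path, e.g. for `client.text.schema`: `` "description": "Schema used to validate client-originated text frames. The semantics of this field depend on the validation type set by `config.client.text.type`." ``. If these files are pulled from the Admin API, as the series' first commit message suggests, the wording has to be corrected in the plugin's schema source rather than in this file.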
@@ -65,45 +89,34 @@ } } ], - "required": false - } - }, - { - "binary": { "type": "record", "fields": [ { "type": { - "type": "string", + "required": true, "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", "one_of": [ "draft4" - ], - "required": true + ] } }, { "schema": { - "type": "string", + "required": true, "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "required": true + "type": "string" } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "type", - "schema" - ] - } - } - ], - "required": false + ] } } - ], + ] + } + }, + { + "upstream": { + "required": false, "entity_checks": [ { "at_least_one_of": [ @@ -112,35 +125,46 @@ ] } ], - "required": false - } - }, - { - "upstream": { "type": "record", "fields": [ { "text": { + "required": false, + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], "type": "record", "fields": [ { "type": { - "type": "string", + "required": true, "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", "one_of": [ "draft4" - ], - "required": true + ] } }, { "schema": { - "type": "string", + "required": true, "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "required": true + "type": "string" } } - ], + ] + } + }, + { + "binary": { + "required": false, "entity_checks": [ { "custom_entity_check": { 
@@ -151,54 +175,29 @@ } } ], - "required": false - } - }, - { - "binary": { "type": "record", "fields": [ { "type": { - "type": "string", + "required": true, "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", "one_of": [ "draft4" - ], - "required": true + ] } }, { "schema": { - "type": "string", + "required": true, "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "required": true + "type": "string" } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "type", - "schema" - ] - } - } - ], - "required": false + ] } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "text", - "binary" - ] - } - ], - "required": false + ] } } ], @@ -210,6 +209,7 @@ ] } ], + "type": "record", "required": true } } diff --git a/schemas/xml-threat-protection/3.7.x.json b/schemas/xml-threat-protection/3.7.x.json index 2d5ade84..56b5cdf3 100644 --- a/schemas/xml-threat-protection/3.7.x.json +++ b/schemas/xml-threat-protection/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -12,284 +13,283 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "checked_content_types": { "type": "set", + "required": true, "elements": { - "match": "^[^%s]+%/[^ ;]+$", + "required": true, "type": "string", - "required": true + "match": "^[^%s]+%/[^ ;]+$" }, + "description": "A list of Content-Type values with payloads that must be validated.", "default": [ "application/xml" - ], - "required": true, - "description": "A list of Content-Type values with payloads that must be validated." + ] } }, { "allowed_content_types": { "type": "set", + "required": true, "elements": { - "match": "^[^%s]+%/[^ ;]+$", + "required": true, "type": "string", - "required": true + "match": "^[^%s]+%/[^ ;]+$" }, + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", "default": [ - ], - "required": true, - "description": "A list of Content-Type values with payloads that are allowed, but aren't validated." 
+ ] } }, { "allow_dtd": { - "type": "boolean", + "required": true, "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", - "default": false, - "required": true + "type": "boolean", + "default": false } }, { "namespace_aware": { - "type": "boolean", + "required": true, "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", - "default": true, - "required": true + "type": "boolean", + "default": true } }, { "max_depth": { - "type": "integer", - "default": 50, - "required": true, "gt": 0, - "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level." + "required": true, + "type": "integer", + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", + "default": 50 } }, { "max_children": { - "type": "integer", - "default": 100, - "required": true, "gt": 0, - "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child." + "required": true, + "type": "integer", + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", + "default": 100 } }, { "max_attributes": { - "type": "integer", - "default": 100, - "required": true, "gt": 0, - "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes." + "required": true, + "type": "integer", + "description": "Maximum number of attributes allowed on a tag, including default ones. 
Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", + "default": 100 } }, { "max_namespaces": { - "type": "integer", - "default": 20, - "required": false, "gt": 0, - "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware." + "required": false, + "type": "integer", + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", + "default": 20 } }, { "document": { - "type": "integer", - "default": 10485760, - "required": true, "gt": 0, - "description": "Maximum size of the entire document." + "required": true, + "description": "Maximum size of the entire document.", + "type": "integer", + "default": 10485760 } }, { "buffer": { - "type": "integer", - "default": 1048576, - "required": true, "gt": 0, - "description": "Maximum size of the unparsed buffer (see below)." + "required": true, + "description": "Maximum size of the unparsed buffer (see below).", + "type": "integer", + "default": 1048576 } }, { "comment": { - "type": "integer", - "default": 1024, - "required": true, "gt": 0, - "description": "Maximum size of comments." + "required": true, + "description": "Maximum size of comments.", + "type": "integer", + "default": 1024 } }, { "localname": { - "type": "integer", - "default": 1024, - "required": true, "gt": 0, - "description": "Maximum size of the localname. This applies to tags and attributes." + "required": true, + "description": "Maximum size of the localname. This applies to tags and attributes.", + "type": "integer", + "default": 1024 } }, { "prefix": { - "type": "integer", - "default": 1024, - "required": false, "gt": 0, - "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware." + "required": false, + "description": "Maximum size of the prefix. This applies to tags and attributes. 
This value is required if parsing is namespace-aware.", + "type": "integer", + "default": 1024 } }, { "namespaceuri": { - "type": "integer", - "default": 1024, - "required": false, "gt": 0, - "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware." + "required": false, + "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware.", + "type": "integer", + "default": 1024 } }, { "attribute": { - "type": "integer", - "default": 1048576, - "required": true, "gt": 0, - "description": "Maximum size of the attribute value." + "required": true, + "description": "Maximum size of the attribute value.", + "type": "integer", + "default": 1048576 } }, { "text": { - "type": "integer", - "default": 1048576, - "required": true, "gt": 0, - "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined)." + "required": true, + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", + "type": "integer", + "default": 1048576 } }, { "pitarget": { - "type": "integer", - "default": 1024, - "required": true, "gt": 0, - "description": "Maximum size of processing instruction targets." + "required": true, + "description": "Maximum size of processing instruction targets.", + "type": "integer", + "default": 1024 } }, { "pidata": { - "type": "integer", - "default": 1024, - "required": true, "gt": 0, - "description": "Maximum size of processing instruction data." + "required": true, + "description": "Maximum size of processing instruction data.", + "type": "integer", + "default": 1024 } }, { "entityname": { - "type": "integer", - "default": 1024, - "required": true, "gt": 0, - "description": "Maximum size of entity names in EntityDecl." 
+ "required": true, + "description": "Maximum size of entity names in EntityDecl.", + "type": "integer", + "default": 1024 } }, { "entity": { - "type": "integer", - "default": 1024, - "required": true, "gt": 0, - "description": "Maximum size of entity values in EntityDecl." + "required": true, + "description": "Maximum size of entity values in EntityDecl.", + "type": "integer", + "default": 1024 } }, { "entityproperty": { - "type": "integer", - "default": 1024, - "required": true, "gt": 0, - "description": "Maximum size of systemId, publicId, or notationName in EntityDecl." + "required": true, + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", + "type": "integer", + "default": 1024 } }, { "bla_max_amplification": { - "type": "number", - "default": 100, - "required": true, "gt": 1, - "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack." + "required": true, + "type": "number", + "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", + "default": 100 } }, { "bla_threshold": { - "type": "integer", - "default": 8388608, - "required": true, "gt": 1024, - "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack." + "required": true, + "description": "Sets the threshold after which the protection starts. 
This protects against the Billion Laughs Attack.", + "type": "integer", + "default": 8388608 } } ], "entity_checks": [ { "conditional": { - "then_field": "max_namespaces", "if_field": "namespace_aware", - "then_match": { - "required": true - }, "if_match": { "eq": true + }, + "then_field": "max_namespaces", + "then_match": { + "required": true } } }, { "conditional": { - "then_field": "prefix", "if_field": "namespace_aware", - "then_match": { - "required": true - }, "if_match": { "eq": true + }, + "then_field": "prefix", + "then_match": { + "required": true } } }, { "conditional": { - "then_field": "namespaceuri", "if_field": "namespace_aware", - "then_match": { - "required": true - }, "if_match": { "eq": true + }, + "then_field": "namespaceuri", + "then_match": { + "required": true } } } ], + "type": "record", "required": true } } diff --git a/schemas/zipkin/3.7.x.json b/schemas/zipkin/3.7.x.json index b6d5da59..389af427 100644 --- a/schemas/zipkin/3.7.x.json +++ b/schemas/zipkin/3.7.x.json @@ -3,6 +3,7 @@ { "protocols": { "type": "set", + "required": true, "elements": { "type": "string", "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -19,34 +20,32 @@ "wss" ] }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ], - "required": true, - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { - "type": "record", "fields": [ { "local_service_name": { + "required": true, "type": "string", "description": "The name of the service as displayed in Zipkin.", - "default": "kong", - "required": true + "default": "kong" } }, { 
@@ -57,9 +56,9 @@ }, { "sample_ratio": { + "default": 0.001, "type": "number", "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", - "default": 0.001, "between": [ 0, 1 @@ -74,17 +73,17 @@ }, { "include_credential": { + "required": true, "type": "boolean", "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", - "default": true, - "required": true + "default": true } }, { "traceid_byte_count": { - "type": "integer", "default": 16, "required": true, + "type": "integer", "description": "The length in bytes of each request's Trace ID.", "one_of": [ 8, @@ -94,10 +93,15 @@ }, { "header_type": { - "type": "string", "default": "preserve", - "required": true, "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", + "required": true, + "deprecation": { + "old_default": "preserve", + "message": "zipkin: config.header_type is deprecated, please use config.propagation options instead", + "removal_in_version": "4.0" + }, + "type": "string", "one_of": [ "preserve", "ignore", @@ -114,10 +118,15 @@ }, { "default_header_type": { - "type": "string", "default": "b3", - "required": true, "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", + "required": true, + "deprecation": { + "old_default": "b3", + "message": "zipkin: config.default_header_type is deprecated, please use config.propagation.default_format instead", + "removal_in_version": "4.0" + }, + "type": "string", "one_of": [ "b3", "b3-single", 
@@ -132,21 +141,20 @@ }, { "tags_header": { + "required": true, "type": "string", "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", - "default": "Zipkin-Tags", - "required": true + "default": "Zipkin-Tags" } }, { "static_tags": { - "type": "array", - "description": "The tags specified on this property will be added to the generated request traces.", "elements": { "type": "record", "fields": [ { "name": { + "required": true, "type": "string", "not_one_of": [ "error", @@ -162,25 +170,26 @@ "kong.service", "lc", "peer.hostname" - ], - "required": true + ] } }, { "value": { - "type": "string", - "required": true + "required": true, + "type": "string" } } ] - } + }, + "type": "array", + "description": "The tags specified on this property will be added to the generated request traces." } }, { "http_span_name": { - "type": "string", "default": "method", "required": true, + "type": "string", "description": "Specify whether to include the HTTP path in the span name.", "one_of": [ "method", @@ -190,9 +199,9 @@ }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 @@ -201,9 +210,9 @@ }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 
@@ -212,9 +221,9 @@ }, { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 @@ -228,9 +237,9 @@ }, { "phase_duration_flavor": { - "type": "string", "default": "annotations", "required": true, + "type": "string", "description": "Specify whether to include the duration of each phase as an annotation or a tag.", "one_of": [ "annotations", @@ -240,13 +249,12 @@ }, { "queue": { - "type": "record", "fields": [ { "max_batch_size": { + "default": 1, "type": "integer", "description": "Maximum number of entries that can be processed at a time.", - "default": 1, "between": [ 1, 1000000 @@ -255,9 +263,9 @@ }, { "max_coalescing_delay": { + "default": 1, "type": "number", "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "default": 1, "between": [ 0, 3600 @@ -266,9 +274,9 @@ }, { "max_entries": { + "default": 10000, "type": "integer", "description": "Maximum number of entries that can be waiting on the queue.", - "default": 10000, "between": [ 1, 1000000 @@ -290,9 +298,9 @@ }, { "initial_retry_delay": { + "default": 0.01, "type": "number", "description": "Time in seconds before the initial retry is made for a failing batch.", - "default": 0.01, "between": [ 0.001, 1000000 @@ -301,9 +309,9 @@ }, { "max_retry_delay": { + "default": 60, "type": "number", "description": "Maximum time in seconds between retries, caps exponential backoff.", - "default": 60, "between": [ 0.001, 1000000 
@@ -311,10 +319,87 @@ } } ], + "type": "record", "required": true } + }, + { + "propagation": { + "fields": [ + { + "extract": { + "elements": { + "type": "string", + "one_of": [ + "b3", + "gcp", + "jaeger", + "aws", + "ot", + "w3c", + "datadog" + ] + }, + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "type": "array" + } + }, + { + "clear": { + "elements": { + "type": "string" + }, + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", + "type": "array" + } + }, + { + "inject": { + "elements": { + "type": "string", + "one_of": [ + "preserve", + "b3", + "gcp", + "b3-single", + "jaeger", + "aws", + "ot", + "w3c", + "datadog" + ] + }, + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "type": "array" + } + }, + { + "default_format": { + "required": true, + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. 
This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "type": "string", + "one_of": [ + "b3", + "gcp", + "b3-single", + "jaeger", + "aws", + "ot", + "w3c", + "datadog" + ] + } + } + ], + "required": true, + "type": "record", + "default": { + "default_format": "b3" + } + } } ], + "type": "record", "required": true } } From 9ba4225c295f1600aeb4d409e76832cf6be0d44f Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 23 Apr 2024 14:02:47 +0000 Subject: [PATCH 045/165] Update dependency ruby to v3.3.1 --- .ruby-version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.ruby-version b/.ruby-version index ef538c28..bea438e9 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -3.1.2 +3.3.1 From 70fe802bcd5da7c03532beccc790563a16bfdda9 Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Wed, 15 May 2024 10:05:53 -0700 Subject: [PATCH 046/165] regenerate plugin priorities and schemas for 3.6.1.4 (#29) --- data/priorities/ee/3.6.x.json | 23 ++- schemas/application-registration/3.6.x.json | 60 +++--- schemas/mtls-auth/3.6.x.json | 122 ++++++------ schemas/oas-validation/3.6.x.json | 60 +++--- schemas/rate-limiting-advanced/3.6.x.json | 200 +++++++++---------- schemas/websocket-size-limit/3.6.x.json | 30 +-- schemas/websocket-validator/3.6.x.json | 30 +-- schemas/xml-threat-protection/3.6.x.json | 204 ++++++++++---------- 8 files changed, 374 insertions(+), 355 deletions(-) diff --git a/data/priorities/ee/3.6.x.json b/data/priorities/ee/3.6.x.json index 3e8bd4d4..9374139f 100644 --- a/data/priorities/ee/3.6.x.json +++ b/data/priorities/ee/3.6.x.json @@ -1,6 +1,5 @@ { "pre-function": 1000000, - "app-dynamics": 999999, "correlation-id": 100001, "zipkin": 100000, "exit-transformer": 9999, 
@@ -15,18 +14,19 @@ "jwt": 1450, "oauth2": 1400, "vault-auth": 1350, - "key-auth-enc": 1250, "key-auth": 1250, + "key-auth-enc": 1250, "ldap-auth": 1200, "ldap-auth-advanced": 1200, "basic-auth": 1100, "openid-connect": 1050, "hmac-auth": 1030, "jwt-signer": 1020, - "websocket-size-limit": 999, + "saml": 1010, + "xml-threat-protection": 1008, + "websocket-validator": 1006, + "websocket-size-limit": 1003, "request-validator": 999, - "xml-threat-protection": 999, - "websocket-validator": 999, "grpc-gateway": 998, "tls-handshake-modifier": 997, "tls-metadata-headers": 996, @@ -35,25 +35,30 @@ "request-size-limiting": 951, "acl": 950, "opa": 920, - "rate-limiting-advanced": 910, "rate-limiting": 910, + "rate-limiting-advanced": 910, "graphql-rate-limiting-advanced": 902, - "saml": 900, "response-ratelimiting": 900, "route-by-header": 850, - "oas-validation": 850, + "oas-validation": 840, "jq": 811, "request-transformer-advanced": 802, "request-transformer": 801, "response-transformer": 800, "response-transformer-advanced": 800, "route-transformer-advanced": 780, + "ai-request-transformer": 777, + "ai-prompt-template": 773, + "ai-prompt-decorator": 772, + "ai-prompt-guard": 771, + "ai-proxy": 770, + "ai-response-transformer": 769, "kafka-upstream": 751, "aws-lambda": 750, "azure-functions": 749, "upstream-timeout": 400, - "proxy-cache-advanced": 100, "proxy-cache": 100, + "proxy-cache-advanced": 100, "graphql-proxy-cache-advanced": 99, "forward-proxy": 50, "canary": 20, diff --git a/schemas/application-registration/3.6.x.json b/schemas/application-registration/3.6.x.json index 0466f5ba..6ea24c2e 100644 --- a/schemas/application-registration/3.6.x.json +++ b/schemas/application-registration/3.6.x.json 
@@ -1,100 +1,108 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { + "eq": null, "reference": "consumers", "type": "foreign", - "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "service": { "reference": "services", + "ne": null, "type": "foreign", - "on_delete": "cascade", - "ne": null + "on_delete": "cascade" } }, { "route": { + "eq": null, "reference": "routes", "type": "foreign", - "eq": null, "description": "A reference to the 'routes' table with a null value allowed." } }, { "protocols": { + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { + "eq": null, "reference": "consumer_groups", "type": "foreign", - "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "type": "record", "fields": [ { "display_name": { "required": true, "unique": true, - "description": "Unique display name used for a Service in the Developer Portal.", - "type": "string" + "type": "string", + "description": "Unique display name used for a Service in the Developer Portal." } }, { "description": { "type": "string", - "description": "Unique description displayed in information about a Service in the Developer Portal.", - "unique": true + "unique": true, + "description": "Unique description displayed in information about a Service in the Developer Portal." } }, { "auto_approve": { "required": true, - "type": "boolean", "default": false, + "type": "boolean", "description": "If enabled, all new Service Contracts requests are automatically approved." 
} }, { "show_issuer": { "required": true, - "type": "boolean", "default": false, + "type": "boolean", "description": "Displays the **Issuer URL** in the **Service Details** dialog." } + }, + { + "enable_proxy_with_consumer_credential": { + "required": true, + "default": false, + "type": "boolean", + "description": "If enabled, the Route of the Service can be accessed using the Consumer's credential" + } } - ] + ], + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/mtls-auth/3.6.x.json b/schemas/mtls-auth/3.6.x.json index afe73df6..2f36db97 100644 --- a/schemas/mtls-auth/3.6.x.json +++ b/schemas/mtls-auth/3.6.x.json @@ -1,63 +1,45 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { + "eq": null, "reference": "consumers", "type": "foreign", - "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { + "eq": null, "reference": "consumer_groups", "type": "foreign", - "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "entity_checks": [ - { - "mutually_required": [ - "http_proxy_host", - "http_proxy_port" - ] - }, - { - "mutually_required": [ - "https_proxy_host", - "https_proxy_port" - ] - } - ], - "type": "record", "fields": [ { "anonymous": { 
@@ -67,19 +49,19 @@ }, { "consumer_by": { + "required": false, + "default": [ + "username", + "custom_id" + ], "elements": { + "type": "string", "one_of": [ "username", "custom_id" - ], - "type": "string" + ] }, "type": "array", - "default": [ - "username", - "custom_id" - ], - "required": false, "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled." } }, 
@@ -87,42 +69,42 @@ "ca_certificates": { "required": true, "type": "array", - "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", "elements": { "uuid": true, "type": "string" - } + }, + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`)." } }, { "cache_ttl": { "required": true, "type": "number", - "description": "Cache expiry time in seconds.", - "default": 60 + "default": 60, + "description": "Cache expiry time in seconds." } }, { "skip_consumer_lookup": { "required": true, "type": "boolean", - "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", - "default": false + "default": false, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list." } }, { "allow_partial_chain": { "required": true, "type": "boolean", - "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", - "default": false + "default": false, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates." } }, { "authenticated_group_by": { - "type": "string", - "default": "CN", "required": false, + "default": "CN", + "type": "string", "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. 
To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "one_of": [ "CN", @@ -132,9 +114,9 @@ }, { "revocation_check_mode": { - "type": "string", - "default": "IGNORE_CA_ERROR", "required": false, + "default": "IGNORE_CA_ERROR", + "type": "string", "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "one_of": [ "SKIP", @@ -145,23 +127,29 @@ }, { "http_timeout": { + "default": 30000, "type": "number", - "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", - "default": 30000 + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL." } }, { "cert_cache_ttl": { + "default": 60000, "type": "number", - "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", - "default": 60000 + "description": "The length of time in milliseconds between refreshes of the revocation check status cache." } }, { "send_ca_dn": { + "default": false, "type": "boolean", - "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", - "default": false + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message." + } + }, + { + "default_consumer": { + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { 
@@ -173,11 +161,11 @@ { "http_proxy_port": { "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { @@ -189,16 +177,34 @@ { "https_proxy_port": { "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/oas-validation/3.6.x.json b/schemas/oas-validation/3.6.x.json index 7adde839..01ab03de 100644 --- a/schemas/oas-validation/3.6.x.json +++ b/schemas/oas-validation/3.6.x.json @@ -1,12 +1,14 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { "required": true, - "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
@@ -16,141 +18,139 @@ "https" ] }, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], + "type": "set", "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", - "required": true, "fields": [ { "api_spec": { - "type": "string", "required": true, + "type": "string", "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format." } }, { "verbose_response": { - "type": "boolean", "required": false, "default": false, + "type": "boolean", "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing." } }, { "validate_request_body": { - "type": "boolean", "required": false, "default": true, + "type": "boolean", "description": "If set to true, validates the request body content against the API specification." } }, { "notify_only_request_validation_failure": { - "type": "boolean", "required": false, "default": false, + "type": "boolean", "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow." } }, { "validate_request_header_params": { - "type": "boolean", "required": false, "default": true, + "type": "boolean", "description": "If set to true, validates HTTP header parameters against the API specification." 
} }, { "validate_request_query_params": { - "type": "boolean", "required": false, "default": true, + "type": "boolean", "description": "If set to true, validates query parameters against the API specification." } }, { "validate_request_uri_params": { - "type": "boolean", "required": false, "default": true, + "type": "boolean", "description": "If set to true, validates URI parameters in the request against the API specification." } }, { "validate_response_body": { - "type": "boolean", "required": false, "default": false, + "type": "boolean", "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code." } }, { "notify_only_response_body_validation_failure": { - "type": "boolean", "required": false, "default": false, + "type": "boolean", "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow." } }, { "query_parameter_check": { - "type": "boolean", "required": true, "default": false, + "type": "boolean", "description": "If set to true, checks if query parameters in the request exist in the API specification." } }, { "header_parameter_check": { - "type": "boolean", "required": true, "default": false, + "type": "boolean", "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification." } }, { "allowed_header_parameters": { - "type": "string", "required": false, "default": "Host,Content-Type,User-Agent,Accept,Content-Length", + "type": "string", "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. 
For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent." } }, { "include_base_path": { - "type": "boolean", "required": true, "default": false, + "type": "boolean", "description": "Indicates whether to include the base path when performing path match evaluation." } }, { "api_spec_encoded": { - "type": "boolean", "required": true, "default": true, + "type": "boolean", "description": "Indicates whether the api_spec is URI-Encoded." } } - ] + ], + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/rate-limiting-advanced/3.6.x.json b/schemas/rate-limiting-advanced/3.6.x.json index 64689766..6343a43d 100644 --- a/schemas/rate-limiting-advanced/3.6.x.json +++ b/schemas/rate-limiting-advanced/3.6.x.json @@ -1,18 +1,14 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { "required": true, - "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ @@ -22,24 +18,19 @@ "https" ] }, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], + "type": "set", "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", - "required": true, "fields": [ { "identifier": { "required": true, + "default": "consumer", "type": "string", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", "one_of": [ "ip", "credential", 
@@ -48,74 +39,72 @@ "header", "path", "consumer-group" - ], - "default": "consumer", - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`." + ] } }, { "window_size": { - "type": "array", "required": true, - "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "type": "array", "elements": { "type": "number" - } + }, + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified." } }, { "window_type": { + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "default": "sliding", "type": "string", "one_of": [ "fixed", "sliding" - ], - "default": "sliding", - "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters." + ] } }, { "limit": { - "type": "array", "required": true, - "description": "One or more requests-per-window limits to apply. 
There must be a matching number of window limits and sizes specified.", + "type": "array", "elements": { "type": "number" - } + }, + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified." } }, { "sync_rate": { - "type": "number", - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" } }, { "namespace": { - "type": "string", "required": true, - "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", - "auto": true + "type": "string", + "auto": true, + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same." 
} }, { "strategy": { "required": true, + "default": "local", "type": "string", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "one_of": [ "cluster", "redis", "local" - ], - "default": "local", - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`." + ] } }, { "dictionary_name": { - "type": "string", "required": true, "default": "kong_rate_limiting_counters", + "type": "string", "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle." } }, 
@@ -135,141 +124,139 @@ }, { "header_name": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } }, { "path": { - "type": "string", - "starts_with": "/", "match_none": [ { - "err": "must not have empty segments", - "pattern": "//" + "pattern": "//", + "err": "must not have empty segments" } ], + "type": "string", + "starts_with": "/", "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "redis": { - "type": "record", - "required": true, "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "default": 2000, + "type": "integer", "between": [ 0, 2147483646 - ] + ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "connect_timeout": { "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { "type": "integer", - "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." } }, { "password": { - "type": "string", "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "referenceable": true + "referenceable": true, + "type": "string", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." } }, { "sentinel_username": { "type": "string", - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "referenceable": true + "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." } }, { "sentinel_password": { - "type": "string", "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", - "referenceable": true + "referenceable": true, + "type": "string", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." } }, { "database": { - "type": "integer", "default": 0, + "type": "integer", "description": "Database to use for the Redis connection when using the `redis` strategy" } }, { "keepalive_pool_size": { - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "default": 256, + "type": "integer", "between": [ 1, 2147483646 - ] + ], + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." } }, { "keepalive_backlog": { "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 - ] + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { 
@@ -281,92 +268,93 @@ { "sentinel_role": { "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + ] } }, { "sentinel_addresses": { - "type": "array", "elements": { "type": "string" }, - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", - "len_min": 1 + "type": "array", + "len_min": 1, + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element." } }, { "cluster_addresses": { - "type": "array", "elements": { "type": "string" }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", - "len_min": 1 + "type": "array", + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element." } }, { "ssl": { - "type": "boolean", "required": false, + "type": "boolean", "default": false, "description": "If set to true, uses SSL to connect to Redis." } }, { "ssl_verify": { - "type": "boolean", "required": false, + "type": "boolean", "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." } }, { "server_name": { - "type": "string", "required": false, + "type": "string", "description": "A string representing an SNI (server name indication) value for TLS." } } ], + "type": "record", "entity_checks": [ { "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_addresses" - ], - "set2": [ - "host", - "port" ] } }, { "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_addresses" - ], - "set2": [ - "cluster_addresses" ] } }, { "mutually_exclusive_sets": { - "set1": [ - "cluster_addresses" - ], "set2": [ "host", "port" + ], + "set1": [ + "cluster_addresses" ] } }, @@ -390,7 +378,8 @@ "read_timeout" ] } - ] + ], + "required": true } }, { @@ -402,10 +391,10 @@ }, { "consumer_groups": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`." } }, @@ -418,9 +407,9 @@ }, { "error_code": { - "type": "number", "gt": 0, "default": 429, + "type": "number", "description": "Set a custom error code to return when the rate limit is exceeded." } }, @@ -431,6 +420,17 @@ "description": "Set a custom error message to return when the rate limit is exceeded." } } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" ] } } diff --git a/schemas/websocket-size-limit/3.6.x.json b/schemas/websocket-size-limit/3.6.x.json index a1045fa6..0b2e8a8d 100644 --- a/schemas/websocket-size-limit/3.6.x.json +++ b/schemas/websocket-size-limit/3.6.x.json 
@@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { @@ -12,33 +9,24 @@ "wss" ], "elements": { + "type": "string", "one_of": [ "ws", "wss" - ], - "type": "string" + ] } } }, { "consumer_group": { + "eq": null, "reference": "consumer_groups", "type": "foreign", - "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "entity_checks": [ - { - "at_least_one_of": [ - "client_max_payload", - "upstream_max_payload" - ] - } - ], - "type": "record", "fields": [ { "client_max_payload": { @@ -61,8 +49,20 @@ } } ], + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "client_max_payload", + "upstream_max_payload" + ] + } + ], "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/websocket-validator/3.6.x.json b/schemas/websocket-validator/3.6.x.json index e7e9ddde..3ba38643 100644 --- a/schemas/websocket-validator/3.6.x.json +++ b/schemas/websocket-validator/3.6.x.json @@ -1,7 +1,4 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { @@ -12,33 +9,24 @@ "wss" ], "elements": { + "type": "string", "one_of": [ "ws", "wss" - ], - "type": "string" + ] } } }, { "consumer_group": { + "eq": null, "reference": "consumer_groups", "type": "foreign", - "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "entity_checks": [ - { - "at_least_one_of": [ - "client", - "upstream" - ] - } - ], - "type": "record", "fields": [ { "client": { @@ -213,8 +201,20 @@ } } ], + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "client", + "upstream" + ] + } + ], "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/xml-threat-protection/3.6.x.json b/schemas/xml-threat-protection/3.6.x.json index c98f8f67..2d2d1f7c 100644 --- a/schemas/xml-threat-protection/3.6.x.json +++ b/schemas/xml-threat-protection/3.6.x.json 
@@ -1,107 +1,65 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "required": true, "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { + "eq": null, "reference": "consumer_groups", "type": "foreign", - "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "entity_checks": [ - { - "conditional": { - "then_field": "max_namespaces", - "if_field": "namespace_aware", - "then_match": { - "required": true - }, - "if_match": { - "eq": true - } - } - }, - { - "conditional": { - "then_field": "prefix", - "if_field": "namespace_aware", - "then_match": { - "required": true - }, - "if_match": { - "eq": true - } - } - }, - { - "conditional": { - "then_field": "namespaceuri", - "if_field": "namespace_aware", - "then_match": { - "required": true - }, - "if_match": { - "eq": true - } - } - } - ], - "type": "record", "fields": [ { "checked_content_types": { + "required": true, + "default": [ + "application/xml" + ], "elements": { "required": true, - "match": "^[^%s]+%/[^ ;]+$", - "type": "string" + "type": "string", + "match": "^[^%s]+%/[^ ;]+$" }, "type": "set", - "default": [ - "application/xml" - ], - "required": true, "description": "A list of Content-Type values with payloads that must be validated." } }, { "allowed_content_types": { + "required": true, + "default": [ + + ], "elements": { "required": true, - "match": "^[^%s]+%/[^ ;]+$", - "type": "string" + "type": "string", + "match": "^[^%s]+%/[^ ;]+$" }, "type": "set", - "default": [ - - ], - "required": true, "description": "A list of Content-Type values with payloads that are allowed, but aren't validated." } }, 
@@ -123,178 +81,220 @@ }, { "max_depth": { + "required": true, + "default": 50, "gt": 0, "type": "integer", - "default": 50, - "required": true, "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level." } }, { "max_children": { + "required": true, + "default": 100, "gt": 0, "type": "integer", - "default": 100, - "required": true, "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child." } }, { "max_attributes": { + "required": true, + "default": 100, "gt": 0, "type": "integer", - "default": 100, - "required": true, "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes." } }, { "max_namespaces": { + "required": false, + "default": 20, "gt": 0, "type": "integer", - "default": 20, - "required": false, "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware." } }, { "document": { + "required": true, + "default": 10485760, "gt": 0, "type": "integer", - "default": 10485760, - "required": true, "description": "Maximum size of the entire document." } }, { "buffer": { + "required": true, + "default": 1048576, "gt": 0, "type": "integer", - "default": 1048576, - "required": true, "description": "Maximum size of the unparsed buffer (see below)." } }, { "comment": { + "required": true, + "default": 1024, "gt": 0, "type": "integer", - "default": 1024, - "required": true, "description": "Maximum size of comments." } }, { "localname": { + "required": true, + "default": 1024, "gt": 0, "type": "integer", - "default": 1024, - "required": true, "description": "Maximum size of the localname. This applies to tags and attributes." 
} }, { "prefix": { + "required": false, + "default": 1024, "gt": 0, "type": "integer", - "default": 1024, - "required": false, "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware." } }, { "namespaceuri": { + "required": false, + "default": 1024, "gt": 0, "type": "integer", - "default": 1024, - "required": false, "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware." } }, { "attribute": { + "required": true, + "default": 1048576, "gt": 0, "type": "integer", - "default": 1048576, - "required": true, "description": "Maximum size of the attribute value." } }, { "text": { + "required": true, + "default": 1048576, "gt": 0, "type": "integer", - "default": 1048576, - "required": true, "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined)." } }, { "pitarget": { + "required": true, + "default": 1024, "gt": 0, "type": "integer", - "default": 1024, - "required": true, "description": "Maximum size of processing instruction targets." } }, { "pidata": { + "required": true, + "default": 1024, "gt": 0, "type": "integer", - "default": 1024, - "required": true, "description": "Maximum size of processing instruction data." } }, { "entityname": { + "required": true, + "default": 1024, "gt": 0, "type": "integer", - "default": 1024, - "required": true, "description": "Maximum size of entity names in EntityDecl." } }, { "entity": { + "required": true, + "default": 1024, "gt": 0, "type": "integer", - "default": 1024, - "required": true, "description": "Maximum size of entity values in EntityDecl." } }, { "entityproperty": { + "required": true, + "default": 1024, "gt": 0, "type": "integer", - "default": 1024, - "required": true, "description": "Maximum size of systemId, publicId, or notationName in EntityDecl." 
} }, { "bla_max_amplification": { + "required": true, + "default": 100, "gt": 1, "type": "number", - "default": 100, - "required": true, "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack." } }, { "bla_threshold": { + "required": true, + "default": 8388608, "gt": 1024, "type": "integer", - "default": 8388608, - "required": true, "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack." } } ], + "type": "record", + "entity_checks": [ + { + "conditional": { + "then_field": "max_namespaces", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + }, + "if_field": "namespace_aware" + } + }, + { + "conditional": { + "then_field": "prefix", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + }, + "if_field": "namespace_aware" + } + }, + { + "conditional": { + "then_field": "namespaceuri", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + }, + "if_field": "namespace_aware" + } + } + ], "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file From 3796815abecc446ea389e79cd8c5e934603b4a4e Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Thu, 16 May 2024 09:50:39 -0700 Subject: [PATCH 047/165] generate schemas, referenceable fields, and priorities for 3.4.3.8 (#30) --- data/priorities/ee/3.4.x.json | 12 +- data/referenceable_fields/3.4.x.json | 7 + schemas/oas-validation/3.4.x.json | 116 ++++---- schemas/rate-limiting-advanced/3.4.x.json | 306 +++++++++++----------- schemas/websocket-size-limit/3.4.x.json | 30 +-- schemas/websocket-validator/3.4.x.json | 86 +++--- schemas/xml-threat-protection/3.4.x.json | 194 +++++++------- 7 files changed, 379 insertions(+), 372 deletions(-) diff --git a/data/priorities/ee/3.4.x.json b/data/priorities/ee/3.4.x.json index 3a3a0a28..627c04f8 100644 --- a/data/priorities/ee/3.4.x.json 
+++ b/data/priorities/ee/3.4.x.json @@ -17,17 +17,17 @@ "vault-auth": 1350, "key-auth": 1250, "key-auth-enc": 1250, - "ldap-auth-advanced": 1200, "ldap-auth": 1200, + "ldap-auth-advanced": 1200, "basic-auth": 1100, "openid-connect": 1050, "hmac-auth": 1030, "jwt-signer": 1020, "saml": 1010, - "websocket-validator": 999, + "xml-threat-protection": 1008, + "websocket-validator": 1006, + "websocket-size-limit": 1003, "request-validator": 999, - "xml-threat-protection": 999, - "websocket-size-limit": 999, "grpc-gateway": 998, "tls-handshake-modifier": 997, "tls-metadata-headers": 996, @@ -40,13 +40,13 @@ "rate-limiting-advanced": 910, "graphql-rate-limiting-advanced": 902, "response-ratelimiting": 900, - "oas-validation": 850, "route-by-header": 850, + "oas-validation": 840, "jq": 811, "request-transformer-advanced": 802, "request-transformer": 801, - "response-transformer-advanced": 800, "response-transformer": 800, + "response-transformer-advanced": 800, "route-transformer-advanced": 780, "kafka-upstream": 751, "aws-lambda": 750, diff --git a/data/referenceable_fields/3.4.x.json b/data/referenceable_fields/3.4.x.json index ed1c3d41..93298c02 100644 --- a/data/referenceable_fields/3.4.x.json +++ b/data/referenceable_fields/3.4.x.json @@ -48,6 +48,9 @@ "loggly": [ "config.key" ], + "oauth2-introspection": [ + "config.authorization_value" + ], "openid-connect": [ "config.client_id", "config.client_secret", @@ -61,6 +64,10 @@ "config.client_jwk.oth", "config.client_jwk.r", "config.client_jwk.t", + "config.login_redirect_uri", + "config.logout_redirect_uri", + "config.scopes", + "config.introspection_headers_values", "config.session_secret", "config.session_redis_username", "config.session_redis_password" diff --git a/schemas/oas-validation/3.4.x.json b/schemas/oas-validation/3.4.x.json index 119657b5..f4f4483c 100644 --- a/schemas/oas-validation/3.4.x.json +++ b/schemas/oas-validation/3.4.x.json 
@@ -2,151 +2,151 @@ "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "required": true, - "type": "set" + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null, + "type": "foreign", "reference": "consumer_groups", - "type": "foreign" + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "type": "record", + "required": true, "fields": [ { "api_spec": { - "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format.", + "type": "string", "required": true, - "type": "string" + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format." } }, { "verbose_response": { - "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", - "required": false, + "default": false, "type": "boolean", - "default": false + "description": "If set to true, returns a detailed error message for invalid requests & responses. 
This is useful while testing.", + "required": false } }, { "validate_request_body": { - "description": "If set to true, validates the request body content against the API specification.", - "required": false, + "default": true, "type": "boolean", - "default": true + "description": "If set to true, validates the request body content against the API specification.", + "required": false } }, { "notify_only_request_validation_failure": { - "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", - "required": false, + "default": false, "type": "boolean", - "default": false + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", + "required": false } }, { "validate_request_header_params": { - "description": "If set to true, validates HTTP header parameters against the API specification.", - "required": false, + "default": true, "type": "boolean", - "default": true + "description": "If set to true, validates HTTP header parameters against the API specification.", + "required": false } }, { "validate_request_query_params": { - "description": "If set to true, validates query parameters against the API specification.", - "required": false, + "default": true, "type": "boolean", - "default": true + "description": "If set to true, validates query parameters against the API specification.", + "required": false } }, { "validate_request_uri_params": { - "description": "If set to true, validates URI parameters in the request against the API specification.", - "required": false, + "default": true, "type": "boolean", - "default": true + "description": "If set to true, validates URI parameters in the request against the API specification.", + "required": false } }, { "validate_response_body": { - "description": "If set to true, validates the response from the upstream services against the API 
specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", - "required": false, + "default": false, "type": "boolean", - "default": false + "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", + "required": false } }, { "notify_only_response_body_validation_failure": { - "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", - "required": false, + "default": false, "type": "boolean", - "default": false + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", + "required": false } }, { "query_parameter_check": { - "description": "If set to true, checks if query parameters in the request exist in the API specification.", - "required": true, + "default": false, "type": "boolean", - "default": false + "description": "If set to true, checks if query parameters in the request exist in the API specification.", + "required": true } }, { "header_parameter_check": { - "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", - "required": true, + "default": false, "type": "boolean", - "default": false + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", + "required": true } }, { "allowed_header_parameters": { - "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. 
For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", - "required": false, + "default": "Host,Content-Type,User-Agent,Accept,Content-Length", "type": "string", - "default": "Host,Content-Type,User-Agent,Accept,Content-Length" + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", + "required": false } }, { "include_base_path": { - "description": "Indicates whether to include the base path when performing path match evaluation.", - "required": true, + "default": false, "type": "boolean", - "default": false + "description": "Indicates whether to include the base path when performing path match evaluation.", + "required": true } }, { "api_spec_encoded": { - "description": "Indicates whether the api_spec is URI-Encoded.", - "required": true, + "default": true, "type": "boolean", - "default": true + "description": "Indicates whether the api_spec is URI-Encoded.", + "required": true } } - ], - "type": "record", - "required": true + ] } } ], diff --git a/schemas/rate-limiting-advanced/3.4.x.json b/schemas/rate-limiting-advanced/3.4.x.json index 27267c59..91b91d54 100644 --- a/schemas/rate-limiting-advanced/3.4.x.json +++ b/schemas/rate-limiting-advanced/3.4.x.json 
@@ -2,32 +2,32 @@ "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string" }, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "required": true, - "type": "set" + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "type": "record", "fields": [ { "identifier": { - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, or `path`.", "one_of": [ "ip", "credential", 
@@ -36,40 +36,41 @@ "header", "path" ], - "default": "consumer", + "type": "string", "required": true, - "type": "string" + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, or `path`." } }, { "window_size": { - "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", "required": true, "type": "array", "elements": { "type": "number" - } + }, + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified." } }, { "window_type": { - "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", "one_of": [ "fixed", "sliding" ], - "type": "string", - "default": "sliding" + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "type": "string" } }, { "limit": { - "description": "One or more requests-per-window limits to apply. 
There must be a matching number of window limits and sizes specified.", "required": true, "type": "array", "elements": { "type": "number" - } + }, + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified." } }, { 
@@ -80,45 +81,45 @@ }, { "namespace": { - "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace.", - "required": true, + "auto": true, "type": "string", - "auto": true + "required": true, + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace." } }, { "strategy": { - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "one_of": [ "cluster", "redis", "local" ], - "default": "local", + "type": "string", "required": true, - "type": "string" + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`." } }, { "dictionary_name": { "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "default": "kong_rate_limiting_counters", "required": true, - "type": "string", - "default": "kong_rate_limiting_counters" + "type": "string" } }, { "hide_client_headers": { + "default": false, "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "retry_after_jitter_max": { + "default": 0, "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. 
The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", - "type": "number", - "default": 0 + "type": "number" } }, { @@ -129,77 +130,19 @@ }, { "path": { - "starts_with": "/", + "type": "string", "match_none": [ { - "err": "must not have empty segments", - "pattern": "//" + "pattern": "//", + "err": "must not have empty segments" } ], - "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/" } }, { "redis": { - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_addresses" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_addresses" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - } - ], "fields": [ { "host": { 
@@ -209,97 +152,97 @@ }, { "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "timeout": { "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", "referenceable": true, - "type": "string" + "type": "string", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." 
} }, { "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." } }, { "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", "referenceable": true, - "type": "string" + "type": "string", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." } }, { "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0 } }, { "keepalive_pool_size": { - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value.", "default": 30, "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value.", "between": [ 1, 2147483646 @@ -308,8 +251,8 @@ }, { "keepalive_backlog": { - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued connect operations resume once the number of connections in the pool is less than `keepalive_pool_size`. Note that queued connect operations are subject to set timeouts.", "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued connect operations resume once the number of connections in the pool is less than `keepalive_pool_size`. Note that queued connect operations are subject to set timeouts.", "between": [ 0, 2147483646 
@@ -318,109 +261,166 @@ }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", "one_of": [ "master", "slave", "any" ], - "type": "string" + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." } }, { "sentinel_addresses": { - "len_min": 1, "elements": { "type": "string" }, "type": "array", - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element." + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "len_min": 1 } }, { "cluster_addresses": { - "len_min": 1, "elements": { "type": "string" }, "type": "array", - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element." + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. 
The minimum length of the array is 1 element.", + "len_min": 1 } }, { "ssl": { - "description": "If set to true, uses SSL to connect to Redis.", - "required": false, + "default": false, "type": "boolean", - "default": false + "required": false, + "description": "If set to true, uses SSL to connect to Redis." } }, { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, + "default": false, "type": "boolean", - "default": false + "required": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string", "required": false, - "type": "string" + "description": "A string representing an SNI (server name indication) value for TLS." 
} } ], "type": "record", - "required": true + "required": true, + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "cluster_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "cluster_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ] } }, { "enforce_consumer_groups": { + "default": false, "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "consumer_groups": { + "type": "array", "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", "elements": { "type": "string" - }, - "type": "array" + } } }, { "disable_penalty": { + "default": false, "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. 
This parameter only affects the `sliding` window_type.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "error_code": { - "description": "Set a custom error code to return when the rate limit is exceeded.", "gt": 0, - "type": "number", - "default": 429 + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "type": "number" } }, { "error_message": { + "default": "API rate limit exceeded", "description": "Set a custom error message to return when the rate limit is exceeded.", - "type": "string", - "default": "API rate limit exceeded" + "type": "string" } } ], - "type": "record", "required": true } } diff --git a/schemas/websocket-size-limit/3.4.x.json b/schemas/websocket-size-limit/3.4.x.json index a2aae773..47ad20fa 100644 --- a/schemas/websocket-size-limit/3.4.x.json +++ b/schemas/websocket-size-limit/3.4.x.json @@ -6,23 +6,23 @@ "ws", "wss" ], - "required": true, "type": "set", "elements": { - "type": "string", "one_of": [ "ws", "wss" - ] - } + ], + "type": "string" + }, + "required": true } }, { "consumer_group": { + "type": "foreign", "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -30,25 +30,27 @@ "fields": [ { "client_max_payload": { + "type": "integer", + "required": false, "between": [ 1, 33554432 - ], - "type": "integer", - "required": false + ] } }, { "upstream_max_payload": { + "type": "integer", + "required": false, "between": [ 1, 33554432 - ], - "type": "integer", - "required": false + ] } } ], + "type": "record", + "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -56,9 +58,7 @@ "upstream_max_payload" ] } - ], - "type": "record", - "required": true + ] } } ], 
diff --git a/schemas/websocket-validator/3.4.x.json b/schemas/websocket-validator/3.4.x.json index 39184feb..19ec51fd 100644 --- a/schemas/websocket-validator/3.4.x.json +++ b/schemas/websocket-validator/3.4.x.json @@ -6,23 +6,23 @@ "ws", "wss" ], - "required": true, "type": "set", "elements": { - "type": "string", "one_of": [ "ws", "wss" - ] - } + ], + "type": "string" + }, + "required": true } }, { "consumer_group": { + "type": "foreign", "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -30,24 +30,28 @@ "fields": [ { "client": { + "required": false, + "type": "record", "fields": [ { "text": { + "required": false, + "type": "record", "fields": [ { "type": { - "required": true, "one_of": [ "draft4" ], - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", - "type": "string" + "type": "string", + "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." } }, { "schema": { - "required": true, "type": "string", + "required": true, "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." } } 
@@ -61,28 +65,28 @@ ] } } - ], - "type": "record", - "required": false + ] } }, { "binary": { + "required": false, + "type": "record", "fields": [ { "type": { - "required": true, "one_of": [ "draft4" ], - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", - "type": "string" + "type": "string", + "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." } }, { "schema": { - "required": true, "type": "string", + "required": true, "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." } } @@ -96,9 +100,7 @@ ] } } - ], - "type": "record", - "required": false + ] } } ], @@ -109,31 +111,33 @@ "binary" ] } - ], - "type": "record", - "required": false + ] } }, { "upstream": { + "required": false, + "type": "record", "fields": [ { "text": { + "required": false, + "type": "record", "fields": [ { "type": { - "required": true, "one_of": [ "draft4" ], - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", - "type": "string" + "type": "string", + "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." } }, { "schema": { - "required": true, "type": "string", + "required": true, "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." } } 
@@ -147,28 +151,28 @@ ] } } - ], - "type": "record", - "required": false + ] } }, { "binary": { + "required": false, + "type": "record", "fields": [ { "type": { - "required": true, "one_of": [ "draft4" ], - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", - "type": "string" + "type": "string", + "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported." } }, { "schema": { - "required": true, "type": "string", + "required": true, "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`." } } @@ -182,9 +186,7 @@ ] } } - ], - "type": "record", - "required": false + ] } } ], @@ -195,12 +197,12 @@ "binary" ] } - ], - "type": "record", - "required": false + ] } } ], + "type": "record", + "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -208,9 +210,7 @@ "upstream" ] } - ], - "type": "record", - "required": true + ] } } ], diff --git a/schemas/xml-threat-protection/3.4.x.json b/schemas/xml-threat-protection/3.4.x.json index 7764e5bb..0ac63044 100644 --- a/schemas/xml-threat-protection/3.4.x.json +++ b/schemas/xml-threat-protection/3.4.x.json 
@@ -2,32 +2,32 @@ "fields": [ { "protocols": { + "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "required": true, - "description": "A set of strings representing HTTP protocols.", - "type": "set", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] - } + ], + "type": "string" + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { + "type": "foreign", "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null, - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -35,262 +35,262 @@ "fields": [ { "checked_content_types": { + "type": "set", + "required": true, "default": [ "application/xml" ], "description": "A list of Content-Type values with payloads that must be validated.", - "required": true, - "type": "set", "elements": { - "required": true, "type": "string", + "required": true, "match": "^[^%s]+%/[^ ;]+$" } } }, { "allowed_content_types": { + "type": "set", + "required": true, "default": [ ], "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", - "required": true, - "type": "set", "elements": { - "required": true, "type": "string", + "required": true, "match": "^[^%s]+%/[^ ;]+$" } } }, { "allow_dtd": { + "required": true, "default": false, "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", - "required": true, "type": "boolean" } }, { "namespace_aware": { + "required": true, "default": true, "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", - "required": true, "type": "boolean" } }, { "max_depth": { - "default": 50, - "gt": 0, "type": "integer", "required": true, + "gt": 0, + "default": 50, "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level." } }, { "max_children": { - "default": 100, - "gt": 0, "type": "integer", "required": true, + "gt": 0, + "default": 100, "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child." } }, { "max_attributes": { - "default": 100, - "gt": 0, "type": "integer", "required": true, + "gt": 0, + "default": 100, "description": "Maximum number of attributes allowed on a tag, including default ones. 
Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes." } }, { "max_namespaces": { - "default": 20, - "gt": 0, "type": "integer", "required": false, + "gt": 0, + "default": 20, "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware." } }, { "document": { - "default": 10485760, - "gt": 0, - "description": "Maximum size of the entire document.", + "type": "integer", "required": true, - "type": "integer" + "gt": 0, + "default": 10485760, + "description": "Maximum size of the entire document." } }, { "buffer": { - "default": 1048576, - "gt": 0, - "description": "Maximum size of the unparsed buffer (see below).", + "type": "integer", "required": true, - "type": "integer" + "gt": 0, + "default": 1048576, + "description": "Maximum size of the unparsed buffer (see below)." } }, { "comment": { - "default": 1024, - "gt": 0, - "description": "Maximum size of comments.", + "type": "integer", "required": true, - "type": "integer" + "gt": 0, + "default": 1024, + "description": "Maximum size of comments." } }, { "localname": { - "default": 1024, - "gt": 0, - "description": "Maximum size of the localname. This applies to tags and attributes.", + "type": "integer", "required": true, - "type": "integer" + "gt": 0, + "default": 1024, + "description": "Maximum size of the localname. This applies to tags and attributes." } }, { "prefix": { - "default": 1024, - "gt": 0, - "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", + "type": "integer", "required": false, - "type": "integer" + "gt": 0, + "default": 1024, + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware." } }, { "namespaceuri": { - "default": 1024, - "gt": 0, - "description": "Maximum size of the namespace URI. 
This value is required if parsing is namespace-aware.", + "type": "integer", "required": false, - "type": "integer" + "gt": 0, + "default": 1024, + "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware." } }, { "attribute": { - "default": 1048576, - "gt": 0, - "description": "Maximum size of the attribute value.", + "type": "integer", "required": true, - "type": "integer" + "gt": 0, + "default": 1048576, + "description": "Maximum size of the attribute value." } }, { "text": { - "default": 1048576, - "gt": 0, - "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", + "type": "integer", "required": true, - "type": "integer" + "gt": 0, + "default": 1048576, + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined)." } }, { "pitarget": { - "default": 1024, - "gt": 0, - "description": "Maximum size of processing instruction targets.", + "type": "integer", "required": true, - "type": "integer" + "gt": 0, + "default": 1024, + "description": "Maximum size of processing instruction targets." } }, { "pidata": { - "default": 1024, - "gt": 0, - "description": "Maximum size of processing instruction data.", + "type": "integer", "required": true, - "type": "integer" + "gt": 0, + "default": 1024, + "description": "Maximum size of processing instruction data." } }, { "entityname": { - "default": 1024, - "gt": 0, - "description": "Maximum size of entity names in EntityDecl.", + "type": "integer", "required": true, - "type": "integer" + "gt": 0, + "default": 1024, + "description": "Maximum size of entity names in EntityDecl." } }, { "entity": { - "default": 1024, - "gt": 0, - "description": "Maximum size of entity values in EntityDecl.", + "type": "integer", "required": true, - "type": "integer" + "gt": 0, + "default": 1024, + "description": "Maximum size of entity values in EntityDecl." 
} }, { "entityproperty": { - "default": 1024, - "gt": 0, - "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", + "type": "integer", "required": true, - "type": "integer" + "gt": 0, + "default": 1024, + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl." } }, { "bla_max_amplification": { - "default": 100, - "gt": 1, "type": "number", "required": true, + "gt": 1, + "default": 100, "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack." } }, { "bla_threshold": { - "default": 8388608, - "gt": 1024, - "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", + "type": "integer", "required": true, - "type": "integer" + "gt": 1024, + "default": 8388608, + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack." } } ], + "type": "record", + "required": true, "entity_checks": [ { "conditional": { "then_field": "max_namespaces", - "if_match": { - "eq": true - }, + "if_field": "namespace_aware", "then_match": { "required": true }, - "if_field": "namespace_aware" + "if_match": { + "eq": true + } } }, { "conditional": { "then_field": "prefix", - "if_match": { - "eq": true - }, + "if_field": "namespace_aware", "then_match": { "required": true }, - "if_field": "namespace_aware" + "if_match": { + "eq": true + } } }, { "conditional": { "then_field": "namespaceuri", - "if_match": { - "eq": true - }, + "if_field": "namespace_aware", "then_match": { "required": true }, - "if_field": "namespace_aware" + "if_match": { + "eq": true + } } } - ], - "type": "record", - "required": true + ] } } ], From 24ec90c37ac9366c69cac90aa978a07e89cc5eab Mon Sep 17 00:00:00 2001 
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Mon, 20 May 2024 08:17:38 -0700 Subject: [PATCH 048/165] generate schemas and priorities for 3.5.0.4 (#31) --- data/priorities/ee/3.5.x.json | 16 +- schemas/acme/3.5.x.json | 200 +-- schemas/degraphql/3.5.x.json | 24 +- schemas/forward-proxy/3.5.x.json | 52 +- .../graphql-rate-limiting-advanced/3.5.x.json | 284 ++-- schemas/jwt-signer/3.5.x.json | 382 ++--- schemas/ldap-auth-advanced/3.5.x.json | 134 +- schemas/mtls-auth/3.5.x.json | 106 +- schemas/oas-validation/3.5.x.json | 72 +- schemas/oauth2-introspection/3.5.x.json | 60 +- schemas/openid-connect/3.5.x.json | 1227 +++++++++-------- schemas/opentelemetry/3.5.x.json | 138 +- schemas/rate-limiting-advanced/3.5.x.json | 296 ++-- schemas/rate-limiting/3.5.x.json | 238 ++-- schemas/response-ratelimiting/3.5.x.json | 178 +-- schemas/saml/3.5.x.json | 446 +++--- schemas/websocket-size-limit/3.5.x.json | 50 +- schemas/websocket-validator/3.5.x.json | 176 +-- schemas/xml-threat-protection/3.5.x.json | 234 ++-- 19 files changed, 2167 insertions(+), 2146 deletions(-) diff --git a/data/priorities/ee/3.5.x.json b/data/priorities/ee/3.5.x.json index f02f7ad8..627c04f8 100644 --- a/data/priorities/ee/3.5.x.json +++ b/data/priorities/ee/3.5.x.json @@ -15,8 +15,8 @@ "jwt": 1450, "oauth2": 1400, "vault-auth": 1350, - "key-auth-enc": 1250, "key-auth": 1250, + "key-auth-enc": 1250, "ldap-auth": 1200, "ldap-auth-advanced": 1200, "basic-auth": 1100, @@ -24,10 +24,10 @@ "hmac-auth": 1030, "jwt-signer": 1020, "saml": 1010, + "xml-threat-protection": 1008, + "websocket-validator": 1006, + "websocket-size-limit": 1003, "request-validator": 999, - "xml-threat-protection": 999, - "websocket-validator": 999, - "websocket-size-limit": 999, "grpc-gateway": 998, "tls-handshake-modifier": 997, "tls-metadata-headers": 996, 
@@ -36,12 +36,12 @@ "request-size-limiting": 951, "acl": 950, "opa": 920, - "rate-limiting-advanced": 910, "rate-limiting": 910, + "rate-limiting-advanced": 910, "graphql-rate-limiting-advanced": 902, "response-ratelimiting": 900, - "oas-validation": 850, "route-by-header": 850, + "oas-validation": 840, "jq": 811, "request-transformer-advanced": 802, "request-transformer": 801, @@ -52,16 +52,16 @@ "aws-lambda": 750, "azure-functions": 749, "upstream-timeout": 400, - "proxy-cache-advanced": 100, "proxy-cache": 100, + "proxy-cache-advanced": 100, "graphql-proxy-cache-advanced": 99, "forward-proxy": 50, "canary": 20, "opentelemetry": 14, "prometheus": 13, "http-log": 12, - "statsd-advanced": 11, "statsd": 11, + "statsd-advanced": 11, "datadog": 10, "file-log": 9, "udp-log": 8, diff --git a/schemas/acme/3.5.x.json b/schemas/acme/3.5.x.json index 6410ffaf..44890b85 100644 --- a/schemas/acme/3.5.x.json +++ b/schemas/acme/3.5.x.json 
@@ -1,41 +1,66 @@ { + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "https://acme-v02.api.letsencrypt.org", + "https://acme-staging-v02.api.letsencrypt.org" + ] + }, + "then_field": "config.tos_accepted", + "if_field": "config.api_uri", + "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", + "then_match": { + "eq": true + } + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.storage" + ] + } + } + ], "fields": [ { "consumer": { "type": "foreign", "eq": null, - "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumers" } }, { "service": { "type": "foreign", "eq": null, - "reference": "services", - "description": "A reference to the 'services' table with a null value allowed." + "description": "A reference to the 'services' table with a null value allowed.", + "reference": "services" } }, { "route": { "type": "foreign", "eq": null, - "reference": "routes", - "description": "A reference to the 'routes' table with a null value allowed." + "description": "A reference to the 'routes' table with a null value allowed.", + "reference": "routes" } }, { "consumer_group": { "type": "foreign", - "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "protocols": { - "type": "set", "required": true, + "type": "set", "default": [ "grpc", "grpcs", 
@@ -59,23 +84,25 @@ "fields": [ { "account_email": { - "match": "%w*%p*@+%w*%.?%w*", - "required": true, "encrypted": true, - "referenceable": true, "type": "string", - "description": "The account identifier. Can be reused in a different plugin instance." + "match": "%w*%p*@+%w*%.?%w*", + "referenceable": true, + "description": "The account identifier. Can be reused in a different plugin instance.", + "required": true } }, { "account_key": { + "required": false, "description": "The private key associated with the account.", + "type": "record", "fields": [ { "key_id": { - "description": "The Key ID.", + "required": true, "type": "string", - "required": true + "description": "The Key ID." } }, { 
@@ -84,39 +111,37 @@ "description": "The ID of the key set to associate the Key ID with." } } - ], - "type": "record", - "required": false + ] } }, { "api_uri": { - "default": "https://acme-v02.api.letsencrypt.org/directory", "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "default": "https://acme-v02.api.letsencrypt.org/directory" } }, { "tos_accepted": { - "default": false, "type": "boolean", - "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service." + "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", + "default": false } }, { "eab_kid": { + "encrypted": true, "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", - "referenceable": true, "type": "string", - "encrypted": true + "referenceable": true } }, { "eab_hmac_key": { + "encrypted": true, "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", - "referenceable": true, "type": "string", - "encrypted": true + "referenceable": true } }, { @@ -125,9 +150,9 @@ "rsa", "ecc" ], - "default": "rsa", "type": "string", - "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate." + "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate.", + "default": "rsa" } }, { 
@@ -137,16 +162,16 @@ 3072, 4096 ], - "default": 4096, "type": "number", - "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096." + "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", + "default": 4096 } }, { "renew_threshold_days": { - "default": 14, "type": "number", - "description": "Days remaining to renew the certificate before it expires." + "description": "Days remaining to renew the certificate before it expires.", + "default": 14 } }, { @@ -174,16 +199,16 @@ }, { "allow_any_domain": { - "default": false, "type": "boolean", - "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list." + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", + "default": false } }, { "fail_backoff_minutes": { - "default": 5, "type": "number", - "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate." + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", + "default": 5 } }, { 
@@ -195,9 +220,9 @@ "consul", "vault" ], - "default": "shm", "type": "string", - "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well." + "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well.", + "default": "shm" } }, { @@ -208,9 +233,9 @@ "fields": [ { "shm_name": { - "default": "kong", "type": "string", - "description": "Name of shared memory zone used for Kong API gateway storage" + "description": "Name of shared memory zone used for Kong API gateway storage", + "default": "kong" } } ], @@ -238,12 +263,12 @@ }, { "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { 
@@ -261,42 +286,42 @@ }, { "ssl": { - "description": "Whether to use SSL/TLS encryption when connecting to the Redis server.", - "default": false, + "required": true, "type": "boolean", - "required": true + "description": "Whether to use SSL/TLS encryption when connecting to the Redis server.", + "default": false } }, { "ssl_verify": { - "description": "Whether to verify the SSL/TLS certificate presented by the Redis server. This should be a boolean value.", - "default": false, + "required": true, "type": "boolean", - "required": true + "description": "Whether to verify the SSL/TLS certificate presented by the Redis server. This should be a boolean value.", + "default": false } }, { "ssl_server_name": { "required": false, - "type": "string", - "description": "The expected server name for the SSL/TLS certificate presented by the Redis server." + "description": "The expected server name for the SSL/TLS certificate presented by the Redis server.", + "type": "string" } }, { "namespace": { - "type": "string", "required": true, - "len_min": 0, + "type": "string", "default": "", - "description": "A namespace to prepend to all keys stored in Redis." + "description": "A namespace to prepend to all keys stored in Redis.", + "len_min": 0 } }, { "scan_count": { - "description": "The number of keys to return in Redis SCAN calls.", - "default": 10, + "required": false, "type": "number", - "required": false + "description": "The number of keys to return in Redis SCAN calls.", + "default": 10 } } ], @@ -309,9 +334,9 @@ "fields": [ { "https": { - "default": false, "type": "boolean", - "description": "Boolean representation of https." + "description": "Boolean representation of https.", + "default": false } }, { 
@@ -322,12 +347,12 @@ }, { "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { @@ -359,9 +384,9 @@ "fields": [ { "https": { - "default": false, "type": "boolean", - "description": "Boolean representation of https." + "description": "Boolean representation of https.", + "default": false } }, { @@ -372,12 +397,12 @@ }, { "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { @@ -401,9 +426,9 @@ }, { "tls_verify": { - "default": true, "type": "boolean", - "description": "Turn on TLS verification." + "description": "Turn on TLS verification.", + "default": true } }, { @@ -418,9 +443,9 @@ "token", "kubernetes" ], - "default": "token", "type": "string", - "description": "Auth Method, default to token, can be 'token' or 'kubernetes'." + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", + "default": "token" } }, { @@ -453,15 +478,15 @@ }, { "preferred_chain": { - "type": "string", - "description": "A string value that specifies the preferred certificate chain to use when generating certificates." + "description": "A string value that specifies the preferred certificate chain to use when generating certificates.", + "type": "string" } }, { "enable_ipv4_common_name": { - "default": true, "type": "boolean", - "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates." + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", + "default": true } } ], 
@@ -469,30 +494,5 @@ "required": true } } - ], - "entity_checks": [ - { - "conditional": { - "then_match": { - "eq": true - }, - "then_field": "config.tos_accepted", - "if_match": { - "one_of": [ - "https://acme-v02.api.letsencrypt.org", - "https://acme-staging-v02.api.letsencrypt.org" - ] - }, - "if_field": "config.api_uri", - "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/" - } - }, - { - "custom_entity_check": { - "field_sources": [ - "config.storage" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/degraphql/3.5.x.json b/schemas/degraphql/3.5.x.json index 62526fb7..1fbc8904 100644 --- a/schemas/degraphql/3.5.x.json +++ b/schemas/degraphql/3.5.x.json @@ -1,17 +1,20 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { "type": "foreign", "eq": null, - "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumers" } }, { "protocols": { - "type": "set", "required": true, + "type": "set", "default": [ "grpc", "grpcs", @@ -33,9 +36,9 @@ { "consumer_group": { "type": "foreign", - "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { 
@@ -43,17 +46,17 @@ "fields": [ { "graphql_server_path": { - "type": "string", "required": true, - "starts_with": "/", - "default": "/graphql", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "type": "string", + "default": "/graphql", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/" } } ], @@ -61,8 +64,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/forward-proxy/3.5.x.json b/schemas/forward-proxy/3.5.x.json index e1859875..cc2a251e 100644 --- a/schemas/forward-proxy/3.5.x.json +++ b/schemas/forward-proxy/3.5.x.json @@ -1,9 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, + "type": "set", "default": [ "grpc", "grpcs", @@ -25,13 +28,15 @@ { "consumer_group": { "type": "foreign", - "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { + "required": true, + "type": "record", "shorthand_fields": [ { "proxy_host": { @@ -47,14 +52,14 @@ "fields": [ { "x_headers": { - "type": "string", "required": true, + "type": "string", + "default": "append", "one_of": [ "append", "transparent", "delete" ], - "default": "append", "description": "Determines how to handle headers when forwarding the request." } }, 
@@ -66,12 +71,12 @@ }, { "http_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { 
@@ -82,52 +87,50 @@ }, { "https_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "proxy_scheme": { - "type": "string", "required": true, + "type": "string", + "default": "http", "one_of": [ "http" ], - "default": "http", "description": "The proxy scheme to use when connecting. Only `http` is supported." } }, { "auth_username": { - "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", "referenceable": true, - "type": "string", - "required": false + "required": false, + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "type": "string" } }, { "auth_password": { - "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", "referenceable": true, - "type": "string", - "required": false + "required": false, + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "type": "string" } }, { "https_verify": { "required": true, - "default": false, "type": "boolean", - "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate." + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "default": false } } ], - "type": "record", - "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -156,8 +159,5 @@ ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/graphql-rate-limiting-advanced/3.5.x.json b/schemas/graphql-rate-limiting-advanced/3.5.x.json index 828a56eb..7d61f1fb 100644 
--- a/schemas/graphql-rate-limiting-advanced/3.5.x.json +++ b/schemas/graphql-rate-limiting-advanced/3.5.x.json @@ -1,9 +1,18 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "type": "set", "required": true, + "type": "set", "default": [ "grpc", "grpcs", @@ -25,9 +34,9 @@ { "consumer_group": { "type": "foreign", - "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { @@ -35,25 +44,25 @@ "fields": [ { "identifier": { - "type": "string", "required": true, + "type": "string", + "default": "consumer", "one_of": [ "ip", "credential", "consumer" ], - "default": "consumer", "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`." } }, { "window_size": { + "required": true, "description": "One or more window sizes to apply a limit to (defined in seconds).", + "type": "array", "elements": { "type": "number" - }, - "type": "array", - "required": true + } } }, { 
@@ -62,26 +71,26 @@ "fixed", "sliding" ], - "default": "sliding", "type": "string", - "description": "Sets the time window to either `sliding` or `fixed`." + "description": "Sets the time window to either `sliding` or `fixed`.", + "default": "sliding" } }, { "limit": { + "required": true, "description": "One or more requests-per-window limits to apply.", + "type": "array", "elements": { "type": "number" - }, - "type": "array", - "required": true + } } }, { "sync_rate": { - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.", + "required": true, "type": "number", - "required": true + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds." } }, { 
@@ -93,29 +102,29 @@ }, { "strategy": { - "type": "string", "required": true, + "type": "string", + "default": "cluster", "one_of": [ "cluster", "redis" ], - "default": "cluster", "description": "The rate-limiting strategy to use for retrieving and incrementing the limits." } }, { "dictionary_name": { - "description": "The shared dictionary where counters will be stored until the next sync cycle.", - "default": "kong_rate_limiting_counters", + "required": true, "type": "string", - "required": true + "description": "The shared dictionary where counters will be stored until the next sync cycle.", + "default": "kong_rate_limiting_counters" } }, { "hide_client_headers": { - "default": false, "type": "boolean", - "description": "Optionally hide informative response headers. Available options: `true` or `false`." + "description": "Optionally hide informative response headers. Available options: `true` or `false`.", + "default": false } }, { 
@@ -124,88 +133,30 @@ "default", "node_quantifier" ], - "default": "default", "type": "string", - "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`." + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", + "default": "default" } }, { "score_factor": { - "gt": 0, - "type": "number", "required": false, + "type": "number", "default": 1, - "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0." + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", + "gt": 0 } }, { "max_cost": { - "description": "A defined maximum cost per query. 0 means unlimited.", - "default": 0, + "required": false, "type": "number", - "required": false + "description": "A defined maximum cost per query. 0 means unlimited.", + "default": 0 } }, { "redis": { - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_addresses" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_addresses" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - } - ], "fields": [ { "host": { 
@@ -215,117 +166,117 @@ }, { "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "username": { "referenceable": true, - "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
The username **cannot** be set to `default`.", + "type": "string" } }, { "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "referenceable": true, + "encrypted": true, "type": "string", - "encrypted": true + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." } }, { "sentinel_username": { "referenceable": true, - "type": "string", - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" } }, { "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "referenceable": true, + "encrypted": true, "type": "string", - "encrypted": true + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." } }, { "database": { - "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "default": 0 } }, { "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 - ], - "default": 256, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + ] } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. 
Defining this value implies using Redis Sentinel.", + "type": "string" } }, { 
@@ -335,44 +286,44 @@ "slave", "any" ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_addresses": { - "len_min": 1, "elements": { "type": "string" }, + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "type": "array", - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_addresses": { - "len_min": 1, "elements": { "type": "string" }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "type": "array", - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element." + "len_min": 1 } }, { "ssl": { + "required": false, "description": "If set to true, uses SSL to connect to Redis.", - "default": false, "type": "boolean", - "required": false + "default": false } }, { "ssl_verify": { + "required": false, "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "default": false, "type": "boolean", - "required": false + "default": false } }, { @@ -383,6 +334,64 @@ } } ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "cluster_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "cluster_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ], "type": "record", "required": true } @@ -392,14 +401,5 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/jwt-signer/3.5.x.json b/schemas/jwt-signer/3.5.x.json index 0f57a4e2..adf2ea3c 100644 --- a/schemas/jwt-signer/3.5.x.json +++ b/schemas/jwt-signer/3.5.x.json @@ -1,17 +1,20 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { "type": "foreign", "eq": null, - "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumers" } }, { "protocols": { - "type": "set", "required": true, + "type": "set", "default": [ "grpc", "grpcs", 
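Review bot: In the `redis` record (hunk `@@ -335,44 +286,44 @@`), `ssl` and `ssl_verify` both keep `"default": false` on the new side, and neither description says what that default means for the `password` and `sentinel_password` fields defined in the same record. Since this commit exists to ship descriptions with the schema, the `ssl` text could read `"If set to true, uses SSL to connect to Redis. Defaults to false, in which case the connection, including any AUTH exchange, is not encrypted."`. The `ssl_verify` text could add that with the default `false` the server certificate is not checked, so the Redis endpoint is not authenticated. The file is pulled from the API, so the wording would have to change in the upstream schema rather than in this JSON.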
@@ -33,9 +36,9 @@ { "consumer_group": { "type": "foreign", - "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { 
@@ -43,80 +46,80 @@ "fields": [ { "realm": { - "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", + "required": false, "type": "string", - "required": false + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value." } }, { "enable_hs_signatures": { - "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting.", - "default": false, + "required": false, "type": "boolean", - "required": false + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting.", + "default": false } }, { "enable_instrumentation": { - "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", - "default": false, + "required": false, "type": "boolean", - "required": false + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", + "default": false } }, { "access_token_issuer": { - "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", - "default": "kong", + "required": false, "type": "string", - "required": false + "description": "The `iss` claim of a signed or re-signed access token is set to this value. 
Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", + "default": "kong" } }, { "access_token_keyset": { - "description": "The name of the keyset containing signing keys.", - "default": "kong", + "required": false, "type": "string", - "required": false + "description": "The name of the keyset containing signing keys.", + "default": "kong" } }, { "access_token_jwks_uri": { + "required": false, "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", - "type": "string", - "required": false + "type": "string" } }, { "access_token_request_header": { - "description": "This parameter tells the name of the header where to look for the access token.", - "default": "Authorization", + "required": false, "type": "string", - "required": false + "description": "This parameter tells the name of the header where to look for the access token.", + "default": "Authorization" } }, { "access_token_leeway": { - "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", - "default": 0, + "required": false, "type": "number", - "required": false + "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. 
You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", + "default": 0 } }, { "access_token_scopes_required": { + "required": false, "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "access_token_scopes_claim": { - "type": "array", "required": false, + "type": "array", "default": [ "scope" ], @@ -128,18 +131,18 @@ }, { "access_token_consumer_claim": { + "required": false, "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "access_token_consumer_by": { - "type": "array", "required": false, + "type": "array", "default": [ "username", "custom_id" 
@@ -157,73 +160,73 @@ }, { "access_token_upstream_header": { - "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", - "default": "Authorization:Bearer", + "required": false, "type": "string", - "required": false + "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", + "default": "Authorization:Bearer" } }, { "access_token_upstream_leeway": { - "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", - "default": 0, + "required": false, "type": "number", - "required": false + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", + "default": 0 } }, { "access_token_introspection_endpoint": { + "required": false, "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", - "type": "string", - "required": false + "type": "string" } }, { "access_token_introspection_authorization": { - "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can 
specify the `Authorization` header's value with this configuration parameter.", + "required": false, "type": "string", - "required": false + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter." } }, { "access_token_introspection_body_args": { - "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", + "required": false, "type": "string", - "required": false + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`." } }, { "access_token_introspection_hint": { - "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", - "default": "access_token", + "required": false, "type": "string", - "required": false + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", + "default": "access_token" } }, { "access_token_introspection_jwt_claim": { + "required": false, "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. 
Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "access_token_introspection_scopes_required": { + "required": false, "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "access_token_introspection_scopes_claim": { - "type": "array", "required": true, + "type": "array", "default": [ "scope" ], @@ -235,18 +238,18 @@ }, { "access_token_introspection_consumer_claim": { + "required": false, "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "access_token_introspection_consumer_by": { - "type": "array", "required": false, + "type": "array", "default": [ "username", "custom_id" 
@@ -264,23 +267,24 @@ }, { "access_token_introspection_leeway": { - "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", - "default": 0, + "required": false, "type": "number", - "required": false + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", + "default": 0 } }, { "access_token_introspection_timeout": { - "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", + "required": false, "type": "number", - "required": false + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection." } }, { "access_token_signing_algorithm": { - "type": "string", "required": true, + "type": "string", + "default": "RS256", "one_of": [ "HS256", "HS384", 
@@ -295,134 +299,133 @@ "PS512", "EdDSA" ], - "default": "RS256", "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm." } }, { "access_token_optional": { - "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect", - "default": false, + "required": false, "type": "boolean", - "required": false + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. 
If the token is provided, then this parameter has no effect", + "default": false } }, { "verify_access_token_signature": { - "description": "Quickly turn access token signature verification off and on as needed.", - "default": true, + "required": false, "type": "boolean", - "required": false + "description": "Quickly turn access token signature verification off and on as needed.", + "default": true } }, { "verify_access_token_expiry": { - "description": "Quickly turn access token expiry verification off and on as needed.", - "default": true, + "required": false, "type": "boolean", - "required": false + "description": "Quickly turn access token expiry verification off and on as needed.", + "default": true } }, { "verify_access_token_scopes": { - "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", - "default": true, + "required": false, "type": "boolean", - "required": false + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", + "default": true } }, { "verify_access_token_introspection_expiry": { - "description": "Quickly turn access token introspection expiry verification off and on as needed.", - "default": true, + "required": false, "type": "boolean", - "required": false + "description": "Quickly turn access token introspection expiry verification off and on as needed.", + "default": true } }, { "verify_access_token_introspection_scopes": { - "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", - "default": true, + "required": false, "type": "boolean", - "required": false + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", + "default": true } }, { 
"cache_access_token_introspection": { - "description": "Whether to cache access token introspection results.", - "default": true, + "required": false, "type": "boolean", - "required": false + "description": "Whether to cache access token introspection results.", + "default": true } }, { "trust_access_token_introspection": { - "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", - "default": true, + "required": false, "type": "boolean", - "required": false + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", + "default": true } }, { "enable_access_token_introspection": { - "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", - "default": true, + "required": false, "type": "boolean", - "required": false + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", + "default": true } }, { "channel_token_issuer": { - "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", - "default": "kong", + "required": false, "type": "string", - "required": false + "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. 
The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", + "default": "kong" } }, { "channel_token_keyset": { - "description": "The name of the keyset containing signing keys.", - "default": "kong", + "required": false, "type": "string", - "required": false + "description": "The name of the keyset containing signing keys.", + "default": "kong" } }, { "channel_token_jwks_uri": { + "required": false, "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", - "type": "string", - "required": false + "type": "string" } }, { "channel_token_request_header": { - "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", + "required": false, "type": "string", - "required": false + "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string)." } }, { "channel_token_leeway": { - "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", - "default": 0, + "required": false, "type": "number", - "required": false + "description": "Adjusts clock skew between the token issuer and Kong. 
The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", + "default": 0 } }, { "channel_token_scopes_required": { + "required": false, "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "channel_token_scopes_claim": { - "type": "array", "required": false, + "type": "array", "default": [ "scope" ], @@ -434,22 +437,16 @@ }, { "channel_token_consumer_claim": { + "required": false, "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "channel_token_consumer_by": { - "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", - "default": [ - "username", - "custom_id" - ], - "type": "array", "elements": { "type": "string", "one_of": [ 
@@ -457,85 +454,91 @@ "username", "custom_id" ] - } + }, + "type": "array", + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", + "default": [ + "username", + "custom_id" + ] } }, { "channel_token_upstream_header": { - "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", + "required": false, "type": "string", - "required": false + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value." } }, { "channel_token_upstream_leeway": { - "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", - "default": 0, + "required": false, "type": "number", - "required": false + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", + "default": 0 } }, { "channel_token_introspection_endpoint": { + "required": false, "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", - "type": "string", - "required": false + "type": "string" } }, { "channel_token_introspection_authorization": { + "required": false, "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. 
Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", + "type": "string", "elements": { "type": "string" - }, - "type": "string", - "required": false + } } }, { "channel_token_introspection_body_args": { + "required": false, "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", + "type": "string", "elements": { "type": "string" - }, - "type": "string", - "required": false + } } }, { "channel_token_introspection_hint": { + "required": false, "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", + "type": "string", "elements": { "type": "string" - }, - "type": "string", - "required": false + } } }, { "channel_token_introspection_jwt_claim": { + "required": false, "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "channel_token_introspection_scopes_required": { + "required": false, "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "channel_token_introspection_scopes_claim": { - "type": "array", "required": false, + "type": "array", "default": 
[ "scope" ], @@ -547,18 +550,18 @@ }, { "channel_token_introspection_consumer_claim": { + "required": false, "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", + "type": "array", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "channel_token_introspection_consumer_by": { - "type": "array", "required": false, + "type": "array", "default": [ "username", "custom_id" 
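Review bot: `channel_token_introspection_authorization` (hunk `@@ -457,85 +454,91 @@`) is described on the new side with the text of `channel_token_introspection_endpoint`: it talks about the endpoint URI, not the `Authorization` header value. It is also typed `"type": "string"` while still carrying an array-style `elements` block, and `channel_token_introspection_body_args` and `channel_token_introspection_hint` in the same hunk show the same `string` plus `elements` mix. Because this field holds the credential sent to the introspection endpoint, its description should reuse the wording of `access_token_introspection_authorization` from earlier in this file, and the stray `elements` entries should be dropped. The field also carries neither `"encrypted": true` nor `"referenceable": true`, unlike the Redis `password` field in the previous file of this patch (hunk `@@ -215,117 +166,117 @@`); whether that is intended should be confirmed against the plugin. The file is downloaded from the API, so all of this needs fixing in the upstream schema.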
@@ -576,23 +579,24 @@ }, { "channel_token_introspection_leeway": { - "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", - "default": 0, + "required": false, "type": "number", - "required": false + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", + "default": 0 } }, { "channel_token_introspection_timeout": { - "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", + "required": false, "type": "number", - "required": false + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection." } }, { "channel_token_signing_algorithm": { - "type": "string", "required": true, + "type": "string", + "default": "RS256", "one_of": [ "HS256", "HS384", 
@@ -607,111 +611,110 @@ "PS512", "EdDSA" ], - "default": "RS256", "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token." } }, { "channel_token_optional": { - "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", - "default": false, + "required": false, "type": "boolean", - "required": false + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. 
If the channel token is provided, then this parameter has no effect", + "default": false } }, { "verify_channel_token_signature": { - "description": "Quickly turn on/off the channel token signature verification.", - "default": true, + "required": false, "type": "boolean", - "required": false + "description": "Quickly turn on/off the channel token signature verification.", + "default": true } }, { "verify_channel_token_expiry": { - "default": true, + "required": false, "type": "boolean", - "required": false + "default": true } }, { "verify_channel_token_scopes": { - "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", - "default": true, + "required": false, "type": "boolean", - "required": false + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", + "default": true } }, { "verify_channel_token_introspection_expiry": { - "description": "Quickly turn on/off the channel token introspection expiry verification.", - "default": true, + "required": false, "type": "boolean", - "required": false + "description": "Quickly turn on/off the channel token introspection expiry verification.", + "default": true } }, { "verify_channel_token_introspection_scopes": { - "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", - "default": true, + "required": false, "type": "boolean", - "required": false + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", + "default": true } }, { "cache_channel_token_introspection": { - "description": "Whether to cache channel token introspection results.", - "default": true, + "required": false, "type": "boolean", - "required": false + "description": "Whether to cache 
channel token introspection results.", + "default": true } }, { "trust_channel_token_introspection": { - "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", - "default": true, + "required": false, "type": "boolean", - "required": false + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", + "default": true } }, { "enable_channel_token_introspection": { - "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", - "default": true, + "required": false, "type": "boolean", - "required": false + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", + "default": true } }, { "add_claims": { + "required": false, "keys": { "type": "string" }, - "type": "map", - "required": false, "default": [ ], "values": { "type": "string" }, - "description": "Add customized claims if they are not present yet." 
+ "description": "Add customized claims if they are not present yet.", + "type": "map" } }, { "set_claims": { + "required": false, "keys": { "type": "string" }, - "type": "map", - "required": false, "default": [ ], "values": { "type": "string" }, - "description": "Set customized claims. If a claim is already present, it will be overwritten." + "description": "Set customized claims. If a claim is already present, it will be overwritten.", + "type": "map" } } ], @@ -719,8 +722,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/ldap-auth-advanced/3.5.x.json b/schemas/ldap-auth-advanced/3.5.x.json index d05399e5..6c2f0e5d 100644 --- a/schemas/ldap-auth-advanced/3.5.x.json +++ b/schemas/ldap-auth-advanced/3.5.x.json @@ -1,17 +1,17 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], - "type": "set", "elements": { "type": "string", "one_of": [ @@ -22,23 +22,32 @@ "ws", "wss" ] - } + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] } }, { "consumer_group": { "type": "foreign", - "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "consumer": { "type": "foreign", "eq": null, - "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumers" } }, { 
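Review bot: `verify_channel_token_expiry` in the `@@ -607,111 +611,110 @@` hunk is the only `verify_channel_token_*` toggle without a `description`, so the rendered reference says nothing about a switch that disables token expiry checking. Its siblings all follow one pattern, and the matching line would be `"description": "Quickly turn on/off the channel token expiry verification.",`. The same hunk documents `trust_channel_token_introspection` as defaulting to `true`, which skips payload expiry and scope checks, so an operator reading these fields needs the expiry toggle spelled out just as clearly. The commit message says these files are pulled from the API, so the text most likely has to be added to the upstream schema and downloaded again rather than edited here.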
@@ -47,126 +56,126 @@ { "ldap_host": { "required": true, - "type": "string", - "description": "Host on which the LDAP server is running." + "description": "Host on which the LDAP server is running.", + "type": "string" } }, { "ldap_password": { - "encrypted": true, "referenceable": true, "type": "string", - "description": "The password to the LDAP server." + "description": "The password to the LDAP server.", + "encrypted": true } }, { "ldap_port": { - "default": 389, + "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", "type": "number", - "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636." + "default": 389 } }, { "bind_dn": { "referenceable": true, - "type": "string", - "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated." + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", + "type": "string" } }, { "ldaps": { "required": true, - "default": false, + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", "type": "boolean", - "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled." 
+ "default": false } }, { "start_tls": { "required": true, - "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", "type": "boolean", - "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled." + "default": false } }, { "verify_ldap_host": { "required": true, - "default": false, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", "type": "boolean", - "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive." + "default": false } }, { "base_dn": { "required": true, - "type": "string", - "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'." + "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", + "type": "string" } }, { "attribute": { "required": true, - "type": "string", - "description": "Attribute to be used to search the user; e.g., \"cn\"." + "description": "Attribute to be used to search the user; e.g., \"cn\".", + "type": "string" } }, { "cache_ttl": { "required": true, - "default": 60, + "description": "Cache expiry time in seconds.", "type": "number", - "description": "Cache expiry time in seconds." + "default": 60 } }, { "hide_credentials": { - "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. 
It will be removed by Kong before proxying the request.", "type": "boolean", - "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request." + "default": false } }, { "timeout": { - "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", "type": "number", - "description": "An optional timeout in milliseconds when waiting for connection with LDAP server." + "default": 10000 } }, { "keepalive": { - "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", "type": "number", - "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed." + "default": 60000 } }, { "anonymous": { "len_min": 0, - "default": "", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "default": "" } }, { "header_type": { - "default": "ldap", + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. 
Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", "type": "string", - "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`." + "default": "ldap" } }, { "consumer_optional": { "required": false, - "default": false, + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", "type": "boolean", - "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user." + "default": false } }, { "consumer_by": { - "type": "array", "required": false, + "type": "array", "default": [ "username", "custom_id" 
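Review bot: In the `@@ -47,126 +56,126 @@` hunk of `schemas/ldap-auth-advanced/3.5.x.json`, `ldaps`, `start_tls` and `verify_ldap_host` all keep `"default": false`, and none of the three descriptions says what that combination means for the connection. Going by the descriptions, the defaults give a plain `ldap` connection on port 389 with no server certificate check, so the bind password and the credentials being verified are presumably sent unprotected. I would append to the `ldaps` description a sentence such as `With ldaps and start_tls both false (the defaults), the connection to the LDAP server is not encrypted.` and have `verify_ldap_host` recommend `true` whenever either TLS option is on. The `ldaps` text also reads "If the `ldap` setting is enabled", which looks like a typo for `ldaps`. The hunk only reorders keys, so all of this wording comes from the upstream schema.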
@@ -183,39 +192,39 @@ }, { "group_base_dn": { - "type": "string", - "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'." + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", + "type": "string" } }, { "group_name_attribute": { - "type": "string", - "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive." + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", + "type": "string" } }, { "group_member_attribute": { - "default": "memberOf", + "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive.", "type": "string", - "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive." + "default": "memberOf" } }, { "log_search_results": { "required": false, - "default": false, + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", "type": "boolean", - "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment." + "default": false } }, { "groups_required": { "required": false, + "type": "array", + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. 
- When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", "elements": { "type": "string" - }, - "type": "array", - "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result." + } } } ], @@ -223,14 +232,5 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/mtls-auth/3.5.x.json b/schemas/mtls-auth/3.5.x.json index f4b69ffc..1a3adb56 100644 --- a/schemas/mtls-auth/3.5.x.json +++ b/schemas/mtls-auth/3.5.x.json @@ -1,17 +1,20 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { "type": "foreign", "eq": null, - "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumers" } }, { "protocols": { - "type": "set", "required": true, + "type": "set", "default": [ "grpc", "grpcs", @@ -33,27 +36,13 @@ { "consumer_group": { "type": "foreign", - "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { - "entity_checks": [ - { - "mutually_required": [ - "http_proxy_host", - "http_proxy_port" - ] - }, - { - "mutually_required": [ - "https_proxy_host", - "https_proxy_port" - ] - } - ], "fields": [ { "anonymous": { 
@@ -63,8 +52,8 @@ }, { "consumer_by": { - "type": "array", "required": false, + "type": "array", "default": [ "username", "custom_id" 
@@ -82,82 +71,88 @@ { "ca_certificates": { "required": true, - "elements": { - "uuid": true, - "type": "string" - }, + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", "type": "array", - "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`)." + "elements": { + "type": "string", + "uuid": true + } } }, { "cache_ttl": { "required": true, - "default": 60, "type": "number", - "description": "Cache expiry time in seconds." + "description": "Cache expiry time in seconds.", + "default": 60 } }, { "skip_consumer_lookup": { "required": true, - "default": false, "type": "boolean", - "description": "Skip consumer lookup once certificate is trusted against the configured CA list." + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "default": false } }, { "allow_partial_chain": { "required": true, - "default": false, "type": "boolean", - "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates." + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "default": false } }, { "authenticated_group_by": { - "type": "string", "required": false, + "type": "string", + "default": "CN", "one_of": [ "CN", "DN" ], - "default": "CN", "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). 
Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users." } }, { "revocation_check_mode": { - "type": "string", "required": false, + "type": "string", + "default": "IGNORE_CA_ERROR", "one_of": [ "SKIP", "IGNORE_CA_ERROR", "STRICT" ], - "default": "IGNORE_CA_ERROR", "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status." } }, { "http_timeout": { - "default": 30000, "type": "number", - "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL." + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "default": 30000 } }, { "cert_cache_ttl": { - "default": 60000, "type": "number", - "description": "The length of time in milliseconds between refreshes of the revocation check status cache." + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", + "default": 60000 } }, { "send_ca_dn": { - "default": false, "type": "boolean", - "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message." + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", + "default": false + } + }, + { + "default_consumer": { + "type": "string", + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { @@ -168,12 +163,12 @@ }, { "http_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { @@ -184,21 +179,32 @@ }, { "https_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } } ], + "entity_checks": [ + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], "type": "record", "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/oas-validation/3.5.x.json b/schemas/oas-validation/3.5.x.json index 6493145f..8fab93c8 100644 --- a/schemas/oas-validation/3.5.x.json +++ b/schemas/oas-validation/3.5.x.json @@ -1,9 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, + "type": "set", "default": [ "grpc", "grpcs", @@ -25,9 +28,9 @@ { "consumer_group": { "type": "foreign", - "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { 
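Review bot: The new `default_consumer` field in the `@@ -82,82 +71,88 @@` hunk of `schemas/mtls-auth/3.5.x.json` does not say how it interacts with `anonymous`, `skip_consumer_lookup` or `consumer_by`, which all feed the same decision. As described, once it is set, a client whose certificate is trusted by a configured CA but maps to no consumer is presumably admitted under the fallback consumer instead of being rejected, so access control then rests on whatever is attached to that consumer. The description should say so, for example by appending `Requests matched this way are treated as this consumer; restrict it with the ACL plugin if not every trusted certificate should have access.` (wording to be confirmed upstream). This echoes the warning the `authenticated_group_by` description in the same hunk already gives for `skip_consumer_lookup`.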
@@ -36,104 +39,112 @@ { "api_spec": { "required": true, - "type": "string", - "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URL encoded to preserve the YAML format." + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format.", + "type": "string" } }, { "verbose_response": { "required": false, - "default": false, + "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", "type": "boolean", - "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing." + "default": false } }, { "validate_request_body": { "required": false, - "default": true, + "description": "If set to true, validates the request body content against the API specification.", "type": "boolean", - "description": "If set to true, validates the request body content against the API specification." + "default": true } }, { "notify_only_request_validation_failure": { "required": false, - "default": false, + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", "type": "boolean", - "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow." + "default": false } }, { "validate_request_header_params": { "required": false, - "default": true, + "description": "If set to true, validates HTTP header parameters against the API specification.", "type": "boolean", - "description": "If set to true, validates HTTP header parameters against the API specification." 
+ "default": true } }, { "validate_request_query_params": { "required": false, - "default": true, + "description": "If set to true, validates query parameters against the API specification.", "type": "boolean", - "description": "If set to true, validates query parameters against the API specification." + "default": true } }, { "validate_request_uri_params": { "required": false, - "default": true, + "description": "If set to true, validates URI parameters in the request against the API specification.", "type": "boolean", - "description": "If set to true, validates URI parameters in the request against the API specification." + "default": true } }, { "validate_response_body": { "required": false, - "default": false, + "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", "type": "boolean", - "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code." + "default": false } }, { "notify_only_response_body_validation_failure": { "required": false, - "default": false, + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", "type": "boolean", - "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow." + "default": false } }, { "query_parameter_check": { "required": true, - "default": false, + "description": "If set to true, checks if query parameters in the request exist in the API specification.", "type": "boolean", - "description": "If set to true, checks if query parameters in the request exist in the API specification." 
+ "default": false } }, { "header_parameter_check": { "required": true, - "default": false, + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", "type": "boolean", - "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification." + "default": false } }, { "allowed_header_parameters": { "required": false, - "default": "Host,Content-Type,User-Agent,Accept,Content-Length", + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", "type": "string", - "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent." + "default": "Host,Content-Type,User-Agent,Accept,Content-Length" } }, { "include_base_path": { "required": true, - "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation.", + "type": "boolean", + "default": false + } + }, + { + "api_spec_encoded": { + "required": true, + "description": "Indicates whether the api_spec is URI-Encoded.", "type": "boolean", - "description": "Indicates whether to include the base path when performing path match evaluation." + "default": true } } ], @@ -141,8 +152,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
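Review bot: `api_spec_encoded` is added in the `@@ -36,104 +39,112 @@` hunk of `schemas/oas-validation/3.5.x.json` as `"required": true` with `"default": true`, while the `api_spec` description in the same hunk still ties URI-encoding to YAML only ("If using a YAML file, the spec needs to be URI-Encoded"). Neither text says what happens when a JSON spec is supplied unencoded with the flag left at its default, or when the flag and the actual encoding disagree. Requests are validated against this spec, so the text should rule out a mis-decoded spec being accepted silently. I would extend the new description to `Indicates whether the api_spec is URI-Encoded. Set to false when api_spec is supplied as plain JSON or YAML.`, if that matches the plugin's behaviour.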
diff --git a/schemas/oauth2-introspection/3.5.x.json b/schemas/oauth2-introspection/3.5.x.json index c1499ce7..7d74b297 100644 --- a/schemas/oauth2-introspection/3.5.x.json +++ b/schemas/oauth2-introspection/3.5.x.json @@ -1,17 +1,20 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { "type": "foreign", "eq": null, - "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumers" } }, { "protocols": { - "type": "set", "required": true, + "type": "set", "default": [ "grpc", "grpcs", @@ -33,9 +36,9 @@ { "consumer_group": { "type": "foreign", - "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { @@ -50,9 +53,9 @@ }, { "ttl": { - "default": 30, + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", "type": "number", - "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration." + "default": 30 } }, { 
@@ -63,87 +66,89 @@ }, { "authorization_value": { - "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", + "encrypted": true, "type": "string", + "referenceable": true, + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", "required": true } }, { "timeout": { - "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", "type": "integer", - "description": "An optional timeout in milliseconds when sending data to the upstream server." + "default": 10000 } }, { "keepalive": { - "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", "type": "integer", - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." + "default": 60000 } }, { "introspect_request": { + "required": true, "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", - "default": false, "type": "boolean", - "required": true + "default": false } }, { "hide_credentials": { - "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request.", "type": "boolean", - "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. 
It will be removed by Kong before proxying the request." + "default": false } }, { "run_on_preflight": { - "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", "type": "boolean", - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed." + "default": true } }, { "anonymous": { - "len_min": 0, "default": "", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "len_min": 0 } }, { "consumer_by": { - "type": "string", "required": true, + "type": "string", + "default": "username", "one_of": [ "username", "client_id" ], - "default": "username", "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`." } }, { "custom_introspection_headers": { + "required": true, "keys": { "type": "string" }, - "type": "map", - "required": true, "default": [ ], "values": { "type": "string" }, - "description": "A list of custom headers to be added in the introspection request." 
+ "description": "A list of custom headers to be added in the introspection request.", + "type": "map" } }, { "custom_claims_forward": { - "type": "set", "required": true, + "type": "set", "default": [ ], @@ -158,8 +163,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/openid-connect/3.5.x.json b/schemas/openid-connect/3.5.x.json index 8cd4310b..3bb53c89 100644 --- a/schemas/openid-connect/3.5.x.json +++ b/schemas/openid-connect/3.5.x.json @@ -1,17 +1,20 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { "type": "foreign", "eq": null, - "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumers" } }, { "protocols": { - "type": "set", "required": true, + "type": "set", "default": [ "grpc", "grpcs", 
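Review bot: `custom_introspection_headers` keeps plain `"values": { "type": "string" }`, while `authorization_value` earlier in this hunk gains `"encrypted": true` and `"referenceable": true`. Custom headers sent to the introspection endpoint are a likely place for an API key or a second credential, and as declared here they presumably get neither keyring encryption nor vault references. If the plugin schema allows it, mark the map the way the openid-connect schema marks `introspection_headers_values`: `"values": { "referenceable": true, "type": "string" }` plus `"encrypted": true` on the field. This file is downloaded from the API, so the change belongs in the upstream plugin schema rather than in this copy.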
@@ -33,95 +36,14 @@ { "consumer_group": { "type": "foreign", - "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { - "shorthand_fields": [ - { - "authorization_cookie_lifetime": { - "type": "number" - } - }, - { - "authorization_cookie_samesite": { - "type": "string" - } - }, - { - "authorization_cookie_httponly": { - "type": "boolean" - } - }, - { - "session_cookie_lifetime": { - "type": "number" - } - }, - { - "session_cookie_idletime": { - "type": "number" - } - }, - { - "session_cookie_samesite": { - "type": "string" - } - }, - { - "session_cookie_httponly": { - "type": "boolean" - } - }, - { - "session_memcache_prefix": { - "type": "string" - } - }, - { - "session_memcache_socket": { - "type": "string" - } - }, - { - "session_memcache_host": { - "type": "string" - } - }, - { - "session_memcache_port": { - "type": "integer" - } - }, - { - "session_redis_cluster_maxredirections": { - "type": "integer" - } - }, - { - "session_cookie_renew": { - "type": "number" - } - }, - { - "session_cookie_maxsize": { - "type": "integer" - } - }, - { - "session_strategy": { - "type": "string" - } - }, - { - "session_compressor": { - "type": "string" - } - } - ], + "required": true, "fields": [ { "issuer": { 
@@ -132,47 +54,47 @@ }, { "discovery_headers_names": { + "required": false, + "type": "array", "description": "Extra header names passed to the discovery endpoint.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "discovery_headers_values": { + "required": false, + "type": "array", "description": "Extra header values passed to the discovery endpoint.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "extra_jwks_uris": { + "required": false, + "type": "set", "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "type": "set", - "required": false + } } }, { "rediscovery_lifetime": { + "required": false, "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", - "default": 30, "type": "number", - "required": false + "default": 30 } }, { "auth_methods": { - "type": "array", "required": false, + "type": "array", "default": [ "password", "client_credentials", @@ -184,7 +106,6 @@ "refresh_token", "session" ], - "description": "Types of credentials/grants to enable.", "elements": { "type": "string", "one_of": [ 
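Review bot: `discovery_headers_values` is declared with plain string elements and no `"encrypted": true`, so as far as this schema shows, header values sent to the discovery endpoint get neither keyring encryption nor vault references. The same holds for `token_headers_values`, `token_post_args_values`, `introspection_post_args_values`, `userinfo_headers_values` and `userinfo_query_args_values` in later hunks of this file. In contrast, `introspection_headers_values` gains `"elements": { "referenceable": true, "type": "string" }` and `"encrypted": true` in this same commit. These fields can carry the same kind of credential, so the asymmetry looks unintended and is worth raising upstream. Until then, operators should keep secrets out of the unmarked fields.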
@@ -198,35 +119,38 @@ "refresh_token", "session" ] - } + }, + "description": "Types of credentials/grants to enable." } }, { "client_id": { - "type": "array", - "encrypted": true, - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", "required": false, + "type": "array", "elements": { - "type": "string", - "referenceable": true - } + "referenceable": true, + "type": "string" + }, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "encrypted": true } }, { "client_secret": { - "type": "array", - "encrypted": true, - "description": "The client secret.", "required": false, + "type": "array", "elements": { - "type": "string", - "referenceable": true - } + "referenceable": true, + "type": "string" + }, + "description": "The client secret.", + "encrypted": true } }, { "client_auth": { + "required": false, + "type": "array", "description": "The authentication method used by the client (plugin) when calling the endpoint.", "elements": { "type": "string", @@ -237,9 +161,7 @@ "private_key_jwt", "none" ] - }, - "type": "array", - "required": false + } } }, { @@ -247,6 +169,8 @@ "required": false, "type": "array", "elements": { + "required": false, + "type": "record", "fields": [ { "issuer": { @@ -318,10 +242,10 @@ }, { "k": { + "required": false, "encrypted": true, - "referenceable": true, "type": "string", - "required": false + "referenceable": true } }, { 
@@ -356,79 +280,77 @@ }, { "d": { + "required": false, "encrypted": true, - "referenceable": true, "type": "string", - "required": false + "referenceable": true } }, { "p": { + "required": false, "encrypted": true, - "referenceable": true, "type": "string", - "required": false + "referenceable": true } }, { "q": { + "required": false, "encrypted": true, - "referenceable": true, "type": "string", - "required": false + "referenceable": true } }, { "dp": { + "required": false, "encrypted": true, - "referenceable": true, "type": "string", - "required": false + "referenceable": true } }, { "dq": { + "required": false, "encrypted": true, - "referenceable": true, "type": "string", - "required": false + "referenceable": true } }, { "qi": { + "required": false, "encrypted": true, - "referenceable": true, "type": "string", - "required": false + "referenceable": true } }, { "oth": { + "required": false, "encrypted": true, - "referenceable": true, "type": "string", - "required": false + "referenceable": true } }, { "r": { + "required": false, "encrypted": true, - "referenceable": true, "type": "string", - "required": false + "referenceable": true } }, { "t": { + "required": false, "encrypted": true, - "referenceable": true, "type": "string", - "required": false + "referenceable": true } } - ], - "type": "record", - "required": false + ] } } }, 
@@ -458,286 +380,289 @@ }, { "client_arg": { + "required": false, "description": "The client to use for this request (the selection is made with a request parameter with the same name).", - "default": "client_id", "type": "string", - "required": false + "default": "client_id" } }, { "redirect_uri": { + "required": false, + "type": "array", "description": "The redirect URI passed to the authorization and token endpoints.", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "type": "array", - "required": false + } } }, { "login_redirect_uri": { + "required": false, + "type": "array", "description": "Where to redirect the client when `login_action` is set to `redirect`.", "elements": { + "referenceable": true, "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "type": "array", - "required": false + } } }, { "logout_redirect_uri": { + "required": false, + "type": "array", "description": "Where to redirect the client after the logout.", "elements": { + "referenceable": true, "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "type": "array", - "required": false + } } }, { "forbidden_redirect_uri": { + "required": false, + "type": "array", "description": "Where to redirect the client on forbidden requests.", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
- }, - "type": "array", - "required": false + } } }, { "forbidden_error_message": { + "required": false, "description": "The error message for the forbidden requests (when not using the redirection).", - "default": "Forbidden", "type": "string", - "required": false + "default": "Forbidden" } }, { "forbidden_destroy_session": { + "required": false, "description": "Destroy any active session for the forbidden requests.", - "default": true, "type": "boolean", - "required": false + "default": true } }, { "unauthorized_destroy_session": { + "required": false, "description": "Destroy any active session for the unauthorized requests.", - "default": true, "type": "boolean", - "required": false + "default": true } }, { "unauthorized_redirect_uri": { + "required": false, + "type": "array", "description": "Where to redirect the client on unauthorized requests.", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "type": "array", - "required": false + } } }, { "unauthorized_error_message": { + "required": false, "description": "The error message for the unauthorized requests (when not using the redirection).", - "default": "Unauthorized", "type": "string", - "required": false + "default": "Unauthorized" } }, { "unexpected_redirect_uri": { + "required": false, + "type": "array", "description": "Where to redirect the client when unexpected errors happen with the requests.", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
- }, - "type": "array", - "required": false + } } }, { "response_mode": { - "type": "string", "required": false, + "type": "string", + "default": "query", "one_of": [ "query", "form_post", "fragment" ], - "default": "query", "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)" } }, { "response_type": { - "type": "array", "required": false, + "type": "array", "default": [ "code" ], - "description": "The response type passed to the authorization endpoint.", "elements": { "type": "string" - } + }, + "description": "The response type passed to the authorization endpoint." } }, { "scopes": { - "type": "array", "required": false, + "type": "array", "default": [ "openid" ], - "description": "The scopes passed to the authorization and token endpoints.", "elements": { + "referenceable": true, "type": "string" - } + }, + "description": "The scopes passed to the authorization and token endpoints." } }, { "audience": { + "required": false, + "type": "array", "description": "The audience passed to the authorization endpoint.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "issuers_allowed": { + "required": false, + "type": "array", "description": "The issuers allowed to be present in the tokens (`iss` claim).", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "scopes_required": { + "required": false, + "type": "array", "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "scopes_claim": { - "type": "array", "required": false, + "type": "array", "default": [ "scope" ], - "description": "The claim that contains the scopes.", "elements": { "type": "string" - } + }, + "description": "The claim that contains the scopes." } }, { "audience_required": { + "required": false, + "type": "array", "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "audience_claim": { - "type": "array", "required": false, + "type": "array", "default": [ "aud" ], - "description": "The claim that contains the audience.", "elements": { "type": "string" - } + }, + "description": "The claim that contains the audience." } }, { "groups_required": { + "required": false, + "type": "array", "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "groups_claim": { - "type": "array", "required": false, + "type": "array", "default": [ "groups" ], - "description": "The claim that contains the groups.", "elements": { "type": "string" - } + }, + "description": "The claim that contains the groups." } }, { "roles_required": { + "required": false, + "type": "array", "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "roles_claim": { - "type": "array", "required": false, + "type": "array", "default": [ "roles" ], - "description": "The claim that contains the roles.", "elements": { "type": "string" - } + }, + "description": "The claim that contains the roles." } }, { "domains": { + "required": false, + "type": "array", "description": "The allowed values for the `hd` claim.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "max_age": { + "required": false, "description": "The maximum age (in seconds) compared to the `auth_time` claim.", - "type": "number", - "required": false + "type": "number" } }, { "authenticated_groups_claim": { + "required": false, + "type": "array", "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { 
@@ -749,107 +674,107 @@ }, { "authorization_query_args_names": { + "required": false, + "type": "array", "description": "Extra query argument names passed to the authorization endpoint.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "authorization_query_args_values": { + "required": false, + "type": "array", "description": "Extra query argument values passed to the authorization endpoint.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "authorization_query_args_client": { + "required": false, + "type": "array", "description": "Extra query arguments passed from the client to the authorization endpoint.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "authorization_rolling_timeout": { + "required": false, "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", - "default": 600, "type": "number", - "required": false + "default": 600 } }, { "authorization_cookie_name": { + "required": false, "description": "The authorization cookie name.", - "default": "authorization", "type": "string", - "required": false + "default": "authorization" } }, { "authorization_cookie_path": { - "type": "string", "required": false, - "starts_with": "/", - "default": "/", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "type": "string", + "default": "/", + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/" } }, { "authorization_cookie_domain": { + "required": false, "description": "The authorization cookie Domain flag.", - "type": "string", - "required": false + "type": "string" } }, { "authorization_cookie_same_site": { - "type": "string", "required": false, + "type": "string", + "default": "Default", "one_of": [ "Strict", "Lax", "None", "Default" ], - "default": "Default", "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." } }, { "authorization_cookie_http_only": { + "required": false, "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "default": true, "type": "boolean", - "required": false + "default": true } }, { "authorization_cookie_secure": { + "required": false, "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "type": "boolean", - "required": false + "type": "boolean" } }, { "preserve_query_args": { + "required": false, "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", - "default": false, "type": "boolean", - "required": false + "default": false } }, { 
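Review bot: `authorization_cookie_secure` is declared without a `default`, unlike `authorization_cookie_http_only` (`"default": true`) just above it, and its description does not say what happens when the field is unset. A reader cannot tell from the schema whether the authorization cookie may be sent over plain HTTP in a default configuration. The description should end with a sentence of the form `When unset, <effective behaviour>.` taken from the plugin's actual rule, or the schema should carry an explicit default.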
@@ -861,6 +786,8 @@ }, { "token_endpoint_auth_method": { + "required": false, + "type": "string", "description": "The token endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", 
@@ -868,60 +795,60 @@ "client_secret_jwt", "private_key_jwt", "none" - ], - "type": "string", - "required": false + ] } }, { "token_headers_names": { + "required": false, + "type": "array", "description": "Extra header names passed to the token endpoint.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "token_headers_values": { + "required": false, + "type": "array", "description": "Extra header values passed to the token endpoint.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "token_headers_client": { + "required": false, + "type": "array", "description": "Extra headers passed from the client to the token endpoint.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "token_headers_replay": { + "required": false, + "type": "array", "description": "The names of token endpoint response headers to forward to the downstream client.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "token_headers_prefix": { + "required": false, "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", - "type": "string", - "required": false + "type": "string" } }, { "token_headers_grants": { + "required": false, + "type": "array", "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant", "elements": { "type": "string", 
@@ -931,39 +858,37 @@ "authorization_code", "refresh_token" ] - }, - "type": "array", - "required": false + } } }, { "token_post_args_names": { + "required": false, + "type": "array", "description": "Extra post argument names passed to the token endpoint.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "token_post_args_values": { + "required": false, + "type": "array", "description": "Extra post argument values passed to the token endpoint.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "token_post_args_client": { - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Request Body - Query parameters This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body and send it to the token endpoint.", + "required": false, + "type": "array", + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { 
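Review bot: The new `token_post_args_client` description lists three sources (query parameters, request body, request header) but does not say which one wins when the same argument arrives in more than one. With `scope` as the documented example this matters, because the value forwarded to the token endpoint is chosen by the client. The text should state the precedence and note that the scopes actually granted still need to be enforced with `scopes_required`. The bullet list has also been flattened into one sentence (`- Query parameters - Request Body - Request Header`), which makes it hard to read.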
@@ -975,6 +900,8 @@ }, { "introspection_endpoint_auth_method": { + "required": false, + "type": "string", "description": "The introspection endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", 
@@ -982,106 +909,106 @@ "client_secret_jwt", "private_key_jwt", "none" - ], - "type": "string", - "required": false + ] } }, { "introspection_hint": { + "required": false, "description": "Introspection hint parameter value passed to the introspection endpoint.", - "default": "access_token", "type": "string", - "required": false + "default": "access_token" } }, { "introspection_check_active": { + "required": false, "description": "Check that the introspection response has an `active` claim with a value of `true`.", - "default": true, "type": "boolean", - "required": false + "default": true } }, { "introspection_accept": { - "type": "string", "required": false, + "type": "string", + "default": "application/json", "one_of": [ "application/json", "application/token-introspection+jwt", "application/jwt" ], - "default": "application/json", "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)" } }, { "introspection_headers_names": { + "required": false, + "type": "array", "description": "Extra header names passed to the introspection endpoint.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "introspection_headers_values": { - "description": "Extra header values passed to the introspection endpoint.", + "required": false, + "type": "array", "elements": { + "referenceable": true, "type": "string" }, - "type": "array", - "required": false + "description": "Extra header values passed to the introspection endpoint.", + "encrypted": true } }, { "introspection_headers_client": { + "required": false, + "type": "array", "description": "Extra headers passed from the client to the introspection endpoint.", "elements": { "type": "string" - }, - "type": "array", - "required": 
false + } } }, { "introspection_post_args_names": { + "required": false, + "type": "array", "description": "Extra post argument names passed to the introspection endpoint.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "introspection_post_args_values": { + "required": false, + "type": "array", "description": "Extra post argument values passed to the introspection endpoint.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "introspection_post_args_client": { + "required": false, + "type": "array", "description": "Extra post arguments passed from the client to the introspection endpoint.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "introspect_jwt_tokens": { + "required": false, "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", - "default": false, "type": "boolean", - "required": false + "default": false } }, { @@ -1093,6 +1020,8 @@ }, { "revocation_endpoint_auth_method": { + "required": false, + "type": "string", "description": "The revocation endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", "one_of": [ "client_secret_basic", @@ -1100,9 +1029,7 @@ "client_secret_jwt", "private_key_jwt", "none" - ], - "type": "string", - "required": false + ] } }, { 
@@ -1121,74 +1048,74 @@ }, { "userinfo_accept": { - "type": "string", "required": false, + "type": "string", + "default": "application/json", "one_of": [ "application/json", "application/jwt" ], - "default": "application/json", "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)" } }, { "userinfo_headers_names": { + "required": false, + "type": "array", "description": "Extra header names passed to the user info endpoint.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "userinfo_headers_values": { + "required": false, + "type": "array", "description": "Extra header values passed to the user info endpoint.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "userinfo_headers_client": { + "required": false, + "type": "array", "description": "Extra headers passed from the client to the user info endpoint.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "userinfo_query_args_names": { + "required": false, + "type": "array", "description": "Extra query argument names passed to the user info endpoint.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "userinfo_query_args_values": { + "required": false, + "type": "array", "description": "Extra query argument values passed to the user info endpoint.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "userinfo_query_args_client": { + "required": false, + "type": "array", "description": "Extra query arguments passed from the client to the user info endpoint.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { 
@@ -1200,134 +1127,134 @@ }, { "session_secret": { - "type": "string", "required": false, + "type": "string", "referenceable": true, - "encrypted": true, - "description": "The session secret." + "description": "The session secret.", + "encrypted": true } }, { "session_audience": { + "required": false, "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", - "default": "default", "type": "string", - "required": false + "default": "default" } }, { "session_cookie_name": { + "required": false, "description": "The session cookie name.", - "default": "session", "type": "string", - "required": false + "default": "session" } }, { "session_remember": { + "required": false, "description": "Enables or disables persistent sessions.", - "default": false, "type": "boolean", - "required": false + "default": false } }, { "session_remember_cookie_name": { + "required": false, "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", - "default": "remember", "type": "string", - "required": false + "default": "remember" } }, { "session_remember_rolling_timeout": { + "required": false, "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", - "default": 604800, "type": "number", - "required": false + "default": 604800 } }, { "session_remember_absolute_timeout": { + "required": false, "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", - "default": 2592000, "type": "number", - "required": false + "default": 2592000 } }, { "session_idling_timeout": { + "required": false, "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 
0 disables the checks and touching.", - "default": 900, "type": "number", - "required": false + "default": 900 } }, { "session_rolling_timeout": { + "required": false, "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", - "default": 3600, "type": "number", - "required": false + "default": 3600 } }, { "session_absolute_timeout": { + "required": false, "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", - "default": 86400, "type": "number", - "required": false + "default": 86400 } }, { "session_cookie_path": { - "type": "string", "required": false, - "starts_with": "/", - "default": "/", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "type": "string", + "default": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/" } }, { "session_cookie_domain": { + "required": false, "description": "The session cookie Domain flag.", - "type": "string", - "required": false + "type": "string" } }, { "session_cookie_same_site": { - "type": "string", "required": false, + "type": "string", + "default": "Lax", "one_of": [ "Strict", "Lax", "None", "Default" ], - "default": "Lax", "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." 
} }, { "session_cookie_http_only": { + "required": false, "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "default": true, "type": "boolean", - "required": false + "default": true } }, { "session_cookie_secure": { + "required": false, "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "type": "boolean", - "required": false + "type": "boolean" } }, { 
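Review bot: `session_cookie_secure` has no `default` in the new schema, and its description does not say what happens when the field is left unset, while `session_cookie_http_only` just before it documents `"default": true`. A reader cannot tell from this file whether the session cookie may be sent over plain HTTP in a default configuration. The description should end with a sentence stating the effective value when unset, for example `If unset, <effective behaviour — to be confirmed upstream>.` Since the file is pulled from the API, the wording has to be fixed in the plugin schema upstream and downloaded again.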
@@ -1366,250 +1293,249 @@ }, { "session_storage": { - "type": "string", "required": false, + "type": "string", + "default": "cookie", "one_of": [ "cookie", "memcache", "memcached", "redis" ], - "default": "cookie", "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis" } }, { "session_store_metadata": { + "required": false, "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", - "default": false, "type": "boolean", - "required": false + "default": false } }, { "session_enforce_same_subject": { + "required": false, "description": "When set to `true`, audiences are forced to share the same subject.", - "default": false, "type": "boolean", - "required": false + "default": false } }, { "session_hash_subject": { + "required": false, "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", - "default": false, "type": "boolean", - "required": false + "default": false } }, { "session_hash_storage_key": { + "required": false, "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", - "default": false, "type": "boolean", - "required": false + "default": false } }, { "session_memcached_prefix": { + "required": false, "description": "The memcached session key prefix.", - "type": "string", - "required": false + "type": "string" } }, { "session_memcached_socket": { + "required": false, "description": "The memcached unix socket path.", - "type": "string", - "required": false + "type": "string" } }, { "session_memcached_host": { + "required": false, "description": "The memcached host.", - "default": "127.0.0.1", "type": "string", - "required": false + "default": "127.0.0.1" } }, { "session_memcached_port": { - "type": "integer", "required": false, + "type": "integer", + "default": 11211, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "default": 11211, - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "session_redis_prefix": { + "required": false, "description": "The Redis session key prefix.", - "type": "string", - "required": false + "type": "string" } }, { "session_redis_socket": { + "required": false, "description": "The Redis unix socket path.", - "type": "string", - "required": false + "type": "string" } }, { "session_redis_host": { + "required": false, "description": "The Redis host", - "default": "127.0.0.1", "type": "string", - "required": false + "default": "127.0.0.1" } }, { "session_redis_port": { - "type": "integer", "required": false, + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ ] } }, { "session_redis_username": { - "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "required": false, "referenceable": true, "type": "string", - "required": false + "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." } }, { "session_redis_password": { - "type": "string", "required": false, + "type": "string", "referenceable": true, - "encrypted": true, - "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis." + "description": "Password to use for Redis connection when the `redis` session storage is defined. 
If undefined, no AUTH commands are sent to Redis.", + "encrypted": true } }, { "session_redis_connect_timeout": { + "required": false, "description": "Session redis connection timeout in milliseconds.", - "type": "integer", - "required": false + "type": "integer" } }, { "session_redis_read_timeout": { + "required": false, "description": "Session redis read timeout in milliseconds.", - "type": "integer", - "required": false + "type": "integer" } }, { "session_redis_send_timeout": { + "required": false, "description": "Session redis send timeout in milliseconds.", - "type": "integer", - "required": false + "type": "integer" } }, { "session_redis_ssl": { + "required": false, "description": "Use SSL/TLS for Redis connection.", - "default": false, "type": "boolean", - "required": false + "default": false } }, { "session_redis_ssl_verify": { + "required": false, "description": "Verify identity provider server certificate.", - "default": false, "type": "boolean", - "required": false + "default": false } }, { "session_redis_server_name": { + "required": false, "description": "The SNI used for connecting the Redis server.", - "type": "string", - "required": false + "type": "string" } }, { "session_redis_cluster_nodes": { + "required": false, + "type": "array", "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", "elements": { "type": "record", "fields": [ { "ip": { + "required": true, "description": "A string representing a host name, such as example.com.", - "default": "127.0.0.1", "type": "string", - "required": true + "default": "127.0.0.1" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ ] } } ] - }, - "type": "array", - "required": false + } } }, { "session_redis_cluster_max_redirections": { + "required": false, "description": "The Redis cluster maximum redirects.", - "type": "integer", - "required": false + "type": "integer" } }, { "reverify": { + "required": false, "description": "Specifies whether to always verify tokens stored in the session.", - "default": false, "type": "boolean", - "required": false + "default": false } }, { "jwt_session_claim": { + "required": false, "description": "The claim to match against the JWT session cookie.", - "default": "sid", "type": "string", - "required": false + "default": "sid" } }, { "jwt_session_cookie": { + "required": false, "description": "The name of the JWT session cookie.", - "type": "string", - "required": false + "type": "string" } }, { "bearer_token_param_type": { - "type": "array", "required": false, + "type": "array", "default": [ "header", "query", "body" ], - "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`", "elements": { "type": "string", "one_of": [ 
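Review bot: The description of `session_redis_ssl_verify` is "Verify identity provider server certificate.", which is the text of `ssl_verify` and does not describe a Redis setting. Judging by the field name it should presumably read `"description": "Verify the Redis server certificate."`. The field documents `"default": false`, and so does `ssl_verify` in the @@ -2321,101 hunk, so as documented both connections use TLS without certificate verification unless the operator enables it. Both descriptions should say this outright, because session data and tokens travel over these connections. The schema is downloaded from the API, so the text has to change upstream.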
@@ -1618,26 +1544,26 @@ "query", "body" ] - } + }, + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`" } }, { "bearer_token_cookie_name": { + "required": false, "description": "The name of the cookie in which the bearer token is passed.", - "type": "string", - "required": false + "type": "string" } }, { "client_credentials_param_type": { - "type": "array", "required": false, + "type": "array", "default": [ "header", "query", "body" ], - "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body", "elements": { "type": "string", "one_of": [ @@ -1645,19 +1571,19 @@ "query", "body" ] - } + }, + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body" } }, { "password_param_type": { - "type": "array", "required": false, + "type": "array", "default": [ "header", "query", "body" ], - "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", "elements": { "type": "string", "one_of": [ 
@@ -1665,19 +1591,19 @@ "query", "body" ] - } + }, + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body" } }, { "id_token_param_type": { - "type": "array", "required": false, + "type": "array", "default": [ "header", "query", "body" ], - "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", "elements": { "type": "string", "one_of": [ @@ -1685,26 +1611,26 @@ "query", "body" ] - } + }, + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body" } }, { "id_token_param_name": { + "required": false, "description": "The name of the parameter used to pass the id token.", - "type": "string", - "required": false + "type": "string" } }, { "refresh_token_param_type": { - "type": "array", "required": false, + "type": "array", "default": [ "header", "query", "body" ], - "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", "elements": { "type": "string", "one_of": [ 
@@ -1712,99 +1638,100 @@ "query", "body" ] - } + }, + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body" } }, { "refresh_token_param_name": { + "required": false, "description": "The name of the parameter used to pass the refresh token.", - "type": "string", - "required": false + "type": "string" } }, { "refresh_tokens": { + "required": false, "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", - "default": true, "type": "boolean", - "required": false + "default": true } }, { "upstream_headers_claims": { + "required": false, + "type": "array", "description": "The upstream header claims.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "upstream_headers_names": { + "required": false, + "type": "array", "description": "The upstream header names for the claim values.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "upstream_access_token_header": { + "required": false, "description": "The upstream access token header.", - "default": "authorization:bearer", "type": "string", - "required": false + "default": "authorization:bearer" } }, { "upstream_access_token_jwk_header": { + "required": false, "description": "The upstream access token JWK header.", - "type": "string", - "required": false + "type": "string" } }, { "upstream_id_token_header": { + "required": false, "description": "The upstream id token header.", - "type": "string", - "required": false + "type": "string" } }, { "upstream_id_token_jwk_header": { + "required": false, "description": "The upstream id token JWK header.", - "type": "string", - "required": false + "type": "string" } }, { "upstream_refresh_token_header": { + "required": false, "description": "The upstream refresh token header.", - "type": "string", - 
"required": false + "type": "string" } }, { "upstream_user_info_header": { + "required": false, "description": "The upstream user info header.", - "type": "string", - "required": false + "type": "string" } }, { "upstream_user_info_jwt_header": { + "required": false, "description": "The upstream user info JWT header (in case the user info returns a JWT response).", - "type": "string", - "required": false + "type": "string" } }, { "upstream_introspection_header": { + "required": false, "description": "The upstream introspection header.", - "type": "string", - "required": false + "type": "string" } }, { 
@@ -1815,85 +1742,85 @@ }, { "upstream_session_id_header": { + "required": false, "description": "The upstream session id header.", - "type": "string", - "required": false + "type": "string" } }, { "downstream_headers_claims": { + "required": false, + "type": "array", "description": "The downstream header claims.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "downstream_headers_names": { + "required": false, + "type": "array", "description": "The downstream header names for the claim values.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "downstream_access_token_header": { + "required": false, "description": "The downstream access token header.", - "type": "string", - "required": false + "type": "string" } }, { "downstream_access_token_jwk_header": { + "required": false, "description": "The downstream access token JWK header.", - "type": "string", - "required": false + "type": "string" } }, { "downstream_id_token_header": { + "required": false, "description": "The downstream id token header.", - "type": "string", - "required": false + "type": "string" } }, { "downstream_id_token_jwk_header": { + "required": false, "description": "The downstream id token JWK header.", - "type": "string", - "required": false + "type": "string" } }, { "downstream_refresh_token_header": { + "required": false, "description": "The downstream refresh token header.", - "type": "string", - "required": false + "type": "string" } }, { "downstream_user_info_header": { + "required": false, "description": "The downstream user info header.", - "type": "string", - "required": false + "type": "string" } }, { "downstream_user_info_jwt_header": { + "required": false, "description": "The downstream user info JWT header (in case the user info returns a JWT response).", - "type": "string", - "required": false + "type": "string" } }, { "downstream_introspection_header": { + "required": false, "description": "The downstream 
introspection header.", - "type": "string", - "required": false + "type": "string" } }, { @@ -1904,19 +1831,18 @@ }, { "downstream_session_id_header": { + "required": false, "description": "The downstream session id header.", - "type": "string", - "required": false + "type": "string" } }, { "login_methods": { - "type": "array", "required": false, + "type": "array", "default": [ "authorization_code" ], - "description": "Enable login functionality with specified grants.", "elements": { "type": "string", "one_of": [ @@ -1930,30 +1856,30 @@ "refresh_token", "session" ] - } + }, + "description": "Enable login functionality with specified grants." } }, { "login_action": { - "type": "string", "required": false, + "type": "string", + "default": "upstream", "one_of": [ "upstream", "response", "redirect" ], - "default": "upstream", "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location" } }, { "login_tokens": { - "type": "array", "required": false, + "type": "array", "default": [ "id_token" ], - "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response", "elements": { "type": "string", "one_of": [ 
@@ -1963,51 +1889,51 @@ "tokens", "introspection" ] - } + }, + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response" } }, { "login_redirect_mode": { - "type": "string", "required": false, + "type": "string", + "default": "fragment", "one_of": [ "query", "fragment" ], - "default": "fragment", "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)" } }, { "logout_query_arg": { + "required": false, "description": "The request query argument that activates the logout.", - "type": "string", - "required": false + "type": "string" } }, { "logout_post_arg": { + "required": false, "description": "The request body argument that activates the logout.", - "type": "string", - "required": false + "type": "string" } }, { "logout_uri_suffix": { + "required": false, "description": "The request URI suffix that activates the logout.", - "type": "string", - "required": false + "type": "string" } }, { "logout_methods": { - "type": "array", "required": false, + "type": "array", "default": [ "POST", "DELETE" ], - "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method", "elements": { "type": "string", "one_of": [ 
@@ -2015,52 +1941,52 @@ "GET", "DELETE" ] - } + }, + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method" } }, { "logout_revoke": { + "required": false, "description": "Revoke tokens as part of the logout.", - "default": false, "type": "boolean", - "required": false + "default": false } }, { "logout_revoke_access_token": { + "required": false, "description": "Revoke the access token as part of the logout.", - "default": true, "type": "boolean", - "required": false + "default": true } }, { "logout_revoke_refresh_token": { + "required": false, "description": "Revoke the refresh token as part of the logout.", - "default": true, "type": "boolean", - "required": false + "default": true } }, { "consumer_claim": { + "required": false, + "type": "array", "description": "The claim used for consumer mapping.", "elements": { "type": "string" - }, - "type": "array", - "required": false + } } }, { "consumer_by": { - "type": "array", "required": false, + "type": "array", "default": [ "username", "custom_id" ], - "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`", "elements": { "type": "string", "one_of": [ 
@@ -2068,93 +1994,93 @@ "username", "custom_id" ] - } + }, + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`" } }, { "consumer_optional": { + "required": false, "description": "Do not terminate the request if consumer mapping fails.", - "default": false, "type": "boolean", - "required": false + "default": false } }, { "credential_claim": { - "type": "array", "required": false, + "type": "array", "default": [ "sub" ], - "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used.", "elements": { "type": "string" - } + }, + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used." } }, { "anonymous": { + "required": false, "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "type": "string", - "required": false + "type": "string" } }, { "run_on_preflight": { + "required": false, "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", - "default": true, "type": "boolean", - "required": false + "default": true } }, { "leeway": { + "required": false, "description": "Allow some leeway (in seconds) on the iat claim and ttl / expiry verification.", - "default": 0, "type": "number", - "required": false + "default": 0 } }, { "verify_parameters": { + "required": false, "description": "Verify plugin configuration against discovery.", - "default": false, "type": "boolean", - "required": false + "default": false } }, { "verify_nonce": { + "required": false, "description": "Verify nonce on authorization code flow.", - "default": true, "type": "boolean", - "required": false + "default": true } }, { "verify_claims": { + "required": false, "description": "Verify tokens for standard claims.", - "default": true, "type": "boolean", - "required": false + "default": true } }, { "verify_signature": { + "required": false, "description": "Verify signature of tokens.", - "default": true, "type": "boolean", - "required": false + "default": true } }, { "ignore_signature": { - "type": "array", "required": false, + "type": "array", "default": [ ], - "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication", "elements": { "type": "string", "one_of": [ 
@@ -2166,19 +2092,22 @@ "introspection", "userinfo" ] - } + }, + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication" } }, { "enable_hs_signatures": { + "required": false, "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", - "default": false, "type": "boolean", - "required": false + "default": false } }, { "disable_session": { + "required": false, + "type": "array", "description": "Disable issuing the session cookie with the specified grants.", "elements": { "type": "string", 
@@ -2193,109 +2122,107 @@ "refresh_token", "session" ] - }, - "type": "array", - "required": false + } } }, { "cache_ttl": { + "required": false, "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", - "default": 3600, "type": "number", - "required": false + "default": 3600 } }, { "cache_ttl_max": { + "required": false, "description": "The maximum cache ttl in seconds (enforced).", - "type": "number", - "required": false + "type": "number" } }, { "cache_ttl_min": { + "required": false, "description": "The minimum cache ttl in seconds (enforced).", - "type": "number", - "required": false + "type": "number" } }, { "cache_ttl_neg": { + "required": false, "description": "The negative cache ttl in seconds.", - "type": "number", - "required": false + "type": "number" } }, { "cache_ttl_resurrect": { + "required": false, "description": "The resurrection ttl in seconds.", - "type": "number", - "required": false + "type": "number" } }, { "cache_tokens": { + "required": false, "description": "Cache the token endpoint requests.", - "default": true, "type": "boolean", - "required": false + "default": true } }, { "cache_tokens_salt": { - "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", - "type": "string", + "required": false, "auto": true, - "required": false + "type": "string", + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." 
} }, { "cache_introspection": { + "required": false, "description": "Cache the introspection endpoint requests.", - "default": true, "type": "boolean", - "required": false + "default": true } }, { "cache_token_exchange": { + "required": false, "description": "Cache the token exchange endpoint requests.", - "default": true, "type": "boolean", - "required": false + "default": true } }, { "cache_user_info": { + "required": false, "description": "Cache the user info requests.", - "default": true, "type": "boolean", - "required": false + "default": true } }, { "search_user_info": { + "required": false, "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", - "default": false, "type": "boolean", - "required": false + "default": false } }, { "hide_credentials": { + "required": false, "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", - "default": false, "type": "boolean", - "required": false + "default": false } }, { "http_version": { + "required": false, "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0", - "default": 1.1, "type": "number", - "required": false + "default": 1.1 } }, { @@ -2307,9 +2234,9 @@ }, { "http_proxy_authorization": { + "required": false, "description": "The HTTP proxy authorization.", - "type": "string", - "required": false + "type": "string" } }, { 
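Review bot: `http_proxy_authorization` is declared as a plain `string` with the description "The HTTP proxy authorization.", without the `"encrypted": true` and `"referenceable": true` markers that `session_secret` and `session_redis_password` carry elsewhere in this file. `https_proxy_authorization` in the next hunk is declared the same way. If the value is a credential for the proxy, which the name suggests but the page does not state, it would be stored in clear and could not be supplied through a vault reference. The markers would have to be added to the plugin schema upstream, since this file is an API download. The description should at least say what form the value takes.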
@@ -2321,101 +2248,101 @@ }, { "https_proxy_authorization": { + "required": false, "description": "The HTTPS proxy authorization.", - "type": "string", - "required": false + "type": "string" } }, { "no_proxy": { + "required": false, "description": "Do not use proxy with these hosts.", - "type": "string", - "required": false + "type": "string" } }, { "keepalive": { + "required": false, "description": "Use keepalive with the HTTP client.", - "default": true, "type": "boolean", - "required": false + "default": true } }, { "ssl_verify": { + "required": false, "description": "Verify identity provider server certificate.", - "default": false, "type": "boolean", - "required": false + "default": false } }, { "timeout": { + "required": false, "description": "Network IO timeout in milliseconds.", - "default": 10000, "type": "number", - "required": false + "default": 10000 } }, { "display_errors": { + "required": false, "description": "Display errors on failure responses.", - "default": false, "type": "boolean", - "required": false + "default": false } }, { "by_username_ignore_case": { + "required": false, "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", - "default": false, "type": "boolean", - "required": false + "default": false } }, { "resolve_distributed_claims": { + "required": false, "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", - "default": false, "type": "boolean", - "required": false + "default": false } }, { "expose_error_code": { - "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. 
Set to `false` to disable.", "type": "boolean", - "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable." + "default": true } }, { "token_cache_key_include_scope": { - "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", "type": "boolean", - "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens." + "default": false } }, { "introspection_token_param_name": { + "required": false, "description": "Designate token's parameter name for introspection.", - "default": "token", "type": "string", - "required": false + "default": "token" } }, { "using_pseudo_issuer": { - "default": false, + "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL.", "type": "boolean", - "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL." + "default": false } }, { "revocation_token_param_name": { + "required": false, "description": "Designate token's parameter name for revocation.", - "default": "token", "type": "string", - "required": false + "default": "token" } }, { 
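Review bot: The `ssl_verify` field in this hunk keeps `"default": false` with the one-line description "Verify identity provider server certificate.", which does not tell a reader that the identity provider's TLS certificate is left unchecked unless the option is turned on. The description should state the consequence of the default, for example `"description": "Verify identity provider server certificate. Defaults to `false`, in which case the certificate presented by the identity provider is not validated; set to `true` for production use."`. The Redis `ssl` and `ssl_verify` fields in the rate-limiting-advanced hunk `@@ -329,44 +280,44 @@` also default to `false` and would benefit from the same statement. Per the commit message these files are pulled from the API, so the wording presumably has to be fixed in the upstream schema to survive the next download.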
@@ -2425,25 +2352,103 @@ "strict", "optional" ], - "default": "off", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", "type": "string", - "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401." + "default": "off" } }, { "proof_of_possession_auth_methods_validation": { - "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", "type": "boolean", - "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP." 
+ "default": true } } ], "type": "record", - "required": true + "shorthand_fields": [ + { + "authorization_cookie_lifetime": { + "type": "number" + } + }, + { + "authorization_cookie_samesite": { + "type": "string" + } + }, + { + "authorization_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_cookie_lifetime": { + "type": "number" + } + }, + { + "session_cookie_idletime": { + "type": "number" + } + }, + { + "session_cookie_samesite": { + "type": "string" + } + }, + { + "session_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "type": "string" + } + }, + { + "session_memcache_socket": { + "type": "string" + } + }, + { + "session_memcache_host": { + "type": "string" + } + }, + { + "session_memcache_port": { + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer" + } + }, + { + "session_cookie_renew": { + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "type": "integer" + } + }, + { + "session_strategy": { + "type": "string" + } + }, + { + "session_compressor": { + "type": "string" + } + } + ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/opentelemetry/3.5.x.json b/schemas/opentelemetry/3.5.x.json index c9346512..a43d7b02 100644 --- a/schemas/opentelemetry/3.5.x.json +++ b/schemas/opentelemetry/3.5.x.json @@ -1,9 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, + "type": "set", "default": [ "grpc", "grpcs", 
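Review bot: The `shorthand_fields` entries added by the `@@ -2425,25 +2352,103 @@` hunk carry only a `type`, so a reader cannot tell which current field each one stands for or whether it is deprecated. That gap matters most for the cookie attributes `authorization_cookie_httponly`, `session_cookie_httponly` and `session_cookie_samesite`, which are security-relevant settings. Each entry should get a description along the lines of `"description": "Deprecated shorthand for <current field name>."`, with the placeholder filled in from the plugin's schema. The same hunk removes `"required": true` from the `config` record; unless it was re-added earlier in the record, outside this hunk, that is a semantic change rather than a key reorder and should be checked against the source schema.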
@@ -25,57 +28,46 @@ { "consumer_group": { "type": "foreign", - "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "batch_span_count", - "batch_flush_delay" - ] - } - } - ], "fields": [ { "endpoint": { + "required": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "referenceable": true, "type": "string", - "required": true + "referenceable": true } }, { "headers": { - "keys": { - "type": "string", - "description": "A string representing an HTTP header name." + "values": { + "referenceable": true, + "type": "string" }, "type": "map", - "values": { + "keys": { "type": "string", - "referenceable": true + "description": "A string representing an HTTP header name." }, "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend." } }, { "resource_attributes": { - "description": "Attributes to add to the OpenTelemetry resource object, following the spec for Semantic Attributes. \nThe following attributes are automatically added:\n- `service.name`: The name of the service (default: `kong`).\n- `service.version`: The version of Kong Gateway.\n- `service.instance.id`: The node ID of Kong Gateway.\n\nYou can use this property to override default attribute values. For example, to override the default for `service.name`, you can specify `{ \"service.name\": \"my-service\" }`.", - "keys": { - "type": "string", - "required": true + "values": { + "required": true, + "type": "string" }, "type": "map", - "values": { - "type": "string", - "required": true + "keys": { + "required": true, + "type": "string" } } }, 
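Review bot: The regenerated schema drops the `description` of `resource_attributes` in this hunk without adding it back, so the field ends up documented by its type alone. The same happens to `http_response_header_for_traceid` in `@@ -169,45 +164,45 @@` and to `header_type` in `@@ -220,10 +215,18 @@`. The commit message says descriptions are now merged into the schemas, so these look like a regression in the download rather than an intended removal. The removed strings should be kept, e.g. `"description": "Specifies a custom header for the `trace_id`. If set, the plugin sets the corresponding header in the response."`, and the longer `resource_attributes` and `header_type` texts restored unchanged.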
@@ -84,35 +76,35 @@ "fields": [ { "max_batch_size": { + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 - ], - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time." + ] } }, { "max_coalescing_delay": { + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 - ], - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + ] } }, { "max_entries": { + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 - ], - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue." + ] } }, { 
@@ -123,36 +115,39 @@ }, { "max_retry_time": { - "default": 60, "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60 } }, { "initial_retry_delay": { + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 - ], - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch." + ] } }, { "max_retry_delay": { + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ], - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff." + ] } } ], + "required": true, "type": "record", - "required": true + "default": { + "max_batch_size": 200 + } } }, { 
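Review bot: The `queue` record gains `"default": { "max_batch_size": 200 }` at the end of this hunk, while the `max_batch_size` field still declares `"default": 1` in the preceding hunk (`@@ -84,35 +76,35 @@`), so the schema now shows two different defaults for the same setting. Which value applies is not visible here; presumably the record-level default is used when `queue` is omitted. The `max_batch_size` description should say which one a user gets, for example by appending `The plugin's queue default overrides this with 200.` once that behaviour is confirmed.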
@@ -169,45 +164,45 @@ }, { "connect_timeout": { + "default": 1000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "default": 1000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "default": 5000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "default": 5000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "http_response_header_for_traceid": { - "description": "Specifies a custom header for the `trace_id`. If set, the plugin sets the corresponding header in the response.", "type": "string" } }, { "header_type": { + "required": false, "one_of": [ "preserve", "ignore", @@ -220,10 +215,18 @@ "gcp", "datadog" ], - "default": "preserve", - "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests.", "type": "string", - "required": false + "default": "preserve" + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "batch_span_count", + "batch_flush_delay" + ] } } ], @@ -231,8 +234,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
diff --git a/schemas/rate-limiting-advanced/3.5.x.json b/schemas/rate-limiting-advanced/3.5.x.json index b6d9b4c1..14ed04f8 100644 --- a/schemas/rate-limiting-advanced/3.5.x.json +++ b/schemas/rate-limiting-advanced/3.5.x.json @@ -1,9 +1,18 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "type": "set", "required": true, + "type": "set", "default": [ "grpc", "grpcs", @@ -27,8 +36,9 @@ "fields": [ { "identifier": { - "type": "string", "required": true, + "type": "string", + "default": "consumer", "one_of": [ "ip", "credential", @@ -37,18 +47,17 @@ "header", "path" ], - "default": "consumer", "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, or `path`." } }, { "window_size": { "required": true, + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "type": "array", "elements": { "type": "number" - }, - "type": "array", - "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified." + } } }, { 
@@ -57,68 +66,68 @@ "fixed", "sliding" ], - "default": "sliding", "type": "string", - "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters." + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "default": "sliding" } }, { "limit": { "required": true, + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "type": "array", "elements": { "type": "number" - }, - "type": "array", - "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified." + } } }, { "sync_rate": { - "type": "number", - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." + "description": "How often to sync counter data to the central data store. 
A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" } }, { "namespace": { - "required": true, "auto": true, + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", "type": "string", - "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same." + "required": true } }, { "strategy": { - "type": "string", "required": true, + "type": "string", + "default": "local", "one_of": [ "cluster", "redis", "local" ], - "default": "local", "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`." } }, { "dictionary_name": { "required": true, - "default": "kong_rate_limiting_counters", "type": "string", - "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle." + "description": "The shared dictionary where counters are stored. 
When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "default": "kong_rate_limiting_counters" } }, { "hide_client_headers": { - "default": false, "type": "boolean", - "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters." + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "default": false } }, { "retry_after_jitter_max": { - "default": 0, "type": "number", - "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header." + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "default": 0 } }, { @@ -129,7 +138,7 @@ }, { "path": { - "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "pattern": "//", 
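Review bot: The `strategy` description in the `@@ -57,68 +66,68 @@` hunk says "Available values are: `local` and `cluster`", but the `one_of` list on the same field also allows `redis`. The `dictionary_name` description later in the hunk also refers to `config.strategy` being `cluster` or `redis`. The description should list all three values, e.g. end it with `Available values are: `local`, `cluster`, and `redis`.`. As the file is regenerated from the API, the correction presumably needs to be made in the upstream schema, or the next download will overwrite it.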
@@ -137,69 +146,11 @@ } ], "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "starts_with": "/" } }, { "redis": { - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_addresses" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_addresses" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - } - ], "fields": [ { "host": { 
@@ -209,117 +160,117 @@ }, { "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "username": { "referenceable": true, - "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
The username **cannot** be set to `default`.", + "type": "string" } }, { "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "referenceable": true, + "encrypted": true, "type": "string", - "encrypted": true + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." } }, { "sentinel_username": { "referenceable": true, - "type": "string", - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" } }, { "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "referenceable": true, + "encrypted": true, "type": "string", - "encrypted": true + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." } }, { "database": { - "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "default": 0 } }, { "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 - ], - "default": 256, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + ] } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. 
Defining this value implies using Redis Sentinel.", + "type": "string" } }, { 
@@ -329,44 +280,44 @@ "slave", "any" ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_addresses": { - "len_min": 1, "elements": { "type": "string" }, + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "type": "array", - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_addresses": { - "len_min": 1, "elements": { "type": "string" }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "type": "array", - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element." + "len_min": 1 } }, { "ssl": { + "required": false, "description": "If set to true, uses SSL to connect to Redis.", - "default": false, "type": "boolean", - "required": false + "default": false } }, { "ssl_verify": { + "required": false, "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "default": false, "type": "boolean", - "required": false + "default": false } }, { 
@@ -377,46 +328,104 @@ } } ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ], + "set2": [ + "cluster_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "cluster_addresses" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ], "type": "record", "required": true } }, { "enforce_consumer_groups": { - "default": false, "type": "boolean", - "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups." + "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", + "default": false } }, { "consumer_groups": { - "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", - "type": "array", "elements": { "type": "string" - } + }, + "type": "array", + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. 
Required if `enforce_consumer_groups` is set to `true`." } }, { "disable_penalty": { - "default": false, "type": "boolean", - "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type." + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", + "default": false } }, { "error_code": { "gt": 0, - "default": 429, "type": "number", - "description": "Set a custom error code to return when the rate limit is exceeded." + "description": "Set a custom error code to return when the rate limit is exceeded.", + "default": 429 } }, { "error_message": { - "default": "API rate limit exceeded", "type": "string", - "description": "Set a custom error message to return when the rate limit is exceeded." + "description": "Set a custom error message to return when the rate limit is exceeded.", + "default": "API rate limit exceeded" } } ], @@ -424,14 +433,5 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/rate-limiting/3.5.x.json b/schemas/rate-limiting/3.5.x.json index 7f1ead9b..295b8035 100644 --- a/schemas/rate-limiting/3.5.x.json +++ b/schemas/rate-limiting/3.5.x.json 
@@ -1,9 +1,81 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.second", + "config.minute", + "config.hour", + "config.day", + "config.month", + "config.year" + ] + }, + { + "conditional": { + "then_field": "config.redis_host", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.redis_port", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.header_name", + "if_field": "config.limit_by", + "then_match": { + "required": true + }, + "if_match": { + "eq": "header" + } + } + }, + { + "conditional": { + "then_field": "config.path", + "if_field": "config.limit_by", + "then_match": { + "required": true + }, + "if_match": { + "eq": "path" + } + } + }, + { + "conditional": { + "then_field": "config.redis_timeout", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + } + ], "fields": [ { "protocols": { - "type": "set", "required": true, + "type": "set", "default": [ "grpc", "grpcs", @@ -25,9 +97,9 @@ { "consumer_group": { "type": "foreign", - "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { 
@@ -36,43 +108,43 @@ { "second": { "gt": 0, - "type": "number", - "description": "The number of HTTP requests that can be made per second." + "description": "The number of HTTP requests that can be made per second.", + "type": "number" } }, { "minute": { "gt": 0, - "type": "number", - "description": "The number of HTTP requests that can be made per minute." + "description": "The number of HTTP requests that can be made per minute.", + "type": "number" } }, { "hour": { "gt": 0, - "type": "number", - "description": "The number of HTTP requests that can be made per hour." + "description": "The number of HTTP requests that can be made per hour.", + "type": "number" } }, { "day": { "gt": 0, - "type": "number", - "description": "The number of HTTP requests that can be made per day." + "description": "The number of HTTP requests that can be made per day.", + "type": "number" } }, { "month": { "gt": 0, - "type": "number", - "description": "The number of HTTP requests that can be made per month." + "description": "The number of HTTP requests that can be made per month.", + "type": "number" } }, { "year": { "gt": 0, - "type": "number", - "description": "The number of HTTP requests that can be made per year." + "description": "The number of HTTP requests that can be made per year.", + "type": "number" } }, { @@ -85,9 +157,9 @@ "header", "path" ], - "default": "consumer", + "description": "The entity that is used when aggregating the limits.", "type": "string", - "description": "The entity that is used when aggregating the limits." + "default": "consumer" } }, { @@ -98,7 +170,7 @@ }, { "path": { - "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "pattern": "//", 
@@ -106,28 +178,28 @@ } ], "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "starts_with": "/" } }, { "policy": { "type": "string", - "len_min": 0, "default": "local", "one_of": [ "local", "cluster", "redis" ], - "description": "The rate-limiting policies to use for retrieving and incrementing the limits." + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "len_min": 0 } }, { "fault_tolerant": { "required": true, - "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", "type": "boolean", - "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors." + "default": true } }, { 
@@ -138,44 +210,44 @@ }, { "redis_port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "redis_password": { - "len_min": 0, "referenceable": true, + "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", "type": "string", - "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server." + "len_min": 0 } }, { "redis_username": { "referenceable": true, - "type": "string", - "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired." + "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.", + "type": "string" } }, { "redis_ssl": { "required": true, - "default": false, + "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server.", "type": "boolean", - "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server." + "default": false } }, { "redis_ssl_verify": { "required": true, - "default": false, + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies it server SSL certificate is validated. Note that you need to configure the lua_ssl_trusted_certificate to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.", "type": "boolean", - "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies it server SSL certificate is validated. 
Note that you need to configure the lua_ssl_trusted_certificate to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly." + "default": false } }, { 
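Review bot: The `redis_ssl_verify` description on the new side of schemas/rate-limiting/3.5.x.json reads "this property specifies it server SSL certificate is validated", where "it" should be "if the". The matching field in schemas/response-ratelimiting/3.5.x.json, later in this patch, already has the corrected sentence and puts `lua_ssl_trusted_certificate` and `lua_ssl_verify_depth` in backticks. Since the field keeps `"default": false`, the description could also say outright that turning on `redis_ssl` alone presumably leaves the Redis server certificate unchecked until this is set to `true`. Suggested first sentence: `When using the redis policy with redis_ssl set to true, this property specifies if the server SSL certificate is validated (default false: not verified).` If these files are generated from the upstream schema, the wording fix belongs there.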
@@ -186,47 +258,47 @@ }, { "redis_timeout": { - "default": 2000, + "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server.", "type": "number", - "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server." + "default": 2000 } }, { "redis_database": { - "default": 0, + "description": "When using the `redis` policy, this property specifies the Redis database to use.", "type": "integer", - "description": "When using the `redis` policy, this property specifies the Redis database to use." + "default": 0 } }, { "hide_client_headers": { "required": true, - "default": false, + "description": "Optionally hide informative response headers.", "type": "boolean", - "description": "Optionally hide informative response headers." + "default": false } }, { "error_code": { "gt": 0, - "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", "type": "number", - "description": "Set a custom error code to return when the rate limit is exceeded." + "default": 429 } }, { "error_message": { - "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", "type": "string", - "description": "Set a custom error message to return when the rate limit is exceeded." + "default": "API rate limit exceeded" } }, { "sync_rate": { "required": true, - "default": -1, + "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior.", "type": "number", - "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior." + "default": -1 } } ], 
@@ -234,77 +306,5 @@ "required": true } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.second", - "config.minute", - "config.hour", - "config.day", - "config.month", - "config.year" - ] - }, - { - "conditional": { - "then_field": "config.redis_host", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.policy" - } - }, - { - "conditional": { - "then_field": "config.redis_port", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.policy" - } - }, - { - "conditional": { - "then_field": "config.header_name", - "if_match": { - "eq": "header" - }, - "then_match": { - "required": true - }, - "if_field": "config.limit_by" - } - }, - { - "conditional": { - "then_field": "config.path", - "if_match": { - "eq": "path" - }, - "then_match": { - "required": true - }, - "if_field": "config.limit_by" - } - }, - { - "conditional": { - "then_field": "config.redis_timeout", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.policy" - } - } ] } \ No newline at end of file diff --git a/schemas/response-ratelimiting/3.5.x.json b/schemas/response-ratelimiting/3.5.x.json index 3595a350..5335fca2 100644 --- a/schemas/response-ratelimiting/3.5.x.json +++ b/schemas/response-ratelimiting/3.5.x.json 
@@ -1,9 +1,47 @@ { + "entity_checks": [ + { + "conditional": { + "then_field": "config.redis_host", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.redis_port", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + }, + { + "conditional": { + "then_field": "config.redis_timeout", + "if_field": "config.policy", + "then_match": { + "required": true + }, + "if_match": { + "eq": "redis" + } + } + } + ], "fields": [ { "protocols": { - "type": "set", "required": true, + "type": "set", "default": [ "grpc", "grpcs", @@ -25,9 +63,9 @@ { "consumer_group": { "type": "foreign", - "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { @@ -35,9 +73,9 @@ "fields": [ { "header_name": { - "default": "x-kong-limit", + "description": "The name of the response header used to increment the counters.", "type": "string", - "description": "The name of the response header used to increment the counters." + "default": "x-kong-limit" } }, { @@ -47,9 +85,9 @@ "credential", "ip" ], - "default": "consumer", + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", "type": "string", - "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`." + "default": "consumer" } }, { 
@@ -59,17 +97,17 @@ "cluster", "redis" ], - "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", "type": "string", - "description": "The rate-limiting policies to use for retrieving and incrementing the limits." + "default": "local" } }, { "fault_tolerant": { "required": true, - "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", "type": "boolean", - "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors." + "default": true } }, { 
@@ -80,44 +118,44 @@ }, { "redis_port": { + "default": 6379, + "description": "When using the `redis` policy, this property specifies the port of the Redis server.", + "type": "integer", "between": [ 0, 65535 - ], - "default": 6379, - "type": "integer", - "description": "When using the `redis` policy, this property specifies the port of the Redis server." + ] } }, { "redis_password": { - "len_min": 0, "referenceable": true, + "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", "type": "string", - "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server." + "len_min": 0 } }, { "redis_username": { "referenceable": true, - "type": "string", - "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.\nThis requires Redis v6.0.0+. The username **cannot** be set to `default`." + "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.\nThis requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "type": "string" } }, { "redis_ssl": { "required": true, - "default": false, + "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server.", "type": "boolean", - "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server." + "default": false } }, { "redis_ssl_verify": { "required": true, - "default": false, + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies if the server SSL certificate is validated. Note that you need to configure the `lua_ssl_trusted_certificate` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", "type": "boolean", - "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies if the server SSL certificate is validated. Note that you need to configure the `lua_ssl_trusted_certificate` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "default": false } }, { 
@@ -128,43 +166,41 @@ }, { "redis_timeout": { - "default": 2000, + "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server.", "type": "number", - "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server." + "default": 2000 } }, { "redis_database": { - "default": 0, + "description": "When using the `redis` policy, this property specifies Redis database to use.", "type": "number", - "description": "When using the `redis` policy, this property specifies Redis database to use." + "default": 0 } }, { "block_on_first_violation": { "required": true, - "default": false, + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", "type": "boolean", - "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too." + "default": false } }, { "hide_client_headers": { "required": true, - "default": false, + "description": "Optionally hide informative response headers.", "type": "boolean", - "description": "Optionally hide informative response headers." + "default": false } }, { "limits": { - "keys": { - "type": "string" - }, - "type": "map", "required": true, + "type": "map", "len_min": 1, "values": { + "required": true, "entity_checks": [ { "at_least_one_of": [ 
@@ -177,48 +213,50 @@ ] } ], + "type": "record", "fields": [ { "second": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "minute": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "hour": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "day": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "month": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "year": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } } - ], - "type": "record", - "required": true + ] }, - "description": "A map that defines rate limits for the plugin." + "description": "A map that defines rate limits for the plugin.", + "keys": { + "type": "string" + } } } ], @@ -226,43 +264,5 @@ "required": true } } - ], - "entity_checks": [ - { - "conditional": { - "then_field": "config.redis_host", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.policy" - } - }, - { - "conditional": { - "then_field": "config.redis_port", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.policy" - } - }, - { - "conditional": { - "then_field": "config.redis_timeout", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.policy" - } - } ] } \ No newline at end of file diff --git a/schemas/saml/3.5.x.json b/schemas/saml/3.5.x.json index a7e16a18..2157566c 100644 --- a/schemas/saml/3.5.x.json +++ b/schemas/saml/3.5.x.json @@ -1,17 +1,20 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { "type": "foreign", "eq": null, - "reference": "consumers", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumers" } }, { "protocols": { - "type": "set", "required": true, + "type": "set", "default": [ "grpc", "grpcs", 
@@ -33,97 +36,26 @@ { "consumer_group": { "type": "foreign", - "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { - "shorthand_fields": [ - { - "session_cookie_lifetime": { - "type": "number" - } - }, - { - "session_cookie_idletime": { - "type": "number" - } - }, - { - "session_cookie_samesite": { - "type": "string" - } - }, - { - "session_cookie_httponly": { - "type": "boolean" - } - }, - { - "session_memcache_prefix": { - "type": "string" - } - }, - { - "session_memcache_socket": { - "type": "string" - } - }, - { - "session_memcache_host": { - "type": "string" - } - }, - { - "session_memcache_port": { - "type": "integer" - } - }, - { - "session_redis_cluster_maxredirections": { - "type": "integer" - } - }, - { - "session_cookie_renew": { - "type": "number" - } - }, - { - "session_cookie_maxsize": { - "type": "integer" - } - }, - { - "session_strategy": { - "type": "string" - } - }, - { - "session_compressor": { - "type": "string" - } - }, - { - "session_auth_ttl": { - "type": "number" - } - } - ], + "required": true, "fields": [ { "assertion_consumer_path": { - "type": "string", "required": true, - "starts_with": "/", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], + "type": "string", + "starts_with": "/", "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, 
@@ -136,259 +68,259 @@ }, { "idp_certificate": { + "required": false, "type": "string", - "encrypted": true, "referenceable": true, - "required": false, - "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines." + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "encrypted": true } }, { "response_encryption_key": { + "required": false, "type": "string", - "encrypted": true, "referenceable": true, - "required": false, - "description": "The private encryption key required to decrypt encrypted assertions." + "description": "The private encryption key required to decrypt encrypted assertions.", + "encrypted": true } }, { "request_signing_key": { + "required": false, "type": "string", - "encrypted": true, "referenceable": true, - "required": false, - "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well." + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", + "encrypted": true } }, { "request_signing_certificate": { + "required": false, "type": "string", - "encrypted": true, "referenceable": true, - "required": false, - "description": "The certificate for signing requests." 
+ "description": "The certificate for signing requests.", + "encrypted": true } }, { "request_signature_algorithm": { - "type": "string", "required": false, + "type": "string", + "default": "SHA256", "one_of": [ "SHA256", "SHA384", "SHA512" ], - "default": "SHA256", "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`" } }, { "request_digest_algorithm": { - "type": "string", "required": false, + "type": "string", + "default": "SHA256", "one_of": [ "SHA256", "SHA1" ], - "default": "SHA256", "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`" } }, { "response_signature_algorithm": { - "type": "string", "required": false, + "type": "string", + "default": "SHA256", "one_of": [ "SHA256", "SHA384", "SHA512" ], - "default": "SHA256", "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`" } }, { "response_digest_algorithm": { - "type": "string", "required": false, + "type": "string", + "default": "SHA256", "one_of": [ "SHA256", "SHA1" ], - "default": "SHA256", "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`" } }, { "issuer": { - "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", + "required": true, "type": "string", - "required": true + "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP." } }, { "nameid_format": { - "type": "string", "required": false, + "type": "string", + "default": "EmailAddress", "one_of": [ "Unspecified", "EmailAddress", "Persistent", "Transient" ], - "default": "EmailAddress", "description": "The requested `NameId` format. 
Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`" } }, { "validate_assertion_signature": { - "description": "Enable signature validation for SAML responses.", - "default": true, + "required": false, "type": "boolean", - "required": false + "description": "Enable signature validation for SAML responses.", + "default": true } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", + "required": false, "type": "string", - "required": false + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username." } }, { "session_secret": { - "match": "^[0-9a-zA-Z/_+]+$", + "required": true, "referenceable": true, "type": "string", - "required": true, "len_min": 32, "len_max": 32, - "encrypted": true, - "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange." + "match": "^[0-9a-zA-Z/_+]+$", + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). 
It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "encrypted": true } }, { "session_audience": { - "description": "The session audience, for example \"my-application\"", - "default": "default", + "required": false, "type": "string", - "required": false + "description": "The session audience, for example \"my-application\"", + "default": "default" } }, { "session_cookie_name": { - "description": "The session cookie name.", - "default": "session", + "required": false, "type": "string", - "required": false + "description": "The session cookie name.", + "default": "session" } }, { "session_remember": { - "description": "Enables or disables persistent sessions", - "default": false, + "required": false, "type": "boolean", - "required": false + "description": "Enables or disables persistent sessions", + "default": false } }, { "session_remember_cookie_name": { - "description": "Persistent session cookie name", - "default": "remember", + "required": false, "type": "string", - "required": false + "description": "Persistent session cookie name", + "default": "remember" } }, { "session_remember_rolling_timeout": { - "description": "Persistent session rolling timeout in seconds.", - "default": 604800, + "required": false, "type": "number", - "required": false + "description": "Persistent session rolling timeout in seconds.", + "default": 604800 } }, { "session_remember_absolute_timeout": { - "description": "Persistent session absolute timeout in seconds.", - "default": 2592000, + "required": false, "type": "number", - "required": false + "description": "Persistent session absolute timeout in seconds.", + "default": 2592000 } }, { "session_idling_timeout": { - "description": "The session cookie idle time in seconds.", - "default": 900, + "required": false, "type": "number", - "required": false + "description": "The session cookie idle time in seconds.", + "default": 900 } }, { 
"session_rolling_timeout": { - "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", - "default": 3600, + "required": false, "type": "number", - "required": false + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "default": 3600 } }, { "session_absolute_timeout": { - "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", - "default": 86400, + "required": false, "type": "number", - "required": false + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "default": 86400 } }, { "session_cookie_path": { - "type": "string", "required": false, - "starts_with": "/", - "default": "/", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "type": "string", + "default": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/" } }, { "session_cookie_domain": { - "description": "The session cookie domain flag.", + "required": false, "type": "string", - "required": false + "description": "The session cookie domain flag." } }, { "session_cookie_same_site": { - "type": "string", "required": false, + "type": "string", + "default": "Lax", "one_of": [ "Strict", "Lax", "None", "Default" ], - "default": "Lax", "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." 
} }, { "session_cookie_http_only": { - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "default": true, + "required": false, "type": "boolean", - "required": false + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true } }, { "session_cookie_secure": { - "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "required": false, "type": "boolean", - "required": false + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." } }, { 
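Review bot: `request_digest_algorithm` and `response_digest_algorithm` still list `SHA1` in `one_of`, and their descriptions present it next to `SHA256` with no indication that it is the weaker choice. The default is `SHA256`, so this is a documentation gap rather than a behaviour change; I would append something like `SHA1 is weaker and should only be selected when the IdP requires it.` to both descriptions. In the same hunk, `session_cookie_secure` has no `default`, unlike `session_cookie_http_only` (`true`) and `session_cookie_same_site` (`Lax`), so its description should state what the plugin does when the field is unset. If these files are generated from the upstream schema, both changes belong there.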
@@ -427,224 +359,292 @@ }, { "session_storage": { - "type": "string", "required": false, + "type": "string", + "default": "cookie", "one_of": [ "cookie", "memcache", "memcached", "redis" ], - "default": "cookie", "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis" } }, { "session_store_metadata": { - "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", - "default": false, + "required": false, "type": "boolean", - "required": false + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", + "default": false } }, { "session_enforce_same_subject": { - "description": "When set to `true`, audiences are forced to share the same subject.", - "default": false, + "required": false, "type": "boolean", - "required": false + "description": "When set to `true`, audiences are forced to share the same subject.", + "default": false } }, { "session_hash_subject": { - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", - "default": false, + "required": false, "type": "boolean", - "required": false + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "default": false } }, { "session_hash_storage_key": { - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", - "default": false, + "required": false, "type": "boolean", - "required": false + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "default": false } }, { "session_memcached_prefix": { - "description": "The memcached session key prefix.", + "required": false, "type": "string", - "required": false + "description": "The memcached session key prefix." } }, { "session_memcached_socket": { - "description": "The memcached unix socket path.", + "required": false, "type": "string", - "required": false + "description": "The memcached unix socket path." } }, { "session_memcached_host": { - "description": "The memcached host.", - "default": "127.0.0.1", + "required": false, "type": "string", - "required": false + "description": "The memcached host.", + "default": "127.0.0.1" } }, { "session_memcached_port": { - "type": "integer", "required": false, + "type": "integer", + "default": 11211, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "default": 11211, - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "session_redis_prefix": { - "description": "The Redis session key prefix.", + "required": false, "type": "string", - "required": false + "description": "The Redis session key prefix." } }, { "session_redis_socket": { - "description": "The Redis unix socket path.", + "required": false, "type": "string", - "required": false + "description": "The Redis unix socket path." 
} }, { "session_redis_host": { - "description": "The Redis host IP.", - "default": "127.0.0.1", + "required": false, "type": "string", - "required": false + "description": "The Redis host IP.", + "default": "127.0.0.1" } }, { "session_redis_port": { - "type": "integer", "required": false, + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "session_redis_username": { - "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", "referenceable": true, - "type": "string", - "required": false + "required": false, + "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "type": "string" } }, { "session_redis_password": { + "required": false, "type": "string", - "encrypted": true, "referenceable": true, - "required": false, - "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. This value is pulled from" + "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. This value is pulled from", + "encrypted": true } }, { "session_redis_connect_timeout": { - "description": "The Redis connection timeout in milliseconds.", + "required": false, "type": "integer", - "required": false + "description": "The Redis connection timeout in milliseconds." 
} }, { "session_redis_read_timeout": { - "description": "The Redis read timeout in milliseconds.", + "required": false, "type": "integer", - "required": false + "description": "The Redis read timeout in milliseconds." } }, { "session_redis_send_timeout": { - "description": "The Redis send timeout in milliseconds.", + "required": false, "type": "integer", - "required": false + "description": "The Redis send timeout in milliseconds." } }, { "session_redis_ssl": { - "description": "Use SSL/TLS for the Redis connection.", - "default": false, + "required": false, "type": "boolean", - "required": false + "description": "Use SSL/TLS for the Redis connection.", + "default": false } }, { "session_redis_ssl_verify": { - "description": "Verify the Redis server certificate.", - "default": false, + "required": false, "type": "boolean", - "required": false + "description": "Verify the Redis server certificate.", + "default": false } }, { "session_redis_server_name": { - "description": "The SNI used for connecting to the Redis server.", + "required": false, "type": "string", - "required": false + "description": "The SNI used for connecting to the Redis server." } }, { "session_redis_cluster_nodes": { + "required": false, "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", + "type": "array", "elements": { "type": "record", "fields": [ { "ip": { + "required": true, "description": "A string representing a host name, such as example.com.", - "default": "127.0.0.1", "type": "string", - "required": true + "default": "127.0.0.1" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ ] } } ] - }, - "type": "array", - "required": false + } } }, { "session_redis_cluster_max_redirections": { - "description": "The Redis cluster maximum redirects.", + "required": false, "type": "integer", - "required": false + "description": "The Redis cluster maximum redirects." } } ], "type": "record", - "required": true + "shorthand_fields": [ + { + "session_cookie_lifetime": { + "type": "number" + } + }, + { + "session_cookie_idletime": { + "type": "number" + } + }, + { + "session_cookie_samesite": { + "type": "string" + } + }, + { + "session_cookie_httponly": { + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "type": "string" + } + }, + { + "session_memcache_socket": { + "type": "string" + } + }, + { + "session_memcache_host": { + "type": "string" + } + }, + { + "session_memcache_port": { + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer" + } + }, + { + "session_cookie_renew": { + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "type": "integer" + } + }, + { + "session_strategy": { + "type": "string" + } + }, + { + "session_compressor": { + "type": "string" + } + }, + { + "session_auth_ttl": { + "type": "number" + } + } + ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/websocket-size-limit/3.5.x.json b/schemas/websocket-size-limit/3.5.x.json index d1f893b1..8108ed2f 100644 --- a/schemas/websocket-size-limit/3.5.x.json +++ b/schemas/websocket-size-limit/3.5.x.json 
@@ -1,68 +1,68 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { "required": true, - "default": [ - "ws", - "wss" - ], - "type": "set", "elements": { "type": "string", "one_of": [ "ws", "wss" ] - } + }, + "type": "set", + "default": [ + "ws", + "wss" + ] } }, { "consumer_group": { "type": "foreign", - "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { - "entity_checks": [ - { - "at_least_one_of": [ - "client_max_payload", - "upstream_max_payload" - ] - } - ], "fields": [ { "client_max_payload": { + "required": false, + "type": "integer", "between": [ 1, 33554432 - ], - "type": "integer", - "required": false + ] } }, { "upstream_max_payload": { + "required": false, + "type": "integer", "between": [ 1, 33554432 - ], - "type": "integer", - "required": false + ] } } ], + "entity_checks": [ + { + "at_least_one_of": [ + "client_max_payload", + "upstream_max_payload" + ] + } + ], "type": "record", "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/websocket-validator/3.5.x.json b/schemas/websocket-validator/3.5.x.json index f4c4f89c..1643e60c 100644 --- a/schemas/websocket-validator/3.5.x.json +++ b/schemas/websocket-validator/3.5.x.json 
@@ -1,89 +1,63 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { "required": true, - "default": [ - "ws", - "wss" - ], - "type": "set", "elements": { "type": "string", "one_of": [ "ws", "wss" ] - } + }, + "type": "set", + "default": [ + "ws", + "wss" + ] } }, { "consumer_group": { "type": "foreign", - "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { - "entity_checks": [ - { - "at_least_one_of": [ - "client", - "upstream" - ] - } - ], "fields": [ { "client": { - "entity_checks": [ - { - "at_least_one_of": [ - "text", - "binary" - ] - } - ], + "required": false, "fields": [ { "text": { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "type", - "schema" - ] - } - } - ], + "required": false, "fields": [ { "type": { + "required": true, + "type": "string", "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" - ], - "type": "string", - "required": true + ] } }, { "schema": { + "required": true, "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "type": "string", - "required": true + "type": "string" } } ], "type": "record", - "required": false - } - }, - { - "binary": { "entity_checks": [ { "custom_entity_check": { 
@@ -93,37 +67,46 @@ ] } } - ], + ] + } + }, + { + "binary": { + "required": false, "fields": [ { "type": { + "required": true, + "type": "string", "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" - ], - "type": "string", - "required": true + ] } }, { "schema": { + "required": true, "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "type": "string", - "required": true + "type": "string" } } ], "type": "record", - "required": false + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ] } } ], "type": "record", - "required": false - } - }, - { - "upstream": { "entity_checks": [ { "at_least_one_of": [ @@ -131,45 +114,36 @@ "binary" ] } - ], + ] + } + }, + { + "upstream": { + "required": false, "fields": [ { "text": { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "type", - "schema" - ] - } - } - ], + "required": false, "fields": [ { "type": { + "required": true, + "type": "string", "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" - ], - "type": "string", - "required": true + ] } }, { "schema": { + "required": true, "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "type": "string", - "required": true + "type": "string" } } ], "type": "record", - "required": false - } - }, - { - "binary": { "entity_checks": [ { "custom_entity_check": { 
@@ -179,42 +153,68 @@ ] } } - ], + ] + } + }, + { + "binary": { + "required": false, "fields": [ { "type": { + "required": true, + "type": "string", "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" - ], - "type": "string", - "required": true + ] } }, { "schema": { + "required": true, "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "type": "string", - "required": true + "type": "string" } } ], "type": "record", - "required": false + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ] } } ], "type": "record", - "required": false + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } + ] } } ], + "entity_checks": [ + { + "at_least_one_of": [ + "client", + "upstream" + ] + } + ], "type": "record", "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/xml-threat-protection/3.5.x.json b/schemas/xml-threat-protection/3.5.x.json index 5eb6c2f7..29f6f914 100644 --- a/schemas/xml-threat-protection/3.5.x.json +++ b/schemas/xml-threat-protection/3.5.x.json @@ -1,9 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, + "type": "set", "default": [ "grpc", "grpcs", 
@@ -25,267 +28,267 @@ { "consumer_group": { "type": "foreign", - "reference": "consumer_groups", "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups" } }, { "config": { - "entity_checks": [ - { - "conditional": { - "then_field": "max_namespaces", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "namespace_aware" - } - }, - { - "conditional": { - "then_field": "prefix", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "namespace_aware" - } - }, - { - "conditional": { - "then_field": "namespaceuri", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "namespace_aware" - } - } - ], "fields": [ { "checked_content_types": { - "type": "set", "required": true, + "type": "set", "default": [ "application/xml" ], - "description": "A list of Content-Type values with payloads that must be validated.", "elements": { + "required": true, "type": "string", - "match": "^[^%s]+%/[^ ;]+$", - "required": true - } + "match": "^[^%s]+%/[^ ;]+$" + }, + "description": "A list of Content-Type values with payloads that must be validated." } }, { "allowed_content_types": { - "type": "set", "required": true, + "type": "set", "default": [ ], - "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", "elements": { + "required": true, "type": "string", - "match": "^[^%s]+%/[^ ;]+$", - "required": true - } + "match": "^[^%s]+%/[^ ;]+$" + }, + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated." 
} }, { "allow_dtd": { - "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", - "default": false, + "required": true, "type": "boolean", - "required": true + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", + "default": false } }, { "namespace_aware": { - "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", - "default": true, + "required": true, "type": "boolean", - "required": true + "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", + "default": true } }, { "max_depth": { - "gt": 0, - "type": "integer", "required": true, + "type": "integer", "default": 50, - "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level." + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", + "gt": 0 } }, { "max_children": { - "gt": 0, - "type": "integer", "required": true, + "type": "integer", "default": 100, - "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child." + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", + "gt": 0 } }, { "max_attributes": { - "gt": 0, - "type": "integer", "required": true, + "type": "integer", "default": 100, - "description": "Maximum number of attributes allowed on a tag, including default ones. 
Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes." + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", + "gt": 0 } }, { "max_namespaces": { - "gt": 0, - "type": "integer", "required": false, + "type": "integer", "default": 20, - "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware." + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", + "gt": 0 } }, { "document": { - "gt": 0, - "type": "integer", "required": true, + "type": "integer", "default": 10485760, - "description": "Maximum size of the entire document." + "description": "Maximum size of the entire document.", + "gt": 0 } }, { "buffer": { - "gt": 0, - "type": "integer", "required": true, + "type": "integer", "default": 1048576, - "description": "Maximum size of the unparsed buffer (see below)." + "description": "Maximum size of the unparsed buffer (see below).", + "gt": 0 } }, { "comment": { - "gt": 0, - "type": "integer", "required": true, + "type": "integer", "default": 1024, - "description": "Maximum size of comments." + "description": "Maximum size of comments.", + "gt": 0 } }, { "localname": { - "gt": 0, - "type": "integer", "required": true, + "type": "integer", "default": 1024, - "description": "Maximum size of the localname. This applies to tags and attributes." + "description": "Maximum size of the localname. This applies to tags and attributes.", + "gt": 0 } }, { "prefix": { - "gt": 0, - "type": "integer", "required": false, + "type": "integer", "default": 1024, - "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware." + "description": "Maximum size of the prefix. 
This applies to tags and attributes. This value is required if parsing is namespace-aware.", + "gt": 0 } }, { "namespaceuri": { - "gt": 0, - "type": "integer", "required": false, + "type": "integer", "default": 1024, - "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware." + "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware.", + "gt": 0 } }, { "attribute": { - "gt": 0, - "type": "integer", "required": true, + "type": "integer", "default": 1048576, - "description": "Maximum size of the attribute value." + "description": "Maximum size of the attribute value.", + "gt": 0 } }, { "text": { - "gt": 0, - "type": "integer", "required": true, + "type": "integer", "default": 1048576, - "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined)." + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", + "gt": 0 } }, { "pitarget": { - "gt": 0, - "type": "integer", "required": true, + "type": "integer", "default": 1024, - "description": "Maximum size of processing instruction targets." + "description": "Maximum size of processing instruction targets.", + "gt": 0 } }, { "pidata": { - "gt": 0, - "type": "integer", "required": true, + "type": "integer", "default": 1024, - "description": "Maximum size of processing instruction data." + "description": "Maximum size of processing instruction data.", + "gt": 0 } }, { "entityname": { - "gt": 0, - "type": "integer", "required": true, + "type": "integer", "default": 1024, - "description": "Maximum size of entity names in EntityDecl." + "description": "Maximum size of entity names in EntityDecl.", + "gt": 0 } }, { "entity": { - "gt": 0, - "type": "integer", "required": true, + "type": "integer", "default": 1024, - "description": "Maximum size of entity values in EntityDecl." 
+ "description": "Maximum size of entity values in EntityDecl.", + "gt": 0 } }, { "entityproperty": { - "gt": 0, - "type": "integer", "required": true, + "type": "integer", "default": 1024, - "description": "Maximum size of systemId, publicId, or notationName in EntityDecl." + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", + "gt": 0 } }, { "bla_max_amplification": { - "gt": 1, - "type": "number", "required": true, + "type": "number", "default": 100, - "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack." + "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", + "gt": 1 } }, { "bla_threshold": { - "gt": 1024, - "type": "integer", "required": true, + "type": "integer", "default": 8388608, - "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack." + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", + "gt": 1024 + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "max_namespaces", + "if_field": "namespace_aware", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + } + } + }, + { + "conditional": { + "then_field": "prefix", + "if_field": "namespace_aware", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + } + } + }, + { + "conditional": { + "then_field": "namespaceuri", + "if_field": "namespace_aware", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + } } } ], @@ -293,8 +296,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file From ff1fe0f3dec70494bd890259bfaefe0edef6f596 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 30 May 2024 08:41:57 +0000 Subject: [PATCH 049/165] Update dependency ruby to v3.3.2 --- .ruby-version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.ruby-version b/.ruby-version index bea438e9..47725433 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -3.3.1 +3.3.2 From cf33cf0f7f1b2c4fef630ec4ef1fe0cf5eb290ac Mon Sep 17 00:00:00 2001 
From: Fabian Rodriguez Date: Mon, 3 Jun 2024 16:25:55 +0200 Subject: [PATCH 050/165] Create 3.8.x examples from 3.7.x --- examples/acl/_3.8.x.yaml | 6 +++ examples/acme/_3.8.x.yaml | 3 ++ examples/ai-azure-content-safety/_3.8.x.yaml | 9 ++++ examples/ai-prompt-decorator/_3.8.x.yaml | 12 ++++++ examples/ai-prompt-guard/_3.8.x.yaml | 9 ++++ examples/ai-prompt-template/_3.8.x.yaml | 23 ++++++++++ examples/ai-proxy/_3.8.x.yaml | 12 ++++++ .../ai-rate-limiting-advanced/_3.8.x.yaml | 12 ++++++ examples/ai-request-transformer/_3.8.x.yaml | 18 ++++++++ examples/ai-response-transformer/_3.8.x.yaml | 21 +++++++++ examples/app-dynamics/_3.8.x.yaml | 2 + examples/application-registration/_3.8.x.yaml | 7 +++ examples/aws-lambda/_3.8.x.yaml | 9 ++++ examples/azure-functions/_3.8.x.yaml | 6 +++ examples/basic-auth/_3.8.x.yaml | 3 ++ examples/bot-detection/_3.8.x.yaml | 4 ++ examples/canary/_3.8.x.yaml | 5 +++ examples/correlation-id/_3.8.x.yaml | 5 +++ examples/cors/_3.8.x.yaml | 19 ++++++++ examples/datadog/_3.8.x.yaml | 6 +++ examples/degraphql/_3.8.x.yaml | 3 ++ examples/exit-transformer/_3.8.x.yaml | 4 ++ examples/file-log/_3.8.x.yaml | 3 ++ examples/forward-proxy/_3.8.x.yaml | 9 ++++ .../graphql-proxy-cache-advanced/_3.8.x.yaml | 3 ++ .../_3.8.x.yaml | 9 ++++ examples/grpc-gateway/_3.8.x.yaml | 3 ++ examples/grpc-web/_3.8.x.yaml | 3 ++ examples/hmac-auth/_3.8.x.yaml | 3 ++ examples/http-log/_3.8.x.yaml | 8 ++++ examples/ip-restriction/_3.8.x.yaml | 5 +++ examples/jq/_3.8.x.yaml | 3 ++ examples/jwe-decrypt/_3.8.x.yaml | 4 ++ examples/jwt-signer/_3.8.x.yaml | 4 ++ examples/jwt/_3.8.x.yaml | 4 ++ examples/kafka-log/_3.8.x.yaml | 3 ++ examples/kafka-upstream/_3.8.x.yaml | 3 ++ examples/key-auth-enc/_3.8.x.yaml | 4 ++ examples/key-auth/_3.8.x.yaml | 4 ++ examples/konnect-application-auth/_3.8.x.yaml | 3 ++ examples/ldap-auth-advanced/_3.8.x.yaml | 10 +++++ examples/ldap-auth/_3.8.x.yaml | 8 ++++ examples/loggly/_3.8.x.yaml | 3 ++ examples/mocking/_3.8.x.yaml | 14 ++++++ 
examples/mtls-auth/_3.8.x.yaml | 6 +++ examples/oas-validation/_3.8.x.yaml | 29 +++++++++++++ examples/oauth2-introspection/_3.8.x.yaml | 5 +++ examples/oauth2/_3.8.x.yaml | 9 ++++ examples/opa/_3.8.x.yaml | 5 +++ examples/openid-connect/_3.8.x.yaml | 12 ++++++ examples/opentelemetry/_3.8.x.yaml | 5 +++ examples/post-function/_3.8.x.yaml | 6 +++ examples/pre-function/_3.8.x.yaml | 6 +++ examples/prometheus/_3.8.x.yaml | 4 ++ examples/proxy-cache-advanced/_3.8.x.yaml | 11 +++++ examples/proxy-cache/_3.8.x.yaml | 12 ++++++ examples/rate-limiting-advanced/_3.8.x.yaml | 11 +++++ examples/rate-limiting/_3.8.x.yaml | 5 +++ examples/request-size-limiting/_3.8.x.yaml | 4 ++ examples/request-termination/_3.8.x.yaml | 4 ++ .../request-transformer-advanced/_3.8.x.yaml | 43 +++++++++++++++++++ examples/request-transformer/_3.8.x.yaml | 36 ++++++++++++++++ examples/request-validator/_3.8.x.yaml | 3 ++ examples/response-ratelimiting/_3.8.x.yaml | 8 ++++ .../response-transformer-advanced/_3.8.x.yaml | 31 +++++++++++++ examples/response-transformer/_3.8.x.yaml | 24 +++++++++++ examples/route-by-header/_3.8.x.yaml | 8 ++++ .../route-transformer-advanced/_3.8.x.yaml | 3 ++ examples/saml/_3.8.x.yaml | 12 ++++++ examples/session/_3.8.x.yaml | 3 ++ examples/statsd-advanced/_3.8.x.yaml | 7 +++ examples/statsd/_3.8.x.yaml | 9 ++++ examples/syslog/_3.8.x.yaml | 3 ++ examples/tcp-log/_3.8.x.yaml | 4 ++ examples/tls-handshake-modifier/_3.8.x.yaml | 1 + examples/tls-metadata-headers/_3.8.x.yaml | 4 ++ examples/udp-log/_3.8.x.yaml | 5 +++ examples/upstream-timeout/_3.8.x.yaml | 5 +++ examples/vault-auth/_3.8.x.yaml | 4 ++ examples/websocket-size-limit/_3.8.x.yaml | 4 ++ examples/websocket-validator/_3.8.x.yaml | 14 ++++++ examples/xml-threat-protection/_3.8.x.yaml | 6 +++ examples/zipkin/_3.8.x.yaml | 5 +++ 83 files changed, 687 insertions(+) create mode 100644 examples/acl/_3.8.x.yaml create mode 100644 examples/acme/_3.8.x.yaml create mode 100644 examples/ai-azure-content-safety/_3.8.x.yaml 
create mode 100644 examples/ai-prompt-decorator/_3.8.x.yaml create mode 100644 examples/ai-prompt-guard/_3.8.x.yaml create mode 100644 examples/ai-prompt-template/_3.8.x.yaml create mode 100644 examples/ai-proxy/_3.8.x.yaml create mode 100644 examples/ai-rate-limiting-advanced/_3.8.x.yaml create mode 100644 examples/ai-request-transformer/_3.8.x.yaml create mode 100644 examples/ai-response-transformer/_3.8.x.yaml create mode 100644 examples/app-dynamics/_3.8.x.yaml create mode 100644 examples/application-registration/_3.8.x.yaml create mode 100644 examples/aws-lambda/_3.8.x.yaml create mode 100644 examples/azure-functions/_3.8.x.yaml create mode 100644 examples/basic-auth/_3.8.x.yaml create mode 100644 examples/bot-detection/_3.8.x.yaml create mode 100644 examples/canary/_3.8.x.yaml create mode 100644 examples/correlation-id/_3.8.x.yaml create mode 100644 examples/cors/_3.8.x.yaml create mode 100644 examples/datadog/_3.8.x.yaml create mode 100644 examples/degraphql/_3.8.x.yaml create mode 100644 examples/exit-transformer/_3.8.x.yaml create mode 100644 examples/file-log/_3.8.x.yaml create mode 100644 examples/forward-proxy/_3.8.x.yaml create mode 100644 examples/graphql-proxy-cache-advanced/_3.8.x.yaml create mode 100644 examples/graphql-rate-limiting-advanced/_3.8.x.yaml create mode 100644 examples/grpc-gateway/_3.8.x.yaml create mode 100644 examples/grpc-web/_3.8.x.yaml create mode 100644 examples/hmac-auth/_3.8.x.yaml create mode 100644 examples/http-log/_3.8.x.yaml create mode 100644 examples/ip-restriction/_3.8.x.yaml create mode 100644 examples/jq/_3.8.x.yaml create mode 100644 examples/jwe-decrypt/_3.8.x.yaml create mode 100644 examples/jwt-signer/_3.8.x.yaml create mode 100644 examples/jwt/_3.8.x.yaml create mode 100644 examples/kafka-log/_3.8.x.yaml create mode 100644 examples/kafka-upstream/_3.8.x.yaml create mode 100644 examples/key-auth-enc/_3.8.x.yaml create mode 100644 examples/key-auth/_3.8.x.yaml create mode 100644 
examples/konnect-application-auth/_3.8.x.yaml create mode 100644 examples/ldap-auth-advanced/_3.8.x.yaml create mode 100644 examples/ldap-auth/_3.8.x.yaml create mode 100644 examples/loggly/_3.8.x.yaml create mode 100644 examples/mocking/_3.8.x.yaml create mode 100644 examples/mtls-auth/_3.8.x.yaml create mode 100644 examples/oas-validation/_3.8.x.yaml create mode 100644 examples/oauth2-introspection/_3.8.x.yaml create mode 100644 examples/oauth2/_3.8.x.yaml create mode 100644 examples/opa/_3.8.x.yaml create mode 100644 examples/openid-connect/_3.8.x.yaml create mode 100644 examples/opentelemetry/_3.8.x.yaml create mode 100644 examples/post-function/_3.8.x.yaml create mode 100644 examples/pre-function/_3.8.x.yaml create mode 100644 examples/prometheus/_3.8.x.yaml create mode 100644 examples/proxy-cache-advanced/_3.8.x.yaml create mode 100644 examples/proxy-cache/_3.8.x.yaml create mode 100644 examples/rate-limiting-advanced/_3.8.x.yaml create mode 100644 examples/rate-limiting/_3.8.x.yaml create mode 100644 examples/request-size-limiting/_3.8.x.yaml create mode 100644 examples/request-termination/_3.8.x.yaml create mode 100644 examples/request-transformer-advanced/_3.8.x.yaml create mode 100644 examples/request-transformer/_3.8.x.yaml create mode 100644 examples/request-validator/_3.8.x.yaml create mode 100644 examples/response-ratelimiting/_3.8.x.yaml create mode 100644 examples/response-transformer-advanced/_3.8.x.yaml create mode 100644 examples/response-transformer/_3.8.x.yaml create mode 100644 examples/route-by-header/_3.8.x.yaml create mode 100644 examples/route-transformer-advanced/_3.8.x.yaml create mode 100644 examples/saml/_3.8.x.yaml create mode 100644 examples/session/_3.8.x.yaml create mode 100644 examples/statsd-advanced/_3.8.x.yaml create mode 100644 examples/statsd/_3.8.x.yaml create mode 100644 examples/syslog/_3.8.x.yaml create mode 100644 examples/tcp-log/_3.8.x.yaml create mode 100644 examples/tls-handshake-modifier/_3.8.x.yaml create mode 
100644 examples/tls-metadata-headers/_3.8.x.yaml create mode 100644 examples/udp-log/_3.8.x.yaml create mode 100644 examples/upstream-timeout/_3.8.x.yaml create mode 100644 examples/vault-auth/_3.8.x.yaml create mode 100644 examples/websocket-size-limit/_3.8.x.yaml create mode 100644 examples/websocket-validator/_3.8.x.yaml create mode 100644 examples/xml-threat-protection/_3.8.x.yaml create mode 100644 examples/zipkin/_3.8.x.yaml
diff --git a/examples/acl/_3.8.x.yaml b/examples/acl/_3.8.x.yaml
new file mode 100644
index 00000000..a76559c0
--- /dev/null
+++ b/examples/acl/_3.8.x.yaml
@@ -0,0 +1,6 @@
+name: acl
+config:
+ allow:
+ - group1
+ - group2
+ hide_groups_header: true
diff --git a/examples/acme/_3.8.x.yaml b/examples/acme/_3.8.x.yaml
new file mode 100644
index 00000000..6b35cddc
--- /dev/null
+++ b/examples/acme/_3.8.x.yaml
@@ -0,0 +1,3 @@
+name: acme
+config:
+ account_email: example@example.com
diff --git a/examples/ai-azure-content-safety/_3.8.x.yaml b/examples/ai-azure-content-safety/_3.8.x.yaml
new file mode 100644
index 00000000..025407dc
--- /dev/null
+++ b/examples/ai-azure-content-safety/_3.8.x.yaml
@@ -0,0 +1,9 @@
+name: ai-azure-content-safety
+config:
+ content_safety_url: http//:
+ azure_use_managed_identity: false
+ reveal_failure_reason: true
+ content_safety_key: anything
+ categories:
+ - "Hate"
+ - "Violence"
\ No newline at end of file
diff --git a/examples/ai-prompt-decorator/_3.8.x.yaml b/examples/ai-prompt-decorator/_3.8.x.yaml
new file mode 100644
index 00000000..4e743eb9
--- /dev/null
+++ b/examples/ai-prompt-decorator/_3.8.x.yaml
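Review bot: `content_safety_url: http//:` in examples/ai-azure-content-safety/_3.8.x.yaml is not a usable URL as shown here: the scheme separator is reversed and there is no host, possibly because an angle-bracket placeholder was lost. A labelled placeholder such as `content_safety_url: https://<your-content-safety-endpoint>` would make clear that an HTTPS endpoint is expected, since the request carries `content_safety_key`. The example also sets `reveal_failure_reason: true`; assuming the option does what its name suggests, a comment like `# returns the block reason to the caller; consider false for untrusted clients` would document the trade-off.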
@@ -0,0 +1,12 @@
+name: ai-prompt-decorator
+config:
+ prepend:
+ - role: "system"
+ content: "You are data scientist, specialising in survey analytics."
+ - role: "user"
+ content: "Classify this test result set as positive, negative, or neutral."
+ - role: "assistant"
+ content: "These tests are NEUTRAL."
+ append:
+ - role: "user"
+ content: "Do not mention any real participants name in your justification."
diff --git a/examples/ai-prompt-guard/_3.8.x.yaml b/examples/ai-prompt-guard/_3.8.x.yaml
new file mode 100644
index 00000000..bd724506
--- /dev/null
+++ b/examples/ai-prompt-guard/_3.8.x.yaml
@@ -0,0 +1,9 @@
+name: ai-prompt-guard
+config:
+ allow_all_conversation_history: true
+ allow_patterns:
+ - ".*(P|p)ears.*"
+ - ".*(P|p)eaches.*"
+ deny_patterns:
+ - ".*(A|a)pples.*"
+ - ".*(O|o)ranges.*"
diff --git a/examples/ai-prompt-template/_3.8.x.yaml b/examples/ai-prompt-template/_3.8.x.yaml
new file mode 100644
index 00000000..1ed007fc
--- /dev/null
+++ b/examples/ai-prompt-template/_3.8.x.yaml
@@ -0,0 +1,23 @@
+name: ai-prompt-template
+config:
+ allow_untemplated_requests: true
+ templates:
+ - name: "developer-chat"
+ template: |-
+ {
+ "messages": [
+ {
+ "role": "system",
+ "content": "You are a {{program}} expert, in {{language}} programming language."
+ },
+ {
+ "role": "user",
+ "content": "Write me a {{program}} program."
+ }
+ ]
+ }
+ - name: "summarize-prompt"
+ template: |-
+ {
+ "prompt": "Summarize the following text for me: {{text}}"
+ }
diff --git a/examples/ai-proxy/_3.8.x.yaml b/examples/ai-proxy/_3.8.x.yaml
new file mode 100644
index 00000000..a16a3dd4
--- /dev/null
+++ b/examples/ai-proxy/_3.8.x.yaml
@@ -0,0 +1,12 @@
+name: ai-proxy
+config:
+ route_type: "llm/v1/chat"
+ auth:
+ header_name: "Authorization"
+ header_value: "Bearer "
+ model:
+ provider: "openai"
+ name: "gpt-4"
+ options:
+ max_tokens: 512
+ temperature: 1.0
diff --git a/examples/ai-rate-limiting-advanced/_3.8.x.yaml b/examples/ai-rate-limiting-advanced/_3.8.x.yaml
new file mode 100644
index 00000000..ba9e8024
--- /dev/null
+++ b/examples/ai-rate-limiting-advanced/_3.8.x.yaml
@@ -0,0 +1,12 @@
+name: ai-rate-limiting-advanced
+config:
+ model_providers:
+ - openai
+ - mistral
+ model_providers_limit:
+ - 1000
+ - 100
+ models_providers_window_size:
+ - 3600
+ - 60
+ sync_rate: 10
\ No newline at end of file
diff --git a/examples/ai-request-transformer/_3.8.x.yaml b/examples/ai-request-transformer/_3.8.x.yaml
new file mode 100644
index 00000000..b8275ac7
--- /dev/null
+++ b/examples/ai-request-transformer/_3.8.x.yaml
@@ -0,0 +1,18 @@
+name: ai-request-transformer
+config:
+ prompt: "Mask any credit card numbers in my JSON message. Reply with only the JSON result."
+ transformation_extract_pattern: '\\{((.|\n)*)\\}'
+ llm:
+ route_type: "llm/v1/chat"
+ auth:
+ header_name: "Authorization"
+ header_value: "Bearer "
+ logging:
+ log_statistics: true
+ log_payloads: false
+ model:
+ provider: "openai"
+ name: "gpt-4"
+ options:
+ max_tokens: 1024
+ temperature: 1.0
diff --git a/examples/ai-response-transformer/_3.8.x.yaml b/examples/ai-response-transformer/_3.8.x.yaml
new file mode 100644
index 00000000..4c62a8e2
--- /dev/null
+++ b/examples/ai-response-transformer/_3.8.x.yaml
@@ -0,0 +1,21 @@
+name: ai-response-transformer
+config:
+ prompt: "For any city name, put the country that it's in, in brackets next to it. Reply with only the JSON result."
+ transformation_extract_pattern: '\\{((.|\n)*)\\}'
+ parse_llm_response_json_instructions: false
+ llm:
+ route_type: "llm/v1/chat"
+ auth:
+ header_name: "api-key"
+ header_value: ""
+ logging:
+ log_statistics: true
+ log_payloads: false
+ model:
+ provider: "azure"
+ name: "gpt-35-turbo"
+ options:
+ max_tokens: 1024
+ temperature: 1.0
+ azure_instance: "azure-openai-instance-name"
+ azure_deployment_id: "gpt-3-5-deployment"
diff --git a/examples/app-dynamics/_3.8.x.yaml b/examples/app-dynamics/_3.8.x.yaml
new file mode 100644
index 00000000..fb73f97b
--- /dev/null
+++ b/examples/app-dynamics/_3.8.x.yaml
@@ -0,0 +1,2 @@
+name: app-dynamics
+config: {}
diff --git a/examples/application-registration/_3.8.x.yaml b/examples/application-registration/_3.8.x.yaml
new file mode 100644
index 00000000..a52184fb
--- /dev/null
+++ b/examples/application-registration/_3.8.x.yaml
@@ -0,0 +1,7 @@
+name: application-registration
+service: SERVICE_NAME
+config:
+ auto_approve: false
+ description:
+ display_name:
+ show_issuer: false
diff --git a/examples/aws-lambda/_3.8.x.yaml b/examples/aws-lambda/_3.8.x.yaml
new file mode 100644
index 00000000..5eddd18d
--- /dev/null
+++ b/examples/aws-lambda/_3.8.x.yaml
@@ -0,0 +1,9 @@
+name: aws-lambda
+config:
+ aws_key:
+ aws_secret:
+ aws_region:
+ aws_assume_role_arn:
+ aws_role_session_name:
+ function_name:
+ proxy_url: http://my-proxy-server:3128
diff --git a/examples/azure-functions/_3.8.x.yaml b/examples/azure-functions/_3.8.x.yaml
new file mode 100644
index 00000000..00f73c86
--- /dev/null
+++ b/examples/azure-functions/_3.8.x.yaml
@@ -0,0 +1,6 @@
+name: azure-functions
+config:
+ functionname:
+ appname:
+ hostdomain: azurewebsites.net
+ apikey:
diff --git a/examples/basic-auth/_3.8.x.yaml b/examples/basic-auth/_3.8.x.yaml
new file mode 100644
index 00000000..40fcf8c2
--- /dev/null
+++ b/examples/basic-auth/_3.8.x.yaml
@@ -0,0 +1,3 @@
+name: basic-auth
+config:
+ hide_credentials: true
diff --git a/examples/bot-detection/_3.8.x.yaml b/examples/bot-detection/_3.8.x.yaml
new file mode 100644
index 00000000..e4f2eb24
--- /dev/null
+++ b/examples/bot-detection/_3.8.x.yaml
@@ -0,0 +1,4 @@
+name: bot-detection
+config:
+ deny:
+ - helloworld
diff --git a/examples/canary/_3.8.x.yaml b/examples/canary/_3.8.x.yaml
new file mode 100644
index 00000000..928424f8
--- /dev/null
+++ b/examples/canary/_3.8.x.yaml
@@ -0,0 +1,5 @@
+name: canary
+config:
+ percentage: 50
+ upstream_host: example.com
+ upstream_port: 80
diff --git a/examples/correlation-id/_3.8.x.yaml b/examples/correlation-id/_3.8.x.yaml
new file mode 100644
index 00000000..31240989
--- /dev/null
+++ b/examples/correlation-id/_3.8.x.yaml
@@ -0,0 +1,5 @@
+name: correlation-id
+config:
+ header_name: Kong-Request-ID
+ generator: uuid#counter
+ echo_downstream: false
diff --git a/examples/cors/_3.8.x.yaml b/examples/cors/_3.8.x.yaml
new file mode 100644
index 00000000..c2046281
--- /dev/null
+++ b/examples/cors/_3.8.x.yaml
@@ -0,0 +1,19 @@
+name: cors
+config:
+ origins:
+ - http://mockbin.com
+ methods:
+ - GET
+ - POST
+ headers:
+ - Accept
+ - Accept-Version
+ - Content-Length
+ - Content-MD5
+ - Content-Type
+ - Date
+ - X-Auth-Token
+ exposed_headers:
+ - X-Auth-Token
+ credentials: true
+ max_age: 3600
diff --git a/examples/datadog/_3.8.x.yaml b/examples/datadog/_3.8.x.yaml
new file mode 100644
index 00000000..957e300c
--- /dev/null
+++ b/examples/datadog/_3.8.x.yaml
@@ -0,0 +1,6 @@
+name: datadog
+config:
+ host: 127.0.0.1
+ port: 8125
+ flush_timeout: 2
+ retry_count: 10
diff --git a/examples/degraphql/_3.8.x.yaml b/examples/degraphql/_3.8.x.yaml
new file mode 100644
index 00000000..84443323
--- /dev/null
+++ b/examples/degraphql/_3.8.x.yaml
@@ -0,0 +1,3 @@
+name: degraphql
+config:
+ graphql_server_path: '/graphql'
diff --git a/examples/exit-transformer/_3.8.x.yaml b/examples/exit-transformer/_3.8.x.yaml
new file mode 100644
index 00000000..c7f0c5d4
--- /dev/null
+++ b/examples/exit-transformer/_3.8.x.yaml
@@ -0,0 +1,4 @@
+name: exit-transformer
+config:
+ functions:
+ - "return function(status, body, headers) return status, body, headers end"
diff --git a/examples/file-log/_3.8.x.yaml b/examples/file-log/_3.8.x.yaml
new file mode 100644
index 00000000..aefd2bdc
--- /dev/null
+++ b/examples/file-log/_3.8.x.yaml
@@ -0,0 +1,3 @@
+name: file-log
+config:
+ path: /tmp/file.log
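Review bot: The cors example pairs `credentials: true` with a plaintext origin, `- http://mockbin.com`, so credentialed cross-origin reads are granted to a page that anyone on the network path can rewrite. Examples like this get pasted into real gateways, so the origin should be an HTTPS one the reader is expected to replace, e.g. `- https://app.example.com`. If the goal is only to show the field shapes, dropping `credentials: true` from the sample is the safer default.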
diff --git a/examples/forward-proxy/_3.8.x.yaml b/examples/forward-proxy/_3.8.x.yaml
new file mode 100644
index 00000000..7fb797ca
--- /dev/null
+++ b/examples/forward-proxy/_3.8.x.yaml
@@ -0,0 +1,9 @@
+name: forward-proxy
+config:
+ http_proxy_host: example.com
+ http_proxy_port: 80
+ proxy_scheme: http
+ auth_username: example_user
+ auth_password: example_pass
+ https_verify: false
+ x_headers: transparent
diff --git a/examples/graphql-proxy-cache-advanced/_3.8.x.yaml b/examples/graphql-proxy-cache-advanced/_3.8.x.yaml
new file mode 100644
index 00000000..e1ce637b
--- /dev/null
+++ b/examples/graphql-proxy-cache-advanced/_3.8.x.yaml
@@ -0,0 +1,3 @@
+name: graphql-proxy-cache-advanced
+config:
+ strategy: memory
diff --git a/examples/graphql-rate-limiting-advanced/_3.8.x.yaml b/examples/graphql-rate-limiting-advanced/_3.8.x.yaml
new file mode 100644
index 00000000..10985f83
--- /dev/null
+++ b/examples/graphql-rate-limiting-advanced/_3.8.x.yaml
@@ -0,0 +1,9 @@
+name: graphql-rate-limiting-advanced
+config:
+ limit:
+ - 5
+ window_size:
+ - 30
+ sync_rate: -1
+ namespace: example_namespace
+ strategy: cluster
diff --git a/examples/grpc-gateway/_3.8.x.yaml b/examples/grpc-gateway/_3.8.x.yaml
new file mode 100644
index 00000000..36b576ea
--- /dev/null
+++ b/examples/grpc-gateway/_3.8.x.yaml
@@ -0,0 +1,3 @@
+name: grpc-gateway
+config:
+ proto: path/to/hello.proto
diff --git a/examples/grpc-web/_3.8.x.yaml b/examples/grpc-web/_3.8.x.yaml
new file mode 100644
index 00000000..e4f2c597
--- /dev/null
+++ b/examples/grpc-web/_3.8.x.yaml
@@ -0,0 +1,3 @@
+name: grpc-web
+config:
+ proto: path/to/hello.proto
diff --git a/examples/hmac-auth/_3.8.x.yaml b/examples/hmac-auth/_3.8.x.yaml
new file mode 100644
index 00000000..ba1ae19d
--- /dev/null
+++ b/examples/hmac-auth/_3.8.x.yaml
@@ -0,0 +1,3 @@
+name: hmac-auth
+config:
+ hide_credentials: false
diff --git a/examples/http-log/_3.8.x.yaml b/examples/http-log/_3.8.x.yaml
new file mode 100644
index 00000000..dd88c67c
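Review bot: `https_verify: false` in the forward-proxy example switches off verification of the upstream server certificate, and a copied example carries that setting into production unnoticed. The sample should show `https_verify: true` and leave disabling it to a documented troubleshooting step. The inline `auth_password: example_pass` also models storing the proxy password in plain configuration; a clearly marked placeholder such as `auth_password: <PROXY_PASSWORD>` makes it obvious that the value must be supplied from a secret store.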
--- /dev/null
+++ b/examples/http-log/_3.8.x.yaml
@@ -0,0 +1,8 @@
+name: http-log
+config:
+ http_endpoint: http://mockbin.org/bin/:id
+ method: POST
+ timeout: 1000
+ keepalive: 1000
+ flush_timeout: 2
+ retry_count: 15
diff --git a/examples/ip-restriction/_3.8.x.yaml b/examples/ip-restriction/_3.8.x.yaml
new file mode 100644
index 00000000..4ca5298d
--- /dev/null
+++ b/examples/ip-restriction/_3.8.x.yaml
@@ -0,0 +1,5 @@
+name: ip-restriction
+config:
+ allow:
+ - 54.13.21.1
+ - 143.1.0.0/24
diff --git a/examples/jq/_3.8.x.yaml b/examples/jq/_3.8.x.yaml
new file mode 100644
index 00000000..d69ce58d
--- /dev/null
+++ b/examples/jq/_3.8.x.yaml
@@ -0,0 +1,3 @@
+name: jq
+config:
+ request_jq_program: .[0]
diff --git a/examples/jwe-decrypt/_3.8.x.yaml b/examples/jwe-decrypt/_3.8.x.yaml
new file mode 100644
index 00000000..f413b0e5
--- /dev/null
+++ b/examples/jwe-decrypt/_3.8.x.yaml
@@ -0,0 +1,4 @@
+name: jwe-decrypt
+config:
+ key_sets:
+ - dummyID
diff --git a/examples/jwt-signer/_3.8.x.yaml b/examples/jwt-signer/_3.8.x.yaml
new file mode 100644
index 00000000..71443348
--- /dev/null
+++ b/examples/jwt-signer/_3.8.x.yaml
@@ -0,0 +1,4 @@
+name: jwt-signer
+config:
+ access_token_introspection_scopes_claim:
+ - scope
diff --git a/examples/jwt/_3.8.x.yaml b/examples/jwt/_3.8.x.yaml
new file mode 100644
index 00000000..60fd478d
--- /dev/null
+++ b/examples/jwt/_3.8.x.yaml
@@ -0,0 +1,4 @@
+name: jwt
+config:
+ uri_param_names:
+ - paramName_2.2.x
diff --git a/examples/kafka-log/_3.8.x.yaml b/examples/kafka-log/_3.8.x.yaml
new file mode 100644
index 00000000..efb1efa7
--- /dev/null
+++ b/examples/kafka-log/_3.8.x.yaml
@@ -0,0 +1,3 @@
+name: kafka-log
+config:
+ topic: TOPIC
diff --git a/examples/kafka-upstream/_3.8.x.yaml b/examples/kafka-upstream/_3.8.x.yaml
new file mode 100644
index 00000000..64ff19e5
--- /dev/null
+++ b/examples/kafka-upstream/_3.8.x.yaml
@@ -0,0 +1,3 @@
+name: kafka-upstream
+config:
+ topic: TOPIC
diff --git a/examples/key-auth-enc/_3.8.x.yaml b/examples/key-auth-enc/_3.8.x.yaml
new file mode 100644
index 00000000..9f1a6093
--- /dev/null
+++ b/examples/key-auth-enc/_3.8.x.yaml
@@ -0,0 +1,4 @@
+name: key-auth-enc
+config:
+ key_names:
+ - apikey
diff --git a/examples/key-auth/_3.8.x.yaml b/examples/key-auth/_3.8.x.yaml
new file mode 100644
index 00000000..f8ef72c5
--- /dev/null
+++ b/examples/key-auth/_3.8.x.yaml
@@ -0,0 +1,4 @@
+name: key-auth
+config:
+ key_names:
+ - apikey
diff --git a/examples/konnect-application-auth/_3.8.x.yaml b/examples/konnect-application-auth/_3.8.x.yaml
new file mode 100644
index 00000000..e54993e5
--- /dev/null
+++ b/examples/konnect-application-auth/_3.8.x.yaml
@@ -0,0 +1,3 @@
+name: konnect-application-auth
+config:
+ scope: 'uuid'
diff --git a/examples/ldap-auth-advanced/_3.8.x.yaml b/examples/ldap-auth-advanced/_3.8.x.yaml
new file mode 100644
index 00000000..5396d6cf
--- /dev/null
+++ b/examples/ldap-auth-advanced/_3.8.x.yaml
@@ -0,0 +1,10 @@
+name: ldap-auth-advanced
+config:
+ ldap_host: ldap.example.com
+ ldap_port: 389
+ start_tls: true
+ base_dn: dc=example,dc=com
+ verify_ldap_host: false
+ attribute: cn
+ cache_ttl: 60
+ header_type: ldap
diff --git a/examples/ldap-auth/_3.8.x.yaml b/examples/ldap-auth/_3.8.x.yaml
new file mode 100644
index 00000000..fe95f595
--- /dev/null
+++ b/examples/ldap-auth/_3.8.x.yaml
@@ -0,0 +1,8 @@
+name: ldap-auth
+config:
+ hide_credentials: true
+ ldap_host: ldap.example.com
+ ldap_port: 389
+ base_dn: dc=example,dc=com
+ attribute: cn
+ header_type: ldap
diff --git a/examples/loggly/_3.8.x.yaml b/examples/loggly/_3.8.x.yaml
new file mode 100644
index 00000000..186454f8
--- /dev/null
+++ b/examples/loggly/_3.8.x.yaml
@@ -0,0 +1,3 @@
+name: loggly
+config:
+ key: YOUR_LOGGLY_SERVICE_TOKEN
diff --git a/examples/mocking/_3.8.x.yaml b/examples/mocking/_3.8.x.yaml
new file mode 100644
index 00000000..549e1f46
--- /dev/null
+++ b/examples/mocking/_3.8.x.yaml
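Review bot: The ldap-auth-advanced example sets `verify_ldap_host: false` next to `start_tls: true`, which gives an encrypted but unauthenticated channel: the directory server's certificate is never checked, so an on-path host can pose as the directory and receive the bind credentials. The sample should read `verify_ldap_host: true`. The ldap-auth example that follows uses `ldap_port: 389` and sets no transport option at all in the lines shown, so user passwords would cross the network in cleartext; adding `start_tls: true` and `verify_ldap_host: true` there keeps the two examples consistent.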
@@ -0,0 +1,14 @@
+name: mocking
+config:
+ random_delay: true
+ max_delay_time: 1
+ min_delay_time: 0.001
+ random_examples: true
+ api_specification: |
+ openapi: 3.0.1
+ info:
+ title: OpenAPI 3.0 API
+ description: This is a simple API
+ contact:
+ email: example@example.com
+ version: 1.0.0
diff --git a/examples/mtls-auth/_3.8.x.yaml b/examples/mtls-auth/_3.8.x.yaml
new file mode 100644
index 00000000..4bcdb7fd
--- /dev/null
+++ b/examples/mtls-auth/_3.8.x.yaml
@@ -0,0 +1,6 @@
+name: mtls-auth
+config:
+ ca_certificates:
+ - fdac360e-7b19-4ade-a553-6dd22937c82f
+ http_proxy_host: example
+ http_proxy_port: 80
diff --git a/examples/oas-validation/_3.8.x.yaml b/examples/oas-validation/_3.8.x.yaml
new file mode 100644
index 00000000..2eb7dc89
--- /dev/null
+++ b/examples/oas-validation/_3.8.x.yaml
@@ -0,0 +1,29 @@
+name: oas-validation
+config:
+ api_spec: |
+ openapi: 3.0.0
+ info:
+ version: "2.19.3"
+ title: Xero Finance API
+ description: The Finance API is a collection of endpoints which customers can use in the course of a loan application, which may assist lenders to gain the confidence they need to provide capital.
+ termsOfService: "https://developer.xero.com/xero-developer-platform-terms-conditions/"
+ contact:
+ name: "Xero Platform Team"
+ email: "api@xero.com"
+ url: "https://developer.xero.com"
+ license:
+ name: MIT
+ url: 'https://github.com/XeroAPI/Xero-OpenAPI/blob/master/LICENSE'
+ servers:
+ - description: Xero API servers
+ url: https://api.xero.com/finance.xro/1.0
+ paths:
+ /CashValidation:
+ get:
+ security:
+ - OAuth2: [finance.cashvalidation.read]
+ tags:
+ - Finance
+ summary: Get cash validation
+ operationId: getCashValidation
+ description: Summarizes the total cash position for each account for an org
diff --git a/examples/oauth2-introspection/_3.8.x.yaml b/examples/oauth2-introspection/_3.8.x.yaml
new file mode 100644
index 00000000..bdf723af
--- /dev/null
+++ b/examples/oauth2-introspection/_3.8.x.yaml
@@ -0,0 +1,5 @@
+name: oauth2-introspection
+config:
+ introspection_url: https://example-url.com
+ authorization_value: Basic MG9hNWlpbjpPcGVuU2VzYW1l
+ consumer_by: username
diff --git a/examples/oauth2/_3.8.x.yaml b/examples/oauth2/_3.8.x.yaml
new file mode 100644
index 00000000..d733d558
--- /dev/null
+++ b/examples/oauth2/_3.8.x.yaml
@@ -0,0 +1,9 @@
+name: oauth2
+config:
+ scopes:
+ - email
+ - phone
+ - address
+ mandatory_scope: true
+ provision_key:
+ enable_authorization_code: true
diff --git a/examples/opa/_3.8.x.yaml b/examples/opa/_3.8.x.yaml
new file mode 100644
index 00000000..51ff2b78
--- /dev/null
+++ b/examples/opa/_3.8.x.yaml
@@ -0,0 +1,5 @@
+name: opa
+config:
+ opa_host: localhost
+ opa_port: 8181
+ opa_path: /v1/data/example/kong/allowBoolean
diff --git a/examples/openid-connect/_3.8.x.yaml b/examples/openid-connect/_3.8.x.yaml
new file mode 100644
index 00000000..69f30114
--- /dev/null
+++ b/examples/openid-connect/_3.8.x.yaml
@@ -0,0 +1,12 @@
+name: openid-connect
+config:
+ auth_methods:
+ - authorization_code
+ - session
+ issuer: http://example.org
+ client_id:
+ -
+ client_secret:
+ -
+ session_secret:
+ response_mode: form_post
diff --git a/examples/opentelemetry/_3.8.x.yaml b/examples/opentelemetry/_3.8.x.yaml
new file mode 100644
index 00000000..efacb712
--- /dev/null
+++ b/examples/opentelemetry/_3.8.x.yaml
@@ -0,0 +1,5 @@
+name: opentelemetry
+config:
+ endpoint: http://opentelemetry.collector:4318/v1/traces
+ headers:
+ X-Auth-Token: secret-token
diff --git a/examples/post-function/_3.8.x.yaml b/examples/post-function/_3.8.x.yaml
new file mode 100644
index 00000000..f980a541
--- /dev/null
+++ b/examples/post-function/_3.8.x.yaml
@@ -0,0 +1,6 @@
+name: post-function
+config:
+ access:
+ - |
+ kong.log.err("foo")
+ kong.response.exit(418)
diff --git a/examples/pre-function/_3.8.x.yaml b/examples/pre-function/_3.8.x.yaml
new file mode 100644
index 00000000..62ffe4dd
--- /dev/null
+++ b/examples/pre-function/_3.8.x.yaml
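Review bot: `issuer: http://example.org` in the openid-connect example points the plugin at a plaintext issuer, and the issuer URL is presumably where discovery metadata and signing keys are fetched from, so anyone able to alter that response could choose the keys tokens are verified against. The sample should use `issuer: https://example.org`. The client and session secret values are empty in this view, so nothing is said about them here.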
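Review bot: The opentelemetry example sends `X-Auth-Token: secret-token` to `endpoint: http://opentelemetry.collector:4318/v1/traces`, so the collector token and the trace payloads travel unencrypted. An example that includes an authentication header should pair it with TLS, e.g. `endpoint: https://opentelemetry.collector:4318/v1/traces`, and use an obvious placeholder for the token, e.g. `X-Auth-Token: <COLLECTOR_TOKEN>`.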
@@ -0,0 +1,6 @@
+name: pre-function
+config:
+ access:
+ - |
+ kong.log.err("foo")
+ kong.response.exit(418)
diff --git a/examples/prometheus/_3.8.x.yaml b/examples/prometheus/_3.8.x.yaml
new file mode 100644
index 00000000..6b7b3b62
--- /dev/null
+++ b/examples/prometheus/_3.8.x.yaml
@@ -0,0 +1,4 @@
+name: prometheus
+config:
+ per_consumer: false
+
diff --git a/examples/proxy-cache-advanced/_3.8.x.yaml b/examples/proxy-cache-advanced/_3.8.x.yaml
new file mode 100644
index 00000000..d070db76
--- /dev/null
+++ b/examples/proxy-cache-advanced/_3.8.x.yaml
@@ -0,0 +1,11 @@
+name: proxy-cache-advanced
+config:
+ response_code:
+ - 200
+ request_method:
+ - GET
+ - HEAD
+ content_type:
+ - text/plain
+ - application/json
+ strategy: memory
diff --git a/examples/proxy-cache/_3.8.x.yaml b/examples/proxy-cache/_3.8.x.yaml
new file mode 100644
index 00000000..ce185e5e
--- /dev/null
+++ b/examples/proxy-cache/_3.8.x.yaml
@@ -0,0 +1,12 @@
+name: proxy-cache
+config:
+ response_code:
+ - 200
+ request_method:
+ - GET
+ - HEAD
+ content_type:
+ - text/plain
+ - application/json
+ cache_ttl: 300
+ strategy: memory
diff --git a/examples/rate-limiting-advanced/_3.8.x.yaml b/examples/rate-limiting-advanced/_3.8.x.yaml
new file mode 100644
index 00000000..7fee7c38
--- /dev/null
+++ b/examples/rate-limiting-advanced/_3.8.x.yaml
@@ -0,0 +1,11 @@
+name: rate-limiting-advanced
+config:
+ limit:
+ - 5
+ window_size:
+ - 30
+ identifier: consumer
+ sync_rate: -1
+ namespace: example_namespace
+ strategy: local
+ hide_client_headers: false
diff --git a/examples/rate-limiting/_3.8.x.yaml b/examples/rate-limiting/_3.8.x.yaml
new file mode 100644
index 00000000..f43f89fd
--- /dev/null
+++ b/examples/rate-limiting/_3.8.x.yaml
@@ -0,0 +1,5 @@
+name: rate-limiting
+config:
+ second: 5
+ hour: 10000
+ policy: local
diff --git a/examples/request-size-limiting/_3.8.x.yaml b/examples/request-size-limiting/_3.8.x.yaml
new file mode 100644
index 00000000..983d6d9e
--- /dev/null
+++ b/examples/request-size-limiting/_3.8.x.yaml
@@ -0,0 +1,4 @@
+name: request-size-limiting
+config:
+ allowed_payload_size: 128
+ require_content_length: false
diff --git a/examples/request-termination/_3.8.x.yaml b/examples/request-termination/_3.8.x.yaml
new file mode 100644
index 00000000..7be67818
--- /dev/null
+++ b/examples/request-termination/_3.8.x.yaml
@@ -0,0 +1,4 @@
+name: request-termination
+config:
+ status_code: 403
+ message: So long and thanks for all the fish!
diff --git a/examples/request-transformer-advanced/_3.8.x.yaml b/examples/request-transformer-advanced/_3.8.x.yaml
new file mode 100644
index 00000000..999898e7
--- /dev/null
+++ b/examples/request-transformer-advanced/_3.8.x.yaml
@@ -0,0 +1,43 @@
+name: request-transformer-advanced
+config:
+ remove:
+ headers:
+ - x-toremove
+ - x-another-one
+ remove:
+ querystring:
+ - qs-old-name:qs-new-name
+ - qs2-old-name:qs2-new-name
+ remove:
+ body:
+ - formparam-toremove
+ - formparam-another-one
+ replace:
+ body:
+ - body-param1:new-value-1
+ - body-param2:new-value-2
+ rename:
+ headers:
+ - header-old-name:header-new-name
+ - another-old-name:another-new-name
+ rename:
+ querystring:
+ - qs-old-name:qs-new-name
+ - qs2-old-name:qs2-new-name
+ rename:
+ body:
+ - param-old:param-new
+ - param2-old:param2-new
+ add:
+ headers:
+ - x-new-header:value
+ - x-another-header:something
+ add:
+ querystring:
+ - new-param:some_value
+ - another-param:some_value
+ add:
+ json_types:
+ - string
+ - boolean
+ - number
diff --git a/examples/request-transformer/_3.8.x.yaml b/examples/request-transformer/_3.8.x.yaml
new file mode 100644
index 00000000..d9e0a346
--- /dev/null
+++ b/examples/request-transformer/_3.8.x.yaml
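Review bot: The request-transformer-advanced example repeats the `remove:`, `rename:` and `add:` keys several times under `config` (indentation is lost in this view, so the nesting is inferred from the key order). Duplicate mapping keys are rejected by strict YAML parsers and collapse to the last occurrence in lenient ones, so a header-stripping rule such as `remove.headers` can be dropped without any error. Each parent key should appear once with `headers`, `querystring` and `body` nested beneath it, as the request-transformer example in the next file does. The same repetition shows up later in the response-ratelimiting (`limits:`) and response-transformer-advanced (`remove:`, `add:`) examples. The `remove.querystring` entries `qs-old-name:qs-new-name` also look copied from the `rename` block, since a removal takes a name only.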
@@ -0,0 +1,36 @@
+name: request-transformer
+config:
+ remove:
+ headers:
+ - x-toremove
+ - x-another-one
+ querystring:
+ - qs-old-name:qs-new-name
+ - qs2-old-name:qs2-new-name
+ body:
+ - formparam-toremove
+ - formparam-another-one
+ replace:
+ body:
+ - body-param1:new-value-1
+ - body-param2:new-value-2
+ rename:
+ headers:
+ - header-old-name:header-new-name
+ - another-old-name:another-new-name
+ querystring:
+ - qs-old-name:qs-new-name
+ - qs2-old-name:qs2-new-name
+ body:
+ - param-old:param-new
+ - param2-old:param2-new
+ add:
+ headers:
+ - x-new-header:value
+ - x-another-header:something
+ querystring:
+ - new-param:some_value
+ - another-param:some_value
+ body:
+ - new-form-param:some_value
+ - another-form-param:some_value
diff --git a/examples/request-validator/_3.8.x.yaml b/examples/request-validator/_3.8.x.yaml
new file mode 100644
index 00000000..89251acf
--- /dev/null
+++ b/examples/request-validator/_3.8.x.yaml
@@ -0,0 +1,3 @@
+name: request-validator
+config:
+ body_schema: '[{"name":{"type": "string", "required": true}}]'
diff --git a/examples/response-ratelimiting/_3.8.x.yaml b/examples/response-ratelimiting/_3.8.x.yaml
new file mode 100644
index 00000000..a3860b2a
--- /dev/null
+++ b/examples/response-ratelimiting/_3.8.x.yaml
@@ -0,0 +1,8 @@
+name: response-ratelimiting
+config:
+ limits:
+ limit_name:
+ limits:
+ limit_name:
+ minute: 10
+ policy: local
diff --git a/examples/response-transformer-advanced/_3.8.x.yaml b/examples/response-transformer-advanced/_3.8.x.yaml
new file mode 100644
index 00000000..4942c5c5
--- /dev/null
+++ b/examples/response-transformer-advanced/_3.8.x.yaml
@@ -0,0 +1,31 @@
+name: response-transformer-advanced
+config:
+ remove:
+ headers:
+ - x-toremove
+ - x-another-one:application/json
+ - x-list-of-values:v1,v2,v3
+ - Set-Cookie:/JSESSIONID=.*/
+ - x-another-regex://status/$/
+ - x-one-more-regex:/^/begin//
+ remove:
+ json:
+ - json-key-toremove
+ - another-json-key
+ add:
+ headers:
+ - x-new-header:value
+ - x-another-header:something
+ add:
+ json:
+ - new-json-key:some_value
+ - another-json-key:some_value
+ add:
+ json_types:
+ - string
+ - boolean
+ - number
+ append:
+ headers:
+ - x-existing-header:some_value
+ - x-another-header:some_value
diff --git a/examples/response-transformer/_3.8.x.yaml b/examples/response-transformer/_3.8.x.yaml
new file mode 100644
index 00000000..aab7075a
--- /dev/null
+++ b/examples/response-transformer/_3.8.x.yaml
@@ -0,0 +1,24 @@
+name: response-transformer
+config:
+ remove:
+ headers:
+ - x-toremove
+ - x-another-one
+ json:
+ - json-key-toremove
+ - another-json-key
+ add:
+ headers:
+ - x-new-header:value
+ - x-another-header:something
+ json:
+ - new-json-key:some_value
+ - another-json-key:some_value
+ json_types:
+ - string
+ - boolean
+ - number
+ append:
+ headers:
+ - x-existing-header:some_value
+ - x-another-header:some_value
diff --git a/examples/route-by-header/_3.8.x.yaml b/examples/route-by-header/_3.8.x.yaml
new file mode 100644
index 00000000..e2854428
--- /dev/null
+++ b/examples/route-by-header/_3.8.x.yaml
@@ -0,0 +1,8 @@
+name: route-by-header
+config:
+ rules:
+ -
+ upstream_name: bar.domain.com
+ condition:
+ location: us-east
+
diff --git a/examples/route-transformer-advanced/_3.8.x.yaml b/examples/route-transformer-advanced/_3.8.x.yaml
new file mode 100644
index 00000000..098f0994
--- /dev/null
+++ b/examples/route-transformer-advanced/_3.8.x.yaml
@@ -0,0 +1,3 @@
+name: route-transformer-advanced
+config:
+ path: /path
diff --git a/examples/saml/_3.8.x.yaml b/examples/saml/_3.8.x.yaml
new file mode 100644
index 00000000..18b41c3f
--- /dev/null
+++ b/examples/saml/_3.8.x.yaml
@@ -0,0 +1,12 @@
+name: saml
+config:
+ anonymous: anonymous
+ assertion_consumer_path: /acs-uri
+ idp_sso_url: http://example.org/sso-uri
+ validate_assertion_signature: true
+ session_secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ issuer: AzureAD_Identity_ID
+ idp_certificate: |
+ -----BEGIN CERTIFICATE-----
+
+ -----END CERTIFICATE-----
diff --git a/examples/session/_3.8.x.yaml b/examples/session/_3.8.x.yaml
new file mode 100644
index 00000000..1c5100d2
--- /dev/null
+++ b/examples/session/_3.8.x.yaml
@@ -0,0 +1,3 @@
+name: session
+config:
+ secret: opensesame
diff --git a/examples/statsd-advanced/_3.8.x.yaml b/examples/statsd-advanced/_3.8.x.yaml
new file mode 100644
index 00000000..cfd68de0
--- /dev/null
+++ b/examples/statsd-advanced/_3.8.x.yaml
@@ -0,0 +1,7 @@
+name: statsd-advanced
+config:
+ host: 127.0.0.1
+ port: 8125
+ allow_status_codes:
+ - 200-205
+ - 400-499
diff --git a/examples/statsd/_3.8.x.yaml b/examples/statsd/_3.8.x.yaml
new file mode 100644
index 00000000..796222aa
--- /dev/null
+++ b/examples/statsd/_3.8.x.yaml
@@ -0,0 +1,9 @@
+name: statsd
+config:
+ host: 127.0.0.1
+ port: 8125
+ allow_status_codes:
+ - 200-205
+ - 400-499
+ flush_timeout: 2
+ retry_count: 10
diff --git a/examples/syslog/_3.8.x.yaml b/examples/syslog/_3.8.x.yaml
new file mode 100644
index 00000000..9cc23ca1
--- /dev/null
+++ b/examples/syslog/_3.8.x.yaml
@@ -0,0 +1,3 @@
+name: syslog
+config:
+ log_level: info
diff --git a/examples/tcp-log/_3.8.x.yaml b/examples/tcp-log/_3.8.x.yaml
new file mode 100644
index 00000000..4e155f5a
--- /dev/null
+++ b/examples/tcp-log/_3.8.x.yaml
@@ -0,0 +1,4 @@
+name: tcp-log
+config:
+ host: 127.0.0.1
+ port: 9999
diff --git a/examples/tls-handshake-modifier/_3.8.x.yaml b/examples/tls-handshake-modifier/_3.8.x.yaml
new file mode 100644
index 00000000..52561153
--- /dev/null
+++ b/examples/tls-handshake-modifier/_3.8.x.yaml
@@ -0,0 +1 @@
+name: tls-handshake-modifier
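Review bot: `secret: opensesame` in the session example is a short dictionary phrase used as the value that protects session cookies, and a working-looking value in a sample tends to survive into deployments. The saml example just above already uses an unmistakable placeholder for `session_secret`; the session example should do the same, e.g. `secret: <RANDOM_SESSION_SECRET>`, with a one-line comment that the value must be long and randomly generated.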
diff --git a/examples/tls-metadata-headers/_3.8.x.yaml b/examples/tls-metadata-headers/_3.8.x.yaml
new file mode 100644
index 00000000..98df21ec
--- /dev/null
+++ b/examples/tls-metadata-headers/_3.8.x.yaml
@@ -0,0 +1,4 @@
+name: tls-metadata-headers
+config:
+ inject_client_cert_details: true
+ client_cert_header_name: X-Forwarded-Client-Cert
diff --git a/examples/udp-log/_3.8.x.yaml b/examples/udp-log/_3.8.x.yaml
new file mode 100644
index 00000000..bfd35c0a
--- /dev/null
+++ b/examples/udp-log/_3.8.x.yaml
@@ -0,0 +1,5 @@
+name: udp-log
+config:
+ host: 127.0.0.1
+ port: 9999
+ timeout: 10000
diff --git a/examples/upstream-timeout/_3.8.x.yaml b/examples/upstream-timeout/_3.8.x.yaml
new file mode 100644
index 00000000..962a6cdf
--- /dev/null
+++ b/examples/upstream-timeout/_3.8.x.yaml
@@ -0,0 +1,5 @@
+name: upstream-timeout
+config:
+ connect_timeout: 4000
+ send_timeout: 5000
+ read_timeout: 5000
diff --git a/examples/vault-auth/_3.8.x.yaml b/examples/vault-auth/_3.8.x.yaml
new file mode 100644
index 00000000..8a2e5285
--- /dev/null
+++ b/examples/vault-auth/_3.8.x.yaml
@@ -0,0 +1,4 @@
+name: vault-auth
+config:
+ vault:
+ id: 00000000-0000-0000-0000-000000000000
diff --git a/examples/websocket-size-limit/_3.8.x.yaml b/examples/websocket-size-limit/_3.8.x.yaml
new file mode 100644
index 00000000..7274d312
--- /dev/null
+++ b/examples/websocket-size-limit/_3.8.x.yaml
@@ -0,0 +1,4 @@
+name: websocket-size-limit
+config:
+ client_max_payload: 1024
+ upstream_max_payload: 16384
diff --git a/examples/websocket-validator/_3.8.x.yaml b/examples/websocket-validator/_3.8.x.yaml
new file mode 100644
index 00000000..12fe18ac
--- /dev/null
+++ b/examples/websocket-validator/_3.8.x.yaml
@@ -0,0 +1,14 @@
+name: websocket-validator
+config:
+ client:
+ text:
+ type: draft4
+ schema: |
+ {
+ "type": "object",
+ "properties": {
+ "foo": { "type": "string" },
+ "bar": { "type": "string" }
+ },
+ "required": [ "foo", "bar" ]
+ }
diff --git a/examples/xml-threat-protection/_3.8.x.yaml b/examples/xml-threat-protection/_3.8.x.yaml
new file mode 100644
index 00000000..a25f15fc
--- /dev/null
+++ b/examples/xml-threat-protection/_3.8.x.yaml
@@ -0,0 +1,6 @@
+name: xml-threat-protection
+config:
+ max_depth: 50
+ localname: 512
+ prefix: 512
+ namespaceuri: 1024
diff --git a/examples/zipkin/_3.8.x.yaml b/examples/zipkin/_3.8.x.yaml
new file mode 100644
index 00000000..62ab05c8
--- /dev/null
+++ b/examples/zipkin/_3.8.x.yaml
@@ -0,0 +1,5 @@
+name: zipkin
+config:
+ http_endpoint: http://your.zipkin.collector:9411/api/v2/spans
+ sample_ratio: 0.001
+ include_credential: true
From af5379ede00b1f29866f81b9c0d05292b064232f Mon Sep 17 00:00:00 2001
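Review bot: The zipkin example enables `include_credential: true` while reporting to `http_endpoint: http://your.zipkin.collector:9411/api/v2/spans`, so, as I read that option, the authenticated consumer's credential identifier is attached to spans and shipped to the collector over plaintext HTTP. For a sample that will be copied, `include_credential: false` is the safer value to show. If the option stays on, the endpoint should at least be an `https://` URL, and a short comment should say that the tracing backend then stores credential identifiers.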
From: Fabian Rodriguez Date: Mon, 3 Jun 2024 16:30:54 +0200 Subject: [PATCH 051/165] Create 3.8.x schemas from 3.7.x --- schemas/acl/3.8.x.json | 97 + schemas/acme/3.8.x.json | 607 ++++ schemas/ai-azure-content-safety/3.8.x.json | 176 ++ schemas/ai-prompt-decorator/3.8.x.json | 118 + schemas/ai-prompt-guard/3.8.x.json | 80 + schemas/ai-prompt-template/3.8.x.json | 88 + schemas/ai-proxy/3.8.x.json | 490 +++ schemas/ai-rate-limiting-advanced/3.8.x.json | 463 +++ schemas/ai-request-transformer/3.8.x.json | 578 ++++ schemas/ai-response-transformer/3.8.x.json | 586 ++++ schemas/app-dynamics/3.8.x.json | 46 + schemas/application-registration/3.8.x.json | 108 + schemas/aws-lambda/3.8.x.json | 255 ++ schemas/azure-functions/3.8.x.json | 125 + schemas/basic-auth/3.8.x.json | 78 + schemas/bot-detection/3.8.x.json | 79 + schemas/canary/3.8.x.json | 190 ++ schemas/correlation-id/3.8.x.json | 72 + schemas/cors/3.8.x.json | 143 + schemas/datadog-tracing/3.8.x.json | 103 + schemas/datadog/3.8.x.json | 350 +++ schemas/degraphql/3.8.x.json | 68 + schemas/exit-transformer/3.8.x.json | 68 + schemas/file-log/3.8.x.json | 83 + schemas/forward-proxy/3.8.x.json | 171 ++ .../graphql-proxy-cache-advanced/3.8.x.json | 338 +++ .../graphql-rate-limiting-advanced/3.8.x.json | 405 +++ schemas/grpc-gateway/3.8.x.json | 59 + schemas/grpc-web/3.8.x.json | 74 + schemas/hmac-auth/3.8.x.json | 125 + schemas/http-log/3.8.x.json | 249 ++ schemas/ip-restriction/3.8.x.json | 85 + schemas/jq/3.8.x.json | 197 ++ schemas/jwe-decrypt/3.8.x.json | 86 + schemas/jwt-signer/3.8.x.json | 997 +++++++ schemas/jwt/3.8.x.json | 153 + schemas/kafka-log/3.8.x.json | 280 ++ schemas/kafka-upstream/3.8.x.json | 302 ++ schemas/key-auth-enc/3.8.x.json | 111 + schemas/key-auth/3.8.x.json | 123 + schemas/konnect-application-auth/3.8.x.json | 2624 ++++++++++++++++ schemas/ldap-auth-advanced/3.8.x.json | 236 ++ schemas/ldap-auth/3.8.x.json | 171 ++ schemas/loggly/3.8.x.json | 173 ++ schemas/mocking/3.8.x.json | 131 + 
schemas/mtls-auth/3.8.x.json | 210 ++ schemas/oas-validation/3.8.x.json | 170 ++ schemas/oauth2-introspection/3.8.x.json | 167 ++ schemas/oauth2/3.8.x.json | 214 ++ schemas/opa/3.8.x.json | 147 + schemas/openid-connect/3.8.x.json | 2652 +++++++++++++++++ schemas/opentelemetry/3.8.x.json | 329 ++ schemas/post-function/3.8.x.json | 228 ++ schemas/pre-function/3.8.x.json | 228 ++ schemas/prometheus/3.8.x.json | 87 + schemas/proxy-cache-advanced/3.8.x.json | 448 +++ schemas/proxy-cache/3.8.x.json | 205 ++ schemas/rate-limiting-advanced/3.8.x.json | 438 +++ schemas/rate-limiting/3.8.x.json | 438 +++ schemas/request-size-limiting/3.8.x.json | 73 + schemas/request-termination/3.8.x.json | 81 + .../request-transformer-advanced/3.8.x.json | 337 +++ schemas/request-transformer/3.8.x.json | 280 ++ schemas/request-validator/3.8.x.json | 181 ++ schemas/response-ratelimiting/3.8.x.json | 403 +++ .../response-transformer-advanced/3.8.x.json | 350 +++ schemas/response-transformer/3.8.x.json | 246 ++ schemas/route-by-header/3.8.x.json | 78 + schemas/route-transformer-advanced/3.8.x.json | 75 + schemas/saml/3.8.x.json | 706 +++++ schemas/session/3.8.x.json | 302 ++ schemas/statsd-advanced/3.8.x.json | 448 +++ schemas/statsd/3.8.x.json | 443 +++ schemas/syslog/3.8.x.json | 164 + schemas/tcp-log/3.8.x.json | 112 + schemas/tls-handshake-modifier/3.8.x.json | 60 + schemas/tls-metadata-headers/3.8.x.json | 96 + schemas/udp-log/3.8.x.json | 91 + schemas/upstream-timeout/3.8.x.json | 75 + schemas/vault-auth/3.8.x.json | 112 + schemas/websocket-size-limit/3.8.x.json | 68 + schemas/websocket-validator/3.8.x.json | 220 ++ schemas/xml-threat-protection/3.8.x.json | 300 ++ schemas/zipkin/3.8.x.json | 410 +++ 84 files changed, 23813 insertions(+) create mode 100644 schemas/acl/3.8.x.json create mode 100644 schemas/acme/3.8.x.json create mode 100644 schemas/ai-azure-content-safety/3.8.x.json create mode 100644 schemas/ai-prompt-decorator/3.8.x.json create mode 100644 
schemas/ai-prompt-guard/3.8.x.json create mode 100644 schemas/ai-prompt-template/3.8.x.json create mode 100644 schemas/ai-proxy/3.8.x.json create mode 100644 schemas/ai-rate-limiting-advanced/3.8.x.json create mode 100644 schemas/ai-request-transformer/3.8.x.json create mode 100644 schemas/ai-response-transformer/3.8.x.json create mode 100644 schemas/app-dynamics/3.8.x.json create mode 100644 schemas/application-registration/3.8.x.json create mode 100644 schemas/aws-lambda/3.8.x.json create mode 100644 schemas/azure-functions/3.8.x.json create mode 100644 schemas/basic-auth/3.8.x.json create mode 100644 schemas/bot-detection/3.8.x.json create mode 100644 schemas/canary/3.8.x.json create mode 100644 schemas/correlation-id/3.8.x.json create mode 100644 schemas/cors/3.8.x.json create mode 100644 schemas/datadog-tracing/3.8.x.json create mode 100644 schemas/datadog/3.8.x.json create mode 100644 schemas/degraphql/3.8.x.json create mode 100644 schemas/exit-transformer/3.8.x.json create mode 100644 schemas/file-log/3.8.x.json create mode 100644 schemas/forward-proxy/3.8.x.json create mode 100644 schemas/graphql-proxy-cache-advanced/3.8.x.json create mode 100644 schemas/graphql-rate-limiting-advanced/3.8.x.json create mode 100644 schemas/grpc-gateway/3.8.x.json create mode 100644 schemas/grpc-web/3.8.x.json create mode 100644 schemas/hmac-auth/3.8.x.json create mode 100644 schemas/http-log/3.8.x.json create mode 100644 schemas/ip-restriction/3.8.x.json create mode 100644 schemas/jq/3.8.x.json create mode 100644 schemas/jwe-decrypt/3.8.x.json create mode 100644 schemas/jwt-signer/3.8.x.json create mode 100644 schemas/jwt/3.8.x.json create mode 100644 schemas/kafka-log/3.8.x.json create mode 100644 schemas/kafka-upstream/3.8.x.json create mode 100644 schemas/key-auth-enc/3.8.x.json create mode 100644 schemas/key-auth/3.8.x.json create mode 100644 schemas/konnect-application-auth/3.8.x.json create mode 100644 schemas/ldap-auth-advanced/3.8.x.json create mode 100644 
schemas/ldap-auth/3.8.x.json create mode 100644 schemas/loggly/3.8.x.json create mode 100644 schemas/mocking/3.8.x.json create mode 100644 schemas/mtls-auth/3.8.x.json create mode 100644 schemas/oas-validation/3.8.x.json create mode 100644 schemas/oauth2-introspection/3.8.x.json create mode 100644 schemas/oauth2/3.8.x.json create mode 100644 schemas/opa/3.8.x.json create mode 100644 schemas/openid-connect/3.8.x.json create mode 100644 schemas/opentelemetry/3.8.x.json create mode 100644 schemas/post-function/3.8.x.json create mode 100644 schemas/pre-function/3.8.x.json create mode 100644 schemas/prometheus/3.8.x.json create mode 100644 schemas/proxy-cache-advanced/3.8.x.json create mode 100644 schemas/proxy-cache/3.8.x.json create mode 100644 schemas/rate-limiting-advanced/3.8.x.json create mode 100644 schemas/rate-limiting/3.8.x.json create mode 100644 schemas/request-size-limiting/3.8.x.json create mode 100644 schemas/request-termination/3.8.x.json create mode 100644 schemas/request-transformer-advanced/3.8.x.json create mode 100644 schemas/request-transformer/3.8.x.json create mode 100644 schemas/request-validator/3.8.x.json create mode 100644 schemas/response-ratelimiting/3.8.x.json create mode 100644 schemas/response-transformer-advanced/3.8.x.json create mode 100644 schemas/response-transformer/3.8.x.json create mode 100644 schemas/route-by-header/3.8.x.json create mode 100644 schemas/route-transformer-advanced/3.8.x.json create mode 100644 schemas/saml/3.8.x.json create mode 100644 schemas/session/3.8.x.json create mode 100644 schemas/statsd-advanced/3.8.x.json create mode 100644 schemas/statsd/3.8.x.json create mode 100644 schemas/syslog/3.8.x.json create mode 100644 schemas/tcp-log/3.8.x.json create mode 100644 schemas/tls-handshake-modifier/3.8.x.json create mode 100644 schemas/tls-metadata-headers/3.8.x.json create mode 100644 schemas/udp-log/3.8.x.json create mode 100644 schemas/upstream-timeout/3.8.x.json create mode 100644 schemas/vault-auth/3.8.x.json 
create mode 100644 schemas/websocket-size-limit/3.8.x.json create mode 100644 schemas/websocket-validator/3.8.x.json create mode 100644 schemas/xml-threat-protection/3.8.x.json create mode 100644 schemas/zipkin/3.8.x.json diff --git a/schemas/acl/3.8.x.json b/schemas/acl/3.8.x.json new file mode 100644 index 00000000..3209ec69 --- /dev/null +++ b/schemas/acl/3.8.x.json 
@@ -0,0 +1,97 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "allow": { + "elements": { + "type": "string" + }, + "type": "array", + "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified." + } + }, + { + "deny": { + "elements": { + "type": "string" + }, + "type": "array", + "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified." + } + }, + { + "hide_groups_header": { + "required": true, + "type": "boolean", + "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", + "default": false + } + }, + { + "include_consumer_groups": { + "required": false, + "type": "boolean", + "default": false + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "only_one_of": [ + "config.allow", + "config.deny" + ] + }, + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/acme/3.8.x.json b/schemas/acme/3.8.x.json new file mode 100644 index 00000000..360878bc --- /dev/null +++ b/schemas/acme/3.8.x.json 
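Review bot: `include_consumer_groups` in `schemas/acl/3.8.x.json` is the only field under `config` without a `description`. It is a toggle on an access-control plugin, so the schema alone does not tell a reader how it changes what `config.allow` and `config.deny` match. A one-line description should say whether consumer-group names are evaluated against those two lists when the value is `true`; that reading is inferred from the field name and needs confirming against the plugin. If these files are generated from the gateway's own schema, the text has to be added there and re-pulled.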
@@ -0,0 +1,607 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "service": { + "reference": "services", + "type": "foreign", + "description": "A reference to the 'services' table with a null value allowed.", + "eq": null + } + }, + { + "route": { + "reference": "routes", + "type": "foreign", + "description": "A reference to the 'routes' table with a null value allowed.", + "eq": null + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "account_email": { + "encrypted": true, + "referenceable": true, + "required": true, + "type": "string", + "description": "The account identifier. Can be reused in a different plugin instance.", + "match": "%w*%p*@+%w*%.?%w*" + } + }, + { + "account_key": { + "required": false, + "description": "The private key associated with the account.", + "type": "record", + "fields": [ + { + "key_id": { + "required": true, + "type": "string", + "description": "The Key ID." + } + }, + { + "key_set": { + "type": "string", + "description": "The ID of the key set to associate the Key ID with." 
+ } + } + ] + } + }, + { + "api_uri": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "default": "https://acme-v02.api.letsencrypt.org/directory" + } + }, + { + "tos_accepted": { + "type": "boolean", + "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", + "default": false + } + }, + { + "eab_kid": { + "type": "string", + "encrypted": true, + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", + "referenceable": true + } + }, + { + "eab_hmac_key": { + "type": "string", + "encrypted": true, + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", + "referenceable": true + } + }, + { + "cert_type": { + "default": "rsa", + "type": "string", + "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate.", + "one_of": [ + "rsa", + "ecc" + ] + } + }, + { + "rsa_key_size": { + "default": 4096, + "type": "number", + "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", + "one_of": [ + 2048, + 3072, + 4096 + ] + } + }, + { + "renew_threshold_days": { + "type": "number", + "description": "Days remaining to renew the certificate before it expires.", + "default": 14 + } + }, + { + "domains": { + "elements": { + "match_any": { + "patterns": [ + "^%*%.", + "%.%*$", + "^[^*]*$" + ], + "err": "invalid wildcard: must be placed at leftmost or rightmost label" + }, + "type": "string", + "match_all": [ + { + "pattern": "^[^*]*%*?[^*]*$", + "err": "invalid wildcard: must have at most one wildcard" + } + ] + }, + "type": "array", + "description": "An array of strings representing hosts. 
A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')" + } + }, + { + "allow_any_domain": { + "type": "boolean", + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", + "default": false + } + }, + { + "fail_backoff_minutes": { + "type": "number", + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", + "default": 5 + } + }, + { + "storage": { + "default": "shm", + "type": "string", + "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well.", + "one_of": [ + "kong", + "shm", + "redis", + "consul", + "vault" + ] + } + }, + { + "storage_config": { + "fields": [ + { + "shm": { + "fields": [ + { + "shm_name": { + "type": "string", + "description": "Name of shared memory zone used for Kong API gateway storage", + "default": "kong" + } + } + ], + "type": "record", + "required": true + } + }, + { + "kong": { + "fields": [ + + ], + "type": "record", + "required": true + } + }, + { + "redis": { + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "username": { + "type": "string", + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + } + }, + { + "password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "len_min": 0 + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer", + "default": 0 + } + }, + { + "ssl": { + "required": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "required": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + } + }, + { + "extra_options": { + "fields": [ + { + "namespace": { + "description": "A namespace to prepend to all keys stored in Redis.", + "required": true, + "type": "string", + "len_min": 0, + "default": "" + } + }, + { + "scan_count": { + "required": false, + "type": "number", + "description": "The number of keys to return in Redis SCAN calls.", + "default": 10 + } + } + ], + "description": "Custom ACME Redis options", + "type": "record", + "required": true + } + } + ], + "shorthand_fields": [ + { + "auth": { + "len_min": 0, + "deprecation": { + "removal_in_version": "4.0", + "message": "acme: config.storage_config.redis.auth is deprecated, please use config.storage_config.redis.password instead" + }, + "type": "string", + "translate_backwards": [ + "password" + ] + } + }, + { + "ssl_server_name": { + "deprecation": { + "removal_in_version": "4.0", + "message": "acme: config.storage_config.redis.ssl_server_name is deprecated, please use config.storage_config.redis.server_name instead" + }, + "type": "string", + "translate_backwards": [ + "server_name" + ] + } + }, + { + "namespace": { + "len_min": 0, + "deprecation": { + "removal_in_version": "4.0", + "message": "acme: config.storage_config.redis.namespace is deprecated, please use config.storage_config.redis.extra_options.namespace instead" + }, + "type": "string", + "translate_backwards": [ + "extra_options", + "namespace" + ] + } + }, + { + "scan_count": { + "deprecation": { + "removal_in_version": "4.0", + "message": "acme: config.storage_config.redis.scan_count is deprecated, please use config.storage_config.redis.extra_options.scan_count instead" + }, + "type": "integer", + "translate_backwards": [ + "extra_options", + "scan_count" + ] + 
} + } + ], + "type": "record", + "required": true + } + }, + { + "consul": { + "fields": [ + { + "https": { + "type": "boolean", + "description": "Boolean representation of https.", + "default": false + } + }, + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "kv_path": { + "type": "string", + "description": "KV prefix path." + } + }, + { + "timeout": { + "type": "number", + "description": "Timeout in milliseconds." + } + }, + { + "token": { + "type": "string", + "referenceable": true, + "description": "Consul ACL token." + } + } + ], + "type": "record", + "required": true + } + }, + { + "vault": { + "fields": [ + { + "https": { + "type": "boolean", + "description": "Boolean representation of https.", + "default": false + } + }, + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "kv_path": { + "type": "string", + "description": "KV prefix path." + } + }, + { + "timeout": { + "type": "number", + "description": "Timeout in milliseconds." + } + }, + { + "token": { + "type": "string", + "referenceable": true, + "description": "Consul ACL token." + } + }, + { + "tls_verify": { + "type": "boolean", + "description": "Turn on TLS verification.", + "default": true + } + }, + { + "tls_server_name": { + "type": "string", + "description": "SNI used in request, default to host if omitted." 
+ } + }, + { + "auth_method": { + "default": "token", + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", + "type": "string", + "one_of": [ + "token", + "kubernetes" + ] + } + }, + { + "auth_path": { + "type": "string", + "description": "Vault's authentication path to use." + } + }, + { + "auth_role": { + "type": "string", + "description": "The role to try and assign." + } + }, + { + "jwt_path": { + "type": "string", + "description": "The path to the JWT." + } + } + ], + "type": "record", + "required": true + } + } + ], + "type": "record", + "required": true + } + }, + { + "preferred_chain": { + "type": "string", + "description": "A string value that specifies the preferred certificate chain to use when generating certificates." + } + }, + { + "enable_ipv4_common_name": { + "type": "boolean", + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", + "default": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "config.api_uri", + "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", + "if_match": { + "one_of": [ + "https://acme-v02.api.letsencrypt.org", + "https://acme-staging-v02.api.letsencrypt.org" + ] + }, + "then_field": "config.tos_accepted", + "then_match": { + "eq": true + } + } + }, + { + "conditional": { + "if_field": "config.storage", + "if_match": { + "eq": "redis" + }, + "then_field": "config.storage_config.redis.host", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.storage", + "if_match": { + "eq": "redis" + }, + "then_field": "config.storage_config.redis.port", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.storage" + ] + } + } + ] +} \ No newline at end of file 
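Review bot: The `token` fields under `storage_config.consul` and `storage_config.vault` in `schemas/acme/3.8.x.json` carry `"referenceable": true` but not `"encrypted": true`, whereas `storage_config.redis.password`, `eab_kid` and `eab_hmac_key` in the same file carry both. If `encrypted` is what marks a field for encryption at rest, as its use on the other secrets suggests, these two storage tokens are left out; adding `"encrypted": true` to both would make the credentials consistent. The vault `token` description also reads `"Consul ACL token."`, which looks copied from the consul block. Something like `"Vault token, used when auth_method is 'token'."` would match the `auth_method` values listed below it.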
diff --git a/schemas/ai-azure-content-safety/3.8.x.json b/schemas/ai-azure-content-safety/3.8.x.json new file mode 100644 index 00000000..db4bc3fc --- /dev/null +++ b/schemas/ai-azure-content-safety/3.8.x.json 
@@ -0,0 +1,176 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "content_safety_url": { + "required": true, + "type": "string", + "referenceable": true, + "description": "Full URL, inc protocol, of the Azure Content Safety instance." + } + }, + { + "azure_api_version": { + "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format.", + "required": true, + "type": "string", + "len_min": 1, + "default": "2023-10-01" + } + }, + { + "azure_use_managed_identity": { + "type": "boolean", + "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity", + "default": false + } + }, + { + "azure_client_id": { + "required": false, + "type": "string", + "description": "If `azure_use_managed_identity` is true, set the client ID if required." + } + }, + { + "azure_client_secret": { + "required": false, + "type": "string", + "description": "If `azure_use_managed_identity` is true, set the client secret if required." + } + }, + { + "azure_tenant_id": { + "required": false, + "type": "string", + "description": "If `azure_use_managed_identity` is true, set the tenant ID if required." 
+ } + }, + { + "content_safety_key": { + "encrypted": true, + "referenceable": true, + "required": false, + "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.", + "type": "string" + } + }, + { + "text_source": { + "default": "concatenate_all_content", + "type": "string", + "description": "Select where to pick the 'text' for the Azure Content Services request.", + "one_of": [ + "concatenate_all_content", + "concatenate_user_content" + ] + } + }, + { + "categories": { + "elements": { + "required": true, + "type": "record", + "fields": [ + { + "name": { + "required": true, + "type": "string" + } + }, + { + "rejection_level": { + "required": true, + "type": "integer" + } + } + ] + }, + "type": "array", + "description": "Array of categories, and their thresholds, to measure on." + } + }, + { + "reveal_failure_reason": { + "type": "boolean", + "description": "Set true to tell the caller why their request was rejected, if so.", + "default": true + } + }, + { + "output_type": { + "default": "FourSeverityLevels", + "type": "string", + "description": "See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter#content-filtering-categories", + "one_of": [ + "FourSeverityLevels", + "EightSeverityLevels" + ] + } + }, + { + "blocklist_names": { + "elements": { + "type": "string" + }, + "type": "array", + "description": "Use these configured blocklists (in Azure Content Services) when inspecting content." + } + }, + { + "halt_on_blocklist_hit": { + "type": "boolean", + "description": "Tells Azure to reject the request if any blocklist filter is hit.", + "default": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/ai-prompt-decorator/3.8.x.json b/schemas/ai-prompt-decorator/3.8.x.json new file mode 100644 index 00000000..1ee146d7 --- /dev/null +++ b/schemas/ai-prompt-decorator/3.8.x.json 
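Review bot: `azure_client_secret` in `schemas/ai-azure-content-safety/3.8.x.json` has neither `"encrypted": true` nor `"referenceable": true`, although `content_safety_key` in the same record has both and the `azure_client_secret` in `schemas/ai-proxy/3.8.x.json` is marked with both as well. Assuming `referenceable` is what permits a vault reference, the secret here can only be supplied as a literal value and is not flagged like the other credentials; add `"encrypted": true, "referenceable": true` to it. Separately, the `content_safety_key` description says to set the API key when `azure_use_managed_identity` is true, which reads inverted for a static key. Probably `false` is meant, but this needs confirming against the plugin.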
@@ -0,0 +1,118 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "prompts": { + "required": false, + "type": "record", + "fields": [ + { + "prepend": { + "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages.", + "required": false, + "elements": { + "required": false, + "type": "record", + "fields": [ + { + "role": { + "required": true, + "default": "system", + "type": "string", + "one_of": [ + "system", + "assistant", + "user" + ] + } + }, + { + "content": { + "required": true, + "len_min": 1, + "type": "string", + "len_max": 500 + } + } + ] + }, + "type": "array", + "len_max": 15 + } + }, + { + "append": { + "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages.", + "required": false, + "elements": { + "required": false, + "type": "record", + "fields": [ + { + "role": { + "required": true, + "default": "system", + "type": "string", + "one_of": [ + "system", + "assistant", + "user" + ] + } + }, + { + "content": { + "required": true, + "len_min": 1, + "type": "string", + "len_max": 500 + } + } + ] + }, + "type": "array", + "len_max": 15 + } + } + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.prompts.prepend", + "config.prompts.append" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/ai-prompt-guard/3.8.x.json b/schemas/ai-prompt-guard/3.8.x.json new file mode 100644 index 00000000..69f97e6a --- /dev/null +++ b/schemas/ai-prompt-guard/3.8.x.json 
@@ -0,0 +1,80 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "allow_patterns": { + "default": [ + + ], + "type": "array", + "elements": { + "type": "string", + "len_min": 1, + "len_max": 500 + }, + "description": "Array of valid patterns, or valid questions from the 'user' role in chat.", + "len_max": 10 + } + }, + { + "deny_patterns": { + "default": [ + + ], + "type": "array", + "elements": { + "type": "string", + "len_min": 1, + "len_max": 500 + }, + "description": "Array of invalid patterns, or invalid questions from the 'user' role in chat.", + "len_max": 10 + } + }, + { + "allow_all_conversation_history": { + "required": true, + "description": "If true, will ignore all previous chat prompts from the conversation history.", + "type": "boolean", + "default": false + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow_patterns", + "config.deny_patterns" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/ai-prompt-template/3.8.x.json b/schemas/ai-prompt-template/3.8.x.json new file mode 100644 index 00000000..1af322a2 --- /dev/null +++ b/schemas/ai-prompt-template/3.8.x.json 
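Review bot: The description of `allow_all_conversation_history` in `schemas/ai-prompt-guard/3.8.x.json` ("will ignore all previous chat prompts") does not say what the history is ignored for. On a guard plugin, that determines whether earlier messages escape the `allow_patterns` and `deny_patterns` checks. If `true` means only the latest message is inspected, say so, for example `"If true, earlier messages in the conversation history are not checked against the allow and deny patterns."`; this behaviour is inferred from the name and should be confirmed. The two pattern descriptions also omit the matching syntax (literal text or regular expression), which a reader needs in order to write a deny rule that matches what they intend.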
@@ -0,0 +1,88 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "templates": { + "required": true, + "elements": { + "required": true, + "type": "record", + "fields": [ + { + "name": { + "required": true, + "description": "Unique name for the template, can be called with `{template://NAME}`", + "type": "string" + } + }, + { + "template": { + "required": true, + "description": "Template string for this request, supports mustache-style `{{placeholders}}`", + "type": "string" + } + } + ] + }, + "description": "Array of templates available to the request context.", + "type": "array" + } + }, + { + "allow_untemplated_requests": { + "required": true, + "description": "Set true to allow requests that don't call or match any template.", + "type": "boolean", + "default": true + } + }, + { + "log_original_request": { + "required": true, + "description": "Set true to add the original request to the Kong log plugin(s) output.", + "type": "boolean", + "default": false + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/ai-proxy/3.8.x.json b/schemas/ai-proxy/3.8.x.json new file mode 100644 index 00000000..be44ee57 --- /dev/null +++ b/schemas/ai-proxy/3.8.x.json 
@@ -0,0 +1,490 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "service": { + "reference": "services", + "type": "foreign", + "description": "A reference to the 'services' table with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "route_type": { + "required": true, + "type": "string", + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "one_of": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ] + } + }, + { + "auth": { + "required": false, + "type": "record", + "fields": [ + { + "header_name": { + "required": false, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, + "type": "string" + } + }, + { + "header_value": { + "encrypted": true, + "referenceable": true, + "required": false, + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." + } + }, + { + "param_name": { + "required": false, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, + "type": "string" + } + }, + { + "param_value": { + "encrypted": true, + "referenceable": true, + "required": false, + "type": "string", + "description": "Specify the full parameter value for 'param_name'." 
+ } + }, + { + "param_location": { + "required": false, + "type": "string", + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "one_of": [ + "query", + "body" + ] + } + }, + { + "azure_use_managed_identity": { + "required": false, + "type": "boolean", + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "default": false + } + }, + { + "azure_client_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, + "type": "string" + } + }, + { + "azure_client_secret": { + "encrypted": true, + "referenceable": true, + "required": false, + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." + } + }, + { + "azure_tenant_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, + "type": "string" + } + } + ] + } + }, + { + "model": { + "required": true, + "type": "record", + "fields": [ + { + "provider": { + "required": true, + "type": "string", + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2" + ] + } + }, + { + "name": { + "required": false, + "type": "string", + "description": "Model name to execute." 
+ } + }, + { + "options": { + "required": false, + "type": "record", + "description": "Key/value settings for the model", + "fields": [ + { + "response_streaming": { + "default": "allow", + "required": false, + "type": "string", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "one_of": [ + "allow", + "deny", + "always" + ] + } + }, + { + "max_tokens": { + "required": false, + "type": "integer", + "description": "Defines the max_tokens, if using chat or completion models.", + "default": 256 + } + }, + { + "temperature": { + "required": false, + "type": "number", + "description": "Defines the matching temperature, if using chat or completion models.", + "between": [ + 0, + 5 + ] + } + }, + { + "top_p": { + "required": false, + "type": "number", + "description": "Defines the top-p probability mass, if supported.", + "between": [ + 0, + 1 + ] + } + }, + { + "top_k": { + "required": false, + "type": "integer", + "description": "Defines the top-k most likely tokens, if supported.", + "between": [ + 0, + 500 + ] + } + }, + { + "anthropic_version": { + "required": false, + "type": "string", + "description": "Defines the schema/API version, if using Anthropic provider." + } + }, + { + "azure_instance": { + "required": false, + "type": "string", + "description": "Instance name for Azure OpenAI hosted models." + } + }, + { + "azure_api_version": { + "required": false, + "type": "string", + "description": "'api-version' for Azure OpenAI instances.", + "default": "2023-05-15" + } + }, + { + "azure_deployment_id": { + "required": false, + "type": "string", + "description": "Deployment ID for Azure OpenAI instances." 
+ } + }, + { + "llama2_format": { + "required": false, + "type": "string", + "description": "If using llama2 provider, select the upstream message format.", + "one_of": [ + "raw", + "openai", + "ollama" + ] + } + }, + { + "mistral_format": { + "required": false, + "type": "string", + "description": "If using mistral provider, select the upstream message format.", + "one_of": [ + "openai", + "ollama" + ] + } + }, + { + "upstream_url": { + "required": false, + "type": "string", + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint." + } + }, + { + "upstream_path": { + "required": false, + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "type": "string" + } + } + ] + } + } + ] + } + }, + { + "logging": { + "required": true, + "type": "record", + "fields": [ + { + "log_statistics": { + "required": true, + "type": "boolean", + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "default": false + } + }, + { + "log_payloads": { + "required": true, + "type": "boolean", + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "default": false + } + } + ] + } + } + ], + "entity_checks": [ + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "auth.header_name", + "auth.param_name" + ], + "if_match": { + "one_of": [ + "openai", + "anthropic", + "cohere" + ] + }, + "then_err": "must set one of %s, and its respective options, when provider is not self-hosted" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "auth.header_name", + "auth.param_name", + "auth.azure_use_managed_identity" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set 
one of %s, and its respective options, when azure provider is set" + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ], + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for llama2 provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ], + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ], + "if_match": { + "one_of": [ + "mistral", + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models" + 
} + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/ai-rate-limiting-advanced/3.8.x.json b/schemas/ai-rate-limiting-advanced/3.8.x.json new file mode 100644 index 00000000..ea346eed --- /dev/null +++ b/schemas/ai-rate-limiting-advanced/3.8.x.json 
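Review bot: In schemas/ai-proxy/3.8.x.json, `config.logging.log_payloads` is described only as logging the request and response body, with nothing about what those bodies can carry. The same schema lets `auth.param_location` be `body`, which puts the `encrypted` `auth.param_value` into the POST form/JSON body, so whether that credential can reach log output depends on where the body is captured, and the schema does not say. I would extend the description to `"If enabled, will log the request and response body into the Kong log plugin(s) output. Bodies contain user prompts and model answers; enable only where the log sinks are access-controlled."` and confirm that body-injected credentials are excluded from what is logged. The identical `logging` record appears again under `config.llm` in the ai-request-transformer hunk.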
@@ -0,0 +1,463 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "identifier": { + "default": "consumer", + "required": true, + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "type": "string", + "one_of": [ + "ip", + "credential", + "consumer", + "service", + "header", + "path", + "consumer-group" + ] + } + }, + { + "window_type": { + "default": "sliding", + "type": "string", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "one_of": [ + "fixed", + "sliding" + ] + } + }, + { + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. 
The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + } + }, + { + "llm_providers": { + "required": true, + "elements": { + "type": "record", + "fields": [ + { + "window_size": { + "required": true, + "type": "number", + "description": "The window size to apply a limit (defined in seconds)." + } + }, + { + "name": { + "required": true, + "type": "string", + "description": "The LLM provider to which the rate limit applies.", + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2", + "requestPrompt" + ] + } + }, + { + "limit": { + "required": true, + "type": "number", + "description": "The limit applies to the LLM provider within the defined window size. It used the query cost from the tokens to increment the counter." + } + } + ] + }, + "type": "array", + "description": "The provider config. Takes an array of `name`, `limit` and `window size` values." + } + }, + { + "strategy": { + "default": "local", + "required": true, + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "type": "string", + "one_of": [ + "cluster", + "redis", + "local" + ] + } + }, + { + "dictionary_name": { + "required": true, + "type": "string", + "description": "The shared dictionary where counters are stored. 
When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "default": "kong_rate_limiting_counters" + } + }, + { + "hide_client_headers": { + "type": "boolean", + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "default": false + } + }, + { + "retry_after_jitter_max": { + "type": "number", + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "default": 0 + } + }, + { + "header_name": { + "type": "string", + "description": "A string representing an HTTP header name." + } + }, + { + "path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + } + }, + { + "redis": { + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "default": 256, + "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ] + } + }, + { + "keepalive_backlog": { + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_addresses": { + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "elements": { + "type": "string" + }, + "type": "array", + "len_min": 1 + } + }, + { + "cluster_addresses": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "elements": { + "type": "string" + }, + "type": "array", + "len_min": 1 + } + }, + { + "ssl": { + "required": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "required": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_addresses" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ], + "type": "record", + "required": true + } + }, + { + "disable_penalty": { + "type": "boolean", + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. 
This parameter only affects the `sliding` window_type and the request prompt provider.", + "default": false + } + }, + { + "request_prompt_count_function": { + "required": false, + "type": "string", + "description": "If defined, it use custom function to count requests for the request prompt provider" + } + }, + { + "error_code": { + "default": 429, + "type": "number", + "description": "Set a custom error code to return when the rate limit is exceeded.", + "gt": 0 + } + }, + { + "error_message": { + "type": "string", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "default": "API rate limit exceeded for provider(s): " + } + }, + { + "error_hide_providers": { + "type": "boolean", + "description": "Optionally hide informative response that would otherwise provide information about the provider in the error message.", + "default": false + } + }, + { + "tokens_count_strategy": { + "default": "total_tokens", + "required": true, + "description": "What tokens to use for cost calculation. Available values are: `total_tokens` `prompt_tokens`, and `completion_tokens`.", + "type": "string", + "one_of": [ + "total_tokens", + "prompt_tokens", + "completion_tokens" + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-request-transformer/3.8.x.json b/schemas/ai-request-transformer/3.8.x.json new file mode 100644 index 00000000..f57f678f --- /dev/null +++ b/schemas/ai-request-transformer/3.8.x.json 
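Review bot: In the `config.redis` record of schemas/ai-rate-limiting-advanced/3.8.x.json, `ssl` and `ssl_verify` both default to `false`, while the same record carries `password` and `sentinel_password` marked `encrypted`, so with the defaults those secrets are protected in storage but sent to Redis over a plaintext connection. Turning on `ssl` alone still leaves the server certificate unchecked, which the `ssl` description does not mention. If the defaults cannot change for compatibility, the `ssl` description should at least say so: `"If set to true, uses SSL to connect to Redis. Also set ssl_verify to true, otherwise the server certificate is not validated."` Separately, the `strategy` description lists only `local` and `cluster` although its `one_of` also accepts `redis`.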
@@ -0,0 +1,578 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "prompt": { + "required": true, + "type": "string", + "description": "Use this prompt to tune the LLM system/assistant message for the incoming proxy request (from the client), and what you are expecting in return." + } + }, + { + "transformation_extract_pattern": { + "required": false, + "type": "string", + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the request phase. The first match will be set as the outgoing body. If the AI service's response doesn't match this pattern, it is marked as a failure." + } + }, + { + "http_timeout": { + "required": true, + "description": "Timeout in milliseconds for the AI upstream service.", + "type": "integer", + "default": 60000 + } + }, + { + "https_verify": { + "required": true, + "description": "Verify the TLS certificate of the AI upstream service.", + "type": "boolean", + "default": true + } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "http_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "https_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "llm": { + "fields": [ + { + "route_type": { + "required": true, + "type": "string", + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "one_of": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ] + } + }, + { + "auth": { + "required": false, + "type": "record", + "fields": [ + { + "header_name": { + "required": false, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, + "type": "string" + } + }, + { + "header_value": { + "encrypted": true, + "referenceable": true, + "required": false, + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." + } + }, + { + "param_name": { + "required": false, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, + "type": "string" + } + }, + { + "param_value": { + "encrypted": true, + "referenceable": true, + "required": false, + "type": "string", + "description": "Specify the full parameter value for 'param_name'." 
+ } + }, + { + "param_location": { + "required": false, + "type": "string", + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "one_of": [ + "query", + "body" + ] + } + }, + { + "azure_use_managed_identity": { + "required": false, + "type": "boolean", + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "default": false + } + }, + { + "azure_client_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, + "type": "string" + } + }, + { + "azure_client_secret": { + "encrypted": true, + "referenceable": true, + "required": false, + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." + } + }, + { + "azure_tenant_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, + "type": "string" + } + } + ] + } + }, + { + "model": { + "required": true, + "type": "record", + "fields": [ + { + "provider": { + "required": true, + "type": "string", + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2" + ] + } + }, + { + "name": { + "required": false, + "type": "string", + "description": "Model name to execute." 
+ } + }, + { + "options": { + "required": false, + "type": "record", + "description": "Key/value settings for the model", + "fields": [ + { + "response_streaming": { + "default": "allow", + "required": false, + "type": "string", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "one_of": [ + "allow", + "deny", + "always" + ] + } + }, + { + "max_tokens": { + "required": false, + "type": "integer", + "description": "Defines the max_tokens, if using chat or completion models.", + "default": 256 + } + }, + { + "temperature": { + "required": false, + "type": "number", + "description": "Defines the matching temperature, if using chat or completion models.", + "between": [ + 0, + 5 + ] + } + }, + { + "top_p": { + "required": false, + "type": "number", + "description": "Defines the top-p probability mass, if supported.", + "between": [ + 0, + 1 + ] + } + }, + { + "top_k": { + "required": false, + "type": "integer", + "description": "Defines the top-k most likely tokens, if supported.", + "between": [ + 0, + 500 + ] + } + }, + { + "anthropic_version": { + "required": false, + "type": "string", + "description": "Defines the schema/API version, if using Anthropic provider." + } + }, + { + "azure_instance": { + "required": false, + "type": "string", + "description": "Instance name for Azure OpenAI hosted models." + } + }, + { + "azure_api_version": { + "required": false, + "type": "string", + "description": "'api-version' for Azure OpenAI instances.", + "default": "2023-05-15" + } + }, + { + "azure_deployment_id": { + "required": false, + "type": "string", + "description": "Deployment ID for Azure OpenAI instances." 
+ } + }, + { + "llama2_format": { + "required": false, + "type": "string", + "description": "If using llama2 provider, select the upstream message format.", + "one_of": [ + "raw", + "openai", + "ollama" + ] + } + }, + { + "mistral_format": { + "required": false, + "type": "string", + "description": "If using mistral provider, select the upstream message format.", + "one_of": [ + "openai", + "ollama" + ] + } + }, + { + "upstream_url": { + "required": false, + "type": "string", + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint." + } + }, + { + "upstream_path": { + "required": false, + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "type": "string" + } + } + ] + } + } + ] + } + }, + { + "logging": { + "required": true, + "type": "record", + "fields": [ + { + "log_statistics": { + "required": true, + "type": "boolean", + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "default": false + } + }, + { + "log_payloads": { + "required": true, + "type": "boolean", + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "default": false + } + } + ] + } + } + ], + "entity_checks": [ + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "auth.header_name", + "auth.param_name" + ], + "if_match": { + "one_of": [ + "openai", + "anthropic", + "cohere" + ] + }, + "then_err": "must set one of %s, and its respective options, when provider is not self-hosted" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "auth.header_name", + "auth.param_name", + "auth.azure_use_managed_identity" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set 
one of %s, and its respective options, when azure provider is set" + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ], + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for llama2 provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ], + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ], + "if_match": { + "one_of": [ + "mistral", + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models" + 
} + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "config.llm.route_type", + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "then_field": "config.llm.route_type", + "then_match": { + "eq": "llm/v1/chat" + } + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/ai-response-transformer/3.8.x.json b/schemas/ai-response-transformer/3.8.x.json new file mode 100644 index 00000000..488710ce --- /dev/null +++ b/schemas/ai-response-transformer/3.8.x.json 
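Review bot: In schemas/ai-request-transformer/3.8.x.json, `config.transformation_extract_pattern` is `"required": false`, yet its description says the first match "will be set as the outgoing body", so the body sent upstream is model output derived from a client-supplied request. The description does not say what is forwarded when no pattern is configured; presumably the whole model response is, in which case nothing constrains it. Once the unset behaviour is confirmed, I would add a sentence such as `"When unset, the AI service's response is used as the outgoing body without validation; set a pattern to constrain what is forwarded upstream."` The upstream service should keep validating the body either way, since the client can influence what the model returns.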
@@ -0,0 +1,586 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "prompt": { + "required": true, + "type": "string", + "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting." + } + }, + { + "transformation_extract_pattern": { + "required": false, + "type": "string", + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the response phase. The first match will be set as the returning body. If the AI service's response doesn't match this pattern, a failure is returned to the client." + } + }, + { + "parse_llm_response_json_instructions": { + "required": true, + "type": "boolean", + "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. 
You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions.", + "default": false + } + }, + { + "http_timeout": { + "required": true, + "description": "Timeout in milliseconds for the AI upstream service.", + "type": "integer", + "default": 60000 + } + }, + { + "https_verify": { + "required": true, + "description": "Verify the TLS certificate of the AI upstream service.", + "type": "boolean", + "default": true + } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "http_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "https_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "llm": { + "fields": [ + { + "route_type": { + "required": true, + "type": "string", + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "one_of": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ] + } + }, + { + "auth": { + "required": false, + "type": "record", + "fields": [ + { + "header_name": { + "required": false, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, + "type": "string" + } + }, + { + "header_value": { + "encrypted": true, + "referenceable": true, + "required": false, + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." 
+ } + }, + { + "param_name": { + "required": false, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, + "type": "string" + } + }, + { + "param_value": { + "encrypted": true, + "referenceable": true, + "required": false, + "type": "string", + "description": "Specify the full parameter value for 'param_name'." + } + }, + { + "param_location": { + "required": false, + "type": "string", + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "one_of": [ + "query", + "body" + ] + } + }, + { + "azure_use_managed_identity": { + "required": false, + "type": "boolean", + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "default": false + } + }, + { + "azure_client_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, + "type": "string" + } + }, + { + "azure_client_secret": { + "encrypted": true, + "referenceable": true, + "required": false, + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." 
+ } + }, + { + "azure_tenant_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, + "type": "string" + } + } + ] + } + }, + { + "model": { + "required": true, + "type": "record", + "fields": [ + { + "provider": { + "required": true, + "type": "string", + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2" + ] + } + }, + { + "name": { + "required": false, + "type": "string", + "description": "Model name to execute." + } + }, + { + "options": { + "required": false, + "type": "record", + "description": "Key/value settings for the model", + "fields": [ + { + "response_streaming": { + "default": "allow", + "required": false, + "type": "string", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "one_of": [ + "allow", + "deny", + "always" + ] + } + }, + { + "max_tokens": { + "required": false, + "type": "integer", + "description": "Defines the max_tokens, if using chat or completion models.", + "default": 256 + } + }, + { + "temperature": { + "required": false, + "type": "number", + "description": "Defines the matching temperature, if using chat or completion models.", + "between": [ + 0, + 5 + ] + } + }, + { + "top_p": { + "required": false, + "type": "number", + "description": "Defines the top-p probability mass, if supported.", + "between": [ + 0, + 1 + ] + } + }, + { + "top_k": { + "required": false, + "type": "integer", + "description": "Defines the top-k most likely tokens, if supported.", + "between": [ + 0, + 500 + ] + } + }, + { + "anthropic_version": { + "required": false, + "type": "string", + "description": "Defines the schema/API version, if using Anthropic 
provider." + } + }, + { + "azure_instance": { + "required": false, + "type": "string", + "description": "Instance name for Azure OpenAI hosted models." + } + }, + { + "azure_api_version": { + "required": false, + "type": "string", + "description": "'api-version' for Azure OpenAI instances.", + "default": "2023-05-15" + } + }, + { + "azure_deployment_id": { + "required": false, + "type": "string", + "description": "Deployment ID for Azure OpenAI instances." + } + }, + { + "llama2_format": { + "required": false, + "type": "string", + "description": "If using llama2 provider, select the upstream message format.", + "one_of": [ + "raw", + "openai", + "ollama" + ] + } + }, + { + "mistral_format": { + "required": false, + "type": "string", + "description": "If using mistral provider, select the upstream message format.", + "one_of": [ + "openai", + "ollama" + ] + } + }, + { + "upstream_url": { + "required": false, + "type": "string", + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint." + } + }, + { + "upstream_path": { + "required": false, + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "type": "string" + } + } + ] + } + } + ] + } + }, + { + "logging": { + "required": true, + "type": "record", + "fields": [ + { + "log_statistics": { + "required": true, + "type": "boolean", + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "default": false + } + }, + { + "log_payloads": { + "required": true, + "type": "boolean", + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "default": false + } + } + ] + } + } + ], + "entity_checks": [ + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "auth.header_name", + "auth.param_name" + ], + "if_match": { + "one_of": [ + "openai", + "anthropic", + "cohere" + ] + }, + "then_err": "must set one of %s, and its respective options, when provider is not self-hosted" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "auth.header_name", + "auth.param_name", + "auth.azure_use_managed_identity" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set one of %s, and its respective options, when azure provider is set" + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ], + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for llama2 provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ], + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider" + } + }, + { + 
"conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ], + "if_match": { + "one_of": [ + "mistral", + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models" + } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "config.llm.route_type", + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "then_field": "config.llm.route_type", + "then_match": { + "eq": "llm/v1/chat" + } + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } + ] +} \ No newline at 
end of file diff --git a/schemas/app-dynamics/3.8.x.json b/schemas/app-dynamics/3.8.x.json new file mode 100644 index 00000000..380e6ec2 --- /dev/null +++ b/schemas/app-dynamics/3.8.x.json @@ -0,0 +1,46 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "type": "foreign", + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "type": "record", + "fields": [ + + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/application-registration/3.8.x.json b/schemas/application-registration/3.8.x.json new file mode 100644 index 00000000..604ffb5c --- /dev/null +++ b/schemas/application-registration/3.8.x.json 
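Review bot: The description of `parse_llm_response_json_instructions` in `schemas/ai-response-transformer/3.8.x.json` does not say that, once enabled, text produced by the model decides the status code, headers and body returned to the client, and per the `prompt` description that model is working on the upstream response. I would add a caveat to the description such as `The model output is untrusted input; enable this only when the content reaching the model is trusted.` The `log_payloads` description in the same hunk could likewise state that full request and response bodies, prompts included, are written to every configured log plugin. The `prompt` description has the typo `adn` for `and`. If this file is exported verbatim from the schema API, these wording changes belong in the plugin schema it is generated from.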
@@ -0,0 +1,108 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "service": { + "reference": "services", + "on_delete": "cascade", + "type": "foreign", + "ne": null + } + }, + { + "route": { + "reference": "routes", + "type": "foreign", + "description": "A reference to the 'routes' table with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "display_name": { + "required": true, + "description": "Unique display name used for a Service in the Developer Portal.", + "type": "string", + "unique": true + } + }, + { + "description": { + "description": "Unique description displayed in information about a Service in the Developer Portal.", + "type": "string", + "unique": true + } + }, + { + "auto_approve": { + "required": true, + "description": "If enabled, all new Service Contracts requests are automatically approved.", + "type": "boolean", + "default": false + } + }, + { + "show_issuer": { + "required": true, + "description": "Displays the **Issuer URL** in the **Service Details** dialog.", + "type": "boolean", + "default": false + } + }, + { + "enable_proxy_with_consumer_credential": { + "required": true, + "description": "If enabled, the Route of the Service can be accessed using the Consumer's credential", + "type": "boolean", + "default": false + } + } + ], + "type": "record", + "required": true + } + } 
+ ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/aws-lambda/3.8.x.json b/schemas/aws-lambda/3.8.x.json new file mode 100644 index 00000000..762af58b --- /dev/null +++ b/schemas/aws-lambda/3.8.x.json 
@@ -0,0 +1,255 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "timeout": { + "required": true, + "description": "An optional timeout in milliseconds when invoking the function.", + "type": "number", + "default": 60000 + } + }, + { + "keepalive": { + "required": true, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "number", + "default": 60000 + } + }, + { + "aws_key": { + "type": "string", + "encrypted": true, + "referenceable": true, + "description": "The AWS key credential to be used when invoking the function." + } + }, + { + "aws_secret": { + "type": "string", + "encrypted": true, + "referenceable": true, + "description": "The AWS secret credential to be used when invoking the function. " + } + }, + { + "aws_assume_role_arn": { + "type": "string", + "encrypted": true, + "referenceable": true, + "description": "The target AWS IAM role ARN used to invoke the Lambda function." + } + }, + { + "aws_role_session_name": { + "description": "The identifier of the assumed role session.", + "type": "string", + "default": "kong" + } + }, + { + "aws_region": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "function_name": { + "required": false, + "description": "The AWS Lambda function to invoke. 
Both function name and function ARN (including partial) are supported.", + "type": "string" + } + }, + { + "qualifier": { + "type": "string", + "description": "The qualifier to use when invoking the function." + } + }, + { + "invocation_type": { + "default": "RequestResponse", + "required": true, + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", + "type": "string", + "one_of": [ + "RequestResponse", + "Event", + "DryRun" + ] + } + }, + { + "log_type": { + "default": "Tail", + "required": true, + "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", + "type": "string", + "one_of": [ + "Tail", + "None" + ] + } + }, + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "default": 443, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "disable_https": { + "type": "boolean", + "default": false + } + }, + { + "unhandled_status": { + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", + "type": "integer", + "between": [ + 100, + 999 + ] + } + }, + { + "forward_request_method": { + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", + "type": "boolean", + "default": false + } + }, + { + "forward_request_uri": { + "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", + "type": "boolean", + "default": false + } + }, + { + "forward_request_headers": { + "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers 
field of the JSON-encoded request.", + "type": "boolean", + "default": false + } + }, + { + "forward_request_body": { + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. ", + "type": "boolean", + "default": false + } + }, + { + "is_proxy_integration": { + "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", + "type": "boolean", + "default": false + } + }, + { + "awsgateway_compatible": { + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", + "type": "boolean", + "default": false + } + }, + { + "proxy_url": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "skip_large_bodies": { + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", + "type": "boolean", + "default": true + } + }, + { + "base64_encode_body": { + "description": "An optional value that Base64-encodes the request body.", + "type": "boolean", + "default": true + } + }, + { + "aws_imds_protocol_version": { + "default": "v1", + "required": true, + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", + "type": "string", + "one_of": [ + "v1", + "v2" + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "config.aws_key", + "config.aws_secret" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "config.proxy_url" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/azure-functions/3.8.x.json b/schemas/azure-functions/3.8.x.json new file mode 100644 index 00000000..351a20c8 --- /dev/null 
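Review bot: `aws_imds_protocol_version` defaults to `v1` and its description gives no guidance on which version to choose, so a plugin configured without this field uses the older protocol, presumably when it obtains credentials from the instance metadata service. IMDSv2 requires a session token and is the hardened option against forged requests reaching the metadata endpoint. The description should say so, for example by appending `Prefer v2 where the instance supports it.` In the same hunk `disable_https` has no description at all, and `aws_region` carries the host-name text (`A string representing a host name, such as example.com.`), which looks copied from another field. Changing the default itself would have to happen in the upstream plugin schema, assuming this file is an API export.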
+++ b/schemas/azure-functions/3.8.x.json 
@@ -0,0 +1,125 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "description": "A set of strings representing protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "timeout": { + "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", + "type": "number", + "default": 600000 + } + }, + { + "keepalive": { + "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", + "type": "number", + "default": 60000 + } + }, + { + "https": { + "description": "Use of HTTPS to connect with the Azure Functions server.", + "type": "boolean", + "default": true + } + }, + { + "https_verify": { + "description": "Set to `true` to authenticate the Azure Functions server.", + "type": "boolean", + "default": false + } + }, + { + "apikey": { + "type": "string", + "encrypted": true, + "referenceable": true, + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header." + } + }, + { + "clientid": { + "type": "string", + "encrypted": true, + "referenceable": true, + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header." 
+ } + }, + { + "appname": { + "required": true, + "description": "The Azure app name.", + "type": "string" + } + }, + { + "hostdomain": { + "required": true, + "description": "The domain where the function resides.", + "type": "string", + "default": "azurewebsites.net" + } + }, + { + "routeprefix": { + "description": "Route prefix to use.", + "type": "string", + "default": "api" + } + }, + { + "functionname": { + "required": true, + "description": "Name of the Azure function to invoke.", + "type": "string" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/basic-auth/3.8.x.json b/schemas/basic-auth/3.8.x.json new file mode 100644 index 00000000..d08c9fbb --- /dev/null +++ b/schemas/basic-auth/3.8.x.json 
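Review bot: In `schemas/azure-functions/3.8.x.json`, `https_verify` defaults to `false` while `https` defaults to `true`. With the defaults the connection to the Azure Functions host is therefore encrypted but the server certificate is not checked, even though `apikey` and `clientid` are injected as the `x-functions-key` and `x-functions-clientid` headers. The ai-response-transformer schema added in this same patch defaults its `https_verify` to `true`, so the two plugins disagree. The description should at least state the consequence, e.g. `Set to true to verify the Azure Functions server certificate. When false (the default), the server is not authenticated and the function key can reach an intercepting host.` A change of the default would need to be made in the plugin schema this file is pulled from.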
@@ -0,0 +1,78 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "anonymous": { + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + } + }, + { + "hide_credentials": { + "required": true, + "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", + "default": false + } + }, + { + "realm": { + "required": true, + "type": "string", + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "default": "service" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/bot-detection/3.8.x.json b/schemas/bot-detection/3.8.x.json new file mode 100644 index 00000000..f5f0fd1b --- /dev/null +++ b/schemas/bot-detection/3.8.x.json 
@@ -0,0 +1,79 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "allow": { + "type": "array", + "elements": { + "type": "string", + "is_regex": true + }, + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", + "default": [ + + ] + } + }, + { + "deny": { + "type": "array", + "elements": { + "type": "string", + "is_regex": true + }, + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/canary/3.8.x.json b/schemas/canary/3.8.x.json new file mode 100644 index 00000000..29995723 --- /dev/null +++ b/schemas/canary/3.8.x.json 
@@ -0,0 +1,190 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "start": { + "type": "number", + "description": "Future time in seconds since epoch, when the canary release will start. Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`." + } + }, + { + "hash": { + "default": "consumer", + "type": "string", + "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", + "one_of": [ + "consumer", + "ip", + "none", + "allow", + "deny", + "header" + ] + } + }, + { + "hash_header": { + "type": "string", + "description": "A string representing an HTTP header name." 
+ } + }, + { + "duration": { + "default": 3600, + "type": "number", + "description": "The duration of the canary release in seconds.", + "gt": 0 + } + }, + { + "steps": { + "default": 1000, + "type": "number", + "description": "The number of steps for the canary release.", + "gt": 1 + } + }, + { + "percentage": { + "type": "number", + "description": "The percentage of traffic to be routed to the canary release.", + "between": [ + 0, + 100 + ] + } + }, + { + "upstream_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "upstream_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "upstream_uri": { + "type": "string", + "description": "The URI of the upstream server to be used for the canary release.", + "len_min": 1 + } + }, + { + "upstream_fallback": { + "required": true, + "type": "boolean", + "description": "Specifies whether to fallback to the upstream server if the canary release fails.", + "default": false + } + }, + { + "groups": { + "elements": { + "type": "string" + }, + "type": "array", + "description": "The groups allowed to access the canary release." + } + }, + { + "canary_by_header_name": { + "type": "string", + "description": "A string representing an HTTP header name." + } + } + ], + "required": true, + "shorthand_fields": [ + { + "hash": { + "type": "string", + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead." 
+ } + } + ], + "type": "record" + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.upstream_uri", + "config.upstream_host", + "config.upstream_port" + ] + }, + { + "conditional": { + "if_field": "config.hash", + "if_match": { + "eq": "header" + }, + "then_field": "config.hash_header", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.upstream_fallback", + "if_match": { + "eq": true + }, + "then_field": "config.upstream_host", + "then_match": { + "required": true + } + } + } + ] +} \ No newline at end of file diff --git a/schemas/correlation-id/3.8.x.json b/schemas/correlation-id/3.8.x.json new file mode 100644 index 00000000..359e7014 --- /dev/null +++ b/schemas/correlation-id/3.8.x.json 
@@ -0,0 +1,72 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "header_name": { + "description": "The HTTP header name to use for the correlation ID.", + "type": "string", + "default": "Kong-Request-ID" + } + }, + { + "generator": { + "default": "uuid#counter", + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", + "type": "string", + "one_of": [ + "uuid", + "uuid#counter", + "tracker" + ] + } + }, + { + "echo_downstream": { + "required": true, + "description": "Whether to echo the header back to downstream (the client).", + "type": "boolean", + "default": false + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/cors/3.8.x.json b/schemas/cors/3.8.x.json new file mode 100644 index 00000000..a9ff5f6b --- /dev/null +++ b/schemas/cors/3.8.x.json 
@@ -0,0 +1,143 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "required": true, + "type": "string", + "len_min": 1, + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "origins": { + "elements": { + "type": "string" + }, + "type": "array", + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes." + } + }, + { + "headers": { + "elements": { + "type": "string" + }, + "type": "array", + "description": "Value for the `Access-Control-Allow-Headers` header." + } + }, + { + "exposed_headers": { + "elements": { + "type": "string" + }, + "type": "array", + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed." + } + }, + { + "methods": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "GET", + "HEAD", + "PUT", + "PATCH", + "POST", + "DELETE", + "OPTIONS", + "TRACE", + "CONNECT" + ] + }, + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. 
By default, all options are allowed.'", + "default": [ + "GET", + "HEAD", + "PUT", + "PATCH", + "POST", + "DELETE", + "OPTIONS", + "TRACE", + "CONNECT" + ] + } + }, + { + "max_age": { + "type": "number", + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`." + } + }, + { + "credentials": { + "required": true, + "type": "boolean", + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", + "default": false + } + }, + { + "private_network": { + "required": true, + "type": "boolean", + "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", + "default": false + } + }, + { + "preflight_continue": { + "required": true, + "type": "boolean", + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", + "default": false + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/datadog-tracing/3.8.x.json b/schemas/datadog-tracing/3.8.x.json new file mode 100644 index 00000000..450d1bc3 --- /dev/null +++ b/schemas/datadog-tracing/3.8.x.json 
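Review bot: The `origins` description allows "flat strings or PCRE regexes" but does not say how a regex is applied to the Origin value, so an operator cannot tell from the schema whether an unanchored pattern also accepts a longer host name that merely contains the intended one. The description should state the matching rule or tell operators to anchor patterns with `^` and `$`. The `credentials` description should also say what happens when `origins` is `*`, since `entity_checks` is empty and nothing here rejects that pairing. The `methods` description is wrapped in stray single quotes (`'Value for … allowed.'`). As this file is pulled from the API, the wording would have to be corrected in the plugin schema upstream and downloaded again.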
@@ -0,0 +1,103 @@ +{ + "fields": [ + { + "consumer": { + "eq": null, + "type": "foreign", + "reference": "consumers" + } + }, + { + "protocols": { + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "endpoint": { + "type": "string", + "referenceable": true + } + }, + { + "service_name": { + "required": true, + "type": "string", + "default": "kong" + } + }, + { + "environment": { + "type": "string", + "default": "none" + } + }, + { + "batch_span_count": { + "required": true, + "type": "integer", + "default": 200 + } + }, + { + "batch_flush_delay": { + "required": true, + "type": "integer", + "default": 3 + } + }, + { + "connect_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "default": 1000 + } + }, + { + "send_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "default": 5000 + } + }, + { + "read_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "default": 5000 + } + } + ], + "type": "record", + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/datadog/3.8.x.json b/schemas/datadog/3.8.x.json new file mode 100644 index 00000000..58c1186f --- /dev/null +++ b/schemas/datadog/3.8.x.json 
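Review bot: No field in this schema carries a `description`, unlike the other schemas added in this diff, so the reference has nothing to show for `endpoint`, `batch_span_count`, `batch_flush_delay` or the three timeout fields. The units of the timeouts and of the flush delay cannot be read from the schema at all. `endpoint` is `referenceable`, which suggests it may hold a secret-bearing value; a description saying what it points to and whether it should be supplied as a vault reference would help operators.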
@@ -0,0 +1,350 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "description": "A set of strings representing protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string", + "referenceable": true, + "default": "localhost" + } + }, + { + "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "prefix": { + "description": "String to be attached as a prefix to a metric's name.", + "type": "string", + "default": "kong" + } + }, + { + "service_name_tag": { + "description": "String to be attached as the name of the service.", + "type": "string", + "default": "name" + } + }, + { + "status_tag": { + "description": "String to be attached as the tag of the HTTP status.", + "type": "string", + "default": "status" + } + }, + { + "consumer_tag": { + "description": "String to be attached as tag of the consumer.", + "type": "string", + "default": "consumer" + } + }, + { + "retry_count": { + "deprecation": { + "old_default": 10, + "removal_in_version": "4.0", + "message": "datadog: config.retry_count no longer works, please use config.queue.max_retry_time instead" + }, + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" + } + }, + { + "queue_size": { + "deprecation": { + 
"old_default": 1, + "removal_in_version": "4.0", + "message": "datadog: config.queue_size is deprecated, please use config.queue.max_batch_size instead" + }, + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" + } + }, + { + "flush_timeout": { + "deprecation": { + "old_default": 2, + "removal_in_version": "4.0", + "message": "datadog: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead" + }, + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" + } + }, + { + "queue": { + "fields": [ + { + "max_batch_size": { + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_coalescing_delay": { + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "between": [ + 0, + 3600 + ] + } + }, + { + "max_entries": { + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." 
+ } + }, + { + "max_retry_time": { + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60 + } + }, + { + "initial_retry_delay": { + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ] + } + }, + { + "max_retry_delay": { + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "metrics": { + "type": "array", + "required": true, + "elements": { + "fields": [ + { + "name": { + "required": true, + "description": "Datadog metric’s name", + "type": "string", + "one_of": [ + "kong_latency", + "latency", + "request_count", + "request_size", + "response_size", + "upstream_latency" + ] + } + }, + { + "stat_type": { + "required": true, + "description": "Determines what sort of event the metric represents", + "type": "string", + "one_of": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer", + "distribution" + ] + } + }, + { + "tags": { + "elements": { + "type": "string", + "match": "^.*[^:]$" + }, + "description": "List of tags", + "type": "array" + } + }, + { + "sample_rate": { + "description": "Sampling rate", + "type": "number", + "between": [ + 0, + 1 + ] + } + }, + { + "consumer_identifier": { + "description": "Authenticated user detail", + "type": "string", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "stat_type", + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_field": "sample_rate", + "then_match": { + "required": true + } + } + } + ], + "type": "record" + }, + "description": "List of metrics to be logged.", + "default": [ + { + "stat_type": "counter", + "tags": [ + "app:kong" + ], + 
"consumer_identifier": "custom_id", + "name": "request_count", + "sample_rate": 1 + }, + { + "stat_type": "timer", + "name": "latency", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + }, + { + "stat_type": "timer", + "name": "request_size", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + }, + { + "stat_type": "timer", + "name": "response_size", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + }, + { + "stat_type": "timer", + "name": "upstream_latency", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + }, + { + "stat_type": "timer", + "name": "kong_latency", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + } + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/degraphql/3.8.x.json b/schemas/degraphql/3.8.x.json new file mode 100644 index 00000000..cd491eea --- /dev/null +++ b/schemas/degraphql/3.8.x.json 
@@ -0,0 +1,68 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "graphql_server_path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "required": true, + "type": "string", + "starts_with": "/", + "default": "/graphql" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/exit-transformer/3.8.x.json b/schemas/exit-transformer/3.8.x.json new file mode 100644 index 00000000..793e86c4 --- /dev/null +++ b/schemas/exit-transformer/3.8.x.json 
@@ -0,0 +1,68 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "functions": { + "required": true, + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "handle_unknown": { + "description": "Determines whether to handle unknown status codes by transforming their responses.", + "type": "boolean", + "default": false + } + }, + { + "handle_unexpected": { + "description": "Determines whether to handle unexpected errors by transforming their responses.", + "type": "boolean", + "default": false + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/file-log/3.8.x.json b/schemas/file-log/3.8.x.json new file mode 100644 index 00000000..0439ef6d --- /dev/null +++ b/schemas/file-log/3.8.x.json 
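Review bot: `functions` is required, yet it is the only field in `config` without a `description`. If these strings are Lua source run by the gateway (the file-log schema in this diff describes its `custom_fields_by_lua` as Lua code), the description should say so. It should also note that permission to configure this plugin amounts to permission to run code inside the gateway, so that operators scope Admin API access accordingly.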
@@ -0,0 +1,83 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "description": "A set of strings representing protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "path": { + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", + "required": true, + "match": "^[^*&%%\\`]+$", + "type": "string", + "err": "not a valid filename" + } + }, + { + "reopen": { + "required": true, + "type": "boolean", + "description": "Determines whether the log file is closed and reopened on every request.", + "default": false + } + }, + { + "custom_fields_by_lua": { + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map", + "description": "Lua code as a key-value map", + "values": { + "type": "string", + "len_min": 1 + } + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/forward-proxy/3.8.x.json b/schemas/forward-proxy/3.8.x.json new file mode 100644 index 00000000..1e52a284 --- /dev/null +++ b/schemas/forward-proxy/3.8.x.json 
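Review bot: The `path` pattern `^[^*&%%\\`]+$` only excludes a handful of characters, so relative segments and any absolute location pass validation. The description should say that the log file is created wherever the configuring user points it, and recommend restricting who may configure this plugin. `custom_fields_by_lua` is described only as "Lua code as a key-value map"; it should state that the values are executed by the gateway, presumably for each logged request (confirm against the plugin).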
@@ -0,0 +1,171 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "entity_checks": [ + { + "at_least_one_of": [ + "http_proxy_host", + "https_proxy_host" + ] + }, + { + "at_least_one_of": [ + "http_proxy_port", + "https_proxy_port" + ] + }, + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], + "shorthand_fields": [ + { + "proxy_host": { + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "forward-proxy: config.proxy_host is deprecated, please use config.http_proxy_host instead" + } + } + }, + { + "proxy_port": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "forward-proxy: config.proxy_port is deprecated, please use config.http_proxy_port instead" + } + } + } + ], + "fields": [ + { + "x_headers": { + "default": "append", + "required": true, + "type": "string", + "description": "Determines how to handle headers when forwarding the request.", + "one_of": [ + "append", + "transparent", + "delete" + ] + } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "http_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "https_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "proxy_scheme": { + "default": "http", + "required": true, + "type": "string", + "description": "The proxy scheme to use when connecting. Only `http` is supported.", + "one_of": [ + "http" + ] + } + }, + { + "auth_username": { + "required": false, + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "referenceable": true, + "type": "string" + } + }, + { + "auth_password": { + "required": false, + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "referenceable": true, + "type": "string" + } + }, + { + "https_verify": { + "required": true, + "type": "boolean", + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "default": false + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/graphql-proxy-cache-advanced/3.8.x.json b/schemas/graphql-proxy-cache-advanced/3.8.x.json new file mode 100644 index 00000000..b2d602c8 --- /dev/null +++ b/schemas/graphql-proxy-cache-advanced/3.8.x.json 
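Review bot: `auth_password` is marked `referenceable` but not `encrypted`, whereas the Redis `password` and `sentinel_password` fields in the graphql-proxy-cache-advanced and graphql-rate-limiting-advanced schemas later in this diff carry `"encrypted": true`. If that flag is what controls at-rest encryption of the stored value, the proxy password is kept in clear text and the upstream schema should add it. `https_verify` defaults to `false`, and its description does not say that the default leaves the server certificate unchecked. A sentence such as `Defaults to false; set to true so that the certificate is verified.` would make that visible.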
@@ -0,0 +1,338 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "strategy": { + "default": "memory", + "required": true, + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", + "type": "string", + "one_of": [ + "memory", + "redis" + ] + } + }, + { + "cache_ttl": { + "gt": 0, + "type": "integer", + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "default": 300 + } + }, + { + "memory": { + "fields": [ + { + "dictionary_name": { + "required": true, + "type": "string", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", + "default": "kong_db_cache" + } + } + ], + "type": "record", + "required": true + } + }, + { + "redis": { + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "default": 256, + "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. 
If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ] + } + }, + { + "keepalive_backlog": { + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_addresses": { + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "elements": { + "type": "string" + }, + "type": "array", + "len_min": 1 + } + }, + { + "cluster_addresses": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. 
The minimum length of the array is 1 element.", + "elements": { + "type": "string" + }, + "type": "array", + "len_min": 1 + } + }, + { + "ssl": { + "required": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "required": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_addresses" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ], + "type": "record", + "required": true + } + }, + { + "bypass_on_err": { + "type": "boolean", + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "default": false + } + }, + { + "vary_headers": { + "elements": { + "type": "string" + }, + "type": "array", + "description": "Relevant headers considered for the cache key. 
If undefined, none of the headers are taken into consideration." + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/graphql-rate-limiting-advanced/3.8.x.json b/schemas/graphql-rate-limiting-advanced/3.8.x.json new file mode 100644 index 00000000..80e4f015 --- /dev/null +++ b/schemas/graphql-rate-limiting-advanced/3.8.x.json 
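Review bot: The `strategy` description says "Accepted value is `memory`" while `one_of` also lists `redis`, so the text and the validation disagree. In the `redis` record, `ssl` and `ssl_verify` both default to `false` while `password` and `sentinel_password` are accepted, so a configuration that sets only host, port and password would send the credential over a connection that is neither encrypted nor authenticated. The `password` description should point to `ssl` and `ssl_verify`. The same `redis` record appears in schemas/graphql-rate-limiting-advanced/3.8.x.json in the next hunk. `vary_headers` states that no headers enter the cache key when it is undefined; if responses depend on the caller's credentials, the description should say which header must be listed (whether the consumer is otherwise part of the key is not visible here).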
@@ -0,0 +1,405 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "identifier": { + "default": "consumer", + "required": true, + "type": "string", + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", + "one_of": [ + "ip", + "credential", + "consumer" + ] + } + }, + { + "window_size": { + "required": true, + "elements": { + "type": "number" + }, + "type": "array", + "description": "One or more window sizes to apply a limit to (defined in seconds)." + } + }, + { + "window_type": { + "default": "sliding", + "type": "string", + "description": "Sets the time window to either `sliding` or `fixed`.", + "one_of": [ + "fixed", + "sliding" + ] + } + }, + { + "limit": { + "required": true, + "elements": { + "type": "number" + }, + "type": "array", + "description": "One or more requests-per-window limits to apply." + } + }, + { + "sync_rate": { + "required": true, + "type": "number", + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds." + } + }, + { + "namespace": { + "auto": true, + "type": "string", + "description": "The rate limiting library namespace to use for this plugin instance. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. 
`strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same." + } + }, + { + "strategy": { + "default": "cluster", + "required": true, + "type": "string", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", + "one_of": [ + "cluster", + "redis" + ] + } + }, + { + "dictionary_name": { + "required": true, + "type": "string", + "description": "The shared dictionary where counters will be stored until the next sync cycle.", + "default": "kong_rate_limiting_counters" + } + }, + { + "hide_client_headers": { + "type": "boolean", + "description": "Optionally hide informative response headers. Available options: `true` or `false`.", + "default": false + } + }, + { + "cost_strategy": { + "default": "default", + "type": "string", + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", + "one_of": [ + "default", + "node_quantifier" + ] + } + }, + { + "score_factor": { + "gt": 0, + "required": false, + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", + "type": "number", + "default": 1 + } + }, + { + "max_cost": { + "required": false, + "type": "number", + "description": "A defined maximum cost per query. 0 means unlimited.", + "default": 0 + } + }, + { + "redis": { + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "default": 256, + "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. 
If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ] + } + }, + { + "keepalive_backlog": { + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_addresses": { + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "elements": { + "type": "string" + }, + "type": "array", + "len_min": 1 + } + }, + { + "cluster_addresses": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. 
The minimum length of the array is 1 element.", + "elements": { + "type": "string" + }, + "type": "array", + "len_min": 1 + } + }, + { + "ssl": { + "required": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "required": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_addresses" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ], + "type": "record", + "required": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/grpc-gateway/3.8.x.json b/schemas/grpc-gateway/3.8.x.json new file mode 100644 index 00000000..28a35684 --- /dev/null +++ b/schemas/grpc-gateway/3.8.x.json 
@@ -0,0 +1,59 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "description": "A set of strings representing protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "proto": { + "required": false, + "type": "string", + "description": "Describes the gRPC types and methods." + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/grpc-web/3.8.x.json b/schemas/grpc-web/3.8.x.json new file mode 100644 index 00000000..ea23b872 --- /dev/null +++ b/schemas/grpc-web/3.8.x.json 
@@ -0,0 +1,74 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "description": "A set of strings representing protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "proto": { + "required": false, + "type": "string", + "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content." + } + }, + { + "pass_stripped_path": { + "required": false, + "type": "boolean", + "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service." + } + }, + { + "allow_origin_header": { + "required": false, + "type": "string", + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", + "default": "*" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/hmac-auth/3.8.x.json b/schemas/hmac-auth/3.8.x.json new file mode 100644 index 00000000..f95b6922 --- /dev/null +++ b/schemas/hmac-auth/3.8.x.json 
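Review bot: `allow_origin_header` in the `config` record defaults to `*`, so a plugin instance that leaves the field unset answers every gRPC-Web client with `Access-Control-Allow-Origin: *`, and the description does not mention this. I would extend the description with a sentence such as "Defaults to `*`, which allows any origin; set an explicit origin when the service should not be reachable cross-origin from arbitrary sites." The `proto` description also spells the content type `application/grpw-web+proto`, which looks like a typo for `application/grpc-web+proto`. Since this file is pulled from the API, both wording changes belong in the upstream schema and this copy should be regenerated afterwards.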
@@ -0,0 +1,125 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "hide_credentials": { + "required": true, + "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "default": false + } + }, + { + "clock_skew": { + "default": 300, + "type": "number", + "description": "Clock skew in seconds to prevent replay attacks.", + "gt": 0 + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + } + }, + { + "validate_request_body": { + "required": true, + "type": "boolean", + "description": "A boolean value telling the plugin to enable body validation.", + "default": false + } + }, + { + "enforce_headers": { + "type": "array", + "elements": { + "type": "string" + }, + "description": "A list of headers that the client should at least use for HTTP signature creation.", + "default": [ + + ] + } + }, + { + "algorithms": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ] + }, + "description": "A list of HMAC digest algorithms that the user wants to support. 
Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.algorithms" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/http-log/3.8.x.json b/schemas/http-log/3.8.x.json new file mode 100644 index 00000000..de991dd0 --- /dev/null +++ b/schemas/http-log/3.8.x.json 
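Review bot: The `algorithms` default lists all four digests, including `hmac-sha1`, so a deployment that leaves the field unset keeps accepting SHA-1 based signatures, and the description only enumerates the allowed values. I would add a sentence to the description along the lines of "All four algorithms are accepted by default; set this list explicitly to restrict clients to `hmac-sha256` or stronger." The `protocols` field in this schema also has no `description`, unlike the same field in the neighbouring schemas. As the file is downloaded rather than hand-written, the change would have to be made in the upstream schema.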
@@ -0,0 +1,249 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "description": "A set of strings representing protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "http_endpoint": { + "encrypted": true, + "referenceable": true, + "required": true, + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "method": { + "default": "POST", + "type": "string", + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", + "one_of": [ + "POST", + "PUT", + "PATCH" + ] + } + }, + { + "content_type": { + "default": "application/json", + "type": "string", + "description": "Indicates the type of data sent. 
The only available option is `application/json`.", + "one_of": [ + "application/json", + "application/json; charset=utf-8" + ] + } + }, + { + "timeout": { + "type": "number", + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "default": 10000 + } + }, + { + "keepalive": { + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", + "default": 60000 + } + }, + { + "retry_count": { + "deprecation": { + "old_default": 10, + "removal_in_version": "4.0", + "message": "http-log: config.retry_count no longer works, please use config.queue.max_retry_time instead" + }, + "type": "integer", + "description": "Number of times to retry when sending data to the upstream server." + } + }, + { + "queue_size": { + "deprecation": { + "old_default": 1, + "removal_in_version": "4.0", + "message": "http-log: config.queue_size is deprecated, please use config.queue.max_batch_size instead" + }, + "type": "integer", + "description": "Maximum number of log entries to be sent on each message to the upstream server." + } + }, + { + "flush_timeout": { + "deprecation": { + "old_default": 2, + "removal_in_version": "4.0", + "message": "http-log: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead" + }, + "type": "number", + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records." 
+ } + }, + { + "headers": { + "keys": { + "match_none": [ + { + "err": "cannot contain 'Host' header", + "pattern": "^[Hh][Oo][Ss][Tt]$" + }, + { + "err": "cannot contain 'Content-Length' header", + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$" + }, + { + "err": "cannot contain 'Content-Type' header", + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$" + } + ], + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "type": "map", + "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", + "values": { + "type": "string", + "referenceable": true + } + } + }, + { + "queue": { + "fields": [ + { + "max_batch_size": { + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_coalescing_delay": { + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "between": [ + 0, + 3600 + ] + } + }, + { + "max_entries": { + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." 
+ } + }, + { + "max_retry_time": { + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60 + } + }, + { + "initial_retry_delay": { + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ] + } + }, + { + "max_retry_delay": { + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "custom_fields_by_lua": { + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map", + "description": "Lua code as a key-value map", + "values": { + "type": "string", + "len_min": 1 + } + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/ip-restriction/3.8.x.json b/schemas/ip-restriction/3.8.x.json new file mode 100644 index 00000000..029b175e --- /dev/null +++ b/schemas/ip-restriction/3.8.x.json 
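Review bot: The `match_none` pattern for Content-Length under `config.headers.keys` contains `[nn]` where every other character class pairs both cases, so a key with an uppercase N in that position (for example `CONTENT-LENGTH`) passes this rule, while the `Host` and `Content-Type` rules match regardless of case. The class should read `[Nn]`, giving `^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][Nn][Gg][Tt][Hh]$`. Because this file is downloaded from the API, the correction belongs in the upstream plugin schema, with this copy regenerated afterwards. Separately, the `content_type` description says the only option is `application/json` while `one_of` also lists `application/json; charset=utf-8`.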
@@ -0,0 +1,85 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing protocols.", + "required": true, + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "http", + "https", + "tcp", + "tls", + "grpc", + "grpcs" + ] + } + }, + { + "config": { + "fields": [ + { + "allow": { + "elements": { + "type": "string", + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + }, + "type": "array", + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified." + } + }, + { + "deny": { + "elements": { + "type": "string", + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + }, + "type": "array", + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified." + } + }, + { + "status": { + "required": false, + "type": "number", + "description": "The HTTP status of the requests that will be rejected by the plugin." + } + }, + { + "message": { + "required": false, + "type": "string", + "description": "The message to send as a response body to rejected requests." + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/jq/3.8.x.json b/schemas/jq/3.8.x.json new file mode 100644 index 00000000..733feb0f --- /dev/null +++ b/schemas/jq/3.8.x.json 
@@ -0,0 +1,197 @@ +{ + "fields": [ + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "request_jq_program": { + "required": false, + "type": "string" + } + }, + { + "request_jq_program_options": { + "required": false, + "fields": [ + { + "compact_output": { + "required": true, + "type": "boolean", + "default": true + } + }, + { + "raw_output": { + "required": true, + "type": "boolean", + "default": false + } + }, + { + "join_output": { + "required": true, + "type": "boolean", + "default": false + } + }, + { + "ascii_output": { + "required": true, + "type": "boolean", + "default": false + } + }, + { + "sort_keys": { + "required": true, + "type": "boolean", + "default": false + } + } + ], + "type": "record", + "default": [ + + ] + } + }, + { + "request_if_media_type": { + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + "application/json" + ] + } + }, + { + "response_jq_program": { + "required": false, + "type": "string" + } + }, + { + "response_jq_program_options": { + "required": false, + "fields": [ + { + "compact_output": { + "required": true, + "type": "boolean", + "default": true + } + }, + { + "raw_output": { + "required": true, + "type": "boolean", + "default": false + } + }, + { + "join_output": { + "required": true, + "type": "boolean", + "default": false + } + }, + { + "ascii_output": { + "required": true, + "type": "boolean", + "default": false + } + }, + { + "sort_keys": { + "required": true, + "type": "boolean", + "default": false + } + } + ], 
+ "type": "record", + "default": [ + + ] + } + }, + { + "response_if_media_type": { + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + "application/json" + ] + } + }, + { + "response_if_status_code": { + "required": false, + "elements": { + "type": "integer", + "between": [ + 100, + 599 + ] + }, + "type": "array", + "default": [ + 200 + ] + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "request_jq_program", + "response_jq_program" + ] + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/jwe-decrypt/3.8.x.json b/schemas/jwe-decrypt/3.8.x.json new file mode 100644 index 00000000..4822044d --- /dev/null +++ b/schemas/jwe-decrypt/3.8.x.json 
@@ -0,0 +1,86 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "lookup_header_name": { + "required": true, + "type": "string", + "description": "The name of the header to look for the JWE token.", + "default": "Authorization" + } + }, + { + "forward_header_name": { + "required": true, + "type": "string", + "description": "The name of the header that is used to set the decrypted value.", + "default": "Authorization" + } + }, + { + "key_sets": { + "required": true, + "elements": { + "type": "string" + }, + "type": "array", + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token." + } + }, + { + "strict": { + "type": "boolean", + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", + "default": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/jwt-signer/3.8.x.json b/schemas/jwt-signer/3.8.x.json new file mode 100644 index 00000000..e6cc6eb6 --- /dev/null +++ b/schemas/jwt-signer/3.8.x.json 
@@ -0,0 +1,997 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "realm": { + "required": false, + "type": "string", + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value." + } + }, + { + "enable_hs_signatures": { + "required": false, + "type": "boolean", + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting.", + "default": false + } + }, + { + "enable_instrumentation": { + "required": false, + "type": "boolean", + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", + "default": false + } + }, + { + "access_token_issuer": { + "required": false, + "type": "string", + "description": "The `iss` claim of a signed or re-signed access token is set to this value. 
Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", + "default": "kong" + } + }, + { + "access_token_keyset": { + "required": false, + "type": "string", + "description": "The name of the keyset containing signing keys.", + "default": "kong" + } + }, + { + "access_token_keyset_client_username": { + "required": false, + "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`", + "referenceable": true, + "type": "string" + } + }, + { + "access_token_keyset_client_password": { + "encrypted": true, + "referenceable": true, + "required": false, + "type": "string", + "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`" + } + }, + { + "access_token_keyset_client_certificate": { + "required": false, + "type": "foreign", + "description": "The client certificate that will be used to authenticate Kong if `access_token_keyset` is an https uri that requires mTLS Auth.", + "reference": "certificates" + } + }, + { + "access_token_keyset_rotate_period": { + "required": false, + "type": "number", + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. The default value 0 means no auto-rotation.", + "default": 0 + } + }, + { + "access_token_jwks_uri": { + "required": false, + "type": "string", + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token." + } + }, + { + "access_token_jwks_uri_client_username": { + "required": false, + "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. 
Should be configured together with `access_token_jwks_uri_client_password`", + "referenceable": true, + "type": "string" + } + }, + { + "access_token_jwks_uri_client_password": { + "encrypted": true, + "referenceable": true, + "required": false, + "type": "string", + "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`" + } + }, + { + "access_token_jwks_uri_client_certificate": { + "required": false, + "type": "foreign", + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", + "reference": "certificates" + } + }, + { + "access_token_jwks_uri_rotate_period": { + "required": false, + "type": "number", + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. The default value 0 means no auto-rotation.", + "default": 0 + } + }, + { + "access_token_request_header": { + "required": false, + "type": "string", + "description": "This parameter tells the name of the header where to look for the access token.", + "default": "Authorization" + } + }, + { + "access_token_leeway": { + "required": false, + "type": "number", + "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", + "default": 0 + } + }, + { + "access_token_scopes_required": { + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`." 
+ } + }, + { + "access_token_scopes_claim": { + "type": "array", + "required": false, + "elements": { + "type": "string" + }, + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", + "default": [ + "scope" + ] + } + }, + { + "access_token_consumer_claim": { + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity." + } + }, + { + "access_token_consumer_by": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "access_token_upstream_header": { + "required": false, + "type": "string", + "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. 
If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", + "default": "Authorization:Bearer" + } + }, + { + "access_token_upstream_leeway": { + "required": false, + "type": "number", + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", + "default": 0 + } + }, + { + "access_token_introspection_endpoint": { + "required": false, + "type": "string", + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter." + } + }, + { + "access_token_introspection_authorization": { + "required": false, + "type": "string", + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter." + } + }, + { + "access_token_introspection_body_args": { + "required": false, + "type": "string", + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`." + } + }, + { + "access_token_introspection_hint": { + "required": false, + "type": "string", + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", + "default": "access_token" + } + }, + { + "access_token_introspection_jwt_claim": { + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. 
Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`." + } + }, + { + "access_token_introspection_scopes_required": { + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`." + } + }, + { + "access_token_introspection_scopes_claim": { + "type": "array", + "required": true, + "elements": { + "type": "string" + }, + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", + "default": [ + "scope" + ] + } + }, + { + "access_token_introspection_consumer_claim": { + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity." + } + }, + { + "access_token_introspection_consumer_by": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. 
The parameter can take an array of values.", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "access_token_introspection_leeway": { + "required": false, + "type": "number", + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", + "default": 0 + } + }, + { + "access_token_introspection_timeout": { + "required": false, + "type": "number", + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection." + } + }, + { + "access_token_signing_algorithm": { + "default": "RS256", + "required": true, + "type": "string", + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + } + }, + { + "add_access_token_claims": { + "keys": { + "type": "string" + }, + "description": "Add customized claims if they are not present yet. 
Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "required": false, + "values": { + "type": "string" + }, + "type": "map", + "default": [ + + ] + } + }, + { + "set_access_token_claims": { + "keys": { + "type": "string" + }, + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "required": false, + "values": { + "type": "string" + }, + "type": "map", + "default": [ + + ] + } + }, + { + "remove_access_token_claims": { + "type": "array", + "required": false, + "elements": { + "type": "string" + }, + "description": "remove claims. It should be an array, and each element is a claim key string.", + "default": [ + + ] + } + }, + { + "original_access_token_upstream_header": { + "required": false, + "type": "string", + "description": "The HTTP header name used to store the original access token." + } + }, + { + "access_token_optional": { + "required": false, + "type": "boolean", + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. 
If the token is provided, then this parameter has no effect", + "default": false + } + }, + { + "verify_access_token_signature": { + "required": false, + "type": "boolean", + "description": "Quickly turn access token signature verification off and on as needed.", + "default": true + } + }, + { + "verify_access_token_expiry": { + "required": false, + "type": "boolean", + "description": "Quickly turn access token expiry verification off and on as needed.", + "default": true + } + }, + { + "verify_access_token_scopes": { + "required": false, + "type": "boolean", + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", + "default": true + } + }, + { + "verify_access_token_introspection_expiry": { + "required": false, + "type": "boolean", + "description": "Quickly turn access token introspection expiry verification off and on as needed.", + "default": true + } + }, + { + "verify_access_token_introspection_scopes": { + "required": false, + "type": "boolean", + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", + "default": true + } + }, + { + "cache_access_token_introspection": { + "required": false, + "type": "boolean", + "description": "Whether to cache access token introspection results.", + "default": true + } + }, + { + "trust_access_token_introspection": { + "required": false, + "type": "boolean", + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. 
If you set this to `true`, the expiry or scopes are not checked on a payload.", + "default": true + } + }, + { + "enable_access_token_introspection": { + "required": false, + "type": "boolean", + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", + "default": true + } + }, + { + "channel_token_issuer": { + "required": false, + "type": "string", + "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", + "default": "kong" + } + }, + { + "channel_token_keyset": { + "required": false, + "type": "string", + "description": "The name of the keyset containing signing keys.", + "default": "kong" + } + }, + { + "channel_token_keyset_client_username": { + "required": false, + "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`", + "referenceable": true, + "type": "string" + } + }, + { + "channel_token_keyset_client_password": { + "encrypted": true, + "referenceable": true, + "required": false, + "type": "string", + "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_keyset_client_username`" + } + }, + { + "channel_token_keyset_client_certificate": { + "required": false, + "type": "foreign", + "description": "The client certificate that will be used to authenticate Kong if `channel_token_keyset` is an https uri that requires mTLS Auth.", + "reference": "certificates" + } + }, + { + "channel_token_keyset_rotate_period": { + "required": false, + "type": "number", + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. The default value 0 means no auto-rotation.", + "default": 0 + } + }, + { + "channel_token_jwks_uri": { + "required": false, + "type": "string", + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`." + } + }, + { + "channel_token_jwks_uri_client_username": { + "required": false, + "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", + "referenceable": true, + "type": "string" + } + }, + { + "channel_token_jwks_uri_client_password": { + "encrypted": true, + "referenceable": true, + "required": false, + "type": "string", + "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_jwks_uri_client_username`" + } + }, + { + "channel_token_jwks_uri_client_certificate": { + "required": false, + "type": "foreign", + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", + "reference": "certificates" + } + }, + { + "channel_token_jwks_uri_rotate_period": { + "required": false, + "type": "number", + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. The default value 0 means no auto-rotation.", + "default": 0 + } + }, + { + "channel_token_request_header": { + "required": false, + "type": "string", + "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string)." + } + }, + { + "channel_token_leeway": { + "required": false, + "type": "number", + "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", + "default": 0 + } + }, + { + "channel_token_scopes_required": { + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`." + } + }, + { + "channel_token_scopes_claim": { + "type": "array", + "required": false, + "elements": { + "type": "string" + }, + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. 
This supports nested claims.", + "default": [ + "scope" + ] + } + }, + { + "channel_token_consumer_claim": { + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`." + } + }, + { + "channel_token_consumer_by": { + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "channel_token_upstream_header": { + "required": false, + "type": "string", + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value." + } + }, + { + "channel_token_upstream_leeway": { + "required": false, + "type": "number", + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", + "default": 0 + } + }, + { + "channel_token_introspection_endpoint": { + "required": false, + "type": "string", + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead." 
+ } + }, + { + "channel_token_introspection_authorization": { + "required": false, + "elements": { + "type": "string" + }, + "type": "string", + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens." + } + }, + { + "channel_token_introspection_body_args": { + "required": false, + "elements": { + "type": "string" + }, + "type": "string", + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`." + } + }, + { + "channel_token_introspection_hint": { + "required": false, + "elements": { + "type": "string" + }, + "type": "string", + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection." + } + }, + { + "channel_token_introspection_jwt_claim": { + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong." 
+ } + }, + { + "channel_token_introspection_scopes_required": { + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`." + } + }, + { + "channel_token_introspection_scopes_claim": { + "type": "array", + "required": false, + "elements": { + "type": "string" + }, + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", + "default": [ + "scope" + ] + } + }, + { + "channel_token_introspection_consumer_claim": { + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity" + } + }, + { + "channel_token_introspection_consumer_by": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "channel_token_introspection_leeway": { + "required": false, + "type": "number", + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. 
The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", + "default": 0 + } + }, + { + "channel_token_introspection_timeout": { + "required": false, + "type": "number", + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection." + } + }, + { + "channel_token_signing_algorithm": { + "default": "RS256", + "required": true, + "type": "string", + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + } + }, + { + "add_channel_token_claims": { + "keys": { + "type": "string" + }, + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "required": false, + "values": { + "type": "string" + }, + "type": "map", + "default": [ + + ] + } + }, + { + "set_channel_token_claims": { + "keys": { + "type": "string" + }, + "description": "Set customized claims. If a claim is already present, it will be overwritten. 
Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "required": false, + "values": { + "type": "string" + }, + "type": "map", + "default": [ + + ] + } + }, + { + "remove_channel_token_claims": { + "type": "array", + "required": false, + "elements": { + "type": "string" + }, + "description": "remove claims. It should be an array, and each element is a claim key string.", + "default": [ + + ] + } + }, + { + "original_channel_token_upstream_header": { + "required": false, + "type": "string", + "description": "The HTTP header name used to store the original channel token." + } + }, + { + "channel_token_optional": { + "required": false, + "type": "boolean", + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. 
If the channel token is provided, then this parameter has no effect", + "default": false + } + }, + { + "verify_channel_token_signature": { + "required": false, + "type": "boolean", + "description": "Quickly turn on/off the channel token signature verification.", + "default": true + } + }, + { + "verify_channel_token_expiry": { + "required": false, + "type": "boolean", + "default": true + } + }, + { + "verify_channel_token_scopes": { + "required": false, + "type": "boolean", + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", + "default": true + } + }, + { + "verify_channel_token_introspection_expiry": { + "required": false, + "type": "boolean", + "description": "Quickly turn on/off the channel token introspection expiry verification.", + "default": true + } + }, + { + "verify_channel_token_introspection_scopes": { + "required": false, + "type": "boolean", + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", + "default": true + } + }, + { + "cache_channel_token_introspection": { + "required": false, + "type": "boolean", + "description": "Whether to cache channel token introspection results.", + "default": true + } + }, + { + "trust_channel_token_introspection": { + "required": false, + "type": "boolean", + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. 
With true (default), payload's expiry or scopes aren't checked.", + "default": true + } + }, + { + "enable_channel_token_introspection": { + "required": false, + "type": "boolean", + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", + "default": true + } + }, + { + "add_claims": { + "keys": { + "type": "string" + }, + "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "required": false, + "values": { + "type": "string" + }, + "type": "map", + "default": [ + + ] + } + }, + { + "set_claims": { + "keys": { + "type": "string" + }, + "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "required": false, + "values": { + "type": "string" + }, + "type": "map", + "default": [ + + ] + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "access_token_jwks_uri_client_username", + "access_token_jwks_uri_client_password" + ] + }, + { + "mutually_required": [ + "access_token_keyset_client_username", + "access_token_keyset_client_password" + ] + }, + { + "mutually_required": [ + "channel_token_jwks_uri_client_username", + "channel_token_jwks_uri_client_password" + ] + }, + { + "mutually_required": [ + "channel_token_keyset_client_username", + "channel_token_keyset_client_password" + ] + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.access_token_upstream_header", + "config.channel_token_upstream_header", + "config.original_access_token_upstream_header", + "config.original_channel_token_upstream_header" + ] + } + } + ] +} \ No newline at end of file 
diff --git a/schemas/jwt/3.8.x.json b/schemas/jwt/3.8.x.json new file mode 100644 index 00000000..a33e407e --- /dev/null +++ b/schemas/jwt/3.8.x.json 
@@ -0,0 +1,153 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "uri_param_names": { + "type": "set", + "elements": { + "type": "string" + }, + "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", + "default": [ + "jwt" + ] + } + }, + { + "cookie_names": { + "type": "set", + "elements": { + "type": "string" + }, + "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", + "default": [ + + ] + } + }, + { + "key_claim_name": { + "type": "string", + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", + "default": "iss" + } + }, + { + "secret_is_base64": { + "required": true, + "type": "boolean", + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", + "default": false + } + }, + { + "claims_to_verify": { + "elements": { + "type": "string", + "one_of": [ + "exp", + "nbf" + ] + }, + "type": "set", + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf." 
+ } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + } + }, + { + "run_on_preflight": { + "required": true, + "type": "boolean", + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", + "default": true + } + }, + { + "maximum_expiration": { + "default": 0, + "type": "number", + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", + "between": [ + 0, + 31536000 + ] + } + }, + { + "header_names": { + "type": "set", + "elements": { + "type": "string" + }, + "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", + "default": [ + "authorization" + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "config.maximum_expiration", + "if_match": { + "gt": 0 + }, + "then_field": "config.claims_to_verify", + "then_match": { + "contains": "exp" + } + } + } + ] +} \ No newline at end of file diff --git a/schemas/kafka-log/3.8.x.json b/schemas/kafka-log/3.8.x.json new file mode 100644 index 00000000..fe4b936f --- /dev/null +++ b/schemas/kafka-log/3.8.x.json 
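Review bot: In `schemas/jwt/3.8.x.json`, `config.claims_to_verify` has no `default` and is not `required`, and its description ("registered claims ... that Kong can verify as well") never says that expiry goes unchecked unless `exp` is listed. The only place the schema forces `exp` is the `conditional` entity check for `maximum_expiration` greater than 0. I would append a sentence such as `If this set is empty, neither exp nor nbf is validated.` so operators do not assume token lifetime is enforced by default; the wording should be confirmed against the plugin's behaviour. The `uri_param_names` description could also note that the default `["jwt"]` accepts tokens from the query string, where they tend to end up in access logs and `Referer` headers. Since the commit message says these files are pulled from the API, both changes belong in the source schema rather than in this file.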
@@ -0,0 +1,280 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "bootstrap_servers": { + "elements": { + "type": "record", + "fields": [ + { + "host": { + "required": true, + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + } + ] + }, + "type": "set", + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." + } + }, + { + "topic": { + "required": true, + "type": "string", + "description": "The Kafka topic to publish to." + } + }, + { + "timeout": { + "type": "integer", + "description": "Socket timeout in milliseconds.", + "default": 10000 + } + }, + { + "keepalive": { + "type": "integer", + "default": 60000 + } + }, + { + "keepalive_enabled": { + "type": "boolean", + "default": false + } + }, + { + "authentication": { + "fields": [ + { + "strategy": { + "required": false, + "type": "string", + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "one_of": [ + "sasl" + ] + } + }, + { + "mechanism": { + "required": false, + "type": "string", + "description": "The SASL authentication mechanism. 
Supported options: `PLAIN` or `SCRAM-SHA-256`.", + "one_of": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ] + } + }, + { + "tokenauth": { + "required": false, + "type": "boolean", + "description": "Enable this to indicate `DelegationToken` authentication" + } + }, + { + "user": { + "encrypted": true, + "referenceable": true, + "required": false, + "description": "Username for SASL authentication.", + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "referenceable": true, + "required": false, + "description": "Password for SASL authentication.", + "type": "string" + } + } + ], + "type": "record", + "required": true + } + }, + { + "security": { + "fields": [ + { + "certificate_id": { + "required": false, + "type": "string", + "description": "UUID of certificate entity for mTLS authentication.", + "uuid": true + } + }, + { + "ssl": { + "required": false, + "type": "boolean", + "description": "Enables TLS." + } + } + ], + "type": "record", + "required": true + } + }, + { + "cluster_name": { + "required": false, + "auto": true, + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "type": "string" + } + }, + { + "producer_request_acks": { + "default": 1, + "type": "integer", + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "one_of": [ + -1, + 0, + 1 + ] + } + }, + { + "producer_request_timeout": { + "type": "integer", + "description": "Time to wait for a Produce response in milliseconds", + "default": 2000 + } + }, + { + "producer_request_limits_messages_per_request": { + "type": "integer", + "description": "Maximum number of messages to include into a single Produce request.", + "default": 200 + } + }, + { + "producer_request_limits_bytes_per_request": { + "type": "integer", + "description": "Maximum size of a Produce request in bytes.", + "default": 1048576 + } + }, + { + "producer_request_retries_max_attempts": { + "type": "integer", + "description": "Maximum number of retry attempts per single Produce request.", + "default": 10 + } + }, + { + "producer_request_retries_backoff_timeout": { + "type": "integer", + "description": "Backoff interval between retry attempts in milliseconds.", + "default": 100 + } + }, + { + "producer_async": { + "type": "boolean", + "description": "Flag to enable asynchronous mode.", + "default": true + } + }, + { + "producer_async_flush_timeout": { + "type": "integer", + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "default": 1000 + } + }, + { + "producer_async_buffering_limits_messages_in_memory": { + "type": "integer", + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "default": 50000 + } + }, + { + "custom_fields_by_lua": { + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map", + "description": "Lua code as a key-value map", + "values": { + "type": "string", + "len_min": 1 + } + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "authentication" + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file 
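Review bot: The `authentication.mechanism` description in `schemas/kafka-log/3.8.x.json` lists only `PLAIN` or `SCRAM-SHA-256` as supported options, but the `one_of` list directly below it also accepts `SCRAM-SHA-512`. The kafka-upstream schema added later in this patch already names all three, so the description here should end the same way: `Supported options: PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512.`, with each value in code formatting. In the same record, `security.ssl` is optional and has no default, so the `ssl` or `mechanism` description should say that `PLAIN` sends the SASL password unprotected unless TLS is enabled. `keepalive` and `keepalive_enabled` have no description at all. The commit message says these files are pulled from the API, so the wording needs fixing in the source schema.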
diff --git a/schemas/kafka-upstream/3.8.x.json b/schemas/kafka-upstream/3.8.x.json new file mode 100644 index 00000000..5cec5052 --- /dev/null +++ b/schemas/kafka-upstream/3.8.x.json 
@@ -0,0 +1,302 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "bootstrap_servers": { + "elements": { + "type": "record", + "fields": [ + { + "host": { + "required": true, + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + } + ] + }, + "type": "set", + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." + } + }, + { + "topic": { + "required": true, + "type": "string", + "description": "The Kafka topic to publish to." + } + }, + { + "timeout": { + "type": "integer", + "description": "Socket timeout in milliseconds.", + "default": 10000 + } + }, + { + "keepalive": { + "type": "integer", + "description": "Keepalive timeout in milliseconds.", + "default": 60000 + } + }, + { + "keepalive_enabled": { + "type": "boolean", + "default": false + } + }, + { + "authentication": { + "fields": [ + { + "strategy": { + "required": false, + "type": "string", + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "one_of": [ + "sasl" + ] + } + }, + { + "mechanism": { + "required": false, + "type": "string", + "description": "The SASL authentication mechanism. 
Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", + "one_of": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ] + } + }, + { + "tokenauth": { + "required": false, + "type": "boolean", + "description": "Enable this to indicate `DelegationToken` authentication." + } + }, + { + "user": { + "encrypted": true, + "referenceable": true, + "required": false, + "type": "string", + "description": "Username for SASL authentication." + } + }, + { + "password": { + "encrypted": true, + "referenceable": true, + "required": false, + "type": "string", + "description": "Password for SASL authentication." + } + } + ], + "type": "record", + "required": true + } + }, + { + "security": { + "fields": [ + { + "certificate_id": { + "required": false, + "description": "UUID of certificate entity for mTLS authentication.", + "uuid": true, + "type": "string" + } + }, + { + "ssl": { + "required": false, + "type": "boolean", + "description": "Enables TLS." + } + } + ], + "type": "record", + "required": true + } + }, + { + "forward_method": { + "type": "boolean", + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "default": false + } + }, + { + "forward_uri": { + "type": "boolean", + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "default": false + } + }, + { + "forward_headers": { + "type": "boolean", + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "default": false + } + }, + { + "forward_body": { + "type": "boolean", + "description": "Include the request body in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "default": true + } + }, + { + "cluster_name": { + "required": false, + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "type": "string", + "auto": true + } + }, + { + "producer_request_acks": { + "default": 1, + "type": "integer", + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "one_of": [ + -1, + 0, + 1 + ] + } + }, + { + "producer_request_timeout": { + "type": "integer", + "description": "Time to wait for a Produce response in milliseconds.", + "default": 2000 + } + }, + { + "producer_request_limits_messages_per_request": { + "type": "integer", + "description": "Maximum number of messages to include into a single producer request.", + "default": 200 + } + }, + { + "producer_request_limits_bytes_per_request": { + "type": "integer", + "description": "Maximum size of a Produce request in bytes.", + "default": 1048576 + } + }, + { + "producer_request_retries_max_attempts": { + "type": "integer", + "description": "Maximum number of retry attempts per single Produce request.", + "default": 10 + } + }, + { + "producer_request_retries_backoff_timeout": { + "type": "integer", + "description": "Backoff interval between retry attempts in milliseconds.", + "default": 100 + } + }, + { + "producer_async": { + "type": "boolean", + "description": "Flag to enable asynchronous mode.", + "default": true + } + }, + { 
+ "producer_async_flush_timeout": { + "type": "integer", + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "default": 1000 + } + }, + { + "producer_async_buffering_limits_messages_in_memory": { + "type": "integer", + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "default": 50000 + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "forward_method", + "forward_uri", + "forward_headers", + "forward_body" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "authentication" + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/key-auth-enc/3.8.x.json b/schemas/key-auth-enc/3.8.x.json new file mode 100644 index 00000000..ea7ddea3 --- /dev/null +++ b/schemas/key-auth-enc/3.8.x.json 
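Review bot: The `security.ssl` description (`"Enables TLS."`) does not connect it to the `authentication` record above it, which accepts `mechanism` `PLAIN` with `user` and `password`, while `ssl` itself is `"required": false` with no default. SASL/PLAIN does not protect the credentials on the wire, so I would extend the text to `Enables TLS. Needed in practice when authentication.mechanism is PLAIN, because the SASL username and password are otherwise sent unprotected.` Whether the `custom_entity_check` on `authentication` already rejects PLAIN without TLS cannot be told from the schema, so that is worth confirming in the plugin. `keepalive_enabled` is also the only scalar field in this hunk without a `description`.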
@@ -0,0 +1,111 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "key_names": { + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "required": true, + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "type": "array", + "default": [ + "apikey" + ] + } + }, + { + "hide_credentials": { + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", + "type": "boolean", + "default": false + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + } + }, + { + "key_in_header": { + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean", + "default": true + } + }, + { + "key_in_query": { + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean", + "default": true + } + }, + { + "key_in_body": { + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean", + "default": false + } + }, + { + "run_on_preflight": { + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean", + "default": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/key-auth/3.8.x.json b/schemas/key-auth/3.8.x.json new file mode 100644 index 00000000..77952bad --- /dev/null +++ b/schemas/key-auth/3.8.x.json 
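Review bot: `key_in_query` defaults to `true` and `hide_credentials` to `false`, and neither description says what those defaults expose: a key sent as a query parameter is part of the request URL, and with `hide_credentials` off the key is passed on to the upstream service. I would append to the `key_in_query` text `Keys in the query string are part of the URL and tend to end up in access logs; disable this where clients can send the key in a header.` and to the `hide_credentials` text `Keep the default only if the upstream service needs to see the key.` The same two defaults appear in the `schemas/key-auth/3.8.x.json` hunk that follows. Separately, `key_names.elements.description` calls each entry "an HTTP header name", although the `key_names` description says the name is also looked up in the request body and query string.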
@@ -0,0 +1,123 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "key_names": { + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "required": true, + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "type": "array", + "default": [ + "apikey" + ] + } + }, + { + "hide_credentials": { + "required": true, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", + "type": "boolean", + "default": false + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. 
If empty (default null), the request will fail with an authentication failure `4xx`.", + "type": "string" + } + }, + { + "key_in_header": { + "required": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean", + "default": true + } + }, + { + "key_in_query": { + "required": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean", + "default": true + } + }, + { + "key_in_body": { + "required": true, + "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean", + "default": false + } + }, + { + "run_on_preflight": { + "required": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean", + "default": true + } + }, + { + "realm": { + "required": false, + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/konnect-application-auth/3.8.x.json b/schemas/konnect-application-auth/3.8.x.json new file mode 100644 index 00000000..64fa1dc3 --- /dev/null +++ b/schemas/konnect-application-auth/3.8.x.json 
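Review bot: The `anonymous` description ends at "the request will fail with an authentication failure `4xx`" and drops the sentence the key-auth-enc schema keeps, that the value must be the consumer `id` or `username` and not its `custom_id`. Neither version spells out the consequence of setting the field; going by the wording, requests that fail authentication are then handled as that consumer rather than rejected. I would restore the dropped sentence and add `When set, unauthenticated requests proceed as this consumer, so limit what it is allowed to reach.` Also in this hunk, `hide_credentials` is `"required": true` while its description still begins "An optional boolean value"; starting it with `A boolean value telling the plugin` would remove the contradiction.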
@@ -0,0 +1,2624 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "key_names": { + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "required": true, + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "type": "array", + "default": [ + "apikey" + ] + } + }, + { + "auth_type": { + "default": "openid-connect", + "required": true, + "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", + "type": "string", + "one_of": [ + "openid-connect", + "key-auth", + "v2-strategies" + ] + } + }, + { + "scope": { + "required": true, + "type": "string", + "description": "The unique scope identifier for the plugin configuration.", + "unique": true + } + }, + { + "v2_strategies": { + "type": "record", + "fields": [ + { + "key_auth": { + "required": false, + "elements": { + "type": "record", + "fields": [ + { + "strategy_id": { + "required": true, + "type": "string", + "description": "The strategy id the config is tied to." + } + }, + { + "config": { + "required": true, + "type": "record", + "fields": [ + { + "key_names": { + "description": "The names of the headers containing the API key. 
You can specify multiple header names.", + "required": true, + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "type": "array", + "default": [ + "apikey" + ] + } + } + ] + } + } + ] + }, + "type": "array", + "description": "List of key_auth strategies." + } + }, + { + "openid_connect": { + "required": false, + "elements": { + "type": "record", + "fields": [ + { + "strategy_id": { + "required": true, + "type": "string", + "description": "The strategy id the config is tied to." + } + }, + { + "config": { + "fields": [ + { + "issuer": { + "required": true, + "type": "string", + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`." + } + }, + { + "using_pseudo_issuer": { + "required": false, + "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "type": "boolean", + "default": false + } + }, + { + "discovery_headers_names": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the discovery endpoint.", + "type": "array" + } + }, + { + "discovery_headers_values": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the discovery endpoint.", + "type": "array" + } + }, + { + "extra_jwks_uris": { + "required": false, + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "type": "set" + } + }, + { + "rediscovery_lifetime": { + "required": false, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. 
Discovery is still triggered on an as-needed basis.", + "type": "number", + "default": 30 + } + }, + { + "auth_methods": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "description": "Types of credentials/grants to enable.", + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + } + }, + { + "client_id": { + "encrypted": true, + "required": false, + "elements": { + "referenceable": true, + "type": "string" + }, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "type": "array" + } + }, + { + "client_secret": { + "encrypted": true, + "required": false, + "elements": { + "referenceable": true, + "type": "string" + }, + "description": "The client secret.", + "type": "array" + } + }, + { + "client_auth": { + "required": false, + "elements": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + }, + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "type": "array" + } + }, + { + "client_jwk": { + "required": false, + "elements": { + "required": false, + "type": "record", + "fields": [ + { + "issuer": { + "type": "string", + "required": false + } + }, + { + "kty": 
{ + "type": "string", + "required": false + } + }, + { + "use": { + "type": "string", + "required": false + } + }, + { + "key_ops": { + "required": false, + "elements": { + "type": "string", + "required": false + }, + "type": "array" + } + }, + { + "alg": { + "type": "string", + "required": false + } + }, + { + "kid": { + "type": "string", + "required": false + } + }, + { + "x5u": { + "type": "string", + "required": false + } + }, + { + "x5c": { + "required": false, + "elements": { + "type": "string", + "required": false + }, + "type": "array" + } + }, + { + "x5t": { + "type": "string", + "required": false + } + }, + { + "x5t#S256": { + "type": "string", + "required": false + } + }, + { + "k": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "x": { + "type": "string", + "required": false + } + }, + { + "y": { + "type": "string", + "required": false + } + }, + { + "crv": { + "type": "string", + "required": false + } + }, + { + "n": { + "type": "string", + "required": false + } + }, + { + "e": { + "type": "string", + "required": false + } + }, + { + "d": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "p": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "q": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "dp": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "dq": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "qi": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "oth": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "r": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "t": { + 
"required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + } + ] + }, + "description": "The JWK used for the private_key_jwt authentication.", + "type": "array" + } + }, + { + "client_alg": { + "required": false, + "elements": { + "type": "string", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS384", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + }, + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "type": "array" + } + }, + { + "client_arg": { + "required": false, + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "type": "string", + "default": "client_id" + } + }, + { + "redirect_uri": { + "required": false, + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "The redirect URI passed to the authorization and token endpoints.", + "type": "array" + } + }, + { + "login_redirect_uri": { + "required": false, + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true + }, + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "type": "array" + } + }, + { + "logout_redirect_uri": { + "required": false, + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true + }, + "description": "Where to redirect the client after the logout.", + "type": "array" + } + }, + { + "forbidden_redirect_uri": { + "required": false, + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ }, + "description": "Where to redirect the client on forbidden requests.", + "type": "array" + } + }, + { + "forbidden_error_message": { + "required": false, + "description": "The error message for the forbidden requests (when not using the redirection).", + "type": "string", + "default": "Forbidden" + } + }, + { + "forbidden_destroy_session": { + "required": false, + "description": "Destroy any active session for the forbidden requests.", + "type": "boolean", + "default": true + } + }, + { + "unauthorized_destroy_session": { + "required": false, + "description": "Destroy any active session for the unauthorized requests.", + "type": "boolean", + "default": true + } + }, + { + "unauthorized_redirect_uri": { + "required": false, + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client on unauthorized requests.", + "type": "array" + } + }, + { + "unauthorized_error_message": { + "required": false, + "description": "The error message for the unauthorized requests (when not using the redirection).", + "type": "string", + "default": "Unauthorized" + } + }, + { + "unexpected_redirect_uri": { + "required": false, + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ }, + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "type": "array" + } + }, + { + "response_mode": { + "default": "query", + "required": false, + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "type": "string", + "one_of": [ + "query", + "form_post", + "fragment", + "query.jwt", + "form_post.jwt", + "fragment.jwt", + "jwt" + ] + } + }, + { + "response_type": { + "type": "array", + "required": false, + "elements": { + "type": "string" + }, + "description": "The response type passed to the authorization endpoint.", + "default": [ + "code" + ] + } + }, + { + "scopes": { + "type": "array", + "required": false, + "elements": { + "referenceable": true, + "type": "string" + }, + "description": "The scopes passed to the authorization and token endpoints.", + "default": [ + "openid" + ] + } + }, + { + "audience": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The audience passed to the authorization endpoint.", + "type": "array" + } + }, + { + "issuers_allowed": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "type": "array" + } + }, + { + "scopes_required": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.", + "type": "array" + } + }, + { + "scopes_claim": { + "type": "array", + "required": false, + "elements": { + "type": "string" + }, + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "default": [ + "scope" + ] + } + }, + { + "audience_required": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array" + } + }, + { + "audience_claim": { + "type": "array", + "required": false, + "elements": { + "type": "string" + }, + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "default": [ + "aud" + ] + } + }, + { + "groups_required": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array" + } + }, + { + "groups_claim": { + "type": "array", + "required": false, + "elements": { + "type": "string" + }, + "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "default": [ + "groups" + ] + } + }, + { + "roles_required": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.", + "type": "array" + } + }, + { + "roles_claim": { + "type": "array", + "required": false, + "elements": { + "type": "string" + }, + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "default": [ + "roles" + ] + } + }, + { + "domains": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The allowed values for the `hd` claim.", + "type": "array" + } + }, + { + "max_age": { + "required": false, + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "type": "number" + } + }, + { + "authenticated_groups_claim": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array" + } + }, + { + "pushed_authorization_request_endpoint": { + "required": false, + "type": "string", + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint." 
+ } + }, + { + "pushed_authorization_request_endpoint_auth_method": { + "required": false, + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "require_pushed_authorization_requests": { + "required": false, + "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "type": "boolean" + } + }, + { + "require_proof_key_for_code_exchange": { + "required": false, + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "type": "boolean" + } + }, + { + "require_signed_request_object": { + "required": false, + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "type": "boolean" + } + }, + { + "authorization_endpoint": { + "required": false, + "type": "string", + "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint." 
+ } + }, + { + "authorization_query_args_names": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra query argument names passed to the authorization endpoint.", + "type": "array" + } + }, + { + "authorization_query_args_values": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra query argument values passed to the authorization endpoint.", + "type": "array" + } + }, + { + "authorization_query_args_client": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "type": "array" + } + }, + { + "authorization_rolling_timeout": { + "required": false, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number", + "default": 600 + } + }, + { + "authorization_cookie_name": { + "required": false, + "description": "The authorization cookie name.", + "type": "string", + "default": "authorization" + } + }, + { + "authorization_cookie_path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "description": "The authorization cookie Path flag.", + "required": false, + "type": "string", + "starts_with": "/", + "default": "/" + } + }, + { + "authorization_cookie_domain": { + "required": false, + "description": "The authorization cookie Domain flag.", + "type": "string" + } + }, + { + "authorization_cookie_same_site": { + "default": "Default", + "required": false, + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "type": "string", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "authorization_cookie_http_only": { + "required": false, + "description": "Forbids JavaScript from accessing the cookie, for 
example, through the `Document.cookie` property.", + "type": "boolean", + "default": true + } + }, + { + "authorization_cookie_secure": { + "required": false, + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + } + }, + { + "preserve_query_args": { + "required": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "type": "boolean", + "default": false + } + }, + { + "token_endpoint": { + "required": false, + "type": "string", + "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint." + } + }, + { + "token_endpoint_auth_method": { + "required": false, + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "token_headers_names": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the token endpoint.", + "type": "array" + } + }, + { + "token_headers_values": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the token endpoint.", + "type": "array" + } + }, + { + "token_headers_client": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the token endpoint.", + "type": "array" + } + }, + { + "token_headers_replay": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The names of token 
endpoint response headers to forward to the downstream client.", + "type": "array" + } + }, + { + "token_headers_prefix": { + "required": false, + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "type": "string" + } + }, + { + "token_headers_grants": { + "required": false, + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token" + ] + }, + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "type": "array" + } + }, + { + "token_post_args_names": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra post argument names passed to the token endpoint.", + "type": "array" + } + }, + { + "token_post_args_values": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra post argument values passed to the token endpoint.", + "type": "array" + } + }, + { + "token_post_args_client": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "type": "array" + } + }, + { + "introspection_endpoint": { + "required": false, + "type": "string", + "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint." 
+ } + }, + { + "introspection_endpoint_auth_method": { + "required": false, + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "introspection_hint": { + "required": false, + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "type": "string", + "default": "access_token" + } + }, + { + "introspection_check_active": { + "required": false, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "type": "boolean", + "default": true + } + }, + { + "introspection_accept": { + "default": "application/json", + "required": false, + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "type": "string", + "one_of": [ + "application/json", + "application/token-introspection+jwt", + "application/jwt" + ] + } + }, + { + "introspection_headers_names": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the introspection endpoint.", + "type": "array" + } + }, + { + "introspection_headers_values": { + "encrypted": true, + "required": false, + "elements": { + "referenceable": true, + "type": "string" + }, + "description": "Extra header values passed to the introspection endpoint.", + "type": "array" + } + }, + { + "introspection_headers_client": { + "required": false, + 
"elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the introspection endpoint.", + "type": "array" + } + }, + { + "introspection_post_args_names": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra post argument names passed to the introspection endpoint.", + "type": "array" + } + }, + { + "introspection_post_args_values": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra post argument values passed to the introspection endpoint.", + "type": "array" + } + }, + { + "introspection_post_args_client": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "type": "array" + } + }, + { + "introspect_jwt_tokens": { + "required": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "type": "boolean", + "default": false + } + }, + { + "revocation_endpoint": { + "required": false, + "type": "string", + "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint." + } + }, + { + "revocation_endpoint_auth_method": { + "required": false, + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "end_session_endpoint": { + "required": false, + "type": "string", + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint." 
+ } + }, + { + "userinfo_endpoint": { + "required": false, + "type": "string", + "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint." + } + }, + { + "userinfo_accept": { + "default": "application/json", + "required": false, + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "type": "string", + "one_of": [ + "application/json", + "application/jwt" + ] + } + }, + { + "userinfo_headers_names": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the user info endpoint.", + "type": "array" + } + }, + { + "userinfo_headers_values": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the user info endpoint.", + "type": "array" + } + }, + { + "userinfo_headers_client": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the user info endpoint.", + "type": "array" + } + }, + { + "userinfo_query_args_names": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra query argument names passed to the user info endpoint.", + "type": "array" + } + }, + { + "userinfo_query_args_values": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra query argument values passed to the user info endpoint.", + "type": "array" + } + }, + { + "userinfo_query_args_client": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra query arguments passed from the client to the user info endpoint.", + "type": "array" + } + }, + { + "token_exchange_endpoint": { + "required": false, + "type": "string", + "description": "The token exchange endpoint." 
+ } + }, + { + "session_secret": { + "encrypted": true, + "referenceable": true, + "required": false, + "description": "The session secret.", + "type": "string" + } + }, + { + "session_audience": { + "required": false, + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "type": "string", + "default": "default" + } + }, + { + "session_cookie_name": { + "required": false, + "description": "The session cookie name.", + "type": "string", + "default": "session" + } + }, + { + "session_remember": { + "required": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean", + "default": false + } + }, + { + "session_remember_cookie_name": { + "required": false, + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string", + "default": "remember" + } + }, + { + "session_remember_rolling_timeout": { + "required": false, + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "type": "number", + "default": 604800 + } + }, + { + "session_remember_absolute_timeout": { + "required": false, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number", + "default": 2592000 + } + }, + { + "session_idling_timeout": { + "required": false, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "type": "number", + "default": 900 + } + }, + { + "session_rolling_timeout": { + "required": false, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling.", + "type": "number", + "default": 3600 + } + }, + { + "session_absolute_timeout": { + "required": false, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number", + "default": 86400 + } + }, + { + "session_cookie_path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "description": "The session cookie Path flag.", + "required": false, + "type": "string", + "starts_with": "/", + "default": "/" + } + }, + { + "session_cookie_domain": { + "required": false, + "description": "The session cookie Domain flag.", + "type": "string" + } + }, + { + "session_cookie_same_site": { + "default": "Lax", + "required": false, + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "type": "string", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "session_cookie_http_only": { + "required": false, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean", + "default": true + } + }, + { + "session_cookie_secure": { + "required": false, + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + } + }, + { + "session_request_headers": { + "required": false, + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. 
`[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "type": "set" + } + }, + { + "session_response_headers": { + "required": false, + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "type": "set" + } + }, + { + "session_storage": { + "default": "cookie", + "required": false, + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "type": "string", + "one_of": [ + "cookie", + "memcache", + "memcached", + "redis" + ] + } + }, + { + "session_store_metadata": { + "required": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "type": "boolean", + "default": false + } + }, + { + "session_enforce_same_subject": { + "required": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean", + "default": false + } + }, + { + "session_hash_subject": { + "required": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "type": "boolean", + "default": false + } + }, + { + "session_hash_storage_key": { + "required": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean", + "default": false + } + }, + { + "session_memcached_prefix": { + "required": false, + "description": "The memcached session key prefix.", + "type": "string" + } + }, + { + "session_memcached_socket": { + "required": false, + "description": "The memcached unix socket path.", + "type": "string" + } + }, + { + "session_memcached_host": { + "required": false, + "description": "The memcached host.", + "type": "string", + "default": "127.0.0.1" + } + }, + { + "session_memcached_port": { + "default": 11211, + "required": false, + "description": "The memcached port.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "session_redis_prefix": { + "required": false, + "description": "The Redis session key prefix.", + "type": "string" + } + }, + { + "session_redis_socket": { + "required": false, + "description": "The Redis unix socket path.", + "type": "string" + } + }, + { + "session_redis_host": { + "required": false, + "description": "The Redis host.", + "type": "string", + "default": "127.0.0.1" + } + }, + { + "session_redis_port": { + "default": 6379, + "required": false, + "description": "The Redis port.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "session_redis_username": { + "required": false, + "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "session_redis_password": { + "encrypted": true, + "referenceable": true, + "required": false, + "description": "Password to use for Redis connection when the `redis` session storage is defined. 
If undefined, no AUTH commands are sent to Redis.", + "type": "string" + } + }, + { + "session_redis_connect_timeout": { + "required": false, + "description": "Session redis connection timeout in milliseconds.", + "type": "integer" + } + }, + { + "session_redis_read_timeout": { + "required": false, + "description": "Session redis read timeout in milliseconds.", + "type": "integer" + } + }, + { + "session_redis_send_timeout": { + "required": false, + "description": "Session redis send timeout in milliseconds.", + "type": "integer" + } + }, + { + "session_redis_ssl": { + "required": false, + "description": "Use SSL/TLS for Redis connection.", + "type": "boolean", + "default": false + } + }, + { + "session_redis_ssl_verify": { + "required": false, + "description": "Verify identity provider server certificate.", + "type": "boolean", + "default": false + } + }, + { + "session_redis_server_name": { + "required": false, + "description": "The SNI used for connecting the Redis server.", + "type": "string" + } + }, + { + "session_redis_cluster_nodes": { + "required": false, + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "required": true, + "type": "string", + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + } + ] + }, + "description": "The Redis cluster node host. 
Takes an array of host records, with either `ip` or `host`, and `port` values.", + "type": "array" + } + }, + { + "session_redis_cluster_max_redirections": { + "required": false, + "description": "The Redis cluster maximum redirects.", + "type": "integer" + } + }, + { + "reverify": { + "required": false, + "description": "Specifies whether to always verify tokens stored in the session.", + "type": "boolean", + "default": false + } + }, + { + "jwt_session_claim": { + "required": false, + "description": "The claim to match against the JWT session cookie.", + "type": "string", + "default": "sid" + } + }, + { + "jwt_session_cookie": { + "required": false, + "description": "The name of the JWT session cookie.", + "type": "string" + } + }, + { + "bearer_token_param_type": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "header", + "cookie", + "query", + "body" + ] + }, + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "default": [ + "header", + "query", + "body" + ] + } + }, + { + "bearer_token_cookie_name": { + "required": false, + "description": "The name of the cookie in which the bearer token is passed.", + "type": "string" + } + }, + { + "client_credentials_param_type": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "default": [ + "header", + "query", + "body" + ] + } + }, + { + "password_param_type": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + 
"description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "default": [ + "header", + "query", + "body" + ] + } + }, + { + "id_token_param_type": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "default": [ + "header", + "query", + "body" + ] + } + }, + { + "id_token_param_name": { + "required": false, + "description": "The name of the parameter used to pass the id token.", + "type": "string" + } + }, + { + "refresh_token_param_type": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "default": [ + "header", + "query", + "body" + ] + } + }, + { + "refresh_token_param_name": { + "required": false, + "description": "The name of the parameter used to pass the refresh token.", + "type": "string" + } + }, + { + "refresh_tokens": { + "required": false, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "type": "boolean", + "default": true + } + }, + { + "upstream_headers_claims": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The upstream header claims. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array" + } + }, + { + "upstream_headers_names": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The upstream header names for the claim values.", + "type": "array" + } + }, + { + "upstream_access_token_header": { + "required": false, + "description": "The upstream access token header.", + "type": "string", + "default": "authorization:bearer" + } + }, + { + "upstream_access_token_jwk_header": { + "required": false, + "description": "The upstream access token JWK header.", + "type": "string" + } + }, + { + "upstream_id_token_header": { + "required": false, + "description": "The upstream id token header.", + "type": "string" + } + }, + { + "upstream_id_token_jwk_header": { + "required": false, + "description": "The upstream id token JWK header.", + "type": "string" + } + }, + { + "upstream_refresh_token_header": { + "required": false, + "description": "The upstream refresh token header.", + "type": "string" + } + }, + { + "upstream_user_info_header": { + "required": false, + "description": "The upstream user info header.", + "type": "string" + } + }, + { + "upstream_user_info_jwt_header": { + "required": false, + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + } + }, + { + "upstream_introspection_header": { + "required": false, + "description": "The upstream introspection header.", + "type": "string" + } + }, + { + "upstream_introspection_jwt_header": { + "required": false, + "description": "The upstream introspection JWT header.", + "type": "string" + } + }, + { + "upstream_session_id_header": { + "required": false, + "description": "The upstream session id header.", + "type": "string" + } + }, + { + "downstream_headers_claims": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The downstream header claims. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array" + } + }, + { + "downstream_headers_names": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The downstream header names for the claim values.", + "type": "array" + } + }, + { + "downstream_access_token_header": { + "required": false, + "description": "The downstream access token header.", + "type": "string" + } + }, + { + "downstream_access_token_jwk_header": { + "required": false, + "description": "The downstream access token JWK header.", + "type": "string" + } + }, + { + "downstream_id_token_header": { + "required": false, + "description": "The downstream id token header.", + "type": "string" + } + }, + { + "downstream_id_token_jwk_header": { + "required": false, + "description": "The downstream id token JWK header.", + "type": "string" + } + }, + { + "downstream_refresh_token_header": { + "required": false, + "description": "The downstream refresh token header.", + "type": "string" + } + }, + { + "downstream_user_info_header": { + "required": false, + "description": "The downstream user info header.", + "type": "string" + } + }, + { + "downstream_user_info_jwt_header": { + "required": false, + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + } + }, + { + "downstream_introspection_header": { + "required": false, + "description": "The downstream introspection header.", + "type": "string" + } + }, + { + "downstream_introspection_jwt_header": { + "required": false, + "description": "The downstream introspection JWT header.", + "type": "string" + } + }, + { + "downstream_session_id_header": { + "required": false, + "description": "The downstream session id header.", + "type": "string" + } + }, + { + "login_methods": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + 
"authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "description": "Enable login functionality with specified grants.", + "default": [ + "authorization_code" + ] + } + }, + { + "login_action": { + "default": "upstream", + "required": false, + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "type": "string", + "one_of": [ + "upstream", + "response", + "redirect" + ] + } + }, + { + "login_tokens": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "id_token", + "access_token", + "refresh_token", + "tokens", + "introspection" + ] + }, + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "default": [ + "id_token" + ] + } + }, + { + "login_redirect_mode": { + "default": "fragment", + "required": false, + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "type": "string", + "one_of": [ + "query", + "fragment" + ] + } + }, + { + "logout_query_arg": { + "required": false, + "description": "The request query argument that activates the logout.", + "type": "string" + } + }, + { + "logout_post_arg": { + "required": false, + "description": "The request body argument that activates the logout.", + "type": "string" + } + }, + { + "logout_uri_suffix": { + "required": false, + "description": "The request URI suffix that activates the logout.", + "type": "string" + } + }, + { + "logout_methods": { + "type": 
"array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "POST", + "GET", + "DELETE" + ] + }, + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "default": [ + "POST", + "DELETE" + ] + } + }, + { + "logout_revoke": { + "required": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "type": "boolean", + "default": false + } + }, + { + "logout_revoke_access_token": { + "required": false, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean", + "default": true + } + }, + { + "logout_revoke_refresh_token": { + "required": false, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean", + "default": true + } + }, + { + "consumer_claim": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The claim used for consumer mapping. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array" + } + }, + { + "consumer_by": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "consumer_optional": { + "required": false, + "description": "Do not terminate the request if consumer mapping fails.", + "type": "boolean", + "default": false + } + }, + { + "credential_claim": { + "type": "array", + "required": false, + "elements": { + "type": "string" + }, + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "default": [ + "sub" + ] + } + }, + { + "anonymous": { + "required": false, + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + } + }, + { + "run_on_preflight": { + "required": false, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "type": "boolean", + "default": true + } + }, + { + "leeway": { + "required": false, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "type": "number", + "default": 0 + } + }, + { + "verify_parameters": { + "required": false, + "description": "Verify plugin configuration against discovery.", + "type": "boolean", + "default": false + } + }, + { + "verify_nonce": { + "required": false, + "description": "Verify nonce on authorization code flow.", + "type": "boolean", + "default": true + } + }, + { + "verify_claims": { + "required": false, + "description": "Verify tokens for standard claims.", + "type": "boolean", + "default": true + } + }, + { + "verify_signature": { + "required": false, + "description": "Verify signature of tokens.", + "type": "boolean", + "default": true + } + }, + { + "ignore_signature": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token", + "session", + "introspection", + "userinfo" + ] + }, + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "default": [ + + ] + } + }, + { + "enable_hs_signatures": { + "required": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "type": "boolean", + 
"default": false + } + }, + { + "disable_session": { + "required": false, + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "description": "Disable issuing the session cookie with the specified grants.", + "type": "array" + } + }, + { + "cache_ttl": { + "required": false, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "type": "number", + "default": 3600 + } + }, + { + "cache_ttl_max": { + "required": false, + "description": "The maximum cache ttl in seconds (enforced).", + "type": "number" + } + }, + { + "cache_ttl_min": { + "required": false, + "description": "The minimum cache ttl in seconds (enforced).", + "type": "number" + } + }, + { + "cache_ttl_neg": { + "required": false, + "description": "The negative cache ttl in seconds.", + "type": "number" + } + }, + { + "cache_ttl_resurrect": { + "required": false, + "description": "The resurrection ttl in seconds.", + "type": "number" + } + }, + { + "cache_tokens": { + "required": false, + "description": "Cache the token endpoint requests.", + "type": "boolean", + "default": true + } + }, + { + "cache_tokens_salt": { + "required": false, + "auto": true, + "type": "string", + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." 
+ } + }, + { + "cache_introspection": { + "required": false, + "description": "Cache the introspection endpoint requests.", + "type": "boolean", + "default": true + } + }, + { + "cache_token_exchange": { + "required": false, + "description": "Cache the token exchange endpoint requests.", + "type": "boolean", + "default": true + } + }, + { + "cache_user_info": { + "required": false, + "description": "Cache the user info requests.", + "type": "boolean", + "default": true + } + }, + { + "search_user_info": { + "required": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "type": "boolean", + "default": false + } + }, + { + "hide_credentials": { + "required": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "type": "boolean", + "default": false + } + }, + { + "http_version": { + "required": false, + "type": "number", + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "default": 1.1 + } + }, + { + "http_proxy": { + "required": false, + "type": "string", + "description": "The HTTP proxy." + } + }, + { + "http_proxy_authorization": { + "required": false, + "description": "The HTTP proxy authorization.", + "type": "string" + } + }, + { + "https_proxy": { + "required": false, + "type": "string", + "description": "The HTTPS proxy." 
+ } + }, + { + "https_proxy_authorization": { + "required": false, + "description": "The HTTPS proxy authorization.", + "type": "string" + } + }, + { + "no_proxy": { + "required": false, + "description": "Do not use proxy with these hosts.", + "type": "string" + } + }, + { + "keepalive": { + "required": false, + "description": "Use keepalive with the HTTP client.", + "type": "boolean", + "default": true + } + }, + { + "ssl_verify": { + "required": false, + "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "type": "boolean", + "default": false + } + }, + { + "timeout": { + "required": false, + "description": "Network IO timeout in milliseconds.", + "type": "number", + "default": 10000 + } + }, + { + "display_errors": { + "required": false, + "description": "Display errors on failure responses.", + "type": "boolean", + "default": false + } + }, + { + "by_username_ignore_case": { + "required": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "type": "boolean", + "default": false + } + }, + { + "resolve_distributed_claims": { + "required": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "type": "boolean", + "default": false + } + }, + { + "expose_error_code": { + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. 
Set to `false` to disable.", + "type": "boolean", + "default": true + } + }, + { + "token_cache_key_include_scope": { + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean", + "default": false + } + }, + { + "introspection_token_param_name": { + "required": false, + "description": "Designate token's parameter name for introspection.", + "type": "string", + "default": "token" + } + }, + { + "revocation_token_param_name": { + "required": false, + "description": "Designate token's parameter name for revocation.", + "type": "string", + "default": "token" + } + }, + { + "proof_of_possession_mtls": { + "default": "off", + "required": false, + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", + "type": "string", + "one_of": [ + "off", + "strict", + "optional" + ] + } + }, + { + "proof_of_possession_auth_methods_validation": { + "required": false, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. 
If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "type": "boolean", + "default": true + } + }, + { + "tls_client_auth_cert_id": { + "uuid": true, + "required": false, + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "type": "string", + "auto": false + } + }, + { + "tls_client_auth_ssl_verify": { + "required": false, + "description": "Verify identity provider server certificate during mTLS client authentication.", + "type": "boolean", + "default": true + } + }, + { + "mtls_token_endpoint": { + "required": false, + "type": "string", + "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." + } + }, + { + "mtls_introspection_endpoint": { + "required": false, + "type": "string", + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." + } + }, + { + "mtls_revocation_endpoint": { + "required": false, + "type": "string", + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." + } + }, + { + "proof_of_possession_dpop": { + "default": "off", + "required": false, + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). 
If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "type": "string", + "one_of": [ + "off", + "strict", + "optional" + ] + } + }, + { + "dpop_use_nonce": { + "required": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", + "type": "boolean", + "default": false + } + }, + { + "dpop_proof_lifetime": { + "required": false, + "type": "number", + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "default": 300 + } + } + ], + "type": "record", + "description": "openid-connect plugin configuration." + } + } + ] + }, + "type": "array", + "description": "List of openid_connect strategies." + } + } + ], + "required": false, + "description": "The map of v2 strategies.", + "default": [ + + ] + } + } + ], + "entity_checks": [ + + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/ldap-auth-advanced/3.8.x.json b/schemas/ldap-auth-advanced/3.8.x.json new file mode 100644 index 00000000..27b9b0cc --- /dev/null +++ b/schemas/ldap-auth-advanced/3.8.x.json 
@@ -0,0 +1,236 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "ldap_host": { + "required": true, + "description": "Host on which the LDAP server is running.", + "type": "string" + } + }, + { + "ldap_password": { + "type": "string", + "encrypted": true, + "referenceable": true, + "description": "The password to the LDAP server." + } + }, + { + "ldap_port": { + "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", + "type": "number", + "default": 389 + } + }, + { + "bind_dn": { + "type": "string", + "referenceable": true, + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated." + } + }, + { + "ldaps": { + "required": true, + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. 
If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "type": "boolean", + "default": false + } + }, + { + "start_tls": { + "required": true, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "type": "boolean", + "default": false + } + }, + { + "verify_ldap_host": { + "required": true, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "type": "boolean", + "default": false + } + }, + { + "base_dn": { + "required": true, + "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", + "type": "string" + } + }, + { + "attribute": { + "required": true, + "description": "Attribute to be used to search the user; e.g., \"cn\".", + "type": "string" + } + }, + { + "cache_ttl": { + "required": true, + "description": "Cache expiry time in seconds.", + "type": "number", + "default": 60 + } + }, + { + "hide_credentials": { + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "type": "boolean", + "default": false + } + }, + { + "timeout": { + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number", + "default": 10000 + } + }, + { + "keepalive": { + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number", + "default": 60000 + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. 
If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "len_min": 0, + "default": "" + } + }, + { + "header_type": { + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", + "type": "string", + "default": "ldap" + } + }, + { + "consumer_optional": { + "required": false, + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", + "type": "boolean", + "default": false + } + }, + { + "consumer_by": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "username", + "custom_id" + ] + }, + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "group_base_dn": { + "type": "string", + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'." + } + }, + { + "group_name_attribute": { + "type": "string", + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive." + } + }, + { + "group_member_attribute": { + "description": "Sets the attribute holding the members of the LDAP group. 
This field is case-sensitive.", + "type": "string", + "default": "memberOf" + } + }, + { + "log_search_results": { + "required": false, + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", + "type": "boolean", + "default": false + } + }, + { + "groups_required": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", + "type": "array" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/ldap-auth/3.8.x.json b/schemas/ldap-auth/3.8.x.json new file mode 100644 index 00000000..7ed76d47 --- /dev/null +++ b/schemas/ldap-auth/3.8.x.json 
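Review bot: `verify_ldap_host` defaults to `false` here, so enabling `ldaps` or `start_tls` encrypts the connection without checking the server certificate, and the `ldap_password` bind credential and the users' passwords can be sent to a host that was never authenticated. Its description should say so, for example by appending `With the default of false the server certificate is not checked, even when ldaps or start_tls is enabled.` Two other descriptions in this hunk need correcting: the `ldaps` text says "If the `ldap` setting is enabled", which should name `ldaps`, and the `group_base_dn` text ends in a stray `',dc=com'.` fragment that looks like the tail of a lost example. The `verify_ldap_host` default and the `ldap`/`ldaps` slip are repeated in schemas/ldap-auth/3.8.x.json. If these files are pulled from the gateway API, as the series description suggests, the correction probably belongs in the plugin schema they are generated from.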
@@ -0,0 +1,171 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "ldap_host": { + "required": true, + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "ldap_port": { + "default": 389, + "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "ldaps": { + "required": true, + "type": "boolean", + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "default": false + } + }, + { + "start_tls": { + "required": true, + "type": "boolean", + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "default": false + } + }, + { + "verify_ldap_host": { + "required": true, + "type": "boolean", + "description": "Set to `true` to authenticate LDAP server. 
The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "default": false + } + }, + { + "base_dn": { + "required": true, + "type": "string", + "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com" + } + }, + { + "attribute": { + "required": true, + "type": "string", + "description": "Attribute to be used to search the user; e.g. cn" + } + }, + { + "cache_ttl": { + "required": true, + "type": "number", + "description": "Cache expiry time in seconds.", + "default": 60 + } + }, + { + "hide_credentials": { + "required": true, + "type": "boolean", + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "default": false + } + }, + { + "timeout": { + "type": "number", + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "default": 10000 + } + }, + { + "keepalive": { + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "default": 60000 + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`." 
+ } + }, + { + "header_type": { + "type": "string", + "description": "An optional string to use as part of the Authorization header", + "default": "ldap" + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "ldaps", + "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", + "if_match": { + "eq": true + }, + "then_field": "start_tls", + "then_match": { + "eq": false + } + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/loggly/3.8.x.json b/schemas/loggly/3.8.x.json new file mode 100644 index 00000000..7f635842 --- /dev/null +++ b/schemas/loggly/3.8.x.json 
@@ -0,0 +1,173 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "description": "A set of strings representing protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com.", + "default": "logs-01.loggly.com" + } + }, + { + "port": { + "default": 514, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "key": { + "required": true, + "encrypted": true, + "referenceable": true, + "type": "string" + } + }, + { + "tags": { + "elements": { + "type": "string" + }, + "type": "set", + "default": [ + "kong" + ] + } + }, + { + "log_level": { + "default": "info", + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "successful_severity": { + "default": "info", + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "client_errors_severity": { + "default": "info", + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "server_errors_severity": { + "default": "info", + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + 
"timeout": { + "type": "number", + "default": 10000 + } + }, + { + "custom_fields_by_lua": { + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map", + "description": "Lua code as a key-value map", + "values": { + "type": "string", + "len_min": 1 + } + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/mocking/3.8.x.json b/schemas/mocking/3.8.x.json new file mode 100644 index 00000000..20ed3e0d --- /dev/null +++ b/schemas/mocking/3.8.x.json 
@@ -0,0 +1,131 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "api_specification_filename": { + "required": false, + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", + "type": "string" + } + }, + { + "api_specification": { + "required": false, + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", + "type": "string" + } + }, + { + "random_delay": { + "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs.", + "type": "boolean", + "default": false + } + }, + { + "max_delay_time": { + "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", + "type": "number", + "default": 1 + } + }, + { + "min_delay_time": { + "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. 
The value must be less than the `max_delay_time`.", + "type": "number", + "default": 0.001 + } + }, + { + "random_examples": { + "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", + "type": "boolean", + "default": false + } + }, + { + "included_status_codes": { + "elements": { + "type": "integer" + }, + "description": "A global list of the HTTP status codes that can only be selected and returned.", + "type": "array" + } + }, + { + "random_status_code": { + "required": true, + "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", + "type": "boolean", + "default": false + } + }, + { + "include_base_path": { + "required": true, + "description": "Indicates whether to include the base path when performing path match evaluation.", + "type": "boolean", + "default": false + } + }, + { + "custom_base_path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "required": false, + "type": "string", + "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", + "starts_with": "/" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.api_specification_filename", + "config.api_specification" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/mtls-auth/3.8.x.json b/schemas/mtls-auth/3.8.x.json new file mode 100644 index 00000000..d5b8d80d --- /dev/null +++ b/schemas/mtls-auth/3.8.x.json 
@@ -0,0 +1,210 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "consumer_by": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "username", + "custom_id" + ] + }, + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "ca_certificates": { + "required": true, + "elements": { + "uuid": true, + "type": "string" + }, + "type": "array", + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`)." 
+ } + }, + { + "cache_ttl": { + "required": true, + "type": "number", + "description": "Cache expiry time in seconds.", + "default": 60 + } + }, + { + "skip_consumer_lookup": { + "required": true, + "type": "boolean", + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "default": false + } + }, + { + "allow_partial_chain": { + "required": true, + "type": "boolean", + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "default": false + } + }, + { + "authenticated_group_by": { + "default": "CN", + "required": false, + "type": "string", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "one_of": [ + "CN", + "DN" + ] + } + }, + { + "revocation_check_mode": { + "default": "IGNORE_CA_ERROR", + "required": false, + "type": "string", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. 
If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "one_of": [ + "SKIP", + "IGNORE_CA_ERROR", + "STRICT" + ] + } + }, + { + "http_timeout": { + "type": "number", + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "default": 30000 + } + }, + { + "cert_cache_ttl": { + "type": "number", + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", + "default": 60000 + } + }, + { + "send_ca_dn": { + "type": "boolean", + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", + "default": false + } + }, + { + "default_consumer": { + "type": "string", + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "http_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "https_proxy_port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file 
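Review bot: `revocation_check_mode` defaults to `IGNORE_CA_ERROR`, which by its own description "doesn't fail on network issues", but the text never says what happens to the request in that case. As written it reads as fail-open, so a revoked client certificate would presumably still authenticate while the OCSP or CRL endpoint is unreachable. The description should state the outcome and point to `STRICT`, along the lines of `With IGNORE_CA_ERROR a certificate whose revocation status cannot be fetched is treated as valid; use STRICT where revoked certificates must be rejected.`, with the wording confirmed against the plugin's actual behaviour. The `cert_cache_ttl` description could also note that a revocation is not seen until the cached status is refreshed. The "(not covered here)" aside in `authenticated_group_by` looks like a leftover from a docs page and could be dropped.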
diff --git a/schemas/oas-validation/3.8.x.json b/schemas/oas-validation/3.8.x.json new file mode 100644 index 00000000..6eaf71b8 --- /dev/null +++ b/schemas/oas-validation/3.8.x.json 
@@ -0,0 +1,170 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "api_spec": { + "required": true, + "type": "string", + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format." + } + }, + { + "verbose_response": { + "required": false, + "type": "boolean", + "description": "If set to true, returns a detailed error message for invalid requests & responses. 
This is useful while testing.", + "default": false + } + }, + { + "validate_request_body": { + "required": false, + "type": "boolean", + "description": "If set to true, validates the request body content against the API specification.", + "default": true + } + }, + { + "notify_only_request_validation_failure": { + "required": false, + "type": "boolean", + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", + "default": false + } + }, + { + "validate_request_header_params": { + "required": false, + "type": "boolean", + "description": "If set to true, validates HTTP header parameters against the API specification.", + "default": true + } + }, + { + "validate_request_query_params": { + "required": false, + "type": "boolean", + "description": "If set to true, validates query parameters against the API specification.", + "default": true + } + }, + { + "validate_request_uri_params": { + "required": false, + "type": "boolean", + "description": "If set to true, validates URI parameters in the request against the API specification.", + "default": true + } + }, + { + "validate_response_body": { + "required": false, + "type": "boolean", + "description": "If set to true, validates the response from the upstream services against the API specification. 
If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", + "default": false + } + }, + { + "notify_only_response_body_validation_failure": { + "required": false, + "type": "boolean", + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", + "default": false + } + }, + { + "query_parameter_check": { + "required": true, + "type": "boolean", + "description": "If set to true, checks if query parameters in the request exist in the API specification.", + "default": false + } + }, + { + "header_parameter_check": { + "required": true, + "type": "boolean", + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", + "default": false + } + }, + { + "allowed_header_parameters": { + "required": false, + "type": "string", + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", + "default": "Host,Content-Type,User-Agent,Accept,Content-Length" + } + }, + { + "include_base_path": { + "required": true, + "type": "boolean", + "description": "Indicates whether to include the base path when performing path match evaluation.", + "default": false + } + }, + { + "api_spec_encoded": { + "required": true, + "type": "boolean", + "description": "Indicates whether the api_spec is URI-Encoded.", + "default": true + } + }, + { + "custom_base_path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "required": false, + "type": "string", + "description": "The base path to be used for path match evaluation. 
This value is ignored if `include_base_path` is set to `false`.", + "starts_with": "/" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/oauth2-introspection/3.8.x.json b/schemas/oauth2-introspection/3.8.x.json new file mode 100644 index 00000000..8cca5e87 --- /dev/null +++ b/schemas/oauth2-introspection/3.8.x.json 
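Review bot: The `verbose_response` description says only that detailed errors are "useful while testing"; it should also say what the detail exposes, for example `Detailed messages reveal parts of the API specification to the caller; keep this disabled outside test environments.` In the same record, `api_spec` says URI-encoding is needed for YAML specs, while `api_spec_encoded` defaults to `true` without saying how an unencoded JSON spec is treated under that default. `query_parameter_check` and `header_parameter_check` both default to `false`, so the descriptions could state that parameters absent from the specification are accepted unless these are enabled. The file appears to be a schema dump, so the wording probably has to change in the upstream schema rather than in this snapshot.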
@@ -0,0 +1,167 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "introspection_url": { + "required": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + { + "ttl": { + "type": "number", + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", + "default": 30 + } + }, + { + "token_type_hint": { + "type": "string", + "description": "The `token_type_hint` value to associate to introspection requests." + } + }, + { + "authorization_value": { + "encrypted": true, + "referenceable": true, + "required": true, + "type": "string", + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`)." 
+ } + }, + { + "timeout": { + "type": "integer", + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "default": 10000 + } + }, + { + "keepalive": { + "type": "integer", + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "default": 60000 + } + }, + { + "introspect_request": { + "required": true, + "type": "boolean", + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", + "default": false + } + }, + { + "hide_credentials": { + "type": "boolean", + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request.", + "default": false + } + }, + { + "run_on_preflight": { + "type": "boolean", + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "default": true + } + }, + { + "anonymous": { + "len_min": 0, + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "default": "" + } + }, + { + "consumer_by": { + "default": "username", + "required": true, + "type": "string", + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. 
OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", + "one_of": [ + "username", + "client_id" + ] + } + }, + { + "custom_introspection_headers": { + "keys": { + "type": "string" + }, + "description": "A list of custom headers to be added in the introspection request.", + "required": true, + "values": { + "type": "string" + }, + "type": "map", + "default": [ + + ] + } + }, + { + "custom_claims_forward": { + "type": "set", + "required": true, + "elements": { + "type": "string" + }, + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/oauth2/3.8.x.json b/schemas/oauth2/3.8.x.json new file mode 100644 index 00000000..5e18a9f5 --- /dev/null +++ b/schemas/oauth2/3.8.x.json 
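Review bot: `custom_introspection_headers` is declared as `"type": "map"` but its default is serialised as an empty array (`"default": [ ]`), so a consumer that type-checks defaults gets an array where an object is expected; `"default": {}` would match the declared type. The `anonymous` description says "If empty (default null)" while the schema sets `"default": ""`, so one of the two is wrong. `introspection_url` carries only the generic URL description, although `authorization_value` is sent to it as the `Authorization` header; a sentence such as `Use an https endpoint, because the Authorization value is sent to this URL.` would make that explicit. If this file is a generated dump, these are fixes for the upstream schema.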
@@ -0,0 +1,214 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "scopes": { + "elements": { + "type": "string" + }, + "type": "array", + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required." + } + }, + { + "mandatory_scope": { + "required": true, + "type": "boolean", + "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", + "default": false + } + }, + { + "provision_key": { + "encrypted": true, + "unique": true, + "required": true, + "auto": true, + "description": "The unique key the plugin has generated when it has been added to the Service.", + "type": "string" + } + }, + { + "token_expiration": { + "required": true, + "type": "number", + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. 
Set to `0` to disable the expiration.", + "default": 7200 + } + }, + { + "enable_authorization_code": { + "required": true, + "type": "boolean", + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", + "default": false + } + }, + { + "enable_implicit_grant": { + "required": true, + "type": "boolean", + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", + "default": false + } + }, + { + "enable_client_credentials": { + "required": true, + "type": "boolean", + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", + "default": false + } + }, + { + "enable_password_grant": { + "required": true, + "type": "boolean", + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", + "default": false + } + }, + { + "hide_credentials": { + "required": true, + "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "default": false + } + }, + { + "accept_http_if_already_terminated": { + "required": true, + "type": "boolean", + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", + "default": false + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." 
+ } + }, + { + "global_credentials": { + "required": true, + "type": "boolean", + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", + "default": false + } + }, + { + "auth_header_name": { + "type": "string", + "description": "The name of the header that is supposed to carry the access token.", + "default": "authorization" + } + }, + { + "refresh_token_ttl": { + "default": 1209600, + "required": true, + "description": "Time-to-live value for data", + "type": "number", + "between": [ + 0, + 100000000 + ] + } + }, + { + "reuse_refresh_token": { + "required": true, + "type": "boolean", + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", + "default": false + } + }, + { + "persistent_refresh_token": { + "required": true, + "type": "boolean", + "default": false + } + }, + { + "pkce": { + "default": "lax", + "required": false, + "type": "string", + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", + "one_of": [ + "none", + "lax", + "strict" + ] + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "mandatory_scope", + "if_match": { + "eq": true + }, + "then_field": "scopes", + "then_match": { + "required": true + } + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/opa/3.8.x.json b/schemas/opa/3.8.x.json new file mode 100644 index 00000000..cd3a0fb8 --- /dev/null +++ b/schemas/opa/3.8.x.json 
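Review bot: The descriptions of `enable_authorization_code`, `enable_implicit_grant`, `enable_client_credentials` and `enable_password_grant` cite `RFC 6742`, but the OAuth 2.0 framework whose Sections 4.1–4.4 define these grants is RFC 6749, so the references should read e.g. `(RFC 6749 Section 4.1)`. `persistent_refresh_token` has no `description` at all, and `refresh_token_ttl` has only the generic "Time-to-live value for data" without a unit or the meaning of `0`. `accept_http_if_already_terminated` says "Accepts HTTPs requests", where the field name suggests plain HTTP requests whose TLS was terminated by a proxy; because it relaxes the HTTPS requirement, the text should state which signal from the proxy is trusted. The file looks like a schema dump, so the wording likely needs correcting upstream.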
@@ -0,0 +1,147 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "opa_protocol": { + "default": "http", + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", + "type": "string", + "one_of": [ + "http", + "https" + ] + } + }, + { + "opa_host": { + "required": true, + "type": "string", + "description": "A string representing a host name, such as example.com.", + "default": "localhost" + } + }, + { + "opa_port": { + "default": 8181, + "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "opa_path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "required": true, + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/" + } + }, + { + "include_service_in_opa_input": { + "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", + "type": "boolean", + "default": false + } + }, + { + "include_route_in_opa_input": { + "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", + "type": "boolean", + "default": false + } + }, + { + "include_consumer_in_opa_input": { + "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", + "type": "boolean", + "default": false + } + }, + { + "include_body_in_opa_input": { + "type": "boolean", + "default": false + } + }, + { + "include_parsed_json_body_in_opa_input": { + "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", + "type": "boolean", + "default": false + } + }, + { + "include_uri_captures_in_opa_input": { + "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "required": true, + "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "type": "boolean", + "default": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/openid-connect/3.8.x.json b/schemas/openid-connect/3.8.x.json new file mode 100644 index 00000000..d9870d72 --- /dev/null +++ b/schemas/openid-connect/3.8.x.json 
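Review bot: `opa_protocol` defaults to `http` while `ssl_verify` defaults to `true`, so with the defaults the policy input travels unencrypted, and the verification flag presumably has no effect until the protocol is switched. That input can include the consumer, the raw body and the parsed JSON body through the `include_*_in_opa_input` flags, which matters as soon as `opa_host` is not `localhost`. The `opa_protocol` description could add `Use https when OPA is not on the same host as the gateway.` `include_body_in_opa_input` is the only field in this record without a `description`; it should say that the raw request body is forwarded to OPA.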
@@ -0,0 +1,2652 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "issuer": { + "required": true, + "type": "string", + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`." + } + }, + { + "using_pseudo_issuer": { + "required": false, + "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "type": "boolean", + "default": false + } + }, + { + "discovery_headers_names": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the discovery endpoint.", + "type": "array" + } + }, + { + "discovery_headers_values": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the discovery endpoint.", + "type": "array" + } + }, + { + "extra_jwks_uris": { + "required": false, + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ }, + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "type": "set" + } + }, + { + "rediscovery_lifetime": { + "required": false, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", + "type": "number", + "default": 30 + } + }, + { + "auth_methods": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "description": "Types of credentials/grants to enable.", + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + } + }, + { + "client_id": { + "encrypted": true, + "required": false, + "elements": { + "referenceable": true, + "type": "string" + }, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "type": "array" + } + }, + { + "client_secret": { + "encrypted": true, + "required": false, + "elements": { + "referenceable": true, + "type": "string" + }, + "description": "The client secret.", + "type": "array" + } + }, + { + "client_auth": { + "required": false, + "elements": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + }, + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' 
(self-signed client certificate), and 'none' (no authentication).", + "type": "array" + } + }, + { + "client_jwk": { + "required": false, + "elements": { + "required": false, + "type": "record", + "fields": [ + { + "issuer": { + "type": "string", + "required": false + } + }, + { + "kty": { + "type": "string", + "required": false + } + }, + { + "use": { + "type": "string", + "required": false + } + }, + { + "key_ops": { + "required": false, + "elements": { + "type": "string", + "required": false + }, + "type": "array" + } + }, + { + "alg": { + "type": "string", + "required": false + } + }, + { + "kid": { + "type": "string", + "required": false + } + }, + { + "x5u": { + "type": "string", + "required": false + } + }, + { + "x5c": { + "required": false, + "elements": { + "type": "string", + "required": false + }, + "type": "array" + } + }, + { + "x5t": { + "type": "string", + "required": false + } + }, + { + "x5t#S256": { + "type": "string", + "required": false + } + }, + { + "k": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "x": { + "type": "string", + "required": false + } + }, + { + "y": { + "type": "string", + "required": false + } + }, + { + "crv": { + "type": "string", + "required": false + } + }, + { + "n": { + "type": "string", + "required": false + } + }, + { + "e": { + "type": "string", + "required": false + } + }, + { + "d": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "p": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "q": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "dp": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "dq": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "qi": { + "required": false, + "encrypted": true, 
+ "type": "string", + "referenceable": true + } + }, + { + "oth": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "r": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "t": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + } + ] + }, + "description": "The JWK used for the private_key_jwt authentication.", + "type": "array" + } + }, + { + "client_alg": { + "required": false, + "elements": { + "type": "string", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS384", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + }, + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "type": "array" + } + }, + { + "client_arg": { + "required": false, + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "type": "string", + "default": "client_id" + } + }, + { + "redirect_uri": { + "required": false, + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ }, + "description": "The redirect URI passed to the authorization and token endpoints.", + "type": "array" + } + }, + { + "login_redirect_uri": { + "required": false, + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true + }, + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "type": "array" + } + }, + { + "logout_redirect_uri": { + "required": false, + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true + }, + "description": "Where to redirect the client after the logout.", + "type": "array" + } + }, + { + "forbidden_redirect_uri": { + "required": false, + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client on forbidden requests.", + "type": "array" + } + }, + { + "forbidden_error_message": { + "required": false, + "description": "The error message for the forbidden requests (when not using the redirection).", + "type": "string", + "default": "Forbidden" + } + }, + { + "forbidden_destroy_session": { + "required": false, + "description": "Destroy any active session for the forbidden requests.", + "type": "boolean", + "default": true + } + }, + { + "unauthorized_destroy_session": { + "required": false, + "description": "Destroy any active session for the unauthorized requests.", + "type": "boolean", + "default": true + } + }, + { + "unauthorized_redirect_uri": { + "required": false, + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ }, + "description": "Where to redirect the client on unauthorized requests.", + "type": "array" + } + }, + { + "unauthorized_error_message": { + "required": false, + "description": "The error message for the unauthorized requests (when not using the redirection).", + "type": "string", + "default": "Unauthorized" + } + }, + { + "unexpected_redirect_uri": { + "required": false, + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "type": "array" + } + }, + { + "response_mode": { + "default": "query", + "required": false, + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "type": "string", + "one_of": [ + "query", + "form_post", + "fragment", + "query.jwt", + "form_post.jwt", + "fragment.jwt", + "jwt" + ] + } + }, + { + "response_type": { + "type": "array", + "required": false, + "elements": { + "type": "string" + }, + "description": "The response type passed to the authorization endpoint.", + "default": [ + "code" + ] + } + }, + { + "scopes": { + "type": "array", + "required": false, + "elements": { + "referenceable": true, + "type": "string" + }, + "description": "The scopes passed to the authorization and token endpoints.", + "default": [ + "openid" + ] + } + }, + { + "audience": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The audience passed to the authorization endpoint.", + "type": "array" + } + }, + { + 
"issuers_allowed": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "type": "array" + } + }, + { + "scopes_required": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array" + } + }, + { + "scopes_claim": { + "type": "array", + "required": false, + "elements": { + "type": "string" + }, + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "default": [ + "scope" + ] + } + }, + { + "audience_required": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array" + } + }, + { + "audience_claim": { + "type": "array", + "required": false, + "elements": { + "type": "string" + }, + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "default": [ + "aud" + ] + } + }, + { + "groups_required": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array" + } + }, + { + "groups_claim": { + "type": "array", + "required": false, + "elements": { + "type": "string" + }, + "description": "The claim that contains the groups. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "default": [ + "groups" + ] + } + }, + { + "roles_required": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array" + } + }, + { + "roles_claim": { + "type": "array", + "required": false, + "elements": { + "type": "string" + }, + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "default": [ + "roles" + ] + } + }, + { + "domains": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The allowed values for the `hd` claim.", + "type": "array" + } + }, + { + "max_age": { + "required": false, + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "type": "number" + } + }, + { + "authenticated_groups_claim": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array" + } + }, + { + "pushed_authorization_request_endpoint": { + "required": false, + "type": "string", + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint." 
+ } + }, + { + "pushed_authorization_request_endpoint_auth_method": { + "required": false, + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "require_pushed_authorization_requests": { + "required": false, + "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "type": "boolean" + } + }, + { + "require_proof_key_for_code_exchange": { + "required": false, + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "type": "boolean" + } + }, + { + "require_signed_request_object": { + "required": false, + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "type": "boolean" + } + }, + { + "authorization_endpoint": { + "required": false, + "type": "string", + "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint." 
+ } + }, + { + "authorization_query_args_names": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra query argument names passed to the authorization endpoint.", + "type": "array" + } + }, + { + "authorization_query_args_values": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra query argument values passed to the authorization endpoint.", + "type": "array" + } + }, + { + "authorization_query_args_client": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "type": "array" + } + }, + { + "authorization_rolling_timeout": { + "required": false, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number", + "default": 600 + } + }, + { + "authorization_cookie_name": { + "required": false, + "description": "The authorization cookie name.", + "type": "string", + "default": "authorization" + } + }, + { + "authorization_cookie_path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "description": "The authorization cookie Path flag.", + "required": false, + "type": "string", + "starts_with": "/", + "default": "/" + } + }, + { + "authorization_cookie_domain": { + "required": false, + "description": "The authorization cookie Domain flag.", + "type": "string" + } + }, + { + "authorization_cookie_same_site": { + "default": "Default", + "required": false, + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "type": "string", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "authorization_cookie_http_only": { + "required": false, + "description": "Forbids JavaScript from accessing the cookie, for 
example, through the `Document.cookie` property.", + "type": "boolean", + "default": true + } + }, + { + "authorization_cookie_secure": { + "required": false, + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + } + }, + { + "preserve_query_args": { + "required": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "type": "boolean", + "default": false + } + }, + { + "token_endpoint": { + "required": false, + "type": "string", + "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint." + } + }, + { + "token_endpoint_auth_method": { + "required": false, + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "token_headers_names": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the token endpoint.", + "type": "array" + } + }, + { + "token_headers_values": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the token endpoint.", + "type": "array" + } + }, + { + "token_headers_client": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the token endpoint.", + "type": "array" + } + }, + { + "token_headers_replay": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The names of token 
endpoint response headers to forward to the downstream client.", + "type": "array" + } + }, + { + "token_headers_prefix": { + "required": false, + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "type": "string" + } + }, + { + "token_headers_grants": { + "required": false, + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token" + ] + }, + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "type": "array" + } + }, + { + "token_post_args_names": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra post argument names passed to the token endpoint.", + "type": "array" + } + }, + { + "token_post_args_values": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra post argument values passed to the token endpoint.", + "type": "array" + } + }, + { + "token_post_args_client": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "type": "array" + } + }, + { + "introspection_endpoint": { + "required": false, + "type": "string", + "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint." 
+ } + }, + { + "introspection_endpoint_auth_method": { + "required": false, + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "introspection_hint": { + "required": false, + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "type": "string", + "default": "access_token" + } + }, + { + "introspection_check_active": { + "required": false, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "type": "boolean", + "default": true + } + }, + { + "introspection_accept": { + "default": "application/json", + "required": false, + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "type": "string", + "one_of": [ + "application/json", + "application/token-introspection+jwt", + "application/jwt" + ] + } + }, + { + "introspection_headers_names": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the introspection endpoint.", + "type": "array" + } + }, + { + "introspection_headers_values": { + "encrypted": true, + "required": false, + "elements": { + "referenceable": true, + "type": "string" + }, + "description": "Extra header values passed to the introspection endpoint.", + "type": "array" + } + }, + { + "introspection_headers_client": { + "required": false, + 
"elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the introspection endpoint.", + "type": "array" + } + }, + { + "introspection_post_args_names": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra post argument names passed to the introspection endpoint.", + "type": "array" + } + }, + { + "introspection_post_args_values": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra post argument values passed to the introspection endpoint.", + "type": "array" + } + }, + { + "introspection_post_args_client": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "type": "array" + } + }, + { + "introspect_jwt_tokens": { + "required": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "type": "boolean", + "default": false + } + }, + { + "revocation_endpoint": { + "required": false, + "type": "string", + "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint." + } + }, + { + "revocation_endpoint_auth_method": { + "required": false, + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "end_session_endpoint": { + "required": false, + "type": "string", + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint." 
+ } + }, + { + "userinfo_endpoint": { + "required": false, + "type": "string", + "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint." + } + }, + { + "userinfo_accept": { + "default": "application/json", + "required": false, + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "type": "string", + "one_of": [ + "application/json", + "application/jwt" + ] + } + }, + { + "userinfo_headers_names": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the user info endpoint.", + "type": "array" + } + }, + { + "userinfo_headers_values": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the user info endpoint.", + "type": "array" + } + }, + { + "userinfo_headers_client": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the user info endpoint.", + "type": "array" + } + }, + { + "userinfo_query_args_names": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra query argument names passed to the user info endpoint.", + "type": "array" + } + }, + { + "userinfo_query_args_values": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra query argument values passed to the user info endpoint.", + "type": "array" + } + }, + { + "userinfo_query_args_client": { + "required": false, + "elements": { + "type": "string" + }, + "description": "Extra query arguments passed from the client to the user info endpoint.", + "type": "array" + } + }, + { + "token_exchange_endpoint": { + "required": false, + "type": "string", + "description": "The token exchange endpoint." 
+ } + }, + { + "session_secret": { + "encrypted": true, + "referenceable": true, + "required": false, + "description": "The session secret.", + "type": "string" + } + }, + { + "session_audience": { + "required": false, + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "type": "string", + "default": "default" + } + }, + { + "session_cookie_name": { + "required": false, + "description": "The session cookie name.", + "type": "string", + "default": "session" + } + }, + { + "session_remember": { + "required": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean", + "default": false + } + }, + { + "session_remember_cookie_name": { + "required": false, + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string", + "default": "remember" + } + }, + { + "session_remember_rolling_timeout": { + "required": false, + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "type": "number", + "default": 604800 + } + }, + { + "session_remember_absolute_timeout": { + "required": false, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number", + "default": 2592000 + } + }, + { + "session_idling_timeout": { + "required": false, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "type": "number", + "default": 900 + } + }, + { + "session_rolling_timeout": { + "required": false, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling.", + "type": "number", + "default": 3600 + } + }, + { + "session_absolute_timeout": { + "required": false, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number", + "default": 86400 + } + }, + { + "session_cookie_path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "description": "The session cookie Path flag.", + "required": false, + "type": "string", + "starts_with": "/", + "default": "/" + } + }, + { + "session_cookie_domain": { + "required": false, + "description": "The session cookie Domain flag.", + "type": "string" + } + }, + { + "session_cookie_same_site": { + "default": "Lax", + "required": false, + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "type": "string", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "session_cookie_http_only": { + "required": false, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean", + "default": true + } + }, + { + "session_cookie_secure": { + "required": false, + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + } + }, + { + "session_request_headers": { + "required": false, + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. 
`[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "type": "set" + } + }, + { + "session_response_headers": { + "required": false, + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "type": "set" + } + }, + { + "session_storage": { + "default": "cookie", + "required": false, + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "type": "string", + "one_of": [ + "cookie", + "memcache", + "memcached", + "redis" + ] + } + }, + { + "session_store_metadata": { + "required": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "type": "boolean", + "default": false + } + }, + { + "session_enforce_same_subject": { + "required": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean", + "default": false + } + }, + { + "session_hash_subject": { + "required": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "type": "boolean", + "default": false + } + }, + { + "session_hash_storage_key": { + "required": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean", + "default": false + } + }, + { + "session_memcached_prefix": { + "required": false, + "description": "The memcached session key prefix.", + "type": "string" + } + }, + { + "session_memcached_socket": { + "required": false, + "description": "The memcached unix socket path.", + "type": "string" + } + }, + { + "session_memcached_host": { + "required": false, + "description": "The memcached host.", + "type": "string", + "default": "127.0.0.1" + } + }, + { + "session_memcached_port": { + "default": 11211, + "required": false, + "description": "The memcached port.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "session_redis_prefix": { + "required": false, + "description": "The Redis session key prefix.", + "type": "string" + } + }, + { + "session_redis_socket": { + "required": false, + "description": "The Redis unix socket path.", + "type": "string" + } + }, + { + "session_redis_host": { + "required": false, + "description": "The Redis host.", + "type": "string", + "default": "127.0.0.1" + } + }, + { + "session_redis_port": { + "default": 6379, + "required": false, + "description": "The Redis port.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "session_redis_username": { + "required": false, + "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "session_redis_password": { + "encrypted": true, + "referenceable": true, + "required": false, + "description": "Password to use for Redis connection when the `redis` session storage is defined. 
If undefined, no AUTH commands are sent to Redis.", + "type": "string" + } + }, + { + "session_redis_connect_timeout": { + "required": false, + "description": "Session redis connection timeout in milliseconds.", + "type": "integer" + } + }, + { + "session_redis_read_timeout": { + "required": false, + "description": "Session redis read timeout in milliseconds.", + "type": "integer" + } + }, + { + "session_redis_send_timeout": { + "required": false, + "description": "Session redis send timeout in milliseconds.", + "type": "integer" + } + }, + { + "session_redis_ssl": { + "required": false, + "description": "Use SSL/TLS for Redis connection.", + "type": "boolean", + "default": false + } + }, + { + "session_redis_ssl_verify": { + "required": false, + "description": "Verify identity provider server certificate.", + "type": "boolean", + "default": false + } + }, + { + "session_redis_server_name": { + "required": false, + "description": "The SNI used for connecting the Redis server.", + "type": "string" + } + }, + { + "session_redis_cluster_nodes": { + "required": false, + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "required": true, + "type": "string", + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + } + ] + }, + "description": "The Redis cluster node host. 
Takes an array of host records, with either `ip` or `host`, and `port` values.", + "type": "array" + } + }, + { + "session_redis_cluster_max_redirections": { + "required": false, + "description": "The Redis cluster maximum redirects.", + "type": "integer" + } + }, + { + "reverify": { + "required": false, + "description": "Specifies whether to always verify tokens stored in the session.", + "type": "boolean", + "default": false + } + }, + { + "jwt_session_claim": { + "required": false, + "description": "The claim to match against the JWT session cookie.", + "type": "string", + "default": "sid" + } + }, + { + "jwt_session_cookie": { + "required": false, + "description": "The name of the JWT session cookie.", + "type": "string" + } + }, + { + "bearer_token_param_type": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "header", + "cookie", + "query", + "body" + ] + }, + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "default": [ + "header", + "query", + "body" + ] + } + }, + { + "bearer_token_cookie_name": { + "required": false, + "description": "The name of the cookie in which the bearer token is passed.", + "type": "string" + } + }, + { + "client_credentials_param_type": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "default": [ + "header", + "query", + "body" + ] + } + }, + { + "password_param_type": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + 
"description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "default": [ + "header", + "query", + "body" + ] + } + }, + { + "id_token_param_type": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "default": [ + "header", + "query", + "body" + ] + } + }, + { + "id_token_param_name": { + "required": false, + "description": "The name of the parameter used to pass the id token.", + "type": "string" + } + }, + { + "refresh_token_param_type": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "default": [ + "header", + "query", + "body" + ] + } + }, + { + "refresh_token_param_name": { + "required": false, + "description": "The name of the parameter used to pass the refresh token.", + "type": "string" + } + }, + { + "refresh_tokens": { + "required": false, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "type": "boolean", + "default": true + } + }, + { + "upstream_headers_claims": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The upstream header claims. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array" + } + }, + { + "upstream_headers_names": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The upstream header names for the claim values.", + "type": "array" + } + }, + { + "upstream_access_token_header": { + "required": false, + "description": "The upstream access token header.", + "type": "string", + "default": "authorization:bearer" + } + }, + { + "upstream_access_token_jwk_header": { + "required": false, + "description": "The upstream access token JWK header.", + "type": "string" + } + }, + { + "upstream_id_token_header": { + "required": false, + "description": "The upstream id token header.", + "type": "string" + } + }, + { + "upstream_id_token_jwk_header": { + "required": false, + "description": "The upstream id token JWK header.", + "type": "string" + } + }, + { + "upstream_refresh_token_header": { + "required": false, + "description": "The upstream refresh token header.", + "type": "string" + } + }, + { + "upstream_user_info_header": { + "required": false, + "description": "The upstream user info header.", + "type": "string" + } + }, + { + "upstream_user_info_jwt_header": { + "required": false, + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + } + }, + { + "upstream_introspection_header": { + "required": false, + "description": "The upstream introspection header.", + "type": "string" + } + }, + { + "upstream_introspection_jwt_header": { + "required": false, + "description": "The upstream introspection JWT header.", + "type": "string" + } + }, + { + "upstream_session_id_header": { + "required": false, + "description": "The upstream session id header.", + "type": "string" + } + }, + { + "downstream_headers_claims": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The downstream header claims. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array" + } + }, + { + "downstream_headers_names": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The downstream header names for the claim values.", + "type": "array" + } + }, + { + "downstream_access_token_header": { + "required": false, + "description": "The downstream access token header.", + "type": "string" + } + }, + { + "downstream_access_token_jwk_header": { + "required": false, + "description": "The downstream access token JWK header.", + "type": "string" + } + }, + { + "downstream_id_token_header": { + "required": false, + "description": "The downstream id token header.", + "type": "string" + } + }, + { + "downstream_id_token_jwk_header": { + "required": false, + "description": "The downstream id token JWK header.", + "type": "string" + } + }, + { + "downstream_refresh_token_header": { + "required": false, + "description": "The downstream refresh token header.", + "type": "string" + } + }, + { + "downstream_user_info_header": { + "required": false, + "description": "The downstream user info header.", + "type": "string" + } + }, + { + "downstream_user_info_jwt_header": { + "required": false, + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + } + }, + { + "downstream_introspection_header": { + "required": false, + "description": "The downstream introspection header.", + "type": "string" + } + }, + { + "downstream_introspection_jwt_header": { + "required": false, + "description": "The downstream introspection JWT header.", + "type": "string" + } + }, + { + "downstream_session_id_header": { + "required": false, + "description": "The downstream session id header.", + "type": "string" + } + }, + { + "login_methods": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + 
"authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "description": "Enable login functionality with specified grants.", + "default": [ + "authorization_code" + ] + } + }, + { + "login_action": { + "default": "upstream", + "required": false, + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "type": "string", + "one_of": [ + "upstream", + "response", + "redirect" + ] + } + }, + { + "login_tokens": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "id_token", + "access_token", + "refresh_token", + "tokens", + "introspection" + ] + }, + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "default": [ + "id_token" + ] + } + }, + { + "login_redirect_mode": { + "default": "fragment", + "required": false, + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "type": "string", + "one_of": [ + "query", + "fragment" + ] + } + }, + { + "logout_query_arg": { + "required": false, + "description": "The request query argument that activates the logout.", + "type": "string" + } + }, + { + "logout_post_arg": { + "required": false, + "description": "The request body argument that activates the logout.", + "type": "string" + } + }, + { + "logout_uri_suffix": { + "required": false, + "description": "The request URI suffix that activates the logout.", + "type": "string" + } + }, + { + "logout_methods": { + "type": 
"array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "POST", + "GET", + "DELETE" + ] + }, + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "default": [ + "POST", + "DELETE" + ] + } + }, + { + "logout_revoke": { + "required": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "type": "boolean", + "default": false + } + }, + { + "logout_revoke_access_token": { + "required": false, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean", + "default": true + } + }, + { + "logout_revoke_refresh_token": { + "required": false, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean", + "default": true + } + }, + { + "consumer_claim": { + "required": false, + "elements": { + "type": "string" + }, + "description": "The claim used for consumer mapping. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array" + } + }, + { + "consumer_by": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "consumer_optional": { + "required": false, + "description": "Do not terminate the request if consumer mapping fails.", + "type": "boolean", + "default": false + } + }, + { + "credential_claim": { + "type": "array", + "required": false, + "elements": { + "type": "string" + }, + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "default": [ + "sub" + ] + } + }, + { + "anonymous": { + "required": false, + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + } + }, + { + "run_on_preflight": { + "required": false, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "type": "boolean", + "default": true + } + }, + { + "leeway": { + "required": false, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "type": "number", + "default": 0 + } + }, + { + "verify_parameters": { + "required": false, + "description": "Verify plugin configuration against discovery.", + "type": "boolean", + "default": false + } + }, + { + "verify_nonce": { + "required": false, + "description": "Verify nonce on authorization code flow.", + "type": "boolean", + "default": true + } + }, + { + "verify_claims": { + "required": false, + "description": "Verify tokens for standard claims.", + "type": "boolean", + "default": true + } + }, + { + "verify_signature": { + "required": false, + "description": "Verify signature of tokens.", + "type": "boolean", + "default": true + } + }, + { + "ignore_signature": { + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token", + "session", + "introspection", + "userinfo" + ] + }, + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "default": [ + + ] + } + }, + { + "enable_hs_signatures": { + "required": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "type": "boolean", + 
"default": false + } + }, + { + "disable_session": { + "required": false, + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "description": "Disable issuing the session cookie with the specified grants.", + "type": "array" + } + }, + { + "cache_ttl": { + "required": false, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "type": "number", + "default": 3600 + } + }, + { + "cache_ttl_max": { + "required": false, + "description": "The maximum cache ttl in seconds (enforced).", + "type": "number" + } + }, + { + "cache_ttl_min": { + "required": false, + "description": "The minimum cache ttl in seconds (enforced).", + "type": "number" + } + }, + { + "cache_ttl_neg": { + "required": false, + "description": "The negative cache ttl in seconds.", + "type": "number" + } + }, + { + "cache_ttl_resurrect": { + "required": false, + "description": "The resurrection ttl in seconds.", + "type": "number" + } + }, + { + "cache_tokens": { + "required": false, + "description": "Cache the token endpoint requests.", + "type": "boolean", + "default": true + } + }, + { + "cache_tokens_salt": { + "required": false, + "auto": true, + "type": "string", + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." 
+ } + }, + { + "cache_introspection": { + "required": false, + "description": "Cache the introspection endpoint requests.", + "type": "boolean", + "default": true + } + }, + { + "cache_token_exchange": { + "required": false, + "description": "Cache the token exchange endpoint requests.", + "type": "boolean", + "default": true + } + }, + { + "cache_user_info": { + "required": false, + "description": "Cache the user info requests.", + "type": "boolean", + "default": true + } + }, + { + "search_user_info": { + "required": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "type": "boolean", + "default": false + } + }, + { + "hide_credentials": { + "required": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "type": "boolean", + "default": false + } + }, + { + "http_version": { + "required": false, + "type": "number", + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "default": 1.1 + } + }, + { + "http_proxy": { + "required": false, + "type": "string", + "description": "The HTTP proxy." + } + }, + { + "http_proxy_authorization": { + "required": false, + "description": "The HTTP proxy authorization.", + "type": "string" + } + }, + { + "https_proxy": { + "required": false, + "type": "string", + "description": "The HTTPS proxy." 
+ } + }, + { + "https_proxy_authorization": { + "required": false, + "description": "The HTTPS proxy authorization.", + "type": "string" + } + }, + { + "no_proxy": { + "required": false, + "description": "Do not use proxy with these hosts.", + "type": "string" + } + }, + { + "keepalive": { + "required": false, + "description": "Use keepalive with the HTTP client.", + "type": "boolean", + "default": true + } + }, + { + "ssl_verify": { + "required": false, + "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "type": "boolean", + "default": false + } + }, + { + "timeout": { + "required": false, + "description": "Network IO timeout in milliseconds.", + "type": "number", + "default": 10000 + } + }, + { + "display_errors": { + "required": false, + "description": "Display errors on failure responses.", + "type": "boolean", + "default": false + } + }, + { + "by_username_ignore_case": { + "required": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "type": "boolean", + "default": false + } + }, + { + "resolve_distributed_claims": { + "required": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "type": "boolean", + "default": false + } + }, + { + "expose_error_code": { + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. 
Set to `false` to disable.", + "type": "boolean", + "default": true + } + }, + { + "token_cache_key_include_scope": { + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean", + "default": false + } + }, + { + "introspection_token_param_name": { + "required": false, + "description": "Designate token's parameter name for introspection.", + "type": "string", + "default": "token" + } + }, + { + "revocation_token_param_name": { + "required": false, + "description": "Designate token's parameter name for revocation.", + "type": "string", + "default": "token" + } + }, + { + "proof_of_possession_mtls": { + "default": "off", + "required": false, + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", + "type": "string", + "one_of": [ + "off", + "strict", + "optional" + ] + } + }, + { + "proof_of_possession_auth_methods_validation": { + "required": false, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. 
If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "type": "boolean", + "default": true + } + }, + { + "tls_client_auth_cert_id": { + "uuid": true, + "required": false, + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "type": "string", + "auto": false + } + }, + { + "tls_client_auth_ssl_verify": { + "required": false, + "description": "Verify identity provider server certificate during mTLS client authentication.", + "type": "boolean", + "default": true + } + }, + { + "mtls_token_endpoint": { + "required": false, + "type": "string", + "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." + } + }, + { + "mtls_introspection_endpoint": { + "required": false, + "type": "string", + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." + } + }, + { + "mtls_revocation_endpoint": { + "required": false, + "type": "string", + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." + } + }, + { + "proof_of_possession_dpop": { + "default": "off", + "required": false, + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). 
If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "type": "string", + "one_of": [ + "off", + "strict", + "optional" + ] + } + }, + { + "dpop_use_nonce": { + "required": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", + "type": "boolean", + "default": false + } + }, + { + "dpop_proof_lifetime": { + "required": false, + "type": "number", + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "default": 300 + } + } + ], + "required": true, + "shorthand_fields": [ + { + "authorization_cookie_lifetime": { + "type": "number", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.authorization_cookie_lifetime is deprecated, please use config.authorization_rolling_timeout instead" + } + } + }, + { + "authorization_cookie_samesite": { + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.authorization_cookie_samesite is deprecated, please use config.authorization_cookie_same_site instead" + } + } + }, + { + "authorization_cookie_httponly": { + "type": "boolean", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.authorization_cookie_httponly is deprecated, please use config.authorization_cookie_http_only instead" + } + } + }, + { + "session_cookie_lifetime": { + "type": "number", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead" + } + } + }, + { + "session_cookie_idletime": { + "type": "number", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: 
config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead" + } + } + }, + { + "session_cookie_samesite": { + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead" + } + } + }, + { + "session_cookie_httponly": { + "type": "boolean", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead" + } + } + }, + { + "session_memcache_prefix": { + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead" + } + } + }, + { + "session_memcache_socket": { + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead" + } + } + }, + { + "session_memcache_host": { + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead" + } + } + }, + { + "session_memcache_port": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead" + } + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_cluster_maxredirections is deprecated, please use config.session_redis_cluster_max_redirections instead" + } + } + }, + { + "session_cookie_renew": { + "type": "number", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: 
config.session_cookie_renew option does not exist anymore" + } + } + }, + { + "session_cookie_maxsize": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore" + } + } + }, + { + "session_strategy": { + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_strategy option does not exist anymore" + } + } + }, + { + "session_compressor": { + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_compressor option does not exist anymore" + } + } + } + ], + "type": "record" + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/opentelemetry/3.8.x.json b/schemas/opentelemetry/3.8.x.json new file mode 100644 index 00000000..5d917906 --- /dev/null +++ b/schemas/opentelemetry/3.8.x.json 
@@ -0,0 +1,329 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "endpoint": { + "required": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true, + "type": "string" + } + }, + { + "headers": { + "keys": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", + "type": "map", + "values": { + "type": "string", + "referenceable": true + } + } + }, + { + "resource_attributes": { + "keys": { + "type": "string", + "required": true + }, + "type": "map", + "values": { + "type": "string", + "required": true + } + } + }, + { + "queue": { + "fields": [ + { + "max_batch_size": { + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_coalescing_delay": { + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "between": [ + 0, + 3600 + ] + } + }, + { + "max_entries": { + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_bytes": { + 
"type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + } + }, + { + "max_retry_time": { + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60 + } + }, + { + "initial_retry_delay": { + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ] + } + }, + { + "max_retry_delay": { + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ] + } + } + ], + "required": true, + "type": "record", + "default": { + "max_batch_size": 200 + } + } + }, + { + "batch_span_count": { + "deprecation": { + "old_default": 200, + "message": "opentelemetry: config.batch_span_count is deprecated, please use config.queue.max_batch_size instead", + "removal_in_version": "4.0" + }, + "description": "The number of spans to be sent in a single batch.", + "type": "integer" + } + }, + { + "batch_flush_delay": { + "deprecation": { + "old_default": 3, + "message": "opentelemetry: config.batch_flush_delay is deprecated, please use config.queue.max_coalescing_delay instead", + "removal_in_version": "4.0" + }, + "description": "The delay, in seconds, between two consecutive batches.", + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 1000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "http_response_header_for_traceid": { + "type": "string" + } + }, + { + "header_type": { + "default": "preserve", + "required": false, + "deprecation": { + "old_default": "preserve", + "message": "opentelemetry: config.header_type is deprecated, please use config.propagation options instead", + "removal_in_version": "4.0" + }, + "type": "string", + "one_of": [ + "preserve", + "ignore", + "b3", + "b3-single", + "w3c", + "jaeger", + "ot", + "aws", + "gcp", + "datadog" + ] + } + }, + { + "sampling_rate": { + "required": false, + "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", + "type": "number", + "between": [ + 0, + 1 + ] + } + }, + { + "propagation": { + "fields": [ + { + "extract": { + "elements": { + "type": "string", + "one_of": [ + "b3", + "gcp", + "jaeger", + "aws", + "ot", + "w3c", + "datadog" + ] + }, + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "type": "array" + } + }, + { + "clear": { + "elements": { + "type": "string" + }, + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. 
If left empty, no headers are cleared.", + "type": "array" + } + }, + { + "inject": { + "elements": { + "type": "string", + "one_of": [ + "preserve", + "b3", + "gcp", + "b3-single", + "jaeger", + "aws", + "ot", + "w3c", + "datadog" + ] + }, + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "type": "array" + } + }, + { + "default_format": { + "required": true, + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "type": "string", + "one_of": [ + "b3", + "gcp", + "b3-single", + "jaeger", + "aws", + "ot", + "w3c", + "datadog" + ] + } + } + ], + "required": true, + "type": "record", + "default": { + "default_format": "w3c" + } + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/post-function/3.8.x.json b/schemas/post-function/3.8.x.json new file mode 100644 index 00000000..b1717b8b --- /dev/null +++ b/schemas/post-function/3.8.x.json 
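Review bot: The `config.headers` description in this new schema tells operators to put the APM authentication token in the map, but it does not say how to keep that token out of stored configuration, even though the map values are marked `referenceable`. I would extend the description with `Values are referenceable, so supply tokens as a vault reference rather than as a literal string.` The same section also leaves `resource_attributes` and `http_response_header_for_traceid` without any `description`. This file looks like an export, so the wording probably has to change in the plugin's schema source and be pulled again.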
@@ -0,0 +1,228 @@ +{ + "fields": [ + { + "protocols": { + "required": false, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "description": "A set of strings representing protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "certificate": { + "required": true, + "elements": { + "required": false, + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "rewrite": { + "required": true, + "elements": { + "required": false, + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "access": { + "required": true, + "elements": { + "required": false, + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "header_filter": { + "required": true, + "elements": { + "required": false, + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "body_filter": { + "required": true, + "elements": { + "required": false, + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "log": { + "required": true, + "elements": { + "required": false, + "type": "string" + }, + "type": 
"array", + "default": [ + + ] + } + }, + { + "ws_handshake": { + "required": true, + "elements": { + "required": false, + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "ws_client_frame": { + "required": true, + "elements": { + "required": false, + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "ws_upstream_frame": { + "required": true, + "elements": { + "required": false, + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "ws_close": { + "required": true, + "elements": { + "required": false, + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/pre-function/3.8.x.json b/schemas/pre-function/3.8.x.json new file mode 100644 index 00000000..b1717b8b --- /dev/null +++ b/schemas/pre-function/3.8.x.json 
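Review bot: The `fields` array in this schema carries two `protocols` entries with conflicting definitions. The first is `required: false` and allows only grpc, grpcs, http, https, ws and wss; the second is `required: true`, adds tcp, tls, tls_passthrough and udp, and has a narrower default. A consumer that indexes fields by name will silently keep only one of them, so the export should emit a single entry; schemas/pre-function/3.8.x.json is the same blob (`b1717b8b`) and has the same duplicate. Separately, none of the phase arrays (`certificate`, `rewrite`, `access` through `ws_close`) has a `description`. As far as I know these strings are Lua code that the gateway runs in that phase, which is worth stating, e.g. `"description": "Lua code strings run in order during the access phase."`.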
@@ -0,0 +1,228 @@ +{ + "fields": [ + { + "protocols": { + "required": false, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "description": "A set of strings representing protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "certificate": { + "required": true, + "elements": { + "required": false, + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "rewrite": { + "required": true, + "elements": { + "required": false, + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "access": { + "required": true, + "elements": { + "required": false, + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "header_filter": { + "required": true, + "elements": { + "required": false, + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "body_filter": { + "required": true, + "elements": { + "required": false, + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "log": { + "required": true, + "elements": { + "required": false, + "type": "string" + }, + "type": 
"array", + "default": [ + + ] + } + }, + { + "ws_handshake": { + "required": true, + "elements": { + "required": false, + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "ws_client_frame": { + "required": true, + "elements": { + "required": false, + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "ws_upstream_frame": { + "required": true, + "elements": { + "required": false, + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "ws_close": { + "required": true, + "elements": { + "required": false, + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/prometheus/3.8.x.json b/schemas/prometheus/3.8.x.json new file mode 100644 index 00000000..bf375f1e --- /dev/null +++ b/schemas/prometheus/3.8.x.json 
@@ -0,0 +1,87 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "description": "A set of strings representing protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "per_consumer": { + "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", + "type": "boolean", + "default": false + } + }, + { + "status_code_metrics": { + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", + "type": "boolean", + "default": false + } + }, + { + "latency_metrics": { + "description": "A boolean value that determines if latency metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", + "type": "boolean", + "default": false + } + }, + { + "bandwidth_metrics": { + "description": "A boolean value that determines if bandwidth metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", + "type": "boolean", + "default": false + } + }, + { + "upstream_health_metrics": { + "description": "A boolean value that determines if upstream metrics should be collected. 
If enabled, `upstream_target_health` metric will be exported.", + "type": "boolean", + "default": false + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/proxy-cache-advanced/3.8.x.json b/schemas/proxy-cache-advanced/3.8.x.json new file mode 100644 index 00000000..e0e93d10 --- /dev/null +++ b/schemas/proxy-cache-advanced/3.8.x.json 
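Review bot: The metric names in the `config` descriptions are written inconsistently: `per_consumer` refers to `kong_http_requests_total` and `kong_bandwidth_bytes`, while `status_code_metrics` and `bandwidth_metrics` name `http_requests_total` and `bandwidth_bytes` without the prefix, and `latency_metrics` mixes `kong_latency_ms` with unprefixed `upstream_latency_ms` and `request_latency_ms`. `stream_sessions_total` is also listed under both `status_code_metrics` and `bandwidth_metrics`. Someone building alerts or scrape filters from this text cannot tell which spelling is exported, so the descriptions should use one form throughout. The `per_consumer` description could also say that the consumer label becomes readable by anyone who can reach the metrics endpoint.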
@@ -0,0 +1,448 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "response_code": { + "type": "array", + "len_min": 1, + "required": true, + "elements": { + "type": "integer", + "between": [ + 100, + 900 + ] + }, + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", + "default": [ + 200, + 301, + 404 + ] + } + }, + { + "request_method": { + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "HEAD", + "GET", + "POST", + "PATCH", + "PUT" + ] + }, + "type": "array", + "default": [ + "GET", + "HEAD" + ] + } + }, + { + "content_type": { + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", + "required": true, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + "text/plain", + "application/json" + ] + } + }, + { + "cache_ttl": { + "default": 300, + "type": "integer", + "description": "TTL in seconds of cache entities.", + "gt": 0 + } + }, + { + "strategy": { + "required": true, + "description": "The backing data store in which to hold cache entities. 
Accepted values are: `memory` and `redis`.", + "type": "string", + "one_of": [ + "memory", + "redis" + ] + } + }, + { + "cache_control": { + "required": true, + "type": "boolean", + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "default": false + } + }, + { + "ignore_uri_case": { + "required": false, + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", + "type": "boolean", + "default": false + } + }, + { + "storage_ttl": { + "type": "integer", + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." + } + }, + { + "memory": { + "fields": [ + { + "dictionary_name": { + "required": true, + "type": "string", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "default": "kong_db_cache" + } + } + ], + "type": "record", + "required": true + } + }, + { + "vary_query_params": { + "elements": { + "type": "string" + }, + "type": "array", + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration." + } + }, + { + "vary_headers": { + "elements": { + "type": "string" + }, + "type": "array", + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." 
+ } + }, + { + "response_headers": { + "fields": [ + { + "age": { + "type": "boolean", + "default": true + } + }, + { + "X-Cache-Status": { + "type": "boolean", + "default": true + } + }, + { + "X-Cache-Key": { + "type": "boolean", + "default": true + } + } + ], + "description": "Caching related diagnostic headers that should be included in cached responses", + "type": "record", + "required": true + } + }, + { + "redis": { + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "default": 256, + "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ] + } + }, + { + "keepalive_backlog": { + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_addresses": { + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "elements": { + "type": "string" + }, + "type": "array", + "len_min": 1 + } + }, + { + "cluster_addresses": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "elements": { + "type": "string" + }, + "type": "array", + "len_min": 1 + } + }, + { + "ssl": { + "required": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "required": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_addresses" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ], + "type": "record", + "required": true + } + }, + { + "bypass_on_err": { + "type": "boolean", + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "default": false + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/proxy-cache/3.8.x.json b/schemas/proxy-cache/3.8.x.json new file mode 100644 index 00000000..6137f9bc --- /dev/null +++ b/schemas/proxy-cache/3.8.x.json 
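Review bot: In the `redis` record, `ssl` and `ssl_verify` both default to `false`, yet `password` and `sentinel_password` travel on that connection and neither description states the consequence. I would extend the `ssl` text to `"If set to true, uses SSL to connect to Redis. With the default of false, the AUTH password and cache entities are sent unencrypted."` and add to `ssl_verify` that with `false` the server certificate is not checked even when `ssl` is true. The same `redis` block appears in the rate-limiting-advanced hunk of this patch. If these files are downloaded from the API rather than hand-edited, the wording change belongs in the upstream schema.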
@@ -0,0 +1,205 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "description": "A set of strings representing protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "response_code": { + "len_min": 1, + "description": "Upstream response status code considered cacheable.", + "required": true, + "elements": { + "type": "integer", + "between": [ + 100, + 900 + ] + }, + "type": "array", + "default": [ + 200, + 301, + 404 + ] + } + }, + { + "request_method": { + "description": "Downstream request methods considered cacheable.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "HEAD", + "GET", + "POST", + "PATCH", + "PUT" + ] + }, + "type": "array", + "default": [ + "GET", + "HEAD" + ] + } + }, + { + "content_type": { + "description": "Upstream response content types considered cacheable. 
The plugin performs an **exact match** against each specified value.", + "required": true, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + "text/plain", + "application/json" + ] + } + }, + { + "cache_ttl": { + "default": 300, + "type": "integer", + "description": "TTL, in seconds, of cache entities.", + "gt": 0 + } + }, + { + "strategy": { + "required": true, + "type": "string", + "description": "The backing data store in which to hold cache entities.", + "one_of": [ + "memory" + ] + } + }, + { + "cache_control": { + "required": true, + "type": "boolean", + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "default": false + } + }, + { + "ignore_uri_case": { + "required": false, + "type": "boolean", + "default": false + } + }, + { + "storage_ttl": { + "type": "integer", + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." + } + }, + { + "memory": { + "fields": [ + { + "dictionary_name": { + "required": true, + "type": "string", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "default": "kong_db_cache" + } + } + ], + "type": "record", + "required": true + } + }, + { + "vary_query_params": { + "elements": { + "type": "string" + }, + "type": "array", + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration." + } + }, + { + "vary_headers": { + "elements": { + "type": "string" + }, + "type": "array", + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." 
+ } + }, + { + "response_headers": { + "fields": [ + { + "age": { + "type": "boolean", + "default": true + } + }, + { + "X-Cache-Status": { + "type": "boolean", + "default": true + } + }, + { + "X-Cache-Key": { + "type": "boolean", + "default": true + } + } + ], + "description": "Caching related diagnostic headers that should be included in cached responses", + "type": "record", + "required": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/rate-limiting-advanced/3.8.x.json b/schemas/rate-limiting-advanced/3.8.x.json new file mode 100644 index 00000000..ed32d32a --- /dev/null +++ b/schemas/rate-limiting-advanced/3.8.x.json 
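Review bot: `ignore_uri_case` has no `description` in this file, although the proxy-cache-advanced schema in the same patch documents the identically named field. The text there could be reused: `"description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI."`. Separately, `protocols.elements.one_of` here allows `tcp`, `tls`, `tls_passthrough`, `udp`, `ws` and `wss`, while the advanced variant allows only the four HTTP and gRPC values. It is worth confirming that the wider list is intended for a plugin whose other fields all concern HTTP responses.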
@@ -0,0 +1,438 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "identifier": { + "default": "consumer", + "required": true, + "type": "string", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "one_of": [ + "ip", + "credential", + "consumer", + "service", + "header", + "path", + "consumer-group" + ] + } + }, + { + "window_size": { + "required": true, + "elements": { + "type": "number" + }, + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "type": "array" + } + }, + { + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "type": "string", + "one_of": [ + "fixed", + "sliding" + ] + } + }, + { + "limit": { + "required": true, + "elements": { + "type": "number" + }, + "description": "One or more requests-per-window limits to apply. 
There must be a matching number of window limits and sizes specified.", + "type": "array" + } + }, + { + "sync_rate": { + "type": "number", + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." + } + }, + { + "namespace": { + "auto": true, + "required": true, + "type": "string", + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same." + } + }, + { + "strategy": { + "default": "local", + "required": true, + "type": "string", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "one_of": [ + "cluster", + "redis", + "local" + ] + } + }, + { + "dictionary_name": { + "required": true, + "description": "The shared dictionary where counters are stored. 
When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "type": "string", + "default": "kong_rate_limiting_counters" + } + }, + { + "hide_client_headers": { + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean", + "default": false + } + }, + { + "retry_after_jitter_max": { + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number", + "default": 0 + } + }, + { + "header_name": { + "type": "string", + "description": "A string representing an HTTP header name." + } + }, + { + "path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + } + }, + { + "redis": { + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "default": 256, + "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ] + } + }, + { + "keepalive_backlog": { + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_addresses": { + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "elements": { + "type": "string" + }, + "type": "array", + "len_min": 1 + } + }, + { + "cluster_addresses": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "elements": { + "type": "string" + }, + "type": "array", + "len_min": 1 + } + }, + { + "ssl": { + "required": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "required": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_addresses" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_addresses" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_addresses" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ], + "type": "record", + "required": true + } + }, + { + "enforce_consumer_groups": { + "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", + "type": "boolean", + "default": false + } + }, + { + "consumer_groups": { + "elements": { + "type": "string" + }, + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", + "type": "array" + } + }, + { + "disable_penalty": { + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. 
This parameter only affects the `sliding` window_type.", + "type": "boolean", + "default": false + } + }, + { + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "type": "number", + "gt": 0 + } + }, + { + "error_message": { + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string", + "default": "API rate limit exceeded" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/rate-limiting/3.8.x.json b/schemas/rate-limiting/3.8.x.json new file mode 100644 index 00000000..79c762c6 --- /dev/null +++ b/schemas/rate-limiting/3.8.x.json 
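Review bot: The `strategy` description says "Available values are: `local` and `cluster`", but `one_of` also accepts `redis`, and the `dictionary_name` description itself refers to `config.strategy` being `cluster` or `redis`. The sentence should read ``Available values are: `local`, `cluster` and `redis`.`` so that the documented and the validated sets agree. The `namespace` note lists `redis` among the settings that must match across instances, so the omission looks like an oversight rather than a deprecation.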
@@ -0,0 +1,438 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "second": { + "description": "The number of HTTP requests that can be made per second.", + "type": "number", + "gt": 0 + } + }, + { + "minute": { + "description": "The number of HTTP requests that can be made per minute.", + "type": "number", + "gt": 0 + } + }, + { + "hour": { + "description": "The number of HTTP requests that can be made per hour.", + "type": "number", + "gt": 0 + } + }, + { + "day": { + "description": "The number of HTTP requests that can be made per day.", + "type": "number", + "gt": 0 + } + }, + { + "month": { + "description": "The number of HTTP requests that can be made per month.", + "type": "number", + "gt": 0 + } + }, + { + "year": { + "description": "The number of HTTP requests that can be made per year.", + "type": "number", + "gt": 0 + } + }, + { + "limit_by": { + "default": "consumer", + "description": "The entity that is used when aggregating the limits.", + "type": "string", + "one_of": [ + "consumer", + "credential", + "ip", + "service", + "header", + "path", + "consumer-group" + ] + } + }, + { + "header_name": { + "type": "string", + "description": "A string representing an HTTP header name." + } + }, + { + "path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + } + }, + { + "policy": { + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "len_min": 0, + "type": "string", + "one_of": [ + "local", + "cluster", + "redis" + ] + } + }, + { + "fault_tolerant": { + "required": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", + "type": "boolean", + "default": true + } + }, + { + "redis": { + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "username": { + "type": "string", + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + } + }, + { + "password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "len_min": 0 + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer", + "default": 0 + } + }, + { + "ssl": { + "required": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "required": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + } + } + ], + "description": "Redis configuration", + "type": "record", + "required": true + } + }, + { + "hide_client_headers": { + "required": true, + "description": "Optionally hide informative response headers.", + "type": "boolean", + "default": false + } + }, + { + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "type": "number", + "gt": 0 + } + }, + { + "error_message": { + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string", + "default": "API rate limit exceeded" + } + }, + { + "sync_rate": { + "required": true, + "description": "How often to sync counter data to the central data store. 
A value of -1 results in synchronous behavior.", + "type": "number", + "default": -1 + } + } + ], + "required": true, + "shorthand_fields": [ + { + "redis_host": { + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_host is deprecated, please use config.redis.host instead" + }, + "type": "string", + "translate_backwards": [ + "redis", + "host" + ] + } + }, + { + "redis_port": { + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_port is deprecated, please use config.redis.port instead" + }, + "type": "integer", + "translate_backwards": [ + "redis", + "port" + ] + } + }, + { + "redis_password": { + "len_min": 0, + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_password is deprecated, please use config.redis.password instead" + }, + "type": "string", + "translate_backwards": [ + "redis", + "password" + ] + } + }, + { + "redis_username": { + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_username is deprecated, please use config.redis.username instead" + }, + "type": "string", + "translate_backwards": [ + "redis", + "username" + ] + } + }, + { + "redis_ssl": { + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_ssl is deprecated, please use config.redis.ssl instead" + }, + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl" + ] + } + }, + { + "redis_ssl_verify": { + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead" + }, + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl_verify" + ] + } + }, + { + "redis_server_name": { + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_server_name is deprecated, please use config.redis.server_name instead" + }, + "type": "string", + "translate_backwards": [ 
+ "redis", + "server_name" + ] + } + }, + { + "redis_timeout": { + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_timeout is deprecated, please use config.redis.timeout instead" + }, + "type": "integer", + "translate_backwards": [ + "redis", + "timeout" + ] + } + }, + { + "redis_database": { + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_database is deprecated, please use config.redis.database instead" + }, + "type": "integer", + "translate_backwards": [ + "redis", + "database" + ] + } + } + ], + "type": "record" + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.second", + "config.minute", + "config.hour", + "config.day", + "config.month", + "config.year" + ] + }, + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.host", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.port", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.timeout", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.limit_by", + "if_match": { + "eq": "header" + }, + "then_field": "config.header_name", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.limit_by", + "if_match": { + "eq": "path" + }, + "then_field": "config.path", + "then_match": { + "required": true + } + } + } + ] +} \ No newline at end of file diff --git a/schemas/request-size-limiting/3.8.x.json b/schemas/request-size-limiting/3.8.x.json new file mode 100644 index 00000000..cb8c641c --- /dev/null +++ b/schemas/request-size-limiting/3.8.x.json 
@@ -0,0 +1,73 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "allowed_payload_size": { + "type": "integer", + "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", + "default": 128 + } + }, + { + "size_unit": { + "default": "megabytes", + "required": true, + "type": "string", + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", + "one_of": [ + "megabytes", + "kilobytes", + "bytes" + ] + } + }, + { + "require_content_length": { + "required": true, + "type": "boolean", + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", + "default": false + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/request-termination/3.8.x.json b/schemas/request-termination/3.8.x.json new file mode 100644 index 00000000..e716bea1 --- /dev/null +++ b/schemas/request-termination/3.8.x.json 
@@ -0,0 +1,81 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "status_code": { + "default": 503, + "required": true, + "description": "The response code to send. Must be an integer between 100 and 599.", + "type": "integer", + "between": [ + 100, + 599 + ] + } + }, + { + "message": { + "type": "string", + "description": "The message to send, if using the default response generator." + } + }, + { + "content_type": { + "type": "string", + "description": "Content type of the raw response configured with `config.body`." + } + }, + { + "body": { + "type": "string", + "description": "The raw response body to send. This is mutually exclusive with the `config.message` field." + } + }, + { + "echo": { + "required": true, + "type": "boolean", + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", + "default": false + } + }, + { + "trigger": { + "type": "string", + "description": "A string representing an HTTP header name." + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/request-transformer-advanced/3.8.x.json b/schemas/request-transformer-advanced/3.8.x.json new file mode 100644 index 00000000..82c1b004 --- /dev/null +++ b/schemas/request-transformer-advanced/3.8.x.json 
@@ -0,0 +1,337 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "http_method": { + "match": "^%u+$", + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", + "type": "string" + } + }, + { + "remove": { + "fields": [ + { + "body": { + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "headers": { + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "querystring": { + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "rename": { + "fields": [ + { + "body": { + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array", + "default": [ + + ] + } + }, + { + "headers": { + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array", + "default": [ + + ] + } + }, + { + "querystring": { + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "replace": { + "fields": [ + { + "body": { + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array", + "default": [ + + ] + } + }, + { + "headers": { + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array", + "default": [ + + ] + } + }, + { + "querystring": { + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array", + "default": [ + + ] + } + }, + { + "json_types": { + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + 
"string" + ] + }, + "type": "array", + "default": [ + + ] + } + }, + { + "uri": { + "type": "string" + } + } + ], + "type": "record", + "required": true + } + }, + { + "add": { + "fields": [ + { + "body": { + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array", + "default": [ + + ] + } + }, + { + "headers": { + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array", + "default": [ + + ] + } + }, + { + "querystring": { + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array", + "default": [ + + ] + } + }, + { + "json_types": { + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "append": { + "fields": [ + { + "body": { + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array", + "default": [ + + ] + } + }, + { + "headers": { + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array", + "default": [ + + ] + } + }, + { + "querystring": { + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array", + "default": [ + + ] + } + }, + { + "json_types": { + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "allow": { + "fields": [ + { + "body": { + "type": "set", + "elements": { + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "dots_in_keys": { + "type": "boolean", + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. 
See [Arrays and nested objects](#arrays-and-nested-objects).", + "default": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/request-transformer/3.8.x.json b/schemas/request-transformer/3.8.x.json new file mode 100644 index 00000000..4de5fa5e --- /dev/null +++ b/schemas/request-transformer/3.8.x.json 
@@ -0,0 +1,280 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "description": "A set of strings representing protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "http_method": { + "match": "^%u+$", + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", + "type": "string" + } + }, + { + "remove": { + "fields": [ + { + "body": { + "required": true, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "headers": { + "required": true, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "querystring": { + "required": true, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "rename": { + "fields": [ + { + "body": { + "required": true, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "headers": { + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "querystring": { + "required": true, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "replace": { + "fields": [ + { + "body": { + "required": true, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "headers": { + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + 
"querystring": { + "required": true, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "uri": { + "type": "string" + } + } + ], + "type": "record", + "required": true + } + }, + { + "add": { + "fields": [ + { + "body": { + "required": true, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "headers": { + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "querystring": { + "required": true, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "append": { + "fields": [ + { + "body": { + "required": true, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "headers": { + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "querystring": { + "required": true, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/request-validator/3.8.x.json b/schemas/request-validator/3.8.x.json new file mode 100644 index 00000000..e5214db3 --- /dev/null +++ b/schemas/request-validator/3.8.x.json 
@@ -0,0 +1,181 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "body_schema": { + "required": false, + "type": "string", + "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified." + } + }, + { + "allowed_content_types": { + "type": "set", + "elements": { + "required": true, + "type": "string" + }, + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", + "default": [ + "application/json" + ] + } + }, + { + "version": { + "one_of": [ + "kong", + "draft4" + ], + "required": true, + "type": "string", + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", + "default": "kong" + } + }, + { + "parameter_schema": { + "required": false, + "elements": { + "fields": [ + { + "in": { + "required": true, + "type": "string", + "description": "The location of the parameter.", + "one_of": [ + "query", + "header", + "path" + ] + } + }, + { + "name": { + "required": true, + "type": "string", + "description": "The name of the parameter. Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`." 
+ } + }, + { + "required": { + "required": true, + "type": "boolean", + "description": "Determines whether this parameter is mandatory." + } + }, + { + "style": { + "type": "string", + "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", + "one_of": [ + "label", + "form", + "matrix", + "simple", + "spaceDelimited", + "pipeDelimited", + "deepObject" + ] + } + }, + { + "explode": { + "type": "boolean", + "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect." + } + }, + { + "schema": { + "type": "string", + "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating." + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "style", + "explode", + "schema" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "style", + "in" + ] + } + } + ], + "type": "record" + }, + "type": "array", + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified." 
+ } + }, + { + "verbose_response": { + "required": true, + "type": "boolean", + "description": "If enabled, the plugin returns more verbose and detailed validation errors.", + "default": false + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "body_schema", + "parameter_schema" + ] + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/response-ratelimiting/3.8.x.json b/schemas/response-ratelimiting/3.8.x.json new file mode 100644 index 00000000..bee283f1 --- /dev/null +++ b/schemas/response-ratelimiting/3.8.x.json 
@@ -0,0 +1,403 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "header_name": { + "type": "string", + "description": "The name of the response header used to increment the counters.", + "default": "x-kong-limit" + } + }, + { + "limit_by": { + "default": "consumer", + "type": "string", + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", + "one_of": [ + "consumer", + "credential", + "ip" + ] + } + }, + { + "policy": { + "default": "local", + "type": "string", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "one_of": [ + "local", + "cluster", + "redis" + ] + } + }, + { + "fault_tolerant": { + "required": true, + "type": "boolean", + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", + "default": true + } + }, + { + "redis": { + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "username": { + "type": "string", + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + } + }, + { + "password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "len_min": 0 + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer", + "default": 0 + } + }, + { + "ssl": { + "required": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "required": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + } + } + ], + "description": "Redis configuration", + "type": "record", + "required": true + } + }, + { + "block_on_first_violation": { + "required": true, + "type": "boolean", + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", + "default": false + } + }, + { + "hide_client_headers": { + "required": true, + "type": "boolean", + "description": "Optionally hide informative response headers.", + "default": false + } + }, + { + "limits": { + "keys": { + "type": "string" + }, + "len_min": 1, + "required": true, + "description": "A map that defines rate limits for the plugin.", + "type": "map", + "values": { + "required": true, + "entity_checks": [ + { + "at_least_one_of": [ + "second", + "minute", + "hour", + "day", + "month", + "year" + ] + } + ], + "type": "record", + "fields": [ + { + "second": { + "type": "number", + "gt": 0 + } + }, + { + "minute": { + "type": "number", + "gt": 0 + } + }, + { + "hour": { + "type": "number", + "gt": 0 + } + }, + { + "day": { + "type": "number", + "gt": 0 + } + }, + { + "month": { + "type": "number", + "gt": 0 + } + }, + { + "year": { + "type": "number", + "gt": 0 + } + } + ] + } + } + } + ], + "shorthand_fields": [ + { + "redis_host": { + "deprecation": { + "message": "response-ratelimiting: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + }, + "type": "string", + "translate_backwards": [ + "redis", + "host" + ] + } + }, + { + "redis_port": { + "deprecation": { + "message": "response-ratelimiting: config.redis_port is deprecated, please use config.redis.port instead", 
+ "removal_in_version": "4.0" + }, + "type": "integer", + "translate_backwards": [ + "redis", + "port" + ] + } + }, + { + "redis_password": { + "len_min": 0, + "deprecation": { + "message": "response-ratelimiting: config.redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0" + }, + "type": "string", + "translate_backwards": [ + "redis", + "password" + ] + } + }, + { + "redis_username": { + "deprecation": { + "message": "response-ratelimiting: config.redis_username is deprecated, please use config.redis.username instead", + "removal_in_version": "4.0" + }, + "type": "string", + "translate_backwards": [ + "redis", + "username" + ] + } + }, + { + "redis_ssl": { + "deprecation": { + "message": "response-ratelimiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0" + }, + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl" + ] + } + }, + { + "redis_ssl_verify": { + "deprecation": { + "message": "response-ratelimiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0" + }, + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl_verify" + ] + } + }, + { + "redis_server_name": { + "deprecation": { + "message": "response-ratelimiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0" + }, + "type": "string", + "translate_backwards": [ + "redis", + "server_name" + ] + } + }, + { + "redis_timeout": { + "deprecation": { + "message": "response-ratelimiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", + "removal_in_version": "4.0" + }, + "type": "integer", + "translate_backwards": [ + "redis", + "timeout" + ] + } + }, + { + "redis_database": { + "deprecation": { + "message": "response-ratelimiting: config.redis_database is deprecated, please use config.redis.database instead", + 
"removal_in_version": "4.0" + }, + "type": "integer", + "translate_backwards": [ + "redis", + "database" + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.host", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.port", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.timeout", + "then_match": { + "required": true + } + } + } + ] +} \ No newline at end of file diff --git a/schemas/response-transformer-advanced/3.8.x.json b/schemas/response-transformer-advanced/3.8.x.json new file mode 100644 index 00000000..30740564 --- /dev/null +++ b/schemas/response-transformer-advanced/3.8.x.json 
@@ -0,0 +1,350 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "remove": { + "fields": [ + { + "json": { + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "headers": { + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "if_status": { + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "rename": { + "fields": [ + { + "headers": { + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "if_status": { + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "replace": { + "fields": [ + { + "body": { + "description": "String with which to replace the entire response body.", + "type": "string" + } + }, + { + "json": { + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "json_types": { + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array", + "default": [ + + ] + } + }, + { + "headers": { + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "if_status": { + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "add": { + "fields": [ + { + "json": { + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "json_types": { + "elements": { + "type": "string", + "one_of": [ + 
"boolean", + "number", + "string" + ] + }, + "type": "array", + "default": [ + + ] + } + }, + { + "headers": { + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "if_status": { + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "append": { + "fields": [ + { + "json": { + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "json_types": { + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array", + "default": [ + + ] + } + }, + { + "headers": { + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "if_status": { + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "allow": { + "fields": [ + { + "json": { + "type": "set", + "elements": { + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "transform": { + "fields": [ + { + "functions": { + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "if_status": { + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "json": { + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "dots_in_keys": { + "type": "boolean", + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", + "default": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/response-transformer/3.8.x.json b/schemas/response-transformer/3.8.x.json new file mode 100644 index 00000000..67d2c9ec 
--- /dev/null +++ b/schemas/response-transformer/3.8.x.json 
@@ -0,0 +1,246 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "remove": { + "fields": [ + { + "json": { + "required": true, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "headers": { + "required": true, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "rename": { + "fields": [ + { + "headers": { + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "replace": { + "fields": [ + { + "json": { + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "json_types": { + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array", + "default": [ + + ] + } + }, + { + "headers": { + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "add": { + "fields": [ + { + "json": { + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "json_types": { + "description": "List of JSON type names. 
Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array", + "default": [ + + ] + } + }, + { + "headers": { + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "append": { + "fields": [ + { + "json": { + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "json_types": { + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array", + "default": [ + + ] + } + }, + { + "headers": { + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/route-by-header/3.8.x.json b/schemas/route-by-header/3.8.x.json new file mode 100644 index 00000000..d782454b --- /dev/null +++ b/schemas/route-by-header/3.8.x.json 
@@ -0,0 +1,78 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "rules": { + "description": "Route by header rules.", + "elements": { + "type": "record", + "fields": [ + { + "upstream_name": { + "required": true, + "type": "string" + } + }, + { + "condition": { + "keys": { + "type": "string" + }, + "required": true, + "type": "map", + "len_min": 1, + "values": { + "type": "string" + } + } + } + ] + }, + "type": "array", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/route-transformer-advanced/3.8.x.json b/schemas/route-transformer-advanced/3.8.x.json new file mode 100644 index 00000000..65d20343 --- /dev/null +++ b/schemas/route-transformer-advanced/3.8.x.json 
@@ -0,0 +1,75 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "path": { + "type": "string" + } + }, + { + "port": { + "type": "string" + } + }, + { + "host": { + "type": "string" + } + }, + { + "escape_path": { + "type": "boolean", + "default": false + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "path", + "port", + "host" + ] + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/saml/3.8.x.json b/schemas/saml/3.8.x.json new file mode 100644 index 00000000..443de58e --- /dev/null +++ b/schemas/saml/3.8.x.json 
@@ -0,0 +1,706 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "assertion_consumer_path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "required": true, + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/" + } + }, + { + "idp_sso_url": { + "required": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + { + "idp_certificate": { + "encrypted": true, + "referenceable": true, + "required": false, + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. 
Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "type": "string" + } + }, + { + "response_encryption_key": { + "encrypted": true, + "referenceable": true, + "required": false, + "description": "The private encryption key required to decrypt encrypted assertions.", + "type": "string" + } + }, + { + "request_signing_key": { + "encrypted": true, + "referenceable": true, + "required": false, + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", + "type": "string" + } + }, + { + "request_signing_certificate": { + "encrypted": true, + "referenceable": true, + "required": false, + "description": "The certificate for signing requests.", + "type": "string" + } + }, + { + "request_signature_algorithm": { + "default": "SHA256", + "required": false, + "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "type": "string", + "one_of": [ + "SHA256", + "SHA384", + "SHA512" + ] + } + }, + { + "request_digest_algorithm": { + "default": "SHA256", + "required": false, + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", + "type": "string", + "one_of": [ + "SHA256", + "SHA1" + ] + } + }, + { + "response_signature_algorithm": { + "default": "SHA256", + "required": false, + "description": "The algorithm for validating signatures in SAML responses. 
Options available are: - `SHA256` - `SHA384` - `SHA512`", + "type": "string", + "one_of": [ + "SHA256", + "SHA384", + "SHA512" + ] + } + }, + { + "response_digest_algorithm": { + "default": "SHA256", + "required": false, + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", + "type": "string", + "one_of": [ + "SHA256", + "SHA1" + ] + } + }, + { + "issuer": { + "required": true, + "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", + "type": "string" + } + }, + { + "nameid_format": { + "default": "EmailAddress", + "required": false, + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", + "type": "string", + "one_of": [ + "Unspecified", + "EmailAddress", + "Persistent", + "Transient" + ] + } + }, + { + "validate_assertion_signature": { + "required": false, + "description": "Enable signature validation for SAML responses.", + "type": "boolean", + "default": true + } + }, + { + "anonymous": { + "required": false, + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", + "type": "string" + } + }, + { + "session_secret": { + "match": "^[0-9a-zA-Z/_+]+$", + "encrypted": true, + "referenceable": true, + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). 
It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "required": true, + "len_min": 32, + "type": "string", + "len_max": 32 + } + }, + { + "session_audience": { + "required": false, + "description": "The session audience, for example \"my-application\"", + "type": "string", + "default": "default" + } + }, + { + "session_cookie_name": { + "required": false, + "description": "The session cookie name.", + "type": "string", + "default": "session" + } + }, + { + "session_remember": { + "required": false, + "description": "Enables or disables persistent sessions", + "type": "boolean", + "default": false + } + }, + { + "session_remember_cookie_name": { + "required": false, + "description": "Persistent session cookie name", + "type": "string", + "default": "remember" + } + }, + { + "session_remember_rolling_timeout": { + "required": false, + "description": "Persistent session rolling timeout in seconds.", + "type": "number", + "default": 604800 + } + }, + { + "session_remember_absolute_timeout": { + "required": false, + "description": "Persistent session absolute timeout in seconds.", + "type": "number", + "default": 2592000 + } + }, + { + "session_idling_timeout": { + "required": false, + "description": "The session cookie idle time in seconds.", + "type": "number", + "default": 900 + } + }, + { + "session_rolling_timeout": { + "required": false, + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "type": "number", + "default": 3600 + } + }, + { + "session_absolute_timeout": { + "required": false, + "description": "The session cookie absolute timeout in seconds. 
Specifies how long the session can be used until it is no longer valid.", + "type": "number", + "default": 86400 + } + }, + { + "session_cookie_path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "required": false, + "type": "string", + "starts_with": "/", + "default": "/" + } + }, + { + "session_cookie_domain": { + "required": false, + "description": "The session cookie domain flag.", + "type": "string" + } + }, + { + "session_cookie_same_site": { + "default": "Lax", + "required": false, + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "type": "string", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "session_cookie_http_only": { + "required": false, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean", + "default": true + } + }, + { + "session_cookie_secure": { + "required": false, + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + } + }, + { + "session_request_headers": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } + } + }, + { + "session_response_headers": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } + } + }, + { + "session_storage": { + "default": "cookie", + "required": 
false, + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", + "type": "string", + "one_of": [ + "cookie", + "memcache", + "memcached", + "redis" + ] + } + }, + { + "session_store_metadata": { + "required": false, + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", + "type": "boolean", + "default": false + } + }, + { + "session_enforce_same_subject": { + "required": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean", + "default": false + } + }, + { + "session_hash_subject": { + "required": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "type": "boolean", + "default": false + } + }, + { + "session_hash_storage_key": { + "required": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean", + "default": false + } + }, + { + "session_memcached_prefix": { + "required": false, + "description": "The memcached session key prefix.", + "type": "string" + } + }, + { + "session_memcached_socket": { + "required": false, + "description": "The memcached unix socket path.", + "type": "string" + } + }, + { + "session_memcached_host": { + "required": false, + "description": "The memcached host.", + "type": "string", + "default": "127.0.0.1" + } + }, + { + "session_memcached_port": { + "default": 11211, + "required": false, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "session_redis_prefix": { + "required": false, + "description": "The Redis session key prefix.", + "type": "string" + } + }, + { + "session_redis_socket": { + "required": false, + "description": "The Redis unix socket path.", + "type": "string" + } + }, + { + "session_redis_host": { + "required": false, + "description": "The Redis host IP.", + "type": "string", + "default": "127.0.0.1" + } + }, + { + "session_redis_port": { + "default": 6379, + "required": false, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "session_redis_username": { + "required": false, + "type": "string", + "referenceable": true, + "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." + } + }, + { + "session_redis_password": { + "encrypted": true, + "referenceable": true, + "required": false, + "description": "Password to use for Redis connection when the `redis` session storage is defined. 
If undefined, no auth commands are sent to Redis. This value is pulled from", + "type": "string" + } + }, + { + "session_redis_connect_timeout": { + "required": false, + "description": "The Redis connection timeout in milliseconds.", + "type": "integer" + } + }, + { + "session_redis_read_timeout": { + "required": false, + "description": "The Redis read timeout in milliseconds.", + "type": "integer" + } + }, + { + "session_redis_send_timeout": { + "required": false, + "description": "The Redis send timeout in milliseconds.", + "type": "integer" + } + }, + { + "session_redis_ssl": { + "required": false, + "description": "Use SSL/TLS for the Redis connection.", + "type": "boolean", + "default": false + } + }, + { + "session_redis_ssl_verify": { + "required": false, + "description": "Verify the Redis server certificate.", + "type": "boolean", + "default": false + } + }, + { + "session_redis_server_name": { + "required": false, + "description": "The SNI used for connecting to the Redis server.", + "type": "string" + } + }, + { + "session_redis_cluster_nodes": { + "required": false, + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "required": true, + "type": "string", + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + } + ] + }, + "description": "The Redis cluster node host. 
Takes an array of host records, with either `ip` or `host`, and `port` values.", + "type": "array" + } + }, + { + "session_redis_cluster_max_redirections": { + "required": false, + "description": "The Redis cluster maximum redirects.", + "type": "integer" + } + } + ], + "required": true, + "shorthand_fields": [ + { + "session_cookie_lifetime": { + "type": "number", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead" + } + } + }, + { + "session_cookie_idletime": { + "type": "number", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead" + } + } + }, + { + "session_cookie_samesite": { + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead" + } + } + }, + { + "session_cookie_httponly": { + "type": "boolean", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead" + } + } + }, + { + "session_memcache_prefix": { + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead" + } + } + }, + { + "session_memcache_socket": { + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead" + } + } + }, + { + "session_memcache_host": { + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_host is deprecated, please use 
config.session_memcached_host instead" + } + } + }, + { + "session_memcache_port": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead" + } + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_cluster_maxredirections is deprecated, please use config.session_redis_cluster_max_redirections instead" + } + } + }, + { + "session_cookie_renew": { + "type": "number", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_renew option does not exist anymore" + } + } + }, + { + "session_cookie_maxsize": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore" + } + } + }, + { + "session_strategy": { + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_strategy option does not exist anymore" + } + } + }, + { + "session_compressor": { + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_compressor option does not exist anymore" + } + } + }, + { + "session_auth_ttl": { + "type": "number", + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_auth_ttl option does not exist anymore" + } + } + } + ], + "type": "record" + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/session/3.8.x.json b/schemas/session/3.8.x.json new file mode 100644 index 00000000..db316884 --- /dev/null +++ b/schemas/session/3.8.x.json 
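Review bot: In `schemas/saml/3.8.x.json` the `description` strings of several security-relevant fields omit the caveat an operator needs. `request_digest_algorithm` and `response_digest_algorithm` accept `SHA1` with no comment, and `session_redis_ssl` and `session_redis_ssl_verify` both default to `false`, so with `session_storage` set to `redis` the session data is sent without TLS or certificate verification unless the operator changes both. I would end the two digest descriptions with `Prefer SHA256; use SHA1 only if the IdP requires it.` and the `session_redis_ssl_verify` description with `Enable together with session_redis_ssl when Redis is reached over a network.` The `session_redis_password` description is cut off at `This value is pulled from`, and the `shorthand_fields` deprecation messages are prefixed `openid-connect:` in this saml schema, which looks copied from another plugin. Because the file is downloaded from the API, these corrections probably belong in the upstream plugin schema rather than in this dump.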
@@ -0,0 +1,302 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "description": "A set of strings representing protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "secret": { + "encrypted": true, + "referenceable": true, + "required": false, + "type": "string", + "description": "The secret that is used in keyed HMAC generation.", + "default": "4Xkz87KN9Mdq3BsyMOndCz3cjxVWxf4ndnK6tPTGKhYd" + } + }, + { + "storage": { + "default": "cookie", + "type": "string", + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", + "one_of": [ + "cookie", + "kong" + ] + } + }, + { + "audience": { + "type": "string", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "default": "default" + } + }, + { + "idling_timeout": { + "type": "number", + "description": "The session cookie idle time, in seconds.", + "default": 900 + } + }, + { + "rolling_timeout": { + "type": "number", + "description": "The session cookie rolling timeout, in seconds. 
Specifies how long the session can be used until it needs to be renewed.", + "default": 3600 + } + }, + { + "absolute_timeout": { + "type": "number", + "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", + "default": 86400 + } + }, + { + "stale_ttl": { + "type": "number", + "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", + "default": 10 + } + }, + { + "cookie_name": { + "type": "string", + "description": "The name of the cookie.", + "default": "session" + } + }, + { + "cookie_path": { + "type": "string", + "description": "The resource in the host where the cookie is available.", + "default": "/" + } + }, + { + "cookie_domain": { + "description": "The domain with which the cookie is intended to be exchanged.", + "type": "string" + } + }, + { + "cookie_same_site": { + "default": "Strict", + "description": "Determines whether and how a cookie may be sent with cross-site requests.", + "type": "string", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "cookie_http_only": { + "type": "boolean", + "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", + "default": true + } + }, + { + "cookie_secure": { + "type": "boolean", + "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", + "default": true + } + }, + { + "remember": { + "type": "boolean", + "description": "Enables or disables persistent sessions.", + "default": false + } + }, + { + "remember_cookie_name": { + "type": "string", + "description": "Persistent session cookie name. 
Use with the `remember` configuration parameter.", + "default": "remember" + } + }, + { + "remember_rolling_timeout": { + "type": "number", + "description": "The persistent session rolling timeout window, in seconds.", + "default": 604800 + } + }, + { + "remember_absolute_timeout": { + "type": "number", + "description": "The persistent session absolute timeout limit, in seconds.", + "default": 2592000 + } + }, + { + "response_headers": { + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "List of information to include, as headers, in the response to the downstream.", + "type": "set" + } + }, + { + "request_headers": { + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "List of information to include, as headers, in the response to the downstream.", + "type": "set" + } + }, + { + "read_body_for_logout": { + "type": "boolean", + "default": false + } + }, + { + "logout_methods": { + "description": "A set of HTTP methods that the plugin will respond to.", + "elements": { + "type": "string", + "one_of": [ + "GET", + "POST", + "DELETE" + ] + }, + "type": "set", + "default": [ + "POST", + "DELETE" + ] + } + }, + { + "logout_query_arg": { + "type": "string", + "description": "The query argument passed to logout requests.", + "default": "session_logout" + } + }, + { + "logout_post_arg": { + "type": "string", + "description": "The POST argument passed to logout requests. 
Do not change this property.", + "default": "session_logout" + } + } + ], + "shorthand_fields": [ + { + "cookie_lifetime": { + "type": "number" + } + }, + { + "cookie_idletime": { + "type": "number" + } + }, + { + "cookie_renew": { + "type": "number" + } + }, + { + "cookie_discard": { + "type": "number" + } + }, + { + "cookie_samesite": { + "type": "string" + } + }, + { + "cookie_httponly": { + "type": "boolean" + } + }, + { + "cookie_persistent": { + "type": "boolean" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/statsd-advanced/3.8.x.json b/schemas/statsd-advanced/3.8.x.json new file mode 100644 index 00000000..0d0f2104 --- /dev/null +++ b/schemas/statsd-advanced/3.8.x.json 
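Review bot: In `schemas/session/3.8.x.json` the `secret` field carries a concrete literal as its `default`, which a schema published for documentation should not present as the plugin's HMAC secret. If the plugin generates that value when it loads, the dump has captured one instance's random string and readers may copy it. If it is a fixed default, every deployment that leaves `secret` unset shares a publicly known key. Either way the export should drop the `default` key for `secret`, and the description should read something like `The secret that is used in keyed HMAC generation. Set this explicitly; do not rely on a default.` Separately, the `request_headers` description repeats the `response_headers` wording (`in the response to the downstream`) and should describe the request side.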
@@ -0,0 +1,448 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "description": "A set of strings representing protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com.", + "default": "localhost" + } + }, + { + "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "prefix": { + "type": "string", + "description": "String to prefix to each metric's name.", + "default": "kong" + } + }, + { + "metrics": { + "type": "array", + "elements": { + "fields": [ + { + "name": { + "required": true, + "type": "string", + "one_of": [ + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "status_count", + "status_count_per_user", + "unique_users", + "upstream_latency", + "status_count_per_workspace", + "status_count_per_user_per_route", + "shdict_usage", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + } + }, + { + "stat_type": { + "required": true, + "type": "string", + "one_of": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ] + } + }, + { + "sample_rate": { + "type": "number", + "gt": 0 + } + }, + { + "consumer_identifier": { + "type": "string", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + }, + { + 
"service_identifier": { + "type": "string", + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ] + } + }, + { + "workspace_identifier": { + "type": "string", + "one_of": [ + "workspace_id", + "workspace_name" + ] + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "name", + "if_match": { + "one_of": [ + "unique_users" + ] + }, + "then_field": "stat_type", + "then_match": { + "eq": "set" + } + } + }, + { + "conditional": { + "if_field": "name", + "if_match": { + "one_of": [ + "request_count", + "status_count", + "request_per_user", + "status_count_per_user", + "status_count_per_workspace", + "status_count_per_user_per_route", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + }, + "then_field": "stat_type", + "then_match": { + "eq": "counter" + } + } + }, + { + "conditional": { + "if_field": "name", + "if_match": { + "one_of": [ + "shdict_usage" + ] + }, + "then_field": "stat_type", + "then_match": { + "eq": "gauge" + } + } + }, + { + "conditional": { + "if_field": "stat_type", + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_field": "sample_rate", + "then_match": { + "required": true + } + } + } + ], + "type": "record" + }, + "description": "List of Metrics to be logged.", + "default": [ + { + "stat_type": "counter", + "name": "request_count", + "sample_rate": 1 + }, + { + "name": "latency", + "stat_type": "timer" + }, + { + "name": "request_size", + "stat_type": "timer" + }, + { + "stat_type": "counter", + "name": "status_count", + "sample_rate": 1 + }, + { + "name": "response_size", + "stat_type": "timer" + }, + { + "name": "unique_users", + "stat_type": "set" + }, + { + "stat_type": "counter", + "name": "request_per_user", + "sample_rate": 1 + }, + { + "name": "upstream_latency", + "stat_type": "timer" + }, + { + "name": "kong_latency", + "stat_type": "timer" + }, + { + "stat_type": "counter", + "name": "status_count_per_user", + "sample_rate": 1 + }, + { + 
"stat_type": "counter", + "name": "status_count_per_workspace", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "status_count_per_user_per_route", + "sample_rate": 1 + }, + { + "stat_type": "gauge", + "name": "shdict_usage", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "cache_datastore_hits_total", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "cache_datastore_misses_total", + "sample_rate": 1 + } + ] + } + }, + { + "allow_status_codes": { + "elements": { + "type": "string", + "match": "^[0-9]+-[0-9]+$" + }, + "type": "array", + "description": "List of status code ranges that are allowed to be logged in metrics." + } + }, + { + "udp_packet_size": { + "default": 0, + "type": "number", + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", + "between": [ + 0, + 65507 + ] + } + }, + { + "use_tcp": { + "type": "boolean", + "description": "Use TCP instead of UDP.", + "default": false + } + }, + { + "hostname_in_prefix": { + "type": "boolean", + "description": "Include the `hostname` in the `prefix` for each metric name.", + "default": false + } + }, + { + "consumer_identifier_default": { + "default": "custom_id", + "required": true, + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", + "type": "string", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + }, + { + "service_identifier_default": { + "default": "service_name_or_host", + "required": true, + "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. 
Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", + "type": "string", + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ] + } + }, + { + "workspace_identifier_default": { + "default": "workspace_id", + "required": true, + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", + "type": "string", + "one_of": [ + "workspace_id", + "workspace_name" + ] + } + }, + { + "queue": { + "fields": [ + { + "max_batch_size": { + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_coalescing_delay": { + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "between": [ + 0, + 3600 + ] + } + }, + { + "max_entries": { + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." 
+ } + }, + { + "max_retry_time": { + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60 + } + }, + { + "initial_retry_delay": { + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ] + } + }, + { + "max_retry_delay": { + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/statsd/3.8.x.json b/schemas/statsd/3.8.x.json new file mode 100644 index 00000000..b2741422 --- /dev/null +++ b/schemas/statsd/3.8.x.json 
@@ -0,0 +1,443 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "description": "A set of strings representing protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "host": { + "description": "The IP address or hostname of StatsD server to send data to.", + "type": "string", + "default": "localhost" + } + }, + { + "port": { + "default": 8125, + "description": "The port of StatsD server to send data to.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "prefix": { + "description": "String to prefix to each metric's name.", + "type": "string", + "default": "kong" + } + }, + { + "metrics": { + "description": "List of metrics to be logged.", + "elements": { + "fields": [ + { + "name": { + "required": true, + "description": "StatsD metric’s name.", + "type": "string", + "one_of": [ + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "status_count", + "status_count_per_user", + "unique_users", + "upstream_latency", + "status_count_per_workspace", + "status_count_per_user_per_route", + "shdict_usage", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + } + }, + { + "stat_type": { + "required": true, + "description": "Determines what sort of event a metric represents.", + "type": "string", + "one_of": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ] + } + }, + { + "sample_rate": { + "description": "Sampling rate", + "type": 
"number", + "gt": 0 + } + }, + { + "consumer_identifier": { + "description": "Authenticated user detail.", + "type": "string", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + }, + { + "service_identifier": { + "description": "Service detail.", + "type": "string", + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ] + } + }, + { + "workspace_identifier": { + "description": "Workspace detail.", + "type": "string", + "one_of": [ + "workspace_id", + "workspace_name" + ] + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "stat_type", + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_field": "sample_rate", + "then_match": { + "required": true + } + } + } + ], + "type": "record" + }, + "type": "array", + "default": [ + { + "stat_type": "counter", + "name": "request_count", + "sample_rate": 1 + }, + { + "name": "latency", + "stat_type": "timer" + }, + { + "stat_type": "counter", + "name": "request_size", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "status_count", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "response_size", + "sample_rate": 1 + }, + { + "stat_type": "set", + "name": "unique_users" + }, + { + "stat_type": "counter", + "name": "request_per_user", + "sample_rate": 1 + }, + { + "name": "upstream_latency", + "stat_type": "timer" + }, + { + "name": "kong_latency", + "stat_type": "timer" + }, + { + "stat_type": "counter", + "name": "status_count_per_user", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "status_count_per_workspace", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "status_count_per_user_per_route", + "sample_rate": 1 + }, + { + "stat_type": "gauge", + "name": "shdict_usage", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "cache_datastore_hits_total", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "cache_datastore_misses_total", + 
"sample_rate": 1 + } + ] + } + }, + { + "allow_status_codes": { + "elements": { + "type": "string", + "match": "^[0-9]+-[0-9]+$" + }, + "description": "List of status code ranges that are allowed to be logged in metrics.", + "type": "array" + } + }, + { + "udp_packet_size": { + "default": 0, + "type": "number", + "between": [ + 0, + 65507 + ] + } + }, + { + "use_tcp": { + "type": "boolean", + "default": false + } + }, + { + "hostname_in_prefix": { + "type": "boolean", + "default": false + } + }, + { + "consumer_identifier_default": { + "required": true, + "default": "custom_id", + "type": "string", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + }, + { + "service_identifier_default": { + "required": true, + "default": "service_name_or_host", + "type": "string", + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ] + } + }, + { + "workspace_identifier_default": { + "required": true, + "default": "workspace_id", + "type": "string", + "one_of": [ + "workspace_id", + "workspace_name" + ] + } + }, + { + "retry_count": { + "type": "integer", + "deprecation": { + "old_default": 10, + "removal_in_version": "4.0", + "message": "statsd: config.retry_count no longer works, please use config.queue.max_retry_time instead" + } + } + }, + { + "queue_size": { + "type": "integer", + "deprecation": { + "old_default": 1, + "removal_in_version": "4.0", + "message": "statsd: config.queue_size is deprecated, please use config.queue.max_batch_size instead" + } + } + }, + { + "flush_timeout": { + "type": "number", + "deprecation": { + "old_default": 2, + "removal_in_version": "4.0", + "message": "statsd: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead" + } + } + }, + { + "tag_style": { + "required": false, + "type": "string", + "one_of": [ + "dogstatsd", + "influxdb", + "librato", + "signalfx" + ] + } + }, + { + "queue": { + "fields": [ + { + "max_batch_size": { + "default": 1, + "type": 
"integer", + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_coalescing_delay": { + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "between": [ + 0, + 3600 + ] + } + }, + { + "max_entries": { + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + } + }, + { + "max_retry_time": { + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60 + } + }, + { + "initial_retry_delay": { + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ] + } + }, + { + "max_retry_delay": { + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/syslog/3.8.x.json b/schemas/syslog/3.8.x.json new file mode 100644 index 00000000..b6825600 --- /dev/null +++ b/schemas/syslog/3.8.x.json 
@@ -0,0 +1,164 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "description": "A set of strings representing protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "log_level": { + "required": true, + "default": "info", + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "successful_severity": { + "required": true, + "default": "info", + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "client_errors_severity": { + "required": true, + "default": "info", + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "server_errors_severity": { + "required": true, + "default": "info", + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "custom_fields_by_lua": { + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map", + "description": "Lua code as a key-value map", + "values": { + "type": "string", + "len_min": 1 + } + } + }, + { + "facility": { + "default": "user", + "required": true, + "description": "The facility is used by the operating system to decide how to handle each log message.", + "type": "string", + "one_of": [ + "auth", + "authpriv", + "cron", + "daemon", + "ftp", + "kern", + "lpr", + 
"mail", + "news", + "syslog", + "user", + "uucp", + "local0", + "local1", + "local2", + "local3", + "local4", + "local5", + "local6", + "local7" + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/tcp-log/3.8.x.json b/schemas/tcp-log/3.8.x.json new file mode 100644 index 00000000..ac50f9ad --- /dev/null +++ b/schemas/tcp-log/3.8.x.json 
@@ -0,0 +1,112 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "description": "A set of strings representing protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "host": { + "required": true, + "type": "string", + "description": "The IP address or host name to send data to." + } + }, + { + "port": { + "required": true, + "description": "The port to send data to on the upstream server.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "type": "number", + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "default": 10000 + } + }, + { + "keepalive": { + "type": "number", + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "default": 60000 + } + }, + { + "tls": { + "required": true, + "type": "boolean", + "description": "Indicates whether to perform a TLS handshake against the remote server.", + "default": false + } + }, + { + "tls_sni": { + "type": "string", + "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake." 
+ } + }, + { + "custom_fields_by_lua": { + "values": { + "type": "string", + "len_min": 1 + }, + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", + "type": "map", + "keys": { + "type": "string", + "len_min": 1 + } + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/tls-handshake-modifier/3.8.x.json b/schemas/tls-handshake-modifier/3.8.x.json new file mode 100644 index 00000000..b200a2ad --- /dev/null +++ b/schemas/tls-handshake-modifier/3.8.x.json @@ -0,0 +1,60 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "required": true, + "elements": { + "type": "string", + "one_of": [ + "https", + "grpcs", + "tls" + ] + }, + "type": "set", + "default": [ + "https", + "grpcs" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "tls_client_certificate": { + "default": "REQUEST", + "required": false, + "description": "TLS Client Certificate", + "type": "string", + "one_of": [ + "REQUEST" + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/tls-metadata-headers/3.8.x.json b/schemas/tls-metadata-headers/3.8.x.json new file mode 100644 index 00000000..507b8f50 --- /dev/null +++ b/schemas/tls-metadata-headers/3.8.x.json 
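Review bot: `config.tls` in the tcp-log schema defaults to `false`, so unless the operator opts in, log data goes to `host`:`port` over plain TCP, and the description does not say so. I would spell out the consequence: `"description": "Indicates whether to perform a TLS handshake against the remote server. When false (the default), log data is sent unencrypted."`. The schema shows `tls_sni` but no field for verifying the server certificate, so this file does not say whether the handshake is authenticated. That is worth confirming and documenting next to `tls_sni`.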
@@ -0,0 +1,96 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "required": true, + "elements": { + "type": "string", + "one_of": [ + "https", + "grpcs", + "tls" + ] + }, + "type": "set", + "default": [ + "https", + "grpcs" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "inject_client_cert_details": { + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", + "type": "boolean", + "default": false + } + }, + { + "client_cert_header_name": { + "required": true, + "type": "string", + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", + "default": "X-Client-Cert" + } + }, + { + "client_serial_header_name": { + "required": true, + "type": "string", + "description": "Define the HTTP header name used for the serial number of the client certificate.", + "default": "X-Client-Cert-Serial" + } + }, + { + "client_cert_issuer_dn_header_name": { + "required": true, + "type": "string", + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", + "default": "X-Client-Cert-Issuer-DN" + } + }, + { + "client_cert_subject_dn_header_name": { + "required": true, + "type": "string", + "description": "Define the HTTP header name used for the subject DN of the client certificate.", + "default": "X-Client-Cert-Subject-DN" + } + }, + { + "client_cert_fingerprint_header_name": { + "required": true, + "type": "string", + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", + "default": "X-Client-Cert-Fingerprint" + } + } + ], + "type": "record", + 
"required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/udp-log/3.8.x.json b/schemas/udp-log/3.8.x.json new file mode 100644 index 00000000..fd6c991c --- /dev/null +++ b/schemas/udp-log/3.8.x.json @@ -0,0 +1,91 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "description": "A set of strings representing protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "host": { + "required": true, + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "timeout": { + "type": "number", + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "default": 10000 + } + }, + { + "custom_fields_by_lua": { + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map", + "description": "Lua code as a key-value map", + "values": { + "type": "string", + "len_min": 1 + } + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/upstream-timeout/3.8.x.json b/schemas/upstream-timeout/3.8.x.json new file mode 100644 index 00000000..5db2c5aa --- /dev/null +++ b/schemas/upstream-timeout/3.8.x.json 
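Review bot: None of the `client_*_header_name` descriptions in tls-metadata-headers say what happens when the incoming request already carries a header with the configured name (defaults `X-Client-Cert`, `X-Client-Cert-Serial`, and so on). An upstream that trusts these headers needs to know that client-supplied values cannot reach it, so the behaviour should be stated on `inject_client_cert_details`, for example by appending `"Any header of the same name sent by the client is <overwritten | passed through — confirm against the plugin>."`. Separately, `client_cert_fingerprint_header_name` documents a SHA1 fingerprint, and the description should tell consumers to treat it as an identifier rather than as proof of certificate validity.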
@@ -0,0 +1,75 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/vault-auth/3.8.x.json b/schemas/vault-auth/3.8.x.json new file mode 100644 index 00000000..515b0d93 --- /dev/null +++ b/schemas/vault-auth/3.8.x.json 
@@ -0,0 +1,112 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "access_token_name": { + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "required": true, + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "type": "string", + "default": "access_token" + } + }, + { + "secret_token_name": { + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "required": true, + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." 
+ }, + "type": "string", + "default": "secret_token" + } + }, + { + "vault": { + "required": true, + "type": "foreign", + "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", + "reference": "vault_auth_vaults" + } + }, + { + "hide_credentials": { + "type": "boolean", + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", + "default": false + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "tokens_in_body": { + "type": "boolean", + "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "default": false + } + }, + { + "run_on_preflight": { + "type": "boolean", + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "default": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/websocket-size-limit/3.8.x.json b/schemas/websocket-size-limit/3.8.x.json new file mode 100644 index 00000000..e6aaf3fc --- /dev/null +++ b/schemas/websocket-size-limit/3.8.x.json 
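Review bot: `hide_credentials` in vault-auth defaults to `false`, so by the field's own description the access and secret tokens stay in the header or querystring and are proxied to the upstream service unless the operator changes it. The description should make that default explicit, e.g. by appending `"By default the credential is forwarded to the upstream unchanged; set to true unless the upstream needs it."`. `access_token_name` and `secret_token_name` are also inconsistent: they declare `"type": "string"` but carry an `elements` block and are described as "an array of comma-separated parameter names", so a reader cannot tell which shape is accepted. In `tokens_in_body`, `application/www-form-urlencoded` looks like a typo for `application/x-www-form-urlencoded`.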
@@ -0,0 +1,68 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "elements": { + "type": "string", + "one_of": [ + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "client_max_payload": { + "required": false, + "type": "integer", + "between": [ + 1, + 33554432 + ] + } + }, + { + "upstream_max_payload": { + "required": false, + "type": "integer", + "between": [ + 1, + 33554432 + ] + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "client_max_payload", + "upstream_max_payload" + ] + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/websocket-validator/3.8.x.json b/schemas/websocket-validator/3.8.x.json new file mode 100644 index 00000000..635cffa7 --- /dev/null +++ b/schemas/websocket-validator/3.8.x.json 
@@ -0,0 +1,220 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "elements": { + "type": "string", + "one_of": [ + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "ws", + "wss" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "client": { + "required": false, + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } + ], + "type": "record", + "fields": [ + { + "text": { + "required": false, + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "type": "record", + "fields": [ + { + "type": { + "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", + "one_of": [ + "draft4" + ] + } + }, + { + "schema": { + "required": true, + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + } + } + ] + } + }, + { + "binary": { + "required": false, + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "type": "record", + "fields": [ + { + "type": { + "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", + "one_of": [ + "draft4" + ] + } + }, + { + "schema": { + "required": true, + "description": "Schema used to validate upstream-originated binary frames. 
The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + } + } + ] + } + } + ] + } + }, + { + "upstream": { + "required": false, + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } + ], + "type": "record", + "fields": [ + { + "text": { + "required": false, + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "type": "record", + "fields": [ + { + "type": { + "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", + "one_of": [ + "draft4" + ] + } + }, + { + "schema": { + "required": true, + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + } + } + ] + } + }, + { + "binary": { + "required": false, + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "type": "record", + "fields": [ + { + "type": { + "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", + "one_of": [ + "draft4" + ] + } + }, + { + "schema": { + "required": true, + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + } + } + ] + } + } + ] + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "client", + "upstream" + ] + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/xml-threat-protection/3.8.x.json b/schemas/xml-threat-protection/3.8.x.json new file mode 100644 index 00000000..56b5cdf3 
--- /dev/null +++ b/schemas/xml-threat-protection/3.8.x.json 
@@ -0,0 +1,300 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "checked_content_types": { + "type": "set", + "required": true, + "elements": { + "required": true, + "type": "string", + "match": "^[^%s]+%/[^ ;]+$" + }, + "description": "A list of Content-Type values with payloads that must be validated.", + "default": [ + "application/xml" + ] + } + }, + { + "allowed_content_types": { + "type": "set", + "required": true, + "elements": { + "required": true, + "type": "string", + "match": "^[^%s]+%/[^ ;]+$" + }, + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", + "default": [ + + ] + } + }, + { + "allow_dtd": { + "required": true, + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", + "type": "boolean", + "default": false + } + }, + { + "namespace_aware": { + "required": true, + "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", + "type": "boolean", + "default": true + } + }, + { + "max_depth": { + "gt": 0, + "required": true, + "type": "integer", + "description": "Maximum depth of tags. 
Child elements such as Text or Comments are not counted as another level.", + "default": 50 + } + }, + { + "max_children": { + "gt": 0, + "required": true, + "type": "integer", + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", + "default": 100 + } + }, + { + "max_attributes": { + "gt": 0, + "required": true, + "type": "integer", + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", + "default": 100 + } + }, + { + "max_namespaces": { + "gt": 0, + "required": false, + "type": "integer", + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", + "default": 20 + } + }, + { + "document": { + "gt": 0, + "required": true, + "description": "Maximum size of the entire document.", + "type": "integer", + "default": 10485760 + } + }, + { + "buffer": { + "gt": 0, + "required": true, + "description": "Maximum size of the unparsed buffer (see below).", + "type": "integer", + "default": 1048576 + } + }, + { + "comment": { + "gt": 0, + "required": true, + "description": "Maximum size of comments.", + "type": "integer", + "default": 1024 + } + }, + { + "localname": { + "gt": 0, + "required": true, + "description": "Maximum size of the localname. This applies to tags and attributes.", + "type": "integer", + "default": 1024 + } + }, + { + "prefix": { + "gt": 0, + "required": false, + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", + "type": "integer", + "default": 1024 + } + }, + { + "namespaceuri": { + "gt": 0, + "required": false, + "description": "Maximum size of the namespace URI. 
This value is required if parsing is namespace-aware.", + "type": "integer", + "default": 1024 + } + }, + { + "attribute": { + "gt": 0, + "required": true, + "description": "Maximum size of the attribute value.", + "type": "integer", + "default": 1048576 + } + }, + { + "text": { + "gt": 0, + "required": true, + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", + "type": "integer", + "default": 1048576 + } + }, + { + "pitarget": { + "gt": 0, + "required": true, + "description": "Maximum size of processing instruction targets.", + "type": "integer", + "default": 1024 + } + }, + { + "pidata": { + "gt": 0, + "required": true, + "description": "Maximum size of processing instruction data.", + "type": "integer", + "default": 1024 + } + }, + { + "entityname": { + "gt": 0, + "required": true, + "description": "Maximum size of entity names in EntityDecl.", + "type": "integer", + "default": 1024 + } + }, + { + "entity": { + "gt": 0, + "required": true, + "description": "Maximum size of entity values in EntityDecl.", + "type": "integer", + "default": 1024 + } + }, + { + "entityproperty": { + "gt": 0, + "required": true, + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", + "type": "integer", + "default": 1024 + } + }, + { + "bla_max_amplification": { + "gt": 1, + "required": true, + "type": "number", + "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", + "default": 100 + } + }, + { + "bla_threshold": { + "gt": 1024, + "required": true, + "description": "Sets the threshold after which the protection starts. 
This protects against the Billion Laughs Attack.", + "type": "integer", + "default": 8388608 + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "namespace_aware", + "if_match": { + "eq": true + }, + "then_field": "max_namespaces", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "namespace_aware", + "if_match": { + "eq": true + }, + "then_field": "prefix", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "namespace_aware", + "if_match": { + "eq": true + }, + "then_field": "namespaceuri", + "then_match": { + "required": true + } + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/zipkin/3.8.x.json b/schemas/zipkin/3.8.x.json new file mode 100644 index 00000000..389af427 --- /dev/null +++ b/schemas/zipkin/3.8.x.json 
@@ -0,0 +1,410 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "description": "A set of strings representing protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "local_service_name": { + "required": true, + "type": "string", + "description": "The name of the service as displayed in Zipkin.", + "default": "kong" + } + }, + { + "http_endpoint": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "sample_ratio": { + "default": 0.001, + "type": "number", + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", + "between": [ + 0, + 1 + ] + } + }, + { + "default_service_name": { + "type": "string", + "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans." 
+ } + }, + { + "include_credential": { + "required": true, + "type": "boolean", + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", + "default": true + } + }, + { + "traceid_byte_count": { + "default": 16, + "required": true, + "type": "integer", + "description": "The length in bytes of each request's Trace ID.", + "one_of": [ + 8, + 16 + ] + } + }, + { + "header_type": { + "default": "preserve", + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", + "required": true, + "deprecation": { + "old_default": "preserve", + "message": "zipkin: config.header_type is deprecated, please use config.propagation options instead", + "removal_in_version": "4.0" + }, + "type": "string", + "one_of": [ + "preserve", + "ignore", + "b3", + "b3-single", + "w3c", + "jaeger", + "ot", + "aws", + "datadog", + "gcp" + ] + } + }, + { + "default_header_type": { + "default": "b3", + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. 
When `header_type` is set to any other value, `default_header_type` is ignored.", + "required": true, + "deprecation": { + "old_default": "b3", + "message": "zipkin: config.default_header_type is deprecated, please use config.propagation.default_format instead", + "removal_in_version": "4.0" + }, + "type": "string", + "one_of": [ + "b3", + "b3-single", + "w3c", + "jaeger", + "ot", + "aws", + "datadog", + "gcp" + ] + } + }, + { + "tags_header": { + "required": true, + "type": "string", + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", + "default": "Zipkin-Tags" + } + }, + { + "static_tags": { + "elements": { + "type": "record", + "fields": [ + { + "name": { + "required": true, + "type": "string", + "not_one_of": [ + "error", + "http.method", + "http.path", + "http.status_code", + "kong.balancer.state", + "kong.balancer.try", + "kong.consumer", + "kong.credential", + "kong.node.id", + "kong.route", + "kong.service", + "lc", + "peer.hostname" + ] + } + }, + { + "value": { + "required": true, + "type": "string" + } + } + ] + }, + "type": "array", + "description": "The tags specified on this property will be added to the generated request traces." + } + }, + { + "http_span_name": { + "default": "method", + "required": true, + "type": "string", + "description": "Specify whether to include the HTTP path in the span name.", + "one_of": [ + "method", + "method_path" + ] + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "http_response_header_for_traceid": { + "type": "string" + } + }, + { + "phase_duration_flavor": { + "default": "annotations", + "required": true, + "type": "string", + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", + "one_of": [ + "annotations", + "tags" + ] + } + }, + { + "queue": { + "fields": [ + { + "max_batch_size": { + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_coalescing_delay": { + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "between": [ + 0, + 3600 + ] + } + }, + { + "max_entries": { + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ] + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." 
+ } + }, + { + "max_retry_time": { + "type": "number", + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60 + } + }, + { + "initial_retry_delay": { + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ] + } + }, + { + "max_retry_delay": { + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "propagation": { + "fields": [ + { + "extract": { + "elements": { + "type": "string", + "one_of": [ + "b3", + "gcp", + "jaeger", + "aws", + "ot", + "w3c", + "datadog" + ] + }, + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "type": "array" + } + }, + { + "clear": { + "elements": { + "type": "string" + }, + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", + "type": "array" + } + }, + { + "inject": { + "elements": { + "type": "string", + "one_of": [ + "preserve", + "b3", + "gcp", + "b3-single", + "jaeger", + "aws", + "ot", + "w3c", + "datadog" + ] + }, + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. 
If left empty, Kong will not inject any tracing context information in outgoing requests.", + "type": "array" + } + }, + { + "default_format": { + "required": true, + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "type": "string", + "one_of": [ + "b3", + "gcp", + "b3-single", + "jaeger", + "aws", + "ot", + "w3c", + "datadog" + ] + } + } + ], + "required": true, + "type": "record", + "default": { + "default_format": "b3" + } + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file From b690fe903ba1f00d3c63890900773fad797dfabf Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Mon, 3 Jun 2024 16:31:25 +0200 Subject: [PATCH 052/165] Add a command that copies the latest schemas --- lib/schema_copier.rb | 35 +++++++++++++++++++++++++++++++++++ plugins | 15 +++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 lib/schema_copier.rb diff --git a/lib/schema_copier.rb b/lib/schema_copier.rb new file mode 100644 index 00000000..abd7dfef --- /dev/null +++ b/lib/schema_copier.rb 
@@ -0,0 +1,35 @@
+require 'fileutils'
+
+class SchemaCopier
+ def self.run!(plugin:, options:)
+ new(plugin:, options:).run!
+ end
+
+ def initialize(plugin:, options:)
+ @plugin = plugin
+ @options = options
+ end
+
+ def run!
+ unless File.exist?("#{@options['source']}/#{@plugin}")
+ puts "#{@options['source']}/#{@plugin} does not exist"
+ return
+ end
+ if latest_example.nil? || !File.exist?(latest_example)
+ puts "Latest schema for #{@plugin} does not exist"
+ return
+ end
+
+ FileUtils.cp(latest_example, new_path)
+ end
+
+ private
+
+ def latest_example
+ @latest_example ||= Dir["#{@options['source']}/#{@plugin}/*.json"].sort.last
+ end
+
+ def new_path
+ [@options['source'], @plugin, "#{@options[:version]}.json"].join('/')
+ end
+end
diff --git a/plugins b/plugins
index 2820a809..46525e67 100755
--- a/plugins
+++ b/plugins
@@ -3,6 +3,7 @@
 require 'thor'
 require_relative 'lib/schema_downloader'
 require_relative 'lib/example_validator'
 require_relative 'lib/example_copier'
+require_relative 'lib/schema_copier'
 require_relative 'lib/referenceable_fields'
 require_relative 'lib/plugin_priorities'
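Review bot: `latest_example` picks the newest schema with `Dir[...].sort.last`, which orders file names as strings, so once a two-digit minor exists `3.10.x.json` sorts before `3.9.x.json` and the command copies a stale schema forward. Comparing the numeric parts avoids that, e.g. `Dir["#{@options['source']}/#{@plugin}/*.json"].max_by { |f| File.basename(f, '.json').scan(/\d+/).map(&:to_i) }`. Separately, `@plugin` and the version are joined into the source and destination paths unchecked, so a value containing `/` or `..` would make `FileUtils.cp` read or write outside the schemas folder; a guard in `initialize` such as `raise ArgumentError, "invalid plugin name" unless plugin.match?(/\A[\w-]+\z/)` keeps the copy inside `source`.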
@@ -59,6 +60,20 @@ class Plugins < Thor puts 'Done!' end + desc 'copy_schemas', 'Copy latest schemas' + option :version, aliases: '-v', type: :string, required: true, default: 'index', desc: 'Kong Version' + option :plugins, aliases: '-p', type: :array, required: true, desc: 'List containing the name of the plugins' + option :source, aliases: '-s', type: :string, default: './schemas', desc: 'Source folder containing the schemas' + def copy_schemas + puts 'Copying schemas...' + + options[:plugins].each do |plugin| + SchemaCopier.run!(plugin:, options:) + end + + puts 'Done!' + end + desc 'generate_referenceable_fields_list', 'Generates a json object listing all the referenceable fields for each plugin' option :version, aliases: '-v', type: :string, required: true, desc: 'Kong Version' option :plugins, aliases: '-p', type: :array, required: true, desc: 'List containing the name of the plugins' From 9cd219a88fa2e4dcdd75058135b307a91fd82ce4 Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Mon, 3 Jun 2024 16:35:08 +0200 Subject: [PATCH 053/165] Update Readme with `copy_schemas` instructions --- README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/README.md b/README.md index c7de7186..388b933c 100644 --- a/README.md +++ b/README.md 
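Review bot: `option :version` for `copy_schemas` is declared with both `required: true` and `default: 'index'`; as far as I can tell Thor treats a defaulted option as supplied, so leaving out `--version` would not fail but would copy the latest schema to `index.json`. The README text added in the next patch calls the version required, and the neighbouring `generate_referenceable_fields_list` declares it without a default, so the same form fits here: `option :version, aliases: '-v', type: :string, required: true, desc: 'Kong Version'`. The enclosing `Plugins` class starts and ends outside this hunk.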
@@ -113,6 +113,22 @@ For example, running: ``` generates a file `./data/priorities/ee/3.4.x.json` containing a list of plugins and their corresponded priorities order by priority (desc). +### Copy Schemas + +Copies the last (ordered by version) schema file stored in `//` and writes it to `//`. + +| Options | Descriptions | +|--------------------------- |-----| +| `version` | **Required**. Kong Gateway release version, e.g. `3.3.x`. The new example file is named after it. | +| `plugins` | **Required**. Space separated list of plugins to use, .e.g. `acme acl`. | +| `source` | Path to the root folder containing the exisitng examples. Default: `./schemas`. | + +For example, running: +```bash +./plugins copy_schemas --version 3.5.x --plugins acme +``` +copies the previous schema (assuming the previous version is `3.4.x`, it copies `./schemas/acme/3.4.x.json`) and generates a new file `./schemas/acme/3.5.x.json` + ## Updating the repo after a new release Whenever a new version of Kong Gateway is released, we need run the following commands in order. For all of them, specify all the plugins `--plugins $(ls ./schemas)` From 8b34c6a8c055220cec7b01ae0e5466bd7b2fb08b Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Wed, 5 Jun 2024 08:42:41 +0200 Subject: [PATCH 054/165] Add plugin priorities and referenceable fields for 3.8.x --- data/priorities/ee/3.8.x.json | 82 +++++++++++ data/priorities/oss/3.8.x.json | 45 ++++++ data/referenceable_fields/3.8.x.json | 203 +++++++++++++++++++++++++++ 3 files changed, 330 insertions(+) create mode 100644 data/priorities/ee/3.8.x.json create mode 100644 data/priorities/oss/3.8.x.json create mode 100644 data/referenceable_fields/3.8.x.json diff --git a/data/priorities/ee/3.8.x.json b/data/priorities/ee/3.8.x.json new file mode 100644 index 00000000..8c1de9a7 --- /dev/null +++ b/data/priorities/ee/3.8.x.json 
@@ -0,0 +1,82 @@ +{ + "pre-function": 1000000, + "app-dynamics": 999999, + "correlation-id": 100001, + "zipkin": 100000, + "exit-transformer": 9999, + "bot-detection": 2500, + "cors": 2000, + "jwe-decrypt": 1999, + "session": 1900, + "acme": 1705, + "oauth2-introspection": 1700, + "mtls-auth": 1600, + "degraphql": 1500, + "jwt": 1450, + "oauth2": 1400, + "vault-auth": 1350, + "key-auth": 1250, + "key-auth-enc": 1250, + "ldap-auth": 1200, + "ldap-auth-advanced": 1200, + "basic-auth": 1100, + "openid-connect": 1050, + "hmac-auth": 1030, + "jwt-signer": 1020, + "saml": 1010, + "request-validator": 999, + "websocket-size-limit": 999, + "websocket-validator": 999, + "xml-threat-protection": 999, + "grpc-gateway": 998, + "tls-handshake-modifier": 997, + "tls-metadata-headers": 996, + "application-registration": 995, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "opa": 920, + "rate-limiting": 910, + "rate-limiting-advanced": 910, + "graphql-rate-limiting-advanced": 902, + "response-ratelimiting": 900, + "oas-validation": 850, + "route-by-header": 850, + "jq": 811, + "request-transformer-advanced": 802, + "request-transformer": 801, + "response-transformer": 800, + "response-transformer-advanced": 800, + "route-transformer-advanced": 780, + "ai-request-transformer": 777, + "ai-prompt-template": 773, + "ai-prompt-decorator": 772, + "ai-prompt-guard": 771, + "ai-proxy": 770, + "ai-response-transformer": 769, + "kafka-upstream": 751, + "aws-lambda": 750, + "azure-functions": 749, + "upstream-timeout": 400, + "proxy-cache": 100, + "proxy-cache-advanced": 100, + "graphql-proxy-cache-advanced": 99, + "forward-proxy": 50, + "canary": 20, + "opentelemetry": 14, + "prometheus": 13, + "http-log": 12, + "statsd": 11, + "statsd-advanced": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "kafka-log": 5, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "mocking": -1, + "post-function": -1000 +} \ No newline at 
end of file diff --git a/data/priorities/oss/3.8.x.json b/data/priorities/oss/3.8.x.json new file mode 100644 index 00000000..f1d4cd82 --- /dev/null +++ b/data/priorities/oss/3.8.x.json @@ -0,0 +1,45 @@ +{ + "pre-function": 1000000, + "zipkin": 100000, + "bot-detection": 2500, + "cors": 2000, + "session": 1900, + "acme": 1705, + "jwt": 1450, + "oauth2": 1400, + "key-auth": 1250, + "ldap-auth": 1200, + "basic-auth": 1100, + "hmac-auth": 1030, + "grpc-gateway": 998, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "rate-limiting": 910, + "response-ratelimiting": 900, + "request-transformer": 801, + "response-transformer": 800, + "ai-request-transformer": 777, + "ai-prompt-template": 773, + "ai-prompt-decorator": 772, + "ai-prompt-guard": 771, + "ai-proxy": 770, + "ai-response-transformer": 769, + "aws-lambda": 750, + "azure-functions": 749, + "proxy-cache": 100, + "opentelemetry": 14, + "prometheus": 13, + "http-log": 12, + "statsd": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "correlation-id": 1, + "post-function": -1000 +} \ No newline at end of file diff --git a/data/referenceable_fields/3.8.x.json b/data/referenceable_fields/3.8.x.json new file mode 100644 index 00000000..0d023ee6 --- /dev/null +++ b/data/referenceable_fields/3.8.x.json 
@@ -0,0 +1,203 @@ +{ + "acme": [ + "config.account_email", + "config.eab_kid", + "config.eab_hmac_key", + "config.storage_config.redis.username", + "config.storage_config.redis.password", + "config.storage_config.consul.token", + "config.storage_config.vault.token" + ], + "ai-azure-content-safety": [ + "config.content_safety_url", + "config.content_safety_key" + ], + "ai-proxy": [ + "config.auth.header_name", + "config.auth.header_value", + "config.auth.param_name", + "config.auth.param_value", + "config.auth.azure_client_id", + "config.auth.azure_client_secret", + "config.auth.azure_tenant_id" + ], + "ai-rate-limiting-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "ai-request-transformer": [ + "config.llm.auth.header_name", + "config.llm.auth.header_value", + "config.llm.auth.param_name", + "config.llm.auth.param_value", + "config.llm.auth.azure_client_id", + "config.llm.auth.azure_client_secret", + "config.llm.auth.azure_tenant_id" + ], + "ai-response-transformer": [ + "config.llm.auth.header_name", + "config.llm.auth.header_value", + "config.llm.auth.param_name", + "config.llm.auth.param_value", + "config.llm.auth.azure_client_id", + "config.llm.auth.azure_client_secret", + "config.llm.auth.azure_tenant_id" + ], + "aws-lambda": [ + "config.aws_key", + "config.aws_secret", + "config.aws_assume_role_arn" + ], + "azure-functions": [ + "config.apikey", + "config.clientid" + ], + "datadog": [ + "config.host" + ], + "datadog-tracing": [ + "config.endpoint" + ], + "forward-proxy": [ + "config.auth_username", + "config.auth_password" + ], + "graphql-proxy-cache-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "graphql-rate-limiting-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + 
"http-log": [ + "config.http_endpoint", + "config.headers" + ], + "jwt-signer": [ + "config.access_token_keyset_client_username", + "config.access_token_keyset_client_password", + "config.access_token_jwks_uri_client_username", + "config.access_token_jwks_uri_client_password", + "config.channel_token_keyset_client_username", + "config.channel_token_keyset_client_password", + "config.channel_token_jwks_uri_client_username", + "config.channel_token_jwks_uri_client_password" + ], + "kafka-log": [ + "config.authentication.user", + "config.authentication.password" + ], + "kafka-upstream": [ + "config.authentication.user", + "config.authentication.password" + ], + "konnect-application-auth": [ + "config.v2_strategies.openid_connect.config.client_id", + "config.v2_strategies.openid_connect.config.client_secret", + "config.v2_strategies.openid_connect.config.client_jwk.k", + "config.v2_strategies.openid_connect.config.client_jwk.d", + "config.v2_strategies.openid_connect.config.client_jwk.p", + "config.v2_strategies.openid_connect.config.client_jwk.q", + "config.v2_strategies.openid_connect.config.client_jwk.dp", + "config.v2_strategies.openid_connect.config.client_jwk.dq", + "config.v2_strategies.openid_connect.config.client_jwk.qi", + "config.v2_strategies.openid_connect.config.client_jwk.oth", + "config.v2_strategies.openid_connect.config.client_jwk.r", + "config.v2_strategies.openid_connect.config.client_jwk.t", + "config.v2_strategies.openid_connect.config.login_redirect_uri", + "config.v2_strategies.openid_connect.config.logout_redirect_uri", + "config.v2_strategies.openid_connect.config.scopes", + "config.v2_strategies.openid_connect.config.introspection_headers_values", + "config.v2_strategies.openid_connect.config.session_secret", + "config.v2_strategies.openid_connect.config.session_redis_username", + "config.v2_strategies.openid_connect.config.session_redis_password" + ], + "ldap-auth-advanced": [ + "config.ldap_password", + "config.bind_dn" + ], + "loggly": [ + 
"config.key" + ], + "oauth2-introspection": [ + "config.authorization_value" + ], + "openid-connect": [ + "config.client_id", + "config.client_secret", + "config.client_jwk.k", + "config.client_jwk.d", + "config.client_jwk.p", + "config.client_jwk.q", + "config.client_jwk.dp", + "config.client_jwk.dq", + "config.client_jwk.qi", + "config.client_jwk.oth", + "config.client_jwk.r", + "config.client_jwk.t", + "config.login_redirect_uri", + "config.logout_redirect_uri", + "config.scopes", + "config.introspection_headers_values", + "config.session_secret", + "config.session_redis_username", + "config.session_redis_password" + ], + "opentelemetry": [ + "config.endpoint", + "config.headers" + ], + "proxy-cache-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "rate-limiting": [ + "config.redis.username", + "config.redis.password" + ], + "rate-limiting-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "request-transformer-advanced": [ + "config.rename.body", + "config.rename.headers", + "config.rename.querystring", + "config.replace.body", + "config.replace.headers", + "config.replace.querystring", + "config.add.body", + "config.add.headers", + "config.add.querystring", + "config.append.body", + "config.append.headers", + "config.append.querystring" + ], + "response-ratelimiting": [ + "config.redis.username", + "config.redis.password" + ], + "saml": [ + "config.idp_certificate", + "config.response_encryption_key", + "config.request_signing_key", + "config.request_signing_certificate", + "config.session_secret", + "config.session_redis_username", + "config.session_redis_password" + ], + "session": [ + "config.secret" + ] +} \ No newline at end of file From 05be7eea8195ab55d970c7b55cf8f78a8ccea399 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 12 Jun 2024 03:08:32 +0000 Subject: [PATCH 055/165] Update dependency ruby to v3.3.3 --- .ruby-version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.ruby-version b/.ruby-version index 47725433..619b5376 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -3.3.2 +3.3.3 From 605ed5c2f51592d8f659648ff20e01f51a437323 Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Thu, 23 May 2024 16:01:32 +0200 Subject: [PATCH 056/165] feat: Add Workflow (and re-usable steps) that runs the `download-schemas` command --- .github/reusable-steps/cleanup/action.yml | 8 +++ .../download-quickstart-script/action.yml | 10 ++++ .../reusable-steps/install-deps/action.yml | 10 ++++ .github/reusable-steps/run-kong-ee/action.yml | 33 ++++++++++++ .../reusable-steps/run-kong-oss/action.yml | 21 ++++++++ .github/workflows/download-schemas.yml | 53 +++++++++++++++++++ Gemfile | 3 ++ Gemfile.lock | 14 +++++ 8 files changed, 152 insertions(+) create mode 100644 .github/reusable-steps/cleanup/action.yml create mode 100644 .github/reusable-steps/download-quickstart-script/action.yml create mode 100644 .github/reusable-steps/install-deps/action.yml create mode 100644 .github/reusable-steps/run-kong-ee/action.yml create mode 100644 .github/reusable-steps/run-kong-oss/action.yml create mode 100644 .github/workflows/download-schemas.yml create mode 100644 Gemfile create mode 100644 Gemfile.lock diff --git a/.github/reusable-steps/cleanup/action.yml b/.github/reusable-steps/cleanup/action.yml new file mode 100644 index 00000000..142b9592 --- /dev/null +++ b/.github/reusable-steps/cleanup/action.yml @@ -0,0 +1,8 @@ +name: Run Quickstart cleanup +description: Runs ./quickstart.sh -d +runs: + using: composite + steps: + - shell: bash + run: | + ./quickstart.sh -d 
diff --git a/.github/reusable-steps/download-quickstart-script/action.yml b/.github/reusable-steps/download-quickstart-script/action.yml new file mode 100644 index 00000000..8d9040a5 --- /dev/null +++ b/.github/reusable-steps/download-quickstart-script/action.yml @@ -0,0 +1,10 @@ +name: Download Quickstart script +description: Downloads https://get.konghq.com/quickstart +runs: + using: composite + steps: + - name: Donwload script + shell: bash + run: | + curl -Ls get.konghq.com/quickstart -o quickstart.sh + chmod +x quickstart.sh diff --git a/.github/reusable-steps/install-deps/action.yml b/.github/reusable-steps/install-deps/action.yml new file mode 100644 index 00000000..ca3efd4a --- /dev/null +++ b/.github/reusable-steps/install-deps/action.yml @@ -0,0 +1,10 @@ +name: Install deps +runs: + using: composite + steps: + - name: Set up Ruby + shell: bash + uses: ruby/setup-ruby@v1 + with: + ruby-version: .ruby-version + bundler-cache: true diff --git a/.github/reusable-steps/run-kong-ee/action.yml b/.github/reusable-steps/run-kong-ee/action.yml new file mode 100644 index 00000000..25748628 --- /dev/null +++ b/.github/reusable-steps/run-kong-ee/action.yml 
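Review bot: The `curl -Ls get.konghq.com/quickstart -o quickstart.sh` line in the "Donwload script" step names no scheme, so curl starts over plain HTTP and presumably relies on a redirect, and without `--fail` an error page would be saved and later executed as `quickstart.sh`. That script runs in the same job that holds the Kong license and the 1Password token, so the fetch should be HTTPS-only and fail closed: `curl --fail --silent --show-error --location --proto '=https' --proto-redir '=https' https://get.konghq.com/quickstart -o quickstart.sh`. Checking the download against a checksum committed to the repository before `chmod +x` would also keep a changed upstream script from running unnoticed. The step name has a typo and should read `Download script`.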
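Review bot: The `Set up Ruby` step in `install-deps/action.yml` combines `shell: bash` with `uses: ruby/setup-ruby@v1`; `shell` belongs to `run` steps only, and as far as I know the action metadata parser rejects it on a `uses` step, so that line should be removed. The same applies to the `uses` steps in `run-kong-ee/action.yml` and `run-kong-oss/action.yml` later in this patch. This action also lacks the `description` that `cleanup` and `download-quickstart-script` have; `description: Sets up Ruby and installs the bundled gems` would match them.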
@@ -0,0 +1,33 @@ +name: Run Kong EE +inputs: + op-token: + required: true + kong-image-tag: + required: true + description: | + Kong Docker image tag to run, 3.6.1.4. + kong-image-name: + description: | + Kong Docker image name to use, e.g. kong-gateway, kong-gateway-dev. + +runs: + using: composite + steps: + - name: Download quickstart script + shell: bash + uses: ./.github/reusable-steps/download-quickstart-script + - name: Download Kong License + shell: bash + uses: Kong/kong-license@master + id: getLicense + with: + op-token: ${{ inputs.op-token }} + - name: Run Kong + shell: bash + env: + KONG_PLUGINS: 'bundled,app-dynamics' + KONG_LICENSE_DATA: ${{ steps.getLicense.outputs.license }} + KONG_IMAGE_TAG: ${{ inputs.kong-image-tag }} + KONG_IMAGE_NAME: ${{ inputs.kong-image-name }} + run: | + ./quickstart.sh -e "KONG_LICENSE_DATA" -e "KONG_PLUGINS" -e "KONG_IMAGE_TAG" -e "KONG_IMAGE_NAME" diff --git a/.github/reusable-steps/run-kong-oss/action.yml b/.github/reusable-steps/run-kong-oss/action.yml new file mode 100644 index 00000000..82e37af6 --- /dev/null +++ b/.github/reusable-steps/run-kong-oss/action.yml @@ -0,0 +1,21 @@ +name: Run Kong OSS +inputs: + kong-image-tag: + required: true + description: | + Kong Docker image tag to run, 3.6.1. + +runs: + using: composite + steps: + - name: Download quickstart script + shell: bash + uses: ./.github/reusable-steps/download-quickstart-script + - name: Run Kong + shell: bash + env: + KONG_PLUGINS: 'bundled' + KONG_IMAGE_TAG: ${{ inputs.kong-image-tag }} + KONG_IMAGE_NAME: 'kong' + run: | + ./quickstart.sh -e "KONG_PLUGINS" -e "KONG_IMAGE_TAG" -e "KONG_IMAGE_NAME" diff --git a/.github/workflows/download-schemas.yml b/.github/workflows/download-schemas.yml new file mode 100644 index 00000000..a932fc66 --- /dev/null +++ b/.github/workflows/download-schemas.yml 
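Review bot: `uses: Kong/kong-license@master` in the run-kong-ee action follows a moving branch while being handed `op-token`, so whatever lands on that branch next runs with the secret. Pinning to a reviewed commit, `uses: Kong/kong-license@<full-commit-sha>`, removes that exposure. The same applies to the tag references `ruby/setup-ruby@v1` in install-deps/action.yml and `peter-evans/create-pull-request@v6` in download-schemas.yml, the latter being the step that is meant to receive `secrets.PAT`. It is also worth confirming that the license action masks its `license` output (not visible from this hunk), since the value is exported as `KONG_LICENSE_DATA` to the downloaded quickstart script.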
@@ -0,0 +1,53 @@ +name: Download Schemas +on: + workflow_dispatch: + inputs: + kong-image-tag: + required: true + type: string + description: | + Kong Docker image tag to run, 3.6.1.4. + version: + required: true + type: string + description: | + Kong Gateway release, e.x. 3.4.x. + Used by some commands for storing files in the corresponding folder. + kong-image-name: + type: choice + description: | + Kong Docker image name to use, e.g. kong-gateway, kong-gateway-dev. + options: + - kong-gateway + - kong-gateway-dev + +jobs: + download-schemas: + runs-on: ubuntu-latest + steps: + - name: Check out repo + uses: actions/checkout@v4 + - name: Install dependencies + uses: ./.github/reusable-steps/install-deps + - name: Run Kong EE + uses: ./.github/reusable-steps/run-kong-ee + with: + op-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + kong-image-tag: ${{ github.event.inputs.kong-image-tag }} + kong-image-name: ${{ github.event.inputs.kong-image-name }} + - name: Run download_schemas + run: | + bundle exec ./plugins download_schemas --version=${{ github.event.inputs.version }} --plugins $(ls ./schemas) --verbose + - name: Create Pull Request + uses: peter-evans/create-pull-request@v6 + token: ${{ secrets.PAT }} + title: "Download Schemas for ${{ github.event.inputs.version }}" + branch: download-schemas + commit-message: "Download Schemas for ${{ github.event.inputs.version }}" + delete-branch: true + with: + add-paths: | + ./schemas/* + - name: Cleanup + if: always() + uses: ./.github/reusable-steps/cleanup diff --git a/Gemfile b/Gemfile new file mode 100644 index 00000000..028b878a --- /dev/null +++ b/Gemfile @@ -0,0 +1,3 @@ +source 'https://rubygems.org' + +gem 'thor' diff --git a/Gemfile.lock b/Gemfile.lock new file mode 100644 index 00000000..3caf6622 --- /dev/null +++ b/Gemfile.lock @@ -0,0 +1,14 @@ +GEM + remote: https://rubygems.org/ + specs: + thor (1.3.1) + +PLATFORMS + arm64-darwin-23 + ruby + +DEPENDENCIES + thor + +BUNDLED WITH + 2.5.9 
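Review bot: The `Run download_schemas` step expands `${{ github.event.inputs.version }}` directly inside the `run:` script, so the dispatch input is pasted into the shell text before bash parses it. Any shell metacharacters in it would be interpreted in a job that also uses `secrets.PAT` and `secrets.OP_SERVICE_ACCOUNT_TOKEN`. Pass the value through the environment instead: add `env:` with `VERSION: ${{ github.event.inputs.version }}` to the step and use `--version="$VERSION"` in the command. Only users allowed to dispatch the workflow can set the input, which limits the exposure, but the env form costs nothing. The same interpolation appears in the workflows added later in this series (copy-examples.yml, copy-schemas.yml, generate-plugin-priorities.yml, generate-referenceable-fields.yml, validate_examples.yml).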
From 0939b6ad405ae980a908b2a84591d8b097546d2e Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Fri, 21 Jun 2024 10:21:22 -0700 Subject: [PATCH 057/165] Chore: gateway patches 06 2024 (#37) * schema for request validator in 3.7.1.0 and 3.6.1.5 * update schema for app reg plugin in 3.5.0.5 --- schemas/application-registration/3.5.x.json | 8 +++ schemas/request-validator/3.6.x.json | 8 +++ schemas/request-validator/3.7.x.json | 70 ++++++++++++--------- 3 files changed, 55 insertions(+), 31 deletions(-) diff --git a/schemas/application-registration/3.5.x.json b/schemas/application-registration/3.5.x.json index 84a7e921..2416ffe5 100644 --- a/schemas/application-registration/3.5.x.json +++ b/schemas/application-registration/3.5.x.json @@ -87,6 +87,14 @@ "type": "boolean", "description": "Displays the **Issuer URL** in the **Service Details** dialog." } + }, + { + "enable_proxy_with_consumer_credential": { + "required": true, + "description": "If enabled, the Route of the Service can be accessed using the Consumer's credential", + "type": "boolean", + "default": false + } } ], "type": "record", diff --git a/schemas/request-validator/3.6.x.json b/schemas/request-validator/3.6.x.json index 904fec8c..a15acec3 100644 --- a/schemas/request-validator/3.6.x.json +++ b/schemas/request-validator/3.6.x.json @@ -172,6 +172,14 @@ "description": "If enabled, the plugin returns more verbose and detailed validation errors.", "default": false } + }, + { + "content_type_parameter_validation": { + "default": true, + "required": true, + "description": "Determines whether to enable parameters validation of request content-type.", + "type": "boolean" + } } ], "required": true diff --git a/schemas/request-validator/3.7.x.json b/schemas/request-validator/3.7.x.json index e5214db3..6a4c7c46 100644 --- a/schemas/request-validator/3.7.x.json +++ b/schemas/request-validator/3.7.x.json 
@@ -2,8 +2,12 @@ "fields": [ { "protocols": { - "type": "set", - "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ @@ -13,21 +17,17 @@ "https" ] }, + "type": "set", "description": "A set of strings representing HTTP protocols.", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "type": "foreign" } }, { @@ -42,27 +42,27 @@ }, { "allowed_content_types": { - "type": "set", - "elements": { - "required": true, - "type": "string" - }, - "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", "default": [ "application/json" - ] + ], + "elements": { + "type": "string", + "required": true + }, + "type": "set", + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`." } }, { "version": { + "default": "kong", "one_of": [ "kong", "draft4" ], - "required": true, - "type": "string", "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", - "default": "kong" + "required": true, + "type": "string" } }, { @@ -73,13 +73,13 @@ { "in": { "required": true, - "type": "string", "description": "The location of the parameter.", "one_of": [ "query", "header", "path" - ] + ], + "type": "string" } }, { @@ -99,7 +99,6 @@ { "style": { "type": "string", - "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", "one_of": [ "label", "form", 
@@ -108,13 +107,14 @@ "spaceDelimited", "pipeDelimited", "deepObject" - ] + ], + "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value." } }, { "explode": { - "type": "boolean", - "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect." + "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect.", + "type": "boolean" } }, { @@ -143,16 +143,24 @@ ], "type": "record" }, - "type": "array", - "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified." + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", + "type": "array" } }, { "verbose_response": { + "default": false, "required": true, - "type": "boolean", "description": "If enabled, the plugin returns more verbose and detailed validation errors.", - "default": false + "type": "boolean" + } + }, + { + "content_type_parameter_validation": { + "default": true, + "required": true, + "description": "Determines whether to enable parameters validation of request content-type.", + "type": "boolean" } } ], From 912aadb5e03f9c83d7157e8499e140fe080e22d1 Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Mon, 1 Jul 2024 12:54:45 +0200 Subject: [PATCH 058/165] Fix download-schemas action The action's parameters should be nested under `with`. --- .github/workflows/download-schemas.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/.github/workflows/download-schemas.yml b/.github/workflows/download-schemas.yml index a932fc66..7bc2f32e 100644 --- a/.github/workflows/download-schemas.yml +++ b/.github/workflows/download-schemas.yml @@ -40,12 +40,12 @@ jobs: bundle exec ./plugins download_schemas --version=${{ github.event.inputs.version }} --plugins $(ls ./schemas) --verbose - name: Create Pull Request uses: peter-evans/create-pull-request@v6 - token: ${{ secrets.PAT }} - title: "Download Schemas for ${{ github.event.inputs.version }}" - branch: download-schemas - commit-message: "Download Schemas for ${{ github.event.inputs.version }}" - delete-branch: true with: + token: ${{ secrets.PAT }} + title: "Download Schemas for ${{ github.event.inputs.version }}" + branch: download-schemas + commit-message: "Download Schemas for ${{ github.event.inputs.version }}" + delete-branch: true add-paths: | ./schemas/* - name: Cleanup From c989cc00c356632c320dd81fc66ab989d3282a39 Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Tue, 2 Jul 2024 16:56:49 +0200 Subject: [PATCH 059/165] Fix composite actions steps If a step in a composite action has the key `uses` it shouldn't have the `shell` key, otherwise it errors. Steps that don't have the `uses` key, must have the `shell` key. --- .github/reusable-steps/install-deps/action.yml | 1 - .github/reusable-steps/run-kong-ee/action.yml | 2 -- .github/reusable-steps/run-kong-oss/action.yml | 1 - 3 files changed, 4 deletions(-) diff --git a/.github/reusable-steps/install-deps/action.yml b/.github/reusable-steps/install-deps/action.yml index ca3efd4a..3b076a1d 100644 --- a/.github/reusable-steps/install-deps/action.yml +++ b/.github/reusable-steps/install-deps/action.yml @@ -3,7 +3,6 @@ runs: using: composite steps: - name: Set up Ruby - shell: bash uses: ruby/setup-ruby@v1 with: ruby-version: .ruby-version diff --git a/.github/reusable-steps/run-kong-ee/action.yml b/.github/reusable-steps/run-kong-ee/action.yml index 25748628..ec69f601 100644 
--- a/.github/reusable-steps/run-kong-ee/action.yml +++ b/.github/reusable-steps/run-kong-ee/action.yml @@ -14,10 +14,8 @@ runs: using: composite steps: - name: Download quickstart script - shell: bash uses: ./.github/reusable-steps/download-quickstart-script - name: Download Kong License - shell: bash uses: Kong/kong-license@master id: getLicense with: diff --git a/.github/reusable-steps/run-kong-oss/action.yml b/.github/reusable-steps/run-kong-oss/action.yml index 82e37af6..a8a1a749 100644 --- a/.github/reusable-steps/run-kong-oss/action.yml +++ b/.github/reusable-steps/run-kong-oss/action.yml @@ -9,7 +9,6 @@ runs: using: composite steps: - name: Download quickstart script - shell: bash uses: ./.github/reusable-steps/download-quickstart-script - name: Run Kong shell: bash From 32b904bb107abf0763429e67782e95c9c02b8c41 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 9 Jul 2024 03:50:18 +0000 Subject: [PATCH 060/165] Update dependency ruby to v3.3.4 --- .ruby-version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.ruby-version b/.ruby-version index 619b5376..a0891f56 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -3.3.3 +3.3.4 From e9376b81db74204fbbd7fd2435ca6622cfd839fa Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Thu, 25 Jul 2024 12:10:19 -0700 Subject: [PATCH 061/165] update example to split endpoint into two new ones (#38) --- examples/opentelemetry/_3.8.x.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/examples/opentelemetry/_3.8.x.yaml b/examples/opentelemetry/_3.8.x.yaml index efacb712..02aeaa66 100644 --- a/examples/opentelemetry/_3.8.x.yaml +++ b/examples/opentelemetry/_3.8.x.yaml 
@@ -1,5 +1,6 @@ name: opentelemetry config: - endpoint: http://opentelemetry.collector:4318/v1/traces + traces_endpoint: http://opentelemetry.collector:4318/v1/traces + logs_endpoint: http://opentelemetry.collector:4318/v1/logs headers: X-Auth-Token: secret-token From 32815f813fcd5ef021e5110370e6d586d0df47a4 Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Thu, 25 Jul 2024 12:10:30 -0700 Subject: [PATCH 062/165] fix AI RLA examples based on real config (#44) --- examples/ai-rate-limiting-advanced/_3.7.x.yaml | 17 +++++++---------- examples/ai-rate-limiting-advanced/_3.8.x.yaml | 17 +++++++---------- 2 files changed, 14 insertions(+), 20 deletions(-) diff --git a/examples/ai-rate-limiting-advanced/_3.7.x.yaml b/examples/ai-rate-limiting-advanced/_3.7.x.yaml index ba9e8024..9831356c 100644 --- a/examples/ai-rate-limiting-advanced/_3.7.x.yaml +++ b/examples/ai-rate-limiting-advanced/_3.7.x.yaml @@ -1,12 +1,9 @@ name: ai-rate-limiting-advanced config: - model_providers: - - openai - - mistral - model_providers_limit: - - 1000 - - 100 - models_providers_window_size: - - 3600 - - 60 - sync_rate: 10 \ No newline at end of file + llm_providers: + - name: openai + limit: 1000 + window_size: 3600 + - name: mistral + limit: 100 + window_size: 60 diff --git a/examples/ai-rate-limiting-advanced/_3.8.x.yaml b/examples/ai-rate-limiting-advanced/_3.8.x.yaml index ba9e8024..9831356c 100644 --- a/examples/ai-rate-limiting-advanced/_3.8.x.yaml +++ b/examples/ai-rate-limiting-advanced/_3.8.x.yaml @@ -1,12 +1,9 @@ name: ai-rate-limiting-advanced config: - model_providers: - - openai - - mistral - model_providers_limit: - - 1000 - - 100 - models_providers_window_size: - - 3600 - - 60 - sync_rate: 10 \ No newline at end of file + llm_providers: + - name: openai + limit: 1000 + window_size: 3600 + - name: mistral + limit: 100 + window_size: 60 From 94cc7303639522edde1262a47f8faf70f9ba4b68 Mon Sep 17 00:00:00 2001 
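Review bot: Both new keys, `traces_endpoint` and `logs_endpoint`, point at `http://` URLs while the example also sends `X-Auth-Token` under `headers`, so a reader who copies it sends the token to the collector in cleartext. Unless the example has to stay on plain HTTP to validate, `https://opentelemetry.collector:4318/v1/traces` and `https://opentelemetry.collector:4318/v1/logs` would model the safer setup. Whether a given collector serves TLS on that port depends on the deployment.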
From: Fabian Rodriguez Date: Wed, 3 Jul 2024 11:57:56 +0200 Subject: [PATCH 063/165] Standardize the way we pass versions to comands We no longer need to prefix them with an `_` --- README.md | 8 ++++---- lib/example_validator.rb | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 388b933c..bff915f6 100644 --- a/README.md +++ b/README.md @@ -51,7 +51,7 @@ Validates plugin examples config against the plugin schema using the [Admin API] | Options | Descriptions | |--------------------------- |-----| -| `version` | **Required**. Kong Gateway release version, e.g. `_3.3.x`. | +| `version` | **Required**. Kong Gateway release version, e.g. `3.3.x`. | | `plugins` | **Required**. Space separated list of plugins to use, .e.g. `acme acl`. | | `host` | Name of the host in which the API is running. Default: `localhost`. | | `port` | Port in which the API is listening. Default: `8001`. | @@ -59,7 +59,7 @@ Validates plugin examples config against the plugin schema using the [Admin API] For example, running: ``` -./plugins validate_examples --version _3.4.x --plugins acme --verbose +./plugins validate_examples --version 3.4.x --plugins acme --verbose ``` reads the file `./examples/acme/_3.4.x.yaml` and validates it against the schema using the API. 
@@ -134,7 +134,7 @@ copies the previous schema (assuming the previous version is `3.4.x`, it copies Whenever a new version of Kong Gateway is released, we need run the following commands in order. For all of them, specify all the plugins `--plugins $(ls ./schemas)` 1. Download Schemas - specify the new version `x.x.x` -1. Copy Examples - specify the previous version `_x.x.y` of the example that gets copied -1. Validate Examples - specify the new version `_x.x.x` +1. Copy Examples - specify the previous version `x.x.y` of the example that gets copied +1. Validate Examples - specify the new version `x.x.x` 1. Generate Referenceable Fields List - specify the new version `x.x.x` 1. Generate Priorities List - for `oss` and `ee` and specify the new version `x.x.x` diff --git a/lib/example_validator.rb b/lib/example_validator.rb index 5410d4f5..63b45a3f 100644 --- a/lib/example_validator.rb +++ b/lib/example_validator.rb @@ -50,6 +50,6 @@ def request_body end def file_path - File.join(@options[:source], @plugin, "#{@options[:version]}.yaml") + File.join(@options[:source], @plugin, "_#{@options[:version]}.yaml") end end From f53b67a2479bace1d9e682242acfa6eb869e71af Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Wed, 3 Jul 2024 12:19:49 +0200 Subject: [PATCH 064/165] Add github actions to run all the commands --- .github/workflows/copy-examples.yml | 32 ++++++++++ .github/workflows/copy-schemas.yml | 32 ++++++++++ .../workflows/generate-plugin-priorities.yml | 58 +++++++++++++++++++ .../generate-referenceable-fields.yml | 53 +++++++++++++++++ .github/workflows/validate_examples.yml | 43 ++++++++++++++ 5 files changed, 218 insertions(+) create mode 100644 .github/workflows/copy-examples.yml create mode 100644 .github/workflows/copy-schemas.yml create mode 100644 .github/workflows/generate-plugin-priorities.yml create mode 100644 .github/workflows/generate-referenceable-fields.yml create mode 100644 .github/workflows/validate_examples.yml 
diff --git a/.github/workflows/copy-examples.yml b/.github/workflows/copy-examples.yml new file mode 100644 index 00000000..1c6a035a --- /dev/null +++ b/.github/workflows/copy-examples.yml @@ -0,0 +1,32 @@ +name: Copy Latest Examples +on: + workflow_dispatch: + inputs: + version: + required: true + type: string + description: | + Kong Gateway release, e.x. 3.4.x. + Used by some commands for storing files in the corresponding folder. + +jobs: + copy-examples: + runs-on: ubuntu-latest + steps: + - name: Check out repo + uses: actions/checkout@v4 + - name: Install dependencies + uses: ./.github/reusable-steps/install-deps + - name: Run copy_examples + run: | + bundle exec ./plugins copy_examples --version=${{ github.event.inputs.version }} --plugins $(ls ./schemas) --verbose + - name: Create Pull Request + uses: peter-evans/create-pull-request@v6 + with: + token: ${{ secrets.PAT }} + title: "Copy latest examples to ${{ github.event.inputs.version }}" + branch: copy-latest-examples + commit-message: "Copy latest examples to ${{ github.event.inputs.version }}" + delete-branch: true + add-paths: | + ./examples/* diff --git a/.github/workflows/copy-schemas.yml b/.github/workflows/copy-schemas.yml new file mode 100644 index 00000000..db1a288a --- /dev/null +++ b/.github/workflows/copy-schemas.yml 
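Review bot: copy-examples.yml declares no `permissions:`, so the implicit `GITHUB_TOKEN` gets the repository default even though the pull request is created with `secrets.PAT`. Adding a workflow-level `permissions:` block with `contents: read` keeps the implicit token read-only; that is presumably sufficient because the push and PR go through the PAT, but confirm with a test run. copy-schemas.yml, generate-plugin-priorities.yml, generate-referenceable-fields.yml and validate_examples.yml in this commit are in the same position. The scope of the PAT is not visible here; a fine-grained token limited to this repository's contents and pull requests would bound what a compromised step could do with it.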
@@ -0,0 +1,32 @@ +name: Copy Latest Schemas +on: + workflow_dispatch: + inputs: + version: + required: true + type: string + description: | + Kong Gateway release, e.x. 3.4.x. + Used by some commands for storing files in the corresponding folder. + +jobs: + copy-schemas: + runs-on: ubuntu-latest + steps: + - name: Check out repo + uses: actions/checkout@v4 + - name: Install dependencies + uses: ./.github/reusable-steps/install-deps + - name: Run copy_schemas + run: | + bundle exec ./plugins copy_schemas --version=${{ github.event.inputs.version }} --plugins $(ls ./schemas) --verbose + - name: Create Pull Request + uses: peter-evans/create-pull-request@v6 + with: + token: ${{ secrets.PAT }} + title: "Copy latest schemas to ${{ github.event.inputs.version }}" + branch: copy-latest-schemas + commit-message: "Copy latest schemas to ${{ github.event.inputs.version }}" + delete-branch: true + add-paths: | + ./schemas/* diff --git a/.github/workflows/generate-plugin-priorities.yml b/.github/workflows/generate-plugin-priorities.yml new file mode 100644 index 00000000..a7f29346 --- /dev/null +++ b/.github/workflows/generate-plugin-priorities.yml 
@@ -0,0 +1,58 @@ +name: Generate Plugin Priorities +on: + workflow_dispatch: + inputs: + kong-image-tag: + required: true + type: string + description: | + Kong Docker image tag to run, 3.6.1.4. + version: + required: true + type: string + description: | + Kong Gateway release, e.x. 3.4.x. + Used by some commands for storing files in the corresponding folder. + kong-edition: + required: true + type: choice + options: + - oss + - ee + description: Whether the API running is the OSS or Enterprise version + +jobs: + generate-plugin-priorities: + runs-on: ubuntu-latest + steps: + - name: Check out repo + uses: actions/checkout@v4 + - name: Install dependencies + uses: ./.github/reusable-steps/install-deps + - name: Run Kong EE + if: ${{ github.event.inputs.kong-edition == 'ee' }} + uses: ./.github/reusable-steps/run-kong-ee + with: + op-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + kong-image-tag: ${{ github.event.inputs.kong-image-tag }} + - name: Run Kong OSS + if: ${{ github.event.inputs.kong-edition == 'oss' }} + uses: ./.github/reusable-steps/run-kong-oss + with: + kong-image-tag: ${{ github.event.inputs.kong-image-tag }} + - name: Run generate_plugin_priorities + run: | + bundle exec ./plugins generate_plugin_priorities --type=${{ github.event.inputs.kong-edition }} --version=${{ github.event.inputs.version }} --verbose + - name: Create Pull Request + uses: peter-evans/create-pull-request@v6 + with: + token: ${{ secrets.PAT }} + title: "Plugin Priorities for ${{ github.event.inputs.version }}" + branch: plugin-priorities + commit-message: "Plugin Priorities for ${{ github.event.inputs.version }}" + delete-branch: true + add-paths: | + ./data/priorities/* + - name: Cleanup + if: always() + uses: ./.github/reusable-steps/cleanup diff --git a/.github/workflows/generate-referenceable-fields.yml b/.github/workflows/generate-referenceable-fields.yml new file mode 100644 index 00000000..341adb23 --- /dev/null +++ b/.github/workflows/generate-referenceable-fields.yml 
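Review bot: The `Run Kong EE` step in generate-plugin-priorities.yml passes `op-token` and `kong-image-tag` but no `kong-image-name`. The run-kong-ee action declares that input with neither `required` nor `default`, so `KONG_IMAGE_NAME` is exported to `quickstart.sh` as an empty string. Whether the script falls back to a default image for an empty value cannot be seen from here. Passing `kong-image-name: kong-gateway` in this step, or giving the input a `default:` in the action, makes the image that runs with the license explicit.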
@@ -0,0 +1,53 @@ +name: Generate Referenceable Fields +on: + workflow_dispatch: + inputs: + kong-image-tag: + required: true + type: string + description: | + Kong Docker image tag to run, 3.6.1.4. + version: + required: true + type: string + description: | + Kong Gateway release, e.x. 3.4.x. + Used by some commands for storing files in the corresponding folder. + kong-image-name: + type: choice + description: | + Kong Docker image name to use, e.g. kong-gateway, kong-gateway-dev. + options: + - kong-gateway + - kong-gateway-dev + +jobs: + generate-referenceable-fields: + runs-on: ubuntu-latest + steps: + - name: Check out repo + uses: actions/checkout@v4 + - name: Install dependencies + uses: ./.github/reusable-steps/install-deps + - name: Run Kong EE + uses: ./.github/reusable-steps/run-kong-ee + with: + op-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + kong-image-tag: ${{ github.event.inputs.kong-image-tag }} + kong-image-name: ${{ github.event.inputs.kong-image-name }} + - name: Run generate_referenceable_fields_list + run: | + bundle exec ./plugins generate_referenceable_fields_list --version=${{ github.event.inputs.version }} --plugins $(ls ./schemas) --verbose + - name: Create Pull Request + uses: peter-evans/create-pull-request@v6 + with: + token: ${{ secrets.PAT }} + title: "Referenceable fields for ${{ github.event.inputs.version }}" + branch: referenceable-fields + commit-message: "Referenceable fields for ${{ github.event.inputs.version }}" + delete-branch: true + add-paths: | + ./data/referenceable_fields/* + - name: Cleanup + if: always() + uses: ./.github/reusable-steps/cleanup diff --git a/.github/workflows/validate_examples.yml b/.github/workflows/validate_examples.yml new file mode 100644 index 00000000..15323038 --- /dev/null +++ b/.github/workflows/validate_examples.yml 
@@ -0,0 +1,43 @@ +name: Validate Examples +on: + workflow_dispatch: + inputs: + kong-image-tag: + required: true + type: string + description: | + Kong Docker image tag to run, 3.6.1.4. + version: + required: true + type: string + description: | + Kong Gateway release, e.x. 3.4.x. + Used by some commands for storing files in the corresponding folder. + kong-image-name: + type: choice + description: | + Kong Docker image name to use, e.g. kong-gateway, kong-gateway-dev. + options: + - kong-gateway + - kong-gateway-dev + +jobs: + validate-examples: + runs-on: ubuntu-latest + steps: + - name: Check out repo + uses: actions/checkout@v4 + - name: Install dependencies + uses: ./.github/reusable-steps/install-deps + - name: Run Kong EE + uses: ./.github/reusable-steps/run-kong-ee + with: + op-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + kong-image-tag: ${{ github.event.inputs.kong-image-tag }} + kong-image-name: ${{ github.event.inputs.kong-image-name }} + - name: Run validate_examples + run: | + bundle exec ./plugins validate_examples --version=${{ github.event.inputs.version }} --plugins $(ls ./schemas) --verbose + - name: Cleanup + if: always() + uses: ./.github/reusable-steps/cleanup From 4b8dc94693d5700d0e8db0ecb0072179fc09beea Mon Sep 17 00:00:00 2001 From: lena-larionova Date: Wed, 7 Aug 2024 09:45:54 -0700 Subject: [PATCH 065/165] add missing prompts key --- examples/ai-prompt-decorator/_3.6.x.yaml | 21 +++++++++++---------- examples/ai-prompt-decorator/_3.7.x.yaml | 21 +++++++++++---------- examples/ai-prompt-decorator/_3.8.x.yaml | 21 +++++++++++---------- 3 files changed, 33 insertions(+), 30 deletions(-) diff --git a/examples/ai-prompt-decorator/_3.6.x.yaml b/examples/ai-prompt-decorator/_3.6.x.yaml index 4e743eb9..50a84994 100644 --- a/examples/ai-prompt-decorator/_3.6.x.yaml +++ b/examples/ai-prompt-decorator/_3.6.x.yaml 
@@ -1,12 +1,13 @@ name: ai-prompt-decorator config: - prepend: - - role: "system" - content: "You are data scientist, specialising in survey analytics." - - role: "user" - content: "Classify this test result set as positive, negative, or neutral." - - role: "assistant" - content: "These tests are NEUTRAL." - append: - - role: "user" - content: "Do not mention any real participants name in your justification." + prompts: + prepend: + - role: "system" + content: "You are data scientist, specialising in survey analytics." + - role: "user" + content: "Classify this test result set as positive, negative, or neutral." + - role: "assistant" + content: "These tests are NEUTRAL." + append: + - role: "user" + content: "Do not mention any real participants name in your justification." diff --git a/examples/ai-prompt-decorator/_3.7.x.yaml b/examples/ai-prompt-decorator/_3.7.x.yaml index 4e743eb9..50a84994 100644 --- a/examples/ai-prompt-decorator/_3.7.x.yaml +++ b/examples/ai-prompt-decorator/_3.7.x.yaml @@ -1,12 +1,13 @@ name: ai-prompt-decorator config: - prepend: - - role: "system" - content: "You are data scientist, specialising in survey analytics." - - role: "user" - content: "Classify this test result set as positive, negative, or neutral." - - role: "assistant" - content: "These tests are NEUTRAL." - append: - - role: "user" - content: "Do not mention any real participants name in your justification." + prompts: + prepend: + - role: "system" + content: "You are data scientist, specialising in survey analytics." + - role: "user" + content: "Classify this test result set as positive, negative, or neutral." + - role: "assistant" + content: "These tests are NEUTRAL." + append: + - role: "user" + content: "Do not mention any real participants name in your justification." diff --git a/examples/ai-prompt-decorator/_3.8.x.yaml b/examples/ai-prompt-decorator/_3.8.x.yaml index 4e743eb9..50a84994 100644 --- a/examples/ai-prompt-decorator/_3.8.x.yaml 
+++ b/examples/ai-prompt-decorator/_3.8.x.yaml @@ -1,12 +1,13 @@ name: ai-prompt-decorator config: - prepend: - - role: "system" - content: "You are data scientist, specialising in survey analytics." - - role: "user" - content: "Classify this test result set as positive, negative, or neutral." - - role: "assistant" - content: "These tests are NEUTRAL." - append: - - role: "user" - content: "Do not mention any real participants name in your justification." + prompts: + prepend: + - role: "system" + content: "You are data scientist, specialising in survey analytics." + - role: "user" + content: "Classify this test result set as positive, negative, or neutral." + - role: "assistant" + content: "These tests are NEUTRAL." + append: + - role: "user" + content: "Do not mention any real participants name in your justification." From 8299940f01b860bc18b80ead4dda918c60dbaba2 Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Wed, 14 Aug 2024 13:58:32 -0700 Subject: [PATCH 066/165] generate schema and validate example for new header cert auth plugin (#46) --- examples/header-cert-auth/_3.8.x.yaml | 7 + schemas/header-cert-auth/3.8.x.json | 229 ++++++++++++++++++++++++++ 2 files changed, 236 insertions(+) create mode 100644 examples/header-cert-auth/_3.8.x.yaml create mode 100644 schemas/header-cert-auth/3.8.x.json diff --git a/examples/header-cert-auth/_3.8.x.yaml b/examples/header-cert-auth/_3.8.x.yaml new file mode 100644 index 00000000..0bbd7799 --- /dev/null +++ b/examples/header-cert-auth/_3.8.x.yaml @@ -0,0 +1,7 @@ +name: header-cert-auth +config: + ca_certificates: + - "0D769DE8-7CC0-4541-989B-F9C23E20054C" + certificate_header_name: ssl-client-cert + certificate_header_format: base64_encoded + secure_source: false \ No newline at end of file diff --git a/schemas/header-cert-auth/3.8.x.json b/schemas/header-cert-auth/3.8.x.json new file mode 100644 index 00000000..edd98ff6 --- /dev/null 
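Review bot: The new header-cert-auth example sets `secure_source: false`, which turns off the check that the schema in this same commit describes as only allowing requests from trusted IPs and that defaults to `true`. With it off, the certificate is taken from the `ssl-client-cert` header of any request that reaches Kong. A header carries no proof of key possession, so the plugin is only sound when every request is forced through the WAF or L7 proxy that sets the header. If `false` is there only so the example validates without `trusted_ips`, say so in the file, e.g. `# secure_source: false is for schema validation only; keep the default (true) and configure trusted_ips in production`. Otherwise drop the line and let the default apply.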
+++ b/schemas/header-cert-auth/3.8.x.json 
@@ -0,0 +1,229 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "required": true, + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], + "type": "record", + "fields": [ + { + "certificate_header_name": { + "type": "string", + "required": true, + "description": "Name of the header that contains the certificate, received from the WAF or other L7 downstream proxy." + } + }, + { + "certificate_header_format": { + "type": "string", + "required": true, + "one_of": [ + "base64_encoded", + "url_encoded" + ], + "description": "Format of the certificate header. Supported formats: `base64_encoded`, `url_encoded`." + } + }, + { + "secure_source": { + "required": true, + "type": "boolean", + "default": true, + "description": "Whether to secure the source of the request. If set to `true`, the plugin will only allow requests from trusted IPs (configured by the `trusted_ips` config option)." + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "consumer_by": { + "type": "array", + "elements": { + "one_of": [ + "username", + "custom_id" + ], + "type": "string" + }, + "required": false, + "default": [ + "username", + "custom_id" + ], + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled." + } + }, + { + "ca_certificates": { + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", + "required": true, + "type": "array", + "elements": { + "uuid": true, + "type": "string" + } + } + }, + { + "cache_ttl": { + "type": "number", + "required": true, + "default": 60, + "description": "Cache expiry time in seconds." + } + }, + { + "skip_consumer_lookup": { + "type": "boolean", + "required": true, + "default": false, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list." + } + }, + { + "allow_partial_chain": { + "type": "boolean", + "required": true, + "default": false, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates." + } + }, + { + "authenticated_group_by": { + "required": false, + "one_of": [ + "CN", + "DN" + ], + "type": "string", + "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. 
To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users." + } + }, + { + "revocation_check_mode": { + "required": false, + "one_of": [ + "SKIP", + "IGNORE_CA_ERROR", + "STRICT" + ], + "type": "string", + "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status." + } + }, + { + "http_timeout": { + "type": "number", + "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL." + } + }, + { + "cert_cache_ttl": { + "type": "number", + "default": 60000, + "description": "The length of time in milliseconds between refreshes of the revocation check status cache." + } + }, + { + "default_consumer": { + "type": "string", + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "http_proxy_port": { + "type": "integer", + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ } + }, + { + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "https_proxy_port": { + "type": "integer", + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file From 8d6f51cd6be93cff59b1f58335e6c70b8880a1ab Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Wed, 14 Aug 2024 13:58:41 -0700 Subject: [PATCH 067/165] generate schema and validate example for new ai proxy advanced plugin (#47) --- examples/ai-proxy-advanced/_3.8.x.yaml | 15 + schemas/ai-proxy-advanced/3.8.x.json | 1127 ++++++++++++++++++++++++ 2 files changed, 1142 insertions(+) create mode 100644 examples/ai-proxy-advanced/_3.8.x.yaml create mode 100644 schemas/ai-proxy-advanced/3.8.x.json diff --git a/examples/ai-proxy-advanced/_3.8.x.yaml b/examples/ai-proxy-advanced/_3.8.x.yaml new file mode 100644 index 00000000..54acb74f --- /dev/null +++ b/examples/ai-proxy-advanced/_3.8.x.yaml @@ -0,0 +1,15 @@ +name: ai-proxy-advanced +config: + targets: + - route_type: llm/v1/chat + auth: + header_name: Authorization + header_value: Bearer token + model: + provider: openai + - route_type: llm/v1/chat + model: + provider: llama2 + options: + llama2_format: openai + upstream_url: http://httpbin diff --git a/schemas/ai-proxy-advanced/3.8.x.json b/schemas/ai-proxy-advanced/3.8.x.json new file mode 100644 index 00000000..500ad146 --- /dev/null +++ b/schemas/ai-proxy-advanced/3.8.x.json 
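Review bot: The second target in the ai-proxy-advanced example sets `upstream_url: http://httpbin`, so a configuration copied from it would send prompts and model responses to the upstream without TLS; an `https://` placeholder host would be safer to copy. The first target also writes the credential inline as `header_value: Bearer token`. The schema in this commit marks `auth.header_value` as `referenceable` and `encrypted`, so the example could show a vault reference instead, for instance `header_value: "{vault://<vault-name>/<key>}"` (placeholder values), which keeps provider API keys out of committed declarative config. A one-line comment above `auth:` noting that real keys belong in a vault would also help.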
@@ -0,0 +1,1127 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "balancer": { + "required": true, + "fields": [ + { + "algorithm": { + "default": "round-robin", + "type": "string", + "one_of": [ + "round-robin", + "lowest-latency", + "lowest-usage", + "consistent-hashing", + "semantic" + ], + "description": "Which load balancing algorithm to use." + } + }, + { + "tokens_count_strategy": { + "default": "total-tokens", + "type": "string", + "one_of": [ + "total-tokens", + "prompt-tokens", + "completion-tokens" + ], + "description": "What tokens to use for usage calculation. Available values are: `total_tokens` `prompt_tokens`, and `completion_tokens`." + } + }, + { + "latency_strategy": { + "default": "tpot", + "type": "string", + "one_of": [ + "tpot", + "e2e" + ], + "description": "What metrics to use for latency. Available values are: `tpot` (time-per-output-token) and `e2e`." + } + }, + { + "hash_on_header": { + "type": "string", + "default": "X-Kong-LLM-Request-ID", + "description": "The header to use for consistent-hashing." + } + }, + { + "slots": { + "between": [ + 10, + 65536 + ], + "type": "integer", + "default": 10000, + "description": "The number of slots in the load balancer algorithm." + } + }, + { + "retries": { + "between": [ + 0, + 32767 + ], + "type": "integer", + "default": 5, + "description": "The number of retries to execute upon failure to proxy." 
+ } + }, + { + "connect_timeout": { + "between": [ + 1, + 2147483646 + ], + "default": 60000, + "type": "integer" + } + }, + { + "write_timeout": { + "between": [ + 1, + 2147483646 + ], + "default": 60000, + "type": "integer" + } + }, + { + "read_timeout": { + "between": [ + 1, + 2147483646 + ], + "default": 60000, + "type": "integer" + } + } + ], + "type": "record" + } + }, + { + "embeddings": { + "required": false, + "fields": [ + { + "auth": { + "required": false, + "fields": [ + { + "password": { + "required": false, + "referenceable": true, + "encrypted": true, + "type": "string", + "description": "authentication password" + } + }, + { + "token": { + "required": false, + "referenceable": true, + "encrypted": true, + "type": "string", + "description": "authentication token" + } + } + ], + "type": "record" + } + }, + { + "provider": { + "required": true, + "type": "string", + "one_of": [ + "mistralai", + "openai" + ], + "description": "which provider to use for embeddings" + } + }, + { + "name": { + "required": true, + "type": "string", + "one_of": [ + "text-embedding-3-large", + "text-embedding-3-small", + "mistral-embed" + ], + "description": "which AI model to use for generating embeddings" + } + }, + { + "upstream_url": { + "type": "string", + "required": false, + "description": "upstream url for the embeddings" + } + } + ], + "type": "record" + } + }, + { + "vectordb": { + "required": false, + "fields": [ + { + "strategy": { + "required": true, + "type": "string", + "one_of": [ + "redis" + ], + "description": "which vector database driver to use" + } + }, + { + "dimensions": { + "type": "integer", + "required": true, + "description": "the desired dimensionality for the vectors" + } + }, + { + "threshold": { + "type": "number", + "required": true, + "description": "the default similarity threshold for accepting semantic search results (float)" + } + }, + { + "distance_metric": { + "required": true, + "type": "string", + "one_of": [ + "cosine", + "euclidean" 
+ ], + "description": "the distance metric to use for vector searches" + } + }, + { + "redis": { + "type": "record", + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + }, + "translate_backwards": [ + "connect_timeout" + ], + "type": "integer" + } + }, + { + "sentinel_addresses": { + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "elements": { + "type": "string" + } + } + }, + { + "cluster_addresses": { + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "elements": { + "type": "string" + } + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ], + "set2": [ + "cluster_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "cluster_nodes" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ], + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ } + }, + { + "connect_timeout": { + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "send_timeout": { + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "read_timeout": { + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "username": { + "type": "string", + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + } + }, + { + "password": { + "encrypted": true, + "type": "string", + "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + } + }, + { + "sentinel_username": { + "type": "string", + "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + } + }, + { + "sentinel_password": { + "encrypted": true, + "type": "string", + "referenceable": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." 
+ } + }, + { + "database": { + "type": "integer", + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy" + } + }, + { + "keepalive_pool_size": { + "between": [ + 1, + 2147483646 + ], + "type": "integer", + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + } + }, + { + "keepalive_backlog": { + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ], + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_nodes": { + "type": "array", + "elements": { + "fields": [ + { + "host": { + "type": "string", + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "port": { + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ], + "type": "record" + }, + "len_min": 1, + "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + } + }, + { + "cluster_nodes": { + "type": "array", + "elements": { + "fields": [ + { + "ip": { + "type": "string", + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ], + "type": "record" + }, + "len_min": 1, + "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + } + }, + { + "ssl": { + "required": false, + "type": "boolean", + "default": false, + "description": "If set to true, uses SSL to connect to Redis." + } + }, + { + "ssl_verify": { + "required": false, + "type": "boolean", + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + } + }, + { + "server_name": { + "type": "string", + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS." 
+ } + }, + { + "cluster_max_redirections": { + "required": false, + "type": "integer", + "default": 5, + "description": "Maximum retry attempts for redirection." + } + } + ], + "required": true + } + } + ], + "type": "record" + } + }, + { + "max_request_body_size": { + "type": "integer", + "gt": 0, + "default": 8192, + "description": "max allowed body size allowed to be introspected" + } + }, + { + "model_name_header": { + "type": "boolean", + "default": true, + "description": "Display the model name selected in the X-Kong-LLM-Model response header" + } + }, + { + "targets": { + "type": "array", + "required": true, + "elements": { + "type": "record", + "fields": [ + { + "route_type": { + "required": true, + "type": "string", + "one_of": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation." + } + }, + { + "auth": { + "required": false, + "fields": [ + { + "header_name": { + "required": false, + "type": "string", + "referenceable": true, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here." + } + }, + { + "header_value": { + "type": "string", + "referenceable": true, + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "required": false, + "encrypted": true + } + }, + { + "param_name": { + "required": false, + "type": "string", + "referenceable": true, + "description": "If AI model requires authentication via query parameter, specify its name here." 
+ } + }, + { + "param_value": { + "type": "string", + "referenceable": true, + "description": "Specify the full parameter value for 'param_name'.", + "required": false, + "encrypted": true + } + }, + { + "param_location": { + "required": false, + "type": "string", + "one_of": [ + "query", + "body" + ], + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body." + } + }, + { + "azure_use_managed_identity": { + "required": false, + "type": "boolean", + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models." + } + }, + { + "azure_client_id": { + "required": false, + "type": "string", + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID." + } + }, + { + "azure_client_secret": { + "type": "string", + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "required": false, + "encrypted": true + } + }, + { + "azure_tenant_id": { + "required": false, + "type": "string", + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID." + } + }, + { + "gcp_use_service_account": { + "required": false, + "type": "boolean", + "default": false, + "description": "Use service account auth for GCP-based providers and models." + } + }, + { + "gcp_service_account_json": { + "type": "string", + "referenceable": true, + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "required": false, + "encrypted": true + } + }, + { + "aws_access_key_id": { + "type": "string", + "referenceable": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "required": false, + "encrypted": true + } + }, + { + "aws_secret_access_key": { + "type": "string", + "referenceable": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "required": false, + "encrypted": true + } + } + ], + "type": "record" + } + }, + { + "model": { + "required": true, + "fields": [ + { + "provider": { + "required": true, + "type": "string", + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2", + "gemini", + "bedrock" + ], + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats." + } + }, + { + "name": { + "type": "string", + "required": false, + "description": "Model name to execute." + } + }, + { + "options": { + "required": false, + "type": "record", + "fields": [ + { + "max_tokens": { + "required": false, + "type": "integer", + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models." + } + }, + { + "input_cost": { + "gt": 0, + "type": "number", + "required": false, + "description": "Defines the cost per 1M tokens in your prompt." + } + }, + { + "output_cost": { + "gt": 0, + "type": "number", + "required": false, + "description": "Defines the cost per 1M tokens in the output of the AI." 
+ } + }, + { + "temperature": { + "between": [ + 0, + 5 + ], + "type": "number", + "required": false, + "description": "Defines the matching temperature, if using chat or completion models." + } + }, + { + "top_p": { + "between": [ + 0, + 1 + ], + "type": "number", + "required": false, + "description": "Defines the top-p probability mass, if supported." + } + }, + { + "top_k": { + "between": [ + 0, + 500 + ], + "type": "integer", + "required": false, + "description": "Defines the top-k most likely tokens, if supported." + } + }, + { + "anthropic_version": { + "type": "string", + "required": false, + "description": "Defines the schema/API version, if using Anthropic provider." + } + }, + { + "azure_instance": { + "type": "string", + "required": false, + "description": "Instance name for Azure OpenAI hosted models." + } + }, + { + "azure_api_version": { + "required": false, + "type": "string", + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances." + } + }, + { + "azure_deployment_id": { + "type": "string", + "required": false, + "description": "Deployment ID for Azure OpenAI instances." + } + }, + { + "llama2_format": { + "required": false, + "type": "string", + "one_of": [ + "raw", + "openai", + "ollama" + ], + "description": "If using llama2 provider, select the upstream message format." + } + }, + { + "mistral_format": { + "required": false, + "type": "string", + "one_of": [ + "openai", + "ollama" + ], + "description": "If using mistral provider, select the upstream message format." + } + }, + { + "upstream_url": { + "required": false, + "type": "string", + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint." + } + }, + { + "upstream_path": { + "type": "string", + "required": false, + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type." 
+ } + }, + { + "gemini": { + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], + "required": false, + "fields": [ + { + "api_endpoint": { + "type": "string", + "required": false, + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only)." + } + }, + { + "project_id": { + "type": "string", + "required": false, + "description": "If running Gemini on Vertex, specify the project ID." + } + }, + { + "location_id": { + "type": "string", + "required": false, + "description": "If running Gemini on Vertex, specify the location ID." + } + } + ], + "type": "record" + } + }, + { + "bedrock": { + "required": false, + "fields": [ + { + "aws_region": { + "type": "string", + "required": false, + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option." + } + } + ], + "type": "record" + } + } + ], + "description": "Key/value settings for the model" + } + } + ], + "type": "record" + } + }, + { + "weight": { + "between": [ + 1, + 65535 + ], + "type": "integer", + "default": 100, + "description": "The weight this target gets within the upstream loadbalancer (1-65535)." + } + }, + { + "description": { + "type": "string", + "required": false, + "description": "The semantic description of the target, required if using semantic load balancing." + } + }, + { + "logging": { + "required": true, + "fields": [ + { + "log_statistics": { + "required": true, + "type": "boolean", + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output." + } + }, + { + "log_payloads": { + "required": true, + "type": "boolean", + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output." 
+ } + } + ], + "type": "record" + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.llama2_format" + ], + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for llama2 provider", + "if_field": "model.provider" + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.mistral_format" + ], + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider", + "if_field": "model.provider" + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider", + "if_field": "model.provider" + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.azure_instance" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider" + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider" + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider" + } + }, + { + "conditional_at_least_one_of": { + "then_at_least_one_of": [ + "model.options.upstream_url" + ], + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models", + "if_field": "model.provider" + } + }, + { + 
"custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] + } + } + ] + } + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.targets" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.targets", + "config.balancer" + ] + } + } + ] +} \ No newline at end of file From d1e2e44fc8e07e6efcd7de835be554765a866765 Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Wed, 14 Aug 2024 13:58:52 -0700 Subject: [PATCH 068/165] generate schema and validate example for new ai semantic prompt guard plugin (#48) --- examples/ai-semantic-prompt-guard/_3.8.x.yaml | 18 + schemas/ai-semantic-prompt-guard/3.8.x.json | 548 ++++++++++++++++++ 2 files changed, 566 insertions(+) create mode 100644 examples/ai-semantic-prompt-guard/_3.8.x.yaml create mode 100644 schemas/ai-semantic-prompt-guard/3.8.x.json diff --git a/examples/ai-semantic-prompt-guard/_3.8.x.yaml b/examples/ai-semantic-prompt-guard/_3.8.x.yaml new file mode 100644 index 00000000..aceb96eb --- /dev/null +++ b/examples/ai-semantic-prompt-guard/_3.8.x.yaml @@ -0,0 +1,18 @@ +name: ai-semantic-prompt-guard +config: + embeddings: + provider: openai + name: text-embedding-3-large + vectordb: + strategy: redis + distance_metric: cosine + threshold: 0.5 + dimensions: 1024 + redis: + host: localhost + port: 6379 + rules: + match_all_conversation_history: true + allow_prompts: + - "[1] = string.rep('x', 501)" + deny_prompts: {} diff --git a/schemas/ai-semantic-prompt-guard/3.8.x.json b/schemas/ai-semantic-prompt-guard/3.8.x.json new file mode 100644 index 00000000..9f44a3f6 --- /dev/null +++ b/schemas/ai-semantic-prompt-guard/3.8.x.json 
@@ -0,0 +1,548 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "embeddings": { + "required": true, + "fields": [ + { + "auth": { + "required": false, + "fields": [ + { + "password": { + "type": "string", + "referenceable": true, + "description": "authentication password", + "required": false, + "encrypted": true + } + }, + { + "token": { + "type": "string", + "referenceable": true, + "description": "authentication token", + "required": false, + "encrypted": true + } + } + ], + "type": "record" + } + }, + { + "provider": { + "required": true, + "type": "string", + "one_of": [ + "mistralai", + "openai" + ], + "description": "which provider to use for embeddings" + } + }, + { + "name": { + "required": true, + "type": "string", + "one_of": [ + "text-embedding-3-large", + "text-embedding-3-small", + "mistral-embed" + ], + "description": "which AI model to use for generating embeddings" + } + }, + { + "upstream_url": { + "required": false, + "type": "string", + "description": "upstream url for the embeddings" + } + } + ], + "type": "record" + } + }, + { + "vectordb": { + "required": true, + "fields": [ + { + "strategy": { + "required": true, + "type": "string", + "one_of": [ + "redis" + ], + "description": "which vector database driver to use" + } + }, + { + "dimensions": { + "required": true, + "type": "integer", + "description": "the desired dimensionality for the vectors" + } + }, + { + "threshold": { + "required": true, + "type": "number", + "description": "the default similarity threshold for accepting semantic search results (float)" + } + }, + { + "distance_metric": { + "required": true, + "type": "string", + "one_of": [ + "cosine", + "euclidean" 
+ ], + "description": "the distance metric to use for vector searches" + } + }, + { + "redis": { + "required": true, + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + }, + "translate_backwards": [ + "connect_timeout" + ], + "type": "integer" + } + }, + { + "sentinel_addresses": { + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "elements": { + "type": "string" + } + } + }, + { + "cluster_addresses": { + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "elements": { + "type": "string" + } + } + } + ], + "type": "record", + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "type": "integer", + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "connect_timeout": { + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "send_timeout": { + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "read_timeout": { + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "username": { + "type": "string", + "referenceable": true, + "description": "Username to use for Redis connections. 
If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "sentinel_username": { + "type": "string", + "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "database": { + "type": "integer", + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy" + } + }, + { + "keepalive_pool_size": { + "between": [ + 1, + 2147483646 + ], + "type": "integer", + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. 
Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ], + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_nodes": { + "type": "array", + "elements": { + "fields": [ + { + "host": { + "type": "string", + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ], + "type": "record" + }, + "len_min": 1, + "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + } + }, + { + "cluster_nodes": { + "type": "array", + "elements": { + "fields": [ + { + "ip": { + "type": "string", + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ], + "type": "record" + }, + "len_min": 1, + "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + } + }, + { + "ssl": { + "required": false, + "type": "boolean", + "default": false, + "description": "If set to true, uses SSL to connect to Redis." + } + }, + { + "ssl_verify": { + "required": false, + "type": "boolean", + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + } + }, + { + "server_name": { + "required": false, + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS." + } + }, + { + "cluster_max_redirections": { + "required": false, + "type": "integer", + "default": 5, + "description": "Maximum retry attempts for redirection." + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ], + "set2": [ + "cluster_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "cluster_nodes" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ] + } + } + ], + "type": "record" + } + }, + { + "search": { + "type": "record", + "fields": [ + { + "threshold": { + "type": "number", + "required": false, + "default": 0.5, + "description": "Threshold for the similarity score to be considered a match." 
+ } + } + ], + "required": false + } + }, + { + "rules": { + "type": "record", + "fields": [ + { + "match_all_conversation_history": { + "type": "boolean", + "required": false, + "default": false, + "description": "If false, will ignore all previous chat prompts from the conversation history." + } + }, + { + "allow_prompts": { + "required": false, + "elements": { + "len_min": 1, + "len_max": 500, + "type": "string" + }, + "len_max": 100, + "type": "array", + "description": "List of prompts to allow." + } + }, + { + "deny_prompts": { + "required": false, + "elements": { + "len_min": 1, + "len_max": 500, + "type": "string" + }, + "len_max": 100, + "type": "array", + "description": "List of prompts to deny." + } + }, + { + "max_request_body_size": { + "type": "integer", + "gt": 0, + "default": 8192, + "description": "max allowed body size allowed to be introspected" + } + }, + { + "match_all_roles": { + "type": "boolean", + "required": true, + "default": false, + "description": "If true, will match all roles in addition to 'user' role in conversation history." + } + } + ], + "required": true + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.rules.allow_prompts", + "config.rules.deny_prompts" + ] + } + ] +} \ No newline at end of file From bda23cd690cf857e22552a49e3cf9b822e12ad89 Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Wed, 14 Aug 2024 13:59:02 -0700 Subject: [PATCH 069/165] generate schema and validate example for new ai semantic cache plugin (#49) --- examples/ai-semantic-cache/_3.8.x.yaml | 10 + schemas/ai-semantic-cache/3.8.x.json | 542 +++++++++++++++++++++++++ 2 files changed, 552 insertions(+) create mode 100644 examples/ai-semantic-cache/_3.8.x.yaml create mode 100644 schemas/ai-semantic-cache/3.8.x.json diff --git a/examples/ai-semantic-cache/_3.8.x.yaml b/examples/ai-semantic-cache/_3.8.x.yaml new file mode 100644 index 00000000..76da1240 
--- /dev/null
+++ b/examples/ai-semantic-cache/_3.8.x.yaml
@@ -0,0 +1,10 @@
+name: ai-semantic-cache
+config:
+ embeddings:
+ provider: openai
+ name: text-embedding-3-large
+ vectordb:
+ dimensions: 1024
+ distance_metric: cosine
+ strategy: redis
+ threshold: 0.1
\ No newline at end of file
diff --git a/schemas/ai-semantic-cache/3.8.x.json b/schemas/ai-semantic-cache/3.8.x.json
new file mode 100644
index 00000000..e1a4b634
--- /dev/null
+++ b/schemas/ai-semantic-cache/3.8.x.json
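Review bot: The example sets `strategy: redis` but has no `redis` block, although the schema in this patch marks `vectordb.redis` as `required: true`, defaults both `ssl` and `ssl_verify` to `false`, and leaves `password` optional. A reader copying it learns nothing about where the cache entries are stored or how that connection is protected. The ai-semantic-prompt-guard example in the previous patch has a similar gap, giving only `host: localhost` and `port: 6379`. I would add a `redis` block that shows `ssl: true`, `ssl_verify: true` and a vault-referenced `password`, since the schema marks that field `referenceable`.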
@@ -0,0 +1,542 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "message_countback": { + "between": [ + 1, + 10 + ], + "type": "number", + "default": 1, + "description": "Number of messages in the chat history to Vectorize/Cache" + } + }, + { + "ignore_system_prompts": { + "type": "boolean", + "default": false, + "description": "Ignore and discard any system prompts when Vectorizing the request" + } + }, + { + "ignore_assistant_prompts": { + "type": "boolean", + "default": false, + "description": "Ignore and discard any assistant prompts when Vectorizing the request" + } + }, + { + "stop_on_failure": { + "required": true, + "type": "boolean", + "default": false, + "description": "Halt the LLM request process in case of a caching system failure" + } + }, + { + "storage_ttl": { + "gt": 0, + "type": "integer", + "default": 300, + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." + } + }, + { + "cache_ttl": { + "gt": 0, + "type": "integer", + "default": 300, + "description": "TTL in seconds of cache entities. Must be a value greater than 0." + } + }, + { + "cache_control": { + "required": true, + "type": "boolean", + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234." 
+ } + }, + { + "exact_caching": { + "required": true, + "type": "boolean", + "default": false, + "description": "When enabled, a first check for exact query will be done. It will impact DB size" + } + }, + { + "embeddings": { + "required": true, + "fields": [ + { + "auth": { + "required": false, + "fields": [ + { + "password": { + "type": "string", + "referenceable": true, + "description": "authentication password", + "required": false, + "encrypted": true + } + }, + { + "token": { + "type": "string", + "referenceable": true, + "description": "authentication token", + "required": false, + "encrypted": true + } + } + ], + "type": "record" + } + }, + { + "provider": { + "required": true, + "type": "string", + "one_of": [ + "mistralai", + "openai" + ], + "description": "which provider to use for embeddings" + } + }, + { + "name": { + "required": true, + "type": "string", + "one_of": [ + "text-embedding-3-large", + "text-embedding-3-small", + "mistral-embed" + ], + "description": "which AI model to use for generating embeddings" + } + }, + { + "upstream_url": { + "required": false, + "type": "string", + "description": "upstream url for the embeddings" + } + } + ], + "type": "record" + } + }, + { + "vectordb": { + "required": true, + "fields": [ + { + "strategy": { + "required": true, + "type": "string", + "one_of": [ + "redis" + ], + "description": "which vector database driver to use" + } + }, + { + "dimensions": { + "required": true, + "type": "integer", + "description": "the desired dimensionality for the vectors" + } + }, + { + "threshold": { + "required": true, + "type": "number", + "description": "the default similarity threshold for accepting semantic search results (float)" + } + }, + { + "distance_metric": { + "required": true, + "type": "string", + "one_of": [ + "cosine", + "euclidean" + ], + "description": "the distance metric to use for vector searches" + } + }, + { + "redis": { + "required": true, + "shorthand_fields": [ + { + "timeout": { + "deprecation": 
{ + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + }, + "translate_backwards": [ + "connect_timeout" + ], + "type": "integer" + } + }, + { + "sentinel_addresses": { + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "elements": { + "type": "string" + } + } + }, + { + "cluster_addresses": { + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "elements": { + "type": "string" + } + } + } + ], + "type": "record", + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "type": "integer", + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "connect_timeout": { + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "send_timeout": { + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "read_timeout": { + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "username": { + "type": "string", + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." 
+ } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "sentinel_username": { + "type": "string", + "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "database": { + "type": "integer", + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy" + } + }, + { + "keepalive_pool_size": { + "between": [ + 1, + 2147483646 + ], + "type": "integer", + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." 
+ } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ], + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_nodes": { + "type": "array", + "elements": { + "fields": [ + { + "host": { + "type": "string", + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ], + "type": "record" + }, + "len_min": 1, + "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + } + }, + { + "cluster_nodes": { + "type": "array", + "elements": { + "fields": [ + { + "ip": { + "type": "string", + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ], + "type": "record" + }, + "len_min": 1, + "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + } + }, + { + "ssl": { + "required": false, + "type": "boolean", + "default": false, + "description": "If set to true, uses SSL to connect to Redis." 
+ } + }, + { + "ssl_verify": { + "required": false, + "type": "boolean", + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + } + }, + { + "server_name": { + "required": false, + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS." + } + }, + { + "cluster_max_redirections": { + "required": false, + "type": "integer", + "default": 5, + "description": "Maximum retry attempts for redirection." + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ], + "set2": [ + "cluster_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "cluster_nodes" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + } + ] + } + } + ], + "type": "record" + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file From 0880c50eabf092f51dd0fc96ccda1577ffe2d59a Mon Sep 17 00:00:00 2001 
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Wed, 14 Aug 2024 13:59:15 -0700 Subject: [PATCH 070/165] generate schema and validate example for new json threat protection plugin (#51) --- examples/json-threat-protection/_3.8.x.yaml | 11 ++ schemas/json-threat-protection/3.8.x.json | 164 ++++++++++++++++++++ 2 files changed, 175 insertions(+) create mode 100644 examples/json-threat-protection/_3.8.x.yaml create mode 100644 schemas/json-threat-protection/3.8.x.json
diff --git a/examples/json-threat-protection/_3.8.x.yaml b/examples/json-threat-protection/_3.8.x.yaml
new file mode 100644
index 00000000..787fdad7
--- /dev/null
+++ b/examples/json-threat-protection/_3.8.x.yaml
@@ -0,0 +1,11 @@
+name: json-threat-protection
+config:
+ max_body_size: 10
+ max_container_depth: 1
+ max_object_entry_count: 2
+ max_object_entry_name_length: 3
+ max_array_element_count: 4
+ max_string_value_length: 5
+ enforcement_mode: block
+ error_status_code: 400
+ error_message: BadRequest
\ No newline at end of file
diff --git a/schemas/json-threat-protection/3.8.x.json b/schemas/json-threat-protection/3.8.x.json
new file mode 100644
index 00000000..09ee0f32
--- /dev/null
+++ b/schemas/json-threat-protection/3.8.x.json
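Review bot: The limits in examples/json-threat-protection/_3.8.x.yaml are sequential placeholders (`max_body_size: 10`, `max_container_depth: 1`, up to `max_string_value_length: 5`), so with `enforcement_mode: block` the config as written would presumably reject almost any real JSON body. The schema in this patch defaults every limit except `max_body_size` to `-1` (unlimited). A user who deletes the placeholder lines instead of tuning them therefore ends up with no depth, entry-count or string-length limit at all. I would use values a deployment could plausibly start from and add a comment such as `# limits default to -1 (unlimited) when omitted; set each one explicitly`.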
@@ -0,0 +1,164 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "required": true, + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "max_body_size": { + "type": "integer", + "required": false, + "between": [ + -1, + 2147483648 + ], + "default": 8192, + "description": "Max size of the request body. -1 means unlimited." + } + }, + { + "max_container_depth": { + "type": "integer", + "required": false, + "between": [ + -1, + 2147483648 + ], + "default": -1, + "description": "Max nested depth of objects and arrays. -1 means unlimited." + } + }, + { + "max_object_entry_count": { + "type": "integer", + "required": false, + "between": [ + -1, + 2147483648 + ], + "default": -1, + "description": "Max number of entries in an object. -1 means unlimited." + } + }, + { + "max_object_entry_name_length": { + "type": "integer", + "required": false, + "between": [ + -1, + 2147483648 + ], + "default": -1, + "description": "Max string length of object name. -1 means unlimited." + } + }, + { + "max_array_element_count": { + "type": "integer", + "required": false, + "between": [ + -1, + 2147483648 + ], + "default": -1, + "description": "Max number of elements in an array. -1 means unlimited." 
+ } + }, + { + "max_string_value_length": { + "type": "integer", + "required": false, + "between": [ + -1, + 2147483648 + ], + "default": -1, + "description": "Max string value length. -1 means unlimited." + } + }, + { + "enforcement_mode": { + "required": false, + "one_of": [ + "block", + "log_only" + ], + "type": "string", + "default": "block", + "description": "Enforcement mode of the security policy." + } + }, + { + "error_status_code": { + "type": "integer", + "required": false, + "between": [ + 400, + 499 + ], + "default": 400, + "description": "The response status code when validation fails." + } + }, + { + "error_message": { + "type": "string", + "required": false, + "default": "Bad Request", + "description": "The response message when validation fails" + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.max_body_size", + "config.max_container_depth" + ] + } + } + ] +} \ No newline at end of file From 061fd3c7014cc12fbc490e8702c531f300c0bc05 Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Wed, 14 Aug 2024 13:59:28 -0700 Subject: [PATCH 071/165] generate schema and validate example for new standard webhooks plugin (#50) --- examples/standard-webhooks/_3.8.x.yaml | 3 ++ schemas/standard-webhooks/3.8.x.json | 63 ++++++++++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 examples/standard-webhooks/_3.8.x.yaml create mode 100644 schemas/standard-webhooks/3.8.x.json diff --git a/examples/standard-webhooks/_3.8.x.yaml b/examples/standard-webhooks/_3.8.x.yaml new file mode 100644 index 00000000..e2e66d71 --- /dev/null +++ b/examples/standard-webhooks/_3.8.x.yaml @@ -0,0 +1,3 @@ +name: standard-webhooks +config: + secret_v1: example-secret diff --git a/schemas/standard-webhooks/3.8.x.json b/schemas/standard-webhooks/3.8.x.json new file mode 100644 index 00000000..7e92df27 --- /dev/null 
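Review bot: `secret_v1: example-secret` in examples/standard-webhooks/_3.8.x.yaml shows the webhook secret as an inline literal, while the schema in this patch marks `secret_v1` as `referenceable` and `encrypted`. Examples tend to be copied into declarative config that ends up in version control, so I would show a vault reference instead, e.g. `secret_v1: '{vault://env/standard-webhooks-secret}'` (constructed reference name). The confluent example in the next patch does the same with `cluster_api_key` and `cluster_api_secret`, which that schema also marks `referenceable`.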
+++ b/schemas/standard-webhooks/3.8.x.json @@ -0,0 +1,63 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "required": true, + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "secret_v1": { + "required": true, + "referenceable": true, + "description": "Webhook secret", + "type": "string", + "encrypted": true + } + }, + { + "tolerance_second": { + "required": true, + "gt": -1, + "type": "integer", + "default": 300, + "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response." + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file From 705ed93af4478bf7b22c77106c34cdda3ef5aa08 Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Wed, 21 Aug 2024 09:55:30 -0700 Subject: [PATCH 072/165] generate schema and validate example for new confluent plugin (#52) --- examples/confluent/_3.8.x.yaml | 9 ++ schemas/confluent/3.8.x.json | 253 +++++++++++++++++++++++++++++++++ 2 files changed, 262 insertions(+) create mode 100644 examples/confluent/_3.8.x.yaml create mode 100644 schemas/confluent/3.8.x.json diff --git a/examples/confluent/_3.8.x.yaml b/examples/confluent/_3.8.x.yaml new file mode 100644 index 00000000..d4bd8e82 --- /dev/null +++ b/examples/confluent/_3.8.x.yaml 
@@ -0,0 +1,9 @@
+name: confluent
+config:
+ bootstrap_servers:
+ - host: example.com
+ port: 80
+ producer_async: false
+ topic: 'kong-test'
+ cluster_api_key: CONFLUENT_CLUSTER_API_KEY
+ cluster_api_secret: CONFLUENT_CLUSTER_API_SECRET
\ No newline at end of file
diff --git a/schemas/confluent/3.8.x.json b/schemas/confluent/3.8.x.json
new file mode 100644
index 00000000..c2fd4fd5
--- /dev/null
+++ b/schemas/confluent/3.8.x.json
@@ -0,0 +1,253 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "required": true + } + }, + { + "consumer_group": { + "description": "Custom type for representing a foreign key with a null value allowed.", + "reference": "consumer_groups", + "type": "foreign", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "required": true, + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "required": true, + "between": [ + 0, + 65535 + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ } + } + ] + } + } + }, + { + "topic": { + "description": "The Kafka topic to publish to.", + "type": "string", + "required": true + } + }, + { + "timeout": { + "description": "Socket timeout in milliseconds.", + "type": "integer", + "default": 10000 + } + }, + { + "keepalive": { + "description": "Keepalive timeout in milliseconds.", + "type": "integer", + "default": 60000 + } + }, + { + "keepalive_enabled": { + "type": "boolean", + "default": false + } + }, + { + "cluster_api_key": { + "description": "Username/Apikey for SASL authentication.", + "encrypted": true, + "required": true, + "type": "string", + "referenceable": true + } + }, + { + "cluster_api_secret": { + "description": "Password/ApiSecret for SASL authentication.", + "encrypted": true, + "required": true, + "type": "string", + "referenceable": true + } + }, + { + "confluent_cloud_api_key": { + "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "confluent_cloud_api_secret": { + "description": "The corresponding secret for the Confluent Cloud API key.", + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "forward_method": { + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean", + "default": false + } + }, + { + "forward_uri": { + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean", + "default": false + } + }, + { + "forward_headers": { + "description": "Include the request headers in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean", + "default": false + } + }, + { + "forward_body": { + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean", + "default": true + } + }, + { + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "auto": true, + "type": "string", + "required": false + } + }, + { + "producer_request_acks": { + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "one_of": [ + -1, + 0, + 1 + ], + "type": "integer", + "default": 1 + } + }, + { + "producer_request_timeout": { + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer", + "default": 2000 + } + }, + { + "producer_request_limits_messages_per_request": { + "description": "Maximum number of messages to include into a single producer request.", + "type": "integer", + "default": 200 + } + }, + { + "producer_request_limits_bytes_per_request": { + "description": "Maximum size of a Produce request in bytes.", + "type": "integer", + "default": 1048576 + } + }, + { + "producer_request_retries_max_attempts": { + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer", + "default": 10 + } + }, + { + "producer_request_retries_backoff_timeout": { + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer", + "default": 100 + } + }, + { + "producer_async": { + "description": "Flag to enable asynchronous mode.", + "type": "boolean", + "default": true + } + }, + { + "producer_async_flush_timeout": { + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer", + "default": 1000 + } + }, + { + "producer_async_buffering_limits_messages_in_memory": { + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer", + "default": 50000 + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "forward_method", + "forward_uri", + "forward_headers", + "forward_body" + ] + } + } + ], + "type": "record", + "required": true + } + } + ] +} \ No newline at end of file From a15dc8f409a23ef2f5ea14991dcf483e119f7ffa Mon Sep 17 00:00:00 2001 
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com>
Date: Thu, 22 Aug 2024 07:31:45 -0700
Subject: [PATCH 073/165] generate schema and validate example for new upstream-oauth plugin (#53)
---
examples/upstream-oauth/_3.8.x.yaml | 12 +
schemas/upstream-oauth/3.8.x.json | 749 ++++++++++++++++++++++++++++
2 files changed, 761 insertions(+)
create mode 100644 examples/upstream-oauth/_3.8.x.yaml
create mode 100644 schemas/upstream-oauth/3.8.x.json
diff --git a/examples/upstream-oauth/_3.8.x.yaml b/examples/upstream-oauth/_3.8.x.yaml
new file mode 100644
index 00000000..2c80a4ac
--- /dev/null
+++ b/examples/upstream-oauth/_3.8.x.yaml
@@ -0,0 +1,12 @@
+name: upstream-oauth
+config:
+ oauth:
+ token_endpoint: "http://test.test"
+ grant_type: client_credentials
+ client_id: CLIENT_CREDENTIALS_GRANT_POST_AUTH_CLIENT_ID
+ client_secret: CLIENT_CREDENTIALS_GRANT_POST_AUTH_CLIENT_SECRET
+ scopes:
+ - "openid"
+ - "profile"
+ behavior:
+ upstream_access_token_header_name: X-Custom-Auth
\ No newline at end of file
diff --git a/schemas/upstream-oauth/3.8.x.json b/schemas/upstream-oauth/3.8.x.json
new file mode 100644
index 00000000..eb370814
--- /dev/null
+++ b/schemas/upstream-oauth/3.8.x.json
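Review bot: `token_endpoint: "http://test.test"` in the upstream-oauth example is plain HTTP, and with the schema's default `auth_method` of `client_secret_post` the `client_id` and `client_secret` are sent to that endpoint in the request body, so anyone copying the example sends the credentials unencrypted. The schema in this same commit also defaults `client.ssl_verify` to `false`, so switching the scheme alone would presumably still skip certificate validation. I would change the example to `token_endpoint: "https://test.test"` and add a `client:` section with `ssl_verify: true` under `config`.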
@@ -0,0 +1,749 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "client": { + "fields": [ + { + "auth_method": { + "required": true, + "default": "client_secret_post", + "type": "string", + "one_of": [ + "client_secret_post", + "client_secret_basic", + "client_secret_jwt", + "none" + ] + } + }, + { + "client_secret_jwt_alg": { + "required": true, + "default": "HS512", + "type": "string", + "one_of": [ + "HS512", + "HS256" + ] + } + }, + { + "http_version": { + "required": false, + "default": 1.1, + "type": "number" + } + }, + { + "http_proxy": { + "required": false, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + { + "http_proxy_authorization": { + "type": "string", + "required": false + } + }, + { + "https_proxy": { + "required": false, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + { + "https_proxy_authorization": { + "type": "string", + "required": false + } + }, + { + "no_proxy": { + "type": "string", + "required": false + } + }, + { + "timeout": { + "required": true, + "default": 10000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "keep_alive": { + "required": true, + "default": true, + "type": "boolean" + } + }, + { + "ssl_verify": { + "required": false, + "default": false, + "type": "boolean" + } + } + ], + "type": "record", + "required": true + } + }, + { + "oauth": { + "fields": [ + { + "token_endpoint": { + "required": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + { + "token_headers": { + "required": true, + "default": [ + + ], + "type": "map", + "keys": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "values": { + "type": "string", + "referenceable": true + } + } + }, + { + "token_post_args": { + "required": true, + "default": [ + + ], + "type": "map", + "keys": { + "type": "string" + }, + "values": { + "type": "string", + "referenceable": true + } + } + }, + { + "grant_type": { + "required": true, + "default": "client_credentials", + "type": "string", + "one_of": [ + "client_credentials", + "password" + ] + } + }, + { + "client_id": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "client_secret": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "username": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "password": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "scopes": { + "required": false, + "default": [ + "openid" + ], + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "audience": { + "required": false, + "default": [ + + ], + "type": "array", + "elements": { + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "cache": { + "fields": [ + { + "strategy": { + "required": true, + "default": 
"memory", + "type": "string", + "one_of": [ + "memory", + "redis" + ] + } + }, + { + "memory": { + "fields": [ + { + "dictionary_name": { + "required": true, + "default": "kong_db_cache", + "type": "string" + } + } + ], + "type": "record", + "required": true + } + }, + { + "redis": { + "required": true, + "type": "record", + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "type": "string", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, + "referenceable": true + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "type": "string", + "referenceable": true + } + }, + { + "sentinel_password": { + "type": "string", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, + "referenceable": true + } + }, + { + "database": { + "default": 0, + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy" + } + }, + { + "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "required": true, + "default": "127.0.0.1", + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + } + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "required": true, + "default": "127.0.0.1", + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + } + } + }, + { + "ssl": { + "required": false, + "default": false, + "type": "boolean", + "description": "If set to true, uses SSL to connect to Redis." + } + }, + { + "ssl_verify": { + "required": false, + "default": false, + "type": "boolean", + "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + } + }, + { + "server_name": { + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + } + }, + { + "cluster_max_redirections": { + "required": false, + "default": 5, + "type": "integer", + "description": "Maximum retry attempts for redirection." + } + }, + { + "connection_is_proxied": { + "required": false, + "default": false, + "type": "boolean", + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address." + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + }, + "type": "integer", + "translate_backwards": [ + "connect_timeout" + ] + } + }, + { + "sentinel_addresses": { + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "cluster_addresses": { + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + 
"port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ] + } + }, + { + "eagerly_expire": { + "required": true, + "default": 5, + "gt": -1, + "type": "integer" + } + }, + { + "default_ttl": { + "default": 3600, + "gt": 0, + "type": "number" + } + } + ], + "type": "record", + "required": true + } + }, + { + "behavior": { + "fields": [ + { + "upstream_access_token_header_name": { + "required": true, + "len_min": 0, + "type": "string", + "default": "Authorization" + } + }, + { + "idp_error_response_status_code": { + "required": true, + "default": 502, + "type": "integer", + "between": [ + 500, + 599 + ] + } + }, + { + "idp_error_response_content_type": { + "required": true, + "len_min": 0, + "type": "string", + "default": "application/json; charset=utf-8" + } + }, + { + "idp_error_response_message": { + "required": true, + "len_min": 0, + "type": "string", + "default": "Failed to authenticate request to upstream" + } + }, + { + "idp_error_response_body_template": { + "required": true, + "len_min": 0, + "type": "string", + "default": "{ \"code\": \"{{status}}\", \"message\": \"{{message}}\" }" + } + }, + { + 
"purge_token_on_upstream_status_codes": { + "default": [ + 401 + ], + "type": "array", + "elements": { + "type": "integer", + "between": [ + 100, + 599 + ] + } + } + } + ], + "type": "record", + "required": true + } + } + ], + "type": "record", + "required": true + } + } + ] +} \ No newline at end of file From 50d743a79b8c098616a9b73231bf5b3305f14b3d Mon Sep 17 00:00:00 2001 
From: kong-docs <116832528+kong-docs@users.noreply.github.com> Date: Wed, 28 Aug 2024 23:42:15 +0200 Subject: [PATCH 074/165] Download Schemas for 3.8.x (#55) Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- schemas/acl/3.8.x.json | 72 +- schemas/acme/3.8.x.json | 406 +-- schemas/ai-azure-content-safety/3.8.x.json | 92 +- schemas/ai-prompt-decorator/3.8.x.json | 70 +- schemas/ai-prompt-guard/3.8.x.json | 86 +- schemas/ai-prompt-template/3.8.x.json | 56 +- schemas/ai-proxy-advanced/3.8.x.json | 688 +++-- schemas/ai-proxy/3.8.x.json | 393 ++- schemas/ai-rate-limiting-advanced/3.8.x.json | 452 ++- schemas/ai-request-transformer/3.8.x.json | 441 +-- schemas/ai-response-transformer/3.8.x.json | 447 +-- schemas/ai-semantic-cache/3.8.x.json | 517 ++-- schemas/ai-semantic-prompt-guard/3.8.x.json | 531 ++-- schemas/app-dynamics/3.8.x.json | 18 +- schemas/aws-lambda/3.8.x.json | 158 +- schemas/azure-functions/3.8.x.json | 64 +- schemas/basic-auth/3.8.x.json | 48 +- schemas/bot-detection/3.8.x.json | 44 +- schemas/canary/3.8.x.json | 122 +- schemas/confluent/3.8.x.json | 140 +- schemas/correlation-id/3.8.x.json | 37 +- schemas/cors/3.8.x.json | 84 +- schemas/datadog/3.8.x.json | 211 +- schemas/degraphql/3.8.x.json | 34 +- schemas/exit-transformer/3.8.x.json | 30 +- schemas/file-log/3.8.x.json | 44 +- schemas/forward-proxy/3.8.x.json | 94 +- .../graphql-proxy-cache-advanced/3.8.x.json | 379 ++- .../graphql-rate-limiting-advanced/3.8.x.json | 417 ++- schemas/grpc-gateway/3.8.x.json | 28 +- schemas/grpc-web/3.8.x.json | 40 +- schemas/header-cert-auth/3.8.x.json | 120 +- schemas/hmac-auth/3.8.x.json | 97 +- schemas/http-log/3.8.x.json | 169 +- schemas/ip-restriction/3.8.x.json | 42 +- schemas/jq/3.8.x.json | 106 +- schemas/json-threat-protection/3.8.x.json | 56 +- schemas/jwe-decrypt/3.8.x.json | 42 +- schemas/jwt-signer/3.8.x.json | 434 +-- schemas/jwt/3.8.x.json | 111 +- schemas/kafka-log/3.8.x.json | 156 +- schemas/kafka-upstream/3.8.x.json 
| 140 +- schemas/key-auth-enc/3.8.x.json | 75 +- schemas/key-auth/3.8.x.json | 64 +- schemas/konnect-application-auth/3.8.x.json | 2043 ++++++++----- schemas/ldap-auth-advanced/3.8.x.json | 131 +- schemas/ldap-auth/3.8.x.json | 97 +- schemas/loggly/3.8.x.json | 82 +- schemas/mocking/3.8.x.json | 70 +- schemas/mtls-auth/3.8.x.json | 88 +- schemas/oas-validation/3.8.x.json | 80 +- schemas/oauth2-introspection/3.8.x.json | 84 +- schemas/oauth2/3.8.x.json | 123 +- schemas/opa/3.8.x.json | 74 +- schemas/openid-connect/3.8.x.json | 2556 +++++++++++------ schemas/opentelemetry/3.8.x.json | 240 +- schemas/post-function/3.8.x.json | 158 +- schemas/pre-function/3.8.x.json | 158 +- schemas/prometheus/3.8.x.json | 55 +- schemas/proxy-cache-advanced/3.8.x.json | 423 ++- schemas/proxy-cache/3.8.x.json | 104 +- schemas/rate-limiting-advanced/3.8.x.json | 425 ++- schemas/rate-limiting/3.8.x.json | 494 ++-- schemas/request-size-limiting/3.8.x.json | 36 +- schemas/request-termination/3.8.x.json | 38 +- .../request-transformer-advanced/3.8.x.json | 244 +- schemas/request-transformer/3.8.x.json | 166 +- schemas/request-validator/3.8.x.json | 82 +- schemas/response-ratelimiting/3.8.x.json | 256 +- .../response-transformer-advanced/3.8.x.json | 220 +- schemas/response-transformer/3.8.x.json | 131 +- schemas/route-by-header/3.8.x.json | 42 +- schemas/route-transformer-advanced/3.8.x.json | 22 +- schemas/saml/3.8.x.json | 1333 ++++++--- schemas/session/3.8.x.json | 142 +- schemas/standard-webhooks/3.8.x.json | 26 +- schemas/statsd-advanced/3.8.x.json | 327 ++- schemas/statsd/3.8.x.json | 355 +-- schemas/syslog/3.8.x.json | 58 +- schemas/tcp-log/3.8.x.json | 64 +- schemas/tls-handshake-modifier/3.8.x.json | 38 +- schemas/tls-metadata-headers/3.8.x.json | 56 +- schemas/udp-log/3.8.x.json | 44 +- schemas/upstream-oauth/3.8.x.json | 472 ++- schemas/upstream-timeout/3.8.x.json | 40 +- schemas/vault-auth/3.8.x.json | 52 +- schemas/websocket-size-limit/3.8.x.json | 34 +- 
schemas/websocket-validator/3.8.x.json | 160 +- schemas/xml-threat-protection/3.8.x.json | 182 +- schemas/zipkin/3.8.x.json | 237 +- 90 files changed, 11911 insertions(+), 8286 deletions(-) diff --git a/schemas/acl/3.8.x.json b/schemas/acl/3.8.x.json index 3209ec69..f0f2fd1a 100644 --- a/schemas/acl/3.8.x.json +++ b/schemas/acl/3.8.x.json @@ -1,24 +1,37 @@ { + "entity_checks": [ + { + "only_one_of": [ + "config.allow", + "config.deny" + ] + }, + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -29,13 +42,14 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { 
@@ -43,55 +57,49 @@ "fields": [ { "allow": { + "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", "elements": { "type": "string" }, - "type": "array", - "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified." + "type": "array" } }, { "deny": { + "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", "elements": { "type": "string" }, - "type": "array", - "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified." + "type": "array" } }, { "hide_groups_header": { "required": true, + "default": false, "type": "boolean", - "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", - "default": false + "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service." } }, { "include_consumer_groups": { "required": false, + "default": false, + "type": "boolean" + } + }, + { + "always_use_authenticated_groups": { + "required": true, + "default": false, "type": "boolean", - "default": false + "description": "If enabled (`true`), the authenticated groups will always be used even when an authenticated consumer already exists. If the authenticated groups don't exist, it will fallback to use the groups associated with the consumer. By default the authenticated groups will only be used when there is no consumer or the consumer is anonymous." 
} } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - { - "only_one_of": [ - "config.allow", - "config.deny" - ] - }, - { - "at_least_one_of": [ - "config.allow", - "config.deny" - ] - } ] } \ No newline at end of file diff --git a/schemas/acme/3.8.x.json b/schemas/acme/3.8.x.json index 360878bc..411e23d6 100644 --- a/schemas/acme/3.8.x.json +++ b/schemas/acme/3.8.x.json 
@@ -1,40 +1,88 @@ { + "entity_checks": [ + { + "conditional": { + "then_match": { + "eq": true + }, + "then_field": "config.tos_accepted", + "if_match": { + "one_of": [ + "https://acme-v02.api.letsencrypt.org", + "https://acme-staging-v02.api.letsencrypt.org" + ] + }, + "if_field": "config.api_uri", + "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/" + } + }, + { + "conditional": { + "then_field": "config.storage_config.redis.host", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + }, + "if_field": "config.storage" + } + }, + { + "conditional": { + "then_field": "config.storage_config.redis.port", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + }, + "if_field": "config.storage" + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.storage" + ] + } + } + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "service": { - "reference": "services", "type": "foreign", - "description": "A reference to the 'services' table with a null value allowed.", - "eq": null + "reference": "services", + "eq": null, + "description": "A reference to the 'services' table with a null value allowed." } }, { "route": { - "reference": "routes", "type": "foreign", - "description": "A reference to the 'routes' table with a null value allowed.", - "eq": null + "reference": "routes", + "eq": null, + "description": "A reference to the 'routes' table with a null value allowed." 
} }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -45,13 +93,14 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { 
@@ -59,145 +108,145 @@ "fields": [ { "account_email": { - "encrypted": true, - "referenceable": true, "required": true, + "referenceable": true, + "match": "%w*%p*@+%w*%.?%w*", "type": "string", - "description": "The account identifier. Can be reused in a different plugin instance.", - "match": "%w*%p*@+%w*%.?%w*" + "encrypted": true, + "description": "The account identifier. Can be reused in a different plugin instance." } }, { "account_key": { "required": false, - "description": "The private key associated with the account.", "type": "record", "fields": [ { "key_id": { "required": true, - "type": "string", - "description": "The Key ID." + "description": "The Key ID.", + "type": "string" } }, { "key_set": { - "type": "string", - "description": "The ID of the key set to associate the Key ID with." + "description": "The ID of the key set to associate the Key ID with.", + "type": "string" } } - ] + ], + "description": "The private key associated with the account." } }, { "api_uri": { - "type": "string", + "default": "https://acme-v02.api.letsencrypt.org/directory", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "default": "https://acme-v02.api.letsencrypt.org/directory" + "type": "string" } }, { "tos_accepted": { - "type": "boolean", + "default": false, "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", - "default": false + "type": "boolean" } }, { "eab_kid": { "type": "string", + "referenceable": true, "encrypted": true, - "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", - "referenceable": true + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA." 
} }, { "eab_hmac_key": { "type": "string", + "referenceable": true, "encrypted": true, - "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", - "referenceable": true + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA." } }, { "cert_type": { - "default": "rsa", "type": "string", - "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate.", + "default": "rsa", "one_of": [ "rsa", "ecc" - ] + ], + "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate." } }, { "rsa_key_size": { - "default": 4096, "type": "number", - "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", + "default": 4096, "one_of": [ 2048, 3072, 4096 - ] + ], + "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096." } }, { "renew_threshold_days": { + "default": 14, "type": "number", - "description": "Days remaining to renew the certificate before it expires.", - "default": 14 + "description": "Days remaining to renew the certificate before it expires." 
} }, { "domains": { + "type": "array", "elements": { - "match_any": { - "patterns": [ - "^%*%.", - "%.%*$", - "^[^*]*$" - ], - "err": "invalid wildcard: must be placed at leftmost or rightmost label" - }, - "type": "string", "match_all": [ { "pattern": "^[^*]*%*?[^*]*$", "err": "invalid wildcard: must have at most one wildcard" } - ] + ], + "type": "string", + "match_any": { + "err": "invalid wildcard: must be placed at leftmost or rightmost label", + "patterns": [ + "^%*%.", + "%.%*$", + "^[^*]*$" + ] + } }, - "type": "array", "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')" } }, { "allow_any_domain": { + "default": false, "type": "boolean", - "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", - "default": false + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list." } }, { "fail_backoff_minutes": { + "default": 5, "type": "number", - "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", - "default": 5 + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate." } }, { "storage": { - "default": "shm", "type": "string", - "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. 
Please refer to the Hybrid Mode sections below as well.", + "default": "shm", "one_of": [ "kong", "shm", "redis", "consul", "vault" - ] + ], + "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well." } }, { @@ -208,14 +257,14 @@ "fields": [ { "shm_name": { + "default": "kong", "type": "string", - "description": "Name of shared memory zone used for Kong API gateway storage", - "default": "kong" + "description": "Name of shared memory zone used for Kong API gateway storage" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -223,8 +272,8 @@ "fields": [ ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
@@ -238,63 +287,63 @@ }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "username": { - "type": "string", "referenceable": true, + "type": "string", "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." } }, { "password": { - "encrypted": true, "referenceable": true, + "len_min": 0, "type": "string", - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "len_min": 0 + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer", - "default": 0 + "description": "Database to use for the Redis connection when using the `redis` strategy" } }, { "ssl": { "required": false, - "description": "If set to true, uses SSL to connect to Redis.", + "default": false, "type": "boolean", - "default": false + "description": "If set to true, uses SSL to connect to Redis." } }, { "ssl_verify": { "required": false, - "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, "type": "boolean", - "default": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." } }, { 
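Review bot: `ssl` and `ssl_verify` under `storage_config.redis` both default to `false`, and neither description says what that means for the `password` field in the same record. With the defaults, the Redis credentials are sent over an unencrypted connection, and with `ssl: true` alone the server certificate is not checked. The `ssl_verify` description could add a sentence such as `When false, the Redis server certificate is not validated; enable this together with ssl whenever a password is configured.` The values themselves are only reordered by this hunk.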
@@ -309,84 +358,84 @@ "fields": [ { "namespace": { - "description": "A namespace to prepend to all keys stored in Redis.", "required": true, "type": "string", + "default": "", "len_min": 0, - "default": "" + "description": "A namespace to prepend to all keys stored in Redis." } }, { "scan_count": { "required": false, - "type": "number", + "default": 10, "description": "The number of keys to return in Redis SCAN calls.", - "default": 10 + "type": "number" } } ], "description": "Custom ACME Redis options", - "type": "record", - "required": true + "required": true, + "type": "record" } } ], + "required": true, "shorthand_fields": [ { "auth": { - "len_min": 0, "deprecation": { - "removal_in_version": "4.0", - "message": "acme: config.storage_config.redis.auth is deprecated, please use config.storage_config.redis.password instead" + "message": "acme: config.storage_config.redis.auth is deprecated, please use config.storage_config.redis.password instead", + "removal_in_version": "4.0" }, - "type": "string", + "len_min": 0, "translate_backwards": [ "password" - ] + ], + "type": "string" } }, { "ssl_server_name": { "deprecation": { - "removal_in_version": "4.0", - "message": "acme: config.storage_config.redis.ssl_server_name is deprecated, please use config.storage_config.redis.server_name instead" + "message": "acme: config.storage_config.redis.ssl_server_name is deprecated, please use config.storage_config.redis.server_name instead", + "removal_in_version": "4.0" }, - "type": "string", "translate_backwards": [ "server_name" - ] + ], + "type": "string" } }, { "namespace": { - "len_min": 0, "deprecation": { - "removal_in_version": "4.0", - "message": "acme: config.storage_config.redis.namespace is deprecated, please use config.storage_config.redis.extra_options.namespace instead" + "message": "acme: config.storage_config.redis.namespace is deprecated, please use config.storage_config.redis.extra_options.namespace instead", + "removal_in_version": "4.0" }, - "type": 
"string", + "len_min": 0, "translate_backwards": [ "extra_options", "namespace" - ] + ], + "type": "string" } }, { "scan_count": { "deprecation": { - "removal_in_version": "4.0", - "message": "acme: config.storage_config.redis.scan_count is deprecated, please use config.storage_config.redis.extra_options.scan_count instead" + "message": "acme: config.storage_config.redis.scan_count is deprecated, please use config.storage_config.redis.extra_options.scan_count instead", + "removal_in_version": "4.0" }, - "type": "integer", "translate_backwards": [ "extra_options", "scan_count" - ] + ], + "type": "integer" } } ], - "type": "record", - "required": true + "type": "record" } }, { @@ -394,9 +443,9 @@ "fields": [ { "https": { - "type": "boolean", + "default": false, "description": "Boolean representation of https.", - "default": false + "type": "boolean" } }, { @@ -407,36 +456,36 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "kv_path": { - "type": "string", - "description": "KV prefix path." + "description": "KV prefix path.", + "type": "string" } }, { "timeout": { - "type": "number", - "description": "Timeout in milliseconds." + "description": "Timeout in milliseconds.", + "type": "number" } }, { "token": { - "type": "string", "referenceable": true, - "description": "Consul ACL token." + "description": "Consul ACL token.", + "type": "string" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -444,9 +493,9 @@ "fields": [ { "https": { - "type": "boolean", + "default": false, "description": "Boolean representation of https.", - "default": false + "type": "boolean" } }, { 
@@ -457,83 +506,83 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "kv_path": { - "type": "string", - "description": "KV prefix path." + "description": "KV prefix path.", + "type": "string" } }, { "timeout": { - "type": "number", - "description": "Timeout in milliseconds." + "description": "Timeout in milliseconds.", + "type": "number" } }, { "token": { - "type": "string", "referenceable": true, - "description": "Consul ACL token." + "description": "Consul ACL token.", + "type": "string" } }, { "tls_verify": { - "type": "boolean", + "default": true, "description": "Turn on TLS verification.", - "default": true + "type": "boolean" } }, { "tls_server_name": { - "type": "string", - "description": "SNI used in request, default to host if omitted." + "description": "SNI used in request, default to host if omitted.", + "type": "string" } }, { "auth_method": { - "default": "token", "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", - "type": "string", + "default": "token", "one_of": [ "token", "kubernetes" - ] + ], + "type": "string" } }, { "auth_path": { - "type": "string", - "description": "Vault's authentication path to use." + "description": "Vault's authentication path to use.", + "type": "string" } }, { "auth_role": { - "type": "string", - "description": "The role to try and assign." + "description": "The role to try and assign.", + "type": "string" } }, { "jwt_path": { - "type": "string", - "description": "The path to the JWT." + "description": "The path to the JWT.", + "type": "string" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
@@ -544,63 +593,14 @@ }, { "enable_ipv4_common_name": { + "default": true, "type": "boolean", - "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", - "default": true + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates." } } ], - "type": "record", - "required": true - } - } - ], - "entity_checks": [ - { - "conditional": { - "if_field": "config.api_uri", - "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", - "if_match": { - "one_of": [ - "https://acme-v02.api.letsencrypt.org", - "https://acme-staging-v02.api.letsencrypt.org" - ] - }, - "then_field": "config.tos_accepted", - "then_match": { - "eq": true - } - } - }, - { - "conditional": { - "if_field": "config.storage", - "if_match": { - "eq": "redis" - }, - "then_field": "config.storage_config.redis.host", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_field": "config.storage", - "if_match": { - "eq": "redis" - }, - "then_field": "config.storage_config.redis.port", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "field_sources": [ - "config.storage" - ] + "required": true, + "type": "record" } } ] diff --git a/schemas/ai-azure-content-safety/3.8.x.json b/schemas/ai-azure-content-safety/3.8.x.json index db4bc3fc..8aaf5b9e 100644 --- a/schemas/ai-azure-content-safety/3.8.x.json +++ b/schemas/ai-azure-content-safety/3.8.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", 
@@ -13,29 +15,30 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -44,73 +47,73 @@ { "content_safety_url": { "required": true, - "type": "string", "referenceable": true, - "description": "Full URL, inc protocol, of the Azure Content Safety instance." + "description": "Full URL, inc protocol, of the Azure Content Safety instance.", + "type": "string" } }, { "azure_api_version": { - "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format.", "required": true, - "type": "string", "len_min": 1, - "default": "2023-10-01" + "default": "2023-10-01", + "type": "string", + "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format." } }, { "azure_use_managed_identity": { + "default": false, "type": "boolean", - "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity", - "default": false + "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity" } }, { "azure_client_id": { "required": false, - "type": "string", - "description": "If `azure_use_managed_identity` is true, set the client ID if required." + "description": "If `azure_use_managed_identity` is true, set the client ID if required.", + "type": "string" } }, { "azure_client_secret": { "required": false, - "type": "string", - "description": "If `azure_use_managed_identity` is true, set the client secret if required." + "description": "If `azure_use_managed_identity` is true, set the client secret if required.", + "type": "string" } }, { "azure_tenant_id": { "required": false, - "type": "string", - "description": "If `azure_use_managed_identity` is true, set the tenant ID if required." 
+ "description": "If `azure_use_managed_identity` is true, set the tenant ID if required.", + "type": "string" } }, { "content_safety_key": { - "encrypted": true, - "referenceable": true, "required": false, - "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.", - "type": "string" + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety." } }, { "text_source": { - "default": "concatenate_all_content", "type": "string", - "description": "Select where to pick the 'text' for the Azure Content Services request.", + "default": "concatenate_all_content", "one_of": [ "concatenate_all_content", "concatenate_user_content" - ] + ], + "description": "Select where to pick the 'text' for the Azure Content Services request." } }, { "categories": { + "type": "array", "elements": { "required": true, - "type": "record", "fields": [ { "name": { 
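Review bot: `azure_client_secret` is declared with only `required`, `description` and `type`, while `content_safety_key` in the same record carries `"referenceable": true` and `"encrypted": true`. As written, the client secret presumably cannot be supplied as a vault reference and is stored without the encryption applied to the API key. The ai-proxy-advanced schema later in this patch marks its own `azure_client_secret` with both attributes. The upstream plugin schema should add `"referenceable": true, "encrypted": true` to this field so the regenerated file picks it up. Separately, the `content_safety_key` description says the key is set when `azure_use_managed_identity` is true, which reads inverted and is worth confirming.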
@@ -124,53 +127,50 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "type": "array", "description": "Array of categories, and their thresholds, to measure on." } }, { "reveal_failure_reason": { - "type": "boolean", + "default": true, "description": "Set true to tell the caller why their request was rejected, if so.", - "default": true + "type": "boolean" } }, { "output_type": { - "default": "FourSeverityLevels", "type": "string", - "description": "See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter#content-filtering-categories", + "default": "FourSeverityLevels", "one_of": [ "FourSeverityLevels", "EightSeverityLevels" - ] + ], + "description": "See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter#content-filtering-categories" } }, { "blocklist_names": { + "description": "Use these configured blocklists (in Azure Content Services) when inspecting content.", "elements": { "type": "string" }, - "type": "array", - "description": "Use these configured blocklists (in Azure Content Services) when inspecting content." + "type": "array" } }, { "halt_on_blocklist_hit": { - "type": "boolean", + "default": true, "description": "Tells Azure to reject the request if any blocklist filter is hit.", - "default": true + "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/ai-prompt-decorator/3.8.x.json b/schemas/ai-prompt-decorator/3.8.x.json index 1ee146d7..8feb59df 100644 --- a/schemas/ai-prompt-decorator/3.8.x.json +++ b/schemas/ai-prompt-decorator/3.8.x.json @@ -1,8 +1,15 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.prompts.prepend", + "config.prompts.append" + ] + } + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", 
@@ -13,13 +20,14 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { 
@@ -28,91 +36,91 @@ { "prompts": { "required": false, - "type": "record", "fields": [ { "prepend": { - "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages.", "required": false, "elements": { "required": false, - "type": "record", "fields": [ { "role": { "required": true, "default": "system", - "type": "string", "one_of": [ "system", "assistant", "user" - ] + ], + "type": "string" } }, { "content": { "required": true, - "len_min": 1, "type": "string", - "len_max": 500 + "len_max": 500, + "len_min": 1 } } - ] + ], + "type": "record" }, "type": "array", - "len_max": 15 + "len_max": 15, + "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages." } }, { "append": { - "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages.", "required": false, "elements": { "required": false, - "type": "record", "fields": [ { "role": { "required": true, "default": "system", - "type": "string", "one_of": [ "system", "assistant", "user" - ] + ], + "type": "string" } }, { "content": { "required": true, - "len_min": 1, "type": "string", - "len_max": 500 + "len_max": 500, + "len_min": 1 } } - ] + ], + "type": "record" }, "type": "array", - "len_max": 15 + "len_max": 15, + "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages." } } - ] + ], + "type": "record" + } + }, + { + "max_request_body_size": { + "gt": 0, + "default": 8192, + "type": "integer", + "description": "max allowed body size allowed to be introspected" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.prompts.prepend", - "config.prompts.append" - ] - } ] } \ No newline at end of file 
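Review bot: The new `max_request_body_size` field is described only as `max allowed body size allowed to be introspected`, which does not say what happens to a request whose body exceeds the limit (default 8192) or what unit the number is in. The same field and text are added in the ai-prompt-guard and ai-prompt-template hunks. For the guard in particular, an operator needs to know whether an oversized body is rejected or forwarded without the allow/deny patterns being applied. A clearer description would be `Maximum request body size (UNIT) that the plugin will inspect; larger requests are BEHAVIOUR.`, with the unit and behaviour filled in from the plugin implementation.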
diff --git a/schemas/ai-prompt-guard/3.8.x.json b/schemas/ai-prompt-guard/3.8.x.json index 69f97e6a..a25b0ad5 100644 --- a/schemas/ai-prompt-guard/3.8.x.json +++ b/schemas/ai-prompt-guard/3.8.x.json @@ -1,8 +1,27 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow_patterns", + "config.deny_patterns" + ] + }, + { + "conditional": { + "then_field": "config.allow_all_conversation_history", + "if_match": { + "eq": true + }, + "then_match": { + "eq": false + }, + "if_field": "config.match_all_roles" + } + } + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,13 +32,14 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { 
@@ -27,54 +47,58 @@ "fields": [ { "allow_patterns": { - "default": [ - - ], - "type": "array", + "required": false, "elements": { + "len_max": 500, "type": "string", - "len_min": 1, - "len_max": 500 + "len_min": 1 }, - "description": "Array of valid patterns, or valid questions from the 'user' role in chat.", - "len_max": 10 + "type": "array", + "len_max": 10, + "description": "Array of valid regex patterns, or valid questions from the 'user' role in chat." } }, { "deny_patterns": { - "default": [ - - ], - "type": "array", + "required": false, "elements": { + "len_max": 500, "type": "string", - "len_min": 1, - "len_max": 500 + "len_min": 1 }, - "description": "Array of invalid patterns, or invalid questions from the 'user' role in chat.", - "len_max": 10 + "type": "array", + "len_max": 10, + "description": "Array of invalid regex patterns, or invalid questions from the 'user' role in chat." } }, { "allow_all_conversation_history": { "required": true, - "description": "If true, will ignore all previous chat prompts from the conversation history.", + "default": false, + "type": "boolean", + "description": "If true, will ignore all previous chat prompts from the conversation history." + } + }, + { + "max_request_body_size": { + "gt": 0, + "default": 8192, + "type": "integer", + "description": "max allowed body size allowed to be introspected" + } + }, + { + "match_all_roles": { + "required": true, + "default": false, "type": "boolean", - "default": false + "description": "If true, will match all roles in addition to 'user' role in conversation history." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.allow_patterns", - "config.deny_patterns" - ] - } ] } \ No newline at end of file diff --git a/schemas/ai-prompt-template/3.8.x.json b/schemas/ai-prompt-template/3.8.x.json index 1af322a2..3ca73289 100644 --- a/schemas/ai-prompt-template/3.8.x.json 
+++ b/schemas/ai-prompt-template/3.8.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,21 +15,14 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] - } - }, - { - "consumer": { - "reference": "consumers", - "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + ], + "description": "A set of strings representing HTTP protocols." } }, { 
@@ -36,53 +31,58 @@ { "templates": { "required": true, + "type": "array", "elements": { "required": true, - "type": "record", "fields": [ { "name": { "required": true, - "description": "Unique name for the template, can be called with `{template://NAME}`", - "type": "string" + "type": "string", + "description": "Unique name for the template, can be called with `{template://NAME}`" } }, { "template": { "required": true, - "description": "Template string for this request, supports mustache-style `{{placeholders}}`", - "type": "string" + "type": "string", + "description": "Template string for this request, supports mustache-style `{{placeholders}}`" } } - ] + ], + "type": "record" }, - "description": "Array of templates available to the request context.", - "type": "array" + "description": "Array of templates available to the request context." } }, { "allow_untemplated_requests": { "required": true, - "description": "Set true to allow requests that don't call or match any template.", + "default": true, "type": "boolean", - "default": true + "description": "Set true to allow requests that don't call or match any template." } }, { "log_original_request": { "required": true, - "description": "Set true to add the original request to the Kong log plugin(s) output.", + "default": false, "type": "boolean", - "default": false + "description": "Set true to add the original request to the Kong log plugin(s) output." + } + }, + { + "max_request_body_size": { + "gt": 0, + "default": 8192, + "type": "integer", + "description": "max allowed body size allowed to be introspected" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/ai-proxy-advanced/3.8.x.json b/schemas/ai-proxy-advanced/3.8.x.json index 500ad146..f3bdf316 100644 --- a/schemas/ai-proxy-advanced/3.8.x.json +++ b/schemas/ai-proxy-advanced/3.8.x.json 
@@ -1,16 +1,33 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.targets" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.targets", + "config.balancer" + ] + } + } + ], "fields": [ { "protocols": { "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", "default": [ @@ -24,7 +41,6 @@ }, { "config": { - "type": "record", "fields": [ { "balancer": { @@ -32,8 +48,8 @@ "fields": [ { "algorithm": { - "default": "round-robin", "type": "string", + "default": "round-robin", "one_of": [ "round-robin", "lowest-latency", @@ -46,8 +62,8 @@ }, { "tokens_count_strategy": { - "default": "total-tokens", "type": "string", + "default": "total-tokens", "one_of": [ "total-tokens", "prompt-tokens", @@ -58,8 +74,8 @@ }, { "latency_strategy": { - "default": "tpot", "type": "string", + "default": "tpot", "one_of": [ "tpot", "e2e" @@ -69,8 +85,8 @@ }, { "hash_on_header": { - "type": "string", "default": "X-Kong-LLM-Request-ID", + "type": "string", "description": "The header to use for consistent-hashing." } }, @@ -80,8 +96,8 @@ 10, 65536 ], - "type": "integer", "default": 10000, + "type": "integer", "description": "The number of slots in the load balancer algorithm." } }, @@ -91,8 +107,8 @@ 0, 32767 ], - "type": "integer", "default": 5, + "type": "integer", "description": "The number of retries to execute upon failure to proxy." } }, 
@@ -139,21 +155,124 @@ "required": false, "fields": [ { - "password": { + "header_name": { "required": false, "referenceable": true, + "type": "string", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here." + } + }, + { + "header_value": { + "required": false, + "referenceable": true, + "type": "string", "encrypted": true, + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." + } + }, + { + "param_name": { + "required": false, + "referenceable": true, "type": "string", - "description": "authentication password" + "description": "If AI model requires authentication via query parameter, specify its name here." } }, { - "token": { + "param_value": { "required": false, "referenceable": true, + "type": "string", "encrypted": true, + "description": "Specify the full parameter value for 'param_name'." + } + }, + { + "param_location": { + "required": false, + "one_of": [ + "query", + "body" + ], "type": "string", - "description": "authentication token" + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body." + } + }, + { + "azure_use_managed_identity": { + "required": false, + "default": false, + "type": "boolean", + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models." + } + }, + { + "azure_client_id": { + "required": false, + "referenceable": true, + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID." 
+ } + }, + { + "azure_client_secret": { + "required": false, + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." + } + }, + { + "azure_tenant_id": { + "required": false, + "referenceable": true, + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID." + } + }, + { + "gcp_use_service_account": { + "required": false, + "default": false, + "type": "boolean", + "description": "Use service account auth for GCP-based providers and models." + } + }, + { + "gcp_service_account_json": { + "required": false, + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`." + } + }, + { + "aws_access_key_id": { + "required": false, + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance." + } + }, + { + "aws_secret_access_key": { + "required": false, + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance." 
+ } + }, + { + "allow_override": { + "required": false, + "default": false, + "type": "boolean", + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin." } } ], @@ -161,33 +280,50 @@ } }, { - "provider": { + "model": { "required": true, - "type": "string", - "one_of": [ - "mistralai", - "openai" - ], - "description": "which provider to use for embeddings" - } - }, - { - "name": { - "required": true, - "type": "string", - "one_of": [ - "text-embedding-3-large", - "text-embedding-3-small", - "mistral-embed" + "fields": [ + { + "provider": { + "required": true, + "one_of": [ + "openai", + "mistral" + ], + "type": "string", + "description": "AI provider format to use for embeddings API" + } + }, + { + "name": { + "required": true, + "one_of": [ + "text-embedding-3-large", + "text-embedding-3-small", + "mistral-embed" + ], + "type": "string", + "description": "Model name to execute." + } + }, + { + "options": { + "required": false, + "description": "Key/value settings for the model", + "fields": [ + { + "upstream_url": { + "required": false, + "type": "string", + "description": "upstream url for the embeddings" + } + } + ], + "type": "record" + } + } ], - "description": "which AI model to use for generating embeddings" - } - }, - { - "upstream_url": { - "type": "string", - "required": false, - "description": "upstream url for the embeddings" + "type": "record" } } ], 
@@ -201,115 +337,75 @@ { "strategy": { "required": true, - "type": "string", "one_of": [ "redis" ], + "type": "string", "description": "which vector database driver to use" } }, { "dimensions": { - "type": "integer", "required": true, + "type": "integer", "description": "the desired dimensionality for the vectors" } }, { "threshold": { - "type": "number", "required": true, + "type": "number", "description": "the default similarity threshold for accepting semantic search results (float)" } }, { "distance_metric": { "required": true, - "type": "string", "one_of": [ "cosine", "euclidean" ], + "type": "string", "description": "the distance metric to use for vector searches" } }, { "redis": { - "type": "record", - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "removal_in_version": "4.0", - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" - }, - "translate_backwards": [ - "connect_timeout" - ], - "type": "integer" - } - }, - { - "sentinel_addresses": { - "len_min": 1, - "type": "array", - "deprecation": { - "removal_in_version": "4.0", - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" - }, - "elements": { - "type": "string" - } - } - }, - { - "cluster_addresses": { - "len_min": 1, - "type": "array", - "deprecation": { - "removal_in_version": "4.0", - "message": "cluster_addresses is deprecated, please use cluster_nodes instead" - }, - "elements": { - "type": "string" - } - } - } - ], + "required": true, "entity_checks": [ { "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_nodes" - ], - "set2": [ - "host", - "port" ] } }, { "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_nodes" - ], - "set2": [ - "cluster_nodes" ] } }, { "mutually_exclusive_sets": { - "set1": [ - "cluster_nodes" - ], "set2": [ "host", "port" + ], + 
"set1": [ + "cluster_nodes" ] } }, @@ -332,8 +428,48 @@ "send_timeout", "read_timeout" ] + }, + { + "conditional": { + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } } ], + "type": "record", "fields": [ { "host": { 
@@ -347,77 +483,77 @@ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "connect_timeout": { - "type": "integer", "between": [ 0, 2147483646 ], "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "type": "integer", "between": [ 0, 2147483646 ], "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "type": "integer", "between": [ 0, 2147483646 ], "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { - "type": "string", "referenceable": true, + "type": "string", "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." } }, { "password": { - "encrypted": true, "type": "string", "referenceable": true, + "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." } }, { "sentinel_username": { - "type": "string", "referenceable": true, + "type": "string", "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." } }, { "sentinel_password": { - "encrypted": true, "type": "string", "referenceable": true, + "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." 
} }, { "database": { - "type": "integer", "default": 0, + "type": "integer", "description": "Database to use for the Redis connection when using the `redis` strategy" } }, @@ -427,19 +563,19 @@ 1, 2147483646 ], - "type": "integer", "default": 256, + "type": "integer", "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." } }, { "keepalive_backlog": { - "type": "integer", "between": [ 0, 2147483646 ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" } }, { 
@@ -450,36 +586,36 @@ }, { "sentinel_role": { - "type": "string", "one_of": [ "master", "slave", "any" ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_nodes": { - "type": "array", + "required": false, "elements": { "fields": [ { "host": { - "type": "string", "required": true, "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { - "type": "integer", "between": [ 0, 65535 ], "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive." } } @@ -487,31 +623,31 @@ "type": "record" }, "len_min": 1, - "required": false, + "type": "array", "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { - "type": "array", + "required": false, "elements": { "fields": [ { "ip": { - "type": "string", "required": true, "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { - "type": "integer", "between": [ 0, 65535 ], "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive." } } 
@@ -519,43 +655,90 @@ "type": "record" }, "len_min": 1, - "required": false, + "type": "array", "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { "required": false, - "type": "boolean", "default": false, + "type": "boolean", "description": "If set to true, uses SSL to connect to Redis." } }, { "ssl_verify": { "required": false, - "type": "boolean", "default": false, + "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." } }, { "server_name": { - "type": "string", "required": false, + "type": "string", "description": "A string representing an SNI (server name indication) value for TLS." } }, { "cluster_max_redirections": { "required": false, - "type": "integer", "default": 5, - "description": "Maximum retry attempts for redirection." + "description": "Maximum retry attempts for redirection.", + "type": "integer" + } + }, + { + "connection_is_proxied": { + "required": false, + "default": false, + "type": "boolean", + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address." 
} } ], - "required": true + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "connect_timeout" + ], + "type": "integer" + } + }, + { + "sentinel_addresses": { + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } + }, + { + "cluster_addresses": { + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } + } + ] } } ], @@ -564,35 +747,33 @@ }, { "max_request_body_size": { - "type": "integer", "gt": 0, "default": 8192, + "type": "integer", "description": "max allowed body size allowed to be introspected" } }, { "model_name_header": { - "type": "boolean", "default": true, + "type": "boolean", "description": "Display the model name selected in the X-Kong-LLM-Model response header" } }, { "targets": { - "type": "array", "required": true, "elements": { - "type": "record", "fields": [ { "route_type": { "required": true, - "type": "string", "one_of": [ "llm/v1/chat", "llm/v1/completions", "preserve" ], + "type": "string", "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation." } }, 
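Review bot: The `ssl` description in this hunk ("If set to true, uses SSL to connect to Redis.") leaves out that certificate verification is a separate switch. `ssl_verify`, the next field, defaults to `false`, so turning on `ssl` alone encrypts the connection without authenticating the server that receives the Redis `password`. I would extend the text to `"If set to true, uses SSL to connect to Redis. The server certificate is verified only when ssl_verify is also true."`. The new `connection_is_proxied` description could likewise state whether `ssl`, `ssl_verify` and `server_name` then apply to the proxy hop, which the schema does not show. The Redis record starts before this hunk.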
@@ -603,114 +784,122 @@ { "header_name": { "required": false, - "type": "string", "referenceable": true, + "type": "string", "description": "If AI model requires authentication via Authorization or API key header, specify its name here." } }, { "header_value": { - "type": "string", - "referenceable": true, - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "required": false, - "encrypted": true + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." } }, { "param_name": { "required": false, - "type": "string", "referenceable": true, + "type": "string", "description": "If AI model requires authentication via query parameter, specify its name here." } }, { "param_value": { - "type": "string", - "referenceable": true, - "description": "Specify the full parameter value for 'param_name'.", "required": false, - "encrypted": true + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "Specify the full parameter value for 'param_name'." } }, { "param_location": { "required": false, - "type": "string", "one_of": [ "query", "body" ], + "type": "string", "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body." } }, { "azure_use_managed_identity": { "required": false, - "type": "boolean", "default": false, + "type": "boolean", "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models." } }, { "azure_client_id": { "required": false, - "type": "string", "referenceable": true, + "type": "string", "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID." 
} }, { "azure_client_secret": { - "type": "string", - "referenceable": true, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "required": false, - "encrypted": true + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." } }, { "azure_tenant_id": { "required": false, - "type": "string", "referenceable": true, + "type": "string", "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID." } }, { "gcp_use_service_account": { "required": false, - "type": "boolean", "default": false, + "type": "boolean", "description": "Use service account auth for GCP-based providers and models." } }, { "gcp_service_account_json": { - "type": "string", - "referenceable": true, - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "required": false, - "encrypted": true + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`." } }, { "aws_access_key_id": { - "type": "string", - "referenceable": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "required": false, - "encrypted": true + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance." } }, { "aws_secret_access_key": { - "type": "string", + "required": false, "referenceable": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string", + "encrypted": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance." + } + }, + { + "allow_override": { "required": false, - "encrypted": true + "default": false, + "type": "boolean", + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin." } } ], @@ -724,7 +913,6 @@ { "provider": { "required": true, - "type": "string", "one_of": [ "openai", "azure", 
@@ -735,127 +923,128 @@ "gemini", "bedrock" ], + "type": "string", "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats." } }, { "name": { - "type": "string", "required": false, + "type": "string", "description": "Model name to execute." } }, { "options": { "required": false, - "type": "record", + "description": "Key/value settings for the model", "fields": [ { "max_tokens": { "required": false, - "type": "integer", "default": 256, + "type": "integer", "description": "Defines the max_tokens, if using chat or completion models." } }, { "input_cost": { - "gt": 0, - "type": "number", "required": false, + "type": "number", + "gt": 0, "description": "Defines the cost per 1M tokens in your prompt." } }, { "output_cost": { - "gt": 0, - "type": "number", "required": false, + "type": "number", + "gt": 0, "description": "Defines the cost per 1M tokens in the output of the AI." } }, { "temperature": { + "required": false, + "type": "number", "between": [ 0, 5 ], - "type": "number", - "required": false, "description": "Defines the matching temperature, if using chat or completion models." } }, { "top_p": { + "required": false, + "type": "number", "between": [ 0, 1 ], - "type": "number", - "required": false, "description": "Defines the top-p probability mass, if supported." } }, { "top_k": { + "required": false, + "type": "integer", "between": [ 0, 500 ], - "type": "integer", - "required": false, "description": "Defines the top-k most likely tokens, if supported." } }, { "anthropic_version": { - "type": "string", "required": false, + "type": "string", "description": "Defines the schema/API version, if using Anthropic provider." } }, { "azure_instance": { - "type": "string", "required": false, + "type": "string", "description": "Instance name for Azure OpenAI hosted models." 
} }, { "azure_api_version": { "required": false, - "type": "string", "default": "2023-05-15", + "type": "string", "description": "'api-version' for Azure OpenAI instances." } }, { "azure_deployment_id": { - "type": "string", "required": false, + "type": "string", "description": "Deployment ID for Azure OpenAI instances." } }, { "llama2_format": { "required": false, - "type": "string", "one_of": [ "raw", "openai", "ollama" ], + "type": "string", "description": "If using llama2 provider, select the upstream message format." } }, { "mistral_format": { "required": false, - "type": "string", "one_of": [ "openai", "ollama" ], + "type": "string", "description": "If using mistral provider, select the upstream message format." } }, @@ -868,46 +1057,46 @@ }, { "upstream_path": { - "type": "string", "required": false, - "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type." + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "type": "string" } }, { "gemini": { - "entity_checks": [ - { - "mutually_required": [ - "api_endpoint", - "project_id", - "location_id" - ] - } - ], "required": false, "fields": [ { "api_endpoint": { - "type": "string", "required": false, + "type": "string", "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only)." } }, { "project_id": { - "type": "string", "required": false, + "type": "string", "description": "If running Gemini on Vertex, specify the project ID." } }, { "location_id": { - "type": "string", "required": false, + "type": "string", "description": "If running Gemini on Vertex, specify the location ID." } } ], + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], "type": "record" } }, 
@@ -917,9 +1106,9 @@ "fields": [ { "aws_region": { - "type": "string", "required": false, - "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option." + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" } } ], @@ -927,7 +1116,7 @@ } } ], - "description": "Key/value settings for the model" + "type": "record" } } ], @@ -940,15 +1129,15 @@ 1, 65535 ], - "type": "integer", "default": 100, + "type": "integer", "description": "The weight this target gets within the upstream loadbalancer (1-65535)." } }, { "description": { - "type": "string", "required": false, + "type": "string", "description": "The semantic description of the target, required if using semantic load balancing." } }, @@ -959,16 +1148,16 @@ { "log_statistics": { "required": true, - "type": "boolean", "default": false, + "type": "boolean", "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output." } }, { "log_payloads": { "required": true, - "type": "boolean", "default": false, + "type": "boolean", "description": "If enabled, will log the request and response body into the Kong log plugin(s) output." } } @@ -977,7 +1166,24 @@ } } ], + "required": true, "entity_checks": [ + { + "conditional": { + "if_field": "model.provider", + "if_match": { + "one_of": [ + "bedrock", + "gemini" + ] + }, + "then_field": "auth.allow_override", + "then_match": { + "eq": false + }, + "then_err": "bedrock and gemini only support auth.allow_override = false" + } + }, { "mutually_required": [ "auth.header_name", 
@@ -993,100 +1199,100 @@ }, { "conditional_at_least_one_of": { - "then_at_least_one_of": [ - "model.options.llama2_format" - ], "if_match": { "one_of": [ "llama2" ] }, "then_err": "must set %s for llama2 provider", - "if_field": "model.provider" + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ] } }, { "conditional_at_least_one_of": { - "then_at_least_one_of": [ - "model.options.mistral_format" - ], "if_match": { "one_of": [ "mistral" ] }, "then_err": "must set %s for mistral provider", - "if_field": "model.provider" + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ] } }, { "conditional_at_least_one_of": { - "then_at_least_one_of": [ - "model.options.anthropic_version" - ], "if_match": { "one_of": [ "anthropic" ] }, "then_err": "must set %s for anthropic provider", - "if_field": "model.provider" + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ] } }, { "conditional_at_least_one_of": { - "then_at_least_one_of": [ - "model.options.azure_instance" - ], "if_match": { "one_of": [ "azure" ] }, "then_err": "must set %s for azure provider", - "if_field": "model.provider" + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ] } }, { "conditional_at_least_one_of": { - "then_at_least_one_of": [ - "model.options.azure_api_version" - ], "if_match": { "one_of": [ "azure" ] }, "then_err": "must set %s for azure provider", - "if_field": "model.provider" + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ] } }, { "conditional_at_least_one_of": { - "then_at_least_one_of": [ - "model.options.azure_deployment_id" - ], "if_match": { "one_of": [ "azure" ] }, "then_err": "must set %s for azure provider", - "if_field": "model.provider" + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ] } }, { 
"conditional_at_least_one_of": { - "then_at_least_one_of": [ - "model.options.upstream_url" - ], "if_match": { "one_of": [ "llama2" ] }, "then_err": "must set %s for self-hosted providers/models", - "if_field": "model.provider" + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ] } }, { @@ -1098,29 +1304,15 @@ ] } } - ] - } + ], + "type": "record" + }, + "type": "array" } } ], - "required": true - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.targets" - ] - } - }, - { - "custom_entity_check": { - "field_sources": [ - "config.targets", - "config.balancer" - ] + "required": true, + "type": "record" } } ] diff --git a/schemas/ai-proxy/3.8.x.json b/schemas/ai-proxy/3.8.x.json index be44ee57..c8a3294d 100644 --- a/schemas/ai-proxy/3.8.x.json +++ b/schemas/ai-proxy/3.8.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,29 +15,14 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] - } - }, - { - "consumer": { - "reference": "consumers", - "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null - } - }, - { - "service": { - "reference": "services", - "type": "foreign", - "description": "A reference to the 'services' table with a null value allowed.", - "eq": null + ], + "description": "A set of strings representing HTTP protocols." } }, { 
@@ -44,119 +31,163 @@ { "route_type": { "required": true, - "type": "string", - "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", "one_of": [ "llm/v1/chat", "llm/v1/completions", "preserve" - ] + ], + "type": "string", + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation." } }, { "auth": { "required": false, - "type": "record", "fields": [ { "header_name": { "required": false, - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "referenceable": true, - "type": "string" + "type": "string", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here." } }, { "header_value": { - "encrypted": true, - "referenceable": true, "required": false, + "referenceable": true, "type": "string", + "encrypted": true, "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." } }, { "param_name": { "required": false, - "description": "If AI model requires authentication via query parameter, specify its name here.", "referenceable": true, - "type": "string" + "type": "string", + "description": "If AI model requires authentication via query parameter, specify its name here." } }, { "param_value": { - "encrypted": true, - "referenceable": true, "required": false, + "referenceable": true, "type": "string", + "encrypted": true, "description": "Specify the full parameter value for 'param_name'." 
} }, { "param_location": { "required": false, - "type": "string", - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "one_of": [ "query", "body" - ] + ], + "type": "string", + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body." } }, { "azure_use_managed_identity": { "required": false, + "default": false, "type": "boolean", - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", - "default": false + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models." } }, { "azure_client_id": { "required": false, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "referenceable": true, - "type": "string" + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID." } }, { "azure_client_secret": { - "encrypted": true, - "referenceable": true, "required": false, + "referenceable": true, "type": "string", + "encrypted": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." } }, { "azure_tenant_id": { "required": false, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "referenceable": true, - "type": "string" + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID." 
+ } + }, + { + "gcp_use_service_account": { + "required": false, + "default": false, + "type": "boolean", + "description": "Use service account auth for GCP-based providers and models." + } + }, + { + "gcp_service_account_json": { + "required": false, + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`." + } + }, + { + "aws_access_key_id": { + "required": false, + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance." + } + }, + { + "aws_secret_access_key": { + "required": false, + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance." + } + }, + { + "allow_override": { + "required": false, + "default": false, + "type": "boolean", + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin." 
} } - ] + ], + "type": "record" } }, { "model": { "required": true, - "type": "record", "fields": [ { "provider": { "required": true, - "type": "string", - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "one_of": [ "openai", "azure", "anthropic", "cohere", "mistral", - "llama2" - ] + "llama2", + "gemini", + "bedrock" + ], + "type": "string", + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats." } }, { 
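Review bot: The description added for `auth.allow_override` does not say which credential wins. The phrase "can be overridden in the request by the value configured in the plugin" can be read as the plugin's value replacing the caller's, or as the caller's value replacing the plugin's. The two readings have opposite trust implications, because one of them lets any client choose the credential that is sent upstream, so an operator cannot tell from this text whether enabling the flag is safe. I would reword it to state which of the two values is sent upstream when both are present, and what happens to a caller-supplied value when the flag is `false`. The enclosing `fields` array starts outside this hunk.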
@@ -169,61 +200,63 @@ { "options": { "required": false, - "type": "record", "description": "Key/value settings for the model", "fields": [ { - "response_streaming": { - "default": "allow", + "max_tokens": { "required": false, - "type": "string", - "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", - "one_of": [ - "allow", - "deny", - "always" - ] + "default": 256, + "type": "integer", + "description": "Defines the max_tokens, if using chat or completion models." } }, { - "max_tokens": { + "input_cost": { "required": false, - "type": "integer", - "description": "Defines the max_tokens, if using chat or completion models.", - "default": 256 + "type": "number", + "gt": 0, + "description": "Defines the cost per 1M tokens in your prompt." + } + }, + { + "output_cost": { + "required": false, + "type": "number", + "gt": 0, + "description": "Defines the cost per 1M tokens in the output of the AI." } }, { "temperature": { "required": false, "type": "number", - "description": "Defines the matching temperature, if using chat or completion models.", "between": [ 0, 5 - ] + ], + "description": "Defines the matching temperature, if using chat or completion models." } }, { "top_p": { "required": false, "type": "number", - "description": "Defines the top-p probability mass, if supported.", "between": [ 0, 1 - ] + ], + "description": "Defines the top-p probability mass, if supported." } }, { "top_k": { "required": false, "type": "integer", - "description": "Defines the top-k most likely tokens, if supported.", "between": [ 0, 500 - ] + ], + "description": "Defines the top-k most likely tokens, if supported." } }, { @@ -243,9 +276,9 @@ { "azure_api_version": { "required": false, + "default": "2023-05-15", "type": "string", - "description": "'api-version' for Azure OpenAI instances.", - "default": "2023-05-15" + "description": "'api-version' for Azure OpenAI instances." } }, { 
@@ -258,24 +291,24 @@ { "llama2_format": { "required": false, - "type": "string", - "description": "If using llama2 provider, select the upstream message format.", "one_of": [ "raw", "openai", "ollama" - ] + ], + "type": "string", + "description": "If using llama2 provider, select the upstream message format." } }, { "mistral_format": { "required": false, - "type": "string", - "description": "If using mistral provider, select the upstream message format.", "one_of": [ "openai", "ollama" - ] + ], + "type": "string", + "description": "If using mistral provider, select the upstream message format." } }, { 
@@ -291,70 +324,137 @@ "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", "type": "string" } + }, + { + "gemini": { + "required": false, + "fields": [ + { + "api_endpoint": { + "required": false, + "type": "string", + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only)." + } + }, + { + "project_id": { + "required": false, + "type": "string", + "description": "If running Gemini on Vertex, specify the project ID." + } + }, + { + "location_id": { + "required": false, + "type": "string", + "description": "If running Gemini on Vertex, specify the location ID." + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], + "type": "record" + } + }, + { + "bedrock": { + "required": false, + "fields": [ + { + "aws_region": { + "required": false, + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + } + ], + "type": "record" + } } - ] + ], + "type": "record" } } - ] + ], + "type": "record" } }, { "logging": { "required": true, - "type": "record", "fields": [ { "log_statistics": { "required": true, + "default": false, "type": "boolean", - "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", - "default": false + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output." } }, { "log_payloads": { "required": true, + "default": false, "type": "boolean", - "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", - "default": false + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output." 
} } - ] + ], + "type": "record" } - } - ], - "entity_checks": [ + }, { - "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "auth.header_name", - "auth.param_name" + "response_streaming": { + "required": false, + "type": "string", + "default": "allow", + "one_of": [ + "allow", + "deny", + "always" ], - "if_match": { - "one_of": [ - "openai", - "anthropic", - "cohere" - ] - }, - "then_err": "must set one of %s, and its respective options, when provider is not self-hosted" + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events." } }, { - "conditional_at_least_one_of": { + "max_request_body_size": { + "gt": 0, + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "type": "integer" + } + }, + { + "model_name_header": { + "default": true, + "description": "Display the model name selected in the X-Kong-LLM-Model response header", + "type": "boolean" + } + } + ], + "required": true, + "entity_checks": [ + { + "conditional": { "if_field": "model.provider", - "then_at_least_one_of": [ - "auth.header_name", - "auth.param_name", - "auth.azure_use_managed_identity" - ], "if_match": { "one_of": [ - "azure" + "bedrock", + "gemini" ] }, - "then_err": "must set one of %s, and its respective options, when azure provider is set" + "then_field": "auth.allow_override", + "then_match": { + "eq": false + }, + "then_err": "bedrock and gemini only support auth.allow_override = false" } }, { 
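Review bot: Nothing visible in the new schema requires a credential source for `openai`, `anthropic`, `cohere` or `azure`, because the `conditional_at_least_one_of` checks that listed `auth.header_name`, `auth.param_name` and `auth.azure_use_managed_identity` are removed near the end of this hunk. The only replacement is the `conditional` that pins `auth.allow_override` to `false` for `bedrock` and `gemini`. If the relaxation is intended (for example so callers can supply their own key), the `auth` field descriptions should say so; otherwise a configuration with an empty `auth` record now validates and presumably fails only at request time. A restored check would also need the new `auth.gcp_use_service_account` and `auth.aws_access_key_id` sources in its `then_at_least_one_of` list. The `entity_checks` array continues past the end of the hunk.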
@@ -372,101 +472,100 @@ }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.llama2_format" - ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for llama2 provider" + "then_err": "must set %s for llama2 provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.mistral_format" - ], "if_match": { "one_of": [ "mistral" ] }, - "then_err": "must set %s for mistral provider" + "then_err": "must set %s for mistral provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.anthropic_version" - ], "if_match": { "one_of": [ "anthropic" ] }, - "then_err": "must set %s for anthropic provider" + "then_err": "must set %s for anthropic provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_instance" - ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider" + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_api_version" - ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider" + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - 
"model.options.azure_deployment_id" - ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider" + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.upstream_url" - ], "if_match": { "one_of": [ - "mistral", "llama2" ] }, - "then_err": "must set %s for self-hosted providers/models" + "then_err": "must set %s for self-hosted providers/models", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ] } }, { @@ -479,12 +578,8 @@ } } ], - "type": "record", - "required": true + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/ai-rate-limiting-advanced/3.8.x.json b/schemas/ai-rate-limiting-advanced/3.8.x.json index ea346eed..9d8f08dd 100644 --- a/schemas/ai-rate-limiting-advanced/3.8.x.json +++ b/schemas/ai-rate-limiting-advanced/3.8.x.json @@ -1,8 +1,16 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,13 +21,14 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { @@ -27,10 +36,9 @@ "fields": [ { "identifier": { - "default": "consumer", "required": true, - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", "type": "string", + "default": "consumer", "one_of": [ "ip", "credential", 
@@ -39,44 +47,43 @@ "header", "path", "consumer-group" - ] + ], + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`." } }, { "window_type": { - "default": "sliding", - "type": "string", "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "default": "sliding", "one_of": [ "fixed", "sliding" - ] + ], + "type": "string" } }, { "sync_rate": { - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", - "type": "number" + "type": "number", + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." } }, { "llm_providers": { "required": true, + "description": "The provider config. Takes an array of `name`, `limit` and `window size` values.", "elements": { - "type": "record", "fields": [ { "window_size": { "required": true, - "type": "number", - "description": "The window size to apply a limit (defined in seconds)." 
+ "description": "The window size to apply a limit (defined in seconds).", + "type": "number" } }, { "name": { "required": true, - "type": "string", - "description": "The LLM provider to which the rate limit applies.", "one_of": [ "openai", "azure", 
@@ -84,56 +91,60 @@ "cohere", "mistral", "llama2", + "bedrock", + "gemini", "requestPrompt" - ] + ], + "description": "The LLM provider to which the rate limit applies.", + "type": "string" } }, { "limit": { "required": true, - "type": "number", - "description": "The limit applies to the LLM provider within the defined window size. It used the query cost from the tokens to increment the counter." + "description": "The limit applies to the LLM provider within the defined window size. It used the query cost from the tokens to increment the counter.", + "type": "number" } } - ] + ], + "type": "record" }, - "type": "array", - "description": "The provider config. Takes an array of `name`, `limit` and `window size` values." + "type": "array" } }, { "strategy": { - "default": "local", "required": true, - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "type": "string", + "default": "local", "one_of": [ "cluster", "redis", "local" - ] + ], + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`." } }, { "dictionary_name": { "required": true, - "type": "string", + "default": "kong_rate_limiting_counters", "description": "The shared dictionary where counters are stored. 
When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", - "default": "kong_rate_limiting_counters" + "type": "string" } }, { "hide_client_headers": { - "type": "boolean", + "default": false, "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", - "default": false + "type": "boolean" } }, { "retry_after_jitter_max": { - "type": "number", + "default": 0, "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", - "default": 0 + "type": "number" } }, { 
@@ -144,19 +155,118 @@ }, { "path": { + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "type": "string" } }, { "redis": { + "required": true, + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "then_field": "host", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + }, + "if_field": "connection_is_proxied" + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", "fields": [ { "host": { 
@@ -166,164 +276,200 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] - } - }, - { - "timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + ], "type": "integer", - "between": [ - 0, - 2147483646 - ] + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string" } }, { "password": { "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", - "encrypted": true, "referenceable": true, + "encrypted": true, "type": "string" } }, { "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", "type": "string" } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "encrypted": true, "referenceable": true, + "encrypted": true, "type": "string" } }, { "database": { - "type": "integer", + "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "default": 0 + "type": "integer" } }, { "keepalive_pool_size": { - "default": 256, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 - ] + ], + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low.", + "type": "integer" } }, { "keepalive_backlog": { - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." 
} }, { - "sentinel_addresses": { - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "sentinel_nodes": { + "required": false, "elements": { - "type": "string" + "fields": [ + { + "host": { + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + } + ], + "type": "record" }, "type": "array", - "len_min": 1 + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { - "cluster_addresses": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "cluster_nodes": { + "required": false, "elements": { - "type": "string" + "fields": [ + { + "ip": { + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + } + ], + "type": "record" }, "type": "array", - "len_min": 1 + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." 
} }, { "ssl": { "required": false, + "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "ssl_verify": { "required": false, + "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean", - "default": false + "type": "boolean" } }, { 
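Review bot: `ssl` and `ssl_verify` both keep `"default": false` in the same `redis` record that carries `password` and `sentinel_password`. An instance that sets only host, port and password therefore connects without TLS, and one that sets only `ssl` does not check the server certificate. The defaults are probably fixed for compatibility, so the practical change is in the text: extend the `ssl` description with something like `Enable together with ssl_verify; with ssl_verify false the server certificate is not checked.` Separately, the new `cluster_nodes` element field is named `ip` but reuses the description `A string representing a host name, such as example.com.`, which should state whether a hostname is accepted there. The `redis` record itself starts before this hunk.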
@@ -332,131 +478,119 @@ "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string" } - } - ], - "entity_checks": [ + }, { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] + "cluster_max_redirections": { + "required": false, + "default": 5, + "type": "integer", + "description": "Maximum retry attempts for redirection." } }, { - "mutually_exclusive_sets": { - "set2": [ - "cluster_addresses" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] + "connection_is_proxied": { + "required": false, + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" } - }, + } + ], + "shorthand_fields": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "connect_timeout" ], - "set1": [ - "cluster_addresses" - ] + "type": "integer" } }, { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] + "sentinel_addresses": { + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } }, { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] + "cluster_addresses": { + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } } - ], - "type": 
"record", - "required": true + ] } }, { "disable_penalty": { - "type": "boolean", + "default": false, "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type and the request prompt provider.", - "default": false + "type": "boolean" } }, { "request_prompt_count_function": { "required": false, - "type": "string", - "description": "If defined, it use custom function to count requests for the request prompt provider" + "description": "If defined, it use custom function to count requests for the request prompt provider", + "type": "string" } }, { "error_code": { + "gt": 0, "default": 429, - "type": "number", "description": "Set a custom error code to return when the rate limit is exceeded.", - "gt": 0 + "type": "number" } }, { "error_message": { - "type": "string", + "default": "API rate limit exceeded for provider(s): ", "description": "Set a custom error message to return when the rate limit is exceeded.", - "default": "API rate limit exceeded for provider(s): " + "type": "string" } }, { "error_hide_providers": { - "type": "boolean", + "default": false, "description": "Optionally hide informative response that would otherwise provide information about the provider in the error message.", - "default": false + "type": "boolean" } }, { "tokens_count_strategy": { - "default": "total_tokens", "required": true, - "description": "What tokens to use for cost calculation. Available values are: `total_tokens` `prompt_tokens`, and `completion_tokens`.", "type": "string", + "default": "total_tokens", "one_of": [ "total_tokens", "prompt_tokens", - "completion_tokens" - ] + "completion_tokens", + "cost" + ], + "description": "What tokens to use for cost calculation. Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` or `cost`." 
} } ], - "type": "record", - "required": true - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] + "required": true, + "type": "record" } } ] diff --git a/schemas/ai-request-transformer/3.8.x.json b/schemas/ai-request-transformer/3.8.x.json index f57f678f..029d7e40 100644 --- a/schemas/ai-request-transformer/3.8.x.json +++ b/schemas/ai-request-transformer/3.8.x.json @@ -1,8 +1,36 @@ { + "entity_checks": [ + { + "conditional": { + "then_match": { + "eq": "llm/v1/chat" + }, + "then_field": "config.llm.route_type", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "if_field": "config.llm.route_type", + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins" + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,21 +41,22 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
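Review bot: In the `@@ -332,131 +478,119 @@` hunk, all six `entity_checks` on the redis record are deleted (three `mutually_exclusive_sets` and three `mutually_required` groups), and no replacement naming `sentinel_nodes` or `cluster_nodes` is visible. Other files in this patch move `entity_checks` ahead of `fields`, so they may have been relocated above the hunk; the record starts outside it, so this needs confirming. If they were not relocated, the published schema no longer rejects a config that mixes `host`/`port`, Sentinel and Cluster settings, and which Redis backend holds the rate-limit counters becomes ambiguous. In that case, restore the checks with the new field names, e.g. `{ "mutually_exclusive_sets": { "set1": ["sentinel_master", "sentinel_role", "sentinel_nodes"], "set2": ["cluster_nodes"] } }`.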
@@ -50,17 +79,25 @@ { "http_timeout": { "required": true, + "default": 60000, "description": "Timeout in milliseconds for the AI upstream service.", - "type": "integer", - "default": 60000 + "type": "integer" } }, { "https_verify": { "required": true, + "default": true, "description": "Verify the TLS certificate of the AI upstream service.", - "type": "boolean", - "default": true + "type": "boolean" + } + }, + { + "max_request_body_size": { + "gt": 0, + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "type": "integer" } }, { @@ -71,12 +108,12 @@ }, { "http_proxy_port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { @@ -87,12 +124,12 @@ }, { "https_proxy_port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { 
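Review bot: The new `max_request_body_size` field in the `@@ -50,17 +79,25 @@` hunk gives no unit and does not say what happens to a body above the limit; its description, "max allowed body size allowed to be introspected", also repeats "allowed". Because this cap decides how much of a request the plugin inspects, the source schema should state both, e.g. `"description": "Maximum request body size, in bytes, that the plugin reads for introspection."` (bytes is presumed from the 8192 default and needs confirming), and say whether an oversized request is rejected or forwarded uninspected. The field has `"gt": 0` but no upper bound, so an arbitrarily large value validates. The same field and text are added in `schemas/ai-response-transformer/3.8.x.json`.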
@@ -101,317 +138,402 @@ { "route_type": { "required": true, - "type": "string", - "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", "one_of": [ "llm/v1/chat", "llm/v1/completions", "preserve" - ] + ], + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "type": "string" } }, { "auth": { "required": false, - "type": "record", "fields": [ { "header_name": { "required": false, - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "referenceable": true, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "type": "string" } }, { "header_value": { - "encrypted": true, - "referenceable": true, "required": false, + "referenceable": true, "type": "string", + "encrypted": true, "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." } }, { "param_name": { "required": false, - "description": "If AI model requires authentication via query parameter, specify its name here.", "referenceable": true, + "description": "If AI model requires authentication via query parameter, specify its name here.", "type": "string" } }, { "param_value": { - "encrypted": true, - "referenceable": true, "required": false, + "referenceable": true, "type": "string", + "encrypted": true, "description": "Specify the full parameter value for 'param_name'." 
} }, { "param_location": { "required": false, - "type": "string", - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "one_of": [ "query", "body" - ] + ], + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string" } }, { "azure_use_managed_identity": { "required": false, - "type": "boolean", + "default": false, "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", - "default": false + "type": "boolean" } }, { "azure_client_id": { "required": false, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "type": "string" } }, { "azure_client_secret": { - "encrypted": true, - "referenceable": true, "required": false, + "referenceable": true, "type": "string", + "encrypted": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." 
} }, { "azure_tenant_id": { "required": false, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "type": "string" } + }, + { + "gcp_use_service_account": { + "required": false, + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + } + }, + { + "gcp_service_account_json": { + "required": false, + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`." + } + }, + { + "aws_access_key_id": { + "required": false, + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance." + } + }, + { + "aws_secret_access_key": { + "required": false, + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance." 
+ } + }, + { + "allow_override": { + "required": false, + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + } } - ] + ], + "type": "record" } }, { "model": { "required": true, - "type": "record", "fields": [ { "provider": { "required": true, - "type": "string", - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "one_of": [ "openai", "azure", "anthropic", "cohere", "mistral", - "llama2" - ] + "llama2", + "gemini", + "bedrock" + ], + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "type": "string" } }, { "name": { "required": false, - "type": "string", - "description": "Model name to execute." + "description": "Model name to execute.", + "type": "string" } }, { "options": { "required": false, "type": "record", - "description": "Key/value settings for the model", "fields": [ { - "response_streaming": { - "default": "allow", + "max_tokens": { "required": false, - "type": "string", - "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", - "one_of": [ - "allow", - "deny", - "always" - ] + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" } }, { - "max_tokens": { + "input_cost": { "required": false, - "type": "integer", - "description": "Defines the max_tokens, if using chat or completion models.", - "default": 256 + "description": "Defines the cost per 1M tokens in your prompt.", + "gt": 0, + "type": "number" + } + }, + { + "output_cost": { + "required": false, + "description": "Defines the cost per 1M tokens in the output of the AI.", + "gt": 0, + "type": "number" } }, { "temperature": { "required": false, - "type": "number", "description": "Defines 
the matching temperature, if using chat or completion models.", "between": [ 0, 5 - ] + ], + "type": "number" } }, { "top_p": { "required": false, - "type": "number", "description": "Defines the top-p probability mass, if supported.", "between": [ 0, 1 - ] + ], + "type": "number" } }, { "top_k": { "required": false, - "type": "integer", "description": "Defines the top-k most likely tokens, if supported.", "between": [ 0, 500 - ] + ], + "type": "integer" } }, { "anthropic_version": { "required": false, - "type": "string", - "description": "Defines the schema/API version, if using Anthropic provider." + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string" } }, { "azure_instance": { "required": false, - "type": "string", - "description": "Instance name for Azure OpenAI hosted models." + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" } }, { "azure_api_version": { "required": false, - "type": "string", + "default": "2023-05-15", "description": "'api-version' for Azure OpenAI instances.", - "default": "2023-05-15" + "type": "string" } }, { "azure_deployment_id": { "required": false, - "type": "string", - "description": "Deployment ID for Azure OpenAI instances." 
+ "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" } }, { "llama2_format": { "required": false, - "type": "string", - "description": "If using llama2 provider, select the upstream message format.", "one_of": [ "raw", "openai", "ollama" - ] + ], + "description": "If using llama2 provider, select the upstream message format.", + "type": "string" } }, { "mistral_format": { "required": false, - "type": "string", - "description": "If using mistral provider, select the upstream message format.", "one_of": [ "openai", "ollama" - ] + ], + "description": "If using mistral provider, select the upstream message format.", + "type": "string" } }, { "upstream_url": { "required": false, - "type": "string", - "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint." + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" } }, { "upstream_path": { "required": false, - "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", - "type": "string" + "type": "string", + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type." 
+ } + }, + { + "gemini": { + "required": false, + "fields": [ + { + "api_endpoint": { + "required": false, + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + } + }, + { + "project_id": { + "required": false, + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + { + "location_id": { + "required": false, + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], + "type": "record" + } + }, + { + "bedrock": { + "required": false, + "fields": [ + { + "aws_region": { + "required": false, + "type": "string", + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option." + } + } + ], + "type": "record" } } - ] + ], + "description": "Key/value settings for the model" } } - ] + ], + "type": "record" } }, { "logging": { "required": true, - "type": "record", "fields": [ { "log_statistics": { "required": true, - "type": "boolean", + "default": false, "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", - "default": false + "type": "boolean" } }, { "log_payloads": { "required": true, - "type": "boolean", + "default": false, "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", - "default": false + "type": "boolean" } } - ] + ], + "type": "record" } } ], + "required": true, "entity_checks": [ { - "conditional_at_least_one_of": { + "conditional": { "if_field": "model.provider", - "then_at_least_one_of": [ - "auth.header_name", - "auth.param_name" - ], "if_match": { "one_of": [ - "openai", - "anthropic", - "cohere" + "bedrock", + "gemini" ] }, - "then_err": "must set one of %s, and its respective options, when 
provider is not self-hosted" - } - }, - { - "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "auth.header_name", - "auth.param_name", - "auth.azure_use_managed_identity" - ], - "if_match": { - "one_of": [ - "azure" - ] + "then_field": "auth.allow_override", + "then_match": { + "eq": false }, - "then_err": "must set one of %s, and its respective options, when azure provider is set" + "then_err": "bedrock and gemini only support auth.allow_override = false" } }, { 
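Review bot: The `allow_override` description added under `auth` in the `@@ -101,317 +138,402 @@` hunk does not say which side wins. "can be overridden in the request by the value configured in the plugin" reads as if the plugin value replaces the request's, while the field name and the new `bedrock`/`gemini` check ("only support auth.allow_override = false") suggest the opposite: a client-supplied header or parameter replaces the configured credential. Enabling it would then let callers choose the credential sent upstream, so the text should state the direction explicitly, e.g. `"description": "If enabled, an authorization header or parameter sent by the client takes precedence over the value configured in the plugin."`; confirm against the plugin's behaviour before changing the source schema. The same text is added in `schemas/ai-response-transformer/3.8.x.json`, and the enclosing `llm` record starts before this hunk.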
@@ -429,100 +551,99 @@ }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.llama2_format" - ], "if_match": { "one_of": [ "llama2" ] }, + "then_at_least_one_of": [ + "model.options.llama2_format" + ], + "if_field": "model.provider", "then_err": "must set %s for llama2 provider" } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.mistral_format" - ], "if_match": { "one_of": [ "mistral" ] }, + "then_at_least_one_of": [ + "model.options.mistral_format" + ], + "if_field": "model.provider", "then_err": "must set %s for mistral provider" } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.anthropic_version" - ], "if_match": { "one_of": [ "anthropic" ] }, + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], + "if_field": "model.provider", "then_err": "must set %s for anthropic provider" } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_instance" - ], "if_match": { "one_of": [ "azure" ] }, + "then_at_least_one_of": [ + "model.options.azure_instance" + ], + "if_field": "model.provider", "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_api_version" - ], "if_match": { "one_of": [ "azure" ] }, + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], + "if_field": "model.provider", "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_deployment_id" - ], "if_match": { "one_of": [ "azure" ] }, + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ], + "if_field": "model.provider", "then_err": "must set %s for azure provider" } }, { 
"conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.upstream_url" - ], "if_match": { "one_of": [ - "mistral", "llama2" ] }, + "then_at_least_one_of": [ + "model.options.upstream_url" + ], + "if_field": "model.provider", "then_err": "must set %s for self-hosted providers/models" } }, @@ -536,43 +657,13 @@ } } ], - "type": "record", - "required": true + "type": "record" } } ], - "type": "record", - "required": true - } - } - ], - "entity_checks": [ - { - "conditional": { - "if_field": "config.llm.route_type", - "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", - "if_match": { - "not_one_of": [ - "llm/v1/chat" - ] - }, - "then_field": "config.llm.route_type", - "then_match": { - "eq": "llm/v1/chat" - } + "required": true, + "type": "record" } - }, - { - "mutually_required": [ - "config.http_proxy_host", - "config.http_proxy_port" - ] - }, - { - "mutually_required": [ - "config.https_proxy_host", - "config.https_proxy_port" - ] } ] } \ No newline at end of file diff --git a/schemas/ai-response-transformer/3.8.x.json b/schemas/ai-response-transformer/3.8.x.json index 488710ce..671f26c1 100644 --- a/schemas/ai-response-transformer/3.8.x.json +++ b/schemas/ai-response-transformer/3.8.x.json @@ -1,8 +1,36 @@ { + "entity_checks": [ + { + "conditional": { + "then_match": { + "eq": "llm/v1/chat" + }, + "then_field": "config.llm.route_type", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "if_field": "config.llm.route_type", + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins" + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", 
@@ -13,21 +41,14 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] - } - }, - { - "consumer": { - "reference": "consumers", - "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + ], + "description": "A set of strings representing HTTP protocols." } }, { @@ -50,25 +71,33 @@ { "parse_llm_response_json_instructions": { "required": true, + "default": false, "type": "boolean", - "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions.", - "default": false + "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions." } }, { "http_timeout": { "required": true, - "description": "Timeout in milliseconds for the AI upstream service.", + "default": 60000, "type": "integer", - "default": 60000 + "description": "Timeout in milliseconds for the AI upstream service." } }, { "https_verify": { "required": true, - "description": "Verify the TLS certificate of the AI upstream service.", + "default": true, "type": "boolean", - "default": true + "description": "Verify the TLS certificate of the AI upstream service." + } + }, + { + "max_request_body_size": { + "gt": 0, + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "type": "integer" } }, { 
@@ -79,12 +108,12 @@ }, { "http_proxy_port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { @@ -95,12 +124,12 @@ }, { "https_proxy_port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { 
@@ -109,317 +138,402 @@ { "route_type": { "required": true, - "type": "string", - "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", "one_of": [ "llm/v1/chat", "llm/v1/completions", "preserve" - ] + ], + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "type": "string" } }, { "auth": { "required": false, - "type": "record", "fields": [ { "header_name": { "required": false, - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "referenceable": true, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "type": "string" } }, { "header_value": { - "encrypted": true, - "referenceable": true, "required": false, + "referenceable": true, "type": "string", + "encrypted": true, "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." } }, { "param_name": { "required": false, - "description": "If AI model requires authentication via query parameter, specify its name here.", "referenceable": true, + "description": "If AI model requires authentication via query parameter, specify its name here.", "type": "string" } }, { "param_value": { - "encrypted": true, - "referenceable": true, "required": false, + "referenceable": true, "type": "string", + "encrypted": true, "description": "Specify the full parameter value for 'param_name'." 
} }, { "param_location": { "required": false, - "type": "string", - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "one_of": [ "query", "body" - ] + ], + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string" } }, { "azure_use_managed_identity": { "required": false, - "type": "boolean", + "default": false, "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", - "default": false + "type": "boolean" } }, { "azure_client_id": { "required": false, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "type": "string" } }, { "azure_client_secret": { - "encrypted": true, - "referenceable": true, "required": false, + "referenceable": true, "type": "string", + "encrypted": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." 
} }, { "azure_tenant_id": { "required": false, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "type": "string" } + }, + { + "gcp_use_service_account": { + "required": false, + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + } + }, + { + "gcp_service_account_json": { + "required": false, + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`." + } + }, + { + "aws_access_key_id": { + "required": false, + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance." + } + }, + { + "aws_secret_access_key": { + "required": false, + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance." 
+ } + }, + { + "allow_override": { + "required": false, + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + } } - ] + ], + "type": "record" } }, { "model": { "required": true, - "type": "record", "fields": [ { "provider": { "required": true, - "type": "string", - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "one_of": [ "openai", "azure", "anthropic", "cohere", "mistral", - "llama2" - ] + "llama2", + "gemini", + "bedrock" + ], + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "type": "string" } }, { "name": { "required": false, - "type": "string", - "description": "Model name to execute." + "description": "Model name to execute.", + "type": "string" } }, { "options": { "required": false, "type": "record", - "description": "Key/value settings for the model", "fields": [ { - "response_streaming": { - "default": "allow", + "max_tokens": { "required": false, - "type": "string", - "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", - "one_of": [ - "allow", - "deny", - "always" - ] + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" } }, { - "max_tokens": { + "input_cost": { "required": false, - "type": "integer", - "description": "Defines the max_tokens, if using chat or completion models.", - "default": 256 + "description": "Defines the cost per 1M tokens in your prompt.", + "gt": 0, + "type": "number" + } + }, + { + "output_cost": { + "required": false, + "description": "Defines the cost per 1M tokens in the output of the AI.", + "gt": 0, + "type": "number" } }, { "temperature": { "required": false, - "type": "number", "description": "Defines 
the matching temperature, if using chat or completion models.", "between": [ 0, 5 - ] + ], + "type": "number" } }, { "top_p": { "required": false, - "type": "number", "description": "Defines the top-p probability mass, if supported.", "between": [ 0, 1 - ] + ], + "type": "number" } }, { "top_k": { "required": false, - "type": "integer", "description": "Defines the top-k most likely tokens, if supported.", "between": [ 0, 500 - ] + ], + "type": "integer" } }, { "anthropic_version": { "required": false, - "type": "string", - "description": "Defines the schema/API version, if using Anthropic provider." + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string" } }, { "azure_instance": { "required": false, - "type": "string", - "description": "Instance name for Azure OpenAI hosted models." + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" } }, { "azure_api_version": { "required": false, - "type": "string", + "default": "2023-05-15", "description": "'api-version' for Azure OpenAI instances.", - "default": "2023-05-15" + "type": "string" } }, { "azure_deployment_id": { "required": false, - "type": "string", - "description": "Deployment ID for Azure OpenAI instances." 
+ "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" } }, { "llama2_format": { "required": false, - "type": "string", - "description": "If using llama2 provider, select the upstream message format.", "one_of": [ "raw", "openai", "ollama" - ] + ], + "description": "If using llama2 provider, select the upstream message format.", + "type": "string" } }, { "mistral_format": { "required": false, - "type": "string", - "description": "If using mistral provider, select the upstream message format.", "one_of": [ "openai", "ollama" - ] + ], + "description": "If using mistral provider, select the upstream message format.", + "type": "string" } }, { "upstream_url": { "required": false, - "type": "string", - "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint." + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" } }, { "upstream_path": { "required": false, - "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", - "type": "string" + "type": "string", + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type." 
+ } + }, + { + "gemini": { + "required": false, + "fields": [ + { + "api_endpoint": { + "required": false, + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + } + }, + { + "project_id": { + "required": false, + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + { + "location_id": { + "required": false, + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], + "type": "record" + } + }, + { + "bedrock": { + "required": false, + "fields": [ + { + "aws_region": { + "required": false, + "type": "string", + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option." + } + } + ], + "type": "record" } } - ] + ], + "description": "Key/value settings for the model" } } - ] + ], + "type": "record" } }, { "logging": { "required": true, - "type": "record", "fields": [ { "log_statistics": { "required": true, - "type": "boolean", + "default": false, "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", - "default": false + "type": "boolean" } }, { "log_payloads": { "required": true, - "type": "boolean", + "default": false, "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", - "default": false + "type": "boolean" } } - ] + ], + "type": "record" } } ], + "required": true, "entity_checks": [ { - "conditional_at_least_one_of": { + "conditional": { "if_field": "model.provider", - "then_at_least_one_of": [ - "auth.header_name", - "auth.param_name" - ], "if_match": { "one_of": [ - "openai", - "anthropic", - "cohere" + "bedrock", + "gemini" ] }, - "then_err": "must set one of %s, and its respective options, when 
provider is not self-hosted" - } - }, - { - "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "auth.header_name", - "auth.param_name", - "auth.azure_use_managed_identity" - ], - "if_match": { - "one_of": [ - "azure" - ] + "then_field": "auth.allow_override", + "then_match": { + "eq": false }, - "then_err": "must set one of %s, and its respective options, when azure provider is set" + "then_err": "bedrock and gemini only support auth.allow_override = false" } }, { 
@@ -437,100 +551,99 @@ }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.llama2_format" - ], "if_match": { "one_of": [ "llama2" ] }, + "then_at_least_one_of": [ + "model.options.llama2_format" + ], + "if_field": "model.provider", "then_err": "must set %s for llama2 provider" } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.mistral_format" - ], "if_match": { "one_of": [ "mistral" ] }, + "then_at_least_one_of": [ + "model.options.mistral_format" + ], + "if_field": "model.provider", "then_err": "must set %s for mistral provider" } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.anthropic_version" - ], "if_match": { "one_of": [ "anthropic" ] }, + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], + "if_field": "model.provider", "then_err": "must set %s for anthropic provider" } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_instance" - ], "if_match": { "one_of": [ "azure" ] }, + "then_at_least_one_of": [ + "model.options.azure_instance" + ], + "if_field": "model.provider", "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_api_version" - ], "if_match": { "one_of": [ "azure" ] }, + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], + "if_field": "model.provider", "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_deployment_id" - ], "if_match": { "one_of": [ "azure" ] }, + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ], + "if_field": "model.provider", "then_err": "must set %s for azure provider" } }, { 
"conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.upstream_url" - ], "if_match": { "one_of": [ - "mistral", "llama2" ] }, + "then_at_least_one_of": [ + "model.options.upstream_url" + ], + "if_field": "model.provider", "then_err": "must set %s for self-hosted providers/models" } }, @@ -544,43 +657,13 @@ } } ], - "type": "record", - "required": true + "type": "record" } } ], - "type": "record", - "required": true - } - } - ], - "entity_checks": [ - { - "conditional": { - "if_field": "config.llm.route_type", - "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", - "if_match": { - "not_one_of": [ - "llm/v1/chat" - ] - }, - "then_field": "config.llm.route_type", - "then_match": { - "eq": "llm/v1/chat" - } + "required": true, + "type": "record" } - }, - { - "mutually_required": [ - "config.http_proxy_host", - "config.http_proxy_port" - ] - }, - { - "mutually_required": [ - "config.https_proxy_host", - "config.https_proxy_port" - ] } ] } \ No newline at end of file diff --git a/schemas/ai-semantic-cache/3.8.x.json b/schemas/ai-semantic-cache/3.8.x.json index e1a4b634..e7824407 100644 --- a/schemas/ai-semantic-cache/3.8.x.json +++ b/schemas/ai-semantic-cache/3.8.x.json @@ -1,16 +1,19 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", "default": [ 
@@ -24,78 +27,69 @@ }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", + "reference": "consumer_groups", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "fields": [ { "message_countback": { "between": [ 1, - 10 + 1000 ], - "type": "number", "default": 1, + "type": "number", "description": "Number of messages in the chat history to Vectorize/Cache" } }, { "ignore_system_prompts": { - "type": "boolean", "default": false, + "type": "boolean", "description": "Ignore and discard any system prompts when Vectorizing the request" } }, { "ignore_assistant_prompts": { - "type": "boolean", "default": false, + "type": "boolean", "description": "Ignore and discard any assistant prompts when Vectorizing the request" } }, { "stop_on_failure": { "required": true, - "type": "boolean", "default": false, + "type": "boolean", "description": "Halt the LLM request process in case of a caching system failure" } }, - { - "storage_ttl": { - "gt": 0, - "type": "integer", - "default": 300, - "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." - } - }, { "cache_ttl": { "gt": 0, - "type": "integer", "default": 300, + "type": "integer", "description": "TTL in seconds of cache entities. Must be a value greater than 0." } }, { "cache_control": { "required": true, - "type": "boolean", "default": false, + "type": "boolean", "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234." } }, { "exact_caching": { "required": true, - "type": "boolean", "default": false, + "type": "boolean", "description": "When enabled, a first check for exact query will be done. It will impact DB size" } }, 
@@ -108,21 +102,124 @@ "required": false, "fields": [ { - "password": { + "header_name": { + "required": false, + "referenceable": true, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + } + }, + { + "header_value": { + "required": false, + "referenceable": true, "type": "string", + "encrypted": true, + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." + } + }, + { + "param_name": { + "required": false, "referenceable": true, - "description": "authentication password", + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + } + }, + { + "param_value": { + "required": false, + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "Specify the full parameter value for 'param_name'." + } + }, + { + "param_location": { + "required": false, + "one_of": [ + "query", + "body" + ], + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string" + } + }, + { + "azure_use_managed_identity": { + "required": false, + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + } + }, + { + "azure_client_id": { + "required": false, + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + } + }, + { + "azure_client_secret": { + "required": false, + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." 
+ } + }, + { + "azure_tenant_id": { + "required": false, + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + } + }, + { + "gcp_use_service_account": { + "required": false, + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + } + }, + { + "gcp_service_account_json": { "required": false, - "encrypted": true + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`." } }, { - "token": { + "aws_access_key_id": { + "required": false, + "referenceable": true, "type": "string", + "encrypted": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance." + } + }, + { + "aws_secret_access_key": { + "required": false, "referenceable": true, - "description": "authentication token", + "type": "string", + "encrypted": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance." + } + }, + { + "allow_override": { "required": false, - "encrypted": true + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" } } ], 
@@ -130,33 +227,50 @@ } }, { - "provider": { - "required": true, - "type": "string", - "one_of": [ - "mistralai", - "openai" - ], - "description": "which provider to use for embeddings" - } - }, - { - "name": { + "model": { "required": true, - "type": "string", - "one_of": [ - "text-embedding-3-large", - "text-embedding-3-small", - "mistral-embed" + "fields": [ + { + "provider": { + "required": true, + "one_of": [ + "openai", + "mistral" + ], + "description": "AI provider format to use for embeddings API", + "type": "string" + } + }, + { + "name": { + "required": true, + "one_of": [ + "text-embedding-3-large", + "text-embedding-3-small", + "mistral-embed" + ], + "description": "Model name to execute.", + "type": "string" + } + }, + { + "options": { + "required": false, + "type": "record", + "fields": [ + { + "upstream_url": { + "required": false, + "description": "upstream url for the embeddings", + "type": "string" + } + } + ], + "description": "Key/value settings for the model" + } + } ], - "description": "which AI model to use for generating embeddings" - } - }, - { - "upstream_url": { - "required": false, - "type": "string", - "description": "upstream url for the embeddings" + "type": "record" } } ], 
@@ -170,78 +284,135 @@ { "strategy": { "required": true, - "type": "string", "one_of": [ "redis" ], - "description": "which vector database driver to use" + "description": "which vector database driver to use", + "type": "string" } }, { "dimensions": { "required": true, - "type": "integer", - "description": "the desired dimensionality for the vectors" + "description": "the desired dimensionality for the vectors", + "type": "integer" } }, { "threshold": { "required": true, - "type": "number", - "description": "the default similarity threshold for accepting semantic search results (float)" + "description": "the default similarity threshold for accepting semantic search results (float)", + "type": "number" } }, { "distance_metric": { "required": true, - "type": "string", "one_of": [ "cosine", "euclidean" ], - "description": "the distance metric to use for vector searches" + "description": "the distance metric to use for vector searches", + "type": "string" } }, { "redis": { "required": true, - "shorthand_fields": [ + "entity_checks": [ { - "timeout": { - "deprecation": { - "removal_in_version": "4.0", - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" - }, - "translate_backwards": [ - "connect_timeout" + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" ], - "type": "integer" + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] } }, { - "sentinel_addresses": { - "len_min": 1, - "type": "array", - "deprecation": { - "removal_in_version": "4.0", - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" - }, - "elements": { - "type": "string" - } + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] } }, { - "cluster_addresses": { - "len_min": 1, - "type": "array", - "deprecation": { - "removal_in_version": "4.0", - "message": "cluster_addresses is deprecated, 
please use cluster_nodes instead" + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "then_field": "host", + "if_match": { + "eq": true }, - "elements": { - "type": "string" - } + "then_match": { + "required": true + }, + "if_field": "connection_is_proxied" + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] } } ], 
@@ -249,88 +420,88 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "type": "integer", "between": [ 0, 65535 ], + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "type": "integer", "between": [ 0, 2147483646 ], "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "type": "integer", "between": [ 0, 2147483646 ], "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "read_timeout": { - "type": "integer", "between": [ 0, 2147483646 ], "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "username": { - "type": "string", "referenceable": true, - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" } }, { "password": { "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", - "type": "string", "referenceable": true, - "encrypted": true + "encrypted": true, + "type": "string" } }, { "sentinel_username": { - "type": "string", "referenceable": true, - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "type": "string", "referenceable": true, - "encrypted": true + "encrypted": true, + "type": "string" } }, { "database": { - "type": "integer", "default": 0, - "description": "Database to use for the Redis connection when using the `redis` strategy" + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" } }, { 
@@ -339,9 +510,9 @@ 1, 2147483646 ], - "type": "integer", "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer" } }, { 
@@ -362,167 +533,157 @@ }, { "sentinel_role": { - "type": "string", "one_of": [ "master", "slave", "any" ], + "type": "string", "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." } }, { "sentinel_nodes": { - "type": "array", + "required": false, "elements": { "fields": [ { "host": { - "type": "string", "required": true, "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { - "type": "integer", "between": [ 0, 65535 ], "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } } ], "type": "record" }, + "type": "array", "len_min": 1, - "required": false, "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { - "type": "array", + "required": false, "elements": { "fields": [ { "ip": { - "type": "string", "required": true, "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { - "type": "integer", "between": [ 0, 65535 ], "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } } ], "type": "record" }, + "type": "array", "len_min": 1, - "required": false, "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { "required": false, - "type": "boolean", "default": false, - "description": "If set to true, uses SSL to connect to Redis." + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" } }, { "ssl_verify": { "required": false, - "type": "boolean", "default": false, - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" } }, { "server_name": { "required": false, - "type": "string", - "description": "A string representing an SNI (server name indication) value for TLS." + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" } }, { "cluster_max_redirections": { "required": false, - "type": "integer", "default": 5, + "type": "integer", "description": "Maximum retry attempts for redirection." } + }, + { + "connection_is_proxied": { + "required": false, + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + } } ], - "entity_checks": [ + "shorthand_fields": [ { - "mutually_exclusive_sets": { - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "connect_timeout" ], - "set2": [ - "host", - "port" - ] + "type": "integer" } }, { - "mutually_exclusive_sets": { - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ], - "set2": [ - "cluster_nodes" - ] + "sentinel_addresses": { + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 } }, { - "mutually_exclusive_sets": { - "set1": [ - "cluster_nodes" - ], - "set2": [ - "host", - "port" - ] + "cluster_addresses": { + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] } ] } @@ -532,11 +693,9 @@ } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/ai-semantic-prompt-guard/3.8.x.json b/schemas/ai-semantic-prompt-guard/3.8.x.json index 9f44a3f6..644c2f6b 100644 --- a/schemas/ai-semantic-prompt-guard/3.8.x.json +++ b/schemas/ai-semantic-prompt-guard/3.8.x.json 
@@ -1,16 +1,24 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.rules.allow_prompts", + "config.rules.deny_prompts" + ] + } + ], "fields": [ { "protocols": { "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", "default": [ @@ -24,7 +32,6 @@ }, { "config": { - "type": "record", "fields": [ { "embeddings": { 
@@ -35,21 +42,124 @@ "required": false, "fields": [ { - "password": { + "header_name": { + "required": false, + "referenceable": true, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + } + }, + { + "header_value": { + "required": false, + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." + } + }, + { + "param_name": { + "required": false, + "referenceable": true, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + } + }, + { + "param_value": { + "required": false, + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "Specify the full parameter value for 'param_name'." + } + }, + { + "param_location": { + "required": false, + "one_of": [ + "query", + "body" + ], + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string" + } + }, + { + "azure_use_managed_identity": { + "required": false, + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + } + }, + { + "azure_client_id": { + "required": false, + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + } + }, + { + "azure_client_secret": { + "required": false, + "referenceable": true, "type": "string", + "encrypted": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." 
+ } + }, + { + "azure_tenant_id": { + "required": false, "referenceable": true, - "description": "authentication password", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + } + }, + { + "gcp_use_service_account": { "required": false, - "encrypted": true + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" } }, { - "token": { + "gcp_service_account_json": { + "required": false, + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`." + } + }, + { + "aws_access_key_id": { + "required": false, + "referenceable": true, "type": "string", + "encrypted": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance." + } + }, + { + "aws_secret_access_key": { + "required": false, "referenceable": true, - "description": "authentication token", + "type": "string", + "encrypted": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance." + } + }, + { + "allow_override": { "required": false, - "encrypted": true + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" } } ], 
@@ -57,33 +167,50 @@ } }, { - "provider": { - "required": true, - "type": "string", - "one_of": [ - "mistralai", - "openai" - ], - "description": "which provider to use for embeddings" - } - }, - { - "name": { + "model": { "required": true, - "type": "string", - "one_of": [ - "text-embedding-3-large", - "text-embedding-3-small", - "mistral-embed" + "fields": [ + { + "provider": { + "required": true, + "one_of": [ + "openai", + "mistral" + ], + "description": "AI provider format to use for embeddings API", + "type": "string" + } + }, + { + "name": { + "required": true, + "one_of": [ + "text-embedding-3-large", + "text-embedding-3-small", + "mistral-embed" + ], + "description": "Model name to execute.", + "type": "string" + } + }, + { + "options": { + "required": false, + "type": "record", + "fields": [ + { + "upstream_url": { + "required": false, + "description": "upstream url for the embeddings", + "type": "string" + } + } + ], + "description": "Key/value settings for the model" + } + } ], - "description": "which AI model to use for generating embeddings" - } - }, - { - "upstream_url": { - "required": false, - "type": "string", - "description": "upstream url for the embeddings" + "type": "record" } } ], 
@@ -97,78 +224,135 @@ { "strategy": { "required": true, - "type": "string", "one_of": [ "redis" ], - "description": "which vector database driver to use" + "description": "which vector database driver to use", + "type": "string" } }, { "dimensions": { "required": true, - "type": "integer", - "description": "the desired dimensionality for the vectors" + "description": "the desired dimensionality for the vectors", + "type": "integer" } }, { "threshold": { "required": true, - "type": "number", - "description": "the default similarity threshold for accepting semantic search results (float)" + "description": "the default similarity threshold for accepting semantic search results (float)", + "type": "number" } }, { "distance_metric": { "required": true, - "type": "string", "one_of": [ "cosine", "euclidean" ], - "description": "the distance metric to use for vector searches" + "description": "the distance metric to use for vector searches", + "type": "string" } }, { "redis": { "required": true, - "shorthand_fields": [ + "entity_checks": [ { - "timeout": { - "deprecation": { - "removal_in_version": "4.0", - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" - }, - "translate_backwards": [ - "connect_timeout" + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" ], - "type": "integer" + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] } }, { - "sentinel_addresses": { - "len_min": 1, - "type": "array", - "deprecation": { - "removal_in_version": "4.0", - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" - }, - "elements": { - "type": "string" - } + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] } }, { - "cluster_addresses": { - "len_min": 1, - "type": "array", - "deprecation": { - "removal_in_version": "4.0", - "message": "cluster_addresses is deprecated, please 
use cluster_nodes instead" + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "then_field": "host", + "if_match": { + "eq": true }, - "elements": { - "type": "string" - } + "then_match": { + "required": true + }, + "if_field": "connection_is_proxied" + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] } } ], 
@@ -176,88 +360,88 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "type": "integer", "between": [ 0, 65535 ], + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "type": "integer", "between": [ 0, 2147483646 ], "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "type": "integer", "between": [ 0, 2147483646 ], "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "read_timeout": { - "type": "integer", "between": [ 0, 2147483646 ], "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "username": { - "type": "string", "referenceable": true, - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" } }, { "password": { "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", - "type": "string", "referenceable": true, - "encrypted": true + "encrypted": true, + "type": "string" } }, { "sentinel_username": { - "type": "string", "referenceable": true, - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "type": "string", "referenceable": true, - "encrypted": true + "encrypted": true, + "type": "string" } }, { "database": { - "type": "integer", "default": 0, - "description": "Database to use for the Redis connection when using the `redis` strategy" + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" } }, { 
@@ -266,9 +450,9 @@ 1, 2147483646 ], - "type": "integer", "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer" } }, { 
@@ -289,167 +473,157 @@ }, { "sentinel_role": { - "type": "string", "one_of": [ "master", "slave", "any" ], + "type": "string", "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." } }, { "sentinel_nodes": { - "type": "array", + "required": false, "elements": { "fields": [ { "host": { - "type": "string", "required": true, "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { - "type": "integer", "between": [ 0, 65535 ], "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } } ], "type": "record" }, + "type": "array", "len_min": 1, - "required": false, "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { - "type": "array", + "required": false, "elements": { "fields": [ { "ip": { - "type": "string", "required": true, "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { - "type": "integer", "between": [ 0, 65535 ], "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } } ], "type": "record" }, + "type": "array", "len_min": 1, - "required": false, "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { "required": false, - "type": "boolean", "default": false, - "description": "If set to true, uses SSL to connect to Redis." + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" } }, { "ssl_verify": { "required": false, - "type": "boolean", "default": false, - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" } }, { "server_name": { "required": false, - "type": "string", - "description": "A string representing an SNI (server name indication) value for TLS." + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" } }, { "cluster_max_redirections": { "required": false, - "type": "integer", "default": 5, + "type": "integer", "description": "Maximum retry attempts for redirection." } + }, + { + "connection_is_proxied": { + "required": false, + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + } } ], - "entity_checks": [ + "shorthand_fields": [ { - "mutually_exclusive_sets": { - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "connect_timeout" ], - "set2": [ - "host", - "port" - ] + "type": "integer" } }, { - "mutually_exclusive_sets": { - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ], - "set2": [ - "cluster_nodes" - ] + "sentinel_addresses": { + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 } }, { - "mutually_exclusive_sets": { - "set1": [ - "cluster_nodes" - ], - "set2": [ - "host", - "port" - ] + "cluster_addresses": { + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] } ] } 
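Review bot: `ssl` and `ssl_verify` both keep `"default": false` on the new side of this redis record, so unless an operator sets both, the `password` and `sentinel_password` values from the earlier redis hunk are sent over a connection that is either not TLS or does not check the server certificate. The added `connection_is_proxied` description points `host` and `port` at a proxy but does not say whether TLS settings still apply on that hop. This file looks like a schema dump, so the wording belongs in the source schema; a sentence appended to the `ssl_verify` description such as `Leave this off only on a trusted network; with it off the Redis server's identity is not checked.` would make the default's consequence explicit. The same pattern appears in the azure-functions hunk `@@ -42,46 +45,46 @@`, where `https_verify` defaults to `false` while `apikey` is injected as the `x-functions-key` header.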
@@ -460,29 +634,29 @@ }, { "search": { - "type": "record", + "required": false, "fields": [ { "threshold": { - "type": "number", "required": false, "default": 0.5, + "type": "number", "description": "Threshold for the similarity score to be considered a match." } } ], - "required": false + "type": "record" } }, { "rules": { - "type": "record", + "required": true, "fields": [ { "match_all_conversation_history": { - "type": "boolean", "required": false, "default": false, + "type": "boolean", "description": "If false, will ignore all previous chat prompts from the conversation history." } }, @@ -490,12 +664,12 @@ "allow_prompts": { "required": false, "elements": { - "len_min": 1, "len_max": 500, - "type": "string" + "type": "string", + "len_min": 1 }, - "len_max": 100, "type": "array", + "len_max": 100, "description": "List of prompts to allow." } }, @@ -503,46 +677,39 @@ "deny_prompts": { "required": false, "elements": { - "len_min": 1, "len_max": 500, - "type": "string" + "type": "string", + "len_min": 1 }, - "len_max": 100, "type": "array", + "len_max": 100, "description": "List of prompts to deny." } }, { "max_request_body_size": { - "type": "integer", "gt": 0, "default": 8192, + "type": "integer", "description": "max allowed body size allowed to be introspected" } }, { "match_all_roles": { - "type": "boolean", "required": true, "default": false, - "description": "If true, will match all roles in addition to 'user' role in conversation history." + "description": "If true, will match all roles in addition to 'user' role in conversation history.", + "type": "boolean" } } ], - "required": true + "type": "record" } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.rules.allow_prompts", - "config.rules.deny_prompts" - ] - } ] } \ No newline at end of file diff --git a/schemas/app-dynamics/3.8.x.json b/schemas/app-dynamics/3.8.x.json index 380e6ec2..8a2ed0f1 100644 
--- a/schemas/app-dynamics/3.8.x.json +++ b/schemas/app-dynamics/3.8.x.json @@ -1,8 +1,11 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -12,13 +15,13 @@ "https" ] }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" ], - "required": true, "description": "A set of strings representing HTTP protocols." } }, @@ -26,21 +29,18 @@ "consumer_group": { "type": "foreign", "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "fields": [ ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/aws-lambda/3.8.x.json b/schemas/aws-lambda/3.8.x.json index 762af58b..85411178 100644 --- a/schemas/aws-lambda/3.8.x.json +++ b/schemas/aws-lambda/3.8.x.json @@ -1,8 +1,22 @@ { + "entity_checks": [ + { + "mutually_required": [ + "config.aws_key", + "config.aws_secret" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "config.proxy_url" + ] + } + } + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,21 +27,22 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -36,48 +51,54 @@ { "timeout": { "required": true, - "description": "An optional timeout in milliseconds when invoking the function.", + "default": 60000, "type": "number", - "default": 60000 + "description": "An optional timeout in milliseconds when invoking the function." } }, { "keepalive": { "required": true, - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "default": 60000, "type": "number", - "default": 60000 + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." } }, { "aws_key": { - "type": "string", - "encrypted": true, + "description": "The AWS key credential to be used when invoking the function.", "referenceable": true, - "description": "The AWS key credential to be used when invoking the function." + "encrypted": true, + "type": "string" } }, { "aws_secret": { - "type": "string", - "encrypted": true, + "description": "The AWS secret credential to be used when invoking the function. ", "referenceable": true, - "description": "The AWS secret credential to be used when invoking the function. " + "encrypted": true, + "type": "string" } }, { "aws_assume_role_arn": { "type": "string", - "encrypted": true, "referenceable": true, + "encrypted": true, "description": "The target AWS IAM role ARN used to invoke the Lambda function." } }, { "aws_role_session_name": { - "description": "The identifier of the assumed role session.", + "default": "kong", "type": "string", - "default": "kong" + "description": "The identifier of the assumed role session." + } + }, + { + "aws_sts_endpoint_url": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { 
@@ -89,8 +110,8 @@ { "function_name": { "required": false, - "description": "The AWS Lambda function to invoke. Both function name and function ARN (including partial) are supported.", - "type": "string" + "type": "string", + "description": "The AWS Lambda function to invoke. Both function name and function ARN (including partial) are supported." } }, { @@ -101,27 +122,27 @@ }, { "invocation_type": { - "default": "RequestResponse", "required": true, - "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", "type": "string", + "default": "RequestResponse", "one_of": [ "RequestResponse", "Event", "DryRun" - ] + ], + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun." } }, { "log_type": { - "default": "Tail", "required": true, - "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", "type": "string", + "default": "Tail", "one_of": [ "Tail", "None" - ] + ], + "description": "The LogType to use when invoking the function. By default, None and Tail are supported." } }, { @@ -132,13 +153,13 @@ }, { "port": { - "default": 443, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 443, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { 
@@ -149,54 +170,54 @@ }, { "unhandled_status": { - "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", - "type": "integer", "between": [ 100, 999 - ] + ], + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", + "type": "integer" } }, { "forward_request_method": { - "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", + "default": false, "type": "boolean", - "default": false + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request." } }, { "forward_request_uri": { - "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", + "default": false, "type": "boolean", - "default": false + "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request." } }, { "forward_request_headers": { - "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", + "default": false, "type": "boolean", - "default": false + "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request." } }, { "forward_request_body": { - "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. 
", + "default": false, "type": "boolean", - "default": false + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. " } }, { "is_proxy_integration": { - "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", + "default": false, "type": "boolean", - "default": false + "description": "An optional value that defines whether the response format to receive from the Lambda to this format." } }, { "awsgateway_compatible": { - "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", + "default": false, "type": "boolean", - "default": false + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway." } }, { 
@@ -207,48 +228,45 @@ }, { "skip_large_bodies": { - "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", + "default": true, "type": "boolean", - "default": true + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk" } }, { "base64_encode_body": { - "description": "An optional value that Base64-encodes the request body.", + "default": true, "type": "boolean", - "default": true + "description": "An optional value that Base64-encodes the request body." } }, { "aws_imds_protocol_version": { - "default": "v1", "required": true, - "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", "type": "string", + "default": "v1", "one_of": [ "v1", "v2" - ] + ], + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`." + } + }, + { + "empty_arrays_mode": { + "required": true, + "type": "string", + "default": "legacy", + "one_of": [ + "legacy", + "correct" + ], + "description": "An optional value that defines whether Kong should send empty arrays (returned by Lambda function) as `[]` arrays or `{}` objects in JSON responses. The value `legacy` means Kong will send empty arrays as `{}` objects in response" } } ], - "type": "record", - "required": true - } - } - ], - "entity_checks": [ - { - "mutually_required": [ - "config.aws_key", - "config.aws_secret" - ] - }, - { - "custom_entity_check": { - "field_sources": [ - "config.proxy_url" - ] + "required": true, + "type": "record" } } ] diff --git a/schemas/azure-functions/3.8.x.json b/schemas/azure-functions/3.8.x.json index 351a20c8..a82affc2 100644 --- a/schemas/azure-functions/3.8.x.json +++ b/schemas/azure-functions/3.8.x.json 
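Review bot: `aws_imds_protocol_version` still carries `"default": "v1"` in this hunk, so wherever the plugin obtains credentials from instance metadata (presumably when `aws_key` and `aws_secret` are unset; that path is not visible here) it uses the unauthenticated IMDSv1 request flow rather than the session-token flow of `v2`. Instances that enforce token-only metadata access need `v2` set explicitly, and leaving IMDSv1 reachable is the weaker posture against request-forgery style credential exposure. Changing the default is an upstream decision, but the description could say so, for example by appending `Prefer v2 where the instance requires session tokens for metadata access.`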
@@ -1,12 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -18,23 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "description": "A set of strings representing protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -42,46 +45,46 @@ "fields": [ { "timeout": { + "default": 600000, "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", - "type": "number", - "default": 600000 + "type": "number" } }, { "keepalive": { + "default": 60000, "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", - "type": "number", - "default": 60000 + "type": "number" } }, { "https": { + "default": true, "description": "Use of HTTPS to connect with the Azure Functions server.", - "type": "boolean", - "default": true + "type": "boolean" } }, { "https_verify": { + "default": false, "description": "Set to `true` to authenticate the Azure Functions server.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "apikey": { - "type": "string", - "encrypted": true, + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", "referenceable": true, - "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header." + "encrypted": true, + "type": "string" } }, { "clientid": { - "type": "string", - "encrypted": true, + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.", "referenceable": true, - "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header." + "encrypted": true, + "type": "string" } }, { @@ -94,16 +97,16 @@ { "hostdomain": { "required": true, + "default": "azurewebsites.net", "description": "The domain where the function resides.", - "type": "string", - "default": "azurewebsites.net" + "type": "string" } }, { "routeprefix": { + "default": "api", "description": "Route prefix to use.", - "type": "string", - "default": "api" + "type": "string" } }, { 
@@ -114,12 +117,9 @@ } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/basic-auth/3.8.x.json b/schemas/basic-auth/3.8.x.json index d08c9fbb..007ea436 100644 --- a/schemas/basic-auth/3.8.x.json +++ b/schemas/basic-auth/3.8.x.json @@ -1,16 +1,27 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], "elements": { "type": "string", "one_of": [ @@ -22,23 +33,15 @@ "wss" ] }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -53,26 +56,23 @@ { "hide_credentials": { "required": true, + "default": false, "type": "boolean", - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", - "default": false + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it." } }, { "realm": { "required": true, + "default": "service", "type": "string", - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", - "default": "service" + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/bot-detection/3.8.x.json b/schemas/bot-detection/3.8.x.json index f5f0fd1b..7eb652d0 100644 --- a/schemas/bot-detection/3.8.x.json +++ b/schemas/bot-detection/3.8.x.json @@ -1,16 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", 
@@ -21,21 +23,22 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -44,36 +47,33 @@ { "allow": { "type": "array", + "default": [ + + ], "elements": { "type": "string", "is_regex": true }, - "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", - "default": [ - - ] + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header." } }, { "deny": { "type": "array", + "default": [ + + ], "elements": { "type": "string", "is_regex": true }, - "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", - "default": [ - - ] + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/canary/3.8.x.json b/schemas/canary/3.8.x.json index 29995723..22a12eec 100644 --- a/schemas/canary/3.8.x.json +++ b/schemas/canary/3.8.x.json 
@@ -1,24 +1,56 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.upstream_uri", + "config.upstream_host", + "config.upstream_port" + ] + }, + { + "conditional": { + "then_field": "config.hash_header", + "if_match": { + "eq": "header" + }, + "then_match": { + "required": true + }, + "if_field": "config.hash" + } + }, + { + "conditional": { + "then_field": "config.upstream_host", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + }, + "if_field": "config.upstream_fallback" + } + } + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -29,17 +61,19 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, "fields": [ { "start": { 
@@ -49,9 +83,8 @@ }, { "hash": { - "default": "consumer", - "type": "string", "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", + "default": "consumer", "one_of": [ "consumer", "ip", @@ -59,7 +92,8 @@ "allow", "deny", "header" - ] + ], + "type": "string" } }, { @@ -70,28 +104,28 @@ }, { "duration": { + "gt": 0, "default": 3600, - "type": "number", "description": "The duration of the canary release in seconds.", - "gt": 0 + "type": "number" } }, { "steps": { + "gt": 1, "default": 1000, - "type": "number", "description": "The number of steps for the canary release.", - "gt": 1 + "type": "number" } }, { "percentage": { - "type": "number", - "description": "The percentage of traffic to be routed to the canary release.", "between": [ 0, 100 - ] + ], + "type": "number", + "description": "The percentage of traffic to be routed to the canary release." } }, { 
@@ -102,35 +136,35 @@ }, { "upstream_port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "upstream_uri": { + "len_min": 1, "type": "string", - "description": "The URI of the upstream server to be used for the canary release.", - "len_min": 1 + "description": "The URI of the upstream server to be used for the canary release." } }, { "upstream_fallback": { "required": true, - "type": "boolean", + "default": false, "description": "Specifies whether to fallback to the upstream server if the canary release fails.", - "default": false + "type": "boolean" } }, { "groups": { + "type": "array", "elements": { "type": "string" }, - "type": "array", "description": "The groups allowed to access the canary release." } }, @@ -141,7 +175,6 @@ } } ], - "required": true, "shorthand_fields": [ { "hash": { @@ -153,38 +186,5 @@ "type": "record" } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.upstream_uri", - "config.upstream_host", - "config.upstream_port" - ] - }, - { - "conditional": { - "if_field": "config.hash", - "if_match": { - "eq": "header" - }, - "then_field": "config.hash_header", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_field": "config.upstream_fallback", - "if_match": { - "eq": true - }, - "then_field": "config.upstream_host", - "then_match": { - "required": true - } - } - } ] } \ No newline at end of file diff --git a/schemas/confluent/3.8.x.json b/schemas/confluent/3.8.x.json index c2fd4fd5..280db66d 100644 --- a/schemas/confluent/3.8.x.json +++ b/schemas/confluent/3.8.x.json 
@@ -5,14 +5,7 @@ "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -22,15 +15,22 @@ "https" ] }, - "required": true + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "description": "Custom type for representing a foreign key with a null value allowed.", - "reference": "consumer_groups", "type": "foreign", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -39,51 +39,51 @@ { "bootstrap_servers": { "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", - "type": "set", "elements": { - "type": "record", "fields": [ { "host": { "required": true, - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } } - ] - } + ], + "type": "record" + }, + "type": "set" } }, { "topic": { - "description": "The Kafka topic to publish to.", + "required": true, "type": "string", - "required": true + "description": "The Kafka topic to publish to." } }, { "timeout": { - "description": "Socket timeout in milliseconds.", + "default": 10000, "type": "integer", - "default": 10000 + "description": "Socket timeout in milliseconds." } }, { "keepalive": { - "description": "Keepalive timeout in milliseconds.", + "default": 60000, "type": "integer", - "default": 60000 + "description": "Keepalive timeout in milliseconds." } }, { 
@@ -94,145 +94,146 @@ }, { "cluster_api_key": { - "description": "Username/Apikey for SASL authentication.", - "encrypted": true, "required": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "description": "Username/Apikey for SASL authentication." } }, { "cluster_api_secret": { - "description": "Password/ApiSecret for SASL authentication.", - "encrypted": true, "required": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "description": "Password/ApiSecret for SASL authentication." } }, { "confluent_cloud_api_key": { - "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", - "encrypted": true, "required": false, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc." } }, { "confluent_cloud_api_secret": { - "description": "The corresponding secret for the Confluent Cloud API key.", - "encrypted": true, "required": false, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "description": "The corresponding secret for the Confluent Cloud API key." } }, { "forward_method": { - "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "default": false, "type": "boolean", - "default": false + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { "forward_uri": { - "description": "Include the request URI and URI arguments (as in, query arguments) in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "default": false, "type": "boolean", - "default": false + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { "forward_headers": { - "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "default": false, "type": "boolean", - "default": false + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { "forward_body": { - "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "default": true, "type": "boolean", - "default": true + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { "cluster_name": { - "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", - "auto": true, + "required": false, "type": "string", - "required": false + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. 
If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "auto": true } }, { "producer_request_acks": { - "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "type": "integer", + "default": 1, "one_of": [ -1, 0, 1 ], - "type": "integer", - "default": 1 + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set)." } }, { "producer_request_timeout": { - "description": "Time to wait for a Produce response in milliseconds.", + "default": 2000, "type": "integer", - "default": 2000 + "description": "Time to wait for a Produce response in milliseconds." } }, { "producer_request_limits_messages_per_request": { - "description": "Maximum number of messages to include into a single producer request.", + "default": 200, "type": "integer", - "default": 200 + "description": "Maximum number of messages to include into a single producer request." } }, { "producer_request_limits_bytes_per_request": { - "description": "Maximum size of a Produce request in bytes.", + "default": 1048576, "type": "integer", - "default": 1048576 + "description": "Maximum size of a Produce request in bytes." } }, { "producer_request_retries_max_attempts": { - "description": "Maximum number of retry attempts per single Produce request.", + "default": 10, "type": "integer", - "default": 10 + "description": "Maximum number of retry attempts per single Produce request." 
} }, { "producer_request_retries_backoff_timeout": { - "description": "Backoff interval between retry attempts in milliseconds.", + "default": 100, "type": "integer", - "default": 100 + "description": "Backoff interval between retry attempts in milliseconds." } }, { "producer_async": { - "description": "Flag to enable asynchronous mode.", + "default": true, "type": "boolean", - "default": true + "description": "Flag to enable asynchronous mode." } }, { "producer_async_flush_timeout": { - "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "default": 1000, "type": "integer", - "default": 1000 + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode." } }, { "producer_async_buffering_limits_messages_in_memory": { - "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "default": 50000, "type": "integer", - "default": 50000 + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode." } } ], + "required": true, "entity_checks": [ { "custom_entity_check": { @@ -245,8 +246,7 @@ } } ], - "type": "record", - "required": true + "type": "record" } } ] diff --git a/schemas/correlation-id/3.8.x.json b/schemas/correlation-id/3.8.x.json index 359e7014..47df16c0 100644 --- a/schemas/correlation-id/3.8.x.json +++ b/schemas/correlation-id/3.8.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", 
@@ -13,21 +15,22 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -35,38 +38,36 @@ "fields": [ { "header_name": { - "description": "The HTTP header name to use for the correlation ID.", + "default": "Kong-Request-ID", "type": "string", - "default": "Kong-Request-ID" + "description": "The HTTP header name to use for the correlation ID." } }, { "generator": { - "default": "uuid#counter", - "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", + "required": true, "type": "string", + "default": "uuid#counter", "one_of": [ "uuid", "uuid#counter", "tracker" - ] + ], + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators)." } }, { "echo_downstream": { "required": true, - "description": "Whether to echo the header back to downstream (the client).", + "default": false, "type": "boolean", - "default": false + "description": "Whether to echo the header back to downstream (the client)." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/cors/3.8.x.json b/schemas/cors/3.8.x.json index a9ff5f6b..b0a4bf78 100644 --- a/schemas/cors/3.8.x.json +++ b/schemas/cors/3.8.x.json 
@@ -1,43 +1,46 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", "required": true, "elements": { "required": true, - "type": "string", - "len_min": 1, "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string", + "len_min": 1 }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -45,34 +48,45 @@ "fields": [ { "origins": { + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.", "elements": { "type": "string" }, - "type": "array", - "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes." + "type": "array" } }, { "headers": { + "description": "Value for the `Access-Control-Allow-Headers` header.", "elements": { "type": "string" }, - "type": "array", - "description": "Value for the `Access-Control-Allow-Headers` header." + "type": "array" } }, { "exposed_headers": { + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", "elements": { "type": "string" }, - "type": "array", - "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed." + "type": "array" } }, { "methods": { - "type": "array", + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", + "default": [ + "GET", + "HEAD", + "PUT", + "PATCH", + "POST", + "DELETE", + "OPTIONS", + "TRACE", + "CONNECT" + ], "elements": { "type": "string", "one_of": [ @@ -87,18 +101,7 @@ "CONNECT" ] }, - "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", - "default": [ - "GET", - "HEAD", - "PUT", - "PATCH", - "POST", - "DELETE", - "OPTIONS", - "TRACE", - "CONNECT" - ] + "type": "array" } }, { 
@@ -110,34 +113,31 @@ { "credentials": { "required": true, - "type": "boolean", + "default": false, "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", - "default": false + "type": "boolean" } }, { "private_network": { "required": true, - "type": "boolean", + "default": false, "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", - "default": false + "type": "boolean" } }, { "preflight_continue": { "required": true, - "type": "boolean", + "default": false, "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", - "default": false + "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/datadog/3.8.x.json b/schemas/datadog/3.8.x.json index 58c1186f..d464b6cb 100644 --- a/schemas/datadog/3.8.x.json +++ b/schemas/datadog/3.8.x.json @@ -1,12 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -18,23 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "description": "A set of strings representing protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -43,81 +46,81 @@ { "host": { "description": "A string representing a host name, such as example.com.", - "type": "string", "referenceable": true, - "default": "localhost" + "default": "localhost", + "type": "string" } }, { "port": { - "default": 8125, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "prefix": { + "default": "kong", "description": "String to be attached as a prefix to a metric's name.", - "type": "string", - "default": "kong" + "type": "string" } }, { "service_name_tag": { + "default": "name", "description": "String to be attached as the name of the service.", - "type": "string", - "default": "name" + "type": "string" } }, { "status_tag": { + "default": "status", "description": "String to be attached as the tag of the HTTP status.", - "type": "string", - "default": "status" + "type": "string" } }, { "consumer_tag": { + "default": "consumer", "description": "String to be attached as tag of the consumer.", - "type": "string", - "default": "consumer" + "type": "string" } }, { "retry_count": { "deprecation": { - "old_default": 10, + "message": "datadog: config.retry_count no longer works, please use config.queue.max_retry_time instead", "removal_in_version": "4.0", - "message": "datadog: config.retry_count no longer works, please use config.queue.max_retry_time instead" + "old_default": 10 }, - "description": "Number of times to retry when sending data to the upstream server.", - "type": "integer" + "type": "integer", + "description": "Number of times to retry when sending data to the upstream server." 
} }, { "queue_size": { "deprecation": { - "old_default": 1, + "message": "datadog: config.queue_size is deprecated, please use config.queue.max_batch_size instead", "removal_in_version": "4.0", - "message": "datadog: config.queue_size is deprecated, please use config.queue.max_batch_size instead" + "old_default": 1 }, - "description": "Maximum number of log entries to be sent on each message to the upstream server.", - "type": "integer" + "type": "integer", + "description": "Maximum number of log entries to be sent on each message to the upstream server." } }, { "flush_timeout": { "deprecation": { - "old_default": 2, + "message": "datadog: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", "removal_in_version": "4.0", - "message": "datadog: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead" + "old_default": 2 }, - "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", - "type": "number" + "type": "number", + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records." } }, { 
@@ -125,35 +128,35 @@ "fields": [ { "max_batch_size": { - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 - ] + ], + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 - ] + ], + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 - ] + ], + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue." } }, { 
@@ -164,49 +167,57 @@ }, { "max_retry_time": { + "default": 60, "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "default": 60 + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 - ] + ], + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff." + } + }, + { + "concurrency_limit": { + "type": "integer", + "default": 1, + "one_of": [ + -1, + 1 + ], + "description": "The number of of queue delivery timers. -1 indicates unlimited." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "metrics": { - "type": "array", "required": true, "elements": { "fields": [ { "name": { "required": true, - "description": "Datadog metric’s name", - "type": "string", "one_of": [ "kong_latency", "latency", @@ -214,14 +225,14 @@ "request_size", "response_size", "upstream_latency" - ] + ], + "description": "Datadog metric’s name", + "type": "string" } }, { "stat_type": { "required": true, - "description": "Determines what sort of event the metric represents", - "type": "string", "one_of": [ "counter", "gauge", 
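Review bot: The description of the added `concurrency_limit` field in the `queue` record has a doubled word ("The number of of queue delivery timers") and calls the field a number, although its `one_of` accepts only `-1` and `1`. I would word it as `"description": "Number of queue delivery timers: 1 for a single timer, -1 for unlimited."`. Since `-1` removes the bound, the text should presumably also say what still limits timer creation when the Datadog agent is slow or unreachable, so operators can judge the resource impact before choosing it. These schema files look downloaded rather than hand-edited, so the wording fix likely belongs in the upstream plugin schema and a re-pull, not in this file.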
@@ -230,121 +241,121 @@ "set", "timer", "distribution" - ] + ], + "description": "Determines what sort of event the metric represents", + "type": "string" } }, { "tags": { + "type": "array", "elements": { - "type": "string", - "match": "^.*[^:]$" + "match": "^.*[^:]$", + "type": "string" }, - "description": "List of tags", - "type": "array" + "description": "List of tags" } }, { "sample_rate": { - "description": "Sampling rate", - "type": "number", "between": [ 0, 1 - ] + ], + "type": "number", + "description": "Sampling rate" } }, { "consumer_identifier": { - "description": "Authenticated user detail", - "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ] + ], + "type": "string", + "description": "Authenticated user detail" } } ], "entity_checks": [ { "conditional": { - "if_field": "stat_type", + "then_field": "sample_rate", "if_match": { "one_of": [ "counter", "gauge" ] }, - "then_field": "sample_rate", "then_match": { "required": true - } + }, + "if_field": "stat_type" } } ], "type": "record" }, - "description": "List of metrics to be logged.", + "type": "array", "default": [ { + "sample_rate": 1, "stat_type": "counter", + "name": "request_count", + "consumer_identifier": "custom_id", "tags": [ "app:kong" - ], - "consumer_identifier": "custom_id", - "name": "request_count", - "sample_rate": 1 + ] }, { + "consumer_identifier": "custom_id", "stat_type": "timer", - "name": "latency", "tags": [ "app:kong" ], - "consumer_identifier": "custom_id" + "name": "latency" }, { + "consumer_identifier": "custom_id", "stat_type": "timer", - "name": "request_size", "tags": [ "app:kong" ], - "consumer_identifier": "custom_id" + "name": "request_size" }, { + "consumer_identifier": "custom_id", "stat_type": "timer", - "name": "response_size", "tags": [ "app:kong" ], - "consumer_identifier": "custom_id" + "name": "response_size" }, { + "consumer_identifier": "custom_id", "stat_type": "timer", - "name": "upstream_latency", "tags": [ "app:kong" ], - 
"consumer_identifier": "custom_id" + "name": "upstream_latency" }, { + "consumer_identifier": "custom_id", "stat_type": "timer", - "name": "kong_latency", "tags": [ "app:kong" ], - "consumer_identifier": "custom_id" + "name": "kong_latency" } - ] + ], + "description": "List of metrics to be logged." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/degraphql/3.8.x.json b/schemas/degraphql/3.8.x.json index cd491eea..8748c73e 100644 --- a/schemas/degraphql/3.8.x.json +++ b/schemas/degraphql/3.8.x.json @@ -1,16 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -21,21 +23,22 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -43,26 +46,23 @@ "fields": [ { "graphql_server_path": { + "required": true, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "required": true, "type": "string", "starts_with": "/", - "default": "/graphql" + "default": "/graphql", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/exit-transformer/3.8.x.json b/schemas/exit-transformer/3.8.x.json index 793e86c4..2d523008 100644 --- a/schemas/exit-transformer/3.8.x.json +++ b/schemas/exit-transformer/3.8.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,21 +15,22 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -44,25 +47,22 @@ }, { "handle_unknown": { + "default": false, "description": "Determines whether to handle unknown status codes by transforming their responses.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "handle_unexpected": { + "default": false, "description": "Determines whether to handle unexpected errors by transforming their responses.", - "type": "boolean", - "default": false + "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/file-log/3.8.x.json b/schemas/file-log/3.8.x.json index 0439ef6d..0bd1604b 100644 --- a/schemas/file-log/3.8.x.json +++ b/schemas/file-log/3.8.x.json @@ -1,12 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -18,23 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "description": "A set of strings representing protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -42,19 +45,19 @@ "fields": [ { "path": { - "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", "required": true, "match": "^[^*&%%\\`]+$", "type": "string", - "err": "not a valid filename" + "err": "not a valid filename", + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet." } }, { "reopen": { "required": true, + "default": false, "type": "boolean", - "description": "Determines whether the log file is closed and reopened on every request.", - "default": false + "description": "Determines whether the log file is closed and reopened on every request." } }, { @@ -63,21 +66,18 @@ "type": "string", "len_min": 1 }, - "type": "map", "description": "Lua code as a key-value map", "values": { - "type": "string", - "len_min": 1 - } + "len_min": 1, + "type": "string" + }, + "type": "map" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/forward-proxy/3.8.x.json b/schemas/forward-proxy/3.8.x.json index 1e52a284..a606ccd7 100644 --- a/schemas/forward-proxy/3.8.x.json +++ b/schemas/forward-proxy/3.8.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", 
@@ -13,25 +15,27 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -58,38 +62,19 @@ ] } ], - "shorthand_fields": [ - { - "proxy_host": { - "type": "string", - "deprecation": { - "removal_in_version": "4.0", - "message": "forward-proxy: config.proxy_host is deprecated, please use config.http_proxy_host instead" - } - } - }, - { - "proxy_port": { - "type": "integer", - "deprecation": { - "removal_in_version": "4.0", - "message": "forward-proxy: config.proxy_port is deprecated, please use config.http_proxy_port instead" - } - } - } - ], + "type": "record", "fields": [ { "x_headers": { - "default": "append", "required": true, "type": "string", - "description": "Determines how to handle headers when forwarding the request.", + "default": "append", "one_of": [ "append", "transparent", "delete" - ] + ], + "description": "Determines how to handle headers when forwarding the request." } }, { @@ -100,12 +85,12 @@ }, { "http_proxy_port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { 
@@ -116,56 +101,71 @@ }, { "https_proxy_port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "proxy_scheme": { - "default": "http", "required": true, "type": "string", - "description": "The proxy scheme to use when connecting. Only `http` is supported.", + "default": "http", "one_of": [ "http" - ] + ], + "description": "The proxy scheme to use when connecting. Only `http` is supported." } }, { "auth_username": { "required": false, - "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", "referenceable": true, + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", "type": "string" } }, { "auth_password": { "required": false, - "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", "referenceable": true, + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", "type": "string" } }, { "https_verify": { "required": true, - "type": "boolean", + "default": false, "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", - "default": false + "type": "boolean" } } ], - "type": "record", - "required": true + "shorthand_fields": [ + { + "proxy_host": { + "deprecation": { + "message": "forward-proxy: config.proxy_host is deprecated, please use config.http_proxy_host instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "proxy_port": { + "deprecation": { + "message": "forward-proxy: config.proxy_port is deprecated, please use config.http_proxy_port instead", + "removal_in_version": "4.0" + }, + "type": "integer" + } + } + ] } } - 
], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/graphql-proxy-cache-advanced/3.8.x.json b/schemas/graphql-proxy-cache-advanced/3.8.x.json index b2d602c8..d165e82c 100644 --- a/schemas/graphql-proxy-cache-advanced/3.8.x.json +++ b/schemas/graphql-proxy-cache-advanced/3.8.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,21 +15,22 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -35,22 +38,22 @@ "fields": [ { "strategy": { - "default": "memory", "required": true, - "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", "type": "string", + "default": "memory", "one_of": [ "memory", "redis" - ] + ], + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`." } }, { "cache_ttl": { "gt": 0, - "type": "integer", + "default": 300, "description": "TTL in seconds of cache entities. Must be a value greater than 0.", - "default": 300 + "type": "integer" } }, { 
@@ -59,18 +62,117 @@ { "dictionary_name": { "required": true, - "type": "string", + "default": "kong_db_cache", "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", - "default": "kong_db_cache" + "type": "string" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "redis": { + "required": true, + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "then_field": "host", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + }, + "if_field": "connection_is_proxied" + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", "fields": [ { "host": { 
@@ -80,164 +182,200 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] - } - }, - { - "timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + ], "type": "integer", - "between": [ - 0, - 2147483646 - ] + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string" } }, { "password": { "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", - "encrypted": true, "referenceable": true, + "encrypted": true, "type": "string" } }, { "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", "type": "string" } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "encrypted": true, "referenceable": true, + "encrypted": true, "type": "string" } }, { "database": { - "type": "integer", + "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "default": 0 + "type": "integer" } }, { "keepalive_pool_size": { - "default": 256, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 - ] + ], + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low.", + "type": "integer" } }, { "keepalive_backlog": { - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." 
} }, { - "sentinel_addresses": { - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "sentinel_nodes": { + "required": false, "elements": { - "type": "string" + "fields": [ + { + "host": { + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + } + ], + "type": "record" }, "type": "array", - "len_min": 1 + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { - "cluster_addresses": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "cluster_nodes": { + "required": false, "elements": { - "type": "string" + "fields": [ + { + "ip": { + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + } + ], + "type": "record" }, "type": "array", - "len_min": 1 + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." 
} }, { "ssl": { "required": false, + "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "ssl_verify": { "required": false, + "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean", - "default": false + "type": "boolean" } }, { 
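Review bot: The element field added under `cluster_nodes` is named `ip`, but its description is "A string representing a host name, such as example.com.", the same text used for `sentinel_nodes.host`. The schema only says `"type": "string"`, so an operator cannot tell whether a host name is accepted there or only an address. The description should state the accepted form, for example `"description": "The address of a Redis Cluster node."` if only addresses are valid. The same wording is added in the `@@ -157,164 +265,200 @@` hunk of schemas/graphql-rate-limiting-advanced/3.8.x.json. Because these files are pulled from the API, the text presumably has to be corrected in the upstream schema and re-downloaded; the `redis` record's `fields` array starts before this hunk and continues after it.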
@@ -246,93 +384,86 @@ "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string" } - } - ], - "entity_checks": [ + }, { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] + "cluster_max_redirections": { + "required": false, + "default": 5, + "type": "integer", + "description": "Maximum retry attempts for redirection." } }, { - "mutually_exclusive_sets": { - "set2": [ - "cluster_addresses" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] + "connection_is_proxied": { + "required": false, + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" } - }, + } + ], + "shorthand_fields": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "connect_timeout" ], - "set1": [ - "cluster_addresses" - ] + "type": "integer" } }, { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] + "sentinel_addresses": { + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } }, { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] + "cluster_addresses": { + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } } - ], - "type": 
"record", - "required": true + ] } }, { "bypass_on_err": { - "type": "boolean", + "default": false, "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", - "default": false + "type": "boolean" } }, { "vary_headers": { + "type": "array", "elements": { "type": "string" }, - "type": "array", "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/graphql-rate-limiting-advanced/3.8.x.json b/schemas/graphql-rate-limiting-advanced/3.8.x.json index 80e4f015..bf90f6f7 100644 --- a/schemas/graphql-rate-limiting-advanced/3.8.x.json +++ b/schemas/graphql-rate-limiting-advanced/3.8.x.json @@ -1,8 +1,16 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,21 +21,22 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -35,45 +44,45 @@ "fields": [ { "identifier": { - "default": "consumer", "required": true, "type": "string", - "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", + "default": "consumer", "one_of": [ "ip", "credential", "consumer" - ] + ], + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`." } }, { "window_size": { "required": true, + "type": "array", "elements": { "type": "number" }, - "type": "array", "description": "One or more window sizes to apply a limit to (defined in seconds)." } }, { "window_type": { - "default": "sliding", "type": "string", - "description": "Sets the time window to either `sliding` or `fixed`.", + "default": "sliding", "one_of": [ "fixed", "sliding" - ] + ], + "description": "Sets the time window to either `sliding` or `fixed`." } }, { "limit": { "required": true, + "type": "array", "elements": { "type": "number" }, - "type": "array", "description": "One or more requests-per-window limits to apply." } }, 
@@ -86,68 +95,167 @@ }, { "namespace": { - "auto": true, "type": "string", - "description": "The rate limiting library namespace to use for this plugin instance. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same." + "auto": true, + "description": "The rate limiting namespace to use for this plugin instance. This namespace is used to share rate limiting counters across different instances. If it is not provided, a random UUID is generated. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same." } }, { "strategy": { - "default": "cluster", "required": true, "type": "string", - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", + "default": "cluster", "one_of": [ "cluster", "redis" - ] + ], + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits." } }, { "dictionary_name": { "required": true, + "default": "kong_rate_limiting_counters", "type": "string", - "description": "The shared dictionary where counters will be stored until the next sync cycle.", - "default": "kong_rate_limiting_counters" + "description": "The shared dictionary where counters will be stored until the next sync cycle." } }, { "hide_client_headers": { + "default": false, "type": "boolean", - "description": "Optionally hide informative response headers. Available options: `true` or `false`.", - "default": false + "description": "Optionally hide informative response headers. Available options: `true` or `false`." } }, { "cost_strategy": { - "default": "default", "type": "string", - "description": "Strategy to use to evaluate query costs. 
Either `default` or `node_quantifier`.", + "default": "default", "one_of": [ "default", "node_quantifier" - ] + ], + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`." } }, { "score_factor": { "gt": 0, - "required": false, - "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", "type": "number", - "default": 1 + "default": 1, + "required": false, + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0." } }, { "max_cost": { "required": false, + "default": 0, "type": "number", - "description": "A defined maximum cost per query. 0 means unlimited.", - "default": 0 + "description": "A defined maximum cost per query. 0 means unlimited." } }, { "redis": { + "required": true, + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "then_field": "host", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + }, + "if_field": "connection_is_proxied" + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, 
+ { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", "fields": [ { "host": { 
@@ -157,164 +265,200 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] - } - }, - { - "timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + ], "type": "integer", - "between": [ - 0, - 2147483646 - ] + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string" } }, { "password": { "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", - "encrypted": true, "referenceable": true, + "encrypted": true, "type": "string" } }, { "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", "type": "string" } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "encrypted": true, "referenceable": true, + "encrypted": true, "type": "string" } }, { "database": { - "type": "integer", + "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "default": 0 + "type": "integer" } }, { "keepalive_pool_size": { - "default": 256, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 - ] + ], + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low.", + "type": "integer" } }, { "keepalive_backlog": { - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." 
} }, { - "sentinel_addresses": { - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "sentinel_nodes": { + "required": false, "elements": { - "type": "string" + "fields": [ + { + "host": { + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + } + ], + "type": "record" }, "type": "array", - "len_min": 1 + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { - "cluster_addresses": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "cluster_nodes": { + "required": false, "elements": { - "type": "string" + "fields": [ + { + "ip": { + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + } + ], + "type": "record" }, "type": "array", - "len_min": 1 + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." 
} }, { "ssl": { "required": false, + "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "ssl_verify": { "required": false, + "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean", - "default": false + "type": "boolean" } }, { 
@@ -323,82 +467,69 @@ "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string" } - } - ], - "entity_checks": [ + }, { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] + "cluster_max_redirections": { + "required": false, + "default": 5, + "type": "integer", + "description": "Maximum retry attempts for redirection." } }, { - "mutually_exclusive_sets": { - "set2": [ - "cluster_addresses" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] + "connection_is_proxied": { + "required": false, + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" } - }, + } + ], + "shorthand_fields": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "connect_timeout" ], - "set1": [ - "cluster_addresses" - ] + "type": "integer" } }, { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] + "sentinel_addresses": { + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } }, { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] + "cluster_addresses": { + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } } - ], - "type": 
"record", - "required": true + ] } } ], - "type": "record", - "required": true - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] + "required": true, + "type": "record" } } ] diff --git a/schemas/grpc-gateway/3.8.x.json b/schemas/grpc-gateway/3.8.x.json index 28a35684..03ba8d81 100644 --- a/schemas/grpc-gateway/3.8.x.json +++ b/schemas/grpc-gateway/3.8.x.json @@ -1,12 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -18,23 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "description": "A set of strings representing protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -48,12 +51,9 @@ } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/grpc-web/3.8.x.json b/schemas/grpc-web/3.8.x.json index ea23b872..377e7a32 100644 --- a/schemas/grpc-web/3.8.x.json +++ b/schemas/grpc-web/3.8.x.json @@ -1,12 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -18,23 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "description": "A set of strings representing protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -43,32 +46,29 @@ { "proto": { "required": false, - "type": "string", - "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content." + "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", + "type": "string" } }, { "pass_stripped_path": { "required": false, - "type": "boolean", - "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service." + "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", + "type": "boolean" } }, { "allow_origin_header": { "required": false, - "type": "string", + "default": "*", "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", - "default": "*" + "type": "string" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/header-cert-auth/3.8.x.json b/schemas/header-cert-auth/3.8.x.json index edd98ff6..80ece429 100644 --- a/schemas/header-cert-auth/3.8.x.json 
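Review bot: `allow_origin_header` keeps `"default": "*"`, so a plugin instance created without this field answers gRPC-Web clients with `Access-Control-Allow-Origin: *`, and the description does not say so. I would append to that description the sentence `The default "*" allows any origin; set a specific origin to restrict browser access.` In the same hunk the `proto` description names the content type `application/grpw-web+proto`, which looks like a typo for `application/grpc-web+proto`. This file looks like a generated export, so both wording fixes would go into the plugin's schema source and be re-exported.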
+++ b/schemas/header-cert-auth/3.8.x.json @@ -1,24 +1,27 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", "default": [ 
@@ -32,73 +35,58 @@ }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", + "reference": "consumer_groups", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "entity_checks": [ - { - "mutually_required": [ - "http_proxy_host", - "http_proxy_port" - ] - }, - { - "mutually_required": [ - "https_proxy_host", - "https_proxy_port" - ] - } - ], - "type": "record", "fields": [ { "certificate_header_name": { - "type": "string", "required": true, + "type": "string", "description": "Name of the header that contains the certificate, received from the WAF or other L7 downstream proxy." } }, { "certificate_header_format": { - "type": "string", "required": true, "one_of": [ "base64_encoded", "url_encoded" ], + "type": "string", "description": "Format of the certificate header. Supported formats: `base64_encoded`, `url_encoded`." } }, { "secure_source": { "required": true, - "type": "boolean", "default": true, - "description": "Whether to secure the source of the request. If set to `true`, the plugin will only allow requests from trusted IPs (configured by the `trusted_ips` config option)." + "description": "Whether to secure the source of the request. If set to `true`, the plugin will only allow requests from trusted IPs (configured by the `trusted_ips` config option).", + "type": "boolean" } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "consumer_by": { - "type": "array", + "required": false, "elements": { + "type": "string", "one_of": [ "username", "custom_id" - ], - "type": "string" + ] }, - "required": false, + "type": "array", "default": [ "username", "custom_id" 
@@ -108,122 +96,134 @@ }, { "ca_certificates": { - "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", "required": true, - "type": "array", + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", "elements": { "uuid": true, "type": "string" - } + }, + "type": "array" } }, { "cache_ttl": { - "type": "number", "required": true, "default": 60, - "description": "Cache expiry time in seconds." + "description": "Cache expiry time in seconds.", + "type": "number" } }, { "skip_consumer_lookup": { - "type": "boolean", "required": true, "default": false, - "description": "Skip consumer lookup once certificate is trusted against the configured CA list." + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "type": "boolean" } }, { "allow_partial_chain": { - "type": "boolean", "required": true, "default": false, - "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates." + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "type": "boolean" } }, { "authenticated_group_by": { "required": false, + "type": "string", + "default": "CN", "one_of": [ "CN", "DN" ], - "type": "string", - "default": "CN", "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). 
Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users." } }, { "revocation_check_mode": { "required": false, + "type": "string", + "default": "IGNORE_CA_ERROR", "one_of": [ "SKIP", "IGNORE_CA_ERROR", "STRICT" ], - "type": "string", - "default": "IGNORE_CA_ERROR", "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status." } }, { "http_timeout": { - "type": "number", "default": 30000, - "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL." + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number" } }, { "cert_cache_ttl": { - "type": "number", "default": 60000, - "description": "The length of time in milliseconds between refreshes of the revocation check status cache." + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", + "type": "number" } }, { "default_consumer": { - "type": "string", - "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "http_proxy_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "http_proxy_port": { - "type": "integer", "between": [ 0, 65535 ], + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "https_proxy_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "https_proxy_port": { - "type": "integer", "between": [ 0, 65535 ], + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], - "required": true + "required": true, + "entity_checks": [ + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/hmac-auth/3.8.x.json b/schemas/hmac-auth/3.8.x.json index f95b6922..5fdc7d3a 100644 --- a/schemas/hmac-auth/3.8.x.json +++ b/schemas/hmac-auth/3.8.x.json 
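Review bot: `revocation_check_mode` defaults to `IGNORE_CA_ERROR`, and its description says only that this mode "doesn't fail on network issues". Read against the `STRICT` text, that appears to mean a certificate is accepted when its OCSP or CRL status cannot be fetched, and the description should say so outright. I would append `With IGNORE_CA_ERROR a certificate whose revocation status cannot be retrieved is still accepted; use STRICT to reject it.` This file looks like a generated export, so the wording would be changed in the plugin's schema source and re-exported.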
@@ -1,16 +1,33 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.algorithms" + ] + } + } + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], "elements": { "type": "string", "one_of": [ @@ -22,23 +39,15 @@ "wss" ] }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -47,17 +56,17 @@ { "hide_credentials": { "required": true, + "default": false, "type": "boolean", - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", - "default": false + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service." } }, { "clock_skew": { + "gt": 0, "default": 300, "type": "number", - "description": "Clock skew in seconds to prevent replay attacks.", - "gt": 0 + "description": "Clock skew in seconds to prevent replay attacks." } }, { 
@@ -69,26 +78,32 @@ { "validate_request_body": { "required": true, + "default": false, "type": "boolean", - "description": "A boolean value telling the plugin to enable body validation.", - "default": false + "description": "A boolean value telling the plugin to enable body validation." } }, { "enforce_headers": { - "type": "array", - "elements": { - "type": "string" - }, "description": "A list of headers that the client should at least use for HTTP signature creation.", "default": [ - ] + ], + "elements": { + "type": "string" + }, + "type": "array" } }, { "algorithms": { - "type": "array", + "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], "elements": { "type": "string", "one_of": [ @@ -98,27 +113,19 @@ "hmac-sha512" ] }, - "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", - "default": [ - "hmac-sha1", - "hmac-sha256", - "hmac-sha384", - "hmac-sha512" - ] + "type": "array" + } + }, + { + "realm": { + "required": false, + "type": "string", + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value." } } ], - "type": "record", - "required": true - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.algorithms" - ] + "required": true, + "type": "record" } } ] diff --git a/schemas/http-log/3.8.x.json b/schemas/http-log/3.8.x.json index de991dd0..f45f2232 100644 --- a/schemas/http-log/3.8.x.json +++ b/schemas/http-log/3.8.x.json 
@@ -1,12 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -18,23 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "description": "A set of strings representing protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -42,108 +45,108 @@ "fields": [ { "http_endpoint": { - "encrypted": true, - "referenceable": true, "required": true, + "referenceable": true, "type": "string", + "encrypted": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "method": { - "default": "POST", "type": "string", - "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", + "default": "POST", "one_of": [ "POST", "PUT", "PATCH" - ] + ], + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`." } }, { "content_type": { - "default": "application/json", "type": "string", - "description": "Indicates the type of data sent. The only available option is `application/json`.", + "default": "application/json", "one_of": [ "application/json", "application/json; charset=utf-8" - ] + ], + "description": "Indicates the type of data sent. The only available option is `application/json`." } }, { "timeout": { + "default": 10000, "type": "number", - "description": "An optional timeout in milliseconds when sending data to the upstream server.", - "default": 10000 + "description": "An optional timeout in milliseconds when sending data to the upstream server." } }, { "keepalive": { + "default": 60000, "type": "number", - "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", - "default": 60000 + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed." 
} }, { "retry_count": { "deprecation": { - "old_default": 10, + "message": "http-log: config.retry_count no longer works, please use config.queue.max_retry_time instead", "removal_in_version": "4.0", - "message": "http-log: config.retry_count no longer works, please use config.queue.max_retry_time instead" + "old_default": 10 }, - "type": "integer", - "description": "Number of times to retry when sending data to the upstream server." + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" } }, { "queue_size": { "deprecation": { - "old_default": 1, + "message": "http-log: config.queue_size is deprecated, please use config.queue.max_batch_size instead", "removal_in_version": "4.0", - "message": "http-log: config.queue_size is deprecated, please use config.queue.max_batch_size instead" + "old_default": 1 }, - "type": "integer", - "description": "Maximum number of log entries to be sent on each message to the upstream server." + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" } }, { "flush_timeout": { "deprecation": { - "old_default": 2, + "message": "http-log: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", "removal_in_version": "4.0", - "message": "http-log: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead" + "old_default": 2 }, - "type": "number", - "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records." + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" } }, { "headers": { + "description": "An optional table of headers included in the HTTP message to the upstream server. 
Values are indexed by header name, and each header name accepts a single string.", + "type": "map", + "values": { + "referenceable": true, + "type": "string" + }, "keys": { + "description": "A string representing an HTTP header name.", "match_none": [ { - "err": "cannot contain 'Host' header", - "pattern": "^[Hh][Oo][Ss][Tt]$" + "pattern": "^[Hh][Oo][Ss][Tt]$", + "err": "cannot contain 'Host' header" }, { - "err": "cannot contain 'Content-Length' header", - "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$" + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$", + "err": "cannot contain 'Content-Length' header" }, { - "err": "cannot contain 'Content-Type' header", - "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$" + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$", + "err": "cannot contain 'Content-Type' header" } ], - "description": "A string representing an HTTP header name.", "type": "string" - }, - "type": "map", - "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", - "values": { - "type": "string", - "referenceable": true } } }, 
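Review bot: The `match_none` pattern for Content-Length under `headers.keys` contains the class `[nn]`, which matches only a lowercase `n`. A key written with a capital N in "Length" is therefore not rejected, although the Host and Content-Type patterns cover both cases of every letter. The class should be `[Nn]`: `"pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][Nn][Gg][Tt][Hh]$"`. The line is only reordered by this hunk, so the fix presumably belongs in the plugin's schema source, with this file re-exported afterwards.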
@@ -152,35 +155,35 @@ "fields": [ { "max_batch_size": { - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 - ] + ], + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 - ] + ], + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 - ] + ], + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue." } }, { 
@@ -191,36 +194,47 @@ }, { "max_retry_time": { + "default": 60, "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "default": 60 + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 - ] + ], + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff." + } + }, + { + "concurrency_limit": { + "type": "integer", + "default": 1, + "one_of": [ + -1, + 1 + ], + "description": "The number of of queue delivery timers. -1 indicates unlimited." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -229,21 +243,18 @@ "type": "string", "len_min": 1 }, - "type": "map", "description": "Lua code as a key-value map", "values": { - "type": "string", - "len_min": 1 - } + "len_min": 1, + "type": "string" + }, + "type": "map" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/ip-restriction/3.8.x.json b/schemas/ip-restriction/3.8.x.json index 029b175e..a8c4562e 100644 --- a/schemas/ip-restriction/3.8.x.json +++ b/schemas/ip-restriction/3.8.x.json 
@@ -1,12 +1,17 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", "required": true, "elements": { - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -18,7 +23,9 @@ "udp", "ws", "wss" - ] + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, "type": "set", "default": [ @@ -28,7 +35,8 @@ "tls", "grpc", "grpcs" - ] + ], + "description": "A set of strings representing protocols." } }, { 
@@ -36,50 +44,42 @@ "fields": [ { "allow": { + "type": "array", "elements": { "type": "string", "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." }, - "type": "array", "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified." } }, { "deny": { + "type": "array", "elements": { "type": "string", "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." }, - "type": "array", "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified." } }, { "status": { "required": false, - "type": "number", - "description": "The HTTP status of the requests that will be rejected by the plugin." + "description": "The HTTP status of the requests that will be rejected by the plugin.", + "type": "number" } }, { "message": { "required": false, - "type": "string", - "description": "The message to send as a response body to rejected requests." + "description": "The message to send as a response body to rejected requests.", + "type": "string" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.allow", - "config.deny" - ] - } ] } \ No newline at end of file diff --git a/schemas/jq/3.8.x.json b/schemas/jq/3.8.x.json index 733feb0f..3e8a828f 100644 --- a/schemas/jq/3.8.x.json +++ b/schemas/jq/3.8.x.json @@ -1,16 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", 
@@ -21,13 +23,14 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { @@ -42,59 +45,59 @@ { "request_jq_program_options": { "required": false, + "default": [ + + ], "fields": [ { "compact_output": { "required": true, - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "raw_output": { "required": true, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "join_output": { "required": true, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "ascii_output": { "required": true, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "sort_keys": { "required": true, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } } ], - "type": "record", - "default": [ - - ] + "type": "record" } }, { "request_if_media_type": { "required": false, + "default": [ + "application/json" + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - "application/json" - ] + "type": "array" } }, { 
@@ -106,78 +109,79 @@ { "response_jq_program_options": { "required": false, + "default": [ + + ], "fields": [ { "compact_output": { "required": true, - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "raw_output": { "required": true, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "join_output": { "required": true, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "ascii_output": { "required": true, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "sort_keys": { "required": true, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } } ], - "type": "record", - "default": [ - - ] + "type": "record" } }, { "response_if_media_type": { "required": false, + "default": [ + "application/json" + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - "application/json" - ] + "type": "array" } }, { "response_if_status_code": { "required": false, + "default": [ + 200 + ], "elements": { - "type": "integer", "between": [ 100, 599 - ] + ], + "type": "integer" }, - "type": "array", - "default": [ - 200 - ] + "type": "array" } } ], + "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -186,12 +190,8 @@ ] } ], - "type": "record", - "required": true + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/json-threat-protection/3.8.x.json b/schemas/json-threat-protection/3.8.x.json index 09ee0f32..e430db6c 100644 --- a/schemas/json-threat-protection/3.8.x.json +++ b/schemas/json-threat-protection/3.8.x.json 
@@ -1,24 +1,34 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.max_body_size", + "config.max_container_depth" + ] + } + } + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", "default": [ @@ -32,20 +42,19 @@ }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", + "reference": "consumer_groups", "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "type": "record", "fields": [ { "max_body_size": { - "type": "integer", "required": false, + "type": "integer", "between": [ -1, 2147483648 @@ -56,8 +65,8 @@ }, { "max_container_depth": { - "type": "integer", "required": false, + "type": "integer", "between": [ -1, 2147483648 @@ -68,8 +77,8 @@ }, { "max_object_entry_count": { - "type": "integer", "required": false, + "type": "integer", "between": [ -1, 2147483648 @@ -80,8 +89,8 @@ }, { "max_object_entry_name_length": { - "type": "integer", "required": false, + "type": "integer", "between": [ -1, 2147483648 @@ -92,8 +101,8 @@ }, { "max_array_element_count": { - "type": "integer", "required": false, + "type": "integer", "between": [ -1, 2147483648 @@ -104,8 +113,8 @@ }, { "max_string_value_length": { - "type": "integer", "required": false, + "type": "integer", "between": [ -1, 2147483648 
@@ -117,19 +126,19 @@ { "enforcement_mode": { "required": false, + "type": "string", + "default": "block", "one_of": [ "block", "log_only" ], - "type": "string", - "default": "block", "description": "Enforcement mode of the security policy." } }, { "error_status_code": { - "type": "integer", "required": false, + "type": "integer", "between": [ 400, 499 @@ -140,24 +149,15 @@ }, { "error_message": { - "type": "string", "required": false, "default": "Bad Request", + "type": "string", "description": "The response message when validation fails" } } ], - "required": true - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.max_body_size", - "config.max_container_depth" - ] + "required": true, + "type": "record" } } ] diff --git a/schemas/jwe-decrypt/3.8.x.json b/schemas/jwe-decrypt/3.8.x.json index 4822044d..b408e686 100644 --- a/schemas/jwe-decrypt/3.8.x.json +++ b/schemas/jwe-decrypt/3.8.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,29 +15,30 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -44,43 +47,40 @@ { "lookup_header_name": { "required": true, + "default": "Authorization", "type": "string", - "description": "The name of the header to look for the JWE token.", - "default": "Authorization" + "description": "The name of the header to look for the JWE token." } }, { "forward_header_name": { "required": true, + "default": "Authorization", "type": "string", - "description": "The name of the header that is used to set the decrypted value.", - "default": "Authorization" + "description": "The name of the header that is used to set the decrypted value." } }, { "key_sets": { "required": true, + "type": "array", "elements": { "type": "string" }, - "type": "array", "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token." } }, { "strict": { + "default": true, "type": "boolean", - "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", - "default": true + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/jwt-signer/3.8.x.json b/schemas/jwt-signer/3.8.x.json index e6cc6eb6..7a375f7d 100644 --- a/schemas/jwt-signer/3.8.x.json +++ b/schemas/jwt-signer/3.8.x.json 
@@ -1,16 +1,27 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.access_token_upstream_header", + "config.channel_token_upstream_header", + "config.original_access_token_upstream_header", + "config.original_channel_token_upstream_header" + ] + } + } + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -21,25 +32,27 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "required": true, "fields": [ { "realm": { 
@@ -51,160 +64,159 @@ { "enable_hs_signatures": { "required": false, + "default": false, "type": "boolean", - "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting.", - "default": false + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting." } }, { "enable_instrumentation": { "required": false, + "default": false, "type": "boolean", - "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", - "default": false + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level." } }, { "access_token_issuer": { "required": false, + "default": "kong", "type": "string", - "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", - "default": "kong" + "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token." } }, { "access_token_keyset": { "required": false, + "default": "kong", "type": "string", - "description": "The name of the keyset containing signing keys.", - "default": "kong" + "description": "The name of the keyset containing signing keys." } }, { "access_token_keyset_client_username": { "required": false, - "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `access_token_keyset_client_password`", "referenceable": true, - "type": "string" + "type": "string", + "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`" } }, { "access_token_keyset_client_password": { - "encrypted": true, - "referenceable": true, "required": false, + "referenceable": true, "type": "string", + "encrypted": true, "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`" } }, { "access_token_keyset_client_certificate": { "required": false, + "reference": "certificates", "type": "foreign", - "description": "The client certificate that will be used to authenticate Kong if `access_token_keyset` is an https uri that requires mTLS Auth.", - "reference": "certificates" + "description": "The client certificate that will be used to authenticate Kong if `access_token_keyset` is an https uri that requires mTLS Auth." } }, { "access_token_keyset_rotate_period": { "required": false, + "default": 0, "type": "number", - "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. The default value 0 means no auto-rotation.", - "default": 0 + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. The default value 0 means no auto-rotation." } }, { "access_token_jwks_uri": { "required": false, - "type": "string", - "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token." 
+ "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", + "type": "string" } }, { "access_token_jwks_uri_client_username": { "required": false, - "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`", "referenceable": true, - "type": "string" + "type": "string", + "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`" } }, { "access_token_jwks_uri_client_password": { - "encrypted": true, - "referenceable": true, "required": false, + "referenceable": true, "type": "string", + "encrypted": true, "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`" } }, { "access_token_jwks_uri_client_certificate": { "required": false, + "reference": "certificates", "type": "foreign", - "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", - "reference": "certificates" + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth." } }, { "access_token_jwks_uri_rotate_period": { "required": false, + "default": 0, "type": "number", - "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. The default value 0 means no auto-rotation.", - "default": 0 + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. The default value 0 means no auto-rotation." 
} }, { "access_token_request_header": { "required": false, + "default": "Authorization", "type": "string", - "description": "This parameter tells the name of the header where to look for the access token.", - "default": "Authorization" + "description": "This parameter tells the name of the header where to look for the access token." } }, { "access_token_leeway": { "required": false, + "default": 0, "type": "number", - "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", - "default": 0 + "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`." } }, { "access_token_scopes_required": { "required": false, + "type": "array", "elements": { "type": "string" }, - "type": "array", "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`." } }, { "access_token_scopes_claim": { - "type": "array", "required": false, "elements": { "type": "string" }, - "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", + "type": "array", "default": [ "scope" - ] + ], + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`." 
} }, { "access_token_consumer_claim": { "required": false, + "type": "array", "elements": { "type": "string" }, - "type": "array", "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity." } }, { "access_token_consumer_by": { - "type": "array", "required": false, "elements": { "type": "string", 
@@ -214,34 +226,35 @@ "custom_id" ] }, - "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", + "type": "array", "default": [ "username", "custom_id" - ] + ], + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`." } }, { "access_token_upstream_header": { "required": false, + "default": "Authorization:Bearer", "type": "string", - "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", - "default": "Authorization:Bearer" + "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token." 
} }, { "access_token_upstream_leeway": { "required": false, + "default": 0, "type": "number", - "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", - "default": 0 + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim." } }, { "access_token_introspection_endpoint": { "required": false, - "type": "string", - "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter." + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", + "type": "string" } }, { 
@@ -261,57 +274,56 @@ { "access_token_introspection_hint": { "required": false, + "default": "access_token", "type": "string", - "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", - "default": "access_token" + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`." } }, { "access_token_introspection_jwt_claim": { "required": false, + "type": "array", "elements": { "type": "string" }, - "type": "array", "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`." } }, { "access_token_introspection_scopes_required": { "required": false, + "type": "array", "elements": { "type": "string" }, - "type": "array", "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`." } }, { "access_token_introspection_scopes_claim": { - "type": "array", "required": true, "elements": { "type": "string" }, - "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). 
If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", + "type": "array", "default": [ "scope" - ] + ], + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`." } }, { "access_token_introspection_consumer_claim": { "required": false, + "type": "array", "elements": { "type": "string" }, - "type": "array", "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity." } }, { "access_token_introspection_consumer_by": { - "type": "array", "required": false, "elements": { "type": "string", 
@@ -321,19 +333,20 @@ "custom_id" ] }, - "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.", + "type": "array", "default": [ "username", "custom_id" - ] + ], + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values." } }, { "access_token_introspection_leeway": { "required": false, + "default": 0, "type": "number", - "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", - "default": 0 + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`." } }, { 
@@ -345,10 +358,9 @@ }, { "access_token_signing_algorithm": { - "default": "RS256", "required": true, "type": "string", - "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", + "default": "RS256", "one_of": [ "HS256", "HS384", 
@@ -362,52 +374,53 @@ "PS384", "PS512", "EdDSA" - ] + ], + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm." } }, { "add_access_token_claims": { + "required": false, + "type": "map", "keys": { "type": "string" }, - "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", - "required": false, + "default": [ + + ], "values": { "type": "string" }, - "type": "map", - "default": [ - - ] + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value." } }, { "set_access_token_claims": { + "required": false, + "type": "map", "keys": { "type": "string" }, - "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", - "required": false, + "default": [ + + ], "values": { "type": "string" }, - "type": "map", - "default": [ - - ] + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value." } }, { "remove_access_token_claims": { - "type": "array", "required": false, "elements": { "type": "string" }, - "description": "remove claims. It should be an array, and each element is a claim key string.", + "type": "array", "default": [ - ] + ], + "description": "remove claims. It should be an array, and each element is a claim key string." } }, { 
@@ -420,162 +433,162 @@ { "access_token_optional": { "required": false, + "default": false, "type": "boolean", - "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect", - "default": false + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect" } }, { "verify_access_token_signature": { "required": false, + "default": true, "type": "boolean", - "description": "Quickly turn access token signature verification off and on as needed.", - "default": true + "description": "Quickly turn access token signature verification off and on as needed." } }, { "verify_access_token_expiry": { "required": false, + "default": true, "type": "boolean", - "description": "Quickly turn access token expiry verification off and on as needed.", - "default": true + "description": "Quickly turn access token expiry verification off and on as needed." 
} }, { "verify_access_token_scopes": { "required": false, + "default": true, "type": "boolean", - "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", - "default": true + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`." } }, { "verify_access_token_introspection_expiry": { "required": false, + "default": true, "type": "boolean", - "description": "Quickly turn access token introspection expiry verification off and on as needed.", - "default": true + "description": "Quickly turn access token introspection expiry verification off and on as needed." } }, { "verify_access_token_introspection_scopes": { "required": false, + "default": true, "type": "boolean", - "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", - "default": true + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`." } }, { "cache_access_token_introspection": { "required": false, + "default": true, "type": "boolean", - "description": "Whether to cache access token introspection results.", - "default": true + "description": "Whether to cache access token introspection results." } }, { "trust_access_token_introspection": { "required": false, + "default": true, "type": "boolean", - "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", - "default": true + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload." 
} }, { "enable_access_token_introspection": { "required": false, + "default": true, "type": "boolean", - "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", - "default": true + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection." } }, { "channel_token_issuer": { "required": false, + "default": "kong", "type": "string", - "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", - "default": "kong" + "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token." } }, { "channel_token_keyset": { "required": false, + "default": "kong", "type": "string", - "description": "The name of the keyset containing signing keys.", - "default": "kong" + "description": "The name of the keyset containing signing keys." } }, { "channel_token_keyset_client_username": { "required": false, - "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`", "referenceable": true, - "type": "string" + "type": "string", + "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_keyset_client_password`" } }, { "channel_token_keyset_client_password": { - "encrypted": true, - "referenceable": true, "required": false, + "referenceable": true, "type": "string", + "encrypted": true, "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_username`" } }, { "channel_token_keyset_client_certificate": { "required": false, + "reference": "certificates", "type": "foreign", - "description": "The client certificate that will be used to authenticate Kong if `channel_token_keyset` is an https uri that requires mTLS Auth.", - "reference": "certificates" + "description": "The client certificate that will be used to authenticate Kong if `channel_token_keyset` is an https uri that requires mTLS Auth." } }, { "channel_token_keyset_rotate_period": { "required": false, + "default": 0, "type": "number", - "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. The default value 0 means no auto-rotation.", - "default": 0 + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. The default value 0 means no auto-rotation." } }, { "channel_token_jwks_uri": { "required": false, - "type": "string", - "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`." + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. 
If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", + "type": "string" } }, { "channel_token_jwks_uri_client_username": { "required": false, - "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", "referenceable": true, - "type": "string" + "type": "string", + "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`" } }, { "channel_token_jwks_uri_client_password": { - "encrypted": true, - "referenceable": true, "required": false, + "referenceable": true, "type": "string", + "encrypted": true, "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`" } }, { "channel_token_jwks_uri_client_certificate": { "required": false, + "reference": "certificates", "type": "foreign", - "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", - "reference": "certificates" + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth." } }, { "channel_token_jwks_uri_rotate_period": { "required": false, + "default": 0, "type": "number", - "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. The default value 0 means no auto-rotation.", - "default": 0 + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. The default value 0 means no auto-rotation." } }, { 
@@ -588,47 +601,51 @@ { "channel_token_leeway": { "required": false, + "default": 0, "type": "number", - "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", - "default": 0 + "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`." } }, { "channel_token_scopes_required": { "required": false, + "type": "array", "elements": { "type": "string" }, - "type": "array", "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`." } }, { "channel_token_scopes_claim": { - "type": "array", "required": false, "elements": { "type": "string" }, - "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", + "type": "array", "default": [ "scope" - ] + ], + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims." } }, { "channel_token_consumer_claim": { "required": false, + "type": "array", "elements": { "type": "string" }, - "type": "array", "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`." 
} }, { "channel_token_consumer_by": { - "type": "array", + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", + "default": [ + "username", + "custom_id" + ], "elements": { "type": "string", "one_of": [ @@ -637,11 +654,7 @@ "custom_id" ] }, - "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", - "default": [ - "username", - "custom_id" - ] + "type": "array" } }, { 
@@ -654,94 +667,93 @@ { "channel_token_upstream_leeway": { "required": false, + "default": 0, "type": "number", - "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", - "default": 0 + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim." } }, { "channel_token_introspection_endpoint": { "required": false, - "type": "string", - "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead." + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", + "type": "string" } }, { "channel_token_introspection_authorization": { "required": false, + "type": "string", "elements": { "type": "string" }, - "type": "string", "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens." 
} }, { "channel_token_introspection_body_args": { "required": false, + "type": "string", "elements": { "type": "string" }, - "type": "string", "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`." } }, { "channel_token_introspection_hint": { "required": false, + "type": "string", "elements": { "type": "string" }, - "type": "string", "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection." } }, { "channel_token_introspection_jwt_claim": { "required": false, + "type": "array", "elements": { "type": "string" }, - "type": "array", "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong." } }, { "channel_token_introspection_scopes_required": { "required": false, + "type": "array", "elements": { "type": "string" }, - "type": "array", "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`." } }, { "channel_token_introspection_scopes_claim": { - "type": "array", "required": false, "elements": { "type": "string" }, - "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. 
This supports nested claims.", + "type": "array", "default": [ "scope" - ] + ], + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims." } }, { "channel_token_introspection_consumer_claim": { "required": false, + "type": "array", "elements": { "type": "string" }, - "type": "array", "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity" } }, { "channel_token_introspection_consumer_by": { - "type": "array", "required": false, "elements": { "type": "string", 
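Review bot: The description of `channel_token_introspection_authorization` repeats the introspection-endpoint text ("you need to specify the OAuth 2.0 introspection endpoint URI") and never says what the value itself is, so a reader cannot tell that it is presumably a credential presented to the introspection endpoint. Unlike the `*_client_password` fields earlier in this file, it carries neither `referenceable` nor `encrypted`, which is worth confirming against the plugin schema if the value is a secret. The field, like `channel_token_introspection_body_args` and `channel_token_introspection_hint` after it, is declared `"type": "string"` while still carrying an `elements` block. The commit message says these files are pulled from the API, so the correction probably belongs upstream; a description such as `"The Authorization header value sent to the introspection endpoint when introspecting an opaque channel token."` would fit, if that is what the field carries.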
@@ -751,19 +763,20 @@ "custom_id" ] }, - "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", + "type": "array", "default": [ "username", "custom_id" - ] + ], + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`." } }, { "channel_token_introspection_leeway": { "required": false, + "default": 0, "type": "number", - "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", - "default": 0 + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`." } }, { 
@@ -775,10 +788,9 @@ }, { "channel_token_signing_algorithm": { - "default": "RS256", "required": true, "type": "string", - "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", + "default": "RS256", "one_of": [ "HS256", "HS384", 
@@ -792,52 +804,53 @@ "PS384", "PS512", "EdDSA" - ] + ], + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token." } }, { "add_channel_token_claims": { + "required": false, + "type": "map", "keys": { "type": "string" }, - "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", - "required": false, + "default": [ + + ], "values": { "type": "string" }, - "type": "map", - "default": [ - - ] + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value." } }, { "set_channel_token_claims": { + "required": false, + "type": "map", "keys": { "type": "string" }, - "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", - "required": false, + "default": [ + + ], "values": { "type": "string" }, - "type": "map", - "default": [ - - ] + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value." } }, { "remove_channel_token_claims": { - "type": "array", "required": false, "elements": { "type": "string" }, - "description": "remove claims. It should be an array, and each element is a claim key string.", + "type": "array", "default": [ - ] + ], + "description": "remove claims. It should be an array, and each element is a claim key string." } }, { 
@@ -850,104 +863,104 @@ { "channel_token_optional": { "required": false, + "default": false, "type": "boolean", - "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", - "default": false + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect" } }, { "verify_channel_token_signature": { "required": false, + "default": true, "type": "boolean", - "description": "Quickly turn on/off the channel token signature verification.", - "default": true + "description": "Quickly turn on/off the channel token signature verification." } }, { "verify_channel_token_expiry": { "required": false, - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "verify_channel_token_scopes": { "required": false, + "default": true, "type": "boolean", - "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", - "default": true + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`." 
} }, { "verify_channel_token_introspection_expiry": { "required": false, + "default": true, "type": "boolean", - "description": "Quickly turn on/off the channel token introspection expiry verification.", - "default": true + "description": "Quickly turn on/off the channel token introspection expiry verification." } }, { "verify_channel_token_introspection_scopes": { "required": false, + "default": true, "type": "boolean", - "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", - "default": true + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`." } }, { "cache_channel_token_introspection": { "required": false, + "default": true, "type": "boolean", - "description": "Whether to cache channel token introspection results.", - "default": true + "description": "Whether to cache channel token introspection results." } }, { "trust_channel_token_introspection": { "required": false, + "default": true, "type": "boolean", - "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", - "default": true + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. 
Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked." } }, { "enable_channel_token_introspection": { "required": false, + "default": true, "type": "boolean", - "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", - "default": true + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`." } }, { "add_claims": { + "required": false, + "type": "map", "keys": { "type": "string" }, - "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", - "required": false, + "default": [ + + ], "values": { "type": "string" }, - "type": "map", - "default": [ - - ] + "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value." } }, { "set_claims": { + "required": false, + "type": "map", "keys": { "type": "string" }, - "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", - "required": false, + "default": [ + + ], "values": { "type": "string" }, - "type": "map", - "default": [ - - ] + "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value." } } ], 
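Review bot: `verify_channel_token_expiry` is the only verification toggle in this hunk left without a `description`, although the commit is about descriptions having been merged into the schemas; following its siblings it could read `"description": "Quickly turn on/off the channel token expiry verification."`. Separately, `trust_channel_token_introspection` defaults to `true`, and its own description says that with this value the payload's expiry or scopes aren't checked. That description would be easier to act on if it stated up front that `false` is the setting that (presumably) keeps those payload checks before a new token is signed. Both texts come from the upstream schema, so the fix likely belongs there.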
@@ -977,20 +990,7 @@ ] } ], - "type": "record", - "required": true - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.access_token_upstream_header", - "config.channel_token_upstream_header", - "config.original_access_token_upstream_header", - "config.original_channel_token_upstream_header" - ] + "type": "record" } } ] diff --git a/schemas/jwt/3.8.x.json b/schemas/jwt/3.8.x.json index a33e407e..7093c8fb 100644 --- a/schemas/jwt/3.8.x.json +++ b/schemas/jwt/3.8.x.json @@ -1,16 +1,29 @@ { + "entity_checks": [ + { + "conditional": { + "then_field": "config.claims_to_verify", + "if_match": { + "gt": 0 + }, + "then_match": { + "contains": "exp" + }, + "if_field": "config.maximum_expiration" + } + } + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -21,21 +34,22 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -43,45 +57,46 @@ "fields": [ { "uri_param_names": { - "type": "set", - "elements": { - "type": "string" - }, "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", "default": [ "jwt" - ] + ], + "elements": { + "type": "string" + }, + "type": "set" } }, { "cookie_names": { - "type": "set", - "elements": { - "type": "string" - }, "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", "default": [ - ] + ], + "elements": { + "type": "string" + }, + "type": "set" } }, { "key_claim_name": { + "default": "iss", "type": "string", - "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", - "default": "iss" + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order." } }, { "secret_is_base64": { "required": true, + "default": false, "type": "boolean", - "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", - "default": false + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret." } }, { "claims_to_verify": { + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", "elements": { "type": "string", "one_of": [ @@ -89,8 +104,7 @@ "nbf" ] }, - "type": "set", - "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf." + "type": "set" } }, { 
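Review bot: The `uri_param_names` description gives no hint of what its default of `jwt` implies: a token accepted from the query string is part of the URL and can be recorded in access logs, intermediary proxies and Referer headers. A short caveat appended to the description would help, for example `Tokens sent in the query string may be recorded in logs; prefer header_names where possible.` The sibling `cookie_names` field shows an empty default, so an empty set is presumably accepted here as well for deployments that do not want URL tokens, but that should be confirmed against the plugin. The text is pulled from the upstream schema, so it would be changed there.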
@@ -102,51 +116,44 @@ { "run_on_preflight": { "required": true, + "default": true, "type": "boolean", - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", - "default": true + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed." } }, { "maximum_expiration": { - "default": 0, - "type": "number", - "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", "between": [ 0, 31536000 - ] + ], + "default": 0, + "type": "number", + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future." } }, { "header_names": { - "type": "set", - "elements": { - "type": "string" - }, "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", "default": [ "authorization" - ] + ], + "elements": { + "type": "string" + }, + "type": "set" + } + }, + { + "realm": { + "required": false, + "type": "string", + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value." } } ], - "type": "record", - "required": true - } - } - ], - "entity_checks": [ - { - "conditional": { - "if_field": "config.maximum_expiration", - "if_match": { - "gt": 0 - }, - "then_field": "config.claims_to_verify", - "then_match": { - "contains": "exp" - } + "required": true, + "type": "record" } } ] diff --git a/schemas/kafka-log/3.8.x.json b/schemas/kafka-log/3.8.x.json index fe4b936f..e6b4d0d1 100644 --- a/schemas/kafka-log/3.8.x.json +++ b/schemas/kafka-log/3.8.x.json 
@@ -1,8 +1,19 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], "elements": { "type": "string", "one_of": [ @@ -14,23 +25,15 @@ "wss" ] }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -38,8 +41,8 @@ "fields": [ { "bootstrap_servers": { + "type": "set", "elements": { - "type": "record", "fields": [ { "host": { @@ -52,43 +55,43 @@ "port": { "required": true, "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer" } } - ] + ], + "type": "record" }, - "type": "set", "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." } }, { "topic": { "required": true, - "type": "string", - "description": "The Kafka topic to publish to." + "description": "The Kafka topic to publish to.", + "type": "string" } }, { "timeout": { - "type": "integer", + "default": 10000, "description": "Socket timeout in milliseconds.", - "default": 10000 + "type": "integer" } }, { "keepalive": { - "type": "integer", - "default": 60000 + "default": 60000, + "type": "integer" } }, { "keepalive_enabled": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { 
@@ -97,53 +100,53 @@ { "strategy": { "required": false, - "type": "string", - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "one_of": [ "sasl" - ] + ], + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "type": "string" } }, { "mechanism": { "required": false, - "type": "string", - "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" - ] + ], + "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", + "type": "string" } }, { "tokenauth": { "required": false, - "type": "boolean", - "description": "Enable this to indicate `DelegationToken` authentication" + "description": "Enable this to indicate `DelegationToken` authentication", + "type": "boolean" } }, { "user": { - "encrypted": true, - "referenceable": true, "required": false, - "description": "Username for SASL authentication.", - "type": "string" + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "Username for SASL authentication." } }, { "password": { - "encrypted": true, - "referenceable": true, "required": false, - "description": "Password for SASL authentication.", - "type": "string" + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "Password for SASL authentication." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
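Review bot: The `mechanism` description lists only `PLAIN` or `SCRAM-SHA-256`, while the `one_of` list in the same field also accepts `SCRAM-SHA-512`, so the documented options understate what the schema allows. The kafka-upstream schema later in this patch already has the matching wording, and the same sentence could be used here: `"The SASL authentication mechanism. Supported options: PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512."` Because `PLAIN` sends the password itself rather than a challenge response, the description could also point readers to the `ssl` option defined in the record that follows. The text comes from the upstream schema, so the correction likely belongs there.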
@@ -152,97 +155,97 @@ { "certificate_id": { "required": false, - "type": "string", + "uuid": true, "description": "UUID of certificate entity for mTLS authentication.", - "uuid": true + "type": "string" } }, { "ssl": { "required": false, - "type": "boolean", - "description": "Enables TLS." + "description": "Enables TLS.", + "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "cluster_name": { "required": false, - "auto": true, "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "auto": true, "type": "string" } }, { "producer_request_acks": { - "default": 1, - "type": "integer", "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "default": 1, "one_of": [ -1, 0, 1 - ] + ], + "type": "integer" } }, { "producer_request_timeout": { - "type": "integer", + "default": 2000, "description": "Time to wait for a Produce response in milliseconds", - "default": 2000 + "type": "integer" } }, { "producer_request_limits_messages_per_request": { - "type": "integer", + "default": 200, "description": "Maximum number of messages to include into a single Produce request.", - "default": 200 + "type": "integer" } }, { "producer_request_limits_bytes_per_request": { - "type": "integer", + "default": 1048576, "description": "Maximum size of a Produce request in bytes.", - "default": 1048576 + "type": "integer" } }, { "producer_request_retries_max_attempts": { - "type": "integer", + "default": 10, "description": "Maximum number of retry attempts per single Produce request.", - "default": 10 + "type": "integer" } }, { "producer_request_retries_backoff_timeout": { - "type": "integer", + "default": 100, "description": "Backoff interval between retry attempts in milliseconds.", - "default": 100 + "type": "integer" } }, { "producer_async": { - "type": "boolean", + "default": true, "description": "Flag to enable asynchronous mode.", - "default": true + "type": "boolean" } }, { "producer_async_flush_timeout": { - "type": "integer", + "default": 1000, "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", - "default": 1000 + "type": "integer" } }, { "producer_async_buffering_limits_messages_in_memory": { - "type": "integer", + "default": 50000, "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", - "default": 50000 + "type": "integer" } }, { 
@@ -251,15 +254,16 @@ "type": "string", "len_min": 1 }, - "type": "map", "description": "Lua code as a key-value map", "values": { - "type": "string", - "len_min": 1 - } + "len_min": 1, + "type": "string" + }, + "type": "map" } } ], + "required": true, "entity_checks": [ { "custom_entity_check": { @@ -269,12 +273,8 @@ } } ], - "type": "record", - "required": true + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/kafka-upstream/3.8.x.json b/schemas/kafka-upstream/3.8.x.json index 5cec5052..135fc96f 100644 --- a/schemas/kafka-upstream/3.8.x.json +++ b/schemas/kafka-upstream/3.8.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,21 +15,22 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -35,8 +38,8 @@ "fields": [ { "bootstrap_servers": { + "type": "set", "elements": { - "type": "record", "fields": [ { "host": { 
@@ -49,38 +52,38 @@ "port": { "required": true, "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer" } } - ] + ], + "type": "record" }, - "type": "set", "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." } }, { "topic": { "required": true, - "type": "string", - "description": "The Kafka topic to publish to." + "description": "The Kafka topic to publish to.", + "type": "string" } }, { "timeout": { - "type": "integer", + "default": 10000, "description": "Socket timeout in milliseconds.", - "default": 10000 + "type": "integer" } }, { "keepalive": { - "type": "integer", + "default": 60000, "description": "Keepalive timeout in milliseconds.", - "default": 60000 + "type": "integer" } }, { 
@@ -95,53 +98,53 @@ { "strategy": { "required": false, - "type": "string", - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "one_of": [ "sasl" - ] + ], + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "type": "string" } }, { "mechanism": { "required": false, - "type": "string", - "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" - ] + ], + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", + "type": "string" } }, { "tokenauth": { "required": false, - "type": "boolean", - "description": "Enable this to indicate `DelegationToken` authentication." + "description": "Enable this to indicate `DelegationToken` authentication.", + "type": "boolean" } }, { "user": { - "encrypted": true, - "referenceable": true, "required": false, + "referenceable": true, "type": "string", + "encrypted": true, "description": "Username for SASL authentication." } }, { "password": { - "encrypted": true, - "referenceable": true, "required": false, + "referenceable": true, "type": "string", + "encrypted": true, "description": "Password for SASL authentication." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
@@ -150,128 +153,129 @@ { "certificate_id": { "required": false, - "description": "UUID of certificate entity for mTLS authentication.", "uuid": true, + "description": "UUID of certificate entity for mTLS authentication.", "type": "string" } }, { "ssl": { "required": false, - "type": "boolean", - "description": "Enables TLS." + "description": "Enables TLS.", + "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "forward_method": { - "type": "boolean", + "default": false, "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "default": false + "type": "boolean" } }, { "forward_uri": { - "type": "boolean", + "default": false, "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "default": false + "type": "boolean" } }, { "forward_headers": { - "type": "boolean", + "default": false, "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "default": false + "type": "boolean" } }, { "forward_body": { - "type": "boolean", + "default": true, "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "default": true + "type": "boolean" } }, { "cluster_name": { "required": false, "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. 
Logs will be sent to the leader of the cluster.", - "type": "string", - "auto": true + "auto": true, + "type": "string" } }, { "producer_request_acks": { - "default": 1, - "type": "integer", "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "default": 1, "one_of": [ -1, 0, 1 - ] + ], + "type": "integer" } }, { "producer_request_timeout": { - "type": "integer", + "default": 2000, "description": "Time to wait for a Produce response in milliseconds.", - "default": 2000 + "type": "integer" } }, { "producer_request_limits_messages_per_request": { - "type": "integer", + "default": 200, "description": "Maximum number of messages to include into a single producer request.", - "default": 200 + "type": "integer" } }, { "producer_request_limits_bytes_per_request": { - "type": "integer", + "default": 1048576, "description": "Maximum size of a Produce request in bytes.", - "default": 1048576 + "type": "integer" } }, { "producer_request_retries_max_attempts": { - "type": "integer", + "default": 10, "description": "Maximum number of retry attempts per single Produce request.", - "default": 10 + "type": "integer" } }, { "producer_request_retries_backoff_timeout": { - "type": "integer", + "default": 100, "description": "Backoff interval between retry attempts in milliseconds.", - "default": 100 + "type": "integer" } }, { "producer_async": { - "type": "boolean", + "default": true, "description": "Flag to enable asynchronous mode.", - "default": true + "type": "boolean" } }, { "producer_async_flush_timeout": { - "type": "integer", + "default": 1000, "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", - "default": 1000 + "type": "integer" } }, { "producer_async_buffering_limits_messages_in_memory": { - "type": "integer", + "default": 
50000, "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", - "default": 50000 + "type": "integer" } } ], + "required": true, "entity_checks": [ { "custom_entity_check": { @@ -291,12 +295,8 @@ } } ], - "type": "record", - "required": true + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/key-auth-enc/3.8.x.json b/schemas/key-auth-enc/3.8.x.json index ea7ddea3..dda5896c 100644 --- a/schemas/key-auth-enc/3.8.x.json +++ b/schemas/key-auth-enc/3.8.x.json @@ -1,16 +1,27 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], "elements": { "type": "string", "one_of": [ @@ -22,23 +33,15 @@ "wss" ] }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -46,7 +49,6 @@ "fields": [ { "key_names": { - "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "required": true, "elements": { "type": "string", 
@@ -55,57 +57,62 @@ "type": "array", "default": [ "apikey" - ] + ], + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." } }, { "hide_credentials": { - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", + "default": false, "type": "boolean", - "default": false + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it." } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." 
} }, { "key_in_header": { - "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "default": true, "type": "boolean", - "default": true + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it." } }, { "key_in_query": { - "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "default": true, "type": "boolean", - "default": true + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it." } }, { "key_in_body": { - "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "default": false, "type": "boolean", - "default": false + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." } }, { "run_on_preflight": { - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "default": true, "type": "boolean", - "default": true + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed." + } + }, + { + "realm": { + "required": false, + "type": "string", + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value." 
} } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/key-auth/3.8.x.json b/schemas/key-auth/3.8.x.json index 77952bad..709fec51 100644 --- a/schemas/key-auth/3.8.x.json +++ b/schemas/key-auth/3.8.x.json @@ -1,16 +1,27 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], "elements": { "type": "string", "one_of": [ @@ -22,23 +33,15 @@ "wss" ] }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -46,7 +49,6 @@ "fields": [ { "key_names": { - "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "required": true, "elements": { "type": "string", 
@@ -55,15 +57,16 @@ "type": "array", "default": [ "apikey" - ] + ], + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." } }, { "hide_credentials": { "required": true, + "default": false, "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", - "type": "boolean", - "default": false + "type": "boolean" } }, { @@ -75,33 +78,33 @@ { "key_in_header": { "required": true, + "default": true, "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", - "type": "boolean", - "default": true + "type": "boolean" } }, { "key_in_query": { "required": true, + "default": true, "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", - "type": "boolean", - "default": true + "type": "boolean" } }, { "key_in_body": { "required": true, + "default": false, "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "run_on_preflight": { "required": true, + "default": true, "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", - "type": "boolean", - "default": true + "type": "boolean" } }, { @@ -112,12 +115,9 @@ } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/konnect-application-auth/3.8.x.json b/schemas/konnect-application-auth/3.8.x.json index 64fa1dc3..10c57bca 100644 
--- a/schemas/konnect-application-auth/3.8.x.json +++ b/schemas/konnect-application-auth/3.8.x.json @@ -1,16 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -21,21 +23,22 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -43,7 +46,6 @@ "fields": [ { "key_names": { - "description": "The names of the headers containing the API key. You can specify multiple header names.", "required": true, "elements": { "type": "string", 
@@ -52,39 +54,41 @@ "type": "array", "default": [ "apikey" - ] + ], + "description": "The names of the headers containing the API key. You can specify multiple header names." } }, { "auth_type": { - "default": "openid-connect", "required": true, - "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", "type": "string", + "default": "openid-connect", "one_of": [ "openid-connect", "key-auth", "v2-strategies" - ] + ], + "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'." } }, { "scope": { "required": true, "type": "string", - "description": "The unique scope identifier for the plugin configuration.", - "unique": true + "unique": true, + "description": "The unique scope identifier for the plugin configuration." } }, { "v2_strategies": { + "required": false, "type": "record", "fields": [ { "key_auth": { "required": false, + "type": "array", "elements": { - "type": "record", "fields": [ { "strategy_id": { @@ -96,11 +100,9 @@ { "config": { "required": true, - "type": "record", "fields": [ { "key_names": { - "description": "The names of the headers containing the API key. You can specify multiple header names.", "required": true, "elements": { "type": "string", @@ -109,23 +111,25 @@ "type": "array", "default": [ "apikey" - ] + ], + "description": "The names of the headers containing the API key. You can specify multiple header names." } } - ] + ], + "type": "record" } } - ] + ], + "type": "record" }, - "type": "array", "description": "List of key_auth strategies." } }, { "openid_connect": { "required": false, + "type": "array", "elements": { - "type": "record", "fields": [ { "strategy_id": { 
@@ -140,60 +144,59 @@ { "issuer": { "required": true, - "type": "string", - "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`." + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "type": "string" } }, { "using_pseudo_issuer": { "required": false, - "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "default": false, "type": "boolean", - "default": false + "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`." } }, { "discovery_headers_names": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra header names passed to the discovery endpoint.", - "type": "array" + "description": "Extra header names passed to the discovery endpoint." } }, { "discovery_headers_values": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra header values passed to the discovery endpoint.", - "type": "array" + "description": "Extra header values passed to the discovery endpoint." } }, { "extra_jwks_uris": { "required": false, + "type": "set", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", - "type": "set" + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery)." 
} }, { "rediscovery_lifetime": { "required": false, - "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", + "default": 30, "type": "number", - "default": 30 + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis." } }, { "auth_methods": { - "type": "array", "required": false, "elements": { "type": "string", @@ -209,7 +212,7 @@ "session" ] }, - "description": "Types of credentials/grants to enable.", + "type": "array", "default": [ "password", "client_credentials", @@ -220,36 +223,38 @@ "kong_oauth2", "refresh_token", "session" - ] + ], + "description": "Types of credentials/grants to enable." } }, { "client_id": { - "encrypted": true, "required": false, "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", - "type": "array" + "type": "array", + "encrypted": true, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." } }, { "client_secret": { - "encrypted": true, "required": false, "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "description": "The client secret.", - "type": "array" + "type": "array", + "encrypted": true, + "description": "The client secret." } }, { "client_auth": { "required": false, + "type": "array", "elements": { "type": "string", "one_of": [ 
@@ -262,204 +267,204 @@ "none" ] }, - "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", - "type": "array" + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication)." } }, { "client_jwk": { "required": false, + "type": "array", "elements": { "required": false, - "type": "record", "fields": [ { "issuer": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "kty": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "use": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "key_ops": { "required": false, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "type": "array" } }, { "alg": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "kid": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5u": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5c": { "required": false, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "type": "array" } }, { "x5t": { - "type": "string", - "required": false + "required": false, + "type": "string" 
} }, { "x5t#S256": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "k": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { "x": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "y": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "crv": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "n": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "e": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "d": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { "p": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { "q": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { "dp": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { "dq": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { "qi": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { "oth": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { "r": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { "t": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } } - ] + ], + 
"type": "record" }, - "description": "The JWK used for the private_key_jwt authentication.", - "type": "array" + "description": "The JWK used for the private_key_jwt authentication." } }, { "client_alg": { "required": false, + "type": "array", "elements": { "type": "string", "one_of": [ 
@@ -478,124 +483,122 @@ "EdDSA" ] }, - "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", - "type": "array" + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication." } }, { "client_arg": { "required": false, - "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "default": "client_id", "type": "string", - "default": "client_id" + "description": "The client to use for this request (the selection is made with a request parameter with the same name)." } }, { "redirect_uri": { "required": false, + "type": "array", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "description": "The redirect URI passed to the authorization and token endpoints.", - "type": "array" + "description": "The redirect URI passed to the authorization and token endpoints." } }, { "login_redirect_uri": { "required": false, + "type": "array", "elements": { - "type": "string", + "referenceable": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "referenceable": true + "type": "string" }, - "description": "Where to redirect the client when `login_action` is set to `redirect`.", - "type": "array" + "description": "Where to redirect the client when `login_action` is set to `redirect`." } }, { "logout_redirect_uri": { "required": false, + "type": "array", "elements": { - "type": "string", + "referenceable": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "referenceable": true + "type": "string" }, - "description": "Where to redirect the client after the logout.", - "type": "array" + "description": "Where to redirect the client after the logout." 
} }, { "forbidden_redirect_uri": { "required": false, + "type": "array", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "description": "Where to redirect the client on forbidden requests.", - "type": "array" + "description": "Where to redirect the client on forbidden requests." } }, { "forbidden_error_message": { "required": false, - "description": "The error message for the forbidden requests (when not using the redirection).", + "default": "Forbidden", "type": "string", - "default": "Forbidden" + "description": "The error message for the forbidden requests (when not using the redirection)." } }, { "forbidden_destroy_session": { "required": false, - "description": "Destroy any active session for the forbidden requests.", + "default": true, "type": "boolean", - "default": true + "description": "Destroy any active session for the forbidden requests." } }, { "unauthorized_destroy_session": { "required": false, - "description": "Destroy any active session for the unauthorized requests.", + "default": true, "type": "boolean", - "default": true + "description": "Destroy any active session for the unauthorized requests." } }, { "unauthorized_redirect_uri": { "required": false, + "type": "array", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "description": "Where to redirect the client on unauthorized requests.", - "type": "array" + "description": "Where to redirect the client on unauthorized requests." } }, { "unauthorized_error_message": { "required": false, - "description": "The error message for the unauthorized requests (when not using the redirection).", + "default": "Unauthorized", "type": "string", - "default": "Unauthorized" + "description": "The error message for the unauthorized requests (when not using the redirection)." 
} }, { "unexpected_redirect_uri": { "required": false, + "type": "array", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "description": "Where to redirect the client when unexpected errors happen with the requests.", - "type": "array" + "description": "Where to redirect the client when unexpected errors happen with the requests." } }, { "response_mode": { - "default": "query", "required": false, - "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", "type": "string", + "default": "query", "one_of": [ "query", "form_post", 
@@ -604,187 +607,186 @@ "form_post.jwt", "fragment.jwt", "jwt" - ] + ], + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type." } }, { "response_type": { - "type": "array", "required": false, "elements": { "type": "string" }, - "description": "The response type passed to the authorization endpoint.", + "type": "array", "default": [ "code" - ] + ], + "description": "The response type passed to the authorization endpoint." } }, { "scopes": { - "type": "array", "required": false, "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "description": "The scopes passed to the authorization and token endpoints.", + "type": "array", "default": [ "openid" - ] + ], + "description": "The scopes passed to the authorization and token endpoints." } }, { "audience": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The audience passed to the authorization endpoint.", - "type": "array" + "description": "The audience passed to the authorization endpoint." } }, { "issuers_allowed": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The issuers allowed to be present in the tokens (`iss` claim).", - "type": "array" + "description": "The issuers allowed to be present in the tokens (`iss` claim)." 
} }, { "scopes_required": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "type": "array" + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." } }, { "scopes_claim": { - "type": "array", "required": false, "elements": { "type": "string" }, - "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", "default": [ "scope" - ] + ], + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload." } }, { "audience_required": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "type": "array" + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." } }, { "audience_claim": { - "type": "array", "required": false, "elements": { "type": "string" }, - "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", "default": [ "aud" - ] + ], + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload." 
} }, { "groups_required": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "type": "array" + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." } }, { "groups_claim": { - "type": "array", "required": false, "elements": { "type": "string" }, - "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", "default": [ "groups" - ] + ], + "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload." } }, { "roles_required": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "type": "array" + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." } }, { "roles_claim": { - "type": "array", "required": false, "elements": { "type": "string" }, - "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", "default": [ "roles" - ] + ], + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload." 
} }, { "domains": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The allowed values for the `hd` claim.", - "type": "array" + "description": "The allowed values for the `hd` claim." } }, { "max_age": { "required": false, - "description": "The maximum age (in seconds) compared to the `auth_time` claim.", - "type": "number" + "type": "number", + "description": "The maximum age (in seconds) compared to the `auth_time` claim." } }, { "authenticated_groups_claim": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "type": "array" + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload." } }, { "pushed_authorization_request_endpoint": { "required": false, - "type": "string", - "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint." + "description": "The pushed authorization endpoint. 
If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "type": "string" } }, { "pushed_authorization_request_endpoint_auth_method": { "required": false, - "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", - "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -793,154 +795,154 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ] + ], + "type": "string", + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" } }, { "require_pushed_authorization_requests": { "required": false, - "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", - "type": "boolean" + "type": "boolean", + "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`)." } }, { "require_proof_key_for_code_exchange": { "required": false, - "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", - "type": "boolean" + "type": "boolean", + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled)." } }, { "require_signed_request_object": { "required": false, - "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. 
When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", - "type": "boolean" + "type": "boolean", + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled)." } }, { "authorization_endpoint": { "required": false, - "type": "string", - "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint." + "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "type": "string" } }, { "authorization_query_args_names": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra query argument names passed to the authorization endpoint.", - "type": "array" + "description": "Extra query argument names passed to the authorization endpoint." } }, { "authorization_query_args_values": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra query argument values passed to the authorization endpoint.", - "type": "array" + "description": "Extra query argument values passed to the authorization endpoint." } }, { "authorization_query_args_client": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra query arguments passed from the client to the authorization endpoint.", - "type": "array" + "description": "Extra query arguments passed from the client to the authorization endpoint." 
} }, { "authorization_rolling_timeout": { "required": false, - "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "default": 600, "type": "number", - "default": 600 + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." } }, { "authorization_cookie_name": { "required": false, - "description": "The authorization cookie name.", + "default": "authorization", "type": "string", - "default": "authorization" + "description": "The authorization cookie name." } }, { "authorization_cookie_path": { + "required": false, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "description": "The authorization cookie Path flag.", - "required": false, "type": "string", "starts_with": "/", - "default": "/" + "default": "/", + "description": "The authorization cookie Path flag." } }, { "authorization_cookie_domain": { "required": false, - "description": "The authorization cookie Domain flag.", - "type": "string" + "type": "string", + "description": "The authorization cookie Domain flag." } }, { "authorization_cookie_same_site": { - "default": "Default", "required": false, - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "type": "string", + "default": "Default", "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." 
} }, { "authorization_cookie_http_only": { "required": false, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true, "type": "boolean", - "default": true + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." } }, { "authorization_cookie_secure": { "required": false, - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "type": "boolean" + "type": "boolean", + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." } }, { "preserve_query_args": { "required": false, - "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "default": false, "type": "boolean", - "default": false + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow." } }, { "token_endpoint": { "required": false, - "type": "string", - "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint." + "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "type": "string" } }, { "token_endpoint_auth_method": { "required": false, - "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", - "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -949,59 +951,62 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ] + ], + "type": "string", + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" } }, { "token_headers_names": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra header names passed to the token endpoint.", - "type": "array" + "description": "Extra header names passed to the token endpoint." } }, { "token_headers_values": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra header values passed to the token endpoint.", - "type": "array" + "description": "Extra header values passed to the token endpoint." } }, { "token_headers_client": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra headers passed from the client to the token endpoint.", - "type": "array" + "description": "Extra headers passed from the client to the token endpoint." } }, { "token_headers_replay": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The names of token endpoint response headers to forward to the downstream client.", - "type": "array" + "description": "The names of token endpoint response headers to forward to the downstream client." } }, { "token_headers_prefix": { "required": false, - "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", - "type": "string" + "type": "string", + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client." } }, { "token_headers_grants": { "required": false, + "type": "array", "elements": { "type": "string", "one_of": [ 
@@ -1011,52 +1016,49 @@ "refresh_token" ] }, - "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", - "type": "array" + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant." } }, { "token_post_args_names": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra post argument names passed to the token endpoint.", - "type": "array" + "description": "Extra post argument names passed to the token endpoint." } }, { "token_post_args_values": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra post argument values passed to the token endpoint.", - "type": "array" + "description": "Extra post argument values passed to the token endpoint." } }, { "token_post_args_client": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", - "type": "array" + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. 
If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint." } }, { "introspection_endpoint": { "required": false, - "type": "string", - "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint." + "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", + "type": "string" } }, { "introspection_endpoint_auth_method": { "required": false, - "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", - "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -1065,120 +1067,120 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ] + ], + "type": "string", + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" } }, { "introspection_hint": { "required": false, - "description": "Introspection hint parameter value passed to the introspection endpoint.", + "default": "access_token", "type": "string", - "default": "access_token" + "description": "Introspection hint parameter value passed to the introspection endpoint." } }, { "introspection_check_active": { "required": false, - "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "default": true, "type": "boolean", - "default": true + "description": "Check that the introspection response has an `active` claim with a value of `true`." } }, { "introspection_accept": { - "default": "application/json", "required": false, - "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", "type": "string", + "default": "application/json", "one_of": [ "application/json", "application/token-introspection+jwt", "application/jwt" - ] + ], + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)." 
} }, { "introspection_headers_names": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra header names passed to the introspection endpoint.", - "type": "array" + "description": "Extra header names passed to the introspection endpoint." } }, { "introspection_headers_values": { - "encrypted": true, "required": false, "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "description": "Extra header values passed to the introspection endpoint.", - "type": "array" + "type": "array", + "encrypted": true, + "description": "Extra header values passed to the introspection endpoint." } }, { "introspection_headers_client": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra headers passed from the client to the introspection endpoint.", - "type": "array" + "description": "Extra headers passed from the client to the introspection endpoint." } }, { "introspection_post_args_names": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra post argument names passed to the introspection endpoint.", - "type": "array" + "description": "Extra post argument names passed to the introspection endpoint." } }, { "introspection_post_args_values": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra post argument values passed to the introspection endpoint.", - "type": "array" + "description": "Extra post argument values passed to the introspection endpoint." } }, { "introspection_post_args_client": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra post arguments passed from the client to the introspection endpoint.", - "type": "array" + "description": "Extra post arguments passed from the client to the introspection endpoint." 
} }, { "introspect_jwt_tokens": { "required": false, - "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "default": false, "type": "boolean", - "default": false + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations)." } }, { "revocation_endpoint": { "required": false, - "type": "string", - "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint." + "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", + "type": "string" } }, { "revocation_endpoint_auth_method": { "required": false, - "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", - "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -1187,237 +1189,240 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ] + ], + "type": "string", + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" } }, { "end_session_endpoint": { "required": false, - "type": "string", - "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint." + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", + "type": "string" } }, { "userinfo_endpoint": { "required": false, - "type": "string", - "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint." + "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", + "type": "string" } }, { "userinfo_accept": { - "default": "application/json", "required": false, - "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", "type": "string", + "default": "application/json", "one_of": [ "application/json", "application/jwt" - ] + ], + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)." } }, { "userinfo_headers_names": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra header names passed to the user info endpoint.", - "type": "array" + "description": "Extra header names passed to the user info endpoint." 
} }, { "userinfo_headers_values": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra header values passed to the user info endpoint.", - "type": "array" + "description": "Extra header values passed to the user info endpoint." } }, { "userinfo_headers_client": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra headers passed from the client to the user info endpoint.", - "type": "array" + "description": "Extra headers passed from the client to the user info endpoint." } }, { "userinfo_query_args_names": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra query argument names passed to the user info endpoint.", - "type": "array" + "description": "Extra query argument names passed to the user info endpoint." } }, { "userinfo_query_args_values": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra query argument values passed to the user info endpoint.", - "type": "array" + "description": "Extra query argument values passed to the user info endpoint." } }, { "userinfo_query_args_client": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra query arguments passed from the client to the user info endpoint.", - "type": "array" + "description": "Extra query arguments passed from the client to the user info endpoint." } }, { "token_exchange_endpoint": { "required": false, - "type": "string", - "description": "The token exchange endpoint." + "description": "The token exchange endpoint.", + "type": "string" } }, { "session_secret": { - "encrypted": true, - "referenceable": true, "required": false, - "description": "The session secret.", - "type": "string" + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "The session secret." 
} }, { "session_audience": { "required": false, - "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "default": "default", "type": "string", - "default": "default" + "description": "The session audience, which is the intended target application. For example `\"my-application\"`." } }, { "session_cookie_name": { "required": false, - "description": "The session cookie name.", + "default": "session", "type": "string", - "default": "session" + "description": "The session cookie name." } }, { "session_remember": { "required": false, - "description": "Enables or disables persistent sessions.", + "default": false, "type": "boolean", - "default": false + "description": "Enables or disables persistent sessions." } }, { "session_remember_cookie_name": { "required": false, - "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "default": "remember", "type": "string", - "default": "remember" + "description": "Persistent session cookie name. Use with the `remember` configuration parameter." } }, { "session_remember_rolling_timeout": { "required": false, - "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "default": 604800, "type": "number", - "default": 604800 + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling." } }, { "session_remember_absolute_timeout": { "required": false, - "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "default": 2592000, "type": "number", - "default": 2592000 + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks." 
} }, { "session_idling_timeout": { "required": false, - "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "default": 900, "type": "number", - "default": 900 + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching." } }, { "session_rolling_timeout": { "required": false, - "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "default": 3600, "type": "number", - "default": 3600 + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." } }, { "session_absolute_timeout": { "required": false, - "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "default": 86400, "type": "number", - "default": 86400 + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks." } }, { "session_cookie_path": { + "required": false, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "description": "The session cookie Path flag.", - "required": false, "type": "string", "starts_with": "/", - "default": "/" + "default": "/", + "description": "The session cookie Path flag." } }, { "session_cookie_domain": { "required": false, - "description": "The session cookie Domain flag.", - "type": "string" + "type": "string", + "description": "The session cookie Domain flag." 
} }, { "session_cookie_same_site": { - "default": "Lax", "required": false, - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "type": "string", + "default": "Lax", "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." } }, { "session_cookie_http_only": { "required": false, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true, "type": "boolean", - "default": true + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." } }, { "session_cookie_secure": { "required": false, - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "type": "boolean" + "type": "boolean", + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." } }, { "session_request_headers": { "required": false, + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", "elements": { "type": "string", "one_of": [ 
@@ -1430,13 +1435,13 @@ "absolute-timeout" ] }, - "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", "type": "set" } }, { "session_response_headers": { "required": false, + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", "elements": { "type": "string", "one_of": [ 
@@ -1449,249 +1454,500 @@ "absolute-timeout" ] }, - "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", "type": "set" } }, { "session_storage": { - "default": "cookie", "required": false, - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", "type": "string", + "default": "cookie", "one_of": [ "cookie", "memcache", "memcached", "redis" - ] + ], + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis." } }, { "session_store_metadata": { "required": false, - "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "default": false, "type": "boolean", - "default": false + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject." } }, { "session_enforce_same_subject": { "required": false, - "description": "When set to `true`, audiences are forced to share the same subject.", + "default": false, "type": "boolean", - "default": false + "description": "When set to `true`, audiences are forced to share the same subject." 
} }, { "session_hash_subject": { "required": false, - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "default": false, "type": "boolean", - "default": false + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." } }, { "session_hash_storage_key": { "required": false, - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "default": false, "type": "boolean", - "default": false + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." } }, { "session_memcached_prefix": { "required": false, - "description": "The memcached session key prefix.", - "type": "string" + "type": "string", + "description": "The memcached session key prefix." } }, { "session_memcached_socket": { "required": false, - "description": "The memcached unix socket path.", - "type": "string" + "type": "string", + "description": "The memcached unix socket path." } }, { "session_memcached_host": { "required": false, - "description": "The memcached host.", + "default": "127.0.0.1", "type": "string", - "default": "127.0.0.1" + "description": "The memcached host." 
} }, { "session_memcached_port": { - "default": 11211, - "required": false, - "description": "The memcached port.", - "type": "integer", - "between": [ - 0, - 65535 - ] - } - }, - { - "session_redis_prefix": { - "required": false, - "description": "The Redis session key prefix.", - "type": "string" - } - }, - { - "session_redis_socket": { - "required": false, - "description": "The Redis unix socket path.", - "type": "string" - } - }, - { - "session_redis_host": { - "required": false, - "description": "The Redis host.", - "type": "string", - "default": "127.0.0.1" - } - }, - { - "session_redis_port": { - "default": 6379, "required": false, - "description": "The Redis port.", "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 11211, + "description": "The memcached port." } }, { - "session_redis_username": { - "required": false, - "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string", - "referenceable": true - } - }, - { - "session_redis_password": { - "encrypted": true, - "referenceable": true, - "required": false, - "description": "Password to use for Redis connection when the `redis` session storage is defined. 
If undefined, no AUTH commands are sent to Redis.", - "type": "string" - } - }, - { - "session_redis_connect_timeout": { - "required": false, - "description": "Session redis connection timeout in milliseconds.", - "type": "integer" - } - }, - { - "session_redis_read_timeout": { - "required": false, - "description": "Session redis read timeout in milliseconds.", - "type": "integer" - } - }, - { - "session_redis_send_timeout": { - "required": false, - "description": "Session redis send timeout in milliseconds.", - "type": "integer" - } - }, - { - "session_redis_ssl": { - "required": false, - "description": "Use SSL/TLS for Redis connection.", - "type": "boolean", - "default": false - } - }, - { - "session_redis_ssl_verify": { - "required": false, - "description": "Verify identity provider server certificate.", - "type": "boolean", - "default": false - } - }, - { - "session_redis_server_name": { - "required": false, - "description": "The SNI used for connecting the Redis server.", - "type": "string" - } - }, - { - "session_redis_cluster_nodes": { - "required": false, - "elements": { - "type": "record", - "fields": [ - { - "ip": { - "required": true, - "type": "string", - "description": "A string representing a host name, such as example.com.", - "default": "127.0.0.1" - } - }, - { - "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", - "between": [ - 0, - 65535 - ] + "redis": { + "required": true, + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", 
+ "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + }, + "if_match": { + "eq": true } } - ] - }, - "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", - "type": "array" - } - }, - { - "session_redis_cluster_max_redirections": { - "required": false, - "description": "The Redis cluster maximum redirects.", - "type": "integer" + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "connect_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "send_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." 
+ } + }, + { + "read_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "username": { + "referenceable": true, + "type": "string", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + } + }, + { + "password": { + "type": "string", + "referenceable": true, + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + } + }, + { + "sentinel_username": { + "referenceable": true, + "type": "string", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + } + }, + { + "sentinel_password": { + "type": "string", + "referenceable": true, + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + } + }, + { + "database": { + "default": 0, + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy" + } + }, + { + "keepalive_pool_size": { + "between": [ + 1, + 2147483646 + ], + "default": 256, + "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." 
+ } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "one_of": [ + "master", + "slave", + "any" + ], + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_nodes": { + "required": false, + "elements": { + "fields": [ + { + "host": { + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ], + "type": "record" + }, + "len_min": 1, + "type": "array", + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." 
+ } + }, + { + "cluster_nodes": { + "required": false, + "elements": { + "fields": [ + { + "ip": { + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ], + "type": "record" + }, + "len_min": 1, + "type": "array", + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + } + }, + { + "ssl": { + "required": false, + "default": false, + "type": "boolean", + "description": "If set to true, uses SSL to connect to Redis." + } + }, + { + "ssl_verify": { + "required": false, + "default": false, + "type": "boolean", + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + } + }, + { + "server_name": { + "required": false, + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS." + } + }, + { + "cluster_max_redirections": { + "required": false, + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + } + }, + { + "connection_is_proxied": { + "required": false, + "default": false, + "type": "boolean", + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address." + } + }, + { + "prefix": { + "required": false, + "type": "string", + "description": "The Redis session key prefix." 
+ } + }, + { + "socket": { + "required": false, + "type": "string", + "description": "The Redis unix socket path." + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "connect_timeout" + ], + "type": "integer" + } + }, + { + "sentinel_addresses": { + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } + }, + { + "cluster_addresses": { + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } + } + ] } }, { "reverify": { "required": false, - "description": "Specifies whether to always verify tokens stored in the session.", + "default": false, "type": "boolean", - "default": false + "description": "Specifies whether to always verify tokens stored in the session." } }, { "jwt_session_claim": { "required": false, - "description": "The claim to match against the JWT session cookie.", + "default": "sid", "type": "string", - "default": "sid" + "description": "The claim to match against the JWT session cookie." } }, { "jwt_session_cookie": { "required": false, - "description": "The name of the JWT session cookie.", - "type": "string" + "type": "string", + "description": "The name of the JWT session cookie." } }, { "bearer_token_param_type": { - "type": "array", "required": false, "elements": { "type": "string", 
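Review bot: The `@@ -1449,249 +1454,500 @@` hunk of `schemas/openid-connect/3.4.x.json` does more than reorder keys and merge descriptions. It drops every `session_redis_*` field, from `session_redis_prefix` through `session_redis_cluster_max_redirections`, and adds a `redis` record marked `"required": true`. That record carries sentinel fields, `keepalive_pool_size`, and shorthand fields tagged `"removal_in_version": "4.0"`. Nothing on the page shows which gateway build the API call was made against, so please confirm it was a 3.4.x instance. If it was a newer build, this file documents keys such as `redis.password` and `redis.ssl_verify` that a 3.4 gateway may not accept, and an operator following it could end up with the session store's credential and TLS settings not applied as intended. If the source build turns out to be wrong, regenerate this one file against a 3.4.x node and name the queried version in the commit message.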
@@ -1702,24 +1958,24 @@ "body" ] }, - "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "type": "array", "default": [ "header", "query", "body" - ] + ], + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`." } }, { "bearer_token_cookie_name": { "required": false, - "description": "The name of the cookie in which the bearer token is passed.", - "type": "string" + "type": "string", + "description": "The name of the cookie in which the bearer token is passed." } }, { "client_credentials_param_type": { - "type": "array", "required": false, "elements": { "type": "string", @@ -1729,17 +1985,17 @@ "body" ] }, - "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "type": "array", "default": [ "header", "query", "body" - ] + ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body." } }, { "password_param_type": { - "type": "array", "required": false, "elements": { "type": "string", 
@@ -1749,17 +2005,17 @@ "body" ] }, - "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "type": "array", "default": [ "header", "query", "body" - ] + ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." } }, { "id_token_param_type": { - "type": "array", "required": false, "elements": { "type": "string", @@ -1769,24 +2025,24 @@ "body" ] }, - "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "type": "array", "default": [ "header", "query", "body" - ] + ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." } }, { "id_token_param_name": { "required": false, - "description": "The name of the parameter used to pass the id token.", - "type": "string" + "type": "string", + "description": "The name of the parameter used to pass the id token." } }, { "refresh_token_param_type": { - "type": "array", "required": false, "elements": { "type": "string", 
@@ -1796,213 +2052,213 @@ "body" ] }, - "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "type": "array", "default": [ "header", "query", "body" - ] + ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." } }, { "refresh_token_param_name": { "required": false, - "description": "The name of the parameter used to pass the refresh token.", - "type": "string" + "type": "string", + "description": "The name of the parameter used to pass the refresh token." } }, { "refresh_tokens": { "required": false, - "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "default": true, "type": "boolean", - "default": true + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available." } }, { "upstream_headers_claims": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "type": "array" + "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload." } }, { "upstream_headers_names": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The upstream header names for the claim values.", - "type": "array" + "description": "The upstream header names for the claim values." 
} }, { "upstream_access_token_header": { "required": false, - "description": "The upstream access token header.", + "default": "authorization:bearer", "type": "string", - "default": "authorization:bearer" + "description": "The upstream access token header." } }, { "upstream_access_token_jwk_header": { "required": false, - "description": "The upstream access token JWK header.", - "type": "string" + "type": "string", + "description": "The upstream access token JWK header." } }, { "upstream_id_token_header": { "required": false, - "description": "The upstream id token header.", - "type": "string" + "type": "string", + "description": "The upstream id token header." } }, { "upstream_id_token_jwk_header": { "required": false, - "description": "The upstream id token JWK header.", - "type": "string" + "type": "string", + "description": "The upstream id token JWK header." } }, { "upstream_refresh_token_header": { "required": false, - "description": "The upstream refresh token header.", - "type": "string" + "type": "string", + "description": "The upstream refresh token header." } }, { "upstream_user_info_header": { "required": false, - "description": "The upstream user info header.", - "type": "string" + "type": "string", + "description": "The upstream user info header." } }, { "upstream_user_info_jwt_header": { "required": false, - "description": "The upstream user info JWT header (in case the user info returns a JWT response).", - "type": "string" + "type": "string", + "description": "The upstream user info JWT header (in case the user info returns a JWT response)." } }, { "upstream_introspection_header": { "required": false, - "description": "The upstream introspection header.", - "type": "string" + "type": "string", + "description": "The upstream introspection header." 
} }, { "upstream_introspection_jwt_header": { "required": false, - "description": "The upstream introspection JWT header.", - "type": "string" + "type": "string", + "description": "The upstream introspection JWT header." } }, { "upstream_session_id_header": { "required": false, - "description": "The upstream session id header.", - "type": "string" + "type": "string", + "description": "The upstream session id header." } }, { "downstream_headers_claims": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "type": "array" + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload." } }, { "downstream_headers_names": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The downstream header names for the claim values.", - "type": "array" + "description": "The downstream header names for the claim values." } }, { "downstream_access_token_header": { "required": false, - "description": "The downstream access token header.", - "type": "string" + "type": "string", + "description": "The downstream access token header." } }, { "downstream_access_token_jwk_header": { "required": false, - "description": "The downstream access token JWK header.", - "type": "string" + "type": "string", + "description": "The downstream access token JWK header." } }, { "downstream_id_token_header": { "required": false, - "description": "The downstream id token header.", - "type": "string" + "type": "string", + "description": "The downstream id token header." } }, { "downstream_id_token_jwk_header": { "required": false, - "description": "The downstream id token JWK header.", - "type": "string" + "type": "string", + "description": "The downstream id token JWK header." 
} }, { "downstream_refresh_token_header": { "required": false, - "description": "The downstream refresh token header.", - "type": "string" + "type": "string", + "description": "The downstream refresh token header." } }, { "downstream_user_info_header": { "required": false, - "description": "The downstream user info header.", - "type": "string" + "type": "string", + "description": "The downstream user info header." } }, { "downstream_user_info_jwt_header": { "required": false, - "description": "The downstream user info JWT header (in case the user info returns a JWT response).", - "type": "string" + "type": "string", + "description": "The downstream user info JWT header (in case the user info returns a JWT response)." } }, { "downstream_introspection_header": { "required": false, - "description": "The downstream introspection header.", - "type": "string" + "type": "string", + "description": "The downstream introspection header." } }, { "downstream_introspection_jwt_header": { "required": false, - "description": "The downstream introspection JWT header.", - "type": "string" + "type": "string", + "description": "The downstream introspection JWT header." } }, { "downstream_session_id_header": { "required": false, - "description": "The downstream session id header.", - "type": "string" + "type": "string", + "description": "The downstream session id header." } }, { "login_methods": { - "type": "array", "required": false, "elements": { "type": "string", 
@@ -2018,28 +2274,28 @@ "session" ] }, - "description": "Enable login functionality with specified grants.", + "type": "array", "default": [ "authorization_code" - ] + ], + "description": "Enable login functionality with specified grants." } }, { "login_action": { - "default": "upstream", "required": false, - "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", "type": "string", + "default": "upstream", "one_of": [ "upstream", "response", "redirect" - ] + ], + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location." } }, { "login_tokens": { - "type": "array", "required": false, "elements": { "type": "string", 
@@ -2051,48 +2307,48 @@ "introspection" ] }, - "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "type": "array", "default": [ "id_token" - ] + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response." } }, { "login_redirect_mode": { - "default": "fragment", "required": false, - "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", "type": "string", + "default": "fragment", "one_of": [ "query", "fragment" - ] + ], + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)." } }, { "logout_query_arg": { "required": false, - "description": "The request query argument that activates the logout.", - "type": "string" + "type": "string", + "description": "The request query argument that activates the logout." } }, { "logout_post_arg": { "required": false, - "description": "The request body argument that activates the logout.", - "type": "string" + "type": "string", + "description": "The request body argument that activates the logout." } }, { "logout_uri_suffix": { "required": false, - "description": "The request URI suffix that activates the logout.", - "type": "string" + "type": "string", + "description": "The request URI suffix that activates the logout." 
} }, { "logout_methods": { - "type": "array", "required": false, "elements": { "type": "string", 
@@ -2102,50 +2358,50 @@ "DELETE" ] }, - "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "type": "array", "default": [ "POST", "DELETE" - ] + ], + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method." } }, { "logout_revoke": { "required": false, - "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "default": false, "type": "boolean", - "default": false + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters." } }, { "logout_revoke_access_token": { "required": false, - "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "default": true, "type": "boolean", - "default": true + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`." } }, { "logout_revoke_refresh_token": { "required": false, - "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "default": true, "type": "boolean", - "default": true + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`." } }, { "consumer_claim": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "type": "array" + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload." 
} }, { "consumer_by": { - "type": "array", "required": false, "elements": { "type": "string", 
@@ -2155,92 +2411,92 @@ "custom_id" ] }, - "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "type": "array", "default": [ "username", "custom_id" - ] + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`." } }, { "consumer_optional": { "required": false, - "description": "Do not terminate the request if consumer mapping fails.", + "default": false, "type": "boolean", - "default": false + "description": "Do not terminate the request if consumer mapping fails." } }, { "credential_claim": { - "type": "array", "required": false, "elements": { "type": "string" }, - "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", "default": [ "sub" - ] + ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload." } }, { "anonymous": { "required": false, - "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { "run_on_preflight": { "required": false, - "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "default": true, "type": "boolean", - "default": true + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests." } }, { "leeway": { "required": false, - "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "default": 0, "type": "number", - "default": 0 + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims" } }, { "verify_parameters": { "required": false, - "description": "Verify plugin configuration against discovery.", + "default": false, "type": "boolean", - "default": false + "description": "Verify plugin configuration against discovery." } }, { "verify_nonce": { "required": false, - "description": "Verify nonce on authorization code flow.", + "default": true, "type": "boolean", - "default": true + "description": "Verify nonce on authorization code flow." } }, { "verify_claims": { "required": false, - "description": "Verify tokens for standard claims.", + "default": true, "type": "boolean", - "default": true + "description": "Verify tokens for standard claims." } }, { "verify_signature": { "required": false, - "description": "Verify signature of tokens.", + "default": true, "type": "boolean", - "default": true + "description": "Verify signature of tokens." 
} }, { "ignore_signature": { - "type": "array", "required": false, "elements": { "type": "string", @@ -2254,23 +2510,25 @@ "userinfo" ] }, - "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "type": "array", "default": [ - ] + ], + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication." } }, { "enable_hs_signatures": { "required": false, - "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "default": false, "type": "boolean", - "default": false + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted)." } }, { "disable_session": { "required": false, + "type": "array", "elements": { "type": "string", "one_of": [ 
@@ -2285,340 +2543,729 @@ "session" ] }, - "description": "Disable issuing the session cookie with the specified grants.", - "type": "array" + "description": "Disable issuing the session cookie with the specified grants." } }, { "cache_ttl": { "required": false, - "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "default": 3600, "type": "number", - "default": 3600 + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry." } }, { "cache_ttl_max": { "required": false, - "description": "The maximum cache ttl in seconds (enforced).", - "type": "number" + "type": "number", + "description": "The maximum cache ttl in seconds (enforced)." } }, { "cache_ttl_min": { "required": false, - "description": "The minimum cache ttl in seconds (enforced).", - "type": "number" + "type": "number", + "description": "The minimum cache ttl in seconds (enforced)." } }, { "cache_ttl_neg": { "required": false, - "description": "The negative cache ttl in seconds.", - "type": "number" + "type": "number", + "description": "The negative cache ttl in seconds." } }, { "cache_ttl_resurrect": { "required": false, - "description": "The resurrection ttl in seconds.", - "type": "number" + "type": "number", + "description": "The resurrection ttl in seconds." } }, { "cache_tokens": { "required": false, - "description": "Cache the token endpoint requests.", + "default": true, "type": "boolean", - "default": true + "description": "Cache the token endpoint requests." } }, { "cache_tokens_salt": { "required": false, - "auto": true, "type": "string", + "auto": true, "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." 
} }, { "cache_introspection": { "required": false, - "description": "Cache the introspection endpoint requests.", + "default": true, "type": "boolean", - "default": true + "description": "Cache the introspection endpoint requests." } }, { "cache_token_exchange": { "required": false, - "description": "Cache the token exchange endpoint requests.", + "default": true, "type": "boolean", - "default": true + "description": "Cache the token exchange endpoint requests." } }, { "cache_user_info": { "required": false, - "description": "Cache the user info requests.", + "default": true, "type": "boolean", - "default": true + "description": "Cache the user info requests." } }, { "search_user_info": { "required": false, - "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "default": false, "type": "boolean", - "default": false + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers." } }, { "hide_credentials": { "required": false, - "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "default": false, "type": "boolean", - "default": false + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication." 
} }, { "http_version": { "required": false, - "type": "number", + "default": 1.1, "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", - "default": 1.1 + "type": "number" } }, { "http_proxy": { "required": false, - "type": "string", - "description": "The HTTP proxy." + "description": "The HTTP proxy.", + "type": "string" } }, { "http_proxy_authorization": { "required": false, - "description": "The HTTP proxy authorization.", - "type": "string" + "type": "string", + "description": "The HTTP proxy authorization." } }, { "https_proxy": { "required": false, - "type": "string", - "description": "The HTTPS proxy." + "description": "The HTTPS proxy.", + "type": "string" } }, { "https_proxy_authorization": { "required": false, - "description": "The HTTPS proxy authorization.", - "type": "string" + "type": "string", + "description": "The HTTPS proxy authorization." } }, { "no_proxy": { "required": false, - "description": "Do not use proxy with these hosts.", - "type": "string" + "type": "string", + "description": "Do not use proxy with these hosts." } }, { "keepalive": { "required": false, - "description": "Use keepalive with the HTTP client.", + "default": true, "type": "boolean", - "default": true + "description": "Use keepalive with the HTTP client." } }, { "ssl_verify": { "required": false, - "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "default": false, "type": "boolean", - "default": false + "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`." 
} }, { "timeout": { "required": false, - "description": "Network IO timeout in milliseconds.", + "default": 10000, "type": "number", - "default": 10000 + "description": "Network IO timeout in milliseconds." } }, { "display_errors": { "required": false, - "description": "Display errors on failure responses.", + "default": false, "type": "boolean", - "default": false + "description": "Display errors on failure responses." } }, { "by_username_ignore_case": { "required": false, - "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "default": false, "type": "boolean", - "default": false + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively." } }, { "resolve_distributed_claims": { "required": false, - "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "default": false, "type": "boolean", - "default": false + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims." } }, { "expose_error_code": { - "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "default": true, "type": "boolean", - "default": true + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable." 
} }, { "token_cache_key_include_scope": { - "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "default": false, "type": "boolean", - "default": false + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens." } }, { "introspection_token_param_name": { "required": false, - "description": "Designate token's parameter name for introspection.", + "default": "token", "type": "string", - "default": "token" + "description": "Designate token's parameter name for introspection." } }, { "revocation_token_param_name": { "required": false, - "description": "Designate token's parameter name for revocation.", + "default": "token", "type": "string", - "default": "token" + "description": "Designate token's parameter name for revocation." } }, { "proof_of_possession_mtls": { - "default": "off", "required": false, - "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", "type": "string", + "default": "off", "one_of": [ "off", "strict", "optional" - ] + ], + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401." } }, { "proof_of_possession_auth_methods_validation": { "required": false, - "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. 
If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "default": true, "type": "boolean", - "default": true + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP." } }, { "tls_client_auth_cert_id": { - "uuid": true, "required": false, - "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", "type": "string", - "auto": false + "uuid": true, + "auto": false, + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server." } }, { "tls_client_auth_ssl_verify": { "required": false, - "description": "Verify identity provider server certificate during mTLS client authentication.", + "default": true, "type": "boolean", - "default": true + "description": "Verify identity provider server certificate during mTLS client authentication." } }, { "mtls_token_endpoint": { "required": false, - "type": "string", - "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." + "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" } }, { "mtls_introspection_endpoint": { "required": false, - "type": "string", - "description": "Alias for the introspection endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" } }, { "mtls_revocation_endpoint": { "required": false, - "type": "string", - "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" } }, { "proof_of_possession_dpop": { - "default": "off", "required": false, - "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", "type": "string", + "default": "off", "one_of": [ "off", "strict", "optional" - ] + ], + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof." } }, { "dpop_use_nonce": { "required": false, - "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", + "default": false, "type": "boolean", - "default": false + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime." 
} }, { "dpop_proof_lifetime": { "required": false, + "default": 300, "type": "number", - "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", - "default": 300 + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise." + } + }, + { + "claims_forbidden": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "If given, these claims are forbidden in the token payload." + } + }, + { + "cluster_cache_strategy": { + "required": false, + "type": "string", + "default": "off", + "one_of": [ + "off", + "redis" + ], + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared." 
+ } + }, + { + "cluster_cache_redis": { + "required": true, + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "then_field": "host", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + }, + "if_field": "connection_is_proxied" + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "connect_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer" + } + }, + { + "send_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" + } + }, + { + "read_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" + } + }, + { + "username": { + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "encrypted": true, + "type": "string" + } + }, + { + "sentinel_username": { + "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "encrypted": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "between": [ + 1, + 2147483646 + ], + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. 
If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "one_of": [ + "master", + "slave", + "any" + ], + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_nodes": { + "required": false, + "elements": { + "fields": [ + { + "host": { + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." 
+ } + }, + { + "cluster_nodes": { + "required": false, + "elements": { + "fields": [ + { + "ip": { + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + } + }, + { + "ssl": { + "required": false, + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + } + }, + { + "ssl_verify": { + "required": false, + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + } + }, + { + "server_name": { + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + } + }, + { + "cluster_max_redirections": { + "required": false, + "default": 5, + "type": "integer", + "description": "Maximum retry attempts for redirection." + } + }, + { + "connection_is_proxied": { + "required": false, + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "connect_timeout" + ], + "type": "integer" + } + }, + { + "sentinel_addresses": { + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } + }, + { + "cluster_addresses": { + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } + } + ] } } ], - "type": "record", - "description": "openid-connect plugin configuration." + "description": "openid-connect plugin configuration.", + "type": "record" } } - ] + ], + "type": "record" }, - "type": "array", "description": "List of openid_connect strategies." } } ], - "required": false, - "description": "The map of v2 strategies.", "default": [ - ] + ], + "description": "The map of v2 strategies." } } ], + "required": true, "entity_checks": [ ], - "type": "record", - "required": true + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/ldap-auth-advanced/3.8.x.json b/schemas/ldap-auth-advanced/3.8.x.json index 27b9b0cc..542f5c10 100644 --- a/schemas/ldap-auth-advanced/3.8.x.json +++ b/schemas/ldap-auth-advanced/3.8.x.json @@ -1,8 +1,25 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], "elements": { "type": "string", "one_of": [ 
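Review bot: The identity-provider `ssl_verify` field keeps `"default": false` in the `@@ -2285,340 +2543,729 @@` hunk, and the newly added `cluster_cache_redis` record defaults both `ssl` and `ssl_verify` to `false` as well, while `tls_client_auth_ssl_verify` beside them defaults to `true`. With those defaults the plugin does not verify the identity provider's certificate, and a `redis` cluster cache (which shares the introspection cache, per the `cluster_cache_strategy` description) is reached without TLS unless the operator opts in. If this file is pulled from the schema API like the others in the series, the defaults cannot be changed here, so the descriptions should at least state the default, for example by appending `Defaults to false; set it to true outside local testing.` to both `ssl_verify` descriptions and to `ssl`. Separately, the `mtls_revocation_endpoint` description still reads `Alias for the introspection endpoint`, which looks copied from the field above and should say `revocation endpoint`.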
@@ -14,31 +31,23 @@ "wss" ] }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -53,48 +62,48 @@ }, { "ldap_password": { - "type": "string", - "encrypted": true, + "description": "The password to the LDAP server.", "referenceable": true, - "description": "The password to the LDAP server." + "encrypted": true, + "type": "string" } }, { "ldap_port": { + "default": 389, "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", - "type": "number", - "default": 389 + "type": "number" } }, { "bind_dn": { - "type": "string", "referenceable": true, - "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated." + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", + "type": "string" } }, { "ldaps": { "required": true, + "default": false, "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "start_tls": { "required": true, + "default": false, "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "verify_ldap_host": { "required": true, + "default": false, "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", - "type": "boolean", - "default": false + "type": "boolean" } }, { 
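Review bot: The `ldaps` description on the new side tells the reader to disable `start_tls` "if the ldap setting is enabled", but no `ldap` field appears in this hunk; it presumably means `ldaps`, and I would change the field name in that sentence to `ldaps` so the mutual-exclusion rule is unambiguous. The defaults shown here are `ldaps: false`, `start_tls: false`, `verify_ldap_host: false` and `ldap_port: 389`, so as far as this hunk shows, the out-of-the-box connection that carries `ldap_password` and the user's credentials is neither encrypted nor server-authenticated. The `verify_ldap_host` description should say so, e.g. by adding `Without it, ldaps or start_tls encrypts the connection but does not authenticate the server.` The surrounding `fields` array starts and ends outside this hunk, and the wording fix belongs in the upstream schema if this file is downloaded.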
@@ -114,58 +123,57 @@ { "cache_ttl": { "required": true, + "default": 60, "description": "Cache expiry time in seconds.", - "type": "number", - "default": 60 + "type": "number" } }, { "hide_credentials": { + "default": false, "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "timeout": { + "default": 10000, "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", - "type": "number", - "default": 10000 + "type": "number" } }, { "keepalive": { + "default": 60000, "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", - "type": "number", - "default": 60000 + "type": "number" } }, { "anonymous": { - "type": "string", "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "len_min": 0, - "default": "" + "default": "", + "type": "string", + "len_min": 0 } }, { "header_type": { + "default": "ldap", "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", - "type": "string", - "default": "ldap" + "type": "string" } }, { "consumer_optional": { "required": false, + "default": false, "description": "Whether consumer mapping is optional. 
If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "consumer_by": { - "type": "array", "required": false, "elements": { "type": "string", @@ -174,11 +182,12 @@ "custom_id" ] }, - "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", + "type": "array", "default": [ "username", "custom_id" - ] + ], + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both." } }, { 
@@ -195,41 +204,39 @@ }, { "group_member_attribute": { + "default": "memberOf", "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive.", - "type": "string", - "default": "memberOf" + "type": "string" } }, { "log_search_results": { "required": false, + "default": false, "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "groups_required": { "required": false, + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", "elements": { "type": "string" }, - "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", "type": "array" } + }, + { + "realm": { + "required": false, + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + } } ], - "type": "record", - "required": true - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] + "required": true, + "type": "record" } } ] 
diff --git a/schemas/ldap-auth/3.8.x.json b/schemas/ldap-auth/3.8.x.json index 7ed76d47..97c09274 100644 --- a/schemas/ldap-auth/3.8.x.json +++ b/schemas/ldap-auth/3.8.x.json @@ -1,16 +1,27 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], "elements": { "type": "string", "one_of": [ @@ -22,23 +33,15 @@ "wss" ] }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -53,38 +56,38 @@ }, { "ldap_port": { - "default": 389, "required": true, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 389, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "ldaps": { "required": true, + "default": false, "type": "boolean", - "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", - "default": false + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled." } }, { "start_tls": { "required": true, + "default": false, "type": "boolean", - "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", - "default": false + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled." } }, { "verify_ldap_host": { "required": true, + "default": false, "type": "boolean", - "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", - "default": false + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive." } }, { 
@@ -104,31 +107,31 @@ { "cache_ttl": { "required": true, + "default": 60, "type": "number", - "description": "Cache expiry time in seconds.", - "default": 60 + "description": "Cache expiry time in seconds." } }, { "hide_credentials": { "required": true, + "default": false, "type": "boolean", - "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", - "default": false + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request." } }, { "timeout": { + "default": 10000, "type": "number", - "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", - "default": 10000 + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server." } }, { "keepalive": { + "default": 60000, "type": "number", - "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", - "default": 60000 + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed." } }, { 
@@ -139,33 +142,37 @@ }, { "header_type": { + "default": "ldap", + "type": "string", + "description": "An optional string to use as part of the Authorization header" + } + }, + { + "realm": { + "required": false, "type": "string", - "description": "An optional string to use as part of the Authorization header", - "default": "ldap" + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value." } } ], + "required": true, "entity_checks": [ { "conditional": { - "if_field": "ldaps", - "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", + "then_match": { + "eq": false + }, + "then_field": "start_tls", "if_match": { "eq": true }, - "then_field": "start_tls", - "then_match": { - "eq": false - } + "if_field": "ldaps", + "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously" } } ], - "type": "record", - "required": true + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/loggly/3.8.x.json b/schemas/loggly/3.8.x.json index 7f635842..38d91448 100644 --- a/schemas/loggly/3.8.x.json +++ b/schemas/loggly/3.8.x.json @@ -1,12 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -18,23 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "description": "A set of strings representing protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -42,45 +45,43 @@ "fields": [ { "host": { - "type": "string", + "default": "logs-01.loggly.com", "description": "A string representing a host name, such as example.com.", - "default": "logs-01.loggly.com" + "type": "string" } }, { "port": { - "default": 514, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 514, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "key": { "required": true, - "encrypted": true, "referenceable": true, + "encrypted": true, "type": "string" } }, { "tags": { + "default": [ + "kong" + ], "elements": { "type": "string" }, - "type": "set", - "default": [ - "kong" - ] + "type": "set" } }, { "log_level": { - "default": "info", - "type": "string", "one_of": [ "debug", "info", @@ -90,13 +91,13 @@ "crit", "alert", "emerg" - ] + ], + "default": "info", + "type": "string" } }, { "successful_severity": { - "default": "info", - "type": "string", "one_of": [ "debug", "info", @@ -106,13 +107,13 @@ "crit", "alert", "emerg" - ] + ], + "default": "info", + "type": "string" } }, { "client_errors_severity": { - "default": "info", - "type": "string", "one_of": [ "debug", "info", 
@@ -122,13 +123,13 @@ "crit", "alert", "emerg" - ] + ], + "default": "info", + "type": "string" } }, { "server_errors_severity": { - "default": "info", - "type": "string", "one_of": [ "debug", "info", @@ -138,7 +139,9 @@ "crit", "alert", "emerg" - ] + ], + "default": "info", + "type": "string" } }, { @@ -153,21 +156,18 @@ "type": "string", "len_min": 1 }, - "type": "map", "description": "Lua code as a key-value map", "values": { - "type": "string", - "len_min": 1 - } + "len_min": 1, + "type": "string" + }, + "type": "map" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/mocking/3.8.x.json b/schemas/mocking/3.8.x.json index 20ed3e0d..ae499b46 100644 --- a/schemas/mocking/3.8.x.json +++ b/schemas/mocking/3.8.x.json @@ -1,8 +1,15 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.api_specification_filename", + "config.api_specification" + ] + } + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,21 +20,22 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -43,89 +51,81 @@ { "api_specification": { "required": false, - "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", - "type": "string" + "type": "string", + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field." } }, { "random_delay": { + "default": false, "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "max_delay_time": { + "default": 1, "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", - "type": "number", - "default": 1 + "type": "number" } }, { "min_delay_time": { + "default": 0.001, "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`.", - "type": "number", - "default": 0.001 + "type": "number" } }, { "random_examples": { + "default": false, "description": "Randomly selects one example and returns it. 
This parameter requires the spec to have multiple examples configured.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "included_status_codes": { + "type": "array", "elements": { "type": "integer" }, - "description": "A global list of the HTTP status codes that can only be selected and returned.", - "type": "array" + "description": "A global list of the HTTP status codes that can only be selected and returned." } }, { "random_status_code": { "required": true, + "default": false, "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "include_base_path": { "required": true, + "default": false, "description": "Indicates whether to include the base path when performing path match evaluation.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "custom_base_path": { + "required": false, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "required": false, "type": "string", - "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", - "starts_with": "/" + "starts_with": "/", + "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.api_specification_filename", - "config.api_specification" - ] - } ] } \ No newline at end of file diff --git a/schemas/mtls-auth/3.8.x.json b/schemas/mtls-auth/3.8.x.json index d5b8d80d..0785c215 100644 --- a/schemas/mtls-auth/3.8.x.json +++ b/schemas/mtls-auth/3.8.x.json 
@@ -1,16 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -21,21 +23,22 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -49,7 +52,6 @@ }, { "consumer_by": { - "type": "array", "required": false, "elements": { "type": "string", 
@@ -58,92 +60,93 @@ "custom_id" ] }, - "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "type": "array", "default": [ "username", "custom_id" - ] + ], + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled." } }, { "ca_certificates": { "required": true, + "type": "array", "elements": { - "uuid": true, - "type": "string" + "type": "string", + "uuid": true }, - "type": "array", "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`)." } }, { "cache_ttl": { "required": true, + "default": 60, "type": "number", - "description": "Cache expiry time in seconds.", - "default": 60 + "description": "Cache expiry time in seconds." } }, { "skip_consumer_lookup": { "required": true, + "default": false, "type": "boolean", - "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", - "default": false + "description": "Skip consumer lookup once certificate is trusted against the configured CA list." } }, { "allow_partial_chain": { "required": true, + "default": false, "type": "boolean", - "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", - "default": false + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates." 
} }, { "authenticated_group_by": { - "default": "CN", "required": false, "type": "string", - "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "default": "CN", "one_of": [ "CN", "DN" - ] + ], + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users." } }, { "revocation_check_mode": { - "default": "IGNORE_CA_ERROR", "required": false, "type": "string", - "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "default": "IGNORE_CA_ERROR", "one_of": [ "SKIP", "IGNORE_CA_ERROR", "STRICT" - ] + ], + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status." 
} }, { "http_timeout": { + "default": 30000, "type": "number", - "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", - "default": 30000 + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL." } }, { "cert_cache_ttl": { + "default": 60000, "type": "number", - "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", - "default": 60000 + "description": "The length of time in milliseconds between refreshes of the revocation check status cache." } }, { "send_ca_dn": { + "default": false, "type": "boolean", - "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", - "default": false + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message." } }, { @@ -160,12 +163,12 @@ }, { "http_proxy_port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { @@ -176,15 +179,16 @@ }, { "https_proxy_port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], + "required": true, "entity_checks": [ { "mutually_required": [ @@ -199,12 +203,8 @@ ] } ], - "type": "record", - "required": true + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/oas-validation/3.8.x.json b/schemas/oas-validation/3.8.x.json index 6eaf71b8..35f99dd3 100644 --- a/schemas/oas-validation/3.8.x.json +++ b/schemas/oas-validation/3.8.x.json 
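Review bot: `revocation_check_mode` in the `@@ -58,92 +60,93 @@` hunk keeps `"default": "IGNORE_CA_ERROR"`, and the description only says this mode "doesn't fail on network issues", which hides that it is the fail-open choice. Read against the `STRICT` wording, a client certificate whose OCSP or CRL status cannot be fetched appears to be accepted. I would make that explicit in the description, e.g. `With IGNORE_CA_ERROR (the default), a certificate whose revocation status cannot be retrieved is still accepted; use STRICT where a revoked certificate must never authenticate.` The schema looks like an API dump, so the wording change likely has to be made upstream and re-downloaded.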
@@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,21 +15,22 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -43,128 +46,125 @@ { "verbose_response": { "required": false, + "default": false, "type": "boolean", - "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", - "default": false + "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing." } }, { "validate_request_body": { "required": false, + "default": true, "type": "boolean", - "description": "If set to true, validates the request body content against the API specification.", - "default": true + "description": "If set to true, validates the request body content against the API specification." } }, { "notify_only_request_validation_failure": { "required": false, + "default": false, "type": "boolean", - "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", - "default": false + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow." } }, { "validate_request_header_params": { "required": false, + "default": true, "type": "boolean", - "description": "If set to true, validates HTTP header parameters against the API specification.", - "default": true + "description": "If set to true, validates HTTP header parameters against the API specification." } }, { "validate_request_query_params": { "required": false, + "default": true, "type": "boolean", - "description": "If set to true, validates query parameters against the API specification.", - "default": true + "description": "If set to true, validates query parameters against the API specification." 
} }, { "validate_request_uri_params": { "required": false, + "default": true, "type": "boolean", - "description": "If set to true, validates URI parameters in the request against the API specification.", - "default": true + "description": "If set to true, validates URI parameters in the request against the API specification." } }, { "validate_response_body": { "required": false, + "default": false, "type": "boolean", - "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", - "default": false + "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code." } }, { "notify_only_response_body_validation_failure": { "required": false, + "default": false, "type": "boolean", - "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", - "default": false + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow." } }, { "query_parameter_check": { "required": true, + "default": false, "type": "boolean", - "description": "If set to true, checks if query parameters in the request exist in the API specification.", - "default": false + "description": "If set to true, checks if query parameters in the request exist in the API specification." } }, { "header_parameter_check": { "required": true, + "default": false, "type": "boolean", - "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", - "default": false + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification." 
} }, { "allowed_header_parameters": { "required": false, + "default": "Host,Content-Type,User-Agent,Accept,Content-Length", "type": "string", - "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", - "default": "Host,Content-Type,User-Agent,Accept,Content-Length" + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent." } }, { "include_base_path": { "required": true, + "default": false, "type": "boolean", - "description": "Indicates whether to include the base path when performing path match evaluation.", - "default": false + "description": "Indicates whether to include the base path when performing path match evaluation." } }, { "api_spec_encoded": { "required": true, + "default": true, "type": "boolean", - "description": "Indicates whether the api_spec is URI-Encoded.", - "default": true + "description": "Indicates whether the api_spec is URI-Encoded." } }, { "custom_base_path": { + "required": false, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "required": false, "type": "string", - "description": "The base path to be used for path match evaluation. 
This value is ignored if `include_base_path` is set to `false`.", - "starts_with": "/" + "starts_with": "/", + "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/oauth2-introspection/3.8.x.json b/schemas/oauth2-introspection/3.8.x.json index 8cca5e87..89a4a764 100644 --- a/schemas/oauth2-introspection/3.8.x.json +++ b/schemas/oauth2-introspection/3.8.x.json @@ -1,16 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -21,21 +23,22 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -50,9 +53,9 @@ }, { "ttl": { + "default": 30, "type": "number", - "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", - "default": 30 + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration." } }, { 
@@ -63,105 +66,102 @@ }, { "authorization_value": { - "encrypted": true, - "referenceable": true, "required": true, + "referenceable": true, "type": "string", + "encrypted": true, "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`)." } }, { "timeout": { + "default": 10000, "type": "integer", - "description": "An optional timeout in milliseconds when sending data to the upstream server.", - "default": 10000 + "description": "An optional timeout in milliseconds when sending data to the upstream server." } }, { "keepalive": { + "default": 60000, "type": "integer", - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", - "default": 60000 + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." } }, { "introspect_request": { "required": true, + "default": false, "type": "boolean", - "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", - "default": false + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request." } }, { "hide_credentials": { + "default": false, "type": "boolean", - "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request.", - "default": false + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. 
It will be removed by Kong before proxying the request." } }, { "run_on_preflight": { + "default": true, "type": "boolean", - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", - "default": true + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed." } }, { "anonymous": { "len_min": 0, + "default": "", "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "default": "" + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { "consumer_by": { - "default": "username", "required": true, "type": "string", - "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", + "default": "username", "one_of": [ "username", "client_id" - ] + ], + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`." 
} }, { "custom_introspection_headers": { + "required": true, + "type": "map", "keys": { "type": "string" }, - "description": "A list of custom headers to be added in the introspection request.", - "required": true, + "default": [ + + ], "values": { "type": "string" }, - "type": "map", - "default": [ - - ] + "description": "A list of custom headers to be added in the introspection request." } }, { "custom_claims_forward": { - "type": "set", "required": true, "elements": { "type": "string" }, - "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", + "type": "set", "default": [ - ] + ], + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/oauth2/3.8.x.json b/schemas/oauth2/3.8.x.json index 5e18a9f5..cbacf7c3 100644 --- a/schemas/oauth2/3.8.x.json +++ b/schemas/oauth2/3.8.x.json @@ -1,16 +1,27 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], "elements": { "type": "string", "one_of": [ 
@@ -22,109 +33,102 @@ "wss" ] }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "required": true, "fields": [ { "scopes": { + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", "elements": { "type": "string" }, - "type": "array", - "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required." + "type": "array" } }, { "mandatory_scope": { "required": true, + "default": false, "type": "boolean", - "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", - "default": false + "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user." } }, { "provision_key": { - "encrypted": true, - "unique": true, "required": true, "auto": true, "description": "The unique key the plugin has generated when it has been added to the Service.", - "type": "string" + "type": "string", + "encrypted": true, + "unique": true } }, { "token_expiration": { "required": true, + "default": 7200, "type": "number", - "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. 
Set to `0` to disable the expiration.", - "default": 7200 + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration." } }, { "enable_authorization_code": { "required": true, + "default": false, "type": "boolean", - "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", - "default": false + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1)." } }, { "enable_implicit_grant": { "required": true, + "default": false, "type": "boolean", - "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", - "default": false + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2)." } }, { "enable_client_credentials": { "required": true, + "default": false, "type": "boolean", - "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", - "default": false + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4)." } }, { "enable_password_grant": { "required": true, + "default": false, "type": "boolean", - "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", - "default": false + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3)." 
} }, { "hide_credentials": { "required": true, + "default": false, "type": "boolean", - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", - "default": false + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service." } }, { "accept_http_if_already_terminated": { "required": true, + "default": false, "type": "boolean", - "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", - "default": false + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer." } }, { 
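Review bot: The four grant-flow descriptions in this hunk (`enable_authorization_code`, `enable_implicit_grant`, `enable_client_credentials`, `enable_password_grant`) cite RFC 6742, but the OAuth 2.0 framework whose Sections 4.1 to 4.4 define these flows is RFC 6749. Each reference should read like `(RFC 6749 Section 4.1)`, keeping its own section number. Operators who follow the citation to check what a flow permits before enabling it land on an unrelated document. If this file is downloaded from the API rather than edited by hand, the correction presumably belongs in the plugin's schema source, followed by a re-pull. The `config.fields` array continues past the end of this hunk.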
@@ -136,79 +140,82 @@ { "global_credentials": { "required": true, + "default": false, "type": "boolean", - "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", - "default": false + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`." } }, { "auth_header_name": { + "default": "authorization", "type": "string", - "description": "The name of the header that is supposed to carry the access token.", - "default": "authorization" + "description": "The name of the header that is supposed to carry the access token." } }, { "refresh_token_ttl": { - "default": 1209600, "required": true, - "description": "Time-to-live value for data", "type": "number", "between": [ 0, 100000000 - ] + ], + "default": 1209600, + "description": "Time-to-live value for data" } }, { "reuse_refresh_token": { "required": true, + "default": false, "type": "boolean", - "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", - "default": false + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token." } }, { "persistent_refresh_token": { "required": true, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "pkce": { - "default": "lax", "required": false, "type": "string", - "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", + "default": "lax", "one_of": [ "none", "lax", "strict" - ] + ], + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin." 
+ } + }, + { + "realm": { + "required": false, + "type": "string", + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value." } } ], "entity_checks": [ { "conditional": { - "if_field": "mandatory_scope", + "then_field": "scopes", "if_match": { "eq": true }, - "then_field": "scopes", "then_match": { "required": true - } + }, + "if_field": "mandatory_scope" } } ], - "type": "record", - "required": true + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/opa/3.8.x.json b/schemas/opa/3.8.x.json index cd3a0fb8..448b6cb1 100644 --- a/schemas/opa/3.8.x.json +++ b/schemas/opa/3.8.x.json @@ -1,16 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -21,21 +23,22 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -43,68 +46,68 @@ "fields": [ { "opa_protocol": { - "default": "http", "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", - "type": "string", + "default": "http", "one_of": [ "http", "https" - ] + ], + "type": "string" } }, { "opa_host": { "required": true, - "type": "string", + "default": "localhost", "description": "A string representing a host name, such as example.com.", - "default": "localhost" + "type": "string" } }, { "opa_port": { - "default": 8181, "required": true, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 8181, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "opa_path": { + "required": true, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "required": true, "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "starts_with": "/" + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." 
} }, { "include_service_in_opa_input": { + "default": false, "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "include_route_in_opa_input": { + "default": false, "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "include_consumer_in_opa_input": { + "default": false, "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", - "type": "boolean", - "default": false + "type": "boolean" } }, { @@ -115,33 +118,30 @@ }, { "include_parsed_json_body_in_opa_input": { + "default": false, "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "include_uri_captures_in_opa_input": { + "default": false, "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "ssl_verify": { "required": true, + "default": true, "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", - "type": "boolean", - "default": true + "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/openid-connect/3.8.x.json b/schemas/openid-connect/3.8.x.json index d9870d72..480ff114 100644 --- a/schemas/openid-connect/3.8.x.json 
+++ b/schemas/openid-connect/3.8.x.json @@ -1,16 +1,24 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", 
@@ -21,83 +29,427 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "required": true, + "shorthand_fields": [ + { + "authorization_cookie_lifetime": { + "deprecation": { + "message": "openid-connect: config.authorization_cookie_lifetime is deprecated, please use config.authorization_rolling_timeout instead", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "authorization_cookie_samesite": { + "deprecation": { + "message": "openid-connect: config.authorization_cookie_samesite is deprecated, please use config.authorization_cookie_same_site instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "authorization_cookie_httponly": { + "deprecation": { + "message": "openid-connect: config.authorization_cookie_httponly is deprecated, please use config.authorization_cookie_http_only instead", + "removal_in_version": "4.0" + }, + "type": "boolean" + } + }, + { + "session_cookie_lifetime": { + "deprecation": { + "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_cookie_idletime": { + "deprecation": { + "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_cookie_samesite": { + "deprecation": { + "message": "openid-connect: 
config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_cookie_httponly": { + "deprecation": { + "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead", + "removal_in_version": "4.0" + }, + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "deprecation": { + "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_memcache_socket": { + "deprecation": { + "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_memcache_host": { + "deprecation": { + "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_memcache_port": { + "deprecation": { + "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead", + "removal_in_version": "4.0" + }, + "type": "integer" + } + }, + { + "session_cookie_renew": { + "deprecation": { + "message": "openid-connect: config.session_cookie_renew option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "deprecation": { + "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "integer" + } + }, + { + "session_strategy": { + "deprecation": { + "message": "openid-connect: config.session_strategy option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + 
"session_compressor": { + "deprecation": { + "message": "openid-connect: config.session_compressor option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_redis_prefix": { + "deprecation": { + "message": "openid-connect: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "prefix" + ], + "type": "string" + } + }, + { + "session_redis_socket": { + "deprecation": { + "message": "openid-connect: config.session_redis_socket is deprecated, please use config.redis.socket instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "socket" + ], + "type": "string" + } + }, + { + "session_redis_host": { + "deprecation": { + "message": "openid-connect: config.session_redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "host" + ], + "type": "string" + } + }, + { + "session_redis_port": { + "deprecation": { + "message": "openid-connect: config.session_redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "port" + ], + "type": "integer" + } + }, + { + "session_redis_username": { + "deprecation": { + "message": "openid-connect: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "username" + ], + "type": "string" + } + }, + { + "session_redis_password": { + "deprecation": { + "message": "openid-connect: config.session_redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "password" + ], + "type": "string" + } + }, + { + "session_redis_connect_timeout": { + "deprecation": { + "message": "openid-connect: config.session_redis_connect_timeout 
is deprecated, please use config.redis.connect_timeout instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "connect_timeout" + ], + "type": "integer" + } + }, + { + "session_redis_read_timeout": { + "deprecation": { + "message": "openid-connect: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "read_timeout" + ], + "type": "integer" + } + }, + { + "session_redis_send_timeout": { + "deprecation": { + "message": "openid-connect: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "send_timeout" + ], + "type": "integer" + } + }, + { + "session_redis_ssl": { + "deprecation": { + "message": "openid-connect: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "ssl" + ], + "type": "boolean" + } + }, + { + "session_redis_ssl_verify": { + "deprecation": { + "message": "openid-connect: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "ssl_verify" + ], + "type": "boolean" + } + }, + { + "session_redis_server_name": { + "deprecation": { + "message": "openid-connect: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "server_name" + ], + "type": "string" + } + }, + { + "session_redis_cluster_nodes": { + "deprecation": { + "message": "openid-connect: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", + "removal_in_version": "4.0" + }, + "elements": { + "fields": [ + { + "ip": { + "required": true, + "default": "127.0.0.1", + 
"description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + } + ], + "type": "record" + }, + "translate_backwards": [ + "redis", + "cluster_nodes" + ], + "type": "array" + } + }, + { + "session_redis_cluster_max_redirections": { + "deprecation": { + "message": "openid-connect: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "cluster_max_redirections" + ], + "type": "integer" + } + } + ], "fields": [ { "issuer": { "required": true, - "type": "string", - "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`." + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "type": "string" } }, { "using_pseudo_issuer": { "required": false, - "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "default": false, "type": "boolean", - "default": false + "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`." } }, { "discovery_headers_names": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra header names passed to the discovery endpoint.", - "type": "array" + "description": "Extra header names passed to the discovery endpoint." 
} }, { "discovery_headers_values": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra header values passed to the discovery endpoint.", - "type": "array" + "description": "Extra header values passed to the discovery endpoint." } }, { "extra_jwks_uris": { "required": false, + "type": "set", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", - "type": "set" + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery)." } }, { "rediscovery_lifetime": { "required": false, - "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", + "default": 30, "type": "number", - "default": 30 + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis." } }, { "auth_methods": { - "type": "array", "required": false, "elements": { "type": "string", @@ -113,7 +465,7 @@ "session" ] }, - "description": "Types of credentials/grants to enable.", + "type": "array", "default": [ "password", "client_credentials", 
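Review bot: The deprecation message added for the `session_redis_username` shorthand names the wrong option: it reads `config.redis_host is deprecated, please use config.redis.host instead`, while the entry's `translate_backwards` target is `redis` / `username`. An operator migrating Redis session credentials from this message would be pointed at the host setting instead of the username. The text should be `openid-connect: config.session_redis_username is deprecated, please use config.redis.username instead`, matching the neighbouring `session_redis_*` entries. If these files are pulled from the API, the fix presumably belongs in the plugin schema upstream, followed by a re-download. The `config` record continues outside this hunk.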
@@ -124,36 +476,38 @@ "kong_oauth2", "refresh_token", "session" - ] + ], + "description": "Types of credentials/grants to enable." } }, { "client_id": { - "encrypted": true, "required": false, "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", - "type": "array" + "type": "array", + "encrypted": true, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." } }, { "client_secret": { - "encrypted": true, "required": false, "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "description": "The client secret.", - "type": "array" + "type": "array", + "encrypted": true, + "description": "The client secret." } }, { "client_auth": { "required": false, + "type": "array", "elements": { "type": "string", "one_of": [ 
@@ -166,204 +520,204 @@ "none" ] }, - "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", - "type": "array" + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication)." } }, { "client_jwk": { "required": false, + "type": "array", "elements": { "required": false, - "type": "record", "fields": [ { "issuer": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "kty": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "use": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "key_ops": { "required": false, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "type": "array" } }, { "alg": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "kid": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5u": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5c": { "required": false, "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "type": "array" } }, { "x5t": { - "type": "string", - "required": false + "required": false, + "type": "string" 
} }, { "x5t#S256": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "k": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { "x": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "y": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "crv": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "n": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "e": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "d": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { "p": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { "q": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { "dp": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { "dq": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { "qi": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { "oth": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { "r": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { "t": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } } - ] + ], + 
"type": "record" }, - "description": "The JWK used for the private_key_jwt authentication.", - "type": "array" + "description": "The JWK used for the private_key_jwt authentication." } }, { "client_alg": { "required": false, + "type": "array", "elements": { "type": "string", "one_of": [ 
@@ -382,124 +736,122 @@ "EdDSA" ] }, - "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", - "type": "array" + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication." } }, { "client_arg": { "required": false, - "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "default": "client_id", "type": "string", - "default": "client_id" + "description": "The client to use for this request (the selection is made with a request parameter with the same name)." } }, { "redirect_uri": { "required": false, + "type": "array", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "description": "The redirect URI passed to the authorization and token endpoints.", - "type": "array" + "description": "The redirect URI passed to the authorization and token endpoints." } }, { "login_redirect_uri": { "required": false, + "type": "array", "elements": { - "type": "string", + "referenceable": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "referenceable": true + "type": "string" }, - "description": "Where to redirect the client when `login_action` is set to `redirect`.", - "type": "array" + "description": "Where to redirect the client when `login_action` is set to `redirect`." } }, { "logout_redirect_uri": { "required": false, + "type": "array", "elements": { - "type": "string", + "referenceable": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "referenceable": true + "type": "string" }, - "description": "Where to redirect the client after the logout.", - "type": "array" + "description": "Where to redirect the client after the logout." 
} }, { "forbidden_redirect_uri": { "required": false, + "type": "array", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "description": "Where to redirect the client on forbidden requests.", - "type": "array" + "description": "Where to redirect the client on forbidden requests." } }, { "forbidden_error_message": { "required": false, - "description": "The error message for the forbidden requests (when not using the redirection).", + "default": "Forbidden", "type": "string", - "default": "Forbidden" + "description": "The error message for the forbidden requests (when not using the redirection)." } }, { "forbidden_destroy_session": { "required": false, - "description": "Destroy any active session for the forbidden requests.", + "default": true, "type": "boolean", - "default": true + "description": "Destroy any active session for the forbidden requests." } }, { "unauthorized_destroy_session": { "required": false, - "description": "Destroy any active session for the unauthorized requests.", + "default": true, "type": "boolean", - "default": true + "description": "Destroy any active session for the unauthorized requests." } }, { "unauthorized_redirect_uri": { "required": false, + "type": "array", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "description": "Where to redirect the client on unauthorized requests.", - "type": "array" + "description": "Where to redirect the client on unauthorized requests." } }, { "unauthorized_error_message": { "required": false, - "description": "The error message for the unauthorized requests (when not using the redirection).", + "default": "Unauthorized", "type": "string", - "default": "Unauthorized" + "description": "The error message for the unauthorized requests (when not using the redirection)." 
} }, { "unexpected_redirect_uri": { "required": false, + "type": "array", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "description": "Where to redirect the client when unexpected errors happen with the requests.", - "type": "array" + "description": "Where to redirect the client when unexpected errors happen with the requests." } }, { "response_mode": { - "default": "query", "required": false, - "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", "type": "string", + "default": "query", "one_of": [ "query", "form_post", 
@@ -508,187 +860,186 @@ "form_post.jwt", "fragment.jwt", "jwt" - ] + ], + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type." } }, { "response_type": { - "type": "array", "required": false, "elements": { "type": "string" }, - "description": "The response type passed to the authorization endpoint.", + "type": "array", "default": [ "code" - ] + ], + "description": "The response type passed to the authorization endpoint." } }, { "scopes": { - "type": "array", "required": false, "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "description": "The scopes passed to the authorization and token endpoints.", + "type": "array", "default": [ "openid" - ] + ], + "description": "The scopes passed to the authorization and token endpoints." } }, { "audience": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The audience passed to the authorization endpoint.", - "type": "array" + "description": "The audience passed to the authorization endpoint." } }, { "issuers_allowed": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The issuers allowed to be present in the tokens (`iss` claim).", - "type": "array" + "description": "The issuers allowed to be present in the tokens (`iss` claim)." 
} }, { "scopes_required": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "type": "array" + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." } }, { "scopes_claim": { - "type": "array", "required": false, "elements": { "type": "string" }, - "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", "default": [ "scope" - ] + ], + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload." } }, { "audience_required": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "type": "array" + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." } }, { "audience_claim": { - "type": "array", "required": false, "elements": { "type": "string" }, - "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", "default": [ "aud" - ] + ], + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload." 
} }, { "groups_required": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "type": "array" + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." } }, { "groups_claim": { - "type": "array", "required": false, "elements": { "type": "string" }, - "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", "default": [ "groups" - ] + ], + "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload." } }, { "roles_required": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "type": "array" + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." } }, { "roles_claim": { - "type": "array", "required": false, "elements": { "type": "string" }, - "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", "default": [ "roles" - ] + ], + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload." 
} }, { "domains": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The allowed values for the `hd` claim.", - "type": "array" + "description": "The allowed values for the `hd` claim." } }, { "max_age": { "required": false, - "description": "The maximum age (in seconds) compared to the `auth_time` claim.", - "type": "number" + "type": "number", + "description": "The maximum age (in seconds) compared to the `auth_time` claim." } }, { "authenticated_groups_claim": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "type": "array" + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload." } }, { "pushed_authorization_request_endpoint": { "required": false, - "type": "string", - "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint." + "description": "The pushed authorization endpoint. 
If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "type": "string" } }, { "pushed_authorization_request_endpoint_auth_method": { "required": false, - "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", - "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
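Review bot: The `scopes_required`, `audience_required`, `groups_required` and `roles_required` descriptions say the parameter "works in both **AND** / **OR** cases" but never say how either case is written, so an authorization rule can end up configured as OR when AND was intended. As I understand the plugin, values inside one space-separated array element must all be present and separate elements are alternatives; if upstream confirms that, the description should spell it out, e.g. `Values in a single space-separated element are all required (AND); separate elements are alternatives (OR).` The file is pulled from the API, so the wording has to change in the upstream schema rather than here. The enclosing `fields` array starts and ends outside this hunk.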
@@ -697,154 +1048,154 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ] + ], + "type": "string", + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" } }, { "require_pushed_authorization_requests": { "required": false, - "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", - "type": "boolean" + "type": "boolean", + "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`)." } }, { "require_proof_key_for_code_exchange": { "required": false, - "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", - "type": "boolean" + "type": "boolean", + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled)." } }, { "require_signed_request_object": { "required": false, - "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. 
When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", - "type": "boolean" + "type": "boolean", + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled)." } }, { "authorization_endpoint": { "required": false, - "type": "string", - "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint." + "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "type": "string" } }, { "authorization_query_args_names": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra query argument names passed to the authorization endpoint.", - "type": "array" + "description": "Extra query argument names passed to the authorization endpoint." } }, { "authorization_query_args_values": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra query argument values passed to the authorization endpoint.", - "type": "array" + "description": "Extra query argument values passed to the authorization endpoint." } }, { "authorization_query_args_client": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra query arguments passed from the client to the authorization endpoint.", - "type": "array" + "description": "Extra query arguments passed from the client to the authorization endpoint." 
} }, { "authorization_rolling_timeout": { "required": false, - "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "default": 600, "type": "number", - "default": 600 + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." } }, { "authorization_cookie_name": { "required": false, - "description": "The authorization cookie name.", + "default": "authorization", "type": "string", - "default": "authorization" + "description": "The authorization cookie name." } }, { "authorization_cookie_path": { + "required": false, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "description": "The authorization cookie Path flag.", - "required": false, "type": "string", "starts_with": "/", - "default": "/" + "default": "/", + "description": "The authorization cookie Path flag." } }, { "authorization_cookie_domain": { "required": false, - "description": "The authorization cookie Domain flag.", - "type": "string" + "type": "string", + "description": "The authorization cookie Domain flag." } }, { "authorization_cookie_same_site": { - "default": "Default", "required": false, - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "type": "string", + "default": "Default", "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." 
} }, { "authorization_cookie_http_only": { "required": false, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true, "type": "boolean", - "default": true + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." } }, { "authorization_cookie_secure": { "required": false, - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "type": "boolean" + "type": "boolean", + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." } }, { "preserve_query_args": { "required": false, - "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "default": false, "type": "boolean", - "default": false + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow." } }, { "token_endpoint": { "required": false, - "type": "string", - "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint." + "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "type": "string" } }, { "token_endpoint_auth_method": { "required": false, - "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", - "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
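Review bot: `authorization_cookie_secure` has no `default` (unlike `authorization_cookie_http_only`, which defaults to `true`), and its description does not say what the plugin does when the field is left unset. A reader therefore cannot tell whether the cookie that carries the authorization-code-flow state may be sent over plain HTTP by default. The description should state the unset behaviour, for example `When unset, <behaviour to confirm upstream>; set to true whenever the proxy is served over HTTPS.` Likewise `authorization_cookie_same_site` defaults to `Default` without explaining that value, and browsers accept `None` only together with the Secure flag, which deserves a sentence. These schemas are pulled from the API, so the text would have to change upstream.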
@@ -853,59 +1204,62 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ] + ], + "type": "string", + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" } }, { "token_headers_names": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra header names passed to the token endpoint.", - "type": "array" + "description": "Extra header names passed to the token endpoint." } }, { "token_headers_values": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra header values passed to the token endpoint.", - "type": "array" + "description": "Extra header values passed to the token endpoint." } }, { "token_headers_client": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra headers passed from the client to the token endpoint.", - "type": "array" + "description": "Extra headers passed from the client to the token endpoint." } }, { "token_headers_replay": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The names of token endpoint response headers to forward to the downstream client.", - "type": "array" + "description": "The names of token endpoint response headers to forward to the downstream client." } }, { "token_headers_prefix": { "required": false, - "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", - "type": "string" + "type": "string", + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client." } }, { "token_headers_grants": { "required": false, + "type": "array", "elements": { "type": "string", "one_of": [ 
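Review bot: `token_headers_values` is a plain string array with neither `encrypted` nor `referenceable`, while `introspection_headers_values` further down this file is `encrypted: true` with `referenceable` elements. Extra header and post-argument values sent to the identity provider can plausibly hold credentials (an API-key header, for instance), and these fields would not get the at-rest protection or vault references that the introspection field gets. The same applies to `token_post_args_values` in the next hunk, and to `introspection_post_args_values` and `userinfo_headers_values` later in the file. Since the schema is pulled from the API this is something to raise upstream; if the difference is intentional, the descriptions could carry a warning such as `Not encrypted and not vault-referenceable; do not place secrets here.`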
@@ -915,52 +1269,49 @@ "refresh_token" ] }, - "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", - "type": "array" + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant." } }, { "token_post_args_names": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra post argument names passed to the token endpoint.", - "type": "array" + "description": "Extra post argument names passed to the token endpoint." } }, { "token_post_args_values": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra post argument values passed to the token endpoint.", - "type": "array" + "description": "Extra post argument values passed to the token endpoint." } }, { "token_post_args_client": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", - "type": "array" + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. 
If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint." } }, { "introspection_endpoint": { "required": false, - "type": "string", - "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint." + "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", + "type": "string" } }, { "introspection_endpoint_auth_method": { "required": false, - "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", - "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -969,120 +1320,120 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ] + ], + "type": "string", + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" } }, { "introspection_hint": { "required": false, - "description": "Introspection hint parameter value passed to the introspection endpoint.", + "default": "access_token", "type": "string", - "default": "access_token" + "description": "Introspection hint parameter value passed to the introspection endpoint." } }, { "introspection_check_active": { "required": false, - "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "default": true, "type": "boolean", - "default": true + "description": "Check that the introspection response has an `active` claim with a value of `true`." } }, { "introspection_accept": { - "default": "application/json", "required": false, - "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", "type": "string", + "default": "application/json", "one_of": [ "application/json", "application/token-introspection+jwt", "application/jwt" - ] + ], + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)." 
} }, { "introspection_headers_names": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra header names passed to the introspection endpoint.", - "type": "array" + "description": "Extra header names passed to the introspection endpoint." } }, { "introspection_headers_values": { - "encrypted": true, "required": false, "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "description": "Extra header values passed to the introspection endpoint.", - "type": "array" + "type": "array", + "encrypted": true, + "description": "Extra header values passed to the introspection endpoint." } }, { "introspection_headers_client": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra headers passed from the client to the introspection endpoint.", - "type": "array" + "description": "Extra headers passed from the client to the introspection endpoint." } }, { "introspection_post_args_names": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra post argument names passed to the introspection endpoint.", - "type": "array" + "description": "Extra post argument names passed to the introspection endpoint." } }, { "introspection_post_args_values": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra post argument values passed to the introspection endpoint.", - "type": "array" + "description": "Extra post argument values passed to the introspection endpoint." } }, { "introspection_post_args_client": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra post arguments passed from the client to the introspection endpoint.", - "type": "array" + "description": "Extra post arguments passed from the client to the introspection endpoint." 
} }, { "introspect_jwt_tokens": { "required": false, - "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "default": false, "type": "boolean", - "default": false + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations)." } }, { "revocation_endpoint": { "required": false, - "type": "string", - "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint." + "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", + "type": "string" } }, { "revocation_endpoint_auth_method": { "required": false, - "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", - "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -1091,256 +1442,240 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ] + ], + "type": "string", + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" } }, { "end_session_endpoint": { "required": false, - "type": "string", - "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint." + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", + "type": "string" } }, { "userinfo_endpoint": { "required": false, - "type": "string", - "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint." + "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", + "type": "string" } }, { "userinfo_accept": { - "default": "application/json", "required": false, - "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", "type": "string", + "default": "application/json", "one_of": [ "application/json", "application/jwt" - ] + ], + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)." } }, { "userinfo_headers_names": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra header names passed to the user info endpoint.", - "type": "array" + "description": "Extra header names passed to the user info endpoint." 
} }, { "userinfo_headers_values": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra header values passed to the user info endpoint.", - "type": "array" + "description": "Extra header values passed to the user info endpoint." } }, { "userinfo_headers_client": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra headers passed from the client to the user info endpoint.", - "type": "array" + "description": "Extra headers passed from the client to the user info endpoint." } }, { "userinfo_query_args_names": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra query argument names passed to the user info endpoint.", - "type": "array" + "description": "Extra query argument names passed to the user info endpoint." } }, { "userinfo_query_args_values": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra query argument values passed to the user info endpoint.", - "type": "array" + "description": "Extra query argument values passed to the user info endpoint." } }, { "userinfo_query_args_client": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "Extra query arguments passed from the client to the user info endpoint.", - "type": "array" + "description": "Extra query arguments passed from the client to the user info endpoint." } }, { "token_exchange_endpoint": { "required": false, - "type": "string", - "description": "The token exchange endpoint." + "description": "The token exchange endpoint.", + "type": "string" } }, { "session_secret": { - "encrypted": true, - "referenceable": true, "required": false, - "description": "The session secret.", - "type": "string" + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "The session secret." 
} }, { "session_audience": { "required": false, - "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "default": "default", "type": "string", - "default": "default" + "description": "The session audience, which is the intended target application. For example `\"my-application\"`." } }, { "session_cookie_name": { "required": false, - "description": "The session cookie name.", + "default": "session", "type": "string", - "default": "session" + "description": "The session cookie name." } }, { "session_remember": { "required": false, - "description": "Enables or disables persistent sessions.", + "default": false, "type": "boolean", - "default": false + "description": "Enables or disables persistent sessions." } }, { "session_remember_cookie_name": { "required": false, - "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "default": "remember", "type": "string", - "default": "remember" + "description": "Persistent session cookie name. Use with the `remember` configuration parameter." } }, { "session_remember_rolling_timeout": { "required": false, - "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "default": 604800, "type": "number", - "default": 604800 + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling." } }, { "session_remember_absolute_timeout": { "required": false, - "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "default": 2592000, "type": "number", - "default": 2592000 + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks." 
} }, { "session_idling_timeout": { "required": false, - "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "default": 900, "type": "number", - "default": 900 + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching." } }, { "session_rolling_timeout": { "required": false, - "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "default": 3600, "type": "number", - "default": 3600 + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." } }, { "session_absolute_timeout": { "required": false, - "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "default": 86400, "type": "number", - "default": 86400 + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks." } }, { "session_cookie_path": { + "required": false, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "description": "The session cookie Path flag.", - "required": false, "type": "string", "starts_with": "/", - "default": "/" + "default": "/", + "description": "The session cookie Path flag." } }, { "session_cookie_domain": { "required": false, - "description": "The session cookie Domain flag.", - "type": "string" + "type": "string", + "description": "The session cookie Domain flag." 
} }, { "session_cookie_same_site": { - "default": "Lax", "required": false, - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "type": "string", + "default": "Lax", "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." } }, { "session_cookie_http_only": { "required": false, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true, "type": "boolean", - "default": true + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." } }, { "session_cookie_secure": { "required": false, - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "type": "boolean" + "type": "boolean", + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." } }, { "session_request_headers": { "required": false, - "elements": { - "type": "string", - "one_of": [ - "id", - "audience", - "subject", - "timeout", - "idling-timeout", - "rolling-timeout", - "absolute-timeout" - ] - }, "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", - "type": "set" - } - }, - { - "session_response_headers": { - "required": false, "elements": { "type": "string", "one_of": [ 
@@ -1348,254 +1683,524 @@ "audience", "subject", "timeout", - "idling-timeout", - "rolling-timeout", - "absolute-timeout" - ] - }, - "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", - "type": "set" - } - }, - { - "session_storage": { - "default": "cookie", - "required": false, - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", - "type": "string", - "one_of": [ - "cookie", - "memcache", - "memcached", - "redis" - ] - } - }, - { - "session_store_metadata": { - "required": false, - "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", - "type": "boolean", - "default": false - } - }, - { - "session_enforce_same_subject": { - "required": false, - "description": "When set to `true`, audiences are forced to share the same subject.", - "type": "boolean", - "default": false - } - }, - { - "session_hash_subject": { - "required": false, - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", - "type": "boolean", - "default": false - } - }, - { - "session_hash_storage_key": { - "required": false, - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", - "type": "boolean", - "default": false - } - }, - { - "session_memcached_prefix": { - "required": false, - "description": "The memcached session key prefix.", - "type": "string" - } - }, - { - "session_memcached_socket": { - "required": false, - "description": "The memcached unix socket path.", - "type": "string" - } - }, - { - "session_memcached_host": { - "required": false, - "description": "The memcached host.", - "type": "string", - "default": "127.0.0.1" - } - }, - { - "session_memcached_port": { - "default": 11211, - "required": false, - "description": "The memcached port.", - "type": "integer", - "between": [ - 0, - 65535 - ] - } - }, - { - "session_redis_prefix": { - "required": false, - "description": "The Redis session key prefix.", - "type": "string" + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "type": "set" } }, { - "session_redis_socket": { + "session_response_headers": { "required": false, - "description": "The Redis unix socket path.", - "type": "string" + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. 
`[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "type": "set" } }, { - "session_redis_host": { + "session_storage": { "required": false, - "description": "The Redis host.", "type": "string", - "default": "127.0.0.1" - } - }, - { - "session_redis_port": { - "default": 6379, - "required": false, - "description": "The Redis port.", - "type": "integer", - "between": [ - 0, - 65535 - ] + "default": "cookie", + "one_of": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis." } }, { - "session_redis_username": { + "session_store_metadata": { "required": false, - "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string", - "referenceable": true + "default": false, + "type": "boolean", + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject." } }, { - "session_redis_password": { - "encrypted": true, - "referenceable": true, + "session_enforce_same_subject": { "required": false, - "description": "Password to use for Redis connection when the `redis` session storage is defined. 
If undefined, no AUTH commands are sent to Redis.", - "type": "string" + "default": false, + "type": "boolean", + "description": "When set to `true`, audiences are forced to share the same subject." } }, { - "session_redis_connect_timeout": { + "session_hash_subject": { "required": false, - "description": "Session redis connection timeout in milliseconds.", - "type": "integer" + "default": false, + "type": "boolean", + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." } }, { - "session_redis_read_timeout": { + "session_hash_storage_key": { "required": false, - "description": "Session redis read timeout in milliseconds.", - "type": "integer" + "default": false, + "type": "boolean", + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." } }, { - "session_redis_send_timeout": { + "session_memcached_prefix": { "required": false, - "description": "Session redis send timeout in milliseconds.", - "type": "integer" + "type": "string", + "description": "The memcached session key prefix." } }, { - "session_redis_ssl": { + "session_memcached_socket": { "required": false, - "description": "Use SSL/TLS for Redis connection.", - "type": "boolean", - "default": false + "type": "string", + "description": "The memcached unix socket path." } }, { - "session_redis_ssl_verify": { + "session_memcached_host": { "required": false, - "description": "Verify identity provider server certificate.", - "type": "boolean", - "default": false + "default": "127.0.0.1", + "type": "string", + "description": "The memcached host." 
} }, { - "session_redis_server_name": { + "session_memcached_port": { "required": false, - "description": "The SNI used for connecting the Redis server.", - "type": "string" + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 11211, + "description": "The memcached port." } }, { - "session_redis_cluster_nodes": { - "required": false, - "elements": { - "type": "record", - "fields": [ - { - "ip": { - "required": true, - "type": "string", - "description": "A string representing a host name, such as example.com.", - "default": "127.0.0.1" - } - }, - { - "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", - "between": [ - 0, - 65535 - ] + "redis": { + "required": true, + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + }, + "if_match": { + "eq": true } } - ] - }, - "description": "The Redis cluster node host. 
Takes an array of host records, with either `ip` or `host`, and `port` values.", - "type": "array" - } - }, - { - "session_redis_cluster_max_redirections": { - "required": false, - "description": "The Redis cluster maximum redirects.", - "type": "integer" + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "connect_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "send_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "read_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "username": { + "referenceable": true, + "type": "string", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." 
+ } + }, + { + "password": { + "type": "string", + "referenceable": true, + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + } + }, + { + "sentinel_username": { + "referenceable": true, + "type": "string", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + } + }, + { + "sentinel_password": { + "type": "string", + "referenceable": true, + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + } + }, + { + "database": { + "default": 0, + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy" + } + }, + { + "keepalive_pool_size": { + "between": [ + 1, + 2147483646 + ], + "default": 256, + "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "one_of": [ + "master", + "slave", + "any" + ], + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_nodes": { + "required": false, + "elements": { + "fields": [ + { + "host": { + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ], + "type": "record" + }, + "len_min": 1, + "type": "array", + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + } + }, + { + "cluster_nodes": { + "required": false, + "elements": { + "fields": [ + { + "ip": { + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ], + "type": "record" + }, + "len_min": 1, + "type": "array", + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." 
+ } + }, + { + "ssl": { + "required": false, + "default": false, + "type": "boolean", + "description": "If set to true, uses SSL to connect to Redis." + } + }, + { + "ssl_verify": { + "required": false, + "default": false, + "type": "boolean", + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + } + }, + { + "server_name": { + "required": false, + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS." + } + }, + { + "cluster_max_redirections": { + "required": false, + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + } + }, + { + "connection_is_proxied": { + "required": false, + "default": false, + "type": "boolean", + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address." + } + }, + { + "prefix": { + "required": false, + "type": "string", + "description": "The Redis session key prefix." + } + }, + { + "socket": { + "required": false, + "type": "string", + "description": "The Redis unix socket path." 
+ } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "connect_timeout" + ], + "type": "integer" + } + }, + { + "sentinel_addresses": { + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } + }, + { + "cluster_addresses": { + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } + } + ] } }, { "reverify": { "required": false, - "description": "Specifies whether to always verify tokens stored in the session.", + "default": false, "type": "boolean", - "default": false + "description": "Specifies whether to always verify tokens stored in the session." } }, { "jwt_session_claim": { "required": false, - "description": "The claim to match against the JWT session cookie.", + "default": "sid", "type": "string", - "default": "sid" + "description": "The claim to match against the JWT session cookie." } }, { "jwt_session_cookie": { "required": false, - "description": "The name of the JWT session cookie.", - "type": "string" + "type": "string", + "description": "The name of the JWT session cookie." } }, { "bearer_token_param_type": { - "type": "array", "required": false, "elements": { "type": "string", 
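Review bot: The added `redis` record (marked `"required": true`) replaces every `session_redis_*` field that this hunk removes, which is a structural change rather than the description refresh the commit message describes. It is worth confirming that the API instance the schema was pulled from runs a 3.4 build; otherwise the 3.4.x reference may document settings that release does not accept. Separately, `ssl` and `ssl_verify` both carry `"default": false` next to an `encrypted` `password`, and the `ssl` description does not say what that means for the credential. Because the file is downloaded, the wording would have to change in the upstream schema, for example `If set to true, uses SSL to connect to Redis. When false, the Redis password is sent over the connection unencrypted.` The hunk opens inside `session_request_headers`, so the enclosing field list starts outside it.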
@@ -1606,24 +2211,24 @@ "body" ] }, - "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "type": "array", "default": [ "header", "query", "body" - ] + ], + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`." } }, { "bearer_token_cookie_name": { "required": false, - "description": "The name of the cookie in which the bearer token is passed.", - "type": "string" + "type": "string", + "description": "The name of the cookie in which the bearer token is passed." } }, { "client_credentials_param_type": { - "type": "array", "required": false, "elements": { "type": "string", @@ -1633,17 +2238,17 @@ "body" ] }, - "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "type": "array", "default": [ "header", "query", "body" - ] + ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body." } }, { "password_param_type": { - "type": "array", "required": false, "elements": { "type": "string", 
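Review bot: The `default` re-added for `bearer_token_param_type` still lists `query`, and the hunks that follow keep the same default for `client_credentials_param_type`, `password_param_type`, `id_token_param_type` and `refresh_token_param_type`. None of the visible descriptions mentions that tokens and passwords accepted from the URL query string are commonly recorded in access logs and by intermediaries. Since these files are pulled from the API, the text has to be changed in the plugin schema upstream; I would append a sentence such as `Values sent in the query string can end up in access logs; limit this list to header and body where clients allow it.` to each description. Each property object starts or ends outside its hunk, so only the `default` and `description` lines are reviewed here.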
@@ -1653,17 +2258,17 @@ "body" ] }, - "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "type": "array", "default": [ "header", "query", "body" - ] + ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." } }, { "id_token_param_type": { - "type": "array", "required": false, "elements": { "type": "string", @@ -1673,24 +2278,24 @@ "body" ] }, - "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "type": "array", "default": [ "header", "query", "body" - ] + ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." } }, { "id_token_param_name": { "required": false, - "description": "The name of the parameter used to pass the id token.", - "type": "string" + "type": "string", + "description": "The name of the parameter used to pass the id token." } }, { "refresh_token_param_type": { - "type": "array", "required": false, "elements": { "type": "string", 
@@ -1700,213 +2305,213 @@ "body" ] }, - "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "type": "array", "default": [ "header", "query", "body" - ] + ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." } }, { "refresh_token_param_name": { "required": false, - "description": "The name of the parameter used to pass the refresh token.", - "type": "string" + "type": "string", + "description": "The name of the parameter used to pass the refresh token." } }, { "refresh_tokens": { "required": false, - "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "default": true, "type": "boolean", - "default": true + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available." } }, { "upstream_headers_claims": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "type": "array" + "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload." } }, { "upstream_headers_names": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The upstream header names for the claim values.", - "type": "array" + "description": "The upstream header names for the claim values." 
} }, { "upstream_access_token_header": { "required": false, - "description": "The upstream access token header.", + "default": "authorization:bearer", "type": "string", - "default": "authorization:bearer" + "description": "The upstream access token header." } }, { "upstream_access_token_jwk_header": { "required": false, - "description": "The upstream access token JWK header.", - "type": "string" + "type": "string", + "description": "The upstream access token JWK header." } }, { "upstream_id_token_header": { "required": false, - "description": "The upstream id token header.", - "type": "string" + "type": "string", + "description": "The upstream id token header." } }, { "upstream_id_token_jwk_header": { "required": false, - "description": "The upstream id token JWK header.", - "type": "string" + "type": "string", + "description": "The upstream id token JWK header." } }, { "upstream_refresh_token_header": { "required": false, - "description": "The upstream refresh token header.", - "type": "string" + "type": "string", + "description": "The upstream refresh token header." } }, { "upstream_user_info_header": { "required": false, - "description": "The upstream user info header.", - "type": "string" + "type": "string", + "description": "The upstream user info header." } }, { "upstream_user_info_jwt_header": { "required": false, - "description": "The upstream user info JWT header (in case the user info returns a JWT response).", - "type": "string" + "type": "string", + "description": "The upstream user info JWT header (in case the user info returns a JWT response)." } }, { "upstream_introspection_header": { "required": false, - "description": "The upstream introspection header.", - "type": "string" + "type": "string", + "description": "The upstream introspection header." 
} }, { "upstream_introspection_jwt_header": { "required": false, - "description": "The upstream introspection JWT header.", - "type": "string" + "type": "string", + "description": "The upstream introspection JWT header." } }, { "upstream_session_id_header": { "required": false, - "description": "The upstream session id header.", - "type": "string" + "type": "string", + "description": "The upstream session id header." } }, { "downstream_headers_claims": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "type": "array" + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload." } }, { "downstream_headers_names": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The downstream header names for the claim values.", - "type": "array" + "description": "The downstream header names for the claim values." } }, { "downstream_access_token_header": { "required": false, - "description": "The downstream access token header.", - "type": "string" + "type": "string", + "description": "The downstream access token header." } }, { "downstream_access_token_jwk_header": { "required": false, - "description": "The downstream access token JWK header.", - "type": "string" + "type": "string", + "description": "The downstream access token JWK header." } }, { "downstream_id_token_header": { "required": false, - "description": "The downstream id token header.", - "type": "string" + "type": "string", + "description": "The downstream id token header." } }, { "downstream_id_token_jwk_header": { "required": false, - "description": "The downstream id token JWK header.", - "type": "string" + "type": "string", + "description": "The downstream id token JWK header." 
} }, { "downstream_refresh_token_header": { "required": false, - "description": "The downstream refresh token header.", - "type": "string" + "type": "string", + "description": "The downstream refresh token header." } }, { "downstream_user_info_header": { "required": false, - "description": "The downstream user info header.", - "type": "string" + "type": "string", + "description": "The downstream user info header." } }, { "downstream_user_info_jwt_header": { "required": false, - "description": "The downstream user info JWT header (in case the user info returns a JWT response).", - "type": "string" + "type": "string", + "description": "The downstream user info JWT header (in case the user info returns a JWT response)." } }, { "downstream_introspection_header": { "required": false, - "description": "The downstream introspection header.", - "type": "string" + "type": "string", + "description": "The downstream introspection header." } }, { "downstream_introspection_jwt_header": { "required": false, - "description": "The downstream introspection JWT header.", - "type": "string" + "type": "string", + "description": "The downstream introspection JWT header." } }, { "downstream_session_id_header": { "required": false, - "description": "The downstream session id header.", - "type": "string" + "type": "string", + "description": "The downstream session id header." } }, { "login_methods": { - "type": "array", "required": false, "elements": { "type": "string", 
@@ -1922,28 +2527,28 @@ "session" ] }, - "description": "Enable login functionality with specified grants.", + "type": "array", "default": [ "authorization_code" - ] + ], + "description": "Enable login functionality with specified grants." } }, { "login_action": { - "default": "upstream", "required": false, - "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", "type": "string", + "default": "upstream", "one_of": [ "upstream", "response", "redirect" - ] + ], + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location." } }, { "login_tokens": { - "type": "array", "required": false, "elements": { "type": "string", 
@@ -1955,48 +2560,48 @@ "introspection" ] }, - "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "type": "array", "default": [ "id_token" - ] + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response." } }, { "login_redirect_mode": { - "default": "fragment", "required": false, - "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", "type": "string", + "default": "fragment", "one_of": [ "query", "fragment" - ] + ], + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)." } }, { "logout_query_arg": { "required": false, - "description": "The request query argument that activates the logout.", - "type": "string" + "type": "string", + "description": "The request query argument that activates the logout." } }, { "logout_post_arg": { "required": false, - "description": "The request body argument that activates the logout.", - "type": "string" + "type": "string", + "description": "The request body argument that activates the logout." } }, { "logout_uri_suffix": { "required": false, - "description": "The request URI suffix that activates the logout.", - "type": "string" + "type": "string", + "description": "The request URI suffix that activates the logout." 
} }, { "logout_methods": { - "type": "array", "required": false, "elements": { "type": "string", 
@@ -2006,50 +2611,50 @@ "DELETE" ] }, - "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "type": "array", "default": [ "POST", "DELETE" - ] + ], + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method." } }, { "logout_revoke": { "required": false, - "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "default": false, "type": "boolean", - "default": false + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters." } }, { "logout_revoke_access_token": { "required": false, - "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "default": true, "type": "boolean", - "default": true + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`." } }, { "logout_revoke_refresh_token": { "required": false, - "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "default": true, "type": "boolean", - "default": true + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`." } }, { "consumer_claim": { "required": false, + "type": "array", "elements": { "type": "string" }, - "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "type": "array" + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload." 
} }, { "consumer_by": { - "type": "array", "required": false, "elements": { "type": "string", 
@@ -2059,92 +2664,92 @@ "custom_id" ] }, - "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "type": "array", "default": [ "username", "custom_id" - ] + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`." } }, { "consumer_optional": { "required": false, - "description": "Do not terminate the request if consumer mapping fails.", + "default": false, "type": "boolean", - "default": false + "description": "Do not terminate the request if consumer mapping fails." } }, { "credential_claim": { - "type": "array", "required": false, "elements": { "type": "string" }, - "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", "default": [ "sub" - ] + ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload." } }, { "anonymous": { "required": false, - "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { "run_on_preflight": { "required": false, - "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "default": true, "type": "boolean", - "default": true + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests." } }, { "leeway": { "required": false, - "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "default": 0, "type": "number", - "default": 0 + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims" } }, { "verify_parameters": { "required": false, - "description": "Verify plugin configuration against discovery.", + "default": false, "type": "boolean", - "default": false + "description": "Verify plugin configuration against discovery." } }, { "verify_nonce": { "required": false, - "description": "Verify nonce on authorization code flow.", + "default": true, "type": "boolean", - "default": true + "description": "Verify nonce on authorization code flow." } }, { "verify_claims": { "required": false, - "description": "Verify tokens for standard claims.", + "default": true, "type": "boolean", - "default": true + "description": "Verify tokens for standard claims." } }, { "verify_signature": { "required": false, - "description": "Verify signature of tokens.", + "default": true, "type": "boolean", - "default": true + "description": "Verify signature of tokens." 
} }, { "ignore_signature": { - "type": "array", "required": false, "elements": { "type": "string", @@ -2158,23 +2763,25 @@ "userinfo" ] }, - "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "type": "array", "default": [ - ] + ], + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication." } }, { "enable_hs_signatures": { "required": false, - "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "default": false, "type": "boolean", - "default": false + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted)." } }, { "disable_session": { "required": false, + "type": "array", "elements": { "type": "string", "one_of": [ 
@@ -2189,464 +2796,707 @@ "session" ] }, - "description": "Disable issuing the session cookie with the specified grants.", - "type": "array" + "description": "Disable issuing the session cookie with the specified grants." } }, { "cache_ttl": { "required": false, - "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "default": 3600, "type": "number", - "default": 3600 + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry." } }, { "cache_ttl_max": { "required": false, - "description": "The maximum cache ttl in seconds (enforced).", - "type": "number" + "type": "number", + "description": "The maximum cache ttl in seconds (enforced)." } }, { "cache_ttl_min": { "required": false, - "description": "The minimum cache ttl in seconds (enforced).", - "type": "number" + "type": "number", + "description": "The minimum cache ttl in seconds (enforced)." } }, { "cache_ttl_neg": { "required": false, - "description": "The negative cache ttl in seconds.", - "type": "number" + "type": "number", + "description": "The negative cache ttl in seconds." } }, { "cache_ttl_resurrect": { "required": false, - "description": "The resurrection ttl in seconds.", - "type": "number" + "type": "number", + "description": "The resurrection ttl in seconds." } }, { "cache_tokens": { "required": false, - "description": "Cache the token endpoint requests.", + "default": true, "type": "boolean", - "default": true + "description": "Cache the token endpoint requests." } }, { "cache_tokens_salt": { "required": false, - "auto": true, "type": "string", + "auto": true, "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." 
} }, { "cache_introspection": { "required": false, - "description": "Cache the introspection endpoint requests.", + "default": true, "type": "boolean", - "default": true + "description": "Cache the introspection endpoint requests." } }, { "cache_token_exchange": { "required": false, - "description": "Cache the token exchange endpoint requests.", + "default": true, "type": "boolean", - "default": true + "description": "Cache the token exchange endpoint requests." } }, { "cache_user_info": { "required": false, - "description": "Cache the user info requests.", + "default": true, "type": "boolean", - "default": true + "description": "Cache the user info requests." } }, { "search_user_info": { "required": false, - "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "default": false, "type": "boolean", - "default": false + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers." } }, { "hide_credentials": { "required": false, - "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "default": false, "type": "boolean", - "default": false + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication." 
} }, { "http_version": { "required": false, - "type": "number", + "default": 1.1, "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", - "default": 1.1 + "type": "number" } }, { "http_proxy": { "required": false, - "type": "string", - "description": "The HTTP proxy." + "description": "The HTTP proxy.", + "type": "string" } }, { "http_proxy_authorization": { "required": false, - "description": "The HTTP proxy authorization.", - "type": "string" + "type": "string", + "description": "The HTTP proxy authorization." } }, { "https_proxy": { "required": false, - "type": "string", - "description": "The HTTPS proxy." + "description": "The HTTPS proxy.", + "type": "string" } }, { "https_proxy_authorization": { "required": false, - "description": "The HTTPS proxy authorization.", - "type": "string" + "type": "string", + "description": "The HTTPS proxy authorization." } }, { "no_proxy": { "required": false, - "description": "Do not use proxy with these hosts.", - "type": "string" + "type": "string", + "description": "Do not use proxy with these hosts." } }, { "keepalive": { "required": false, - "description": "Use keepalive with the HTTP client.", + "default": true, "type": "boolean", - "default": true + "description": "Use keepalive with the HTTP client." } }, { "ssl_verify": { "required": false, - "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "default": false, "type": "boolean", - "default": false + "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`." 
} }, { "timeout": { "required": false, - "description": "Network IO timeout in milliseconds.", + "default": 10000, "type": "number", - "default": 10000 + "description": "Network IO timeout in milliseconds." } }, { "display_errors": { "required": false, - "description": "Display errors on failure responses.", + "default": false, "type": "boolean", - "default": false + "description": "Display errors on failure responses." } }, { "by_username_ignore_case": { "required": false, - "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "default": false, "type": "boolean", - "default": false + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively." } }, { "resolve_distributed_claims": { "required": false, - "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "default": false, "type": "boolean", - "default": false + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims." } }, { "expose_error_code": { - "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "default": true, "type": "boolean", - "default": true + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable." 
} }, { "token_cache_key_include_scope": { - "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "default": false, "type": "boolean", - "default": false + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens." } }, { "introspection_token_param_name": { "required": false, - "description": "Designate token's parameter name for introspection.", + "default": "token", "type": "string", - "default": "token" + "description": "Designate token's parameter name for introspection." } }, { "revocation_token_param_name": { "required": false, - "description": "Designate token's parameter name for revocation.", + "default": "token", "type": "string", - "default": "token" + "description": "Designate token's parameter name for revocation." } }, { "proof_of_possession_mtls": { - "default": "off", "required": false, - "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", "type": "string", + "default": "off", "one_of": [ "off", "strict", "optional" - ] + ], + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401." } }, { "proof_of_possession_auth_methods_validation": { "required": false, - "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. 
If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "default": true, "type": "boolean", - "default": true + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP." } }, { "tls_client_auth_cert_id": { - "uuid": true, "required": false, - "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", "type": "string", - "auto": false + "uuid": true, + "auto": false, + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server." } }, { "tls_client_auth_ssl_verify": { "required": false, - "description": "Verify identity provider server certificate during mTLS client authentication.", + "default": true, "type": "boolean", - "default": true + "description": "Verify identity provider server certificate during mTLS client authentication." } }, { "mtls_token_endpoint": { "required": false, - "type": "string", - "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." + "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" } }, { "mtls_introspection_endpoint": { "required": false, - "type": "string", - "description": "Alias for the introspection endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" } }, { "mtls_revocation_endpoint": { "required": false, - "type": "string", - "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint." + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" } }, { "proof_of_possession_dpop": { - "default": "off", "required": false, - "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", "type": "string", + "default": "off", "one_of": [ "off", "strict", "optional" - ] + ], + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof." } }, { "dpop_use_nonce": { "required": false, - "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", + "default": false, "type": "boolean", - "default": false + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime." 
} }, { "dpop_proof_lifetime": { "required": false, + "default": 300, "type": "number", - "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", - "default": 300 - } - } - ], - "required": true, - "shorthand_fields": [ - { - "authorization_cookie_lifetime": { - "type": "number", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.authorization_cookie_lifetime is deprecated, please use config.authorization_rolling_timeout instead" - } - } - }, - { - "authorization_cookie_samesite": { - "type": "string", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.authorization_cookie_samesite is deprecated, please use config.authorization_cookie_same_site instead" - } - } - }, - { - "authorization_cookie_httponly": { - "type": "boolean", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.authorization_cookie_httponly is deprecated, please use config.authorization_cookie_http_only instead" - } - } - }, - { - "session_cookie_lifetime": { - "type": "number", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead" - } - } - }, - { - "session_cookie_idletime": { - "type": "number", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead" - } - } - }, - { - "session_cookie_samesite": { - "type": "string", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead" - } - } - }, - { - "session_cookie_httponly": { - "type": "boolean", - 
"deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead" - } - } - }, - { - "session_memcache_prefix": { - "type": "string", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead" - } - } - }, - { - "session_memcache_socket": { - "type": "string", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead" - } - } - }, - { - "session_memcache_host": { - "type": "string", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead" - } - } - }, - { - "session_memcache_port": { - "type": "integer", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead" - } - } - }, - { - "session_redis_cluster_maxredirections": { - "type": "integer", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_redis_cluster_maxredirections is deprecated, please use config.session_redis_cluster_max_redirections instead" - } - } - }, - { - "session_cookie_renew": { - "type": "number", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_renew option does not exist anymore" - } + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise." 
} }, { - "session_cookie_maxsize": { - "type": "integer", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore" - } + "claims_forbidden": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "If given, these claims are forbidden in the token payload." } }, { - "session_strategy": { + "cluster_cache_strategy": { + "required": false, "type": "string", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_strategy option does not exist anymore" - } + "default": "off", + "one_of": [ + "off", + "redis" + ], + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared." } }, { - "session_compressor": { - "type": "string", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_compressor option does not exist anymore" - } + "cluster_cache_redis": { + "required": true, + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "then_field": "host", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + }, + "if_field": "connection_is_proxied" + } + }, + { + 
"custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "connect_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" + } + }, + { + "send_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" + } + }, + { + "read_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" + } + }, + { + "username": { + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + { + "password": { + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "encrypted": true, + "type": "string" + } + }, + { + "sentinel_username": { + "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "encrypted": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "between": [ + 1, + 2147483646 + ], + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." 
+ } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "one_of": [ + "master", + "slave", + "any" + ], + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_nodes": { + "required": false, + "elements": { + "fields": [ + { + "host": { + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + } + }, + { + "cluster_nodes": { + "required": false, + "elements": { + "fields": [ + { + "ip": { + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." 
+ } + }, + { + "ssl": { + "required": false, + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + } + }, + { + "ssl_verify": { + "required": false, + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + } + }, + { + "server_name": { + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + } + }, + { + "cluster_max_redirections": { + "required": false, + "default": 5, + "type": "integer", + "description": "Maximum retry attempts for redirection." + } + }, + { + "connection_is_proxied": { + "required": false, + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "connect_timeout" + ], + "type": "integer" + } + }, + { + "sentinel_addresses": { + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } + }, + { + "cluster_addresses": { + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } + } + ] } } ], "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/opentelemetry/3.8.x.json b/schemas/opentelemetry/3.8.x.json index 5d917906..e7c1e33c 100644 --- a/schemas/opentelemetry/3.8.x.json +++ b/schemas/opentelemetry/3.8.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", 
@@ -13,59 +15,76 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "required": true, + "entity_checks": [ + { + "at_least_one_of": [ + "traces_endpoint", + "logs_endpoint" + ] + } + ], + "type": "record", "fields": [ { - "endpoint": { - "required": true, + "traces_endpoint": { + "referenceable": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + { + "logs_endpoint": { "referenceable": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" } }, { "headers": { - "keys": { - "type": "string", - "description": "A string representing an HTTP header name." - }, - "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", "type": "map", + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", "values": { "type": "string", "referenceable": true + }, + "keys": { + "type": "string", + "description": "A string representing an HTTP header name." 
} } }, { "resource_attributes": { "keys": { - "type": "string", - "required": true + "required": true, + "type": "string" }, - "type": "map", "values": { - "type": "string", - "required": true - } + "required": true, + "type": "string" + }, + "type": "map" } }, { @@ -73,35 +92,35 @@ "fields": [ { "max_batch_size": { - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 - ] + ], + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 - ] + ], + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 - ] + ], + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue." } }, { 
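Review bot: `config.headers` is described in this hunk as the place for authentication headers (tokens) for the APM backend, yet its `values` entry carries only `"referenceable": true` and no `"encrypted": true`, unlike the Redis `password` and `sentinel_password` fields elsewhere in this patch. If the schema format accepts that attribute on map values (not visible here), the entry could become `"values": { "type": "string", "referenceable": true, "encrypted": true }`. The hunk only reorders the keys of `headers`, so this predates the change. These files look generated, so the fix belongs in the plugin's schema source. Until then the field description could recommend supplying token-bearing header values as vault references rather than literals.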
@@ -112,94 +131,105 @@ }, { "max_retry_time": { + "default": 60, "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "default": 60 + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 - ] + ], + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff." + } + }, + { + "concurrency_limit": { + "type": "integer", + "default": 1, + "one_of": [ + -1, + 1 + ], + "description": "The number of of queue delivery timers. -1 indicates unlimited." } } ], - "required": true, - "type": "record", "default": { "max_batch_size": 200 - } + }, + "required": true, + "type": "record" } }, { "batch_span_count": { "deprecation": { - "old_default": 200, "message": "opentelemetry: config.batch_span_count is deprecated, please use config.queue.max_batch_size instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "old_default": 200 }, - "description": "The number of spans to be sent in a single batch.", - "type": "integer" + "type": "integer", + "description": "The number of spans to be sent in a single batch." 
} }, { "batch_flush_delay": { "deprecation": { - "old_default": 3, "message": "opentelemetry: config.batch_flush_delay is deprecated, please use config.queue.max_coalescing_delay instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "old_default": 3 }, - "description": "The delay, in seconds, between two consecutive batches.", - "type": "integer" + "type": "integer", + "description": "The delay, in seconds, between two consecutive batches." } }, { "connect_timeout": { - "default": 1000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 1000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "read_timeout": { - "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { @@ -209,14 +239,14 @@ }, { "header_type": { - "default": "preserve", "required": false, + "type": "string", "deprecation": { - "old_default": "preserve", "message": "opentelemetry: config.header_type is deprecated, please use config.propagation options instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "old_default": "preserve" }, - "type": "string", + "default": "preserve", "one_of": [ "preserve", "ignore", 
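Review bot: The description added for `concurrency_limit` has a doubled word ("The number of of queue delivery timers") and reads as a free count, while its `one_of` admits only `-1` and `1`. Wording that matches the constraint would be `"description": "The number of queue delivery timers: 1 for a single timer, -1 for unlimited."`. What an unlimited setting means for load on the receiving OTLP endpoint is not stated anywhere in the hunk and may deserve a sentence once confirmed upstream. These files look generated, so the text would need correcting in the plugin's schema source rather than here.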
@@ -235,11 +265,11 @@ "sampling_rate": { "required": false, "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", - "type": "number", "between": [ 0, 1 - ] + ], + "type": "number" } }, { 
@@ -247,83 +277,91 @@ "fields": [ { "extract": { + "type": "array", "elements": { "type": "string", "one_of": [ - "b3", - "gcp", - "jaeger", "aws", "ot", "w3c", - "datadog" + "datadog", + "b3", + "gcp", + "jaeger" ] }, - "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", - "type": "array" + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID." } }, { "clear": { + "type": "array", "elements": { "type": "string" }, - "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", - "type": "array" + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared." } }, { "inject": { + "type": "array", "elements": { "type": "string", "one_of": [ "preserve", - "b3", - "gcp", - "b3-single", - "jaeger", "aws", "ot", "w3c", - "datadog" + "datadog", + "b3", + "gcp", + "b3-single", + "jaeger" ] }, - "description": "Header formats used to inject tracing context. 
The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", - "type": "array" + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests." } }, { "default_format": { "required": true, - "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", - "type": "string", "one_of": [ - "b3", - "gcp", - "b3-single", - "jaeger", "aws", "ot", "w3c", - "datadog" - ] + "datadog", + "b3", + "gcp", + "b3-single", + "jaeger" + ], + "type": "string", + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`." 
} } ], - "required": true, - "type": "record", "default": { "default_format": "w3c" - } + }, + "required": true, + "type": "record" } } ], - "type": "record", - "required": true + "shorthand_fields": [ + { + "endpoint": { + "deprecation": { + "message": "OpenTelemetry: config.endpoint is deprecated, please use config.traces_endpoint instead", + "removal_in_version": "4.0" + }, + "referenceable": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + } + ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/post-function/3.8.x.json b/schemas/post-function/3.8.x.json index b1717b8b..6f23c173 100644 --- a/schemas/post-function/3.8.x.json +++ b/schemas/post-function/3.8.x.json @@ -1,8 +1,32 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ], "fields": [ { "protocols": { "required": false, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], "elements": { "type": "string", "one_of": [ 
@@ -14,40 +38,29 @@ "wss" ] }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] + "type": "set" } }, { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -59,15 +72,18 @@ "udp", "ws", "wss" - ] + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "description": "A set of strings representing protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { 
@@ -76,153 +92,137 @@ { "certificate": { "required": true, + "default": [ + + ], "elements": { "required": false, "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "rewrite": { "required": true, + "default": [ + + ], "elements": { "required": false, "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "access": { "required": true, + "default": [ + + ], "elements": { "required": false, "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "header_filter": { "required": true, + "default": [ + + ], "elements": { "required": false, "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "body_filter": { "required": true, + "default": [ + + ], "elements": { "required": false, "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "log": { "required": true, + "default": [ + + ], "elements": { "required": false, "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "ws_handshake": { "required": true, + "default": [ + + ], "elements": { "required": false, "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "ws_client_frame": { "required": true, + "default": [ + + ], "elements": { "required": false, "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "ws_upstream_frame": { "required": true, + "default": [ + + ], "elements": { "required": false, "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "ws_close": { "required": true, + "default": [ + + ], "elements": { "required": false, "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.certificate", - "config.rewrite", - "config.access", - "config.header_filter", - 
"config.body_filter", - "config.log", - "config.ws_handshake", - "config.ws_upstream_frame", - "config.ws_client_frame", - "config.ws_close" - ] - } ] } \ No newline at end of file diff --git a/schemas/pre-function/3.8.x.json b/schemas/pre-function/3.8.x.json index b1717b8b..6f23c173 100644 --- a/schemas/pre-function/3.8.x.json +++ b/schemas/pre-function/3.8.x.json @@ -1,8 +1,32 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ], "fields": [ { "protocols": { "required": false, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], "elements": { "type": "string", "one_of": [ @@ -14,40 +38,29 @@ "wss" ] }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] + "type": "set" } }, { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -59,15 +72,18 @@ "udp", "ws", "wss" - ] + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "description": "A set of strings representing protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { 
@@ -76,153 +92,137 @@ { "certificate": { "required": true, + "default": [ + + ], "elements": { "required": false, "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "rewrite": { "required": true, + "default": [ + + ], "elements": { "required": false, "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "access": { "required": true, + "default": [ + + ], "elements": { "required": false, "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "header_filter": { "required": true, + "default": [ + + ], "elements": { "required": false, "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "body_filter": { "required": true, + "default": [ + + ], "elements": { "required": false, "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "log": { "required": true, + "default": [ + + ], "elements": { "required": false, "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "ws_handshake": { "required": true, + "default": [ + + ], "elements": { "required": false, "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "ws_client_frame": { "required": true, + "default": [ + + ], "elements": { "required": false, "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "ws_upstream_frame": { "required": true, + "default": [ + + ], "elements": { "required": false, "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "ws_close": { "required": true, + "default": [ + + ], "elements": { "required": false, "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.certificate", - "config.rewrite", - "config.access", - "config.header_filter", - 
"config.body_filter", - "config.log", - "config.ws_handshake", - "config.ws_upstream_frame", - "config.ws_client_frame", - "config.ws_close" - ] - } ] } \ No newline at end of file diff --git a/schemas/prometheus/3.8.x.json b/schemas/prometheus/3.8.x.json index bf375f1e..477afdae 100644 --- a/schemas/prometheus/3.8.x.json +++ b/schemas/prometheus/3.8.x.json @@ -1,12 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -18,23 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "description": "A set of strings representing protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -42,46 +45,50 @@ "fields": [ { "per_consumer": { - "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", + "default": false, "type": "boolean", - "default": false + "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available." } }, { "status_code_metrics": { - "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", + "default": false, + "type": "boolean", + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported." + } + }, + { + "ai_metrics": { + "default": false, "type": "boolean", - "default": false + "description": "A boolean value that determines if ai metrics should be collected. If enabled, the `ai_llm_requests_total`, `ai_llm_cost_total` and `ai_llm_tokens_total` metrics will be exported." } }, { "latency_metrics": { - "description": "A boolean value that determines if latency metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", + "default": false, "type": "boolean", - "default": false + "description": "A boolean value that determines if latency metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported." } }, { "bandwidth_metrics": { - "description": "A boolean value that determines if bandwidth metrics should be collected. 
If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", + "default": false, "type": "boolean", - "default": false + "description": "A boolean value that determines if bandwidth metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported." } }, { "upstream_health_metrics": { - "description": "A boolean value that determines if upstream metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", + "default": false, "type": "boolean", - "default": false + "description": "A boolean value that determines if upstream metrics should be collected. If enabled, `upstream_target_health` metric will be exported." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/proxy-cache-advanced/3.8.x.json b/schemas/proxy-cache-advanced/3.8.x.json index e0e93d10..81c6b90d 100644 --- a/schemas/proxy-cache-advanced/3.8.x.json +++ b/schemas/proxy-cache-advanced/3.8.x.json @@ -1,8 +1,16 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,13 +21,14 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { 
@@ -27,27 +36,26 @@ "fields": [ { "response_code": { - "type": "array", - "len_min": 1, "required": true, "elements": { - "type": "integer", "between": [ 100, 900 - ] + ], + "type": "integer" }, - "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", + "type": "array", "default": [ 200, 301, 404 - ] + ], + "len_min": 1, + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900." } }, { "request_method": { - "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", "required": true, "elements": { "type": "string", @@ -63,12 +71,12 @@ "default": [ "GET", "HEAD" - ] + ], + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`." } }, { "content_type": { - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", "required": true, "elements": { "type": "string" 
@@ -77,42 +85,43 @@ "default": [ "text/plain", "application/json" - ] + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned." } }, { "cache_ttl": { + "gt": 0, "default": 300, "type": "integer", - "description": "TTL in seconds of cache entities.", - "gt": 0 + "description": "TTL in seconds of cache entities." } }, { "strategy": { "required": true, - "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", - "type": "string", "one_of": [ "memory", "redis" - ] + ], + "type": "string", + "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`." } }, { "cache_control": { "required": true, + "default": false, "type": "boolean", - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", - "default": false + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234." } }, { "ignore_uri_case": { "required": false, - "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", + "default": false, "type": "boolean", - "default": false + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI." } }, { 
@@ -127,32 +136,32 @@ { "dictionary_name": { "required": true, + "default": "kong_db_cache", "type": "string", - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", - "default": "kong_db_cache" + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "elements": { "type": "string" }, - "type": "array", - "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration." + "type": "array" } }, { "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "elements": { "type": "string" }, - "type": "array", - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." + "type": "array" } }, { 
@@ -178,12 +187,111 @@ } ], "description": "Caching related diagnostic headers that should be included in cached responses", - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "redis": { + "required": true, + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "then_field": "host", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + }, + "if_field": "connection_is_proxied" + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", "fields": [ { "host": { 
@@ -193,164 +301,200 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] - } - }, - { - "timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + ], "type": "integer", - "between": [ - 0, - 2147483646 - ] + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string" } }, { "password": { "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", - "encrypted": true, "referenceable": true, + "encrypted": true, "type": "string" } }, { "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", "type": "string" } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "encrypted": true, "referenceable": true, + "encrypted": true, "type": "string" } }, { "database": { - "type": "integer", + "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "default": 0 + "type": "integer" } }, { "keepalive_pool_size": { - "default": 256, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 - ] + ], + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low.", + "type": "integer" } }, { "keepalive_backlog": { - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." 
} }, { - "sentinel_addresses": { - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "sentinel_nodes": { + "required": false, "elements": { - "type": "string" + "fields": [ + { + "host": { + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + } + ], + "type": "record" }, "type": "array", - "len_min": 1 + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { - "cluster_addresses": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "cluster_nodes": { + "required": false, "elements": { - "type": "string" + "fields": [ + { + "ip": { + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + } + ], + "type": "record" }, "type": "array", - "len_min": 1 + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." 
} }, { "ssl": { "required": false, + "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "ssl_verify": { "required": false, + "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean", - "default": false + "type": "boolean" } }, { 
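Review bot: The `ssl_verify` description in this hunk only says what `true` does, while `ssl` and `ssl_verify` both default to `false` next to the `password` and `sentinel_password` fields. Read together, the defaults appear to mean Redis credentials travel without TLS, and turning on `ssl` alone leaves the server certificate unchecked. I would append a sentence to the `ssl_verify` description such as `If ssl is true and this is false, the server certificate is not validated.` Separately, the new `cluster_nodes` element names its field `ip` but reuses the `host` wording `A string representing a host name, such as example.com.`, so a reader cannot tell whether a hostname is accepted there. If these files are synced from the upstream plugin schema, both wording fixes belong upstream and get picked up on the next sync.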
@@ -359,89 +503,76 @@ "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string" } - } - ], - "entity_checks": [ + }, { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] + "cluster_max_redirections": { + "required": false, + "default": 5, + "type": "integer", + "description": "Maximum retry attempts for redirection." } }, { - "mutually_exclusive_sets": { - "set2": [ - "cluster_addresses" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] + "connection_is_proxied": { + "required": false, + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" } - }, + } + ], + "shorthand_fields": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "connect_timeout" ], - "set1": [ - "cluster_addresses" - ] + "type": "integer" } }, { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] + "sentinel_addresses": { + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } }, { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] + "cluster_addresses": { + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } } - ], - "type": 
"record", - "required": true + ] } }, { "bypass_on_err": { + "default": false, "type": "boolean", - "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", - "default": false + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream." } } ], - "type": "record", - "required": true - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] + "required": true, + "type": "record" } } ] diff --git a/schemas/proxy-cache/3.8.x.json b/schemas/proxy-cache/3.8.x.json index 6137f9bc..63a21dc4 100644 --- a/schemas/proxy-cache/3.8.x.json +++ b/schemas/proxy-cache/3.8.x.json @@ -1,12 +1,18 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -18,15 +24,18 @@ "udp", "ws", "wss" - ] + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "description": "A set of strings representing protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { 
@@ -34,27 +43,26 @@ "fields": [ { "response_code": { - "len_min": 1, - "description": "Upstream response status code considered cacheable.", "required": true, "elements": { - "type": "integer", "between": [ 100, 900 - ] + ], + "type": "integer" }, - "type": "array", + "len_min": 1, "default": [ 200, 301, 404 - ] + ], + "type": "array", + "description": "Upstream response status code considered cacheable." } }, { "request_method": { - "description": "Downstream request methods considered cacheable.", "required": true, "elements": { "type": "string", @@ -70,12 +78,12 @@ "default": [ "GET", "HEAD" - ] + ], + "description": "Downstream request methods considered cacheable." } }, { "content_type": { - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", "required": true, "elements": { "type": "string" 
@@ -84,46 +92,47 @@ "default": [ "text/plain", "application/json" - ] + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value." } }, { "cache_ttl": { + "gt": 0, "default": 300, - "type": "integer", "description": "TTL, in seconds, of cache entities.", - "gt": 0 + "type": "integer" } }, { "strategy": { "required": true, - "type": "string", - "description": "The backing data store in which to hold cache entities.", "one_of": [ "memory" - ] + ], + "description": "The backing data store in which to hold cache entities.", + "type": "string" } }, { "cache_control": { "required": true, - "type": "boolean", + "default": false, "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", - "default": false + "type": "boolean" } }, { "ignore_uri_case": { "required": false, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "storage_ttl": { - "type": "integer", - "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" } }, { 
@@ -132,31 +141,31 @@ { "dictionary_name": { "required": true, - "type": "string", + "default": "kong_db_cache", "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", - "default": "kong_db_cache" + "type": "string" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "vary_query_params": { + "type": "array", "elements": { "type": "string" }, - "type": "array", "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration." } }, { "vary_headers": { + "type": "array", "elements": { "type": "string" }, - "type": "array", "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." } }, @@ -165,40 +174,31 @@ "fields": [ { "age": { - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "X-Cache-Status": { - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "X-Cache-Key": { - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } } ], - "description": "Caching related diagnostic headers that should be included in cached responses", "type": "record", - "required": true + "required": true, + "description": "Caching related diagnostic headers that should be included in cached responses" } } ], - "type": "record", - "required": true - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] + "required": true, + "type": "record" } } ] diff --git a/schemas/rate-limiting-advanced/3.8.x.json b/schemas/rate-limiting-advanced/3.8.x.json index ed32d32a..71551003 100644 --- a/schemas/rate-limiting-advanced/3.8.x.json +++ b/schemas/rate-limiting-advanced/3.8.x.json 
@@ -1,8 +1,16 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,13 +21,14 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { @@ -27,10 +36,9 @@ "fields": [ { "identifier": { - "default": "consumer", "required": true, "type": "string", - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "default": "consumer", "one_of": [ "ip", "credential", 
@@ -39,37 +47,38 @@ "header", "path", "consumer-group" - ] + ], + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`." } }, { "window_size": { "required": true, + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" }, - "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", "type": "array" } }, { "window_type": { - "default": "sliding", "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", - "type": "string", + "default": "sliding", "one_of": [ "fixed", "sliding" - ] + ], + "type": "string" } }, { "limit": { "required": true, + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" }, - "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", "type": "array" } }, 
@@ -81,45 +90,45 @@ }, { "namespace": { - "auto": true, "required": true, - "type": "string", - "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same." + "auto": true, + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", + "type": "string" } }, { "strategy": { - "default": "local", "required": true, "type": "string", - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "default": "local", "one_of": [ "cluster", "redis", "local" - ] + ], + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`." } }, { "dictionary_name": { "required": true, + "default": "kong_rate_limiting_counters", "description": "The shared dictionary where counters are stored. 
When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", - "type": "string", - "default": "kong_rate_limiting_counters" + "type": "string" } }, { "hide_client_headers": { + "default": false, "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "retry_after_jitter_max": { + "default": 0, "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", - "type": "number", - "default": 0 + "type": "number" } }, { 
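Review bot: The `strategy` description re-added in this hunk still says the available values are `local` and `cluster`, but the `one_of` list on the same field accepts `cluster`, `redis` and `local`. The `dictionary_name` description a few lines below also refers to `config.strategy` being `redis`, so the field text contradicts both its own validation and its neighbour. The last sentence should read ``Available values are: `local`, `cluster` and `redis`.`` so that someone choosing where rate-limit counters are stored sees every accepted backend.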
@@ -130,19 +139,118 @@ }, { "path": { + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "type": "string" } }, { "redis": { + "required": true, + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "then_field": "host", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + }, + "if_field": "connection_is_proxied" + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", "fields": [ { "host": { 
@@ -152,164 +260,200 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] - } - }, - { - "timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + ], "type": "integer", - "between": [ - 0, - 2147483646 - ] + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string" } }, { "password": { "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", - "encrypted": true, "referenceable": true, + "encrypted": true, "type": "string" } }, { "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", "type": "string" } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "encrypted": true, "referenceable": true, + "encrypted": true, "type": "string" } }, { "database": { - "type": "integer", + "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "default": 0 + "type": "integer" } }, { "keepalive_pool_size": { - "default": 256, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 - ] + ], + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low.", + "type": "integer" } }, { "keepalive_backlog": { - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." 
} }, { - "sentinel_addresses": { - "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "sentinel_nodes": { + "required": false, "elements": { - "type": "string" + "fields": [ + { + "host": { + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + } + ], + "type": "record" }, "type": "array", - "len_min": 1 + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { - "cluster_addresses": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "cluster_nodes": { + "required": false, "elements": { - "type": "string" + "fields": [ + { + "ip": { + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + } + ], + "type": "record" }, "type": "array", - "len_min": 1 + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." 
} }, { "ssl": { "required": false, + "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "ssl_verify": { "required": false, + "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean", - "default": false + "type": "boolean" } }, { 
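Review bot: The `ssl` and `ssl_verify` fields at the end of this hunk both keep `"default": false`, while the same `redis` record carries `password` and `sentinel_password`, so a configuration that sets only host, port and credentials validates with TLS off and certificate verification off. Nothing in the visible schema ties the credential fields to TLS, so the `password` description is the natural place to say it, for example by appending `Enable ssl and ssl_verify when a password is set; with the defaults the connection to Redis is not protected by TLS.` Separately, the `ip` field of `cluster_nodes` reuses the host-name wording (`such as example.com`), which looks copied from `host` and leaves it unclear whether a host name is accepted there. The commit message says these files are pulled from the API, so both wording fixes presumably belong in the upstream schema and a fresh download rather than in this snapshot. The `redis` record opens in the previous hunk and closes in the next one.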
@@ -318,120 +462,107 @@ "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string" } - } - ], - "entity_checks": [ + }, { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] + "cluster_max_redirections": { + "required": false, + "default": 5, + "type": "integer", + "description": "Maximum retry attempts for redirection." } }, { - "mutually_exclusive_sets": { - "set2": [ - "cluster_addresses" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] + "connection_is_proxied": { + "required": false, + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" } - }, + } + ], + "shorthand_fields": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "connect_timeout" ], - "set1": [ - "cluster_addresses" - ] + "type": "integer" } }, { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_addresses" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] + "sentinel_addresses": { + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } }, { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] + "cluster_addresses": { + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } } - ], - "type": 
"record", - "required": true + ] } }, { "enforce_consumer_groups": { + "default": false, "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "consumer_groups": { + "type": "array", "elements": { "type": "string" }, - "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", - "type": "array" + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`." } }, { "disable_penalty": { + "default": false, "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", - "type": "boolean", - "default": false + "type": "boolean" } }, { "error_code": { + "gt": 0, "default": 429, "description": "Set a custom error code to return when the rate limit is exceeded.", - "type": "number", - "gt": 0 + "type": "number" } }, { "error_message": { + "default": "API rate limit exceeded", "description": "Set a custom error message to return when the rate limit is exceeded.", - "type": "string", - "default": "API rate limit exceeded" + "type": "string" } } ], - "type": "record", - "required": true - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] + "required": true, + "type": "record" } } ] diff --git a/schemas/rate-limiting/3.8.x.json b/schemas/rate-limiting/3.8.x.json index 79c762c6..88995bca 100644 
--- a/schemas/rate-limiting/3.8.x.json +++ b/schemas/rate-limiting/3.8.x.json @@ -1,8 +1,79 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.second", + "config.minute", + "config.hour", + "config.day", + "config.month", + "config.year" + ] + }, + { + "conditional": { + "then_field": "config.redis.host", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + }, + "if_field": "config.policy" + } + }, + { + "conditional": { + "then_field": "config.redis.port", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + }, + "if_field": "config.policy" + } + }, + { + "conditional": { + "then_field": "config.redis.timeout", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + }, + "if_field": "config.policy" + } + }, + { + "conditional": { + "then_field": "config.header_name", + "if_match": { + "eq": "header" + }, + "then_match": { + "required": true + }, + "if_field": "config.limit_by" + } + }, + { + "conditional": { + "then_field": "config.path", + "if_match": { + "eq": "path" + }, + "then_match": { + "required": true + }, + "if_field": "config.limit_by" + } + } + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", 
@@ -13,65 +84,186 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, + "shorthand_fields": [ + { + "redis_host": { + "deprecation": { + "message": "rate-limiting: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "host" + ], + "type": "string" + } + }, + { + "redis_port": { + "deprecation": { + "message": "rate-limiting: config.redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "port" + ], + "type": "integer" + } + }, + { + "redis_password": { + "deprecation": { + "message": "rate-limiting: config.redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0" + }, + "len_min": 0, + "translate_backwards": [ + "redis", + "password" + ], + "type": "string" + } + }, + { + "redis_username": { + "deprecation": { + "message": "rate-limiting: config.redis_username is deprecated, please use config.redis.username instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "username" + ], + "type": "string" + } + }, + { + "redis_ssl": { + "deprecation": { + "message": "rate-limiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "ssl" + ], + "type": "boolean" + } + }, + { + "redis_ssl_verify": { + "deprecation": { + "message": "rate-limiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "ssl_verify" + ], + "type": "boolean" + } + }, + { + "redis_server_name": { + "deprecation": { + "message": "rate-limiting: 
config.redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "server_name" + ], + "type": "string" + } + }, + { + "redis_timeout": { + "deprecation": { + "message": "rate-limiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "timeout" + ], + "type": "integer" + } + }, + { + "redis_database": { + "deprecation": { + "message": "rate-limiting: config.redis_database is deprecated, please use config.redis.database instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "database" + ], + "type": "integer" + } + } + ], "fields": [ { "second": { - "description": "The number of HTTP requests that can be made per second.", + "gt": 0, "type": "number", - "gt": 0 + "description": "The number of HTTP requests that can be made per second." } }, { "minute": { - "description": "The number of HTTP requests that can be made per minute.", + "gt": 0, "type": "number", - "gt": 0 + "description": "The number of HTTP requests that can be made per minute." } }, { "hour": { - "description": "The number of HTTP requests that can be made per hour.", + "gt": 0, "type": "number", - "gt": 0 + "description": "The number of HTTP requests that can be made per hour." } }, { "day": { - "description": "The number of HTTP requests that can be made per day.", + "gt": 0, "type": "number", - "gt": 0 + "description": "The number of HTTP requests that can be made per day." } }, { "month": { - "description": "The number of HTTP requests that can be made per month.", + "gt": 0, "type": "number", - "gt": 0 + "description": "The number of HTTP requests that can be made per month." 
} }, { "year": { - "description": "The number of HTTP requests that can be made per year.", + "gt": 0, "type": "number", - "gt": 0 + "description": "The number of HTTP requests that can be made per year." } }, { "limit_by": { - "default": "consumer", - "description": "The entity that is used when aggregating the limits.", "type": "string", + "default": "consumer", "one_of": [ "consumer", "credential", @@ -80,7 +272,8 @@ "header", "path", "consumer-group" - ] + ], + "description": "The entity that is used when aggregating the limits." } }, { 
@@ -91,36 +284,36 @@ }, { "path": { + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "type": "string" } }, { "policy": { - "default": "local", - "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", - "len_min": 0, "type": "string", + "default": "local", "one_of": [ "local", "cluster", "redis" - ] + ], + "len_min": 0, + "description": "The rate-limiting policies to use for retrieving and incrementing the limits." } }, { "fault_tolerant": { "required": true, - "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", + "default": true, "type": "boolean", - "default": true + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors." } }, { 
@@ -134,63 +327,63 @@ }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "username": { - "type": "string", "referenceable": true, + "type": "string", "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." } }, { "password": { - "encrypted": true, "referenceable": true, + "len_min": 0, "type": "string", - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "len_min": 0 + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer", - "default": 0 + "description": "Database to use for the Redis connection when using the `redis` strategy" } }, { "ssl": { "required": false, - "description": "If set to true, uses SSL to connect to Redis.", + "default": false, "type": "boolean", - "default": false + "description": "If set to true, uses SSL to connect to Redis." } }, { "ssl_verify": { "required": false, - "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, "type": "boolean", - "default": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." } }, { 
@@ -202,237 +395,44 @@ } ], "description": "Redis configuration", - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "hide_client_headers": { "required": true, - "description": "Optionally hide informative response headers.", + "default": false, "type": "boolean", - "default": false + "description": "Optionally hide informative response headers." } }, { "error_code": { + "gt": 0, "default": 429, - "description": "Set a custom error code to return when the rate limit is exceeded.", "type": "number", - "gt": 0 + "description": "Set a custom error code to return when the rate limit is exceeded." } }, { "error_message": { - "description": "Set a custom error message to return when the rate limit is exceeded.", + "default": "API rate limit exceeded", "type": "string", - "default": "API rate limit exceeded" + "description": "Set a custom error message to return when the rate limit is exceeded." } }, { "sync_rate": { "required": true, - "description": "How often to sync counter data to the central data store. 
A value of -1 results in synchronous behavior.", + "default": -1, "type": "number", - "default": -1 - } - } - ], - "required": true, - "shorthand_fields": [ - { - "redis_host": { - "deprecation": { - "removal_in_version": "4.0", - "message": "rate-limiting: config.redis_host is deprecated, please use config.redis.host instead" - }, - "type": "string", - "translate_backwards": [ - "redis", - "host" - ] - } - }, - { - "redis_port": { - "deprecation": { - "removal_in_version": "4.0", - "message": "rate-limiting: config.redis_port is deprecated, please use config.redis.port instead" - }, - "type": "integer", - "translate_backwards": [ - "redis", - "port" - ] - } - }, - { - "redis_password": { - "len_min": 0, - "deprecation": { - "removal_in_version": "4.0", - "message": "rate-limiting: config.redis_password is deprecated, please use config.redis.password instead" - }, - "type": "string", - "translate_backwards": [ - "redis", - "password" - ] - } - }, - { - "redis_username": { - "deprecation": { - "removal_in_version": "4.0", - "message": "rate-limiting: config.redis_username is deprecated, please use config.redis.username instead" - }, - "type": "string", - "translate_backwards": [ - "redis", - "username" - ] - } - }, - { - "redis_ssl": { - "deprecation": { - "removal_in_version": "4.0", - "message": "rate-limiting: config.redis_ssl is deprecated, please use config.redis.ssl instead" - }, - "type": "boolean", - "translate_backwards": [ - "redis", - "ssl" - ] - } - }, - { - "redis_ssl_verify": { - "deprecation": { - "removal_in_version": "4.0", - "message": "rate-limiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead" - }, - "type": "boolean", - "translate_backwards": [ - "redis", - "ssl_verify" - ] - } - }, - { - "redis_server_name": { - "deprecation": { - "removal_in_version": "4.0", - "message": "rate-limiting: config.redis_server_name is deprecated, please use config.redis.server_name instead" - }, - "type": "string", - 
"translate_backwards": [ - "redis", - "server_name" - ] - } - }, - { - "redis_timeout": { - "deprecation": { - "removal_in_version": "4.0", - "message": "rate-limiting: config.redis_timeout is deprecated, please use config.redis.timeout instead" - }, - "type": "integer", - "translate_backwards": [ - "redis", - "timeout" - ] - } - }, - { - "redis_database": { - "deprecation": { - "removal_in_version": "4.0", - "message": "rate-limiting: config.redis_database is deprecated, please use config.redis.database instead" - }, - "type": "integer", - "translate_backwards": [ - "redis", - "database" - ] + "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior." } } ], "type": "record" } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.second", - "config.minute", - "config.hour", - "config.day", - "config.month", - "config.year" - ] - }, - { - "conditional": { - "if_field": "config.policy", - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.host", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_field": "config.policy", - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.port", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_field": "config.policy", - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.timeout", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_field": "config.limit_by", - "if_match": { - "eq": "header" - }, - "then_field": "config.header_name", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_field": "config.limit_by", - "if_match": { - "eq": "path" - }, - "then_field": "config.path", - "then_match": { - "required": true - } - } - } ] } \ No newline at end of file diff --git a/schemas/request-size-limiting/3.8.x.json b/schemas/request-size-limiting/3.8.x.json index cb8c641c..5e0fa712 100644 
--- a/schemas/request-size-limiting/3.8.x.json +++ b/schemas/request-size-limiting/3.8.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,21 +15,22 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -35,39 +38,36 @@ "fields": [ { "allowed_payload_size": { + "default": 128, "type": "integer", - "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", - "default": 128 + "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes)." } }, { "size_unit": { - "default": "megabytes", "required": true, "type": "string", - "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", + "default": "megabytes", "one_of": [ "megabytes", "kilobytes", "bytes" - ] + ], + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0." } }, { "require_content_length": { "required": true, + "default": false, "type": "boolean", - "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", - "default": false + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/request-termination/3.8.x.json b/schemas/request-termination/3.8.x.json index e716bea1..427081f9 100644 --- a/schemas/request-termination/3.8.x.json +++ b/schemas/request-termination/3.8.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,13 +15,14 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { 
@@ -27,40 +30,40 @@ "fields": [ { "status_code": { - "default": 503, "required": true, - "description": "The response code to send. Must be an integer between 100 and 599.", "type": "integer", "between": [ 100, 599 - ] + ], + "default": 503, + "description": "The response code to send. Must be an integer between 100 and 599." } }, { "message": { - "type": "string", - "description": "The message to send, if using the default response generator." + "description": "The message to send, if using the default response generator.", + "type": "string" } }, { "content_type": { - "type": "string", - "description": "Content type of the raw response configured with `config.body`." + "description": "Content type of the raw response configured with `config.body`.", + "type": "string" } }, { "body": { - "type": "string", - "description": "The raw response body to send. This is mutually exclusive with the `config.message` field." + "description": "The raw response body to send. This is mutually exclusive with the `config.message` field.", + "type": "string" } }, { "echo": { "required": true, + "default": false, "type": "boolean", - "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", - "default": false + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic." } }, { @@ -70,12 +73,9 @@ } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/request-transformer-advanced/3.8.x.json b/schemas/request-transformer-advanced/3.8.x.json index 82c1b004..06a0820f 100644 
--- a/schemas/request-transformer-advanced/3.8.x.json +++ b/schemas/request-transformer-advanced/3.8.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,13 +15,14 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { @@ -27,9 +30,9 @@ "fields": [ { "http_method": { + "type": "string", "match": "^%u+$", - "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", - "type": "string" + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." } }, { @@ -37,40 +40,40 @@ "fields": [ { "body": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "headers": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "querystring": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
@@ -78,43 +81,43 @@ "fields": [ { "body": { - "elements": { - "type": "string", - "referenceable": true - }, - "type": "array", "default": [ - ] + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" } }, { "headers": { - "elements": { - "type": "string", - "referenceable": true - }, - "type": "array", "default": [ - ] + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" } }, { "querystring": { - "elements": { - "type": "string", - "referenceable": true - }, - "type": "array", "default": [ - ] + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -122,42 +125,45 @@ "fields": [ { "body": { - "elements": { - "type": "string", - "referenceable": true - }, - "type": "array", "default": [ - ] + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" } }, { "headers": { - "elements": { - "type": "string", - "referenceable": true - }, - "type": "array", "default": [ - ] + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" } }, { "querystring": { - "elements": { - "type": "string", - "referenceable": true - }, - "type": "array", "default": [ - ] + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" } }, { "json_types": { + "default": [ + + ], "elements": { "type": "string", "one_of": [ @@ -166,10 +172,7 @@ "string" ] }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { @@ -178,8 +181,8 @@ } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
@@ -187,42 +190,45 @@ "fields": [ { "body": { - "elements": { - "type": "string", - "referenceable": true - }, - "type": "array", "default": [ - ] + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" } }, { "headers": { - "elements": { - "type": "string", - "referenceable": true - }, - "type": "array", "default": [ - ] + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" } }, { "querystring": { - "elements": { - "type": "string", - "referenceable": true - }, - "type": "array", "default": [ - ] + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" } }, { "json_types": { + "default": [ + + ], "elements": { "type": "string", "one_of": [ @@ -231,15 +237,12 @@ "string" ] }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -247,42 +250,45 @@ "fields": [ { "body": { - "elements": { - "type": "string", - "referenceable": true - }, - "type": "array", "default": [ - ] + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" } }, { "headers": { - "elements": { - "type": "string", - "referenceable": true - }, - "type": "array", "default": [ - ] + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" } }, { "querystring": { - "elements": { - "type": "string", - "referenceable": true - }, - "type": "array", "default": [ - ] + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" } }, { "json_types": { + "default": [ + + ], "elements": { "type": "string", "one_of": [ @@ -291,15 +297,12 @@ "string" ] }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
@@ -307,31 +310,28 @@ "fields": [ { "body": { - "type": "set", "elements": { "type": "string" - } + }, + "type": "set" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "dots_in_keys": { + "default": true, "type": "boolean", - "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects).", - "default": true + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects)." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/request-transformer/3.8.x.json b/schemas/request-transformer/3.8.x.json index 4de5fa5e..c7ef2fe2 100644 --- a/schemas/request-transformer/3.8.x.json +++ b/schemas/request-transformer/3.8.x.json @@ -1,12 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -18,15 +18,18 @@ "udp", "ws", "wss" - ] + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "description": "A set of strings representing protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { 
@@ -34,9 +37,9 @@ "fields": [ { "http_method": { + "type": "string", "match": "^%u+$", - "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", - "type": "string" + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." } }, { @@ -45,42 +48,42 @@ { "body": { "required": true, + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "headers": { "required": true, + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "querystring": { "required": true, + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -89,43 +92,43 @@ { "body": { "required": true, + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "headers": { "required": true, + "default": [ + + ], "elements": { "match": "^[^:]+:.*$", "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "querystring": { "required": true, + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
@@ -134,38 +137,38 @@ { "body": { "required": true, + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "headers": { "required": true, + "default": [ + + ], "elements": { "match": "^[^:]+:.*$", "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "querystring": { "required": true, + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { @@ -174,8 +177,8 @@ } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -184,43 +187,43 @@ { "body": { "required": true, + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "headers": { "required": true, + "default": [ + + ], "elements": { "match": "^[^:]+:.*$", "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "querystring": { "required": true, + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -229,52 +232,49 @@ { "body": { "required": true, + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "headers": { "required": true, + "default": [ + + ], "elements": { "match": "^[^:]+:.*$", "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "querystring": { "required": true, + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
diff --git a/schemas/request-validator/3.8.x.json b/schemas/request-validator/3.8.x.json index e5214db3..868edddf 100644 --- a/schemas/request-validator/3.8.x.json +++ b/schemas/request-validator/3.8.x.json @@ -1,8 +1,16 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,21 +21,22 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -42,44 +51,45 @@ }, { "allowed_content_types": { - "type": "set", + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", + "default": [ + "application/json" + ], "elements": { "required": true, "type": "string" }, - "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", - "default": [ - "application/json" - ] + "type": "set" } }, { "version": { + "required": true, + "type": "string", "one_of": [ "kong", "draft4" ], - "required": true, - "type": "string", - "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", - "default": "kong" + "default": "kong", + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator." } }, { "parameter_schema": { "required": false, + "type": "array", "elements": { "fields": [ { "in": { "required": true, - "type": "string", - "description": "The location of the parameter.", "one_of": [ "query", "header", "path" - ] + ], + "type": "string", + "description": "The location of the parameter." } }, { @@ -98,8 +108,6 @@ }, { "style": { - "type": "string", - "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", "one_of": [ "label", "form", @@ -108,7 +116,9 @@ "spaceDelimited", "pipeDelimited", "deepObject" - ] + ], + "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", + "type": "string" } }, { 
@@ -119,8 +129,8 @@ }, { "schema": { - "type": "string", - "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating." + "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating.", + "type": "string" } } ], @@ -143,19 +153,27 @@ ], "type": "record" }, - "type": "array", "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified." } }, { "verbose_response": { "required": true, + "default": false, "type": "boolean", - "description": "If enabled, the plugin returns more verbose and detailed validation errors.", - "default": false + "description": "If enabled, the plugin returns more verbose and detailed validation errors." + } + }, + { + "content_type_parameter_validation": { + "required": true, + "default": true, + "type": "boolean", + "description": "Determines whether to enable parameters validation of request content-type." } } ], + "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -164,17 +182,7 @@ ] } ], - "type": "record", - "required": true - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] + "type": "record" } } ] diff --git a/schemas/response-ratelimiting/3.8.x.json b/schemas/response-ratelimiting/3.8.x.json index bee283f1..f069f160 100644 --- a/schemas/response-ratelimiting/3.8.x.json +++ b/schemas/response-ratelimiting/3.8.x.json 
@@ -1,8 +1,45 @@ { + "entity_checks": [ + { + "conditional": { + "then_field": "config.redis.host", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + }, + "if_field": "config.policy" + } + }, + { + "conditional": { + "then_field": "config.redis.port", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + }, + "if_field": "config.policy" + } + }, + { + "conditional": { + "then_field": "config.redis.timeout", + "if_match": { + "eq": "redis" + }, + "then_match": { + "required": true + }, + "if_field": "config.policy" + } + } + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,21 +50,22 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -35,41 +73,41 @@ "fields": [ { "header_name": { + "default": "x-kong-limit", "type": "string", - "description": "The name of the response header used to increment the counters.", - "default": "x-kong-limit" + "description": "The name of the response header used to increment the counters." } }, { "limit_by": { - "default": "consumer", "type": "string", - "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", + "default": "consumer", "one_of": [ "consumer", "credential", "ip" - ] + ], + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`." } }, { "policy": { - "default": "local", "type": "string", - "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "default": "local", "one_of": [ "local", "cluster", "redis" - ] + ], + "description": "The rate-limiting policies to use for retrieving and incrementing the limits." } }, { "fault_tolerant": { "required": true, + "default": true, "type": "boolean", - "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", - "default": true + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors." } }, { 
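Review bot: `fault_tolerant` defaults to `true`, so the limiter fails open: by its own description, a datastore outage lets every request through with rate limiting effectively off. The description should say when to change that, for example by appending `Set to false where the limit is a security control, and alert on datastore connection errors in either mode.` This file is pulled from the API, so the wording would have to change in the plugin's schema source rather than here.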
@@ -83,63 +121,63 @@ }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "username": { - "type": "string", "referenceable": true, + "type": "string", "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." } }, { "password": { - "encrypted": true, "referenceable": true, + "len_min": 0, "type": "string", - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "len_min": 0 + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer", - "default": 0 + "description": "Database to use for the Redis connection when using the `redis` strategy" } }, { "ssl": { "required": false, - "description": "If set to true, uses SSL to connect to Redis.", + "default": false, "type": "boolean", - "default": false + "description": "If set to true, uses SSL to connect to Redis." } }, { "ssl_verify": { "required": false, - "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, "type": "boolean", - "default": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." } }, { 
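Review bot: In the `redis` record, `ssl` and `ssl_verify` both default to `false` while the same record carries `username` and `password`. With `policy` set to `redis` and the defaults untouched, any configured credentials travel to Redis unencrypted. Turning on `ssl` alone still leaves the server certificate unchecked. The `ssl` description should say so, e.g. `If set to true, uses SSL to connect to Redis. When false, Redis credentials and counters are sent in cleartext; enable together with ssl_verify.` The text comes from the API, so the change belongs in the plugin's schema source.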
@@ -151,92 +189,93 @@ } ], "description": "Redis configuration", - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "block_on_first_violation": { "required": true, + "default": false, "type": "boolean", - "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", - "default": false + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too." } }, { "hide_client_headers": { "required": true, + "default": false, "type": "boolean", - "description": "Optionally hide informative response headers.", - "default": false + "description": "Optionally hide informative response headers." } }, { "limits": { + "required": true, "keys": { "type": "string" }, "len_min": 1, - "required": true, - "description": "A map that defines rate limits for the plugin.", "type": "map", "values": { "required": true, - "entity_checks": [ - { - "at_least_one_of": [ - "second", - "minute", - "hour", - "day", - "month", - "year" - ] - } - ], - "type": "record", "fields": [ { "second": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "minute": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "hour": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "day": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "month": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "year": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } } - ] - } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "second", + "minute", + "hour", + "day", + "month", + "year" + ] + } + ], + "type": "record" + }, + "description": "A map that defines rate limits for the plugin." 
} } ], + "required": true, "shorthand_fields": [ { "redis_host": { @@ -244,11 +283,11 @@ "message": "response-ratelimiting: config.redis_host is deprecated, please use config.redis.host instead", "removal_in_version": "4.0" }, - "type": "string", "translate_backwards": [ "redis", "host" - ] + ], + "type": "string" } }, { @@ -257,25 +296,25 @@ "message": "response-ratelimiting: config.redis_port is deprecated, please use config.redis.port instead", "removal_in_version": "4.0" }, - "type": "integer", "translate_backwards": [ "redis", "port" - ] + ], + "type": "integer" } }, { "redis_password": { - "len_min": 0, "deprecation": { "message": "response-ratelimiting: config.redis_password is deprecated, please use config.redis.password instead", "removal_in_version": "4.0" }, - "type": "string", + "len_min": 0, "translate_backwards": [ "redis", "password" - ] + ], + "type": "string" } }, { @@ -284,11 +323,11 @@ "message": "response-ratelimiting: config.redis_username is deprecated, please use config.redis.username instead", "removal_in_version": "4.0" }, - "type": "string", "translate_backwards": [ "redis", "username" - ] + ], + "type": "string" } }, { @@ -297,11 +336,11 @@ "message": "response-ratelimiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", "removal_in_version": "4.0" }, - "type": "boolean", "translate_backwards": [ "redis", "ssl" - ] + ], + "type": "boolean" } }, { @@ -310,11 +349,11 @@ "message": "response-ratelimiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", "removal_in_version": "4.0" }, - "type": "boolean", "translate_backwards": [ "redis", "ssl_verify" - ] + ], + "type": "boolean" } }, { @@ -323,11 +362,11 @@ "message": "response-ratelimiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", "removal_in_version": "4.0" }, - "type": "string", "translate_backwards": [ "redis", "server_name" - ] + ], + "type": "string" } }, { 
@@ -336,11 +375,11 @@ "message": "response-ratelimiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", "removal_in_version": "4.0" }, - "type": "integer", "translate_backwards": [ "redis", "timeout" - ] + ], + "type": "integer" } }, { @@ -349,54 +388,15 @@ "message": "response-ratelimiting: config.redis_database is deprecated, please use config.redis.database instead", "removal_in_version": "4.0" }, - "type": "integer", "translate_backwards": [ "redis", "database" - ] + ], + "type": "integer" } } ], - "type": "record", - "required": true - } - } - ], - "entity_checks": [ - { - "conditional": { - "if_field": "config.policy", - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.host", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_field": "config.policy", - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.port", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_field": "config.policy", - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.timeout", - "then_match": { - "required": true - } + "type": "record" } } ] diff --git a/schemas/response-transformer-advanced/3.8.x.json b/schemas/response-transformer-advanced/3.8.x.json index 30740564..29ea518b 100644 --- a/schemas/response-transformer-advanced/3.8.x.json +++ b/schemas/response-transformer-advanced/3.8.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,13 +15,14 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { 
@@ -30,40 +33,40 @@ "fields": [ { "json": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "headers": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "if_status": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -71,30 +74,30 @@ "fields": [ { "headers": { - "elements": { - "type": "string", - "match": "^[^:]+:.*$" - }, - "type": "array", "default": [ - ] + ], + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "type": "array" } }, { "if_status": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -102,23 +105,26 @@ "fields": [ { "body": { - "description": "String with which to replace the entire response body.", - "type": "string" + "type": "string", + "description": "String with which to replace the entire response body." } }, { "json": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "json_types": { + "default": [ + + ], "elements": { "type": "string", "one_of": [ @@ -127,37 +133,34 @@ "string" ] }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "headers": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "if_status": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
@@ -165,17 +168,20 @@ "fields": [ { "json": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "json_types": { + "default": [ + + ], "elements": { "type": "string", "one_of": [ @@ -184,37 +190,34 @@ "string" ] }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "headers": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "if_status": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -222,17 +225,20 @@ "fields": [ { "json": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "json_types": { + "default": [ + + ], "elements": { "type": "string", "one_of": [ @@ -241,37 +247,34 @@ "string" ] }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "headers": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "if_status": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -279,15 +282,15 @@ "fields": [ { "json": { - "type": "set", "elements": { "type": "string" - } + }, + "type": "set" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
@@ -295,56 +298,53 @@ "fields": [ { "functions": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "if_status": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "json": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "dots_in_keys": { + "default": true, "type": "boolean", - "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", - "default": true + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects.." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/response-transformer/3.8.x.json b/schemas/response-transformer/3.8.x.json index 67d2c9ec..8a18c974 100644 --- a/schemas/response-transformer/3.8.x.json +++ b/schemas/response-transformer/3.8.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,13 +15,14 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { 
@@ -31,51 +34,64 @@ { "json": { "required": true, + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "headers": { "required": true, + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "rename": { "fields": [ { - "headers": { + "json": { "required": true, + "default": [ + + ], "elements": { "match": "^[^:]+:.*$", "type": "string" }, - "type": "array", + "type": "array" + } + }, + { + "headers": { + "required": true, "default": [ - ] + ], + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -84,19 +100,18 @@ { "json": { "required": true, + "default": [ + + ], "elements": { "match": "^[^:]+:.*$", "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "json_types": { - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "required": true, "elements": { "type": "string", @@ -109,25 +124,26 @@ "type": "array", "default": [ - ] + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." } }, { "headers": { "required": true, + "default": [ + + ], "elements": { "match": "^[^:]+:.*$", "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
@@ -136,19 +152,18 @@ { "json": { "required": true, + "default": [ + + ], "elements": { "match": "^[^:]+:.*$", "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "json_types": { - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "required": true, "elements": { "type": "string", @@ -161,25 +176,26 @@ "type": "array", "default": [ - ] + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." } }, { "headers": { "required": true, + "default": [ + + ], "elements": { "match": "^[^:]+:.*$", "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -188,19 +204,18 @@ { "json": { "required": true, + "default": [ + + ], "elements": { "match": "^[^:]+:.*$", "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "json_types": { - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "required": true, "elements": { "type": "string", 
@@ -213,34 +228,32 @@ "type": "array", "default": [ - ] + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." } }, { "headers": { "required": true, + "default": [ + + ], "elements": { "match": "^[^:]+:.*$", "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/route-by-header/3.8.x.json b/schemas/route-by-header/3.8.x.json index d782454b..f677e3c1 100644 --- a/schemas/route-by-header/3.8.x.json +++ b/schemas/route-by-header/3.8.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,21 +15,22 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -36,8 +39,10 @@ { "rules": { "description": "Route by header rules.", + "default": [ + + ], "elements": { - "type": "record", "fields": [ { "upstream_name": { 
@@ -47,32 +52,27 @@ }, { "condition": { - "keys": { - "type": "string" - }, "required": true, - "type": "map", "len_min": 1, + "type": "map", "values": { "type": "string" + }, + "keys": { + "type": "string" } } } - ] + ], + "type": "record" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/route-transformer-advanced/3.8.x.json b/schemas/route-transformer-advanced/3.8.x.json index 65d20343..b21a71d6 100644 --- a/schemas/route-transformer-advanced/3.8.x.json +++ b/schemas/route-transformer-advanced/3.8.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,21 +15,22 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -55,6 +58,7 @@ } } ], + "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -64,12 +68,8 @@ ] } ], - "type": "record", - "required": true + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/saml/3.8.x.json b/schemas/saml/3.8.x.json index 443de58e..2e0448aa 100644 --- a/schemas/saml/3.8.x.json +++ b/schemas/saml/3.8.x.json 
@@ -1,16 +1,24 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", 
@@ -21,686 +29,1147 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "fields": [ + "required": true, + "shorthand_fields": [ { - "assertion_consumer_path": { - "match_none": [ - { - "pattern": "//", - "err": "must not have empty segments" - } - ], - "required": true, - "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "starts_with": "/" + "session_cookie_lifetime": { + "deprecation": { + "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead", + "removal_in_version": "4.0" + }, + "type": "number" } }, { - "idp_sso_url": { - "required": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "session_cookie_idletime": { + "deprecation": { + "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead", + "removal_in_version": "4.0" + }, + "type": "number" } }, { - "idp_certificate": { - "encrypted": true, - "referenceable": true, - "required": false, - "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. 
Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "session_cookie_samesite": { + "deprecation": { + "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead", + "removal_in_version": "4.0" + }, "type": "string" } }, { - "response_encryption_key": { - "encrypted": true, - "referenceable": true, - "required": false, - "description": "The private encryption key required to decrypt encrypted assertions.", - "type": "string" + "session_cookie_httponly": { + "deprecation": { + "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead", + "removal_in_version": "4.0" + }, + "type": "boolean" } }, { - "request_signing_key": { - "encrypted": true, - "referenceable": true, - "required": false, - "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", + "session_memcache_prefix": { + "deprecation": { + "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead", + "removal_in_version": "4.0" + }, "type": "string" } }, { - "request_signing_certificate": { - "encrypted": true, - "referenceable": true, - "required": false, - "description": "The certificate for signing requests.", + "session_memcache_socket": { + "deprecation": { + "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead", + "removal_in_version": "4.0" + }, "type": "string" } }, { - "request_signature_algorithm": { - "default": "SHA256", - "required": false, - "description": "The signature algorithm for signing Authn requests. 
Options available are: - `SHA256` - `SHA384` - `SHA512`", - "type": "string", - "one_of": [ - "SHA256", - "SHA384", - "SHA512" - ] + "session_memcache_host": { + "deprecation": { + "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead", + "removal_in_version": "4.0" + }, + "type": "string" } }, { - "request_digest_algorithm": { - "default": "SHA256", - "required": false, - "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", - "type": "string", - "one_of": [ - "SHA256", - "SHA1" - ] + "session_memcache_port": { + "deprecation": { + "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead", + "removal_in_version": "4.0" + }, + "type": "integer" } }, { - "response_signature_algorithm": { - "default": "SHA256", - "required": false, - "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", - "type": "string", - "one_of": [ - "SHA256", - "SHA384", - "SHA512" - ] + "session_cookie_renew": { + "deprecation": { + "message": "openid-connect: config.session_cookie_renew option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "number" } }, { - "response_digest_algorithm": { - "default": "SHA256", - "required": false, - "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", - "type": "string", - "one_of": [ - "SHA256", - "SHA1" - ] + "session_cookie_maxsize": { + "deprecation": { + "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "integer" } }, { - "issuer": { - "required": true, - "description": "The unique identifier of the IdP application. 
Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", + "session_strategy": { + "deprecation": { + "message": "openid-connect: config.session_strategy option does not exist anymore", + "removal_in_version": "4.0" + }, "type": "string" } }, { - "nameid_format": { - "default": "EmailAddress", - "required": false, - "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", - "type": "string", - "one_of": [ - "Unspecified", - "EmailAddress", - "Persistent", - "Transient" - ] + "session_compressor": { + "deprecation": { + "message": "openid-connect: config.session_compressor option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "string" } }, { - "validate_assertion_signature": { - "required": false, - "description": "Enable signature validation for SAML responses.", - "type": "boolean", - "default": true + "session_auth_ttl": { + "deprecation": { + "message": "openid-connect: config.session_auth_ttl option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "number" } }, { - "anonymous": { - "required": false, - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", + "session_redis_prefix": { + "deprecation": { + "message": "saml: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "prefix" + ], "type": "string" } }, { - "session_secret": { - "match": "^[0-9a-zA-Z/_+]+$", - "encrypted": true, - "referenceable": true, - "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). 
It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", - "required": true, - "len_min": 32, - "type": "string", - "len_max": 32 - } - }, - { - "session_audience": { - "required": false, - "description": "The session audience, for example \"my-application\"", - "type": "string", - "default": "default" + "session_redis_socket": { + "deprecation": { + "message": "saml: config.session_redis_socket is deprecated, please use config.redis.socket instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "socket" + ], + "type": "string" } }, { - "session_cookie_name": { - "required": false, - "description": "The session cookie name.", - "type": "string", - "default": "session" + "session_redis_host": { + "deprecation": { + "message": "saml: config.session_redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "host" + ], + "type": "string" } }, { - "session_remember": { - "required": false, - "description": "Enables or disables persistent sessions", - "type": "boolean", - "default": false + "session_redis_port": { + "deprecation": { + "message": "saml: config.session_redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "port" + ], + "type": "integer" } }, { - "session_remember_cookie_name": { - "required": false, - "description": "Persistent session cookie name", - "type": "string", - "default": "remember" + "session_redis_username": { + "deprecation": { + "message": "saml: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "username" + ], + "type": "string" } }, { - "session_remember_rolling_timeout": { - "required": false, - "description": "Persistent session rolling timeout in seconds.", - 
"type": "number", - "default": 604800 + "session_redis_password": { + "deprecation": { + "message": "saml: config.session_redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "password" + ], + "type": "string" } }, { - "session_remember_absolute_timeout": { - "required": false, - "description": "Persistent session absolute timeout in seconds.", - "type": "number", - "default": 2592000 + "session_redis_connect_timeout": { + "deprecation": { + "message": "saml: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "connect_timeout" + ], + "type": "integer" } }, { - "session_idling_timeout": { - "required": false, - "description": "The session cookie idle time in seconds.", - "type": "number", - "default": 900 + "session_redis_read_timeout": { + "deprecation": { + "message": "saml: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "read_timeout" + ], + "type": "integer" } }, { - "session_rolling_timeout": { - "required": false, - "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", - "type": "number", - "default": 3600 + "session_redis_send_timeout": { + "deprecation": { + "message": "saml: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "send_timeout" + ], + "type": "integer" } }, { - "session_absolute_timeout": { - "required": false, - "description": "The session cookie absolute timeout in seconds. 
Specifies how long the session can be used until it is no longer valid.", - "type": "number", - "default": 86400 + "session_redis_ssl": { + "deprecation": { + "message": "saml: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "ssl" + ], + "type": "boolean" } }, { - "session_cookie_path": { - "match_none": [ - { - "pattern": "//", - "err": "must not have empty segments" - } + "session_redis_ssl_verify": { + "deprecation": { + "message": "saml: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "ssl_verify" ], - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "required": false, - "type": "string", - "starts_with": "/", - "default": "/" + "type": "boolean" } }, { - "session_cookie_domain": { - "required": false, - "description": "The session cookie domain flag.", + "session_redis_server_name": { + "deprecation": { + "message": "saml: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "server_name" + ], "type": "string" } }, { - "session_cookie_same_site": { - "default": "Lax", - "required": false, - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", - "type": "string", - "one_of": [ - "Strict", - "Lax", - "None", - "Default" - ] + "session_redis_cluster_nodes": { + "deprecation": { + "message": "saml: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", + "removal_in_version": "4.0" + }, + "elements": { + "fields": [ + { + "ip": { + "required": true, + 
"default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + } + ], + "type": "record" + }, + "translate_backwards": [ + "redis", + "cluster_nodes" + ], + "type": "array" } }, { - "session_cookie_http_only": { - "required": false, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "type": "boolean", - "default": true + "session_redis_cluster_max_redirections": { + "deprecation": { + "message": "saml: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "cluster_max_redirections" + ], + "type": "integer" } }, { - "session_cookie_secure": { - "required": false, - "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "type": "boolean" + "session_redis_cluster_maxredirections": { + "deprecation": { + "message": "saml: config.session_redis_cluster_maxredirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "redis", + "cluster_max_redirections" + ], + "type": "integer" + } + } + ], + "fields": [ + { + "assertion_consumer_path": { + "required": true, + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "type": "string", + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." 
} }, { - "session_request_headers": { - "type": "set", - "elements": { - "type": "string", - "one_of": [ - "id", - "audience", - "subject", - "timeout", - "idling-timeout", - "rolling-timeout", - "absolute-timeout" - ] - } + "idp_sso_url": { + "required": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { - "session_response_headers": { - "type": "set", - "elements": { - "type": "string", - "one_of": [ - "id", - "audience", - "subject", - "timeout", - "idling-timeout", - "rolling-timeout", - "absolute-timeout" - ] - } + "idp_certificate": { + "required": false, + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines." } }, { - "session_storage": { - "default": "cookie", + "response_encryption_key": { "required": false, - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", + "referenceable": true, "type": "string", - "one_of": [ - "cookie", - "memcache", - "memcached", - "redis" - ] + "encrypted": true, + "description": "The private encryption key required to decrypt encrypted assertions." } }, { - "session_store_metadata": { + "request_signing_key": { "required": false, - "description": "Configures whether or not session metadata should be stored. 
This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", - "type": "boolean", - "default": false + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well." } }, { - "session_enforce_same_subject": { + "request_signing_certificate": { "required": false, - "description": "When set to `true`, audiences are forced to share the same subject.", - "type": "boolean", - "default": false + "referenceable": true, + "type": "string", + "encrypted": true, + "description": "The certificate for signing requests." } }, { - "session_hash_subject": { + "request_signature_algorithm": { "required": false, - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", - "type": "boolean", - "default": false + "type": "string", + "default": "SHA256", + "one_of": [ + "SHA256", + "SHA384", + "SHA512" + ], + "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`" } }, { - "session_hash_storage_key": { + "request_digest_algorithm": { "required": false, - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", - "type": "boolean", - "default": false + "type": "string", + "default": "SHA256", + "one_of": [ + "SHA256", + "SHA1" + ], + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`" } }, { - "session_memcached_prefix": { + "response_signature_algorithm": { "required": false, - "description": "The memcached session key prefix.", - "type": "string" + "type": "string", + "default": "SHA256", + "one_of": [ + "SHA256", + "SHA384", + "SHA512" + ], + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`" } }, { - "session_memcached_socket": { + "response_digest_algorithm": { "required": false, - "description": "The memcached unix socket path.", + "type": "string", + "default": "SHA256", + "one_of": [ + "SHA256", + "SHA1" + ], + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`" + } + }, + { + "issuer": { + "required": true, + "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", "type": "string" } }, { - "session_memcached_host": { + "nameid_format": { "required": false, - "description": "The memcached host.", "type": "string", - "default": "127.0.0.1" + "default": "EmailAddress", + "one_of": [ + "Unspecified", + "EmailAddress", + "Persistent", + "Transient" + ], + "description": "The requested `NameId` format. 
Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`" } }, { - "session_memcached_port": { - "default": 11211, + "validate_assertion_signature": { "required": false, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", - "between": [ - 0, - 65535 - ] + "default": true, + "description": "Enable signature validation for SAML responses.", + "type": "boolean" } }, { - "session_redis_prefix": { + "anonymous": { "required": false, - "description": "The Redis session key prefix.", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", "type": "string" } }, { - "session_redis_socket": { - "required": false, - "description": "The Redis unix socket path.", - "type": "string" + "session_secret": { + "required": true, + "referenceable": true, + "match": "^[0-9a-zA-Z/_+]+$", + "type": "string", + "len_max": 32, + "len_min": 32, + "encrypted": true, + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange." 
} }, { - "session_redis_host": { + "session_audience": { "required": false, - "description": "The Redis host IP.", - "type": "string", - "default": "127.0.0.1" + "default": "default", + "description": "The session audience, for example \"my-application\"", + "type": "string" } }, { - "session_redis_port": { - "default": 6379, + "session_cookie_name": { "required": false, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", - "between": [ - 0, - 65535 - ] + "default": "session", + "description": "The session cookie name.", + "type": "string" } }, { - "session_redis_username": { + "session_remember": { "required": false, - "type": "string", - "referenceable": true, - "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`." + "default": false, + "description": "Enables or disables persistent sessions", + "type": "boolean" } }, { - "session_redis_password": { - "encrypted": true, - "referenceable": true, + "session_remember_cookie_name": { "required": false, - "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. 
This value is pulled from", + "default": "remember", + "description": "Persistent session cookie name", "type": "string" } }, { - "session_redis_connect_timeout": { + "session_remember_rolling_timeout": { "required": false, - "description": "The Redis connection timeout in milliseconds.", - "type": "integer" + "default": 604800, + "description": "Persistent session rolling timeout in seconds.", + "type": "number" } }, { - "session_redis_read_timeout": { + "session_remember_absolute_timeout": { "required": false, - "description": "The Redis read timeout in milliseconds.", - "type": "integer" + "default": 2592000, + "description": "Persistent session absolute timeout in seconds.", + "type": "number" } }, { - "session_redis_send_timeout": { + "session_idling_timeout": { "required": false, - "description": "The Redis send timeout in milliseconds.", - "type": "integer" + "default": 900, + "description": "The session cookie idle time in seconds.", + "type": "number" } }, { - "session_redis_ssl": { + "session_rolling_timeout": { "required": false, - "description": "Use SSL/TLS for the Redis connection.", - "type": "boolean", - "default": false + "default": 3600, + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "type": "number" } }, { - "session_redis_ssl_verify": { + "session_absolute_timeout": { "required": false, - "description": "Verify the Redis server certificate.", - "type": "boolean", - "default": false + "default": 86400, + "description": "The session cookie absolute timeout in seconds. 
Specifies how long the session can be used until it is no longer valid.", + "type": "number" } }, { - "session_redis_server_name": { + "session_cookie_path": { "required": false, - "description": "The SNI used for connecting to the Redis server.", - "type": "string" + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "type": "string", + "starts_with": "/", + "default": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { - "session_redis_cluster_nodes": { + "session_cookie_domain": { "required": false, - "elements": { - "type": "record", - "fields": [ - { - "ip": { - "required": true, - "type": "string", - "description": "A string representing a host name, such as example.com.", - "default": "127.0.0.1" - } - }, - { - "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", - "between": [ - 0, - 65535 - ] - } - } - ] - }, - "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", - "type": "array" + "description": "The session cookie domain flag.", + "type": "string" } }, { - "session_redis_cluster_max_redirections": { + "session_cookie_same_site": { "required": false, - "description": "The Redis cluster maximum redirects.", - "type": "integer" + "type": "string", + "default": "Lax", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ], + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." 
} - } - ], - "required": true, - "shorthand_fields": [ + }, { - "session_cookie_lifetime": { - "type": "number", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead" - } + "session_cookie_http_only": { + "required": false, + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" } }, { - "session_cookie_idletime": { - "type": "number", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead" - } + "session_cookie_secure": { + "required": false, + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" } }, { - "session_cookie_samesite": { - "type": "string", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead" - } + "session_request_headers": { + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "type": "set" } }, { - "session_cookie_httponly": { - "type": "boolean", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead" - } + "session_response_headers": { + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "type": "set" } }, { - "session_memcache_prefix": { + "session_storage": { + "required": false, 
"type": "string", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead" - } + "default": "cookie", + "one_of": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis" } }, { - "session_memcache_socket": { - "type": "string", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead" - } + "session_store_metadata": { + "required": false, + "default": false, + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", + "type": "boolean" } }, { - "session_memcache_host": { - "type": "string", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead" - } + "session_enforce_same_subject": { + "required": false, + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean" } }, { - "session_memcache_port": { - "type": "integer", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead" - } + "session_hash_subject": { + "required": false, + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", + "type": "boolean" } }, { - "session_redis_cluster_maxredirections": { - "type": "integer", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_redis_cluster_maxredirections is deprecated, please use config.session_redis_cluster_max_redirections instead" - } + "session_hash_storage_key": { + "required": false, + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean" } }, { - "session_cookie_renew": { - "type": "number", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_renew option does not exist anymore" - } + "session_memcached_prefix": { + "required": false, + "description": "The memcached session key prefix.", + "type": "string" } }, { - "session_cookie_maxsize": { - "type": "integer", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore" - } + "session_memcached_socket": { + "required": false, + "description": "The memcached unix socket path.", + "type": "string" } }, { - "session_strategy": { - "type": "string", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_strategy option does not exist anymore" - } + "session_memcached_host": { + "required": false, + "default": "127.0.0.1", + "description": "The memcached host.", + "type": "string" } }, { - "session_compressor": { - "type": "string", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_compressor option does not exist anymore" - } + "session_memcached_port": { + "required": false, + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 11211, + "description": "An integer representing a port 
number between 0 and 65535, inclusive." } }, { - "session_auth_ttl": { - "type": "number", - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_auth_ttl option does not exist anymore" - } + "redis": { + "required": true, + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "connect_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "type": "integer", + 
"description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "send_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "read_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "username": { + "referenceable": true, + "type": "string", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + } + }, + { + "password": { + "type": "string", + "referenceable": true, + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + } + }, + { + "sentinel_username": { + "referenceable": true, + "type": "string", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + } + }, + { + "sentinel_password": { + "type": "string", + "referenceable": true, + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + } + }, + { + "database": { + "default": 0, + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy" + } + }, + { + "keepalive_pool_size": { + "between": [ + 1, + 2147483646 + ], + "default": 256, + "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. 
If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "one_of": [ + "master", + "slave", + "any" + ], + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_nodes": { + "required": false, + "elements": { + "fields": [ + { + "host": { + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ], + "type": "record" + }, + "len_min": 1, + "type": "array", + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." 
+ } + }, + { + "cluster_nodes": { + "required": false, + "elements": { + "fields": [ + { + "ip": { + "required": true, + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ], + "type": "record" + }, + "len_min": 1, + "type": "array", + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + } + }, + { + "ssl": { + "required": false, + "default": false, + "type": "boolean", + "description": "If set to true, uses SSL to connect to Redis." + } + }, + { + "ssl_verify": { + "required": false, + "default": false, + "type": "boolean", + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + } + }, + { + "server_name": { + "required": false, + "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS." + } + }, + { + "cluster_max_redirections": { + "required": false, + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + } + }, + { + "connection_is_proxied": { + "required": false, + "default": false, + "type": "boolean", + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address." 
+ } + }, + { + "prefix": { + "required": false, + "description": "The Redis session key prefix.", + "type": "string" + } + }, + { + "socket": { + "required": false, + "description": "The Redis unix socket path.", + "type": "string" + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + }, + "translate_backwards": [ + "connect_timeout" + ], + "type": "integer" + } + }, + { + "sentinel_addresses": { + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } + }, + { + "cluster_addresses": { + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } + } + ] } } ], "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/session/3.8.x.json b/schemas/session/3.8.x.json index db316884..4bd0b51b 100644 --- a/schemas/session/3.8.x.json +++ b/schemas/session/3.8.x.json @@ -1,20 +1,20 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -26,23 +26,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "description": "A set of strings representing protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -50,137 +53,138 @@ "fields": [ { "secret": { - "encrypted": true, - "referenceable": true, "required": false, + "referenceable": true, "type": "string", - "description": "The secret that is used in keyed HMAC generation.", - "default": "4Xkz87KN9Mdq3BsyMOndCz3cjxVWxf4ndnK6tPTGKhYd" + "default": "jJoUL7vTfOhDYLGGEM4Dwk8E8Ahh3KwRHsDVdtqtOYIc", + "encrypted": true, + "description": "The secret that is used in keyed HMAC generation." } }, { "storage": { - "default": "cookie", - "type": "string", "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", + "default": "cookie", "one_of": [ "cookie", "kong" - ] + ], + "type": "string" } }, { "audience": { - "type": "string", + "default": "default", "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", - "default": "default" + "type": "string" } }, { "idling_timeout": { - "type": "number", + "default": 900, "description": "The session cookie idle time, in seconds.", - "default": 900 + "type": "number" } }, { "rolling_timeout": { - "type": "number", + "default": 3600, "description": "The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed.", - "default": 3600 + "type": "number" } }, { "absolute_timeout": { - "type": "number", + "default": 86400, "description": "The session cookie absolute timeout, in seconds. 
Specifies how long the session can be used until it is no longer valid.", - "default": 86400 + "type": "number" } }, { "stale_ttl": { - "type": "number", + "default": 10, "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", - "default": 10 + "type": "number" } }, { "cookie_name": { - "type": "string", + "default": "session", "description": "The name of the cookie.", - "default": "session" + "type": "string" } }, { "cookie_path": { - "type": "string", + "default": "/", "description": "The resource in the host where the cookie is available.", - "default": "/" + "type": "string" } }, { "cookie_domain": { - "description": "The domain with which the cookie is intended to be exchanged.", - "type": "string" + "type": "string", + "description": "The domain with which the cookie is intended to be exchanged." } }, { "cookie_same_site": { - "default": "Strict", "description": "Determines whether and how a cookie may be sent with cross-site requests.", - "type": "string", + "default": "Strict", "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "type": "string" } }, { "cookie_http_only": { - "type": "boolean", + "default": true, "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", - "default": true + "type": "boolean" } }, { "cookie_secure": { - "type": "boolean", + "default": true, "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", - "default": true + "type": "boolean" } }, { "remember": { - "type": "boolean", + "default": false, "description": "Enables or disables persistent sessions.", - "default": false + "type": "boolean" } }, { "remember_cookie_name": { - "type": "string", + "default": "remember", "description": "Persistent session cookie name. 
Use with the `remember` configuration parameter.", - "default": "remember" + "type": "string" } }, { "remember_rolling_timeout": { - "type": "number", + "default": 604800, "description": "The persistent session rolling timeout window, in seconds.", - "default": 604800 + "type": "number" } }, { "remember_absolute_timeout": { - "type": "number", + "default": 2592000, "description": "The persistent session absolute timeout limit, in seconds.", - "default": 2592000 + "type": "number" } }, { "response_headers": { + "type": "set", "elements": { "type": "string", "one_of": [ @@ -193,12 +197,12 @@ "absolute-timeout" ] }, - "description": "List of information to include, as headers, in the response to the downstream.", - "type": "set" + "description": "List of information to include, as headers, in the response to the downstream." } }, { "request_headers": { + "type": "set", "elements": { "type": "string", "one_of": [ @@ -211,19 +215,22 @@ "absolute-timeout" ] }, - "description": "List of information to include, as headers, in the response to the downstream.", - "type": "set" + "description": "List of information to include, as headers, in the response to the downstream." } }, { "read_body_for_logout": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "logout_methods": { - "description": "A set of HTTP methods that the plugin will respond to.", + "type": "set", + "default": [ + "POST", + "DELETE" + ], "elements": { "type": "string", "one_of": [ 
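Review bot: The `default` of `config.secret` in this hunk is a concrete key-like string (`jJoUL7…`) that differs from the one on the removed side (`4Xkz87…`), which suggests the schema download captures a value generated when the schema is loaded rather than a fixed default. Publishing it makes the docs show a ready-to-use HMAC secret that readers may copy into their configuration, and it produces a spurious diff on every re-download. Consider having the download step replace this `default` with a labelled placeholder such as `"<randomly generated when unset>"`. If the value really is generated per node, the description should say so.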
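Review bot: The `request_headers` description is the same sentence used for `response_headers` ("…in the response to the downstream"), so the docs do not say where the session id, subject and timeout values selected here are sent. If, as the field name suggests, they are added to the proxied request, the text should read `"List of information to include, as headers, in the request to the upstream."`. Because this file is downloaded from the API, the wording has to be corrected in the upstream schema.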
@@ -232,28 +239,25 @@ "DELETE" ] }, - "type": "set", - "default": [ - "POST", - "DELETE" - ] + "description": "A set of HTTP methods that the plugin will respond to." } }, { "logout_query_arg": { - "type": "string", + "default": "session_logout", "description": "The query argument passed to logout requests.", - "default": "session_logout" + "type": "string" } }, { "logout_post_arg": { - "type": "string", + "default": "session_logout", "description": "The POST argument passed to logout requests. Do not change this property.", - "default": "session_logout" + "type": "string" } } ], + "required": true, "shorthand_fields": [ { "cookie_lifetime": { @@ -291,12 +295,8 @@ } } ], - "type": "record", - "required": true + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/standard-webhooks/3.8.x.json b/schemas/standard-webhooks/3.8.x.json index 7e92df27..13c11260 100644 --- a/schemas/standard-webhooks/3.8.x.json +++ b/schemas/standard-webhooks/3.8.x.json @@ -1,24 +1,27 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "type": "set", "default": [ 
@@ -32,32 +35,29 @@ }, { "config": { - "type": "record", "fields": [ { "secret_v1": { "required": true, "referenceable": true, - "description": "Webhook secret", "type": "string", - "encrypted": true + "encrypted": true, + "description": "Webhook secret" } }, { "tolerance_second": { - "required": true, "gt": -1, "type": "integer", "default": 300, + "required": true, "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response." } } ], - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/statsd-advanced/3.8.x.json b/schemas/statsd-advanced/3.8.x.json index 0d0f2104..76c8d2a5 100644 --- a/schemas/statsd-advanced/3.8.x.json +++ b/schemas/statsd-advanced/3.8.x.json @@ -1,12 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -18,23 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "description": "A set of strings representing protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -42,38 +45,108 @@ "fields": [ { "host": { - "type": "string", + "default": "localhost", "description": "A string representing a host name, such as example.com.", - "default": "localhost" + "type": "string" } }, { "port": { - "default": 8125, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "prefix": { + "default": "kong", "type": "string", - "description": "String to prefix to each metric's name.", - "default": "kong" + "description": "String to prefix to each metric's name." } }, { "metrics": { - "type": "array", + "description": "List of Metrics to be logged.", + "default": [ + { + "sample_rate": 1, + "stat_type": "counter", + "name": "request_count" + }, + { + "stat_type": "timer", + "name": "latency" + }, + { + "stat_type": "timer", + "name": "request_size" + }, + { + "sample_rate": 1, + "stat_type": "counter", + "name": "status_count" + }, + { + "stat_type": "timer", + "name": "response_size" + }, + { + "stat_type": "set", + "name": "unique_users" + }, + { + "sample_rate": 1, + "stat_type": "counter", + "name": "request_per_user" + }, + { + "stat_type": "timer", + "name": "upstream_latency" + }, + { + "stat_type": "timer", + "name": "kong_latency" + }, + { + "sample_rate": 1, + "stat_type": "counter", + "name": "status_count_per_user" + }, + { + "sample_rate": 1, + "stat_type": "counter", + "name": "status_count_per_workspace" + }, + { + "sample_rate": 1, + "stat_type": "counter", + "name": "status_count_per_user_per_route" + }, + { + "sample_rate": 1, + "stat_type": "gauge", + "name": "shdict_usage" + }, + { + "sample_rate": 1, + "stat_type": "counter", + "name": "cache_datastore_hits_total" + }, + { + "sample_rate": 1, + "stat_type": "counter", + "name": "cache_datastore_misses_total" + } + ], "elements": { "fields": [ { "name": { 
"required": true, - "type": "string", "one_of": [ "kong_latency", "latency", @@ -90,13 +163,13 @@ "shdict_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" - ] + ], + "type": "string" } }, { "stat_type": { "required": true, - "type": "string", "one_of": [ "counter", "gauge", @@ -104,13 +177,14 @@ "meter", "set", "timer" - ] + ], + "type": "string" } }, { "sample_rate": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { @@ -147,21 +221,21 @@ "entity_checks": [ { "conditional": { - "if_field": "name", + "then_field": "stat_type", "if_match": { "one_of": [ "unique_users" ] }, - "then_field": "stat_type", "then_match": { "eq": "set" - } + }, + "if_field": "name" } }, { "conditional": { - "if_field": "name", + "then_field": "stat_type", "if_match": { "one_of": [ "request_count", 
@@ -174,190 +248,119 @@ "cache_datastore_misses_total" ] }, - "then_field": "stat_type", "then_match": { "eq": "counter" - } + }, + "if_field": "name" } }, { "conditional": { - "if_field": "name", + "then_field": "stat_type", "if_match": { "one_of": [ "shdict_usage" ] }, - "then_field": "stat_type", "then_match": { "eq": "gauge" - } + }, + "if_field": "name" } }, { "conditional": { - "if_field": "stat_type", + "then_field": "sample_rate", "if_match": { "one_of": [ "counter", "gauge" ] }, - "then_field": "sample_rate", "then_match": { "required": true - } + }, + "if_field": "stat_type" } } ], "type": "record" }, - "description": "List of Metrics to be logged.", - "default": [ - { - "stat_type": "counter", - "name": "request_count", - "sample_rate": 1 - }, - { - "name": "latency", - "stat_type": "timer" - }, - { - "name": "request_size", - "stat_type": "timer" - }, - { - "stat_type": "counter", - "name": "status_count", - "sample_rate": 1 - }, - { - "name": "response_size", - "stat_type": "timer" - }, - { - "name": "unique_users", - "stat_type": "set" - }, - { - "stat_type": "counter", - "name": "request_per_user", - "sample_rate": 1 - }, - { - "name": "upstream_latency", - "stat_type": "timer" - }, - { - "name": "kong_latency", - "stat_type": "timer" - }, - { - "stat_type": "counter", - "name": "status_count_per_user", - "sample_rate": 1 - }, - { - "stat_type": "counter", - "name": "status_count_per_workspace", - "sample_rate": 1 - }, - { - "stat_type": "counter", - "name": "status_count_per_user_per_route", - "sample_rate": 1 - }, - { - "stat_type": "gauge", - "name": "shdict_usage", - "sample_rate": 1 - }, - { - "stat_type": "counter", - "name": "cache_datastore_hits_total", - "sample_rate": 1 - }, - { - "stat_type": "counter", - "name": "cache_datastore_misses_total", - "sample_rate": 1 - } - ] + "type": "array" } }, { "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", "elements": { - "type": "string", 
- "match": "^[0-9]+-[0-9]+$" + "match": "^[0-9]+-[0-9]+$", + "type": "string" }, - "type": "array", - "description": "List of status code ranges that are allowed to be logged in metrics." + "type": "array" } }, { "udp_packet_size": { - "default": 0, - "type": "number", - "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", "between": [ 0, 65507 - ] + ], + "default": 0, + "type": "number", + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive)." } }, { "use_tcp": { + "default": false, "type": "boolean", - "description": "Use TCP instead of UDP.", - "default": false + "description": "Use TCP instead of UDP." } }, { "hostname_in_prefix": { + "default": false, "type": "boolean", - "description": "Include the `hostname` in the `prefix` for each metric name.", - "default": false + "description": "Include the `hostname` in the `prefix` for each metric name." } }, { "consumer_identifier_default": { - "default": "custom_id", "required": true, - "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", "type": "string", + "default": "custom_id", "one_of": [ "consumer_id", "custom_id", "username" - ] + ], + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`." } }, { "service_identifier_default": { - "default": "service_name_or_host", "required": true, - "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. 
Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", "type": "string", + "default": "service_name_or_host", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ] + ], + "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`." } }, { "workspace_identifier_default": { - "default": "workspace_id", "required": true, - "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", "type": "string", + "default": "workspace_id", "one_of": [ "workspace_id", "workspace_name" - ] + ], + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. " } }, { 
@@ -365,35 +368,35 @@ "fields": [ { "max_batch_size": { - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 - ] + ], + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 - ] + ], + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 - ] + ], + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue." } }, { 
@@ -404,45 +407,53 @@ }, { "max_retry_time": { + "default": 60, "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "default": 60 + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 - ] + ], + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff." + } + }, + { + "concurrency_limit": { + "type": "integer", + "default": 1, + "one_of": [ + -1, + 1 + ], + "description": "The number of of queue delivery timers. -1 indicates unlimited." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/statsd/3.8.x.json b/schemas/statsd/3.8.x.json index b2741422..2b2e0d1b 100644 --- a/schemas/statsd/3.8.x.json +++ b/schemas/statsd/3.8.x.json @@ -1,12 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
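Review bot: The description of the new `concurrency_limit` field, "The number of of queue delivery timers. -1 indicates unlimited.", has a doubled "of" and does not mention that `one_of` restricts the value to `-1` or `1`. A reader could assume any positive count is accepted and only find out when validation fails. Suggested wording, to be fixed in the upstream schema since this file is downloaded: `"The number of queue delivery timers: 1 for a single timer, -1 for unlimited."`.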
@@ -18,23 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "description": "A set of strings representing protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -42,39 +45,110 @@ "fields": [ { "host": { + "default": "localhost", "description": "The IP address or hostname of StatsD server to send data to.", - "type": "string", - "default": "localhost" + "type": "string" } }, { "port": { - "default": 8125, - "description": "The port of StatsD server to send data to.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 8125, + "description": "The port of StatsD server to send data to.", + "type": "integer" } }, { "prefix": { + "default": "kong", "description": "String to prefix to each metric's name.", - "type": "string", - "default": "kong" + "type": "string" } }, { "metrics": { - "description": "List of metrics to be logged.", + "type": "array", + "default": [ + { + "sample_rate": 1, + "stat_type": "counter", + "name": "request_count" + }, + { + "name": "latency", + "stat_type": "timer" + }, + { + "sample_rate": 1, + "stat_type": "counter", + "name": "request_size" + }, + { + "sample_rate": 1, + "stat_type": "counter", + "name": "status_count" + }, + { + "sample_rate": 1, + "stat_type": "counter", + "name": "response_size" + }, + { + "name": "unique_users", + "stat_type": "set" + }, + { + "sample_rate": 1, + "stat_type": "counter", + "name": "request_per_user" + }, + { + "name": "upstream_latency", + "stat_type": "timer" + }, + { + "name": "kong_latency", + "stat_type": "timer" + }, + { + "sample_rate": 1, + "stat_type": "counter", + "name": "status_count_per_user" + }, + { + "sample_rate": 1, + "stat_type": "counter", + "name": "status_count_per_workspace" + }, + { + "sample_rate": 1, + "stat_type": "counter", + "name": "status_count_per_user_per_route" + }, + { + "sample_rate": 1, + "stat_type": "gauge", + "name": "shdict_usage" + }, + { + "sample_rate": 1, + "stat_type": "counter", + "name": "cache_datastore_hits_total" + }, + { + "sample_rate": 1, + "stat_type": "counter", + "name": "cache_datastore_misses_total" + } + ], "elements": { "fields": [ { "name": { "required": true, - "description": "StatsD 
metric’s name.", - "type": "string", "one_of": [ "kong_latency", "latency", @@ -91,14 +165,14 @@ "shdict_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" - ] + ], + "description": "StatsD metric’s name.", + "type": "string" } }, { "stat_type": { "required": true, - "description": "Determines what sort of event a metric represents.", - "type": "string", "one_of": [ "counter", "gauge", 
@@ -106,253 +180,182 @@ "meter", "set", "timer" - ] + ], + "description": "Determines what sort of event a metric represents.", + "type": "string" } }, { "sample_rate": { + "gt": 0, "description": "Sampling rate", - "type": "number", - "gt": 0 + "type": "number" } }, { "consumer_identifier": { - "description": "Authenticated user detail.", - "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ] + ], + "type": "string", + "description": "Authenticated user detail." } }, { "service_identifier": { - "description": "Service detail.", - "type": "string", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ] + ], + "type": "string", + "description": "Service detail." } }, { "workspace_identifier": { - "description": "Workspace detail.", - "type": "string", "one_of": [ "workspace_id", "workspace_name" - ] + ], + "type": "string", + "description": "Workspace detail." } } ], "entity_checks": [ { "conditional": { - "if_field": "stat_type", + "then_field": "sample_rate", "if_match": { "one_of": [ "counter", "gauge" ] }, - "then_field": "sample_rate", "then_match": { "required": true - } + }, + "if_field": "stat_type" } } ], "type": "record" }, - "type": "array", - "default": [ - { - "stat_type": "counter", - "name": "request_count", - "sample_rate": 1 - }, - { - "name": "latency", - "stat_type": "timer" - }, - { - "stat_type": "counter", - "name": "request_size", - "sample_rate": 1 - }, - { - "stat_type": "counter", - "name": "status_count", - "sample_rate": 1 - }, - { - "stat_type": "counter", - "name": "response_size", - "sample_rate": 1 - }, - { - "stat_type": "set", - "name": "unique_users" - }, - { - "stat_type": "counter", - "name": "request_per_user", - "sample_rate": 1 - }, - { - "name": "upstream_latency", - "stat_type": "timer" - }, - { - "name": "kong_latency", - "stat_type": "timer" - }, - { - "stat_type": "counter", - "name": "status_count_per_user", - "sample_rate": 1 - }, - { - "stat_type": "counter", - "name": 
"status_count_per_workspace", - "sample_rate": 1 - }, - { - "stat_type": "counter", - "name": "status_count_per_user_per_route", - "sample_rate": 1 - }, - { - "stat_type": "gauge", - "name": "shdict_usage", - "sample_rate": 1 - }, - { - "stat_type": "counter", - "name": "cache_datastore_hits_total", - "sample_rate": 1 - }, - { - "stat_type": "counter", - "name": "cache_datastore_misses_total", - "sample_rate": 1 - } - ] + "description": "List of metrics to be logged." } }, { "allow_status_codes": { + "type": "array", "elements": { - "type": "string", - "match": "^[0-9]+-[0-9]+$" + "match": "^[0-9]+-[0-9]+$", + "type": "string" }, - "description": "List of status code ranges that are allowed to be logged in metrics.", - "type": "array" + "description": "List of status code ranges that are allowed to be logged in metrics." } }, { "udp_packet_size": { - "default": 0, - "type": "number", "between": [ 0, 65507 - ] + ], + "default": 0, + "type": "number" } }, { "use_tcp": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "hostname_in_prefix": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "consumer_identifier_default": { "required": true, "default": "custom_id", - "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ] + ], + "type": "string" } }, { "service_identifier_default": { "required": true, "default": "service_name_or_host", - "type": "string", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ] + ], + "type": "string" } }, { "workspace_identifier_default": { "required": true, "default": "workspace_id", - "type": "string", "one_of": [ "workspace_id", "workspace_name" - ] + ], + "type": "string" } }, { "retry_count": { - "type": "integer", "deprecation": { - "old_default": 10, + "message": "statsd: config.retry_count no longer works, please use config.queue.max_retry_time instead", "removal_in_version": "4.0", - "message": "statsd: 
config.retry_count no longer works, please use config.queue.max_retry_time instead" - } + "old_default": 10 + }, + "type": "integer" } }, { "queue_size": { - "type": "integer", "deprecation": { - "old_default": 1, + "message": "statsd: config.queue_size is deprecated, please use config.queue.max_batch_size instead", "removal_in_version": "4.0", - "message": "statsd: config.queue_size is deprecated, please use config.queue.max_batch_size instead" - } + "old_default": 1 + }, + "type": "integer" } }, { "flush_timeout": { - "type": "number", "deprecation": { - "old_default": 2, + "message": "statsd: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", "removal_in_version": "4.0", - "message": "statsd: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead" - } + "old_default": 2 + }, + "type": "number" } }, { "tag_style": { "required": false, - "type": "string", "one_of": [ "dogstatsd", "influxdb", "librato", "signalfx" - ] + ], + "type": "string" } }, { 
@@ -360,35 +363,35 @@ "fields": [ { "max_batch_size": { - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 - ] + ], + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 - ] + ], + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 - ] + ], + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue." } }, { 
@@ -399,45 +402,53 @@ }, { "max_retry_time": { + "default": 60, "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "default": 60 + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 - ] + ], + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff." + } + }, + { + "concurrency_limit": { + "type": "integer", + "default": 1, + "one_of": [ + -1, + 1 + ], + "description": "The number of of queue delivery timers. -1 indicates unlimited." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/syslog/3.8.x.json b/schemas/syslog/3.8.x.json index b6825600..8521cf22 100644 --- a/schemas/syslog/3.8.x.json +++ b/schemas/syslog/3.8.x.json @@ -1,12 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -18,23 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "description": "A set of strings representing protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -44,7 +47,6 @@ "log_level": { "required": true, "default": "info", - "type": "string", "one_of": [ "debug", "info", @@ -54,14 +56,14 @@ "crit", "alert", "emerg" - ] + ], + "type": "string" } }, { "successful_severity": { "required": true, "default": "info", - "type": "string", "one_of": [ "debug", "info", @@ -71,14 +73,14 @@ "crit", "alert", "emerg" - ] + ], + "type": "string" } }, { "client_errors_severity": { "required": true, "default": "info", - "type": "string", "one_of": [ "debug", "info", @@ -88,14 +90,14 @@ "crit", "alert", "emerg" - ] + ], + "type": "string" } }, { "server_errors_severity": { "required": true, "default": "info", - "type": "string", "one_of": [ "debug", "info", @@ -105,7 +107,8 @@ "crit", "alert", "emerg" - ] + ], + "type": "string" } }, { @@ -114,20 +117,19 @@ "type": "string", "len_min": 1 }, - "type": "map", "description": "Lua code as a key-value map", "values": { - "type": "string", - "len_min": 1 - } + "len_min": 1, + "type": "string" + }, + "type": "map" } }, { "facility": { - "default": "user", "required": true, - "description": "The facility is used by the operating system to decide how to handle each log message.", "type": "string", + "default": "user", "one_of": [ "auth", "authpriv", 
@@ -149,16 +151,14 @@ "local5", "local6", "local7" - ] + ], + "description": "The facility is used by the operating system to decide how to handle each log message." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/tcp-log/3.8.x.json b/schemas/tcp-log/3.8.x.json index ac50f9ad..ec1ef0a7 100644 --- a/schemas/tcp-log/3.8.x.json +++ b/schemas/tcp-log/3.8.x.json @@ -1,12 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -18,23 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "description": "A set of strings representing protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -43,70 +46,67 @@ { "host": { "required": true, - "type": "string", - "description": "The IP address or host name to send data to." + "description": "The IP address or host name to send data to.", + "type": "string" } }, { "port": { "required": true, "description": "The port to send data to on the upstream server.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer" } }, { "timeout": { - "type": "number", + "default": 10000, "description": "An optional timeout in milliseconds when sending data to the upstream server.", - "default": 10000 + "type": "number" } }, { "keepalive": { - "type": "number", + "default": 60000, "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", - "default": 60000 + "type": "number" } }, { "tls": { "required": true, - "type": "boolean", + "default": false, "description": "Indicates whether to perform a TLS handshake against the remote server.", - "default": false + "type": "boolean" } }, { "tls_sni": { - "type": "string", - "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake." + "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake.", + "type": "string" } }, { "custom_fields_by_lua": { - "values": { - "type": "string", - "len_min": 1 - }, - "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", "type": "map", "keys": { "type": "string", "len_min": 1 - } + }, + "values": { + "len_min": 1, + "type": "string" + }, + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value." 
} } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/tls-handshake-modifier/3.8.x.json b/schemas/tls-handshake-modifier/3.8.x.json index b200a2ad..e3e7e4a0 100644 --- a/schemas/tls-handshake-modifier/3.8.x.json +++ b/schemas/tls-handshake-modifier/3.8.x.json @@ -1,16 +1,23 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "default": [ + "https", + "grpcs" + ], "elements": { "type": "string", "one_of": [ @@ -19,19 +26,15 @@ "tls" ] }, - "type": "set", - "default": [ - "https", - "grpcs" - ] + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -39,22 +42,19 @@ "fields": [ { "tls_client_certificate": { - "default": "REQUEST", "required": false, - "description": "TLS Client Certificate", "type": "string", + "default": "REQUEST", "one_of": [ "REQUEST" - ] + ], + "description": "TLS Client Certificate" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/tls-metadata-headers/3.8.x.json b/schemas/tls-metadata-headers/3.8.x.json index 507b8f50..432788dc 100644 --- a/schemas/tls-metadata-headers/3.8.x.json +++ b/schemas/tls-metadata-headers/3.8.x.json 
@@ -1,16 +1,23 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "default": [ + "https", + "grpcs" + ], "elements": { "type": "string", "one_of": [ @@ -19,19 +26,15 @@ "tls" ] }, - "type": "set", - "default": [ - "https", - "grpcs" - ] + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -39,58 +42,55 @@ "fields": [ { "inject_client_cert_details": { - "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", + "default": false, "type": "boolean", - "default": false + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers." } }, { "client_cert_header_name": { "required": true, + "default": "X-Client-Cert", "type": "string", - "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", - "default": "X-Client-Cert" + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate." } }, { "client_serial_header_name": { "required": true, + "default": "X-Client-Cert-Serial", "type": "string", - "description": "Define the HTTP header name used for the serial number of the client certificate.", - "default": "X-Client-Cert-Serial" + "description": "Define the HTTP header name used for the serial number of the client certificate." } }, { "client_cert_issuer_dn_header_name": { "required": true, + "default": "X-Client-Cert-Issuer-DN", "type": "string", - "description": "Define the HTTP header name used for the issuer DN of the client certificate.", - "default": "X-Client-Cert-Issuer-DN" + "description": "Define the HTTP header name used for the issuer DN of the client certificate." } }, { "client_cert_subject_dn_header_name": { "required": true, + "default": "X-Client-Cert-Subject-DN", "type": "string", - "description": "Define the HTTP header name used for the subject DN of the client certificate.", - "default": "X-Client-Cert-Subject-DN" + "description": "Define the HTTP header name used for the subject DN of the client certificate." 
} }, { "client_cert_fingerprint_header_name": { "required": true, + "default": "X-Client-Cert-Fingerprint", "type": "string", - "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", - "default": "X-Client-Cert-Fingerprint" + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/udp-log/3.8.x.json b/schemas/udp-log/3.8.x.json index fd6c991c..2f09cbc5 100644 --- a/schemas/udp-log/3.8.x.json +++ b/schemas/udp-log/3.8.x.json @@ -1,12 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", @@ -18,23 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "description": "A set of strings representing protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -51,18 +54,18 @@ "port": { "required": true, "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer" } }, { "timeout": { - "type": "number", + "default": 10000, "description": "An optional timeout in milliseconds when sending data to the upstream server.", - "default": 10000 + "type": "number" } }, { @@ -71,21 +74,18 @@ "type": "string", "len_min": 1 }, - "type": "map", "description": "Lua code as a key-value map", "values": { - "type": "string", - "len_min": 1 - } + "len_min": 1, + "type": "string" + }, + "type": "map" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/upstream-oauth/3.8.x.json b/schemas/upstream-oauth/3.8.x.json index eb370814..01c90b25 100644 --- a/schemas/upstream-oauth/3.8.x.json +++ b/schemas/upstream-oauth/3.8.x.json @@ -19,14 +19,6 @@ { "protocols": { "required": true, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "type": "set", - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -35,7 +27,15 @@ "http", "https" ] - } + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols." } }, { @@ -47,25 +47,25 @@ { "auth_method": { "required": true, - "default": "client_secret_post", - "type": "string", "one_of": [ "client_secret_post", "client_secret_basic", "client_secret_jwt", "none" - ] + ], + "default": "client_secret_post", + "type": "string" } }, { "client_secret_jwt_alg": { "required": true, - "default": "HS512", - "type": "string", "one_of": [ "HS512", "HS256" - ] + ], + "default": "HS512", + "type": "string" } }, { @@ -84,8 +84,8 @@ }, { "http_proxy_authorization": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { 
@@ -97,26 +97,26 @@ }, { "https_proxy_authorization": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "no_proxy": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "timeout": { "required": true, - "default": 10000, "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 10000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -134,8 +134,8 @@ } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -150,11 +150,6 @@ }, { "token_headers": { - "required": true, - "default": [ - - ], - "type": "map", "keys": { "type": "string", "description": "A string representing an HTTP header name." @@ -162,66 +157,63 @@ "values": { "type": "string", "referenceable": true - } + }, + "type": "map" } }, { "token_post_args": { - "required": true, - "default": [ - - ], - "type": "map", "keys": { "type": "string" }, "values": { "type": "string", "referenceable": true - } + }, + "type": "map" } }, { "grant_type": { "required": true, - "default": "client_credentials", - "type": "string", "one_of": [ "client_credentials", "password" - ] + ], + "default": "client_credentials", + "type": "string" } }, { "client_id": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { "client_secret": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { "username": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { "password": { "required": false, + "referenceable": true, "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { 
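Review bot: `token_headers` (hunk `@@ -150,11 +150,6 @@`) and `token_post_args` (hunk `@@ -162,66 +157,63 @@`) lose `"required": true` and their `"default"`, which is the only validation change among the key moves in this file and deserves a line in the commit description. Both maps keep `values` that are `referenceable` but carry no `"encrypted": true`, unlike `client_id`, `client_secret`, `username` and `password` in the same hunk. If these maps can hold credentials sent to the token endpoint, which the page does not show, the asymmetry is worth confirming with the schema owners. Neither map has a top-level `description`; at the schema's source something like `"description": "Extra headers sent with the token request; supply secret values as references."` would document the expectation.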
@@ -230,10 +222,10 @@ "default": [ "openid" ], - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } }, { @@ -242,15 +234,15 @@ "default": [ ], - "type": "array", "elements": { "type": "string" - } + }, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -259,12 +251,12 @@ { "strategy": { "required": true, - "default": "memory", - "type": "string", "one_of": [ "memory", "redis" - ] + ], + "default": "memory", + "type": "string" } }, { @@ -278,13 +270,110 @@ } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "redis": { "required": true, + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "then_field": "host", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + }, + "if_field": "connection_is_proxied" + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], "type": "record", "fields": [ { 
@@ -295,200 +384,200 @@ }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, { "send_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, { "read_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, { "username": { + "referenceable": true, "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string", - "referenceable": true + "type": "string" } }, { "password": { - "type": "string", "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, "encrypted": true, - "referenceable": true + "type": "string" } }, { "sentinel_username": { + "referenceable": true, "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", - "type": "string", - "referenceable": true + "type": "string" } }, { "sentinel_password": { - "type": "string", "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, "encrypted": true, - "referenceable": true + "type": "string" } }, { "database": { "default": 0, - "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" } }, { "keepalive_pool_size": { - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "default": 256, "between": [ 1, 2147483646 ], + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "type": "integer" } }, { "keepalive_backlog": { - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. 
If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." } }, { "sentinel_nodes": { "required": false, - "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "elements": { - "type": "record", "fields": [ { "host": { "required": true, "default": "127.0.0.1", - "type": "string", - "description": "A string representing a host name, such as example.com." 
+ "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } } - ] - } + ], + "type": "record" + }, + "type": "array", + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { "required": false, - "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "elements": { - "type": "record", "fields": [ { "ip": { "required": true, "default": "127.0.0.1", - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } } - ] - } + ], + "type": "record" + }, + "type": "array", + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { "required": false, "default": false, - "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis." 
+ "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" } }, { "ssl_verify": { "required": false, "default": false, - "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" } }, { @@ -510,8 +599,8 @@ "connection_is_proxied": { "required": false, "default": false, - "type": "boolean", - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address." + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" } } ], @@ -522,10 +611,10 @@ "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", "removal_in_version": "4.0" }, - "type": "integer", "translate_backwards": [ "connect_timeout" - ] + ], + "type": "integer" } }, { @@ -534,11 +623,11 @@ "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, - "len_min": 1, "type": "array", "elements": { "type": "string" - } + }, + "len_min": 1 } }, { 
@@ -547,108 +636,11 @@ "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, - "len_min": 1, "type": "array", "elements": { "type": "string" - } - } - } - ], - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_field": "connection_is_proxied", - "if_match": { - "eq": true }, - "then_field": "host", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] + "len_min": 1 } } ] @@ -656,22 +648,22 @@ }, { "eagerly_expire": { - "required": true, - "default": 5, "gt": -1, + "default": 5, + "required": true, "type": "integer" } }, { "default_ttl": { - "default": 3600, "gt": 0, + "default": 3600, "type": "number" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
@@ -680,44 +672,44 @@ { "upstream_access_token_header_name": { "required": true, + "default": "Authorization", "len_min": 0, - "type": "string", - "default": "Authorization" + "type": "string" } }, { "idp_error_response_status_code": { "required": true, "default": 502, - "type": "integer", "between": [ 500, 599 - ] + ], + "type": "integer" } }, { "idp_error_response_content_type": { "required": true, + "default": "application/json; charset=utf-8", "len_min": 0, - "type": "string", - "default": "application/json; charset=utf-8" + "type": "string" } }, { "idp_error_response_message": { "required": true, + "default": "Failed to authenticate request to upstream", "len_min": 0, - "type": "string", - "default": "Failed to authenticate request to upstream" + "type": "string" } }, { "idp_error_response_body_template": { "required": true, + "default": "{ \"code\": \"{{status}}\", \"message\": \"{{message}}\" }", "len_min": 0, - "type": "string", - "default": "{ \"code\": \"{{status}}\", \"message\": \"{{message}}\" }" + "type": "string" } }, { @@ -725,24 +717,24 @@ "default": [ 401 ], - "type": "array", "elements": { - "type": "integer", "between": [ 100, 599 - ] - } + ], + "type": "integer" + }, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/upstream-timeout/3.8.x.json b/schemas/upstream-timeout/3.8.x.json index 5db2c5aa..3ca81375 100644 --- a/schemas/upstream-timeout/3.8.x.json +++ b/schemas/upstream-timeout/3.8.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", 
@@ -13,21 +15,22 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -35,41 +38,38 @@ "fields": [ { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/vault-auth/3.8.x.json b/schemas/vault-auth/3.8.x.json index 515b0d93..2c71b65c 100644 --- a/schemas/vault-auth/3.8.x.json +++ b/schemas/vault-auth/3.8.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", 
@@ -13,29 +15,30 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { - "reference": "consumers", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -43,41 +46,41 @@ "fields": [ { "access_token_name": { - "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", "required": true, "elements": { "type": "string", "description": "A string representing an HTTP header name." }, "type": "string", - "default": "access_token" + "default": "access_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-]." } }, { "secret_token_name": { - "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", "required": true, "elements": { "type": "string", "description": "A string representing an HTTP header name." }, "type": "string", - "default": "secret_token" + "default": "secret_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-]." 
} }, { "vault": { "required": true, - "type": "foreign", + "reference": "vault_auth_vaults", "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", - "reference": "vault_auth_vaults" + "type": "foreign" } }, { "hide_credentials": { - "type": "boolean", + "default": false, "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", - "default": false + "type": "boolean" } }, { @@ -88,25 +91,22 @@ }, { "tokens_in_body": { - "type": "boolean", + "default": false, "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", - "default": false + "type": "boolean" } }, { "run_on_preflight": { - "type": "boolean", + "default": true, "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", - "default": true + "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/websocket-size-limit/3.8.x.json b/schemas/websocket-size-limit/3.8.x.json index e6aaf3fc..ed3c4a63 100644 --- a/schemas/websocket-size-limit/3.8.x.json +++ b/schemas/websocket-size-limit/3.8.x.json @@ -1,8 +1,15 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { "required": true, + "default": [ + "ws", + "wss" + ], "elements": { "type": "string", "one_of": [ 
@@ -10,19 +17,15 @@ "wss" ] }, - "type": "set", - "default": [ - "ws", - "wss" - ] + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -31,24 +34,25 @@ { "client_max_payload": { "required": false, - "type": "integer", "between": [ 1, 33554432 - ] + ], + "type": "integer" } }, { "upstream_max_payload": { "required": false, - "type": "integer", "between": [ 1, 33554432 - ] + ], + "type": "integer" } } ], + "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -57,12 +61,8 @@ ] } ], - "type": "record", - "required": true + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/websocket-validator/3.8.x.json b/schemas/websocket-validator/3.8.x.json index 635cffa7..f3a1fea5 100644 --- a/schemas/websocket-validator/3.8.x.json +++ b/schemas/websocket-validator/3.8.x.json @@ -1,8 +1,15 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { "required": true, + "default": [ + "ws", + "wss" + ], "elements": { "type": "string", "one_of": [ @@ -10,19 +17,15 @@ "wss" ] }, - "type": "set", - "default": [ - "ws", - "wss" - ] + "type": "set" } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -31,39 +34,19 @@ { "client": { "required": false, - "entity_checks": [ - { - "at_least_one_of": [ - "text", - "binary" - ] - } - ], - "type": "record", "fields": [ { "text": { "required": false, - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "type", - "schema" - ] - } - } - ], - "type": "record", "fields": [ { "type": { "required": true, - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", - "type": "string", "one_of": [ "draft4" - ] + ], + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string" } }, { @@ -73,12 +56,7 @@ "type": "string" } } - ] - } - }, - { - "binary": { - "required": false, + ], "entity_checks": [ { "custom_entity_check": { @@ -89,16 +67,21 @@ } } ], - "type": "record", + "type": "record" + } + }, + { + "binary": { + "required": false, "fields": [ { "type": { "required": true, - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", - "type": "string", "one_of": [ "draft4" - ] + ], + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string" } }, { @@ -108,15 +91,21 @@ "type": "string" } } - ] + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "type": "record" } } - ] - } - }, - { - "upstream": { - "required": false, + ], "entity_checks": [ { "at_least_one_of": [ 
@@ -125,31 +114,25 @@ ] } ], - "type": "record", + "type": "record" + } + }, + { + "upstream": { + "required": false, "fields": [ { "text": { "required": false, - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "type", - "schema" - ] - } - } - ], - "type": "record", "fields": [ { "type": { "required": true, - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", - "type": "string", "one_of": [ "draft4" - ] + ], + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string" } }, { @@ -159,12 +142,7 @@ "type": "string" } } - ] - } - }, - { - "binary": { - "required": false, + ], "entity_checks": [ { "custom_entity_check": { @@ -175,16 +153,21 @@ } } ], - "type": "record", + "type": "record" + } + }, + { + "binary": { + "required": false, "fields": [ { "type": { "required": true, - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", - "type": "string", "one_of": [ "draft4" - ] + ], + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string" } }, { @@ -194,13 +177,34 @@ "type": "string" } } - ] + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "type": "record" } } - ] + ], + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } + ], + "type": "record" } } ], + "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -209,12 +213,8 @@ ] } ], - "type": "record", - "required": true + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/xml-threat-protection/3.8.x.json b/schemas/xml-threat-protection/3.8.x.json index 56b5cdf3..a6a3d9f6 100644 
--- a/schemas/xml-threat-protection/3.8.x.json +++ b/schemas/xml-threat-protection/3.8.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { "type": "string", @@ -13,21 +15,22 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { 
@@ -35,266 +38,263 @@ "fields": [ { "checked_content_types": { - "type": "set", "required": true, "elements": { "required": true, - "type": "string", - "match": "^[^%s]+%/[^ ;]+$" + "match": "^[^%s]+%/[^ ;]+$", + "type": "string" }, - "description": "A list of Content-Type values with payloads that must be validated.", + "type": "set", "default": [ "application/xml" - ] + ], + "description": "A list of Content-Type values with payloads that must be validated." } }, { "allowed_content_types": { - "type": "set", "required": true, "elements": { "required": true, - "type": "string", - "match": "^[^%s]+%/[^ ;]+$" + "match": "^[^%s]+%/[^ ;]+$", + "type": "string" }, - "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", + "type": "set", "default": [ - ] + ], + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated." } }, { "allow_dtd": { "required": true, - "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", + "default": false, "type": "boolean", - "default": false + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed." } }, { "namespace_aware": { "required": true, - "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", + "default": true, "type": "boolean", - "default": true + "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such." } }, { "max_depth": { "gt": 0, - "required": true, "type": "integer", - "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", - "default": 50 + "default": 50, + "required": true, + "description": "Maximum depth of tags. 
Child elements such as Text or Comments are not counted as another level." } }, { "max_children": { "gt": 0, - "required": true, "type": "integer", - "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", - "default": 100 + "default": 100, + "required": true, + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child." } }, { "max_attributes": { "gt": 0, - "required": true, "type": "integer", - "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", - "default": 100 + "default": 100, + "required": true, + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes." } }, { "max_namespaces": { "gt": 0, - "required": false, "type": "integer", - "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", - "default": 20 + "default": 20, + "required": false, + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware." } }, { "document": { "gt": 0, - "required": true, - "description": "Maximum size of the entire document.", "type": "integer", - "default": 10485760 + "default": 10485760, + "required": true, + "description": "Maximum size of the entire document." 
} }, { "buffer": { "gt": 0, - "required": true, - "description": "Maximum size of the unparsed buffer (see below).", "type": "integer", - "default": 1048576 + "default": 1048576, + "required": true, + "description": "Maximum size of the unparsed buffer (see below)." } }, { "comment": { "gt": 0, - "required": true, - "description": "Maximum size of comments.", "type": "integer", - "default": 1024 + "default": 1024, + "required": true, + "description": "Maximum size of comments." } }, { "localname": { "gt": 0, - "required": true, - "description": "Maximum size of the localname. This applies to tags and attributes.", "type": "integer", - "default": 1024 + "default": 1024, + "required": true, + "description": "Maximum size of the localname. This applies to tags and attributes." } }, { "prefix": { "gt": 0, - "required": false, - "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", "type": "integer", - "default": 1024 + "default": 1024, + "required": false, + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware." } }, { "namespaceuri": { "gt": 0, - "required": false, - "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware.", "type": "integer", - "default": 1024 + "default": 1024, + "required": false, + "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware." } }, { "attribute": { "gt": 0, - "required": true, - "description": "Maximum size of the attribute value.", "type": "integer", - "default": 1048576 + "default": 1048576, + "required": true, + "description": "Maximum size of the attribute value." 
} }, { "text": { "gt": 0, - "required": true, - "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", "type": "integer", - "default": 1048576 + "default": 1048576, + "required": true, + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined)." } }, { "pitarget": { "gt": 0, - "required": true, - "description": "Maximum size of processing instruction targets.", "type": "integer", - "default": 1024 + "default": 1024, + "required": true, + "description": "Maximum size of processing instruction targets." } }, { "pidata": { "gt": 0, - "required": true, - "description": "Maximum size of processing instruction data.", "type": "integer", - "default": 1024 + "default": 1024, + "required": true, + "description": "Maximum size of processing instruction data." } }, { "entityname": { "gt": 0, - "required": true, - "description": "Maximum size of entity names in EntityDecl.", "type": "integer", - "default": 1024 + "default": 1024, + "required": true, + "description": "Maximum size of entity names in EntityDecl." } }, { "entity": { "gt": 0, - "required": true, - "description": "Maximum size of entity values in EntityDecl.", "type": "integer", - "default": 1024 + "default": 1024, + "required": true, + "description": "Maximum size of entity values in EntityDecl." } }, { "entityproperty": { "gt": 0, - "required": true, - "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", "type": "integer", - "default": 1024 + "default": 1024, + "required": true, + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl." } }, { "bla_max_amplification": { "gt": 1, - "required": true, "type": "number", - "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", - "default": 100 + "default": 100, + "required": true, + "description": "Sets the maximum allowed amplification. 
This protects against the Billion Laughs Attack." } }, { "bla_threshold": { - "gt": 1024, "required": true, - "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", "type": "integer", - "default": 8388608 + "default": 8388608, + "gt": 1024, + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack." } } ], + "required": true, "entity_checks": [ { "conditional": { - "if_field": "namespace_aware", + "then_field": "max_namespaces", "if_match": { "eq": true }, - "then_field": "max_namespaces", "then_match": { "required": true - } + }, + "if_field": "namespace_aware" } }, { "conditional": { - "if_field": "namespace_aware", + "then_field": "prefix", "if_match": { "eq": true }, - "then_field": "prefix", "then_match": { "required": true - } + }, + "if_field": "namespace_aware" } }, { "conditional": { - "if_field": "namespace_aware", + "then_field": "namespaceuri", "if_match": { "eq": true }, - "then_field": "namespaceuri", "then_match": { "required": true - } + }, + "if_field": "namespace_aware" } } ], - "type": "record", - "required": true + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/zipkin/3.8.x.json b/schemas/zipkin/3.8.x.json index 389af427..bac2c9b7 100644 --- a/schemas/zipkin/3.8.x.json +++ b/schemas/zipkin/3.8.x.json @@ -1,12 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "required": true, "elements": { - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ "grpc", "grpcs", 
@@ -18,23 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string", + "description": "A string representing a protocol, such as HTTP or HTTPS." }, - "description": "A set of strings representing protocols.", + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { - "reference": "consumer_groups", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null + "reference": "consumer_groups", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." } }, { @@ -43,9 +46,9 @@ { "local_service_name": { "required": true, + "default": "kong", "type": "string", - "description": "The name of the service as displayed in Zipkin.", - "default": "kong" + "description": "The name of the service as displayed in Zipkin." } }, { @@ -56,13 +59,13 @@ }, { "sample_ratio": { - "default": 0.001, - "type": "number", - "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", "between": [ 0, 1 - ] + ], + "default": 0.001, + "type": "number", + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. " } }, { 
@@ -74,34 +77,33 @@ { "include_credential": { "required": true, + "default": true, "type": "boolean", - "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", - "default": true + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server." } }, { "traceid_byte_count": { - "default": 16, "required": true, "type": "integer", - "description": "The length in bytes of each request's Trace ID.", + "default": 16, "one_of": [ 8, 16 - ] + ], + "description": "The length in bytes of each request's Trace ID." } }, { "header_type": { - "default": "preserve", - "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", "required": true, + "type": "string", "deprecation": { - "old_default": "preserve", "message": "zipkin: config.header_type is deprecated, please use config.propagation options instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "old_default": "preserve" }, - "type": "string", + "default": "preserve", "one_of": [ "preserve", "ignore", 
@@ -113,20 +115,20 @@ "aws", "datadog", "gcp" - ] + ], + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests" } }, { "default_header_type": { - "default": "b3", - "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", "required": true, + "type": "string", "deprecation": { - "old_default": "b3", "message": "zipkin: config.default_header_type is deprecated, please use config.propagation.default_format instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "old_default": "b3" }, - "type": "string", + "default": "b3", "one_of": [ "b3", "b3-single", @@ -136,26 +138,26 @@ "aws", "datadog", "gcp" - ] + ], + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored." } }, { "tags_header": { "required": true, + "default": "Zipkin-Tags", "type": "string", - "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", - "default": "Zipkin-Tags" + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property." } }, { "static_tags": { + "description": "The tags specified on this property will be added to the generated request traces.", "elements": { - "type": "record", "fields": [ { "name": { "required": true, - "type": "string", "not_one_of": [ "error", "http.method", 
@@ -170,7 +172,8 @@ "kong.service", "lc", "peer.hostname" - ] + ], + "type": "string" } }, { @@ -179,55 +182,55 @@ "type": "string" } } - ] + ], + "type": "record" }, - "type": "array", - "description": "The tags specified on this property will be added to the generated request traces." + "type": "array" } }, { "http_span_name": { - "default": "method", "required": true, "type": "string", - "description": "Specify whether to include the HTTP path in the span name.", + "default": "method", "one_of": [ "method", "method_path" - ] + ], + "description": "Specify whether to include the HTTP path in the span name." } }, { "connect_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "read_timeout": { - "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { 
@@ -237,14 +240,14 @@ }, { "phase_duration_flavor": { - "default": "annotations", "required": true, "type": "string", - "description": "Specify whether to include the duration of each phase as an annotation or a tag.", + "default": "annotations", "one_of": [ "annotations", "tags" - ] + ], + "description": "Specify whether to include the duration of each phase as an annotation or a tag." } }, { @@ -252,35 +255,35 @@ "fields": [ { "max_batch_size": { - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 - ] + ], + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 - ] + ], + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 - ] + ], + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue." } }, { 
@@ -291,36 +294,47 @@ }, { "max_retry_time": { + "default": 60, "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "default": 60 + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 - ] + ], + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch." } }, { "max_retry_delay": { - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 - ] + ], + "default": 60, + "type": "number", + "description": "Maximum time in seconds between retries, caps exponential backoff." + } + }, + { + "concurrency_limit": { + "type": "integer", + "default": 1, + "one_of": [ + -1, + 1 + ], + "description": "The number of of queue delivery timers. -1 indicates unlimited." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
@@ -328,83 +342,80 @@ "fields": [ { "extract": { + "type": "array", "elements": { "type": "string", "one_of": [ - "b3", - "gcp", - "jaeger", "aws", "ot", "w3c", - "datadog" + "datadog", + "b3", + "gcp", + "jaeger" ] }, - "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", - "type": "array" + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID." } }, { "clear": { + "type": "array", "elements": { "type": "string" }, - "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", - "type": "array" + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared." } }, { "inject": { + "type": "array", "elements": { "type": "string", "one_of": [ "preserve", - "b3", - "gcp", - "b3-single", - "jaeger", "aws", "ot", "w3c", - "datadog" + "datadog", + "b3", + "gcp", + "b3-single", + "jaeger" ] }, - "description": "Header formats used to inject tracing context. 
The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", - "type": "array" + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests." } }, { "default_format": { "required": true, - "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", - "type": "string", "one_of": [ - "b3", - "gcp", - "b3-single", - "jaeger", "aws", "ot", "w3c", - "datadog" - ] + "datadog", + "b3", + "gcp", + "b3-single", + "jaeger" + ], + "type": "string", + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`." } } ], - "required": true, - "type": "record", "default": { "default_format": "b3" - } + }, + "required": true, + "type": "record" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file From f627877bed31fb126cf8d519c235e1cd5675056d Mon Sep 17 00:00:00 2001 
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Thu, 29 Aug 2024 09:58:02 -0700 Subject: [PATCH 075/165] download new schema that populates all the fields (#56) --- schemas/upstream-oauth/3.8.x.json | 567 ++++++++++++++++-------------- 1 file changed, 297 insertions(+), 270 deletions(-) diff --git a/schemas/upstream-oauth/3.8.x.json b/schemas/upstream-oauth/3.8.x.json index 01c90b25..e36b6a0a 100644 --- a/schemas/upstream-oauth/3.8.x.json +++ b/schemas/upstream-oauth/3.8.x.json @@ -1,24 +1,9 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - }, - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ @@ -28,7 +13,6 @@ "https" ] }, - "type": "set", "default": [ "grpc", "grpcs", 
@@ -40,340 +24,264 @@ }, { "config": { + "type": "record", "fields": [ { "client": { + "type": "record", "fields": [ { "auth_method": { - "required": true, "one_of": [ "client_secret_post", "client_secret_basic", "client_secret_jwt", "none" ], + "required": true, + "type": "string", "default": "client_secret_post", - "type": "string" + "description": "The authentication method used in client requests to the IdP. Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body." } }, { "client_secret_jwt_alg": { - "required": true, "one_of": [ "HS512", "HS256" ], + "required": true, + "type": "string", "default": "HS512", - "type": "string" + "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication." } }, { "http_version": { - "required": false, + "type": "number", + "description": "The HTTP version used for requests made by this plugin. Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", "default": 1.1, - "type": "number" + "required": false } }, { "http_proxy": { + "type": "string", "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "description": "The proxy to use when making HTTP requests to the IdP." } }, { "http_proxy_authorization": { + "type": "string", "required": false, - "type": "string" + "description": "The `Proxy-Authorization` header value to be used with `http_proxy`." } }, { "https_proxy": { + "type": "string", "required": false, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "description": "The proxy to use when making HTTPS requests to the IdP." 
} }, { "https_proxy_authorization": { + "type": "string", "required": false, - "type": "string" + "description": "The `Proxy-Authorization` header value to be used with `https_proxy`." } }, { "no_proxy": { + "type": "string", "required": false, - "type": "string" + "description": "A comma-separated list of hosts that should not be proxied." } }, { "timeout": { - "required": true, - "type": "integer", "between": [ 0, 2147483646 ], + "required": true, + "type": "integer", "default": 10000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "description": "Network I/O timeout for requests to the IdP in milliseconds." } }, { "keep_alive": { + "type": "boolean", "required": true, "default": true, - "type": "boolean" + "description": "Whether to use keepalive connections to the IdP." } }, { "ssl_verify": { + "type": "boolean", "required": false, "default": false, - "type": "boolean" + "description": "Whether to verify the certificate presented by the IdP when using HTTPS." } } ], - "required": true, - "type": "record" + "required": true } }, { "oauth": { + "type": "record", "fields": [ { "token_endpoint": { + "type": "string", "required": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "description": "The token endpoint URI." } }, { "token_headers": { + "type": "map", + "values": { + "referenceable": true, + "type": "string" + }, "keys": { "type": "string", "description": "A string representing an HTTP header name." }, - "values": { - "type": "string", - "referenceable": true - }, - "type": "map" + "description": "Extra headers to be passed in the token endpoint request." 
} }, { "token_post_args": { - "keys": { + "type": "map", + "values": { + "referenceable": true, "type": "string" }, - "values": { - "type": "string", - "referenceable": true + "keys": { + "type": "string" }, - "type": "map" + "description": "Extra post arguments to be passed in the token endpoint request." } }, { "grant_type": { - "required": true, "one_of": [ "client_credentials", "password" ], + "required": true, + "type": "string", "default": "client_credentials", - "type": "string" + "description": "The OAuth grant type to be used." } }, { "client_id": { + "encrypted": true, "required": false, + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "description": "The client ID for the application registration in the IdP." } }, { "client_secret": { + "encrypted": true, "required": false, + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "description": "The client secret for the application registration in the IdP." } }, { "username": { + "encrypted": true, "required": false, + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "description": "The username to use if `config.oauth.grant_type` is set to `password`." } }, { "password": { + "encrypted": true, "required": false, + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "description": "The password to use if `config.oauth.grant_type` is set to `password`." } }, { "scopes": { "required": false, - "default": [ - "openid" - ], + "type": "array", "elements": { "type": "string" }, - "type": "array" + "default": [ + "openid" + ], + "description": "List of scopes to request from the IdP when obtaining a new token." } }, { "audience": { "required": false, - "default": [ - - ], + "type": "array", "elements": { "type": "string" }, - "type": "array" + "default": [ + + ], + "description": "List of audiences passed to the IdP when obtaining a new token." 
} } ], - "required": true, - "type": "record" + "required": true } }, { "cache": { + "type": "record", "fields": [ { "strategy": { - "required": true, "one_of": [ "memory", "redis" ], + "required": true, + "type": "string", "default": "memory", - "type": "string" + "description": "The method Kong should use to cache tokens issued by the IdP." } }, { "memory": { + "type": "record", "fields": [ { "dictionary_name": { + "type": "string", "required": true, "default": "kong_db_cache", - "type": "string" + "description": "The shared dictionary used by the plugin to cache tokens if `config.cache.strategy` is set to `memory`." } } ], - "required": true, - "type": "record" + "required": true } }, { "redis": { "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "connection_is_proxied" - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - 
"connection_is_proxied" - ] - } - } - ], "type": "record", "fields": [ { 
@@ -384,263 +292,360 @@ }, { "port": { + "type": "integer", "between": [ 0, 65535 ], - "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { + "type": "integer", "between": [ 0, 2147483646 ], "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { + "type": "integer", "between": [ 0, 2147483646 ], "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { + "type": "integer", "between": [ 0, 2147483646 ], "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { + "type": "string", "referenceable": true, - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string" + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." } }, { "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." 
} }, { "sentinel_username": { + "type": "string", "referenceable": true, - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string" + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." } }, { "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." } }, { "database": { + "type": "integer", "default": 0, - "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "description": "Database to use for the Redis connection when using the `redis` strategy" } }, { "keepalive_pool_size": { + "type": "integer", "between": [ 1, 2147483646 ], "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer" + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. 
Try to increase (e.g. 512) this value if latency is high or throughput is low." } }, { "keepalive_backlog": { + "type": "integer", "between": [ 0, 2147483646 ], - "type": "integer", "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { + "type": "string", "one_of": [ "master", "slave", "any" ], - "type": "string", "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." } }, { "sentinel_nodes": { + "len_min": 1, "required": false, + "type": "array", "elements": { + "type": "record", "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", + "type": "string", "description": "A string representing a host name, such as example.com.", - "type": "string" + "default": "127.0.0.1", + "required": true } }, { "port": { + "type": "integer", "between": [ 0, 65535 ], "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "description": "An integer representing a port number between 0 and 65535, inclusive." 
} } - ], - "type": "record" + ] }, - "type": "array", - "len_min": 1, "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { + "len_min": 1, "required": false, + "type": "array", "elements": { + "type": "record", "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", + "type": "string", "description": "A string representing a host name, such as example.com.", - "type": "string" + "default": "127.0.0.1", + "required": true } }, { "port": { + "type": "integer", "between": [ 0, 65535 ], "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "description": "An integer representing a port number between 0 and 65535, inclusive." } } - ], - "type": "record" + ] }, - "type": "array", - "len_min": 1, "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { - "required": false, - "default": false, + "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean" + "default": false, + "required": false } }, { "ssl_verify": { - "required": false, - "default": false, + "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean" + "default": false, + "required": false } }, { "server_name": { + "type": "string", "required": false, - "description": "A string representing an SNI (server name indication) value for TLS.", - "type": "string" + "description": "A string representing an SNI (server name indication) value for TLS." } }, { "cluster_max_redirections": { - "required": false, - "default": 5, "type": "integer", - "description": "Maximum retry attempts for redirection." + "description": "Maximum retry attempts for redirection.", + "default": 5, + "required": false } }, { "connection_is_proxied": { - "required": false, - "default": false, + "type": "boolean", "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "type": "boolean" + "default": false, + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ], + "set2": [ + "cluster_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set1": [ + "cluster_nodes" + ], + "set2": [ + "host", + "port" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "then_field": "host", + "if_match": { + "eq": true + }, + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "field_sources": [ + "database", + "connection_is_proxied" + ], + "run_with_missing_fields": true + } + }, + { + "custom_entity_check": { + "field_sources": 
[ + "cluster_nodes", + "connection_is_proxied" + ], + "run_with_missing_fields": true + } + }, + { + "custom_entity_check": { + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ], + "run_with_missing_fields": true } } ], "shorthand_fields": [ { "timeout": { + "type": "integer", "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" }, "translate_backwards": [ "connect_timeout" - ], - "type": "integer" + ] } }, { "sentinel_addresses": { - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0" - }, - "type": "array", + "len_min": 1, "elements": { "type": "string" }, - "len_min": 1 + "deprecation": { + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "type": "array" } }, { "cluster_addresses": { - "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0" - }, - "type": "array", + "len_min": 1, "elements": { "type": "string" }, - "len_min": 1 + "deprecation": { + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "type": "array" } } ] 
@@ -648,93 +653,115 @@ }, { "eagerly_expire": { + "required": true, + "type": "integer", "gt": -1, "default": 5, - "required": true, - "type": "integer" + "description": "The number of seconds to eagerly expire a cached token. By default, a cached token expires 5 seconds before its lifetime as defined in `expires_in`." } }, { "default_ttl": { + "type": "number", "gt": 0, "default": 3600, - "type": "number" + "description": "The lifetime of a token without an explicit `expires_in` value." } } ], - "required": true, - "type": "record" + "required": true } }, { "behavior": { + "type": "record", "fields": [ { "upstream_access_token_header_name": { + "len_min": 0, "required": true, + "type": "string", "default": "Authorization", - "len_min": 0, - "type": "string" + "description": "The name of the header used to send the access token (obtained from the IdP) to the upstream service." } }, { "idp_error_response_status_code": { - "required": true, - "default": 502, "between": [ 500, 599 ], - "type": "integer" + "required": true, + "type": "integer", + "default": 502, + "description": "The response code to return to the consumer if Kong fails to obtain a token from the IdP." } }, { "idp_error_response_content_type": { + "len_min": 0, "required": true, + "type": "string", "default": "application/json; charset=utf-8", - "len_min": 0, - "type": "string" + "description": "The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP." } }, { "idp_error_response_message": { + "len_min": 0, "required": true, + "type": "string", "default": "Failed to authenticate request to upstream", - "len_min": 0, - "type": "string" + "description": "The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP." 
} }, { "idp_error_response_body_template": { + "len_min": 0, "required": true, + "type": "string", "default": "{ \"code\": \"{{status}}\", \"message\": \"{{message}}\" }", - "len_min": 0, - "type": "string" + "description": "The template to use to create the body of the response to return to the consumer if Kong fails to obtain a token from the IdP." } }, { "purge_token_on_upstream_status_codes": { - "default": [ - 401 - ], + "type": "array", "elements": { + "type": "integer", "between": [ 100, 599 - ], - "type": "integer" + ] }, - "type": "array" + "default": [ + 401 + ], + "description": "An array of status codes which will force an access token to be purged when returned by the upstream. An empty array will disable this functionality." } } ], - "required": true, - "type": "record" + "required": true } } ], - "required": true, - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] From 92f1dc0b6a2db555f9b4006fd1c2fc5ba2287496 Mon Sep 17 00:00:00 2001 From: Diana <75819066+cloudjumpercat@users.noreply.github.com> Date: Thu, 29 Aug 2024 15:05:20 -0500 Subject: [PATCH 076/165] Update the 3.8 example for AI Semantic Cache --- examples/ai-semantic-cache/_3.8.x.yaml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/examples/ai-semantic-cache/_3.8.x.yaml b/examples/ai-semantic-cache/_3.8.x.yaml index 76da1240..faa8bec5 100644 --- a/examples/ai-semantic-cache/_3.8.x.yaml +++ b/examples/ai-semantic-cache/_3.8.x.yaml @@ -1,10 +1,12 @@ name: ai-semantic-cache config: embeddings: - provider: openai - name: text-embedding-3-large + model: + provider: openai + name: text-embedding-3-large vectordb: - dimensions: 1024 - distance_metric: cosine strategy: redis - threshold: 0.1 \ No newline at end of file + dimensions: 3072 + threshold: 0.1 + distance_metric: cosine + redis: 
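Review bot: The new example ends on a bare `redis:` key (apparently under `vectordb`; indentation is lost on this page), which YAML reads as null, so the example selects `strategy: redis` without showing any connection settings. If readers are meant to fill this in, the example should show at least the address fields and give the credential as a vault reference rather than a literal, for instance `password: "{vault://<backend>/<secret-name>}"` (placeholder). The 3.8.x referenceable-fields list later on this page includes `config.vectordb.redis.password` for this plugin. The same applies to the embeddings provider: `provider: openai` is given with no `auth` block, and `config.embeddings.auth.header_value` is also listed as referenceable.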
From 72ef9e42f78451286fd1952946d1a833000e4c5d Mon Sep 17 00:00:00 2001 From: kong-docs <116832528+kong-docs@users.noreply.github.com> Date: Tue, 3 Sep 2024 22:30:47 +0200 Subject: [PATCH 077/165] Referenceable fields for 3.8.x (#61) Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- data/referenceable_fields/3.8.x.json | 123 ++++++++++++++++++++++++--- 1 file changed, 113 insertions(+), 10 deletions(-) diff --git a/data/referenceable_fields/3.8.x.json b/data/referenceable_fields/3.8.x.json index 0d023ee6..dfc72c2a 100644 --- a/data/referenceable_fields/3.8.x.json +++ b/data/referenceable_fields/3.8.x.json 
@@ -19,7 +19,36 @@ "config.auth.param_value", "config.auth.azure_client_id", "config.auth.azure_client_secret", - "config.auth.azure_tenant_id" + "config.auth.azure_tenant_id", + "config.auth.gcp_service_account_json", + "config.auth.aws_access_key_id", + "config.auth.aws_secret_access_key" + ], + "ai-proxy-advanced": [ + "config.embeddings.auth.header_name", + "config.embeddings.auth.header_value", + "config.embeddings.auth.param_name", + "config.embeddings.auth.param_value", + "config.embeddings.auth.azure_client_id", + "config.embeddings.auth.azure_client_secret", + "config.embeddings.auth.azure_tenant_id", + "config.embeddings.auth.gcp_service_account_json", + "config.embeddings.auth.aws_access_key_id", + "config.embeddings.auth.aws_secret_access_key", + "config.vectordb.redis.username", + "config.vectordb.redis.password", + "config.vectordb.redis.sentinel_username", + "config.vectordb.redis.sentinel_password", + "config.targets.auth.header_name", + "config.targets.auth.header_value", + "config.targets.auth.param_name", + "config.targets.auth.param_value", + "config.targets.auth.azure_client_id", + "config.targets.auth.azure_client_secret", + "config.targets.auth.azure_tenant_id", + "config.targets.auth.gcp_service_account_json", + "config.targets.auth.aws_access_key_id", + "config.targets.auth.aws_secret_access_key" ], "ai-rate-limiting-advanced": [ "config.redis.username", @@ -34,7 +63,10 @@ "config.llm.auth.param_value", "config.llm.auth.azure_client_id", "config.llm.auth.azure_client_secret", - "config.llm.auth.azure_tenant_id" + "config.llm.auth.azure_tenant_id", + "config.llm.auth.gcp_service_account_json", + "config.llm.auth.aws_access_key_id", + "config.llm.auth.aws_secret_access_key" ], "ai-response-transformer": [ "config.llm.auth.header_name", 
@@ -43,7 +75,42 @@ "config.llm.auth.param_value", "config.llm.auth.azure_client_id", "config.llm.auth.azure_client_secret", - "config.llm.auth.azure_tenant_id" + "config.llm.auth.azure_tenant_id", + "config.llm.auth.gcp_service_account_json", + "config.llm.auth.aws_access_key_id", + "config.llm.auth.aws_secret_access_key" + ], + "ai-semantic-cache": [ + "config.embeddings.auth.header_name", + "config.embeddings.auth.header_value", + "config.embeddings.auth.param_name", + "config.embeddings.auth.param_value", + "config.embeddings.auth.azure_client_id", + "config.embeddings.auth.azure_client_secret", + "config.embeddings.auth.azure_tenant_id", + "config.embeddings.auth.gcp_service_account_json", + "config.embeddings.auth.aws_access_key_id", + "config.embeddings.auth.aws_secret_access_key", + "config.vectordb.redis.username", + "config.vectordb.redis.password", + "config.vectordb.redis.sentinel_username", + "config.vectordb.redis.sentinel_password" + ], + "ai-semantic-prompt-guard": [ + "config.embeddings.auth.header_name", + "config.embeddings.auth.header_value", + "config.embeddings.auth.param_name", + "config.embeddings.auth.param_value", + "config.embeddings.auth.azure_client_id", + "config.embeddings.auth.azure_client_secret", + "config.embeddings.auth.azure_tenant_id", + "config.embeddings.auth.gcp_service_account_json", + "config.embeddings.auth.aws_access_key_id", + "config.embeddings.auth.aws_secret_access_key", + "config.vectordb.redis.username", + "config.vectordb.redis.password", + "config.vectordb.redis.sentinel_username", + "config.vectordb.redis.sentinel_password" ], "aws-lambda": [ "config.aws_key", @@ -54,6 +121,12 @@ "config.apikey", "config.clientid" ], + "confluent": [ + "config.cluster_api_key", + "config.cluster_api_secret", + "config.confluent_cloud_api_key", + "config.confluent_cloud_api_secret" + ], "datadog": [ "config.host" ], 
@@ -116,8 +189,14 @@ "config.v2_strategies.openid_connect.config.scopes", "config.v2_strategies.openid_connect.config.introspection_headers_values", "config.v2_strategies.openid_connect.config.session_secret", - "config.v2_strategies.openid_connect.config.session_redis_username", - "config.v2_strategies.openid_connect.config.session_redis_password" + "config.v2_strategies.openid_connect.config.redis.username", + "config.v2_strategies.openid_connect.config.redis.password", + "config.v2_strategies.openid_connect.config.redis.sentinel_username", + "config.v2_strategies.openid_connect.config.redis.sentinel_password", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.username", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.password", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.sentinel_username", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.sentinel_password" ], "ldap-auth-advanced": [ "config.ldap_password", @@ -147,11 +226,18 @@ "config.scopes", "config.introspection_headers_values", "config.session_secret", - "config.session_redis_username", - "config.session_redis_password" + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password", + "config.cluster_cache_redis.username", + "config.cluster_cache_redis.password", + "config.cluster_cache_redis.sentinel_username", + "config.cluster_cache_redis.sentinel_password" ], "opentelemetry": [ - "config.endpoint", + "config.traces_endpoint", + "config.logs_endpoint", "config.headers" ], "proxy-cache-advanced": [ 
@@ -194,10 +280,27 @@ "config.request_signing_key", "config.request_signing_certificate", "config.session_secret", - "config.session_redis_username", - "config.session_redis_password" + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" ], "session": [ "config.secret" + ], + "standard-webhooks": [ + "config.secret_v1" + ], + "upstream-oauth": [ + "config.oauth.token_headers", + "config.oauth.token_post_args", + "config.oauth.client_id", + "config.oauth.client_secret", + "config.oauth.username", + "config.oauth.password", + "config.cache.redis.username", + "config.cache.redis.password", + "config.cache.redis.sentinel_username", + "config.cache.redis.sentinel_password" ] } \ No newline at end of file From 7e436a86f223515d80923411ed9c76352004586e Mon Sep 17 00:00:00 2001 
From: kong-docs <116832528+kong-docs@users.noreply.github.com> Date: Tue, 3 Sep 2024 22:31:01 +0200 Subject: [PATCH 078/165] Download Schemas for 3.8.x (#62) Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- schemas/acl/3.8.x.json | 64 +- schemas/acme/3.8.x.json | 390 +- schemas/ai-azure-content-safety/3.8.x.json | 84 +- schemas/ai-prompt-decorator/3.8.x.json | 68 +- schemas/ai-prompt-guard/3.8.x.json | 86 +- schemas/ai-prompt-template/3.8.x.json | 48 +- schemas/ai-proxy-advanced/3.8.x.json | 924 ++-- schemas/ai-proxy/3.8.x.json | 312 +- schemas/ai-rate-limiting-advanced/3.8.x.json | 489 +- schemas/ai-request-transformer/3.8.x.json | 378 +- schemas/ai-response-transformer/3.8.x.json | 382 +- schemas/ai-semantic-cache/3.8.x.json | 541 +-- schemas/ai-semantic-prompt-guard/3.8.x.json | 561 +-- schemas/app-dynamics/3.8.x.json | 16 +- schemas/aws-lambda/3.8.x.json | 160 +- schemas/azure-functions/3.8.x.json | 64 +- schemas/basic-auth/3.8.x.json | 28 +- schemas/bot-detection/3.8.x.json | 34 +- schemas/canary/3.8.x.json | 142 +- schemas/confluent/3.8.x.json | 118 +- schemas/correlation-id/3.8.x.json | 30 +- schemas/cors/3.8.x.json | 62 +- schemas/datadog/3.8.x.json | 182 +- schemas/degraphql/3.8.x.json | 26 +- schemas/exit-transformer/3.8.x.json | 28 +- schemas/file-log/3.8.x.json | 40 +- schemas/forward-proxy/3.8.x.json | 120 +- .../graphql-proxy-cache-advanced/3.8.x.json | 417 +- .../graphql-rate-limiting-advanced/3.8.x.json | 463 +- schemas/grpc-gateway/3.8.x.json | 26 +- schemas/grpc-web/3.8.x.json | 36 +- schemas/header-cert-auth/3.8.x.json | 106 +- schemas/hmac-auth/3.8.x.json | 76 +- schemas/http-log/3.8.x.json | 130 +- schemas/ip-restriction/3.8.x.json | 54 +- schemas/jq/3.8.x.json | 114 +- schemas/json-threat-protection/3.8.x.json | 84 +- schemas/jwe-decrypt/3.8.x.json | 40 +- schemas/jwt-signer/3.8.x.json | 464 +- schemas/jwt/3.8.x.json | 98 +- schemas/kafka-log/3.8.x.json | 124 +- schemas/kafka-upstream/3.8.x.json | 130 +- 
schemas/key-auth-enc/3.8.x.json | 56 +- schemas/key-auth/3.8.x.json | 60 +- schemas/konnect-application-auth/3.8.x.json | 2046 ++++----- schemas/ldap-auth-advanced/3.8.x.json | 138 +- schemas/ldap-auth/3.8.x.json | 86 +- schemas/loggly/3.8.x.json | 78 +- schemas/mocking/3.8.x.json | 72 +- schemas/mtls-auth/3.8.x.json | 90 +- schemas/oas-validation/3.8.x.json | 106 +- schemas/oauth2-introspection/3.8.x.json | 80 +- schemas/oauth2/3.8.x.json | 104 +- schemas/opa/3.8.x.json | 64 +- schemas/openid-connect/3.8.x.json | 3966 +++++++++-------- schemas/opentelemetry/3.8.x.json | 216 +- schemas/post-function/3.8.x.json | 130 +- schemas/pre-function/3.8.x.json | 130 +- schemas/prometheus/3.8.x.json | 46 +- schemas/proxy-cache-advanced/3.8.x.json | 473 +- schemas/proxy-cache/3.8.x.json | 92 +- schemas/rate-limiting-advanced/3.8.x.json | 481 +- schemas/rate-limiting/3.8.x.json | 580 +-- schemas/request-size-limiting/3.8.x.json | 32 +- schemas/request-termination/3.8.x.json | 30 +- .../request-transformer-advanced/3.8.x.json | 122 +- schemas/request-transformer/3.8.x.json | 134 +- schemas/request-validator/3.8.x.json | 88 +- schemas/response-ratelimiting/3.8.x.json | 336 +- .../response-transformer-advanced/3.8.x.json | 134 +- schemas/response-transformer/3.8.x.json | 106 +- schemas/route-by-header/3.8.x.json | 30 +- schemas/route-transformer-advanced/3.8.x.json | 16 +- schemas/saml/3.8.x.json | 1699 +++---- schemas/session/3.8.x.json | 118 +- schemas/standard-webhooks/3.8.x.json | 28 +- schemas/statsd-advanced/3.8.x.json | 180 +- schemas/statsd/3.8.x.json | 226 +- schemas/syslog/3.8.x.json | 60 +- schemas/tcp-log/3.8.x.json | 52 +- schemas/tls-handshake-modifier/3.8.x.json | 26 +- schemas/tls-metadata-headers/3.8.x.json | 54 +- schemas/udp-log/3.8.x.json | 38 +- schemas/upstream-oauth/3.8.x.json | 419 +- schemas/upstream-timeout/3.8.x.json | 34 +- schemas/vault-auth/3.8.x.json | 54 +- schemas/websocket-size-limit/3.8.x.json | 26 +- schemas/websocket-validator/3.8.x.json | 94 
+- schemas/xml-threat-protection/3.8.x.json | 210 +- schemas/zipkin/3.8.x.json | 218 +- 90 files changed, 11118 insertions(+), 10279 deletions(-) diff --git a/schemas/acl/3.8.x.json b/schemas/acl/3.8.x.json index f0f2fd1a..8ed6b9be 100644 --- a/schemas/acl/3.8.x.json +++ b/schemas/acl/3.8.x.json @@ -1,37 +1,24 @@ { - "entity_checks": [ - { - "only_one_of": [ - "config.allow", - "config.deny" - ] - }, - { - "at_least_one_of": [ - "config.allow", - "config.deny" - ] - } - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -48,8 +35,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
@@ -58,48 +44,62 @@ { "allow": { "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "deny": { "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "hide_groups_header": { - "required": true, - "default": false, + "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", "type": "boolean", - "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service." + "required": true, + "default": false } }, { "include_consumer_groups": { "required": false, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "always_use_authenticated_groups": { - "required": true, - "default": false, + "description": "If enabled (`true`), the authenticated groups will always be used even when an authenticated consumer already exists. If the authenticated groups don't exist, it will fallback to use the groups associated with the consumer. By default the authenticated groups will only be used when there is no consumer or the consumer is anonymous.", "type": "boolean", - "description": "If enabled (`true`), the authenticated groups will always be used even when an authenticated consumer already exists. If the authenticated groups don't exist, it will fallback to use the groups associated with the consumer. By default the authenticated groups will only be used when there is no consumer or the consumer is anonymous." 
+ "required": true, + "default": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "only_one_of": [ + "config.allow", + "config.deny" + ] + }, + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } ] } \ No newline at end of file diff --git a/schemas/acme/3.8.x.json b/schemas/acme/3.8.x.json index 411e23d6..23cd4280 100644 --- a/schemas/acme/3.8.x.json +++ b/schemas/acme/3.8.x.json 
@@ -1,88 +1,40 @@ { - "entity_checks": [ - { - "conditional": { - "then_match": { - "eq": true - }, - "then_field": "config.tos_accepted", - "if_match": { - "one_of": [ - "https://acme-v02.api.letsencrypt.org", - "https://acme-staging-v02.api.letsencrypt.org" - ] - }, - "if_field": "config.api_uri", - "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/" - } - }, - { - "conditional": { - "then_field": "config.storage_config.redis.host", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.storage" - } - }, - { - "conditional": { - "then_field": "config.storage_config.redis.port", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.storage" - } - }, - { - "custom_entity_check": { - "field_sources": [ - "config.storage" - ] - } - } - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "service": { - "type": "foreign", "reference": "services", "eq": null, + "type": "foreign", "description": "A reference to the 'services' table with a null value allowed." } }, { "route": { - "type": "foreign", "reference": "routes", "eq": null, + "type": "foreign", "description": "A reference to the 'routes' table with a null value allowed." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -99,8 +51,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
@@ -108,24 +59,25 @@ "fields": [ { "account_email": { + "description": "The account identifier. Can be reused in a different plugin instance.", "required": true, - "referenceable": true, "match": "%w*%p*@+%w*%.?%w*", "type": "string", - "encrypted": true, - "description": "The account identifier. Can be reused in a different plugin instance." + "referenceable": true, + "encrypted": true } }, { "account_key": { - "required": false, + "description": "The private key associated with the account.", "type": "record", + "required": false, "fields": [ { "key_id": { - "required": true, "description": "The Key ID.", - "type": "string" + "type": "string", + "required": true } }, { 
@@ -134,109 +86,109 @@ "type": "string" } } - ], - "description": "The private key associated with the account." + ] } }, { "api_uri": { - "default": "https://acme-v02.api.letsencrypt.org/directory", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "default": "https://acme-v02.api.letsencrypt.org/directory" } }, { "tos_accepted": { - "default": false, "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "eab_kid": { + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", "type": "string", - "referenceable": true, "encrypted": true, - "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA." + "referenceable": true } }, { "eab_hmac_key": { + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", "type": "string", - "referenceable": true, "encrypted": true, - "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA." + "referenceable": true } }, { "cert_type": { + "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate.", "type": "string", "default": "rsa", "one_of": [ "rsa", "ecc" - ], - "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate." + ] } }, { "rsa_key_size": { + "description": "RSA private key size for the certificate. 
The possible values are 2048, 3072, or 4096.", "type": "number", "default": 4096, "one_of": [ 2048, 3072, 4096 - ], - "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096." + ] } }, { "renew_threshold_days": { - "default": 14, + "description": "Days remaining to renew the certificate before it expires.", "type": "number", - "description": "Days remaining to renew the certificate before it expires." + "default": 14 } }, { "domains": { + "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", "type": "array", "elements": { + "type": "string", "match_all": [ { "pattern": "^[^*]*%*?[^*]*$", "err": "invalid wildcard: must have at most one wildcard" } ], - "type": "string", "match_any": { - "err": "invalid wildcard: must be placed at leftmost or rightmost label", "patterns": [ "^%*%.", "%.%*$", "^[^*]*$" - ] + ], + "err": "invalid wildcard: must be placed at leftmost or rightmost label" } - }, - "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')" + } } }, { "allow_any_domain": { - "default": false, + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", "type": "boolean", - "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list." + "default": false } }, { "fail_backoff_minutes": { - "default": 5, + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", "type": "number", - "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate." 
+ "default": 5 } }, { "storage": { + "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well.", "type": "string", "default": "shm", "one_of": [ @@ -245,8 +197,7 @@ "redis", "consul", "vault" - ], - "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well." + ] } }, { @@ -257,14 +208,14 @@ "fields": [ { "shm_name": { - "default": "kong", + "description": "Name of shared memory zone used for Kong API gateway storage", "type": "string", - "description": "Name of shared memory zone used for Kong API gateway storage" + "default": "kong" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -272,8 +223,8 @@ "fields": [ ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
@@ -281,161 +232,191 @@ "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } }, { "timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "username": { - "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "referenceable": true } }, { "password": { - "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "len_min": 0, "type": "string", - "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." 
+ "referenceable": true, + "encrypted": true } }, { "database": { - "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "default": 0 } }, { "ssl": { - "required": false, - "default": false, + "description": "If set to true, uses SSL to connect to Redis.", "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis." + "required": false, + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "required": false, + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } }, { "extra_options": { + "description": "Custom ACME Redis options", + "type": "record", "fields": [ { "namespace": { + "description": "A namespace to prepend to all keys stored in Redis.", "required": true, "type": "string", - "default": "", "len_min": 0, - "description": "A namespace to prepend to all keys stored in Redis." 
+ "default": "" } }, { "scan_count": { - "required": false, - "default": 10, "description": "The number of keys to return in Redis SCAN calls.", - "type": "number" + "type": "number", + "required": false, + "default": 10 } } ], - "description": "Custom ACME Redis options", - "required": true, - "type": "record" + "required": true } } ], - "required": true, + "type": "record", "shorthand_fields": [ { "auth": { - "deprecation": { - "message": "acme: config.storage_config.redis.auth is deprecated, please use config.storage_config.redis.password instead", - "removal_in_version": "4.0" - }, "len_min": 0, + "type": "string", "translate_backwards": [ "password" ], - "type": "string" + "deprecation": { + "replaced_with": [ + { + "path": [ + "password" + ] + } + ], + "message": "acme: config.storage_config.redis.auth is deprecated, please use config.storage_config.redis.password instead", + "removal_in_version": "4.0" + } } }, { "ssl_server_name": { - "deprecation": { - "message": "acme: config.storage_config.redis.ssl_server_name is deprecated, please use config.storage_config.redis.server_name instead", - "removal_in_version": "4.0" - }, + "type": "string", "translate_backwards": [ "server_name" ], - "type": "string" + "deprecation": { + "replaced_with": [ + { + "path": [ + "server_name" + ] + } + ], + "message": "acme: config.storage_config.redis.ssl_server_name is deprecated, please use config.storage_config.redis.server_name instead", + "removal_in_version": "4.0" + } } }, { "namespace": { - "deprecation": { - "message": "acme: config.storage_config.redis.namespace is deprecated, please use config.storage_config.redis.extra_options.namespace instead", - "removal_in_version": "4.0" - }, "len_min": 0, + "type": "string", "translate_backwards": [ "extra_options", "namespace" ], - "type": "string" + "deprecation": { + "replaced_with": [ + { + "path": [ + "extra_options", + "namespace" + ] + } + ], + "message": "acme: config.storage_config.redis.namespace is deprecated, 
please use config.storage_config.redis.extra_options.namespace instead", + "removal_in_version": "4.0" + } } }, { "scan_count": { - "deprecation": { - "message": "acme: config.storage_config.redis.scan_count is deprecated, please use config.storage_config.redis.extra_options.scan_count instead", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "extra_options", "scan_count" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + "extra_options", + "scan_count" + ] + } + ], + "message": "acme: config.storage_config.redis.scan_count is deprecated, please use config.storage_config.redis.extra_options.scan_count instead", + "removal_in_version": "4.0" + } } } ], - "type": "record" + "required": true } }, { @@ -443,25 +424,25 @@ "fields": [ { "https": { - "default": false, "description": "Boolean representation of https.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { @@ -478,14 +459,14 @@ }, { "token": { - "referenceable": true, "description": "Consul ACL token.", - "type": "string" + "type": "string", + "referenceable": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
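Review bot: `ssl_verify` in the Redis storage record keeps `"default": false`, so setting `ssl: true` on its own encrypts the connection without authenticating the Redis server, and the description does not say so. A sentence such as `When false, the server certificate is not checked even if ssl is true.` would make the default visible to readers. The same hunk marks `password` as `referenceable` and `encrypted`, so the credential is protected in the config while still being sent to a peer whose certificate was never validated. This file is downloaded, so the wording change presumably belongs in the upstream schema.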
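Review bot: The `token` field in hunk `@@ -478,14 +459,14 @@` is `"referenceable": true` but has no `"encrypted": true`, unlike `password`, `eab_kid`, `eab_hmac_key` and `account_email` elsewhere in this schema, so a token written literally into the plugin config presumably does not get the at-rest protection those fields get. The `token` in hunk `@@ -528,16 +509,16 @@` has the same gap, and its description still reads `Consul ACL token.` although that record (it also carries `tls_verify` and `auth_method`) looks like the Vault storage block; `Vault token.` would fit. Both record names fall outside the hunks, so the Consul/Vault attribution is inferred from the field sets.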
@@ -493,25 +474,25 @@ "fields": [ { "https": { - "default": false, "description": "Boolean representation of https.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { @@ -528,16 +509,16 @@ }, { "token": { - "referenceable": true, "description": "Consul ACL token.", - "type": "string" + "type": "string", + "referenceable": true } }, { "tls_verify": { - "default": true, "description": "Turn on TLS verification.", - "type": "boolean" + "type": "boolean", + "default": true } }, { @@ -549,12 +530,12 @@ { "auth_method": { "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", + "type": "string", "default": "token", "one_of": [ "token", "kubernetes" - ], - "type": "string" + ] } }, { 
@@ -576,31 +557,80 @@ } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "preferred_chain": { - "type": "string", - "description": "A string value that specifies the preferred certificate chain to use when generating certificates." + "description": "A string value that specifies the preferred certificate chain to use when generating certificates.", + "type": "string" } }, { "enable_ipv4_common_name": { - "default": true, + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", "type": "boolean", - "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates." + "default": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "config.tos_accepted", + "if_field": "config.api_uri", + "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", + "if_match": { + "one_of": [ + "https://acme-v02.api.letsencrypt.org", + "https://acme-staging-v02.api.letsencrypt.org" + ] + }, + "then_match": { + "eq": true + } + } + }, + { + "conditional": { + "if_field": "config.storage", + "if_match": { + "eq": "redis" + }, + "then_field": "config.storage_config.redis.host", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.storage", + "if_match": { + "eq": "redis" + }, + "then_field": "config.storage_config.redis.port", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.storage" + ] } } ] diff --git a/schemas/ai-azure-content-safety/3.8.x.json b/schemas/ai-azure-content-safety/3.8.x.json index 8aaf5b9e..8b87214a 100644 --- a/schemas/ai-azure-content-safety/3.8.x.json 
+++ b/schemas/ai-azure-content-safety/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,23 +19,22 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -46,131 +43,134 @@ "fields": [ { "content_safety_url": { - "required": true, - "referenceable": true, "description": "Full URL, inc protocol, of the Azure Content Safety instance.", - "type": "string" + "required": true, + "type": "string", + "referenceable": true } }, { "azure_api_version": { + "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format.", "required": true, - "len_min": 1, - "default": "2023-10-01", "type": "string", - "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format." + "len_min": 1, + "default": "2023-10-01" } }, { "azure_use_managed_identity": { - "default": false, + "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity", "type": "boolean", - "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity" + "default": false } }, { "azure_client_id": { - "required": false, "description": "If `azure_use_managed_identity` is true, set the client ID if required.", - "type": "string" + "type": "string", + "required": false } }, { "azure_client_secret": { - "required": false, "description": "If `azure_use_managed_identity` is true, set the client secret if required.", - "type": "string" + "type": "string", + "required": false } }, { "azure_tenant_id": { - "required": false, "description": "If `azure_use_managed_identity` is true, set the tenant ID if required.", - "type": "string" + "type": "string", + "required": false } }, { "content_safety_key": { + "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "If `azure_use_managed_identity` is true, set the API 
key to call Content Safety." + "referenceable": true } }, { "text_source": { + "description": "Select where to pick the 'text' for the Azure Content Services request.", "type": "string", "default": "concatenate_all_content", "one_of": [ "concatenate_all_content", "concatenate_user_content" - ], - "description": "Select where to pick the 'text' for the Azure Content Services request." + ] } }, { "categories": { + "description": "Array of categories, and their thresholds, to measure on.", "type": "array", "elements": { - "required": true, "fields": [ { "name": { - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "rejection_level": { - "required": true, - "type": "integer" + "type": "integer", + "required": true } } ], + "required": true, "type": "record" - }, - "description": "Array of categories, and their thresholds, to measure on." + } } }, { "reveal_failure_reason": { - "default": true, "description": "Set true to tell the caller why their request was rejected, if so.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "output_type": { + "description": "See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter#content-filtering-categories", "type": "string", "default": "FourSeverityLevels", "one_of": [ "FourSeverityLevels", "EightSeverityLevels" - ], - "description": "See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter#content-filtering-categories" + ] } }, { "blocklist_names": { "description": "Use these configured blocklists (in Azure Content Services) when inspecting content.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "halt_on_blocklist_hit": { - "default": true, "description": "Tells Azure to reject the request if any blocklist filter is hit.", - "type": "boolean" + "type": "boolean", + "default": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + 
"entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/ai-prompt-decorator/3.8.x.json b/schemas/ai-prompt-decorator/3.8.x.json index 8feb59df..5465e8bc 100644 --- a/schemas/ai-prompt-decorator/3.8.x.json +++ b/schemas/ai-prompt-decorator/3.8.x.json @@ -1,15 +1,8 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.prompts.prepend", - "config.prompts.append" - ] - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -26,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
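Review bot: `azure_client_secret` in the `@@ -46,131 +43,134 @@` hunk of `schemas/ai-azure-content-safety/3.8.x.json` is declared with only `description`, `type` and `required`, so unlike `content_safety_key` a few fields below it carries neither `"encrypted": true` nor `"referenceable": true`. The same field in `schemas/ai-proxy-advanced/3.8.x.json` has both attributes, so this looks like an omission rather than a deliberate choice; as published, the client secret presumably cannot be supplied as a vault reference and is not marked for encryption at rest. If this file is pulled from the API as the commit description says, the fix belongs in the plugin's own schema: add `"referenceable": true, "encrypted": true` to `azure_client_secret`, and consider `"referenceable": true` on `azure_client_id` and `azure_tenant_id` to match ai-proxy-advanced. Separately, the `content_safety_key` description says to set the API key when `azure_use_managed_identity` is true, which reads inverted and is worth confirming.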
@@ -35,92 +27,100 @@ "fields": [ { "prompts": { - "required": false, "fields": [ { "prepend": { + "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages.", "required": false, + "len_max": 15, "elements": { - "required": false, "fields": [ { "role": { - "required": true, "default": "system", + "type": "string", + "required": true, "one_of": [ "system", "assistant", "user" - ], - "type": "string" + ] } }, { "content": { - "required": true, + "len_min": 1, "type": "string", "len_max": 500, - "len_min": 1 + "required": true } } ], + "required": false, "type": "record" }, - "type": "array", - "len_max": 15, - "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages." + "type": "array" } }, { "append": { + "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages.", "required": false, + "len_max": 15, "elements": { - "required": false, "fields": [ { "role": { - "required": true, "default": "system", + "type": "string", + "required": true, "one_of": [ "system", "assistant", "user" - ], - "type": "string" + ] } }, { "content": { - "required": true, + "len_min": 1, "type": "string", "len_max": 500, - "len_min": 1 + "required": true } } ], + "required": false, "type": "record" }, - "type": "array", - "len_max": 15, - "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages." 
+ "type": "array" } } ], + "required": false, "type": "record" } }, { "max_request_body_size": { - "gt": 0, - "default": 8192, + "description": "max allowed body size allowed to be introspected", "type": "integer", - "description": "max allowed body size allowed to be introspected" + "gt": 0, + "default": 8192 } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.prompts.prepend", + "config.prompts.append" + ] + } ] } \ No newline at end of file diff --git a/schemas/ai-prompt-guard/3.8.x.json b/schemas/ai-prompt-guard/3.8.x.json index a25b0ad5..83d1ea42 100644 --- a/schemas/ai-prompt-guard/3.8.x.json +++ b/schemas/ai-prompt-guard/3.8.x.json @@ -1,27 +1,8 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.allow_patterns", - "config.deny_patterns" - ] - }, - { - "conditional": { - "then_field": "config.allow_all_conversation_history", - "if_match": { - "eq": true - }, - "then_match": { - "eq": false - }, - "if_field": "config.match_all_roles" - } - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -38,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
@@ -47,57 +27,77 @@ "fields": [ { "allow_patterns": { + "description": "Array of valid regex patterns, or valid questions from the 'user' role in chat.", "required": false, + "len_max": 10, "elements": { + "len_min": 1, "len_max": 500, - "type": "string", - "len_min": 1 + "type": "string" }, - "type": "array", - "len_max": 10, - "description": "Array of valid regex patterns, or valid questions from the 'user' role in chat." + "type": "array" } }, { "deny_patterns": { + "description": "Array of invalid regex patterns, or invalid questions from the 'user' role in chat.", "required": false, + "len_max": 10, "elements": { + "len_min": 1, "len_max": 500, - "type": "string", - "len_min": 1 + "type": "string" }, - "type": "array", - "len_max": 10, - "description": "Array of invalid regex patterns, or invalid questions from the 'user' role in chat." + "type": "array" } }, { "allow_all_conversation_history": { - "required": true, - "default": false, + "description": "If true, will ignore all previous chat prompts from the conversation history.", "type": "boolean", - "description": "If true, will ignore all previous chat prompts from the conversation history." + "required": true, + "default": false } }, { "max_request_body_size": { - "gt": 0, - "default": 8192, + "description": "max allowed body size allowed to be introspected", "type": "integer", - "description": "max allowed body size allowed to be introspected" + "gt": 0, + "default": 8192 } }, { "match_all_roles": { - "required": true, - "default": false, + "description": "If true, will match all roles in addition to 'user' role in conversation history.", "type": "boolean", - "description": "If true, will match all roles in addition to 'user' role in conversation history." 
+ "required": true, + "default": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow_patterns", + "config.deny_patterns" + ] + }, + { + "conditional": { + "if_field": "config.match_all_roles", + "if_match": { + "eq": true + }, + "then_field": "config.allow_all_conversation_history", + "then_match": { + "eq": false + } } } ] diff --git a/schemas/ai-prompt-template/3.8.x.json b/schemas/ai-prompt-template/3.8.x.json index 3ca73289..6c8f6ed5 100644 --- a/schemas/ai-prompt-template/3.8.x.json +++ b/schemas/ai-prompt-template/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
@@ -30,59 +27,62 @@ "fields": [ { "templates": { - "required": true, + "description": "Array of templates available to the request context.", "type": "array", + "required": true, "elements": { - "required": true, "fields": [ { "name": { - "required": true, + "description": "Unique name for the template, can be called with `{template://NAME}`", "type": "string", - "description": "Unique name for the template, can be called with `{template://NAME}`" + "required": true } }, { "template": { - "required": true, + "description": "Template string for this request, supports mustache-style `{{placeholders}}`", "type": "string", - "description": "Template string for this request, supports mustache-style `{{placeholders}}`" + "required": true } } ], + "required": true, "type": "record" - }, - "description": "Array of templates available to the request context." + } } }, { "allow_untemplated_requests": { - "required": true, - "default": true, + "description": "Set true to allow requests that don't call or match any template.", "type": "boolean", - "description": "Set true to allow requests that don't call or match any template." + "required": true, + "default": true } }, { "log_original_request": { - "required": true, - "default": false, + "description": "Set true to add the original request to the Kong log plugin(s) output.", "type": "boolean", - "description": "Set true to add the original request to the Kong log plugin(s) output." + "required": true, + "default": false } }, { "max_request_body_size": { - "gt": 0, - "default": 8192, + "description": "max allowed body size allowed to be introspected", "type": "integer", - "description": "max allowed body size allowed to be introspected" + "gt": 0, + "default": 8192 } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
diff --git a/schemas/ai-proxy-advanced/3.8.x.json b/schemas/ai-proxy-advanced/3.8.x.json index f3bdf316..7be23c4c 100644 --- a/schemas/ai-proxy-advanced/3.8.x.json +++ b/schemas/ai-proxy-advanced/3.8.x.json @@ -1,24 +1,8 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.targets" - ] - } - }, - { - "custom_entity_check": { - "field_sources": [ - "config.targets", - "config.balancer" - ] - } - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -35,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { @@ -44,10 +27,10 @@ "fields": [ { "balancer": { - "required": true, "fields": [ { "algorithm": { + "description": "Which load balancing algorithm to use.", "type": "string", "default": "round-robin", "one_of": [ 
@@ -56,420 +39,320 @@ "lowest-usage", "consistent-hashing", "semantic" - ], - "description": "Which load balancing algorithm to use." + ] } }, { "tokens_count_strategy": { + "description": "What tokens to use for usage calculation. Available values are: `total_tokens` `prompt_tokens`, and `completion_tokens`.", "type": "string", "default": "total-tokens", "one_of": [ "total-tokens", "prompt-tokens", "completion-tokens" - ], - "description": "What tokens to use for usage calculation. Available values are: `total_tokens` `prompt_tokens`, and `completion_tokens`." + ] } }, { "latency_strategy": { + "description": "What metrics to use for latency. Available values are: `tpot` (time-per-output-token) and `e2e`.", "type": "string", "default": "tpot", "one_of": [ "tpot", "e2e" - ], - "description": "What metrics to use for latency. Available values are: `tpot` (time-per-output-token) and `e2e`." + ] } }, { "hash_on_header": { - "default": "X-Kong-LLM-Request-ID", + "description": "The header to use for consistent-hashing.", "type": "string", - "description": "The header to use for consistent-hashing." + "default": "X-Kong-LLM-Request-ID" } }, { "slots": { + "description": "The number of slots in the load balancer algorithm.", + "type": "integer", "between": [ 10, 65536 ], - "default": 10000, - "type": "integer", - "description": "The number of slots in the load balancer algorithm." + "default": 10000 } }, { "retries": { + "description": "The number of retries to execute upon failure to proxy.", + "type": "integer", "between": [ 0, 32767 ], - "default": 5, - "type": "integer", - "description": "The number of retries to execute upon failure to proxy." 
+ "default": 5 } }, { "connect_timeout": { + "type": "integer", "between": [ 1, 2147483646 ], - "default": 60000, - "type": "integer" + "default": 60000 } }, { "write_timeout": { + "type": "integer", "between": [ 1, 2147483646 ], - "default": 60000, - "type": "integer" + "default": 60000 } }, { "read_timeout": { + "type": "integer", "between": [ 1, 2147483646 ], - "default": 60000, - "type": "integer" + "default": 60000 } } ], + "required": true, "type": "record" } }, { "embeddings": { - "required": false, "fields": [ { "auth": { - "required": false, "fields": [ { "header_name": { - "required": false, - "referenceable": true, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "type": "string", - "description": "If AI model requires authentication via Authorization or API key header, specify its name here." + "required": false, + "referenceable": true } }, { "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." + "referenceable": true, + "encrypted": true } }, { "param_name": { - "required": false, - "referenceable": true, + "description": "If AI model requires authentication via query parameter, specify its name here.", "type": "string", - "description": "If AI model requires authentication via query parameter, specify its name here." + "required": false, + "referenceable": true } }, { "param_value": { + "description": "Specify the full parameter value for 'param_name'.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Specify the full parameter value for 'param_name'." 
+ "referenceable": true, + "encrypted": true } }, { "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "required": false, "one_of": [ "query", "body" - ], - "type": "string", - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body." + ] } }, { "azure_use_managed_identity": { - "required": false, - "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "type": "boolean", - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models." + "required": false, + "default": false } }, { "azure_client_id": { - "required": false, - "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "type": "string", - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID." + "required": false, + "referenceable": true } }, { "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." 
+ "referenceable": true, + "encrypted": true } }, { "azure_tenant_id": { - "required": false, - "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "type": "string", - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID." + "required": false, + "referenceable": true } }, { "gcp_use_service_account": { - "required": false, - "default": false, + "description": "Use service account auth for GCP-based providers and models.", "type": "boolean", - "description": "Use service account auth for GCP-based providers and models." + "required": false, + "default": false } }, { "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`." + "referenceable": true, + "encrypted": true } }, { "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance." + "referenceable": true, + "encrypted": true } }, { "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance." + "referenceable": true, + "encrypted": true } }, { "allow_override": { - "required": false, - "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "type": "boolean", - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin." + "required": false, + "default": false } } ], + "required": false, "type": "record" } }, { "model": { - "required": true, "fields": [ { "provider": { + "description": "AI provider format to use for embeddings API", + "type": "string", "required": true, "one_of": [ "openai", "mistral" - ], - "type": "string", - "description": "AI provider format to use for embeddings API" + ] } }, { "name": { + "description": "Model name to execute.", + "type": "string", "required": true, "one_of": [ "text-embedding-3-large", "text-embedding-3-small", "mistral-embed" - ], - "type": "string", - "description": "Model name to execute." 
+ ] } }, { "options": { - "required": false, "description": "Key/value settings for the model", + "type": "record", "fields": [ { "upstream_url": { - "required": false, + "description": "upstream url for the embeddings", "type": "string", - "description": "upstream url for the embeddings" + "required": false } } ], - "type": "record" + "required": false } } ], + "required": true, "type": "record" } } ], + "required": false, "type": "record" } }, { "vectordb": { - "required": false, "fields": [ { "strategy": { + "description": "which vector database driver to use", + "type": "string", "required": true, "one_of": [ "redis" - ], - "type": "string", - "description": "which vector database driver to use" + ] } }, { "dimensions": { - "required": true, + "description": "the desired dimensionality for the vectors", "type": "integer", - "description": "the desired dimensionality for the vectors" + "required": true } }, { "threshold": { - "required": true, + "description": "the default similarity threshold for accepting semantic search results (float)", "type": "number", - "description": "the default similarity threshold for accepting semantic search results (float)" + "required": true } }, { "distance_metric": { + "description": "the distance metric to use for vector searches", + "type": "string", "required": true, "one_of": [ "cosine", "euclidean" - ], - "type": "string", - "description": "the distance metric to use for vector searches" + ] } }, { "redis": { - "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - 
"sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - }, - "if_match": { - "eq": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", "fields": [ { "host": { 
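Review bot: The `tokens_count_strategy` description in the `@@ -56,420 +39,320 @@` hunk lists `total_tokens`, `prompt_tokens` and `completion_tokens`, but the `one_of` values and the default of the same field are hyphenated (`total-tokens`, `prompt-tokens`, `completion-tokens`), so a value copied from the description would fail validation. The description should name the accepted values exactly as they appear in `one_of`. This hunk also removes the `entity_checks` list from the vectordb `redis` record (the `mutually_exclusive_sets`, `mutually_required`, `conditional` and `custom_entity_check` rules); the record continues past the end of this hunk, so confirm the checks are re-added further down rather than dropped, since without them conflicting host, sentinel and cluster settings would no longer be rejected.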
@@ -479,439 +362,572 @@ }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "username": { - "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "referenceable": true } }, { "password": { + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", "type": "string", - "referenceable": true, "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + "referenceable": true } }, { "sentinel_username": { - "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", "type": "string", - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + "referenceable": true } }, { "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "type": "string", - "referenceable": true, "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + "referenceable": true } }, { "database": { - "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + ] } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. 
Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string" + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "default": 6379 } } ], "type": "record" }, - "len_min": 1, "type": "array", - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "default": 6379 } } ], "type": "record" }, - "len_min": 1, "type": "array", - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "len_min": 1 + } + }, + { + "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string", + "required": false + } + }, + { + "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer", + "default": 5 + } + }, + { + "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean", + "default": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] } }, { - "ssl": { - "required": false, - "default": false, - "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis." - } + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] }, { - "ssl_verify": { - "required": false, - "default": false, - "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + }, + "then_field": "host" } }, { - "server_name": { - "required": false, - "type": "string", - "description": "A string representing an SNI (server name indication) value for TLS." 
+ "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] } }, { - "cluster_max_redirections": { - "required": false, - "default": 5, - "description": "Maximum retry attempts for redirection.", - "type": "integer" + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] } }, { - "connection_is_proxied": { - "required": false, - "default": false, - "type": "boolean", - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address." + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] } } ], "shorthand_fields": [ { "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", 
"elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true, + "type": "record" } } ], + "required": false, "type": "record" } }, { "max_request_body_size": { - "gt": 0, - "default": 8192, + "description": "max allowed body size allowed to be introspected", "type": "integer", - "description": "max allowed body size allowed to be introspected" + "gt": 0, + "default": 8192 } }, { "model_name_header": { - "default": true, + "description": "Display the model name selected in the X-Kong-LLM-Model response header", "type": "boolean", - "description": "Display the model name selected in the X-Kong-LLM-Model response header" + "default": true } }, { "targets": { + "type": "array", "required": true, "elements": { "fields": [ { "route_type": { + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "type": "string", "required": true, "one_of": [ "llm/v1/chat", "llm/v1/completions", "preserve" - ], - "type": "string", - "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation." + ] } }, { "auth": { - "required": false, "fields": [ { "header_name": { - "required": false, - "referenceable": true, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "type": "string", - "description": "If AI model requires authentication via Authorization or API key header, specify its name here." + "required": false, + "referenceable": true } }, { "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." 
+ "referenceable": true, + "encrypted": true } }, { "param_name": { - "required": false, - "referenceable": true, + "description": "If AI model requires authentication via query parameter, specify its name here.", "type": "string", - "description": "If AI model requires authentication via query parameter, specify its name here." + "required": false, + "referenceable": true } }, { "param_value": { + "description": "Specify the full parameter value for 'param_name'.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Specify the full parameter value for 'param_name'." + "referenceable": true, + "encrypted": true } }, { "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "required": false, "one_of": [ "query", "body" - ], - "type": "string", - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body." + ] } }, { "azure_use_managed_identity": { - "required": false, - "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "type": "boolean", - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models." + "required": false, + "default": false } }, { "azure_client_id": { - "required": false, - "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "type": "string", - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID." 
+ "required": false, + "referenceable": true } }, { "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." + "referenceable": true, + "encrypted": true } }, { "azure_tenant_id": { - "required": false, - "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "type": "string", - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID." + "required": false, + "referenceable": true } }, { "gcp_use_service_account": { - "required": false, - "default": false, + "description": "Use service account auth for GCP-based providers and models.", "type": "boolean", - "description": "Use service account auth for GCP-based providers and models." + "required": false, + "default": false } }, { "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`." 
+ "referenceable": true, + "encrypted": true } }, { "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance." + "referenceable": true, + "encrypted": true } }, { "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance." + "referenceable": true, + "encrypted": true } }, { "allow_override": { - "required": false, - "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "type": "boolean", - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin." + "required": false, + "default": false } } ], + "required": false, "type": "record" } }, { "model": { - "required": true, "fields": [ { "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "type": "string", "required": true, "one_of": [ "openai", 
@@ -922,172 +938,170 @@ "llama2", "gemini", "bedrock" - ], - "type": "string", - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats." + ] } }, { "name": { - "required": false, + "description": "Model name to execute.", "type": "string", - "description": "Model name to execute." + "required": false } }, { "options": { - "required": false, "description": "Key/value settings for the model", + "type": "record", "fields": [ { "max_tokens": { - "required": false, - "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", "type": "integer", - "description": "Defines the max_tokens, if using chat or completion models." + "required": false, + "default": 256 } }, { "input_cost": { - "required": false, + "description": "Defines the cost per 1M tokens in your prompt.", "type": "number", "gt": 0, - "description": "Defines the cost per 1M tokens in your prompt." + "required": false } }, { "output_cost": { - "required": false, + "description": "Defines the cost per 1M tokens in the output of the AI.", "type": "number", "gt": 0, - "description": "Defines the cost per 1M tokens in the output of the AI." + "required": false } }, { "temperature": { - "required": false, + "description": "Defines the matching temperature, if using chat or completion models.", "type": "number", "between": [ 0, 5 ], - "description": "Defines the matching temperature, if using chat or completion models." + "required": false } }, { "top_p": { - "required": false, + "description": "Defines the top-p probability mass, if supported.", "type": "number", "between": [ 0, 1 ], - "description": "Defines the top-p probability mass, if supported." + "required": false } }, { "top_k": { - "required": false, + "description": "Defines the top-k most likely tokens, if supported.", "type": "integer", "between": [ 0, 500 ], - "description": "Defines the top-k most likely tokens, if supported." 
+ "required": false } }, { "anthropic_version": { - "required": false, + "description": "Defines the schema/API version, if using Anthropic provider.", "type": "string", - "description": "Defines the schema/API version, if using Anthropic provider." + "required": false } }, { "azure_instance": { - "required": false, + "description": "Instance name for Azure OpenAI hosted models.", "type": "string", - "description": "Instance name for Azure OpenAI hosted models." + "required": false } }, { "azure_api_version": { - "required": false, - "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", "type": "string", - "description": "'api-version' for Azure OpenAI instances." + "required": false, + "default": "2023-05-15" } }, { "azure_deployment_id": { - "required": false, + "description": "Deployment ID for Azure OpenAI instances.", "type": "string", - "description": "Deployment ID for Azure OpenAI instances." + "required": false } }, { "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "type": "string", "required": false, "one_of": [ "raw", "openai", "ollama" - ], - "type": "string", - "description": "If using llama2 provider, select the upstream message format." + ] } }, { "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "type": "string", "required": false, "one_of": [ "openai", "ollama" - ], - "type": "string", - "description": "If using mistral provider, select the upstream message format." + ] } }, { "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", "required": false, - "type": "string", - "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint." 
+ "type": "string" } }, { "upstream_path": { - "required": false, "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", - "type": "string" + "type": "string", + "required": false } }, { "gemini": { - "required": false, "fields": [ { "api_endpoint": { - "required": false, + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", "type": "string", - "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only)." + "required": false } }, { "project_id": { - "required": false, + "description": "If running Gemini on Vertex, specify the project ID.", "type": "string", - "description": "If running Gemini on Vertex, specify the project ID." + "required": false } }, { "location_id": { - "required": false, + "description": "If running Gemini on Vertex, specify the location ID.", "type": "string", - "description": "If running Gemini on Vertex, specify the location ID." + "required": false } } ], + "required": false, "entity_checks": [ { "mutually_required": [ 
@@ -1102,86 +1116,87 @@ }, { "bedrock": { - "required": false, "fields": [ { "aws_region": { - "required": false, "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", - "type": "string" + "type": "string", + "required": false } } ], + "required": false, "type": "record" } } ], - "type": "record" + "required": false } } ], + "required": true, "type": "record" } }, { "weight": { + "description": "The weight this target gets within the upstream loadbalancer (1-65535).", + "type": "integer", "between": [ 1, 65535 ], - "default": 100, - "type": "integer", - "description": "The weight this target gets within the upstream loadbalancer (1-65535)." + "default": 100 } }, { "description": { + "description": "The semantic description of the target, required if using semantic load balancing.", "required": false, - "type": "string", - "description": "The semantic description of the target, required if using semantic load balancing." + "type": "string" } }, { "logging": { - "required": true, "fields": [ { "log_statistics": { - "required": true, - "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", "type": "boolean", - "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output." + "required": true, + "default": false } }, { "log_payloads": { - "required": true, - "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", "type": "boolean", - "description": "If enabled, will log the request and response body into the Kong log plugin(s) output." 
+ "required": true, + "default": false } } ], + "required": true, "type": "record" } } ], - "required": true, + "type": "record", "entity_checks": [ { "conditional": { - "if_field": "model.provider", "if_match": { "one_of": [ "bedrock", "gemini" ] }, + "if_field": "model.provider", + "then_err": "bedrock and gemini only support auth.allow_override = false", "then_field": "auth.allow_override", "then_match": { "eq": false - }, - "then_err": "bedrock and gemini only support auth.allow_override = false" + } } }, { 
@@ -1199,100 +1214,100 @@ }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for llama2 provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.llama2_format" - ] + "then_err": "must set %s for llama2 provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ], "if_match": { "one_of": [ "mistral" ] }, - "then_err": "must set %s for mistral provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.mistral_format" - ] + "then_err": "must set %s for mistral provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], "if_match": { "one_of": [ "anthropic" ] }, - "then_err": "must set %s for anthropic provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.anthropic_version" - ] + "then_err": "must set %s for anthropic provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_instance" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_api_version" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ 
+ "model.options.azure_deployment_id" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_deployment_id" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for self-hosted providers/models", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.upstream_url" - ] + "then_err": "must set %s for self-hosted providers/models" } }, { @@ -1304,15 +1319,30 @@ ] } } - ], - "type": "record" - }, - "type": "array" + ] + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.targets" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.targets", + "config.balancer" + ] } } ] diff --git a/schemas/ai-proxy/3.8.x.json b/schemas/ai-proxy/3.8.x.json index c8a3294d..46d054a9 100644 --- a/schemas/ai-proxy/3.8.x.json +++ b/schemas/ai-proxy/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
@@ -30,151 +27,152 @@ "fields": [ { "route_type": { + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "type": "string", "required": true, "one_of": [ "llm/v1/chat", "llm/v1/completions", "preserve" - ], - "type": "string", - "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation." + ] } }, { "auth": { - "required": false, "fields": [ { "header_name": { - "required": false, - "referenceable": true, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "type": "string", - "description": "If AI model requires authentication via Authorization or API key header, specify its name here." + "required": false, + "referenceable": true } }, { "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." + "referenceable": true, + "encrypted": true } }, { "param_name": { - "required": false, - "referenceable": true, + "description": "If AI model requires authentication via query parameter, specify its name here.", "type": "string", - "description": "If AI model requires authentication via query parameter, specify its name here." + "required": false, + "referenceable": true } }, { "param_value": { + "description": "Specify the full parameter value for 'param_name'.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Specify the full parameter value for 'param_name'." 
+ "referenceable": true, + "encrypted": true } }, { "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "required": false, "one_of": [ "query", "body" - ], - "type": "string", - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body." + ] } }, { "azure_use_managed_identity": { - "required": false, - "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "type": "boolean", - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models." + "required": false, + "default": false } }, { "azure_client_id": { - "required": false, - "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "type": "string", - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID." + "required": false, + "referenceable": true } }, { "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." 
+ "referenceable": true, + "encrypted": true } }, { "azure_tenant_id": { - "required": false, - "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "type": "string", - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID." + "required": false, + "referenceable": true } }, { "gcp_use_service_account": { - "required": false, - "default": false, + "description": "Use service account auth for GCP-based providers and models.", "type": "boolean", - "description": "Use service account auth for GCP-based providers and models." + "required": false, + "default": false } }, { "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`." + "referenceable": true, + "encrypted": true } }, { "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance." + "referenceable": true, + "encrypted": true } }, { "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance." + "referenceable": true, + "encrypted": true } }, { "allow_override": { - "required": false, - "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "type": "boolean", - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin." + "required": false, + "default": false } } ], + "required": false, "type": "record" } }, { "model": { - "required": true, "fields": [ { "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "type": "string", "required": true, "one_of": [ "openai", 
@@ -185,172 +183,170 @@ "llama2", "gemini", "bedrock" - ], - "type": "string", - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats." + ] } }, { "name": { - "required": false, + "description": "Model name to execute.", "type": "string", - "description": "Model name to execute." + "required": false } }, { "options": { - "required": false, "description": "Key/value settings for the model", + "type": "record", "fields": [ { "max_tokens": { - "required": false, - "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", "type": "integer", - "description": "Defines the max_tokens, if using chat or completion models." + "required": false, + "default": 256 } }, { "input_cost": { - "required": false, + "description": "Defines the cost per 1M tokens in your prompt.", "type": "number", "gt": 0, - "description": "Defines the cost per 1M tokens in your prompt." + "required": false } }, { "output_cost": { - "required": false, + "description": "Defines the cost per 1M tokens in the output of the AI.", "type": "number", "gt": 0, - "description": "Defines the cost per 1M tokens in the output of the AI." + "required": false } }, { "temperature": { - "required": false, + "description": "Defines the matching temperature, if using chat or completion models.", "type": "number", "between": [ 0, 5 ], - "description": "Defines the matching temperature, if using chat or completion models." + "required": false } }, { "top_p": { - "required": false, + "description": "Defines the top-p probability mass, if supported.", "type": "number", "between": [ 0, 1 ], - "description": "Defines the top-p probability mass, if supported." + "required": false } }, { "top_k": { - "required": false, + "description": "Defines the top-k most likely tokens, if supported.", "type": "integer", "between": [ 0, 500 ], - "description": "Defines the top-k most likely tokens, if supported." 
+ "required": false } }, { "anthropic_version": { - "required": false, + "description": "Defines the schema/API version, if using Anthropic provider.", "type": "string", - "description": "Defines the schema/API version, if using Anthropic provider." + "required": false } }, { "azure_instance": { - "required": false, + "description": "Instance name for Azure OpenAI hosted models.", "type": "string", - "description": "Instance name for Azure OpenAI hosted models." + "required": false } }, { "azure_api_version": { - "required": false, - "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", "type": "string", - "description": "'api-version' for Azure OpenAI instances." + "required": false, + "default": "2023-05-15" } }, { "azure_deployment_id": { - "required": false, + "description": "Deployment ID for Azure OpenAI instances.", "type": "string", - "description": "Deployment ID for Azure OpenAI instances." + "required": false } }, { "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "type": "string", "required": false, "one_of": [ "raw", "openai", "ollama" - ], - "type": "string", - "description": "If using llama2 provider, select the upstream message format." + ] } }, { "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "type": "string", "required": false, "one_of": [ "openai", "ollama" - ], - "type": "string", - "description": "If using mistral provider, select the upstream message format." + ] } }, { "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", "required": false, - "type": "string", - "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint." 
+ "type": "string" } }, { "upstream_path": { - "required": false, "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", - "type": "string" + "type": "string", + "required": false } }, { "gemini": { - "required": false, "fields": [ { "api_endpoint": { - "required": false, + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", "type": "string", - "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only)." + "required": false } }, { "project_id": { - "required": false, + "description": "If running Gemini on Vertex, specify the project ID.", "type": "string", - "description": "If running Gemini on Vertex, specify the project ID." + "required": false } }, { "location_id": { - "required": false, + "description": "If running Gemini on Vertex, specify the location ID.", "type": "string", - "description": "If running Gemini on Vertex, specify the location ID." + "required": false } } ], + "required": false, "entity_checks": [ { "mutually_required": [ 
@@ -365,96 +361,97 @@ }, { "bedrock": { - "required": false, "fields": [ { "aws_region": { - "required": false, "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", - "type": "string" + "type": "string", + "required": false } } ], + "required": false, "type": "record" } } ], - "type": "record" + "required": false } } ], + "required": true, "type": "record" } }, { "logging": { - "required": true, "fields": [ { "log_statistics": { - "required": true, - "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", "type": "boolean", - "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output." + "required": true, + "default": false } }, { "log_payloads": { - "required": true, - "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", "type": "boolean", - "description": "If enabled, will log the request and response body into the Kong log plugin(s) output." + "required": true, + "default": false } } ], + "required": true, "type": "record" } }, { "response_streaming": { + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", "required": false, - "type": "string", - "default": "allow", "one_of": [ "allow", "deny", "always" ], - "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events." 
+ "type": "string", + "default": "allow" } }, { "max_request_body_size": { - "gt": 0, - "default": 8192, "description": "max allowed body size allowed to be introspected", - "type": "integer" + "type": "integer", + "gt": 0, + "default": 8192 } }, { "model_name_header": { - "default": true, "description": "Display the model name selected in the X-Kong-LLM-Model response header", - "type": "boolean" + "type": "boolean", + "default": true } } ], - "required": true, + "type": "record", "entity_checks": [ { "conditional": { - "if_field": "model.provider", "if_match": { "one_of": [ "bedrock", "gemini" ] }, + "if_field": "model.provider", + "then_err": "bedrock and gemini only support auth.allow_override = false", "then_field": "auth.allow_override", "then_match": { "eq": false - }, - "then_err": "bedrock and gemini only support auth.allow_override = false" + } } }, { 
@@ -472,100 +469,100 @@ }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for llama2 provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.llama2_format" - ] + "then_err": "must set %s for llama2 provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ], "if_match": { "one_of": [ "mistral" ] }, - "then_err": "must set %s for mistral provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.mistral_format" - ] + "then_err": "must set %s for mistral provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], "if_match": { "one_of": [ "anthropic" ] }, - "then_err": "must set %s for anthropic provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.anthropic_version" - ] + "then_err": "must set %s for anthropic provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_instance" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_api_version" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + 
"model.options.azure_deployment_id" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_deployment_id" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for self-hosted providers/models", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.upstream_url" - ] + "then_err": "must set %s for self-hosted providers/models" } }, { @@ -578,8 +575,11 @@ } } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/ai-rate-limiting-advanced/3.8.x.json b/schemas/ai-rate-limiting-advanced/3.8.x.json index 9d8f08dd..7564c293 100644 --- a/schemas/ai-rate-limiting-advanced/3.8.x.json +++ b/schemas/ai-rate-limiting-advanced/3.8.x.json @@ -1,16 +1,8 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -27,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { @@ -36,9 +27,8 @@ "fields": [ { "identifier": { + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", "required": true, - "type": "string", - "default": "consumer", "one_of": [ "ip", "credential", 
@@ -48,41 +38,45 @@ "path", "consumer-group" ], - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`." + "type": "string", + "default": "consumer" } }, { "window_type": { "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "type": "string", "default": "sliding", "one_of": [ "fixed", "sliding" - ], - "type": "string" + ] } }, { "sync_rate": { - "type": "number", - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" } }, { "llm_providers": { - "required": true, "description": "The provider config. 
Takes an array of `name`, `limit` and `window size` values.", + "type": "array", + "required": true, "elements": { "fields": [ { "window_size": { - "required": true, "description": "The window size to apply a limit (defined in seconds).", - "type": "number" + "type": "number", + "required": true } }, { "name": { + "description": "The LLM provider to which the rate limit applies.", + "type": "string", "required": true, "one_of": [ "openai", 
@@ -94,285 +88,183 @@ "bedrock", "gemini", "requestPrompt" - ], - "description": "The LLM provider to which the rate limit applies.", - "type": "string" + ] } }, { "limit": { - "required": true, "description": "The limit applies to the LLM provider within the defined window size. It used the query cost from the tokens to increment the counter.", - "type": "number" + "type": "number", + "required": true } } ], "type": "record" - }, - "type": "array" + } } }, { "strategy": { + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "required": true, - "type": "string", - "default": "local", "one_of": [ "cluster", "redis", "local" ], - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`." + "type": "string", + "default": "local" } }, { "dictionary_name": { - "required": true, - "default": "kong_rate_limiting_counters", "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", - "type": "string" + "type": "string", + "required": true, + "default": "kong_rate_limiting_counters" } }, { "hide_client_headers": { - "default": false, "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "retry_after_jitter_max": { - "default": 0, "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. 
The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", - "type": "number" + "type": "number", + "default": 0 } }, { "header_name": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } }, { "path": { - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "type": "string" + "type": "string", + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "redis": { - "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "connection_is_proxied" - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { 
- "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "username": { - "referenceable": true, "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "sentinel_username": { - "referenceable": true, "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "type": "integer", + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low.", - "type": "integer" + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { 
@@ -383,214 +275,353 @@ }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "len_min": 1 } }, { "ssl": { - "required": false, - "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } }, { "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", "required": false, - "default": 5, "type": "integer", - "description": "Maximum retry attempts for redirection." 
+ "default": 5 } }, { "connection_is_proxied": { - "required": false, - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } } ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", "shorthand_fields": [ { "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + 
"connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true } }, { "disable_penalty": { - "default": false, "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. 
This parameter only affects the `sliding` window_type and the request prompt provider.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "request_prompt_count_function": { - "required": false, "description": "If defined, it use custom function to count requests for the request prompt provider", - "type": "string" + "type": "string", + "required": false } }, { "error_code": { - "gt": 0, - "default": 429, "description": "Set a custom error code to return when the rate limit is exceeded.", - "type": "number" + "type": "number", + "gt": 0, + "default": 429 } }, { "error_message": { - "default": "API rate limit exceeded for provider(s): ", "description": "Set a custom error message to return when the rate limit is exceeded.", - "type": "string" + "type": "string", + "default": "API rate limit exceeded for provider(s): " } }, { "error_hide_providers": { - "default": false, "description": "Optionally hide informative response that would otherwise provide information about the provider in the error message.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "tokens_count_strategy": { + "description": "What tokens to use for cost calculation. Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` or `cost`.", "required": true, - "type": "string", - "default": "total_tokens", "one_of": [ "total_tokens", "prompt_tokens", "completion_tokens", "cost" ], - "description": "What tokens to use for cost calculation. Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` or `cost`." + "type": "string", + "default": "total_tokens" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/ai-request-transformer/3.8.x.json b/schemas/ai-request-transformer/3.8.x.json index 029d7e40..e1f190ab 100644 --- a/schemas/ai-request-transformer/3.8.x.json 
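Review bot: The `ssl` and `ssl_verify` entries in this hunk both keep `"default": false`, and neither description says what that default means for the `password` and `sentinel_password` fields that the same redis record defines just before this hunk. I would extend the `ssl` description to `If set to true, uses SSL to connect to Redis. If false, the connection, including AUTH, is not encrypted.` and add to `ssl_verify` that with the default the server certificate is not checked. The new redis-level `entity_checks` constrain host/port/sentinel/cluster combinations but nothing ties credentials to `ssl`, so the description is the only place an operator would see this. The schema is downloaded from the API, so the wording presumably has to change in the upstream plugin schema; the enclosing `fields` array opens before this hunk.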
+++ b/schemas/ai-request-transformer/3.8.x.json @@ -1,36 +1,8 @@ { - "entity_checks": [ - { - "conditional": { - "then_match": { - "eq": "llm/v1/chat" - }, - "then_field": "config.llm.route_type", - "if_match": { - "not_one_of": [ - "llm/v1/chat" - ] - }, - "if_field": "config.llm.route_type", - "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins" - } - }, - { - "mutually_required": [ - "config.http_proxy_host", - "config.http_proxy_port" - ] - }, - { - "mutually_required": [ - "config.https_proxy_host", - "config.https_proxy_port" - ] - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -47,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -64,72 +35,72 @@ "fields": [ { "prompt": { + "description": "Use this prompt to tune the LLM system/assistant message for the incoming proxy request (from the client), and what you are expecting in return.", "required": true, - "type": "string", - "description": "Use this prompt to tune the LLM system/assistant message for the incoming proxy request (from the client), and what you are expecting in return." + "type": "string" } }, { "transformation_extract_pattern": { + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the request phase. The first match will be set as the outgoing body. If the AI service's response doesn't match this pattern, it is marked as a failure.", "required": false, - "type": "string", - "description": "Defines the regular expression that must match to indicate a successful AI transformation at the request phase. The first match will be set as the outgoing body. If the AI service's response doesn't match this pattern, it is marked as a failure." + "type": "string" } }, { "http_timeout": { - "required": true, - "default": 60000, "description": "Timeout in milliseconds for the AI upstream service.", - "type": "integer" + "type": "integer", + "required": true, + "default": 60000 } }, { "https_verify": { - "required": true, - "default": true, "description": "Verify the TLS certificate of the AI upstream service.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": true } }, { "max_request_body_size": { - "gt": 0, - "default": 8192, "description": "max allowed body size allowed to be introspected", - "type": "integer" + "type": "integer", + "gt": 0, + "default": 8192 } }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." 
+ "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { 
@@ -137,151 +108,152 @@ "fields": [ { "route_type": { + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "type": "string", "required": true, "one_of": [ "llm/v1/chat", "llm/v1/completions", "preserve" - ], - "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", - "type": "string" + ] } }, { "auth": { - "required": false, "fields": [ { "header_name": { - "required": false, - "referenceable": true, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." + "referenceable": true } }, { "param_name": { - "required": false, - "referenceable": true, "description": "If AI model requires authentication via query parameter, specify its name here.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "param_value": { + "description": "Specify the full parameter value for 'param_name'.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Specify the full parameter value for 'param_name'." 
+ "referenceable": true } }, { "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "required": false, "one_of": [ "query", "body" - ], - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", - "type": "string" + ] } }, { "azure_use_managed_identity": { - "required": false, - "default": false, "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } }, { "azure_client_id": { - "required": false, - "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." 
+ "referenceable": true } }, { "azure_tenant_id": { - "required": false, - "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "gcp_use_service_account": { - "required": false, - "default": false, "description": "Use service account auth for GCP-based providers and models.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } }, { "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`." + "referenceable": true } }, { "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance." + "referenceable": true } }, { "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance." + "referenceable": true } }, { "allow_override": { - "required": false, - "default": false, "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } } ], + "required": false, "type": "record" } }, { "model": { - "required": true, "fields": [ { "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "type": "string", "required": true, "one_of": [ "openai", 
@@ -292,172 +264,172 @@ "llama2", "gemini", "bedrock" - ], - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", - "type": "string" + ] } }, { "name": { - "required": false, "description": "Model name to execute.", - "type": "string" + "type": "string", + "required": false } }, { "options": { - "required": false, + "description": "Key/value settings for the model", "type": "record", + "required": false, "fields": [ { "max_tokens": { - "required": false, - "default": 256, "description": "Defines the max_tokens, if using chat or completion models.", - "type": "integer" + "type": "integer", + "required": false, + "default": 256 } }, { "input_cost": { - "required": false, "description": "Defines the cost per 1M tokens in your prompt.", + "type": "number", "gt": 0, - "type": "number" + "required": false } }, { "output_cost": { - "required": false, "description": "Defines the cost per 1M tokens in the output of the AI.", + "type": "number", "gt": 0, - "type": "number" + "required": false } }, { "temperature": { - "required": false, "description": "Defines the matching temperature, if using chat or completion models.", + "type": "number", "between": [ 0, 5 ], - "type": "number" + "required": false } }, { "top_p": { - "required": false, "description": "Defines the top-p probability mass, if supported.", + "type": "number", "between": [ 0, 1 ], - "type": "number" + "required": false } }, { "top_k": { - "required": false, "description": "Defines the top-k most likely tokens, if supported.", + "type": "integer", "between": [ 0, 500 ], - "type": "integer" + "required": false } }, { "anthropic_version": { - "required": false, "description": "Defines the schema/API version, if using Anthropic provider.", - "type": "string" + "type": "string", + "required": false } }, { "azure_instance": { - "required": false, "description": "Instance name for Azure OpenAI hosted models.", - "type": "string" + "type": 
"string", + "required": false } }, { "azure_api_version": { - "required": false, - "default": "2023-05-15", "description": "'api-version' for Azure OpenAI instances.", - "type": "string" + "type": "string", + "required": false, + "default": "2023-05-15" } }, { "azure_deployment_id": { - "required": false, "description": "Deployment ID for Azure OpenAI instances.", - "type": "string" + "type": "string", + "required": false } }, { "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "type": "string", "required": false, "one_of": [ "raw", "openai", "ollama" - ], - "description": "If using llama2 provider, select the upstream message format.", - "type": "string" + ] } }, { "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "type": "string", "required": false, "one_of": [ "openai", "ollama" - ], - "description": "If using mistral provider, select the upstream message format.", - "type": "string" + ] } }, { "upstream_url": { - "required": false, "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "required": false, "type": "string" } }, { "upstream_path": { - "required": false, + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", "type": "string", - "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type." 
+ "required": false } }, { "gemini": { - "required": false, "fields": [ { "api_endpoint": { - "required": false, "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", - "type": "string" + "type": "string", + "required": false } }, { "project_id": { - "required": false, "description": "If running Gemini on Vertex, specify the project ID.", - "type": "string" + "type": "string", + "required": false } }, { "location_id": { - "required": false, "description": "If running Gemini on Vertex, specify the location ID.", - "type": "string" + "type": "string", + "required": false } } ], + "required": false, + "type": "record", "entity_checks": [ { "mutually_required": [ 
@@ -466,74 +438,73 @@ "location_id" ] } - ], - "type": "record" + ] } }, { "bedrock": { - "required": false, "fields": [ { "aws_region": { - "required": false, + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", "type": "string", - "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option." + "required": false } } ], + "required": false, "type": "record" } } - ], - "description": "Key/value settings for the model" + ] } } ], + "required": true, "type": "record" } }, { "logging": { - "required": true, "fields": [ { "log_statistics": { - "required": true, - "default": false, "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": false } }, { "log_payloads": { - "required": true, - "default": false, "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": false } } ], + "required": true, "type": "record" } } ], - "required": true, + "type": "record", "entity_checks": [ { "conditional": { - "if_field": "model.provider", "if_match": { "one_of": [ "bedrock", "gemini" ] }, - "then_field": "auth.allow_override", + "if_field": "model.provider", + "then_err": "bedrock and gemini only support auth.allow_override = false", "then_match": { "eq": false }, - "then_err": "bedrock and gemini only support auth.allow_override = false" + "then_field": "auth.allow_override" } }, { 
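Review bot: The `log_payloads` description in this hunk says only that the request and response body go to the Kong log plugin output, and does not mention that for this plugin those bodies are the LLM prompts and completions. A closing sentence such as `Payloads can contain sensitive or personal data; restrict access to the log destination before enabling.` would put the caveat where the operator turns the option on. The default stays `false`, which is the safe side, so only the text needs to change. As the file is pulled from the API, the edit presumably belongs in the upstream schema.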
@@ -551,99 +522,99 @@ }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_at_least_one_of": [ - "model.options.llama2_format" - ], - "if_field": "model.provider", "then_err": "must set %s for llama2 provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ], "if_match": { "one_of": [ "mistral" ] }, - "then_at_least_one_of": [ - "model.options.mistral_format" - ], - "if_field": "model.provider", "then_err": "must set %s for mistral provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], "if_match": { "one_of": [ "anthropic" ] }, - "then_at_least_one_of": [ - "model.options.anthropic_version" - ], - "if_field": "model.provider", "then_err": "must set %s for anthropic provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ], "if_match": { "one_of": [ "azure" ] }, - "then_at_least_one_of": [ - "model.options.azure_instance" - ], - "if_field": "model.provider", "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], "if_match": { "one_of": [ "azure" ] }, - "then_at_least_one_of": [ - "model.options.azure_api_version" - ], - "if_field": "model.provider", "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ], "if_match": { "one_of": [ "azure" ] }, - "then_at_least_one_of": [ - "model.options.azure_deployment_id" - ], - "if_field": "model.provider", "then_err": "must set %s for azure provider" } }, { 
"conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_at_least_one_of": [ - "model.options.upstream_url" - ], - "if_field": "model.provider", "then_err": "must set %s for self-hosted providers/models" } }, @@ -657,13 +628,42 @@ } } ], - "type": "record" + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "config.llm.route_type", + "if_field": "config.llm.route_type", + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "then_match": { + "eq": "llm/v1/chat" + } + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } ] } \ No newline at end of file diff --git a/schemas/ai-response-transformer/3.8.x.json b/schemas/ai-response-transformer/3.8.x.json index 671f26c1..e7158ea7 100644 --- a/schemas/ai-response-transformer/3.8.x.json +++ b/schemas/ai-response-transformer/3.8.x.json @@ -1,36 +1,8 @@ { - "entity_checks": [ - { - "conditional": { - "then_match": { - "eq": "llm/v1/chat" - }, - "then_field": "config.llm.route_type", - "if_match": { - "not_one_of": [ - "llm/v1/chat" - ] - }, - "if_field": "config.llm.route_type", - "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins" - } - }, - { - "mutually_required": [ - "config.http_proxy_host", - "config.http_proxy_port" - ] - }, - { - "mutually_required": [ - "config.https_proxy_host", - "config.https_proxy_port" - ] - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
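Review bot: Almost every `-`/`+` pair in this file's hunks is the same key/value content emitted in a different order, which makes real schema changes hard to pick out in review. The top-level `entity_checks` added at the end of ai-request-transformer is the same three checks removed in its `@@ -1,36 +1,8 @@` hunk, and the `conditional_at_least_one_of` hunk before it only moves `if_field` and `then_at_least_one_of`. Key order carries no meaning in JSON, so the download step (not part of this diff) could serialise with a stable order, for example sorted keys via `jq -S`, and later pulls would then show only actual additions such as new `referenceable`/`encrypted` flags or new checks. The ai-response-transformer hunks that follow show the same pattern.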
@@ -47,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
@@ -56,80 +27,80 @@ "fields": [ { "prompt": { + "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting.", "required": true, - "type": "string", - "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting." + "type": "string" } }, { "transformation_extract_pattern": { + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the response phase. The first match will be set as the returning body. If the AI service's response doesn't match this pattern, a failure is returned to the client.", "required": false, - "type": "string", - "description": "Defines the regular expression that must match to indicate a successful AI transformation at the response phase. The first match will be set as the returning body. If the AI service's response doesn't match this pattern, a failure is returned to the client." + "type": "string" } }, { "parse_llm_response_json_instructions": { - "required": true, - "default": false, + "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions.", "type": "boolean", - "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions." 
+ "required": true, + "default": false } }, { "http_timeout": { - "required": true, - "default": 60000, + "description": "Timeout in milliseconds for the AI upstream service.", "type": "integer", - "description": "Timeout in milliseconds for the AI upstream service." + "required": true, + "default": 60000 } }, { "https_verify": { - "required": true, - "default": true, + "description": "Verify the TLS certificate of the AI upstream service.", "type": "boolean", - "description": "Verify the TLS certificate of the AI upstream service." + "required": true, + "default": true } }, { "max_request_body_size": { - "gt": 0, - "default": 8192, "description": "max allowed body size allowed to be introspected", - "type": "integer" + "type": "integer", + "gt": 0, + "default": 8192 } }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { 
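Review bot: Two description strings on the new side of this hunk have wording errors that will presumably surface in the rendered plugin reference. `prompt` reads `adn what response format you are expecting` (should be `and`), and `max_request_body_size` reads `max allowed body size allowed to be introspected`, which could become `Maximum request body size, in bytes, that can be introspected.` if the unit is bytes (the schema does not state it). The `max_request_body_size` text is repeated in the ai-request-transformer hunk `@@ -64,72 +35,72 @@`. Both strings come from the downloaded schema, so the correction would need to be made upstream.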
@@ -137,151 +108,152 @@ "fields": [ { "route_type": { + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "type": "string", "required": true, "one_of": [ "llm/v1/chat", "llm/v1/completions", "preserve" - ], - "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", - "type": "string" + ] } }, { "auth": { - "required": false, "fields": [ { "header_name": { - "required": false, - "referenceable": true, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." + "referenceable": true } }, { "param_name": { - "required": false, - "referenceable": true, "description": "If AI model requires authentication via query parameter, specify its name here.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "param_value": { + "description": "Specify the full parameter value for 'param_name'.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Specify the full parameter value for 'param_name'." 
+ "referenceable": true } }, { "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "required": false, "one_of": [ "query", "body" - ], - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", - "type": "string" + ] } }, { "azure_use_managed_identity": { - "required": false, - "default": false, "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } }, { "azure_client_id": { - "required": false, - "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." 
+ "referenceable": true } }, { "azure_tenant_id": { - "required": false, - "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "gcp_use_service_account": { - "required": false, - "default": false, "description": "Use service account auth for GCP-based providers and models.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } }, { "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`." + "referenceable": true } }, { "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance." + "referenceable": true } }, { "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance." + "referenceable": true } }, { "allow_override": { - "required": false, - "default": false, "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } } ], + "required": false, "type": "record" } }, { "model": { - "required": true, "fields": [ { "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "type": "string", "required": true, "one_of": [ "openai", 
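Review bot: The `auth.allow_override` description does not make clear which credential wins. Read literally, "can be overridden in the request by the value configured in the plugin" says the configured value replaces the caller's, which sits oddly with a flag that defaults to `false`. Because this flag decides whether a caller-supplied credential or the configured one reaches the provider, the text should name the direction, for example `If enabled, an authorization header or parameter supplied in the client request takes precedence over the value configured in the plugin.`, to be confirmed against the plugin's behaviour. The `auth` record sits in a `fields` array that opens before this hunk.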
@@ -292,172 +264,172 @@ "llama2", "gemini", "bedrock" - ], - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", - "type": "string" + ] } }, { "name": { - "required": false, "description": "Model name to execute.", - "type": "string" + "type": "string", + "required": false } }, { "options": { - "required": false, + "description": "Key/value settings for the model", "type": "record", + "required": false, "fields": [ { "max_tokens": { - "required": false, - "default": 256, "description": "Defines the max_tokens, if using chat or completion models.", - "type": "integer" + "type": "integer", + "required": false, + "default": 256 } }, { "input_cost": { - "required": false, "description": "Defines the cost per 1M tokens in your prompt.", + "type": "number", "gt": 0, - "type": "number" + "required": false } }, { "output_cost": { - "required": false, "description": "Defines the cost per 1M tokens in the output of the AI.", + "type": "number", "gt": 0, - "type": "number" + "required": false } }, { "temperature": { - "required": false, "description": "Defines the matching temperature, if using chat or completion models.", + "type": "number", "between": [ 0, 5 ], - "type": "number" + "required": false } }, { "top_p": { - "required": false, "description": "Defines the top-p probability mass, if supported.", + "type": "number", "between": [ 0, 1 ], - "type": "number" + "required": false } }, { "top_k": { - "required": false, "description": "Defines the top-k most likely tokens, if supported.", + "type": "integer", "between": [ 0, 500 ], - "type": "integer" + "required": false } }, { "anthropic_version": { - "required": false, "description": "Defines the schema/API version, if using Anthropic provider.", - "type": "string" + "type": "string", + "required": false } }, { "azure_instance": { - "required": false, "description": "Instance name for Azure OpenAI hosted models.", - "type": "string" + "type": 
"string", + "required": false } }, { "azure_api_version": { - "required": false, - "default": "2023-05-15", "description": "'api-version' for Azure OpenAI instances.", - "type": "string" + "type": "string", + "required": false, + "default": "2023-05-15" } }, { "azure_deployment_id": { - "required": false, "description": "Deployment ID for Azure OpenAI instances.", - "type": "string" + "type": "string", + "required": false } }, { "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "type": "string", "required": false, "one_of": [ "raw", "openai", "ollama" - ], - "description": "If using llama2 provider, select the upstream message format.", - "type": "string" + ] } }, { "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "type": "string", "required": false, "one_of": [ "openai", "ollama" - ], - "description": "If using mistral provider, select the upstream message format.", - "type": "string" + ] } }, { "upstream_url": { - "required": false, "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "required": false, "type": "string" } }, { "upstream_path": { - "required": false, + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", "type": "string", - "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type." 
+ "required": false } }, { "gemini": { - "required": false, "fields": [ { "api_endpoint": { - "required": false, "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", - "type": "string" + "type": "string", + "required": false } }, { "project_id": { - "required": false, "description": "If running Gemini on Vertex, specify the project ID.", - "type": "string" + "type": "string", + "required": false } }, { "location_id": { - "required": false, "description": "If running Gemini on Vertex, specify the location ID.", - "type": "string" + "type": "string", + "required": false } } ], + "required": false, + "type": "record", "entity_checks": [ { "mutually_required": [ 
@@ -466,74 +438,73 @@ "location_id" ] } - ], - "type": "record" + ] } }, { "bedrock": { - "required": false, "fields": [ { "aws_region": { - "required": false, + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", "type": "string", - "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option." + "required": false } } ], + "required": false, "type": "record" } } - ], - "description": "Key/value settings for the model" + ] } } ], + "required": true, "type": "record" } }, { "logging": { - "required": true, "fields": [ { "log_statistics": { - "required": true, - "default": false, "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": false } }, { "log_payloads": { - "required": true, - "default": false, "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": false } } ], + "required": true, "type": "record" } } ], - "required": true, + "type": "record", "entity_checks": [ { "conditional": { - "if_field": "model.provider", "if_match": { "one_of": [ "bedrock", "gemini" ] }, - "then_field": "auth.allow_override", + "if_field": "model.provider", + "then_err": "bedrock and gemini only support auth.allow_override = false", "then_match": { "eq": false }, - "then_err": "bedrock and gemini only support auth.allow_override = false" + "then_field": "auth.allow_override" } }, { 
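Review bot: The `logging.log_payloads` description should state what ends up in the log output, since request and response bodies carry prompts and completions. Per the description of `auth.param_location`, the value `body` places `auth.param_value` in the request body, and this hunk does not show whether the logged request body is the client's original or the one sent to the provider. Suggested wording: `If enabled, logs the request and response bodies into the Kong log plugin(s) output; bodies may contain prompts, completions and other sensitive data.`, plus a sentence on which request body is logged once that is confirmed. The `logging` record's parent continues outside the hunk.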
@@ -551,99 +522,99 @@ }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_at_least_one_of": [ - "model.options.llama2_format" - ], - "if_field": "model.provider", "then_err": "must set %s for llama2 provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ], "if_match": { "one_of": [ "mistral" ] }, - "then_at_least_one_of": [ - "model.options.mistral_format" - ], - "if_field": "model.provider", "then_err": "must set %s for mistral provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], "if_match": { "one_of": [ "anthropic" ] }, - "then_at_least_one_of": [ - "model.options.anthropic_version" - ], - "if_field": "model.provider", "then_err": "must set %s for anthropic provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ], "if_match": { "one_of": [ "azure" ] }, - "then_at_least_one_of": [ - "model.options.azure_instance" - ], - "if_field": "model.provider", "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], "if_match": { "one_of": [ "azure" ] }, - "then_at_least_one_of": [ - "model.options.azure_api_version" - ], - "if_field": "model.provider", "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ], "if_match": { "one_of": [ "azure" ] }, - "then_at_least_one_of": [ - "model.options.azure_deployment_id" - ], - "if_field": "model.provider", "then_err": "must set %s for azure provider" } }, { 
"conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_at_least_one_of": [ - "model.options.upstream_url" - ], - "if_field": "model.provider", "then_err": "must set %s for self-hosted providers/models" } }, @@ -657,13 +628,42 @@ } } ], - "type": "record" + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "config.llm.route_type", + "if_field": "config.llm.route_type", + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "then_match": { + "eq": "llm/v1/chat" + } + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } ] } \ No newline at end of file diff --git a/schemas/ai-semantic-cache/3.8.x.json b/schemas/ai-semantic-cache/3.8.x.json index e7824407..92f99f8a 100644 --- a/schemas/ai-semantic-cache/3.8.x.json +++ b/schemas/ai-semantic-cache/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -38,491 +35,391 @@ "fields": [ { "message_countback": { + "description": "Number of messages in the chat history to Vectorize/Cache", + "type": "number", "between": [ 1, 1000 ], - "default": 1, - "type": "number", - "description": "Number of messages in the chat history to Vectorize/Cache" + "default": 1 } }, { "ignore_system_prompts": { - "default": false, + "description": "Ignore and discard any system prompts when Vectorizing the request", "type": "boolean", - "description": "Ignore and discard any system prompts when Vectorizing the request" + "default": false } }, { "ignore_assistant_prompts": { - "default": false, + "description": "Ignore and discard any assistant prompts when Vectorizing the request", "type": "boolean", - "description": "Ignore and discard any assistant prompts when Vectorizing the request" + "default": false } }, { "stop_on_failure": { + "description": "Halt the LLM request process in case of a caching system failure", "required": true, - "default": false, "type": "boolean", - "description": "Halt the LLM request process in case of a caching system failure" + "default": false } }, { "cache_ttl": { - "gt": 0, - "default": 300, + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", "type": "integer", - "description": "TTL in seconds of cache entities. Must be a value greater than 0." + "gt": 0, + "default": 300 } }, { "cache_control": { + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", "required": true, - "default": false, "type": "boolean", - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234." + "default": false } }, { "exact_caching": { + "description": "When enabled, a first check for exact query will be done. It will impact DB size", "required": true, - "default": false, "type": "boolean", - "description": "When enabled, a first check for exact query will be done. 
It will impact DB size" + "default": false } }, { "embeddings": { - "required": true, "fields": [ { "auth": { - "required": false, "fields": [ { "header_name": { - "required": false, - "referenceable": true, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." + "referenceable": true } }, { "param_name": { - "required": false, - "referenceable": true, "description": "If AI model requires authentication via query parameter, specify its name here.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "param_value": { + "description": "Specify the full parameter value for 'param_name'.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Specify the full parameter value for 'param_name'." 
+ "referenceable": true } }, { "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "required": false, "one_of": [ "query", "body" - ], - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", - "type": "string" + ] } }, { "azure_use_managed_identity": { - "required": false, - "default": false, "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } }, { "azure_client_id": { - "required": false, - "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." 
+ "referenceable": true } }, { "azure_tenant_id": { - "required": false, - "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "gcp_use_service_account": { - "required": false, - "default": false, "description": "Use service account auth for GCP-based providers and models.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } }, { "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`." + "referenceable": true } }, { "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance." + "referenceable": true } }, { "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance." + "referenceable": true } }, { "allow_override": { - "required": false, - "default": false, "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } } ], + "required": false, "type": "record" } }, { "model": { - "required": true, "fields": [ { "provider": { + "description": "AI provider format to use for embeddings API", + "type": "string", "required": true, "one_of": [ "openai", "mistral" - ], - "description": "AI provider format to use for embeddings API", - "type": "string" + ] } }, { "name": { + "description": "Model name to execute.", + "type": "string", "required": true, "one_of": [ "text-embedding-3-large", "text-embedding-3-small", "mistral-embed" - ], - "description": "Model name to execute.", - "type": "string" + ] } }, { "options": { - "required": false, + "description": "Key/value settings for the model", "type": "record", + "required": false, "fields": [ { "upstream_url": { - "required": false, "description": "upstream url for the embeddings", - "type": "string" + "type": "string", + "required": false } } - ], - "description": "Key/value settings for the model" + ] } } ], + "required": true, "type": "record" } } ], + "required": true, "type": "record" } }, { "vectordb": { - "required": true, "fields": [ { "strategy": { + "description": "which vector database driver to use", + "type": "string", "required": true, "one_of": [ "redis" - ], - "description": "which vector database driver 
to use", - "type": "string" + ] } }, { "dimensions": { - "required": true, "description": "the desired dimensionality for the vectors", - "type": "integer" + "type": "integer", + "required": true } }, { "threshold": { - "required": true, "description": "the default similarity threshold for accepting semantic search results (float)", - "type": "number" + "type": "number", + "required": true } }, { "distance_metric": { + "description": "the distance metric to use for vector searches", + "type": "string", "required": true, "one_of": [ "cosine", "euclidean" - ], - "description": "the distance metric to use for vector searches", - "type": "string" + ] } }, { "redis": { - "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "connection_is_proxied" - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": 
"record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "username": { - "referenceable": true, "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "sentinel_username": { - "referenceable": true, "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "type": "integer", + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer" + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. 
If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { 
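Review bot: `vectordb.threshold` and `vectordb.dimensions` are both `required` but carry no bound, unlike `cache_ttl` (`"gt": 0`) and `message_countback` (`between`) in the same hunk. The `threshold` description also does not say whether a larger value is stricter or looser, which presumably depends on whether `distance_metric` is `cosine` or `euclidean`; a mis-set value would let the cache accept matches for dissimilar prompts. Consider adding `"gt": 0` to `dimensions`, and a valid range plus the direction of comparison per metric to the `threshold` description. The `redis` record continues past the end of this hunk.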
@@ -533,169 +430,303 @@ }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "len_min": 1 } }, { "ssl": { - "required": false, - "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } }, { "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", "required": false, - "default": 5, "type": "integer", - "description": "Maximum retry attempts for redirection." 
+ "default": 5 } }, { "connection_is_proxied": { - "required": false, - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] } } ], + "type": "record", "shorthand_fields": [ { "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + 
"connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true } } ], + "required": true, "type": "record" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/ai-semantic-prompt-guard/3.8.x.json b/schemas/ai-semantic-prompt-guard/3.8.x.json index 644c2f6b..fe2daeed 100644 --- a/schemas/ai-semantic-prompt-guard/3.8.x.json +++ b/schemas/ai-semantic-prompt-guard/3.8.x.json @@ -1,15 +1,8 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.rules.allow_prompts", - "config.rules.deny_prompts" - ] - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -26,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
@@ -35,434 +27,334 @@ "fields": [ { "embeddings": { - "required": true, "fields": [ { "auth": { - "required": false, "fields": [ { "header_name": { - "required": false, - "referenceable": true, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." + "referenceable": true } }, { "param_name": { - "required": false, - "referenceable": true, "description": "If AI model requires authentication via query parameter, specify its name here.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "param_value": { + "description": "Specify the full parameter value for 'param_name'.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Specify the full parameter value for 'param_name'." 
+ "referenceable": true } }, { "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "required": false, "one_of": [ "query", "body" - ], - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", - "type": "string" + ] } }, { "azure_use_managed_identity": { - "required": false, - "default": false, "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } }, { "azure_client_id": { - "required": false, - "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." 
+ "referenceable": true } }, { "azure_tenant_id": { - "required": false, - "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "gcp_use_service_account": { - "required": false, - "default": false, "description": "Use service account auth for GCP-based providers and models.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } }, { "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`." + "referenceable": true } }, { "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance." + "referenceable": true } }, { "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance." + "referenceable": true } }, { "allow_override": { - "required": false, - "default": false, "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } } ], + "required": false, "type": "record" } }, { "model": { - "required": true, "fields": [ { "provider": { + "description": "AI provider format to use for embeddings API", + "type": "string", "required": true, "one_of": [ "openai", "mistral" - ], - "description": "AI provider format to use for embeddings API", - "type": "string" + ] } }, { "name": { + "description": "Model name to execute.", + "type": "string", "required": true, "one_of": [ "text-embedding-3-large", "text-embedding-3-small", "mistral-embed" - ], - "description": "Model name to execute.", - "type": "string" + ] } }, { "options": { - "required": false, + "description": "Key/value settings for the model", "type": "record", + "required": false, "fields": [ { "upstream_url": { - "required": false, "description": "upstream url for the embeddings", - "type": "string" + "type": "string", + "required": false } } - ], - "description": "Key/value settings for the model" + ] } } ], + "required": true, "type": "record" } } ], + "required": true, "type": "record" } }, { "vectordb": { - "required": true, "fields": [ { "strategy": { + "description": "which vector database driver to use", + "type": "string", "required": true, "one_of": [ "redis" - ], - "description": "which vector database driver 
to use", - "type": "string" + ] } }, { "dimensions": { - "required": true, "description": "the desired dimensionality for the vectors", - "type": "integer" + "type": "integer", + "required": true } }, { "threshold": { - "required": true, "description": "the default similarity threshold for accepting semantic search results (float)", - "type": "number" + "type": "number", + "required": true } }, { "distance_metric": { + "description": "the distance metric to use for vector searches", + "type": "string", "required": true, "one_of": [ "cosine", "euclidean" - ], - "description": "the distance metric to use for vector searches", - "type": "string" + ] } }, { "redis": { - "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "connection_is_proxied" - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": 
"record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "username": { - "referenceable": true, "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "sentinel_username": { - "referenceable": true, "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "type": "integer", + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer" + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. 
If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { 
@@ -473,243 +365,382 @@ }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "len_min": 1 } }, { "ssl": { - "required": false, - "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } }, { "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", "required": false, - "default": 5, "type": "integer", - "description": "Maximum retry attempts for redirection." 
+ "default": 5 } }, { "connection_is_proxied": { - "required": false, - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } } ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", "shorthand_fields": [ { "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + 
"connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true } } ], + "required": true, "type": "record" } }, { "search": { - "required": false, "fields": [ { "threshold": { - "required": false, - "default": 0.5, + "description": "Threshold for the similarity score to be considered a match.", "type": "number", - "description": "Threshold for the similarity score to be considered a match." + "required": false, + "default": 0.5 } } ], + "required": false, "type": "record" } }, { "rules": { - "required": true, "fields": [ { "match_all_conversation_history": { - "required": false, - "default": false, + "description": "If false, will ignore all previous chat prompts from the conversation history.", "type": "boolean", - "description": "If false, will ignore all previous chat prompts from the conversation history." 
+ "required": false, + "default": false } }, { "allow_prompts": { + "description": "List of prompts to allow.", "required": false, + "len_max": 100, "elements": { - "len_max": 500, "type": "string", + "len_max": 500, "len_min": 1 }, - "type": "array", - "len_max": 100, - "description": "List of prompts to allow." + "type": "array" } }, { "deny_prompts": { + "description": "List of prompts to deny.", "required": false, + "len_max": 100, "elements": { - "len_max": 500, "type": "string", + "len_max": 500, "len_min": 1 }, - "type": "array", - "len_max": 100, - "description": "List of prompts to deny." + "type": "array" } }, { "max_request_body_size": { - "gt": 0, - "default": 8192, + "description": "max allowed body size allowed to be introspected", "type": "integer", - "description": "max allowed body size allowed to be introspected" + "gt": 0, + "default": 8192 } }, { "match_all_roles": { - "required": true, - "default": false, "description": "If true, will match all roles in addition to 'user' role in conversation history.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": false } } ], + "required": true, "type": "record" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.rules.allow_prompts", + "config.rules.deny_prompts" + ] + } ] } \ No newline at end of file diff --git a/schemas/app-dynamics/3.8.x.json b/schemas/app-dynamics/3.8.x.json index 8a2ed0f1..63233636 100644 --- a/schemas/app-dynamics/3.8.x.json +++ b/schemas/app-dynamics/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
@@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -38,9 +35,12 @@ "fields": [ ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/aws-lambda/3.8.x.json b/schemas/aws-lambda/3.8.x.json index 85411178..94f57420 100644 --- a/schemas/aws-lambda/3.8.x.json +++ b/schemas/aws-lambda/3.8.x.json @@ -1,22 +1,8 @@ { - "entity_checks": [ - { - "mutually_required": [ - "config.aws_key", - "config.aws_secret" - ] - }, - { - "custom_entity_check": { - "field_sources": [ - "config.proxy_url" - ] - } - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -33,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -50,223 +35,238 @@ "fields": [ { "timeout": { + "description": "An optional timeout in milliseconds when invoking the function.", "required": true, - "default": 60000, "type": "number", - "description": "An optional timeout in milliseconds when invoking the function." + "default": 60000 } }, { "keepalive": { + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", "required": true, - "default": 60000, "type": "number", - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." + "default": 60000 } }, { "aws_key": { "description": "The AWS key credential to be used when invoking the function.", - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "aws_secret": { "description": "The AWS secret credential to be used when invoking the function. ", - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "aws_assume_role_arn": { + "description": "The target AWS IAM role ARN used to invoke the Lambda function.", "type": "string", - "referenceable": true, "encrypted": true, - "description": "The target AWS IAM role ARN used to invoke the Lambda function." + "referenceable": true } }, { "aws_role_session_name": { - "default": "kong", + "description": "The identifier of the assumed role session.", "type": "string", - "description": "The identifier of the assumed role session." + "default": "kong" } }, { "aws_sts_endpoint_url": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "aws_region": { - "type": "string", - "description": "A string representing a host name, such as example.com." 
+ "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "function_name": { + "description": "The AWS Lambda function to invoke. Both function name and function ARN (including partial) are supported.", "required": false, - "type": "string", - "description": "The AWS Lambda function to invoke. Both function name and function ARN (including partial) are supported." + "type": "string" } }, { "qualifier": { - "type": "string", - "description": "The qualifier to use when invoking the function." + "description": "The qualifier to use when invoking the function.", + "type": "string" } }, { "invocation_type": { + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", "required": true, - "type": "string", - "default": "RequestResponse", "one_of": [ "RequestResponse", "Event", "DryRun" ], - "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun." + "type": "string", + "default": "RequestResponse" } }, { "log_type": { + "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", "required": true, - "type": "string", - "default": "Tail", "one_of": [ "Tail", "None" ], - "description": "The LogType to use when invoking the function. By default, None and Tail are supported." + "type": "string", + "default": "Tail" } }, { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." 
+ "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 443, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 443 } }, { "disable_https": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "unhandled_status": { + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", + "type": "integer", "between": [ 100, 999 - ], - "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", - "type": "integer" + ] } }, { "forward_request_method": { - "default": false, + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", "type": "boolean", - "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request." + "default": false } }, { "forward_request_uri": { - "default": false, + "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", "type": "boolean", - "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request." 
+ "default": false } }, { "forward_request_headers": { - "default": false, + "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", "type": "boolean", - "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request." + "default": false } }, { "forward_request_body": { - "default": false, + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. ", "type": "boolean", - "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. " + "default": false } }, { "is_proxy_integration": { - "default": false, + "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", "type": "boolean", - "description": "An optional value that defines whether the response format to receive from the Lambda to this format." + "default": false } }, { "awsgateway_compatible": { - "default": false, + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", "type": "boolean", - "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway." + "default": false } }, { "proxy_url": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "skip_large_bodies": { - "default": true, + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", "type": "boolean", - "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk" + "default": true } }, { "base64_encode_body": { - "default": true, + "description": "An optional value that Base64-encodes the request body.", "type": "boolean", - "description": "An optional value that Base64-encodes the request body." + "default": true } }, { "aws_imds_protocol_version": { + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", "required": true, - "type": "string", - "default": "v1", "one_of": [ "v1", "v2" ], - "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`." + "type": "string", + "default": "v1" } }, { "empty_arrays_mode": { + "description": "An optional value that defines whether Kong should send empty arrays (returned by Lambda function) as `[]` arrays or `{}` objects in JSON responses. The value `legacy` means Kong will send empty arrays as `{}` objects in response", "required": true, - "type": "string", - "default": "legacy", "one_of": [ "legacy", "correct" ], - "description": "An optional value that defines whether Kong should send empty arrays (returned by Lambda function) as `[]` arrays or `{}` objects in JSON responses. The value `legacy` means Kong will send empty arrays as `{}` objects in response" + "type": "string", + "default": "legacy" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "config.aws_key", + "config.aws_secret" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "config.proxy_url" + ] } } ] 
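Review bot: `disable_https` is the only field in this `config` hunk that has no `description` on the new side, and judging by its name it is the switch that drops TLS on the invocation request. A line such as `"description": "If true, the plugin connects to the Lambda endpoint over plain HTTP instead of HTTPS; leave false outside of local testing."` would bring it in line with its neighbours, once the wording is confirmed against the plugin's behaviour. In the same hunk `aws_imds_protocol_version` keeps `"default": "v1"`; its description could note that `v2` is the session-token form of the instance metadata service and the safer choice where the host supports it. Because these files are pulled from the API, both texts probably have to be fixed in the upstream schema and re-downloaded rather than edited here.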
diff --git a/schemas/azure-functions/3.8.x.json b/schemas/azure-functions/3.8.x.json index a82affc2..5299c53a 100644 --- a/schemas/azure-functions/3.8.x.json +++ b/schemas/azure-functions/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -45,81 +42,84 @@ "fields": [ { "timeout": { - "default": 600000, "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", - "type": "number" + "type": "number", + "default": 600000 } }, { "keepalive": { - "default": 60000, "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", - "type": "number" + "type": "number", + "default": 60000 } }, { "https": { - "default": true, "description": "Use of HTTPS to connect with the Azure Functions server.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "https_verify": { - "default": false, "description": "Set to `true` to authenticate the Azure Functions server.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "apikey": { "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "clientid": { "description": "The `clientid` to access the Azure resources. 
If provided, it is injected as the `x-functions-clientid` header.", - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "appname": { - "required": true, "description": "The Azure app name.", - "type": "string" + "type": "string", + "required": true } }, { "hostdomain": { - "required": true, - "default": "azurewebsites.net", "description": "The domain where the function resides.", - "type": "string" + "type": "string", + "required": true, + "default": "azurewebsites.net" } }, { "routeprefix": { - "default": "api", "description": "Route prefix to use.", - "type": "string" + "type": "string", + "default": "api" } }, { "functionname": { - "required": true, "description": "Name of the Azure function to invoke.", - "type": "string" + "type": "string", + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/basic-auth/3.8.x.json b/schemas/basic-auth/3.8.x.json index 007ea436..fb634743 100644 --- a/schemas/basic-auth/3.8.x.json +++ b/schemas/basic-auth/3.8.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", @@ -22,6 +18,8 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ @@ -32,15 +30,14 @@ "ws", "wss" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
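Review bot: In the azure-functions `config` hunk, `https_verify` has `"default": false` while its description only says that setting it to `true` authenticates the Azure Functions server, so a reader is not told that the default leaves the server unauthenticated. The same record injects `apikey` and `clientid` as the `x-functions-key` and `x-functions-clientid` headers, which makes that default worth spelling out. I would extend the description to something like `"description": "Verify the Azure Functions server certificate. With the default false the TLS peer is not authenticated."`. As the schema is downloaded from the API, the wording change likely belongs upstream.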
@@ -55,24 +52,27 @@ }, { "hide_credentials": { + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", "required": true, - "default": false, "type": "boolean", - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it." + "default": false } }, { "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "required": true, - "default": "service", "type": "string", - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value." + "default": "service" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/bot-detection/3.8.x.json b/schemas/bot-detection/3.8.x.json index 7eb652d0..3f7aa01d 100644 --- a/schemas/bot-detection/3.8.x.json +++ b/schemas/bot-detection/3.8.x.json @@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -29,15 +27,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -46,34 +43,37 @@ "fields": [ { "allow": { + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", "type": "array", - "default": [ - - ], "elements": { "type": "string", "is_regex": true }, - "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header." + "default": [ + + ] } }, { "deny": { + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", "type": "array", - "default": [ - - ], "elements": { "type": "string", "is_regex": true }, - "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header." + "default": [ + + ] } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/canary/3.8.x.json b/schemas/canary/3.8.x.json index 22a12eec..11ed4236 100644 --- a/schemas/canary/3.8.x.json +++ b/schemas/canary/3.8.x.json 
@@ -1,56 +1,24 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.upstream_uri", - "config.upstream_host", - "config.upstream_port" - ] - }, - { - "conditional": { - "then_field": "config.hash_header", - "if_match": { - "eq": "header" - }, - "then_match": { - "required": true - }, - "if_field": "config.hash" - } - }, - { - "conditional": { - "then_field": "config.upstream_host", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "config.upstream_fallback" - } - } - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
@@ -67,23 +35,22 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { - "required": true, "fields": [ { "start": { - "type": "number", - "description": "Future time in seconds since epoch, when the canary release will start. Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`." + "description": "Future time in seconds since epoch, when the canary release will start. Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`.", + "type": "number" } }, { "hash": { "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", + "type": "string", "default": "consumer", "one_of": [ "consumer", 
@@ -92,98 +59,131 @@ "allow", "deny", "header" - ], - "type": "string" + ] } }, { "hash_header": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } }, { "duration": { - "gt": 0, - "default": 3600, "description": "The duration of the canary release in seconds.", - "type": "number" + "type": "number", + "gt": 0, + "default": 3600 } }, { "steps": { - "gt": 1, - "default": 1000, "description": "The number of steps for the canary release.", - "type": "number" + "type": "number", + "gt": 1, + "default": 1000 } }, { "percentage": { + "description": "The percentage of traffic to be routed to the canary release.", + "type": "number", "between": [ 0, 100 - ], - "type": "number", - "description": "The percentage of traffic to be routed to the canary release." + ] } }, { "upstream_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "upstream_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "upstream_uri": { + "description": "The URI of the upstream server to be used for the canary release.", "len_min": 1, - "type": "string", - "description": "The URI of the upstream server to be used for the canary release." 
+ "type": "string" } }, { "upstream_fallback": { - "required": true, - "default": false, "description": "Specifies whether to fallback to the upstream server if the canary release fails.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": false } }, { "groups": { + "description": "The groups allowed to access the canary release.", "type": "array", "elements": { "type": "string" - }, - "description": "The groups allowed to access the canary release." + } } }, { "canary_by_header_name": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } } ], + "required": true, + "type": "record", "shorthand_fields": [ { "hash": { - "type": "string", - "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead." + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead.", + "type": "string" } } - ], - "type": "record" + ] + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.upstream_uri", + "config.upstream_host", + "config.upstream_port" + ] + }, + { + "conditional": { + "if_field": "config.hash", + "if_match": { + "eq": "header" + }, + "then_field": "config.hash_header", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.upstream_fallback", + "if_match": { + "eq": true + }, + "then_field": "config.upstream_host", + "then_match": { + "required": true + } } } ] diff --git a/schemas/confluent/3.8.x.json b/schemas/confluent/3.8.x.json index 280db66d..7a953883 100644 --- a/schemas/confluent/3.8.x.json +++ b/schemas/confluent/3.8.x.json 
@@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -39,19 +36,20 @@ { "bootstrap_servers": { "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set", "elements": { "fields": [ { "host": { - "required": true, "description": "A string representing a host name, such as example.com.", + "required": true, "type": "string" } }, { "port": { - "required": true, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, "between": [ 0, 65535 @@ -61,29 +59,28 @@ } ], "type": "record" - }, - "type": "set" + } } }, { "topic": { - "required": true, + "description": "The Kafka topic to publish to.", "type": "string", - "description": "The Kafka topic to publish to." + "required": true } }, { "timeout": { - "default": 10000, + "description": "Socket timeout in milliseconds.", "type": "integer", - "description": "Socket timeout in milliseconds." + "default": 10000 } }, { "keepalive": { - "default": 60000, + "description": "Keepalive timeout in milliseconds.", "type": "integer", - "description": "Keepalive timeout in milliseconds." + "default": 60000 } }, { 
@@ -94,146 +91,146 @@ }, { "cluster_api_key": { + "description": "Username/Apikey for SASL authentication.", "required": true, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Username/Apikey for SASL authentication." + "referenceable": true, + "encrypted": true } }, { "cluster_api_secret": { + "description": "Password/ApiSecret for SASL authentication.", "required": true, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Password/ApiSecret for SASL authentication." + "referenceable": true, + "encrypted": true } }, { "confluent_cloud_api_key": { + "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc." + "referenceable": true, + "encrypted": true } }, { "confluent_cloud_api_secret": { + "description": "The corresponding secret for the Confluent Cloud API key.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "The corresponding secret for the Confluent Cloud API key." + "referenceable": true, + "encrypted": true } }, { "forward_method": { - "default": false, + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "type": "boolean", - "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "default": false } }, { "forward_uri": { - "default": false, + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "type": "boolean", - "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "default": false } }, { "forward_headers": { - "default": false, + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "type": "boolean", - "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "default": false } }, { "forward_body": { - "default": true, + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "type": "boolean", - "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "default": true } }, { "cluster_name": { - "required": false, - "type": "string", "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", - "auto": true + "type": "string", + "auto": true, + "required": false } }, { "producer_request_acks": { + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "type": "integer", "default": 1, "one_of": [ -1, 0, 1 - ], - "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set)." + ] } }, { "producer_request_timeout": { - "default": 2000, + "description": "Time to wait for a Produce response in milliseconds.", "type": "integer", - "description": "Time to wait for a Produce response in milliseconds." + "default": 2000 } }, { "producer_request_limits_messages_per_request": { - "default": 200, + "description": "Maximum number of messages to include into a single producer request.", "type": "integer", - "description": "Maximum number of messages to include into a single producer request." + "default": 200 } }, { "producer_request_limits_bytes_per_request": { - "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", "type": "integer", - "description": "Maximum size of a Produce request in bytes." + "default": 1048576 } }, { "producer_request_retries_max_attempts": { - "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", "type": "integer", - "description": "Maximum number of retry attempts per single Produce request." + "default": 10 } }, { "producer_request_retries_backoff_timeout": { - "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", "type": "integer", - "description": "Backoff interval between retry attempts in milliseconds." + "default": 100 } }, { "producer_async": { - "default": true, + "description": "Flag to enable asynchronous mode.", "type": "boolean", - "description": "Flag to enable asynchronous mode." 
+ "default": true } }, { "producer_async_flush_timeout": { - "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", "type": "integer", - "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode." + "default": 1000 } }, { "producer_async_buffering_limits_messages_in_memory": { - "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", "type": "integer", - "description": "Maximum number of messages that can be buffered in memory in asynchronous mode." + "default": 50000 } } ], - "required": true, + "type": "record", "entity_checks": [ { "custom_entity_check": { @@ -246,8 +243,11 @@ } } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/correlation-id/3.8.x.json b/schemas/correlation-id/3.8.x.json index 47df16c0..47945b3e 100644 --- a/schemas/correlation-id/3.8.x.json +++ b/schemas/correlation-id/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -38,36 +35,39 @@ "fields": [ { "header_name": { - "default": "Kong-Request-ID", + "description": "The HTTP header name to use for the correlation ID.", "type": "string", - "description": "The HTTP header name to use for the correlation ID." + "default": "Kong-Request-ID" } }, { "generator": { + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", "required": true, - "type": "string", - "default": "uuid#counter", "one_of": [ "uuid", "uuid#counter", "tracker" ], - "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators)." + "type": "string", + "default": "uuid#counter" } }, { "echo_downstream": { + "description": "Whether to echo the header back to downstream (the client).", "required": true, - "default": false, "type": "boolean", - "description": "Whether to echo the header back to downstream (the client)." + "default": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/cors/3.8.x.json b/schemas/cors/3.8.x.json index b0a4bf78..85e723f0 100644 --- a/schemas/cors/3.8.x.json +++ b/schemas/cors/3.8.x.json @@ -1,29 +1,27 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { + "len_min": 1, + "type": "string", "required": true, "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string", - "len_min": 1 + ] }, "type": "set", "default": [ 
@@ -31,15 +29,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -49,33 +46,34 @@ { "origins": { "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { "description": "Value for the `Access-Control-Allow-Headers` header.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "exposed_headers": { "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "methods": { "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", + "type": "array", "default": [ "GET", "HEAD", 
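Review bot: The `origins` description in the second hunk on this line tells readers to add `*` to allow every origin and that values may be PCRE regexes, but gives no caveat for either. I would append `Do not combine * with config.credentials set to true; list explicit origins instead, and anchor regexes and escape literal dots.` to the description. How the plugin answers a wildcard origin when `credentials` is enabled is not visible in the schema, so that wording should be confirmed against the handler. The file is pulled from the API, so the text has to change in the plugin schema upstream; the `config` record continues past this hunk.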
@@ -100,44 +98,46 @@ "TRACE", "CONNECT" ] - }, - "type": "array" + } } }, { "max_age": { - "type": "number", - "description": "Indicates how long the results of the preflight request can be cached, in `seconds`." + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`.", + "type": "number" } }, { "credentials": { - "required": true, - "default": false, "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": false } }, { "private_network": { - "required": true, - "default": false, "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": false } }, { "preflight_continue": { - "required": true, - "default": false, "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/datadog/3.8.x.json b/schemas/datadog/3.8.x.json index d464b6cb..9c8a1c3c 100644 --- a/schemas/datadog/3.8.x.json +++ b/schemas/datadog/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ 
@@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -46,81 +43,81 @@ { "host": { "description": "A string representing a host name, such as example.com.", + "type": "string", "referenceable": true, - "default": "localhost", - "type": "string" + "default": "localhost" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 8125, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 8125 } }, { "prefix": { - "default": "kong", "description": "String to be attached as a prefix to a metric's name.", - "type": "string" + "type": "string", + "default": "kong" } }, { "service_name_tag": { - "default": "name", "description": "String to be attached as the name of the service.", - "type": "string" + "type": "string", + "default": "name" } }, { "status_tag": { - "default": "status", "description": "String to be attached as the tag of the HTTP status.", - "type": "string" + "type": "string", + "default": "status" } }, { "consumer_tag": { - "default": "consumer", "description": "String to be attached as tag of the consumer.", - "type": "string" + "type": "string", + "default": "consumer" } }, { "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer", "deprecation": { + "old_default": 10, "message": "datadog: config.retry_count no longer works, please use config.queue.max_retry_time instead", - "removal_in_version": "4.0", - "old_default": 10 - }, - "type": "integer", - "description": "Number of times to retry when sending data to the upstream server." 
+ "removal_in_version": "4.0" + } } }, { "queue_size": { + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer", "deprecation": { + "old_default": 1, "message": "datadog: config.queue_size is deprecated, please use config.queue.max_batch_size instead", - "removal_in_version": "4.0", - "old_default": 1 - }, - "type": "integer", - "description": "Maximum number of log entries to be sent on each message to the upstream server." + "removal_in_version": "4.0" + } } }, { "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number", "deprecation": { + "old_default": 2, "message": "datadog: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", - "removal_in_version": "4.0", - "old_default": 2 - }, - "type": "number", - "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records." + "removal_in_version": "4.0" + } } }, { 
@@ -128,96 +125,99 @@ "fields": [ { "max_batch_size": { + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time." + "default": 1 } }, { "max_coalescing_delay": { + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", "between": [ 0, 3600 ], - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + "default": 1 } }, { "max_entries": { + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue." + "default": 10000 } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { - "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "default": 60 } }, { "initial_retry_delay": { + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch." 
+ "default": 0.01 } }, { "max_retry_delay": { + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff." + "default": 60 } }, { "concurrency_limit": { + "description": "The number of of queue delivery timers. -1 indicates unlimited.", "type": "integer", "default": 1, "one_of": [ -1, 1 - ], - "description": "The number of of queue delivery timers. -1 indicates unlimited." + ] } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "metrics": { + "description": "List of metrics to be logged.", "required": true, "elements": { "fields": [ { "name": { + "description": "Datadog metric’s name", "required": true, + "type": "string", "one_of": [ "kong_latency", "latency", @@ -225,14 +225,14 @@ "request_size", "response_size", "upstream_latency" - ], - "description": "Datadog metric’s name", - "type": "string" + ] } }, { "stat_type": { + "description": "Determines what sort of event the metric represents", "required": true, + "type": "string", "one_of": [ "counter", "gauge", 
@@ -241,121 +241,121 @@ "set", "timer", "distribution" - ], - "description": "Determines what sort of event the metric represents", - "type": "string" + ] } }, { "tags": { + "description": "List of tags", "type": "array", "elements": { - "match": "^.*[^:]$", - "type": "string" - }, - "description": "List of tags" + "type": "string", + "match": "^.*[^:]$" + } } }, { "sample_rate": { + "description": "Sampling rate", + "type": "number", "between": [ 0, 1 - ], - "type": "number", - "description": "Sampling rate" + ] } }, { "consumer_identifier": { + "description": "Authenticated user detail", + "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ], - "type": "string", - "description": "Authenticated user detail" + ] } } ], + "type": "record", "entity_checks": [ { "conditional": { - "then_field": "sample_rate", + "if_field": "stat_type", "if_match": { "one_of": [ "counter", "gauge" ] }, + "then_field": "sample_rate", "then_match": { "required": true - }, - "if_field": "stat_type" + } } } - ], - "type": "record" + ] }, "type": "array", "default": [ { - "sample_rate": 1, "stat_type": "counter", "name": "request_count", "consumer_identifier": "custom_id", + "sample_rate": 1, "tags": [ "app:kong" ] }, { - "consumer_identifier": "custom_id", "stat_type": "timer", "tags": [ "app:kong" ], + "consumer_identifier": "custom_id", "name": "latency" }, { - "consumer_identifier": "custom_id", "stat_type": "timer", "tags": [ "app:kong" ], + "consumer_identifier": "custom_id", "name": "request_size" }, { - "consumer_identifier": "custom_id", "stat_type": "timer", "tags": [ "app:kong" ], + "consumer_identifier": "custom_id", "name": "response_size" }, { - "consumer_identifier": "custom_id", "stat_type": "timer", "tags": [ "app:kong" ], + "consumer_identifier": "custom_id", "name": "upstream_latency" }, { - "consumer_identifier": "custom_id", "stat_type": "timer", "tags": [ "app:kong" ], + "consumer_identifier": "custom_id", "name": "kong_latency" } - ], - 
"description": "List of metrics to be logged." + ] } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/degraphql/3.8.x.json b/schemas/degraphql/3.8.x.json index 8748c73e..80461c1c 100644 --- a/schemas/degraphql/3.8.x.json +++ b/schemas/degraphql/3.8.x.json @@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -29,15 +27,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -46,23 +43,26 @@ "fields": [ { "graphql_server_path": { - "required": true, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "type": "string", + "required": true, "starts_with": "/", - "default": "/graphql", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "default": "/graphql" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
diff --git a/schemas/exit-transformer/3.8.x.json b/schemas/exit-transformer/3.8.x.json index 2d523008..9ba8d46d 100644 --- a/schemas/exit-transformer/3.8.x.json +++ b/schemas/exit-transformer/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -39,30 +36,33 @@ { "functions": { "required": true, + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "handle_unknown": { - "default": false, "description": "Determines whether to handle unknown status codes by transforming their responses.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "handle_unexpected": { - "default": false, "description": "Determines whether to handle unexpected errors by transforming their responses.", - "type": "boolean" + "type": "boolean", + "default": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/file-log/3.8.x.json b/schemas/file-log/3.8.x.json index 0bd1604b..8c59160b 100644 --- a/schemas/file-log/3.8.x.json +++ b/schemas/file-log/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
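Review bot: `functions` in the exit-transformer `config` record (hunk `@@ -39,30 +36,33 @@`) is the only field there without a `description`, although it is required and its siblings `handle_unknown` and `handle_unexpected` are documented. As far as I know these strings are Lua functions the gateway runs to rewrite exit responses, so the description should say that and who may set them, for example `"description": "Lua functions, given as strings, that transform Kong exit responses. They execute inside the gateway; restrict configuration to trusted administrators."`. Because the schema is downloaded from the API, the description needs to be added in the plugin source upstream.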
@@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -45,19 +42,19 @@ "fields": [ { "path": { - "required": true, + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", + "err": "not a valid filename", "match": "^[^*&%%\\`]+$", "type": "string", - "err": "not a valid filename", - "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet." + "required": true } }, { "reopen": { + "description": "Determines whether the log file is closed and reopened on every request.", "required": true, - "default": false, "type": "boolean", - "description": "Determines whether the log file is closed and reopened on every request." + "default": false } }, { @@ -66,18 +63,21 @@ "type": "string", "len_min": 1 }, - "description": "Lua code as a key-value map", + "type": "map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, - "type": "map" + "description": "Lua code as a key-value map" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/forward-proxy/3.8.x.json b/schemas/forward-proxy/3.8.x.json index a606ccd7..236f0a94 100644 --- a/schemas/forward-proxy/3.8.x.json +++ b/schemas/forward-proxy/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
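Review bot: The file-log `path` field (hunk `@@ -45,19 +42,19 @@`) is validated only by a `match` pattern that excludes a handful of characters, and its description does not say that the value is a filesystem location the gateway itself creates and writes. I would add `The file is created and written by the Kong worker process; use a dedicated log directory and limit who can configure this plugin.` to the description. Whether the plugin applies further path checks is not visible in the schema, so that should be confirmed before the wording is final.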
@@ -21,130 +19,128 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "entity_checks": [ - { - "at_least_one_of": [ - "http_proxy_host", - "https_proxy_host" - ] - }, - { - "at_least_one_of": [ - "http_proxy_port", - "https_proxy_port" - ] - }, - { - "mutually_required": [ - "http_proxy_host", - "http_proxy_port" - ] - }, - { - "mutually_required": [ - "https_proxy_host", - "https_proxy_port" - ] - } - ], - "type": "record", "fields": [ { "x_headers": { + "description": "Determines how to handle headers when forwarding the request.", "required": true, - "type": "string", - "default": "append", "one_of": [ "append", "transparent", "delete" ], - "description": "Determines how to handle headers when forwarding the request." + "type": "string", + "default": "append" } }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." 
+ "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "proxy_scheme": { + "description": "The proxy scheme to use when connecting. Only `http` is supported.", "required": true, - "type": "string", - "default": "http", "one_of": [ "http" ], - "description": "The proxy scheme to use when connecting. Only `http` is supported." + "type": "string", + "default": "http" } }, { "auth_username": { - "required": false, - "referenceable": true, "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "auth_password": { - "required": false, - "referenceable": true, "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "https_verify": { - "required": true, - "default": false, "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": false } } ], + "entity_checks": [ + { + "at_least_one_of": [ + "http_proxy_host", + "https_proxy_host" + ] + }, + { + "at_least_one_of": [ + "http_proxy_port", + "https_proxy_port" + ] + }, + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], + "type": "record", "shorthand_fields": [ { "proxy_host": { 
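Review bot: `auth_password` in the forward-proxy `config` record is declared with `"referenceable": true` but without `"encrypted": true`, whereas the Redis `password` field in schemas/graphql-proxy-cache-advanced/3.8.x.json later in this patch carries both. If that flag is what turns on at-rest encryption of the stored value, the proxy password is kept in plaintext unless a vault reference is used. The upstream schema should gain `"encrypted": true`, and until then the description could end with `Prefer a vault reference for this value.`. The `config` record continues after this hunk with `shorthand_fields`.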
@@ -164,8 +160,12 @@ "type": "integer" } } - ] + ], + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/graphql-proxy-cache-advanced/3.8.x.json b/schemas/graphql-proxy-cache-advanced/3.8.x.json index d165e82c..641b0e27 100644 --- a/schemas/graphql-proxy-cache-advanced/3.8.x.json +++ b/schemas/graphql-proxy-cache-advanced/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -38,22 +35,22 @@ "fields": [ { "strategy": { + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", "required": true, - "type": "string", - "default": "memory", "one_of": [ "memory", "redis" ], - "description": "The backing data store in which to hold cached entities. Accepted value is `memory`." + "type": "string", + "default": "memory" } }, { "cache_ttl": { - "gt": 0, - "default": 300, "description": "TTL in seconds of cache entities. Must be a value greater than 0.", - "type": "integer" + "type": "integer", + "gt": 0, + "default": 300 } }, { 
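Review bot: The `strategy` description in hunk `@@ -38,22 +35,22 @@` says "Accepted value is memory", but the `one_of` list directly below it allows both `memory` and `redis`. The sentence should read `Accepted values are memory and redis.` so the rendered documentation matches the validation rule. The `redis` record in the next hunk describes its fields as applying when the `redis` strategy is used, which confirms the second value is intended.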
@@ -61,224 +58,125 @@ "fields": [ { "dictionary_name": { - "required": true, - "default": "kong_db_cache", "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", - "type": "string" + "type": "string", + "required": true, + "default": "kong_db_cache" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "redis": { - "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "connection_is_proxied" - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." 
+ "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "username": { - "referenceable": true, "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "sentinel_username": { - "referenceable": true, "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "type": "integer", + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer" + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. 
If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { 
@@ -289,181 +187,314 @@ }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "len_min": 1 } }, { "ssl": { - "required": false, - "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } }, { "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", "required": false, - "default": 5, "type": "integer", - "description": "Maximum retry attempts for redirection." 
+ "default": 5 } }, { "connection_is_proxied": { - "required": false, - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } } ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", "shorthand_fields": [ { "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + 
"connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true } }, { "bypass_on_err": { - "default": false, "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "type": "array", "elements": { "type": "string" - }, - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/graphql-rate-limiting-advanced/3.8.x.json b/schemas/graphql-rate-limiting-advanced/3.8.x.json index bf90f6f7..6274df88 100644 --- a/schemas/graphql-rate-limiting-advanced/3.8.x.json +++ b/schemas/graphql-rate-limiting-advanced/3.8.x.json 
@@ -1,16 +1,8 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -27,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -44,324 +35,225 @@ "fields": [ { "identifier": { + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", "required": true, - "type": "string", - "default": "consumer", "one_of": [ "ip", "credential", "consumer" ], - "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`." + "type": "string", + "default": "consumer" } }, { "window_size": { - "required": true, + "description": "One or more window sizes to apply a limit to (defined in seconds).", "type": "array", + "required": true, "elements": { "type": "number" - }, - "description": "One or more window sizes to apply a limit to (defined in seconds)." + } } }, { "window_type": { + "description": "Sets the time window to either `sliding` or `fixed`.", "type": "string", "default": "sliding", "one_of": [ "fixed", "sliding" - ], - "description": "Sets the time window to either `sliding` or `fixed`." + ] } }, { "limit": { - "required": true, + "description": "One or more requests-per-window limits to apply.", "type": "array", + "required": true, "elements": { "type": "number" - }, - "description": "One or more requests-per-window limits to apply." + } } }, { "sync_rate": { - "required": true, + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.", "type": "number", - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds." + "required": true } }, { "namespace": { + "description": "The rate limiting namespace to use for this plugin instance. 
This namespace is used to share rate limiting counters across different instances. If it is not provided, a random UUID is generated. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", "type": "string", - "auto": true, - "description": "The rate limiting namespace to use for this plugin instance. This namespace is used to share rate limiting counters across different instances. If it is not provided, a random UUID is generated. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same." + "auto": true } }, { "strategy": { + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", "required": true, - "type": "string", - "default": "cluster", "one_of": [ "cluster", "redis" ], - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits." + "type": "string", + "default": "cluster" } }, { "dictionary_name": { - "required": true, - "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters will be stored until the next sync cycle.", "type": "string", - "description": "The shared dictionary where counters will be stored until the next sync cycle." + "required": true, + "default": "kong_rate_limiting_counters" } }, { "hide_client_headers": { - "default": false, + "description": "Optionally hide informative response headers. Available options: `true` or `false`.", "type": "boolean", - "description": "Optionally hide informative response headers. Available options: `true` or `false`." + "default": false } }, { "cost_strategy": { + "description": "Strategy to use to evaluate query costs. 
Either `default` or `node_quantifier`.", "type": "string", "default": "default", "one_of": [ "default", "node_quantifier" - ], - "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`." + ] } }, { "score_factor": { - "gt": 0, - "type": "number", - "default": 1, + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", "required": false, - "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0." + "type": "number", + "gt": 0, + "default": 1 } }, { "max_cost": { - "required": false, - "default": 0, + "description": "A defined maximum cost per query. 0 means unlimited.", "type": "number", - "description": "A defined maximum cost per query. 0 means unlimited." + "required": false, + "default": 0 } }, { "redis": { - "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "connection_is_proxied" - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - 
"cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "username": { - "referenceable": true, "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "sentinel_username": { - "referenceable": true, "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "type": "integer", + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low.", - "type": "integer" + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { 
@@ -372,164 +264,303 @@ }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "len_min": 1 } }, { "ssl": { - "required": false, - "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } }, { "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", "required": false, - "default": 5, "type": "integer", - "description": "Maximum retry attempts for redirection." 
+ "default": 5 } }, { "connection_is_proxied": { - "required": false, - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] } } ], + "type": "record", "shorthand_fields": [ { "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + 
"connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/grpc-gateway/3.8.x.json b/schemas/grpc-gateway/3.8.x.json index 03ba8d81..70622fdd 100644 --- a/schemas/grpc-gateway/3.8.x.json +++ b/schemas/grpc-gateway/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ 
@@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -45,15 +42,18 @@ "fields": [ { "proto": { - "required": false, + "description": "Describes the gRPC types and methods.", "type": "string", - "description": "Describes the gRPC types and methods." + "required": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/grpc-web/3.8.x.json b/schemas/grpc-web/3.8.x.json index 377e7a32..7c096f17 100644 --- a/schemas/grpc-web/3.8.x.json +++ b/schemas/grpc-web/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -45,30 +42,33 @@ "fields": [ { "proto": { - "required": false, "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", - "type": "string" + "type": "string", + "required": false } }, { "pass_stripped_path": { - "required": false, "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", - "type": "boolean" + "type": "boolean", + "required": false } }, { "allow_origin_header": { - "required": false, - "default": "*", "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", - "type": "string" + "type": "string", + "required": false, + "default": "*" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/header-cert-auth/3.8.x.json b/schemas/header-cert-auth/3.8.x.json index 80ece429..94570d80 100644 --- a/schemas/header-cert-auth/3.8.x.json +++ b/schemas/header-cert-auth/3.8.x.json @@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -29,15 +27,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -46,28 +43,28 @@ "fields": [ { "certificate_header_name": { + "description": "Name of the header that contains the certificate, received from the WAF or other L7 downstream proxy.", "required": true, - "type": "string", - "description": "Name of the header that contains the certificate, received from the WAF or other L7 downstream proxy." + "type": "string" } }, { "certificate_header_format": { + "description": "Format of the certificate header. Supported formats: `base64_encoded`, `url_encoded`.", "required": true, + "type": "string", "one_of": [ "base64_encoded", "url_encoded" - ], - "type": "string", - "description": "Format of the certificate header. Supported formats: `base64_encoded`, `url_encoded`." + ] } }, { "secure_source": { - "required": true, - "default": true, "description": "Whether to secure the source of the request. If set to `true`, the plugin will only allow requests from trusted IPs (configured by the `trusted_ips` config option).", - "type": "boolean" + "type": "boolean", + "required": true, + "default": true } }, { @@ -78,6 +75,7 @@ }, { "consumer_by": { + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", "required": false, "elements": { "type": "string", 
@@ -90,82 +88,81 @@ "default": [ "username", "custom_id" - ], - "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled." + ] } }, { "ca_certificates": { - "required": true, "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", + "type": "array", + "required": true, "elements": { - "uuid": true, - "type": "string" - }, - "type": "array" + "type": "string", + "uuid": true + } } }, { "cache_ttl": { - "required": true, - "default": 60, "description": "Cache expiry time in seconds.", - "type": "number" + "type": "number", + "required": true, + "default": 60 } }, { "skip_consumer_lookup": { - "required": true, - "default": false, "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": false } }, { "allow_partial_chain": { - "required": true, - "default": false, "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": false } }, { "authenticated_group_by": { + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. 
To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "required": false, - "type": "string", - "default": "CN", "one_of": [ "CN", "DN" ], - "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users." + "type": "string", + "default": "CN" } }, { "revocation_check_mode": { + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "required": false, - "type": "string", - "default": "IGNORE_CA_ERROR", "one_of": [ "SKIP", "IGNORE_CA_ERROR", "STRICT" ], - "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status." 
+ "type": "string", + "default": "IGNORE_CA_ERROR" } }, { "http_timeout": { - "default": 30000, "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", - "type": "number" + "type": "number", + "default": 30000 } }, { "cert_cache_ttl": { - "default": 60000, "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", - "type": "number" + "type": "number", + "default": 60000 } }, { @@ -176,38 +173,38 @@ }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } } ], - "required": true, + "type": "record", "entity_checks": [ { "mutually_required": [ @@ -222,8 +219,11 @@ ] } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/hmac-auth/3.8.x.json b/schemas/hmac-auth/3.8.x.json index 5fdc7d3a..b3b458c4 100644 --- a/schemas/hmac-auth/3.8.x.json +++ b/schemas/hmac-auth/3.8.x.json 
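Review bot: `revocation_check_mode` in the header-cert-auth hunk that starts at `@@ -90,82 +88,81 @@` defaults to `IGNORE_CA_ERROR`, which its own description says "doesn't fail on network issues"; read literally, a certificate whose OCSP or CRL status cannot be fetched is still treated as valid. The description should state that consequence directly, for example by appending `With the default, a revoked certificate can pass while the OCSP responder or CRL endpoint is unreachable; use STRICT where revocation must be enforced.` The `authenticated_group_by` description in the same hunk already warns that any client with a valid certificate gets access once `skip_consumer_lookup` is applied, so the revocation caveat belongs next to it.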
@@ -1,25 +1,15 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.algorithms" - ] - } - } - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", @@ -28,6 +18,8 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ @@ -38,15 +30,14 @@ "ws", "wss" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -55,55 +46,50 @@ "fields": [ { "hide_credentials": { + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", "required": true, - "default": false, "type": "boolean", - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service." + "default": false } }, { "clock_skew": { - "gt": 0, - "default": 300, + "description": "Clock skew in seconds to prevent replay attacks.", "type": "number", - "description": "Clock skew in seconds to prevent replay attacks." + "gt": 0, + "default": 300 } }, { "anonymous": { - "type": "string", - "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" } }, { "validate_request_body": { + "description": "A boolean value telling the plugin to enable body validation.", "required": true, - "default": false, "type": "boolean", - "description": "A boolean value telling the plugin to enable body validation." + "default": false } }, { "enforce_headers": { "description": "A list of headers that the client should at least use for HTTP signature creation.", - "default": [ - - ], + "type": "array", "elements": { "type": "string" }, - "type": "array" + "default": [ + + ] } }, { "algorithms": { "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", - "default": [ - "hmac-sha1", - "hmac-sha256", - "hmac-sha384", - "hmac-sha512" - ], + "type": "array", "elements": { "type": "string", "one_of": [ 
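Review bot: With the defaults in this hmac-auth hunk, `validate_request_body` is `false` and `enforce_headers` is an empty list, so as far as the schema shows nothing requires the request body or any particular header to be covered by the signature, and neither description says so. I would extend them, e.g. `A boolean value telling the plugin to enable body validation. Disabled by default, so the request body is not validated unless this is set.` The `clock_skew` text `Clock skew in seconds to prevent replay attacks.` would also read better if it named what is compared and noted that a larger value widens the window in which a captured request is still accepted; that behaviour is inferred from the wording, so confirm it against the plugin.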
@@ -113,19 +99,33 @@ "hmac-sha512" ] }, - "type": "array" + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ] } }, { "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "required": false, - "type": "string", - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value." + "type": "string" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.algorithms" + ] } } ] diff --git a/schemas/http-log/3.8.x.json b/schemas/http-log/3.8.x.json index f45f2232..9a8a64ff 100644 --- a/schemas/http-log/3.8.x.json +++ b/schemas/http-log/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -45,81 +42,81 @@ "fields": [ { "http_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": true, - "referenceable": true, "type": "string", "encrypted": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "referenceable": true } }, { "method": { + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", "type": "string", "default": "POST", "one_of": [ "POST", "PUT", "PATCH" - ], - "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`." + ] } }, { "content_type": { + "description": "Indicates the type of data sent. The only available option is `application/json`.", "type": "string", "default": "application/json", "one_of": [ "application/json", "application/json; charset=utf-8" - ], - "description": "Indicates the type of data sent. The only available option is `application/json`." + ] } }, { "timeout": { - "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", "type": "number", - "description": "An optional timeout in milliseconds when sending data to the upstream server." + "default": 10000 } }, { "keepalive": { - "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", "type": "number", - "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed." 
+ "default": 60000 } }, { "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer", "deprecation": { + "old_default": 10, "message": "http-log: config.retry_count no longer works, please use config.queue.max_retry_time instead", - "removal_in_version": "4.0", - "old_default": 10 - }, - "description": "Number of times to retry when sending data to the upstream server.", - "type": "integer" + "removal_in_version": "4.0" + } } }, { "queue_size": { + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer", "deprecation": { + "old_default": 1, "message": "http-log: config.queue_size is deprecated, please use config.queue.max_batch_size instead", - "removal_in_version": "4.0", - "old_default": 1 - }, - "description": "Maximum number of log entries to be sent on each message to the upstream server.", - "type": "integer" + "removal_in_version": "4.0" + } } }, { "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number", "deprecation": { + "old_default": 2, "message": "http-log: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", - "removal_in_version": "4.0", - "old_default": 2 - }, - "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", - "type": "number" + "removal_in_version": "4.0" + } } }, { @@ -131,7 +128,6 @@ "type": "string" }, "keys": { - "description": "A string representing an HTTP header name.", "match_none": [ { "pattern": "^[Hh][Oo][Ss][Tt]$", @@ -146,7 +142,8 @@ "err": "cannot contain 'Content-Type' header" } ], - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." } } }, 
@@ -155,86 +152,86 @@ "fields": [ { "max_batch_size": { + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time." + "default": 1 } }, { "max_coalescing_delay": { + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", "between": [ 0, 3600 ], - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + "default": 1 } }, { "max_entries": { + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue." + "default": 10000 } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { - "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "default": 60 } }, { "initial_retry_delay": { + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch." 
+ "default": 0.01 } }, { "max_retry_delay": { + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff." + "default": 60 } }, { "concurrency_limit": { + "description": "The number of of queue delivery timers. -1 indicates unlimited.", "type": "integer", "default": 1, "one_of": [ -1, 1 - ], - "description": "The number of of queue delivery timers. -1 indicates unlimited." + ] } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -243,18 +240,21 @@ "type": "string", "len_min": 1 }, - "description": "Lua code as a key-value map", + "type": "map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, - "type": "map" + "description": "Lua code as a key-value map" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/ip-restriction/3.8.x.json b/schemas/ip-restriction/3.8.x.json index a8c4562e..aa8bec87 100644 --- a/schemas/ip-restriction/3.8.x.json +++ b/schemas/ip-restriction/3.8.x.json @@ -1,17 +1,12 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.allow", - "config.deny" - ] - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -23,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -35,8 +28,7 @@ "tls", "grpc", "grpcs" - ], - "description": "A set of strings representing protocols." + ] } }, { 
@@ -44,42 +36,50 @@ "fields": [ { "allow": { + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", "type": "array", "elements": { - "type": "string", - "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." - }, - "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified." + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "type": "string" + } } }, { "deny": { + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", "type": "array", "elements": { - "type": "string", - "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." - }, - "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified." + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "type": "string" + } } }, { "status": { - "required": false, "description": "The HTTP status of the requests that will be rejected by the plugin.", - "type": "number" + "type": "number", + "required": false } }, { "message": { - "required": false, "description": "The message to send as a response body to rejected requests.", - "type": "string" + "type": "string", + "required": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } ] } \ No newline at end of file diff --git a/schemas/jq/3.8.x.json b/schemas/jq/3.8.x.json index 3e8a828f..9e42f8c1 100644 --- a/schemas/jq/3.8.x.json +++ b/schemas/jq/3.8.x.json 
@@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -29,8 +27,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
@@ -38,138 +35,134 @@ "fields": [ { "request_jq_program": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "request_jq_program_options": { - "required": false, - "default": [ - - ], "fields": [ { "compact_output": { "required": true, - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "raw_output": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "join_output": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "ascii_output": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "sort_keys": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } } ], - "type": "record" + "required": false, + "type": "record", + "default": [ + + ] } }, { "request_if_media_type": { - "required": false, - "default": [ - "application/json" - ], "elements": { "type": "string" }, - "type": "array" + "required": false, + "type": "array", + "default": [ + "application/json" + ] } }, { "response_jq_program": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "response_jq_program_options": { - "required": false, - "default": [ - - ], "fields": [ { "compact_output": { "required": true, - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "raw_output": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "join_output": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "ascii_output": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "sort_keys": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } } ], - "type": "record" + 
"required": false, + "type": "record", + "default": [ + + ] } }, { "response_if_media_type": { - "required": false, - "default": [ - "application/json" - ], "elements": { "type": "string" }, - "type": "array" + "required": false, + "type": "array", + "default": [ + "application/json" + ] } }, { "response_if_status_code": { - "required": false, - "default": [ - 200 - ], "elements": { "between": [ 100, @@ -177,11 +170,15 @@ ], "type": "integer" }, - "type": "array" + "required": false, + "type": "array", + "default": [ + 200 + ] } } ], - "required": true, + "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -190,8 +187,11 @@ ] } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/json-threat-protection/3.8.x.json b/schemas/json-threat-protection/3.8.x.json index e430db6c..a49e1e7d 100644 --- a/schemas/json-threat-protection/3.8.x.json +++ b/schemas/json-threat-protection/3.8.x.json @@ -1,25 +1,16 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.max_body_size", - "config.max_container_depth" - ] - } - } - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -36,15 +27,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -53,111 +43,121 @@ "fields": [ { "max_body_size": { + "description": "Max size of the request body. -1 means unlimited.", "required": false, - "type": "integer", "between": [ -1, 2147483648 ], - "default": 8192, - "description": "Max size of the request body. -1 means unlimited." + "type": "integer", + "default": 8192 } }, { "max_container_depth": { + "description": "Max nested depth of objects and arrays. -1 means unlimited.", "required": false, - "type": "integer", "between": [ -1, 2147483648 ], - "default": -1, - "description": "Max nested depth of objects and arrays. -1 means unlimited." + "type": "integer", + "default": -1 } }, { "max_object_entry_count": { + "description": "Max number of entries in an object. -1 means unlimited.", "required": false, - "type": "integer", "between": [ -1, 2147483648 ], - "default": -1, - "description": "Max number of entries in an object. -1 means unlimited." + "type": "integer", + "default": -1 } }, { "max_object_entry_name_length": { + "description": "Max string length of object name. -1 means unlimited.", "required": false, - "type": "integer", "between": [ -1, 2147483648 ], - "default": -1, - "description": "Max string length of object name. -1 means unlimited." + "type": "integer", + "default": -1 } }, { "max_array_element_count": { + "description": "Max number of elements in an array. -1 means unlimited.", "required": false, - "type": "integer", "between": [ -1, 2147483648 ], - "default": -1, - "description": "Max number of elements in an array. -1 means unlimited." + "type": "integer", + "default": -1 } }, { "max_string_value_length": { + "description": "Max string value length. -1 means unlimited.", "required": false, - "type": "integer", "between": [ -1, 2147483648 ], - "default": -1, - "description": "Max string value length. -1 means unlimited." 
+ "type": "integer", + "default": -1 } }, { "enforcement_mode": { + "description": "Enforcement mode of the security policy.", "required": false, - "type": "string", - "default": "block", "one_of": [ "block", "log_only" ], - "description": "Enforcement mode of the security policy." + "type": "string", + "default": "block" } }, { "error_status_code": { + "description": "The response status code when validation fails.", "required": false, - "type": "integer", "between": [ 400, 499 ], - "default": 400, - "description": "The response status code when validation fails." + "type": "integer", + "default": 400 } }, { "error_message": { + "description": "The response message when validation fails", "required": false, - "default": "Bad Request", "type": "string", - "description": "The response message when validation fails" + "default": "Bad Request" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.max_body_size", + "config.max_container_depth" + ] } } ] diff --git a/schemas/jwe-decrypt/3.8.x.json b/schemas/jwe-decrypt/3.8.x.json index b408e686..f30147c9 100644 --- a/schemas/jwe-decrypt/3.8.x.json +++ b/schemas/jwe-decrypt/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,23 +19,22 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
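Review bot: Five of the six limits in the json-threat-protection hunk that starts at `@@ -53,111 +43,121 @@` (`max_container_depth`, `max_object_entry_count`, `max_object_entry_name_length`, `max_array_element_count`, `max_string_value_length`) default to `-1`, which the descriptions define as unlimited, so with default settings only `max_body_size` (8192) constrains a request. Each of those descriptions should say that the default disables the check, e.g. `Max nested depth of objects and arrays. -1 (the default) means unlimited; set an explicit value to enforce a limit.` The shared range `"between": [ -1, 2147483648 ]` also admits `0` and an upper bound one above the signed 32-bit maximum; what either value does is not described and is worth confirming against the plugin.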
@@ -46,41 +43,44 @@ "fields": [ { "lookup_header_name": { - "required": true, - "default": "Authorization", + "description": "The name of the header to look for the JWE token.", "type": "string", - "description": "The name of the header to look for the JWE token." + "required": true, + "default": "Authorization" } }, { "forward_header_name": { - "required": true, - "default": "Authorization", + "description": "The name of the header that is used to set the decrypted value.", "type": "string", - "description": "The name of the header that is used to set the decrypted value." + "required": true, + "default": "Authorization" } }, { "key_sets": { - "required": true, + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", "type": "array", + "required": true, "elements": { "type": "string" - }, - "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token." + } } }, { "strict": { - "default": true, + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", "type": "boolean", - "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found." + "default": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/jwt-signer/3.8.x.json b/schemas/jwt-signer/3.8.x.json index 7a375f7d..1f21e368 100644 --- a/schemas/jwt-signer/3.8.x.json +++ b/schemas/jwt-signer/3.8.x.json 
@@ -1,27 +1,16 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.access_token_upstream_header", - "config.channel_token_upstream_header", - "config.original_access_token_upstream_header", - "config.original_channel_token_upstream_header" - ] - } - } - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
@@ -38,162 +27,161 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, "fields": [ { "realm": { + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", "required": false, - "type": "string", - "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value." + "type": "string" } }, { "enable_hs_signatures": { + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting.", "required": false, - "default": false, "type": "boolean", - "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting." + "default": false } }, { "enable_instrumentation": { + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", "required": false, - "default": false, "type": "boolean", - "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level." + "default": false } }, { "access_token_issuer": { + "description": "The `iss` claim of a signed or re-signed access token is set to this value. 
Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", "required": false, - "default": "kong", "type": "string", - "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token." + "default": "kong" } }, { "access_token_keyset": { + "description": "The name of the keyset containing signing keys.", "required": false, - "default": "kong", "type": "string", - "description": "The name of the keyset containing signing keys." + "default": "kong" } }, { "access_token_keyset_client_username": { + "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`", "required": false, - "referenceable": true, "type": "string", - "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`" + "referenceable": true } }, { "access_token_keyset_client_password": { + "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `access_token_keyset_client_username`" + "referenceable": true, + "encrypted": true } }, { "access_token_keyset_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_keyset` is an https uri that requires mTLS Auth.", "required": false, - "reference": "certificates", "type": "foreign", - "description": "The client certificate that will be used to authenticate Kong if `access_token_keyset` is an https uri that requires mTLS Auth." + "reference": "certificates" } }, { "access_token_keyset_rotate_period": { + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. The default value 0 means no auto-rotation.", "required": false, - "default": 0, "type": "number", - "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. The default value 0 means no auto-rotation." + "default": 0 } }, { "access_token_jwks_uri": { - "required": false, "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", + "required": false, "type": "string" } }, { "access_token_jwks_uri_client_username": { + "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`", "required": false, - "referenceable": true, "type": "string", - "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`" + "referenceable": true } }, { "access_token_jwks_uri_client_password": { + "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. 
Should be configured together with `access_token_jwks_uri_client_username`", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`" + "referenceable": true, + "encrypted": true } }, { "access_token_jwks_uri_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", "required": false, - "reference": "certificates", "type": "foreign", - "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth." + "reference": "certificates" } }, { "access_token_jwks_uri_rotate_period": { + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. The default value 0 means no auto-rotation.", "required": false, - "default": 0, "type": "number", - "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. The default value 0 means no auto-rotation." + "default": 0 } }, { "access_token_request_header": { + "description": "This parameter tells the name of the header where to look for the access token.", "required": false, - "default": "Authorization", "type": "string", - "description": "This parameter tells the name of the header where to look for the access token." + "default": "Authorization" } }, { "access_token_leeway": { + "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. 
You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", "required": false, - "default": 0, "type": "number", - "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`." + "default": 0 } }, { "access_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", "required": false, "type": "array", "elements": { "type": "string" - }, - "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`." + } } }, { "access_token_scopes_claim": { + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", "required": false, "elements": { "type": "string" 
@@ -201,22 +189,22 @@ "type": "array", "default": [ "scope" - ], - "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`." + ] } }, { "access_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", "required": false, "type": "array", "elements": { "type": "string" - }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity." + } } }, { "access_token_consumer_by": { + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", "required": false, "elements": { "type": "string", 
@@ -230,77 +218,77 @@ "default": [ "username", "custom_id" - ], - "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`." + ] } }, { "access_token_upstream_header": { + "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", "required": false, - "default": "Authorization:Bearer", "type": "string", - "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token." + "default": "Authorization:Bearer" } }, { "access_token_upstream_leeway": { + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", "required": false, - "default": 0, "type": "number", - "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim." 
+ "default": 0 } }, { "access_token_introspection_endpoint": { - "required": false, "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", + "required": false, "type": "string" } }, { "access_token_introspection_authorization": { + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", "required": false, - "type": "string", - "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter." + "type": "string" } }, { "access_token_introspection_body_args": { + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", "required": false, - "type": "string", - "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`." + "type": "string" } }, { "access_token_introspection_hint": { + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", "required": false, - "default": "access_token", "type": "string", - "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`." + "default": "access_token" } }, { "access_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. 
Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", "required": false, "type": "array", "elements": { "type": "string" - }, - "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`." + } } }, { "access_token_introspection_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", "required": false, "type": "array", "elements": { "type": "string" - }, - "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`." + } } }, { "access_token_introspection_scopes_claim": { + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", "required": true, "elements": { "type": "string" 
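Review bot: `access_token_introspection_authorization` holds the complete `Authorization` header value sent to the introspection endpoint, but in this hunk it is declared only with `"type": "string"`. It lacks the `"referenceable": true` and `"encrypted": true` attributes that the `*_client_password` fields of this schema carry. As declared, the credential is handled like any ordinary string, and presumably cannot be supplied as a vault reference or stored encrypted the way the password fields are. Since the file is downloaded from the API, the change belongs in the plugin's schema definition: add `"referenceable": true, "encrypted": true` to this field and state in its description that the value is a secret.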
@@ -308,22 +296,22 @@ "type": "array", "default": [ "scope" - ], - "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`." + ] } }, { "access_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", "required": false, "type": "array", "elements": { "type": "string" - }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity." + } } }, { "access_token_introspection_consumer_by": { + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.", "required": false, "elements": { "type": "string", 
@@ -337,30 +325,28 @@ "default": [ "username", "custom_id" - ], - "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values." + ] } }, { "access_token_introspection_leeway": { + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", "required": false, - "default": 0, "type": "number", - "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`." + "default": 0 } }, { "access_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", "required": false, - "type": "number", - "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection." 
+ "type": "number" } }, { "access_token_signing_algorithm": { + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", "required": true, - "type": "string", - "default": "RS256", "one_of": [ "HS256", "HS384", 
@@ -375,43 +361,45 @@ "PS512", "EdDSA" ], - "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm." + "type": "string", + "default": "RS256" } }, { "add_access_token_claims": { + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "required": false, - "type": "map", + "values": { + "type": "string" + }, "keys": { "type": "string" }, + "type": "map", "default": [ - ], - "values": { - "type": "string" - }, - "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value." + ] } }, { "set_access_token_claims": { + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "required": false, - "type": "map", + "values": { + "type": "string" + }, "keys": { "type": "string" }, + "type": "map", "default": [ - ], - "values": { - "type": "string" - }, - "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value." + ] } }, { "remove_access_token_claims": { + "description": "remove claims. It should be an array, and each element is a claim key string.", "required": false, "elements": { "type": "string" 
@@ -419,205 +407,205 @@ "type": "array", "default": [ - ], - "description": "remove claims. It should be an array, and each element is a claim key string." + ] } }, { "original_access_token_upstream_header": { + "description": "The HTTP header name used to store the original access token.", "required": false, - "type": "string", - "description": "The HTTP header name used to store the original access token." + "type": "string" } }, { "access_token_optional": { + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect", "required": false, - "default": false, "type": "boolean", - "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect" + "default": false } }, { "verify_access_token_signature": { + "description": "Quickly turn access token signature verification off and on as needed.", "required": false, - "default": true, "type": "boolean", - "description": "Quickly turn access token signature verification off and on as needed." + "default": true } }, { "verify_access_token_expiry": { + "description": "Quickly turn access token expiry verification off and on as needed.", "required": false, - "default": true, "type": "boolean", - "description": "Quickly turn access token expiry verification off and on as needed." 
+ "default": true } }, { "verify_access_token_scopes": { + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", "required": false, - "default": true, "type": "boolean", - "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`." + "default": true } }, { "verify_access_token_introspection_expiry": { + "description": "Quickly turn access token introspection expiry verification off and on as needed.", "required": false, - "default": true, "type": "boolean", - "description": "Quickly turn access token introspection expiry verification off and on as needed." + "default": true } }, { "verify_access_token_introspection_scopes": { + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", "required": false, - "default": true, "type": "boolean", - "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`." + "default": true } }, { "cache_access_token_introspection": { + "description": "Whether to cache access token introspection results.", "required": false, - "default": true, "type": "boolean", - "description": "Whether to cache access token introspection results." + "default": true } }, { "trust_access_token_introspection": { + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", "required": false, - "default": true, "type": "boolean", - "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload." 
+ "default": true } }, { "enable_access_token_introspection": { + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", "required": false, - "default": true, "type": "boolean", - "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection." + "default": true } }, { "channel_token_issuer": { + "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", "required": false, - "default": "kong", "type": "string", - "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token." + "default": "kong" } }, { "channel_token_keyset": { + "description": "The name of the keyset containing signing keys.", "required": false, - "default": "kong", "type": "string", - "description": "The name of the keyset containing signing keys." + "default": "kong" } }, { "channel_token_keyset_client_username": { + "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`", "required": false, - "referenceable": true, "type": "string", - "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_keyset_client_password`" + "referenceable": true } }, { "channel_token_keyset_client_password": { + "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_username`", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_username`" + "referenceable": true, + "encrypted": true } }, { "channel_token_keyset_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `channel_token_keyset` is an https uri that requires mTLS Auth.", "required": false, - "reference": "certificates", "type": "foreign", - "description": "The client certificate that will be used to authenticate Kong if `channel_token_keyset` is an https uri that requires mTLS Auth." + "reference": "certificates" } }, { "channel_token_keyset_rotate_period": { + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. The default value 0 means no auto-rotation.", "required": false, - "default": 0, "type": "number", - "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. The default value 0 means no auto-rotation." + "default": 0 } }, { "channel_token_jwks_uri": { - "required": false, "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. 
If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", + "required": false, "type": "string" } }, { "channel_token_jwks_uri_client_username": { + "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", "required": false, - "referenceable": true, "type": "string", - "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`" + "referenceable": true } }, { "channel_token_jwks_uri_client_password": { + "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`" + "referenceable": true, + "encrypted": true } }, { "channel_token_jwks_uri_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", "required": false, - "reference": "certificates", "type": "foreign", - "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth." + "reference": "certificates" } }, { "channel_token_jwks_uri_rotate_period": { + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. 
The default value 0 means no auto-rotation.", "required": false, - "default": 0, "type": "number", - "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. The default value 0 means no auto-rotation." + "default": 0 } }, { "channel_token_request_header": { + "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", "required": false, - "type": "string", - "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string)." + "type": "string" } }, { "channel_token_leeway": { + "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", "required": false, - "default": 0, "type": "number", - "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`." + "default": 0 } }, { "channel_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", "required": false, "type": "array", "elements": { "type": "string" - }, - "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`." 
+ } } }, { "channel_token_scopes_claim": { + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", "required": false, "elements": { "type": "string" @@ -625,27 +613,23 @@ "type": "array", "default": [ "scope" - ], - "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims." + ] } }, { "channel_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", "required": false, "type": "array", "elements": { "type": "string" - }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`." + } } }, { "channel_token_consumer_by": { "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", - "default": [ - "username", - "custom_id" - ], + "type": "array", "elements": { "type": "string", "one_of": [ 
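Review bot: In the `@@ -419,205 +407,205 @@` hunk, the description of `channel_token_jwks_uri_client_certificate` says the certificate is used when `access_token_jwks_uri` requires mTLS, which looks copied from the access-token field. The neighbouring channel-token username and password descriptions correctly name `channel_token_jwks_uri`. An operator reading it could configure the mTLS client certificate with the wrong endpoint in mind. Replace `access_token_jwks_uri` with `channel_token_jwks_uri` in that description; because the file is pulled from the API, the correction has to be made in the source schema.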
@@ -654,83 +638,87 @@ "custom_id" ] }, - "type": "array" + "default": [ + "username", + "custom_id" + ] } }, { "channel_token_upstream_header": { + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", "required": false, - "type": "string", - "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value." + "type": "string" } }, { "channel_token_upstream_leeway": { + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", "required": false, - "default": 0, "type": "number", - "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim." + "default": 0 } }, { "channel_token_introspection_endpoint": { - "required": false, "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", + "required": false, "type": "string" } }, { "channel_token_introspection_authorization": { + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. 
Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", "required": false, "type": "string", "elements": { "type": "string" - }, - "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens." + } } }, { "channel_token_introspection_body_args": { + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", "required": false, "type": "string", "elements": { "type": "string" - }, - "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`." + } } }, { "channel_token_introspection_hint": { + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", "required": false, "type": "string", "elements": { "type": "string" - }, - "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection." 
+ } } }, { "channel_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", "required": false, "type": "array", "elements": { "type": "string" - }, - "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong." + } } }, { "channel_token_introspection_scopes_required": { + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", "required": false, "type": "array", "elements": { "type": "string" - }, - "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`." + } } }, { "channel_token_introspection_scopes_claim": { + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", "required": false, "elements": { "type": "string" 
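Review bot: The description of `channel_token_introspection_authorization` repeats the introspection-endpoint text ("you need to specify the OAuth 2.0 introspection endpoint URI") and never says what the field itself holds. Judging by the name it carries the `Authorization` header value sent to the introspection endpoint, so something like `"description": "Value of the Authorization header sent with channel token introspection requests, for endpoints that require client authentication."` would fit, to be confirmed against the plugin. If that reading is right the value is a credential, and unlike `user` and `password` in the Kafka schemas later in this patch the field carries no `encrypted` or `referenceable` attribute, which is worth checking where the schema is produced. In the same hunk `channel_token_upstream_header` is described only as removing `config.channel_token_request_header`, which does not say what the upstream header is for. The enclosing `fields` array starts and ends outside this hunk.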
@@ -738,22 +726,22 @@ "type": "array", "default": [ "scope" - ], - "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims." + ] } }, { "channel_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", "required": false, "type": "array", "elements": { "type": "string" - }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity" + } } }, { "channel_token_introspection_consumer_by": { + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", "required": false, "elements": { "type": "string", 
@@ -767,30 +755,28 @@ "default": [ "username", "custom_id" - ], - "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`." + ] } }, { "channel_token_introspection_leeway": { + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", "required": false, - "default": 0, "type": "number", - "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`." + "default": 0 } }, { "channel_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", "required": false, - "type": "number", - "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection." 
+ "type": "number" } }, { "channel_token_signing_algorithm": { + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", "required": true, - "type": "string", - "default": "RS256", "one_of": [ "HS256", "HS384", 
@@ -805,43 +791,45 @@ "PS512", "EdDSA" ], - "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token." + "type": "string", + "default": "RS256" } }, { "add_channel_token_claims": { + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "required": false, - "type": "map", + "values": { + "type": "string" + }, "keys": { "type": "string" }, + "type": "map", "default": [ - ], - "values": { - "type": "string" - }, - "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value." + ] } }, { "set_channel_token_claims": { + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "required": false, - "type": "map", + "values": { + "type": "string" + }, "keys": { "type": "string" }, + "type": "map", "default": [ - ], - "values": { - "type": "string" - }, - "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value." + ] } }, { "remove_channel_token_claims": { + "description": "remove claims. It should be an array, and each element is a claim key string.", "required": false, "elements": { "type": "string" 
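Review bot: `add_channel_token_claims` and `set_channel_token_claims` are declared `"type": "map"` but their default is written as an empty array (`"default": [ ]`), so the default does not match the declared type. `add_claims` and `set_claims` in the next hunk (-849) have the same shape. This looks like an empty table serialised as an array by whatever produced the file, which is an inference from the output alone. A consumer that validates or renders defaults by type would expect `"default": {}` for these map fields. The record holding these fields opens outside the hunk.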
@@ -849,118 +837,117 @@ "type": "array", "default": [ - ], - "description": "remove claims. It should be an array, and each element is a claim key string." + ] } }, { "original_channel_token_upstream_header": { + "description": "The HTTP header name used to store the original channel token.", "required": false, - "type": "string", - "description": "The HTTP header name used to store the original channel token." + "type": "string" } }, { "channel_token_optional": { + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", "required": false, - "default": false, "type": "boolean", - "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect" + "default": false } }, { "verify_channel_token_signature": { + "description": "Quickly turn on/off the channel token signature verification.", "required": false, - "default": true, "type": "boolean", - "description": "Quickly turn on/off the channel token signature verification." 
+ "default": true } }, { "verify_channel_token_expiry": { + "type": "boolean", "required": false, - "default": true, - "type": "boolean" + "default": true } }, { "verify_channel_token_scopes": { + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", "required": false, - "default": true, "type": "boolean", - "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`." + "default": true } }, { "verify_channel_token_introspection_expiry": { + "description": "Quickly turn on/off the channel token introspection expiry verification.", "required": false, - "default": true, "type": "boolean", - "description": "Quickly turn on/off the channel token introspection expiry verification." + "default": true } }, { "verify_channel_token_introspection_scopes": { + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", "required": false, - "default": true, "type": "boolean", - "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`." + "default": true } }, { "cache_channel_token_introspection": { + "description": "Whether to cache channel token introspection results.", "required": false, - "default": true, "type": "boolean", - "description": "Whether to cache channel token introspection results." + "default": true } }, { "trust_channel_token_introspection": { + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. 
Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", "required": false, - "default": true, "type": "boolean", - "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked." + "default": true } }, { "enable_channel_token_introspection": { + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", "required": false, - "default": true, "type": "boolean", - "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`." + "default": true } }, { "add_claims": { + "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "required": false, - "type": "map", + "values": { + "type": "string" + }, "keys": { "type": "string" }, + "type": "map", "default": [ - ], - "values": { - "type": "string" - }, - "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value." + ] } }, { "set_claims": { + "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. 
Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "required": false, - "type": "map", + "values": { + "type": "string" + }, "keys": { "type": "string" }, + "type": "map", "default": [ - ], - "values": { - "type": "string" - }, - "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value." + ] } } ], @@ -990,8 +977,21 @@ ] } ], + "required": true, "type": "record" } } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.access_token_upstream_header", + "config.channel_token_upstream_header", + "config.original_access_token_upstream_header", + "config.original_channel_token_upstream_header" + ] + } + } ] } \ No newline at end of file diff --git a/schemas/jwt/3.8.x.json b/schemas/jwt/3.8.x.json index 7093c8fb..2530ff46 100644 --- a/schemas/jwt/3.8.x.json +++ b/schemas/jwt/3.8.x.json @@ -1,29 +1,16 @@ { - "entity_checks": [ - { - "conditional": { - "then_field": "config.claims_to_verify", - "if_match": { - "gt": 0 - }, - "then_match": { - "contains": "exp" - }, - "if_field": "config.maximum_expiration" - } - } - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -40,15 +27,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
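Review bot: `verify_channel_token_expiry`, in the hunk at -849, is the only `verify_channel_token_*` toggle left without a `description`, although `channel_token_leeway` points readers to it as the way to switch expiry verification off. A line mirroring its siblings would do: `"description": "Quickly turn on/off the channel token expiry verification.",`. Because setting it to `false` drops a security check, the text could also state that the default `true` keeps expiry verification on. The `config` record this field belongs to opens outside the hunk.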
@@ -58,102 +44,116 @@ { "uri_param_names": { "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", - "default": [ - "jwt" - ], + "type": "set", "elements": { "type": "string" }, - "type": "set" + "default": [ + "jwt" + ] } }, { "cookie_names": { "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", - "default": [ - - ], + "type": "set", "elements": { "type": "string" }, - "type": "set" + "default": [ + + ] } }, { "key_claim_name": { - "default": "iss", + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", "type": "string", - "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order." + "default": "iss" } }, { "secret_is_base64": { - "required": true, - "default": false, + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", "type": "boolean", - "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret." + "required": true, + "default": false } }, { "claims_to_verify": { "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", + "type": "set", "elements": { "type": "string", "one_of": [ "exp", "nbf" ] - }, - "type": "set" + } } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." 
+ "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" } }, { "run_on_preflight": { - "required": true, - "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", "type": "boolean", - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed." + "required": true, + "default": true } }, { "maximum_expiration": { + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", + "type": "number", "between": [ 0, 31536000 ], - "default": 0, - "type": "number", - "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future." + "default": 0 } }, { "header_names": { "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", - "default": [ - "authorization" - ], + "type": "set", "elements": { "type": "string" }, - "type": "set" + "default": [ + "authorization" + ] } }, { "realm": { - "required": false, + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "type": "string", - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value." + "required": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "config.maximum_expiration", + "if_match": { + "gt": 0 + }, + "then_field": "config.claims_to_verify", + "then_match": { + "contains": "exp" + } } } ] 
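Review bot: `claims_to_verify` has no `default`, and its description ("Accepted values: one of exp or nbf") neither says so nor fits a `set`, which can hold both values. With `maximum_expiration` defaulting to 0, the `entity_checks` conditional at the end of this hunk does not force `exp` into the set, so a default configuration presumably verifies neither `exp` nor `nbf`; that is inferred from the schema, not from plugin code. I would reword to `"description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: exp, nbf. If the list is empty, neither claim is verified."` once the last sentence is confirmed. Separately, `uri_param_names` defaults to `jwt`, so tokens are accepted from the query string, where they tend to end up in access logs and browser history; the description could say that.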
diff --git a/schemas/kafka-log/3.8.x.json b/schemas/kafka-log/3.8.x.json index e6b4d0d1..00a36770 100644 --- a/schemas/kafka-log/3.8.x.json +++ b/schemas/kafka-log/3.8.x.json @@ -1,11 +1,7 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", @@ -14,6 +10,8 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ @@ -24,15 +22,14 @@ "ws", "wss" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -41,20 +38,21 @@ "fields": [ { "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "type": "set", "elements": { "fields": [ { "host": { - "required": true, "description": "A string representing a host name, such as example.com.", + "required": true, "type": "string" } }, { "port": { - "required": true, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, "between": [ 0, 65535 @@ -64,22 +62,21 @@ } ], "type": "record" - }, - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." + } } }, { "topic": { - "required": true, "description": "The Kafka topic to publish to.", - "type": "string" + "type": "string", + "required": true } }, { "timeout": { - "default": 10000, "description": "Socket timeout in milliseconds.", - "type": "integer" + "type": "integer", + "default": 10000 } }, { 
@@ -99,54 +96,54 @@ "fields": [ { "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "type": "string", "required": false, "one_of": [ "sasl" - ], - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", - "type": "string" + ] } }, { "mechanism": { + "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", + "type": "string", "required": false, "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" - ], - "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", - "type": "string" + ] } }, { "tokenauth": { - "required": false, "description": "Enable this to indicate `DelegationToken` authentication", - "type": "boolean" + "type": "boolean", + "required": false } }, { "user": { + "description": "Username for SASL authentication.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Username for SASL authentication." + "referenceable": true } }, { "password": { + "description": "Password for SASL authentication.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Password for SASL authentication." + "referenceable": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
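Review bot: The `mechanism` description names only `PLAIN` or `SCRAM-SHA-256`, while the `one_of` list directly below it also accepts `SCRAM-SHA-512`. The kafka-upstream schema later in this patch already lists all three in its description, and kafka-log should use the same sentence so operators can see the stronger option exists. Since SASL `PLAIN` sends the password unprotected unless the connection uses TLS, the description could also point to the `ssl` field in the following hunk. The record that holds `strategy`, `mechanism`, `user` and `password` opens outside this hunk.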
@@ -154,98 +151,98 @@ "fields": [ { "certificate_id": { - "required": false, - "uuid": true, "description": "UUID of certificate entity for mTLS authentication.", - "type": "string" + "uuid": true, + "type": "string", + "required": false } }, { "ssl": { - "required": false, "description": "Enables TLS.", - "type": "boolean" + "type": "boolean", + "required": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "cluster_name": { - "required": false, "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", "auto": true, - "type": "string" + "type": "string", + "required": false } }, { "producer_request_acks": { "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "type": "integer", "default": 1, "one_of": [ -1, 0, 1 - ], - "type": "integer" + ] } }, { "producer_request_timeout": { - "default": 2000, "description": "Time to wait for a Produce response in milliseconds", - "type": "integer" + "type": "integer", + "default": 2000 } }, { "producer_request_limits_messages_per_request": { - "default": 200, "description": "Maximum number of messages to include into a single Produce request.", - "type": "integer" + "type": "integer", + "default": 200 } }, { "producer_request_limits_bytes_per_request": { - "default": 1048576, "description": "Maximum size of a Produce request in bytes.", - "type": "integer" + "type": "integer", + "default": 1048576 } }, { "producer_request_retries_max_attempts": { - "default": 10, "description": "Maximum number of retry attempts per single Produce request.", - "type": "integer" + "type": "integer", + "default": 10 } }, { "producer_request_retries_backoff_timeout": { - "default": 100, "description": "Backoff interval between retry attempts in milliseconds.", - "type": "integer" + "type": "integer", + "default": 100 } }, { "producer_async": { - "default": true, "description": "Flag to enable asynchronous mode.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "producer_async_flush_timeout": { - "default": 1000, "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", - "type": "integer" + "type": "integer", + "default": 1000 } }, { "producer_async_buffering_limits_messages_in_memory": { - "default": 50000, "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", - "type": "integer" + "type": "integer", + "default": 50000 } }, { 
@@ -254,16 +251,16 @@ "type": "string", "len_min": 1 }, - "description": "Lua code as a key-value map", + "type": "map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, - "type": "map" + "description": "Lua code as a key-value map" } } ], - "required": true, + "type": "record", "entity_checks": [ { "custom_entity_check": { @@ -273,8 +270,11 @@ } } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/kafka-upstream/3.8.x.json b/schemas/kafka-upstream/3.8.x.json index 135fc96f..1229e543 100644 --- a/schemas/kafka-upstream/3.8.x.json +++ b/schemas/kafka-upstream/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -38,20 +35,21 @@ "fields": [ { "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "type": "set", "elements": { "fields": [ { "host": { - "required": true, "description": "A string representing a host name, such as example.com.", + "required": true, "type": "string" } }, { "port": { - "required": true, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, "between": [ 0, 65535 
@@ -61,35 +59,34 @@ } ], "type": "record" - }, - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." + } } }, { "topic": { - "required": true, "description": "The Kafka topic to publish to.", + "required": true, "type": "string" } }, { "timeout": { - "default": 10000, "description": "Socket timeout in milliseconds.", - "type": "integer" + "type": "integer", + "default": 10000 } }, { "keepalive": { - "default": 60000, "description": "Keepalive timeout in milliseconds.", - "type": "integer" + "type": "integer", + "default": 60000 } }, { "keepalive_enabled": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { 
@@ -97,54 +94,54 @@ "fields": [ { "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "required": false, + "type": "string", "one_of": [ "sasl" - ], - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", - "type": "string" + ] } }, { "mechanism": { + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", "required": false, + "type": "string", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" - ], - "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", - "type": "string" + ] } }, { "tokenauth": { - "required": false, "description": "Enable this to indicate `DelegationToken` authentication.", + "required": false, "type": "boolean" } }, { "user": { + "description": "Username for SASL authentication.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Username for SASL authentication." + "referenceable": true, + "encrypted": true } }, { "password": { + "description": "Password for SASL authentication.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Password for SASL authentication." + "referenceable": true, + "encrypted": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
@@ -152,56 +149,56 @@ "fields": [ { "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", "required": false, "uuid": true, - "description": "UUID of certificate entity for mTLS authentication.", "type": "string" } }, { "ssl": { - "required": false, "description": "Enables TLS.", + "required": false, "type": "boolean" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "forward_method": { - "default": false, "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "forward_uri": { - "default": false, "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "forward_headers": { - "default": false, "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "forward_body": { - "default": true, "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "cluster_name": { - "required": false, "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. 
Logs will be sent to the leader of the cluster.", + "required": false, "auto": true, "type": "string" } 
@@ -209,73 +206,73 @@ { "producer_request_acks": { "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "type": "integer", "default": 1, "one_of": [ -1, 0, 1 - ], - "type": "integer" + ] } }, { "producer_request_timeout": { - "default": 2000, "description": "Time to wait for a Produce response in milliseconds.", - "type": "integer" + "type": "integer", + "default": 2000 } }, { "producer_request_limits_messages_per_request": { - "default": 200, "description": "Maximum number of messages to include into a single producer request.", - "type": "integer" + "type": "integer", + "default": 200 } }, { "producer_request_limits_bytes_per_request": { - "default": 1048576, "description": "Maximum size of a Produce request in bytes.", - "type": "integer" + "type": "integer", + "default": 1048576 } }, { "producer_request_retries_max_attempts": { - "default": 10, "description": "Maximum number of retry attempts per single Produce request.", - "type": "integer" + "type": "integer", + "default": 10 } }, { "producer_request_retries_backoff_timeout": { - "default": 100, "description": "Backoff interval between retry attempts in milliseconds.", - "type": "integer" + "type": "integer", + "default": 100 } }, { "producer_async": { - "default": true, "description": "Flag to enable asynchronous mode.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "producer_async_flush_timeout": { - "default": 1000, "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", - "type": "integer" + "type": "integer", + "default": 1000 } }, { "producer_async_buffering_limits_messages_in_memory": { - "default": 50000, "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", - "type": "integer" + "type": "integer", + 
"default": 50000 } } ], - "required": true, + "type": "record", "entity_checks": [ { "custom_entity_check": { @@ -295,8 +292,11 @@ } } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/key-auth-enc/3.8.x.json b/schemas/key-auth-enc/3.8.x.json index dda5896c..c141f8db 100644 --- a/schemas/key-auth-enc/3.8.x.json +++ b/schemas/key-auth-enc/3.8.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", @@ -22,6 +18,8 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ @@ -32,15 +30,14 @@ "ws", "wss" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -49,70 +46,73 @@ "fields": [ { "key_names": { + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "required": true, "elements": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" }, "type": "array", "default": [ "apikey" - ], - "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." + ] } }, { "hide_credentials": { - "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", "type": "boolean", - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it." + "default": false } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "key_in_header": { - "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", "type": "boolean", - "description": "If enabled (default), the plugin reads the request header and tries to find the key in it." + "default": true } }, { "key_in_query": { - "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", "type": "boolean", - "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it." + "default": true } }, { "key_in_body": { - "default": false, + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", "type": "boolean", - "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." + "default": false } }, { "run_on_preflight": { - "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. 
If set to `false`, then `OPTIONS` requests are always allowed.", "type": "boolean", - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed." + "default": true } }, { "realm": { - "required": false, + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "type": "string", - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value." + "required": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/key-auth/3.8.x.json b/schemas/key-auth/3.8.x.json index 709fec51..f391803f 100644 --- a/schemas/key-auth/3.8.x.json +++ b/schemas/key-auth/3.8.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", @@ -22,6 +18,8 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ @@ -32,15 +30,14 @@ "ws", "wss" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -49,24 +46,24 @@ "fields": [ { "key_names": { + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "required": true, "elements": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" }, "type": "array", "default": [ "apikey" - ], - "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." + ] } }, { "hide_credentials": { - "required": true, - "default": false, "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": false } }, { 
@@ -77,47 +74,50 @@ }, { "key_in_header": { - "required": true, - "default": true, "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": true } }, { "key_in_query": { - "required": true, - "default": true, "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": true } }, { "key_in_body": { - "required": true, - "default": false, "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": false } }, { "run_on_preflight": { - "required": true, - "default": true, "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": true } }, { "realm": { - "required": false, "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": false, "type": "string" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/konnect-application-auth/3.8.x.json b/schemas/konnect-application-auth/3.8.x.json index 10c57bca..3ab638a1 100644 --- a/schemas/konnect-application-auth/3.8.x.json +++ b/schemas/konnect-application-auth/3.8.x.json 
@@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -29,15 +27,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -46,157 +43,162 @@ "fields": [ { "key_names": { + "description": "The names of the headers containing the API key. You can specify multiple header names.", "required": true, "elements": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" }, "type": "array", "default": [ "apikey" - ], - "description": "The names of the headers containing the API key. You can specify multiple header names." + ] } }, { "auth_type": { + "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", "required": true, - "type": "string", - "default": "openid-connect", "one_of": [ "openid-connect", "key-auth", "v2-strategies" ], - "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'." + "type": "string", + "default": "openid-connect" } }, { "scope": { - "required": true, - "type": "string", + "description": "The unique scope identifier for the plugin configuration.", "unique": true, - "description": "The unique scope identifier for the plugin configuration." + "required": true, + "type": "string" } }, { "v2_strategies": { + "description": "The map of v2 strategies.", "required": false, "type": "record", "fields": [ { "key_auth": { + "description": "List of key_auth strategies.", "required": false, "type": "array", "elements": { "fields": [ { "strategy_id": { + "description": "The strategy id the config is tied to.", "required": true, - "type": "string", - "description": "The strategy id the config is tied to." + "type": "string" } }, { "config": { - "required": true, "fields": [ { "key_names": { + "description": "The names of the headers containing the API key. You can specify multiple header names.", "required": true, "elements": { - "type": "string", - "description": "A string representing an HTTP header name." 
+ "description": "A string representing an HTTP header name.", + "type": "string" }, "type": "array", "default": [ "apikey" - ], - "description": "The names of the headers containing the API key. You can specify multiple header names." + ] } } ], - "type": "record" + "type": "record", + "required": true } } ], "type": "record" - }, - "description": "List of key_auth strategies." + } } }, { "openid_connect": { + "description": "List of openid_connect strategies.", "required": false, "type": "array", "elements": { "fields": [ { "strategy_id": { + "description": "The strategy id the config is tied to.", "required": true, - "type": "string", - "description": "The strategy id the config is tied to." + "type": "string" } }, { "config": { + "description": "openid-connect plugin configuration.", + "type": "record", "fields": [ { "issuer": { - "required": true, "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "required": true, "type": "string" } }, { "using_pseudo_issuer": { - "required": false, - "default": false, + "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", "type": "boolean", - "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`." + "required": false, + "default": false } }, { "discovery_headers_names": { - "required": false, + "description": "Extra header names passed to the discovery endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra header names passed to the discovery endpoint." 
+ } } }, { "discovery_headers_values": { - "required": false, + "description": "Extra header values passed to the discovery endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra header values passed to the discovery endpoint." + } } }, { "extra_jwks_uris": { - "required": false, + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "type": "set", + "required": false, "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery)." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "rediscovery_lifetime": { - "required": false, - "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", "type": "number", - "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis." + "required": false, + "default": 30 } }, { "auth_methods": { + "description": "Types of credentials/grants to enable.", "required": false, "elements": { "type": "string", 
@@ -223,38 +225,38 @@ "kong_oauth2", "refresh_token", "session" - ], - "description": "Types of credentials/grants to enable." + ] } }, { "client_id": { + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", "required": false, "elements": { "type": "string", "referenceable": true }, "type": "array", - "encrypted": true, - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." + "encrypted": true } }, { "client_secret": { + "description": "The client secret.", "required": false, "elements": { "type": "string", "referenceable": true }, "type": "array", - "encrypted": true, - "description": "The client secret." + "encrypted": true } }, { "client_auth": { - "required": false, + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -266,16 +268,15 @@ "self_signed_tls_client_auth", "none" ] - }, - "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication)." + } } }, { "client_jwk": { - "required": false, + "description": "The JWK used for the private_key_jwt authentication.", "type": "array", + "required": false, "elements": { - "required": false, "fields": [ { "issuer": { @@ -298,11 +299,11 @@ { "key_ops": { "required": false, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { @@ -326,11 +327,11 @@ { "x5c": { "required": false, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { @@ -347,10 +348,10 @@ }, { "k": { - "required": false, - "referenceable": true, "encrypted": true, - "type": "string" + "required": false, + "type": "string", + "referenceable": true } }, { 
@@ -385,86 +386,87 @@ }, { "d": { - "required": false, - "referenceable": true, "encrypted": true, - "type": "string" + "required": false, + "type": "string", + "referenceable": true } }, { "p": { - "required": false, - "referenceable": true, "encrypted": true, - "type": "string" + "required": false, + "type": "string", + "referenceable": true } }, { "q": { - "required": false, - "referenceable": true, "encrypted": true, - "type": "string" + "required": false, + "type": "string", + "referenceable": true } }, { "dp": { - "required": false, - "referenceable": true, "encrypted": true, - "type": "string" + "required": false, + "type": "string", + "referenceable": true } }, { "dq": { - "required": false, - "referenceable": true, "encrypted": true, - "type": "string" + "required": false, + "type": "string", + "referenceable": true } }, { "qi": { - "required": false, - "referenceable": true, "encrypted": true, - "type": "string" + "required": false, + "type": "string", + "referenceable": true } }, { "oth": { - "required": false, - "referenceable": true, "encrypted": true, - "type": "string" + "required": false, + "type": "string", + "referenceable": true } }, { "r": { - "required": false, - "referenceable": true, "encrypted": true, - "type": "string" + "required": false, + "type": "string", + "referenceable": true } }, { "t": { - "required": false, - "referenceable": true, "encrypted": true, - "type": "string" + "required": false, + "type": "string", + "referenceable": true } } ], - "type": "record" - }, - "description": "The JWK used for the private_key_jwt authentication." + "type": "record", + "required": false + } } }, { "client_alg": { - "required": false, + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -482,123 +484,121 @@ "PS512", "EdDSA" ] - }, - "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication." + } } }, { "client_arg": { - "required": false, - "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", "type": "string", - "description": "The client to use for this request (the selection is made with a request parameter with the same name)." + "required": false, + "default": "client_id" } }, { "redirect_uri": { - "required": false, + "description": "The redirect URI passed to the authorization and token endpoints.", "type": "array", + "required": false, "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "The redirect URI passed to the authorization and token endpoints." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "login_redirect_uri": { - "required": false, + "description": "Where to redirect the client when `login_action` is set to `redirect`.", "type": "array", + "required": false, "elements": { - "referenceable": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" - }, - "description": "Where to redirect the client when `login_action` is set to `redirect`." + "type": "string", + "referenceable": true + } } }, { "logout_redirect_uri": { - "required": false, + "description": "Where to redirect the client after the logout.", "type": "array", + "required": false, "elements": { - "referenceable": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" - }, - "description": "Where to redirect the client after the logout." 
+ "type": "string", + "referenceable": true + } } }, { "forbidden_redirect_uri": { - "required": false, + "description": "Where to redirect the client on forbidden requests.", "type": "array", + "required": false, "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client on forbidden requests." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "forbidden_error_message": { - "required": false, - "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection).", "type": "string", - "description": "The error message for the forbidden requests (when not using the redirection)." + "required": false, + "default": "Forbidden" } }, { "forbidden_destroy_session": { - "required": false, - "default": true, + "description": "Destroy any active session for the forbidden requests.", "type": "boolean", - "description": "Destroy any active session for the forbidden requests." + "required": false, + "default": true } }, { "unauthorized_destroy_session": { - "required": false, - "default": true, + "description": "Destroy any active session for the unauthorized requests.", "type": "boolean", - "description": "Destroy any active session for the unauthorized requests." + "required": false, + "default": true } }, { "unauthorized_redirect_uri": { - "required": false, + "description": "Where to redirect the client on unauthorized requests.", "type": "array", + "required": false, "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client on unauthorized requests." 
+ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "unauthorized_error_message": { - "required": false, - "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection).", "type": "string", - "description": "The error message for the unauthorized requests (when not using the redirection)." + "required": false, + "default": "Unauthorized" } }, { "unexpected_redirect_uri": { - "required": false, + "description": "Where to redirect the client when unexpected errors happen with the requests.", "type": "array", + "required": false, "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client when unexpected errors happen with the requests." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "response_mode": { + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", "required": false, - "type": "string", - "default": "query", "one_of": [ "query", "form_post", 
@@ -608,11 +608,13 @@ "fragment.jwt", "jwt" ], - "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type." + "type": "string", + "default": "query" } }, { "response_type": { + "description": "The response type passed to the authorization endpoint.", "required": false, "elements": { "type": "string" @@ -620,12 +622,12 @@ "type": "array", "default": [ "code" - ], - "description": "The response type passed to the authorization endpoint." + ] } }, { "scopes": { + "description": "The scopes passed to the authorization and token endpoints.", "required": false, "elements": { "type": "string", 
@@ -634,42 +636,42 @@ "type": "array", "default": [ "openid" - ], - "description": "The scopes passed to the authorization and token endpoints." + ] } }, { "audience": { - "required": false, + "description": "The audience passed to the authorization endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The audience passed to the authorization endpoint." + } } }, { "issuers_allowed": { - "required": false, + "description": "The issuers allowed to be present in the tokens (`iss` claim).", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The issuers allowed to be present in the tokens (`iss` claim)." + } } }, { "scopes_required": { - "required": false, + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } } }, { "scopes_claim": { + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, "elements": { "type": "string" 
@@ -677,22 +679,22 @@ "type": "array", "default": [ "scope" - ], - "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload." + ] } }, { "audience_required": { - "required": false, + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } } }, { "audience_claim": { + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, "elements": { "type": "string" 
@@ -700,22 +702,22 @@ "type": "array", "default": [ "aud" - ], - "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload." + ] } }, { "groups_required": { - "required": false, + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } } }, { "groups_claim": { + "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, "elements": { "type": "string" @@ -723,22 +725,22 @@ "type": "array", "default": [ "groups" - ], - "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload." + ] } }, { "roles_required": { - "required": false, + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } } }, { "roles_claim": { + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, "elements": { "type": "string" 
@@ -746,46 +748,47 @@ "type": "array", "default": [ "roles" - ], - "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload." + ] } }, { "domains": { - "required": false, + "description": "The allowed values for the `hd` claim.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The allowed values for the `hd` claim." + } } }, { "max_age": { - "required": false, + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", "type": "number", - "description": "The maximum age (in seconds) compared to the `auth_time` claim." + "required": false } }, { "authenticated_groups_claim": { - "required": false, + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { "pushed_authorization_request_endpoint": { - "required": false, "description": "The pushed authorization endpoint. 
If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "required": false, "type": "string" } }, { "pushed_authorization_request_endpoint_auth_method": { + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "required": false, "one_of": [ "client_secret_basic", 
@@ -795,153 +798,153 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ], - "type": "string", - "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + ] } }, { "require_pushed_authorization_requests": { - "required": false, + "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", "type": "boolean", - "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`)." + "required": false } }, { "require_proof_key_for_code_exchange": { - "required": false, + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", "type": "boolean", - "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled)." + "required": false } }, { "require_signed_request_object": { - "required": false, + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. 
When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", "type": "boolean", - "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled)." + "required": false } }, { "authorization_endpoint": { - "required": false, "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "required": false, "type": "string" } }, { "authorization_query_args_names": { - "required": false, + "description": "Extra query argument names passed to the authorization endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra query argument names passed to the authorization endpoint." + } } }, { "authorization_query_args_values": { - "required": false, + "description": "Extra query argument values passed to the authorization endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra query argument values passed to the authorization endpoint." + } } }, { "authorization_query_args_client": { - "required": false, + "description": "Extra query arguments passed from the client to the authorization endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra query arguments passed from the client to the authorization endpoint." 
+ } } }, { "authorization_rolling_timeout": { - "required": false, - "default": 600, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", "type": "number", - "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." + "required": false, + "default": 600 } }, { "authorization_cookie_name": { - "required": false, - "default": "authorization", + "description": "The authorization cookie name.", "type": "string", - "description": "The authorization cookie name." + "required": false, + "default": "authorization" } }, { "authorization_cookie_path": { + "description": "The authorization cookie Path flag.", "required": false, + "starts_with": "/", + "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "type": "string", - "starts_with": "/", - "default": "/", - "description": "The authorization cookie Path flag." + "default": "/" } }, { "authorization_cookie_domain": { - "required": false, + "description": "The authorization cookie Domain flag.", "type": "string", - "description": "The authorization cookie Domain flag." + "required": false } }, { "authorization_cookie_same_site": { + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "required": false, - "type": "string", - "default": "Default", "one_of": [ "Strict", "Lax", "None", "Default" ], - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." 
+ "type": "string", + "default": "Default" } }, { "authorization_cookie_http_only": { - "required": false, - "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "type": "boolean", - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." + "required": false, + "default": true } }, { "authorization_cookie_secure": { - "required": false, + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "type": "boolean", - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." + "required": false } }, { "preserve_query_args": { - "required": false, - "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", "type": "boolean", - "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow." + "required": false, + "default": false } }, { "token_endpoint": { - "required": false, "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "required": false, "type": "string" } }, { "token_endpoint_auth_method": { + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "required": false, "one_of": [ "client_secret_basic", 
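Review bot: `authorization_cookie_secure` in this hunk declares no `default`, and its description does not say whether the cookie carries the Secure attribute when the field is left unset. `authorization_cookie_same_site` likewise defaults to `Default` without explaining which SameSite attribute that yields. `authorization_cookie_http_only` beside them states `"default": true`, so the gap is specific to these two fields. Each description should end with a sentence on the unset behaviour, for example `When not set, <effective behaviour, to be confirmed against the plugin>.` `session_cookie_secure` in the `@@ -1189,240 +1192,239 @@` hunk has the same gap.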
@@ -951,62 +954,61 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ], - "type": "string", - "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + ] } }, { "token_headers_names": { - "required": false, + "description": "Extra header names passed to the token endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra header names passed to the token endpoint." + } } }, { "token_headers_values": { - "required": false, + "description": "Extra header values passed to the token endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra header values passed to the token endpoint." + } } }, { "token_headers_client": { - "required": false, + "description": "Extra headers passed from the client to the token endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra headers passed from the client to the token endpoint." + } } }, { "token_headers_replay": { - "required": false, + "description": "The names of token endpoint response headers to forward to the downstream client.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The names of token endpoint response headers to forward to the downstream client." + } } }, { "token_headers_prefix": { - "required": false, + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", "type": "string", - "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client." 
+ "required": false } }, { "token_headers_grants": { - "required": false, + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -1015,49 +1017,50 @@ "authorization_code", "refresh_token" ] - }, - "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant." + } } }, { "token_post_args_names": { - "required": false, + "description": "Extra post argument names passed to the token endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra post argument names passed to the token endpoint." + } } }, { "token_post_args_values": { - "required": false, + "description": "Extra post argument values passed to the token endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra post argument values passed to the token endpoint." + } } }, { "token_post_args_client": { - "required": false, + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint." 
+ } } }, { "introspection_endpoint": { - "required": false, "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", + "required": false, "type": "string" } }, { "introspection_endpoint_auth_method": { + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "required": false, "one_of": [ "client_secret_basic", 
@@ -1067,119 +1070,119 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ], - "type": "string", - "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + ] } }, { "introspection_hint": { - "required": false, - "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint.", "type": "string", - "description": "Introspection hint parameter value passed to the introspection endpoint." + "required": false, + "default": "access_token" } }, { "introspection_check_active": { - "required": false, - "default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", "type": "boolean", - "description": "Check that the introspection response has an `active` claim with a value of `true`." + "required": false, + "default": true } }, { "introspection_accept": { + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", "required": false, - "type": "string", - "default": "application/json", "one_of": [ "application/json", "application/token-introspection+jwt", "application/jwt" ], - "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)." 
+ "type": "string", + "default": "application/json" } }, { "introspection_headers_names": { - "required": false, + "description": "Extra header names passed to the introspection endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra header names passed to the introspection endpoint." + } } }, { "introspection_headers_values": { + "description": "Extra header values passed to the introspection endpoint.", "required": false, "elements": { "type": "string", "referenceable": true }, "type": "array", - "encrypted": true, - "description": "Extra header values passed to the introspection endpoint." + "encrypted": true } }, { "introspection_headers_client": { - "required": false, + "description": "Extra headers passed from the client to the introspection endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra headers passed from the client to the introspection endpoint." + } } }, { "introspection_post_args_names": { - "required": false, + "description": "Extra post argument names passed to the introspection endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra post argument names passed to the introspection endpoint." + } } }, { "introspection_post_args_values": { - "required": false, + "description": "Extra post argument values passed to the introspection endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra post argument values passed to the introspection endpoint." + } } }, { "introspection_post_args_client": { - "required": false, + "description": "Extra post arguments passed from the client to the introspection endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra post arguments passed from the client to the introspection endpoint." 
+ } } }, { "introspect_jwt_tokens": { - "required": false, - "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", "type": "boolean", - "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations)." + "required": false, + "default": false } }, { "revocation_endpoint": { - "required": false, "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", + "required": false, "type": "string" } }, { "revocation_endpoint_auth_method": { + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "required": false, "one_of": [ "client_secret_basic", 
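Review bot: `introspection_headers_values` is the only extra-value list in this hunk marked `"encrypted": true` with `"referenceable": true` elements, while `introspection_post_args_values` beside it is a plain string array. The same holds for `authorization_query_args_values`, `token_headers_values`, `token_post_args_values`, `userinfo_headers_values` and `userinfo_query_args_values` in the other hunks of this file. Nothing in the schema tells operators not to place API keys or other credentials in those lists, and values put there would presumably not get the handling that `encrypted` and `referenceable` provide. Either the upstream schema should mark them the same way, or each description should carry a caveat such as `Do not place secrets in this field; it is not marked as encrypted.`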
@@ -1189,240 +1192,239 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ], - "type": "string", - "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + ] } }, { "end_session_endpoint": { - "required": false, "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", + "required": false, "type": "string" } }, { "userinfo_endpoint": { - "required": false, "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", + "required": false, "type": "string" } }, { "userinfo_accept": { + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", "required": false, - "type": "string", - "default": "application/json", "one_of": [ "application/json", "application/jwt" ], - "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)." + "type": "string", + "default": "application/json" } }, { "userinfo_headers_names": { - "required": false, + "description": "Extra header names passed to the user info endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra header names passed to the user info endpoint." + } } }, { "userinfo_headers_values": { - "required": false, + "description": "Extra header values passed to the user info endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra header values passed to the user info endpoint." 
+ } } }, { "userinfo_headers_client": { - "required": false, + "description": "Extra headers passed from the client to the user info endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra headers passed from the client to the user info endpoint." + } } }, { "userinfo_query_args_names": { - "required": false, + "description": "Extra query argument names passed to the user info endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra query argument names passed to the user info endpoint." + } } }, { "userinfo_query_args_values": { - "required": false, + "description": "Extra query argument values passed to the user info endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra query argument values passed to the user info endpoint." + } } }, { "userinfo_query_args_client": { - "required": false, + "description": "Extra query arguments passed from the client to the user info endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra query arguments passed from the client to the user info endpoint." + } } }, { "token_exchange_endpoint": { - "required": false, "description": "The token exchange endpoint.", + "required": false, "type": "string" } }, { "session_secret": { + "description": "The session secret.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "The session secret." + "referenceable": true, + "encrypted": true } }, { "session_audience": { - "required": false, - "default": "default", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", "type": "string", - "description": "The session audience, which is the intended target application. For example `\"my-application\"`." 
+ "required": false, + "default": "default" } }, { "session_cookie_name": { - "required": false, - "default": "session", + "description": "The session cookie name.", "type": "string", - "description": "The session cookie name." + "required": false, + "default": "session" } }, { "session_remember": { - "required": false, - "default": false, + "description": "Enables or disables persistent sessions.", "type": "boolean", - "description": "Enables or disables persistent sessions." + "required": false, + "default": false } }, { "session_remember_cookie_name": { - "required": false, - "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", "type": "string", - "description": "Persistent session cookie name. Use with the `remember` configuration parameter." + "required": false, + "default": "remember" } }, { "session_remember_rolling_timeout": { - "required": false, - "default": 604800, + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", "type": "number", - "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling." + "required": false, + "default": 604800 } }, { "session_remember_absolute_timeout": { - "required": false, - "default": 2592000, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", "type": "number", - "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks." + "required": false, + "default": 2592000 } }, { "session_idling_timeout": { - "required": false, - "default": 900, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 
0 disables the checks and touching.", "type": "number", - "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching." + "required": false, + "default": 900 } }, { "session_rolling_timeout": { - "required": false, - "default": 3600, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", "type": "number", - "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." + "required": false, + "default": 3600 } }, { "session_absolute_timeout": { - "required": false, - "default": 86400, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", "type": "number", - "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks." + "required": false, + "default": 86400 } }, { "session_cookie_path": { + "description": "The session cookie Path flag.", "required": false, + "starts_with": "/", + "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "type": "string", - "starts_with": "/", - "default": "/", - "description": "The session cookie Path flag." + "default": "/" } }, { "session_cookie_domain": { - "required": false, + "description": "The session cookie Domain flag.", "type": "string", - "description": "The session cookie Domain flag." 
+ "required": false } }, { "session_cookie_same_site": { + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "required": false, - "type": "string", - "default": "Lax", "one_of": [ "Strict", "Lax", "None", "Default" ], - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." + "type": "string", + "default": "Lax" } }, { "session_cookie_http_only": { - "required": false, - "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "type": "boolean", - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." + "required": false, + "default": true } }, { "session_cookie_secure": { - "required": false, + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "type": "boolean", - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." + "required": false } }, { "session_request_headers": { - "required": false, "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "required": false, + "type": "set", "elements": { "type": "string", "one_of": [ 
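Review bot: The `session_remember_cookie_name` description in this hunk tells the reader to use it "with the `remember` configuration parameter", but no field of that name is visible in this schema. The toggle shown just above it is `session_remember`. The description should name `session_remember` so that the persistent-session cookie setting can be traced to the switch that enables it. As this file is downloaded from the API, the wording has to be corrected in the upstream schema.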
@@ -1434,14 +1436,14 @@ "rolling-timeout", "absolute-timeout" ] - }, - "type": "set" + } } }, { "session_response_headers": { - "required": false, "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "required": false, + "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -1453,191 +1455,91 @@ "rolling-timeout", "absolute-timeout" ] - }, - "type": "set" + } } }, { "session_storage": { + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", "required": false, - "type": "string", - "default": "cookie", "one_of": [ "cookie", "memcache", "memcached", "redis" ], - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis." + "type": "string", + "default": "cookie" } }, { "session_store_metadata": { - "required": false, - "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", "type": "boolean", - "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject." + "required": false, + "default": false } }, { "session_enforce_same_subject": { - "required": false, - "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", "type": "boolean", - "description": "When set to `true`, audiences are forced to share the same subject." + "required": false, + "default": false } }, { "session_hash_subject": { - "required": false, - "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", "type": "boolean", - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." + "required": false, + "default": false } }, { "session_hash_storage_key": { - "required": false, - "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "type": "boolean", - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." + "required": false, + "default": false } }, { "session_memcached_prefix": { - "required": false, + "description": "The memcached session key prefix.", "type": "string", - "description": "The memcached session key prefix." + "required": false } }, { "session_memcached_socket": { - "required": false, + "description": "The memcached unix socket path.", "type": "string", - "description": "The memcached unix socket path." + "required": false } }, { "session_memcached_host": { - "required": false, - "default": "127.0.0.1", + "description": "The memcached host.", "type": "string", - "description": "The memcached host." + "required": false, + "default": "127.0.0.1" } }, { "session_memcached_port": { + "description": "The memcached port.", "required": false, - "type": "integer", "between": [ 0, 65535 ], - "default": 11211, - "description": "The memcached port." 
+ "type": "integer", + "default": 11211 } }, { "redis": { - "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - }, - "if_match": { - "eq": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", "fields": [ { "host": { 
@@ -1647,307 +1549,438 @@ }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "username": { - "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "referenceable": true } }, { "password": { + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", "type": "string", - "referenceable": true, "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + "referenceable": true } }, { "sentinel_username": { - "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", "type": "string", - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + "referenceable": true } }, { "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "type": "string", - "referenceable": true, "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + "referenceable": true } }, { "database": { - "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + ] } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. 
Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string" + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "default": 6379 } } ], "type": "record" }, - "len_min": 1, "type": "array", - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "default": 6379 } } ], "type": "record" }, - "len_min": 1, "type": "array", - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "len_min": 1 } }, { "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", "required": false, - "default": false, "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis." + "default": false } }, { "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, - "default": false, "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." 
+ "default": false } }, { "server_name": { - "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string", - "description": "A string representing an SNI (server name indication) value for TLS." + "required": false } }, { "cluster_max_redirections": { - "required": false, - "default": 5, "description": "Maximum retry attempts for redirection.", - "type": "integer" + "required": false, + "type": "integer", + "default": 5 } }, { "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "required": false, - "default": false, "type": "boolean", - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address." + "default": false } }, { "prefix": { - "required": false, + "description": "The Redis session key prefix.", "type": "string", - "description": "The Redis session key prefix." + "required": false } }, { "socket": { - "required": false, + "description": "The Redis unix socket path.", "type": "string", - "description": "The Redis unix socket path." 
+ "required": false } } ], - "shorthand_fields": [ + "entity_checks": [ { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "then_match": { + "required": true + }, + "if_match": { + "eq": true }, + "then_field": "host" + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { 
"sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true, + "type": "record" } }, { "reverify": { - "required": false, - "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", "type": "boolean", - "description": "Specifies whether to always verify tokens stored in the session." + "required": false, + "default": false } }, { "jwt_session_claim": { - "required": false, - "default": "sid", + "description": "The claim to match against the JWT session cookie.", "type": "string", - "description": "The claim to match against the JWT session cookie." + "required": false, + "default": "sid" } }, { "jwt_session_cookie": { - "required": false, + "description": "The name of the JWT session cookie.", "type": "string", - "description": "The name of the JWT session cookie." + "required": false } }, { "bearer_token_param_type": { + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", "required": false, "elements": { "type": "string", 
@@ -1963,19 +1996,19 @@ "header", "query", "body" - ], - "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`." + ] } }, { "bearer_token_cookie_name": { - "required": false, + "description": "The name of the cookie in which the bearer token is passed.", "type": "string", - "description": "The name of the cookie in which the bearer token is passed." + "required": false } }, { "client_credentials_param_type": { + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", "required": false, "elements": { "type": "string", @@ -1990,12 +2023,12 @@ "header", "query", "body" - ], - "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body." + ] } }, { "password_param_type": { + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "required": false, "elements": { "type": "string", @@ -2010,12 +2043,12 @@ "header", "query", "body" - ], - "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + ] } }, { "id_token_param_type": { + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "required": false, "elements": { "type": "string", 
@@ -2030,19 +2063,19 @@ "header", "query", "body" - ], - "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + ] } }, { "id_token_param_name": { - "required": false, + "description": "The name of the parameter used to pass the id token.", "type": "string", - "description": "The name of the parameter used to pass the id token." + "required": false } }, { "refresh_token_param_type": { + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "required": false, "elements": { "type": "string", 
@@ -2057,208 +2090,208 @@ "header", "query", "body" - ], - "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + ] } }, { "refresh_token_param_name": { - "required": false, + "description": "The name of the parameter used to pass the refresh token.", "type": "string", - "description": "The name of the parameter used to pass the refresh token." + "required": false } }, { "refresh_tokens": { - "required": false, - "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", "type": "boolean", - "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available." + "required": false, + "default": true } }, { "upstream_headers_claims": { - "required": false, + "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { "upstream_headers_names": { - "required": false, + "description": "The upstream header names for the claim values.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The upstream header names for the claim values." + } } }, { "upstream_access_token_header": { - "required": false, - "default": "authorization:bearer", + "description": "The upstream access token header.", "type": "string", - "description": "The upstream access token header." 
+ "required": false, + "default": "authorization:bearer" } }, { "upstream_access_token_jwk_header": { - "required": false, + "description": "The upstream access token JWK header.", "type": "string", - "description": "The upstream access token JWK header." + "required": false } }, { "upstream_id_token_header": { - "required": false, + "description": "The upstream id token header.", "type": "string", - "description": "The upstream id token header." + "required": false } }, { "upstream_id_token_jwk_header": { - "required": false, + "description": "The upstream id token JWK header.", "type": "string", - "description": "The upstream id token JWK header." + "required": false } }, { "upstream_refresh_token_header": { - "required": false, + "description": "The upstream refresh token header.", "type": "string", - "description": "The upstream refresh token header." + "required": false } }, { "upstream_user_info_header": { - "required": false, + "description": "The upstream user info header.", "type": "string", - "description": "The upstream user info header." + "required": false } }, { "upstream_user_info_jwt_header": { - "required": false, + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", "type": "string", - "description": "The upstream user info JWT header (in case the user info returns a JWT response)." + "required": false } }, { "upstream_introspection_header": { - "required": false, + "description": "The upstream introspection header.", "type": "string", - "description": "The upstream introspection header." + "required": false } }, { "upstream_introspection_jwt_header": { - "required": false, + "description": "The upstream introspection JWT header.", "type": "string", - "description": "The upstream introspection JWT header." 
+ "required": false } }, { "upstream_session_id_header": { - "required": false, + "description": "The upstream session id header.", "type": "string", - "description": "The upstream session id header." + "required": false } }, { "downstream_headers_claims": { - "required": false, + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { "downstream_headers_names": { - "required": false, + "description": "The downstream header names for the claim values.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The downstream header names for the claim values." + } } }, { "downstream_access_token_header": { - "required": false, + "description": "The downstream access token header.", "type": "string", - "description": "The downstream access token header." + "required": false } }, { "downstream_access_token_jwk_header": { - "required": false, + "description": "The downstream access token JWK header.", "type": "string", - "description": "The downstream access token JWK header." + "required": false } }, { "downstream_id_token_header": { - "required": false, + "description": "The downstream id token header.", "type": "string", - "description": "The downstream id token header." + "required": false } }, { "downstream_id_token_jwk_header": { - "required": false, + "description": "The downstream id token JWK header.", "type": "string", - "description": "The downstream id token JWK header." + "required": false } }, { "downstream_refresh_token_header": { - "required": false, + "description": "The downstream refresh token header.", "type": "string", - "description": "The downstream refresh token header." 
+ "required": false } }, { "downstream_user_info_header": { - "required": false, + "description": "The downstream user info header.", "type": "string", - "description": "The downstream user info header." + "required": false } }, { "downstream_user_info_jwt_header": { - "required": false, + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", "type": "string", - "description": "The downstream user info JWT header (in case the user info returns a JWT response)." + "required": false } }, { "downstream_introspection_header": { - "required": false, + "description": "The downstream introspection header.", "type": "string", - "description": "The downstream introspection header." + "required": false } }, { "downstream_introspection_jwt_header": { - "required": false, + "description": "The downstream introspection JWT header.", "type": "string", - "description": "The downstream introspection JWT header." + "required": false } }, { "downstream_session_id_header": { - "required": false, + "description": "The downstream session id header.", "type": "string", - "description": "The downstream session id header." + "required": false } }, { "login_methods": { + "description": "Enable login functionality with specified grants.", "required": false, "elements": { "type": "string", 
@@ -2277,25 +2310,25 @@ "type": "array", "default": [ "authorization_code" - ], - "description": "Enable login functionality with specified grants." + ] } }, { "login_action": { + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", "required": false, - "type": "string", - "default": "upstream", "one_of": [ "upstream", "response", "redirect" ], - "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location." + "type": "string", + "default": "upstream" } }, { "login_tokens": { + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", "required": false, "elements": { "type": "string", 
@@ -2310,45 +2343,45 @@ "type": "array", "default": [ "id_token" - ], - "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response." + ] } }, { "login_redirect_mode": { + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", "required": false, - "type": "string", - "default": "fragment", "one_of": [ "query", "fragment" ], - "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)." + "type": "string", + "default": "fragment" } }, { "logout_query_arg": { - "required": false, + "description": "The request query argument that activates the logout.", "type": "string", - "description": "The request query argument that activates the logout." + "required": false } }, { "logout_post_arg": { - "required": false, + "description": "The request body argument that activates the logout.", "type": "string", - "description": "The request body argument that activates the logout." + "required": false } }, { "logout_uri_suffix": { - "required": false, + "description": "The request URI suffix that activates the logout.", "type": "string", - "description": "The request URI suffix that activates the logout." + "required": false } }, { "logout_methods": { + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", "required": false, "elements": { "type": "string", 
@@ -2362,46 +2395,46 @@ "default": [ "POST", "DELETE" - ], - "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method." + ] } }, { "logout_revoke": { - "required": false, - "default": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", "type": "boolean", - "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters." + "required": false, + "default": false } }, { "logout_revoke_access_token": { - "required": false, - "default": true, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", "type": "boolean", - "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`." + "required": false, + "default": true } }, { "logout_revoke_refresh_token": { - "required": false, - "default": true, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", "type": "boolean", - "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`." + "required": false, + "default": true } }, { "consumer_claim": { - "required": false, + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload." 
+ } } }, { "consumer_by": { + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", "required": false, "elements": { "type": "string", @@ -2415,20 +2448,20 @@ "default": [ "username", "custom_id" - ], - "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`." + ] } }, { "consumer_optional": { - "required": false, - "default": false, + "description": "Do not terminate the request if consumer mapping fails.", "type": "boolean", - "description": "Do not terminate the request if consumer mapping fails." + "required": false, + "default": false } }, { "credential_claim": { + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, "elements": { "type": "string" 
@@ -2436,67 +2469,67 @@ "type": "array", "default": [ "sub" - ], - "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload." + ] } }, { "anonymous": { - "required": false, + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "type": "string", - "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "required": false } }, { "run_on_preflight": { - "required": false, - "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", "type": "boolean", - "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests." + "required": false, + "default": true } }, { "leeway": { - "required": false, - "default": 0, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", "type": "number", - "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims" + "required": false, + "default": 0 } }, { "verify_parameters": { - "required": false, - "default": false, + "description": "Verify plugin configuration against discovery.", "type": "boolean", - "description": "Verify plugin configuration against discovery." 
+ "required": false, + "default": false } }, { "verify_nonce": { - "required": false, - "default": true, + "description": "Verify nonce on authorization code flow.", "type": "boolean", - "description": "Verify nonce on authorization code flow." + "required": false, + "default": true } }, { "verify_claims": { - "required": false, - "default": true, + "description": "Verify tokens for standard claims.", "type": "boolean", - "description": "Verify tokens for standard claims." + "required": false, + "default": true } }, { "verify_signature": { - "required": false, - "default": true, + "description": "Verify signature of tokens.", "type": "boolean", - "description": "Verify signature of tokens." + "required": false, + "default": true } }, { "ignore_signature": { + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", "required": false, "elements": { "type": "string", 
@@ -2513,22 +2546,22 @@ "type": "array", "default": [ - ], - "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication." + ] } }, { "enable_hs_signatures": { - "required": false, - "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", "type": "boolean", - "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted)." + "required": false, + "default": false } }, { "disable_session": { - "required": false, + "description": "Disable issuing the session cookie with the specified grants.", "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2542,540 +2575,440 @@ "refresh_token", "session" ] - }, - "description": "Disable issuing the session cookie with the specified grants." + } } }, { "cache_ttl": { - "required": false, - "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", "type": "number", - "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry." + "required": false, + "default": 3600 } }, { "cache_ttl_max": { - "required": false, + "description": "The maximum cache ttl in seconds (enforced).", "type": "number", - "description": "The maximum cache ttl in seconds (enforced)." + "required": false } }, { "cache_ttl_min": { - "required": false, + "description": "The minimum cache ttl in seconds (enforced).", "type": "number", - "description": "The minimum cache ttl in seconds (enforced)." + "required": false } }, { "cache_ttl_neg": { - "required": false, + "description": "The negative cache ttl in seconds.", "type": "number", - "description": "The negative cache ttl in seconds." + "required": false } }, { "cache_ttl_resurrect": { - "required": false, + "description": "The resurrection ttl in seconds.", "type": "number", - "description": "The resurrection ttl in seconds." + "required": false } }, { "cache_tokens": { - "required": false, - "default": true, + "description": "Cache the token endpoint requests.", "type": "boolean", - "description": "Cache the token endpoint requests." + "required": false, + "default": true } }, { "cache_tokens_salt": { - "required": false, - "type": "string", + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", "auto": true, - "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." 
+ "type": "string", + "required": false } }, { "cache_introspection": { - "required": false, - "default": true, + "description": "Cache the introspection endpoint requests.", "type": "boolean", - "description": "Cache the introspection endpoint requests." + "required": false, + "default": true } }, { "cache_token_exchange": { - "required": false, - "default": true, + "description": "Cache the token exchange endpoint requests.", "type": "boolean", - "description": "Cache the token exchange endpoint requests." + "required": false, + "default": true } }, { "cache_user_info": { - "required": false, - "default": true, + "description": "Cache the user info requests.", "type": "boolean", - "description": "Cache the user info requests." + "required": false, + "default": true } }, { "search_user_info": { - "required": false, - "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", "type": "boolean", - "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers." + "required": false, + "default": false } }, { "hide_credentials": { - "required": false, - "default": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", "type": "boolean", - "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication." 
+ "required": false, + "default": false } }, { "http_version": { - "required": false, - "default": 1.1, "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", - "type": "number" + "required": false, + "type": "number", + "default": 1.1 } }, { "http_proxy": { - "required": false, "description": "The HTTP proxy.", + "required": false, "type": "string" } }, { "http_proxy_authorization": { - "required": false, + "description": "The HTTP proxy authorization.", "type": "string", - "description": "The HTTP proxy authorization." + "required": false } }, { "https_proxy": { - "required": false, "description": "The HTTPS proxy.", + "required": false, "type": "string" } }, { "https_proxy_authorization": { - "required": false, + "description": "The HTTPS proxy authorization.", "type": "string", - "description": "The HTTPS proxy authorization." + "required": false } }, { "no_proxy": { - "required": false, + "description": "Do not use proxy with these hosts.", "type": "string", - "description": "Do not use proxy with these hosts." + "required": false } }, { "keepalive": { - "required": false, - "default": true, + "description": "Use keepalive with the HTTP client.", "type": "boolean", - "description": "Use keepalive with the HTTP client." + "required": false, + "default": true } }, { "ssl_verify": { - "required": false, - "default": false, + "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", "type": "boolean", - "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`." 
+ "required": false, + "default": false } }, { "timeout": { - "required": false, - "default": 10000, + "description": "Network IO timeout in milliseconds.", "type": "number", - "description": "Network IO timeout in milliseconds." + "required": false, + "default": 10000 } }, { "display_errors": { - "required": false, - "default": false, + "description": "Display errors on failure responses.", "type": "boolean", - "description": "Display errors on failure responses." + "required": false, + "default": false } }, { "by_username_ignore_case": { - "required": false, - "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", "type": "boolean", - "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively." + "required": false, + "default": false } }, { "resolve_distributed_claims": { - "required": false, - "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", "type": "boolean", - "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims." + "required": false, + "default": false } }, { "expose_error_code": { - "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", "type": "boolean", - "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable." 
+ "default": true } }, { "token_cache_key_include_scope": { - "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", "type": "boolean", - "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens." + "default": false } }, { "introspection_token_param_name": { - "required": false, - "default": "token", + "description": "Designate token's parameter name for introspection.", "type": "string", - "description": "Designate token's parameter name for introspection." + "required": false, + "default": "token" } }, { "revocation_token_param_name": { - "required": false, - "default": "token", + "description": "Designate token's parameter name for revocation.", "type": "string", - "description": "Designate token's parameter name for revocation." + "required": false, + "default": "token" } }, { "proof_of_possession_mtls": { + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", "required": false, - "type": "string", - "default": "off", "one_of": [ "off", "strict", "optional" ], - "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401." 
+ "type": "string", + "default": "off" } }, { "proof_of_possession_auth_methods_validation": { - "required": false, - "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", "type": "boolean", - "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP." + "required": false, + "default": true } }, { "tls_client_auth_cert_id": { - "required": false, + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "auto": false, "type": "string", "uuid": true, - "auto": false, - "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server." + "required": false } }, { "tls_client_auth_ssl_verify": { - "required": false, - "default": true, + "description": "Verify identity provider server certificate during mTLS client authentication.", "type": "boolean", - "description": "Verify identity provider server certificate during mTLS client authentication." + "required": false, + "default": true } }, { "mtls_token_endpoint": { - "required": false, "description": "Alias for the token endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, "type": "string" } }, { "mtls_introspection_endpoint": { - "required": false, "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, "type": "string" } }, { "mtls_revocation_endpoint": { - "required": false, "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, "type": "string" } }, { "proof_of_possession_dpop": { + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", "required": false, - "type": "string", - "default": "off", "one_of": [ "off", "strict", "optional" ], - "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof." + "type": "string", + "default": "off" } }, { "dpop_use_nonce": { - "required": false, - "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", "type": "boolean", - "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime." + "required": false, + "default": false } }, { "dpop_proof_lifetime": { - "required": false, - "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. 
It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", "type": "number", - "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise." + "required": false, + "default": 300 } }, { "claims_forbidden": { - "required": false, + "description": "If given, these claims are forbidden in the token payload.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "If given, these claims are forbidden in the token payload." + } } }, { "cluster_cache_strategy": { + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", "required": false, - "type": "string", - "default": "off", "one_of": [ "off", "redis" ], - "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared." 
+ "type": "string", + "default": "off" } }, { "cluster_cache_redis": { - "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "connection_is_proxied" - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "username": { - "referenceable": true, "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "sentinel_username": { - "referenceable": true, "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "type": "integer", + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer" + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { 
@@ -3086,186 +3019,315 @@ }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "len_min": 1 } }, { "ssl": { - "required": false, - "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } }, { "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", "required": false, - "default": 5, "type": "integer", - "description": "Maximum retry attempts for redirection." 
+ "default": 5 } }, { "connection_is_proxied": { - "required": false, - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } } ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", "shorthand_fields": [ { "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + 
"connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true } } - ], - "description": "openid-connect plugin configuration.", - "type": "record" + ] } } ], "type": "record" - }, - "description": "List of openid_connect strategies." + } } } ], "default": [ - ], - "description": "The map of v2 strategies." + ] } } ], - "required": true, + "type": "record", "entity_checks": [ ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/ldap-auth-advanced/3.8.x.json b/schemas/ldap-auth-advanced/3.8.x.json index 542f5c10..34b7b64a 100644 --- a/schemas/ldap-auth-advanced/3.8.x.json +++ b/schemas/ldap-auth-advanced/3.8.x.json @@ -1,17 +1,7 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", @@ -20,6 +10,8 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -30,23 +22,22 @@ "ws", "wss" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -55,125 +46,126 @@ "fields": [ { "ldap_host": { - "required": true, "description": "Host on which the LDAP server is running.", - "type": "string" + "type": "string", + "required": true } }, { "ldap_password": { "description": "The password to the LDAP server.", - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "ldap_port": { - "default": 389, "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", - "type": "number" + "type": "number", + "default": 389 } }, { "bind_dn": { - "referenceable": true, "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", - "type": "string" + "type": "string", + "referenceable": true } }, { "ldaps": { - "required": true, - "default": false, "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": false } }, { "start_tls": { - "required": true, - "default": false, "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": false } }, { "verify_ldap_host": { - "required": true, - "default": false, "description": "Set to `true` to authenticate LDAP server. 
The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": false } }, { "base_dn": { - "required": true, "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", - "type": "string" + "type": "string", + "required": true } }, { "attribute": { - "required": true, "description": "Attribute to be used to search the user; e.g., \"cn\".", - "type": "string" + "type": "string", + "required": true } }, { "cache_ttl": { - "required": true, - "default": 60, "description": "Cache expiry time in seconds.", - "type": "number" + "type": "number", + "required": true, + "default": 60 } }, { "hide_credentials": { - "default": false, "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "timeout": { - "default": 10000, "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", - "type": "number" + "type": "number", + "default": 10000 } }, { "keepalive": { - "default": 60000, "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", - "type": "number" + "type": "number", + "default": 60000 } }, { "anonymous": { "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "default": "", "type": "string", - "len_min": 0 + "len_min": 0, + "default": "" } }, { "header_type": { - "default": "ldap", "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", - "type": "string" + "type": "string", + "default": "ldap" } }, { "consumer_optional": { - "required": false, - "default": false, "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } }, { "consumer_by": { + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", "required": false, "elements": { "type": "string", 
@@ -186,57 +178,65 @@ "default": [ "username", "custom_id" - ], - "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both." + ] } }, { "group_base_dn": { - "type": "string", - "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'." + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", + "type": "string" } }, { "group_name_attribute": { - "type": "string", - "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive." + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", + "type": "string" } }, { "group_member_attribute": { - "default": "memberOf", "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive.", - "type": "string" + "type": "string", + "default": "memberOf" } }, { "log_search_results": { - "required": false, - "default": false, "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } }, { "groups_required": { - "required": false, "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. 
- When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", + "type": "array", + "required": false, "elements": { "type": "string" - }, - "type": "array" + } } }, { "realm": { - "required": false, "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", - "type": "string" + "type": "string", + "required": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/ldap-auth/3.8.x.json b/schemas/ldap-auth/3.8.x.json index 97c09274..109c2af9 100644 --- a/schemas/ldap-auth/3.8.x.json +++ b/schemas/ldap-auth/3.8.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", @@ -22,6 +18,8 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ @@ -32,15 +30,14 @@ "ws", "wss" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -49,130 +46,133 @@ "fields": [ { "ldap_host": { - "required": true, "description": "A string representing a host name, such as example.com.", + "required": true, "type": "string" } }, { "ldap_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true, - "type": "integer", "between": [ 0, 65535 ], - "default": 389, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer", + "default": 389 } }, { "ldaps": { + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", "required": true, - "default": false, "type": "boolean", - "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled." + "default": false } }, { "start_tls": { + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", "required": true, - "default": false, "type": "boolean", - "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled." + "default": false } }, { "verify_ldap_host": { + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", "required": true, - "default": false, "type": "boolean", - "description": "Set to `true` to authenticate LDAP server. 
The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive." + "default": false } }, { "base_dn": { + "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", "required": true, - "type": "string", - "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com" + "type": "string" } }, { "attribute": { + "description": "Attribute to be used to search the user; e.g. cn", "required": true, - "type": "string", - "description": "Attribute to be used to search the user; e.g. cn" + "type": "string" } }, { "cache_ttl": { + "description": "Cache expiry time in seconds.", "required": true, - "default": 60, "type": "number", - "description": "Cache expiry time in seconds." + "default": 60 } }, { "hide_credentials": { + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", "required": true, - "default": false, "type": "boolean", - "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request." + "default": false } }, { "timeout": { - "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", "type": "number", - "description": "An optional timeout in milliseconds when waiting for connection with LDAP server." + "default": 10000 } }, { "keepalive": { - "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", "type": "number", - "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed." 
+ "default": 60000 } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`.", + "type": "string" } }, { "header_type": { - "default": "ldap", + "description": "An optional string to use as part of the Authorization header", "type": "string", - "description": "An optional string to use as part of the Authorization header" + "default": "ldap" } }, { "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "required": false, - "type": "string", - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value." + "type": "string" } } ], - "required": true, + "type": "record", "entity_checks": [ { "conditional": { - "then_match": { - "eq": false - }, "then_field": "start_tls", + "if_field": "ldaps", + "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", "if_match": { "eq": true }, - "if_field": "ldaps", - "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously" + "then_match": { + "eq": false + } } } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/loggly/3.8.x.json b/schemas/loggly/3.8.x.json index 38d91448..a9bae72c 100644 --- a/schemas/loggly/3.8.x.json +++ b/schemas/loggly/3.8.x.json 
@@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -45,43 +42,45 @@ "fields": [ { "host": { - "default": "logs-01.loggly.com", "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "default": "logs-01.loggly.com" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 514, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 514 } }, { "key": { - "required": true, "referenceable": true, - "encrypted": true, - "type": "string" + "required": true, + "type": "string", + "encrypted": true } }, { "tags": { + "type": "set", "default": [ "kong" ], "elements": { "type": "string" - }, - "type": "set" + } } }, { "log_level": { + "type": "string", + "default": "info", "one_of": [ "debug", "info", @@ -91,13 +90,13 @@ "crit", "alert", "emerg" - ], - "default": "info", - "type": "string" + ] } }, { "successful_severity": { + "type": "string", + "default": "info", "one_of": [ "debug", "info", 
@@ -107,13 +106,13 @@ "crit", "alert", "emerg" - ], - "default": "info", - "type": "string" + ] } }, { "client_errors_severity": { + "type": "string", + "default": "info", "one_of": [ "debug", "info", @@ -123,13 +122,13 @@ "crit", "alert", "emerg" - ], - "default": "info", - "type": "string" + ] } }, { "server_errors_severity": { + "type": "string", + "default": "info", "one_of": [ "debug", "info", @@ -139,15 +138,13 @@ "crit", "alert", "emerg" - ], - "default": "info", - "type": "string" + ] } }, { "timeout": { - "type": "number", - "default": 10000 + "default": 10000, + "type": "number" } }, { @@ -156,18 +153,21 @@ "type": "string", "len_min": 1 }, - "description": "Lua code as a key-value map", + "type": "map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, - "type": "map" + "description": "Lua code as a key-value map" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/mocking/3.8.x.json b/schemas/mocking/3.8.x.json index ae499b46..1901c745 100644 --- a/schemas/mocking/3.8.x.json +++ b/schemas/mocking/3.8.x.json @@ -1,15 +1,8 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.api_specification_filename", - "config.api_specification" - ] - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -26,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -43,89 +35,97 @@ "fields": [ { "api_specification_filename": { - "required": false, "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", + "required": false, "type": "string" } }, { "api_specification": { + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", "required": false, - "type": "string", - "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field." + "type": "string" } }, { "random_delay": { - "default": false, "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "max_delay_time": { - "default": 1, "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", - "type": "number" + "type": "number", + "default": 1 } }, { "min_delay_time": { - "default": 0.001, "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`.", - "type": "number" + "type": "number", + "default": 0.001 } }, { "random_examples": { - "default": false, "description": "Randomly selects one example and returns it. 
This parameter requires the spec to have multiple examples configured.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "included_status_codes": { + "description": "A global list of the HTTP status codes that can only be selected and returned.", "type": "array", "elements": { "type": "integer" - }, - "description": "A global list of the HTTP status codes that can only be selected and returned." + } } }, { "random_status_code": { - "required": true, - "default": false, "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": false } }, { "include_base_path": { - "required": true, - "default": false, "description": "Indicates whether to include the base path when performing path match evaluation.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": false } }, { "custom_base_path": { + "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", "required": false, + "starts_with": "/", + "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ], - "type": "string", - "starts_with": "/", - "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`." + ] } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.api_specification_filename", + "config.api_specification" + ] + } ] } \ No newline at end of file diff --git a/schemas/mtls-auth/3.8.x.json b/schemas/mtls-auth/3.8.x.json index 0785c215..8def91e2 100644 --- a/schemas/mtls-auth/3.8.x.json +++ b/schemas/mtls-auth/3.8.x.json 
@@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -29,15 +27,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -46,12 +43,13 @@ "fields": [ { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "consumer_by": { + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", "required": false, "elements": { "type": "string", 
@@ -64,131 +62,130 @@ "default": [ "username", "custom_id" - ], - "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled." + ] } }, { "ca_certificates": { + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", "required": true, "type": "array", "elements": { "type": "string", "uuid": true - }, - "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`)." + } } }, { "cache_ttl": { + "description": "Cache expiry time in seconds.", "required": true, - "default": 60, "type": "number", - "description": "Cache expiry time in seconds." + "default": 60 } }, { "skip_consumer_lookup": { + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", "required": true, - "default": false, "type": "boolean", - "description": "Skip consumer lookup once certificate is trusted against the configured CA list." + "default": false } }, { "allow_partial_chain": { + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", "required": true, - "default": false, "type": "boolean", - "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates." + "default": false } }, { "authenticated_group_by": { + "description": "Certificate property to use as the authenticated group. 
Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "required": false, - "type": "string", - "default": "CN", "one_of": [ "CN", "DN" ], - "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users." + "type": "string", + "default": "CN" } }, { "revocation_check_mode": { + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "required": false, - "type": "string", - "default": "IGNORE_CA_ERROR", "one_of": [ "SKIP", "IGNORE_CA_ERROR", "STRICT" ], - "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status." 
+ "type": "string", + "default": "IGNORE_CA_ERROR" } }, { "http_timeout": { - "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", "type": "number", - "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL." + "default": 30000 } }, { "cert_cache_ttl": { - "default": 60000, + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", "type": "number", - "description": "The length of time in milliseconds between refreshes of the revocation check status cache." + "default": 60000 } }, { "send_ca_dn": { - "default": false, + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", "type": "boolean", - "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message." + "default": false } }, { "default_consumer": { - "type": "string", - "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." 
+ "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } } ], - "required": true, + "type": "record", "entity_checks": [ { "mutually_required": [ @@ -203,8 +200,11 @@ ] } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/oas-validation/3.8.x.json b/schemas/oas-validation/3.8.x.json index 35f99dd3..307e1a6d 100644 --- a/schemas/oas-validation/3.8.x.json +++ b/schemas/oas-validation/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -38,133 +35,136 @@ "fields": [ { "api_spec": { + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format.", "required": true, - "type": "string", - "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format." + "type": "string" } }, { "verbose_response": { - "required": false, - "default": false, + "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", "type": "boolean", - "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing." + "required": false, + "default": false } }, { "validate_request_body": { - "required": false, - "default": true, + "description": "If set to true, validates the request body content against the API specification.", "type": "boolean", - "description": "If set to true, validates the request body content against the API specification." + "required": false, + "default": true } }, { "notify_only_request_validation_failure": { - "required": false, - "default": false, + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", "type": "boolean", - "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow." 
+ "required": false, + "default": false } }, { "validate_request_header_params": { - "required": false, - "default": true, + "description": "If set to true, validates HTTP header parameters against the API specification.", "type": "boolean", - "description": "If set to true, validates HTTP header parameters against the API specification." + "required": false, + "default": true } }, { "validate_request_query_params": { - "required": false, - "default": true, + "description": "If set to true, validates query parameters against the API specification.", "type": "boolean", - "description": "If set to true, validates query parameters against the API specification." + "required": false, + "default": true } }, { "validate_request_uri_params": { - "required": false, - "default": true, + "description": "If set to true, validates URI parameters in the request against the API specification.", "type": "boolean", - "description": "If set to true, validates URI parameters in the request against the API specification." + "required": false, + "default": true } }, { "validate_response_body": { - "required": false, - "default": false, + "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", "type": "boolean", - "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code." + "required": false, + "default": false } }, { "notify_only_response_body_validation_failure": { - "required": false, - "default": false, + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", "type": "boolean", - "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow." 
+ "required": false, + "default": false } }, { "query_parameter_check": { - "required": true, - "default": false, + "description": "If set to true, checks if query parameters in the request exist in the API specification.", "type": "boolean", - "description": "If set to true, checks if query parameters in the request exist in the API specification." + "required": true, + "default": false } }, { "header_parameter_check": { - "required": true, - "default": false, + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", "type": "boolean", - "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification." + "required": true, + "default": false } }, { "allowed_header_parameters": { - "required": false, - "default": "Host,Content-Type,User-Agent,Accept,Content-Length", + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", "type": "string", - "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent." 
+ "required": false, + "default": "Host,Content-Type,User-Agent,Accept,Content-Length" } }, { "include_base_path": { - "required": true, - "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation.", "type": "boolean", - "description": "Indicates whether to include the base path when performing path match evaluation." + "required": true, + "default": false } }, { "api_spec_encoded": { - "required": true, - "default": true, + "description": "Indicates whether the api_spec is URI-Encoded.", "type": "boolean", - "description": "Indicates whether the api_spec is URI-Encoded." + "required": true, + "default": true } }, { "custom_base_path": { + "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", "required": false, + "starts_with": "/", + "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ], - "type": "string", - "starts_with": "/", - "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`." + ] } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/oauth2-introspection/3.8.x.json b/schemas/oauth2-introspection/3.8.x.json index 89a4a764..95956e5b 100644 --- a/schemas/oauth2-introspection/3.8.x.json +++ b/schemas/oauth2-introspection/3.8.x.json @@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
@@ -29,15 +27,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -46,107 +43,108 @@ "fields": [ { "introspection_url": { - "required": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": true, "type": "string" } }, { "ttl": { - "default": 30, + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", "type": "number", - "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration." + "default": 30 } }, { "token_type_hint": { - "type": "string", - "description": "The `token_type_hint` value to associate to introspection requests." + "description": "The `token_type_hint` value to associate to introspection requests.", + "type": "string" } }, { "authorization_value": { + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", "required": true, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`)." + "referenceable": true, + "encrypted": true } }, { "timeout": { - "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", "type": "integer", - "description": "An optional timeout in milliseconds when sending data to the upstream server." + "default": 10000 } }, { "keepalive": { - "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", "type": "integer", - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." 
+ "default": 60000 } }, { "introspect_request": { + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", "required": true, - "default": false, "type": "boolean", - "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request." + "default": false } }, { "hide_credentials": { - "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request.", "type": "boolean", - "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request." + "default": false } }, { "run_on_preflight": { - "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", "type": "boolean", - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed." + "default": true } }, { "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "len_min": 0, - "default": "", "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "default": "" } }, { "consumer_by": { + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", "required": true, - "type": "string", - "default": "username", "one_of": [ "username", "client_id" ], - "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`." + "type": "string", + "default": "username" } }, { "custom_introspection_headers": { + "description": "A list of custom headers to be added in the introspection request.", "required": true, - "type": "map", + "values": { + "type": "string" + }, "keys": { "type": "string" }, + "type": "map", "default": [ - ], - "values": { - "type": "string" - }, - "description": "A list of custom headers to be added in the introspection request." + ] } }, { "custom_claims_forward": { + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", "required": true, "elements": { "type": "string" 
@@ -154,14 +152,16 @@ "type": "set", "default": [ - ], - "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`." + ] } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/oauth2/3.8.x.json b/schemas/oauth2/3.8.x.json index cbacf7c3..4ae42794 100644 --- a/schemas/oauth2/3.8.x.json +++ b/schemas/oauth2/3.8.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", @@ -22,6 +18,8 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -32,190 +30,192 @@ "ws", "wss" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, "fields": [ { "scopes": { "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "mandatory_scope": { + "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", "required": true, - "default": false, "type": "boolean", - "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user." + "default": false } }, { "provision_key": { - "required": true, - "auto": true, "description": "The unique key the plugin has generated when it has been added to the Service.", + "required": true, + "unique": true, "type": "string", - "encrypted": true, - "unique": true + "auto": true, + "encrypted": true } }, { "token_expiration": { + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration.", "required": true, - "default": 7200, "type": "number", - "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration." 
+ "default": 7200 } }, { "enable_authorization_code": { + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", "required": true, - "default": false, "type": "boolean", - "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1)." + "default": false } }, { "enable_implicit_grant": { + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", "required": true, - "default": false, "type": "boolean", - "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2)." + "default": false } }, { "enable_client_credentials": { + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", "required": true, - "default": false, "type": "boolean", - "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4)." + "default": false } }, { "enable_password_grant": { + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", "required": true, - "default": false, "type": "boolean", - "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3)." + "default": false } }, { "hide_credentials": { + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", "required": true, - "default": false, "type": "boolean", - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service." 
+ "default": false } }, { "accept_http_if_already_terminated": { + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", "required": true, - "default": false, "type": "boolean", - "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer." + "default": false } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" } }, { "global_credentials": { + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", "required": true, - "default": false, "type": "boolean", - "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`." + "default": false } }, { "auth_header_name": { - "default": "authorization", + "description": "The name of the header that is supposed to carry the access token.", "type": "string", - "description": "The name of the header that is supposed to carry the access token." 
+ "default": "authorization" } }, { "refresh_token_ttl": { + "description": "Time-to-live value for data", "required": true, - "type": "number", "between": [ 0, 100000000 ], - "default": 1209600, - "description": "Time-to-live value for data" + "type": "number", + "default": 1209600 } }, { "reuse_refresh_token": { + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", "required": true, - "default": false, "type": "boolean", - "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token." + "default": false } }, { "persistent_refresh_token": { + "type": "boolean", "required": true, - "default": false, - "type": "boolean" + "default": false } }, { "pkce": { + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", "required": false, - "type": "string", - "default": "lax", "one_of": [ "none", "lax", "strict" ], - "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin." + "type": "string", + "default": "lax" } }, { "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "required": false, - "type": "string", - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value." + "type": "string" } } ], "entity_checks": [ { "conditional": { - "then_field": "scopes", + "if_field": "mandatory_scope", "if_match": { "eq": true }, + "then_field": "scopes", "then_match": { "required": true - }, - "if_field": "mandatory_scope" + } } } ], + "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/opa/3.8.x.json b/schemas/opa/3.8.x.json index 448b6cb1..e23d2064 100644 --- a/schemas/opa/3.8.x.json +++ b/schemas/opa/3.8.x.json 
@@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -29,15 +27,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -47,67 +44,67 @@ { "opa_protocol": { "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", + "type": "string", "default": "http", "one_of": [ "http", "https" - ], - "type": "string" + ] } }, { "opa_host": { - "required": true, - "default": "localhost", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "localhost" } }, { "opa_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true, - "type": "integer", "between": [ 0, 65535 ], - "default": 8181, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer", + "default": 8181 } }, { "opa_path": { - "required": true, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "type": "string", + "required": true, "starts_with": "/", + "type": "string", "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "include_service_in_opa_input": { - "default": false, "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "include_route_in_opa_input": { - "default": false, "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "include_consumer_in_opa_input": { - "default": false, "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", - "type": "boolean" + "type": "boolean", + "default": false } }, { 
@@ -118,30 +115,33 @@ }, { "include_parsed_json_body_in_opa_input": { - "default": false, "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "include_uri_captures_in_opa_input": { - "default": false, "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "ssl_verify": { - "required": true, - "default": true, "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/openid-connect/3.8.x.json b/schemas/openid-connect/3.8.x.json index 480ff114..de68751a 100644 --- a/schemas/openid-connect/3.8.x.json +++ b/schemas/openid-connect/3.8.x.json @@ -1,24 +1,16 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
@@ -35,1010 +27,939 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "shorthand_fields": [ - { - "authorization_cookie_lifetime": { - "deprecation": { - "message": "openid-connect: config.authorization_cookie_lifetime is deprecated, please use config.authorization_rolling_timeout instead", - "removal_in_version": "4.0" - }, - "type": "number" - } - }, - { - "authorization_cookie_samesite": { - "deprecation": { - "message": "openid-connect: config.authorization_cookie_samesite is deprecated, please use config.authorization_cookie_same_site instead", - "removal_in_version": "4.0" - }, - "type": "string" - } - }, - { - "authorization_cookie_httponly": { - "deprecation": { - "message": "openid-connect: config.authorization_cookie_httponly is deprecated, please use config.authorization_cookie_http_only instead", - "removal_in_version": "4.0" - }, - "type": "boolean" - } - }, - { - "session_cookie_lifetime": { - "deprecation": { - "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead", - "removal_in_version": "4.0" - }, - "type": "number" - } - }, - { - "session_cookie_idletime": { - "deprecation": { - "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead", - "removal_in_version": "4.0" - }, - "type": "number" - } - }, - { - "session_cookie_samesite": { - "deprecation": { - "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead", - "removal_in_version": "4.0" - }, - "type": "string" - } - }, - { - "session_cookie_httponly": { - "deprecation": { - "message": "openid-connect: 
config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead", - "removal_in_version": "4.0" - }, - "type": "boolean" - } - }, - { - "session_memcache_prefix": { - "deprecation": { - "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead", - "removal_in_version": "4.0" - }, - "type": "string" - } - }, - { - "session_memcache_socket": { - "deprecation": { - "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead", - "removal_in_version": "4.0" - }, - "type": "string" - } - }, + "fields": [ { - "session_memcache_host": { - "deprecation": { - "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead", - "removal_in_version": "4.0" - }, + "issuer": { + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "required": true, "type": "string" } }, { - "session_memcache_port": { - "deprecation": { - "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead", - "removal_in_version": "4.0" - }, - "type": "integer" + "using_pseudo_issuer": { + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "type": "boolean", + "required": false, + "default": false } }, { - "session_cookie_renew": { - "deprecation": { - "message": "openid-connect: config.session_cookie_renew option does not exist anymore", - "removal_in_version": "4.0" - }, - "type": "number" + "discovery_headers_names": { + "description": "Extra header names passed to the discovery endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } } }, { - "session_cookie_maxsize": { - "deprecation": { - "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore", - "removal_in_version": "4.0" - }, - "type": "integer" + "discovery_headers_values": { + "description": "Extra header values passed to the discovery endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } } }, { - "session_strategy": { - "deprecation": { - "message": "openid-connect: config.session_strategy option does not exist anymore", - "removal_in_version": "4.0" - }, - "type": "string" + "extra_jwks_uris": { + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "type": "set", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { - "session_compressor": { - "deprecation": { - "message": "openid-connect: config.session_compressor option does not exist anymore", - "removal_in_version": "4.0" - }, - "type": "string" + "rediscovery_lifetime": { + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. 
Discovery is still triggered on an as-needed basis.", + "type": "number", + "required": false, + "default": 30 } }, { - "session_redis_prefix": { - "deprecation": { - "message": "openid-connect: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", - "removal_in_version": "4.0" + "auth_methods": { + "description": "Types of credentials/grants to enable.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] }, - "translate_backwards": [ - "redis", - "prefix" - ], - "type": "string" + "type": "array", + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] } }, { - "session_redis_socket": { - "deprecation": { - "message": "openid-connect: config.session_redis_socket is deprecated, please use config.redis.socket instead", - "removal_in_version": "4.0" + "client_id": { + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "required": false, + "elements": { + "type": "string", + "referenceable": true }, - "translate_backwards": [ - "redis", - "socket" - ], - "type": "string" + "type": "array", + "encrypted": true } }, { - "session_redis_host": { - "deprecation": { - "message": "openid-connect: config.session_redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0" + "client_secret": { + "description": "The client secret.", + "required": false, + "elements": { + "type": "string", + "referenceable": true }, - "translate_backwards": [ - "redis", - "host" - ], - "type": "string" + "type": "array", + "encrypted": true } }, { - "session_redis_port": { - "deprecation": { - "message": "openid-connect: config.session_redis_port is deprecated, please use 
config.redis.port instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "port" - ], - "type": "integer" + "client_auth": { + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } } }, { - "session_redis_username": { - "deprecation": { - "message": "openid-connect: config.redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "username" - ], - "type": "string" + "client_jwk": { + "description": "The JWK used for the private_key_jwt authentication.", + "type": "array", + "required": false, + "elements": { + "fields": [ + { + "issuer": { + "required": false, + "type": "string" + } + }, + { + "kty": { + "required": false, + "type": "string" + } + }, + { + "use": { + "required": false, + "type": "string" + } + }, + { + "key_ops": { + "required": false, + "type": "array", + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "alg": { + "required": false, + "type": "string" + } + }, + { + "kid": { + "required": false, + "type": "string" + } + }, + { + "x5u": { + "required": false, + "type": "string" + } + }, + { + "x5c": { + "required": false, + "type": "array", + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "x5t": { + "required": false, + "type": "string" + } + }, + { + "x5t#S256": { + "required": 
false, + "type": "string" + } + }, + { + "k": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "x": { + "required": false, + "type": "string" + } + }, + { + "y": { + "required": false, + "type": "string" + } + }, + { + "crv": { + "required": false, + "type": "string" + } + }, + { + "n": { + "required": false, + "type": "string" + } + }, + { + "e": { + "required": false, + "type": "string" + } + }, + { + "d": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "p": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "q": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "dp": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "dq": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "qi": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "oth": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "r": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "t": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + } + ], + "type": "record", + "required": false + } } }, { - "session_redis_password": { - "deprecation": { - "message": "openid-connect: config.session_redis_password is deprecated, please use config.redis.password instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "password" - ], - "type": "string" + "client_alg": { + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "HS256", + 
"HS384", + "HS512", + "RS256", + "RS384", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + } } }, { - "session_redis_connect_timeout": { - "deprecation": { - "message": "openid-connect: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "connect_timeout" - ], - "type": "integer" + "client_arg": { + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "type": "string", + "required": false, + "default": "client_id" } }, { - "session_redis_read_timeout": { - "deprecation": { - "message": "openid-connect: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "read_timeout" - ], - "type": "integer" + "redirect_uri": { + "description": "The redirect URI passed to the authorization and token endpoints.", + "type": "array", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { - "session_redis_send_timeout": { - "deprecation": { - "message": "openid-connect: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "send_timeout" - ], - "type": "integer" + "login_redirect_uri": { + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "type": "array", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string", + "referenceable": true + } } }, { - "session_redis_ssl": { - "deprecation": { - "message": "openid-connect: config.session_redis_ssl is deprecated, 
please use config.redis.ssl instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "ssl" - ], - "type": "boolean" + "logout_redirect_uri": { + "description": "Where to redirect the client after the logout.", + "type": "array", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string", + "referenceable": true + } } }, { - "session_redis_ssl_verify": { - "deprecation": { - "message": "openid-connect: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "ssl_verify" - ], - "type": "boolean" + "forbidden_redirect_uri": { + "description": "Where to redirect the client on forbidden requests.", + "type": "array", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { - "session_redis_server_name": { - "deprecation": { - "message": "openid-connect: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "server_name" - ], - "type": "string" + "forbidden_error_message": { + "description": "The error message for the forbidden requests (when not using the redirection).", + "type": "string", + "required": false, + "default": "Forbidden" } }, { - "session_redis_cluster_nodes": { - "deprecation": { - "message": "openid-connect: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", - "removal_in_version": "4.0" - }, - "elements": { - "fields": [ - { - "ip": { - "required": true, - "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com.", - "type": "string" - } - }, - { - "port": { - "between": [ - 0, - 65535 - ], - "default": 
6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" - } - } - ], - "type": "record" - }, - "translate_backwards": [ - "redis", - "cluster_nodes" - ], - "type": "array" + "forbidden_destroy_session": { + "description": "Destroy any active session for the forbidden requests.", + "type": "boolean", + "required": false, + "default": true } }, { - "session_redis_cluster_max_redirections": { - "deprecation": { - "message": "openid-connect: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "cluster_max_redirections" - ], - "type": "integer" + "unauthorized_destroy_session": { + "description": "Destroy any active session for the unauthorized requests.", + "type": "boolean", + "required": false, + "default": true } - } - ], - "fields": [ + }, { - "issuer": { - "required": true, - "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", - "type": "string" + "unauthorized_redirect_uri": { + "description": "Where to redirect the client on unauthorized requests.", + "type": "array", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { - "using_pseudo_issuer": { + "unauthorized_error_message": { + "description": "The error message for the unauthorized requests (when not using the redirection).", + "type": "string", "required": false, - "default": false, - "type": "boolean", - "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`." 
+ "default": "Unauthorized" } }, { - "discovery_headers_names": { - "required": false, + "unexpected_redirect_uri": { + "description": "Where to redirect the client when unexpected errors happen with the requests.", "type": "array", + "required": false, "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" - }, - "description": "Extra header names passed to the discovery endpoint." + } } }, { - "discovery_headers_values": { + "response_mode": { + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "required": false, + "one_of": [ + "query", + "form_post", + "fragment", + "query.jwt", + "form_post.jwt", + "fragment.jwt", + "jwt" + ], + "type": "string", + "default": "query" + } + }, + { + "response_type": { + "description": "The response type passed to the authorization endpoint.", "required": false, - "type": "array", "elements": { "type": "string" }, - "description": "Extra header values passed to the discovery endpoint." + "type": "array", + "default": [ + "code" + ] } }, { - "extra_jwks_uris": { + "scopes": { + "description": "The scopes passed to the authorization and token endpoints.", "required": false, - "type": "set", "elements": { "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "referenceable": true }, - "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery)." 
+ "type": "array", + "default": [ + "openid" + ] } }, { - "rediscovery_lifetime": { + "audience": { + "description": "The audience passed to the authorization endpoint.", + "type": "array", "required": false, - "default": 30, - "type": "number", - "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis." + "elements": { + "type": "string" + } } }, { - "auth_methods": { + "issuers_allowed": { + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "type": "array", "required": false, "elements": { - "type": "string", - "one_of": [ - "password", - "client_credentials", - "authorization_code", - "bearer", - "introspection", - "userinfo", - "kong_oauth2", - "refresh_token", - "session" - ] + "type": "string" + } + } + }, + { + "scopes_required": { + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "scopes_claim": { + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "elements": { + "type": "string" }, "type": "array", "default": [ - "password", - "client_credentials", - "authorization_code", - "bearer", - "introspection", - "userinfo", - "kong_oauth2", - "refresh_token", - "session" - ], - "description": "Types of credentials/grants to enable." + "scope" + ] } }, { - "client_id": { + "audience_required": { + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.", + "type": "array", "required": false, "elements": { - "type": "string", - "referenceable": true + "type": "string" + } + } + }, + { + "audience_claim": { + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "elements": { + "type": "string" }, "type": "array", - "encrypted": true, - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." + "default": [ + "aud" + ] + } + }, + { + "groups_required": { + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } } }, { - "client_secret": { + "groups_claim": { + "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, "elements": { - "type": "string", - "referenceable": true + "type": "string" }, "type": "array", - "encrypted": true, - "description": "The client secret." + "default": [ + "groups" + ] } }, { - "client_auth": { - "required": false, + "roles_required": { + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "type": "array", + "required": false, "elements": { - "type": "string", - "one_of": [ - "client_secret_basic", - "client_secret_post", - "client_secret_jwt", - "private_key_jwt", - "tls_client_auth", - "self_signed_tls_client_auth", - "none" - ] + "type": "string" + } + } + }, + { + "roles_claim": { + "description": "The claim that contains the roles. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "elements": { + "type": "string" }, - "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication)." + "type": "array", + "default": [ + "roles" + ] } }, { - "client_jwk": { + "domains": { + "description": "The allowed values for the `hd` claim.", + "type": "array", "required": false, + "elements": { + "type": "string" + } + } + }, + { + "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "type": "number", + "required": false + } + }, + { + "authenticated_groups_claim": { + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", + "required": false, "elements": { - "required": false, - "fields": [ - { - "issuer": { - "required": false, - "type": "string" - } - }, - { - "kty": { - "required": false, - "type": "string" - } - }, - { - "use": { - "required": false, - "type": "string" - } - }, - { - "key_ops": { - "required": false, - "elements": { - "required": false, - "type": "string" - }, - "type": "array" - } - }, - { - "alg": { - "required": false, - "type": "string" - } - }, - { - "kid": { - "required": false, - "type": "string" - } - }, - { - "x5u": { - "required": false, - "type": "string" - } - }, - { - "x5c": { - "required": false, - "elements": { - "required": false, - "type": "string" - }, - "type": "array" - } - }, - { - "x5t": { - "required": false, - "type": "string" - } - }, - { - "x5t#S256": { - "required": false, - "type": "string" - } - }, - { - "k": { - "required": false, - "referenceable": true, - "encrypted": true, - "type": "string" - } - }, - { - "x": { - "required": false, - "type": "string" - } - }, - { - "y": { - "required": false, - "type": "string" - } - }, - { - "crv": { - "required": false, - "type": "string" - } - }, - { - "n": { - "required": false, - "type": "string" - } - }, - { - "e": { - "required": false, - "type": "string" - } - }, - { - "d": { - "required": false, - "referenceable": true, - "encrypted": true, - "type": "string" - } - }, - { - "p": { - "required": false, - "referenceable": true, - "encrypted": true, - "type": "string" - } - }, - { - "q": { - "required": false, - "referenceable": true, - "encrypted": true, - "type": "string" - } - }, - { - "dp": { - "required": false, - "referenceable": true, - "encrypted": true, - "type": "string" - } - }, - { - "dq": { - "required": false, - "referenceable": true, - "encrypted": true, - "type": "string" - } - }, - { - "qi": { - "required": false, - "referenceable": true, - "encrypted": true, 
- "type": "string" - } - }, - { - "oth": { - "required": false, - "referenceable": true, - "encrypted": true, - "type": "string" - } - }, - { - "r": { - "required": false, - "referenceable": true, - "encrypted": true, - "type": "string" - } - }, - { - "t": { - "required": false, - "referenceable": true, - "encrypted": true, - "type": "string" - } - } - ], - "type": "record" - }, - "description": "The JWK used for the private_key_jwt authentication." + "type": "string" + } } }, { - "client_alg": { + "pushed_authorization_request_endpoint": { + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", "required": false, - "type": "array", - "elements": { - "type": "string", - "one_of": [ - "HS256", - "HS384", - "HS512", - "RS256", - "RS384", - "RS512", - "ES256", - "ES384", - "ES512", - "PS256", - "PS384", - "PS512", - "EdDSA" - ] - }, - "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication." + "type": "string" } }, { - "client_arg": { - "required": false, - "default": "client_id", + "pushed_authorization_request_endpoint_auth_method": { + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "type": "string", - "description": "The client to use for this request (the selection is made with a request parameter with the same name)." 
+ "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] } }, { - "redirect_uri": { - "required": false, - "type": "array", - "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "The redirect URI passed to the authorization and token endpoints." + "require_pushed_authorization_requests": { + "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "type": "boolean", + "required": false } }, { - "login_redirect_uri": { - "required": false, - "type": "array", - "elements": { - "referenceable": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" - }, - "description": "Where to redirect the client when `login_action` is set to `redirect`." + "require_proof_key_for_code_exchange": { + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "type": "boolean", + "required": false } }, { - "logout_redirect_uri": { + "require_signed_request_object": { + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. 
When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "type": "boolean", + "required": false + } + }, + { + "authorization_endpoint": { + "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", "required": false, + "type": "string" + } + }, + { + "authorization_query_args_names": { + "description": "Extra query argument names passed to the authorization endpoint.", "type": "array", + "required": false, "elements": { - "referenceable": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" - }, - "description": "Where to redirect the client after the logout." + } } }, { - "forbidden_redirect_uri": { - "required": false, + "authorization_query_args_values": { + "description": "Extra query argument values passed to the authorization endpoint.", "type": "array", + "required": false, "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client on forbidden requests." + "type": "string" + } } }, { - "forbidden_error_message": { + "authorization_query_args_client": { + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "type": "array", "required": false, - "default": "Forbidden", - "type": "string", - "description": "The error message for the forbidden requests (when not using the redirection)." + "elements": { + "type": "string" + } } }, { - "forbidden_destroy_session": { + "authorization_rolling_timeout": { + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling.", + "type": "number", "required": false, - "default": true, - "type": "boolean", - "description": "Destroy any active session for the forbidden requests." + "default": 600 } }, { - "unauthorized_destroy_session": { + "authorization_cookie_name": { + "description": "The authorization cookie name.", + "type": "string", "required": false, - "default": true, - "type": "boolean", - "description": "Destroy any active session for the unauthorized requests." + "default": "authorization" } }, { - "unauthorized_redirect_uri": { + "authorization_cookie_path": { + "description": "The authorization cookie Path flag.", "required": false, - "type": "array", - "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client on unauthorized requests." - } - }, - { - "unauthorized_error_message": { - "required": false, - "default": "Unauthorized", + "starts_with": "/", "type": "string", - "description": "The error message for the unauthorized requests (when not using the redirection)." + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "default": "/" } }, { - "unexpected_redirect_uri": { - "required": false, - "type": "array", - "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client when unexpected errors happen with the requests." 
+ "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", + "type": "string", + "required": false } }, { - "response_mode": { + "authorization_cookie_same_site": { + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "required": false, - "type": "string", - "default": "query", "one_of": [ - "query", - "form_post", - "fragment", - "query.jwt", - "form_post.jwt", - "fragment.jwt", - "jwt" + "Strict", + "Lax", + "None", + "Default" ], - "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type." + "type": "string", + "default": "Default" } }, { - "response_type": { + "authorization_cookie_http_only": { + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean", "required": false, - "elements": { - "type": "string" - }, - "type": "array", - "default": [ - "code" - ], - "description": "The response type passed to the authorization endpoint." + "default": true } }, { - "scopes": { - "required": false, - "elements": { - "type": "string", - "referenceable": true - }, - "type": "array", - "default": [ - "openid" - ], - "description": "The scopes passed to the authorization and token endpoints." 
+ "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean", + "required": false } }, { - "audience": { + "preserve_query_args": { + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "type": "boolean", "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "The audience passed to the authorization endpoint." + "default": false } }, { - "issuers_allowed": { + "token_endpoint": { + "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "The issuers allowed to be present in the tokens (`iss` claim)." + "type": "string" } }, { - "scopes_required": { + "token_endpoint_auth_method": { + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." 
+ "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] } }, { - "scopes_claim": { + "token_headers_names": { + "description": "Extra header names passed to the token endpoint.", + "type": "array", "required": false, "elements": { "type": "string" - }, - "type": "array", - "default": [ - "scope" - ], - "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { - "audience_required": { - "required": false, + "token_headers_values": { + "description": "Extra header values passed to the token endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } } }, { - "audience_claim": { + "token_headers_client": { + "description": "Extra headers passed from the client to the token endpoint.", + "type": "array", "required": false, "elements": { "type": "string" - }, - "type": "array", - "default": [ - "aud" - ], - "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { - "groups_required": { - "required": false, + "token_headers_replay": { + "description": "The names of token endpoint response headers to forward to the downstream client.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." 
+ } } }, { - "groups_claim": { - "required": false, - "elements": { - "type": "string" - }, - "type": "array", - "default": [ - "groups" - ], - "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload." + "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "type": "string", + "required": false } }, { - "roles_required": { - "required": false, + "token_headers_grants": { + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", "type": "array", + "required": false, "elements": { - "type": "string" - }, - "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token" + ] + } } }, { - "roles_claim": { + "token_post_args_names": { + "description": "Extra post argument names passed to the token endpoint.", + "type": "array", "required": false, "elements": { "type": "string" - }, - "type": "array", - "default": [ - "roles" - ], - "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { - "domains": { - "required": false, + "token_post_args_values": { + "description": "Extra post argument values passed to the token endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The allowed values for the `hd` claim." 
- } - }, - { - "max_age": { - "required": false, - "type": "number", - "description": "The maximum age (in seconds) compared to the `auth_time` claim." + } } }, { - "authenticated_groups_claim": { - "required": false, + "token_post_args_client": { + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { - "pushed_authorization_request_endpoint": { + "introspection_endpoint": { + "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", "required": false, - "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", "type": "string" } }, { - "pushed_authorization_request_endpoint_auth_method": { + "introspection_endpoint_auth_method": { + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "required": false, "one_of": [ "client_secret_basic", 
@@ -1048,1159 +969,917 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ], - "type": "string", - "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + ] } }, { - "require_pushed_authorization_requests": { + "introspection_hint": { + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "type": "string", "required": false, - "type": "boolean", - "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`)." + "default": "access_token" } }, { - "require_proof_key_for_code_exchange": { - "required": false, + "introspection_check_active": { + "description": "Check that the introspection response has an `active` claim with a value of `true`.", "type": "boolean", - "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled)." 
+ "required": false, + "default": true } }, { - "require_signed_request_object": { + "introspection_accept": { + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", "required": false, - "type": "boolean", - "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled)." + "one_of": [ + "application/json", + "application/token-introspection+jwt", + "application/jwt" + ], + "type": "string", + "default": "application/json" } }, { - "authorization_endpoint": { + "introspection_headers_names": { + "description": "Extra header names passed to the introspection endpoint.", + "type": "array", "required": false, - "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", - "type": "string" + "elements": { + "type": "string" + } } }, { - "authorization_query_args_names": { + "introspection_headers_values": { + "description": "Extra header values passed to the introspection endpoint.", "required": false, - "type": "array", "elements": { - "type": "string" + "type": "string", + "referenceable": true }, - "description": "Extra query argument names passed to the authorization endpoint." 
+ "type": "array", + "encrypted": true } }, { - "authorization_query_args_values": { - "required": false, + "introspection_headers_client": { + "description": "Extra headers passed from the client to the introspection endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra query argument values passed to the authorization endpoint." + } } }, { - "authorization_query_args_client": { - "required": false, + "introspection_post_args_names": { + "description": "Extra post argument names passed to the introspection endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra query arguments passed from the client to the authorization endpoint." + } } }, { - "authorization_rolling_timeout": { + "introspection_post_args_values": { + "description": "Extra post argument values passed to the introspection endpoint.", + "type": "array", "required": false, - "default": 600, - "type": "number", - "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." + "elements": { + "type": "string" + } } }, { - "authorization_cookie_name": { + "introspection_post_args_client": { + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "type": "array", "required": false, - "default": "authorization", - "type": "string", - "description": "The authorization cookie name." + "elements": { + "type": "string" + } } }, { - "authorization_cookie_path": { + "introspect_jwt_tokens": { + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "type": "boolean", "required": false, - "match_none": [ - { - "pattern": "//", - "err": "must not have empty segments" - } - ], - "type": "string", - "starts_with": "/", - "default": "/", - "description": "The authorization cookie Path flag." 
+ "default": false } }, { - "authorization_cookie_domain": { + "revocation_endpoint": { + "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", "required": false, - "type": "string", - "description": "The authorization cookie Domain flag." + "type": "string" } }, { - "authorization_cookie_same_site": { - "required": false, + "revocation_endpoint_auth_method": { + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "type": "string", - "default": "Default", + "required": false, "one_of": [ - "Strict", - "Lax", - "None", - "Default" - ], - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." - } - }, - { - "authorization_cookie_http_only": { - "required": false, - "default": true, - "type": "boolean", - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." - } - }, - { - "authorization_cookie_secure": { - "required": false, - "type": "boolean", - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] } }, { - "preserve_query_args": { + "end_session_endpoint": { + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", "required": false, - "default": false, - "type": "boolean", - "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow." 
+ "type": "string" } }, { - "token_endpoint": { + "userinfo_endpoint": { + "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", "required": false, - "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", "type": "string" } }, { - "token_endpoint_auth_method": { + "userinfo_accept": { + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", "required": false, "one_of": [ - "client_secret_basic", - "client_secret_post", - "client_secret_jwt", - "private_key_jwt", - "tls_client_auth", - "self_signed_tls_client_auth", - "none" + "application/json", + "application/jwt" ], "type": "string", - "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + "default": "application/json" } }, { - "token_headers_names": { - "required": false, + "userinfo_headers_names": { + "description": "Extra header names passed to the user info endpoint.", "type": "array", - "elements": { - "type": "string" - }, - "description": "Extra header names passed to the token endpoint." - } - }, - { - "token_headers_values": { "required": false, - "type": "array", "elements": { "type": "string" - }, - "description": "Extra header values passed to the token endpoint." + } } }, { - "token_headers_client": { - "required": false, + "userinfo_headers_values": { + "description": "Extra header values passed to the user info endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra headers passed from the client to the token endpoint." 
+ } } }, { - "token_headers_replay": { - "required": false, + "userinfo_headers_client": { + "description": "Extra headers passed from the client to the user info endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The names of token endpoint response headers to forward to the downstream client." - } - }, - { - "token_headers_prefix": { - "required": false, - "type": "string", - "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client." + } } }, { - "token_headers_grants": { - "required": false, + "userinfo_query_args_names": { + "description": "Extra query argument names passed to the user info endpoint.", "type": "array", - "elements": { - "type": "string", - "one_of": [ - "password", - "client_credentials", - "authorization_code", - "refresh_token" - ] - }, - "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant." - } - }, - { - "token_post_args_names": { "required": false, - "type": "array", "elements": { "type": "string" - }, - "description": "Extra post argument names passed to the token endpoint." + } } }, { - "token_post_args_values": { - "required": false, + "userinfo_query_args_values": { + "description": "Extra query argument values passed to the user info endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra post argument values passed to the token endpoint." 
+ } } }, { - "token_post_args_client": { - "required": false, + "userinfo_query_args_client": { + "description": "Extra query arguments passed from the client to the user info endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint." + } } }, { - "introspection_endpoint": { + "token_exchange_endpoint": { + "description": "The token exchange endpoint.", "required": false, - "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", "type": "string" } }, { - "introspection_endpoint_auth_method": { + "session_secret": { + "description": "The session secret.", "required": false, - "one_of": [ - "client_secret_basic", - "client_secret_post", - "client_secret_jwt", - "private_key_jwt", - "tls_client_auth", - "self_signed_tls_client_auth", - "none" - ], "type": "string", - "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + "referenceable": true, + "encrypted": true } }, { - "introspection_hint": { - "required": false, - "default": "access_token", + "session_audience": { + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", "type": "string", - "description": "Introspection hint parameter value passed to the introspection endpoint." 
+ "required": false, + "default": "default" } }, { - "introspection_check_active": { + "session_cookie_name": { + "description": "The session cookie name.", + "type": "string", "required": false, - "default": true, - "type": "boolean", - "description": "Check that the introspection response has an `active` claim with a value of `true`." + "default": "session" } }, { - "introspection_accept": { + "session_remember": { + "description": "Enables or disables persistent sessions.", + "type": "boolean", "required": false, - "type": "string", - "default": "application/json", - "one_of": [ - "application/json", - "application/token-introspection+jwt", - "application/jwt" - ], - "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)." + "default": false } }, { - "introspection_headers_names": { + "session_remember_cookie_name": { + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string", "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "Extra header names passed to the introspection endpoint." + "default": "remember" } }, { - "introspection_headers_values": { + "session_remember_rolling_timeout": { + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "type": "number", "required": false, - "elements": { - "type": "string", - "referenceable": true - }, - "type": "array", - "encrypted": true, - "description": "Extra header values passed to the introspection endpoint." 
+ "default": 604800 } }, { - "introspection_headers_client": { + "session_remember_absolute_timeout": { + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number", "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "Extra headers passed from the client to the introspection endpoint." + "default": 2592000 } }, { - "introspection_post_args_names": { + "session_idling_timeout": { + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "type": "number", "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "Extra post argument names passed to the introspection endpoint." + "default": 900 } }, { - "introspection_post_args_values": { + "session_rolling_timeout": { + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number", "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "Extra post argument values passed to the introspection endpoint." + "default": 3600 } }, { - "introspection_post_args_client": { + "session_absolute_timeout": { + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number", "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "Extra post arguments passed from the client to the introspection endpoint." + "default": 86400 } }, { - "introspect_jwt_tokens": { + "session_cookie_path": { + "description": "The session cookie Path flag.", "required": false, - "default": false, - "type": "boolean", - "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations)." 
+ "starts_with": "/", + "type": "string", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "default": "/" } }, { - "revocation_endpoint": { - "required": false, - "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", - "type": "string" + "session_cookie_domain": { + "description": "The session cookie Domain flag.", + "type": "string", + "required": false } }, { - "revocation_endpoint_auth_method": { + "session_cookie_same_site": { + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "required": false, "one_of": [ - "client_secret_basic", - "client_secret_post", - "client_secret_jwt", - "private_key_jwt", - "tls_client_auth", - "self_signed_tls_client_auth", - "none" + "Strict", + "Lax", + "None", + "Default" ], "type": "string", - "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + "default": "Lax" } }, { - "end_session_endpoint": { - "required": false, - "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", - "type": "string" - } - }, - { - "userinfo_endpoint": { + "session_cookie_http_only": { + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean", "required": false, - "description": "The user info endpoint. 
If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", - "type": "string" + "default": true } }, { - "userinfo_accept": { - "required": false, - "type": "string", - "default": "application/json", - "one_of": [ - "application/json", - "application/jwt" - ], - "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)." + "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean", + "required": false } }, { - "userinfo_headers_names": { + "session_request_headers": { + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", "required": false, - "type": "array", + "type": "set", "elements": { - "type": "string" - }, - "description": "Extra header names passed to the user info endpoint." + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } } }, { - "userinfo_headers_values": { + "session_response_headers": { + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", "required": false, - "type": "array", + "type": "set", "elements": { - "type": "string" - }, - "description": "Extra header values passed to the user info endpoint." 
- } - }, - { - "userinfo_headers_client": { - "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "Extra headers passed from the client to the user info endpoint." - } - }, - { - "userinfo_query_args_names": { - "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "Extra query argument names passed to the user info endpoint." - } - }, - { - "userinfo_query_args_values": { - "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "Extra query argument values passed to the user info endpoint." - } - }, - { - "userinfo_query_args_client": { - "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "Extra query arguments passed from the client to the user info endpoint." - } - }, - { - "token_exchange_endpoint": { - "required": false, - "description": "The token exchange endpoint.", - "type": "string" - } - }, - { - "session_secret": { - "required": false, - "referenceable": true, - "type": "string", - "encrypted": true, - "description": "The session secret." - } - }, - { - "session_audience": { - "required": false, - "default": "default", - "type": "string", - "description": "The session audience, which is the intended target application. For example `\"my-application\"`." - } - }, - { - "session_cookie_name": { - "required": false, - "default": "session", - "type": "string", - "description": "The session cookie name." - } - }, - { - "session_remember": { - "required": false, - "default": false, - "type": "boolean", - "description": "Enables or disables persistent sessions." - } - }, - { - "session_remember_cookie_name": { - "required": false, - "default": "remember", - "type": "string", - "description": "Persistent session cookie name. Use with the `remember` configuration parameter." 
- } - }, - { - "session_remember_rolling_timeout": { - "required": false, - "default": 604800, - "type": "number", - "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling." - } - }, - { - "session_remember_absolute_timeout": { - "required": false, - "default": 2592000, - "type": "number", - "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks." - } - }, - { - "session_idling_timeout": { - "required": false, - "default": 900, - "type": "number", - "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching." - } - }, - { - "session_rolling_timeout": { - "required": false, - "default": 3600, - "type": "number", - "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." - } - }, - { - "session_absolute_timeout": { - "required": false, - "default": 86400, - "type": "number", - "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks." - } - }, - { - "session_cookie_path": { - "required": false, - "match_none": [ - { - "pattern": "//", - "err": "must not have empty segments" - } - ], - "type": "string", - "starts_with": "/", - "default": "/", - "description": "The session cookie Path flag." - } - }, - { - "session_cookie_domain": { - "required": false, - "type": "string", - "description": "The session cookie Domain flag." - } - }, - { - "session_cookie_same_site": { - "required": false, - "type": "string", - "default": "Lax", - "one_of": [ - "Strict", - "Lax", - "None", - "Default" - ], - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." 
- } - }, - { - "session_cookie_http_only": { - "required": false, - "default": true, - "type": "boolean", - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." - } - }, - { - "session_cookie_secure": { - "required": false, - "type": "boolean", - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." - } - }, - { - "session_request_headers": { - "required": false, - "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", - "elements": { - "type": "string", - "one_of": [ - "id", - "audience", - "subject", - "timeout", - "idling-timeout", - "rolling-timeout", - "absolute-timeout" - ] - }, - "type": "set" - } - }, - { - "session_response_headers": { - "required": false, - "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. 
`[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", - "elements": { - "type": "string", - "one_of": [ - "id", - "audience", - "subject", - "timeout", - "idling-timeout", - "rolling-timeout", - "absolute-timeout" - ] - }, - "type": "set" + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } } }, { "session_storage": { + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", "required": false, - "type": "string", - "default": "cookie", "one_of": [ "cookie", "memcache", "memcached", "redis" ], - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis." + "type": "string", + "default": "cookie" } }, { "session_store_metadata": { - "required": false, - "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", "type": "boolean", - "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject." 
+ "required": false, + "default": false } }, { "session_enforce_same_subject": { - "required": false, - "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", "type": "boolean", - "description": "When set to `true`, audiences are forced to share the same subject." + "required": false, + "default": false } }, { "session_hash_subject": { - "required": false, - "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", "type": "boolean", - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." + "required": false, + "default": false } }, { "session_hash_storage_key": { - "required": false, - "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "type": "boolean", - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." + "required": false, + "default": false } }, { "session_memcached_prefix": { - "required": false, + "description": "The memcached session key prefix.", "type": "string", - "description": "The memcached session key prefix." + "required": false } }, { "session_memcached_socket": { - "required": false, + "description": "The memcached unix socket path.", "type": "string", - "description": "The memcached unix socket path." + "required": false } }, { "session_memcached_host": { - "required": false, - "default": "127.0.0.1", + "description": "The memcached host.", "type": "string", - "description": "The memcached host." 
+ "required": false, + "default": "127.0.0.1" } }, { "session_memcached_port": { + "description": "The memcached port.", "required": false, - "type": "integer", "between": [ 0, 65535 ], - "default": 11211, - "description": "The memcached port." + "type": "integer", + "default": 11211 } }, { "redis": { - "required": true, - "entity_checks": [ + "fields": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 ] } }, { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 ], - "set1": [ - "cluster_nodes" - ] + "default": 2000 } }, { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - }, - "if_match": { - "eq": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "fields": [ - { - "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" - } - }, - { - "port": { - "between": [ - 0, - 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" - } - }, - { - "connect_timeout": { - "between": [ - 0, - 2147483646 - ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." - } - }, - { - "send_timeout": { - "between": [ - 0, - 2147483646 - ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." - } + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "username": { - "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "referenceable": true } }, { "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "type": "string", - "referenceable": true, "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + "referenceable": true } }, { "sentinel_username": { - "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", "type": "string", - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + "referenceable": true } }, { "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", "type": "string", - "referenceable": true, "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + "referenceable": true } }, { "database": { - "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + ] } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string" + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "default": 6379 } } ], "type": "record" }, - "len_min": 1, "type": "array", - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "default": 6379 } } ], "type": "record" }, - "len_min": 1, "type": "array", - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." 
+ "len_min": 1 } }, { "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", "required": false, - "default": false, "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis." + "default": false } }, { "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, - "default": false, "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "default": false } }, { "server_name": { - "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string", - "description": "A string representing an SNI (server name indication) value for TLS." + "required": false } }, { "cluster_max_redirections": { - "required": false, - "default": 5, "description": "Maximum retry attempts for redirection.", - "type": "integer" + "required": false, + "type": "integer", + "default": 5 } }, { "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "required": false, - "default": false, "type": "boolean", - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address." + "default": false } }, { "prefix": { - "required": false, + "description": "The Redis session key prefix.", "type": "string", - "description": "The Redis session key prefix." 
+ "required": false } }, { "socket": { - "required": false, + "description": "The Redis unix socket path.", "type": "string", - "description": "The Redis unix socket path." + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + }, + "then_field": "host" + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] } } ], "shorthand_fields": [ { "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field 
`timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true, + "type": "record" } }, { "reverify": { - "required": false, - "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", "type": "boolean", - "description": "Specifies whether to always verify tokens stored in the session." + "required": false, + "default": false } }, { "jwt_session_claim": { - "required": false, - "default": "sid", + "description": "The claim to match against the JWT session cookie.", "type": "string", - "description": "The claim to match against the JWT session cookie." + "required": false, + "default": "sid" } }, { "jwt_session_cookie": { - "required": false, + "description": "The name of the JWT session cookie.", "type": "string", - "description": "The name of the JWT session cookie." + "required": false } }, { "bearer_token_param_type": { + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", "required": false, "elements": { "type": "string", 
@@ -2216,19 +1895,19 @@ "header", "query", "body" - ], - "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`." + ] } }, { "bearer_token_cookie_name": { - "required": false, + "description": "The name of the cookie in which the bearer token is passed.", "type": "string", - "description": "The name of the cookie in which the bearer token is passed." + "required": false } }, { "client_credentials_param_type": { + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", "required": false, "elements": { "type": "string", @@ -2243,12 +1922,12 @@ "header", "query", "body" - ], - "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body." + ] } }, { "password_param_type": { + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "required": false, "elements": { "type": "string", @@ -2263,12 +1942,12 @@ "header", "query", "body" - ], - "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + ] } }, { "id_token_param_type": { + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "required": false, "elements": { "type": "string", 
@@ -2283,19 +1962,19 @@ "header", "query", "body" - ], - "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + ] } }, { "id_token_param_name": { - "required": false, + "description": "The name of the parameter used to pass the id token.", "type": "string", - "description": "The name of the parameter used to pass the id token." + "required": false } }, { "refresh_token_param_type": { + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "required": false, "elements": { "type": "string", 
@@ -2310,208 +1989,208 @@ "header", "query", "body" - ], - "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + ] } }, { "refresh_token_param_name": { - "required": false, + "description": "The name of the parameter used to pass the refresh token.", "type": "string", - "description": "The name of the parameter used to pass the refresh token." + "required": false } }, { "refresh_tokens": { - "required": false, - "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", "type": "boolean", - "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available." + "required": false, + "default": true } }, { "upstream_headers_claims": { - "required": false, + "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { "upstream_headers_names": { - "required": false, + "description": "The upstream header names for the claim values.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The upstream header names for the claim values." + } } }, { "upstream_access_token_header": { - "required": false, - "default": "authorization:bearer", + "description": "The upstream access token header.", "type": "string", - "description": "The upstream access token header." 
+ "required": false, + "default": "authorization:bearer" } }, { "upstream_access_token_jwk_header": { - "required": false, + "description": "The upstream access token JWK header.", "type": "string", - "description": "The upstream access token JWK header." + "required": false } }, { "upstream_id_token_header": { - "required": false, + "description": "The upstream id token header.", "type": "string", - "description": "The upstream id token header." + "required": false } }, { "upstream_id_token_jwk_header": { - "required": false, + "description": "The upstream id token JWK header.", "type": "string", - "description": "The upstream id token JWK header." + "required": false } }, { "upstream_refresh_token_header": { - "required": false, + "description": "The upstream refresh token header.", "type": "string", - "description": "The upstream refresh token header." + "required": false } }, { "upstream_user_info_header": { - "required": false, + "description": "The upstream user info header.", "type": "string", - "description": "The upstream user info header." + "required": false } }, { "upstream_user_info_jwt_header": { - "required": false, + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", "type": "string", - "description": "The upstream user info JWT header (in case the user info returns a JWT response)." + "required": false } }, { "upstream_introspection_header": { - "required": false, + "description": "The upstream introspection header.", "type": "string", - "description": "The upstream introspection header." + "required": false } }, { "upstream_introspection_jwt_header": { - "required": false, + "description": "The upstream introspection JWT header.", "type": "string", - "description": "The upstream introspection JWT header." 
+ "required": false } }, { "upstream_session_id_header": { - "required": false, + "description": "The upstream session id header.", "type": "string", - "description": "The upstream session id header." + "required": false } }, { "downstream_headers_claims": { - "required": false, + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { "downstream_headers_names": { - "required": false, + "description": "The downstream header names for the claim values.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The downstream header names for the claim values." + } } }, { "downstream_access_token_header": { - "required": false, + "description": "The downstream access token header.", "type": "string", - "description": "The downstream access token header." + "required": false } }, { "downstream_access_token_jwk_header": { - "required": false, + "description": "The downstream access token JWK header.", "type": "string", - "description": "The downstream access token JWK header." + "required": false } }, { "downstream_id_token_header": { - "required": false, + "description": "The downstream id token header.", "type": "string", - "description": "The downstream id token header." + "required": false } }, { "downstream_id_token_jwk_header": { - "required": false, + "description": "The downstream id token JWK header.", "type": "string", - "description": "The downstream id token JWK header." + "required": false } }, { "downstream_refresh_token_header": { - "required": false, + "description": "The downstream refresh token header.", "type": "string", - "description": "The downstream refresh token header." 
+ "required": false } }, { "downstream_user_info_header": { - "required": false, + "description": "The downstream user info header.", "type": "string", - "description": "The downstream user info header." + "required": false } }, { "downstream_user_info_jwt_header": { - "required": false, + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", "type": "string", - "description": "The downstream user info JWT header (in case the user info returns a JWT response)." + "required": false } }, { "downstream_introspection_header": { - "required": false, + "description": "The downstream introspection header.", "type": "string", - "description": "The downstream introspection header." + "required": false } }, { "downstream_introspection_jwt_header": { - "required": false, + "description": "The downstream introspection JWT header.", "type": "string", - "description": "The downstream introspection JWT header." + "required": false } }, { "downstream_session_id_header": { - "required": false, + "description": "The downstream session id header.", "type": "string", - "description": "The downstream session id header." + "required": false } }, { "login_methods": { + "description": "Enable login functionality with specified grants.", "required": false, "elements": { "type": "string", 
@@ -2530,25 +2209,25 @@ "type": "array", "default": [ "authorization_code" - ], - "description": "Enable login functionality with specified grants." + ] } }, { "login_action": { + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", "required": false, - "type": "string", - "default": "upstream", "one_of": [ "upstream", "response", "redirect" ], - "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location." + "type": "string", + "default": "upstream" } }, { "login_tokens": { + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", "required": false, "elements": { "type": "string", 
@@ -2563,45 +2242,45 @@ "type": "array", "default": [ "id_token" - ], - "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response." + ] } }, { "login_redirect_mode": { + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", "required": false, - "type": "string", - "default": "fragment", "one_of": [ "query", "fragment" ], - "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)." + "type": "string", + "default": "fragment" } }, { "logout_query_arg": { - "required": false, + "description": "The request query argument that activates the logout.", "type": "string", - "description": "The request query argument that activates the logout." + "required": false } }, { "logout_post_arg": { - "required": false, + "description": "The request body argument that activates the logout.", "type": "string", - "description": "The request body argument that activates the logout." + "required": false } }, { "logout_uri_suffix": { - "required": false, + "description": "The request URI suffix that activates the logout.", "type": "string", - "description": "The request URI suffix that activates the logout." + "required": false } }, { "logout_methods": { + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", "required": false, "elements": { "type": "string", 
@@ -2615,46 +2294,46 @@ "default": [ "POST", "DELETE" - ], - "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method." + ] } }, { "logout_revoke": { - "required": false, - "default": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", "type": "boolean", - "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters." + "required": false, + "default": false } }, { "logout_revoke_access_token": { - "required": false, - "default": true, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", "type": "boolean", - "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`." + "required": false, + "default": true } }, { "logout_revoke_refresh_token": { - "required": false, - "default": true, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", "type": "boolean", - "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`." + "required": false, + "default": true } }, { "consumer_claim": { - "required": false, + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload." 
+ } } }, { "consumer_by": { + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", "required": false, "elements": { "type": "string", @@ -2668,20 +2347,20 @@ "default": [ "username", "custom_id" - ], - "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`." + ] } }, { "consumer_optional": { - "required": false, - "default": false, + "description": "Do not terminate the request if consumer mapping fails.", "type": "boolean", - "description": "Do not terminate the request if consumer mapping fails." + "required": false, + "default": false } }, { "credential_claim": { + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, "elements": { "type": "string" 
@@ -2689,67 +2368,67 @@ "type": "array", "default": [ "sub" - ], - "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload." + ] } }, { "anonymous": { - "required": false, + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "type": "string", - "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "required": false } }, { "run_on_preflight": { - "required": false, - "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", "type": "boolean", - "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests." + "required": false, + "default": true } }, { "leeway": { - "required": false, - "default": 0, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", "type": "number", - "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims" + "required": false, + "default": 0 } }, { "verify_parameters": { - "required": false, - "default": false, + "description": "Verify plugin configuration against discovery.", "type": "boolean", - "description": "Verify plugin configuration against discovery." 
+ "required": false, + "default": false } }, { "verify_nonce": { - "required": false, - "default": true, + "description": "Verify nonce on authorization code flow.", "type": "boolean", - "description": "Verify nonce on authorization code flow." + "required": false, + "default": true } }, { "verify_claims": { - "required": false, - "default": true, + "description": "Verify tokens for standard claims.", "type": "boolean", - "description": "Verify tokens for standard claims." + "required": false, + "default": true } }, { "verify_signature": { - "required": false, - "default": true, + "description": "Verify signature of tokens.", "type": "boolean", - "description": "Verify signature of tokens." + "required": false, + "default": true } }, { "ignore_signature": { + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", "required": false, "elements": { "type": "string", 
@@ -2766,22 +2445,22 @@ "type": "array", "default": [ - ], - "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication." + ] } }, { "enable_hs_signatures": { - "required": false, - "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", "type": "boolean", - "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted)." + "required": false, + "default": false } }, { "disable_session": { - "required": false, + "description": "Disable issuing the session cookie with the specified grants.", "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2795,540 +2474,440 @@ "refresh_token", "session" ] - }, - "description": "Disable issuing the session cookie with the specified grants." + } } }, { "cache_ttl": { - "required": false, - "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", "type": "number", - "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry." + "required": false, + "default": 3600 } }, { "cache_ttl_max": { - "required": false, + "description": "The maximum cache ttl in seconds (enforced).", "type": "number", - "description": "The maximum cache ttl in seconds (enforced)." + "required": false } }, { "cache_ttl_min": { - "required": false, + "description": "The minimum cache ttl in seconds (enforced).", "type": "number", - "description": "The minimum cache ttl in seconds (enforced)." + "required": false } }, { "cache_ttl_neg": { - "required": false, + "description": "The negative cache ttl in seconds.", "type": "number", - "description": "The negative cache ttl in seconds." + "required": false } }, { "cache_ttl_resurrect": { - "required": false, + "description": "The resurrection ttl in seconds.", "type": "number", - "description": "The resurrection ttl in seconds." + "required": false } }, { "cache_tokens": { - "required": false, - "default": true, + "description": "Cache the token endpoint requests.", "type": "boolean", - "description": "Cache the token endpoint requests." + "required": false, + "default": true } }, { "cache_tokens_salt": { - "required": false, - "type": "string", + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", "auto": true, - "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." 
+ "type": "string", + "required": false } }, { "cache_introspection": { - "required": false, - "default": true, + "description": "Cache the introspection endpoint requests.", "type": "boolean", - "description": "Cache the introspection endpoint requests." + "required": false, + "default": true } }, { "cache_token_exchange": { - "required": false, - "default": true, + "description": "Cache the token exchange endpoint requests.", "type": "boolean", - "description": "Cache the token exchange endpoint requests." + "required": false, + "default": true } }, { "cache_user_info": { - "required": false, - "default": true, + "description": "Cache the user info requests.", "type": "boolean", - "description": "Cache the user info requests." + "required": false, + "default": true } }, { "search_user_info": { - "required": false, - "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", "type": "boolean", - "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers." + "required": false, + "default": false } }, { "hide_credentials": { - "required": false, - "default": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", "type": "boolean", - "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication." 
+ "required": false, + "default": false } }, { "http_version": { - "required": false, - "default": 1.1, "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", - "type": "number" + "required": false, + "type": "number", + "default": 1.1 } }, { "http_proxy": { - "required": false, "description": "The HTTP proxy.", + "required": false, "type": "string" } }, { "http_proxy_authorization": { - "required": false, + "description": "The HTTP proxy authorization.", "type": "string", - "description": "The HTTP proxy authorization." + "required": false } }, { "https_proxy": { - "required": false, "description": "The HTTPS proxy.", + "required": false, "type": "string" } }, { "https_proxy_authorization": { - "required": false, + "description": "The HTTPS proxy authorization.", "type": "string", - "description": "The HTTPS proxy authorization." + "required": false } }, { "no_proxy": { - "required": false, + "description": "Do not use proxy with these hosts.", "type": "string", - "description": "Do not use proxy with these hosts." + "required": false } }, { "keepalive": { - "required": false, - "default": true, + "description": "Use keepalive with the HTTP client.", "type": "boolean", - "description": "Use keepalive with the HTTP client." + "required": false, + "default": true } }, { "ssl_verify": { - "required": false, - "default": false, + "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", "type": "boolean", - "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`." 
+ "required": false, + "default": false } }, { "timeout": { - "required": false, - "default": 10000, + "description": "Network IO timeout in milliseconds.", "type": "number", - "description": "Network IO timeout in milliseconds." + "required": false, + "default": 10000 } }, { "display_errors": { - "required": false, - "default": false, + "description": "Display errors on failure responses.", "type": "boolean", - "description": "Display errors on failure responses." + "required": false, + "default": false } }, { "by_username_ignore_case": { - "required": false, - "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", "type": "boolean", - "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively." + "required": false, + "default": false } }, { "resolve_distributed_claims": { - "required": false, - "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", "type": "boolean", - "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims." + "required": false, + "default": false } }, { "expose_error_code": { - "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", "type": "boolean", - "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable." 
+ "default": true } }, { "token_cache_key_include_scope": { - "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", "type": "boolean", - "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens." + "default": false } }, { "introspection_token_param_name": { - "required": false, - "default": "token", + "description": "Designate token's parameter name for introspection.", "type": "string", - "description": "Designate token's parameter name for introspection." + "required": false, + "default": "token" } }, { "revocation_token_param_name": { - "required": false, - "default": "token", + "description": "Designate token's parameter name for revocation.", "type": "string", - "description": "Designate token's parameter name for revocation." + "required": false, + "default": "token" } }, { "proof_of_possession_mtls": { + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", "required": false, - "type": "string", - "default": "off", "one_of": [ "off", "strict", "optional" ], - "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401." 
+ "type": "string", + "default": "off" } }, { "proof_of_possession_auth_methods_validation": { - "required": false, - "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", "type": "boolean", - "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP." + "required": false, + "default": true } }, { "tls_client_auth_cert_id": { - "required": false, + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "auto": false, "type": "string", "uuid": true, - "auto": false, - "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server." + "required": false } }, { "tls_client_auth_ssl_verify": { - "required": false, - "default": true, + "description": "Verify identity provider server certificate during mTLS client authentication.", "type": "boolean", - "description": "Verify identity provider server certificate during mTLS client authentication." + "required": false, + "default": true } }, { "mtls_token_endpoint": { - "required": false, "description": "Alias for the token endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, "type": "string" } }, { "mtls_introspection_endpoint": { - "required": false, "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, "type": "string" } }, { "mtls_revocation_endpoint": { - "required": false, "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, "type": "string" } }, { "proof_of_possession_dpop": { + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", "required": false, - "type": "string", - "default": "off", "one_of": [ "off", "strict", "optional" ], - "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof." + "type": "string", + "default": "off" } }, { "dpop_use_nonce": { - "required": false, - "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", "type": "boolean", - "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime." + "required": false, + "default": false } }, { "dpop_proof_lifetime": { - "required": false, - "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. 
It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", "type": "number", - "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise." + "required": false, + "default": 300 } }, { "claims_forbidden": { - "required": false, + "description": "If given, these claims are forbidden in the token payload.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "If given, these claims are forbidden in the token payload." + } } }, { "cluster_cache_strategy": { + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", "required": false, - "type": "string", - "default": "off", "one_of": [ "off", "redis" ], - "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared." 
+ "type": "string", + "default": "off" } }, { "cluster_cache_redis": { - "required": true, - "entity_checks": [ + "fields": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 ] } }, { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 ], - "set1": [ - "cluster_nodes" - ] + "default": 2000 } }, { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } }, { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "connection_is_proxied" - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "fields": [ - { - "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." - } - }, - { - "port": { - "between": [ - 0, - 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." - } - }, - { - "connect_timeout": { - "between": [ - 0, - 2147483646 - ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" - } - }, - { - "send_timeout": { - "between": [ - 0, - 2147483646 - ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" - } - }, - { - "read_timeout": { - "between": [ - 0, - 2147483646 - ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" - } + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } }, { "username": { - "referenceable": true, "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "sentinel_username": { - "referenceable": true, "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "type": "integer", + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer" + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { 
@@ -3339,164 +2918,759 @@ }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "len_min": 1 } }, { "ssl": { - "required": false, - "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } }, { "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", "required": false, - "default": 5, "type": "integer", - "description": "Maximum retry attempts for redirection." 
+ "default": 5 } }, { "connection_is_proxied": { - "required": false, - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } } ], - "shorthand_fields": [ + "entity_checks": [ { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "connect_timeout" + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" ], - "type": "integer" + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] } }, { - "sentinel_addresses": { - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0" - }, - "type": "array", - "elements": { - "type": "string" - }, - "len_min": 1 + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] } }, { - "cluster_addresses": { - "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0" - }, - "type": "array", - "elements": { - "type": "string" + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true }, - "len_min": 1 + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + 
"database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] } } - ] - } - } - ], + ], + "type": "record", + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "translate_backwards": [ + "connect_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } + } + }, + { + "sentinel_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "cluster_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + } + ], + "required": true + } + } + ], + "required": true, + "shorthand_fields": [ + { + "authorization_cookie_lifetime": { + "deprecation": { + "message": "openid-connect: config.authorization_cookie_lifetime is deprecated, please use config.authorization_rolling_timeout instead", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "authorization_cookie_samesite": { + "deprecation": { + "message": "openid-connect: config.authorization_cookie_samesite is deprecated, please use config.authorization_cookie_same_site 
instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "authorization_cookie_httponly": { + "deprecation": { + "message": "openid-connect: config.authorization_cookie_httponly is deprecated, please use config.authorization_cookie_http_only instead", + "removal_in_version": "4.0" + }, + "type": "boolean" + } + }, + { + "session_cookie_lifetime": { + "deprecation": { + "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_cookie_idletime": { + "deprecation": { + "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_cookie_samesite": { + "deprecation": { + "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_cookie_httponly": { + "deprecation": { + "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead", + "removal_in_version": "4.0" + }, + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "deprecation": { + "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_memcache_socket": { + "deprecation": { + "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_memcache_host": { + "deprecation": { + "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead", + 
"removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_memcache_port": { + "deprecation": { + "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead", + "removal_in_version": "4.0" + }, + "type": "integer" + } + }, + { + "session_cookie_renew": { + "deprecation": { + "message": "openid-connect: config.session_cookie_renew option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "deprecation": { + "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "integer" + } + }, + { + "session_strategy": { + "deprecation": { + "message": "openid-connect: config.session_strategy option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_compressor": { + "deprecation": { + "message": "openid-connect: config.session_compressor option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_redis_prefix": { + "type": "string", + "translate_backwards": [ + "redis", + "prefix" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "prefix" + ] + } + ], + "message": "openid-connect: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_socket": { + "type": "string", + "translate_backwards": [ + "redis", + "socket" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "socket" + ] + } + ], + "message": "openid-connect: config.session_redis_socket is deprecated, please use config.redis.socket instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_host": { + "type": "string", + "translate_backwards": [ + "redis", + "host" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "host" + 
] + } + ], + "message": "openid-connect: config.session_redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_port": { + "type": "integer", + "translate_backwards": [ + "redis", + "port" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ], + "message": "openid-connect: config.session_redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_username": { + "type": "string", + "translate_backwards": [ + "redis", + "username" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ], + "message": "openid-connect: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_password": { + "type": "string", + "translate_backwards": [ + "redis", + "password" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ], + "message": "openid-connect: config.session_redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_connect_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + "connect_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "connect_timeout" + ] + } + ], + "message": "openid-connect: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_read_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + "read_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "read_timeout" + ] + } + ], + "message": "openid-connect: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", + "removal_in_version": "4.0" + } + 
} + }, + { + "session_redis_send_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + "send_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "send_timeout" + ] + } + ], + "message": "openid-connect: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_ssl": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ], + "message": "openid-connect: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_ssl_verify": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl_verify" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ], + "message": "openid-connect: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_server_name": { + "type": "string", + "translate_backwards": [ + "redis", + "server_name" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ], + "message": "openid-connect: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_cluster_nodes": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "cluster_nodes" + ] + } + ], + "message": "openid-connect: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "translate_backwards": [ + "redis", + "cluster_nodes" + ], + "elements": { + "fields": [ + { + "ip": { + "description": "A string representing a host name, such as example.com.", + "required": 
true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + } + } + }, + { + "session_redis_cluster_max_redirections": { + "type": "integer", + "translate_backwards": [ + "redis", + "cluster_max_redirections" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "cluster_max_redirections" + ] + } + ], + "message": "openid-connect: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0" + } + } + } + ], "type": "record" } } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } ] } \ No newline at end of file diff --git a/schemas/opentelemetry/3.8.x.json b/schemas/opentelemetry/3.8.x.json index e7c1e33c..a847aca4 100644 --- a/schemas/opentelemetry/3.8.x.json +++ b/schemas/opentelemetry/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
@@ -21,56 +19,45 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "entity_checks": [ - { - "at_least_one_of": [ - "traces_endpoint", - "logs_endpoint" - ] - } - ], - "type": "record", "fields": [ { "traces_endpoint": { - "referenceable": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "referenceable": true } }, { "logs_endpoint": { - "referenceable": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "referenceable": true } }, { "headers": { - "type": "map", "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", + "type": "map", "values": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, "keys": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } } }, @@ -80,11 +67,11 @@ "required": true, "type": "string" }, + "type": "map", "values": { "required": true, "type": "string" - }, - "type": "map" + } } }, { 
@@ -92,144 +79,144 @@ "fields": [ { "max_batch_size": { + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time." + "default": 1 } }, { "max_coalescing_delay": { + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", "between": [ 0, 3600 ], - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + "default": 1 } }, { "max_entries": { + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue." + "default": 10000 } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { - "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "default": 60 } }, { "initial_retry_delay": { + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch." 
+ "default": 0.01 } }, { "max_retry_delay": { + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff." + "default": 60 } }, { "concurrency_limit": { + "description": "The number of of queue delivery timers. -1 indicates unlimited.", "type": "integer", "default": 1, "one_of": [ -1, 1 - ], - "description": "The number of of queue delivery timers. -1 indicates unlimited." + ] } } ], + "type": "record", + "required": true, "default": { "max_batch_size": 200 - }, - "required": true, - "type": "record" + } } }, { "batch_span_count": { + "description": "The number of spans to be sent in a single batch.", + "type": "integer", "deprecation": { + "old_default": 200, "message": "opentelemetry: config.batch_span_count is deprecated, please use config.queue.max_batch_size instead", - "removal_in_version": "4.0", - "old_default": 200 - }, - "type": "integer", - "description": "The number of spans to be sent in a single batch." + "removal_in_version": "4.0" + } } }, { "batch_flush_delay": { + "description": "The delay, in seconds, between two consecutive batches.", + "type": "integer", "deprecation": { + "old_default": 3, "message": "opentelemetry: config.batch_flush_delay is deprecated, please use config.queue.max_coalescing_delay instead", - "removal_in_version": "4.0", - "old_default": 3 - }, - "type": "integer", - "description": "The delay, in seconds, between two consecutive batches." + "removal_in_version": "4.0" + } } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 1000, - "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", - "type": "integer" + "default": 1000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 5000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 5000 } }, { @@ -240,13 +227,6 @@ { "header_type": { "required": false, - "type": "string", - "deprecation": { - "message": "opentelemetry: config.header_type is deprecated, please use config.propagation options instead", - "removal_in_version": "4.0", - "old_default": "preserve" - }, - "default": "preserve", "one_of": [ "preserve", "ignore", @@ -258,18 +238,25 @@ "aws", "gcp", "datadog" - ] + ], + "type": "string", + "deprecation": { + "old_default": "preserve", + "message": "opentelemetry: config.header_type is deprecated, please use config.propagation options instead", + "removal_in_version": "4.0" + }, + "default": "preserve" } }, { "sampling_rate": { - "required": false, "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", + "type": "number", "between": [ 0, 1 ], - "type": "number" + "required": false } }, { 
@@ -277,91 +264,104 @@ "fields": [ { "extract": { + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", "type": "array", "elements": { "type": "string", "one_of": [ + "gcp", + "jaeger", "aws", "ot", "w3c", "datadog", - "b3", - "gcp", - "jaeger" + "b3" ] - }, - "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID." + } } }, { "clear": { + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", "type": "array", "elements": { "type": "string" - }, - "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared." + } } }, { "inject": { + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. 
If left empty, Kong will not inject any tracing context information in outgoing requests.", "type": "array", "elements": { "type": "string", "one_of": [ "preserve", + "gcp", + "b3-single", + "jaeger", "aws", "ot", "w3c", "datadog", - "b3", - "gcp", - "b3-single", - "jaeger" + "b3" ] - }, - "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests." + } } }, { "default_format": { + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "type": "string", "required": true, "one_of": [ + "gcp", + "b3-single", + "jaeger", "aws", "ot", "w3c", "datadog", - "b3", - "gcp", - "b3-single", - "jaeger" - ], - "type": "string", - "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`." 
+ "b3" + ] } } ], + "type": "record", + "required": true, "default": { "default_format": "w3c" - }, - "required": true, - "type": "record" + } } } ], + "entity_checks": [ + { + "at_least_one_of": [ + "traces_endpoint", + "logs_endpoint" + ] + } + ], + "type": "record", "shorthand_fields": [ { "endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string", + "referenceable": true, "deprecation": { "message": "OpenTelemetry: config.endpoint is deprecated, please use config.traces_endpoint instead", "removal_in_version": "4.0" - }, - "referenceable": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + } } } - ] + ], + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/post-function/3.8.x.json b/schemas/post-function/3.8.x.json index 6f23c173..80a53552 100644 --- a/schemas/post-function/3.8.x.json +++ b/schemas/post-function/3.8.x.json @@ -1,32 +1,7 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.certificate", - "config.rewrite", - "config.access", - "config.header_filter", - "config.body_filter", - "config.log", - "config.ws_handshake", - "config.ws_upstream_frame", - "config.ws_client_frame", - "config.ws_close" - ] - } - ], "fields": [ { "protocols": { - "required": false, - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], "elements": { "type": "string", "one_of": [ 
@@ -38,29 +13,41 @@ "wss" ] }, - "type": "set" + "required": false, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] } }, { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -72,9 +59,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -82,8 +67,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { 
@@ -91,138 +75,154 @@ "fields": [ { "certificate": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "rewrite": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "access": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "header_filter": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "body_filter": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "log": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_handshake": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_client_frame": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_upstream_frame": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_close": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + 
"config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } ] } \ No newline at end of file diff --git a/schemas/pre-function/3.8.x.json b/schemas/pre-function/3.8.x.json index 6f23c173..80a53552 100644 --- a/schemas/pre-function/3.8.x.json +++ b/schemas/pre-function/3.8.x.json @@ -1,32 +1,7 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.certificate", - "config.rewrite", - "config.access", - "config.header_filter", - "config.body_filter", - "config.log", - "config.ws_handshake", - "config.ws_upstream_frame", - "config.ws_client_frame", - "config.ws_close" - ] - } - ], "fields": [ { "protocols": { - "required": false, - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], "elements": { "type": "string", "one_of": [ @@ -38,29 +13,41 @@ "wss" ] }, - "type": "set" + "required": false, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] } }, { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -72,9 +59,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -82,8 +67,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { 
@@ -91,138 +75,154 @@ "fields": [ { "certificate": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "rewrite": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "access": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "header_filter": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "body_filter": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "log": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_handshake": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_client_frame": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_upstream_frame": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_close": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + 
"config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } ] } \ No newline at end of file diff --git a/schemas/prometheus/3.8.x.json b/schemas/prometheus/3.8.x.json index 477afdae..8a193072 100644 --- a/schemas/prometheus/3.8.x.json +++ b/schemas/prometheus/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -45,50 +42,53 @@ "fields": [ { "per_consumer": { - "default": false, + "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", "type": "boolean", - "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available." + "default": false } }, { "status_code_metrics": { - "default": false, + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", "type": "boolean", - "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported." + "default": false } }, { "ai_metrics": { - "default": false, + "description": "A boolean value that determines if ai metrics should be collected. If enabled, the `ai_llm_requests_total`, `ai_llm_cost_total` and `ai_llm_tokens_total` metrics will be exported.", "type": "boolean", - "description": "A boolean value that determines if ai metrics should be collected. If enabled, the `ai_llm_requests_total`, `ai_llm_cost_total` and `ai_llm_tokens_total` metrics will be exported." + "default": false } }, { "latency_metrics": { - "default": false, + "description": "A boolean value that determines if latency metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", "type": "boolean", - "description": "A boolean value that determines if latency metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported." 
+ "default": false } }, { "bandwidth_metrics": { - "default": false, + "description": "A boolean value that determines if bandwidth metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", "type": "boolean", - "description": "A boolean value that determines if bandwidth metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported." + "default": false } }, { "upstream_health_metrics": { - "default": false, + "description": "A boolean value that determines if upstream metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", "type": "boolean", - "description": "A boolean value that determines if upstream metrics should be collected. If enabled, `upstream_target_health` metric will be exported." + "default": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/proxy-cache-advanced/3.8.x.json b/schemas/proxy-cache-advanced/3.8.x.json index 81c6b90d..30b3682b 100644 --- a/schemas/proxy-cache-advanced/3.8.x.json +++ b/schemas/proxy-cache-advanced/3.8.x.json @@ -1,16 +1,8 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -27,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { @@ -36,6 +27,7 @@ "fields": [ { "response_code": { + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", "required": true, "elements": { "between": [ 
@@ -45,17 +37,17 @@ "type": "integer" }, "type": "array", + "len_min": 1, "default": [ 200, 301, 404 - ], - "len_min": 1, - "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900." + ] } }, { "request_method": { + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", "required": true, "elements": { "type": "string", @@ -71,12 +63,12 @@ "default": [ "GET", "HEAD" - ], - "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`." + ] } }, { "content_type": { + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", "required": true, "elements": { "type": "string" 
@@ -85,49 +77,48 @@ "default": [ "text/plain", "application/json" - ], - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned." + ] } }, { "cache_ttl": { - "gt": 0, - "default": 300, + "description": "TTL in seconds of cache entities.", "type": "integer", - "description": "TTL in seconds of cache entities." + "gt": 0, + "default": 300 } }, { "strategy": { + "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", "required": true, + "type": "string", "one_of": [ "memory", "redis" - ], - "type": "string", - "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`." + ] } }, { "cache_control": { + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", "required": true, - "default": false, "type": "boolean", - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234." + "default": false } }, { "ignore_uri_case": { + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", "required": false, - "default": false, "type": "boolean", - "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI." + "default": false } }, { "storage_ttl": { - "type": "integer", - "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." 
+ "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" } }, { 
@@ -135,269 +126,170 @@ "fields": [ { "dictionary_name": { + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", "required": true, - "default": "kong_db_cache", "type": "string", - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template." + "default": "kong_db_cache" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "vary_query_params": { "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "vary_headers": { "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "response_headers": { + "description": "Caching related diagnostic headers that should be included in cached responses", + "type": "record", "fields": [ { "age": { - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "X-Cache-Status": { - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "X-Cache-Key": { - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } } ], - "description": "Caching related diagnostic headers that should be included in cached responses", - "required": true, - "type": "record" + "required": true } }, { "redis": { - "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { 
- "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "connection_is_proxied" - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "username": { - "referenceable": true, "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "sentinel_username": { - "referenceable": true, "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "type": "integer", + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer" + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { 
@@ -408,171 +300,310 @@ }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "len_min": 1 } }, { "ssl": { - "required": false, - "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } }, { "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", "required": false, - "default": 5, "type": "integer", - "description": "Maximum retry attempts for redirection." 
+ "default": 5 } }, { "connection_is_proxied": { - "required": false, - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } } ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", "shorthand_fields": [ { "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + 
"connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true } }, { "bypass_on_err": { - "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", "type": "boolean", - "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream." + "default": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/proxy-cache/3.8.x.json b/schemas/proxy-cache/3.8.x.json index 63a21dc4..6bc799e6 100644 --- a/schemas/proxy-cache/3.8.x.json +++ b/schemas/proxy-cache/3.8.x.json 
@@ -1,18 +1,12 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -24,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -34,8 +26,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { @@ -43,6 +34,7 @@ "fields": [ { "response_code": { + "description": "Upstream response status code considered cacheable.", "required": true, "elements": { "between": [ @@ -51,18 +43,18 @@ ], "type": "integer" }, + "type": "array", "len_min": 1, "default": [ 200, 301, 404 - ], - "type": "array", - "description": "Upstream response status code considered cacheable." + ] } }, { "request_method": { + "description": "Downstream request methods considered cacheable.", "required": true, "elements": { "type": "string", @@ -78,12 +70,12 @@ "default": [ "GET", "HEAD" - ], - "description": "Downstream request methods considered cacheable." + ] } }, { "content_type": { + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", "required": true, "elements": { "type": "string" 
@@ -92,41 +84,40 @@ "default": [ "text/plain", "application/json" - ], - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value." + ] } }, { "cache_ttl": { - "gt": 0, - "default": 300, "description": "TTL, in seconds, of cache entities.", - "type": "integer" + "type": "integer", + "gt": 0, + "default": 300 } }, { "strategy": { + "description": "The backing data store in which to hold cache entities.", "required": true, + "type": "string", "one_of": [ "memory" - ], - "description": "The backing data store in which to hold cache entities.", - "type": "string" + ] } }, { "cache_control": { - "required": true, - "default": false, "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": false } }, { "ignore_uri_case": { + "type": "boolean", "required": false, - "default": false, - "type": "boolean" + "default": false } }, { 
@@ -140,37 +131,39 @@ "fields": [ { "dictionary_name": { - "required": true, - "default": "kong_db_cache", "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", - "type": "string" + "required": true, + "type": "string", + "default": "kong_db_cache" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "type": "array", "elements": { "type": "string" - }, - "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration." + } } }, { "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "type": "array", "elements": { "type": "string" - }, - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." + } } }, { "response_headers": { + "description": "Caching related diagnostic headers that should be included in cached responses", + "type": "record", "fields": [ { "age": { @@ -191,14 +184,21 @@ } } ], - "type": "record", - "required": true, - "description": "Caching related diagnostic headers that should be included in cached responses" + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/rate-limiting-advanced/3.8.x.json b/schemas/rate-limiting-advanced/3.8.x.json index 71551003..7df38f70 100644 --- a/schemas/rate-limiting-advanced/3.8.x.json +++ b/schemas/rate-limiting-advanced/3.8.x.json 
@@ -1,16 +1,8 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -27,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { @@ -36,9 +27,8 @@ "fields": [ { "identifier": { + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", "required": true, - "type": "string", - "default": "consumer", "one_of": [ "ip", "credential", 
@@ -48,315 +38,217 @@ "path", "consumer-group" ], - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`." + "type": "string", + "default": "consumer" } }, { "window_size": { - "required": true, "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "required": true, + "type": "array", "elements": { "type": "number" - }, - "type": "array" + } } }, { "window_type": { "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "type": "string", "default": "sliding", "one_of": [ "fixed", "sliding" - ], - "type": "string" + ] } }, { "limit": { - "required": true, "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "required": true, + "type": "array", "elements": { "type": "number" - }, - "type": "array" + } } }, { "sync_rate": { - "type": "number", - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." + "description": "How often to sync counter data to the central data store. 
A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" } }, { "namespace": { - "required": true, - "auto": true, "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", - "type": "string" + "auto": true, + "type": "string", + "required": true } }, { "strategy": { + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "required": true, - "type": "string", - "default": "local", "one_of": [ "cluster", "redis", "local" ], - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`." + "type": "string", + "default": "local" } }, { "dictionary_name": { - "required": true, - "default": "kong_rate_limiting_counters", "description": "The shared dictionary where counters are stored. 
When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", - "type": "string" + "type": "string", + "required": true, + "default": "kong_rate_limiting_counters" } }, { "hide_client_headers": { - "default": false, "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "retry_after_jitter_max": { - "default": 0, "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", - "type": "number" + "type": "number", + "default": 0 } }, { "header_name": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } }, { "path": { - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "type": "string" + "type": "string", + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." 
} }, { "redis": { - "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "connection_is_proxied" - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "username": { - "referenceable": true, "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "sentinel_username": { - "referenceable": true, "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "type": "integer", + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer" + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { 
@@ -367,202 +259,341 @@ }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "len_min": 1 } }, { "ssl": { - "required": false, - "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } }, { "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", "required": false, - "default": 5, "type": "integer", - "description": "Maximum retry attempts for redirection." 
+ "default": 5 } }, { "connection_is_proxied": { - "required": false, - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] } } ], + "type": "record", "shorthand_fields": [ { "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + 
"connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true } }, { "enforce_consumer_groups": { - "default": false, "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "consumer_groups": { + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", "type": "array", "elements": { "type": "string" - }, - "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`." + } } }, { "disable_penalty": { - "default": false, "description": "If set to `true`, this doesn't count denied requests (status = `429`). 
If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "error_code": { - "gt": 0, - "default": 429, "description": "Set a custom error code to return when the rate limit is exceeded.", - "type": "number" + "type": "number", + "gt": 0, + "default": 429 } }, { "error_message": { - "default": "API rate limit exceeded", "description": "Set a custom error message to return when the rate limit is exceeded.", - "type": "string" + "type": "string", + "default": "API rate limit exceeded" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/rate-limiting/3.8.x.json b/schemas/rate-limiting/3.8.x.json index 88995bca..b98f28df 100644 --- a/schemas/rate-limiting/3.8.x.json +++ b/schemas/rate-limiting/3.8.x.json 
@@ -1,79 +1,8 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.second", - "config.minute", - "config.hour", - "config.day", - "config.month", - "config.year" - ] - }, - { - "conditional": { - "then_field": "config.redis.host", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.policy" - } - }, - { - "conditional": { - "then_field": "config.redis.port", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.policy" - } - }, - { - "conditional": { - "then_field": "config.redis.timeout", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.policy" - } - }, - { - "conditional": { - "then_field": "config.header_name", - "if_match": { - "eq": "header" - }, - "then_match": { - "required": true - }, - "if_field": "config.limit_by" - } - }, - { - "conditional": { - "then_field": "config.path", - "if_match": { - "eq": "path" - }, - "then_match": { - "required": true - }, - "if_field": "config.limit_by" - } - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
@@ -90,178 +19,57 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { - "required": true, - "shorthand_fields": [ - { - "redis_host": { - "deprecation": { - "message": "rate-limiting: config.redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "host" - ], - "type": "string" - } - }, - { - "redis_port": { - "deprecation": { - "message": "rate-limiting: config.redis_port is deprecated, please use config.redis.port instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "port" - ], - "type": "integer" - } - }, - { - "redis_password": { - "deprecation": { - "message": "rate-limiting: config.redis_password is deprecated, please use config.redis.password instead", - "removal_in_version": "4.0" - }, - "len_min": 0, - "translate_backwards": [ - "redis", - "password" - ], - "type": "string" - } - }, - { - "redis_username": { - "deprecation": { - "message": "rate-limiting: config.redis_username is deprecated, please use config.redis.username instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "username" - ], - "type": "string" - } - }, - { - "redis_ssl": { - "deprecation": { - "message": "rate-limiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "ssl" - ], - "type": "boolean" - } - }, - { - "redis_ssl_verify": { - "deprecation": { - "message": "rate-limiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "ssl_verify" - ], - "type": "boolean" - } - }, - { - "redis_server_name": { - "deprecation": { - "message": "rate-limiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", - "removal_in_version": "4.0" - }, - 
"translate_backwards": [ - "redis", - "server_name" - ], - "type": "string" - } - }, - { - "redis_timeout": { - "deprecation": { - "message": "rate-limiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "timeout" - ], - "type": "integer" - } - }, - { - "redis_database": { - "deprecation": { - "message": "rate-limiting: config.redis_database is deprecated, please use config.redis.database instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "database" - ], - "type": "integer" - } - } - ], "fields": [ { "second": { - "gt": 0, + "description": "The number of HTTP requests that can be made per second.", "type": "number", - "description": "The number of HTTP requests that can be made per second." + "gt": 0 } }, { "minute": { - "gt": 0, + "description": "The number of HTTP requests that can be made per minute.", "type": "number", - "description": "The number of HTTP requests that can be made per minute." + "gt": 0 } }, { "hour": { - "gt": 0, + "description": "The number of HTTP requests that can be made per hour.", "type": "number", - "description": "The number of HTTP requests that can be made per hour." + "gt": 0 } }, { "day": { - "gt": 0, + "description": "The number of HTTP requests that can be made per day.", "type": "number", - "description": "The number of HTTP requests that can be made per day." + "gt": 0 } }, { "month": { - "gt": 0, + "description": "The number of HTTP requests that can be made per month.", "type": "number", - "description": "The number of HTTP requests that can be made per month." + "gt": 0 } }, { "year": { - "gt": 0, + "description": "The number of HTTP requests that can be made per year.", "type": "number", - "description": "The number of HTTP requests that can be made per year." 
+ "gt": 0 } }, { "limit_by": { + "description": "The entity that is used when aggregating the limits.", "type": "string", "default": "consumer", "one_of": [ 
@@ -272,167 +80,431 @@ "header", "path", "consumer-group" - ], - "description": "The entity that is used when aggregating the limits." + ] } }, { "header_name": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } }, { "path": { - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "type": "string" + "type": "string", + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "policy": { - "type": "string", - "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "len_min": 0, "one_of": [ "local", "cluster", "redis" ], - "len_min": 0, - "description": "The rate-limiting policies to use for retrieving and incrementing the limits." + "type": "string", + "default": "local" } }, { "fault_tolerant": { + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", "required": true, - "default": true, "type": "boolean", - "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. 
If `false`, then the clients will see `500` errors." + "default": true } }, { "redis": { + "description": "Redis configuration", + "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } }, { "timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "username": { - "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "referenceable": true } }, { "password": { - "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "len_min": 0, "type": "string", - "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." 
+ "referenceable": true, + "encrypted": true } }, { "database": { - "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "default": 0 } }, { "ssl": { - "required": false, - "default": false, + "description": "If set to true, uses SSL to connect to Redis.", "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis." + "required": false, + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "required": false, + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } } ], - "description": "Redis configuration", - "required": true, - "type": "record" + "required": true } }, { "hide_client_headers": { + "description": "Optionally hide informative response headers.", "required": true, - "default": false, "type": "boolean", - "description": "Optionally hide informative response headers." 
+ "default": false } }, { "error_code": { - "gt": 0, - "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", "type": "number", - "description": "Set a custom error code to return when the rate limit is exceeded." + "gt": 0, + "default": 429 } }, { "error_message": { - "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", "type": "string", - "description": "Set a custom error message to return when the rate limit is exceeded." + "default": "API rate limit exceeded" } }, { "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior.", "required": true, - "default": -1, "type": "number", - "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior." + "default": -1 + } + } + ], + "required": true, + "shorthand_fields": [ + { + "redis_host": { + "type": "string", + "translate_backwards": [ + "redis", + "host" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } + ], + "message": "rate-limiting: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_port": { + "type": "integer", + "translate_backwards": [ + "redis", + "port" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ], + "message": "rate-limiting: config.redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_password": { + "len_min": 0, + "type": "string", + "translate_backwards": [ + "redis", + "password" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ], + "message": "rate-limiting: config.redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0" + } + 
} + }, + { + "redis_username": { + "type": "string", + "translate_backwards": [ + "redis", + "username" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ], + "message": "rate-limiting: config.redis_username is deprecated, please use config.redis.username instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_ssl": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ], + "message": "rate-limiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_ssl_verify": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl_verify" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ], + "message": "rate-limiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_server_name": { + "type": "string", + "translate_backwards": [ + "redis", + "server_name" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ], + "message": "rate-limiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + "timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "timeout" + ] + } + ], + "message": "rate-limiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_database": { + "type": "integer", + "translate_backwards": [ + "redis", + "database" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "database" + ] + } + ], + "message": "rate-limiting: config.redis_database is 
deprecated, please use config.redis.database instead", + "removal_in_version": "4.0" + } } } ], "type": "record" } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.second", + "config.minute", + "config.hour", + "config.day", + "config.month", + "config.year" + ] + }, + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.host", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.port", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.timeout", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.limit_by", + "if_match": { + "eq": "header" + }, + "then_field": "config.header_name", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.limit_by", + "if_match": { + "eq": "path" + }, + "then_field": "config.path", + "then_match": { + "required": true + } + } + } ] } \ No newline at end of file diff --git a/schemas/request-size-limiting/3.8.x.json b/schemas/request-size-limiting/3.8.x.json index 5e0fa712..669041e4 100644 --- a/schemas/request-size-limiting/3.8.x.json +++ b/schemas/request-size-limiting/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -38,36 +35,39 @@ "fields": [ { "allowed_payload_size": { - "default": 128, + "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", "type": "integer", - "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes)." + "default": 128 } }, { "size_unit": { + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", "required": true, - "type": "string", - "default": "megabytes", "one_of": [ "megabytes", "kilobytes", "bytes" ], - "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0." + "type": "string", + "default": "megabytes" } }, { "require_content_length": { - "required": true, - "default": false, + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", "type": "boolean", - "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body." + "required": true, + "default": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-termination/3.8.x.json b/schemas/request-termination/3.8.x.json index 427081f9..e06de3dc 100644 --- a/schemas/request-termination/3.8.x.json +++ b/schemas/request-termination/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
@@ -30,14 +27,14 @@ "fields": [ { "status_code": { + "description": "The response code to send. Must be an integer between 100 and 599.", "required": true, - "type": "integer", "between": [ 100, 599 ], - "default": 503, - "description": "The response code to send. Must be an integer between 100 and 599." + "type": "integer", + "default": 503 } }, { @@ -60,22 +57,25 @@ }, { "echo": { - "required": true, - "default": false, + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", "type": "boolean", - "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic." + "required": true, + "default": false } }, { "trigger": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-transformer-advanced/3.8.x.json b/schemas/request-transformer-advanced/3.8.x.json index 06a0820f..fa602888 100644 --- a/schemas/request-transformer-advanced/3.8.x.json +++ b/schemas/request-transformer-advanced/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
@@ -30,9 +27,9 @@ "fields": [ { "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", "type": "string", - "match": "^%u+$", - "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." + "match": "^%u+$" } }, { @@ -40,40 +37,40 @@ "fields": [ { "body": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "querystring": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -81,43 +78,43 @@ "fields": [ { "body": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } }, { "headers": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } }, { "querystring": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -125,42 +122,43 @@ "fields": [ { "body": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } }, { "headers": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } }, { "querystring": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } }, { "json_types": { + "type": "array", "default": [ ], @@ -171,8 +169,7 @@ "number", "string" ] - }, - "type": "array" + } } }, { 
@@ -181,8 +178,8 @@ } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -190,42 +187,43 @@ "fields": [ { "body": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } }, { "headers": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } }, { "querystring": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } }, { "json_types": { + "type": "array", "default": [ ], @@ -236,13 +234,12 @@ "number", "string" ] - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -250,42 +247,43 @@ "fields": [ { "body": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } }, { "headers": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } }, { "querystring": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } }, { "json_types": { + "type": "array", "default": [ ], @@ -296,13 +294,12 @@ "number", "string" ] - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
@@ -310,28 +307,31 @@ "fields": [ { "body": { + "type": "set", "elements": { "type": "string" - }, - "type": "set" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "dots_in_keys": { - "default": true, + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects).", "type": "boolean", - "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects)." + "default": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-transformer/3.8.x.json b/schemas/request-transformer/3.8.x.json index c7ef2fe2..e6220243 100644 --- a/schemas/request-transformer/3.8.x.json +++ b/schemas/request-transformer/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,8 +26,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { 
@@ -37,9 +34,9 @@ "fields": [ { "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", "type": "string", - "match": "^%u+$", - "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." + "match": "^%u+$" } }, { @@ -47,43 +44,43 @@ "fields": [ { "body": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } }, { "querystring": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -91,44 +88,44 @@ "fields": [ { "body": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } }, { "querystring": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
@@ -136,39 +133,39 @@ "fields": [ { "body": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } }, { "querystring": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } }, { @@ -177,8 +174,8 @@ } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -186,44 +183,44 @@ "fields": [ { "body": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } }, { "querystring": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -231,50 +228,53 @@ "fields": [ { "body": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } }, { "querystring": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
diff --git a/schemas/request-validator/3.8.x.json b/schemas/request-validator/3.8.x.json index 868edddf..c334e59e 100644 --- a/schemas/request-validator/3.8.x.json +++ b/schemas/request-validator/3.8.x.json @@ -1,16 +1,8 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -27,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -44,70 +35,73 @@ "fields": [ { "body_schema": { + "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.", "required": false, - "type": "string", - "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified." + "type": "string" } }, { "allowed_content_types": { "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", + "type": "set", "default": [ "application/json" ], "elements": { "required": true, "type": "string" - }, - "type": "set" + } } }, { "version": { + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", "required": true, - "type": "string", "one_of": [ "kong", "draft4" ], - "default": "kong", - "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator." + "type": "string", + "default": "kong" } }, { "parameter_schema": { - "required": false, + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", "type": "array", + "required": false, "elements": { "fields": [ { "in": { + "description": "The location of the parameter.", + "type": "string", "required": true, "one_of": [ "query", "header", "path" - ], - "type": "string", - "description": "The location of the parameter." + ] } }, { "name": { + "description": "The name of the parameter. Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`.", "required": true, - "type": "string", - "description": "The name of the parameter. 
Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`." + "type": "string" } }, { "required": { + "description": "Determines whether this parameter is mandatory.", "required": true, - "type": "boolean", - "description": "Determines whether this parameter is mandatory." + "type": "boolean" } }, { "style": { + "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", + "type": "string", "one_of": [ "label", "form", @@ -116,15 +110,13 @@ "spaceDelimited", "pipeDelimited", "deepObject" - ], - "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", - "type": "string" + ] } }, { "explode": { - "type": "boolean", - "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect." + "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect.", + "type": "boolean" } }, { @@ -134,6 +126,7 @@ } } ], + "type": "record", "entity_checks": [ { "mutually_required": [ 
@@ -150,30 +143,28 @@ ] } } - ], - "type": "record" - }, - "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified." + ] + } } }, { "verbose_response": { - "required": true, - "default": false, + "description": "If enabled, the plugin returns more verbose and detailed validation errors.", "type": "boolean", - "description": "If enabled, the plugin returns more verbose and detailed validation errors." + "required": true, + "default": false } }, { "content_type_parameter_validation": { - "required": true, - "default": true, + "description": "Determines whether to enable parameters validation of request content-type.", "type": "boolean", - "description": "Determines whether to enable parameters validation of request content-type." + "required": true, + "default": true } } ], - "required": true, + "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -182,7 +173,16 @@ ] } ], - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/response-ratelimiting/3.8.x.json b/schemas/response-ratelimiting/3.8.x.json index f069f160..e443ef90 100644 --- a/schemas/response-ratelimiting/3.8.x.json +++ b/schemas/response-ratelimiting/3.8.x.json 
@@ -1,45 +1,8 @@ { - "entity_checks": [ - { - "conditional": { - "then_field": "config.redis.host", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.policy" - } - }, - { - "conditional": { - "then_field": "config.redis.port", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.policy" - } - }, - { - "conditional": { - "then_field": "config.redis.timeout", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.policy" - } - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -56,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -73,152 +35,147 @@ "fields": [ { "header_name": { - "default": "x-kong-limit", + "description": "The name of the response header used to increment the counters.", "type": "string", - "description": "The name of the response header used to increment the counters." + "default": "x-kong-limit" } }, { "limit_by": { + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", "type": "string", "default": "consumer", "one_of": [ "consumer", "credential", "ip" - ], - "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`." + ] } }, { "policy": { + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", "type": "string", "default": "local", "one_of": [ "local", "cluster", "redis" - ], - "description": "The rate-limiting policies to use for retrieving and incrementing the limits." + ] } }, { "fault_tolerant": { + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", "required": true, - "default": true, "type": "boolean", - "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors." 
+ "default": true } }, { "redis": { + "description": "Redis configuration", + "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } }, { "timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "username": { - "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "referenceable": true } }, { "password": { - "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "len_min": 0, "type": "string", - "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." 
+ "referenceable": true, + "encrypted": true } }, { "database": { - "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "default": 0 } }, { "ssl": { - "required": false, - "default": false, + "description": "If set to true, uses SSL to connect to Redis.", "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis." + "required": false, + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "required": false, + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } } ], - "description": "Redis configuration", - "required": true, - "type": "record" + "required": true } }, { "block_on_first_violation": { + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", "required": true, - "default": false, "type": "boolean", - "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. 
This will block requests that are supposed to consume other limits too." + "default": false } }, { "hide_client_headers": { + "description": "Optionally hide informative response headers.", "required": true, - "default": false, "type": "boolean", - "description": "Optionally hide informative response headers." + "default": false } }, { "limits": { - "required": true, - "keys": { - "type": "string" - }, + "description": "A map that defines rate limits for the plugin.", "len_min": 1, - "type": "map", "values": { - "required": true, "fields": [ { "second": { @@ -257,6 +214,7 @@ } } ], + "required": true, "entity_checks": [ { "at_least_one_of": [ 
@@ -271,132 +229,246 @@ ], "type": "record" }, - "description": "A map that defines rate limits for the plugin." + "keys": { + "type": "string" + }, + "type": "map", + "required": true } } ], - "required": true, + "type": "record", "shorthand_fields": [ { "redis_host": { - "deprecation": { - "message": "response-ratelimiting: config.redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0" - }, + "type": "string", "translate_backwards": [ "redis", "host" ], - "type": "string" + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } + ], + "message": "response-ratelimiting: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + } } }, { "redis_port": { - "deprecation": { - "message": "response-ratelimiting: config.redis_port is deprecated, please use config.redis.port instead", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "redis", "port" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ], + "message": "response-ratelimiting: config.redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0" + } } }, { "redis_password": { - "deprecation": { - "message": "response-ratelimiting: config.redis_password is deprecated, please use config.redis.password instead", - "removal_in_version": "4.0" - }, "len_min": 0, + "type": "string", "translate_backwards": [ "redis", "password" ], - "type": "string" + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ], + "message": "response-ratelimiting: config.redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0" + } } }, { "redis_username": { - "deprecation": { - "message": "response-ratelimiting: config.redis_username is deprecated, please use config.redis.username instead", - "removal_in_version": "4.0" - }, + 
"type": "string", "translate_backwards": [ "redis", "username" ], - "type": "string" + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ], + "message": "response-ratelimiting: config.redis_username is deprecated, please use config.redis.username instead", + "removal_in_version": "4.0" + } } }, { "redis_ssl": { - "deprecation": { - "message": "response-ratelimiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", - "removal_in_version": "4.0" - }, + "type": "boolean", "translate_backwards": [ "redis", "ssl" ], - "type": "boolean" + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ], + "message": "response-ratelimiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0" + } } }, { "redis_ssl_verify": { - "deprecation": { - "message": "response-ratelimiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", - "removal_in_version": "4.0" - }, + "type": "boolean", "translate_backwards": [ "redis", "ssl_verify" ], - "type": "boolean" + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ], + "message": "response-ratelimiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0" + } } }, { "redis_server_name": { - "deprecation": { - "message": "response-ratelimiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", - "removal_in_version": "4.0" - }, + "type": "string", "translate_backwards": [ "redis", "server_name" ], - "type": "string" + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ], + "message": "response-ratelimiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0" + } } }, { "redis_timeout": { - "deprecation": { - "message": 
"response-ratelimiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "redis", "timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "timeout" + ] + } + ], + "message": "response-ratelimiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", + "removal_in_version": "4.0" + } } }, { "redis_database": { - "deprecation": { - "message": "response-ratelimiting: config.redis_database is deprecated, please use config.redis.database instead", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "redis", "database" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "database" + ] + } + ], + "message": "response-ratelimiting: config.redis_database is deprecated, please use config.redis.database instead", + "removal_in_version": "4.0" + } } } ], - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.host", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.port", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.timeout", + "then_match": { + "required": true + } } } ] diff --git a/schemas/response-transformer-advanced/3.8.x.json b/schemas/response-transformer-advanced/3.8.x.json index 29ea518b..1d32331c 100644 --- a/schemas/response-transformer-advanced/3.8.x.json +++ b/schemas/response-transformer-advanced/3.8.x.json 
@@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { @@ -33,40 +30,40 @@ "fields": [ { "json": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "if_status": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -74,30 +71,30 @@ "fields": [ { "headers": { + "type": "array", "default": [ ], "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } }, { "if_status": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -105,23 +102,24 @@ "fields": [ { "body": { - "type": "string", - "description": "String with which to replace the entire response body." + "description": "String with which to replace the entire response body.", + "type": "string" } }, { "json": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "json_types": { + "type": "array", "default": [ ], @@ -132,35 +130,34 @@ "number", "string" ] - }, - "type": "array" + } } }, { "headers": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "if_status": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
@@ -168,17 +165,18 @@ "fields": [ { "json": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "json_types": { + "type": "array", "default": [ ], @@ -189,35 +187,34 @@ "number", "string" ] - }, - "type": "array" + } } }, { "headers": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "if_status": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -225,17 +222,18 @@ "fields": [ { "json": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "json_types": { + "type": "array", "default": [ ], @@ -246,35 +244,34 @@ "number", "string" ] - }, - "type": "array" + } } }, { "headers": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "if_status": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -282,15 +279,15 @@ "fields": [ { "json": { + "type": "set", "elements": { "type": "string" - }, - "type": "set" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
@@ -298,53 +295,56 @@ "fields": [ { "functions": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "if_status": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "json": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "dots_in_keys": { - "default": true, + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", "type": "boolean", - "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects.." + "default": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/response-transformer/3.8.x.json b/schemas/response-transformer/3.8.x.json index 8a18c974..0219110a 100644 --- a/schemas/response-transformer/3.8.x.json +++ b/schemas/response-transformer/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { @@ -33,31 +30,31 @@ "fields": [ { "json": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
@@ -65,33 +62,33 @@ "fields": [ { "json": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } }, { "headers": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -99,19 +96,20 @@ "fields": [ { "json": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } }, { "json_types": { + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "required": true, "elements": { "type": "string", @@ -124,26 +122,25 @@ "type": "array", "default": [ - ], - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." + ] } }, { "headers": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -151,19 +148,20 @@ "fields": [ { "json": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } }, { "json_types": { + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "required": true, "elements": { "type": "string", 
@@ -176,26 +174,25 @@ "type": "array", "default": [ - ], - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." + ] } }, { "headers": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -203,19 +200,20 @@ "fields": [ { "json": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } }, { "json_types": { + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "required": true, "elements": { "type": "string", @@ -228,32 +226,34 @@ "type": "array", "default": [ - ], - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." + ] } }, { "headers": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/route-by-header/3.8.x.json b/schemas/route-by-header/3.8.x.json index f677e3c1..df002542 100644 --- a/schemas/route-by-header/3.8.x.json +++ b/schemas/route-by-header/3.8.x.json 
@@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -39,6 +36,7 @@ { "rules": { "description": "Route by header rules.", + "type": "array", "default": [ ], @@ -46,33 +44,35 @@ "fields": [ { "upstream_name": { - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "condition": { - "required": true, "len_min": 1, - "type": "map", "values": { "type": "string" }, "keys": { "type": "string" - } + }, + "type": "map", + "required": true } } ], "type": "record" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/route-transformer-advanced/3.8.x.json b/schemas/route-transformer-advanced/3.8.x.json index b21a71d6..76ec77f4 100644 --- a/schemas/route-transformer-advanced/3.8.x.json +++ b/schemas/route-transformer-advanced/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -58,7 +55,7 @@ } } ], - "required": true, + "type": "record", "entity_checks": [ { "at_least_one_of": [ 
@@ -68,8 +65,11 @@ ] } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/saml/3.8.x.json b/schemas/saml/3.8.x.json index 2e0448aa..18157277 100644 --- a/schemas/saml/3.8.x.json +++ b/schemas/saml/3.8.x.json @@ -1,24 +1,16 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
@@ -35,1140 +27,1299 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "shorthand_fields": [ + "fields": [ { - "session_cookie_lifetime": { - "deprecation": { - "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead", - "removal_in_version": "4.0" - }, - "type": "number" + "assertion_consumer_path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "required": true, + "starts_with": "/", + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { - "session_cookie_idletime": { - "deprecation": { - "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead", - "removal_in_version": "4.0" - }, - "type": "number" + "idp_sso_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": true, + "type": "string" } }, { - "session_cookie_samesite": { - "deprecation": { - "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead", - "removal_in_version": "4.0" - }, - "type": "string" + "idp_certificate": { + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. 
Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true } }, { - "session_cookie_httponly": { - "deprecation": { - "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead", - "removal_in_version": "4.0" - }, - "type": "boolean" + "response_encryption_key": { + "description": "The private encryption key required to decrypt encrypted assertions.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true } }, { - "session_memcache_prefix": { - "deprecation": { - "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead", - "removal_in_version": "4.0" - }, - "type": "string" + "request_signing_key": { + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true } }, { - "session_memcache_socket": { - "deprecation": { - "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead", - "removal_in_version": "4.0" - }, - "type": "string" + "request_signing_certificate": { + "description": "The certificate for signing requests.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true } }, { - "session_memcache_host": { - "deprecation": { - "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead", - "removal_in_version": "4.0" - }, - "type": "string" + "request_signature_algorithm": { + "description": "The signature algorithm for signing Authn requests. 
Options available are: - `SHA256` - `SHA384` - `SHA512`", + "required": false, + "one_of": [ + "SHA256", + "SHA384", + "SHA512" + ], + "type": "string", + "default": "SHA256" } }, { - "session_memcache_port": { - "deprecation": { - "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead", - "removal_in_version": "4.0" - }, - "type": "integer" + "request_digest_algorithm": { + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", + "required": false, + "one_of": [ + "SHA256", + "SHA1" + ], + "type": "string", + "default": "SHA256" } }, { - "session_cookie_renew": { - "deprecation": { - "message": "openid-connect: config.session_cookie_renew option does not exist anymore", - "removal_in_version": "4.0" - }, - "type": "number" + "response_signature_algorithm": { + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "required": false, + "one_of": [ + "SHA256", + "SHA384", + "SHA512" + ], + "type": "string", + "default": "SHA256" } }, { - "session_cookie_maxsize": { - "deprecation": { - "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore", - "removal_in_version": "4.0" - }, - "type": "integer" + "response_digest_algorithm": { + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", + "required": false, + "one_of": [ + "SHA256", + "SHA1" + ], + "type": "string", + "default": "SHA256" } }, { - "session_strategy": { - "deprecation": { - "message": "openid-connect: config.session_strategy option does not exist anymore", - "removal_in_version": "4.0" - }, + "issuer": { + "description": "The unique identifier of the IdP application. 
Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", + "required": true, "type": "string" } }, { - "session_compressor": { - "deprecation": { - "message": "openid-connect: config.session_compressor option does not exist anymore", - "removal_in_version": "4.0" - }, - "type": "string" + "nameid_format": { + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", + "required": false, + "one_of": [ + "Unspecified", + "EmailAddress", + "Persistent", + "Transient" + ], + "type": "string", + "default": "EmailAddress" } }, { - "session_auth_ttl": { - "deprecation": { - "message": "openid-connect: config.session_auth_ttl option does not exist anymore", - "removal_in_version": "4.0" - }, - "type": "number" + "validate_assertion_signature": { + "description": "Enable signature validation for SAML responses.", + "required": false, + "type": "boolean", + "default": true } }, { - "session_redis_prefix": { - "deprecation": { - "message": "saml: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "prefix" - ], + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", + "required": false, "type": "string" } }, { - "session_redis_socket": { - "deprecation": { - "message": "saml: config.session_redis_socket is deprecated, please use config.redis.socket instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "socket" - ], - "type": "string" + "session_secret": { + "description": "The session secret. 
This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "required": true, + "len_max": 32, + "match": "^[0-9a-zA-Z/_+]+$", + "referenceable": true, + "type": "string", + "len_min": 32, + "encrypted": true } }, { - "session_redis_host": { - "deprecation": { - "message": "saml: config.session_redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "host" - ], - "type": "string" + "session_audience": { + "description": "The session audience, for example \"my-application\"", + "required": false, + "type": "string", + "default": "default" } }, { - "session_redis_port": { - "deprecation": { - "message": "saml: config.session_redis_port is deprecated, please use config.redis.port instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "port" - ], - "type": "integer" + "session_cookie_name": { + "description": "The session cookie name.", + "required": false, + "type": "string", + "default": "session" } }, { - "session_redis_username": { - "deprecation": { - "message": "saml: config.redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "username" - ], - "type": "string" + "session_remember": { + "description": "Enables or disables persistent sessions", + "required": false, + "type": "boolean", + "default": false } }, { - "session_redis_password": { - "deprecation": { - "message": "saml: config.session_redis_password is deprecated, please use config.redis.password instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "password" - ], - "type": "string" + "session_remember_cookie_name": { + "description": "Persistent session cookie name", + "required": 
false, + "type": "string", + "default": "remember" } }, { - "session_redis_connect_timeout": { - "deprecation": { - "message": "saml: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "connect_timeout" - ], - "type": "integer" - } - }, - { - "session_redis_read_timeout": { - "deprecation": { - "message": "saml: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "read_timeout" - ], - "type": "integer" - } - }, - { - "session_redis_send_timeout": { - "deprecation": { - "message": "saml: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "send_timeout" - ], - "type": "integer" - } - }, - { - "session_redis_ssl": { - "deprecation": { - "message": "saml: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "ssl" - ], - "type": "boolean" + "session_remember_rolling_timeout": { + "description": "Persistent session rolling timeout in seconds.", + "required": false, + "type": "number", + "default": 604800 } }, { - "session_redis_ssl_verify": { - "deprecation": { - "message": "saml: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "ssl_verify" - ], - "type": "boolean" + "session_remember_absolute_timeout": { + "description": "Persistent session absolute timeout in seconds.", + "required": false, + "type": "number", + "default": 2592000 } }, { - "session_redis_server_name": { - "deprecation": { - "message": "saml: config.session_redis_server_name is deprecated, please use config.redis.server_name 
instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "server_name" - ], - "type": "string" + "session_idling_timeout": { + "description": "The session cookie idle time in seconds.", + "required": false, + "type": "number", + "default": 900 } }, { - "session_redis_cluster_nodes": { - "deprecation": { - "message": "saml: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", - "removal_in_version": "4.0" - }, - "elements": { - "fields": [ - { - "ip": { - "required": true, - "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com.", - "type": "string" - } - }, - { - "port": { - "between": [ - 0, - 65535 - ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" - } - } - ], - "type": "record" - }, - "translate_backwards": [ - "redis", - "cluster_nodes" - ], - "type": "array" + "session_rolling_timeout": { + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "required": false, + "type": "number", + "default": 3600 } }, { - "session_redis_cluster_max_redirections": { - "deprecation": { - "message": "saml: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "cluster_max_redirections" - ], - "type": "integer" + "session_absolute_timeout": { + "description": "The session cookie absolute timeout in seconds. 
Specifies how long the session can be used until it is no longer valid.", + "required": false, + "type": "number", + "default": 86400 } }, { - "session_redis_cluster_maxredirections": { - "deprecation": { - "message": "saml: config.session_redis_cluster_maxredirections is deprecated, please use config.redis.cluster_max_redirections instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "cluster_max_redirections" - ], - "type": "integer" - } - } - ], - "fields": [ - { - "assertion_consumer_path": { - "required": true, + "session_cookie_path": { "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "type": "string", + "required": false, "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "default": "/" } }, { - "idp_sso_url": { - "required": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "session_cookie_domain": { + "description": "The session cookie domain flag.", + "required": false, "type": "string" } }, { - "idp_certificate": { + "session_cookie_same_site": { + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "required": false, - "referenceable": true, + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ], "type": "string", - "encrypted": true, - "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. 
Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines." + "default": "Lax" } }, { - "response_encryption_key": { + "session_cookie_http_only": { + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "required": false, - "referenceable": true, - "type": "string", - "encrypted": true, - "description": "The private encryption key required to decrypt encrypted assertions." + "type": "boolean", + "default": true } }, { - "request_signing_key": { + "session_cookie_secure": { + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "required": false, - "referenceable": true, - "type": "string", - "encrypted": true, - "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well." + "type": "boolean" } }, { - "request_signing_certificate": { - "required": false, - "referenceable": true, - "type": "string", - "encrypted": true, - "description": "The certificate for signing requests." + "session_request_headers": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } } }, { - "request_signature_algorithm": { - "required": false, - "type": "string", - "default": "SHA256", - "one_of": [ - "SHA256", - "SHA384", - "SHA512" - ], - "description": "The signature algorithm for signing Authn requests. 
Options available are: - `SHA256` - `SHA384` - `SHA512`" + "session_response_headers": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } } }, { - "request_digest_algorithm": { + "session_storage": { + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", "required": false, - "type": "string", - "default": "SHA256", "one_of": [ - "SHA256", - "SHA1" + "cookie", + "memcache", + "memcached", + "redis" ], - "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`" + "type": "string", + "default": "cookie" } }, { - "response_signature_algorithm": { + "session_store_metadata": { + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", "required": false, - "type": "string", - "default": "SHA256", - "one_of": [ - "SHA256", - "SHA384", - "SHA512" - ], - "description": "The algorithm for validating signatures in SAML responses. 
Options available are: - `SHA256` - `SHA384` - `SHA512`" + "type": "boolean", + "default": false } }, { - "response_digest_algorithm": { + "session_enforce_same_subject": { + "description": "When set to `true`, audiences are forced to share the same subject.", "required": false, - "type": "string", - "default": "SHA256", - "one_of": [ - "SHA256", - "SHA1" - ], - "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`" + "type": "boolean", + "default": false } }, { - "issuer": { - "required": true, - "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", - "type": "string" + "session_hash_subject": { + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "required": false, + "type": "boolean", + "default": false } }, { - "nameid_format": { + "session_hash_storage_key": { + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "required": false, - "type": "string", - "default": "EmailAddress", - "one_of": [ - "Unspecified", - "EmailAddress", - "Persistent", - "Transient" - ], - "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`" - } - }, - { - "validate_assertion_signature": { - "required": false, - "default": true, - "description": "Enable signature validation for SAML responses.", - "type": "boolean" - } - }, - { - "anonymous": { - "required": false, - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. 
If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", - "type": "string" - } - }, - { - "session_secret": { - "required": true, - "referenceable": true, - "match": "^[0-9a-zA-Z/_+]+$", - "type": "string", - "len_max": 32, - "len_min": 32, - "encrypted": true, - "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange." - } - }, - { - "session_audience": { - "required": false, - "default": "default", - "description": "The session audience, for example \"my-application\"", - "type": "string" - } - }, - { - "session_cookie_name": { - "required": false, - "default": "session", - "description": "The session cookie name.", - "type": "string" - } - }, - { - "session_remember": { - "required": false, - "default": false, - "description": "Enables or disables persistent sessions", - "type": "boolean" - } - }, - { - "session_remember_cookie_name": { - "required": false, - "default": "remember", - "description": "Persistent session cookie name", - "type": "string" - } - }, - { - "session_remember_rolling_timeout": { - "required": false, - "default": 604800, - "description": "Persistent session rolling timeout in seconds.", - "type": "number" - } - }, - { - "session_remember_absolute_timeout": { - "required": false, - "default": 2592000, - "description": "Persistent session absolute timeout in seconds.", - "type": "number" - } - }, - { - "session_idling_timeout": { - "required": false, - "default": 900, - "description": "The session cookie idle time in seconds.", - "type": "number" - } - }, - { - "session_rolling_timeout": { - "required": false, - "default": 3600, - "description": "The session cookie absolute timeout in seconds. 
Specifies how long the session can be used until it is no longer valid.", - "type": "number" - } - }, - { - "session_absolute_timeout": { - "required": false, - "default": 86400, - "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", - "type": "number" - } - }, - { - "session_cookie_path": { - "required": false, - "match_none": [ - { - "pattern": "//", - "err": "must not have empty segments" - } - ], - "type": "string", - "starts_with": "/", - "default": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." - } - }, - { - "session_cookie_domain": { - "required": false, - "description": "The session cookie domain flag.", - "type": "string" - } - }, - { - "session_cookie_same_site": { - "required": false, - "type": "string", - "default": "Lax", - "one_of": [ - "Strict", - "Lax", - "None", - "Default" - ], - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." 
- } - }, - { - "session_cookie_http_only": { - "required": false, - "default": true, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "type": "boolean" - } - }, - { - "session_cookie_secure": { - "required": false, - "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "type": "boolean" - } - }, - { - "session_request_headers": { - "elements": { - "type": "string", - "one_of": [ - "id", - "audience", - "subject", - "timeout", - "idling-timeout", - "rolling-timeout", - "absolute-timeout" - ] - }, - "type": "set" - } - }, - { - "session_response_headers": { - "elements": { - "type": "string", - "one_of": [ - "id", - "audience", - "subject", - "timeout", - "idling-timeout", - "rolling-timeout", - "absolute-timeout" - ] - }, - "type": "set" - } - }, - { - "session_storage": { - "required": false, - "type": "string", - "default": "cookie", - "one_of": [ - "cookie", - "memcache", - "memcached", - "redis" - ], - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis" - } - }, - { - "session_store_metadata": { - "required": false, - "default": false, - "description": "Configures whether or not session metadata should be stored. 
This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", - "type": "boolean" - } - }, - { - "session_enforce_same_subject": { - "required": false, - "default": false, - "description": "When set to `true`, audiences are forced to share the same subject.", - "type": "boolean" - } - }, - { - "session_hash_subject": { - "required": false, - "default": false, - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", - "type": "boolean" - } - }, - { - "session_hash_storage_key": { - "required": false, - "default": false, - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "session_memcached_prefix": { - "required": false, "description": "The memcached session key prefix.", + "required": false, "type": "string" } }, { "session_memcached_socket": { - "required": false, "description": "The memcached unix socket path.", + "required": false, "type": "string" } }, { "session_memcached_host": { - "required": false, - "default": "127.0.0.1", "description": "The memcached host.", - "type": "string" + "required": false, + "type": "string", + "default": "127.0.0.1" } }, { "session_memcached_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": false, - "type": "integer", "between": [ 0, 65535 ], - "default": 11211, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ "type": "integer", + "default": 11211 } }, { "redis": { - "required": true, - "entity_checks": [ + "fields": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 ] } }, { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - }, - "if_match": { - "eq": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "fields": [ - { - "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" - } - }, - { - "port": { - "between": [ - 0, - 
65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" - } - }, - { - "connect_timeout": { - "between": [ - 0, - 2147483646 - ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "username": { - "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "referenceable": true } }, { "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "type": "string", - "referenceable": true, "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + "referenceable": true } }, { "sentinel_username": { - "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. 
If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", "type": "string", - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + "referenceable": true } }, { "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "type": "string", - "referenceable": true, "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + "referenceable": true } }, { "database": { - "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." 
+ "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + ] } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string" + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "default": 6379 } } ], "type": "record" }, - "len_min": 1, "type": "array", - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "default": 6379 } } ], "type": "record" }, - "len_min": 1, "type": "array", - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." 
+ "len_min": 1 } }, { "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", "required": false, - "default": false, "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis." + "default": false } }, { "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, - "default": false, "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "default": false } }, { "server_name": { - "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string", - "description": "A string representing an SNI (server name indication) value for TLS." + "required": false } }, { "cluster_max_redirections": { - "required": false, - "default": 5, "description": "Maximum retry attempts for redirection.", - "type": "integer" + "required": false, + "type": "integer", + "default": 5 } }, { "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "required": false, - "default": false, "type": "boolean", - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address." 
+ "default": false } }, { "prefix": { - "required": false, "description": "The Redis session key prefix.", + "required": false, "type": "string" } }, { "socket": { - "required": false, "description": "The Redis unix socket path.", + "required": false, "type": "string" } } ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + }, + "then_field": "host" + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], "shorthand_fields": [ { "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + 
"path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true, + "type": "record" } } ], - "type": "record" + "required": true, + "shorthand_fields": [ + { + "session_cookie_lifetime": { + "deprecation": { + "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_cookie_idletime": { + "deprecation": { + "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_cookie_samesite": { + "deprecation": { + "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_cookie_httponly": { + "deprecation": { + "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead", + "removal_in_version": "4.0" + }, + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "deprecation": { + "message": 
"openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_memcache_socket": { + "deprecation": { + "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_memcache_host": { + "deprecation": { + "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_memcache_port": { + "deprecation": { + "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead", + "removal_in_version": "4.0" + }, + "type": "integer" + } + }, + { + "session_cookie_renew": { + "deprecation": { + "message": "openid-connect: config.session_cookie_renew option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "deprecation": { + "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "integer" + } + }, + { + "session_strategy": { + "deprecation": { + "message": "openid-connect: config.session_strategy option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_compressor": { + "deprecation": { + "message": "openid-connect: config.session_compressor option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_auth_ttl": { + "deprecation": { + "message": "openid-connect: config.session_auth_ttl option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_redis_prefix": { + "type": "string", + "translate_backwards": [ + 
"redis", + "prefix" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "prefix" + ] + } + ], + "message": "saml: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_socket": { + "type": "string", + "translate_backwards": [ + "redis", + "socket" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "socket" + ] + } + ], + "message": "saml: config.session_redis_socket is deprecated, please use config.redis.socket instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_host": { + "type": "string", + "translate_backwards": [ + "redis", + "host" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } + ], + "message": "saml: config.session_redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_port": { + "type": "integer", + "translate_backwards": [ + "redis", + "port" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ], + "message": "saml: config.session_redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_username": { + "type": "string", + "translate_backwards": [ + "redis", + "username" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ], + "message": "saml: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_password": { + "type": "string", + "translate_backwards": [ + "redis", + "password" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ], + "message": "saml: config.session_redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0" + } + } + }, + { + 
"session_redis_connect_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + "connect_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "connect_timeout" + ] + } + ], + "message": "saml: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_read_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + "read_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "read_timeout" + ] + } + ], + "message": "saml: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_send_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + "send_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "send_timeout" + ] + } + ], + "message": "saml: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_ssl": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ], + "message": "saml: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_ssl_verify": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl_verify" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ], + "message": "saml: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_server_name": { + "type": "string", + "translate_backwards": [ + "redis", + "server_name" + ], + "deprecation": { + "replaced_with": [ + { + "path": 
[ + "redis", + "server_name" + ] + } + ], + "message": "saml: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_cluster_nodes": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "cluster_nodes" + ] + } + ], + "message": "saml: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "translate_backwards": [ + "redis", + "cluster_nodes" + ], + "elements": { + "fields": [ + { + "ip": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + } + } + }, + { + "session_redis_cluster_max_redirections": { + "type": "integer", + "translate_backwards": [ + "redis", + "cluster_max_redirections" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "cluster_max_redirections" + ] + } + ], + "message": "saml: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer", + "translate_backwards": [ + "redis", + "cluster_max_redirections" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "cluster_max_redirections" + ] + } + ], + "message": "saml: config.session_redis_cluster_maxredirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0" + } + } + } + ], + "type": "record" + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] 
diff --git a/schemas/session/3.8.x.json b/schemas/session/3.8.x.json index 4bd0b51b..decea8f5 100644 --- a/schemas/session/3.8.x.json +++ b/schemas/session/3.8.x.json @@ -1,20 +1,20 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -26,9 +26,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -36,15 +34,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -53,137 +50,138 @@ "fields": [ { "secret": { + "description": "The secret that is used in keyed HMAC generation.", "required": false, "referenceable": true, "type": "string", - "default": "jJoUL7vTfOhDYLGGEM4Dwk8E8Ahh3KwRHsDVdtqtOYIc", "encrypted": true, - "description": "The secret that is used in keyed HMAC generation." + "default": "7iK18YEanf6i9XHvNwzx4RpdmHdRN6nSpPxC1uQxfsse" } }, { "storage": { "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", + "type": "string", "default": "cookie", "one_of": [ "cookie", "kong" - ], - "type": "string" + ] } }, { "audience": { - "default": "default", "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", - "type": "string" + "type": "string", + "default": "default" } }, { "idling_timeout": { - "default": 900, "description": "The session cookie idle time, in seconds.", - "type": "number" + "type": "number", + "default": 900 } }, { "rolling_timeout": { - "default": 3600, "description": "The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed.", - "type": "number" + "type": "number", + "default": 3600 } }, { "absolute_timeout": { - "default": 86400, "description": "The session cookie absolute timeout, in seconds. 
Specifies how long the session can be used until it is no longer valid.", - "type": "number" + "type": "number", + "default": 86400 } }, { "stale_ttl": { - "default": 10, "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", - "type": "number" + "type": "number", + "default": 10 } }, { "cookie_name": { - "default": "session", "description": "The name of the cookie.", - "type": "string" + "type": "string", + "default": "session" } }, { "cookie_path": { - "default": "/", "description": "The resource in the host where the cookie is available.", - "type": "string" + "type": "string", + "default": "/" } }, { "cookie_domain": { - "type": "string", - "description": "The domain with which the cookie is intended to be exchanged." + "description": "The domain with which the cookie is intended to be exchanged.", + "type": "string" } }, { "cookie_same_site": { "description": "Determines whether and how a cookie may be sent with cross-site requests.", + "type": "string", "default": "Strict", "one_of": [ "Strict", "Lax", "None", "Default" - ], - "type": "string" + ] } }, { "cookie_http_only": { - "default": true, "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "cookie_secure": { - "default": true, "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "remember": { - "default": false, "description": "Enables or disables persistent sessions.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "remember_cookie_name": { - "default": "remember", "description": "Persistent session cookie name. 
Use with the `remember` configuration parameter.", - "type": "string" + "type": "string", + "default": "remember" } }, { "remember_rolling_timeout": { - "default": 604800, "description": "The persistent session rolling timeout window, in seconds.", - "type": "number" + "type": "number", + "default": 604800 } }, { "remember_absolute_timeout": { - "default": 2592000, "description": "The persistent session absolute timeout limit, in seconds.", - "type": "number" + "type": "number", + "default": 2592000 } }, { "response_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", "type": "set", "elements": { "type": "string", @@ -196,12 +194,12 @@ "rolling-timeout", "absolute-timeout" ] - }, - "description": "List of information to include, as headers, in the response to the downstream." + } } }, { "request_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", "type": "set", "elements": { "type": "string", @@ -214,8 +212,7 @@ "rolling-timeout", "absolute-timeout" ] - }, - "description": "List of information to include, as headers, in the response to the downstream." + } } }, { @@ -226,11 +223,8 @@ }, { "logout_methods": { + "description": "A set of HTTP methods that the plugin will respond to.", "type": "set", - "default": [ - "POST", - "DELETE" - ], "elements": { "type": "string", "one_of": [ 
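Review bot: In schemas/session/3.8.x.json, the `secret` field at the top of the `@@ -53,137 +50,138 @@` hunk has its `default` swapped from one 44-character random-looking string to another while nothing else about the field changes. This suggests the value is generated by whichever instance the schema was pulled from and is not a stable default. Publishing it in the schema makes every re-download produce a spurious diff, and it invites readers to copy a publicly known string as their HMAC key. I would have the download step drop that line or normalise it to a labelled placeholder such as `"default": "<generated-per-instance>"`. If the plugin does generate the value at load time (to be confirmed against the plugin source), the description could also say that the secret should be set explicitly.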
@@ -239,25 +233,28 @@ "DELETE" ] }, - "description": "A set of HTTP methods that the plugin will respond to." + "default": [ + "POST", + "DELETE" + ] } }, { "logout_query_arg": { - "default": "session_logout", "description": "The query argument passed to logout requests.", - "type": "string" + "type": "string", + "default": "session_logout" } }, { "logout_post_arg": { - "default": "session_logout", "description": "The POST argument passed to logout requests. Do not change this property.", - "type": "string" + "type": "string", + "default": "session_logout" } } ], - "required": true, + "type": "record", "shorthand_fields": [ { "cookie_lifetime": { @@ -295,8 +292,11 @@ } } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/standard-webhooks/3.8.x.json b/schemas/standard-webhooks/3.8.x.json index 13c11260..c1cb595d 100644 --- a/schemas/standard-webhooks/3.8.x.json +++ b/schemas/standard-webhooks/3.8.x.json @@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -29,8 +27,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
@@ -38,26 +35,29 @@ "fields": [ { "secret_v1": { + "description": "Webhook secret", "required": true, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Webhook secret" + "referenceable": true } }, { "tolerance_second": { - "gt": -1, - "type": "integer", - "default": 300, + "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response.", "required": true, - "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response." + "type": "integer", + "gt": -1, + "default": 300 } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/statsd-advanced/3.8.x.json b/schemas/statsd-advanced/3.8.x.json index 76c8d2a5..ed33f15a 100644 --- a/schemas/statsd-advanced/3.8.x.json +++ b/schemas/statsd-advanced/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -45,36 +42,37 @@ "fields": [ { "host": { - "default": "localhost", "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "default": "localhost" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 8125, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 8125 } }, { "prefix": { - "default": "kong", + "description": "String to prefix to each metric's name.", "type": "string", - "description": "String to prefix to each metric's name." + "default": "kong" } }, { "metrics": { "description": "List of Metrics to be logged.", + "type": "array", "default": [ { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "request_count" }, { @@ -86,8 +84,8 @@ "name": "request_size" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "status_count" }, { @@ -99,8 +97,8 @@ "name": "unique_users" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "request_per_user" }, { @@ -112,33 +110,33 @@ "name": "kong_latency" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "status_count_per_user" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "status_count_per_workspace" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "status_count_per_user_per_route" }, { - "sample_rate": 1, "stat_type": "gauge", + "sample_rate": 1, "name": "shdict_usage" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "cache_datastore_hits_total" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "cache_datastore_misses_total" } ], @@ -146,6 +144,7 @@ "fields": [ { "name": { + "type": "string", "required": true, "one_of": [ "kong_latency", 
@@ -163,12 +162,12 @@ "shdict_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" - ], - "type": "string" + ] } }, { "stat_type": { + "type": "string", "required": true, "one_of": [ "counter", @@ -177,8 +176,7 @@ "meter", "set", "timer" - ], - "type": "string" + ] } }, { @@ -218,24 +216,25 @@ } } ], + "type": "record", "entity_checks": [ { "conditional": { - "then_field": "stat_type", + "if_field": "name", "if_match": { "one_of": [ "unique_users" ] }, + "then_field": "stat_type", "then_match": { "eq": "set" - }, - "if_field": "name" + } } }, { "conditional": { - "then_field": "stat_type", + "if_field": "name", "if_match": { "one_of": [ "request_count", 
@@ -248,119 +247,117 @@ "cache_datastore_misses_total" ] }, + "then_field": "stat_type", "then_match": { "eq": "counter" - }, - "if_field": "name" + } } }, { "conditional": { - "then_field": "stat_type", + "if_field": "name", "if_match": { "one_of": [ "shdict_usage" ] }, + "then_field": "stat_type", "then_match": { "eq": "gauge" - }, - "if_field": "name" + } } }, { "conditional": { - "then_field": "sample_rate", + "if_field": "stat_type", "if_match": { "one_of": [ "counter", "gauge" ] }, + "then_field": "sample_rate", "then_match": { "required": true - }, - "if_field": "stat_type" + } } } - ], - "type": "record" - }, - "type": "array" + ] + } } }, { "allow_status_codes": { "description": "List of status code ranges that are allowed to be logged in metrics.", + "type": "array", "elements": { - "match": "^[0-9]+-[0-9]+$", - "type": "string" - }, - "type": "array" + "type": "string", + "match": "^[0-9]+-[0-9]+$" + } } }, { "udp_packet_size": { + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", + "type": "number", "between": [ 0, 65507 ], - "default": 0, - "type": "number", - "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive)." + "default": 0 } }, { "use_tcp": { - "default": false, + "description": "Use TCP instead of UDP.", "type": "boolean", - "description": "Use TCP instead of UDP." + "default": false } }, { "hostname_in_prefix": { - "default": false, + "description": "Include the `hostname` in the `prefix` for each metric name.", "type": "boolean", - "description": "Include the `hostname` in the `prefix` for each metric name." + "default": false } }, { "consumer_identifier_default": { + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. 
Allowed values are `custom_id`, `consumer_id`, `username`.", "required": true, - "type": "string", - "default": "custom_id", "one_of": [ "consumer_id", "custom_id", "username" ], - "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`." + "type": "string", + "default": "custom_id" } }, { "service_identifier_default": { + "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", "required": true, - "type": "string", - "default": "service_name_or_host", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" ], - "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`." + "type": "string", + "default": "service_name_or_host" } }, { "workspace_identifier_default": { + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", "required": true, - "type": "string", - "default": "workspace_id", "one_of": [ "workspace_id", "workspace_name" ], - "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. " + "type": "string", + "default": "workspace_id" } }, { 
@@ -368,92 +365,95 @@ "fields": [ { "max_batch_size": { + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time." + "default": 1 } }, { "max_coalescing_delay": { + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", "between": [ 0, 3600 ], - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + "default": 1 } }, { "max_entries": { + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue." + "default": 10000 } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { - "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "default": 60 } }, { "initial_retry_delay": { + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch." 
+ "default": 0.01 } }, { "max_retry_delay": { + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff." + "default": 60 } }, { "concurrency_limit": { + "description": "The number of of queue delivery timers. -1 indicates unlimited.", "type": "integer", "default": 1, "one_of": [ -1, 1 - ], - "description": "The number of of queue delivery timers. -1 indicates unlimited." + ] } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/statsd/3.8.x.json b/schemas/statsd/3.8.x.json index 2b2e0d1b..9d9a047a 100644 --- a/schemas/statsd/3.8.x.json +++ b/schemas/statsd/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -45,102 +42,103 @@ "fields": [ { "host": { - "default": "localhost", "description": "The IP address or hostname of StatsD server to send data to.", - "type": "string" + "type": "string", + "default": "localhost" } }, { "port": { + "description": "The port of StatsD server to send data to.", + "type": "integer", "between": [ 0, 65535 ], - "default": 8125, - "description": "The port of StatsD server to send data to.", - "type": "integer" + "default": 8125 } }, { "prefix": { - "default": "kong", "description": "String to prefix to each metric's name.", - "type": "string" + "type": "string", + "default": "kong" } }, { "metrics": { + "description": "List of metrics to be logged.", "type": "array", "default": [ { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "request_count" }, { - "name": "latency", - "stat_type": "timer" + "stat_type": "timer", + "name": "latency" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "request_size" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "status_count" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "response_size" }, { - "name": "unique_users", - "stat_type": "set" + "stat_type": "set", + "name": "unique_users" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "request_per_user" }, { - "name": "upstream_latency", - "stat_type": "timer" + "stat_type": "timer", + "name": "upstream_latency" }, { - "name": "kong_latency", - "stat_type": "timer" + "stat_type": "timer", + "name": "kong_latency" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "status_count_per_user" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "status_count_per_workspace" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "status_count_per_user_per_route" }, { - "sample_rate": 1, "stat_type": "gauge", + "sample_rate": 1, "name": "shdict_usage" }, { 
- "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "cache_datastore_hits_total" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "cache_datastore_misses_total" } ], @@ -148,6 +146,8 @@ "fields": [ { "name": { + "description": "StatsD metric’s name.", + "type": "string", "required": true, "one_of": [ "kong_latency", @@ -165,13 +165,13 @@ "shdict_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" - ], - "description": "StatsD metric’s name.", - "type": "string" + ] } }, { "stat_type": { + "description": "Determines what sort of event a metric represents.", + "type": "string", "required": true, "one_of": [ "counter", 
@@ -180,92 +180,89 @@ "meter", "set", "timer" - ], - "description": "Determines what sort of event a metric represents.", - "type": "string" + ] } }, { "sample_rate": { - "gt": 0, "description": "Sampling rate", - "type": "number" + "type": "number", + "gt": 0 } }, { "consumer_identifier": { + "description": "Authenticated user detail.", + "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ], - "type": "string", - "description": "Authenticated user detail." + ] } }, { "service_identifier": { + "description": "Service detail.", + "type": "string", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ], - "type": "string", - "description": "Service detail." + ] } }, { "workspace_identifier": { + "description": "Workspace detail.", + "type": "string", "one_of": [ "workspace_id", "workspace_name" - ], - "type": "string", - "description": "Workspace detail." + ] } } ], + "type": "record", "entity_checks": [ { "conditional": { - "then_field": "sample_rate", + "if_field": "stat_type", "if_match": { "one_of": [ "counter", "gauge" ] }, + "then_field": "sample_rate", "then_match": { "required": true - }, - "if_field": "stat_type" + } } } - ], - "type": "record" - }, - "description": "List of metrics to be logged." + ] + } } }, { "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", "type": "array", "elements": { - "match": "^[0-9]+-[0-9]+$", - "type": "string" - }, - "description": "List of status code ranges that are allowed to be logged in metrics." + "type": "string", + "match": "^[0-9]+-[0-9]+$" + } } }, { "udp_packet_size": { + "type": "number", "between": [ 0, 65507 ], - "default": 0, - "type": "number" + "default": 0 } }, { 
@@ -282,80 +279,80 @@ }, { "consumer_identifier_default": { - "required": true, "default": "custom_id", + "type": "string", + "required": true, "one_of": [ "consumer_id", "custom_id", "username" - ], - "type": "string" + ] } }, { "service_identifier_default": { - "required": true, "default": "service_name_or_host", + "type": "string", + "required": true, "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ], - "type": "string" + ] } }, { "workspace_identifier_default": { - "required": true, "default": "workspace_id", + "type": "string", + "required": true, "one_of": [ "workspace_id", "workspace_name" - ], - "type": "string" + ] } }, { "retry_count": { + "type": "integer", "deprecation": { + "old_default": 10, "message": "statsd: config.retry_count no longer works, please use config.queue.max_retry_time instead", - "removal_in_version": "4.0", - "old_default": 10 - }, - "type": "integer" + "removal_in_version": "4.0" + } } }, { "queue_size": { + "type": "integer", "deprecation": { + "old_default": 1, "message": "statsd: config.queue_size is deprecated, please use config.queue.max_batch_size instead", - "removal_in_version": "4.0", - "old_default": 1 - }, - "type": "integer" + "removal_in_version": "4.0" + } } }, { "flush_timeout": { + "type": "number", "deprecation": { + "old_default": 2, "message": "statsd: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", - "removal_in_version": "4.0", - "old_default": 2 - }, - "type": "number" + "removal_in_version": "4.0" + } } }, { "tag_style": { + "type": "string", "required": false, "one_of": [ "dogstatsd", "influxdb", "librato", "signalfx" - ], - "type": "string" + ] } }, { 
@@ -363,92 +360,95 @@ "fields": [ { "max_batch_size": { + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time." + "default": 1 } }, { "max_coalescing_delay": { + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", "between": [ 0, 3600 ], - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + "default": 1 } }, { "max_entries": { + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue." + "default": 10000 } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { - "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "default": 60 } }, { "initial_retry_delay": { + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch." 
+ "default": 0.01 } }, { "max_retry_delay": { + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff." + "default": 60 } }, { "concurrency_limit": { + "description": "The number of of queue delivery timers. -1 indicates unlimited.", "type": "integer", "default": 1, "one_of": [ -1, 1 - ], - "description": "The number of of queue delivery timers. -1 indicates unlimited." + ] } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/syslog/3.8.x.json b/schemas/syslog/3.8.x.json index 8521cf22..5daf010a 100644 --- a/schemas/syslog/3.8.x.json +++ b/schemas/syslog/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -45,8 +42,9 @@ "fields": [ { "log_level": { - "required": true, "default": "info", + "required": true, + "type": "string", "one_of": [ "debug", "info", 
@@ -56,14 +54,14 @@ "crit", "alert", "emerg" - ], - "type": "string" + ] } }, { "successful_severity": { - "required": true, "default": "info", + "required": true, + "type": "string", "one_of": [ "debug", "info", @@ -73,14 +71,14 @@ "crit", "alert", "emerg" - ], - "type": "string" + ] } }, { "client_errors_severity": { - "required": true, "default": "info", + "required": true, + "type": "string", "one_of": [ "debug", "info", @@ -90,14 +88,14 @@ "crit", "alert", "emerg" - ], - "type": "string" + ] } }, { "server_errors_severity": { - "required": true, "default": "info", + "required": true, + "type": "string", "one_of": [ "debug", "info", @@ -107,8 +105,7 @@ "crit", "alert", "emerg" - ], - "type": "string" + ] } }, { @@ -117,19 +114,18 @@ "type": "string", "len_min": 1 }, - "description": "Lua code as a key-value map", + "type": "map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, - "type": "map" + "description": "Lua code as a key-value map" } }, { "facility": { + "description": "The facility is used by the operating system to decide how to handle each log message.", "required": true, - "type": "string", - "default": "user", "one_of": [ "auth", "authpriv", @@ -152,13 +148,17 @@ "local6", "local7" ], - "description": "The facility is used by the operating system to decide how to handle each log message." + "type": "string", + "default": "user" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/tcp-log/3.8.x.json b/schemas/tcp-log/3.8.x.json index ec1ef0a7..3edb1e1e 100644 --- a/schemas/tcp-log/3.8.x.json +++ b/schemas/tcp-log/3.8.x.json 
@@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -45,15 +42,15 @@ "fields": [ { "host": { - "required": true, "description": "The IP address or host name to send data to.", + "required": true, "type": "string" } }, { "port": { - "required": true, "description": "The port to send data to on the upstream server.", + "required": true, "between": [ 0, 65535 @@ -63,24 +60,24 @@ }, { "timeout": { - "default": 10000, "description": "An optional timeout in milliseconds when sending data to the upstream server.", - "type": "number" + "type": "number", + "default": 10000 } }, { "keepalive": { - "default": 60000, "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", - "type": "number" + "type": "number", + "default": 60000 } }, { "tls": { - "required": true, - "default": false, "description": "Indicates whether to perform a TLS handshake against the remote server.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": false } }, { 
@@ -91,22 +88,25 @@ }, { "custom_fields_by_lua": { + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", "type": "map", - "keys": { + "values": { "type": "string", "len_min": 1 }, - "values": { - "len_min": 1, - "type": "string" - }, - "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value." + "keys": { + "type": "string", + "len_min": 1 + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/tls-handshake-modifier/3.8.x.json b/schemas/tls-handshake-modifier/3.8.x.json index e3e7e4a0..0ce0806f 100644 --- a/schemas/tls-handshake-modifier/3.8.x.json +++ b/schemas/tls-handshake-modifier/3.8.x.json @@ -1,23 +1,21 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, "default": [ "https", "grpcs" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ @@ -25,15 +23,14 @@ "grpcs", "tls" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -42,19 +39,22 @@ "fields": [ { "tls_client_certificate": { + "description": "TLS Client Certificate", "required": false, - "type": "string", - "default": "REQUEST", "one_of": [ "REQUEST" ], - "description": "TLS Client Certificate" + "type": "string", + "default": "REQUEST" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/tls-metadata-headers/3.8.x.json b/schemas/tls-metadata-headers/3.8.x.json index 432788dc..70e69c6b 100644 --- a/schemas/tls-metadata-headers/3.8.x.json +++ b/schemas/tls-metadata-headers/3.8.x.json @@ -1,23 +1,21 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, "default": [ "https", "grpcs" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ @@ -25,15 +23,14 @@ "grpcs", "tls" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -42,55 +39,58 @@ "fields": [ { "inject_client_cert_details": { - "default": false, + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", "type": "boolean", - "description": "Enables TLS client certificate metadata values to be injected into HTTP headers." + "default": false } }, { "client_cert_header_name": { - "required": true, - "default": "X-Client-Cert", + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", "type": "string", - "description": "Define the HTTP header name used for the PEM format URL encoded client certificate." + "required": true, + "default": "X-Client-Cert" } }, { "client_serial_header_name": { - "required": true, - "default": "X-Client-Cert-Serial", + "description": "Define the HTTP header name used for the serial number of the client certificate.", "type": "string", - "description": "Define the HTTP header name used for the serial number of the client certificate." + "required": true, + "default": "X-Client-Cert-Serial" } }, { "client_cert_issuer_dn_header_name": { - "required": true, - "default": "X-Client-Cert-Issuer-DN", + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", "type": "string", - "description": "Define the HTTP header name used for the issuer DN of the client certificate." + "required": true, + "default": "X-Client-Cert-Issuer-DN" } }, { "client_cert_subject_dn_header_name": { - "required": true, - "default": "X-Client-Cert-Subject-DN", + "description": "Define the HTTP header name used for the subject DN of the client certificate.", "type": "string", - "description": "Define the HTTP header name used for the subject DN of the client certificate." 
+ "required": true, + "default": "X-Client-Cert-Subject-DN" } }, { "client_cert_fingerprint_header_name": { - "required": true, - "default": "X-Client-Cert-Fingerprint", + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", "type": "string", - "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate." + "required": true, + "default": "X-Client-Cert-Fingerprint" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/udp-log/3.8.x.json b/schemas/udp-log/3.8.x.json index 2f09cbc5..d8176b5d 100644 --- a/schemas/udp-log/3.8.x.json +++ b/schemas/udp-log/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -45,15 +42,15 @@ "fields": [ { "host": { - "required": true, "description": "A string representing a host name, such as example.com.", + "required": true, "type": "string" } }, { "port": { - "required": true, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, "between": [ 0, 65535 
@@ -63,9 +60,9 @@ }, { "timeout": { - "default": 10000, "description": "An optional timeout in milliseconds when sending data to the upstream server.", - "type": "number" + "type": "number", + "default": 10000 } }, { @@ -74,18 +71,21 @@ "type": "string", "len_min": 1 }, - "description": "Lua code as a key-value map", + "type": "map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, - "type": "map" + "description": "Lua code as a key-value map" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/upstream-oauth/3.8.x.json b/schemas/upstream-oauth/3.8.x.json index e36b6a0a..cb3d6cdc 100644 --- a/schemas/upstream-oauth/3.8.x.json +++ b/schemas/upstream-oauth/3.8.x.json @@ -2,8 +2,8 @@ "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, - "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -13,539 +13,535 @@ "https" ] }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { - "type": "record", "fields": [ { "client": { - "type": "record", "fields": [ { "auth_method": { + "description": "The authentication method used in client requests to the IdP. Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", + "required": true, "one_of": [ "client_secret_post", "client_secret_basic", "client_secret_jwt", "none" ], - "required": true, "type": "string", - "default": "client_secret_post", - "description": "The authentication method used in client requests to the IdP. Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body." + "default": "client_secret_post" } }, { "client_secret_jwt_alg": { + "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", + "required": true, "one_of": [ "HS512", "HS256" ], - "required": true, "type": "string", - "default": "HS512", - "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication." + "default": "HS512" } }, { "http_version": { - "type": "number", "description": "The HTTP version used for requests made by this plugin. 
Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", - "default": 1.1, - "required": false + "required": false, + "type": "number", + "default": 1.1 } }, { "http_proxy": { - "type": "string", + "description": "The proxy to use when making HTTP requests to the IdP.", "required": false, - "description": "The proxy to use when making HTTP requests to the IdP." + "type": "string" } }, { "http_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `http_proxy`.", "type": "string", - "required": false, - "description": "The `Proxy-Authorization` header value to be used with `http_proxy`." + "required": false } }, { "https_proxy": { - "type": "string", + "description": "The proxy to use when making HTTPS requests to the IdP.", "required": false, - "description": "The proxy to use when making HTTPS requests to the IdP." + "type": "string" } }, { "https_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `https_proxy`.", "type": "string", - "required": false, - "description": "The `Proxy-Authorization` header value to be used with `https_proxy`." + "required": false } }, { "no_proxy": { + "description": "A comma-separated list of hosts that should not be proxied.", "type": "string", - "required": false, - "description": "A comma-separated list of hosts that should not be proxied." + "required": false } }, { "timeout": { + "description": "Network I/O timeout for requests to the IdP in milliseconds.", + "required": true, "between": [ 0, 2147483646 ], - "required": true, "type": "integer", - "default": 10000, - "description": "Network I/O timeout for requests to the IdP in milliseconds." + "default": 10000 } }, { "keep_alive": { + "description": "Whether to use keepalive connections to the IdP.", "type": "boolean", "required": true, - "default": true, - "description": "Whether to use keepalive connections to the IdP." 
+ "default": true } }, { "ssl_verify": { + "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", "type": "boolean", "required": false, - "default": false, - "description": "Whether to verify the certificate presented by the IdP when using HTTPS." + "default": false } } ], + "type": "record", "required": true } }, { "oauth": { - "type": "record", "fields": [ { "token_endpoint": { - "type": "string", + "description": "The token endpoint URI.", "required": true, - "description": "The token endpoint URI." + "type": "string" } }, { "token_headers": { + "description": "Extra headers to be passed in the token endpoint request.", "type": "map", "values": { - "referenceable": true, - "type": "string" - }, - "keys": { "type": "string", - "description": "A string representing an HTTP header name." + "referenceable": true }, - "description": "Extra headers to be passed in the token endpoint request." + "keys": { + "description": "A string representing an HTTP header name.", + "type": "string" + } } }, { "token_post_args": { + "description": "Extra post arguments to be passed in the token endpoint request.", "type": "map", "values": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, "keys": { "type": "string" - }, - "description": "Extra post arguments to be passed in the token endpoint request." + } } }, { "grant_type": { + "description": "The OAuth grant type to be used.", + "required": true, "one_of": [ "client_credentials", "password" ], - "required": true, "type": "string", - "default": "client_credentials", - "description": "The OAuth grant type to be used." + "default": "client_credentials" } }, { "client_id": { - "encrypted": true, + "description": "The client ID for the application registration in the IdP.", "required": false, "type": "string", "referenceable": true, - "description": "The client ID for the application registration in the IdP." 
+ "encrypted": true } }, { "client_secret": { - "encrypted": true, + "description": "The client secret for the application registration in the IdP.", "required": false, "type": "string", "referenceable": true, - "description": "The client secret for the application registration in the IdP." + "encrypted": true } }, { "username": { - "encrypted": true, + "description": "The username to use if `config.oauth.grant_type` is set to `password`.", "required": false, "type": "string", "referenceable": true, - "description": "The username to use if `config.oauth.grant_type` is set to `password`." + "encrypted": true } }, { "password": { - "encrypted": true, + "description": "The password to use if `config.oauth.grant_type` is set to `password`.", "required": false, "type": "string", "referenceable": true, - "description": "The password to use if `config.oauth.grant_type` is set to `password`." + "encrypted": true } }, { "scopes": { + "description": "List of scopes to request from the IdP when obtaining a new token.", "required": false, - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ "openid" - ], - "description": "List of scopes to request from the IdP when obtaining a new token." + ] } }, { "audience": { + "description": "List of audiences passed to the IdP when obtaining a new token.", "required": false, - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ - ], - "description": "List of audiences passed to the IdP when obtaining a new token." + ] } } ], + "type": "record", "required": true } }, { "cache": { - "type": "record", "fields": [ { "strategy": { + "description": "The method Kong should use to cache tokens issued by the IdP.", + "required": true, "one_of": [ "memory", "redis" ], - "required": true, "type": "string", - "default": "memory", - "description": "The method Kong should use to cache tokens issued by the IdP." 
+ "default": "memory" } }, { "memory": { - "type": "record", "fields": [ { "dictionary_name": { + "description": "The shared dictionary used by the plugin to cache tokens if `config.cache.strategy` is set to `memory`.", "type": "string", "required": true, - "default": "kong_db_cache", - "description": "The shared dictionary used by the plugin to cache tokens if `config.cache.strategy` is set to `memory`." + "default": "kong_db_cache" } } ], + "type": "record", "required": true } }, { "redis": { - "required": true, - "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", "between": [ 0, 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." 
+ "default": 2000 } }, { "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", - "referenceable": true, - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "referenceable": true } }, { "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "type": "string", - "encrypted": true, "referenceable": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + "encrypted": true } }, { "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", "type": "string", - "referenceable": true, - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + "referenceable": true } }, { "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "type": "string", - "encrypted": true, "referenceable": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." 
+ "encrypted": true } }, { "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer", - "default": 0, - "description": "Database to use for the Redis connection when using the `redis` strategy" + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", "type": "string", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + ] } }, { "sentinel_nodes": { - "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, - "type": "array", "elements": { - "type": "record", "fields": [ { "host": { - "type": "string", "description": "A string representing a host name, such as example.com.", - "default": "127.0.0.1", - "required": true + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ "default": 6379 } } - ] + ], + "type": "record" }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "type": "array", + "len_min": 1 } }, { "cluster_nodes": { - "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "required": false, - "type": "array", "elements": { - "type": "record", "fields": [ { "ip": { - "type": "string", "description": "A string representing a host name, such as example.com.", - "default": "127.0.0.1", - "required": true + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "default": 6379 } } - ] + ], + "type": "record" }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "type": "array", + "len_min": 1 } }, { "ssl": { - "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", - "default": false, - "required": false + "required": false, + "type": "boolean", + "default": false } }, { "ssl_verify": { - "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", - "default": false, - "required": false + "required": false, + "type": "boolean", + "default": false } }, { "server_name": { - "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, - "description": "A string representing an SNI (server name indication) value for TLS." + "type": "string" } }, { "cluster_max_redirections": { - "type": "integer", "description": "Maximum retry attempts for redirection.", - "default": 5, - "required": false + "required": false, + "type": "integer", + "default": 5 } }, { "connection_is_proxied": { - "type": "boolean", "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "default": false, - "required": false + "required": false, + "type": "boolean", + "default": false } } ], "entity_checks": [ { "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_nodes" - ], - "set2": [ - "host", - "port" ] } }, { "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_nodes" - ], - "set2": [ - "cluster_nodes" ] } }, { "mutually_exclusive_sets": { - "set1": [ - "cluster_nodes" - ], "set2": [ "host", "port" + ], + "set1": [ + "cluster_nodes" ] } }, @@ -572,10 +568,10 @@ { "conditional": { "if_field": "connection_is_proxied", - "then_field": "host", "if_match": { "eq": true }, + "then_field": "host", "then_match": { "required": true } 
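Review bot: `config.client.ssl_verify` keeps `"default": false` in this hunk, so out of the box the plugin sends `client_id` and `client_secret` (and the username and password for the `password` grant) to the token endpoint without validating the IdP's certificate. The description should state that consequence, for example `"description": "Whether to verify the certificate presented by the IdP when using HTTPS. Defaults to false; enable it so client credentials are only sent to a verified IdP."`. The `redis` cache record in the same hunk has the same shape: `ssl` and `ssl_verify` both default to `false`, so the Redis `password` and the cached tokens are sent without transport protection unless both are enabled. This is worth saying in those two descriptions as well.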
@@ -583,168 +579,203 @@ }, { "custom_entity_check": { + "run_with_missing_fields": true, "field_sources": [ "database", "connection_is_proxied" - ], - "run_with_missing_fields": true + ] } }, { "custom_entity_check": { + "run_with_missing_fields": true, "field_sources": [ "cluster_nodes", "connection_is_proxied" - ], - "run_with_missing_fields": true + ] } }, { "custom_entity_check": { + "run_with_missing_fields": true, "field_sources": [ "sentinel_role", "connection_is_proxied" - ], - "run_with_missing_fields": true + ] } } ], + "type": "record", "shorthand_fields": [ { "timeout": { "type": "integer", - "deprecation": { - "removal_in_version": "4.0", - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" - }, "translate_backwards": [ "connect_timeout" - ] + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, "len_min": 1, + "type": "array", "elements": { "type": "string" - }, - "deprecation": { - "removal_in_version": "4.0", - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" - }, - "type": "array" + } } }, { "cluster_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, "len_min": 1, + "type": "array", "elements": { "type": "string" - }, - "deprecation": { - "removal_in_version": "4.0", - "message": 
"cluster_addresses is deprecated, please use cluster_nodes instead" - }, - "type": "array" + } } } - ] + ], + "required": true } }, { "eagerly_expire": { + "description": "The number of seconds to eagerly expire a cached token. By default, a cached token expires 5 seconds before its lifetime as defined in `expires_in`.", "required": true, "type": "integer", "gt": -1, - "default": 5, - "description": "The number of seconds to eagerly expire a cached token. By default, a cached token expires 5 seconds before its lifetime as defined in `expires_in`." + "default": 5 } }, { "default_ttl": { + "description": "The lifetime of a token without an explicit `expires_in` value.", "type": "number", "gt": 0, - "default": 3600, - "description": "The lifetime of a token without an explicit `expires_in` value." + "default": 3600 } } ], + "type": "record", "required": true } }, { "behavior": { - "type": "record", "fields": [ { "upstream_access_token_header_name": { + "description": "The name of the header used to send the access token (obtained from the IdP) to the upstream service.", "len_min": 0, - "required": true, "type": "string", - "default": "Authorization", - "description": "The name of the header used to send the access token (obtained from the IdP) to the upstream service." + "required": true, + "default": "Authorization" } }, { "idp_error_response_status_code": { + "description": "The response code to return to the consumer if Kong fails to obtain a token from the IdP.", + "required": true, "between": [ 500, 599 ], - "required": true, "type": "integer", - "default": 502, - "description": "The response code to return to the consumer if Kong fails to obtain a token from the IdP." 
+ "default": 502 } }, { "idp_error_response_content_type": { + "description": "The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP.", "len_min": 0, - "required": true, "type": "string", - "default": "application/json; charset=utf-8", - "description": "The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP." + "required": true, + "default": "application/json; charset=utf-8" } }, { "idp_error_response_message": { + "description": "The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", "len_min": 0, - "required": true, "type": "string", - "default": "Failed to authenticate request to upstream", - "description": "The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP." + "required": true, + "default": "Failed to authenticate request to upstream" } }, { "idp_error_response_body_template": { + "description": "The template to use to create the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", "len_min": 0, - "required": true, "type": "string", - "default": "{ \"code\": \"{{status}}\", \"message\": \"{{message}}\" }", - "description": "The template to use to create the body of the response to return to the consumer if Kong fails to obtain a token from the IdP." + "required": true, + "default": "{ \"code\": \"{{status}}\", \"message\": \"{{message}}\" }" } }, { "purge_token_on_upstream_status_codes": { + "description": "An array of status codes which will force an access token to be purged when returned by the upstream. 
An empty array will disable this functionality.", "type": "array", + "default": [ + 401 + ], "elements": { - "type": "integer", "between": [ 100, 599 - ] - }, - "default": [ - 401 - ], - "description": "An array of status codes which will force an access token to be purged when returned by the upstream. An empty array will disable this functionality." + ], + "type": "integer" + } } } ], + "type": "record", "required": true } } ], + "type": "record", "required": true } } diff --git a/schemas/upstream-timeout/3.8.x.json b/schemas/upstream-timeout/3.8.x.json index 3ca81375..279be9a0 100644 --- a/schemas/upstream-timeout/3.8.x.json +++ b/schemas/upstream-timeout/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -38,38 +35,41 @@ "fields": [ { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/vault-auth/3.8.x.json b/schemas/vault-auth/3.8.x.json index 2c71b65c..9fc64449 100644 --- a/schemas/vault-auth/3.8.x.json +++ b/schemas/vault-auth/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,23 +19,22 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -46,67 +43,70 @@ "fields": [ { "access_token_name": { + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", "required": true, "elements": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" }, "type": "string", - "default": "access_token", - "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-]." + "default": "access_token" } }, { "secret_token_name": { + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", "required": true, "elements": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" }, "type": "string", - "default": "secret_token", - "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. 
The key names can only contain [a-z], [A-Z], [0-9], [_], and [-]." + "default": "secret_token" } }, { "vault": { - "required": true, "reference": "vault_auth_vaults", + "type": "foreign", "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", - "type": "foreign" + "required": true } }, { "hide_credentials": { - "default": false, "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "tokens_in_body": { - "default": false, "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. 
Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "run_on_preflight": { - "default": true, "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", - "type": "boolean" + "type": "boolean", + "default": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/websocket-size-limit/3.8.x.json b/schemas/websocket-size-limit/3.8.x.json index ed3c4a63..fab7b3bc 100644 --- a/schemas/websocket-size-limit/3.8.x.json +++ b/schemas/websocket-size-limit/3.8.x.json @@ -1,30 +1,27 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "default": [ "ws", "wss" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ "ws", "wss" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -33,26 +30,26 @@ "fields": [ { "client_max_payload": { - "required": false, + "type": "integer", "between": [ 1, 33554432 ], - "type": "integer" + "required": false } }, { "upstream_max_payload": { - "required": false, + "type": "integer", "between": [ 1, 33554432 ], - "type": "integer" + "required": false } } ], - "required": true, + "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -61,8 +58,11 @@ ] } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/websocket-validator/3.8.x.json b/schemas/websocket-validator/3.8.x.json index f3a1fea5..6fb55087 100644 --- a/schemas/websocket-validator/3.8.x.json 
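Review bot: The `tokens_in_body` description lists `application/www-form-urlencoded`, which is not a registered media type; the form encoding is `application/x-www-form-urlencoded`. A reader copying the documented value into a `Content-Type` header would presumably not get the body parsed. In the same hunk, `access_token_name` and `secret_token_name` are described as "an array of comma-separated parameter names" and carry an `elements` key, yet declare `"type": "string"` with a single string default. Either the description or the type should be corrected so consumers of the schema know which shape is accepted.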
+++ b/schemas/websocket-validator/3.8.x.json @@ -1,30 +1,27 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "default": [ "ws", "wss" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ "ws", "wss" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -33,30 +30,30 @@ "fields": [ { "client": { - "required": false, "fields": [ { "text": { - "required": false, "fields": [ { "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", "required": true, "one_of": [ "draft4" - ], - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", - "type": "string" + ] } }, { "schema": { - "required": true, "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "type": "string" + "type": "string", + "required": true } } ], + "required": false, + "type": "record", "entity_checks": [ { "custom_entity_check": { 
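Review bot: The descriptions under `client` → `text` in the `@@ -33,30 +30,30 @@` hunk appear to be copied from a different field. `type` is described as the validation library for `config.upstream.binary.schema`, and `schema` as validating "upstream-originated binary frames", although by their path these fields configure client text frames. The `type` description should name `config.client.text.schema`, and the `schema` description should read `Schema used to validate client-originated text frames.` followed by the existing sentence with `config.client.text.type`. The same upstream/binary wording is repeated for `client.binary` (`@@ -66,32 +63,32 @@`) and `upstream.text` (`@@ -113,36 +111,35 @@`). Someone configuring frame validation from these descriptions could attach a schema to the wrong direction or frame type and leave the intended traffic unvalidated. The `client` record continues past this hunk.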
@@ -66,32 +63,32 @@ ] } } - ], - "type": "record" + ] } }, { "binary": { - "required": false, "fields": [ { "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", "required": true, "one_of": [ "draft4" - ], - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", - "type": "string" + ] } }, { "schema": { - "required": true, "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "type": "string" + "type": "string", + "required": true } } ], + "required": false, + "type": "record", "entity_checks": [ { "custom_entity_check": { @@ -101,11 +98,12 @@ ] } } - ], - "type": "record" + ] } } ], + "required": false, + "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -113,36 +111,35 @@ "binary" ] } - ], - "type": "record" + ] } }, { "upstream": { - "required": false, "fields": [ { "text": { - "required": false, "fields": [ { "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", "required": true, "one_of": [ "draft4" - ], - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", - "type": "string" + ] } }, { "schema": { - "required": true, "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "type": "string" + "type": "string", + "required": true } } ], + "required": false, + "type": "record", "entity_checks": [ { "custom_entity_check": { 
@@ -152,32 +149,32 @@ ] } } - ], - "type": "record" + ] } }, { "binary": { - "required": false, "fields": [ { "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", "required": true, "one_of": [ "draft4" - ], - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", - "type": "string" + ] } }, { "schema": { - "required": true, "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "type": "string" + "type": "string", + "required": true } } ], + "required": false, + "type": "record", "entity_checks": [ { "custom_entity_check": { @@ -187,11 +184,12 @@ ] } } - ], - "type": "record" + ] } } ], + "required": false, + "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -199,12 +197,11 @@ "binary" ] } - ], - "type": "record" + ] } } ], - "required": true, + "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -213,8 +210,11 @@ ] } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/xml-threat-protection/3.8.x.json b/schemas/xml-threat-protection/3.8.x.json index a6a3d9f6..d9f354ae 100644 --- a/schemas/xml-threat-protection/3.8.x.json +++ b/schemas/xml-threat-protection/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
@@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -38,263 +35,266 @@ "fields": [ { "checked_content_types": { + "description": "A list of Content-Type values with payloads that must be validated.", "required": true, "elements": { "required": true, - "match": "^[^%s]+%/[^ ;]+$", - "type": "string" + "type": "string", + "match": "^[^%s]+%/[^ ;]+$" }, "type": "set", "default": [ "application/xml" - ], - "description": "A list of Content-Type values with payloads that must be validated." + ] } }, { "allowed_content_types": { + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", "required": true, "elements": { "required": true, - "match": "^[^%s]+%/[^ ;]+$", - "type": "string" + "type": "string", + "match": "^[^%s]+%/[^ ;]+$" }, "type": "set", "default": [ - ], - "description": "A list of Content-Type values with payloads that are allowed, but aren't validated." + ] } }, { "allow_dtd": { - "required": true, - "default": false, + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", "type": "boolean", - "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed." + "required": true, + "default": false } }, { "namespace_aware": { - "required": true, - "default": true, + "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", "type": "boolean", - "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such." + "required": true, + "default": true } }, { "max_depth": { - "gt": 0, - "type": "integer", - "default": 50, + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", "required": true, - "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level." 
+ "type": "integer", + "gt": 0, + "default": 50 } }, { "max_children": { - "gt": 0, - "type": "integer", - "default": 100, + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", "required": true, - "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child." + "type": "integer", + "gt": 0, + "default": 100 } }, { "max_attributes": { - "gt": 0, - "type": "integer", - "default": 100, + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", "required": true, - "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes." + "type": "integer", + "gt": 0, + "default": 100 } }, { "max_namespaces": { - "gt": 0, - "type": "integer", - "default": 20, + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", "required": false, - "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware." + "type": "integer", + "gt": 0, + "default": 20 } }, { "document": { - "gt": 0, - "type": "integer", - "default": 10485760, + "description": "Maximum size of the entire document.", "required": true, - "description": "Maximum size of the entire document." 
+ "type": "integer", + "gt": 0, + "default": 10485760 } }, { "buffer": { - "gt": 0, - "type": "integer", - "default": 1048576, + "description": "Maximum size of the unparsed buffer (see below).", "required": true, - "description": "Maximum size of the unparsed buffer (see below)." + "type": "integer", + "gt": 0, + "default": 1048576 } }, { "comment": { - "gt": 0, - "type": "integer", - "default": 1024, + "description": "Maximum size of comments.", "required": true, - "description": "Maximum size of comments." + "type": "integer", + "gt": 0, + "default": 1024 } }, { "localname": { - "gt": 0, - "type": "integer", - "default": 1024, + "description": "Maximum size of the localname. This applies to tags and attributes.", "required": true, - "description": "Maximum size of the localname. This applies to tags and attributes." + "type": "integer", + "gt": 0, + "default": 1024 } }, { "prefix": { - "gt": 0, - "type": "integer", - "default": 1024, + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", "required": false, - "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware." + "type": "integer", + "gt": 0, + "default": 1024 } }, { "namespaceuri": { - "gt": 0, - "type": "integer", - "default": 1024, + "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware.", "required": false, - "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware." + "type": "integer", + "gt": 0, + "default": 1024 } }, { "attribute": { - "gt": 0, - "type": "integer", - "default": 1048576, + "description": "Maximum size of the attribute value.", "required": true, - "description": "Maximum size of the attribute value." 
+ "type": "integer", + "gt": 0, + "default": 1048576 } }, { "text": { - "gt": 0, - "type": "integer", - "default": 1048576, + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", "required": true, - "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined)." + "type": "integer", + "gt": 0, + "default": 1048576 } }, { "pitarget": { - "gt": 0, - "type": "integer", - "default": 1024, + "description": "Maximum size of processing instruction targets.", "required": true, - "description": "Maximum size of processing instruction targets." + "type": "integer", + "gt": 0, + "default": 1024 } }, { "pidata": { - "gt": 0, - "type": "integer", - "default": 1024, + "description": "Maximum size of processing instruction data.", "required": true, - "description": "Maximum size of processing instruction data." + "type": "integer", + "gt": 0, + "default": 1024 } }, { "entityname": { - "gt": 0, - "type": "integer", - "default": 1024, + "description": "Maximum size of entity names in EntityDecl.", "required": true, - "description": "Maximum size of entity names in EntityDecl." + "type": "integer", + "gt": 0, + "default": 1024 } }, { "entity": { - "gt": 0, - "type": "integer", - "default": 1024, + "description": "Maximum size of entity values in EntityDecl.", "required": true, - "description": "Maximum size of entity values in EntityDecl." + "type": "integer", + "gt": 0, + "default": 1024 } }, { "entityproperty": { - "gt": 0, - "type": "integer", - "default": 1024, + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", "required": true, - "description": "Maximum size of systemId, publicId, or notationName in EntityDecl." + "type": "integer", + "gt": 0, + "default": 1024 } }, { "bla_max_amplification": { - "gt": 1, - "type": "number", - "default": 100, + "description": "Sets the maximum allowed amplification. 
This protects against the Billion Laughs Attack.", "required": true, - "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack." + "type": "number", + "gt": 1, + "default": 100 } }, { "bla_threshold": { + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", "required": true, "type": "integer", - "default": 8388608, "gt": 1024, - "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack." + "default": 8388608 } } ], - "required": true, + "type": "record", "entity_checks": [ { "conditional": { - "then_field": "max_namespaces", + "if_field": "namespace_aware", "if_match": { "eq": true }, + "then_field": "max_namespaces", "then_match": { "required": true - }, - "if_field": "namespace_aware" + } } }, { "conditional": { - "then_field": "prefix", + "if_field": "namespace_aware", "if_match": { "eq": true }, + "then_field": "prefix", "then_match": { "required": true - }, - "if_field": "namespace_aware" + } } }, { "conditional": { - "then_field": "namespaceuri", + "if_field": "namespace_aware", "if_match": { "eq": true }, + "then_field": "namespaceuri", "then_match": { "required": true - }, - "if_field": "namespace_aware" + } } } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/zipkin/3.8.x.json b/schemas/zipkin/3.8.x.json index bac2c9b7..cd177c4e 100644 --- a/schemas/zipkin/3.8.x.json +++ b/schemas/zipkin/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -45,65 +42,59 @@ "fields": [ { "local_service_name": { + "description": "The name of the service as displayed in Zipkin.", "required": true, - "default": "kong", "type": "string", - "description": "The name of the service as displayed in Zipkin." + "default": "kong" } }, { "http_endpoint": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "sample_ratio": { + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", + "type": "number", "between": [ 0, 1 ], - "default": 0.001, - "type": "number", - "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. " + "default": 0.001 } }, { "default_service_name": { - "type": "string", - "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans." + "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans.", + "type": "string" } }, { "include_credential": { + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", "required": true, - "default": true, "type": "boolean", - "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server." + "default": true } }, { "traceid_byte_count": { + "description": "The length in bytes of each request's Trace ID.", "required": true, - "type": "integer", - "default": 16, "one_of": [ 8, 16 ], - "description": "The length in bytes of each request's Trace ID." 
+ "type": "integer", + "default": 16 } }, { "header_type": { + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", "required": true, - "type": "string", - "deprecation": { - "message": "zipkin: config.header_type is deprecated, please use config.propagation options instead", - "removal_in_version": "4.0", - "old_default": "preserve" - }, - "default": "preserve", "one_of": [ "preserve", "ignore", @@ -116,19 +107,19 @@ "datadog", "gcp" ], - "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests" + "type": "string", + "default": "preserve", + "deprecation": { + "old_default": "preserve", + "message": "zipkin: config.header_type is deprecated, please use config.propagation options instead", + "removal_in_version": "4.0" + } } }, { "default_header_type": { + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", "required": true, - "type": "string", - "deprecation": { - "message": "zipkin: config.default_header_type is deprecated, please use config.propagation.default_format instead", - "removal_in_version": "4.0", - "old_default": "b3" - }, - "default": "b3", "one_of": [ "b3", "b3-single", 
@@ -139,25 +130,31 @@ "datadog", "gcp" ], - "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored." + "type": "string", + "default": "b3", + "deprecation": { + "old_default": "b3", + "message": "zipkin: config.default_header_type is deprecated, please use config.propagation.default_format instead", + "removal_in_version": "4.0" + } } }, { "tags_header": { + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", "required": true, - "default": "Zipkin-Tags", "type": "string", - "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property." + "default": "Zipkin-Tags" } }, { "static_tags": { "description": "The tags specified on this property will be added to the generated request traces.", + "type": "array", "elements": { "fields": [ { "name": { - "required": true, "not_one_of": [ "error", "http.method", 
@@ -173,64 +170,64 @@ "lc", "peer.hostname" ], + "required": true, "type": "string" } }, { "value": { - "required": true, - "type": "string" + "type": "string", + "required": true } } ], "type": "record" - }, - "type": "array" + } } }, { "http_span_name": { + "description": "Specify whether to include the HTTP path in the span name.", "required": true, - "type": "string", - "default": "method", "one_of": [ "method", "method_path" ], - "description": "Specify whether to include the HTTP path in the span name." + "type": "string", + "default": "method" } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 5000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 5000 } }, { @@ -240,14 +237,14 @@ }, { "phase_duration_flavor": { + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", "required": true, - "type": "string", - "default": "annotations", "one_of": [ "annotations", "tags" ], - "description": "Specify whether to include the duration of each phase as an annotation or a tag." + "type": "string", + "default": "annotations" } }, { 
@@ -255,86 +252,86 @@ "fields": [ { "max_batch_size": { + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time." + "default": 1 } }, { "max_coalescing_delay": { + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", "between": [ 0, 3600 ], - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + "default": 1 } }, { "max_entries": { + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue." + "default": 10000 } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { - "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "default": 60 } }, { "initial_retry_delay": { + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch." 
+ "default": 0.01 } }, { "max_retry_delay": { + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff." + "default": 60 } }, { "concurrency_limit": { + "description": "The number of of queue delivery timers. -1 indicates unlimited.", "type": "integer", "default": 1, "one_of": [ -1, 1 - ], - "description": "The number of of queue delivery timers. -1 indicates unlimited." + ] } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
@@ -342,80 +339,83 @@ "fields": [ { "extract": { + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", "type": "array", "elements": { "type": "string", "one_of": [ + "gcp", + "jaeger", "aws", "ot", "w3c", "datadog", - "b3", - "gcp", - "jaeger" + "b3" ] - }, - "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID." + } } }, { "clear": { + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", "type": "array", "elements": { "type": "string" - }, - "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared." + } } }, { "inject": { + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. 
If left empty, Kong will not inject any tracing context information in outgoing requests.", "type": "array", "elements": { "type": "string", "one_of": [ "preserve", + "gcp", + "b3-single", + "jaeger", "aws", "ot", "w3c", "datadog", - "b3", - "gcp", - "b3-single", - "jaeger" + "b3" ] - }, - "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests." + } } }, { "default_format": { + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "type": "string", "required": true, "one_of": [ + "gcp", + "b3-single", + "jaeger", "aws", "ot", "w3c", "datadog", - "b3", - "gcp", - "b3-single", - "jaeger" - ], - "type": "string", - "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`." + "b3" + ] } } ], + "type": "record", + "required": true, "default": { "default_format": "b3" - }, - "required": true, - "type": "record" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file From ce736ab478ce7be6f532a3b795cc3fb1f2c26c6c Mon Sep 17 00:00:00 2001 
From: Diana <75819066+cloudjumpercat@users.noreply.github.com> Date: Tue, 3 Sep 2024 15:33:23 -0500 Subject: [PATCH 079/165] Apply suggestions from code review Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com>
---
 examples/ai-semantic-cache/_3.8.x.yaml | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/examples/ai-semantic-cache/_3.8.x.yaml b/examples/ai-semantic-cache/_3.8.x.yaml
index faa8bec5..e273c72f 100644
--- a/examples/ai-semantic-cache/_3.8.x.yaml
+++ b/examples/ai-semantic-cache/_3.8.x.yaml
@@ -10,3 +10,5 @@ config:
 threshold: 0.1
 distance_metric: cosine
 redis:
+ host: exampleredis.com
+ port: 80
From 0e370387e44d7a5570925f532a2f2ce77301b79c Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Tue, 3 Sep 2024 13:36:01 -0700 Subject: [PATCH 080/165] generate 3.8 plugin priorities (#63)
---
 data/priorities/ee/3.8.x.json | 19 ++++++++++++++----- data/priorities/oss/3.8.x.json | 1 + 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/data/priorities/ee/3.8.x.json b/data/priorities/ee/3.8.x.json
index 8c1de9a7..b51f6e2a 100644
--- a/data/priorities/ee/3.8.x.json
+++ b/data/priorities/ee/3.8.x.json
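Review bot: In `examples/ai-semantic-cache/_3.8.x.yaml`, the added `host: exampleredis.com` is a registrable domain rather than a name reserved for documentation, so anyone who pastes the example unchanged would point the plugin's Redis connection at a host outside their control. A reserved name such as `host: redis.example.com` (RFC 2606) avoids that. The added `port: 80` also looks unintended for a Redis endpoint, whose conventional port is 6379; if 80 is deliberate a short comment saying so would help, otherwise use `port: 6379`. The hunk shows no authentication or TLS keys under `redis:`, and whether the example should carry them cannot be judged from these lines alone.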
@@ -24,24 +24,26 @@ "hmac-auth": 1030, "jwt-signer": 1020, "saml": 1010, + "header-cert-auth": 1009, + "json-threat-protection": 1009, + "xml-threat-protection": 1008, + "websocket-validator": 1006, + "websocket-size-limit": 1003, "request-validator": 999, - "websocket-size-limit": 999, - "websocket-validator": 999, - "xml-threat-protection": 999, "grpc-gateway": 998, "tls-handshake-modifier": 997, "tls-metadata-headers": 996, - "application-registration": 995, "ip-restriction": 990, "request-size-limiting": 951, "acl": 950, "opa": 920, "rate-limiting": 910, "rate-limiting-advanced": 910, + "ai-rate-limiting-advanced": 905, "graphql-rate-limiting-advanced": 902, "response-ratelimiting": 900, - "oas-validation": 850, "route-by-header": 850, + "oas-validation": 840, "jq": 811, "request-transformer-advanced": 802, "request-transformer": 801, @@ -49,11 +51,18 @@ "response-transformer-advanced": 800, "route-transformer-advanced": 780, "ai-request-transformer": 777, + "ai-semantic-prompt-guard": 775, + "ai-azure-content-safety": 774, "ai-prompt-template": 773, "ai-prompt-decorator": 772, "ai-prompt-guard": 771, "ai-proxy": 770, + "ai-proxy-advanced": 770, "ai-response-transformer": 769, + "ai-semantic-cache": 765, + "standard-webhooks": 760, + "upstream-oauth": 760, + "confluent": 752, "kafka-upstream": 751, "aws-lambda": 750, "azure-functions": 749, diff --git a/data/priorities/oss/3.8.x.json b/data/priorities/oss/3.8.x.json index f1d4cd82..039222ef 100644 --- a/data/priorities/oss/3.8.x.json +++ b/data/priorities/oss/3.8.x.json @@ -25,6 +25,7 @@ "ai-prompt-guard": 771, "ai-proxy": 770, "ai-response-transformer": 769, + "standard-webhooks": 760, "aws-lambda": 750, "azure-functions": 749, "proxy-cache": 100, From 116b598b27c92ba5ce564543021994ea8d5bdbf1 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 29 Aug 2024 18:17:39 +0000 Subject: [PATCH 081/165] Update dependency thor to v1.3.2 --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 3caf6622..99f2db97 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,7 +1,7 @@ GEM remote: https://rubygems.org/ specs: - thor (1.3.1) + thor (1.3.2) PLATFORMS arm64-darwin-23 From 33205bc9a5e12e6dd9573d0d840bcc4ceb250437 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 3 Sep 2024 10:25:05 +0000 Subject: [PATCH 082/165] Update dependency ruby to v3.3.5 --- .ruby-version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.ruby-version b/.ruby-version index a0891f56..fa7adc7a 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -3.3.4 +3.3.5 From b31e4b0656a577b51b892afdf578296bc6aa8c0c Mon Sep 17 00:00:00 2001 
From: kong-docs <116832528+kong-docs@users.noreply.github.com> Date: Tue, 10 Sep 2024 21:10:58 +0200 Subject: [PATCH 083/165] Copy latest schemas to 3.9.x (#64) Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- schemas/acl/3.9.x.json | 105 + schemas/acme/3.9.x.json | 637 +++ schemas/ai-azure-content-safety/3.9.x.json | 176 + schemas/ai-prompt-decorator/3.9.x.json | 126 + schemas/ai-prompt-guard/3.9.x.json | 104 + schemas/ai-prompt-template/3.9.x.json | 88 + schemas/ai-proxy-advanced/3.9.x.json | 1349 ++++++ schemas/ai-proxy/3.9.x.json | 585 +++ schemas/ai-rate-limiting-advanced/3.9.x.json | 628 +++ schemas/ai-request-transformer/3.9.x.json | 669 +++ schemas/ai-response-transformer/3.9.x.json | 669 +++ schemas/ai-semantic-cache/3.9.x.json | 732 ++++ schemas/ai-semantic-prompt-guard/3.9.x.json | 746 ++++ schemas/app-dynamics/3.9.x.json | 46 + schemas/application-registration/3.9.x.json | 108 + schemas/aws-lambda/3.9.x.json | 273 ++ schemas/azure-functions/3.9.x.json | 125 + schemas/basic-auth/3.9.x.json | 78 + schemas/bot-detection/3.9.x.json | 79 + schemas/canary/3.9.x.json | 190 + schemas/confluent/3.9.x.json | 253 ++ schemas/correlation-id/3.9.x.json | 73 + schemas/cors/3.9.x.json | 143 + schemas/datadog-tracing/3.9.x.json | 103 + schemas/datadog/3.9.x.json | 361 ++ schemas/degraphql/3.9.x.json | 68 + schemas/exit-transformer/3.9.x.json | 68 + schemas/file-log/3.9.x.json | 83 + schemas/forward-proxy/3.9.x.json | 171 + .../graphql-proxy-cache-advanced/3.9.x.json | 500 +++ .../graphql-rate-limiting-advanced/3.9.x.json | 567 +++ schemas/grpc-gateway/3.9.x.json | 59 + schemas/grpc-web/3.9.x.json | 74 + schemas/header-cert-auth/3.9.x.json | 229 + schemas/hmac-auth/3.9.x.json | 132 + schemas/http-log/3.9.x.json | 260 ++ schemas/ip-restriction/3.9.x.json | 85 + schemas/jq/3.9.x.json | 197 + schemas/json-threat-protection/3.9.x.json | 164 + schemas/jwe-decrypt/3.9.x.json | 86 + schemas/jwt-signer/3.9.x.json | 997 +++++ 
schemas/jwt/3.9.x.json | 160 + schemas/kafka-log/3.9.x.json | 280 ++ schemas/kafka-upstream/3.9.x.json | 302 ++ schemas/key-auth-enc/3.9.x.json | 118 + schemas/key-auth/3.9.x.json | 123 + schemas/konnect-application-auth/3.9.x.json | 3333 +++++++++++++++ schemas/ldap-auth-advanced/3.9.x.json | 243 ++ schemas/ldap-auth/3.9.x.json | 178 + schemas/loggly/3.9.x.json | 173 + schemas/mocking/3.9.x.json | 131 + schemas/mtls-auth/3.9.x.json | 210 + schemas/oas-validation/3.9.x.json | 170 + schemas/oauth2-introspection/3.9.x.json | 167 + schemas/oauth2/3.9.x.json | 221 + schemas/opa/3.9.x.json | 147 + schemas/openid-connect/3.9.x.json | 3676 +++++++++++++++++ schemas/opentelemetry/3.9.x.json | 367 ++ schemas/post-function/3.9.x.json | 228 + schemas/pre-function/3.9.x.json | 228 + schemas/prometheus/3.9.x.json | 94 + schemas/proxy-cache-advanced/3.9.x.json | 610 +++ schemas/proxy-cache/3.9.x.json | 205 + schemas/rate-limiting-advanced/3.9.x.json | 600 +++ schemas/rate-limiting/3.9.x.json | 510 +++ schemas/request-size-limiting/3.9.x.json | 73 + schemas/request-termination/3.9.x.json | 81 + .../request-transformer-advanced/3.9.x.json | 337 ++ schemas/request-transformer/3.9.x.json | 280 ++ schemas/request-validator/3.9.x.json | 189 + schemas/response-ratelimiting/3.9.x.json | 475 +++ .../response-transformer-advanced/3.9.x.json | 350 ++ schemas/response-transformer/3.9.x.json | 259 ++ schemas/route-by-header/3.9.x.json | 78 + schemas/route-transformer-advanced/3.9.x.json | 75 + schemas/saml/3.9.x.json | 1326 ++++++ schemas/session/3.9.x.json | 302 ++ schemas/standard-webhooks/3.9.x.json | 63 + schemas/statsd-advanced/3.9.x.json | 459 ++ schemas/statsd/3.9.x.json | 454 ++ schemas/syslog/3.9.x.json | 164 + schemas/tcp-log/3.9.x.json | 112 + schemas/tls-handshake-modifier/3.9.x.json | 60 + schemas/tls-metadata-headers/3.9.x.json | 96 + schemas/udp-log/3.9.x.json | 91 + schemas/upstream-oauth/3.9.x.json | 799 ++++ schemas/upstream-timeout/3.9.x.json | 75 + 
schemas/vault-auth/3.9.x.json | 112 + schemas/websocket-size-limit/3.9.x.json | 68 + schemas/websocket-validator/3.9.x.json | 220 + schemas/xml-threat-protection/3.9.x.json | 300 ++ schemas/zipkin/3.9.x.json | 421 ++ 92 files changed, 31979 insertions(+) create mode 100644 schemas/acl/3.9.x.json create mode 100644 schemas/acme/3.9.x.json create mode 100644 schemas/ai-azure-content-safety/3.9.x.json create mode 100644 schemas/ai-prompt-decorator/3.9.x.json create mode 100644 schemas/ai-prompt-guard/3.9.x.json create mode 100644 schemas/ai-prompt-template/3.9.x.json create mode 100644 schemas/ai-proxy-advanced/3.9.x.json create mode 100644 schemas/ai-proxy/3.9.x.json create mode 100644 schemas/ai-rate-limiting-advanced/3.9.x.json create mode 100644 schemas/ai-request-transformer/3.9.x.json create mode 100644 schemas/ai-response-transformer/3.9.x.json create mode 100644 schemas/ai-semantic-cache/3.9.x.json create mode 100644 schemas/ai-semantic-prompt-guard/3.9.x.json create mode 100644 schemas/app-dynamics/3.9.x.json create mode 100644 schemas/application-registration/3.9.x.json create mode 100644 schemas/aws-lambda/3.9.x.json create mode 100644 schemas/azure-functions/3.9.x.json create mode 100644 schemas/basic-auth/3.9.x.json create mode 100644 schemas/bot-detection/3.9.x.json create mode 100644 schemas/canary/3.9.x.json create mode 100644 schemas/confluent/3.9.x.json create mode 100644 schemas/correlation-id/3.9.x.json create mode 100644 schemas/cors/3.9.x.json create mode 100644 schemas/datadog-tracing/3.9.x.json create mode 100644 schemas/datadog/3.9.x.json create mode 100644 schemas/degraphql/3.9.x.json create mode 100644 schemas/exit-transformer/3.9.x.json create mode 100644 schemas/file-log/3.9.x.json create mode 100644 schemas/forward-proxy/3.9.x.json create mode 100644 schemas/graphql-proxy-cache-advanced/3.9.x.json create mode 100644 schemas/graphql-rate-limiting-advanced/3.9.x.json create mode 100644 schemas/grpc-gateway/3.9.x.json create mode 100644 
schemas/grpc-web/3.9.x.json create mode 100644 schemas/header-cert-auth/3.9.x.json create mode 100644 schemas/hmac-auth/3.9.x.json create mode 100644 schemas/http-log/3.9.x.json create mode 100644 schemas/ip-restriction/3.9.x.json create mode 100644 schemas/jq/3.9.x.json create mode 100644 schemas/json-threat-protection/3.9.x.json create mode 100644 schemas/jwe-decrypt/3.9.x.json create mode 100644 schemas/jwt-signer/3.9.x.json create mode 100644 schemas/jwt/3.9.x.json create mode 100644 schemas/kafka-log/3.9.x.json create mode 100644 schemas/kafka-upstream/3.9.x.json create mode 100644 schemas/key-auth-enc/3.9.x.json create mode 100644 schemas/key-auth/3.9.x.json create mode 100644 schemas/konnect-application-auth/3.9.x.json create mode 100644 schemas/ldap-auth-advanced/3.9.x.json create mode 100644 schemas/ldap-auth/3.9.x.json create mode 100644 schemas/loggly/3.9.x.json create mode 100644 schemas/mocking/3.9.x.json create mode 100644 schemas/mtls-auth/3.9.x.json create mode 100644 schemas/oas-validation/3.9.x.json create mode 100644 schemas/oauth2-introspection/3.9.x.json create mode 100644 schemas/oauth2/3.9.x.json create mode 100644 schemas/opa/3.9.x.json create mode 100644 schemas/openid-connect/3.9.x.json create mode 100644 schemas/opentelemetry/3.9.x.json create mode 100644 schemas/post-function/3.9.x.json create mode 100644 schemas/pre-function/3.9.x.json create mode 100644 schemas/prometheus/3.9.x.json create mode 100644 schemas/proxy-cache-advanced/3.9.x.json create mode 100644 schemas/proxy-cache/3.9.x.json create mode 100644 schemas/rate-limiting-advanced/3.9.x.json create mode 100644 schemas/rate-limiting/3.9.x.json create mode 100644 schemas/request-size-limiting/3.9.x.json create mode 100644 schemas/request-termination/3.9.x.json create mode 100644 schemas/request-transformer-advanced/3.9.x.json create mode 100644 schemas/request-transformer/3.9.x.json create mode 100644 schemas/request-validator/3.9.x.json create mode 100644 
schemas/response-ratelimiting/3.9.x.json create mode 100644 schemas/response-transformer-advanced/3.9.x.json create mode 100644 schemas/response-transformer/3.9.x.json create mode 100644 schemas/route-by-header/3.9.x.json create mode 100644 schemas/route-transformer-advanced/3.9.x.json create mode 100644 schemas/saml/3.9.x.json create mode 100644 schemas/session/3.9.x.json create mode 100644 schemas/standard-webhooks/3.9.x.json create mode 100644 schemas/statsd-advanced/3.9.x.json create mode 100644 schemas/statsd/3.9.x.json create mode 100644 schemas/syslog/3.9.x.json create mode 100644 schemas/tcp-log/3.9.x.json create mode 100644 schemas/tls-handshake-modifier/3.9.x.json create mode 100644 schemas/tls-metadata-headers/3.9.x.json create mode 100644 schemas/udp-log/3.9.x.json create mode 100644 schemas/upstream-oauth/3.9.x.json create mode 100644 schemas/upstream-timeout/3.9.x.json create mode 100644 schemas/vault-auth/3.9.x.json create mode 100644 schemas/websocket-size-limit/3.9.x.json create mode 100644 schemas/websocket-validator/3.9.x.json create mode 100644 schemas/xml-threat-protection/3.9.x.json create mode 100644 schemas/zipkin/3.9.x.json diff --git a/schemas/acl/3.9.x.json b/schemas/acl/3.9.x.json new file mode 100644 index 00000000..8ed6b9be --- /dev/null +++ b/schemas/acl/3.9.x.json 
@@ -0,0 +1,105 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "allow": { + "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "deny": { + "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "hide_groups_header": { + "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "include_consumer_groups": { + "required": false, + "type": "boolean", + "default": false + } + }, + { + "always_use_authenticated_groups": { + "description": "If enabled (`true`), the authenticated groups will always be used even when an authenticated consumer already exists. If the authenticated groups don't exist, it will fallback to use the groups associated with the consumer. 
By default the authenticated groups will only be used when there is no consumer or the consumer is anonymous.", + "type": "boolean", + "required": true, + "default": false + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "only_one_of": [ + "config.allow", + "config.deny" + ] + }, + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/acme/3.9.x.json b/schemas/acme/3.9.x.json new file mode 100644 index 00000000..23cd4280 --- /dev/null +++ b/schemas/acme/3.9.x.json 
@@ -0,0 +1,637 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "service": { + "reference": "services", + "eq": null, + "type": "foreign", + "description": "A reference to the 'services' table with a null value allowed." + } + }, + { + "route": { + "reference": "routes", + "eq": null, + "type": "foreign", + "description": "A reference to the 'routes' table with a null value allowed." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "account_email": { + "description": "The account identifier. 
Can be reused in a different plugin instance.", + "required": true, + "match": "%w*%p*@+%w*%.?%w*", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "account_key": { + "description": "The private key associated with the account.", + "type": "record", + "required": false, + "fields": [ + { + "key_id": { + "description": "The Key ID.", + "type": "string", + "required": true + } + }, + { + "key_set": { + "description": "The ID of the key set to associate the Key ID with.", + "type": "string" + } + } + ] + } + }, + { + "api_uri": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string", + "default": "https://acme-v02.api.letsencrypt.org/directory" + } + }, + { + "tos_accepted": { + "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", + "type": "boolean", + "default": false + } + }, + { + "eab_kid": { + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "eab_hmac_key": { + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "cert_type": { + "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate.", + "type": "string", + "default": "rsa", + "one_of": [ + "rsa", + "ecc" + ] + } + }, + { + "rsa_key_size": { + "description": "RSA private key size for the certificate. 
The possible values are 2048, 3072, or 4096.", + "type": "number", + "default": 4096, + "one_of": [ + 2048, + 3072, + 4096 + ] + } + }, + { + "renew_threshold_days": { + "description": "Days remaining to renew the certificate before it expires.", + "type": "number", + "default": 14 + } + }, + { + "domains": { + "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", + "type": "array", + "elements": { + "type": "string", + "match_all": [ + { + "pattern": "^[^*]*%*?[^*]*$", + "err": "invalid wildcard: must have at most one wildcard" + } + ], + "match_any": { + "patterns": [ + "^%*%.", + "%.%*$", + "^[^*]*$" + ], + "err": "invalid wildcard: must be placed at leftmost or rightmost label" + } + } + } + }, + { + "allow_any_domain": { + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", + "type": "boolean", + "default": false + } + }, + { + "fail_backoff_minutes": { + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", + "type": "number", + "default": 5 + } + }, + { + "storage": { + "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. 
Please refer to the Hybrid Mode sections below as well.", + "type": "string", + "default": "shm", + "one_of": [ + "kong", + "shm", + "redis", + "consul", + "vault" + ] + } + }, + { + "storage_config": { + "fields": [ + { + "shm": { + "fields": [ + { + "shm_name": { + "description": "Name of shared memory zone used for Kong API gateway storage", + "type": "string", + "default": "kong" + } + } + ], + "type": "record", + "required": true + } + }, + { + "kong": { + "fields": [ + + ], + "type": "record", + "required": true + } + }, + { + "redis": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + }, + { + "timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "len_min": 0, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer", + "default": 0 + } + }, + { + "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "extra_options": { + "description": "Custom ACME Redis options", + "type": "record", + "fields": [ + { + "namespace": { + "description": "A namespace to prepend to all keys stored in Redis.", + "required": true, + "type": "string", + "len_min": 0, + "default": "" + } + }, + { + "scan_count": { + "description": "The number of keys to return in Redis SCAN calls.", + "type": "number", + "required": false, + "default": 10 + } + } + ], + "required": true + } + } + ], + "type": "record", + "shorthand_fields": [ + { + "auth": { + "len_min": 0, + "type": "string", + "translate_backwards": [ + "password" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "password" + ] + } + ], + "message": "acme: config.storage_config.redis.auth is deprecated, please use config.storage_config.redis.password instead", + "removal_in_version": "4.0" + } + } + }, + { + "ssl_server_name": { + "type": "string", + "translate_backwards": [ + "server_name" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "server_name" + ] + } + ], + "message": "acme: config.storage_config.redis.ssl_server_name is deprecated, please use config.storage_config.redis.server_name instead", + "removal_in_version": "4.0" + } + } + }, + { + "namespace": { + "len_min": 0, + "type": "string", + "translate_backwards": [ + "extra_options", + "namespace" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "extra_options", + "namespace" + ] + } + ], + "message": "acme: config.storage_config.redis.namespace is deprecated, please use 
config.storage_config.redis.extra_options.namespace instead", + "removal_in_version": "4.0" + } + } + }, + { + "scan_count": { + "type": "integer", + "translate_backwards": [ + "extra_options", + "scan_count" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "extra_options", + "scan_count" + ] + } + ], + "message": "acme: config.storage_config.redis.scan_count is deprecated, please use config.storage_config.redis.extra_options.scan_count instead", + "removal_in_version": "4.0" + } + } + } + ], + "required": true + } + }, + { + "consul": { + "fields": [ + { + "https": { + "description": "Boolean representation of https.", + "type": "boolean", + "default": false + } + }, + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "kv_path": { + "description": "KV prefix path.", + "type": "string" + } + }, + { + "timeout": { + "description": "Timeout in milliseconds.", + "type": "number" + } + }, + { + "token": { + "description": "Consul ACL token.", + "type": "string", + "referenceable": true + } + } + ], + "type": "record", + "required": true + } + }, + { + "vault": { + "fields": [ + { + "https": { + "description": "Boolean representation of https.", + "type": "boolean", + "default": false + } + }, + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "kv_path": { + "description": "KV prefix path.", + "type": "string" + } + }, + { + "timeout": { + "description": "Timeout in milliseconds.", + "type": "number" + } + }, + { + "token": { + "description": "Consul ACL token.", + "type": 
"string", + "referenceable": true + } + }, + { + "tls_verify": { + "description": "Turn on TLS verification.", + "type": "boolean", + "default": true + } + }, + { + "tls_server_name": { + "description": "SNI used in request, default to host if omitted.", + "type": "string" + } + }, + { + "auth_method": { + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", + "type": "string", + "default": "token", + "one_of": [ + "token", + "kubernetes" + ] + } + }, + { + "auth_path": { + "description": "Vault's authentication path to use.", + "type": "string" + } + }, + { + "auth_role": { + "description": "The role to try and assign.", + "type": "string" + } + }, + { + "jwt_path": { + "description": "The path to the JWT.", + "type": "string" + } + } + ], + "type": "record", + "required": true + } + } + ], + "type": "record", + "required": true + } + }, + { + "preferred_chain": { + "description": "A string value that specifies the preferred certificate chain to use when generating certificates.", + "type": "string" + } + }, + { + "enable_ipv4_common_name": { + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", + "type": "boolean", + "default": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "config.tos_accepted", + "if_field": "config.api_uri", + "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", + "if_match": { + "one_of": [ + "https://acme-v02.api.letsencrypt.org", + "https://acme-staging-v02.api.letsencrypt.org" + ] + }, + "then_match": { + "eq": true + } + } + }, + { + "conditional": { + "if_field": "config.storage", + "if_match": { + "eq": "redis" + }, + "then_field": "config.storage_config.redis.host", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.storage", + "if_match": { + "eq": "redis" + }, + 
"then_field": "config.storage_config.redis.port", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.storage" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-azure-content-safety/3.9.x.json b/schemas/ai-azure-content-safety/3.9.x.json new file mode 100644 index 00000000..8b87214a --- /dev/null +++ b/schemas/ai-azure-content-safety/3.9.x.json 
@@ -0,0 +1,176 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "content_safety_url": { + "description": "Full URL, inc protocol, of the Azure Content Safety instance.", + "required": true, + "type": "string", + "referenceable": true + } + }, + { + "azure_api_version": { + "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format.", + "required": true, + "type": "string", + "len_min": 1, + "default": "2023-10-01" + } + }, + { + "azure_use_managed_identity": { + "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity", + "type": "boolean", + "default": false + } + }, + { + "azure_client_id": { + "description": "If `azure_use_managed_identity` is true, set the client ID if required.", + "type": "string", + "required": false + } + }, + { + "azure_client_secret": { + "description": "If `azure_use_managed_identity` is true, set the client secret if required.", + "type": "string", + "required": false + } + }, + { + "azure_tenant_id": { + "description": "If `azure_use_managed_identity` is true, set the tenant ID if required.", + "type": "string", + "required": false + } + }, + { + "content_safety_key": { + "description": "If 
`azure_use_managed_identity` is true, set the API key to call Content Safety.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "text_source": { + "description": "Select where to pick the 'text' for the Azure Content Services request.", + "type": "string", + "default": "concatenate_all_content", + "one_of": [ + "concatenate_all_content", + "concatenate_user_content" + ] + } + }, + { + "categories": { + "description": "Array of categories, and their thresholds, to measure on.", + "type": "array", + "elements": { + "fields": [ + { + "name": { + "type": "string", + "required": true + } + }, + { + "rejection_level": { + "type": "integer", + "required": true + } + } + ], + "required": true, + "type": "record" + } + } + }, + { + "reveal_failure_reason": { + "description": "Set true to tell the caller why their request was rejected, if so.", + "type": "boolean", + "default": true + } + }, + { + "output_type": { + "description": "See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter#content-filtering-categories", + "type": "string", + "default": "FourSeverityLevels", + "one_of": [ + "FourSeverityLevels", + "EightSeverityLevels" + ] + } + }, + { + "blocklist_names": { + "description": "Use these configured blocklists (in Azure Content Services) when inspecting content.", + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "halt_on_blocklist_hit": { + "description": "Tells Azure to reject the request if any blocklist filter is hit.", + "type": "boolean", + "default": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/ai-prompt-decorator/3.9.x.json b/schemas/ai-prompt-decorator/3.9.x.json new file mode 100644 index 00000000..5465e8bc --- /dev/null +++ b/schemas/ai-prompt-decorator/3.9.x.json 
@@ -0,0 +1,126 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "prompts": { + "fields": [ + { + "prepend": { + "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages.", + "required": false, + "len_max": 15, + "elements": { + "fields": [ + { + "role": { + "default": "system", + "type": "string", + "required": true, + "one_of": [ + "system", + "assistant", + "user" + ] + } + }, + { + "content": { + "len_min": 1, + "type": "string", + "len_max": 500, + "required": true + } + } + ], + "required": false, + "type": "record" + }, + "type": "array" + } + }, + { + "append": { + "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages.", + "required": false, + "len_max": 15, + "elements": { + "fields": [ + { + "role": { + "default": "system", + "type": "string", + "required": true, + "one_of": [ + "system", + "assistant", + "user" + ] + } + }, + { + "content": { + "len_min": 1, + "type": "string", + "len_max": 500, + "required": true + } + } + ], + "required": false, + "type": "record" + }, + "type": "array" + } + } + ], + "required": false, + "type": "record" + } + }, + { + "max_request_body_size": { + "description": "max allowed body size allowed to be introspected", + "type": "integer", + "gt": 0, + "default": 8192 + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.prompts.prepend", + "config.prompts.append" + ] + } + ] +} \ No newline at end of file 
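Review bot: The description of `max_request_body_size`, "max allowed body size allowed to be introspected", gives neither the unit (presumably bytes, given the default of 8192) nor what happens to a request whose body exceeds the limit. That matters most for the guard-type plugins: if an oversized body is forwarded uninspected rather than rejected, the limit decides whether the check runs at all, and the schema does not say which happens. I would reword it along the lines of `Maximum request body size, in bytes, that the plugin will inspect. Larger requests are <rejected | forwarded uninspected: confirm>.` The same text appears in the ai-prompt-guard, ai-prompt-template and ai-proxy-advanced schemas in this patch.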
diff --git a/schemas/ai-prompt-guard/3.9.x.json b/schemas/ai-prompt-guard/3.9.x.json new file mode 100644 index 00000000..83d1ea42 --- /dev/null +++ b/schemas/ai-prompt-guard/3.9.x.json 
@@ -0,0 +1,104 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "allow_patterns": { + "description": "Array of valid regex patterns, or valid questions from the 'user' role in chat.", + "required": false, + "len_max": 10, + "elements": { + "len_min": 1, + "len_max": 500, + "type": "string" + }, + "type": "array" + } + }, + { + "deny_patterns": { + "description": "Array of invalid regex patterns, or invalid questions from the 'user' role in chat.", + "required": false, + "len_max": 10, + "elements": { + "len_min": 1, + "len_max": 500, + "type": "string" + }, + "type": "array" + } + }, + { + "allow_all_conversation_history": { + "description": "If true, will ignore all previous chat prompts from the conversation history.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "max_request_body_size": { + "description": "max allowed body size allowed to be introspected", + "type": "integer", + "gt": 0, + "default": 8192 + } + }, + { + "match_all_roles": { + "description": "If true, will match all roles in addition to 'user' role in conversation history.", + "type": "boolean", + "required": true, + "default": false + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow_patterns", + "config.deny_patterns" + ] + }, + { + "conditional": { + "if_field": "config.match_all_roles", + "if_match": { + "eq": true + }, + "then_field": "config.allow_all_conversation_history", + "then_match": { + "eq": false + } + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-prompt-template/3.9.x.json b/schemas/ai-prompt-template/3.9.x.json new file mode 100644 index 00000000..6c8f6ed5 
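Review bot: The description of `allow_all_conversation_history` ("will ignore all previous chat prompts from the conversation history") does not spell out the consequence. With the flag on, earlier messages appear not to be matched against `allow_patterns` or `deny_patterns`, so only the latest prompt is checked. I would state that directly, for example `If true, only the latest prompt is checked; earlier messages in the conversation history are not matched against the patterns.` The schema also leaves open which list wins when a prompt matches both an allow and a deny pattern, and which regex dialect the 500-character patterns are evaluated in. Both deserve a sentence in the field descriptions.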
--- /dev/null +++ b/schemas/ai-prompt-template/3.9.x.json @@ -0,0 +1,88 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "templates": { + "description": "Array of templates available to the request context.", + "type": "array", + "required": true, + "elements": { + "fields": [ + { + "name": { + "description": "Unique name for the template, can be called with `{template://NAME}`", + "type": "string", + "required": true + } + }, + { + "template": { + "description": "Template string for this request, supports mustache-style `{{placeholders}}`", + "type": "string", + "required": true + } + } + ], + "required": true, + "type": "record" + } + } + }, + { + "allow_untemplated_requests": { + "description": "Set true to allow requests that don't call or match any template.", + "type": "boolean", + "required": true, + "default": true + } + }, + { + "log_original_request": { + "description": "Set true to add the original request to the Kong log plugin(s) output.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "max_request_body_size": { + "description": "max allowed body size allowed to be introspected", + "type": "integer", + "gt": 0, + "default": 8192 + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/ai-proxy-advanced/3.9.x.json b/schemas/ai-proxy-advanced/3.9.x.json new file mode 100644 index 00000000..7be23c4c --- /dev/null +++ b/schemas/ai-proxy-advanced/3.9.x.json 
@@ -0,0 +1,1349 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "balancer": { + "fields": [ + { + "algorithm": { + "description": "Which load balancing algorithm to use.", + "type": "string", + "default": "round-robin", + "one_of": [ + "round-robin", + "lowest-latency", + "lowest-usage", + "consistent-hashing", + "semantic" + ] + } + }, + { + "tokens_count_strategy": { + "description": "What tokens to use for usage calculation. Available values are: `total_tokens` `prompt_tokens`, and `completion_tokens`.", + "type": "string", + "default": "total-tokens", + "one_of": [ + "total-tokens", + "prompt-tokens", + "completion-tokens" + ] + } + }, + { + "latency_strategy": { + "description": "What metrics to use for latency. 
Available values are: `tpot` (time-per-output-token) and `e2e`.", + "type": "string", + "default": "tpot", + "one_of": [ + "tpot", + "e2e" + ] + } + }, + { + "hash_on_header": { + "description": "The header to use for consistent-hashing.", + "type": "string", + "default": "X-Kong-LLM-Request-ID" + } + }, + { + "slots": { + "description": "The number of slots in the load balancer algorithm.", + "type": "integer", + "between": [ + 10, + 65536 + ], + "default": 10000 + } + }, + { + "retries": { + "description": "The number of retries to execute upon failure to proxy.", + "type": "integer", + "between": [ + 0, + 32767 + ], + "default": 5 + } + }, + { + "connect_timeout": { + "type": "integer", + "between": [ + 1, + 2147483646 + ], + "default": 60000 + } + }, + { + "write_timeout": { + "type": "integer", + "between": [ + 1, + 2147483646 + ], + "default": 60000 + } + }, + { + "read_timeout": { + "type": "integer", + "between": [ + 1, + 2147483646 + ], + "default": 60000 + } + } + ], + "required": true, + "type": "record" + } + }, + { + "embeddings": { + "fields": [ + { + "auth": { + "fields": [ + { + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "param_location": { + "description": "Specify whether 
the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", + "required": false, + "one_of": [ + "query", + "body" + ] + } + }, + { + "azure_use_managed_identity": { + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "gcp_use_service_account": { + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "allow_override": { + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean", + "required": false, + "default": false + } + } + ], + "required": false, + "type": "record" + } + }, + { + "model": { + "fields": [ + { + "provider": { + "description": "AI provider format to use for embeddings API", + "type": "string", + "required": true, + "one_of": [ + "openai", + "mistral" + ] + } + }, + { + "name": { + "description": "Model name to execute.", + "type": "string", + "required": true, + "one_of": [ + "text-embedding-3-large", + "text-embedding-3-small", + "mistral-embed" + ] + } + }, + { + "options": { + "description": "Key/value settings for the model", + "type": "record", + "fields": [ + { + "upstream_url": { + "description": "upstream url for the embeddings", + "type": "string", + "required": false + } + } + ], + "required": false + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": false, + "type": "record" + } + }, + { + "vectordb": { + "fields": [ + { + "strategy": { + "description": "which vector database driver to use", + "type": "string", + "required": true, + "one_of": [ + "redis" + ] + } + }, + { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "type": "integer", + "required": true + } + }, + { + "threshold": { + "description": "the default 
similarity threshold for accepting semantic search results (float)", + "type": "number", + "required": true + } + }, + { + "distance_metric": { + "description": "the distance metric to use for vector searches", + "type": "string", + "required": true, + "one_of": [ + "cosine", + "euclidean" + ] + } + }, + { + "redis": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "type": "string", + "referenceable": true + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", + "between": [ + 1, + 2147483646 + ], + "default": 256 + } + }, + { + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "ip": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string", + "required": false + } + }, + { + "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer", + "default": 5 + } + }, + { + "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean", + "default": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + }, + "then_field": "host" + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } 
+ } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "translate_backwards": [ + "connect_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } + } + }, + { + "sentinel_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "cluster_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": false, + "type": "record" + } + }, + { + "max_request_body_size": { + "description": "max allowed body size allowed to be introspected", + "type": "integer", + "gt": 0, + "default": 8192 + } + }, + { + "model_name_header": { + "description": "Display the model name selected in the X-Kong-LLM-Model response header", + "type": "boolean", + "default": true + } + }, + { + "targets": { + "type": "array", + "required": true, + "elements": { + "fields": [ + { + "route_type": { + "description": "The model's operation implementation, for this provider. 
Set to `preserve` to pass through without transformation.", + "type": "string", + "required": true, + "one_of": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ] + } + }, + { + "auth": { + "fields": [ + { + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", + "required": false, + "one_of": [ + "query", + "body" + ] + } + }, + { + "azure_use_managed_identity": { + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + 
"required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "gcp_use_service_account": { + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "allow_override": { + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean", + "required": false, + "default": false + } + } + ], + "required": false, + "type": "record" + } + }, + { + "model": { + "fields": [ + { + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "type": "string", + "required": true, + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2", + "gemini", + "bedrock" + ] + } + }, + { + "name": { + "description": "Model name to execute.", + "type": "string", + "required": false + } + }, + { + "options": { + "description": "Key/value settings for the model", + "type": "record", + "fields": [ + { + "max_tokens": { + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer", + "required": false, + "default": 256 + } + }, + { + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "type": "number", + "gt": 0, + "required": false + } + }, + { + "output_cost": { + "description": "Defines the cost per 1M tokens in the output of the AI.", + "type": "number", + "gt": 0, + "required": false + } + }, + { + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "type": "number", + "between": [ + 0, + 5 + ], + "required": false + } + }, + { + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "type": "number", + "between": [ + 0, + 1 + ], + "required": false + } + }, + { + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "type": "integer", + 
"between": [ + 0, + 500 + ], + "required": false + } + }, + { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string", + "required": false + } + }, + { + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string", + "required": false + } + }, + { + "azure_api_version": { + "description": "'api-version' for Azure OpenAI instances.", + "type": "string", + "required": false, + "default": "2023-05-15" + } + }, + { + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string", + "required": false + } + }, + { + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "type": "string", + "required": false, + "one_of": [ + "raw", + "openai", + "ollama" + ] + } + }, + { + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "type": "string", + "required": false, + "one_of": [ + "openai", + "ollama" + ] + } + }, + { + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "required": false, + "type": "string" + } + }, + { + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "type": "string", + "required": false + } + }, + { + "gemini": { + "fields": [ + { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string", + "required": false + } + }, + { + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string", + "required": false + } + }, + { + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string", + "required": false + } + } + ], + "required": false, + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], + "type": "record" + } + }, + { + "bedrock": { + "fields": [ + { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string", + "required": false + } + } + ], + "required": false, + "type": "record" + } + } + ], + "required": false + } + } + ], + "required": true, + "type": "record" + } + }, + { + "weight": { + "description": "The weight this target gets within the upstream loadbalancer (1-65535).", + "type": "integer", + "between": [ + 1, + 65535 + ], + "default": 100 + } + }, + { + "description": { + "description": "The semantic description of the target, required if using semantic load balancing.", + "required": false, + "type": "string" + } + }, + { + "logging": { + "fields": [ + { + "log_statistics": { + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "log_payloads": { + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean", + "required": true, + "default": false + } + } + ], + "required": true, + "type": "record" + } + } + 
], + "type": "record", + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "bedrock", + "gemini" + ] + }, + "if_field": "model.provider", + "then_err": "bedrock and gemini only support auth.allow_override = false", + "then_field": "auth.allow_override", + "then_match": { + "eq": false + } + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ], + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for llama2 provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ], + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + 
"conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ], + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models" + } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] + } + } + ] + } + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.targets" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.targets", + "config.balancer" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-proxy/3.9.x.json b/schemas/ai-proxy/3.9.x.json new file mode 100644 index 00000000..46d054a9 --- /dev/null +++ b/schemas/ai-proxy/3.9.x.json 
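Review bot: In `vectordb.redis`, `ssl` and `ssl_verify` both default to `false`, while `password` and `sentinel_password` are marked `encrypted`. With the defaults, those credentials and the vector data travel to Redis over a connection that is neither encrypted nor certificate-verified. Changing a default is a compatibility decision for the upstream schema, but the descriptions should at least say so, for example by appending `When false, Redis credentials and data are sent in clear text.` to the `ssl` description. Separately, the `tokens_count_strategy` description lists `total_tokens`, `prompt_tokens` and `completion_tokens`, whereas `one_of` accepts only the hyphenated `total-tokens`, `prompt-tokens` and `completion-tokens`. The `ip` field under `cluster_nodes` is also described as a host name.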
@@ -0,0 +1,585 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "route_type": { + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "type": "string", + "required": true, + "one_of": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ] + } + }, + { + "auth": { + "fields": [ + { + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", + "required": false, + "one_of": [ + "query", + "body" + ] + } + }, + { + "azure_use_managed_identity": { + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + 
"azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "gcp_use_service_account": { + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "allow_override": { + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean", + "required": false, + "default": false + } + } + ], + "required": false, + "type": "record" + } + }, + { + "model": { + "fields": [ + { + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "type": "string", + "required": true, + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2", + "gemini", + "bedrock" + ] + } + }, + { + "name": { + "description": "Model name to execute.", + "type": "string", + "required": false + } + }, + { + "options": { + "description": "Key/value settings for the model", + "type": "record", + "fields": [ + { + "max_tokens": { + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer", + "required": false, + "default": 256 + } + }, + { + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "type": "number", + "gt": 0, + "required": false + } + }, + { + "output_cost": { + "description": "Defines the cost per 1M tokens in the output of the AI.", + "type": "number", + "gt": 0, + "required": false + } + }, + { + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "type": "number", + "between": [ + 0, + 5 + ], + "required": false + } + }, + { + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "type": "number", + "between": [ + 0, + 1 + ], + "required": false + } + }, + { + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "type": "integer", + 
"between": [ + 0, + 500 + ], + "required": false + } + }, + { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string", + "required": false + } + }, + { + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string", + "required": false + } + }, + { + "azure_api_version": { + "description": "'api-version' for Azure OpenAI instances.", + "type": "string", + "required": false, + "default": "2023-05-15" + } + }, + { + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string", + "required": false + } + }, + { + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "type": "string", + "required": false, + "one_of": [ + "raw", + "openai", + "ollama" + ] + } + }, + { + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "type": "string", + "required": false, + "one_of": [ + "openai", + "ollama" + ] + } + }, + { + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "required": false, + "type": "string" + } + }, + { + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "type": "string", + "required": false + } + }, + { + "gemini": { + "fields": [ + { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string", + "required": false + } + }, + { + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string", + "required": false + } + }, + { + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string", + "required": false + } + } + ], + "required": false, + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], + "type": "record" + } + }, + { + "bedrock": { + "fields": [ + { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string", + "required": false + } + } + ], + "required": false, + "type": "record" + } + } + ], + "required": false + } + } + ], + "required": true, + "type": "record" + } + }, + { + "logging": { + "fields": [ + { + "log_statistics": { + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "log_payloads": { + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean", + "required": true, + "default": false + } + } + ], + "required": true, + "type": "record" + } + }, + { + "response_streaming": { + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "required": false, + "one_of": [ + "allow", + "deny", + "always" + ], + "type": "string", + "default": "allow" + } + }, + { + "max_request_body_size": { + "description": "max allowed body size allowed to 
be introspected", + "type": "integer", + "gt": 0, + "default": 8192 + } + }, + { + "model_name_header": { + "description": "Display the model name selected in the X-Kong-LLM-Model response header", + "type": "boolean", + "default": true + } + } + ], + "type": "record", + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "bedrock", + "gemini" + ] + }, + "if_field": "model.provider", + "then_err": "bedrock and gemini only support auth.allow_override = false", + "then_field": "auth.allow_override", + "then_match": { + "eq": false + } + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ], + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for llama2 provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ], + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + 
"conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ], + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models" + } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/ai-rate-limiting-advanced/3.9.x.json b/schemas/ai-rate-limiting-advanced/3.9.x.json new file mode 100644 index 00000000..7564c293 --- /dev/null +++ b/schemas/ai-rate-limiting-advanced/3.9.x.json 
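Review bot: The `auth.allow_override` description in schemas/ai-proxy/3.9.x.json does not say which credential wins. "Can be overridden in the request by the value configured in the plugin" reads as if the plugin value replaces the client's, which is presumably what already happens when the flag is `false`. Because the entity check at the end of this hunk forces the flag to `false` for bedrock and gemini, enabling it most likely lets a client-supplied header or parameter replace the configured `header_value` / `param_value`. If that is the behaviour, the text should say so, for example `If enabled, a credential sent by the client in the configured header or parameter is forwarded upstream instead of the value configured in the plugin.` The file is pulled from the API, so the wording fix probably belongs in the upstream schema rather than here.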
@@ -0,0 +1,628 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "identifier": { + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "required": true, + "one_of": [ + "ip", + "credential", + "consumer", + "service", + "header", + "path", + "consumer-group" + ], + "type": "string", + "default": "consumer" + } + }, + { + "window_type": { + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "type": "string", + "default": "sliding", + "one_of": [ + "fixed", + "sliding" + ] + } + }, + { + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + } + }, + { + "llm_providers": { + "description": "The provider config. 
Takes an array of `name`, `limit` and `window size` values.", + "type": "array", + "required": true, + "elements": { + "fields": [ + { + "window_size": { + "description": "The window size to apply a limit (defined in seconds).", + "type": "number", + "required": true + } + }, + { + "name": { + "description": "The LLM provider to which the rate limit applies.", + "type": "string", + "required": true, + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2", + "bedrock", + "gemini", + "requestPrompt" + ] + } + }, + { + "limit": { + "description": "The limit applies to the LLM provider within the defined window size. It used the query cost from the tokens to increment the counter.", + "type": "number", + "required": true + } + } + ], + "type": "record" + } + } + }, + { + "strategy": { + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "required": true, + "one_of": [ + "cluster", + "redis", + "local" + ], + "type": "string", + "default": "local" + } + }, + { + "dictionary_name": { + "description": "The shared dictionary where counters are stored. 
When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "type": "string", + "required": true, + "default": "kong_rate_limiting_counters" + } + }, + { + "hide_client_headers": { + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean", + "default": false + } + }, + { + "retry_after_jitter_max": { + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number", + "default": 0 + } + }, + { + "header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + } + }, + { + "path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "type": "string", + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + } + }, + { + "redis": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string", + "referenceable": true + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. 
If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", + "between": [ + 1, + 2147483646 + ], + "default": 256 + } + }, + { + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "ip": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer", + "default": 5 + } + }, + { + "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean", + "default": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } 
+ } + ], + "type": "record", + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "translate_backwards": [ + "connect_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } + } + }, + { + "sentinel_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "cluster_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + } + ], + "required": true + } + }, + { + "disable_penalty": { + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. 
This parameter only affects the `sliding` window_type and the request prompt provider.", + "type": "boolean", + "default": false + } + }, + { + "request_prompt_count_function": { + "description": "If defined, it use custom function to count requests for the request prompt provider", + "type": "string", + "required": false + } + }, + { + "error_code": { + "description": "Set a custom error code to return when the rate limit is exceeded.", + "type": "number", + "gt": 0, + "default": 429 + } + }, + { + "error_message": { + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string", + "default": "API rate limit exceeded for provider(s): " + } + }, + { + "error_hide_providers": { + "description": "Optionally hide informative response that would otherwise provide information about the provider in the error message.", + "type": "boolean", + "default": false + } + }, + { + "tokens_count_strategy": { + "description": "What tokens to use for cost calculation. Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` or `cost`.", + "required": true, + "one_of": [ + "total_tokens", + "prompt_tokens", + "completion_tokens", + "cost" + ], + "type": "string", + "default": "total_tokens" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-request-transformer/3.9.x.json b/schemas/ai-request-transformer/3.9.x.json new file mode 100644 index 00000000..e1f190ab --- /dev/null +++ b/schemas/ai-request-transformer/3.9.x.json 
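Review bot: In the `redis` record of schemas/ai-rate-limiting-advanced/3.9.x.json both `ssl` and `ssl_verify` default to `false`, while `password` and `sentinel_password` are marked `encrypted`. A configuration that sets only host, port and password would therefore protect the secret at rest but send it, and the counter traffic, over a connection that is neither encrypted nor authenticated. The descriptions should carry that caveat, for example by appending to `ssl`: `Enable this together with ssl_verify whenever a password is set or Redis is reached over an untrusted network.` Separately, the `strategy` description lists only `local` and `cluster` although `one_of` also accepts `redis`, the value this record is for. As the file is downloaded from the API, both wording fixes likely need to go into the upstream schema.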
@@ -0,0 +1,669 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "prompt": { + "description": "Use this prompt to tune the LLM system/assistant message for the incoming proxy request (from the client), and what you are expecting in return.", + "required": true, + "type": "string" + } + }, + { + "transformation_extract_pattern": { + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the request phase. The first match will be set as the outgoing body. If the AI service's response doesn't match this pattern, it is marked as a failure.", + "required": false, + "type": "string" + } + }, + { + "http_timeout": { + "description": "Timeout in milliseconds for the AI upstream service.", + "type": "integer", + "required": true, + "default": 60000 + } + }, + { + "https_verify": { + "description": "Verify the TLS certificate of the AI upstream service.", + "type": "boolean", + "required": true, + "default": true + } + }, + { + "max_request_body_size": { + "description": "max allowed body size allowed to be introspected", + "type": "integer", + "gt": 0, + "default": 8192 + } + }, + { + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "https_proxy_host": { + "description": "A string 
representing a host name, such as example.com.", + "type": "string" + } + }, + { + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "llm": { + "fields": [ + { + "route_type": { + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "type": "string", + "required": true, + "one_of": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ] + } + }, + { + "auth": { + "fields": [ + { + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", + "required": false, + "one_of": [ + "query", + "body" + ] + } + }, + { + "azure_use_managed_identity": { + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "azure_client_id": { + "description": "If azure_use_managed_identity is set 
to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "gcp_use_service_account": { + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "allow_override": { + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean", + "required": false, + "default": false + } + } + ], + "required": false, + "type": "record" + } + }, + { + "model": { + "fields": [ + { + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "type": "string", + "required": true, + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2", + "gemini", + "bedrock" + ] + } + }, + { + "name": { + "description": "Model name to execute.", + "type": "string", + "required": false + } + }, + { + "options": { + "description": "Key/value settings for the model", + "type": "record", + "required": false, + "fields": [ + { + "max_tokens": { + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer", + "required": false, + "default": 256 + } + }, + { + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "type": "number", + "gt": 0, + "required": false + } + }, + { + "output_cost": { + "description": "Defines the cost per 1M tokens in the output of the AI.", + "type": "number", + "gt": 0, + "required": false + } + }, + { + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "type": "number", + "between": [ + 0, + 5 + ], + "required": false + } + }, + { + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "type": "number", + "between": [ + 0, + 1 + ], + "required": false + } + }, + { + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + 
"type": "integer", + "between": [ + 0, + 500 + ], + "required": false + } + }, + { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string", + "required": false + } + }, + { + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string", + "required": false + } + }, + { + "azure_api_version": { + "description": "'api-version' for Azure OpenAI instances.", + "type": "string", + "required": false, + "default": "2023-05-15" + } + }, + { + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string", + "required": false + } + }, + { + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "type": "string", + "required": false, + "one_of": [ + "raw", + "openai", + "ollama" + ] + } + }, + { + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "type": "string", + "required": false, + "one_of": [ + "openai", + "ollama" + ] + } + }, + { + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "required": false, + "type": "string" + } + }, + { + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "type": "string", + "required": false + } + }, + { + "gemini": { + "fields": [ + { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string", + "required": false + } + }, + { + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string", + "required": false + } + }, + { + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string", + "required": false + } + } + ], + "required": false, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ] + } + }, + { + "bedrock": { + "fields": [ + { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string", + "required": false + } + } + ], + "required": false, + "type": "record" + } + } + ] + } + } + ], + "required": true, + "type": "record" + } + }, + { + "logging": { + "fields": [ + { + "log_statistics": { + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "log_payloads": { + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean", + "required": true, + "default": false + } + } + ], + "required": true, + "type": "record" + } + } + ], + "type": "record", + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "bedrock", + "gemini" + ] + }, + "if_field": "model.provider", + "then_err": "bedrock and gemini only support auth.allow_override = false", + "then_match": { + "eq": false + }, + "then_field": "auth.allow_override" + } + }, + { + "mutually_required": [ + "auth.header_name", + 
"auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ], + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for llama2 provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ], + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ], + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models" + } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] + } + } + ], + "required": true + } + } 
+ ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "config.llm.route_type", + "if_field": "config.llm.route_type", + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "then_match": { + "eq": "llm/v1/chat" + } + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/ai-response-transformer/3.9.x.json b/schemas/ai-response-transformer/3.9.x.json new file mode 100644 index 00000000..e7158ea7 --- /dev/null +++ b/schemas/ai-response-transformer/3.9.x.json 
@@ -0,0 +1,669 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "prompt": { + "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting.", + "required": true, + "type": "string" + } + }, + { + "transformation_extract_pattern": { + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the response phase. The first match will be set as the returning body. If the AI service's response doesn't match this pattern, a failure is returned to the client.", + "required": false, + "type": "string" + } + }, + { + "parse_llm_response_json_instructions": { + "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. 
You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "http_timeout": { + "description": "Timeout in milliseconds for the AI upstream service.", + "type": "integer", + "required": true, + "default": 60000 + } + }, + { + "https_verify": { + "description": "Verify the TLS certificate of the AI upstream service.", + "type": "boolean", + "required": true, + "default": true + } + }, + { + "max_request_body_size": { + "description": "max allowed body size allowed to be introspected", + "type": "integer", + "gt": 0, + "default": 8192 + } + }, + { + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "llm": { + "fields": [ + { + "route_type": { + "description": "The model's operation implementation, for this provider. 
Set to `preserve` to pass through without transformation.", + "type": "string", + "required": true, + "one_of": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ] + } + }, + { + "auth": { + "fields": [ + { + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", + "required": false, + "one_of": [ + "query", + "body" + ] + } + }, + { + "azure_use_managed_identity": { + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + 
"required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "gcp_use_service_account": { + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "allow_override": { + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean", + "required": false, + "default": false + } + } + ], + "required": false, + "type": "record" + } + }, + { + "model": { + "fields": [ + { + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "type": "string", + "required": true, + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2", + "gemini", + "bedrock" + ] + } + }, + { + "name": { + "description": "Model name to execute.", + "type": "string", + "required": false + } + }, + { + "options": { + "description": "Key/value settings for the model", + "type": "record", + "required": false, + "fields": [ + { + "max_tokens": { + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer", + "required": false, + "default": 256 + } + }, + { + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "type": "number", + "gt": 0, + "required": false + } + }, + { + "output_cost": { + "description": "Defines the cost per 1M tokens in the output of the AI.", + "type": "number", + "gt": 0, + "required": false + } + }, + { + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "type": "number", + "between": [ + 0, + 5 + ], + "required": false + } + }, + { + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "type": "number", + "between": [ + 0, + 1 + ], + "required": false + } + }, + { + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + 
"type": "integer", + "between": [ + 0, + 500 + ], + "required": false + } + }, + { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string", + "required": false + } + }, + { + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string", + "required": false + } + }, + { + "azure_api_version": { + "description": "'api-version' for Azure OpenAI instances.", + "type": "string", + "required": false, + "default": "2023-05-15" + } + }, + { + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string", + "required": false + } + }, + { + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "type": "string", + "required": false, + "one_of": [ + "raw", + "openai", + "ollama" + ] + } + }, + { + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "type": "string", + "required": false, + "one_of": [ + "openai", + "ollama" + ] + } + }, + { + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "required": false, + "type": "string" + } + }, + { + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "type": "string", + "required": false + } + }, + { + "gemini": { + "fields": [ + { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string", + "required": false + } + }, + { + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string", + "required": false + } + }, + { + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string", + "required": false + } + } + ], + "required": false, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ] + } + }, + { + "bedrock": { + "fields": [ + { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string", + "required": false + } + } + ], + "required": false, + "type": "record" + } + } + ] + } + } + ], + "required": true, + "type": "record" + } + }, + { + "logging": { + "fields": [ + { + "log_statistics": { + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "log_payloads": { + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean", + "required": true, + "default": false + } + } + ], + "required": true, + "type": "record" + } + } + ], + "type": "record", + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "bedrock", + "gemini" + ] + }, + "if_field": "model.provider", + "then_err": "bedrock and gemini only support auth.allow_override = false", + "then_match": { + "eq": false + }, + "then_field": "auth.allow_override" + } + }, + { + "mutually_required": [ + "auth.header_name", + 
"auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ], + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for llama2 provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ], + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ], + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models" + } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] + } + } + ], + "required": true + } + } 
+ ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "config.llm.route_type", + "if_field": "config.llm.route_type", + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "then_match": { + "eq": "llm/v1/chat" + } + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/ai-semantic-cache/3.9.x.json b/schemas/ai-semantic-cache/3.9.x.json new file mode 100644 index 00000000..92f99f8a --- /dev/null +++ b/schemas/ai-semantic-cache/3.9.x.json 
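Review bot: The `log_payloads` description under `config.llm.logging` in `schemas/ai-response-transformer/3.9.x.json` does not warn that the logged request and response bodies can carry personal data or credentials. That matters here because, going by the `prompt` description, this plugin appears to hand the proxied upstream response to the LLM. I would extend it to `"If enabled, will log the request and response body into the Kong log plugin(s) output. Bodies may contain sensitive data; enable only when the log destination is access-controlled."`. Separately, `http_timeout` in the same `config` record is a bare integer with no range, while `max_request_body_size` next to it carries `"gt": 0`; unless zero is meaningful to the client, adding `"gt": 0` would reject zero or negative timeouts at validation time. If this file is pulled from the API rather than edited by hand, both changes belong in the upstream plugin schema.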
@@ -0,0 +1,732 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "message_countback": { + "description": "Number of messages in the chat history to Vectorize/Cache", + "type": "number", + "between": [ + 1, + 1000 + ], + "default": 1 + } + }, + { + "ignore_system_prompts": { + "description": "Ignore and discard any system prompts when Vectorizing the request", + "type": "boolean", + "default": false + } + }, + { + "ignore_assistant_prompts": { + "description": "Ignore and discard any assistant prompts when Vectorizing the request", + "type": "boolean", + "default": false + } + }, + { + "stop_on_failure": { + "description": "Halt the LLM request process in case of a caching system failure", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "cache_ttl": { + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "type": "integer", + "gt": 0, + "default": 300 + } + }, + { + "cache_control": { + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "exact_caching": { + "description": "When enabled, a first check for exact query will be done. 
It will impact DB size", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "embeddings": { + "fields": [ + { + "auth": { + "fields": [ + { + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", + "required": false, + "one_of": [ + "query", + "body" + ] + } + }, + { + "azure_use_managed_identity": { + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "required": false, + "type": "string", + 
"encrypted": true, + "referenceable": true + } + }, + { + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "gcp_use_service_account": { + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "allow_override": { + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean", + "required": false, + "default": false + } + } + ], + "required": false, + "type": "record" + } + }, + { + "model": { + "fields": [ + { + "provider": { + "description": "AI provider format to use for embeddings API", + "type": "string", + "required": true, + "one_of": [ + "openai", + "mistral" + ] + } + }, + { + "name": { + "description": "Model name to execute.", + "type": "string", + "required": true, + "one_of": [ + "text-embedding-3-large", + "text-embedding-3-small", + "mistral-embed" + ] + } + }, + { + "options": { + "description": "Key/value settings for the model", + "type": "record", + "required": false, + "fields": [ + { + "upstream_url": { + "description": "upstream url for the embeddings", + "type": "string", + "required": false + } + } + ] + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "vectordb": { + "fields": [ + { + "strategy": { + "description": "which vector database driver to use", + "type": "string", + "required": true, + "one_of": [ + "redis" + ] + } + }, + { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "type": "integer", + "required": true + } + }, + { + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float)", + "type": "number", + "required": true + } + }, + { + "distance_metric": { + "description": "the distance metric to use for vector searches", + "type": "string", + "required": true, + "one_of": [ + "cosine", + "euclidean" + ] + } + }, + { + "redis": { + "fields": [ + { + "host": { + 
"description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string", + "referenceable": true + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", + "between": [ + 1, + 2147483646 + ], + "default": 256 + } + }, + { + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "ip": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer", + "default": 5 + } + }, + { + "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean", + "default": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } 
+ } + ], + "type": "record", + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "translate_backwards": [ + "connect_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } + } + }, + { + "sentinel_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "cluster_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + } + ], + "required": true + } + } + ], + "required": true, + "type": "record" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/ai-semantic-prompt-guard/3.9.x.json b/schemas/ai-semantic-prompt-guard/3.9.x.json new file mode 100644 index 00000000..fe2daeed --- /dev/null +++ b/schemas/ai-semantic-prompt-guard/3.9.x.json 
@@ -0,0 +1,746 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "embeddings": { + "fields": [ + { + "auth": { + "fields": [ + { + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", + "required": false, + "one_of": [ + "query", + "body" + ] + } + }, + { + "azure_use_managed_identity": { + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string", + "required": false, + "referenceable": 
true + } + }, + { + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "gcp_use_service_account": { + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "allow_override": { + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean", + "required": false, + "default": false + } + } + ], + "required": false, + "type": "record" + } + }, + { + "model": { + "fields": [ + { + "provider": { + "description": "AI provider format to use for embeddings API", + "type": "string", + "required": true, + "one_of": [ + "openai", + "mistral" + ] + } + }, + { + "name": { + "description": "Model name to execute.", + "type": "string", + "required": true, + "one_of": [ + "text-embedding-3-large", + "text-embedding-3-small", + "mistral-embed" + ] + } + }, + { + "options": { + "description": "Key/value settings for the model", + "type": "record", + "required": false, + "fields": [ + { + "upstream_url": { + "description": "upstream url for the embeddings", + "type": "string", + "required": false + } + } + ] + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "vectordb": { + "fields": [ + { + "strategy": { + "description": "which vector database driver to use", + "type": "string", + "required": true, + "one_of": [ + "redis" + ] + } + }, + { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "type": "integer", + "required": true + } + }, + { + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float)", + "type": "number", + "required": true + } + }, + { + "distance_metric": { + "description": "the distance metric to use for vector searches", + "type": "string", + "required": true, + "one_of": [ + "cosine", + "euclidean" + ] + } + }, + { + "redis": { + "fields": [ + { + "host": { + 
"description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string", + "referenceable": true + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", + "between": [ + 1, + 2147483646 + ], + "default": 256 + } + }, + { + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "ip": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer", + "default": 5 + } + }, + { + "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean", + "default": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } 
+ } + ], + "type": "record", + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "translate_backwards": [ + "connect_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } + } + }, + { + "sentinel_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "cluster_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + } + ], + "required": true + } + } + ], + "required": true, + "type": "record" + } + }, + { + "search": { + "fields": [ + { + "threshold": { + "description": "Threshold for the similarity score to be considered a match.", + "type": "number", + "required": false, + "default": 0.5 + } + } + ], + "required": false, + "type": "record" + } + }, + { + "rules": { + "fields": [ + { + "match_all_conversation_history": { + "description": "If false, will ignore all previous chat prompts from the conversation history.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "allow_prompts": { + "description": "List of prompts to allow.", + "required": false, + "len_max": 100, + "elements": { + "type": "string", + "len_max": 500, + "len_min": 1 + }, + "type": "array" + } + }, + { + "deny_prompts": { + "description": "List of prompts to deny.", + "required": false, + 
"len_max": 100, + "elements": { + "type": "string", + "len_max": 500, + "len_min": 1 + }, + "type": "array" + } + }, + { + "max_request_body_size": { + "description": "max allowed body size allowed to be introspected", + "type": "integer", + "gt": 0, + "default": 8192 + } + }, + { + "match_all_roles": { + "description": "If true, will match all roles in addition to 'user' role in conversation history.", + "type": "boolean", + "required": true, + "default": false + } + } + ], + "required": true, + "type": "record" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.rules.allow_prompts", + "config.rules.deny_prompts" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/app-dynamics/3.9.x.json b/schemas/app-dynamics/3.9.x.json new file mode 100644 index 00000000..63233636 --- /dev/null +++ b/schemas/app-dynamics/3.9.x.json @@ -0,0 +1,46 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/application-registration/3.9.x.json b/schemas/application-registration/3.9.x.json new file mode 100644 index 00000000..604ffb5c --- /dev/null +++ b/schemas/application-registration/3.9.x.json 
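Review bot: In `config.vectordb.redis`, `ssl` and `ssl_verify` both default to `false`, so the `password` and `sentinel_password` fields that the schema marks `encrypted` travel to Redis without TLS by default, and turning on `ssl` alone still leaves the server certificate unchecked. The `ssl_verify` description should say so, for example by adding the sentence `If false (the default), the Redis server certificate is not checked.`. The same record closes the preceding file's hunk, which starts outside this view. Separately, `rules.max_request_body_size` does not say what happens to a body larger than the limit; for a guard plugin the description should state whether such a request is rejected or passed through uninspected. As these files are pulled from the API, both wording changes presumably belong in the plugin's schema source.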
@@ -0,0 +1,108 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "service": { + "reference": "services", + "on_delete": "cascade", + "type": "foreign", + "ne": null + } + }, + { + "route": { + "reference": "routes", + "type": "foreign", + "description": "A reference to the 'routes' table with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "display_name": { + "required": true, + "description": "Unique display name used for a Service in the Developer Portal.", + "type": "string", + "unique": true + } + }, + { + "description": { + "description": "Unique description displayed in information about a Service in the Developer Portal.", + "type": "string", + "unique": true + } + }, + { + "auto_approve": { + "required": true, + "description": "If enabled, all new Service Contracts requests are automatically approved.", + "type": "boolean", + "default": false + } + }, + { + "show_issuer": { + "required": true, + "description": "Displays the **Issuer URL** in the **Service Details** dialog.", + "type": "boolean", + "default": false + } + }, + { + "enable_proxy_with_consumer_credential": { + "required": true, + "description": "If enabled, the Route of the Service can be accessed using the Consumer's credential", + "type": "boolean", + "default": false + } + } + ], + "type": "record", + "required": true + } + } 
+ ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/aws-lambda/3.9.x.json b/schemas/aws-lambda/3.9.x.json new file mode 100644 index 00000000..94f57420 --- /dev/null +++ b/schemas/aws-lambda/3.9.x.json 
@@ -0,0 +1,273 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "timeout": { + "description": "An optional timeout in milliseconds when invoking the function.", + "required": true, + "type": "number", + "default": 60000 + } + }, + { + "keepalive": { + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "required": true, + "type": "number", + "default": 60000 + } + }, + { + "aws_key": { + "description": "The AWS key credential to be used when invoking the function.", + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "aws_secret": { + "description": "The AWS secret credential to be used when invoking the function. ", + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "aws_assume_role_arn": { + "description": "The target AWS IAM role ARN used to invoke the Lambda function.", + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "aws_role_session_name": { + "description": "The identifier of the assumed role session.", + "type": "string", + "default": "kong" + } + }, + { + "aws_sts_endpoint_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + { + "aws_region": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "function_name": { + "description": "The AWS Lambda function to invoke. 
Both function name and function ARN (including partial) are supported.", + "required": false, + "type": "string" + } + }, + { + "qualifier": { + "description": "The qualifier to use when invoking the function.", + "type": "string" + } + }, + { + "invocation_type": { + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", + "required": true, + "one_of": [ + "RequestResponse", + "Event", + "DryRun" + ], + "type": "string", + "default": "RequestResponse" + } + }, + { + "log_type": { + "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", + "required": true, + "one_of": [ + "Tail", + "None" + ], + "type": "string", + "default": "Tail" + } + }, + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 443 + } + }, + { + "disable_https": { + "default": false, + "type": "boolean" + } + }, + { + "unhandled_status": { + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", + "type": "integer", + "between": [ + 100, + 999 + ] + } + }, + { + "forward_request_method": { + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", + "type": "boolean", + "default": false + } + }, + { + "forward_request_uri": { + "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", + "type": "boolean", + "default": false + } + }, + { + "forward_request_headers": { + "description": "An optional value that defines whether the original HTTP request headers are sent as a map 
in the request_headers field of the JSON-encoded request.", + "type": "boolean", + "default": false + } + }, + { + "forward_request_body": { + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. ", + "type": "boolean", + "default": false + } + }, + { + "is_proxy_integration": { + "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", + "type": "boolean", + "default": false + } + }, + { + "awsgateway_compatible": { + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", + "type": "boolean", + "default": false + } + }, + { + "proxy_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + { + "skip_large_bodies": { + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", + "type": "boolean", + "default": true + } + }, + { + "base64_encode_body": { + "description": "An optional value that Base64-encodes the request body.", + "type": "boolean", + "default": true + } + }, + { + "aws_imds_protocol_version": { + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", + "required": true, + "one_of": [ + "v1", + "v2" + ], + "type": "string", + "default": "v1" + } + }, + { + "empty_arrays_mode": { + "description": "An optional value that defines whether Kong should send empty arrays (returned by Lambda function) as `[]` arrays or `{}` objects in JSON responses. 
The value `legacy` means Kong will send empty arrays as `{}` objects in response", + "required": true, + "one_of": [ + "legacy", + "correct" + ], + "type": "string", + "default": "legacy" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "config.aws_key", + "config.aws_secret" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "config.proxy_url" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/azure-functions/3.9.x.json b/schemas/azure-functions/3.9.x.json new file mode 100644 index 00000000..5299c53a --- /dev/null +++ b/schemas/azure-functions/3.9.x.json 
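Review bot: `disable_https` is the only field in `config` without a `description`, and judging by its name it turns off TLS for the invocation request, so it should carry one; if that reading is right, something like `"description": "If true, the plugin connects to the Lambda endpoint over plain HTTP instead of HTTPS."`. `aws_imds_protocol_version` defaults to `v1`, and its description should note that `v2` is the session-token-based variant and the safer choice where the instance supports it. `aws_region` reuses the host-name text (`A string representing a host name, such as example.com.`), which does not describe a region. Since the file is pulled from the API, these changes presumably belong in the plugin's schema source rather than here.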
@@ -0,0 +1,125 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing protocols.", + "required": true, + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "timeout": { + "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", + "type": "number", + "default": 600000 + } + }, + { + "keepalive": { + "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", + "type": "number", + "default": 60000 + } + }, + { + "https": { + "description": "Use of HTTPS to connect with the Azure Functions server.", + "type": "boolean", + "default": true + } + }, + { + "https_verify": { + "description": "Set to `true` to authenticate the Azure Functions server.", + "type": "boolean", + "default": false + } + }, + { + "apikey": { + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "clientid": { + "description": "The `clientid` to access the Azure resources. 
If provided, it is injected as the `x-functions-clientid` header.", + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "appname": { + "description": "The Azure app name.", + "type": "string", + "required": true + } + }, + { + "hostdomain": { + "description": "The domain where the function resides.", + "type": "string", + "required": true, + "default": "azurewebsites.net" + } + }, + { + "routeprefix": { + "description": "Route prefix to use.", + "type": "string", + "default": "api" + } + }, + { + "functionname": { + "description": "Name of the Azure function to invoke.", + "type": "string", + "required": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/basic-auth/3.9.x.json b/schemas/basic-auth/3.9.x.json new file mode 100644 index 00000000..fb634743 --- /dev/null +++ b/schemas/basic-auth/3.9.x.json 
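Review bot: `https_verify` in the azure-functions `config` defaults to `false`, and its description never says what that default means. As written, the server is not authenticated on the same connection where `apikey` and `clientid` are injected as the `x-functions-key` and `x-functions-clientid` headers. I would extend the description to `Set to true to authenticate the Azure Functions server. With the default (false) the server's identity is not checked; enable it wherever apikey or clientid is set.` The file looks like it is downloaded from the gateway schema, so the wording probably has to change upstream and be pulled again rather than edited here.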
@@ -0,0 +1,78 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "anonymous": { + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + } + }, + { + "hide_credentials": { + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": true, + "type": "string", + "default": "service" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/bot-detection/3.9.x.json b/schemas/bot-detection/3.9.x.json new file mode 100644 index 00000000..3f7aa01d --- /dev/null +++ b/schemas/bot-detection/3.9.x.json 
@@ -0,0 +1,79 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "allow": { + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", + "type": "array", + "elements": { + "type": "string", + "is_regex": true + }, + "default": [ + + ] + } + }, + { + "deny": { + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", + "type": "array", + "elements": { + "type": "string", + "is_regex": true + }, + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/canary/3.9.x.json b/schemas/canary/3.9.x.json new file mode 100644 index 00000000..11ed4236 --- /dev/null +++ b/schemas/canary/3.9.x.json 
@@ -0,0 +1,190 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "start": { + "description": "Future time in seconds since epoch, when the canary release will start. Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`.", + "type": "number" + } + }, + { + "hash": { + "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", + "type": "string", + "default": "consumer", + "one_of": [ + "consumer", + "ip", + "none", + "allow", + "deny", + "header" + ] + } + }, + { + "hash_header": { + "description": "A string representing an HTTP header name.", + "type": "string" + } + }, + { + "duration": { + "description": "The duration of the canary release in seconds.", + "type": "number", + "gt": 0, + "default": 3600 + } + }, + { + "steps": { + "description": "The number of steps for the canary release.", + "type": "number", + "gt": 1, + "default": 1000 + } + }, + { + "percentage": { + "description": "The percentage of traffic to be 
routed to the canary release.", + "type": "number", + "between": [ + 0, + 100 + ] + } + }, + { + "upstream_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "upstream_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "upstream_uri": { + "description": "The URI of the upstream server to be used for the canary release.", + "len_min": 1, + "type": "string" + } + }, + { + "upstream_fallback": { + "description": "Specifies whether to fallback to the upstream server if the canary release fails.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "groups": { + "description": "The groups allowed to access the canary release.", + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "canary_by_header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + } + } + ], + "required": true, + "type": "record", + "shorthand_fields": [ + { + "hash": { + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead.", + "type": "string" + } + } + ] + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.upstream_uri", + "config.upstream_host", + "config.upstream_port" + ] + }, + { + "conditional": { + "if_field": "config.hash", + "if_match": { + "eq": "header" + }, + "then_field": "config.hash_header", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.upstream_fallback", + "if_match": { + "eq": true + }, + "then_field": "config.upstream_host", + "then_match": { + "required": true + } + } + } + ] +} \ No newline at end of file diff --git a/schemas/confluent/3.9.x.json b/schemas/confluent/3.9.x.json new file mode 100644 index 00000000..7a953883 --- /dev/null 
+++ b/schemas/confluent/3.9.x.json 
@@ -0,0 +1,253 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set", + "elements": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ], + "type": "record" + } + } + }, + { + "topic": { + "description": "The Kafka topic to publish to.", + "type": "string", + "required": true + } + }, + { + "timeout": { + "description": "Socket timeout in milliseconds.", + "type": "integer", + "default": 10000 + } + }, + { + "keepalive": { + "description": "Keepalive timeout in milliseconds.", + "type": "integer", + "default": 60000 + } + }, + { + "keepalive_enabled": { + "type": "boolean", + "default": false + } + }, + { + "cluster_api_key": { + "description": "Username/Apikey for SASL authentication.", + "required": true, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "cluster_api_secret": { + "description": "Password/ApiSecret for SASL authentication.", + "required": true, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "confluent_cloud_api_key": { + "description": "Apikey for authentication with Confluent Cloud. 
This allows for management tasks such as creating topics, ACLs, etc.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "confluent_cloud_api_secret": { + "description": "The corresponding secret for the Confluent Cloud API key.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "forward_method": { + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean", + "default": false + } + }, + { + "forward_uri": { + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean", + "default": false + } + }, + { + "forward_headers": { + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean", + "default": false + } + }, + { + "forward_body": { + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean", + "default": true + } + }, + { + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. 
Logs will be sent to the leader of the cluster.", + "type": "string", + "auto": true, + "required": false + } + }, + { + "producer_request_acks": { + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "type": "integer", + "default": 1, + "one_of": [ + -1, + 0, + 1 + ] + } + }, + { + "producer_request_timeout": { + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer", + "default": 2000 + } + }, + { + "producer_request_limits_messages_per_request": { + "description": "Maximum number of messages to include into a single producer request.", + "type": "integer", + "default": 200 + } + }, + { + "producer_request_limits_bytes_per_request": { + "description": "Maximum size of a Produce request in bytes.", + "type": "integer", + "default": 1048576 + } + }, + { + "producer_request_retries_max_attempts": { + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer", + "default": 10 + } + }, + { + "producer_request_retries_backoff_timeout": { + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer", + "default": 100 + } + }, + { + "producer_async": { + "description": "Flag to enable asynchronous mode.", + "type": "boolean", + "default": true + } + }, + { + "producer_async_flush_timeout": { + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer", + "default": 1000 + } + }, + { + "producer_async_buffering_limits_messages_in_memory": { + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer", + "default": 50000 + } + } + ], + "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "forward_method", + 
"forward_uri", + "forward_headers", + "forward_body" + ] + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/correlation-id/3.9.x.json b/schemas/correlation-id/3.9.x.json new file mode 100644 index 00000000..47945b3e --- /dev/null +++ b/schemas/correlation-id/3.9.x.json @@ -0,0 +1,73 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "header_name": { + "description": "The HTTP header name to use for the correlation ID.", + "type": "string", + "default": "Kong-Request-ID" + } + }, + { + "generator": { + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", + "required": true, + "one_of": [ + "uuid", + "uuid#counter", + "tracker" + ], + "type": "string", + "default": "uuid#counter" + } + }, + { + "echo_downstream": { + "description": "Whether to echo the header back to downstream (the client).", + "required": true, + "type": "boolean", + "default": false + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/cors/3.9.x.json b/schemas/cors/3.9.x.json new file mode 100644 index 00000000..85e723f0 --- /dev/null +++ b/schemas/cors/3.9.x.json 
@@ -0,0 +1,143 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "len_min": 1, + "type": "string", + "required": true, + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "origins": { + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.", + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "headers": { + "description": "Value for the `Access-Control-Allow-Headers` header.", + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "exposed_headers": { + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "methods": { + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. 
By default, all options are allowed.'", + "type": "array", + "default": [ + "GET", + "HEAD", + "PUT", + "PATCH", + "POST", + "DELETE", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "elements": { + "type": "string", + "one_of": [ + "GET", + "HEAD", + "PUT", + "PATCH", + "POST", + "DELETE", + "OPTIONS", + "TRACE", + "CONNECT" + ] + } + } + }, + { + "max_age": { + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`.", + "type": "number" + } + }, + { + "credentials": { + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "private_network": { + "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "preflight_continue": { + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", + "required": true, + "type": "boolean", + "default": false + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/datadog-tracing/3.9.x.json b/schemas/datadog-tracing/3.9.x.json new file mode 100644 index 00000000..450d1bc3 --- /dev/null +++ b/schemas/datadog-tracing/3.9.x.json 
@@ -0,0 +1,103 @@ +{ + "fields": [ + { + "consumer": { + "eq": null, + "type": "foreign", + "reference": "consumers" + } + }, + { + "protocols": { + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "endpoint": { + "type": "string", + "referenceable": true + } + }, + { + "service_name": { + "required": true, + "type": "string", + "default": "kong" + } + }, + { + "environment": { + "type": "string", + "default": "none" + } + }, + { + "batch_span_count": { + "required": true, + "type": "integer", + "default": 200 + } + }, + { + "batch_flush_delay": { + "required": true, + "type": "integer", + "default": 3 + } + }, + { + "connect_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "default": 1000 + } + }, + { + "send_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "default": 5000 + } + }, + { + "read_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "default": 5000 + } + } + ], + "type": "record", + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/datadog/3.9.x.json b/schemas/datadog/3.9.x.json new file mode 100644 index 00000000..9c8a1c3c --- /dev/null +++ b/schemas/datadog/3.9.x.json 
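Review bot: No field in the datadog-tracing schema carries a `description`, unlike the other schemas in this patch, and `consumer` also lacks the foreign-key description used elsewhere. The units are what a reader cannot guess: `batch_flush_delay` defaults to `3` while `connect_timeout`, `send_timeout` and `read_timeout` default to `1000` and `5000`, which suggests seconds versus milliseconds, but nothing states it. Each field needs a one-line description giving its purpose and, for the delay and the timeouts, the unit. `endpoint` is `referenceable`, so its description should also say whether the value may embed a credential. As the file appears to be downloaded from the gateway, the descriptions presumably have to be added upstream first.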
@@ -0,0 +1,361 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing protocols.", + "required": true, + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string", + "referenceable": true, + "default": "localhost" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 8125 + } + }, + { + "prefix": { + "description": "String to be attached as a prefix to a metric's name.", + "type": "string", + "default": "kong" + } + }, + { + "service_name_tag": { + "description": "String to be attached as the name of the service.", + "type": "string", + "default": "name" + } + }, + { + "status_tag": { + "description": "String to be attached as the tag of the HTTP status.", + "type": "string", + "default": "status" + } + }, + { + "consumer_tag": { + "description": "String to be attached as tag of the consumer.", + "type": "string", + "default": "consumer" + } + }, + { + "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer", + "deprecation": { + "old_default": 10, + "message": "datadog: config.retry_count no longer works, please use config.queue.max_retry_time instead", + "removal_in_version": "4.0" + } + } + }, + { + "queue_size": { + "description": "Maximum 
number of log entries to be sent on each message to the upstream server.", + "type": "integer", + "deprecation": { + "old_default": 1, + "message": "datadog: config.queue_size is deprecated, please use config.queue.max_batch_size instead", + "removal_in_version": "4.0" + } + } + }, + { + "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number", + "deprecation": { + "old_default": 2, + "message": "datadog: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", + "removal_in_version": "4.0" + } + } + }, + { + "queue": { + "fields": [ + { + "max_batch_size": { + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", + "between": [ + 1, + 1000000 + ], + "default": 1 + } + }, + { + "max_coalescing_delay": { + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", + "between": [ + 0, + 3600 + ], + "default": 1 + } + }, + { + "max_entries": { + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", + "between": [ + 1, + 1000000 + ], + "default": 10000 + } + }, + { + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + } + }, + { + "max_retry_time": { + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number", + "default": 60 + } + }, + { + "initial_retry_delay": { + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", + "between": [ + 0.001, + 1000000 + ], + "default": 0.01 + } + }, + { + "max_retry_delay": { + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", + 
"between": [ + 0.001, + 1000000 + ], + "default": 60 + } + }, + { + "concurrency_limit": { + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "type": "integer", + "default": 1, + "one_of": [ + -1, + 1 + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "metrics": { + "description": "List of metrics to be logged.", + "required": true, + "elements": { + "fields": [ + { + "name": { + "description": "Datadog metric’s name", + "required": true, + "type": "string", + "one_of": [ + "kong_latency", + "latency", + "request_count", + "request_size", + "response_size", + "upstream_latency" + ] + } + }, + { + "stat_type": { + "description": "Determines what sort of event the metric represents", + "required": true, + "type": "string", + "one_of": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer", + "distribution" + ] + } + }, + { + "tags": { + "description": "List of tags", + "type": "array", + "elements": { + "type": "string", + "match": "^.*[^:]$" + } + } + }, + { + "sample_rate": { + "description": "Sampling rate", + "type": "number", + "between": [ + 0, + 1 + ] + } + }, + { + "consumer_identifier": { + "description": "Authenticated user detail", + "type": "string", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + } + ], + "type": "record", + "entity_checks": [ + { + "conditional": { + "if_field": "stat_type", + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_field": "sample_rate", + "then_match": { + "required": true + } + } + } + ] + }, + "type": "array", + "default": [ + { + "stat_type": "counter", + "name": "request_count", + "consumer_identifier": "custom_id", + "sample_rate": 1, + "tags": [ + "app:kong" + ] + }, + { + "stat_type": "timer", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id", + "name": "latency" + }, + { + "stat_type": "timer", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id", + "name": "request_size" + }, + 
{ + "stat_type": "timer", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id", + "name": "response_size" + }, + { + "stat_type": "timer", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id", + "name": "upstream_latency" + }, + { + "stat_type": "timer", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id", + "name": "kong_latency" + } + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/degraphql/3.9.x.json b/schemas/degraphql/3.9.x.json new file mode 100644 index 00000000..80461c1c --- /dev/null +++ b/schemas/degraphql/3.9.x.json @@ -0,0 +1,68 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "graphql_server_path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "required": true, + "starts_with": "/", + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "default": "/graphql" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file 
diff --git a/schemas/exit-transformer/3.9.x.json b/schemas/exit-transformer/3.9.x.json new file mode 100644 index 00000000..9ba8d46d --- /dev/null +++ b/schemas/exit-transformer/3.9.x.json @@ -0,0 +1,68 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "functions": { + "required": true, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "handle_unknown": { + "description": "Determines whether to handle unknown status codes by transforming their responses.", + "type": "boolean", + "default": false + } + }, + { + "handle_unexpected": { + "description": "Determines whether to handle unexpected errors by transforming their responses.", + "type": "boolean", + "default": false + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/file-log/3.9.x.json b/schemas/file-log/3.9.x.json new file mode 100644 index 00000000..8c59160b --- /dev/null +++ b/schemas/file-log/3.9.x.json 
@@ -0,0 +1,83 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing protocols.", + "required": true, + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "path": { + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", + "err": "not a valid filename", + "match": "^[^*&%%\\`]+$", + "type": "string", + "required": true + } + }, + { + "reopen": { + "description": "Determines whether the log file is closed and reopened on every request.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "custom_fields_by_lua": { + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map", + "values": { + "type": "string", + "len_min": 1 + }, + "description": "Lua code as a key-value map" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/forward-proxy/3.9.x.json b/schemas/forward-proxy/3.9.x.json new file mode 100644 index 00000000..236f0a94 --- /dev/null +++ b/schemas/forward-proxy/3.9.x.json 
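Review bot: The `match` pattern on file-log's `path` only rejects a handful of characters, so as far as this schema shows, any absolute or relative location passes validation, including one containing `..`. The description adds that the plugin creates the file when it is missing, which means whoever can edit this plugin's configuration chooses where the gateway writes, presumably with the gateway process's permissions. I would append to the description: `The path is not confined to a log directory; point it at a dedicated location writable by the gateway user and restrict who may change this setting.` If the file mirrors the gateway schema, the change belongs upstream.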
@@ -0,0 +1,171 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "x_headers": { + "description": "Determines how to handle headers when forwarding the request.", + "required": true, + "one_of": [ + "append", + "transparent", + "delete" + ], + "type": "string", + "default": "append" + } + }, + { + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "proxy_scheme": { + "description": "The proxy scheme to use when connecting. 
Only `http` is supported.", + "required": true, + "one_of": [ + "http" + ], + "type": "string", + "default": "http" + } + }, + { + "auth_username": { + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "auth_password": { + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "https_verify": { + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "type": "boolean", + "required": true, + "default": false + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "http_proxy_host", + "https_proxy_host" + ] + }, + { + "at_least_one_of": [ + "http_proxy_port", + "https_proxy_port" + ] + }, + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], + "type": "record", + "shorthand_fields": [ + { + "proxy_host": { + "deprecation": { + "message": "forward-proxy: config.proxy_host is deprecated, please use config.http_proxy_host instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "proxy_port": { + "deprecation": { + "message": "forward-proxy: config.proxy_port is deprecated, please use config.http_proxy_port instead", + "removal_in_version": "4.0" + }, + "type": "integer" + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/graphql-proxy-cache-advanced/3.9.x.json b/schemas/graphql-proxy-cache-advanced/3.9.x.json new file mode 100644 index 00000000..641b0e27 --- /dev/null +++ b/schemas/graphql-proxy-cache-advanced/3.9.x.json 
@@ -0,0 +1,500 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "strategy": { + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", + "required": true, + "one_of": [ + "memory", + "redis" + ], + "type": "string", + "default": "memory" + } + }, + { + "cache_ttl": { + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "type": "integer", + "gt": 0, + "default": 300 + } + }, + { + "memory": { + "fields": [ + { + "dictionary_name": { + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string", + "required": true, + "default": "kong_db_cache" + } + } + ], + "type": "record", + "required": true + } + }, + { + "redis": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string", + "referenceable": true + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low.", + "type": "integer", + "between": [ + 1, + 2147483646 + ], + "default": 256 + } + }, + { + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "ip": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer", + "default": 5 + } + }, + { + "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean", + "default": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } 
+ } + ], + "type": "record", + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "translate_backwards": [ + "connect_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } + } + }, + { + "sentinel_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "cluster_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + } + ], + "required": true + } + }, + { + "bypass_on_err": { + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "type": "boolean", + "default": false + } + }, + { + "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "type": "array", + "elements": { + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/graphql-rate-limiting-advanced/3.9.x.json b/schemas/graphql-rate-limiting-advanced/3.9.x.json new file mode 100644 index 00000000..6274df88 --- /dev/null +++ b/schemas/graphql-rate-limiting-advanced/3.9.x.json 
@@ -0,0 +1,567 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "identifier": { + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", + "required": true, + "one_of": [ + "ip", + "credential", + "consumer" + ], + "type": "string", + "default": "consumer" + } + }, + { + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds).", + "type": "array", + "required": true, + "elements": { + "type": "number" + } + } + }, + { + "window_type": { + "description": "Sets the time window to either `sliding` or `fixed`.", + "type": "string", + "default": "sliding", + "one_of": [ + "fixed", + "sliding" + ] + } + }, + { + "limit": { + "description": "One or more requests-per-window limits to apply.", + "type": "array", + "required": true, + "elements": { + "type": "number" + } + } + }, + { + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.", + "type": "number", + "required": true + } + }, + { + "namespace": { + "description": "The rate limiting namespace to use for this plugin instance. This namespace is used to share rate limiting counters across different instances. If it is not provided, a random UUID is generated. 
NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", + "type": "string", + "auto": true + } + }, + { + "strategy": { + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", + "required": true, + "one_of": [ + "cluster", + "redis" + ], + "type": "string", + "default": "cluster" + } + }, + { + "dictionary_name": { + "description": "The shared dictionary where counters will be stored until the next sync cycle.", + "type": "string", + "required": true, + "default": "kong_rate_limiting_counters" + } + }, + { + "hide_client_headers": { + "description": "Optionally hide informative response headers. Available options: `true` or `false`.", + "type": "boolean", + "default": false + } + }, + { + "cost_strategy": { + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", + "type": "string", + "default": "default", + "one_of": [ + "default", + "node_quantifier" + ] + } + }, + { + "score_factor": { + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", + "required": false, + "type": "number", + "gt": 0, + "default": 1 + } + }, + { + "max_cost": { + "description": "A defined maximum cost per query. 0 means unlimited.", + "type": "number", + "required": false, + "default": 0 + } + }, + { + "redis": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string", + "referenceable": true + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. 
If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", + "between": [ + 1, + 2147483646 + ], + "default": 256 + } + }, + { + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "ip": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer", + "default": 5 + } + }, + { + "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean", + "default": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } 
+ } + ], + "type": "record", + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "translate_backwards": [ + "connect_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } + } + }, + { + "sentinel_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "cluster_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + } + ], + "required": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/grpc-gateway/3.9.x.json b/schemas/grpc-gateway/3.9.x.json new file mode 100644 index 00000000..70622fdd --- /dev/null +++ b/schemas/grpc-gateway/3.9.x.json 
@@ -0,0 +1,59 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing protocols.", + "required": true, + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "proto": { + "description": "Describes the gRPC types and methods.", + "type": "string", + "required": false + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/grpc-web/3.9.x.json b/schemas/grpc-web/3.9.x.json new file mode 100644 index 00000000..7c096f17 --- /dev/null +++ b/schemas/grpc-web/3.9.x.json 
@@ -0,0 +1,74 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing protocols.", + "required": true, + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "proto": { + "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", + "type": "string", + "required": false + } + }, + { + "pass_stripped_path": { + "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", + "type": "boolean", + "required": false + } + }, + { + "allow_origin_header": { + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", + "type": "string", + "required": false, + "default": "*" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/header-cert-auth/3.9.x.json b/schemas/header-cert-auth/3.9.x.json new file mode 100644 index 00000000..94570d80 --- /dev/null +++ b/schemas/header-cert-auth/3.9.x.json 
@@ -0,0 +1,229 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "certificate_header_name": { + "description": "Name of the header that contains the certificate, received from the WAF or other L7 downstream proxy.", + "required": true, + "type": "string" + } + }, + { + "certificate_header_format": { + "description": "Format of the certificate header. Supported formats: `base64_encoded`, `url_encoded`.", + "required": true, + "type": "string", + "one_of": [ + "base64_encoded", + "url_encoded" + ] + } + }, + { + "secure_source": { + "description": "Whether to secure the source of the request. If set to `true`, the plugin will only allow requests from trusted IPs (configured by the `trusted_ips` config option).", + "type": "boolean", + "required": true, + "default": true + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + } + }, + { + "consumer_by": { + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "username", + "custom_id" + ] + }, + "type": "array", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "ca_certificates": { + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", + "type": "array", + "required": true, + "elements": { + "type": "string", + "uuid": true + } + } + }, + { + "cache_ttl": { + "description": "Cache expiry time in seconds.", + "type": "number", + "required": true, + "default": 60 + } + }, + { + "skip_consumer_lookup": { + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "allow_partial_chain": { + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "authenticated_group_by": { + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. 
To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "required": false, + "one_of": [ + "CN", + "DN" + ], + "type": "string", + "default": "CN" + } + }, + { + "revocation_check_mode": { + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "required": false, + "one_of": [ + "SKIP", + "IGNORE_CA_ERROR", + "STRICT" + ], + "type": "string", + "default": "IGNORE_CA_ERROR" + } + }, + { + "http_timeout": { + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number", + "default": 30000 + } + }, + { + "cert_cache_ttl": { + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", + "type": "number", + "default": 60000 + } + }, + { + "default_consumer": { + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + } + }, + { + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + } + ], + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/hmac-auth/3.9.x.json b/schemas/hmac-auth/3.9.x.json new file mode 100644 index 00000000..b3b458c4 --- /dev/null +++ b/schemas/hmac-auth/3.9.x.json 
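Review bot: The `secure_source` description points to a `trusted_ips` config option, but no such field exists in this `config` record, so a reader cannot tell where the trusted list is set or what disabling the check gives up. Because the certificate arrives in a request header, it carries no proof that the sender holds the private key; with `secure_source` set to `false`, the header is accepted from any client that can reach the gateway. I would add `Only disable this when the gateway is reachable solely through the proxy that sets the header.` to the description and say where `trusted_ips` is configured. Separately, `revocation_check_mode` defaults to `IGNORE_CA_ERROR`, which by its own description does not fail on network issues, so the text could point to `STRICT` for deployments that need revocation enforced.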
@@ -0,0 +1,132 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "hide_credentials": { + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "clock_skew": { + "description": "Clock skew in seconds to prevent replay attacks.", + "type": "number", + "gt": 0, + "default": 300 + } + }, + { + "anonymous": { + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + } + }, + { + "validate_request_body": { + "description": "A boolean value telling the plugin to enable body validation.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "enforce_headers": { + "description": "A list of headers that the client should at least use for HTTP signature creation.", + "type": "array", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "algorithms": { + "description": "A list of HMAC digest algorithms that the user wants to support. 
Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ] + }, + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ] + } + }, + { + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": false, + "type": "string" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.algorithms" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/http-log/3.9.x.json b/schemas/http-log/3.9.x.json new file mode 100644 index 00000000..9a8a64ff --- /dev/null +++ b/schemas/http-log/3.9.x.json 
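Review bot: The `validate_request_body` description ("A boolean value telling the plugin to enable body validation.") does not say what is validated, nor that the default `false` leaves the request body outside the integrity check. As far as I know the plugin compares the body with the `Digest` header when this is on, so I would reword it to `When true, the plugin checks the request body against the Digest header; when false (default), the body is not verified.`, to be confirmed against the plugin before adopting the wording. The `algorithms` default also still lists `hmac-sha1`, and the description could note that deployments with a policy against SHA-1 need to override the list.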
@@ -0,0 +1,260 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing protocols.", + "required": true, + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "http_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": true, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "method": { + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", + "type": "string", + "default": "POST", + "one_of": [ + "POST", + "PUT", + "PATCH" + ] + } + }, + { + "content_type": { + "description": "Indicates the type of data sent. 
The only available option is `application/json`.", + "type": "string", + "default": "application/json", + "one_of": [ + "application/json", + "application/json; charset=utf-8" + ] + } + }, + { + "timeout": { + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number", + "default": 10000 + } + }, + { + "keepalive": { + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", + "type": "number", + "default": 60000 + } + }, + { + "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer", + "deprecation": { + "old_default": 10, + "message": "http-log: config.retry_count no longer works, please use config.queue.max_retry_time instead", + "removal_in_version": "4.0" + } + } + }, + { + "queue_size": { + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer", + "deprecation": { + "old_default": 1, + "message": "http-log: config.queue_size is deprecated, please use config.queue.max_batch_size instead", + "removal_in_version": "4.0" + } + } + }, + { + "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number", + "deprecation": { + "old_default": 2, + "message": "http-log: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", + "removal_in_version": "4.0" + } + } + }, + { + "headers": { + "description": "An optional table of headers included in the HTTP message to the upstream server. 
Values are indexed by header name, and each header name accepts a single string.", + "type": "map", + "values": { + "referenceable": true, + "type": "string" + }, + "keys": { + "match_none": [ + { + "pattern": "^[Hh][Oo][Ss][Tt]$", + "err": "cannot contain 'Host' header" + }, + { + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$", + "err": "cannot contain 'Content-Length' header" + }, + { + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$", + "err": "cannot contain 'Content-Type' header" + } + ], + "type": "string", + "description": "A string representing an HTTP header name." + } + } + }, + { + "queue": { + "fields": [ + { + "max_batch_size": { + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", + "between": [ + 1, + 1000000 + ], + "default": 1 + } + }, + { + "max_coalescing_delay": { + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", + "between": [ + 0, + 3600 + ], + "default": 1 + } + }, + { + "max_entries": { + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", + "between": [ + 1, + 1000000 + ], + "default": 10000 + } + }, + { + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + } + }, + { + "max_retry_time": { + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number", + "default": 60 + } + }, + { + "initial_retry_delay": { + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", + "between": [ + 0.001, + 1000000 + ], + "default": 0.01 + } + }, + { + "max_retry_delay": { + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", + "between": [ + 0.001, + 1000000 + ], + 
"default": 60 + } + }, + { + "concurrency_limit": { + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "type": "integer", + "default": 1, + "one_of": [ + -1, + 1 + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "custom_fields_by_lua": { + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map", + "values": { + "type": "string", + "len_min": 1 + }, + "description": "Lua code as a key-value map" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/ip-restriction/3.9.x.json b/schemas/ip-restriction/3.9.x.json new file mode 100644 index 00000000..aa8bec87 --- /dev/null +++ b/schemas/ip-restriction/3.9.x.json 
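Review bot: The `Content-Length` deny pattern under `headers.keys.match_none` contains `[nn]` where every other letter lists both cases, so a header name spelled with an uppercase `N` in "Length" is not rejected by this rule. The class should be `[Nn]`, giving `"pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][Nn][Gg][Tt][Hh]$"`; whether the name is case-normalised before the check is not visible in this hunk. In the same record, the `content_type` description says the only option is `application/json` while `one_of` also accepts `application/json; charset=utf-8`. The `custom_fields_by_lua` description ("Lua code as a key-value map") should state that the values are evaluated as Lua, so write access to this config should be treated as the ability to run code on the gateway, subject to whatever sandboxing the gateway applies.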
@@ -0,0 +1,85 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing protocols.", + "required": true, + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "http", + "https", + "tcp", + "tls", + "grpc", + "grpcs" + ] + } + }, + { + "config": { + "fields": [ + { + "allow": { + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", + "type": "array", + "elements": { + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "type": "string" + } + } + }, + { + "deny": { + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", + "type": "array", + "elements": { + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "type": "string" + } + } + }, + { + "status": { + "description": "The HTTP status of the requests that will be rejected by the plugin.", + "type": "number", + "required": false + } + }, + { + "message": { + "description": "The message to send as a response body to rejected requests.", + "type": "string", + "required": false + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/jq/3.9.x.json b/schemas/jq/3.9.x.json new file mode 100644 index 00000000..9e42f8c1 --- /dev/null +++ b/schemas/jq/3.9.x.json 
@@ -0,0 +1,197 @@ +{ + "fields": [ + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "request_jq_program": { + "type": "string", + "required": false + } + }, + { + "request_jq_program_options": { + "fields": [ + { + "compact_output": { + "required": true, + "type": "boolean", + "default": true + } + }, + { + "raw_output": { + "required": true, + "type": "boolean", + "default": false + } + }, + { + "join_output": { + "required": true, + "type": "boolean", + "default": false + } + }, + { + "ascii_output": { + "required": true, + "type": "boolean", + "default": false + } + }, + { + "sort_keys": { + "required": true, + "type": "boolean", + "default": false + } + } + ], + "required": false, + "type": "record", + "default": [ + + ] + } + }, + { + "request_if_media_type": { + "elements": { + "type": "string" + }, + "required": false, + "type": "array", + "default": [ + "application/json" + ] + } + }, + { + "response_jq_program": { + "type": "string", + "required": false + } + }, + { + "response_jq_program_options": { + "fields": [ + { + "compact_output": { + "required": true, + "type": "boolean", + "default": true + } + }, + { + "raw_output": { + "required": true, + "type": "boolean", + "default": false + } + }, + { + "join_output": { + "required": true, + "type": "boolean", + "default": false + } + }, + { + "ascii_output": { + "required": true, + "type": "boolean", + "default": false + } + }, + { + "sort_keys": { + "required": true, + "type": "boolean", + "default": false + } + } + ], + "required": false, 
+ "type": "record", + "default": [ + + ] + } + }, + { + "response_if_media_type": { + "elements": { + "type": "string" + }, + "required": false, + "type": "array", + "default": [ + "application/json" + ] + } + }, + { + "response_if_status_code": { + "elements": { + "between": [ + 100, + 599 + ], + "type": "integer" + }, + "required": false, + "type": "array", + "default": [ + 200 + ] + } + } + ], + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "request_jq_program", + "response_jq_program" + ] + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/json-threat-protection/3.9.x.json b/schemas/json-threat-protection/3.9.x.json new file mode 100644 index 00000000..a49e1e7d --- /dev/null +++ b/schemas/json-threat-protection/3.9.x.json 
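Review bot: None of the fields in this schema's `config` record carries a `description`, unlike the other plugin schemas in this patch, so the rendered reference for `request_jq_program`, `response_jq_program` and their options will be empty. At minimum I would add `"description": "The jq program to run on the request body."` and the response-side equivalent, plus one line on each `*_if_media_type` and `response_if_status_code` list saying the program runs only when the condition matches (inferred from the field names; confirm against the plugin). The `"default": [ ]` on the two `*_jq_program_options` entries is an empty array on a `record` type, which looks like a serialisation artefact and may confuse consumers that expect an object.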
@@ -0,0 +1,164 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "max_body_size": { + "description": "Max size of the request body. -1 means unlimited.", + "required": false, + "between": [ + -1, + 2147483648 + ], + "type": "integer", + "default": 8192 + } + }, + { + "max_container_depth": { + "description": "Max nested depth of objects and arrays. -1 means unlimited.", + "required": false, + "between": [ + -1, + 2147483648 + ], + "type": "integer", + "default": -1 + } + }, + { + "max_object_entry_count": { + "description": "Max number of entries in an object. -1 means unlimited.", + "required": false, + "between": [ + -1, + 2147483648 + ], + "type": "integer", + "default": -1 + } + }, + { + "max_object_entry_name_length": { + "description": "Max string length of object name. -1 means unlimited.", + "required": false, + "between": [ + -1, + 2147483648 + ], + "type": "integer", + "default": -1 + } + }, + { + "max_array_element_count": { + "description": "Max number of elements in an array. -1 means unlimited.", + "required": false, + "between": [ + -1, + 2147483648 + ], + "type": "integer", + "default": -1 + } + }, + { + "max_string_value_length": { + "description": "Max string value length. 
-1 means unlimited.", + "required": false, + "between": [ + -1, + 2147483648 + ], + "type": "integer", + "default": -1 + } + }, + { + "enforcement_mode": { + "description": "Enforcement mode of the security policy.", + "required": false, + "one_of": [ + "block", + "log_only" + ], + "type": "string", + "default": "block" + } + }, + { + "error_status_code": { + "description": "The response status code when validation fails.", + "required": false, + "between": [ + 400, + 499 + ], + "type": "integer", + "default": 400 + } + }, + { + "error_message": { + "description": "The response message when validation fails", + "required": false, + "type": "string", + "default": "Bad Request" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.max_body_size", + "config.max_container_depth" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/jwe-decrypt/3.9.x.json b/schemas/jwe-decrypt/3.9.x.json new file mode 100644 index 00000000..f30147c9 --- /dev/null +++ b/schemas/jwe-decrypt/3.9.x.json 
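Review bot: Every structural limit in `config` except `max_body_size` defaults to `-1` (unlimited), so enabling the plugin with defaults enforces only the 8192 body-size cap and no depth, entry-count or string-length limit. The descriptions should say so, for example on `max_container_depth`: `Max nested depth of objects and arrays. -1 means unlimited (default); set an explicit limit to enforce this check.` The `max_body_size` description also omits its unit. The upper bound `2147483648` in each `between` is one above the signed 32-bit maximum, which may be an off-by-one if the value ends up in a 32-bit integer; that cannot be confirmed from the schema alone.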
@@ -0,0 +1,86 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "lookup_header_name": { + "description": "The name of the header to look for the JWE token.", + "type": "string", + "required": true, + "default": "Authorization" + } + }, + { + "forward_header_name": { + "description": "The name of the header that is used to set the decrypted value.", + "type": "string", + "required": true, + "default": "Authorization" + } + }, + { + "key_sets": { + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", + "type": "array", + "required": true, + "elements": { + "type": "string" + } + } + }, + { + "strict": { + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", + "type": "boolean", + "default": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/jwt-signer/3.9.x.json b/schemas/jwt-signer/3.9.x.json new file mode 100644 index 00000000..1f21e368 --- /dev/null +++ b/schemas/jwt-signer/3.9.x.json 
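Review bot: The `strict` description covers only the `true` case and has a grammar slip ("and subsequently raise an error"); it never states what happens to a request without a token when `strict` is `false`. I would reword it to `When true (default), a request without a JWE token is rejected with an error; when false, such a request is let through.` after confirming the non-strict behaviour against the plugin. Operators relying on this plugin as a gate need that sentence to know that turning `strict` off makes the token optional.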
@@ -0,0 +1,997 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "realm": { + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", + "required": false, + "type": "string" + } + }, + { + "enable_hs_signatures": { + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "enable_instrumentation": { + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "access_token_issuer": { + "description": "The `iss` claim of a signed or re-signed access token is set to this value. 
Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", + "required": false, + "type": "string", + "default": "kong" + } + }, + { + "access_token_keyset": { + "description": "The name of the keyset containing signing keys.", + "required": false, + "type": "string", + "default": "kong" + } + }, + { + "access_token_keyset_client_username": { + "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`", + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "access_token_keyset_client_password": { + "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "access_token_keyset_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_keyset` is an https uri that requires mTLS Auth.", + "required": false, + "type": "foreign", + "reference": "certificates" + } + }, + { + "access_token_keyset_rotate_period": { + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. The default value 0 means no auto-rotation.", + "required": false, + "type": "number", + "default": 0 + } + }, + { + "access_token_jwks_uri": { + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", + "required": false, + "type": "string" + } + }, + { + "access_token_jwks_uri_client_username": { + "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. 
Should be configured together with `access_token_jwks_uri_client_password`", + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "access_token_jwks_uri_client_password": { + "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "access_token_jwks_uri_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", + "required": false, + "type": "foreign", + "reference": "certificates" + } + }, + { + "access_token_jwks_uri_rotate_period": { + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. The default value 0 means no auto-rotation.", + "required": false, + "type": "number", + "default": 0 + } + }, + { + "access_token_request_header": { + "description": "This parameter tells the name of the header where to look for the access token.", + "required": false, + "type": "string", + "default": "Authorization" + } + }, + { + "access_token_leeway": { + "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. 
You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", + "required": false, + "type": "number", + "default": 0 + } + }, + { + "access_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", + "required": false, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "access_token_scopes_claim": { + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + "scope" + ] + } + }, + { + "access_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", + "required": false, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "access_token_consumer_by": { + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "type": "array", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "access_token_upstream_header": { + "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. 
If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", + "required": false, + "type": "string", + "default": "Authorization:Bearer" + } + }, + { + "access_token_upstream_leeway": { + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", + "required": false, + "type": "number", + "default": 0 + } + }, + { + "access_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", + "required": false, + "type": "string" + } + }, + { + "access_token_introspection_authorization": { + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", + "required": false, + "type": "string" + } + }, + { + "access_token_introspection_body_args": { + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", + "required": false, + "type": "string" + } + }, + { + "access_token_introspection_hint": { + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", + "required": false, + "type": "string", + "default": "access_token" + } + }, + { + "access_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. 
Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", + "required": false, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "access_token_introspection_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", + "required": false, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "access_token_introspection_scopes_claim": { + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", + "required": true, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + "scope" + ] + } + }, + { + "access_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", + "required": false, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "access_token_introspection_consumer_by": { + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. 
The parameter can take an array of values.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "type": "array", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "access_token_introspection_leeway": { + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", + "required": false, + "type": "number", + "default": 0 + } + }, + { + "access_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", + "required": false, + "type": "number" + } + }, + { + "access_token_signing_algorithm": { + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", + "required": true, + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ], + "type": "string", + "default": "RS256" + } + }, + { + "add_access_token_claims": { + "description": "Add customized claims if they are not present yet. 
Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "required": false, + "values": { + "type": "string" + }, + "keys": { + "type": "string" + }, + "type": "map", + "default": [ + + ] + } + }, + { + "set_access_token_claims": { + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "required": false, + "values": { + "type": "string" + }, + "keys": { + "type": "string" + }, + "type": "map", + "default": [ + + ] + } + }, + { + "remove_access_token_claims": { + "description": "remove claims. It should be an array, and each element is a claim key string.", + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "original_access_token_upstream_header": { + "description": "The HTTP header name used to store the original access token.", + "required": false, + "type": "string" + } + }, + { + "access_token_optional": { + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. 
If the token is provided, then this parameter has no effect", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "verify_access_token_signature": { + "description": "Quickly turn access token signature verification off and on as needed.", + "required": false, + "type": "boolean", + "default": true + } + }, + { + "verify_access_token_expiry": { + "description": "Quickly turn access token expiry verification off and on as needed.", + "required": false, + "type": "boolean", + "default": true + } + }, + { + "verify_access_token_scopes": { + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", + "required": false, + "type": "boolean", + "default": true + } + }, + { + "verify_access_token_introspection_expiry": { + "description": "Quickly turn access token introspection expiry verification off and on as needed.", + "required": false, + "type": "boolean", + "default": true + } + }, + { + "verify_access_token_introspection_scopes": { + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", + "required": false, + "type": "boolean", + "default": true + } + }, + { + "cache_access_token_introspection": { + "description": "Whether to cache access token introspection results.", + "required": false, + "type": "boolean", + "default": true + } + }, + { + "trust_access_token_introspection": { + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. 
If you set this to `true`, the expiry or scopes are not checked on a payload.", + "required": false, + "type": "boolean", + "default": true + } + }, + { + "enable_access_token_introspection": { + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", + "required": false, + "type": "boolean", + "default": true + } + }, + { + "channel_token_issuer": { + "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", + "required": false, + "type": "string", + "default": "kong" + } + }, + { + "channel_token_keyset": { + "description": "The name of the keyset containing signing keys.", + "required": false, + "type": "string", + "default": "kong" + } + }, + { + "channel_token_keyset_client_username": { + "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`", + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "channel_token_keyset_client_password": { + "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_keyset_client_username`", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "channel_token_keyset_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `channel_token_keyset` is an https uri that requires mTLS Auth.", + "required": false, + "type": "foreign", + "reference": "certificates" + } + }, + { + "channel_token_keyset_rotate_period": { + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. The default value 0 means no auto-rotation.", + "required": false, + "type": "number", + "default": 0 + } + }, + { + "channel_token_jwks_uri": { + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", + "required": false, + "type": "string" + } + }, + { + "channel_token_jwks_uri_client_username": { + "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "channel_token_jwks_uri_client_password": { + "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_jwks_uri_client_username`", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "channel_token_jwks_uri_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", + "required": false, + "type": "foreign", + "reference": "certificates" + } + }, + { + "channel_token_jwks_uri_rotate_period": { + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. The default value 0 means no auto-rotation.", + "required": false, + "type": "number", + "default": 0 + } + }, + { + "channel_token_request_header": { + "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", + "required": false, + "type": "string" + } + }, + { + "channel_token_leeway": { + "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", + "required": false, + "type": "number", + "default": 0 + } + }, + { + "channel_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", + "required": false, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "channel_token_scopes_claim": { + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. 
This supports nested claims.", + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + "scope" + ] + } + }, + { + "channel_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", + "required": false, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "channel_token_consumer_by": { + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "default": [ + "username", + "custom_id" + ] + } + }, + { + "channel_token_upstream_header": { + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", + "required": false, + "type": "string" + } + }, + { + "channel_token_upstream_leeway": { + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", + "required": false, + "type": "number", + "default": 0 + } + }, + { + "channel_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. 
Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", + "required": false, + "type": "string" + } + }, + { + "channel_token_introspection_authorization": { + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", + "required": false, + "type": "string", + "elements": { + "type": "string" + } + } + }, + { + "channel_token_introspection_body_args": { + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", + "required": false, + "type": "string", + "elements": { + "type": "string" + } + } + }, + { + "channel_token_introspection_hint": { + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. 
By default, a `hint` isn't sent with channel token introspection.", + "required": false, + "type": "string", + "elements": { + "type": "string" + } + } + }, + { + "channel_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", + "required": false, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "channel_token_introspection_scopes_required": { + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", + "required": false, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "channel_token_introspection_scopes_claim": { + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + "scope" + ] + } + }, + { + "channel_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", + "required": false, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "channel_token_introspection_consumer_by": { + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. 
The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "type": "array", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "channel_token_introspection_leeway": { + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", + "required": false, + "type": "number", + "default": 0 + } + }, + { + "channel_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", + "required": false, + "type": "number" + } + }, + { + "channel_token_signing_algorithm": { + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", + "required": true, + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ], + "type": "string", + "default": "RS256" + } + }, + { + "add_channel_token_claims": { + "description": "Add customized claims if they are not present yet. 
Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "required": false, + "values": { + "type": "string" + }, + "keys": { + "type": "string" + }, + "type": "map", + "default": [ + + ] + } + }, + { + "set_channel_token_claims": { + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "required": false, + "values": { + "type": "string" + }, + "keys": { + "type": "string" + }, + "type": "map", + "default": [ + + ] + } + }, + { + "remove_channel_token_claims": { + "description": "remove claims. It should be an array, and each element is a claim key string.", + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + }, + { + "original_channel_token_upstream_header": { + "description": "The HTTP header name used to store the original channel token.", + "required": false, + "type": "string" + } + }, + { + "channel_token_optional": { + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. 
If the channel token is provided, then this parameter has no effect", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "verify_channel_token_signature": { + "description": "Quickly turn on/off the channel token signature verification.", + "required": false, + "type": "boolean", + "default": true + } + }, + { + "verify_channel_token_expiry": { + "type": "boolean", + "required": false, + "default": true + } + }, + { + "verify_channel_token_scopes": { + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", + "required": false, + "type": "boolean", + "default": true + } + }, + { + "verify_channel_token_introspection_expiry": { + "description": "Quickly turn on/off the channel token introspection expiry verification.", + "required": false, + "type": "boolean", + "default": true + } + }, + { + "verify_channel_token_introspection_scopes": { + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", + "required": false, + "type": "boolean", + "default": true + } + }, + { + "cache_channel_token_introspection": { + "description": "Whether to cache channel token introspection results.", + "required": false, + "type": "boolean", + "default": true + } + }, + { + "trust_channel_token_introspection": { + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. 
With true (default), payload's expiry or scopes aren't checked.", + "required": false, + "type": "boolean", + "default": true + } + }, + { + "enable_channel_token_introspection": { + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", + "required": false, + "type": "boolean", + "default": true + } + }, + { + "add_claims": { + "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "required": false, + "values": { + "type": "string" + }, + "keys": { + "type": "string" + }, + "type": "map", + "default": [ + + ] + } + }, + { + "set_claims": { + "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "required": false, + "values": { + "type": "string" + }, + "keys": { + "type": "string" + }, + "type": "map", + "default": [ + + ] + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "access_token_jwks_uri_client_username", + "access_token_jwks_uri_client_password" + ] + }, + { + "mutually_required": [ + "access_token_keyset_client_username", + "access_token_keyset_client_password" + ] + }, + { + "mutually_required": [ + "channel_token_jwks_uri_client_username", + "channel_token_jwks_uri_client_password" + ] + }, + { + "mutually_required": [ + "channel_token_keyset_client_username", + "channel_token_keyset_client_password" + ] + } + ], + "required": true, + "type": "record" + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.access_token_upstream_header", + "config.channel_token_upstream_header", + "config.original_access_token_upstream_header", + "config.original_channel_token_upstream_header" + ] + } + } + ] +} \ No newline at end of file 
diff --git a/schemas/jwt/3.9.x.json b/schemas/jwt/3.9.x.json new file mode 100644 index 00000000..2530ff46 --- /dev/null +++ b/schemas/jwt/3.9.x.json 
@@ -0,0 +1,160 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "uri_param_names": { + "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", + "type": "set", + "elements": { + "type": "string" + }, + "default": [ + "jwt" + ] + } + }, + { + "cookie_names": { + "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", + "type": "set", + "elements": { + "type": "string" + }, + "default": [ + + ] + } + }, + { + "key_claim_name": { + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", + "type": "string", + "default": "iss" + } + }, + { + "secret_is_base64": { + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "claims_to_verify": { + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. 
Accepted values: one of exp or nbf.", + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "exp", + "nbf" + ] + } + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + } + }, + { + "run_on_preflight": { + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", + "type": "boolean", + "required": true, + "default": true + } + }, + { + "maximum_expiration": { + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", + "type": "number", + "between": [ + 0, + 31536000 + ], + "default": 0 + } + }, + { + "header_names": { + "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", + "type": "set", + "elements": { + "type": "string" + }, + "default": [ + "authorization" + ] + } + }, + { + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string", + "required": false + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "config.maximum_expiration", + "if_match": { + "gt": 0 + }, + "then_field": "config.claims_to_verify", + "then_match": { + "contains": "exp" + } + } + } + ] +} \ No newline at end of file diff --git a/schemas/kafka-log/3.9.x.json b/schemas/kafka-log/3.9.x.json new file mode 100644 index 00000000..00a36770 --- /dev/null +++ b/schemas/kafka-log/3.9.x.json 
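Review bot: In `schemas/jwt/3.9.x.json`, `claims_to_verify` carries no `default`, and the only rule that forces `exp` into it is the `conditional` entity check, which applies only when `config.maximum_expiration` is above its default of 0, yet the description never says what happens when the field is left unset. If the plugin then skips expiry checks, as the schema suggests, the description should say so, for example `When unset, neither exp nor nbf is verified; list exp to reject expired tokens.` The `uri_param_names` description could likewise mention that its default of `jwt` means tokens are accepted from the query string, where they are commonly written to access logs. This file appears to be a copy of the upstream plugin schema, so the wording fix probably belongs at the source.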
@@ -0,0 +1,280 @@ +{ + "fields": [ + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set", + "elements": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ], + "type": "record" + } + } + }, + { + "topic": { + "description": "The Kafka topic to publish to.", + "type": "string", + "required": true + } + }, + { + "timeout": { + "description": "Socket timeout in milliseconds.", + "type": "integer", + "default": 10000 + } + }, + { + "keepalive": { + "default": 60000, + "type": "integer" + } + }, + { + "keepalive_enabled": { + "default": false, + "type": "boolean" + } + }, + { + "authentication": { + "fields": [ + { + "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "type": "string", + "required": false, + "one_of": [ + "sasl" + ] + } + }, + { + "mechanism": { + "description": "The SASL authentication mechanism. 
Supported options: `PLAIN` or `SCRAM-SHA-256`.", + "type": "string", + "required": false, + "one_of": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ] + } + }, + { + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication", + "type": "boolean", + "required": false + } + }, + { + "user": { + "description": "Username for SASL authentication.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "password": { + "description": "Password for SASL authentication.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + } + ], + "type": "record", + "required": true + } + }, + { + "security": { + "fields": [ + { + "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", + "uuid": true, + "type": "string", + "required": false + } + }, + { + "ssl": { + "description": "Enables TLS.", + "type": "boolean", + "required": false + } + } + ], + "type": "record", + "required": true + } + }, + { + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "auto": true, + "type": "string", + "required": false + } + }, + { + "producer_request_acks": { + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "type": "integer", + "default": 1, + "one_of": [ + -1, + 0, + 1 + ] + } + }, + { + "producer_request_timeout": { + "description": "Time to wait for a Produce response in milliseconds", + "type": "integer", + "default": 2000 + } + }, + { + "producer_request_limits_messages_per_request": { + "description": "Maximum number of messages to include into a single Produce request.", + "type": "integer", + "default": 200 + } + }, + { + "producer_request_limits_bytes_per_request": { + "description": "Maximum size of a Produce request in bytes.", + "type": "integer", + "default": 1048576 + } + }, + { + "producer_request_retries_max_attempts": { + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer", + "default": 10 + } + }, + { + "producer_request_retries_backoff_timeout": { + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer", + "default": 100 + } + }, + { + "producer_async": { + "description": "Flag to enable asynchronous mode.", + "type": "boolean", + "default": true + } + }, + { + "producer_async_flush_timeout": { + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer", + "default": 1000 + } + }, + { + "producer_async_buffering_limits_messages_in_memory": { + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer", + "default": 50000 + } + }, + { + "custom_fields_by_lua": { + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map", + "values": { + "type": "string", + "len_min": 1 + }, + "description": "Lua code as a key-value map" + } + } + ], + "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "authentication" + ] + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ 
No newline at end of file diff --git a/schemas/kafka-upstream/3.9.x.json b/schemas/kafka-upstream/3.9.x.json new file mode 100644 index 00000000..1229e543 --- /dev/null +++ b/schemas/kafka-upstream/3.9.x.json 
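Review bot: In `schemas/kafka-log/3.9.x.json`, the `mechanism` description lists only `PLAIN` or `SCRAM-SHA-256`, while the `one_of` list right below it also accepts `SCRAM-SHA-512`; the kafka-upstream schema later in this patch already names all three. The sentence should read ``Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.`` Since `security.ssl` is optional and has no default, it would also help to add to the `mechanism` or `password` description that `PLAIN` should only be used with `ssl` enabled, because that mechanism sends the password without protecting it. `keepalive` and `keepalive_enabled` have no description at all here.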
@@ -0,0 +1,302 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set", + "elements": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ], + "type": "record" + } + } + }, + { + "topic": { + "description": "The Kafka topic to publish to.", + "required": true, + "type": "string" + } + }, + { + "timeout": { + "description": "Socket timeout in milliseconds.", + "type": "integer", + "default": 10000 + } + }, + { + "keepalive": { + "description": "Keepalive timeout in milliseconds.", + "type": "integer", + "default": 60000 + } + }, + { + "keepalive_enabled": { + "default": false, + "type": "boolean" + } + }, + { + "authentication": { + "fields": [ + { + "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "required": false, + "type": "string", + "one_of": [ + "sasl" + ] + } + }, + { + "mechanism": { + "description": "The SASL authentication mechanism. 
Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", + "required": false, + "type": "string", + "one_of": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ] + } + }, + { + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication.", + "required": false, + "type": "boolean" + } + }, + { + "user": { + "description": "Username for SASL authentication.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "password": { + "description": "Password for SASL authentication.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + } + ], + "type": "record", + "required": true + } + }, + { + "security": { + "fields": [ + { + "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", + "required": false, + "uuid": true, + "type": "string" + } + }, + { + "ssl": { + "description": "Enables TLS.", + "required": false, + "type": "boolean" + } + } + ], + "type": "record", + "required": true + } + }, + { + "forward_method": { + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean", + "default": false + } + }, + { + "forward_uri": { + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean", + "default": false + } + }, + { + "forward_headers": { + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean", + "default": false + } + }, + { + "forward_body": { + "description": "Include the request body in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean", + "default": true + } + }, + { + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "required": false, + "auto": true, + "type": "string" + } + }, + { + "producer_request_acks": { + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "type": "integer", + "default": 1, + "one_of": [ + -1, + 0, + 1 + ] + } + }, + { + "producer_request_timeout": { + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer", + "default": 2000 + } + }, + { + "producer_request_limits_messages_per_request": { + "description": "Maximum number of messages to include into a single producer request.", + "type": "integer", + "default": 200 + } + }, + { + "producer_request_limits_bytes_per_request": { + "description": "Maximum size of a Produce request in bytes.", + "type": "integer", + "default": 1048576 + } + }, + { + "producer_request_retries_max_attempts": { + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer", + "default": 10 + } + }, + { + "producer_request_retries_backoff_timeout": { + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer", + "default": 100 + } + }, + { + "producer_async": { + "description": "Flag to enable asynchronous mode.", + "type": "boolean", + 
"default": true + } + }, + { + "producer_async_flush_timeout": { + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer", + "default": 1000 + } + }, + { + "producer_async_buffering_limits_messages_in_memory": { + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer", + "default": 50000 + } + } + ], + "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "forward_method", + "forward_uri", + "forward_headers", + "forward_body" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "authentication" + ] + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/key-auth-enc/3.9.x.json b/schemas/key-auth-enc/3.9.x.json new file mode 100644 index 00000000..c141f8db --- /dev/null +++ b/schemas/key-auth-enc/3.9.x.json 
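Review bot: The `mechanism` description under `config.authentication` offers `PLAIN` without mentioning that `user` and `password` are then only protected in transit when `config.security.ssl` is `true`, and `ssl` is declared `required: false` with no default. Nothing visible in this schema ties the two fields together; the logic behind the `custom_entity_check` on `authentication` is not part of the hunk, so it may or may not enforce this. I would append a sentence to the description such as `With PLAIN, enable config.security.ssl so the credentials are not sent in cleartext.` Also, `keepalive_enabled` is the only field in `config` added without a `description`. If this file is downloaded rather than hand-edited, the wording belongs in the plugin's schema source.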
@@ -0,0 +1,118 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "key_names": { + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "required": true, + "elements": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "type": "array", + "default": [ + "apikey" + ] + } + }, + { + "hide_credentials": { + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", + "type": "boolean", + "default": false + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + } + }, + { + "key_in_header": { + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean", + "default": true + } + }, + { + "key_in_query": { + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean", + "default": true + } + }, + { + "key_in_body": { + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean", + "default": false + } + }, + { + "run_on_preflight": { + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean", + "default": true + } + }, + { + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string", + "required": false + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/key-auth/3.9.x.json b/schemas/key-auth/3.9.x.json new file mode 100644 index 00000000..f391803f --- /dev/null +++ b/schemas/key-auth/3.9.x.json 
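Review bot: `key_in_query` defaults to `true` and `hide_credentials` to `false`, but neither description says what those defaults imply. A key accepted from the query string is part of the URL, which commonly ends up in access logs and intermediary caches, and with `hide_credentials` left at `false` the key is also passed on to the upstream service. I would add the caveat to the `key_in_query` description, e.g. `Keys sent in the query string can be recorded in access logs; prefer the header and set this to false where clients allow it.` The same defaults and descriptions appear in `schemas/key-auth/3.9.x.json`.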
@@ -0,0 +1,123 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "key_names": { + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "required": true, + "elements": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "type": "array", + "default": [ + "apikey" + ] + } + }, + { + "hide_credentials": { + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. 
If empty (default null), the request will fail with an authentication failure `4xx`.", + "type": "string" + } + }, + { + "key_in_header": { + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "required": true, + "type": "boolean", + "default": true + } + }, + { + "key_in_query": { + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "required": true, + "type": "boolean", + "default": true + } + }, + { + "key_in_body": { + "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "run_on_preflight": { + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "required": true, + "type": "boolean", + "default": true + } + }, + { + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": false, + "type": "string" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/konnect-application-auth/3.9.x.json b/schemas/konnect-application-auth/3.9.x.json new file mode 100644 index 00000000..3ab638a1 --- /dev/null +++ b/schemas/konnect-application-auth/3.9.x.json 
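Review bot: The `key_in_body` description names the MIME type `application/www-form-urlencoded`, but the registered type is `application/x-www-form-urlencoded`, so the documented value does not match what clients actually send. Suggested text: `Supported MIME types: application/x-www-form-urlencoded, application/json, and multipart/form-data.` The same typo is in the `key_in_body` description of `schemas/key-auth-enc/3.9.x.json`. If these files are downloaded rather than hand-edited, the fix belongs in the plugin's schema source.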
@@ -0,0 +1,3333 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "key_names": { + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "required": true, + "elements": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "type": "array", + "default": [ + "apikey" + ] + } + }, + { + "auth_type": { + "description": "The type of authentication to be performed. 
Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", + "required": true, + "one_of": [ + "openid-connect", + "key-auth", + "v2-strategies" + ], + "type": "string", + "default": "openid-connect" + } + }, + { + "scope": { + "description": "The unique scope identifier for the plugin configuration.", + "unique": true, + "required": true, + "type": "string" + } + }, + { + "v2_strategies": { + "description": "The map of v2 strategies.", + "required": false, + "type": "record", + "fields": [ + { + "key_auth": { + "description": "List of key_auth strategies.", + "required": false, + "type": "array", + "elements": { + "fields": [ + { + "strategy_id": { + "description": "The strategy id the config is tied to.", + "required": true, + "type": "string" + } + }, + { + "config": { + "fields": [ + { + "key_names": { + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "required": true, + "elements": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "type": "array", + "default": [ + "apikey" + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "type": "record" + } + } + }, + { + "openid_connect": { + "description": "List of openid_connect strategies.", + "required": false, + "type": "array", + "elements": { + "fields": [ + { + "strategy_id": { + "description": "The strategy id the config is tied to.", + "required": true, + "type": "string" + } + }, + { + "config": { + "description": "openid-connect plugin configuration.", + "type": "record", + "fields": [ + { + "issuer": { + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "required": true, + "type": "string" + } + }, + { + "using_pseudo_issuer": { + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "discovery_headers_names": { + "description": "Extra header names passed to the discovery endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "discovery_headers_values": { + "description": "Extra header values passed to the discovery endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "extra_jwks_uris": { + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "type": "set", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + } + }, + { + "rediscovery_lifetime": { + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. 
Discovery is still triggered on an as-needed basis.", + "type": "number", + "required": false, + "default": 30 + } + }, + { + "auth_methods": { + "description": "Types of credentials/grants to enable.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "type": "array", + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + } + }, + { + "client_id": { + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "required": false, + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array", + "encrypted": true + } + }, + { + "client_secret": { + "description": "The client secret.", + "required": false, + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array", + "encrypted": true + } + }, + { + "client_auth": { + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + } + }, + { + "client_jwk": { + "description": "The JWK used for the private_key_jwt authentication.", + "type": "array", + "required": false, + "elements": { + "fields": [ + { + 
"issuer": { + "required": false, + "type": "string" + } + }, + { + "kty": { + "required": false, + "type": "string" + } + }, + { + "use": { + "required": false, + "type": "string" + } + }, + { + "key_ops": { + "required": false, + "type": "array", + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "alg": { + "required": false, + "type": "string" + } + }, + { + "kid": { + "required": false, + "type": "string" + } + }, + { + "x5u": { + "required": false, + "type": "string" + } + }, + { + "x5c": { + "required": false, + "type": "array", + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "x5t": { + "required": false, + "type": "string" + } + }, + { + "x5t#S256": { + "required": false, + "type": "string" + } + }, + { + "k": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "x": { + "required": false, + "type": "string" + } + }, + { + "y": { + "required": false, + "type": "string" + } + }, + { + "crv": { + "required": false, + "type": "string" + } + }, + { + "n": { + "required": false, + "type": "string" + } + }, + { + "e": { + "required": false, + "type": "string" + } + }, + { + "d": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "p": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "q": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "dp": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "dq": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "qi": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "oth": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "r": { + "encrypted": true, + "required": 
false, + "type": "string", + "referenceable": true + } + }, + { + "t": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + } + ], + "type": "record", + "required": false + } + } + }, + { + "client_alg": { + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS384", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + } + } + }, + { + "client_arg": { + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "type": "string", + "required": false, + "default": "client_id" + } + }, + { + "redirect_uri": { + "description": "The redirect URI passed to the authorization and token endpoints.", + "type": "array", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + } + }, + { + "login_redirect_uri": { + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "type": "array", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string", + "referenceable": true + } + } + }, + { + "logout_redirect_uri": { + "description": "Where to redirect the client after the logout.", + "type": "array", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string", + "referenceable": true + } + } + }, + { + "forbidden_redirect_uri": { + "description": "Where to redirect the client on forbidden requests.", + "type": "array", + "required": false, + "elements": { + "description": "A string representing a URL, such as 
https://example.com/path/to/resource?q=search.", + "type": "string" + } + } + }, + { + "forbidden_error_message": { + "description": "The error message for the forbidden requests (when not using the redirection).", + "type": "string", + "required": false, + "default": "Forbidden" + } + }, + { + "forbidden_destroy_session": { + "description": "Destroy any active session for the forbidden requests.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "unauthorized_destroy_session": { + "description": "Destroy any active session for the unauthorized requests.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "unauthorized_redirect_uri": { + "description": "Where to redirect the client on unauthorized requests.", + "type": "array", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + } + }, + { + "unauthorized_error_message": { + "description": "The error message for the unauthorized requests (when not using the redirection).", + "type": "string", + "required": false, + "default": "Unauthorized" + } + }, + { + "unexpected_redirect_uri": { + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "type": "array", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + } + }, + { + "response_mode": { + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested 
response type.", + "required": false, + "one_of": [ + "query", + "form_post", + "fragment", + "query.jwt", + "form_post.jwt", + "fragment.jwt", + "jwt" + ], + "type": "string", + "default": "query" + } + }, + { + "response_type": { + "description": "The response type passed to the authorization endpoint.", + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + "code" + ] + } + }, + { + "scopes": { + "description": "The scopes passed to the authorization and token endpoints.", + "required": false, + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array", + "default": [ + "openid" + ] + } + }, + { + "audience": { + "description": "The audience passed to the authorization endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "issuers_allowed": { + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "scopes_required": { + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "scopes_claim": { + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + "scope" + ] + } + }, + { + "audience_required": { + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "audience_claim": { + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + "aud" + ] + } + }, + { + "groups_required": { + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "groups_claim": { + "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + "groups" + ] + } + }, + { + "roles_required": { + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "roles_claim": { + "description": "The claim that contains the roles. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + "roles" + ] + } + }, + { + "domains": { + "description": "The allowed values for the `hd` claim.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "type": "number", + "required": false + } + }, + { + "authenticated_groups_claim": { + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "pushed_authorization_request_endpoint": { + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "pushed_authorization_request_endpoint_auth_method": { + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "require_pushed_authorization_requests": { + "description": "Forcibly enable or disable the pushed authorization requests. 
When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "type": "boolean", + "required": false + } + }, + { + "require_proof_key_for_code_exchange": { + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "type": "boolean", + "required": false + } + }, + { + "require_signed_request_object": { + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "type": "boolean", + "required": false + } + }, + { + "authorization_endpoint": { + "description": "The authorization endpoint. 
If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "authorization_query_args_names": { + "description": "Extra query argument names passed to the authorization endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "authorization_query_args_values": { + "description": "Extra query argument values passed to the authorization endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "authorization_query_args_client": { + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "authorization_rolling_timeout": { + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number", + "required": false, + "default": 600 + } + }, + { + "authorization_cookie_name": { + "description": "The authorization cookie name.", + "type": "string", + "required": false, + "default": "authorization" + } + }, + { + "authorization_cookie_path": { + "description": "The authorization cookie Path flag.", + "required": false, + "starts_with": "/", + "type": "string", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "default": "/" + } + }, + { + "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", + "type": "string", + "required": false + } + }, + { + "authorization_cookie_same_site": { + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "required": false, + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ], + "type": "string", + "default": "Default" + } + 
}, + { + "authorization_cookie_http_only": { + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean", + "required": false + } + }, + { + "preserve_query_args": { + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "token_endpoint": { + "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "token_endpoint_auth_method": { + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "token_headers_names": { + "description": "Extra header names passed to the token endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "token_headers_values": { + "description": "Extra header values passed to the token endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "token_headers_client": { + "description": "Extra headers passed from the client to the token endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, 
+ { + "token_headers_replay": { + "description": "The names of token endpoint response headers to forward to the downstream client.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "type": "string", + "required": false + } + }, + { + "token_headers_grants": { + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token" + ] + } + } + }, + { + "token_post_args_names": { + "description": "Extra post argument names passed to the token endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "token_post_args_values": { + "description": "Extra post argument values passed to the token endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "token_post_args_client": { + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "introspection_endpoint": { + "description": "The introspection endpoint. 
If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "introspection_endpoint_auth_method": { + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "introspection_hint": { + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "type": "string", + "required": false, + "default": "access_token" + } + }, + { + "introspection_check_active": { + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "introspection_accept": { + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "required": false, + "one_of": [ + "application/json", + "application/token-introspection+jwt", + "application/jwt" + ], + "type": "string", + "default": "application/json" + } + }, + { + "introspection_headers_names": { + "description": "Extra header names passed to the introspection endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "introspection_headers_values": { + "description": "Extra header values passed to the introspection endpoint.", + "required": false, + "elements": { + "type": "string", + 
"referenceable": true + }, + "type": "array", + "encrypted": true + } + }, + { + "introspection_headers_client": { + "description": "Extra headers passed from the client to the introspection endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "introspection_post_args_names": { + "description": "Extra post argument names passed to the introspection endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "introspection_post_args_values": { + "description": "Extra post argument values passed to the introspection endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "introspection_post_args_client": { + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "introspect_jwt_tokens": { + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "revocation_endpoint": { + "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "revocation_endpoint_auth_method": { + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "end_session_endpoint": { + "description": "The end session endpoint. 
If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "userinfo_endpoint": { + "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "userinfo_accept": { + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "required": false, + "one_of": [ + "application/json", + "application/jwt" + ], + "type": "string", + "default": "application/json" + } + }, + { + "userinfo_headers_names": { + "description": "Extra header names passed to the user info endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "userinfo_headers_values": { + "description": "Extra header values passed to the user info endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "userinfo_headers_client": { + "description": "Extra headers passed from the client to the user info endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "userinfo_query_args_names": { + "description": "Extra query argument names passed to the user info endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "userinfo_query_args_values": { + "description": "Extra query argument values passed to the user info endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "userinfo_query_args_client": { + "description": "Extra query arguments passed from the client to the user info endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "token_exchange_endpoint": { 
+ "description": "The token exchange endpoint.", + "required": false, + "type": "string" + } + }, + { + "session_secret": { + "description": "The session secret.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "session_audience": { + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "type": "string", + "required": false, + "default": "default" + } + }, + { + "session_cookie_name": { + "description": "The session cookie name.", + "type": "string", + "required": false, + "default": "session" + } + }, + { + "session_remember": { + "description": "Enables or disables persistent sessions.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "session_remember_cookie_name": { + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string", + "required": false, + "default": "remember" + } + }, + { + "session_remember_rolling_timeout": { + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "type": "number", + "required": false, + "default": 604800 + } + }, + { + "session_remember_absolute_timeout": { + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number", + "required": false, + "default": 2592000 + } + }, + { + "session_idling_timeout": { + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "type": "number", + "required": false, + "default": 900 + } + }, + { + "session_rolling_timeout": { + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling.", + "type": "number", + "required": false, + "default": 3600 + } + }, + { + "session_absolute_timeout": { + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number", + "required": false, + "default": 86400 + } + }, + { + "session_cookie_path": { + "description": "The session cookie Path flag.", + "required": false, + "starts_with": "/", + "type": "string", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "default": "/" + } + }, + { + "session_cookie_domain": { + "description": "The session cookie Domain flag.", + "type": "string", + "required": false + } + }, + { + "session_cookie_same_site": { + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "required": false, + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ], + "type": "string", + "default": "Lax" + } + }, + { + "session_cookie_http_only": { + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean", + "required": false + } + }, + { + "session_request_headers": { + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. 
`[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "required": false, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } + } + }, + { + "session_response_headers": { + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "required": false, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } + } + }, + { + "session_storage": { + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "required": false, + "one_of": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "type": "string", + "default": "cookie" + } + }, + { + "session_store_metadata": { + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "session_enforce_same_subject": { + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "session_hash_subject": { + "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "session_hash_storage_key": { + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "type": "string", + "required": false + } + }, + { + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "type": "string", + "required": false + } + }, + { + "session_memcached_host": { + "description": "The memcached host.", + "type": "string", + "required": false, + "default": "127.0.0.1" + } + }, + { + "session_memcached_port": { + "description": "The memcached port.", + "required": false, + "between": [ + 0, + 65535 + ], + "type": "integer", + "default": 11211 + } + }, + { + "redis": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string", + "referenceable": true + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", + "between": [ + 1, + 2147483646 + ], + "default": 256 + } + }, + { + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "ip": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string", + "required": false + } + }, + { + "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer", + "default": 5 + } + }, + { + "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "prefix": { + "description": "The Redis session key prefix.", + "type": "string", + "required": false + } + }, + { + "socket": { + "description": "The Redis unix socket path.", + "type": "string", + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + }, + "then_field": "host" + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "translate_backwards": [ + "connect_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is 
deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } + } + }, + { + "sentinel_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "cluster_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + } + ], + "required": true, + "type": "record" + } + }, + { + "reverify": { + "description": "Specifies whether to always verify tokens stored in the session.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "jwt_session_claim": { + "description": "The claim to match against the JWT session cookie.", + "type": "string", + "required": false, + "default": "sid" + } + }, + { + "jwt_session_cookie": { + "description": "The name of the JWT session cookie.", + "type": "string", + "required": false + } + }, + { + "bearer_token_param_type": { + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "header", + "cookie", + "query", + "body" + ] + }, + "type": "array", + "default": [ + "header", + "query", + "body" + ] + } + }, + { + "bearer_token_cookie_name": { + "description": "The name of the cookie in which the bearer token is passed.", + "type": "string", + "required": false + } + }, + { + "client_credentials_param_type": { + 
"description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "type": "array", + "default": [ + "header", + "query", + "body" + ] + } + }, + { + "password_param_type": { + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "type": "array", + "default": [ + "header", + "query", + "body" + ] + } + }, + { + "id_token_param_type": { + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "type": "array", + "default": [ + "header", + "query", + "body" + ] + } + }, + { + "id_token_param_name": { + "description": "The name of the parameter used to pass the id token.", + "type": "string", + "required": false + } + }, + { + "refresh_token_param_type": { + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "type": "array", + "default": [ + "header", + "query", + "body" + ] + } + }, + { + "refresh_token_param_name": { + "description": "The name of the parameter used to pass the refresh token.", + "type": "string", + "required": false + } + }, + { + "refresh_tokens": { + "description": "Specifies whether the plugin should try to refresh (soon to be) 
expired access tokens if the plugin has a `refresh_token` available.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "upstream_headers_claims": { + "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "upstream_headers_names": { + "description": "The upstream header names for the claim values.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "upstream_access_token_header": { + "description": "The upstream access token header.", + "type": "string", + "required": false, + "default": "authorization:bearer" + } + }, + { + "upstream_access_token_jwk_header": { + "description": "The upstream access token JWK header.", + "type": "string", + "required": false + } + }, + { + "upstream_id_token_header": { + "description": "The upstream id token header.", + "type": "string", + "required": false + } + }, + { + "upstream_id_token_jwk_header": { + "description": "The upstream id token JWK header.", + "type": "string", + "required": false + } + }, + { + "upstream_refresh_token_header": { + "description": "The upstream refresh token header.", + "type": "string", + "required": false + } + }, + { + "upstream_user_info_header": { + "description": "The upstream user info header.", + "type": "string", + "required": false + } + }, + { + "upstream_user_info_jwt_header": { + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "type": "string", + "required": false + } + }, + { + "upstream_introspection_header": { + "description": "The upstream introspection header.", + "type": "string", + "required": false + } + }, + { + "upstream_introspection_jwt_header": { + "description": "The upstream introspection JWT header.", + "type": "string", + "required": false + } + }, + { + 
"upstream_session_id_header": { + "description": "The upstream session id header.", + "type": "string", + "required": false + } + }, + { + "downstream_headers_claims": { + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "downstream_headers_names": { + "description": "The downstream header names for the claim values.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "downstream_access_token_header": { + "description": "The downstream access token header.", + "type": "string", + "required": false + } + }, + { + "downstream_access_token_jwk_header": { + "description": "The downstream access token JWK header.", + "type": "string", + "required": false + } + }, + { + "downstream_id_token_header": { + "description": "The downstream id token header.", + "type": "string", + "required": false + } + }, + { + "downstream_id_token_jwk_header": { + "description": "The downstream id token JWK header.", + "type": "string", + "required": false + } + }, + { + "downstream_refresh_token_header": { + "description": "The downstream refresh token header.", + "type": "string", + "required": false + } + }, + { + "downstream_user_info_header": { + "description": "The downstream user info header.", + "type": "string", + "required": false + } + }, + { + "downstream_user_info_jwt_header": { + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "type": "string", + "required": false + } + }, + { + "downstream_introspection_header": { + "description": "The downstream introspection header.", + "type": "string", + "required": false + } + }, + { + "downstream_introspection_jwt_header": { + "description": "The downstream introspection JWT header.", + "type": "string", + "required": false + } + }, + { + 
"downstream_session_id_header": { + "description": "The downstream session id header.", + "type": "string", + "required": false + } + }, + { + "login_methods": { + "description": "Enable login functionality with specified grants.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "type": "array", + "default": [ + "authorization_code" + ] + } + }, + { + "login_action": { + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "required": false, + "one_of": [ + "upstream", + "response", + "redirect" + ], + "type": "string", + "default": "upstream" + } + }, + { + "login_tokens": { + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "id_token", + "access_token", + "refresh_token", + "tokens", + "introspection" + ] + }, + "type": "array", + "default": [ + "id_token" + ] + } + }, + { + "login_redirect_mode": { + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "required": false, + "one_of": [ + "query", + "fragment" + ], + "type": "string", + "default": "fragment" + } + }, + { + "logout_query_arg": { + "description": "The request query argument that activates the logout.", + "type": "string", + "required": false + } + }, + { + "logout_post_arg": { + "description": 
"The request body argument that activates the logout.", + "type": "string", + "required": false + } + }, + { + "logout_uri_suffix": { + "description": "The request URI suffix that activates the logout.", + "type": "string", + "required": false + } + }, + { + "logout_methods": { + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "POST", + "GET", + "DELETE" + ] + }, + "type": "array", + "default": [ + "POST", + "DELETE" + ] + } + }, + { + "logout_revoke": { + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "logout_revoke_access_token": { + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "logout_revoke_refresh_token": { + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "consumer_claim": { + "description": "The claim used for consumer mapping. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "consumer_by": { + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "type": "array", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "consumer_optional": { + "description": "Do not terminate the request if consumer mapping fails.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "credential_claim": { + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + "sub" + ] + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string", + "required": false + } + }, + { + "run_on_preflight": { + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "leeway": { + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "type": "number", + "required": false, + "default": 0 + } + }, + { + "verify_parameters": { + "description": "Verify plugin configuration against discovery.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "verify_nonce": { + "description": "Verify nonce on authorization code flow.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "verify_claims": { + "description": "Verify tokens for standard claims.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "verify_signature": { + "description": "Verify signature of tokens.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "ignore_signature": { + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token", + "session", + "introspection", + "userinfo" + ] + }, + "type": "array", + "default": [ + + ] + } + }, + { + "enable_hs_signatures": { + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "type": "boolean", + 
"required": false, + "default": false + } + }, + { + "disable_session": { + "description": "Disable issuing the session cookie with the specified grants.", + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + } + } + }, + { + "cache_ttl": { + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "type": "number", + "required": false, + "default": 3600 + } + }, + { + "cache_ttl_max": { + "description": "The maximum cache ttl in seconds (enforced).", + "type": "number", + "required": false + } + }, + { + "cache_ttl_min": { + "description": "The minimum cache ttl in seconds (enforced).", + "type": "number", + "required": false + } + }, + { + "cache_ttl_neg": { + "description": "The negative cache ttl in seconds.", + "type": "number", + "required": false + } + }, + { + "cache_ttl_resurrect": { + "description": "The resurrection ttl in seconds.", + "type": "number", + "required": false + } + }, + { + "cache_tokens": { + "description": "Cache the token endpoint requests.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "cache_tokens_salt": { + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "auto": true, + "type": "string", + "required": false + } + }, + { + "cache_introspection": { + "description": "Cache the introspection endpoint requests.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "cache_token_exchange": { + "description": "Cache the token exchange endpoint requests.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "cache_user_info": { + "description": "Cache the user info requests.", + "type": "boolean", + "required": false, + "default": true + } + }, + 
{ + "search_user_info": { + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "hide_credentials": { + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "http_version": { + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "required": false, + "type": "number", + "default": 1.1 + } + }, + { + "http_proxy": { + "description": "The HTTP proxy.", + "required": false, + "type": "string" + } + }, + { + "http_proxy_authorization": { + "description": "The HTTP proxy authorization.", + "type": "string", + "required": false + } + }, + { + "https_proxy": { + "description": "The HTTPS proxy.", + "required": false, + "type": "string" + } + }, + { + "https_proxy_authorization": { + "description": "The HTTPS proxy authorization.", + "type": "string", + "required": false + } + }, + { + "no_proxy": { + "description": "Do not use proxy with these hosts.", + "type": "string", + "required": false + } + }, + { + "keepalive": { + "description": "Use keepalive with the HTTP client.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "ssl_verify": { + "description": "Verify identity provider server certificate. 
If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "timeout": { + "description": "Network IO timeout in milliseconds.", + "type": "number", + "required": false, + "default": 10000 + } + }, + { + "display_errors": { + "description": "Display errors on failure responses.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "by_username_ignore_case": { + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "resolve_distributed_claims": { + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "expose_error_code": { + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. 
Set to `false` to disable.", + "type": "boolean", + "default": true + } + }, + { + "token_cache_key_include_scope": { + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean", + "default": false + } + }, + { + "introspection_token_param_name": { + "description": "Designate token's parameter name for introspection.", + "type": "string", + "required": false, + "default": "token" + } + }, + { + "revocation_token_param_name": { + "description": "Designate token's parameter name for revocation.", + "type": "string", + "required": false, + "default": "token" + } + }, + { + "proof_of_possession_mtls": { + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", + "required": false, + "one_of": [ + "off", + "strict", + "optional" + ], + "type": "string", + "default": "off" + } + }, + { + "proof_of_possession_auth_methods_validation": { + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. 
If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "tls_client_auth_cert_id": { + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "auto": false, + "type": "string", + "uuid": true, + "required": false + } + }, + { + "tls_client_auth_ssl_verify": { + "description": "Verify identity provider server certificate during mTLS client authentication.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "mtls_token_endpoint": { + "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "mtls_introspection_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "mtls_revocation_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "proof_of_possession_dpop": { + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). 
If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "required": false, + "one_of": [ + "off", + "strict", + "optional" + ], + "type": "string", + "default": "off" + } + }, + { + "dpop_use_nonce": { + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "dpop_proof_lifetime": { + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "type": "number", + "required": false, + "default": 300 + } + }, + { + "claims_forbidden": { + "description": "If given, these claims are forbidden in the token payload.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "cluster_cache_strategy": { + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", + "required": false, + "one_of": [ + "off", + "redis" + ], + "type": "string", + "default": "off" + } + }, + { + "cluster_cache_redis": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string", + "referenceable": true + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low.", + "type": "integer", + "between": [ + 1, + 2147483646 + ], + "default": 256 + } + }, + { + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "ip": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer", + "default": 5 + } + }, + { + "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean", + "default": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } 
+ } + ], + "type": "record", + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "translate_backwards": [ + "connect_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } + } + }, + { + "sentinel_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "cluster_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + } + ], + "required": true + } + } + ] + } + } + ], + "type": "record" + } + } + } + ], + "default": [ + + ] + } + } + ], + "type": "record", + "entity_checks": [ + + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/ldap-auth-advanced/3.9.x.json b/schemas/ldap-auth-advanced/3.9.x.json new file mode 100644 index 00000000..34b7b64a --- /dev/null +++ b/schemas/ldap-auth-advanced/3.9.x.json 
@@ -0,0 +1,243 @@ +{ + "fields": [ + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "ldap_host": { + "description": "Host on which the LDAP server is running.", + "type": "string", + "required": true + } + }, + { + "ldap_password": { + "description": "The password to the LDAP server.", + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "ldap_port": { + "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", + "type": "number", + "default": 389 + } + }, + { + "bind_dn": { + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", + "type": "string", + "referenceable": true + } + }, + { + "ldaps": { + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "start_tls": { + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. 
If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "verify_ldap_host": { + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", + "type": "string", + "required": true + } + }, + { + "attribute": { + "description": "Attribute to be used to search the user; e.g., \"cn\".", + "type": "string", + "required": true + } + }, + { + "cache_ttl": { + "description": "Cache expiry time in seconds.", + "type": "number", + "required": true, + "default": 60 + } + }, + { + "hide_credentials": { + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "type": "boolean", + "default": false + } + }, + { + "timeout": { + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number", + "default": 10000 + } + }, + { + "keepalive": { + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number", + "default": 60000 + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string", + "len_min": 0, + "default": "" + } + }, + { + "header_type": { + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", + "type": "string", + "default": "ldap" + } + }, + { + "consumer_optional": { + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "consumer_by": { + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "username", + "custom_id" + ] + }, + "type": "array", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "group_base_dn": { + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", + "type": "string" + } + }, + { + "group_name_attribute": { + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", + "type": "string" + } + }, + { + "group_member_attribute": { + "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive.", + "type": "string", + "default": "memberOf" + } + }, + { + "log_search_results": { + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. 
Not recommended to be enabled in a production environment.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "groups_required": { + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string", + "required": false + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/ldap-auth/3.9.x.json b/schemas/ldap-auth/3.9.x.json new file mode 100644 index 00000000..109c2af9 --- /dev/null +++ b/schemas/ldap-auth/3.9.x.json 
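Review bot: In `config`, the fields `ldaps`, `start_tls` and `verify_ldap_host` all default to `false`, so a configuration that sets only the required fields appears to bind over plain LDAP on port 389 without verifying the server, and none of the descriptions says so. The `verify_ldap_host` description should end with a sentence such as `With the default false the server certificate is not verified; set this to true together with ldaps or start_tls.` Two descriptions also need wording fixes: `ldaps` refers to an `ldap` setting where `ldaps` seems to be meant, and `group_base_dn` ends in the stray fragment `',dc=com'.`. The same defaults and the same `ldap` wording are in the schemas/ldap-auth/3.9.x.json hunk that follows; since these files are pulled from the API, the corrections would have to land in the upstream schema source.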
@@ -0,0 +1,178 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "ldap_host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "ldap_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "between": [ + 0, + 65535 + ], + "type": "integer", + "default": 389 + } + }, + { + "ldaps": { + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "start_tls": { + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "verify_ldap_host": { + "description": "Set to `true` to authenticate LDAP server. 
The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", + "required": true, + "type": "string" + } + }, + { + "attribute": { + "description": "Attribute to be used to search the user; e.g. cn", + "required": true, + "type": "string" + } + }, + { + "cache_ttl": { + "description": "Cache expiry time in seconds.", + "required": true, + "type": "number", + "default": 60 + } + }, + { + "hide_credentials": { + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "timeout": { + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number", + "default": 10000 + } + }, + { + "keepalive": { + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number", + "default": 60000 + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. 
If empty (default null), the request fails with an authentication failure `4xx`.", + "type": "string" + } + }, + { + "header_type": { + "description": "An optional string to use as part of the Authorization header", + "type": "string", + "default": "ldap" + } + }, + { + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": false, + "type": "string" + } + } + ], + "type": "record", + "entity_checks": [ + { + "conditional": { + "then_field": "start_tls", + "if_field": "ldaps", + "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", + "if_match": { + "eq": true + }, + "then_match": { + "eq": false + } + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/loggly/3.9.x.json b/schemas/loggly/3.9.x.json new file mode 100644 index 00000000..a9bae72c --- /dev/null +++ b/schemas/loggly/3.9.x.json 
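Review bot: With the defaults in this schema (`ldaps: false`, `start_tls: false`, `verify_ldap_host: false`) the plugin reaches the directory without TLS, and turning TLS on still leaves the server certificate unverified unless `verify_ldap_host` is also set; none of the three descriptions says so. The `ldaps` description also reads "If the `ldap` setting is enabled", which should be `ldaps`. It says port 636 must be used, while `ldap_port` defaults to 389 and the only entity check ties `ldaps` to `start_tls`. I would end the `verify_ldap_host` description with `Defaults to false, so a TLS connection to the LDAP server is not authenticated unless this is enabled.` If these files are downloaded rather than hand-edited, the wording belongs in the plugin's schema source.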
@@ -0,0 +1,173 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing protocols.", + "required": true, + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string", + "default": "logs-01.loggly.com" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 514 + } + }, + { + "key": { + "referenceable": true, + "required": true, + "type": "string", + "encrypted": true + } + }, + { + "tags": { + "type": "set", + "default": [ + "kong" + ], + "elements": { + "type": "string" + } + } + }, + { + "log_level": { + "type": "string", + "default": "info", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "successful_severity": { + "type": "string", + "default": "info", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "client_errors_severity": { + "type": "string", + "default": "info", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "server_errors_severity": { + "type": "string", + "default": "info", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + 
"timeout": { + "default": 10000, + "type": "number" + } + }, + { + "custom_fields_by_lua": { + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map", + "values": { + "type": "string", + "len_min": 1 + }, + "description": "Lua code as a key-value map" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/mocking/3.9.x.json b/schemas/mocking/3.9.x.json new file mode 100644 index 00000000..1901c745 --- /dev/null +++ b/schemas/mocking/3.9.x.json 
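Review bot: `custom_fields_by_lua` is described only as "Lua code as a key-value map", which does not tell an operator that the values are code the gateway will evaluate. Anyone who can edit this plugin's configuration can therefore supply Lua, so the field deserves the same access control as other code-bearing settings; how it is sandboxed is not visible here and should be stated. Suggested description, to be confirmed against the plugin: `Lua code as a key-value map: each key is a log field name and each value is Lua code whose return value is written to that field.` `key`, `tags`, `log_level`, the three `*_severity` fields and `timeout` have no description, and `timeout` carries no unit.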
@@ -0,0 +1,131 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "api_specification_filename": { + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", + "required": false, + "type": "string" + } + }, + { + "api_specification": { + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", + "required": false, + "type": "string" + } + }, + { + "random_delay": { + "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs.", + "type": "boolean", + "default": false + } + }, + { + "max_delay_time": { + "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", + "type": "number", + "default": 1 + } + }, + { + "min_delay_time": { + "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. 
The value must be less than the `max_delay_time`.", + "type": "number", + "default": 0.001 + } + }, + { + "random_examples": { + "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", + "type": "boolean", + "default": false + } + }, + { + "included_status_codes": { + "description": "A global list of the HTTP status codes that can only be selected and returned.", + "type": "array", + "elements": { + "type": "integer" + } + } + }, + { + "random_status_code": { + "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "include_base_path": { + "description": "Indicates whether to include the base path when performing path match evaluation.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "custom_base_path": { + "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", + "required": false, + "starts_with": "/", + "type": "string", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.api_specification_filename", + "config.api_specification" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/mtls-auth/3.9.x.json b/schemas/mtls-auth/3.9.x.json new file mode 100644 index 00000000..8def91e2 --- /dev/null +++ b/schemas/mtls-auth/3.9.x.json 
@@ -0,0 +1,210 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + } + }, + { + "consumer_by": { + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "username", + "custom_id" + ] + }, + "type": "array", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "ca_certificates": { + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. 
The value of this array is comprised of primary keys (`id`).", + "required": true, + "type": "array", + "elements": { + "type": "string", + "uuid": true + } + } + }, + { + "cache_ttl": { + "description": "Cache expiry time in seconds.", + "required": true, + "type": "number", + "default": 60 + } + }, + { + "skip_consumer_lookup": { + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "allow_partial_chain": { + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "authenticated_group_by": { + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "required": false, + "one_of": [ + "CN", + "DN" + ], + "type": "string", + "default": "CN" + } + }, + { + "revocation_check_mode": { + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. 
If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "required": false, + "one_of": [ + "SKIP", + "IGNORE_CA_ERROR", + "STRICT" + ], + "type": "string", + "default": "IGNORE_CA_ERROR" + } + }, + { + "http_timeout": { + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number", + "default": 30000 + } + }, + { + "cert_cache_ttl": { + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", + "type": "number", + "default": 60000 + } + }, + { + "send_ca_dn": { + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", + "type": "boolean", + "default": false + } + }, + { + "default_consumer": { + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + } + }, + { + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + } + ], + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], + "required": true + } + } + ], + "entity_checks": 
[ + + ] +} \ No newline at end of file diff --git a/schemas/oas-validation/3.9.x.json b/schemas/oas-validation/3.9.x.json new file mode 100644 index 00000000..307e1a6d --- /dev/null +++ b/schemas/oas-validation/3.9.x.json 
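Review bot: `revocation_check_mode` defaults to `IGNORE_CA_ERROR`, which by its own description "doesn't fail on network issues", so a certificate whose OCSP responder or CRL cannot be reached is treated as valid; the description should state that fail-open consequence. I would append `With IGNORE_CA_ERROR a revoked certificate is still accepted whenever the OCSP responder or CRL cannot be reached; use STRICT to fail closed.` Separately, `cache_ttl` is in seconds while `cert_cache_ttl` and `http_timeout` are in milliseconds, which is easy to misconfigure because the key names carry no unit.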
@@ -0,0 +1,170 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "api_spec": { + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format.", + "required": true, + "type": "string" + } + }, + { + "verbose_response": { + "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "validate_request_body": { + "description": "If set to true, validates the request body content against the API specification.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "notify_only_request_validation_failure": { + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "validate_request_header_params": { + "description": "If set to true, validates HTTP header parameters against the API specification.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "validate_request_query_params": { + "description": "If set to true, validates query parameters against the API specification.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "validate_request_uri_params": { + 
"description": "If set to true, validates URI parameters in the request against the API specification.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "validate_response_body": { + "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "notify_only_response_body_validation_failure": { + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "query_parameter_check": { + "description": "If set to true, checks if query parameters in the request exist in the API specification.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "header_parameter_check": { + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "allowed_header_parameters": { + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. 
For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", + "type": "string", + "required": false, + "default": "Host,Content-Type,User-Agent,Accept,Content-Length" + } + }, + { + "include_base_path": { + "description": "Indicates whether to include the base path when performing path match evaluation.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "api_spec_encoded": { + "description": "Indicates whether the api_spec is URI-Encoded.", + "type": "boolean", + "required": true, + "default": true + } + }, + { + "custom_base_path": { + "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", + "required": false, + "starts_with": "/", + "type": "string", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/oauth2-introspection/3.9.x.json b/schemas/oauth2-introspection/3.9.x.json new file mode 100644 index 00000000..95956e5b --- /dev/null +++ b/schemas/oauth2-introspection/3.9.x.json 
@@ -0,0 +1,167 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "introspection_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": true, + "type": "string" + } + }, + { + "ttl": { + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", + "type": "number", + "default": 30 + } + }, + { + "token_type_hint": { + "description": "The `token_type_hint` value to associate to introspection requests.", + "type": "string" + } + }, + { + "authorization_value": { + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. 
This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", + "required": true, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "timeout": { + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "integer", + "default": 10000 + } + }, + { + "keepalive": { + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "integer", + "default": 60000 + } + }, + { + "introspect_request": { + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "hide_credentials": { + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request.", + "type": "boolean", + "default": false + } + }, + { + "run_on_preflight": { + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean", + "default": true + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "len_min": 0, + "type": "string", + "default": "" + } + }, + { + "consumer_by": { + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", + "required": true, + "one_of": [ + "username", + "client_id" + ], + "type": "string", + "default": "username" + } + }, + { + "custom_introspection_headers": { + "description": "A list of custom headers to be added in the introspection request.", + "required": true, + "values": { + "type": "string" + }, + "keys": { + "type": "string" + }, + "type": "map", + "default": [ + + ] + } + }, + { + "custom_claims_forward": { + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", + "required": true, + "elements": { + "type": "string" + }, + "type": "set", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/oauth2/3.9.x.json b/schemas/oauth2/3.9.x.json new file mode 100644 index 00000000..4ae42794 --- /dev/null +++ b/schemas/oauth2/3.9.x.json 
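Review bot: `introspection_url` is constrained only as `"type": "string"` with a generic URL description, yet `authorization_value` (usually the Base64 `client_id`/`client_secret` pair, per its own description) is sent to it, together with the token being introspected. The description should tell operators to use an `https://` endpoint; any scheme validation that may exist is not visible in this schema. Suggested wording: `The URL of the introspection endpoint. Use https, because the Authorization value and the token under inspection are sent to it.` Also, `custom_introspection_headers` is a `map` whose `default` is serialised as an empty array `[ ]`; a consumer of this file would expect `{}`.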
@@ -0,0 +1,221 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "scopes": { + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "mandatory_scope": { + "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "provision_key": { + "description": "The unique key the plugin has generated when it has been added to the Service.", + "required": true, + "unique": true, + "type": "string", + "auto": true, + "encrypted": true + } + }, + { + "token_expiration": { + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. 
Set to `0` to disable the expiration.", + "required": true, + "type": "number", + "default": 7200 + } + }, + { + "enable_authorization_code": { + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "enable_implicit_grant": { + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "enable_client_credentials": { + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "enable_password_grant": { + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "hide_credentials": { + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "accept_http_if_already_terminated": { + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + } + }, + { + "global_credentials": { + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", + "required": true, + "type": "boolean", + "default": false + 
} + }, + { + "auth_header_name": { + "description": "The name of the header that is supposed to carry the access token.", + "type": "string", + "default": "authorization" + } + }, + { + "refresh_token_ttl": { + "description": "Time-to-live value for data", + "required": true, + "between": [ + 0, + 100000000 + ], + "type": "number", + "default": 1209600 + } + }, + { + "reuse_refresh_token": { + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "persistent_refresh_token": { + "type": "boolean", + "required": true, + "default": false + } + }, + { + "pkce": { + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", + "required": false, + "one_of": [ + "none", + "lax", + "strict" + ], + "type": "string", + "default": "lax" + } + }, + { + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": false, + "type": "string" + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "mandatory_scope", + "if_match": { + "eq": true + }, + "then_field": "scopes", + "then_match": { + "required": true + } + } + } + ], + "required": true, + "type": "record" + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/opa/3.9.x.json b/schemas/opa/3.9.x.json new file mode 100644 index 00000000..e23d2064 --- /dev/null +++ b/schemas/opa/3.9.x.json 
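Review bot: The four grant-flow descriptions (`enable_authorization_code`, `enable_implicit_grant`, `enable_client_credentials`, `enable_password_grant`) cite "RFC 6742", but the OAuth 2.0 framework whose sections 4.1 to 4.4 define these grants is RFC 6749; the references should read, for example, `(RFC 6749 Section 4.1)`. `persistent_refresh_token` has no description at all. `accept_http_if_already_terminated` does not say which signal marks a request as already TLS-terminated, which an operator needs to know before enabling it behind a proxy or load balancer.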
@@ -0,0 +1,147 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "opa_protocol": { + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", + "type": "string", + "default": "http", + "one_of": [ + "http", + "https" + ] + } + }, + { + "opa_host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "localhost" + } + }, + { + "opa_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "between": [ + 0, + 65535 + ], + "type": "integer", + "default": 8181 + } + }, + { + "opa_path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "required": true, + "starts_with": "/", + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." 
+ } + }, + { + "include_service_in_opa_input": { + "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", + "type": "boolean", + "default": false + } + }, + { + "include_route_in_opa_input": { + "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", + "type": "boolean", + "default": false + } + }, + { + "include_consumer_in_opa_input": { + "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", + "type": "boolean", + "default": false + } + }, + { + "include_body_in_opa_input": { + "type": "boolean", + "default": false + } + }, + { + "include_parsed_json_body_in_opa_input": { + "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", + "type": "boolean", + "default": false + } + }, + { + "include_uri_captures_in_opa_input": { + "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "type": "boolean", + "required": true, + "default": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/openid-connect/3.9.x.json b/schemas/openid-connect/3.9.x.json new file mode 100644 index 00000000..de68751a --- /dev/null +++ b/schemas/openid-connect/3.9.x.json 
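Review bot: In `schemas/opa/3.9.x.json`, `include_body_in_opa_input` is the only `include_*` field under `config.fields` added without a `description`, so the rendered reference will say nothing about the option that forwards the request body to OPA. A line such as `"description": "If set to true, the raw body of the current request is included as input to OPA."` would match its siblings; that wording is inferred from the neighbouring fields and should be confirmed against the plugin. Separately, `opa_protocol` defaults to `http` while `ssl_verify` defaults to `true`, and the `ssl_verify` description does not say that verification presumably only takes effect once `opa_protocol` is set to `https`. With the default `opa_host` of `localhost` that is harmless, but a reader pointing the plugin at a remote OPA could take `ssl_verify: true` as meaning the connection is protected. Since this file is pulled from the API, both fixes likely belong in the upstream schema rather than in this copy.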
@@ -0,0 +1,3676 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "issuer": { + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "required": true, + "type": "string" + } + }, + { + "using_pseudo_issuer": { + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "discovery_headers_names": { + "description": "Extra header names passed to the discovery endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "discovery_headers_values": { + "description": "Extra header values passed to the discovery endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "extra_jwks_uris": { + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "type": "set", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + } + }, + { + "rediscovery_lifetime": { + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. 
Discovery is still triggered on an as-needed basis.", + "type": "number", + "required": false, + "default": 30 + } + }, + { + "auth_methods": { + "description": "Types of credentials/grants to enable.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "type": "array", + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + } + }, + { + "client_id": { + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "required": false, + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array", + "encrypted": true + } + }, + { + "client_secret": { + "description": "The client secret.", + "required": false, + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array", + "encrypted": true + } + }, + { + "client_auth": { + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + } + }, + { + "client_jwk": { + "description": "The JWK used for the private_key_jwt authentication.", + "type": "array", + "required": false, + "elements": { + "fields": [ + { + 
"issuer": { + "required": false, + "type": "string" + } + }, + { + "kty": { + "required": false, + "type": "string" + } + }, + { + "use": { + "required": false, + "type": "string" + } + }, + { + "key_ops": { + "required": false, + "type": "array", + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "alg": { + "required": false, + "type": "string" + } + }, + { + "kid": { + "required": false, + "type": "string" + } + }, + { + "x5u": { + "required": false, + "type": "string" + } + }, + { + "x5c": { + "required": false, + "type": "array", + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "x5t": { + "required": false, + "type": "string" + } + }, + { + "x5t#S256": { + "required": false, + "type": "string" + } + }, + { + "k": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "x": { + "required": false, + "type": "string" + } + }, + { + "y": { + "required": false, + "type": "string" + } + }, + { + "crv": { + "required": false, + "type": "string" + } + }, + { + "n": { + "required": false, + "type": "string" + } + }, + { + "e": { + "required": false, + "type": "string" + } + }, + { + "d": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "p": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "q": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "dp": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "dq": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "qi": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "oth": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "r": { + "encrypted": true, + "required": 
false, + "type": "string", + "referenceable": true + } + }, + { + "t": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + } + ], + "type": "record", + "required": false + } + } + }, + { + "client_alg": { + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS384", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + } + } + }, + { + "client_arg": { + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "type": "string", + "required": false, + "default": "client_id" + } + }, + { + "redirect_uri": { + "description": "The redirect URI passed to the authorization and token endpoints.", + "type": "array", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + } + }, + { + "login_redirect_uri": { + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "type": "array", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string", + "referenceable": true + } + } + }, + { + "logout_redirect_uri": { + "description": "Where to redirect the client after the logout.", + "type": "array", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string", + "referenceable": true + } + } + }, + { + "forbidden_redirect_uri": { + "description": "Where to redirect the client on forbidden requests.", + "type": "array", + "required": false, + "elements": { + "description": "A string representing a URL, such as 
https://example.com/path/to/resource?q=search.", + "type": "string" + } + } + }, + { + "forbidden_error_message": { + "description": "The error message for the forbidden requests (when not using the redirection).", + "type": "string", + "required": false, + "default": "Forbidden" + } + }, + { + "forbidden_destroy_session": { + "description": "Destroy any active session for the forbidden requests.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "unauthorized_destroy_session": { + "description": "Destroy any active session for the unauthorized requests.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "unauthorized_redirect_uri": { + "description": "Where to redirect the client on unauthorized requests.", + "type": "array", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + } + }, + { + "unauthorized_error_message": { + "description": "The error message for the unauthorized requests (when not using the redirection).", + "type": "string", + "required": false, + "default": "Unauthorized" + } + }, + { + "unexpected_redirect_uri": { + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "type": "array", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + } + }, + { + "response_mode": { + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested 
response type.", + "required": false, + "one_of": [ + "query", + "form_post", + "fragment", + "query.jwt", + "form_post.jwt", + "fragment.jwt", + "jwt" + ], + "type": "string", + "default": "query" + } + }, + { + "response_type": { + "description": "The response type passed to the authorization endpoint.", + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + "code" + ] + } + }, + { + "scopes": { + "description": "The scopes passed to the authorization and token endpoints.", + "required": false, + "elements": { + "type": "string", + "referenceable": true + }, + "type": "array", + "default": [ + "openid" + ] + } + }, + { + "audience": { + "description": "The audience passed to the authorization endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "issuers_allowed": { + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "scopes_required": { + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "scopes_claim": { + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + "scope" + ] + } + }, + { + "audience_required": { + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "audience_claim": { + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + "aud" + ] + } + }, + { + "groups_required": { + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "groups_claim": { + "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + "groups" + ] + } + }, + { + "roles_required": { + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "roles_claim": { + "description": "The claim that contains the roles. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + "roles" + ] + } + }, + { + "domains": { + "description": "The allowed values for the `hd` claim.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "type": "number", + "required": false + } + }, + { + "authenticated_groups_claim": { + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "pushed_authorization_request_endpoint": { + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "pushed_authorization_request_endpoint_auth_method": { + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "require_pushed_authorization_requests": { + "description": "Forcibly enable or disable the pushed authorization requests. 
When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "type": "boolean", + "required": false + } + }, + { + "require_proof_key_for_code_exchange": { + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "type": "boolean", + "required": false + } + }, + { + "require_signed_request_object": { + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "type": "boolean", + "required": false + } + }, + { + "authorization_endpoint": { + "description": "The authorization endpoint. 
If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "authorization_query_args_names": { + "description": "Extra query argument names passed to the authorization endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "authorization_query_args_values": { + "description": "Extra query argument values passed to the authorization endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "authorization_query_args_client": { + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "authorization_rolling_timeout": { + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number", + "required": false, + "default": 600 + } + }, + { + "authorization_cookie_name": { + "description": "The authorization cookie name.", + "type": "string", + "required": false, + "default": "authorization" + } + }, + { + "authorization_cookie_path": { + "description": "The authorization cookie Path flag.", + "required": false, + "starts_with": "/", + "type": "string", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "default": "/" + } + }, + { + "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", + "type": "string", + "required": false + } + }, + { + "authorization_cookie_same_site": { + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "required": false, + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ], + "type": "string", + "default": "Default" + } + 
}, + { + "authorization_cookie_http_only": { + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean", + "required": false + } + }, + { + "preserve_query_args": { + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "token_endpoint": { + "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "token_endpoint_auth_method": { + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "token_headers_names": { + "description": "Extra header names passed to the token endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "token_headers_values": { + "description": "Extra header values passed to the token endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "token_headers_client": { + "description": "Extra headers passed from the client to the token endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, 
+ { + "token_headers_replay": { + "description": "The names of token endpoint response headers to forward to the downstream client.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "type": "string", + "required": false + } + }, + { + "token_headers_grants": { + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token" + ] + } + } + }, + { + "token_post_args_names": { + "description": "Extra post argument names passed to the token endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "token_post_args_values": { + "description": "Extra post argument values passed to the token endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "token_post_args_client": { + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "introspection_endpoint": { + "description": "The introspection endpoint. 
If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "introspection_endpoint_auth_method": { + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "introspection_hint": { + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "type": "string", + "required": false, + "default": "access_token" + } + }, + { + "introspection_check_active": { + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "introspection_accept": { + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "required": false, + "one_of": [ + "application/json", + "application/token-introspection+jwt", + "application/jwt" + ], + "type": "string", + "default": "application/json" + } + }, + { + "introspection_headers_names": { + "description": "Extra header names passed to the introspection endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "introspection_headers_values": { + "description": "Extra header values passed to the introspection endpoint.", + "required": false, + "elements": { + "type": "string", + 
"referenceable": true + }, + "type": "array", + "encrypted": true + } + }, + { + "introspection_headers_client": { + "description": "Extra headers passed from the client to the introspection endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "introspection_post_args_names": { + "description": "Extra post argument names passed to the introspection endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "introspection_post_args_values": { + "description": "Extra post argument values passed to the introspection endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "introspection_post_args_client": { + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "introspect_jwt_tokens": { + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "revocation_endpoint": { + "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "revocation_endpoint_auth_method": { + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "end_session_endpoint": { + "description": "The end session endpoint. 
If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "userinfo_endpoint": { + "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "userinfo_accept": { + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "required": false, + "one_of": [ + "application/json", + "application/jwt" + ], + "type": "string", + "default": "application/json" + } + }, + { + "userinfo_headers_names": { + "description": "Extra header names passed to the user info endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "userinfo_headers_values": { + "description": "Extra header values passed to the user info endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "userinfo_headers_client": { + "description": "Extra headers passed from the client to the user info endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "userinfo_query_args_names": { + "description": "Extra query argument names passed to the user info endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "userinfo_query_args_values": { + "description": "Extra query argument values passed to the user info endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "userinfo_query_args_client": { + "description": "Extra query arguments passed from the client to the user info endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "token_exchange_endpoint": { 
+ "description": "The token exchange endpoint.", + "required": false, + "type": "string" + } + }, + { + "session_secret": { + "description": "The session secret.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "session_audience": { + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "type": "string", + "required": false, + "default": "default" + } + }, + { + "session_cookie_name": { + "description": "The session cookie name.", + "type": "string", + "required": false, + "default": "session" + } + }, + { + "session_remember": { + "description": "Enables or disables persistent sessions.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "session_remember_cookie_name": { + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string", + "required": false, + "default": "remember" + } + }, + { + "session_remember_rolling_timeout": { + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "type": "number", + "required": false, + "default": 604800 + } + }, + { + "session_remember_absolute_timeout": { + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number", + "required": false, + "default": 2592000 + } + }, + { + "session_idling_timeout": { + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "type": "number", + "required": false, + "default": 900 + } + }, + { + "session_rolling_timeout": { + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling.", + "type": "number", + "required": false, + "default": 3600 + } + }, + { + "session_absolute_timeout": { + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number", + "required": false, + "default": 86400 + } + }, + { + "session_cookie_path": { + "description": "The session cookie Path flag.", + "required": false, + "starts_with": "/", + "type": "string", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "default": "/" + } + }, + { + "session_cookie_domain": { + "description": "The session cookie Domain flag.", + "type": "string", + "required": false + } + }, + { + "session_cookie_same_site": { + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "required": false, + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ], + "type": "string", + "default": "Lax" + } + }, + { + "session_cookie_http_only": { + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean", + "required": false + } + }, + { + "session_request_headers": { + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. 
`[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "required": false, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } + } + }, + { + "session_response_headers": { + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "required": false, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } + } + }, + { + "session_storage": { + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "required": false, + "one_of": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "type": "string", + "default": "cookie" + } + }, + { + "session_store_metadata": { + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "session_enforce_same_subject": { + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "session_hash_subject": { + "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "session_hash_storage_key": { + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "type": "string", + "required": false + } + }, + { + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "type": "string", + "required": false + } + }, + { + "session_memcached_host": { + "description": "The memcached host.", + "type": "string", + "required": false, + "default": "127.0.0.1" + } + }, + { + "session_memcached_port": { + "description": "The memcached port.", + "required": false, + "between": [ + 0, + 65535 + ], + "type": "integer", + "default": 11211 + } + }, + { + "redis": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string", + "referenceable": true + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", + "between": [ + 1, + 2147483646 + ], + "default": 256 + } + }, + { + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "ip": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string", + "required": false + } + }, + { + "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer", + "default": 5 + } + }, + { + "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "prefix": { + "description": "The Redis session key prefix.", + "type": "string", + "required": false + } + }, + { + "socket": { + "description": "The Redis unix socket path.", + "type": "string", + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + }, + "then_field": "host" + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "translate_backwards": [ + "connect_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is 
deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } + } + }, + { + "sentinel_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "cluster_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + } + ], + "required": true, + "type": "record" + } + }, + { + "reverify": { + "description": "Specifies whether to always verify tokens stored in the session.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "jwt_session_claim": { + "description": "The claim to match against the JWT session cookie.", + "type": "string", + "required": false, + "default": "sid" + } + }, + { + "jwt_session_cookie": { + "description": "The name of the JWT session cookie.", + "type": "string", + "required": false + } + }, + { + "bearer_token_param_type": { + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "header", + "cookie", + "query", + "body" + ] + }, + "type": "array", + "default": [ + "header", + "query", + "body" + ] + } + }, + { + "bearer_token_cookie_name": { + "description": "The name of the cookie in which the bearer token is passed.", + "type": "string", + "required": false + } + }, + { + "client_credentials_param_type": { + 
"description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "type": "array", + "default": [ + "header", + "query", + "body" + ] + } + }, + { + "password_param_type": { + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "type": "array", + "default": [ + "header", + "query", + "body" + ] + } + }, + { + "id_token_param_type": { + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "type": "array", + "default": [ + "header", + "query", + "body" + ] + } + }, + { + "id_token_param_name": { + "description": "The name of the parameter used to pass the id token.", + "type": "string", + "required": false + } + }, + { + "refresh_token_param_type": { + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + }, + "type": "array", + "default": [ + "header", + "query", + "body" + ] + } + }, + { + "refresh_token_param_name": { + "description": "The name of the parameter used to pass the refresh token.", + "type": "string", + "required": false + } + }, + { + "refresh_tokens": { + "description": "Specifies whether the plugin should try to refresh (soon to be) 
expired access tokens if the plugin has a `refresh_token` available.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "upstream_headers_claims": { + "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "upstream_headers_names": { + "description": "The upstream header names for the claim values.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "upstream_access_token_header": { + "description": "The upstream access token header.", + "type": "string", + "required": false, + "default": "authorization:bearer" + } + }, + { + "upstream_access_token_jwk_header": { + "description": "The upstream access token JWK header.", + "type": "string", + "required": false + } + }, + { + "upstream_id_token_header": { + "description": "The upstream id token header.", + "type": "string", + "required": false + } + }, + { + "upstream_id_token_jwk_header": { + "description": "The upstream id token JWK header.", + "type": "string", + "required": false + } + }, + { + "upstream_refresh_token_header": { + "description": "The upstream refresh token header.", + "type": "string", + "required": false + } + }, + { + "upstream_user_info_header": { + "description": "The upstream user info header.", + "type": "string", + "required": false + } + }, + { + "upstream_user_info_jwt_header": { + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "type": "string", + "required": false + } + }, + { + "upstream_introspection_header": { + "description": "The upstream introspection header.", + "type": "string", + "required": false + } + }, + { + "upstream_introspection_jwt_header": { + "description": "The upstream introspection JWT header.", + "type": "string", + "required": false + } + }, + { + 
"upstream_session_id_header": { + "description": "The upstream session id header.", + "type": "string", + "required": false + } + }, + { + "downstream_headers_claims": { + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "downstream_headers_names": { + "description": "The downstream header names for the claim values.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "downstream_access_token_header": { + "description": "The downstream access token header.", + "type": "string", + "required": false + } + }, + { + "downstream_access_token_jwk_header": { + "description": "The downstream access token JWK header.", + "type": "string", + "required": false + } + }, + { + "downstream_id_token_header": { + "description": "The downstream id token header.", + "type": "string", + "required": false + } + }, + { + "downstream_id_token_jwk_header": { + "description": "The downstream id token JWK header.", + "type": "string", + "required": false + } + }, + { + "downstream_refresh_token_header": { + "description": "The downstream refresh token header.", + "type": "string", + "required": false + } + }, + { + "downstream_user_info_header": { + "description": "The downstream user info header.", + "type": "string", + "required": false + } + }, + { + "downstream_user_info_jwt_header": { + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "type": "string", + "required": false + } + }, + { + "downstream_introspection_header": { + "description": "The downstream introspection header.", + "type": "string", + "required": false + } + }, + { + "downstream_introspection_jwt_header": { + "description": "The downstream introspection JWT header.", + "type": "string", + "required": false + } + }, + { + 
"downstream_session_id_header": { + "description": "The downstream session id header.", + "type": "string", + "required": false + } + }, + { + "login_methods": { + "description": "Enable login functionality with specified grants.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "type": "array", + "default": [ + "authorization_code" + ] + } + }, + { + "login_action": { + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "required": false, + "one_of": [ + "upstream", + "response", + "redirect" + ], + "type": "string", + "default": "upstream" + } + }, + { + "login_tokens": { + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "id_token", + "access_token", + "refresh_token", + "tokens", + "introspection" + ] + }, + "type": "array", + "default": [ + "id_token" + ] + } + }, + { + "login_redirect_mode": { + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "required": false, + "one_of": [ + "query", + "fragment" + ], + "type": "string", + "default": "fragment" + } + }, + { + "logout_query_arg": { + "description": "The request query argument that activates the logout.", + "type": "string", + "required": false + } + }, + { + "logout_post_arg": { + "description": 
"The request body argument that activates the logout.", + "type": "string", + "required": false + } + }, + { + "logout_uri_suffix": { + "description": "The request URI suffix that activates the logout.", + "type": "string", + "required": false + } + }, + { + "logout_methods": { + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "POST", + "GET", + "DELETE" + ] + }, + "type": "array", + "default": [ + "POST", + "DELETE" + ] + } + }, + { + "logout_revoke": { + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "logout_revoke_access_token": { + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "logout_revoke_refresh_token": { + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "consumer_claim": { + "description": "The claim used for consumer mapping. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "consumer_by": { + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "type": "array", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "consumer_optional": { + "description": "Do not terminate the request if consumer mapping fails.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "credential_claim": { + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + "sub" + ] + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string", + "required": false + } + }, + { + "run_on_preflight": { + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "leeway": { + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "type": "number", + "required": false, + "default": 0 + } + }, + { + "verify_parameters": { + "description": "Verify plugin configuration against discovery.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "verify_nonce": { + "description": "Verify nonce on authorization code flow.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "verify_claims": { + "description": "Verify tokens for standard claims.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "verify_signature": { + "description": "Verify signature of tokens.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "ignore_signature": { + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token", + "session", + "introspection", + "userinfo" + ] + }, + "type": "array", + "default": [ + + ] + } + }, + { + "enable_hs_signatures": { + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "type": "boolean", + 
"required": false, + "default": false + } + }, + { + "disable_session": { + "description": "Disable issuing the session cookie with the specified grants.", + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + } + } + }, + { + "cache_ttl": { + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "type": "number", + "required": false, + "default": 3600 + } + }, + { + "cache_ttl_max": { + "description": "The maximum cache ttl in seconds (enforced).", + "type": "number", + "required": false + } + }, + { + "cache_ttl_min": { + "description": "The minimum cache ttl in seconds (enforced).", + "type": "number", + "required": false + } + }, + { + "cache_ttl_neg": { + "description": "The negative cache ttl in seconds.", + "type": "number", + "required": false + } + }, + { + "cache_ttl_resurrect": { + "description": "The resurrection ttl in seconds.", + "type": "number", + "required": false + } + }, + { + "cache_tokens": { + "description": "Cache the token endpoint requests.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "cache_tokens_salt": { + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "auto": true, + "type": "string", + "required": false + } + }, + { + "cache_introspection": { + "description": "Cache the introspection endpoint requests.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "cache_token_exchange": { + "description": "Cache the token exchange endpoint requests.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "cache_user_info": { + "description": "Cache the user info requests.", + "type": "boolean", + "required": false, + "default": true + } + }, + 
{ + "search_user_info": { + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "hide_credentials": { + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "http_version": { + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "required": false, + "type": "number", + "default": 1.1 + } + }, + { + "http_proxy": { + "description": "The HTTP proxy.", + "required": false, + "type": "string" + } + }, + { + "http_proxy_authorization": { + "description": "The HTTP proxy authorization.", + "type": "string", + "required": false + } + }, + { + "https_proxy": { + "description": "The HTTPS proxy.", + "required": false, + "type": "string" + } + }, + { + "https_proxy_authorization": { + "description": "The HTTPS proxy authorization.", + "type": "string", + "required": false + } + }, + { + "no_proxy": { + "description": "Do not use proxy with these hosts.", + "type": "string", + "required": false + } + }, + { + "keepalive": { + "description": "Use keepalive with the HTTP client.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "ssl_verify": { + "description": "Verify identity provider server certificate. 
If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "timeout": { + "description": "Network IO timeout in milliseconds.", + "type": "number", + "required": false, + "default": 10000 + } + }, + { + "display_errors": { + "description": "Display errors on failure responses.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "by_username_ignore_case": { + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "resolve_distributed_claims": { + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "expose_error_code": { + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. 
Set to `false` to disable.", + "type": "boolean", + "default": true + } + }, + { + "token_cache_key_include_scope": { + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean", + "default": false + } + }, + { + "introspection_token_param_name": { + "description": "Designate token's parameter name for introspection.", + "type": "string", + "required": false, + "default": "token" + } + }, + { + "revocation_token_param_name": { + "description": "Designate token's parameter name for revocation.", + "type": "string", + "required": false, + "default": "token" + } + }, + { + "proof_of_possession_mtls": { + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", + "required": false, + "one_of": [ + "off", + "strict", + "optional" + ], + "type": "string", + "default": "off" + } + }, + { + "proof_of_possession_auth_methods_validation": { + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. 
If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "tls_client_auth_cert_id": { + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "auto": false, + "type": "string", + "uuid": true, + "required": false + } + }, + { + "tls_client_auth_ssl_verify": { + "description": "Verify identity provider server certificate during mTLS client authentication.", + "type": "boolean", + "required": false, + "default": true + } + }, + { + "mtls_token_endpoint": { + "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "mtls_introspection_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "mtls_revocation_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "proof_of_possession_dpop": { + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). 
If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "required": false, + "one_of": [ + "off", + "strict", + "optional" + ], + "type": "string", + "default": "off" + } + }, + { + "dpop_use_nonce": { + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "dpop_proof_lifetime": { + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "type": "number", + "required": false, + "default": 300 + } + }, + { + "claims_forbidden": { + "description": "If given, these claims are forbidden in the token payload.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "cluster_cache_strategy": { + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", + "required": false, + "one_of": [ + "off", + "redis" + ], + "type": "string", + "default": "off" + } + }, + { + "cluster_cache_redis": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string", + "referenceable": true + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low.", + "type": "integer", + "between": [ + 1, + 2147483646 + ], + "default": 256 + } + }, + { + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "ip": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer", + "default": 5 + } + }, + { + "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean", + "default": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } 
+ } + ], + "type": "record", + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "translate_backwards": [ + "connect_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } + } + }, + { + "sentinel_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "cluster_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + } + ], + "required": true + } + } + ], + "required": true, + "shorthand_fields": [ + { + "authorization_cookie_lifetime": { + "deprecation": { + "message": "openid-connect: config.authorization_cookie_lifetime is deprecated, please use config.authorization_rolling_timeout instead", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "authorization_cookie_samesite": { + "deprecation": { + "message": "openid-connect: config.authorization_cookie_samesite is deprecated, please use config.authorization_cookie_same_site instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "authorization_cookie_httponly": { + "deprecation": { + "message": "openid-connect: config.authorization_cookie_httponly is deprecated, please use config.authorization_cookie_http_only instead", + "removal_in_version": "4.0" + }, + "type": "boolean" + } + }, + { + 
"session_cookie_lifetime": { + "deprecation": { + "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_cookie_idletime": { + "deprecation": { + "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_cookie_samesite": { + "deprecation": { + "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_cookie_httponly": { + "deprecation": { + "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead", + "removal_in_version": "4.0" + }, + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "deprecation": { + "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_memcache_socket": { + "deprecation": { + "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_memcache_host": { + "deprecation": { + "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_memcache_port": { + "deprecation": { + "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead", + "removal_in_version": "4.0" + }, + "type": "integer" + } + }, + { + "session_cookie_renew": { + "deprecation": { 
+ "message": "openid-connect: config.session_cookie_renew option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "deprecation": { + "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "integer" + } + }, + { + "session_strategy": { + "deprecation": { + "message": "openid-connect: config.session_strategy option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_compressor": { + "deprecation": { + "message": "openid-connect: config.session_compressor option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_redis_prefix": { + "type": "string", + "translate_backwards": [ + "redis", + "prefix" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "prefix" + ] + } + ], + "message": "openid-connect: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_socket": { + "type": "string", + "translate_backwards": [ + "redis", + "socket" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "socket" + ] + } + ], + "message": "openid-connect: config.session_redis_socket is deprecated, please use config.redis.socket instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_host": { + "type": "string", + "translate_backwards": [ + "redis", + "host" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } + ], + "message": "openid-connect: config.session_redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_port": { + "type": "integer", + "translate_backwards": [ + "redis", + "port" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + 
], + "message": "openid-connect: config.session_redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_username": { + "type": "string", + "translate_backwards": [ + "redis", + "username" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ], + "message": "openid-connect: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_password": { + "type": "string", + "translate_backwards": [ + "redis", + "password" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ], + "message": "openid-connect: config.session_redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_connect_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + "connect_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "connect_timeout" + ] + } + ], + "message": "openid-connect: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_read_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + "read_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "read_timeout" + ] + } + ], + "message": "openid-connect: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_send_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + "send_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "send_timeout" + ] + } + ], + "message": "openid-connect: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", + 
"removal_in_version": "4.0" + } + } + }, + { + "session_redis_ssl": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ], + "message": "openid-connect: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_ssl_verify": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl_verify" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ], + "message": "openid-connect: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_server_name": { + "type": "string", + "translate_backwards": [ + "redis", + "server_name" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ], + "message": "openid-connect: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_cluster_nodes": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "cluster_nodes" + ] + } + ], + "message": "openid-connect: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "translate_backwards": [ + "redis", + "cluster_nodes" + ], + "elements": { + "fields": [ + { + "ip": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + } + } + }, + { + "session_redis_cluster_max_redirections": { + "type": 
"integer", + "translate_backwards": [ + "redis", + "cluster_max_redirections" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "cluster_max_redirections" + ] + } + ], + "message": "openid-connect: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0" + } + } + } + ], + "type": "record" + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/opentelemetry/3.9.x.json b/schemas/opentelemetry/3.9.x.json new file mode 100644 index 00000000..a847aca4 --- /dev/null +++ b/schemas/opentelemetry/3.9.x.json 
@@ -0,0 +1,367 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "traces_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string", + "referenceable": true + } + }, + { + "logs_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string", + "referenceable": true + } + }, + { + "headers": { + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. 
This setting is useful for adding the authentication headers (token) for the APM backend.", + "type": "map", + "values": { + "referenceable": true, + "type": "string" + }, + "keys": { + "description": "A string representing an HTTP header name.", + "type": "string" + } + } + }, + { + "resource_attributes": { + "keys": { + "required": true, + "type": "string" + }, + "type": "map", + "values": { + "required": true, + "type": "string" + } + } + }, + { + "queue": { + "fields": [ + { + "max_batch_size": { + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", + "between": [ + 1, + 1000000 + ], + "default": 1 + } + }, + { + "max_coalescing_delay": { + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", + "between": [ + 0, + 3600 + ], + "default": 1 + } + }, + { + "max_entries": { + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", + "between": [ + 1, + 1000000 + ], + "default": 10000 + } + }, + { + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + } + }, + { + "max_retry_time": { + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number", + "default": 60 + } + }, + { + "initial_retry_delay": { + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", + "between": [ + 0.001, + 1000000 + ], + "default": 0.01 + } + }, + { + "max_retry_delay": { + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", + "between": [ + 0.001, + 1000000 + ], + "default": 60 + } + }, + { + "concurrency_limit": { + "description": "The number of of queue delivery timers. 
-1 indicates unlimited.", + "type": "integer", + "default": 1, + "one_of": [ + -1, + 1 + ] + } + } + ], + "type": "record", + "required": true, + "default": { + "max_batch_size": 200 + } + } + }, + { + "batch_span_count": { + "description": "The number of spans to be sent in a single batch.", + "type": "integer", + "deprecation": { + "old_default": 200, + "message": "opentelemetry: config.batch_span_count is deprecated, please use config.queue.max_batch_size instead", + "removal_in_version": "4.0" + } + } + }, + { + "batch_flush_delay": { + "description": "The delay, in seconds, between two consecutive batches.", + "type": "integer", + "deprecation": { + "old_default": 3, + "message": "opentelemetry: config.batch_flush_delay is deprecated, please use config.queue.max_coalescing_delay instead", + "removal_in_version": "4.0" + } + } + }, + { + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 1000 + } + }, + { + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 5000 + } + }, + { + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 5000 + } + }, + { + "http_response_header_for_traceid": { + "type": "string" + } + }, + { + "header_type": { + "required": false, + "one_of": [ + "preserve", + "ignore", + "b3", + "b3-single", + "w3c", + "jaeger", + "ot", + "aws", + "gcp", + "datadog" + ], + "type": "string", + "deprecation": { + "old_default": "preserve", + "message": "opentelemetry: config.header_type is deprecated, please use config.propagation options instead", + "removal_in_version": "4.0" + }, + "default": "preserve" + } + }, + { + "sampling_rate": { + "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", + "type": "number", + "between": [ + 0, + 1 + ], + "required": false + } + }, + { + "propagation": { + "fields": [ + { + "extract": { + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "gcp", + "jaeger", + "aws", + "ot", + "w3c", + "datadog", + "b3" + ] + } + } + }, + { + "clear": { + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "inject": { + "description": "Header formats used to inject tracing context. 
The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "preserve", + "gcp", + "b3-single", + "jaeger", + "aws", + "ot", + "w3c", + "datadog", + "b3" + ] + } + } + }, + { + "default_format": { + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "type": "string", + "required": true, + "one_of": [ + "gcp", + "b3-single", + "jaeger", + "aws", + "ot", + "w3c", + "datadog", + "b3" + ] + } + } + ], + "type": "record", + "required": true, + "default": { + "default_format": "w3c" + } + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "traces_endpoint", + "logs_endpoint" + ] + } + ], + "type": "record", + "shorthand_fields": [ + { + "endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string", + "referenceable": true, + "deprecation": { + "message": "OpenTelemetry: config.endpoint is deprecated, please use config.traces_endpoint instead", + "removal_in_version": "4.0" + } + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/post-function/3.9.x.json b/schemas/post-function/3.9.x.json new file mode 100644 index 00000000..80a53552 --- /dev/null +++ b/schemas/post-function/3.9.x.json 
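Review bot: The `headers` map under `config` is described as carrying the authentication token for the APM backend, but its `values` entry declares only `"referenceable": true` and `"type": "string"`. A token typed in literally is therefore presumably kept in plain text in the gateway's datastore and returned by the API, whereas the Redis `password` fields in the openid-connect schema of this same patch set also carry `"encrypted": true`. If the schema language accepts it on map values, I would declare `"values": { "referenceable": true, "encrypted": true, "type": "string" }`, and extend the description to say that secrets should be supplied as vault references. The file is an API export, so the change belongs in the plugin's source schema rather than in this JSON. Separately, `resource_attributes` and `http_response_header_for_traceid` have no `description` at all.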
@@ -0,0 +1,228 @@ +{ + "fields": [ + { + "protocols": { + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": false, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "description": "A set of strings representing protocols.", + "required": true, + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "certificate": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "rewrite": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "access": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "header_filter": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "body_filter": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "log": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "required": 
false, + "type": "string" + } + } + }, + { + "ws_handshake": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "ws_client_frame": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "ws_upstream_frame": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "ws_close": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "required": false, + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/pre-function/3.9.x.json b/schemas/pre-function/3.9.x.json new file mode 100644 index 00000000..80a53552 --- /dev/null +++ b/schemas/pre-function/3.9.x.json 
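Review bot: The top-level `fields` array of schemas/post-function/3.9.x.json declares `protocols` twice with conflicting definitions. The first entry is `"required": false` and lists `ws`/`wss` in both `one_of` and `default`; the second is `"required": true`, adds `tcp`, `tls`, `tls_passthrough` and `udp`, and defaults to the four HTTP/gRPC values. A consumer that indexes fields by name will silently keep only one of them, so the allowed protocols it shows or validates may be wrong; schemas/pre-function/3.9.x.json has the same duplication. Separately, none of the `config` arrays (`certificate`, `rewrite`, `access`, … `ws_close`) has a `description`, and each accepts arbitrary strings. If these strings are code the plugin runs in the named phase, as the field names suggest, each entry should say so, e.g. `"description": "Lua code to run during the access phase; anyone able to write this field can execute code in the gateway."`.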
@@ -0,0 +1,228 @@ +{ + "fields": [ + { + "protocols": { + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": false, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + } + }, + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "description": "A set of strings representing protocols.", + "required": true, + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "certificate": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "rewrite": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "access": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "header_filter": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "body_filter": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "log": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "required": 
false, + "type": "string" + } + } + }, + { + "ws_handshake": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "ws_client_frame": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "ws_upstream_frame": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "ws_close": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "required": false, + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ] +} \ No newline at end of file diff --git a/schemas/prometheus/3.9.x.json b/schemas/prometheus/3.9.x.json new file mode 100644 index 00000000..8a193072 --- /dev/null +++ b/schemas/prometheus/3.9.x.json 
@@ -0,0 +1,94 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing protocols.", + "required": true, + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "per_consumer": { + "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", + "type": "boolean", + "default": false + } + }, + { + "status_code_metrics": { + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", + "type": "boolean", + "default": false + } + }, + { + "ai_metrics": { + "description": "A boolean value that determines if ai metrics should be collected. If enabled, the `ai_llm_requests_total`, `ai_llm_cost_total` and `ai_llm_tokens_total` metrics will be exported.", + "type": "boolean", + "default": false + } + }, + { + "latency_metrics": { + "description": "A boolean value that determines if latency metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", + "type": "boolean", + "default": false + } + }, + { + "bandwidth_metrics": { + "description": "A boolean value that determines if bandwidth metrics should be collected. 
If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", + "type": "boolean", + "default": false + } + }, + { + "upstream_health_metrics": { + "description": "A boolean value that determines if upstream metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", + "type": "boolean", + "default": false + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/proxy-cache-advanced/3.9.x.json b/schemas/proxy-cache-advanced/3.9.x.json new file mode 100644 index 00000000..30b3682b --- /dev/null +++ b/schemas/proxy-cache-advanced/3.9.x.json 
@@ -0,0 +1,610 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "response_code": { + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", + "required": true, + "elements": { + "between": [ + 100, + 900 + ], + "type": "integer" + }, + "type": "array", + "len_min": 1, + "default": [ + 200, + 301, + 404 + ] + } + }, + { + "request_method": { + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "HEAD", + "GET", + "POST", + "PATCH", + "PUT" + ] + }, + "type": "array", + "default": [ + "GET", + "HEAD" + ] + } + }, + { + "content_type": { + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", + "required": true, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + "text/plain", + "application/json" + ] + } + }, + { + "cache_ttl": { + "description": "TTL in seconds of cache entities.", + "type": "integer", + "gt": 0, + "default": 300 + } + }, + { + "strategy": { + "description": "The backing data store in which to hold cache entities. 
Accepted values are: `memory` and `redis`.", + "required": true, + "type": "string", + "one_of": [ + "memory", + "redis" + ] + } + }, + { + "cache_control": { + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "ignore_uri_case": { + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "storage_ttl": { + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" + } + }, + { + "memory": { + "fields": [ + { + "dictionary_name": { + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "required": true, + "type": "string", + "default": "kong_db_cache" + } + } + ], + "type": "record", + "required": true + } + }, + { + "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "vary_headers": { + "description": "Relevant headers considered for the cache key. 
If undefined, none of the headers are taken into consideration.", + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "response_headers": { + "description": "Caching related diagnostic headers that should be included in cached responses", + "type": "record", + "fields": [ + { + "age": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Status": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Key": { + "default": true, + "type": "boolean" + } + } + ], + "required": true + } + }, + { + "redis": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string", + "referenceable": true + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", + "between": [ + 1, + 2147483646 + ], + "default": 256 + } + }, + { + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "ip": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer", + "default": 5 + } + }, + { + "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean", + "default": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "translate_backwards": [ + "connect_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } + } + }, + { + "sentinel_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + 
"sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "cluster_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + } + ], + "required": true + } + }, + { + "bypass_on_err": { + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "type": "boolean", + "default": false + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/proxy-cache/3.9.x.json b/schemas/proxy-cache/3.9.x.json new file mode 100644 index 00000000..6bc799e6 --- /dev/null +++ b/schemas/proxy-cache/3.9.x.json 
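Review bot: In the `redis` record of schemas/proxy-cache-advanced/3.9.x.json, `ssl` and `ssl_verify` both default to `false`, and the `ssl` description does not say that enabling it alone leaves the server certificate unvalidated. Because `password` and `sentinel_password` are used on this connection, the description should point to the companion setting, e.g. `"description": "If set to true, uses SSL to connect to Redis. The server certificate is only validated when ssl_verify is also true."`. The `ip` field under `cluster_nodes` also reuses the host-name text ("A string representing a host name, such as example.com."), which does not match the field name. The same `redis` block appears again in schemas/rate-limiting-advanced/3.9.x.json, whose hunk continues past the visible part of the page.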
@@ -0,0 +1,205 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing protocols.", + "required": true, + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "response_code": { + "description": "Upstream response status code considered cacheable.", + "required": true, + "elements": { + "between": [ + 100, + 900 + ], + "type": "integer" + }, + "type": "array", + "len_min": 1, + "default": [ + 200, + 301, + 404 + ] + } + }, + { + "request_method": { + "description": "Downstream request methods considered cacheable.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "HEAD", + "GET", + "POST", + "PATCH", + "PUT" + ] + }, + "type": "array", + "default": [ + "GET", + "HEAD" + ] + } + }, + { + "content_type": { + "description": "Upstream response content types considered cacheable. 
The plugin performs an **exact match** against each specified value.", + "required": true, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + "text/plain", + "application/json" + ] + } + }, + { + "cache_ttl": { + "description": "TTL, in seconds, of cache entities.", + "type": "integer", + "gt": 0, + "default": 300 + } + }, + { + "strategy": { + "description": "The backing data store in which to hold cache entities.", + "required": true, + "type": "string", + "one_of": [ + "memory" + ] + } + }, + { + "cache_control": { + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "ignore_uri_case": { + "type": "boolean", + "required": false, + "default": false + } + }, + { + "storage_ttl": { + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" + } + }, + { + "memory": { + "fields": [ + { + "dictionary_name": { + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "required": true, + "type": "string", + "default": "kong_db_cache" + } + } + ], + "type": "record", + "required": true + } + }, + { + "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "vary_headers": { + "description": "Relevant headers considered for the cache key. 
If undefined, none of the headers are taken into consideration.", + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "response_headers": { + "description": "Caching related diagnostic headers that should be included in cached responses", + "type": "record", + "fields": [ + { + "age": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Status": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Key": { + "default": true, + "type": "boolean" + } + } + ], + "required": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/rate-limiting-advanced/3.9.x.json b/schemas/rate-limiting-advanced/3.9.x.json new file mode 100644 index 00000000..7df38f70 --- /dev/null +++ b/schemas/rate-limiting-advanced/3.9.x.json 
@@ -0,0 +1,600 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "identifier": { + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "required": true, + "one_of": [ + "ip", + "credential", + "consumer", + "service", + "header", + "path", + "consumer-group" + ], + "type": "string", + "default": "consumer" + } + }, + { + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "required": true, + "type": "array", + "elements": { + "type": "number" + } + } + }, + { + "window_type": { + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "type": "string", + "default": "sliding", + "one_of": [ + "fixed", + "sliding" + ] + } + }, + { + "limit": { + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "required": true, + "type": "array", + "elements": { + "type": "number" + } + } + }, + { + "sync_rate": { + "description": "How often to sync counter data to the central data store. 
A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + } + }, + { + "namespace": { + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", + "auto": true, + "type": "string", + "required": true + } + }, + { + "strategy": { + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "required": true, + "one_of": [ + "cluster", + "redis", + "local" + ], + "type": "string", + "default": "local" + } + }, + { + "dictionary_name": { + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "type": "string", + "required": true, + "default": "kong_rate_limiting_counters" + } + }, + { + "hide_client_headers": { + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean", + "default": false + } + }, + { + "retry_after_jitter_max": { + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. 
The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number", + "default": 0 + } + }, + { + "header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + } + }, + { + "path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "type": "string", + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + } + }, + { + "redis": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string", + "referenceable": true + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", + "between": [ + 1, + 2147483646 + ], + "default": 256 + } + }, + { + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "ip": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer", + "default": 5 + } + }, + { + "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean", + "default": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "translate_backwards": [ + "connect_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } + } + }, + { + "sentinel_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + 
"sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "cluster_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + } + ], + "required": true + } + }, + { + "enforce_consumer_groups": { + "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", + "type": "boolean", + "default": false + } + }, + { + "consumer_groups": { + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "disable_penalty": { + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. 
This parameter only affects the `sliding` window_type.", + "type": "boolean", + "default": false + } + }, + { + "error_code": { + "description": "Set a custom error code to return when the rate limit is exceeded.", + "type": "number", + "gt": 0, + "default": 429 + } + }, + { + "error_message": { + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string", + "default": "API rate limit exceeded" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/rate-limiting/3.9.x.json b/schemas/rate-limiting/3.9.x.json new file mode 100644 index 00000000..b98f28df --- /dev/null +++ b/schemas/rate-limiting/3.9.x.json 
@@ -0,0 +1,510 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "second": { + "description": "The number of HTTP requests that can be made per second.", + "type": "number", + "gt": 0 + } + }, + { + "minute": { + "description": "The number of HTTP requests that can be made per minute.", + "type": "number", + "gt": 0 + } + }, + { + "hour": { + "description": "The number of HTTP requests that can be made per hour.", + "type": "number", + "gt": 0 + } + }, + { + "day": { + "description": "The number of HTTP requests that can be made per day.", + "type": "number", + "gt": 0 + } + }, + { + "month": { + "description": "The number of HTTP requests that can be made per month.", + "type": "number", + "gt": 0 + } + }, + { + "year": { + "description": "The number of HTTP requests that can be made per year.", + "type": "number", + "gt": 0 + } + }, + { + "limit_by": { + "description": "The entity that is used when aggregating the limits.", + "type": "string", + "default": "consumer", + "one_of": [ + "consumer", + "credential", + "ip", + "service", + "header", + "path", + "consumer-group" + ] + } + }, + { + "header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + } + }, + { + "path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "type": "string", + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." 
+ } + }, + { + "policy": { + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "len_min": 0, + "one_of": [ + "local", + "cluster", + "redis" + ], + "type": "string", + "default": "local" + } + }, + { + "fault_tolerant": { + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", + "required": true, + "type": "boolean", + "default": true + } + }, + { + "redis": { + "description": "Redis configuration", + "type": "record", + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + }, + { + "timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "len_min": 0, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer", + "default": 0 + } + }, + { + "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + } + ], + "required": true + } + }, + { + "hide_client_headers": { + "description": "Optionally hide informative response headers.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "error_code": { + "description": "Set a custom error code to return when the rate limit is exceeded.", + "type": "number", + "gt": 0, + "default": 429 + } + }, + { + "error_message": { + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string", + "default": "API rate limit exceeded" + } + }, + { + "sync_rate": { + "description": "How often to sync counter data to the central data store. 
A value of -1 results in synchronous behavior.", + "required": true, + "type": "number", + "default": -1 + } + } + ], + "required": true, + "shorthand_fields": [ + { + "redis_host": { + "type": "string", + "translate_backwards": [ + "redis", + "host" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } + ], + "message": "rate-limiting: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_port": { + "type": "integer", + "translate_backwards": [ + "redis", + "port" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ], + "message": "rate-limiting: config.redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_password": { + "len_min": 0, + "type": "string", + "translate_backwards": [ + "redis", + "password" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ], + "message": "rate-limiting: config.redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_username": { + "type": "string", + "translate_backwards": [ + "redis", + "username" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ], + "message": "rate-limiting: config.redis_username is deprecated, please use config.redis.username instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_ssl": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ], + "message": "rate-limiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_ssl_verify": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl_verify" + ], + "deprecation": { + "replaced_with": [ + 
{ + "path": [ + "redis", + "ssl_verify" + ] + } + ], + "message": "rate-limiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_server_name": { + "type": "string", + "translate_backwards": [ + "redis", + "server_name" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ], + "message": "rate-limiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + "timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "timeout" + ] + } + ], + "message": "rate-limiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_database": { + "type": "integer", + "translate_backwards": [ + "redis", + "database" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "database" + ] + } + ], + "message": "rate-limiting: config.redis_database is deprecated, please use config.redis.database instead", + "removal_in_version": "4.0" + } + } + } + ], + "type": "record" + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.second", + "config.minute", + "config.hour", + "config.day", + "config.month", + "config.year" + ] + }, + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.host", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.port", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.timeout", + "then_match": { + "required": true + } + } + }, + 
{ + "conditional": { + "if_field": "config.limit_by", + "if_match": { + "eq": "header" + }, + "then_field": "config.header_name", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.limit_by", + "if_match": { + "eq": "path" + }, + "then_field": "config.path", + "then_match": { + "required": true + } + } + } + ] +} \ No newline at end of file diff --git a/schemas/request-size-limiting/3.9.x.json b/schemas/request-size-limiting/3.9.x.json new file mode 100644 index 00000000..669041e4 --- /dev/null +++ b/schemas/request-size-limiting/3.9.x.json 
@@ -0,0 +1,73 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "allowed_payload_size": { + "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", + "type": "integer", + "default": 128 + } + }, + { + "size_unit": { + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", + "required": true, + "one_of": [ + "megabytes", + "kilobytes", + "bytes" + ], + "type": "string", + "default": "megabytes" + } + }, + { + "require_content_length": { + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", + "type": "boolean", + "required": true, + "default": false + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/request-termination/3.9.x.json b/schemas/request-termination/3.9.x.json new file mode 100644 index 00000000..e06de3dc --- /dev/null +++ b/schemas/request-termination/3.9.x.json 
@@ -0,0 +1,81 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "status_code": { + "description": "The response code to send. Must be an integer between 100 and 599.", + "required": true, + "between": [ + 100, + 599 + ], + "type": "integer", + "default": 503 + } + }, + { + "message": { + "description": "The message to send, if using the default response generator.", + "type": "string" + } + }, + { + "content_type": { + "description": "Content type of the raw response configured with `config.body`.", + "type": "string" + } + }, + { + "body": { + "description": "The raw response body to send. This is mutually exclusive with the `config.message` field.", + "type": "string" + } + }, + { + "echo": { + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "trigger": { + "description": "A string representing an HTTP header name.", + "type": "string" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/request-transformer-advanced/3.9.x.json b/schemas/request-transformer-advanced/3.9.x.json new file mode 100644 index 00000000..fa602888 --- /dev/null +++ b/schemas/request-transformer-advanced/3.9.x.json 
@@ -0,0 +1,337 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", + "type": "string", + "match": "^%u+$" + } + }, + { + "remove": { + "fields": [ + { + "body": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string" + } + } + }, + { + "headers": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string" + } + } + }, + { + "querystring": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "rename": { + "fields": [ + { + "body": { + "type": "array", + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + } + } + }, + { + "headers": { + "type": "array", + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + } + } + }, + { + "querystring": { + "type": "array", + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "replace": { + "fields": [ + { + "body": { + "type": "array", + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + } + } + }, + { + "headers": { + "type": "array", + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + } + } + }, + { + "querystring": { + "type": "array", + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + } + } + }, + { + "json_types": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string", + 
"one_of": [ + "boolean", + "number", + "string" + ] + } + } + }, + { + "uri": { + "type": "string" + } + } + ], + "type": "record", + "required": true + } + }, + { + "add": { + "fields": [ + { + "body": { + "type": "array", + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + } + } + }, + { + "headers": { + "type": "array", + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + } + } + }, + { + "querystring": { + "type": "array", + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + } + } + }, + { + "json_types": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "append": { + "fields": [ + { + "body": { + "type": "array", + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + } + } + }, + { + "headers": { + "type": "array", + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + } + } + }, + { + "querystring": { + "type": "array", + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + } + } + }, + { + "json_types": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "allow": { + "fields": [ + { + "body": { + "type": "set", + "elements": { + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "dots_in_keys": { + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. 
See [Arrays and nested objects](#arrays-and-nested-objects).", + "type": "boolean", + "default": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/request-transformer/3.9.x.json b/schemas/request-transformer/3.9.x.json new file mode 100644 index 00000000..e6220243 --- /dev/null +++ b/schemas/request-transformer/3.9.x.json 
@@ -0,0 +1,280 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing protocols.", + "required": true, + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", + "type": "string", + "match": "^%u+$" + } + }, + { + "remove": { + "fields": [ + { + "body": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "type": "string" + } + } + }, + { + "headers": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "type": "string" + } + } + }, + { + "querystring": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "rename": { + "fields": [ + { + "body": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "type": "string" + } + } + }, + { + "headers": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } + } + }, + { + "querystring": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "replace": { + "fields": [ + { + "body": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "type": "string" + } + } + }, + { + "headers": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } + } + }, + { + 
"querystring": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "type": "string" + } + } + }, + { + "uri": { + "type": "string" + } + } + ], + "type": "record", + "required": true + } + }, + { + "add": { + "fields": [ + { + "body": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "type": "string" + } + } + }, + { + "headers": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } + } + }, + { + "querystring": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "append": { + "fields": [ + { + "body": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "type": "string" + } + } + }, + { + "headers": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } + } + }, + { + "querystring": { + "default": [ + + ], + "type": "array", + "required": true, + "elements": { + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/request-validator/3.9.x.json b/schemas/request-validator/3.9.x.json new file mode 100644 index 00000000..c334e59e --- /dev/null +++ b/schemas/request-validator/3.9.x.json 
@@ -0,0 +1,189 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "body_schema": { + "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.", + "required": false, + "type": "string" + } + }, + { + "allowed_content_types": { + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", + "type": "set", + "default": [ + "application/json" + ], + "elements": { + "required": true, + "type": "string" + } + } + }, + { + "version": { + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", + "required": true, + "one_of": [ + "kong", + "draft4" + ], + "type": "string", + "default": "kong" + } + }, + { + "parameter_schema": { + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", + "type": "array", + "required": false, + "elements": { + "fields": [ + { + "in": { + "description": "The location of the parameter.", + "type": "string", + "required": true, + "one_of": [ + "query", + "header", + "path" + ] + } + }, + { + "name": { + "description": "The name of the parameter. Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. 
If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`.", + "required": true, + "type": "string" + } + }, + { + "required": { + "description": "Determines whether this parameter is mandatory.", + "required": true, + "type": "boolean" + } + }, + { + "style": { + "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", + "type": "string", + "one_of": [ + "label", + "form", + "matrix", + "simple", + "spaceDelimited", + "pipeDelimited", + "deepObject" + ] + } + }, + { + "explode": { + "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect.", + "type": "boolean" + } + }, + { + "schema": { + "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. 
In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating.", + "type": "string" + } + } + ], + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "style", + "explode", + "schema" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "style", + "in" + ] + } + } + ] + } + } + }, + { + "verbose_response": { + "description": "If enabled, the plugin returns more verbose and detailed validation errors.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "content_type_parameter_validation": { + "description": "Determines whether to enable parameters validation of request content-type.", + "type": "boolean", + "required": true, + "default": true + } + } + ], + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "body_schema", + "parameter_schema" + ] + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/response-ratelimiting/3.9.x.json b/schemas/response-ratelimiting/3.9.x.json new file mode 100644 index 00000000..e443ef90 --- /dev/null +++ b/schemas/response-ratelimiting/3.9.x.json 
@@ -0,0 +1,475 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "header_name": { + "description": "The name of the response header used to increment the counters.", + "type": "string", + "default": "x-kong-limit" + } + }, + { + "limit_by": { + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", + "type": "string", + "default": "consumer", + "one_of": [ + "consumer", + "credential", + "ip" + ] + } + }, + { + "policy": { + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "type": "string", + "default": "local", + "one_of": [ + "local", + "cluster", + "redis" + ] + } + }, + { + "fault_tolerant": { + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. 
If `false`, then the clients will see `500` errors.", + "required": true, + "type": "boolean", + "default": true + } + }, + { + "redis": { + "description": "Redis configuration", + "type": "record", + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + }, + { + "timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "len_min": 0, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer", + "default": 0 + } + }, + { + "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean", + "required": false, + "default": false + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + } + ], + "required": true + } + }, + { + "block_on_first_violation": { + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "hide_client_headers": { + "description": "Optionally hide informative response headers.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "limits": { + "description": "A map that defines rate limits for the plugin.", + "len_min": 1, + "values": { + "fields": [ + { + "second": { + "gt": 0, + "type": "number" + } + }, + { + "minute": { + "gt": 0, + "type": "number" + } + }, + { + "hour": { + "gt": 0, + "type": "number" + } + }, + { + "day": { + "gt": 0, + "type": "number" + } + }, + { + "month": { + "gt": 0, + "type": "number" + } + }, + { + "year": { + "gt": 0, + "type": "number" + } + } + ], + "required": true, + "entity_checks": [ + { + "at_least_one_of": [ + "second", + "minute", + "hour", + "day", + "month", + "year" + ] + } + ], + "type": "record" + }, + "keys": { + "type": "string" + }, + "type": "map", + "required": true + } + } + ], + "type": "record", + "shorthand_fields": [ + { + "redis_host": { + "type": "string", + "translate_backwards": [ + "redis", + "host" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } + ], + "message": "response-ratelimiting: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_port": { + "type": "integer", + "translate_backwards": [ + "redis", + "port" + ], + 
"deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ], + "message": "response-ratelimiting: config.redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_password": { + "len_min": 0, + "type": "string", + "translate_backwards": [ + "redis", + "password" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ], + "message": "response-ratelimiting: config.redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_username": { + "type": "string", + "translate_backwards": [ + "redis", + "username" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ], + "message": "response-ratelimiting: config.redis_username is deprecated, please use config.redis.username instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_ssl": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ], + "message": "response-ratelimiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_ssl_verify": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl_verify" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ], + "message": "response-ratelimiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_server_name": { + "type": "string", + "translate_backwards": [ + "redis", + "server_name" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ], + "message": "response-ratelimiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", + 
"removal_in_version": "4.0" + } + } + }, + { + "redis_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + "timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "timeout" + ] + } + ], + "message": "response-ratelimiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_database": { + "type": "integer", + "translate_backwards": [ + "redis", + "database" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "database" + ] + } + ], + "message": "response-ratelimiting: config.redis_database is deprecated, please use config.redis.database instead", + "removal_in_version": "4.0" + } + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.host", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.port", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.timeout", + "then_match": { + "required": true + } + } + } + ] +} \ No newline at end of file diff --git a/schemas/response-transformer-advanced/3.9.x.json b/schemas/response-transformer-advanced/3.9.x.json new file mode 100644 index 00000000..1d32331c --- /dev/null +++ b/schemas/response-transformer-advanced/3.9.x.json 
@@ -0,0 +1,350 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "remove": { + "fields": [ + { + "json": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string" + } + } + }, + { + "headers": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string" + } + } + }, + { + "if_status": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "rename": { + "fields": [ + { + "headers": { + "type": "array", + "default": [ + + ], + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } + } + }, + { + "if_status": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "replace": { + "fields": [ + { + "body": { + "description": "String with which to replace the entire response body.", + "type": "string" + } + }, + { + "json": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string" + } + } + }, + { + "json_types": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + } + } + }, + { + "headers": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string" + } + } + }, + { + "if_status": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "add": { + "fields": [ + { + "json": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string" + } + } + }, + { + "json_types": { + "type": "array", + "default": [ + + ], + "elements": { 
+ "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + } + } + }, + { + "headers": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string" + } + } + }, + { + "if_status": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "append": { + "fields": [ + { + "json": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string" + } + } + }, + { + "json_types": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + } + } + }, + { + "headers": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string" + } + } + }, + { + "if_status": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "allow": { + "fields": [ + { + "json": { + "type": "set", + "elements": { + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "transform": { + "fields": [ + { + "functions": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string" + } + } + }, + { + "if_status": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string" + } + } + }, + { + "json": { + "type": "array", + "default": [ + + ], + "elements": { + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "dots_in_keys": { + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", + "type": "boolean", + "default": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/response-transformer/3.9.x.json b/schemas/response-transformer/3.9.x.json new file mode 100644 index 00000000..0219110a 
--- /dev/null +++ b/schemas/response-transformer/3.9.x.json 
@@ -0,0 +1,259 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "remove": { + "fields": [ + { + "json": { + "default": [ + + ], + "required": true, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "headers": { + "default": [ + + ], + "required": true, + "type": "array", + "elements": { + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "rename": { + "fields": [ + { + "json": { + "default": [ + + ], + "required": true, + "type": "array", + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } + } + }, + { + "headers": { + "default": [ + + ], + "required": true, + "type": "array", + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "replace": { + "fields": [ + { + "json": { + "default": [ + + ], + "required": true, + "type": "array", + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } + } + }, + { + "json_types": { + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. 
Each string element can be one of: boolean, number, or string.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array", + "default": [ + + ] + } + }, + { + "headers": { + "default": [ + + ], + "required": true, + "type": "array", + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "add": { + "fields": [ + { + "json": { + "default": [ + + ], + "required": true, + "type": "array", + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } + } + }, + { + "json_types": { + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array", + "default": [ + + ] + } + }, + { + "headers": { + "default": [ + + ], + "required": true, + "type": "array", + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "append": { + "fields": [ + { + "json": { + "default": [ + + ], + "required": true, + "type": "array", + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } + } + }, + { + "json_types": { + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. 
Each string element can be one of: boolean, number, or string.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array", + "default": [ + + ] + } + }, + { + "headers": { + "default": [ + + ], + "required": true, + "type": "array", + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/route-by-header/3.9.x.json b/schemas/route-by-header/3.9.x.json new file mode 100644 index 00000000..df002542 --- /dev/null +++ b/schemas/route-by-header/3.9.x.json @@ -0,0 +1,78 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "rules": { + "description": "Route by header rules.", + "type": "array", + "default": [ + + ], + "elements": { + "fields": [ + { + "upstream_name": { + "type": "string", + "required": true + } + }, + { + "condition": { + "len_min": 1, + "values": { + "type": "string" + }, + "keys": { + "type": "string" + }, + "type": "map", + "required": true + } + } + ], + "type": "record" + } + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/route-transformer-advanced/3.9.x.json b/schemas/route-transformer-advanced/3.9.x.json new file mode 100644 index 00000000..76ec77f4 --- /dev/null 
+++ b/schemas/route-transformer-advanced/3.9.x.json @@ -0,0 +1,75 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "path": { + "type": "string" + } + }, + { + "port": { + "type": "string" + } + }, + { + "host": { + "type": "string" + } + }, + { + "escape_path": { + "type": "boolean", + "default": false + } + } + ], + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "path", + "port", + "host" + ] + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/saml/3.9.x.json b/schemas/saml/3.9.x.json new file mode 100644 index 00000000..18157277 --- /dev/null +++ b/schemas/saml/3.9.x.json 
@@ -0,0 +1,1326 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "assertion_consumer_path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "required": true, + "starts_with": "/", + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + } + }, + { + "idp_sso_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": true, + "type": "string" + } + }, + { + "idp_certificate": { + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "response_encryption_key": { + "description": "The private encryption key required to decrypt encrypted assertions.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "request_signing_key": { + "description": "The private key for signing requests. 
If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "request_signing_certificate": { + "description": "The certificate for signing requests.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "request_signature_algorithm": { + "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "required": false, + "one_of": [ + "SHA256", + "SHA384", + "SHA512" + ], + "type": "string", + "default": "SHA256" + } + }, + { + "request_digest_algorithm": { + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", + "required": false, + "one_of": [ + "SHA256", + "SHA1" + ], + "type": "string", + "default": "SHA256" + } + }, + { + "response_signature_algorithm": { + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "required": false, + "one_of": [ + "SHA256", + "SHA384", + "SHA512" + ], + "type": "string", + "default": "SHA256" + } + }, + { + "response_digest_algorithm": { + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", + "required": false, + "one_of": [ + "SHA256", + "SHA1" + ], + "type": "string", + "default": "SHA256" + } + }, + { + "issuer": { + "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", + "required": true, + "type": "string" + } + }, + { + "nameid_format": { + "description": "The requested `NameId` format. 
Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", + "required": false, + "one_of": [ + "Unspecified", + "EmailAddress", + "Persistent", + "Transient" + ], + "type": "string", + "default": "EmailAddress" + } + }, + { + "validate_assertion_signature": { + "description": "Enable signature validation for SAML responses.", + "required": false, + "type": "boolean", + "default": true + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", + "required": false, + "type": "string" + } + }, + { + "session_secret": { + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "required": true, + "len_max": 32, + "match": "^[0-9a-zA-Z/_+]+$", + "referenceable": true, + "type": "string", + "len_min": 32, + "encrypted": true + } + }, + { + "session_audience": { + "description": "The session audience, for example \"my-application\"", + "required": false, + "type": "string", + "default": "default" + } + }, + { + "session_cookie_name": { + "description": "The session cookie name.", + "required": false, + "type": "string", + "default": "session" + } + }, + { + "session_remember": { + "description": "Enables or disables persistent sessions", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "session_remember_cookie_name": { + "description": "Persistent session cookie name", + "required": false, + "type": "string", + "default": "remember" + } + }, + { + "session_remember_rolling_timeout": { + "description": "Persistent session rolling timeout in seconds.", + "required": false, + 
"type": "number", + "default": 604800 + } + }, + { + "session_remember_absolute_timeout": { + "description": "Persistent session absolute timeout in seconds.", + "required": false, + "type": "number", + "default": 2592000 + } + }, + { + "session_idling_timeout": { + "description": "The session cookie idle time in seconds.", + "required": false, + "type": "number", + "default": 900 + } + }, + { + "session_rolling_timeout": { + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "required": false, + "type": "number", + "default": 3600 + } + }, + { + "session_absolute_timeout": { + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "required": false, + "type": "number", + "default": 86400 + } + }, + { + "session_cookie_path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "required": false, + "starts_with": "/", + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "default": "/" + } + }, + { + "session_cookie_domain": { + "description": "The session cookie domain flag.", + "required": false, + "type": "string" + } + }, + { + "session_cookie_same_site": { + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "required": false, + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ], + "type": "string", + "default": "Lax" + } + }, + { + "session_cookie_http_only": { + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "required": false, + "type": "boolean", + "default": true + } + }, + { + "session_cookie_secure": { + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "required": false, + "type": "boolean" + } + }, + { + "session_request_headers": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } + } + }, + { + "session_response_headers": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } + } + }, + { + "session_storage": { + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. 
- `memcached`: stores session data in memcached - `redis`: stores session data in Redis", + "required": false, + "one_of": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "type": "string", + "default": "cookie" + } + }, + { + "session_store_metadata": { + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "session_enforce_same_subject": { + "description": "When set to `true`, audiences are forced to share the same subject.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "session_hash_subject": { + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "session_hash_storage_key": { + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "required": false, + "type": "string" + } + }, + { + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "required": false, + "type": "string" + } + }, + { + "session_memcached_host": { + "description": "The memcached host.", + "required": false, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "session_memcached_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": false, + "between": [ + 0, + 65535 + ], + "type": "integer", + "default": 11211 + } + }, + { + "redis": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string", + "referenceable": true + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", + "between": [ + 1, + 2147483646 + ], + "default": 256 + } + }, + { + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "ip": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string", + "required": false + } + }, + { + "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer", + "default": 5 + } + }, + { + "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "prefix": { + "description": "The Redis session key prefix.", + "required": false, + "type": "string" + } + }, + { + "socket": { + "description": "The Redis unix socket path.", + "required": false, + "type": "string" + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + }, + "then_field": "host" + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "translate_backwards": [ + "connect_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is 
deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } + } + }, + { + "sentinel_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "cluster_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": true, + "shorthand_fields": [ + { + "session_cookie_lifetime": { + "deprecation": { + "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_cookie_idletime": { + "deprecation": { + "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_cookie_samesite": { + "deprecation": { + "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_cookie_httponly": { + "deprecation": { + "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead", + "removal_in_version": "4.0" + }, + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "deprecation": { + "message": "openid-connect: config.session_memcache_prefix is deprecated, please use 
config.session_memcached_prefix instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_memcache_socket": { + "deprecation": { + "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_memcache_host": { + "deprecation": { + "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_memcache_port": { + "deprecation": { + "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead", + "removal_in_version": "4.0" + }, + "type": "integer" + } + }, + { + "session_cookie_renew": { + "deprecation": { + "message": "openid-connect: config.session_cookie_renew option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "deprecation": { + "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "integer" + } + }, + { + "session_strategy": { + "deprecation": { + "message": "openid-connect: config.session_strategy option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_compressor": { + "deprecation": { + "message": "openid-connect: config.session_compressor option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_auth_ttl": { + "deprecation": { + "message": "openid-connect: config.session_auth_ttl option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_redis_prefix": { + "type": "string", + "translate_backwards": [ + "redis", + "prefix" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ 
+ "redis", + "prefix" + ] + } + ], + "message": "saml: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_socket": { + "type": "string", + "translate_backwards": [ + "redis", + "socket" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "socket" + ] + } + ], + "message": "saml: config.session_redis_socket is deprecated, please use config.redis.socket instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_host": { + "type": "string", + "translate_backwards": [ + "redis", + "host" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } + ], + "message": "saml: config.session_redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_port": { + "type": "integer", + "translate_backwards": [ + "redis", + "port" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ], + "message": "saml: config.session_redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_username": { + "type": "string", + "translate_backwards": [ + "redis", + "username" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ], + "message": "saml: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_password": { + "type": "string", + "translate_backwards": [ + "redis", + "password" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ], + "message": "saml: config.session_redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_connect_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + 
"connect_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "connect_timeout" + ] + } + ], + "message": "saml: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_read_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + "read_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "read_timeout" + ] + } + ], + "message": "saml: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_send_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + "send_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "send_timeout" + ] + } + ], + "message": "saml: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_ssl": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ], + "message": "saml: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_ssl_verify": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl_verify" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ], + "message": "saml: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_server_name": { + "type": "string", + "translate_backwards": [ + "redis", + "server_name" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ], + "message": "saml: config.session_redis_server_name 
is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_cluster_nodes": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "cluster_nodes" + ] + } + ], + "message": "saml: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "translate_backwards": [ + "redis", + "cluster_nodes" + ], + "elements": { + "fields": [ + { + "ip": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + } + } + }, + { + "session_redis_cluster_max_redirections": { + "type": "integer", + "translate_backwards": [ + "redis", + "cluster_max_redirections" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "cluster_max_redirections" + ] + } + ], + "message": "saml: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer", + "translate_backwards": [ + "redis", + "cluster_max_redirections" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "cluster_max_redirections" + ] + } + ], + "message": "saml: config.session_redis_cluster_maxredirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0" + } + } + } + ], + "type": "record" + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file 
diff --git a/schemas/session/3.9.x.json b/schemas/session/3.9.x.json new file mode 100644 index 00000000..decea8f5 --- /dev/null +++ b/schemas/session/3.9.x.json 
@@ -0,0 +1,302 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "description": "A set of strings representing protocols.", + "required": true, + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "secret": { + "description": "The secret that is used in keyed HMAC generation.", + "required": false, + "referenceable": true, + "type": "string", + "encrypted": true, + "default": "7iK18YEanf6i9XHvNwzx4RpdmHdRN6nSpPxC1uQxfsse" + } + }, + { + "storage": { + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", + "type": "string", + "default": "cookie", + "one_of": [ + "cookie", + "kong" + ] + } + }, + { + "audience": { + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "type": "string", + "default": "default" + } + }, + { + "idling_timeout": { + "description": "The session cookie idle time, in seconds.", + "type": "number", + "default": 900 + } + }, + { + "rolling_timeout": { + "description": "The session cookie rolling timeout, in seconds. 
Specifies how long the session can be used until it needs to be renewed.", + "type": "number", + "default": 3600 + } + }, + { + "absolute_timeout": { + "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", + "type": "number", + "default": 86400 + } + }, + { + "stale_ttl": { + "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", + "type": "number", + "default": 10 + } + }, + { + "cookie_name": { + "description": "The name of the cookie.", + "type": "string", + "default": "session" + } + }, + { + "cookie_path": { + "description": "The resource in the host where the cookie is available.", + "type": "string", + "default": "/" + } + }, + { + "cookie_domain": { + "description": "The domain with which the cookie is intended to be exchanged.", + "type": "string" + } + }, + { + "cookie_same_site": { + "description": "Determines whether and how a cookie may be sent with cross-site requests.", + "type": "string", + "default": "Strict", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "cookie_http_only": { + "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", + "type": "boolean", + "default": true + } + }, + { + "cookie_secure": { + "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", + "type": "boolean", + "default": true + } + }, + { + "remember": { + "description": "Enables or disables persistent sessions.", + "type": "boolean", + "default": false + } + }, + { + "remember_cookie_name": { + "description": "Persistent session cookie name. 
Use with the `remember` configuration parameter.", + "type": "string", + "default": "remember" + } + }, + { + "remember_rolling_timeout": { + "description": "The persistent session rolling timeout window, in seconds.", + "type": "number", + "default": 604800 + } + }, + { + "remember_absolute_timeout": { + "description": "The persistent session absolute timeout limit, in seconds.", + "type": "number", + "default": 2592000 + } + }, + { + "response_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } + } + }, + { + "request_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } + } + }, + { + "read_body_for_logout": { + "default": false, + "type": "boolean" + } + }, + { + "logout_methods": { + "description": "A set of HTTP methods that the plugin will respond to.", + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "GET", + "POST", + "DELETE" + ] + }, + "default": [ + "POST", + "DELETE" + ] + } + }, + { + "logout_query_arg": { + "description": "The query argument passed to logout requests.", + "type": "string", + "default": "session_logout" + } + }, + { + "logout_post_arg": { + "description": "The POST argument passed to logout requests. 
Do not change this property.", + "type": "string", + "default": "session_logout" + } + } + ], + "type": "record", + "shorthand_fields": [ + { + "cookie_lifetime": { + "type": "number" + } + }, + { + "cookie_idletime": { + "type": "number" + } + }, + { + "cookie_renew": { + "type": "number" + } + }, + { + "cookie_discard": { + "type": "number" + } + }, + { + "cookie_samesite": { + "type": "string" + } + }, + { + "cookie_httponly": { + "type": "boolean" + } + }, + { + "cookie_persistent": { + "type": "boolean" + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/standard-webhooks/3.9.x.json b/schemas/standard-webhooks/3.9.x.json new file mode 100644 index 00000000..c1cb595d --- /dev/null +++ b/schemas/standard-webhooks/3.9.x.json @@ -0,0 +1,63 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "secret_v1": { + "description": "Webhook secret", + "required": true, + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "tolerance_second": { + "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response.", + "required": true, + "type": "integer", + "gt": -1, + "default": 300 + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file 
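Review bot: In schemas/session/3.9.x.json the `config.secret` field, described as "the secret that is used in keyed HMAC generation" and marked `encrypted` and `referenceable`, is committed with a concrete `default` string. That value looks like a random string captured from the instance the schema was pulled from rather than a documented constant; this should be confirmed against the plugin source. If it is, anyone who copies the published default into their own configuration ends up with a session-signing secret that is public, so session integrity no longer rests on a private key. I would have the download step drop this default or replace it with a marked placeholder such as `"default": "<generated-per-instance>"`, and say in the description that operators must supply their own secret. In the same hunk, `request_headers` reuses the `response_headers` description ("in the response to the downstream"), which presumably should describe headers added to the upstream request.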
diff --git a/schemas/statsd-advanced/3.9.x.json b/schemas/statsd-advanced/3.9.x.json new file mode 100644 index 00000000..ed33f15a --- /dev/null +++ b/schemas/statsd-advanced/3.9.x.json 
@@ -0,0 +1,459 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing protocols.", + "required": true, + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string", + "default": "localhost" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 8125 + } + }, + { + "prefix": { + "description": "String to prefix to each metric's name.", + "type": "string", + "default": "kong" + } + }, + { + "metrics": { + "description": "List of Metrics to be logged.", + "type": "array", + "default": [ + { + "stat_type": "counter", + "sample_rate": 1, + "name": "request_count" + }, + { + "stat_type": "timer", + "name": "latency" + }, + { + "stat_type": "timer", + "name": "request_size" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count" + }, + { + "stat_type": "timer", + "name": "response_size" + }, + { + "stat_type": "set", + "name": "unique_users" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "request_per_user" + }, + { + "stat_type": "timer", + "name": "upstream_latency" + }, + { + "stat_type": "timer", + "name": "kong_latency" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count_per_user" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": 
"status_count_per_workspace" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count_per_user_per_route" + }, + { + "stat_type": "gauge", + "sample_rate": 1, + "name": "shdict_usage" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "cache_datastore_hits_total" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "cache_datastore_misses_total" + } + ], + "elements": { + "fields": [ + { + "name": { + "type": "string", + "required": true, + "one_of": [ + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "status_count", + "status_count_per_user", + "unique_users", + "upstream_latency", + "status_count_per_workspace", + "status_count_per_user_per_route", + "shdict_usage", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + } + }, + { + "stat_type": { + "type": "string", + "required": true, + "one_of": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ] + } + }, + { + "sample_rate": { + "gt": 0, + "type": "number" + } + }, + { + "consumer_identifier": { + "type": "string", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + }, + { + "service_identifier": { + "type": "string", + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ] + } + }, + { + "workspace_identifier": { + "type": "string", + "one_of": [ + "workspace_id", + "workspace_name" + ] + } + } + ], + "type": "record", + "entity_checks": [ + { + "conditional": { + "if_field": "name", + "if_match": { + "one_of": [ + "unique_users" + ] + }, + "then_field": "stat_type", + "then_match": { + "eq": "set" + } + } + }, + { + "conditional": { + "if_field": "name", + "if_match": { + "one_of": [ + "request_count", + "status_count", + "request_per_user", + "status_count_per_user", + "status_count_per_workspace", + "status_count_per_user_per_route", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + }, 
+ "then_field": "stat_type", + "then_match": { + "eq": "counter" + } + } + }, + { + "conditional": { + "if_field": "name", + "if_match": { + "one_of": [ + "shdict_usage" + ] + }, + "then_field": "stat_type", + "then_match": { + "eq": "gauge" + } + } + }, + { + "conditional": { + "if_field": "stat_type", + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_field": "sample_rate", + "then_match": { + "required": true + } + } + } + ] + } + } + }, + { + "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", + "type": "array", + "elements": { + "type": "string", + "match": "^[0-9]+-[0-9]+$" + } + } + }, + { + "udp_packet_size": { + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", + "type": "number", + "between": [ + 0, + 65507 + ], + "default": 0 + } + }, + { + "use_tcp": { + "description": "Use TCP instead of UDP.", + "type": "boolean", + "default": false + } + }, + { + "hostname_in_prefix": { + "description": "Include the `hostname` in the `prefix` for each metric name.", + "type": "boolean", + "default": false + } + }, + { + "consumer_identifier_default": { + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", + "required": true, + "one_of": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string", + "default": "custom_id" + } + }, + { + "service_identifier_default": { + "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. 
Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", + "required": true, + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ], + "type": "string", + "default": "service_name_or_host" + } + }, + { + "workspace_identifier_default": { + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", + "required": true, + "one_of": [ + "workspace_id", + "workspace_name" + ], + "type": "string", + "default": "workspace_id" + } + }, + { + "queue": { + "fields": [ + { + "max_batch_size": { + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", + "between": [ + 1, + 1000000 + ], + "default": 1 + } + }, + { + "max_coalescing_delay": { + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", + "between": [ + 0, + 3600 + ], + "default": 1 + } + }, + { + "max_entries": { + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", + "between": [ + 1, + 1000000 + ], + "default": 10000 + } + }, + { + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + } + }, + { + "max_retry_time": { + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number", + "default": 60 + } + }, + { + "initial_retry_delay": { + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", + "between": [ + 0.001, + 1000000 + ], + "default": 0.01 + } + }, + { + "max_retry_delay": { + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", + "between": [ + 0.001, + 1000000 + ], + 
"default": 60 + } + }, + { + "concurrency_limit": { + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "type": "integer", + "default": 1, + "one_of": [ + -1, + 1 + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/statsd/3.9.x.json b/schemas/statsd/3.9.x.json new file mode 100644 index 00000000..9d9a047a --- /dev/null +++ b/schemas/statsd/3.9.x.json 
@@ -0,0 +1,454 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing protocols.", + "required": true, + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "host": { + "description": "The IP address or hostname of StatsD server to send data to.", + "type": "string", + "default": "localhost" + } + }, + { + "port": { + "description": "The port of StatsD server to send data to.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 8125 + } + }, + { + "prefix": { + "description": "String to prefix to each metric's name.", + "type": "string", + "default": "kong" + } + }, + { + "metrics": { + "description": "List of metrics to be logged.", + "type": "array", + "default": [ + { + "stat_type": "counter", + "sample_rate": 1, + "name": "request_count" + }, + { + "stat_type": "timer", + "name": "latency" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "request_size" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "response_size" + }, + { + "stat_type": "set", + "name": "unique_users" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "request_per_user" + }, + { + "stat_type": "timer", + "name": "upstream_latency" + }, + { + "stat_type": "timer", + "name": "kong_latency" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count_per_user" + }, + { + "stat_type": "counter", + 
"sample_rate": 1, + "name": "status_count_per_workspace" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count_per_user_per_route" + }, + { + "stat_type": "gauge", + "sample_rate": 1, + "name": "shdict_usage" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "cache_datastore_hits_total" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "cache_datastore_misses_total" + } + ], + "elements": { + "fields": [ + { + "name": { + "description": "StatsD metric’s name.", + "type": "string", + "required": true, + "one_of": [ + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "status_count", + "status_count_per_user", + "unique_users", + "upstream_latency", + "status_count_per_workspace", + "status_count_per_user_per_route", + "shdict_usage", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + } + }, + { + "stat_type": { + "description": "Determines what sort of event a metric represents.", + "type": "string", + "required": true, + "one_of": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ] + } + }, + { + "sample_rate": { + "description": "Sampling rate", + "type": "number", + "gt": 0 + } + }, + { + "consumer_identifier": { + "description": "Authenticated user detail.", + "type": "string", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + }, + { + "service_identifier": { + "description": "Service detail.", + "type": "string", + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ] + } + }, + { + "workspace_identifier": { + "description": "Workspace detail.", + "type": "string", + "one_of": [ + "workspace_id", + "workspace_name" + ] + } + } + ], + "type": "record", + "entity_checks": [ + { + "conditional": { + "if_field": "stat_type", + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_field": "sample_rate", + "then_match": { + "required": true + 
} + } + } + ] + } + } + }, + { + "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", + "type": "array", + "elements": { + "type": "string", + "match": "^[0-9]+-[0-9]+$" + } + } + }, + { + "udp_packet_size": { + "type": "number", + "between": [ + 0, + 65507 + ], + "default": 0 + } + }, + { + "use_tcp": { + "default": false, + "type": "boolean" + } + }, + { + "hostname_in_prefix": { + "default": false, + "type": "boolean" + } + }, + { + "consumer_identifier_default": { + "default": "custom_id", + "type": "string", + "required": true, + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + }, + { + "service_identifier_default": { + "default": "service_name_or_host", + "type": "string", + "required": true, + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ] + } + }, + { + "workspace_identifier_default": { + "default": "workspace_id", + "type": "string", + "required": true, + "one_of": [ + "workspace_id", + "workspace_name" + ] + } + }, + { + "retry_count": { + "type": "integer", + "deprecation": { + "old_default": 10, + "message": "statsd: config.retry_count no longer works, please use config.queue.max_retry_time instead", + "removal_in_version": "4.0" + } + } + }, + { + "queue_size": { + "type": "integer", + "deprecation": { + "old_default": 1, + "message": "statsd: config.queue_size is deprecated, please use config.queue.max_batch_size instead", + "removal_in_version": "4.0" + } + } + }, + { + "flush_timeout": { + "type": "number", + "deprecation": { + "old_default": 2, + "message": "statsd: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", + "removal_in_version": "4.0" + } + } + }, + { + "tag_style": { + "type": "string", + "required": false, + "one_of": [ + "dogstatsd", + "influxdb", + "librato", + "signalfx" + ] + } + }, + { + "queue": { + "fields": [ + { + "max_batch_size": { + "description": "Maximum number 
of entries that can be processed at a time.", + "type": "integer", + "between": [ + 1, + 1000000 + ], + "default": 1 + } + }, + { + "max_coalescing_delay": { + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", + "between": [ + 0, + 3600 + ], + "default": 1 + } + }, + { + "max_entries": { + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", + "between": [ + 1, + 1000000 + ], + "default": 10000 + } + }, + { + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + } + }, + { + "max_retry_time": { + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number", + "default": 60 + } + }, + { + "initial_retry_delay": { + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", + "between": [ + 0.001, + 1000000 + ], + "default": 0.01 + } + }, + { + "max_retry_delay": { + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", + "between": [ + 0.001, + 1000000 + ], + "default": 60 + } + }, + { + "concurrency_limit": { + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "type": "integer", + "default": 1, + "one_of": [ + -1, + 1 + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/syslog/3.9.x.json b/schemas/syslog/3.9.x.json new file mode 100644 index 00000000..5daf010a --- /dev/null +++ b/schemas/syslog/3.9.x.json 
@@ -0,0 +1,164 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing protocols.", + "required": true, + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "log_level": { + "default": "info", + "required": true, + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "successful_severity": { + "default": "info", + "required": true, + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "client_errors_severity": { + "default": "info", + "required": true, + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "server_errors_severity": { + "default": "info", + "required": true, + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "custom_fields_by_lua": { + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map", + "values": { + "type": "string", + "len_min": 1 + }, + "description": "Lua code as a key-value map" + } + }, + { + "facility": { + "description": "The facility is used by the operating system to decide how to handle each log message.", + "required": true, + "one_of": [ + "auth", + "authpriv", + "cron", + "daemon", + "ftp", + "kern", + "lpr", + "mail", + "news", + "syslog", + "user", + 
"uucp", + "local0", + "local1", + "local2", + "local3", + "local4", + "local5", + "local6", + "local7" + ], + "type": "string", + "default": "user" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/tcp-log/3.9.x.json b/schemas/tcp-log/3.9.x.json new file mode 100644 index 00000000..3edb1e1e --- /dev/null +++ b/schemas/tcp-log/3.9.x.json 
@@ -0,0 +1,112 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing protocols.", + "required": true, + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "host": { + "description": "The IP address or host name to send data to.", + "required": true, + "type": "string" + } + }, + { + "port": { + "description": "The port to send data to on the upstream server.", + "required": true, + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "timeout": { + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number", + "default": 10000 + } + }, + { + "keepalive": { + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "number", + "default": 60000 + } + }, + { + "tls": { + "description": "Indicates whether to perform a TLS handshake against the remote server.", + "required": true, + "type": "boolean", + "default": false + } + }, + { + "tls_sni": { + "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake.", + "type": "string" + } + }, + { + "custom_fields_by_lua": { + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", + "type": "map", + "values": { + "type": "string", + "len_min": 1 + }, + "keys": { + "type": 
"string", + "len_min": 1 + } + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/tls-handshake-modifier/3.9.x.json b/schemas/tls-handshake-modifier/3.9.x.json new file mode 100644 index 00000000..0ce0806f --- /dev/null +++ b/schemas/tls-handshake-modifier/3.9.x.json @@ -0,0 +1,60 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "https", + "grpcs" + ], + "required": true, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "https", + "grpcs", + "tls" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "tls_client_certificate": { + "description": "TLS Client Certificate", + "required": false, + "one_of": [ + "REQUEST" + ], + "type": "string", + "default": "REQUEST" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/tls-metadata-headers/3.9.x.json b/schemas/tls-metadata-headers/3.9.x.json new file mode 100644 index 00000000..70e69c6b --- /dev/null +++ b/schemas/tls-metadata-headers/3.9.x.json 
@@ -0,0 +1,96 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "https", + "grpcs" + ], + "required": true, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "https", + "grpcs", + "tls" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "inject_client_cert_details": { + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", + "type": "boolean", + "default": false + } + }, + { + "client_cert_header_name": { + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", + "type": "string", + "required": true, + "default": "X-Client-Cert" + } + }, + { + "client_serial_header_name": { + "description": "Define the HTTP header name used for the serial number of the client certificate.", + "type": "string", + "required": true, + "default": "X-Client-Cert-Serial" + } + }, + { + "client_cert_issuer_dn_header_name": { + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", + "type": "string", + "required": true, + "default": "X-Client-Cert-Issuer-DN" + } + }, + { + "client_cert_subject_dn_header_name": { + "description": "Define the HTTP header name used for the subject DN of the client certificate.", + "type": "string", + "required": true, + "default": "X-Client-Cert-Subject-DN" + } + }, + { + "client_cert_fingerprint_header_name": { + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", + "type": "string", + "required": true, + "default": "X-Client-Cert-Fingerprint" + } + } + ], + "type": "record", + 
"required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/udp-log/3.9.x.json b/schemas/udp-log/3.9.x.json new file mode 100644 index 00000000..d8176b5d --- /dev/null +++ b/schemas/udp-log/3.9.x.json @@ -0,0 +1,91 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing protocols.", + "required": true, + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "timeout": { + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number", + "default": 10000 + } + }, + { + "custom_fields_by_lua": { + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map", + "values": { + "type": "string", + "len_min": 1 + }, + "description": "Lua code as a key-value map" + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/upstream-oauth/3.9.x.json b/schemas/upstream-oauth/3.9.x.json new file mode 100644 index 00000000..cb3d6cdc --- /dev/null +++ b/schemas/upstream-oauth/3.9.x.json 
@@ -0,0 +1,799 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "client": { + "fields": [ + { + "auth_method": { + "description": "The authentication method used in client requests to the IdP. Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", + "required": true, + "one_of": [ + "client_secret_post", + "client_secret_basic", + "client_secret_jwt", + "none" + ], + "type": "string", + "default": "client_secret_post" + } + }, + { + "client_secret_jwt_alg": { + "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", + "required": true, + "one_of": [ + "HS512", + "HS256" + ], + "type": "string", + "default": "HS512" + } + }, + { + "http_version": { + "description": "The HTTP version used for requests made by this plugin. 
Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", + "required": false, + "type": "number", + "default": 1.1 + } + }, + { + "http_proxy": { + "description": "The proxy to use when making HTTP requests to the IdP.", + "required": false, + "type": "string" + } + }, + { + "http_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `http_proxy`.", + "type": "string", + "required": false + } + }, + { + "https_proxy": { + "description": "The proxy to use when making HTTPS requests to the IdP.", + "required": false, + "type": "string" + } + }, + { + "https_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `https_proxy`.", + "type": "string", + "required": false + } + }, + { + "no_proxy": { + "description": "A comma-separated list of hosts that should not be proxied.", + "type": "string", + "required": false + } + }, + { + "timeout": { + "description": "Network I/O timeout for requests to the IdP in milliseconds.", + "required": true, + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "default": 10000 + } + }, + { + "keep_alive": { + "description": "Whether to use keepalive connections to the IdP.", + "type": "boolean", + "required": true, + "default": true + } + }, + { + "ssl_verify": { + "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", + "type": "boolean", + "required": false, + "default": false + } + } + ], + "type": "record", + "required": true + } + }, + { + "oauth": { + "fields": [ + { + "token_endpoint": { + "description": "The token endpoint URI.", + "required": true, + "type": "string" + } + }, + { + "token_headers": { + "description": "Extra headers to be passed in the token endpoint request.", + "type": "map", + "values": { + "type": "string", + "referenceable": true + }, + "keys": { + "description": "A string representing an HTTP header name.", + "type": "string" + } + } + }, + { + "token_post_args": { + 
"description": "Extra post arguments to be passed in the token endpoint request.", + "type": "map", + "values": { + "type": "string", + "referenceable": true + }, + "keys": { + "type": "string" + } + } + }, + { + "grant_type": { + "description": "The OAuth grant type to be used.", + "required": true, + "one_of": [ + "client_credentials", + "password" + ], + "type": "string", + "default": "client_credentials" + } + }, + { + "client_id": { + "description": "The client ID for the application registration in the IdP.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "client_secret": { + "description": "The client secret for the application registration in the IdP.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "username": { + "description": "The username to use if `config.oauth.grant_type` is set to `password`.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "password": { + "description": "The password to use if `config.oauth.grant_type` is set to `password`.", + "required": false, + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "scopes": { + "description": "List of scopes to request from the IdP when obtaining a new token.", + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + "openid" + ] + } + }, + { + "audience": { + "description": "List of audiences passed to the IdP when obtaining a new token.", + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "default": [ + + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "cache": { + "fields": [ + { + "strategy": { + "description": "The method Kong should use to cache tokens issued by the IdP.", + "required": true, + "one_of": [ + "memory", + "redis" + ], + "type": "string", + "default": "memory" + } + }, + { + "memory": { + "fields": [ + 
{ + "dictionary_name": { + "description": "The shared dictionary used by the plugin to cache tokens if `config.cache.strategy` is set to `memory`.", + "type": "string", + "required": true, + "default": "kong_db_cache" + } + } + ], + "type": "record", + "required": true + } + }, + { + "redis": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "type": "string", + "referenceable": true + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer", + "default": 0 + } + }, + { + "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", + "between": [ + 1, + 2147483646 + ], + "default": 256 + } + }, + { + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "required": false, + "elements": { + "fields": [ + { + "ip": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1 + } + }, + { + "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer", + "default": 5 + } + }, + { + "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean", + "default": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } 
+ } + ], + "type": "record", + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "translate_backwards": [ + "connect_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } + } + }, + { + "sentinel_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "cluster_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + } + ], + "required": true + } + }, + { + "eagerly_expire": { + "description": "The number of seconds to eagerly expire a cached token. 
By default, a cached token expires 5 seconds before its lifetime as defined in `expires_in`.", + "required": true, + "type": "integer", + "gt": -1, + "default": 5 + } + }, + { + "default_ttl": { + "description": "The lifetime of a token without an explicit `expires_in` value.", + "type": "number", + "gt": 0, + "default": 3600 + } + } + ], + "type": "record", + "required": true + } + }, + { + "behavior": { + "fields": [ + { + "upstream_access_token_header_name": { + "description": "The name of the header used to send the access token (obtained from the IdP) to the upstream service.", + "len_min": 0, + "type": "string", + "required": true, + "default": "Authorization" + } + }, + { + "idp_error_response_status_code": { + "description": "The response code to return to the consumer if Kong fails to obtain a token from the IdP.", + "required": true, + "between": [ + 500, + 599 + ], + "type": "integer", + "default": 502 + } + }, + { + "idp_error_response_content_type": { + "description": "The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "len_min": 0, + "type": "string", + "required": true, + "default": "application/json; charset=utf-8" + } + }, + { + "idp_error_response_message": { + "description": "The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "len_min": 0, + "type": "string", + "required": true, + "default": "Failed to authenticate request to upstream" + } + }, + { + "idp_error_response_body_template": { + "description": "The template to use to create the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "len_min": 0, + "type": "string", + "required": true, + "default": "{ \"code\": \"{{status}}\", \"message\": \"{{message}}\" }" + } + }, + { + "purge_token_on_upstream_status_codes": { + "description": "An array of status codes which will force an access token to be purged when returned 
by the upstream. An empty array will disable this functionality.", + "type": "array", + "default": [ + 401 + ], + "elements": { + "between": [ + 100, + 599 + ], + "type": "integer" + } + } + } + ], + "type": "record", + "required": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/upstream-timeout/3.9.x.json b/schemas/upstream-timeout/3.9.x.json new file mode 100644 index 00000000..279be9a0 --- /dev/null +++ b/schemas/upstream-timeout/3.9.x.json @@ -0,0 +1,75 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file 
diff --git a/schemas/vault-auth/3.9.x.json b/schemas/vault-auth/3.9.x.json
new file mode 100644
index 00000000..9fc64449
--- /dev/null
+++ b/schemas/vault-auth/3.9.x.json
@@ -0,0 +1,112 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "access_token_name": { + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "required": true, + "elements": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "type": "string", + "default": "access_token" + } + }, + { + "secret_token_name": { + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. 
The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "required": true, + "elements": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "type": "string", + "default": "secret_token" + } + }, + { + "vault": { + "reference": "vault_auth_vaults", + "type": "foreign", + "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", + "required": true + } + }, + { + "hide_credentials": { + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", + "type": "boolean", + "default": false + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + } + }, + { + "tokens_in_body": { + "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean", + "default": false + } + }, + { + "run_on_preflight": { + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean", + "default": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file 
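Review bot: `access_token_name` and `secret_token_name` each declare `"type": "string"` yet also carry an `elements` block and a description that opens with "Describes an array of comma-separated parameter names", so the schema contradicts itself about what a valid value is. The string defaults (`"access_token"`, `"secret_token"`) suggest the string type is the real one; if so, drop `elements` and open the description with `A comma-separated list of parameter names where the plugin looks for ...`. Separately, `hide_credentials` defaults to `false`, which by its own description means the credential is not stripped before proxying; the description would be clearer if it ended with `Defaults to false, which forwards the access and secret tokens to the upstream service.` If this file is a snapshot pulled from the gateway's schema API, the correction belongs in the plugin's schema source rather than here.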
diff --git a/schemas/websocket-size-limit/3.9.x.json b/schemas/websocket-size-limit/3.9.x.json new file mode 100644 index 00000000..fab7b3bc --- /dev/null +++ b/schemas/websocket-size-limit/3.9.x.json @@ -0,0 +1,68 @@ +{ + "fields": [ + { + "protocols": { + "default": [ + "ws", + "wss" + ], + "required": true, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "ws", + "wss" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "client_max_payload": { + "type": "integer", + "between": [ + 1, + 33554432 + ], + "required": false + } + }, + { + "upstream_max_payload": { + "type": "integer", + "between": [ + 1, + 33554432 + ], + "required": false + } + } + ], + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "client_max_payload", + "upstream_max_payload" + ] + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/websocket-validator/3.9.x.json b/schemas/websocket-validator/3.9.x.json new file mode 100644 index 00000000..6fb55087 --- /dev/null +++ b/schemas/websocket-validator/3.9.x.json 
@@ -0,0 +1,220 @@ +{ + "fields": [ + { + "protocols": { + "default": [ + "ws", + "wss" + ], + "required": true, + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "ws", + "wss" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "client": { + "fields": [ + { + "text": { + "fields": [ + { + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", + "required": true, + "one_of": [ + "draft4" + ] + } + }, + { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string", + "required": true + } + } + ], + "required": false, + "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ] + } + }, + { + "binary": { + "fields": [ + { + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", + "required": true, + "one_of": [ + "draft4" + ] + } + }, + { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. 
The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string", + "required": true + } + } + ], + "required": false, + "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ] + } + } + ], + "required": false, + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } + ] + } + }, + { + "upstream": { + "fields": [ + { + "text": { + "fields": [ + { + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", + "required": true, + "one_of": [ + "draft4" + ] + } + }, + { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string", + "required": true + } + } + ], + "required": false, + "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ] + } + }, + { + "binary": { + "fields": [ + { + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", + "required": true, + "one_of": [ + "draft4" + ] + } + }, + { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. 
The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string", + "required": true + } + } + ], + "required": false, + "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ] + } + } + ], + "required": false, + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } + ] + } + } + ], + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "client", + "upstream" + ] + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/xml-threat-protection/3.9.x.json b/schemas/xml-threat-protection/3.9.x.json new file mode 100644 index 00000000..d9f354ae --- /dev/null +++ b/schemas/xml-threat-protection/3.9.x.json 
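Review bot: All four `type`/`schema` pairs in this hunk (`client.text`, `client.binary`, `upstream.text`, `upstream.binary`) reuse the `upstream.binary` wording, so `config.client.text.schema` is documented as "Schema used to validate upstream-originated binary frames" and its `type` refers to `config.upstream.binary.schema`. For a validation plugin this matters, because an operator reading the rendered descriptions cannot tell which direction and frame kind a given schema applies to. Each description should name its own path, for example `Schema used to validate client-originated text frames.` followed by a reference to `config.client.text.type`, and likewise for the other three records. If the file is generated from the plugin's schema, the wording needs fixing at that source.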
@@ -0,0 +1,300 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "checked_content_types": { + "description": "A list of Content-Type values with payloads that must be validated.", + "required": true, + "elements": { + "required": true, + "type": "string", + "match": "^[^%s]+%/[^ ;]+$" + }, + "type": "set", + "default": [ + "application/xml" + ] + } + }, + { + "allowed_content_types": { + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", + "required": true, + "elements": { + "required": true, + "type": "string", + "match": "^[^%s]+%/[^ ;]+$" + }, + "type": "set", + "default": [ + + ] + } + }, + { + "allow_dtd": { + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", + "type": "boolean", + "required": true, + "default": false + } + }, + { + "namespace_aware": { + "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", + "type": "boolean", + "required": true, + "default": true + } + }, + { + "max_depth": { + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", + "required": true, + "type": "integer", + "gt": 0, + "default": 50 + } + }, + { + "max_children": { + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). 
Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", + "required": true, + "type": "integer", + "gt": 0, + "default": 100 + } + }, + { + "max_attributes": { + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", + "required": true, + "type": "integer", + "gt": 0, + "default": 100 + } + }, + { + "max_namespaces": { + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", + "required": false, + "type": "integer", + "gt": 0, + "default": 20 + } + }, + { + "document": { + "description": "Maximum size of the entire document.", + "required": true, + "type": "integer", + "gt": 0, + "default": 10485760 + } + }, + { + "buffer": { + "description": "Maximum size of the unparsed buffer (see below).", + "required": true, + "type": "integer", + "gt": 0, + "default": 1048576 + } + }, + { + "comment": { + "description": "Maximum size of comments.", + "required": true, + "type": "integer", + "gt": 0, + "default": 1024 + } + }, + { + "localname": { + "description": "Maximum size of the localname. This applies to tags and attributes.", + "required": true, + "type": "integer", + "gt": 0, + "default": 1024 + } + }, + { + "prefix": { + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", + "required": false, + "type": "integer", + "gt": 0, + "default": 1024 + } + }, + { + "namespaceuri": { + "description": "Maximum size of the namespace URI. 
This value is required if parsing is namespace-aware.", + "required": false, + "type": "integer", + "gt": 0, + "default": 1024 + } + }, + { + "attribute": { + "description": "Maximum size of the attribute value.", + "required": true, + "type": "integer", + "gt": 0, + "default": 1048576 + } + }, + { + "text": { + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", + "required": true, + "type": "integer", + "gt": 0, + "default": 1048576 + } + }, + { + "pitarget": { + "description": "Maximum size of processing instruction targets.", + "required": true, + "type": "integer", + "gt": 0, + "default": 1024 + } + }, + { + "pidata": { + "description": "Maximum size of processing instruction data.", + "required": true, + "type": "integer", + "gt": 0, + "default": 1024 + } + }, + { + "entityname": { + "description": "Maximum size of entity names in EntityDecl.", + "required": true, + "type": "integer", + "gt": 0, + "default": 1024 + } + }, + { + "entity": { + "description": "Maximum size of entity values in EntityDecl.", + "required": true, + "type": "integer", + "gt": 0, + "default": 1024 + } + }, + { + "entityproperty": { + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", + "required": true, + "type": "integer", + "gt": 0, + "default": 1024 + } + }, + { + "bla_max_amplification": { + "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", + "required": true, + "type": "number", + "gt": 1, + "default": 100 + } + }, + { + "bla_threshold": { + "description": "Sets the threshold after which the protection starts. 
This protects against the Billion Laughs Attack.", + "required": true, + "type": "integer", + "gt": 1024, + "default": 8388608 + } + } + ], + "type": "record", + "entity_checks": [ + { + "conditional": { + "if_field": "namespace_aware", + "if_match": { + "eq": true + }, + "then_field": "max_namespaces", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "namespace_aware", + "if_match": { + "eq": true + }, + "then_field": "prefix", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "namespace_aware", + "if_match": { + "eq": true + }, + "then_field": "namespaceuri", + "then_match": { + "required": true + } + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/zipkin/3.9.x.json b/schemas/zipkin/3.9.x.json new file mode 100644 index 00000000..cd177c4e --- /dev/null +++ b/schemas/zipkin/3.9.x.json 
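Review bot: The size limits under `config` (`document`, `buffer`, `comment`, `attribute`, `text` and the others) state no unit, and the `buffer` description ends with "(see below)", which points at nothing inside a schema file. An operator tightening these limits has to guess whether `10485760` counts bytes or characters; naming the unit in each description, e.g. `Maximum size of the entire document, in bytes.` if bytes is what the parser counts, removes that guess. The "(see below)" should be replaced by the explanation it refers to, or dropped.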
@@ -0,0 +1,421 @@ +{ + "fields": [ + { + "protocols": { + "description": "A set of strings representing protocols.", + "required": true, + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "local_service_name": { + "description": "The name of the service as displayed in Zipkin.", + "required": true, + "type": "string", + "default": "kong" + } + }, + { + "http_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + { + "sample_ratio": { + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", + "type": "number", + "between": [ + 0, + 1 + ], + "default": 0.001 + } + }, + { + "default_service_name": { + "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans.", + "type": "string" + } + }, + { + "include_credential": { + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", + "required": true, + "type": "boolean", + "default": true + } + }, + { + "traceid_byte_count": { + "description": "The length in bytes of each request's Trace ID.", + "required": true, + "one_of": [ + 8, + 16 + ], + "type": "integer", + "default": 16 + } + }, + { + "header_type": { + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. 
This property codifies what kind of tracing header the plugin expects on incoming requests", + "required": true, + "one_of": [ + "preserve", + "ignore", + "b3", + "b3-single", + "w3c", + "jaeger", + "ot", + "aws", + "datadog", + "gcp" + ], + "type": "string", + "default": "preserve", + "deprecation": { + "old_default": "preserve", + "message": "zipkin: config.header_type is deprecated, please use config.propagation options instead", + "removal_in_version": "4.0" + } + } + }, + { + "default_header_type": { + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", + "required": true, + "one_of": [ + "b3", + "b3-single", + "w3c", + "jaeger", + "ot", + "aws", + "datadog", + "gcp" + ], + "type": "string", + "default": "b3", + "deprecation": { + "old_default": "b3", + "message": "zipkin: config.default_header_type is deprecated, please use config.propagation.default_format instead", + "removal_in_version": "4.0" + } + } + }, + { + "tags_header": { + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", + "required": true, + "type": "string", + "default": "Zipkin-Tags" + } + }, + { + "static_tags": { + "description": "The tags specified on this property will be added to the generated request traces.", + "type": "array", + "elements": { + "fields": [ + { + "name": { + "not_one_of": [ + "error", + "http.method", + "http.path", + "http.status_code", + "kong.balancer.state", + "kong.balancer.try", + "kong.consumer", + "kong.credential", + "kong.node.id", + "kong.route", + "kong.service", + "lc", + "peer.hostname" + ], + "required": true, + "type": "string" + } + }, + { + "value": { + "type": "string", + "required": true + } + } + ], + "type": "record" + } + } + }, + { + 
"http_span_name": { + "description": "Specify whether to include the HTTP path in the span name.", + "required": true, + "one_of": [ + "method", + "method_path" + ], + "type": "string", + "default": "method" + } + }, + { + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 5000 + } + }, + { + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 5000 + } + }, + { + "http_response_header_for_traceid": { + "type": "string" + } + }, + { + "phase_duration_flavor": { + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", + "required": true, + "one_of": [ + "annotations", + "tags" + ], + "type": "string", + "default": "annotations" + } + }, + { + "queue": { + "fields": [ + { + "max_batch_size": { + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", + "between": [ + 1, + 1000000 + ], + "default": 1 + } + }, + { + "max_coalescing_delay": { + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", + "between": [ + 0, + 3600 + ], + "default": 1 + } + }, + { + "max_entries": { + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", + "between": [ + 1, + 1000000 + ], + "default": 10000 + } + }, + { + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + } + }, + { + 
"max_retry_time": { + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number", + "default": 60 + } + }, + { + "initial_retry_delay": { + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", + "between": [ + 0.001, + 1000000 + ], + "default": 0.01 + } + }, + { + "max_retry_delay": { + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", + "between": [ + 0.001, + 1000000 + ], + "default": 60 + } + }, + { + "concurrency_limit": { + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "type": "integer", + "default": 1, + "one_of": [ + -1, + 1 + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "propagation": { + "fields": [ + { + "extract": { + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "gcp", + "jaeger", + "aws", + "ot", + "w3c", + "datadog", + "b3" + ] + } + } + }, + { + "clear": { + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "inject": { + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. 
If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "preserve", + "gcp", + "b3-single", + "jaeger", + "aws", + "ot", + "w3c", + "datadog", + "b3" + ] + } + } + }, + { + "default_format": { + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "type": "string", + "required": true, + "one_of": [ + "gcp", + "b3-single", + "jaeger", + "aws", + "ot", + "w3c", + "datadog", + "b3" + ] + } + } + ], + "type": "record", + "required": true, + "default": { + "default_format": "b3" + } + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file From 103c3efd594f42216c6a00460d53aedb5a5c80ba Mon Sep 17 00:00:00 2001 
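Review bot: `include_credential` is `required` with `"default": true`, so by its own description credential information for the authenticated consumer is sent to the Zipkin server unless an operator turns it off, and `http_endpoint` is a free-form string with no scheme constraint visible in this schema. The description should state the default and its effect, for example by appending `Defaults to true; set to false when the tracing backend should not receive consumer credential data.` Two smaller documentation gaps in the same hunk: `http_response_header_for_traceid` has no description at all, and the `concurrency_limit` description reads "The number of of queue delivery timers".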
From: kong-docs <116832528+kong-docs@users.noreply.github.com> Date: Tue, 10 Sep 2024 21:11:18 +0200 Subject: [PATCH 084/165] Copy latest examples to 3.9.x (#65) Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- examples/acl/_3.9.x.yaml | 6 +++ examples/acme/_3.9.x.yaml | 3 ++ examples/ai-azure-content-safety/_3.9.x.yaml | 9 ++++ examples/ai-prompt-decorator/_3.9.x.yaml | 13 ++++++ examples/ai-prompt-guard/_3.9.x.yaml | 9 ++++ examples/ai-prompt-template/_3.9.x.yaml | 23 ++++++++++ examples/ai-proxy-advanced/_3.9.x.yaml | 15 +++++++ examples/ai-proxy/_3.9.x.yaml | 12 ++++++ .../ai-rate-limiting-advanced/_3.9.x.yaml | 9 ++++ examples/ai-request-transformer/_3.9.x.yaml | 18 ++++++++ examples/ai-response-transformer/_3.9.x.yaml | 21 +++++++++ examples/ai-semantic-cache/_3.9.x.yaml | 14 ++++++ examples/ai-semantic-prompt-guard/_3.9.x.yaml | 18 ++++++++ examples/app-dynamics/_3.9.x.yaml | 2 + examples/application-registration/_3.9.x.yaml | 7 +++ examples/aws-lambda/_3.9.x.yaml | 9 ++++ examples/azure-functions/_3.9.x.yaml | 6 +++ examples/basic-auth/_3.9.x.yaml | 3 ++ examples/bot-detection/_3.9.x.yaml | 4 ++ examples/canary/_3.9.x.yaml | 5 +++ examples/confluent/_3.9.x.yaml | 9 ++++ examples/correlation-id/_3.9.x.yaml | 5 +++ examples/cors/_3.9.x.yaml | 19 ++++++++ examples/datadog/_3.9.x.yaml | 6 +++ examples/degraphql/_3.9.x.yaml | 3 ++ examples/exit-transformer/_3.9.x.yaml | 4 ++ examples/file-log/_3.9.x.yaml | 3 ++ examples/forward-proxy/_3.9.x.yaml | 9 ++++ .../graphql-proxy-cache-advanced/_3.9.x.yaml | 3 ++ .../_3.9.x.yaml | 9 ++++ examples/grpc-gateway/_3.9.x.yaml | 3 ++ examples/grpc-web/_3.9.x.yaml | 3 ++ examples/header-cert-auth/_3.9.x.yaml | 7 +++ examples/hmac-auth/_3.9.x.yaml | 3 ++ examples/http-log/_3.9.x.yaml | 8 ++++ examples/ip-restriction/_3.9.x.yaml | 5 +++ examples/jq/_3.9.x.yaml | 3 ++ examples/json-threat-protection/_3.9.x.yaml | 11 +++++ examples/jwe-decrypt/_3.9.x.yaml | 4 ++ examples/jwt-signer/_3.9.x.yaml 
| 4 ++ examples/jwt/_3.9.x.yaml | 4 ++ examples/kafka-log/_3.9.x.yaml | 3 ++ examples/kafka-upstream/_3.9.x.yaml | 3 ++ examples/key-auth-enc/_3.9.x.yaml | 4 ++ examples/key-auth/_3.9.x.yaml | 4 ++ examples/konnect-application-auth/_3.9.x.yaml | 3 ++ examples/ldap-auth-advanced/_3.9.x.yaml | 10 +++++ examples/ldap-auth/_3.9.x.yaml | 8 ++++ examples/loggly/_3.9.x.yaml | 3 ++ examples/mocking/_3.9.x.yaml | 14 ++++++ examples/mtls-auth/_3.9.x.yaml | 6 +++ examples/oas-validation/_3.9.x.yaml | 29 +++++++++++++ examples/oauth2-introspection/_3.9.x.yaml | 5 +++ examples/oauth2/_3.9.x.yaml | 9 ++++ examples/opa/_3.9.x.yaml | 5 +++ examples/openid-connect/_3.9.x.yaml | 12 ++++++ examples/opentelemetry/_3.9.x.yaml | 6 +++ examples/post-function/_3.9.x.yaml | 6 +++ examples/pre-function/_3.9.x.yaml | 6 +++ examples/prometheus/_3.9.x.yaml | 4 ++ examples/proxy-cache-advanced/_3.9.x.yaml | 11 +++++ examples/proxy-cache/_3.9.x.yaml | 12 ++++++ examples/rate-limiting-advanced/_3.9.x.yaml | 11 +++++ examples/rate-limiting/_3.9.x.yaml | 5 +++ examples/request-size-limiting/_3.9.x.yaml | 4 ++ examples/request-termination/_3.9.x.yaml | 4 ++ .../request-transformer-advanced/_3.9.x.yaml | 43 +++++++++++++++++++ examples/request-transformer/_3.9.x.yaml | 36 ++++++++++++++++ examples/request-validator/_3.9.x.yaml | 3 ++ examples/response-ratelimiting/_3.9.x.yaml | 8 ++++ .../response-transformer-advanced/_3.9.x.yaml | 31 +++++++++++++ examples/response-transformer/_3.9.x.yaml | 24 +++++++++++ examples/route-by-header/_3.9.x.yaml | 8 ++++ .../route-transformer-advanced/_3.9.x.yaml | 3 ++ examples/saml/_3.9.x.yaml | 12 ++++++ examples/session/_3.9.x.yaml | 3 ++ examples/standard-webhooks/_3.9.x.yaml | 3 ++ examples/statsd-advanced/_3.9.x.yaml | 7 +++ examples/statsd/_3.9.x.yaml | 9 ++++ examples/syslog/_3.9.x.yaml | 3 ++ examples/tcp-log/_3.9.x.yaml | 4 ++ examples/tls-handshake-modifier/_3.9.x.yaml | 1 + examples/tls-metadata-headers/_3.9.x.yaml | 4 ++ examples/udp-log/_3.9.x.yaml | 5 
+++ examples/upstream-oauth/_3.9.x.yaml | 12 ++++++ examples/upstream-timeout/_3.9.x.yaml | 5 +++ examples/vault-auth/_3.9.x.yaml | 4 ++ examples/websocket-size-limit/_3.9.x.yaml | 4 ++ examples/websocket-validator/_3.9.x.yaml | 14 ++++++ examples/xml-threat-protection/_3.9.x.yaml | 6 +++ examples/zipkin/_3.9.x.yaml | 5 +++ 91 files changed, 775 insertions(+) create mode 100644 examples/acl/_3.9.x.yaml create mode 100644 examples/acme/_3.9.x.yaml create mode 100644 examples/ai-azure-content-safety/_3.9.x.yaml create mode 100644 examples/ai-prompt-decorator/_3.9.x.yaml create mode 100644 examples/ai-prompt-guard/_3.9.x.yaml create mode 100644 examples/ai-prompt-template/_3.9.x.yaml create mode 100644 examples/ai-proxy-advanced/_3.9.x.yaml create mode 100644 examples/ai-proxy/_3.9.x.yaml create mode 100644 examples/ai-rate-limiting-advanced/_3.9.x.yaml create mode 100644 examples/ai-request-transformer/_3.9.x.yaml create mode 100644 examples/ai-response-transformer/_3.9.x.yaml create mode 100644 examples/ai-semantic-cache/_3.9.x.yaml create mode 100644 examples/ai-semantic-prompt-guard/_3.9.x.yaml create mode 100644 examples/app-dynamics/_3.9.x.yaml create mode 100644 examples/application-registration/_3.9.x.yaml create mode 100644 examples/aws-lambda/_3.9.x.yaml create mode 100644 examples/azure-functions/_3.9.x.yaml create mode 100644 examples/basic-auth/_3.9.x.yaml create mode 100644 examples/bot-detection/_3.9.x.yaml create mode 100644 examples/canary/_3.9.x.yaml create mode 100644 examples/confluent/_3.9.x.yaml create mode 100644 examples/correlation-id/_3.9.x.yaml create mode 100644 examples/cors/_3.9.x.yaml create mode 100644 examples/datadog/_3.9.x.yaml create mode 100644 examples/degraphql/_3.9.x.yaml create mode 100644 examples/exit-transformer/_3.9.x.yaml create mode 100644 examples/file-log/_3.9.x.yaml create mode 100644 examples/forward-proxy/_3.9.x.yaml create mode 100644 examples/graphql-proxy-cache-advanced/_3.9.x.yaml create mode 100644 
examples/graphql-rate-limiting-advanced/_3.9.x.yaml create mode 100644 examples/grpc-gateway/_3.9.x.yaml create mode 100644 examples/grpc-web/_3.9.x.yaml create mode 100644 examples/header-cert-auth/_3.9.x.yaml create mode 100644 examples/hmac-auth/_3.9.x.yaml create mode 100644 examples/http-log/_3.9.x.yaml create mode 100644 examples/ip-restriction/_3.9.x.yaml create mode 100644 examples/jq/_3.9.x.yaml create mode 100644 examples/json-threat-protection/_3.9.x.yaml create mode 100644 examples/jwe-decrypt/_3.9.x.yaml create mode 100644 examples/jwt-signer/_3.9.x.yaml create mode 100644 examples/jwt/_3.9.x.yaml create mode 100644 examples/kafka-log/_3.9.x.yaml create mode 100644 examples/kafka-upstream/_3.9.x.yaml create mode 100644 examples/key-auth-enc/_3.9.x.yaml create mode 100644 examples/key-auth/_3.9.x.yaml create mode 100644 examples/konnect-application-auth/_3.9.x.yaml create mode 100644 examples/ldap-auth-advanced/_3.9.x.yaml create mode 100644 examples/ldap-auth/_3.9.x.yaml create mode 100644 examples/loggly/_3.9.x.yaml create mode 100644 examples/mocking/_3.9.x.yaml create mode 100644 examples/mtls-auth/_3.9.x.yaml create mode 100644 examples/oas-validation/_3.9.x.yaml create mode 100644 examples/oauth2-introspection/_3.9.x.yaml create mode 100644 examples/oauth2/_3.9.x.yaml create mode 100644 examples/opa/_3.9.x.yaml create mode 100644 examples/openid-connect/_3.9.x.yaml create mode 100644 examples/opentelemetry/_3.9.x.yaml create mode 100644 examples/post-function/_3.9.x.yaml create mode 100644 examples/pre-function/_3.9.x.yaml create mode 100644 examples/prometheus/_3.9.x.yaml create mode 100644 examples/proxy-cache-advanced/_3.9.x.yaml create mode 100644 examples/proxy-cache/_3.9.x.yaml create mode 100644 examples/rate-limiting-advanced/_3.9.x.yaml create mode 100644 examples/rate-limiting/_3.9.x.yaml create mode 100644 examples/request-size-limiting/_3.9.x.yaml create mode 100644 examples/request-termination/_3.9.x.yaml create mode 100644 
examples/request-transformer-advanced/_3.9.x.yaml create mode 100644 examples/request-transformer/_3.9.x.yaml create mode 100644 examples/request-validator/_3.9.x.yaml create mode 100644 examples/response-ratelimiting/_3.9.x.yaml create mode 100644 examples/response-transformer-advanced/_3.9.x.yaml create mode 100644 examples/response-transformer/_3.9.x.yaml create mode 100644 examples/route-by-header/_3.9.x.yaml create mode 100644 examples/route-transformer-advanced/_3.9.x.yaml create mode 100644 examples/saml/_3.9.x.yaml create mode 100644 examples/session/_3.9.x.yaml create mode 100644 examples/standard-webhooks/_3.9.x.yaml create mode 100644 examples/statsd-advanced/_3.9.x.yaml create mode 100644 examples/statsd/_3.9.x.yaml create mode 100644 examples/syslog/_3.9.x.yaml create mode 100644 examples/tcp-log/_3.9.x.yaml create mode 100644 examples/tls-handshake-modifier/_3.9.x.yaml create mode 100644 examples/tls-metadata-headers/_3.9.x.yaml create mode 100644 examples/udp-log/_3.9.x.yaml create mode 100644 examples/upstream-oauth/_3.9.x.yaml create mode 100644 examples/upstream-timeout/_3.9.x.yaml create mode 100644 examples/vault-auth/_3.9.x.yaml create mode 100644 examples/websocket-size-limit/_3.9.x.yaml create mode 100644 examples/websocket-validator/_3.9.x.yaml create mode 100644 examples/xml-threat-protection/_3.9.x.yaml create mode 100644 examples/zipkin/_3.9.x.yaml diff --git a/examples/acl/_3.9.x.yaml b/examples/acl/_3.9.x.yaml new file mode 100644 index 00000000..a76559c0 --- /dev/null +++ b/examples/acl/_3.9.x.yaml @@ -0,0 +1,6 @@ +name: acl +config: + allow: + - group1 + - group2 + hide_groups_header: true diff --git a/examples/acme/_3.9.x.yaml b/examples/acme/_3.9.x.yaml new file mode 100644 index 00000000..6b35cddc --- /dev/null +++ b/examples/acme/_3.9.x.yaml @@ -0,0 +1,3 @@ +name: acme +config: + account_email: example@example.com 
diff --git a/examples/ai-azure-content-safety/_3.9.x.yaml b/examples/ai-azure-content-safety/_3.9.x.yaml new file mode 100644 index 00000000..025407dc --- /dev/null +++ b/examples/ai-azure-content-safety/_3.9.x.yaml @@ -0,0 +1,9 @@ +name: ai-azure-content-safety +config: + content_safety_url: http//: + azure_use_managed_identity: false + reveal_failure_reason: true + content_safety_key: anything + categories: + - "Hate" + - "Violence" \ No newline at end of file diff --git a/examples/ai-prompt-decorator/_3.9.x.yaml b/examples/ai-prompt-decorator/_3.9.x.yaml new file mode 100644 index 00000000..50a84994 --- /dev/null +++ b/examples/ai-prompt-decorator/_3.9.x.yaml @@ -0,0 +1,13 @@ +name: ai-prompt-decorator +config: + prompts: + prepend: + - role: "system" + content: "You are data scientist, specialising in survey analytics." + - role: "user" + content: "Classify this test result set as positive, negative, or neutral." + - role: "assistant" + content: "These tests are NEUTRAL." + append: + - role: "user" + content: "Do not mention any real participants name in your justification." diff --git a/examples/ai-prompt-guard/_3.9.x.yaml b/examples/ai-prompt-guard/_3.9.x.yaml new file mode 100644 index 00000000..bd724506 --- /dev/null +++ b/examples/ai-prompt-guard/_3.9.x.yaml @@ -0,0 +1,9 @@ +name: ai-prompt-guard +config: + allow_all_conversation_history: true + allow_patterns: + - ".*(P|p)ears.*" + - ".*(P|p)eaches.*" + deny_patterns: + - ".*(A|a)pples.*" + - ".*(O|o)ranges.*" diff --git a/examples/ai-prompt-template/_3.9.x.yaml b/examples/ai-prompt-template/_3.9.x.yaml new file mode 100644 index 00000000..1ed007fc --- /dev/null +++ b/examples/ai-prompt-template/_3.9.x.yaml 
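Review bot: `content_safety_url: http//:` is not a valid URL and `content_safety_key: anything` shows the API key as an inline literal, so the example cannot be applied as written and models the wrong way to supply the key. I would use clearly labelled placeholders, `content_safety_url: https://<CONTENT_SAFETY_ENDPOINT>` and `content_safety_key: <CONTENT_SAFETY_KEY>`, with a comment that the key belongs in a vault reference or environment-backed secret rather than in the file. The same inline-literal pattern appears in the forward-proxy (`auth_password: example_pass`), opentelemetry (`X-Auth-Token: secret-token`), session (`secret: opensesame`) and standard-webhooks (`secret_v1: example-secret`) examples. `reveal_failure_reason: true` presumably returns the rejection reason to the caller; a one-line comment saying so would help readers decide whether they want it.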
@@ -0,0 +1,23 @@ +name: ai-prompt-template +config: + allow_untemplated_requests: true + templates: + - name: "developer-chat" + template: |- + { + "messages": [ + { + "role": "system", + "content": "You are a {{program}} expert, in {{language}} programming language." + }, + { + "role": "user", + "content": "Write me a {{program}} program." + } + ] + } + - name: "summarize-prompt" + template: |- + { + "prompt": "Summarize the following text for me: {{text}}" + } diff --git a/examples/ai-proxy-advanced/_3.9.x.yaml b/examples/ai-proxy-advanced/_3.9.x.yaml new file mode 100644 index 00000000..54acb74f --- /dev/null +++ b/examples/ai-proxy-advanced/_3.9.x.yaml @@ -0,0 +1,15 @@ +name: ai-proxy-advanced +config: + targets: + - route_type: llm/v1/chat + auth: + header_name: Authorization + header_value: Bearer token + model: + provider: openai + - route_type: llm/v1/chat + model: + provider: llama2 + options: + llama2_format: openai + upstream_url: http://httpbin diff --git a/examples/ai-proxy/_3.9.x.yaml b/examples/ai-proxy/_3.9.x.yaml new file mode 100644 index 00000000..a16a3dd4 --- /dev/null +++ b/examples/ai-proxy/_3.9.x.yaml @@ -0,0 +1,12 @@ +name: ai-proxy +config: + route_type: "llm/v1/chat" + auth: + header_name: "Authorization" + header_value: "Bearer " + model: + provider: "openai" + name: "gpt-4" + options: + max_tokens: 512 + temperature: 1.0 diff --git a/examples/ai-rate-limiting-advanced/_3.9.x.yaml b/examples/ai-rate-limiting-advanced/_3.9.x.yaml new file mode 100644 index 00000000..9831356c --- /dev/null +++ b/examples/ai-rate-limiting-advanced/_3.9.x.yaml @@ -0,0 +1,9 @@ +name: ai-rate-limiting-advanced +config: + llm_providers: + - name: openai + limit: 1000 + window_size: 3600 + - name: mistral + limit: 100 + window_size: 60 diff --git a/examples/ai-request-transformer/_3.9.x.yaml b/examples/ai-request-transformer/_3.9.x.yaml new file mode 100644 index 00000000..b8275ac7 --- /dev/null +++ b/examples/ai-request-transformer/_3.9.x.yaml 
@@ -0,0 +1,18 @@ +name: ai-request-transformer +config: + prompt: "Mask any credit card numbers in my JSON message. Reply with only the JSON result." + transformation_extract_pattern: '\\{((.|\n)*)\\}' + llm: + route_type: "llm/v1/chat" + auth: + header_name: "Authorization" + header_value: "Bearer " + logging: + log_statistics: true + log_payloads: false + model: + provider: "openai" + name: "gpt-4" + options: + max_tokens: 1024 + temperature: 1.0 diff --git a/examples/ai-response-transformer/_3.9.x.yaml b/examples/ai-response-transformer/_3.9.x.yaml new file mode 100644 index 00000000..4c62a8e2 --- /dev/null +++ b/examples/ai-response-transformer/_3.9.x.yaml @@ -0,0 +1,21 @@ +name: ai-response-transformer +config: + prompt: "For any city name, put the country that it's in, in brackets next to it. Reply with only the JSON result." + transformation_extract_pattern: '\\{((.|\n)*)\\}' + parse_llm_response_json_instructions: false + llm: + route_type: "llm/v1/chat" + auth: + header_name: "api-key" + header_value: "" + logging: + log_statistics: true + log_payloads: false + model: + provider: "azure" + name: "gpt-35-turbo" + options: + max_tokens: 1024 + temperature: 1.0 + azure_instance: "azure-openai-instance-name" + azure_deployment_id: "gpt-3-5-deployment" diff --git a/examples/ai-semantic-cache/_3.9.x.yaml b/examples/ai-semantic-cache/_3.9.x.yaml new file mode 100644 index 00000000..e273c72f --- /dev/null +++ b/examples/ai-semantic-cache/_3.9.x.yaml @@ -0,0 +1,14 @@ +name: ai-semantic-cache +config: + embeddings: + model: + provider: openai + name: text-embedding-3-large + vectordb: + strategy: redis + dimensions: 3072 + threshold: 0.1 + distance_metric: cosine + redis: + host: exampleredis.com + port: 80 diff --git a/examples/ai-semantic-prompt-guard/_3.9.x.yaml b/examples/ai-semantic-prompt-guard/_3.9.x.yaml new file mode 100644 index 00000000..aceb96eb --- /dev/null +++ b/examples/ai-semantic-prompt-guard/_3.9.x.yaml 
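Review bot: `transformation_extract_pattern: '\\{((.|\n)*)\\}'` is single-quoted YAML, where backslashes are not escapes, so the pattern reaching the plugin begins with `\\{`. If the value is used as a regex as-is, that only matches a brace preceded by a literal backslash, and a plain JSON object would never match. The doubled backslashes look carried over from a Lua or JSON string literal; in this file the line would be `transformation_extract_pattern: '\{((.|\n)*)\}'`. The ai-response-transformer example that follows has the same value.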
@@ -0,0 +1,18 @@ +name: ai-semantic-prompt-guard +config: + embeddings: + provider: openai + name: text-embedding-3-large + vectordb: + strategy: redis + distance_metric: cosine + threshold: 0.5 + dimensions: 1024 + redis: + host: localhost + port: 6379 + rules: + match_all_conversation_history: true + allow_prompts: + - "[1] = string.rep('x', 501)" + deny_prompts: {} diff --git a/examples/app-dynamics/_3.9.x.yaml b/examples/app-dynamics/_3.9.x.yaml new file mode 100644 index 00000000..fb73f97b --- /dev/null +++ b/examples/app-dynamics/_3.9.x.yaml @@ -0,0 +1,2 @@ +name: app-dynamics +config: {} diff --git a/examples/application-registration/_3.9.x.yaml b/examples/application-registration/_3.9.x.yaml new file mode 100644 index 00000000..a52184fb --- /dev/null +++ b/examples/application-registration/_3.9.x.yaml @@ -0,0 +1,7 @@ +name: application-registration +service: SERVICE_NAME +config: + auto_approve: false + description: + display_name: + show_issuer: false diff --git a/examples/aws-lambda/_3.9.x.yaml b/examples/aws-lambda/_3.9.x.yaml new file mode 100644 index 00000000..5eddd18d --- /dev/null +++ b/examples/aws-lambda/_3.9.x.yaml @@ -0,0 +1,9 @@ +name: aws-lambda +config: + aws_key: + aws_secret: + aws_region: + aws_assume_role_arn: + aws_role_session_name: + function_name: + proxy_url: http://my-proxy-server:3128 diff --git a/examples/azure-functions/_3.9.x.yaml b/examples/azure-functions/_3.9.x.yaml new file mode 100644 index 00000000..00f73c86 --- /dev/null +++ b/examples/azure-functions/_3.9.x.yaml @@ -0,0 +1,6 @@ +name: azure-functions +config: + functionname: + appname: + hostdomain: azurewebsites.net + apikey: diff --git a/examples/basic-auth/_3.9.x.yaml b/examples/basic-auth/_3.9.x.yaml new file mode 100644 index 00000000..40fcf8c2 --- /dev/null +++ b/examples/basic-auth/_3.9.x.yaml @@ -0,0 +1,3 @@ +name: basic-auth +config: + hide_credentials: true 
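Review bot: The `allow_prompts` entry `"[1] = string.rep('x', 501)"` reads like a leftover from a length-limit test rather than an example prompt, and as a quoted string it would be taken literally as the only allowed prompt. `deny_prompts: {}` is an empty map while `allow_prompts` is a list; `deny_prompts: []` would be consistent and less likely to trip schema validation. `embeddings` here carries `provider` and `name` directly, whereas the ai-semantic-cache example in this commit nests them under `model:`; the page's indentation is collapsed, so this needs checking against the 3.9.x schema. A sentence-style sample such as `- "Questions about order status"` (constructed) would show the intent of the rule list.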
diff --git a/examples/bot-detection/_3.9.x.yaml b/examples/bot-detection/_3.9.x.yaml new file mode 100644 index 00000000..e4f2eb24 --- /dev/null +++ b/examples/bot-detection/_3.9.x.yaml @@ -0,0 +1,4 @@ +name: bot-detection +config: + deny: + - helloworld diff --git a/examples/canary/_3.9.x.yaml b/examples/canary/_3.9.x.yaml new file mode 100644 index 00000000..928424f8 --- /dev/null +++ b/examples/canary/_3.9.x.yaml @@ -0,0 +1,5 @@ +name: canary +config: + percentage: 50 + upstream_host: example.com + upstream_port: 80 diff --git a/examples/confluent/_3.9.x.yaml b/examples/confluent/_3.9.x.yaml new file mode 100644 index 00000000..d4bd8e82 --- /dev/null +++ b/examples/confluent/_3.9.x.yaml @@ -0,0 +1,9 @@ +name: confluent +config: + bootstrap_servers: + - host: example.com + port: 80 + producer_async: false + topic: 'kong-test' + cluster_api_key: CONFLUENT_CLUSTER_API_KEY + cluster_api_secret: CONFLUENT_CLUSTER_API_SECRET \ No newline at end of file diff --git a/examples/correlation-id/_3.9.x.yaml b/examples/correlation-id/_3.9.x.yaml new file mode 100644 index 00000000..31240989 --- /dev/null +++ b/examples/correlation-id/_3.9.x.yaml @@ -0,0 +1,5 @@ +name: correlation-id +config: + header_name: Kong-Request-ID + generator: uuid#counter + echo_downstream: false diff --git a/examples/cors/_3.9.x.yaml b/examples/cors/_3.9.x.yaml new file mode 100644 index 00000000..c2046281 --- /dev/null +++ b/examples/cors/_3.9.x.yaml @@ -0,0 +1,19 @@ +name: cors +config: + origins: + - http://mockbin.com + methods: + - GET + - POST + headers: + - Accept + - Accept-Version + - Content-Length + - Content-MD5 + - Content-Type + - Date + - X-Auth-Token + exposed_headers: + - X-Auth-Token + credentials: true + max_age: 3600 diff --git a/examples/datadog/_3.9.x.yaml b/examples/datadog/_3.9.x.yaml new file mode 100644 index 00000000..957e300c --- /dev/null +++ b/examples/datadog/_3.9.x.yaml 
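Review bot: The cors example combines `credentials: true` with a plain-HTTP third-party origin, `- http://mockbin.com`, so copied as-is it allows credentialed cross-origin requests from pages delivered over an unauthenticated channel on a domain the reader does not control. An HTTPS origin under the reader's control, e.g. `- https://app.example.com` (constructed), would be a safer template. A comment that `credentials: true` should only be paired with explicitly listed trusted origins would also help.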
@@ -0,0 +1,6 @@ +name: datadog +config: + host: 127.0.0.1 + port: 8125 + flush_timeout: 2 + retry_count: 10 diff --git a/examples/degraphql/_3.9.x.yaml b/examples/degraphql/_3.9.x.yaml new file mode 100644 index 00000000..84443323 --- /dev/null +++ b/examples/degraphql/_3.9.x.yaml @@ -0,0 +1,3 @@ +name: degraphql +config: + graphql_server_path: '/graphql' diff --git a/examples/exit-transformer/_3.9.x.yaml b/examples/exit-transformer/_3.9.x.yaml new file mode 100644 index 00000000..c7f0c5d4 --- /dev/null +++ b/examples/exit-transformer/_3.9.x.yaml @@ -0,0 +1,4 @@ +name: exit-transformer +config: + functions: + - "return function(status, body, headers) return status, body, headers end" diff --git a/examples/file-log/_3.9.x.yaml b/examples/file-log/_3.9.x.yaml new file mode 100644 index 00000000..aefd2bdc --- /dev/null +++ b/examples/file-log/_3.9.x.yaml @@ -0,0 +1,3 @@ +name: file-log +config: + path: /tmp/file.log diff --git a/examples/forward-proxy/_3.9.x.yaml b/examples/forward-proxy/_3.9.x.yaml new file mode 100644 index 00000000..7fb797ca --- /dev/null +++ b/examples/forward-proxy/_3.9.x.yaml @@ -0,0 +1,9 @@ +name: forward-proxy +config: + http_proxy_host: example.com + http_proxy_port: 80 + proxy_scheme: http + auth_username: example_user + auth_password: example_pass + https_verify: false + x_headers: transparent diff --git a/examples/graphql-proxy-cache-advanced/_3.9.x.yaml b/examples/graphql-proxy-cache-advanced/_3.9.x.yaml new file mode 100644 index 00000000..e1ce637b --- /dev/null +++ b/examples/graphql-proxy-cache-advanced/_3.9.x.yaml @@ -0,0 +1,3 @@ +name: graphql-proxy-cache-advanced +config: + strategy: memory diff --git a/examples/graphql-rate-limiting-advanced/_3.9.x.yaml b/examples/graphql-rate-limiting-advanced/_3.9.x.yaml new file mode 100644 index 00000000..10985f83 --- /dev/null +++ b/examples/graphql-rate-limiting-advanced/_3.9.x.yaml 
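Review bot: `https_verify: false` in the forward-proxy example leaves the server certificate unverified for proxied HTTPS traffic, as I read the option, and example files tend to be pasted unchanged. Showing `https_verify: true` with a comment that the trusted CA bundle must be configured, or at least a comment that `false` is for local testing only, would avoid normalising it. The ldap-auth-advanced example in this commit has the same issue with `verify_ldap_host: false` next to `start_tls: true`, where the TLS upgrade then does not authenticate the directory server.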
@@ -0,0 +1,9 @@ +name: graphql-rate-limiting-advanced +config: + limit: + - 5 + window_size: + - 30 + sync_rate: -1 + namespace: example_namespace + strategy: cluster diff --git a/examples/grpc-gateway/_3.9.x.yaml b/examples/grpc-gateway/_3.9.x.yaml new file mode 100644 index 00000000..36b576ea --- /dev/null +++ b/examples/grpc-gateway/_3.9.x.yaml @@ -0,0 +1,3 @@ +name: grpc-gateway +config: + proto: path/to/hello.proto diff --git a/examples/grpc-web/_3.9.x.yaml b/examples/grpc-web/_3.9.x.yaml new file mode 100644 index 00000000..e4f2c597 --- /dev/null +++ b/examples/grpc-web/_3.9.x.yaml @@ -0,0 +1,3 @@ +name: grpc-web +config: + proto: path/to/hello.proto diff --git a/examples/header-cert-auth/_3.9.x.yaml b/examples/header-cert-auth/_3.9.x.yaml new file mode 100644 index 00000000..0bbd7799 --- /dev/null +++ b/examples/header-cert-auth/_3.9.x.yaml @@ -0,0 +1,7 @@ +name: header-cert-auth +config: + ca_certificates: + - "0D769DE8-7CC0-4541-989B-F9C23E20054C" + certificate_header_name: ssl-client-cert + certificate_header_format: base64_encoded + secure_source: false \ No newline at end of file diff --git a/examples/hmac-auth/_3.9.x.yaml b/examples/hmac-auth/_3.9.x.yaml new file mode 100644 index 00000000..ba1ae19d --- /dev/null +++ b/examples/hmac-auth/_3.9.x.yaml @@ -0,0 +1,3 @@ +name: hmac-auth +config: + hide_credentials: false diff --git a/examples/http-log/_3.9.x.yaml b/examples/http-log/_3.9.x.yaml new file mode 100644 index 00000000..dd88c67c --- /dev/null +++ b/examples/http-log/_3.9.x.yaml @@ -0,0 +1,8 @@ +name: http-log +config: + http_endpoint: http://mockbin.org/bin/:id + method: POST + timeout: 1000 + keepalive: 1000 + flush_timeout: 2 + retry_count: 15 diff --git a/examples/ip-restriction/_3.9.x.yaml b/examples/ip-restriction/_3.9.x.yaml new file mode 100644 index 00000000..4ca5298d --- /dev/null +++ b/examples/ip-restriction/_3.9.x.yaml @@ -0,0 +1,5 @@ +name: ip-restriction +config: + allow: + - 54.13.21.1 + - 143.1.0.0/24 
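Review bot: `secure_source: false` in the header-cert-auth example is the line to question: as I understand the option, it removes the restriction that the certificate header may only come from trusted source addresses, so any client that can reach the gateway could supply its own `ssl-client-cert` header. For an authentication example I would show `secure_source: true` and add a comment that the TLS-terminating proxy must be listed in Kong's `trusted_ips` and must strip the header from inbound requests. If `false` is kept for simplicity, it needs a comment stating that it is only safe when the gateway is unreachable except through that proxy.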
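Review bot: `http_endpoint: http://mockbin.org/bin/:id` in the http-log example sends request logs, which can include headers and client addresses, in cleartext to a public third-party service. A neutral HTTPS placeholder such as `http_endpoint: https://logs.example.com/kong` (constructed) would be a safer template. Other examples in this commit also default to unencrypted transports and deserve the same treatment or a comment: ldap-auth (`ldap_port: 389` with no `start_tls` or `ldaps`, so bind credentials would cross the network in clear), openid-connect (`issuer: http://example.org`), saml (`idp_sso_url: http://example.org/sso-uri`) and opentelemetry (`http://opentelemetry.collector:4318/...` alongside an auth header).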
diff --git a/examples/jq/_3.9.x.yaml b/examples/jq/_3.9.x.yaml new file mode 100644 index 00000000..d69ce58d --- /dev/null +++ b/examples/jq/_3.9.x.yaml @@ -0,0 +1,3 @@ +name: jq +config: + request_jq_program: .[0] diff --git a/examples/json-threat-protection/_3.9.x.yaml b/examples/json-threat-protection/_3.9.x.yaml new file mode 100644 index 00000000..787fdad7 --- /dev/null +++ b/examples/json-threat-protection/_3.9.x.yaml @@ -0,0 +1,11 @@ +name: json-threat-protection +config: + max_body_size: 10 + max_container_depth: 1 + max_object_entry_count: 2 + max_object_entry_name_length: 3 + max_array_element_count: 4 + max_string_value_length: 5 + enforcement_mode: block + error_status_code: 400 + error_message: BadRequest \ No newline at end of file diff --git a/examples/jwe-decrypt/_3.9.x.yaml b/examples/jwe-decrypt/_3.9.x.yaml new file mode 100644 index 00000000..f413b0e5 --- /dev/null +++ b/examples/jwe-decrypt/_3.9.x.yaml @@ -0,0 +1,4 @@ +name: jwe-decrypt +config: + key_sets: + - dummyID diff --git a/examples/jwt-signer/_3.9.x.yaml b/examples/jwt-signer/_3.9.x.yaml new file mode 100644 index 00000000..71443348 --- /dev/null +++ b/examples/jwt-signer/_3.9.x.yaml @@ -0,0 +1,4 @@ +name: jwt-signer +config: + access_token_introspection_scopes_claim: + - scope diff --git a/examples/jwt/_3.9.x.yaml b/examples/jwt/_3.9.x.yaml new file mode 100644 index 00000000..60fd478d --- /dev/null +++ b/examples/jwt/_3.9.x.yaml @@ -0,0 +1,4 @@ +name: jwt +config: + uri_param_names: + - paramName_2.2.x diff --git a/examples/kafka-log/_3.9.x.yaml b/examples/kafka-log/_3.9.x.yaml new file mode 100644 index 00000000..efb1efa7 --- /dev/null +++ b/examples/kafka-log/_3.9.x.yaml @@ -0,0 +1,3 @@ +name: kafka-log +config: + topic: TOPIC diff --git a/examples/kafka-upstream/_3.9.x.yaml b/examples/kafka-upstream/_3.9.x.yaml new file mode 100644 index 00000000..64ff19e5 --- /dev/null +++ b/examples/kafka-upstream/_3.9.x.yaml @@ -0,0 +1,3 @@ +name: kafka-upstream +config: + topic: TOPIC 
diff --git a/examples/key-auth-enc/_3.9.x.yaml b/examples/key-auth-enc/_3.9.x.yaml new file mode 100644 index 00000000..9f1a6093 --- /dev/null +++ b/examples/key-auth-enc/_3.9.x.yaml @@ -0,0 +1,4 @@ +name: key-auth-enc +config: + key_names: + - apikey diff --git a/examples/key-auth/_3.9.x.yaml b/examples/key-auth/_3.9.x.yaml new file mode 100644 index 00000000..f8ef72c5 --- /dev/null +++ b/examples/key-auth/_3.9.x.yaml @@ -0,0 +1,4 @@ +name: key-auth +config: + key_names: + - apikey diff --git a/examples/konnect-application-auth/_3.9.x.yaml b/examples/konnect-application-auth/_3.9.x.yaml new file mode 100644 index 00000000..e54993e5 --- /dev/null +++ b/examples/konnect-application-auth/_3.9.x.yaml @@ -0,0 +1,3 @@ +name: konnect-application-auth +config: + scope: 'uuid' diff --git a/examples/ldap-auth-advanced/_3.9.x.yaml b/examples/ldap-auth-advanced/_3.9.x.yaml new file mode 100644 index 00000000..5396d6cf --- /dev/null +++ b/examples/ldap-auth-advanced/_3.9.x.yaml @@ -0,0 +1,10 @@ +name: ldap-auth-advanced +config: + ldap_host: ldap.example.com + ldap_port: 389 + start_tls: true + base_dn: dc=example,dc=com + verify_ldap_host: false + attribute: cn + cache_ttl: 60 + header_type: ldap diff --git a/examples/ldap-auth/_3.9.x.yaml b/examples/ldap-auth/_3.9.x.yaml new file mode 100644 index 00000000..fe95f595 --- /dev/null +++ b/examples/ldap-auth/_3.9.x.yaml @@ -0,0 +1,8 @@ +name: ldap-auth +config: + hide_credentials: true + ldap_host: ldap.example.com + ldap_port: 389 + base_dn: dc=example,dc=com + attribute: cn + header_type: ldap diff --git a/examples/loggly/_3.9.x.yaml b/examples/loggly/_3.9.x.yaml new file mode 100644 index 00000000..186454f8 --- /dev/null +++ b/examples/loggly/_3.9.x.yaml @@ -0,0 +1,3 @@ +name: loggly +config: + key: YOUR_LOGGLY_SERVICE_TOKEN diff --git a/examples/mocking/_3.9.x.yaml b/examples/mocking/_3.9.x.yaml new file mode 100644 index 00000000..549e1f46 --- /dev/null +++ b/examples/mocking/_3.9.x.yaml 
@@ -0,0 +1,14 @@ +name: mocking +config: + random_delay: true + max_delay_time: 1 + min_delay_time: 0.001 + random_examples: true + api_specification: | + openapi: 3.0.1 + info: + title: OpenAPI 3.0 API + description: This is a simple API + contact: + email: example@example.com + version: 1.0.0 diff --git a/examples/mtls-auth/_3.9.x.yaml b/examples/mtls-auth/_3.9.x.yaml new file mode 100644 index 00000000..4bcdb7fd --- /dev/null +++ b/examples/mtls-auth/_3.9.x.yaml @@ -0,0 +1,6 @@ +name: mtls-auth +config: + ca_certificates: + - fdac360e-7b19-4ade-a553-6dd22937c82f + http_proxy_host: example + http_proxy_port: 80 diff --git a/examples/oas-validation/_3.9.x.yaml b/examples/oas-validation/_3.9.x.yaml new file mode 100644 index 00000000..2eb7dc89 --- /dev/null +++ b/examples/oas-validation/_3.9.x.yaml @@ -0,0 +1,29 @@ +name: oas-validation +config: + api_spec: | + openapi: 3.0.0 + info: + version: "2.19.3" + title: Xero Finance API + description: The Finance API is a collection of endpoints which customers can use in the course of a loan application, which may assist lenders to gain the confidence they need to provide capital. + termsOfService: "https://developer.xero.com/xero-developer-platform-terms-conditions/" + contact: + name: "Xero Platform Team" + email: "api@xero.com" + url: "https://developer.xero.com" + license: + name: MIT + url: 'https://github.com/XeroAPI/Xero-OpenAPI/blob/master/LICENSE' + servers: + - description: Xero API servers + url: https://api.xero.com/finance.xro/1.0 + paths: + /CashValidation: + get: + security: + - OAuth2: [finance.cashvalidation.read] + tags: + - Finance + summary: Get cash validation + operationId: getCashValidation + description: Summarizes the total cash position for each account for an org diff --git a/examples/oauth2-introspection/_3.9.x.yaml b/examples/oauth2-introspection/_3.9.x.yaml new file mode 100644 index 00000000..bdf723af --- /dev/null +++ b/examples/oauth2-introspection/_3.9.x.yaml 
@@ -0,0 +1,5 @@ +name: oauth2-introspection +config: + introspection_url: https://example-url.com + authorization_value: Basic MG9hNWlpbjpPcGVuU2VzYW1l + consumer_by: username diff --git a/examples/oauth2/_3.9.x.yaml b/examples/oauth2/_3.9.x.yaml new file mode 100644 index 00000000..d733d558 --- /dev/null +++ b/examples/oauth2/_3.9.x.yaml @@ -0,0 +1,9 @@ +name: oauth2 +config: + scopes: + - email + - phone + - address + mandatory_scope: true + provision_key: + enable_authorization_code: true diff --git a/examples/opa/_3.9.x.yaml b/examples/opa/_3.9.x.yaml new file mode 100644 index 00000000..51ff2b78 --- /dev/null +++ b/examples/opa/_3.9.x.yaml @@ -0,0 +1,5 @@ +name: opa +config: + opa_host: localhost + opa_port: 8181 + opa_path: /v1/data/example/kong/allowBoolean diff --git a/examples/openid-connect/_3.9.x.yaml b/examples/openid-connect/_3.9.x.yaml new file mode 100644 index 00000000..69f30114 --- /dev/null +++ b/examples/openid-connect/_3.9.x.yaml @@ -0,0 +1,12 @@ +name: openid-connect +config: + auth_methods: + - authorization_code + - session + issuer: http://example.org + client_id: + - + client_secret: + - + session_secret: + response_mode: form_post diff --git a/examples/opentelemetry/_3.9.x.yaml b/examples/opentelemetry/_3.9.x.yaml new file mode 100644 index 00000000..02aeaa66 --- /dev/null +++ b/examples/opentelemetry/_3.9.x.yaml @@ -0,0 +1,6 @@ +name: opentelemetry +config: + traces_endpoint: http://opentelemetry.collector:4318/v1/traces + logs_endpoint: http://opentelemetry.collector:4318/v1/logs + headers: + X-Auth-Token: secret-token diff --git a/examples/post-function/_3.9.x.yaml b/examples/post-function/_3.9.x.yaml new file mode 100644 index 00000000..f980a541 --- /dev/null +++ b/examples/post-function/_3.9.x.yaml @@ -0,0 +1,6 @@ +name: post-function +config: + access: + - | + kong.log.err("foo") + kong.response.exit(418) diff --git a/examples/pre-function/_3.9.x.yaml b/examples/pre-function/_3.9.x.yaml new file mode 100644 index 00000000..62ffe4dd 
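Review bot: `authorization_value: Basic MG9hNWlpbjpPcGVuU2VzYW1l` is a well-formed Basic credential that base64-decodes to an id and password pair, so secret scanners will flag it and readers cannot tell whether it is live. A labelled placeholder, `authorization_value: Basic <BASE64_CLIENT_ID:CLIENT_SECRET>`, makes the format clear without embedding a value. `introspection_url: https://example-url.com` points at a registrable domain; a reserved name such as `https://idp.example.com/introspect` (constructed) avoids sending a pasted config's tokens to a host someone else may own.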
--- /dev/null +++ b/examples/pre-function/_3.9.x.yaml @@ -0,0 +1,6 @@ +name: pre-function +config: + access: + - | + kong.log.err("foo") + kong.response.exit(418) diff --git a/examples/prometheus/_3.9.x.yaml b/examples/prometheus/_3.9.x.yaml new file mode 100644 index 00000000..6b7b3b62 --- /dev/null +++ b/examples/prometheus/_3.9.x.yaml @@ -0,0 +1,4 @@ +name: prometheus +config: + per_consumer: false + diff --git a/examples/proxy-cache-advanced/_3.9.x.yaml b/examples/proxy-cache-advanced/_3.9.x.yaml new file mode 100644 index 00000000..d070db76 --- /dev/null +++ b/examples/proxy-cache-advanced/_3.9.x.yaml @@ -0,0 +1,11 @@ +name: proxy-cache-advanced +config: + response_code: + - 200 + request_method: + - GET + - HEAD + content_type: + - text/plain + - application/json + strategy: memory diff --git a/examples/proxy-cache/_3.9.x.yaml b/examples/proxy-cache/_3.9.x.yaml new file mode 100644 index 00000000..ce185e5e --- /dev/null +++ b/examples/proxy-cache/_3.9.x.yaml @@ -0,0 +1,12 @@ +name: proxy-cache +config: + response_code: + - 200 + request_method: + - GET + - HEAD + content_type: + - text/plain + - application/json + cache_ttl: 300 + strategy: memory diff --git a/examples/rate-limiting-advanced/_3.9.x.yaml b/examples/rate-limiting-advanced/_3.9.x.yaml new file mode 100644 index 00000000..7fee7c38 --- /dev/null +++ b/examples/rate-limiting-advanced/_3.9.x.yaml @@ -0,0 +1,11 @@ +name: rate-limiting-advanced +config: + limit: + - 5 + window_size: + - 30 + identifier: consumer + sync_rate: -1 + namespace: example_namespace + strategy: local + hide_client_headers: false diff --git a/examples/rate-limiting/_3.9.x.yaml b/examples/rate-limiting/_3.9.x.yaml new file mode 100644 index 00000000..f43f89fd --- /dev/null +++ b/examples/rate-limiting/_3.9.x.yaml @@ -0,0 +1,5 @@ +name: rate-limiting +config: + second: 5 + hour: 10000 + policy: local 
diff --git a/examples/request-size-limiting/_3.9.x.yaml b/examples/request-size-limiting/_3.9.x.yaml new file mode 100644 index 00000000..983d6d9e --- /dev/null +++ b/examples/request-size-limiting/_3.9.x.yaml @@ -0,0 +1,4 @@ +name: request-size-limiting +config: + allowed_payload_size: 128 + require_content_length: false diff --git a/examples/request-termination/_3.9.x.yaml b/examples/request-termination/_3.9.x.yaml new file mode 100644 index 00000000..7be67818 --- /dev/null +++ b/examples/request-termination/_3.9.x.yaml @@ -0,0 +1,4 @@ +name: request-termination +config: + status_code: 403 + message: So long and thanks for all the fish! diff --git a/examples/request-transformer-advanced/_3.9.x.yaml b/examples/request-transformer-advanced/_3.9.x.yaml new file mode 100644 index 00000000..999898e7 --- /dev/null +++ b/examples/request-transformer-advanced/_3.9.x.yaml @@ -0,0 +1,43 @@ +name: request-transformer-advanced +config: + remove: + headers: + - x-toremove + - x-another-one + remove: + querystring: + - qs-old-name:qs-new-name + - qs2-old-name:qs2-new-name + remove: + body: + - formparam-toremove + - formparam-another-one + replace: + body: + - body-param1:new-value-1 + - body-param2:new-value-2 + rename: + headers: + - header-old-name:header-new-name + - another-old-name:another-new-name + rename: + querystring: + - qs-old-name:qs-new-name + - qs2-old-name:qs2-new-name + rename: + body: + - param-old:param-new + - param2-old:param2-new + add: + headers: + - x-new-header:value + - x-another-header:something + add: + querystring: + - new-param:some_value + - another-param:some_value + add: + json_types: + - string + - boolean + - number diff --git a/examples/request-transformer/_3.9.x.yaml b/examples/request-transformer/_3.9.x.yaml new file mode 100644 index 00000000..d9e0a346 --- /dev/null +++ b/examples/request-transformer/_3.9.x.yaml 
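Review bot: In the request-transformer-advanced example `remove:`, `rename:` and `add:` each appear three times under `config:`, and most YAML parsers keep only the last occurrence of a duplicated key, so the example would silently apply just `remove.body`, `rename.body` and `add.json_types` (the page's indentation is collapsed, so confirm against the file). Each key should appear once with `headers`, `querystring` and `body` nested under it, as the request-transformer example in this commit does. The response-transformer-advanced example has the same duplication for `remove:` and `add:`. Separately, the `remove.querystring` entries `qs-old-name:qs-new-name` look copied from `rename`; a remove list would normally hold bare parameter names.

```yaml
config:
  remove:
    headers:
      - x-toremove
      - x-another-one
    querystring:
      - qs-old-name:qs-new-name
      - qs2-old-name:qs2-new-name
    body:
      - formparam-toremove
      - formparam-another-one
  # … unchanged: replace.body …
  # … rename: and add: merged the same way, one key each …
```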
@@ -0,0 +1,36 @@ +name: request-transformer +config: + remove: + headers: + - x-toremove + - x-another-one + querystring: + - qs-old-name:qs-new-name + - qs2-old-name:qs2-new-name + body: + - formparam-toremove + - formparam-another-one + replace: + body: + - body-param1:new-value-1 + - body-param2:new-value-2 + rename: + headers: + - header-old-name:header-new-name + - another-old-name:another-new-name + querystring: + - qs-old-name:qs-new-name + - qs2-old-name:qs2-new-name + body: + - param-old:param-new + - param2-old:param2-new + add: + headers: + - x-new-header:value + - x-another-header:something + querystring: + - new-param:some_value + - another-param:some_value + body: + - new-form-param:some_value + - another-form-param:some_value diff --git a/examples/request-validator/_3.9.x.yaml b/examples/request-validator/_3.9.x.yaml new file mode 100644 index 00000000..89251acf --- /dev/null +++ b/examples/request-validator/_3.9.x.yaml @@ -0,0 +1,3 @@ +name: request-validator +config: + body_schema: '[{"name":{"type": "string", "required": true}}]' diff --git a/examples/response-ratelimiting/_3.9.x.yaml b/examples/response-ratelimiting/_3.9.x.yaml new file mode 100644 index 00000000..a3860b2a --- /dev/null +++ b/examples/response-ratelimiting/_3.9.x.yaml @@ -0,0 +1,8 @@ +name: response-ratelimiting +config: + limits: + limit_name: + limits: + limit_name: + minute: 10 + policy: local diff --git a/examples/response-transformer-advanced/_3.9.x.yaml b/examples/response-transformer-advanced/_3.9.x.yaml new file mode 100644 index 00000000..4942c5c5 --- /dev/null +++ b/examples/response-transformer-advanced/_3.9.x.yaml 
@@ -0,0 +1,31 @@
+name: response-transformer-advanced
+config:
+ remove:
+ headers:
+ - x-toremove
+ - x-another-one:application/json
+ - x-list-of-values:v1,v2,v3
+ - Set-Cookie:/JSESSIONID=.*/
+ - x-another-regex://status/$/
+ - x-one-more-regex:/^/begin//
+ remove:
+ json:
+ - json-key-toremove
+ - another-json-key
+ add:
+ headers:
+ - x-new-header:value
+ - x-another-header:something
+ add:
+ json:
+ - new-json-key:some_value
+ - another-json-key:some_value
+ add:
+ json_types:
+ - string
+ - boolean
+ - number
+ append:
+ headers:
+ - x-existing-header:some_value
+ - x-another-header:some_value
diff --git a/examples/response-transformer/_3.9.x.yaml b/examples/response-transformer/_3.9.x.yaml
new file mode 100644
index 00000000..aab7075a
--- /dev/null
+++ b/examples/response-transformer/_3.9.x.yaml
@@ -0,0 +1,24 @@
+name: response-transformer
+config:
+ remove:
+ headers:
+ - x-toremove
+ - x-another-one
+ json:
+ - json-key-toremove
+ - another-json-key
+ add:
+ headers:
+ - x-new-header:value
+ - x-another-header:something
+ json:
+ - new-json-key:some_value
+ - another-json-key:some_value
+ json_types:
+ - string
+ - boolean
+ - number
+ append:
+ headers:
+ - x-existing-header:some_value
+ - x-another-header:some_value
diff --git a/examples/route-by-header/_3.9.x.yaml b/examples/route-by-header/_3.9.x.yaml
new file mode 100644
index 00000000..e2854428
--- /dev/null
+++ b/examples/route-by-header/_3.9.x.yaml
@@ -0,0 +1,8 @@
+name: route-by-header
+config:
+ rules:
+ -
+ upstream_name: bar.domain.com
+ condition:
+ location: us-east
+
diff --git a/examples/route-transformer-advanced/_3.9.x.yaml b/examples/route-transformer-advanced/_3.9.x.yaml
new file mode 100644
index 00000000..098f0994
--- /dev/null
+++ b/examples/route-transformer-advanced/_3.9.x.yaml
@@ -0,0 +1,3 @@
+name: route-transformer-advanced
+config:
+ path: /path
diff --git a/examples/saml/_3.9.x.yaml b/examples/saml/_3.9.x.yaml
new file mode 100644
index 00000000..18b41c3f
--- /dev/null
+++ b/examples/saml/_3.9.x.yaml
@@ -0,0 +1,12 @@
+name: saml
+config:
+ anonymous: anonymous
+ assertion_consumer_path: /acs-uri
+ idp_sso_url: http://example.org/sso-uri
+ validate_assertion_signature: true
+ session_secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ issuer: AzureAD_Identity_ID
+ idp_certificate: |
+ -----BEGIN CERTIFICATE-----
+
+ -----END CERTIFICATE-----
diff --git a/examples/session/_3.9.x.yaml b/examples/session/_3.9.x.yaml
new file mode 100644
index 00000000..1c5100d2
--- /dev/null
+++ b/examples/session/_3.9.x.yaml
@@ -0,0 +1,3 @@
+name: session
+config:
+ secret: opensesame
diff --git a/examples/standard-webhooks/_3.9.x.yaml b/examples/standard-webhooks/_3.9.x.yaml
new file mode 100644
index 00000000..e2e66d71
--- /dev/null
+++ b/examples/standard-webhooks/_3.9.x.yaml
@@ -0,0 +1,3 @@
+name: standard-webhooks
+config:
+ secret_v1: example-secret
diff --git a/examples/statsd-advanced/_3.9.x.yaml b/examples/statsd-advanced/_3.9.x.yaml
new file mode 100644
index 00000000..cfd68de0
--- /dev/null
+++ b/examples/statsd-advanced/_3.9.x.yaml
@@ -0,0 +1,7 @@
+name: statsd-advanced
+config:
+ host: 127.0.0.1
+ port: 8125
+ allow_status_codes:
+ - 200-205
+ - 400-499
diff --git a/examples/statsd/_3.9.x.yaml b/examples/statsd/_3.9.x.yaml
new file mode 100644
index 00000000..796222aa
--- /dev/null
+++ b/examples/statsd/_3.9.x.yaml
@@ -0,0 +1,9 @@
+name: statsd
+config:
+ host: 127.0.0.1
+ port: 8125
+ allow_status_codes:
+ - 200-205
+ - 400-499
+ flush_timeout: 2
+ retry_count: 10
diff --git a/examples/syslog/_3.9.x.yaml b/examples/syslog/_3.9.x.yaml
new file mode 100644
index 00000000..9cc23ca1
--- /dev/null
+++ b/examples/syslog/_3.9.x.yaml
@@ -0,0 +1,3 @@
+name: syslog
+config:
+ log_level: info
diff --git a/examples/tcp-log/_3.9.x.yaml b/examples/tcp-log/_3.9.x.yaml
new file mode 100644
index 00000000..4e155f5a
--- /dev/null
+++ b/examples/tcp-log/_3.9.x.yaml
@@ -0,0 +1,4 @@
+name: tcp-log
+config:
+ host: 127.0.0.1
+ port: 9999
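Review bot: `idp_sso_url: http://example.org/sso-uri` points the SAML example at a plain-HTTP IdP endpoint, so a deployment copied from it would run the sign-on exchange with the IdP without transport protection; the example should read `idp_sso_url: https://example.org/sso-uri`. The same cleartext-URL pattern appears in the upstream-oauth example (`token_endpoint: "http://test.test"`, the request that presumably carries `client_secret`) and in the zipkin example (`http_endpoint: http://your.zipkin.collector:9411/api/v2/spans` alongside `include_credential: true`); both should show `https://`. The example also sets `anonymous: anonymous`, which looks like a fallback consumer for failed authentication, so a comment such as `# optional: remove unless unauthenticated fallback is intended` would keep readers from enabling it by accident.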
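Review bot: `secret: opensesame` in the session example puts a guessable dictionary word in the field that, going by its name, keys the plugin's session protection, and example values tend to be deployed as written. Replace it with an unmistakable placeholder plus a comment, e.g. `secret: REPLACE_WITH_LONG_RANDOM_VALUE  # or a vault reference`. `config.secret` is listed for `session` in `data/referenceable_fields/3.9.x.json`, added later in this series, so a vault reference is an available option for this field.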
diff --git a/examples/tls-handshake-modifier/_3.9.x.yaml b/examples/tls-handshake-modifier/_3.9.x.yaml
new file mode 100644
index 00000000..52561153
--- /dev/null
+++ b/examples/tls-handshake-modifier/_3.9.x.yaml
@@ -0,0 +1 @@
+name: tls-handshake-modifier
diff --git a/examples/tls-metadata-headers/_3.9.x.yaml b/examples/tls-metadata-headers/_3.9.x.yaml
new file mode 100644
index 00000000..98df21ec
--- /dev/null
+++ b/examples/tls-metadata-headers/_3.9.x.yaml
@@ -0,0 +1,4 @@
+name: tls-metadata-headers
+config:
+ inject_client_cert_details: true
+ client_cert_header_name: X-Forwarded-Client-Cert
diff --git a/examples/udp-log/_3.9.x.yaml b/examples/udp-log/_3.9.x.yaml
new file mode 100644
index 00000000..bfd35c0a
--- /dev/null
+++ b/examples/udp-log/_3.9.x.yaml
@@ -0,0 +1,5 @@
+name: udp-log
+config:
+ host: 127.0.0.1
+ port: 9999
+ timeout: 10000
diff --git a/examples/upstream-oauth/_3.9.x.yaml b/examples/upstream-oauth/_3.9.x.yaml
new file mode 100644
index 00000000..2c80a4ac
--- /dev/null
+++ b/examples/upstream-oauth/_3.9.x.yaml
@@ -0,0 +1,12 @@
+name: upstream-oauth
+config:
+ oauth:
+ token_endpoint: "http://test.test"
+ grant_type: client_credentials
+ client_id: CLIENT_CREDENTIALS_GRANT_POST_AUTH_CLIENT_ID
+ client_secret: CLIENT_CREDENTIALS_GRANT_POST_AUTH_CLIENT_SECRET
+ scopes:
+ - "openid"
+ - "profile"
+ behavior:
+ upstream_access_token_header_name: X-Custom-Auth
\ No newline at end of file
diff --git a/examples/upstream-timeout/_3.9.x.yaml b/examples/upstream-timeout/_3.9.x.yaml
new file mode 100644
index 00000000..962a6cdf
--- /dev/null
+++ b/examples/upstream-timeout/_3.9.x.yaml
@@ -0,0 +1,5 @@
+name: upstream-timeout
+config:
+ connect_timeout: 4000
+ send_timeout: 5000
+ read_timeout: 5000
diff --git a/examples/vault-auth/_3.9.x.yaml b/examples/vault-auth/_3.9.x.yaml
new file mode 100644
index 00000000..8a2e5285
--- /dev/null
+++ b/examples/vault-auth/_3.9.x.yaml
@@ -0,0 +1,4 @@
+name: vault-auth
+config:
+ vault:
+ id: 00000000-0000-0000-0000-000000000000
diff --git a/examples/websocket-size-limit/_3.9.x.yaml b/examples/websocket-size-limit/_3.9.x.yaml
new file mode 100644
index 00000000..7274d312
--- /dev/null
+++ b/examples/websocket-size-limit/_3.9.x.yaml
@@ -0,0 +1,4 @@
+name: websocket-size-limit
+config:
+ client_max_payload: 1024
+ upstream_max_payload: 16384
diff --git a/examples/websocket-validator/_3.9.x.yaml b/examples/websocket-validator/_3.9.x.yaml
new file mode 100644
index 00000000..12fe18ac
--- /dev/null
+++ b/examples/websocket-validator/_3.9.x.yaml
@@ -0,0 +1,14 @@
+name: websocket-validator
+config:
+ client:
+ text:
+ type: draft4
+ schema: |
+ {
+ "type": "object",
+ "properties": {
+ "foo": { "type": "string" },
+ "bar": { "type": "string" }
+ },
+ "required": [ "foo", "bar" ]
+ }
diff --git a/examples/xml-threat-protection/_3.9.x.yaml b/examples/xml-threat-protection/_3.9.x.yaml
new file mode 100644
index 00000000..a25f15fc
--- /dev/null
+++ b/examples/xml-threat-protection/_3.9.x.yaml
@@ -0,0 +1,6 @@
+name: xml-threat-protection
+config:
+ max_depth: 50
+ localname: 512
+ prefix: 512
+ namespaceuri: 1024
diff --git a/examples/zipkin/_3.9.x.yaml b/examples/zipkin/_3.9.x.yaml
new file mode 100644
index 00000000..62ab05c8
--- /dev/null
+++ b/examples/zipkin/_3.9.x.yaml
@@ -0,0 +1,5 @@
+name: zipkin
+config:
+ http_endpoint: http://your.zipkin.collector:9411/api/v2/spans
+ sample_ratio: 0.001
+ include_credential: true
From 8c937a4dad251e857ebeac78cc0f4ee7919dce87 Mon Sep 17 00:00:00 2001
From: kong-docs <116832528+kong-docs@users.noreply.github.com> Date: Tue, 10 Sep 2024 22:24:42 +0200 Subject: [PATCH 085/165] Referenceable fields for 3.9.x (#66) * Referenceable fields for 3.9.x * copy priorities --------- Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Co-authored-by: lena-larionova --- data/priorities/ee/3.9.x.json | 91 ++++++++ data/priorities/oss/3.9.x.json | 46 ++++ data/referenceable_fields/3.9.x.json | 306 +++++++++++++++++++++++++++ 3 files changed, 443 insertions(+) create mode 100644 data/priorities/ee/3.9.x.json create mode 100644 data/priorities/oss/3.9.x.json create mode 100644 data/referenceable_fields/3.9.x.json diff --git a/data/priorities/ee/3.9.x.json b/data/priorities/ee/3.9.x.json new file mode 100644 index 00000000..b51f6e2a --- /dev/null +++ b/data/priorities/ee/3.9.x.json 
@@ -0,0 +1,91 @@ +{ + "pre-function": 1000000, + "app-dynamics": 999999, + "correlation-id": 100001, + "zipkin": 100000, + "exit-transformer": 9999, + "bot-detection": 2500, + "cors": 2000, + "jwe-decrypt": 1999, + "session": 1900, + "acme": 1705, + "oauth2-introspection": 1700, + "mtls-auth": 1600, + "degraphql": 1500, + "jwt": 1450, + "oauth2": 1400, + "vault-auth": 1350, + "key-auth": 1250, + "key-auth-enc": 1250, + "ldap-auth": 1200, + "ldap-auth-advanced": 1200, + "basic-auth": 1100, + "openid-connect": 1050, + "hmac-auth": 1030, + "jwt-signer": 1020, + "saml": 1010, + "header-cert-auth": 1009, + "json-threat-protection": 1009, + "xml-threat-protection": 1008, + "websocket-validator": 1006, + "websocket-size-limit": 1003, + "request-validator": 999, + "grpc-gateway": 998, + "tls-handshake-modifier": 997, + "tls-metadata-headers": 996, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "opa": 920, + "rate-limiting": 910, + "rate-limiting-advanced": 910, + "ai-rate-limiting-advanced": 905, + "graphql-rate-limiting-advanced": 902, + "response-ratelimiting": 900, + "route-by-header": 850, + "oas-validation": 840, + "jq": 811, + "request-transformer-advanced": 802, + "request-transformer": 801, + "response-transformer": 800, + "response-transformer-advanced": 800, + "route-transformer-advanced": 780, + "ai-request-transformer": 777, + "ai-semantic-prompt-guard": 775, + "ai-azure-content-safety": 774, + "ai-prompt-template": 773, + "ai-prompt-decorator": 772, + "ai-prompt-guard": 771, + "ai-proxy": 770, + "ai-proxy-advanced": 770, + "ai-response-transformer": 769, + "ai-semantic-cache": 765, + "standard-webhooks": 760, + "upstream-oauth": 760, + "confluent": 752, + "kafka-upstream": 751, + "aws-lambda": 750, + "azure-functions": 749, + "upstream-timeout": 400, + "proxy-cache": 100, + "proxy-cache-advanced": 100, + "graphql-proxy-cache-advanced": 99, + "forward-proxy": 50, + "canary": 20, + "opentelemetry": 14, + "prometheus": 13, + "http-log": 
12, + "statsd": 11, + "statsd-advanced": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "kafka-log": 5, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "mocking": -1, + "post-function": -1000 +} \ No newline at end of file diff --git a/data/priorities/oss/3.9.x.json b/data/priorities/oss/3.9.x.json new file mode 100644 index 00000000..039222ef --- /dev/null +++ b/data/priorities/oss/3.9.x.json @@ -0,0 +1,46 @@ +{ + "pre-function": 1000000, + "zipkin": 100000, + "bot-detection": 2500, + "cors": 2000, + "session": 1900, + "acme": 1705, + "jwt": 1450, + "oauth2": 1400, + "key-auth": 1250, + "ldap-auth": 1200, + "basic-auth": 1100, + "hmac-auth": 1030, + "grpc-gateway": 998, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "rate-limiting": 910, + "response-ratelimiting": 900, + "request-transformer": 801, + "response-transformer": 800, + "ai-request-transformer": 777, + "ai-prompt-template": 773, + "ai-prompt-decorator": 772, + "ai-prompt-guard": 771, + "ai-proxy": 770, + "ai-response-transformer": 769, + "standard-webhooks": 760, + "aws-lambda": 750, + "azure-functions": 749, + "proxy-cache": 100, + "opentelemetry": 14, + "prometheus": 13, + "http-log": 12, + "statsd": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "correlation-id": 1, + "post-function": -1000 +} \ No newline at end of file diff --git a/data/referenceable_fields/3.9.x.json b/data/referenceable_fields/3.9.x.json new file mode 100644 index 00000000..dfc72c2a --- /dev/null +++ b/data/referenceable_fields/3.9.x.json 
@@ -0,0 +1,306 @@ +{ + "acme": [ + "config.account_email", + "config.eab_kid", + "config.eab_hmac_key", + "config.storage_config.redis.username", + "config.storage_config.redis.password", + "config.storage_config.consul.token", + "config.storage_config.vault.token" + ], + "ai-azure-content-safety": [ + "config.content_safety_url", + "config.content_safety_key" + ], + "ai-proxy": [ + "config.auth.header_name", + "config.auth.header_value", + "config.auth.param_name", + "config.auth.param_value", + "config.auth.azure_client_id", + "config.auth.azure_client_secret", + "config.auth.azure_tenant_id", + "config.auth.gcp_service_account_json", + "config.auth.aws_access_key_id", + "config.auth.aws_secret_access_key" + ], + "ai-proxy-advanced": [ + "config.embeddings.auth.header_name", + "config.embeddings.auth.header_value", + "config.embeddings.auth.param_name", + "config.embeddings.auth.param_value", + "config.embeddings.auth.azure_client_id", + "config.embeddings.auth.azure_client_secret", + "config.embeddings.auth.azure_tenant_id", + "config.embeddings.auth.gcp_service_account_json", + "config.embeddings.auth.aws_access_key_id", + "config.embeddings.auth.aws_secret_access_key", + "config.vectordb.redis.username", + "config.vectordb.redis.password", + "config.vectordb.redis.sentinel_username", + "config.vectordb.redis.sentinel_password", + "config.targets.auth.header_name", + "config.targets.auth.header_value", + "config.targets.auth.param_name", + "config.targets.auth.param_value", + "config.targets.auth.azure_client_id", + "config.targets.auth.azure_client_secret", + "config.targets.auth.azure_tenant_id", + "config.targets.auth.gcp_service_account_json", + "config.targets.auth.aws_access_key_id", + "config.targets.auth.aws_secret_access_key" + ], + "ai-rate-limiting-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "ai-request-transformer": [ + "config.llm.auth.header_name", 
+ "config.llm.auth.header_value", + "config.llm.auth.param_name", + "config.llm.auth.param_value", + "config.llm.auth.azure_client_id", + "config.llm.auth.azure_client_secret", + "config.llm.auth.azure_tenant_id", + "config.llm.auth.gcp_service_account_json", + "config.llm.auth.aws_access_key_id", + "config.llm.auth.aws_secret_access_key" + ], + "ai-response-transformer": [ + "config.llm.auth.header_name", + "config.llm.auth.header_value", + "config.llm.auth.param_name", + "config.llm.auth.param_value", + "config.llm.auth.azure_client_id", + "config.llm.auth.azure_client_secret", + "config.llm.auth.azure_tenant_id", + "config.llm.auth.gcp_service_account_json", + "config.llm.auth.aws_access_key_id", + "config.llm.auth.aws_secret_access_key" + ], + "ai-semantic-cache": [ + "config.embeddings.auth.header_name", + "config.embeddings.auth.header_value", + "config.embeddings.auth.param_name", + "config.embeddings.auth.param_value", + "config.embeddings.auth.azure_client_id", + "config.embeddings.auth.azure_client_secret", + "config.embeddings.auth.azure_tenant_id", + "config.embeddings.auth.gcp_service_account_json", + "config.embeddings.auth.aws_access_key_id", + "config.embeddings.auth.aws_secret_access_key", + "config.vectordb.redis.username", + "config.vectordb.redis.password", + "config.vectordb.redis.sentinel_username", + "config.vectordb.redis.sentinel_password" + ], + "ai-semantic-prompt-guard": [ + "config.embeddings.auth.header_name", + "config.embeddings.auth.header_value", + "config.embeddings.auth.param_name", + "config.embeddings.auth.param_value", + "config.embeddings.auth.azure_client_id", + "config.embeddings.auth.azure_client_secret", + "config.embeddings.auth.azure_tenant_id", + "config.embeddings.auth.gcp_service_account_json", + "config.embeddings.auth.aws_access_key_id", + "config.embeddings.auth.aws_secret_access_key", + "config.vectordb.redis.username", + "config.vectordb.redis.password", + "config.vectordb.redis.sentinel_username", + 
"config.vectordb.redis.sentinel_password" + ], + "aws-lambda": [ + "config.aws_key", + "config.aws_secret", + "config.aws_assume_role_arn" + ], + "azure-functions": [ + "config.apikey", + "config.clientid" + ], + "confluent": [ + "config.cluster_api_key", + "config.cluster_api_secret", + "config.confluent_cloud_api_key", + "config.confluent_cloud_api_secret" + ], + "datadog": [ + "config.host" + ], + "datadog-tracing": [ + "config.endpoint" + ], + "forward-proxy": [ + "config.auth_username", + "config.auth_password" + ], + "graphql-proxy-cache-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "graphql-rate-limiting-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "http-log": [ + "config.http_endpoint", + "config.headers" + ], + "jwt-signer": [ + "config.access_token_keyset_client_username", + "config.access_token_keyset_client_password", + "config.access_token_jwks_uri_client_username", + "config.access_token_jwks_uri_client_password", + "config.channel_token_keyset_client_username", + "config.channel_token_keyset_client_password", + "config.channel_token_jwks_uri_client_username", + "config.channel_token_jwks_uri_client_password" + ], + "kafka-log": [ + "config.authentication.user", + "config.authentication.password" + ], + "kafka-upstream": [ + "config.authentication.user", + "config.authentication.password" + ], + "konnect-application-auth": [ + "config.v2_strategies.openid_connect.config.client_id", + "config.v2_strategies.openid_connect.config.client_secret", + "config.v2_strategies.openid_connect.config.client_jwk.k", + "config.v2_strategies.openid_connect.config.client_jwk.d", + "config.v2_strategies.openid_connect.config.client_jwk.p", + "config.v2_strategies.openid_connect.config.client_jwk.q", + "config.v2_strategies.openid_connect.config.client_jwk.dp", + 
"config.v2_strategies.openid_connect.config.client_jwk.dq", + "config.v2_strategies.openid_connect.config.client_jwk.qi", + "config.v2_strategies.openid_connect.config.client_jwk.oth", + "config.v2_strategies.openid_connect.config.client_jwk.r", + "config.v2_strategies.openid_connect.config.client_jwk.t", + "config.v2_strategies.openid_connect.config.login_redirect_uri", + "config.v2_strategies.openid_connect.config.logout_redirect_uri", + "config.v2_strategies.openid_connect.config.scopes", + "config.v2_strategies.openid_connect.config.introspection_headers_values", + "config.v2_strategies.openid_connect.config.session_secret", + "config.v2_strategies.openid_connect.config.redis.username", + "config.v2_strategies.openid_connect.config.redis.password", + "config.v2_strategies.openid_connect.config.redis.sentinel_username", + "config.v2_strategies.openid_connect.config.redis.sentinel_password", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.username", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.password", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.sentinel_username", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.sentinel_password" + ], + "ldap-auth-advanced": [ + "config.ldap_password", + "config.bind_dn" + ], + "loggly": [ + "config.key" + ], + "oauth2-introspection": [ + "config.authorization_value" + ], + "openid-connect": [ + "config.client_id", + "config.client_secret", + "config.client_jwk.k", + "config.client_jwk.d", + "config.client_jwk.p", + "config.client_jwk.q", + "config.client_jwk.dp", + "config.client_jwk.dq", + "config.client_jwk.qi", + "config.client_jwk.oth", + "config.client_jwk.r", + "config.client_jwk.t", + "config.login_redirect_uri", + "config.logout_redirect_uri", + "config.scopes", + "config.introspection_headers_values", + "config.session_secret", + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + 
"config.redis.sentinel_password", + "config.cluster_cache_redis.username", + "config.cluster_cache_redis.password", + "config.cluster_cache_redis.sentinel_username", + "config.cluster_cache_redis.sentinel_password" + ], + "opentelemetry": [ + "config.traces_endpoint", + "config.logs_endpoint", + "config.headers" + ], + "proxy-cache-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "rate-limiting": [ + "config.redis.username", + "config.redis.password" + ], + "rate-limiting-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "request-transformer-advanced": [ + "config.rename.body", + "config.rename.headers", + "config.rename.querystring", + "config.replace.body", + "config.replace.headers", + "config.replace.querystring", + "config.add.body", + "config.add.headers", + "config.add.querystring", + "config.append.body", + "config.append.headers", + "config.append.querystring" + ], + "response-ratelimiting": [ + "config.redis.username", + "config.redis.password" + ], + "saml": [ + "config.idp_certificate", + "config.response_encryption_key", + "config.request_signing_key", + "config.request_signing_certificate", + "config.session_secret", + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "session": [ + "config.secret" + ], + "standard-webhooks": [ + "config.secret_v1" + ], + "upstream-oauth": [ + "config.oauth.token_headers", + "config.oauth.token_post_args", + "config.oauth.client_id", + "config.oauth.client_secret", + "config.oauth.username", + "config.oauth.password", + "config.cache.redis.username", + "config.cache.redis.password", + "config.cache.redis.sentinel_username", + "config.cache.redis.sentinel_password" + ] +} \ No newline at end of file 
From 9ad6cdfe766c31ae271c54eec4292a761cb4c3a0 Mon Sep 17 00:00:00 2001 From: Lucie Milan Date: Wed, 11 Sep 2024 15:56:25 +0200 Subject: [PATCH 086/165] Update example with new schema --- examples/ai-semantic-prompt-guard/_3.8.x.yaml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/examples/ai-semantic-prompt-guard/_3.8.x.yaml b/examples/ai-semantic-prompt-guard/_3.8.x.yaml index aceb96eb..8cbb9571 100644 --- a/examples/ai-semantic-prompt-guard/_3.8.x.yaml +++ b/examples/ai-semantic-prompt-guard/_3.8.x.yaml @@ -1,8 +1,14 @@ name: ai-semantic-prompt-guard config: embeddings: - provider: openai - name: text-embedding-3-large + auth: + header_name: Authorization + header_value: Bearer + model: + name: text-embedding-3-small + provider: openai + search: + threshold: 0.7 vectordb: strategy: redis distance_metric: cosine @@ -14,5 +20,4 @@ config: rules: match_all_conversation_history: true allow_prompts: - - "[1] = string.rep('x', 501)" - deny_prompts: {} + - Questions about Kong \ No newline at end of file From 49e77a7df424edea4a893963e78a32d55110ae42 Mon Sep 17 00:00:00 2001 From: Lucie Milan Date: Wed, 11 Sep 2024 15:57:15 +0200 Subject: [PATCH 087/165] update 3.9 example --- examples/ai-semantic-prompt-guard/_3.9.x.yaml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/examples/ai-semantic-prompt-guard/_3.9.x.yaml b/examples/ai-semantic-prompt-guard/_3.9.x.yaml index aceb96eb..8cbb9571 100644 --- a/examples/ai-semantic-prompt-guard/_3.9.x.yaml +++ b/examples/ai-semantic-prompt-guard/_3.9.x.yaml @@ -1,8 +1,14 @@ name: ai-semantic-prompt-guard config: embeddings: - provider: openai - name: text-embedding-3-large + auth: + header_name: Authorization + header_value: Bearer + model: + name: text-embedding-3-small + provider: openai + search: + threshold: 0.7 vectordb: strategy: redis distance_metric: cosine 
@@ -14,5 +20,4 @@ config: rules: match_all_conversation_history: true allow_prompts: - - "[1] = string.rep('x', 501)" - deny_prompts: {} + - Questions about Kong \ No newline at end of file From 154630a48d9700a5a7ab87384ce60935bc4d33bb Mon Sep 17 00:00:00 2001 From: Xumin <100666470+StarlightIbuki@users.noreply.github.com> Date: Thu, 3 Oct 2024 08:48:15 +0800 Subject: [PATCH 088/165] Fix incorrect example of request-transformer (#68) * Update _3.8.x.yaml * make same changes in 3.9 --------- Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- examples/request-transformer/_3.8.x.yaml | 4 ++-- examples/request-transformer/_3.9.x.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/request-transformer/_3.8.x.yaml b/examples/request-transformer/_3.8.x.yaml index d9e0a346..3e9148f5 100644 --- a/examples/request-transformer/_3.8.x.yaml +++ b/examples/request-transformer/_3.8.x.yaml @@ -5,8 +5,8 @@ config: - x-toremove - x-another-one querystring: - - qs-old-name:qs-new-name - - qs2-old-name:qs2-new-name + - qs-toremove + - qs2-toremove body: - formparam-toremove - formparam-another-one diff --git a/examples/request-transformer/_3.9.x.yaml b/examples/request-transformer/_3.9.x.yaml index d9e0a346..3e9148f5 100644 --- a/examples/request-transformer/_3.9.x.yaml +++ b/examples/request-transformer/_3.9.x.yaml @@ -5,8 +5,8 @@ config: - x-toremove - x-another-one querystring: - - qs-old-name:qs-new-name - - qs2-old-name:qs2-new-name + - qs-toremove + - qs2-toremove body: - formparam-toremove - formparam-another-one From f5f8cf0e4a0f818fbacef862a2362dc711f6fae1 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 3 Sep 2024 10:25:11 +0000 Subject: [PATCH 089/165] Update peter-evans/create-pull-request action to v7 --- .github/workflows/copy-examples.yml | 2 +- .github/workflows/copy-schemas.yml | 2 +- .github/workflows/download-schemas.yml | 2 +- .github/workflows/generate-plugin-priorities.yml | 2 +- .github/workflows/generate-referenceable-fields.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/copy-examples.yml b/.github/workflows/copy-examples.yml index 1c6a035a..0612c4a2 100644 --- a/.github/workflows/copy-examples.yml +++ b/.github/workflows/copy-examples.yml @@ -21,7 +21,7 @@ jobs: run: | bundle exec ./plugins copy_examples --version=${{ github.event.inputs.version }} --plugins $(ls ./schemas) --verbose - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@v7 with: token: ${{ secrets.PAT }} title: "Copy latest examples to ${{ github.event.inputs.version }}" diff --git a/.github/workflows/copy-schemas.yml b/.github/workflows/copy-schemas.yml index db1a288a..04478fb0 100644 --- a/.github/workflows/copy-schemas.yml +++ b/.github/workflows/copy-schemas.yml @@ -21,7 +21,7 @@ jobs: run: | bundle exec ./plugins copy_schemas --version=${{ github.event.inputs.version }} --plugins $(ls ./schemas) --verbose - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@v7 with: token: ${{ secrets.PAT }} title: "Copy latest schemas to ${{ github.event.inputs.version }}" diff --git a/.github/workflows/download-schemas.yml b/.github/workflows/download-schemas.yml index 7bc2f32e..792a27e5 100644 --- a/.github/workflows/download-schemas.yml +++ b/.github/workflows/download-schemas.yml 
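Review bot: `uses: peter-evans/create-pull-request@v7` still tracks a mutable tag while the step is handed `token: ${{ secrets.PAT }}`, so a retagged or compromised release of the action would run with that token. Pin the action to a full commit SHA and keep the tag as a comment, `uses: peter-evans/create-pull-request@<full-commit-sha> # v7` (placeholder: take the SHA from the release that was reviewed). The same applies to the identical hunks in copy-schemas.yml, download-schemas.yml, generate-plugin-priorities.yml and generate-referenceable-fields.yml. Separately, the context `run:` line interpolates `${{ github.event.inputs.version }}` straight into the shell command; passing it through the step's `env:` and using a quoted `"$VERSION"` keeps the input from being parsed as shell. The job body starts and ends outside the hunk.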
@@ -39,7 +39,7 @@ jobs: run: | bundle exec ./plugins download_schemas --version=${{ github.event.inputs.version }} --plugins $(ls ./schemas) --verbose - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@v7 with: token: ${{ secrets.PAT }} title: "Download Schemas for ${{ github.event.inputs.version }}" diff --git a/.github/workflows/generate-plugin-priorities.yml b/.github/workflows/generate-plugin-priorities.yml index a7f29346..f4b200ba 100644 --- a/.github/workflows/generate-plugin-priorities.yml +++ b/.github/workflows/generate-plugin-priorities.yml @@ -44,7 +44,7 @@ jobs: run: | bundle exec ./plugins generate_plugin_priorities --type=${{ github.event.inputs.kong-edition }} --version=${{ github.event.inputs.version }} --verbose - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@v7 with: token: ${{ secrets.PAT }} title: "Plugin Priorities for ${{ github.event.inputs.version }}" diff --git a/.github/workflows/generate-referenceable-fields.yml b/.github/workflows/generate-referenceable-fields.yml index 341adb23..0e48bdde 100644 --- a/.github/workflows/generate-referenceable-fields.yml +++ b/.github/workflows/generate-referenceable-fields.yml @@ -39,7 +39,7 @@ jobs: run: | bundle exec ./plugins generate_referenceable_fields_list --version=${{ github.event.inputs.version }} --plugins $(ls ./schemas) --verbose - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@v7 with: token: ${{ secrets.PAT }} title: "Referenceable fields for ${{ github.event.inputs.version }}" From e60006dc927b1faa1497a259a2474c07521f3a80 Mon Sep 17 00:00:00 2001 From: Diana <75819066+cloudjumpercat@users.noreply.github.com> Date: Fri, 22 Nov 2024 12:02:22 -0600 Subject: [PATCH 090/165] Add empty service-protection directory 
Signed-off-by: Diana <75819066+cloudjumpercat@users.noreply.github.com> --- schemas/service-protection/.foo | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 schemas/service-protection/.foo diff --git a/schemas/service-protection/.foo b/schemas/service-protection/.foo new file mode 100644 index 00000000..e69de29b From 82b58d1ef0af8a6c4bdfd8792d6650c897d1433b Mon Sep 17 00:00:00 2001 
From: cloudjumpercat <75819066+cloudjumpercat@users.noreply.github.com> Date: Fri, 22 Nov 2024 18:10:43 +0000 Subject: [PATCH 091/165] Download Schemas for 3.9.x --- schemas/acl/3.9.x.json | 49 +- schemas/acme/3.9.x.json | 346 ++-- schemas/ai-azure-content-safety/3.9.x.json | 62 +- schemas/ai-prompt-decorator/3.9.x.json | 66 +- schemas/ai-prompt-guard/3.9.x.json | 82 +- schemas/ai-prompt-template/3.9.x.json | 38 +- schemas/ai-proxy-advanced/3.9.x.json | 688 +++---- schemas/ai-proxy/3.9.x.json | 286 +-- schemas/ai-rate-limiting-advanced/3.9.x.json | 287 ++- schemas/ai-request-transformer/3.9.x.json | 348 ++-- schemas/ai-response-transformer/3.9.x.json | 360 ++-- schemas/ai-semantic-cache/3.9.x.json | 369 ++-- schemas/ai-semantic-prompt-guard/3.9.x.json | 368 ++-- schemas/app-dynamics/3.9.x.json | 12 +- schemas/aws-lambda/3.9.x.json | 142 +- schemas/azure-functions/3.9.x.json | 52 +- schemas/basic-auth/3.9.x.json | 30 +- schemas/bot-detection/3.9.x.json | 38 +- schemas/canary/3.9.x.json | 116 +- schemas/confluent/3.9.x.json | 104 +- schemas/correlation-id/3.9.x.json | 28 +- schemas/cors/3.9.x.json | 38 +- schemas/datadog/3.9.x.json | 168 +- schemas/degraphql/3.9.x.json | 20 +- schemas/exit-transformer/3.9.x.json | 20 +- schemas/file-log/3.9.x.json | 30 +- schemas/forward-proxy/3.9.x.json | 64 +- .../graphql-proxy-cache-advanced/3.9.x.json | 233 +-- .../graphql-rate-limiting-advanced/3.9.x.json | 261 +-- schemas/grpc-gateway/3.9.x.json | 12 +- schemas/grpc-web/3.9.x.json | 26 +- schemas/header-cert-auth/3.9.x.json | 82 +- schemas/hmac-auth/3.9.x.json | 72 +- schemas/http-log/3.9.x.json | 124 +- schemas/ip-restriction/3.9.x.json | 32 +- schemas/jq/3.9.x.json | 96 +- schemas/json-threat-protection/3.9.x.json | 70 +- schemas/jwe-decrypt/3.9.x.json | 28 +- schemas/jwt-signer/3.9.x.json | 366 ++-- schemas/jwt/3.9.x.json | 86 +- schemas/kafka-log/3.9.x.json | 98 +- schemas/kafka-upstream/3.9.x.json | 104 +- schemas/key-auth-enc/3.9.x.json | 42 +- schemas/key-auth/3.9.x.json 
| 42 +- schemas/konnect-application-auth/3.9.x.json | 1594 +++++++------- schemas/ldap-auth-advanced/3.9.x.json | 128 +- schemas/ldap-auth/3.9.x.json | 84 +- schemas/loggly/3.9.x.json | 34 +- schemas/mocking/3.9.x.json | 66 +- schemas/mtls-auth/3.9.x.json | 78 +- schemas/oas-validation/3.9.x.json | 102 +- schemas/oauth2-introspection/3.9.x.json | 68 +- schemas/oauth2/3.9.x.json | 86 +- schemas/opa/3.9.x.json | 56 +- schemas/openid-connect/3.9.x.json | 1830 ++++++++--------- schemas/opentelemetry/3.9.x.json | 170 +- schemas/post-function/3.9.x.json | 102 +- schemas/pre-function/3.9.x.json | 102 +- schemas/prometheus/3.9.x.json | 36 +- schemas/proxy-cache-advanced/3.9.x.json | 275 ++- schemas/proxy-cache/3.9.x.json | 64 +- schemas/rate-limiting-advanced/3.9.x.json | 305 ++- schemas/rate-limiting/3.9.x.json | 374 ++-- schemas/request-size-limiting/3.9.x.json | 26 +- schemas/request-termination/3.9.x.json | 18 +- .../request-transformer-advanced/3.9.x.json | 18 +- schemas/request-transformer/3.9.x.json | 74 +- schemas/request-validator/3.9.x.json | 54 +- schemas/response-ratelimiting/3.9.x.json | 280 ++- .../response-transformer-advanced/3.9.x.json | 14 +- schemas/response-transformer/3.9.x.json | 62 +- schemas/route-by-header/3.9.x.json | 22 +- schemas/route-transformer-advanced/3.9.x.json | 16 +- schemas/saml/3.9.x.json | 665 +++--- schemas/service-protection/3.9.x.json | 543 +++++ schemas/session/3.9.x.json | 100 +- schemas/standard-webhooks/3.9.x.json | 24 +- schemas/statsd-advanced/3.9.x.json | 170 +- schemas/statsd/3.9.x.json | 198 +- schemas/syslog/3.9.x.json | 36 +- schemas/tcp-log/3.9.x.json | 42 +- schemas/tls-handshake-modifier/3.9.x.json | 20 +- schemas/tls-metadata-headers/3.9.x.json | 48 +- schemas/udp-log/3.9.x.json | 34 +- schemas/upstream-oauth/3.9.x.json | 369 ++-- schemas/upstream-timeout/3.9.x.json | 30 +- schemas/vault-auth/3.9.x.json | 40 +- schemas/websocket-size-limit/3.9.x.json | 16 +- schemas/websocket-validator/3.9.x.json | 68 +- 
schemas/xml-threat-protection/3.9.x.json | 156 +- schemas/zipkin/3.9.x.json | 172 +- 91 files changed, 7359 insertions(+), 7495 deletions(-) create mode 100644 schemas/service-protection/3.9.x.json diff --git a/schemas/acl/3.9.x.json b/schemas/acl/3.9.x.json index 8ed6b9be..88f2dcf1 100644 --- a/schemas/acl/3.9.x.json +++ b/schemas/acl/3.9.x.json @@ -1,24 +1,37 @@ { + "entity_checks": [ + { + "only_one_of": [ + "config.allow", + "config.deny" + ] + }, + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -35,7 +48,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { 
@@ -62,24 +76,25 @@ { "hide_groups_header": { "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", - "type": "boolean", "required": true, - "default": false + "default": false, + "type": "boolean" } }, { "include_consumer_groups": { + "description": "If enabled (`true`), allows the consumer-groups to be used in the `allow|deny` fields", "required": false, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "always_use_authenticated_groups": { "description": "If enabled (`true`), the authenticated groups will always be used even when an authenticated consumer already exists. If the authenticated groups don't exist, it will fallback to use the groups associated with the consumer. By default the authenticated groups will only be used when there is no consumer or the consumer is anonymous.", - "type": "boolean", "required": true, - "default": false + "default": false, + "type": "boolean" } } ], @@ -87,19 +102,5 @@ "required": true } } - ], - "entity_checks": [ - { - "only_one_of": [ - "config.allow", - "config.deny" - ] - }, - { - "at_least_one_of": [ - "config.allow", - "config.deny" - ] - } ] } \ No newline at end of file diff --git a/schemas/acme/3.9.x.json b/schemas/acme/3.9.x.json index 23cd4280..a277be83 100644 --- a/schemas/acme/3.9.x.json +++ b/schemas/acme/3.9.x.json 
@@ -1,40 +1,88 @@ { + "entity_checks": [ + { + "conditional": { + "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", + "if_match": { + "one_of": [ + "https://acme-v02.api.letsencrypt.org", + "https://acme-staging-v02.api.letsencrypt.org" + ] + }, + "then_field": "config.tos_accepted", + "if_field": "config.api_uri", + "then_match": { + "eq": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.storage_config.redis.host", + "if_field": "config.storage", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.storage_config.redis.port", + "if_field": "config.storage", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.storage" + ] + } + } + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "service": { "reference": "services", - "eq": null, "type": "foreign", + "eq": null, "description": "A reference to the 'services' table with a null value allowed." } }, { "route": { "reference": "routes", - "eq": null, "type": "foreign", + "eq": null, "description": "A reference to the 'routes' table with a null value allowed." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -51,7 +99,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { 
@@ -59,64 +108,64 @@ "fields": [ { "account_email": { - "description": "The account identifier. Can be reused in a different plugin instance.", "required": true, - "match": "%w*%p*@+%w*%.?%w*", - "type": "string", "referenceable": true, + "description": "The account identifier. Can be reused in a different plugin instance.", + "type": "string", + "match": "%w*%p*@+%w*%.?%w*", "encrypted": true } }, { "account_key": { - "description": "The private key associated with the account.", - "type": "record", - "required": false, "fields": [ { "key_id": { - "description": "The Key ID.", "type": "string", + "description": "The Key ID.", "required": true } }, { "key_set": { - "description": "The ID of the key set to associate the Key ID with.", - "type": "string" + "type": "string", + "description": "The ID of the key set to associate the Key ID with." } } - ] + ], + "type": "record", + "description": "The private key associated with the account.", + "required": false } }, { "api_uri": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", - "default": "https://acme-v02.api.letsencrypt.org/directory" + "default": "https://acme-v02.api.letsencrypt.org/directory", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "tos_accepted": { - "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", "type": "boolean", - "default": false + "default": false, + "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service." } }, { "eab_kid": { "description": "External account binding (EAB) key id. 
You usually don't need to set this unless it is explicitly required by the CA.", "type": "string", - "encrypted": true, - "referenceable": true + "referenceable": true, + "encrypted": true } }, { "eab_hmac_key": { "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", "type": "string", - "encrypted": true, - "referenceable": true + "referenceable": true, + "encrypted": true } }, { @@ -144,9 +193,9 @@ }, { "renew_threshold_days": { - "description": "Days remaining to renew the certificate before it expires.", "type": "number", - "default": 14 + "default": 14, + "description": "Days remaining to renew the certificate before it expires." } }, { 
@@ -154,36 +203,36 @@ "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", "type": "array", "elements": { - "type": "string", "match_all": [ { "pattern": "^[^*]*%*?[^*]*$", "err": "invalid wildcard: must have at most one wildcard" } ], + "type": "string", "match_any": { + "err": "invalid wildcard: must be placed at leftmost or rightmost label", "patterns": [ "^%*%.", "%.%*$", "^[^*]*$" - ], - "err": "invalid wildcard: must be placed at leftmost or rightmost label" + ] } } } }, { "allow_any_domain": { - "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", "type": "boolean", - "default": false + "default": false, + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list." } }, { "fail_backoff_minutes": { - "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", "type": "number", - "default": 5 + "default": 5, + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate." } }, { @@ -208,9 +257,9 @@ "fields": [ { "shm_name": { - "description": "Name of shared memory zone used for Kong API gateway storage", "type": "string", - "default": "kong" + "default": "kong", + "description": "Name of shared memory zone used for Kong API gateway storage" } } ], 
@@ -238,95 +287,95 @@ }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", - "referenceable": true + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." } }, { "password": { "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, "len_min": 0, "type": "string", - "referenceable": true, "encrypted": true } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer", - "default": 0 + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy" } }, { "ssl": { "description": "If set to true, uses SSL to connect to Redis.", "type": "boolean", - "required": false, - "default": false + "default": false, + "required": false } }, { "ssl_verify": { "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "type": "boolean", - "required": false, - "default": false + "default": false, + "required": false } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string", "required": false, - "type": "string" + "description": "A string representing an SNI (server name indication) value for TLS." } }, { "extra_options": { - "description": "Custom ACME Redis options", - "type": "record", "fields": [ { "namespace": { - "description": "A namespace to prepend to all keys stored in Redis.", "required": true, - "type": "string", "len_min": 0, - "default": "" + "type": "string", + "default": "", + "description": "A namespace to prepend to all keys stored in Redis." } }, { "scan_count": { "description": "The number of keys to return in Redis SCAN calls.", - "type": "number", "required": false, - "default": 10 + "default": 10, + "type": "number" } } ], + "description": "Custom ACME Redis options", + "type": "record", "required": true } } 
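Review bot: The Redis storage fields `ssl` and `ssl_verify` both keep `"default": false` in this hunk, while `password` in the same record is marked `encrypted` and `referenceable`. The `encrypted` flag presumably protects the stored value only, so with these defaults the Redis password and the ACME data kept there cross the network without TLS, and turning on `ssl` alone still skips certificate validation. The `ssl` description should say so, for example `"If set to true, uses SSL to connect to Redis. When false, credentials and stored data are sent unencrypted; enable together with ssl_verify."`. This file is pulled from the schema API, so the wording belongs in the plugin's schema source; the enclosing `redis` record starts before this hunk.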
@@ -335,52 +384,42 @@ "shorthand_fields": [ { "auth": { - "len_min": 0, - "type": "string", - "translate_backwards": [ - "password" - ], "deprecation": { + "message": "acme: config.storage_config.redis.auth is deprecated, please use config.storage_config.redis.password instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "password" ] } - ], - "message": "acme: config.storage_config.redis.auth is deprecated, please use config.storage_config.redis.password instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "string", + "len_min": 0 } }, { "ssl_server_name": { - "type": "string", - "translate_backwards": [ - "server_name" - ], "deprecation": { + "message": "acme: config.storage_config.redis.ssl_server_name is deprecated, please use config.storage_config.redis.server_name instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "server_name" ] } - ], - "message": "acme: config.storage_config.redis.ssl_server_name is deprecated, please use config.storage_config.redis.server_name instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "string" } }, { "namespace": { - "len_min": 0, - "type": "string", - "translate_backwards": [ - "extra_options", - "namespace" - ], "deprecation": { + "message": "acme: config.storage_config.redis.namespace is deprecated, please use config.storage_config.redis.extra_options.namespace instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -388,20 +427,17 @@ "namespace" ] } - ], - "message": "acme: config.storage_config.redis.namespace is deprecated, please use config.storage_config.redis.extra_options.namespace instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "string", + "len_min": 0 } }, { "scan_count": { - "type": "integer", - "translate_backwards": [ - "extra_options", - "scan_count" - ], "deprecation": { + "message": "acme: config.storage_config.redis.scan_count is deprecated, please use config.storage_config.redis.extra_options.scan_count instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -409,10 +445,9 @@ "scan_count" ] } - ], - "message": "acme: config.storage_config.redis.scan_count is deprecated, please use config.storage_config.redis.extra_options.scan_count instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } } ], @@ -424,9 +459,9 @@ "fields": [ { "https": { - "description": "Boolean representation of https.", "type": "boolean", - "default": false + "default": false, + "description": "Boolean representation of https." } }, { @@ -437,31 +472,31 @@ }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "kv_path": { - "description": "KV prefix path.", - "type": "string" + "type": "string", + "description": "KV prefix path." } }, { "timeout": { - "description": "Timeout in milliseconds.", - "type": "number" + "type": "number", + "description": "Timeout in milliseconds." } }, { "token": { "description": "Consul ACL token.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } } ], 
@@ -474,9 +509,9 @@ "fields": [ { "https": { - "description": "Boolean representation of https.", "type": "boolean", - "default": false + "default": false, + "description": "Boolean representation of https." } }, { @@ -487,44 +522,44 @@ }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "kv_path": { - "description": "KV prefix path.", - "type": "string" + "type": "string", + "description": "KV prefix path." } }, { "timeout": { - "description": "Timeout in milliseconds.", - "type": "number" + "type": "number", + "description": "Timeout in milliseconds." } }, { "token": { "description": "Consul ACL token.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { "tls_verify": { - "description": "Turn on TLS verification.", "type": "boolean", - "default": true + "default": true, + "description": "Turn on TLS verification." } }, { "tls_server_name": { - "description": "SNI used in request, default to host if omitted.", - "type": "string" + "type": "string", + "description": "SNI used in request, default to host if omitted." } }, { @@ -540,20 +575,20 @@ }, { "auth_path": { - "description": "Vault's authentication path to use.", - "type": "string" + "type": "string", + "description": "Vault's authentication path to use." } }, { "auth_role": { - "description": "The role to try and assign.", - "type": "string" + "type": "string", + "description": "The role to try and assign." } }, { "jwt_path": { - "description": "The path to the JWT.", - "type": "string" + "type": "string", + "description": "The path to the JWT." } } ], 
@@ -568,15 +603,15 @@ }, { "preferred_chain": { - "description": "A string value that specifies the preferred certificate chain to use when generating certificates.", - "type": "string" + "type": "string", + "description": "A string value that specifies the preferred certificate chain to use when generating certificates." } }, { "enable_ipv4_common_name": { - "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", "type": "boolean", - "default": true + "default": true, + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates." } } ], @@ -584,54 +619,5 @@ "required": true } } - ], - "entity_checks": [ - { - "conditional": { - "then_field": "config.tos_accepted", - "if_field": "config.api_uri", - "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", - "if_match": { - "one_of": [ - "https://acme-v02.api.letsencrypt.org", - "https://acme-staging-v02.api.letsencrypt.org" - ] - }, - "then_match": { - "eq": true - } - } - }, - { - "conditional": { - "if_field": "config.storage", - "if_match": { - "eq": "redis" - }, - "then_field": "config.storage_config.redis.host", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_field": "config.storage", - "if_match": { - "eq": "redis" - }, - "then_field": "config.storage_config.redis.port", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "field_sources": [ - "config.storage" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/ai-azure-content-safety/3.9.x.json b/schemas/ai-azure-content-safety/3.9.x.json index 8b87214a..96cac76e 100644 --- a/schemas/ai-azure-content-safety/3.9.x.json +++ b/schemas/ai-azure-content-safety/3.9.x.json 
@@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,22 +21,23 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -45,54 +48,54 @@ "content_safety_url": { "description": "Full URL, inc protocol, of the Azure Content Safety instance.", "required": true, - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { "azure_api_version": { - "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format.", "required": true, - "type": "string", "len_min": 1, - "default": "2023-10-01" + "type": "string", + "default": "2023-10-01", + "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format." } }, { "azure_use_managed_identity": { - "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity", "type": "boolean", - "default": false + "default": false, + "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity" } }, { "azure_client_id": { "description": "If `azure_use_managed_identity` is true, set the client ID if required.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "azure_client_secret": { "description": "If `azure_use_managed_identity` is true, set the client secret if required.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "azure_tenant_id": { "description": "If `azure_use_managed_identity` is true, set the tenant ID if required.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "content_safety_key": { "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.", - "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "required": false, + "encrypted": true } }, { 
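Review bot: `azure_client_secret` in this hunk is declared with only `description`, `required` and `type`, so unlike `content_safety_key` a few fields below it is neither `encrypted` nor `referenceable`. The same field in schemas/ai-proxy-advanced/3.9.x.json in this patch carries both flags, so the omission looks unintended and would presumably leave the client secret stored in clear and without vault-reference support. The field should gain `"referenceable": true, "encrypted": true`; because this file is downloaded from the schema API, the change has to be made in the plugin's schema source and re-pulled. The `content_safety_key` description also says "is true" where the API key is presumably needed when managed identity is off. The `config` field list continues outside this hunk.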
@@ -108,8 +111,8 @@ }, { "categories": { - "description": "Array of categories, and their thresholds, to measure on.", "type": "array", + "description": "Array of categories, and their thresholds, to measure on.", "elements": { "fields": [ { @@ -125,16 +128,16 @@ } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } }, { "reveal_failure_reason": { - "description": "Set true to tell the caller why their request was rejected, if so.", "type": "boolean", - "default": true + "default": true, + "description": "Set true to tell the caller why their request was rejected, if so." } }, { @@ -150,8 +153,8 @@ }, { "blocklist_names": { - "description": "Use these configured blocklists (in Azure Content Services) when inspecting content.", "type": "array", + "description": "Use these configured blocklists (in Azure Content Services) when inspecting content.", "elements": { "type": "string" } @@ -159,9 +162,9 @@ }, { "halt_on_blocklist_hit": { - "description": "Tells Azure to reject the request if any blocklist filter is hit.", "type": "boolean", - "default": true + "default": true, + "description": "Tells Azure to reject the request if any blocklist filter is hit." } } ], @@ -169,8 +172,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/ai-prompt-decorator/3.9.x.json b/schemas/ai-prompt-decorator/3.9.x.json index 5465e8bc..dae4a747 100644 --- a/schemas/ai-prompt-decorator/3.9.x.json +++ b/schemas/ai-prompt-decorator/3.9.x.json @@ -1,8 +1,15 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.prompts.prepend", + "config.prompts.append" + ] + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,7 +26,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { 
@@ -30,16 +38,14 @@ "fields": [ { "prepend": { - "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages.", "required": false, - "len_max": 15, "elements": { "fields": [ { "role": { - "default": "system", "type": "string", "required": true, + "default": "system", "one_of": [ "system", "assistant", @@ -49,31 +55,31 @@ }, { "content": { - "len_min": 1, - "type": "string", "len_max": 500, - "required": true + "required": true, + "type": "string", + "len_min": 1 } } ], - "required": false, - "type": "record" + "type": "record", + "required": false }, - "type": "array" + "len_max": 15, + "type": "array", + "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages." } }, { "append": { - "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages.", "required": false, - "len_max": 15, "elements": { "fields": [ { "role": { - "default": "system", "type": "string", "required": true, + "default": "system", "one_of": [ "system", "assistant", @@ -83,30 +89,32 @@ }, { "content": { - "len_min": 1, - "type": "string", "len_max": 500, - "required": true + "required": true, + "type": "string", + "len_min": 1 } } ], - "required": false, - "type": "record" + "type": "record", + "required": false }, - "type": "array" + "len_max": 15, + "type": "array", + "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages." } } ], - "required": false, - "type": "record" + "type": "record", + "required": false } }, { "max_request_body_size": { - "description": "max allowed body size allowed to be introspected", - "type": "integer", "gt": 0, - "default": 8192 + "type": "integer", + "default": 8192, + "description": "max allowed body size allowed to be introspected" } } ], 
@@ -114,13 +122,5 @@ "required": true } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.prompts.prepend", - "config.prompts.append" - ] - } ] } \ No newline at end of file diff --git a/schemas/ai-prompt-guard/3.9.x.json b/schemas/ai-prompt-guard/3.9.x.json index 83d1ea42..ff77367d 100644 --- a/schemas/ai-prompt-guard/3.9.x.json +++ b/schemas/ai-prompt-guard/3.9.x.json @@ -1,8 +1,27 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow_patterns", + "config.deny_patterns" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "config.allow_all_conversation_history", + "if_field": "config.match_all_roles", + "then_match": { + "eq": false + } + } + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,7 +38,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { 
@@ -28,51 +48,51 @@ { "allow_patterns": { "description": "Array of valid regex patterns, or valid questions from the 'user' role in chat.", - "required": false, - "len_max": 10, "elements": { - "len_min": 1, "len_max": 500, - "type": "string" + "type": "string", + "len_min": 1 }, - "type": "array" + "len_max": 10, + "type": "array", + "required": false } }, { "deny_patterns": { "description": "Array of invalid regex patterns, or invalid questions from the 'user' role in chat.", - "required": false, - "len_max": 10, "elements": { - "len_min": 1, "len_max": 500, - "type": "string" + "type": "string", + "len_min": 1 }, - "type": "array" + "len_max": 10, + "type": "array", + "required": false } }, { "allow_all_conversation_history": { - "description": "If true, will ignore all previous chat prompts from the conversation history.", "type": "boolean", - "required": true, - "default": false + "description": "If true, will ignore all previous chat prompts from the conversation history.", + "default": false, + "required": true } }, { "max_request_body_size": { - "description": "max allowed body size allowed to be introspected", - "type": "integer", "gt": 0, - "default": 8192 + "description": "max allowed body size allowed to be introspected", + "default": 8192, + "type": "integer" } }, { "match_all_roles": { - "description": "If true, will match all roles in addition to 'user' role in conversation history.", "type": "boolean", - "required": true, - "default": false + "description": "If true, will match all roles in addition to 'user' role in conversation history.", + "default": false, + "required": true } } ], 
@@ -80,25 +100,5 @@ "required": true } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.allow_patterns", - "config.deny_patterns" - ] - }, - { - "conditional": { - "if_field": "config.match_all_roles", - "if_match": { - "eq": true - }, - "then_field": "config.allow_all_conversation_history", - "then_match": { - "eq": false - } - } - } ] } \ No newline at end of file diff --git a/schemas/ai-prompt-template/3.9.x.json b/schemas/ai-prompt-template/3.9.x.json index 6c8f6ed5..5cef938c 100644 --- a/schemas/ai-prompt-template/3.9.x.json +++ b/schemas/ai-prompt-template/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,7 +21,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { 
@@ -27,53 +30,53 @@ "fields": [ { "templates": { + "required": true, "description": "Array of templates available to the request context.", "type": "array", - "required": true, "elements": { "fields": [ { "name": { - "description": "Unique name for the template, can be called with `{template://NAME}`", "type": "string", + "description": "Unique name for the template, can be called with `{template://NAME}`", "required": true } }, { "template": { - "description": "Template string for this request, supports mustache-style `{{placeholders}}`", "type": "string", + "description": "Template string for this request, supports mustache-style `{{placeholders}}`", "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } }, { "allow_untemplated_requests": { - "description": "Set true to allow requests that don't call or match any template.", - "type": "boolean", "required": true, - "default": true + "description": "Set true to allow requests that don't call or match any template.", + "default": true, + "type": "boolean" } }, { "log_original_request": { - "description": "Set true to add the original request to the Kong log plugin(s) output.", - "type": "boolean", "required": true, - "default": false + "description": "Set true to add the original request to the Kong log plugin(s) output.", + "default": false, + "type": "boolean" } }, { "max_request_body_size": { - "description": "max allowed body size allowed to be introspected", - "type": "integer", "gt": 0, - "default": 8192 + "description": "max allowed body size allowed to be introspected", + "default": 8192, + "type": "integer" } } ], @@ -81,8 +84,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/ai-proxy-advanced/3.9.x.json b/schemas/ai-proxy-advanced/3.9.x.json index 7be23c4c..a6982a16 100644 --- a/schemas/ai-proxy-advanced/3.9.x.json +++ b/schemas/ai-proxy-advanced/3.9.x.json 
@@ -1,8 +1,24 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.targets" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.targets", + "config.balancer" + ] + } + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,7 +35,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { @@ -67,60 +84,60 @@ }, { "hash_on_header": { - "description": "The header to use for consistent-hashing.", "type": "string", - "default": "X-Kong-LLM-Request-ID" + "default": "X-Kong-LLM-Request-ID", + "description": "The header to use for consistent-hashing." } }, { "slots": { - "description": "The number of slots in the load balancer algorithm.", - "type": "integer", "between": [ 10, 65536 ], - "default": 10000 + "type": "integer", + "default": 10000, + "description": "The number of slots in the load balancer algorithm." } }, { "retries": { - "description": "The number of retries to execute upon failure to proxy.", - "type": "integer", "between": [ 0, 32767 ], - "default": 5 + "type": "integer", + "default": 5, + "description": "The number of retries to execute upon failure to proxy." } }, { "connect_timeout": { - "type": "integer", "between": [ 1, 2147483646 ], + "type": "integer", "default": 60000 } }, { "write_timeout": { - "type": "integer", "between": [ 1, 2147483646 ], + "type": "integer", "default": 60000 } }, { "read_timeout": { - "type": "integer", "between": [ 1, 2147483646 ], + "type": "integer", "default": 60000 } } 
@@ -137,123 +154,123 @@ "fields": [ { "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", - "type": "string", "required": false, - "referenceable": true + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, + "type": "string" } }, { "header_value": { "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", - "required": false, - "type": "string", "referenceable": true, + "type": "string", + "required": false, "encrypted": true } }, { "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", - "type": "string", "required": false, - "referenceable": true + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, + "type": "string" } }, { "param_value": { "description": "Specify the full parameter value for 'param_name'.", - "required": false, - "type": "string", "referenceable": true, + "type": "string", + "required": false, "encrypted": true } }, { "param_location": { - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", - "type": "string", - "required": false, "one_of": [ "query", "body" - ] + ], + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "required": false, + "type": "string" } }, { "azure_use_managed_identity": { - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", - "type": "boolean", "required": false, - "default": false + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "default": 
false, + "type": "boolean" } }, { "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", - "type": "string", "required": false, - "referenceable": true + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, + "type": "string" } }, { "azure_client_secret": { "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", - "required": false, - "type": "string", "referenceable": true, + "type": "string", + "required": false, "encrypted": true } }, { "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", - "type": "string", "required": false, - "referenceable": true + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, + "type": "string" } }, { "gcp_use_service_account": { - "description": "Use service account auth for GCP-based providers and models.", - "type": "boolean", "required": false, - "default": false + "description": "Use service account auth for GCP-based providers and models.", + "default": false, + "type": "boolean" } }, { "gcp_service_account_json": { "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", - "required": false, - "type": "string", "referenceable": true, + "type": "string", + "required": false, "encrypted": true } }, { "aws_access_key_id": { "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", - "required": false, - "type": "string", "referenceable": true, + "type": "string", + "required": false, "encrypted": true } }, { "aws_secret_access_key": { "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", - "required": false, - "type": "string", "referenceable": true, + "type": "string", + "required": false, "encrypted": true } }, { "allow_override": { - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", - "type": "boolean", "required": false, - "default": false + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "default": false, + "type": "boolean" } } ], 
@@ -266,41 +283,36 @@ "fields": [ { "provider": { - "description": "AI provider format to use for embeddings API", - "type": "string", - "required": true, "one_of": [ "openai", "mistral" - ] + ], + "description": "AI provider format to use for embeddings API", + "required": true, + "type": "string" } }, { "name": { - "description": "Model name to execute.", "type": "string", - "required": true, - "one_of": [ - "text-embedding-3-large", - "text-embedding-3-small", - "mistral-embed" - ] + "description": "Model name to execute.", + "required": true } }, { "options": { - "description": "Key/value settings for the model", - "type": "record", "fields": [ { "upstream_url": { "description": "upstream url for the embeddings", - "type": "string", - "required": false + "required": false, + "type": "string" } } ], - "required": false + "type": "record", + "required": false, + "description": "Key/value settings for the model" } } ], @@ -318,37 +330,37 @@ "fields": [ { "strategy": { - "description": "which vector database driver to use", - "type": "string", - "required": true, "one_of": [ "redis" - ] + ], + "description": "which vector database driver to use", + "required": true, + "type": "string" } }, { "dimensions": { - "description": "the desired dimensionality for the vectors", "type": "integer", + "description": "the desired dimensionality for the vectors", "required": true } }, { "threshold": { - "description": "the default similarity threshold for accepting semantic search results (float)", "type": "number", + "description": "the default similarity threshold for accepting semantic search results (float)", "required": true } }, { "distance_metric": { - "description": "the distance metric to use for vector searches", - "type": "string", - "required": true, "one_of": [ "cosine", "euclidean" - ] + ], + "description": "the distance metric to use for vector searches", + "required": true, + "type": "string" } }, { 
@@ -356,115 +368,117 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { "password": { "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", "type": "string", - "encrypted": true, - "referenceable": true + "referenceable": true, + "encrypted": true } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "type": "string", - "encrypted": true, - "referenceable": true + "referenceable": true, + "encrypted": true } }, { "database": { "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer", - "default": 0 + "default": 0, + "type": "integer" } }, { "keepalive_pool_size": { - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer", "between": [ 1, 2147483646 ], - "default": 256 + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer" } }, { "keepalive_backlog": { - "description": "Limits the total number of opened connections for a pool. 
If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { 
@@ -480,144 +494,115 @@ }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", "required": true, - "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "type": "string" } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", - "len_min": 1 + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "description": "A string representing a host name, such as example.com.", "required": true, - "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "type": "string" } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", - "len_min": 1 + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { - "description": "If set to true, uses SSL to connect to Redis.", - "required": false, "type": "boolean", - "default": false + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "required": false } }, { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, "type": "boolean", - "default": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "required": false } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", "required": false } }, { "cluster_max_redirections": { - "description": "Maximum retry attempts for redirection.", - "required": false, "type": "integer", - "default": 5 + "description": "Maximum retry attempts for redirection.", + "default": 5, + "required": false } }, { "connection_is_proxied": { - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "required": false, "type": "boolean", - "default": false + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "default": false, + "required": false } } ], + "required": true, "entity_checks": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } + "mutually_required": [ + "host", + "port" + ] }, { "mutually_required": [ @@ -626,12 +611,6 @@ "sentinel_nodes" ] }, - { - "mutually_required": [ - "host", - "port" - ] - }, { "mutually_required": [ "connect_timeout", @@ -641,14 +620,14 @@ }, { "conditional": { - "if_field": "connection_is_proxied", - "then_match": { - "required": true - }, "if_match": { "eq": true }, - "then_field": "host" + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } } }, { 
@@ -679,14 +658,13 @@ } } ], + "type": "record", "shorthand_fields": [ { "timeout": { - "type": "integer", - "translate_backwards": [ - "connect_timeout" - ], "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -703,27 +681,26 @@ "read_timeout" ] } - ], - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "sentinel_addresses": { "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ], - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } @@ -732,26 +709,24 @@ { "cluster_addresses": { "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ], - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } } } - ], - "required": true, - "type": "record" + ] } } ], 
@@ -759,19 +734,32 @@ "type": "record" } }, + { + "response_streaming": { + "required": false, + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "type": "string", + "default": "allow", + "one_of": [ + "allow", + "deny", + "always" + ] + } + }, { "max_request_body_size": { - "description": "max allowed body size allowed to be introspected", - "type": "integer", "gt": 0, - "default": 8192 + "type": "integer", + "default": 8192, + "description": "max allowed body size allowed to be introspected" } }, { "model_name_header": { - "description": "Display the model name selected in the X-Kong-LLM-Model response header", "type": "boolean", - "default": true + "default": true, + "description": "Display the model name selected in the X-Kong-LLM-Model response header" } }, { @@ -782,14 +770,14 @@ "fields": [ { "route_type": { - "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", - "type": "string", - "required": true, "one_of": [ "llm/v1/chat", "llm/v1/completions", "preserve" - ] + ], + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "required": true, + "type": "string" } }, { 
@@ -797,123 +785,123 @@ "fields": [ { "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", - "type": "string", "required": false, - "referenceable": true + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, + "type": "string" } }, { "header_value": { "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", - "required": false, - "type": "string", "referenceable": true, + "type": "string", + "required": false, "encrypted": true } }, { "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", - "type": "string", "required": false, - "referenceable": true + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, + "type": "string" } }, { "param_value": { "description": "Specify the full parameter value for 'param_name'.", - "required": false, - "type": "string", "referenceable": true, + "type": "string", + "required": false, "encrypted": true } }, { "param_location": { - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", - "type": "string", - "required": false, "one_of": [ "query", "body" - ] + ], + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "required": false, + "type": "string" } }, { "azure_use_managed_identity": { - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", - "type": "boolean", "required": false, - "default": false + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "default": 
false, + "type": "boolean" } }, { "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", - "type": "string", "required": false, - "referenceable": true + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, + "type": "string" } }, { "azure_client_secret": { "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", - "required": false, - "type": "string", "referenceable": true, + "type": "string", + "required": false, "encrypted": true } }, { "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", - "type": "string", "required": false, - "referenceable": true + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, + "type": "string" } }, { "gcp_use_service_account": { - "description": "Use service account auth for GCP-based providers and models.", - "type": "boolean", "required": false, - "default": false + "description": "Use service account auth for GCP-based providers and models.", + "default": false, + "type": "boolean" } }, { "gcp_service_account_json": { "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", - "required": false, - "type": "string", "referenceable": true, + "type": "string", + "required": false, "encrypted": true } }, { "aws_access_key_id": { "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", - "required": false, - "type": "string", "referenceable": true, + "type": "string", + "required": false, "encrypted": true } }, { "aws_secret_access_key": { "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", - "required": false, - "type": "string", "referenceable": true, + "type": "string", + "required": false, "encrypted": true } }, { "allow_override": { - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", - "type": "boolean", "required": false, - "default": false + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "default": false, + "type": "boolean" } } ], @@ -926,9 +914,6 @@ "fields": [ { "provider": { - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", - "type": "string", - "required": true, "one_of": [ "openai", "azure", 
@@ -938,135 +923,136 @@ "llama2", "gemini", "bedrock" - ] + ], + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "required": true, + "type": "string" } }, { "name": { - "description": "Model name to execute.", "type": "string", + "description": "Model name to execute.", "required": false } }, { "options": { - "description": "Key/value settings for the model", - "type": "record", "fields": [ { "max_tokens": { - "description": "Defines the max_tokens, if using chat or completion models.", - "type": "integer", "required": false, - "default": 256 + "description": "Defines the max_tokens, if using chat or completion models.", + "default": 256, + "type": "integer" } }, { "input_cost": { - "description": "Defines the cost per 1M tokens in your prompt.", - "type": "number", "gt": 0, - "required": false + "description": "Defines the cost per 1M tokens in your prompt.", + "required": false, + "type": "number" } }, { "output_cost": { - "description": "Defines the cost per 1M tokens in the output of the AI.", - "type": "number", "gt": 0, - "required": false + "description": "Defines the cost per 1M tokens in the output of the AI.", + "required": false, + "type": "number" } }, { "temperature": { - "description": "Defines the matching temperature, if using chat or completion models.", - "type": "number", "between": [ 0, 5 ], - "required": false + "description": "Defines the matching temperature, if using chat or completion models.", + "required": false, + "type": "number" } }, { "top_p": { - "description": "Defines the top-p probability mass, if supported.", - "type": "number", "between": [ 0, 1 ], - "required": false + "description": "Defines the top-p probability mass, if supported.", + "required": false, + "type": "number" } }, { "top_k": { - "description": "Defines the top-k most likely tokens, if supported.", - "type": "integer", "between": [ 0, 500 ], - "required": false + "description": 
"Defines the top-k most likely tokens, if supported.", + "required": false, + "type": "integer" } }, { "anthropic_version": { - "description": "Defines the schema/API version, if using Anthropic provider.", "type": "string", + "description": "Defines the schema/API version, if using Anthropic provider.", "required": false } }, { "azure_instance": { - "description": "Instance name for Azure OpenAI hosted models.", "type": "string", + "description": "Instance name for Azure OpenAI hosted models.", "required": false } }, { "azure_api_version": { - "description": "'api-version' for Azure OpenAI instances.", - "type": "string", "required": false, - "default": "2023-05-15" + "description": "'api-version' for Azure OpenAI instances.", + "default": "2023-05-15", + "type": "string" } }, { "azure_deployment_id": { - "description": "Deployment ID for Azure OpenAI instances.", "type": "string", + "description": "Deployment ID for Azure OpenAI instances.", "required": false } }, { "llama2_format": { - "description": "If using llama2 provider, select the upstream message format.", - "type": "string", - "required": false, "one_of": [ "raw", "openai", "ollama" - ] + ], + "description": "If using llama2 provider, select the upstream message format.", + "required": false, + "type": "string" } }, { "mistral_format": { - "description": "If using mistral provider, select the upstream message format.", - "type": "string", - "required": false, "one_of": [ "openai", "ollama" - ] + ], + "description": "If using mistral provider, select the upstream message format.", + "required": false, + "type": "string" } }, { "upstream_url": { - "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", "required": false, - "type": "string" + "type": "string", + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running 
via a private endpoint." } }, { @@ -1081,22 +1067,22 @@ "fields": [ { "api_endpoint": { - "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", "type": "string", + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", "required": false } }, { "project_id": { - "description": "If running Gemini on Vertex, specify the project ID.", "type": "string", + "description": "If running Gemini on Vertex, specify the project ID.", "required": false } }, { "location_id": { - "description": "If running Gemini on Vertex, specify the location ID.", "type": "string", + "description": "If running Gemini on Vertex, specify the location ID.", "required": false } } @@ -1130,7 +1116,9 @@ } } ], - "required": false + "type": "record", + "required": false, + "description": "Key/value settings for the model" } } ], @@ -1140,20 +1128,20 @@ }, { "weight": { - "description": "The weight this target gets within the upstream loadbalancer (1-65535).", - "type": "integer", "between": [ 1, 65535 ], - "default": 100 + "type": "integer", + "default": 100, + "description": "The weight this target gets within the upstream loadbalancer (1-65535)." } }, { "description": { "description": "The semantic description of the target, required if using semantic load balancing.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { 
@@ -1161,18 +1149,18 @@ "fields": [ { "log_statistics": { - "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", - "type": "boolean", "required": true, - "default": false + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "default": false, + "type": "boolean" } }, { "log_payloads": { - "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", - "type": "boolean", "required": true, - "default": false + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "default": false, + "type": "boolean" } } ], @@ -1185,15 +1173,15 @@ "entity_checks": [ { "conditional": { + "then_err": "bedrock and gemini only support auth.allow_override = false", "if_match": { "one_of": [ "bedrock", "gemini" ] }, - "if_field": "model.provider", - "then_err": "bedrock and gemini only support auth.allow_override = false", "then_field": "auth.allow_override", + "if_field": "model.provider", "then_match": { "eq": false } 
@@ -1214,100 +1202,100 @@ }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.llama2_format" - ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for llama2 provider" + "then_err": "must set %s for llama2 provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.mistral_format" - ], "if_match": { "one_of": [ "mistral" ] }, - "then_err": "must set %s for mistral provider" + "then_err": "must set %s for mistral provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.anthropic_version" - ], "if_match": { "one_of": [ "anthropic" ] }, - "then_err": "must set %s for anthropic provider" + "then_err": "must set %s for anthropic provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_instance" - ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider" + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_api_version" - ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider" + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ 
- "model.options.azure_deployment_id" - ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider" + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.upstream_url" - ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for self-hosted providers/models" + "then_err": "must set %s for self-hosted providers/models", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ] } }, { @@ -1319,7 +1307,8 @@ ] } } - ] + ], + "required": true } } } @@ -1328,22 +1317,5 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.targets" - ] - } - }, - { - "custom_entity_check": { - "field_sources": [ - "config.targets", - "config.balancer" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/ai-proxy/3.9.x.json b/schemas/ai-proxy/3.9.x.json index 46d054a9..30f41ce9 100644 --- a/schemas/ai-proxy/3.9.x.json +++ b/schemas/ai-proxy/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,7 +21,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { @@ -27,14 +30,14 @@ "fields": [ { "route_type": { - "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", - "type": "string", - "required": true, "one_of": [ "llm/v1/chat", "llm/v1/completions", "preserve" - ] + ], + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "required": true, + "type": "string" } }, { 
@@ -42,123 +45,123 @@ "fields": [ { "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", - "type": "string", "required": false, - "referenceable": true + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, + "type": "string" } }, { "header_value": { "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", - "required": false, - "type": "string", "referenceable": true, + "type": "string", + "required": false, "encrypted": true } }, { "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", - "type": "string", "required": false, - "referenceable": true + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, + "type": "string" } }, { "param_value": { "description": "Specify the full parameter value for 'param_name'.", - "required": false, - "type": "string", "referenceable": true, + "type": "string", + "required": false, "encrypted": true } }, { "param_location": { - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", - "type": "string", - "required": false, "one_of": [ "query", "body" - ] + ], + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "required": false, + "type": "string" } }, { "azure_use_managed_identity": { - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", - "type": "boolean", "required": false, - "default": false + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "default": 
false, + "type": "boolean" } }, { "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", - "type": "string", "required": false, - "referenceable": true + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, + "type": "string" } }, { "azure_client_secret": { "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", - "required": false, - "type": "string", "referenceable": true, + "type": "string", + "required": false, "encrypted": true } }, { "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", - "type": "string", "required": false, - "referenceable": true + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, + "type": "string" } }, { "gcp_use_service_account": { - "description": "Use service account auth for GCP-based providers and models.", - "type": "boolean", "required": false, - "default": false + "description": "Use service account auth for GCP-based providers and models.", + "default": false, + "type": "boolean" } }, { "gcp_service_account_json": { "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", - "required": false, - "type": "string", "referenceable": true, + "type": "string", + "required": false, "encrypted": true } }, { "aws_access_key_id": { "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", - "required": false, - "type": "string", "referenceable": true, + "type": "string", + "required": false, "encrypted": true } }, { "aws_secret_access_key": { "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", - "required": false, - "type": "string", "referenceable": true, + "type": "string", + "required": false, "encrypted": true } }, { "allow_override": { - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", - "type": "boolean", "required": false, - "default": false + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "default": false, + "type": "boolean" } } ], @@ -171,9 +174,6 @@ "fields": [ { "provider": { - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", - "type": "string", - "required": true, "one_of": [ "openai", "azure", 
@@ -183,135 +183,136 @@ "llama2", "gemini", "bedrock" - ] + ], + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "required": true, + "type": "string" } }, { "name": { - "description": "Model name to execute.", "type": "string", + "description": "Model name to execute.", "required": false } }, { "options": { - "description": "Key/value settings for the model", - "type": "record", "fields": [ { "max_tokens": { - "description": "Defines the max_tokens, if using chat or completion models.", - "type": "integer", "required": false, - "default": 256 + "description": "Defines the max_tokens, if using chat or completion models.", + "default": 256, + "type": "integer" } }, { "input_cost": { - "description": "Defines the cost per 1M tokens in your prompt.", - "type": "number", "gt": 0, - "required": false + "description": "Defines the cost per 1M tokens in your prompt.", + "required": false, + "type": "number" } }, { "output_cost": { - "description": "Defines the cost per 1M tokens in the output of the AI.", - "type": "number", "gt": 0, - "required": false + "description": "Defines the cost per 1M tokens in the output of the AI.", + "required": false, + "type": "number" } }, { "temperature": { - "description": "Defines the matching temperature, if using chat or completion models.", - "type": "number", "between": [ 0, 5 ], - "required": false + "description": "Defines the matching temperature, if using chat or completion models.", + "required": false, + "type": "number" } }, { "top_p": { - "description": "Defines the top-p probability mass, if supported.", - "type": "number", "between": [ 0, 1 ], - "required": false + "description": "Defines the top-p probability mass, if supported.", + "required": false, + "type": "number" } }, { "top_k": { - "description": "Defines the top-k most likely tokens, if supported.", - "type": "integer", "between": [ 0, 500 ], - "required": false + "description": 
"Defines the top-k most likely tokens, if supported.", + "required": false, + "type": "integer" } }, { "anthropic_version": { - "description": "Defines the schema/API version, if using Anthropic provider.", "type": "string", + "description": "Defines the schema/API version, if using Anthropic provider.", "required": false } }, { "azure_instance": { - "description": "Instance name for Azure OpenAI hosted models.", "type": "string", + "description": "Instance name for Azure OpenAI hosted models.", "required": false } }, { "azure_api_version": { - "description": "'api-version' for Azure OpenAI instances.", - "type": "string", "required": false, - "default": "2023-05-15" + "description": "'api-version' for Azure OpenAI instances.", + "default": "2023-05-15", + "type": "string" } }, { "azure_deployment_id": { - "description": "Deployment ID for Azure OpenAI instances.", "type": "string", + "description": "Deployment ID for Azure OpenAI instances.", "required": false } }, { "llama2_format": { - "description": "If using llama2 provider, select the upstream message format.", - "type": "string", - "required": false, "one_of": [ "raw", "openai", "ollama" - ] + ], + "description": "If using llama2 provider, select the upstream message format.", + "required": false, + "type": "string" } }, { "mistral_format": { - "description": "If using mistral provider, select the upstream message format.", - "type": "string", - "required": false, "one_of": [ "openai", "ollama" - ] + ], + "description": "If using mistral provider, select the upstream message format.", + "required": false, + "type": "string" } }, { "upstream_url": { - "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", "required": false, - "type": "string" + "type": "string", + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running 
via a private endpoint." } }, { @@ -326,22 +327,22 @@ "fields": [ { "api_endpoint": { - "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", "type": "string", + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", "required": false } }, { "project_id": { - "description": "If running Gemini on Vertex, specify the project ID.", "type": "string", + "description": "If running Gemini on Vertex, specify the project ID.", "required": false } }, { "location_id": { - "description": "If running Gemini on Vertex, specify the location ID.", "type": "string", + "description": "If running Gemini on Vertex, specify the location ID.", "required": false } } @@ -375,7 +376,9 @@ } } ], - "required": false + "type": "record", + "required": false, + "description": "Key/value settings for the model" } } ], @@ -388,18 +391,18 @@ "fields": [ { "log_statistics": { - "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", - "type": "boolean", "required": true, - "default": false + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "default": false, + "type": "boolean" } }, { "log_payloads": { - "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", - "type": "boolean", "required": true, - "default": false + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "default": false, + "type": "boolean" } } ], 
@@ -409,30 +412,30 @@ }, { "response_streaming": { - "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", "required": false, + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "type": "string", + "default": "allow", "one_of": [ "allow", "deny", "always" - ], - "type": "string", - "default": "allow" + ] } }, { "max_request_body_size": { - "description": "max allowed body size allowed to be introspected", - "type": "integer", "gt": 0, - "default": 8192 + "description": "max allowed body size allowed to be introspected", + "default": 8192, + "type": "integer" } }, { "model_name_header": { "description": "Display the model name selected in the X-Kong-LLM-Model response header", - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } } ], @@ -440,15 +443,15 @@ "entity_checks": [ { "conditional": { + "then_err": "bedrock and gemini only support auth.allow_override = false", "if_match": { "one_of": [ "bedrock", "gemini" ] }, - "if_field": "model.provider", - "then_err": "bedrock and gemini only support auth.allow_override = false", "then_field": "auth.allow_override", + "if_field": "model.provider", "then_match": { "eq": false } 
@@ -469,100 +472,100 @@ }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.llama2_format" - ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for llama2 provider" + "then_err": "must set %s for llama2 provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.mistral_format" - ], "if_match": { "one_of": [ "mistral" ] }, - "then_err": "must set %s for mistral provider" + "then_err": "must set %s for mistral provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.anthropic_version" - ], "if_match": { "one_of": [ "anthropic" ] }, - "then_err": "must set %s for anthropic provider" + "then_err": "must set %s for anthropic provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_instance" - ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider" + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_api_version" - ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider" + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - 
"model.options.azure_deployment_id" - ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider" + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.upstream_url" - ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for self-hosted providers/models" + "then_err": "must set %s for self-hosted providers/models", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ] } }, { @@ -578,8 +581,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/ai-rate-limiting-advanced/3.9.x.json b/schemas/ai-rate-limiting-advanced/3.9.x.json index 7564c293..d3dc66fe 100644 --- a/schemas/ai-rate-limiting-advanced/3.9.x.json +++ b/schemas/ai-rate-limiting-advanced/3.9.x.json @@ -1,8 +1,16 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,7 +27,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { @@ -29,6 +38,8 @@ "identifier": { "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", "required": true, + "type": "string", + "default": "consumer", "one_of": [ "ip", "credential", @@ -37,9 +48,7 @@ "header", "path", "consumer-group" - ], - "type": "string", - "default": "consumer" + ] } }, { 
@@ -55,22 +64,22 @@ }, { "sync_rate": { - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", - "type": "number" + "type": "number", + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." } }, { "llm_providers": { - "description": "The provider config. Takes an array of `name`, `limit` and `window size` values.", "type": "array", + "description": "The provider config. Takes an array of `name`, `limit` and `window size` values.", "required": true, "elements": { "fields": [ { "window_size": { + "required": true, "description": "The window size to apply a limit (defined in seconds).", - "type": "number", - "required": true + "type": "number" } }, { @@ -93,9 +102,9 @@ }, { "limit": { + "required": true, "description": "The limit applies to the LLM provider within the defined window size. It used the query cost from the tokens to increment the counter.", - "type": "number", - "required": true + "type": "number" } } ], 
@@ -107,35 +116,35 @@ "strategy": { "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "required": true, + "type": "string", + "default": "local", "one_of": [ "cluster", "redis", "local" - ], - "type": "string", - "default": "local" + ] } }, { "dictionary_name": { "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", "type": "string", - "required": true, - "default": "kong_rate_limiting_counters" + "default": "kong_rate_limiting_counters", + "required": true } }, { "hide_client_headers": { - "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", "type": "boolean", - "default": false + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters." } }, { "retry_after_jitter_max": { - "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", "type": "number", - "default": 0 + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header." } }, { 
@@ -146,15 +155,15 @@ }, { "path": { + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "type": "string", - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "type": "string" } }, { 
@@ -162,58 +171,60 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { 
@@ -227,8 +238,8 @@ { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { 
@@ -242,29 +253,29 @@ { "database": { "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer", - "default": 0 + "default": 0, + "type": "integer" } }, { "keepalive_pool_size": { - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer", "between": [ 1, 2147483646 ], - "default": 256 + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer" } }, { "keepalive_backlog": { - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { 
@@ -275,155 +286,126 @@ }, { "sentinel_role": { - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_nodes": { "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "required": false, "elements": { "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", + "required": false, "len_min": 1 } }, { "cluster_nodes": { "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", - "required": false, "elements": { "fields": [ { "ip": { - "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", + "required": false, "len_min": 1 } }, { "ssl": { - "description": "If set to true, uses SSL to connect to Redis.", "required": false, - "type": "boolean", - "default": false + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "type": "boolean" } }, { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, - "type": "boolean", - "default": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string", "required": false, - "type": "string" + "description": "A string representing an SNI (server name indication) value for TLS." 
} }, { "cluster_max_redirections": { - "description": "Maximum retry attempts for redirection.", "required": false, - "type": "integer", - "default": 5 + "description": "Maximum retry attempts for redirection.", + "default": 5, + "type": "integer" } }, { "connection_is_proxied": { - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "required": false, - "type": "boolean", - "default": false + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "default": false, + "type": "boolean" } } ], + "required": true, "entity_checks": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } + "mutually_required": [ + "host", + "port" + ] }, { "mutually_required": [ @@ -432,12 +414,6 @@ "sentinel_nodes" ] }, - { - "mutually_required": [ - "host", - "port" - ] - }, { "mutually_required": [ "connect_timeout", @@ -447,11 +423,11 @@ }, { "conditional": { - "if_field": "connection_is_proxied", "if_match": { "eq": true }, "then_field": "host", + "if_field": "connection_is_proxied", "then_match": { "required": true } @@ -489,11 +465,9 @@ "shorthand_fields": [ { "timeout": { - "type": "integer", - "translate_backwards": [ - "connect_timeout" - ], "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
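Review bot: The `redis` record's `entity_checks` lose all three `mutually_exclusive_sets` rules in this hunk (`host`/`port` vs. the `sentinel_*` fields, `sentinel_*` vs. `cluster_nodes`, `cluster_nodes` vs. `host`/`port`), while hunk `@@ -162,58 +171,60 @@` of the same file gives `host` and `port` defaults of `127.0.0.1` and `6379`. By this schema, a config that sets `sentinel_nodes` or `cluster_nodes` therefore always carries a standalone address as well, and nothing visible says which target the plugin connects to. Presumably the exclusivity rules were dropped because the new defaults would always trip them, but that should be confirmed against the upstream schema rather than inferred from the export. Because these files are pulled from the API, the fix belongs in the rendered reference: state the precedence next to `host`/`port`, for example `"Ignored when sentinel_nodes or cluster_nodes is set."` if that matches upstream behaviour. The `redis` record continues past this hunk.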
@@ -510,27 +484,26 @@ "read_timeout" ] } - ], - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "sentinel_addresses": { "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ], - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } 
@@ -539,75 +512,74 @@ { "cluster_addresses": { "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ], - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } } } - ], - "required": true + ] } }, { "disable_penalty": { - "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type and the request prompt provider.", "type": "boolean", - "default": false + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type and the request prompt provider." } }, { "request_prompt_count_function": { - "description": "If defined, it use custom function to count requests for the request prompt provider", "type": "string", + "description": "If defined, it use custom function to count requests for the request prompt provider", "required": false } }, { "error_code": { - "description": "Set a custom error code to return when the rate limit is exceeded.", - "type": "number", "gt": 0, - "default": 429 + "description": "Set a custom error code to return when the rate limit is exceeded.", + "default": 429, + "type": "number" } }, { "error_message": { - "description": "Set a custom error message to return when the rate limit is exceeded.", "type": "string", - "default": "API rate limit exceeded for provider(s): " + "default": "AI token rate limit exceeded for provider(s): ", + "description": "Set a custom error message to return when the rate limit is exceeded." 
} }, { "error_hide_providers": { - "description": "Optionally hide informative response that would otherwise provide information about the provider in the error message.", "type": "boolean", - "default": false + "default": false, + "description": "Optionally hide informative response that would otherwise provide information about the provider in the error message." } }, { "tokens_count_strategy": { "description": "What tokens to use for cost calculation. Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` or `cost`.", "required": true, + "type": "string", + "default": "total_tokens", "one_of": [ "total_tokens", "prompt_tokens", "completion_tokens", "cost" - ], - "type": "string", - "default": "total_tokens" + ] } } ], @@ -615,14 +587,5 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/ai-request-transformer/3.9.x.json b/schemas/ai-request-transformer/3.9.x.json index e1f190ab..4f2435bb 100644 --- a/schemas/ai-request-transformer/3.9.x.json +++ b/schemas/ai-request-transformer/3.9.x.json @@ -1,8 +1,36 @@ { + "entity_checks": [ + { + "conditional": { + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "then_field": "config.llm.route_type", + "if_field": "config.llm.route_type", + "then_match": { + "eq": "llm/v1/chat" + } + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
@@ -19,14 +47,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -49,26 +78,26 @@ }, { "http_timeout": { - "description": "Timeout in milliseconds for the AI upstream service.", - "type": "integer", "required": true, - "default": 60000 + "description": "Timeout in milliseconds for the AI upstream service.", + "default": 60000, + "type": "integer" } }, { "https_verify": { - "description": "Verify the TLS certificate of the AI upstream service.", - "type": "boolean", "required": true, - "default": true + "description": "Verify the TLS certificate of the AI upstream service.", + "default": true, + "type": "boolean" } }, { "max_request_body_size": { - "description": "max allowed body size allowed to be introspected", - "type": "integer", "gt": 0, - "default": 8192 + "description": "max allowed body size allowed to be introspected", + "default": 8192, + "type": "integer" } }, { @@ -79,12 +108,12 @@ }, { "http_proxy_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { @@ -95,12 +124,12 @@ }, { "https_proxy_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { 
@@ -108,8 +137,8 @@ "fields": [ { "route_type": { - "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", "type": "string", + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", "required": true, "one_of": [ "llm/v1/chat", 
@@ -123,42 +152,42 @@ "fields": [ { "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "type": "string", - "required": false, - "referenceable": true + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, + "required": false } }, { "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "encrypted": true } }, { "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", "type": "string", - "required": false, - "referenceable": true + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, + "required": false } }, { "param_value": { - "description": "Specify the full parameter value for 'param_name'.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "Specify the full parameter value for 'param_name'.", + "encrypted": true } }, { "param_location": { - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "type": "string", + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "required": false, "one_of": [ "query", 
@@ -168,78 +197,78 @@ }, { "azure_use_managed_identity": { - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "type": "boolean", - "required": false, - "default": false + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "default": false, + "required": false } }, { "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "type": "string", - "required": false, - "referenceable": true + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, + "required": false } }, { "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "encrypted": true } }, { "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "type": "string", - "required": false, - "referenceable": true + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, + "required": false } }, { "gcp_use_service_account": { - "description": "Use service account auth for GCP-based providers and models.", "type": "boolean", - 
"required": false, - "default": false + "description": "Use service account auth for GCP-based providers and models.", + "default": false, + "required": false } }, { "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "encrypted": true } }, { "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "encrypted": true } }, { "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "encrypted": true } }, { "allow_override": { - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "type": "boolean", - "required": false, - "default": false + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "default": false, + "required": false } } ], @@ -252,8 +281,8 @@ "fields": [ { "provider": { - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "type": "string", + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "required": true, "one_of": [ "openai", 
@@ -269,107 +298,104 @@ }, { "name": { - "description": "Model name to execute.", + "required": false, "type": "string", - "required": false + "description": "Model name to execute." } }, { "options": { - "description": "Key/value settings for the model", - "type": "record", - "required": false, "fields": [ { "max_tokens": { - "description": "Defines the max_tokens, if using chat or completion models.", "type": "integer", - "required": false, - "default": 256 + "description": "Defines the max_tokens, if using chat or completion models.", + "default": 256, + "required": false } }, { "input_cost": { + "gt": 0, "description": "Defines the cost per 1M tokens in your prompt.", "type": "number", - "gt": 0, "required": false } }, { "output_cost": { + "gt": 0, "description": "Defines the cost per 1M tokens in the output of the AI.", "type": "number", - "gt": 0, "required": false } }, { "temperature": { - "description": "Defines the matching temperature, if using chat or completion models.", - "type": "number", "between": [ 0, 5 ], + "description": "Defines the matching temperature, if using chat or completion models.", + "type": "number", "required": false } }, { "top_p": { - "description": "Defines the top-p probability mass, if supported.", - "type": "number", "between": [ 0, 1 ], + "description": "Defines the top-p probability mass, if supported.", + "type": "number", "required": false } }, { "top_k": { - "description": "Defines the top-k most likely tokens, if supported.", - "type": "integer", "between": [ 0, 500 ], + "description": "Defines the top-k most likely tokens, if supported.", + "type": "integer", "required": false } }, { "anthropic_version": { - "description": "Defines the schema/API version, if using Anthropic provider.", + "required": false, "type": "string", - "required": false + "description": "Defines the schema/API version, if using Anthropic provider." 
} }, { "azure_instance": { - "description": "Instance name for Azure OpenAI hosted models.", + "required": false, "type": "string", - "required": false + "description": "Instance name for Azure OpenAI hosted models." } }, { "azure_api_version": { - "description": "'api-version' for Azure OpenAI instances.", "type": "string", - "required": false, - "default": "2023-05-15" + "description": "'api-version' for Azure OpenAI instances.", + "default": "2023-05-15", + "required": false } }, { "azure_deployment_id": { - "description": "Deployment ID for Azure OpenAI instances.", + "required": false, "type": "string", - "required": false + "description": "Deployment ID for Azure OpenAI instances." } }, { "llama2_format": { - "description": "If using llama2 provider, select the upstream message format.", "type": "string", + "description": "If using llama2 provider, select the upstream message format.", "required": false, "one_of": [ "raw", @@ -380,8 +406,8 @@ }, { "mistral_format": { - "description": "If using mistral provider, select the upstream message format.", "type": "string", + "description": "If using mistral provider, select the upstream message format.", "required": false, "one_of": [ "openai", @@ -391,16 +417,16 @@ }, { "upstream_url": { - "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", "required": false, + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", "type": "string" } }, { "upstream_path": { + "required": false, "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", - "type": "string", - "required": false + "type": "string" } }, { 
@@ -408,28 +434,27 @@ "fields": [ { "api_endpoint": { - "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "required": false, "type": "string", - "required": false + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only)." } }, { "project_id": { - "description": "If running Gemini on Vertex, specify the project ID.", + "required": false, "type": "string", - "required": false + "description": "If running Gemini on Vertex, specify the project ID." } }, { "location_id": { - "description": "If running Gemini on Vertex, specify the location ID.", + "required": false, "type": "string", - "required": false + "description": "If running Gemini on Vertex, specify the location ID." } } ], "required": false, - "type": "record", "entity_checks": [ { "mutually_required": [ @@ -438,7 +463,8 @@ "location_id" ] } - ] + ], + "type": "record" } }, { @@ -446,9 +472,9 @@ "fields": [ { "aws_region": { + "required": false, "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", - "type": "string", - "required": false + "type": "string" } } ], @@ -456,7 +482,10 @@ "type": "record" } } - ] + ], + "type": "record", + "description": "Key/value settings for the model", + "required": false } } ], 
@@ -469,18 +498,18 @@ "fields": [ { "log_statistics": { - "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", "type": "boolean", - "required": true, - "default": false + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "default": false, + "required": true } }, { "log_payloads": { - "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", "type": "boolean", - "required": true, - "default": false + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "default": false, + "required": true } } ], @@ -493,18 +522,18 @@ "entity_checks": [ { "conditional": { + "then_err": "bedrock and gemini only support auth.allow_override = false", "if_match": { "one_of": [ "bedrock", "gemini" ] }, + "then_field": "auth.allow_override", "if_field": "model.provider", - "then_err": "bedrock and gemini only support auth.allow_override = false", "then_match": { "eq": false - }, - "then_field": "auth.allow_override" + } } }, { 
@@ -522,100 +551,100 @@ }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.llama2_format" - ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for llama2 provider" + "then_err": "must set %s for llama2 provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.mistral_format" - ], "if_match": { "one_of": [ "mistral" ] }, - "then_err": "must set %s for mistral provider" + "then_err": "must set %s for mistral provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.anthropic_version" - ], "if_match": { "one_of": [ "anthropic" ] }, - "then_err": "must set %s for anthropic provider" + "then_err": "must set %s for anthropic provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_instance" - ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider" + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_api_version" - ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider" + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - 
"model.options.azure_deployment_id" - ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider" + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.upstream_url" - ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for self-hosted providers/models" + "then_err": "must set %s for self-hosted providers/models", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ] } }, { @@ -636,34 +665,5 @@ "required": true } } - ], - "entity_checks": [ - { - "conditional": { - "then_field": "config.llm.route_type", - "if_field": "config.llm.route_type", - "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", - "if_match": { - "not_one_of": [ - "llm/v1/chat" - ] - }, - "then_match": { - "eq": "llm/v1/chat" - } - } - }, - { - "mutually_required": [ - "config.http_proxy_host", - "config.http_proxy_port" - ] - }, - { - "mutually_required": [ - "config.https_proxy_host", - "config.https_proxy_port" - ] - } ] } \ No newline at end of file diff --git a/schemas/ai-response-transformer/3.9.x.json b/schemas/ai-response-transformer/3.9.x.json index e7158ea7..245cf031 100644 --- a/schemas/ai-response-transformer/3.9.x.json +++ b/schemas/ai-response-transformer/3.9.x.json 
@@ -1,8 +1,36 @@ { + "entity_checks": [ + { + "conditional": { + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "then_field": "config.llm.route_type", + "if_field": "config.llm.route_type", + "then_match": { + "eq": "llm/v1/chat" + } + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,7 +47,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { 
@@ -28,47 +57,47 @@ { "prompt": { "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "transformation_extract_pattern": { "description": "Defines the regular expression that must match to indicate a successful AI transformation at the response phase. The first match will be set as the returning body. If the AI service's response doesn't match this pattern, a failure is returned to the client.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "parse_llm_response_json_instructions": { - "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions.", - "type": "boolean", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions." } }, { "http_timeout": { - "description": "Timeout in milliseconds for the AI upstream service.", - "type": "integer", "required": true, - "default": 60000 + "type": "integer", + "default": 60000, + "description": "Timeout in milliseconds for the AI upstream service." } }, { "https_verify": { - "description": "Verify the TLS certificate of the AI upstream service.", - "type": "boolean", "required": true, - "default": true + "type": "boolean", + "default": true, + "description": "Verify the TLS certificate of the AI upstream service." 
} }, { "max_request_body_size": { - "description": "max allowed body size allowed to be introspected", - "type": "integer", "gt": 0, - "default": 8192 + "type": "integer", + "default": 8192, + "description": "max allowed body size allowed to be introspected" } }, { @@ -79,12 +108,12 @@ }, { "http_proxy_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { @@ -95,12 +124,12 @@ }, { "https_proxy_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { @@ -108,8 +137,8 @@ "fields": [ { "route_type": { - "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", "type": "string", + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", "required": true, "one_of": [ "llm/v1/chat", 
@@ -123,42 +152,42 @@ "fields": [ { "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "type": "string", - "required": false, - "referenceable": true + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, + "required": false } }, { "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "encrypted": true } }, { "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", "type": "string", - "required": false, - "referenceable": true + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, + "required": false } }, { "param_value": { - "description": "Specify the full parameter value for 'param_name'.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "Specify the full parameter value for 'param_name'.", + "encrypted": true } }, { "param_location": { - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "type": "string", + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "required": false, "one_of": [ "query", 
@@ -168,78 +197,78 @@ }, { "azure_use_managed_identity": { - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "type": "boolean", - "required": false, - "default": false + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "default": false, + "required": false } }, { "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "type": "string", - "required": false, - "referenceable": true + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, + "required": false } }, { "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "encrypted": true } }, { "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "type": "string", - "required": false, - "referenceable": true + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, + "required": false } }, { "gcp_use_service_account": { - "description": "Use service account auth for GCP-based providers and models.", "type": "boolean", - 
"required": false, - "default": false + "description": "Use service account auth for GCP-based providers and models.", + "default": false, + "required": false } }, { "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "encrypted": true } }, { "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "encrypted": true } }, { "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "encrypted": true } }, { "allow_override": { - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "type": "boolean", - "required": false, - "default": false + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "default": false, + "required": false } } ], @@ -252,8 +281,8 @@ "fields": [ { "provider": { - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "type": "string", + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "required": true, "one_of": [ "openai", 
@@ -269,107 +298,104 @@ }, { "name": { - "description": "Model name to execute.", + "required": false, "type": "string", - "required": false + "description": "Model name to execute." } }, { "options": { - "description": "Key/value settings for the model", - "type": "record", - "required": false, "fields": [ { "max_tokens": { - "description": "Defines the max_tokens, if using chat or completion models.", "type": "integer", - "required": false, - "default": 256 + "description": "Defines the max_tokens, if using chat or completion models.", + "default": 256, + "required": false } }, { "input_cost": { + "gt": 0, "description": "Defines the cost per 1M tokens in your prompt.", "type": "number", - "gt": 0, "required": false } }, { "output_cost": { + "gt": 0, "description": "Defines the cost per 1M tokens in the output of the AI.", "type": "number", - "gt": 0, "required": false } }, { "temperature": { - "description": "Defines the matching temperature, if using chat or completion models.", - "type": "number", "between": [ 0, 5 ], + "description": "Defines the matching temperature, if using chat or completion models.", + "type": "number", "required": false } }, { "top_p": { - "description": "Defines the top-p probability mass, if supported.", - "type": "number", "between": [ 0, 1 ], + "description": "Defines the top-p probability mass, if supported.", + "type": "number", "required": false } }, { "top_k": { - "description": "Defines the top-k most likely tokens, if supported.", - "type": "integer", "between": [ 0, 500 ], + "description": "Defines the top-k most likely tokens, if supported.", + "type": "integer", "required": false } }, { "anthropic_version": { - "description": "Defines the schema/API version, if using Anthropic provider.", + "required": false, "type": "string", - "required": false + "description": "Defines the schema/API version, if using Anthropic provider." 
} }, { "azure_instance": { - "description": "Instance name for Azure OpenAI hosted models.", + "required": false, "type": "string", - "required": false + "description": "Instance name for Azure OpenAI hosted models." } }, { "azure_api_version": { - "description": "'api-version' for Azure OpenAI instances.", "type": "string", - "required": false, - "default": "2023-05-15" + "description": "'api-version' for Azure OpenAI instances.", + "default": "2023-05-15", + "required": false } }, { "azure_deployment_id": { - "description": "Deployment ID for Azure OpenAI instances.", + "required": false, "type": "string", - "required": false + "description": "Deployment ID for Azure OpenAI instances." } }, { "llama2_format": { - "description": "If using llama2 provider, select the upstream message format.", "type": "string", + "description": "If using llama2 provider, select the upstream message format.", "required": false, "one_of": [ "raw", @@ -380,8 +406,8 @@ }, { "mistral_format": { - "description": "If using mistral provider, select the upstream message format.", "type": "string", + "description": "If using mistral provider, select the upstream message format.", "required": false, "one_of": [ "openai", @@ -391,16 +417,16 @@ }, { "upstream_url": { - "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", "required": false, + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", "type": "string" } }, { "upstream_path": { + "required": false, "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", - "type": "string", - "required": false + "type": "string" } }, { 
@@ -408,28 +434,27 @@ "fields": [ { "api_endpoint": { - "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "required": false, "type": "string", - "required": false + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only)." } }, { "project_id": { - "description": "If running Gemini on Vertex, specify the project ID.", + "required": false, "type": "string", - "required": false + "description": "If running Gemini on Vertex, specify the project ID." } }, { "location_id": { - "description": "If running Gemini on Vertex, specify the location ID.", + "required": false, "type": "string", - "required": false + "description": "If running Gemini on Vertex, specify the location ID." } } ], "required": false, - "type": "record", "entity_checks": [ { "mutually_required": [ @@ -438,7 +463,8 @@ "location_id" ] } - ] + ], + "type": "record" } }, { @@ -446,9 +472,9 @@ "fields": [ { "aws_region": { + "required": false, "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", - "type": "string", - "required": false + "type": "string" } } ], @@ -456,7 +482,10 @@ "type": "record" } } - ] + ], + "type": "record", + "description": "Key/value settings for the model", + "required": false } } ], 
@@ -469,18 +498,18 @@ "fields": [ { "log_statistics": { - "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", "type": "boolean", - "required": true, - "default": false + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "default": false, + "required": true } }, { "log_payloads": { - "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", "type": "boolean", - "required": true, - "default": false + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "default": false, + "required": true } } ], @@ -493,18 +522,18 @@ "entity_checks": [ { "conditional": { + "then_err": "bedrock and gemini only support auth.allow_override = false", "if_match": { "one_of": [ "bedrock", "gemini" ] }, + "then_field": "auth.allow_override", "if_field": "model.provider", - "then_err": "bedrock and gemini only support auth.allow_override = false", "then_match": { "eq": false - }, - "then_field": "auth.allow_override" + } } }, { 
@@ -522,100 +551,100 @@ }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.llama2_format" - ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for llama2 provider" + "then_err": "must set %s for llama2 provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.mistral_format" - ], "if_match": { "one_of": [ "mistral" ] }, - "then_err": "must set %s for mistral provider" + "then_err": "must set %s for mistral provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.anthropic_version" - ], "if_match": { "one_of": [ "anthropic" ] }, - "then_err": "must set %s for anthropic provider" + "then_err": "must set %s for anthropic provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_instance" - ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider" + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_api_version" - ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider" + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - 
"model.options.azure_deployment_id" - ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider" + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ] } }, { "conditional_at_least_one_of": { - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.upstream_url" - ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for self-hosted providers/models" + "then_err": "must set %s for self-hosted providers/models", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ] } }, { @@ -636,34 +665,5 @@ "required": true } } - ], - "entity_checks": [ - { - "conditional": { - "then_field": "config.llm.route_type", - "if_field": "config.llm.route_type", - "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", - "if_match": { - "not_one_of": [ - "llm/v1/chat" - ] - }, - "then_match": { - "eq": "llm/v1/chat" - } - } - }, - { - "mutually_required": [ - "config.http_proxy_host", - "config.http_proxy_port" - ] - }, - { - "mutually_required": [ - "config.https_proxy_host", - "config.https_proxy_port" - ] - } ] } \ No newline at end of file diff --git a/schemas/ai-semantic-cache/3.9.x.json b/schemas/ai-semantic-cache/3.9.x.json index 92f99f8a..32ef5abd 100644 --- a/schemas/ai-semantic-cache/3.9.x.json +++ b/schemas/ai-semantic-cache/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,15 +21,8 @@ "grpcs", "http", "https" - ] - } - }, - { - "consumer_group": { - "reference": "consumer_groups", - "eq": null, - "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + ], + "description": "A set of strings representing HTTP protocols." } }, { 
@@ -35,59 +30,66 @@ "fields": [ { "message_countback": { - "description": "Number of messages in the chat history to Vectorize/Cache", - "type": "number", "between": [ 1, 1000 ], - "default": 1 + "description": "Number of messages in the chat history to Vectorize/Cache", + "default": 1, + "type": "number" } }, { "ignore_system_prompts": { "description": "Ignore and discard any system prompts when Vectorizing the request", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "ignore_assistant_prompts": { "description": "Ignore and discard any assistant prompts when Vectorizing the request", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" + } + }, + { + "ignore_tool_prompts": { + "description": "Ignore and discard any tool prompts when Vectorizing the request", + "default": false, + "type": "boolean" } }, { "stop_on_failure": { - "description": "Halt the LLM request process in case of a caching system failure", - "required": true, "type": "boolean", - "default": false + "description": "Halt the LLM request process in case of a caching system failure", + "default": false, + "required": true } }, { "cache_ttl": { - "description": "TTL in seconds of cache entities. Must be a value greater than 0.", - "type": "integer", "gt": 0, - "default": 300 + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "default": 300, + "type": "integer" } }, { "cache_control": { - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", - "required": true, "type": "boolean", - "default": false + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "default": false, + "required": true } }, { "exact_caching": { - "description": "When enabled, a first check for exact query will be done. 
It will impact DB size", - "required": true, "type": "boolean", - "default": false + "description": "When enabled, a first check for exact query will be done. It will impact DB size", + "default": false, + "required": true } }, { @@ -98,42 +100,42 @@ "fields": [ { "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "type": "string", - "required": false, - "referenceable": true + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, + "required": false } }, { "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "encrypted": true } }, { "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", "type": "string", - "required": false, - "referenceable": true + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, + "required": false } }, { "param_value": { - "description": "Specify the full parameter value for 'param_name'.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "Specify the full parameter value for 'param_name'.", + "encrypted": true } }, { "param_location": { - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "type": "string", + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "required": false, "one_of": [ "query", 
@@ -143,78 +145,78 @@ }, { "azure_use_managed_identity": { - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "type": "boolean", - "required": false, - "default": false + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "default": false, + "required": false } }, { "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "type": "string", - "required": false, - "referenceable": true + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, + "required": false } }, { "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "encrypted": true } }, { "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "type": "string", - "required": false, - "referenceable": true + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, + "required": false } }, { "gcp_use_service_account": { - "description": "Use service account auth for GCP-based providers and models.", "type": "boolean", - 
"required": false, - "default": false + "description": "Use service account auth for GCP-based providers and models.", + "default": false, + "required": false } }, { "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "encrypted": true } }, { "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "encrypted": true } }, { "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "encrypted": true } }, { "allow_override": { - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "type": "boolean", - "required": false, - "default": false + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "default": false, + "required": false } } ], @@ -227,8 +229,8 @@ "fields": [ { "provider": { - "description": "AI provider format to use for embeddings API", "type": "string", + "description": "AI provider format to use for embeddings API", "required": true, "one_of": [ "openai", @@ -238,21 +240,13 @@ }, { "name": { - "description": "Model name to execute.", - "type": "string", "required": true, - "one_of": [ - "text-embedding-3-large", - "text-embedding-3-small", - "mistral-embed" - ] + "type": "string", + "description": "Model name to execute." } }, { "options": { - "description": "Key/value settings for the model", - "type": "record", - "required": false, "fields": [ { "upstream_url": { @@ -261,7 +255,10 @@ "required": false } } - ] + ], + "type": "record", + "description": "Key/value settings for the model", + "required": false } } ], @@ -279,8 +276,8 @@ "fields": [ { "strategy": { - "description": "which vector database driver to use", "type": "string", + "description": "which vector database driver to use", "required": true, "one_of": [ "redis" 
@@ -289,22 +286,22 @@ }, { "dimensions": { - "description": "the desired dimensionality for the vectors", + "required": true, "type": "integer", - "required": true + "description": "the desired dimensionality for the vectors" } }, { "threshold": { - "description": "the default similarity threshold for accepting semantic search results (float)", + "required": true, "type": "number", - "required": true + "description": "the default similarity threshold for accepting semantic search results (float)" } }, { "distance_metric": { - "description": "the distance metric to use for vector searches", "type": "string", + "description": "the distance metric to use for vector searches", "required": true, "one_of": [ "cosine", 
@@ -317,58 +314,60 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { 
@@ -382,8 +381,8 @@ { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { 
@@ -397,29 +396,29 @@ { "database": { "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer", - "default": 0 + "default": 0, + "type": "integer" } }, { "keepalive_pool_size": { - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer", "between": [ 1, 2147483646 ], - "default": 256 + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer" } }, { "keepalive_backlog": { - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { 
@@ -430,155 +429,126 @@ }, { "sentinel_role": { - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_nodes": { "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "required": false, "elements": { "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", + "required": false, "len_min": 1 } }, { "cluster_nodes": { "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", - "required": false, "elements": { "fields": [ { "ip": { - "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", + "required": false, "len_min": 1 } }, { "ssl": { - "description": "If set to true, uses SSL to connect to Redis.", "required": false, - "type": "boolean", - "default": false + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "type": "boolean" } }, { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, - "type": "boolean", - "default": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string", "required": false, - "type": "string" + "description": "A string representing an SNI (server name indication) value for TLS." 
} }, { "cluster_max_redirections": { - "description": "Maximum retry attempts for redirection.", "required": false, - "type": "integer", - "default": 5 + "description": "Maximum retry attempts for redirection.", + "default": 5, + "type": "integer" } }, { "connection_is_proxied": { - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "required": false, - "type": "boolean", - "default": false + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "default": false, + "type": "boolean" } } ], + "required": true, "entity_checks": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } + "mutually_required": [ + "host", + "port" + ] }, { "mutually_required": [ @@ -587,12 +557,6 @@ "sentinel_nodes" ] }, - { - "mutually_required": [ - "host", - "port" - ] - }, { "mutually_required": [ "connect_timeout", @@ -602,11 +566,11 @@ }, { "conditional": { - "if_field": "connection_is_proxied", "if_match": { "eq": true }, "then_field": "host", + "if_field": "connection_is_proxied", "then_match": { "required": true } @@ -644,11 +608,9 @@ "shorthand_fields": [ { "timeout": { - "type": "integer", - "translate_backwards": [ - "connect_timeout" - ], "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -665,27 +627,26 @@ "read_timeout" ] } - ], - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "sentinel_addresses": { "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ], - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } @@ -694,25 +655,24 @@ { "cluster_addresses": { "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ], - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } } } - ], - "required": true + ] } } ], @@ -725,8 +685,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/ai-semantic-prompt-guard/3.9.x.json b/schemas/ai-semantic-prompt-guard/3.9.x.json index fe2daeed..1a25c6e3 100644 --- a/schemas/ai-semantic-prompt-guard/3.9.x.json +++ b/schemas/ai-semantic-prompt-guard/3.9.x.json @@ -1,8 +1,15 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.rules.allow_prompts", + "config.rules.deny_prompts" + ] + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,7 +26,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { 
@@ -33,42 +41,42 @@ "fields": [ { "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "type": "string", - "required": false, - "referenceable": true + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, + "required": false } }, { "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "encrypted": true } }, { "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", "type": "string", - "required": false, - "referenceable": true + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, + "required": false } }, { "param_value": { - "description": "Specify the full parameter value for 'param_name'.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "Specify the full parameter value for 'param_name'.", + "encrypted": true } }, { "param_location": { - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "type": "string", + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "required": false, "one_of": [ "query", 
@@ -78,78 +86,78 @@ }, { "azure_use_managed_identity": { - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "type": "boolean", - "required": false, - "default": false + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "default": false, + "required": false } }, { "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "type": "string", - "required": false, - "referenceable": true + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, + "required": false } }, { "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "encrypted": true } }, { "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "type": "string", - "required": false, - "referenceable": true + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, + "required": false } }, { "gcp_use_service_account": { - "description": "Use service account auth for GCP-based providers and models.", "type": "boolean", - 
"required": false, - "default": false + "description": "Use service account auth for GCP-based providers and models.", + "default": false, + "required": false } }, { "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "encrypted": true } }, { "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "encrypted": true } }, { "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "encrypted": true } }, { "allow_override": { - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "type": "boolean", - "required": false, - "default": false + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "default": false, + "required": false } } ], @@ -162,8 +170,8 @@ "fields": [ { "provider": { - "description": "AI provider format to use for embeddings API", "type": "string", + "description": "AI provider format to use for embeddings API", "required": true, "one_of": [ "openai", @@ -173,21 +181,13 @@ }, { "name": { - "description": "Model name to execute.", - "type": "string", "required": true, - "one_of": [ - "text-embedding-3-large", - "text-embedding-3-small", - "mistral-embed" - ] + "type": "string", + "description": "Model name to execute." } }, { "options": { - "description": "Key/value settings for the model", - "type": "record", - "required": false, "fields": [ { "upstream_url": { @@ -196,7 +196,10 @@ "required": false } } - ] + ], + "type": "record", + "description": "Key/value settings for the model", + "required": false } } ], @@ -214,8 +217,8 @@ "fields": [ { "strategy": { - "description": "which vector database driver to use", "type": "string", + "description": "which vector database driver to use", "required": true, "one_of": [ "redis" 
@@ -224,22 +227,22 @@ }, { "dimensions": { - "description": "the desired dimensionality for the vectors", + "required": true, "type": "integer", - "required": true + "description": "the desired dimensionality for the vectors" } }, { "threshold": { - "description": "the default similarity threshold for accepting semantic search results (float)", + "required": true, "type": "number", - "required": true + "description": "the default similarity threshold for accepting semantic search results (float)" } }, { "distance_metric": { - "description": "the distance metric to use for vector searches", "type": "string", + "description": "the distance metric to use for vector searches", "required": true, "one_of": [ "cosine", 
@@ -252,58 +255,60 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { 
@@ -317,8 +322,8 @@ { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { 
@@ -332,29 +337,29 @@ { "database": { "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer", - "default": 0 + "default": 0, + "type": "integer" } }, { "keepalive_pool_size": { - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer", "between": [ 1, 2147483646 ], - "default": 256 + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer" } }, { "keepalive_backlog": { - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { 
@@ -365,155 +370,126 @@ }, { "sentinel_role": { - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_nodes": { "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "required": false, "elements": { "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", + "required": false, "len_min": 1 } }, { "cluster_nodes": { "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", - "required": false, "elements": { "fields": [ { "ip": { - "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", + "required": false, "len_min": 1 } }, { "ssl": { - "description": "If set to true, uses SSL to connect to Redis.", "required": false, - "type": "boolean", - "default": false + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "type": "boolean" } }, { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, - "type": "boolean", - "default": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string", "required": false, - "type": "string" + "description": "A string representing an SNI (server name indication) value for TLS." 
} }, { "cluster_max_redirections": { - "description": "Maximum retry attempts for redirection.", "required": false, - "type": "integer", - "default": 5 + "description": "Maximum retry attempts for redirection.", + "default": 5, + "type": "integer" } }, { "connection_is_proxied": { - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "required": false, - "type": "boolean", - "default": false + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "default": false, + "type": "boolean" } } ], + "required": true, "entity_checks": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } + "mutually_required": [ + "host", + "port" + ] }, { "mutually_required": [ @@ -522,12 +498,6 @@ "sentinel_nodes" ] }, - { - "mutually_required": [ - "host", - "port" - ] - }, { "mutually_required": [ "connect_timeout", @@ -537,11 +507,11 @@ }, { "conditional": { - "if_field": "connection_is_proxied", "if_match": { "eq": true }, "then_field": "host", + "if_field": "connection_is_proxied", "then_match": { "required": true } @@ -579,11 +549,9 @@ "shorthand_fields": [ { "timeout": { - "type": "integer", - "translate_backwards": [ - "connect_timeout" - ], "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
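Review bot: Nothing visible in the new redis `entity_checks` stops a config from mixing sentinel, cluster and standalone addressing, because hunk `@@ -365,155 +370,126 @@` drops all three `mutually_exclusive_sets` rules. The `host`/`port` defaults added in `@@ -252,58 +255,60 @@` (`127.0.0.1`, `6379`) would plausibly explain losing the two rules that name `host` and `port`, but not the one between `cluster_nodes` and `sentinel_master`/`sentinel_role`/`sentinel_nodes`. No field description here says which addressing mode is used when more than one is set. Almost every other changed line in this file is key reordering, so the removal is easy to miss; it is worth confirming against the upstream plugin schema and naming in the commit message, e.g. `redis: mutually_exclusive_sets checks removed; host/port now default to 127.0.0.1:6379`. The same three rules are removed in the preceding file's redis block, and the `entity_checks` array continues past this hunk.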
@@ -600,27 +568,26 @@ "read_timeout" ] } - ], - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "sentinel_addresses": { "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ], - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } @@ -629,25 +596,24 @@ { "cluster_addresses": { "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ], - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } } } - ], - "required": true + ] } } ], @@ -660,15 +626,15 @@ "fields": [ { "threshold": { - "description": "Threshold for the similarity score to be considered a match.", "type": "number", "required": false, - "default": 0.5 + "default": 0.5, + "description": "Threshold for the similarity score to be considered a match." } } ], - "required": false, - "type": "record" + "type": "record", + "required": false } }, { 
@@ -676,57 +642,57 @@ "fields": [ { "match_all_conversation_history": { - "description": "If false, will ignore all previous chat prompts from the conversation history.", "type": "boolean", "required": false, - "default": false + "default": false, + "description": "If false, will ignore all previous chat prompts from the conversation history." } }, { "allow_prompts": { "description": "List of prompts to allow.", - "required": false, - "len_max": 100, "elements": { - "type": "string", "len_max": 500, + "type": "string", "len_min": 1 }, - "type": "array" + "len_max": 100, + "type": "array", + "required": false } }, { "deny_prompts": { "description": "List of prompts to deny.", - "required": false, - "len_max": 100, "elements": { - "type": "string", "len_max": 500, + "type": "string", "len_min": 1 }, - "type": "array" + "len_max": 100, + "type": "array", + "required": false } }, { "max_request_body_size": { - "description": "max allowed body size allowed to be introspected", - "type": "integer", "gt": 0, - "default": 8192 + "type": "integer", + "default": 8192, + "description": "max allowed body size allowed to be introspected" } }, { "match_all_roles": { - "description": "If true, will match all roles in addition to 'user' role in conversation history.", "type": "boolean", "required": true, - "default": false + "default": false, + "description": "If true, will match all roles in addition to 'user' role in conversation history." } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } ], @@ -734,13 +700,5 @@ "required": true } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.rules.allow_prompts", - "config.rules.deny_prompts" - ] - } ] } \ No newline at end of file diff --git a/schemas/app-dynamics/3.9.x.json b/schemas/app-dynamics/3.9.x.json index 63233636..0abe1931 100644 --- a/schemas/app-dynamics/3.9.x.json +++ b/schemas/app-dynamics/3.9.x.json 
@@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,14 +21,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -39,8 +42,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/aws-lambda/3.9.x.json b/schemas/aws-lambda/3.9.x.json index 94f57420..45dcdb61 100644 --- a/schemas/aws-lambda/3.9.x.json +++ b/schemas/aws-lambda/3.9.x.json @@ -1,8 +1,22 @@ { + "entity_checks": [ + { + "mutually_required": [ + "config.aws_key", + "config.aws_secret" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "config.proxy_url" + ] + } + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,14 +33,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -35,49 +50,49 @@ "fields": [ { "timeout": { - "description": "An optional timeout in milliseconds when invoking the function.", "required": true, "type": "number", - "default": 60000 + "default": 60000, + "description": "An optional timeout in milliseconds when invoking the function." } }, { "keepalive": { - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", "required": true, "type": "number", - "default": 60000 + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." } }, { "aws_key": { "description": "The AWS key credential to be used when invoking the function.", "type": "string", - "encrypted": true, - "referenceable": true + "referenceable": true, + "encrypted": true } }, { "aws_secret": { "description": "The AWS secret credential to be used when invoking the function. ", "type": "string", - "encrypted": true, - "referenceable": true + "referenceable": true, + "encrypted": true } }, { "aws_assume_role_arn": { "description": "The target AWS IAM role ARN used to invoke the Lambda function.", "type": "string", - "encrypted": true, - "referenceable": true + "referenceable": true, + "encrypted": true } }, { "aws_role_session_name": { - "description": "The identifier of the assumed role session.", "type": "string", - "default": "kong" + "default": "kong", + "description": "The identifier of the assumed role session." } }, { 
@@ -94,40 +109,40 @@ }, { "function_name": { - "description": "The AWS Lambda function to invoke. Both function name and function ARN (including partial) are supported.", "required": false, + "description": "The AWS Lambda function to invoke. Both function name and function ARN (including partial) are supported.", "type": "string" } }, { "qualifier": { - "description": "The qualifier to use when invoking the function.", - "type": "string" + "type": "string", + "description": "The qualifier to use when invoking the function." } }, { "invocation_type": { - "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", "required": true, + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", + "type": "string", + "default": "RequestResponse", "one_of": [ "RequestResponse", "Event", "DryRun" - ], - "type": "string", - "default": "RequestResponse" + ] } }, { "log_type": { - "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", "required": true, + "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", + "type": "string", + "default": "Tail", "one_of": [ "Tail", "None" - ], - "type": "string", - "default": "Tail" + ] } }, { @@ -138,13 +153,13 @@ }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 443 + "type": "integer", + "default": 443, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { 
@@ -155,54 +170,54 @@ }, { "unhandled_status": { - "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", - "type": "integer", "between": [ 100, 999 - ] + ], + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", + "type": "integer" } }, { "forward_request_method": { - "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", "type": "boolean", - "default": false + "default": false, + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request." } }, { "forward_request_uri": { - "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", "type": "boolean", - "default": false + "default": false, + "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request." } }, { "forward_request_headers": { - "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", "type": "boolean", - "default": false + "default": false, + "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request." } }, { "forward_request_body": { - "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. 
", "type": "boolean", - "default": false + "default": false, + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. " } }, { "is_proxy_integration": { - "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", "type": "boolean", - "default": false + "default": false, + "description": "An optional value that defines whether the response format to receive from the Lambda to this format." } }, { "awsgateway_compatible": { - "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", "type": "boolean", - "default": false + "default": false, + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway." } }, { 
@@ -213,40 +228,40 @@ }, { "skip_large_bodies": { - "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", "type": "boolean", - "default": true + "default": true, + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk" } }, { "base64_encode_body": { - "description": "An optional value that Base64-encodes the request body.", "type": "boolean", - "default": true + "default": true, + "description": "An optional value that Base64-encodes the request body." } }, { "aws_imds_protocol_version": { - "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", "required": true, + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", + "type": "string", + "default": "v1", "one_of": [ "v1", "v2" - ], - "type": "string", - "default": "v1" + ] } }, { "empty_arrays_mode": { - "description": "An optional value that defines whether Kong should send empty arrays (returned by Lambda function) as `[]` arrays or `{}` objects in JSON responses. The value `legacy` means Kong will send empty arrays as `{}` objects in response", "required": true, + "description": "An optional value that defines whether Kong should send empty arrays (returned by Lambda function) as `[]` arrays or `{}` objects in JSON responses. The value `legacy` means Kong will send empty arrays as `{}` objects in response", + "type": "string", + "default": "legacy", "one_of": [ "legacy", "correct" - ], - "type": "string", - "default": "legacy" + ] } } ], @@ -254,20 +269,5 @@ "required": true } } - ], - "entity_checks": [ - { - "mutually_required": [ - "config.aws_key", - "config.aws_secret" - ] - }, - { - "custom_entity_check": { - "field_sources": [ - "config.proxy_url" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/azure-functions/3.9.x.json b/schemas/azure-functions/3.9.x.json index 5299c53a..1d647ca2 100644 
--- a/schemas/azure-functions/3.9.x.json +++ b/schemas/azure-functions/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -26,14 +28,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -43,73 +46,73 @@ { "timeout": { "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", - "type": "number", - "default": 600000 + "default": 600000, + "type": "number" } }, { "keepalive": { "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", - "type": "number", - "default": 60000 + "default": 60000, + "type": "number" } }, { "https": { "description": "Use of HTTPS to connect with the Azure Functions server.", - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "https_verify": { "description": "Set to `true` to authenticate the Azure Functions server.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "apikey": { - "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", "type": "string", - "encrypted": true, - "referenceable": true + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", + "referenceable": true, + "encrypted": true } }, { "clientid": { - "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.", "type": "string", - "encrypted": true, - "referenceable": true + "description": "The `clientid` to access the Azure resources. 
If provided, it is injected as the `x-functions-clientid` header.", + "referenceable": true, + "encrypted": true } }, { "appname": { - "description": "The Azure app name.", "type": "string", + "description": "The Azure app name.", "required": true } }, { "hostdomain": { "description": "The domain where the function resides.", - "type": "string", "required": true, - "default": "azurewebsites.net" + "default": "azurewebsites.net", + "type": "string" } }, { "routeprefix": { "description": "Route prefix to use.", - "type": "string", - "default": "api" + "default": "api", + "type": "string" } }, { "functionname": { - "description": "Name of the Azure function to invoke.", "type": "string", + "description": "Name of the Azure function to invoke.", "required": true } } @@ -118,8 +121,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/basic-auth/3.9.x.json b/schemas/basic-auth/3.9.x.json index fb634743..48473232 100644 --- a/schemas/basic-auth/3.9.x.json +++ b/schemas/basic-auth/3.9.x.json @@ -1,15 +1,20 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, "default": [ "grpc", "grpcs", @@ -18,8 +23,6 @@ "ws", "wss" ], - "required": true, - "type": "set", "elements": { "type": "string", "one_of": [ @@ -36,8 +39,8 @@ { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
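Review bot: `https_verify` in the `@@ -43,73 +46,73 @@` hunk of schemas/azure-functions/3.9.x.json defaults to `false` while `https` defaults to `true`, so with default settings the connection is encrypted but the server is presumably not authenticated. The same record sends `apikey` and `clientid` upstream as the `x-functions-key` and `x-functions-clientid` headers, which is why the unverified default deserves an explicit mention. The description only says what `true` does; I would extend it to `Set to true to authenticate the Azure Functions server. With the default (false) the server certificate is not verified.` If the text is generated from the plugin schema, the wording change belongs upstream rather than in this file.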
@@ -46,24 +49,24 @@ "fields": [ { "anonymous": { - "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`.", - "type": "string" + "type": "string", + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { "hide_credentials": { - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", "required": true, - "type": "boolean", - "default": false + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", + "default": false, + "type": "boolean" } }, { "realm": { - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "required": true, - "type": "string", - "default": "service" + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "default": "service", + "type": "string" } } ], @@ -71,8 +74,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/bot-detection/3.9.x.json b/schemas/bot-detection/3.9.x.json index 3f7aa01d..e7a25605 100644 --- a/schemas/bot-detection/3.9.x.json 
+++ b/schemas/bot-detection/3.9.x.json @@ -1,16 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -27,14 +29,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -43,28 +46,28 @@ "fields": [ { "allow": { - "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", "type": "array", - "elements": { - "type": "string", - "is_regex": true - }, + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", "default": [ - ] + ], + "elements": { + "is_regex": true, + "type": "string" + } } }, { "deny": { - "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", "type": "array", - "elements": { - "type": "string", - "is_regex": true - }, + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", "default": [ - ] + ], + "elements": { + "is_regex": true, + "type": "string" + } } } ], @@ -72,8 +75,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/canary/3.9.x.json b/schemas/canary/3.9.x.json index 11ed4236..8c350f42 100644 --- a/schemas/canary/3.9.x.json +++ b/schemas/canary/3.9.x.json 
@@ -1,24 +1,56 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.upstream_uri", + "config.upstream_host", + "config.upstream_port" + ] + }, + { + "conditional": { + "if_match": { + "eq": "header" + }, + "then_field": "config.hash_header", + "if_field": "config.hash", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "config.upstream_host", + "if_field": "config.upstream_fallback", + "then_match": { + "required": true + } + } + } + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -35,7 +67,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { @@ -70,28 +103,28 @@ }, { "duration": { - "description": "The duration of the canary release in seconds.", - "type": "number", "gt": 0, - "default": 3600 + "type": "number", + "default": 3600, + "description": "The duration of the canary release in seconds." } }, { "steps": { - "description": "The number of steps for the canary release.", - "type": "number", "gt": 1, - "default": 1000 + "type": "number", + "default": 1000, + "description": "The number of steps for the canary release." } }, { "percentage": { - "description": "The percentage of traffic to be routed to the canary release.", - "type": "number", "between": [ 0, 100 - ] + ], + "description": "The percentage of traffic to be routed to the canary release.", + "type": "number" } }, { 
@@ -102,33 +135,33 @@ }, { "upstream_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "upstream_uri": { "description": "The URI of the upstream server to be used for the canary release.", - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 } }, { "upstream_fallback": { "description": "Specifies whether to fallback to the upstream server if the canary release fails.", - "required": true, "type": "boolean", - "default": false + "default": false, + "required": true } }, { "groups": { - "description": "The groups allowed to access the canary release.", "type": "array", + "description": "The groups allowed to access the canary release.", "elements": { "type": "string" } @@ -142,48 +175,15 @@ } ], "required": true, - "type": "record", "shorthand_fields": [ { "hash": { - "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead.", - "type": "string" + "type": "string", + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead." } } - ] - } - } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.upstream_uri", - "config.upstream_host", - "config.upstream_port" - ] - }, - { - "conditional": { - "if_field": "config.hash", - "if_match": { - "eq": "header" - }, - "then_field": "config.hash_header", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_field": "config.upstream_fallback", - "if_match": { - "eq": true - }, - "then_field": "config.upstream_host", - "then_match": { - "required": true - } + ], + "type": "record" } } ] 
diff --git a/schemas/confluent/3.9.x.json b/schemas/confluent/3.9.x.json index 7a953883..94cc4da6 100644 --- a/schemas/confluent/3.9.x.json +++ b/schemas/confluent/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,14 +21,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -35,26 +38,26 @@ "fields": [ { "bootstrap_servers": { - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "type": "set", + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "elements": { "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", + "type": "string", "required": true, - "type": "string" + "description": "A string representing a host name, such as example.com." } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": true, "between": [ 0, 65535 ], - "type": "integer" + "required": true, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], 
@@ -64,93 +67,93 @@ }, { "topic": { + "required": true, "description": "The Kafka topic to publish to.", - "type": "string", - "required": true + "type": "string" } }, { "timeout": { - "description": "Socket timeout in milliseconds.", "type": "integer", - "default": 10000 + "default": 10000, + "description": "Socket timeout in milliseconds." } }, { "keepalive": { - "description": "Keepalive timeout in milliseconds.", "type": "integer", - "default": 60000 + "default": 60000, + "description": "Keepalive timeout in milliseconds." } }, { "keepalive_enabled": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "cluster_api_key": { - "description": "Username/Apikey for SASL authentication.", "required": true, - "type": "string", "referenceable": true, + "type": "string", + "description": "Username/Apikey for SASL authentication.", "encrypted": true } }, { "cluster_api_secret": { - "description": "Password/ApiSecret for SASL authentication.", "required": true, - "type": "string", "referenceable": true, + "type": "string", + "description": "Password/ApiSecret for SASL authentication.", "encrypted": true } }, { "confluent_cloud_api_key": { - "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", "required": false, - "type": "string", "referenceable": true, + "type": "string", + "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", "encrypted": true } }, { "confluent_cloud_api_secret": { - "description": "The corresponding secret for the Confluent Cloud API key.", "required": false, - "type": "string", "referenceable": true, + "type": "string", + "description": "The corresponding secret for the Confluent Cloud API key.", "encrypted": true } }, { "forward_method": { - "description": "Include the request method in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "type": "boolean", - "default": false + "default": false, + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { "forward_uri": { - "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "type": "boolean", - "default": false + "default": false, + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { "forward_headers": { - "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "type": "boolean", - "default": false + "default": false, + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { "forward_body": { - "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "type": "boolean", - "default": true + "default": true, + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { 
@@ -175,58 +178,58 @@ }, { "producer_request_timeout": { - "description": "Time to wait for a Produce response in milliseconds.", "type": "integer", - "default": 2000 + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds." } }, { "producer_request_limits_messages_per_request": { - "description": "Maximum number of messages to include into a single producer request.", "type": "integer", - "default": 200 + "default": 200, + "description": "Maximum number of messages to include into a single producer request." } }, { "producer_request_limits_bytes_per_request": { - "description": "Maximum size of a Produce request in bytes.", "type": "integer", - "default": 1048576 + "default": 1048576, + "description": "Maximum size of a Produce request in bytes." } }, { "producer_request_retries_max_attempts": { - "description": "Maximum number of retry attempts per single Produce request.", "type": "integer", - "default": 10 + "default": 10, + "description": "Maximum number of retry attempts per single Produce request." } }, { "producer_request_retries_backoff_timeout": { - "description": "Backoff interval between retry attempts in milliseconds.", "type": "integer", - "default": 100 + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds." } }, { "producer_async": { - "description": "Flag to enable asynchronous mode.", "type": "boolean", - "default": true + "default": true, + "description": "Flag to enable asynchronous mode." } }, { "producer_async_flush_timeout": { - "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", "type": "integer", - "default": 1000 + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode." 
} }, { "producer_async_buffering_limits_messages_in_memory": { - "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", "type": "integer", - "default": 50000 + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode." } } ], @@ -246,8 +249,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/correlation-id/3.9.x.json b/schemas/correlation-id/3.9.x.json index 47945b3e..aeabeb35 100644 --- a/schemas/correlation-id/3.9.x.json +++ b/schemas/correlation-id/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,14 +21,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -35,30 +38,30 @@ "fields": [ { "header_name": { - "description": "The HTTP header name to use for the correlation ID.", "type": "string", - "default": "Kong-Request-ID" + "default": "Kong-Request-ID", + "description": "The HTTP header name to use for the correlation ID." } }, { "generator": { "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", "required": true, + "type": "string", + "default": "uuid#counter", "one_of": [ "uuid", "uuid#counter", "tracker" - ], - "type": "string", - "default": "uuid#counter" + ] } }, { "echo_downstream": { - "description": "Whether to echo the header back to downstream (the client).", - "required": true, "type": "boolean", - "default": false + "required": true, + "default": false, + "description": "Whether to echo the header back to downstream (the client)." } } ], @@ -66,8 +69,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/cors/3.9.x.json b/schemas/cors/3.9.x.json index 85e723f0..20b4d4bc 100644 --- a/schemas/cors/3.9.x.json +++ b/schemas/cors/3.9.x.json @@ -1,27 +1,29 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { - "len_min": 1, "type": "string", - "required": true, "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "required": true, + "len_min": 1 }, "type": "set", "default": [ 
@@ -29,14 +31,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -109,26 +112,26 @@ }, { "credentials": { - "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", - "required": true, "type": "boolean", - "default": false + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", + "default": false, + "required": true } }, { "private_network": { - "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", - "required": true, "type": "boolean", - "default": false + "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", + "default": false, + "required": true } }, { "preflight_continue": { - "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", - "required": true, "type": "boolean", - "default": false + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", + "default": false, + "required": true } } ], @@ -136,8 +139,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/datadog/3.9.x.json b/schemas/datadog/3.9.x.json index 9c8a1c3c..3ff5f870 100644 --- a/schemas/datadog/3.9.x.json +++ b/schemas/datadog/3.9.x.json 
@@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -26,14 +28,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -42,82 +45,82 @@ "fields": [ { "host": { + "default": "localhost", "description": "A string representing a host name, such as example.com.", - "type": "string", "referenceable": true, - "default": "localhost" + "type": "string" } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 8125 + "type": "integer", + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "prefix": { - "description": "String to be attached as a prefix to a metric's name.", "type": "string", - "default": "kong" + "default": "kong", + "description": "String to be attached as a prefix to a metric's name." } }, { "service_name_tag": { - "description": "String to be attached as the name of the service.", "type": "string", - "default": "name" + "default": "name", + "description": "String to be attached as the name of the service." } }, { "status_tag": { - "description": "String to be attached as the tag of the HTTP status.", "type": "string", - "default": "status" + "default": "status", + "description": "String to be attached as the tag of the HTTP status." } }, { "consumer_tag": { - "description": "String to be attached as tag of the consumer.", "type": "string", - "default": "consumer" + "default": "consumer", + "description": "String to be attached as tag of the consumer." 
} }, { "retry_count": { - "description": "Number of times to retry when sending data to the upstream server.", - "type": "integer", "deprecation": { "old_default": 10, "message": "datadog: config.retry_count no longer works, please use config.queue.max_retry_time instead", "removal_in_version": "4.0" - } + }, + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" } }, { "queue_size": { - "description": "Maximum number of log entries to be sent on each message to the upstream server.", - "type": "integer", "deprecation": { "old_default": 1, "message": "datadog: config.queue_size is deprecated, please use config.queue.max_batch_size instead", "removal_in_version": "4.0" - } + }, + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" } }, { "flush_timeout": { - "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", - "type": "number", "deprecation": { "old_default": 2, "message": "datadog: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", "removal_in_version": "4.0" - } + }, + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" } }, { 
@@ -125,81 +128,81 @@ "fields": [ { "max_batch_size": { - "description": "Maximum number of entries that can be processed at a time.", - "type": "integer", "between": [ 1, 1000000 ], - "default": 1 + "type": "integer", + "default": 1, + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "type": "number", "between": [ 0, 3600 ], - "default": 1 + "type": "number", + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "description": "Maximum number of entries that can be waiting on the queue.", - "type": "integer", "between": [ 1, 1000000 ], - "default": 10000 + "type": "integer", + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue." } }, { "max_bytes": { - "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", - "type": "integer" + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." } }, { "max_retry_time": { - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number", - "default": 60 + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { - "description": "Time in seconds before the initial retry is made for a failing batch.", - "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01 + "type": "number", + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch." 
} }, { "max_retry_delay": { - "description": "Maximum time in seconds between retries, caps exponential backoff.", - "type": "number", "between": [ 0.001, 1000000 ], - "default": 60 + "type": "number", + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff." } }, { "concurrency_limit": { - "description": "The number of of queue delivery timers. -1 indicates unlimited.", - "type": "integer", - "default": 1, "one_of": [ -1, 1 - ] + ], + "type": "integer", + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited." } } ], @@ -210,14 +213,13 @@ { "metrics": { "description": "List of metrics to be logged.", - "required": true, "elements": { "fields": [ { "name": { - "description": "Datadog metric’s name", "required": true, "type": "string", + "description": "Datadog metric’s name", "one_of": [ "kong_latency", "latency", @@ -230,9 +232,9 @@ }, { "stat_type": { - "description": "Determines what sort of event the metric represents", "required": true, "type": "string", + "description": "Determines what sort of event the metric represents", "one_of": [ "counter", "gauge", @@ -246,33 +248,33 @@ }, { "tags": { - "description": "List of tags", "type": "array", + "description": "List of tags", "elements": { - "type": "string", - "match": "^.*[^:]$" + "match": "^.*[^:]$", + "type": "string" } } }, { "sample_rate": { - "description": "Sampling rate", - "type": "number", "between": [ 0, 1 - ] + ], + "description": "Sampling rate", + "type": "number" } }, { "consumer_identifier": { - "description": "Authenticated user detail", - "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ] + ], + "type": "string", + "description": "Authenticated user detail" } } ], @@ -280,7 +282,6 @@ "entity_checks": [ { "conditional": { - "if_field": "stat_type", "if_match": { "one_of": [ "counter", 
@@ -288,6 +289,7 @@ ] }, "then_field": "sample_rate", + "if_field": "stat_type", "then_match": { "required": true } @@ -298,55 +300,56 @@ "type": "array", "default": [ { - "stat_type": "counter", "name": "request_count", - "consumer_identifier": "custom_id", - "sample_rate": 1, "tags": [ "app:kong" - ] + ], + "sample_rate": 1, + "stat_type": "counter", + "consumer_identifier": "custom_id" }, { + "name": "latency", "stat_type": "timer", + "consumer_identifier": "custom_id", "tags": [ "app:kong" - ], - "consumer_identifier": "custom_id", - "name": "latency" + ] }, { + "name": "request_size", "stat_type": "timer", + "consumer_identifier": "custom_id", "tags": [ "app:kong" - ], - "consumer_identifier": "custom_id", - "name": "request_size" + ] }, { + "name": "response_size", "stat_type": "timer", + "consumer_identifier": "custom_id", "tags": [ "app:kong" - ], - "consumer_identifier": "custom_id", - "name": "response_size" + ] }, { + "name": "upstream_latency", "stat_type": "timer", + "consumer_identifier": "custom_id", "tags": [ "app:kong" - ], - "consumer_identifier": "custom_id", - "name": "upstream_latency" + ] }, { + "name": "kong_latency", "stat_type": "timer", + "consumer_identifier": "custom_id", "tags": [ "app:kong" - ], - "consumer_identifier": "custom_id", - "name": "kong_latency" + ] } - ] + ], + "required": true } } ], @@ -354,8 +357,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/degraphql/3.9.x.json b/schemas/degraphql/3.9.x.json index 80461c1c..2b162dca 100644 --- a/schemas/degraphql/3.9.x.json +++ b/schemas/degraphql/3.9.x.json @@ -1,16 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
@@ -27,14 +29,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -43,17 +46,17 @@ "fields": [ { "graphql_server_path": { + "required": true, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "required": true, "starts_with": "/", "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "default": "/graphql" + "default": "/graphql", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } } ], @@ -61,8 +64,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/exit-transformer/3.9.x.json b/schemas/exit-transformer/3.9.x.json index 9ba8d46d..3b3df2fc 100644 --- a/schemas/exit-transformer/3.9.x.json +++ b/schemas/exit-transformer/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,14 +21,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -45,15 +48,15 @@ { "handle_unknown": { "description": "Determines whether to handle unknown status codes by transforming their responses.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "handle_unexpected": { "description": "Determines whether to handle unexpected errors by transforming their responses.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } } ], @@ -61,8 +64,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/file-log/3.9.x.json b/schemas/file-log/3.9.x.json index 8c59160b..96216048 100644 --- a/schemas/file-log/3.9.x.json +++ b/schemas/file-log/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -26,14 +28,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -42,19 +45,19 @@ "fields": [ { "path": { - "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", "err": "not a valid filename", - "match": "^[^*&%%\\`]+$", + "required": true, "type": "string", - "required": true + "match": "^[^*&%%\\`]+$", + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet." } }, { "reopen": { "description": "Determines whether the log file is closed and reopened on every request.", - "required": true, "type": "boolean", - "default": false + "default": false, + "required": true } }, { 
@@ -64,11 +67,11 @@ "len_min": 1 }, "type": "map", + "description": "Lua code as a key-value map", "values": { - "type": "string", - "len_min": 1 - }, - "description": "Lua code as a key-value map" + "len_min": 1, + "type": "string" + } } } ], @@ -76,8 +79,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/forward-proxy/3.9.x.json b/schemas/forward-proxy/3.9.x.json index 236f0a94..86cb0bf0 100644 --- a/schemas/forward-proxy/3.9.x.json +++ b/schemas/forward-proxy/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,14 +21,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -35,15 +38,15 @@ "fields": [ { "x_headers": { - "description": "Determines how to handle headers when forwarding the request.", "required": true, + "description": "Determines how to handle headers when forwarding the request.", + "type": "string", + "default": "append", "one_of": [ "append", "transparent", "delete" - ], - "type": "string", - "default": "append" + ] } }, { @@ -54,12 +57,12 @@ }, { "http_proxy_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { 
@@ -70,50 +73,51 @@ }, { "https_proxy_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "proxy_scheme": { - "description": "The proxy scheme to use when connecting. Only `http` is supported.", "required": true, + "description": "The proxy scheme to use when connecting. Only `http` is supported.", + "type": "string", + "default": "http", "one_of": [ "http" - ], - "type": "string", - "default": "http" + ] } }, { "auth_username": { "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", "type": "string", - "required": false, - "referenceable": true + "referenceable": true, + "required": false } }, { "auth_password": { "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", "type": "string", - "required": false, - "referenceable": true + "referenceable": true, + "required": false } }, { "https_verify": { "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", "type": "boolean", - "required": true, - "default": false + "default": false, + "required": true } } ], + "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -145,8 +149,8 @@ { "proxy_host": { "deprecation": { - "message": "forward-proxy: config.proxy_host is deprecated, please use config.http_proxy_host instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "forward-proxy: config.proxy_host is deprecated, please use config.http_proxy_host instead" }, "type": "string" } 
@@ -154,18 +158,14 @@ { "proxy_port": { "deprecation": { - "message": "forward-proxy: config.proxy_port is deprecated, please use config.http_proxy_port instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "forward-proxy: config.proxy_port is deprecated, please use config.http_proxy_port instead" }, "type": "integer" } } - ], - "required": true + ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/graphql-proxy-cache-advanced/3.9.x.json b/schemas/graphql-proxy-cache-advanced/3.9.x.json index 641b0e27..0cc31578 100644 --- a/schemas/graphql-proxy-cache-advanced/3.9.x.json +++ b/schemas/graphql-proxy-cache-advanced/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,14 +21,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -35,22 +38,22 @@ "fields": [ { "strategy": { - "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", "required": true, + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", + "type": "string", + "default": "memory", "one_of": [ "memory", "redis" - ], - "type": "string", - "default": "memory" + ] } }, { "cache_ttl": { - "description": "TTL in seconds of cache entities. Must be a value greater than 0.", - "type": "integer", "gt": 0, - "default": 300 + "type": "integer", + "default": 300, + "description": "TTL in seconds of cache entities. Must be a value greater than 0." } }, { 
@@ -58,10 +61,10 @@ "fields": [ { "dictionary_name": { - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", - "type": "string", "required": true, - "default": "kong_db_cache" + "type": "string", + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template." } } ], 
@@ -74,58 +77,60 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { 
@@ -139,8 +144,8 @@ { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { 
@@ -154,29 +159,29 @@ { "database": { "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer", - "default": 0 + "default": 0, + "type": "integer" } }, { "keepalive_pool_size": { - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer", "between": [ 1, 2147483646 ], - "default": 256 + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer" } }, { "keepalive_backlog": { - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { 
@@ -187,155 +192,126 @@ }, { "sentinel_role": { - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_nodes": { "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "required": false, "elements": { "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", + "required": false, "len_min": 1 } }, { "cluster_nodes": { "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", - "required": false, "elements": { "fields": [ { "ip": { - "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", + "required": false, "len_min": 1 } }, { "ssl": { - "description": "If set to true, uses SSL to connect to Redis.", "required": false, - "type": "boolean", - "default": false + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "type": "boolean" } }, { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, - "type": "boolean", - "default": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string", "required": false, - "type": "string" + "description": "A string representing an SNI (server name indication) value for TLS." 
} }, { "cluster_max_redirections": { - "description": "Maximum retry attempts for redirection.", "required": false, - "type": "integer", - "default": 5 + "description": "Maximum retry attempts for redirection.", + "default": 5, + "type": "integer" } }, { "connection_is_proxied": { - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "required": false, - "type": "boolean", - "default": false + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "default": false, + "type": "boolean" } } ], + "required": true, "entity_checks": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } + "mutually_required": [ + "host", + "port" + ] }, { "mutually_required": [ @@ -344,12 +320,6 @@ "sentinel_nodes" ] }, - { - "mutually_required": [ - "host", - "port" - ] - }, { "mutually_required": [ "connect_timeout", @@ -359,11 +329,11 @@ }, { "conditional": { - "if_field": "connection_is_proxied", "if_match": { "eq": true }, "then_field": "host", + "if_field": "connection_is_proxied", "then_match": { "required": true } @@ -401,11 +371,9 @@ "shorthand_fields": [ { "timeout": { - "type": "integer", - "translate_backwards": [ - "connect_timeout" - ], "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -422,27 +390,26 @@ "read_timeout" ] } - ], - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "sentinel_addresses": { "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ], - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } @@ -451,38 +418,37 @@ { "cluster_addresses": { "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ], - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } } } - ], - "required": true + ] } }, { "bypass_on_err": { - "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", "type": "boolean", - "default": false + "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream." } }, { "vary_headers": { - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "type": "array", + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "elements": { "type": "string" } @@ -493,8 +459,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
diff --git a/schemas/graphql-rate-limiting-advanced/3.9.x.json b/schemas/graphql-rate-limiting-advanced/3.9.x.json index 6274df88..d0e11ed5 100644 --- a/schemas/graphql-rate-limiting-advanced/3.9.x.json +++ b/schemas/graphql-rate-limiting-advanced/3.9.x.json @@ -1,8 +1,16 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,14 +27,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -35,22 +44,22 @@ "fields": [ { "identifier": { - "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", "required": true, + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", + "type": "string", + "default": "consumer", "one_of": [ "ip", "credential", "consumer" - ], - "type": "string", - "default": "consumer" + ] } }, { "window_size": { - "description": "One or more window sizes to apply a limit to (defined in seconds).", "type": "array", "required": true, + "description": "One or more window sizes to apply a limit to (defined in seconds).", "elements": { "type": "number" } @@ -69,9 +78,9 @@ }, { "limit": { - "description": "One or more requests-per-window limits to apply.", "type": "array", "required": true, + "description": "One or more requests-per-window limits to apply.", "elements": { "type": "number" } 
@@ -79,9 +88,9 @@ }, { "sync_rate": { + "required": true, "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.", - "type": "number", - "required": true + "type": "number" } }, { @@ -93,29 +102,29 @@ }, { "strategy": { - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", "required": true, + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", + "type": "string", + "default": "cluster", "one_of": [ "cluster", "redis" - ], - "type": "string", - "default": "cluster" + ] } }, { "dictionary_name": { "description": "The shared dictionary where counters will be stored until the next sync cycle.", "type": "string", - "required": true, - "default": "kong_rate_limiting_counters" + "default": "kong_rate_limiting_counters", + "required": true } }, { "hide_client_headers": { - "description": "Optionally hide informative response headers. Available options: `true` or `false`.", "type": "boolean", - "default": false + "default": false, + "description": "Optionally hide informative response headers. Available options: `true` or `false`." } }, { @@ -131,19 +140,19 @@ }, { "score_factor": { + "gt": 0, "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", - "required": false, "type": "number", - "gt": 0, - "default": 1 + "default": 1, + "required": false } }, { "max_cost": { "description": "A defined maximum cost per query. 0 means unlimited.", "type": "number", - "required": false, - "default": 0 + "default": 0, + "required": false } }, { 
@@ -151,58 +160,60 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { 
@@ -216,8 +227,8 @@ { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { 
@@ -231,29 +242,29 @@ { "database": { "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer", - "default": 0 + "default": 0, + "type": "integer" } }, { "keepalive_pool_size": { - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer", "between": [ 1, 2147483646 ], - "default": 256 + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer" } }, { "keepalive_backlog": { - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { 
@@ -264,155 +275,126 @@ }, { "sentinel_role": { - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_nodes": { "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "required": false, "elements": { "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", + "required": false, "len_min": 1 } }, { "cluster_nodes": { "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", - "required": false, "elements": { "fields": [ { "ip": { - "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", + "required": false, "len_min": 1 } }, { "ssl": { - "description": "If set to true, uses SSL to connect to Redis.", "required": false, - "type": "boolean", - "default": false + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "type": "boolean" } }, { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, - "type": "boolean", - "default": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string", "required": false, - "type": "string" + "description": "A string representing an SNI (server name indication) value for TLS." 
} }, { "cluster_max_redirections": { - "description": "Maximum retry attempts for redirection.", "required": false, - "type": "integer", - "default": 5 + "description": "Maximum retry attempts for redirection.", + "default": 5, + "type": "integer" } }, { "connection_is_proxied": { - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "required": false, - "type": "boolean", - "default": false + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "default": false, + "type": "boolean" } } ], + "required": true, "entity_checks": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } + "mutually_required": [ + "host", + "port" + ] }, { "mutually_required": [ @@ -421,12 +403,6 @@ "sentinel_nodes" ] }, - { - "mutually_required": [ - "host", - "port" - ] - }, { "mutually_required": [ "connect_timeout", @@ -436,11 +412,11 @@ }, { "conditional": { - "if_field": "connection_is_proxied", "if_match": { "eq": true }, "then_field": "host", + "if_field": "connection_is_proxied", "then_match": { "required": true } @@ -478,11 +454,9 @@ "shorthand_fields": [ { "timeout": { - "type": "integer", - "translate_backwards": [ - "connect_timeout" - ], "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -499,27 +473,26 @@ "read_timeout" ] } - ], - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "sentinel_addresses": { "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ], - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } @@ -528,25 +501,24 @@ { "cluster_addresses": { "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ], - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } } } - ], - "required": true + ] } } ], @@ -554,14 +526,5 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/grpc-gateway/3.9.x.json b/schemas/grpc-gateway/3.9.x.json index 70622fdd..0c2d741f 100644 --- a/schemas/grpc-gateway/3.9.x.json +++ b/schemas/grpc-gateway/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", 
@@ -26,14 +28,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -52,8 +55,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/grpc-web/3.9.x.json b/schemas/grpc-web/3.9.x.json index 7c096f17..d2728f35 100644 --- a/schemas/grpc-web/3.9.x.json +++ b/schemas/grpc-web/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -26,14 +28,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -43,23 +46,23 @@ { "proto": { "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "pass_stripped_path": { "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", - "type": "boolean", - "required": false + "required": false, + "type": "boolean" } }, { "allow_origin_header": { - "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", - "type": "string", "required": false, - "default": "*" + "type": "string", + "default": "*", + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client." } } ], @@ -67,8 +70,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/header-cert-auth/3.9.x.json b/schemas/header-cert-auth/3.9.x.json index 94570d80..e52abf92 100644 --- a/schemas/header-cert-auth/3.9.x.json +++ b/schemas/header-cert-auth/3.9.x.json @@ -1,16 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -27,14 +29,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -44,15 +47,15 @@ { "certificate_header_name": { "description": "Name of the header that contains the certificate, received from the WAF or other L7 downstream proxy.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "certificate_header_format": { - "description": "Format of the certificate header. Supported formats: `base64_encoded`, `url_encoded`.", - "required": true, "type": "string", + "required": true, + "description": "Format of the certificate header. Supported formats: `base64_encoded`, `url_encoded`.", "one_of": [ "base64_encoded", "url_encoded" @@ -63,8 +66,8 @@ "secure_source": { "description": "Whether to secure the source of the request. If set to `true`, the plugin will only allow requests from trusted IPs (configured by the `trusted_ips` config option).", "type": "boolean", - "required": true, - "default": true + "default": true, + "required": true } }, { @@ -76,7 +79,6 @@ { "consumer_by": { "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", - "required": false, "elements": { "type": "string", "one_of": [ @@ -88,7 +90,8 @@ "default": [ "username", "custom_id" - ] + ], + "required": false } }, { @@ -97,8 +100,8 @@ "type": "array", "required": true, "elements": { - "type": "string", - "uuid": true + "uuid": true, + "type": "string" } } }, 
@@ -106,63 +109,63 @@ "cache_ttl": { "description": "Cache expiry time in seconds.", "type": "number", - "required": true, - "default": 60 + "default": 60, + "required": true } }, { "skip_consumer_lookup": { "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", "type": "boolean", - "required": true, - "default": false + "default": false, + "required": true } }, { "allow_partial_chain": { "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", "type": "boolean", - "required": true, - "default": false + "default": false, + "required": true } }, { "authenticated_group_by": { - "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "required": false, + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "type": "string", + "default": "CN", "one_of": [ "CN", "DN" - ], - "type": "string", - "default": "CN" + ] } }, { "revocation_check_mode": { - "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. 
If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "required": false, + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "type": "string", + "default": "IGNORE_CA_ERROR", "one_of": [ "SKIP", "IGNORE_CA_ERROR", "STRICT" - ], - "type": "string", - "default": "IGNORE_CA_ERROR" + ] } }, { "http_timeout": { - "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", "type": "number", - "default": 30000 + "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL." } }, { "cert_cache_ttl": { - "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", "type": "number", - "default": 60000 + "default": 60000, + "description": "The length of time in milliseconds between refreshes of the revocation check status cache." } }, { @@ -179,12 +182,12 @@ }, { "http_proxy_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { @@ -195,12 +198,12 @@ }, { "https_proxy_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], 
@@ -222,8 +225,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/hmac-auth/3.9.x.json b/schemas/hmac-auth/3.9.x.json index b3b458c4..54103296 100644 --- a/schemas/hmac-auth/3.9.x.json +++ b/schemas/hmac-auth/3.9.x.json @@ -1,15 +1,26 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.algorithms" + ] + } + } + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, "default": [ "grpc", "grpcs", @@ -18,8 +29,6 @@ "ws", "wss" ], - "required": true, - "type": "set", "elements": { "type": "string", "one_of": [ @@ -36,8 +45,8 @@ { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -47,49 +56,55 @@ { "hide_credentials": { "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", - "required": true, "type": "boolean", - "default": false + "default": false, + "required": true } }, { "clock_skew": { - "description": "Clock skew in seconds to prevent replay attacks.", - "type": "number", "gt": 0, - "default": 300 + "type": "number", + "default": 300, + "description": "Clock skew in seconds to prevent replay attacks." } }, { "anonymous": { - "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", - "type": "string" + "type": "string", + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." } }, { "validate_request_body": { "description": "A boolean value telling the plugin to enable body validation.", - "required": true, "type": "boolean", - "default": false + "default": false, + "required": true } }, { "enforce_headers": { - "description": "A list of headers that the client should at least use for HTTP signature creation.", "type": "array", - "elements": { - "type": "string" - }, + "description": "A list of headers that the client should at least use for HTTP signature creation.", "default": [ - ] + ], + "elements": { + "type": "string" + } } }, { "algorithms": { - "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", "type": "array", + "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], "elements": { "type": "string", "one_of": [ 
@@ -98,19 +113,13 @@ "hmac-sha384", "hmac-sha512" ] - }, - "default": [ - "hmac-sha1", - "hmac-sha256", - "hmac-sha384", - "hmac-sha512" - ] + } } }, { "realm": { - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "required": false, + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "type": "string" } } @@ -119,14 +128,5 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.algorithms" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/http-log/3.9.x.json b/schemas/http-log/3.9.x.json index 9a8a64ff..ce379b50 100644 --- a/schemas/http-log/3.9.x.json +++ b/schemas/http-log/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -26,14 +28,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -42,11 +45,11 @@ "fields": [ { "http_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": true, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "encrypted": true } }, { 
@@ -74,76 +77,76 @@ }, { "timeout": { - "description": "An optional timeout in milliseconds when sending data to the upstream server.", "type": "number", - "default": 10000 + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server." } }, { "keepalive": { - "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", "type": "number", - "default": 60000 + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed." } }, { "retry_count": { - "description": "Number of times to retry when sending data to the upstream server.", - "type": "integer", "deprecation": { "old_default": 10, "message": "http-log: config.retry_count no longer works, please use config.queue.max_retry_time instead", "removal_in_version": "4.0" - } + }, + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" } }, { "queue_size": { - "description": "Maximum number of log entries to be sent on each message to the upstream server.", - "type": "integer", "deprecation": { "old_default": 1, "message": "http-log: config.queue_size is deprecated, please use config.queue.max_batch_size instead", "removal_in_version": "4.0" - } + }, + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" } }, { "flush_timeout": { - "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", - "type": "number", "deprecation": { "old_default": 2, "message": "http-log: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", "removal_in_version": "4.0" - } + }, + "description": "Optional time in seconds. 
If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" } }, { "headers": { - "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", - "type": "map", - "values": { - "referenceable": true, - "type": "string" - }, "keys": { + "type": "string", "match_none": [ { - "pattern": "^[Hh][Oo][Ss][Tt]$", - "err": "cannot contain 'Host' header" + "err": "cannot contain 'Host' header", + "pattern": "^[Hh][Oo][Ss][Tt]$" }, { - "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$", - "err": "cannot contain 'Content-Length' header" + "err": "cannot contain 'Content-Length' header", + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$" }, { - "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$", - "err": "cannot contain 'Content-Type' header" + "err": "cannot contain 'Content-Type' header", + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$" } ], - "type": "string", "description": "A string representing an HTTP header name." + }, + "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", + "type": "map", + "values": { + "referenceable": true, + "type": "string" } } }, 
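Review bot: The `match_none` pattern that is meant to reject a `Content-Length` key in `config.headers` reads `[Ll][Ee][nn][Gg][Tt][Hh]`, so unlike the neighbouring `Host` and `Content-Type` patterns it is not fully case-insensitive and only matches a lowercase `n` at that position. HTTP header names are case-insensitive, so a name written with a capital `N` there would pass this validation. The class should be `[Nn]`, giving `^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][Nn][Gg][Tt][Hh]$`. This hunk only reorders the line, and the file appears to be a downloaded copy of the plugin schema, so the correction presumably belongs in the upstream schema definition and would then be re-pulled here.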
@@ -152,81 +155,81 @@ "fields": [ { "max_batch_size": { - "description": "Maximum number of entries that can be processed at a time.", - "type": "integer", "between": [ 1, 1000000 ], - "default": 1 + "type": "integer", + "default": 1, + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "type": "number", "between": [ 0, 3600 ], - "default": 1 + "type": "number", + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "description": "Maximum number of entries that can be waiting on the queue.", - "type": "integer", "between": [ 1, 1000000 ], - "default": 10000 + "type": "integer", + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue." } }, { "max_bytes": { - "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", - "type": "integer" + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." } }, { "max_retry_time": { - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number", - "default": 60 + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { - "description": "Time in seconds before the initial retry is made for a failing batch.", - "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01 + "type": "number", + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch." 
} }, { "max_retry_delay": { - "description": "Maximum time in seconds between retries, caps exponential backoff.", - "type": "number", "between": [ 0.001, 1000000 ], - "default": 60 + "type": "number", + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff." } }, { "concurrency_limit": { - "description": "The number of of queue delivery timers. -1 indicates unlimited.", - "type": "integer", - "default": 1, "one_of": [ -1, 1 - ] + ], + "type": "integer", + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited." } } ], @@ -241,11 +244,11 @@ "len_min": 1 }, "type": "map", + "description": "Lua code as a key-value map", "values": { - "type": "string", - "len_min": 1 - }, - "description": "Lua code as a key-value map" + "len_min": 1, + "type": "string" + } } } ], @@ -253,8 +256,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/ip-restriction/3.9.x.json b/schemas/ip-restriction/3.9.x.json index aa8bec87..7ee4e390 100644 --- a/schemas/ip-restriction/3.9.x.json +++ b/schemas/ip-restriction/3.9.x.json @@ -1,8 +1,15 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -28,7 +35,8 @@ "tls", "grpc", "grpcs" - ] + ], + "description": "A set of strings representing protocols." } }, { 
@@ -36,8 +44,8 @@ "fields": [ { "allow": { - "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", "type": "array", + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", "elements": { "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", "type": "string" @@ -46,8 +54,8 @@ }, { "deny": { - "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", "type": "array", + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", "elements": { "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", "type": "string" @@ -57,15 +65,15 @@ { "status": { "description": "The HTTP status of the requests that will be rejected by the plugin.", - "type": "number", - "required": false + "required": false, + "type": "number" } }, { "message": { "description": "The message to send as a response body to rejected requests.", - "type": "string", - "required": false + "required": false, + "type": "string" } } ], @@ -73,13 +81,5 @@ "required": true } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.allow", - "config.deny" - ] - } ] } \ No newline at end of file diff --git a/schemas/jq/3.9.x.json b/schemas/jq/3.9.x.json index 9e42f8c1..4611502f 100644 --- a/schemas/jq/3.9.x.json +++ b/schemas/jq/3.9.x.json @@ -1,16 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
@@ -27,7 +29,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { @@ -35,8 +38,8 @@ "fields": [ { "request_jq_program": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { @@ -45,62 +48,62 @@ { "compact_output": { "required": true, - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "raw_output": { "required": true, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "join_output": { "required": true, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "ascii_output": { "required": true, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "sort_keys": { "required": true, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } } ], - "required": false, "type": "record", "default": [ - ] + ], + "required": false } }, { "request_if_media_type": { - "elements": { - "type": "string" - }, "required": false, "type": "array", "default": [ "application/json" - ] + ], + "elements": { + "type": "string" + } } }, { "response_jq_program": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { 
@@ -109,72 +112,72 @@ { "compact_output": { "required": true, - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "raw_output": { "required": true, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "join_output": { "required": true, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "ascii_output": { "required": true, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "sort_keys": { "required": true, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } } ], - "required": false, "type": "record", "default": [ - ] + ], + "required": false } }, { "response_if_media_type": { - "elements": { - "type": "string" - }, "required": false, "type": "array", "default": [ "application/json" - ] + ], + "elements": { + "type": "string" + } } }, { "response_if_status_code": { + "required": false, + "type": "array", + "default": [ + 200 + ], "elements": { "between": [ 100, 599 ], "type": "integer" - }, - "required": false, - "type": "array", - "default": [ - 200 - ] + } } } ], @@ -190,8 +193,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/json-threat-protection/3.9.x.json b/schemas/json-threat-protection/3.9.x.json index a49e1e7d..8d23191f 100644 --- a/schemas/json-threat-protection/3.9.x.json +++ b/schemas/json-threat-protection/3.9.x.json @@ -1,16 +1,25 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.max_body_size", + "config.max_container_depth" + ] + } + } + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
@@ -27,14 +36,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -43,106 +53,106 @@ "fields": [ { "max_body_size": { - "description": "Max size of the request body. -1 means unlimited.", "required": false, "between": [ -1, 2147483648 ], "type": "integer", - "default": 8192 + "default": 8192, + "description": "Max size of the request body. -1 means unlimited." } }, { "max_container_depth": { - "description": "Max nested depth of objects and arrays. -1 means unlimited.", "required": false, "between": [ -1, 2147483648 ], "type": "integer", - "default": -1 + "default": -1, + "description": "Max nested depth of objects and arrays. -1 means unlimited." } }, { "max_object_entry_count": { - "description": "Max number of entries in an object. -1 means unlimited.", "required": false, "between": [ -1, 2147483648 ], "type": "integer", - "default": -1 + "default": -1, + "description": "Max number of entries in an object. -1 means unlimited." } }, { "max_object_entry_name_length": { - "description": "Max string length of object name. -1 means unlimited.", "required": false, "between": [ -1, 2147483648 ], "type": "integer", - "default": -1 + "default": -1, + "description": "Max string length of object name. -1 means unlimited." } }, { "max_array_element_count": { - "description": "Max number of elements in an array. -1 means unlimited.", "required": false, "between": [ -1, 2147483648 ], "type": "integer", - "default": -1 + "default": -1, + "description": "Max number of elements in an array. -1 means unlimited." } }, { "max_string_value_length": { - "description": "Max string value length. -1 means unlimited.", "required": false, "between": [ -1, 2147483648 ], "type": "integer", - "default": -1 + "default": -1, + "description": "Max string value length. -1 means unlimited." 
} }, { "enforcement_mode": { - "description": "Enforcement mode of the security policy.", "required": false, + "description": "Enforcement mode of the security policy.", + "type": "string", + "default": "block", "one_of": [ "block", "log_only" - ], - "type": "string", - "default": "block" + ] } }, { "error_status_code": { - "description": "The response status code when validation fails.", "required": false, "between": [ 400, 499 ], "type": "integer", - "default": 400 + "default": 400, + "description": "The response status code when validation fails." } }, { "error_message": { - "description": "The response message when validation fails", "required": false, - "type": "string", - "default": "Bad Request" + "description": "The response message when validation fails", + "default": "Bad Request", + "type": "string" } } ], @@ -150,15 +160,5 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.max_body_size", - "config.max_container_depth" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/jwe-decrypt/3.9.x.json b/schemas/jwe-decrypt/3.9.x.json index f30147c9..94127a4b 100644 --- a/schemas/jwe-decrypt/3.9.x.json +++ b/schemas/jwe-decrypt/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,22 +21,23 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -44,23 +47,23 @@ { "lookup_header_name": { "description": "The name of the header to look for the JWE token.", - "type": "string", "required": true, - "default": "Authorization" + "default": "Authorization", + "type": "string" } }, { "forward_header_name": { "description": "The name of the header that is used to set the decrypted value.", - "type": "string", "required": true, - "default": "Authorization" + "default": "Authorization", + "type": "string" } }, { "key_sets": { - "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", "type": "array", + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", "required": true, "elements": { "type": "string" @@ -70,8 +73,8 @@ { "strict": { "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } } ], @@ -79,8 +82,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/jwt-signer/3.9.x.json b/schemas/jwt-signer/3.9.x.json index 1f21e368..cae83050 100644 --- a/schemas/jwt-signer/3.9.x.json +++ b/schemas/jwt-signer/3.9.x.json 
@@ -1,16 +1,27 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.access_token_upstream_header", + "config.channel_token_upstream_header", + "config.original_access_token_upstream_header", + "config.original_channel_token_upstream_header" + ] + } + } + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -27,14 +38,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -43,137 +55,137 @@ "fields": [ { "realm": { - "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", "required": false, + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", "type": "string" } }, { "enable_hs_signatures": { "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting.", - "required": false, "type": "boolean", - "default": false + "default": false, + "required": false } }, { "enable_instrumentation": { "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", - "required": false, "type": "boolean", - "default": false + "default": false, + "required": false } }, { "access_token_issuer": { "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", - "required": false, "type": "string", - "default": "kong" + "default": "kong", + "required": false } }, { "access_token_keyset": { "description": "The name of the keyset containing signing keys.", - "required": false, "type": "string", - "default": "kong" + "default": "kong", + "required": false } }, { "access_token_keyset_client_username": { "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `access_token_keyset_client_password`", - "required": false, "type": "string", - "referenceable": true + "referenceable": true, + "required": false } }, { "access_token_keyset_client_password": { - "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`", "required": false, - "type": "string", "referenceable": true, + "type": "string", + "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`", "encrypted": true } }, { "access_token_keyset_client_certificate": { "description": "The client certificate that will be used to authenticate Kong if `access_token_keyset` is an https uri that requires mTLS Auth.", - "required": false, "type": "foreign", - "reference": "certificates" + "reference": "certificates", + "required": false } }, { "access_token_keyset_rotate_period": { "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. The default value 0 means no auto-rotation.", - "required": false, "type": "number", - "default": 0 + "default": 0, + "required": false } }, { "access_token_jwks_uri": { - "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", "required": false, + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", "type": "string" } }, { "access_token_jwks_uri_client_username": { "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. 
Should be configured together with `access_token_jwks_uri_client_password`", - "required": false, "type": "string", - "referenceable": true + "referenceable": true, + "required": false } }, { "access_token_jwks_uri_client_password": { - "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`", "required": false, - "type": "string", "referenceable": true, + "type": "string", + "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`", "encrypted": true } }, { "access_token_jwks_uri_client_certificate": { "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", - "required": false, "type": "foreign", - "reference": "certificates" + "reference": "certificates", + "required": false } }, { "access_token_jwks_uri_rotate_period": { "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. The default value 0 means no auto-rotation.", - "required": false, "type": "number", - "default": 0 + "default": 0, + "required": false } }, { "access_token_request_header": { "description": "This parameter tells the name of the header where to look for the access token.", - "required": false, "type": "string", - "default": "Authorization" + "default": "Authorization", + "required": false } }, { "access_token_leeway": { "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. 
You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", - "required": false, "type": "number", - "default": 0 + "default": 0, + "required": false } }, { "access_token_scopes_required": { "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", - "required": false, "type": "array", + "required": false, "elements": { "type": "string" } @@ -181,7 +193,6 @@ }, { "access_token_scopes_claim": { - "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", "required": false, "elements": { "type": "string" @@ -189,14 +200,15 @@ "type": "array", "default": [ "scope" - ] + ], + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`." } }, { "access_token_consumer_claim": { "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", - "required": false, "type": "array", + "required": false, "elements": { "type": "string" } @@ -204,7 +216,6 @@ }, { "access_token_consumer_by": { - "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", "required": false, "elements": { "type": "string", 
@@ -218,59 +229,60 @@ "default": [ "username", "custom_id" - ] + ], + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`." } }, { "access_token_upstream_header": { "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", - "required": false, "type": "string", - "default": "Authorization:Bearer" + "default": "Authorization:Bearer", + "required": false } }, { "access_token_upstream_leeway": { "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", - "required": false, "type": "number", - "default": 0 + "default": 0, + "required": false } }, { "access_token_introspection_endpoint": { - "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", "required": false, + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", "type": "string" } }, { "access_token_introspection_authorization": { - "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", 
"required": false, + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", "type": "string" } }, { "access_token_introspection_body_args": { - "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", "required": false, + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", "type": "string" } }, { "access_token_introspection_hint": { "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", - "required": false, "type": "string", - "default": "access_token" + "default": "access_token", + "required": false } }, { "access_token_introspection_jwt_claim": { "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", - "required": false, "type": "array", + "required": false, "elements": { "type": "string" } @@ -279,8 +291,8 @@ { "access_token_introspection_scopes_required": { "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", - "required": false, "type": "array", + "required": false, "elements": { "type": "string" } 
@@ -288,7 +300,6 @@ }, { "access_token_introspection_scopes_claim": { - "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", "required": true, "elements": { "type": "string" @@ -296,14 +307,15 @@ "type": "array", "default": [ "scope" - ] + ], + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`." } }, { "access_token_introspection_consumer_claim": { "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", - "required": false, "type": "array", + "required": false, "elements": { "type": "string" } @@ -311,7 +323,6 @@ }, { "access_token_introspection_consumer_by": { - "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.", "required": false, "elements": { "type": "string", 
@@ -325,21 +336,22 @@ "default": [ "username", "custom_id" - ] + ], + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values." } }, { "access_token_introspection_leeway": { "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", - "required": false, "type": "number", - "default": 0 + "default": 0, + "required": false } }, { "access_token_introspection_timeout": { - "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", "required": false, + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", "type": "number" } }, 
@@ -347,6 +359,8 @@ "access_token_signing_algorithm": { "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", "required": true, + "type": "string", + "default": "RS256", "one_of": [ "HS256", "HS384", @@ -360,15 +374,12 @@ "PS384", "PS512", "EdDSA" - ], - "type": "string", - "default": "RS256" + ] } }, { "add_access_token_claims": { "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", - "required": false, "values": { "type": "string" }, @@ -378,13 +389,13 @@ "type": "map", "default": [ - ] + ], + "required": false } }, { "set_access_token_claims": { "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", - "required": false, "values": { "type": "string" }, @@ -394,12 +405,12 @@ "type": "map", "default": [ - ] + ], + "required": false } }, { "remove_access_token_claims": { - "description": "remove claims. It should be an array, and each element is a claim key string.", "required": false, "elements": { "type": "string" 
@@ -407,197 +418,198 @@ "type": "array", "default": [ - ] + ], + "description": "remove claims. It should be an array, and each element is a claim key string." } }, { "original_access_token_upstream_header": { - "description": "The HTTP header name used to store the original access token.", "required": false, + "description": "The HTTP header name used to store the original access token.", "type": "string" } }, { "access_token_optional": { "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect", - "required": false, "type": "boolean", - "default": false + "default": false, + "required": false } }, { "verify_access_token_signature": { "description": "Quickly turn access token signature verification off and on as needed.", - "required": false, "type": "boolean", - "default": true + "default": true, + "required": false } }, { "verify_access_token_expiry": { "description": "Quickly turn access token expiry verification off and on as needed.", - "required": false, "type": "boolean", - "default": true + "default": true, + "required": false } }, { "verify_access_token_scopes": { "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", - "required": false, "type": "boolean", - "default": true + "default": true, + "required": false } }, { "verify_access_token_introspection_expiry": { "description": "Quickly turn access token introspection expiry verification off and on as needed.", - "required": false, "type": "boolean", - "default": true + "default": true, + "required": false } }, { 
"verify_access_token_introspection_scopes": { "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", - "required": false, "type": "boolean", - "default": true + "default": true, + "required": false } }, { "cache_access_token_introspection": { "description": "Whether to cache access token introspection results.", - "required": false, "type": "boolean", - "default": true + "default": true, + "required": false } }, { "trust_access_token_introspection": { "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", - "required": false, "type": "boolean", - "default": true + "default": true, + "required": false } }, { "enable_access_token_introspection": { "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", - "required": false, "type": "boolean", - "default": true + "default": true, + "required": false } }, { "channel_token_issuer": { "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", - "required": false, "type": "string", - "default": "kong" + "default": "kong", + "required": false } }, { "channel_token_keyset": { "description": "The name of the keyset containing signing keys.", - "required": false, "type": "string", - "default": "kong" + "default": "kong", + "required": false } }, { "channel_token_keyset_client_username": { "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_keyset_client_password`", - "required": false, "type": "string", - "referenceable": true + "referenceable": true, + "required": false } }, { "channel_token_keyset_client_password": { - "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_username`", "required": false, - "type": "string", "referenceable": true, + "type": "string", + "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_username`", "encrypted": true } }, { "channel_token_keyset_client_certificate": { "description": "The client certificate that will be used to authenticate Kong if `channel_token_keyset` is an https uri that requires mTLS Auth.", - "required": false, "type": "foreign", - "reference": "certificates" + "reference": "certificates", + "required": false } }, { "channel_token_keyset_rotate_period": { "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. The default value 0 means no auto-rotation.", - "required": false, "type": "number", - "default": 0 + "default": 0, + "required": false } }, { "channel_token_jwks_uri": { - "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", "required": false, + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. 
If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", "type": "string" } }, { "channel_token_jwks_uri_client_username": { "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", - "required": false, "type": "string", - "referenceable": true + "referenceable": true, + "required": false } }, { "channel_token_jwks_uri_client_password": { - "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`", "required": false, - "type": "string", "referenceable": true, + "type": "string", + "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`", "encrypted": true } }, { "channel_token_jwks_uri_client_certificate": { "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", - "required": false, "type": "foreign", - "reference": "certificates" + "reference": "certificates", + "required": false } }, { "channel_token_jwks_uri_rotate_period": { "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. The default value 0 means no auto-rotation.", - "required": false, "type": "number", - "default": 0 + "default": 0, + "required": false } }, { "channel_token_request_header": { - "description": "This parameter tells the name of the header where to look for the channel token. 
If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", "required": false, + "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", "type": "string" } }, { "channel_token_leeway": { "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", - "required": false, "type": "number", - "default": 0 + "default": 0, + "required": false } }, { "channel_token_scopes_required": { "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", - "required": false, "type": "array", + "required": false, "elements": { "type": "string" } @@ -605,7 +617,6 @@ }, { "channel_token_scopes_claim": { - "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", "required": false, "elements": { "type": "string" 
@@ -613,14 +624,15 @@ "type": "array", "default": [ "scope" - ] + ], + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims." } }, { "channel_token_consumer_claim": { "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", - "required": false, "type": "array", + "required": false, "elements": { "type": "string" } @@ -628,8 +640,12 @@ }, { "channel_token_consumer_by": { - "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", "type": "array", + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", + "default": [ + "username", + "custom_id" + ], "elements": { "type": "string", "one_of": [ 
@@ -637,40 +653,36 @@ "username", "custom_id" ] - }, - "default": [ - "username", - "custom_id" - ] + } } }, { "channel_token_upstream_header": { - "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", "required": false, + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", "type": "string" } }, { "channel_token_upstream_leeway": { "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", - "required": false, "type": "number", - "default": 0 + "default": 0, + "required": false } }, { "channel_token_introspection_endpoint": { - "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", "required": false, + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", "type": "string" } }, { "channel_token_introspection_authorization": { "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", - "required": false, "type": "string", + "required": false, "elements": { "type": "string" } 
@@ -679,8 +691,8 @@ { "channel_token_introspection_body_args": { "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", - "required": false, "type": "string", + "required": false, "elements": { "type": "string" } @@ -689,8 +701,8 @@ { "channel_token_introspection_hint": { "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", - "required": false, "type": "string", + "required": false, "elements": { "type": "string" } @@ -699,8 +711,8 @@ { "channel_token_introspection_jwt_claim": { "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", - "required": false, "type": "array", + "required": false, "elements": { "type": "string" } @@ -709,8 +721,8 @@ { "channel_token_introspection_scopes_required": { "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", - "required": false, "type": "array", + "required": false, "elements": { "type": "string" } @@ -718,7 +730,6 @@ }, { "channel_token_introspection_scopes_claim": { - "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", "required": false, "elements": { "type": "string" 
@@ -726,14 +737,15 @@ "type": "array", "default": [ "scope" - ] + ], + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims." } }, { "channel_token_introspection_consumer_claim": { "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", - "required": false, "type": "array", + "required": false, "elements": { "type": "string" } @@ -741,7 +753,6 @@ }, { "channel_token_introspection_consumer_by": { - "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", "required": false, "elements": { "type": "string", 
@@ -755,21 +766,22 @@ "default": [ "username", "custom_id" - ] + ], + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`." } }, { "channel_token_introspection_leeway": { "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", - "required": false, "type": "number", - "default": 0 + "default": 0, + "required": false } }, { "channel_token_introspection_timeout": { - "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", "required": false, + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", "type": "number" } }, @@ -777,6 +789,8 @@ "channel_token_signing_algorithm": { "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", "required": true, + "type": "string", + "default": "RS256", "one_of": [ "HS256", "HS384", 
@@ -790,15 +804,12 @@ "PS384", "PS512", "EdDSA" - ], - "type": "string", - "default": "RS256" + ] } }, { "add_channel_token_claims": { "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", - "required": false, "values": { "type": "string" }, @@ -808,13 +819,13 @@ "type": "map", "default": [ - ] + ], + "required": false } }, { "set_channel_token_claims": { "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", - "required": false, "values": { "type": "string" }, @@ -824,12 +835,12 @@ "type": "map", "default": [ - ] + ], + "required": false } }, { "remove_channel_token_claims": { - "description": "remove claims. It should be an array, and each element is a claim key string.", "required": false, "elements": { "type": "string" 
@@ -837,91 +848,91 @@ "type": "array", "default": [ - ] + ], + "description": "remove claims. It should be an array, and each element is a claim key string." } }, { "original_channel_token_upstream_header": { - "description": "The HTTP header name used to store the original channel token.", "required": false, + "description": "The HTTP header name used to store the original channel token.", "type": "string" } }, { "channel_token_optional": { "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", - "required": false, "type": "boolean", - "default": false + "default": false, + "required": false } }, { "verify_channel_token_signature": { "description": "Quickly turn on/off the channel token signature verification.", - "required": false, "type": "boolean", - "default": true + "default": true, + "required": false } }, { "verify_channel_token_expiry": { "type": "boolean", - "required": false, - "default": true + "default": true, + "required": false } }, { "verify_channel_token_scopes": { "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", - "required": false, "type": "boolean", - "default": true + "default": true, + "required": false } }, { "verify_channel_token_introspection_expiry": { "description": "Quickly turn on/off the channel token introspection expiry verification.", - "required": false, "type": "boolean", - "default": true + "default": true, + "required": false } }, { "verify_channel_token_introspection_scopes": { "description": "Quickly turn on/off the channel token 
introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", - "required": false, "type": "boolean", - "default": true + "default": true, + "required": false } }, { "cache_channel_token_introspection": { "description": "Whether to cache channel token introspection results.", - "required": false, "type": "boolean", - "default": true + "default": true, + "required": false } }, { "trust_channel_token_introspection": { "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", - "required": false, "type": "boolean", - "default": true + "default": true, + "required": false } }, { "enable_channel_token_introspection": { "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", - "required": false, "type": "boolean", - "default": true + "default": true, + "required": false } }, { "add_claims": { "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", - "required": false, "values": { "type": "string" }, @@ -931,13 +942,13 @@ "type": "map", "default": [ - ] + ], + "required": false } }, { "set_claims": { "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", - "required": false, "values": { "type": "string" }, 
@@ -947,10 +958,12 @@ "type": "map", "default": [ - ] + ], + "required": false } } ], + "required": true, "entity_checks": [ { "mutually_required": [ @@ -977,21 +990,8 @@ ] } ], - "required": true, "type": "record" } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.access_token_upstream_header", - "config.channel_token_upstream_header", - "config.original_access_token_upstream_header", - "config.original_channel_token_upstream_header" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/jwt/3.9.x.json b/schemas/jwt/3.9.x.json index 2530ff46..d5983af7 100644 --- a/schemas/jwt/3.9.x.json +++ b/schemas/jwt/3.9.x.json @@ -1,16 +1,29 @@ { + "entity_checks": [ + { + "conditional": { + "if_match": { + "gt": 0 + }, + "then_field": "config.claims_to_verify", + "if_field": "config.maximum_expiration", + "then_match": { + "contains": "exp" + } + } + } + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -27,14 +40,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -45,39 +59,39 @@ "uri_param_names": { "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", "type": "set", - "elements": { - "type": "string" - }, "default": [ "jwt" - ] + ], + "elements": { + "type": "string" + } } }, { "cookie_names": { "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", "type": "set", - "elements": { - "type": "string" - }, "default": [ - ] + ], + "elements": { + "type": "string" + } } }, { "key_claim_name": { "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", - "type": "string", - "default": "iss" + "default": "iss", + "type": "string" } }, { "secret_is_base64": { - "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", - "type": "boolean", "required": true, - "default": false + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", + "default": false, + "type": "boolean" } }, { 
@@ -101,40 +115,40 @@ }, { "run_on_preflight": { - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", - "type": "boolean", "required": true, - "default": true + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", + "default": true, + "type": "boolean" } }, { "maximum_expiration": { - "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", - "type": "number", "between": [ 0, 31536000 ], - "default": 0 + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", + "default": 0, + "type": "number" } }, { "header_names": { "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", "type": "set", - "elements": { - "type": "string" - }, "default": [ "authorization" - ] + ], + "elements": { + "type": "string" + } } }, { "realm": { - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "type": "string", - "required": false + "required": false, + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value." } } ], @@ -142,19 +156,5 @@ "required": true } } - ], - "entity_checks": [ - { - "conditional": { - "if_field": "config.maximum_expiration", - "if_match": { - "gt": 0 - }, - "then_field": "config.claims_to_verify", - "then_match": { - "contains": "exp" - } - } - } ] } \ No newline at end of file diff --git a/schemas/kafka-log/3.9.x.json b/schemas/kafka-log/3.9.x.json index 00a36770..d771b93c 100644 --- a/schemas/kafka-log/3.9.x.json +++ b/schemas/kafka-log/3.9.x.json 
@@ -1,7 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { + "type": "set", + "required": true, "default": [ "grpc", "grpcs", @@ -10,8 +15,6 @@ "ws", "wss" ], - "required": true, - "type": "set", "elements": { "type": "string", "one_of": [ @@ -28,8 +31,8 @@ { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -44,20 +47,20 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", + "type": "string", "required": true, - "type": "string" + "description": "A string representing a host name, such as example.com." } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": true, "between": [ 0, 65535 ], - "type": "integer" + "required": true, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], @@ -67,16 +70,16 @@ }, { "topic": { - "description": "The Kafka topic to publish to.", "type": "string", + "description": "The Kafka topic to publish to.", "required": true } }, { "timeout": { "description": "Socket timeout in milliseconds.", - "type": "integer", - "default": 10000 + "default": 10000, + "type": "integer" } }, { @@ -97,8 +100,8 @@ { "strategy": { "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", - "type": "string", "required": false, + "type": "string", "one_of": [ "sasl" ] @@ -107,8 +110,8 @@ { "mechanism": { "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", - "type": "string", "required": false, + "type": "string", "one_of": [ "PLAIN", "SCRAM-SHA-256", 
@@ -118,27 +121,27 @@ }, { "tokenauth": { - "description": "Enable this to indicate `DelegationToken` authentication", "type": "boolean", + "description": "Enable this to indicate `DelegationToken` authentication", "required": false } }, { "user": { "description": "Username for SASL authentication.", - "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "required": false, + "encrypted": true } }, { "password": { "description": "Password for SASL authentication.", - "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "required": false, + "encrypted": true } } ], @@ -152,15 +155,15 @@ { "certificate_id": { "description": "UUID of certificate entity for mTLS authentication.", + "required": false, "uuid": true, - "type": "string", - "required": false + "type": "string" } }, { "ssl": { - "description": "Enables TLS.", "type": "boolean", + "description": "Enables TLS.", "required": false } } 
@@ -172,15 +175,15 @@ { "cluster_name": { "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "required": false, "auto": true, - "type": "string", - "required": false + "type": "string" } }, { "producer_request_acks": { - "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "type": "integer", + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "default": 1, "one_of": [ -1, 
@@ -192,57 +195,57 @@ { "producer_request_timeout": { "description": "Time to wait for a Produce response in milliseconds", - "type": "integer", - "default": 2000 + "default": 2000, + "type": "integer" } }, { "producer_request_limits_messages_per_request": { "description": "Maximum number of messages to include into a single Produce request.", - "type": "integer", - "default": 200 + "default": 200, + "type": "integer" } }, { "producer_request_limits_bytes_per_request": { "description": "Maximum size of a Produce request in bytes.", - "type": "integer", - "default": 1048576 + "default": 1048576, + "type": "integer" } }, { "producer_request_retries_max_attempts": { "description": "Maximum number of retry attempts per single Produce request.", - "type": "integer", - "default": 10 + "default": 10, + "type": "integer" } }, { "producer_request_retries_backoff_timeout": { "description": "Backoff interval between retry attempts in milliseconds.", - "type": "integer", - "default": 100 + "default": 100, + "type": "integer" } }, { "producer_async": { "description": "Flag to enable asynchronous mode.", - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "producer_async_flush_timeout": { "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", - "type": "integer", - "default": 1000 + "default": 1000, + "type": "integer" } }, { "producer_async_buffering_limits_messages_in_memory": { "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", - "type": "integer", - "default": 50000 + "default": 50000, + "type": "integer" } }, { @@ -252,11 +255,11 @@ "len_min": 1 }, "type": "map", + "description": "Lua code as a key-value map", "values": { - "type": "string", - "len_min": 1 - }, - "description": "Lua code as a key-value map" + "len_min": 1, + "type": "string" + } } } ], 
@@ -273,8 +276,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/kafka-upstream/3.9.x.json b/schemas/kafka-upstream/3.9.x.json index 1229e543..d75f1fec 100644 --- a/schemas/kafka-upstream/3.9.x.json +++ b/schemas/kafka-upstream/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,14 +21,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -35,26 +38,26 @@ "fields": [ { "bootstrap_servers": { - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "type": "set", + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "elements": { "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", + "type": "string", "required": true, - "type": "string" + "description": "A string representing a host name, such as example.com." } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": true, "between": [ 0, 65535 ], - "type": "integer" + "required": true, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], 
@@ -71,16 +74,16 @@ }, { "timeout": { - "description": "Socket timeout in milliseconds.", "type": "integer", - "default": 10000 + "default": 10000, + "description": "Socket timeout in milliseconds." } }, { "keepalive": { - "description": "Keepalive timeout in milliseconds.", "type": "integer", - "default": 60000 + "default": 60000, + "description": "Keepalive timeout in milliseconds." } }, { @@ -94,9 +97,9 @@ "fields": [ { "strategy": { - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "required": false, "type": "string", + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "one_of": [ "sasl" ] @@ -104,9 +107,9 @@ }, { "mechanism": { - "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", "required": false, "type": "string", + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", "one_of": [ "PLAIN", "SCRAM-SHA-256", @@ -123,19 +126,19 @@ }, { "user": { - "description": "Username for SASL authentication.", "required": false, - "type": "string", "referenceable": true, + "type": "string", + "description": "Username for SASL authentication.", "encrypted": true } }, { "password": { - "description": "Password for SASL authentication.", "required": false, - "type": "string", "referenceable": true, + "type": "string", + "description": "Password for SASL authentication.", "encrypted": true } } @@ -149,10 +152,10 @@ "fields": [ { "certificate_id": { - "description": "UUID of certificate entity for mTLS authentication.", - "required": false, "uuid": true, - "type": "string" + "type": "string", + "required": false, + "description": "UUID of certificate entity for mTLS authentication." } }, { 
@@ -169,38 +172,38 @@ }, { "forward_method": { - "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "type": "boolean", - "default": false + "default": false, + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { "forward_uri": { - "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "type": "boolean", - "default": false + "default": false, + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { "forward_headers": { - "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "type": "boolean", - "default": false + "default": false, + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { "forward_body": { - "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "type": "boolean", - "default": true + "default": true, + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." } }, { "cluster_name": { - "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. 
If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", - "required": false, "auto": true, - "type": "string" + "type": "string", + "required": false, + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster." } }, { 
@@ -217,58 +220,58 @@ }, { "producer_request_timeout": { - "description": "Time to wait for a Produce response in milliseconds.", "type": "integer", - "default": 2000 + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds." } }, { "producer_request_limits_messages_per_request": { - "description": "Maximum number of messages to include into a single producer request.", "type": "integer", - "default": 200 + "default": 200, + "description": "Maximum number of messages to include into a single producer request." } }, { "producer_request_limits_bytes_per_request": { - "description": "Maximum size of a Produce request in bytes.", "type": "integer", - "default": 1048576 + "default": 1048576, + "description": "Maximum size of a Produce request in bytes." } }, { "producer_request_retries_max_attempts": { - "description": "Maximum number of retry attempts per single Produce request.", "type": "integer", - "default": 10 + "default": 10, + "description": "Maximum number of retry attempts per single Produce request." } }, { "producer_request_retries_backoff_timeout": { - "description": "Backoff interval between retry attempts in milliseconds.", "type": "integer", - "default": 100 + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds." } }, { "producer_async": { - "description": "Flag to enable asynchronous mode.", "type": "boolean", - "default": true + "default": true, + "description": "Flag to enable asynchronous mode." } }, { "producer_async_flush_timeout": { - "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", "type": "integer", - "default": 1000 + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode." 
} }, { "producer_async_buffering_limits_messages_in_memory": { - "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", "type": "integer", - "default": 50000 + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode." } } ], @@ -295,8 +298,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/key-auth-enc/3.9.x.json b/schemas/key-auth-enc/3.9.x.json index c141f8db..f7d81dcb 100644 --- a/schemas/key-auth-enc/3.9.x.json +++ b/schemas/key-auth-enc/3.9.x.json @@ -1,15 +1,20 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, "default": [ "grpc", "grpcs", @@ -18,8 +23,6 @@ "ws", "wss" ], - "required": true, - "type": "set", "elements": { "type": "string", "one_of": [ @@ -36,8 +39,8 @@ { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -46,7 +49,6 @@ "fields": [ { "key_names": { - "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "required": true, "elements": { "description": "A string representing an HTTP header name.", 
@@ -55,48 +57,49 @@ "type": "array", "default": [ "apikey" - ] + ], + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." } }, { "hide_credentials": { - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", "type": "boolean", - "default": false + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it." } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." 
} }, { "key_in_header": { - "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", "type": "boolean", - "default": true + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it." } }, { "key_in_query": { - "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", "type": "boolean", - "default": true + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it." } }, { "key_in_body": { - "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", "type": "boolean", - "default": false + "default": false, + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." } }, { "run_on_preflight": { - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", "type": "boolean", - "default": true + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed." } }, { @@ -111,8 +114,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/key-auth/3.9.x.json b/schemas/key-auth/3.9.x.json index f391803f..fdd792f8 100644 --- a/schemas/key-auth/3.9.x.json 
+++ b/schemas/key-auth/3.9.x.json @@ -1,15 +1,20 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, "default": [ "grpc", "grpcs", @@ -18,8 +23,6 @@ "ws", "wss" ], - "required": true, - "type": "set", "elements": { "type": "string", "one_of": [ @@ -36,8 +39,8 @@ { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -46,7 +49,6 @@ "fields": [ { "key_names": { - "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "required": true, "elements": { "description": "A string representing an HTTP header name.", 
@@ -55,53 +57,54 @@ "type": "array", "default": [ "apikey" - ] + ], + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." } }, { "hide_credentials": { - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", "required": true, "type": "boolean", - "default": false + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request." } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`.", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`." } }, { "key_in_header": { - "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", "required": true, "type": "boolean", - "default": true + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it." } }, { "key_in_query": { - "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", "required": true, "type": "boolean", - "default": true + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it." } }, { "key_in_body": { - "description": "If enabled, the plugin reads the request body. 
Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", "required": true, "type": "boolean", - "default": false + "default": false, + "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." } }, { "run_on_preflight": { - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", "required": true, "type": "boolean", - "default": true + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed." } }, { @@ -116,8 +119,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/konnect-application-auth/3.9.x.json b/schemas/konnect-application-auth/3.9.x.json index 3ab638a1..699adb21 100644 --- a/schemas/konnect-application-auth/3.9.x.json +++ b/schemas/konnect-application-auth/3.9.x.json @@ -1,16 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -27,14 +29,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -43,7 +46,6 @@ "fields": [ { "key_names": { - "description": "The names of the headers containing the API key. You can specify multiple header names.", "required": true, "elements": { "description": "A string representing an HTTP header name.", @@ -52,48 +54,46 @@ "type": "array", "default": [ "apikey" - ] + ], + "description": "The names of the headers containing the API key. You can specify multiple header names." } }, { "auth_type": { "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", "required": true, + "type": "string", + "default": "openid-connect", "one_of": [ "openid-connect", "key-auth", "v2-strategies" - ], - "type": "string", - "default": "openid-connect" + ] } }, { "scope": { + "required": true, "description": "The unique scope identifier for the plugin configuration.", "unique": true, - "required": true, "type": "string" } }, { "v2_strategies": { - "description": "The map of v2 strategies.", - "required": false, - "type": "record", "fields": [ { "key_auth": { - "description": "List of key_auth strategies.", "required": false, + "description": "List of key_auth strategies.", "type": "array", "elements": { "fields": [ { "strategy_id": { - "description": "The strategy id the config is tied to.", + "type": "string", "required": true, - "type": "string" + "description": "The strategy id the config is tied to." } }, { @@ -101,7 +101,6 @@ "fields": [ { "key_names": { - "description": "The names of the headers containing the API key. You can specify multiple header names.", "required": true, "elements": { "description": "A string representing an HTTP header name.", @@ -110,7 +109,8 @@ "type": "array", "default": [ "apikey" - ] + ], + "description": "The names of the headers containing the API key. You can specify multiple header names." } } ], 
@@ -125,22 +125,20 @@ }, { "openid_connect": { - "description": "List of openid_connect strategies.", "required": false, + "description": "List of openid_connect strategies.", "type": "array", "elements": { "fields": [ { "strategy_id": { - "description": "The strategy id the config is tied to.", + "type": "string", "required": true, - "type": "string" + "description": "The strategy id the config is tied to." } }, { "config": { - "description": "openid-connect plugin configuration.", - "type": "record", "fields": [ { "issuer": { @@ -151,17 +149,17 @@ }, { "using_pseudo_issuer": { - "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`." } }, { "discovery_headers_names": { - "description": "Extra header names passed to the discovery endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra header names passed to the discovery endpoint.", "elements": { "type": "string" } @@ -169,9 +167,9 @@ }, { "discovery_headers_values": { - "description": "Extra header values passed to the discovery endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra header values passed to the discovery endpoint.", "elements": { "type": "string" } 
@@ -179,9 +177,9 @@ }, { "extra_jwks_uris": { - "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", - "type": "set", "required": false, + "type": "set", + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" @@ -190,16 +188,15 @@ }, { "rediscovery_lifetime": { - "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", - "type": "number", "required": false, - "default": 30 + "type": "number", + "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis." } }, { "auth_methods": { "description": "Types of credentials/grants to enable.", - "required": false, "elements": { "type": "string", "one_of": [ 
@@ -225,38 +222,39 @@ "kong_oauth2", "refresh_token", "session" - ] + ], + "required": false } }, { "client_id": { - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", "required": false, "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, "type": "array", + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", "encrypted": true } }, { "client_secret": { - "description": "The client secret.", "required": false, "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, "type": "array", + "description": "The client secret.", "encrypted": true } }, { "client_auth": { - "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", - "type": "array", "required": false, + "type": "array", + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", "elements": { "type": "string", "one_of": [ 
@@ -273,27 +271,27 @@ }, { "client_jwk": { - "description": "The JWK used for the private_key_jwt authentication.", - "type": "array", "required": false, + "type": "array", + "description": "The JWK used for the private_key_jwt authentication.", "elements": { "fields": [ { "issuer": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "kty": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "use": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -301,27 +299,27 @@ "required": false, "type": "array", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "alg": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "kid": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "x5u": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { 
@@ -329,131 +327,131 @@ "required": false, "type": "array", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "x5t": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "x5t#S256": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "k": { - "encrypted": true, - "required": false, "type": "string", - "referenceable": true + "required": false, + "referenceable": true, + "encrypted": true } }, { "x": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "y": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "crv": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "n": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "e": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "d": { - "encrypted": true, - "required": false, "type": "string", - "referenceable": true + "required": false, + "referenceable": true, + "encrypted": true } }, { "p": { - "encrypted": true, - "required": false, "type": "string", - "referenceable": true + "required": false, + "referenceable": true, + "encrypted": true } }, { "q": { - "encrypted": true, - "required": false, "type": "string", - "referenceable": true + "required": false, + "referenceable": true, + "encrypted": true } }, { "dp": { - "encrypted": true, - "required": false, "type": "string", - "referenceable": true + "required": false, + "referenceable": true, + "encrypted": true } }, { "dq": { - "encrypted": true, - "required": false, "type": "string", - "referenceable": true + "required": false, + "referenceable": true, + "encrypted": true } }, { "qi": { - "encrypted": true, - "required": false, "type": "string", - "referenceable": true + "required": false, + "referenceable": true, + "encrypted": true } }, { "oth": { - 
"encrypted": true, - "required": false, "type": "string", - "referenceable": true + "required": false, + "referenceable": true, + "encrypted": true } }, { "r": { - "encrypted": true, - "required": false, "type": "string", - "referenceable": true + "required": false, + "referenceable": true, + "encrypted": true } }, { "t": { - "encrypted": true, - "required": false, "type": "string", - "referenceable": true + "required": false, + "referenceable": true, + "encrypted": true } } ], @@ -464,9 +462,9 @@ }, { "client_alg": { - "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", - "type": "array", "required": false, + "type": "array", + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", "elements": { "type": "string", "one_of": [ @@ -489,17 +487,17 @@ }, { "client_arg": { - "description": "The client to use for this request (the selection is made with a request parameter with the same name).", - "type": "string", "required": false, - "default": "client_id" + "type": "string", + "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name)." } }, { "redirect_uri": { - "description": "The redirect URI passed to the authorization and token endpoints.", - "type": "array", "required": false, + "type": "array", + "description": "The redirect URI passed to the authorization and token endpoints.", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" 
@@ -508,33 +506,33 @@ }, { "login_redirect_uri": { - "description": "Where to redirect the client when `login_action` is set to `redirect`.", - "type": "array", "required": false, + "type": "array", + "description": "Where to redirect the client when `login_action` is set to `redirect`.", "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", - "referenceable": true + "referenceable": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } } }, { "logout_redirect_uri": { - "description": "Where to redirect the client after the logout.", - "type": "array", "required": false, + "type": "array", + "description": "Where to redirect the client after the logout.", "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", - "referenceable": true + "referenceable": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } } }, { "forbidden_redirect_uri": { - "description": "Where to redirect the client on forbidden requests.", - "type": "array", "required": false, + "type": "array", + "description": "Where to redirect the client on forbidden requests.", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" 
@@ -543,33 +541,33 @@ }, { "forbidden_error_message": { - "description": "The error message for the forbidden requests (when not using the redirection).", - "type": "string", "required": false, - "default": "Forbidden" + "type": "string", + "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection)." } }, { "forbidden_destroy_session": { - "description": "Destroy any active session for the forbidden requests.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Destroy any active session for the forbidden requests." } }, { "unauthorized_destroy_session": { - "description": "Destroy any active session for the unauthorized requests.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Destroy any active session for the unauthorized requests." } }, { "unauthorized_redirect_uri": { - "description": "Where to redirect the client on unauthorized requests.", - "type": "array", "required": false, + "type": "array", + "description": "Where to redirect the client on unauthorized requests.", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" 
@@ -578,17 +576,17 @@ }, { "unauthorized_error_message": { - "description": "The error message for the unauthorized requests (when not using the redirection).", - "type": "string", "required": false, - "default": "Unauthorized" + "type": "string", + "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection)." } }, { "unexpected_redirect_uri": { - "description": "Where to redirect the client when unexpected errors happen with the requests.", - "type": "array", "required": false, + "type": "array", + "description": "Where to redirect the client when unexpected errors happen with the requests.", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" @@ -599,6 +597,8 @@ "response_mode": { "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", "required": false, + "type": "string", + "default": "query", "one_of": [ "query", "form_post", 
@@ -607,43 +607,41 @@ "form_post.jwt", "fragment.jwt", "jwt" - ], - "type": "string", - "default": "query" + ] } }, { "response_type": { "description": "The response type passed to the authorization endpoint.", - "required": false, "elements": { "type": "string" }, "type": "array", "default": [ "code" - ] + ], + "required": false } }, { "scopes": { "description": "The scopes passed to the authorization and token endpoints.", - "required": false, "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, "type": "array", "default": [ "openid" - ] + ], + "required": false } }, { "audience": { - "description": "The audience passed to the authorization endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "The audience passed to the authorization endpoint.", "elements": { "type": "string" } @@ -651,9 +649,9 @@ }, { "issuers_allowed": { - "description": "The issuers allowed to be present in the tokens (`iss` claim).", - "type": "array", "required": false, + "type": "array", + "description": "The issuers allowed to be present in the tokens (`iss` claim).", "elements": { "type": "string" } @@ -661,9 +659,9 @@ }, { "scopes_required": { - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "type": "array", "required": false, + "type": "array", + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" } 
@@ -672,21 +670,21 @@ { "scopes_claim": { "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, "elements": { "type": "string" }, "type": "array", "default": [ "scope" - ] + ], + "required": false } }, { "audience_required": { - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "type": "array", "required": false, + "type": "array", + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" } @@ -695,21 +693,21 @@ { "audience_claim": { "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, "elements": { "type": "string" }, "type": "array", "default": [ "aud" - ] + ], + "required": false } }, { "groups_required": { - "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "type": "array", "required": false, + "type": "array", + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" } 
@@ -718,21 +716,21 @@ { "groups_claim": { "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, "elements": { "type": "string" }, "type": "array", "default": [ "groups" - ] + ], + "required": false } }, { "roles_required": { - "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "type": "array", "required": false, + "type": "array", + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" } @@ -741,21 +739,21 @@ { "roles_claim": { "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, "elements": { "type": "string" }, "type": "array", "default": [ "roles" - ] + ], + "required": false } }, { "domains": { - "description": "The allowed values for the `hd` claim.", - "type": "array", "required": false, + "type": "array", + "description": "The allowed values for the `hd` claim.", "elements": { "type": "string" } 
@@ -764,15 +762,15 @@ { "max_age": { "description": "The maximum age (in seconds) compared to the `auth_time` claim.", - "type": "number", - "required": false + "required": false, + "type": "number" } }, { "authenticated_groups_claim": { - "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "type": "array", "required": false, + "type": "array", + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" } @@ -787,9 +785,9 @@ }, { "pushed_authorization_request_endpoint_auth_method": { - "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", - "type": "string", "required": false, + "type": "string", + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -804,22 +802,22 @@ { "require_pushed_authorization_requests": { "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", - "type": "boolean", - "required": false + "required": false, + "type": "boolean" } }, { "require_proof_key_for_code_exchange": { "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", - "type": "boolean", - "required": false + "required": false, + "type": "boolean" } }, { "require_signed_request_object": { "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", - "type": "boolean", - "required": false + "required": false, + "type": "boolean" } }, { @@ -831,9 +829,9 @@ }, { "authorization_query_args_names": { - "description": "Extra query argument names passed to the authorization endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra query argument names passed to the authorization endpoint.", "elements": { "type": "string" } @@ -841,9 +839,9 @@ }, { "authorization_query_args_values": { - "description": "Extra query argument values passed to the authorization endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra query argument values passed to the authorization endpoint.", "elements": { "type": "string" } 
@@ -851,9 +849,9 @@ }, { "authorization_query_args_client": { - "description": "Extra query arguments passed from the client to the authorization endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra query arguments passed from the client to the authorization endpoint.", "elements": { "type": "string" } 
@@ -861,77 +859,77 @@ }, { "authorization_rolling_timeout": { - "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", - "type": "number", "required": false, - "default": 600 + "type": "number", + "default": 600, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." } }, { "authorization_cookie_name": { - "description": "The authorization cookie name.", - "type": "string", "required": false, - "default": "authorization" + "type": "string", + "default": "authorization", + "description": "The authorization cookie name." } }, { "authorization_cookie_path": { - "description": "The authorization cookie Path flag.", "required": false, - "starts_with": "/", - "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "default": "/" + "starts_with": "/", + "type": "string", + "default": "/", + "description": "The authorization cookie Path flag." 
} }, { "authorization_cookie_domain": { "description": "The authorization cookie Domain flag.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "authorization_cookie_same_site": { "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "required": false, + "type": "string", + "default": "Default", "one_of": [ "Strict", "Lax", "None", "Default" - ], - "type": "string", - "default": "Default" + ] } }, { "authorization_cookie_http_only": { - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." } }, { "authorization_cookie_secure": { "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "type": "boolean", - "required": false + "required": false, + "type": "boolean" } }, { "preserve_query_args": { - "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow." } }, { 
@@ -943,9 +941,9 @@ }, { "token_endpoint_auth_method": { - "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", - "type": "string", "required": false, + "type": "string", + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", @@ -959,9 +957,9 @@ }, { "token_headers_names": { - "description": "Extra header names passed to the token endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra header names passed to the token endpoint.", "elements": { "type": "string" } @@ -969,9 +967,9 @@ }, { "token_headers_values": { - "description": "Extra header values passed to the token endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra header values passed to the token endpoint.", "elements": { "type": "string" } @@ -979,9 +977,9 @@ }, { "token_headers_client": { - "description": "Extra headers passed from the client to the token endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra headers passed from the client to the token endpoint.", "elements": { "type": "string" } @@ -989,9 +987,9 @@ }, { "token_headers_replay": { - "description": "The names of token endpoint response headers to forward to the downstream client.", - "type": "array", "required": false, + "type": "array", + "description": "The names of token endpoint response headers to forward to the downstream client.", "elements": { "type": "string" } 
@@ -1000,15 +998,15 @@ { "token_headers_prefix": { "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "token_headers_grants": { - "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", - "type": "array", "required": false, + "type": "array", + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", "elements": { "type": "string", "one_of": [ @@ -1022,9 +1020,9 @@ }, { "token_post_args_names": { - "description": "Extra post argument names passed to the token endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra post argument names passed to the token endpoint.", "elements": { "type": "string" } @@ -1032,9 +1030,9 @@ }, { "token_post_args_values": { - "description": "Extra post argument values passed to the token endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra post argument values passed to the token endpoint.", "elements": { "type": "string" } 
@@ -1042,9 +1040,9 @@ }, { "token_post_args_client": { - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", "elements": { "type": "string" } @@ -1059,9 +1057,9 @@ }, { "introspection_endpoint_auth_method": { - "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", - "type": "string", "required": false, + "type": "string", + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -1075,38 +1073,38 @@ }, { "introspection_hint": { - "description": "Introspection hint parameter value passed to the introspection endpoint.", - "type": "string", "required": false, - "default": "access_token" + "type": "string", + "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint." } }, { "introspection_check_active": { - "description": "Check that the introspection response has an `active` claim with a value of `true`.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`." } }, { "introspection_accept": { "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", "required": false, + "type": "string", + "default": "application/json", "one_of": [ "application/json", "application/token-introspection+jwt", "application/jwt" - ], - "type": "string", - "default": "application/json" + ] } }, { "introspection_headers_names": { - "description": "Extra header names passed to the introspection endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra header names passed to the introspection endpoint.", "elements": { "type": "string" } 
@@ -1114,21 +1112,21 @@ }, { "introspection_headers_values": { - "description": "Extra header values passed to the introspection endpoint.", "required": false, "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, "type": "array", + "description": "Extra header values passed to the introspection endpoint.", "encrypted": true } }, { "introspection_headers_client": { - "description": "Extra headers passed from the client to the introspection endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra headers passed from the client to the introspection endpoint.", "elements": { "type": "string" } @@ -1136,9 +1134,9 @@ }, { "introspection_post_args_names": { - "description": "Extra post argument names passed to the introspection endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra post argument names passed to the introspection endpoint.", "elements": { "type": "string" } @@ -1146,9 +1144,9 @@ }, { "introspection_post_args_values": { - "description": "Extra post argument values passed to the introspection endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra post argument values passed to the introspection endpoint.", "elements": { "type": "string" } @@ -1156,9 +1154,19 @@ }, { "introspection_post_args_client": { - "description": "Extra post arguments passed from the client to the introspection endpoint.", + "required": false, "type": "array", + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "elements": { + "type": "string" + } + } + }, + { + "introspection_post_args_client_headers": { "required": false, + "type": "array", + "description": "Extra post arguments passed from the client headers to the introspection endpoint.", "elements": { "type": "string" } 
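Review bot: The description added for `introspection_post_args_client_headers` in the last hunk on this line (`@@ -1156,9 +1154,19 @@`) does not say that the array holds names of request headers, or that the forwarded values come from the caller. As worded, it reads like a duplicate of `introspection_post_args_client` just above it. If the field works as its name suggests, the values reach the introspection endpoint under client control, and operators need to know that before listing a header here. A clearer description would be `"Names of client request headers whose values are sent as extra post arguments to the introspection endpoint. The values are client-controlled; list only headers the endpoint is meant to accept from callers."`. The file is pulled from the API, so the wording belongs in the upstream schema.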
@@ -1166,10 +1174,10 @@ }, { "introspect_jwt_tokens": { - "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations)." } }, { @@ -1181,9 +1189,9 @@ }, { "revocation_endpoint_auth_method": { - "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", - "type": "string", "required": false, + "type": "string", + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", @@ -1213,19 +1221,19 @@ "userinfo_accept": { "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", "required": false, + "type": "string", + "default": "application/json", "one_of": [ "application/json", "application/jwt" - ], - "type": "string", - "default": "application/json" + ] } }, { "userinfo_headers_names": { - "description": "Extra header names passed to the user info endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra header names passed to the user info endpoint.", "elements": { "type": "string" } 
@@ -1233,9 +1241,9 @@ }, { "userinfo_headers_values": { - "description": "Extra header values passed to the user info endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra header values passed to the user info endpoint.", "elements": { "type": "string" } @@ -1243,9 +1251,9 @@ }, { "userinfo_headers_client": { - "description": "Extra headers passed from the client to the user info endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra headers passed from the client to the user info endpoint.", "elements": { "type": "string" } @@ -1253,9 +1261,9 @@ }, { "userinfo_query_args_names": { - "description": "Extra query argument names passed to the user info endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra query argument names passed to the user info endpoint.", "elements": { "type": "string" } @@ -1263,9 +1271,9 @@ }, { "userinfo_query_args_values": { - "description": "Extra query argument values passed to the user info endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra query argument values passed to the user info endpoint.", "elements": { "type": "string" } @@ -1273,9 +1281,9 @@ }, { "userinfo_query_args_client": { - "description": "Extra query arguments passed from the client to the user info endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra query arguments passed from the client to the user info endpoint.", "elements": { "type": "string" } 
@@ -1291,140 +1299,140 @@ { "session_secret": { "description": "The session secret.", - "required": false, - "type": "string", "referenceable": true, + "type": "string", + "required": false, "encrypted": true } }, { "session_audience": { - "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", - "type": "string", "required": false, - "default": "default" + "type": "string", + "default": "default", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`." } }, { "session_cookie_name": { - "description": "The session cookie name.", - "type": "string", "required": false, - "default": "session" + "type": "string", + "default": "session", + "description": "The session cookie name." } }, { "session_remember": { - "description": "Enables or disables persistent sessions.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Enables or disables persistent sessions." } }, { "session_remember_cookie_name": { - "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", - "type": "string", "required": false, - "default": "remember" + "type": "string", + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter." } }, { "session_remember_rolling_timeout": { - "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", - "type": "number", "required": false, - "default": 604800 + "type": "number", + "default": 604800, + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling." } }, { "session_remember_absolute_timeout": { - "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 
0 disables the checks.", - "type": "number", "required": false, - "default": 2592000 + "type": "number", + "default": 2592000, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks." } }, { "session_idling_timeout": { - "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", - "type": "number", "required": false, - "default": 900 + "type": "number", + "default": 900, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching." } }, { "session_rolling_timeout": { - "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", - "type": "number", "required": false, - "default": 3600 + "type": "number", + "default": 3600, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." } }, { "session_absolute_timeout": { - "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", - "type": "number", "required": false, - "default": 86400 + "type": "number", + "default": 86400, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks." } }, { "session_cookie_path": { - "description": "The session cookie Path flag.", "required": false, - "starts_with": "/", - "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "default": "/" + "starts_with": "/", + "type": "string", + "default": "/", + "description": "The session cookie Path flag." 
} }, { "session_cookie_domain": { "description": "The session cookie Domain flag.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "session_cookie_same_site": { "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "required": false, + "type": "string", + "default": "Lax", "one_of": [ "Strict", "Lax", "None", "Default" - ], - "type": "string", - "default": "Lax" + ] } }, { "session_cookie_http_only": { - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." } }, { "session_cookie_secure": { "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "type": "boolean", - "required": false + "required": false, + "type": "boolean" } }, { "session_request_headers": { + "type": "set", "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", "required": false, - "type": "set", "elements": { "type": "string", "one_of": [ @@ -1441,9 +1449,9 @@ }, { "session_response_headers": { + "type": "set", "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", "required": false, - "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -1462,80 +1470,80 @@ "session_storage": { "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", "required": false, + "type": "string", + "default": "cookie", "one_of": [ "cookie", "memcache", "memcached", "redis" - ], - "type": "string", - "default": "cookie" + ] } }, { "session_store_metadata": { - "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject." } }, { "session_enforce_same_subject": { - "description": "When set to `true`, audiences are forced to share the same subject.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject." } }, { "session_hash_subject": { - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." } }, { "session_hash_storage_key": { - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." } }, { "session_memcached_prefix": { "description": "The memcached session key prefix.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "session_memcached_socket": { "description": "The memcached unix socket path.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "session_memcached_host": { - "description": "The memcached host.", - "type": "string", "required": false, - "default": "127.0.0.1" + "type": "string", + "default": "127.0.0.1", + "description": "The memcached host." } }, { "session_memcached_port": { - "description": "The memcached port.", "required": false, "between": [ 0, 65535 ], "type": "integer", - "default": 11211 + "default": 11211, + "description": "The memcached port." } }, { 
@@ -1543,115 +1551,117 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { "password": { "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", "type": "string", - "encrypted": true, - "referenceable": true + "referenceable": true, + "encrypted": true } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "type": "string", - "encrypted": true, - "referenceable": true + "referenceable": true, + "encrypted": true } }, { "database": { "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer", - "default": 0 + "default": 0, + "type": "integer" } }, { "keepalive_pool_size": { - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer", "between": [ 1, 2147483646 ], - "default": 256 + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer" } }, { "keepalive_backlog": { - "description": "Limits the total number of opened connections for a pool. 
If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { 
@@ -1667,158 +1677,129 @@ }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", "required": true, - "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "type": "string" } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", - "len_min": 1 + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "description": "A string representing a host name, such as example.com.", "required": true, - "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "type": "string" } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", - "len_min": 1 + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { - "description": "If set to true, uses SSL to connect to Redis.", - "required": false, "type": "boolean", - "default": false + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "required": false } }, { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, "type": "boolean", - "default": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "required": false } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", "required": false } }, { "cluster_max_redirections": { - "description": "Maximum retry attempts for redirection.", - "required": false, "type": "integer", - "default": 5 + "description": "Maximum retry attempts for redirection.", + "default": 5, + "required": false } }, { "connection_is_proxied": { - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "required": false, "type": "boolean", - "default": false + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "default": false, + "required": false } }, { "prefix": { "description": "The Redis session key prefix.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "socket": { "description": "The Redis unix socket path.", - "type": "string", - "required": false + "required": false, + "type": "string" } } ], + "required": true, "entity_checks": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } + "mutually_required": [ + "host", + "port" + ] }, { "mutually_required": [ @@ -1827,12 +1808,6 @@ "sentinel_nodes" ] }, - { - "mutually_required": [ - "host", - "port" - ] - }, { "mutually_required": [ "connect_timeout", 
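Review bot: The `entity_checks` list of the `redis` record no longer contains any of the three `mutually_exclusive_sets` entries, so on the new side nothing in this schema rejects a config that sets `sentinel_*` together with `cluster_nodes`, or either of them together with `host`/`port`. The removal presumably follows from the earlier hunk (`@@ -1543,115 +1551,117 @@`) giving `host` and `port` defaults of `127.0.0.1` and `6379`, which would otherwise always collide with the sentinel and cluster sets. Because this record decides where session data is stored, the `sentinel_nodes` and `cluster_nodes` descriptions should state which setting wins when several are present, for example `When set, the default host and port are ignored.` if that is what the plugin does. The file is pulled from the API, so the wording belongs in the upstream schema; the `redis` record itself starts before this hunk.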
@@ -1842,14 +1817,14 @@ }, { "conditional": { - "if_field": "connection_is_proxied", - "then_match": { - "required": true - }, "if_match": { "eq": true }, - "then_field": "host" + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } } }, { @@ -1880,14 +1855,13 @@ } } ], + "type": "record", "shorthand_fields": [ { "timeout": { - "type": "integer", - "translate_backwards": [ - "connect_timeout" - ], "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -1904,27 +1878,26 @@ "read_timeout" ] } - ], - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "sentinel_addresses": { "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ], - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } 
@@ -1933,55 +1906,52 @@ { "cluster_addresses": { "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ], - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } } } - ], - "required": true, - "type": "record" + ] } }, { "reverify": { - "description": "Specifies whether to always verify tokens stored in the session.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Specifies whether to always verify tokens stored in the session." } }, { "jwt_session_claim": { - "description": "The claim to match against the JWT session cookie.", - "type": "string", "required": false, - "default": "sid" + "type": "string", + "default": "sid", + "description": "The claim to match against the JWT session cookie." } }, { "jwt_session_cookie": { "description": "The name of the JWT session cookie.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "bearer_token_param_type": { - "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", - "required": false, + "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", "elements": { "type": "string", "one_of": [ 
@@ -1996,20 +1966,20 @@ "header", "query", "body" - ] + ], + "required": false } }, { "bearer_token_cookie_name": { "description": "The name of the cookie in which the bearer token is passed.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "client_credentials_param_type": { "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", - "required": false, "elements": { "type": "string", "one_of": [ @@ -2023,13 +1993,13 @@ "header", "query", "body" - ] + ], + "required": false } }, { "password_param_type": { "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", - "required": false, "elements": { "type": "string", "one_of": [ @@ -2043,13 +2013,13 @@ "header", "query", "body" - ] + ], + "required": false } }, { "id_token_param_type": { "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", - "required": false, "elements": { "type": "string", "one_of": [ @@ -2063,20 +2033,20 @@ "header", "query", "body" - ] + ], + "required": false } }, { "id_token_param_name": { "description": "The name of the parameter used to pass the id token.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "refresh_token_param_type": { "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", - "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2090,29 +2060,30 @@ "header", "query", "body" - ] + ], + "required": false } }, { "refresh_token_param_name": { "description": "The name of the parameter used to pass the refresh token.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "refresh_tokens": { - "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available." } }, { "upstream_headers_claims": { - "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "type": "array", "required": false, + "type": "array", + "description": "The upstream header claims. Only top level claims are supported.", "elements": { "type": "string" } @@ -2120,9 +2091,9 @@ }, { "upstream_headers_names": { - "description": "The upstream header names for the claim values.", - "type": "array", "required": false, + "type": "array", + "description": "The upstream header names for the claim values.", "elements": { "type": "string" } 
@@ -2130,80 +2101,80 @@ }, { "upstream_access_token_header": { - "description": "The upstream access token header.", - "type": "string", "required": false, - "default": "authorization:bearer" + "type": "string", + "default": "authorization:bearer", + "description": "The upstream access token header." } }, { "upstream_access_token_jwk_header": { "description": "The upstream access token JWK header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "upstream_id_token_header": { "description": "The upstream id token header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "upstream_id_token_jwk_header": { "description": "The upstream id token JWK header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "upstream_refresh_token_header": { "description": "The upstream refresh token header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "upstream_user_info_header": { "description": "The upstream user info header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "upstream_user_info_jwt_header": { "description": "The upstream user info JWT header (in case the user info returns a JWT response).", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "upstream_introspection_header": { "description": "The upstream introspection header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "upstream_introspection_jwt_header": { "description": "The upstream introspection JWT header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "upstream_session_id_header": { "description": "The upstream session id header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "downstream_headers_claims": { - "description": "The downstream header claims. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", - "type": "array", "required": false, + "type": "array", + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" } @@ -2211,9 +2182,9 @@ }, { "downstream_headers_names": { - "description": "The downstream header names for the claim values.", - "type": "array", "required": false, + "type": "array", + "description": "The downstream header names for the claim values.", "elements": { "type": "string" } 
@@ -2222,77 +2193,76 @@ { "downstream_access_token_header": { "description": "The downstream access token header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "downstream_access_token_jwk_header": { "description": "The downstream access token JWK header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "downstream_id_token_header": { "description": "The downstream id token header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "downstream_id_token_jwk_header": { "description": "The downstream id token JWK header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "downstream_refresh_token_header": { "description": "The downstream refresh token header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "downstream_user_info_header": { "description": "The downstream user info header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "downstream_user_info_jwt_header": { "description": "The downstream user info JWT header (in case the user info returns a JWT response).", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "downstream_introspection_header": { "description": "The downstream introspection header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "downstream_introspection_jwt_header": { "description": "The downstream introspection JWT header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "downstream_session_id_header": { "description": "The downstream session id header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "login_methods": { "description": "Enable login functionality with specified grants.", - "required": false, "elements": { "type": "string", "one_of": 
[ @@ -2310,26 +2280,26 @@ "type": "array", "default": [ "authorization_code" - ] + ], + "required": false } }, { "login_action": { "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", "required": false, + "type": "string", + "default": "upstream", "one_of": [ "upstream", "response", "redirect" - ], - "type": "string", - "default": "upstream" + ] } }, { "login_tokens": { "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", - "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2343,46 +2313,46 @@ "type": "array", "default": [ "id_token" - ] + ], + "required": false } }, { "login_redirect_mode": { "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", "required": false, + "type": "string", + "default": "fragment", "one_of": [ "query", "fragment" - ], - "type": "string", - "default": "fragment" + ] } }, { "logout_query_arg": { "description": "The request query argument that activates the logout.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "logout_post_arg": { - "description": "The request body argument that activates the logout.", - "type": "string", - "required": false + "description": "The request body argument that activates the logout.", + "required": false, + "type": "string" } }, { "logout_uri_suffix": { "description": "The request URI suffix that activates the logout.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "logout_methods": { "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", - "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2395,38 +2365,39 @@ "default": [ "POST", "DELETE" - ] + ], + "required": false } }, { "logout_revoke": { - "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters." } }, { "logout_revoke_access_token": { - "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`." } }, { "logout_revoke_refresh_token": { - "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`." } }, { "consumer_claim": { - "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "type": "array", "required": false, + "type": "array", + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" } 
@@ -2435,7 +2406,6 @@ { "consumer_by": { "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", - "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2448,89 +2418,89 @@ "default": [ "username", "custom_id" - ] + ], + "required": false } }, { "consumer_optional": { - "description": "Do not terminate the request if consumer mapping fails.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Do not terminate the request if consumer mapping fails." } }, { "credential_claim": { "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, "elements": { "type": "string" }, "type": "array", "default": [ "sub" - ] + ], + "required": false } }, { "anonymous": { "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "run_on_preflight": { - "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests." 
} }, { "leeway": { - "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", - "type": "number", "required": false, - "default": 0 + "type": "number", + "default": 0, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims" } }, { "verify_parameters": { - "description": "Verify plugin configuration against discovery.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Verify plugin configuration against discovery." } }, { "verify_nonce": { - "description": "Verify nonce on authorization code flow.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Verify nonce on authorization code flow." } }, { "verify_claims": { - "description": "Verify tokens for standard claims.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Verify tokens for standard claims." } }, { "verify_signature": { - "description": "Verify signature of tokens.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Verify signature of tokens." } }, { "ignore_signature": { "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", - "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2546,22 +2516,23 @@ "type": "array", "default": [ - ] + ], + "required": false } }, { "enable_hs_signatures": { - "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted)." } }, { "disable_session": { - "description": "Disable issuing the session cookie with the specified grants.", - "type": "array", "required": false, + "type": "array", + "description": "Disable issuing the session cookie with the specified grants.", "elements": { "type": "string", "one_of": [ 
@@ -2580,102 +2551,102 @@ }, { "cache_ttl": { - "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", - "type": "number", "required": false, - "default": 3600 + "type": "number", + "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry." } }, { "cache_ttl_max": { "description": "The maximum cache ttl in seconds (enforced).", - "type": "number", - "required": false + "required": false, + "type": "number" } }, { "cache_ttl_min": { "description": "The minimum cache ttl in seconds (enforced).", - "type": "number", - "required": false + "required": false, + "type": "number" } }, { "cache_ttl_neg": { "description": "The negative cache ttl in seconds.", - "type": "number", - "required": false + "required": false, + "type": "number" } }, { "cache_ttl_resurrect": { "description": "The resurrection ttl in seconds.", - "type": "number", - "required": false + "required": false, + "type": "number" } }, { "cache_tokens": { - "description": "Cache the token endpoint requests.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Cache the token endpoint requests." } }, { "cache_tokens_salt": { - "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", - "auto": true, + "required": false, "type": "string", - "required": false + "auto": true, + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." } }, { "cache_introspection": { - "description": "Cache the introspection endpoint requests.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Cache the introspection endpoint requests." 
} }, { "cache_token_exchange": { - "description": "Cache the token exchange endpoint requests.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Cache the token exchange endpoint requests." } }, { "cache_user_info": { - "description": "Cache the user info requests.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Cache the user info requests." } }, { "search_user_info": { - "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers." } }, { "hide_credentials": { - "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication." } }, { "http_version": { - "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", "required": false, "type": "number", - "default": 1.1 + "default": 1.1, + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0." } }, { 
@@ -2687,9 +2658,10 @@ }, { "http_proxy_authorization": { - "description": "The HTTP proxy authorization.", + "required": false, "type": "string", - "required": false + "referenceable": true, + "description": "The HTTP proxy authorization." } }, { 
@@ -2701,132 +2673,133 @@ }, { "https_proxy_authorization": { - "description": "The HTTPS proxy authorization.", + "required": false, "type": "string", - "required": false + "referenceable": true, + "description": "The HTTPS proxy authorization." } }, { "no_proxy": { "description": "Do not use proxy with these hosts.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "keepalive": { - "description": "Use keepalive with the HTTP client.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Use keepalive with the HTTP client." } }, { "ssl_verify": { - "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`." } }, { "timeout": { - "description": "Network IO timeout in milliseconds.", - "type": "number", "required": false, - "default": 10000 + "type": "number", + "default": 10000, + "description": "Network IO timeout in milliseconds." } }, { "display_errors": { - "description": "Display errors on failure responses.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Display errors on failure responses." } }, { "by_username_ignore_case": { - "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively." 
} }, { "resolve_distributed_claims": { - "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims." } }, { "expose_error_code": { - "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", "type": "boolean", - "default": true + "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable." } }, { "token_cache_key_include_scope": { - "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", "type": "boolean", - "default": false + "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens." } }, { "introspection_token_param_name": { - "description": "Designate token's parameter name for introspection.", - "type": "string", "required": false, - "default": "token" + "type": "string", + "default": "token", + "description": "Designate token's parameter name for introspection." 
} }, { "revocation_token_param_name": { - "description": "Designate token's parameter name for revocation.", - "type": "string", "required": false, - "default": "token" + "type": "string", + "default": "token", + "description": "Designate token's parameter name for revocation." } }, { "proof_of_possession_mtls": { "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", "required": false, + "type": "string", + "default": "off", "one_of": [ "off", "strict", "optional" - ], - "type": "string", - "default": "off" + ] } }, { "proof_of_possession_auth_methods_validation": { - "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP." 
} }, { "tls_client_auth_cert_id": { + "required": false, "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", - "auto": false, "type": "string", "uuid": true, - "required": false + "auto": false } }, { "tls_client_auth_ssl_verify": { - "description": "Verify identity provider server certificate during mTLS client authentication.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Verify identity provider server certificate during mTLS client authentication." } }, { 
@@ -2854,36 +2827,36 @@ "proof_of_possession_dpop": { "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", "required": false, + "type": "string", + "default": "off", "one_of": [ "off", "strict", "optional" - ], - "type": "string", - "default": "off" + ] } }, { "dpop_use_nonce": { - "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime." } }, { "dpop_proof_lifetime": { - "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", - "type": "number", "required": false, - "default": 300 + "type": "number", + "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise." } }, { "claims_forbidden": { - "description": "If given, these claims are forbidden in the token payload.", - "type": "array", "required": false, + "type": "array", + "description": "If given, these claims are forbidden in the token payload.", "elements": { "type": "string" } 
@@ -2893,12 +2866,12 @@ "cluster_cache_strategy": { "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", "required": false, + "type": "string", + "default": "off", "one_of": [ "off", "redis" - ], - "type": "string", - "default": "off" + ] } }, { 
@@ -2906,58 +2879,60 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { 
@@ -2971,8 +2946,8 @@ { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { 
@@ -2986,29 +2961,29 @@ { "database": { "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer", - "default": 0 + "default": 0, + "type": "integer" } }, { "keepalive_pool_size": { - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer", "between": [ 1, 2147483646 ], - "default": 256 + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer" } }, { "keepalive_backlog": { - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { 
@@ -3019,155 +2994,126 @@ }, { "sentinel_role": { - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_nodes": { "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "required": false, "elements": { "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", + "required": false, "len_min": 1 } }, { "cluster_nodes": { "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", - "required": false, "elements": { "fields": [ { "ip": { - "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", + "required": false, "len_min": 1 } }, { "ssl": { - "description": "If set to true, uses SSL to connect to Redis.", "required": false, - "type": "boolean", - "default": false + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "type": "boolean" } }, { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, - "type": "boolean", - "default": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string", "required": false, - "type": "string" + "description": "A string representing an SNI (server name indication) value for TLS." 
} }, { "cluster_max_redirections": { - "description": "Maximum retry attempts for redirection.", "required": false, - "type": "integer", - "default": 5 + "description": "Maximum retry attempts for redirection.", + "default": 5, + "type": "integer" } }, { "connection_is_proxied": { - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "required": false, - "type": "boolean", - "default": false + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "default": false, + "type": "boolean" } } ], + "required": true, "entity_checks": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } + "mutually_required": [ + "host", + "port" + ] }, { "mutually_required": [ @@ -3176,12 +3122,6 @@ "sentinel_nodes" ] }, - { - "mutually_required": [ - "host", - "port" - ] - }, { "mutually_required": [ "connect_timeout", @@ -3191,11 +3131,11 @@ }, { "conditional": { - "if_field": "connection_is_proxied", "if_match": { "eq": true }, "then_field": "host", + "if_field": "connection_is_proxied", "then_match": { "required": true } @@ -3233,11 +3173,9 @@ "shorthand_fields": [ { "timeout": { - "type": "integer", - "translate_backwards": [ - "connect_timeout" - ], "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
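Review bot: The `entity_checks` list in this hunk loses all three `mutually_exclusive_sets` entries, so the schema no longer rejects a Redis block that sets `host`/`port` together with the `sentinel_*` fields or `cluster_nodes`. This presumably follows from the new `host` default `127.0.0.1` and `port` default `6379` added in the preceding hunk, but no description now says which connection mode is used when several are present. I would state that in the `sentinel_nodes` and `cluster_nodes` descriptions, for example `When set, host and port are ignored.`, after confirming it against the gateway's behaviour. In the same hunk `cluster_nodes.ip` still carries the host-name text (`such as example.com`), and the `ssl_verify` description could add that its default `false` leaves the Redis server certificate unchecked even when `ssl` is `true`.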
@@ -3254,27 +3192,26 @@ "read_timeout" ] } - ], - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "sentinel_addresses": { "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ], - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } @@ -3283,28 +3220,29 @@ { "cluster_addresses": { "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ], - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } } } - ], - "required": true + ] } } - ] + ], + "type": "record", + "description": "openid-connect plugin configuration." } } ], @@ -3313,9 +3251,12 @@ } } ], + "description": "The map of v2 strategies.", + "type": "record", "default": [ - ] + ], + "required": false } } ], @@ -3326,8 +3267,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/ldap-auth-advanced/3.9.x.json b/schemas/ldap-auth-advanced/3.9.x.json index 34b7b64a..9f83e8d3 100644 --- a/schemas/ldap-auth-advanced/3.9.x.json +++ b/schemas/ldap-auth-advanced/3.9.x.json @@ -1,7 +1,18 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { + "type": "set", + "required": true, "default": [ "grpc", "grpcs", 
@@ -10,8 +21,6 @@ "ws", "wss" ], - "required": true, - "type": "set", "elements": { "type": "string", "one_of": [ @@ -28,16 +37,16 @@ { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -47,125 +56,124 @@ { "ldap_host": { "description": "Host on which the LDAP server is running.", - "type": "string", - "required": true + "required": true, + "type": "string" } }, { "ldap_password": { "description": "The password to the LDAP server.", "type": "string", - "encrypted": true, - "referenceable": true + "referenceable": true, + "encrypted": true } }, { "ldap_port": { - "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", "type": "number", - "default": 389 + "default": 389, + "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636." } }, { "bind_dn": { - "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", "type": "string", - "referenceable": true + "referenceable": true, + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated." } }, { "ldaps": { - "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", - "type": "boolean", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled." 
} }, { "start_tls": { - "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", - "type": "boolean", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled." } }, { "verify_ldap_host": { - "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", - "type": "boolean", "required": true, - "default": false + "type": "boolean", + "default": false, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive." } }, { "base_dn": { "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", - "type": "string", - "required": true + "required": true, + "type": "string" } }, { "attribute": { "description": "Attribute to be used to search the user; e.g., \"cn\".", - "type": "string", - "required": true + "required": true, + "type": "string" } }, { "cache_ttl": { - "description": "Cache expiry time in seconds.", - "type": "number", "required": true, - "default": 60 + "type": "number", + "default": 60, + "description": "Cache expiry time in seconds." } }, { "hide_credentials": { - "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", "type": "boolean", - "default": false + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. 
It will be removed by Kong before proxying the request." } }, { "timeout": { - "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", "type": "number", - "default": 10000 + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server." } }, { "keepalive": { - "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", "type": "number", - "default": 60000 + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed." } }, { "anonymous": { "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "type": "string", - "len_min": 0, - "default": "" + "default": "", + "len_min": 0 } }, { "header_type": { - "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", "type": "string", - "default": "ldap" + "default": "ldap", + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`." 
} }, { "consumer_optional": { - "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user." } }, { "consumer_by": { - "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", "required": false, "elements": { "type": "string", 
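Review bot: The transport descriptions in this hunk never say what the defaults mean together: `ldaps`, `start_tls` and `verify_ldap_host` all default to `false`, so an unmodified configuration sends the bind DN, `ldap_password` and user credentials to the LDAP server without TLS and without checking the server certificate. I would append to the `verify_ldap_host` description `With the default false the server certificate is not validated, so enabling ldaps or start_tls alone does not authenticate the server.` and add a matching sentence on cleartext transport to `ldaps`. The `ldaps` description also refers to a setting that is not in the schema (`If the `ldap` setting is enabled`); it should read `ldaps`. The same wording and the same three `false` defaults appear in the `schemas/ldap-auth/3.9.x.json` hunk further down.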
@@ -178,41 +186,42 @@ "default": [ "username", "custom_id" - ] + ], + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both." } }, { "group_base_dn": { - "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", - "type": "string" + "type": "string", + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'." } }, { "group_name_attribute": { - "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", - "type": "string" + "type": "string", + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive." } }, { "group_member_attribute": { - "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive.", "type": "string", - "default": "memberOf" + "default": "memberOf", + "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive." } }, { "log_search_results": { - "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment." } }, { "groups_required": { - "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. 
- When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", "type": "array", "required": false, + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", "elements": { "type": "string" } @@ -221,8 +230,8 @@ { "realm": { "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", - "type": "string", - "required": false + "required": false, + "type": "string" } } ], @@ -230,14 +239,5 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/ldap-auth/3.9.x.json b/schemas/ldap-auth/3.9.x.json index 109c2af9..0eeec567 100644 --- a/schemas/ldap-auth/3.9.x.json +++ b/schemas/ldap-auth/3.9.x.json @@ -1,15 +1,20 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, "default": [ "grpc", "grpcs", @@ -18,8 +23,6 @@ "ws", "wss" ], - "required": true, - "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -36,8 +39,8 @@ { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -46,109 +49,109 @@ "fields": [ { "ldap_host": { - "description": "A string representing a host name, such as example.com.", + "type": "string", "required": true, - "type": "string" + "description": "A string representing a host name, such as example.com." } }, { "ldap_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true, "between": [ 0, 65535 ], "type": "integer", - "default": 389 + "default": 389, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "ldaps": { - "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", - "required": true, "type": "boolean", - "default": false + "required": true, + "default": false, + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled." } }, { "start_tls": { - "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", - "required": true, "type": "boolean", - "default": false + "required": true, + "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled." } }, { "verify_ldap_host": { - "description": "Set to `true` to authenticate LDAP server. 
The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", - "required": true, "type": "boolean", - "default": false + "required": true, + "default": false, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive." } }, { "base_dn": { "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "attribute": { "description": "Attribute to be used to search the user; e.g. cn", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "cache_ttl": { - "description": "Cache expiry time in seconds.", - "required": true, "type": "number", - "default": 60 + "required": true, + "default": 60, + "description": "Cache expiry time in seconds." } }, { "hide_credentials": { - "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", - "required": true, "type": "boolean", - "default": false + "required": true, + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request." } }, { "timeout": { - "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", "type": "number", - "default": 10000 + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server." 
} }, { "keepalive": { - "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", "type": "number", - "default": 60000 + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed." } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`.", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`." } }, { "header_type": { - "description": "An optional string to use as part of the Authorization header", "type": "string", - "default": "ldap" + "default": "ldap", + "description": "An optional string to use as part of the Authorization header" } }, { "realm": { "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", - "required": false, - "type": "string" + "type": "string", + "required": false } } ], @@ -156,12 +159,12 @@ "entity_checks": [ { "conditional": { - "then_field": "start_tls", - "if_field": "ldaps", "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", "if_match": { "eq": true }, + "then_field": "start_tls", + "if_field": "ldaps", "then_match": { "eq": false } @@ -171,8 +174,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/loggly/3.9.x.json b/schemas/loggly/3.9.x.json index a9bae72c..115b27b8 100644 --- a/schemas/loggly/3.9.x.json +++ b/schemas/loggly/3.9.x.json 
@@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -26,14 +28,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -42,27 +45,27 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", "type": "string", - "default": "logs-01.loggly.com" + "default": "logs-01.loggly.com", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 514 + "type": "integer", + "default": 514, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "key": { - "referenceable": true, - "required": true, "type": "string", + "required": true, + "referenceable": true, "encrypted": true } }, @@ -154,11 +157,11 @@ "len_min": 1 }, "type": "map", + "description": "Lua code as a key-value map", "values": { - "type": "string", - "len_min": 1 - }, - "description": "Lua code as a key-value map" + "len_min": 1, + "type": "string" + } } } ], @@ -166,8 +169,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/mocking/3.9.x.json b/schemas/mocking/3.9.x.json index 1901c745..1a637a5f 100644 --- a/schemas/mocking/3.9.x.json +++ b/schemas/mocking/3.9.x.json 
@@ -1,8 +1,15 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.api_specification_filename", + "config.api_specification" + ] + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,14 +26,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -35,44 +43,44 @@ "fields": [ { "api_specification_filename": { - "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", "required": false, - "type": "string" + "type": "string", + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode." } }, { "api_specification": { "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "random_delay": { "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "max_delay_time": { "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", - "type": "number", - "default": 1 + "default": 1, + "type": "number" } }, { "min_delay_time": { "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`.", - "type": "number", - "default": 0.001 + "default": 0.001, + "type": "number" } }, { "random_examples": { "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { 
@@ -86,32 +94,32 @@ }, { "random_status_code": { - "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", - "required": true, "type": "boolean", - "default": false + "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", + "default": false, + "required": true } }, { "include_base_path": { - "description": "Indicates whether to include the base path when performing path match evaluation.", - "required": true, "type": "boolean", - "default": false + "description": "Indicates whether to include the base path when performing path match evaluation.", + "default": false, + "required": true } }, { "custom_base_path": { "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", - "required": false, - "starts_with": "/", - "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ] + ], + "starts_with": "/", + "type": "string", + "required": false } } ], @@ -119,13 +127,5 @@ "required": true } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.api_specification_filename", - "config.api_specification" - ] - } ] } \ No newline at end of file diff --git a/schemas/mtls-auth/3.9.x.json b/schemas/mtls-auth/3.9.x.json index 8def91e2..5a1a0595 100644 --- a/schemas/mtls-auth/3.9.x.json +++ b/schemas/mtls-auth/3.9.x.json 
@@ -1,16 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -27,14 +29,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -43,13 +46,12 @@ "fields": [ { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { "consumer_by": { - "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", "required": false, "elements": { "type": "string", @@ -62,7 +64,8 @@ "default": [ "username", "custom_id" - ] + ], + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled." } }, { 
@@ -71,8 +74,8 @@ "required": true, "type": "array", "elements": { - "type": "string", - "uuid": true + "uuid": true, + "type": "string" } } }, 
@@ -80,76 +83,76 @@ "cache_ttl": { "description": "Cache expiry time in seconds.", "required": true, - "type": "number", - "default": 60 + "default": 60, + "type": "number" } }, { "skip_consumer_lookup": { "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", "required": true, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "allow_partial_chain": { "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", "required": true, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "authenticated_group_by": { "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "required": false, + "type": "string", + "default": "CN", "one_of": [ "CN", "DN" - ], - "type": "string", - "default": "CN" + ] } }, { "revocation_check_mode": { "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. 
If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "required": false, + "type": "string", + "default": "IGNORE_CA_ERROR", "one_of": [ "SKIP", "IGNORE_CA_ERROR", "STRICT" - ], - "type": "string", - "default": "IGNORE_CA_ERROR" + ] } }, { "http_timeout": { - "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", "type": "number", - "default": 30000 + "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL." } }, { "cert_cache_ttl": { - "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", "type": "number", - "default": 60000 + "default": 60000, + "description": "The length of time in seconds between refreshes of the revocation check status cache." } }, { "send_ca_dn": { - "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", "type": "boolean", - "default": false + "default": false, + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message." } }, { "default_consumer": { - "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "type": "string" + "type": "string", + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { 
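Review bot: The `cert_cache_ttl` description changes from milliseconds to seconds while its default stays `60000`, so the schema now documents a revocation-status cache of roughly 16.7 hours. The adjacent `http_timeout` (default `30000`) is still described in milliseconds. Which unit the plugin actually applies is not visible in this diff, so it should be confirmed against the plugin code before this text ships. If the value is milliseconds, the previous wording `"The length of time in milliseconds between refreshes of the revocation check status cache."` should be kept; if it is seconds, the description should say that the default leaves a certificate's cached revocation status unrefreshed for hours. The file is pulled from the API, so the correction belongs in the upstream schema.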
@@ -160,12 +163,12 @@ }, { "http_proxy_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { @@ -176,12 +179,12 @@ }, { "https_proxy_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], @@ -203,8 +206,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/oas-validation/3.9.x.json b/schemas/oas-validation/3.9.x.json index 307e1a6d..ec989a51 100644 --- a/schemas/oas-validation/3.9.x.json +++ b/schemas/oas-validation/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,14 +21,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -35,127 +38,127 @@ "fields": [ { "api_spec": { + "type": "string", "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format.", - "required": true, - "type": "string" + "required": true } }, { "verbose_response": { - "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", - "type": "boolean", "required": false, - "default": false + "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", + "default": false, + "type": "boolean" } }, { "validate_request_body": { - "description": "If set to true, validates the request body content against the API specification.", - "type": "boolean", "required": false, - "default": true + "description": "If set to true, validates the request body content against the API specification.", + "default": true, + "type": "boolean" } }, { "notify_only_request_validation_failure": { - "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", - "type": "boolean", "required": false, - "default": false + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", + "default": false, + "type": "boolean" } }, { "validate_request_header_params": { - "description": "If set to true, validates HTTP header parameters against the API specification.", - "type": "boolean", "required": false, - "default": true + "description": "If set to true, validates HTTP header parameters against the API specification.", + "default": true, + "type": "boolean" } }, { "validate_request_query_params": { - "description": "If set to true, validates query parameters against the API specification.", - 
"type": "boolean", "required": false, - "default": true + "description": "If set to true, validates query parameters against the API specification.", + "default": true, + "type": "boolean" } }, { "validate_request_uri_params": { - "description": "If set to true, validates URI parameters in the request against the API specification.", - "type": "boolean", "required": false, - "default": true + "description": "If set to true, validates URI parameters in the request against the API specification.", + "default": true, + "type": "boolean" } }, { "validate_response_body": { - "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", - "type": "boolean", "required": false, - "default": false + "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", + "default": false, + "type": "boolean" } }, { "notify_only_response_body_validation_failure": { - "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", - "type": "boolean", "required": false, - "default": false + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", + "default": false, + "type": "boolean" } }, { "query_parameter_check": { - "description": "If set to true, checks if query parameters in the request exist in the API specification.", - "type": "boolean", "required": true, - "default": false + "description": "If set to true, checks if query parameters in the request exist in the API specification.", + "default": false, + "type": "boolean" } }, { "header_parameter_check": { - "description": "If set to true, checks if HTTP header parameters in the request exist in the API 
specification.", - "type": "boolean", "required": true, - "default": false + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", + "default": false, + "type": "boolean" } }, { "allowed_header_parameters": { - "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", - "type": "string", "required": false, - "default": "Host,Content-Type,User-Agent,Accept,Content-Length" + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", + "default": "Host,Content-Type,User-Agent,Accept,Content-Length", + "type": "string" } }, { "include_base_path": { - "description": "Indicates whether to include the base path when performing path match evaluation.", - "type": "boolean", "required": true, - "default": false + "description": "Indicates whether to include the base path when performing path match evaluation.", + "default": false, + "type": "boolean" } }, { "api_spec_encoded": { - "description": "Indicates whether the api_spec is URI-Encoded.", - "type": "boolean", "required": true, - "default": true + "description": "Indicates whether the api_spec is URI-Encoded.", + "default": true, + "type": "boolean" } }, { "custom_base_path": { "description": "The base path to be used for path match evaluation. 
This value is ignored if `include_base_path` is set to `false`.", - "required": false, - "starts_with": "/", - "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ] + ], + "starts_with": "/", + "type": "string", + "required": false } } ], @@ -163,8 +166,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/oauth2-introspection/3.9.x.json b/schemas/oauth2-introspection/3.9.x.json index 95956e5b..5e7fac0d 100644 --- a/schemas/oauth2-introspection/3.9.x.json +++ b/schemas/oauth2-introspection/3.9.x.json @@ -1,16 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -27,14 +29,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -43,16 +46,16 @@ "fields": [ { "introspection_url": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string", "required": true, - "type": "string" + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "ttl": { "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", - "type": "number", - "default": 30 + "default": 30, + "type": "number" } }, { 
@@ -63,73 +66,72 @@ }, { "authorization_value": { - "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", "required": true, - "type": "string", "referenceable": true, + "type": "string", + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", "encrypted": true } }, { "timeout": { "description": "An optional timeout in milliseconds when sending data to the upstream server.", - "type": "integer", - "default": 10000 + "default": 10000, + "type": "integer" } }, { "keepalive": { "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", - "type": "integer", - "default": 60000 + "default": 60000, + "type": "integer" } }, { "introspect_request": { - "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", "required": true, - "type": "boolean", - "default": false + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", + "default": false, + "type": "boolean" } }, { "hide_credentials": { "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. 
It will be removed by Kong before proxying the request.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "run_on_preflight": { "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "len_min": 0, "type": "string", - "default": "" + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "default": "", + "len_min": 0 } }, { "consumer_by": { "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", "required": true, + "type": "string", + "default": "username", "one_of": [ "username", "client_id" - ], - "type": "string", - "default": "username" + ] } }, { "custom_introspection_headers": { "description": "A list of custom headers to be added in the introspection request.", - "required": true, "values": { "type": "string" }, 
@@ -139,12 +141,12 @@ "type": "map", "default": [ - ] + ], + "required": true } }, { "custom_claims_forward": { - "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", "required": true, "elements": { "type": "string" @@ -152,7 +154,8 @@ "type": "set", "default": [ - ] + ], + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`." } } ], @@ -160,8 +163,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/oauth2/3.9.x.json b/schemas/oauth2/3.9.x.json index 4ae42794..dab713dd 100644 --- a/schemas/oauth2/3.9.x.json +++ b/schemas/oauth2/3.9.x.json @@ -1,15 +1,20 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, "default": [ "grpc", "grpcs", @@ -18,8 +23,6 @@ "ws", "wss" ], - "required": true, - "type": "set", "elements": { "type": "string", "one_of": [ @@ -36,8 +39,8 @@ { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -46,8 +49,8 @@ "fields": [ { "scopes": { - "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", "type": "array", + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", "elements": { "type": "string" } 
@@ -56,75 +59,75 @@ { "mandatory_scope": { "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", - "required": true, "type": "boolean", - "default": false + "default": false, + "required": true } }, { "provision_key": { - "description": "The unique key the plugin has generated when it has been added to the Service.", "required": true, - "unique": true, "type": "string", + "description": "The unique key the plugin has generated when it has been added to the Service.", "auto": true, + "unique": true, "encrypted": true } }, { "token_expiration": { "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration.", - "required": true, "type": "number", - "default": 7200 + "default": 7200, + "required": true } }, { "enable_authorization_code": { "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", - "required": true, "type": "boolean", - "default": false + "default": false, + "required": true } }, { "enable_implicit_grant": { "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", - "required": true, "type": "boolean", - "default": false + "default": false, + "required": true } }, { "enable_client_credentials": { "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", - "required": true, "type": "boolean", - "default": false + "default": false, + "required": true } }, { "enable_password_grant": { "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", - "required": true, "type": "boolean", - "default": false + "default": false, + "required": true } }, { 
"hide_credentials": { "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", - "required": true, "type": "boolean", - "default": false + "default": false, + "required": true } }, { "accept_http_if_already_terminated": { "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", - "required": true, "type": "boolean", - "default": false + "default": false, + "required": true } }, { 
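Review bot: The grant-flow descriptions in this hunk cite `RFC 6742`, but OAuth 2.0 is RFC 6749, whose Sections 4.1 to 4.4 define the authorization code, implicit, resource owner password credentials and client credentials grants. The wrong number appears in `enable_authorization_code`, `enable_implicit_grant`, `enable_client_credentials` and `enable_password_grant`, and each should read like `... Authorization Code flow (RFC 6749 Section 4.1).` These are unchanged context lines in a schema downloaded from the API, so the fix belongs upstream. Separately, the `accept_http_if_already_terminated` description does not say when the option is safe to enable; presumably that is only when the gateway is reachable solely through the terminating proxy, and a sentence to that effect would help operators.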
@@ -136,86 +139,83 @@ { "global_credentials": { "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", - "required": true, "type": "boolean", - "default": false + "default": false, + "required": true } }, { "auth_header_name": { - "description": "The name of the header that is supposed to carry the access token.", "type": "string", - "default": "authorization" + "default": "authorization", + "description": "The name of the header that is supposed to carry the access token." } }, { "refresh_token_ttl": { - "description": "Time-to-live value for data", "required": true, "between": [ 0, 100000000 ], "type": "number", - "default": 1209600 + "default": 1209600, + "description": "Time-to-live value for data" } }, { "reuse_refresh_token": { "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", - "required": true, "type": "boolean", - "default": false + "default": false, + "required": true } }, { "persistent_refresh_token": { "type": "boolean", - "required": true, - "default": false + "default": false, + "required": true } }, { "pkce": { - "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", "required": false, + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", + "type": "string", + "default": "lax", "one_of": [ "none", "lax", "strict" - ], - "type": "string", - "default": "lax" + ] } }, { "realm": { - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "required": false, + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "type": "string" } } ], + "required": true, "entity_checks": [ 
{ "conditional": { - "if_field": "mandatory_scope", "if_match": { "eq": true }, "then_field": "scopes", + "if_field": "mandatory_scope", "then_match": { "required": true } } } ], - "required": true, "type": "record" } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/opa/3.9.x.json b/schemas/opa/3.9.x.json index e23d2064..dc667be3 100644 --- a/schemas/opa/3.9.x.json +++ b/schemas/opa/3.9.x.json @@ -1,16 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -27,14 +29,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -54,85 +57,85 @@ }, { "opa_host": { - "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string", - "default": "localhost" + "description": "A string representing a host name, such as example.com.", + "default": "localhost", + "required": true } }, { "opa_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true, "between": [ 0, 65535 ], "type": "integer", - "default": 8181 + "default": 8181, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "opa_path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "required": true, "starts_with": "/", "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "required": true } }, { "include_service_in_opa_input": { - "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", "type": "boolean", - "default": false + "default": false, + "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA." } }, { "include_route_in_opa_input": { - "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", "type": "boolean", - "default": false + "default": false, + "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA." 
} }, { "include_consumer_in_opa_input": { - "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", "type": "boolean", - "default": false + "default": false, + "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA." } }, { "include_body_in_opa_input": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "include_parsed_json_body_in_opa_input": { - "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", "type": "boolean", - "default": false + "default": false, + "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA." } }, { "include_uri_captures_in_opa_input": { - "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", "type": "boolean", - "default": false + "default": false, + "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA." } }, { "ssl_verify": { "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", "type": "boolean", - "required": true, - "default": true + "default": true, + "required": true } } ], @@ -140,8 +143,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/openid-connect/3.9.x.json b/schemas/openid-connect/3.9.x.json index de68751a..eebba972 100644 --- a/schemas/openid-connect/3.9.x.json 
+++ b/schemas/openid-connect/3.9.x.json @@ -1,16 +1,24 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -27,14 +35,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -50,17 +59,17 @@ }, { "using_pseudo_issuer": { - "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`." } }, { "discovery_headers_names": { - "description": "Extra header names passed to the discovery endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra header names passed to the discovery endpoint.", "elements": { "type": "string" } @@ -68,9 +77,9 @@ }, { "discovery_headers_values": { - "description": "Extra header values passed to the discovery endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra header values passed to the discovery endpoint.", "elements": { "type": "string" } 
@@ -78,9 +87,9 @@ }, { "extra_jwks_uris": { - "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", - "type": "set", "required": false, + "type": "set", + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" @@ -89,16 +98,15 @@ }, { "rediscovery_lifetime": { - "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", - "type": "number", "required": false, - "default": 30 + "type": "number", + "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis." } }, { "auth_methods": { "description": "Types of credentials/grants to enable.", - "required": false, "elements": { "type": "string", "one_of": [ 
@@ -124,38 +132,39 @@ "kong_oauth2", "refresh_token", "session" - ] + ], + "required": false } }, { "client_id": { - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", "required": false, "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, "type": "array", + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", "encrypted": true } }, { "client_secret": { - "description": "The client secret.", "required": false, "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, "type": "array", + "description": "The client secret.", "encrypted": true } }, { "client_auth": { - "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", - "type": "array", "required": false, + "type": "array", + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", "elements": { "type": "string", "one_of": [ 
@@ -172,27 +181,27 @@ }, { "client_jwk": { - "description": "The JWK used for the private_key_jwt authentication.", - "type": "array", "required": false, + "type": "array", + "description": "The JWK used for the private_key_jwt authentication.", "elements": { "fields": [ { "issuer": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "kty": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "use": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -200,27 +209,27 @@ "required": false, "type": "array", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "alg": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "kid": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "x5u": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { 
@@ -228,131 +237,131 @@ "required": false, "type": "array", "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false } } }, { "x5t": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "x5t#S256": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "k": { - "encrypted": true, - "required": false, "type": "string", - "referenceable": true + "required": false, + "referenceable": true, + "encrypted": true } }, { "x": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "y": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "crv": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "n": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "e": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "d": { - "encrypted": true, - "required": false, "type": "string", - "referenceable": true + "required": false, + "referenceable": true, + "encrypted": true } }, { "p": { - "encrypted": true, - "required": false, "type": "string", - "referenceable": true + "required": false, + "referenceable": true, + "encrypted": true } }, { "q": { - "encrypted": true, - "required": false, "type": "string", - "referenceable": true + "required": false, + "referenceable": true, + "encrypted": true } }, { "dp": { - "encrypted": true, - "required": false, "type": "string", - "referenceable": true + "required": false, + "referenceable": true, + "encrypted": true } }, { "dq": { - "encrypted": true, - "required": false, "type": "string", - "referenceable": true + "required": false, + "referenceable": true, + "encrypted": true } }, { "qi": { - "encrypted": true, - "required": false, "type": "string", - "referenceable": true + "required": false, + "referenceable": true, + "encrypted": true } }, { "oth": { - 
"encrypted": true, - "required": false, "type": "string", - "referenceable": true + "required": false, + "referenceable": true, + "encrypted": true } }, { "r": { - "encrypted": true, - "required": false, "type": "string", - "referenceable": true + "required": false, + "referenceable": true, + "encrypted": true } }, { "t": { - "encrypted": true, - "required": false, "type": "string", - "referenceable": true + "required": false, + "referenceable": true, + "encrypted": true } } ], @@ -363,9 +372,9 @@ }, { "client_alg": { - "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", - "type": "array", "required": false, + "type": "array", + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", "elements": { "type": "string", "one_of": [ @@ -388,17 +397,17 @@ }, { "client_arg": { - "description": "The client to use for this request (the selection is made with a request parameter with the same name).", - "type": "string", "required": false, - "default": "client_id" + "type": "string", + "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name)." } }, { "redirect_uri": { - "description": "The redirect URI passed to the authorization and token endpoints.", - "type": "array", "required": false, + "type": "array", + "description": "The redirect URI passed to the authorization and token endpoints.", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" 
@@ -407,33 +416,33 @@ }, { "login_redirect_uri": { - "description": "Where to redirect the client when `login_action` is set to `redirect`.", - "type": "array", "required": false, + "type": "array", + "description": "Where to redirect the client when `login_action` is set to `redirect`.", "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", - "referenceable": true + "referenceable": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } } }, { "logout_redirect_uri": { - "description": "Where to redirect the client after the logout.", - "type": "array", "required": false, + "type": "array", + "description": "Where to redirect the client after the logout.", "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", - "referenceable": true + "referenceable": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } } }, { "forbidden_redirect_uri": { - "description": "Where to redirect the client on forbidden requests.", - "type": "array", "required": false, + "type": "array", + "description": "Where to redirect the client on forbidden requests.", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" 
@@ -442,33 +451,33 @@ }, { "forbidden_error_message": { - "description": "The error message for the forbidden requests (when not using the redirection).", - "type": "string", "required": false, - "default": "Forbidden" + "type": "string", + "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection)." } }, { "forbidden_destroy_session": { - "description": "Destroy any active session for the forbidden requests.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Destroy any active session for the forbidden requests." } }, { "unauthorized_destroy_session": { - "description": "Destroy any active session for the unauthorized requests.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Destroy any active session for the unauthorized requests." } }, { "unauthorized_redirect_uri": { - "description": "Where to redirect the client on unauthorized requests.", - "type": "array", "required": false, + "type": "array", + "description": "Where to redirect the client on unauthorized requests.", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" 
@@ -477,17 +486,17 @@ }, { "unauthorized_error_message": { - "description": "The error message for the unauthorized requests (when not using the redirection).", - "type": "string", "required": false, - "default": "Unauthorized" + "type": "string", + "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection)." } }, { "unexpected_redirect_uri": { - "description": "Where to redirect the client when unexpected errors happen with the requests.", - "type": "array", "required": false, + "type": "array", + "description": "Where to redirect the client when unexpected errors happen with the requests.", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" @@ -498,6 +507,8 @@ "response_mode": { "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", "required": false, + "type": "string", + "default": "query", "one_of": [ "query", "form_post", 
@@ -506,43 +517,41 @@ "form_post.jwt", "fragment.jwt", "jwt" - ], - "type": "string", - "default": "query" + ] } }, { "response_type": { "description": "The response type passed to the authorization endpoint.", - "required": false, "elements": { "type": "string" }, "type": "array", "default": [ "code" - ] + ], + "required": false } }, { "scopes": { "description": "The scopes passed to the authorization and token endpoints.", - "required": false, "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, "type": "array", "default": [ "openid" - ] + ], + "required": false } }, { "audience": { - "description": "The audience passed to the authorization endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "The audience passed to the authorization endpoint.", "elements": { "type": "string" } @@ -550,9 +559,9 @@ }, { "issuers_allowed": { - "description": "The issuers allowed to be present in the tokens (`iss` claim).", - "type": "array", "required": false, + "type": "array", + "description": "The issuers allowed to be present in the tokens (`iss` claim).", "elements": { "type": "string" } @@ -560,9 +569,9 @@ }, { "scopes_required": { - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "type": "array", "required": false, + "type": "array", + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" } 
@@ -571,21 +580,21 @@ { "scopes_claim": { "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, "elements": { "type": "string" }, "type": "array", "default": [ "scope" - ] + ], + "required": false } }, { "audience_required": { - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "type": "array", "required": false, + "type": "array", + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" } @@ -594,21 +603,21 @@ { "audience_claim": { "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, "elements": { "type": "string" }, "type": "array", "default": [ "aud" - ] + ], + "required": false } }, { "groups_required": { - "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "type": "array", "required": false, + "type": "array", + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" } 
@@ -617,21 +626,21 @@ { "groups_claim": { "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, "elements": { "type": "string" }, "type": "array", "default": [ "groups" - ] + ], + "required": false } }, { "roles_required": { - "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "type": "array", "required": false, + "type": "array", + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" } @@ -640,21 +649,21 @@ { "roles_claim": { "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, "elements": { "type": "string" }, "type": "array", "default": [ "roles" - ] + ], + "required": false } }, { "domains": { - "description": "The allowed values for the `hd` claim.", - "type": "array", "required": false, + "type": "array", + "description": "The allowed values for the `hd` claim.", "elements": { "type": "string" } 
@@ -663,15 +672,15 @@ { "max_age": { "description": "The maximum age (in seconds) compared to the `auth_time` claim.", - "type": "number", - "required": false + "required": false, + "type": "number" } }, { "authenticated_groups_claim": { - "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "type": "array", "required": false, + "type": "array", + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" } @@ -686,9 +695,9 @@ }, { "pushed_authorization_request_endpoint_auth_method": { - "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", - "type": "string", "required": false, + "type": "string", + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -703,22 +712,22 @@ { "require_pushed_authorization_requests": { "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", - "type": "boolean", - "required": false + "required": false, + "type": "boolean" } }, { "require_proof_key_for_code_exchange": { "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", - "type": "boolean", - "required": false + "required": false, + "type": "boolean" } }, { "require_signed_request_object": { "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", - "type": "boolean", - "required": false + "required": false, + "type": "boolean" } }, { @@ -730,9 +739,9 @@ }, { "authorization_query_args_names": { - "description": "Extra query argument names passed to the authorization endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra query argument names passed to the authorization endpoint.", "elements": { "type": "string" } @@ -740,9 +749,9 @@ }, { "authorization_query_args_values": { - "description": "Extra query argument values passed to the authorization endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra query argument values passed to the authorization endpoint.", "elements": { "type": "string" } 
@@ -750,9 +759,9 @@ }, { "authorization_query_args_client": { - "description": "Extra query arguments passed from the client to the authorization endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra query arguments passed from the client to the authorization endpoint.", "elements": { "type": "string" } 
@@ -760,77 +769,77 @@ }, { "authorization_rolling_timeout": { - "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", - "type": "number", "required": false, - "default": 600 + "type": "number", + "default": 600, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." } }, { "authorization_cookie_name": { - "description": "The authorization cookie name.", - "type": "string", "required": false, - "default": "authorization" + "type": "string", + "default": "authorization", + "description": "The authorization cookie name." } }, { "authorization_cookie_path": { - "description": "The authorization cookie Path flag.", "required": false, - "starts_with": "/", - "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "default": "/" + "starts_with": "/", + "type": "string", + "default": "/", + "description": "The authorization cookie Path flag." 
} }, { "authorization_cookie_domain": { "description": "The authorization cookie Domain flag.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "authorization_cookie_same_site": { "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "required": false, + "type": "string", + "default": "Default", "one_of": [ "Strict", "Lax", "None", "Default" - ], - "type": "string", - "default": "Default" + ] } }, { "authorization_cookie_http_only": { - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." } }, { "authorization_cookie_secure": { "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "type": "boolean", - "required": false + "required": false, + "type": "boolean" } }, { "preserve_query_args": { - "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow." } }, { 
@@ -842,9 +851,9 @@ }, { "token_endpoint_auth_method": { - "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", - "type": "string", "required": false, + "type": "string", + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", @@ -858,9 +867,9 @@ }, { "token_headers_names": { - "description": "Extra header names passed to the token endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra header names passed to the token endpoint.", "elements": { "type": "string" } @@ -868,9 +877,9 @@ }, { "token_headers_values": { - "description": "Extra header values passed to the token endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra header values passed to the token endpoint.", "elements": { "type": "string" } @@ -878,9 +887,9 @@ }, { "token_headers_client": { - "description": "Extra headers passed from the client to the token endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra headers passed from the client to the token endpoint.", "elements": { "type": "string" } @@ -888,9 +897,9 @@ }, { "token_headers_replay": { - "description": "The names of token endpoint response headers to forward to the downstream client.", - "type": "array", "required": false, + "type": "array", + "description": "The names of token endpoint response headers to forward to the downstream client.", "elements": { "type": "string" } 
@@ -899,15 +908,15 @@ { "token_headers_prefix": { "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "token_headers_grants": { - "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", - "type": "array", "required": false, + "type": "array", + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", "elements": { "type": "string", "one_of": [ @@ -921,9 +930,9 @@ }, { "token_post_args_names": { - "description": "Extra post argument names passed to the token endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra post argument names passed to the token endpoint.", "elements": { "type": "string" } @@ -931,9 +940,9 @@ }, { "token_post_args_values": { - "description": "Extra post argument values passed to the token endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra post argument values passed to the token endpoint.", "elements": { "type": "string" } 
@@ -941,9 +950,9 @@ }, { "token_post_args_client": { - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", "elements": { "type": "string" } @@ -958,9 +967,9 @@ }, { "introspection_endpoint_auth_method": { - "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", - "type": "string", "required": false, + "type": "string", + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -974,38 +983,38 @@ }, { "introspection_hint": { - "description": "Introspection hint parameter value passed to the introspection endpoint.", - "type": "string", "required": false, - "default": "access_token" + "type": "string", + "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint." } }, { "introspection_check_active": { - "description": "Check that the introspection response has an `active` claim with a value of `true`.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`." } }, { "introspection_accept": { "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", "required": false, + "type": "string", + "default": "application/json", "one_of": [ "application/json", "application/token-introspection+jwt", "application/jwt" - ], - "type": "string", - "default": "application/json" + ] } }, { "introspection_headers_names": { - "description": "Extra header names passed to the introspection endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra header names passed to the introspection endpoint.", "elements": { "type": "string" } 
@@ -1013,21 +1022,21 @@ }, { "introspection_headers_values": { - "description": "Extra header values passed to the introspection endpoint.", "required": false, "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, "type": "array", + "description": "Extra header values passed to the introspection endpoint.", "encrypted": true } }, { "introspection_headers_client": { - "description": "Extra headers passed from the client to the introspection endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra headers passed from the client to the introspection endpoint.", "elements": { "type": "string" } @@ -1035,9 +1044,9 @@ }, { "introspection_post_args_names": { - "description": "Extra post argument names passed to the introspection endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra post argument names passed to the introspection endpoint.", "elements": { "type": "string" } @@ -1045,9 +1054,9 @@ }, { "introspection_post_args_values": { - "description": "Extra post argument values passed to the introspection endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra post argument values passed to the introspection endpoint.", "elements": { "type": "string" } @@ -1055,9 +1064,19 @@ }, { "introspection_post_args_client": { - "description": "Extra post arguments passed from the client to the introspection endpoint.", + "required": false, "type": "array", + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "elements": { + "type": "string" + } + } + }, + { + "introspection_post_args_client_headers": { "required": false, + "type": "array", + "description": "Extra post arguments passed from the client headers to the introspection endpoint.", "elements": { "type": "string" } 
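Review bot: The new `introspection_post_args_client_headers` entry (hunk `@@ -1055,9 +1064,19 @@`) is described only as "Extra post arguments passed from the client headers to the introspection endpoint." That does not say whether the array holds header names, or how it differs from `introspection_post_args_client` directly above it. Because the setting forwards client-supplied values to the identity provider, operators need that detail to keep the list to the few names they actually intend to pass. If the entries are header names (an assumption to confirm against the plugin), a clearer wording would be `"description": "Names of client request headers whose values are passed as extra post arguments to the introspection endpoint."`. The commit message says these files are pulled from the API, so the wording fix belongs in the upstream schema rather than in this file.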
@@ -1065,10 +1084,10 @@ }, { "introspect_jwt_tokens": { - "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations)." } }, { @@ -1080,9 +1099,9 @@ }, { "revocation_endpoint_auth_method": { - "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", - "type": "string", "required": false, + "type": "string", + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "one_of": [ "client_secret_basic", "client_secret_post", @@ -1112,19 +1131,19 @@ "userinfo_accept": { "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", "required": false, + "type": "string", + "default": "application/json", "one_of": [ "application/json", "application/jwt" - ], - "type": "string", - "default": "application/json" + ] } }, { "userinfo_headers_names": { - "description": "Extra header names passed to the user info endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra header names passed to the user info endpoint.", "elements": { "type": "string" } 
@@ -1132,9 +1151,9 @@ }, { "userinfo_headers_values": { - "description": "Extra header values passed to the user info endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra header values passed to the user info endpoint.", "elements": { "type": "string" } @@ -1142,9 +1161,9 @@ }, { "userinfo_headers_client": { - "description": "Extra headers passed from the client to the user info endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra headers passed from the client to the user info endpoint.", "elements": { "type": "string" } @@ -1152,9 +1171,9 @@ }, { "userinfo_query_args_names": { - "description": "Extra query argument names passed to the user info endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra query argument names passed to the user info endpoint.", "elements": { "type": "string" } @@ -1162,9 +1181,9 @@ }, { "userinfo_query_args_values": { - "description": "Extra query argument values passed to the user info endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra query argument values passed to the user info endpoint.", "elements": { "type": "string" } @@ -1172,9 +1191,9 @@ }, { "userinfo_query_args_client": { - "description": "Extra query arguments passed from the client to the user info endpoint.", - "type": "array", "required": false, + "type": "array", + "description": "Extra query arguments passed from the client to the user info endpoint.", "elements": { "type": "string" } 
@@ -1190,140 +1209,140 @@ { "session_secret": { "description": "The session secret.", - "required": false, - "type": "string", "referenceable": true, + "type": "string", + "required": false, "encrypted": true } }, { "session_audience": { - "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", - "type": "string", "required": false, - "default": "default" + "type": "string", + "default": "default", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`." } }, { "session_cookie_name": { - "description": "The session cookie name.", - "type": "string", "required": false, - "default": "session" + "type": "string", + "default": "session", + "description": "The session cookie name." } }, { "session_remember": { - "description": "Enables or disables persistent sessions.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Enables or disables persistent sessions." } }, { "session_remember_cookie_name": { - "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", - "type": "string", "required": false, - "default": "remember" + "type": "string", + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter." } }, { "session_remember_rolling_timeout": { - "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", - "type": "number", "required": false, - "default": 604800 + "type": "number", + "default": 604800, + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling." } }, { "session_remember_absolute_timeout": { - "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 
0 disables the checks.", - "type": "number", "required": false, - "default": 2592000 + "type": "number", + "default": 2592000, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks." } }, { "session_idling_timeout": { - "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", - "type": "number", "required": false, - "default": 900 + "type": "number", + "default": 900, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching." } }, { "session_rolling_timeout": { - "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", - "type": "number", "required": false, - "default": 3600 + "type": "number", + "default": 3600, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." } }, { "session_absolute_timeout": { - "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", - "type": "number", "required": false, - "default": 86400 + "type": "number", + "default": 86400, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks." } }, { "session_cookie_path": { - "description": "The session cookie Path flag.", "required": false, - "starts_with": "/", - "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "default": "/" + "starts_with": "/", + "type": "string", + "default": "/", + "description": "The session cookie Path flag." 
} }, { "session_cookie_domain": { "description": "The session cookie Domain flag.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "session_cookie_same_site": { "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "required": false, + "type": "string", + "default": "Lax", "one_of": [ "Strict", "Lax", "None", "Default" - ], - "type": "string", - "default": "Lax" + ] } }, { "session_cookie_http_only": { - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." } }, { "session_cookie_secure": { "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "type": "boolean", - "required": false + "required": false, + "type": "boolean" } }, { "session_request_headers": { + "type": "set", "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", "required": false, - "type": "set", "elements": { "type": "string", "one_of": [ @@ -1340,9 +1359,9 @@ }, { "session_response_headers": { + "type": "set", "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", "required": false, - "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -1361,80 +1380,80 @@ "session_storage": { "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", "required": false, + "type": "string", + "default": "cookie", "one_of": [ "cookie", "memcache", "memcached", "redis" - ], - "type": "string", - "default": "cookie" + ] } }, { "session_store_metadata": { - "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject." } }, { "session_enforce_same_subject": { - "description": "When set to `true`, audiences are forced to share the same subject.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject." } }, { "session_hash_subject": { - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." } }, { "session_hash_storage_key": { - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." } }, { "session_memcached_prefix": { "description": "The memcached session key prefix.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "session_memcached_socket": { "description": "The memcached unix socket path.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "session_memcached_host": { - "description": "The memcached host.", - "type": "string", "required": false, - "default": "127.0.0.1" + "type": "string", + "default": "127.0.0.1", + "description": "The memcached host." } }, { "session_memcached_port": { - "description": "The memcached port.", "required": false, "between": [ 0, 65535 ], "type": "integer", - "default": 11211 + "default": 11211, + "description": "The memcached port." } }, { 
@@ -1442,115 +1461,117 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { "password": { "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", "type": "string", - "encrypted": true, - "referenceable": true + "referenceable": true, + "encrypted": true } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "type": "string", - "encrypted": true, - "referenceable": true + "referenceable": true, + "encrypted": true } }, { "database": { "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer", - "default": 0 + "default": 0, + "type": "integer" } }, { "keepalive_pool_size": { - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer", "between": [ 1, 2147483646 ], - "default": 256 + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer" } }, { "keepalive_backlog": { - "description": "Limits the total number of opened connections for a pool. 
If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { 
@@ -1566,158 +1587,129 @@ }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", "required": true, - "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "type": "string" } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", - "len_min": 1 + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "description": "A string representing a host name, such as example.com.", "required": true, - "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "type": "string" } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", - "len_min": 1 + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { - "description": "If set to true, uses SSL to connect to Redis.", - "required": false, "type": "boolean", - "default": false + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "required": false } }, { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, "type": "boolean", - "default": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "required": false } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", "required": false } }, { "cluster_max_redirections": { - "description": "Maximum retry attempts for redirection.", - "required": false, "type": "integer", - "default": 5 - } + "description": "Maximum retry attempts for redirection.", + "default": 5, + "required": false + } }, { "connection_is_proxied": { - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "required": false, "type": "boolean", - "default": false + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "default": false, + "required": false } }, { "prefix": { "description": "The Redis session key prefix.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "socket": { "description": "The Redis unix socket path.", - "type": "string", - "required": false + "required": false, + "type": "string" } } ], + "required": true, "entity_checks": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } + "mutually_required": [ + "host", + "port" + ] }, { "mutually_required": [ @@ -1726,12 +1718,6 @@ "sentinel_nodes" ] }, - { - "mutually_required": [ - "host", - "port" - ] - }, { "mutually_required": [ "connect_timeout", 
@@ -1741,14 +1727,14 @@ }, { "conditional": { - "if_field": "connection_is_proxied", - "then_match": { - "required": true - }, "if_match": { "eq": true }, - "then_field": "host" + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } } }, { @@ -1779,14 +1765,13 @@ } } ], + "type": "record", "shorthand_fields": [ { "timeout": { - "type": "integer", - "translate_backwards": [ - "connect_timeout" - ], "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -1803,27 +1788,26 @@ "read_timeout" ] } - ], - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "sentinel_addresses": { "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ], - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } 
@@ -1832,55 +1816,52 @@ { "cluster_addresses": { "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ], - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } } } - ], - "required": true, - "type": "record" + ] } }, { "reverify": { - "description": "Specifies whether to always verify tokens stored in the session.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Specifies whether to always verify tokens stored in the session." } }, { "jwt_session_claim": { - "description": "The claim to match against the JWT session cookie.", - "type": "string", "required": false, - "default": "sid" + "type": "string", + "default": "sid", + "description": "The claim to match against the JWT session cookie." } }, { "jwt_session_cookie": { "description": "The name of the JWT session cookie.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "bearer_token_param_type": { - "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", - "required": false, + "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", "elements": { "type": "string", "one_of": [ 
@@ -1895,20 +1876,20 @@ "header", "query", "body" - ] + ], + "required": false } }, { "bearer_token_cookie_name": { "description": "The name of the cookie in which the bearer token is passed.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "client_credentials_param_type": { "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", - "required": false, "elements": { "type": "string", "one_of": [ @@ -1922,13 +1903,13 @@ "header", "query", "body" - ] + ], + "required": false } }, { "password_param_type": { "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", - "required": false, "elements": { "type": "string", "one_of": [ @@ -1942,13 +1923,13 @@ "header", "query", "body" - ] + ], + "required": false } }, { "id_token_param_type": { "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", - "required": false, "elements": { "type": "string", "one_of": [ @@ -1962,20 +1943,20 @@ "header", "query", "body" - ] + ], + "required": false } }, { "id_token_param_name": { "description": "The name of the parameter used to pass the id token.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "refresh_token_param_type": { "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", - "required": false, "elements": { "type": "string", "one_of": [ 
@@ -1989,29 +1970,30 @@ "header", "query", "body" - ] + ], + "required": false } }, { "refresh_token_param_name": { "description": "The name of the parameter used to pass the refresh token.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "refresh_tokens": { - "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available." } }, { "upstream_headers_claims": { - "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "type": "array", "required": false, + "type": "array", + "description": "The upstream header claims. Only top level claims are supported.", "elements": { "type": "string" } @@ -2019,9 +2001,9 @@ }, { "upstream_headers_names": { - "description": "The upstream header names for the claim values.", - "type": "array", "required": false, + "type": "array", + "description": "The upstream header names for the claim values.", "elements": { "type": "string" } 
@@ -2029,80 +2011,80 @@ }, { "upstream_access_token_header": { - "description": "The upstream access token header.", - "type": "string", "required": false, - "default": "authorization:bearer" + "type": "string", + "default": "authorization:bearer", + "description": "The upstream access token header." } }, { "upstream_access_token_jwk_header": { "description": "The upstream access token JWK header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "upstream_id_token_header": { "description": "The upstream id token header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "upstream_id_token_jwk_header": { "description": "The upstream id token JWK header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "upstream_refresh_token_header": { "description": "The upstream refresh token header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "upstream_user_info_header": { "description": "The upstream user info header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "upstream_user_info_jwt_header": { "description": "The upstream user info JWT header (in case the user info returns a JWT response).", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "upstream_introspection_header": { "description": "The upstream introspection header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "upstream_introspection_jwt_header": { "description": "The upstream introspection JWT header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "upstream_session_id_header": { "description": "The upstream session id header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "downstream_headers_claims": { - "description": "The downstream header claims. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", - "type": "array", "required": false, + "type": "array", + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" } @@ -2110,9 +2092,9 @@ }, { "downstream_headers_names": { - "description": "The downstream header names for the claim values.", - "type": "array", "required": false, + "type": "array", + "description": "The downstream header names for the claim values.", "elements": { "type": "string" } 
@@ -2121,77 +2103,76 @@ { "downstream_access_token_header": { "description": "The downstream access token header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "downstream_access_token_jwk_header": { "description": "The downstream access token JWK header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "downstream_id_token_header": { "description": "The downstream id token header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "downstream_id_token_jwk_header": { "description": "The downstream id token JWK header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "downstream_refresh_token_header": { "description": "The downstream refresh token header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "downstream_user_info_header": { "description": "The downstream user info header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "downstream_user_info_jwt_header": { "description": "The downstream user info JWT header (in case the user info returns a JWT response).", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "downstream_introspection_header": { "description": "The downstream introspection header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "downstream_introspection_jwt_header": { "description": "The downstream introspection JWT header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "downstream_session_id_header": { "description": "The downstream session id header.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "login_methods": { "description": "Enable login functionality with specified grants.", - "required": false, "elements": { "type": "string", "one_of": 
[ @@ -2209,26 +2190,26 @@ "type": "array", "default": [ "authorization_code" - ] + ], + "required": false } }, { "login_action": { "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", "required": false, + "type": "string", + "default": "upstream", "one_of": [ "upstream", "response", "redirect" - ], - "type": "string", - "default": "upstream" + ] } }, { "login_tokens": { "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", - "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2242,46 +2223,46 @@ "type": "array", "default": [ "id_token" - ] + ], + "required": false } }, { "login_redirect_mode": { "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", "required": false, + "type": "string", + "default": "fragment", "one_of": [ "query", "fragment" - ], - "type": "string", - "default": "fragment" + ] } }, { "logout_query_arg": { "description": "The request query argument that activates the logout.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "logout_post_arg": { "description": "The request body argument that activates the logout.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "logout_uri_suffix": { "description": "The request URI suffix that activates the logout.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "logout_methods": { "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", - "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2294,38 +2275,39 @@ "default": [ "POST", "DELETE" - ] + ], + "required": false } }, { "logout_revoke": { - "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters." } }, { "logout_revoke_access_token": { - "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`." } }, { "logout_revoke_refresh_token": { - "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`." } }, { "consumer_claim": { - "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "type": "array", "required": false, + "type": "array", + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" } 
@@ -2334,7 +2316,6 @@ { "consumer_by": { "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", - "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2347,89 +2328,89 @@ "default": [ "username", "custom_id" - ] + ], + "required": false } }, { "consumer_optional": { - "description": "Do not terminate the request if consumer mapping fails.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Do not terminate the request if consumer mapping fails." } }, { "credential_claim": { "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, "elements": { "type": "string" }, "type": "array", "default": [ "sub" - ] + ], + "required": false } }, { "anonymous": { "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "run_on_preflight": { - "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests." 
} }, { "leeway": { - "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", - "type": "number", "required": false, - "default": 0 + "type": "number", + "default": 0, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims" } }, { "verify_parameters": { - "description": "Verify plugin configuration against discovery.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Verify plugin configuration against discovery." } }, { "verify_nonce": { - "description": "Verify nonce on authorization code flow.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Verify nonce on authorization code flow." } }, { "verify_claims": { - "description": "Verify tokens for standard claims.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Verify tokens for standard claims." } }, { "verify_signature": { - "description": "Verify signature of tokens.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Verify signature of tokens." } }, { "ignore_signature": { "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", - "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2445,22 +2426,23 @@ "type": "array", "default": [ - ] + ], + "required": false } }, { "enable_hs_signatures": { - "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted)." } }, { "disable_session": { - "description": "Disable issuing the session cookie with the specified grants.", - "type": "array", "required": false, + "type": "array", + "description": "Disable issuing the session cookie with the specified grants.", "elements": { "type": "string", "one_of": [ 
@@ -2479,102 +2461,102 @@ }, { "cache_ttl": { - "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", - "type": "number", "required": false, - "default": 3600 + "type": "number", + "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry." } }, { "cache_ttl_max": { "description": "The maximum cache ttl in seconds (enforced).", - "type": "number", - "required": false + "required": false, + "type": "number" } }, { "cache_ttl_min": { "description": "The minimum cache ttl in seconds (enforced).", - "type": "number", - "required": false + "required": false, + "type": "number" } }, { "cache_ttl_neg": { "description": "The negative cache ttl in seconds.", - "type": "number", - "required": false + "required": false, + "type": "number" } }, { "cache_ttl_resurrect": { "description": "The resurrection ttl in seconds.", - "type": "number", - "required": false + "required": false, + "type": "number" } }, { "cache_tokens": { - "description": "Cache the token endpoint requests.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Cache the token endpoint requests." } }, { "cache_tokens_salt": { - "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", - "auto": true, + "required": false, "type": "string", - "required": false + "auto": true, + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." } }, { "cache_introspection": { - "description": "Cache the introspection endpoint requests.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Cache the introspection endpoint requests." 
} }, { "cache_token_exchange": { - "description": "Cache the token exchange endpoint requests.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Cache the token exchange endpoint requests." } }, { "cache_user_info": { - "description": "Cache the user info requests.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Cache the user info requests." } }, { "search_user_info": { - "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers." } }, { "hide_credentials": { - "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication." } }, { "http_version": { - "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", "required": false, "type": "number", - "default": 1.1 + "default": 1.1, + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0." } }, { 
@@ -2586,9 +2568,10 @@ }, { "http_proxy_authorization": { - "description": "The HTTP proxy authorization.", + "required": false, "type": "string", - "required": false + "referenceable": true, + "description": "The HTTP proxy authorization." } }, { 
@@ -2600,132 +2583,133 @@ }, { "https_proxy_authorization": { - "description": "The HTTPS proxy authorization.", + "required": false, "type": "string", - "required": false + "referenceable": true, + "description": "The HTTPS proxy authorization." } }, { "no_proxy": { "description": "Do not use proxy with these hosts.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "keepalive": { - "description": "Use keepalive with the HTTP client.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Use keepalive with the HTTP client." } }, { "ssl_verify": { - "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`." } }, { "timeout": { - "description": "Network IO timeout in milliseconds.", - "type": "number", "required": false, - "default": 10000 + "type": "number", + "default": 10000, + "description": "Network IO timeout in milliseconds." } }, { "display_errors": { - "description": "Display errors on failure responses.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Display errors on failure responses." } }, { "by_username_ignore_case": { - "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively." 
} }, { "resolve_distributed_claims": { - "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims." } }, { "expose_error_code": { - "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", "type": "boolean", - "default": true + "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable." } }, { "token_cache_key_include_scope": { - "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", "type": "boolean", - "default": false + "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens." } }, { "introspection_token_param_name": { - "description": "Designate token's parameter name for introspection.", - "type": "string", "required": false, - "default": "token" + "type": "string", + "default": "token", + "description": "Designate token's parameter name for introspection." 
} }, { "revocation_token_param_name": { - "description": "Designate token's parameter name for revocation.", - "type": "string", "required": false, - "default": "token" + "type": "string", + "default": "token", + "description": "Designate token's parameter name for revocation." } }, { "proof_of_possession_mtls": { "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", "required": false, + "type": "string", + "default": "off", "one_of": [ "off", "strict", "optional" - ], - "type": "string", - "default": "off" + ] } }, { "proof_of_possession_auth_methods_validation": { - "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP." 
} }, { "tls_client_auth_cert_id": { + "required": false, "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", - "auto": false, "type": "string", "uuid": true, - "required": false + "auto": false } }, { "tls_client_auth_ssl_verify": { - "description": "Verify identity provider server certificate during mTLS client authentication.", - "type": "boolean", "required": false, - "default": true + "type": "boolean", + "default": true, + "description": "Verify identity provider server certificate during mTLS client authentication." } }, { 
@@ -2753,36 +2737,36 @@ "proof_of_possession_dpop": { "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", "required": false, + "type": "string", + "default": "off", "one_of": [ "off", "strict", "optional" - ], - "type": "string", - "default": "off" + ] } }, { "dpop_use_nonce": { - "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", - "type": "boolean", "required": false, - "default": false + "type": "boolean", + "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime." } }, { "dpop_proof_lifetime": { - "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", - "type": "number", "required": false, - "default": 300 + "type": "number", + "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise." } }, { - "claims_forbidden": { - "description": "If given, these claims are forbidden in the token payload.", - "type": "array", + "claims_forbidden": { "required": false, + "type": "array", + "description": "If given, these claims are forbidden in the token payload.", "elements": { "type": "string" } 
@@ -2792,12 +2776,12 @@ "cluster_cache_strategy": { "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", "required": false, + "type": "string", + "default": "off", "one_of": [ "off", "redis" - ], - "type": "string", - "default": "off" + ] } }, { 
@@ -2805,58 +2789,60 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { 
@@ -2870,8 +2856,8 @@ { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { 
@@ -2885,29 +2871,29 @@ { "database": { "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer", - "default": 0 + "default": 0, + "type": "integer" } }, { "keepalive_pool_size": { - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer", "between": [ 1, 2147483646 ], - "default": 256 + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer" } }, { "keepalive_backlog": { - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { 
@@ -2918,155 +2904,126 @@ }, { "sentinel_role": { - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_nodes": { "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "required": false, "elements": { "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", + "required": false, "len_min": 1 } }, { "cluster_nodes": { "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", - "required": false, "elements": { "fields": [ { "ip": { - "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", + "required": false, "len_min": 1 } }, { "ssl": { - "description": "If set to true, uses SSL to connect to Redis.", "required": false, - "type": "boolean", - "default": false + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "type": "boolean" } }, { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, - "type": "boolean", - "default": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string", "required": false, - "type": "string" + "description": "A string representing an SNI (server name indication) value for TLS." 
} }, { "cluster_max_redirections": { - "description": "Maximum retry attempts for redirection.", "required": false, - "type": "integer", - "default": 5 + "description": "Maximum retry attempts for redirection.", + "default": 5, + "type": "integer" } }, { "connection_is_proxied": { - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "required": false, - "type": "boolean", - "default": false + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "default": false, + "type": "boolean" } } ], + "required": true, "entity_checks": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } + "mutually_required": [ + "host", + "port" + ] }, { "mutually_required": [ @@ -3075,12 +3032,6 @@ "sentinel_nodes" ] }, - { - "mutually_required": [ - "host", - "port" - ] - }, { "mutually_required": [ "connect_timeout", @@ -3090,11 +3041,11 @@ }, { "conditional": { - "if_field": "connection_is_proxied", "if_match": { "eq": true }, "then_field": "host", + "if_field": "connection_is_proxied", "then_match": { "required": true } @@ -3132,11 +3083,9 @@ "shorthand_fields": [ { "timeout": { - "type": "integer", - "translate_backwards": [ - "connect_timeout" - ], "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -3153,27 +3102,26 @@ "read_timeout" ] } - ], - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "sentinel_addresses": { "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ], - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } @@ -3182,25 +3130,24 @@ { "cluster_addresses": { "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ], - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } } } - ], - "required": true + ] } } ], @@ -3209,8 +3156,8 @@ { "authorization_cookie_lifetime": { "deprecation": { - "message": "openid-connect: config.authorization_cookie_lifetime is deprecated, please use config.authorization_rolling_timeout instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.authorization_cookie_lifetime is deprecated, please use config.authorization_rolling_timeout instead" }, "type": "number" } 
@@ -3218,8 +3165,8 @@ { "authorization_cookie_samesite": { "deprecation": { - "message": "openid-connect: config.authorization_cookie_samesite is deprecated, please use config.authorization_cookie_same_site instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.authorization_cookie_samesite is deprecated, please use config.authorization_cookie_same_site instead" }, "type": "string" } @@ -3227,8 +3174,8 @@ { "authorization_cookie_httponly": { "deprecation": { - "message": "openid-connect: config.authorization_cookie_httponly is deprecated, please use config.authorization_cookie_http_only instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.authorization_cookie_httponly is deprecated, please use config.authorization_cookie_http_only instead" }, "type": "boolean" } @@ -3236,8 +3183,8 @@ { "session_cookie_lifetime": { "deprecation": { - "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead" }, "type": "number" } @@ -3245,8 +3192,8 @@ { "session_cookie_idletime": { "deprecation": { - "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead" }, "type": "number" } 
@@ -3254,8 +3201,8 @@ { "session_cookie_samesite": { "deprecation": { - "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead" }, "type": "string" } @@ -3263,8 +3210,8 @@ { "session_cookie_httponly": { "deprecation": { - "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead" }, "type": "boolean" } @@ -3272,8 +3219,8 @@ { "session_memcache_prefix": { "deprecation": { - "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead" }, "type": "string" } @@ -3281,8 +3228,8 @@ { "session_memcache_socket": { "deprecation": { - "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead" }, "type": "string" } 
@@ -3290,8 +3237,8 @@ { "session_memcache_host": { "deprecation": { - "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead" }, "type": "string" } @@ -3299,8 +3246,8 @@ { "session_memcache_port": { "deprecation": { - "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead" }, "type": "integer" } @@ -3308,8 +3255,8 @@ { "session_cookie_renew": { "deprecation": { - "message": "openid-connect: config.session_cookie_renew option does not exist anymore", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_renew option does not exist anymore" }, "type": "number" } @@ -3317,8 +3264,8 @@ { "session_cookie_maxsize": { "deprecation": { - "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore" }, "type": "integer" } @@ -3326,8 +3273,8 @@ { "session_strategy": { "deprecation": { - "message": "openid-connect: config.session_strategy option does not exist anymore", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_strategy option does not exist anymore" }, "type": "string" } 
@@ -3335,20 +3282,17 @@ { "session_compressor": { "deprecation": { - "message": "openid-connect: config.session_compressor option does not exist anymore", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_compressor option does not exist anymore" }, "type": "string" } }, { "session_redis_prefix": { - "type": "string", - "translate_backwards": [ - "redis", - "prefix" - ], "deprecation": { + "message": "openid-connect: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -3356,20 +3300,16 @@ "prefix" ] } - ], - "message": "openid-connect: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "string" } }, { "session_redis_socket": { - "type": "string", - "translate_backwards": [ - "redis", - "socket" - ], "deprecation": { + "message": "openid-connect: config.session_redis_socket is deprecated, please use config.redis.socket instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -3377,20 +3317,16 @@ "socket" ] } - ], - "message": "openid-connect: config.session_redis_socket is deprecated, please use config.redis.socket instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "string" } }, { "session_redis_host": { - "type": "string", - "translate_backwards": [ - "redis", - "host" - ], "deprecation": { + "message": "openid-connect: config.session_redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -3398,20 +3334,16 @@ "host" ] } - ], - "message": "openid-connect: config.session_redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "string" } }, { "session_redis_port": { - "type": "integer", - "translate_backwards": [ - "redis", - "port" - ], "deprecation": { + "message": "openid-connect: config.session_redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -3419,20 +3351,16 @@ "port" ] } - ], - "message": "openid-connect: config.session_redis_port is deprecated, please use config.redis.port instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "session_redis_username": { - "type": "string", - "translate_backwards": [ - "redis", - "username" - ], "deprecation": { + "message": "openid-connect: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -3440,20 +3368,16 @@ "username" ] } - ], - "message": "openid-connect: config.redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "string" } }, { "session_redis_password": { - "type": "string", - "translate_backwards": [ - "redis", - "password" - ], "deprecation": { + "message": "openid-connect: config.session_redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
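Review bot: The deprecation message added for `session_redis_username` in the `@@ -3419,20 +3351,16 @@` hunk names the wrong option. It reads `config.redis_host is deprecated, please use config.redis.host instead`, while the `replaced_with` path that follows ends in `username`. An operator following that message while migrating Redis session credentials is pointed at the host setting instead of the username. Because this file is downloaded from the API, the wording presumably has to be corrected in the plugin's schema source and pulled again; the expected text is `"message": "openid-connect: config.session_redis_username is deprecated, please use config.redis.username instead"`. The `replaced_with` list for this field closes in the following hunk.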
@@ -3461,20 +3385,16 @@ "password" ] } - ], - "message": "openid-connect: config.session_redis_password is deprecated, please use config.redis.password instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "string" } }, { "session_redis_connect_timeout": { - "type": "integer", - "translate_backwards": [ - "redis", - "connect_timeout" - ], "deprecation": { + "message": "openid-connect: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -3482,20 +3402,16 @@ "connect_timeout" ] } - ], - "message": "openid-connect: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "session_redis_read_timeout": { - "type": "integer", - "translate_backwards": [ - "redis", - "read_timeout" - ], "deprecation": { + "message": "openid-connect: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -3503,20 +3419,16 @@ "read_timeout" ] } - ], - "message": "openid-connect: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "session_redis_send_timeout": { - "type": "integer", - "translate_backwards": [ - "redis", - "send_timeout" - ], "deprecation": { + "message": "openid-connect: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -3524,20 +3436,16 @@ "send_timeout" ] } - ], - "message": "openid-connect: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "session_redis_ssl": { - "type": "boolean", - "translate_backwards": [ - "redis", - "ssl" - ], "deprecation": { + "message": "openid-connect: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -3545,20 +3453,16 @@ "ssl" ] } - ], - "message": "openid-connect: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "boolean" } }, { "session_redis_ssl_verify": { - "type": "boolean", - "translate_backwards": [ - "redis", - "ssl_verify" - ], "deprecation": { + "message": "openid-connect: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -3566,20 +3470,16 @@ "ssl_verify" ] } - ], - "message": "openid-connect: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "boolean" } }, { "session_redis_server_name": { - "type": "string", - "translate_backwards": [ - "redis", - "server_name" - ], "deprecation": { + "message": "openid-connect: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -3587,15 +3487,16 @@ "server_name" ] } - ], - "message": "openid-connect: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "string" } }, { "session_redis_cluster_nodes": { "deprecation": { + "message": "openid-connect: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -3603,34 +3504,28 @@ "cluster_nodes" ] } - ], - "message": "openid-connect: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", - "removal_in_version": "4.0" + ] }, "type": "array", - "translate_backwards": [ - "redis", - "cluster_nodes" - ], "elements": { "fields": [ { "ip": { - "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], @@ -3640,12 +3535,9 @@ }, { "session_redis_cluster_max_redirections": { - "type": "integer", - "translate_backwards": [ - "redis", - "cluster_max_redirections" - ], "deprecation": { + "message": "openid-connect: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -3653,24 +3545,14 @@ "cluster_max_redirections" ] } - ], - "message": "openid-connect: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } } ], "type": "record" } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/opentelemetry/3.9.x.json b/schemas/opentelemetry/3.9.x.json index a847aca4..b82f2e14 100644 --- a/schemas/opentelemetry/3.9.x.json +++ b/schemas/opentelemetry/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,14 +21,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -35,42 +38,42 @@ "fields": [ { "traces_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", - "referenceable": true + "referenceable": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "logs_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", - "referenceable": true + "referenceable": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "headers": { + "keys": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", "type": "map", "values": { "referenceable": true, "type": "string" - }, - "keys": { - "description": "A string representing an HTTP header name.", - "type": "string" } } }, { "resource_attributes": { "keys": { - "required": true, - "type": "string" + "type": "string", + "required": true }, "type": "map", "values": { - "required": true, - "type": "string" + "type": "string", + "required": true } } }, 
@@ -79,144 +82,144 @@ "fields": [ { "max_batch_size": { - "description": "Maximum number of entries that can be processed at a time.", - "type": "integer", "between": [ 1, 1000000 ], - "default": 1 + "type": "integer", + "default": 1, + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "type": "number", "between": [ 0, 3600 ], - "default": 1 + "type": "number", + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "description": "Maximum number of entries that can be waiting on the queue.", - "type": "integer", "between": [ 1, 1000000 ], - "default": 10000 + "type": "integer", + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue." } }, { "max_bytes": { - "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", - "type": "integer" + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." } }, { "max_retry_time": { - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number", - "default": 60 + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { - "description": "Time in seconds before the initial retry is made for a failing batch.", - "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01 + "type": "number", + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch." 
} }, { "max_retry_delay": { - "description": "Maximum time in seconds between retries, caps exponential backoff.", - "type": "number", "between": [ 0.001, 1000000 ], - "default": 60 + "type": "number", + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff." } }, { "concurrency_limit": { - "description": "The number of of queue delivery timers. -1 indicates unlimited.", - "type": "integer", - "default": 1, "one_of": [ -1, 1 - ] + ], + "type": "integer", + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited." } } ], "type": "record", - "required": true, "default": { "max_batch_size": 200 - } + }, + "required": true } }, { "batch_span_count": { - "description": "The number of spans to be sent in a single batch.", - "type": "integer", "deprecation": { "old_default": 200, "message": "opentelemetry: config.batch_span_count is deprecated, please use config.queue.max_batch_size instead", "removal_in_version": "4.0" - } + }, + "description": "The number of spans to be sent in a single batch.", + "type": "integer" } }, { "batch_flush_delay": { - "description": "The delay, in seconds, between two consecutive batches.", - "type": "integer", "deprecation": { "old_default": 3, "message": "opentelemetry: config.batch_flush_delay is deprecated, please use config.queue.max_coalescing_delay instead", "removal_in_version": "4.0" - } + }, + "description": "The delay, in seconds, between two consecutive batches.", + "type": "integer" } }, { "connect_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 1000 + "type": "integer", + "default": 1000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 5000 + "type": "integer", + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 5000 + "type": "integer", + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -227,6 +230,13 @@ { "header_type": { "required": false, + "deprecation": { + "old_default": "preserve", + "message": "opentelemetry: config.header_type is deprecated, please use config.propagation options instead", + "removal_in_version": "4.0" + }, + "type": "string", + "default": "preserve", "one_of": [ "preserve", "ignore", @@ -238,24 +248,17 @@ "aws", "gcp", "datadog" - ], - "type": "string", - "deprecation": { - "old_default": "preserve", - "message": "opentelemetry: config.header_type is deprecated, please use config.propagation options instead", - "removal_in_version": "4.0" - }, - "default": "preserve" + ] } }, { "sampling_rate": { - "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", - "type": "number", "between": [ 0, 1 ], + "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", + "type": "number", "required": false } }, @@ -269,13 +272,13 @@ "elements": { "type": "string", "one_of": [ + "b3", "gcp", "jaeger", "aws", "ot", "w3c", - "datadog", - "b3" + "datadog" ] } } @@ -297,14 +300,14 @@ "type": "string", "one_of": [ "preserve", + "b3", "gcp", "b3-single", "jaeger", "aws", "ot", "w3c", - "datadog", - "b3" + "datadog" ] } } 
@@ -313,28 +316,29 @@ "default_format": { "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", "type": "string", - "required": true, "one_of": [ + "b3", "gcp", "b3-single", "jaeger", "aws", "ot", "w3c", - "datadog", - "b3" - ] + "datadog" + ], + "required": true } } ], "type": "record", - "required": true, "default": { "default_format": "w3c" - } + }, + "required": true } } ], + "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -347,21 +351,17 @@ "shorthand_fields": [ { "endpoint": { + "deprecation": { + "removal_in_version": "4.0", + "message": "OpenTelemetry: config.endpoint is deprecated, please use config.traces_endpoint instead" + }, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string", "referenceable": true, - "deprecation": { - "message": "OpenTelemetry: config.endpoint is deprecated, please use config.traces_endpoint instead", - "removal_in_version": "4.0" - } + "type": "string" } } - ], - "required": true + ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/post-function/3.9.x.json b/schemas/post-function/3.9.x.json index 80a53552..dd5dc348 100644 --- a/schemas/post-function/3.9.x.json +++ b/schemas/post-function/3.9.x.json 
@@ -1,7 +1,33 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ], "fields": [ { "protocols": { + "required": false, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], "elements": { "type": "string", "one_of": [ @@ -12,38 +38,27 @@ "ws", "wss" ] - }, - "required": false, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] + } } }, { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "description": "A set of strings representing protocols.", "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -67,7 +82,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { @@ -75,11 +91,11 @@ "fields": [ { "certificate": { + "required": true, + "type": "array", "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" @@ -88,11 +104,11 @@ }, { "rewrite": { + "required": true, + "type": "array", "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" @@ -101,11 +117,11 @@ }, { "access": { + "required": true, + "type": "array", "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" 
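Review bot: The `fields` array of this schema carries two entries named `protocols`. The first is in the `@@ -1,7 +1,33 @@` hunk, with `"required": false` and a default that includes `ws` and `wss`. The second is in the `@@ -12,38 +38,27 @@` hunk, with `"required": true`. A consumer that resolves fields by name keeps whichever entry its lookup happens to see last, so the effective default and required flag for `protocols` are ambiguous. A post-download check that rejects duplicate field names within one `fields` array would surface this; `schemas/pre-function/3.9.x.json` further down has the same pair.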
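Review bot: The ten phase arrays that begin in the `@@ -75,11 +91,11 @@` hunk (`certificate`, `rewrite`, `access`, through `ws_close` in the later hunks) still have no `description`, although most other fields in this commit now carry one. As far as I know these arrays hold Lua source that the gateway runs in the named phase, so write access to this config amounts to code execution in the proxy. The schema text that documentation is generated from should say so. A per-field line such as `"description": "Lua source strings run in order during the access phase."` would do, added in the plugin's schema source and downloaded again. The same applies to `schemas/pre-function/3.9.x.json`.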
@@ -114,11 +130,11 @@ }, { "header_filter": { + "required": true, + "type": "array", "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" @@ -127,11 +143,11 @@ }, { "body_filter": { + "required": true, + "type": "array", "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" @@ -140,11 +156,11 @@ }, { "log": { + "required": true, + "type": "array", "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" @@ -153,11 +169,11 @@ }, { "ws_handshake": { + "required": true, + "type": "array", "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" @@ -166,11 +182,11 @@ }, { "ws_client_frame": { + "required": true, + "type": "array", "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" @@ -179,11 +195,11 @@ }, { "ws_upstream_frame": { + "required": true, + "type": "array", "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" @@ -192,11 +208,11 @@ }, { "ws_close": { + "required": true, + "type": "array", "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" @@ -208,21 +224,5 @@ "required": true } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.certificate", - "config.rewrite", - "config.access", - "config.header_filter", - "config.body_filter", - "config.log", - "config.ws_handshake", - "config.ws_upstream_frame", - "config.ws_client_frame", - "config.ws_close" - ] - } ] } \ No newline at end of file diff --git a/schemas/pre-function/3.9.x.json b/schemas/pre-function/3.9.x.json index 80a53552..dd5dc348 100644 --- a/schemas/pre-function/3.9.x.json +++ b/schemas/pre-function/3.9.x.json 
@@ -1,7 +1,33 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ], "fields": [ { "protocols": { + "required": false, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], "elements": { "type": "string", "one_of": [ @@ -12,38 +38,27 @@ "ws", "wss" ] - }, - "required": false, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] + } } }, { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "description": "A set of strings representing protocols.", "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -67,7 +82,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { @@ -75,11 +91,11 @@ "fields": [ { "certificate": { + "required": true, + "type": "array", "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" @@ -88,11 +104,11 @@ }, { "rewrite": { + "required": true, + "type": "array", "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" @@ -101,11 +117,11 @@ }, { "access": { + "required": true, + "type": "array", "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" 
@@ -114,11 +130,11 @@ }, { "header_filter": { + "required": true, + "type": "array", "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" @@ -127,11 +143,11 @@ }, { "body_filter": { + "required": true, + "type": "array", "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" @@ -140,11 +156,11 @@ }, { "log": { + "required": true, + "type": "array", "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" @@ -153,11 +169,11 @@ }, { "ws_handshake": { + "required": true, + "type": "array", "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" @@ -166,11 +182,11 @@ }, { "ws_client_frame": { + "required": true, + "type": "array", "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" @@ -179,11 +195,11 @@ }, { "ws_upstream_frame": { + "required": true, + "type": "array", "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" @@ -192,11 +208,11 @@ }, { "ws_close": { + "required": true, + "type": "array", "default": [ ], - "type": "array", - "required": true, "elements": { "required": false, "type": "string" @@ -208,21 +224,5 @@ "required": true } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.certificate", - "config.rewrite", - "config.access", - "config.header_filter", - "config.body_filter", - "config.log", - "config.ws_handshake", - "config.ws_upstream_frame", - "config.ws_client_frame", - "config.ws_close" - ] - } ] } \ No newline at end of file diff --git a/schemas/prometheus/3.9.x.json b/schemas/prometheus/3.9.x.json index 8a193072..c43db38a 100644 --- a/schemas/prometheus/3.9.x.json +++ b/schemas/prometheus/3.9.x.json 
@@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -26,14 +28,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -43,43 +46,43 @@ { "per_consumer": { "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "status_code_metrics": { "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "ai_metrics": { "description": "A boolean value that determines if ai metrics should be collected. If enabled, the `ai_llm_requests_total`, `ai_llm_cost_total` and `ai_llm_tokens_total` metrics will be exported.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "latency_metrics": { "description": "A boolean value that determines if latency metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "bandwidth_metrics": { "description": "A boolean value that determines if bandwidth metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "upstream_health_metrics": { "description": "A boolean value that determines if upstream metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } } ], @@ -87,8 +90,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
diff --git a/schemas/proxy-cache-advanced/3.9.x.json b/schemas/proxy-cache-advanced/3.9.x.json index 30b3682b..4de5bf1e 100644 --- a/schemas/proxy-cache-advanced/3.9.x.json +++ b/schemas/proxy-cache-advanced/3.9.x.json @@ -1,8 +1,16 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,7 +27,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { @@ -27,7 +36,6 @@ "fields": [ { "response_code": { - "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", "required": true, "elements": { "between": [ @@ -36,18 +44,18 @@ ], "type": "integer" }, + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", "type": "array", - "len_min": 1, "default": [ 200, 301, 404 - ] + ], + "len_min": 1 } }, { "request_method": { - "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", "required": true, "elements": { "type": "string", @@ -63,12 +71,12 @@ "default": [ "GET", "HEAD" - ] + ], + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`." } }, { "content_type": { - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", "required": true, "elements": { "type": "string" 
@@ -77,22 +85,23 @@ "default": [ "text/plain", "application/json" - ] + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned." } }, { "cache_ttl": { - "description": "TTL in seconds of cache entities.", - "type": "integer", "gt": 0, - "default": 300 + "type": "integer", + "default": 300, + "description": "TTL in seconds of cache entities." } }, { "strategy": { - "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", - "required": true, "type": "string", + "required": true, + "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", "one_of": [ "memory", "redis" 
@@ -101,24 +110,24 @@ }, { "cache_control": { - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", - "required": true, "type": "boolean", - "default": false + "required": true, + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234." } }, { "ignore_uri_case": { - "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", - "required": false, "type": "boolean", - "default": false + "required": false, + "default": false, + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI." } }, { "storage_ttl": { - "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", - "type": "integer" + "type": "integer", + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." } }, { @@ -126,10 +135,10 @@ "fields": [ { "dictionary_name": { - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", - "required": true, "type": "string", - "default": "kong_db_cache" + "required": true, + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template." } } ], 
@@ -139,8 +148,8 @@ }, { "vary_query_params": { - "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "type": "array", + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "elements": { "type": "string" } @@ -148,8 +157,8 @@ }, { "vary_headers": { - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "type": "array", + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "elements": { "type": "string" } @@ -157,8 +166,6 @@ }, { "response_headers": { - "description": "Caching related diagnostic headers that should be included in cached responses", - "type": "record", "fields": [ { "age": { @@ -179,6 +186,8 @@ } } ], + "description": "Caching related diagnostic headers that should be included in cached responses", + "type": "record", "required": true } }, 
@@ -187,58 +196,60 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { 
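Review bot: With `host` and `port` now defaulting to `127.0.0.1` and `6379` in this hunk, and the three `mutually_exclusive_sets` checks removed from the redis `entity_checks` in the later `@@ -300,155 +311,126 @@` hunk, the schema no longer shows which connection mode applies when `sentinel_nodes` or `cluster_nodes` is set. The same pair of changes appears in `schemas/rate-limiting-advanced/3.9.x.json` (hunks `@@ -146,58 +163,60 @@` and `@@ -270,144 +289,125 @@`). The `host` description should state the precedence, for example by appending `Used only when neither sentinel_nodes nor cluster_nodes is set.`, if that is the upstream behaviour; it is not visible here and needs confirming. An omitted `host` now resolves to the loopback address rather than staying unset, which matters for deployments that expect a remote Redis reached over TLS.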
@@ -252,8 +263,8 @@ { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { 
@@ -267,29 +278,29 @@ { "database": { "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer", - "default": 0 + "default": 0, + "type": "integer" } }, { "keepalive_pool_size": { - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer", "between": [ 1, 2147483646 ], - "default": 256 + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer" } }, { "keepalive_backlog": { - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { 
@@ -300,155 +311,126 @@ }, { "sentinel_role": { - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_nodes": { "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "required": false, "elements": { "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", + "required": false, "len_min": 1 } }, { "cluster_nodes": { "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", - "required": false, "elements": { "fields": [ { "ip": { - "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", + "required": false, "len_min": 1 } }, { "ssl": { - "description": "If set to true, uses SSL to connect to Redis.", "required": false, - "type": "boolean", - "default": false + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "type": "boolean" } }, { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, - "type": "boolean", - "default": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string", "required": false, - "type": "string" + "description": "A string representing an SNI (server name indication) value for TLS." 
} }, { "cluster_max_redirections": { - "description": "Maximum retry attempts for redirection.", "required": false, - "type": "integer", - "default": 5 + "description": "Maximum retry attempts for redirection.", + "default": 5, + "type": "integer" } }, { "connection_is_proxied": { - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "required": false, - "type": "boolean", - "default": false + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "default": false, + "type": "boolean" } } ], + "required": true, "entity_checks": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } + "mutually_required": [ + "host", + "port" + ] }, { "mutually_required": [ @@ -457,12 +439,6 @@ "sentinel_nodes" ] }, - { - "mutually_required": [ - "host", - "port" - ] - }, { "mutually_required": [ "connect_timeout", @@ -472,11 +448,11 @@ }, { "conditional": { - "if_field": "connection_is_proxied", "if_match": { "eq": true }, "then_field": "host", + "if_field": "connection_is_proxied", "then_match": { "required": true } @@ -514,11 +490,9 @@ "shorthand_fields": [ { "timeout": { - "type": "integer", - "translate_backwards": [ - "connect_timeout" - ], "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -535,27 +509,26 @@ "read_timeout" ] } - ], - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "sentinel_addresses": { "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ], - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } @@ -564,32 +537,31 @@ { "cluster_addresses": { "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ], - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } } } - ], - "required": true + ] } }, { "bypass_on_err": { - "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", "type": "boolean", - "default": false + "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream." } } ], @@ -597,14 +569,5 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/proxy-cache/3.9.x.json b/schemas/proxy-cache/3.9.x.json index 6bc799e6..a6ea66d6 100644 --- a/schemas/proxy-cache/3.9.x.json +++ b/schemas/proxy-cache/3.9.x.json 
@@ -1,8 +1,16 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -26,7 +34,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { @@ -34,7 +43,6 @@ "fields": [ { "response_code": { - "description": "Upstream response status code considered cacheable.", "required": true, "elements": { "between": [ @@ -43,19 +51,19 @@ ], "type": "integer" }, + "description": "Upstream response status code considered cacheable.", "type": "array", - "len_min": 1, "default": [ 200, 301, 404 - ] + ], + "len_min": 1 } }, { "request_method": { "description": "Downstream request methods considered cacheable.", - "required": true, "elements": { "type": "string", "one_of": [ @@ -70,13 +78,13 @@ "default": [ "GET", "HEAD" - ] + ], + "required": true } }, { "content_type": { "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", - "required": true, "elements": { "type": "string" }, @@ -84,22 +92,23 @@ "default": [ "text/plain", "application/json" - ] + ], + "required": true } }, { "cache_ttl": { - "description": "TTL, in seconds, of cache entities.", - "type": "integer", "gt": 0, - "default": 300 + "type": "integer", + "default": 300, + "description": "TTL, in seconds, of cache entities." } }, { "strategy": { "description": "The backing data store in which to hold cache entities.", - "required": true, "type": "string", + "required": true, "one_of": [ "memory" ] 
@@ -108,16 +117,16 @@ { "cache_control": { "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", - "required": true, "type": "boolean", - "default": false + "default": false, + "required": true } }, { "ignore_uri_case": { "type": "boolean", - "required": false, - "default": false + "default": false, + "required": false } }, { @@ -131,10 +140,10 @@ "fields": [ { "dictionary_name": { - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", "required": true, "type": "string", - "default": "kong_db_cache" + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template." } } ], @@ -144,8 +153,8 @@ }, { "vary_query_params": { - "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "type": "array", + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "elements": { "type": "string" } @@ -153,8 +162,8 @@ }, { "vary_headers": { - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "type": "array", + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "elements": { "type": "string" } @@ -162,8 +171,6 @@ }, { "response_headers": { - "description": "Caching related diagnostic headers that should be included in cached responses", - "type": "record", "fields": [ { "age": { 
@@ -184,6 +191,8 @@ } } ], + "description": "Caching related diagnostic headers that should be included in cached responses", + "type": "record", "required": true } } @@ -192,14 +201,5 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/rate-limiting-advanced/3.9.x.json b/schemas/rate-limiting-advanced/3.9.x.json index 7df38f70..91e3eb60 100644 --- a/schemas/rate-limiting-advanced/3.9.x.json +++ b/schemas/rate-limiting-advanced/3.9.x.json @@ -1,8 +1,16 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,7 +27,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { @@ -27,8 +36,10 @@ "fields": [ { "identifier": { - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", "required": true, + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "type": "string", + "default": "consumer", "one_of": [ "ip", "credential", 
@@ -37,16 +48,14 @@ "header", "path", "consumer-group" - ], - "type": "string", - "default": "consumer" + ] } }, { "window_size": { - "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", - "required": true, "type": "array", + "required": true, + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" } @@ -65,9 +74,9 @@ }, { "limit": { - "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", - "required": true, "type": "array", + "required": true, + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" } 
@@ -75,51 +84,59 @@ }, { "sync_rate": { - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", - "type": "number" + "type": "number", + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." } }, { "namespace": { - "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", "auto": true, + "required": true, "type": "string", - "required": true + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same." } }, { "strategy": { - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "required": true, + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. 
Available values are: `local` and `cluster`.", + "type": "string", + "default": "local", "one_of": [ "cluster", "redis", "local" - ], - "type": "string", - "default": "local" + ] } }, { "dictionary_name": { - "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", "type": "string", "required": true, - "default": "kong_rate_limiting_counters" + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle." + } + }, + { + "lock_dictionary_name": { + "type": "string", + "required": true, + "default": "kong_locks", + "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. The shared dictionary should be declare in nginx-kong.conf." } }, { "hide_client_headers": { - "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", "type": "boolean", - "default": false + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters." } }, { "retry_after_jitter_max": { - "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. 
The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", "type": "number", - "default": 0 + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header." } }, { @@ -130,15 +147,15 @@ }, { "path": { + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "type": "string", - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "type": "string" } }, { 
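Review bot: The `strategy` description in the `@@ -75,51 +84,59 @@` hunk says the available values are `local` and `cluster`, but the `one_of` list next to it also accepts `redis`, so the text and the validation disagree. The sentence should name all three, e.g. `Available values are: local, cluster and redis.` (with the values in code formatting as elsewhere). In the same hunk the new `lock_dictionary_name` description reads "should be declare in nginx-kong.conf"; it should be `The shared dictionary should be declared in nginx-kong.conf.` The `namespace` description also drops `window_size` from the list of settings that must match across instances sharing a namespace; whether that reflects a behaviour change cannot be told from this hunk and is worth confirming.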
@@ -146,58 +163,60 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { 
@@ -211,8 +230,8 @@ { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { 
@@ -226,35 +245,35 @@ { "database": { "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer", - "default": 0 + "default": 0, + "type": "integer" } }, { "keepalive_pool_size": { - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer", "between": [ 1, 2147483646 ], - "default": 256 + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer" } }, { "keepalive_backlog": { - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { 
@@ -270,144 +289,125 @@ }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", "required": true, - "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "type": "string" } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", - "len_min": 1 + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "description": "A string representing a host name, such as example.com.", "required": true, - "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "type": "string" } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", - "len_min": 1 + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { - "description": "If set to true, uses SSL to connect to Redis.", - "required": false, "type": "boolean", - "default": false + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "required": false } }, { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, "type": "boolean", - "default": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "required": false } }, { "server_name": { + "type": "string", "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false, - "type": "string" + "required": false } }, { "cluster_max_redirections": { - "description": "Maximum retry attempts for redirection.", - "required": false, "type": "integer", - "default": 5 + "description": "Maximum retry attempts for redirection.", + "default": 5, + "required": false } }, { "connection_is_proxied": { - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "required": false, "type": "boolean", - "default": false - } - } - ], - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "default": false, + "required": false } }, { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" + "redis_proxy_type": { + "description": "If the `connection_is_proxied` is enabled, this field indicates the proxy type and version you are using. For example, you can enable this optioin when you want authentication between Kong and Envoy proxy.", + "required": false, + "type": "string", + "one_of": [ + "envoy_v1.31" ] } - }, + } + ], + "required": true, + "entity_checks": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } + "mutually_required": [ + "host", + "port" + ] }, { "mutually_required": [ @@ -416,12 +416,6 @@ "sentinel_nodes" ] }, - { - "mutually_required": [ - "host", - "port" - ] - }, { "mutually_required": [ "connect_timeout", 
@@ -431,11 +425,11 @@ }, { "conditional": { - "if_field": "connection_is_proxied", "if_match": { "eq": true }, "then_field": "host", + "if_field": "connection_is_proxied", "then_match": { "required": true } @@ -473,11 +467,9 @@ "shorthand_fields": [ { "timeout": { - "type": "integer", - "translate_backwards": [ - "connect_timeout" - ], "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -494,27 +486,26 @@ "read_timeout" ] } - ], - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "sentinel_addresses": { "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ], - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } 
@@ -523,38 +514,37 @@ { "cluster_addresses": { "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ], - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } } } - ], - "required": true + ] } }, { "enforce_consumer_groups": { - "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", "type": "boolean", - "default": false + "default": false, + "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups." } }, { "consumer_groups": { - "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", "type": "array", + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", "elements": { "type": "string" } 
@@ -562,24 +552,24 @@ }, { "disable_penalty": { - "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", "type": "boolean", - "default": false + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type." } }, { "error_code": { - "description": "Set a custom error code to return when the rate limit is exceeded.", - "type": "number", "gt": 0, - "default": 429 + "type": "number", + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded." } }, { "error_message": { - "description": "Set a custom error message to return when the rate limit is exceeded.", "type": "string", - "default": "API rate limit exceeded" + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded." } } ], @@ -587,14 +577,5 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/rate-limiting/3.9.x.json b/schemas/rate-limiting/3.9.x.json index b98f28df..7fa63ded 100644 --- a/schemas/rate-limiting/3.9.x.json +++ b/schemas/rate-limiting/3.9.x.json 
@@ -1,8 +1,79 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.second", + "config.minute", + "config.hour", + "config.day", + "config.month", + "config.year" + ] + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.host", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.port", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.timeout", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "header" + }, + "then_field": "config.header_name", + "if_field": "config.limit_by", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "path" + }, + "then_field": "config.path", + "if_field": "config.limit_by", + "then_match": { + "required": true + } + } + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,7 +90,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { 
@@ -27,50 +99,50 @@ "fields": [ { "second": { + "gt": 0, "description": "The number of HTTP requests that can be made per second.", - "type": "number", - "gt": 0 + "type": "number" } }, { "minute": { + "gt": 0, "description": "The number of HTTP requests that can be made per minute.", - "type": "number", - "gt": 0 + "type": "number" } }, { "hour": { + "gt": 0, "description": "The number of HTTP requests that can be made per hour.", - "type": "number", - "gt": 0 + "type": "number" } }, { "day": { + "gt": 0, "description": "The number of HTTP requests that can be made per day.", - "type": "number", - "gt": 0 + "type": "number" } }, { "month": { + "gt": 0, "description": "The number of HTTP requests that can be made per month.", - "type": "number", - "gt": 0 + "type": "number" } }, { "year": { + "gt": 0, "description": "The number of HTTP requests that can be made per year.", - "type": "number", - "gt": 0 + "type": "number" } }, { "limit_by": { - "description": "The entity that is used when aggregating the limits.", "type": "string", + "description": "The entity that is used when aggregating the limits.", "default": "consumer", "one_of": [ "consumer", 
@@ -91,42 +163,40 @@ }, { "path": { + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "type": "string", - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "type": "string" } }, { "policy": { "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", "len_min": 0, + "type": "string", + "default": "local", "one_of": [ "local", "cluster", "redis" - ], - "type": "string", - "default": "local" + ] } }, { "fault_tolerant": { "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", "required": true, - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "redis": { - "description": "Redis configuration", - "type": "record", "fields": [ { "host": { 
@@ -136,73 +206,75 @@ }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", - "referenceable": true + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." } }, { "password": { "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, "len_min": 0, "type": "string", - "referenceable": true, "encrypted": true } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer", - "default": 0 + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy" } }, { "ssl": { "description": "If set to true, uses SSL to connect to Redis.", "type": "boolean", - "required": false, - "default": false + "default": false, + "required": false } }, { "ssl_verify": { "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "type": "boolean", - "required": false, - "default": false + "default": false, + "required": false } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string", "required": false, - "type": "string" + "description": "A string representing an SNI (server name indication) value for TLS." } } ], + "description": "Redis configuration", + "type": "record", "required": true } }, @@ -210,31 +282,31 @@ "hide_client_headers": { "description": "Optionally hide informative response headers.", "required": true, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "error_code": { - "description": "Set a custom error code to return when the rate limit is exceeded.", - "type": "number", "gt": 0, - "default": 429 + "description": "Set a custom error code to return when the rate limit is exceeded.", + "default": 429, + "type": "number" } }, { "error_message": { "description": "Set a custom error message to return when the rate limit is exceeded.", - "type": "string", - "default": "API rate limit exceeded" + "default": "API rate limit exceeded", + "type": "string" } }, { "sync_rate": { "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior.", "required": true, - "type": "number", - "default": -1 + "default": -1, + "type": "number" } } ], @@ -242,12 +314,9 @@ "shorthand_fields": [ { "redis_host": { - "type": "string", - "translate_backwards": [ - "redis", - "host" - ], "deprecation": { + "message": "rate-limiting: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -255,20 +324,16 @@ "host" ] } - ], - "message": "rate-limiting: config.redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "string" } }, { "redis_port": { - "type": "integer", - "translate_backwards": [ - "redis", - "port" - ], "deprecation": { + "message": "rate-limiting: config.redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -276,21 +341,16 @@ "port" ] } - ], - "message": "rate-limiting: config.redis_port is deprecated, please use config.redis.port instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "redis_password": { - "len_min": 0, - "type": "string", - "translate_backwards": [ - "redis", - "password" - ], "deprecation": { + "message": "rate-limiting: config.redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -298,20 +358,17 @@ "password" ] } - ], - "message": "rate-limiting: config.redis_password is deprecated, please use config.redis.password instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "string", + "len_min": 0 } }, { "redis_username": { - "type": "string", - "translate_backwards": [ - "redis", - "username" - ], "deprecation": { + "message": "rate-limiting: config.redis_username is deprecated, please use config.redis.username instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -319,20 +376,16 @@ "username" ] } - ], - "message": "rate-limiting: config.redis_username is deprecated, please use config.redis.username instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "string" } }, { "redis_ssl": { - "type": "boolean", - "translate_backwards": [ - "redis", - "ssl" - ], "deprecation": { + "message": "rate-limiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -340,20 +393,16 @@ "ssl" ] } - ], - "message": "rate-limiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "boolean" } }, { "redis_ssl_verify": { - "type": "boolean", - "translate_backwards": [ - "redis", - "ssl_verify" - ], "deprecation": { + "message": "rate-limiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -361,20 +410,16 @@ "ssl_verify" ] } - ], - "message": "rate-limiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "boolean" } }, { "redis_server_name": { - "type": "string", - "translate_backwards": [ - "redis", - "server_name" - ], "deprecation": { + "message": "rate-limiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -382,20 +427,16 @@ "server_name" ] } - ], - "message": "rate-limiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "string" } }, { "redis_timeout": { - "type": "integer", - "translate_backwards": [ - "redis", - "timeout" - ], "deprecation": { + "message": "rate-limiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -403,20 +444,16 @@ "timeout" ] } - ], - "message": "rate-limiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "redis_database": { - "type": "integer", - "translate_backwards": [ - "redis", - "database" - ], "deprecation": { + "message": "rate-limiting: config.redis_database is deprecated, please use config.redis.database instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -424,87 +461,14 @@ "database" ] } - ], - "message": "rate-limiting: config.redis_database is deprecated, please use config.redis.database instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } } ], "type": "record" } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.second", - "config.minute", - "config.hour", - "config.day", - "config.month", - "config.year" - ] - }, - { - "conditional": { - "if_field": "config.policy", - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.host", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_field": "config.policy", - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.port", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_field": "config.policy", - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.timeout", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_field": "config.limit_by", - "if_match": { - "eq": "header" - }, - "then_field": "config.header_name", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_field": "config.limit_by", - "if_match": { - "eq": "path" - }, - "then_field": "config.path", - "then_match": { - "required": true - } - } - } ] } \ No newline at end of file diff --git a/schemas/request-size-limiting/3.9.x.json b/schemas/request-size-limiting/3.9.x.json index 669041e4..33333291 100644 
--- a/schemas/request-size-limiting/3.9.x.json +++ b/schemas/request-size-limiting/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,14 +21,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -36,29 +39,29 @@ { "allowed_payload_size": { "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", - "type": "integer", - "default": 128 + "default": 128, + "type": "integer" } }, { "size_unit": { "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", "required": true, + "type": "string", + "default": "megabytes", "one_of": [ "megabytes", "kilobytes", "bytes" - ], - "type": "string", - "default": "megabytes" + ] } }, { "require_content_length": { "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", - "type": "boolean", "required": true, - "default": false + "default": false, + "type": "boolean" } } ], @@ -66,8 +69,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/request-termination/3.9.x.json b/schemas/request-termination/3.9.x.json index e06de3dc..a05a67b4 100644 --- a/schemas/request-termination/3.9.x.json +++ b/schemas/request-termination/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
@@ -19,7 +21,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { @@ -28,13 +31,13 @@ { "status_code": { "description": "The response code to send. Must be an integer between 100 and 599.", - "required": true, "between": [ 100, 599 ], "type": "integer", - "default": 503 + "default": 503, + "required": true } }, { @@ -59,8 +62,8 @@ "echo": { "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", "type": "boolean", - "required": true, - "default": false + "default": false, + "required": true } }, { @@ -74,8 +77,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/request-transformer-advanced/3.9.x.json b/schemas/request-transformer-advanced/3.9.x.json index fa602888..21fc7757 100644 --- a/schemas/request-transformer-advanced/3.9.x.json +++ b/schemas/request-transformer-advanced/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,7 +21,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { @@ -27,9 +30,9 @@ "fields": [ { "http_method": { - "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", "type": "string", - "match": "^%u+$" + "match": "^%u+$", + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." } }, { 
@@ -320,9 +323,9 @@ }, { "dots_in_keys": { - "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects).", "type": "boolean", - "default": true + "default": true, + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects)." } } ], @@ -330,8 +333,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/request-transformer/3.9.x.json b/schemas/request-transformer/3.9.x.json index e6220243..389e002e 100644 --- a/schemas/request-transformer/3.9.x.json +++ b/schemas/request-transformer/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -26,7 +28,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { @@ -34,9 +37,9 @@ "fields": [ { "http_method": { - "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", "type": "string", - "match": "^%u+$" + "match": "^%u+$", + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." } }, { @@ -44,11 +47,11 @@ "fields": [ { "body": { + "type": "array", + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" } @@ -56,11 +59,11 @@ }, { "headers": { + "type": "array", + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" } 
@@ -68,11 +71,11 @@ }, { "querystring": { + "type": "array", + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" } @@ -88,11 +91,11 @@ "fields": [ { "body": { + "type": "array", + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" } @@ -100,11 +103,11 @@ }, { "headers": { + "type": "array", + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "match": "^[^:]+:.*$", "type": "string" @@ -113,11 +116,11 @@ }, { "querystring": { + "type": "array", + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" } @@ -133,11 +136,11 @@ "fields": [ { "body": { + "type": "array", + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" } @@ -145,11 +148,11 @@ }, { "headers": { + "type": "array", + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "match": "^[^:]+:.*$", "type": "string" @@ -158,11 +161,11 @@ }, { "querystring": { + "type": "array", + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" } @@ -183,11 +186,11 @@ "fields": [ { "body": { + "type": "array", + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" } @@ -195,11 +198,11 @@ }, { "headers": { + "type": "array", + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "match": "^[^:]+:.*$", "type": "string" @@ -208,11 +211,11 @@ }, { "querystring": { + "type": "array", + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" } @@ -228,11 +231,11 @@ "fields": [ { "body": { + "type": "array", + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" } 
@@ -240,11 +243,11 @@ }, { "headers": { + "type": "array", + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "match": "^[^:]+:.*$", "type": "string" @@ -253,11 +256,11 @@ }, { "querystring": { + "type": "array", + "required": true, "default": [ ], - "type": "array", - "required": true, "elements": { "type": "string" } @@ -273,8 +276,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/request-validator/3.9.x.json b/schemas/request-validator/3.9.x.json index c334e59e..9a8a1232 100644 --- a/schemas/request-validator/3.9.x.json +++ b/schemas/request-validator/3.9.x.json @@ -1,8 +1,16 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,14 +27,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -42,8 +51,8 @@ }, { "allowed_content_types": { - "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", "type": "set", + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", "default": [ "application/json" ], 
@@ -55,21 +64,21 @@ }, { "version": { - "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", "required": true, + "type": "string", "one_of": [ "kong", "draft4" ], - "type": "string", - "default": "kong" + "default": "kong", + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator." } }, { "parameter_schema": { - "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", - "type": "array", "required": false, + "type": "array", + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", "elements": { "fields": [ { @@ -100,8 +109,6 @@ }, { "style": { - "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", - "type": "string", "one_of": [ "label", "form", @@ -110,7 +117,9 @@ "spaceDelimited", "pipeDelimited", "deepObject" - ] + ], + "type": "string", + "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value." } }, { 
@@ -121,8 +130,8 @@ }, { "schema": { - "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating.", - "type": "string" + "type": "string", + "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating." } } ], @@ -151,16 +160,16 @@ "verbose_response": { "description": "If enabled, the plugin returns more verbose and detailed validation errors.", "type": "boolean", - "required": true, - "default": false + "default": false, + "required": true } }, { "content_type_parameter_validation": { "description": "Determines whether to enable parameters validation of request content-type.", "type": "boolean", - "required": true, - "default": true + "default": true, + "required": true } } ], @@ -176,14 +185,5 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/response-ratelimiting/3.9.x.json b/schemas/response-ratelimiting/3.9.x.json index e443ef90..e9280c04 100644 --- a/schemas/response-ratelimiting/3.9.x.json +++ b/schemas/response-ratelimiting/3.9.x.json 
@@ -1,8 +1,45 @@ { + "entity_checks": [ + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.host", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.port", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.timeout", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,14 +56,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -36,14 +74,14 @@ { "header_name": { "description": "The name of the response header used to increment the counters.", - "type": "string", - "default": "x-kong-limit" + "default": "x-kong-limit", + "type": "string" } }, { "limit_by": { - "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", "type": "string", + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", "default": "consumer", "one_of": [ "consumer", 
@@ -54,8 +92,8 @@ }, { "policy": { - "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", "type": "string", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", "default": "local", "one_of": [ "local", @@ -68,14 +106,12 @@ "fault_tolerant": { "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", "required": true, - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "redis": { - "description": "Redis configuration", - "type": "record", "fields": [ { "host": { 
@@ -85,73 +121,75 @@ }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", - "referenceable": true + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." } }, { "password": { "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, "len_min": 0, "type": "string", - "referenceable": true, "encrypted": true } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer", - "default": 0 + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy" } }, { "ssl": { "description": "If set to true, uses SSL to connect to Redis.", "type": "boolean", - "required": false, - "default": false + "default": false, + "required": false } }, { "ssl_verify": { "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "type": "boolean", - "required": false, - "default": false + "default": false, + "required": false } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string", "required": false, - "type": "string" + "description": "A string representing an SNI (server name indication) value for TLS." } } ], + "description": "Redis configuration", + "type": "record", "required": true } }, @@ -159,22 +197,27 @@ "block_on_first_violation": { "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", "required": true, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "hide_client_headers": { "description": "Optionally hide informative response headers.", "required": true, - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "limits": { "description": "A map that defines rate limits for the plugin.", "len_min": 1, + "keys": { + "type": "string" + }, + "type": "map", + "required": true, "values": { "fields": [ { @@ -228,12 +271,7 @@ } ], "type": "record" - }, - "keys": { - "type": "string" - }, - "type": "map", - "required": true + } } } ], @@ -241,12 +279,9 @@ "shorthand_fields": [ { "redis_host": { - "type": "string", - "translate_backwards": [ - "redis", - "host" - ], "deprecation": { + "message": "response-ratelimiting: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -254,20 +289,16 @@ "host" ] } - ], - "message": "response-ratelimiting: config.redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "string" } }, { "redis_port": { - "type": "integer", - "translate_backwards": [ - "redis", - "port" - ], "deprecation": { + "message": "response-ratelimiting: config.redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -275,21 +306,16 @@ "port" ] } - ], - "message": "response-ratelimiting: config.redis_port is deprecated, please use config.redis.port instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "redis_password": { - "len_min": 0, - "type": "string", - "translate_backwards": [ - "redis", - "password" - ], "deprecation": { + "message": "response-ratelimiting: config.redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -297,20 +323,17 @@ "password" ] } - ], - "message": "response-ratelimiting: config.redis_password is deprecated, please use config.redis.password instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "string", + "len_min": 0 } }, { "redis_username": { - "type": "string", - "translate_backwards": [ - "redis", - "username" - ], "deprecation": { + "message": "response-ratelimiting: config.redis_username is deprecated, please use config.redis.username instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -318,20 +341,16 @@ "username" ] } - ], - "message": "response-ratelimiting: config.redis_username is deprecated, please use config.redis.username instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "string" } }, { "redis_ssl": { - "type": "boolean", - "translate_backwards": [ - "redis", - "ssl" - ], "deprecation": { + "message": "response-ratelimiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -339,20 +358,16 @@ "ssl" ] } - ], - "message": "response-ratelimiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "boolean" } }, { "redis_ssl_verify": { - "type": "boolean", - "translate_backwards": [ - "redis", - "ssl_verify" - ], "deprecation": { + "message": "response-ratelimiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -360,20 +375,16 @@ "ssl_verify" ] } - ], - "message": "response-ratelimiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "boolean" } }, { "redis_server_name": { - "type": "string", - "translate_backwards": [ - "redis", - "server_name" - ], "deprecation": { + "message": "response-ratelimiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -381,20 +392,16 @@ "server_name" ] } - ], - "message": "response-ratelimiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "string" } }, { "redis_timeout": { - "type": "integer", - "translate_backwards": [ - "redis", - "timeout" - ], "deprecation": { + "message": "response-ratelimiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -402,20 +409,16 @@ "timeout" ] } - ], - "message": "response-ratelimiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "redis_database": { - "type": "integer", - "translate_backwards": [ - "redis", - "database" - ], "deprecation": { + "message": "response-ratelimiting: config.redis_database is deprecated, please use config.redis.database instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -423,53 +426,14 @@ "database" ] } - ], - "message": "response-ratelimiting: config.redis_database is deprecated, please use config.redis.database instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } } ], "required": true } } - ], - "entity_checks": [ - { - "conditional": { - "if_field": "config.policy", - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.host", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_field": "config.policy", - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.port", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_field": "config.policy", - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.timeout", - "then_match": { - "required": true - } - } - } ] } \ No newline at end of file 
diff --git a/schemas/response-transformer-advanced/3.9.x.json b/schemas/response-transformer-advanced/3.9.x.json index 1d32331c..35f2b243 100644 --- a/schemas/response-transformer-advanced/3.9.x.json +++ b/schemas/response-transformer-advanced/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,7 +21,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { @@ -333,9 +336,9 @@ }, { "dots_in_keys": { - "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", "type": "boolean", - "default": true + "default": true, + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects.." } } ], @@ -343,8 +346,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/response-transformer/3.9.x.json b/schemas/response-transformer/3.9.x.json index 0219110a..b7480468 100644 --- a/schemas/response-transformer/3.9.x.json +++ b/schemas/response-transformer/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,7 +21,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { @@ -30,11 +33,11 @@ "fields": [ { "json": { + "required": true, + "type": "array", "default": [ ], - "required": true, - "type": "array", "elements": { "type": "string" } @@ -42,11 +45,11 @@ }, { "headers": { + "required": true, + "type": "array", "default": [ ], - "required": true, - "type": "array", "elements": { "type": "string" } 
@@ -62,11 +65,11 @@ "fields": [ { "json": { + "required": true, + "type": "array", "default": [ ], - "required": true, - "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" @@ -75,11 +78,11 @@ }, { "headers": { + "required": true, + "type": "array", "default": [ ], - "required": true, - "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" @@ -96,11 +99,11 @@ "fields": [ { "json": { + "required": true, + "type": "array", "default": [ ], - "required": true, - "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" @@ -110,7 +113,6 @@ { "json_types": { "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", - "required": true, "elements": { "type": "string", "one_of": [ @@ -122,16 +124,17 @@ "type": "array", "default": [ - ] + ], + "required": true } }, { "headers": { + "required": true, + "type": "array", "default": [ ], - "required": true, - "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" @@ -148,11 +151,11 @@ "fields": [ { "json": { + "required": true, + "type": "array", "default": [ ], - "required": true, - "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" @@ -162,7 +165,6 @@ { "json_types": { "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", - "required": true, "elements": { "type": "string", "one_of": [ @@ -174,16 +176,17 @@ "type": "array", "default": [ - ] + ], + "required": true } }, { "headers": { + "required": true, + "type": "array", "default": [ ], - "required": true, - "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" 
@@ -200,11 +203,11 @@ "fields": [ { "json": { + "required": true, + "type": "array", "default": [ ], - "required": true, - "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" @@ -214,7 +217,6 @@ { "json_types": { "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", - "required": true, "elements": { "type": "string", "one_of": [ @@ -226,16 +228,17 @@ "type": "array", "default": [ - ] + ], + "required": true } }, { "headers": { + "required": true, + "type": "array", "default": [ ], - "required": true, - "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" @@ -252,8 +255,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/route-by-header/3.9.x.json b/schemas/route-by-header/3.9.x.json index df002542..4adedef5 100644 --- a/schemas/route-by-header/3.9.x.json +++ b/schemas/route-by-header/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,14 +21,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -35,8 +38,8 @@ "fields": [ { "rules": { - "description": "Route by header rules.", "type": "array", + "description": "Route by header rules.", "default": [ ], @@ -50,15 +53,15 @@ }, { "condition": { + "required": true, "len_min": 1, - "values": { - "type": "string" - }, "keys": { "type": "string" }, "type": "map", - "required": true + "values": { + "type": "string" + } } } ], 
@@ -71,8 +74,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/route-transformer-advanced/3.9.x.json b/schemas/route-transformer-advanced/3.9.x.json index 76ec77f4..84951d64 100644 --- a/schemas/route-transformer-advanced/3.9.x.json +++ b/schemas/route-transformer-advanced/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,14 +21,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -50,8 +53,8 @@ }, { "escape_path": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } } ], @@ -68,8 +71,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/saml/3.9.x.json b/schemas/saml/3.9.x.json index 18157277..f1656692 100644 --- a/schemas/saml/3.9.x.json +++ b/schemas/saml/3.9.x.json @@ -1,16 +1,24 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -27,14 +35,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -43,109 +52,109 @@ "fields": [ { "assertion_consumer_path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "required": true, "starts_with": "/", "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "required": true } }, { "idp_sso_url": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string", "required": true, - "type": "string" + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "idp_certificate": { "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", - "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "required": false, + "encrypted": true } }, { "response_encryption_key": { "description": "The private encryption key required to decrypt encrypted assertions.", - "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "required": false, + "encrypted": true } }, { "request_signing_key": { "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. 
The `request_signing_certificate` parameter must be set as well.", - "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "required": false, + "encrypted": true } }, { "request_signing_certificate": { "description": "The certificate for signing requests.", - "required": false, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "required": false, + "encrypted": true } }, { "request_signature_algorithm": { "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`", "required": false, + "type": "string", + "default": "SHA256", "one_of": [ "SHA256", "SHA384", "SHA512" - ], - "type": "string", - "default": "SHA256" + ] } }, { "request_digest_algorithm": { "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", "required": false, + "type": "string", + "default": "SHA256", "one_of": [ "SHA256", "SHA1" - ], - "type": "string", - "default": "SHA256" + ] } }, { "response_signature_algorithm": { "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", "required": false, + "type": "string", + "default": "SHA256", "one_of": [ "SHA256", "SHA384", "SHA512" - ], - "type": "string", - "default": "SHA256" + ] } }, { "response_digest_algorithm": { "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", "required": false, + "type": "string", + "default": "SHA256", "one_of": [ "SHA256", "SHA1" - ], - "type": "string", - "default": "SHA256" + ] } }, { 
@@ -159,22 +168,22 @@ "nameid_format": { "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", "required": false, + "type": "string", + "default": "EmailAddress", "one_of": [ "Unspecified", "EmailAddress", "Persistent", "Transient" - ], - "type": "string", - "default": "EmailAddress" + ] } }, { "validate_assertion_signature": { - "description": "Enable signature validation for SAML responses.", "required": false, "type": "boolean", - "default": true + "default": true, + "description": "Enable signature validation for SAML responses." } }, { 
@@ -186,101 +195,101 @@ }, { "session_secret": { - "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", "required": true, - "len_max": 32, - "match": "^[0-9a-zA-Z/_+]+$", + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", "referenceable": true, - "type": "string", "len_min": 32, + "len_max": 32, + "type": "string", + "match": "^[0-9a-zA-Z/_+]+$", "encrypted": true } }, { "session_audience": { - "description": "The session audience, for example \"my-application\"", "required": false, "type": "string", - "default": "default" + "default": "default", + "description": "The session audience, for example \"my-application\"" } }, { "session_cookie_name": { - "description": "The session cookie name.", "required": false, "type": "string", - "default": "session" + "default": "session", + "description": "The session cookie name." 
} }, { "session_remember": { - "description": "Enables or disables persistent sessions", "required": false, "type": "boolean", - "default": false + "default": false, + "description": "Enables or disables persistent sessions" } }, { "session_remember_cookie_name": { - "description": "Persistent session cookie name", "required": false, "type": "string", - "default": "remember" + "default": "remember", + "description": "Persistent session cookie name" } }, { "session_remember_rolling_timeout": { - "description": "Persistent session rolling timeout in seconds.", "required": false, "type": "number", - "default": 604800 + "default": 604800, + "description": "Persistent session rolling timeout in seconds." } }, { "session_remember_absolute_timeout": { - "description": "Persistent session absolute timeout in seconds.", "required": false, "type": "number", - "default": 2592000 + "default": 2592000, + "description": "Persistent session absolute timeout in seconds." } }, { "session_idling_timeout": { - "description": "The session cookie idle time in seconds.", "required": false, "type": "number", - "default": 900 + "default": 900, + "description": "The session cookie idle time in seconds." } }, { "session_rolling_timeout": { - "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", "required": false, "type": "number", - "default": 3600 + "default": 3600, + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid." } }, { "session_absolute_timeout": { - "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", "required": false, "type": "number", - "default": 86400 + "default": 86400, + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid." 
} }, { "session_cookie_path": { + "required": false, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "required": false, "starts_with": "/", "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "default": "/" + "default": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { @@ -294,22 +303,22 @@ "session_cookie_same_site": { "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "required": false, + "type": "string", + "default": "Lax", "one_of": [ "Strict", "Lax", "None", "Default" - ], - "type": "string", - "default": "Lax" + ] } }, { "session_cookie_http_only": { - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "required": false, "type": "boolean", - "default": true + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." } }, { 
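Review bot: The `session_rolling_timeout` description on the new side is word-for-word the one used for `session_absolute_timeout` ("The session cookie absolute timeout in seconds. …"), so the schema never says what the rolling timeout controls. Someone tuning session lifetime from this text cannot tell what separates the 3600-second default from the 86400-second one. A distinct description would help, for example `"description": "The session cookie rolling timeout in seconds. Specifies how long the session can be used until it needs to be renewed."`, with the wording confirmed against the plugin's behaviour. The `session_secret` text in the same hunk calls letters, numbers, `/`, `_` and `+` "the base64 alphabet"; that agrees with the `match` pattern but with neither standard nor URL-safe base64, so it would be clearer to list the accepted characters without the base64 label. The file appears to be pulled from the API, so both corrections presumably belong in the upstream schema rather than in this copy.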
@@ -357,46 +366,46 @@ "session_storage": { "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", "required": false, + "type": "string", + "default": "cookie", "one_of": [ "cookie", "memcache", "memcached", "redis" - ], - "type": "string", - "default": "cookie" + ] } }, { "session_store_metadata": { - "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", "required": false, "type": "boolean", - "default": false + "default": false, + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject." } }, { "session_enforce_same_subject": { - "description": "When set to `true`, audiences are forced to share the same subject.", "required": false, "type": "boolean", - "default": false + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject." } }, { "session_hash_subject": { - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", "required": false, "type": "boolean", - "default": false + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." } }, { "session_hash_storage_key": { - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "required": false, "type": "boolean", - "default": false + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." } }, { @@ -415,22 +424,22 @@ }, { "session_memcached_host": { - "description": "The memcached host.", "required": false, "type": "string", - "default": "127.0.0.1" + "default": "127.0.0.1", + "description": "The memcached host." } }, { "session_memcached_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": false, "between": [ 0, 65535 ], "type": "integer", - "default": 11211 + "default": 11211, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { 
@@ -438,115 +447,117 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { "password": { "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", "type": "string", - "encrypted": true, - "referenceable": true + "referenceable": true, + "encrypted": true } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "type": "string", - "encrypted": true, - "referenceable": true + "referenceable": true, + "encrypted": true } }, { "database": { "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer", - "default": 0 + "default": 0, + "type": "integer" } }, { "keepalive_pool_size": { - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer", "between": [ 1, 2147483646 ], - "default": 256 + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer" } }, { "keepalive_backlog": { - "description": "Limits the total number of opened connections for a pool. 
If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { 
@@ -562,105 +573,105 @@ }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", "required": true, - "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "type": "string" } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", - "len_min": 1 + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "description": "A string representing a host name, such as example.com.", "required": true, - "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "type": "string" } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", - "len_min": 1 + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { - "description": "If set to true, uses SSL to connect to Redis.", - "required": false, "type": "boolean", - "default": false + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "required": false } }, { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, "type": "boolean", - "default": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "required": false } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", "required": false } }, { "cluster_max_redirections": { - "description": "Maximum retry attempts for redirection.", - "required": false, "type": "integer", - "default": 5 + "description": "Maximum retry attempts for redirection.", + "default": 5, + "required": false } }, { "connection_is_proxied": { - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "required": false, "type": "boolean", - "default": false + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "default": false, + "required": false } }, { @@ -678,42 +689,13 @@ } } ], + "required": true, "entity_checks": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } + "mutually_required": [ + "host", + "port" + ] }, { "mutually_required": [ @@ -722,12 +704,6 @@ "sentinel_nodes" ] }, - { - "mutually_required": [ - "host", - "port" - ] - }, { "mutually_required": [ "connect_timeout", 
@@ -737,14 +713,14 @@ }, { "conditional": { - "if_field": "connection_is_proxied", - "then_match": { - "required": true - }, "if_match": { "eq": true }, - "then_field": "host" + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } } }, { @@ -775,14 +751,13 @@ } } ], + "type": "record", "shorthand_fields": [ { "timeout": { - "type": "integer", - "translate_backwards": [ - "connect_timeout" - ], "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -799,27 +774,26 @@ "read_timeout" ] } - ], - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "sentinel_addresses": { "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ], - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } @@ -828,26 +802,24 @@ { "cluster_addresses": { "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ], - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } } } - ], - "required": true, - "type": "record" + ] } } ], 
@@ -856,8 +828,8 @@ { "session_cookie_lifetime": { "deprecation": { - "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead" }, "type": "number" } @@ -865,8 +837,8 @@ { "session_cookie_idletime": { "deprecation": { - "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead" }, "type": "number" } @@ -874,8 +846,8 @@ { "session_cookie_samesite": { "deprecation": { - "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead" }, "type": "string" } @@ -883,8 +855,8 @@ { "session_cookie_httponly": { "deprecation": { - "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead" }, "type": "boolean" } 
@@ -892,8 +864,8 @@ { "session_memcache_prefix": { "deprecation": { - "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead" }, "type": "string" } @@ -901,8 +873,8 @@ { "session_memcache_socket": { "deprecation": { - "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead" }, "type": "string" } @@ -910,8 +882,8 @@ { "session_memcache_host": { "deprecation": { - "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead" }, "type": "string" } @@ -919,8 +891,8 @@ { "session_memcache_port": { "deprecation": { - "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead" }, "type": "integer" } @@ -928,8 +900,8 @@ { "session_cookie_renew": { "deprecation": { - "message": "openid-connect: config.session_cookie_renew option does not exist anymore", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_renew option does not exist anymore" }, "type": "number" } 
@@ -937,8 +909,8 @@ { "session_cookie_maxsize": { "deprecation": { - "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore" }, "type": "integer" } @@ -946,8 +918,8 @@ { "session_strategy": { "deprecation": { - "message": "openid-connect: config.session_strategy option does not exist anymore", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_strategy option does not exist anymore" }, "type": "string" } @@ -955,8 +927,8 @@ { "session_compressor": { "deprecation": { - "message": "openid-connect: config.session_compressor option does not exist anymore", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_compressor option does not exist anymore" }, "type": "string" } @@ -964,20 +936,17 @@ { "session_auth_ttl": { "deprecation": { - "message": "openid-connect: config.session_auth_ttl option does not exist anymore", - "removal_in_version": "4.0" + "removal_in_version": "4.0", + "message": "openid-connect: config.session_auth_ttl option does not exist anymore" }, "type": "number" } }, { "session_redis_prefix": { - "type": "string", - "translate_backwards": [ - "redis", - "prefix" - ], "deprecation": { + "message": "saml: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -985,20 +954,16 @@ "prefix" ] } - ], - "message": "saml: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "string" } }, { "session_redis_socket": { - "type": "string", - "translate_backwards": [ - "redis", - "socket" - ], "deprecation": { + "message": "saml: config.session_redis_socket is deprecated, please use config.redis.socket instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -1006,20 +971,16 @@ "socket" ] } - ], - "message": "saml: config.session_redis_socket is deprecated, please use config.redis.socket instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "string" } }, { "session_redis_host": { - "type": "string", - "translate_backwards": [ - "redis", - "host" - ], "deprecation": { + "message": "saml: config.session_redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -1027,20 +988,16 @@ "host" ] } - ], - "message": "saml: config.session_redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "string" } }, { "session_redis_port": { - "type": "integer", - "translate_backwards": [ - "redis", - "port" - ], "deprecation": { + "message": "saml: config.session_redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -1048,20 +1005,16 @@ "port" ] } - ], - "message": "saml: config.session_redis_port is deprecated, please use config.redis.port instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "session_redis_username": { - "type": "string", - "translate_backwards": [ - "redis", - "username" - ], "deprecation": { + "message": "saml: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
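Review bot: In the `@@ -1048,20 +1005,16 @@` hunk, the deprecation message added under `session_redis_username` names the wrong field: it reads `saml: config.redis_host is deprecated, please use config.redis.host instead`. Its neighbours all follow the `config.session_redis_<name>` → `config.redis.<name>` pattern, and the following hunk shows `"username"` as the replacement path element. An operator migrating Redis credentials from this warning would be pointed at the host setting instead of the username. The text should read `saml: config.session_redis_username is deprecated, please use config.redis.username instead`. If this file is a verbatim schema download, the fix belongs in the upstream schema. The entry continues past the end of this hunk.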
@@ -1069,20 +1022,16 @@ "username" ] } - ], - "message": "saml: config.redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "string" } }, { "session_redis_password": { - "type": "string", - "translate_backwards": [ - "redis", - "password" - ], "deprecation": { + "message": "saml: config.session_redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -1090,20 +1039,16 @@ "password" ] } - ], - "message": "saml: config.session_redis_password is deprecated, please use config.redis.password instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "string" } }, { "session_redis_connect_timeout": { - "type": "integer", - "translate_backwards": [ - "redis", - "connect_timeout" - ], "deprecation": { + "message": "saml: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -1111,20 +1056,16 @@ "connect_timeout" ] } - ], - "message": "saml: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "session_redis_read_timeout": { - "type": "integer", - "translate_backwards": [ - "redis", - "read_timeout" - ], "deprecation": { + "message": "saml: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -1132,20 +1073,16 @@ "read_timeout" ] } - ], - "message": "saml: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "session_redis_send_timeout": { - "type": "integer", - "translate_backwards": [ - "redis", - "send_timeout" - ], "deprecation": { + "message": "saml: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -1153,20 +1090,16 @@ "send_timeout" ] } - ], - "message": "saml: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "session_redis_ssl": { - "type": "boolean", - "translate_backwards": [ - "redis", - "ssl" - ], "deprecation": { + "message": "saml: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -1174,20 +1107,16 @@ "ssl" ] } - ], - "message": "saml: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "boolean" } }, { "session_redis_ssl_verify": { - "type": "boolean", - "translate_backwards": [ - "redis", - "ssl_verify" - ], "deprecation": { + "message": "saml: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -1195,20 +1124,16 @@ "ssl_verify" ] } - ], - "message": "saml: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "boolean" } }, { "session_redis_server_name": { - "type": "string", - "translate_backwards": [ - "redis", - "server_name" - ], "deprecation": { + "message": "saml: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -1216,15 +1141,16 @@ "server_name" ] } - ], - "message": "saml: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "string" } }, { "session_redis_cluster_nodes": { "deprecation": { + "message": "saml: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -1232,34 +1158,28 @@ "cluster_nodes" ] } - ], - "message": "saml: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", - "removal_in_version": "4.0" + ] }, "type": "array", - "translate_backwards": [ - "redis", - "cluster_nodes" - ], "elements": { "fields": [ { "ip": { - "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], 
@@ -1269,12 +1189,9 @@ }, { "session_redis_cluster_max_redirections": { - "type": "integer", - "translate_backwards": [ - "redis", - "cluster_max_redirections" - ], "deprecation": { + "message": "saml: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -1282,20 +1199,16 @@ "cluster_max_redirections" ] } - ], - "message": "saml: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "session_redis_cluster_maxredirections": { - "type": "integer", - "translate_backwards": [ - "redis", - "cluster_max_redirections" - ], "deprecation": { + "message": "saml: config.session_redis_cluster_maxredirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -1303,24 +1216,14 @@ "cluster_max_redirections" ] } - ], - "message": "saml: config.session_redis_cluster_maxredirections is deprecated, please use config.redis.cluster_max_redirections instead", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } } ], "type": "record" } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/service-protection/3.9.x.json b/schemas/service-protection/3.9.x.json new file mode 100644 index 00000000..81dcf6ac --- /dev/null +++ b/schemas/service-protection/3.9.x.json 
@@ -0,0 +1,543 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "route": { + "reference": "routes", + "type": "foreign", + "eq": null, + "description": "A reference to the 'routes' table with a null value allowed." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "fields": [ + { + "window_size": { + "required": true, + "type": "array", + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "elements": { + "type": "number" + } + } + }, + { + "window_type": { + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "type": "string", + "default": "sliding", + "one_of": [ + "fixed", + "sliding" + ] + } + }, + { + "limit": { + "required": true, + "type": "array", + "description": "One or more requests-per-window limits to apply. 
There must be a matching number of window limits and sizes specified.", + "elements": { + "type": "number" + } + } + }, + { + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + } + }, + { + "namespace": { + "auto": true, + "type": "string", + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", + "required": true + } + }, + { + "strategy": { + "required": true, + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "type": "string", + "default": "local", + "one_of": [ + "cluster", + "redis", + "local" + ] + } + }, + { + "dictionary_name": { + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "type": "string", + "default": "kong_rate_limiting_counters", + "required": true + } + }, + { + "lock_dictionary_name": { + "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. 
The shared dictionary should be declared in nginx-kong.conf.", + "type": "string", + "default": "kong_locks", + "required": true + } + }, + { + "hide_client_headers": { + "type": "boolean", + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters." + } + }, + { + "retry_after_jitter_max": { + "type": "number", + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header." + } + }, + { + "redis": { + "fields": [ + { + "host": { + "type": "string", + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "connect_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "send_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "read_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", + "referenceable": true, + "encrypted": true + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "between": [ + 1, + 2147483646 + ], + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. 
If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "one_of": [ + "master", + "slave", + "any" + ], + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "elements": { + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ], + "type": "record" + }, + "type": "array", + "required": false, + "len_min": 1 + } + }, + { + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "elements": { + "fields": [ + { + "ip": { + "type": "string", + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ } + } + ], + "type": "record" + }, + "type": "array", + "required": false, + "len_min": 1 + } + }, + { + "ssl": { + "required": false, + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "required": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "type": "boolean" + } + }, + { + "server_name": { + "type": "string", + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS." + } + }, + { + "cluster_max_redirections": { + "required": false, + "description": "Maximum retry attempts for redirection.", + "default": 5, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "required": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "default": false, + "type": "boolean" + } + } + ], + "required": true, + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array", + "len_min": 1, + "elements": { + "type": "string" + } + } + }, + { + "cluster_addresses": { + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array", + 
"len_min": 1, + "elements": { + "type": "string" + } + } + } + ] + } + }, + { + "disable_penalty": { + "type": "boolean", + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type." + } + }, + { + "error_code": { + "gt": 0, + "type": "number", + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded." + } + }, + { + "error_message": { + "type": "string", + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded." + } + } + ], + "type": "record", + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/session/3.9.x.json b/schemas/session/3.9.x.json index decea8f5..40ca6afc 100644 --- a/schemas/session/3.9.x.json +++ b/schemas/session/3.9.x.json @@ -1,16 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "description": "A set of strings representing protocols.", "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -34,14 +36,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
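Review bot: In the new `schemas/service-protection/3.9.x.json`, the `redis` record defaults both `ssl` and `ssl_verify` to `false`, while `password` and `sentinel_password` are marked `encrypted` and `referenceable`. As written, the credentials are protected at rest but presumably cross the network in cleartext to an unauthenticated peer unless the operator opts in, and neither description says so. I would extend the `ssl` description with something like `Defaults to false; enable together with ssl_verify when a password is configured or Redis is reached over an untrusted network.` Separately, the `strategy` description lists only `local` and `cluster` although `one_of` also admits `redis`, and `dictionary_name` refers to it. The sentence should read ``Available values are: `local`, `cluster` and `redis`.``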
@@ -51,11 +54,11 @@ { "secret": { "description": "The secret that is used in keyed HMAC generation.", - "required": false, "referenceable": true, + "required": false, "type": "string", - "encrypted": true, - "default": "7iK18YEanf6i9XHvNwzx4RpdmHdRN6nSpPxC1uQxfsse" + "default": "tbCs8vALEOKU7zxCnd2EibmRkcxihN3zpbR62Uwo2Zky", + "encrypted": true } }, { 
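Review bot: The `secret` field in this hunk publishes a concrete `default` for the key used in keyed HMAC generation, and the value differs between the old and new side of the dump, which suggests it is generated whenever the schema is loaded rather than being a fixed default. Committing it makes every schema refresh churn this line and invites readers to treat a published string as a usable secret. I would have the download step rewrite the value before the file is saved, e.g. `"default": "<generated-at-startup>"`, or drop the `default` key for this field. The description could also say that operators are expected to set their own value.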
@@ -71,57 +74,57 @@ }, { "audience": { - "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", "type": "string", - "default": "default" + "default": "default", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`." } }, { "idling_timeout": { - "description": "The session cookie idle time, in seconds.", "type": "number", - "default": 900 + "default": 900, + "description": "The session cookie idle time, in seconds." } }, { "rolling_timeout": { - "description": "The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed.", "type": "number", - "default": 3600 + "default": 3600, + "description": "The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed." } }, { "absolute_timeout": { - "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", "type": "number", - "default": 86400 + "default": 86400, + "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid." } }, { "stale_ttl": { - "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", "type": "number", - "default": 10 + "default": 10, + "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one." } }, { "cookie_name": { - "description": "The name of the cookie.", "type": "string", - "default": "session" + "default": "session", + "description": "The name of the cookie." 
} }, { "cookie_path": { - "description": "The resource in the host where the cookie is available.", "type": "string", - "default": "/" + "default": "/", + "description": "The resource in the host where the cookie is available." } }, { "cookie_domain": { - "description": "The domain with which the cookie is intended to be exchanged.", - "type": "string" + "type": "string", + "description": "The domain with which the cookie is intended to be exchanged." } }, { 
@@ -139,50 +142,50 @@ }, { "cookie_http_only": { - "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", "type": "boolean", - "default": true + "default": true, + "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server." } }, { "cookie_secure": { - "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", "type": "boolean", - "default": true + "default": true, + "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol." } }, { "remember": { - "description": "Enables or disables persistent sessions.", "type": "boolean", - "default": false + "default": false, + "description": "Enables or disables persistent sessions." } }, { "remember_cookie_name": { - "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", "type": "string", - "default": "remember" + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter." } }, { "remember_rolling_timeout": { - "description": "The persistent session rolling timeout window, in seconds.", "type": "number", - "default": 604800 + "default": 604800, + "description": "The persistent session rolling timeout window, in seconds." } }, { "remember_absolute_timeout": { - "description": "The persistent session absolute timeout limit, in seconds.", "type": "number", - "default": 2592000 + "default": 2592000, + "description": "The persistent session absolute timeout limit, in seconds." } }, { "response_headers": { - "description": "List of information to include, as headers, in the response to the downstream.", "type": "set", + "description": "List of information to include, as headers, in the response to the downstream.", "elements": { "type": "string", "one_of": [ 
@@ -199,8 +202,8 @@ }, { "request_headers": { - "description": "List of information to include, as headers, in the response to the downstream.", "type": "set", + "description": "List of information to include, as headers, in the response to the downstream.", "elements": { "type": "string", "one_of": [ @@ -223,8 +226,12 @@ }, { "logout_methods": { - "description": "A set of HTTP methods that the plugin will respond to.", "type": "set", + "description": "A set of HTTP methods that the plugin will respond to.", + "default": [ + "POST", + "DELETE" + ], "elements": { "type": "string", "one_of": [ @@ -232,25 +239,21 @@ "POST", "DELETE" ] - }, - "default": [ - "POST", - "DELETE" - ] + } } }, { "logout_query_arg": { - "description": "The query argument passed to logout requests.", "type": "string", - "default": "session_logout" + "default": "session_logout", + "description": "The query argument passed to logout requests." } }, { "logout_post_arg": { - "description": "The POST argument passed to logout requests. Do not change this property.", "type": "string", - "default": "session_logout" + "default": "session_logout", + "description": "The POST argument passed to logout requests. Do not change this property." } } ], @@ -295,8 +298,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/standard-webhooks/3.9.x.json b/schemas/standard-webhooks/3.9.x.json index c1cb595d..f4ec3310 100644 --- a/schemas/standard-webhooks/3.9.x.json +++ b/schemas/standard-webhooks/3.9.x.json @@ -1,16 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
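Review bot: The `request_headers` description on the new side still reads `List of information to include, as headers, in the response to the downstream.`, the same sentence used for `response_headers` in the previous hunk, so the two fields are documented identically. For a field named `request_headers` the text presumably should describe headers added to the proxied request, e.g. `List of information to include, as headers, in the request to the upstream.`. Because the file is downloaded, the wording needs to be corrected in the source the schema is pulled from, otherwise the next refresh restores it.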
@@ -27,7 +29,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { @@ -35,20 +38,20 @@ "fields": [ { "secret_v1": { - "description": "Webhook secret", "required": true, + "referenceable": true, "type": "string", - "encrypted": true, - "referenceable": true + "description": "Webhook secret", + "encrypted": true } }, { "tolerance_second": { - "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response.", + "gt": -1, "required": true, "type": "integer", - "gt": -1, - "default": 300 + "default": 300, + "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response." } } ], @@ -56,8 +59,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/statsd-advanced/3.9.x.json b/schemas/statsd-advanced/3.9.x.json index ed33f15a..99b7a511 100644 --- a/schemas/statsd-advanced/3.9.x.json +++ b/schemas/statsd-advanced/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -26,14 +28,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
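Review bot: In the `secret_v1` / `tolerance_second` hunk, `tolerance_second` is constrained only by `"gt": -1`, so there is no upper bound, and a very large value would effectively switch off the timestamp freshness check that limits replay of a captured webhook. The description also covers only timestamps older than the tolerance and does not say how timestamps ahead of the gateway clock are handled. I would extend the description with something like `Keep this value small; a large tolerance widens the window in which a captured webhook can be replayed.` and consider an upper `between` bound in the upstream schema.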
@@ -42,27 +45,27 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", "type": "string", - "default": "localhost" + "default": "localhost", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 8125 + "type": "integer", + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "prefix": { "description": "String to prefix to each metric's name.", - "type": "string", - "default": "kong" + "default": "kong", + "type": "string" } }, { 
@@ -71,72 +74,72 @@ "type": "array", "default": [ { - "stat_type": "counter", "sample_rate": 1, + "stat_type": "counter", "name": "request_count" }, { - "stat_type": "timer", - "name": "latency" + "name": "latency", + "stat_type": "timer" }, { - "stat_type": "timer", - "name": "request_size" + "name": "request_size", + "stat_type": "timer" }, { - "stat_type": "counter", "sample_rate": 1, + "stat_type": "counter", "name": "status_count" }, { - "stat_type": "timer", - "name": "response_size" + "name": "response_size", + "stat_type": "timer" }, { - "stat_type": "set", - "name": "unique_users" + "name": "unique_users", + "stat_type": "set" }, { - "stat_type": "counter", "sample_rate": 1, + "stat_type": "counter", "name": "request_per_user" }, { - "stat_type": "timer", - "name": "upstream_latency" + "name": "upstream_latency", + "stat_type": "timer" }, { - "stat_type": "timer", - "name": "kong_latency" + "name": "kong_latency", + "stat_type": "timer" }, { - "stat_type": "counter", "sample_rate": 1, + "stat_type": "counter", "name": "status_count_per_user" }, { - "stat_type": "counter", "sample_rate": 1, + "stat_type": "counter", "name": "status_count_per_workspace" }, { - "stat_type": "counter", "sample_rate": 1, + "stat_type": "counter", "name": "status_count_per_user_per_route" }, { - "stat_type": "gauge", "sample_rate": 1, + "stat_type": "gauge", "name": "shdict_usage" }, { - "stat_type": "counter", "sample_rate": 1, + "stat_type": "counter", "name": "cache_datastore_hits_total" }, { - "stat_type": "counter", "sample_rate": 1, + "stat_type": "counter", "name": "cache_datastore_misses_total" } ], @@ -144,8 +147,6 @@ "fields": [ { "name": { - "type": "string", - "required": true, "one_of": [ "kong_latency", "latency", @@ -162,13 +163,13 @@ "shdict_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" - ] + ], + "type": "string", + "required": true } }, { "stat_type": { - "type": "string", - "required": true, "one_of": [ "counter", "gauge", 
@@ -176,7 +177,9 @@ "meter", "set", "timer" - ] + ], + "type": "string", + "required": true } }, { @@ -220,13 +223,13 @@ "entity_checks": [ { "conditional": { - "if_field": "name", "if_match": { "one_of": [ "unique_users" ] }, "then_field": "stat_type", + "if_field": "name", "then_match": { "eq": "set" } @@ -234,7 +237,6 @@ }, { "conditional": { - "if_field": "name", "if_match": { "one_of": [ "request_count", @@ -248,6 +250,7 @@ ] }, "then_field": "stat_type", + "if_field": "name", "then_match": { "eq": "counter" } @@ -255,13 +258,13 @@ }, { "conditional": { - "if_field": "name", "if_match": { "one_of": [ "shdict_usage" ] }, "then_field": "stat_type", + "if_field": "name", "then_match": { "eq": "gauge" } @@ -269,7 +272,6 @@ }, { "conditional": { - "if_field": "stat_type", "if_match": { "one_of": [ "counter", @@ -277,6 +279,7 @@ ] }, "then_field": "sample_rate", + "if_field": "stat_type", "then_match": { "required": true } 
@@ -291,73 +294,73 @@ "description": "List of status code ranges that are allowed to be logged in metrics.", "type": "array", "elements": { - "type": "string", - "match": "^[0-9]+-[0-9]+$" + "match": "^[0-9]+-[0-9]+$", + "type": "string" } } }, { "udp_packet_size": { - "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", - "type": "number", "between": [ 0, 65507 ], - "default": 0 + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", + "default": 0, + "type": "number" } }, { "use_tcp": { "description": "Use TCP instead of UDP.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "hostname_in_prefix": { "description": "Include the `hostname` in the `prefix` for each metric name.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "consumer_identifier_default": { "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", "required": true, + "type": "string", + "default": "custom_id", "one_of": [ "consumer_id", "custom_id", "username" - ], - "type": "string", - "default": "custom_id" + ] } }, { "service_identifier_default": { "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", "required": true, + "type": "string", + "default": "service_name_or_host", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ], - "type": "string", - "default": "service_name_or_host" + ] } }, { "workspace_identifier_default": { "description": "The default workspace identifier for metrics. 
This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", "required": true, + "type": "string", + "default": "workspace_id", "one_of": [ "workspace_id", "workspace_name" - ], - "type": "string", - "default": "workspace_id" + ] } }, { 
@@ -365,81 +368,81 @@ "fields": [ { "max_batch_size": { - "description": "Maximum number of entries that can be processed at a time.", - "type": "integer", "between": [ 1, 1000000 ], - "default": 1 + "type": "integer", + "default": 1, + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "type": "number", "between": [ 0, 3600 ], - "default": 1 + "type": "number", + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "description": "Maximum number of entries that can be waiting on the queue.", - "type": "integer", "between": [ 1, 1000000 ], - "default": 10000 + "type": "integer", + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue." } }, { "max_bytes": { - "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", - "type": "integer" + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." } }, { "max_retry_time": { - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number", - "default": 60 + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { - "description": "Time in seconds before the initial retry is made for a failing batch.", - "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01 + "type": "number", + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch." 
} }, { "max_retry_delay": { - "description": "Maximum time in seconds between retries, caps exponential backoff.", - "type": "number", "between": [ 0.001, 1000000 ], - "default": 60 + "type": "number", + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff." } }, { "concurrency_limit": { - "description": "The number of of queue delivery timers. -1 indicates unlimited.", - "type": "integer", - "default": 1, "one_of": [ -1, 1 - ] + ], + "type": "integer", + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited." } } ], @@ -452,8 +455,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/statsd/3.9.x.json b/schemas/statsd/3.9.x.json index 9d9a047a..eb843f36 100644 --- a/schemas/statsd/3.9.x.json +++ b/schemas/statsd/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -26,14 +28,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
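Review bot: The `concurrency_limit` description on the new side contains a doubled word, `The number of of queue delivery timers. -1 indicates unlimited.`; it should read `The number of queue delivery timers. -1 indicates unlimited.`. The same sentence appears in the `queue` hunk of `schemas/statsd/3.9.x.json` further down. Since `one_of` admits only `-1` and `1`, the description could also state that these are the only accepted values.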
@@ -43,102 +46,102 @@ { "host": { "description": "The IP address or hostname of StatsD server to send data to.", - "type": "string", - "default": "localhost" + "default": "localhost", + "type": "string" } }, { "port": { - "description": "The port of StatsD server to send data to.", - "type": "integer", "between": [ 0, 65535 ], - "default": 8125 + "description": "The port of StatsD server to send data to.", + "default": 8125, + "type": "integer" } }, { "prefix": { - "description": "String to prefix to each metric's name.", "type": "string", - "default": "kong" + "default": "kong", + "description": "String to prefix to each metric's name." } }, { "metrics": { - "description": "List of metrics to be logged.", "type": "array", + "description": "List of metrics to be logged.", "default": [ { + "name": "request_count", "stat_type": "counter", - "sample_rate": 1, - "name": "request_count" + "sample_rate": 1 }, { - "stat_type": "timer", - "name": "latency" + "name": "latency", + "stat_type": "timer" }, { + "name": "request_size", "stat_type": "counter", - "sample_rate": 1, - "name": "request_size" + "sample_rate": 1 }, { + "name": "status_count", "stat_type": "counter", - "sample_rate": 1, - "name": "status_count" + "sample_rate": 1 }, { + "name": "response_size", "stat_type": "counter", - "sample_rate": 1, - "name": "response_size" + "sample_rate": 1 }, { - "stat_type": "set", - "name": "unique_users" + "name": "unique_users", + "stat_type": "set" }, { + "name": "request_per_user", "stat_type": "counter", - "sample_rate": 1, - "name": "request_per_user" + "sample_rate": 1 }, { - "stat_type": "timer", - "name": "upstream_latency" + "name": "upstream_latency", + "stat_type": "timer" }, { - "stat_type": "timer", - "name": "kong_latency" + "name": "kong_latency", + "stat_type": "timer" }, { + "name": "status_count_per_user", "stat_type": "counter", - "sample_rate": 1, - "name": "status_count_per_user" + "sample_rate": 1 }, { - "stat_type": "counter", "sample_rate": 1, + 
"stat_type": "counter", "name": "status_count_per_workspace" }, { + "name": "status_count_per_user_per_route", "stat_type": "counter", - "sample_rate": 1, - "name": "status_count_per_user_per_route" + "sample_rate": 1 }, { + "name": "shdict_usage", "stat_type": "gauge", - "sample_rate": 1, - "name": "shdict_usage" + "sample_rate": 1 }, { - "stat_type": "counter", "sample_rate": 1, + "stat_type": "counter", "name": "cache_datastore_hits_total" }, { - "stat_type": "counter", "sample_rate": 1, + "stat_type": "counter", "name": "cache_datastore_misses_total" } ], @@ -146,9 +149,9 @@ "fields": [ { "name": { - "description": "StatsD metric’s name.", - "type": "string", "required": true, + "type": "string", + "description": "StatsD metric’s name.", "one_of": [ "kong_latency", "latency", @@ -170,9 +173,9 @@ }, { "stat_type": { - "description": "Determines what sort of event a metric represents.", - "type": "string", "required": true, + "type": "string", + "description": "Determines what sort of event a metric represents.", "one_of": [ "counter", "gauge", @@ -185,42 +188,42 @@ }, { "sample_rate": { - "description": "Sampling rate", + "gt": 0, "type": "number", - "gt": 0 + "description": "Sampling rate" } }, { "consumer_identifier": { - "description": "Authenticated user detail.", - "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ] + ], + "type": "string", + "description": "Authenticated user detail." } }, { "service_identifier": { - "description": "Service detail.", - "type": "string", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ] + ], + "type": "string", + "description": "Service detail." } }, { "workspace_identifier": { - "description": "Workspace detail.", - "type": "string", "one_of": [ "workspace_id", "workspace_name" - ] + ], + "type": "string", + "description": "Workspace detail." } } ], 
@@ -228,7 +231,6 @@ "entity_checks": [ { "conditional": { - "if_field": "stat_type", "if_match": { "one_of": [ "counter", @@ -236,6 +238,7 @@ ] }, "then_field": "sample_rate", + "if_field": "stat_type", "then_match": { "required": true } @@ -247,21 +250,21 @@ }, { "allow_status_codes": { - "description": "List of status code ranges that are allowed to be logged in metrics.", "type": "array", + "description": "List of status code ranges that are allowed to be logged in metrics.", "elements": { - "type": "string", - "match": "^[0-9]+-[0-9]+$" + "match": "^[0-9]+-[0-9]+$", + "type": "string" } } }, { "udp_packet_size": { - "type": "number", "between": [ 0, 65507 ], + "type": "number", "default": 0 } }, @@ -279,9 +282,9 @@ }, { "consumer_identifier_default": { - "default": "custom_id", - "type": "string", "required": true, + "type": "string", + "default": "custom_id", "one_of": [ "consumer_id", "custom_id", @@ -291,9 +294,9 @@ }, { "service_identifier_default": { - "default": "service_name_or_host", - "type": "string", "required": true, + "type": "string", + "default": "service_name_or_host", "one_of": [ "service_id", "service_name", @@ -304,9 +307,9 @@ }, { "workspace_identifier_default": { - "default": "workspace_id", - "type": "string", "required": true, + "type": "string", + "default": "workspace_id", "one_of": [ "workspace_id", "workspace_name" 
@@ -315,44 +318,44 @@ }, { "retry_count": { - "type": "integer", "deprecation": { "old_default": 10, "message": "statsd: config.retry_count no longer works, please use config.queue.max_retry_time instead", "removal_in_version": "4.0" - } + }, + "type": "integer" } }, { "queue_size": { - "type": "integer", "deprecation": { "old_default": 1, "message": "statsd: config.queue_size is deprecated, please use config.queue.max_batch_size instead", "removal_in_version": "4.0" - } + }, + "type": "integer" } }, { "flush_timeout": { - "type": "number", "deprecation": { "old_default": 2, "message": "statsd: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", "removal_in_version": "4.0" - } + }, + "type": "number" } }, { "tag_style": { - "type": "string", - "required": false, "one_of": [ "dogstatsd", "influxdb", "librato", "signalfx" - ] + ], + "type": "string", + "required": false } }, { 
@@ -360,81 +363,81 @@ "fields": [ { "max_batch_size": { - "description": "Maximum number of entries that can be processed at a time.", - "type": "integer", "between": [ 1, 1000000 ], - "default": 1 + "type": "integer", + "default": 1, + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "type": "number", "between": [ 0, 3600 ], - "default": 1 + "type": "number", + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "description": "Maximum number of entries that can be waiting on the queue.", - "type": "integer", "between": [ 1, 1000000 ], - "default": 10000 + "type": "integer", + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue." } }, { "max_bytes": { - "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", - "type": "integer" + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." } }, { "max_retry_time": { - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number", - "default": 60 + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { - "description": "Time in seconds before the initial retry is made for a failing batch.", - "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01 + "type": "number", + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch." 
} }, { "max_retry_delay": { - "description": "Maximum time in seconds between retries, caps exponential backoff.", - "type": "number", "between": [ 0.001, 1000000 ], - "default": 60 + "type": "number", + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff." } }, { "concurrency_limit": { - "description": "The number of of queue delivery timers. -1 indicates unlimited.", - "type": "integer", - "default": 1, "one_of": [ -1, 1 - ] + ], + "type": "integer", + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited." } } ], @@ -447,8 +450,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/syslog/3.9.x.json b/schemas/syslog/3.9.x.json index 5daf010a..dcb804dc 100644 --- a/schemas/syslog/3.9.x.json +++ b/schemas/syslog/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -26,14 +28,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -42,9 +45,9 @@ "fields": [ { "log_level": { - "default": "info", "required": true, "type": "string", + "default": "info", "one_of": [ "debug", "info", @@ -59,9 +62,9 @@ }, { "successful_severity": { - "default": "info", "required": true, "type": "string", + "default": "info", "one_of": [ "debug", "info", @@ -76,9 +79,9 @@ }, { "client_errors_severity": { - "default": "info", "required": true, "type": "string", + "default": "info", "one_of": [ "debug", "info", 
@@ -93,9 +96,9 @@ }, { "server_errors_severity": { - "default": "info", "required": true, "type": "string", + "default": "info", "one_of": [ "debug", "info", @@ -115,17 +118,19 @@ "len_min": 1 }, "type": "map", + "description": "Lua code as a key-value map", "values": { - "type": "string", - "len_min": 1 - }, - "description": "Lua code as a key-value map" + "len_min": 1, + "type": "string" + } } }, { "facility": { - "description": "The facility is used by the operating system to decide how to handle each log message.", "required": true, + "description": "The facility is used by the operating system to decide how to handle each log message.", + "type": "string", + "default": "user", "one_of": [ "auth", "authpriv", @@ -147,9 +152,7 @@ "local5", "local6", "local7" - ], - "type": "string", - "default": "user" + ] } } ], @@ -157,8 +160,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/tcp-log/3.9.x.json b/schemas/tcp-log/3.9.x.json index 3edb1e1e..3c8ed554 100644 --- a/schemas/tcp-log/3.9.x.json +++ b/schemas/tcp-log/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -26,14 +28,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -42,42 +45,42 @@ "fields": [ { "host": { - "description": "The IP address or host name to send data to.", "required": true, + "description": "The IP address or host name to send data to.", "type": "string" } }, { "port": { - "description": "The port to send data to on the upstream server.", - "required": true, "between": [ 0, 65535 ], + "required": true, + "description": "The port to send data to on the upstream server.", "type": "integer" } }, { "timeout": { - "description": "An optional timeout in milliseconds when sending data to the upstream server.", "type": "number", - "default": 10000 + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server." } }, { "keepalive": { - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", "type": "number", - "default": 60000 + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." } }, { "tls": { "description": "Indicates whether to perform a TLS handshake against the remote server.", - "required": true, "type": "boolean", - "default": false + "default": false, + "required": true } }, { @@ -88,15 +91,15 @@ }, { "custom_fields_by_lua": { - "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", - "type": "map", - "values": { - "type": "string", - "len_min": 1 - }, "keys": { "type": "string", "len_min": 1 + }, + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", + "type": "map", + "values": { + "len_min": 1, + "type": "string" } } } @@ -105,8 +108,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
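Review bot: `tls` defaults to `false` in this hunk, so with the defaults log entries are sent to `host` and `port` over plain TCP, and the description does not say so. Log entries presumably carry request metadata, so I would add a sentence to the `tls` description such as `When false, log data is sent unencrypted; enable this when the log server is reached over a network you do not control.`. The `custom_fields_by_lua` field in the next hunk takes chunks of Lua code as values, and its description could state that only trusted administrators should be able to set it.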
diff --git a/schemas/tls-handshake-modifier/3.9.x.json b/schemas/tls-handshake-modifier/3.9.x.json index 0ce0806f..9adc3a78 100644 --- a/schemas/tls-handshake-modifier/3.9.x.json +++ b/schemas/tls-handshake-modifier/3.9.x.json @@ -1,21 +1,24 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "required": true, + "type": "set", "default": [ "https", "grpcs" ], - "required": true, - "type": "set", "elements": { "type": "string", "one_of": [ @@ -29,8 +32,8 @@ { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -41,11 +44,11 @@ "tls_client_certificate": { "description": "TLS Client Certificate", "required": false, + "type": "string", + "default": "REQUEST", "one_of": [ "REQUEST" - ], - "type": "string", - "default": "REQUEST" + ] } } ], @@ -53,8 +56,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/tls-metadata-headers/3.9.x.json b/schemas/tls-metadata-headers/3.9.x.json index 70e69c6b..085bf711 100644 --- a/schemas/tls-metadata-headers/3.9.x.json +++ b/schemas/tls-metadata-headers/3.9.x.json @@ -1,21 +1,24 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "type": "set", + "required": true, "default": [ "https", "grpcs" ], - "required": true, - "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -29,8 +32,8 @@ { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -39,49 +42,49 @@ "fields": [ { "inject_client_cert_details": { - "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", "type": "boolean", - "default": false + "default": false, + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers." } }, { "client_cert_header_name": { - "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", "type": "string", - "required": true, - "default": "X-Client-Cert" + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", + "default": "X-Client-Cert", + "required": true } }, { "client_serial_header_name": { - "description": "Define the HTTP header name used for the serial number of the client certificate.", "type": "string", - "required": true, - "default": "X-Client-Cert-Serial" + "description": "Define the HTTP header name used for the serial number of the client certificate.", + "default": "X-Client-Cert-Serial", + "required": true } }, { "client_cert_issuer_dn_header_name": { - "description": "Define the HTTP header name used for the issuer DN of the client certificate.", "type": "string", - "required": true, - "default": "X-Client-Cert-Issuer-DN" + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", + "default": "X-Client-Cert-Issuer-DN", + "required": true } }, { "client_cert_subject_dn_header_name": { - "description": "Define the HTTP header name used for the subject DN of the client certificate.", "type": "string", - "required": true, - "default": "X-Client-Cert-Subject-DN" + "description": "Define the HTTP header name used for the subject DN of the client certificate.", + "default": "X-Client-Cert-Subject-DN", + "required": true } }, { "client_cert_fingerprint_header_name": { - "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", "type": "string", - 
"required": true, - "default": "X-Client-Cert-Fingerprint" + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", + "default": "X-Client-Cert-Fingerprint", + "required": true } } ], @@ -89,8 +92,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/udp-log/3.9.x.json b/schemas/udp-log/3.9.x.json index d8176b5d..5f2d8c53 100644 --- a/schemas/udp-log/3.9.x.json +++ b/schemas/udp-log/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -26,14 +28,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -42,27 +45,27 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", + "type": "string", "required": true, - "type": "string" + "description": "A string representing a host name, such as example.com." } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": true, "between": [ 0, 65535 ], - "type": "integer" + "required": true, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "timeout": { - "description": "An optional timeout in milliseconds when sending data to the upstream server.", "type": "number", - "default": 10000 + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server." } }, { 
@@ -72,11 +75,11 @@ "len_min": 1 }, "type": "map", + "description": "Lua code as a key-value map", "values": { - "type": "string", - "len_min": 1 - }, - "description": "Lua code as a key-value map" + "len_min": 1, + "type": "string" + } } } ], @@ -84,8 +87,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/upstream-oauth/3.9.x.json b/schemas/upstream-oauth/3.9.x.json index cb3d6cdc..c7123240 100644 --- a/schemas/upstream-oauth/3.9.x.json +++ b/schemas/upstream-oauth/3.9.x.json @@ -1,8 +1,23 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,7 +34,8 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { @@ -38,8 +54,8 @@ "client_secret_jwt", "none" ], - "type": "string", - "default": "client_secret_post" + "default": "client_secret_post", + "type": "string" } }, { 
@@ -50,79 +66,79 @@ "HS512", "HS256" ], - "type": "string", - "default": "HS512" + "default": "HS512", + "type": "string" } }, { "http_version": { "description": "The HTTP version used for requests made by this plugin. Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", - "required": false, "type": "number", - "default": 1.1 + "default": 1.1, + "required": false } }, { "http_proxy": { - "description": "The proxy to use when making HTTP requests to the IdP.", "required": false, + "description": "The proxy to use when making HTTP requests to the IdP.", "type": "string" } }, { "http_proxy_authorization": { - "description": "The `Proxy-Authorization` header value to be used with `http_proxy`.", + "required": false, "type": "string", - "required": false + "description": "The `Proxy-Authorization` header value to be used with `http_proxy`." } }, { "https_proxy": { - "description": "The proxy to use when making HTTPS requests to the IdP.", "required": false, + "description": "The proxy to use when making HTTPS requests to the IdP.", "type": "string" } }, { "https_proxy_authorization": { - "description": "The `Proxy-Authorization` header value to be used with `https_proxy`.", + "required": false, "type": "string", - "required": false + "description": "The `Proxy-Authorization` header value to be used with `https_proxy`." } }, { "no_proxy": { - "description": "A comma-separated list of hosts that should not be proxied.", + "required": false, "type": "string", - "required": false + "description": "A comma-separated list of hosts that should not be proxied." 
} }, { "timeout": { "description": "Network I/O timeout for requests to the IdP in milliseconds.", - "required": true, "between": [ 0, 2147483646 ], "type": "integer", - "default": 10000 + "default": 10000, + "required": true } }, { "keep_alive": { - "description": "Whether to use keepalive connections to the IdP.", "type": "boolean", - "required": true, - "default": true + "description": "Whether to use keepalive connections to the IdP.", + "default": true, + "required": true } }, { "ssl_verify": { - "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", "type": "boolean", - "required": false, - "default": false + "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", + "default": false, + "required": false } } ], @@ -135,34 +151,34 @@ "fields": [ { "token_endpoint": { - "description": "The token endpoint URI.", "required": true, + "description": "The token endpoint URI.", "type": "string" } }, { "token_headers": { - "description": "Extra headers to be passed in the token endpoint request.", - "type": "map", - "values": { - "type": "string", - "referenceable": true - }, "keys": { "description": "A string representing an HTTP header name.", "type": "string" + }, + "type": "map", + "description": "Extra headers to be passed in the token endpoint request.", + "values": { + "referenceable": true, + "type": "string" } } }, { "token_post_args": { - "description": "Extra post arguments to be passed in the token endpoint request.", + "keys": { + "type": "string" + }, "type": "map", + "description": "Extra post arguments to be passed in the token endpoint request.", "values": { - "type": "string", - "referenceable": true - }, - "keys": { + "referenceable": true, "type": "string" } } 
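Review bot: `ssl_verify` in schemas/upstream-oauth/3.9.x.json keeps `"default": false`, so the plugin does not verify the IdP's certificate unless an operator turns it on, and the description never says that. The same config carries `client_secret` and `password` (a later hunk of this file), which presumably travel to `token_endpoint`, so leaving the peer unverified by default deserves an explicit sentence. I would extend the description to `Whether to verify the certificate presented by the IdP when using HTTPS. Defaults to false; enable it so the token request is only sent to a verified IdP.` The enclosing record starts outside this hunk. If these files are pulled from the gateway's schema API, as the series suggests, the wording change belongs in the upstream schema.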
@@ -175,49 +191,48 @@ "client_credentials", "password" ], - "type": "string", - "default": "client_credentials" + "default": "client_credentials", + "type": "string" } }, { "client_id": { - "description": "The client ID for the application registration in the IdP.", "required": false, - "type": "string", "referenceable": true, + "type": "string", + "description": "The client ID for the application registration in the IdP.", "encrypted": true } }, { "client_secret": { - "description": "The client secret for the application registration in the IdP.", "required": false, - "type": "string", "referenceable": true, + "type": "string", + "description": "The client secret for the application registration in the IdP.", "encrypted": true } }, { "username": { - "description": "The username to use if `config.oauth.grant_type` is set to `password`.", "required": false, - "type": "string", "referenceable": true, + "type": "string", + "description": "The username to use if `config.oauth.grant_type` is set to `password`.", "encrypted": true } }, { "password": { - "description": "The password to use if `config.oauth.grant_type` is set to `password`.", "required": false, - "type": "string", "referenceable": true, + "type": "string", + "description": "The password to use if `config.oauth.grant_type` is set to `password`.", "encrypted": true } }, { "scopes": { - "description": "List of scopes to request from the IdP when obtaining a new token.", "required": false, "elements": { "type": "string" @@ -225,12 +240,12 @@ "type": "array", "default": [ "openid" - ] + ], + "description": "List of scopes to request from the IdP when obtaining a new token." } }, { "audience": { - "description": "List of audiences passed to the IdP when obtaining a new token.", "required": false, "elements": { "type": "string" @@ -238,7 +253,8 @@ "type": "array", "default": [ - ] + ], + "description": "List of audiences passed to the IdP when obtaining a new token." } } ], 
@@ -257,8 +273,8 @@ "memory", "redis" ], - "type": "string", - "default": "memory" + "default": "memory", + "type": "string" } }, { @@ -266,10 +282,10 @@ "fields": [ { "dictionary_name": { - "description": "The shared dictionary used by the plugin to cache tokens if `config.cache.strategy` is set to `memory`.", "type": "string", - "required": true, - "default": "kong_db_cache" + "description": "The shared dictionary used by the plugin to cache tokens if `config.cache.strategy` is set to `memory`.", + "default": "kong_db_cache", + "required": true } } ], 
@@ -282,58 +298,60 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com." } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { 
@@ -347,8 +365,8 @@ { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { 
@@ -362,29 +380,29 @@ { "database": { "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer", - "default": 0 + "default": 0, + "type": "integer" } }, { "keepalive_pool_size": { - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer", "between": [ 1, 2147483646 ], - "default": 256 + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer" } }, { "keepalive_backlog": { - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." } }, { 
@@ -395,155 +413,126 @@ }, { "sentinel_role": { - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_nodes": { "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "required": false, "elements": { "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", + "required": false, "len_min": 1 } }, { "cluster_nodes": { "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", - "required": false, "elements": { "fields": [ { "ip": { - "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string", - "default": "127.0.0.1" + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "required": true } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 ], - "default": 6379 + "type": "integer", + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "type": "record" }, "type": "array", + "required": false, "len_min": 1 } }, { "ssl": { - "description": "If set to true, uses SSL to connect to Redis.", "required": false, - "type": "boolean", - "default": false + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "type": "boolean" } }, { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, - "type": "boolean", - "default": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string", "required": false, - "type": "string" + "description": "A string representing an SNI (server name indication) value for TLS." 
} }, { "cluster_max_redirections": { - "description": "Maximum retry attempts for redirection.", "required": false, - "type": "integer", - "default": 5 + "description": "Maximum retry attempts for redirection.", + "default": 5, + "type": "integer" } }, { "connection_is_proxied": { - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "required": false, - "type": "boolean", - "default": false + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "default": false, + "type": "boolean" } } ], + "required": true, "entity_checks": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } + "mutually_required": [ + "host", + "port" + ] }, { "mutually_required": [ @@ -552,12 +541,6 @@ "sentinel_nodes" ] }, - { - "mutually_required": [ - "host", - "port" - ] - }, { "mutually_required": [ "connect_timeout", @@ -567,11 +550,11 @@ }, { "conditional": { - "if_field": "connection_is_proxied", "if_match": { "eq": true }, "then_field": "host", + "if_field": "connection_is_proxied", "then_match": { "required": true } @@ -609,11 +592,9 @@ "shorthand_fields": [ { "timeout": { - "type": "integer", - "translate_backwards": [ - "connect_timeout" - ], "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
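Review bot: The Redis record's `entity_checks` in this hunk lose all three `mutually_exclusive_sets` entries, so the schema no longer rejects a config that sets `cluster_nodes` together with the `sentinel_*` fields, or either of them together with `host`/`port`. An earlier hunk of this file adds `"default": "127.0.0.1"` for `host` and `"default": 6379` for `port`, which is presumably why the checks were dropped, but nothing on the new side says which connection mode wins when more than one is configured. I would state the precedence in the `sentinel_nodes` and `cluster_nodes` descriptions once it is confirmed against the implementation. Separately, `ssl` and `ssl_verify` both keep `"default": false` here while this Redis presumably holds the cached IdP tokens, and their descriptions could say that the default connection is unencrypted and unverified.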
@@ -630,27 +611,26 @@ "read_timeout" ] } - ], - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - } + ] + }, + "type": "integer" } }, { "sentinel_addresses": { "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ], - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } @@ -659,42 +639,41 @@ { "cluster_addresses": { "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ], - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0" + ] }, - "len_min": 1, "type": "array", + "len_min": 1, "elements": { "type": "string" } } } - ], - "required": true + ] } }, { "eagerly_expire": { + "gt": -1, "description": "The number of seconds to eagerly expire a cached token. By default, a cached token expires 5 seconds before its lifetime as defined in `expires_in`.", - "required": true, "type": "integer", - "gt": -1, - "default": 5 + "default": 5, + "required": true } }, { "default_ttl": { - "description": "The lifetime of a token without an explicit `expires_in` value.", - "type": "number", "gt": 0, - "default": 3600 + "description": "The lifetime of a token without an explicit `expires_in` value.", + "default": 3600, + "type": "number" } } ], 
@@ -710,20 +689,20 @@ "description": "The name of the header used to send the access token (obtained from the IdP) to the upstream service.", "len_min": 0, "type": "string", - "required": true, - "default": "Authorization" + "default": "Authorization", + "required": true } }, { "idp_error_response_status_code": { - "description": "The response code to return to the consumer if Kong fails to obtain a token from the IdP.", "required": true, "between": [ 500, 599 ], "type": "integer", - "default": 502 + "default": 502, + "description": "The response code to return to the consumer if Kong fails to obtain a token from the IdP." } }, { @@ -731,8 +710,8 @@ "description": "The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP.", "len_min": 0, "type": "string", - "required": true, - "default": "application/json; charset=utf-8" + "default": "application/json; charset=utf-8", + "required": true } }, { @@ -740,8 +719,8 @@ "description": "The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", "len_min": 0, "type": "string", - "required": true, - "default": "Failed to authenticate request to upstream" + "default": "Failed to authenticate request to upstream", + "required": true } }, { @@ -749,8 +728,8 @@ "description": "The template to use to create the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", "len_min": 0, "type": "string", - "required": true, - "default": "{ \"code\": \"{{status}}\", \"message\": \"{{message}}\" }" + "default": "{ \"code\": \"{{status}}\", \"message\": \"{{message}}\" }", + "required": true } }, { @@ -779,21 +758,5 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - }, - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file 
diff --git a/schemas/upstream-timeout/3.9.x.json b/schemas/upstream-timeout/3.9.x.json index 279be9a0..50754606 100644 --- a/schemas/upstream-timeout/3.9.x.json +++ b/schemas/upstream-timeout/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,14 +21,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -35,32 +38,32 @@ "fields": [ { "read_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "connect_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } } ], @@ -68,8 +71,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/vault-auth/3.9.x.json b/schemas/vault-auth/3.9.x.json index 9fc64449..6e311ded 100644 --- a/schemas/vault-auth/3.9.x.json +++ b/schemas/vault-auth/3.9.x.json 
@@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -19,22 +21,23 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -44,40 +47,40 @@ { "access_token_name": { "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", - "required": true, "elements": { "description": "A string representing an HTTP header name.", "type": "string" }, "type": "string", - "default": "access_token" + "default": "access_token", + "required": true } }, { "secret_token_name": { "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", - "required": true, "elements": { "description": "A string representing an HTTP header name.", "type": "string" }, "type": "string", - "default": "secret_token" + "default": "secret_token", + "required": true } }, { "vault": { - "reference": "vault_auth_vaults", - "type": "foreign", "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", - "required": true + "type": "foreign", + "required": true, + "reference": "vault_auth_vaults" } }, { "hide_credentials": { - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. 
the header or querystring containing the key) before proxying it.", "type": "boolean", - "default": false + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it." } }, { @@ -88,16 +91,16 @@ }, { "tokens_in_body": { - "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", "type": "boolean", - "default": false + "default": false, + "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." } }, { "run_on_preflight": { - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", "type": "boolean", - "default": true + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed." } } ], @@ -105,8 +108,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/websocket-size-limit/3.9.x.json b/schemas/websocket-size-limit/3.9.x.json index fab7b3bc..c2e27b6e 100644 --- a/schemas/websocket-size-limit/3.9.x.json +++ b/schemas/websocket-size-limit/3.9.x.json 
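Review bot: `hide_credentials` in schemas/vault-auth/3.9.x.json keeps `"default": false`, so by default the access token and secret token sent by the client are passed on to the upstream service, yet the description presents this as a neutral show/hide choice. Because `access_token_name` and `secret_token_name` are also read from the querystring, the forwarded values may end up in upstream request logs. I would append to the description `The default (false) forwards the credential to the upstream service; set to true unless the upstream needs it.` Also in this hunk, `access_token_name` and `secret_token_name` declare `"type": "string"` next to an `elements` block while their descriptions speak of an array, so one of the two is presumably stale.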
@@ -1,13 +1,16 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { + "type": "set", + "required": true, "default": [ "ws", "wss" ], - "required": true, - "type": "set", "elements": { "type": "string", "one_of": [ @@ -20,8 +23,8 @@ { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -30,21 +33,21 @@ "fields": [ { "client_max_payload": { - "type": "integer", "between": [ 1, 33554432 ], + "type": "integer", "required": false } }, { "upstream_max_payload": { - "type": "integer", "between": [ 1, 33554432 ], + "type": "integer", "required": false } } @@ -61,8 +64,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/websocket-validator/3.9.x.json b/schemas/websocket-validator/3.9.x.json index 6fb55087..8ab02969 100644 --- a/schemas/websocket-validator/3.9.x.json +++ b/schemas/websocket-validator/3.9.x.json @@ -1,13 +1,16 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { + "type": "set", + "required": true, "default": [ "ws", "wss" ], - "required": true, - "type": "set", "elements": { "type": "string", "one_of": [ @@ -20,8 +23,8 @@ { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -36,9 +39,9 @@ "fields": [ { "type": { - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", - "type": "string", "required": true, + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" ] 
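Review bot: In schemas/websocket-validator/3.9.x.json the `type` description in this hunk names the upstream binary schema path, and the identical text is repeated in the three other `type` hunks of the file (`-71,9`, `-122,9`, `-157,9`). All four `schema` descriptions likewise say `upstream-originated binary frames`. The four records presumably cover different combinations of direction and frame kind (their enclosing keys are outside the hunks), so at most one pair can be described correctly. Each description should name its own config path and frame kind, so that an operator can tell which validator applies to client-originated traffic.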
@@ -47,12 +50,11 @@ { "schema": { "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "type": "string", - "required": true + "required": true, + "type": "string" } } ], - "required": false, "type": "record", "entity_checks": [ { @@ -63,7 +65,8 @@ ] } } - ] + ], + "required": false } }, { @@ -71,9 +74,9 @@ "fields": [ { "type": { - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", - "type": "string", "required": true, + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" ] @@ -82,12 +85,11 @@ { "schema": { "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "type": "string", - "required": true + "required": true, + "type": "string" } } ], - "required": false, "type": "record", "entity_checks": [ { @@ -98,11 +100,11 @@ ] } } - ] + ], + "required": false } } ], - "required": false, "type": "record", "entity_checks": [ { @@ -111,7 +113,8 @@ "binary" ] } - ] + ], + "required": false } }, { @@ -122,9 +125,9 @@ "fields": [ { "type": { - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", - "type": "string", "required": true, + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" ] 
@@ -133,12 +136,11 @@ { "schema": { "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "type": "string", - "required": true + "required": true, + "type": "string" } } ], - "required": false, "type": "record", "entity_checks": [ { @@ -149,7 +151,8 @@ ] } } - ] + ], + "required": false } }, { @@ -157,9 +160,9 @@ "fields": [ { "type": { - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", - "type": "string", "required": true, + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "one_of": [ "draft4" ] @@ -168,12 +171,11 @@ { "schema": { "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "type": "string", - "required": true + "required": true, + "type": "string" } } ], - "required": false, "type": "record", "entity_checks": [ { @@ -184,11 +186,11 @@ ] } } - ] + ], + "required": false } } ], - "required": false, "type": "record", "entity_checks": [ { @@ -197,7 +199,8 @@ "binary" ] } - ] + ], + "required": false } } ], @@ -213,8 +216,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/xml-threat-protection/3.9.x.json b/schemas/xml-threat-protection/3.9.x.json index d9f354ae..b6b4af74 100644 --- a/schemas/xml-threat-protection/3.9.x.json +++ b/schemas/xml-threat-protection/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
@@ -19,14 +21,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -36,218 +39,218 @@ { "checked_content_types": { "description": "A list of Content-Type values with payloads that must be validated.", - "required": true, "elements": { "required": true, - "type": "string", - "match": "^[^%s]+%/[^ ;]+$" + "match": "^[^%s]+%/[^ ;]+$", + "type": "string" }, "type": "set", "default": [ "application/xml" - ] + ], + "required": true } }, { "allowed_content_types": { "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", - "required": true, "elements": { "required": true, - "type": "string", - "match": "^[^%s]+%/[^ ;]+$" + "match": "^[^%s]+%/[^ ;]+$", + "type": "string" }, "type": "set", "default": [ - ] + ], + "required": true } }, { "allow_dtd": { "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", "type": "boolean", - "required": true, - "default": false + "default": false, + "required": true } }, { "namespace_aware": { "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", "type": "boolean", - "required": true, - "default": true + "default": true, + "required": true } }, { "max_depth": { - "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", + "gt": 0, "required": true, "type": "integer", - "gt": 0, - "default": 50 + "default": 50, + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level." } }, { "max_children": { - "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. 
For example, text-cdata-text-cdata is one child.", + "gt": 0, "required": true, "type": "integer", - "gt": 0, - "default": 100 + "default": 100, + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child." } }, { "max_attributes": { - "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", + "gt": 0, "required": true, "type": "integer", - "gt": 0, - "default": 100 + "default": 100, + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes." } }, { "max_namespaces": { - "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", + "gt": 0, "required": false, "type": "integer", - "gt": 0, - "default": 20 + "default": 20, + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware." } }, { "document": { - "description": "Maximum size of the entire document.", + "gt": 0, "required": true, "type": "integer", - "gt": 0, - "default": 10485760 + "default": 10485760, + "description": "Maximum size of the entire document." } }, { "buffer": { - "description": "Maximum size of the unparsed buffer (see below).", + "gt": 0, "required": true, "type": "integer", - "gt": 0, - "default": 1048576 + "default": 1048576, + "description": "Maximum size of the unparsed buffer (see below)." } }, { "comment": { - "description": "Maximum size of comments.", + "gt": 0, "required": true, "type": "integer", - "gt": 0, - "default": 1024 + "default": 1024, + "description": "Maximum size of comments." 
} }, { "localname": { - "description": "Maximum size of the localname. This applies to tags and attributes.", + "gt": 0, "required": true, "type": "integer", - "gt": 0, - "default": 1024 + "default": 1024, + "description": "Maximum size of the localname. This applies to tags and attributes." } }, { "prefix": { - "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", + "gt": 0, "required": false, "type": "integer", - "gt": 0, - "default": 1024 + "default": 1024, + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware." } }, { "namespaceuri": { - "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware.", + "gt": 0, "required": false, "type": "integer", - "gt": 0, - "default": 1024 + "default": 1024, + "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware." } }, { "attribute": { - "description": "Maximum size of the attribute value.", + "gt": 0, "required": true, "type": "integer", - "gt": 0, - "default": 1048576 + "default": 1048576, + "description": "Maximum size of the attribute value." } }, { "text": { - "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", + "gt": 0, "required": true, "type": "integer", - "gt": 0, - "default": 1048576 + "default": 1048576, + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined)." } }, { "pitarget": { - "description": "Maximum size of processing instruction targets.", + "gt": 0, "required": true, "type": "integer", - "gt": 0, - "default": 1024 + "default": 1024, + "description": "Maximum size of processing instruction targets." 
} }, { "pidata": { - "description": "Maximum size of processing instruction data.", + "gt": 0, "required": true, "type": "integer", - "gt": 0, - "default": 1024 + "default": 1024, + "description": "Maximum size of processing instruction data." } }, { "entityname": { - "description": "Maximum size of entity names in EntityDecl.", + "gt": 0, "required": true, "type": "integer", - "gt": 0, - "default": 1024 + "default": 1024, + "description": "Maximum size of entity names in EntityDecl." } }, { "entity": { - "description": "Maximum size of entity values in EntityDecl.", + "gt": 0, "required": true, "type": "integer", - "gt": 0, - "default": 1024 + "default": 1024, + "description": "Maximum size of entity values in EntityDecl." } }, { "entityproperty": { - "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", + "gt": 0, "required": true, "type": "integer", - "gt": 0, - "default": 1024 + "default": 1024, + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl." } }, { "bla_max_amplification": { - "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", + "gt": 1, "required": true, "type": "number", - "gt": 1, - "default": 100 + "default": 100, + "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack." } }, { "bla_threshold": { - "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", + "gt": 1024, "required": true, "type": "integer", - "gt": 1024, - "default": 8388608 + "default": 8388608, + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack." } } ], @@ -255,11 +258,11 @@ "entity_checks": [ { "conditional": { - "if_field": "namespace_aware", "if_match": { "eq": true }, "then_field": "max_namespaces", + "if_field": "namespace_aware", "then_match": { "required": true } 
@@ -267,11 +270,11 @@ }, { "conditional": { - "if_field": "namespace_aware", "if_match": { "eq": true }, "then_field": "prefix", + "if_field": "namespace_aware", "then_match": { "required": true } @@ -279,11 +282,11 @@ }, { "conditional": { - "if_field": "namespace_aware", "if_match": { "eq": true }, "then_field": "namespaceuri", + "if_field": "namespace_aware", "then_match": { "required": true } @@ -293,8 +296,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/zipkin/3.9.x.json b/schemas/zipkin/3.9.x.json index cd177c4e..add0c14a 100644 --- a/schemas/zipkin/3.9.x.json +++ b/schemas/zipkin/3.9.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", @@ -26,14 +28,15 @@ "grpcs", "http", "https" - ] + ], + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", + "eq": null, "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -43,9 +46,9 @@ { "local_service_name": { "description": "The name of the service as displayed in Zipkin.", - "required": true, "type": "string", - "default": "kong" + "default": "kong", + "required": true } }, { 
@@ -56,45 +59,50 @@ }, { "sample_ratio": { - "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", - "type": "number", "between": [ 0, 1 ], - "default": 0.001 + "type": "number", + "default": 0.001, + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. " } }, { "default_service_name": { - "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans.", - "type": "string" + "type": "string", + "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans." } }, { "include_credential": { "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", - "required": true, "type": "boolean", - "default": true + "default": true, + "required": true } }, { "traceid_byte_count": { - "description": "The length in bytes of each request's Trace ID.", "required": true, + "description": "The length in bytes of each request's Trace ID.", + "type": "integer", + "default": 16, "one_of": [ 8, 16 - ], - "type": "integer", - "default": 16 + ] } }, { "header_type": { - "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", "required": true, + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", + "deprecation": { + "old_default": "preserve", + "message": "zipkin: config.header_type is deprecated, please use config.propagation options instead", + "removal_in_version": "4.0" + }, "one_of": [ "preserve", "ignore", 
@@ -107,19 +115,19 @@ "datadog", "gcp" ], - "type": "string", "default": "preserve", - "deprecation": { - "old_default": "preserve", - "message": "zipkin: config.header_type is deprecated, please use config.propagation options instead", - "removal_in_version": "4.0" - } + "type": "string" } }, { "default_header_type": { - "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", "required": true, + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", + "deprecation": { + "old_default": "b3", + "message": "zipkin: config.default_header_type is deprecated, please use config.propagation.default_format instead", + "removal_in_version": "4.0" + }, "one_of": [ "b3", "b3-single", @@ -130,21 +138,16 @@ "datadog", "gcp" ], - "type": "string", "default": "b3", - "deprecation": { - "old_default": "b3", - "message": "zipkin: config.default_header_type is deprecated, please use config.propagation.default_format instead", - "removal_in_version": "4.0" - } + "type": "string" } }, { "tags_header": { "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", - "required": true, "type": "string", - "default": "Zipkin-Tags" + "default": "Zipkin-Tags", + "required": true } }, { @@ -155,6 +158,7 @@ "fields": [ { "name": { + "required": true, "not_one_of": [ "error", "http.method", @@ -170,7 +174,6 @@ "lc", "peer.hostname" ], - "required": true, "type": "string" } }, 
@@ -187,47 +190,47 @@ }, { "http_span_name": { - "description": "Specify whether to include the HTTP path in the span name.", "required": true, + "description": "Specify whether to include the HTTP path in the span name.", + "type": "string", + "default": "method", "one_of": [ "method", "method_path" - ], - "type": "string", - "default": "method" + ] } }, { "connect_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000 + "type": "integer", + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 5000 + "type": "integer", + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 ], - "default": 5000 + "type": "integer", + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -237,14 +240,14 @@ }, { "phase_duration_flavor": { - "description": "Specify whether to include the duration of each phase as an annotation or a tag.", "required": true, + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", + "type": "string", + "default": "annotations", "one_of": [ "annotations", "tags" - ], - "type": "string", - "default": "annotations" + ] } }, { 
@@ -252,81 +255,81 @@ "fields": [ { "max_batch_size": { - "description": "Maximum number of entries that can be processed at a time.", - "type": "integer", "between": [ 1, 1000000 ], - "default": 1 + "type": "integer", + "default": 1, + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", - "type": "number", "between": [ 0, 3600 ], - "default": 1 + "type": "number", + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "description": "Maximum number of entries that can be waiting on the queue.", - "type": "integer", "between": [ 1, 1000000 ], - "default": 10000 + "type": "integer", + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue." } }, { "max_bytes": { - "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", - "type": "integer" + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." } }, { "max_retry_time": { - "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number", - "default": 60 + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch." } }, { "initial_retry_delay": { - "description": "Time in seconds before the initial retry is made for a failing batch.", - "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01 + "type": "number", + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch." 
} }, { "max_retry_delay": { - "description": "Maximum time in seconds between retries, caps exponential backoff.", - "type": "number", "between": [ 0.001, 1000000 ], - "default": 60 + "type": "number", + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff." } }, { "concurrency_limit": { - "description": "The number of of queue delivery timers. -1 indicates unlimited.", - "type": "integer", - "default": 1, "one_of": [ -1, 1 - ] + ], + "type": "integer", + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited." } } ], @@ -344,13 +347,13 @@ "elements": { "type": "string", "one_of": [ + "b3", "gcp", "jaeger", "aws", "ot", "w3c", - "datadog", - "b3" + "datadog" ] } } @@ -372,14 +375,14 @@ "type": "string", "one_of": [ "preserve", + "b3", "gcp", "b3-single", "jaeger", "aws", "ot", "w3c", - "datadog", - "b3" + "datadog" ] } } @@ -388,25 +391,25 @@ "default_format": { "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", "type": "string", - "required": true, "one_of": [ + "b3", "gcp", "b3-single", "jaeger", "aws", "ot", "w3c", - "datadog", - "b3" - ] + "datadog" + ], + "required": true } } ], "type": "record", - "required": true, "default": { "default_format": "b3" - } + }, + "required": true } } ], @@ -414,8 +417,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file From 405ab734f904ca18727a1bfafd384c4d53caf766 Mon Sep 17 00:00:00 2001 From: Diana <75819066+cloudjumpercat@users.noreply.github.com> Date: Fri, 22 Nov 2024 14:29:02 -0600 Subject: [PATCH 092/165] Add service protection example 
Signed-off-by: Diana <75819066+cloudjumpercat@users.noreply.github.com>
---
 examples/service-protection/_3.9.x.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 examples/service-protection/_3.9.x.yaml
diff --git a/examples/service-protection/_3.9.x.yaml b/examples/service-protection/_3.9.x.yaml
new file mode 100644
index 00000000..c23a4120
--- /dev/null
+++ b/examples/service-protection/_3.9.x.yaml
@@ -0,0 +1,6 @@
+name: service-protection
+config:
+ window_size: 30
+ window_type: sliding
+ limit: 5
+ namespace: example_namespace
From 6221381024c0aa49882ff65c6fe2820aaa9c6d99 Mon Sep 17 00:00:00 2001
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com>
Date: Mon, 25 Nov 2024 13:29:28 -0800
Subject: [PATCH 093/165] Update AWS lambda for the 3.4.3.13 release (#69)
---
 schemas/aws-lambda/3.4.x.json | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/schemas/aws-lambda/3.4.x.json b/schemas/aws-lambda/3.4.x.json
index 7695829e..4d9cd95f 100644
--- a/schemas/aws-lambda/3.4.x.json
+++ b/schemas/aws-lambda/3.4.x.json
@@ -80,6 +80,12 @@
 "type": "string"
 }
 },
+ {
+ "aws_sts_endpoint_url": {
+ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.",
+ "type": "string"
+ }
+ },
 {
 "aws_region": {
 "type": "string",
@@ -252,4 +258,4 @@
 }
 }
 ]
-}
\ No newline at end of file
+}
From 56c8395e6c9990a2aa7e85dc44c167229d7de442 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 5 Nov 2024 07:49:01 +0000
Subject: [PATCH 094/165] Update dependency ruby to v3.3.6
---
 .ruby-version | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.ruby-version b/.ruby-version
index fa7adc7a..9c25013d 100644
--- a/.ruby-version
+++ b/.ruby-version
@@ -1 +1 @@
-3.3.5
+3.3.6
From 745ee4c226f2acaea4da726f39be9c8e5077cf93 Mon Sep 17 00:00:00 2001
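Review bot: `window_size: 30` and `limit: 5` are written as scalars, which looks wrong if the service-protection schema declares both as arrays of numbers the way rate-limiting-advanced does (that schema is not part of this patch, so confirm against it). If so, the example should read `window_size: [30]` and `limit: [5]`; otherwise a reader who copies it gets a validation error instead of a working limit. A comment marking `namespace: example_namespace` as a placeholder would also help, since plugin instances that reuse one namespace presumably share counters and a copied value can couple unrelated services.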
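Review bot: The `description` added for `aws_sts_endpoint_url` is the generic URL-type text and says nothing about what the field controls, here and in the matching hunk for `schemas/aws-lambda/3.7.x.json` in patch 095. Judging by the name, it overrides the STS endpoint the plugin contacts to obtain credentials, which makes it a trust decision: whatever host is configured receives the signed credential request. Something like `"description": "Custom AWS STS endpoint URL used when the plugin requests temporary credentials; point it only at an STS endpoint you control or trust."` would tell operators that. The exported entry carries only `"type": "string"`, so no scheme restriction is visible in this file; if the upstream type validator does not already require https, that is worth checking. The surrounding `fields` array starts and ends outside the hunk, and if this file is generated the wording has to be fixed in the upstream schema rather than here.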
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com>
Date: Wed, 27 Nov 2024 09:46:29 -0800
Subject: [PATCH 095/165] generate schema for aws lambda (#74)
---
 schemas/aws-lambda/3.7.x.json | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/schemas/aws-lambda/3.7.x.json b/schemas/aws-lambda/3.7.x.json
index 762af58b..d470790c 100644
--- a/schemas/aws-lambda/3.7.x.json
+++ b/schemas/aws-lambda/3.7.x.json
@@ -80,6 +80,12 @@
 "default": "kong"
 }
 },
+ {
+ "aws_sts_endpoint_url": {
+ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.",
+ "type": "string"
+ }
+ },
 {
 "aws_region": {
 "type": "string",
From e5e3561880b1d113b44b7aaec05206a2546476bc Mon Sep 17 00:00:00 2001
From: Diana <75819066+cloudjumpercat@users.noreply.github.com>
Date: Wed, 27 Nov 2024 18:02:47 -0600
Subject: [PATCH 096/165] Add injection plugin directory and example (#76)
* Add schema folder for injection-protection, add basic example
Signed-off-by: Diana <75819066+cloudjumpercat@users.noreply.github.com>
* Change ,foo to json file
Signed-off-by: Diana <75819066+cloudjumpercat@users.noreply.github.com>
---------
Signed-off-by: Diana <75819066+cloudjumpercat@users.noreply.github.com>
---
 examples/injection-protection/_3.9.x.yaml | 7 +++++++
 schemas/injection-protection/3.9.x.json | 1 +
 2 files changed, 8 insertions(+)
 create mode 100644 examples/injection-protection/_3.9.x.yaml
 create mode 100644 schemas/injection-protection/3.9.x.json
diff --git a/examples/injection-protection/_3.9.x.yaml b/examples/injection-protection/_3.9.x.yaml
new file mode 100644
index 00000000..2d0e1a61
--- /dev/null
+++ b/examples/injection-protection/_3.9.x.yaml
@@ -0,0 +1,7 @@
+name: injection-protection
+config:
+ injection_types: sql
+ locations: path_and_query
+ enforcement_mode: block
+ error_status_code: 400
+ error_message: Bad Request
\ No newline at end of file
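Review bot: `injection_types: sql` and `locations: path_and_query` are scalars, while the option names are plural and the plugin schema probably declares both as sets (the schema file added alongside this example is still the empty `{ }`, so this cannot be checked here). If they are sets, write `injection_types: [sql]` and `locations: [path_and_query]`. Since this is the example people will copy, a short comment that it inspects only the path and query string, and that request headers and bodies need their own entries under `locations` to be covered, would keep readers from assuming wider coverage than they get.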
diff --git a/schemas/injection-protection/3.9.x.json b/schemas/injection-protection/3.9.x.json
new file mode 100644
index 00000000..6f31cf5a
--- /dev/null
+++ b/schemas/injection-protection/3.9.x.json
@@ -0,0 +1 @@
+{ }
\ No newline at end of file
From 2940a9ec9725285c22a8dd0191319f483ab0c3fb Mon Sep 17 00:00:00 2001
From: fabianrbz <715229+fabianrbz@users.noreply.github.com> Date: Tue, 3 Dec 2024 07:12:25 +0000 Subject: [PATCH 097/165] Download Schemas for 3.9.x --- schemas/acl/3.9.x.json | 44 +- schemas/acme/3.9.x.json | 228 +- schemas/ai-azure-content-safety/3.9.x.json | 82 +- schemas/ai-prompt-decorator/3.9.x.json | 62 +- schemas/ai-prompt-guard/3.9.x.json | 62 +- schemas/ai-prompt-template/3.9.x.json | 52 +- schemas/ai-proxy-advanced/3.9.x.json | 1019 ++--- schemas/ai-proxy/3.9.x.json | 487 +-- schemas/ai-rate-limiting-advanced/3.9.x.json | 469 +-- schemas/ai-request-transformer/3.9.x.json | 541 +-- schemas/ai-response-transformer/3.9.x.json | 563 +-- schemas/ai-semantic-cache/3.9.x.json | 542 +-- schemas/ai-semantic-prompt-guard/3.9.x.json | 570 +-- schemas/app-dynamics/3.9.x.json | 24 +- schemas/aws-lambda/3.9.x.json | 120 +- schemas/azure-functions/3.9.x.json | 56 +- schemas/basic-auth/3.9.x.json | 22 +- schemas/bot-detection/3.9.x.json | 46 +- schemas/canary/3.9.x.json | 84 +- schemas/confluent/3.9.x.json | 148 +- schemas/correlation-id/3.9.x.json | 36 +- schemas/cors/3.9.x.json | 72 +- schemas/datadog/3.9.x.json | 274 +- schemas/degraphql/3.9.x.json | 38 +- schemas/exit-transformer/3.9.x.json | 34 +- schemas/file-log/3.9.x.json | 50 +- schemas/forward-proxy/3.9.x.json | 154 +- .../graphql-proxy-cache-advanced/3.9.x.json | 432 +- .../graphql-rate-limiting-advanced/3.9.x.json | 458 +-- schemas/grpc-gateway/3.9.x.json | 32 +- schemas/grpc-web/3.9.x.json | 34 +- schemas/header-cert-auth/3.9.x.json | 136 +- schemas/hmac-auth/3.9.x.json | 64 +- schemas/http-log/3.9.x.json | 136 +- schemas/injection-protection/3.9.x.json | 160 +- schemas/ip-restriction/3.9.x.json | 50 +- schemas/jq/3.9.x.json | 116 +- schemas/json-threat-protection/3.9.x.json | 46 +- schemas/jwe-decrypt/3.9.x.json | 40 +- schemas/jwt-signer/3.9.x.json | 618 +-- schemas/jwt/3.9.x.json | 74 +- schemas/kafka-log/3.9.x.json | 122 +- schemas/kafka-upstream/3.9.x.json | 166 +- schemas/key-auth-enc/3.9.x.json | 48 
+- schemas/key-auth/3.9.x.json | 58 +- schemas/konnect-application-auth/3.9.x.json | 2260 +++++------ schemas/ldap-auth-advanced/3.9.x.json | 110 +- schemas/ldap-auth/3.9.x.json | 104 +- schemas/loggly/3.9.x.json | 68 +- schemas/mocking/3.9.x.json | 68 +- schemas/mtls-auth/3.9.x.json | 106 +- schemas/oas-validation/3.9.x.json | 90 +- schemas/oauth2-introspection/3.9.x.json | 76 +- schemas/oauth2/3.9.x.json | 126 +- schemas/opa/3.9.x.json | 72 +- schemas/openid-connect/3.9.x.json | 3496 ++++++++--------- schemas/opentelemetry/3.9.x.json | 240 +- schemas/post-function/3.9.x.json | 96 +- schemas/pre-function/3.9.x.json | 96 +- schemas/prometheus/3.9.x.json | 40 +- schemas/proxy-cache-advanced/3.9.x.json | 494 +-- schemas/proxy-cache/3.9.x.json | 116 +- schemas/rate-limiting-advanced/3.9.x.json | 500 +-- schemas/rate-limiting/3.9.x.json | 100 +- schemas/request-size-limiting/3.9.x.json | 30 +- schemas/request-termination/3.9.x.json | 36 +- .../request-transformer-advanced/3.9.x.json | 130 +- schemas/request-transformer/3.9.x.json | 156 +- schemas/request-validator/3.9.x.json | 120 +- schemas/response-ratelimiting/3.9.x.json | 144 +- .../response-transformer-advanced/3.9.x.json | 142 +- schemas/response-transformer/3.9.x.json | 142 +- schemas/route-by-header/3.9.x.json | 48 +- schemas/route-transformer-advanced/3.9.x.json | 42 +- schemas/saml/3.9.x.json | 1634 ++++---- schemas/service-protection/3.9.x.json | 468 +-- schemas/session/3.9.x.json | 132 +- schemas/standard-webhooks/3.9.x.json | 34 +- schemas/statsd-advanced/3.9.x.json | 304 +- schemas/statsd/3.9.x.json | 256 +- schemas/syslog/3.9.x.json | 58 +- schemas/tcp-log/3.9.x.json | 58 +- schemas/tls-handshake-modifier/3.9.x.json | 16 +- schemas/tls-metadata-headers/3.9.x.json | 48 +- schemas/udp-log/3.9.x.json | 52 +- schemas/upstream-oauth/3.9.x.json | 600 +-- schemas/upstream-timeout/3.9.x.json | 36 +- schemas/vault-auth/3.9.x.json | 70 +- schemas/websocket-size-limit/3.9.x.json | 36 +- 
schemas/websocket-validator/3.9.x.json | 152 +- schemas/xml-threat-protection/3.9.x.json | 254 +- schemas/zipkin/3.9.x.json | 216 +- 92 files changed, 11305 insertions(+), 11036 deletions(-) diff --git a/schemas/acl/3.9.x.json b/schemas/acl/3.9.x.json index 88f2dcf1..ddcf7860 100644 --- a/schemas/acl/3.9.x.json +++ b/schemas/acl/3.9.x.json @@ -17,22 +17,30 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -41,15 +49,7 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { 
@@ -57,49 +57,49 @@ "fields": [ { "allow": { - "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", - "type": "array", "elements": { "type": "string" - } + }, + "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "type": "array" } }, { "deny": { - "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", - "type": "array", "elements": { "type": "string" - } + }, + "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "type": "array" } }, { "hide_groups_header": { + "default": false, "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", "required": true, - "default": false, "type": "boolean" } }, { "include_consumer_groups": { + "default": false, "description": "If enabled (`true`), allows the consumer-groups to be used in the `allow|deny` fields", "required": false, - "default": false, "type": "boolean" } }, { "always_use_authenticated_groups": { + "default": false, "description": "If enabled (`true`), the authenticated groups will always be used even when an authenticated consumer already exists. If the authenticated groups don't exist, it will fallback to use the groups associated with the consumer. By default the authenticated groups will only be used when there is no consumer or the consumer is anonymous.", "required": true, - "default": false, "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/acme/3.9.x.json b/schemas/acme/3.9.x.json index a277be83..677bf267 100644 --- a/schemas/acme/3.9.x.json 
+++ b/schemas/acme/3.9.x.json @@ -52,38 +52,46 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "service": { "reference": "services", - "type": "foreign", "eq": null, + "type": "foreign", "description": "A reference to the 'services' table with a null value allowed." } }, { "route": { "reference": "routes", - "type": "foreign", "eq": null, + "type": "foreign", "description": "A reference to the 'routes' table with a null value allowed." } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -92,15 +100,7 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { @@ -108,22 +108,25 @@ "fields": [ { "account_email": { + "encrypted": true, + "match": "%w*%p*@+%w*%.?%w*", "required": true, - "referenceable": true, - "description": "The account identifier. Can be reused in a different plugin instance.", "type": "string", - "match": "%w*%p*@+%w*%.?%w*", - "encrypted": true + "description": "The account identifier. Can be reused in a different plugin instance.", + "referenceable": true } }, { "account_key": { + "type": "record", + "description": "The private key associated with the account.", + "required": false, "fields": [ { "key_id": { - "type": "string", "description": "The Key ID.", - "required": true + "required": true, + "type": "string" } }, { 
@@ -132,47 +135,44 @@ "description": "The ID of the key set to associate the Key ID with." } } - ], - "type": "record", - "description": "The private key associated with the account.", - "required": false + ] } }, { "api_uri": { - "type": "string", "default": "https://acme-v02.api.letsencrypt.org/directory", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "tos_accepted": { - "type": "boolean", "default": false, - "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service." + "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", + "type": "boolean" } }, { "eab_kid": { + "encrypted": true, "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { "eab_hmac_key": { + "encrypted": true, "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { "cert_type": { - "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate.", - "type": "string", "default": "rsa", + "description": "The certificate type to create. The possible values are `rsa` for RSA certificate or `ecc` for EC certificate.", + "type": "string", "one_of": [ "rsa", "ecc" @@ -181,9 +181,9 @@ }, { "rsa_key_size": { + "default": 4096, "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", "type": "number", - "default": 4096, "one_of": [ 2048, 3072, 
@@ -193,20 +193,18 @@ }, { "renew_threshold_days": { - "type": "number", "default": 14, - "description": "Days remaining to renew the certificate before it expires." + "description": "Days remaining to renew the certificate before it expires.", + "type": "number" } }, { "domains": { - "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", - "type": "array", "elements": { "match_all": [ { - "pattern": "^[^*]*%*?[^*]*$", - "err": "invalid wildcard: must have at most one wildcard" + "err": "invalid wildcard: must have at most one wildcard", + "pattern": "^[^*]*%*?[^*]*$" } ], "type": "string", 
@@ -218,28 +216,30 @@ "^[^*]*$" ] } - } + }, + "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", + "type": "array" } }, { "allow_any_domain": { - "type": "boolean", "default": false, - "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list." + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", + "type": "boolean" } }, { "fail_backoff_minutes": { - "type": "number", "default": 5, - "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate." + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", + "type": "number" } }, { "storage": { - "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well.", - "type": "string", "default": "shm", + "description": "The backend storage type to use. In DB-less mode and Konnect, `kong` storage is unavailable. In hybrid mode and Konnect, `shm` storage is unavailable. `shm` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `kong`, `redis`, `consul`, or `vault` in production.", + "type": "string", "one_of": [ "kong", "shm", 
@@ -257,14 +257,14 @@ "fields": [ { "shm_name": { - "type": "string", "default": "kong", - "description": "Name of shared memory zone used for Kong API gateway storage" + "description": "Name of shared memory zone used for Kong API gateway storage", + "type": "string" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -272,8 +272,8 @@ "fields": [ ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
@@ -281,109 +281,109 @@ "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } }, { "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "username": { - "type": "string", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "referenceable": true, - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "type": "string" } }, { "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, "referenceable": true, - "len_min": 0, "type": "string", - "encrypted": true + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "len_min": 0 } }, { "database": { - "type": "integer", "default": 0, - "description": "Database to use for the Redis connection when using the `redis` strategy" + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" } }, { "ssl": { - "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean", "default": false, - "required": false + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" } }, { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean", "default": false, - "required": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" } }, { "server_name": { - "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, - "description": "A string representing an SNI (server name indication) value for TLS." + "type": "string" } }, { "extra_options": { + "type": "record", + "description": "Custom ACME Redis options", + "required": true, "fields": [ { "namespace": { "required": true, - "len_min": 0, "type": "string", "default": "", - "description": "A namespace to prepend to all keys stored in Redis." 
+ "description": "A namespace to prepend to all keys stored in Redis.", + "len_min": 0 } }, { "scan_count": { + "default": 10, "description": "The number of keys to return in Redis SCAN calls.", "required": false, - "default": 10, "type": "number" } } - ], - "description": "Custom ACME Redis options", - "type": "record", - "required": true + ] } } ], - "type": "record", "shorthand_fields": [ { "auth": { + "type": "string", "deprecation": { "message": "acme: config.storage_config.redis.auth is deprecated, please use config.storage_config.redis.password instead", "removal_in_version": "4.0", @@ -395,7 +395,6 @@ } ] }, - "type": "string", "len_min": 0 } }, @@ -417,6 +416,7 @@ }, { "namespace": { + "type": "string", "deprecation": { "message": "acme: config.storage_config.redis.namespace is deprecated, please use config.storage_config.redis.extra_options.namespace instead", "removal_in_version": "4.0", @@ -429,7 +429,6 @@ } ] }, - "type": "string", "len_min": 0 } }, @@ -451,7 +450,8 @@ } } ], - "required": true + "required": true, + "type": "record" } }, { @@ -459,15 +459,15 @@ "fields": [ { "https": { - "type": "boolean", "default": false, - "description": "Boolean representation of https." + "description": "Boolean representation of https.", + "type": "boolean" } }, { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { @@ -476,8 +476,8 @@ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { @@ -500,8 +500,8 @@ } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
@@ -509,15 +509,15 @@ "fields": [ { "https": { - "type": "boolean", "default": false, - "description": "Boolean representation of https." + "description": "Boolean representation of https.", + "type": "boolean" } }, { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { @@ -526,8 +526,8 @@ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { @@ -551,9 +551,9 @@ }, { "tls_verify": { - "type": "boolean", "default": true, - "description": "Turn on TLS verification." + "description": "Turn on TLS verification.", + "type": "boolean" } }, { @@ -564,9 +564,9 @@ }, { "auth_method": { + "default": "token", "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", "type": "string", - "default": "token", "one_of": [ "token", "kubernetes" 
@@ -592,31 +592,31 @@ } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "preferred_chain": { - "type": "string", - "description": "A string value that specifies the preferred certificate chain to use when generating certificates." + "description": "A string value that specifies the preferred certificate chain to use when generating certificates.", + "type": "string" } }, { "enable_ipv4_common_name": { - "type": "boolean", "default": true, - "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates." + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", + "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/ai-azure-content-safety/3.9.x.json b/schemas/ai-azure-content-safety/3.9.x.json index 96cac76e..0752c460 100644 --- a/schemas/ai-azure-content-safety/3.9.x.json +++ b/schemas/ai-azure-content-safety/3.9.x.json @@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -14,30 +22,22 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -46,26 +46,26 @@ "fields": [ { "content_safety_url": { + "referenceable": true, "description": "Full URL, inc protocol, of the Azure Content Safety instance.", "required": true, - "referenceable": true, "type": "string" } }, { "azure_api_version": { "required": true, - "len_min": 1, "type": "string", "default": "2023-10-01", - "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format." + "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format.", + "len_min": 1 } }, { "azure_use_managed_identity": { - "type": "boolean", "default": false, - "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity" + "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity", + "type": "boolean" } }, { 
@@ -91,18 +91,18 @@ }, { "content_safety_key": { - "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.", - "referenceable": true, - "type": "string", + "encrypted": true, "required": false, - "encrypted": true + "type": "string", + "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.", + "referenceable": true } }, { "text_source": { + "default": "concatenate_all_content", "description": "Select where to pick the 'text' for the Azure Content Services request.", "type": "string", - "default": "concatenate_all_content", "one_of": [ "concatenate_all_content", "concatenate_user_content" @@ -111,40 +111,40 @@ }, { "categories": { - "type": "array", - "description": "Array of categories, and their thresholds, to measure on.", "elements": { + "type": "record", + "required": true, "fields": [ { "name": { - "type": "string", - "required": true + "required": true, + "type": "string" } }, { "rejection_level": { - "type": "integer", - "required": true + "required": true, + "type": "integer" } } - ], - "type": "record", - "required": true - } + ] + }, + "description": "Array of categories, and their thresholds, to measure on.", + "type": "array" } }, { "reveal_failure_reason": { - "type": "boolean", "default": true, - "description": "Set true to tell the caller why their request was rejected, if so." + "description": "Set true to tell the caller why their request was rejected, if so.", + "type": "boolean" } }, { "output_type": { + "default": "FourSeverityLevels", "description": "See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter#content-filtering-categories", "type": "string", - "default": "FourSeverityLevels", "one_of": [ "FourSeverityLevels", "EightSeverityLevels" 
@@ -153,23 +153,23 @@ }, { "blocklist_names": { - "type": "array", - "description": "Use these configured blocklists (in Azure Content Services) when inspecting content.", "elements": { "type": "string" - } + }, + "description": "Use these configured blocklists (in Azure Content Services) when inspecting content.", + "type": "array" } }, { "halt_on_blocklist_hit": { - "type": "boolean", "default": true, - "description": "Tells Azure to reject the request if any blocklist filter is hit." + "description": "Tells Azure to reject the request if any blocklist filter is hit.", + "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/ai-prompt-decorator/3.9.x.json b/schemas/ai-prompt-decorator/3.9.x.json index dae4a747..4002199f 100644 --- a/schemas/ai-prompt-decorator/3.9.x.json +++ b/schemas/ai-prompt-decorator/3.9.x.json @@ -11,6 +11,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -19,15 +27,7 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { @@ -35,17 +35,23 @@ "fields": [ { "prompts": { + "type": "record", + "required": false, "fields": [ { "prepend": { + "len_max": 15, "required": false, + "type": "array", "elements": { + "type": "record", + "required": false, "fields": [ { "role": { + "default": "system", "type": "string", "required": true, - "default": "system", "one_of": [ "system", "assistant", 
@@ -56,30 +62,30 @@ { "content": { "len_max": 500, - "required": true, "type": "string", + "required": true, "len_min": 1 } } - ], - "type": "record", - "required": false + ] }, - "len_max": 15, - "type": "array", "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages." } }, { "append": { + "len_max": 15, "required": false, + "type": "array", "elements": { + "type": "record", + "required": false, "fields": [ { "role": { + "default": "system", "type": "string", "required": true, - "default": "system", "one_of": [ "system", "assistant", @@ -90,36 +96,30 @@ { "content": { "len_max": 500, - "required": true, "type": "string", + "required": true, "len_min": 1 } } - ], - "type": "record", - "required": false + ] }, - "len_max": 15, - "type": "array", "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages." } } - ], - "type": "record", - "required": false + ] } }, { "max_request_body_size": { - "gt": 0, - "type": "integer", "default": 8192, - "description": "max allowed body size allowed to be introspected" + "description": "max allowed body size allowed to be introspected", + "gt": 0, + "type": "integer" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/ai-prompt-guard/3.9.x.json b/schemas/ai-prompt-guard/3.9.x.json index ff77367d..1eb02b54 100644 --- a/schemas/ai-prompt-guard/3.9.x.json +++ b/schemas/ai-prompt-guard/3.9.x.json @@ -23,6 +23,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -31,15 +39,7 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { 
@@ -47,57 +47,57 @@ "fields": [ { "allow_patterns": { - "description": "Array of valid regex patterns, or valid questions from the 'user' role in chat.", + "len_max": 10, + "required": false, + "type": "array", "elements": { "len_max": 500, - "type": "string", - "len_min": 1 + "len_min": 1, + "type": "string" }, - "len_max": 10, - "type": "array", - "required": false + "description": "Array of valid regex patterns, or valid questions from the 'user' role in chat." } }, { "deny_patterns": { - "description": "Array of invalid regex patterns, or invalid questions from the 'user' role in chat.", + "len_max": 10, + "required": false, + "type": "array", "elements": { "len_max": 500, - "type": "string", - "len_min": 1 + "len_min": 1, + "type": "string" }, - "len_max": 10, - "type": "array", - "required": false + "description": "Array of invalid regex patterns, or invalid questions from the 'user' role in chat." } }, { "allow_all_conversation_history": { - "type": "boolean", - "description": "If true, will ignore all previous chat prompts from the conversation history.", "default": false, - "required": true + "description": "If true, will ignore all previous chat prompts from the conversation history.", + "required": true, + "type": "boolean" } }, { "max_request_body_size": { - "gt": 0, - "description": "max allowed body size allowed to be introspected", "default": 8192, + "description": "max allowed body size allowed to be introspected", + "gt": 0, "type": "integer" } }, { "match_all_roles": { - "type": "boolean", - "description": "If true, will match all roles in addition to 'user' role in conversation history.", "default": false, - "required": true + "description": "If true, will match all roles in addition to 'user' role in conversation history.", + "required": true, + "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] 
diff --git a/schemas/ai-prompt-template/3.9.x.json b/schemas/ai-prompt-template/3.9.x.json index 5cef938c..2822bb38 100644 --- a/schemas/ai-prompt-template/3.9.x.json +++ b/schemas/ai-prompt-template/3.9.x.json @@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -14,15 +22,7 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { @@ -30,44 +30,44 @@ "fields": [ { "templates": { - "required": true, - "description": "Array of templates available to the request context.", - "type": "array", "elements": { + "type": "record", + "required": true, "fields": [ { "name": { - "type": "string", "description": "Unique name for the template, can be called with `{template://NAME}`", - "required": true + "required": true, + "type": "string" } }, { "template": { - "type": "string", "description": "Template string for this request, supports mustache-style `{{placeholders}}`", - "required": true + "required": true, + "type": "string" } } - ], - "type": "record", - "required": true - } + ] + }, + "description": "Array of templates available to the request context.", + "required": true, + "type": "array" } }, { "allow_untemplated_requests": { - "required": true, - "description": "Set true to allow requests that don't call or match any template.", "default": true, + "description": "Set true to allow requests that don't call or match any template.", + "required": true, "type": "boolean" } }, { "log_original_request": { - "required": true, - "description": "Set true to add the original request to the Kong log plugin(s) output.", "default": false, + "description": "Set true to add the original request to the Kong log plugin(s) output.", + "required": true, "type": "boolean" } }, 
@@ -80,8 +80,8 @@ } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/ai-proxy-advanced/3.9.x.json b/schemas/ai-proxy-advanced/3.9.x.json index a6982a16..0e657ace 100644 --- a/schemas/ai-proxy-advanced/3.9.x.json +++ b/schemas/ai-proxy-advanced/3.9.x.json @@ -20,6 +20,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -28,15 +36,7 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { @@ -44,12 +44,14 @@ "fields": [ { "balancer": { + "type": "record", + "required": true, "fields": [ { "algorithm": { + "default": "round-robin", "description": "Which load balancing algorithm to use.", "type": "string", - "default": "round-robin", "one_of": [ "round-robin", "lowest-latency", @@ -61,9 +63,9 @@ }, { "tokens_count_strategy": { + "default": "total-tokens", "description": "What tokens to use for usage calculation. Available values are: `total_tokens` `prompt_tokens`, and `completion_tokens`.", "type": "string", - "default": "total-tokens", "one_of": [ "total-tokens", "prompt-tokens", @@ -73,9 +75,9 @@ }, { "latency_strategy": { + "default": "tpot", "description": "What metrics to use for latency. Available values are: `tpot` (time-per-output-token) and `e2e`.", "type": "string", - "default": "tpot", "one_of": [ "tpot", "e2e" 
@@ -84,66 +86,64 @@ }, { "hash_on_header": { - "type": "string", "default": "X-Kong-LLM-Request-ID", - "description": "The header to use for consistent-hashing." + "description": "The header to use for consistent-hashing.", + "type": "string" } }, { "slots": { + "default": 10000, + "description": "The number of slots in the load balancer algorithm.", "between": [ 10, 65536 ], - "type": "integer", - "default": 10000, - "description": "The number of slots in the load balancer algorithm." + "type": "integer" } }, { "retries": { + "default": 5, + "description": "The number of retries to execute upon failure to proxy.", "between": [ 0, 32767 ], - "type": "integer", - "default": 5, - "description": "The number of retries to execute upon failure to proxy." + "type": "integer" } }, { "connect_timeout": { + "default": 60000, "between": [ 1, 2147483646 ], - "type": "integer", - "default": 60000 + "type": "integer" } }, { "write_timeout": { + "default": 60000, "between": [ 1, 2147483646 ], - "type": "integer", - "default": 60000 + "type": "integer" } }, { "read_timeout": { + "default": 60000, "between": [ 1, 2147483646 ], - "type": "integer", - "default": 60000 + "type": "integer" } } - ], - "required": true, - "type": "record" + ] } }, { 
@@ -154,36 +154,36 @@ "fields": [ { "header_name": { - "required": false, - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "referenceable": true, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "required": false, "type": "string" } }, { "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", - "referenceable": true, - "type": "string", + "encrypted": true, "required": false, - "encrypted": true + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "referenceable": true } }, { "param_name": { - "required": false, - "description": "If AI model requires authentication via query parameter, specify its name here.", "referenceable": true, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "required": false, "type": "string" } }, { "param_value": { - "description": "Specify the full parameter value for 'param_name'.", - "referenceable": true, - "type": "string", + "encrypted": true, "required": false, - "encrypted": true + "type": "string", + "description": "Specify the full parameter value for 'param_name'.", + "referenceable": true } }, { 
@@ -199,77 +199,77 @@ }, { "azure_use_managed_identity": { - "required": false, - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "required": false, "type": "boolean" } }, { "azure_client_id": { - "required": false, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "required": false, "type": "string" } }, { "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", - "referenceable": true, - "type": "string", + "encrypted": true, "required": false, - "encrypted": true + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "referenceable": true } }, { "azure_tenant_id": { - "required": false, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "required": false, "type": "string" } }, { "gcp_use_service_account": { - "required": false, - "description": "Use service account auth for GCP-based providers and models.", "default": false, + "description": "Use service account 
auth for GCP-based providers and models.", + "required": false, "type": "boolean" } }, { "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", - "referenceable": true, - "type": "string", + "encrypted": true, "required": false, - "encrypted": true + "type": "string", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "referenceable": true } }, { "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", - "referenceable": true, - "type": "string", + "encrypted": true, "required": false, - "encrypted": true + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "referenceable": true } }, { "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", - "referenceable": true, - "type": "string", + "encrypted": true, "required": false, - "encrypted": true + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "referenceable": true } }, { "allow_override": { - "required": false, - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "required": false, "type": "boolean" } } @@ -294,9 +294,9 @@ }, { "name": { - "type": "string", "description": "Model name to execute.", - "required": true + "required": true, + "type": "string" } }, { @@ -310,9 +310,9 @@ } } ], - "type": "record", + "description": "Key/value settings for the model", "required": false, - "description": "Key/value settings for the model" + "type": "record" } } ], @@ -340,16 +340,16 @@ }, { "dimensions": { - "type": "integer", "description": "the desired dimensionality for the vectors", - "required": true + "required": true, + "type": "integer" } }, { "threshold": { - "type": "number", "description": "the default similarity threshold for accepting semantic search results (float)", - "required": true + "required": true, + "type": "number" } }, { 
@@ -365,56 +365,187 @@ }, { "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + } + ], "fields": 
[ { "host": { - "type": "string", "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } }, { "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { @@ -426,10 +557,10 @@ }, { "password": { + "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { 
@@ -441,27 +572,27 @@ }, { "sentinel_password": { + "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer" } }, { "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 ], - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "default": 256, "type": "integer" } }, 
@@ -471,259 +602,128 @@ 0, 2147483646 ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "type": "string" } }, { "sentinel_nodes": { "required": false, + "type": "array", "elements": { "fields": [ { "host": { - "required": true, - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } } ], "type": "record" }, - "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 } }, { "cluster_nodes": { "required": false, + "type": "array", "elements": { "fields": [ { "ip": { - "required": true, - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ "type": "integer" } } ], "type": "record" }, - "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 } }, { "ssl": { - "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis.", "default": false, - "required": false + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" } }, { "ssl_verify": { - "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, - "required": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" } }, { "server_name": { - "type": "string", "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false + "required": false, + "type": "string" } }, { "cluster_max_redirections": { - "type": "integer", - "description": "Maximum retry attempts for redirection.", "default": 5, - "required": false + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" } }, { "connection_is_proxied": { - "type": "boolean", - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "default": false, - "required": false - } - } - ], - "required": true, - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - 
"path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - }, - { - "cluster_addresses": { - "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" } } ] @@ -737,9 +737,9 @@ { "response_streaming": { "required": false, - "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", "type": "string", "default": "allow", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", "one_of": [ "allow", "deny", 
@@ -749,24 +749,162 @@ }, { "max_request_body_size": { - "gt": 0, - "type": "integer", "default": 8192, - "description": "max allowed body size allowed to be introspected" + "description": "max allowed body size allowed to be introspected", + "gt": 0, + "type": "integer" } }, { "model_name_header": { - "type": "boolean", "default": true, - "description": "Display the model name selected in the X-Kong-LLM-Model response header" + "description": "Display the model name selected in the X-Kong-LLM-Model response header", + "type": "boolean" } }, { "targets": { - "type": "array", - "required": true, "elements": { + "entity_checks": [ + { + "conditional": { + "then_err": "bedrock and gemini only support auth.allow_override = false", + "if_match": { + "one_of": [ + "bedrock", + "gemini" + ] + }, + "then_field": "auth.allow_override", + "if_field": "model.provider", + "then_match": { + "eq": false + } + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for llama2 provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": 
"model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] + } + } + ], + "type": "record", + "required": true, "fields": [ { "route_type": { 
@@ -785,36 +923,36 @@ "fields": [ { "header_name": { - "required": false, - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "referenceable": true, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "required": false, "type": "string" } }, { "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", - "referenceable": true, - "type": "string", + "encrypted": true, "required": false, - "encrypted": true + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "referenceable": true } }, { "param_name": { - "required": false, - "description": "If AI model requires authentication via query parameter, specify its name here.", "referenceable": true, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "required": false, "type": "string" } }, { "param_value": { - "description": "Specify the full parameter value for 'param_name'.", - "referenceable": true, - "type": "string", + "encrypted": true, "required": false, - "encrypted": true + "type": "string", + "description": "Specify the full parameter value for 'param_name'.", + "referenceable": true } }, { 
@@ -830,77 +968,77 @@ }, { "azure_use_managed_identity": { - "required": false, - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "required": false, "type": "boolean" } }, { "azure_client_id": { - "required": false, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "required": false, "type": "string" } }, { "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", - "referenceable": true, - "type": "string", + "encrypted": true, "required": false, - "encrypted": true + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "referenceable": true } }, { "azure_tenant_id": { - "required": false, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "required": false, "type": "string" } }, { "gcp_use_service_account": { - "required": false, - "description": "Use service account auth for GCP-based providers and models.", "default": false, + "description": "Use service account 
auth for GCP-based providers and models.", + "required": false, "type": "boolean" } }, { "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", - "referenceable": true, - "type": "string", + "encrypted": true, "required": false, - "encrypted": true + "type": "string", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "referenceable": true } }, { "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", - "referenceable": true, - "type": "string", + "encrypted": true, "required": false, - "encrypted": true + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "referenceable": true } }, { "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", - "referenceable": true, - "type": "string", + "encrypted": true, "required": false, - "encrypted": true + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "referenceable": true } }, { "allow_override": { - "required": false, - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "required": false, "type": "boolean" } } @@ -922,7 +1060,8 @@ "mistral", "llama2", "gemini", - "bedrock" + "bedrock", + "huggingface" ], "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "required": true, @@ -931,9 +1070,9 @@ }, { "name": { - "type": "string", "description": "Model name to execute.", - "required": false + "required": false, + "type": "string" } }, { @@ -941,9 +1080,9 @@ "fields": [ { "max_tokens": { - "required": false, - "description": "Defines the max_tokens, if using chat or completion models.", "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "required": false, "type": "integer" } }, 
@@ -998,31 +1137,31 @@ }, { "anthropic_version": { - "type": "string", "description": "Defines the schema/API version, if using Anthropic provider.", - "required": false + "required": false, + "type": "string" } }, { "azure_instance": { - "type": "string", "description": "Instance name for Azure OpenAI hosted models.", - "required": false + "required": false, + "type": "string" } }, { "azure_api_version": { - "required": false, - "description": "'api-version' for Azure OpenAI instances.", "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "required": false, "type": "string" } }, { "azure_deployment_id": { - "type": "string", "description": "Deployment ID for Azure OpenAI instances.", - "required": false + "required": false, + "type": "string" } }, { 
@@ -1050,53 +1189,53 @@ }, { "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", "required": false, - "type": "string", - "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint." + "type": "string" } }, { "upstream_path": { "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "gemini": { + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], "fields": [ { "api_endpoint": { - "type": "string", "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", - "required": false + "required": false, + "type": "string" } }, { "project_id": { - "type": "string", "description": "If running Gemini on Vertex, specify the project ID.", - "required": false + "required": false, + "type": "string" } }, { "location_id": { - "type": "string", "description": "If running Gemini on Vertex, specify the location ID.", - "required": false + "required": false, + "type": "string" } } ], "required": false, - "entity_checks": [ - { - "mutually_required": [ - "api_endpoint", - "project_id", - "location_id" - ] - } - ], "type": "record" } }, 
@@ -1106,8 +1245,30 @@ { "aws_region": { "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", - "type": "string", - "required": false + "required": false, + "type": "string" + } + } + ], + "required": false, + "type": "record" + } + }, + { + "huggingface": { + "fields": [ + { + "use_cache": { + "description": "Use the cache layer on the inference API", + "required": false, + "type": "boolean" + } + }, + { + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "required": false, + "type": "boolean" } } ], @@ -1116,9 +1277,9 @@ } } ], - "type": "record", + "description": "Key/value settings for the model", "required": false, - "description": "Key/value settings for the model" + "type": "record" } } ], @@ -1128,20 +1289,20 @@ }, { "weight": { + "default": 100, + "description": "The weight this target gets within the upstream loadbalancer (1-65535).", "between": [ 1, 65535 ], - "type": "integer", - "default": 100, - "description": "The weight this target gets within the upstream loadbalancer (1-65535)." + "type": "integer" } }, { "description": { "description": "The semantic description of the target, required if using semantic load balancing.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { 
@@ -1149,17 +1310,17 @@ "fields": [ { "log_statistics": { - "required": true, - "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "required": true, "type": "boolean" } }, { "log_payloads": { - "required": true, - "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "required": true, "type": "boolean" } } 
@@ -1168,153 +1329,15 @@ "type": "record" } } - ], - "type": "record", - "entity_checks": [ - { - "conditional": { - "then_err": "bedrock and gemini only support auth.allow_override = false", - "if_match": { - "one_of": [ - "bedrock", - "gemini" - ] - }, - "then_field": "auth.allow_override", - "if_field": "model.provider", - "then_match": { - "eq": false - } - } - }, - { - "mutually_required": [ - "auth.header_name", - "auth.header_value" - ] - }, - { - "mutually_required": [ - "auth.param_name", - "auth.param_value", - "auth.param_location" - ] - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "llama2" - ] - }, - "then_err": "must set %s for llama2 provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.llama2_format" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "mistral" - ] - }, - "then_err": "must set %s for mistral provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.mistral_format" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "anthropic" - ] - }, - "then_err": "must set %s for anthropic provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.anthropic_version" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_instance" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_api_version" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - 
"model.options.azure_deployment_id" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "llama2" - ] - }, - "then_err": "must set %s for self-hosted providers/models", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.upstream_url" - ] - } - }, - { - "custom_entity_check": { - "field_sources": [ - "route_type", - "model", - "logging" - ] - } - } - ], - "required": true - } + ] + }, + "required": true, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/ai-proxy/3.9.x.json b/schemas/ai-proxy/3.9.x.json index 30f41ce9..d66b2f6d 100644 --- a/schemas/ai-proxy/3.9.x.json +++ b/schemas/ai-proxy/3.9.x.json @@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -14,19 +22,151 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "config": { + "entity_checks": [ + { + "conditional": { + "then_err": "bedrock and gemini only support auth.allow_override = false", + "if_match": { + "one_of": [ + "bedrock", + "gemini" + ] + }, + "then_field": "auth.allow_override", + "if_field": "model.provider", + "then_match": { + "eq": false + } + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for llama2 provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + 
"azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] + } + } + ], + "type": "record", + "required": true, "fields": [ { "route_type": { 
@@ -45,36 +185,36 @@ "fields": [ { "header_name": { - "required": false, - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "referenceable": true, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "required": false, "type": "string" } }, { "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", - "referenceable": true, - "type": "string", + "encrypted": true, "required": false, - "encrypted": true + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "referenceable": true } }, { "param_name": { - "required": false, - "description": "If AI model requires authentication via query parameter, specify its name here.", "referenceable": true, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "required": false, "type": "string" } }, { "param_value": { - "description": "Specify the full parameter value for 'param_name'.", - "referenceable": true, - "type": "string", + "encrypted": true, "required": false, - "encrypted": true + "type": "string", + "description": "Specify the full parameter value for 'param_name'.", + "referenceable": true } }, { 
@@ -90,77 +230,77 @@ }, { "azure_use_managed_identity": { - "required": false, - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "required": false, "type": "boolean" } }, { "azure_client_id": { - "required": false, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "required": false, "type": "string" } }, { "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", - "referenceable": true, - "type": "string", + "encrypted": true, "required": false, - "encrypted": true + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "referenceable": true } }, { "azure_tenant_id": { - "required": false, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "required": false, "type": "string" } }, { "gcp_use_service_account": { - "required": false, - "description": "Use service account auth for GCP-based providers and models.", "default": false, + "description": "Use service account 
auth for GCP-based providers and models.", + "required": false, "type": "boolean" } }, { "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", - "referenceable": true, - "type": "string", + "encrypted": true, "required": false, - "encrypted": true + "type": "string", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "referenceable": true } }, { "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", - "referenceable": true, - "type": "string", + "encrypted": true, "required": false, - "encrypted": true + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "referenceable": true } }, { "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", - "referenceable": true, - "type": "string", + "encrypted": true, "required": false, - "encrypted": true + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "referenceable": true } }, { "allow_override": { - "required": false, - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "required": false, "type": "boolean" } } @@ -182,7 +322,8 @@ "mistral", "llama2", "gemini", - "bedrock" + "bedrock", + "huggingface" ], "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "required": true, @@ -191,9 +332,9 @@ }, { "name": { - "type": "string", "description": "Model name to execute.", - "required": false + "required": false, + "type": "string" } }, { @@ -201,9 +342,9 @@ "fields": [ { "max_tokens": { - "required": false, - "description": "Defines the max_tokens, if using chat or completion models.", "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "required": false, "type": "integer" } }, 
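Review bot: The `allow_override` description at the end of the `@@ -90,77 +230,77 @@` hunk is ambiguous about direction: "can be overridden in the request by the value configured in the plugin" can be read as the plugin's credential replacing the caller's, or as the caller's replacing the plugin's. The two readings have opposite security consequences, because one of them lets a client choose the credential that is sent upstream. I would state the direction explicitly, for example `"description": "If enabled, an authorization header or parameter supplied by the client replaces the value configured in the plugin."`, after confirming the actual behaviour against the plugin code. The enclosing record starts outside the hunk.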
@@ -258,31 +399,31 @@ }, { "anthropic_version": { - "type": "string", "description": "Defines the schema/API version, if using Anthropic provider.", - "required": false + "required": false, + "type": "string" } }, { "azure_instance": { - "type": "string", "description": "Instance name for Azure OpenAI hosted models.", - "required": false + "required": false, + "type": "string" } }, { "azure_api_version": { - "required": false, - "description": "'api-version' for Azure OpenAI instances.", "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "required": false, "type": "string" } }, { "azure_deployment_id": { - "type": "string", "description": "Deployment ID for Azure OpenAI instances.", - "required": false + "required": false, + "type": "string" } }, { 
@@ -310,53 +451,53 @@ }, { "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", "required": false, - "type": "string", - "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint." + "type": "string" } }, { "upstream_path": { "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "gemini": { + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], "fields": [ { "api_endpoint": { - "type": "string", "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", - "required": false + "required": false, + "type": "string" } }, { "project_id": { - "type": "string", "description": "If running Gemini on Vertex, specify the project ID.", - "required": false + "required": false, + "type": "string" } }, { "location_id": { - "type": "string", "description": "If running Gemini on Vertex, specify the location ID.", - "required": false + "required": false, + "type": "string" } } ], "required": false, - "entity_checks": [ - { - "mutually_required": [ - "api_endpoint", - "project_id", - "location_id" - ] - } - ], "type": "record" } }, 
@@ -366,8 +507,30 @@ { "aws_region": { "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", - "type": "string", - "required": false + "required": false, + "type": "string" + } + } + ], + "required": false, + "type": "record" + } + }, + { + "huggingface": { + "fields": [ + { + "use_cache": { + "description": "Use the cache layer on the inference API", + "required": false, + "type": "boolean" + } + }, + { + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "required": false, + "type": "boolean" } } ], @@ -376,9 +539,9 @@ } } ], - "type": "record", + "description": "Key/value settings for the model", "required": false, - "description": "Key/value settings for the model" + "type": "record" } } ], @@ -391,17 +554,17 @@ "fields": [ { "log_statistics": { - "required": true, - "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "required": true, "type": "boolean" } }, { "log_payloads": { - "required": true, - "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "required": true, "type": "boolean" } } @@ -413,9 +576,9 @@ { "response_streaming": { "required": false, - "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", "type": "string", "default": "allow", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", "one_of": [ "allow", "deny", 
@@ -425,160 +588,20 @@ }, { "max_request_body_size": { - "gt": 0, - "description": "max allowed body size allowed to be introspected", "default": 8192, + "description": "max allowed body size allowed to be introspected", + "gt": 0, "type": "integer" } }, { "model_name_header": { - "description": "Display the model name selected in the X-Kong-LLM-Model response header", "default": true, + "description": "Display the model name selected in the X-Kong-LLM-Model response header", "type": "boolean" } } - ], - "type": "record", - "entity_checks": [ - { - "conditional": { - "then_err": "bedrock and gemini only support auth.allow_override = false", - "if_match": { - "one_of": [ - "bedrock", - "gemini" - ] - }, - "then_field": "auth.allow_override", - "if_field": "model.provider", - "then_match": { - "eq": false - } - } - }, - { - "mutually_required": [ - "auth.header_name", - "auth.header_value" - ] - }, - { - "mutually_required": [ - "auth.param_name", - "auth.param_value", - "auth.param_location" - ] - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "llama2" - ] - }, - "then_err": "must set %s for llama2 provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.llama2_format" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "mistral" - ] - }, - "then_err": "must set %s for mistral provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.mistral_format" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "anthropic" - ] - }, - "then_err": "must set %s for anthropic provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.anthropic_version" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_instance" - ] - } - }, 
- { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_api_version" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_deployment_id" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "llama2" - ] - }, - "then_err": "must set %s for self-hosted providers/models", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.upstream_url" - ] - } - }, - { - "custom_entity_check": { - "field_sources": [ - "route_type", - "model", - "logging" - ] - } - } - ], - "required": true + ] } } ] diff --git a/schemas/ai-rate-limiting-advanced/3.9.x.json b/schemas/ai-rate-limiting-advanced/3.9.x.json index d3dc66fe..07010f21 100644 --- a/schemas/ai-rate-limiting-advanced/3.9.x.json +++ b/schemas/ai-rate-limiting-advanced/3.9.x.json @@ -12,6 +12,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -20,15 +28,7 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { 
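Review bot: `max_request_body_size` in the `@@ -425,160 +588,20 @@` hunk is described as "max allowed body size allowed to be introspected", which repeats itself and gives no unit, and its only constraint is `"gt": 0`. This value decides how much of a request body the plugin reads for inspection, so the description should name the unit and say what happens to larger bodies, e.g. `"description": "Maximum request body size, in bytes, that the plugin will introspect."` (unit assumed from the 8192 default; confirm). An upper bound on the field would also keep a mistyped value from permitting very large bodies to be buffered.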
@@ -36,10 +36,10 @@ "fields": [ { "identifier": { - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", "required": true, "type": "string", "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", "one_of": [ "ip", "credential", @@ -53,9 +53,9 @@ }, { "window_type": { + "default": "sliding", "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", "type": "string", - "default": "sliding", "one_of": [ "fixed", "sliding" @@ -70,22 +70,20 @@ }, { "llm_providers": { - "type": "array", - "description": "The provider config. Takes an array of `name`, `limit` and `window size` values.", - "required": true, "elements": { + "type": "record", "fields": [ { "window_size": { - "required": true, "description": "The window size to apply a limit (defined in seconds).", + "required": true, "type": "number" } }, { "name": { - "description": "The LLM provider to which the rate limit applies.", "type": "string", + "description": "The LLM provider to which the rate limit applies.", "required": true, "one_of": [ "openai", 
@@ -96,28 +94,31 @@ "llama2", "bedrock", "gemini", + "huggingface", "requestPrompt" ] } }, { "limit": { - "required": true, "description": "The limit applies to the LLM provider within the defined window size. It used the query cost from the tokens to increment the counter.", + "required": true, "type": "number" } } - ], - "type": "record" - } + ] + }, + "description": "The provider config. Takes an array of `name`, `limit` and `window size` values.", + "required": true, + "type": "array" } }, { "strategy": { - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "required": true, "type": "string", "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "one_of": [ "cluster", "redis", 
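Review bot: The `strategy` description at the end of this hunk says the available values are `local` and `cluster`, but the `one_of` list directly below it visibly includes `redis` as well. An operator who configures from the description alone would not learn that the Redis-backed strategy exists, or that the `redis` record in this schema applies to it. I would extend the last sentence to ``Available values are: `local`, `cluster` and `redis`.`` The `one_of` list continues past the end of the hunk.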
@@ -127,30 +128,30 @@ }, { "dictionary_name": { - "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", - "type": "string", "default": "kong_rate_limiting_counters", - "required": true + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "required": true, + "type": "string" } }, { "hide_client_headers": { - "type": "boolean", "default": false, - "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters." + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" } }, { "retry_after_jitter_max": { - "type": "number", "default": 0, - "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header." + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. 
The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" } }, { "header_name": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." } }, { @@ -159,8 +160,8 @@ "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], "type": "string" 
@@ -168,56 +169,187 @@ }, { "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], "fields": 
[ { "host": { - "type": "string", "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } }, { "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { @@ -229,10 +361,10 @@ }, { "password": { + "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { 
@@ -244,27 +376,27 @@ }, { "sentinel_password": { + "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer" } }, { "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 ], - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "default": 256, "type": "integer" } }, 
@@ -274,276 +406,145 @@ 0, 2147483646 ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string" + ] } }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "required": false, + "type": "array", "elements": { + "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } } - ], - "type": "record" + ] }, - "type": "array", - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "required": false, + "type": "array", "elements": { + "type": "record", "fields": [ { "ip": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ "type": "integer" } } - ], - "type": "record" + ] }, - "type": "array", - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, { "ssl": { - "required": false, - "description": "If set to true, uses SSL to connect to Redis.", "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, "type": "boolean" } }, { "ssl_verify": { - "required": false, - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, "type": "boolean" } }, { "server_name": { - "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, - "description": "A string representing an SNI (server name indication) value for TLS." + "type": "string" } }, { "cluster_max_redirections": { - "required": false, - "description": "Maximum retry attempts for redirection.", "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, "type": "integer" } }, { "connection_is_proxied": { - "required": false, - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, "type": "boolean" } } - ], - "required": true, - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - }, - { - "cluster_addresses": { - "deprecation": { - "message": "cluster_addresses is deprecated, 
please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - } ] } }, { "disable_penalty": { - "type": "boolean", "default": false, - "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type and the request prompt provider." + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type and the request prompt provider.", + "type": "boolean" } }, { "request_prompt_count_function": { - "type": "string", "description": "If defined, it use custom function to count requests for the request prompt provider", - "required": false + "required": false, + "type": "string" } }, { 
@@ -556,24 +557,24 @@ }, { "error_message": { - "type": "string", "default": "AI token rate limit exceeded for provider(s): ", - "description": "Set a custom error message to return when the rate limit is exceeded." + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" } }, { "error_hide_providers": { - "type": "boolean", "default": false, - "description": "Optionally hide informative response that would otherwise provide information about the provider in the error message." + "description": "Optionally hide informative response that would otherwise provide information about the provider in the error message.", + "type": "boolean" } }, { "tokens_count_strategy": { - "description": "What tokens to use for cost calculation. Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` or `cost`.", "required": true, "type": "string", "default": "total_tokens", + "description": "What tokens to use for cost calculation. Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` or `cost`.", "one_of": [ "total_tokens", "prompt_tokens", @@ -583,8 +584,8 @@ } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/ai-request-transformer/3.9.x.json b/schemas/ai-request-transformer/3.9.x.json index 4f2435bb..1373c841 100644 --- a/schemas/ai-request-transformer/3.9.x.json +++ b/schemas/ai-request-transformer/3.9.x.json @@ -32,6 +32,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -40,22 +48,14 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -78,17 +78,17 @@ }, { "http_timeout": { - "required": true, - "description": "Timeout in milliseconds for the AI upstream service.", "default": 60000, + "description": "Timeout in milliseconds for the AI upstream service.", + "required": true, "type": "integer" } }, { "https_verify": { - "required": true, - "description": "Verify the TLS certificate of the AI upstream service.", "default": true, + "description": "Verify the TLS certificate of the AI upstream service.", + "required": true, "type": "boolean" } }, @@ -102,8 +102,8 @@ }, { "http_proxy_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { @@ -112,14 +112,14 @@ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "https_proxy_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { 
@@ -128,12 +128,150 @@ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "llm": { + "entity_checks": [ + { + "conditional": { + "then_err": "bedrock and gemini only support auth.allow_override = false", + "if_match": { + "one_of": [ + "bedrock", + "gemini" + ] + }, + "then_field": "auth.allow_override", + "if_field": "model.provider", + "then_match": { + "eq": false + } + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for llama2 provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ] + } + }, + { + 
"conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] + } + } + ], "fields": [ { "route_type": { @@ -149,39 +287,41 @@ }, { "auth": { + "type": "record", + "required": false, "fields": [ { "header_name": { - "type": "string", + "required": false, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "referenceable": true, - "required": false + "type": "string" } }, { "header_value": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", - "encrypted": true + "referenceable": true } }, { "param_name": { - "type": "string", + "required": false, "description": "If AI model requires authentication via query parameter, specify its name here.", "referenceable": true, - "required": false + "type": "string" } }, { "param_value": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "Specify the full parameter value for 'param_name'.", - "encrypted": true + "referenceable": true } }, { 
@@ -197,87 +337,87 @@ }, { "azure_use_managed_identity": { - "type": "boolean", - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "default": false, - "required": false + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "required": false, + "type": "boolean" } }, { "azure_client_id": { - "type": "string", + "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "referenceable": true, - "required": false + "type": "string" } }, { "azure_client_secret": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", - "encrypted": true + "referenceable": true } }, { "azure_tenant_id": { - "type": "string", + "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "referenceable": true, - "required": false + "type": "string" } }, { "gcp_use_service_account": { - "type": "boolean", - "description": "Use service account auth for GCP-based providers and models.", "default": false, - "required": false + "description": "Use service account auth for GCP-based providers and models.", + "required": false, + "type": "boolean" } }, { "gcp_service_account_json": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", - "encrypted": true + "referenceable": true } }, { "aws_access_key_id": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", - "encrypted": true + "referenceable": true } }, { "aws_secret_access_key": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", - "encrypted": true + "referenceable": true } }, { "allow_override": { - "type": "boolean", - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "default": false, - "required": false + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "required": false, + "type": "boolean" } } - ], - "required": false, - "type": "record" + ] } }, { "model": { + "type": "record", + "required": true, "fields": [ { "provider": { 
@@ -292,42 +432,46 @@ "mistral", "llama2", "gemini", - "bedrock" + "bedrock", + "huggingface" ] } }, { "name": { + "description": "Model name to execute.", "required": false, - "type": "string", - "description": "Model name to execute." + "type": "string" } }, { "options": { + "type": "record", + "description": "Key/value settings for the model", + "required": false, "fields": [ { "max_tokens": { - "type": "integer", - "description": "Defines the max_tokens, if using chat or completion models.", "default": 256, - "required": false + "description": "Defines the max_tokens, if using chat or completion models.", + "required": false, + "type": "integer" } }, { "input_cost": { "gt": 0, "description": "Defines the cost per 1M tokens in your prompt.", - "type": "number", - "required": false + "required": false, + "type": "number" } }, { "output_cost": { "gt": 0, "description": "Defines the cost per 1M tokens in the output of the AI.", - "type": "number", - "required": false + "required": false, + "type": "number" } }, { @@ -337,8 +481,8 @@ 5 ], "description": "Defines the matching temperature, if using chat or completion models.", - "type": "number", - "required": false + "required": false, + "type": "number" } }, { @@ -348,8 +492,8 @@ 1 ], "description": "Defines the top-p probability mass, if supported.", - "type": "number", - "required": false + "required": false, + "type": "number" } }, { 
@@ -359,37 +503,37 @@ 500 ], "description": "Defines the top-k most likely tokens, if supported.", - "type": "integer", - "required": false + "required": false, + "type": "integer" } }, { "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", "required": false, - "type": "string", - "description": "Defines the schema/API version, if using Anthropic provider." + "type": "string" } }, { "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", "required": false, - "type": "string", - "description": "Instance name for Azure OpenAI hosted models." + "type": "string" } }, { "azure_api_version": { - "type": "string", - "description": "'api-version' for Azure OpenAI instances.", "default": "2023-05-15", - "required": false + "description": "'api-version' for Azure OpenAI instances.", + "required": false, + "type": "string" } }, { "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", "required": false, - "type": "string", - "description": "Deployment ID for Azure OpenAI instances." + "type": "string" } }, { 
@@ -417,252 +561,131 @@ }, { "upstream_url": { - "required": false, "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "required": false, "type": "string" } }, { "upstream_path": { - "required": false, "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "required": false, "type": "string" } }, { "gemini": { + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], + "type": "record", + "required": false, "fields": [ { "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", "required": false, - "type": "string", - "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only)." + "type": "string" } }, { "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", "required": false, - "type": "string", - "description": "If running Gemini on Vertex, specify the project ID." + "type": "string" } }, { "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", "required": false, - "type": "string", - "description": "If running Gemini on Vertex, specify the location ID." 
+ "type": "string" } } - ], - "required": false, - "entity_checks": [ - { - "mutually_required": [ - "api_endpoint", - "project_id", - "location_id" - ] - } - ], - "type": "record" + ] } }, { "bedrock": { + "type": "record", + "required": false, "fields": [ { "aws_region": { - "required": false, "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "required": false, "type": "string" } } - ], + ] + } + }, + { + "huggingface": { + "type": "record", "required": false, - "type": "record" + "fields": [ + { + "use_cache": { + "description": "Use the cache layer on the inference API", + "required": false, + "type": "boolean" + } + }, + { + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "required": false, + "type": "boolean" + } + } + ] } } - ], - "type": "record", - "description": "Key/value settings for the model", - "required": false + ] } } - ], - "required": true, - "type": "record" + ] } }, { "logging": { + "type": "record", + "required": true, "fields": [ { "log_statistics": { - "type": "boolean", - "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", "default": false, - "required": true + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "required": true, + "type": "boolean" } }, { "log_payloads": { - "type": "boolean", - "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", "default": false, - "required": true + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "required": true, + "type": "boolean" } } - ], - "required": true, - "type": "record" - } - } - ], - "type": "record", - "entity_checks": [ - { - "conditional": { - "then_err": "bedrock and gemini only support auth.allow_override 
= false", - "if_match": { - "one_of": [ - "bedrock", - "gemini" - ] - }, - "then_field": "auth.allow_override", - "if_field": "model.provider", - "then_match": { - "eq": false - } - } - }, - { - "mutually_required": [ - "auth.header_name", - "auth.header_value" - ] - }, - { - "mutually_required": [ - "auth.param_name", - "auth.param_value", - "auth.param_location" - ] - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "llama2" - ] - }, - "then_err": "must set %s for llama2 provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.llama2_format" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "mistral" - ] - }, - "then_err": "must set %s for mistral provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.mistral_format" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "anthropic" - ] - }, - "then_err": "must set %s for anthropic provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.anthropic_version" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_instance" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_api_version" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_deployment_id" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "llama2" - ] - }, - "then_err": "must set %s for self-hosted 
providers/models", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.upstream_url" - ] - } - }, - { - "custom_entity_check": { - "field_sources": [ - "route_type", - "model", - "logging" ] } } ], - "required": true + "required": true, + "type": "record" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/ai-response-transformer/3.9.x.json b/schemas/ai-response-transformer/3.9.x.json index 245cf031..30d69cd6 100644 --- a/schemas/ai-response-transformer/3.9.x.json +++ b/schemas/ai-response-transformer/3.9.x.json @@ -32,6 +32,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -40,15 +48,7 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { 
@@ -57,53 +57,53 @@ { "prompt": { "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting.", - "type": "string", - "required": true + "required": true, + "type": "string" } }, { "transformation_extract_pattern": { "description": "Defines the regular expression that must match to indicate a successful AI transformation at the response phase. The first match will be set as the returning body. If the AI service's response doesn't match this pattern, a failure is returned to the client.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "parse_llm_response_json_instructions": { - "required": true, - "type": "boolean", "default": false, - "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions." + "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions.", + "required": true, + "type": "boolean" } }, { "http_timeout": { - "required": true, - "type": "integer", "default": 60000, - "description": "Timeout in milliseconds for the AI upstream service." + "description": "Timeout in milliseconds for the AI upstream service.", + "required": true, + "type": "integer" } }, { "https_verify": { - "required": true, - "type": "boolean", "default": true, - "description": "Verify the TLS certificate of the AI upstream service." 
+ "description": "Verify the TLS certificate of the AI upstream service.", + "required": true, + "type": "boolean" } }, { "max_request_body_size": { - "gt": 0, - "type": "integer", "default": 8192, - "description": "max allowed body size allowed to be introspected" + "description": "max allowed body size allowed to be introspected", + "gt": 0, + "type": "integer" } }, { "http_proxy_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { @@ -112,14 +112,14 @@ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "https_proxy_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { 
@@ -128,12 +128,150 @@ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "llm": { + "entity_checks": [ + { + "conditional": { + "then_err": "bedrock and gemini only support auth.allow_override = false", + "if_match": { + "one_of": [ + "bedrock", + "gemini" + ] + }, + "then_field": "auth.allow_override", + "if_field": "model.provider", + "then_match": { + "eq": false + } + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for llama2 provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ] + } + }, + { + 
"conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] + } + } + ], "fields": [ { "route_type": { @@ -149,39 +287,41 @@ }, { "auth": { + "type": "record", + "required": false, "fields": [ { "header_name": { - "type": "string", + "required": false, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "referenceable": true, - "required": false + "type": "string" } }, { "header_value": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", - "encrypted": true + "referenceable": true } }, { "param_name": { - "type": "string", + "required": false, "description": "If AI model requires authentication via query parameter, specify its name here.", "referenceable": true, - "required": false + "type": "string" } }, { "param_value": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "Specify the full parameter value for 'param_name'.", - "encrypted": true + "referenceable": true } }, { 
@@ -197,87 +337,87 @@ }, { "azure_use_managed_identity": { - "type": "boolean", - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "default": false, - "required": false + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "required": false, + "type": "boolean" } }, { "azure_client_id": { - "type": "string", + "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "referenceable": true, - "required": false + "type": "string" } }, { "azure_client_secret": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", - "encrypted": true + "referenceable": true } }, { "azure_tenant_id": { - "type": "string", + "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "referenceable": true, - "required": false + "type": "string" } }, { "gcp_use_service_account": { - "type": "boolean", - "description": "Use service account auth for GCP-based providers and models.", "default": false, - "required": false + "description": "Use service account auth for GCP-based providers and models.", + "required": false, + "type": "boolean" } }, { "gcp_service_account_json": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", - "encrypted": true + "referenceable": true } }, { "aws_access_key_id": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", - "encrypted": true + "referenceable": true } }, { "aws_secret_access_key": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", - "encrypted": true + "referenceable": true } }, { "allow_override": { - "type": "boolean", - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "default": false, - "required": false + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "required": false, + "type": "boolean" } } - ], - "required": false, - "type": "record" + ] } }, { "model": { + "type": "record", + "required": true, "fields": [ { "provider": { 
@@ -292,42 +432,46 @@ "mistral", "llama2", "gemini", - "bedrock" + "bedrock", + "huggingface" ] } }, { "name": { + "description": "Model name to execute.", "required": false, - "type": "string", - "description": "Model name to execute." + "type": "string" } }, { "options": { + "type": "record", + "description": "Key/value settings for the model", + "required": false, "fields": [ { "max_tokens": { - "type": "integer", - "description": "Defines the max_tokens, if using chat or completion models.", "default": 256, - "required": false + "description": "Defines the max_tokens, if using chat or completion models.", + "required": false, + "type": "integer" } }, { "input_cost": { "gt": 0, "description": "Defines the cost per 1M tokens in your prompt.", - "type": "number", - "required": false + "required": false, + "type": "number" } }, { "output_cost": { "gt": 0, "description": "Defines the cost per 1M tokens in the output of the AI.", - "type": "number", - "required": false + "required": false, + "type": "number" } }, { @@ -337,8 +481,8 @@ 5 ], "description": "Defines the matching temperature, if using chat or completion models.", - "type": "number", - "required": false + "required": false, + "type": "number" } }, { @@ -348,8 +492,8 @@ 1 ], "description": "Defines the top-p probability mass, if supported.", - "type": "number", - "required": false + "required": false, + "type": "number" } }, { 
@@ -359,37 +503,37 @@ 500 ], "description": "Defines the top-k most likely tokens, if supported.", - "type": "integer", - "required": false + "required": false, + "type": "integer" } }, { "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", "required": false, - "type": "string", - "description": "Defines the schema/API version, if using Anthropic provider." + "type": "string" } }, { "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", "required": false, - "type": "string", - "description": "Instance name for Azure OpenAI hosted models." + "type": "string" } }, { "azure_api_version": { - "type": "string", - "description": "'api-version' for Azure OpenAI instances.", "default": "2023-05-15", - "required": false + "description": "'api-version' for Azure OpenAI instances.", + "required": false, + "type": "string" } }, { "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", "required": false, - "type": "string", - "description": "Deployment ID for Azure OpenAI instances." + "type": "string" } }, { 
@@ -417,252 +561,131 @@ }, { "upstream_url": { - "required": false, "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "required": false, "type": "string" } }, { "upstream_path": { - "required": false, "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "required": false, "type": "string" } }, { "gemini": { + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], + "type": "record", + "required": false, "fields": [ { "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", "required": false, - "type": "string", - "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only)." + "type": "string" } }, { "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", "required": false, - "type": "string", - "description": "If running Gemini on Vertex, specify the project ID." + "type": "string" } }, { "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", "required": false, - "type": "string", - "description": "If running Gemini on Vertex, specify the location ID." 
+ "type": "string" } } - ], - "required": false, - "entity_checks": [ - { - "mutually_required": [ - "api_endpoint", - "project_id", - "location_id" - ] - } - ], - "type": "record" + ] } }, { "bedrock": { + "type": "record", + "required": false, "fields": [ { "aws_region": { - "required": false, "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "required": false, "type": "string" } } - ], + ] + } + }, + { + "huggingface": { + "type": "record", "required": false, - "type": "record" + "fields": [ + { + "use_cache": { + "description": "Use the cache layer on the inference API", + "required": false, + "type": "boolean" + } + }, + { + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "required": false, + "type": "boolean" + } + } + ] } } - ], - "type": "record", - "description": "Key/value settings for the model", - "required": false + ] } } - ], - "required": true, - "type": "record" + ] } }, { "logging": { + "type": "record", + "required": true, "fields": [ { "log_statistics": { - "type": "boolean", - "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", "default": false, - "required": true + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "required": true, + "type": "boolean" } }, { "log_payloads": { - "type": "boolean", - "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", "default": false, - "required": true + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "required": true, + "type": "boolean" } } - ], - "required": true, - "type": "record" - } - } - ], - "type": "record", - "entity_checks": [ - { - "conditional": { - "then_err": "bedrock and gemini only support auth.allow_override 
= false", - "if_match": { - "one_of": [ - "bedrock", - "gemini" - ] - }, - "then_field": "auth.allow_override", - "if_field": "model.provider", - "then_match": { - "eq": false - } - } - }, - { - "mutually_required": [ - "auth.header_name", - "auth.header_value" - ] - }, - { - "mutually_required": [ - "auth.param_name", - "auth.param_value", - "auth.param_location" - ] - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "llama2" - ] - }, - "then_err": "must set %s for llama2 provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.llama2_format" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "mistral" - ] - }, - "then_err": "must set %s for mistral provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.mistral_format" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "anthropic" - ] - }, - "then_err": "must set %s for anthropic provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.anthropic_version" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_instance" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_api_version" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_deployment_id" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "llama2" - ] - }, - "then_err": "must set %s for self-hosted 
providers/models", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.upstream_url" - ] - } - }, - { - "custom_entity_check": { - "field_sources": [ - "route_type", - "model", - "logging" ] } } ], - "required": true + "required": true, + "type": "record" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/ai-semantic-cache/3.9.x.json b/schemas/ai-semantic-cache/3.9.x.json index 32ef5abd..afa47df0 100644 --- a/schemas/ai-semantic-cache/3.9.x.json +++ b/schemas/ai-semantic-cache/3.9.x.json @@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -14,15 +22,7 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { 
@@ -30,106 +30,110 @@ "fields": [ { "message_countback": { + "default": 1, + "description": "Number of messages in the chat history to Vectorize/Cache", "between": [ 1, 1000 ], - "description": "Number of messages in the chat history to Vectorize/Cache", - "default": 1, "type": "number" } }, { "ignore_system_prompts": { - "description": "Ignore and discard any system prompts when Vectorizing the request", "default": false, + "description": "Ignore and discard any system prompts when Vectorizing the request", "type": "boolean" } }, { "ignore_assistant_prompts": { - "description": "Ignore and discard any assistant prompts when Vectorizing the request", "default": false, + "description": "Ignore and discard any assistant prompts when Vectorizing the request", "type": "boolean" } }, { "ignore_tool_prompts": { - "description": "Ignore and discard any tool prompts when Vectorizing the request", "default": false, + "description": "Ignore and discard any tool prompts when Vectorizing the request", "type": "boolean" } }, { "stop_on_failure": { - "type": "boolean", - "description": "Halt the LLM request process in case of a caching system failure", "default": false, - "required": true + "description": "Halt the LLM request process in case of a caching system failure", + "required": true, + "type": "boolean" } }, { "cache_ttl": { - "gt": 0, - "description": "TTL in seconds of cache entities. Must be a value greater than 0.", "default": 300, + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "gt": 0, "type": "integer" } }, { "cache_control": { - "type": "boolean", - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", "default": false, - "required": true + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "required": true, + "type": "boolean" } }, { "exact_caching": { - "type": "boolean", - "description": "When enabled, a first check for exact query will be done. 
It will impact DB size", "default": false, - "required": true + "description": "When enabled, a first check for exact query will be done. It will impact DB size", + "required": true, + "type": "boolean" } }, { "embeddings": { + "type": "record", + "required": true, "fields": [ { "auth": { + "type": "record", + "required": false, "fields": [ { "header_name": { - "type": "string", + "required": false, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "referenceable": true, - "required": false + "type": "string" } }, { "header_value": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", - "encrypted": true + "referenceable": true } }, { "param_name": { - "type": "string", + "required": false, "description": "If AI model requires authentication via query parameter, specify its name here.", "referenceable": true, - "required": false + "type": "string" } }, { "param_value": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "Specify the full parameter value for 'param_name'.", - "encrypted": true + "referenceable": true } }, { 
@@ -145,87 +149,87 @@ }, { "azure_use_managed_identity": { - "type": "boolean", - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "default": false, - "required": false + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "required": false, + "type": "boolean" } }, { "azure_client_id": { - "type": "string", + "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "referenceable": true, - "required": false + "type": "string" } }, { "azure_client_secret": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", - "encrypted": true + "referenceable": true } }, { "azure_tenant_id": { - "type": "string", + "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "referenceable": true, - "required": false + "type": "string" } }, { "gcp_use_service_account": { - "type": "boolean", - "description": "Use service account auth for GCP-based providers and models.", "default": false, - "required": false + "description": "Use service account auth for GCP-based providers and models.", + "required": false, + "type": "boolean" } }, { "gcp_service_account_json": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", - "encrypted": true + "referenceable": true } }, { "aws_access_key_id": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", - "encrypted": true + "referenceable": true } }, { "aws_secret_access_key": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", - "encrypted": true + "referenceable": true } }, { "allow_override": { - "type": "boolean", - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "default": false, - "required": false + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "required": false, + "type": "boolean" } } - ], - "required": false, - "type": "record" + ] } }, { "model": { + "type": "record", + "required": true, "fields": [ { "provider": { 
@@ -240,39 +244,37 @@ }, { "name": { + "description": "Model name to execute.", "required": true, - "type": "string", - "description": "Model name to execute." + "type": "string" } }, { "options": { + "type": "record", + "description": "Key/value settings for the model", + "required": false, "fields": [ { "upstream_url": { "description": "upstream url for the embeddings", - "type": "string", - "required": false + "required": false, + "type": "string" } } - ], - "type": "record", - "description": "Key/value settings for the model", - "required": false + ] } } - ], - "required": true, - "type": "record" + ] } } - ], - "required": true, - "type": "record" + ] } }, { "vectordb": { + "type": "record", + "required": true, "fields": [ { "strategy": { @@ -286,16 +288,16 @@ }, { "dimensions": { + "description": "the desired dimensionality for the vectors", "required": true, - "type": "integer", - "description": "the desired dimensionality for the vectors" + "type": "integer" } }, { "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float)", "required": true, - "type": "number", - "description": "the default similarity threshold for accepting semantic search results (float)" + "type": "number" } }, { 
@@ -311,56 +313,187 @@ }, { "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], "fields": 
[ { "host": { - "type": "string", "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } }, { "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { @@ -372,10 +505,10 @@ }, { "password": { + "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { 
@@ -387,27 +520,27 @@ }, { "sentinel_password": { + "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer" } }, { "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 ], - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "default": 256, "type": "integer" } }, 
@@ -417,272 +550,139 @@ 0, 2147483646 ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string" + ] } }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "required": false, + "type": "array", "elements": { + "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } } - ], - "type": "record" + ] }, - "type": "array", - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "required": false, + "type": "array", "elements": { + "type": "record", "fields": [ { "ip": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ "type": "integer" } } - ], - "type": "record" + ] }, - "type": "array", - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, { "ssl": { - "required": false, - "description": "If set to true, uses SSL to connect to Redis.", "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, "type": "boolean" } }, { "ssl_verify": { - "required": false, - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, "type": "boolean" } }, { "server_name": { - "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, - "description": "A string representing an SNI (server name indication) value for TLS." + "type": "string" } }, { "cluster_max_redirections": { - "required": false, - "description": "Maximum retry attempts for redirection.", "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, "type": "integer" } }, { "connection_is_proxied": { - "required": false, - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, "type": "boolean" } } - ], - "required": true, - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - }, - { - "cluster_addresses": { - "deprecation": { - "message": "cluster_addresses is deprecated, 
please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - } ] } } - ], - "required": true, - "type": "record" + ] } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/ai-semantic-prompt-guard/3.9.x.json b/schemas/ai-semantic-prompt-guard/3.9.x.json index 1a25c6e3..c1fac108 100644 --- a/schemas/ai-semantic-prompt-guard/3.9.x.json +++ b/schemas/ai-semantic-prompt-guard/3.9.x.json @@ -11,6 +11,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -19,15 +27,7 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { 
@@ -35,42 +35,46 @@ "fields": [ { "embeddings": { + "type": "record", + "required": true, "fields": [ { "auth": { + "type": "record", + "required": false, "fields": [ { "header_name": { - "type": "string", + "required": false, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "referenceable": true, - "required": false + "type": "string" } }, { "header_value": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", - "encrypted": true + "referenceable": true } }, { "param_name": { - "type": "string", + "required": false, "description": "If AI model requires authentication via query parameter, specify its name here.", "referenceable": true, - "required": false + "type": "string" } }, { "param_value": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "Specify the full parameter value for 'param_name'.", - "encrypted": true + "referenceable": true } }, { 
@@ -86,87 +90,87 @@ }, { "azure_use_managed_identity": { - "type": "boolean", - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "default": false, - "required": false + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "required": false, + "type": "boolean" } }, { "azure_client_id": { - "type": "string", + "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "referenceable": true, - "required": false + "type": "string" } }, { "azure_client_secret": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", - "encrypted": true + "referenceable": true } }, { "azure_tenant_id": { - "type": "string", + "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "referenceable": true, - "required": false + "type": "string" } }, { "gcp_use_service_account": { - "type": "boolean", - "description": "Use service account auth for GCP-based providers and models.", "default": false, - "required": false + "description": "Use service account auth for GCP-based providers and models.", + "required": false, + "type": "boolean" } }, { "gcp_service_account_json": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", - "encrypted": true + "referenceable": true } }, { "aws_access_key_id": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", - "encrypted": true + "referenceable": true } }, { "aws_secret_access_key": { + "encrypted": true, "required": false, - "referenceable": true, "type": "string", "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", - "encrypted": true + "referenceable": true } }, { "allow_override": { - "type": "boolean", - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "default": false, - "required": false + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "required": false, + "type": "boolean" } } - ], - "required": false, - "type": "record" + ] } }, { "model": { + "type": "record", + "required": true, "fields": [ { "provider": { 
@@ -181,39 +185,37 @@ }, { "name": { + "description": "Model name to execute.", "required": true, - "type": "string", - "description": "Model name to execute." + "type": "string" } }, { "options": { + "type": "record", + "description": "Key/value settings for the model", + "required": false, "fields": [ { "upstream_url": { "description": "upstream url for the embeddings", - "type": "string", - "required": false + "required": false, + "type": "string" } } - ], - "type": "record", - "description": "Key/value settings for the model", - "required": false + ] } } - ], - "required": true, - "type": "record" + ] } } - ], - "required": true, - "type": "record" + ] } }, { "vectordb": { + "type": "record", + "required": true, "fields": [ { "strategy": { @@ -227,16 +229,16 @@ }, { "dimensions": { + "description": "the desired dimensionality for the vectors", "required": true, - "type": "integer", - "description": "the desired dimensionality for the vectors" + "type": "integer" } }, { "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float)", "required": true, - "type": "number", - "description": "the default similarity threshold for accepting semantic search results (float)" + "type": "number" } }, { 
@@ -252,56 +254,187 @@ }, { "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], "fields": 
[ { "host": { - "type": "string", "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } }, { "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { @@ -313,10 +446,10 @@ }, { "password": { + "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { 
@@ -328,27 +461,27 @@ }, { "sentinel_password": { + "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer" } }, { "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 ], - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "default": 256, "type": "integer" } }, 
@@ -358,346 +491,213 @@ 0, 2147483646 ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string" + ] } }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "required": false, + "type": "array", "elements": { + "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } } - ], - "type": "record" + ] }, - "type": "array", - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "required": false, + "type": "array", "elements": { + "type": "record", "fields": [ { "ip": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ "type": "integer" } } - ], - "type": "record" + ] }, - "type": "array", - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, { "ssl": { - "required": false, - "description": "If set to true, uses SSL to connect to Redis.", "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, "type": "boolean" } }, { "ssl_verify": { - "required": false, - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, "type": "boolean" } }, { "server_name": { - "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, - "description": "A string representing an SNI (server name indication) value for TLS." + "type": "string" } }, { "cluster_max_redirections": { - "required": false, - "description": "Maximum retry attempts for redirection.", "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, "type": "integer" } }, { "connection_is_proxied": { - "required": false, - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, "type": "boolean" } } - ], - "required": true, - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - }, - { - "cluster_addresses": { - "deprecation": { - "message": "cluster_addresses is deprecated, 
please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - } ] } } - ], - "required": true, - "type": "record" + ] } }, { "search": { + "type": "record", + "required": false, "fields": [ { "threshold": { - "type": "number", - "required": false, "default": 0.5, - "description": "Threshold for the similarity score to be considered a match." + "description": "Threshold for the similarity score to be considered a match.", + "required": false, + "type": "number" } } - ], - "type": "record", - "required": false + ] } }, { "rules": { + "type": "record", + "required": true, "fields": [ { "match_all_conversation_history": { - "type": "boolean", - "required": false, "default": false, - "description": "If false, will ignore all previous chat prompts from the conversation history." + "description": "If false, will ignore all previous chat prompts from the conversation history.", + "required": false, + "type": "boolean" } }, { "allow_prompts": { - "description": "List of prompts to allow.", + "len_max": 100, + "required": false, + "type": "array", "elements": { "len_max": 500, - "type": "string", - "len_min": 1 + "len_min": 1, + "type": "string" }, - "len_max": 100, - "type": "array", - "required": false + "description": "List of prompts to allow." } }, { "deny_prompts": { - "description": "List of prompts to deny.", + "len_max": 100, + "required": false, + "type": "array", "elements": { "len_max": 500, - "type": "string", - "len_min": 1 + "len_min": 1, + "type": "string" }, - "len_max": 100, - "type": "array", - "required": false + "description": "List of prompts to deny." 
} }, { "max_request_body_size": { - "gt": 0, - "type": "integer", "default": 8192, - "description": "max allowed body size allowed to be introspected" + "description": "max allowed body size allowed to be introspected", + "gt": 0, + "type": "integer" } }, { "match_all_roles": { - "type": "boolean", - "required": true, "default": false, - "description": "If true, will match all roles in addition to 'user' role in conversation history." + "description": "If true, will match all roles in addition to 'user' role in conversation history.", + "required": true, + "type": "boolean" } } - ], - "type": "record", - "required": true + ] } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/app-dynamics/3.9.x.json b/schemas/app-dynamics/3.9.x.json index 0abe1931..8e65202b 100644 --- a/schemas/app-dynamics/3.9.x.json +++ b/schemas/app-dynamics/3.9.x.json @@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -14,22 +22,14 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -38,8 +38,8 @@ "fields": [ ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/aws-lambda/3.9.x.json b/schemas/aws-lambda/3.9.x.json index 45dcdb61..583a9b6a 100644 --- a/schemas/aws-lambda/3.9.x.json +++ b/schemas/aws-lambda/3.9.x.json 
@@ -18,6 +18,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -26,22 +34,14 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -50,82 +50,82 @@ "fields": [ { "timeout": { - "required": true, - "type": "number", "default": 60000, - "description": "An optional timeout in milliseconds when invoking the function." + "description": "An optional timeout in milliseconds when invoking the function.", + "required": true, + "type": "number" } }, { "keepalive": { - "required": true, - "type": "number", "default": 60000, - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "required": true, + "type": "number" } }, { "aws_key": { + "encrypted": true, "description": "The AWS key credential to be used when invoking the function.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { "aws_secret": { + "encrypted": true, "description": "The AWS secret credential to be used when invoking the function. ", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { "aws_assume_role_arn": { + "encrypted": true, "description": "The target AWS IAM role ARN used to invoke the Lambda function.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { "aws_role_session_name": { - "type": "string", "default": "kong", - "description": "The identifier of the assumed role session." + "description": "The identifier of the assumed role session.", + "type": "string" } }, { "aws_sts_endpoint_url": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
} }, { "aws_region": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "function_name": { - "required": false, "description": "The AWS Lambda function to invoke. Both function name and function ARN (including partial) are supported.", + "required": false, "type": "string" } }, { "qualifier": { - "type": "string", - "description": "The qualifier to use when invoking the function." + "description": "The qualifier to use when invoking the function.", + "type": "string" } }, { "invocation_type": { "required": true, - "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", "type": "string", "default": "RequestResponse", + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", "one_of": [ "RequestResponse", "Event", @@ -136,9 +136,9 @@ { "log_type": { "required": true, - "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", "type": "string", "default": "Tail", + "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", "one_of": [ "Tail", "None" @@ -147,19 +147,19 @@ }, { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { + "default": 443, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 443, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } }, { 
@@ -180,72 +180,72 @@ }, { "forward_request_method": { - "type": "boolean", "default": false, - "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request." + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", + "type": "boolean" } }, { "forward_request_uri": { - "type": "boolean", "default": false, - "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request." + "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", + "type": "boolean" } }, { "forward_request_headers": { - "type": "boolean", "default": false, - "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request." + "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", + "type": "boolean" } }, { "forward_request_body": { - "type": "boolean", "default": false, - "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. " + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. 
", + "type": "boolean" } }, { "is_proxy_integration": { - "type": "boolean", "default": false, - "description": "An optional value that defines whether the response format to receive from the Lambda to this format." + "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", + "type": "boolean" } }, { "awsgateway_compatible": { - "type": "boolean", "default": false, - "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway." + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", + "type": "boolean" } }, { "proxy_url": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "skip_large_bodies": { - "type": "boolean", "default": true, - "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk" + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", + "type": "boolean" } }, { "base64_encode_body": { - "type": "boolean", "default": true, - "description": "An optional value that Base64-encodes the request body." + "description": "An optional value that Base64-encodes the request body.", + "type": "boolean" } }, { "aws_imds_protocol_version": { "required": true, - "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", "type": "string", "default": "v1", + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", "one_of": [ "v1", "v2" 
@@ -255,9 +255,9 @@ { "empty_arrays_mode": { "required": true, - "description": "An optional value that defines whether Kong should send empty arrays (returned by Lambda function) as `[]` arrays or `{}` objects in JSON responses. The value `legacy` means Kong will send empty arrays as `{}` objects in response", "type": "string", "default": "legacy", + "description": "An optional value that defines whether Kong should send empty arrays (returned by Lambda function) as `[]` arrays or `{}` objects in JSON responses. The value `legacy` means Kong will send empty arrays as `{}` objects in response", "one_of": [ "legacy", "correct" @@ -265,8 +265,8 @@ } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/azure-functions/3.9.x.json b/schemas/azure-functions/3.9.x.json index 1d647ca2..19e89278 100644 --- a/schemas/azure-functions/3.9.x.json +++ b/schemas/azure-functions/3.9.x.json @@ -6,9 +6,16 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -20,23 +27,16 @@ "udp", "ws", "wss" - ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing protocols." + ], + "type": "string" + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -45,80 +45,80 @@ "fields": [ { "timeout": { - "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", "default": 600000, + "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", "type": "number" } }, { "keepalive": { - "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", "default": 60000, + "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", "type": "number" } }, { "https": { - "description": "Use of HTTPS to connect with the Azure Functions server.", "default": true, + "description": "Use of HTTPS to connect with the Azure Functions server.", "type": "boolean" } }, { "https_verify": { - "description": "Set to `true` to authenticate the Azure Functions server.", "default": false, + "description": "Set to `true` to authenticate the Azure Functions server.", "type": "boolean" } }, { "apikey": { - "type": "string", + "encrypted": true, "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", "referenceable": true, - "encrypted": true + "type": "string" } }, { "clientid": { - "type": "string", + "encrypted": true, "description": "The `clientid` to access the Azure resources. 
If provided, it is injected as the `x-functions-clientid` header.", "referenceable": true, - "encrypted": true + "type": "string" } }, { "appname": { - "type": "string", "description": "The Azure app name.", - "required": true + "required": true, + "type": "string" } }, { "hostdomain": { + "default": "azurewebsites.net", "description": "The domain where the function resides.", "required": true, - "default": "azurewebsites.net", "type": "string" } }, { "routeprefix": { - "description": "Route prefix to use.", "default": "api", + "description": "Route prefix to use.", "type": "string" } }, { "functionname": { - "type": "string", "description": "Name of the Azure function to invoke.", - "required": true + "required": true, + "type": "string" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/basic-auth/3.9.x.json b/schemas/basic-auth/3.9.x.json index 48473232..0a5c8b49 100644 --- a/schemas/basic-auth/3.9.x.json +++ b/schemas/basic-auth/3.9.x.json @@ -6,15 +6,13 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", - "required": true, "default": [ "grpc", "grpcs", @@ -33,14 +31,16 @@ "ws", "wss" ] - } + }, + "required": true, + "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -55,23 +55,23 @@ }, { "hide_credentials": { - "required": true, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", + "required": true, "type": "boolean" } }, { "realm": { - "required": true, - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "default": "service", + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": true, "type": "string" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/bot-detection/3.9.x.json b/schemas/bot-detection/3.9.x.json index e7a25605..d48d260c 100644 --- a/schemas/bot-detection/3.9.x.json +++ b/schemas/bot-detection/3.9.x.json @@ -6,14 +6,22 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -22,22 +30,14 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -46,33 +46,33 @@ "fields": [ { "allow": { - "type": "array", + "elements": { + "type": "string", + "is_regex": true + }, "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", "default": [ ], - "elements": { - "is_regex": true, - "type": "string" - } + "type": "array" } }, { "deny": { - "type": "array", + "elements": { + "type": "string", + "is_regex": true + }, "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", "default": [ ], - "elements": { - "is_regex": true, - "type": "string" - } + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/canary/3.9.x.json b/schemas/canary/3.9.x.json index 8c350f42..a020f33c 100644 --- a/schemas/canary/3.9.x.json +++ b/schemas/canary/3.9.x.json @@ -36,22 +36,30 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -60,19 +68,21 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "config": { + "type": "record", + "shorthand_fields": [ + { + "hash": { + "type": "string", + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead." + } + } + ], + "required": true, "fields": [ { "start": { @@ -82,9 +92,9 @@ }, { "hash": { + "default": "consumer", "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", "type": "string", - "default": "consumer", "one_of": [ "consumer", "ip", @@ -97,24 +107,24 @@ }, { "hash_header": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." } }, { "duration": { - "gt": 0, - "type": "number", "default": 3600, - "description": "The duration of the canary release in seconds." + "description": "The duration of the canary release in seconds.", + "gt": 0, + "type": "number" } }, { "steps": { - "gt": 1, - "type": "number", "default": 1000, - "description": "The number of steps for the canary release." + "description": "The number of steps for the canary release.", + "gt": 1, + "type": "number" } }, { @@ -129,8 +139,8 @@ }, { "upstream_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { 
@@ -139,8 +149,8 @@ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { @@ -152,38 +162,28 @@ }, { "upstream_fallback": { - "description": "Specifies whether to fallback to the upstream server if the canary release fails.", - "type": "boolean", "default": false, - "required": true + "description": "Specifies whether to fallback to the upstream server if the canary release fails.", + "required": true, + "type": "boolean" } }, { "groups": { - "type": "array", - "description": "The groups allowed to access the canary release.", "elements": { "type": "string" - } + }, + "description": "The groups allowed to access the canary release.", + "type": "array" } }, { "canary_by_header_name": { - "description": "A string representing an HTTP header name.", - "type": "string" - } - } - ], - "required": true, - "shorthand_fields": [ - { - "hash": { "type": "string", - "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead." + "description": "A string representing an HTTP header name." } } - ], - "type": "record" + ] } } ] diff --git a/schemas/confluent/3.9.x.json b/schemas/confluent/3.9.x.json index 94cc4da6..534933d8 100644 --- a/schemas/confluent/3.9.x.json +++ b/schemas/confluent/3.9.x.json @@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -14,39 +22,42 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "forward_method", + "forward_uri", + "forward_headers", + "forward_body" + ] + } + } + ], "fields": [ { "bootstrap_servers": { - "type": "set", - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "elements": { + "type": "record", "fields": [ { "host": { - "type": "string", + "description": "A string representing a host name, such as example.com.", "required": true, - "description": "A string representing a host name, such as example.com." + "type": "string" } }, { @@ -55,35 +66,36 @@ 0, 65535 ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } } - ], - "type": "record" - } + ] + }, + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set" } }, { "topic": { - "required": true, "description": "The Kafka topic to publish to.", + "required": true, "type": "string" } }, { "timeout": { - "type": "integer", "default": 10000, - "description": "Socket timeout in milliseconds." + "description": "Socket timeout in milliseconds.", + "type": "integer" } }, { "keepalive": { - "type": "integer", "default": 60000, - "description": "Keepalive timeout in milliseconds." + "description": "Keepalive timeout in milliseconds.", + "type": "integer" } }, { 
@@ -94,81 +106,81 @@ }, { "cluster_api_key": { - "required": true, + "encrypted": true, "referenceable": true, "type": "string", "description": "Username/Apikey for SASL authentication.", - "encrypted": true + "required": true } }, { "cluster_api_secret": { - "required": true, + "encrypted": true, "referenceable": true, "type": "string", "description": "Password/ApiSecret for SASL authentication.", - "encrypted": true + "required": true } }, { "confluent_cloud_api_key": { - "required": false, + "encrypted": true, "referenceable": true, "type": "string", "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", - "encrypted": true + "required": false } }, { "confluent_cloud_api_secret": { - "required": false, + "encrypted": true, "referenceable": true, "type": "string", "description": "The corresponding secret for the Confluent Cloud API key.", - "encrypted": true + "required": false } }, { "forward_method": { - "type": "boolean", "default": false, - "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" } }, { "forward_uri": { - "type": "boolean", "default": false, - "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" } }, { "forward_headers": { - "type": "boolean", "default": false, - "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" } }, { "forward_body": { - "type": "boolean", "default": true, - "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" } }, { "cluster_name": { - "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", - "type": "string", "auto": true, - "required": false + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. 
Logs will be sent to the leader of the cluster.", + "required": false, + "type": "string" } }, { "producer_request_acks": { + "default": 1, "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "type": "integer", - "default": 1, "one_of": [ -1, 0, 
@@ -178,75 +190,63 @@ }, { "producer_request_timeout": { - "type": "integer", "default": 2000, - "description": "Time to wait for a Produce response in milliseconds." + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer" } }, { "producer_request_limits_messages_per_request": { - "type": "integer", "default": 200, - "description": "Maximum number of messages to include into a single producer request." + "description": "Maximum number of messages to include into a single producer request.", + "type": "integer" } }, { "producer_request_limits_bytes_per_request": { - "type": "integer", "default": 1048576, - "description": "Maximum size of a Produce request in bytes." + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" } }, { "producer_request_retries_max_attempts": { - "type": "integer", "default": 10, - "description": "Maximum number of retry attempts per single Produce request." + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" } }, { "producer_request_retries_backoff_timeout": { - "type": "integer", "default": 100, - "description": "Backoff interval between retry attempts in milliseconds." + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" } }, { "producer_async": { - "type": "boolean", "default": true, - "description": "Flag to enable asynchronous mode." + "description": "Flag to enable asynchronous mode.", + "type": "boolean" } }, { "producer_async_flush_timeout": { - "type": "integer", "default": 1000, - "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode." 
+ "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" } }, { "producer_async_buffering_limits_messages_in_memory": { - "type": "integer", "default": 50000, - "description": "Maximum number of messages that can be buffered in memory in asynchronous mode." - } - } - ], - "type": "record", - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "forward_method", - "forward_uri", - "forward_headers", - "forward_body" - ] + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" } } ], - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/correlation-id/3.9.x.json b/schemas/correlation-id/3.9.x.json index aeabeb35..46723bf0 100644 --- a/schemas/correlation-id/3.9.x.json +++ b/schemas/correlation-id/3.9.x.json @@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -14,22 +22,14 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -38,17 +38,17 @@ "fields": [ { "header_name": { - "type": "string", "default": "Kong-Request-ID", - "description": "The HTTP header name to use for the correlation ID." + "description": "The HTTP header name to use for the correlation ID.", + "type": "string" } }, { "generator": { - "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", "required": true, "type": "string", "default": "uuid#counter", + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", "one_of": [ "uuid", "uuid#counter", @@ -58,15 +58,15 @@ }, { "echo_downstream": { - "type": "boolean", - "required": true, "default": false, - "description": "Whether to echo the header back to downstream (the client)." + "description": "Whether to echo the header back to downstream (the client).", + "required": true, + "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/cors/3.9.x.json b/schemas/cors/3.9.x.json index 20b4d4bc..87f52a0e 100644 --- a/schemas/cors/3.9.x.json +++ b/schemas/cors/3.9.x.json 
@@ -6,40 +6,40 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" ], + "len_min": 1, "required": true, - "len_min": 1 - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + "type": "string" + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -48,35 +48,33 @@ "fields": [ { "origins": { - "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.", - "type": "array", "elements": { "type": "string" - } + }, + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.", + "type": "array" } }, { "headers": { - "description": "Value for the `Access-Control-Allow-Headers` header.", - "type": "array", "elements": { "type": "string" - } + }, + "description": "Value for the `Access-Control-Allow-Headers` header.", + "type": "array" } }, { "exposed_headers": { - "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", - "type": "array", "elements": { "type": "string" - } + }, + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", + "type": "array" } }, { "methods": { - "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", - "type": "array", "default": [ "GET", "HEAD", @@ -88,6 +86,7 @@ "TRACE", "CONNECT" ], + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", "elements": { "type": "string", "one_of": [ @@ -101,7 +100,8 @@ "TRACE", "CONNECT" ] - } + }, + "type": "array" } }, { 
@@ -112,31 +112,31 @@ }, { "credentials": { - "type": "boolean", - "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", "default": false, - "required": true + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", + "required": true, + "type": "boolean" } }, { "private_network": { - "type": "boolean", - "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", "default": false, - "required": true + "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", + "required": true, + "type": "boolean" } }, { "preflight_continue": { - "type": "boolean", - "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", "default": false, - "required": true + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", + "required": true, + "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/datadog/3.9.x.json b/schemas/datadog/3.9.x.json index 3ff5f870..7157cc3d 100644 --- a/schemas/datadog/3.9.x.json +++ b/schemas/datadog/3.9.x.json @@ -6,9 +6,16 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,23 +27,16 @@ "udp", "ws", "wss" - ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing protocols." + ], + "type": "string" + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -53,74 +53,74 @@ }, { "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 8125, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } }, { "prefix": { - "type": "string", "default": "kong", - "description": "String to be attached as a prefix to a metric's name." + "description": "String to be attached as a prefix to a metric's name.", + "type": "string" } }, { "service_name_tag": { - "type": "string", "default": "name", - "description": "String to be attached as the name of the service." + "description": "String to be attached as the name of the service.", + "type": "string" } }, { "status_tag": { - "type": "string", "default": "status", - "description": "String to be attached as the tag of the HTTP status." + "description": "String to be attached as the tag of the HTTP status.", + "type": "string" } }, { "consumer_tag": { - "type": "string", "default": "consumer", - "description": "String to be attached as tag of the consumer." 
+ "description": "String to be attached as tag of the consumer.", + "type": "string" } }, { "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer", "deprecation": { "old_default": 10, "message": "datadog: config.retry_count no longer works, please use config.queue.max_retry_time instead", "removal_in_version": "4.0" - }, - "description": "Number of times to retry when sending data to the upstream server.", - "type": "integer" + } } }, { "queue_size": { + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer", "deprecation": { "old_default": 1, "message": "datadog: config.queue_size is deprecated, please use config.queue.max_batch_size instead", "removal_in_version": "4.0" - }, - "description": "Maximum number of log entries to be sent on each message to the upstream server.", - "type": "integer" + } } }, { "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number", "deprecation": { "old_default": 2, "message": "datadog: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", "removal_in_version": "4.0" - }, - "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", - "type": "number" + } } }, { 
@@ -128,35 +128,35 @@ "fields": [ { "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 ], - "type": "integer", - "default": 1, - "description": "Maximum number of entries that can be processed at a time." + "type": "integer" } }, { "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 ], - "type": "number", - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + "type": "number" } }, { "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 ], - "type": "integer", - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue." + "type": "integer" } }, { 
@@ -167,59 +167,129 @@ }, { "max_retry_time": { - "type": "number", "default": 60, - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" } }, { "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 ], - "type": "number", - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch." + "type": "number" } }, { "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 ], - "type": "number", - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff." + "type": "number" } }, { "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "type": "integer", "one_of": [ -1, 1 - ], - "type": "integer", - "default": 1, - "description": "The number of of queue delivery timers. -1 indicates unlimited." 
+ ] } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "metrics": { + "required": true, + "type": "array", + "default": [ + { + "name": "request_count", + "stat_type": "counter", + "tags": [ + "app:kong" + ], + "sample_rate": 1, + "consumer_identifier": "custom_id" + }, + { + "stat_type": "timer", + "name": "latency", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + }, + { + "stat_type": "timer", + "name": "request_size", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + }, + { + "stat_type": "timer", + "name": "response_size", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + }, + { + "stat_type": "timer", + "name": "upstream_latency", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + }, + { + "stat_type": "timer", + "name": "kong_latency", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + } + ], "description": "List of metrics to be logged.", "elements": { + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + } + } + } + ], "fields": [ { "name": { - "required": true, "type": "string", "description": "Datadog metric’s name", + "required": true, "one_of": [ "kong_latency", "latency", @@ -232,9 +302,9 @@ }, { "stat_type": { - "required": true, "type": "string", "description": "Determines what sort of event the metric represents", + "required": true, "one_of": [ "counter", "gauge", @@ -248,12 +318,12 @@ }, { "tags": { - "type": "array", - "description": "List of tags", "elements": { "match": "^.*[^:]$", "type": "string" - } + }, + "description": "List of tags", + "type": "array" } }, { 
@@ -268,93 +338,23 @@ }, { "consumer_identifier": { + "description": "Authenticated user detail", + "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ], - "type": "string", - "description": "Authenticated user detail" + ] } } ], - "type": "record", - "entity_checks": [ - { - "conditional": { - "if_match": { - "one_of": [ - "counter", - "gauge" - ] - }, - "then_field": "sample_rate", - "if_field": "stat_type", - "then_match": { - "required": true - } - } - } - ] - }, - "type": "array", - "default": [ - { - "name": "request_count", - "tags": [ - "app:kong" - ], - "sample_rate": 1, - "stat_type": "counter", - "consumer_identifier": "custom_id" - }, - { - "name": "latency", - "stat_type": "timer", - "consumer_identifier": "custom_id", - "tags": [ - "app:kong" - ] - }, - { - "name": "request_size", - "stat_type": "timer", - "consumer_identifier": "custom_id", - "tags": [ - "app:kong" - ] - }, - { - "name": "response_size", - "stat_type": "timer", - "consumer_identifier": "custom_id", - "tags": [ - "app:kong" - ] - }, - { - "name": "upstream_latency", - "stat_type": "timer", - "consumer_identifier": "custom_id", - "tags": [ - "app:kong" - ] - }, - { - "name": "kong_latency", - "stat_type": "timer", - "consumer_identifier": "custom_id", - "tags": [ - "app:kong" - ] - } - ], - "required": true + "type": "record" + } } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/degraphql/3.9.x.json b/schemas/degraphql/3.9.x.json index 2b162dca..36cd73d3 100644 --- a/schemas/degraphql/3.9.x.json +++ b/schemas/degraphql/3.9.x.json 
@@ -6,14 +6,22 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -22,22 +30,14 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -47,21 +47,21 @@ { "graphql_server_path": { "required": true, + "type": "string", + "default": "/graphql", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], - "starts_with": "/", - "type": "string", - "default": "/graphql", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "starts_with": "/" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/exit-transformer/3.9.x.json b/schemas/exit-transformer/3.9.x.json index 3b3df2fc..11f94588 100644 --- a/schemas/exit-transformer/3.9.x.json +++ b/schemas/exit-transformer/3.9.x.json 
@@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -14,22 +22,14 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -38,30 +38,30 @@ "fields": [ { "functions": { - "required": true, - "type": "array", "elements": { "type": "string" - } + }, + "required": true, + "type": "array" } }, { "handle_unknown": { - "description": "Determines whether to handle unknown status codes by transforming their responses.", "default": false, + "description": "Determines whether to handle unknown status codes by transforming their responses.", "type": "boolean" } }, { "handle_unexpected": { - "description": "Determines whether to handle unexpected errors by transforming their responses.", "default": false, + "description": "Determines whether to handle unexpected errors by transforming their responses.", "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/file-log/3.9.x.json b/schemas/file-log/3.9.x.json index 96216048..6532d553 100644 --- a/schemas/file-log/3.9.x.json +++ b/schemas/file-log/3.9.x.json @@ -6,9 +6,16 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,23 +27,16 @@ "udp", "ws", "wss" - ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing protocols." + ], + "type": "string" + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -45,38 +45,38 @@ "fields": [ { "path": { - "err": "not a valid filename", + "match": "^[^*&%%\\`]+$", "required": true, "type": "string", - "match": "^[^*&%%\\`]+$", + "err": "not a valid filename", "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet." } }, { "reopen": { - "description": "Determines whether the log file is closed and reopened on every request.", - "type": "boolean", "default": false, - "required": true + "description": "Determines whether the log file is closed and reopened on every request.", + "required": true, + "type": "boolean" } }, { "custom_fields_by_lua": { - "keys": { - "type": "string", - "len_min": 1 - }, - "type": "map", "description": "Lua code as a key-value map", "values": { "len_min": 1, "type": "string" - } + }, + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/forward-proxy/3.9.x.json b/schemas/forward-proxy/3.9.x.json index 86cb0bf0..260aadee 100644 --- a/schemas/forward-proxy/3.9.x.json +++ b/schemas/forward-proxy/3.9.x.json @@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -14,34 +22,74 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "required": true, + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "http_proxy_host", + "https_proxy_host" + ] + }, + { + "at_least_one_of": [ + "http_proxy_port", + "https_proxy_port" + ] + }, + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], + "shorthand_fields": [ + { + "proxy_host": { + "deprecation": { + "removal_in_version": "4.0", + "message": "forward-proxy: config.proxy_host is deprecated, please use config.http_proxy_host instead" + }, + "type": "string" + } + }, + { + "proxy_port": { + "deprecation": { + "removal_in_version": "4.0", + "message": "forward-proxy: config.proxy_port is deprecated, please use config.http_proxy_port instead" + }, + "type": "integer" + } + } + ], "fields": [ { "x_headers": { "required": true, - "description": "Determines how to handle headers when forwarding the request.", "type": "string", "default": "append", + "description": "Determines how to handle headers when forwarding the request.", "one_of": [ "append", "transparent", @@ -51,8 +99,8 @@ }, { "http_proxy_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { 
@@ -61,14 +109,14 @@ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "https_proxy_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { @@ -77,16 +125,16 @@ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "proxy_scheme": { "required": true, - "description": "The proxy scheme to use when connecting. Only `http` is supported.", "type": "string", "default": "http", + "description": "The proxy scheme to use when connecting. Only `http` is supported.", "one_of": [ "http" ] 
@@ -94,74 +142,26 @@ }, { "auth_username": { - "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", - "type": "string", "referenceable": true, - "required": false + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "required": false, + "type": "string" } }, { "auth_password": { - "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", - "type": "string", "referenceable": true, - "required": false + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "required": false, + "type": "string" } }, { "https_verify": { - "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", - "type": "boolean", "default": false, - "required": true - } - } - ], - "required": true, - "entity_checks": [ - { - "at_least_one_of": [ - "http_proxy_host", - "https_proxy_host" - ] - }, - { - "at_least_one_of": [ - "http_proxy_port", - "https_proxy_port" - ] - }, - { - "mutually_required": [ - "http_proxy_host", - "http_proxy_port" - ] - }, - { - "mutually_required": [ - "https_proxy_host", - "https_proxy_port" - ] - } - ], - "type": "record", - "shorthand_fields": [ - { - "proxy_host": { - "deprecation": { - "removal_in_version": "4.0", - "message": "forward-proxy: config.proxy_host is deprecated, please use config.http_proxy_host instead" - }, - "type": "string" - } - }, - { - "proxy_port": { - "deprecation": { - "removal_in_version": "4.0", - "message": "forward-proxy: config.proxy_port is deprecated, please use config.http_proxy_port instead" - }, - "type": "integer" + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "required": true, + "type": "boolean" } } ] 
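Review bot: The `https_verify` entry at the end of this hunk carries `"default": false`, and its description never says that this default leaves the server certificate unverified. Someone configuring the plugin from the rendered reference could assume TLS verification is on while `auth_username` and `auth_password` travel over a connection whose peer was never checked. The description should state the default and its consequence, for example by appending "Defaults to false, in which case the certificate is not verified; set to true and configure lua_ssl_trusted_certificate for production use." The file appears to be downloaded rather than hand-written, so the wording change probably belongs in the upstream plugin schema. This hunk only reorders keys and moves `entity_checks` and `shorthand_fields`, so the default itself is unchanged by this commit.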
diff --git a/schemas/graphql-proxy-cache-advanced/3.9.x.json b/schemas/graphql-proxy-cache-advanced/3.9.x.json index 0cc31578..e805038f 100644 --- a/schemas/graphql-proxy-cache-advanced/3.9.x.json +++ b/schemas/graphql-proxy-cache-advanced/3.9.x.json @@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -14,22 +22,14 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -39,9 +39,9 @@ { "strategy": { "required": true, - "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", "type": "string", "default": "memory", + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", "one_of": [ "memory", "redis" @@ -51,9 +51,9 @@ { "cache_ttl": { "gt": 0, - "type": "integer", + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", "default": 300, - "description": "TTL in seconds of cache entities. Must be a value greater than 0." + "type": "integer" } }, { 
@@ -61,69 +61,200 @@ "fields": [ { "dictionary_name": { - "required": true, - "type": "string", "default": "kong_db_cache", - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template." + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", + "required": true, + "type": "string" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + 
"sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], "fields": [ { "host": { - "type": "string", "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } }, { "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { @@ -135,10 +266,10 @@ }, { "password": { + "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { @@ -150,27 +281,27 @@ }, { "sentinel_password": { + "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer" } }, { "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 ], - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "default": 256, "type": "integer" } }, 
@@ -180,283 +311,152 @@ 0, 2147483646 ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string" + ] } }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "required": false, + "type": "array", "elements": { + "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } } - ], - "type": "record" + ] }, - "type": "array", - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "required": false, + "type": "array", "elements": { + "type": "record", "fields": [ { "ip": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ "type": "integer" } } - ], - "type": "record" + ] }, - "type": "array", - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, { "ssl": { - "required": false, - "description": "If set to true, uses SSL to connect to Redis.", "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, "type": "boolean" } }, { "ssl_verify": { - "required": false, - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, "type": "boolean" } }, { "server_name": { - "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, - "description": "A string representing an SNI (server name indication) value for TLS." + "type": "string" } }, { "cluster_max_redirections": { - "required": false, - "description": "Maximum retry attempts for redirection.", "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, "type": "integer" } }, { "connection_is_proxied": { - "required": false, - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, "type": "boolean" } } - ], - "required": true, - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - }, - { - "cluster_addresses": { - "deprecation": { - "message": "cluster_addresses is deprecated, 
please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - } ] } }, { "bypass_on_err": { - "type": "boolean", "default": false, - "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream." + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "type": "boolean" } }, { "vary_headers": { - "type": "array", - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "elements": { "type": "string" - } + }, + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/graphql-rate-limiting-advanced/3.9.x.json b/schemas/graphql-rate-limiting-advanced/3.9.x.json index d0e11ed5..55336ec3 100644 --- a/schemas/graphql-rate-limiting-advanced/3.9.x.json +++ b/schemas/graphql-rate-limiting-advanced/3.9.x.json @@ -12,6 +12,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -20,22 +28,14 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -45,9 +45,9 @@ { "identifier": { "required": true, - "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", "type": "string", "default": "consumer", + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", "one_of": [ "ip", "credential", @@ -57,19 +57,19 @@ }, { "window_size": { - "type": "array", - "required": true, - "description": "One or more window sizes to apply a limit to (defined in seconds).", "elements": { "type": "number" - } + }, + "description": "One or more window sizes to apply a limit to (defined in seconds).", + "required": true, + "type": "array" } }, { "window_type": { + "default": "sliding", "description": "Sets the time window to either `sliding` or `fixed`.", "type": "string", - "default": "sliding", "one_of": [ "fixed", "sliding" 
@@ -78,34 +78,34 @@ }, { "limit": { - "type": "array", - "required": true, - "description": "One or more requests-per-window limits to apply.", "elements": { "type": "number" - } + }, + "description": "One or more requests-per-window limits to apply.", + "required": true, + "type": "array" } }, { "sync_rate": { - "required": true, "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.", + "required": true, "type": "number" } }, { "namespace": { + "auto": true, "description": "The rate limiting namespace to use for this plugin instance. This namespace is used to share rate limiting counters across different instances. If it is not provided, a random UUID is generated. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", - "type": "string", - "auto": true + "type": "string" } }, { "strategy": { "required": true, - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", "type": "string", "default": "cluster", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", "one_of": [ "cluster", "redis" 
@@ -114,24 +114,24 @@ }, { "dictionary_name": { - "description": "The shared dictionary where counters will be stored until the next sync cycle.", - "type": "string", "default": "kong_rate_limiting_counters", - "required": true + "description": "The shared dictionary where counters will be stored until the next sync cycle.", + "required": true, + "type": "string" } }, { "hide_client_headers": { - "type": "boolean", "default": false, - "description": "Optionally hide informative response headers. Available options: `true` or `false`." + "description": "Optionally hide informative response headers. Available options: `true` or `false`.", + "type": "boolean" } }, { "cost_strategy": { + "default": "default", "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", "type": "string", - "default": "default", "one_of": [ "default", "node_quantifier" 
@@ -140,73 +140,204 @@ }, { "score_factor": { + "required": false, + "type": "number", "gt": 0, "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", - "type": "number", - "default": 1, - "required": false + "default": 1 } }, { "max_cost": { - "description": "A defined maximum cost per query. 0 means unlimited.", - "type": "number", "default": 0, - "required": false + "description": "A defined maximum cost per query. 0 means unlimited.", + "required": false, + "type": "number" } }, { "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": 
"sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], "fields": [ { "host": { - "type": "string", "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } }, { "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { @@ -218,10 +349,10 @@ }, { "password": { + "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { @@ -233,27 +364,27 @@ }, { "sentinel_password": { + "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer" } }, { "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 ], - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "default": 256, "type": "integer" } }, 
@@ -263,267 +394,136 @@ 0, 2147483646 ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string" + ] } }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "required": false, + "type": "array", "elements": { + "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } } - ], - "type": "record" + ] }, - "type": "array", - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "required": false, + "type": "array", "elements": { + "type": "record", "fields": [ { "ip": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ "type": "integer" } } - ], - "type": "record" + ] }, - "type": "array", - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, { "ssl": { - "required": false, - "description": "If set to true, uses SSL to connect to Redis.", "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, "type": "boolean" } }, { "ssl_verify": { - "required": false, - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, "type": "boolean" } }, { "server_name": { - "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, - "description": "A string representing an SNI (server name indication) value for TLS." + "type": "string" } }, { "cluster_max_redirections": { - "required": false, - "description": "Maximum retry attempts for redirection.", "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, "type": "integer" } }, { "connection_is_proxied": { - "required": false, - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, "type": "boolean" } } - ], - "required": true, - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - }, - { - "cluster_addresses": { - "deprecation": { - "message": "cluster_addresses is deprecated, 
please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - } ] } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/grpc-gateway/3.9.x.json b/schemas/grpc-gateway/3.9.x.json index 0c2d741f..cb4aab19 100644 --- a/schemas/grpc-gateway/3.9.x.json +++ b/schemas/grpc-gateway/3.9.x.json @@ -6,9 +6,16 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -20,23 +27,16 @@ "udp", "ws", "wss" - ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing protocols." + ], + "type": "string" + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -46,13 +46,13 @@ { "proto": { "description": "Describes the gRPC types and methods.", - "type": "string", - "required": false + "required": false, + "type": "string" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/grpc-web/3.9.x.json b/schemas/grpc-web/3.9.x.json index d2728f35..95633634 100644 --- a/schemas/grpc-web/3.9.x.json +++ b/schemas/grpc-web/3.9.x.json 
@@ -6,9 +6,16 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -20,23 +27,16 @@ "udp", "ws", "wss" - ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing protocols." + ], + "type": "string" + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -59,15 +59,15 @@ }, { "allow_origin_header": { - "required": false, - "type": "string", "default": "*", - "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client." + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", + "required": false, + "type": "string" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/header-cert-auth/3.9.x.json b/schemas/header-cert-auth/3.9.x.json index e52abf92..380d6860 100644 --- a/schemas/header-cert-auth/3.9.x.json +++ b/schemas/header-cert-auth/3.9.x.json @@ -6,14 +6,22 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -22,40 +30,46 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "entity_checks": [ + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], "fields": [ { "certificate_header_name": { "description": "Name of the header that contains the certificate, received from the WAF or other L7 downstream proxy.", - "type": "string", - "required": true + "required": true, + "type": "string" } }, { "certificate_header_format": { "type": "string", - "required": true, "description": "Format of the certificate header. Supported formats: `base64_encoded`, `url_encoded`.", + "required": true, "one_of": [ "base64_encoded", "url_encoded" 
@@ -64,21 +78,22 @@ }, { "secure_source": { - "description": "Whether to secure the source of the request. If set to `true`, the plugin will only allow requests from trusted IPs (configured by the `trusted_ips` config option).", - "type": "boolean", "default": true, - "required": true + "description": "Whether to secure the source of the request. If set to `true`, the plugin will only allow requests from trusted IPs (configured by the `trusted_ips` config option).", + "required": true, + "type": "boolean" } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { "consumer_by": { - "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "required": false, + "type": "array", "elements": { "type": "string", "one_of": [ 
@@ -86,55 +101,54 @@ "custom_id" ] }, - "type": "array", + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", "default": [ "username", "custom_id" - ], - "required": false + ] } }, { "ca_certificates": { - "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", - "type": "array", - "required": true, "elements": { "uuid": true, "type": "string" - } + }, + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", + "required": true, + "type": "array" } }, { "cache_ttl": { - "description": "Cache expiry time in seconds.", - "type": "number", "default": 60, - "required": true + "description": "Cache expiry time in seconds.", + "required": true, + "type": "number" } }, { "skip_consumer_lookup": { - "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", - "type": "boolean", "default": false, - "required": true + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "required": true, + "type": "boolean" } }, { "allow_partial_chain": { - "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", - "type": "boolean", "default": false, - "required": true + "description": "Allow certificate verification with only an intermediate certificate. 
When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "required": true, + "type": "boolean" } }, { "authenticated_group_by": { "required": false, - "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "type": "string", "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "one_of": [ "CN", "DN" @@ -144,9 +158,9 @@ { "revocation_check_mode": { "required": false, - "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "type": "string", "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "one_of": [ "SKIP", "IGNORE_CA_ERROR", 
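Review bot: The `revocation_check_mode` description in this hunk does not say what the default `IGNORE_CA_ERROR` does when the OCSP or CRL endpoint cannot be reached. "Doesn't fail on network issues" presumably means the certificate is accepted without a revocation result, which makes the default fail-open. I would append a sentence to the description along the lines of `With the default, a certificate whose revocation status cannot be retrieved is still accepted; use STRICT to reject it.`, after confirming this against the plugin's behaviour, since only the schema is visible here. The field's `one_of` list runs past the end of the hunk.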
@@ -156,28 +170,28 @@ }, { "http_timeout": { - "type": "number", "default": 30000, - "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL." + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number" } }, { "cert_cache_ttl": { - "type": "number", "default": 60000, - "description": "The length of time in milliseconds between refreshes of the revocation check status cache." + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", + "type": "number" } }, { "default_consumer": { - "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "type": "string" + "type": "string", + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { "http_proxy_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { @@ -186,14 +200,14 @@ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "https_proxy_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { 
@@ -202,27 +216,13 @@ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } } ], - "type": "record", - "entity_checks": [ - { - "mutually_required": [ - "http_proxy_host", - "http_proxy_port" - ] - }, - { - "mutually_required": [ - "https_proxy_host", - "https_proxy_port" - ] - } - ], - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/hmac-auth/3.9.x.json b/schemas/hmac-auth/3.9.x.json index 54103296..b922bd3e 100644 --- a/schemas/hmac-auth/3.9.x.json +++ b/schemas/hmac-auth/3.9.x.json @@ -12,15 +12,13 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", - "required": true, "default": [ "grpc", "grpcs", @@ -39,14 +37,16 @@ "ws", "wss" ] - } + }, + "required": true, + "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -55,56 +55,48 @@ "fields": [ { "hide_credentials": { - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", - "type": "boolean", "default": false, - "required": true + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "required": true, + "type": "boolean" } }, { "clock_skew": { - "gt": 0, - "type": "number", "default": 300, - "description": "Clock skew in seconds to prevent replay attacks." + "description": "Clock skew in seconds to prevent replay attacks.", + "gt": 0, + "type": "number" } }, { "anonymous": { - "type": "string", - "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" } }, { "validate_request_body": { - "description": "A boolean value telling the plugin to enable body validation.", - "type": "boolean", "default": false, - "required": true + "description": "A boolean value telling the plugin to enable body validation.", + "required": true, + "type": "boolean" } }, { "enforce_headers": { - "type": "array", + "elements": { + "type": "string" + }, "description": "A list of headers that the client should at least use for HTTP signature creation.", "default": [ ], - "elements": { - "type": "string" - } + "type": "array" } }, { "algorithms": { - "type": "array", - "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", - "default": [ - "hmac-sha1", - "hmac-sha256", - "hmac-sha384", - "hmac-sha512" - ], "elements": { "type": "string", "one_of": [ 
@@ -113,19 +105,27 @@ "hmac-sha384", "hmac-sha512" ] - } + }, + "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "type": "array" } }, { "realm": { - "required": false, "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": false, "type": "string" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/http-log/3.9.x.json b/schemas/http-log/3.9.x.json index ce379b50..0c018a80 100644 --- a/schemas/http-log/3.9.x.json +++ b/schemas/http-log/3.9.x.json @@ -6,9 +6,16 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -20,23 +27,16 @@ "udp", "ws", "wss" - ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing protocols." + ], + "type": "string" + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -45,18 +45,18 @@ "fields": [ { "http_endpoint": { - "required": true, + "encrypted": true, "referenceable": true, "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "encrypted": true + "required": true } }, { "method": { + "default": "POST", "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", "type": "string", - "default": "POST", "one_of": [ "POST", "PUT", @@ -66,9 +66,9 @@ }, { "content_type": { + "default": "application/json", "description": "Indicates the type of data sent. The only available option is `application/json`.", "type": "string", - "default": "application/json", "one_of": [ "application/json", "application/json; charset=utf-8" 
@@ -77,55 +77,60 @@ }, { "timeout": { - "type": "number", "default": 10000, - "description": "An optional timeout in milliseconds when sending data to the upstream server." + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" } }, { "keepalive": { - "type": "number", "default": 60000, - "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed." + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", + "type": "number" } }, { "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer", "deprecation": { "old_default": 10, "message": "http-log: config.retry_count no longer works, please use config.queue.max_retry_time instead", "removal_in_version": "4.0" - }, - "description": "Number of times to retry when sending data to the upstream server.", - "type": "integer" + } } }, { "queue_size": { + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer", "deprecation": { "old_default": 1, "message": "http-log: config.queue_size is deprecated, please use config.queue.max_batch_size instead", "removal_in_version": "4.0" - }, - "description": "Maximum number of log entries to be sent on each message to the upstream server.", - "type": "integer" + } } }, { "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number", "deprecation": { "old_default": 2, "message": "http-log: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", "removal_in_version": "4.0" - }, - "description": "Optional time in seconds. 
If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", - "type": "number" + } } }, { "headers": { + "values": { + "referenceable": true, + "type": "string" + }, + "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", "keys": { - "type": "string", + "description": "A string representing an HTTP header name.", "match_none": [ { "err": "cannot contain 'Host' header", @@ -140,14 +145,9 @@ "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$" } ], - "description": "A string representing an HTTP header name." - }, - "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", - "type": "map", - "values": { - "referenceable": true, "type": "string" - } + }, + "type": "map" } }, { 
@@ -155,35 +155,35 @@ "fields": [ { "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 ], - "type": "integer", - "default": 1, - "description": "Maximum number of entries that can be processed at a time." + "type": "integer" } }, { "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 ], - "type": "number", - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + "type": "number" } }, { "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 ], - "type": "integer", - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue." + "type": "integer" } }, { 
@@ -194,66 +194,66 @@ }, { "max_retry_time": { - "type": "number", "default": 60, - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" } }, { "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 ], - "type": "number", - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch." + "type": "number" } }, { "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 ], - "type": "number", - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff." + "type": "number" } }, { "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "type": "integer", "one_of": [ -1, 1 - ], - "type": "integer", - "default": 1, - "description": "The number of of queue delivery timers. -1 indicates unlimited." + ] } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "custom_fields_by_lua": { - "keys": { - "type": "string", - "len_min": 1 - }, - "type": "map", "description": "Lua code as a key-value map", "values": { "len_min": 1, "type": "string" - } + }, + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/injection-protection/3.9.x.json b/schemas/injection-protection/3.9.x.json index 6f31cf5a..1f100616 100644 --- a/schemas/injection-protection/3.9.x.json +++ b/schemas/injection-protection/3.9.x.json 
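Review bot: The `concurrency_limit` description on the new side still reads "The number of of queue delivery timers." and should be `"The number of queue delivery timers. -1 indicates unlimited."`. In the same hunk, `custom_fields_by_lua` is documented only as "Lua code as a key-value map". Since the values are Lua source, the description should say that the plugin evaluates them, so write access to this plugin's configuration should be treated like permission to run code on the gateway. How the code is sandboxed is not visible from the schema and should be confirmed before wording that sentence.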
@@ -1 +1,159 @@ -{ } \ No newline at end of file +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "at_least_one_of": [ + "injection_types", + "custom_injections" + ] + } + ], + "fields": [ + { + "injection_types": { + "required": true, + "type": "set", + "default": [ + "sql" + ], + "description": "The type of injections to check for.", + "elements": { + "type": "string", + "one_of": [ + "sql", + "js", + "ssi", + "xpath_abbreviated", + "xpath_extended", + "java_exception" + ] + } + } + }, + { + "locations": { + "required": true, + "type": "set", + "default": [ + "path_and_query" + ], + "description": "The locations to check for injection.", + "elements": { + "type": "string", + "one_of": [ + "headers", + "path_and_query", + "body" + ] + } + } + }, + { + "custom_injections": { + "elements": { + "type": "record", + "fields": [ + { + "name": { + "description": "A unique name for this injection.", + "required": true, + "type": "string" + } + }, + { + "regex": { + "description": "The regex to match against.", + "is_regex": true, + "required": true, + "type": "string" + } + } + ] + }, + "description": "Custom regexes to check for.", + "default": null, + "type": "array" + } + }, + { + "enforcement_mode": { + "required": true, + "type": "string", + "default": "block", + 
"description": "Enforcement mode of the security policy.", + "one_of": [ + "block", + "log_only" + ] + } + }, + { + "error_status_code": { + "between": [ + 400, + 499 + ], + "required": true, + "type": "integer", + "default": 400, + "description": "The response status code when validation fails." + } + }, + { + "error_message": { + "default": "Bad Request", + "description": "The response message when validation fails", + "required": true, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ip-restriction/3.9.x.json b/schemas/ip-restriction/3.9.x.json index 7ee4e390..6ce79129 100644 --- a/schemas/ip-restriction/3.9.x.json +++ b/schemas/ip-restriction/3.9.x.json @@ -11,9 +11,18 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "http", + "https", + "tcp", + "tls", + "grpc", + "grpcs" + ], + "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -25,18 +34,9 @@ "udp", "ws", "wss" - ] - }, - "type": "set", - "default": [ - "http", - "https", - "tcp", - "tls", - "grpc", - "grpcs" - ], - "description": "A set of strings representing protocols." + ], + "type": "string" + } } }, { 
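Review bot: In the new injection-protection schema, `locations` defaults to `path_and_query` only, so with the defaults neither headers nor the body are inspected, and the description "The locations to check for injection." does not say so. I would extend it to `"The locations to check for injection. Only path_and_query is checked by default; add headers and body to inspect them."`. The `regex` field of `custom_injections` carries `is_regex` but no length bound, and these patterns are presumably matched against request data, so its description should warn operators to avoid patterns with heavy backtracking. `enforcement_mode` would also benefit from stating what `log_only` does with a matching request (presumably it is logged and passed through; confirm against the plugin).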
@@ -44,22 +44,22 @@ "fields": [ { "allow": { - "type": "array", - "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", "elements": { - "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", - "type": "string" - } + "type": "string", + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + }, + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", + "type": "array" } }, { "deny": { - "type": "array", - "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", "elements": { - "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", - "type": "string" - } + "type": "string", + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + }, + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", + "type": "array" } }, { @@ -77,8 +77,8 @@ } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/jq/3.9.x.json b/schemas/jq/3.9.x.json index 4611502f..623393bd 100644 --- a/schemas/jq/3.9.x.json +++ b/schemas/jq/3.9.x.json @@ -6,14 +6,22 @@ { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -22,19 +30,19 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "config": { + "entity_checks": [ + { + "at_least_one_of": [ + "request_jq_program", + "response_jq_program" + ] + } + ], "fields": [ { "request_jq_program": { @@ -44,60 +52,60 @@ }, { "request_jq_program_options": { + "default": [ + + ], + "type": "record", + "required": false, "fields": [ { "compact_output": { - "required": true, "default": true, + "required": true, "type": "boolean" } }, { "raw_output": { - "required": true, "default": false, + "required": true, "type": "boolean" } }, { "join_output": { - "required": true, "default": false, + "required": true, "type": "boolean" } }, { "ascii_output": { - "required": true, "default": false, + "required": true, "type": "boolean" } }, { "sort_keys": { - "required": true, "default": false, + "required": true, "type": "boolean" } } - ], - "type": "record", - "default": [ - - ], - "required": false + ] } }, { "request_if_media_type": { - "required": false, - "type": "array", + "elements": { + "type": "string" + }, "default": [ "application/json" ], - "elements": { - "type": "string" - } + "required": false, + "type": "array" } }, { 
@@ -108,89 +116,81 @@ }, { "response_jq_program_options": { + "default": [ + + ], + "type": "record", + "required": false, "fields": [ { "compact_output": { - "required": true, "default": true, + "required": true, "type": "boolean" } }, { "raw_output": { - "required": true, "default": false, + "required": true, "type": "boolean" } }, { "join_output": { - "required": true, "default": false, + "required": true, "type": "boolean" } }, { "ascii_output": { - "required": true, "default": false, + "required": true, "type": "boolean" } }, { "sort_keys": { - "required": true, "default": false, + "required": true, "type": "boolean" } } - ], - "type": "record", - "default": [ - - ], - "required": false + ] } }, { "response_if_media_type": { - "required": false, - "type": "array", + "elements": { + "type": "string" + }, "default": [ "application/json" ], - "elements": { - "type": "string" - } + "required": false, + "type": "array" } }, { "response_if_status_code": { - "required": false, - "type": "array", - "default": [ - 200 - ], "elements": { "between": [ 100, 599 ], "type": "integer" - } + }, + "default": [ + 200 + ], + "required": false, + "type": "array" } } ], - "type": "record", - "entity_checks": [ - { - "at_least_one_of": [ - "request_jq_program", - "response_jq_program" - ] - } - ], - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/json-threat-protection/3.9.x.json b/schemas/json-threat-protection/3.9.x.json index 8d23191f..e41dd894 100644 --- a/schemas/json-threat-protection/3.9.x.json +++ b/schemas/json-threat-protection/3.9.x.json 
@@ -13,14 +13,22 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -29,22 +37,14 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -53,11 +53,11 @@ "fields": [ { "max_body_size": { - "required": false, "between": [ -1, 2147483648 ], + "required": false, "type": "integer", "default": 8192, "description": "Max size of the request body. -1 means unlimited." @@ -65,11 +65,11 @@ }, { "max_container_depth": { - "required": false, "between": [ -1, 2147483648 ], + "required": false, "type": "integer", "default": -1, "description": "Max nested depth of objects and arrays. -1 means unlimited." @@ -77,11 +77,11 @@ }, { "max_object_entry_count": { - "required": false, "between": [ -1, 2147483648 ], + "required": false, "type": "integer", "default": -1, "description": "Max number of entries in an object. -1 means unlimited." @@ -89,11 +89,11 @@ }, { "max_object_entry_name_length": { - "required": false, "between": [ -1, 2147483648 ], + "required": false, "type": "integer", "default": -1, "description": "Max string length of object name. -1 means unlimited." @@ -101,11 +101,11 @@ }, { "max_array_element_count": { - "required": false, "between": [ -1, 2147483648 ], + "required": false, "type": "integer", "default": -1, "description": "Max number of elements in an array. -1 means unlimited." 
@@ -113,11 +113,11 @@ }, { "max_string_value_length": { - "required": false, "between": [ -1, 2147483648 ], + "required": false, "type": "integer", "default": -1, "description": "Max string value length. -1 means unlimited." @@ -126,9 +126,9 @@ { "enforcement_mode": { "required": false, - "description": "Enforcement mode of the security policy.", "type": "string", "default": "block", + "description": "Enforcement mode of the security policy.", "one_of": [ "block", "log_only" @@ -137,11 +137,11 @@ }, { "error_status_code": { - "required": false, "between": [ 400, 499 ], + "required": false, "type": "integer", "default": 400, "description": "The response status code when validation fails." @@ -149,15 +149,15 @@ }, { "error_message": { - "required": false, - "description": "The response message when validation fails", "default": "Bad Request", + "description": "The response message when validation fails", + "required": false, "type": "string" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/jwe-decrypt/3.9.x.json b/schemas/jwe-decrypt/3.9.x.json index 94127a4b..f414e64e 100644 --- a/schemas/jwe-decrypt/3.9.x.json +++ b/schemas/jwe-decrypt/3.9.x.json @@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -14,30 +22,22 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -46,40 +46,40 @@ "fields": [ { "lookup_header_name": { + "default": "Authorization", "description": "The name of the header to look for the JWE token.", "required": true, - "default": "Authorization", "type": "string" } }, { "forward_header_name": { + "default": "Authorization", "description": "The name of the header that is used to set the decrypted value.", "required": true, - "default": "Authorization", "type": "string" } }, { "key_sets": { - "type": "array", - "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", - "required": true, "elements": { "type": "string" - } + }, + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", + "required": true, + "type": "array" } }, { "strict": { - "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", "default": true, + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/jwt-signer/3.9.x.json b/schemas/jwt-signer/3.9.x.json index cae83050..613ca8b3 100644 --- a/schemas/jwt-signer/3.9.x.json +++ b/schemas/jwt-signer/3.9.x.json 
@@ -15,14 +15,22 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -31,192 +39,213 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "entity_checks": [ + { + "mutually_required": [ + "access_token_jwks_uri_client_username", + "access_token_jwks_uri_client_password" + ] + }, + { + "mutually_required": [ + "access_token_keyset_client_username", + "access_token_keyset_client_password" + ] + }, + { + "mutually_required": [ + "channel_token_jwks_uri_client_username", + "channel_token_jwks_uri_client_password" + ] + }, + { + "mutually_required": [ + "channel_token_keyset_client_username", + "channel_token_keyset_client_password" + ] + } + ], + "type": "record", + "required": true, "fields": [ { "realm": { - "required": false, "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", + "required": false, "type": "string" } }, { "enable_hs_signatures": { - "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting.", - "type": "boolean", "default": false, - "required": false + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. 
If you need to accept such tokens for verification, enable this setting.", + "required": false, + "type": "boolean" } }, { "enable_instrumentation": { - "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", - "type": "boolean", "default": false, - "required": false + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", + "required": false, + "type": "boolean" } }, { "access_token_issuer": { - "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", - "type": "string", "default": "kong", - "required": false + "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", + "required": false, + "type": "string" } }, { "access_token_keyset": { - "description": "The name of the keyset containing signing keys.", - "type": "string", "default": "kong", - "required": false + "description": "The name of the keyset containing signing keys.", + "required": false, + "type": "string" } }, { "access_token_keyset_client_username": { - "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`", - "type": "string", "referenceable": true, - "required": false + "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `access_token_keyset_client_password`", + "required": false, + "type": "string" } }, { "access_token_keyset_client_password": { - "required": false, + "encrypted": true, "referenceable": true, "type": "string", "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`", - "encrypted": true + "required": false } }, { "access_token_keyset_client_certificate": { "description": "The client certificate that will be used to authenticate Kong if `access_token_keyset` is an https uri that requires mTLS Auth.", - "type": "foreign", "reference": "certificates", - "required": false + "required": false, + "type": "foreign" } }, { "access_token_keyset_rotate_period": { - "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. The default value 0 means no auto-rotation.", - "type": "number", "default": 0, - "required": false + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. The default value 0 means no auto-rotation.", + "required": false, + "type": "number" } }, { "access_token_jwks_uri": { - "required": false, "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", + "required": false, "type": "string" } }, { "access_token_jwks_uri_client_username": { - "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`", - "type": "string", "referenceable": true, - "required": false + "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. 
Should be configured together with `access_token_jwks_uri_client_password`", + "required": false, + "type": "string" } }, { "access_token_jwks_uri_client_password": { - "required": false, + "encrypted": true, "referenceable": true, "type": "string", "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`", - "encrypted": true + "required": false } }, { "access_token_jwks_uri_client_certificate": { "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", - "type": "foreign", "reference": "certificates", - "required": false + "required": false, + "type": "foreign" } }, { "access_token_jwks_uri_rotate_period": { - "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. The default value 0 means no auto-rotation.", - "type": "number", "default": 0, - "required": false + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. The default value 0 means no auto-rotation.", + "required": false, + "type": "number" } }, { "access_token_request_header": { - "description": "This parameter tells the name of the header where to look for the access token.", - "type": "string", "default": "Authorization", - "required": false + "description": "This parameter tells the name of the header where to look for the access token.", + "required": false, + "type": "string" } }, { "access_token_leeway": { - "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. 
You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", - "type": "number", "default": 0, - "required": false + "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", + "required": false, + "type": "number" } }, { "access_token_scopes_required": { - "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", - "type": "array", - "required": false, "elements": { "type": "string" - } + }, + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", + "required": false, + "type": "array" } }, { "access_token_scopes_claim": { "required": false, + "type": "array", "elements": { "type": "string" }, - "type": "array", + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", "default": [ "scope" - ], - "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`." 
+ ] } }, { "access_token_consumer_claim": { - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", - "type": "array", - "required": false, "elements": { "type": "string" - } + }, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", + "required": false, + "type": "array" } }, { "access_token_consumer_by": { "required": false, + "type": "array", "elements": { "type": "string", "one_of": [ 
@@ -225,105 +254,105 @@ "custom_id" ] }, - "type": "array", + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", "default": [ "username", "custom_id" - ], - "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`." + ] } }, { "access_token_upstream_header": { - "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", - "type": "string", "default": "Authorization:Bearer", - "required": false + "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. 
If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", + "required": false, + "type": "string" } }, { "access_token_upstream_leeway": { - "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", - "type": "number", "default": 0, - "required": false + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", + "required": false, + "type": "number" } }, { "access_token_introspection_endpoint": { - "required": false, "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", + "required": false, "type": "string" } }, { "access_token_introspection_authorization": { - "required": false, "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", + "required": false, "type": "string" } }, { "access_token_introspection_body_args": { - "required": false, "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", + "required": false, "type": "string" } }, { "access_token_introspection_hint": { - "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. 
By default, the plugin sends `hint=access_token`.", - "type": "string", "default": "access_token", - "required": false + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", + "required": false, + "type": "string" } }, { "access_token_introspection_jwt_claim": { - "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", - "type": "array", - "required": false, "elements": { "type": "string" - } + }, + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", + "required": false, + "type": "array" } }, { "access_token_introspection_scopes_required": { - "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", - "type": "array", - "required": false, "elements": { "type": "string" - } + }, + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", + "required": false, + "type": "array" } }, { "access_token_introspection_scopes_claim": { "required": true, + "type": "array", "elements": { "type": "string" }, - "type": "array", + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. 
This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", "default": [ "scope" - ], - "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`." + ] } }, { "access_token_introspection_consumer_claim": { - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", - "type": "array", - "required": false, "elements": { "type": "string" - } + }, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", + "required": false, + "type": "array" } }, { "access_token_introspection_consumer_by": { "required": false, + "type": "array", "elements": { "type": "string", "one_of": [ 
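Review bot: `access_token_introspection_authorization` holds the full `Authorization` header value sent to the introspection endpoint, but on the new side it is declared with only `description`, `required` and `type`, whereas the `*_client_password` fields of this same schema carry `"encrypted": true` and `"referenceable": true`. Without those attributes the credential is presumably stored in clear in the datastore and cannot be supplied as a vault reference; this is inferred from the missing keys, not shown in the diff. Because this file is pulled from the API, the fix belongs in the plugin's schema source: add `"encrypted": true, "referenceable": true` to the field. `channel_token_introspection_authorization`, in the later hunk `@@ -653,107 +675,114 @@` of this file, looks the same.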
@@ -332,35 +361,34 @@ "custom_id" ] }, - "type": "array", + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.", "default": [ "username", "custom_id" - ], - "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values." + ] } }, { "access_token_introspection_leeway": { - "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", - "type": "number", "default": 0, - "required": false + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", + "required": false, + "type": "number" } }, { "access_token_introspection_timeout": { - "required": false, "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. 
If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", + "required": false, "type": "number" } }, { "access_token_signing_algorithm": { - "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", "required": true, "type": "string", "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", "one_of": [ "HS256", "HS384", 
@@ -379,273 +407,267 @@ }, { "add_access_token_claims": { - "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "values": { "type": "string" }, - "keys": { - "type": "string" - }, + "required": false, "type": "map", "default": [ ], - "required": false + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "keys": { + "type": "string" + } } }, { "set_access_token_claims": { - "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "values": { "type": "string" }, - "keys": { - "type": "string" - }, + "required": false, "type": "map", "default": [ ], - "required": false + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "keys": { + "type": "string" + } } }, { "remove_access_token_claims": { "required": false, + "type": "array", "elements": { "type": "string" }, - "type": "array", + "description": "remove claims. It should be an array, and each element is a claim key string.", "default": [ - ], - "description": "remove claims. It should be an array, and each element is a claim key string." + ] } }, { "original_access_token_upstream_header": { - "required": false, "description": "The HTTP header name used to store the original access token.", + "required": false, "type": "string" } }, { "access_token_optional": { - "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. 
In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect", - "type": "boolean", "default": false, - "required": false + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect", + "required": false, + "type": "boolean" } }, { "verify_access_token_signature": { - "description": "Quickly turn access token signature verification off and on as needed.", - "type": "boolean", "default": true, - "required": false + "description": "Quickly turn access token signature verification off and on as needed.", + "required": false, + "type": "boolean" } }, { "verify_access_token_expiry": { - "description": "Quickly turn access token expiry verification off and on as needed.", - "type": "boolean", "default": true, - "required": false + "description": "Quickly turn access token expiry verification off and on as needed.", + "required": false, + "type": "boolean" } }, { "verify_access_token_scopes": { - "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", - "type": "boolean", "default": true, - "required": false + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", + "required": false, + "type": "boolean" } }, { "verify_access_token_introspection_expiry": { - "description": "Quickly turn access token 
introspection expiry verification off and on as needed.", - "type": "boolean", "default": true, - "required": false + "description": "Quickly turn access token introspection expiry verification off and on as needed.", + "required": false, + "type": "boolean" } }, { "verify_access_token_introspection_scopes": { - "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", - "type": "boolean", "default": true, - "required": false + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", + "required": false, + "type": "boolean" } }, { "cache_access_token_introspection": { - "description": "Whether to cache access token introspection results.", - "type": "boolean", "default": true, - "required": false + "description": "Whether to cache access token introspection results.", + "required": false, + "type": "boolean" } }, { "trust_access_token_introspection": { - "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", - "type": "boolean", "default": true, - "required": false + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. 
If you set this to `true`, the expiry or scopes are not checked on a payload.", + "required": false, + "type": "boolean" } }, { "enable_access_token_introspection": { - "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", - "type": "boolean", "default": true, - "required": false + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", + "required": false, + "type": "boolean" } }, { "channel_token_issuer": { + "default": "kong", "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", - "type": "string", - "default": "kong", - "required": false + "required": false, + "type": "string" } }, { "channel_token_keyset": { - "description": "The name of the keyset containing signing keys.", - "type": "string", "default": "kong", - "required": false + "description": "The name of the keyset containing signing keys.", + "required": false, + "type": "string" } }, { "channel_token_keyset_client_username": { - "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`", - "type": "string", "referenceable": true, - "required": false + "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_keyset_client_password`", + "required": false, + "type": "string" } }, { "channel_token_keyset_client_password": { - "required": false, + "encrypted": true, "referenceable": true, "type": "string", "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_username`", - "encrypted": true + "required": false } }, { "channel_token_keyset_client_certificate": { "description": "The client certificate that will be used to authenticate Kong if `channel_token_keyset` is an https uri that requires mTLS Auth.", - "type": "foreign", "reference": "certificates", - "required": false + "required": false, + "type": "foreign" } }, { "channel_token_keyset_rotate_period": { - "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. The default value 0 means no auto-rotation.", - "type": "number", "default": 0, - "required": false + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. The default value 0 means no auto-rotation.", + "required": false, + "type": "number" } }, { "channel_token_jwks_uri": { - "required": false, "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", + "required": false, "type": "string" } }, { "channel_token_jwks_uri_client_username": { - "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_jwks_uri_client_password`", - "type": "string", "referenceable": true, - "required": false + "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", + "required": false, + "type": "string" } }, { "channel_token_jwks_uri_client_password": { - "required": false, + "encrypted": true, "referenceable": true, "type": "string", "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`", - "encrypted": true + "required": false } }, { "channel_token_jwks_uri_client_certificate": { "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", - "type": "foreign", "reference": "certificates", - "required": false + "required": false, + "type": "foreign" } }, { "channel_token_jwks_uri_rotate_period": { - "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. The default value 0 means no auto-rotation.", - "type": "number", "default": 0, - "required": false + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. The default value 0 means no auto-rotation.", + "required": false, + "type": "number" } }, { "channel_token_request_header": { - "required": false, "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", + "required": false, "type": "string" } }, { "channel_token_leeway": { - "description": "Adjusts clock skew between the token issuer and Kong. 
The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", - "type": "number", "default": 0, - "required": false + "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", + "required": false, + "type": "number" } }, { "channel_token_scopes_required": { - "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", - "type": "array", - "required": false, "elements": { "type": "string" - } + }, + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", + "required": false, + "type": "array" } }, { "channel_token_scopes_claim": { "required": false, + "type": "array", "elements": { "type": "string" }, - "type": "array", + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", "default": [ "scope" - ], - "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims." + ] } }, { "channel_token_consumer_claim": { - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. 
If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", - "type": "array", - "required": false, "elements": { "type": "string" - } + }, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", + "required": false, + "type": "array" } }, { "channel_token_consumer_by": { - "type": "array", - "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", - "default": [ - "username", - "custom_id" - ], "elements": { "type": "string", "one_of": [ 
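Review bot: `trust_access_token_introspection` is declared with `"default": true`, and its description says expiry and scopes are then not checked on the payload, which reads oddly next to `verify_access_token_expiry` and `verify_access_token_scopes` also defaulting to `true` in this hunk. The description should state which setting wins, for example by appending `This skips verify_access_token_expiry and verify_access_token_scopes for introspected tokens.` if that is what the plugin does (not verifiable from the schema alone). Separately, the description of `channel_token_jwks_uri_client_certificate` names `access_token_jwks_uri` and should read `channel_token_jwks_uri`. Both texts come from the upstream schema, so the wording has to be corrected there before the next download.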
@@ -653,107 +675,114 @@ "username", "custom_id" ] - } + }, + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", + "default": [ + "username", + "custom_id" + ], + "type": "array" } }, { "channel_token_upstream_header": { - "required": false, "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", + "required": false, "type": "string" } }, { "channel_token_upstream_leeway": { - "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", - "type": "number", "default": 0, - "required": false + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", + "required": false, + "type": "number" } }, { "channel_token_introspection_endpoint": { - "required": false, "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", + "required": false, "type": "string" } }, { "channel_token_introspection_authorization": { - "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. 
Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", - "type": "string", - "required": false, "elements": { "type": "string" - } + }, + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", + "required": false, + "type": "string" } }, { "channel_token_introspection_body_args": { - "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", - "type": "string", - "required": false, "elements": { "type": "string" - } + }, + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", + "required": false, + "type": "string" } }, { "channel_token_introspection_hint": { - "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", - "type": "string", - "required": false, "elements": { "type": "string" - } + }, + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. 
By default, a `hint` isn't sent with channel token introspection.", + "required": false, + "type": "string" } }, { "channel_token_introspection_jwt_claim": { - "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", - "type": "array", - "required": false, "elements": { "type": "string" - } + }, + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", + "required": false, + "type": "array" } }, { "channel_token_introspection_scopes_required": { - "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", - "type": "array", - "required": false, "elements": { "type": "string" - } + }, + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", + "required": false, + "type": "array" } }, { "channel_token_introspection_scopes_claim": { "required": false, + "type": "array", "elements": { "type": "string" }, - "type": "array", + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. 
This supports nested claims.", "default": [ "scope" - ], - "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims." + ] } }, { "channel_token_introspection_consumer_claim": { - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", - "type": "array", - "required": false, "elements": { "type": "string" - } + }, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", + "required": false, + "type": "array" } }, { "channel_token_introspection_consumer_by": { "required": false, + "type": "array", "elements": { "type": "string", "one_of": [ 
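Review bot: The `channel_token_introspection_authorization` entry repeats the introspection-endpoint description (nearly word for word the text of `channel_token_introspection_endpoint` just above it), so the one field in this hunk that presumably carries a credential is left undocumented. Going by the field name, something like `"description": "Authorization header value the plugin sends to the channel token introspection endpoint when that endpoint requires client authentication."` would fit, to be confirmed against the plugin source. That entry, `channel_token_introspection_body_args` and `channel_token_introspection_hint` also declare `"type": "string"` alongside an `elements` block, which elsewhere on this page only accompanies array and set fields. These files are pulled from the API, so the correction belongs in the upstream schema followed by a fresh download.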
@@ -762,35 +791,34 @@ "custom_id" ] }, - "type": "array", + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", "default": [ "username", "custom_id" - ], - "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`." + ] } }, { "channel_token_introspection_leeway": { - "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", - "type": "number", "default": 0, - "required": false + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", + "required": false, + "type": "number" } }, { "channel_token_introspection_timeout": { - "required": false, "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. 
If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", + "required": false, "type": "number" } }, { "channel_token_signing_algorithm": { - "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", "required": true, "type": "string", "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", "one_of": [ "HS256", "HS384", 
@@ -809,188 +837,160 @@ }, { "add_channel_token_claims": { - "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "values": { "type": "string" }, - "keys": { - "type": "string" - }, + "required": false, "type": "map", "default": [ ], - "required": false + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "keys": { + "type": "string" + } } }, { "set_channel_token_claims": { - "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "values": { "type": "string" }, - "keys": { - "type": "string" - }, + "required": false, "type": "map", "default": [ ], - "required": false + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "keys": { + "type": "string" + } } }, { "remove_channel_token_claims": { "required": false, + "type": "array", "elements": { "type": "string" }, - "type": "array", + "description": "remove claims. It should be an array, and each element is a claim key string.", "default": [ - ], - "description": "remove claims. It should be an array, and each element is a claim key string." + ] } }, { "original_channel_token_upstream_header": { - "required": false, "description": "The HTTP header name used to store the original channel token.", + "required": false, "type": "string" } }, { "channel_token_optional": { - "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. 
In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", - "type": "boolean", "default": false, - "required": false + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", + "required": false, + "type": "boolean" } }, { "verify_channel_token_signature": { - "description": "Quickly turn on/off the channel token signature verification.", - "type": "boolean", "default": true, - "required": false + "description": "Quickly turn on/off the channel token signature verification.", + "required": false, + "type": "boolean" } }, { "verify_channel_token_expiry": { - "type": "boolean", "default": true, - "required": false + "required": false, + "type": "boolean" } }, { "verify_channel_token_scopes": { - "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", - "type": "boolean", "default": true, - "required": false + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", + "required": false, + "type": "boolean" } }, { "verify_channel_token_introspection_expiry": { - "description": "Quickly turn on/off the channel token introspection expiry verification.", - "type": "boolean", "default": true, - "required": false + "description": "Quickly turn on/off the channel 
token introspection expiry verification.", + "required": false, + "type": "boolean" } }, { "verify_channel_token_introspection_scopes": { - "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", - "type": "boolean", "default": true, - "required": false + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", + "required": false, + "type": "boolean" } }, { "cache_channel_token_introspection": { - "description": "Whether to cache channel token introspection results.", - "type": "boolean", "default": true, - "required": false + "description": "Whether to cache channel token introspection results.", + "required": false, + "type": "boolean" } }, { "trust_channel_token_introspection": { - "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", - "type": "boolean", "default": true, - "required": false + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. 
With true (default), payload's expiry or scopes aren't checked.", + "required": false, + "type": "boolean" } }, { "enable_channel_token_introspection": { - "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", - "type": "boolean", "default": true, - "required": false + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", + "required": false, + "type": "boolean" } }, { "add_claims": { - "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "values": { "type": "string" }, - "keys": { - "type": "string" - }, + "required": false, "type": "map", "default": [ ], - "required": false + "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "keys": { + "type": "string" + } } }, { "set_claims": { - "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "values": { "type": "string" }, - "keys": { - "type": "string" - }, + "required": false, "type": "map", "default": [ ], - "required": false + "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. 
Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "keys": { + "type": "string" + } } } - ], - "required": true, - "entity_checks": [ - { - "mutually_required": [ - "access_token_jwks_uri_client_username", - "access_token_jwks_uri_client_password" - ] - }, - { - "mutually_required": [ - "access_token_keyset_client_username", - "access_token_keyset_client_password" - ] - }, - { - "mutually_required": [ - "channel_token_jwks_uri_client_username", - "channel_token_jwks_uri_client_password" - ] - }, - { - "mutually_required": [ - "channel_token_keyset_client_username", - "channel_token_keyset_client_password" - ] - } - ], - "type": "record" + ] } } ] diff --git a/schemas/jwt/3.9.x.json b/schemas/jwt/3.9.x.json index d5983af7..06e0c528 100644 --- a/schemas/jwt/3.9.x.json +++ b/schemas/jwt/3.9.x.json @@ -17,14 +17,22 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -33,22 +41,14 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
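Review bot: `verify_channel_token_expiry` is the only verification switch in this hunk without a `description`; its siblings `verify_channel_token_signature`, `verify_channel_token_scopes` and `verify_channel_token_introspection_expiry` all carry one. The `channel_token_leeway` text on this page says this flag disables channel token expiry verification altogether, so an operator reading the schema should see that stated on the field itself. A line in the siblings' wording would do: `"description": "Quickly turn on/off the channel token expiry verification."`. The schema is downloaded from the API, so the line has to be added upstream.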
@@ -57,54 +57,54 @@ "fields": [ { "uri_param_names": { + "elements": { + "type": "string" + }, "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", - "type": "set", "default": [ "jwt" ], - "elements": { - "type": "string" - } + "type": "set" } }, { "cookie_names": { + "elements": { + "type": "string" + }, "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", - "type": "set", "default": [ ], - "elements": { - "type": "string" - } + "type": "set" } }, { "key_claim_name": { - "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", "default": "iss", + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", "type": "string" } }, { "secret_is_base64": { - "required": true, - "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", "default": false, + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", + "required": true, "type": "boolean" } }, { "claims_to_verify": { - "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", - "type": "set", "elements": { "type": "string", "one_of": [ "exp", "nbf" ] - } + }, + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", + "type": "set" } }, { 
@@ -115,45 +115,45 @@ }, { "run_on_preflight": { - "required": true, - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", + "required": true, "type": "boolean" } }, { "maximum_expiration": { + "default": 0, + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", "between": [ 0, 31536000 ], - "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", - "default": 0, "type": "number" } }, { "header_names": { + "elements": { + "type": "string" + }, "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", - "type": "set", "default": [ "authorization" ], - "elements": { - "type": "string" - } + "type": "set" } }, { "realm": { - "type": "string", + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "required": false, - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value." + "type": "string" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/kafka-log/3.9.x.json b/schemas/kafka-log/3.9.x.json index d771b93c..2b4dc212 100644 --- a/schemas/kafka-log/3.9.x.json +++ b/schemas/kafka-log/3.9.x.json @@ -5,8 +5,6 @@ "fields": [ { "protocols": { - "type": "set", - "required": true, "default": [ "grpc", "grpcs", 
@@ -25,31 +23,41 @@ "ws", "wss" ] - } + }, + "required": true, + "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "authentication" + ] + } + } + ], "fields": [ { "bootstrap_servers": { - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", - "type": "set", "elements": { + "type": "record", "fields": [ { "host": { - "type": "string", + "description": "A string representing a host name, such as example.com.", "required": true, - "description": "A string representing a host name, such as example.com." + "type": "string" } }, { @@ -58,27 +66,28 @@ 0, 65535 ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } } - ], - "type": "record" - } + ] + }, + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set" } }, { "topic": { - "type": "string", "description": "The Kafka topic to publish to.", - "required": true + "required": true, + "type": "string" } }, { "timeout": { - "description": "Socket timeout in milliseconds.", "default": 10000, + "description": "Socket timeout in milliseconds.", "type": "integer" } }, @@ -99,9 +108,9 @@ "fields": [ { "strategy": { + "type": "string", "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "required": false, - "type": "string", "one_of": [ "sasl" ] 
@@ -109,9 +118,9 @@ }, { "mechanism": { + "type": "string", "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", "required": false, - "type": "string", "one_of": [ "PLAIN", "SCRAM-SHA-256", @@ -121,32 +130,32 @@ }, { "tokenauth": { - "type": "boolean", "description": "Enable this to indicate `DelegationToken` authentication", - "required": false + "required": false, + "type": "boolean" } }, { "user": { - "description": "Username for SASL authentication.", + "encrypted": true, "referenceable": true, "type": "string", - "required": false, - "encrypted": true + "description": "Username for SASL authentication.", + "required": false } }, { "password": { - "description": "Password for SASL authentication.", + "encrypted": true, "referenceable": true, "type": "string", - "required": false, - "encrypted": true + "description": "Password for SASL authentication.", + "required": false } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
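Review bot: The `mechanism` description names only `PLAIN` and `SCRAM-SHA-256`, but the `one_of` list continues past `SCRAM-SHA-256` (it ends in a comma at the edge of this hunk), so at least one accepted value is undocumented. The kafka-upstream schema later in this patch lists `SCRAM-SHA-512` as the third option. If the value cut off here is the same, the kafka-log description should list all three mechanisms as kafka-upstream does. The rest of the `one_of` list is outside the hunk, so this needs checking against the full file.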
@@ -154,37 +163,37 @@ "fields": [ { "certificate_id": { - "description": "UUID of certificate entity for mTLS authentication.", "required": false, + "description": "UUID of certificate entity for mTLS authentication.", "uuid": true, "type": "string" } }, { "ssl": { - "type": "boolean", "description": "Enables TLS.", - "required": false + "required": false, + "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "cluster_name": { + "auto": true, "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", "required": false, - "auto": true, "type": "string" } }, { "producer_request_acks": { - "type": "integer", - "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "type": "integer", "one_of": [ -1, 0, 
@@ -194,86 +203,77 @@ }, { "producer_request_timeout": { - "description": "Time to wait for a Produce response in milliseconds", "default": 2000, + "description": "Time to wait for a Produce response in milliseconds", "type": "integer" } }, { "producer_request_limits_messages_per_request": { - "description": "Maximum number of messages to include into a single Produce request.", "default": 200, + "description": "Maximum number of messages to include into a single Produce request.", "type": "integer" } }, { "producer_request_limits_bytes_per_request": { - "description": "Maximum size of a Produce request in bytes.", "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", "type": "integer" } }, { "producer_request_retries_max_attempts": { - "description": "Maximum number of retry attempts per single Produce request.", "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", "type": "integer" } }, { "producer_request_retries_backoff_timeout": { - "description": "Backoff interval between retry attempts in milliseconds.", "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", "type": "integer" } }, { "producer_async": { - "description": "Flag to enable asynchronous mode.", "default": true, + "description": "Flag to enable asynchronous mode.", "type": "boolean" } }, { "producer_async_flush_timeout": { - "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", "type": "integer" } }, { "producer_async_buffering_limits_messages_in_memory": { - "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", "type": "integer" } }, { "custom_fields_by_lua": { - 
"keys": { - "type": "string", - "len_min": 1 - }, - "type": "map", "description": "Lua code as a key-value map", "values": { "len_min": 1, "type": "string" - } - } - } - ], - "type": "record", - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "authentication" - ] + }, + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map" } } ], - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/kafka-upstream/3.9.x.json b/schemas/kafka-upstream/3.9.x.json index d75f1fec..e05b530c 100644 --- a/schemas/kafka-upstream/3.9.x.json +++ b/schemas/kafka-upstream/3.9.x.json @@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -14,39 +22,49 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "forward_method", + "forward_uri", + "forward_headers", + "forward_body" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "authentication" + ] + } + } + ], "fields": [ { "bootstrap_servers": { - "type": "set", - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "elements": { + "type": "record", "fields": [ { "host": { - "type": "string", + "description": "A string representing a host name, such as example.com.", "required": true, - "description": "A string representing a host name, such as example.com." + "type": "string" } }, { 
@@ -55,14 +73,15 @@ 0, 65535 ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } } - ], - "type": "record" - } + ] + }, + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set" } }, { @@ -74,16 +93,16 @@ }, { "timeout": { - "type": "integer", "default": 10000, - "description": "Socket timeout in milliseconds." + "description": "Socket timeout in milliseconds.", + "type": "integer" } }, { "keepalive": { - "type": "integer", "default": 60000, - "description": "Keepalive timeout in milliseconds." + "description": "Keepalive timeout in milliseconds.", + "type": "integer" } }, { @@ -97,9 +116,9 @@ "fields": [ { "strategy": { - "required": false, "type": "string", "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "required": false, "one_of": [ "sasl" ] @@ -107,9 +126,9 @@ }, { "mechanism": { - "required": false, "type": "string", "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", + "required": false, "one_of": [ "PLAIN", "SCRAM-SHA-256", @@ -126,25 +145,25 @@ }, { "user": { - "required": false, + "encrypted": true, "referenceable": true, "type": "string", "description": "Username for SASL authentication.", - "encrypted": true + "required": false } }, { "password": { - "required": false, + "encrypted": true, "referenceable": true, "type": "string", "description": "Password for SASL authentication.", - "encrypted": true + "required": false } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
@@ -153,9 +172,9 @@ { "certificate_id": { "uuid": true, - "type": "string", + "description": "UUID of certificate entity for mTLS authentication.", "required": false, - "description": "UUID of certificate entity for mTLS authentication." + "type": "string" } }, { 
@@ -166,51 +185,51 @@ } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "forward_method": { - "type": "boolean", "default": false, - "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" } }, { "forward_uri": { - "type": "boolean", "default": false, - "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" } }, { "forward_headers": { - "type": "boolean", "default": false, - "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" } }, { "forward_body": { - "type": "boolean", "default": true, - "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" } }, { "cluster_name": { "auto": true, - "type": "string", + "description": "An identifier for the Kafka cluster. 
By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", "required": false, - "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster." + "type": "string" } }, { "producer_request_acks": { + "default": 1, "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "type": "integer", - "default": 1, "one_of": [ -1, 0, 
@@ -220,82 +239,63 @@ }, { "producer_request_timeout": { - "type": "integer", "default": 2000, - "description": "Time to wait for a Produce response in milliseconds." + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer" } }, { "producer_request_limits_messages_per_request": { - "type": "integer", "default": 200, - "description": "Maximum number of messages to include into a single producer request." + "description": "Maximum number of messages to include into a single producer request.", + "type": "integer" } }, { "producer_request_limits_bytes_per_request": { - "type": "integer", "default": 1048576, - "description": "Maximum size of a Produce request in bytes." + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" } }, { "producer_request_retries_max_attempts": { - "type": "integer", "default": 10, - "description": "Maximum number of retry attempts per single Produce request." + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" } }, { "producer_request_retries_backoff_timeout": { - "type": "integer", "default": 100, - "description": "Backoff interval between retry attempts in milliseconds." + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" } }, { "producer_async": { - "type": "boolean", "default": true, - "description": "Flag to enable asynchronous mode." + "description": "Flag to enable asynchronous mode.", + "type": "boolean" } }, { "producer_async_flush_timeout": { - "type": "integer", "default": 1000, - "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode." 
+ "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" } }, { "producer_async_buffering_limits_messages_in_memory": { - "type": "integer", "default": 50000, - "description": "Maximum number of messages that can be buffered in memory in asynchronous mode." + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" } } ], - "type": "record", - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "forward_method", - "forward_uri", - "forward_headers", - "forward_body" - ] - } - }, - { - "custom_entity_check": { - "field_sources": [ - "authentication" - ] - } - } - ], - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/key-auth-enc/3.9.x.json b/schemas/key-auth-enc/3.9.x.json index f7d81dcb..0db052a3 100644 --- a/schemas/key-auth-enc/3.9.x.json +++ b/schemas/key-auth-enc/3.9.x.json @@ -6,15 +6,13 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", - "required": true, "default": [ "grpc", "grpcs", @@ -33,14 +31,16 @@ "ws", "wss" ] - } + }, + "required": true, + "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -50,22 +50,22 @@ { "key_names": { "required": true, + "type": "array", "elements": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." }, - "type": "array", + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "default": [ "apikey" - ], - "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." + ] } }, { "hide_credentials": { - "type": "boolean", "default": false, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it." + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", + "type": "boolean" } }, { 
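Review bot: The `hide_credentials` description in this hunk does not say what its `false` default means for an operator: the plugin strips the credential only when the option is `true`, so by default the client's API key is proxied on to the upstream service. I would extend the description with a sentence such as `With the default of false the key is forwarded to the upstream; set this to true unless the upstream needs it.` The `key_in_query` description in the next hunk (`@@ -76,42 +76,42 @@`, default `true`) could carry a similar caveat, `Keys sent in the query string are commonly written to access logs; prefer a header.` Both fields have the same wording gap in schemas/key-auth/3.9.x.json (`@@ -50,61 +50,61 @@`). The enclosing `config` record starts before this hunk and continues after it.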
@@ -76,42 +76,42 @@ }, { "key_in_header": { - "type": "boolean", "default": true, - "description": "If enabled (default), the plugin reads the request header and tries to find the key in it." + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean" } }, { "key_in_query": { - "type": "boolean", "default": true, - "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it." + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean" } }, { "key_in_body": { - "type": "boolean", "default": false, - "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" } }, { "run_on_preflight": { - "type": "boolean", "default": true, - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed." + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. 
If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean" } }, { "realm": { "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", - "type": "string", - "required": false + "required": false, + "type": "string" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/key-auth/3.9.x.json b/schemas/key-auth/3.9.x.json index fdd792f8..dbb4a35d 100644 --- a/schemas/key-auth/3.9.x.json +++ b/schemas/key-auth/3.9.x.json @@ -6,15 +6,13 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", - "required": true, "default": [ "grpc", "grpcs", @@ -33,14 +31,16 @@ "ws", "wss" ] - } + }, + "required": true, + "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
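Review bot: The `key_in_body` description in this hunk lists `application/www-form-urlencoded` as a supported MIME type, but the registered name of the form encoding is `application/x-www-form-urlencoded`. The same string appears in the `key_in_body` description of schemas/key-auth/3.9.x.json (hunk `@@ -50,61 +50,61 @@`). Someone who copies the value into a client or a gateway rule as a literal Content-Type would send a type that form-body parsers do not normally recognise. If these files are pulled from the API, as the series description says, the correction presumably belongs in the upstream plugin schema rather than in a hand edit here.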
@@ -50,61 +50,61 @@ { "key_names": { "required": true, + "type": "array", "elements": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." }, - "type": "array", + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "default": [ "apikey" - ], - "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." + ] } }, { "hide_credentials": { - "required": true, - "type": "boolean", "default": false, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request." + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", + "required": true, + "type": "boolean" } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`.", + "type": "string" } }, { "key_in_header": { - "required": true, - "type": "boolean", "default": true, - "description": "If enabled (default), the plugin reads the request header and tries to find the key in it." 
+ "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "required": true, + "type": "boolean" } }, { "key_in_query": { - "required": true, - "type": "boolean", "default": true, - "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it." + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "required": true, + "type": "boolean" } }, { "key_in_body": { - "required": true, - "type": "boolean", "default": false, - "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." + "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "required": true, + "type": "boolean" } }, { "run_on_preflight": { - "required": true, - "type": "boolean", "default": true, - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed." + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "required": true, + "type": "boolean" } }, { @@ -115,8 +115,8 @@ } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/konnect-application-auth/3.9.x.json b/schemas/konnect-application-auth/3.9.x.json index 699adb21..e7763990 100644 --- a/schemas/konnect-application-auth/3.9.x.json +++ b/schemas/konnect-application-auth/3.9.x.json 
@@ -6,14 +6,22 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -22,48 +30,43 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "entity_checks": [ + + ], "fields": [ { "key_names": { "required": true, + "type": "array", "elements": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." }, - "type": "array", + "description": "The names of the headers containing the API key. You can specify multiple header names.", "default": [ "apikey" - ], - "description": "The names of the headers containing the API key. You can specify multiple header names." + ] } }, { "auth_type": { - "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", "required": true, "type": "string", "default": "openid-connect", + "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", "one_of": [ "openid-connect", "key-auth", 
@@ -81,64 +84,70 @@ }, { "v2_strategies": { + "required": false, + "type": "record", + "default": [ + + ], + "description": "The map of v2 strategies.", "fields": [ { "key_auth": { - "required": false, - "description": "List of key_auth strategies.", - "type": "array", "elements": { + "type": "record", "fields": [ { "strategy_id": { - "type": "string", + "description": "The strategy id the config is tied to.", "required": true, - "description": "The strategy id the config is tied to." + "type": "string" } }, { "config": { + "type": "record", + "required": true, "fields": [ { "key_names": { "required": true, + "type": "array", "elements": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." }, - "type": "array", + "description": "The names of the headers containing the API key. You can specify multiple header names.", "default": [ "apikey" - ], - "description": "The names of the headers containing the API key. You can specify multiple header names." + ] } } - ], - "type": "record", - "required": true + ] } } - ], - "type": "record" - } + ] + }, + "description": "List of key_auth strategies.", + "required": false, + "type": "array" } }, { "openid_connect": { - "required": false, - "description": "List of openid_connect strategies.", - "type": "array", "elements": { + "type": "record", "fields": [ { "strategy_id": { - "type": "string", + "description": "The strategy id the config is tied to.", "required": true, - "description": "The strategy id the config is tied to." + "type": "string" } }, { "config": { + "description": "openid-connect plugin configuration.", + "type": "record", "fields": [ { "issuer": { 
@@ -149,53 +158,66 @@ }, { "using_pseudo_issuer": { - "required": false, - "type": "boolean", "default": false, - "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`." + "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "required": false, + "type": "boolean" } }, { "discovery_headers_names": { - "required": false, - "type": "array", - "description": "Extra header names passed to the discovery endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra header names passed to the discovery endpoint.", + "required": false, + "type": "array" } }, { "discovery_headers_values": { - "required": false, - "type": "array", - "description": "Extra header values passed to the discovery endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra header values passed to the discovery endpoint.", + "required": false, + "type": "array" } }, { "extra_jwks_uris": { - "required": false, - "type": "set", - "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" - } + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "required": false, + "type": "set" } }, { "rediscovery_lifetime": { - "required": false, - "type": "number", "default": 30, - "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis." 
+ "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", + "required": false, + "type": "number" } }, { "auth_methods": { + "required": false, + "type": "array", + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ], "description": "Types of credentials/grants to enable.", "elements": { "type": "string", 
@@ -210,51 +232,35 @@ "refresh_token", "session" ] - }, - "type": "array", - "default": [ - "password", - "client_credentials", - "authorization_code", - "bearer", - "introspection", - "userinfo", - "kong_oauth2", - "refresh_token", - "session" - ], - "required": false + } } }, { "client_id": { + "encrypted": true, "required": false, + "type": "array", "elements": { "referenceable": true, "type": "string" }, - "type": "array", - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", - "encrypted": true + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." } }, { "client_secret": { + "encrypted": true, "required": false, + "type": "array", "elements": { "referenceable": true, "type": "string" }, - "type": "array", - "description": "The client secret.", - "encrypted": true + "description": "The client secret." } }, { "client_auth": { - "required": false, - "type": "array", - "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", "elements": { "type": "string", "one_of": [ 
@@ -266,205 +272,205 @@ "self_signed_tls_client_auth", "none" ] - } + }, + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "required": false, + "type": "array" } }, { "client_jwk": { - "required": false, - "type": "array", - "description": "The JWK used for the private_key_jwt authentication.", "elements": { + "type": "record", + "required": false, "fields": [ { "issuer": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "kty": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "use": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "key_ops": { - "required": false, - "type": "array", "elements": { - "type": "string", - "required": false - } + "required": false, + "type": "string" + }, + "required": false, + "type": "array" } }, { "alg": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "kid": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5u": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5c": { - "required": false, - "type": "array", "elements": { - "type": "string", - "required": false - } + "required": false, + "type": "string" + }, + "required": false, + "type": "array" } }, { "x5t": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5t#S256": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "k": { - "type": "string", + "encrypted": true, "required": false, 
"referenceable": true, - "encrypted": true + "type": "string" } }, { "x": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "y": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "crv": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "n": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "e": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "d": { - "type": "string", + "encrypted": true, "required": false, "referenceable": true, - "encrypted": true + "type": "string" } }, { "p": { - "type": "string", + "encrypted": true, "required": false, "referenceable": true, - "encrypted": true + "type": "string" } }, { "q": { - "type": "string", + "encrypted": true, "required": false, "referenceable": true, - "encrypted": true + "type": "string" } }, { "dp": { - "type": "string", + "encrypted": true, "required": false, "referenceable": true, - "encrypted": true + "type": "string" } }, { "dq": { - "type": "string", + "encrypted": true, "required": false, "referenceable": true, - "encrypted": true + "type": "string" } }, { "qi": { - "type": "string", + "encrypted": true, "required": false, "referenceable": true, - "encrypted": true + "type": "string" } }, { "oth": { - "type": "string", + "encrypted": true, "required": false, "referenceable": true, - "encrypted": true + "type": "string" } }, { "r": { - "type": "string", + "encrypted": true, "required": false, "referenceable": true, - "encrypted": true + "type": "string" } }, { "t": { - "type": "string", + "encrypted": true, "required": false, "referenceable": true, - "encrypted": true + "type": "string" } } - ], - "type": "record", - "required": false - } + ] + }, + "description": "The JWK used for the private_key_jwt authentication.", + "required": false, + "type": "array" } }, { "client_alg": { - "required": false, - "type": "array", 
- "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", "elements": { "type": "string", "one_of": [ 
@@ -482,123 +488,126 @@ "PS512", "EdDSA" ] - } + }, + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "required": false, + "type": "array" } }, { "client_arg": { - "required": false, - "type": "string", "default": "client_id", - "description": "The client to use for this request (the selection is made with a request parameter with the same name)." + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "required": false, + "type": "string" } }, { "redirect_uri": { - "required": false, - "type": "array", - "description": "The redirect URI passed to the authorization and token endpoints.", "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" - } + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "The redirect URI passed to the authorization and token endpoints.", + "required": false, + "type": "array" } }, { "login_redirect_uri": { - "required": false, - "type": "array", - "description": "Where to redirect the client when `login_action` is set to `redirect`.", "elements": { - "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "referenceable": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
- } + "type": "string" + }, + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "required": false, + "type": "array" } }, { "logout_redirect_uri": { - "required": false, - "type": "array", - "description": "Where to redirect the client after the logout.", "elements": { - "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "referenceable": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - } + "type": "string" + }, + "description": "Where to redirect the client after the logout.", + "required": false, + "type": "array" } }, { "forbidden_redirect_uri": { - "required": false, - "type": "array", - "description": "Where to redirect the client on forbidden requests.", "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" - } + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client on forbidden requests.", + "required": false, + "type": "array" } }, { "forbidden_error_message": { - "required": false, - "type": "string", "default": "Forbidden", - "description": "The error message for the forbidden requests (when not using the redirection)." + "description": "The error message for the forbidden requests (when not using the redirection).", + "required": false, + "type": "string" } }, { "forbidden_destroy_session": { - "required": false, - "type": "boolean", "default": true, - "description": "Destroy any active session for the forbidden requests." 
+ "description": "Destroy any active session for the forbidden requests.", + "required": false, + "type": "boolean" } }, { "unauthorized_destroy_session": { - "required": false, - "type": "boolean", "default": true, - "description": "Destroy any active session for the unauthorized requests." + "description": "Destroy any active session for the unauthorized requests.", + "required": false, + "type": "boolean" } }, { "unauthorized_redirect_uri": { - "required": false, - "type": "array", - "description": "Where to redirect the client on unauthorized requests.", "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" - } + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client on unauthorized requests.", + "required": false, + "type": "array" } }, { "unauthorized_error_message": { - "required": false, - "type": "string", "default": "Unauthorized", - "description": "The error message for the unauthorized requests (when not using the redirection)." + "description": "The error message for the unauthorized requests (when not using the redirection).", + "required": false, + "type": "string" } }, { "unexpected_redirect_uri": { - "required": false, - "type": "array", - "description": "Where to redirect the client when unexpected errors happen with the requests.", "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" - } - } - }, - { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ }, + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "required": false, + "type": "array" + } + }, + { "response_mode": { - "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", "required": false, "type": "string", "default": "query", + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", "one_of": [ "query", "form_post", 
@@ -612,151 +621,151 @@ }, { "response_type": { - "description": "The response type passed to the authorization endpoint.", - "elements": { - "type": "string" - }, + "required": false, "type": "array", "default": [ "code" ], - "required": false + "description": "The response type passed to the authorization endpoint.", + "elements": { + "type": "string" + } } }, { "scopes": { - "description": "The scopes passed to the authorization and token endpoints.", - "elements": { - "referenceable": true, - "type": "string" - }, + "required": false, "type": "array", "default": [ "openid" ], - "required": false + "description": "The scopes passed to the authorization and token endpoints.", + "elements": { + "referenceable": true, + "type": "string" + } } }, { "audience": { - "required": false, - "type": "array", - "description": "The audience passed to the authorization endpoint.", "elements": { "type": "string" - } + }, + "description": "The audience passed to the authorization endpoint.", + "required": false, + "type": "array" } }, { "issuers_allowed": { - "required": false, - "type": "array", - "description": "The issuers allowed to be present in the tokens (`iss` claim).", "elements": { "type": "string" - } + }, + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "required": false, + "type": "array" } }, { "scopes_required": { - "required": false, - "type": "array", - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - } + }, + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, + "type": "array" } }, { "scopes_claim": { - "description": "The claim that contains the scopes. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", - "elements": { - "type": "string" - }, + "required": false, "type": "array", "default": [ "scope" ], - "required": false + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } } }, { "audience_required": { - "required": false, - "type": "array", - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - } + }, + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, + "type": "array" } }, { "audience_claim": { - "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "elements": { - "type": "string" - }, + "required": false, "type": "array", "default": [ "aud" ], - "required": false + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } } }, { "groups_required": { - "required": false, - "type": "array", - "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - } + }, + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.", + "required": false, + "type": "array" } }, { "groups_claim": { - "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "elements": { - "type": "string" - }, + "required": false, "type": "array", "default": [ "groups" ], - "required": false + "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } } }, { "roles_required": { - "required": false, - "type": "array", - "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" - } + }, + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, + "type": "array" } }, { "roles_claim": { - "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "elements": { - "type": "string" - }, + "required": false, "type": "array", "default": [ "roles" ], - "required": false + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } } }, { "domains": { - "required": false, - "type": "array", - "description": "The allowed values for the `hd` claim.", "elements": { "type": "string" - } + }, + "description": "The allowed values for the `hd` claim.", + "required": false, + "type": "array" } }, { 
@@ -768,12 +777,12 @@ }, { "authenticated_groups_claim": { - "required": false, - "type": "array", - "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - } + }, + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "type": "array" } }, { @@ -785,9 +794,9 @@ }, { "pushed_authorization_request_endpoint_auth_method": { - "required": false, "type": "string", "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -829,63 +838,63 @@ }, { "authorization_query_args_names": { - "required": false, - "type": "array", - "description": "Extra query argument names passed to the authorization endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra query argument names passed to the authorization endpoint.", + "required": false, + "type": "array" } }, { "authorization_query_args_values": { - "required": false, - "type": "array", - "description": "Extra query argument values passed to the authorization endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra query argument values passed to the authorization endpoint.", + "required": false, + "type": "array" } }, { "authorization_query_args_client": { - "required": false, - "type": "array", - "description": "Extra query arguments passed from the client to the authorization endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "required": false, + "type": "array" } }, { "authorization_rolling_timeout": { - "required": false, - "type": "number", "default": 600, - "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "required": false, + "type": "number" } }, { "authorization_cookie_name": { - "required": false, - "type": "string", "default": "authorization", - "description": "The authorization cookie name." 
+ "description": "The authorization cookie name.", + "required": false, + "type": "string" } }, { "authorization_cookie_path": { "required": false, + "type": "string", + "default": "/", + "description": "The authorization cookie Path flag.", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], - "starts_with": "/", - "type": "string", - "default": "/", - "description": "The authorization cookie Path flag." + "starts_with": "/" } }, { @@ -897,10 +906,10 @@ }, { "authorization_cookie_same_site": { - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "required": false, "type": "string", "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "one_of": [ "Strict", "Lax", @@ -911,10 +920,10 @@ }, { "authorization_cookie_http_only": { - "required": false, - "type": "boolean", "default": true, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "required": false, + "type": "boolean" } }, { @@ -926,10 +935,10 @@ }, { "preserve_query_args": { - "required": false, - "type": "boolean", "default": false, - "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow." + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "required": false, + "type": "boolean" } }, { 
@@ -941,9 +950,9 @@ }, { "token_endpoint_auth_method": { - "required": false, "type": "string", "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, "one_of": [ "client_secret_basic", "client_secret_post", @@ -957,42 +966,42 @@ }, { "token_headers_names": { - "required": false, - "type": "array", - "description": "Extra header names passed to the token endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra header names passed to the token endpoint.", + "required": false, + "type": "array" } }, { "token_headers_values": { - "required": false, - "type": "array", - "description": "Extra header values passed to the token endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra header values passed to the token endpoint.", + "required": false, + "type": "array" } }, { "token_headers_client": { - "required": false, - "type": "array", - "description": "Extra headers passed from the client to the token endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra headers passed from the client to the token endpoint.", + "required": false, + "type": "array" } }, { "token_headers_replay": { - "required": false, - "type": "array", - "description": "The names of token endpoint response headers to forward to the downstream client.", "elements": { "type": "string" - } + }, + "description": "The names of token endpoint response headers to forward to the downstream client.", + "required": false, + "type": "array" } }, { 
@@ -1004,9 +1013,6 @@ }, { "token_headers_grants": { - "required": false, - "type": "array", - "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", "elements": { "type": "string", "one_of": [ 
@@ -1015,37 +1021,40 @@ "authorization_code", "refresh_token" ] - } + }, + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "required": false, + "type": "array" } }, { "token_post_args_names": { - "required": false, - "type": "array", - "description": "Extra post argument names passed to the token endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra post argument names passed to the token endpoint.", + "required": false, + "type": "array" } }, { "token_post_args_values": { - "required": false, - "type": "array", - "description": "Extra post argument values passed to the token endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra post argument values passed to the token endpoint.", + "required": false, + "type": "array" } }, { "token_post_args_client": { - "required": false, - "type": "array", - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", "elements": { "type": "string" - } + }, + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. 
If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "required": false, + "type": "array" } }, { @@ -1057,9 +1066,9 @@ }, { "introspection_endpoint_auth_method": { - "required": false, "type": "string", "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -1073,26 +1082,26 @@ }, { "introspection_hint": { - "required": false, - "type": "string", "default": "access_token", - "description": "Introspection hint parameter value passed to the introspection endpoint." + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "required": false, + "type": "string" } }, { "introspection_check_active": { - "required": false, - "type": "boolean", "default": true, - "description": "Check that the introspection response has an `active` claim with a value of `true`." + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "required": false, + "type": "boolean" } }, { "introspection_accept": { - "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", "required": false, "type": "string", "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", "one_of": [ "application/json", "application/token-introspection+jwt", 
@@ -1102,82 +1111,82 @@ }, { "introspection_headers_names": { - "required": false, - "type": "array", - "description": "Extra header names passed to the introspection endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra header names passed to the introspection endpoint.", + "required": false, + "type": "array" } }, { "introspection_headers_values": { + "encrypted": true, "required": false, + "type": "array", "elements": { "referenceable": true, "type": "string" }, - "type": "array", - "description": "Extra header values passed to the introspection endpoint.", - "encrypted": true + "description": "Extra header values passed to the introspection endpoint." } }, { "introspection_headers_client": { - "required": false, - "type": "array", - "description": "Extra headers passed from the client to the introspection endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra headers passed from the client to the introspection endpoint.", + "required": false, + "type": "array" } }, { "introspection_post_args_names": { - "required": false, - "type": "array", - "description": "Extra post argument names passed to the introspection endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra post argument names passed to the introspection endpoint.", + "required": false, + "type": "array" } }, { "introspection_post_args_values": { - "required": false, - "type": "array", - "description": "Extra post argument values passed to the introspection endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra post argument values passed to the introspection endpoint.", + "required": false, + "type": "array" } }, { "introspection_post_args_client": { - "required": false, - "type": "array", - "description": "Extra post arguments passed from the client to the introspection endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra post arguments passed from the client to the introspection endpoint.", + 
"required": false, + "type": "array" } }, { "introspection_post_args_client_headers": { - "required": false, - "type": "array", - "description": "Extra post arguments passed from the client headers to the introspection endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra post arguments passed from the client headers to the introspection endpoint.", + "required": false, + "type": "array" } }, { "introspect_jwt_tokens": { - "required": false, - "type": "boolean", "default": false, - "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations)." + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "required": false, + "type": "boolean" } }, { @@ -1189,9 +1198,9 @@ }, { "revocation_endpoint_auth_method": { - "required": false, "type": "string", "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, "one_of": [ "client_secret_basic", "client_secret_post", @@ -1219,10 +1228,10 @@ }, { "userinfo_accept": { - "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", "required": false, "type": "string", "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", "one_of": [ "application/json", "application/jwt" 
@@ -1231,62 +1240,62 @@ }, { "userinfo_headers_names": { - "required": false, - "type": "array", - "description": "Extra header names passed to the user info endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra header names passed to the user info endpoint.", + "required": false, + "type": "array" } }, { "userinfo_headers_values": { - "required": false, - "type": "array", - "description": "Extra header values passed to the user info endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra header values passed to the user info endpoint.", + "required": false, + "type": "array" } }, { "userinfo_headers_client": { - "required": false, - "type": "array", - "description": "Extra headers passed from the client to the user info endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra headers passed from the client to the user info endpoint.", + "required": false, + "type": "array" } }, { "userinfo_query_args_names": { - "required": false, - "type": "array", - "description": "Extra query argument names passed to the user info endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra query argument names passed to the user info endpoint.", + "required": false, + "type": "array" } }, { "userinfo_query_args_values": { - "required": false, - "type": "array", - "description": "Extra query argument values passed to the user info endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra query argument values passed to the user info endpoint.", + "required": false, + "type": "array" } }, { "userinfo_query_args_client": { - "required": false, - "type": "array", - "description": "Extra query arguments passed from the client to the user info endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra query arguments passed from the client to the user info endpoint.", + "required": false, + "type": "array" } }, { 
@@ -1298,98 +1307,98 @@ }, { "session_secret": { - "description": "The session secret.", + "encrypted": true, "referenceable": true, "type": "string", - "required": false, - "encrypted": true + "description": "The session secret.", + "required": false } }, { "session_audience": { - "required": false, - "type": "string", "default": "default", - "description": "The session audience, which is the intended target application. For example `\"my-application\"`." + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "required": false, + "type": "string" } }, { "session_cookie_name": { - "required": false, - "type": "string", "default": "session", - "description": "The session cookie name." + "description": "The session cookie name.", + "required": false, + "type": "string" } }, { "session_remember": { - "required": false, - "type": "boolean", "default": false, - "description": "Enables or disables persistent sessions." + "description": "Enables or disables persistent sessions.", + "required": false, + "type": "boolean" } }, { "session_remember_cookie_name": { - "required": false, - "type": "string", "default": "remember", - "description": "Persistent session cookie name. Use with the `remember` configuration parameter." + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "required": false, + "type": "string" } }, { "session_remember_rolling_timeout": { - "required": false, - "type": "number", "default": 604800, - "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling." + "description": "Specifies how long the persistent session is considered valid in seconds. 
0 disables the checks and rolling.", + "required": false, + "type": "number" } }, { "session_remember_absolute_timeout": { - "required": false, - "type": "number", "default": 2592000, - "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks." + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "required": false, + "type": "number" } }, { "session_idling_timeout": { - "required": false, - "type": "number", "default": 900, - "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching." + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "required": false, + "type": "number" } }, { "session_rolling_timeout": { - "required": false, - "type": "number", "default": 3600, - "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "required": false, + "type": "number" } }, { "session_absolute_timeout": { - "required": false, - "type": "number", "default": 86400, - "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks." + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 
0 disables the checks.", + "required": false, + "type": "number" } }, { "session_cookie_path": { "required": false, + "type": "string", + "default": "/", + "description": "The session cookie Path flag.", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], - "starts_with": "/", - "type": "string", - "default": "/", - "description": "The session cookie Path flag." + "starts_with": "/" } }, { @@ -1401,10 +1410,10 @@ }, { "session_cookie_same_site": { - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "required": false, "type": "string", "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "one_of": [ "Strict", "Lax", @@ -1415,10 +1424,10 @@ }, { "session_cookie_http_only": { - "required": false, - "type": "boolean", "default": true, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "required": false, + "type": "boolean" } }, { @@ -1430,9 +1439,6 @@ }, { "session_request_headers": { - "type": "set", - "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", - "required": false, "elements": { "type": "string", "one_of": [ 
@@ -1444,14 +1450,14 @@ "rolling-timeout", "absolute-timeout" ] - } + }, + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "required": false, + "type": "set" } }, { "session_response_headers": { - "type": "set", - "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", - "required": false, "elements": { "type": "string", "one_of": [ @@ -1463,15 +1469,18 @@ "rolling-timeout", "absolute-timeout" ] - } + }, + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "required": false, + "type": "set" } }, { "session_storage": { - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", "required": false, "type": "string", "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", "one_of": [ "cookie", "memcache", 
@@ -1482,34 +1491,34 @@ }, { "session_store_metadata": { - "required": false, - "type": "boolean", "default": false, - "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject." + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "required": false, + "type": "boolean" } }, { "session_enforce_same_subject": { - "required": false, - "type": "boolean", "default": false, - "description": "When set to `true`, audiences are forced to share the same subject." + "description": "When set to `true`, audiences are forced to share the same subject.", + "required": false, + "type": "boolean" } }, { "session_hash_subject": { - "required": false, - "type": "boolean", "default": false, - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "required": false, + "type": "boolean" } }, { "session_hash_storage_key": { - "required": false, - "type": "boolean", "default": false, - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "required": false, + "type": "boolean" } }, { 
@@ -1528,19 +1537,19 @@ }, { "session_memcached_host": { - "required": false, - "type": "string", "default": "127.0.0.1", - "description": "The memcached host." + "description": "The memcached host.", + "required": false, + "type": "string" } }, { "session_memcached_port": { - "required": false, "between": [ 0, 65535 ], + "required": false, "type": "integer", "default": 11211, "description": "The memcached port." 
@@ -1548,103 +1557,234 @@ }, { "redis": { - "fields": [ - { - "host": { - "type": "string", - "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com." - } - }, - { - "port": { - "between": [ - 0, - 65535 - ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." - } - }, + "required": true, + "type": "record", + "entity_checks": [ { - "connect_timeout": { - "between": [ - 0, - 2147483646 - ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." - } + "mutually_required": [ + "host", + "port" + ] }, { - "send_timeout": { - "between": [ - 0, - 2147483646 - ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." - } + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] }, { - "read_timeout": { - "between": [ - 0, - 2147483646 - ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." - } + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] }, { - "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } } }, { - "password": { - "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", - "type": "string", - "referenceable": true, - "encrypted": true + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] } }, { - "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "referenceable": true, - "type": "string" + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] } }, { - "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "type": "string", - "referenceable": true, - "encrypted": true + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] } - }, + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + 
}, + "len_min": 1, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer" } }, { "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 ], - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "default": 256, "type": "integer" } }, 
@@ -1654,128 +1794,128 @@ 0, 2147483646 ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "type": "string" } }, { "sentinel_nodes": { "required": false, + "type": "array", "elements": { "fields": [ { "host": { - "required": true, - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } } ], "type": "record" }, - "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 } }, { "cluster_nodes": { "required": false, + "type": "array", "elements": { "fields": [ { "ip": { - "required": true, - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ "type": "integer" } } ], "type": "record" }, - "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 } }, { "ssl": { - "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis.", "default": false, - "required": false + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" } }, { "ssl_verify": { - "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, - "required": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" } }, { "server_name": { - "type": "string", "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false + "required": false, + "type": "string" } }, { "cluster_max_redirections": { - "type": "integer", - "description": "Maximum retry attempts for redirection.", "default": 5, - "required": false + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" } }, { "connection_is_proxied": { - "type": "boolean", - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "default": false, - "required": false + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" } }, { 
@@ -1792,154 +1932,23 @@ "type": "string" } } - ], - "required": true, - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - }, - { - "cluster_addresses": { - "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - } ] } 
}, { "reverify": { - "required": false, - "type": "boolean", "default": false, - "description": "Specifies whether to always verify tokens stored in the session." + "description": "Specifies whether to always verify tokens stored in the session.", + "required": false, + "type": "boolean" } }, { "jwt_session_claim": { - "required": false, - "type": "string", "default": "sid", - "description": "The claim to match against the JWT session cookie." + "description": "The claim to match against the JWT session cookie.", + "required": false, + "type": "string" } }, { @@ -1951,6 +1960,13 @@ }, { "bearer_token_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", "elements": { "type": "string", @@ -1960,14 +1976,7 @@ "query", "body" ] - }, - "type": "array", - "default": [ - "header", - "query", - "body" - ], - "required": false + } } }, { @@ -1979,6 +1988,13 @@ }, { "client_credentials_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", "elements": { "type": "string", 
@@ -1987,18 +2003,18 @@ "query", "body" ] - }, + } + } + }, + { + "password_param_type": { + "required": false, "type": "array", "default": [ "header", "query", "body" ], - "required": false - } - }, - { - "password_param_type": { "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "elements": { "type": "string", @@ -2007,18 +2023,18 @@ "query", "body" ] - }, + } + } + }, + { + "id_token_param_type": { + "required": false, "type": "array", "default": [ "header", "query", "body" ], - "required": false - } - }, - { - "id_token_param_type": { "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "elements": { "type": "string", @@ -2027,14 +2043,7 @@ "query", "body" ] - }, - "type": "array", - "default": [ - "header", - "query", - "body" - ], - "required": false + } } }, { @@ -2046,6 +2055,13 @@ }, { "refresh_token_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "elements": { "type": "string", @@ -2054,14 +2070,7 @@ "query", "body" ] - }, - "type": "array", - "default": [ - "header", - "query", - "body" - ], - "required": false + } } }, { 
@@ -2073,38 +2082,38 @@ }, { "refresh_tokens": { - "required": false, - "type": "boolean", "default": true, - "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available." + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "required": false, + "type": "boolean" } }, { "upstream_headers_claims": { - "required": false, - "type": "array", - "description": "The upstream header claims. Only top level claims are supported.", "elements": { "type": "string" - } + }, + "description": "The upstream header claims. Only top level claims are supported.", + "required": false, + "type": "array" } }, { "upstream_headers_names": { - "required": false, - "type": "array", - "description": "The upstream header names for the claim values.", "elements": { "type": "string" - } + }, + "description": "The upstream header names for the claim values.", + "required": false, + "type": "array" } }, { "upstream_access_token_header": { - "required": false, - "type": "string", "default": "authorization:bearer", - "description": "The upstream access token header." + "description": "The upstream access token header.", + "required": false, + "type": "string" } }, { 
@@ -2172,22 +2181,22 @@ }, { "downstream_headers_claims": { - "required": false, - "type": "array", - "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - } + }, + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "type": "array" } }, { "downstream_headers_names": { - "required": false, - "type": "array", - "description": "The downstream header names for the claim values.", "elements": { "type": "string" - } + }, + "description": "The downstream header names for the claim values.", + "required": false, + "type": "array" } }, { @@ -2262,6 +2271,11 @@ }, { "login_methods": { + "required": false, + "type": "array", + "default": [ + "authorization_code" + ], "description": "Enable login functionality with specified grants.", "elements": { "type": "string", @@ -2276,20 +2290,15 @@ "refresh_token", "session" ] - }, - "type": "array", - "default": [ - "authorization_code" - ], - "required": false + } } }, { "login_action": { - "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", "required": false, "type": "string", "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", "one_of": [ "upstream", "response", 
@@ -2299,6 +2308,11 @@ }, { "login_tokens": { + "required": false, + "type": "array", + "default": [ + "id_token" + ], "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", "elements": { "type": "string", @@ -2309,20 +2323,15 @@ "tokens", "introspection" ] - }, - "type": "array", - "default": [ - "id_token" - ], - "required": false + } } }, { "login_redirect_mode": { - "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", "required": false, "type": "string", "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", "one_of": [ "query", "fragment" @@ -2352,6 +2361,12 @@ }, { "logout_methods": { + "required": false, + "type": "array", + "default": [ + "POST", + "DELETE" + ], "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", "elements": { "type": "string", 
@@ -2360,51 +2375,51 @@ "GET", "DELETE" ] - }, - "type": "array", - "default": [ - "POST", - "DELETE" - ], - "required": false + } } }, { "logout_revoke": { - "required": false, - "type": "boolean", "default": false, - "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters." + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "required": false, + "type": "boolean" } }, { "logout_revoke_access_token": { - "required": false, - "type": "boolean", "default": true, - "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`." + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "required": false, + "type": "boolean" } }, { "logout_revoke_refresh_token": { - "required": false, - "type": "boolean", "default": true, - "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`." + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "required": false, + "type": "boolean" } }, { "consumer_claim": { - "required": false, - "type": "array", - "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - } + }, + "description": "The claim used for consumer mapping. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "type": "array" } }, { "consumer_by": { + "required": false, + "type": "array", + "default": [ + "username", + "custom_id" + ], "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", "elements": { "type": "string", @@ -2413,34 +2428,28 @@ "username", "custom_id" ] - }, - "type": "array", - "default": [ - "username", - "custom_id" - ], - "required": false + } } }, { "consumer_optional": { - "required": false, - "type": "boolean", "default": false, - "description": "Do not terminate the request if consumer mapping fails." + "description": "Do not terminate the request if consumer mapping fails.", + "required": false, + "type": "boolean" } }, { "credential_claim": { - "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "elements": { - "type": "string" - }, + "required": false, "type": "array", "default": [ "sub" ], - "required": false + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } } }, { 
@@ -2452,54 +2461,59 @@ }, { "run_on_preflight": { - "required": false, - "type": "boolean", "default": true, - "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests." + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "required": false, + "type": "boolean" } }, { "leeway": { - "required": false, - "type": "number", "default": 0, - "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims" + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "required": false, + "type": "number" } }, { "verify_parameters": { - "required": false, - "type": "boolean", "default": false, - "description": "Verify plugin configuration against discovery." + "description": "Verify plugin configuration against discovery.", + "required": false, + "type": "boolean" } }, { "verify_nonce": { - "required": false, - "type": "boolean", "default": true, - "description": "Verify nonce on authorization code flow." + "description": "Verify nonce on authorization code flow.", + "required": false, + "type": "boolean" } }, { "verify_claims": { - "required": false, - "type": "boolean", "default": true, - "description": "Verify tokens for standard claims." + "description": "Verify tokens for standard claims.", + "required": false, + "type": "boolean" } }, { "verify_signature": { - "required": false, - "type": "boolean", "default": true, - "description": "Verify signature of tokens." 
+ "description": "Verify signature of tokens.", + "required": false, + "type": "boolean" } }, { "ignore_signature": { + "required": false, + "type": "array", + "default": [ + + ], "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", "elements": { "type": "string", @@ -2512,27 +2526,19 @@ "introspection", "userinfo" ] - }, - "type": "array", - "default": [ - - ], - "required": false + } } }, { "enable_hs_signatures": { - "required": false, - "type": "boolean", "default": false, - "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted)." + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "required": false, + "type": "boolean" } }, { "disable_session": { - "required": false, - "type": "array", - "description": "Disable issuing the session cookie with the specified grants.", "elements": { "type": "string", "one_of": [ @@ -2546,15 +2552,18 @@ "refresh_token", "session" ] - } + }, + "description": "Disable issuing the session cookie with the specified grants.", + "required": false, + "type": "array" } }, { "cache_ttl": { - "required": false, - "type": "number", "default": 3600, - "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry." + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "required": false, + "type": "number" } }, { 
@@ -2587,66 +2596,66 @@ }, { "cache_tokens": { - "required": false, - "type": "boolean", "default": true, - "description": "Cache the token endpoint requests." + "description": "Cache the token endpoint requests.", + "required": false, + "type": "boolean" } }, { "cache_tokens_salt": { - "required": false, - "type": "string", "auto": true, - "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "required": false, + "type": "string" } }, { "cache_introspection": { - "required": false, - "type": "boolean", "default": true, - "description": "Cache the introspection endpoint requests." + "description": "Cache the introspection endpoint requests.", + "required": false, + "type": "boolean" } }, { "cache_token_exchange": { - "required": false, - "type": "boolean", "default": true, - "description": "Cache the token exchange endpoint requests." + "description": "Cache the token exchange endpoint requests.", + "required": false, + "type": "boolean" } }, { "cache_user_info": { - "required": false, - "type": "boolean", "default": true, - "description": "Cache the user info requests." + "description": "Cache the user info requests.", + "required": false, + "type": "boolean" } }, { "search_user_info": { - "required": false, - "type": "boolean", "default": false, - "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers." 
+ "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "required": false, + "type": "boolean" } }, { "hide_credentials": { - "required": false, - "type": "boolean", "default": false, - "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication." + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "required": false, + "type": "boolean" } }, { "http_version": { - "required": false, - "type": "number", "default": 1.1, - "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0." + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "required": false, + "type": "number" } }, { @@ -2659,9 +2668,9 @@ { "http_proxy_authorization": { "required": false, - "type": "string", + "description": "The HTTP proxy authorization.", "referenceable": true, - "description": "The HTTP proxy authorization." + "type": "string" } }, { @@ -2674,9 +2683,9 @@ { "https_proxy_authorization": { "required": false, - "type": "string", + "description": "The HTTPS proxy authorization.", "referenceable": true, - "description": "The HTTPS proxy authorization." + "type": "string" } }, { 
@@ -2688,88 +2697,88 @@ }, { "keepalive": { - "required": false, - "type": "boolean", "default": true, - "description": "Use keepalive with the HTTP client." + "description": "Use keepalive with the HTTP client.", + "required": false, + "type": "boolean" } }, { "ssl_verify": { - "required": false, - "type": "boolean", "default": false, - "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`." + "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "required": false, + "type": "boolean" } }, { "timeout": { - "required": false, - "type": "number", "default": 10000, - "description": "Network IO timeout in milliseconds." + "description": "Network IO timeout in milliseconds.", + "required": false, + "type": "number" } }, { "display_errors": { - "required": false, - "type": "boolean", "default": false, - "description": "Display errors on failure responses." + "description": "Display errors on failure responses.", + "required": false, + "type": "boolean" } }, { "by_username_ignore_case": { - "required": false, - "type": "boolean", "default": false, - "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively." + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "required": false, + "type": "boolean" } }, { "resolve_distributed_claims": { - "required": false, - "type": "boolean", "default": false, - "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims." 
+ "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "required": false, + "type": "boolean" } }, { "expose_error_code": { - "type": "boolean", "default": true, - "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable." + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "type": "boolean" } }, { "token_cache_key_include_scope": { - "type": "boolean", "default": false, - "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens." + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean" } }, { "introspection_token_param_name": { - "required": false, - "type": "string", "default": "token", - "description": "Designate token's parameter name for introspection." + "description": "Designate token's parameter name for introspection.", + "required": false, + "type": "string" } }, { "revocation_token_param_name": { - "required": false, - "type": "string", "default": "token", - "description": "Designate token's parameter name for revocation." + "description": "Designate token's parameter name for revocation.", + "required": false, + "type": "string" } }, { "proof_of_possession_mtls": { - "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. 
If the verification fails, the request will be rejected with 401.", "required": false, "type": "string", "default": "off", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", "one_of": [ "off", "strict", 
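Review bot: `ssl_verify` in this hunk keeps `"default": false`, and its description only covers the `true` case, so a reader is never told that the default leaves the identity provider's server certificate unverified. I would append one sentence to that description, for example: `When left at the default, the identity provider's certificate is not verified.` The same gap applies to the Redis `ssl` and `ssl_verify` fields in the later hunk `@@ -2982,289 +3122,149 @@`, which both default to `false` next to an `encrypted` `password` field. Separately, the `token_cache_key_include_scope` description here misspells "different" as "diffrent". If these schema files are pulled from the API rather than edited by hand, the wording fixes belong upstream.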
@@ -2779,27 +2788,27 @@ }, { "proof_of_possession_auth_methods_validation": { - "required": false, - "type": "boolean", "default": true, - "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP." + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "required": false, + "type": "boolean" } }, { "tls_client_auth_cert_id": { + "auto": false, "required": false, - "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", "type": "string", - "uuid": true, - "auto": false + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "uuid": true } }, { "tls_client_auth_ssl_verify": { - "required": false, - "type": "boolean", "default": true, - "description": "Verify identity provider server certificate during mTLS client authentication." + "description": "Verify identity provider server certificate during mTLS client authentication.", + "required": false, + "type": "boolean" } }, { 
@@ -2825,10 +2834,10 @@ }, { "proof_of_possession_dpop": { - "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", "required": false, "type": "string", "default": "off", + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", "one_of": [ "off", "strict", 
@@ -2838,36 +2847,36 @@ }, { "dpop_use_nonce": { - "required": false, - "type": "boolean", "default": false, - "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime." + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", + "required": false, + "type": "boolean" } }, { "dpop_proof_lifetime": { - "required": false, - "type": "number", "default": 300, - "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise." + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "required": false, + "type": "number" } }, { "claims_forbidden": { - "required": false, - "type": "array", - "description": "If given, these claims are forbidden in the token payload.", "elements": { "type": "string" - } + }, + "description": "If given, these claims are forbidden in the token payload.", + "required": false, + "type": "array" } }, { "cluster_cache_strategy": { - "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", "required": false, "type": "string", "default": "off", + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", "one_of": [ "off", "redis" 
@@ -2876,56 +2885,187 @@ }, { "cluster_cache_redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } 
+ ], "fields": [ { "host": { - "type": "string", "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } }, { "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { @@ -2937,10 +3077,10 @@ }, { "password": { + "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { 
@@ -2952,27 +3092,27 @@ }, { "sentinel_password": { + "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer" } }, { "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 ], - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "default": 256, "type": "integer" } }, 
@@ -2982,289 +3122,149 @@ 0, 2147483646 ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string" + ] } }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "required": false, + "type": "array", "elements": { + "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } } - ], - "type": "record" + ] }, - "type": "array", - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "required": false, + "type": "array", "elements": { + "type": "record", "fields": [ { "ip": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ "type": "integer" } } - ], - "type": "record" + ] }, - "type": "array", - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, { "ssl": { - "required": false, - "description": "If set to true, uses SSL to connect to Redis.", "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, "type": "boolean" } }, { "ssl_verify": { - "required": false, - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, "type": "boolean" } }, { "server_name": { - "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, - "description": "A string representing an SNI (server name indication) value for TLS." + "type": "string" } }, { "cluster_max_redirections": { - "required": false, - "description": "Maximum retry attempts for redirection.", "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, "type": "integer" } }, { "connection_is_proxied": { - "required": false, - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, "type": "boolean" } } - ], - "required": true, - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - }, - { - "cluster_addresses": { - "deprecation": { - "message": "cluster_addresses is deprecated, 
please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - } ] } } - ], - "type": "record", - "description": "openid-connect plugin configuration." + ] } } - ], - "type": "record" - } + ] + }, + "description": "List of openid_connect strategies.", + "required": false, + "type": "array" } } - ], - "description": "The map of v2 strategies.", - "type": "record", - "default": [ - - ], - "required": false + ] } } ], - "type": "record", - "entity_checks": [ - - ], - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/ldap-auth-advanced/3.9.x.json b/schemas/ldap-auth-advanced/3.9.x.json index 9f83e8d3..545178ce 100644 --- a/schemas/ldap-auth-advanced/3.9.x.json +++ b/schemas/ldap-auth-advanced/3.9.x.json @@ -11,8 +11,6 @@ "fields": [ { "protocols": { - "type": "set", - "required": true, "default": [ "grpc", "grpcs", @@ -31,22 +29,24 @@ "ws", "wss" ] - } + }, + "required": true, + "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -62,48 +62,48 @@ }, { "ldap_password": { + "encrypted": true, "description": "The password to the LDAP server.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { "ldap_port": { - "type": "number", "default": 389, - "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636." + "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", + "type": "number" } }, { "bind_dn": { - "type": "string", + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", "referenceable": true, - "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated." + "type": "string" } }, { "ldaps": { - "required": true, - "type": "boolean", "default": false, - "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled." + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "required": true, + "type": "boolean" } }, { "start_tls": { - "required": true, - "type": "boolean", "default": false, - "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. 
If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled." + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "required": true, + "type": "boolean" } }, { "verify_ldap_host": { - "required": true, - "type": "boolean", "default": false, - "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive." + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "required": true, + "type": "boolean" } }, { 
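Review bot: The `ldaps` description in this hunk says "If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled", but no `ldap` field appears in the schema, so it presumably should read `ldaps`. The same wording appears in the ldap-auth hunk `@@ -68,70 +83,70 @@`. `verify_ldap_host` also keeps `"default": false`, and its description does not say that the default leaves the LDAP server certificate unchecked even when `ldaps` or `start_tls` is on; one added sentence would cover it, such as `With the default, the server certificate is not verified.` The ldap-auth hunk `@@ -33,34 +31,51 @@` adds an `entity_checks` conditional that rejects `ldaps` and `start_tls` together. No equivalent check is visible in these hunks, though the `config` record's opening lies outside them, so this is worth confirming.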
@@ -122,59 +122,60 @@ }, { "cache_ttl": { - "required": true, - "type": "number", "default": 60, - "description": "Cache expiry time in seconds." + "description": "Cache expiry time in seconds.", + "required": true, + "type": "number" } }, { "hide_credentials": { - "type": "boolean", "default": false, - "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request." + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "type": "boolean" } }, { "timeout": { - "type": "number", "default": 10000, - "description": "An optional timeout in milliseconds when waiting for connection with LDAP server." + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" } }, { "keepalive": { - "type": "number", "default": 60000, - "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed." + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "type": "string", "default": "", - "len_min": 0 + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "len_min": 0, + "type": "string" } }, { "header_type": { - "type": "string", "default": "ldap", - "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`." + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", + "type": "string" } }, { "consumer_optional": { - "required": false, - "type": "boolean", "default": false, - "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user." + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", + "required": false, + "type": "boolean" } }, { "consumer_by": { "required": false, + "type": "array", "elements": { "type": "string", "one_of": [ 
@@ -182,49 +183,48 @@ "custom_id" ] }, - "type": "array", + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", "default": [ "username", "custom_id" - ], - "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both." + ] } }, { "group_base_dn": { - "type": "string", - "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'." + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", + "type": "string" } }, { "group_name_attribute": { - "type": "string", - "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive." + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", + "type": "string" } }, { "group_member_attribute": { - "type": "string", "default": "memberOf", - "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive." + "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive.", + "type": "string" } }, { "log_search_results": { - "required": false, - "type": "boolean", "default": false, - "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment." + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. 
Not recommended to be enabled in a production environment.", + "required": false, + "type": "boolean" } }, { "groups_required": { - "type": "array", - "required": false, - "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", "elements": { "type": "string" - } + }, + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", + "required": false, + "type": "array" } }, { @@ -235,8 +235,8 @@ } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/ldap-auth/3.9.x.json b/schemas/ldap-auth/3.9.x.json index 0eeec567..c165cd47 100644 --- a/schemas/ldap-auth/3.9.x.json +++ b/schemas/ldap-auth/3.9.x.json @@ -6,15 +6,13 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", - "required": true, "default": [ "grpc", "grpcs", 
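Review bot: The `group_base_dn` description in hunk `@@ -182,49 +183,48 @@` ends with the stray fragment `',dc=com'.` after "This field is case-insensitive.", which looks like the tail of a truncated example DN. I would either drop the fragment or restore a complete example, such as `For example, ou=groups,dc=example,dc=com.` (a constructed value). In the same hunk, the `log_search_results` description advises against production use without giving a reason. If the logged results can include directory attributes of the authenticating user, which is inferred from the wording and not shown here, saying so would help operators decide. The `config` record that holds these fields opens outside the hunk.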
@@ -33,34 +31,51 @@ "ws", "wss" ] - } + }, + "required": true, + "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "entity_checks": [ + { + "conditional": { + "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", + "if_match": { + "eq": true + }, + "then_field": "start_tls", + "if_field": "ldaps", + "then_match": { + "eq": false + } + } + } + ], "fields": [ { "ldap_host": { - "type": "string", + "description": "A string representing a host name, such as example.com.", "required": true, - "description": "A string representing a host name, such as example.com." + "type": "string" } }, { "ldap_port": { - "required": true, "between": [ 0, 65535 ], + "required": true, "type": "integer", "default": 389, "description": "An integer representing a port number between 0 and 65535, inclusive." 
@@ -68,70 +83,70 @@ }, { "ldaps": { - "type": "boolean", - "required": true, "default": false, - "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled." + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "required": true, + "type": "boolean" } }, { "start_tls": { - "type": "boolean", - "required": true, "default": false, - "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled." + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "required": true, + "type": "boolean" } }, { "verify_ldap_host": { - "type": "boolean", - "required": true, "default": false, - "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive." + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "required": true, + "type": "boolean" } }, { "base_dn": { "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", - "type": "string", - "required": true + "required": true, + "type": "string" } }, { "attribute": { "description": "Attribute to be used to search the user; e.g. 
cn", - "type": "string", - "required": true + "required": true, + "type": "string" } }, { "cache_ttl": { - "type": "number", - "required": true, "default": 60, - "description": "Cache expiry time in seconds." + "description": "Cache expiry time in seconds.", + "required": true, + "type": "number" } }, { "hide_credentials": { - "type": "boolean", - "required": true, "default": false, - "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request." + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "required": true, + "type": "boolean" } }, { "timeout": { - "type": "number", "default": 10000, - "description": "An optional timeout in milliseconds when waiting for connection with LDAP server." + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" } }, { "keepalive": { - "type": "number", "default": 60000, - "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed." + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" } }, { 
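Review bot: The `ldaps` description added here ends with "If the ldap setting is enabled, ensure the start_tls setting is disabled", but the field is `ldaps` and no `ldap` field is visible in these hunks; the sentence should name `ldaps`. Separately, `verify_ldap_host` defaults to `false`, so with `ldaps` or `start_tls` turned on the link is encrypted while the server certificate is presumably not validated, and neither description says so. I would append to the `verify_ldap_host` description: `When false, the LDAP server certificate is not validated, even if ldaps or start_tls is enabled.` The `ldaps` text also requires port 636, while the `entity_checks` visible in this file only cover the `ldaps`/`start_tls` conflict.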
@@ -142,36 +157,21 @@ }, { "header_type": { - "type": "string", "default": "ldap", - "description": "An optional string to use as part of the Authorization header" + "description": "An optional string to use as part of the Authorization header", + "type": "string" } }, { "realm": { "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", - "type": "string", - "required": false - } - } - ], - "type": "record", - "entity_checks": [ - { - "conditional": { - "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", - "if_match": { - "eq": true - }, - "then_field": "start_tls", - "if_field": "ldaps", - "then_match": { - "eq": false - } + "required": false, + "type": "string" } } ], - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/loggly/3.9.x.json b/schemas/loggly/3.9.x.json index 115b27b8..7f4564c6 100644 --- a/schemas/loggly/3.9.x.json +++ b/schemas/loggly/3.9.x.json @@ -6,9 +6,16 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -20,23 +27,16 @@ "udp", "ws", "wss" - ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing protocols." + ], + "type": "string" + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -45,45 +45,45 @@ "fields": [ { "host": { - "type": "string", "default": "logs-01.loggly.com", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 514, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 514, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } }, { "key": { - "type": "string", - "required": true, + "encrypted": true, "referenceable": true, - "encrypted": true + "required": true, + "type": "string" } }, { "tags": { - "type": "set", "default": [ "kong" ], "elements": { "type": "string" - } + }, + "type": "set" } }, { "log_level": { - "type": "string", "default": "info", + "type": "string", "one_of": [ "debug", "info", @@ -98,8 +98,8 @@ }, { "successful_severity": { - "type": "string", "default": "info", + "type": "string", "one_of": [ "debug", "info", @@ -114,8 +114,8 @@ }, { "client_errors_severity": { - "type": "string", "default": "info", + "type": "string", "one_of": [ "debug", "info", @@ -130,8 +130,8 @@ }, { "server_errors_severity": { - "type": "string", "default": "info", + "type": "string", "one_of": [ "debug", "info", @@ -152,21 +152,21 @@ }, { "custom_fields_by_lua": { - "keys": { - "type": "string", - "len_min": 1 - }, - "type": "map", "description": "Lua code as a key-value map", "values": { "len_min": 1, "type": "string" - } + }, + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/mocking/3.9.x.json b/schemas/mocking/3.9.x.json index 1a637a5f..246c1047 100644 --- a/schemas/mocking/3.9.x.json +++ b/schemas/mocking/3.9.x.json 
@@ -11,6 +11,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -19,22 +27,14 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -43,88 +43,88 @@ "fields": [ { "api_specification_filename": { + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", "required": false, - "type": "string", - "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode." + "type": "string" } }, { "api_specification": { "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "random_delay": { - "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs.", "default": false, + "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs.", "type": "boolean" } }, { "max_delay_time": { - "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", "default": 1, + "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", "type": "number" } }, { "min_delay_time": { - "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`.", "default": 0.001, + "description": "The minimum value in seconds of delay time. 
Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`.", "type": "number" } }, { "random_examples": { - "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", "default": false, + "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", "type": "boolean" } }, { "included_status_codes": { - "description": "A global list of the HTTP status codes that can only be selected and returned.", - "type": "array", "elements": { "type": "integer" - } + }, + "description": "A global list of the HTTP status codes that can only be selected and returned.", + "type": "array" } }, { "random_status_code": { - "type": "boolean", - "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", "default": false, - "required": true + "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", + "required": true, + "type": "boolean" } }, { "include_base_path": { - "type": "boolean", - "description": "Indicates whether to include the base path when performing path match evaluation.", "default": false, - "required": true + "description": "Indicates whether to include the base path when performing path match evaluation.", + "required": true, + "type": "boolean" } }, { "custom_base_path": { + "required": false, + "type": "string", "description": "The base path to be used for path match evaluation. 
This value is ignored if `include_base_path` is set to `false`.", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], - "starts_with": "/", - "type": "string", - "required": false + "starts_with": "/" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/mtls-auth/3.9.x.json b/schemas/mtls-auth/3.9.x.json index 5a1a0595..d65a598b 100644 --- a/schemas/mtls-auth/3.9.x.json +++ b/schemas/mtls-auth/3.9.x.json @@ -6,14 +6,22 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -22,27 +30,33 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "entity_checks": [ + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], "fields": [ { "anonymous": { @@ -53,6 +67,7 @@ { "consumer_by": { "required": false, + "type": "array", "elements": { "type": "string", "one_of": [ 
@@ -60,55 +75,54 @@ "custom_id" ] }, - "type": "array", + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", "default": [ "username", "custom_id" - ], - "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled." + ] } }, { "ca_certificates": { - "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", - "required": true, - "type": "array", "elements": { "uuid": true, "type": "string" - } + }, + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", + "required": true, + "type": "array" } }, { "cache_ttl": { + "default": 60, "description": "Cache expiry time in seconds.", "required": true, - "default": 60, "type": "number" } }, { "skip_consumer_lookup": { + "default": false, "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", "required": true, - "default": false, "type": "boolean" } }, { "allow_partial_chain": { + "default": false, "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", "required": true, - "default": false, "type": "boolean" } }, { "authenticated_group_by": { - "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). 
Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "required": false, "type": "string", "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "one_of": [ "CN", "DN" @@ -117,10 +131,10 @@ }, { "revocation_check_mode": { - "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "required": false, "type": "string", "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "one_of": [ "SKIP", "IGNORE_CA_ERROR", 
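Review bot: The access warning that belongs to `skip_consumer_lookup` appears only inside the `authenticated_group_by` description ("any client with a valid certificate can access the Service/API"). Someone reading `skip_consumer_lookup` on its own sees just "Skip consumer lookup once certificate is trusted against the configured CA list." I would add to the `skip_consumer_lookup` description: `When enabled, any client whose certificate is trusted by a configured CA is admitted; use the ACL plugin with authenticated_group_by to restrict access.` The same hunk also documents `allow_partial_chain` without noting that it relaxes chain validation to an intermediate, which is worth one clause.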
@@ -130,23 +144,23 @@ }, { "http_timeout": { - "type": "number", "default": 30000, - "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL." + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number" } }, { "cert_cache_ttl": { - "type": "number", "default": 60000, - "description": "The length of time in seconds between refreshes of the revocation check status cache." + "description": "The length of time in seconds between refreshes of the revocation check status cache.", + "type": "number" } }, { "send_ca_dn": { - "type": "boolean", "default": false, - "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message." + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", + "type": "boolean" } }, { @@ -157,8 +171,8 @@ }, { "http_proxy_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { @@ -167,14 +181,14 @@ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "https_proxy_host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { 
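Review bot: `cert_cache_ttl` is documented in seconds but defaults to `60000`, while the neighbouring `http_timeout` (default `30000`) is documented in milliseconds, so one of the two units looks wrong. If seconds is really meant, a cached revocation status could be reused for roughly 16.7 hours, which matters for how quickly a revoked client certificate stops being accepted. If the unit is milliseconds, the description should read `The length of time in milliseconds between refreshes of the revocation check status cache.` Otherwise the description should state the long default explicitly.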
@@ -183,27 +197,13 @@ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } } ], - "type": "record", - "entity_checks": [ - { - "mutually_required": [ - "http_proxy_host", - "http_proxy_port" - ] - }, - { - "mutually_required": [ - "https_proxy_host", - "https_proxy_port" - ] - } - ], - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/oas-validation/3.9.x.json b/schemas/oas-validation/3.9.x.json index ec989a51..ada2985b 100644 --- a/schemas/oas-validation/3.9.x.json +++ b/schemas/oas-validation/3.9.x.json @@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -14,22 +22,14 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -38,132 +38,132 @@ "fields": [ { "api_spec": { - "type": "string", "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format.", - "required": true + "required": true, + "type": "string" } }, { "verbose_response": { - "required": false, - "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", "default": false, + "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", + "required": false, "type": "boolean" } }, { "validate_request_body": { - "required": false, - "description": "If set to true, validates the request body content against the API specification.", "default": true, + "description": "If set to true, validates the request body content against the API specification.", + "required": false, "type": "boolean" } }, { "notify_only_request_validation_failure": { - "required": false, - "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", "default": false, + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", + "required": false, "type": "boolean" } }, { "validate_request_header_params": { - "required": false, - "description": "If set to true, validates HTTP header parameters against the API specification.", "default": true, + "description": "If set to true, validates HTTP header parameters against the API specification.", + "required": false, "type": "boolean" } }, { "validate_request_query_params": { - "required": false, - "description": "If set to true, validates query parameters against the API specification.", "default": true, + "description": "If set to true, validates query 
parameters against the API specification.", + "required": false, "type": "boolean" } }, { "validate_request_uri_params": { - "required": false, - "description": "If set to true, validates URI parameters in the request against the API specification.", "default": true, + "description": "If set to true, validates URI parameters in the request against the API specification.", + "required": false, "type": "boolean" } }, { "validate_response_body": { - "required": false, - "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", "default": false, + "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", + "required": false, "type": "boolean" } }, { "notify_only_response_body_validation_failure": { - "required": false, - "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", "default": false, + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", + "required": false, "type": "boolean" } }, { "query_parameter_check": { - "required": true, - "description": "If set to true, checks if query parameters in the request exist in the API specification.", "default": false, + "description": "If set to true, checks if query parameters in the request exist in the API specification.", + "required": true, "type": "boolean" } }, { "header_parameter_check": { - "required": true, - "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", "default": false, + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", + "required": true, 
"type": "boolean" } }, { "allowed_header_parameters": { - "required": false, - "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", "default": "Host,Content-Type,User-Agent,Accept,Content-Length", + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", + "required": false, "type": "string" } }, { "include_base_path": { - "required": true, - "description": "Indicates whether to include the base path when performing path match evaluation.", "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation.", + "required": true, "type": "boolean" } }, { "api_spec_encoded": { - "required": true, - "description": "Indicates whether the api_spec is URI-Encoded.", "default": true, + "description": "Indicates whether the api_spec is URI-Encoded.", + "required": true, "type": "boolean" } }, { "custom_base_path": { + "required": false, + "type": "string", "description": "The base path to be used for path match evaluation. 
This value is ignored if `include_base_path` is set to `false`.", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], - "starts_with": "/", - "type": "string", - "required": false + "starts_with": "/" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/oauth2-introspection/3.9.x.json b/schemas/oauth2-introspection/3.9.x.json index 5e7fac0d..8b041407 100644 --- a/schemas/oauth2-introspection/3.9.x.json +++ b/schemas/oauth2-introspection/3.9.x.json @@ -6,14 +6,22 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -22,22 +30,14 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -46,83 +46,83 @@ "fields": [ { "introspection_url": { - "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "type": "string" } }, { "ttl": { - "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", "default": 30, + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", "type": "number" } }, { "token_type_hint": { - "description": "The `token_type_hint` value to associate to introspection requests.", - "type": "string" + "type": "string", + "description": "The `token_type_hint` value to associate to introspection requests." } }, { "authorization_value": { + "encrypted": true, "required": true, - "referenceable": true, "type": "string", "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", - "encrypted": true + "referenceable": true } }, { "timeout": { - "description": "An optional timeout in milliseconds when sending data to the upstream server.", "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", "type": "integer" } }, { "keepalive": { - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", "type": "integer" } }, { "introspect_request": { - "required": true, - "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. 
If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", "default": false, + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", + "required": true, "type": "boolean" } }, { "hide_credentials": { - "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request.", "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request.", "type": "boolean" } }, { "run_on_preflight": { - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", "type": "boolean" } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "default": "", - "len_min": 0 + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "len_min": 0, + "type": "string" } }, { "consumer_by": { - "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", "required": true, "type": "string", "default": "username", + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", "one_of": [ "username", "client_id" @@ -131,36 +131,36 @@ }, { "custom_introspection_headers": { - "description": "A list of custom headers to be added in the introspection request.", "values": { "type": "string" }, - "keys": { - "type": "string" - }, + "required": true, "type": "map", "default": [ ], - "required": true + "description": "A list of custom headers to be added in the introspection request.", + "keys": { + "type": "string" + } } }, { "custom_claims_forward": { "required": true, + "type": "set", "elements": { "type": "string" }, - "type": "set", + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", "default": [ - ], - "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`." + ] } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/oauth2/3.9.x.json b/schemas/oauth2/3.9.x.json index dab713dd..2c0e00b3 100644 --- a/schemas/oauth2/3.9.x.json +++ b/schemas/oauth2/3.9.x.json 
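Review bot: The `anonymous` description says "If empty (default null)", but the new side declares `"default": ""` with `"len_min": 0`, so the documented default and the schema default disagree. I would change the phrase to `If empty (the default), the request fails with an authentication failure 4xx.` In the same hunk `ttl` says that 0 disables expiration. A clause noting that a cached introspection result then presumably never ages out, so a revoked token could keep being accepted, would make the trade-off visible.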
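Review bot: `custom_introspection_headers` is declared `"type": "map"` but its `default` is the array literal `[ ]`, and its description calls it "A list of custom headers". A consumer that validates defaults against the declared type would reject an array where a map is expected. This may be an empty table serialized ambiguously by the exporter, in which case the default should be emitted as `"default": { }`. The description would then read `A map of custom header names to values to be added in the introspection request.`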
@@ -6,15 +6,13 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", - "required": true, "default": [ "grpc", "grpcs", 
@@ -33,101 +31,117 @@ "ws", "wss" ] - } + }, + "required": true, + "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "entity_checks": [ + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "scopes", + "if_field": "mandatory_scope", + "then_match": { + "required": true + } + } + } + ], "fields": [ { "scopes": { - "type": "array", - "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", "elements": { "type": "string" - } + }, + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", + "type": "array" } }, { "mandatory_scope": { - "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", - "type": "boolean", "default": false, - "required": true + "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", + "required": true, + "type": "boolean" } }, { "provision_key": { - "required": true, + "encrypted": true, + "unique": true, "type": "string", "description": "The unique key the plugin has generated when it has been added to the Service.", - "auto": true, - "unique": true, - "encrypted": true + "required": true, + "auto": true } }, { "token_expiration": { - "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. 
Set to `0` to disable the expiration.", - "type": "number", "default": 7200, - "required": true + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration.", + "required": true, + "type": "number" } }, { "enable_authorization_code": { - "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", - "type": "boolean", "default": false, - "required": true + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", + "required": true, + "type": "boolean" } }, { "enable_implicit_grant": { - "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", - "type": "boolean", "default": false, - "required": true + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", + "required": true, + "type": "boolean" } }, { "enable_client_credentials": { - "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", - "type": "boolean", "default": false, - "required": true + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", + "required": true, + "type": "boolean" } }, { "enable_password_grant": { - "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", - "type": "boolean", "default": false, - "required": true + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", + "required": true, + "type": "boolean" } }, { "hide_credentials": { - 
"description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", - "type": "boolean", "default": false, - "required": true + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "required": true, + "type": "boolean" } }, { "accept_http_if_already_terminated": { - "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", - "type": "boolean", "default": false, - "required": true + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", + "required": true, + "type": "boolean" } }, { @@ -138,26 +152,26 @@ }, { "global_credentials": { - "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", - "type": "boolean", "default": false, - "required": true + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", + "required": true, + "type": "boolean" } }, { "auth_header_name": { - "type": "string", "default": "authorization", - "description": "The name of the header that is supposed to carry the access token." + "description": "The name of the header that is supposed to carry the access token.", + "type": "string" } }, { "refresh_token_ttl": { - "required": true, "between": [ 0, 100000000 ], + "required": true, "type": "number", "default": 1209600, "description": "Time-to-live value for data" 
@@ -165,25 +179,25 @@ }, { "reuse_refresh_token": { - "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", - "type": "boolean", "default": false, - "required": true + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", + "required": true, + "type": "boolean" } }, { "persistent_refresh_token": { - "type": "boolean", "default": false, - "required": true + "required": true, + "type": "boolean" } }, { "pkce": { "required": false, - "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", "type": "string", "default": "lax", + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", "one_of": [ "none", "lax", @@ -193,27 +207,13 @@ }, { "realm": { - "required": false, "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": false, "type": "string" } } ], "required": true, - "entity_checks": [ - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "scopes", - "if_field": "mandatory_scope", - "then_match": { - "required": true - } - } - } - ], "type": "record" } } diff --git a/schemas/opa/3.9.x.json b/schemas/opa/3.9.x.json index dc667be3..1b302c32 100644 --- a/schemas/opa/3.9.x.json +++ b/schemas/opa/3.9.x.json @@ -6,14 +6,22 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -22,22 +30,14 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -46,9 +46,9 @@ "fields": [ { "opa_protocol": { + "default": "http", "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", "type": "string", - "default": "http", "one_of": [ "http", "https" @@ -57,19 +57,19 @@ }, { "opa_host": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "default": "localhost", - "required": true + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" } }, { "opa_port": { - "required": true, "between": [ 0, 65535 ], + "required": true, "type": "integer", "default": 8181, "description": "An integer representing a port number between 0 and 65535, inclusive." 
@@ -77,37 +77,37 @@ }, { "opa_path": { + "required": true, + "type": "string", "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], - "starts_with": "/", - "type": "string", - "required": true + "starts_with": "/" } }, { "include_service_in_opa_input": { - "type": "boolean", "default": false, - "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA." + "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", + "type": "boolean" } }, { "include_route_in_opa_input": { - "type": "boolean", "default": false, - "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA." + "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", + "type": "boolean" } }, { "include_consumer_in_opa_input": { - "type": "boolean", "default": false, - "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA." + "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", + "type": "boolean" } }, { 
@@ -118,29 +118,29 @@ }, { "include_parsed_json_body_in_opa_input": { - "type": "boolean", "default": false, - "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA." + "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", + "type": "boolean" } }, { "include_uri_captures_in_opa_input": { - "type": "boolean", "default": false, - "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA." + "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", + "type": "boolean" } }, { "ssl_verify": { - "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", - "type": "boolean", "default": true, - "required": true + "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "required": true, + "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/openid-connect/3.9.x.json b/schemas/openid-connect/3.9.x.json index eebba972..7a0c9dd9 100644 --- a/schemas/openid-connect/3.9.x.json +++ b/schemas/openid-connect/3.9.x.json 
@@ -12,14 +12,22 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -28,832 +36,1069 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "fields": [ + "type": "record", + "shorthand_fields": [ { - "issuer": { - "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", - "required": true, + "authorization_cookie_lifetime": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.authorization_cookie_lifetime is deprecated, please use config.authorization_rolling_timeout instead" + }, + "type": "number" + } + }, + { + "authorization_cookie_samesite": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.authorization_cookie_samesite is deprecated, please use config.authorization_cookie_same_site instead" + }, "type": "string" } }, { - "using_pseudo_issuer": { - "required": false, - "type": "boolean", - "default": false, - "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`." 
+ "authorization_cookie_httponly": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.authorization_cookie_httponly is deprecated, please use config.authorization_cookie_http_only instead" + }, + "type": "boolean" } }, { - "discovery_headers_names": { - "required": false, - "type": "array", - "description": "Extra header names passed to the discovery endpoint.", - "elements": { - "type": "string" - } + "session_cookie_lifetime": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead" + }, + "type": "number" } }, { - "discovery_headers_values": { - "required": false, - "type": "array", - "description": "Extra header values passed to the discovery endpoint.", - "elements": { - "type": "string" - } + "session_cookie_idletime": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead" + }, + "type": "number" } }, { - "extra_jwks_uris": { - "required": false, - "type": "set", - "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", - "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" - } + "session_cookie_samesite": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead" + }, + "type": "string" } }, { - "rediscovery_lifetime": { - "required": false, - "type": "number", - "default": 30, - "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis." 
+ "session_cookie_httponly": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead" + }, + "type": "boolean" } }, { - "auth_methods": { - "description": "Types of credentials/grants to enable.", - "elements": { - "type": "string", - "one_of": [ - "password", - "client_credentials", - "authorization_code", - "bearer", - "introspection", - "userinfo", - "kong_oauth2", - "refresh_token", - "session" - ] + "session_memcache_prefix": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead" }, - "type": "array", - "default": [ - "password", - "client_credentials", - "authorization_code", - "bearer", - "introspection", - "userinfo", - "kong_oauth2", - "refresh_token", - "session" - ], - "required": false + "type": "string" } }, { - "client_id": { - "required": false, - "elements": { - "referenceable": true, - "type": "string" + "session_memcache_socket": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead" }, - "type": "array", - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", - "encrypted": true + "type": "string" } }, { - "client_secret": { - "required": false, - "elements": { - "referenceable": true, - "type": "string" + "session_memcache_host": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead" }, - "type": "array", - "description": "The client secret.", - "encrypted": true + "type": "string" } }, { - "client_auth": { - "required": false, - "type": "array", - "description": "The default OpenID Connect 
client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", - "elements": { - "type": "string", - "one_of": [ - "client_secret_basic", - "client_secret_post", - "client_secret_jwt", - "private_key_jwt", - "tls_client_auth", - "self_signed_tls_client_auth", - "none" - ] - } + "session_memcache_port": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead" + }, + "type": "integer" } }, { - "client_jwk": { - "required": false, - "type": "array", - "description": "The JWK used for the private_key_jwt authentication.", - "elements": { - "fields": [ + "session_cookie_renew": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_renew option does not exist anymore" + }, + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore" + }, + "type": "integer" + } + }, + { + "session_strategy": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_strategy option does not exist anymore" + }, + "type": "string" + } + }, + { + "session_compressor": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_compressor option does not exist anymore" + }, + "type": "string" + } + }, + { + "session_redis_prefix": { + "deprecation": { + "message": "openid-connect: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", + "removal_in_version": "4.0", + 
"replaced_with": [ { - "issuer": { - "type": "string", - "required": false - } - }, + "path": [ + "redis", + "prefix" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_socket": { + "deprecation": { + "message": "openid-connect: config.session_redis_socket is deprecated, please use config.redis.socket instead", + "removal_in_version": "4.0", + "replaced_with": [ { - "kty": { - "type": "string", - "required": false - } - }, + "path": [ + "redis", + "socket" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_host": { + "deprecation": { + "message": "openid-connect: config.session_redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0", + "replaced_with": [ { - "use": { - "type": "string", - "required": false - } - }, - { - "key_ops": { - "required": false, - "type": "array", - "elements": { - "type": "string", - "required": false - } - } - }, - { - "alg": { - "type": "string", - "required": false - } - }, - { - "kid": { - "type": "string", - "required": false - } - }, - { - "x5u": { - "type": "string", - "required": false - } - }, - { - "x5c": { - "required": false, - "type": "array", - "elements": { - "type": "string", - "required": false - } - } - }, - { - "x5t": { - "type": "string", - "required": false - } - }, - { - "x5t#S256": { - "type": "string", - "required": false - } - }, - { - "k": { - "type": "string", - "required": false, - "referenceable": true, - "encrypted": true - } - }, - { - "x": { - "type": "string", - "required": false - } - }, - { - "y": { - "type": "string", - "required": false - } - }, - { - "crv": { - "type": "string", - "required": false - } - }, - { - "n": { - "type": "string", - "required": false - } - }, - { - "e": { - "type": "string", - "required": false - } - }, - { - "d": { - "type": "string", - "required": false, - "referenceable": true, - "encrypted": true - } - }, - { - "p": { - "type": "string", - "required": false, - "referenceable": true, - "encrypted": true - 
} - }, - { - "q": { - "type": "string", - "required": false, - "referenceable": true, - "encrypted": true - } - }, - { - "dp": { - "type": "string", - "required": false, - "referenceable": true, - "encrypted": true - } - }, - { - "dq": { - "type": "string", - "required": false, - "referenceable": true, - "encrypted": true - } - }, - { - "qi": { - "type": "string", - "required": false, - "referenceable": true, - "encrypted": true - } - }, - { - "oth": { - "type": "string", - "required": false, - "referenceable": true, - "encrypted": true - } - }, - { - "r": { - "type": "string", - "required": false, - "referenceable": true, - "encrypted": true - } - }, - { - "t": { - "type": "string", - "required": false, - "referenceable": true, - "encrypted": true - } + "path": [ + "redis", + "host" + ] } - ], - "type": "record", - "required": false - } - } - }, - { - "client_alg": { - "required": false, - "type": "array", - "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", - "elements": { - "type": "string", - "one_of": [ - "HS256", - "HS384", - "HS512", - "RS256", - "RS384", - "RS512", - "ES256", - "ES384", - "ES512", - "PS256", - "PS384", - "PS512", - "EdDSA" ] - } + }, + "type": "string" } }, { - "client_arg": { - "required": false, - "type": "string", - "default": "client_id", - "description": "The client to use for this request (the selection is made with a request parameter with the same name)." 
+ "session_redis_port": { + "deprecation": { + "message": "openid-connect: config.session_redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ] + }, + "type": "integer" } }, { - "redirect_uri": { - "required": false, - "type": "array", - "description": "The redirect URI passed to the authorization and token endpoints.", - "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" - } + "session_redis_username": { + "deprecation": { + "message": "openid-connect: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ] + }, + "type": "string" } }, { - "login_redirect_uri": { - "required": false, - "type": "array", - "description": "Where to redirect the client when `login_action` is set to `redirect`.", - "elements": { - "type": "string", - "referenceable": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - } + "session_redis_password": { + "deprecation": { + "message": "openid-connect: config.session_redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ] + }, + "type": "string" } }, { - "logout_redirect_uri": { - "required": false, - "type": "array", - "description": "Where to redirect the client after the logout.", - "elements": { - "type": "string", - "referenceable": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
- } + "session_redis_connect_timeout": { + "deprecation": { + "message": "openid-connect: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "connect_timeout" + ] + } + ] + }, + "type": "integer" } }, { - "forbidden_redirect_uri": { - "required": false, - "type": "array", - "description": "Where to redirect the client on forbidden requests.", - "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" - } + "session_redis_read_timeout": { + "deprecation": { + "message": "openid-connect: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "read_timeout" + ] + } + ] + }, + "type": "integer" } }, { - "forbidden_error_message": { - "required": false, - "type": "string", - "default": "Forbidden", - "description": "The error message for the forbidden requests (when not using the redirection)." + "session_redis_send_timeout": { + "deprecation": { + "message": "openid-connect: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "send_timeout" + ] + } + ] + }, + "type": "integer" } }, { - "forbidden_destroy_session": { - "required": false, - "type": "boolean", - "default": true, - "description": "Destroy any active session for the forbidden requests." 
+ "session_redis_ssl": { + "deprecation": { + "message": "openid-connect: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ] + }, + "type": "boolean" } }, { - "unauthorized_destroy_session": { - "required": false, - "type": "boolean", - "default": true, - "description": "Destroy any active session for the unauthorized requests." + "session_redis_ssl_verify": { + "deprecation": { + "message": "openid-connect: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ] + }, + "type": "boolean" } }, { - "unauthorized_redirect_uri": { - "required": false, - "type": "array", - "description": "Where to redirect the client on unauthorized requests.", + "session_redis_server_name": { + "deprecation": { + "message": "openid-connect: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_cluster_nodes": { "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "type": "array", + "deprecation": { + "message": "openid-connect: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", + "removal_in_version": "4.0", + 
"replaced_with": [ + { + "path": [ + "redis", + "cluster_nodes" + ] + } + ] } } }, { - "unauthorized_error_message": { - "required": false, - "type": "string", - "default": "Unauthorized", - "description": "The error message for the unauthorized requests (when not using the redirection)." + "session_redis_cluster_max_redirections": { + "deprecation": { + "message": "openid-connect: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "cluster_max_redirections" + ] + } + ] + }, + "type": "integer" } - }, + } + ], + "required": true, + "fields": [ { - "unexpected_redirect_uri": { - "required": false, - "type": "array", - "description": "Where to redirect the client when unexpected errors happen with the requests.", - "elements": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" - } + "issuer": { + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "required": true, + "type": "string" } }, { - "response_mode": { - "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "using_pseudo_issuer": { + "default": false, + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", "required": false, - "type": "string", - "default": "query", - "one_of": [ - "query", - "form_post", - "fragment", - "query.jwt", - "form_post.jwt", - "fragment.jwt", - "jwt" - ] + "type": "boolean" } }, { - "response_type": { - "description": "The response type passed to the authorization endpoint.", + "discovery_headers_names": { "elements": { "type": "string" }, - "type": "array", - "default": [ - "code" - ], - "required": false + "description": "Extra header names passed to the discovery endpoint.", + "required": false, + "type": "array" } }, { - "scopes": { - "description": "The scopes passed to the authorization and token endpoints.", + "discovery_headers_values": { "elements": { - "referenceable": true, "type": "string" }, - "type": "array", - "default": [ - "openid" - ], - "required": false + "description": "Extra header values passed to the discovery endpoint.", + "required": false, + "type": "array" } }, { - "audience": { - "required": false, - "type": "array", - "description": "The audience passed to the authorization endpoint.", + "extra_jwks_uris": { "elements": { - "type": "string" - } + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "required": false, + "type": "set" } }, { - "issuers_allowed": { + "rediscovery_lifetime": { + "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. 
Discovery is still triggered on an as-needed basis.", "required": false, - "type": "array", - "description": "The issuers allowed to be present in the tokens (`iss` claim).", - "elements": { - "type": "string" - } + "type": "number" } }, { - "scopes_required": { + "auth_methods": { "required": false, "type": "array", - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ], + "description": "Types of credentials/grants to enable.", "elements": { - "type": "string" + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] } } }, { - "scopes_claim": { - "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "client_id": { + "encrypted": true, + "required": false, + "type": "array", "elements": { + "referenceable": true, "type": "string" }, - "type": "array", - "default": [ - "scope" - ], - "required": false + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." } }, { - "audience_required": { + "client_secret": { + "encrypted": true, "required": false, "type": "array", - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "elements": { - "type": "string" - } - } - }, - { - "audience_claim": { - "description": "The claim that contains the audience. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { + "referenceable": true, "type": "string" }, - "type": "array", - "default": [ - "aud" - ], - "required": false + "description": "The client secret." } }, { - "groups_required": { + "client_auth": { + "elements": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + }, + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", "required": false, - "type": "array", - "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.", + "type": "array" + } + }, + { + "client_jwk": { "elements": { - "type": "string" - } + "type": "record", + "required": false, + "fields": [ + { + "issuer": { + "required": false, + "type": "string" + } + }, + { + "kty": { + "required": false, + "type": "string" + } + }, + { + "use": { + "required": false, + "type": "string" + } + }, + { + "key_ops": { + "elements": { + "required": false, + "type": "string" + }, + "required": false, + "type": "array" + } + }, + { + "alg": { + "required": false, + "type": "string" + } + }, + { + "kid": { + "required": false, + "type": "string" + } + }, + { + "x5u": { + "required": false, + "type": "string" + } + }, + { + "x5c": { + "elements": { + "required": false, + "type": "string" + }, + "required": false, + "type": "array" + } + }, + { + "x5t": { + "required": false, + "type": "string" + } + }, + { + "x5t#S256": { + "required": false, + "type": "string" + } + }, + { + "k": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "x": { + "required": false, + "type": "string" + } + }, + { + "y": { + "required": false, + "type": "string" + } + }, + { + "crv": { + "required": false, + "type": "string" + } + }, + { + "n": { + "required": false, + "type": "string" + } + }, + { + "e": { + "required": false, + "type": "string" + } + }, + { + "d": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "p": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "q": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "dp": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "dq": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "qi": { + "encrypted": true, + "required": false, + 
"referenceable": true, + "type": "string" + } + }, + { + "oth": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "r": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "t": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + } + ] + }, + "description": "The JWK used for the private_key_jwt authentication.", + "required": false, + "type": "array" } }, { - "groups_claim": { - "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "client_alg": { "elements": { - "type": "string" + "type": "string", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS384", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] }, - "type": "array", - "default": [ - "groups" - ], - "required": false + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "required": false, + "type": "array" } }, { - "roles_required": { + "client_arg": { + "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", "required": false, - "type": "array", - "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "string" + } + }, + { + "redirect_uri": { "elements": { - "type": "string" - } + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "The redirect URI passed to the authorization and token endpoints.", + "required": false, + "type": "array" } }, { - "roles_claim": { - "description": "The claim that contains the roles. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "login_redirect_uri": { "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true, "type": "string" }, - "type": "array", - "default": [ - "roles" - ], - "required": false + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "required": false, + "type": "array" } }, { - "domains": { - "required": false, - "type": "array", - "description": "The allowed values for the `hd` claim.", + "logout_redirect_uri": { "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true, "type": "string" - } + }, + "description": "Where to redirect the client after the logout.", + "required": false, + "type": "array" } }, { - "max_age": { - "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "forbidden_redirect_uri": { + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client on forbidden requests.", "required": false, - "type": "number" + "type": "array" } }, { - "authenticated_groups_claim": { + "forbidden_error_message": { + "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection).", "required": false, - "type": "array", - "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", - "elements": { - "type": "string" - } + "type": "string" } }, { - "pushed_authorization_request_endpoint": { - "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "forbidden_destroy_session": { + "default": true, + "description": "Destroy any active session for the forbidden requests.", "required": false, - "type": "string" + "type": "boolean" } }, { - "pushed_authorization_request_endpoint_auth_method": { + "unauthorized_destroy_session": { + "default": true, + "description": "Destroy any active session for the unauthorized requests.", "required": false, - "type": "string", - "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", - "one_of": [ - "client_secret_basic", - "client_secret_post", - "client_secret_jwt", - "private_key_jwt", - "tls_client_auth", - "self_signed_tls_client_auth", - "none" - ] + "type": "boolean" } }, { - "require_pushed_authorization_requests": { - "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "unauthorized_redirect_uri": { + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client on unauthorized requests.", "required": false, - "type": "boolean" + "type": "array" } }, { - "require_proof_key_for_code_exchange": { - "description": "Forcibly enable or disable the proof key for code exchange. 
When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "unauthorized_error_message": { + "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection).", "required": false, - "type": "boolean" + "type": "string" } }, { - "require_signed_request_object": { - "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "unexpected_redirect_uri": { + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client when unexpected errors happen with the requests.", "required": false, - "type": "boolean" + "type": "array" } }, { - "authorization_endpoint": { - "description": "The authorization endpoint. 
If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "response_mode": { "required": false, - "type": "string" + "type": "string", + "default": "query", + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "one_of": [ + "query", + "form_post", + "fragment", + "query.jwt", + "form_post.jwt", + "fragment.jwt", + "jwt" + ] } }, { - "authorization_query_args_names": { + "response_type": { "required": false, "type": "array", - "description": "Extra query argument names passed to the authorization endpoint.", + "default": [ + "code" + ], + "description": "The response type passed to the authorization endpoint.", "elements": { "type": "string" } } }, { - "authorization_query_args_values": { + "scopes": { "required": false, "type": "array", - "description": "Extra query argument values passed to the authorization endpoint.", + "default": [ + "openid" + ], + "description": "The scopes passed to the authorization and token endpoints.", "elements": { + "referenceable": true, "type": "string" } } }, { - "authorization_query_args_client": { + "audience": { + "elements": { + "type": "string" + }, + "description": "The audience passed to the authorization endpoint.", + "required": false, + "type": "array" + } + }, + { + "issuers_allowed": { + "elements": { + "type": "string" + }, + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "required": false, + "type": "array" + } + }, + { + "scopes_required": { + "elements": { + "type": "string" + }, + "description": "The scopes 
(`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, + "type": "array" + } + }, + { + "scopes_claim": { "required": false, "type": "array", - "description": "Extra query arguments passed from the client to the authorization endpoint.", + "default": [ + "scope" + ], + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" } } }, { - "authorization_rolling_timeout": { + "audience_required": { + "elements": { + "type": "string" + }, + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "required": false, - "type": "number", - "default": 600, - "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." + "type": "array" } }, { - "authorization_cookie_name": { + "audience_claim": { "required": false, - "type": "string", - "default": "authorization", - "description": "The authorization cookie name." + "type": "array", + "default": [ + "aud" + ], + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } } }, { - "authorization_cookie_path": { + "groups_required": { + "elements": { + "type": "string" + }, + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.", "required": false, - "match_none": [ - { - "pattern": "//", - "err": "must not have empty segments" - } + "type": "array" + } + }, + { + "groups_claim": { + "required": false, + "type": "array", + "default": [ + "groups" ], - "starts_with": "/", - "type": "string", - "default": "/", - "description": "The authorization cookie Path flag." + "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } } }, { - "authorization_cookie_domain": { - "description": "The authorization cookie Domain flag.", + "roles_required": { + "elements": { + "type": "string" + }, + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "required": false, - "type": "string" + "type": "array" } }, { - "authorization_cookie_same_site": { - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "roles_claim": { "required": false, - "type": "string", - "default": "Default", - "one_of": [ - "Strict", - "Lax", - "None", - "Default" - ] + "type": "array", + "default": [ + "roles" + ], + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } } }, { - "authorization_cookie_http_only": { + "domains": { + "elements": { + "type": "string" + }, + "description": "The allowed values for the `hd` claim.", "required": false, - "type": "boolean", - "default": true, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." 
+ "type": "array" } }, { - "authorization_cookie_secure": { - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", "required": false, - "type": "boolean" + "type": "number" } }, { - "preserve_query_args": { + "authenticated_groups_claim": { + "elements": { + "type": "string" + }, + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, - "type": "boolean", - "default": false, - "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow." + "type": "array" } }, { - "token_endpoint": { - "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "pushed_authorization_request_endpoint": { + "description": "The pushed authorization endpoint. 
If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", "required": false, "type": "string" } }, { - "token_endpoint_auth_method": { - "required": false, + "pushed_authorization_request_endpoint_auth_method": { "type": "string", - "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -866,43 +1111,199 @@ } }, { - "token_headers_names": { + "require_pushed_authorization_requests": { + "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", "required": false, - "type": "array", - "description": "Extra header names passed to the token endpoint.", - "elements": { - "type": "string" - } + "type": "boolean" } }, { - "token_headers_values": { + "require_proof_key_for_code_exchange": { + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", "required": false, - "type": "array", - "description": "Extra header values passed to the token endpoint.", - "elements": { - "type": "string" - } + "type": "boolean" } }, { - "token_headers_client": { + "require_signed_request_object": { + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", "required": false, - "type": "array", - "description": "Extra headers passed from the client to the token endpoint.", - "elements": { - "type": "string" - } + "type": "boolean" } }, { - "token_headers_replay": { + "authorization_endpoint": { + "description": "The authorization endpoint. 
If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", "required": false, - "type": "array", - "description": "The names of token endpoint response headers to forward to the downstream client.", + "type": "string" + } + }, + { + "authorization_query_args_names": { "elements": { "type": "string" - } + }, + "description": "Extra query argument names passed to the authorization endpoint.", + "required": false, + "type": "array" + } + }, + { + "authorization_query_args_values": { + "elements": { + "type": "string" + }, + "description": "Extra query argument values passed to the authorization endpoint.", + "required": false, + "type": "array" + } + }, + { + "authorization_query_args_client": { + "elements": { + "type": "string" + }, + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "required": false, + "type": "array" + } + }, + { + "authorization_rolling_timeout": { + "default": 600, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling.", + "required": false, + "type": "number" + } + }, + { + "authorization_cookie_name": { + "default": "authorization", + "description": "The authorization cookie name.", + "required": false, + "type": "string" + } + }, + { + "authorization_cookie_path": { + "required": false, + "type": "string", + "default": "/", + "description": "The authorization cookie Path flag.", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "starts_with": "/" + } + }, + { + "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", + "required": false, + "type": "string" + } + }, + { + "authorization_cookie_same_site": { + "required": false, + "type": "string", + "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "authorization_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "required": false, + "type": "boolean" + } + }, + { + "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "required": false, + "type": "boolean" + } + }, + { + "preserve_query_args": { + "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "required": false, + "type": "boolean" + } + }, + { + "token_endpoint": { + "description": "The token endpoint. 
If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "token_endpoint_auth_method": { + "type": "string", + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "token_headers_names": { + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_headers_values": { + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_headers_client": { + "elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_headers_replay": { + "elements": { + "type": "string" + }, + "description": "The names of token endpoint response headers to forward to the downstream client.", + "required": false, + "type": "array" } }, { @@ -914,9 +1315,6 @@ }, { "token_headers_grants": { - "required": false, - "type": "array", - "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", "elements": { "type": "string", "one_of": [ 
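Review bot: `token_headers_values` in this hunk is declared as a plain array of strings, whereas `introspection_headers_values` in a later hunk of the same file carries `"encrypted": true` with `"referenceable": true` on its elements. Extra header values sent to the token endpoint can hold credentials just as the introspection ones can, so as published the schema suggests they are stored without encryption at rest and cannot be given as vault references. This file appears to be pulled from the API, so any change would belong in the plugin's own schema, not in this JSON. If the difference is intentional, the description should say so, for example `"description": "Extra header values passed to the token endpoint. Not encrypted at rest; do not place secrets here."`.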
@@ -925,37 +1323,40 @@ "authorization_code", "refresh_token" ] - } + }, + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "required": false, + "type": "array" } }, { "token_post_args_names": { - "required": false, - "type": "array", - "description": "Extra post argument names passed to the token endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra post argument names passed to the token endpoint.", + "required": false, + "type": "array" } }, { "token_post_args_values": { - "required": false, - "type": "array", - "description": "Extra post argument values passed to the token endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra post argument values passed to the token endpoint.", + "required": false, + "type": "array" } }, { "token_post_args_client": { - "required": false, - "type": "array", - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", "elements": { "type": "string" - } + }, + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. 
If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "required": false, + "type": "array" } }, { @@ -967,9 +1368,9 @@ }, { "introspection_endpoint_auth_method": { - "required": false, "type": "string", "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -983,26 +1384,26 @@ }, { "introspection_hint": { - "required": false, - "type": "string", "default": "access_token", - "description": "Introspection hint parameter value passed to the introspection endpoint." + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "required": false, + "type": "string" } }, { "introspection_check_active": { - "required": false, - "type": "boolean", "default": true, - "description": "Check that the introspection response has an `active` claim with a value of `true`." + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "required": false, + "type": "boolean" } }, { "introspection_accept": { - "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", "required": false, "type": "string", "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", "one_of": [ "application/json", "application/token-introspection+jwt", 
@@ -1012,82 +1413,82 @@ }, { "introspection_headers_names": { - "required": false, - "type": "array", - "description": "Extra header names passed to the introspection endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra header names passed to the introspection endpoint.", + "required": false, + "type": "array" } }, { "introspection_headers_values": { + "encrypted": true, "required": false, + "type": "array", "elements": { "referenceable": true, "type": "string" }, - "type": "array", - "description": "Extra header values passed to the introspection endpoint.", - "encrypted": true + "description": "Extra header values passed to the introspection endpoint." } }, { "introspection_headers_client": { - "required": false, - "type": "array", - "description": "Extra headers passed from the client to the introspection endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra headers passed from the client to the introspection endpoint.", + "required": false, + "type": "array" } }, { "introspection_post_args_names": { - "required": false, - "type": "array", - "description": "Extra post argument names passed to the introspection endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra post argument names passed to the introspection endpoint.", + "required": false, + "type": "array" } }, { "introspection_post_args_values": { - "required": false, - "type": "array", - "description": "Extra post argument values passed to the introspection endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra post argument values passed to the introspection endpoint.", + "required": false, + "type": "array" } }, { "introspection_post_args_client": { - "required": false, - "type": "array", - "description": "Extra post arguments passed from the client to the introspection endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra post arguments passed from the client to the introspection endpoint.", + 
"required": false, + "type": "array" } }, { "introspection_post_args_client_headers": { - "required": false, - "type": "array", - "description": "Extra post arguments passed from the client headers to the introspection endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra post arguments passed from the client headers to the introspection endpoint.", + "required": false, + "type": "array" } }, { "introspect_jwt_tokens": { - "required": false, - "type": "boolean", "default": false, - "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations)." + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "required": false, + "type": "boolean" } }, { @@ -1099,9 +1500,9 @@ }, { "revocation_endpoint_auth_method": { - "required": false, "type": "string", "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, "one_of": [ "client_secret_basic", "client_secret_post", @@ -1129,10 +1530,10 @@ }, { "userinfo_accept": { - "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", "required": false, "type": "string", "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", "one_of": [ "application/json", "application/jwt" 
@@ -1141,62 +1542,62 @@ }, { "userinfo_headers_names": { - "required": false, - "type": "array", - "description": "Extra header names passed to the user info endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra header names passed to the user info endpoint.", + "required": false, + "type": "array" } }, { "userinfo_headers_values": { - "required": false, - "type": "array", - "description": "Extra header values passed to the user info endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra header values passed to the user info endpoint.", + "required": false, + "type": "array" } }, { "userinfo_headers_client": { - "required": false, - "type": "array", - "description": "Extra headers passed from the client to the user info endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra headers passed from the client to the user info endpoint.", + "required": false, + "type": "array" } }, { "userinfo_query_args_names": { - "required": false, - "type": "array", - "description": "Extra query argument names passed to the user info endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra query argument names passed to the user info endpoint.", + "required": false, + "type": "array" } }, { "userinfo_query_args_values": { - "required": false, - "type": "array", - "description": "Extra query argument values passed to the user info endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra query argument values passed to the user info endpoint.", + "required": false, + "type": "array" } }, { "userinfo_query_args_client": { - "required": false, - "type": "array", - "description": "Extra query arguments passed from the client to the user info endpoint.", "elements": { "type": "string" - } + }, + "description": "Extra query arguments passed from the client to the user info endpoint.", + "required": false, + "type": "array" } }, { 
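Review bot: `userinfo_headers_values` and `userinfo_query_args_values` in this hunk carry neither `encrypted` nor `referenceable`, while `introspection_headers_values` in the @@ -1012 hunk has `"encrypted": true` on the field and `"referenceable": true` on its elements; `introspection_post_args_values` in that hunk is unmarked as well. Extra header and argument values sent to an identity-provider endpoint can be credentials, so the rendered reference will show fields of the same kind with different protection and no explanation. If the omission is not intentional, the matching attributes would be `"encrypted": true` and `"referenceable": true`. Because this snapshot is pulled from the API, that change belongs in the plugin schema upstream rather than in this file.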
@@ -1208,98 +1609,98 @@ }, { "session_secret": { - "description": "The session secret.", + "encrypted": true, "referenceable": true, "type": "string", - "required": false, - "encrypted": true + "description": "The session secret.", + "required": false } }, { "session_audience": { - "required": false, - "type": "string", "default": "default", - "description": "The session audience, which is the intended target application. For example `\"my-application\"`." + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "required": false, + "type": "string" } }, { "session_cookie_name": { - "required": false, - "type": "string", "default": "session", - "description": "The session cookie name." + "description": "The session cookie name.", + "required": false, + "type": "string" } }, { "session_remember": { - "required": false, - "type": "boolean", "default": false, - "description": "Enables or disables persistent sessions." + "description": "Enables or disables persistent sessions.", + "required": false, + "type": "boolean" } }, { "session_remember_cookie_name": { - "required": false, - "type": "string", "default": "remember", - "description": "Persistent session cookie name. Use with the `remember` configuration parameter." + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "required": false, + "type": "string" } }, { "session_remember_rolling_timeout": { - "required": false, - "type": "number", "default": 604800, - "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling." + "description": "Specifies how long the persistent session is considered valid in seconds. 
0 disables the checks and rolling.", + "required": false, + "type": "number" } }, { "session_remember_absolute_timeout": { - "required": false, - "type": "number", "default": 2592000, - "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks." + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "required": false, + "type": "number" } }, { "session_idling_timeout": { - "required": false, - "type": "number", "default": 900, - "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching." + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "required": false, + "type": "number" } }, { "session_rolling_timeout": { - "required": false, - "type": "number", "default": 3600, - "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "required": false, + "type": "number" } }, { "session_absolute_timeout": { - "required": false, - "type": "number", "default": 86400, - "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks." + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 
0 disables the checks.", + "required": false, + "type": "number" } }, { "session_cookie_path": { "required": false, + "type": "string", + "default": "/", + "description": "The session cookie Path flag.", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], - "starts_with": "/", - "type": "string", - "default": "/", - "description": "The session cookie Path flag." + "starts_with": "/" } }, { @@ -1311,10 +1712,10 @@ }, { "session_cookie_same_site": { - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "required": false, "type": "string", "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "one_of": [ "Strict", "Lax", @@ -1325,10 +1726,10 @@ }, { "session_cookie_http_only": { - "required": false, - "type": "boolean", "default": true, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "required": false, + "type": "boolean" } }, { @@ -1340,9 +1741,6 @@ }, { "session_request_headers": { - "type": "set", - "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", - "required": false, "elements": { "type": "string", "one_of": [ 
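Review bot: Nearly every changed line in the @@ -1208 hunk is a key moved within its object rather than a changed value, and that hides the attributes that matter for secrets handling. On `session_secret`, `"encrypted": true` is removed at the end of the object and re-added at the top; the Redis `password` and `sentinel_password` fields in the @@ -1519 and @@ -1534 hunks show the same pattern. A reviewer has to pair those lines by hand to confirm that no `encrypted` or `referenceable` flag was dropped in the sync. Writing the downloaded schemas with sorted keys, for example by passing each file through `jq -S .` before committing, would reduce future syncs to real changes. The download step is not visible in this part of the patch, so where that normalisation belongs is a guess.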
@@ -1354,14 +1752,14 @@ "rolling-timeout", "absolute-timeout" ] - } + }, + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "required": false, + "type": "set" } }, { "session_response_headers": { - "type": "set", - "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", - "required": false, "elements": { "type": "string", "one_of": [ @@ -1373,15 +1771,18 @@ "rolling-timeout", "absolute-timeout" ] - } + }, + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "required": false, + "type": "set" } }, { "session_storage": { - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", "required": false, "type": "string", "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", "one_of": [ "cookie", "memcache", 
@@ -1392,34 +1793,34 @@ }, { "session_store_metadata": { - "required": false, - "type": "boolean", "default": false, - "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject." + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "required": false, + "type": "boolean" } }, { "session_enforce_same_subject": { - "required": false, - "type": "boolean", "default": false, - "description": "When set to `true`, audiences are forced to share the same subject." + "description": "When set to `true`, audiences are forced to share the same subject.", + "required": false, + "type": "boolean" } }, { "session_hash_subject": { - "required": false, - "type": "boolean", "default": false, - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "required": false, + "type": "boolean" } }, { "session_hash_storage_key": { - "required": false, - "type": "boolean", "default": false, - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "required": false, + "type": "boolean" } }, { 
@@ -1438,19 +1839,19 @@ }, { "session_memcached_host": { - "required": false, - "type": "string", "default": "127.0.0.1", - "description": "The memcached host." + "description": "The memcached host.", + "required": false, + "type": "string" } }, { "session_memcached_port": { - "required": false, "between": [ 0, 65535 ], + "required": false, "type": "integer", "default": 11211, "description": "The memcached port." 
@@ -1458,56 +1859,187 @@ }, { "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + } + ], 
"fields": [ { "host": { - "type": "string", "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } }, { "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { @@ -1519,10 +2051,10 @@ }, { "password": { + "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { 
@@ -1534,27 +2066,27 @@ }, { "sentinel_password": { + "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer" } }, { "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 ], - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "default": 256, "type": "integer" } }, 
@@ -1564,128 +2096,128 @@ 0, 2147483646 ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "type": "string" } }, { "sentinel_nodes": { "required": false, + "type": "array", "elements": { "fields": [ { "host": { - "required": true, - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } } ], "type": "record" }, - "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 } }, { "cluster_nodes": { "required": false, + "type": "array", "elements": { "fields": [ { "ip": { - "required": true, - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ "type": "integer" } } ], "type": "record" }, - "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 } }, { "ssl": { - "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis.", "default": false, - "required": false + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" } }, { "ssl_verify": { - "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, - "required": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" } }, { "server_name": { - "type": "string", "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false + "required": false, + "type": "string" } }, { "cluster_max_redirections": { - "type": "integer", - "description": "Maximum retry attempts for redirection.", "default": 5, - "required": false + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" } }, { "connection_is_proxied": { - "type": "boolean", - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "default": false, - "required": false + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" } }, { 
@@ -1702,154 +2234,23 @@ "type": "string" } } - ], - "required": true, - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - }, - { - "cluster_addresses": { - "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - } ] } 
}, { "reverify": { - "required": false, - "type": "boolean", "default": false, - "description": "Specifies whether to always verify tokens stored in the session." + "description": "Specifies whether to always verify tokens stored in the session.", + "required": false, + "type": "boolean" } }, { "jwt_session_claim": { - "required": false, - "type": "string", "default": "sid", - "description": "The claim to match against the JWT session cookie." + "description": "The claim to match against the JWT session cookie.", + "required": false, + "type": "string" } }, { @@ -1861,6 +2262,13 @@ }, { "bearer_token_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", "elements": { "type": "string", @@ -1870,14 +2278,7 @@ "query", "body" ] - }, - "type": "array", - "default": [ - "header", - "query", - "body" - ], - "required": false + } } }, { @@ -1889,6 +2290,13 @@ }, { "client_credentials_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", "elements": { "type": "string", 
@@ -1897,18 +2305,18 @@ "query", "body" ] - }, + } + } + }, + { + "password_param_type": { + "required": false, "type": "array", "default": [ "header", "query", "body" ], - "required": false - } - }, - { - "password_param_type": { "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "elements": { "type": "string", @@ -1917,18 +2325,18 @@ "query", "body" ] - }, + } + } + }, + { + "id_token_param_type": { + "required": false, "type": "array", "default": [ "header", "query", "body" ], - "required": false - } - }, - { - "id_token_param_type": { "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "elements": { "type": "string", @@ -1937,14 +2345,7 @@ "query", "body" ] - }, - "type": "array", - "default": [ - "header", - "query", - "body" - ], - "required": false + } } }, { @@ -1956,22 +2357,22 @@ }, { "refresh_token_param_type": { - "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", - "elements": { - "type": "string", - "one_of": [ - "header", - "query", - "body" - ] - }, + "required": false, "type": "array", "default": [ "header", "query", "body" ], - "required": false + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + } } }, { 
@@ -1983,38 +2384,38 @@ }, { "refresh_tokens": { - "required": false, - "type": "boolean", "default": true, - "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available." + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "required": false, + "type": "boolean" } }, { "upstream_headers_claims": { - "required": false, - "type": "array", - "description": "The upstream header claims. Only top level claims are supported.", "elements": { "type": "string" - } + }, + "description": "The upstream header claims. Only top level claims are supported.", + "required": false, + "type": "array" } }, { "upstream_headers_names": { - "required": false, - "type": "array", - "description": "The upstream header names for the claim values.", "elements": { "type": "string" - } + }, + "description": "The upstream header names for the claim values.", + "required": false, + "type": "array" } }, { "upstream_access_token_header": { - "required": false, - "type": "string", "default": "authorization:bearer", - "description": "The upstream access token header." + "description": "The upstream access token header.", + "required": false, + "type": "string" } }, { 
@@ -2082,22 +2483,22 @@ }, { "downstream_headers_claims": { - "required": false, - "type": "array", - "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - } + }, + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "type": "array" } }, { "downstream_headers_names": { - "required": false, - "type": "array", - "description": "The downstream header names for the claim values.", "elements": { "type": "string" - } + }, + "description": "The downstream header names for the claim values.", + "required": false, + "type": "array" } }, { @@ -2172,6 +2573,11 @@ }, { "login_methods": { + "required": false, + "type": "array", + "default": [ + "authorization_code" + ], "description": "Enable login functionality with specified grants.", "elements": { "type": "string", @@ -2186,20 +2592,15 @@ "refresh_token", "session" ] - }, - "type": "array", - "default": [ - "authorization_code" - ], - "required": false + } } }, { "login_action": { - "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", "required": false, "type": "string", "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", "one_of": [ "upstream", "response", 
@@ -2209,6 +2610,11 @@ }, { "login_tokens": { + "required": false, + "type": "array", + "default": [ + "id_token" + ], "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", "elements": { "type": "string", @@ -2219,20 +2625,15 @@ "tokens", "introspection" ] - }, - "type": "array", - "default": [ - "id_token" - ], - "required": false + } } }, { "login_redirect_mode": { - "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", "required": false, "type": "string", "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", "one_of": [ "query", "fragment" @@ -2262,6 +2663,12 @@ }, { "logout_methods": { + "required": false, + "type": "array", + "default": [ + "POST", + "DELETE" + ], "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", "elements": { "type": "string", 
@@ -2270,51 +2677,51 @@ "GET", "DELETE" ] - }, - "type": "array", - "default": [ - "POST", - "DELETE" - ], - "required": false + } } }, { "logout_revoke": { - "required": false, - "type": "boolean", "default": false, - "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters." + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "required": false, + "type": "boolean" } }, { "logout_revoke_access_token": { - "required": false, - "type": "boolean", "default": true, - "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`." + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "required": false, + "type": "boolean" } }, { "logout_revoke_refresh_token": { - "required": false, - "type": "boolean", "default": true, - "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`." + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "required": false, + "type": "boolean" } }, { "consumer_claim": { - "required": false, - "type": "array", - "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - } + }, + "description": "The claim used for consumer mapping. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "type": "array" } }, { "consumer_by": { + "required": false, + "type": "array", + "default": [ + "username", + "custom_id" + ], "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", "elements": { "type": "string", @@ -2323,34 +2730,28 @@ "username", "custom_id" ] - }, - "type": "array", - "default": [ - "username", - "custom_id" - ], - "required": false + } } }, { "consumer_optional": { - "required": false, - "type": "boolean", "default": false, - "description": "Do not terminate the request if consumer mapping fails." + "description": "Do not terminate the request if consumer mapping fails.", + "required": false, + "type": "boolean" } }, { "credential_claim": { - "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "elements": { - "type": "string" - }, + "required": false, "type": "array", "default": [ "sub" ], - "required": false + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } } }, { 
@@ -2362,54 +2763,59 @@ }, { "run_on_preflight": { - "required": false, - "type": "boolean", "default": true, - "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests." + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "required": false, + "type": "boolean" } }, { "leeway": { - "required": false, - "type": "number", "default": 0, - "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims" + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "required": false, + "type": "number" } }, { "verify_parameters": { - "required": false, - "type": "boolean", "default": false, - "description": "Verify plugin configuration against discovery." + "description": "Verify plugin configuration against discovery.", + "required": false, + "type": "boolean" } }, { "verify_nonce": { - "required": false, - "type": "boolean", "default": true, - "description": "Verify nonce on authorization code flow." + "description": "Verify nonce on authorization code flow.", + "required": false, + "type": "boolean" } }, { "verify_claims": { - "required": false, - "type": "boolean", "default": true, - "description": "Verify tokens for standard claims." + "description": "Verify tokens for standard claims.", + "required": false, + "type": "boolean" } }, { "verify_signature": { - "required": false, - "type": "boolean", "default": true, - "description": "Verify signature of tokens." 
+ "description": "Verify signature of tokens.", + "required": false, + "type": "boolean" } }, { "ignore_signature": { + "required": false, + "type": "array", + "default": [ + + ], "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", "elements": { "type": "string", @@ -2422,27 +2828,19 @@ "introspection", "userinfo" ] - }, - "type": "array", - "default": [ - - ], - "required": false + } } }, { "enable_hs_signatures": { - "required": false, - "type": "boolean", "default": false, - "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted)." + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "required": false, + "type": "boolean" } }, { "disable_session": { - "required": false, - "type": "array", - "description": "Disable issuing the session cookie with the specified grants.", "elements": { "type": "string", "one_of": [ @@ -2456,15 +2854,18 @@ "refresh_token", "session" ] - } + }, + "description": "Disable issuing the session cookie with the specified grants.", + "required": false, + "type": "array" } }, { "cache_ttl": { - "required": false, - "type": "number", "default": 3600, - "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry." + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "required": false, + "type": "number" } }, { 
@@ -2497,66 +2898,66 @@ }, { "cache_tokens": { - "required": false, - "type": "boolean", "default": true, - "description": "Cache the token endpoint requests." + "description": "Cache the token endpoint requests.", + "required": false, + "type": "boolean" } }, { "cache_tokens_salt": { - "required": false, - "type": "string", "auto": true, - "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "required": false, + "type": "string" } }, { "cache_introspection": { - "required": false, - "type": "boolean", "default": true, - "description": "Cache the introspection endpoint requests." + "description": "Cache the introspection endpoint requests.", + "required": false, + "type": "boolean" } }, { "cache_token_exchange": { - "required": false, - "type": "boolean", "default": true, - "description": "Cache the token exchange endpoint requests." + "description": "Cache the token exchange endpoint requests.", + "required": false, + "type": "boolean" } }, { "cache_user_info": { - "required": false, - "type": "boolean", "default": true, - "description": "Cache the user info requests." + "description": "Cache the user info requests.", + "required": false, + "type": "boolean" } }, { "search_user_info": { - "required": false, - "type": "boolean", "default": false, - "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers." 
+ "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "required": false, + "type": "boolean" } }, { "hide_credentials": { - "required": false, - "type": "boolean", "default": false, - "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication." + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "required": false, + "type": "boolean" } }, { "http_version": { - "required": false, - "type": "number", "default": 1.1, - "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0." + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "required": false, + "type": "number" } }, { @@ -2569,9 +2970,9 @@ { "http_proxy_authorization": { "required": false, - "type": "string", + "description": "The HTTP proxy authorization.", "referenceable": true, - "description": "The HTTP proxy authorization." + "type": "string" } }, { @@ -2584,9 +2985,9 @@ { "https_proxy_authorization": { "required": false, - "type": "string", + "description": "The HTTPS proxy authorization.", "referenceable": true, - "description": "The HTTPS proxy authorization." + "type": "string" } }, { 
@@ -2598,88 +2999,88 @@ }, { "keepalive": { - "required": false, - "type": "boolean", "default": true, - "description": "Use keepalive with the HTTP client." + "description": "Use keepalive with the HTTP client.", + "required": false, + "type": "boolean" } }, { "ssl_verify": { - "required": false, - "type": "boolean", "default": false, - "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`." + "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "required": false, + "type": "boolean" } }, { "timeout": { - "required": false, - "type": "number", "default": 10000, - "description": "Network IO timeout in milliseconds." + "description": "Network IO timeout in milliseconds.", + "required": false, + "type": "number" } }, { "display_errors": { - "required": false, - "type": "boolean", "default": false, - "description": "Display errors on failure responses." + "description": "Display errors on failure responses.", + "required": false, + "type": "boolean" } }, { "by_username_ignore_case": { - "required": false, - "type": "boolean", "default": false, - "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively." + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "required": false, + "type": "boolean" } }, { "resolve_distributed_claims": { - "required": false, - "type": "boolean", "default": false, - "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims." 
+ "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "required": false, + "type": "boolean" } }, { "expose_error_code": { - "type": "boolean", "default": true, - "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable." + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "type": "boolean" } }, { "token_cache_key_include_scope": { - "type": "boolean", "default": false, - "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens." + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean" } }, { "introspection_token_param_name": { - "required": false, - "type": "string", "default": "token", - "description": "Designate token's parameter name for introspection." + "description": "Designate token's parameter name for introspection.", + "required": false, + "type": "string" } }, { "revocation_token_param_name": { - "required": false, - "type": "string", "default": "token", - "description": "Designate token's parameter name for revocation." + "description": "Designate token's parameter name for revocation.", + "required": false, + "type": "string" } }, { "proof_of_possession_mtls": { - "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. 
If the verification fails, the request will be rejected with 401.", "required": false, "type": "string", "default": "off", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", "one_of": [ "off", "strict", 
@@ -2689,27 +3090,27 @@ }, { "proof_of_possession_auth_methods_validation": { - "required": false, - "type": "boolean", "default": true, - "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP." + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "required": false, + "type": "boolean" } }, { "tls_client_auth_cert_id": { + "auto": false, "required": false, - "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", "type": "string", - "uuid": true, - "auto": false + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "uuid": true } }, { "tls_client_auth_ssl_verify": { - "required": false, - "type": "boolean", "default": true, - "description": "Verify identity provider server certificate during mTLS client authentication." + "description": "Verify identity provider server certificate during mTLS client authentication.", + "required": false, + "type": "boolean" } }, { 
@@ -2735,10 +3136,10 @@ }, { "proof_of_possession_dpop": { - "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", "required": false, "type": "string", "default": "off", + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", "one_of": [ "off", "strict", 
@@ -2748,36 +3149,36 @@ }, { "dpop_use_nonce": { - "required": false, - "type": "boolean", "default": false, - "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime." + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", + "required": false, + "type": "boolean" } }, { "dpop_proof_lifetime": { - "required": false, - "type": "number", "default": 300, - "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise." + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "required": false, + "type": "number" } }, { "claims_forbidden": { - "required": false, - "type": "array", - "description": "If given, these claims are forbidden in the token payload.", "elements": { "type": "string" - } + }, + "description": "If given, these claims are forbidden in the token payload.", + "required": false, + "type": "array" } }, { "cluster_cache_strategy": { - "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", "required": false, "type": "string", "default": "off", + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", "one_of": [ "off", "redis" 
@@ -2786,56 +3187,187 @@ }, { "cluster_cache_redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } 
+ ], "fields": [ { "host": { - "type": "string", "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } }, { "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { @@ -2847,10 +3379,10 @@ }, { "password": { + "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { 
@@ -2862,27 +3394,27 @@ }, { "sentinel_password": { + "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer" } }, { "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 ], - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "default": 256, "type": "integer" } }, 
@@ -2892,666 +3424,134 @@ 0, 2147483646 ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string" + ] } }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "required": false, + "type": "array", "elements": { + "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } } - ], - "type": "record" + ] }, - "type": "array", - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "required": false, + "type": "array", "elements": { + "type": "record", "fields": [ { "ip": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ "type": "integer" } } - ], - "type": "record" + ] }, - "type": "array", - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, { "ssl": { - "required": false, - "description": "If set to true, uses SSL to connect to Redis.", "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, "type": "boolean" } }, { "ssl_verify": { - "required": false, - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, "type": "boolean" } }, { "server_name": { - "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, - "description": "A string representing an SNI (server name indication) value for TLS." + "type": "string" } }, { "cluster_max_redirections": { - "required": false, - "description": "Maximum retry attempts for redirection.", "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, "type": "integer" } }, { "connection_is_proxied": { - "required": false, - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, "type": "boolean" } } - ], - "required": true, - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - }, - { - "cluster_addresses": { - "deprecation": { - "message": "cluster_addresses is deprecated, 
please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - } ] } } - ], - "required": true, - "shorthand_fields": [ - { - "authorization_cookie_lifetime": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.authorization_cookie_lifetime is deprecated, please use config.authorization_rolling_timeout instead" - }, - "type": "number" - } - }, - { - "authorization_cookie_samesite": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.authorization_cookie_samesite is deprecated, please use config.authorization_cookie_same_site instead" - }, - "type": "string" - } - }, - { - "authorization_cookie_httponly": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.authorization_cookie_httponly is deprecated, please use config.authorization_cookie_http_only instead" - }, - "type": "boolean" - } - }, - { - "session_cookie_lifetime": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead" - }, - "type": "number" - } - }, - { - "session_cookie_idletime": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead" - }, - "type": "number" - } - }, - { - "session_cookie_samesite": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead" - }, - "type": "string" - } - }, - { - "session_cookie_httponly": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_httponly is deprecated, please use 
config.session_cookie_http_only instead" - }, - "type": "boolean" - } - }, - { - "session_memcache_prefix": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead" - }, - "type": "string" - } - }, - { - "session_memcache_socket": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead" - }, - "type": "string" - } - }, - { - "session_memcache_host": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead" - }, - "type": "string" - } - }, - { - "session_memcache_port": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead" - }, - "type": "integer" - } - }, - { - "session_cookie_renew": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_renew option does not exist anymore" - }, - "type": "number" - } - }, - { - "session_cookie_maxsize": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore" - }, - "type": "integer" - } - }, - { - "session_strategy": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_strategy option does not exist anymore" - }, - "type": "string" - } - }, - { - "session_compressor": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_compressor option does not exist anymore" - }, - "type": "string" - } - }, - { - "session_redis_prefix": { - "deprecation": { - "message": "openid-connect: config.session_redis_prefix is deprecated, please use 
config.redis.prefix instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "prefix" - ] - } - ] - }, - "type": "string" - } - }, - { - "session_redis_socket": { - "deprecation": { - "message": "openid-connect: config.session_redis_socket is deprecated, please use config.redis.socket instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "socket" - ] - } - ] - }, - "type": "string" - } - }, - { - "session_redis_host": { - "deprecation": { - "message": "openid-connect: config.session_redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "host" - ] - } - ] - }, - "type": "string" - } - }, - { - "session_redis_port": { - "deprecation": { - "message": "openid-connect: config.session_redis_port is deprecated, please use config.redis.port instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "port" - ] - } - ] - }, - "type": "integer" - } - }, - { - "session_redis_username": { - "deprecation": { - "message": "openid-connect: config.redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "username" - ] - } - ] - }, - "type": "string" - } - }, - { - "session_redis_password": { - "deprecation": { - "message": "openid-connect: config.session_redis_password is deprecated, please use config.redis.password instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "password" - ] - } - ] - }, - "type": "string" - } - }, - { - "session_redis_connect_timeout": { - "deprecation": { - "message": "openid-connect: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "connect_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - 
"session_redis_read_timeout": { - "deprecation": { - "message": "openid-connect: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "session_redis_send_timeout": { - "deprecation": { - "message": "openid-connect: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "send_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "session_redis_ssl": { - "deprecation": { - "message": "openid-connect: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "ssl" - ] - } - ] - }, - "type": "boolean" - } - }, - { - "session_redis_ssl_verify": { - "deprecation": { - "message": "openid-connect: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "ssl_verify" - ] - } - ] - }, - "type": "boolean" - } - }, - { - "session_redis_server_name": { - "deprecation": { - "message": "openid-connect: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "server_name" - ] - } - ] - }, - "type": "string" - } - }, - { - "session_redis_cluster_nodes": { - "deprecation": { - "message": "openid-connect: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "cluster_nodes" - ] - } - ] - }, - "type": "array", - "elements": { - "fields": [ - { - "ip": { - "type": "string", - "description": "A string representing a host 
name, such as example.com.", - "default": "127.0.0.1", - "required": true - } - }, - { - "port": { - "between": [ - 0, - 65535 - ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." - } - } - ], - "type": "record" - } - } - }, - { - "session_redis_cluster_max_redirections": { - "deprecation": { - "message": "openid-connect: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "cluster_max_redirections" - ] - } - ] - }, - "type": "integer" - } - } - ], - "type": "record" + ] } } ] diff --git a/schemas/opentelemetry/3.9.x.json b/schemas/opentelemetry/3.9.x.json index b82f2e14..573b5251 100644 --- a/schemas/opentelemetry/3.9.x.json +++ b/schemas/opentelemetry/3.9.x.json @@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
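Review bot: In the Redis record reordered by the `@@ -2892,666 +3424,134 @@` hunk, `ssl` and `ssl_verify` both keep `"default": false`, while the same record defines `password` and `sentinel_password` fields that are sent in AUTH commands. The `ssl` description (`If set to true, uses SSL to connect to Redis.`) does not say what that default means for those credentials. I would extend it with something like `When false, the Redis password and all traffic are sent unencrypted; enable this together with ssl_verify unless the network path is trusted.` The defaults come from the upstream schema and this file is a downloaded snapshot, so the wording is best raised upstream so that the next download carries it.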
@@ -14,103 +22,123 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "required": true, + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "traces_endpoint", + "logs_endpoint" + ] + } + ], + "shorthand_fields": [ + { + "endpoint": { + "deprecation": { + "removal_in_version": "4.0", + "message": "OpenTelemetry: config.endpoint is deprecated, please use config.traces_endpoint instead" + }, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true, + "type": "string" + } + } + ], "fields": [ { "traces_endpoint": { - "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "referenceable": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "type": "string" } }, { "logs_endpoint": { - "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "referenceable": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "type": "string" } }, { "headers": { - "keys": { - "description": "A string representing an HTTP header name.", - "type": "string" - }, - "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", - "type": "map", "values": { "referenceable": true, "type": "string" - } + }, + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. 
This setting is useful for adding the authentication headers (token) for the APM backend.", + "keys": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "type": "map" } }, { "resource_attributes": { + "values": { + "required": true, + "type": "string" + }, "keys": { - "type": "string", - "required": true + "required": true, + "type": "string" }, - "type": "map", - "values": { - "type": "string", - "required": true - } + "type": "map" } }, { "queue": { + "default": { + "max_batch_size": 200 + }, + "type": "record", + "required": true, "fields": [ { "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 ], - "type": "integer", - "default": 1, - "description": "Maximum number of entries that can be processed at a time." + "type": "integer" } }, { "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 ], - "type": "number", - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + "type": "number" } }, { "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 ], - "type": "integer", - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue." + "type": "integer" } }, { 
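Review bot: The `headers` entry under `config.fields` is described as the place for authentication tokens, yet its `values` carry only `"referenceable": true` and no `"encrypted": true`, unlike the Redis `password` field in the openid-connect schema earlier on this page. Readers following the description will tend to paste a literal token into the plugin configuration. The description could steer them to the safer option by appending `Store token values as vault references rather than as literal strings.` Whether map values can carry `encrypted` in this schema language is not visible from the hunk, so confirm that part upstream.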
@@ -121,105 +149,100 @@ }, { "max_retry_time": { - "type": "number", "default": 60, - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" } }, { "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 ], - "type": "number", - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch." + "type": "number" } }, { "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 ], - "type": "number", - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff." + "type": "number" } }, { "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "type": "integer", "one_of": [ -1, 1 - ], - "type": "integer", - "default": 1, - "description": "The number of of queue delivery timers. -1 indicates unlimited." 
+ ] } } - ], - "type": "record", - "default": { - "max_batch_size": 200 - }, - "required": true + ] } }, { "batch_span_count": { + "description": "The number of spans to be sent in a single batch.", + "type": "integer", "deprecation": { "old_default": 200, "message": "opentelemetry: config.batch_span_count is deprecated, please use config.queue.max_batch_size instead", "removal_in_version": "4.0" - }, - "description": "The number of spans to be sent in a single batch.", - "type": "integer" + } } }, { "batch_flush_delay": { + "description": "The delay, in seconds, between two consecutive batches.", + "type": "integer", "deprecation": { "old_default": 3, "message": "opentelemetry: config.batch_flush_delay is deprecated, please use config.queue.max_coalescing_delay instead", "removal_in_version": "4.0" - }, - "description": "The delay, in seconds, between two consecutive batches.", - "type": "integer" + } } }, { "connect_timeout": { + "default": 1000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 1000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { 
@@ -230,13 +253,13 @@ { "header_type": { "required": false, + "type": "string", + "default": "preserve", "deprecation": { "old_default": "preserve", "message": "opentelemetry: config.header_type is deprecated, please use config.propagation options instead", "removal_in_version": "4.0" }, - "type": "string", - "default": "preserve", "one_of": [ "preserve", "ignore", 
@@ -258,106 +281,83 @@ 1 ], "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", - "type": "number", - "required": false + "required": false, + "type": "number" } }, { "propagation": { + "default": { + "default_format": "w3c" + }, "fields": [ { "extract": { - "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", - "type": "array", "elements": { "type": "string", "one_of": [ - "b3", "gcp", "jaeger", "aws", "ot", "w3c", - "datadog" + "datadog", + "b3" ] - } + }, + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "type": "array" } }, { "clear": { - "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", - "type": "array", "elements": { "type": "string" - } + }, + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. 
If left empty, no headers are cleared.", + "type": "array" } }, { "inject": { - "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", - "type": "array", "elements": { "type": "string", "one_of": [ "preserve", - "b3", "gcp", "b3-single", "jaeger", "aws", "ot", "w3c", - "datadog" + "datadog", + "b3" ] - } + }, + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "type": "array" } }, { "default_format": { - "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", "type": "string", + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. 
This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "required": true, "one_of": [ - "b3", "gcp", "b3-single", "jaeger", "aws", "ot", "w3c", - "datadog" - ], - "required": true + "datadog", + "b3" + ] } } ], - "type": "record", - "default": { - "default_format": "w3c" - }, - "required": true - } - } - ], - "required": true, - "entity_checks": [ - { - "at_least_one_of": [ - "traces_endpoint", - "logs_endpoint" - ] - } - ], - "type": "record", - "shorthand_fields": [ - { - "endpoint": { - "deprecation": { - "removal_in_version": "4.0", - "message": "OpenTelemetry: config.endpoint is deprecated, please use config.traces_endpoint instead" - }, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "referenceable": true, - "type": "string" + "required": true, + "type": "record" } } ] diff --git a/schemas/post-function/3.9.x.json b/schemas/post-function/3.9.x.json index dd5dc348..6835bfd9 100644 --- a/schemas/post-function/3.9.x.json +++ b/schemas/post-function/3.9.x.json @@ -18,8 +18,6 @@ "fields": [ { "protocols": { - "required": false, - "type": "set", "default": [ "grpc", "grpcs", 
@@ -38,31 +36,40 @@ "ws", "wss" ] - } + }, + "required": false, + "type": "set" } }, { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -74,16 +81,9 @@ "udp", "ws", "wss" - ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing protocols." + ], + "type": "string" + } } }, { 
@@ -91,137 +91,137 @@ "fields": [ { "certificate": { - "required": true, - "type": "array", "default": [ ], "elements": { "required": false, "type": "string" - } + }, + "required": true, + "type": "array" } }, { "rewrite": { - "required": true, - "type": "array", "default": [ ], "elements": { "required": false, "type": "string" - } + }, + "required": true, + "type": "array" } }, { "access": { - "required": true, - "type": "array", "default": [ ], "elements": { "required": false, "type": "string" - } + }, + "required": true, + "type": "array" } }, { "header_filter": { - "required": true, - "type": "array", "default": [ ], "elements": { "required": false, "type": "string" - } + }, + "required": true, + "type": "array" } }, { "body_filter": { - "required": true, - "type": "array", "default": [ ], "elements": { "required": false, "type": "string" - } + }, + "required": true, + "type": "array" } }, { "log": { - "required": true, - "type": "array", "default": [ ], "elements": { "required": false, "type": "string" - } + }, + "required": true, + "type": "array" } }, { "ws_handshake": { - "required": true, - "type": "array", "default": [ ], "elements": { "required": false, "type": "string" - } + }, + "required": true, + "type": "array" } }, { "ws_client_frame": { - "required": true, - "type": "array", "default": [ ], "elements": { "required": false, "type": "string" - } + }, + "required": true, + "type": "array" } }, { "ws_upstream_frame": { - "required": true, - "type": "array", "default": [ ], "elements": { "required": false, "type": "string" - } + }, + "required": true, + "type": "array" } }, { "ws_close": { - "required": true, - "type": "array", "default": [ ], "elements": { "required": false, "type": "string" - } + }, + "required": true, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/pre-function/3.9.x.json b/schemas/pre-function/3.9.x.json index dd5dc348..6835bfd9 100644 
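Review bot: None of the phase fields in this hunk (`certificate`, `rewrite`, `access`, `header_filter`, `body_filter`, `log` and the four `ws_*` entries) has a `description`, although most fields in the other schemas on this page carry one. The same gap is in the matching `@@ -91,137 +91,137 @@` hunk of `schemas/pre-function/3.9.x.json`. These arrays hold strings that the plugin presumably runs as Lua code in the named phase, which is the one thing an operator must know before granting anyone write access to this configuration. A per-field description such as `Array of Lua code strings run in sequence during the access phase; only trusted administrators should be able to set it.` would cover it. Since the file is a downloaded snapshot, the text needs to be added upstream.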
--- a/schemas/pre-function/3.9.x.json +++ b/schemas/pre-function/3.9.x.json @@ -18,8 +18,6 @@ "fields": [ { "protocols": { - "required": false, - "type": "set", "default": [ "grpc", "grpcs", @@ -38,31 +36,40 @@ "ws", "wss" ] - } + }, + "required": false, + "type": "set" } }, { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -74,16 +81,9 @@ "udp", "ws", "wss" - ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing protocols." + ], + "type": "string" + } } }, { 
@@ -91,137 +91,137 @@ "fields": [ { "certificate": { - "required": true, - "type": "array", "default": [ ], "elements": { "required": false, "type": "string" - } + }, + "required": true, + "type": "array" } }, { "rewrite": { - "required": true, - "type": "array", "default": [ ], "elements": { "required": false, "type": "string" - } + }, + "required": true, + "type": "array" } }, { "access": { - "required": true, - "type": "array", "default": [ ], "elements": { "required": false, "type": "string" - } + }, + "required": true, + "type": "array" } }, { "header_filter": { - "required": true, - "type": "array", "default": [ ], "elements": { "required": false, "type": "string" - } + }, + "required": true, + "type": "array" } }, { "body_filter": { - "required": true, - "type": "array", "default": [ ], "elements": { "required": false, "type": "string" - } + }, + "required": true, + "type": "array" } }, { "log": { - "required": true, - "type": "array", "default": [ ], "elements": { "required": false, "type": "string" - } + }, + "required": true, + "type": "array" } }, { "ws_handshake": { - "required": true, - "type": "array", "default": [ ], "elements": { "required": false, "type": "string" - } + }, + "required": true, + "type": "array" } }, { "ws_client_frame": { - "required": true, - "type": "array", "default": [ ], "elements": { "required": false, "type": "string" - } + }, + "required": true, + "type": "array" } }, { "ws_upstream_frame": { - "required": true, - "type": "array", "default": [ ], "elements": { "required": false, "type": "string" - } + }, + "required": true, + "type": "array" } }, { "ws_close": { - "required": true, - "type": "array", "default": [ ], "elements": { "required": false, "type": "string" - } + }, + "required": true, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/prometheus/3.9.x.json b/schemas/prometheus/3.9.x.json index c43db38a..ff139dbf 100644 
--- a/schemas/prometheus/3.9.x.json +++ b/schemas/prometheus/3.9.x.json @@ -6,9 +6,16 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -20,23 +27,16 @@ "udp", "ws", "wss" - ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing protocols." + ], + "type": "string" + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -45,49 +45,49 @@ "fields": [ { "per_consumer": { - "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", "default": false, + "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", "type": "boolean" } }, { "status_code_metrics": { - "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", "default": false, + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", "type": "boolean" } }, { "ai_metrics": { - "description": "A boolean value that determines if ai metrics should be collected. If enabled, the `ai_llm_requests_total`, `ai_llm_cost_total` and `ai_llm_tokens_total` metrics will be exported.", "default": false, + "description": "A boolean value that determines if ai metrics should be collected. If enabled, the `ai_llm_requests_total`, `ai_llm_cost_total` and `ai_llm_tokens_total` metrics will be exported.", "type": "boolean" } }, { "latency_metrics": { - "description": "A boolean value that determines if latency metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", "default": false, + "description": "A boolean value that determines if latency metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", "type": "boolean" } }, { "bandwidth_metrics": { - "description": "A boolean value that determines if bandwidth metrics should be collected. 
If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", "default": false, + "description": "A boolean value that determines if bandwidth metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", "type": "boolean" } }, { "upstream_health_metrics": { - "description": "A boolean value that determines if upstream metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", "default": false, + "description": "A boolean value that determines if upstream metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/proxy-cache-advanced/3.9.x.json b/schemas/proxy-cache-advanced/3.9.x.json index 4de5bf1e..63d95361 100644 --- a/schemas/proxy-cache-advanced/3.9.x.json +++ b/schemas/proxy-cache-advanced/3.9.x.json @@ -12,6 +12,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -20,15 +28,7 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { @@ -37,6 +37,13 @@ { "response_code": { "required": true, + "type": "array", + "default": [ + 200, + 301, + 404 + ], + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", "elements": { "between": [ 100, 
@@ -44,19 +51,18 @@ ], "type": "integer" }, - "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", - "type": "array", - "default": [ - 200, - 301, - 404 - ], "len_min": 1 } }, { "request_method": { "required": true, + "type": "array", + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", "elements": { "type": "string", "one_of": [ 
@@ -66,42 +72,36 @@ "PATCH", "PUT" ] - }, - "type": "array", - "default": [ - "GET", - "HEAD" - ], - "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`." + } } }, { "content_type": { "required": true, - "elements": { - "type": "string" - }, "type": "array", "default": [ "text/plain", "application/json" ], - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned." + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", + "elements": { + "type": "string" + } } }, { "cache_ttl": { - "gt": 0, - "type": "integer", "default": 300, - "description": "TTL in seconds of cache entities." + "description": "TTL in seconds of cache entities.", + "gt": 0, + "type": "integer" } }, { "strategy": { "type": "string", - "required": true, "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", + "required": true, "one_of": [ "memory", "redis" 
@@ -110,18 +110,18 @@ }, { "cache_control": { - "type": "boolean", - "required": true, "default": false, - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234." + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "required": true, + "type": "boolean" } }, { "ignore_uri_case": { - "type": "boolean", - "required": false, "default": false, - "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI." + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", + "required": false, + "type": "boolean" } }, { 
@@ -135,37 +135,40 @@ "fields": [ { "dictionary_name": { - "type": "string", - "required": true, "default": "kong_db_cache", - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template." + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "required": true, + "type": "string" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "vary_query_params": { - "type": "array", - "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "elements": { "type": "string" - } + }, + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "type": "array" } }, { "vary_headers": { - "type": "array", - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "elements": { "type": "string" - } + }, + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "type": "array" } }, { "response_headers": { + "type": "record", + "description": "Caching related diagnostic headers that should be included in cached responses", + "required": true, "fields": [ { "age": { 
@@ -185,64 +188,192 @@ "type": "boolean" } } - ], - "description": "Caching related diagnostic headers that should be included in cached responses", - "type": "record", - "required": true + ] } }, { "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please 
use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], "fields": [ { "host": { - "type": "string", "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } }, { "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { @@ -254,10 +385,10 @@ }, { "password": { + "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { 
@@ -269,27 +400,27 @@ }, { "sentinel_password": { + "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer" } }, { "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 ], - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "default": 256, "type": "integer" } }, 
@@ -299,274 +430,143 @@ 0, 2147483646 ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string" + ] } }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "required": false, + "type": "array", "elements": { + "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } } - ], - "type": "record" + ] }, - "type": "array", - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "required": false, + "type": "array", "elements": { + "type": "record", "fields": [ { "ip": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ "type": "integer" } } - ], - "type": "record" + ] }, - "type": "array", - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, { "ssl": { - "required": false, - "description": "If set to true, uses SSL to connect to Redis.", "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, "type": "boolean" } }, { "ssl_verify": { - "required": false, - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, "type": "boolean" } }, { "server_name": { - "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, - "description": "A string representing an SNI (server name indication) value for TLS." + "type": "string" } }, { "cluster_max_redirections": { - "required": false, - "description": "Maximum retry attempts for redirection.", "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, "type": "integer" } }, { "connection_is_proxied": { - "required": false, - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, "type": "boolean" } } - ], - "required": true, - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - }, - { - "cluster_addresses": { - "deprecation": { - "message": "cluster_addresses is deprecated, 
please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - } ] } }, { "bypass_on_err": { - "type": "boolean", "default": false, - "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream." + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/proxy-cache/3.9.x.json b/schemas/proxy-cache/3.9.x.json index a6ea66d6..c639f5af 100644 --- a/schemas/proxy-cache/3.9.x.json +++ b/schemas/proxy-cache/3.9.x.json @@ -12,9 +12,16 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -26,16 +33,9 @@ "udp", "ws", "wss" - ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing protocols." + ], + "type": "string" + } } }, { @@ -44,6 +44,13 @@ { "response_code": { "required": true, + "type": "array", + "default": [ + 200, + 301, + 404 + ], + "description": "Upstream response status code considered cacheable.", "elements": { "between": [ 100, 
@@ -51,18 +58,17 @@ ], "type": "integer" }, - "description": "Upstream response status code considered cacheable.", - "type": "array", - "default": [ - 200, - 301, - 404 - ], "len_min": 1 } }, { "request_method": { + "required": true, + "type": "array", + "default": [ + "GET", + "HEAD" + ], "description": "Downstream request methods considered cacheable.", "elements": { "type": "string", @@ -73,41 +79,35 @@ "PATCH", "PUT" ] - }, - "type": "array", - "default": [ - "GET", - "HEAD" - ], - "required": true + } } }, { "content_type": { - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", - "elements": { - "type": "string" - }, + "required": true, "type": "array", "default": [ "text/plain", "application/json" ], - "required": true + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", + "elements": { + "type": "string" + } } }, { "cache_ttl": { - "gt": 0, - "type": "integer", "default": 300, - "description": "TTL, in seconds, of cache entities." + "description": "TTL, in seconds, of cache entities.", + "gt": 0, + "type": "integer" } }, { "strategy": { - "description": "The backing data store in which to hold cache entities.", "type": "string", + "description": "The backing data store in which to hold cache entities.", "required": true, "one_of": [ "memory" 
@@ -116,23 +116,23 @@ }, { "cache_control": { - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", - "type": "boolean", "default": false, - "required": true + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "required": true, + "type": "boolean" } }, { "ignore_uri_case": { - "type": "boolean", "default": false, - "required": false + "required": false, + "type": "boolean" } }, { "storage_ttl": { - "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", - "type": "integer" + "type": "integer", + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." } }, { 
@@ -140,37 +140,40 @@ "fields": [ { "dictionary_name": { - "required": true, - "type": "string", "default": "kong_db_cache", - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template." + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "required": true, + "type": "string" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "vary_query_params": { - "type": "array", - "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "elements": { "type": "string" - } + }, + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "type": "array" } }, { "vary_headers": { - "type": "array", - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "elements": { "type": "string" - } + }, + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "type": "array" } }, { "response_headers": { + "type": "record", + "description": "Caching related diagnostic headers that should be included in cached responses", + "required": true, "fields": [ { "age": { @@ -190,15 +193,12 @@ "type": "boolean" } } - ], - "description": "Caching related diagnostic headers that should be included in cached responses", - "type": "record", - "required": true + ] } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] 
diff --git a/schemas/rate-limiting-advanced/3.9.x.json b/schemas/rate-limiting-advanced/3.9.x.json index 91e3eb60..a2ecf410 100644 --- a/schemas/rate-limiting-advanced/3.9.x.json +++ b/schemas/rate-limiting-advanced/3.9.x.json @@ -12,6 +12,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -20,15 +28,7 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { @@ -37,9 +37,9 @@ { "identifier": { "required": true, - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", "type": "string", "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", "one_of": [ "ip", "credential", 
@@ -51,21 +51,39 @@ ] } }, + { + "compound_identifier": { + "elements": { + "type": "string", + "one_of": [ + "ip", + "credential", + "consumer", + "service", + "header", + "path", + "consumer-group" + ] + }, + "description": "Similar to `identifer`, but supports combining multiple items. The priority of `compound_identifier` is higher than `identifier`, which means if `compound_identifer` is set, it will be used, otherwise `identifier` will be used.", + "type": "array" + } + }, { "window_size": { - "type": "array", - "required": true, - "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" - } + }, + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "required": true, + "type": "array" } }, { "window_type": { + "default": "sliding", "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", "type": "string", - "default": "sliding", "one_of": [ "fixed", "sliding" 
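Review bot: The description added for `compound_identifier` misspells both field names (`identifer`, `compound_identifer`), and this string is the operator-facing documentation for which key the rate-limit counters are scoped by. The two names should read `identifier` and `compound_identifier`, so that a name copied from the description matches the actual field. The file looks like a snapshot pulled from the API rather than hand-written, so the correction probably belongs in the upstream plugin schema, with this file re-downloaded afterwards. The new array also declares no `len_min`, so the description does not say whether an empty `compound_identifier` counts as "set" or falls back to `identifier`; that is worth stating because it decides how requests are bucketed.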
@@ -74,34 +92,34 @@ }, { "limit": { - "type": "array", - "required": true, - "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" - } + }, + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "required": true, + "type": "array" } }, { "sync_rate": { - "type": "number", - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" } }, { "namespace": { "auto": true, + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", "required": true, - "type": "string", - "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same." 
+ "type": "string" } }, { "strategy": { "required": true, - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "type": "string", "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "one_of": [ "cluster", "redis", 
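Review bot: The `strategy` description on the new side still names only `local` and `cluster` as available values, while the `one_of` list directly below it also contains `redis` (the rest of that list lies outside the hunk). Someone configuring the plugin from the description alone would not learn that `redis` is accepted, and the choice matters because it decides where the counters live. The sentence should follow the enum, for example: Available values are: `local`, `cluster` and `redis`. As the file is downloaded from the API, this is probably an upstream fix.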
@@ -111,38 +129,38 @@ }, { "dictionary_name": { - "type": "string", - "required": true, "default": "kong_rate_limiting_counters", - "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle." + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "required": true, + "type": "string" } }, { "lock_dictionary_name": { - "type": "string", - "required": true, "default": "kong_locks", - "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. The shared dictionary should be declare in nginx-kong.conf." + "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. The shared dictionary should be declare in nginx-kong.conf.", + "required": true, + "type": "string" } }, { "hide_client_headers": { - "type": "boolean", "default": false, - "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters." 
+ "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" } }, { "retry_after_jitter_max": { - "type": "number", "default": 0, - "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header." + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" } }, { "header_name": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." } }, { @@ -151,8 +169,8 @@ "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], "type": "string" 
@@ -160,56 +178,187 @@ }, { "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + } + ], "fields": 
[ { "host": { - "type": "string", "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } }, { "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { @@ -221,10 +370,10 @@ }, { "password": { + "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { 
@@ -236,27 +385,27 @@ }, { "sentinel_password": { + "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer" } }, { "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 ], - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "default": 256, "type": "integer" } }, 
@@ -266,315 +415,184 @@ 0, 2147483646 ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "type": "string" } }, { "sentinel_nodes": { "required": false, + "type": "array", "elements": { "fields": [ { "host": { - "required": true, - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } } ], "type": "record" }, - "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 } }, { "cluster_nodes": { "required": false, + "type": "array", "elements": { "fields": [ { "ip": { - "required": true, - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ "type": "integer" } } ], "type": "record" }, - "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 } }, { "ssl": { - "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis.", "default": false, - "required": false + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" } }, { "ssl_verify": { - "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, - "required": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" } }, { "server_name": { - "type": "string", "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false + "required": false, + "type": "string" } }, { "cluster_max_redirections": { - "type": "integer", - "description": "Maximum retry attempts for redirection.", "default": 5, - "required": false + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" } }, { "connection_is_proxied": { - "type": "boolean", - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "default": false, - "required": false + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" } }, { "redis_proxy_type": { + "type": "string", "description": "If the `connection_is_proxied` is enabled, this field indicates the proxy type and version you are using. 
For example, you can enable this optioin when you want authentication between Kong and Envoy proxy.", "required": false, - "type": "string", "one_of": [ "envoy_v1.31" ] } } - ], - "required": true, - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - }, - { - "cluster_addresses": { - "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - 
"path": [ - "cluster_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - } ] } }, { "enforce_consumer_groups": { - "type": "boolean", "default": false, - "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups." + "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", + "type": "boolean" } }, { "consumer_groups": { - "type": "array", - "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", "elements": { "type": "string" - } + }, + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", + "type": "array" } }, { "disable_penalty": { - "type": "boolean", "default": false, - "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type." + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. 
This parameter only affects the `sliding` window_type.", + "type": "boolean" } }, { "error_code": { - "gt": 0, - "type": "number", "default": 429, - "description": "Set a custom error code to return when the rate limit is exceeded." + "description": "Set a custom error code to return when the rate limit is exceeded.", + "gt": 0, + "type": "number" } }, { "error_message": { - "type": "string", "default": "API rate limit exceeded", - "description": "Set a custom error message to return when the rate limit is exceeded." + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/rate-limiting/3.9.x.json b/schemas/rate-limiting/3.9.x.json index 7fa63ded..fc7061fb 100644 --- a/schemas/rate-limiting/3.9.x.json +++ b/schemas/rate-limiting/3.9.x.json @@ -75,6 +75,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -83,15 +91,7 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { @@ -141,9 +141,9 @@ }, { "limit_by": { - "type": "string", - "description": "The entity that is used when aggregating the limits.", "default": "consumer", + "description": "The entity that is used when aggregating the limits.", + "type": "string", "one_of": [ "consumer", "credential", @@ -157,8 +157,8 @@ }, { "header_name": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." } }, { 
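Review bot: In the `redis` record of `schemas/rate-limiting-advanced/3.9.x.json`, `ssl` and `ssl_verify` both keep `"default": false`, while `password` and `sentinel_password` are declared in the same record (the hunks at -221 and -236). A configuration that sets only a password therefore sends its AUTH commands over an unencrypted, unverified connection. The commit only reorders these keys and cannot change the defaults, but the `ssl` description could state the consequence, e.g. `If set to true, uses SSL to connect to Redis. When false, Redis credentials are sent unencrypted.` The `redis` record in `schemas/rate-limiting/3.9.x.json` (hunk at -189) has the same defaults and would benefit from the same sentence.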
@@ -167,8 +167,8 @@ "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], "type": "string" @@ -176,10 +176,10 @@ }, { "policy": { - "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", - "len_min": 0, "type": "string", "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "len_min": 0, "one_of": [ "local", "cluster", 
@@ -189,100 +189,100 @@ }, { "fault_tolerant": { + "default": true, "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", "required": true, - "default": true, "type": "boolean" } }, { "redis": { + "type": "record", + "description": "Redis configuration", + "required": true, "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } }, { "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "username": { - "type": "string", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "referenceable": true, - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "type": "string" } }, { "password": { - "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, "referenceable": true, - "len_min": 0, "type": "string", - "encrypted": true + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "len_min": 0 } }, { "database": { - "type": "integer", "default": 0, - "description": "Database to use for the Redis connection when using the `redis` strategy" + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" } }, { "ssl": { - "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean", "default": false, - "required": false + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" } }, { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean", "default": false, - "required": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" } }, { "server_name": { - "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, - "description": "A string representing an SNI (server name indication) value for TLS." 
+ "type": "string" } } - ], - "description": "Redis configuration", - "type": "record", - "required": true + ] } }, { "hide_client_headers": { + "default": false, "description": "Optionally hide informative response headers.", "required": true, - "default": false, "type": "boolean" } }, @@ -296,21 +296,20 @@ }, { "error_message": { - "description": "Set a custom error message to return when the rate limit is exceeded.", "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", "type": "string" } }, { "sync_rate": { + "default": -1, "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior.", "required": true, - "default": -1, "type": "number" } } ], - "required": true, "shorthand_fields": [ { "redis_host": { @@ -348,6 +347,7 @@ }, { "redis_password": { + "type": "string", "deprecation": { "message": "rate-limiting: config.redis_password is deprecated, please use config.redis.password instead", "removal_in_version": "4.0", @@ -360,7 +360,6 @@ } ] }, - "type": "string", "len_min": 0 } }, @@ -467,6 +466,7 @@ } } ], + "required": true, "type": "record" } } diff --git a/schemas/request-size-limiting/3.9.x.json b/schemas/request-size-limiting/3.9.x.json index 33333291..bcef5a46 100644 --- a/schemas/request-size-limiting/3.9.x.json +++ b/schemas/request-size-limiting/3.9.x.json @@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -14,22 +22,14 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -38,17 +38,17 @@ "fields": [ { "allowed_payload_size": { - "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", "default": 128, + "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", "type": "integer" } }, { "size_unit": { - "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", "required": true, "type": "string", "default": "megabytes", + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", "one_of": [ "megabytes", "kilobytes", @@ -58,15 +58,15 @@ }, { "require_content_length": { + "default": false, "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", "required": true, - "default": false, "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/request-termination/3.9.x.json b/schemas/request-termination/3.9.x.json index a05a67b4..a95ead36 100644 --- a/schemas/request-termination/3.9.x.json +++ b/schemas/request-termination/3.9.x.json 
@@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -14,15 +22,7 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { @@ -30,14 +30,14 @@ "fields": [ { "status_code": { - "description": "The response code to send. Must be an integer between 100 and 599.", "between": [ 100, 599 ], + "required": true, "type": "integer", "default": 503, - "required": true + "description": "The response code to send. Must be an integer between 100 and 599." } }, { @@ -60,21 +60,21 @@ }, { "echo": { - "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", - "type": "boolean", "default": false, - "required": true + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", + "required": true, + "type": "boolean" } }, { "trigger": { - "description": "A string representing an HTTP header name.", - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/request-transformer-advanced/3.9.x.json b/schemas/request-transformer-advanced/3.9.x.json index 21fc7757..90f58ca4 100644 --- a/schemas/request-transformer-advanced/3.9.x.json +++ b/schemas/request-transformer-advanced/3.9.x.json 
@@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -14,15 +22,7 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { @@ -30,9 +30,9 @@ "fields": [ { "http_method": { - "type": "string", + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", "match": "^%u+$", - "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." + "type": "string" } }, { @@ -40,40 +40,40 @@ "fields": [ { "body": { - "type": "array", "default": [ ], "elements": { "type": "string" - } + }, + "type": "array" } }, { "headers": { - "type": "array", "default": [ ], "elements": { "type": "string" - } + }, + "type": "array" } }, { "querystring": { - "type": "array", "default": [ ], "elements": { "type": "string" - } + }, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -81,43 +81,43 @@ "fields": [ { "body": { - "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - } + }, + "type": "array" } }, { "headers": { - "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - } + }, + "type": "array" } }, { "querystring": { - "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - } + }, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
@@ -125,43 +125,42 @@ "fields": [ { "body": { - "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - } + }, + "type": "array" } }, { "headers": { - "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - } + }, + "type": "array" } }, { "querystring": { - "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - } + }, + "type": "array" } }, { "json_types": { - "type": "array", "default": [ ], @@ -172,7 +171,8 @@ "number", "string" ] - } + }, + "type": "array" } }, { @@ -181,8 +181,8 @@ } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -190,43 +190,42 @@ "fields": [ { "body": { - "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - } + }, + "type": "array" } }, { "headers": { - "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - } + }, + "type": "array" } }, { "querystring": { - "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - } + }, + "type": "array" } }, { "json_types": { - "type": "array", "default": [ ], @@ -237,12 +236,13 @@ "number", "string" ] - } + }, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -250,43 +250,42 @@ "fields": [ { "body": { - "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - } + }, + "type": "array" } }, { "headers": { - "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - } + }, + "type": "array" } }, { "querystring": { - "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - } + }, + "type": "array" } }, { "json_types": { - "type": "array", "default": [ ], @@ -297,12 +296,13 @@ "number", "string" ] - } + }, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
@@ -310,27 +310,27 @@ "fields": [ { "body": { - "type": "set", "elements": { "type": "string" - } + }, + "type": "set" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "dots_in_keys": { - "type": "boolean", "default": true, - "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects)." + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects).", + "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/request-transformer/3.9.x.json b/schemas/request-transformer/3.9.x.json index 389e002e..ee8d790f 100644 --- a/schemas/request-transformer/3.9.x.json +++ b/schemas/request-transformer/3.9.x.json @@ -6,9 +6,16 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -20,16 +27,9 @@ "udp", "ws", "wss" - ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing protocols." + ], + "type": "string" + } } }, { @@ -37,9 +37,9 @@ "fields": [ { "http_method": { - "type": "string", + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", "match": "^%u+$", - "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." + "type": "string" } }, { 
@@ -47,43 +47,43 @@ "fields": [ { "body": { - "type": "array", - "required": true, "default": [ ], "elements": { "type": "string" - } + }, + "required": true, + "type": "array" } }, { "headers": { - "type": "array", - "required": true, "default": [ ], "elements": { "type": "string" - } + }, + "required": true, + "type": "array" } }, { "querystring": { - "type": "array", - "required": true, "default": [ ], "elements": { "type": "string" - } + }, + "required": true, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -91,44 +91,44 @@ "fields": [ { "body": { - "type": "array", - "required": true, "default": [ ], "elements": { "type": "string" - } + }, + "required": true, + "type": "array" } }, { "headers": { - "type": "array", - "required": true, "default": [ ], "elements": { - "match": "^[^:]+:.*$", - "type": "string" - } + "type": "string", + "match": "^[^:]+:.*$" + }, + "required": true, + "type": "array" } }, { "querystring": { - "type": "array", - "required": true, "default": [ ], "elements": { "type": "string" - } + }, + "required": true, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -136,39 +136,39 @@ "fields": [ { "body": { - "type": "array", - "required": true, "default": [ ], "elements": { "type": "string" - } + }, + "required": true, + "type": "array" } }, { "headers": { - "type": "array", - "required": true, "default": [ ], "elements": { - "match": "^[^:]+:.*$", - "type": "string" - } + "type": "string", + "match": "^[^:]+:.*$" + }, + "required": true, + "type": "array" } }, { "querystring": { - "type": "array", - "required": true, "default": [ ], "elements": { "type": "string" - } + }, + "required": true, + "type": "array" } }, { @@ -177,8 +177,8 @@ } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
@@ -186,44 +186,44 @@ "fields": [ { "body": { - "type": "array", - "required": true, "default": [ ], "elements": { "type": "string" - } + }, + "required": true, + "type": "array" } }, { "headers": { - "type": "array", - "required": true, "default": [ ], "elements": { - "match": "^[^:]+:.*$", - "type": "string" - } + "type": "string", + "match": "^[^:]+:.*$" + }, + "required": true, + "type": "array" } }, { "querystring": { - "type": "array", - "required": true, "default": [ ], "elements": { "type": "string" - } + }, + "required": true, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -231,49 +231,49 @@ "fields": [ { "body": { - "type": "array", - "required": true, "default": [ ], "elements": { "type": "string" - } + }, + "required": true, + "type": "array" } }, { "headers": { - "type": "array", - "required": true, "default": [ ], "elements": { - "match": "^[^:]+:.*$", - "type": "string" - } + "type": "string", + "match": "^[^:]+:.*$" + }, + "required": true, + "type": "array" } }, { "querystring": { - "type": "array", - "required": true, "default": [ ], "elements": { "type": "string" - } + }, + "required": true, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/request-validator/3.9.x.json b/schemas/request-validator/3.9.x.json index 9a8a1232..b8b9d41d 100644 --- a/schemas/request-validator/3.9.x.json +++ b/schemas/request-validator/3.9.x.json @@ -12,6 +12,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -20,27 +28,27 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "entity_checks": [ + { + "at_least_one_of": [ + "body_schema", + "parameter_schema" + ] + } + ], "fields": [ { "body_schema": { 
@@ -51,40 +59,54 @@ }, { "allowed_content_types": { - "type": "set", - "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", "default": [ "application/json" ], + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", "elements": { "required": true, "type": "string" - } + }, + "type": "set" } }, { "version": { "required": true, "type": "string", + "default": "kong", + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", "one_of": [ "kong", "draft4" - ], - "default": "kong", - "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator." + ] } }, { "parameter_schema": { - "required": false, - "type": "array", - "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", "elements": { + "entity_checks": [ + { + "mutually_required": [ + "style", + "explode", + "schema" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "style", + "in" + ] + } + } + ], "fields": [ { "in": { - "description": "The location of the parameter.", "type": "string", + "description": "The location of the parameter.", "required": true, "one_of": [ "query", @@ -109,6 +131,8 @@ }, { "style": { + "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", + "type": "string", "one_of": [ "label", "form", 
@@ -117,15 +141,13 @@ "spaceDelimited", "pipeDelimited", "deepObject" - ], - "type": "string", - "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value." + ] } }, { "explode": { - "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect.", - "type": "boolean" + "type": "boolean", + "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect." } }, { 
@@ -135,54 +157,32 @@ } } ], - "type": "record", - "entity_checks": [ - { - "mutually_required": [ - "style", - "explode", - "schema" - ] - }, - { - "custom_entity_check": { - "field_sources": [ - "style", - "in" - ] - } - } - ] - } + "type": "record" + }, + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", + "required": false, + "type": "array" } }, { "verbose_response": { - "description": "If enabled, the plugin returns more verbose and detailed validation errors.", - "type": "boolean", "default": false, - "required": true + "description": "If enabled, the plugin returns more verbose and detailed validation errors.", + "required": true, + "type": "boolean" } }, { "content_type_parameter_validation": { - "description": "Determines whether to enable parameters validation of request content-type.", - "type": "boolean", "default": true, - "required": true + "description": "Determines whether to enable parameters validation of request content-type.", + "required": true, + "type": "boolean" } } ], - "type": "record", - "entity_checks": [ - { - "at_least_one_of": [ - "body_schema", - "parameter_schema" - ] - } - ], - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/response-ratelimiting/3.9.x.json b/schemas/response-ratelimiting/3.9.x.json index e9280c04..b6e0eba1 100644 --- a/schemas/response-ratelimiting/3.9.x.json +++ b/schemas/response-ratelimiting/3.9.x.json @@ -41,6 +41,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -49,22 +57,14 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -73,16 +73,16 @@ "fields": [ { "header_name": { - "description": "The name of the response header used to increment the counters.", "default": "x-kong-limit", + "description": "The name of the response header used to increment the counters.", "type": "string" } }, { "limit_by": { - "type": "string", - "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", "default": "consumer", + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", + "type": "string", "one_of": [ "consumer", "credential", @@ -92,9 +92,9 @@ }, { "policy": { - "type": "string", - "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "type": "string", "one_of": [ "local", "cluster", 
@@ -104,121 +104,128 @@ }, { "fault_tolerant": { + "default": true, "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", "required": true, - "default": true, "type": "boolean" } }, { "redis": { + "type": "record", + "description": "Redis configuration", + "required": true, "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } }, { "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "username": { - "type": "string", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "referenceable": true, - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "type": "string" } }, { "password": { - "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, "referenceable": true, - "len_min": 0, "type": "string", - "encrypted": true + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "len_min": 0 } }, { "database": { - "type": "integer", "default": 0, - "description": "Database to use for the Redis connection when using the `redis` strategy" + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" } }, { "ssl": { - "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean", "default": false, - "required": false + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" } }, { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean", "default": false, - "required": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" } }, { "server_name": { - "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, - "description": "A string representing an SNI (server name indication) value for TLS." 
+ "type": "string" } } - ], - "description": "Redis configuration", - "type": "record", - "required": true + ] } }, { "block_on_first_violation": { + "default": false, "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", "required": true, - "default": false, "type": "boolean" } }, { "hide_client_headers": { + "default": false, "description": "Optionally hide informative response headers.", "required": true, - "default": false, "type": "boolean" } }, { "limits": { - "description": "A map that defines rate limits for the plugin.", - "len_min": 1, - "keys": { - "type": "string" - }, - "type": "map", - "required": true, "values": { + "entity_checks": [ + { + "at_least_one_of": [ + "second", + "minute", + "hour", + "day", + "month", + "year" + ] + } + ], + "type": "record", + "required": true, "fields": [ { "second": { @@ -256,26 +263,18 @@ "type": "number" } } - ], - "required": true, - "entity_checks": [ - { - "at_least_one_of": [ - "second", - "minute", - "hour", - "day", - "month", - "year" - ] - } - ], - "type": "record" - } + ] + }, + "required": true, + "type": "map", + "description": "A map that defines rate limits for the plugin.", + "keys": { + "type": "string" + }, + "len_min": 1 } } ], - "type": "record", "shorthand_fields": [ { "redis_host": { @@ -313,6 +312,7 @@ }, { "redis_password": { + "len_min": 0, "deprecation": { "message": "response-ratelimiting: config.redis_password is deprecated, please use config.redis.password instead", "removal_in_version": "4.0", @@ -325,8 +325,7 @@ } ] }, - "type": "string", - "len_min": 0 + "type": "string" } }, { @@ -432,7 +431,8 @@ } } ], - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/response-transformer-advanced/3.9.x.json b/schemas/response-transformer-advanced/3.9.x.json index 35f2b243..acf4ee71 100644 
--- a/schemas/response-transformer-advanced/3.9.x.json +++ b/schemas/response-transformer-advanced/3.9.x.json @@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -14,15 +22,7 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { @@ -33,40 +33,40 @@ "fields": [ { "json": { - "type": "array", "default": [ ], "elements": { "type": "string" - } + }, + "type": "array" } }, { "headers": { - "type": "array", "default": [ ], "elements": { "type": "string" - } + }, + "type": "array" } }, { "if_status": { - "type": "array", "default": [ ], "elements": { "type": "string" - } + }, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -74,30 +74,30 @@ "fields": [ { "headers": { - "type": "array", "default": [ ], "elements": { - "match": "^[^:]+:.*$", - "type": "string" - } + "type": "string", + "match": "^[^:]+:.*$" + }, + "type": "array" } }, { "if_status": { - "type": "array", "default": [ ], "elements": { "type": "string" - } + }, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -111,18 +111,17 @@ }, { "json": { - "type": "array", "default": [ ], "elements": { "type": "string" - } + }, + "type": "array" } }, { "json_types": { - "type": "array", "default": [ ], @@ -133,34 +132,35 @@ "number", "string" ] - } + }, + "type": "array" } }, { "headers": { - "type": "array", "default": [ ], "elements": { "type": "string" - } + }, + "type": "array" } }, { "if_status": { - "type": "array", "default": [ ], "elements": { "type": "string" - } + }, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
@@ -168,18 +168,17 @@ "fields": [ { "json": { - "type": "array", "default": [ ], "elements": { "type": "string" - } + }, + "type": "array" } }, { "json_types": { - "type": "array", "default": [ ], @@ -190,34 +189,35 @@ "number", "string" ] - } + }, + "type": "array" } }, { "headers": { - "type": "array", "default": [ ], "elements": { "type": "string" - } + }, + "type": "array" } }, { "if_status": { - "type": "array", "default": [ ], "elements": { "type": "string" - } + }, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -225,18 +225,17 @@ "fields": [ { "json": { - "type": "array", "default": [ ], "elements": { "type": "string" - } + }, + "type": "array" } }, { "json_types": { - "type": "array", "default": [ ], @@ -247,34 +246,35 @@ "number", "string" ] - } + }, + "type": "array" } }, { "headers": { - "type": "array", "default": [ ], "elements": { "type": "string" - } + }, + "type": "array" } }, { "if_status": { - "type": "array", "default": [ ], "elements": { "type": "string" - } + }, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -282,15 +282,15 @@ "fields": [ { "json": { - "type": "set", "elements": { "type": "string" - } + }, + "type": "set" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
@@ -298,52 +298,52 @@ "fields": [ { "functions": { - "type": "array", "default": [ ], "elements": { "type": "string" - } + }, + "type": "array" } }, { "if_status": { - "type": "array", "default": [ ], "elements": { "type": "string" - } + }, + "type": "array" } }, { "json": { - "type": "array", "default": [ ], "elements": { "type": "string" - } + }, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "dots_in_keys": { - "type": "boolean", "default": true, - "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects.." + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", + "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/response-transformer/3.9.x.json b/schemas/response-transformer/3.9.x.json index b7480468..eb4a6258 100644 --- a/schemas/response-transformer/3.9.x.json +++ b/schemas/response-transformer/3.9.x.json @@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -14,15 +22,7 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { 
@@ -33,31 +33,31 @@ "fields": [ { "json": { - "required": true, - "type": "array", "default": [ ], "elements": { "type": "string" - } + }, + "required": true, + "type": "array" } }, { "headers": { - "required": true, - "type": "array", "default": [ ], "elements": { "type": "string" - } + }, + "required": true, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -65,33 +65,33 @@ "fields": [ { "json": { - "required": true, - "type": "array", "default": [ ], "elements": { "match": "^[^:]+:.*$", "type": "string" - } + }, + "required": true, + "type": "array" } }, { "headers": { - "required": true, - "type": "array", "default": [ ], "elements": { - "match": "^[^:]+:.*$", - "type": "string" - } + "type": "string", + "match": "^[^:]+:.*$" + }, + "required": true, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -99,19 +99,24 @@ "fields": [ { "json": { - "required": true, - "type": "array", "default": [ ], "elements": { "match": "^[^:]+:.*$", "type": "string" - } + }, + "required": true, + "type": "array" } }, { "json_types": { + "required": true, + "type": "array", + "default": [ + + ], "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "elements": { "type": "string", @@ -120,30 +125,25 @@ "number", "string" ] - }, - "type": "array", - "default": [ - - ], - "required": true + } } }, { "headers": { - "required": true, - "type": "array", "default": [ ], "elements": { "match": "^[^:]+:.*$", "type": "string" - } + }, + "required": true, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
@@ -151,19 +151,24 @@ "fields": [ { "json": { - "required": true, - "type": "array", "default": [ ], "elements": { "match": "^[^:]+:.*$", "type": "string" - } + }, + "required": true, + "type": "array" } }, { "json_types": { + "required": true, + "type": "array", + "default": [ + + ], "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "elements": { "type": "string", @@ -172,30 +177,25 @@ "number", "string" ] - }, - "type": "array", - "default": [ - - ], - "required": true + } } }, { "headers": { - "required": true, - "type": "array", "default": [ ], "elements": { "match": "^[^:]+:.*$", "type": "string" - } + }, + "required": true, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -203,19 +203,24 @@ "fields": [ { "json": { - "required": true, - "type": "array", "default": [ ], "elements": { "match": "^[^:]+:.*$", "type": "string" - } + }, + "required": true, + "type": "array" } }, { "json_types": { + "required": true, + "type": "array", + "default": [ + + ], "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "elements": { "type": "string", @@ -224,35 +229,30 @@ "number", "string" ] - }, - "type": "array", - "default": [ - - ], - "required": true + } } }, { "headers": { - "required": true, - "type": "array", "default": [ ], "elements": { "match": "^[^:]+:.*$", "type": "string" - } + }, + "required": true, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/route-by-header/3.9.x.json b/schemas/route-by-header/3.9.x.json index 4adedef5..fb2008cd 100644 
--- a/schemas/route-by-header/3.9.x.json +++ b/schemas/route-by-header/3.9.x.json @@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -14,22 +22,14 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -38,40 +38,40 @@ "fields": [ { "rules": { - "type": "array", - "description": "Route by header rules.", "default": [ ], + "description": "Route by header rules.", "elements": { + "type": "record", "fields": [ { "upstream_name": { - "type": "string", - "required": true + "required": true, + "type": "string" } }, { "condition": { - "required": true, - "len_min": 1, - "keys": { + "values": { "type": "string" }, + "required": true, "type": "map", - "values": { + "keys": { "type": "string" - } + }, + "len_min": 1 } } - ], - "type": "record" - } + ] + }, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/route-transformer-advanced/3.9.x.json b/schemas/route-transformer-advanced/3.9.x.json index 84951d64..a640c0ff 100644 --- a/schemas/route-transformer-advanced/3.9.x.json +++ b/schemas/route-transformer-advanced/3.9.x.json @@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -14,27 +22,28 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "entity_checks": [ + { + "at_least_one_of": [ + "path", + "port", + "host" + ] + } + ], "fields": [ { "path": { @@ -58,17 +67,8 @@ } } ], - "type": "record", - "entity_checks": [ - { - "at_least_one_of": [ - "path", - "port", - "host" - ] - } - ], - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/saml/3.9.x.json b/schemas/saml/3.9.x.json index f1656692..b9a8bf2e 100644 --- a/schemas/saml/3.9.x.json +++ b/schemas/saml/3.9.x.json @@ -12,14 +12,22 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -28,313 +36,704 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "fields": [ + "type": "record", + "shorthand_fields": [ { - "assertion_consumer_path": { - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "match_none": [ - { - "pattern": "//", - "err": "must not have empty segments" - } - ], - "starts_with": "/", - "type": "string", - "required": true + "session_cookie_lifetime": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead" + }, + "type": "number" } }, { - "idp_sso_url": { - "type": "string", - "required": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "session_cookie_idletime": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead" + }, + "type": "number" } }, { - "idp_certificate": { - "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. 
Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", - "referenceable": true, - "type": "string", - "required": false, - "encrypted": true + "session_cookie_samesite": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead" + }, + "type": "string" } }, { - "response_encryption_key": { - "description": "The private encryption key required to decrypt encrypted assertions.", - "referenceable": true, - "type": "string", - "required": false, - "encrypted": true + "session_cookie_httponly": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead" + }, + "type": "boolean" } }, { - "request_signing_key": { - "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", - "referenceable": true, - "type": "string", - "required": false, - "encrypted": true + "session_memcache_prefix": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead" + }, + "type": "string" } }, { - "request_signing_certificate": { - "description": "The certificate for signing requests.", - "referenceable": true, - "type": "string", - "required": false, - "encrypted": true + "session_memcache_socket": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead" + }, + "type": "string" } }, { - "request_signature_algorithm": { - "description": "The signature algorithm for signing Authn requests. 
Options available are: - `SHA256` - `SHA384` - `SHA512`", - "required": false, - "type": "string", - "default": "SHA256", - "one_of": [ - "SHA256", - "SHA384", - "SHA512" - ] + "session_memcache_host": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead" + }, + "type": "string" } }, { - "request_digest_algorithm": { - "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", - "required": false, - "type": "string", - "default": "SHA256", - "one_of": [ - "SHA256", - "SHA1" - ] + "session_memcache_port": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead" + }, + "type": "integer" } }, { - "response_signature_algorithm": { - "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", - "required": false, - "type": "string", - "default": "SHA256", - "one_of": [ - "SHA256", - "SHA384", - "SHA512" - ] + "session_cookie_renew": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_renew option does not exist anymore" + }, + "type": "number" } }, { - "response_digest_algorithm": { - "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", - "required": false, - "type": "string", - "default": "SHA256", - "one_of": [ - "SHA256", - "SHA1" - ] + "session_cookie_maxsize": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore" + }, + "type": "integer" } }, { - "issuer": { - "description": "The unique identifier of the IdP application. 
Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", - "required": true, + "session_strategy": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_strategy option does not exist anymore" + }, "type": "string" } }, { - "nameid_format": { - "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", - "required": false, - "type": "string", - "default": "EmailAddress", - "one_of": [ - "Unspecified", - "EmailAddress", - "Persistent", - "Transient" - ] + "session_compressor": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_compressor option does not exist anymore" + }, + "type": "string" } }, { - "validate_assertion_signature": { - "required": false, - "type": "boolean", - "default": true, - "description": "Enable signature validation for SAML responses." + "session_auth_ttl": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_auth_ttl option does not exist anymore" + }, + "type": "number" } }, { - "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", - "required": false, + "session_redis_prefix": { + "deprecation": { + "message": "saml: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "prefix" + ] + } + ] + }, "type": "string" } }, { - "session_secret": { - "required": true, - "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). 
It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", - "referenceable": true, - "len_min": 32, - "len_max": 32, - "type": "string", - "match": "^[0-9a-zA-Z/_+]+$", - "encrypted": true + "session_redis_socket": { + "deprecation": { + "message": "saml: config.session_redis_socket is deprecated, please use config.redis.socket instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "socket" + ] + } + ] + }, + "type": "string" } }, { - "session_audience": { - "required": false, - "type": "string", - "default": "default", - "description": "The session audience, for example \"my-application\"" + "session_redis_host": { + "deprecation": { + "message": "saml: config.session_redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } + ] + }, + "type": "string" } }, { - "session_cookie_name": { - "required": false, - "type": "string", - "default": "session", - "description": "The session cookie name." 
+ "session_redis_port": { + "deprecation": { + "message": "saml: config.session_redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ] + }, + "type": "integer" } }, { - "session_remember": { - "required": false, - "type": "boolean", - "default": false, - "description": "Enables or disables persistent sessions" + "session_redis_username": { + "deprecation": { + "message": "saml: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ] + }, + "type": "string" } }, { - "session_remember_cookie_name": { - "required": false, - "type": "string", - "default": "remember", - "description": "Persistent session cookie name" + "session_redis_password": { + "deprecation": { + "message": "saml: config.session_redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ] + }, + "type": "string" } }, { - "session_remember_rolling_timeout": { - "required": false, - "type": "number", - "default": 604800, - "description": "Persistent session rolling timeout in seconds." + "session_redis_connect_timeout": { + "deprecation": { + "message": "saml: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "connect_timeout" + ] + } + ] + }, + "type": "integer" } }, { - "session_remember_absolute_timeout": { - "required": false, - "type": "number", - "default": 2592000, - "description": "Persistent session absolute timeout in seconds." 
+ "session_redis_read_timeout": { + "deprecation": { + "message": "saml: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "read_timeout" + ] + } + ] + }, + "type": "integer" } }, { - "session_idling_timeout": { - "required": false, - "type": "number", - "default": 900, - "description": "The session cookie idle time in seconds." + "session_redis_send_timeout": { + "deprecation": { + "message": "saml: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "send_timeout" + ] + } + ] + }, + "type": "integer" } }, { - "session_rolling_timeout": { - "required": false, - "type": "number", - "default": 3600, - "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid." + "session_redis_ssl": { + "deprecation": { + "message": "saml: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ] + }, + "type": "boolean" } }, { - "session_absolute_timeout": { - "required": false, - "type": "number", - "default": 86400, - "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid." 
+ "session_redis_ssl_verify": { + "deprecation": { + "message": "saml: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ] + }, + "type": "boolean" } }, { - "session_cookie_path": { - "required": false, + "session_redis_server_name": { + "deprecation": { + "message": "saml: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_cluster_nodes": { + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "type": "array", + "deprecation": { + "message": "saml: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "cluster_nodes" + ] + } + ] + } + } + }, + { + "session_redis_cluster_max_redirections": { + "deprecation": { + "message": "saml: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "cluster_max_redirections" + ] + } + ] + }, + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "deprecation": { + "message": "saml: config.session_redis_cluster_maxredirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0", + 
"replaced_with": [ + { + "path": [ + "redis", + "cluster_max_redirections" + ] + } + ] + }, + "type": "integer" + } + } + ], + "required": true, + "fields": [ + { + "assertion_consumer_path": { + "required": true, + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], - "starts_with": "/", - "type": "string", - "default": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "starts_with": "/" } }, { - "session_cookie_domain": { - "description": "The session cookie domain flag.", - "required": false, + "idp_sso_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": true, "type": "string" } }, { - "session_cookie_same_site": { - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", - "required": false, + "idp_certificate": { + "encrypted": true, + "referenceable": true, "type": "string", - "default": "Lax", - "one_of": [ - "Strict", - "Lax", - "None", - "Default" - ] + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "required": false } }, { - "session_cookie_http_only": { - "required": false, - "type": "boolean", - "default": true, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." 
+ "response_encryption_key": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The private encryption key required to decrypt encrypted assertions.", + "required": false } }, { - "session_cookie_secure": { - "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "required": false, - "type": "boolean" + "request_signing_key": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", + "required": false } }, { - "session_request_headers": { - "type": "set", - "elements": { - "type": "string", - "one_of": [ - "id", + "request_signing_certificate": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The certificate for signing requests.", + "required": false + } + }, + { + "request_signature_algorithm": { + "required": false, + "type": "string", + "default": "SHA256", + "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "one_of": [ + "SHA256", + "SHA384", + "SHA512" + ] + } + }, + { + "request_digest_algorithm": { + "required": false, + "type": "string", + "default": "SHA256", + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", + "one_of": [ + "SHA256", + "SHA1" + ] + } + }, + { + "response_signature_algorithm": { + "required": false, + "type": "string", + "default": "SHA256", + "description": "The algorithm for validating signatures in SAML responses. 
Options available are: - `SHA256` - `SHA384` - `SHA512`", + "one_of": [ + "SHA256", + "SHA384", + "SHA512" + ] + } + }, + { + "response_digest_algorithm": { + "required": false, + "type": "string", + "default": "SHA256", + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", + "one_of": [ + "SHA256", + "SHA1" + ] + } + }, + { + "issuer": { + "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", + "required": true, + "type": "string" + } + }, + { + "nameid_format": { + "required": false, + "type": "string", + "default": "EmailAddress", + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", + "one_of": [ + "Unspecified", + "EmailAddress", + "Persistent", + "Transient" + ] + } + }, + { + "validate_assertion_signature": { + "default": true, + "description": "Enable signature validation for SAML responses.", + "required": false, + "type": "boolean" + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", + "required": false, + "type": "string" + } + }, + { + "session_secret": { + "len_max": 32, + "match": "^[0-9a-zA-Z/_+]+$", + "referenceable": true, + "type": "string", + "required": true, + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). 
It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "encrypted": true, + "len_min": 32 + } + }, + { + "session_audience": { + "default": "default", + "description": "The session audience, for example \"my-application\"", + "required": false, + "type": "string" + } + }, + { + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "required": false, + "type": "string" + } + }, + { + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions", + "required": false, + "type": "boolean" + } + }, + { + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name", + "required": false, + "type": "string" + } + }, + { + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Persistent session rolling timeout in seconds.", + "required": false, + "type": "number" + } + }, + { + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Persistent session absolute timeout in seconds.", + "required": false, + "type": "number" + } + }, + { + "session_idling_timeout": { + "default": 900, + "description": "The session cookie idle time in seconds.", + "required": false, + "type": "number" + } + }, + { + "session_rolling_timeout": { + "default": 3600, + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "required": false, + "type": "number" + } + }, + { + "session_absolute_timeout": { + "default": 86400, + "description": "The session cookie absolute timeout in seconds. 
Specifies how long the session can be used until it is no longer valid.", + "required": false, + "type": "number" + } + }, + { + "session_cookie_path": { + "required": false, + "type": "string", + "default": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "starts_with": "/" + } + }, + { + "session_cookie_domain": { + "description": "The session cookie domain flag.", + "required": false, + "type": "string" + } + }, + { + "session_cookie_same_site": { + "required": false, + "type": "string", + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "required": false, + "type": "boolean" + } + }, + { + "session_cookie_secure": { + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "required": false, + "type": "boolean" + } + }, + { + "session_request_headers": { + "elements": { + "type": "string", + "one_of": [ + "id", "audience", "subject", "timeout", @@ -342,12 +741,12 @@ "rolling-timeout", "absolute-timeout" ] - } + }, + "type": "set" } }, { "session_response_headers": { - "type": "set", "elements": { "type": "string", "one_of": [ 
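Review bot: The deprecation message added for the `session_redis_username` shorthand names the wrong field: it reads `saml: config.redis_host is deprecated, please use config.redis.host instead`, while its `replaced_with` path is `redis.username`. An operator following the message would migrate the wrong setting; the text should be `"message": "saml: config.session_redis_username is deprecated, please use config.redis.username instead"`. In the same hunk the `session_cookie_*`, `session_memcache_*`, `session_strategy`, `session_compressor` and `session_auth_ttl` shorthands carry an `openid-connect:` prefix although this is the saml schema, which can misdirect anyone searching logs for the plugin that emitted the warning. The `session_redis_password` shorthand is declared as a plain `string` without the `encrypted`/`referenceable` attributes that `redis.password` has further down; presumably the value is remapped before storage, but that is worth confirming. Since the file looks like a downloaded schema, these fixes likely belong in the upstream plugin schema rather than in this copy.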
@@ -359,15 +758,16 @@ "rolling-timeout", "absolute-timeout" ] - } + }, + "type": "set" } }, { "session_storage": { - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", "required": false, "type": "string", "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", "one_of": [ "cookie", "memcache", 
@@ -378,34 +778,34 @@ }, { "session_store_metadata": { - "required": false, - "type": "boolean", "default": false, - "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject." + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", + "required": false, + "type": "boolean" } }, { "session_enforce_same_subject": { - "required": false, - "type": "boolean", "default": false, - "description": "When set to `true`, audiences are forced to share the same subject." + "description": "When set to `true`, audiences are forced to share the same subject.", + "required": false, + "type": "boolean" } }, { "session_hash_subject": { - "required": false, - "type": "boolean", "default": false, - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "required": false, + "type": "boolean" } }, { "session_hash_storage_key": { - "required": false, - "type": "boolean", "default": false, - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "required": false, + "type": "boolean" } }, { 
@@ -424,19 +824,19 @@ }, { "session_memcached_host": { - "required": false, - "type": "string", "default": "127.0.0.1", - "description": "The memcached host." + "description": "The memcached host.", + "required": false, + "type": "string" } }, { "session_memcached_port": { - "required": false, "between": [ 0, 65535 ], + "required": false, "type": "integer", "default": 11211, "description": "An integer representing a port number between 0 and 65535, inclusive." 
@@ -444,56 +844,187 @@ }, { "redis": { - "fields": [ + "required": true, + "type": "record", + "entity_checks": [ { - "host": { - "type": "string", - "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com." - } + "mutually_required": [ + "host", + "port" + ] }, { - "port": { - "between": [ - 0, - 65535 - ], + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { "type": "integer", + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "cluster_addresses is deprecated, please 
use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" } }, { "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { @@ -505,10 +1036,10 @@ }, { "password": { + "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { 
@@ -520,27 +1051,27 @@ }, { "sentinel_password": { + "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer" } }, { "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 ], - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "default": 256, "type": "integer" } }, 
@@ -550,128 +1081,128 @@ 0, 2147483646 ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "type": "string" } }, { "sentinel_nodes": { "required": false, + "type": "array", "elements": { "fields": [ { "host": { - "required": true, - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } } ], "type": "record" }, - "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 } }, { "cluster_nodes": { "required": false, + "type": "array", "elements": { "fields": [ { "ip": { - "required": true, - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ "type": "integer" } } ], "type": "record" }, - "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 } }, { "ssl": { - "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis.", "default": false, - "required": false + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" } }, { "ssl_verify": { - "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, - "required": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" } }, { "server_name": { - "type": "string", "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false + "required": false, + "type": "string" } }, { "cluster_max_redirections": { - "type": "integer", - "description": "Maximum retry attempts for redirection.", "default": 5, - "required": false + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" } }, { "connection_is_proxied": { - "type": "boolean", - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "default": false, - "required": false + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" } }, { 
@@ -688,541 +1219,10 @@ "type": "string" } } - ], - "required": true, - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - }, - { - "cluster_addresses": { - "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - } ] } 
} - ], - "required": true, - "shorthand_fields": [ - { - "session_cookie_lifetime": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead" - }, - "type": "number" - } - }, - { - "session_cookie_idletime": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead" - }, - "type": "number" - } - }, - { - "session_cookie_samesite": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead" - }, - "type": "string" - } - }, - { - "session_cookie_httponly": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead" - }, - "type": "boolean" - } - }, - { - "session_memcache_prefix": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead" - }, - "type": "string" - } - }, - { - "session_memcache_socket": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead" - }, - "type": "string" - } - }, - { - "session_memcache_host": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead" - }, - "type": "string" - } - }, - { - "session_memcache_port": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead" - }, - "type": "integer" - 
} - }, - { - "session_cookie_renew": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_renew option does not exist anymore" - }, - "type": "number" - } - }, - { - "session_cookie_maxsize": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore" - }, - "type": "integer" - } - }, - { - "session_strategy": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_strategy option does not exist anymore" - }, - "type": "string" - } - }, - { - "session_compressor": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_compressor option does not exist anymore" - }, - "type": "string" - } - }, - { - "session_auth_ttl": { - "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_auth_ttl option does not exist anymore" - }, - "type": "number" - } - }, - { - "session_redis_prefix": { - "deprecation": { - "message": "saml: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "prefix" - ] - } - ] - }, - "type": "string" - } - }, - { - "session_redis_socket": { - "deprecation": { - "message": "saml: config.session_redis_socket is deprecated, please use config.redis.socket instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "socket" - ] - } - ] - }, - "type": "string" - } - }, - { - "session_redis_host": { - "deprecation": { - "message": "saml: config.session_redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "host" - ] - } - ] - }, - "type": "string" - } - }, - { - "session_redis_port": { - "deprecation": { - "message": "saml: config.session_redis_port is deprecated, please use 
config.redis.port instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "port" - ] - } - ] - }, - "type": "integer" - } - }, - { - "session_redis_username": { - "deprecation": { - "message": "saml: config.redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "username" - ] - } - ] - }, - "type": "string" - } - }, - { - "session_redis_password": { - "deprecation": { - "message": "saml: config.session_redis_password is deprecated, please use config.redis.password instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "password" - ] - } - ] - }, - "type": "string" - } - }, - { - "session_redis_connect_timeout": { - "deprecation": { - "message": "saml: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "connect_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "session_redis_read_timeout": { - "deprecation": { - "message": "saml: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "session_redis_send_timeout": { - "deprecation": { - "message": "saml: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "send_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "session_redis_ssl": { - "deprecation": { - "message": "saml: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "ssl" - ] - } - ] - }, - "type": "boolean" - } - }, - { - 
"session_redis_ssl_verify": { - "deprecation": { - "message": "saml: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "ssl_verify" - ] - } - ] - }, - "type": "boolean" - } - }, - { - "session_redis_server_name": { - "deprecation": { - "message": "saml: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "server_name" - ] - } - ] - }, - "type": "string" - } - }, - { - "session_redis_cluster_nodes": { - "deprecation": { - "message": "saml: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "cluster_nodes" - ] - } - ] - }, - "type": "array", - "elements": { - "fields": [ - { - "ip": { - "type": "string", - "description": "A string representing a host name, such as example.com.", - "default": "127.0.0.1", - "required": true - } - }, - { - "port": { - "between": [ - 0, - 65535 - ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
- } - } - ], - "type": "record" - } - } - }, - { - "session_redis_cluster_max_redirections": { - "deprecation": { - "message": "saml: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "cluster_max_redirections" - ] - } - ] - }, - "type": "integer" - } - }, - { - "session_redis_cluster_maxredirections": { - "deprecation": { - "message": "saml: config.session_redis_cluster_maxredirections is deprecated, please use config.redis.cluster_max_redirections instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "cluster_max_redirections" - ] - } - ] - }, - "type": "integer" - } - } - ], - "type": "record" + ] } } ] diff --git a/schemas/service-protection/3.9.x.json b/schemas/service-protection/3.9.x.json index 81dcf6ac..c53e3deb 100644 --- a/schemas/service-protection/3.9.x.json +++ b/schemas/service-protection/3.9.x.json @@ -12,30 +12,38 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "route": { "reference": "routes", - "type": "foreign", "eq": null, + "type": "foreign", "description": "A reference to the 'routes' table with a null value allowed." } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -44,15 +52,7 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { @@ -60,19 +60,19 @@ "fields": [ { "window_size": { - "required": true, - "type": "array", - "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" - } + }, + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "required": true, + "type": "array" } }, { "window_type": { + "default": "sliding", "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", "type": "string", - "default": "sliding", "one_of": [ "fixed", "sliding" @@ -81,12 +81,12 @@ }, { "limit": { - "required": true, - "type": "array", - "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" - } + }, + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "required": true, + "type": "array" } }, { 
@@ -98,17 +98,17 @@ { "namespace": { "auto": true, - "type": "string", "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", - "required": true + "required": true, + "type": "string" } }, { "strategy": { "required": true, - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "type": "string", "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "one_of": [ "cluster", "redis", 
@@ -118,86 +118,217 @@ }, { "dictionary_name": { - "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", - "type": "string", "default": "kong_rate_limiting_counters", - "required": true + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "required": true, + "type": "string" } }, { "lock_dictionary_name": { - "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. The shared dictionary should be declared in nginx-kong.conf.", - "type": "string", "default": "kong_locks", - "required": true + "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. The shared dictionary should be declared in nginx-kong.conf.", + "required": true, + "type": "string" } }, { "hide_client_headers": { - "type": "boolean", "default": false, - "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters." 
+ "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" } }, { "retry_after_jitter_max": { - "type": "number", "default": 0, - "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header." + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" } }, { "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use 
`connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], "fields": [ { "host": { - "type": "string", "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } }, { "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { @@ -209,10 +340,10 @@ }, { "password": { + "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { 
@@ -224,27 +355,27 @@ }, { "sentinel_password": { + "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer" } }, { "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 ], - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "default": 256, "type": "integer" } }, 
@@ -254,289 +385,158 @@ 0, 2147483646 ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string" + ] } }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "required": false, + "type": "array", "elements": { + "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } } - ], - "type": "record" + ] }, - "type": "array", - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "required": false, + "type": "array", "elements": { + "type": "record", "fields": [ { "ip": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ "type": "integer" } } - ], - "type": "record" + ] }, - "type": "array", - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, { "ssl": { - "required": false, - "description": "If set to true, uses SSL to connect to Redis.", "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, "type": "boolean" } }, { "ssl_verify": { - "required": false, - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, "type": "boolean" } }, { "server_name": { - "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, - "description": "A string representing an SNI (server name indication) value for TLS." + "type": "string" } }, { "cluster_max_redirections": { - "required": false, - "description": "Maximum retry attempts for redirection.", "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, "type": "integer" } }, { "connection_is_proxied": { - "required": false, - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, "type": "boolean" } } - ], - "required": true, - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - }, - { - "cluster_addresses": { - "deprecation": { - "message": "cluster_addresses is deprecated, 
please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - } ] } }, { "disable_penalty": { - "type": "boolean", "default": false, - "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type." + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", + "type": "boolean" } }, { "error_code": { - "gt": 0, - "type": "number", "default": 429, - "description": "Set a custom error code to return when the rate limit is exceeded." + "description": "Set a custom error code to return when the rate limit is exceeded.", + "gt": 0, + "type": "number" } }, { "error_message": { - "type": "string", "default": "API rate limit exceeded", - "description": "Set a custom error message to return when the rate limit is exceeded." + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/session/3.9.x.json b/schemas/session/3.9.x.json index 40ca6afc..cf9a5e2d 100644 --- a/schemas/session/3.9.x.json +++ b/schemas/session/3.9.x.json 
@@ -6,17 +6,24 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -28,23 +35,16 @@ "udp", "ws", "wss" - ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing protocols." + ], + "type": "string" + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -53,19 +53,19 @@ "fields": [ { "secret": { - "description": "The secret that is used in keyed HMAC generation.", + "encrypted": true, "referenceable": true, - "required": false, "type": "string", - "default": "tbCs8vALEOKU7zxCnd2EibmRkcxihN3zpbR62Uwo2Zky", - "encrypted": true + "default": "lt9BJW1n5RfhCxTbNIKqsj8THW7YNdXTA0VW6KQwBUwg", + "description": "The secret that is used in keyed HMAC generation.", + "required": false } }, { "storage": { + "default": "cookie", "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", "type": "string", - "default": "cookie", "one_of": [ "cookie", "kong" 
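Review bot: The `secret` field in the `@@ -53,19 +53,19 @@` hunk of schemas/session/3.9.x.json still publishes a concrete `default` for the key used in keyed HMAC generation; this commit only swaps one literal for another. The value differing between two pulls suggests it is generated per instance rather than being a fixed default. Recording it here is therefore misleading, and a config or tool that takes the default from this file ends up with a session-signing key that is public. I would have the download step omit `default` for fields marked `"encrypted": true`, leaving `"encrypted": true, "referenceable": true, "type": "string"` plus the description and `required`. If the plugin does generate a random secret when none is configured, the description should say so. The enclosing `config` record continues outside this hunk.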
@@ -74,64 +74,64 @@ }, { "audience": { - "type": "string", "default": "default", - "description": "The session audience, which is the intended target application. For example `\"my-application\"`." + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "type": "string" } }, { "idling_timeout": { - "type": "number", "default": 900, - "description": "The session cookie idle time, in seconds." + "description": "The session cookie idle time, in seconds.", + "type": "number" } }, { "rolling_timeout": { - "type": "number", "default": 3600, - "description": "The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed." + "description": "The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed.", + "type": "number" } }, { "absolute_timeout": { - "type": "number", "default": 86400, - "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid." + "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", + "type": "number" } }, { "stale_ttl": { - "type": "number", "default": 10, - "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one." + "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", + "type": "number" } }, { "cookie_name": { - "type": "string", "default": "session", - "description": "The name of the cookie." 
+ "description": "The name of the cookie.", + "type": "string" } }, { "cookie_path": { - "type": "string", "default": "/", - "description": "The resource in the host where the cookie is available." + "description": "The resource in the host where the cookie is available.", + "type": "string" } }, { "cookie_domain": { - "type": "string", - "description": "The domain with which the cookie is intended to be exchanged." + "description": "The domain with which the cookie is intended to be exchanged.", + "type": "string" } }, { "cookie_same_site": { + "default": "Strict", "description": "Determines whether and how a cookie may be sent with cross-site requests.", "type": "string", - "default": "Strict", "one_of": [ "Strict", "Lax", 
@@ -142,50 +142,48 @@ }, { "cookie_http_only": { - "type": "boolean", "default": true, - "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server." + "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", + "type": "boolean" } }, { "cookie_secure": { - "type": "boolean", "default": true, - "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol." + "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", + "type": "boolean" } }, { "remember": { - "type": "boolean", "default": false, - "description": "Enables or disables persistent sessions." + "description": "Enables or disables persistent sessions.", + "type": "boolean" } }, { "remember_cookie_name": { - "type": "string", "default": "remember", - "description": "Persistent session cookie name. Use with the `remember` configuration parameter." + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string" } }, { "remember_rolling_timeout": { - "type": "number", "default": 604800, - "description": "The persistent session rolling timeout window, in seconds." + "description": "The persistent session rolling timeout window, in seconds.", + "type": "number" } }, { "remember_absolute_timeout": { - "type": "number", "default": 2592000, - "description": "The persistent session absolute timeout limit, in seconds." + "description": "The persistent session absolute timeout limit, in seconds.", + "type": "number" } }, { "response_headers": { - "type": "set", - "description": "List of information to include, as headers, in the response to the downstream.", "elements": { "type": "string", "one_of": [ 
@@ -197,13 +195,13 @@ "rolling-timeout", "absolute-timeout" ] - } + }, + "description": "List of information to include, as headers, in the response to the downstream.", + "type": "set" } }, { "request_headers": { - "type": "set", - "description": "List of information to include, as headers, in the response to the downstream.", "elements": { "type": "string", "one_of": [ @@ -215,7 +213,9 @@ "rolling-timeout", "absolute-timeout" ] - } + }, + "description": "List of information to include, as headers, in the response to the downstream.", + "type": "set" } }, { @@ -226,12 +226,6 @@ }, { "logout_methods": { - "type": "set", - "description": "A set of HTTP methods that the plugin will respond to.", - "default": [ - "POST", - "DELETE" - ], "elements": { "type": "string", "one_of": [ @@ -239,25 +233,30 @@ "POST", "DELETE" ] - } + }, + "description": "A set of HTTP methods that the plugin will respond to.", + "default": [ + "POST", + "DELETE" + ], + "type": "set" } }, { "logout_query_arg": { - "type": "string", "default": "session_logout", - "description": "The query argument passed to logout requests." + "description": "The query argument passed to logout requests.", + "type": "string" } }, { "logout_post_arg": { - "type": "string", "default": "session_logout", - "description": "The POST argument passed to logout requests. Do not change this property." + "description": "The POST argument passed to logout requests. Do not change this property.", + "type": "string" } } ], - "type": "record", "shorthand_fields": [ { "cookie_lifetime": { @@ -295,7 +294,8 @@ } } ], - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/standard-webhooks/3.9.x.json b/schemas/standard-webhooks/3.9.x.json index f4ec3310..bf13b5b6 100644 --- a/schemas/standard-webhooks/3.9.x.json +++ b/schemas/standard-webhooks/3.9.x.json 
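Review bot: `request_headers` in the `@@ -215,7 +213,9 @@` hunk carries the same description as `response_headers`, "List of information to include, as headers, in the response to the downstream.", which reads like a copy-paste that this re-ordering keeps. Presumably these headers are added to the request forwarded to the upstream; if that is confirmed, the text should read `"List of information to include, as headers, in the request to the upstream."`. The direction matters to an operator deciding whether session metadata reaches the client or only the backend. Because the file is pulled from the API, the correction belongs in the plugin schema itself rather than in this copy.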
@@ -6,14 +6,22 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -22,15 +30,7 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { @@ -38,25 +38,25 @@ "fields": [ { "secret_v1": { + "encrypted": true, "required": true, - "referenceable": true, "type": "string", "description": "Webhook secret", - "encrypted": true + "referenceable": true } }, { "tolerance_second": { - "gt": -1, "required": true, "type": "integer", - "default": 300, - "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response." + "gt": -1, + "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response.", + "default": 300 } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/statsd-advanced/3.9.x.json b/schemas/statsd-advanced/3.9.x.json index 99b7a511..aafa408b 100644 --- a/schemas/statsd-advanced/3.9.x.json +++ b/schemas/statsd-advanced/3.9.x.json @@ -6,9 +6,16 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,23 +27,16 @@ "udp", "ws", "wss" - ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing protocols." + ], + "type": "string" + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -45,108 +45,175 @@ "fields": [ { "host": { - "type": "string", "default": "localhost", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 8125, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } }, { "prefix": { - "description": "String to prefix to each metric's name.", "default": "kong", + "description": "String to prefix to each metric's name.", "type": "string" } }, { "metrics": { - "description": "List of Metrics to be logged.", - "type": "array", "default": [ { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "request_count" }, { - "name": "latency", - "stat_type": "timer" + "stat_type": "timer", + "name": "latency" }, { - "name": "request_size", - "stat_type": "timer" + "stat_type": "timer", + "name": "request_size" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "status_count" }, { - "name": "response_size", - "stat_type": "timer" + "stat_type": "timer", + "name": "response_size" }, { - "name": "unique_users", - "stat_type": "set" + "stat_type": "set", + "name": "unique_users" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "request_per_user" }, { - "name": "upstream_latency", - "stat_type": "timer" + "stat_type": "timer", + "name": "upstream_latency" }, { - "name": "kong_latency", - "stat_type": "timer" + "stat_type": "timer", + "name": "kong_latency" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "status_count_per_user" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "status_count_per_workspace" }, { - "sample_rate": 1, "stat_type": "counter", + 
"sample_rate": 1, "name": "status_count_per_user_per_route" }, { - "sample_rate": 1, "stat_type": "gauge", + "sample_rate": 1, "name": "shdict_usage" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "cache_datastore_hits_total" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "cache_datastore_misses_total" } ], + "description": "List of Metrics to be logged.", "elements": { + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "unique_users" + ] + }, + "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "set" + } + } + }, + { + "conditional": { + "if_match": { + "one_of": [ + "request_count", + "status_count", + "request_per_user", + "status_count_per_user", + "status_count_per_workspace", + "status_count_per_user_per_route", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + }, + "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "counter" + } + } + }, + { + "conditional": { + "if_match": { + "one_of": [ + "shdict_usage" + ] + }, + "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "gauge" + } + } + }, + { + "conditional": { + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + } + } + } + ], "fields": [ { "name": { + "type": "string", + "required": true, "one_of": [ "kong_latency", "latency", @@ -163,13 +230,13 @@ "shdict_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" - ], - "type": "string", - "required": true + ] } }, { "stat_type": { + "type": "string", + "required": true, "one_of": [ "counter", "gauge", @@ -177,9 +244,7 @@ "meter", "set", "timer" - ], - "type": "string", - "required": true + ] } }, { 
@@ -219,117 +284,52 @@ } } ], - "type": "record", - "entity_checks": [ - { - "conditional": { - "if_match": { - "one_of": [ - "unique_users" - ] - }, - "then_field": "stat_type", - "if_field": "name", - "then_match": { - "eq": "set" - } - } - }, - { - "conditional": { - "if_match": { - "one_of": [ - "request_count", - "status_count", - "request_per_user", - "status_count_per_user", - "status_count_per_workspace", - "status_count_per_user_per_route", - "cache_datastore_hits_total", - "cache_datastore_misses_total" - ] - }, - "then_field": "stat_type", - "if_field": "name", - "then_match": { - "eq": "counter" - } - } - }, - { - "conditional": { - "if_match": { - "one_of": [ - "shdict_usage" - ] - }, - "then_field": "stat_type", - "if_field": "name", - "then_match": { - "eq": "gauge" - } - } - }, - { - "conditional": { - "if_match": { - "one_of": [ - "counter", - "gauge" - ] - }, - "then_field": "sample_rate", - "if_field": "stat_type", - "then_match": { - "required": true - } - } - } - ] - } + "type": "record" + }, + "type": "array" } }, { "allow_status_codes": { - "description": "List of status code ranges that are allowed to be logged in metrics.", - "type": "array", "elements": { - "match": "^[0-9]+-[0-9]+$", - "type": "string" - } + "type": "string", + "match": "^[0-9]+-[0-9]+$" + }, + "description": "List of status code ranges that are allowed to be logged in metrics.", + "type": "array" } }, { "udp_packet_size": { + "default": 0, + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", "between": [ 0, 65507 ], - "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. 
Must be a number between 0 and 65507 (inclusive).", - "default": 0, "type": "number" } }, { "use_tcp": { - "description": "Use TCP instead of UDP.", "default": false, + "description": "Use TCP instead of UDP.", "type": "boolean" } }, { "hostname_in_prefix": { - "description": "Include the `hostname` in the `prefix` for each metric name.", "default": false, + "description": "Include the `hostname` in the `prefix` for each metric name.", "type": "boolean" } }, { "consumer_identifier_default": { - "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", "required": true, "type": "string", "default": "custom_id", + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", "one_of": [ "consumer_id", "custom_id", @@ -339,10 +339,10 @@ }, { "service_identifier_default": { - "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", "required": true, "type": "string", "default": "service_name_or_host", + "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", "one_of": [ "service_id", "service_name", 
@@ -353,10 +353,10 @@ }, { "workspace_identifier_default": { - "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", "required": true, "type": "string", "default": "workspace_id", + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", "one_of": [ "workspace_id", "workspace_name" @@ -368,35 +368,35 @@ "fields": [ { "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 ], - "type": "integer", - "default": 1, - "description": "Maximum number of entries that can be processed at a time." + "type": "integer" } }, { "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 ], - "type": "number", - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + "type": "number" } }, { "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 ], - "type": "integer", - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue." + "type": "integer" } }, { 
@@ -407,52 +407,52 @@ }, { "max_retry_time": { - "type": "number", "default": 60, - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" } }, { "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 ], - "type": "number", - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch." + "type": "number" } }, { "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 ], - "type": "number", - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff." + "type": "number" } }, { "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "type": "integer", "one_of": [ -1, 1 - ], - "type": "integer", - "default": 1, - "description": "The number of of queue delivery timers. -1 indicates unlimited." + ] } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/statsd/3.9.x.json b/schemas/statsd/3.9.x.json index eb843f36..042741d2 100644 --- a/schemas/statsd/3.9.x.json +++ b/schemas/statsd/3.9.x.json @@ -6,9 +6,16 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,23 +27,16 @@ "udp", "ws", "wss" - ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing protocols." + ], + "type": "string" + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -45,113 +45,129 @@ "fields": [ { "host": { - "description": "The IP address or hostname of StatsD server to send data to.", "default": "localhost", + "description": "The IP address or hostname of StatsD server to send data to.", "type": "string" } }, { "port": { + "default": 8125, + "description": "The port of StatsD server to send data to.", "between": [ 0, 65535 ], - "description": "The port of StatsD server to send data to.", - "default": 8125, "type": "integer" } }, { "prefix": { - "type": "string", "default": "kong", - "description": "String to prefix to each metric's name." + "description": "String to prefix to each metric's name.", + "type": "string" } }, { "metrics": { - "type": "array", - "description": "List of metrics to be logged.", "default": [ { - "name": "request_count", "stat_type": "counter", - "sample_rate": 1 + "sample_rate": 1, + "name": "request_count" }, { - "name": "latency", - "stat_type": "timer" + "stat_type": "timer", + "name": "latency" }, { - "name": "request_size", "stat_type": "counter", - "sample_rate": 1 + "sample_rate": 1, + "name": "request_size" }, { - "name": "status_count", "stat_type": "counter", - "sample_rate": 1 + "sample_rate": 1, + "name": "status_count" }, { - "name": "response_size", "stat_type": "counter", - "sample_rate": 1 + "sample_rate": 1, + "name": "response_size" }, { - "name": "unique_users", - "stat_type": "set" + "stat_type": "set", + "name": "unique_users" }, { - "name": "request_per_user", "stat_type": "counter", - "sample_rate": 1 + "sample_rate": 1, + "name": "request_per_user" }, { - "name": "upstream_latency", - "stat_type": "timer" + "stat_type": "timer", + "name": "upstream_latency" }, { - "name": "kong_latency", - "stat_type": "timer" + "stat_type": "timer", + "name": "kong_latency" }, { - "name": "status_count_per_user", "stat_type": "counter", - "sample_rate": 1 + "sample_rate": 1, + "name": "status_count_per_user" }, { - "sample_rate": 1, "stat_type": "counter", - "name": 
"status_count_per_workspace" + "name": "status_count_per_workspace", + "sample_rate": 1 }, { - "name": "status_count_per_user_per_route", "stat_type": "counter", - "sample_rate": 1 + "sample_rate": 1, + "name": "status_count_per_user_per_route" }, { - "name": "shdict_usage", "stat_type": "gauge", - "sample_rate": 1 + "sample_rate": 1, + "name": "shdict_usage" }, { - "sample_rate": 1, "stat_type": "counter", - "name": "cache_datastore_hits_total" + "name": "cache_datastore_hits_total", + "sample_rate": 1 }, { - "sample_rate": 1, "stat_type": "counter", - "name": "cache_datastore_misses_total" + "name": "cache_datastore_misses_total", + "sample_rate": 1 } ], + "description": "List of metrics to be logged.", "elements": { + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + } + } + } + ], "fields": [ { "name": { - "required": true, "type": "string", "description": "StatsD metric’s name.", + "required": true, "one_of": [ "kong_latency", "latency", @@ -173,9 +189,9 @@ }, { "stat_type": { - "required": true, "type": "string", "description": "Determines what sort of event a metric represents.", + "required": true, "one_of": [ "counter", "gauge", 
@@ -189,83 +205,67 @@ { "sample_rate": { "gt": 0, - "type": "number", - "description": "Sampling rate" + "description": "Sampling rate", + "type": "number" } }, { "consumer_identifier": { + "description": "Authenticated user detail.", + "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ], - "type": "string", - "description": "Authenticated user detail." + ] } }, { "service_identifier": { + "description": "Service detail.", + "type": "string", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ], - "type": "string", - "description": "Service detail." + ] } }, { "workspace_identifier": { + "description": "Workspace detail.", + "type": "string", "one_of": [ "workspace_id", "workspace_name" - ], - "type": "string", - "description": "Workspace detail." + ] } } ], - "type": "record", - "entity_checks": [ - { - "conditional": { - "if_match": { - "one_of": [ - "counter", - "gauge" - ] - }, - "then_field": "sample_rate", - "if_field": "stat_type", - "then_match": { - "required": true - } - } - } - ] - } + "type": "record" + }, + "type": "array" } }, { "allow_status_codes": { - "type": "array", - "description": "List of status code ranges that are allowed to be logged in metrics.", "elements": { - "match": "^[0-9]+-[0-9]+$", - "type": "string" - } + "type": "string", + "match": "^[0-9]+-[0-9]+$" + }, + "description": "List of status code ranges that are allowed to be logged in metrics.", + "type": "array" } }, { "udp_packet_size": { + "default": 0, "between": [ 0, 65507 ], - "type": "number", - "default": 0 + "type": "number" } }, { @@ -282,9 +282,9 @@ }, { "consumer_identifier_default": { - "required": true, - "type": "string", "default": "custom_id", + "type": "string", + "required": true, "one_of": [ "consumer_id", "custom_id", 
@@ -294,9 +294,9 @@ }, { "service_identifier_default": { - "required": true, - "type": "string", "default": "service_name_or_host", + "type": "string", + "required": true, "one_of": [ "service_id", "service_name", @@ -307,9 +307,9 @@ }, { "workspace_identifier_default": { - "required": true, - "type": "string", "default": "workspace_id", + "type": "string", + "required": true, "one_of": [ "workspace_id", "workspace_name" @@ -318,44 +318,44 @@ }, { "retry_count": { + "type": "integer", "deprecation": { "old_default": 10, "message": "statsd: config.retry_count no longer works, please use config.queue.max_retry_time instead", "removal_in_version": "4.0" - }, - "type": "integer" + } } }, { "queue_size": { + "type": "integer", "deprecation": { "old_default": 1, "message": "statsd: config.queue_size is deprecated, please use config.queue.max_batch_size instead", "removal_in_version": "4.0" - }, - "type": "integer" + } } }, { "flush_timeout": { + "type": "number", "deprecation": { "old_default": 2, "message": "statsd: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", "removal_in_version": "4.0" - }, - "type": "number" + } } }, { "tag_style": { + "type": "string", + "required": false, "one_of": [ "dogstatsd", "influxdb", "librato", "signalfx" - ], - "type": "string", - "required": false + ] } }, { 
@@ -363,35 +363,35 @@ "fields": [ { "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 ], - "type": "integer", - "default": 1, - "description": "Maximum number of entries that can be processed at a time." + "type": "integer" } }, { "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 ], - "type": "number", - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + "type": "number" } }, { "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 ], - "type": "integer", - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue." + "type": "integer" } }, { 
@@ -402,52 +402,52 @@ }, { "max_retry_time": { - "type": "number", "default": 60, - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" } }, { "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 ], - "type": "number", - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch." + "type": "number" } }, { "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 ], - "type": "number", - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff." + "type": "number" } }, { "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "type": "integer", "one_of": [ -1, 1 - ], - "type": "integer", - "default": 1, - "description": "The number of of queue delivery timers. -1 indicates unlimited." + ] } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/syslog/3.9.x.json b/schemas/syslog/3.9.x.json index dcb804dc..27f2ac90 100644 --- a/schemas/syslog/3.9.x.json +++ b/schemas/syslog/3.9.x.json @@ -6,9 +6,16 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -20,23 +27,16 @@ "udp", "ws", "wss" - ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing protocols." + ], + "type": "string" + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -45,9 +45,9 @@ "fields": [ { "log_level": { - "required": true, - "type": "string", "default": "info", + "type": "string", + "required": true, "one_of": [ "debug", "info", @@ -62,9 +62,9 @@ }, { "successful_severity": { - "required": true, - "type": "string", "default": "info", + "type": "string", + "required": true, "one_of": [ "debug", "info", @@ -79,9 +79,9 @@ }, { "client_errors_severity": { - "required": true, - "type": "string", "default": "info", + "type": "string", + "required": true, "one_of": [ "debug", "info", @@ -96,9 +96,9 @@ }, { "server_errors_severity": { - "required": true, - "type": "string", "default": "info", + "type": "string", + "required": true, "one_of": [ "debug", "info", @@ -113,24 +113,24 @@ }, { "custom_fields_by_lua": { - "keys": { - "type": "string", - "len_min": 1 - }, - "type": "map", "description": "Lua code as a key-value map", "values": { "len_min": 1, "type": "string" - } + }, + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map" } }, { "facility": { "required": true, - "description": "The facility is used by the operating system to decide how to handle each log message.", "type": "string", "default": "user", + "description": "The facility is used by the operating system to decide how to handle each log message.", "one_of": [ "auth", "authpriv", @@ -156,8 +156,8 @@ } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/tcp-log/3.9.x.json b/schemas/tcp-log/3.9.x.json index 3c8ed554..e51f9399 100644 --- a/schemas/tcp-log/3.9.x.json 
+++ b/schemas/tcp-log/3.9.x.json @@ -6,9 +6,16 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -20,23 +27,16 @@ "udp", "ws", "wss" - ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing protocols." + ], + "type": "string" + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -45,8 +45,8 @@ "fields": [ { "host": { - "required": true, "description": "The IP address or host name to send data to.", + "required": true, "type": "string" } }, 
@@ -56,31 +56,31 @@ 0, 65535 ], - "required": true, "description": "The port to send data to on the upstream server.", + "required": true, "type": "integer" } }, { "timeout": { - "type": "number", "default": 10000, - "description": "An optional timeout in milliseconds when sending data to the upstream server." + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" } }, { "keepalive": { - "type": "number", "default": 60000, - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "number" } }, { "tls": { - "description": "Indicates whether to perform a TLS handshake against the remote server.", - "type": "boolean", "default": false, - "required": true + "description": "Indicates whether to perform a TLS handshake against the remote server.", + "required": true, + "type": "boolean" } }, { @@ -91,21 +91,21 @@ }, { "custom_fields_by_lua": { - "keys": { - "type": "string", - "len_min": 1 - }, "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", - "type": "map", "values": { "len_min": 1, "type": "string" - } + }, + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/tls-handshake-modifier/3.9.x.json b/schemas/tls-handshake-modifier/3.9.x.json index 9adc3a78..28e50f31 100644 --- a/schemas/tls-handshake-modifier/3.9.x.json +++ b/schemas/tls-handshake-modifier/3.9.x.json 
@@ -6,15 +6,13 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, - "type": "set", "default": [ "https", "grpcs" @@ -26,14 +24,16 @@ "grpcs", "tls" ] - } + }, + "required": true, + "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -42,18 +42,18 @@ "fields": [ { "tls_client_certificate": { - "description": "TLS Client Certificate", "required": false, "type": "string", "default": "REQUEST", + "description": "TLS Client Certificate", "one_of": [ "REQUEST" ] } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/tls-metadata-headers/3.9.x.json b/schemas/tls-metadata-headers/3.9.x.json index 085bf711..68ca8cad 100644 --- a/schemas/tls-metadata-headers/3.9.x.json +++ b/schemas/tls-metadata-headers/3.9.x.json @@ -6,15 +6,13 @@ { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "type": "set", - "required": true, "default": [ "https", "grpcs" @@ -26,14 +24,16 @@ "grpcs", "tls" ] - } + }, + "required": true, + "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -42,54 +42,54 @@ "fields": [ { "inject_client_cert_details": { - "type": "boolean", "default": false, - "description": "Enables TLS client certificate metadata values to be injected into HTTP headers." + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", + "type": "boolean" } }, { "client_cert_header_name": { - "type": "string", - "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", "default": "X-Client-Cert", - "required": true + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", + "required": true, + "type": "string" } }, { "client_serial_header_name": { - "type": "string", - "description": "Define the HTTP header name used for the serial number of the client certificate.", "default": "X-Client-Cert-Serial", - "required": true + "description": "Define the HTTP header name used for the serial number of the client certificate.", + "required": true, + "type": "string" } }, { "client_cert_issuer_dn_header_name": { - "type": "string", - "description": "Define the HTTP header name used for the issuer DN of the client certificate.", "default": "X-Client-Cert-Issuer-DN", - "required": true + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", + "required": true, + "type": "string" } }, { "client_cert_subject_dn_header_name": { - "type": "string", - "description": "Define the HTTP header name used for the subject DN of the client certificate.", "default": "X-Client-Cert-Subject-DN", - "required": true + "description": "Define the HTTP header name used for the subject DN of the client certificate.", + "required": true, + "type": "string" } }, { "client_cert_fingerprint_header_name": { - "type": "string", - "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", "default": "X-Client-Cert-Fingerprint", - "required": true + "description": 
"Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", + "required": true, + "type": "string" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/udp-log/3.9.x.json b/schemas/udp-log/3.9.x.json index 5f2d8c53..eae6394a 100644 --- a/schemas/udp-log/3.9.x.json +++ b/schemas/udp-log/3.9.x.json @@ -6,9 +6,16 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -20,23 +27,16 @@ "udp", "ws", "wss" - ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing protocols." + ], + "type": "string" + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -45,9 +45,9 @@ "fields": [ { "host": { - "type": "string", + "description": "A string representing a host name, such as example.com.", "required": true, - "description": "A string representing a host name, such as example.com." + "type": "string" } }, { 
@@ -56,35 +56,35 @@ 0, 65535 ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } }, { "timeout": { - "type": "number", "default": 10000, - "description": "An optional timeout in milliseconds when sending data to the upstream server." + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" } }, { "custom_fields_by_lua": { - "keys": { - "type": "string", - "len_min": 1 - }, - "type": "map", "description": "Lua code as a key-value map", "values": { "len_min": 1, "type": "string" - } + }, + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/upstream-oauth/3.9.x.json b/schemas/upstream-oauth/3.9.x.json index c7123240..484a5470 100644 --- a/schemas/upstream-oauth/3.9.x.json +++ b/schemas/upstream-oauth/3.9.x.json @@ -19,6 +19,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -27,15 +35,7 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { 
@@ -46,104 +46,104 @@ "fields": [ { "auth_method": { - "description": "The authentication method used in client requests to the IdP. Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", "required": true, + "type": "string", + "default": "client_secret_post", + "description": "The authentication method used in client requests to the IdP. Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", "one_of": [ "client_secret_post", "client_secret_basic", "client_secret_jwt", "none" - ], - "default": "client_secret_post", - "type": "string" + ] } }, { "client_secret_jwt_alg": { - "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", "required": true, + "type": "string", + "default": "HS512", + "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", "one_of": [ "HS512", "HS256" - ], - "default": "HS512", - "type": "string" + ] } }, { "http_version": { - "description": "The HTTP version used for requests made by this plugin. Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", - "type": "number", "default": 1.1, - "required": false + "description": "The HTTP version used for requests made by this plugin. 
Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", + "required": false, + "type": "number" } }, { "http_proxy": { - "required": false, "description": "The proxy to use when making HTTP requests to the IdP.", + "required": false, "type": "string" } }, { "http_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `http_proxy`.", "required": false, - "type": "string", - "description": "The `Proxy-Authorization` header value to be used with `http_proxy`." + "type": "string" } }, { "https_proxy": { - "required": false, "description": "The proxy to use when making HTTPS requests to the IdP.", + "required": false, "type": "string" } }, { "https_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `https_proxy`.", "required": false, - "type": "string", - "description": "The `Proxy-Authorization` header value to be used with `https_proxy`." + "type": "string" } }, { "no_proxy": { + "description": "A comma-separated list of hosts that should not be proxied.", "required": false, - "type": "string", - "description": "A comma-separated list of hosts that should not be proxied." + "type": "string" } }, { "timeout": { - "description": "Network I/O timeout for requests to the IdP in milliseconds.", "between": [ 0, 2147483646 ], + "required": true, "type": "integer", "default": 10000, - "required": true + "description": "Network I/O timeout for requests to the IdP in milliseconds." 
} }, { "keep_alive": { - "type": "boolean", - "description": "Whether to use keepalive connections to the IdP.", "default": true, - "required": true + "description": "Whether to use keepalive connections to the IdP.", + "required": true, + "type": "boolean" } }, { "ssl_verify": { - "type": "boolean", - "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", "default": false, - "required": false + "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", + "required": false, + "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { 
@@ -151,115 +151,115 @@ "fields": [ { "token_endpoint": { - "required": true, "description": "The token endpoint URI.", + "required": true, "type": "string" } }, { "token_headers": { - "keys": { - "description": "A string representing an HTTP header name.", - "type": "string" - }, - "type": "map", - "description": "Extra headers to be passed in the token endpoint request.", "values": { "referenceable": true, "type": "string" - } + }, + "description": "Extra headers to be passed in the token endpoint request.", + "keys": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "type": "map" } }, { "token_post_args": { - "keys": { + "values": { + "referenceable": true, "type": "string" }, - "type": "map", "description": "Extra post arguments to be passed in the token endpoint request.", - "values": { - "referenceable": true, + "keys": { "type": "string" - } + }, + "type": "map" } }, { "grant_type": { - "description": "The OAuth grant type to be used.", "required": true, + "type": "string", + "default": "client_credentials", + "description": "The OAuth grant type to be used.", "one_of": [ "client_credentials", "password" - ], - "default": "client_credentials", - "type": "string" + ] } }, { "client_id": { - "required": false, + "encrypted": true, "referenceable": true, "type": "string", "description": "The client ID for the application registration in the IdP.", - "encrypted": true + "required": false } }, { "client_secret": { - "required": false, + "encrypted": true, "referenceable": true, "type": "string", "description": "The client secret for the application registration in the IdP.", - "encrypted": true + "required": false } }, { "username": { - "required": false, + "encrypted": true, "referenceable": true, "type": "string", "description": "The username to use if `config.oauth.grant_type` is set to `password`.", - "encrypted": true + "required": false } }, { "password": { - "required": false, + "encrypted": true, "referenceable": 
true, "type": "string", "description": "The password to use if `config.oauth.grant_type` is set to `password`.", - "encrypted": true + "required": false } }, { "scopes": { "required": false, - "elements": { - "type": "string" - }, "type": "array", "default": [ "openid" ], - "description": "List of scopes to request from the IdP when obtaining a new token." + "description": "List of scopes to request from the IdP when obtaining a new token.", + "elements": { + "type": "string" + } } }, { "audience": { "required": false, - "elements": { - "type": "string" - }, "type": "array", "default": [ ], - "description": "List of audiences passed to the IdP when obtaining a new token." + "description": "List of audiences passed to the IdP when obtaining a new token.", + "elements": { + "type": "string" + } } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -267,14 +267,14 @@ "fields": [ { "strategy": { - "description": "The method Kong should use to cache tokens issued by the IdP.", "required": true, + "type": "string", + "default": "memory", + "description": "The method Kong should use to cache tokens issued by the IdP.", "one_of": [ "memory", "redis" - ], - "default": "memory", - "type": "string" + ] } }, { 
@@ -282,69 +282,200 @@ "fields": [ { "dictionary_name": { - "type": "string", - "description": "The shared dictionary used by the plugin to cache tokens if `config.cache.strategy` is set to `memory`.", "default": "kong_db_cache", - "required": true + "description": "The shared dictionary used by the plugin to cache tokens if `config.cache.strategy` is set to `memory`.", + "required": true, + "type": "string" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use 
sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], "fields": [ { "host": { - "type": "string", "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } }, { "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2." + "type": "integer" } }, { @@ -356,10 +487,10 @@ }, { "password": { + "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { @@ -371,27 +502,27 @@ }, { "sentinel_password": { + "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "type": "string", "referenceable": true, - "encrypted": true + "type": "string" } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer" } }, { "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 ], - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "default": 256, "type": "integer" } }, 
@@ -401,284 +532,153 @@ 0, 2147483646 ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string" + ] } }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "required": false, + "type": "array", "elements": { + "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } } - ], - "type": "record" + ] }, - "type": "array", - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "required": false, + "type": "array", "elements": { + "type": "record", "fields": [ { "ip": { - "type": "string", - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ "type": "integer" } } - ], - "type": "record" + ] }, - "type": "array", - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, { "ssl": { - "required": false, - "description": "If set to true, uses SSL to connect to Redis.", "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, "type": "boolean" } }, { "ssl_verify": { - "required": false, - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, "type": "boolean" } }, { "server_name": { - "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, - "description": "A string representing an SNI (server name indication) value for TLS." + "type": "string" } }, { "cluster_max_redirections": { - "required": false, - "description": "Maximum retry attempts for redirection.", "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, "type": "integer" } }, { "connection_is_proxied": { - "required": false, - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, "type": "boolean" } } - ], - "required": true, - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - }, - { - "cluster_addresses": { - "deprecation": { - "message": "cluster_addresses is deprecated, 
please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "type": "array", - "len_min": 1, - "elements": { - "type": "string" - } - } - } ] } }, { "eagerly_expire": { + "required": true, + "type": "integer", "gt": -1, "description": "The number of seconds to eagerly expire a cached token. By default, a cached token expires 5 seconds before its lifetime as defined in `expires_in`.", - "type": "integer", - "default": 5, - "required": true + "default": 5 } }, { "default_ttl": { - "gt": 0, - "description": "The lifetime of a token without an explicit `expires_in` value.", "default": 3600, + "description": "The lifetime of a token without an explicit `expires_in` value.", + "gt": 0, "type": "number" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { @@ -686,20 +686,20 @@ "fields": [ { "upstream_access_token_header_name": { - "description": "The name of the header used to send the access token (obtained from the IdP) to the upstream service.", - "len_min": 0, + "required": true, "type": "string", "default": "Authorization", - "required": true + "description": "The name of the header used to send the access token (obtained from the IdP) to the upstream service.", + "len_min": 0 } }, { "idp_error_response_status_code": { - "required": true, "between": [ 500, 599 ], + "required": true, "type": "integer", "default": 502, "description": "The response code to return to the consumer if Kong fails to obtain a token from the IdP." 
@@ -707,55 +707,55 @@ }, { "idp_error_response_content_type": { - "description": "The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP.", - "len_min": 0, + "required": true, "type": "string", "default": "application/json; charset=utf-8", - "required": true + "description": "The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "len_min": 0 } }, { "idp_error_response_message": { - "description": "The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", - "len_min": 0, + "required": true, "type": "string", "default": "Failed to authenticate request to upstream", - "required": true + "description": "The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "len_min": 0 } }, { "idp_error_response_body_template": { - "description": "The template to use to create the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", - "len_min": 0, + "required": true, "type": "string", "default": "{ \"code\": \"{{status}}\", \"message\": \"{{message}}\" }", - "required": true + "description": "The template to use to create the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "len_min": 0 } }, { "purge_token_on_upstream_status_codes": { - "description": "An array of status codes which will force an access token to be purged when returned by the upstream. An empty array will disable this functionality.", - "type": "array", "default": [ 401 ], + "description": "An array of status codes which will force an access token to be purged when returned by the upstream. 
An empty array will disable this functionality.", "elements": { "between": [ 100, 599 ], "type": "integer" - } + }, + "type": "array" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/upstream-timeout/3.9.x.json b/schemas/upstream-timeout/3.9.x.json index 50754606..d14b02ad 100644 --- a/schemas/upstream-timeout/3.9.x.json +++ b/schemas/upstream-timeout/3.9.x.json @@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -14,22 +22,14 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -42,8 +42,8 @@ 0, 2147483646 ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { @@ -52,8 +52,8 @@ 0, 2147483646 ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { 
@@ -62,13 +62,13 @@ 0, 2147483646 ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/vault-auth/3.9.x.json b/schemas/vault-auth/3.9.x.json index 6e311ded..d42bfd70 100644 --- a/schemas/vault-auth/3.9.x.json +++ b/schemas/vault-auth/3.9.x.json @@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -14,30 +22,22 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { "reference": "consumers", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -46,66 +46,66 @@ "fields": [ { "access_token_name": { - "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", - "elements": { - "description": "A string representing an HTTP header name.", - "type": "string" - }, + "required": true, "type": "string", "default": "access_token", - "required": true + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + } } }, { "secret_token_name": { - "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", - "elements": { - "description": "A string representing an HTTP header name.", - "type": "string" - }, + "required": true, "type": "string", "default": "secret_token", - "required": true + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. 
The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + } } }, { "vault": { "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", - "type": "foreign", + "reference": "vault_auth_vaults", "required": true, - "reference": "vault_auth_vaults" + "type": "foreign" } }, { "hide_credentials": { - "type": "boolean", "default": false, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it." + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", + "type": "boolean" } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." 
} }, { "tokens_in_body": { - "type": "boolean", "default": false, - "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." + "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" } }, { "run_on_preflight": { - "type": "boolean", "default": true, - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed." + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/websocket-size-limit/3.9.x.json b/schemas/websocket-size-limit/3.9.x.json index c2e27b6e..6e1e3593 100644 --- a/schemas/websocket-size-limit/3.9.x.json +++ b/schemas/websocket-size-limit/3.9.x.json @@ -5,8 +5,6 @@ "fields": [ { "protocols": { - "type": "set", - "required": true, "default": [ "ws", "wss" @@ -17,19 +15,29 @@ "ws", "wss" ] - } + }, + "required": true, + "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "entity_checks": [ + { + "at_least_one_of": [ + "client_max_payload", + "upstream_max_payload" + ] + } + ], "fields": [ { "client_max_payload": { 
@@ -37,8 +45,8 @@ 1, 33554432 ], - "type": "integer", - "required": false + "required": false, + "type": "integer" } }, { @@ -47,21 +55,13 @@ 1, 33554432 ], - "type": "integer", - "required": false + "required": false, + "type": "integer" } } ], - "type": "record", - "entity_checks": [ - { - "at_least_one_of": [ - "client_max_payload", - "upstream_max_payload" - ] - } - ], - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/websocket-validator/3.9.x.json b/schemas/websocket-validator/3.9.x.json index 8ab02969..4bbf094d 100644 --- a/schemas/websocket-validator/3.9.x.json +++ b/schemas/websocket-validator/3.9.x.json @@ -5,8 +5,6 @@ "fields": [ { "protocols": { - "type": "set", - "required": true, "default": [ "ws", "wss" @@ -17,31 +15,63 @@ "ws", "wss" ] - } + }, + "required": true, + "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "entity_checks": [ + { + "at_least_one_of": [ + "client", + "upstream" + ] + } + ], "fields": [ { "client": { + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } + ], + "type": "record", + "required": false, "fields": [ { "text": { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "type": "record", + "required": false, "fields": [ { "type": { - "required": true, "type": "string", "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "required": true, "one_of": [ "draft4" ] @@ -54,8 +84,11 @@ "type": "string" } } - ], - "type": "record", + ] + } + }, + { + "binary": { "entity_checks": [ { "custom_entity_check": { 
@@ -66,17 +99,14 @@ } } ], - "required": false - } - }, - { - "binary": { + "type": "record", + "required": false, "fields": [ { "type": { - "required": true, "type": "string", "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "required": true, "one_of": [ "draft4" ] @@ -89,23 +119,14 @@ "type": "string" } } - ], - "type": "record", - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "type", - "schema" - ] - } - } - ], - "required": false + ] } } - ], - "type": "record", + ] + } + }, + { + "upstream": { "entity_checks": [ { "at_least_one_of": [ @@ -114,20 +135,29 @@ ] } ], - "required": false - } - }, - { - "upstream": { + "type": "record", + "required": false, "fields": [ { "text": { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "type": "record", + "required": false, "fields": [ { "type": { - "required": true, "type": "string", "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "required": true, "one_of": [ "draft4" ] @@ -140,8 +170,11 @@ "type": "string" } } - ], - "type": "record", + ] + } + }, + { + "binary": { "entity_checks": [ { "custom_entity_check": { @@ -152,17 +185,14 @@ } } ], - "required": false - } - }, - { - "binary": { + "type": "record", + "required": false, "fields": [ { "type": { - "required": true, "type": "string", "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "required": true, "one_of": [ "draft4" ] 
@@ -175,45 +205,15 @@ "type": "string" } } - ], - "type": "record", - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "type", - "schema" - ] - } - } - ], - "required": false + ] } } - ], - "type": "record", - "entity_checks": [ - { - "at_least_one_of": [ - "text", - "binary" - ] - } - ], - "required": false + ] } } ], - "type": "record", - "entity_checks": [ - { - "at_least_one_of": [ - "client", - "upstream" - ] - } - ], - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/xml-threat-protection/3.9.x.json b/schemas/xml-threat-protection/3.9.x.json index b6b4af74..5a48ae6a 100644 --- a/schemas/xml-threat-protection/3.9.x.json +++ b/schemas/xml-threat-protection/3.9.x.json @@ -6,6 +6,14 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -14,286 +22,278 @@ "http", "https" ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing HTTP protocols." + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { + "entity_checks": [ + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "max_namespaces", + "if_field": "namespace_aware", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "prefix", + "if_field": "namespace_aware", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "namespaceuri", + "if_field": "namespace_aware", + "then_match": { + "required": true + } + } + } + ], "fields": [ { "checked_content_types": { - "description": "A list of Content-Type values with payloads that must be validated.", - "elements": { - "required": true, - "match": "^[^%s]+%/[^ ;]+$", - "type": "string" - }, + "required": true, "type": "set", "default": [ "application/xml" ], - "required": true + "description": "A list of Content-Type values with payloads that must be validated.", + "elements": { + "match": "^[^%s]+%/[^ ;]+$", + "required": true, + "type": "string" + } } }, { "allowed_content_types": { - "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", - "elements": { - "required": true, - "match": "^[^%s]+%/[^ ;]+$", - "type": "string" - }, + "required": true, "type": "set", "default": [ ], - "required": true + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", + "elements": { + "match": "^[^%s]+%/[^ ;]+$", + "required": true, + "type": "string" + } } }, { "allow_dtd": { - "description": "Indicates whether an XML 
Document Type Definition (DTD) section is allowed.", - "type": "boolean", "default": false, - "required": true + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", + "required": true, + "type": "boolean" } }, { "namespace_aware": { - "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", - "type": "boolean", "default": true, - "required": true + "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", + "required": true, + "type": "boolean" } }, { "max_depth": { - "gt": 0, "required": true, "type": "integer", - "default": 50, - "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level." + "gt": 0, + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", + "default": 50 } }, { "max_children": { - "gt": 0, "required": true, "type": "integer", - "default": 100, - "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child." + "gt": 0, + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", + "default": 100 } }, { "max_attributes": { - "gt": 0, "required": true, "type": "integer", - "default": 100, - "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes." 
+ "gt": 0, + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", + "default": 100 } }, { "max_namespaces": { - "gt": 0, "required": false, "type": "integer", - "default": 20, - "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware." + "gt": 0, + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", + "default": 20 } }, { "document": { - "gt": 0, "required": true, "type": "integer", - "default": 10485760, - "description": "Maximum size of the entire document." + "gt": 0, + "description": "Maximum size of the entire document.", + "default": 10485760 } }, { "buffer": { - "gt": 0, "required": true, "type": "integer", - "default": 1048576, - "description": "Maximum size of the unparsed buffer (see below)." + "gt": 0, + "description": "Maximum size of the unparsed buffer (see below).", + "default": 1048576 } }, { "comment": { - "gt": 0, "required": true, "type": "integer", - "default": 1024, - "description": "Maximum size of comments." + "gt": 0, + "description": "Maximum size of comments.", + "default": 1024 } }, { "localname": { - "gt": 0, "required": true, "type": "integer", - "default": 1024, - "description": "Maximum size of the localname. This applies to tags and attributes." + "gt": 0, + "description": "Maximum size of the localname. This applies to tags and attributes.", + "default": 1024 } }, { "prefix": { - "gt": 0, "required": false, "type": "integer", - "default": 1024, - "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware." + "gt": 0, + "description": "Maximum size of the prefix. This applies to tags and attributes. 
This value is required if parsing is namespace-aware.", + "default": 1024 } }, { "namespaceuri": { - "gt": 0, "required": false, "type": "integer", - "default": 1024, - "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware." + "gt": 0, + "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware.", + "default": 1024 } }, { "attribute": { - "gt": 0, "required": true, "type": "integer", - "default": 1048576, - "description": "Maximum size of the attribute value." + "gt": 0, + "description": "Maximum size of the attribute value.", + "default": 1048576 } }, { "text": { - "gt": 0, "required": true, "type": "integer", - "default": 1048576, - "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined)." + "gt": 0, + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", + "default": 1048576 } }, { "pitarget": { - "gt": 0, "required": true, "type": "integer", - "default": 1024, - "description": "Maximum size of processing instruction targets." + "gt": 0, + "description": "Maximum size of processing instruction targets.", + "default": 1024 } }, { "pidata": { - "gt": 0, "required": true, "type": "integer", - "default": 1024, - "description": "Maximum size of processing instruction data." + "gt": 0, + "description": "Maximum size of processing instruction data.", + "default": 1024 } }, { "entityname": { - "gt": 0, "required": true, "type": "integer", - "default": 1024, - "description": "Maximum size of entity names in EntityDecl." + "gt": 0, + "description": "Maximum size of entity names in EntityDecl.", + "default": 1024 } }, { "entity": { - "gt": 0, "required": true, "type": "integer", - "default": 1024, - "description": "Maximum size of entity values in EntityDecl." 
+ "gt": 0, + "description": "Maximum size of entity values in EntityDecl.", + "default": 1024 } }, { "entityproperty": { - "gt": 0, "required": true, "type": "integer", - "default": 1024, - "description": "Maximum size of systemId, publicId, or notationName in EntityDecl." + "gt": 0, + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", + "default": 1024 } }, { "bla_max_amplification": { - "gt": 1, "required": true, "type": "number", - "default": 100, - "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack." + "gt": 1, + "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", + "default": 100 } }, { "bla_threshold": { - "gt": 1024, "required": true, "type": "integer", - "default": 8388608, - "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack." - } - } - ], - "type": "record", - "entity_checks": [ - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "max_namespaces", - "if_field": "namespace_aware", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "prefix", - "if_field": "namespace_aware", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "namespaceuri", - "if_field": "namespace_aware", - "then_match": { - "required": true - } + "gt": 1024, + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", + "default": 8388608 } } ], - "required": true + "required": true, + "type": "record" } } ] diff --git a/schemas/zipkin/3.9.x.json b/schemas/zipkin/3.9.x.json index add0c14a..f08c4023 100644 --- a/schemas/zipkin/3.9.x.json +++ b/schemas/zipkin/3.9.x.json 
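Review bot: Every size limit and all three `conditional` entity checks in the `@@ -14,286 +22,278 @@` hunk of schemas/xml-threat-protection/3.9.x.json are removed and re-added with what appear to be identical values, so the hunk is key-order churn from the export rather than a schema change. For a plugin whose fields are parser limits (`max_depth`, `document`, `bla_max_amplification`, `bla_threshold`), that makes a genuinely changed default or a dropped check hard to tell apart from a moved key. The download step should write the files in a canonical key order, for example by piping the API response through `jq -S .`, so later schema pulls show only real differences. The same reordering-only pattern is visible in the upstream-timeout, vault-auth, websocket-size-limit, websocket-validator and zipkin hunks on this page.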
@@ -6,9 +6,16 @@ { "protocols": { "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -20,23 +27,16 @@ "udp", "ws", "wss" - ] - }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "description": "A set of strings representing protocols." + ], + "type": "string" + } } }, { "consumer_group": { "reference": "consumer_groups", - "type": "foreign", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -45,27 +45,27 @@ "fields": [ { "local_service_name": { - "description": "The name of the service as displayed in Zipkin.", - "type": "string", "default": "kong", - "required": true + "description": "The name of the service as displayed in Zipkin.", + "required": true, + "type": "string" } }, { "http_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { "sample_ratio": { + "default": 0.001, + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", "between": [ 0, 1 ], - "type": "number", - "default": 0.001, - "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. " + "type": "number" } }, { 
@@ -76,18 +76,18 @@ }, { "include_credential": { - "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", - "type": "boolean", "default": true, - "required": true + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", + "required": true, + "type": "boolean" } }, { "traceid_byte_count": { "required": true, - "description": "The length in bytes of each request's Trace ID.", "type": "integer", "default": 16, + "description": "The length in bytes of each request's Trace ID.", "one_of": [ 8, 16 @@ -97,12 +97,9 @@ { "header_type": { "required": true, + "type": "string", + "default": "preserve", "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", - "deprecation": { - "old_default": "preserve", - "message": "zipkin: config.header_type is deprecated, please use config.propagation options instead", - "removal_in_version": "4.0" - }, "one_of": [ "preserve", "ignore", 
@@ -115,19 +112,19 @@ "datadog", "gcp" ], - "default": "preserve", - "type": "string" + "deprecation": { + "old_default": "preserve", + "message": "zipkin: config.header_type is deprecated, please use config.propagation options instead", + "removal_in_version": "4.0" + } } }, { "default_header_type": { "required": true, + "type": "string", + "default": "b3", "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", - "deprecation": { - "old_default": "b3", - "message": "zipkin: config.default_header_type is deprecated, please use config.propagation.default_format instead", - "removal_in_version": "4.0" - }, "one_of": [ "b3", "b3-single", @@ -138,27 +135,28 @@ "datadog", "gcp" ], - "default": "b3", - "type": "string" + "deprecation": { + "old_default": "b3", + "message": "zipkin: config.default_header_type is deprecated, please use config.propagation.default_format instead", + "removal_in_version": "4.0" + } } }, { "tags_header": { - "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", - "type": "string", "default": "Zipkin-Tags", - "required": true + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", + "required": true, + "type": "string" } }, { "static_tags": { - "description": "The tags specified on this property will be added to the generated request traces.", - "type": "array", "elements": { + "type": "record", "fields": [ { "name": { - "required": true, "not_one_of": [ "error", "http.method", 
@@ -174,26 +172,28 @@ "lc", "peer.hostname" ], + "required": true, "type": "string" } }, { "value": { - "type": "string", - "required": true + "required": true, + "type": "string" } } - ], - "type": "record" - } + ] + }, + "description": "The tags specified on this property will be added to the generated request traces.", + "type": "array" } }, { "http_span_name": { "required": true, - "description": "Specify whether to include the HTTP path in the span name.", "type": "string", "default": "method", + "description": "Specify whether to include the HTTP path in the span name.", "one_of": [ "method", "method_path" @@ -202,35 +202,35 @@ }, { "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer", - "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { 
@@ -241,9 +241,9 @@ { "phase_duration_flavor": { "required": true, - "description": "Specify whether to include the duration of each phase as an annotation or a tag.", "type": "string", "default": "annotations", + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", "one_of": [ "annotations", "tags" @@ -255,35 +255,35 @@ "fields": [ { "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 ], - "type": "integer", - "default": 1, - "description": "Maximum number of entries that can be processed at a time." + "type": "integer" } }, { "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 ], - "type": "number", - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + "type": "number" } }, { "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 ], - "type": "integer", - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue." + "type": "integer" } }, { 
@@ -294,127 +294,127 @@ }, { "max_retry_time": { - "type": "number", "default": 60, - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" } }, { "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 ], - "type": "number", - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch." + "type": "number" } }, { "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", "between": [ 0.001, 1000000 ], - "type": "number", - "default": 60, - "description": "Maximum time in seconds between retries, caps exponential backoff." + "type": "number" } }, { "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "type": "integer", "one_of": [ -1, 1 - ], - "type": "integer", - "default": 1, - "description": "The number of of queue delivery timers. -1 indicates unlimited." + ] } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } }, { "propagation": { + "default": { + "default_format": "b3" + }, "fields": [ { "extract": { - "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", - "type": "array", "elements": { "type": "string", "one_of": [ - "b3", "gcp", "jaeger", "aws", "ot", "w3c", - "datadog" + "datadog", + "b3" ] - } + }, + "description": "Header formats used to extract tracing context from incoming requests. 
If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "type": "array" } }, { "clear": { - "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", - "type": "array", "elements": { "type": "string" - } + }, + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", + "type": "array" } }, { "inject": { - "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", - "type": "array", "elements": { "type": "string", "one_of": [ "preserve", - "b3", "gcp", "b3-single", "jaeger", "aws", "ot", "w3c", - "datadog" + "datadog", + "b3" ] - } + }, + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. 
If left empty, Kong will not inject any tracing context information in outgoing requests.", + "type": "array" } }, { "default_format": { - "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", "type": "string", + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "required": true, "one_of": [ - "b3", "gcp", "b3-single", "jaeger", "aws", "ot", "w3c", - "datadog" - ], - "required": true + "datadog", + "b3" + ] } } ], - "type": "record", - "default": { - "default_format": "b3" - }, - "required": true + "required": true, + "type": "record" } } ], - "type": "record", - "required": true + "required": true, + "type": "record" } } ] From fd566b72e9e95b7230314227e104d11d0bcd7ae2 Mon Sep 17 00:00:00 2001 From: fabianrbz <715229+fabianrbz@users.noreply.github.com> Date: Tue, 3 Dec 2024 07:48:29 +0000 Subject: [PATCH 098/165] Referenceable fields for 3.9.x --- data/referenceable_fields/3.9.x.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/data/referenceable_fields/3.9.x.json b/data/referenceable_fields/3.9.x.json index dfc72c2a..d74a28ee 100644 --- a/data/referenceable_fields/3.9.x.json +++ b/data/referenceable_fields/3.9.x.json 
@@ -193,6 +193,8 @@ "config.v2_strategies.openid_connect.config.redis.password", "config.v2_strategies.openid_connect.config.redis.sentinel_username", "config.v2_strategies.openid_connect.config.redis.sentinel_password", + "config.v2_strategies.openid_connect.config.http_proxy_authorization", + "config.v2_strategies.openid_connect.config.https_proxy_authorization", "config.v2_strategies.openid_connect.config.cluster_cache_redis.username", "config.v2_strategies.openid_connect.config.cluster_cache_redis.password", "config.v2_strategies.openid_connect.config.cluster_cache_redis.sentinel_username", @@ -230,6 +232,8 @@ "config.redis.password", "config.redis.sentinel_username", "config.redis.sentinel_password", + "config.http_proxy_authorization", + "config.https_proxy_authorization", "config.cluster_cache_redis.username", "config.cluster_cache_redis.password", "config.cluster_cache_redis.sentinel_username", @@ -285,6 +289,12 @@ "config.redis.sentinel_username", "config.redis.sentinel_password" ], + "service-protection": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], "session": [ "config.secret" ], From 7b56923eed594df89d3efa30a06ba03eb0d9a3fd Mon Sep 17 00:00:00 2001 From: Lucie Milan <32450552+lmilan@users.noreply.github.com> Date: Tue, 3 Dec 2024 17:38:33 +0100 Subject: [PATCH 099/165] limit and window size examples (#75) --- examples/ai-rate-limiting-advanced/_3.9.x.yaml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/examples/ai-rate-limiting-advanced/_3.9.x.yaml b/examples/ai-rate-limiting-advanced/_3.9.x.yaml index 9831356c..1eab87de 100644 --- a/examples/ai-rate-limiting-advanced/_3.9.x.yaml +++ b/examples/ai-rate-limiting-advanced/_3.9.x.yaml 
@@ -2,8 +2,14 @@ name: ai-rate-limiting-advanced config: llm_providers: - name: openai - limit: 1000 - window_size: 3600 + limit: + - 1000 + - 10000 + window_size: + - 3600 + - 60 - name: mistral - limit: 100 - window_size: 60 + limit: + - 100 + window_size: + - 60 From b0750e9741364f55c2cbf0e47e3200a907998071 Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Tue, 3 Dec 2024 17:40:04 +0100 Subject: [PATCH 100/165] Pass kong-image-name to plugin priorities (#80) * Pass kong-image-name to plugin priorities * Plugin Priorities for 3.9.x * Fix oss plugin-priorities * Generate oss plugin priorities --------- Co-authored-by: fabianrbz <715229+fabianrbz@users.noreply.github.com> --- .github/reusable-steps/run-kong-oss/action.yml | 5 ++++- .github/workflows/generate-plugin-priorities.yml | 10 ++++++++++ data/priorities/ee/3.9.x.json | 5 ++++- data/priorities/oss/3.9.x.json | 5 +++-- 4 files changed, 21 insertions(+), 4 deletions(-) diff --git a/.github/reusable-steps/run-kong-oss/action.yml b/.github/reusable-steps/run-kong-oss/action.yml index a8a1a749..681a2067 100644 --- a/.github/reusable-steps/run-kong-oss/action.yml +++ b/.github/reusable-steps/run-kong-oss/action.yml @@ -4,6 +4,9 @@ inputs: required: true description: | Kong Docker image tag to run, 3.6.1. + kong-image-name: + description: | + Kong Docker image name to use, e.g. kong-gateway, kong-gateway-dev. runs: using: composite @@ -15,6 +18,6 @@ runs: env: KONG_PLUGINS: 'bundled' KONG_IMAGE_TAG: ${{ inputs.kong-image-tag }} - KONG_IMAGE_NAME: 'kong' + KONG_IMAGE_NAME: ${{ inputs.kong-image-name || 'kong' }} run: | ./quickstart.sh -e "KONG_PLUGINS" -e "KONG_IMAGE_TAG" -e "KONG_IMAGE_NAME" diff --git a/.github/workflows/generate-plugin-priorities.yml b/.github/workflows/generate-plugin-priorities.yml index f4b200ba..5a3817db 100644 --- a/.github/workflows/generate-plugin-priorities.yml +++ b/.github/workflows/generate-plugin-priorities.yml 
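Review bot: The new `kong-image-name` input in `.github/reusable-steps/run-kong-oss/action.yml` (hunk `@@ -4,6 +4,9 @@`) has no `required:` key and no documented default. The value actually used when it is empty appears only in the expression `${{ inputs.kong-image-name || 'kong' }}` in hunk `@@ -15,6 +18,6 @@`. Neither example in the description (`kong-gateway`, `kong-gateway-dev`) is that fallback value, so a reader cannot tell which image this action pulls and runs when the caller leaves the input blank. I would add `required: false` and change the description to `Kong Docker image name to use, e.g. kong, kong-gateway-dev. Falls back to kong when empty.` Passing the value to `quickstart.sh` through `env:` rather than interpolating it into `run:` is the right shape and should stay that way.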
@@ -20,6 +20,14 @@ on: - oss - ee description: Whether the API running is the OSS or Enterprise version + kong-image-name: + type: choice + description: | + Kong Docker image name to use, e.g. kong-gateway, kong-gateway-dev. + options: + - kong-gateway + - kong-gateway-dev + - kong jobs: generate-plugin-priorities: @@ -35,11 +43,13 @@ jobs: with: op-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} kong-image-tag: ${{ github.event.inputs.kong-image-tag }} + kong-image-name: ${{ github.event.inputs.kong-image-name }} - name: Run Kong OSS if: ${{ github.event.inputs.kong-edition == 'oss' }} uses: ./.github/reusable-steps/run-kong-oss with: kong-image-tag: ${{ github.event.inputs.kong-image-tag }} + kong-image-name: ${{ github.event.inputs.kong-image-name }} - name: Run generate_plugin_priorities run: | bundle exec ./plugins generate_plugin_priorities --type=${{ github.event.inputs.kong-edition }} --version=${{ github.event.inputs.version }} --verbose diff --git a/data/priorities/ee/3.9.x.json b/data/priorities/ee/3.9.x.json index b51f6e2a..75c7cb74 100644 --- a/data/priorities/ee/3.9.x.json +++ b/data/priorities/ee/3.9.x.json @@ -27,6 +27,7 @@ "header-cert-auth": 1009, "json-threat-protection": 1009, "xml-threat-protection": 1008, + "injection-protection": 1007, "websocket-validator": 1006, "websocket-size-limit": 1003, "request-validator": 999, @@ -37,6 +38,7 @@ "request-size-limiting": 951, "acl": 950, "opa": 920, + "service-protection": 915, "rate-limiting": 910, "rate-limiting-advanced": 910, "ai-rate-limiting-advanced": 905, @@ -50,6 +52,7 @@ "response-transformer": 800, "response-transformer-advanced": 800, "route-transformer-advanced": 780, + "redirect": 779, "ai-request-transformer": 777, "ai-semantic-prompt-guard": 775, "ai-azure-content-safety": 774, 
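Review bot: The `kong-image-name` choice added in hunk `@@ -20,6 +20,14 @@` has no `default:`, and its first option is `kong-gateway`. As far as I know, the dispatch form preselects the first option of a choice input. If so, a run with `kong-edition: oss` and the image field left untouched reaches `run-kong-oss` with `kong-gateway`, and the `|| 'kong'` fallback in that action applies only when the value arrives empty. The generated priorities file would then be labelled `oss` while coming from a different image. I would state the intent explicitly with `default: kong-gateway` and `required: true`, and add a short guard step that fails when the edition and image name disagree. The `type: choice` list is also the only allow-list for which image gets pulled, since the composite action itself accepts any string, so it is worth a comment such as `# allow-list of images this workflow may run`.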
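Review bot: In hunk `@@ -35,11 +43,13 @@` the first `with:` block (the one carrying `op-token`) now passes `kong-image-name`, but the commit's diffstat lists only `run-kong-oss/action.yml` among the action definitions. If the action used by that step does not already declare a `kong-image-name` input, GitHub will, I believe, log an unexpected-input warning and ignore the value. The Enterprise run would then keep whatever image name that action hard-codes, regardless of the dispatch choice. Either declare the input in that action as well, or drop `kong-image-name: ${{ github.event.inputs.kong-image-name }}` from that step. The step's `name:` and `uses:` lines are outside the hunk, so this should be confirmed against the full workflow.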
@@ -58,7 +61,7 @@ "ai-prompt-guard": 771, "ai-proxy": 770, "ai-proxy-advanced": 770, - "ai-response-transformer": 769, + "ai-response-transformer": 768, "ai-semantic-cache": 765, "standard-webhooks": 760, "upstream-oauth": 760, diff --git a/data/priorities/oss/3.9.x.json b/data/priorities/oss/3.9.x.json index 039222ef..b5b4aa12 100644 --- a/data/priorities/oss/3.9.x.json +++ b/data/priorities/oss/3.9.x.json @@ -1,5 +1,6 @@ { "pre-function": 1000000, + "correlation-id": 100001, "zipkin": 100000, "bot-detection": 2500, "cors": 2000, @@ -19,12 +20,13 @@ "response-ratelimiting": 900, "request-transformer": 801, "response-transformer": 800, + "redirect": 779, "ai-request-transformer": 777, "ai-prompt-template": 773, "ai-prompt-decorator": 772, "ai-prompt-guard": 771, "ai-proxy": 770, - "ai-response-transformer": 769, + "ai-response-transformer": 768, "standard-webhooks": 760, "aws-lambda": 750, "azure-functions": 749, @@ -41,6 +43,5 @@ "syslog": 4, "grpc-web": 3, "request-termination": 2, - "correlation-id": 1, "post-function": -1000 } \ No newline at end of file From a68699173ab7d466a540ab9313837670b3750728 Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Wed, 4 Dec 2024 17:07:04 +0100 Subject: [PATCH 101/165] Revert "limit and window size examples (#75)" (#83) This reverts commit 7b56923eed594df89d3efa30a06ba03eb0d9a3fd. --- examples/ai-rate-limiting-advanced/_3.9.x.yaml | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/examples/ai-rate-limiting-advanced/_3.9.x.yaml b/examples/ai-rate-limiting-advanced/_3.9.x.yaml index 1eab87de..9831356c 100644 --- a/examples/ai-rate-limiting-advanced/_3.9.x.yaml +++ b/examples/ai-rate-limiting-advanced/_3.9.x.yaml @@ -2,14 +2,8 @@ name: ai-rate-limiting-advanced config: llm_providers: - name: openai - limit: - - 1000 - - 10000 - window_size: - - 3600 - - 60 + limit: 1000 + window_size: 3600 - name: mistral - limit: - - 100 - window_size: - - 60 + limit: 100 + window_size: 60 
From 74a6908173ee9d98c5f697207c2f5e103f752c8e Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Wed, 4 Dec 2024 08:07:20 -0800 Subject: [PATCH 102/165] generate redirect plugin schema + example (#82) --- examples/redirect/_3.9.x.yaml | 3 ++ schemas/redirect/3.9.x.json | 61 +++++++++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+) create mode 100644 examples/redirect/_3.9.x.yaml create mode 100644 schemas/redirect/3.9.x.json diff --git a/examples/redirect/_3.9.x.yaml b/examples/redirect/_3.9.x.yaml new file mode 100644 index 00000000..5c02d0ed --- /dev/null +++ b/examples/redirect/_3.9.x.yaml @@ -0,0 +1,3 @@ +name: redirect +config: + location: "https://example.com" \ No newline at end of file diff --git a/schemas/redirect/3.9.x.json b/schemas/redirect/3.9.x.json new file mode 100644 index 00000000..32153288 --- /dev/null +++ b/schemas/redirect/3.9.x.json @@ -0,0 +1,61 @@ +{ + "entity_checks": [], + "fields": [ + { + "protocols": { + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "set", + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "status_code": { + "between": [ + 100, + 599 + ], + "default": 301, + "type": "integer", + "required": true, + "description": "The response code to send. Must be an integer between 100 and 599." + } + }, + { + "location": { + "type": "string", + "required": true, + "description": "The URL to redirect to" + } + }, + { + "keep_incoming_path": { + "type": "boolean", + "default": false, + "description": "Use the incoming request's path and query string in the redirect URL" + } + } + ] + } + } + ] +} \ No newline at end of file From 32c68fdd864b6fb35fbe0e6dab045ce005ab744d Mon Sep 17 00:00:00 2001 
From: kong-docs <116832528+kong-docs@users.noreply.github.com> Date: Thu, 5 Dec 2024 21:28:18 +0100 Subject: [PATCH 103/165] Copy latest schemas to 3.10.x (#84) Co-authored-by: fabianrbz <715229+fabianrbz@users.noreply.github.com> --- schemas/acl/3.10.x.json | 106 + schemas/acme/3.10.x.json | 623 +++ schemas/ai-azure-content-safety/3.10.x.json | 176 + schemas/ai-prompt-decorator/3.10.x.json | 126 + schemas/ai-prompt-guard/3.10.x.json | 104 + schemas/ai-prompt-template/3.10.x.json | 88 + schemas/ai-proxy-advanced/3.10.x.json | 1344 +++++++ schemas/ai-proxy/3.10.x.json | 608 +++ schemas/ai-rate-limiting-advanced/3.10.x.json | 592 +++ schemas/ai-request-transformer/3.10.x.json | 692 ++++ schemas/ai-response-transformer/3.10.x.json | 692 ++++ schemas/ai-semantic-cache/3.10.x.json | 689 ++++ schemas/ai-semantic-prompt-guard/3.10.x.json | 704 ++++ schemas/app-dynamics/3.10.x.json | 46 + schemas/application-registration/3.10.x.json | 108 + schemas/aws-lambda/3.10.x.json | 273 ++ schemas/azure-functions/3.10.x.json | 125 + schemas/basic-auth/3.10.x.json | 78 + schemas/bot-detection/3.10.x.json | 79 + schemas/canary/3.10.x.json | 190 + schemas/confluent/3.10.x.json | 253 ++ schemas/correlation-id/3.10.x.json | 73 + schemas/cors/3.10.x.json | 143 + schemas/datadog-tracing/3.10.x.json | 103 + schemas/datadog/3.10.x.json | 361 ++ schemas/degraphql/3.10.x.json | 68 + schemas/exit-transformer/3.10.x.json | 68 + schemas/file-log/3.10.x.json | 83 + schemas/forward-proxy/3.10.x.json | 171 + .../graphql-proxy-cache-advanced/3.10.x.json | 463 +++ .../3.10.x.json | 530 +++ schemas/grpc-gateway/3.10.x.json | 59 + schemas/grpc-web/3.10.x.json | 74 + schemas/header-cert-auth/3.10.x.json | 229 ++ schemas/hmac-auth/3.10.x.json | 132 + schemas/http-log/3.10.x.json | 260 ++ schemas/injection-protection/3.10.x.json | 159 + schemas/ip-restriction/3.10.x.json | 85 + schemas/jq/3.10.x.json | 197 + schemas/json-threat-protection/3.10.x.json | 164 + schemas/jwe-decrypt/3.10.x.json | 86 + 
schemas/jwt-signer/3.10.x.json | 997 +++++ schemas/jwt/3.10.x.json | 160 + schemas/kafka-log/3.10.x.json | 280 ++ schemas/kafka-upstream/3.10.x.json | 302 ++ schemas/key-auth-enc/3.10.x.json | 118 + schemas/key-auth/3.10.x.json | 123 + schemas/konnect-application-auth/3.10.x.json | 3271 +++++++++++++++ schemas/ldap-auth-advanced/3.10.x.json | 243 ++ schemas/ldap-auth/3.10.x.json | 178 + schemas/loggly/3.10.x.json | 173 + schemas/mocking/3.10.x.json | 131 + schemas/mtls-auth/3.10.x.json | 210 + schemas/oas-validation/3.10.x.json | 170 + schemas/oauth2-introspection/3.10.x.json | 167 + schemas/oauth2/3.10.x.json | 221 + schemas/opa/3.10.x.json | 147 + schemas/openid-connect/3.10.x.json | 3558 +++++++++++++++++ schemas/opentelemetry/3.10.x.json | 367 ++ schemas/post-function/3.10.x.json | 228 ++ schemas/pre-function/3.10.x.json | 228 ++ schemas/prometheus/3.10.x.json | 94 + schemas/proxy-cache-advanced/3.10.x.json | 573 +++ schemas/proxy-cache/3.10.x.json | 205 + schemas/rate-limiting-advanced/3.10.x.json | 599 +++ schemas/rate-limiting/3.10.x.json | 474 +++ schemas/redirect/3.10.x.json | 61 + schemas/request-size-limiting/3.10.x.json | 73 + schemas/request-termination/3.10.x.json | 81 + .../request-transformer-advanced/3.10.x.json | 337 ++ schemas/request-transformer/3.10.x.json | 280 ++ schemas/request-validator/3.10.x.json | 189 + schemas/response-ratelimiting/3.10.x.json | 439 ++ .../response-transformer-advanced/3.10.x.json | 350 ++ schemas/response-transformer/3.10.x.json | 259 ++ schemas/route-by-header/3.10.x.json | 78 + .../route-transformer-advanced/3.10.x.json | 75 + schemas/saml/3.10.x.json | 1229 ++++++ schemas/service-protection/3.10.x.json | 543 +++ schemas/session/3.10.x.json | 302 ++ schemas/standard-webhooks/3.10.x.json | 63 + schemas/statsd-advanced/3.10.x.json | 459 +++ schemas/statsd/3.10.x.json | 454 +++ schemas/syslog/3.10.x.json | 164 + schemas/tcp-log/3.10.x.json | 112 + schemas/tls-handshake-modifier/3.10.x.json | 60 + 
schemas/tls-metadata-headers/3.10.x.json | 96 + schemas/udp-log/3.10.x.json | 91 + schemas/upstream-oauth/3.10.x.json | 762 ++++ schemas/upstream-timeout/3.10.x.json | 75 + schemas/vault-auth/3.10.x.json | 112 + schemas/websocket-size-limit/3.10.x.json | 68 + schemas/websocket-validator/3.10.x.json | 220 + schemas/xml-threat-protection/3.10.x.json | 300 ++ schemas/zipkin/3.10.x.json | 421 ++ 95 files changed, 32174 insertions(+) create mode 100644 schemas/acl/3.10.x.json create mode 100644 schemas/acme/3.10.x.json create mode 100644 schemas/ai-azure-content-safety/3.10.x.json create mode 100644 schemas/ai-prompt-decorator/3.10.x.json create mode 100644 schemas/ai-prompt-guard/3.10.x.json create mode 100644 schemas/ai-prompt-template/3.10.x.json create mode 100644 schemas/ai-proxy-advanced/3.10.x.json create mode 100644 schemas/ai-proxy/3.10.x.json create mode 100644 schemas/ai-rate-limiting-advanced/3.10.x.json create mode 100644 schemas/ai-request-transformer/3.10.x.json create mode 100644 schemas/ai-response-transformer/3.10.x.json create mode 100644 schemas/ai-semantic-cache/3.10.x.json create mode 100644 schemas/ai-semantic-prompt-guard/3.10.x.json create mode 100644 schemas/app-dynamics/3.10.x.json create mode 100644 schemas/application-registration/3.10.x.json create mode 100644 schemas/aws-lambda/3.10.x.json create mode 100644 schemas/azure-functions/3.10.x.json create mode 100644 schemas/basic-auth/3.10.x.json create mode 100644 schemas/bot-detection/3.10.x.json create mode 100644 schemas/canary/3.10.x.json create mode 100644 schemas/confluent/3.10.x.json create mode 100644 schemas/correlation-id/3.10.x.json create mode 100644 schemas/cors/3.10.x.json create mode 100644 schemas/datadog-tracing/3.10.x.json create mode 100644 schemas/datadog/3.10.x.json create mode 100644 schemas/degraphql/3.10.x.json create mode 100644 schemas/exit-transformer/3.10.x.json create mode 100644 schemas/file-log/3.10.x.json create mode 100644 schemas/forward-proxy/3.10.x.json 
create mode 100644 schemas/graphql-proxy-cache-advanced/3.10.x.json create mode 100644 schemas/graphql-rate-limiting-advanced/3.10.x.json create mode 100644 schemas/grpc-gateway/3.10.x.json create mode 100644 schemas/grpc-web/3.10.x.json create mode 100644 schemas/header-cert-auth/3.10.x.json create mode 100644 schemas/hmac-auth/3.10.x.json create mode 100644 schemas/http-log/3.10.x.json create mode 100644 schemas/injection-protection/3.10.x.json create mode 100644 schemas/ip-restriction/3.10.x.json create mode 100644 schemas/jq/3.10.x.json create mode 100644 schemas/json-threat-protection/3.10.x.json create mode 100644 schemas/jwe-decrypt/3.10.x.json create mode 100644 schemas/jwt-signer/3.10.x.json create mode 100644 schemas/jwt/3.10.x.json create mode 100644 schemas/kafka-log/3.10.x.json create mode 100644 schemas/kafka-upstream/3.10.x.json create mode 100644 schemas/key-auth-enc/3.10.x.json create mode 100644 schemas/key-auth/3.10.x.json create mode 100644 schemas/konnect-application-auth/3.10.x.json create mode 100644 schemas/ldap-auth-advanced/3.10.x.json create mode 100644 schemas/ldap-auth/3.10.x.json create mode 100644 schemas/loggly/3.10.x.json create mode 100644 schemas/mocking/3.10.x.json create mode 100644 schemas/mtls-auth/3.10.x.json create mode 100644 schemas/oas-validation/3.10.x.json create mode 100644 schemas/oauth2-introspection/3.10.x.json create mode 100644 schemas/oauth2/3.10.x.json create mode 100644 schemas/opa/3.10.x.json create mode 100644 schemas/openid-connect/3.10.x.json create mode 100644 schemas/opentelemetry/3.10.x.json create mode 100644 schemas/post-function/3.10.x.json create mode 100644 schemas/pre-function/3.10.x.json create mode 100644 schemas/prometheus/3.10.x.json create mode 100644 schemas/proxy-cache-advanced/3.10.x.json create mode 100644 schemas/proxy-cache/3.10.x.json create mode 100644 schemas/rate-limiting-advanced/3.10.x.json create mode 100644 schemas/rate-limiting/3.10.x.json create mode 100644 
schemas/redirect/3.10.x.json create mode 100644 schemas/request-size-limiting/3.10.x.json create mode 100644 schemas/request-termination/3.10.x.json create mode 100644 schemas/request-transformer-advanced/3.10.x.json create mode 100644 schemas/request-transformer/3.10.x.json create mode 100644 schemas/request-validator/3.10.x.json create mode 100644 schemas/response-ratelimiting/3.10.x.json create mode 100644 schemas/response-transformer-advanced/3.10.x.json create mode 100644 schemas/response-transformer/3.10.x.json create mode 100644 schemas/route-by-header/3.10.x.json create mode 100644 schemas/route-transformer-advanced/3.10.x.json create mode 100644 schemas/saml/3.10.x.json create mode 100644 schemas/service-protection/3.10.x.json create mode 100644 schemas/session/3.10.x.json create mode 100644 schemas/standard-webhooks/3.10.x.json create mode 100644 schemas/statsd-advanced/3.10.x.json create mode 100644 schemas/statsd/3.10.x.json create mode 100644 schemas/syslog/3.10.x.json create mode 100644 schemas/tcp-log/3.10.x.json create mode 100644 schemas/tls-handshake-modifier/3.10.x.json create mode 100644 schemas/tls-metadata-headers/3.10.x.json create mode 100644 schemas/udp-log/3.10.x.json create mode 100644 schemas/upstream-oauth/3.10.x.json create mode 100644 schemas/upstream-timeout/3.10.x.json create mode 100644 schemas/vault-auth/3.10.x.json create mode 100644 schemas/websocket-size-limit/3.10.x.json create mode 100644 schemas/websocket-validator/3.10.x.json create mode 100644 schemas/xml-threat-protection/3.10.x.json create mode 100644 schemas/zipkin/3.10.x.json diff --git a/schemas/acl/3.10.x.json b/schemas/acl/3.10.x.json new file mode 100644 index 00000000..ddcf7860 --- /dev/null +++ b/schemas/acl/3.10.x.json 
@@ -0,0 +1,106 @@ +{ + "entity_checks": [ + { + "only_one_of": [ + "config.allow", + "config.deny" + ] + }, + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "allow": { + "elements": { + "type": "string" + }, + "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "type": "array" + } + }, + { + "deny": { + "elements": { + "type": "string" + }, + "description": "Arbitrary group names that are not allowed to consume the service or route. 
One of `config.allow` or `config.deny` must be specified.", + "type": "array" + } + }, + { + "hide_groups_header": { + "default": false, + "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", + "required": true, + "type": "boolean" + } + }, + { + "include_consumer_groups": { + "default": false, + "description": "If enabled (`true`), allows the consumer-groups to be used in the `allow|deny` fields", + "required": false, + "type": "boolean" + } + }, + { + "always_use_authenticated_groups": { + "default": false, + "description": "If enabled (`true`), the authenticated groups will always be used even when an authenticated consumer already exists. If the authenticated groups don't exist, it will fallback to use the groups associated with the consumer. By default the authenticated groups will only be used when there is no consumer or the consumer is anonymous.", + "required": true, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/acme/3.10.x.json b/schemas/acme/3.10.x.json new file mode 100644 index 00000000..677bf267 --- /dev/null +++ b/schemas/acme/3.10.x.json 
@@ -0,0 +1,623 @@ +{ + "entity_checks": [ + { + "conditional": { + "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", + "if_match": { + "one_of": [ + "https://acme-v02.api.letsencrypt.org", + "https://acme-staging-v02.api.letsencrypt.org" + ] + }, + "then_field": "config.tos_accepted", + "if_field": "config.api_uri", + "then_match": { + "eq": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.storage_config.redis.host", + "if_field": "config.storage", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.storage_config.redis.port", + "if_field": "config.storage", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.storage" + ] + } + } + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "service": { + "reference": "services", + "eq": null, + "type": "foreign", + "description": "A reference to the 'services' table with a null value allowed." + } + }, + { + "route": { + "reference": "routes", + "eq": null, + "type": "foreign", + "description": "A reference to the 'routes' table with a null value allowed." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." 
+ } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "account_email": { + "encrypted": true, + "match": "%w*%p*@+%w*%.?%w*", + "required": true, + "type": "string", + "description": "The account identifier. Can be reused in a different plugin instance.", + "referenceable": true + } + }, + { + "account_key": { + "type": "record", + "description": "The private key associated with the account.", + "required": false, + "fields": [ + { + "key_id": { + "description": "The Key ID.", + "required": true, + "type": "string" + } + }, + { + "key_set": { + "type": "string", + "description": "The ID of the key set to associate the Key ID with." + } + } + ] + } + }, + { + "api_uri": { + "default": "https://acme-v02.api.letsencrypt.org/directory", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + { + "tos_accepted": { + "default": false, + "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", + "type": "boolean" + } + }, + { + "eab_kid": { + "encrypted": true, + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", + "referenceable": true, + "type": "string" + } + }, + { + "eab_hmac_key": { + "encrypted": true, + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", + "referenceable": true, + "type": "string" + } + }, + { + "cert_type": { + "default": "rsa", + "description": "The certificate type to create. 
The possible values are `rsa` for RSA certificate or `ecc` for EC certificate.", + "type": "string", + "one_of": [ + "rsa", + "ecc" + ] + } + }, + { + "rsa_key_size": { + "default": 4096, + "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", + "type": "number", + "one_of": [ + 2048, + 3072, + 4096 + ] + } + }, + { + "renew_threshold_days": { + "default": 14, + "description": "Days remaining to renew the certificate before it expires.", + "type": "number" + } + }, + { + "domains": { + "elements": { + "match_all": [ + { + "err": "invalid wildcard: must have at most one wildcard", + "pattern": "^[^*]*%*?[^*]*$" + } + ], + "type": "string", + "match_any": { + "err": "invalid wildcard: must be placed at leftmost or rightmost label", + "patterns": [ + "^%*%.", + "%.%*$", + "^[^*]*$" + ] + } + }, + "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", + "type": "array" + } + }, + { + "allow_any_domain": { + "default": false, + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", + "type": "boolean" + } + }, + { + "fail_backoff_minutes": { + "default": 5, + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", + "type": "number" + } + }, + { + "storage": { + "default": "shm", + "description": "The backend storage type to use. In DB-less mode and Konnect, `kong` storage is unavailable. In hybrid mode and Konnect, `shm` storage is unavailable. 
`shm` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `kong`, `redis`, `consul`, or `vault` in production.", + "type": "string", + "one_of": [ + "kong", + "shm", + "redis", + "consul", + "vault" + ] + } + }, + { + "storage_config": { + "fields": [ + { + "shm": { + "fields": [ + { + "shm_name": { + "default": "kong", + "description": "Name of shared memory zone used for Kong API gateway storage", + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "kong": { + "fields": [ + + ], + "required": true, + "type": "record" + } + }, + { + "redis": { + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "len_min": 0 + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "extra_options": { + "type": "record", + "description": "Custom ACME Redis options", + "required": true, + "fields": [ + { + "namespace": { + "required": true, + "type": "string", + "default": "", + "description": "A namespace to prepend to all keys stored in Redis.", + "len_min": 0 + } + }, + { + "scan_count": { + "default": 10, + "description": "The number of keys to return in Redis SCAN calls.", + "required": false, + "type": "number" + } + } + ] + } + } + ], + "shorthand_fields": [ + { + "auth": { + "type": "string", + "deprecation": { + "message": "acme: config.storage_config.redis.auth is deprecated, please use config.storage_config.redis.password instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "password" + ] + } + ] + }, + "len_min": 0 + } + }, + { + "ssl_server_name": { + "deprecation": { + "message": "acme: config.storage_config.redis.ssl_server_name is deprecated, please use config.storage_config.redis.server_name instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + 
"path": [ + "server_name" + ] + } + ] + }, + "type": "string" + } + }, + { + "namespace": { + "type": "string", + "deprecation": { + "message": "acme: config.storage_config.redis.namespace is deprecated, please use config.storage_config.redis.extra_options.namespace instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "extra_options", + "namespace" + ] + } + ] + }, + "len_min": 0 + } + }, + { + "scan_count": { + "deprecation": { + "message": "acme: config.storage_config.redis.scan_count is deprecated, please use config.storage_config.redis.extra_options.scan_count instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "extra_options", + "scan_count" + ] + } + ] + }, + "type": "integer" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "consul": { + "fields": [ + { + "https": { + "default": false, + "description": "Boolean representation of https.", + "type": "boolean" + } + }, + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "kv_path": { + "type": "string", + "description": "KV prefix path." + } + }, + { + "timeout": { + "type": "number", + "description": "Timeout in milliseconds." + } + }, + { + "token": { + "description": "Consul ACL token.", + "referenceable": true, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "vault": { + "fields": [ + { + "https": { + "default": false, + "description": "Boolean representation of https.", + "type": "boolean" + } + }, + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "kv_path": { + "type": "string", + "description": "KV prefix path." + } + }, + { + "timeout": { + "type": "number", + "description": "Timeout in milliseconds." + } + }, + { + "token": { + "description": "Consul ACL token.", + "referenceable": true, + "type": "string" + } + }, + { + "tls_verify": { + "default": true, + "description": "Turn on TLS verification.", + "type": "boolean" + } + }, + { + "tls_server_name": { + "type": "string", + "description": "SNI used in request, default to host if omitted." + } + }, + { + "auth_method": { + "default": "token", + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", + "type": "string", + "one_of": [ + "token", + "kubernetes" + ] + } + }, + { + "auth_path": { + "type": "string", + "description": "Vault's authentication path to use." + } + }, + { + "auth_role": { + "type": "string", + "description": "The role to try and assign." + } + }, + { + "jwt_path": { + "type": "string", + "description": "The path to the JWT." + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "preferred_chain": { + "description": "A string value that specifies the preferred certificate chain to use when generating certificates.", + "type": "string" + } + }, + { + "enable_ipv4_common_name": { + "default": true, + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-azure-content-safety/3.10.x.json b/schemas/ai-azure-content-safety/3.10.x.json new file mode 100644 index 00000000..0752c460 --- /dev/null +++ b/schemas/ai-azure-content-safety/3.10.x.json 
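Review bot: The `token` fields under `config.storage_config.consul` and `config.storage_config.vault` are marked `referenceable` but not `encrypted`, while `storage_config.redis.password`, `eab_hmac_key` and `account_email` in the same schema carry `"encrypted": true`. A token entered as a literal value would presumably be stored without the field-level encryption the other secrets get, so I would add `"encrypted": true,` to both `token` records. The vault `token` description also reads `Consul ACL token.`, which looks copied from the consul record and should name Vault instead. These files appear to be pulled from the API, so the change likely belongs in the plugin schema upstream rather than in this file.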
@@ -0,0 +1,176 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "content_safety_url": { + "referenceable": true, + "description": "Full URL, inc protocol, of the Azure Content Safety instance.", + "required": true, + "type": "string" + } + }, + { + "azure_api_version": { + "required": true, + "type": "string", + "default": "2023-10-01", + "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format.", + "len_min": 1 + } + }, + { + "azure_use_managed_identity": { + "default": false, + "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity", + "type": "boolean" + } + }, + { + "azure_client_id": { + "description": "If `azure_use_managed_identity` is true, set the client ID if required.", + "required": false, + "type": "string" + } + }, + { + "azure_client_secret": { + "description": "If `azure_use_managed_identity` is true, set the client secret if required.", + "required": false, + "type": "string" + } + }, + { + "azure_tenant_id": { + "description": "If `azure_use_managed_identity` is true, set the tenant ID if required.", + "required": false, + "type": "string" + } + }, + { + "content_safety_key": { + 
"encrypted": true, + "required": false, + "type": "string", + "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.", + "referenceable": true + } + }, + { + "text_source": { + "default": "concatenate_all_content", + "description": "Select where to pick the 'text' for the Azure Content Services request.", + "type": "string", + "one_of": [ + "concatenate_all_content", + "concatenate_user_content" + ] + } + }, + { + "categories": { + "elements": { + "type": "record", + "required": true, + "fields": [ + { + "name": { + "required": true, + "type": "string" + } + }, + { + "rejection_level": { + "required": true, + "type": "integer" + } + } + ] + }, + "description": "Array of categories, and their thresholds, to measure on.", + "type": "array" + } + }, + { + "reveal_failure_reason": { + "default": true, + "description": "Set true to tell the caller why their request was rejected, if so.", + "type": "boolean" + } + }, + { + "output_type": { + "default": "FourSeverityLevels", + "description": "See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter#content-filtering-categories", + "type": "string", + "one_of": [ + "FourSeverityLevels", + "EightSeverityLevels" + ] + } + }, + { + "blocklist_names": { + "elements": { + "type": "string" + }, + "description": "Use these configured blocklists (in Azure Content Services) when inspecting content.", + "type": "array" + } + }, + { + "halt_on_blocklist_hit": { + "default": true, + "description": "Tells Azure to reject the request if any blocklist filter is hit.", + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-prompt-decorator/3.10.x.json b/schemas/ai-prompt-decorator/3.10.x.json new file mode 100644 index 00000000..4002199f --- /dev/null +++ b/schemas/ai-prompt-decorator/3.10.x.json 
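Review bot: `config.azure_client_secret` is declared with only `description`, `required` and `type`, so it is neither `encrypted` nor `referenceable`. By contrast, `content_safety_key` just below it has both, and the ai-proxy-advanced schema further down this patch marks its own `azure_client_secret` with `"encrypted": true` and `"referenceable": true`. The same two attributes should be set here, and `"referenceable": true` on `azure_client_id` and `azure_tenant_id` as ai-proxy-advanced does, so the secret can come from a vault reference instead of a stored literal. The `content_safety_key` description says the key is set when `azure_use_managed_identity` is true, which looks inverted; confirm against the plugin and reword. As the file appears to be pulled from the API, the fix likely has to land in the plugin schema upstream.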
@@ -0,0 +1,126 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.prompts.prepend", + "config.prompts.append" + ] + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "prompts": { + "type": "record", + "required": false, + "fields": [ + { + "prepend": { + "len_max": 15, + "required": false, + "type": "array", + "elements": { + "type": "record", + "required": false, + "fields": [ + { + "role": { + "default": "system", + "type": "string", + "required": true, + "one_of": [ + "system", + "assistant", + "user" + ] + } + }, + { + "content": { + "len_max": 500, + "type": "string", + "required": true, + "len_min": 1 + } + } + ] + }, + "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages." + } + }, + { + "append": { + "len_max": 15, + "required": false, + "type": "array", + "elements": { + "type": "record", + "required": false, + "fields": [ + { + "role": { + "default": "system", + "type": "string", + "required": true, + "one_of": [ + "system", + "assistant", + "user" + ] + } + }, + { + "content": { + "len_max": 500, + "type": "string", + "required": true, + "len_min": 1 + } + } + ] + }, + "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages." + } + } + ] + } + }, + { + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "gt": 0, + "type": "integer" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file 
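Review bot: The `max_request_body_size` description, `max allowed body size allowed to be introspected`, gives no unit and does not say what happens to a request whose body exceeds the limit; the same text appears in the ai-prompt-guard and ai-prompt-template schemas that follow. For ai-prompt-guard in particular, an operator needs to know whether an oversized body is rejected or forwarded without inspection, and the schema does not say. I would reword it along the lines of `Maximum request body size (presumably bytes — confirm) that the plugin reads and inspects; state here whether larger requests are rejected or passed through.`. The `role` and `content` records under `prepend` and `append` also have no `description` at all.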
diff --git a/schemas/ai-prompt-guard/3.10.x.json b/schemas/ai-prompt-guard/3.10.x.json new file mode 100644 index 00000000..1eb02b54 --- /dev/null +++ b/schemas/ai-prompt-guard/3.10.x.json 
@@ -0,0 +1,104 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow_patterns", + "config.deny_patterns" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "config.allow_all_conversation_history", + "if_field": "config.match_all_roles", + "then_match": { + "eq": false + } + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "allow_patterns": { + "len_max": 10, + "required": false, + "type": "array", + "elements": { + "len_max": 500, + "len_min": 1, + "type": "string" + }, + "description": "Array of valid regex patterns, or valid questions from the 'user' role in chat." + } + }, + { + "deny_patterns": { + "len_max": 10, + "required": false, + "type": "array", + "elements": { + "len_max": 500, + "len_min": 1, + "type": "string" + }, + "description": "Array of invalid regex patterns, or invalid questions from the 'user' role in chat." + } + }, + { + "allow_all_conversation_history": { + "default": false, + "description": "If true, will ignore all previous chat prompts from the conversation history.", + "required": true, + "type": "boolean" + } + }, + { + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "gt": 0, + "type": "integer" + } + }, + { + "match_all_roles": { + "default": false, + "description": "If true, will match all roles in addition to 'user' role in conversation history.", + "required": true, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-prompt-template/3.10.x.json b/schemas/ai-prompt-template/3.10.x.json new file mode 100644 index 00000000..2822bb38 
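Review bot: The `allow_all_conversation_history` description, `If true, will ignore all previous chat prompts from the conversation history.`, does not make clear that enabling the flag apparently exempts earlier messages from the allow/deny patterns. That is the fact an operator relying on this plugin as a control needs to see. If that reading is right, something like `If true, only the latest chat message is checked against the patterns; earlier messages in the conversation history are not inspected.` would say it directly. The `allow_patterns` and `deny_patterns` descriptions also do not state which list takes precedence when both are set, which the `at_least_one_of` check permits. The behaviour is inferred from the descriptions alone, so confirm against the plugin before rewording.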
--- /dev/null +++ b/schemas/ai-prompt-template/3.10.x.json @@ -0,0 +1,88 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "templates": { + "elements": { + "type": "record", + "required": true, + "fields": [ + { + "name": { + "description": "Unique name for the template, can be called with `{template://NAME}`", + "required": true, + "type": "string" + } + }, + { + "template": { + "description": "Template string for this request, supports mustache-style `{{placeholders}}`", + "required": true, + "type": "string" + } + } + ] + }, + "description": "Array of templates available to the request context.", + "required": true, + "type": "array" + } + }, + { + "allow_untemplated_requests": { + "default": true, + "description": "Set true to allow requests that don't call or match any template.", + "required": true, + "type": "boolean" + } + }, + { + "log_original_request": { + "default": false, + "description": "Set true to add the original request to the Kong log plugin(s) output.", + "required": true, + "type": "boolean" + } + }, + { + "max_request_body_size": { + "gt": 0, + "description": "max allowed body size allowed to be introspected", + "default": 8192, + "type": "integer" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-proxy-advanced/3.10.x.json b/schemas/ai-proxy-advanced/3.10.x.json new file mode 100644 index 00000000..0e657ace --- /dev/null +++ b/schemas/ai-proxy-advanced/3.10.x.json 
@@ -0,0 +1,1344 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.targets" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.targets", + "config.balancer" + ] + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "balancer": { + "type": "record", + "required": true, + "fields": [ + { + "algorithm": { + "default": "round-robin", + "description": "Which load balancing algorithm to use.", + "type": "string", + "one_of": [ + "round-robin", + "lowest-latency", + "lowest-usage", + "consistent-hashing", + "semantic" + ] + } + }, + { + "tokens_count_strategy": { + "default": "total-tokens", + "description": "What tokens to use for usage calculation. Available values are: `total_tokens` `prompt_tokens`, and `completion_tokens`.", + "type": "string", + "one_of": [ + "total-tokens", + "prompt-tokens", + "completion-tokens" + ] + } + }, + { + "latency_strategy": { + "default": "tpot", + "description": "What metrics to use for latency. 
Available values are: `tpot` (time-per-output-token) and `e2e`.", + "type": "string", + "one_of": [ + "tpot", + "e2e" + ] + } + }, + { + "hash_on_header": { + "default": "X-Kong-LLM-Request-ID", + "description": "The header to use for consistent-hashing.", + "type": "string" + } + }, + { + "slots": { + "default": 10000, + "description": "The number of slots in the load balancer algorithm.", + "between": [ + 10, + 65536 + ], + "type": "integer" + } + }, + { + "retries": { + "default": 5, + "description": "The number of retries to execute upon failure to proxy.", + "between": [ + 0, + 32767 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 60000, + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "write_timeout": { + "default": 60000, + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 60000, + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + } + ] + } + }, + { + "embeddings": { + "fields": [ + { + "auth": { + "fields": [ + { + "header_name": { + "referenceable": true, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "required": false, + "type": "string" + } + }, + { + "header_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "referenceable": true + } + }, + { + "param_name": { + "referenceable": true, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "required": false, + "type": "string" + } + }, + { + "param_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full parameter value for 'param_name'.", + "referenceable": true + } + }, + { + "param_location": { + "one_of": [ + "query", + "body" + ], + "description": "Specify whether the 'param_name' and 
'param_value' options go in a query string, or the POST form/JSON body.", + "required": false, + "type": "string" + } + }, + { + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "required": false, + "type": "boolean" + } + }, + { + "azure_client_id": { + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "required": false, + "type": "string" + } + }, + { + "azure_client_secret": { + "encrypted": true, + "required": false, + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "referenceable": true + } + }, + { + "azure_tenant_id": { + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "required": false, + "type": "string" + } + }, + { + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "required": false, + "type": "boolean" + } + }, + { + "gcp_service_account_json": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "referenceable": true + } + }, + { + "aws_access_key_id": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "aws_secret_access_key": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "required": false, + "type": "boolean" + } + } + ], + "required": false, + "type": "record" + } + }, + { + "model": { + "fields": [ + { + "provider": { + "one_of": [ + "openai", + "mistral" + ], + "description": "AI provider format to use for embeddings API", + "required": true, + "type": "string" + } + }, + { + "name": { + "description": "Model name to execute.", + "required": true, + "type": "string" + } + }, + { + "options": { + "fields": [ + { + "upstream_url": { + "description": "upstream url for the embeddings", + "required": false, + "type": "string" + } + } + ], + "description": "Key/value settings for the model", + "required": false, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": false, + "type": "record" + } + }, + { + "vectordb": { + "fields": [ + { + "strategy": { + "one_of": [ + "redis" + ], + "description": "which vector database driver to use", + "required": true, + "type": "string" + } + }, + { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "required": true, + "type": "integer" + } + }, + { + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float)", + "required": true, + "type": "number" + } + }, + { + "distance_metric": { + "one_of": [ + 
"cosine", + "euclidean" + ], + "description": "the distance metric to use for vector searches", + "required": true, + "type": "string" + } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + 
"replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "one_of": [ + "master", + "slave", + "any" + ], + "type": "string" + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ], + "type": "record" + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ], + "type": "record" + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + } + ] + } + } + ], + "required": false, + "type": "record" + } + }, + { + "response_streaming": { + "required": false, + "type": "string", + "default": "allow", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "one_of": [ + "allow", + "deny", + "always" + ] + } + }, + { + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "gt": 0, + "type": "integer" + } + }, + { + "model_name_header": { + "default": true, + "description": "Display the model name selected in the X-Kong-LLM-Model response header", + "type": "boolean" + } + }, + { + "targets": { + "elements": { + "entity_checks": [ + { + "conditional": { + "then_err": "bedrock and gemini only support auth.allow_override = false", + "if_match": { + "one_of": [ + "bedrock", + "gemini" + ] + }, + "then_field": "auth.allow_override", + "if_field": "model.provider", + "then_match": { + "eq": false + } + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set 
%s for llama2 provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] + } + } + ], + "type": "record", + "required": true, + "fields": [ + { + "route_type": { + "one_of": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "description": "The model's operation implementation, for this provider. 
Set to `preserve` to pass through without transformation.", + "required": true, + "type": "string" + } + }, + { + "auth": { + "fields": [ + { + "header_name": { + "referenceable": true, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "required": false, + "type": "string" + } + }, + { + "header_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "referenceable": true + } + }, + { + "param_name": { + "referenceable": true, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "required": false, + "type": "string" + } + }, + { + "param_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full parameter value for 'param_name'.", + "referenceable": true + } + }, + { + "param_location": { + "one_of": [ + "query", + "body" + ], + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "required": false, + "type": "string" + } + }, + { + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "required": false, + "type": "boolean" + } + }, + { + "azure_client_id": { + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "required": false, + "type": "string" + } + }, + { + "azure_client_secret": { + "encrypted": true, + "required": false, + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + 
"referenceable": true + } + }, + { + "azure_tenant_id": { + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "required": false, + "type": "string" + } + }, + { + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "required": false, + "type": "boolean" + } + }, + { + "gcp_service_account_json": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "referenceable": true + } + }, + { + "aws_access_key_id": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "aws_secret_access_key": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "required": false, + "type": "boolean" + } + } + ], + "required": false, + "type": "record" + } + }, + { + "model": { + "fields": [ + { + "provider": { + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2", + "gemini", + "bedrock", + "huggingface" + ], + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "required": true, + "type": "string" + } + }, + { + "name": { + "description": "Model name to execute.", + "required": false, + "type": "string" + } + }, + { + "options": { + "fields": [ + { + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "required": false, + "type": "integer" + } + }, + { + "input_cost": { + "gt": 0, + "description": "Defines the cost per 1M tokens in your prompt.", + "required": false, + "type": "number" + } + }, + { + "output_cost": { + "gt": 0, + "description": "Defines the cost per 1M tokens in the output of the AI.", + "required": false, + "type": "number" + } + }, + { + "temperature": { + "between": [ + 0, + 5 + ], + "description": "Defines the matching temperature, if using chat or completion models.", + "required": false, + "type": "number" + } + }, + { + "top_p": { + "between": [ + 0, + 1 + ], + "description": "Defines the top-p probability mass, if supported.", + "required": false, + "type": "number" + } + }, + { + "top_k": { + "between": [ + 0, + 500 + ], + "description": "Defines the top-k most likely tokens, if supported.", + "required": false, + "type": "integer" + } + }, + { + "anthropic_version": { + "description": "Defines the 
schema/API version, if using Anthropic provider.", + "required": false, + "type": "string" + } + }, + { + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "required": false, + "type": "string" + } + }, + { + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "required": false, + "type": "string" + } + }, + { + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "required": false, + "type": "string" + } + }, + { + "llama2_format": { + "one_of": [ + "raw", + "openai", + "ollama" + ], + "description": "If using llama2 provider, select the upstream message format.", + "required": false, + "type": "string" + } + }, + { + "mistral_format": { + "one_of": [ + "openai", + "ollama" + ], + "description": "If using mistral provider, select the upstream message format.", + "required": false, + "type": "string" + } + }, + { + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "required": false, + "type": "string" + } + }, + { + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "required": false, + "type": "string" + } + }, + { + "gemini": { + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], + "fields": [ + { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "required": false, + "type": "string" + } + }, + { + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "required": false, + "type": "string" + } + }, + { + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "required": false, + "type": "string" + } + } + ], + "required": false, + "type": "record" + } + }, + { + "bedrock": { + "fields": [ + { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "required": false, + "type": "string" + } + } + ], + "required": false, + "type": "record" + } + }, + { + "huggingface": { + "fields": [ + { + "use_cache": { + "description": "Use the cache layer on the inference API", + "required": false, + "type": "boolean" + } + }, + { + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "required": false, + "type": "boolean" + } + } + ], + "required": false, + "type": "record" + } + } + ], + "description": "Key/value settings for the model", + "required": false, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "weight": { + "default": 100, + "description": "The weight this target gets within the upstream loadbalancer (1-65535).", + "between": [ + 1, + 65535 + ], + "type": "integer" + } + }, + { + "description": { + "description": "The semantic description of the target, required if using semantic load balancing.", + "required": false, + "type": "string" + } + }, + { + "logging": { + "fields": [ + { + "log_statistics": { + "default": false, + 
"description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "required": true, + "type": "boolean" + } + }, + { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "required": true, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-proxy/3.10.x.json b/schemas/ai-proxy/3.10.x.json new file mode 100644 index 00000000..d66b2f6d --- /dev/null +++ b/schemas/ai-proxy/3.10.x.json 
@@ -0,0 +1,608 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "entity_checks": [ + { + "conditional": { + "then_err": "bedrock and gemini only support auth.allow_override = false", + "if_match": { + "one_of": [ + "bedrock", + "gemini" + ] + }, + "then_field": "auth.allow_override", + "if_field": "model.provider", + "then_match": { + "eq": false + } + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for llama2 provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": 
"model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] + } + } + ], + "type": "record", + "required": true, + "fields": [ + { + "route_type": { + "one_of": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "required": true, + "type": "string" + } + }, + { + "auth": { + "fields": [ + { + "header_name": { + "referenceable": true, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "required": false, + "type": "string" + } + }, + { + "header_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "referenceable": true + } + }, + { + "param_name": { + "referenceable": true, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "required": false, + "type": "string" + } + }, + { + "param_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full parameter value for 'param_name'.", + "referenceable": true + } + }, + { + "param_location": { + "one_of": [ + "query", + "body" + ], + "description": "Specify whether 
the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "required": false, + "type": "string" + } + }, + { + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "required": false, + "type": "boolean" + } + }, + { + "azure_client_id": { + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "required": false, + "type": "string" + } + }, + { + "azure_client_secret": { + "encrypted": true, + "required": false, + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "referenceable": true + } + }, + { + "azure_tenant_id": { + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "required": false, + "type": "string" + } + }, + { + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "required": false, + "type": "boolean" + } + }, + { + "gcp_service_account_json": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "referenceable": true + } + }, + { + "aws_access_key_id": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "aws_secret_access_key": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "required": false, + "type": "boolean" + } + } + ], + "required": false, + "type": "record" + } + }, + { + "model": { + "fields": [ + { + "provider": { + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2", + "gemini", + "bedrock", + "huggingface" + ], + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "required": true, + "type": "string" + } + }, + { + "name": { + "description": "Model name to execute.", + "required": false, + "type": "string" + } + }, + { + "options": { + "fields": [ + { + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "required": false, + "type": "integer" + } + }, + { + "input_cost": { + "gt": 0, + "description": "Defines the cost per 1M tokens in your prompt.", + "required": false, + "type": "number" + } + }, + { + "output_cost": { + "gt": 0, + "description": "Defines the cost per 1M tokens in the output of the AI.", + "required": false, + "type": "number" + } + }, + { + "temperature": { + "between": [ + 0, + 5 + ], + "description": "Defines the matching temperature, if using chat or completion models.", + "required": false, + "type": "number" + } + }, + { + "top_p": { + "between": [ + 0, + 1 + 
], + "description": "Defines the top-p probability mass, if supported.", + "required": false, + "type": "number" + } + }, + { + "top_k": { + "between": [ + 0, + 500 + ], + "description": "Defines the top-k most likely tokens, if supported.", + "required": false, + "type": "integer" + } + }, + { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "required": false, + "type": "string" + } + }, + { + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "required": false, + "type": "string" + } + }, + { + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "required": false, + "type": "string" + } + }, + { + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "required": false, + "type": "string" + } + }, + { + "llama2_format": { + "one_of": [ + "raw", + "openai", + "ollama" + ], + "description": "If using llama2 provider, select the upstream message format.", + "required": false, + "type": "string" + } + }, + { + "mistral_format": { + "one_of": [ + "openai", + "ollama" + ], + "description": "If using mistral provider, select the upstream message format.", + "required": false, + "type": "string" + } + }, + { + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "required": false, + "type": "string" + } + }, + { + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "required": false, + "type": "string" + } + }, + { + "gemini": { + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], + "fields": [ + { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "required": false, + "type": "string" + } + }, + { + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "required": false, + "type": "string" + } + }, + { + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "required": false, + "type": "string" + } + } + ], + "required": false, + "type": "record" + } + }, + { + "bedrock": { + "fields": [ + { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "required": false, + "type": "string" + } + } + ], + "required": false, + "type": "record" + } + }, + { + "huggingface": { + "fields": [ + { + "use_cache": { + "description": "Use the cache layer on the inference API", + "required": false, + "type": "boolean" + } + }, + { + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "required": false, + "type": "boolean" + } + } + ], + "required": false, + "type": "record" + } + } + ], + "description": "Key/value settings for the model", + "required": false, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "logging": { + "fields": [ + { + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "required": true, + "type": "boolean" + } + }, + { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "required": true, + "type": 
"boolean" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "response_streaming": { + "required": false, + "type": "string", + "default": "allow", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "one_of": [ + "allow", + "deny", + "always" + ] + } + }, + { + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "gt": 0, + "type": "integer" + } + }, + { + "model_name_header": { + "default": true, + "description": "Display the model name selected in the X-Kong-LLM-Model response header", + "type": "boolean" + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-rate-limiting-advanced/3.10.x.json b/schemas/ai-rate-limiting-advanced/3.10.x.json new file mode 100644 index 00000000..07010f21 --- /dev/null +++ b/schemas/ai-rate-limiting-advanced/3.10.x.json 
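Review bot: In schemas/ai-proxy/3.10.x.json the description of `auth.allow_override` does not say which side wins: "can be overridden in the request by the value configured in the plugin" can be read as the plugin value replacing the client's, or as the client's value replacing the plugin's. The field governs which credential reaches the upstream provider, so the direction should be explicit. If the intent is that the caller's credential takes precedence (not confirmable from this hunk), a wording such as `"description": "If enabled, an authorization header or parameter sent by the client replaces the value configured in the plugin."` would remove the ambiguity. These schema files appear to be pulled from the API, so the text is best corrected in the source schema and re-downloaded rather than edited here.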
@@ -0,0 +1,592 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "identifier": { + "required": true, + "type": "string", + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "one_of": [ + "ip", + "credential", + "consumer", + "service", + "header", + "path", + "consumer-group" + ] + } + }, + { + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "type": "string", + "one_of": [ + "fixed", + "sliding" + ] + } + }, + { + "sync_rate": { + "type": "number", + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." 
+ } + }, + { + "llm_providers": { + "elements": { + "type": "record", + "fields": [ + { + "window_size": { + "description": "The window size to apply a limit (defined in seconds).", + "required": true, + "type": "number" + } + }, + { + "name": { + "type": "string", + "description": "The LLM provider to which the rate limit applies.", + "required": true, + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2", + "bedrock", + "gemini", + "huggingface", + "requestPrompt" + ] + } + }, + { + "limit": { + "description": "The limit applies to the LLM provider within the defined window size. It used the query cost from the tokens to increment the counter.", + "required": true, + "type": "number" + } + } + ] + }, + "description": "The provider config. Takes an array of `name`, `limit` and `window size` values.", + "required": true, + "type": "array" + } + }, + { + "strategy": { + "required": true, + "type": "string", + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "one_of": [ + "cluster", + "redis", + "local" + ] + } + }, + { + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. 
When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "required": true, + "type": "string" + } + }, + { + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" + } + }, + { + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + } + }, + { + "header_name": { + "type": "string", + "description": "A string representing an HTTP header name." + } + }, + { + "path": { + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "type": "string" + } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": 
"cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + } + ] + } + }, + { + "disable_penalty": { + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type and the request prompt provider.", + "type": "boolean" + } + }, + { + "request_prompt_count_function": { + "description": "If defined, it use custom function to count requests for the request prompt provider", + "required": false, + "type": "string" + } + }, + { + "error_code": { + "gt": 0, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "default": 429, + "type": "number" + } + }, + { + "error_message": { + "default": "AI token rate limit exceeded for provider(s): ", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + } + }, + { + "error_hide_providers": { + "default": false, + "description": "Optionally hide informative response that would otherwise provide information about the provider in the error message.", + "type": "boolean" + } + }, + { + "tokens_count_strategy": { + "required": true, + "type": "string", + "default": "total_tokens", + "description": "What tokens to use for cost calculation. 
Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` or `cost`.", + "one_of": [ + "total_tokens", + "prompt_tokens", + "completion_tokens", + "cost" + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-request-transformer/3.10.x.json b/schemas/ai-request-transformer/3.10.x.json new file mode 100644 index 00000000..1373c841 --- /dev/null +++ b/schemas/ai-request-transformer/3.10.x.json 
@@ -0,0 +1,692 @@ +{ + "entity_checks": [ + { + "conditional": { + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "then_field": "config.llm.route_type", + "if_field": "config.llm.route_type", + "then_match": { + "eq": "llm/v1/chat" + } + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "prompt": { + "description": "Use this prompt to tune the LLM system/assistant message for the incoming proxy request (from the client), and what you are expecting in return.", + "required": true, + "type": "string" + } + }, + { + "transformation_extract_pattern": { + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the request phase. The first match will be set as the outgoing body. 
If the AI service's response doesn't match this pattern, it is marked as a failure.", + "required": false, + "type": "string" + } + }, + { + "http_timeout": { + "default": 60000, + "description": "Timeout in milliseconds for the AI upstream service.", + "required": true, + "type": "integer" + } + }, + { + "https_verify": { + "default": true, + "description": "Verify the TLS certificate of the AI upstream service.", + "required": true, + "type": "boolean" + } + }, + { + "max_request_body_size": { + "gt": 0, + "description": "max allowed body size allowed to be introspected", + "default": 8192, + "type": "integer" + } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "http_proxy_port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "https_proxy_port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "llm": { + "entity_checks": [ + { + "conditional": { + "then_err": "bedrock and gemini only support auth.allow_override = false", + "if_match": { + "one_of": [ + "bedrock", + "gemini" + ] + }, + "then_field": "auth.allow_override", + "if_field": "model.provider", + "then_match": { + "eq": false + } + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for llama2 provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" 
+ ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] + } + } + ], + "fields": [ + { + "route_type": { + "type": "string", + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "required": true, + "one_of": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ] + } + }, + { + "auth": { + "type": "record", + "required": false, + "fields": [ + { + "header_name": { + "required": false, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, + "type": "string" + } + }, + { + "header_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "referenceable": true + } + }, + { + "param_name": { + "required": false, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, + "type": "string" + } + }, + { + "param_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full parameter value for 'param_name'.", + "referenceable": true + } + }, + { + "param_location": { + "type": "string", + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "required": false, + "one_of": [ + "query", + "body" + ] + } + }, + { + 
"azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "required": false, + "type": "boolean" + } + }, + { + "azure_client_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, + "type": "string" + } + }, + { + "azure_client_secret": { + "encrypted": true, + "required": false, + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "referenceable": true + } + }, + { + "azure_tenant_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, + "type": "string" + } + }, + { + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "required": false, + "type": "boolean" + } + }, + { + "gcp_service_account_json": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "referenceable": true + } + }, + { + "aws_access_key_id": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "aws_secret_access_key": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "required": false, + "type": "boolean" + } + } + ] + } + }, + { + "model": { + "type": "record", + "required": true, + "fields": [ + { + "provider": { + "type": "string", + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "required": true, + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2", + "gemini", + "bedrock", + "huggingface" + ] + } + }, + { + "name": { + "description": "Model name to execute.", + "required": false, + "type": "string" + } + }, + { + "options": { + "type": "record", + "description": "Key/value settings for the model", + "required": false, + "fields": [ + { + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "required": false, + "type": "integer" + } + }, + { + "input_cost": { + "gt": 0, + "description": "Defines the cost per 1M tokens in your prompt.", + "required": false, + "type": "number" + } + }, + { + "output_cost": { + "gt": 0, + "description": "Defines the cost per 1M tokens in the output of the AI.", + "required": false, + "type": "number" + } + }, + { + "temperature": { + "between": [ + 0, + 5 + ], + "description": "Defines the matching temperature, if using chat or completion models.", 
+ "required": false, + "type": "number" + } + }, + { + "top_p": { + "between": [ + 0, + 1 + ], + "description": "Defines the top-p probability mass, if supported.", + "required": false, + "type": "number" + } + }, + { + "top_k": { + "between": [ + 0, + 500 + ], + "description": "Defines the top-k most likely tokens, if supported.", + "required": false, + "type": "integer" + } + }, + { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "required": false, + "type": "string" + } + }, + { + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "required": false, + "type": "string" + } + }, + { + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "required": false, + "type": "string" + } + }, + { + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "required": false, + "type": "string" + } + }, + { + "llama2_format": { + "type": "string", + "description": "If using llama2 provider, select the upstream message format.", + "required": false, + "one_of": [ + "raw", + "openai", + "ollama" + ] + } + }, + { + "mistral_format": { + "type": "string", + "description": "If using mistral provider, select the upstream message format.", + "required": false, + "one_of": [ + "openai", + "ollama" + ] + } + }, + { + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "required": false, + "type": "string" + } + }, + { + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "required": false, + "type": "string" + } + }, + { + "gemini": { + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], + "type": "record", + "required": false, + "fields": [ + { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "required": false, + "type": "string" + } + }, + { + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "required": false, + "type": "string" + } + }, + { + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "required": false, + "type": "string" + } + } + ] + } + }, + { + "bedrock": { + "type": "record", + "required": false, + "fields": [ + { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "required": false, + "type": "string" + } + } + ] + } + }, + { + "huggingface": { + "type": "record", + "required": false, + "fields": [ + { + "use_cache": { + "description": "Use the cache layer on the inference API", + "required": false, + "type": "boolean" + } + }, + { + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "required": false, + "type": "boolean" + } + } + ] + } + } + ] + } + } + ] + } + }, + { + "logging": { + "type": "record", + "required": true, + "fields": [ + { + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "required": true, + "type": "boolean" + } + }, + { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "required": true, + "type": "boolean" + } + } + ] + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": 
true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-response-transformer/3.10.x.json b/schemas/ai-response-transformer/3.10.x.json new file mode 100644 index 00000000..30d69cd6 --- /dev/null +++ b/schemas/ai-response-transformer/3.10.x.json 
@@ -0,0 +1,692 @@ +{ + "entity_checks": [ + { + "conditional": { + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "then_field": "config.llm.route_type", + "if_field": "config.llm.route_type", + "then_match": { + "eq": "llm/v1/chat" + } + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "prompt": { + "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting.", + "required": true, + "type": "string" + } + }, + { + "transformation_extract_pattern": { + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the response phase. The first match will be set as the returning body. If the AI service's response doesn't match this pattern, a failure is returned to the client.", + "required": false, + "type": "string" + } + }, + { + "parse_llm_response_json_instructions": { + "default": false, + "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. 
You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions.", + "required": true, + "type": "boolean" + } + }, + { + "http_timeout": { + "default": 60000, + "description": "Timeout in milliseconds for the AI upstream service.", + "required": true, + "type": "integer" + } + }, + { + "https_verify": { + "default": true, + "description": "Verify the TLS certificate of the AI upstream service.", + "required": true, + "type": "boolean" + } + }, + { + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "gt": 0, + "type": "integer" + } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "http_proxy_port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "https_proxy_port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "llm": { + "entity_checks": [ + { + "conditional": { + "then_err": "bedrock and gemini only support auth.allow_override = false", + "if_match": { + "one_of": [ + "bedrock", + "gemini" + ] + }, + "then_field": "auth.allow_override", + "if_field": "model.provider", + "then_match": { + "eq": false + } + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for llama2 provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" 
+ ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] + } + } + ], + "fields": [ + { + "route_type": { + "type": "string", + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "required": true, + "one_of": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ] + } + }, + { + "auth": { + "type": "record", + "required": false, + "fields": [ + { + "header_name": { + "required": false, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, + "type": "string" + } + }, + { + "header_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "referenceable": true + } + }, + { + "param_name": { + "required": false, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, + "type": "string" + } + }, + { + "param_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full parameter value for 'param_name'.", + "referenceable": true + } + }, + { + "param_location": { + "type": "string", + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "required": false, + "one_of": [ + "query", + "body" + ] + } + }, + { + 
"azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "required": false, + "type": "boolean" + } + }, + { + "azure_client_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, + "type": "string" + } + }, + { + "azure_client_secret": { + "encrypted": true, + "required": false, + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "referenceable": true + } + }, + { + "azure_tenant_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, + "type": "string" + } + }, + { + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "required": false, + "type": "boolean" + } + }, + { + "gcp_service_account_json": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "referenceable": true + } + }, + { + "aws_access_key_id": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "aws_secret_access_key": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "required": false, + "type": "boolean" + } + } + ] + } + }, + { + "model": { + "type": "record", + "required": true, + "fields": [ + { + "provider": { + "type": "string", + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "required": true, + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2", + "gemini", + "bedrock", + "huggingface" + ] + } + }, + { + "name": { + "description": "Model name to execute.", + "required": false, + "type": "string" + } + }, + { + "options": { + "type": "record", + "description": "Key/value settings for the model", + "required": false, + "fields": [ + { + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "required": false, + "type": "integer" + } + }, + { + "input_cost": { + "gt": 0, + "description": "Defines the cost per 1M tokens in your prompt.", + "required": false, + "type": "number" + } + }, + { + "output_cost": { + "gt": 0, + "description": "Defines the cost per 1M tokens in the output of the AI.", + "required": false, + "type": "number" + } + }, + { + "temperature": { + "between": [ + 0, + 5 + ], + "description": "Defines the matching temperature, if using chat or completion models.", 
+ "required": false, + "type": "number" + } + }, + { + "top_p": { + "between": [ + 0, + 1 + ], + "description": "Defines the top-p probability mass, if supported.", + "required": false, + "type": "number" + } + }, + { + "top_k": { + "between": [ + 0, + 500 + ], + "description": "Defines the top-k most likely tokens, if supported.", + "required": false, + "type": "integer" + } + }, + { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "required": false, + "type": "string" + } + }, + { + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "required": false, + "type": "string" + } + }, + { + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "required": false, + "type": "string" + } + }, + { + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "required": false, + "type": "string" + } + }, + { + "llama2_format": { + "type": "string", + "description": "If using llama2 provider, select the upstream message format.", + "required": false, + "one_of": [ + "raw", + "openai", + "ollama" + ] + } + }, + { + "mistral_format": { + "type": "string", + "description": "If using mistral provider, select the upstream message format.", + "required": false, + "one_of": [ + "openai", + "ollama" + ] + } + }, + { + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "required": false, + "type": "string" + } + }, + { + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "required": false, + "type": "string" + } + }, + { + "gemini": { + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], + "type": "record", + "required": false, + "fields": [ + { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "required": false, + "type": "string" + } + }, + { + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "required": false, + "type": "string" + } + }, + { + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "required": false, + "type": "string" + } + } + ] + } + }, + { + "bedrock": { + "type": "record", + "required": false, + "fields": [ + { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "required": false, + "type": "string" + } + } + ] + } + }, + { + "huggingface": { + "type": "record", + "required": false, + "fields": [ + { + "use_cache": { + "description": "Use the cache layer on the inference API", + "required": false, + "type": "boolean" + } + }, + { + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "required": false, + "type": "boolean" + } + } + ] + } + } + ] + } + } + ] + } + }, + { + "logging": { + "type": "record", + "required": true, + "fields": [ + { + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "required": true, + "type": "boolean" + } + }, + { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "required": true, + "type": "boolean" + } + } + ] + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": 
true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-semantic-cache/3.10.x.json b/schemas/ai-semantic-cache/3.10.x.json new file mode 100644 index 00000000..afa47df0 --- /dev/null +++ b/schemas/ai-semantic-cache/3.10.x.json 
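Review bot: The description of `config.llm.auth.allow_override` does not say which credential wins: "can be overridden in the request by the value configured in the plugin" reads as if the plugin value replaces the request's, which would need no switch. The entity check in the same file forces the flag to false for bedrock and gemini, so it looks like an opt-in that lets a caller-supplied header or parameter replace the configured one. That is a trust decision operators should see spelled out. If that reading is right, I would word it as `"description": "If enabled, an authorization header or parameter sent by the client replaces the value configured in the plugin."`. The same sentence is used for `config.embeddings.auth.allow_override` in schemas/ai-semantic-cache/3.10.x.json.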
@@ -0,0 +1,689 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "message_countback": { + "default": 1, + "description": "Number of messages in the chat history to Vectorize/Cache", + "between": [ + 1, + 1000 + ], + "type": "number" + } + }, + { + "ignore_system_prompts": { + "default": false, + "description": "Ignore and discard any system prompts when Vectorizing the request", + "type": "boolean" + } + }, + { + "ignore_assistant_prompts": { + "default": false, + "description": "Ignore and discard any assistant prompts when Vectorizing the request", + "type": "boolean" + } + }, + { + "ignore_tool_prompts": { + "default": false, + "description": "Ignore and discard any tool prompts when Vectorizing the request", + "type": "boolean" + } + }, + { + "stop_on_failure": { + "default": false, + "description": "Halt the LLM request process in case of a caching system failure", + "required": true, + "type": "boolean" + } + }, + { + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "gt": 0, + "type": "integer" + } + }, + { + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "required": true, + "type": "boolean" + } + }, + { + "exact_caching": { + "default": false, + "description": "When enabled, a first check for exact query will be done. 
It will impact DB size", + "required": true, + "type": "boolean" + } + }, + { + "embeddings": { + "type": "record", + "required": true, + "fields": [ + { + "auth": { + "type": "record", + "required": false, + "fields": [ + { + "header_name": { + "required": false, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, + "type": "string" + } + }, + { + "header_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "referenceable": true + } + }, + { + "param_name": { + "required": false, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, + "type": "string" + } + }, + { + "param_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full parameter value for 'param_name'.", + "referenceable": true + } + }, + { + "param_location": { + "type": "string", + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "required": false, + "one_of": [ + "query", + "body" + ] + } + }, + { + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "required": false, + "type": "boolean" + } + }, + { + "azure_client_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, + "type": "string" + } + }, + { + "azure_client_secret": { + "encrypted": true, + "required": false, + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different 
user-assigned identity for this LLM instance, set the client secret.", + "referenceable": true + } + }, + { + "azure_tenant_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, + "type": "string" + } + }, + { + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "required": false, + "type": "boolean" + } + }, + { + "gcp_service_account_json": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "referenceable": true + } + }, + { + "aws_access_key_id": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "aws_secret_access_key": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "required": false, + "type": "boolean" + } + } + ] + } + }, + { + "model": { + "type": "record", + "required": true, + "fields": [ + { + "provider": { + "type": "string", + "description": "AI provider format to use for embeddings API", + "required": true, + "one_of": [ + "openai", + "mistral" + ] + } + }, + { + "name": { + "description": "Model name to execute.", + "required": true, + "type": "string" + } + }, + { + "options": { + "type": "record", + "description": "Key/value settings for the model", + "required": false, + "fields": [ + { + "upstream_url": { + "description": "upstream url for the embeddings", + "required": false, + "type": "string" + } + } + ] + } + } + ] + } + } + ] + } + }, + { + "vectordb": { + "type": "record", + "required": true, + "fields": [ + { + "strategy": { + "type": "string", + "description": "which vector database driver to use", + "required": true, + "one_of": [ + "redis" + ] + } + }, + { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "required": true, + "type": "integer" + } + }, + { + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float)", + "required": true, + "type": "number" + } + }, + { + "distance_metric": { + "type": "string", + "description": "the distance metric to use for vector searches", + "required": true, + "one_of": [ + "cosine", + "euclidean" + ] + } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + 
"mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 
65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + } + ] + } + } + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-semantic-prompt-guard/3.10.x.json b/schemas/ai-semantic-prompt-guard/3.10.x.json new file mode 100644 index 00000000..c1fac108 --- /dev/null +++ b/schemas/ai-semantic-prompt-guard/3.10.x.json 
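Review bot: In `config.vectordb.redis`, both `ssl` and `ssl_verify` default to false, and the `ssl` description does not mention that enabling it alone leaves the server certificate unchecked. This connection carries the `password` and `sentinel_password` fields and, presumably, the cached content, so an operator who sets only `ssl` to true gets encryption without server authentication. I would extend the `ssl` description to `"If set to true, uses SSL to connect to Redis. The server certificate is only validated when ssl_verify is also true."`. If these schema files are regenerated from the gateway (inferred, not shown in this hunk), the wording should be changed at that source so it is not overwritten.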
@@ -0,0 +1,704 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.rules.allow_prompts", + "config.rules.deny_prompts" + ] + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "embeddings": { + "type": "record", + "required": true, + "fields": [ + { + "auth": { + "type": "record", + "required": false, + "fields": [ + { + "header_name": { + "required": false, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, + "type": "string" + } + }, + { + "header_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "referenceable": true + } + }, + { + "param_name": { + "required": false, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, + "type": "string" + } + }, + { + "param_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full parameter value for 'param_name'.", + "referenceable": true + } + }, + { + "param_location": { + "type": "string", + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "required": false, + "one_of": [ + "query", + "body" + ] + } + }, + { + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "required": false, + "type": "boolean" + } + }, + { + "azure_client_id": { + "required": 
false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, + "type": "string" + } + }, + { + "azure_client_secret": { + "encrypted": true, + "required": false, + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "referenceable": true + } + }, + { + "azure_tenant_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, + "type": "string" + } + }, + { + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "required": false, + "type": "boolean" + } + }, + { + "gcp_service_account_json": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "referenceable": true + } + }, + { + "aws_access_key_id": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "aws_secret_access_key": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "required": false, + "type": "boolean" + } + } + ] + } + }, + { + "model": { + "type": "record", + "required": true, + "fields": [ + { + "provider": { + "type": "string", + "description": "AI provider format to use for embeddings API", + "required": true, + "one_of": [ + "openai", + "mistral" + ] + } + }, + { + "name": { + "description": "Model name to execute.", + "required": true, + "type": "string" + } + }, + { + "options": { + "type": "record", + "description": "Key/value settings for the model", + "required": false, + "fields": [ + { + "upstream_url": { + "description": "upstream url for the embeddings", + "required": false, + "type": "string" + } + } + ] + } + } + ] + } + } + ] + } + }, + { + "vectordb": { + "type": "record", + "required": true, + "fields": [ + { + "strategy": { + "type": "string", + "description": "which vector database driver to use", + "required": true, + "one_of": [ + "redis" + ] + } + }, + { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "required": true, + "type": "integer" + } + }, + { + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float)", + "required": true, + "type": "number" + } + }, + { + "distance_metric": { + "type": "string", + "description": "the distance metric to use for vector searches", + "required": true, + "one_of": [ + "cosine", + "euclidean" + ] + } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + 
"mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 
65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + } + ] + } + } + ] + } + }, + { + "search": { + "type": "record", + "required": false, + "fields": [ + { + "threshold": { + "default": 0.5, + "description": "Threshold for the similarity score to be considered a match.", + "required": false, + "type": "number" + } + } + ] + } + }, + { + "rules": { + "type": "record", + "required": true, + "fields": [ + { + "match_all_conversation_history": { + "default": false, + "description": "If false, will ignore all previous chat prompts from the conversation history.", + "required": false, + "type": "boolean" + } + }, + { + "allow_prompts": { + "len_max": 100, + "required": false, + "type": "array", + "elements": { + "len_max": 500, + "len_min": 1, + "type": "string" + }, + "description": "List of prompts to allow." + } + }, + { + "deny_prompts": { + "len_max": 100, + "required": false, + "type": "array", + "elements": { + "len_max": 500, + "len_min": 1, + "type": "string" + }, + "description": "List of prompts to deny." 
+ } + }, + { + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "gt": 0, + "type": "integer" + } + }, + { + "match_all_roles": { + "default": false, + "description": "If true, will match all roles in addition to 'user' role in conversation history.", + "required": true, + "type": "boolean" + } + } + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/app-dynamics/3.10.x.json b/schemas/app-dynamics/3.10.x.json new file mode 100644 index 00000000..8e65202b --- /dev/null +++ b/schemas/app-dynamics/3.10.x.json @@ -0,0 +1,46 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/application-registration/3.10.x.json b/schemas/application-registration/3.10.x.json new file mode 100644 index 00000000..604ffb5c --- /dev/null +++ b/schemas/application-registration/3.10.x.json 
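Review bot: In schemas/ai-semantic-prompt-guard/3.10.x.json, `config.rules.max_request_body_size` (default 8192) is described only as "max allowed body size allowed to be introspected", which leaves open whether a larger request is rejected or forwarded without being compared against `deny_prompts`. For a guard plugin that is the difference between failing closed and failing open, so the description should state it, for example `"description": "Maximum request body size that is inspected; larger requests are <rejected | forwarded unchecked: confirm against the plugin>."`. The same file also defines `vectordb.threshold` (required) and `search.threshold` (default 0.5) without saying which one decides a match. Because the schema is pulled from the API, both wordings would have to be corrected in the plugin schema upstream rather than in this file.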
@@ -0,0 +1,108 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "service": { + "reference": "services", + "on_delete": "cascade", + "type": "foreign", + "ne": null + } + }, + { + "route": { + "reference": "routes", + "type": "foreign", + "description": "A reference to the 'routes' table with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "display_name": { + "required": true, + "description": "Unique display name used for a Service in the Developer Portal.", + "type": "string", + "unique": true + } + }, + { + "description": { + "description": "Unique description displayed in information about a Service in the Developer Portal.", + "type": "string", + "unique": true + } + }, + { + "auto_approve": { + "required": true, + "description": "If enabled, all new Service Contracts requests are automatically approved.", + "type": "boolean", + "default": false + } + }, + { + "show_issuer": { + "required": true, + "description": "Displays the **Issuer URL** in the **Service Details** dialog.", + "type": "boolean", + "default": false + } + }, + { + "enable_proxy_with_consumer_credential": { + "required": true, + "description": "If enabled, the Route of the Service can be accessed using the Consumer's credential", + "type": "boolean", + "default": false + } + } + ], + "type": "record", + "required": true + } + } 
+ ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/aws-lambda/3.10.x.json b/schemas/aws-lambda/3.10.x.json new file mode 100644 index 00000000..583a9b6a --- /dev/null +++ b/schemas/aws-lambda/3.10.x.json 
@@ -0,0 +1,273 @@ +{ + "entity_checks": [ + { + "mutually_required": [ + "config.aws_key", + "config.aws_secret" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "config.proxy_url" + ] + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "timeout": { + "default": 60000, + "description": "An optional timeout in milliseconds when invoking the function.", + "required": true, + "type": "number" + } + }, + { + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "required": true, + "type": "number" + } + }, + { + "aws_key": { + "encrypted": true, + "description": "The AWS key credential to be used when invoking the function.", + "referenceable": true, + "type": "string" + } + }, + { + "aws_secret": { + "encrypted": true, + "description": "The AWS secret credential to be used when invoking the function. ", + "referenceable": true, + "type": "string" + } + }, + { + "aws_assume_role_arn": { + "encrypted": true, + "description": "The target AWS IAM role ARN used to invoke the Lambda function.", + "referenceable": true, + "type": "string" + } + }, + { + "aws_role_session_name": { + "default": "kong", + "description": "The identifier of the assumed role session.", + "type": "string" + } + }, + { + "aws_sts_endpoint_url": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ } + }, + { + "aws_region": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "function_name": { + "description": "The AWS Lambda function to invoke. Both function name and function ARN (including partial) are supported.", + "required": false, + "type": "string" + } + }, + { + "qualifier": { + "description": "The qualifier to use when invoking the function.", + "type": "string" + } + }, + { + "invocation_type": { + "required": true, + "type": "string", + "default": "RequestResponse", + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", + "one_of": [ + "RequestResponse", + "Event", + "DryRun" + ] + } + }, + { + "log_type": { + "required": true, + "type": "string", + "default": "Tail", + "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", + "one_of": [ + "Tail", + "None" + ] + } + }, + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "port": { + "default": 443, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "disable_https": { + "default": false, + "type": "boolean" + } + }, + { + "unhandled_status": { + "between": [ + 100, + 999 + ], + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", + "type": "integer" + } + }, + { + "forward_request_method": { + "default": false, + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", + "type": "boolean" + } + }, + { + "forward_request_uri": { + "default": false, + "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", + "type": "boolean" + } + }, + { + "forward_request_headers": { + "default": false, + "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", + "type": "boolean" + } + }, + { + "forward_request_body": { + "default": false, + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. 
", + "type": "boolean" + } + }, + { + "is_proxy_integration": { + "default": false, + "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", + "type": "boolean" + } + }, + { + "awsgateway_compatible": { + "default": false, + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", + "type": "boolean" + } + }, + { + "proxy_url": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "skip_large_bodies": { + "default": true, + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", + "type": "boolean" + } + }, + { + "base64_encode_body": { + "default": true, + "description": "An optional value that Base64-encodes the request body.", + "type": "boolean" + } + }, + { + "aws_imds_protocol_version": { + "required": true, + "type": "string", + "default": "v1", + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", + "one_of": [ + "v1", + "v2" + ] + } + }, + { + "empty_arrays_mode": { + "required": true, + "type": "string", + "default": "legacy", + "description": "An optional value that defines whether Kong should send empty arrays (returned by Lambda function) as `[]` arrays or `{}` objects in JSON responses. The value `legacy` means Kong will send empty arrays as `{}` objects in response", + "one_of": [ + "legacy", + "correct" + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/azure-functions/3.10.x.json b/schemas/azure-functions/3.10.x.json new file mode 100644 index 00000000..19e89278 --- /dev/null +++ b/schemas/azure-functions/3.10.x.json 
@@ -0,0 +1,125 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "timeout": { + "default": 600000, + "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", + "type": "number" + } + }, + { + "keepalive": { + "default": 60000, + "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", + "type": "number" + } + }, + { + "https": { + "default": true, + "description": "Use of HTTPS to connect with the Azure Functions server.", + "type": "boolean" + } + }, + { + "https_verify": { + "default": false, + "description": "Set to `true` to authenticate the Azure Functions server.", + "type": "boolean" + } + }, + { + "apikey": { + "encrypted": true, + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", + "referenceable": true, + "type": "string" + } + }, + { + "clientid": { + "encrypted": true, + "description": "The `clientid` to access the Azure resources. 
If provided, it is injected as the `x-functions-clientid` header.", + "referenceable": true, + "type": "string" + } + }, + { + "appname": { + "description": "The Azure app name.", + "required": true, + "type": "string" + } + }, + { + "hostdomain": { + "default": "azurewebsites.net", + "description": "The domain where the function resides.", + "required": true, + "type": "string" + } + }, + { + "routeprefix": { + "default": "api", + "description": "Route prefix to use.", + "type": "string" + } + }, + { + "functionname": { + "description": "Name of the Azure function to invoke.", + "required": true, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/basic-auth/3.10.x.json b/schemas/basic-auth/3.10.x.json new file mode 100644 index 00000000..0a5c8b49 --- /dev/null +++ b/schemas/basic-auth/3.10.x.json 
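Review bot: In schemas/azure-functions/3.10.x.json, `https_verify` defaults to `false` while `apikey` and `clientid` are injected as the `x-functions-key` and `x-functions-clientid` headers, so with the defaults those values are presumably sent over TLS to a server whose certificate is not checked. The current description, "Set to `true` to authenticate the Azure Functions server.", does not make that visible. Something like `"description": "Set to true to verify the Azure Functions server's TLS certificate. When false (the default), the apikey and clientid headers are sent without checking the server's identity."` would state the trade-off. The default itself comes from the plugin schema, so the docs built from this file should tell deployments that set `apikey` to enable `https_verify` explicitly.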
@@ -0,0 +1,78 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "anonymous": { + "type": "string", + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", + "required": true, + "type": "boolean" + } + }, + { + "realm": { + "default": "service", + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": true, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/bot-detection/3.10.x.json b/schemas/bot-detection/3.10.x.json new file mode 100644 index 00000000..d48d260c --- /dev/null +++ b/schemas/bot-detection/3.10.x.json 
@@ -0,0 +1,79 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "allow": { + "elements": { + "type": "string", + "is_regex": true + }, + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", + "default": [ + + ], + "type": "array" + } + }, + { + "deny": { + "elements": { + "type": "string", + "is_regex": true + }, + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", + "default": [ + + ], + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/canary/3.10.x.json b/schemas/canary/3.10.x.json new file mode 100644 index 00000000..a020f33c --- /dev/null +++ b/schemas/canary/3.10.x.json 
@@ -0,0 +1,190 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.upstream_uri", + "config.upstream_host", + "config.upstream_port" + ] + }, + { + "conditional": { + "if_match": { + "eq": "header" + }, + "then_field": "config.hash_header", + "if_field": "config.hash", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "config.upstream_host", + "if_field": "config.upstream_fallback", + "then_match": { + "required": true + } + } + } + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "type": "record", + "shorthand_fields": [ + { + "hash": { + "type": "string", + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead." + } + } + ], + "required": true, + "fields": [ + { + "start": { + "description": "Future time in seconds since epoch, when the canary release will start. 
Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`.", + "type": "number" + } + }, + { + "hash": { + "default": "consumer", + "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", + "type": "string", + "one_of": [ + "consumer", + "ip", + "none", + "allow", + "deny", + "header" + ] + } + }, + { + "hash_header": { + "type": "string", + "description": "A string representing an HTTP header name." + } + }, + { + "duration": { + "default": 3600, + "description": "The duration of the canary release in seconds.", + "gt": 0, + "type": "number" + } + }, + { + "steps": { + "default": 1000, + "description": "The number of steps for the canary release.", + "gt": 1, + "type": "number" + } + }, + { + "percentage": { + "between": [ + 0, + 100 + ], + "description": "The percentage of traffic to be routed to the canary release.", + "type": "number" + } + }, + { + "upstream_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "upstream_port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "upstream_uri": { + "description": "The URI of the upstream server to be used for the canary release.", + "type": "string", + "len_min": 1 + } + }, + { + "upstream_fallback": { + "default": false, + "description": "Specifies whether to fallback to the upstream server if the canary release fails.", + "required": true, + "type": "boolean" + } + }, + { + "groups": { + "elements": { + "type": "string" + }, + "description": "The groups allowed to access the canary release.", + "type": "array" + } + }, + { + "canary_by_header_name": { + "type": "string", + "description": "A string representing an HTTP header name." + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/confluent/3.10.x.json b/schemas/confluent/3.10.x.json new file mode 100644 index 00000000..534933d8 --- /dev/null +++ b/schemas/confluent/3.10.x.json 
@@ -0,0 +1,253 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "forward_method", + "forward_uri", + "forward_headers", + "forward_body" + ] + } + } + ], + "fields": [ + { + "bootstrap_servers": { + "elements": { + "type": "record", + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "type": "integer" + } + } + ] + }, + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set" + } + }, + { + "topic": { + "description": "The Kafka topic to publish to.", + "required": true, + "type": "string" + } + }, + { + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + } + }, + { + "keepalive": { + "default": 60000, + "description": "Keepalive timeout in milliseconds.", + "type": "integer" + } + }, + { + "keepalive_enabled": { + "default": false, + "type": "boolean" + } + }, + { + "cluster_api_key": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Username/Apikey for SASL authentication.", + "required": true + } + }, + { + "cluster_api_secret": { + "encrypted": true, + "referenceable": true, + "type": "string", + 
"description": "Password/ApiSecret for SASL authentication.", + "required": true + } + }, + { + "confluent_cloud_api_key": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", + "required": false + } + }, + { + "confluent_cloud_api_secret": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The corresponding secret for the Confluent Cloud API key.", + "required": false + } + }, + { + "forward_method": { + "default": false, + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + } + }, + { + "forward_uri": { + "default": false, + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + } + }, + { + "forward_headers": { + "default": false, + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + } + }, + { + "forward_body": { + "default": true, + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + } + }, + { + "cluster_name": { + "auto": true, + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. 
Logs will be sent to the leader of the cluster.", + "required": false, + "type": "string" + } + }, + { + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "type": "integer", + "one_of": [ + -1, + 0, + 1 + ] + } + }, + { + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer" + } + }, + { + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single producer request.", + "type": "integer" + } + }, + { + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + } + }, + { + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + } + }, + { + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + } + }, + { + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + } + }, + { + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + } + }, + { + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file 
diff --git a/schemas/correlation-id/3.10.x.json b/schemas/correlation-id/3.10.x.json new file mode 100644 index 00000000..46723bf0 --- /dev/null +++ b/schemas/correlation-id/3.10.x.json @@ -0,0 +1,73 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "header_name": { + "default": "Kong-Request-ID", + "description": "The HTTP header name to use for the correlation ID.", + "type": "string" + } + }, + { + "generator": { + "required": true, + "type": "string", + "default": "uuid#counter", + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", + "one_of": [ + "uuid", + "uuid#counter", + "tracker" + ] + } + }, + { + "echo_downstream": { + "default": false, + "description": "Whether to echo the header back to downstream (the client).", + "required": true, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/cors/3.10.x.json b/schemas/cors/3.10.x.json new file mode 100644 index 00000000..87f52a0e --- /dev/null +++ b/schemas/cors/3.10.x.json 
@@ -0,0 +1,143 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ], + "len_min": 1, + "required": true, + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "origins": { + "elements": { + "type": "string" + }, + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.", + "type": "array" + } + }, + { + "headers": { + "elements": { + "type": "string" + }, + "description": "Value for the `Access-Control-Allow-Headers` header.", + "type": "array" + } + }, + { + "exposed_headers": { + "elements": { + "type": "string" + }, + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", + "type": "array" + } + }, + { + "methods": { + "default": [ + "GET", + "HEAD", + "PUT", + "PATCH", + "POST", + "DELETE", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. 
By default, all options are allowed.'", + "elements": { + "type": "string", + "one_of": [ + "GET", + "HEAD", + "PUT", + "PATCH", + "POST", + "DELETE", + "OPTIONS", + "TRACE", + "CONNECT" + ] + }, + "type": "array" + } + }, + { + "max_age": { + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`.", + "type": "number" + } + }, + { + "credentials": { + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", + "required": true, + "type": "boolean" + } + }, + { + "private_network": { + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", + "required": true, + "type": "boolean" + } + }, + { + "preflight_continue": { + "default": false, + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", + "required": true, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/datadog-tracing/3.10.x.json b/schemas/datadog-tracing/3.10.x.json new file mode 100644 index 00000000..450d1bc3 --- /dev/null +++ b/schemas/datadog-tracing/3.10.x.json 
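Review bot: In schemas/cors/3.10.x.json, the `origins` description says values may be "flat strings or PCRE regexes" but not whether a regex is matched against the entire `Origin` value. With `credentials` available in the same record, a loosely written pattern is the usual way a CORS allow-list ends up wider than intended. I would add a sentence such as `Write regex entries so they match the whole origin, including scheme and port, and escape literal dots.` after confirming the plugin's matching behaviour. The `methods` description in the same hunk is also wrapped in literal single quotes (`'Value for the … are allowed.'`), which look like leftover quoting and should be dropped where the schema is generated.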
@@ -0,0 +1,103 @@ +{ + "fields": [ + { + "consumer": { + "eq": null, + "type": "foreign", + "reference": "consumers" + } + }, + { + "protocols": { + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "endpoint": { + "type": "string", + "referenceable": true + } + }, + { + "service_name": { + "required": true, + "type": "string", + "default": "kong" + } + }, + { + "environment": { + "type": "string", + "default": "none" + } + }, + { + "batch_span_count": { + "required": true, + "type": "integer", + "default": 200 + } + }, + { + "batch_flush_delay": { + "required": true, + "type": "integer", + "default": 3 + } + }, + { + "connect_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "default": 1000 + } + }, + { + "send_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "default": 5000 + } + }, + { + "read_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "default": 5000 + } + } + ], + "type": "record", + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/datadog/3.10.x.json b/schemas/datadog/3.10.x.json new file mode 100644 index 00000000..7157cc3d --- /dev/null +++ b/schemas/datadog/3.10.x.json 
@@ -0,0 +1,361 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "referenceable": true, + "type": "string" + } + }, + { + "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "prefix": { + "default": "kong", + "description": "String to be attached as a prefix to a metric's name.", + "type": "string" + } + }, + { + "service_name_tag": { + "default": "name", + "description": "String to be attached as the name of the service.", + "type": "string" + } + }, + { + "status_tag": { + "default": "status", + "description": "String to be attached as the tag of the HTTP status.", + "type": "string" + } + }, + { + "consumer_tag": { + "default": "consumer", + "description": "String to be attached as tag of the consumer.", + "type": "string" + } + }, + { + "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer", + "deprecation": { + "old_default": 10, + "message": "datadog: config.retry_count no longer works, please use config.queue.max_retry_time instead", + "removal_in_version": "4.0" + } + } + }, + { + "queue_size": { + 
"description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer", + "deprecation": { + "old_default": 1, + "message": "datadog: config.queue_size is deprecated, please use config.queue.max_batch_size instead", + "removal_in_version": "4.0" + } + } + }, + { + "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number", + "deprecation": { + "old_default": 2, + "message": "datadog: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", + "removal_in_version": "4.0" + } + } + }, + { + "queue": { + "fields": [ + { + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "between": [ + 0, + 3600 + ], + "type": "number" + } + }, + { + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." 
+ } + }, + { + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "type": "integer", + "one_of": [ + -1, + 1 + ] + } + } + ], + "required": true, + "type": "record" + } + }, + { + "metrics": { + "required": true, + "type": "array", + "default": [ + { + "name": "request_count", + "stat_type": "counter", + "tags": [ + "app:kong" + ], + "sample_rate": 1, + "consumer_identifier": "custom_id" + }, + { + "stat_type": "timer", + "name": "latency", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + }, + { + "stat_type": "timer", + "name": "request_size", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + }, + { + "stat_type": "timer", + "name": "response_size", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + }, + { + "stat_type": "timer", + "name": "upstream_latency", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + }, + { + "stat_type": "timer", + "name": "kong_latency", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + } + ], + "description": "List of metrics to be logged.", + "elements": { + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + } + } + } + ], + "fields": [ + { + "name": { + 
"type": "string", + "description": "Datadog metric’s name", + "required": true, + "one_of": [ + "kong_latency", + "latency", + "request_count", + "request_size", + "response_size", + "upstream_latency" + ] + } + }, + { + "stat_type": { + "type": "string", + "description": "Determines what sort of event the metric represents", + "required": true, + "one_of": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer", + "distribution" + ] + } + }, + { + "tags": { + "elements": { + "match": "^.*[^:]$", + "type": "string" + }, + "description": "List of tags", + "type": "array" + } + }, + { + "sample_rate": { + "between": [ + 0, + 1 + ], + "description": "Sampling rate", + "type": "number" + } + }, + { + "consumer_identifier": { + "description": "Authenticated user detail", + "type": "string", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + } + ], + "type": "record" + } + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/degraphql/3.10.x.json b/schemas/degraphql/3.10.x.json new file mode 100644 index 00000000..36cd73d3 --- /dev/null +++ b/schemas/degraphql/3.10.x.json 
@@ -0,0 +1,68 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "graphql_server_path": { + "required": true, + "type": "string", + "default": "/graphql", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "starts_with": "/" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/exit-transformer/3.10.x.json b/schemas/exit-transformer/3.10.x.json new file mode 100644 index 00000000..11f94588 --- /dev/null +++ b/schemas/exit-transformer/3.10.x.json 
@@ -0,0 +1,68 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "functions": { + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "handle_unknown": { + "default": false, + "description": "Determines whether to handle unknown status codes by transforming their responses.", + "type": "boolean" + } + }, + { + "handle_unexpected": { + "default": false, + "description": "Determines whether to handle unexpected errors by transforming their responses.", + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/file-log/3.10.x.json b/schemas/file-log/3.10.x.json new file mode 100644 index 00000000..6532d553 --- /dev/null +++ b/schemas/file-log/3.10.x.json 
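Review bot: In schemas/exit-transformer/3.10.x.json, the required `functions` array is the only config field without a `description`, and it is the one a reader most needs explained. Going by the plugin's purpose, each string is presumably a Lua function that the gateway loads to rewrite exit responses. I would add a description along the lines of `Array of Lua functions, supplied as strings, used to transform exit responses; they execute inside Kong, so treat write access to this field as code-execution access.` and confirm the wording against the plugin documentation.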
@@ -0,0 +1,83 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "path": { + "match": "^[^*&%%\\`]+$", + "required": true, + "type": "string", + "err": "not a valid filename", + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet." + } + }, + { + "reopen": { + "default": false, + "description": "Determines whether the log file is closed and reopened on every request.", + "required": true, + "type": "boolean" + } + }, + { + "custom_fields_by_lua": { + "description": "Lua code as a key-value map", + "values": { + "len_min": 1, + "type": "string" + }, + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/forward-proxy/3.10.x.json b/schemas/forward-proxy/3.10.x.json new file mode 100644 index 00000000..260aadee --- /dev/null +++ b/schemas/forward-proxy/3.10.x.json 
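Review bot: In schemas/file-log/3.10.x.json, the `custom_fields_by_lua` description (`Lua code as a key-value map`) does not say that the map values are Lua source the plugin evaluates. That makes write access to this plugin's configuration equivalent to running code in the gateway, subject to whatever Lua sandboxing the deployment has configured (to be confirmed against the plugin docs). I would expand it to something like `A map from log field name to Lua code whose return value sets that field; the code runs inside Kong, so restrict who can edit this plugin's configuration.` The `path` field's `match` pattern only excludes a handful of characters and does not restrict the directory, so its description could also state that the file is created wherever the Kong worker process can write.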
@@ -0,0 +1,171 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "required": true, + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "http_proxy_host", + "https_proxy_host" + ] + }, + { + "at_least_one_of": [ + "http_proxy_port", + "https_proxy_port" + ] + }, + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], + "shorthand_fields": [ + { + "proxy_host": { + "deprecation": { + "removal_in_version": "4.0", + "message": "forward-proxy: config.proxy_host is deprecated, please use config.http_proxy_host instead" + }, + "type": "string" + } + }, + { + "proxy_port": { + "deprecation": { + "removal_in_version": "4.0", + "message": "forward-proxy: config.proxy_port is deprecated, please use config.http_proxy_port instead" + }, + "type": "integer" + } + } + ], + "fields": [ + { + "x_headers": { + "required": true, + "type": "string", + "default": "append", + "description": "Determines how to handle headers when forwarding the request.", + "one_of": [ + "append", + "transparent", + "delete" + ] + } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "http_proxy_port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "https_proxy_port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "proxy_scheme": { + "required": true, + "type": "string", + "default": "http", + "description": "The proxy scheme to use when connecting. Only `http` is supported.", + "one_of": [ + "http" + ] + } + }, + { + "auth_username": { + "referenceable": true, + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "required": false, + "type": "string" + } + }, + { + "auth_password": { + "referenceable": true, + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "required": false, + "type": "string" + } + }, + { + "https_verify": { + "default": false, + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "required": true, + "type": "boolean" + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/graphql-proxy-cache-advanced/3.10.x.json b/schemas/graphql-proxy-cache-advanced/3.10.x.json new file mode 100644 index 00000000..e805038f --- /dev/null +++ b/schemas/graphql-proxy-cache-advanced/3.10.x.json 
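Review bot: In schemas/forward-proxy/3.10.x.json, `auth_password` is marked `referenceable` but not `encrypted`, while the secret fields in schemas/confluent/3.10.x.json on this page (`cluster_api_secret`, `confluent_cloud_api_secret`) carry both. Since these schemas are pulled from the API, it is worth confirming upstream whether the omission is intended, and the description should steer readers to a vault reference instead of an inline password. Separately, `https_verify` defaults to `false`, and its description does not say that the default leaves the proxy's server certificate unverified. I would append a sentence such as `Defaults to false, which skips certificate verification; set to true and configure lua_ssl_trusted_certificate for production use.`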
@@ -0,0 +1,463 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "strategy": { + "required": true, + "type": "string", + "default": "memory", + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", + "one_of": [ + "memory", + "redis" + ] + } + }, + { + "cache_ttl": { + "gt": 0, + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "default": 300, + "type": "integer" + } + }, + { + "memory": { + "fields": [ + { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. 
This dictionary currently must be defined manually in the Kong Nginx template.", + "required": true, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use 
cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + } + ] + } + }, + { + "bypass_on_err": { + "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "type": "boolean" + } + }, + { + "vary_headers": { + "elements": { + "type": "string" + }, + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/graphql-rate-limiting-advanced/3.10.x.json b/schemas/graphql-rate-limiting-advanced/3.10.x.json new file mode 100644 index 00000000..55336ec3 --- /dev/null +++ b/schemas/graphql-rate-limiting-advanced/3.10.x.json 
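Review bot: In the `redis` record both `ssl` and `ssl_verify` default to `false`, so with the defaults the connection that carries `password` and `sentinel_password` is not protected by TLS, and enabling `ssl` alone still leaves the server certificate unvalidated. The `ssl` description should say so, for example `If set to true, uses SSL to connect to Redis. Enable ssl_verify as well; otherwise the server certificate is not validated.` The same `redis` record with the same defaults appears in the graphql-rate-limiting-advanced hunk that follows. The `strategy` description also reads "Accepted value is `memory`" while its `one_of` lists both `memory` and `redis`.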
@@ -0,0 +1,530 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "identifier": { + "required": true, + "type": "string", + "default": "consumer", + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", + "one_of": [ + "ip", + "credential", + "consumer" + ] + } + }, + { + "window_size": { + "elements": { + "type": "number" + }, + "description": "One or more window sizes to apply a limit to (defined in seconds).", + "required": true, + "type": "array" + } + }, + { + "window_type": { + "default": "sliding", + "description": "Sets the time window to either `sliding` or `fixed`.", + "type": "string", + "one_of": [ + "fixed", + "sliding" + ] + } + }, + { + "limit": { + "elements": { + "type": "number" + }, + "description": "One or more requests-per-window limits to apply.", + "required": true, + "type": "array" + } + }, + { + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.", + "required": true, + "type": "number" + } + }, + { + "namespace": { + "auto": true, + "description": "The rate limiting namespace to use for this plugin instance. 
This namespace is used to share rate limiting counters across different instances. If it is not provided, a random UUID is generated. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", + "type": "string" + } + }, + { + "strategy": { + "required": true, + "type": "string", + "default": "cluster", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", + "one_of": [ + "cluster", + "redis" + ] + } + }, + { + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters will be stored until the next sync cycle.", + "required": true, + "type": "string" + } + }, + { + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers. Available options: `true` or `false`.", + "type": "boolean" + } + }, + { + "cost_strategy": { + "default": "default", + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", + "type": "string", + "one_of": [ + "default", + "node_quantifier" + ] + } + }, + { + "score_factor": { + "required": false, + "type": "number", + "gt": 0, + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", + "default": 1 + } + }, + { + "max_cost": { + "default": 0, + "description": "A defined maximum cost per query. 
0 means unlimited.", + "required": false, + "type": "number" + } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + 
] + }, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + } + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/grpc-gateway/3.10.x.json b/schemas/grpc-gateway/3.10.x.json new file mode 100644 index 00000000..cb4aab19 --- /dev/null +++ b/schemas/grpc-gateway/3.10.x.json @@ -0,0 +1,59 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "proto": { + "description": "Describes the gRPC types and methods.", + "required": false, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file 
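Review bot: In the graphql-rate-limiting-advanced schema, `max_cost` defaults to `0`, which its description defines as unlimited, so a plugin configured with defaults puts no cap on the cost of a single query. I would make the default explicit in the text: `A defined maximum cost per query. 0 (the default) means unlimited.` The `window_size` and `limit` elements are plain `number` with no `gt` bound, unlike `score_factor`. Whether zero or negative values are rejected by the `custom_entity_check` on `config` cannot be seen from this hunk and should be confirmed.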
diff --git a/schemas/grpc-web/3.10.x.json b/schemas/grpc-web/3.10.x.json new file mode 100644 index 00000000..95633634 --- /dev/null +++ b/schemas/grpc-web/3.10.x.json @@ -0,0 +1,74 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "proto": { + "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", + "required": false, + "type": "string" + } + }, + { + "pass_stripped_path": { + "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", + "required": false, + "type": "boolean" + } + }, + { + "allow_origin_header": { + "default": "*", + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", + "required": false, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/header-cert-auth/3.10.x.json b/schemas/header-cert-auth/3.10.x.json new file mode 100644 index 00000000..380d6860 --- /dev/null +++ b/schemas/header-cert-auth/3.10.x.json 
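Review bot: In the grpc-web schema, `allow_origin_header` defaults to `*`, so unless it is overridden the plugin answers with `Access-Control-Allow-Origin: *`, which permits cross-origin reads from any site for requests made without credentials. The description should state the default and its effect, for example `Defaults to *, which allows any origin; set an explicit origin for services that are not public.` The `proto` description also contains a typo: `application/grpw-web+proto` should read `application/grpc-web+proto`.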
@@ -0,0 +1,229 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], + "fields": [ + { + "certificate_header_name": { + "description": "Name of the header that contains the certificate, received from the WAF or other L7 downstream proxy.", + "required": true, + "type": "string" + } + }, + { + "certificate_header_format": { + "type": "string", + "description": "Format of the certificate header. Supported formats: `base64_encoded`, `url_encoded`.", + "required": true, + "one_of": [ + "base64_encoded", + "url_encoded" + ] + } + }, + { + "secure_source": { + "default": true, + "description": "Whether to secure the source of the request. If set to `true`, the plugin will only allow requests from trusted IPs (configured by the `trusted_ips` config option).", + "required": true, + "type": "boolean" + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "consumer_by": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "username", + "custom_id" + ] + }, + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "ca_certificates": { + "elements": { + "uuid": true, + "type": "string" + }, + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", + "required": true, + "type": "array" + } + }, + { + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "required": true, + "type": "number" + } + }, + { + "skip_consumer_lookup": { + "default": false, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "required": true, + "type": "boolean" + } + }, + { + "allow_partial_chain": { + "default": false, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "required": true, + "type": "boolean" + } + }, + { + "authenticated_group_by": { + "required": false, + "type": "string", + "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. 
To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "one_of": [ + "CN", + "DN" + ] + } + }, + { + "revocation_check_mode": { + "required": false, + "type": "string", + "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "one_of": [ + "SKIP", + "IGNORE_CA_ERROR", + "STRICT" + ] + } + }, + { + "http_timeout": { + "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number" + } + }, + { + "cert_cache_ttl": { + "default": 60000, + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", + "type": "number" + } + }, + { + "default_consumer": { + "type": "string", + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "http_proxy_port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "https_proxy_port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/hmac-auth/3.10.x.json b/schemas/hmac-auth/3.10.x.json new file mode 100644 index 00000000..b922bd3e --- /dev/null +++ b/schemas/hmac-auth/3.10.x.json 
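Review bot: `revocation_check_mode` defaults to `IGNORE_CA_ERROR`, which by its own description "doesn't fail on network issues", so when the OCSP or CRL endpoint is unreachable a revoked certificate is still accepted. For an authentication plugin that fail-open default deserves an explicit sentence, for example `With IGNORE_CA_ERROR (the default), a certificate is accepted when its revocation status cannot be retrieved; use STRICT to fail closed.` The certificate here arrives in a request header rather than from a TLS handshake, so the `secure_source` description could also say that disabling it lets any client supply that header.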
@@ -0,0 +1,132 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.algorithms" + ] + } + } + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "required": true, + "type": "boolean" + } + }, + { + "clock_skew": { + "default": 300, + "description": "Clock skew in seconds to prevent replay attacks.", + "gt": 0, + "type": "number" + } + }, + { + "anonymous": { + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + } + }, + { + "validate_request_body": { + "default": false, + "description": "A boolean value telling the plugin to enable body validation.", + "required": true, + "type": "boolean" + } + }, + { + "enforce_headers": { + "elements": { + "type": "string" + }, + "description": "A list of headers that the client should at least use for HTTP signature creation.", + "default": [ + + ], + "type": "array" + } + }, + { + "algorithms": { + "elements": { + "type": "string", + "one_of": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ] + }, + "description": "A list of HMAC digest algorithms that the user wants to support. 
Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "type": "array" + } + }, + { + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": false, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/http-log/3.10.x.json b/schemas/http-log/3.10.x.json new file mode 100644 index 00000000..0c018a80 --- /dev/null +++ b/schemas/http-log/3.10.x.json 
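Review bot: The descriptions of `enforce_headers` and `validate_request_body` do not say what the defaults leave unchecked. With `"default": []` and `"default": false`, the schema as shown does not appear to require the signature to cover any particular header or the request body. I would state that in the text, for example `A list of headers that the client must include in the signature. Empty by default, so no header is enforced.` Separately, `hide_credentials` is described as "An optional boolean value" while marked `"required": true`, and the `algorithms` description lacks its final period.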
@@ -0,0 +1,260 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "http_endpoint": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": true + } + }, + { + "method": { + "default": "POST", + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", + "type": "string", + "one_of": [ + "POST", + "PUT", + "PATCH" + ] + } + }, + { + "content_type": { + "default": "application/json", + "description": "Indicates the type of data sent. 
The only available option is `application/json`.", + "type": "string", + "one_of": [ + "application/json", + "application/json; charset=utf-8" + ] + } + }, + { + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + } + }, + { + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", + "type": "number" + } + }, + { + "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer", + "deprecation": { + "old_default": 10, + "message": "http-log: config.retry_count no longer works, please use config.queue.max_retry_time instead", + "removal_in_version": "4.0" + } + } + }, + { + "queue_size": { + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer", + "deprecation": { + "old_default": 1, + "message": "http-log: config.queue_size is deprecated, please use config.queue.max_batch_size instead", + "removal_in_version": "4.0" + } + } + }, + { + "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number", + "deprecation": { + "old_default": 2, + "message": "http-log: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", + "removal_in_version": "4.0" + } + } + }, + { + "headers": { + "values": { + "referenceable": true, + "type": "string" + }, + "description": "An optional table of headers included in the HTTP message to the upstream server. 
Values are indexed by header name, and each header name accepts a single string.", + "keys": { + "description": "A string representing an HTTP header name.", + "match_none": [ + { + "err": "cannot contain 'Host' header", + "pattern": "^[Hh][Oo][Ss][Tt]$" + }, + { + "err": "cannot contain 'Content-Length' header", + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$" + }, + { + "err": "cannot contain 'Content-Type' header", + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$" + } + ], + "type": "string" + }, + "type": "map" + } + }, + { + "queue": { + "fields": [ + { + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "between": [ + 0, + 3600 + ], + "type": "number" + } + }, + { + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." 
+ } + }, + { + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "type": "integer", + "one_of": [ + -1, + 1 + ] + } + } + ], + "required": true, + "type": "record" + } + }, + { + "custom_fields_by_lua": { + "description": "Lua code as a key-value map", + "values": { + "len_min": 1, + "type": "string" + }, + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/injection-protection/3.10.x.json b/schemas/injection-protection/3.10.x.json new file mode 100644 index 00000000..1f100616 --- /dev/null +++ b/schemas/injection-protection/3.10.x.json 
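Review bot: The `Content-Length` entry under `config.headers.keys.match_none` uses the pattern `^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$`, where `[nn]` matches only a lowercase `n`. A key with an uppercase `N` at that position is therefore not rejected, although header names are case-insensitive. The class should read `[Nn]`, giving `[Ll][Ee][Nn][Gg][Tt][Hh]`, in line with the `Host` and `Content-Type` patterns next to it. If this file is pulled from the gateway's schema endpoint, the correction presumably belongs in the plugin's schema source, and this copy should be refreshed afterwards.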
@@ -0,0 +1,159 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "at_least_one_of": [ + "injection_types", + "custom_injections" + ] + } + ], + "fields": [ + { + "injection_types": { + "required": true, + "type": "set", + "default": [ + "sql" + ], + "description": "The type of injections to check for.", + "elements": { + "type": "string", + "one_of": [ + "sql", + "js", + "ssi", + "xpath_abbreviated", + "xpath_extended", + "java_exception" + ] + } + } + }, + { + "locations": { + "required": true, + "type": "set", + "default": [ + "path_and_query" + ], + "description": "The locations to check for injection.", + "elements": { + "type": "string", + "one_of": [ + "headers", + "path_and_query", + "body" + ] + } + } + }, + { + "custom_injections": { + "elements": { + "type": "record", + "fields": [ + { + "name": { + "description": "A unique name for this injection.", + "required": true, + "type": "string" + } + }, + { + "regex": { + "description": "The regex to match against.", + "is_regex": true, + "required": true, + "type": "string" + } + } + ] + }, + "description": "Custom regexes to check for.", + "default": null, + "type": "array" + } + }, + { + "enforcement_mode": { + "required": true, + "type": "string", + "default": "block", + "description": "Enforcement mode of the 
security policy.", + "one_of": [ + "block", + "log_only" + ] + } + }, + { + "error_status_code": { + "between": [ + 400, + 499 + ], + "required": true, + "type": "integer", + "default": 400, + "description": "The response status code when validation fails." + } + }, + { + "error_message": { + "default": "Bad Request", + "description": "The response message when validation fails", + "required": true, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ip-restriction/3.10.x.json b/schemas/ip-restriction/3.10.x.json new file mode 100644 index 00000000..6ce79129 --- /dev/null +++ b/schemas/ip-restriction/3.10.x.json 
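Review bot: The `locations` description, `The locations to check for injection.`, omits that the default is `path_and_query` only, so `headers` and `body` are not inspected unless they are added. The same gap exists for `injection_types`, which defaults to `sql` alone out of the six listed types. I would extend both descriptions, e.g. `The locations to check for injection. Defaults to path_and_query; add headers and body to inspect them as well.` The `error_message` description is also missing its closing period.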
@@ -0,0 +1,85 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "http", + "https", + "tcp", + "tls", + "grpc", + "grpcs" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "config": { + "fields": [ + { + "allow": { + "elements": { + "type": "string", + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + }, + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", + "type": "array" + } + }, + { + "deny": { + "elements": { + "type": "string", + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + }, + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", + "type": "array" + } + }, + { + "status": { + "description": "The HTTP status of the requests that will be rejected by the plugin.", + "required": false, + "type": "number" + } + }, + { + "message": { + "description": "The message to send as a response body to rejected requests.", + "required": false, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/jq/3.10.x.json b/schemas/jq/3.10.x.json new file mode 100644 index 00000000..623393bd --- /dev/null +++ b/schemas/jq/3.10.x.json 
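Review bot: `config.status` is declared as `"type": "number"` with no `between`, so the schema as shown accepts fractional or out-of-range values for what its description calls an HTTP status. `error_status_code` in the injection-protection schema elsewhere in this diff is an `integer` with `"between": [400, 499]`. A bounded `"type": "integer"` here would keep the two consistent. The `allow` and `deny` elements are likewise plain `string` in this file, so any IP/CIDR validation is not visible from the schema alone.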
@@ -0,0 +1,197 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "entity_checks": [ + { + "at_least_one_of": [ + "request_jq_program", + "response_jq_program" + ] + } + ], + "fields": [ + { + "request_jq_program": { + "required": false, + "type": "string" + } + }, + { + "request_jq_program_options": { + "default": [ + + ], + "type": "record", + "required": false, + "fields": [ + { + "compact_output": { + "default": true, + "required": true, + "type": "boolean" + } + }, + { + "raw_output": { + "default": false, + "required": true, + "type": "boolean" + } + }, + { + "join_output": { + "default": false, + "required": true, + "type": "boolean" + } + }, + { + "ascii_output": { + "default": false, + "required": true, + "type": "boolean" + } + }, + { + "sort_keys": { + "default": false, + "required": true, + "type": "boolean" + } + } + ] + } + }, + { + "request_if_media_type": { + "elements": { + "type": "string" + }, + "default": [ + "application/json" + ], + "required": false, + "type": "array" + } + }, + { + "response_jq_program": { + "required": false, + "type": "string" + } + }, + { + "response_jq_program_options": { + "default": [ + + ], + "type": "record", + "required": false, + "fields": [ + { + "compact_output": { + "default": true, + "required": true, + "type": "boolean" + } + }, + { + "raw_output": { + "default": false, + "required": true, + "type": "boolean" + } + }, + { + "join_output": { + "default": false, + "required": true, + "type": "boolean" + } + }, + { + 
"ascii_output": { + "default": false, + "required": true, + "type": "boolean" + } + }, + { + "sort_keys": { + "default": false, + "required": true, + "type": "boolean" + } + } + ] + } + }, + { + "response_if_media_type": { + "elements": { + "type": "string" + }, + "default": [ + "application/json" + ], + "required": false, + "type": "array" + } + }, + { + "response_if_status_code": { + "elements": { + "between": [ + 100, + 599 + ], + "type": "integer" + }, + "default": [ + 200 + ], + "required": false, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/json-threat-protection/3.10.x.json b/schemas/json-threat-protection/3.10.x.json new file mode 100644 index 00000000..e41dd894 --- /dev/null +++ b/schemas/json-threat-protection/3.10.x.json 
@@ -0,0 +1,164 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.max_body_size", + "config.max_container_depth" + ] + } + } + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "max_body_size": { + "between": [ + -1, + 2147483648 + ], + "required": false, + "type": "integer", + "default": 8192, + "description": "Max size of the request body. -1 means unlimited." + } + }, + { + "max_container_depth": { + "between": [ + -1, + 2147483648 + ], + "required": false, + "type": "integer", + "default": -1, + "description": "Max nested depth of objects and arrays. -1 means unlimited." + } + }, + { + "max_object_entry_count": { + "between": [ + -1, + 2147483648 + ], + "required": false, + "type": "integer", + "default": -1, + "description": "Max number of entries in an object. -1 means unlimited." + } + }, + { + "max_object_entry_name_length": { + "between": [ + -1, + 2147483648 + ], + "required": false, + "type": "integer", + "default": -1, + "description": "Max string length of object name. -1 means unlimited." + } + }, + { + "max_array_element_count": { + "between": [ + -1, + 2147483648 + ], + "required": false, + "type": "integer", + "default": -1, + "description": "Max number of elements in an array. -1 means unlimited." 
+ } + }, + { + "max_string_value_length": { + "between": [ + -1, + 2147483648 + ], + "required": false, + "type": "integer", + "default": -1, + "description": "Max string value length. -1 means unlimited." + } + }, + { + "enforcement_mode": { + "required": false, + "type": "string", + "default": "block", + "description": "Enforcement mode of the security policy.", + "one_of": [ + "block", + "log_only" + ] + } + }, + { + "error_status_code": { + "between": [ + 400, + 499 + ], + "required": false, + "type": "integer", + "default": 400, + "description": "The response status code when validation fails." + } + }, + { + "error_message": { + "default": "Bad Request", + "description": "The response message when validation fails", + "required": false, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/jwe-decrypt/3.10.x.json b/schemas/jwe-decrypt/3.10.x.json new file mode 100644 index 00000000..f414e64e --- /dev/null +++ b/schemas/jwe-decrypt/3.10.x.json 
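Review bot: Every structural limit in `config` except `max_body_size` defaults to `-1` (unlimited), so with the defaults shown only the 8192 body-size cap is active. The descriptions explain what `-1` means but not that it is the default. I would say so on each field, e.g. `Max nested depth of objects and arrays. -1 (the default) means unlimited.` The `between` range `[-1, 2147483648]` also admits `0`, whose meaning the descriptions leave undefined, and `max_body_size` states no unit.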
@@ -0,0 +1,86 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "lookup_header_name": { + "default": "Authorization", + "description": "The name of the header to look for the JWE token.", + "required": true, + "type": "string" + } + }, + { + "forward_header_name": { + "default": "Authorization", + "description": "The name of the header that is used to set the decrypted value.", + "required": true, + "type": "string" + } + }, + { + "key_sets": { + "elements": { + "type": "string" + }, + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", + "required": true, + "type": "array" + } + }, + { + "strict": { + "default": true, + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/jwt-signer/3.10.x.json b/schemas/jwt-signer/3.10.x.json new file mode 100644 index 00000000..613ca8b3 --- /dev/null +++ b/schemas/jwt-signer/3.10.x.json 
@@ -0,0 +1,997 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.access_token_upstream_header", + "config.channel_token_upstream_header", + "config.original_access_token_upstream_header", + "config.original_channel_token_upstream_header" + ] + } + } + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "mutually_required": [ + "access_token_jwks_uri_client_username", + "access_token_jwks_uri_client_password" + ] + }, + { + "mutually_required": [ + "access_token_keyset_client_username", + "access_token_keyset_client_password" + ] + }, + { + "mutually_required": [ + "channel_token_jwks_uri_client_username", + "channel_token_jwks_uri_client_password" + ] + }, + { + "mutually_required": [ + "channel_token_keyset_client_username", + "channel_token_keyset_client_password" + ] + } + ], + "type": "record", + "required": true, + "fields": [ + { + "realm": { + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", + "required": false, + "type": "string" + } + }, + { + "enable_hs_signatures": { + "default": false, + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. 
If you need to accept such tokens for verification, enable this setting.", + "required": false, + "type": "boolean" + } + }, + { + "enable_instrumentation": { + "default": false, + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", + "required": false, + "type": "boolean" + } + }, + { + "access_token_issuer": { + "default": "kong", + "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", + "required": false, + "type": "string" + } + }, + { + "access_token_keyset": { + "default": "kong", + "description": "The name of the keyset containing signing keys.", + "required": false, + "type": "string" + } + }, + { + "access_token_keyset_client_username": { + "referenceable": true, + "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`", + "required": false, + "type": "string" + } + }, + { + "access_token_keyset_client_password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`", + "required": false + } + }, + { + "access_token_keyset_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_keyset` is an https uri that requires mTLS Auth.", + "reference": "certificates", + "required": false, + "type": "foreign" + } + }, + { + "access_token_keyset_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. 
The default value 0 means no auto-rotation.", + "required": false, + "type": "number" + } + }, + { + "access_token_jwks_uri": { + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", + "required": false, + "type": "string" + } + }, + { + "access_token_jwks_uri_client_username": { + "referenceable": true, + "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`", + "required": false, + "type": "string" + } + }, + { + "access_token_jwks_uri_client_password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`", + "required": false + } + }, + { + "access_token_jwks_uri_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", + "reference": "certificates", + "required": false, + "type": "foreign" + } + }, + { + "access_token_jwks_uri_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. The default value 0 means no auto-rotation.", + "required": false, + "type": "number" + } + }, + { + "access_token_request_header": { + "default": "Authorization", + "description": "This parameter tells the name of the header where to look for the access token.", + "required": false, + "type": "string" + } + }, + { + "access_token_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer and Kong. 
The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", + "required": false, + "type": "number" + } + }, + { + "access_token_scopes_required": { + "elements": { + "type": "string" + }, + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", + "required": false, + "type": "array" + } + }, + { + "access_token_scopes_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", + "default": [ + "scope" + ] + } + }, + { + "access_token_consumer_claim": { + "elements": { + "type": "string" + }, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", + "required": false, + "type": "array" + } + }, + { + "access_token_consumer_by": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "access_token_upstream_header": { + "default": "Authorization:Bearer", + "description": "Removes the `config.access_token_request_header` from the request after reading its value. 
With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", + "required": false, + "type": "string" + } + }, + { + "access_token_upstream_leeway": { + "default": 0, + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", + "required": false, + "type": "number" + } + }, + { + "access_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", + "required": false, + "type": "string" + } + }, + { + "access_token_introspection_authorization": { + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", + "required": false, + "type": "string" + } + }, + { + "access_token_introspection_body_args": { + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", + "required": false, + "type": "string" + } + }, + { + "access_token_introspection_hint": { + "default": "access_token", + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. 
By default, the plugin sends `hint=access_token`.", + "required": false, + "type": "string" + } + }, + { + "access_token_introspection_jwt_claim": { + "elements": { + "type": "string" + }, + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", + "required": false, + "type": "array" + } + }, + { + "access_token_introspection_scopes_required": { + "elements": { + "type": "string" + }, + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", + "required": false, + "type": "array" + } + }, + { + "access_token_introspection_scopes_claim": { + "required": true, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). 
If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", + "default": [ + "scope" + ] + } + }, + { + "access_token_introspection_consumer_claim": { + "elements": { + "type": "string" + }, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", + "required": false, + "type": "array" + } + }, + { + "access_token_introspection_consumer_by": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "access_token_introspection_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", + "required": false, + "type": "number" + } + }, + { + "access_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. 
If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", + "required": false, + "type": "number" + } + }, + { + "access_token_signing_algorithm": { + "required": true, + "type": "string", + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + } + }, + { + "add_access_token_claims": { + "values": { + "type": "string" + }, + "required": false, + "type": "map", + "default": [ + + ], + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "keys": { + "type": "string" + } + } + }, + { + "set_access_token_claims": { + "values": { + "type": "string" + }, + "required": false, + "type": "map", + "default": [ + + ], + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "keys": { + "type": "string" + } + } + }, + { + "remove_access_token_claims": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "remove claims. 
It should be an array, and each element is a claim key string.", + "default": [ + + ] + } + }, + { + "original_access_token_upstream_header": { + "description": "The HTTP header name used to store the original access token.", + "required": false, + "type": "string" + } + }, + { + "access_token_optional": { + "default": false, + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect", + "required": false, + "type": "boolean" + } + }, + { + "verify_access_token_signature": { + "default": true, + "description": "Quickly turn access token signature verification off and on as needed.", + "required": false, + "type": "boolean" + } + }, + { + "verify_access_token_expiry": { + "default": true, + "description": "Quickly turn access token expiry verification off and on as needed.", + "required": false, + "type": "boolean" + } + }, + { + "verify_access_token_scopes": { + "default": true, + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", + "required": false, + "type": "boolean" + } + }, + { + "verify_access_token_introspection_expiry": { + "default": true, + "description": "Quickly turn access token introspection expiry verification off and on as needed.", + "required": false, + "type": "boolean" + } + }, + { + "verify_access_token_introspection_scopes": { + "default": true, + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", + "required": false, + "type": "boolean" + } + }, + { + 
"cache_access_token_introspection": { + "default": true, + "description": "Whether to cache access token introspection results.", + "required": false, + "type": "boolean" + } + }, + { + "trust_access_token_introspection": { + "default": true, + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", + "required": false, + "type": "boolean" + } + }, + { + "enable_access_token_introspection": { + "default": true, + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", + "required": false, + "type": "boolean" + } + }, + { + "channel_token_issuer": { + "default": "kong", + "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", + "required": false, + "type": "string" + } + }, + { + "channel_token_keyset": { + "default": "kong", + "description": "The name of the keyset containing signing keys.", + "required": false, + "type": "string" + } + }, + { + "channel_token_keyset_client_username": { + "referenceable": true, + "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`", + "required": false, + "type": "string" + } + }, + { + "channel_token_keyset_client_password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_keyset_client_username`", + "required": false + } + }, + { + "channel_token_keyset_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `channel_token_keyset` is an https uri that requires mTLS Auth.", + "reference": "certificates", + "required": false, + "type": "foreign" + } + }, + { + "channel_token_keyset_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. The default value 0 means no auto-rotation.", + "required": false, + "type": "number" + } + }, + { + "channel_token_jwks_uri": { + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", + "required": false, + "type": "string" + } + }, + { + "channel_token_jwks_uri_client_username": { + "referenceable": true, + "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", + "required": false, + "type": "string" + } + }, + { + "channel_token_jwks_uri_client_password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_jwks_uri_client_username`", + "required": false + } + }, + { + "channel_token_jwks_uri_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", + "reference": "certificates", + "required": false, + "type": "foreign" + } + }, + { + "channel_token_jwks_uri_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. The default value 0 means no auto-rotation.", + "required": false, + "type": "number" + } + }, + { + "channel_token_request_header": { + "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", + "required": false, + "type": "string" + } + }, + { + "channel_token_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", + "required": false, + "type": "number" + } + }, + { + "channel_token_scopes_required": { + "elements": { + "type": "string" + }, + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", + "required": false, + "type": "array" + } + }, + { + "channel_token_scopes_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. 
This supports nested claims.", + "default": [ + "scope" + ] + } + }, + { + "channel_token_consumer_claim": { + "elements": { + "type": "string" + }, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", + "required": false, + "type": "array" + } + }, + { + "channel_token_consumer_by": { + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", + "default": [ + "username", + "custom_id" + ], + "type": "array" + } + }, + { + "channel_token_upstream_header": { + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", + "required": false, + "type": "string" + } + }, + { + "channel_token_upstream_leeway": { + "default": 0, + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", + "required": false, + "type": "number" + } + }, + { + "channel_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. 
Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", + "required": false, + "type": "string" + } + }, + { + "channel_token_introspection_authorization": { + "elements": { + "type": "string" + }, + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", + "required": false, + "type": "string" + } + }, + { + "channel_token_introspection_body_args": { + "elements": { + "type": "string" + }, + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", + "required": false, + "type": "string" + } + }, + { + "channel_token_introspection_hint": { + "elements": { + "type": "string" + }, + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. 
By default, a `hint` isn't sent with channel token introspection.", + "required": false, + "type": "string" + } + }, + { + "channel_token_introspection_jwt_claim": { + "elements": { + "type": "string" + }, + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", + "required": false, + "type": "array" + } + }, + { + "channel_token_introspection_scopes_required": { + "elements": { + "type": "string" + }, + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", + "required": false, + "type": "array" + } + }, + { + "channel_token_introspection_scopes_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. 
This supports nested claims.", + "default": [ + "scope" + ] + } + }, + { + "channel_token_introspection_consumer_claim": { + "elements": { + "type": "string" + }, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", + "required": false, + "type": "array" + } + }, + { + "channel_token_introspection_consumer_by": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "channel_token_introspection_leeway": { + "default": 0, + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", + "required": false, + "type": "number" + } + }, + { + "channel_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. 
If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", + "required": false, + "type": "number" + } + }, + { + "channel_token_signing_algorithm": { + "required": true, + "type": "string", + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + } + }, + { + "add_channel_token_claims": { + "values": { + "type": "string" + }, + "required": false, + "type": "map", + "default": [ + + ], + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "keys": { + "type": "string" + } + } + }, + { + "set_channel_token_claims": { + "values": { + "type": "string" + }, + "required": false, + "type": "map", + "default": [ + + ], + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "keys": { + "type": "string" + } + } + }, + { + "remove_channel_token_claims": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "remove claims. 
It should be an array, and each element is a claim key string.", + "default": [ + + ] + } + }, + { + "original_channel_token_upstream_header": { + "description": "The HTTP header name used to store the original channel token.", + "required": false, + "type": "string" + } + }, + { + "channel_token_optional": { + "default": false, + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", + "required": false, + "type": "boolean" + } + }, + { + "verify_channel_token_signature": { + "default": true, + "description": "Quickly turn on/off the channel token signature verification.", + "required": false, + "type": "boolean" + } + }, + { + "verify_channel_token_expiry": { + "default": true, + "required": false, + "type": "boolean" + } + }, + { + "verify_channel_token_scopes": { + "default": true, + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", + "required": false, + "type": "boolean" + } + }, + { + "verify_channel_token_introspection_expiry": { + "default": true, + "description": "Quickly turn on/off the channel token introspection expiry verification.", + "required": false, + "type": "boolean" + } + }, + { + "verify_channel_token_introspection_scopes": { + "default": true, + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", + "required": false, + "type": "boolean" + } + }, + { + "cache_channel_token_introspection": { + "default": true, + "description": "Whether to cache 
channel token introspection results.", + "required": false, + "type": "boolean" + } + }, + { + "trust_channel_token_introspection": { + "default": true, + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", + "required": false, + "type": "boolean" + } + }, + { + "enable_channel_token_introspection": { + "default": true, + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", + "required": false, + "type": "boolean" + } + }, + { + "add_claims": { + "values": { + "type": "string" + }, + "required": false, + "type": "map", + "default": [ + + ], + "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "keys": { + "type": "string" + } + } + }, + { + "set_claims": { + "values": { + "type": "string" + }, + "required": false, + "type": "map", + "default": [ + + ], + "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "keys": { + "type": "string" + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/jwt/3.10.x.json b/schemas/jwt/3.10.x.json new file mode 100644 index 00000000..06e0c528 --- /dev/null +++ b/schemas/jwt/3.10.x.json 
@@ -0,0 +1,160 @@ +{ + "entity_checks": [ + { + "conditional": { + "if_match": { + "gt": 0 + }, + "then_field": "config.claims_to_verify", + "if_field": "config.maximum_expiration", + "then_match": { + "contains": "exp" + } + } + } + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "uri_param_names": { + "elements": { + "type": "string" + }, + "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", + "default": [ + "jwt" + ], + "type": "set" + } + }, + { + "cookie_names": { + "elements": { + "type": "string" + }, + "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", + "default": [ + + ], + "type": "set" + } + }, + { + "key_claim_name": { + "default": "iss", + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", + "type": "string" + } + }, + { + "secret_is_base64": { + "default": false, + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. 
You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", + "required": true, + "type": "boolean" + } + }, + { + "claims_to_verify": { + "elements": { + "type": "string", + "one_of": [ + "exp", + "nbf" + ] + }, + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", + "type": "set" + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + } + }, + { + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", + "required": true, + "type": "boolean" + } + }, + { + "maximum_expiration": { + "default": 0, + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", + "between": [ + 0, + 31536000 + ], + "type": "number" + } + }, + { + "header_names": { + "elements": { + "type": "string" + }, + "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", + "default": [ + "authorization" + ], + "type": "set" + } + }, + { + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": false, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/kafka-log/3.10.x.json b/schemas/kafka-log/3.10.x.json new file mode 100644 index 00000000..2b4dc212 --- /dev/null +++ b/schemas/kafka-log/3.10.x.json 
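Review bot: `claims_to_verify` in `config` carries no `default`, so as far as this schema shows neither `exp` nor `nbf` is checked unless the operator lists them, and the description does not say so. The only coupling is the `entity_checks` rule that requires `exp` once `maximum_expiration` is above 0. I would extend the description with a sentence such as `No claims are verified by default; add exp so that expired tokens are rejected.` Separately, `uri_param_names` defaults to `jwt`, which accepts tokens from the query string where they tend to be written to access logs, and its description could say that. If these files are pulled from the API as the series states, both wording changes belong in the plugin schema upstream.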
@@ -0,0 +1,280 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "authentication" + ] + } + } + ], + "fields": [ + { + "bootstrap_servers": { + "elements": { + "type": "record", + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "type": "integer" + } + } + ] + }, + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set" + } + }, + { + "topic": { + "description": "The Kafka topic to publish to.", + "required": true, + "type": "string" + } + }, + { + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + } + }, + { + "keepalive": { + "default": 60000, + "type": "integer" + } + }, + { + "keepalive_enabled": { + "default": false, + "type": "boolean" + } + }, + { + "authentication": { + "fields": [ + { + "strategy": { + "type": "string", + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "required": false, + "one_of": [ + "sasl" + ] + } + }, + { + "mechanism": { + "type": "string", + "description": "The SASL authentication mechanism. 
Supported options: `PLAIN` or `SCRAM-SHA-256`.", + "required": false, + "one_of": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ] + } + }, + { + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication", + "required": false, + "type": "boolean" + } + }, + { + "user": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Username for SASL authentication.", + "required": false + } + }, + { + "password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Password for SASL authentication.", + "required": false + } + } + ], + "required": true, + "type": "record" + } + }, + { + "security": { + "fields": [ + { + "certificate_id": { + "required": false, + "description": "UUID of certificate entity for mTLS authentication.", + "uuid": true, + "type": "string" + } + }, + { + "ssl": { + "description": "Enables TLS.", + "required": false, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "cluster_name": { + "auto": true, + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "required": false, + "type": "string" + } + }, + { + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "type": "integer", + "one_of": [ + -1, + 0, + 1 + ] + } + }, + { + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds", + "type": "integer" + } + }, + { + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single Produce request.", + "type": "integer" + } + }, + { + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + } + }, + { + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + } + }, + { + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + } + }, + { + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + } + }, + { + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + } + }, + { + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + } + }, + { + "custom_fields_by_lua": { + "description": "Lua code as a key-value map", + "values": { + "len_min": 1, + "type": "string" + }, + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file 
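Review bot: The `mechanism` description under `authentication` says the supported options are `PLAIN` or `SCRAM-SHA-256`, while its `one_of` list also accepts `SCRAM-SHA-512`; the kafka-upstream schema later in this patch already names all three. The sentence should list `SCRAM-SHA-512` too, so readers do not assume the stronger mechanism is unavailable. Since `security.ssl` has no default here, the description could also note that `PLAIN` sends the password to the broker without protection unless TLS is enabled. `custom_fields_by_lua` is described only as `Lua code as a key-value map`; a sentence on who may set it and how the code is evaluated would help reviewers of a configuration.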
diff --git a/schemas/kafka-upstream/3.10.x.json b/schemas/kafka-upstream/3.10.x.json
new file mode 100644
index 00000000..e05b530c
--- /dev/null
+++ b/schemas/kafka-upstream/3.10.x.json
@@ -0,0 +1,302 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "forward_method", + "forward_uri", + "forward_headers", + "forward_body" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "authentication" + ] + } + } + ], + "fields": [ + { + "bootstrap_servers": { + "elements": { + "type": "record", + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "type": "integer" + } + } + ] + }, + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set" + } + }, + { + "topic": { + "description": "The Kafka topic to publish to.", + "required": true, + "type": "string" + } + }, + { + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + } + }, + { + "keepalive": { + "default": 60000, + "description": "Keepalive timeout in milliseconds.", + "type": "integer" + } + }, + { + "keepalive_enabled": { + "default": false, + "type": "boolean" + } + }, + { + "authentication": { + "fields": [ + { + "strategy": { + "type": "string", + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "required": 
false, + "one_of": [ + "sasl" + ] + } + }, + { + "mechanism": { + "type": "string", + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", + "required": false, + "one_of": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ] + } + }, + { + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication.", + "required": false, + "type": "boolean" + } + }, + { + "user": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Username for SASL authentication.", + "required": false + } + }, + { + "password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Password for SASL authentication.", + "required": false + } + } + ], + "required": true, + "type": "record" + } + }, + { + "security": { + "fields": [ + { + "certificate_id": { + "uuid": true, + "description": "UUID of certificate entity for mTLS authentication.", + "required": false, + "type": "string" + } + }, + { + "ssl": { + "description": "Enables TLS.", + "required": false, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "forward_method": { + "default": false, + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + } + }, + { + "forward_uri": { + "default": false, + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + } + }, + { + "forward_headers": { + "default": false, + "description": "Include the request headers in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + } + }, + { + "forward_body": { + "default": true, + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + } + }, + { + "cluster_name": { + "auto": true, + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "required": false, + "type": "string" + } + }, + { + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "type": "integer", + "one_of": [ + -1, + 0, + 1 + ] + } + }, + { + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer" + } + }, + { + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single producer request.", + "type": "integer" + } + }, + { + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + } + }, + { + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + } + }, + { + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + } + }, + { + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + } + }, + { + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + } + }, + { + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/key-auth-enc/3.10.x.json b/schemas/key-auth-enc/3.10.x.json new file mode 100644 index 00000000..0db052a3 --- /dev/null +++ b/schemas/key-auth-enc/3.10.x.json 
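Review bot: `authentication.mechanism` accepts `PLAIN` while `security.ssl` is optional with no default, and nothing visible in this schema ties the two together, so a configuration that sends the SASL password over an unencrypted broker connection appears to pass validation. The `custom_entity_check` on `authentication` does not show what it validates, so this is inferred from the visible fields only. At minimum the `mechanism` description should carry the caveat, for example `With PLAIN the password is not protected in transit unless security.ssl is true.` If the schema source can express it, a conditional rule requiring `ssl` to be `true` when `mechanism` is `PLAIN` would be stronger than documentation. `keepalive_enabled` also has no `description`.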
@@ -0,0 +1,118 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "key_names": { + "required": true, + "type": "array", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "default": [ + "apikey" + ] + } + }, + { + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", + "type": "boolean" + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "key_in_header": { + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean" + } + }, + { + "key_in_query": { + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean" + } + }, + { + "key_in_body": { + "default": false, + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + } + }, + { + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean" + } + }, + { + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": false, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/key-auth/3.10.x.json b/schemas/key-auth/3.10.x.json new file mode 100644 index 00000000..dbb4a35d --- /dev/null +++ b/schemas/key-auth/3.10.x.json 
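Review bot: `key_in_query` defaults to `true` while `hide_credentials` defaults to `false`, so out of the box the API key is accepted in the URL and forwarded unchanged to the upstream service, and neither description mentions that keys in query strings tend to end up in access logs, browser history and `Referer` headers. I would append to `key_in_query`: `Keys sent in the query string can be recorded in access logs and by intermediaries; set to false to accept the key only in a header or body.` and to `hide_credentials`: `Set to true unless the upstream service needs the key.` The `key_in_body` description also names `application/www-form-urlencoded`, where the registered media type is `application/x-www-form-urlencoded`. Both points apply equally to the `schemas/key-auth/3.10.x.json` hunk that follows. If these files are pulled from the API like the earlier schema downloads in this series, the wording belongs in the plugin's schema source.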
@@ -0,0 +1,123 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "key_names": { + "required": true, + "type": "array", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "default": [ + "apikey" + ] + } + }, + { + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", + "required": true, + "type": "boolean" + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. 
If empty (default null), the request will fail with an authentication failure `4xx`.", + "type": "string" + } + }, + { + "key_in_header": { + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "required": true, + "type": "boolean" + } + }, + { + "key_in_query": { + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "required": true, + "type": "boolean" + } + }, + { + "key_in_body": { + "default": false, + "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "required": true, + "type": "boolean" + } + }, + { + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "required": true, + "type": "boolean" + } + }, + { + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": false, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/konnect-application-auth/3.10.x.json b/schemas/konnect-application-auth/3.10.x.json new file mode 100644 index 00000000..e7763990 --- /dev/null +++ b/schemas/konnect-application-auth/3.10.x.json 
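Review bot: The `anonymous` description in this hunk omits the caveat that the `key-auth-enc` schema in the same patch keeps, namely that the value must be the consumer's `id` or `username` and not its `custom_id`. I would restore that sentence so the two plugins document the fallback consumer identically. The `key_in_body` description is shortened in the same way to `If enabled, the plugin reads the request body.`, which no longer says that the body is read only to look for the key or that the request's MIME type must be supported.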
@@ -0,0 +1,3271 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + + ], + "fields": [ + { + "key_names": { + "required": true, + "type": "array", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "default": [ + "apikey" + ] + } + }, + { + "auth_type": { + "required": true, + "type": "string", + "default": "openid-connect", + "description": "The type of authentication to be performed. 
Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", + "one_of": [ + "openid-connect", + "key-auth", + "v2-strategies" + ] + } + }, + { + "scope": { + "required": true, + "description": "The unique scope identifier for the plugin configuration.", + "unique": true, + "type": "string" + } + }, + { + "v2_strategies": { + "required": false, + "type": "record", + "default": [ + + ], + "description": "The map of v2 strategies.", + "fields": [ + { + "key_auth": { + "elements": { + "type": "record", + "fields": [ + { + "strategy_id": { + "description": "The strategy id the config is tied to.", + "required": true, + "type": "string" + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "key_names": { + "required": true, + "type": "array", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "default": [ + "apikey" + ] + } + } + ] + } + } + ] + }, + "description": "List of key_auth strategies.", + "required": false, + "type": "array" + } + }, + { + "openid_connect": { + "elements": { + "type": "record", + "fields": [ + { + "strategy_id": { + "description": "The strategy id the config is tied to.", + "required": true, + "type": "string" + } + }, + { + "config": { + "description": "openid-connect plugin configuration.", + "type": "record", + "fields": [ + { + "issuer": { + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "required": true, + "type": "string" + } + }, + { + "using_pseudo_issuer": { + "default": false, + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "required": false, + "type": "boolean" + } + }, + { + "discovery_headers_names": { + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the discovery endpoint.", + "required": false, + "type": "array" + } + }, + { + "discovery_headers_values": { + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the discovery endpoint.", + "required": false, + "type": "array" + } + }, + { + "extra_jwks_uris": { + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "required": false, + "type": "set" + } + }, + { + "rediscovery_lifetime": { + "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", + "required": false, + "type": "number" + } + }, + { + "auth_methods": { + "required": false, + "type": "array", + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ], + "description": "Types of credentials/grants to enable.", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + } + } + }, + { + "client_id": { + "encrypted": true, + "required": false, + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." 
+ } + }, + { + "client_secret": { + "encrypted": true, + "required": false, + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "description": "The client secret." + } + }, + { + "client_auth": { + "elements": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + }, + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "required": false, + "type": "array" + } + }, + { + "client_jwk": { + "elements": { + "type": "record", + "required": false, + "fields": [ + { + "issuer": { + "required": false, + "type": "string" + } + }, + { + "kty": { + "required": false, + "type": "string" + } + }, + { + "use": { + "required": false, + "type": "string" + } + }, + { + "key_ops": { + "elements": { + "required": false, + "type": "string" + }, + "required": false, + "type": "array" + } + }, + { + "alg": { + "required": false, + "type": "string" + } + }, + { + "kid": { + "required": false, + "type": "string" + } + }, + { + "x5u": { + "required": false, + "type": "string" + } + }, + { + "x5c": { + "elements": { + "required": false, + "type": "string" + }, + "required": false, + "type": "array" + } + }, + { + "x5t": { + "required": false, + "type": "string" + } + }, + { + "x5t#S256": { + "required": false, + "type": "string" + } + }, + { + "k": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "x": { + "required": false, + "type": "string" + } + }, + { + "y": { + "required": false, + "type": 
"string" + } + }, + { + "crv": { + "required": false, + "type": "string" + } + }, + { + "n": { + "required": false, + "type": "string" + } + }, + { + "e": { + "required": false, + "type": "string" + } + }, + { + "d": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "p": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "q": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "dp": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "dq": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "qi": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "oth": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "r": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "t": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + } + ] + }, + "description": "The JWK used for the private_key_jwt authentication.", + "required": false, + "type": "array" + } + }, + { + "client_alg": { + "elements": { + "type": "string", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS384", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + }, + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "required": false, + "type": "array" + } + }, + { + "client_arg": { + "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "required": false, + "type": "string" + } + }, + { + "redirect_uri": { + "elements": { + "type": "string", + "description": "A 
string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "The redirect URI passed to the authorization and token endpoints.", + "required": false, + "type": "array" + } + }, + { + "login_redirect_uri": { + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true, + "type": "string" + }, + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "required": false, + "type": "array" + } + }, + { + "logout_redirect_uri": { + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true, + "type": "string" + }, + "description": "Where to redirect the client after the logout.", + "required": false, + "type": "array" + } + }, + { + "forbidden_redirect_uri": { + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client on forbidden requests.", + "required": false, + "type": "array" + } + }, + { + "forbidden_error_message": { + "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection).", + "required": false, + "type": "string" + } + }, + { + "forbidden_destroy_session": { + "default": true, + "description": "Destroy any active session for the forbidden requests.", + "required": false, + "type": "boolean" + } + }, + { + "unauthorized_destroy_session": { + "default": true, + "description": "Destroy any active session for the unauthorized requests.", + "required": false, + "type": "boolean" + } + }, + { + "unauthorized_redirect_uri": { + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ }, + "description": "Where to redirect the client on unauthorized requests.", + "required": false, + "type": "array" + } + }, + { + "unauthorized_error_message": { + "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection).", + "required": false, + "type": "string" + } + }, + { + "unexpected_redirect_uri": { + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "required": false, + "type": "array" + } + }, + { + "response_mode": { + "required": false, + "type": "string", + "default": "query", + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "one_of": [ + "query", + "form_post", + "fragment", + "query.jwt", + "form_post.jwt", + "fragment.jwt", + "jwt" + ] + } + }, + { + "response_type": { + "required": false, + "type": "array", + "default": [ + "code" + ], + "description": "The response type passed to the authorization endpoint.", + "elements": { + "type": "string" + } + } + }, + { + "scopes": { + "required": false, + "type": "array", + "default": [ + "openid" + ], + "description": "The scopes passed to the authorization and token endpoints.", + "elements": { + "referenceable": true, + "type": "string" + } + } + }, + { + "audience": { + "elements": { + "type": "string" + }, + "description": "The audience passed to the authorization endpoint.", + "required": false, + "type": "array" + } 
+ }, + { + "issuers_allowed": { + "elements": { + "type": "string" + }, + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "required": false, + "type": "array" + } + }, + { + "scopes_required": { + "elements": { + "type": "string" + }, + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, + "type": "array" + } + }, + { + "scopes_claim": { + "required": false, + "type": "array", + "default": [ + "scope" + ], + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } + } + }, + { + "audience_required": { + "elements": { + "type": "string" + }, + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, + "type": "array" + } + }, + { + "audience_claim": { + "required": false, + "type": "array", + "default": [ + "aud" + ], + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } + } + }, + { + "groups_required": { + "elements": { + "type": "string" + }, + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, + "type": "array" + } + }, + { + "groups_claim": { + "required": false, + "type": "array", + "default": [ + "groups" + ], + "description": "The claim that contains the groups. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } + } + }, + { + "roles_required": { + "elements": { + "type": "string" + }, + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, + "type": "array" + } + }, + { + "roles_claim": { + "required": false, + "type": "array", + "default": [ + "roles" + ], + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } + } + }, + { + "domains": { + "elements": { + "type": "string" + }, + "description": "The allowed values for the `hd` claim.", + "required": false, + "type": "array" + } + }, + { + "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "required": false, + "type": "number" + } + }, + { + "authenticated_groups_claim": { + "elements": { + "type": "string" + }, + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "type": "array" + } + }, + { + "pushed_authorization_request_endpoint": { + "description": "The pushed authorization endpoint. 
If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "pushed_authorization_request_endpoint_auth_method": { + "type": "string", + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "require_pushed_authorization_requests": { + "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "required": false, + "type": "boolean" + } + }, + { + "require_proof_key_for_code_exchange": { + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "required": false, + "type": "boolean" + } + }, + { + "require_signed_request_object": { + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "required": false, + "type": "boolean" + } + }, + { + "authorization_endpoint": { + "description": "The authorization endpoint. 
If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "authorization_query_args_names": { + "elements": { + "type": "string" + }, + "description": "Extra query argument names passed to the authorization endpoint.", + "required": false, + "type": "array" + } + }, + { + "authorization_query_args_values": { + "elements": { + "type": "string" + }, + "description": "Extra query argument values passed to the authorization endpoint.", + "required": false, + "type": "array" + } + }, + { + "authorization_query_args_client": { + "elements": { + "type": "string" + }, + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "required": false, + "type": "array" + } + }, + { + "authorization_rolling_timeout": { + "default": 600, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling.", + "required": false, + "type": "number" + } + }, + { + "authorization_cookie_name": { + "default": "authorization", + "description": "The authorization cookie name.", + "required": false, + "type": "string" + } + }, + { + "authorization_cookie_path": { + "required": false, + "type": "string", + "default": "/", + "description": "The authorization cookie Path flag.", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "starts_with": "/" + } + }, + { + "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", + "required": false, + "type": "string" + } + }, + { + "authorization_cookie_same_site": { + "required": false, + "type": "string", + "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "authorization_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "required": false, + "type": "boolean" + } + }, + { + "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "required": false, + "type": "boolean" + } + }, + { + "preserve_query_args": { + "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "required": false, + "type": "boolean" + } + }, + { + "token_endpoint": { + "description": "The token endpoint. 
If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "token_endpoint_auth_method": { + "type": "string", + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "token_headers_names": { + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_headers_values": { + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_headers_client": { + "elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_headers_replay": { + "elements": { + "type": "string" + }, + "description": "The names of token endpoint response headers to forward to the downstream client.", + "required": false, + "type": "array" + } + }, + { + "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "required": false, + "type": "string" + } + }, + { + "token_headers_grants": { + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token" + ] + }, + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials 
grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "required": false, + "type": "array" + } + }, + { + "token_post_args_names": { + "elements": { + "type": "string" + }, + "description": "Extra post argument names passed to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_post_args_values": { + "elements": { + "type": "string" + }, + "description": "Extra post argument values passed to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_post_args_client": { + "elements": { + "type": "string" + }, + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_endpoint": { + "description": "The introspection endpoint. 
If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "introspection_endpoint_auth_method": { + "type": "string", + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "introspection_hint": { + "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "required": false, + "type": "string" + } + }, + { + "introspection_check_active": { + "default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "required": false, + "type": "boolean" + } + }, + { + "introspection_accept": { + "required": false, + "type": "string", + "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "one_of": [ + "application/json", + "application/token-introspection+jwt", + "application/jwt" + ] + } + }, + { + "introspection_headers_names": { + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_headers_values": { + "encrypted": true, + "required": false, + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "description": 
"Extra header values passed to the introspection endpoint." + } + }, + { + "introspection_headers_client": { + "elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_post_args_names": { + "elements": { + "type": "string" + }, + "description": "Extra post argument names passed to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_post_args_values": { + "elements": { + "type": "string" + }, + "description": "Extra post argument values passed to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_post_args_client": { + "elements": { + "type": "string" + }, + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_post_args_client_headers": { + "elements": { + "type": "string" + }, + "description": "Extra post arguments passed from the client headers to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspect_jwt_tokens": { + "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "required": false, + "type": "boolean" + } + }, + { + "revocation_endpoint": { + "description": "The revocation endpoint. 
If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "revocation_endpoint_auth_method": { + "type": "string", + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "end_session_endpoint": { + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "userinfo_endpoint": { + "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "userinfo_accept": { + "required": false, + "type": "string", + "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "one_of": [ + "application/json", + "application/jwt" + ] + } + }, + { + "userinfo_headers_names": { + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the user info endpoint.", + "required": false, + "type": "array" + } + }, + { + "userinfo_headers_values": { + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the user info endpoint.", + "required": false, + "type": "array" + } + }, + { + "userinfo_headers_client": { + "elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the user info 
endpoint.", + "required": false, + "type": "array" + } + }, + { + "userinfo_query_args_names": { + "elements": { + "type": "string" + }, + "description": "Extra query argument names passed to the user info endpoint.", + "required": false, + "type": "array" + } + }, + { + "userinfo_query_args_values": { + "elements": { + "type": "string" + }, + "description": "Extra query argument values passed to the user info endpoint.", + "required": false, + "type": "array" + } + }, + { + "userinfo_query_args_client": { + "elements": { + "type": "string" + }, + "description": "Extra query arguments passed from the client to the user info endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_exchange_endpoint": { + "description": "The token exchange endpoint.", + "required": false, + "type": "string" + } + }, + { + "session_secret": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The session secret.", + "required": false + } + }, + { + "session_audience": { + "default": "default", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "required": false, + "type": "string" + } + }, + { + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "required": false, + "type": "string" + } + }, + { + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "required": false, + "type": "boolean" + } + }, + { + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "required": false, + "type": "string" + } + }, + { + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Specifies how long the persistent session is considered valid in seconds. 
0 disables the checks and rolling.", + "required": false, + "type": "number" + } + }, + { + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "required": false, + "type": "number" + } + }, + { + "session_idling_timeout": { + "default": 900, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "required": false, + "type": "number" + } + }, + { + "session_rolling_timeout": { + "default": 3600, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "required": false, + "type": "number" + } + }, + { + "session_absolute_timeout": { + "default": 86400, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 
0 disables the checks.", + "required": false, + "type": "number" + } + }, + { + "session_cookie_path": { + "required": false, + "type": "string", + "default": "/", + "description": "The session cookie Path flag.", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "starts_with": "/" + } + }, + { + "session_cookie_domain": { + "description": "The session cookie Domain flag.", + "required": false, + "type": "string" + } + }, + { + "session_cookie_same_site": { + "required": false, + "type": "string", + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "required": false, + "type": "boolean" + } + }, + { + "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "required": false, + "type": "boolean" + } + }, + { + "session_request_headers": { + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. 
`[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "required": false, + "type": "set" + } + }, + { + "session_response_headers": { + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "required": false, + "type": "set" + } + }, + { + "session_storage": { + "required": false, + "type": "string", + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "one_of": [ + "cookie", + "memcache", + "memcached", + "redis" + ] + } + }, + { + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "required": false, + "type": "boolean" + } + }, + { + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "required": false, + "type": "boolean" + } + }, + { + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", + "required": false, + "type": "boolean" + } + }, + { + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "required": false, + "type": "boolean" + } + }, + { + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "required": false, + "type": "string" + } + }, + { + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "required": false, + "type": "string" + } + }, + { + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "required": false, + "type": "string" + } + }, + { + "session_memcached_port": { + "between": [ + 0, + 65535 + ], + "required": false, + "type": "integer", + "default": 11211, + "description": "The memcached port." 
+ } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + } + ], + "fields": [ + { + 
"host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "one_of": [ + "master", + "slave", + "any" + ], + "type": "string" + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ], + "type": "record" + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ], + "type": "record" + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + }, + { + "prefix": { + "description": "The Redis session key prefix.", + "required": false, + "type": "string" + } + }, + { + "socket": { + "description": "The Redis unix socket path.", + "required": false, + "type": "string" + } + } + ] + } + }, + { + "reverify": { + "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", + "required": false, + "type": "boolean" + } + }, + { + "jwt_session_claim": { + "default": "sid", + "description": "The claim to match against the JWT session cookie.", + "required": false, + "type": "string" + } + }, + { + "jwt_session_cookie": { + "description": "The name of the JWT session cookie.", + "required": false, + "type": "string" + } + }, + { + "bearer_token_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "elements": { + "type": "string", + "one_of": [ + "header", + "cookie", + "query", + "body" + ] + } + } + }, + { + 
"bearer_token_cookie_name": { + "description": "The name of the cookie in which the bearer token is passed.", + "required": false, + "type": "string" + } + }, + { + "client_credentials_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + } + } + }, + { + "password_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + } + } + }, + { + "id_token_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + } + } + }, + { + "id_token_param_name": { + "description": "The name of the parameter used to pass the id token.", + "required": false, + "type": "string" + } + }, + { + "refresh_token_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + } + } + }, + { + "refresh_token_param_name": { + "description": "The name of the 
parameter used to pass the refresh token.", + "required": false, + "type": "string" + } + }, + { + "refresh_tokens": { + "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "required": false, + "type": "boolean" + } + }, + { + "upstream_headers_claims": { + "elements": { + "type": "string" + }, + "description": "The upstream header claims. Only top level claims are supported.", + "required": false, + "type": "array" + } + }, + { + "upstream_headers_names": { + "elements": { + "type": "string" + }, + "description": "The upstream header names for the claim values.", + "required": false, + "type": "array" + } + }, + { + "upstream_access_token_header": { + "default": "authorization:bearer", + "description": "The upstream access token header.", + "required": false, + "type": "string" + } + }, + { + "upstream_access_token_jwk_header": { + "description": "The upstream access token JWK header.", + "required": false, + "type": "string" + } + }, + { + "upstream_id_token_header": { + "description": "The upstream id token header.", + "required": false, + "type": "string" + } + }, + { + "upstream_id_token_jwk_header": { + "description": "The upstream id token JWK header.", + "required": false, + "type": "string" + } + }, + { + "upstream_refresh_token_header": { + "description": "The upstream refresh token header.", + "required": false, + "type": "string" + } + }, + { + "upstream_user_info_header": { + "description": "The upstream user info header.", + "required": false, + "type": "string" + } + }, + { + "upstream_user_info_jwt_header": { + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "required": false, + "type": "string" + } + }, + { + "upstream_introspection_header": { + "description": "The upstream introspection header.", + "required": false, + "type": "string" + } + }, + { + 
"upstream_introspection_jwt_header": { + "description": "The upstream introspection JWT header.", + "required": false, + "type": "string" + } + }, + { + "upstream_session_id_header": { + "description": "The upstream session id header.", + "required": false, + "type": "string" + } + }, + { + "downstream_headers_claims": { + "elements": { + "type": "string" + }, + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "type": "array" + } + }, + { + "downstream_headers_names": { + "elements": { + "type": "string" + }, + "description": "The downstream header names for the claim values.", + "required": false, + "type": "array" + } + }, + { + "downstream_access_token_header": { + "description": "The downstream access token header.", + "required": false, + "type": "string" + } + }, + { + "downstream_access_token_jwk_header": { + "description": "The downstream access token JWK header.", + "required": false, + "type": "string" + } + }, + { + "downstream_id_token_header": { + "description": "The downstream id token header.", + "required": false, + "type": "string" + } + }, + { + "downstream_id_token_jwk_header": { + "description": "The downstream id token JWK header.", + "required": false, + "type": "string" + } + }, + { + "downstream_refresh_token_header": { + "description": "The downstream refresh token header.", + "required": false, + "type": "string" + } + }, + { + "downstream_user_info_header": { + "description": "The downstream user info header.", + "required": false, + "type": "string" + } + }, + { + "downstream_user_info_jwt_header": { + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "required": false, + "type": "string" + } + }, + { + "downstream_introspection_header": { + "description": "The downstream introspection header.", + "required": false, + "type": "string" + } + }, + { + 
"downstream_introspection_jwt_header": { + "description": "The downstream introspection JWT header.", + "required": false, + "type": "string" + } + }, + { + "downstream_session_id_header": { + "description": "The downstream session id header.", + "required": false, + "type": "string" + } + }, + { + "login_methods": { + "required": false, + "type": "array", + "default": [ + "authorization_code" + ], + "description": "Enable login functionality with specified grants.", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + } + } + }, + { + "login_action": { + "required": false, + "type": "string", + "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "one_of": [ + "upstream", + "response", + "redirect" + ] + } + }, + { + "login_tokens": { + "required": false, + "type": "array", + "default": [ + "id_token" + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "elements": { + "type": "string", + "one_of": [ + "id_token", + "access_token", + "refresh_token", + "tokens", + "introspection" + ] + } + } + }, + { + "login_redirect_mode": { + "required": false, + "type": "string", + "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "one_of": [ + "query", + "fragment" + ] + } + }, + { + "logout_query_arg": { + 
"description": "The request query argument that activates the logout.", + "required": false, + "type": "string" + } + }, + { + "logout_post_arg": { + "description": "The request body argument that activates the logout.", + "required": false, + "type": "string" + } + }, + { + "logout_uri_suffix": { + "description": "The request URI suffix that activates the logout.", + "required": false, + "type": "string" + } + }, + { + "logout_methods": { + "required": false, + "type": "array", + "default": [ + "POST", + "DELETE" + ], + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "elements": { + "type": "string", + "one_of": [ + "POST", + "GET", + "DELETE" + ] + } + } + }, + { + "logout_revoke": { + "default": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "required": false, + "type": "boolean" + } + }, + { + "logout_revoke_access_token": { + "default": true, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "required": false, + "type": "boolean" + } + }, + { + "logout_revoke_refresh_token": { + "default": true, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "required": false, + "type": "boolean" + } + }, + { + "consumer_claim": { + "elements": { + "type": "string" + }, + "description": "The claim used for consumer mapping. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "type": "array" + } + }, + { + "consumer_by": { + "required": false, + "type": "array", + "default": [ + "username", + "custom_id" + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + } + } + }, + { + "consumer_optional": { + "default": false, + "description": "Do not terminate the request if consumer mapping fails.", + "required": false, + "type": "boolean" + } + }, + { + "credential_claim": { + "required": false, + "type": "array", + "default": [ + "sub" + ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "required": false, + "type": "string" + } + }, + { + "run_on_preflight": { + "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "required": false, + "type": "boolean" + } + }, + { + "leeway": { + "default": 0, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "required": false, + "type": "number" + } + }, + { + "verify_parameters": { + "default": false, + "description": "Verify plugin configuration against discovery.", + "required": false, + "type": "boolean" + } + }, + { + "verify_nonce": { + "default": true, + "description": "Verify nonce on authorization code flow.", + "required": false, + "type": "boolean" + } + }, + { + "verify_claims": { + "default": true, + "description": "Verify tokens for standard claims.", + "required": false, + "type": "boolean" + } + }, + { + "verify_signature": { + "default": true, + "description": "Verify signature of tokens.", + "required": false, + "type": "boolean" + } + }, + { + "ignore_signature": { + "required": false, + "type": "array", + "default": [ + + ], + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token", + "session", + "introspection", + "userinfo" + ] + } + } + }, + { + "enable_hs_signatures": { + "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + 
"required": false, + "type": "boolean" + } + }, + { + "disable_session": { + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "description": "Disable issuing the session cookie with the specified grants.", + "required": false, + "type": "array" + } + }, + { + "cache_ttl": { + "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "required": false, + "type": "number" + } + }, + { + "cache_ttl_max": { + "description": "The maximum cache ttl in seconds (enforced).", + "required": false, + "type": "number" + } + }, + { + "cache_ttl_min": { + "description": "The minimum cache ttl in seconds (enforced).", + "required": false, + "type": "number" + } + }, + { + "cache_ttl_neg": { + "description": "The negative cache ttl in seconds.", + "required": false, + "type": "number" + } + }, + { + "cache_ttl_resurrect": { + "description": "The resurrection ttl in seconds.", + "required": false, + "type": "number" + } + }, + { + "cache_tokens": { + "default": true, + "description": "Cache the token endpoint requests.", + "required": false, + "type": "boolean" + } + }, + { + "cache_tokens_salt": { + "auto": true, + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "required": false, + "type": "string" + } + }, + { + "cache_introspection": { + "default": true, + "description": "Cache the introspection endpoint requests.", + "required": false, + "type": "boolean" + } + }, + { + "cache_token_exchange": { + "default": true, + "description": "Cache the token exchange endpoint requests.", + "required": false, + "type": "boolean" + } + }, + { + "cache_user_info": { + "default": true, + "description": "Cache the user info requests.", + "required": false, + "type": "boolean" + } + }, + 
{ + "search_user_info": { + "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "required": false, + "type": "boolean" + } + }, + { + "hide_credentials": { + "default": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "required": false, + "type": "boolean" + } + }, + { + "http_version": { + "default": 1.1, + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "required": false, + "type": "number" + } + }, + { + "http_proxy": { + "description": "The HTTP proxy.", + "required": false, + "type": "string" + } + }, + { + "http_proxy_authorization": { + "required": false, + "description": "The HTTP proxy authorization.", + "referenceable": true, + "type": "string" + } + }, + { + "https_proxy": { + "description": "The HTTPS proxy.", + "required": false, + "type": "string" + } + }, + { + "https_proxy_authorization": { + "required": false, + "description": "The HTTPS proxy authorization.", + "referenceable": true, + "type": "string" + } + }, + { + "no_proxy": { + "description": "Do not use proxy with these hosts.", + "required": false, + "type": "string" + } + }, + { + "keepalive": { + "default": true, + "description": "Use keepalive with the HTTP client.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "Verify identity provider server certificate. 
If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "required": false, + "type": "boolean" + } + }, + { + "timeout": { + "default": 10000, + "description": "Network IO timeout in milliseconds.", + "required": false, + "type": "number" + } + }, + { + "display_errors": { + "default": false, + "description": "Display errors on failure responses.", + "required": false, + "type": "boolean" + } + }, + { + "by_username_ignore_case": { + "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "required": false, + "type": "boolean" + } + }, + { + "resolve_distributed_claims": { + "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "required": false, + "type": "boolean" + } + }, + { + "expose_error_code": { + "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. 
Set to `false` to disable.", + "type": "boolean" + } + }, + { + "token_cache_key_include_scope": { + "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean" + } + }, + { + "introspection_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for introspection.", + "required": false, + "type": "string" + } + }, + { + "revocation_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for revocation.", + "required": false, + "type": "string" + } + }, + { + "proof_of_possession_mtls": { + "required": false, + "type": "string", + "default": "off", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", + "one_of": [ + "off", + "strict", + "optional" + ] + } + }, + { + "proof_of_possession_auth_methods_validation": { + "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. 
If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "required": false, + "type": "boolean" + } + }, + { + "tls_client_auth_cert_id": { + "auto": false, + "required": false, + "type": "string", + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "uuid": true + } + }, + { + "tls_client_auth_ssl_verify": { + "default": true, + "description": "Verify identity provider server certificate during mTLS client authentication.", + "required": false, + "type": "boolean" + } + }, + { + "mtls_token_endpoint": { + "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "mtls_introspection_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "mtls_revocation_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "proof_of_possession_dpop": { + "required": false, + "type": "string", + "default": "off", + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). 
If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "one_of": [ + "off", + "strict", + "optional" + ] + } + }, + { + "dpop_use_nonce": { + "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", + "required": false, + "type": "boolean" + } + }, + { + "dpop_proof_lifetime": { + "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "required": false, + "type": "number" + } + }, + { + "claims_forbidden": { + "elements": { + "type": "string" + }, + "description": "If given, these claims are forbidden in the token payload.", + "required": false, + "type": "array" + } + }, + { + "cluster_cache_strategy": { + "required": false, + "type": "string", + "default": "off", + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. 
Currentlly only introspection cache is shared.", + "one_of": [ + "off", + "redis" + ] + } + }, + { + "cluster_cache_redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + 
"path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + } + ] + } + } + ] + } + } + ] + }, + "description": "List of openid_connect strategies.", + "required": false, + "type": "array" + } + } + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ldap-auth-advanced/3.10.x.json b/schemas/ldap-auth-advanced/3.10.x.json new file mode 100644 index 00000000..545178ce --- /dev/null +++ b/schemas/ldap-auth-advanced/3.10.x.json 
@@ -0,0 +1,243 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "ldap_host": { + "description": "Host on which the LDAP server is running.", + "required": true, + "type": "string" + } + }, + { + "ldap_password": { + "encrypted": true, + "description": "The password to the LDAP server.", + "referenceable": true, + "type": "string" + } + }, + { + "ldap_port": { + "default": 389, + "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", + "type": "number" + } + }, + { + "bind_dn": { + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", + "referenceable": true, + "type": "string" + } + }, + { + "ldaps": { + "default": false, + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. 
If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "required": true, + "type": "boolean" + } + }, + { + "start_tls": { + "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "required": true, + "type": "boolean" + } + }, + { + "verify_ldap_host": { + "default": false, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "required": true, + "type": "boolean" + } + }, + { + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", + "required": true, + "type": "string" + } + }, + { + "attribute": { + "description": "Attribute to be used to search the user; e.g., \"cn\".", + "required": true, + "type": "string" + } + }, + { + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "required": true, + "type": "number" + } + }, + { + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "type": "boolean" + } + }, + { + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" + } + }, + { + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" + } + }, + { + "anonymous": { + "default": "", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. 
If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "len_min": 0, + "type": "string" + } + }, + { + "header_type": { + "default": "ldap", + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", + "type": "string" + } + }, + { + "consumer_optional": { + "default": false, + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", + "required": false, + "type": "boolean" + } + }, + { + "consumer_by": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "username", + "custom_id" + ] + }, + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "group_base_dn": { + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", + "type": "string" + } + }, + { + "group_name_attribute": { + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", + "type": "string" + } + }, + { + "group_member_attribute": { + "default": "memberOf", + "description": "Sets the attribute holding the members of the LDAP group. 
This field is case-sensitive.", + "type": "string" + } + }, + { + "log_search_results": { + "default": false, + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", + "required": false, + "type": "boolean" + } + }, + { + "groups_required": { + "elements": { + "type": "string" + }, + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", + "required": false, + "type": "array" + } + }, + { + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": false, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ldap-auth/3.10.x.json b/schemas/ldap-auth/3.10.x.json new file mode 100644 index 00000000..c165cd47 --- /dev/null +++ b/schemas/ldap-auth/3.10.x.json 
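Review bot: The `verify_ldap_host` description does not say that, with its default of `false`, turning on `ldaps` or `start_tls` still leaves the LDAP server's certificate unchecked, so the bind password and the users' credentials would travel over a connection whose peer was never authenticated (inferred from the defaults shown in this hunk, not from the plugin code). I would append to that description something like `When ldaps or start_tls is enabled, also set this to true; otherwise the server certificate is not verified.` Three other descriptions in this hunk read wrongly: `ldaps` says "If the `ldap` setting is enabled" where `ldaps` seems meant, `group_base_dn` ends in a stray `',dc=com'.` fragment, and `anonymous` says "default null" while its `default` is `""`. If this file is pulled from the upstream schema rather than edited here, the fixes belong in the upstream source.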
@@ -0,0 +1,178 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "conditional": { + "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", + "if_match": { + "eq": true + }, + "then_field": "start_tls", + "if_field": "ldaps", + "then_match": { + "eq": false + } + } + } + ], + "fields": [ + { + "ldap_host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "ldap_port": { + "between": [ + 0, + 65535 + ], + "required": true, + "type": "integer", + "default": 389, + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "ldaps": { + "default": false, + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "required": true, + "type": "boolean" + } + }, + { + "start_tls": { + "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. 
If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "required": true, + "type": "boolean" + } + }, + { + "verify_ldap_host": { + "default": false, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "required": true, + "type": "boolean" + } + }, + { + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", + "required": true, + "type": "string" + } + }, + { + "attribute": { + "description": "Attribute to be used to search the user; e.g. cn", + "required": true, + "type": "string" + } + }, + { + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "required": true, + "type": "number" + } + }, + { + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "required": true, + "type": "boolean" + } + }, + { + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" + } + }, + { + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`." 
+ } + }, + { + "header_type": { + "default": "ldap", + "description": "An optional string to use as part of the Authorization header", + "type": "string" + } + }, + { + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": false, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/loggly/3.10.x.json b/schemas/loggly/3.10.x.json new file mode 100644 index 00000000..7f4564c6 --- /dev/null +++ b/schemas/loggly/3.10.x.json 
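Review bot: The `verify_ldap_host` description does not say what its default of `false` means: with `ldaps` or `start_tls` enabled the traffic is encrypted, but the server certificate is presumably not checked, so the gateway cannot tell the real directory from another host answering on that address. Both `ldaps` and `start_tls` also default to `false`, which, as far as this schema shows, leaves the bind in cleartext until an operator opts in. A closing sentence on `verify_ldap_host` such as `Leave this at false only on a trusted network; otherwise enable it together with ldaps or start_tls.` would make that visible. The `ldaps` description also refers to a setting named `ldap` where it means `ldaps`, and its `you must use port 636` sits next to an `ldap_port` default of `389`. Since the file is downloaded from the API, these wording fixes belong in the plugin's schema source rather than in this JSON.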
@@ -0,0 +1,173 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "host": { + "default": "logs-01.loggly.com", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 514, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "key": { + "encrypted": true, + "referenceable": true, + "required": true, + "type": "string" + } + }, + { + "tags": { + "default": [ + "kong" + ], + "elements": { + "type": "string" + }, + "type": "set" + } + }, + { + "log_level": { + "default": "info", + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "successful_severity": { + "default": "info", + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "client_errors_severity": { + "default": "info", + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "server_errors_severity": { + "default": "info", + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + 
"emerg" + ] + } + }, + { + "timeout": { + "default": 10000, + "type": "number" + } + }, + { + "custom_fields_by_lua": { + "description": "Lua code as a key-value map", + "values": { + "len_min": 1, + "type": "string" + }, + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/mocking/3.10.x.json b/schemas/mocking/3.10.x.json new file mode 100644 index 00000000..246c1047 --- /dev/null +++ b/schemas/mocking/3.10.x.json 
@@ -0,0 +1,131 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.api_specification_filename", + "config.api_specification" + ] + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "api_specification_filename": { + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", + "required": false, + "type": "string" + } + }, + { + "api_specification": { + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", + "required": false, + "type": "string" + } + }, + { + "random_delay": { + "default": false, + "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs.", + "type": "boolean" + } + }, + { + "max_delay_time": { + "default": 1, + "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", + "type": "number" + } + }, + { + "min_delay_time": { + "default": 0.001, + "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. 
The value must be less than the `max_delay_time`.", + "type": "number" + } + }, + { + "random_examples": { + "default": false, + "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", + "type": "boolean" + } + }, + { + "included_status_codes": { + "elements": { + "type": "integer" + }, + "description": "A global list of the HTTP status codes that can only be selected and returned.", + "type": "array" + } + }, + { + "random_status_code": { + "default": false, + "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", + "required": true, + "type": "boolean" + } + }, + { + "include_base_path": { + "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation.", + "required": true, + "type": "boolean" + } + }, + { + "custom_base_path": { + "required": false, + "type": "string", + "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "starts_with": "/" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/mtls-auth/3.10.x.json b/schemas/mtls-auth/3.10.x.json new file mode 100644 index 00000000..d65a598b --- /dev/null +++ b/schemas/mtls-auth/3.10.x.json 
@@ -0,0 +1,210 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], + "fields": [ + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "consumer_by": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "username", + "custom_id" + ] + }, + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "ca_certificates": { + "elements": { + "uuid": true, + "type": "string" + }, + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. 
At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", + "required": true, + "type": "array" + } + }, + { + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "required": true, + "type": "number" + } + }, + { + "skip_consumer_lookup": { + "default": false, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "required": true, + "type": "boolean" + } + }, + { + "allow_partial_chain": { + "default": false, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "required": true, + "type": "boolean" + } + }, + { + "authenticated_group_by": { + "required": false, + "type": "string", + "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "one_of": [ + "CN", + "DN" + ] + } + }, + { + "revocation_check_mode": { + "required": false, + "type": "string", + "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. 
If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "one_of": [ + "SKIP", + "IGNORE_CA_ERROR", + "STRICT" + ] + } + }, + { + "http_timeout": { + "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number" + } + }, + { + "cert_cache_ttl": { + "default": 60000, + "description": "The length of time in seconds between refreshes of the revocation check status cache.", + "type": "number" + } + }, + { + "send_ca_dn": { + "default": false, + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", + "type": "boolean" + } + }, + { + "default_consumer": { + "type": "string", + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "http_proxy_port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "https_proxy_port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/oas-validation/3.10.x.json b/schemas/oas-validation/3.10.x.json new file mode 100644 index 00000000..ada2985b --- /dev/null +++ b/schemas/oas-validation/3.10.x.json 
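Review bot: The `cert_cache_ttl` description says seconds, but its default of `60000` fits the neighbouring fields only if the unit is milliseconds: `cache_ttl` defaults to `60` and is documented in seconds, and `http_timeout` defaults to `30000` and is documented in milliseconds. Read literally, the default would keep a cached revocation status for over sixteen hours, and an operator tuning it in seconds would get a very different refresh interval from the one intended. Please confirm the unit against the plugin code and, if it is milliseconds, change the text to `The length of time in milliseconds between refreshes of the revocation check status cache.` As the schema is pulled from the API, the correction belongs in the plugin's schema source.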
@@ -0,0 +1,170 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "api_spec": { + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format.", + "required": true, + "type": "string" + } + }, + { + "verbose_response": { + "default": false, + "description": "If set to true, returns a detailed error message for invalid requests & responses. 
This is useful while testing.", + "required": false, + "type": "boolean" + } + }, + { + "validate_request_body": { + "default": true, + "description": "If set to true, validates the request body content against the API specification.", + "required": false, + "type": "boolean" + } + }, + { + "notify_only_request_validation_failure": { + "default": false, + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", + "required": false, + "type": "boolean" + } + }, + { + "validate_request_header_params": { + "default": true, + "description": "If set to true, validates HTTP header parameters against the API specification.", + "required": false, + "type": "boolean" + } + }, + { + "validate_request_query_params": { + "default": true, + "description": "If set to true, validates query parameters against the API specification.", + "required": false, + "type": "boolean" + } + }, + { + "validate_request_uri_params": { + "default": true, + "description": "If set to true, validates URI parameters in the request against the API specification.", + "required": false, + "type": "boolean" + } + }, + { + "validate_response_body": { + "default": false, + "description": "If set to true, validates the response from the upstream services against the API specification. 
If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", + "required": false, + "type": "boolean" + } + }, + { + "notify_only_response_body_validation_failure": { + "default": false, + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", + "required": false, + "type": "boolean" + } + }, + { + "query_parameter_check": { + "default": false, + "description": "If set to true, checks if query parameters in the request exist in the API specification.", + "required": true, + "type": "boolean" + } + }, + { + "header_parameter_check": { + "default": false, + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", + "required": true, + "type": "boolean" + } + }, + { + "allowed_header_parameters": { + "default": "Host,Content-Type,User-Agent,Accept,Content-Length", + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", + "required": false, + "type": "string" + } + }, + { + "include_base_path": { + "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation.", + "required": true, + "type": "boolean" + } + }, + { + "api_spec_encoded": { + "default": true, + "description": "Indicates whether the api_spec is URI-Encoded.", + "required": true, + "type": "boolean" + } + }, + { + "custom_base_path": { + "required": false, + "type": "string", + "description": "The base path to be used for path match evaluation. 
This value is ignored if `include_base_path` is set to `false`.", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "starts_with": "/" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/oauth2-introspection/3.10.x.json b/schemas/oauth2-introspection/3.10.x.json new file mode 100644 index 00000000..8b041407 --- /dev/null +++ b/schemas/oauth2-introspection/3.10.x.json 
@@ -0,0 +1,167 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "introspection_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": true, + "type": "string" + } + }, + { + "ttl": { + "default": 30, + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", + "type": "number" + } + }, + { + "token_type_hint": { + "type": "string", + "description": "The `token_type_hint` value to associate to introspection requests." + } + }, + { + "authorization_value": { + "encrypted": true, + "required": true, + "type": "string", + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. 
This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", + "referenceable": true + } + }, + { + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "integer" + } + }, + { + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "integer" + } + }, + { + "introspect_request": { + "default": false, + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", + "required": true, + "type": "boolean" + } + }, + { + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request.", + "type": "boolean" + } + }, + { + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" + } + }, + { + "anonymous": { + "default": "", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "len_min": 0, + "type": "string" + } + }, + { + "consumer_by": { + "required": true, + "type": "string", + "default": "username", + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", + "one_of": [ + "username", + "client_id" + ] + } + }, + { + "custom_introspection_headers": { + "values": { + "type": "string" + }, + "required": true, + "type": "map", + "default": [ + + ], + "description": "A list of custom headers to be added in the introspection request.", + "keys": { + "type": "string" + } + } + }, + { + "custom_claims_forward": { + "required": true, + "type": "set", + "elements": { + "type": "string" + }, + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", + "default": [ + + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/oauth2/3.10.x.json b/schemas/oauth2/3.10.x.json new file mode 100644 index 00000000..2c0e00b3 --- /dev/null +++ b/schemas/oauth2/3.10.x.json 
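Review bot: `introspection_url` carries only the generic URL description and no scheme constraint, while `authorization_value`, described as usually the Base64 `client_id` and `client_secret` pair, is sent to that URL as the `Authorization` header on introspection requests. Nothing visible in this schema prevents an `http://` endpoint, which would put that credential and the introspected tokens on the wire in cleartext. A specific description would help, for example `The URL of the OAuth 2.0 introspection endpoint. Use https, because authorization_value is sent to it.` Separately, `anonymous` has `"default": ""` while its text says `default null`, and `custom_introspection_headers` is a `map` whose default is serialized as an empty array; both look like export artefacts worth checking at the source.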
@@ -0,0 +1,221 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "scopes", + "if_field": "mandatory_scope", + "then_match": { + "required": true + } + } + } + ], + "fields": [ + { + "scopes": { + "elements": { + "type": "string" + }, + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", + "type": "array" + } + }, + { + "mandatory_scope": { + "default": false, + "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", + "required": true, + "type": "boolean" + } + }, + { + "provision_key": { + "encrypted": true, + "unique": true, + "type": "string", + "description": "The unique key the plugin has generated when it has been added to the Service.", + "required": true, + "auto": true + } + }, + { + "token_expiration": { + "default": 7200, + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. 
Set to `0` to disable the expiration.", + "required": true, + "type": "number" + } + }, + { + "enable_authorization_code": { + "default": false, + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", + "required": true, + "type": "boolean" + } + }, + { + "enable_implicit_grant": { + "default": false, + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", + "required": true, + "type": "boolean" + } + }, + { + "enable_client_credentials": { + "default": false, + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", + "required": true, + "type": "boolean" + } + }, + { + "enable_password_grant": { + "default": false, + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", + "required": true, + "type": "boolean" + } + }, + { + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "required": true, + "type": "boolean" + } + }, + { + "accept_http_if_already_terminated": { + "default": false, + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", + "required": true, + "type": "boolean" + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + } + }, + { + "global_credentials": { + "default": false, + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", + "required": true, + "type": "boolean" + } + }, + { + 
"auth_header_name": { + "default": "authorization", + "description": "The name of the header that is supposed to carry the access token.", + "type": "string" + } + }, + { + "refresh_token_ttl": { + "between": [ + 0, + 100000000 + ], + "required": true, + "type": "number", + "default": 1209600, + "description": "Time-to-live value for data" + } + }, + { + "reuse_refresh_token": { + "default": false, + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", + "required": true, + "type": "boolean" + } + }, + { + "persistent_refresh_token": { + "default": false, + "required": true, + "type": "boolean" + } + }, + { + "pkce": { + "required": false, + "type": "string", + "default": "lax", + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", + "one_of": [ + "none", + "lax", + "strict" + ] + } + }, + { + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": false, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/opa/3.10.x.json b/schemas/opa/3.10.x.json new file mode 100644 index 00000000..1b302c32 --- /dev/null +++ b/schemas/opa/3.10.x.json 
@@ -0,0 +1,147 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "opa_protocol": { + "default": "http", + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", + "type": "string", + "one_of": [ + "http", + "https" + ] + } + }, + { + "opa_host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "opa_port": { + "between": [ + 0, + 65535 + ], + "required": true, + "type": "integer", + "default": 8181, + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "opa_path": { + "required": true, + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "starts_with": "/" + } + }, + { + "include_service_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", + "type": "boolean" + } + }, + { + "include_route_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", + "type": "boolean" + } + }, + { + "include_consumer_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", + "type": "boolean" + } + }, + { + "include_body_in_opa_input": { + "default": false, + "type": "boolean" + } + }, + { + "include_parsed_json_body_in_opa_input": { + "default": false, + "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", + "type": "boolean" + } + }, + { + "include_uri_captures_in_opa_input": { + "default": false, + "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": true, + "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "required": true, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/openid-connect/3.10.x.json b/schemas/openid-connect/3.10.x.json new file mode 100644 index 00000000..7a0c9dd9 
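Review bot: `include_body_in_opa_input` is the only `include_*` flag in this hunk without a description, and it is the one that forwards the raw request body to the policy server. Going by its siblings the text would be `If set to true, the request body is included as input to OPA.`, to be confirmed against the plugin source. `opa_protocol` defaults to `http`, so the `ssl_verify` default of `true` presumably has no effect until the protocol is switched, and with the `include_*` flags enabled, request bodies and consumer data would reach a non-local OPA unencrypted. A sentence on `opa_protocol` recommending `https` whenever `opa_host` is not `localhost` would cover that.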
--- /dev/null +++ b/schemas/openid-connect/3.10.x.json 
@@ -0,0 +1,3558 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "shorthand_fields": [ + { + "authorization_cookie_lifetime": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.authorization_cookie_lifetime is deprecated, please use config.authorization_rolling_timeout instead" + }, + "type": "number" + } + }, + { + "authorization_cookie_samesite": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.authorization_cookie_samesite is deprecated, please use config.authorization_cookie_same_site instead" + }, + "type": "string" + } + }, + { + "authorization_cookie_httponly": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.authorization_cookie_httponly is deprecated, please use config.authorization_cookie_http_only instead" + }, + "type": "boolean" + } + }, + { + "session_cookie_lifetime": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead" + }, + "type": "number" + } + }, + { + "session_cookie_idletime": { + "deprecation": { + "removal_in_version": "4.0", + 
"message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead" + }, + "type": "number" + } + }, + { + "session_cookie_samesite": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead" + }, + "type": "string" + } + }, + { + "session_cookie_httponly": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead" + }, + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead" + }, + "type": "string" + } + }, + { + "session_memcache_socket": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead" + }, + "type": "string" + } + }, + { + "session_memcache_host": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead" + }, + "type": "string" + } + }, + { + "session_memcache_port": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead" + }, + "type": "integer" + } + }, + { + "session_cookie_renew": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_renew option does not exist anymore" + }, + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_maxsize option does not exist 
anymore" + }, + "type": "integer" + } + }, + { + "session_strategy": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_strategy option does not exist anymore" + }, + "type": "string" + } + }, + { + "session_compressor": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_compressor option does not exist anymore" + }, + "type": "string" + } + }, + { + "session_redis_prefix": { + "deprecation": { + "message": "openid-connect: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "prefix" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_socket": { + "deprecation": { + "message": "openid-connect: config.session_redis_socket is deprecated, please use config.redis.socket instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "socket" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_host": { + "deprecation": { + "message": "openid-connect: config.session_redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_port": { + "deprecation": { + "message": "openid-connect: config.session_redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ] + }, + "type": "integer" + } + }, + { + "session_redis_username": { + "deprecation": { + "message": "openid-connect: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_password": { + "deprecation": { + "message": "openid-connect: 
config.session_redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_connect_timeout": { + "deprecation": { + "message": "openid-connect: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "connect_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "session_redis_read_timeout": { + "deprecation": { + "message": "openid-connect: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "session_redis_send_timeout": { + "deprecation": { + "message": "openid-connect: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "send_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "session_redis_ssl": { + "deprecation": { + "message": "openid-connect: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ] + }, + "type": "boolean" + } + }, + { + "session_redis_ssl_verify": { + "deprecation": { + "message": "openid-connect: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ] + }, + "type": "boolean" + } + }, + { + "session_redis_server_name": { + "deprecation": { + "message": "openid-connect: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", + 
"removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_cluster_nodes": { + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "type": "array", + "deprecation": { + "message": "openid-connect: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "cluster_nodes" + ] + } + ] + } + } + }, + { + "session_redis_cluster_max_redirections": { + "deprecation": { + "message": "openid-connect: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "cluster_max_redirections" + ] + } + ] + }, + "type": "integer" + } + } + ], + "required": true, + "fields": [ + { + "issuer": { + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "required": true, + "type": "string" + } + }, + { + "using_pseudo_issuer": { + "default": false, + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "required": false, + "type": "boolean" + } + }, + { + "discovery_headers_names": { + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the discovery endpoint.", + "required": false, + "type": "array" + } + }, + { + "discovery_headers_values": { + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the discovery endpoint.", + "required": false, + "type": "array" + } + }, + { + "extra_jwks_uris": { + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "required": false, + "type": "set" + } + }, + { + "rediscovery_lifetime": { + "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", + "required": false, + "type": "number" + } + }, + { + "auth_methods": { + "required": false, + "type": "array", + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ], + "description": "Types of credentials/grants to enable.", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + } + } + }, + { + "client_id": { + "encrypted": true, + "required": false, + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." 
+ } + }, + { + "client_secret": { + "encrypted": true, + "required": false, + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "description": "The client secret." + } + }, + { + "client_auth": { + "elements": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + }, + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "required": false, + "type": "array" + } + }, + { + "client_jwk": { + "elements": { + "type": "record", + "required": false, + "fields": [ + { + "issuer": { + "required": false, + "type": "string" + } + }, + { + "kty": { + "required": false, + "type": "string" + } + }, + { + "use": { + "required": false, + "type": "string" + } + }, + { + "key_ops": { + "elements": { + "required": false, + "type": "string" + }, + "required": false, + "type": "array" + } + }, + { + "alg": { + "required": false, + "type": "string" + } + }, + { + "kid": { + "required": false, + "type": "string" + } + }, + { + "x5u": { + "required": false, + "type": "string" + } + }, + { + "x5c": { + "elements": { + "required": false, + "type": "string" + }, + "required": false, + "type": "array" + } + }, + { + "x5t": { + "required": false, + "type": "string" + } + }, + { + "x5t#S256": { + "required": false, + "type": "string" + } + }, + { + "k": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "x": { + "required": false, + "type": "string" + } + }, + { + "y": { + "required": false, + "type": 
"string" + } + }, + { + "crv": { + "required": false, + "type": "string" + } + }, + { + "n": { + "required": false, + "type": "string" + } + }, + { + "e": { + "required": false, + "type": "string" + } + }, + { + "d": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "p": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "q": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "dp": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "dq": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "qi": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "oth": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "r": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "t": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + } + ] + }, + "description": "The JWK used for the private_key_jwt authentication.", + "required": false, + "type": "array" + } + }, + { + "client_alg": { + "elements": { + "type": "string", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS384", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + }, + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "required": false, + "type": "array" + } + }, + { + "client_arg": { + "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "required": false, + "type": "string" + } + }, + { + "redirect_uri": { + "elements": { + "type": "string", + "description": "A 
string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "The redirect URI passed to the authorization and token endpoints.", + "required": false, + "type": "array" + } + }, + { + "login_redirect_uri": { + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true, + "type": "string" + }, + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "required": false, + "type": "array" + } + }, + { + "logout_redirect_uri": { + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true, + "type": "string" + }, + "description": "Where to redirect the client after the logout.", + "required": false, + "type": "array" + } + }, + { + "forbidden_redirect_uri": { + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client on forbidden requests.", + "required": false, + "type": "array" + } + }, + { + "forbidden_error_message": { + "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection).", + "required": false, + "type": "string" + } + }, + { + "forbidden_destroy_session": { + "default": true, + "description": "Destroy any active session for the forbidden requests.", + "required": false, + "type": "boolean" + } + }, + { + "unauthorized_destroy_session": { + "default": true, + "description": "Destroy any active session for the unauthorized requests.", + "required": false, + "type": "boolean" + } + }, + { + "unauthorized_redirect_uri": { + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ }, + "description": "Where to redirect the client on unauthorized requests.", + "required": false, + "type": "array" + } + }, + { + "unauthorized_error_message": { + "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection).", + "required": false, + "type": "string" + } + }, + { + "unexpected_redirect_uri": { + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "required": false, + "type": "array" + } + }, + { + "response_mode": { + "required": false, + "type": "string", + "default": "query", + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "one_of": [ + "query", + "form_post", + "fragment", + "query.jwt", + "form_post.jwt", + "fragment.jwt", + "jwt" + ] + } + }, + { + "response_type": { + "required": false, + "type": "array", + "default": [ + "code" + ], + "description": "The response type passed to the authorization endpoint.", + "elements": { + "type": "string" + } + } + }, + { + "scopes": { + "required": false, + "type": "array", + "default": [ + "openid" + ], + "description": "The scopes passed to the authorization and token endpoints.", + "elements": { + "referenceable": true, + "type": "string" + } + } + }, + { + "audience": { + "elements": { + "type": "string" + }, + "description": "The audience passed to the authorization endpoint.", + "required": false, + "type": "array" + } 
+ }, + { + "issuers_allowed": { + "elements": { + "type": "string" + }, + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "required": false, + "type": "array" + } + }, + { + "scopes_required": { + "elements": { + "type": "string" + }, + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, + "type": "array" + } + }, + { + "scopes_claim": { + "required": false, + "type": "array", + "default": [ + "scope" + ], + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } + } + }, + { + "audience_required": { + "elements": { + "type": "string" + }, + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, + "type": "array" + } + }, + { + "audience_claim": { + "required": false, + "type": "array", + "default": [ + "aud" + ], + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } + } + }, + { + "groups_required": { + "elements": { + "type": "string" + }, + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, + "type": "array" + } + }, + { + "groups_claim": { + "required": false, + "type": "array", + "default": [ + "groups" + ], + "description": "The claim that contains the groups. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } + } + }, + { + "roles_required": { + "elements": { + "type": "string" + }, + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, + "type": "array" + } + }, + { + "roles_claim": { + "required": false, + "type": "array", + "default": [ + "roles" + ], + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } + } + }, + { + "domains": { + "elements": { + "type": "string" + }, + "description": "The allowed values for the `hd` claim.", + "required": false, + "type": "array" + } + }, + { + "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "required": false, + "type": "number" + } + }, + { + "authenticated_groups_claim": { + "elements": { + "type": "string" + }, + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "type": "array" + } + }, + { + "pushed_authorization_request_endpoint": { + "description": "The pushed authorization endpoint. 
If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "pushed_authorization_request_endpoint_auth_method": { + "type": "string", + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "require_pushed_authorization_requests": { + "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "required": false, + "type": "boolean" + } + }, + { + "require_proof_key_for_code_exchange": { + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "required": false, + "type": "boolean" + } + }, + { + "require_signed_request_object": { + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "required": false, + "type": "boolean" + } + }, + { + "authorization_endpoint": { + "description": "The authorization endpoint. 
If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "authorization_query_args_names": { + "elements": { + "type": "string" + }, + "description": "Extra query argument names passed to the authorization endpoint.", + "required": false, + "type": "array" + } + }, + { + "authorization_query_args_values": { + "elements": { + "type": "string" + }, + "description": "Extra query argument values passed to the authorization endpoint.", + "required": false, + "type": "array" + } + }, + { + "authorization_query_args_client": { + "elements": { + "type": "string" + }, + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "required": false, + "type": "array" + } + }, + { + "authorization_rolling_timeout": { + "default": 600, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling.", + "required": false, + "type": "number" + } + }, + { + "authorization_cookie_name": { + "default": "authorization", + "description": "The authorization cookie name.", + "required": false, + "type": "string" + } + }, + { + "authorization_cookie_path": { + "required": false, + "type": "string", + "default": "/", + "description": "The authorization cookie Path flag.", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "starts_with": "/" + } + }, + { + "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", + "required": false, + "type": "string" + } + }, + { + "authorization_cookie_same_site": { + "required": false, + "type": "string", + "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "authorization_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "required": false, + "type": "boolean" + } + }, + { + "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "required": false, + "type": "boolean" + } + }, + { + "preserve_query_args": { + "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "required": false, + "type": "boolean" + } + }, + { + "token_endpoint": { + "description": "The token endpoint. 
If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "token_endpoint_auth_method": { + "type": "string", + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "token_headers_names": { + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_headers_values": { + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_headers_client": { + "elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_headers_replay": { + "elements": { + "type": "string" + }, + "description": "The names of token endpoint response headers to forward to the downstream client.", + "required": false, + "type": "array" + } + }, + { + "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "required": false, + "type": "string" + } + }, + { + "token_headers_grants": { + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token" + ] + }, + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials 
grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "required": false, + "type": "array" + } + }, + { + "token_post_args_names": { + "elements": { + "type": "string" + }, + "description": "Extra post argument names passed to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_post_args_values": { + "elements": { + "type": "string" + }, + "description": "Extra post argument values passed to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_post_args_client": { + "elements": { + "type": "string" + }, + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_endpoint": { + "description": "The introspection endpoint. 
If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "introspection_endpoint_auth_method": { + "type": "string", + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "introspection_hint": { + "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "required": false, + "type": "string" + } + }, + { + "introspection_check_active": { + "default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "required": false, + "type": "boolean" + } + }, + { + "introspection_accept": { + "required": false, + "type": "string", + "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "one_of": [ + "application/json", + "application/token-introspection+jwt", + "application/jwt" + ] + } + }, + { + "introspection_headers_names": { + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_headers_values": { + "encrypted": true, + "required": false, + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "description": 
"Extra header values passed to the introspection endpoint." + } + }, + { + "introspection_headers_client": { + "elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_post_args_names": { + "elements": { + "type": "string" + }, + "description": "Extra post argument names passed to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_post_args_values": { + "elements": { + "type": "string" + }, + "description": "Extra post argument values passed to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_post_args_client": { + "elements": { + "type": "string" + }, + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_post_args_client_headers": { + "elements": { + "type": "string" + }, + "description": "Extra post arguments passed from the client headers to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspect_jwt_tokens": { + "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "required": false, + "type": "boolean" + } + }, + { + "revocation_endpoint": { + "description": "The revocation endpoint. 
If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "revocation_endpoint_auth_method": { + "type": "string", + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "end_session_endpoint": { + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "userinfo_endpoint": { + "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "userinfo_accept": { + "required": false, + "type": "string", + "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "one_of": [ + "application/json", + "application/jwt" + ] + } + }, + { + "userinfo_headers_names": { + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the user info endpoint.", + "required": false, + "type": "array" + } + }, + { + "userinfo_headers_values": { + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the user info endpoint.", + "required": false, + "type": "array" + } + }, + { + "userinfo_headers_client": { + "elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the user info 
endpoint.", + "required": false, + "type": "array" + } + }, + { + "userinfo_query_args_names": { + "elements": { + "type": "string" + }, + "description": "Extra query argument names passed to the user info endpoint.", + "required": false, + "type": "array" + } + }, + { + "userinfo_query_args_values": { + "elements": { + "type": "string" + }, + "description": "Extra query argument values passed to the user info endpoint.", + "required": false, + "type": "array" + } + }, + { + "userinfo_query_args_client": { + "elements": { + "type": "string" + }, + "description": "Extra query arguments passed from the client to the user info endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_exchange_endpoint": { + "description": "The token exchange endpoint.", + "required": false, + "type": "string" + } + }, + { + "session_secret": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The session secret.", + "required": false + } + }, + { + "session_audience": { + "default": "default", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "required": false, + "type": "string" + } + }, + { + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "required": false, + "type": "string" + } + }, + { + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "required": false, + "type": "boolean" + } + }, + { + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "required": false, + "type": "string" + } + }, + { + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Specifies how long the persistent session is considered valid in seconds. 
0 disables the checks and rolling.", + "required": false, + "type": "number" + } + }, + { + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "required": false, + "type": "number" + } + }, + { + "session_idling_timeout": { + "default": 900, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "required": false, + "type": "number" + } + }, + { + "session_rolling_timeout": { + "default": 3600, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "required": false, + "type": "number" + } + }, + { + "session_absolute_timeout": { + "default": 86400, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 
0 disables the checks.", + "required": false, + "type": "number" + } + }, + { + "session_cookie_path": { + "required": false, + "type": "string", + "default": "/", + "description": "The session cookie Path flag.", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "starts_with": "/" + } + }, + { + "session_cookie_domain": { + "description": "The session cookie Domain flag.", + "required": false, + "type": "string" + } + }, + { + "session_cookie_same_site": { + "required": false, + "type": "string", + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "required": false, + "type": "boolean" + } + }, + { + "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "required": false, + "type": "boolean" + } + }, + { + "session_request_headers": { + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. 
`[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "required": false, + "type": "set" + } + }, + { + "session_response_headers": { + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "required": false, + "type": "set" + } + }, + { + "session_storage": { + "required": false, + "type": "string", + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "one_of": [ + "cookie", + "memcache", + "memcached", + "redis" + ] + } + }, + { + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "required": false, + "type": "boolean" + } + }, + { + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "required": false, + "type": "boolean" + } + }, + { + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", + "required": false, + "type": "boolean" + } + }, + { + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "required": false, + "type": "boolean" + } + }, + { + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "required": false, + "type": "string" + } + }, + { + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "required": false, + "type": "string" + } + }, + { + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "required": false, + "type": "string" + } + }, + { + "session_memcached_port": { + "between": [ + 0, + 65535 + ], + "required": false, + "type": "integer", + "default": 11211, + "description": "The memcached port." 
+ } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + } + ], + "fields": [ + { + 
"host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "one_of": [ + "master", + "slave", + "any" + ], + "type": "string" + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ], + "type": "record" + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ], + "type": "record" + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + }, + { + "prefix": { + "description": "The Redis session key prefix.", + "required": false, + "type": "string" + } + }, + { + "socket": { + "description": "The Redis unix socket path.", + "required": false, + "type": "string" + } + } + ] + } + }, + { + "reverify": { + "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", + "required": false, + "type": "boolean" + } + }, + { + "jwt_session_claim": { + "default": "sid", + "description": "The claim to match against the JWT session cookie.", + "required": false, + "type": "string" + } + }, + { + "jwt_session_cookie": { + "description": "The name of the JWT session cookie.", + "required": false, + "type": "string" + } + }, + { + "bearer_token_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "elements": { + "type": "string", + "one_of": [ + "header", + "cookie", + "query", + "body" + ] + } + } + }, + { + 
"bearer_token_cookie_name": { + "description": "The name of the cookie in which the bearer token is passed.", + "required": false, + "type": "string" + } + }, + { + "client_credentials_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + } + } + }, + { + "password_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + } + } + }, + { + "id_token_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + } + } + }, + { + "id_token_param_name": { + "description": "The name of the parameter used to pass the id token.", + "required": false, + "type": "string" + } + }, + { + "refresh_token_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + } + } + }, + { + "refresh_token_param_name": { + "description": "The name of the 
parameter used to pass the refresh token.", + "required": false, + "type": "string" + } + }, + { + "refresh_tokens": { + "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "required": false, + "type": "boolean" + } + }, + { + "upstream_headers_claims": { + "elements": { + "type": "string" + }, + "description": "The upstream header claims. Only top level claims are supported.", + "required": false, + "type": "array" + } + }, + { + "upstream_headers_names": { + "elements": { + "type": "string" + }, + "description": "The upstream header names for the claim values.", + "required": false, + "type": "array" + } + }, + { + "upstream_access_token_header": { + "default": "authorization:bearer", + "description": "The upstream access token header.", + "required": false, + "type": "string" + } + }, + { + "upstream_access_token_jwk_header": { + "description": "The upstream access token JWK header.", + "required": false, + "type": "string" + } + }, + { + "upstream_id_token_header": { + "description": "The upstream id token header.", + "required": false, + "type": "string" + } + }, + { + "upstream_id_token_jwk_header": { + "description": "The upstream id token JWK header.", + "required": false, + "type": "string" + } + }, + { + "upstream_refresh_token_header": { + "description": "The upstream refresh token header.", + "required": false, + "type": "string" + } + }, + { + "upstream_user_info_header": { + "description": "The upstream user info header.", + "required": false, + "type": "string" + } + }, + { + "upstream_user_info_jwt_header": { + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "required": false, + "type": "string" + } + }, + { + "upstream_introspection_header": { + "description": "The upstream introspection header.", + "required": false, + "type": "string" + } + }, + { + 
"upstream_introspection_jwt_header": { + "description": "The upstream introspection JWT header.", + "required": false, + "type": "string" + } + }, + { + "upstream_session_id_header": { + "description": "The upstream session id header.", + "required": false, + "type": "string" + } + }, + { + "downstream_headers_claims": { + "elements": { + "type": "string" + }, + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "type": "array" + } + }, + { + "downstream_headers_names": { + "elements": { + "type": "string" + }, + "description": "The downstream header names for the claim values.", + "required": false, + "type": "array" + } + }, + { + "downstream_access_token_header": { + "description": "The downstream access token header.", + "required": false, + "type": "string" + } + }, + { + "downstream_access_token_jwk_header": { + "description": "The downstream access token JWK header.", + "required": false, + "type": "string" + } + }, + { + "downstream_id_token_header": { + "description": "The downstream id token header.", + "required": false, + "type": "string" + } + }, + { + "downstream_id_token_jwk_header": { + "description": "The downstream id token JWK header.", + "required": false, + "type": "string" + } + }, + { + "downstream_refresh_token_header": { + "description": "The downstream refresh token header.", + "required": false, + "type": "string" + } + }, + { + "downstream_user_info_header": { + "description": "The downstream user info header.", + "required": false, + "type": "string" + } + }, + { + "downstream_user_info_jwt_header": { + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "required": false, + "type": "string" + } + }, + { + "downstream_introspection_header": { + "description": "The downstream introspection header.", + "required": false, + "type": "string" + } + }, + { + 
"downstream_introspection_jwt_header": { + "description": "The downstream introspection JWT header.", + "required": false, + "type": "string" + } + }, + { + "downstream_session_id_header": { + "description": "The downstream session id header.", + "required": false, + "type": "string" + } + }, + { + "login_methods": { + "required": false, + "type": "array", + "default": [ + "authorization_code" + ], + "description": "Enable login functionality with specified grants.", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + } + } + }, + { + "login_action": { + "required": false, + "type": "string", + "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "one_of": [ + "upstream", + "response", + "redirect" + ] + } + }, + { + "login_tokens": { + "required": false, + "type": "array", + "default": [ + "id_token" + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "elements": { + "type": "string", + "one_of": [ + "id_token", + "access_token", + "refresh_token", + "tokens", + "introspection" + ] + } + } + }, + { + "login_redirect_mode": { + "required": false, + "type": "string", + "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "one_of": [ + "query", + "fragment" + ] + } + }, + { + "logout_query_arg": { + 
"description": "The request query argument that activates the logout.", + "required": false, + "type": "string" + } + }, + { + "logout_post_arg": { + "description": "The request body argument that activates the logout.", + "required": false, + "type": "string" + } + }, + { + "logout_uri_suffix": { + "description": "The request URI suffix that activates the logout.", + "required": false, + "type": "string" + } + }, + { + "logout_methods": { + "required": false, + "type": "array", + "default": [ + "POST", + "DELETE" + ], + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "elements": { + "type": "string", + "one_of": [ + "POST", + "GET", + "DELETE" + ] + } + } + }, + { + "logout_revoke": { + "default": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "required": false, + "type": "boolean" + } + }, + { + "logout_revoke_access_token": { + "default": true, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "required": false, + "type": "boolean" + } + }, + { + "logout_revoke_refresh_token": { + "default": true, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "required": false, + "type": "boolean" + } + }, + { + "consumer_claim": { + "elements": { + "type": "string" + }, + "description": "The claim used for consumer mapping. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "type": "array" + } + }, + { + "consumer_by": { + "required": false, + "type": "array", + "default": [ + "username", + "custom_id" + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + } + } + }, + { + "consumer_optional": { + "default": false, + "description": "Do not terminate the request if consumer mapping fails.", + "required": false, + "type": "boolean" + } + }, + { + "credential_claim": { + "required": false, + "type": "array", + "default": [ + "sub" + ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "required": false, + "type": "string" + } + }, + { + "run_on_preflight": { + "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "required": false, + "type": "boolean" + } + }, + { + "leeway": { + "default": 0, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "required": false, + "type": "number" + } + }, + { + "verify_parameters": { + "default": false, + "description": "Verify plugin configuration against discovery.", + "required": false, + "type": "boolean" + } + }, + { + "verify_nonce": { + "default": true, + "description": "Verify nonce on authorization code flow.", + "required": false, + "type": "boolean" + } + }, + { + "verify_claims": { + "default": true, + "description": "Verify tokens for standard claims.", + "required": false, + "type": "boolean" + } + }, + { + "verify_signature": { + "default": true, + "description": "Verify signature of tokens.", + "required": false, + "type": "boolean" + } + }, + { + "ignore_signature": { + "required": false, + "type": "array", + "default": [ + + ], + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token", + "session", + "introspection", + "userinfo" + ] + } + } + }, + { + "enable_hs_signatures": { + "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + 
"required": false, + "type": "boolean" + } + }, + { + "disable_session": { + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "description": "Disable issuing the session cookie with the specified grants.", + "required": false, + "type": "array" + } + }, + { + "cache_ttl": { + "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "required": false, + "type": "number" + } + }, + { + "cache_ttl_max": { + "description": "The maximum cache ttl in seconds (enforced).", + "required": false, + "type": "number" + } + }, + { + "cache_ttl_min": { + "description": "The minimum cache ttl in seconds (enforced).", + "required": false, + "type": "number" + } + }, + { + "cache_ttl_neg": { + "description": "The negative cache ttl in seconds.", + "required": false, + "type": "number" + } + }, + { + "cache_ttl_resurrect": { + "description": "The resurrection ttl in seconds.", + "required": false, + "type": "number" + } + }, + { + "cache_tokens": { + "default": true, + "description": "Cache the token endpoint requests.", + "required": false, + "type": "boolean" + } + }, + { + "cache_tokens_salt": { + "auto": true, + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "required": false, + "type": "string" + } + }, + { + "cache_introspection": { + "default": true, + "description": "Cache the introspection endpoint requests.", + "required": false, + "type": "boolean" + } + }, + { + "cache_token_exchange": { + "default": true, + "description": "Cache the token exchange endpoint requests.", + "required": false, + "type": "boolean" + } + }, + { + "cache_user_info": { + "default": true, + "description": "Cache the user info requests.", + "required": false, + "type": "boolean" + } + }, + 
{ + "search_user_info": { + "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "required": false, + "type": "boolean" + } + }, + { + "hide_credentials": { + "default": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "required": false, + "type": "boolean" + } + }, + { + "http_version": { + "default": 1.1, + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "required": false, + "type": "number" + } + }, + { + "http_proxy": { + "description": "The HTTP proxy.", + "required": false, + "type": "string" + } + }, + { + "http_proxy_authorization": { + "required": false, + "description": "The HTTP proxy authorization.", + "referenceable": true, + "type": "string" + } + }, + { + "https_proxy": { + "description": "The HTTPS proxy.", + "required": false, + "type": "string" + } + }, + { + "https_proxy_authorization": { + "required": false, + "description": "The HTTPS proxy authorization.", + "referenceable": true, + "type": "string" + } + }, + { + "no_proxy": { + "description": "Do not use proxy with these hosts.", + "required": false, + "type": "string" + } + }, + { + "keepalive": { + "default": true, + "description": "Use keepalive with the HTTP client.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "Verify identity provider server certificate. 
If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "required": false, + "type": "boolean" + } + }, + { + "timeout": { + "default": 10000, + "description": "Network IO timeout in milliseconds.", + "required": false, + "type": "number" + } + }, + { + "display_errors": { + "default": false, + "description": "Display errors on failure responses.", + "required": false, + "type": "boolean" + } + }, + { + "by_username_ignore_case": { + "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "required": false, + "type": "boolean" + } + }, + { + "resolve_distributed_claims": { + "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "required": false, + "type": "boolean" + } + }, + { + "expose_error_code": { + "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. 
Set to `false` to disable.", + "type": "boolean" + } + }, + { + "token_cache_key_include_scope": { + "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean" + } + }, + { + "introspection_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for introspection.", + "required": false, + "type": "string" + } + }, + { + "revocation_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for revocation.", + "required": false, + "type": "string" + } + }, + { + "proof_of_possession_mtls": { + "required": false, + "type": "string", + "default": "off", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", + "one_of": [ + "off", + "strict", + "optional" + ] + } + }, + { + "proof_of_possession_auth_methods_validation": { + "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. 
If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "required": false, + "type": "boolean" + } + }, + { + "tls_client_auth_cert_id": { + "auto": false, + "required": false, + "type": "string", + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "uuid": true + } + }, + { + "tls_client_auth_ssl_verify": { + "default": true, + "description": "Verify identity provider server certificate during mTLS client authentication.", + "required": false, + "type": "boolean" + } + }, + { + "mtls_token_endpoint": { + "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "mtls_introspection_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "mtls_revocation_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "proof_of_possession_dpop": { + "required": false, + "type": "string", + "default": "off", + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). 
If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "one_of": [ + "off", + "strict", + "optional" + ] + } + }, + { + "dpop_use_nonce": { + "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", + "required": false, + "type": "boolean" + } + }, + { + "dpop_proof_lifetime": { + "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "required": false, + "type": "number" + } + }, + { + "claims_forbidden": { + "elements": { + "type": "string" + }, + "description": "If given, these claims are forbidden in the token payload.", + "required": false, + "type": "array" + } + }, + { + "cluster_cache_strategy": { + "required": false, + "type": "string", + "default": "off", + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. 
Currentlly only introspection cache is shared.", + "one_of": [ + "off", + "redis" + ] + } + }, + { + "cluster_cache_redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + 
"path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + } + ] + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/opentelemetry/3.10.x.json b/schemas/opentelemetry/3.10.x.json new file mode 100644 index 00000000..573b5251 --- /dev/null +++ b/schemas/opentelemetry/3.10.x.json 
@@ -0,0 +1,367 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "required": true, + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "traces_endpoint", + "logs_endpoint" + ] + } + ], + "shorthand_fields": [ + { + "endpoint": { + "deprecation": { + "removal_in_version": "4.0", + "message": "OpenTelemetry: config.endpoint is deprecated, please use config.traces_endpoint instead" + }, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true, + "type": "string" + } + } + ], + "fields": [ + { + "traces_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true, + "type": "string" + } + }, + { + "logs_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true, + "type": "string" + } + }, + { + "headers": { + "values": { + "referenceable": true, + "type": "string" + }, + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", + "keys": { + "type": "string", + "description": "A string representing an HTTP header name." 
+ }, + "type": "map" + } + }, + { + "resource_attributes": { + "values": { + "required": true, + "type": "string" + }, + "keys": { + "required": true, + "type": "string" + }, + "type": "map" + } + }, + { + "queue": { + "default": { + "max_batch_size": 200 + }, + "type": "record", + "required": true, + "fields": [ + { + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "between": [ + 0, + 3600 + ], + "type": "number" + } + }, + { + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + } + }, + { + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. 
-1 indicates unlimited.", + "type": "integer", + "one_of": [ + -1, + 1 + ] + } + } + ] + } + }, + { + "batch_span_count": { + "description": "The number of spans to be sent in a single batch.", + "type": "integer", + "deprecation": { + "old_default": 200, + "message": "opentelemetry: config.batch_span_count is deprecated, please use config.queue.max_batch_size instead", + "removal_in_version": "4.0" + } + } + }, + { + "batch_flush_delay": { + "description": "The delay, in seconds, between two consecutive batches.", + "type": "integer", + "deprecation": { + "old_default": 3, + "message": "opentelemetry: config.batch_flush_delay is deprecated, please use config.queue.max_coalescing_delay instead", + "removal_in_version": "4.0" + } + } + }, + { + "connect_timeout": { + "default": 1000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "http_response_header_for_traceid": { + "type": "string" + } + }, + { + "header_type": { + "required": false, + "type": "string", + "default": "preserve", + "deprecation": { + "old_default": "preserve", + "message": "opentelemetry: config.header_type is deprecated, please use config.propagation options instead", + "removal_in_version": "4.0" + }, + "one_of": [ + "preserve", + "ignore", + "b3", + "b3-single", + "w3c", + "jaeger", + "ot", + "aws", + "gcp", + "datadog" + ] + } + }, + { + "sampling_rate": { + "between": [ + 0, + 1 + ], + "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", + "required": false, + "type": "number" + } + }, + { + "propagation": { + "default": { + "default_format": "w3c" + }, + "fields": [ + { + "extract": { + "elements": { + "type": "string", + "one_of": [ + "gcp", + "jaeger", + "aws", + "ot", + "w3c", + "datadog", + "b3" + ] + }, + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "type": "array" + } + }, + { + "clear": { + "elements": { + "type": "string" + }, + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. 
If left empty, no headers are cleared.", + "type": "array" + } + }, + { + "inject": { + "elements": { + "type": "string", + "one_of": [ + "preserve", + "gcp", + "b3-single", + "jaeger", + "aws", + "ot", + "w3c", + "datadog", + "b3" + ] + }, + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "type": "array" + } + }, + { + "default_format": { + "type": "string", + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "required": true, + "one_of": [ + "gcp", + "b3-single", + "jaeger", + "aws", + "ot", + "w3c", + "datadog", + "b3" + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/post-function/3.10.x.json b/schemas/post-function/3.10.x.json new file mode 100644 index 00000000..6835bfd9 --- /dev/null +++ b/schemas/post-function/3.10.x.json 
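Review bot: The `headers` description under `config` says the map is meant for authentication headers (token), but nothing in the entry tells an operator how to keep that token out of plaintext configuration. Its values are marked `referenceable: true` yet, unlike the Redis `password` and `sentinel_password` entries elsewhere on this page, carry no `encrypted: true`, so the description is the only place to give that guidance. I would end the description with `Supply secret values as vault references rather than literal strings.`, assuming `referenceable` has its usual meaning here. If these schema files are downloaded rather than hand-edited, the wording has to change in the plugin schema upstream.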
@@ -0,0 +1,228 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ], + "fields": [ + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": false, + "type": "set" + } + }, + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "config": { + "fields": [ + { + "certificate": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "rewrite": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "access": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "header_filter": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": 
true, + "type": "array" + } + }, + { + "body_filter": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "log": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "ws_handshake": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "ws_client_frame": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "ws_upstream_frame": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "ws_close": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/pre-function/3.10.x.json b/schemas/pre-function/3.10.x.json new file mode 100644 index 00000000..6835bfd9 --- /dev/null +++ b/schemas/pre-function/3.10.x.json 
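Review bot: The top-level `fields` array defines `protocols` twice with conflicting content: the first entry is `required: false` with `ws`/`wss` in its default, while the second is `required: true`, defaults to the four gRPC/HTTP protocols, and also admits `tcp`, `tls`, `tls_passthrough` and `udp`. A consumer that folds `fields` into a map keeps whichever entry it sees last, so different readers can end up documenting or validating different protocol sets; the generator should emit a single entry. The ten `config` arrays (`certificate`, `access`, `log`, …) also carry no `description`, so the file never says what the strings are; if, as I understand this plugin, they are Lua source run in the request path, each should say so, e.g. `"description": "Lua code to run during the access phase; write access to this field is equivalent to code execution on the gateway."`. `schemas/pre-function/3.10.x.json` has the same blob id (`6835bfd9`) and therefore the same two problems.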
@@ -0,0 +1,228 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ], + "fields": [ + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": false, + "type": "set" + } + }, + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "config": { + "fields": [ + { + "certificate": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "rewrite": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "access": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "header_filter": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": 
true, + "type": "array" + } + }, + { + "body_filter": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "log": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "ws_handshake": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "ws_client_frame": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "ws_upstream_frame": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "ws_close": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/prometheus/3.10.x.json b/schemas/prometheus/3.10.x.json new file mode 100644 index 00000000..ff139dbf --- /dev/null +++ b/schemas/prometheus/3.10.x.json 
@@ -0,0 +1,94 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "per_consumer": { + "default": false, + "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", + "type": "boolean" + } + }, + { + "status_code_metrics": { + "default": false, + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", + "type": "boolean" + } + }, + { + "ai_metrics": { + "default": false, + "description": "A boolean value that determines if ai metrics should be collected. If enabled, the `ai_llm_requests_total`, `ai_llm_cost_total` and `ai_llm_tokens_total` metrics will be exported.", + "type": "boolean" + } + }, + { + "latency_metrics": { + "default": false, + "description": "A boolean value that determines if latency metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", + "type": "boolean" + } + }, + { + "bandwidth_metrics": { + "default": false, + "description": "A boolean value that determines if bandwidth metrics should be collected. 
If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", + "type": "boolean" + } + }, + { + "upstream_health_metrics": { + "default": false, + "description": "A boolean value that determines if upstream metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/proxy-cache-advanced/3.10.x.json b/schemas/proxy-cache-advanced/3.10.x.json new file mode 100644 index 00000000..63d95361 --- /dev/null +++ b/schemas/proxy-cache-advanced/3.10.x.json 
@@ -0,0 +1,573 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "response_code": { + "required": true, + "type": "array", + "default": [ + 200, + 301, + 404 + ], + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", + "elements": { + "between": [ + 100, + 900 + ], + "type": "integer" + }, + "len_min": 1 + } + }, + { + "request_method": { + "required": true, + "type": "array", + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", + "elements": { + "type": "string", + "one_of": [ + "HEAD", + "GET", + "POST", + "PATCH", + "PUT" + ] + } + } + }, + { + "content_type": { + "required": true, + "type": "array", + "default": [ + "text/plain", + "application/json" + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", + "elements": { + "type": "string" + } + } + }, + { + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities.", + "gt": 0, + "type": "integer" + } + }, + { + "strategy": { + "type": "string", + "description": "The backing data store in which to hold cache entities. 
Accepted values are: `memory` and `redis`.", + "required": true, + "one_of": [ + "memory", + "redis" + ] + } + }, + { + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "required": true, + "type": "boolean" + } + }, + { + "ignore_uri_case": { + "default": false, + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", + "required": false, + "type": "boolean" + } + }, + { + "storage_ttl": { + "type": "integer", + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." + } + }, + { + "memory": { + "fields": [ + { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "required": true, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "vary_query_params": { + "elements": { + "type": "string" + }, + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "type": "array" + } + }, + { + "vary_headers": { + "elements": { + "type": "string" + }, + "description": "Relevant headers considered for the cache key. 
If undefined, none of the headers are taken into consideration.", + "type": "array" + } + }, + { + "response_headers": { + "type": "record", + "description": "Caching related diagnostic headers that should be included in cached responses", + "required": true, + "fields": [ + { + "age": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Status": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Key": { + "default": true, + "type": "boolean" + } + } + ] + } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes 
instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + } + ] + } + }, + { + "bypass_on_err": { + "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/proxy-cache/3.10.x.json b/schemas/proxy-cache/3.10.x.json new file mode 100644 index 00000000..c639f5af --- /dev/null +++ b/schemas/proxy-cache/3.10.x.json 
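Review bot: In `config.redis`, `ssl` and `ssl_verify` both default to `false` while the same record carries `password` and `sentinel_password`, so a configuration that sets only host and credentials talks to Redis without TLS, and turning on `ssl` alone still skips certificate verification. Neither description says so; I would extend the `ssl` text to `If set to true, uses SSL to connect to Redis. When false (the default), credentials and cached responses are sent unencrypted.` and state in `ssl_verify` that it should be enabled together with `ssl`. Because the file is pulled from the API, the wording change belongs in the plugin schema upstream. The same `redis` record with the same defaults appears in the `rate-limiting-advanced` hunk further down.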
@@ -0,0 +1,205 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "config": { + "fields": [ + { + "response_code": { + "required": true, + "type": "array", + "default": [ + 200, + 301, + 404 + ], + "description": "Upstream response status code considered cacheable.", + "elements": { + "between": [ + 100, + 900 + ], + "type": "integer" + }, + "len_min": 1 + } + }, + { + "request_method": { + "required": true, + "type": "array", + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable.", + "elements": { + "type": "string", + "one_of": [ + "HEAD", + "GET", + "POST", + "PATCH", + "PUT" + ] + } + } + }, + { + "content_type": { + "required": true, + "type": "array", + "default": [ + "text/plain", + "application/json" + ], + "description": "Upstream response content types considered cacheable. 
The plugin performs an **exact match** against each specified value.", + "elements": { + "type": "string" + } + } + }, + { + "cache_ttl": { + "default": 300, + "description": "TTL, in seconds, of cache entities.", + "gt": 0, + "type": "integer" + } + }, + { + "strategy": { + "type": "string", + "description": "The backing data store in which to hold cache entities.", + "required": true, + "one_of": [ + "memory" + ] + } + }, + { + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "required": true, + "type": "boolean" + } + }, + { + "ignore_uri_case": { + "default": false, + "required": false, + "type": "boolean" + } + }, + { + "storage_ttl": { + "type": "integer", + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." + } + }, + { + "memory": { + "fields": [ + { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "required": true, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "vary_query_params": { + "elements": { + "type": "string" + }, + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "type": "array" + } + }, + { + "vary_headers": { + "elements": { + "type": "string" + }, + "description": "Relevant headers considered for the cache key. 
If undefined, none of the headers are taken into consideration.", + "type": "array" + } + }, + { + "response_headers": { + "type": "record", + "description": "Caching related diagnostic headers that should be included in cached responses", + "required": true, + "fields": [ + { + "age": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Status": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Key": { + "default": true, + "type": "boolean" + } + } + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/rate-limiting-advanced/3.10.x.json b/schemas/rate-limiting-advanced/3.10.x.json new file mode 100644 index 00000000..a2ecf410 --- /dev/null +++ b/schemas/rate-limiting-advanced/3.10.x.json 
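Review bot: `ignore_uri_case` has no `description` in this schema, although it changes how cache keys are matched. The `proxy-cache-advanced` schema in this same patch documents the identical field, so the text can be reused: `Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.` The three `response_headers` flags (`age`, `X-Cache-Status`, `X-Cache-Key`) are undocumented as well. All three default to `true`, so a line on `X-Cache-Key` saying that the cache key is returned to the client unless the flag is turned off would help operators decide whether to keep it.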
@@ -0,0 +1,599 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "identifier": { + "required": true, + "type": "string", + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "one_of": [ + "ip", + "credential", + "consumer", + "service", + "header", + "path", + "consumer-group" + ] + } + }, + { + "compound_identifier": { + "elements": { + "type": "string", + "one_of": [ + "ip", + "credential", + "consumer", + "service", + "header", + "path", + "consumer-group" + ] + }, + "description": "Similar to `identifer`, but supports combining multiple items. The priority of `compound_identifier` is higher than `identifier`, which means if `compound_identifer` is set, it will be used, otherwise `identifier` will be used.", + "type": "array" + } + }, + { + "window_size": { + "elements": { + "type": "number" + }, + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "required": true, + "type": "array" + } + }, + { + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. 
Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "type": "string", + "one_of": [ + "fixed", + "sliding" + ] + } + }, + { + "limit": { + "elements": { + "type": "number" + }, + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "required": true, + "type": "array" + } + }, + { + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + } + }, + { + "namespace": { + "auto": true, + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", + "required": true, + "type": "string" + } + }, + { + "strategy": { + "required": true, + "type": "string", + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "one_of": [ + "cluster", + "redis", + "local" + ] + } + }, + { + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. 
When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "required": true, + "type": "string" + } + }, + { + "lock_dictionary_name": { + "default": "kong_locks", + "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. The shared dictionary should be declare in nginx-kong.conf.", + "required": true, + "type": "string" + } + }, + { + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" + } + }, + { + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + } + }, + { + "header_name": { + "type": "string", + "description": "A string representing an HTTP header name." + } + }, + { + "path": { + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "type": "string" + } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "cluster_addresses 
is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "one_of": [ + "master", + "slave", + "any" + ], + "type": "string" + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ], + "type": "record" + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ], + "type": "record" + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + }, + { + "redis_proxy_type": { + "type": "string", + "description": "If the `connection_is_proxied` is enabled, this field indicates the proxy type and version you are using. For example, you can enable this optioin when you want authentication between Kong and Envoy proxy.", + "required": false, + "one_of": [ + "envoy_v1.31" + ] + } + } + ] + } + }, + { + "enforce_consumer_groups": { + "default": false, + "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", + "type": "boolean" + } + }, + { + "consumer_groups": { + "elements": { + "type": "string" + }, + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", + "type": "array" + } + }, + { + "disable_penalty": { + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. 
This parameter only affects the `sliding` window_type.", + "type": "boolean" + } + }, + { + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "gt": 0, + "type": "number" + } + }, + { + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/rate-limiting/3.10.x.json b/schemas/rate-limiting/3.10.x.json new file mode 100644 index 00000000..fc7061fb --- /dev/null +++ b/schemas/rate-limiting/3.10.x.json 
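Review bot: The `strategy` description says the available values are `local` and `cluster`, but its `one_of` also accepts `redis`, and the `dictionary_name` description in the same schema refers to `config.strategy` being `cluster` or `redis`. The description should name all three values so that the rendered documentation matches what the validator accepts. In the `compound_identifier` description, `identifer` and `compound_identifer` are misspelled field names, which makes them unsearchable in the docs, and `redis_proxy_type` has `optioin`. Since the file is downloaded, these corrections belong in the upstream plugin schema.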
@@ -0,0 +1,474 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.second", + "config.minute", + "config.hour", + "config.day", + "config.month", + "config.year" + ] + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.host", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.port", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.timeout", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "header" + }, + "then_field": "config.header_name", + "if_field": "config.limit_by", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "path" + }, + "then_field": "config.path", + "if_field": "config.limit_by", + "then_match": { + "required": true + } + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "second": { + "gt": 0, + "description": "The number of HTTP requests that can be made per second.", + "type": "number" + } + }, + { + "minute": { + "gt": 0, + "description": "The number of HTTP requests that can be made per minute.", + "type": "number" + } + }, + { + "hour": { + "gt": 0, + "description": "The number of HTTP requests that can be made per hour.", + "type": "number" + } + }, + { + "day": { + "gt": 0, + "description": "The number of HTTP requests that can be made per day.", + "type": "number" + } + }, + { + "month": { + "gt": 0, + "description": "The 
number of HTTP requests that can be made per month.", + "type": "number" + } + }, + { + "year": { + "gt": 0, + "description": "The number of HTTP requests that can be made per year.", + "type": "number" + } + }, + { + "limit_by": { + "default": "consumer", + "description": "The entity that is used when aggregating the limits.", + "type": "string", + "one_of": [ + "consumer", + "credential", + "ip", + "service", + "header", + "path", + "consumer-group" + ] + } + }, + { + "header_name": { + "type": "string", + "description": "A string representing an HTTP header name." + } + }, + { + "path": { + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "type": "string" + } + }, + { + "policy": { + "type": "string", + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "len_min": 0, + "one_of": [ + "local", + "cluster", + "redis" + ] + } + }, + { + "fault_tolerant": { + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", + "required": true, + "type": "boolean" + } + }, + { + "redis": { + "type": "record", + "description": "Redis configuration", + "required": true, + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "len_min": 0 + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + } + ] + } + }, + { + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers.", + "required": true, + "type": "boolean" + } + }, + { + "error_code": { + "gt": 0, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "default": 429, + "type": "number" + } + }, + { + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + } + }, + { + "sync_rate": { + "default": -1, + "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior.", + "required": true, + "type": "number" + } + } + ], + "shorthand_fields": [ + { + "redis_host": { + "deprecation": { + "message": "rate-limiting: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } + ] + }, + "type": "string" + } + }, + { + "redis_port": { + "deprecation": { + "message": "rate-limiting: config.redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ] + }, + "type": "integer" + } + }, + { + "redis_password": { + "type": "string", + "deprecation": { + "message": "rate-limiting: config.redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ] + }, + "len_min": 0 + } + }, + { + "redis_username": { + "deprecation": { + "message": "rate-limiting: config.redis_username 
is deprecated, please use config.redis.username instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ] + }, + "type": "string" + } + }, + { + "redis_ssl": { + "deprecation": { + "message": "rate-limiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ] + }, + "type": "boolean" + } + }, + { + "redis_ssl_verify": { + "deprecation": { + "message": "rate-limiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ] + }, + "type": "boolean" + } + }, + { + "redis_server_name": { + "deprecation": { + "message": "rate-limiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ] + }, + "type": "string" + } + }, + { + "redis_timeout": { + "deprecation": { + "message": "rate-limiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "redis_database": { + "deprecation": { + "message": "rate-limiting: config.redis_database is deprecated, please use config.redis.database instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "database" + ] + } + ] + }, + "type": "integer" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/redirect/3.10.x.json b/schemas/redirect/3.10.x.json new file mode 100644 index 00000000..32153288 --- /dev/null +++ b/schemas/redirect/3.10.x.json 
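Review bot: `redis.ssl` and `redis.ssl_verify` both default to `false` in this schema, and neither description says what that means for the connection. With `policy` set to `redis`, the Redis `password` is therefore sent over a connection that is neither encrypted nor certificate-checked unless both are switched on. I would extend the `ssl_verify` description with a sentence such as `Defaults to false: the Redis server certificate is not validated unless this is set to true together with ssl.` The same `redis` record with the same defaults appears in schemas/response-ratelimiting/3.10.x.json later in this patch. If these files are pulled from the gateway rather than edited by hand, the wording change belongs in the upstream schema.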
@@ -0,0 +1,61 @@ +{ + "entity_checks": [], + "fields": [ + { + "protocols": { + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "set", + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "status_code": { + "between": [ + 100, + 599 + ], + "default": 301, + "type": "integer", + "required": true, + "description": "The response code to send. Must be an integer between 100 and 599." + } + }, + { + "location": { + "type": "string", + "required": true, + "description": "The URL to redirect to" + } + }, + { + "keep_incoming_path": { + "type": "boolean", + "default": false, + "description": "Use the incoming request's path and query string in the redirect URL" + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/request-size-limiting/3.10.x.json b/schemas/request-size-limiting/3.10.x.json new file mode 100644 index 00000000..bcef5a46 --- /dev/null +++ b/schemas/request-size-limiting/3.10.x.json 
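Review bot: `keep_incoming_path` places the client-supplied path and query string into the redirect URL, and `location` is a bare `string` with no `match` or `starts_with` constraint. Nothing in the schema or its descriptions tells an operator that request query parameters end up at whatever host `location` names. The `keep_incoming_path` description should say so, for example `Use the incoming request's path and query string in the redirect URL. Query parameters, including any tokens carried in them, are passed on to the location host.` `status_code` also accepts any value from 100 to 599, so its description could note which codes are meaningful for a redirect.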
@@ -0,0 +1,73 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "allowed_payload_size": { + "default": 128, + "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", + "type": "integer" + } + }, + { + "size_unit": { + "required": true, + "type": "string", + "default": "megabytes", + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", + "one_of": [ + "megabytes", + "kilobytes", + "bytes" + ] + } + }, + { + "require_content_length": { + "default": false, + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", + "required": true, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/request-termination/3.10.x.json b/schemas/request-termination/3.10.x.json new file mode 100644 index 00000000..a95ead36 --- /dev/null +++ b/schemas/request-termination/3.10.x.json 
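Review bot: `allowed_payload_size` is a plain `integer` with no lower bound, unlike the numeric limits elsewhere in this patch that carry `gt` or `between`. As written, the schema accepts zero or negative sizes for a field that is meant to cap request bodies; a `"gt": 0` constraint would close that, and should be raised upstream if this file mirrors the gateway schema. The description also states the size "in megabytes", while `size_unit` allows `bytes` and `kilobytes`. I would reword it to `Allowed request payload size, in the unit given by size_unit. Default is 128 megabytes.`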
@@ -0,0 +1,81 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "status_code": { + "between": [ + 100, + 599 + ], + "required": true, + "type": "integer", + "default": 503, + "description": "The response code to send. Must be an integer between 100 and 599." + } + }, + { + "message": { + "description": "The message to send, if using the default response generator.", + "type": "string" + } + }, + { + "content_type": { + "description": "Content type of the raw response configured with `config.body`.", + "type": "string" + } + }, + { + "body": { + "description": "The raw response body to send. This is mutually exclusive with the `config.message` field.", + "type": "string" + } + }, + { + "echo": { + "default": false, + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", + "required": true, + "type": "boolean" + } + }, + { + "trigger": { + "type": "string", + "description": "A string representing an HTTP header name." + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/request-transformer-advanced/3.10.x.json b/schemas/request-transformer-advanced/3.10.x.json new file mode 100644 index 00000000..90f58ca4 --- /dev/null +++ b/schemas/request-transformer-advanced/3.10.x.json 
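Review bot: The `trigger` description only says it is an HTTP header name, yet the `echo` description relies on `trigger` to confine debugging on live systems. The schema never explains what the header triggers or what happens when `trigger` is unset. Since `echo` returns a copy of the request (presumably including its headers) to the client, operators need that scoping rule spelled out. I would expand `trigger` to state when the plugin activates with and without it, to be confirmed against the plugin's behaviour. I would also add to `echo` a sentence such as `Restrict echo with trigger on production routes so that only deliberately marked requests are echoed.`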
@@ -0,0 +1,337 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", + "match": "^%u+$", + "type": "string" + } + }, + { + "remove": { + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "rename": { + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "replace": { + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + }, + { + "json_types": { + "default": [ + + ], + "elements": { + "type": 
"string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array" + } + }, + { + "uri": { + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "add": { + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + }, + { + "json_types": { + "default": [ + + ], + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "append": { + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + }, + { + "json_types": { + "default": [ + + ], + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "allow": { + "fields": [ + { + "body": { + "elements": { + "type": "string" + }, + "type": "set" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "dots_in_keys": { + "default": true, + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. 
See [Arrays and nested objects](#arrays-and-nested-objects).", + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/request-transformer/3.10.x.json b/schemas/request-transformer/3.10.x.json new file mode 100644 index 00000000..ee8d790f --- /dev/null +++ b/schemas/request-transformer/3.10.x.json 
@@ -0,0 +1,280 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "config": { + "fields": [ + { + "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", + "match": "^%u+$", + "type": "string" + } + }, + { + "remove": { + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "rename": { + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "required": true, + "type": "array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "replace": { + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "required": true, + "type": 
"array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "uri": { + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "add": { + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "required": true, + "type": "array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "append": { + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "required": true, + "type": "array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/request-validator/3.10.x.json b/schemas/request-validator/3.10.x.json new file mode 100644 index 00000000..b8b9d41d --- /dev/null +++ b/schemas/request-validator/3.10.x.json 
@@ -0,0 +1,189 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "at_least_one_of": [ + "body_schema", + "parameter_schema" + ] + } + ], + "fields": [ + { + "body_schema": { + "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.", + "required": false, + "type": "string" + } + }, + { + "allowed_content_types": { + "default": [ + "application/json" + ], + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", + "elements": { + "required": true, + "type": "string" + }, + "type": "set" + } + }, + { + "version": { + "required": true, + "type": "string", + "default": "kong", + "description": "Which validator to use. 
Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", + "one_of": [ + "kong", + "draft4" + ] + } + }, + { + "parameter_schema": { + "elements": { + "entity_checks": [ + { + "mutually_required": [ + "style", + "explode", + "schema" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "style", + "in" + ] + } + } + ], + "fields": [ + { + "in": { + "type": "string", + "description": "The location of the parameter.", + "required": true, + "one_of": [ + "query", + "header", + "path" + ] + } + }, + { + "name": { + "description": "The name of the parameter. Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`.", + "required": true, + "type": "string" + } + }, + { + "required": { + "description": "Determines whether this parameter is mandatory.", + "required": true, + "type": "boolean" + } + }, + { + "style": { + "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", + "type": "string", + "one_of": [ + "label", + "form", + "matrix", + "simple", + "spaceDelimited", + "pipeDelimited", + "deepObject" + ] + } + }, + { + "explode": { + "type": "boolean", + "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect." + } + }, + { + "schema": { + "type": "string", + "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. 
In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating." + } + } + ], + "type": "record" + }, + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", + "required": false, + "type": "array" + } + }, + { + "verbose_response": { + "default": false, + "description": "If enabled, the plugin returns more verbose and detailed validation errors.", + "required": true, + "type": "boolean" + } + }, + { + "content_type_parameter_validation": { + "default": true, + "description": "Determines whether to enable parameters validation of request content-type.", + "required": true, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/response-ratelimiting/3.10.x.json b/schemas/response-ratelimiting/3.10.x.json new file mode 100644 index 00000000..b6e0eba1 --- /dev/null +++ b/schemas/response-ratelimiting/3.10.x.json 
@@ -0,0 +1,439 @@ +{ + "entity_checks": [ + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.host", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.port", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.timeout", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "header_name": { + "default": "x-kong-limit", + "description": "The name of the response header used to increment the counters.", + "type": "string" + } + }, + { + "limit_by": { + "default": "consumer", + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. 
If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", + "type": "string", + "one_of": [ + "consumer", + "credential", + "ip" + ] + } + }, + { + "policy": { + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "type": "string", + "one_of": [ + "local", + "cluster", + "redis" + ] + } + }, + { + "fault_tolerant": { + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", + "required": true, + "type": "boolean" + } + }, + { + "redis": { + "type": "record", + "description": "Redis configuration", + "required": true, + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "len_min": 0 + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + } + ] + } + }, + { + "block_on_first_violation": { + "default": false, + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. 
This will block requests that are supposed to consume other limits too.", + "required": true, + "type": "boolean" + } + }, + { + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers.", + "required": true, + "type": "boolean" + } + }, + { + "limits": { + "values": { + "entity_checks": [ + { + "at_least_one_of": [ + "second", + "minute", + "hour", + "day", + "month", + "year" + ] + } + ], + "type": "record", + "required": true, + "fields": [ + { + "second": { + "gt": 0, + "type": "number" + } + }, + { + "minute": { + "gt": 0, + "type": "number" + } + }, + { + "hour": { + "gt": 0, + "type": "number" + } + }, + { + "day": { + "gt": 0, + "type": "number" + } + }, + { + "month": { + "gt": 0, + "type": "number" + } + }, + { + "year": { + "gt": 0, + "type": "number" + } + } + ] + }, + "required": true, + "type": "map", + "description": "A map that defines rate limits for the plugin.", + "keys": { + "type": "string" + }, + "len_min": 1 + } + } + ], + "shorthand_fields": [ + { + "redis_host": { + "deprecation": { + "message": "response-ratelimiting: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } + ] + }, + "type": "string" + } + }, + { + "redis_port": { + "deprecation": { + "message": "response-ratelimiting: config.redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ] + }, + "type": "integer" + } + }, + { + "redis_password": { + "len_min": 0, + "deprecation": { + "message": "response-ratelimiting: config.redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ] + }, + "type": "string" + } + }, + { + "redis_username": { + "deprecation": { + "message": "response-ratelimiting: 
config.redis_username is deprecated, please use config.redis.username instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ] + }, + "type": "string" + } + }, + { + "redis_ssl": { + "deprecation": { + "message": "response-ratelimiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ] + }, + "type": "boolean" + } + }, + { + "redis_ssl_verify": { + "deprecation": { + "message": "response-ratelimiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ] + }, + "type": "boolean" + } + }, + { + "redis_server_name": { + "deprecation": { + "message": "response-ratelimiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ] + }, + "type": "string" + } + }, + { + "redis_timeout": { + "deprecation": { + "message": "response-ratelimiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "redis_database": { + "deprecation": { + "message": "response-ratelimiting: config.redis_database is deprecated, please use config.redis.database instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "database" + ] + } + ] + }, + "type": "integer" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/response-transformer-advanced/3.10.x.json b/schemas/response-transformer-advanced/3.10.x.json new file mode 100644 index 00000000..acf4ee71 --- /dev/null 
+++ b/schemas/response-transformer-advanced/3.10.x.json 
@@ -0,0 +1,350 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "remove": { + "fields": [ + { + "json": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "if_status": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "rename": { + "fields": [ + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "type": "array" + } + }, + { + "if_status": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "replace": { + "fields": [ + { + "body": { + "description": "String with which to replace the entire response body.", + "type": "string" + } + }, + { + "json": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "json_types": { + "default": [ + + ], + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "if_status": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "add": { + "fields": [ + { + "json": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "json_types": { + "default": [ + + ], + 
"elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "if_status": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "append": { + "fields": [ + { + "json": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "json_types": { + "default": [ + + ], + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "if_status": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "allow": { + "fields": [ + { + "json": { + "elements": { + "type": "string" + }, + "type": "set" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "transform": { + "fields": [ + { + "functions": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "if_status": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "json": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "dots_in_keys": { + "default": true, + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file 
diff --git a/schemas/response-transformer/3.10.x.json b/schemas/response-transformer/3.10.x.json new file mode 100644 index 00000000..eb4a6258 --- /dev/null +++ b/schemas/response-transformer/3.10.x.json 
@@ -0,0 +1,259 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "remove": { + "fields": [ + { + "json": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "rename": { + "fields": [ + { + "json": { + "default": [ + + ], + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "replace": { + "fields": [ + { + "json": { + "default": [ + + ], + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "json_types": { + "required": true, + "type": "array", + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. 
Each string element can be one of: boolean, number, or string.", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + } + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "add": { + "fields": [ + { + "json": { + "default": [ + + ], + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "json_types": { + "required": true, + "type": "array", + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + } + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "append": { + "fields": [ + { + "json": { + "default": [ + + ], + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "json_types": { + "required": true, + "type": "array", + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + } + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file 
diff --git a/schemas/route-by-header/3.10.x.json b/schemas/route-by-header/3.10.x.json new file mode 100644 index 00000000..fb2008cd --- /dev/null +++ b/schemas/route-by-header/3.10.x.json @@ -0,0 +1,78 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "rules": { + "default": [ + + ], + "description": "Route by header rules.", + "elements": { + "type": "record", + "fields": [ + { + "upstream_name": { + "required": true, + "type": "string" + } + }, + { + "condition": { + "values": { + "type": "string" + }, + "required": true, + "type": "map", + "keys": { + "type": "string" + }, + "len_min": 1 + } + } + ] + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/route-transformer-advanced/3.10.x.json b/schemas/route-transformer-advanced/3.10.x.json new file mode 100644 index 00000000..a640c0ff --- /dev/null +++ b/schemas/route-transformer-advanced/3.10.x.json 
@@ -0,0 +1,75 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "at_least_one_of": [ + "path", + "port", + "host" + ] + } + ], + "fields": [ + { + "path": { + "type": "string" + } + }, + { + "port": { + "type": "string" + } + }, + { + "host": { + "type": "string" + } + }, + { + "escape_path": { + "default": false, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/saml/3.10.x.json b/schemas/saml/3.10.x.json new file mode 100644 index 00000000..b9a8bf2e --- /dev/null +++ b/schemas/saml/3.10.x.json 
@@ -0,0 +1,1229 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "shorthand_fields": [ + { + "session_cookie_lifetime": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead" + }, + "type": "number" + } + }, + { + "session_cookie_idletime": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead" + }, + "type": "number" + } + }, + { + "session_cookie_samesite": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead" + }, + "type": "string" + } + }, + { + "session_cookie_httponly": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead" + }, + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_prefix is 
deprecated, please use config.session_memcached_prefix instead" + }, + "type": "string" + } + }, + { + "session_memcache_socket": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead" + }, + "type": "string" + } + }, + { + "session_memcache_host": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead" + }, + "type": "string" + } + }, + { + "session_memcache_port": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead" + }, + "type": "integer" + } + }, + { + "session_cookie_renew": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_renew option does not exist anymore" + }, + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore" + }, + "type": "integer" + } + }, + { + "session_strategy": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_strategy option does not exist anymore" + }, + "type": "string" + } + }, + { + "session_compressor": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_compressor option does not exist anymore" + }, + "type": "string" + } + }, + { + "session_auth_ttl": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_auth_ttl option does not exist anymore" + }, + "type": "number" + } + }, + { + "session_redis_prefix": { + "deprecation": { + "message": "saml: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", + 
"removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "prefix" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_socket": { + "deprecation": { + "message": "saml: config.session_redis_socket is deprecated, please use config.redis.socket instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "socket" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_host": { + "deprecation": { + "message": "saml: config.session_redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_port": { + "deprecation": { + "message": "saml: config.session_redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ] + }, + "type": "integer" + } + }, + { + "session_redis_username": { + "deprecation": { + "message": "saml: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_password": { + "deprecation": { + "message": "saml: config.session_redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_connect_timeout": { + "deprecation": { + "message": "saml: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "connect_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "session_redis_read_timeout": { + "deprecation": { + "message": "saml: 
config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "session_redis_send_timeout": { + "deprecation": { + "message": "saml: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "send_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "session_redis_ssl": { + "deprecation": { + "message": "saml: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ] + }, + "type": "boolean" + } + }, + { + "session_redis_ssl_verify": { + "deprecation": { + "message": "saml: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ] + }, + "type": "boolean" + } + }, + { + "session_redis_server_name": { + "deprecation": { + "message": "saml: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_cluster_nodes": { + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "type": "array", + "deprecation": { + "message": "saml: config.session_redis_cluster_nodes is 
deprecated, please use config.redis.cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "cluster_nodes" + ] + } + ] + } + } + }, + { + "session_redis_cluster_max_redirections": { + "deprecation": { + "message": "saml: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "cluster_max_redirections" + ] + } + ] + }, + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "deprecation": { + "message": "saml: config.session_redis_cluster_maxredirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "cluster_max_redirections" + ] + } + ] + }, + "type": "integer" + } + } + ], + "required": true, + "fields": [ + { + "assertion_consumer_path": { + "required": true, + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "starts_with": "/" + } + }, + { + "idp_sso_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": true, + "type": "string" + } + }, + { + "idp_certificate": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. 
Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "required": false + } + }, + { + "response_encryption_key": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The private encryption key required to decrypt encrypted assertions.", + "required": false + } + }, + { + "request_signing_key": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", + "required": false + } + }, + { + "request_signing_certificate": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The certificate for signing requests.", + "required": false + } + }, + { + "request_signature_algorithm": { + "required": false, + "type": "string", + "default": "SHA256", + "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "one_of": [ + "SHA256", + "SHA384", + "SHA512" + ] + } + }, + { + "request_digest_algorithm": { + "required": false, + "type": "string", + "default": "SHA256", + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", + "one_of": [ + "SHA256", + "SHA1" + ] + } + }, + { + "response_signature_algorithm": { + "required": false, + "type": "string", + "default": "SHA256", + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "one_of": [ + "SHA256", + "SHA384", + "SHA512" + ] + } + }, + { + "response_digest_algorithm": { + "required": false, + "type": "string", + "default": "SHA256", + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", + "one_of": [ + "SHA256", + "SHA1" + ] + } + }, + { + "issuer": { + "description": "The unique identifier of the IdP application. 
Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", + "required": true, + "type": "string" + } + }, + { + "nameid_format": { + "required": false, + "type": "string", + "default": "EmailAddress", + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", + "one_of": [ + "Unspecified", + "EmailAddress", + "Persistent", + "Transient" + ] + } + }, + { + "validate_assertion_signature": { + "default": true, + "description": "Enable signature validation for SAML responses.", + "required": false, + "type": "boolean" + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", + "required": false, + "type": "string" + } + }, + { + "session_secret": { + "len_max": 32, + "match": "^[0-9a-zA-Z/_+]+$", + "referenceable": true, + "type": "string", + "required": true, + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). 
It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "encrypted": true, + "len_min": 32 + } + }, + { + "session_audience": { + "default": "default", + "description": "The session audience, for example \"my-application\"", + "required": false, + "type": "string" + } + }, + { + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "required": false, + "type": "string" + } + }, + { + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions", + "required": false, + "type": "boolean" + } + }, + { + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name", + "required": false, + "type": "string" + } + }, + { + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Persistent session rolling timeout in seconds.", + "required": false, + "type": "number" + } + }, + { + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Persistent session absolute timeout in seconds.", + "required": false, + "type": "number" + } + }, + { + "session_idling_timeout": { + "default": 900, + "description": "The session cookie idle time in seconds.", + "required": false, + "type": "number" + } + }, + { + "session_rolling_timeout": { + "default": 3600, + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "required": false, + "type": "number" + } + }, + { + "session_absolute_timeout": { + "default": 86400, + "description": "The session cookie absolute timeout in seconds. 
Specifies how long the session can be used until it is no longer valid.", + "required": false, + "type": "number" + } + }, + { + "session_cookie_path": { + "required": false, + "type": "string", + "default": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "starts_with": "/" + } + }, + { + "session_cookie_domain": { + "description": "The session cookie domain flag.", + "required": false, + "type": "string" + } + }, + { + "session_cookie_same_site": { + "required": false, + "type": "string", + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "required": false, + "type": "boolean" + } + }, + { + "session_cookie_secure": { + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "required": false, + "type": "boolean" + } + }, + { + "session_request_headers": { + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "type": "set" + } + }, + { + "session_response_headers": { + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "type": "set" + } + }, + { + "session_storage": { + "required": false, + "type": 
"string", + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", + "one_of": [ + "cookie", + "memcache", + "memcached", + "redis" + ] + } + }, + { + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", + "required": false, + "type": "boolean" + } + }, + { + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "required": false, + "type": "boolean" + } + }, + { + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "required": false, + "type": "boolean" + } + }, + { + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "required": false, + "type": "boolean" + } + }, + { + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "required": false, + "type": "string" + } + }, + { + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "required": false, + "type": "string" + } + }, + { + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "required": false, + "type": "string" + } + }, + { + "session_memcached_port": { + "between": [ + 0, + 65535 + ], + "required": false, + "type": "integer", + "default": 11211, + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ 
+ "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. 
If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "one_of": [ + "master", + "slave", + "any" + ], + "type": "string" + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ], + "type": "record" + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ], + "type": "record" + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + }, + { + "prefix": { + "description": "The Redis session key prefix.", + "required": false, + "type": "string" + } + }, + { + "socket": { + "description": "The Redis unix socket path.", + "required": false, + "type": "string" + } + } + ] + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/service-protection/3.10.x.json b/schemas/service-protection/3.10.x.json new file mode 100644 index 00000000..c53e3deb --- /dev/null +++ b/schemas/service-protection/3.10.x.json 
@@ -0,0 +1,543 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "route": { + "reference": "routes", + "eq": null, + "type": "foreign", + "description": "A reference to the 'routes' table with a null value allowed." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "window_size": { + "elements": { + "type": "number" + }, + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "required": true, + "type": "array" + } + }, + { + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "type": "string", + "one_of": [ + "fixed", + "sliding" + ] + } + }, + { + "limit": { + "elements": { + "type": "number" + }, + "description": "One or more requests-per-window limits to apply. 
There must be a matching number of window limits and sizes specified.", + "required": true, + "type": "array" + } + }, + { + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + } + }, + { + "namespace": { + "auto": true, + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", + "required": true, + "type": "string" + } + }, + { + "strategy": { + "required": true, + "type": "string", + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "one_of": [ + "cluster", + "redis", + "local" + ] + } + }, + { + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "required": true, + "type": "string" + } + }, + { + "lock_dictionary_name": { + "default": "kong_locks", + "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. 
The shared dictionary should be declared in nginx-kong.conf.", + "required": true, + "type": "string" + } + }, + { + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" + } + }, + { + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + 
"send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. 
If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + } + ] + } + }, + { + "disable_penalty": { + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", + "type": "boolean" + } + }, + { + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "gt": 0, + "type": "number" + } + }, + { + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file 
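Review bot: In the `redis` record under `config`, `ssl` and `ssl_verify` both default to `false`, and neither description says what that means for the `password` and `sentinel_password` fields declared earlier in the same record. With `strategy` set to `redis` and these defaults left in place, the AUTH credentials and counter data would presumably travel to Redis without TLS, and turning on `ssl` alone still leaves the server certificate unchecked. This file is a downloaded schema, so the wording has to change upstream rather than in the dump; I would extend the `ssl` description to `If set to true, uses SSL to connect to Redis. Defaults to false, in which case credentials and counters are sent unencrypted.` and say on `ssl_verify` that it should be enabled together with `ssl`. The same defaults appear in the `redis` record at the end of the preceding file's hunk, which starts outside this view.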
diff --git a/schemas/session/3.10.x.json b/schemas/session/3.10.x.json new file mode 100644 index 00000000..cf9a5e2d --- /dev/null +++ b/schemas/session/3.10.x.json 
@@ -0,0 +1,302 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "secret": { + "encrypted": true, + "referenceable": true, + "type": "string", + "default": "lt9BJW1n5RfhCxTbNIKqsj8THW7YNdXTA0VW6KQwBUwg", + "description": "The secret that is used in keyed HMAC generation.", + "required": false + } + }, + { + "storage": { + "default": "cookie", + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", + "type": "string", + "one_of": [ + "cookie", + "kong" + ] + } + }, + { + "audience": { + "default": "default", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "type": "string" + } + }, + { + "idling_timeout": { + "default": 900, + "description": "The session cookie idle time, in seconds.", + "type": "number" + } + }, + { + "rolling_timeout": { + "default": 3600, + "description": "The session cookie rolling timeout, in seconds. 
Specifies how long the session can be used until it needs to be renewed.", + "type": "number" + } + }, + { + "absolute_timeout": { + "default": 86400, + "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", + "type": "number" + } + }, + { + "stale_ttl": { + "default": 10, + "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", + "type": "number" + } + }, + { + "cookie_name": { + "default": "session", + "description": "The name of the cookie.", + "type": "string" + } + }, + { + "cookie_path": { + "default": "/", + "description": "The resource in the host where the cookie is available.", + "type": "string" + } + }, + { + "cookie_domain": { + "description": "The domain with which the cookie is intended to be exchanged.", + "type": "string" + } + }, + { + "cookie_same_site": { + "default": "Strict", + "description": "Determines whether and how a cookie may be sent with cross-site requests.", + "type": "string", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "cookie_http_only": { + "default": true, + "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", + "type": "boolean" + } + }, + { + "cookie_secure": { + "default": true, + "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", + "type": "boolean" + } + }, + { + "remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean" + } + }, + { + "remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. 
Use with the `remember` configuration parameter.", + "type": "string" + } + }, + { + "remember_rolling_timeout": { + "default": 604800, + "description": "The persistent session rolling timeout window, in seconds.", + "type": "number" + } + }, + { + "remember_absolute_timeout": { + "default": 2592000, + "description": "The persistent session absolute timeout limit, in seconds.", + "type": "number" + } + }, + { + "response_headers": { + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "List of information to include, as headers, in the response to the downstream.", + "type": "set" + } + }, + { + "request_headers": { + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "List of information to include, as headers, in the response to the downstream.", + "type": "set" + } + }, + { + "read_body_for_logout": { + "default": false, + "type": "boolean" + } + }, + { + "logout_methods": { + "elements": { + "type": "string", + "one_of": [ + "GET", + "POST", + "DELETE" + ] + }, + "description": "A set of HTTP methods that the plugin will respond to.", + "default": [ + "POST", + "DELETE" + ], + "type": "set" + } + }, + { + "logout_query_arg": { + "default": "session_logout", + "description": "The query argument passed to logout requests.", + "type": "string" + } + }, + { + "logout_post_arg": { + "default": "session_logout", + "description": "The POST argument passed to logout requests. 
Do not change this property.", + "type": "string" + } + } + ], + "shorthand_fields": [ + { + "cookie_lifetime": { + "type": "number" + } + }, + { + "cookie_idletime": { + "type": "number" + } + }, + { + "cookie_renew": { + "type": "number" + } + }, + { + "cookie_discard": { + "type": "number" + } + }, + { + "cookie_samesite": { + "type": "string" + } + }, + { + "cookie_httponly": { + "type": "boolean" + } + }, + { + "cookie_persistent": { + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/standard-webhooks/3.10.x.json b/schemas/standard-webhooks/3.10.x.json new file mode 100644 index 00000000..bf13b5b6 --- /dev/null +++ b/schemas/standard-webhooks/3.10.x.json @@ -0,0 +1,63 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "secret_v1": { + "encrypted": true, + "required": true, + "type": "string", + "description": "Webhook secret", + "referenceable": true + } + }, + { + "tolerance_second": { + "required": true, + "type": "integer", + "gt": -1, + "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response.", + "default": 300 + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/statsd-advanced/3.10.x.json b/schemas/statsd-advanced/3.10.x.json new file mode 100644 index 00000000..aafa408b --- /dev/null 
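Review bot: `config.secret` in `schemas/session/3.10.x.json` ships with a literal `default` (the string beginning `lt9BJW1n…`), although its own description says it is the key used for keyed HMAC generation. A fixed value published with the docs must not be read as a usable default; it looks like a per-instance generated value that was frozen when the schema was pulled from the API, but that is an inference, since the hunk does not show how it was produced. I would have the download step drop the `default` key for `secret` (or replace it with an obvious placeholder) and change the description to `The secret that is used in keyed HMAC generation. Set a unique, randomly generated value per deployment.`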
+++ b/schemas/statsd-advanced/3.10.x.json 
@@ -0,0 +1,459 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "prefix": { + "default": "kong", + "description": "String to prefix to each metric's name.", + "type": "string" + } + }, + { + "metrics": { + "default": [ + { + "stat_type": "counter", + "sample_rate": 1, + "name": "request_count" + }, + { + "stat_type": "timer", + "name": "latency" + }, + { + "stat_type": "timer", + "name": "request_size" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count" + }, + { + "stat_type": "timer", + "name": "response_size" + }, + { + "stat_type": "set", + "name": "unique_users" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "request_per_user" + }, + { + "stat_type": "timer", + "name": "upstream_latency" + }, + { + "stat_type": "timer", + "name": "kong_latency" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count_per_user" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count_per_workspace" + }, + { + 
"stat_type": "counter", + "sample_rate": 1, + "name": "status_count_per_user_per_route" + }, + { + "stat_type": "gauge", + "sample_rate": 1, + "name": "shdict_usage" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "cache_datastore_hits_total" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "cache_datastore_misses_total" + } + ], + "description": "List of Metrics to be logged.", + "elements": { + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "unique_users" + ] + }, + "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "set" + } + } + }, + { + "conditional": { + "if_match": { + "one_of": [ + "request_count", + "status_count", + "request_per_user", + "status_count_per_user", + "status_count_per_workspace", + "status_count_per_user_per_route", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + }, + "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "counter" + } + } + }, + { + "conditional": { + "if_match": { + "one_of": [ + "shdict_usage" + ] + }, + "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "gauge" + } + } + }, + { + "conditional": { + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + } + } + } + ], + "fields": [ + { + "name": { + "type": "string", + "required": true, + "one_of": [ + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "status_count", + "status_count_per_user", + "unique_users", + "upstream_latency", + "status_count_per_workspace", + "status_count_per_user_per_route", + "shdict_usage", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + } + }, + { + "stat_type": { + "type": "string", + "required": true, + "one_of": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ] + } + }, + { + 
"sample_rate": { + "gt": 0, + "type": "number" + } + }, + { + "consumer_identifier": { + "type": "string", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + }, + { + "service_identifier": { + "type": "string", + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ] + } + }, + { + "workspace_identifier": { + "type": "string", + "one_of": [ + "workspace_id", + "workspace_name" + ] + } + } + ], + "type": "record" + }, + "type": "array" + } + }, + { + "allow_status_codes": { + "elements": { + "type": "string", + "match": "^[0-9]+-[0-9]+$" + }, + "description": "List of status code ranges that are allowed to be logged in metrics.", + "type": "array" + } + }, + { + "udp_packet_size": { + "default": 0, + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", + "between": [ + 0, + 65507 + ], + "type": "number" + } + }, + { + "use_tcp": { + "default": false, + "description": "Use TCP instead of UDP.", + "type": "boolean" + } + }, + { + "hostname_in_prefix": { + "default": false, + "description": "Include the `hostname` in the `prefix` for each metric name.", + "type": "boolean" + } + }, + { + "consumer_identifier_default": { + "required": true, + "type": "string", + "default": "custom_id", + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + }, + { + "service_identifier_default": { + "required": true, + "type": "string", + "default": "service_name_or_host", + "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. 
Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ] + } + }, + { + "workspace_identifier_default": { + "required": true, + "type": "string", + "default": "workspace_id", + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", + "one_of": [ + "workspace_id", + "workspace_name" + ] + } + }, + { + "queue": { + "fields": [ + { + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "between": [ + 0, + 3600 + ], + "type": "number" + } + }, + { + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." 
+ } + }, + { + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "type": "integer", + "one_of": [ + -1, + 1 + ] + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/statsd/3.10.x.json b/schemas/statsd/3.10.x.json new file mode 100644 index 00000000..042741d2 --- /dev/null +++ b/schemas/statsd/3.10.x.json 
@@ -0,0 +1,454 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "host": { + "default": "localhost", + "description": "The IP address or hostname of StatsD server to send data to.", + "type": "string" + } + }, + { + "port": { + "default": 8125, + "description": "The port of StatsD server to send data to.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "prefix": { + "default": "kong", + "description": "String to prefix to each metric's name.", + "type": "string" + } + }, + { + "metrics": { + "default": [ + { + "stat_type": "counter", + "sample_rate": 1, + "name": "request_count" + }, + { + "stat_type": "timer", + "name": "latency" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "request_size" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "response_size" + }, + { + "stat_type": "set", + "name": "unique_users" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "request_per_user" + }, + { + "stat_type": "timer", + "name": "upstream_latency" + }, + { + "stat_type": "timer", + "name": "kong_latency" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count_per_user" + }, + { + "stat_type": "counter", + "name": "status_count_per_workspace", + 
"sample_rate": 1 + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count_per_user_per_route" + }, + { + "stat_type": "gauge", + "sample_rate": 1, + "name": "shdict_usage" + }, + { + "stat_type": "counter", + "name": "cache_datastore_hits_total", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "cache_datastore_misses_total", + "sample_rate": 1 + } + ], + "description": "List of metrics to be logged.", + "elements": { + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + } + } + } + ], + "fields": [ + { + "name": { + "type": "string", + "description": "StatsD metric’s name.", + "required": true, + "one_of": [ + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "status_count", + "status_count_per_user", + "unique_users", + "upstream_latency", + "status_count_per_workspace", + "status_count_per_user_per_route", + "shdict_usage", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + } + }, + { + "stat_type": { + "type": "string", + "description": "Determines what sort of event a metric represents.", + "required": true, + "one_of": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ] + } + }, + { + "sample_rate": { + "gt": 0, + "description": "Sampling rate", + "type": "number" + } + }, + { + "consumer_identifier": { + "description": "Authenticated user detail.", + "type": "string", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + }, + { + "service_identifier": { + "description": "Service detail.", + "type": "string", + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ] + } + }, + { + "workspace_identifier": { + "description": "Workspace detail.", + "type": "string", + "one_of": [ + "workspace_id", + "workspace_name" + ] + } + } 
+ ], + "type": "record" + }, + "type": "array" + } + }, + { + "allow_status_codes": { + "elements": { + "type": "string", + "match": "^[0-9]+-[0-9]+$" + }, + "description": "List of status code ranges that are allowed to be logged in metrics.", + "type": "array" + } + }, + { + "udp_packet_size": { + "default": 0, + "between": [ + 0, + 65507 + ], + "type": "number" + } + }, + { + "use_tcp": { + "default": false, + "type": "boolean" + } + }, + { + "hostname_in_prefix": { + "default": false, + "type": "boolean" + } + }, + { + "consumer_identifier_default": { + "default": "custom_id", + "type": "string", + "required": true, + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + }, + { + "service_identifier_default": { + "default": "service_name_or_host", + "type": "string", + "required": true, + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ] + } + }, + { + "workspace_identifier_default": { + "default": "workspace_id", + "type": "string", + "required": true, + "one_of": [ + "workspace_id", + "workspace_name" + ] + } + }, + { + "retry_count": { + "type": "integer", + "deprecation": { + "old_default": 10, + "message": "statsd: config.retry_count no longer works, please use config.queue.max_retry_time instead", + "removal_in_version": "4.0" + } + } + }, + { + "queue_size": { + "type": "integer", + "deprecation": { + "old_default": 1, + "message": "statsd: config.queue_size is deprecated, please use config.queue.max_batch_size instead", + "removal_in_version": "4.0" + } + } + }, + { + "flush_timeout": { + "type": "number", + "deprecation": { + "old_default": 2, + "message": "statsd: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", + "removal_in_version": "4.0" + } + } + }, + { + "tag_style": { + "type": "string", + "required": false, + "one_of": [ + "dogstatsd", + "influxdb", + "librato", + "signalfx" + ] + } + }, + { + "queue": { + "fields": [ + { + "max_batch_size": { + 
"default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "between": [ + 0, + 3600 + ], + "type": "number" + } + }, + { + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + } + }, + { + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "type": "integer", + "one_of": [ + -1, + 1 + ] + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/syslog/3.10.x.json b/schemas/syslog/3.10.x.json new file mode 100644 index 00000000..27f2ac90 --- /dev/null +++ b/schemas/syslog/3.10.x.json 
@@ -0,0 +1,164 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "log_level": { + "default": "info", + "type": "string", + "required": true, + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "successful_severity": { + "default": "info", + "type": "string", + "required": true, + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "client_errors_severity": { + "default": "info", + "type": "string", + "required": true, + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "server_errors_severity": { + "default": "info", + "type": "string", + "required": true, + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "custom_fields_by_lua": { + "description": "Lua code as a key-value map", + "values": { + "len_min": 1, + "type": "string" + }, + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map" + } + }, + { + "facility": { + "required": true, + "type": "string", + "default": "user", + "description": "The facility is used by the operating system to decide how to handle each log message.", + "one_of": [ + "auth", + "authpriv", + "cron", + "daemon", + 
"ftp", + "kern", + "lpr", + "mail", + "news", + "syslog", + "user", + "uucp", + "local0", + "local1", + "local2", + "local3", + "local4", + "local5", + "local6", + "local7" + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/tcp-log/3.10.x.json b/schemas/tcp-log/3.10.x.json new file mode 100644 index 00000000..e51f9399 --- /dev/null +++ b/schemas/tcp-log/3.10.x.json 
@@ -0,0 +1,112 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "host": { + "description": "The IP address or host name to send data to.", + "required": true, + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "description": "The port to send data to on the upstream server.", + "required": true, + "type": "integer" + } + }, + { + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + } + }, + { + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "number" + } + }, + { + "tls": { + "default": false, + "description": "Indicates whether to perform a TLS handshake against the remote server.", + "required": true, + "type": "boolean" + } + }, + { + "tls_sni": { + "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake.", + "type": "string" + } + }, + { + "custom_fields_by_lua": { + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", + "values": { + "len_min": 1, + "type": "string" + }, + "keys": { + 
"type": "string", + "len_min": 1 + }, + "type": "map" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/tls-handshake-modifier/3.10.x.json b/schemas/tls-handshake-modifier/3.10.x.json new file mode 100644 index 00000000..28e50f31 --- /dev/null +++ b/schemas/tls-handshake-modifier/3.10.x.json @@ -0,0 +1,60 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "https", + "grpcs" + ], + "elements": { + "type": "string", + "one_of": [ + "https", + "grpcs", + "tls" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "tls_client_certificate": { + "required": false, + "type": "string", + "default": "REQUEST", + "description": "TLS Client Certificate", + "one_of": [ + "REQUEST" + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/tls-metadata-headers/3.10.x.json b/schemas/tls-metadata-headers/3.10.x.json new file mode 100644 index 00000000..68ca8cad --- /dev/null +++ b/schemas/tls-metadata-headers/3.10.x.json 
@@ -0,0 +1,96 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "https", + "grpcs" + ], + "elements": { + "type": "string", + "one_of": [ + "https", + "grpcs", + "tls" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "inject_client_cert_details": { + "default": false, + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", + "type": "boolean" + } + }, + { + "client_cert_header_name": { + "default": "X-Client-Cert", + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", + "required": true, + "type": "string" + } + }, + { + "client_serial_header_name": { + "default": "X-Client-Cert-Serial", + "description": "Define the HTTP header name used for the serial number of the client certificate.", + "required": true, + "type": "string" + } + }, + { + "client_cert_issuer_dn_header_name": { + "default": "X-Client-Cert-Issuer-DN", + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", + "required": true, + "type": "string" + } + }, + { + "client_cert_subject_dn_header_name": { + "default": "X-Client-Cert-Subject-DN", + "description": "Define the HTTP header name used for the subject DN of the client certificate.", + "required": true, + "type": "string" + } + }, + { + "client_cert_fingerprint_header_name": { + "default": "X-Client-Cert-Fingerprint", + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", + "required": true, + "type": "string" + } + } 
+ ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/udp-log/3.10.x.json b/schemas/udp-log/3.10.x.json new file mode 100644 index 00000000..eae6394a --- /dev/null +++ b/schemas/udp-log/3.10.x.json @@ -0,0 +1,91 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "type": "integer" + } + }, + { + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + } + }, + { + "custom_fields_by_lua": { + "description": "Lua code as a key-value map", + "values": { + "len_min": 1, + "type": "string" + }, + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/upstream-oauth/3.10.x.json b/schemas/upstream-oauth/3.10.x.json new file mode 100644 index 00000000..484a5470 --- /dev/null +++ b/schemas/upstream-oauth/3.10.x.json 
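Review bot: The `config` descriptions in schemas/tls-metadata-headers/3.10.x.json do not say what happens to a request that already carries a header named `X-Client-Cert` (or one of the other four configured names), in particular while `inject_client_cert_details` is at its default of `false`. An upstream that reads these headers as evidence of a verified client certificate needs to know whether the gateway overwrites or removes client-supplied values, and the schema alone does not show which. Once confirmed against the plugin, the `inject_client_cert_details` description could end with `Upstream services should trust these headers only on connections that come from the gateway.` The `client_cert_fingerprint_header_name` text documents a SHA1 fingerprint, so it is better described as an identifier than as a value to authenticate on. If these files are pulled from the gateway API, the wording has to change in the plugin schema upstream rather than here.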
@@ -0,0 +1,762 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "client": { + "fields": [ + { + "auth_method": { + "required": true, + "type": "string", + "default": "client_secret_post", + "description": "The authentication method used in client requests to the IdP. Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", + "one_of": [ + "client_secret_post", + "client_secret_basic", + "client_secret_jwt", + "none" + ] + } + }, + { + "client_secret_jwt_alg": { + "required": true, + "type": "string", + "default": "HS512", + "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", + "one_of": [ + "HS512", + "HS256" + ] + } + }, + { + "http_version": { + "default": 1.1, + "description": "The HTTP version used for requests made by this plugin. 
Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", + "required": false, + "type": "number" + } + }, + { + "http_proxy": { + "description": "The proxy to use when making HTTP requests to the IdP.", + "required": false, + "type": "string" + } + }, + { + "http_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `http_proxy`.", + "required": false, + "type": "string" + } + }, + { + "https_proxy": { + "description": "The proxy to use when making HTTPS requests to the IdP.", + "required": false, + "type": "string" + } + }, + { + "https_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `https_proxy`.", + "required": false, + "type": "string" + } + }, + { + "no_proxy": { + "description": "A comma-separated list of hosts that should not be proxied.", + "required": false, + "type": "string" + } + }, + { + "timeout": { + "between": [ + 0, + 2147483646 + ], + "required": true, + "type": "integer", + "default": 10000, + "description": "Network I/O timeout for requests to the IdP in milliseconds." + } + }, + { + "keep_alive": { + "default": true, + "description": "Whether to use keepalive connections to the IdP.", + "required": true, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", + "required": false, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "oauth": { + "fields": [ + { + "token_endpoint": { + "description": "The token endpoint URI.", + "required": true, + "type": "string" + } + }, + { + "token_headers": { + "values": { + "referenceable": true, + "type": "string" + }, + "description": "Extra headers to be passed in the token endpoint request.", + "keys": { + "type": "string", + "description": "A string representing an HTTP header name." 
+ }, + "type": "map" + } + }, + { + "token_post_args": { + "values": { + "referenceable": true, + "type": "string" + }, + "description": "Extra post arguments to be passed in the token endpoint request.", + "keys": { + "type": "string" + }, + "type": "map" + } + }, + { + "grant_type": { + "required": true, + "type": "string", + "default": "client_credentials", + "description": "The OAuth grant type to be used.", + "one_of": [ + "client_credentials", + "password" + ] + } + }, + { + "client_id": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The client ID for the application registration in the IdP.", + "required": false + } + }, + { + "client_secret": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The client secret for the application registration in the IdP.", + "required": false + } + }, + { + "username": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The username to use if `config.oauth.grant_type` is set to `password`.", + "required": false + } + }, + { + "password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The password to use if `config.oauth.grant_type` is set to `password`.", + "required": false + } + }, + { + "scopes": { + "required": false, + "type": "array", + "default": [ + "openid" + ], + "description": "List of scopes to request from the IdP when obtaining a new token.", + "elements": { + "type": "string" + } + } + }, + { + "audience": { + "required": false, + "type": "array", + "default": [ + + ], + "description": "List of audiences passed to the IdP when obtaining a new token.", + "elements": { + "type": "string" + } + } + } + ], + "required": true, + "type": "record" + } + }, + { + "cache": { + "fields": [ + { + "strategy": { + "required": true, + "type": "string", + "default": "memory", + "description": "The method Kong should use to cache tokens issued by the IdP.", + "one_of": [ + 
"memory", + "redis" + ] + } + }, + { + "memory": { + "fields": [ + { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The shared dictionary used by the plugin to cache tokens if `config.cache.strategy` is set to `memory`.", + "required": true, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + 
"cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + } + ] + } + }, + { + "eagerly_expire": { + "required": true, + "type": "integer", + "gt": -1, + "description": "The number of seconds to eagerly expire a cached token. By default, a cached token expires 5 seconds before its lifetime as defined in `expires_in`.", + "default": 5 + } + }, + { + "default_ttl": { + "default": 3600, + "description": "The lifetime of a token without an explicit `expires_in` value.", + "gt": 0, + "type": "number" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "behavior": { + "fields": [ + { + "upstream_access_token_header_name": { + "required": true, + "type": "string", + "default": "Authorization", + "description": "The name of the header used to send the access token (obtained from the IdP) to the upstream service.", + "len_min": 0 + } + }, + { + "idp_error_response_status_code": { + "between": [ + 500, + 599 + ], + "required": true, + "type": "integer", + "default": 502, + "description": "The response code to return to the consumer if Kong fails to obtain a token from the IdP." 
+ } + }, + { + "idp_error_response_content_type": { + "required": true, + "type": "string", + "default": "application/json; charset=utf-8", + "description": "The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "len_min": 0 + } + }, + { + "idp_error_response_message": { + "required": true, + "type": "string", + "default": "Failed to authenticate request to upstream", + "description": "The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "len_min": 0 + } + }, + { + "idp_error_response_body_template": { + "required": true, + "type": "string", + "default": "{ \"code\": \"{{status}}\", \"message\": \"{{message}}\" }", + "description": "The template to use to create the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "len_min": 0 + } + }, + { + "purge_token_on_upstream_status_codes": { + "default": [ + 401 + ], + "description": "An array of status codes which will force an access token to be purged when returned by the upstream. An empty array will disable this functionality.", + "elements": { + "between": [ + 100, + 599 + ], + "type": "integer" + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/upstream-timeout/3.10.x.json b/schemas/upstream-timeout/3.10.x.json new file mode 100644 index 00000000..d14b02ad --- /dev/null +++ b/schemas/upstream-timeout/3.10.x.json 
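Review bot: `config.client.ssl_verify` in schemas/upstream-oauth/3.10.x.json defaults to `false`, so as documented the plugin sends `client_id` and `client_secret` (and `username` and `password` for the `password` grant) to `token_endpoint` without verifying the IdP certificate unless the operator opts in. `config.cache.redis.ssl` and `ssl_verify` also default to `false` for the cache that holds the issued tokens. The description should call the default out, for example `"description": "Whether to verify the certificate presented by the IdP when using HTTPS. Defaults to false; set to true in production so that client credentials are only sent to a verified token endpoint."` Separately, the `auth_method` description lists three supported values while its `one_of` also allows `none`. If these files are pulled from the gateway API, both changes belong in the plugin schema upstream rather than here.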
@@ -0,0 +1,75 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "read_timeout": { + "between": [ + 0, + 2147483646 + ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" + } + }, + { + "send_timeout": { + "between": [ + 0, + 2147483646 + ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" + } + }, + { + "connect_timeout": { + "between": [ + 0, + 2147483646 + ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/vault-auth/3.10.x.json b/schemas/vault-auth/3.10.x.json new file mode 100644 index 00000000..d42bfd70 --- /dev/null +++ b/schemas/vault-auth/3.10.x.json 
@@ -0,0 +1,112 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "access_token_name": { + "required": true, + "type": "string", + "default": "access_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + } + } + }, + { + "secret_token_name": { + "required": true, + "type": "string", + "default": "secret_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + } + } + }, + { + "vault": { + "description": "A reference to an existing `vault` object within the database. 
`vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", + "reference": "vault_auth_vaults", + "required": true, + "type": "foreign" + } + }, + { + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", + "type": "boolean" + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "tokens_in_body": { + "default": false, + "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + } + }, + { + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/websocket-size-limit/3.10.x.json b/schemas/websocket-size-limit/3.10.x.json new file mode 100644 index 00000000..6e1e3593 --- /dev/null +++ b/schemas/websocket-size-limit/3.10.x.json 
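Review bot: In `config.access_token_name` and `config.secret_token_name` the declared `"type": "string"` contradicts both the `elements` block and the description ("an array of comma-separated parameter names"), so a reader cannot tell whether one name or a list is accepted for the credential lookup. In `tokens_in_body` the description names `application/www-form-urlencoded`, while the registered media type is `application/x-www-form-urlencoded`. The `hide_credentials` description should also say outright that with the default `false` the access and secret tokens are forwarded to the upstream service, for example by appending `Defaults to false, which leaves the credential in the proxied request.` Since this file is pulled from the API, these wording fixes presumably belong in the source schema.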
@@ -0,0 +1,68 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "default": [ + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "ws", + "wss" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "at_least_one_of": [ + "client_max_payload", + "upstream_max_payload" + ] + } + ], + "fields": [ + { + "client_max_payload": { + "between": [ + 1, + 33554432 + ], + "required": false, + "type": "integer" + } + }, + { + "upstream_max_payload": { + "between": [ + 1, + 33554432 + ], + "required": false, + "type": "integer" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/websocket-validator/3.10.x.json b/schemas/websocket-validator/3.10.x.json new file mode 100644 index 00000000..4bbf094d --- /dev/null +++ b/schemas/websocket-validator/3.10.x.json 
@@ -0,0 +1,220 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "default": [ + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "ws", + "wss" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "at_least_one_of": [ + "client", + "upstream" + ] + } + ], + "fields": [ + { + "client": { + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } + ], + "type": "record", + "required": false, + "fields": [ + { + "text": { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "type": "record", + "required": false, + "fields": [ + { + "type": { + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "required": true, + "one_of": [ + "draft4" + ] + } + }, + { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "required": true, + "type": "string" + } + } + ] + } + }, + { + "binary": { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "type": "record", + "required": false, + "fields": [ + { + "type": { + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "required": true, + "one_of": [ + "draft4" + ] + } + }, + { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. 
The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "required": true, + "type": "string" + } + } + ] + } + } + ] + } + }, + { + "upstream": { + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } + ], + "type": "record", + "required": false, + "fields": [ + { + "text": { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "type": "record", + "required": false, + "fields": [ + { + "type": { + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "required": true, + "one_of": [ + "draft4" + ] + } + }, + { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "required": true, + "type": "string" + } + } + ] + } + }, + { + "binary": { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "type": "record", + "required": false, + "fields": [ + { + "type": { + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "required": true, + "one_of": [ + "draft4" + ] + } + }, + { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "required": true, + "type": "string" + } + } + ] + } + } + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/xml-threat-protection/3.10.x.json b/schemas/xml-threat-protection/3.10.x.json new file mode 100644 index 00000000..5a48ae6a --- /dev/null +++ b/schemas/xml-threat-protection/3.10.x.json 
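Review bot: Every `type` and `schema` description under `config.client.text`, `config.client.binary` and `config.upstream.text` repeats the wording for `config.upstream.binary` ("upstream-originated binary frames", `config.upstream.binary.type`), so three of the four validators are documented as something they are not. Each description should name its own direction and frame kind, e.g. for `config.client.text.schema`: `Schema used to validate client-originated text frames. The semantics of this field depend on the validation type set by config.client.text.type.` An operator who relies on these descriptions could believe client frames are covered when only an upstream validator was configured. The text comes from the exported schema, so the correction presumably has to be made there.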
@@ -0,0 +1,300 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "max_namespaces", + "if_field": "namespace_aware", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "prefix", + "if_field": "namespace_aware", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "namespaceuri", + "if_field": "namespace_aware", + "then_match": { + "required": true + } + } + } + ], + "fields": [ + { + "checked_content_types": { + "required": true, + "type": "set", + "default": [ + "application/xml" + ], + "description": "A list of Content-Type values with payloads that must be validated.", + "elements": { + "match": "^[^%s]+%/[^ ;]+$", + "required": true, + "type": "string" + } + } + }, + { + "allowed_content_types": { + "required": true, + "type": "set", + "default": [ + + ], + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", + "elements": { + "match": "^[^%s]+%/[^ ;]+$", + "required": true, + "type": "string" + } + } + }, + { + "allow_dtd": { + "default": false, + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", + "required": true, + "type": "boolean" + } + }, + { + "namespace_aware": { + "default": true, + "description": "If not parsing namespace aware, all 
prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", + "required": true, + "type": "boolean" + } + }, + { + "max_depth": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", + "default": 50 + } + }, + { + "max_children": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", + "default": 100 + } + }, + { + "max_attributes": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", + "default": 100 + } + }, + { + "max_namespaces": { + "required": false, + "type": "integer", + "gt": 0, + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", + "default": 20 + } + }, + { + "document": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum size of the entire document.", + "default": 10485760 + } + }, + { + "buffer": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum size of the unparsed buffer (see below).", + "default": 1048576 + } + }, + { + "comment": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum size of comments.", + "default": 1024 + } + }, + { + "localname": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum size of the localname. 
This applies to tags and attributes.", + "default": 1024 + } + }, + { + "prefix": { + "required": false, + "type": "integer", + "gt": 0, + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", + "default": 1024 + } + }, + { + "namespaceuri": { + "required": false, + "type": "integer", + "gt": 0, + "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware.", + "default": 1024 + } + }, + { + "attribute": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum size of the attribute value.", + "default": 1048576 + } + }, + { + "text": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", + "default": 1048576 + } + }, + { + "pitarget": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum size of processing instruction targets.", + "default": 1024 + } + }, + { + "pidata": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum size of processing instruction data.", + "default": 1024 + } + }, + { + "entityname": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum size of entity names in EntityDecl.", + "default": 1024 + } + }, + { + "entity": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum size of entity values in EntityDecl.", + "default": 1024 + } + }, + { + "entityproperty": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", + "default": 1024 + } + }, + { + "bla_max_amplification": { + "required": true, + "type": "number", + "gt": 1, + "description": "Sets the maximum allowed amplification. 
This protects against the Billion Laughs Attack.", + "default": 100 + } + }, + { + "bla_threshold": { + "required": true, + "type": "integer", + "gt": 1024, + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", + "default": 8388608 + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/zipkin/3.10.x.json b/schemas/zipkin/3.10.x.json new file mode 100644 index 00000000..f08c4023 --- /dev/null +++ b/schemas/zipkin/3.10.x.json 
@@ -0,0 +1,421 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "local_service_name": { + "default": "kong", + "description": "The name of the service as displayed in Zipkin.", + "required": true, + "type": "string" + } + }, + { + "http_endpoint": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "sample_ratio": { + "default": 0.001, + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", + "between": [ + 0, + 1 + ], + "type": "number" + } + }, + { + "default_service_name": { + "type": "string", + "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans." 
+ } + }, + { + "include_credential": { + "default": true, + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", + "required": true, + "type": "boolean" + } + }, + { + "traceid_byte_count": { + "required": true, + "type": "integer", + "default": 16, + "description": "The length in bytes of each request's Trace ID.", + "one_of": [ + 8, + 16 + ] + } + }, + { + "header_type": { + "required": true, + "type": "string", + "default": "preserve", + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", + "one_of": [ + "preserve", + "ignore", + "b3", + "b3-single", + "w3c", + "jaeger", + "ot", + "aws", + "datadog", + "gcp" + ], + "deprecation": { + "old_default": "preserve", + "message": "zipkin: config.header_type is deprecated, please use config.propagation options instead", + "removal_in_version": "4.0" + } + } + }, + { + "default_header_type": { + "required": true, + "type": "string", + "default": "b3", + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. 
When `header_type` is set to any other value, `default_header_type` is ignored.", + "one_of": [ + "b3", + "b3-single", + "w3c", + "jaeger", + "ot", + "aws", + "datadog", + "gcp" + ], + "deprecation": { + "old_default": "b3", + "message": "zipkin: config.default_header_type is deprecated, please use config.propagation.default_format instead", + "removal_in_version": "4.0" + } + } + }, + { + "tags_header": { + "default": "Zipkin-Tags", + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", + "required": true, + "type": "string" + } + }, + { + "static_tags": { + "elements": { + "type": "record", + "fields": [ + { + "name": { + "not_one_of": [ + "error", + "http.method", + "http.path", + "http.status_code", + "kong.balancer.state", + "kong.balancer.try", + "kong.consumer", + "kong.credential", + "kong.node.id", + "kong.route", + "kong.service", + "lc", + "peer.hostname" + ], + "required": true, + "type": "string" + } + }, + { + "value": { + "required": true, + "type": "string" + } + } + ] + }, + "description": "The tags specified on this property will be added to the generated request traces.", + "type": "array" + } + }, + { + "http_span_name": { + "required": true, + "type": "string", + "default": "method", + "description": "Specify whether to include the HTTP path in the span name.", + "one_of": [ + "method", + "method_path" + ] + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "http_response_header_for_traceid": { + "type": "string" + } + }, + { + "phase_duration_flavor": { + "required": true, + "type": "string", + "default": "annotations", + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", + "one_of": [ + "annotations", + "tags" + ] + } + }, + { + "queue": { + "fields": [ + { + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "between": [ + 0, + 3600 + ], + "type": "number" + } + }, + { + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." 
+ } + }, + { + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "type": "integer", + "one_of": [ + -1, + 1 + ] + } + } + ], + "required": true, + "type": "record" + } + }, + { + "propagation": { + "default": { + "default_format": "b3" + }, + "fields": [ + { + "extract": { + "elements": { + "type": "string", + "one_of": [ + "gcp", + "jaeger", + "aws", + "ot", + "w3c", + "datadog", + "b3" + ] + }, + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "type": "array" + } + }, + { + "clear": { + "elements": { + "type": "string" + }, + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. 
If left empty, no headers are cleared.", + "type": "array" + } + }, + { + "inject": { + "elements": { + "type": "string", + "one_of": [ + "preserve", + "gcp", + "b3-single", + "jaeger", + "aws", + "ot", + "w3c", + "datadog", + "b3" + ] + }, + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "type": "array" + } + }, + { + "default_format": { + "type": "string", + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "required": true, + "one_of": [ + "gcp", + "b3-single", + "jaeger", + "aws", + "ot", + "w3c", + "datadog", + "b3" + ] + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file From c6b1dfa72bbce938c6af8aee89c99353d25d8999 Mon Sep 17 00:00:00 2001 
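Review bot: `config.include_credential` defaults to `true`, and its description neither mentions that default nor says what is sent, so credential metadata for the authenticated consumer leaves the gateway for the Zipkin server unless an operator turns it off. I would extend the description with `Enabled by default; set to false if credential identifiers must not appear in trace data.` and state whether the value is an identifier or the secret itself, which this schema does not show. Smaller wording points in the same hunk: `http_response_header_for_traceid` has no description, and the `concurrency_limit` description reads "number of of".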
From: kong-docs <116832528+kong-docs@users.noreply.github.com> Date: Thu, 5 Dec 2024 21:28:28 +0100 Subject: [PATCH 104/165] Copy latest examples to 3.10.x (#85) Co-authored-by: fabianrbz <715229+fabianrbz@users.noreply.github.com> --- examples/acl/_3.10.x.yaml | 6 +++ examples/acme/_3.10.x.yaml | 3 ++ examples/ai-azure-content-safety/_3.10.x.yaml | 9 ++++ examples/ai-prompt-decorator/_3.10.x.yaml | 13 ++++++ examples/ai-prompt-guard/_3.10.x.yaml | 9 ++++ examples/ai-prompt-template/_3.10.x.yaml | 23 ++++++++++ examples/ai-proxy-advanced/_3.10.x.yaml | 15 +++++++ examples/ai-proxy/_3.10.x.yaml | 12 ++++++ .../ai-rate-limiting-advanced/_3.10.x.yaml | 9 ++++ examples/ai-request-transformer/_3.10.x.yaml | 18 ++++++++ examples/ai-response-transformer/_3.10.x.yaml | 21 +++++++++ examples/ai-semantic-cache/_3.10.x.yaml | 14 ++++++ .../ai-semantic-prompt-guard/_3.10.x.yaml | 23 ++++++++++ examples/app-dynamics/_3.10.x.yaml | 2 + .../application-registration/_3.10.x.yaml | 7 +++ examples/aws-lambda/_3.10.x.yaml | 9 ++++ examples/azure-functions/_3.10.x.yaml | 6 +++ examples/basic-auth/_3.10.x.yaml | 3 ++ examples/bot-detection/_3.10.x.yaml | 4 ++ examples/canary/_3.10.x.yaml | 5 +++ examples/confluent/_3.10.x.yaml | 9 ++++ examples/correlation-id/_3.10.x.yaml | 5 +++ examples/cors/_3.10.x.yaml | 19 ++++++++ examples/datadog/_3.10.x.yaml | 6 +++ examples/degraphql/_3.10.x.yaml | 3 ++ examples/exit-transformer/_3.10.x.yaml | 4 ++ examples/file-log/_3.10.x.yaml | 3 ++ examples/forward-proxy/_3.10.x.yaml | 9 ++++ .../graphql-proxy-cache-advanced/_3.10.x.yaml | 3 ++ .../_3.10.x.yaml | 9 ++++ examples/grpc-gateway/_3.10.x.yaml | 3 ++ examples/grpc-web/_3.10.x.yaml | 3 ++ examples/header-cert-auth/_3.10.x.yaml | 7 +++ examples/hmac-auth/_3.10.x.yaml | 3 ++ examples/http-log/_3.10.x.yaml | 8 ++++ examples/injection-protection/_3.10.x.yaml | 7 +++ examples/ip-restriction/_3.10.x.yaml | 5 +++ examples/jq/_3.10.x.yaml | 3 ++ examples/json-threat-protection/_3.10.x.yaml | 11 +++++ 
examples/jwe-decrypt/_3.10.x.yaml | 4 ++ examples/jwt-signer/_3.10.x.yaml | 4 ++ examples/jwt/_3.10.x.yaml | 4 ++ examples/kafka-log/_3.10.x.yaml | 3 ++ examples/kafka-upstream/_3.10.x.yaml | 3 ++ examples/key-auth-enc/_3.10.x.yaml | 4 ++ examples/key-auth/_3.10.x.yaml | 4 ++ .../konnect-application-auth/_3.10.x.yaml | 3 ++ examples/ldap-auth-advanced/_3.10.x.yaml | 10 +++++ examples/ldap-auth/_3.10.x.yaml | 8 ++++ examples/loggly/_3.10.x.yaml | 3 ++ examples/mocking/_3.10.x.yaml | 14 ++++++ examples/mtls-auth/_3.10.x.yaml | 6 +++ examples/oas-validation/_3.10.x.yaml | 29 +++++++++++++ examples/oauth2-introspection/_3.10.x.yaml | 5 +++ examples/oauth2/_3.10.x.yaml | 9 ++++ examples/opa/_3.10.x.yaml | 5 +++ examples/openid-connect/_3.10.x.yaml | 12 ++++++ examples/opentelemetry/_3.10.x.yaml | 6 +++ examples/post-function/_3.10.x.yaml | 6 +++ examples/pre-function/_3.10.x.yaml | 6 +++ examples/prometheus/_3.10.x.yaml | 4 ++ examples/proxy-cache-advanced/_3.10.x.yaml | 11 +++++ examples/proxy-cache/_3.10.x.yaml | 12 ++++++ examples/rate-limiting-advanced/_3.10.x.yaml | 11 +++++ examples/rate-limiting/_3.10.x.yaml | 5 +++ examples/redirect/_3.10.x.yaml | 3 ++ examples/request-size-limiting/_3.10.x.yaml | 4 ++ examples/request-termination/_3.10.x.yaml | 4 ++ .../request-transformer-advanced/_3.10.x.yaml | 43 +++++++++++++++++++ examples/request-transformer/_3.10.x.yaml | 36 ++++++++++++++++ examples/request-validator/_3.10.x.yaml | 3 ++ examples/response-ratelimiting/_3.10.x.yaml | 8 ++++ .../_3.10.x.yaml | 31 +++++++++++++ examples/response-transformer/_3.10.x.yaml | 24 +++++++++++ examples/route-by-header/_3.10.x.yaml | 8 ++++ .../route-transformer-advanced/_3.10.x.yaml | 3 ++ examples/saml/_3.10.x.yaml | 12 ++++++ examples/service-protection/_3.10.x.yaml | 6 +++ examples/session/_3.10.x.yaml | 3 ++ examples/standard-webhooks/_3.10.x.yaml | 3 ++ examples/statsd-advanced/_3.10.x.yaml | 7 +++ examples/statsd/_3.10.x.yaml | 9 ++++ examples/syslog/_3.10.x.yaml | 3 ++ 
examples/tcp-log/_3.10.x.yaml | 4 ++ examples/tls-handshake-modifier/_3.10.x.yaml | 1 + examples/tls-metadata-headers/_3.10.x.yaml | 4 ++ examples/udp-log/_3.10.x.yaml | 5 +++ examples/upstream-oauth/_3.10.x.yaml | 12 ++++++ examples/upstream-timeout/_3.10.x.yaml | 5 +++ examples/vault-auth/_3.10.x.yaml | 4 ++ examples/websocket-size-limit/_3.10.x.yaml | 4 ++ examples/websocket-validator/_3.10.x.yaml | 14 ++++++ examples/xml-threat-protection/_3.10.x.yaml | 6 +++ examples/zipkin/_3.10.x.yaml | 5 +++ 94 files changed, 796 insertions(+) create mode 100644 examples/acl/_3.10.x.yaml create mode 100644 examples/acme/_3.10.x.yaml create mode 100644 examples/ai-azure-content-safety/_3.10.x.yaml create mode 100644 examples/ai-prompt-decorator/_3.10.x.yaml create mode 100644 examples/ai-prompt-guard/_3.10.x.yaml create mode 100644 examples/ai-prompt-template/_3.10.x.yaml create mode 100644 examples/ai-proxy-advanced/_3.10.x.yaml create mode 100644 examples/ai-proxy/_3.10.x.yaml create mode 100644 examples/ai-rate-limiting-advanced/_3.10.x.yaml create mode 100644 examples/ai-request-transformer/_3.10.x.yaml create mode 100644 examples/ai-response-transformer/_3.10.x.yaml create mode 100644 examples/ai-semantic-cache/_3.10.x.yaml create mode 100644 examples/ai-semantic-prompt-guard/_3.10.x.yaml create mode 100644 examples/app-dynamics/_3.10.x.yaml create mode 100644 examples/application-registration/_3.10.x.yaml create mode 100644 examples/aws-lambda/_3.10.x.yaml create mode 100644 examples/azure-functions/_3.10.x.yaml create mode 100644 examples/basic-auth/_3.10.x.yaml create mode 100644 examples/bot-detection/_3.10.x.yaml create mode 100644 examples/canary/_3.10.x.yaml create mode 100644 examples/confluent/_3.10.x.yaml create mode 100644 examples/correlation-id/_3.10.x.yaml create mode 100644 examples/cors/_3.10.x.yaml create mode 100644 examples/datadog/_3.10.x.yaml create mode 100644 examples/degraphql/_3.10.x.yaml create mode 100644 examples/exit-transformer/_3.10.x.yaml 
create mode 100644 examples/file-log/_3.10.x.yaml create mode 100644 examples/forward-proxy/_3.10.x.yaml create mode 100644 examples/graphql-proxy-cache-advanced/_3.10.x.yaml create mode 100644 examples/graphql-rate-limiting-advanced/_3.10.x.yaml create mode 100644 examples/grpc-gateway/_3.10.x.yaml create mode 100644 examples/grpc-web/_3.10.x.yaml create mode 100644 examples/header-cert-auth/_3.10.x.yaml create mode 100644 examples/hmac-auth/_3.10.x.yaml create mode 100644 examples/http-log/_3.10.x.yaml create mode 100644 examples/injection-protection/_3.10.x.yaml create mode 100644 examples/ip-restriction/_3.10.x.yaml create mode 100644 examples/jq/_3.10.x.yaml create mode 100644 examples/json-threat-protection/_3.10.x.yaml create mode 100644 examples/jwe-decrypt/_3.10.x.yaml create mode 100644 examples/jwt-signer/_3.10.x.yaml create mode 100644 examples/jwt/_3.10.x.yaml create mode 100644 examples/kafka-log/_3.10.x.yaml create mode 100644 examples/kafka-upstream/_3.10.x.yaml create mode 100644 examples/key-auth-enc/_3.10.x.yaml create mode 100644 examples/key-auth/_3.10.x.yaml create mode 100644 examples/konnect-application-auth/_3.10.x.yaml create mode 100644 examples/ldap-auth-advanced/_3.10.x.yaml create mode 100644 examples/ldap-auth/_3.10.x.yaml create mode 100644 examples/loggly/_3.10.x.yaml create mode 100644 examples/mocking/_3.10.x.yaml create mode 100644 examples/mtls-auth/_3.10.x.yaml create mode 100644 examples/oas-validation/_3.10.x.yaml create mode 100644 examples/oauth2-introspection/_3.10.x.yaml create mode 100644 examples/oauth2/_3.10.x.yaml create mode 100644 examples/opa/_3.10.x.yaml create mode 100644 examples/openid-connect/_3.10.x.yaml create mode 100644 examples/opentelemetry/_3.10.x.yaml create mode 100644 examples/post-function/_3.10.x.yaml create mode 100644 examples/pre-function/_3.10.x.yaml create mode 100644 examples/prometheus/_3.10.x.yaml create mode 100644 examples/proxy-cache-advanced/_3.10.x.yaml create mode 100644 
examples/proxy-cache/_3.10.x.yaml create mode 100644 examples/rate-limiting-advanced/_3.10.x.yaml create mode 100644 examples/rate-limiting/_3.10.x.yaml create mode 100644 examples/redirect/_3.10.x.yaml create mode 100644 examples/request-size-limiting/_3.10.x.yaml create mode 100644 examples/request-termination/_3.10.x.yaml create mode 100644 examples/request-transformer-advanced/_3.10.x.yaml create mode 100644 examples/request-transformer/_3.10.x.yaml create mode 100644 examples/request-validator/_3.10.x.yaml create mode 100644 examples/response-ratelimiting/_3.10.x.yaml create mode 100644 examples/response-transformer-advanced/_3.10.x.yaml create mode 100644 examples/response-transformer/_3.10.x.yaml create mode 100644 examples/route-by-header/_3.10.x.yaml create mode 100644 examples/route-transformer-advanced/_3.10.x.yaml create mode 100644 examples/saml/_3.10.x.yaml create mode 100644 examples/service-protection/_3.10.x.yaml create mode 100644 examples/session/_3.10.x.yaml create mode 100644 examples/standard-webhooks/_3.10.x.yaml create mode 100644 examples/statsd-advanced/_3.10.x.yaml create mode 100644 examples/statsd/_3.10.x.yaml create mode 100644 examples/syslog/_3.10.x.yaml create mode 100644 examples/tcp-log/_3.10.x.yaml create mode 100644 examples/tls-handshake-modifier/_3.10.x.yaml create mode 100644 examples/tls-metadata-headers/_3.10.x.yaml create mode 100644 examples/udp-log/_3.10.x.yaml create mode 100644 examples/upstream-oauth/_3.10.x.yaml create mode 100644 examples/upstream-timeout/_3.10.x.yaml create mode 100644 examples/vault-auth/_3.10.x.yaml create mode 100644 examples/websocket-size-limit/_3.10.x.yaml create mode 100644 examples/websocket-validator/_3.10.x.yaml create mode 100644 examples/xml-threat-protection/_3.10.x.yaml create mode 100644 examples/zipkin/_3.10.x.yaml diff --git a/examples/acl/_3.10.x.yaml b/examples/acl/_3.10.x.yaml new file mode 100644 index 00000000..a76559c0 --- /dev/null +++ b/examples/acl/_3.10.x.yaml 
@@ -0,0 +1,6 @@
+name: acl
+config:
+ allow:
+ - group1
+ - group2
+ hide_groups_header: true
diff --git a/examples/acme/_3.10.x.yaml b/examples/acme/_3.10.x.yaml
new file mode 100644
index 00000000..6b35cddc
--- /dev/null
+++ b/examples/acme/_3.10.x.yaml
@@ -0,0 +1,3 @@
+name: acme
+config:
+ account_email: example@example.com
diff --git a/examples/ai-azure-content-safety/_3.10.x.yaml b/examples/ai-azure-content-safety/_3.10.x.yaml
new file mode 100644
index 00000000..025407dc
--- /dev/null
+++ b/examples/ai-azure-content-safety/_3.10.x.yaml
@@ -0,0 +1,9 @@
+name: ai-azure-content-safety
+config:
+ content_safety_url: http//:
+ azure_use_managed_identity: false
+ reveal_failure_reason: true
+ content_safety_key: anything
+ categories:
+ - "Hate"
+ - "Violence"
\ No newline at end of file
diff --git a/examples/ai-prompt-decorator/_3.10.x.yaml b/examples/ai-prompt-decorator/_3.10.x.yaml
new file mode 100644
index 00000000..50a84994
--- /dev/null
+++ b/examples/ai-prompt-decorator/_3.10.x.yaml
@@ -0,0 +1,13 @@
+name: ai-prompt-decorator
+config:
+ prompts:
+ prepend:
+ - role: "system"
+ content: "You are data scientist, specialising in survey analytics."
+ - role: "user"
+ content: "Classify this test result set as positive, negative, or neutral."
+ - role: "assistant"
+ content: "These tests are NEUTRAL."
+ append:
+ - role: "user"
+ content: "Do not mention any real participants name in your justification."
diff --git a/examples/ai-prompt-guard/_3.10.x.yaml b/examples/ai-prompt-guard/_3.10.x.yaml
new file mode 100644
index 00000000..bd724506
--- /dev/null
+++ b/examples/ai-prompt-guard/_3.10.x.yaml
@@ -0,0 +1,9 @@
+name: ai-prompt-guard
+config:
+ allow_all_conversation_history: true
+ allow_patterns:
+ - ".*(P|p)ears.*"
+ - ".*(P|p)eaches.*"
+ deny_patterns:
+ - ".*(A|a)pples.*"
+ - ".*(O|o)ranges.*"
diff --git a/examples/ai-prompt-template/_3.10.x.yaml b/examples/ai-prompt-template/_3.10.x.yaml
new file mode 100644
index 00000000..1ed007fc
--- /dev/null
+++ b/examples/ai-prompt-template/_3.10.x.yaml
@@ -0,0 +1,23 @@
+name: ai-prompt-template
+config:
+ allow_untemplated_requests: true
+ templates:
+ - name: "developer-chat"
+ template: |-
+ {
+ "messages": [
+ {
+ "role": "system",
+ "content": "You are a {{program}} expert, in {{language}} programming language."
+ },
+ {
+ "role": "user",
+ "content": "Write me a {{program}} program."
+ }
+ ]
+ }
+ - name: "summarize-prompt"
+ template: |-
+ {
+ "prompt": "Summarize the following text for me: {{text}}"
+ }
diff --git a/examples/ai-proxy-advanced/_3.10.x.yaml b/examples/ai-proxy-advanced/_3.10.x.yaml
new file mode 100644
index 00000000..54acb74f
--- /dev/null
+++ b/examples/ai-proxy-advanced/_3.10.x.yaml
@@ -0,0 +1,15 @@
+name: ai-proxy-advanced
+config:
+ targets:
+ - route_type: llm/v1/chat
+ auth:
+ header_name: Authorization
+ header_value: Bearer token
+ model:
+ provider: openai
+ - route_type: llm/v1/chat
+ model:
+ provider: llama2
+ options:
+ llama2_format: openai
+ upstream_url: http://httpbin
diff --git a/examples/ai-proxy/_3.10.x.yaml b/examples/ai-proxy/_3.10.x.yaml
new file mode 100644
index 00000000..a16a3dd4
--- /dev/null
+++ b/examples/ai-proxy/_3.10.x.yaml
@@ -0,0 +1,12 @@
+name: ai-proxy
+config:
+ route_type: "llm/v1/chat"
+ auth:
+ header_name: "Authorization"
+ header_value: "Bearer "
+ model:
+ provider: "openai"
+ name: "gpt-4"
+ options:
+ max_tokens: 512
+ temperature: 1.0
diff --git a/examples/ai-rate-limiting-advanced/_3.10.x.yaml b/examples/ai-rate-limiting-advanced/_3.10.x.yaml
new file mode 100644
index 00000000..9831356c
--- /dev/null
+++ b/examples/ai-rate-limiting-advanced/_3.10.x.yaml
@@ -0,0 +1,9 @@
+name: ai-rate-limiting-advanced
+config:
+ llm_providers:
+ - name: openai
+ limit: 1000
+ window_size: 3600
+ - name: mistral
+ limit: 100
+ window_size: 60
diff --git a/examples/ai-request-transformer/_3.10.x.yaml b/examples/ai-request-transformer/_3.10.x.yaml
new file mode 100644
index 00000000..b8275ac7
--- /dev/null
+++ b/examples/ai-request-transformer/_3.10.x.yaml
@@ -0,0 +1,18 @@
+name: ai-request-transformer
+config:
+ prompt: "Mask any credit card numbers in my JSON message. Reply with only the JSON result."
+ transformation_extract_pattern: '\\{((.|\n)*)\\}'
+ llm:
+ route_type: "llm/v1/chat"
+ auth:
+ header_name: "Authorization"
+ header_value: "Bearer "
+ logging:
+ log_statistics: true
+ log_payloads: false
+ model:
+ provider: "openai"
+ name: "gpt-4"
+ options:
+ max_tokens: 1024
+ temperature: 1.0
diff --git a/examples/ai-response-transformer/_3.10.x.yaml b/examples/ai-response-transformer/_3.10.x.yaml
new file mode 100644
index 00000000..4c62a8e2
--- /dev/null
+++ b/examples/ai-response-transformer/_3.10.x.yaml
@@ -0,0 +1,21 @@
+name: ai-response-transformer
+config:
+ prompt: "For any city name, put the country that it's in, in brackets next to it. Reply with only the JSON result."
+ transformation_extract_pattern: '\\{((.|\n)*)\\}'
+ parse_llm_response_json_instructions: false
+ llm:
+ route_type: "llm/v1/chat"
+ auth:
+ header_name: "api-key"
+ header_value: ""
+ logging:
+ log_statistics: true
+ log_payloads: false
+ model:
+ provider: "azure"
+ name: "gpt-35-turbo"
+ options:
+ max_tokens: 1024
+ temperature: 1.0
+ azure_instance: "azure-openai-instance-name"
+ azure_deployment_id: "gpt-3-5-deployment"
diff --git a/examples/ai-semantic-cache/_3.10.x.yaml b/examples/ai-semantic-cache/_3.10.x.yaml
new file mode 100644
index 00000000..e273c72f
--- /dev/null
+++ b/examples/ai-semantic-cache/_3.10.x.yaml
@@ -0,0 +1,14 @@
+name: ai-semantic-cache
+config:
+ embeddings:
+ model:
+ provider: openai
+ name: text-embedding-3-large
+ vectordb:
+ strategy: redis
+ dimensions: 3072
+ threshold: 0.1
+ distance_metric: cosine
+ redis:
+ host: exampleredis.com
+ port: 80
diff --git a/examples/ai-semantic-prompt-guard/_3.10.x.yaml b/examples/ai-semantic-prompt-guard/_3.10.x.yaml
new file mode 100644
index 00000000..8cbb9571
--- /dev/null
+++ b/examples/ai-semantic-prompt-guard/_3.10.x.yaml
@@ -0,0 +1,23 @@
+name: ai-semantic-prompt-guard
+config:
+ embeddings:
+ auth:
+ header_name: Authorization
+ header_value: Bearer
+ model:
+ name: text-embedding-3-small
+ provider: openai
+ search:
+ threshold: 0.7
+ vectordb:
+ strategy: redis
+ distance_metric: cosine
+ threshold: 0.5
+ dimensions: 1024
+ redis:
+ host: localhost
+ port: 6379
+ rules:
+ match_all_conversation_history: true
+ allow_prompts:
+ - Questions about Kong
\ No newline at end of file
diff --git a/examples/app-dynamics/_3.10.x.yaml b/examples/app-dynamics/_3.10.x.yaml
new file mode 100644
index 00000000..fb73f97b
--- /dev/null
+++ b/examples/app-dynamics/_3.10.x.yaml
@@ -0,0 +1,2 @@
+name: app-dynamics
+config: {}
diff --git a/examples/application-registration/_3.10.x.yaml b/examples/application-registration/_3.10.x.yaml
new file mode 100644
index 00000000..a52184fb
--- /dev/null
+++ b/examples/application-registration/_3.10.x.yaml
@@ -0,0 +1,7 @@
+name: application-registration
+service: SERVICE_NAME
+config:
+ auto_approve: false
+ description:
+ display_name:
+ show_issuer: false
diff --git a/examples/aws-lambda/_3.10.x.yaml b/examples/aws-lambda/_3.10.x.yaml
new file mode 100644
index 00000000..5eddd18d
--- /dev/null
+++ b/examples/aws-lambda/_3.10.x.yaml
@@ -0,0 +1,9 @@
+name: aws-lambda
+config:
+ aws_key:
+ aws_secret:
+ aws_region:
+ aws_assume_role_arn:
+ aws_role_session_name:
+ function_name:
+ proxy_url: http://my-proxy-server:3128
diff --git a/examples/azure-functions/_3.10.x.yaml b/examples/azure-functions/_3.10.x.yaml
new file mode 100644
index 00000000..00f73c86
--- /dev/null
+++ b/examples/azure-functions/_3.10.x.yaml
@@ -0,0 +1,6 @@
+name: azure-functions
+config:
+ functionname:
+ appname:
+ hostdomain: azurewebsites.net
+ apikey:
diff --git a/examples/basic-auth/_3.10.x.yaml b/examples/basic-auth/_3.10.x.yaml
new file mode 100644
index 00000000..40fcf8c2
--- /dev/null
+++ b/examples/basic-auth/_3.10.x.yaml
@@ -0,0 +1,3 @@
+name: basic-auth
+config:
+ hide_credentials: true
diff --git a/examples/bot-detection/_3.10.x.yaml b/examples/bot-detection/_3.10.x.yaml
new file mode 100644
index 00000000..e4f2eb24
--- /dev/null
+++ b/examples/bot-detection/_3.10.x.yaml
@@ -0,0 +1,4 @@
+name: bot-detection
+config:
+ deny:
+ - helloworld
diff --git a/examples/canary/_3.10.x.yaml b/examples/canary/_3.10.x.yaml
new file mode 100644
index 00000000..928424f8
--- /dev/null
+++ b/examples/canary/_3.10.x.yaml
@@ -0,0 +1,5 @@
+name: canary
+config:
+ percentage: 50
+ upstream_host: example.com
+ upstream_port: 80
diff --git a/examples/confluent/_3.10.x.yaml b/examples/confluent/_3.10.x.yaml
new file mode 100644
index 00000000..d4bd8e82
--- /dev/null
+++ b/examples/confluent/_3.10.x.yaml
@@ -0,0 +1,9 @@
+name: confluent
+config:
+ bootstrap_servers:
+ - host: example.com
+ port: 80
+ producer_async: false
+ topic: 'kong-test'
+ cluster_api_key: CONFLUENT_CLUSTER_API_KEY
+ cluster_api_secret: CONFLUENT_CLUSTER_API_SECRET
\ No newline at end of file
diff --git a/examples/correlation-id/_3.10.x.yaml b/examples/correlation-id/_3.10.x.yaml
new file mode 100644
index 00000000..31240989
--- /dev/null
+++ b/examples/correlation-id/_3.10.x.yaml
@@ -0,0 +1,5 @@
+name: correlation-id
+config:
+ header_name: Kong-Request-ID
+ generator: uuid#counter
+ echo_downstream: false
diff --git a/examples/cors/_3.10.x.yaml b/examples/cors/_3.10.x.yaml
new file mode 100644
index 00000000..c2046281
--- /dev/null
+++ b/examples/cors/_3.10.x.yaml
@@ -0,0 +1,19 @@
+name: cors
+config:
+ origins:
+ - http://mockbin.com
+ methods:
+ - GET
+ - POST
+ headers:
+ - Accept
+ - Accept-Version
+ - Content-Length
+ - Content-MD5
+ - Content-Type
+ - Date
+ - X-Auth-Token
+ exposed_headers:
+ - X-Auth-Token
+ credentials: true
+ max_age: 3600
diff --git a/examples/datadog/_3.10.x.yaml b/examples/datadog/_3.10.x.yaml
new file mode 100644
index 00000000..957e300c
--- /dev/null
+++ b/examples/datadog/_3.10.x.yaml
@@ -0,0 +1,6 @@
+name: datadog
+config:
+ host: 127.0.0.1
+ port: 8125
+ flush_timeout: 2
+ retry_count: 10
diff --git a/examples/degraphql/_3.10.x.yaml b/examples/degraphql/_3.10.x.yaml
new file mode 100644
index 00000000..84443323
--- /dev/null
+++ b/examples/degraphql/_3.10.x.yaml
@@ -0,0 +1,3 @@
+name: degraphql
+config:
+ graphql_server_path: '/graphql'
diff --git a/examples/exit-transformer/_3.10.x.yaml b/examples/exit-transformer/_3.10.x.yaml
new file mode 100644
index 00000000..c7f0c5d4
--- /dev/null
+++ b/examples/exit-transformer/_3.10.x.yaml
@@ -0,0 +1,4 @@
+name: exit-transformer
+config:
+ functions:
+ - "return function(status, body, headers) return status, body, headers end"
diff --git a/examples/file-log/_3.10.x.yaml b/examples/file-log/_3.10.x.yaml
new file mode 100644
index 00000000..aefd2bdc
--- /dev/null
+++ b/examples/file-log/_3.10.x.yaml
@@ -0,0 +1,3 @@
+name: file-log
+config:
+ path: /tmp/file.log
diff --git a/examples/forward-proxy/_3.10.x.yaml b/examples/forward-proxy/_3.10.x.yaml
new file mode 100644
index 00000000..7fb797ca
--- /dev/null
+++ b/examples/forward-proxy/_3.10.x.yaml
@@ -0,0 +1,9 @@
+name: forward-proxy
+config:
+ http_proxy_host: example.com
+ http_proxy_port: 80
+ proxy_scheme: http
+ auth_username: example_user
+ auth_password: example_pass
+ https_verify: false
+ x_headers: transparent
diff --git a/examples/graphql-proxy-cache-advanced/_3.10.x.yaml b/examples/graphql-proxy-cache-advanced/_3.10.x.yaml
new file mode 100644
index 00000000..e1ce637b
--- /dev/null
+++ b/examples/graphql-proxy-cache-advanced/_3.10.x.yaml
@@ -0,0 +1,3 @@
+name: graphql-proxy-cache-advanced
+config:
+ strategy: memory
diff --git a/examples/graphql-rate-limiting-advanced/_3.10.x.yaml b/examples/graphql-rate-limiting-advanced/_3.10.x.yaml
new file mode 100644
index 00000000..10985f83
--- /dev/null
+++ b/examples/graphql-rate-limiting-advanced/_3.10.x.yaml
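Review bot: The `examples/forward-proxy` hunk sets `https_verify: false` next to `auth_username`/`auth_password` and `proxy_scheme: http`, so the snippet readers will copy switches certificate verification off and sends the proxy credentials in clear text. Example files tend to reach production unchanged; I would ship `https_verify: true` and add a comment such as `# set to false only against a test proxy with a self-signed certificate`. The password is also better shown as an obvious placeholder than as `example_pass`, which reads like a usable value.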
@@ -0,0 +1,9 @@
+name: graphql-rate-limiting-advanced
+config:
+ limit:
+ - 5
+ window_size:
+ - 30
+ sync_rate: -1
+ namespace: example_namespace
+ strategy: cluster
diff --git a/examples/grpc-gateway/_3.10.x.yaml b/examples/grpc-gateway/_3.10.x.yaml
new file mode 100644
index 00000000..36b576ea
--- /dev/null
+++ b/examples/grpc-gateway/_3.10.x.yaml
@@ -0,0 +1,3 @@
+name: grpc-gateway
+config:
+ proto: path/to/hello.proto
diff --git a/examples/grpc-web/_3.10.x.yaml b/examples/grpc-web/_3.10.x.yaml
new file mode 100644
index 00000000..e4f2c597
--- /dev/null
+++ b/examples/grpc-web/_3.10.x.yaml
@@ -0,0 +1,3 @@
+name: grpc-web
+config:
+ proto: path/to/hello.proto
diff --git a/examples/header-cert-auth/_3.10.x.yaml b/examples/header-cert-auth/_3.10.x.yaml
new file mode 100644
index 00000000..0bbd7799
--- /dev/null
+++ b/examples/header-cert-auth/_3.10.x.yaml
@@ -0,0 +1,7 @@
+name: header-cert-auth
+config:
+ ca_certificates:
+ - "0D769DE8-7CC0-4541-989B-F9C23E20054C"
+ certificate_header_name: ssl-client-cert
+ certificate_header_format: base64_encoded
+ secure_source: false
\ No newline at end of file
diff --git a/examples/hmac-auth/_3.10.x.yaml b/examples/hmac-auth/_3.10.x.yaml
new file mode 100644
index 00000000..ba1ae19d
--- /dev/null
+++ b/examples/hmac-auth/_3.10.x.yaml
@@ -0,0 +1,3 @@
+name: hmac-auth
+config:
+ hide_credentials: false
diff --git a/examples/http-log/_3.10.x.yaml b/examples/http-log/_3.10.x.yaml
new file mode 100644
index 00000000..dd88c67c
--- /dev/null
+++ b/examples/http-log/_3.10.x.yaml
@@ -0,0 +1,8 @@
+name: http-log
+config:
+ http_endpoint: http://mockbin.org/bin/:id
+ method: POST
+ timeout: 1000
+ keepalive: 1000
+ flush_timeout: 2
+ retry_count: 15
diff --git a/examples/injection-protection/_3.10.x.yaml b/examples/injection-protection/_3.10.x.yaml
new file mode 100644
index 00000000..2d0e1a61
--- /dev/null
+++ b/examples/injection-protection/_3.10.x.yaml
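Review bot: `secure_source: false` in the `examples/header-cert-auth` hunk looks like the riskiest value in this batch. The plugin authenticates on a certificate read from the `ssl-client-cert` request header, and as I read the schema `secure_source` is what limits that header to requests arriving from trusted IPs; with it off, the example appears to accept the header from any client that can reach the gateway. I would show `secure_source: true` and add a comment that the header must be set, and stripped from inbound traffic, by the TLS-terminating proxy in front of Kong.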
@@ -0,0 +1,7 @@
+name: injection-protection
+config:
+ injection_types: sql
+ locations: path_and_query
+ enforcement_mode: block
+ error_status_code: 400
+ error_message: Bad Request
\ No newline at end of file
diff --git a/examples/ip-restriction/_3.10.x.yaml b/examples/ip-restriction/_3.10.x.yaml
new file mode 100644
index 00000000..4ca5298d
--- /dev/null
+++ b/examples/ip-restriction/_3.10.x.yaml
@@ -0,0 +1,5 @@
+name: ip-restriction
+config:
+ allow:
+ - 54.13.21.1
+ - 143.1.0.0/24
diff --git a/examples/jq/_3.10.x.yaml b/examples/jq/_3.10.x.yaml
new file mode 100644
index 00000000..d69ce58d
--- /dev/null
+++ b/examples/jq/_3.10.x.yaml
@@ -0,0 +1,3 @@
+name: jq
+config:
+ request_jq_program: .[0]
diff --git a/examples/json-threat-protection/_3.10.x.yaml b/examples/json-threat-protection/_3.10.x.yaml
new file mode 100644
index 00000000..787fdad7
--- /dev/null
+++ b/examples/json-threat-protection/_3.10.x.yaml
@@ -0,0 +1,11 @@
+name: json-threat-protection
+config:
+ max_body_size: 10
+ max_container_depth: 1
+ max_object_entry_count: 2
+ max_object_entry_name_length: 3
+ max_array_element_count: 4
+ max_string_value_length: 5
+ enforcement_mode: block
+ error_status_code: 400
+ error_message: BadRequest
\ No newline at end of file
diff --git a/examples/jwe-decrypt/_3.10.x.yaml b/examples/jwe-decrypt/_3.10.x.yaml
new file mode 100644
index 00000000..f413b0e5
--- /dev/null
+++ b/examples/jwe-decrypt/_3.10.x.yaml
@@ -0,0 +1,4 @@
+name: jwe-decrypt
+config:
+ key_sets:
+ - dummyID
diff --git a/examples/jwt-signer/_3.10.x.yaml b/examples/jwt-signer/_3.10.x.yaml
new file mode 100644
index 00000000..71443348
--- /dev/null
+++ b/examples/jwt-signer/_3.10.x.yaml
@@ -0,0 +1,4 @@
+name: jwt-signer
+config:
+ access_token_introspection_scopes_claim:
+ - scope
diff --git a/examples/jwt/_3.10.x.yaml b/examples/jwt/_3.10.x.yaml
new file mode 100644
index 00000000..60fd478d
--- /dev/null
+++ b/examples/jwt/_3.10.x.yaml
@@ -0,0 +1,4 @@
+name: jwt
+config:
+ uri_param_names:
+ - paramName_2.2.x
diff --git a/examples/kafka-log/_3.10.x.yaml b/examples/kafka-log/_3.10.x.yaml
new file mode 100644
index 00000000..efb1efa7
--- /dev/null
+++ b/examples/kafka-log/_3.10.x.yaml
@@ -0,0 +1,3 @@
+name: kafka-log
+config:
+ topic: TOPIC
diff --git a/examples/kafka-upstream/_3.10.x.yaml b/examples/kafka-upstream/_3.10.x.yaml
new file mode 100644
index 00000000..64ff19e5
--- /dev/null
+++ b/examples/kafka-upstream/_3.10.x.yaml
@@ -0,0 +1,3 @@
+name: kafka-upstream
+config:
+ topic: TOPIC
diff --git a/examples/key-auth-enc/_3.10.x.yaml b/examples/key-auth-enc/_3.10.x.yaml
new file mode 100644
index 00000000..9f1a6093
--- /dev/null
+++ b/examples/key-auth-enc/_3.10.x.yaml
@@ -0,0 +1,4 @@
+name: key-auth-enc
+config:
+ key_names:
+ - apikey
diff --git a/examples/key-auth/_3.10.x.yaml b/examples/key-auth/_3.10.x.yaml
new file mode 100644
index 00000000..f8ef72c5
--- /dev/null
+++ b/examples/key-auth/_3.10.x.yaml
@@ -0,0 +1,4 @@
+name: key-auth
+config:
+ key_names:
+ - apikey
diff --git a/examples/konnect-application-auth/_3.10.x.yaml b/examples/konnect-application-auth/_3.10.x.yaml
new file mode 100644
index 00000000..e54993e5
--- /dev/null
+++ b/examples/konnect-application-auth/_3.10.x.yaml
@@ -0,0 +1,3 @@
+name: konnect-application-auth
+config:
+ scope: 'uuid'
diff --git a/examples/ldap-auth-advanced/_3.10.x.yaml b/examples/ldap-auth-advanced/_3.10.x.yaml
new file mode 100644
index 00000000..5396d6cf
--- /dev/null
+++ b/examples/ldap-auth-advanced/_3.10.x.yaml
@@ -0,0 +1,10 @@
+name: ldap-auth-advanced
+config:
+ ldap_host: ldap.example.com
+ ldap_port: 389
+ start_tls: true
+ base_dn: dc=example,dc=com
+ verify_ldap_host: false
+ attribute: cn
+ cache_ttl: 60
+ header_type: ldap
diff --git a/examples/ldap-auth/_3.10.x.yaml b/examples/ldap-auth/_3.10.x.yaml
new file mode 100644
index 00000000..fe95f595
--- /dev/null
+++ b/examples/ldap-auth/_3.10.x.yaml
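Review bot: The `examples/ldap-auth-advanced` hunk enables `start_tls: true` but pairs it with `verify_ldap_host: false`, so the channel is encrypted without checking which server is on the other end, and user passwords are what travels over it. Prefer `verify_ldap_host: true` in the example. The `examples/ldap-auth` hunk that follows has the related gap: port 389 with neither `start_tls` nor `ldaps` set, which (if both default to off, as I believe) means a clear-text bind; adding `start_tls: true` and `verify_ldap_host: true` there would make both examples safe to copy.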
@@ -0,0 +1,8 @@
+name: ldap-auth
+config:
+ hide_credentials: true
+ ldap_host: ldap.example.com
+ ldap_port: 389
+ base_dn: dc=example,dc=com
+ attribute: cn
+ header_type: ldap
diff --git a/examples/loggly/_3.10.x.yaml b/examples/loggly/_3.10.x.yaml
new file mode 100644
index 00000000..186454f8
--- /dev/null
+++ b/examples/loggly/_3.10.x.yaml
@@ -0,0 +1,3 @@
+name: loggly
+config:
+ key: YOUR_LOGGLY_SERVICE_TOKEN
diff --git a/examples/mocking/_3.10.x.yaml b/examples/mocking/_3.10.x.yaml
new file mode 100644
index 00000000..549e1f46
--- /dev/null
+++ b/examples/mocking/_3.10.x.yaml
@@ -0,0 +1,14 @@
+name: mocking
+config:
+ random_delay: true
+ max_delay_time: 1
+ min_delay_time: 0.001
+ random_examples: true
+ api_specification: |
+ openapi: 3.0.1
+ info:
+ title: OpenAPI 3.0 API
+ description: This is a simple API
+ contact:
+ email: example@example.com
+ version: 1.0.0
diff --git a/examples/mtls-auth/_3.10.x.yaml b/examples/mtls-auth/_3.10.x.yaml
new file mode 100644
index 00000000..4bcdb7fd
--- /dev/null
+++ b/examples/mtls-auth/_3.10.x.yaml
@@ -0,0 +1,6 @@
+name: mtls-auth
+config:
+ ca_certificates:
+ - fdac360e-7b19-4ade-a553-6dd22937c82f
+ http_proxy_host: example
+ http_proxy_port: 80
diff --git a/examples/oas-validation/_3.10.x.yaml b/examples/oas-validation/_3.10.x.yaml
new file mode 100644
index 00000000..2eb7dc89
--- /dev/null
+++ b/examples/oas-validation/_3.10.x.yaml
@@ -0,0 +1,29 @@
+name: oas-validation
+config:
+ api_spec: |
+ openapi: 3.0.0
+ info:
+ version: "2.19.3"
+ title: Xero Finance API
+ description: The Finance API is a collection of endpoints which customers can use in the course of a loan application, which may assist lenders to gain the confidence they need to provide capital.
+ termsOfService: "https://developer.xero.com/xero-developer-platform-terms-conditions/"
+ contact:
+ name: "Xero Platform Team"
+ email: "api@xero.com"
+ url: "https://developer.xero.com"
+ license:
+ name: MIT
+ url: 'https://github.com/XeroAPI/Xero-OpenAPI/blob/master/LICENSE'
+ servers:
+ - description: Xero API servers
+ url: https://api.xero.com/finance.xro/1.0
+ paths:
+ /CashValidation:
+ get:
+ security:
+ - OAuth2: [finance.cashvalidation.read]
+ tags:
+ - Finance
+ summary: Get cash validation
+ operationId: getCashValidation
+ description: Summarizes the total cash position for each account for an org
diff --git a/examples/oauth2-introspection/_3.10.x.yaml b/examples/oauth2-introspection/_3.10.x.yaml
new file mode 100644
index 00000000..bdf723af
--- /dev/null
+++ b/examples/oauth2-introspection/_3.10.x.yaml
@@ -0,0 +1,5 @@
+name: oauth2-introspection
+config:
+ introspection_url: https://example-url.com
+ authorization_value: Basic MG9hNWlpbjpPcGVuU2VzYW1l
+ consumer_by: username
diff --git a/examples/oauth2/_3.10.x.yaml b/examples/oauth2/_3.10.x.yaml
new file mode 100644
index 00000000..d733d558
--- /dev/null
+++ b/examples/oauth2/_3.10.x.yaml
@@ -0,0 +1,9 @@
+name: oauth2
+config:
+ scopes:
+ - email
+ - phone
+ - address
+ mandatory_scope: true
+ provision_key:
+ enable_authorization_code: true
diff --git a/examples/opa/_3.10.x.yaml b/examples/opa/_3.10.x.yaml
new file mode 100644
index 00000000..51ff2b78
--- /dev/null
+++ b/examples/opa/_3.10.x.yaml
@@ -0,0 +1,5 @@
+name: opa
+config:
+ opa_host: localhost
+ opa_port: 8181
+ opa_path: /v1/data/example/kong/allowBoolean
diff --git a/examples/openid-connect/_3.10.x.yaml b/examples/openid-connect/_3.10.x.yaml
new file mode 100644
index 00000000..69f30114
--- /dev/null
+++ b/examples/openid-connect/_3.10.x.yaml
@@ -0,0 +1,12 @@
+name: openid-connect
+config:
+ auth_methods:
+ - authorization_code
+ - session
+ issuer: http://example.org
+ client_id:
+ -
+ client_secret:
+ -
+ session_secret:
+ response_mode: form_post
diff --git a/examples/opentelemetry/_3.10.x.yaml b/examples/opentelemetry/_3.10.x.yaml
new file mode 100644
index 00000000..02aeaa66
--- /dev/null
+++ b/examples/opentelemetry/_3.10.x.yaml
@@ -0,0 +1,6 @@
+name: opentelemetry
+config:
+ traces_endpoint: http://opentelemetry.collector:4318/v1/traces
+ logs_endpoint: http://opentelemetry.collector:4318/v1/logs
+ headers:
+ X-Auth-Token: secret-token
diff --git a/examples/post-function/_3.10.x.yaml b/examples/post-function/_3.10.x.yaml
new file mode 100644
index 00000000..f980a541
--- /dev/null
+++ b/examples/post-function/_3.10.x.yaml
@@ -0,0 +1,6 @@
+name: post-function
+config:
+ access:
+ - |
+ kong.log.err("foo")
+ kong.response.exit(418)
diff --git a/examples/pre-function/_3.10.x.yaml b/examples/pre-function/_3.10.x.yaml
new file mode 100644
index 00000000..62ffe4dd
--- /dev/null
+++ b/examples/pre-function/_3.10.x.yaml
@@ -0,0 +1,6 @@
+name: pre-function
+config:
+ access:
+ - |
+ kong.log.err("foo")
+ kong.response.exit(418)
diff --git a/examples/prometheus/_3.10.x.yaml b/examples/prometheus/_3.10.x.yaml
new file mode 100644
index 00000000..6b7b3b62
--- /dev/null
+++ b/examples/prometheus/_3.10.x.yaml
@@ -0,0 +1,4 @@
+name: prometheus
+config:
+ per_consumer: false
+
diff --git a/examples/proxy-cache-advanced/_3.10.x.yaml b/examples/proxy-cache-advanced/_3.10.x.yaml
new file mode 100644
index 00000000..d070db76
--- /dev/null
+++ b/examples/proxy-cache-advanced/_3.10.x.yaml
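Review bot: `issuer: http://example.org` in the `examples/openid-connect` hunk points discovery at a plain-HTTP URL, and the endpoints and signing keys the plugin goes on to trust come from that document, so the example should use `https://`. The same applies to other examples in this batch that move secrets over `http://`: `traces_endpoint` and `logs_endpoint` in `examples/opentelemetry` (sent together with an `X-Auth-Token` header), `idp_sso_url` in `examples/saml`, and `token_endpoint` in `examples/upstream-oauth`, where the client secret is posted. Switching the scheme in each example costs nothing and keeps copied configs from leaking credentials on the wire.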
@@ -0,0 +1,11 @@
+name: proxy-cache-advanced
+config:
+ response_code:
+ - 200
+ request_method:
+ - GET
+ - HEAD
+ content_type:
+ - text/plain
+ - application/json
+ strategy: memory
diff --git a/examples/proxy-cache/_3.10.x.yaml b/examples/proxy-cache/_3.10.x.yaml
new file mode 100644
index 00000000..ce185e5e
--- /dev/null
+++ b/examples/proxy-cache/_3.10.x.yaml
@@ -0,0 +1,12 @@
+name: proxy-cache
+config:
+ response_code:
+ - 200
+ request_method:
+ - GET
+ - HEAD
+ content_type:
+ - text/plain
+ - application/json
+ cache_ttl: 300
+ strategy: memory
diff --git a/examples/rate-limiting-advanced/_3.10.x.yaml b/examples/rate-limiting-advanced/_3.10.x.yaml
new file mode 100644
index 00000000..7fee7c38
--- /dev/null
+++ b/examples/rate-limiting-advanced/_3.10.x.yaml
@@ -0,0 +1,11 @@
+name: rate-limiting-advanced
+config:
+ limit:
+ - 5
+ window_size:
+ - 30
+ identifier: consumer
+ sync_rate: -1
+ namespace: example_namespace
+ strategy: local
+ hide_client_headers: false
diff --git a/examples/rate-limiting/_3.10.x.yaml b/examples/rate-limiting/_3.10.x.yaml
new file mode 100644
index 00000000..f43f89fd
--- /dev/null
+++ b/examples/rate-limiting/_3.10.x.yaml
@@ -0,0 +1,5 @@
+name: rate-limiting
+config:
+ second: 5
+ hour: 10000
+ policy: local
diff --git a/examples/redirect/_3.10.x.yaml b/examples/redirect/_3.10.x.yaml
new file mode 100644
index 00000000..5c02d0ed
--- /dev/null
+++ b/examples/redirect/_3.10.x.yaml
@@ -0,0 +1,3 @@
+name: redirect
+config:
+ location: "https://example.com"
\ No newline at end of file
diff --git a/examples/request-size-limiting/_3.10.x.yaml b/examples/request-size-limiting/_3.10.x.yaml
new file mode 100644
index 00000000..983d6d9e
--- /dev/null
+++ b/examples/request-size-limiting/_3.10.x.yaml
@@ -0,0 +1,4 @@
+name: request-size-limiting
+config:
+ allowed_payload_size: 128
+ require_content_length: false
diff --git a/examples/request-termination/_3.10.x.yaml b/examples/request-termination/_3.10.x.yaml
new file mode 100644
index 00000000..7be67818
--- /dev/null
+++ b/examples/request-termination/_3.10.x.yaml
@@ -0,0 +1,4 @@
+name: request-termination
+config:
+ status_code: 403
+ message: So long and thanks for all the fish!
diff --git a/examples/request-transformer-advanced/_3.10.x.yaml b/examples/request-transformer-advanced/_3.10.x.yaml
new file mode 100644
index 00000000..999898e7
--- /dev/null
+++ b/examples/request-transformer-advanced/_3.10.x.yaml
@@ -0,0 +1,43 @@
+name: request-transformer-advanced
+config:
+ remove:
+ headers:
+ - x-toremove
+ - x-another-one
+ remove:
+ querystring:
+ - qs-old-name:qs-new-name
+ - qs2-old-name:qs2-new-name
+ remove:
+ body:
+ - formparam-toremove
+ - formparam-another-one
+ replace:
+ body:
+ - body-param1:new-value-1
+ - body-param2:new-value-2
+ rename:
+ headers:
+ - header-old-name:header-new-name
+ - another-old-name:another-new-name
+ rename:
+ querystring:
+ - qs-old-name:qs-new-name
+ - qs2-old-name:qs2-new-name
+ rename:
+ body:
+ - param-old:param-new
+ - param2-old:param2-new
+ add:
+ headers:
+ - x-new-header:value
+ - x-another-header:something
+ add:
+ querystring:
+ - new-param:some_value
+ - another-param:some_value
+ add:
+ json_types:
+ - string
+ - boolean
+ - number
diff --git a/examples/request-transformer/_3.10.x.yaml b/examples/request-transformer/_3.10.x.yaml
new file mode 100644
index 00000000..3e9148f5
--- /dev/null
+++ b/examples/request-transformer/_3.10.x.yaml
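Review bot: The `examples/request-transformer-advanced` hunk repeats the keys `remove:`, `rename:` and `add:` three times each; indentation is flattened in this view, so I am inferring that they sit side by side under `config`. Duplicate mapping keys are not valid YAML, and parsers that tolerate them usually keep only the last occurrence, so most of the example would silently disappear and different tools may disagree on which part survives. Merge each group into one mapping the way the `examples/request-transformer` hunk does, for instance a single `remove:` with `headers:`, `querystring:` and `body:` beneath it. The second `remove:` block also lists `qs-old-name:qs-new-name` pairs that look copied from `rename`, and `examples/response-transformer-advanced` repeats `remove:` and `add:` in the same way.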
@@ -0,0 +1,36 @@
+name: request-transformer
+config:
+ remove:
+ headers:
+ - x-toremove
+ - x-another-one
+ querystring:
+ - qs-toremove
+ - qs2-toremove
+ body:
+ - formparam-toremove
+ - formparam-another-one
+ replace:
+ body:
+ - body-param1:new-value-1
+ - body-param2:new-value-2
+ rename:
+ headers:
+ - header-old-name:header-new-name
+ - another-old-name:another-new-name
+ querystring:
+ - qs-old-name:qs-new-name
+ - qs2-old-name:qs2-new-name
+ body:
+ - param-old:param-new
+ - param2-old:param2-new
+ add:
+ headers:
+ - x-new-header:value
+ - x-another-header:something
+ querystring:
+ - new-param:some_value
+ - another-param:some_value
+ body:
+ - new-form-param:some_value
+ - another-form-param:some_value
diff --git a/examples/request-validator/_3.10.x.yaml b/examples/request-validator/_3.10.x.yaml
new file mode 100644
index 00000000..89251acf
--- /dev/null
+++ b/examples/request-validator/_3.10.x.yaml
@@ -0,0 +1,3 @@
+name: request-validator
+config:
+ body_schema: '[{"name":{"type": "string", "required": true}}]'
diff --git a/examples/response-ratelimiting/_3.10.x.yaml b/examples/response-ratelimiting/_3.10.x.yaml
new file mode 100644
index 00000000..a3860b2a
--- /dev/null
+++ b/examples/response-ratelimiting/_3.10.x.yaml
@@ -0,0 +1,8 @@
+name: response-ratelimiting
+config:
+ limits:
+ limit_name:
+ limits:
+ limit_name:
+ minute: 10
+ policy: local
diff --git a/examples/response-transformer-advanced/_3.10.x.yaml b/examples/response-transformer-advanced/_3.10.x.yaml
new file mode 100644
index 00000000..4942c5c5
--- /dev/null
+++ b/examples/response-transformer-advanced/_3.10.x.yaml
@@ -0,0 +1,31 @@
+name: response-transformer-advanced
+config:
+ remove:
+ headers:
+ - x-toremove
+ - x-another-one:application/json
+ - x-list-of-values:v1,v2,v3
+ - Set-Cookie:/JSESSIONID=.*/
+ - x-another-regex://status/$/
+ - x-one-more-regex:/^/begin//
+ remove:
+ json:
+ - json-key-toremove
+ - another-json-key
+ add:
+ headers:
+ - x-new-header:value
+ - x-another-header:something
+ add:
+ json:
+ - new-json-key:some_value
+ - another-json-key:some_value
+ add:
+ json_types:
+ - string
+ - boolean
+ - number
+ append:
+ headers:
+ - x-existing-header:some_value
+ - x-another-header:some_value
diff --git a/examples/response-transformer/_3.10.x.yaml b/examples/response-transformer/_3.10.x.yaml
new file mode 100644
index 00000000..aab7075a
--- /dev/null
+++ b/examples/response-transformer/_3.10.x.yaml
@@ -0,0 +1,24 @@
+name: response-transformer
+config:
+ remove:
+ headers:
+ - x-toremove
+ - x-another-one
+ json:
+ - json-key-toremove
+ - another-json-key
+ add:
+ headers:
+ - x-new-header:value
+ - x-another-header:something
+ json:
+ - new-json-key:some_value
+ - another-json-key:some_value
+ json_types:
+ - string
+ - boolean
+ - number
+ append:
+ headers:
+ - x-existing-header:some_value
+ - x-another-header:some_value
diff --git a/examples/route-by-header/_3.10.x.yaml b/examples/route-by-header/_3.10.x.yaml
new file mode 100644
index 00000000..e2854428
--- /dev/null
+++ b/examples/route-by-header/_3.10.x.yaml
@@ -0,0 +1,8 @@
+name: route-by-header
+config:
+ rules:
+ -
+ upstream_name: bar.domain.com
+ condition:
+ location: us-east
+
diff --git a/examples/route-transformer-advanced/_3.10.x.yaml b/examples/route-transformer-advanced/_3.10.x.yaml
new file mode 100644
index 00000000..098f0994
--- /dev/null
+++ b/examples/route-transformer-advanced/_3.10.x.yaml
@@ -0,0 +1,3 @@
+name: route-transformer-advanced
+config:
+ path: /path
diff --git a/examples/saml/_3.10.x.yaml b/examples/saml/_3.10.x.yaml
new file mode 100644
index 00000000..18b41c3f
--- /dev/null
+++ b/examples/saml/_3.10.x.yaml
@@ -0,0 +1,12 @@
+name: saml
+config:
+ anonymous: anonymous
+ assertion_consumer_path: /acs-uri
+ idp_sso_url: http://example.org/sso-uri
+ validate_assertion_signature: true
+ session_secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ issuer: AzureAD_Identity_ID
+ idp_certificate: |
+ -----BEGIN CERTIFICATE-----
+
+ -----END CERTIFICATE-----
diff --git a/examples/service-protection/_3.10.x.yaml b/examples/service-protection/_3.10.x.yaml
new file mode 100644
index 00000000..c23a4120
--- /dev/null
+++ b/examples/service-protection/_3.10.x.yaml
@@ -0,0 +1,6 @@
+name: service-protection
+config:
+ window_size: 30
+ window_type: sliding
+ limit: 5
+ namespace: example_namespace
diff --git a/examples/session/_3.10.x.yaml b/examples/session/_3.10.x.yaml
new file mode 100644
index 00000000..1c5100d2
--- /dev/null
+++ b/examples/session/_3.10.x.yaml
@@ -0,0 +1,3 @@
+name: session
+config:
+ secret: opensesame
diff --git a/examples/standard-webhooks/_3.10.x.yaml b/examples/standard-webhooks/_3.10.x.yaml
new file mode 100644
index 00000000..e2e66d71
--- /dev/null
+++ b/examples/standard-webhooks/_3.10.x.yaml
@@ -0,0 +1,3 @@
+name: standard-webhooks
+config:
+ secret_v1: example-secret
diff --git a/examples/statsd-advanced/_3.10.x.yaml b/examples/statsd-advanced/_3.10.x.yaml
new file mode 100644
index 00000000..cfd68de0
--- /dev/null
+++ b/examples/statsd-advanced/_3.10.x.yaml
@@ -0,0 +1,7 @@
+name: statsd-advanced
+config:
+ host: 127.0.0.1
+ port: 8125
+ allow_status_codes:
+ - 200-205
+ - 400-499
diff --git a/examples/statsd/_3.10.x.yaml b/examples/statsd/_3.10.x.yaml
new file mode 100644
index 00000000..796222aa
--- /dev/null
+++ b/examples/statsd/_3.10.x.yaml
@@ -0,0 +1,9 @@
+name: statsd
+config:
+ host: 127.0.0.1
+ port: 8125
+ allow_status_codes:
+ - 200-205
+ - 400-499
+ flush_timeout: 2
+ retry_count: 10
diff --git a/examples/syslog/_3.10.x.yaml b/examples/syslog/_3.10.x.yaml
new file mode 100644
index 00000000..9cc23ca1
--- /dev/null
+++ b/examples/syslog/_3.10.x.yaml
@@ -0,0 +1,3 @@
+name: syslog
+config:
+ log_level: info
diff --git a/examples/tcp-log/_3.10.x.yaml b/examples/tcp-log/_3.10.x.yaml
new file mode 100644
index 00000000..4e155f5a
--- /dev/null
+++ b/examples/tcp-log/_3.10.x.yaml
@@ -0,0 +1,4 @@
+name: tcp-log
+config:
+ host: 127.0.0.1
+ port: 9999
diff --git a/examples/tls-handshake-modifier/_3.10.x.yaml b/examples/tls-handshake-modifier/_3.10.x.yaml
new file mode 100644
index 00000000..52561153
--- /dev/null
+++ b/examples/tls-handshake-modifier/_3.10.x.yaml
@@ -0,0 +1 @@
+name: tls-handshake-modifier
diff --git a/examples/tls-metadata-headers/_3.10.x.yaml b/examples/tls-metadata-headers/_3.10.x.yaml
new file mode 100644
index 00000000..98df21ec
--- /dev/null
+++ b/examples/tls-metadata-headers/_3.10.x.yaml
@@ -0,0 +1,4 @@
+name: tls-metadata-headers
+config:
+ inject_client_cert_details: true
+ client_cert_header_name: X-Forwarded-Client-Cert
diff --git a/examples/udp-log/_3.10.x.yaml b/examples/udp-log/_3.10.x.yaml
new file mode 100644
index 00000000..bfd35c0a
--- /dev/null
+++ b/examples/udp-log/_3.10.x.yaml
@@ -0,0 +1,5 @@
+name: udp-log
+config:
+ host: 127.0.0.1
+ port: 9999
+ timeout: 10000
diff --git a/examples/upstream-oauth/_3.10.x.yaml b/examples/upstream-oauth/_3.10.x.yaml
new file mode 100644
index 00000000..2c80a4ac
--- /dev/null
+++ b/examples/upstream-oauth/_3.10.x.yaml
@@ -0,0 +1,12 @@
+name: upstream-oauth
+config:
+ oauth:
+ token_endpoint: "http://test.test"
+ grant_type: client_credentials
+ client_id: CLIENT_CREDENTIALS_GRANT_POST_AUTH_CLIENT_ID
+ client_secret: CLIENT_CREDENTIALS_GRANT_POST_AUTH_CLIENT_SECRET
+ scopes:
+ - "openid"
+ - "profile"
+ behavior:
+ upstream_access_token_header_name: X-Custom-Auth
\ No newline at end of file
diff --git a/examples/upstream-timeout/_3.10.x.yaml b/examples/upstream-timeout/_3.10.x.yaml
new file mode 100644
index 00000000..962a6cdf
--- /dev/null
+++ b/examples/upstream-timeout/_3.10.x.yaml
@@ -0,0 +1,5 @@
+name: upstream-timeout
+config:
+ connect_timeout: 4000
+ send_timeout: 5000
+ read_timeout: 5000
diff --git a/examples/vault-auth/_3.10.x.yaml b/examples/vault-auth/_3.10.x.yaml
new file mode 100644
index 00000000..8a2e5285
--- /dev/null
+++ b/examples/vault-auth/_3.10.x.yaml
@@ -0,0 +1,4 @@
+name: vault-auth
+config:
+ vault:
+ id: 00000000-0000-0000-0000-000000000000
diff --git a/examples/websocket-size-limit/_3.10.x.yaml b/examples/websocket-size-limit/_3.10.x.yaml
new file mode 100644
index 00000000..7274d312
--- /dev/null
+++ b/examples/websocket-size-limit/_3.10.x.yaml
@@ -0,0 +1,4 @@
+name: websocket-size-limit
+config:
+ client_max_payload: 1024
+ upstream_max_payload: 16384
diff --git a/examples/websocket-validator/_3.10.x.yaml b/examples/websocket-validator/_3.10.x.yaml
new file mode 100644
index 00000000..12fe18ac
--- /dev/null
+++ b/examples/websocket-validator/_3.10.x.yaml
@@ -0,0 +1,14 @@
+name: websocket-validator
+config:
+ client:
+ text:
+ type: draft4
+ schema: |
+ {
+ "type": "object",
+ "properties": {
+ "foo": { "type": "string" },
+ "bar": { "type": "string" }
+ },
+ "required": [ "foo", "bar" ]
+ }
diff --git a/examples/xml-threat-protection/_3.10.x.yaml b/examples/xml-threat-protection/_3.10.x.yaml
new file mode 100644
index 00000000..a25f15fc
--- /dev/null
+++ b/examples/xml-threat-protection/_3.10.x.yaml
@@ -0,0 +1,6 @@
+name: xml-threat-protection
+config:
+ max_depth: 50
+ localname: 512
+ prefix: 512
+ namespaceuri: 1024
diff --git a/examples/zipkin/_3.10.x.yaml b/examples/zipkin/_3.10.x.yaml
new file mode 100644
index 00000000..62ab05c8
--- /dev/null
+++ b/examples/zipkin/_3.10.x.yaml
@@ -0,0 +1,5 @@
+name: zipkin
+config:
+ http_endpoint: http://your.zipkin.collector:9411/api/v2/spans
+ sample_ratio: 0.001
+ include_credential: true
From ea5c1ca9c0ead0700cf9e28fbc6de5a97d00fe98 Mon Sep 17 00:00:00 2001
From: Fabian Rodriguez
Date: Thu, 5 Dec 2024 21:28:36 +0100
Subject: [PATCH 105/165] Copy data files to 3.10 (#86)
* Add command to copy the data files
* Copy 3.9 data files to 3.10
* Add github action that runs copy_data_files
---
.github/workflows/copy-data-files.yml | 32 +++
README.md | 14 ++
data/priorities/ee/3.10.x.json | 94 ++++++++
data/priorities/oss/3.10.x.json | 47 ++++
data/referenceable_fields/3.10.x.json | 316 ++++++++++++++++++++++++++
lib/data_copier.rb | 32 +++
plugins | 12 +
7 files changed, 547 insertions(+)
create mode 100644 .github/workflows/copy-data-files.yml
create mode 100644 data/priorities/ee/3.10.x.json
create mode 100644 data/priorities/oss/3.10.x.json
create mode 100644 data/referenceable_fields/3.10.x.json
create mode 100644 lib/data_copier.rb
diff --git a/.github/workflows/copy-data-files.yml b/.github/workflows/copy-data-files.yml
new file mode 100644
index 00000000..9e96055c
--- /dev/null
+++ b/.github/workflows/copy-data-files.yml
@@ -0,0 +1,32 @@
+name: Copy Latest Data Files
+on:
+ workflow_dispatch:
+ inputs:
+ version:
+ required: true
+ type: string
+ description: |
+ Kong Gateway release, e.x. 3.4.x.
+ Used by some commands for storing files in the corresponding folder.
+
+jobs:
+ copy-data-files:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out repo
+ uses: actions/checkout@v4
+ - name: Install dependencies
+ uses: ./.github/reusable-steps/install-deps
+ - name: Run copy_data_files
+ run: |
+ bundle exec ./plugins copy_data_files --version=${{ github.event.inputs.version }}
+ - name: Create Pull Request
+ uses: peter-evans/create-pull-request@v7
+ with:
+ token: ${{ secrets.PAT }}
+ title: "Copy latest data files to ${{ github.event.inputs.version }}"
+ branch: copy-latest-data-files
+ commit-message: "Copy latest data files to ${{ github.event.inputs.version }}"
+ delete-branch: true
+ add-paths: |
+ ./data/*
diff --git a/README.md b/README.md
index bff915f6..14e2817b 100644
--- a/README.md
+++ b/README.md
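Review bot: In the `Run copy_data_files` step, `${{ github.event.inputs.version }}` is expanded into the script text before the shell runs, so any shell metacharacters in the dispatch input become part of the command rather than an argument. Passing the value through the environment avoids that: add `env:` with `VERSION: ${{ github.event.inputs.version }}` to the step and run `bundle exec ./plugins copy_data_files --version="$VERSION"`. Since the value ends up in a file name, a format check on it before the copy would also be worth adding. The next step hands `secrets.PAT` to `peter-evans/create-pull-request@v7`, which is referenced by a movable tag; pinning it to a full commit SHA keeps the token from reaching code that was not reviewed.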
@@ -129,6 +129,20 @@ For example, running: ``` copies the previous schema (assuming the previous version is `3.4.x`, it copies `./schemas/acme/3.4.x.json`) and generates a new file `./schemas/acme/3.5.x.json` +### Copy Data files + +Copies the last (ordered by version) data files file stored in `.//**/*/` and writes it to `.//**/*/`. + +| Options | Descriptions | +|--------------------------- |-----| +| `version` | **Required**. Kong Gateway release version, e.g. `3.3.x`. The new data file is named after it. | +| `source` | Path to the root folder containing the exisitng examples. Default: `./data`. | + +Example: +```bash +./plugins copy_data_files --version 3.5.x +``` + ## Updating the repo after a new release Whenever a new version of Kong Gateway is released, we need run the following commands in order. For all of them, specify all the plugins `--plugins $(ls ./schemas)` diff --git a/data/priorities/ee/3.10.x.json b/data/priorities/ee/3.10.x.json new file mode 100644 index 00000000..75c7cb74 --- /dev/null +++ b/data/priorities/ee/3.10.x.json 
@@ -0,0 +1,94 @@ +{ + "pre-function": 1000000, + "app-dynamics": 999999, + "correlation-id": 100001, + "zipkin": 100000, + "exit-transformer": 9999, + "bot-detection": 2500, + "cors": 2000, + "jwe-decrypt": 1999, + "session": 1900, + "acme": 1705, + "oauth2-introspection": 1700, + "mtls-auth": 1600, + "degraphql": 1500, + "jwt": 1450, + "oauth2": 1400, + "vault-auth": 1350, + "key-auth": 1250, + "key-auth-enc": 1250, + "ldap-auth": 1200, + "ldap-auth-advanced": 1200, + "basic-auth": 1100, + "openid-connect": 1050, + "hmac-auth": 1030, + "jwt-signer": 1020, + "saml": 1010, + "header-cert-auth": 1009, + "json-threat-protection": 1009, + "xml-threat-protection": 1008, + "injection-protection": 1007, + "websocket-validator": 1006, + "websocket-size-limit": 1003, + "request-validator": 999, + "grpc-gateway": 998, + "tls-handshake-modifier": 997, + "tls-metadata-headers": 996, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "opa": 920, + "service-protection": 915, + "rate-limiting": 910, + "rate-limiting-advanced": 910, + "ai-rate-limiting-advanced": 905, + "graphql-rate-limiting-advanced": 902, + "response-ratelimiting": 900, + "route-by-header": 850, + "oas-validation": 840, + "jq": 811, + "request-transformer-advanced": 802, + "request-transformer": 801, + "response-transformer": 800, + "response-transformer-advanced": 800, + "route-transformer-advanced": 780, + "redirect": 779, + "ai-request-transformer": 777, + "ai-semantic-prompt-guard": 775, + "ai-azure-content-safety": 774, + "ai-prompt-template": 773, + "ai-prompt-decorator": 772, + "ai-prompt-guard": 771, + "ai-proxy": 770, + "ai-proxy-advanced": 770, + "ai-response-transformer": 768, + "ai-semantic-cache": 765, + "standard-webhooks": 760, + "upstream-oauth": 760, + "confluent": 752, + "kafka-upstream": 751, + "aws-lambda": 750, + "azure-functions": 749, + "upstream-timeout": 400, + "proxy-cache": 100, + "proxy-cache-advanced": 100, + "graphql-proxy-cache-advanced": 99, + 
"forward-proxy": 50, + "canary": 20, + "opentelemetry": 14, + "prometheus": 13, + "http-log": 12, + "statsd": 11, + "statsd-advanced": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "kafka-log": 5, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "mocking": -1, + "post-function": -1000 +} \ No newline at end of file diff --git a/data/priorities/oss/3.10.x.json b/data/priorities/oss/3.10.x.json new file mode 100644 index 00000000..b5b4aa12 --- /dev/null +++ b/data/priorities/oss/3.10.x.json @@ -0,0 +1,47 @@ +{ + "pre-function": 1000000, + "correlation-id": 100001, + "zipkin": 100000, + "bot-detection": 2500, + "cors": 2000, + "session": 1900, + "acme": 1705, + "jwt": 1450, + "oauth2": 1400, + "key-auth": 1250, + "ldap-auth": 1200, + "basic-auth": 1100, + "hmac-auth": 1030, + "grpc-gateway": 998, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "rate-limiting": 910, + "response-ratelimiting": 900, + "request-transformer": 801, + "response-transformer": 800, + "redirect": 779, + "ai-request-transformer": 777, + "ai-prompt-template": 773, + "ai-prompt-decorator": 772, + "ai-prompt-guard": 771, + "ai-proxy": 770, + "ai-response-transformer": 768, + "standard-webhooks": 760, + "aws-lambda": 750, + "azure-functions": 749, + "proxy-cache": 100, + "opentelemetry": 14, + "prometheus": 13, + "http-log": 12, + "statsd": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "post-function": -1000 +} \ No newline at end of file diff --git a/data/referenceable_fields/3.10.x.json b/data/referenceable_fields/3.10.x.json new file mode 100644 index 00000000..d74a28ee --- /dev/null +++ b/data/referenceable_fields/3.10.x.json 
@@ -0,0 +1,316 @@ +{ + "acme": [ + "config.account_email", + "config.eab_kid", + "config.eab_hmac_key", + "config.storage_config.redis.username", + "config.storage_config.redis.password", + "config.storage_config.consul.token", + "config.storage_config.vault.token" + ], + "ai-azure-content-safety": [ + "config.content_safety_url", + "config.content_safety_key" + ], + "ai-proxy": [ + "config.auth.header_name", + "config.auth.header_value", + "config.auth.param_name", + "config.auth.param_value", + "config.auth.azure_client_id", + "config.auth.azure_client_secret", + "config.auth.azure_tenant_id", + "config.auth.gcp_service_account_json", + "config.auth.aws_access_key_id", + "config.auth.aws_secret_access_key" + ], + "ai-proxy-advanced": [ + "config.embeddings.auth.header_name", + "config.embeddings.auth.header_value", + "config.embeddings.auth.param_name", + "config.embeddings.auth.param_value", + "config.embeddings.auth.azure_client_id", + "config.embeddings.auth.azure_client_secret", + "config.embeddings.auth.azure_tenant_id", + "config.embeddings.auth.gcp_service_account_json", + "config.embeddings.auth.aws_access_key_id", + "config.embeddings.auth.aws_secret_access_key", + "config.vectordb.redis.username", + "config.vectordb.redis.password", + "config.vectordb.redis.sentinel_username", + "config.vectordb.redis.sentinel_password", + "config.targets.auth.header_name", + "config.targets.auth.header_value", + "config.targets.auth.param_name", + "config.targets.auth.param_value", + "config.targets.auth.azure_client_id", + "config.targets.auth.azure_client_secret", + "config.targets.auth.azure_tenant_id", + "config.targets.auth.gcp_service_account_json", + "config.targets.auth.aws_access_key_id", + "config.targets.auth.aws_secret_access_key" + ], + "ai-rate-limiting-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "ai-request-transformer": [ + "config.llm.auth.header_name", 
+ "config.llm.auth.header_value", + "config.llm.auth.param_name", + "config.llm.auth.param_value", + "config.llm.auth.azure_client_id", + "config.llm.auth.azure_client_secret", + "config.llm.auth.azure_tenant_id", + "config.llm.auth.gcp_service_account_json", + "config.llm.auth.aws_access_key_id", + "config.llm.auth.aws_secret_access_key" + ], + "ai-response-transformer": [ + "config.llm.auth.header_name", + "config.llm.auth.header_value", + "config.llm.auth.param_name", + "config.llm.auth.param_value", + "config.llm.auth.azure_client_id", + "config.llm.auth.azure_client_secret", + "config.llm.auth.azure_tenant_id", + "config.llm.auth.gcp_service_account_json", + "config.llm.auth.aws_access_key_id", + "config.llm.auth.aws_secret_access_key" + ], + "ai-semantic-cache": [ + "config.embeddings.auth.header_name", + "config.embeddings.auth.header_value", + "config.embeddings.auth.param_name", + "config.embeddings.auth.param_value", + "config.embeddings.auth.azure_client_id", + "config.embeddings.auth.azure_client_secret", + "config.embeddings.auth.azure_tenant_id", + "config.embeddings.auth.gcp_service_account_json", + "config.embeddings.auth.aws_access_key_id", + "config.embeddings.auth.aws_secret_access_key", + "config.vectordb.redis.username", + "config.vectordb.redis.password", + "config.vectordb.redis.sentinel_username", + "config.vectordb.redis.sentinel_password" + ], + "ai-semantic-prompt-guard": [ + "config.embeddings.auth.header_name", + "config.embeddings.auth.header_value", + "config.embeddings.auth.param_name", + "config.embeddings.auth.param_value", + "config.embeddings.auth.azure_client_id", + "config.embeddings.auth.azure_client_secret", + "config.embeddings.auth.azure_tenant_id", + "config.embeddings.auth.gcp_service_account_json", + "config.embeddings.auth.aws_access_key_id", + "config.embeddings.auth.aws_secret_access_key", + "config.vectordb.redis.username", + "config.vectordb.redis.password", + "config.vectordb.redis.sentinel_username", + 
"config.vectordb.redis.sentinel_password" + ], + "aws-lambda": [ + "config.aws_key", + "config.aws_secret", + "config.aws_assume_role_arn" + ], + "azure-functions": [ + "config.apikey", + "config.clientid" + ], + "confluent": [ + "config.cluster_api_key", + "config.cluster_api_secret", + "config.confluent_cloud_api_key", + "config.confluent_cloud_api_secret" + ], + "datadog": [ + "config.host" + ], + "datadog-tracing": [ + "config.endpoint" + ], + "forward-proxy": [ + "config.auth_username", + "config.auth_password" + ], + "graphql-proxy-cache-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "graphql-rate-limiting-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "http-log": [ + "config.http_endpoint", + "config.headers" + ], + "jwt-signer": [ + "config.access_token_keyset_client_username", + "config.access_token_keyset_client_password", + "config.access_token_jwks_uri_client_username", + "config.access_token_jwks_uri_client_password", + "config.channel_token_keyset_client_username", + "config.channel_token_keyset_client_password", + "config.channel_token_jwks_uri_client_username", + "config.channel_token_jwks_uri_client_password" + ], + "kafka-log": [ + "config.authentication.user", + "config.authentication.password" + ], + "kafka-upstream": [ + "config.authentication.user", + "config.authentication.password" + ], + "konnect-application-auth": [ + "config.v2_strategies.openid_connect.config.client_id", + "config.v2_strategies.openid_connect.config.client_secret", + "config.v2_strategies.openid_connect.config.client_jwk.k", + "config.v2_strategies.openid_connect.config.client_jwk.d", + "config.v2_strategies.openid_connect.config.client_jwk.p", + "config.v2_strategies.openid_connect.config.client_jwk.q", + "config.v2_strategies.openid_connect.config.client_jwk.dp", + 
"config.v2_strategies.openid_connect.config.client_jwk.dq", + "config.v2_strategies.openid_connect.config.client_jwk.qi", + "config.v2_strategies.openid_connect.config.client_jwk.oth", + "config.v2_strategies.openid_connect.config.client_jwk.r", + "config.v2_strategies.openid_connect.config.client_jwk.t", + "config.v2_strategies.openid_connect.config.login_redirect_uri", + "config.v2_strategies.openid_connect.config.logout_redirect_uri", + "config.v2_strategies.openid_connect.config.scopes", + "config.v2_strategies.openid_connect.config.introspection_headers_values", + "config.v2_strategies.openid_connect.config.session_secret", + "config.v2_strategies.openid_connect.config.redis.username", + "config.v2_strategies.openid_connect.config.redis.password", + "config.v2_strategies.openid_connect.config.redis.sentinel_username", + "config.v2_strategies.openid_connect.config.redis.sentinel_password", + "config.v2_strategies.openid_connect.config.http_proxy_authorization", + "config.v2_strategies.openid_connect.config.https_proxy_authorization", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.username", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.password", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.sentinel_username", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.sentinel_password" + ], + "ldap-auth-advanced": [ + "config.ldap_password", + "config.bind_dn" + ], + "loggly": [ + "config.key" + ], + "oauth2-introspection": [ + "config.authorization_value" + ], + "openid-connect": [ + "config.client_id", + "config.client_secret", + "config.client_jwk.k", + "config.client_jwk.d", + "config.client_jwk.p", + "config.client_jwk.q", + "config.client_jwk.dp", + "config.client_jwk.dq", + "config.client_jwk.qi", + "config.client_jwk.oth", + "config.client_jwk.r", + "config.client_jwk.t", + "config.login_redirect_uri", + "config.logout_redirect_uri", + "config.scopes", + 
"config.introspection_headers_values", + "config.session_secret", + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password", + "config.http_proxy_authorization", + "config.https_proxy_authorization", + "config.cluster_cache_redis.username", + "config.cluster_cache_redis.password", + "config.cluster_cache_redis.sentinel_username", + "config.cluster_cache_redis.sentinel_password" + ], + "opentelemetry": [ + "config.traces_endpoint", + "config.logs_endpoint", + "config.headers" + ], + "proxy-cache-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "rate-limiting": [ + "config.redis.username", + "config.redis.password" + ], + "rate-limiting-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "request-transformer-advanced": [ + "config.rename.body", + "config.rename.headers", + "config.rename.querystring", + "config.replace.body", + "config.replace.headers", + "config.replace.querystring", + "config.add.body", + "config.add.headers", + "config.add.querystring", + "config.append.body", + "config.append.headers", + "config.append.querystring" + ], + "response-ratelimiting": [ + "config.redis.username", + "config.redis.password" + ], + "saml": [ + "config.idp_certificate", + "config.response_encryption_key", + "config.request_signing_key", + "config.request_signing_certificate", + "config.session_secret", + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "service-protection": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "session": [ + "config.secret" + ], + "standard-webhooks": [ + "config.secret_v1" + ], + "upstream-oauth": [ + 
"config.oauth.token_headers", + "config.oauth.token_post_args", + "config.oauth.client_id", + "config.oauth.client_secret", + "config.oauth.username", + "config.oauth.password", + "config.cache.redis.username", + "config.cache.redis.password", + "config.cache.redis.sentinel_username", + "config.cache.redis.sentinel_password" + ] +} \ No newline at end of file diff --git a/lib/data_copier.rb b/lib/data_copier.rb new file mode 100644 index 00000000..d2a73206 --- /dev/null +++ b/lib/data_copier.rb @@ -0,0 +1,32 @@ +require 'fileutils' + +class DataCopier + def self.run!(options:) + new(options:).run! + end + + def initialize(options:) + @options = options + end + + def run! + folders = Dir.glob("#{@options['source']}/**/*").select do |path| + File.directory?(path) && Dir.glob("#{path}/*").none? { |sub| File.directory?(sub) } + end + + folders.each do |folder| + latest = find_latest(folder) + FileUtils.cp(latest, new_path(folder)) + end + end + + private + + def find_latest(folder) + Dir["#{folder}/*.json"].sort.last + end + + def new_path(folder) + [folder, "#{@options[:version]}.json"].join('/') + end +end diff --git a/plugins b/plugins index 46525e67..1a3b249c 100755 --- a/plugins +++ b/plugins @@ -2,6 +2,7 @@ require 'thor' require_relative 'lib/schema_downloader' require_relative 'lib/example_validator' +require_relative 'lib/data_copier' require_relative 'lib/example_copier' require_relative 'lib/schema_copier' require_relative 'lib/referenceable_fields' 
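Review bot: `find_latest` in lib/data_copier.rb picks the source file with `Dir["#{folder}/*.json"].sort.last`, a plain string sort, and `3.10.x.json` sorts before `3.9.x.json`, so once the 3.10 files added in this commit exist the next run would copy the 3.9 data again. Comparing parsed versions fixes it, e.g. `Dir["#{folder}/*.json"].max_by { |f| Gem::Version.new(File.basename(f, '.x.json')) }`, assuming every data file is named `<major>.<minor>.x.json`. `find_latest` also returns nil for a leaf folder with no JSON file, which makes `FileUtils.cp` raise; a `next unless latest` in the loop would skip such folders. `@options[:version]` goes into `new_path` unchecked and is fed from the workflow input, so `run!` could reject anything that does not match `/\A\d+\.\d+\.x\z/` before copying.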
@@ -74,6 +75,17 @@ class Plugins < Thor puts 'Done!' end + desc 'copy_data_files', 'Copy data files' + option :version, aliases: '-v', type: :string, required: true, desc: 'Kong Version' + option :source, aliases: '-s', type: :string, default: './data', desc: 'Source folder containing the data files' + def copy_data_files + puts 'Copying files...' + + DataCopier.run!(options:) + + puts 'Done!' + end + desc 'generate_referenceable_fields_list', 'Generates a json object listing all the referenceable fields for each plugin' option :version, aliases: '-v', type: :string, required: true, desc: 'Kong Version' option :plugins, aliases: '-p', type: :array, required: true, desc: 'List containing the name of the plugins' From ea2fa2f4659aa1c9d5d39731146c5b99609674cf Mon Sep 17 00:00:00 2001 From: Michael Heap Date: Thu, 8 Feb 2024 11:16:40 +0000 Subject: [PATCH 106/165] Add JSON schema conversion command --- lib/convert_json_schema.rb | 139 +++++++++++++++++++++++++++++++++++++ plugins | 14 ++++ 2 files changed, 153 insertions(+) create mode 100644 lib/convert_json_schema.rb diff --git a/lib/convert_json_schema.rb b/lib/convert_json_schema.rb new file mode 100644 index 00000000..59134a84 --- /dev/null +++ b/lib/convert_json_schema.rb 
@@ -0,0 +1,139 @@
+require 'json'
+
+class ConvertJsonSchema
+ def self.run!(plugins:, options:)
+ new(plugins:, options:).run!
+ end
+
+ def initialize(plugins:, options:)
+ @plugins = plugins
+ @options = options
+ end
+
+ def run!
+ schemas.each_with_object([]) do |(plugin_name, schema), fields|
+ next unless File.exist?(schema)
+
+ json_schema = JSON.parse(File.read(schema))
+
+ # TODO: Process all fields.
+ # @mheap only needs config, so that's all that's implemented
+ config = get_config_fields(json_schema)
+ json_schema = convert_to_json_schema(config)
+ json_schema = convert_required_list(json_schema)
+
+ # If an entity is required, but no children are required
+ # it's not actually required
+ json_schema = remove_object_required_optional_children(json_schema)
+
+ # Write the schema to the destination
+ FileUtils.mkdir_p("#{@options[:destination]}/#{plugin_name}")
+ dest = File.join(@options[:destination], plugin_name, "#{@options['version']}.json")
+ File.write(dest, JSON.pretty_generate(json_schema))
+ end
+ end
+
+ private
+
+ def get_config_fields(schema)
+ {
+ 'properties' => schema['fields'].select { |f| f.key?('config') }.first
+ }
+ end
+
+ def convert_to_json_schema(props)
+ # Remove required if default is set
+ props.delete("required") unless props["default"].nil?
+
+ # Loop through each field
+ props.each_with_object({}) do |(k, v), fields|
+ v = convert_type(v) if k == 'type'
+ k = 'properties' if k == 'fields'
+ k = 'minimum' if k == 'gt'
+ k = 'maximum' if k == 'lt'
+ k = 'minLength' if k == 'len_min'
+ k = 'maxLength' if k == 'len_max'
+ k = 'items' if k == 'elements'
+ k = 'pattern' if k == 'match'
+ k = 'enum' if k == 'one_of'
+
+ if (k == 'keys' || k == 'values')
+ fields['additionalProperties'] = true
+ next
+ end
+
+ if k == 'between'
+ fields['minimum'] = v.first
+ fields['maximum'] = v.last
+ next
+ end
+
+ # Remove entity checks
+ next if k == 'entity_checks'
+
+ if v.is_a?(Array) && v.first.is_a?(Hash)
+ v = v.reduce({}, :merge)
+ end
+
+ if v.is_a?(Hash)
+ v = convert_to_json_schema(v)
+ end
+
+ fields[k] = v
+ end
+ end
+
+ def convert_required_list(schema)
+ if schema['properties']
+ schema['properties'].each do |k, v|
+ if v['required']
+ schema['required'] ||= []
+ schema['required'].push(k)
+ v.delete('required')
+ end
+ if v['properties']
+ v = convert_required_list(v)
+ end
+ end
+ end
+
+ schema
+ end
+
+ def remove_object_required_optional_children(schema)
+ if schema['required'] && schema['properties']
+ unused = []
+ schema['required'].each do |k|
+ schema['properties'][k] = remove_object_required_optional_children(schema['properties'][k])
+ unused.push(k) if !schema['properties'][k]['required']
+ end
+
+ schema['required'] -= unused
+ end
+ schema
+ end
+
+
+ def convert_type(type)
+ case type
+ when 'record'
+ 'object'
+ when 'map'
+ 'object'
+ when 'set'
+ 'array'
+ else
+ type
+ end
+ end
+
+ def schemas
+ @schemas ||= @plugins.map do |plugin_name|
+ [plugin_name, schema_path(plugin_name)]
+ end
+ end
+
+ def schema_path(plugin)
+ File.join(@options['source'], plugin, "#{@options['version']}.json")
+ end
+end
diff --git a/plugins b/plugins
index 1a3b249c..6ad1f725 100755
--- a/plugins
+++ b/plugins
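Review bot: `run!` in lib/convert_json_schema.rb calls `FileUtils.mkdir_p`, but the file only has `require 'json'`, so it works only when something loaded earlier by `plugins` has already required fileutils; adding `require 'fileutils'` at the top makes the class self-contained. `next unless File.exist?(schema)` skips a missing schema without any output, so a mistyped plugin name or version looks like a successful run; a `warn "schema not found: #{schema}"` before the `next` would surface it. The `[]` passed to `each_with_object` is never used, so a plain `each` would say the same thing.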
@@ -7,6 +7,7 @@ require_relative 'lib/example_copier' require_relative 'lib/schema_copier' require_relative 'lib/referenceable_fields' require_relative 'lib/plugin_priorities' +require_relative 'lib/convert_json_schema' class Plugins < Thor class_option :verbose, :type => :boolean @@ -112,6 +113,19 @@ class Plugins < Thor puts 'Done!' end + + desc 'convert_json_schema', 'Converts Kong plugin schema to JSON schema' + option :version, aliases: '-v', type: :string, required: true, desc: 'Kong Version' + option :plugins, aliases: '-p', type: :array, required: true, desc: 'List containing the name of the plugins' + option :source, aliases: '-s', type: :string, default: './schemas', desc: 'Source folder containing the schemas' + option :destination, aliases: '--dest', type: :string, default: './json_schemas', desc: 'Destination folder where the schemas will be written' + def convert_json_schema + #puts 'Converting plugins to JSON schema...' + + ConvertJsonSchema.run!(plugins: options[:plugins], options: options) + + #puts 'Done!' + end end Plugins.start(ARGV) From e4c0fb24a0a4ac491a3451676db13821c640a5fd Mon Sep 17 00:00:00 2001 From: Michael Heap Date: Fri, 14 Jun 2024 12:12:19 +0100 Subject: [PATCH 107/165] Fix more of the schema automatically --- lib/convert_json_schema.rb | 61 ++++++++++++++++++++++++++++++++++---- 1 file changed, 55 insertions(+), 6 deletions(-) diff --git a/lib/convert_json_schema.rb b/lib/convert_json_schema.rb index 59134a84..fde317d2 100644 --- a/lib/convert_json_schema.rb +++ b/lib/convert_json_schema.rb @@ -24,7 +24,10 @@ def run! # If an entity is required, but no children are required # it's not actually required - json_schema = remove_object_required_optional_children(json_schema) + json_schema = remove_object_required_optional_children(json_schema) + + # Fix any broken defaults + json_schema = fix_broken_defaults(json_schema) # Write the schema to the destination FileUtils.mkdir_p("#{@options[:destination]}/#{plugin_name}") 
@@ -68,8 +71,27 @@ def convert_to_json_schema(props) next end - # Remove entity checks - next if k == 'entity_checks' + if k == 'uuid' && fields[k] + fields['format'] = 'uuid' + end + + # Remove unused fields + next if [ + 'entity_checks', + 'referenceable', + 'reference', + 'encrypted', + 'err', + 'unique', + 'auto', + 'match_none', + 'starts_with', + 'deprecation' + ].include?(k) + + if k == 'type' && v == 'foreign' + v = 'string' + end if v.is_a?(Array) && v.first.is_a?(Hash) v = v.reduce({}, :merge) @@ -84,19 +106,30 @@ def convert_to_json_schema(props) end def convert_required_list(schema) + + schema['required'] = [] if !schema['required'].is_a?(Array) + if schema['properties'] schema['properties'].each do |k, v| if v['required'] - schema['required'] ||= [] schema['required'].push(k) - v.delete('required') end + + # Always remove required as "required: false" is invalid too + v.delete('required') + if v['properties'] v = convert_required_list(v) end + + if v['items'] + v['items'] = convert_required_list(v['items']) + end end + end + schema end @@ -105,7 +138,9 @@ def remove_object_required_optional_children(schema) unused = [] schema['required'].each do |k| schema['properties'][k] = remove_object_required_optional_children(schema['properties'][k]) - unused.push(k) if !schema['properties'][k]['required'] + if !schema['properties'][k]['required'] || schema['properties'][k]['required'].size == 0 + unused.push(k) + end end schema['required'] -= unused @@ -113,6 +148,20 @@ def remove_object_required_optional_children(schema) schema end + def fix_broken_defaults(schema) + if schema['default'] && schema['type'] == 'object' && schema['default'].is_a?(Array) + schema.delete('default') + end + + if schema['properties'] + schema['properties'].each do |k, v| + schema['properties'][k] = fix_broken_defaults(v) + end + end + + return schema + end + def convert_type(type) case type From ac40093b91d4a4621d37fe186b49990b4846c5bb Mon Sep 17 00:00:00 2001 
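Review bot: In the `@@ -68,8 +71,27 @@` hunk, `if k == 'uuid' && fields[k]` tests `fields['uuid']`, which is not assigned until `fields[k] = v` further down in the loop body, so the branch appears never to run and `format: uuid` is never emitted; the condition probably wants `v`. `uuid` is also missing from the skip list, so it falls through and is written out as a `uuid` keyword that JSON Schema does not define. Something like `if k == 'uuid'`, `fields['format'] = 'uuid' if v`, `next` would cover both. Separately, dropping `encrypted` and `referenceable` discards the only marker of which fields hold secrets; mapping them to an annotation such as `writeOnly: true` would keep that visible to schema consumers. The enclosing `convert_to_json_schema` starts and ends outside this hunk.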
From: Michael Heap Date: Wed, 11 Sep 2024 12:36:52 +0100 Subject: [PATCH 108/165] Fix additional JSON schema generation issues --- lib/convert_json_schema.rb | 62 +++++++++++++++++++++++++++++++++++++- 1 file changed, 61 insertions(+), 1 deletion(-) diff --git a/lib/convert_json_schema.rb b/lib/convert_json_schema.rb index fde317d2..975e48ba 100644 --- a/lib/convert_json_schema.rb +++ b/lib/convert_json_schema.rb @@ -49,7 +49,7 @@ def convert_to_json_schema(props) props.delete("required") unless props["default"].nil? # Loop through each field - props.each_with_object({}) do |(k, v), fields| + props = props.each_with_object({}) do |(k, v), fields| v = convert_type(v) if k == 'type' k = 'properties' if k == 'fields' k = 'minimum' if k == 'gt' @@ -75,6 +75,7 @@ def convert_to_json_schema(props) fields['format'] = 'uuid' end + # Remove unused fields next if [ 'entity_checks', @@ -103,6 +104,15 @@ def convert_to_json_schema(props) fields[k] = v end + + if props['type'] == "number" && props['enum'] + allPropsAreIntegers = props['enum'].select { |e| e.is_a?(Integer) }.length == props['enum'].length + if allPropsAreIntegers + props['type'] = 'integer' + end + end + + props end def convert_required_list(schema) @@ -110,6 +120,14 @@ def convert_required_list(schema) schema['required'] = [] if !schema['required'].is_a?(Array) if schema['properties'] + + # Fix empty schema properties that should + # be additionalProperties = true + if schema['properties'].is_a?(Array) + schema['properties'] = {} + schema['additionalProperties'] = true + end + schema['properties'].each do |k, v| if v['required'] schema['required'].push(k) 
@@ -148,14 +166,56 @@ def remove_object_required_optional_children(schema) schema end + def fix_regex(schema) + if schema['pattern'] + # Convert Lua pattern to regex + lua_patterns = { + '%a' => '[a-zA-Z]', + '%c' => '[\x00-\x1F]', # Control characters, cannot be replaced with actual characters + '%d' => '[0-9]', + '%g' => '[\x21-\x7E]', # Printable characters, cannot be replaced with actual characters + '%l' => '[a-z]', + '%p' => '[!-/:-@[-`{-~]', # Punctuation characters + '%s' => '[\t\n\v\f\r ]', # Whitespace characters + '%u' => '[A-Z]', + '%w' => '[a-zA-Z0-9]', + '%x' => '[0-9a-fA-F]' + } + + negative_patterns = {} + lua_patterns.each do |lua_pattern, regex| + negative_patterns["[^"+lua_pattern+"]"] = "[^#{regex[1..-2]}]" + end + + lua_patterns = negative_patterns.merge(lua_patterns) + + lua_patterns.each do |lua_pattern, regex| + schema['pattern'] = schema['pattern'].gsub(lua_pattern, regex) + end + + # Escape forward slashes + schema['pattern'] = schema['pattern'].gsub('%/', '\\/') + end + if schema['items'] + schema['items'] = fix_regex(schema['items']) + end + + return schema + end + def fix_broken_defaults(schema) if schema['default'] && schema['type'] == 'object' && schema['default'].is_a?(Array) schema.delete('default') end + if schema['default'] && schema['type'] == 'array' && schema['default'].is_a?(Hash) + schema['default'] = [schema['default']] + end + if schema['properties'] schema['properties'].each do |k, v| schema['properties'][k] = fix_broken_defaults(v) + schema['properties'][k] = fix_regex(v) end end From 7c64691c3bc5033a62f5c89b803e2bffc091b3b1 Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Mon, 2 Dec 2024 12:48:01 +0100 Subject: [PATCH 109/165] Include protocols in json-schemas --- lib/convert_json_schema.rb | 4 +++- plugins | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/lib/convert_json_schema.rb b/lib/convert_json_schema.rb index 975e48ba..37c04531 100644 --- a/lib/convert_json_schema.rb 
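Review bot: `fix_regex` rewrites only the Lua character classes and the `%/` escape, so every other Lua escape (`%.`, `%*`, `%-`, `%%`) reaches the JSON Schema unchanged and means something else to a regex engine: `%.` becomes a literal percent sign followed by any character. The schemas generated later in this series show it, since the `acme` `account_email` pattern still contains `%.?`, so a validator using that pattern checks something other than what the gateway enforces. A class inside a Lua set such as `[%w_]` would also expand to nested brackets. Replacing the final substitution with a general one, `schema['pattern'] = schema['pattern'].gsub(/%([^[:alnum:]])/) { "\\#{Regexp.last_match(1)}" }`, covers the escapes, though the result should still be checked against the regex dialect the schema consumers use. The function recurses only into `items`, so the raw Lua patterns under `match_all`/`match_any` in the generated `acme` schema are not converted at all.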
+++ b/lib/convert_json_schema.rb @@ -5,6 +5,8 @@ def self.run!(plugins:, options:) new(plugins:, options:).run! end + FIELDS = %w[config protocols].freeze + def initialize(plugins:, options:) @plugins = plugins @options = options @@ -40,7 +42,7 @@ def run! def get_config_fields(schema) { - 'properties' => schema['fields'].select { |f| f.key?('config') }.first + 'properties' => schema.fetch('fields', []).select { |f| FIELDS.any? { |k| f.key?(k) } } } end diff --git a/plugins b/plugins index 6ad1f725..3259f471 100755 --- a/plugins +++ b/plugins @@ -120,11 +120,11 @@ class Plugins < Thor option :source, aliases: '-s', type: :string, default: './schemas', desc: 'Source folder containing the schemas' option :destination, aliases: '--dest', type: :string, default: './json_schemas', desc: 'Destination folder where the schemas will be written' def convert_json_schema - #puts 'Converting plugins to JSON schema...' + puts 'Converting plugins to JSON schema...' ConvertJsonSchema.run!(plugins: options[:plugins], options: options) - #puts 'Done!' + puts 'Done!' end end From c6b8982e11913a5c68d811fd65163c7754a6743c Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Mon, 2 Dec 2024 12:53:58 +0100 Subject: [PATCH 110/165] Update readme with convert_json_schema instructions --- README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/README.md b/README.md index 14e2817b..082dce31 100644 --- a/README.md +++ b/README.md 
@@ -143,6 +143,22 @@ Example: ./plugins copy_data_files --version 3.5.x ``` +### Generate JSON Schemas + +Converts schemas into JSON schemas. + +| Options | Descriptions | +|--------------------------- |-----| +| `version` | **Required**. Kong Gateway release version, e.g. `3.3.x`. The new example file is named after it. | +| `plugins` | **Required**. Space separated list of plugins to use, .e.g. `acme acl`. | +| `source` | Path to the root folder containing the exisiting schemas. Default: `./schemas`. | + +For example, running: +```bash +./plugins convert_json_schema --version 3.9.x --plugins acme +``` +converts `./schemas/acme/3.4.x.json` into a valid JSON schema and writes it to `./schemas/acme/3.5.x.json`. + ## Updating the repo after a new release Whenever a new version of Kong Gateway is released, we need run the following commands in order. For all of them, specify all the plugins `--plugins $(ls ./schemas)` From 29da4685a0f73901a819e6b0ad496c517126a8c9 Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Mon, 2 Dec 2024 13:04:35 +0100 Subject: [PATCH 111/165] Add github action that generates json schemas --- .github/workflows/generate-json-schemas.yml | 53 +++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 .github/workflows/generate-json-schemas.yml diff --git a/.github/workflows/generate-json-schemas.yml b/.github/workflows/generate-json-schemas.yml new file mode 100644 index 00000000..f2d6d82a --- /dev/null +++ b/.github/workflows/generate-json-schemas.yml 
@@ -0,0 +1,53 @@
+name: Generate json schemas
+on:
+ workflow_dispatch:
+ inputs:
+ kong-image-tag:
+ required: true
+ type: string
+ description: |
+ Kong Docker image tag to run, 3.6.1.4.
+ version:
+ required: true
+ type: string
+ description: |
+ Kong Gateway release, e.x. 3.4.x.
+ Used by some commands for storing files in the corresponding folder.
+ kong-image-name:
+ type: choice
+ description: |
+ Kong Docker image name to use, e.g. kong-gateway, kong-gateway-dev.
+ options:
+ - kong-gateway
+ - kong-gateway-dev
+
+jobs:
+ generate-json-schemas:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out repo
+ uses: actions/checkout@v4
+ - name: Install dependencies
+ uses: ./.github/reusable-steps/install-deps
+ - name: Run Kong EE
+ uses: ./.github/reusable-steps/run-kong-ee
+ with:
+ op-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+ kong-image-tag: ${{ github.event.inputs.kong-image-tag }}
+ kong-image-name: ${{ github.event.inputs.kong-image-name }}
+ - name: Run convert_json_schema
+ run: |
+ bundle exec ./plugins convert_json_schema --version=${{ github.event.inputs.version }} --plugins $(ls ./schemas) --verbose
+ - name: Create Pull Request
+ uses: peter-evans/create-pull-request@v7
+ with:
+ token: ${{ secrets.PAT }}
+ title: "Generate JSON Schemas for ${{ github.event.inputs.version }}"
+ branch: generate-json-schemas
+ commit-message: "JSON Schemas for ${{ github.event.inputs.version }}"
+ delete-branch: true
+ add-paths: |
+ ./json_schemas/*
+ - name: Cleanup
+ if: always()
+ uses: ./.github/reusable-steps/cleanup
From ac839ce5b916363a4f4af273c06f97b8d767c436 Mon Sep 17 00:00:00 2001
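Review bot: The `Run convert_json_schema` step expands `${{ github.event.inputs.version }}` directly inside the `run:` script, so the input text becomes part of the shell command before the shell parses it. Pass the input through `env:` and quote the variable, as in the block below, so the value stays data. The `Create Pull Request` step also hands `secrets.PAT` to a third-party action referenced by the mutable tag `@v7`; pinning it to a full commit SHA keeps a moved tag from receiving the token. The workflow also declares no `permissions:` block to limit the job token.

```yaml
      - name: Run convert_json_schema
        env:
          KONG_VERSION: ${{ github.event.inputs.version }}
        run: |
          bundle exec ./plugins convert_json_schema --version="$KONG_VERSION" --plugins $(ls ./schemas) --verbose
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@<FULL_COMMIT_SHA_PLACEHOLDER> # v7
        # … unchanged: with: token, title, branch, commit-message, delete-branch, add-paths …
```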
From: Fabian Rodriguez Date: Wed, 4 Dec 2024 09:32:15 +0100 Subject: [PATCH 112/165] Set foreign keys and missing descriptions to json-schemas --- config/descriptions.yaml | 1 + config/foreign_keys.yaml | 28 ++++++++++++++++ lib/convert_json_schema.rb | 17 +++++++--- lib/json_schema/foreign_keys.rb | 44 +++++++++++++++++++++++++ lib/json_schema/missing_descriptions.rb | 34 +++++++++++++++++++ 5 files changed, 119 insertions(+), 5 deletions(-) create mode 100644 config/descriptions.yaml create mode 100644 config/foreign_keys.yaml create mode 100644 lib/json_schema/foreign_keys.rb create mode 100644 lib/json_schema/missing_descriptions.rb diff --git a/config/descriptions.yaml b/config/descriptions.yaml new file mode 100644 index 00000000..5c36ecff --- /dev/null +++ b/config/descriptions.yaml @@ -0,0 +1 @@ +protocols: "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls." diff --git a/config/foreign_keys.yaml b/config/foreign_keys.yaml new file mode 100644 index 00000000..6648c961 --- /dev/null +++ b/config/foreign_keys.yaml 
@@ -0,0 +1,28 @@ +consumer: + additionalProperties: false + description: 'If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.' + properties: + id: + type: string + type: object +consumer_group: + additionalProperties: false + description: If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups + properties: + id: + type: string + type: object +route: + additionalProperties: false + description: 'If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.' + properties: + id: + type: string + type: object +service: + additionalProperties: false + description: 'If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.' + properties: + id: + type: string + type: object diff --git a/lib/convert_json_schema.rb b/lib/convert_json_schema.rb index 37c04531..7b5b5aa4 100644 --- a/lib/convert_json_schema.rb +++ b/lib/convert_json_schema.rb @@ -1,11 +1,15 @@ require 'json' +require_relative './json_schema/foreign_keys' +require_relative './json_schema/missing_descriptions' class ConvertJsonSchema def self.run!(plugins:, options:) new(plugins:, options:).run! end - FIELDS = %w[config protocols].freeze + FOREIGN_KEYS = %w[consumer consumer_group route service].freeze + BASE_FIELDS = %w[config protocols].freeze + FIELDS = (BASE_FIELDS + FOREIGN_KEYS) def initialize(plugins:, options:) @plugins = plugins 
@@ -20,9 +24,12 @@ def run! # TODO: Process all fields. # @mheap only needs config, so that's all that's implemented - config = get_config_fields(json_schema) - json_schema = convert_to_json_schema(config) - json_schema = convert_required_list(json_schema) + fields = get_fields(json_schema) + JSONSchema::ForeignKeys.run!(fields) + JSONSchema::MissingDescriptions.run!(fields) + + json_schema = convert_to_json_schema(fields) + json_schema = convert_required_list(json_schema) # If an entity is required, but no children are required # it's not actually required @@ -40,7 +47,7 @@ def run! private - def get_config_fields(schema) + def get_fields(schema) { 'properties' => schema.fetch('fields', []).select { |f| FIELDS.any? { |k| f.key?(k) } } } diff --git a/lib/json_schema/foreign_keys.rb b/lib/json_schema/foreign_keys.rb new file mode 100644 index 00000000..05682159 --- /dev/null +++ b/lib/json_schema/foreign_keys.rb @@ -0,0 +1,44 @@ +require 'yaml' + +module JSONSchema + class ForeignKeys + def self.run!(schema) + new(schema).run! + end + + def initialize(schema) + @schema = schema + end + + def run! + unsupported_entities.each { |e| properties.delete(e) } + properties.concat(supported_entities) + end + + private + + def properties + @properties ||= @schema['properties'] + end + + def unsupported_entities + @unsupported_entities ||= properties.select do |prop| + available_entities.any? { |k| prop.key?(k) } + end + end + + def supported_entities + @supported_entities ||= [ + foreign_keys.except(*unsupported_entities.flat_map(&:keys)) + ] + end + + def foreign_keys + @foreign_keys ||= YAML.load(File.read('./config/foreign_keys.yaml')) + end + + def available_entities + @available_entities ||= foreign_keys.keys + end + end +end diff --git a/lib/json_schema/missing_descriptions.rb b/lib/json_schema/missing_descriptions.rb new file mode 100644 index 00000000..36c0173e --- /dev/null +++ b/lib/json_schema/missing_descriptions.rb 
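Review bot: `foreign_keys` in the new `lib/json_schema/foreign_keys.rb` parses its config with `YAML.load`, which on Psych releases before 4 can instantiate arbitrary Ruby objects from tagged YAML. The file holds only plain maps and strings, so `YAML.safe_load(File.read('./config/foreign_keys.yaml'))` reads the same data without depending on the installed Psych version. The same call appears in `descriptions` in `lib/json_schema/missing_descriptions.rb`. Both paths are relative to the working directory, so the classes only find their config when run from the repository root; `File.expand_path('../../config/foreign_keys.yaml', __dir__)` would remove that dependency.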
@@ -0,0 +1,34 @@ +require 'yaml' + +module JSONSchema + class MissingDescriptions + def self.run!(schema) + new(schema).run! + end + + def initialize(schema) + @schema = schema + end + + def run! + @schema.fetch('properties', []).map do |prop| + key = prop.keys.first + values = prop.values.first + + next if values.key?('description') + + values['description'] = descriptions[key] if descriptions.key?(key) + end + end + + private + + def properties + @properties ||= @schema['properties'] + end + + def descriptions + @descriptions ||= YAML.load(File.read('./config/descriptions.yaml')) + end + end +end From 113320b16dfdf110d119ab5713a6edb3e2a1447c Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Wed, 4 Dec 2024 15:42:07 +0100 Subject: [PATCH 113/165] Deep-sort json-schemas before writing them to disk --- Gemfile | 1 + Gemfile.lock | 2 ++ lib/convert_json_schema.rb | 3 ++- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/Gemfile b/Gemfile index 028b878a..27967881 100644 --- a/Gemfile +++ b/Gemfile @@ -1,3 +1,4 @@ source 'https://rubygems.org' gem 'thor' +gem 'deepsort' diff --git a/Gemfile.lock b/Gemfile.lock index 99f2db97..64de0510 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,6 +1,7 @@ GEM remote: https://rubygems.org/ specs: + deepsort (0.5.0) thor (1.3.2) PLATFORMS @@ -8,6 +9,7 @@ PLATFORMS ruby DEPENDENCIES + deepsort thor BUNDLED WITH diff --git a/lib/convert_json_schema.rb b/lib/convert_json_schema.rb index 7b5b5aa4..af99986d 100644 --- a/lib/convert_json_schema.rb +++ b/lib/convert_json_schema.rb @@ -1,6 +1,7 @@ require 'json' require_relative './json_schema/foreign_keys' require_relative './json_schema/missing_descriptions' +require 'deepsort' class ConvertJsonSchema def self.run!(plugins:, options:) 
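Review bot: `run!` in `MissingDescriptions` walks the properties with `map` and `next` but discards the returned array, so `@schema.fetch('properties', []).each do |prop|` states the intent. The private `properties` helper is never called in this file and can be removed. `values.key?('description')` also assumes every property value is a Hash, which the visible code does not guarantee; a guard such as `next unless values.is_a?(Hash)` would keep one malformed field from aborting the whole conversion.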
@@ -41,7 +42,7 @@ def run! # Write the schema to the destination FileUtils.mkdir_p("#{@options[:destination]}/#{plugin_name}") dest = File.join(@options[:destination], plugin_name, "#{@options['version']}.json") - File.write(dest, JSON.pretty_generate(json_schema)) + File.write(dest, JSON.pretty_generate(json_schema.deep_sort)) end end From d7558ffd84b7f3918215df5e65c90e63b0f5297b Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Thu, 5 Dec 2024 11:44:45 +0100 Subject: [PATCH 114/165] Fix Foreign keys generation --- lib/json_schema/foreign_keys.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/json_schema/foreign_keys.rb b/lib/json_schema/foreign_keys.rb index 05682159..cdcc20fd 100644 --- a/lib/json_schema/foreign_keys.rb +++ b/lib/json_schema/foreign_keys.rb @@ -28,9 +28,9 @@ def unsupported_entities end def supported_entities - @supported_entities ||= [ - foreign_keys.except(*unsupported_entities.flat_map(&:keys)) - ] + @supported_entities ||= foreign_keys + .except(*unsupported_entities.flat_map(&:keys)) + .map { |k, v| { k => v } } end def foreign_keys From 6197bdbe286080af014453e6792700e87fea756c Mon Sep 17 00:00:00 2001 
From: Fabian Rodriguez Date: Thu, 5 Dec 2024 11:46:32 +0100 Subject: [PATCH 115/165] Generate json-schemas for 3.9 --- json_schemas/acl/3.9.json | 84 + json_schemas/acme/3.9.json | 349 +++ json_schemas/ai-azure-content-safety/3.9.json | 139 ++ json_schemas/ai-prompt-decorator/3.9.json | 141 ++ json_schemas/ai-prompt-guard/3.9.json | 113 + json_schemas/ai-prompt-template/3.9.json | 112 + json_schemas/ai-proxy-advanced/3.9.json | 758 ++++++ json_schemas/ai-proxy/3.9.json | 339 +++ .../ai-rate-limiting-advanced/3.9.json | 384 +++ json_schemas/ai-request-transformer/3.9.json | 357 +++ json_schemas/ai-response-transformer/3.9.json | 373 +++ json_schemas/ai-semantic-cache/3.9.json | 426 ++++ .../ai-semantic-prompt-guard/3.9.json | 438 ++++ json_schemas/app-dynamics/3.9.json | 64 + .../application-registration/3.9.json | 54 + json_schemas/aws-lambda/3.9.json | 209 ++ json_schemas/azure-functions/3.9.json | 117 + json_schemas/basic-auth/3.9.json | 71 + json_schemas/bot-detection/3.9.json | 73 + json_schemas/canary/3.9.json | 130 + json_schemas/confluent/3.9.json | 195 ++ json_schemas/correlation-id/3.9.json | 84 + json_schemas/cors/3.9.json | 127 + json_schemas/datadog-tracing/3.9.json | 101 + json_schemas/datadog/3.9.json | 247 ++ json_schemas/degraphql/3.9.json | 58 + json_schemas/exit-transformer/3.9.json | 81 + json_schemas/file-log/3.9.json | 86 + json_schemas/forward-proxy/3.9.json | 123 + .../graphql-proxy-cache-advanced/3.9.json | 278 +++ .../graphql-rate-limiting-advanced/3.9.json | 321 +++ json_schemas/grpc-gateway/3.9.json | 75 + json_schemas/grpc-web/3.9.json | 84 + json_schemas/header-cert-auth/3.9.json | 167 ++ json_schemas/hmac-auth/3.9.json | 110 + json_schemas/http-log/3.9.json | 185 ++ json_schemas/injection-protection/3.9.json | 132 + json_schemas/ip-restriction/3.9.json | 110 + json_schemas/jq/3.9.json | 154 ++ json_schemas/json-threat-protection/3.9.json | 116 + json_schemas/jwe-decrypt/3.9.json | 76 + json_schemas/jwt-signer/3.9.json | 639 +++++ 
json_schemas/jwt/3.9.json | 126 + json_schemas/kafka-log/3.9.json | 216 ++ json_schemas/kafka-upstream/3.9.json | 228 ++ json_schemas/key-auth-enc/3.9.json | 102 + json_schemas/key-auth/3.9.json | 102 + .../konnect-application-auth/3.9.json | 2149 ++++++++++++++++ json_schemas/ldap-auth-advanced/3.9.json | 179 ++ json_schemas/ldap-auth/3.9.json | 124 + json_schemas/loggly/3.9.json | 161 ++ json_schemas/mocking/3.9.json | 114 + json_schemas/mtls-auth/3.9.json | 155 ++ json_schemas/oas-validation/3.9.json | 137 ++ json_schemas/oauth2-introspection/3.9.json | 124 + json_schemas/oauth2/3.9.json | 153 ++ json_schemas/opa/3.9.json | 112 + json_schemas/openid-connect/3.9.json | 2160 +++++++++++++++++ json_schemas/opentelemetry/3.9.json | 272 +++ json_schemas/post-function/3.9.json | 140 ++ json_schemas/pre-function/3.9.json | 140 ++ json_schemas/prometheus/3.9.json | 101 + json_schemas/proxy-cache-advanced/3.9.json | 376 +++ json_schemas/proxy-cache/3.9.json | 201 ++ json_schemas/rate-limiting-advanced/3.9.json | 388 +++ json_schemas/rate-limiting/3.9.json | 247 ++ json_schemas/redirect/3.9.json | 91 + json_schemas/request-size-limiting/3.9.json | 84 + json_schemas/request-termination/3.9.json | 103 + .../request-transformer-advanced/3.9.json | 290 +++ json_schemas/request-transformer/3.9.json | 244 ++ json_schemas/request-validator/3.9.json | 150 ++ json_schemas/response-ratelimiting/3.9.json | 193 ++ .../response-transformer-advanced/3.9.json | 309 +++ json_schemas/response-transformer/3.9.json | 235 ++ json_schemas/route-by-header/3.9.json | 86 + .../route-transformer-advanced/3.9.json | 77 + json_schemas/saml/3.9.json | 589 +++++ json_schemas/service-protection/3.9.json | 296 +++ json_schemas/session/3.9.json | 242 ++ json_schemas/standard-webhooks/3.9.json | 74 + json_schemas/statsd-advanced/3.9.json | 282 +++ json_schemas/statsd/3.9.json | 300 +++ json_schemas/syslog/3.9.json | 159 ++ json_schemas/tcp-log/3.9.json | 105 + json_schemas/tls-handshake-modifier/3.9.json 
| 58 + json_schemas/tls-metadata-headers/3.9.json | 80 + json_schemas/udp-log/3.9.json | 91 + json_schemas/upstream-oauth/3.9.json | 471 ++++ json_schemas/upstream-timeout/3.9.json | 82 + json_schemas/vault-auth/3.9.json | 96 + json_schemas/websocket-size-limit/3.9.json | 70 + json_schemas/websocket-validator/3.9.json | 152 ++ json_schemas/xml-threat-protection/3.9.json | 210 ++ json_schemas/zipkin/3.9.json | 346 +++ 95 files changed, 22052 insertions(+) create mode 100644 json_schemas/acl/3.9.json create mode 100644 json_schemas/acme/3.9.json create mode 100644 json_schemas/ai-azure-content-safety/3.9.json create mode 100644 json_schemas/ai-prompt-decorator/3.9.json create mode 100644 json_schemas/ai-prompt-guard/3.9.json create mode 100644 json_schemas/ai-prompt-template/3.9.json create mode 100644 json_schemas/ai-proxy-advanced/3.9.json create mode 100644 json_schemas/ai-proxy/3.9.json create mode 100644 json_schemas/ai-rate-limiting-advanced/3.9.json create mode 100644 json_schemas/ai-request-transformer/3.9.json create mode 100644 json_schemas/ai-response-transformer/3.9.json create mode 100644 json_schemas/ai-semantic-cache/3.9.json create mode 100644 json_schemas/ai-semantic-prompt-guard/3.9.json create mode 100644 json_schemas/app-dynamics/3.9.json create mode 100644 json_schemas/application-registration/3.9.json create mode 100644 json_schemas/aws-lambda/3.9.json create mode 100644 json_schemas/azure-functions/3.9.json create mode 100644 json_schemas/basic-auth/3.9.json create mode 100644 json_schemas/bot-detection/3.9.json create mode 100644 json_schemas/canary/3.9.json create mode 100644 json_schemas/confluent/3.9.json create mode 100644 json_schemas/correlation-id/3.9.json create mode 100644 json_schemas/cors/3.9.json create mode 100644 json_schemas/datadog-tracing/3.9.json create mode 100644 json_schemas/datadog/3.9.json create mode 100644 json_schemas/degraphql/3.9.json create mode 100644 json_schemas/exit-transformer/3.9.json create mode 100644 
json_schemas/file-log/3.9.json create mode 100644 json_schemas/forward-proxy/3.9.json create mode 100644 json_schemas/graphql-proxy-cache-advanced/3.9.json create mode 100644 json_schemas/graphql-rate-limiting-advanced/3.9.json create mode 100644 json_schemas/grpc-gateway/3.9.json create mode 100644 json_schemas/grpc-web/3.9.json create mode 100644 json_schemas/header-cert-auth/3.9.json create mode 100644 json_schemas/hmac-auth/3.9.json create mode 100644 json_schemas/http-log/3.9.json create mode 100644 json_schemas/injection-protection/3.9.json create mode 100644 json_schemas/ip-restriction/3.9.json create mode 100644 json_schemas/jq/3.9.json create mode 100644 json_schemas/json-threat-protection/3.9.json create mode 100644 json_schemas/jwe-decrypt/3.9.json create mode 100644 json_schemas/jwt-signer/3.9.json create mode 100644 json_schemas/jwt/3.9.json create mode 100644 json_schemas/kafka-log/3.9.json create mode 100644 json_schemas/kafka-upstream/3.9.json create mode 100644 json_schemas/key-auth-enc/3.9.json create mode 100644 json_schemas/key-auth/3.9.json create mode 100644 json_schemas/konnect-application-auth/3.9.json create mode 100644 json_schemas/ldap-auth-advanced/3.9.json create mode 100644 json_schemas/ldap-auth/3.9.json create mode 100644 json_schemas/loggly/3.9.json create mode 100644 json_schemas/mocking/3.9.json create mode 100644 json_schemas/mtls-auth/3.9.json create mode 100644 json_schemas/oas-validation/3.9.json create mode 100644 json_schemas/oauth2-introspection/3.9.json create mode 100644 json_schemas/oauth2/3.9.json create mode 100644 json_schemas/opa/3.9.json create mode 100644 json_schemas/openid-connect/3.9.json create mode 100644 json_schemas/opentelemetry/3.9.json create mode 100644 json_schemas/post-function/3.9.json create mode 100644 json_schemas/pre-function/3.9.json create mode 100644 json_schemas/prometheus/3.9.json create mode 100644 json_schemas/proxy-cache-advanced/3.9.json create mode 100644 
json_schemas/proxy-cache/3.9.json create mode 100644 json_schemas/rate-limiting-advanced/3.9.json create mode 100644 json_schemas/rate-limiting/3.9.json create mode 100644 json_schemas/redirect/3.9.json create mode 100644 json_schemas/request-size-limiting/3.9.json create mode 100644 json_schemas/request-termination/3.9.json create mode 100644 json_schemas/request-transformer-advanced/3.9.json create mode 100644 json_schemas/request-transformer/3.9.json create mode 100644 json_schemas/request-validator/3.9.json create mode 100644 json_schemas/response-ratelimiting/3.9.json create mode 100644 json_schemas/response-transformer-advanced/3.9.json create mode 100644 json_schemas/response-transformer/3.9.json create mode 100644 json_schemas/route-by-header/3.9.json create mode 100644 json_schemas/route-transformer-advanced/3.9.json create mode 100644 json_schemas/saml/3.9.json create mode 100644 json_schemas/service-protection/3.9.json create mode 100644 json_schemas/session/3.9.json create mode 100644 json_schemas/standard-webhooks/3.9.json create mode 100644 json_schemas/statsd-advanced/3.9.json create mode 100644 json_schemas/statsd/3.9.json create mode 100644 json_schemas/syslog/3.9.json create mode 100644 json_schemas/tcp-log/3.9.json create mode 100644 json_schemas/tls-handshake-modifier/3.9.json create mode 100644 json_schemas/tls-metadata-headers/3.9.json create mode 100644 json_schemas/udp-log/3.9.json create mode 100644 json_schemas/upstream-oauth/3.9.json create mode 100644 json_schemas/upstream-timeout/3.9.json create mode 100644 json_schemas/vault-auth/3.9.json create mode 100644 json_schemas/websocket-size-limit/3.9.json create mode 100644 json_schemas/websocket-validator/3.9.json create mode 100644 json_schemas/xml-threat-protection/3.9.json create mode 100644 json_schemas/zipkin/3.9.json diff --git a/json_schemas/acl/3.9.json b/json_schemas/acl/3.9.json new file mode 100644 index 00000000..303d1f68 --- /dev/null +++ b/json_schemas/acl/3.9.json 
@@ -0,0 +1,84 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "always_use_authenticated_groups": { + "default": false, + "description": "If enabled (`true`), the authenticated groups will always be used even when an authenticated consumer already exists. If the authenticated groups don't exist, it will fallback to use the groups associated with the consumer. By default the authenticated groups will only be used when there is no consumer or the consumer is anonymous.", + "type": "boolean" + }, + "deny": { + "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "hide_groups_header": { + "default": false, + "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", + "type": "boolean" + }, + "include_consumer_groups": { + "default": false, + "description": "If enabled (`true`), allows the consumer-groups to be used in the `allow|deny` fields", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/acme/3.9.json b/json_schemas/acme/3.9.json new file mode 100644 index 00000000..5502c1be --- /dev/null +++ b/json_schemas/acme/3.9.json 
@@ -0,0 +1,349 @@ +{ + "properties": { + "config": { + "properties": { + "account_email": { + "description": "The account identifier. Can be reused in a different plugin instance.", + "pattern": "[a-zA-Z0-9]*[!-/:-@[-`{-~]*@+[a-zA-Z0-9]*%.?[a-zA-Z0-9]*", + "type": "string" + }, + "account_key": { + "description": "The private key associated with the account.", + "properties": { + "key_id": { + "description": "The Key ID.", + "type": "string" + }, + "key_set": { + "description": "The ID of the key set to associate the Key ID with.", + "type": "string" + } + }, + "required": [ + "key_id" + ], + "type": "object" + }, + "allow_any_domain": { + "default": false, + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", + "type": "boolean" + }, + "api_uri": { + "default": "https://acme-v02.api.letsencrypt.org/directory", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "cert_type": { + "default": "rsa", + "description": "The certificate type to create. The possible values are `rsa` for RSA certificate or `ecc` for EC certificate.", + "enum": [ + "ecc", + "rsa" + ], + "type": "string" + }, + "domains": { + "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", + "items": { + "match_all": { + "pattern": "^[^*]*%*?[^*]*$" + }, + "match_any": { + "patterns": [ + "%.%*$", + "^%*%.", + "^[^*]*$" + ] + }, + "required": [], + "type": "string" + }, + "type": "array" + }, + "eab_hmac_key": { + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", + "type": "string" + }, + "eab_kid": { + "description": "External account binding (EAB) key id. 
You usually don't need to set this unless it is explicitly required by the CA.", + "type": "string" + }, + "enable_ipv4_common_name": { + "default": true, + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", + "type": "boolean" + }, + "fail_backoff_minutes": { + "default": 5, + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", + "type": "number" + }, + "preferred_chain": { + "description": "A string value that specifies the preferred certificate chain to use when generating certificates.", + "type": "string" + }, + "renew_threshold_days": { + "default": 14, + "description": "Days remaining to renew the certificate before it expires.", + "type": "number" + }, + "rsa_key_size": { + "default": 4096, + "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", + "enum": [ + 2048, + 3072, + 4096 + ], + "type": "integer" + }, + "storage": { + "default": "shm", + "description": "The backend storage type to use. In DB-less mode and Konnect, `kong` storage is unavailable. In hybrid mode and Konnect, `shm` storage is unavailable. 
`shm` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `kong`, `redis`, `consul`, or `vault` in production.", + "enum": [ + "consul", + "kong", + "redis", + "shm", + "vault" + ], + "type": "string" + }, + "storage_config": { + "properties": { + "consul": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https": { + "default": false, + "description": "Boolean representation of https.", + "type": "boolean" + }, + "kv_path": { + "description": "KV prefix path.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "description": "Timeout in milliseconds.", + "type": "number" + }, + "token": { + "description": "Consul ACL token.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "kong": { + "additionalProperties": true, + "properties": {}, + "required": [], + "type": "object" + }, + "redis": { + "properties": { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "extra_options": { + "description": "Custom ACME Redis options", + "properties": { + "namespace": { + "default": "", + "description": "A namespace to prepend to all keys stored in Redis.", + "minLength": 0, + "type": "string" + }, + "scan_count": { + "default": 10, + "description": "The number of keys to return in Redis SCAN calls.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "password": { + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "minLength": 0, + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "auth": { + "minLength": 0, + "type": "string" + }, + "namespace": { + "minLength": 0, + "type": "string" + }, + "scan_count": { + "type": "integer" + }, + "ssl_server_name": { + "type": "string" + } + }, + "type": "object" + }, + "shm": { + "properties": { + "shm_name": { + "default": "kong", + "description": "Name of shared memory zone used for Kong API gateway storage", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "vault": { + "properties": { + "auth_method": { + "default": "token", + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", + "enum": [ + "kubernetes", + "token" + ], + "type": "string" + }, + "auth_path": { + "description": "Vault's authentication path to use.", + "type": "string" + }, + "auth_role": { + "description": "The role to try and assign.", + "type": "string" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https": { + "default": false, + "description": "Boolean representation of https.", + "type": "boolean" + }, + "jwt_path": { + "description": "The path to the JWT.", + "type": "string" + }, + "kv_path": { + "description": "KV prefix path.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "description": "Timeout in milliseconds.", + "type": "number" + }, + "tls_server_name": { + "description": "SNI used in request, default to host if omitted.", + "type": "string" + }, + "tls_verify": { + "default": true, + "description": "Turn on TLS verification.", + "type": "boolean" + }, + "token": { + "description": "Consul ACL token.", + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": 
"object" + }, + "tos_accepted": { + "default": false, + "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-azure-content-safety/3.9.json b/json_schemas/ai-azure-content-safety/3.9.json new file mode 100644 index 00000000..7fc1e807 --- /dev/null +++ b/json_schemas/ai-azure-content-safety/3.9.json 
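Review bot: `config.account_email.pattern` holds a Lua pattern rather than a regular expression: a validator that reads `pattern` as an ECMA-262 regex takes `%.?` as a literal `%` plus an optional character, so an ordinary address such as `user@example.com` does not match. In `domains.items` the `match_all` / `match_any` keys are not JSON Schema keywords and a generic validator ignores them, which leaves the host and wildcard rules unchecked on the client side even though `allow_any_domain` defaults to `false`. The published schema should either drop these keys or translate them, e.g. `"pattern": "^[^*]*\\*?[^*]*$"` for the single-wildcard rule. Separately, `storage_config.vault.token` is described as "Consul ACL token.", which looks copied from the `consul` block; `"description": "Vault token."` would match the field.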
@@ -0,0 +1,139 @@ +{ + "properties": { + "config": { + "properties": { + "azure_api_version": { + "default": "2023-10-01", + "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format.", + "minLength": 1, + "type": "string" + }, + "azure_client_id": { + "description": "If `azure_use_managed_identity` is true, set the client ID if required.", + "type": "string" + }, + "azure_client_secret": { + "description": "If `azure_use_managed_identity` is true, set the client secret if required.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If `azure_use_managed_identity` is true, set the tenant ID if required.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity", + "type": "boolean" + }, + "blocklist_names": { + "description": "Use these configured blocklists (in Azure Content Services) when inspecting content.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "categories": { + "description": "Array of categories, and their thresholds, to measure on.", + "items": { + "properties": { + "name": { + "type": "string" + }, + "rejection_level": { + "type": "integer" + } + }, + "required": [ + "name", + "rejection_level" + ], + "type": "object" + }, + "type": "array" + }, + "content_safety_key": { + "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.", + "type": "string" + }, + "content_safety_url": { + "description": "Full URL, inc protocol, of the Azure Content Safety instance.", + "type": "string" + }, + "halt_on_blocklist_hit": { + "default": true, + "description": "Tells Azure to reject the request if any blocklist filter is hit.", + "type": "boolean" + }, + "output_type": { + "default": "FourSeverityLevels", + "description": 
"See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter#content-filtering-categories", + "enum": [ + "EightSeverityLevels", + "FourSeverityLevels" + ], + "type": "string" + }, + "reveal_failure_reason": { + "default": true, + "description": "Set true to tell the caller why their request was rejected, if so.", + "type": "boolean" + }, + "text_source": { + "default": "concatenate_all_content", + "description": "Select where to pick the 'text' for the Azure Content Services request.", + "enum": [ + "concatenate_all_content", + "concatenate_user_content" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-prompt-decorator/3.9.json b/json_schemas/ai-prompt-decorator/3.9.json new file mode 100644 index 00000000..f9a591c8 --- /dev/null +++ b/json_schemas/ai-prompt-decorator/3.9.json 
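Review bot: The description of `config.content_safety_key` says the API key is set when `azure_use_managed_identity` is true, which reads as inverted, since the three `azure_client_*` fields already cover the managed-identity case and the key is presumably the alternative used when that flag is false. If so, the description should say "is false" instead of "is true"; this is worth confirming against the plugin source the schema is exported from. `content_safety_key` and `azure_client_secret` are credentials, yet the schema gives a consumer no signal of that, so a form or config dump generated from it may echo them back; marking both with `"writeOnly": true` would let tooling mask them. `reveal_failure_reason` defaults to `true`, and its description could state that the rejection reason is returned to the caller, so operators know what is disclosed by default.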
@@ -0,0 +1,141 @@ +{ + "properties": { + "config": { + "properties": { + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, + "prompts": { + "properties": { + "append": { + "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages.", + "items": { + "properties": { + "content": { + "maxLength": 500, + "minLength": 1, + "type": "string" + }, + "role": { + "default": "system", + "enum": [ + "assistant", + "system", + "user" + ], + "type": "string" + } + }, + "required": [ + "content" + ], + "type": "object" + }, + "maxLength": 15, + "type": "array" + }, + "prepend": { + "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages.", + "items": { + "properties": { + "content": { + "maxLength": 500, + "minLength": 1, + "type": "string" + }, + "role": { + "default": "system", + "enum": [ + "assistant", + "system", + "user" + ], + "type": "string" + } + }, + "required": [ + "content" + ], + "type": "object" + }, + "maxLength": 15, + "type": "array" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-prompt-guard/3.9.json b/json_schemas/ai-prompt-guard/3.9.json new file mode 100644 index 00000000..95c822a7 --- /dev/null +++ b/json_schemas/ai-prompt-guard/3.9.json 
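Review bot: `prompts.append` and `prompts.prepend` are `"type": "array"` but carry `"maxLength": 15`; in JSON Schema `maxLength` constrains strings only and is ignored for arrays, so the intended cap of 15 injected messages is not enforced by a validator reading this file. The array keyword is `maxItems`, so both should read `"maxItems": 15`. The same applies to `allow_patterns` and `deny_patterns` (`"maxLength": 10`) in the ai-prompt-guard schema in the next hunk, where the cap bounds how many regex patterns are evaluated per request. The per-item `"maxLength": 500` on the string items is correct as written.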
@@ -0,0 +1,113 @@ +{ + "properties": { + "config": { + "properties": { + "allow_all_conversation_history": { + "default": false, + "description": "If true, will ignore all previous chat prompts from the conversation history.", + "type": "boolean" + }, + "allow_patterns": { + "description": "Array of valid regex patterns, or valid questions from the 'user' role in chat.", + "items": { + "maxLength": 500, + "minLength": 1, + "required": [], + "type": "string" + }, + "maxLength": 10, + "type": "array" + }, + "deny_patterns": { + "description": "Array of invalid regex patterns, or invalid questions from the 'user' role in chat.", + "items": { + "maxLength": 500, + "minLength": 1, + "required": [], + "type": "string" + }, + "maxLength": 10, + "type": "array" + }, + "match_all_roles": { + "default": false, + "description": "If true, will match all roles in addition to 'user' role in conversation history.", + "type": "boolean" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-prompt-template/3.9.json b/json_schemas/ai-prompt-template/3.9.json new file mode 100644 index 00000000..594030d0 --- /dev/null +++ b/json_schemas/ai-prompt-template/3.9.json 
@@ -0,0 +1,112 @@ +{ + "properties": { + "config": { + "properties": { + "allow_untemplated_requests": { + "default": true, + "description": "Set true to allow requests that don't call or match any template.", + "type": "boolean" + }, + "log_original_request": { + "default": false, + "description": "Set true to add the original request to the Kong log plugin(s) output.", + "type": "boolean" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, + "templates": { + "description": "Array of templates available to the request context.", + "items": { + "properties": { + "name": { + "description": "Unique name for the template, can be called with `{template://NAME}`", + "type": "string" + }, + "template": { + "description": "Template string for this request, supports mustache-style `{{placeholders}}`", + "type": "string" + } + }, + "required": [ + "name", + "template" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-proxy-advanced/3.9.json b/json_schemas/ai-proxy-advanced/3.9.json new file mode 100644 index 00000000..53725f79 --- /dev/null +++ b/json_schemas/ai-proxy-advanced/3.9.json 
@@ -0,0 +1,758 @@ +{ + "properties": { + "config": { + "properties": { + "balancer": { + "properties": { + "algorithm": { + "default": "round-robin", + "description": "Which load balancing algorithm to use.", + "enum": [ + "consistent-hashing", + "lowest-latency", + "lowest-usage", + "round-robin", + "semantic" + ], + "type": "string" + }, + "connect_timeout": { + "default": 60000, + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "hash_on_header": { + "default": "X-Kong-LLM-Request-ID", + "description": "The header to use for consistent-hashing.", + "type": "string" + }, + "latency_strategy": { + "default": "tpot", + "description": "What metrics to use for latency. Available values are: `tpot` (time-per-output-token) and `e2e`.", + "enum": [ + "e2e", + "tpot" + ], + "type": "string" + }, + "read_timeout": { + "default": 60000, + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "retries": { + "default": 5, + "description": "The number of retries to execute upon failure to proxy.", + "maximum": 32767, + "minimum": 0, + "type": "integer" + }, + "slots": { + "default": 10000, + "description": "The number of slots in the load balancer algorithm.", + "maximum": 65536, + "minimum": 10, + "type": "integer" + }, + "tokens_count_strategy": { + "default": "total-tokens", + "description": "What tokens to use for usage calculation. 
Available values are: `total_tokens` `prompt_tokens`, and `completion_tokens`.", + "enum": [ + "completion-tokens", + "prompt-tokens", + "total-tokens" + ], + "type": "string" + }, + "write_timeout": { + "default": 60000, + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "embeddings": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "upstream_url": { + "description": "upstream url for the embeddings", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "provider": { + "description": "AI provider format to use for embeddings API", + "enum": [ + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [ + "name", + "provider" + ], + "type": "object" + } + }, + "required": [ + "model" + ], + "type": "object" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, + "model_name_header": { + "default": true, + "description": "Display the model name 
selected in the X-Kong-LLM-Model response header", + "type": "boolean" + }, + "response_streaming": { + "default": "allow", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "enum": [ + "allow", + "always", + "deny" + ], + "type": "string" + }, + "targets": { + "items": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "description": { + "description": "The semantic description of the target, required if using semantic load balancing.", + "type": "string" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": "Defines the schema/API 
version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "bedrock": { + "properties": { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "minimum": 0, + "type": "number" + }, + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "enum": [ + "ollama", + "openai", + "raw" + ], + "type": "string" + }, + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "enum": [ + "ollama", + 
"openai" + ], + "type": "string" + }, + "output_cost": { + "description": "Defines the cost per 1M tokens in the output of the AI.", + "minimum": 0, + "type": "number" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, + "minimum": 0, + "type": "integer" + }, + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cohere", + "gemini", + "huggingface", + "llama2", + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [ + "provider" + ], + "type": "object" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. 
Set to `preserve` to pass through without transformation.", + "enum": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "type": "string" + }, + "weight": { + "default": 100, + "description": "The weight this target gets within the upstream loadbalancer (1-65535).", + "maximum": 65535, + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "logging", + "model", + "route_type" + ], + "type": "object" + }, + "type": "array" + }, + "vectordb": { + "properties": { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "type": "integer" + }, + "distance_metric": { + "description": "the distance metric to use for vector searches", + "enum": [ + "cosine", + "euclidean" + ], + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "description": "which vector database driver to use", + "enum": [ + "redis" + ], + "type": "string" + }, + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float)", + "type": "number" + } + }, + "required": [ + "dimensions", + "distance_metric", + "redis", + "strategy", + "threshold" + ], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-proxy/3.9.json b/json_schemas/ai-proxy/3.9.json new file mode 100644 index 00000000..e29f7235 --- /dev/null +++ b/json_schemas/ai-proxy/3.9.json 
@@ -0,0 +1,339 @@ +{ + "properties": { + "config": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": "Defines the 
schema/API version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "bedrock": { + "properties": { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "minimum": 0, + "type": "number" + }, + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "enum": [ + "ollama", + "openai", + "raw" + ], + "type": "string" + }, + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "enum": [ + 
"ollama", + "openai" + ], + "type": "string" + }, + "output_cost": { + "description": "Defines the cost per 1M tokens in the output of the AI.", + "minimum": 0, + "type": "number" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, + "minimum": 0, + "type": "integer" + }, + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cohere", + "gemini", + "huggingface", + "llama2", + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "model_name_header": { + "default": true, + "description": "Display the model name selected in the X-Kong-LLM-Model response header", + "type": "boolean" + }, + "response_streaming": { + "default": "allow", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "enum": [ + "allow", + "always", + "deny" + ], + "type": "string" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. 
Set to `preserve` to pass through without transformation.", + "enum": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-rate-limiting-advanced/3.9.json b/json_schemas/ai-rate-limiting-advanced/3.9.json new file mode 100644 index 00000000..3cd6918f --- /dev/null +++ b/json_schemas/ai-rate-limiting-advanced/3.9.json 
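Review bot: The secret-bearing fields under `config.auth` (`aws_secret_access_key`, `azure_client_secret`, `gcp_service_account_json`, `header_value`, `param_value`) are declared as plain `"type": "string"`, with nothing that lets a schema consumer tell them apart from ordinary settings, so a form or documentation generator built on this file would presumably show them in clear text. Adding `"writeOnly": true` to each of them would give consumers a standard annotation to mask on. Separately, `config` and `config.model` both carry `"required": []`, whereas the file section that ends just before this one requires `"provider"` on `model` and `"logging"`, `"model"`, `"route_type"` on each target, so an ai-proxy config with no provider validates here; if that is not intended, `"required": ["provider"]` on `model` would match. The file looks exported rather than hand-written, in which case both changes belong in the exporter.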
@@ -0,0 +1,384 @@ +{ + "properties": { + "config": { + "properties": { + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "type": "string" + }, + "disable_penalty": { + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type and the request prompt provider.", + "type": "boolean" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "minimum": 0, + "type": "number" + }, + "error_hide_providers": { + "default": false, + "description": "Optionally hide informative response that would otherwise provide information about the provider in the error message.", + "type": "boolean" + }, + "error_message": { + "default": "AI token rate limit exceeded for provider(s): ", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" + }, + "identifier": { + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. 
Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "enum": [ + "consumer", + "consumer-group", + "credential", + "header", + "ip", + "path", + "service" + ], + "type": "string" + }, + "llm_providers": { + "description": "The provider config. Takes an array of `name`, `limit` and `window size` values.", + "items": { + "properties": { + "limit": { + "description": "The limit applies to the LLM provider within the defined window size. It used the query cost from the tokens to increment the counter.", + "type": "number" + }, + "name": { + "description": "The LLM provider to which the rate limit applies.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cohere", + "gemini", + "huggingface", + "llama2", + "mistral", + "openai", + "requestPrompt" + ], + "type": "string" + }, + "window_size": { + "description": "The window size to apply a limit (defined in seconds).", + "type": "number" + } + }, + "required": [ + "limit", + "name", + "window_size" + ], + "type": "object" + }, + "type": "array" + }, + "path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "request_prompt_count_function": { + "description": "If defined, it use custom function to count requests for the request prompt provider", + "type": "string" + }, + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + }, + "strategy": { + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + }, + "tokens_count_strategy": { + "default": "total_tokens", + "description": "What tokens to use for cost calculation. 
Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` or `cost`.", + "enum": [ + "completion_tokens", + "cost", + "prompt_tokens", + "total_tokens" + ], + "type": "string" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-request-transformer/3.9.json b/json_schemas/ai-request-transformer/3.9.json new file mode 100644 index 00000000..f2f3db42 --- /dev/null +++ b/json_schemas/ai-request-transformer/3.9.json 
@@ -0,0 +1,357 @@ +{ + "properties": { + "config": { + "properties": { + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 60000, + "description": "Timeout in milliseconds for the AI upstream service.", + "type": "integer" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_verify": { + "default": true, + "description": "Verify the TLS certificate of the AI upstream service.", + "type": "boolean" + }, + "llm": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' 
for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "bedrock": { + "properties": { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "minimum": 0, + "type": "number" + }, + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "enum": [ + "ollama", + "openai", + "raw" + ], + "type": "string" + }, + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "enum": [ + "ollama", + "openai" + ], + "type": "string" + }, + "output_cost": { + "description": "Defines the cost per 1M tokens in the output of the AI.", + "minimum": 0, 
+ "type": "number" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, + "minimum": 0, + "type": "integer" + }, + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cohere", + "gemini", + "huggingface", + "llama2", + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. 
Set to `preserve` to pass through without transformation.", + "enum": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, + "prompt": { + "description": "Use this prompt to tune the LLM system/assistant message for the incoming proxy request (from the client), and what you are expecting in return.", + "type": "string" + }, + "transformation_extract_pattern": { + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the request phase. The first match will be set as the outgoing body. If the AI service's response doesn't match this pattern, it is marked as a failure.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-response-transformer/3.9.json b/json_schemas/ai-response-transformer/3.9.json new file mode 100644 index 00000000..65979cd1 --- /dev/null +++ b/json_schemas/ai-response-transformer/3.9.json 
@@ -0,0 +1,373 @@ +{ + "properties": { + "config": { + "properties": { + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 60000, + "description": "Timeout in milliseconds for the AI upstream service.", + "type": "integer" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_verify": { + "default": true, + "description": "Verify the TLS certificate of the AI upstream service.", + "type": "boolean" + }, + "llm": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' 
for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "bedrock": { + "properties": { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "minimum": 0, + "type": "number" + }, + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "enum": [ + "ollama", + "openai", + "raw" + ], + "type": "string" + }, + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "enum": [ + "ollama", + "openai" + ], + "type": "string" + }, + "output_cost": { + "description": "Defines the cost per 1M tokens in the output of the AI.", + "minimum": 0, 
+ "type": "number" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, + "minimum": 0, + "type": "integer" + }, + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cohere", + "gemini", + "huggingface", + "llama2", + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "enum": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, + "parse_llm_response_json_instructions": { + "default": false, + "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. 
You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions.", + "type": "boolean" + }, + "prompt": { + "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting.", + "type": "string" + }, + "transformation_extract_pattern": { + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the response phase. The first match will be set as the returning body. If the AI service's response doesn't match this pattern, a failure is returned to the client.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-semantic-cache/3.9.json b/json_schemas/ai-semantic-cache/3.9.json new file mode 100644 index 00000000..142bc35a --- /dev/null +++ b/json_schemas/ai-semantic-cache/3.9.json 
@@ -0,0 +1,426 @@ +{ + "properties": { + "config": { + "properties": { + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "minimum": 0, + "type": "integer" + }, + "embeddings": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "upstream_url": { + "description": "upstream url for the embeddings", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "provider": { + "description": "AI provider format to use for embeddings API", + "enum": [ + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "exact_caching": { + "default": false, + "description": "When enabled, a first check for exact query will be done. 
It will impact DB size", + "type": "boolean" + }, + "ignore_assistant_prompts": { + "default": false, + "description": "Ignore and discard any assistant prompts when Vectorizing the request", + "type": "boolean" + }, + "ignore_system_prompts": { + "default": false, + "description": "Ignore and discard any system prompts when Vectorizing the request", + "type": "boolean" + }, + "ignore_tool_prompts": { + "default": false, + "description": "Ignore and discard any tool prompts when Vectorizing the request", + "type": "boolean" + }, + "message_countback": { + "default": 1, + "description": "Number of messages in the chat history to Vectorize/Cache", + "maximum": 1000, + "minimum": 1, + "type": "number" + }, + "stop_on_failure": { + "default": false, + "description": "Halt the LLM request process in case of a caching system failure", + "type": "boolean" + }, + "vectordb": { + "properties": { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "type": "integer" + }, + "distance_metric": { + "description": "the distance metric to use for vector searches", + "enum": [ + "cosine", + "euclidean" + ], + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "description": "which vector database driver to use", + "enum": [ + "redis" + ], + "type": "string" + }, + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float)", + "type": "number" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-semantic-prompt-guard/3.9.json b/json_schemas/ai-semantic-prompt-guard/3.9.json new file mode 100644 index 00000000..32b4d423 --- /dev/null +++ b/json_schemas/ai-semantic-prompt-guard/3.9.json 
@@ -0,0 +1,438 @@ +{ + "properties": { + "config": { + "properties": { + "embeddings": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "upstream_url": { + "description": "upstream url for the embeddings", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "provider": { + "description": "AI provider format to use for embeddings API", + "enum": [ + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "rules": { + "properties": { + "allow_prompts": { + "description": "List of prompts to allow.", + "items": { + "maxLength": 500, + "minLength": 1, + "required": [], + "type": "string" + }, + "maxLength": 100, + "type": "array" + }, + "deny_prompts": { + "description": "List of prompts 
to deny.", + "items": { + "maxLength": 500, + "minLength": 1, + "required": [], + "type": "string" + }, + "maxLength": 100, + "type": "array" + }, + "match_all_conversation_history": { + "default": false, + "description": "If false, will ignore all previous chat prompts from the conversation history.", + "type": "boolean" + }, + "match_all_roles": { + "default": false, + "description": "If true, will match all roles in addition to 'user' role in conversation history.", + "type": "boolean" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "search": { + "properties": { + "threshold": { + "default": 0.5, + "description": "Threshold for the similarity score to be considered a match.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "vectordb": { + "properties": { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "type": "integer" + }, + "distance_metric": { + "description": "the distance metric to use for vector searches", + "enum": [ + "cosine", + "euclidean" + ], + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "description": "which vector database driver to use", + "enum": [ + "redis" + ], + "type": "string" + }, + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float)", + "type": "number" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/app-dynamics/3.9.json b/json_schemas/app-dynamics/3.9.json new file mode 100644 index 00000000..984044ad --- /dev/null +++ b/json_schemas/app-dynamics/3.9.json 
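Review bot: The 100-entry cap on `rules.allow_prompts` and `rules.deny_prompts` is written as `"maxLength": 100` on a `"type": "array"` node, and JSON Schema applies `maxLength`/`minLength` only to strings, so a validator using this file accepts allow/deny lists of any size. The same applies to `"minLength": 1` on `cluster_nodes`, `sentinel_nodes` and the two array entries in `shorthand_fields` under `vectordb.redis`; the first two have descriptions promising a minimum of one element. Use the array keywords instead: `"maxItems": 100` and `"minItems": 1`. If these files come out of a converter, the mapping is best corrected there so that every plugin schema picks it up.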
@@ -0,0 +1,64 @@ +{ + "properties": { + "config": { + "additionalProperties": true, + "properties": {}, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/application-registration/3.9.json b/json_schemas/application-registration/3.9.json new file mode 100644 index 00000000..c0e82ee3 --- /dev/null +++ b/json_schemas/application-registration/3.9.json 
@@ -0,0 +1,54 @@ +{ + "properties": { + "config": { + "properties": { + "auto_approve": { + "default": false, + "description": "If enabled, all new Service Contracts requests are automatically approved.", + "type": "boolean" + }, + "description": { + "description": "Unique description displayed in information about a Service in the Developer Portal.", + "type": "string" + }, + "display_name": { + "description": "Unique display name used for a Service in the Developer Portal.", + "type": "string" + }, + "enable_proxy_with_consumer_credential": { + "default": false, + "description": "If enabled, the Route of the Service can be accessed using the Consumer's credential", + "type": "boolean" + }, + "show_issuer": { + "default": false, + "description": "Displays the **Issuer URL** in the **Service Details** dialog.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/aws-lambda/3.9.json b/json_schemas/aws-lambda/3.9.json new file mode 100644 index 00000000..531f6aac --- /dev/null +++ b/json_schemas/aws-lambda/3.9.json 
@@ -0,0 +1,209 @@ +{ + "properties": { + "config": { + "properties": { + "aws_assume_role_arn": { + "description": "The target AWS IAM role ARN used to invoke the Lambda function.", + "type": "string" + }, + "aws_imds_protocol_version": { + "default": "v1", + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", + "enum": [ + "v1", + "v2" + ], + "type": "string" + }, + "aws_key": { + "description": "The AWS key credential to be used when invoking the function.", + "type": "string" + }, + "aws_region": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "aws_role_session_name": { + "default": "kong", + "description": "The identifier of the assumed role session.", + "type": "string" + }, + "aws_secret": { + "description": "The AWS secret credential to be used when invoking the function. ", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "awsgateway_compatible": { + "default": false, + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", + "type": "boolean" + }, + "base64_encode_body": { + "default": true, + "description": "An optional value that Base64-encodes the request body.", + "type": "boolean" + }, + "disable_https": { + "default": false, + "type": "boolean" + }, + "empty_arrays_mode": { + "default": "legacy", + "description": "An optional value that defines whether Kong should send empty arrays (returned by Lambda function) as `[]` arrays or `{}` objects in JSON responses. 
The value `legacy` means Kong will send empty arrays as `{}` objects in response", + "enum": [ + "correct", + "legacy" + ], + "type": "string" + }, + "forward_request_body": { + "default": false, + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. ", + "type": "boolean" + }, + "forward_request_headers": { + "default": false, + "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", + "type": "boolean" + }, + "forward_request_method": { + "default": false, + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", + "type": "boolean" + }, + "forward_request_uri": { + "default": false, + "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", + "type": "boolean" + }, + "function_name": { + "description": "The AWS Lambda function to invoke. Both function name and function ARN (including partial) are supported.", + "type": "string" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "invocation_type": { + "default": "RequestResponse", + "description": "The InvocationType to use when invoking the function. 
Available types are RequestResponse, Event, DryRun.", + "enum": [ + "DryRun", + "Event", + "RequestResponse" + ], + "type": "string" + }, + "is_proxy_integration": { + "default": false, + "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "number" + }, + "log_type": { + "default": "Tail", + "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", + "enum": [ + "None", + "Tail" + ], + "type": "string" + }, + "port": { + "default": 443, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "proxy_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "qualifier": { + "description": "The qualifier to use when invoking the function.", + "type": "string" + }, + "skip_large_bodies": { + "default": true, + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", + "type": "boolean" + }, + "timeout": { + "default": 60000, + "description": "An optional timeout in milliseconds when invoking the function.", + "type": "number" + }, + "unhandled_status": { + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", + "maximum": 999, + "minimum": 100, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/azure-functions/3.9.json b/json_schemas/azure-functions/3.9.json new file mode 100644 index 00000000..8c4378f8 --- /dev/null +++ b/json_schemas/azure-functions/3.9.json 
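Review bot: `config.disable_https` is the only `config` field in this schema without a `description`, and it is the field that decides whether the invocation request is protected in transit. Add one that states the effect, for example `"description": "If true, the plugin connects to the Lambda endpoint without TLS."`; this wording is inferred from the field name and should be confirmed against the plugin. Two neighbouring descriptions also need attention. `aws_region` reuses the host-name text (`"A string representing a host name, such as example.com."`), and `aws_imds_protocol_version` defaults to `v1` without saying that `v2` is the session-token form of the instance metadata service.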
@@ -0,0 +1,117 @@ +{ + "properties": { + "config": { + "properties": { + "apikey": { + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", + "type": "string" + }, + "appname": { + "description": "The Azure app name.", + "type": "string" + }, + "clientid": { + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.", + "type": "string" + }, + "functionname": { + "description": "Name of the Azure function to invoke.", + "type": "string" + }, + "hostdomain": { + "default": "azurewebsites.net", + "description": "The domain where the function resides.", + "type": "string" + }, + "https": { + "default": true, + "description": "Use of HTTPS to connect with the Azure Functions server.", + "type": "boolean" + }, + "https_verify": { + "default": false, + "description": "Set to `true` to authenticate the Azure Functions server.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", + "type": "number" + }, + "routeprefix": { + "default": "api", + "description": "Route prefix to use.", + "type": "string" + }, + "timeout": { + "default": 600000, + "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/basic-auth/3.9.json b/json_schemas/basic-auth/3.9.json new file mode 100644 index 00000000..d67e26e6 --- /dev/null +++ b/json_schemas/basic-auth/3.9.json 
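Review bot: `config.https_verify` defaults to `false` while `config.https` defaults to `true`, so with the defaults in this schema the connection is encrypted but the Azure Functions server is not authenticated. The description of `apikey` says the key is injected as the `x-functions-key` header on that connection. The `https_verify` description should state the consequence of the default rather than only how to turn it on, e.g. `"description": "Set to true to verify the Azure Functions server certificate. With the default (false) the server is not authenticated."`. Whether the default itself can be changed depends on the upstream plugin, which is not visible in this hunk.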
@@ -0,0 +1,71 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", + "type": "boolean" + }, + "realm": { + "default": "service", + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/bot-detection/3.9.json b/json_schemas/bot-detection/3.9.json new file mode 100644 index 00000000..0a4e686c --- /dev/null +++ b/json_schemas/bot-detection/3.9.json 
@@ -0,0 +1,73 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "default": [], + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", + "items": { + "is_regex": true, + "required": [], + "type": "string" + }, + "type": "array" + }, + "deny": { + "default": [], + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", + "items": { + "is_regex": true, + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/canary/3.9.json b/json_schemas/canary/3.9.json new file mode 100644 index 00000000..b7ecf25f --- /dev/null +++ b/json_schemas/canary/3.9.json 
@@ -0,0 +1,130 @@ +{ + "properties": { + "config": { + "properties": { + "canary_by_header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "duration": { + "default": 3600, + "description": "The duration of the canary release in seconds.", + "minimum": 0, + "type": "number" + }, + "groups": { + "description": "The groups allowed to access the canary release.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "hash": { + "default": "consumer", + "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", + "enum": [ + "allow", + "consumer", + "deny", + "header", + "ip", + "none" + ], + "type": "string" + }, + "hash_header": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "percentage": { + "description": "The percentage of traffic to be routed to the canary release.", + "maximum": 100, + "minimum": 0, + "type": "number" + }, + "start": { + "description": "Future time in seconds since epoch, when the canary release will start. 
Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`.", + "type": "number" + }, + "steps": { + "default": 1000, + "description": "The number of steps for the canary release.", + "minimum": 1, + "type": "number" + }, + "upstream_fallback": { + "default": false, + "description": "Specifies whether to fallback to the upstream server if the canary release fails.", + "type": "boolean" + }, + "upstream_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "upstream_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "upstream_uri": { + "description": "The URI of the upstream server to be used for the canary release.", + "minLength": 1, + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "hash": { + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead.", + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/confluent/3.9.json b/json_schemas/confluent/3.9.json new file mode 100644 index 00000000..8355c951 --- /dev/null +++ b/json_schemas/confluent/3.9.json 
@@ -0,0 +1,195 @@ +{ + "properties": { + "config": { + "properties": { + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_api_key": { + "description": "Username/Apikey for SASL authentication.", + "type": "string" + }, + "cluster_api_secret": { + "description": "Password/ApiSecret for SASL authentication.", + "type": "string" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "confluent_cloud_api_key": { + "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", + "type": "string" + }, + "confluent_cloud_api_secret": { + "description": "The corresponding secret for the Confluent Cloud API key.", + "type": "string" + }, + "forward_body": { + "default": true, + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_headers": { + "default": false, + "description": "Include the request headers in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_method": { + "default": false, + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_uri": { + "default": false, + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "Keepalive timeout in milliseconds.", + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + }, + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + }, + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + }, + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "enum": [ + -1, + 0, + 1 + ], + "type": "integer" + }, + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + }, + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single producer request.", + "type": "integer" + }, + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + }, + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + }, + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topic": { + "description": "The Kafka topic to publish to.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/correlation-id/3.9.json b/json_schemas/correlation-id/3.9.json new file mode 100644 index 00000000..a6dd6f8d --- /dev/null +++ b/json_schemas/correlation-id/3.9.json 
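Review bot: `cluster_api_key`, `cluster_api_secret`, `confluent_cloud_api_key` and `confluent_cloud_api_secret` are declared as plain `"type": "string"` fields, so nothing in this schema tells a UI, linter or log formatter that they hold credentials. At minimum the descriptions should mark them, for example by appending `Sensitive: do not commit a literal value; supply it from a secret store.` to each of the four. Separately, `forward_headers` and `forward_body` copy request headers and bodies into the Kafka message, and `forward_body` defaults to `true`. Neither description mentions that this can carry `Authorization` headers or other client credentials into the topic, so a one-sentence caveat there would help operators decide who may read it.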
@@ -0,0 +1,84 @@ +{ + "properties": { + "config": { + "properties": { + "echo_downstream": { + "default": false, + "description": "Whether to echo the header back to downstream (the client).", + "type": "boolean" + }, + "generator": { + "default": "uuid#counter", + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", + "enum": [ + "tracker", + "uuid", + "uuid#counter" + ], + "type": "string" + }, + "header_name": { + "default": "Kong-Request-ID", + "description": "The HTTP header name to use for the correlation ID.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/cors/3.9.json b/json_schemas/cors/3.9.json new file mode 100644 index 00000000..d3d2518f --- /dev/null +++ b/json_schemas/cors/3.9.json 
@@ -0,0 +1,127 @@ +{ + "properties": { + "config": { + "properties": { + "credentials": { + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", + "type": "boolean" + }, + "exposed_headers": { + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "description": "Value for the `Access-Control-Allow-Headers` header.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "max_age": { + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`.", + "type": "number" + }, + "methods": { + "default": [ + "CONNECT", + "DELETE", + "GET", + "HEAD", + "OPTIONS", + "PATCH", + "POST", + "PUT", + "TRACE" + ], + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", + "items": { + "enum": [ + "CONNECT", + "DELETE", + "GET", + "HEAD", + "OPTIONS", + "PATCH", + "POST", + "PUT", + "TRACE" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "origins": { + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. 
The accepted values can either be flat strings or PCRE regexes.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "preflight_continue": { + "default": false, + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", + "type": "boolean" + }, + "private_network": { + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "minLength": 1, + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/datadog-tracing/3.9.json b/json_schemas/datadog-tracing/3.9.json new file mode 100644 index 00000000..a599aec1 --- /dev/null +++ b/json_schemas/datadog-tracing/3.9.json 
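Review bot: The `origins` description invites `*` and PCRE regexes without saying how either interacts with `credentials`, and the schema has no constraint tying the two fields together. Browsers refuse a literal `*` origin on credentialed responses, and a gateway that works around that by echoing the request origin effectively trusts every site. Which of these the plugin does is not visible in this hunk, so the description should state it. For regex entries it should also say whether the pattern is matched against the whole origin, with wording such as `Regex entries must match the entire origin; escape literal dots.` if that reflects the implementation. The `methods` description also carries stray `'` characters at the start and end of the JSON string.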
@@ -0,0 +1,101 @@ +{ + "properties": { + "config": { + "properties": { + "batch_flush_delay": { + "default": 3, + "type": "integer" + }, + "batch_span_count": { + "default": 200, + "type": "integer" + }, + "connect_timeout": { + "default": 1000, + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "endpoint": { + "type": "string" + }, + "environment": { + "default": "none", + "type": "string" + }, + "read_timeout": { + "default": 5000, + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 5000, + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "service_name": { + "default": "kong", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/datadog/3.9.json b/json_schemas/datadog/3.9.json new file mode 100644 index 00000000..b32b6dcf --- /dev/null +++ b/json_schemas/datadog/3.9.json 
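Review bot: None of the eight `config` properties in this hunk carries a `description`, unlike the other schemas added alongside it. The units of `batch_flush_delay`, `connect_timeout`, `read_timeout` and `send_timeout` cannot be told from the schema. `endpoint` is an unconstrained string even though it decides where trace data is sent. Add descriptions, and for `endpoint` state the expected URL form and whether a plain `http://` target is accepted.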
@@ -0,0 +1,247 @@ +{ + "properties": { + "config": { + "properties": { + "consumer_tag": { + "default": "consumer", + "description": "String to be attached as tag of the consumer.", + "type": "string" + }, + "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" + }, + "host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "metrics": { + "default": [ + { + "consumer_identifier": "custom_id", + "name": "kong_latency", + "sample_rate": 1, + "stat_type": "timer", + "tags": [ + "app:kong" + ] + } + ], + "description": "List of metrics to be logged.", + "items": { + "properties": { + "consumer_identifier": { + "description": "Authenticated user detail", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "description": "Datadog metric’s name", + "enum": [ + "kong_latency", + "latency", + "request_count", + "request_size", + "response_size", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "description": "Sampling rate", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "stat_type": { + "description": "Determines what sort of event the metric represents", + "enum": [ + "counter", + "distribution", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + }, + "tags": { + "description": "List of tags", + "items": { + "pattern": "^.*[^:]$", + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "name", + "stat_type" + ], + "type": "object" + }, + "type": "array" + }, + "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to be attached as a 
prefix to a metric's name.", + "type": "string" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "queue_size": { + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" + }, + "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" + }, + "service_name_tag": { + "default": "name", + "description": "String to be attached as the name of the 
service.", + "type": "string" + }, + "status_tag": { + "default": "status", + "description": "String to be attached as the tag of the HTTP status.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/degraphql/3.9.json b/json_schemas/degraphql/3.9.json new file mode 100644 index 00000000..305dfff1 --- /dev/null +++ b/json_schemas/degraphql/3.9.json 
@@ -0,0 +1,58 @@ +{ + "properties": { + "config": { + "properties": { + "graphql_server_path": { + "default": "/graphql", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/exit-transformer/3.9.json b/json_schemas/exit-transformer/3.9.json new file mode 100644 index 00000000..423006b1 --- /dev/null +++ b/json_schemas/exit-transformer/3.9.json 
@@ -0,0 +1,81 @@ +{ + "properties": { + "config": { + "properties": { + "functions": { + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "handle_unexpected": { + "default": false, + "description": "Determines whether to handle unexpected errors by transforming their responses.", + "type": "boolean" + }, + "handle_unknown": { + "default": false, + "description": "Determines whether to handle unknown status codes by transforming their responses.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
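Review bot: `config.functions` is the only field in this schema without a `description`, and its items are unconstrained strings. In the exit-transformer plugin these strings are, as far as I know, Lua function source that the gateway loads to rewrite error responses, so the schema should say so, e.g. `"description": "Array of Lua functions (as strings) used to transform exit responses. The code runs inside the gateway; restrict who can set it."` The `consumer` description here and in the neighbouring hunks reads "where the specified has been authenticated", which is missing the word "Consumer".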
diff --git a/json_schemas/file-log/3.9.json b/json_schemas/file-log/3.9.json new file mode 100644 index 00000000..1144bb8d --- /dev/null +++ b/json_schemas/file-log/3.9.json 
@@ -0,0 +1,86 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "path": { + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", + "pattern": "^[^*&%%\\`]+$", + "type": "string" + }, + "reopen": { + "default": false, + "description": "Determines whether the log file is closed and reopened on every request.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/forward-proxy/3.9.json b/json_schemas/forward-proxy/3.9.json new file mode 100644 index 00000000..800452c3 --- /dev/null +++ b/json_schemas/forward-proxy/3.9.json 
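Review bot: The `pattern` on `config.path` (a negated character class listing `*`, `&`, `%%`, an escaped backtick) does not confine the log file to any directory, and it looks like a Lua pattern copied verbatim into a JSON Schema regex. Read as a regex, the doubled `%` is redundant and the backslash only escapes the backtick, so a backslash that the Lua source presumably rejects is accepted here; absolute paths and `..` segments pass either way. Because the plugin creates the file when it is missing, the description should state that the path is written with the gateway worker's privileges, e.g. append `Only a few special characters are rejected; the path is not restricted to a log directory.` If excluding the backslash is intended, the JSON string needs four backslashes before the backtick instead of two.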
@@ -0,0 +1,123 @@ +{ + "properties": { + "config": { + "properties": { + "auth_password": { + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "type": "string" + }, + "auth_username": { + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "type": "string" + }, + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_verify": { + "default": false, + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "type": "boolean" + }, + "proxy_scheme": { + "default": "http", + "description": "The proxy scheme to use when connecting. Only `http` is supported.", + "enum": [ + "http" + ], + "type": "string" + }, + "x_headers": { + "default": "append", + "description": "Determines how to handle headers when forwarding the request.", + "enum": [ + "append", + "delete", + "transparent" + ], + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "proxy_host": { + "type": "string" + }, + "proxy_port": { + "type": "integer" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/graphql-proxy-cache-advanced/3.9.json b/json_schemas/graphql-proxy-cache-advanced/3.9.json new file mode 100644 index 00000000..8fc6a4c4 --- /dev/null +++ b/json_schemas/graphql-proxy-cache-advanced/3.9.json 
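Review bot: `https_verify` is declared with `"default": false`, so a configuration that omits it connects without validating the server certificate, while `auth_username`/`auth_password` sit in the same object and `proxy_scheme` allows only `http`. If this file mirrors the plugin's runtime defaults the value cannot be changed here, but the description should state the consequence, e.g. `Defaults to false, which disables certificate verification; set to true and configure lua_ssl_trusted_certificate for production use.` The same off-by-default pattern appears for `redis.ssl` and `redis.ssl_verify` next to `redis.password` in the graphql-proxy-cache-advanced and graphql-rate-limiting-advanced hunks. `auth_password` would also benefit from a line telling operators to supply it from a secret store rather than inline; whether this field supports vault references is not visible in the schema.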
@@ -0,0 +1,278 @@ +{ + "properties": { + "config": { + "properties": { + "bypass_on_err": { + "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "minimum": 0, + "type": "integer" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "default": "memory", + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", + "enum": [ + "memory", + "redis" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/graphql-rate-limiting-advanced/3.9.json b/json_schemas/graphql-rate-limiting-advanced/3.9.json new file mode 100644 index 00000000..7121732c --- /dev/null +++ b/json_schemas/graphql-rate-limiting-advanced/3.9.json 
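Review bot: `cluster_nodes`, `sentinel_nodes` and the shorthand `cluster_addresses`/`sentinel_addresses` are `"type": "array"` but carry `"minLength": 1`, a keyword JSON Schema applies only to strings, so an empty array validates despite the description's "minimum length of the array is 1 element". The keyword should be `"minItems": 1`; the graphql-rate-limiting-advanced hunk repeats the same four fields. In this hunk `cache_ttl` also says "Must be a value greater than 0" while declaring `"minimum": 0`; for an integer, `"minimum": 1` matches the text. The `strategy` description names only `memory` although the enum also lists `redis`.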
@@ -0,0 +1,321 @@ +{ + "properties": { + "config": { + "properties": { + "cost_strategy": { + "default": "default", + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", + "enum": [ + "default", + "node_quantifier" + ], + "type": "string" + }, + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters will be stored until the next sync cycle.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers. Available options: `true` or `false`.", + "type": "boolean" + }, + "identifier": { + "default": "consumer", + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", + "enum": [ + "consumer", + "credential", + "ip" + ], + "type": "string" + }, + "limit": { + "description": "One or more requests-per-window limits to apply.", + "items": { + "required": [], + "type": "number" + }, + "type": "array" + }, + "max_cost": { + "default": 0, + "description": "A defined maximum cost per query. 0 means unlimited.", + "type": "number" + }, + "namespace": { + "description": "The rate limiting namespace to use for this plugin instance. This namespace is used to share rate limiting counters across different instances. If it is not provided, a random UUID is generated. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "score_factor": { + "default": 1, + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", + "minimum": 0, + "type": "number" + }, + "strategy": { + "default": "cluster", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", + "enum": [ + "cluster", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.", + "type": "number" + }, + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds).", + "items": { + "required": [], + "type": "number" + }, + "type": "array" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window to either `sliding` or `fixed`.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/grpc-gateway/3.9.json b/json_schemas/grpc-gateway/3.9.json new file mode 100644 index 00000000..f9b0ae1e --- /dev/null +++ b/json_schemas/grpc-gateway/3.9.json 
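Review bot: `score_factor` is documented as "must always be greater than 0" but the schema declares `"minimum": 0`, so `0` passes validation. Since the field multiplies or divides the query cost, a zero value would presumably null out or break the cost that rate limiting relies on; `"exclusiveMinimum": 0` expresses the documented bound in draft-06 and later (no `$schema` is declared, so confirm the dialect consumers validate with). `sync_rate` likewise has no lower bound although its description gives `-1` as the smallest meaningful value; `"minimum": -1` would match it.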
@@ -0,0 +1,75 @@ +{ + "properties": { + "config": { + "properties": { + "proto": { + "description": "Describes the gRPC types and methods.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/grpc-web/3.9.json b/json_schemas/grpc-web/3.9.json new file mode 100644 index 00000000..41a21e62 --- /dev/null +++ b/json_schemas/grpc-web/3.9.json 
@@ -0,0 +1,84 @@ +{ + "properties": { + "config": { + "properties": { + "allow_origin_header": { + "default": "*", + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", + "type": "string" + }, + "pass_stripped_path": { + "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", + "type": "boolean" + }, + "proto": { + "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/header-cert-auth/3.9.json b/json_schemas/header-cert-auth/3.9.json new file mode 100644 index 00000000..0b872fc3 --- /dev/null +++ b/json_schemas/header-cert-auth/3.9.json 
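Review bot: `allow_origin_header` defaults to `*`, so a plugin instance created without this field answers gRPC-Web clients with `Access-Control-Allow-Origin: *`. The description should mention the default and its effect, e.g. append `Defaults to *, which allows every origin; set an explicit origin for services that are not meant to be public.` The `proto` description also spells the content type as `application/grpw-web+proto`, presumably meant to be `application/grpc-web+proto`.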
@@ -0,0 +1,167 @@ +{ + "properties": { + "config": { + "properties": { + "allow_partial_chain": { + "default": false, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "type": "boolean" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "authenticated_group_by": { + "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "enum": [ + "CN", + "DN" + ], + "type": "string" + }, + "ca_certificates": { + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", + "items": { + "required": [], + "type": "string", + "uuid": true + }, + "type": "array" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "cert_cache_ttl": { + "default": 60000, + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", + "type": "number" + }, + "certificate_header_format": { + "description": "Format of the certificate header. 
Supported formats: `base64_encoded`, `url_encoded`.", + "enum": [ + "base64_encoded", + "url_encoded" + ], + "type": "string" + }, + "certificate_header_name": { + "description": "Name of the header that contains the certificate, received from the WAF or other L7 downstream proxy.", + "type": "string" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "items": { + "enum": [ + "custom_id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "default_consumer": { + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "revocation_check_mode": { + "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. 
If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "enum": [ + "IGNORE_CA_ERROR", + "SKIP", + "STRICT" + ], + "type": "string" + }, + "secure_source": { + "default": true, + "description": "Whether to secure the source of the request. If set to `true`, the plugin will only allow requests from trusted IPs (configured by the `trusted_ips` config option).", + "type": "boolean" + }, + "skip_consumer_lookup": { + "default": false, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/hmac-auth/3.9.json b/json_schemas/hmac-auth/3.9.json new file mode 100644 index 00000000..163911ba --- /dev/null 
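Review bot: `config.required` is empty although the `ca_certificates` description says at least one CA is required, so a validator built on this schema accepts a configuration with no trust anchors. Adding `"minItems": 1` on `ca_certificates` and `"required": ["ca_certificates"]` on `config` would encode what the text promises. `certificate_header_name` and `certificate_header_format` have no default either and look equally mandatory, which should be confirmed against the plugin. The `secure_source` description points to a `trusted_ips` option that is not a property of this `config` object, so it should say where that setting lives. For `revocation_check_mode`, the default `IGNORE_CA_ERROR` is documented as not failing on network issues, and the description should state outright whether a certificate is accepted when neither OCSP nor CRL can be reached.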
+++ b/json_schemas/hmac-auth/3.9.json 
@@ -0,0 +1,110 @@ +{ + "properties": { + "config": { + "properties": { + "algorithms": { + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", + "items": { + "enum": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "anonymous": { + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + }, + "clock_skew": { + "default": 300, + "description": "Clock skew in seconds to prevent replay attacks.", + "minimum": 0, + "type": "number" + }, + "enforce_headers": { + "default": [], + "description": "A list of headers that the client should at least use for HTTP signature creation.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "type": "boolean" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "validate_request_body": { + "default": false, + "description": "A boolean value telling the plugin to enable body validation.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/http-log/3.9.json b/json_schemas/http-log/3.9.json new file mode 100644 index 00000000..548d1ad5 --- /dev/null +++ b/json_schemas/http-log/3.9.json 
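Review bot: The descriptions of `validate_request_body` and `enforce_headers` do not tell an operator what the defaults (`false` and `[]`) leave outside the signature check. Presumably the body is not verified and no particular header is mandatory, which is worth stating, e.g. `When false (default), the request body is not validated against the signature.` The `algorithms` default still lists `hmac-sha1`, and its description could note that the list can be narrowed to the SHA-2 variants. `clock_skew` has `"minimum": 0` but no `maximum`, so the schema accepts a window wide enough to undo the replay protection the description mentions.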
@@ -0,0 +1,185 @@ +{ + "properties": { + "config": { + "properties": { + "content_type": { + "default": "application/json", + "description": "Indicates the type of data sent. The only available option is `application/json`.", + "enum": [ + "application/json", + "application/json; charset=utf-8" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" + }, + "headers": { + "additionalProperties": true, + "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", + "type": "object" + }, + "http_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", + "type": "number" + }, + "method": { + "default": "POST", + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", + "enum": [ + "PATCH", + "POST", + "PUT" + ], + "type": "string" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. 
-1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "queue_size": { + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" + }, + "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the 
plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/injection-protection/3.9.json b/json_schemas/injection-protection/3.9.json new file mode 100644 index 00000000..199f956b --- /dev/null +++ b/json_schemas/injection-protection/3.9.json 
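Review bot: The `content_type` description says the only available option is `application/json`, but the `enum` below it also accepts `application/json; charset=utf-8`, so one of the two should change. `headers` is declared with `"additionalProperties": true` although its description says each header name accepts a single string; `"additionalProperties": { "type": "string" }` would match the text. `custom_fields_by_lua` is described only as `Lua code as a key-value map`. That description should say when the code runs and, if that is the case, that write access to this field amounts to code execution in the gateway.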
@@ -0,0 +1,132 @@ +{ + "properties": { + "config": { + "properties": { + "custom_injections": { + "default": null, + "description": "Custom regexes to check for.", + "items": { + "properties": { + "name": { + "description": "A unique name for this injection.", + "type": "string" + }, + "regex": { + "description": "The regex to match against.", + "is_regex": true, + "type": "string" + } + }, + "required": [ + "name", + "regex" + ], + "type": "object" + }, + "type": "array" + }, + "enforcement_mode": { + "default": "block", + "description": "Enforcement mode of the security policy.", + "enum": [ + "block", + "log_only" + ], + "type": "string" + }, + "error_message": { + "default": "Bad Request", + "description": "The response message when validation fails", + "type": "string" + }, + "error_status_code": { + "default": 400, + "description": "The response status code when validation fails.", + "maximum": 499, + "minimum": 400, + "type": "integer" + }, + "injection_types": { + "default": [ + "sql" + ], + "description": "The type of injections to check for.", + "items": { + "enum": [ + "java_exception", + "js", + "sql", + "ssi", + "xpath_abbreviated", + "xpath_extended" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "locations": { + "default": [ + "path_and_query" + ], + "description": "The locations to check for injection.", + "items": { + "enum": [ + "body", + "headers", + "path_and_query" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ip-restriction/3.9.json b/json_schemas/ip-restriction/3.9.json new file mode 100644 index 00000000..00e778e7 --- /dev/null +++ b/json_schemas/ip-restriction/3.9.json 
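Review bot: `custom_injections` declares `"type": "array"` with `"default": null`, so a consumer that applies schema defaults ends up with a value that fails the declared type. Dropping the `default` key or using `[]` avoids that. `regex` relies on `"is_regex": true`, which is not a standard JSON Schema keyword, and has no `maxLength`, so a generic validator accepts any string as a pattern that will later be matched against request data. The `locations` and `injection_types` descriptions should also state that the defaults cover only `path_and_query` and `sql`, meaning bodies, headers and the other injection classes are not inspected unless listed.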
@@ -0,0 +1,110 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", + "items": { + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "deny": { + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", + "items": { + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "message": { + "description": "The message to send as a response body to rejected requests.", + "type": "string" + }, + "status": { + "description": "The HTTP status of the requests that will be rejected by the plugin.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/jq/3.9.json b/json_schemas/jq/3.9.json new file mode 100644 index 00000000..562724b3 --- /dev/null +++ b/json_schemas/jq/3.9.json 
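Review bot: Both `allow` and `deny` say that one of the two must be specified, but `config` has `"required": []` and no combinator, so an empty `config` validates. Adding `"anyOf": [{ "required": ["allow"] }, { "required": ["deny"] }]` on `config` would express the rule. `status` is typed `number` with no bounds, whereas the injection-protection and json-threat-protection schemas in this patch use `"type": "integer"` with `"minimum": 400` and `"maximum": 499` for the same kind of field. The item descriptions promise an IP address or CIDR block, yet the items are unconstrained strings, so a mistyped entry passes schema validation and is caught, if at all, only by the gateway.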
@@ -0,0 +1,154 @@ +{ + "properties": { + "config": { + "properties": { + "request_if_media_type": { + "default": [ + "application/json" + ], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "request_jq_program": { + "type": "string" + }, + "request_jq_program_options": { + "properties": { + "ascii_output": { + "default": false, + "type": "boolean" + }, + "compact_output": { + "default": true, + "type": "boolean" + }, + "join_output": { + "default": false, + "type": "boolean" + }, + "raw_output": { + "default": false, + "type": "boolean" + }, + "sort_keys": { + "default": false, + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "response_if_media_type": { + "default": [ + "application/json" + ], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "response_if_status_code": { + "default": [ + 200 + ], + "items": { + "maximum": 599, + "minimum": 100, + "required": [], + "type": "integer" + }, + "type": "array" + }, + "response_jq_program": { + "type": "string" + }, + "response_jq_program_options": { + "properties": { + "ascii_output": { + "default": false, + "type": "boolean" + }, + "compact_output": { + "default": true, + "type": "boolean" + }, + "join_output": { + "default": false, + "type": "boolean" + }, + "raw_output": { + "default": false, + "type": "boolean" + }, + "sort_keys": { + "default": false, + "type": "boolean" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/json-threat-protection/3.9.json b/json_schemas/json-threat-protection/3.9.json new file mode 100644 index 00000000..86d98f32 --- /dev/null +++ b/json_schemas/json-threat-protection/3.9.json 
@@ -0,0 +1,116 @@ +{ + "properties": { + "config": { + "properties": { + "enforcement_mode": { + "default": "block", + "description": "Enforcement mode of the security policy.", + "enum": [ + "block", + "log_only" + ], + "type": "string" + }, + "error_message": { + "default": "Bad Request", + "description": "The response message when validation fails", + "type": "string" + }, + "error_status_code": { + "default": 400, + "description": "The response status code when validation fails.", + "maximum": 499, + "minimum": 400, + "type": "integer" + }, + "max_array_element_count": { + "default": -1, + "description": "Max number of elements in an array. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_body_size": { + "default": 8192, + "description": "Max size of the request body. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_container_depth": { + "default": -1, + "description": "Max nested depth of objects and arrays. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_object_entry_count": { + "default": -1, + "description": "Max number of entries in an object. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_object_entry_name_length": { + "default": -1, + "description": "Max string length of object name. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_string_value_length": { + "default": -1, + "description": "Max string value length. 
-1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/jwe-decrypt/3.9.json b/json_schemas/jwe-decrypt/3.9.json new file mode 100644 index 00000000..dd09fa60 --- /dev/null +++ b/json_schemas/jwe-decrypt/3.9.json 
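Review bot: Every limit except `max_body_size` defaults to `-1` (unlimited), so enabling the plugin with defaults enforces only the 8192 body-size cap. The descriptions of `max_container_depth`, `max_array_element_count`, `max_object_entry_count`, `max_object_entry_name_length` and `max_string_value_length` should say that these checks are off until a value is set. The shared `"maximum": 2147483648` is one above the largest signed 32-bit integer (2147483647), which looks like an off-by-one and should be checked against the plugin. `max_body_size` gives no unit (presumably bytes), and `"minimum": -1` also admits `0`, whose meaning is not documented.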
@@ -0,0 +1,76 @@ +{ + "properties": { + "config": { + "properties": { + "forward_header_name": { + "default": "Authorization", + "description": "The name of the header that is used to set the decrypted value.", + "type": "string" + }, + "key_sets": { + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "lookup_header_name": { + "default": "Authorization", + "description": "The name of the header to look for the JWE token.", + "type": "string" + }, + "strict": { + "default": true, + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
diff --git a/json_schemas/jwt-signer/3.9.json b/json_schemas/jwt-signer/3.9.json new file mode 100644 index 00000000..3be7f441 --- /dev/null +++ b/json_schemas/jwt-signer/3.9.json 
@@ -0,0 +1,639 @@ +{ + "properties": { + "config": { + "properties": { + "access_token_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_authorization": { + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", + "type": "string" + }, + "access_token_introspection_body_args": { + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", + "type": "string" + }, + "access_token_introspection_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. 
The parameter can take an array of values.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", + "type": "string" + }, + "access_token_introspection_hint": { + "default": "access_token", + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", + "type": "string" + }, + "access_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. 
You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", + "type": "number" + }, + "access_token_introspection_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", + "type": "number" + }, + "access_token_issuer": { + "default": "kong", + "description": "The `iss` claim of a signed or re-signed access token is set to this value. 
Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", + "type": "string" + }, + "access_token_jwks_uri": { + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", + "type": "string" + }, + "access_token_jwks_uri_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", + "type": "string" + }, + "access_token_jwks_uri_client_password": { + "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`", + "type": "string" + }, + "access_token_jwks_uri_client_username": { + "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`", + "type": "string" + }, + "access_token_jwks_uri_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. The default value 0 means no auto-rotation.", + "type": "number" + }, + "access_token_keyset": { + "default": "kong", + "description": "The name of the keyset containing signing keys.", + "type": "string" + }, + "access_token_keyset_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_keyset` is an https uri that requires mTLS Auth.", + "type": "string" + }, + "access_token_keyset_client_password": { + "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `access_token_keyset_client_username`", + "type": "string" + }, + "access_token_keyset_client_username": { + "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`", + "type": "string" + }, + "access_token_keyset_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. The default value 0 means no auto-rotation.", + "type": "number" + }, + "access_token_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", + "type": "number" + }, + "access_token_optional": { + "default": false, + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. 
If the token is provided, then this parameter has no effect", + "type": "boolean" + }, + "access_token_request_header": { + "default": "Authorization", + "description": "This parameter tells the name of the header where to look for the access token.", + "type": "string" + }, + "access_token_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_signing_algorithm": { + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS512" + ], + "type": "string" + }, + "access_token_upstream_header": { + "default": "Authorization:Bearer", + "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. 
If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", + "type": "string" + }, + "access_token_upstream_leeway": { + "default": 0, + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", + "type": "number" + }, + "add_access_token_claims": { + "additionalProperties": true, + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "add_channel_token_claims": { + "additionalProperties": true, + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "add_claims": { + "additionalProperties": true, + "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "cache_access_token_introspection": { + "default": true, + "description": "Whether to cache access token introspection results.", + "type": "boolean" + }, + "cache_channel_token_introspection": { + "default": true, + "description": "Whether to cache channel token introspection results.", + "type": "boolean" + }, + "channel_token_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. 
The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_authorization": { + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", + "items": { + "required": [], + "type": "string" + }, + "type": "string" + }, + "channel_token_introspection_body_args": { + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", + "items": { + "required": [], + "type": "string" + }, + "type": "string" + }, + "channel_token_introspection_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. 
Valid values are `id`, `username` and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", + "type": "string" + }, + "channel_token_introspection_hint": { + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", + "items": { + "required": [], + "type": "string" + }, + "type": "string" + }, + "channel_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_leeway": { + "default": 0, + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. 
The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", + "type": "number" + }, + "channel_token_introspection_scopes_claim": { + "default": [ + "scope" + ], + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_scopes_required": { + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", + "type": "number" + }, + "channel_token_issuer": { + "default": "kong", + "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", + "type": "string" + }, + "channel_token_jwks_uri": { + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. 
If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", + "type": "string" + }, + "channel_token_jwks_uri_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", + "type": "string" + }, + "channel_token_jwks_uri_client_password": { + "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`", + "type": "string" + }, + "channel_token_jwks_uri_client_username": { + "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", + "type": "string" + }, + "channel_token_jwks_uri_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. The default value 0 means no auto-rotation.", + "type": "number" + }, + "channel_token_keyset": { + "default": "kong", + "description": "The name of the keyset containing signing keys.", + "type": "string" + }, + "channel_token_keyset_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `channel_token_keyset` is an https uri that requires mTLS Auth.", + "type": "string" + }, + "channel_token_keyset_client_password": { + "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_keyset_client_username`", + "type": "string" + }, + "channel_token_keyset_client_username": { + "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`", + "type": "string" + }, + "channel_token_keyset_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. The default value 0 means no auto-rotation.", + "type": "number" + }, + "channel_token_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", + "type": "number" + }, + "channel_token_optional": { + "default": false, + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", + "type": "boolean" + }, + "channel_token_request_header": { + "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", + "type": "string" + }, + "channel_token_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. 
This supports nested claims.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_signing_algorithm": { + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS512" + ], + "type": "string" + }, + "channel_token_upstream_header": { + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", + "type": "string" + }, + "channel_token_upstream_leeway": { + "default": 0, + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", + "type": "number" + }, + "enable_access_token_introspection": { + "default": true, + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", + "type": "boolean" + }, + "enable_channel_token_introspection": { + "default": true, + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", + "type": "boolean" + }, + "enable_hs_signatures": { + "default": false, + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. 
If you need to accept such tokens for verification, enable this setting.", + "type": "boolean" + }, + "enable_instrumentation": { + "default": false, + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", + "type": "boolean" + }, + "original_access_token_upstream_header": { + "description": "The HTTP header name used to store the original access token.", + "type": "string" + }, + "original_channel_token_upstream_header": { + "description": "The HTTP header name used to store the original channel token.", + "type": "string" + }, + "realm": { + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", + "type": "string" + }, + "remove_access_token_claims": { + "default": [], + "description": "remove claims. It should be an array, and each element is a claim key string.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "remove_channel_token_claims": { + "default": [], + "description": "remove claims. It should be an array, and each element is a claim key string.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "set_access_token_claims": { + "additionalProperties": true, + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "set_channel_token_claims": { + "additionalProperties": true, + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "set_claims": { + "additionalProperties": true, + "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. 
Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "trust_access_token_introspection": { + "default": true, + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", + "type": "boolean" + }, + "trust_channel_token_introspection": { + "default": true, + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", + "type": "boolean" + }, + "verify_access_token_expiry": { + "default": true, + "description": "Quickly turn access token expiry verification off and on as needed.", + "type": "boolean" + }, + "verify_access_token_introspection_expiry": { + "default": true, + "description": "Quickly turn access token introspection expiry verification off and on as needed.", + "type": "boolean" + }, + "verify_access_token_introspection_scopes": { + "default": true, + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", + "type": "boolean" + }, + "verify_access_token_scopes": { + "default": true, + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", + "type": "boolean" + }, + "verify_access_token_signature": { + "default": true, + "description": "Quickly turn access token signature verification off and on as needed.", + "type": "boolean" + }, + 
"verify_channel_token_expiry": { + "default": true, + "type": "boolean" + }, + "verify_channel_token_introspection_expiry": { + "default": true, + "description": "Quickly turn on/off the channel token introspection expiry verification.", + "type": "boolean" + }, + "verify_channel_token_introspection_scopes": { + "default": true, + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", + "type": "boolean" + }, + "verify_channel_token_scopes": { + "default": true, + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", + "type": "boolean" + }, + "verify_channel_token_signature": { + "default": true, + "description": "Quickly turn on/off the channel token signature verification.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
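Review bot: The description of `channel_token_introspection_authorization` repeats the introspection-endpoint text ("you need to specify the OAuth 2.0 introspection endpoint URI"), while the parallel `access_token_introspection_authorization` entry describes the `Authorization` header value, so an operator reading this schema could put a URI where a credential is expected. The same copy-paste pattern shows in `channel_token_jwks_uri_client_certificate` (names `access_token_jwks_uri`), `channel_token_introspection_timeout` (names `config.access_token_introspection_timeout`) and `channel_token_introspection_endpoint` (speaks of access tokens). I would reword the first to mirror the access-token entry, e.g. `If the introspection endpoint requires client authentication, specify the Authorization header's value for channel token introspection with this parameter.`, and point the other three at their `channel_token_*` counterparts. Several of these string-typed entries also carry an `items` block, which has no effect on a string. If this file is generated from the plugin schema, the wording should be corrected there and the file regenerated.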
diff --git a/json_schemas/jwt/3.9.json b/json_schemas/jwt/3.9.json new file mode 100644 index 00000000..256f1af8 --- /dev/null +++ b/json_schemas/jwt/3.9.json 
@@ -0,0 +1,126 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + }, + "claims_to_verify": { + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", + "items": { + "enum": [ + "exp", + "nbf" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "cookie_names": { + "default": [], + "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "header_names": { + "default": [ + "authorization" + ], + "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "key_claim_name": { + "default": "iss", + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", + "type": "string" + }, + "maximum_expiration": { + "default": 0, + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", + "maximum": 31536000, + "minimum": 0, + "type": "number" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. 
If set to false, then OPTIONS requests will always be allowed.", + "type": "boolean" + }, + "secret_is_base64": { + "default": false, + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", + "type": "boolean" + }, + "uri_param_names": { + "default": [ + "jwt" + ], + "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/kafka-log/3.9.json b/json_schemas/kafka-log/3.9.json new file mode 100644 index 00000000..03450b52 --- /dev/null +++ b/json_schemas/kafka-log/3.9.json 
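Review bot: Neither `claims_to_verify` nor `maximum_expiration` says what the defaults mean for expiry checking. `claims_to_verify` has no default and `maximum_expiration` defaults to `0`, which reads as though a token's `exp` is not checked unless the operator opts in. The descriptions should state this, for instance by appending `The default 0 disables the lifetime limit; add exp to claims_to_verify to enforce token expiry.` to `maximum_expiration` once the behaviour is confirmed against the plugin. `uri_param_names` defaulting to `jwt` also deserves a sentence noting that tokens passed in the query string can end up in access logs and `Referer` headers.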
@@ -0,0 +1,216 @@ +{ + "properties": { + "config": { + "properties": { + "authentication": { + "properties": { + "mechanism": { + "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", + "enum": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "type": "string" + }, + "password": { + "description": "Password for SASL authentication.", + "type": "string" + }, + "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "enum": [ + "sasl" + ], + "type": "string" + }, + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication", + "type": "boolean" + }, + "user": { + "description": "Username for SASL authentication.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. 
Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "keepalive": { + "default": 60000, + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + }, + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + }, + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + }, + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "enum": [ + -1, + 0, + 1 + ], + "type": "integer" + }, + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + }, + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single Produce request.", + "type": "integer" + }, + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + }, + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + }, + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds", + "type": "integer" + }, + "security": { + "properties": { + "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string", + "uuid": true + }, + "ssl": { + "description": "Enables TLS.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topic": { + "description": "The Kafka topic to publish to.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/kafka-upstream/3.9.json b/json_schemas/kafka-upstream/3.9.json new file mode 100644 index 00000000..28be0e0e --- /dev/null +++ b/json_schemas/kafka-upstream/3.9.json 
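Review bot: The `authentication.mechanism` description lists only `PLAIN` or `SCRAM-SHA-256`, but the `enum` directly below it also accepts `SCRAM-SHA-512`. The kafka-upstream schema added in the next hunk documents all three, so this description should read ``Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.`` as well. Leaving the strongest option undocumented steers readers toward the other two. The description could also note that `PLAIN` transmits the password unprotected and therefore depends on `security.ssl`, which has no default in this schema.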
@@ -0,0 +1,228 @@ +{ + "properties": { + "config": { + "properties": { + "authentication": { + "properties": { + "mechanism": { + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", + "enum": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "type": "string" + }, + "password": { + "description": "Password for SASL authentication.", + "type": "string" + }, + "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "enum": [ + "sasl" + ], + "type": "string" + }, + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication.", + "type": "boolean" + }, + "user": { + "description": "Username for SASL authentication.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "forward_body": { + "default": true, + "description": "Include the request body in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_headers": { + "default": false, + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_method": { + "default": false, + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_uri": { + "default": false, + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "Keepalive timeout in milliseconds.", + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + }, + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + }, + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + }, + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "enum": [ + -1, + 0, + 1 + ], + "type": "integer" + }, + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + }, + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single producer request.", + "type": "integer" + }, + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + }, + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + }, + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer" + }, + "security": { + "properties": { + "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string", + "uuid": true + }, + "ssl": { + "description": "Enables TLS.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topic": { + "description": "The Kafka topic to publish to.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/key-auth-enc/3.9.json b/json_schemas/key-auth-enc/3.9.json new file mode 100644 index 00000000..e436fd07 --- /dev/null +++ b/json_schemas/key-auth-enc/3.9.json 
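Review bot: The `forward_headers` and `forward_body` descriptions do not say whether credential-bearing parts of the request (an `Authorization` or `Cookie` header, a key carried in the body) are removed before the message is produced. If they are not, enabling these flags copies client credentials into the Kafka topic, where topic retention and consumer ACLs rather than the gateway decide who can read them, and `forward_body` is `true` by default. I would add a sentence to both descriptions, for example `Content is forwarded unfiltered; remove credentials in an earlier plugin if the topic is less trusted than the gateway.`, after confirming the behaviour against the plugin.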
@@ -0,0 +1,102 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", + "type": "boolean" + }, + "key_in_body": { + "default": false, + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "key_in_header": { + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean" + }, + "key_in_query": { + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean" + }, + "key_names": { + "default": [ + "apikey" + ], + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. 
Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "items": { + "description": "A string representing an HTTP header name.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
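Review bot: The `key_in_body` description names the form MIME type as `application/www-form-urlencoded`, which looks like a typo for `application/x-www-form-urlencoded`; the same text appears in the key-auth schema in the following hunk. A reader matching on the documented string would conclude that ordinary form bodies are not inspected for the key. Separately, the `key_names` items are described as "A string representing an HTTP header name" although the parent description says the same names are looked up in the header, request body and query string; `A parameter name searched in the header, query string, or request body.` would match what the parent states.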
diff --git a/json_schemas/key-auth/3.9.json b/json_schemas/key-auth/3.9.json new file mode 100644 index 00000000..42a51f9a --- /dev/null +++ b/json_schemas/key-auth/3.9.json 
@@ -0,0 +1,102 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", + "type": "boolean" + }, + "key_in_body": { + "default": false, + "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "key_in_header": { + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean" + }, + "key_in_query": { + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean" + }, + "key_names": { + "default": [ + "apikey" + ], + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "items": { + "description": "A string representing an HTTP header name.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. 
If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/konnect-application-auth/3.9.json b/json_schemas/konnect-application-auth/3.9.json new file mode 100644 index 00000000..582fcff7 --- /dev/null +++ b/json_schemas/konnect-application-auth/3.9.json 
@@ -0,0 +1,2149 @@ +{ + "properties": { + "config": { + "properties": { + "auth_type": { + "default": "openid-connect", + "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", + "enum": [ + "key-auth", + "openid-connect", + "v2-strategies" + ], + "type": "string" + }, + "key_names": { + "default": [ + "apikey" + ], + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "items": { + "description": "A string representing an HTTP header name.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "scope": { + "description": "The unique scope identifier for the plugin configuration.", + "type": "string" + }, + "v2_strategies": { + "description": "The map of v2 strategies.", + "properties": { + "key_auth": { + "description": "List of key_auth strategies.", + "items": { + "properties": { + "config": { + "properties": { + "key_names": { + "default": [ + "apikey" + ], + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "items": { + "description": "A string representing an HTTP header name.", + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "strategy_id": { + "description": "The strategy id the config is tied to.", + "type": "string" + } + }, + "required": [ + "config", + "strategy_id" + ], + "type": "object" + }, + "type": "array" + }, + "openid_connect": { + "description": "List of openid_connect strategies.", + "items": { + "properties": { + "config": { + "description": "openid-connect plugin configuration.", + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "audience": { + "description": "The audience passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "audience_claim": { + "default": [ + "aud" + ], + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "audience_required": { + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "auth_methods": { + "default": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "description": "Types of credentials/grants to enable.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "authenticated_groups_claim": { + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", + "type": "string" + }, + "authorization_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "authorization_cookie_name": { + "default": "authorization", + "description": "The authorization cookie name.", + "type": "string" + }, + "authorization_cookie_path": { + "default": "/", + "description": "The authorization cookie Path flag.", + "type": "string" + }, + "authorization_cookie_same_site": { + "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "authorization_endpoint": { + "description": "The authorization endpoint. 
If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "authorization_query_args_client": { + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_names": { + "description": "Extra query argument names passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_values": { + "description": "Extra query argument values passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_rolling_timeout": { + "default": 600, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number" + }, + "bearer_token_cookie_name": { + "description": "The name of the cookie in which the bearer token is passed.", + "type": "string" + }, + "bearer_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "items": { + "enum": [ + "body", + "cookie", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "by_username_ignore_case": { + "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "type": "boolean" + }, + "cache_introspection": { + "default": true, + "description": "Cache the introspection endpoint requests.", + "type": 
"boolean" + }, + "cache_token_exchange": { + "default": true, + "description": "Cache the token exchange endpoint requests.", + "type": "boolean" + }, + "cache_tokens": { + "default": true, + "description": "Cache the token endpoint requests.", + "type": "boolean" + }, + "cache_tokens_salt": { + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "type": "string" + }, + "cache_ttl": { + "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "type": "number" + }, + "cache_ttl_max": { + "description": "The maximum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_min": { + "description": "The minimum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_neg": { + "description": "The negative cache ttl in seconds.", + "type": "number" + }, + "cache_ttl_resurrect": { + "description": "The resurrection ttl in seconds.", + "type": "number" + }, + "cache_user_info": { + "default": true, + "description": "Cache the user info requests.", + "type": "boolean" + }, + "claims_forbidden": { + "description": "If given, these claims are forbidden in the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_alg": { + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "items": { + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS384", + "RS512" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_arg": { + "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "type": "string" + }, + "client_auth": { + "description": "The default OpenID Connect client authentication method is 
'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "items": { + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_credentials_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_jwk": { + "description": "The JWK used for the private_key_jwt authentication.", + "items": { + "properties": { + "alg": { + "type": "string" + }, + "crv": { + "type": "string" + }, + "d": { + "type": "string" + }, + "dp": { + "type": "string" + }, + "dq": { + "type": "string" + }, + "e": { + "type": "string" + }, + "issuer": { + "type": "string" + }, + "k": { + "type": "string" + }, + "key_ops": { + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "kid": { + "type": "string" + }, + "kty": { + "type": "string" + }, + "n": { + "type": "string" + }, + "oth": { + "type": "string" + }, + "p": { + "type": "string" + }, + "q": { + "type": "string" + }, + "qi": { + "type": "string" + }, + "r": { + "type": "string" + }, + "t": { + "type": 
"string" + }, + "use": { + "type": "string" + }, + "x": { + "type": "string" + }, + "x5c": { + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "x5t": { + "type": "string" + }, + "x5t#S256": { + "type": "string" + }, + "x5u": { + "type": "string" + }, + "y": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "type": "array" + }, + "client_secret": { + "description": "The client secret.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "cluster_cache_redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "cluster_cache_strategy": { + "default": "off", + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. 
Currentlly only introspection cache is shared.", + "enum": [ + "off", + "redis" + ], + "type": "string" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_claim": { + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_optional": { + "default": false, + "description": "Do not terminate the request if consumer mapping fails.", + "type": "boolean" + }, + "credential_claim": { + "default": [ + "sub" + ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "disable_session": { + "description": "Disable issuing the session cookie with the specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_names": { + "description": "Extra header names passed to the discovery endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_values": { + "description": "Extra header values passed to the discovery endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "display_errors": { + "default": false, + "description": "Display errors on failure responses.", + "type": "boolean" + }, + "domains": { + "description": "The allowed values for the `hd` claim.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "downstream_access_token_header": { + "description": "The downstream access token header.", + "type": "string" + }, + "downstream_access_token_jwk_header": { + "description": "The downstream access token JWK header.", + "type": "string" + }, + "downstream_headers_claims": { + "description": "The downstream header claims. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "downstream_headers_names": { + "description": "The downstream header names for the claim values.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "downstream_id_token_header": { + "description": "The downstream id token header.", + "type": "string" + }, + "downstream_id_token_jwk_header": { + "description": "The downstream id token JWK header.", + "type": "string" + }, + "downstream_introspection_header": { + "description": "The downstream introspection header.", + "type": "string" + }, + "downstream_introspection_jwt_header": { + "description": "The downstream introspection JWT header.", + "type": "string" + }, + "downstream_refresh_token_header": { + "description": "The downstream refresh token header.", + "type": "string" + }, + "downstream_session_id_header": { + "description": "The downstream session id header.", + "type": "string" + }, + "downstream_user_info_header": { + "description": "The downstream user info header.", + "type": "string" + }, + "downstream_user_info_jwt_header": { + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "dpop_proof_lifetime": { + "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "type": "number" + }, + "dpop_use_nonce": { + "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. 
When enabled it will also be used to calculate the DPoP proof lifetime.", + "type": "boolean" + }, + "enable_hs_signatures": { + "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "type": "boolean" + }, + "end_session_endpoint": { + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "expose_error_code": { + "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "type": "boolean" + }, + "extra_jwks_uris": { + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "forbidden_destroy_session": { + "default": true, + "description": "Destroy any active session for the forbidden requests.", + "type": "boolean" + }, + "forbidden_error_message": { + "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection).", + "type": "string" + }, + "forbidden_redirect_uri": { + "description": "Where to redirect the client on forbidden requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "groups_claim": { + "default": [ + "groups" + ], + "description": "The claim that contains the groups. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "groups_required": { + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "hide_credentials": { + "default": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "type": "boolean" + }, + "http_proxy": { + "description": "The HTTP proxy.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The HTTP proxy authorization.", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The HTTPS proxy.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The HTTPS proxy authorization.", + "type": "string" + }, + "id_token_param_name": { + "description": "The name of the parameter used to pass the id token.", + "type": "string" + }, + "id_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "ignore_signature": { + "default": [], + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - 
`client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "introspection", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspect_jwt_tokens": { + "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "type": "boolean" + }, + "introspection_accept": { + "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt", + "application/token-introspection+jwt" + ], + "type": "string" + }, + "introspection_check_active": { + "default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "type": "boolean" + }, + "introspection_endpoint": { + "description": "The introspection endpoint. 
If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "introspection_endpoint_auth_method": { + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "introspection_headers_client": { + "description": "Extra headers passed from the client to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_names": { + "description": "Extra header names passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_values": { + "description": "Extra header values passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_hint": { + "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "type": "string" + }, + "introspection_post_args_client": { + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_client_headers": { + "description": "Extra post arguments passed from the client headers to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_names": { + "description": "Extra post argument names passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + 
"introspection_post_args_values": { + "description": "Extra post argument values passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for introspection.", + "type": "string" + }, + "issuer": { + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "type": "string" + }, + "issuers_allowed": { + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "jwt_session_claim": { + "default": "sid", + "description": "The claim to match against the JWT session cookie.", + "type": "string" + }, + "jwt_session_cookie": { + "description": "The name of the JWT session cookie.", + "type": "string" + }, + "keepalive": { + "default": true, + "description": "Use keepalive with the HTTP client.", + "type": "boolean" + }, + "leeway": { + "default": 0, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "type": "number" + }, + "login_action": { + "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "enum": [ + "redirect", + "response", + "upstream" + ], + "type": "string" + }, + "login_methods": { + "default": [ + "authorization_code" + ], + "description": "Enable login functionality with specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "login_redirect_mode": { + 
"default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "enum": [ + "fragment", + "query" + ], + "type": "string" + }, + "login_redirect_uri": { + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "login_tokens": { + "default": [ + "id_token" + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "items": { + "enum": [ + "access_token", + "id_token", + "introspection", + "refresh_token", + "tokens" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "logout_methods": { + "default": [ + "DELETE", + "POST" + ], + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "items": { + "enum": [ + "DELETE", + "GET", + "POST" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "logout_post_arg": { + "description": "The request body argument that activates the logout.", + "type": "string" + }, + "logout_query_arg": { + "description": "The request query argument that activates the logout.", + "type": "string" + }, + "logout_redirect_uri": { + "description": "Where to redirect the client after the logout.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + 
"logout_revoke": { + "default": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "type": "boolean" + }, + "logout_revoke_access_token": { + "default": true, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_revoke_refresh_token": { + "default": true, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_uri_suffix": { + "description": "The request URI suffix that activates the logout.", + "type": "string" + }, + "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "type": "number" + }, + "mtls_introspection_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_revocation_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_token_endpoint": { + "description": "Alias for the token endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "no_proxy": { + "description": "Do not use proxy with these hosts.", + "type": "string" + }, + "password_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "preserve_query_args": { + "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "type": "boolean" + }, + "proof_of_possession_auth_methods_validation": { + "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "type": "boolean" + }, + "proof_of_possession_dpop": { + "default": "off", + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "proof_of_possession_mtls": { + "default": "off", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. 
If the verification fails, the request will be rejected with 401.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "pushed_authorization_request_endpoint": { + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "pushed_authorization_request_endpoint_auth_method": { + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "redirect_uri": { + "description": "The redirect URI passed to the authorization and token endpoints.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "description": "The Redis session key prefix.", + "type": "string" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "socket": { + "description": "The Redis unix socket path.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. 
This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "rediscovery_lifetime": { + "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", + "type": "number" + }, + "refresh_token_param_name": { + "description": "The name of the parameter used to pass the refresh token.", + "type": "string" + }, + "refresh_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "refresh_tokens": { + "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "type": "boolean" + }, + "require_proof_key_for_code_exchange": { + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "type": "boolean" + }, + "require_pushed_authorization_requests": { + "description": "Forcibly enable or disable the pushed authorization requests. 
When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "type": "boolean" + }, + "require_signed_request_object": { + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "type": "boolean" + }, + "resolve_distributed_claims": { + "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "type": "boolean" + }, + "response_mode": { + "default": "query", + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "enum": [ + "form_post", + "form_post.jwt", + "fragment", + "fragment.jwt", + "jwt", + "query", + "query.jwt" + ], + "type": "string" + }, + "response_type": { + "default": [ + "code" + ], + "description": "The response type passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "reverify": { + "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", + "type": "boolean" + }, + "revocation_endpoint": { + "description": "The revocation endpoint. 
If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "revocation_endpoint_auth_method": { + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "revocation_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for revocation.", + "type": "string" + }, + "roles_claim": { + "default": [ + "roles" + ], + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "roles_required": { + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "run_on_preflight": { + "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "type": "boolean" + }, + "scopes": { + "default": [ + "openid" + ], + "description": "The scopes passed to the authorization and token endpoints.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "scopes_claim": { + "default": [ + "scope" + ], + "description": "The claim that contains the scopes. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "scopes_required": { + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "search_user_info": { + "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "type": "boolean" + }, + "session_absolute_timeout": { + "default": 86400, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_audience": { + "default": "default", + "description": "The session audience, which is the intended target application. 
For example `\"my-application\"`.", + "type": "string" + }, + "session_cookie_domain": { + "description": "The session cookie Domain flag.", + "type": "string" + }, + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "type": "string" + }, + "session_cookie_path": { + "default": "/", + "description": "The session cookie Path flag.", + "type": "string" + }, + "session_cookie_same_site": { + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean" + }, + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean" + }, + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "type": "boolean" + }, + "session_idling_timeout": { + "default": 900, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 
0 disables the checks and touching.", + "type": "number" + }, + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "type": "string" + }, + "session_memcached_port": { + "default": 11211, + "description": "The memcached port.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "type": "string" + }, + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "type": "string" + }, + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean" + }, + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string" + }, + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "type": "number" + }, + "session_request_headers": { + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "session_response_headers": { + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. 
`[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "session_rolling_timeout": { + "default": 3600, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number" + }, + "session_secret": { + "description": "The session secret.", + "type": "string" + }, + "session_storage": { + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "enum": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "type": "string" + }, + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "Verify identity provider server certificate. 
If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network IO timeout in milliseconds.", + "type": "number" + }, + "tls_client_auth_cert_id": { + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "type": "string", + "uuid": true + }, + "tls_client_auth_ssl_verify": { + "default": true, + "description": "Verify identity provider server certificate during mTLS client authentication.", + "type": "boolean" + }, + "token_cache_key_include_scope": { + "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean" + }, + "token_endpoint": { + "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "token_endpoint_auth_method": { + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "token_exchange_endpoint": { + "description": "The token exchange endpoint.", + "type": "string" + }, + "token_headers_client": { + "description": "Extra headers passed from the client to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_grants": { + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - 
`client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "password", + "refresh_token" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_names": { + "description": "Extra header names passed to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "type": "string" + }, + "token_headers_replay": { + "description": "The names of token endpoint response headers to forward to the downstream client.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_values": { + "description": "Extra header values passed to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_post_args_client": { + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. 
If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_post_args_names": { + "description": "Extra post argument names passed to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_post_args_values": { + "description": "Extra post argument values passed to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "unauthorized_destroy_session": { + "default": true, + "description": "Destroy any active session for the unauthorized requests.", + "type": "boolean" + }, + "unauthorized_error_message": { + "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection).", + "type": "string" + }, + "unauthorized_redirect_uri": { + "description": "Where to redirect the client on unauthorized requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "unexpected_redirect_uri": { + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "upstream_access_token_header": { + "default": "authorization:bearer", + "description": "The upstream access token header.", + "type": "string" + }, + "upstream_access_token_jwk_header": { + "description": "The upstream access token JWK 
header.", + "type": "string" + }, + "upstream_headers_claims": { + "description": "The upstream header claims. Only top level claims are supported.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "upstream_headers_names": { + "description": "The upstream header names for the claim values.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "upstream_id_token_header": { + "description": "The upstream id token header.", + "type": "string" + }, + "upstream_id_token_jwk_header": { + "description": "The upstream id token JWK header.", + "type": "string" + }, + "upstream_introspection_header": { + "description": "The upstream introspection header.", + "type": "string" + }, + "upstream_introspection_jwt_header": { + "description": "The upstream introspection JWT header.", + "type": "string" + }, + "upstream_refresh_token_header": { + "description": "The upstream refresh token header.", + "type": "string" + }, + "upstream_session_id_header": { + "description": "The upstream session id header.", + "type": "string" + }, + "upstream_user_info_header": { + "description": "The upstream user info header.", + "type": "string" + }, + "upstream_user_info_jwt_header": { + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "userinfo_accept": { + "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt" + ], + "type": "string" + }, + "userinfo_endpoint": { + "description": "The user info endpoint. 
If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "userinfo_headers_client": { + "description": "Extra headers passed from the client to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_names": { + "description": "Extra header names passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_values": { + "description": "Extra header values passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_client": { + "description": "Extra query arguments passed from the client to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_names": { + "description": "Extra query argument names passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_values": { + "description": "Extra query argument values passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "using_pseudo_issuer": { + "default": false, + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "type": "boolean" + }, + "verify_claims": { + "default": true, + "description": "Verify tokens for standard claims.", + "type": "boolean" + }, + "verify_nonce": { + "default": true, + "description": "Verify nonce on authorization code flow.", + "type": "boolean" + }, + "verify_parameters": { + "default": false, + "description": "Verify plugin configuration against discovery.", + "type": "boolean" + }, + "verify_signature": { + "default": true, + "description": "Verify signature of tokens.", + "type": "boolean" + } + }, + "required": [ + "cluster_cache_redis", + "issuer", + "redis" + ], + "type": "object" + }, + "strategy_id": { + "description": "The strategy id the config is tied to.", + "type": "string" + } + }, + "required": [ + "strategy_id" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ldap-auth-advanced/3.9.json b/json_schemas/ldap-auth-advanced/3.9.json new file mode 100644 index 00000000..3963afba --- /dev/null +++ b/json_schemas/ldap-auth-advanced/3.9.json 
@@ -0,0 +1,179 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "default": "", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "minLength": 0, + "type": "string" + }, + "attribute": { + "description": "Attribute to be used to search the user; e.g., \"cn\".", + "type": "string" + }, + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", + "type": "string" + }, + "bind_dn": { + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", + "type": "string" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", + "items": { + "enum": [ + "custom_id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_optional": { + "default": false, + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", + "type": "boolean" + }, + "group_base_dn": { + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", + "type": "string" + }, + "group_member_attribute": { + "default": "memberOf", + "description": "Sets the attribute holding the members of the LDAP group. 
This field is case-sensitive.", + "type": "string" + }, + "group_name_attribute": { + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", + "type": "string" + }, + "groups_required": { + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "header_type": { + "default": "ldap", + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. 
It will be removed by Kong before proxying the request.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" + }, + "ldap_host": { + "description": "Host on which the LDAP server is running.", + "type": "string" + }, + "ldap_password": { + "description": "The password to the LDAP server.", + "type": "string" + }, + "ldap_port": { + "default": 389, + "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", + "type": "number" + }, + "ldaps": { + "default": false, + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "type": "boolean" + }, + "log_search_results": { + "default": false, + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", + "type": "boolean" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "start_tls": { + "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. 
If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" + }, + "verify_ldap_host": { + "default": false, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ldap-auth/3.9.json b/json_schemas/ldap-auth/3.9.json new file mode 100644 index 00000000..01d68fe9 --- /dev/null 
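Review bot: The `ldaps` description tells the operator "If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled", but this schema has no `ldap` setting; it presumably means `ldaps`, and the same sentence appears in the json_schemas/ldap-auth/3.9.json hunk. `verify_ldap_host` defaults to `false` in both schemas, and by its own description it is the switch that authenticates the LDAP server, so an `ldaps` or `start_tls` connection is encrypted but unauthenticated unless it is turned on; the description should state that consequence instead of only "Set to `true` to authenticate LDAP server". `ldap_port` is `"type": "number"` with no bounds here, whereas the ldap-auth hunk declares `"type": "integer"` with `"minimum": 0` and `"maximum": 65535`. The `group_base_dn` description also ends in a stray fragment (`',dc=com'.`) that looks like a truncated example. If these files are pulled from an API rather than hand-edited, the corrections belong in the upstream plugin schema.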
+++ b/json_schemas/ldap-auth/3.9.json 
@@ -0,0 +1,124 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`.", + "type": "string" + }, + "attribute": { + "description": "Attribute to be used to search the user; e.g. cn", + "type": "string" + }, + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", + "type": "string" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "header_type": { + "default": "ldap", + "description": "An optional string to use as part of the Authorization header", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" + }, + "ldap_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "ldap_port": { + "default": 389, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "ldaps": { + "default": false, + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. 
If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "type": "boolean" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "start_tls": { + "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" + }, + "verify_ldap_host": { + "default": false, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/loggly/3.9.json b/json_schemas/loggly/3.9.json new file mode 100644 index 00000000..5c5621cc --- /dev/null +++ b/json_schemas/loggly/3.9.json 
@@ -0,0 +1,161 @@ +{ + "properties": { + "config": { + "properties": { + "client_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "host": { + "default": "logs-01.loggly.com", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "key": { + "type": "string" + }, + "log_level": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "port": { + "default": 514, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "server_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "successful_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "tags": { + "default": [ + "kong" + ], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "timeout": { + "default": 10000, + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/mocking/3.9.json b/json_schemas/mocking/3.9.json new file mode 100644 index 00000000..ef0dfd5c --- /dev/null +++ b/json_schemas/mocking/3.9.json 
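Review bot: The `consumer` description drops its noun: "requests where the specified has been authenticated" should read `requests where the specified consumer has been authenticated`. The same sentence appears in the mocking and oas-validation hunks below. In `config`, `key` has no description although it looks like the credential sent to the Loggly host; a line such as `"description": "Loggly customer token; treat as a secret."` would tell operators to keep it out of shared configuration, once the meaning is confirmed against the plugin. The three `*_severity` fields, `log_level`, `tags` and `timeout` are undocumented as well.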
@@ -0,0 +1,114 @@ +{ + "properties": { + "config": { + "properties": { + "api_specification": { + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", + "type": "string" + }, + "api_specification_filename": { + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", + "type": "string" + }, + "custom_base_path": { + "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", + "type": "string" + }, + "include_base_path": { + "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation.", + "type": "boolean" + }, + "included_status_codes": { + "description": "A global list of the HTTP status codes that can only be selected and returned.", + "items": { + "required": [], + "type": "integer" + }, + "type": "array" + }, + "max_delay_time": { + "default": 1, + "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", + "type": "number" + }, + "min_delay_time": { + "default": 0.001, + "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`.", + "type": "number" + }, + "random_delay": { + "default": false, + "description": "Enables a random delay in the mocked response. 
Introduces delays to simulate real-time response times by APIs.", + "type": "boolean" + }, + "random_examples": { + "default": false, + "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", + "type": "boolean" + }, + "random_status_code": { + "default": false, + "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/mtls-auth/3.9.json b/json_schemas/mtls-auth/3.9.json new file mode 100644 index 00000000..4f4afe55 --- /dev/null +++ b/json_schemas/mtls-auth/3.9.json 
@@ -0,0 +1,155 @@ +{ + "properties": { + "config": { + "properties": { + "allow_partial_chain": { + "default": false, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "type": "boolean" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "authenticated_group_by": { + "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "enum": [ + "CN", + "DN" + ], + "type": "string" + }, + "ca_certificates": { + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. 
The value of this array is comprised of primary keys (`id`).", + "items": { + "required": [], + "type": "string", + "uuid": true + }, + "type": "array" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "cert_cache_ttl": { + "default": 60000, + "description": "The length of time in seconds between refreshes of the revocation check status cache.", + "type": "number" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "items": { + "enum": [ + "custom_id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "default_consumer": { + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "revocation_check_mode": { + "default": "IGNORE_CA_ERROR", + "description": "Controls 
client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "enum": [ + "IGNORE_CA_ERROR", + "SKIP", + "STRICT" + ], + "type": "string" + }, + "send_ca_dn": { + "default": false, + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", + "type": "boolean" + }, + "skip_consumer_lookup": { + "default": false, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/oas-validation/3.9.json b/json_schemas/oas-validation/3.9.json new file mode 100644 index 00000000..a73a7a5d 
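Review bot: `revocation_check_mode` defaults to `IGNORE_CA_ERROR`, which by its own description "doesn't fail on network issues", so a client certificate whose OCSP or CRL endpoint cannot be reached is presumably still accepted. The description should state that trade-off and name `STRICT` as the setting for deployments that must reject a certificate whose status cannot be verified. `cert_cache_ttl` is described as seconds with a default of `60000`, next to `cache_ttl` at `60` seconds and `http_timeout` at `30000` milliseconds, which suggests the unit or the default is wrong; confirm against the plugin. `skip_consumer_lookup` could also repeat the warning already given under `authenticated_group_by`, that any client with a certificate trusted by the configured CA list is then admitted.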
--- /dev/null +++ b/json_schemas/oas-validation/3.9.json 
@@ -0,0 +1,137 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_header_parameters": { + "default": "Host,Content-Type,User-Agent,Accept,Content-Length", + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", + "type": "string" + }, + "api_spec": { + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format.", + "type": "string" + }, + "api_spec_encoded": { + "default": true, + "description": "Indicates whether the api_spec is URI-Encoded.", + "type": "boolean" + }, + "custom_base_path": { + "description": "The base path to be used for path match evaluation. 
This value is ignored if `include_base_path` is set to `false`.", + "type": "string" + }, + "header_parameter_check": { + "default": false, + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", + "type": "boolean" + }, + "include_base_path": { + "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation.", + "type": "boolean" + }, + "notify_only_request_validation_failure": { + "default": false, + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", + "type": "boolean" + }, + "notify_only_response_body_validation_failure": { + "default": false, + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", + "type": "boolean" + }, + "query_parameter_check": { + "default": false, + "description": "If set to true, checks if query parameters in the request exist in the API specification.", + "type": "boolean" + }, + "validate_request_body": { + "default": true, + "description": "If set to true, validates the request body content against the API specification.", + "type": "boolean" + }, + "validate_request_header_params": { + "default": true, + "description": "If set to true, validates HTTP header parameters against the API specification.", + "type": "boolean" + }, + "validate_request_query_params": { + "default": true, + "description": "If set to true, validates query parameters against the API specification.", + "type": "boolean" + }, + "validate_request_uri_params": { + "default": true, + "description": "If set to true, validates URI parameters in the request against the API specification.", + "type": "boolean" + }, + "validate_response_body": { + "default": false, + "description": "If set to true, validates the response from the upstream services against the API specification. 
If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", + "type": "boolean" + }, + "verbose_response": { + "default": false, + "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/oauth2-introspection/3.9.json b/json_schemas/oauth2-introspection/3.9.json new file mode 100644 index 00000000..5b600229 --- /dev/null +++ b/json_schemas/oauth2-introspection/3.9.json 
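Review bot: `verbose_response` says only "This is useful while testing", but it returns detailed validation errors to the caller, so the description should say to leave it `false` outside test environments. `notify_only_request_validation_failure` and `notify_only_response_body_validation_failure` turn validation into report-only mode, which is easy to miss; I would add `Invalid requests are still proxied when this is true.` and the response-side equivalent. `api_spec_encoded` defaults to `true` while the `api_spec` description asks for URI-encoding only for YAML, so it is unclear what a JSON spec should set.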
@@ -0,0 +1,124 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "default": "", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "minLength": 0, + "type": "string" + }, + "authorization_value": { + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", + "type": "string" + }, + "consumer_by": { + "default": "username", + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", + "enum": [ + "client_id", + "username" + ], + "type": "string" + }, + "custom_claims_forward": { + "default": [], + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "custom_introspection_headers": { + "additionalProperties": true, + "description": "A list of custom headers to be added in the introspection request.", + "type": "object" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. 
It will be removed by Kong before proxying the request.", + "type": "boolean" + }, + "introspect_request": { + "default": false, + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", + "type": "boolean" + }, + "introspection_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "integer" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "integer" + }, + "token_type_hint": { + "description": "The `token_type_hint` value to associate to introspection requests.", + "type": "string" + }, + "ttl": { + "default": 30, + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/oauth2/3.9.json b/json_schemas/oauth2/3.9.json new file mode 100644 index 00000000..612af7ab --- /dev/null +++ b/json_schemas/oauth2/3.9.json 
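Review bot: `anonymous` declares `"default": ""` while its description says "If empty (default null)", so the documented default and the schema default disagree and one of them should change. The `ttl` description says `0` disables expiration, which as written means a cached introspection result is never re-checked; if that is the behaviour, add `A token revoked at the authorization server stays accepted until the cache entry is evicted.` `authorization_value` holds the client credentials for the introspection endpoint, and `introspection_url` carries only a generic URL description. The text should say that the value is a secret and that the endpoint should be reached over `https`.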
@@ -0,0 +1,153 @@ +{ + "properties": { + "config": { + "properties": { + "accept_http_if_already_terminated": { + "default": false, + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", + "type": "boolean" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + }, + "auth_header_name": { + "default": "authorization", + "description": "The name of the header that is supposed to carry the access token.", + "type": "string" + }, + "enable_authorization_code": { + "default": false, + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", + "type": "boolean" + }, + "enable_client_credentials": { + "default": false, + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", + "type": "boolean" + }, + "enable_implicit_grant": { + "default": false, + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", + "type": "boolean" + }, + "enable_password_grant": { + "default": false, + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", + "type": "boolean" + }, + "global_credentials": { + "default": false, + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", + "type": "boolean" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "type": "boolean" + }, + "mandatory_scope": { + "default": false, + "description": "An 
optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", + "type": "boolean" + }, + "persistent_refresh_token": { + "default": false, + "type": "boolean" + }, + "pkce": { + "default": "lax", + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", + "enum": [ + "lax", + "none", + "strict" + ], + "type": "string" + }, + "provision_key": { + "description": "The unique key the plugin has generated when it has been added to the Service.", + "type": "string" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "refresh_token_ttl": { + "default": 1209600, + "description": "Time-to-live value for data", + "maximum": 100000000, + "minimum": 0, + "type": "number" + }, + "reuse_refresh_token": { + "default": false, + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", + "type": "boolean" + }, + "scopes": { + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_expiration": { + "default": 7200, + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/opa/3.9.json b/json_schemas/opa/3.9.json new file mode 100644 index 00000000..60c4b8fc --- /dev/null +++ b/json_schemas/opa/3.9.json 
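Review bot: The four `enable_*` descriptions cite "RFC 6742", but OAuth 2.0 is RFC 6749, and the section numbers given (4.1 to 4.4) are the grant sections of that document; each should read like `(RFC 6749 Section 4.1)`. `persistent_refresh_token` has no description, and `refresh_token_ttl` says only "Time-to-live value for data", which does not tell an operator what the default of `1209600` bounds. `pkce` lists `lax`, `none` and `strict` without saying what each mode enforces, although the default of `lax` decides whether a client without a code verifier is accepted. The `anonymous` description here is also shorter than in the sibling plugins and omits what happens when the field is empty.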
@@ -0,0 +1,112 @@ +{ + "properties": { + "config": { + "properties": { + "include_body_in_opa_input": { + "default": false, + "type": "boolean" + }, + "include_consumer_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", + "type": "boolean" + }, + "include_parsed_json_body_in_opa_input": { + "default": false, + "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", + "type": "boolean" + }, + "include_route_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", + "type": "boolean" + }, + "include_service_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", + "type": "boolean" + }, + "include_uri_captures_in_opa_input": { + "default": false, + "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", + "type": "boolean" + }, + "opa_host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "opa_path": { + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "opa_port": { + "default": 8181, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "opa_protocol": { + "default": "http", + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", + "enum": [ + "http", + "https" + ], + "type": "string" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/openid-connect/3.9.json b/json_schemas/openid-connect/3.9.json new file mode 100644 index 00000000..1acdd149 --- /dev/null 
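Review bot: `opa_protocol` defaults to `http`, and `ssl_verify` can only take effect once the protocol is set to `https`. With the default `opa_host` of `localhost` the traffic normally stays on the host, but the descriptions do not warn that pointing `opa_host` at another machine sends the policy input in cleartext unless the protocol is changed too. I would add to `opa_protocol`: `Use https whenever opa_host is not local, since the input can include the request body and consumer.` `include_body_in_opa_input` is the only field without a description; `If set to true, the raw request body is included as input to OPA.` would match its siblings, to be confirmed against the plugin.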
+++ b/json_schemas/openid-connect/3.9.json 
@@ -0,0 +1,2160 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "audience": { + "description": "The audience passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "audience_claim": { + "default": [ + "aud" + ], + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "audience_required": { + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "auth_methods": { + "default": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "description": "Types of credentials/grants to enable.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "authenticated_groups_claim": { + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", + "type": "string" + }, + "authorization_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "authorization_cookie_name": { + "default": "authorization", + "description": "The authorization cookie name.", + "type": "string" + }, + "authorization_cookie_path": { + "default": "/", + "description": "The authorization cookie Path flag.", + "type": "string" + }, + "authorization_cookie_same_site": { + "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "authorization_endpoint": { + "description": "The authorization endpoint. 
If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "authorization_query_args_client": { + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_names": { + "description": "Extra query argument names passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_values": { + "description": "Extra query argument values passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_rolling_timeout": { + "default": 600, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number" + }, + "bearer_token_cookie_name": { + "description": "The name of the cookie in which the bearer token is passed.", + "type": "string" + }, + "bearer_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "items": { + "enum": [ + "body", + "cookie", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "by_username_ignore_case": { + "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "type": "boolean" + }, + "cache_introspection": { + "default": true, + "description": "Cache the introspection endpoint requests.", + "type": 
"boolean" + }, + "cache_token_exchange": { + "default": true, + "description": "Cache the token exchange endpoint requests.", + "type": "boolean" + }, + "cache_tokens": { + "default": true, + "description": "Cache the token endpoint requests.", + "type": "boolean" + }, + "cache_tokens_salt": { + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "type": "string" + }, + "cache_ttl": { + "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "type": "number" + }, + "cache_ttl_max": { + "description": "The maximum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_min": { + "description": "The minimum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_neg": { + "description": "The negative cache ttl in seconds.", + "type": "number" + }, + "cache_ttl_resurrect": { + "description": "The resurrection ttl in seconds.", + "type": "number" + }, + "cache_user_info": { + "default": true, + "description": "Cache the user info requests.", + "type": "boolean" + }, + "claims_forbidden": { + "description": "If given, these claims are forbidden in the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_alg": { + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "items": { + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS384", + "RS512" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_arg": { + "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "type": "string" + }, + "client_auth": { + "description": "The default OpenID Connect client authentication method is 
'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "items": { + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_credentials_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_jwk": { + "description": "The JWK used for the private_key_jwt authentication.", + "items": { + "properties": { + "alg": { + "type": "string" + }, + "crv": { + "type": "string" + }, + "d": { + "type": "string" + }, + "dp": { + "type": "string" + }, + "dq": { + "type": "string" + }, + "e": { + "type": "string" + }, + "issuer": { + "type": "string" + }, + "k": { + "type": "string" + }, + "key_ops": { + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "kid": { + "type": "string" + }, + "kty": { + "type": "string" + }, + "n": { + "type": "string" + }, + "oth": { + "type": "string" + }, + "p": { + "type": "string" + }, + "q": { + "type": "string" + }, + "qi": { + "type": "string" + }, + "r": { + "type": "string" + }, + "t": { + "type": 
"string" + }, + "use": { + "type": "string" + }, + "x": { + "type": "string" + }, + "x5c": { + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "x5t": { + "type": "string" + }, + "x5t#S256": { + "type": "string" + }, + "x5u": { + "type": "string" + }, + "y": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "type": "array" + }, + "client_secret": { + "description": "The client secret.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "cluster_cache_redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "cluster_cache_strategy": { + "default": "off", + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. 
Currentlly only introspection cache is shared.", + "enum": [ + "off", + "redis" + ], + "type": "string" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_claim": { + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_optional": { + "default": false, + "description": "Do not terminate the request if consumer mapping fails.", + "type": "boolean" + }, + "credential_claim": { + "default": [ + "sub" + ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "disable_session": { + "description": "Disable issuing the session cookie with the specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_names": { + "description": "Extra header names passed to the discovery endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_values": { + "description": "Extra header values passed to the discovery endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "display_errors": { + "default": false, + "description": "Display errors on failure responses.", + "type": "boolean" + }, + "domains": { + "description": "The allowed values for the `hd` claim.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "downstream_access_token_header": { + "description": "The downstream access token header.", + "type": "string" + }, + "downstream_access_token_jwk_header": { + "description": "The downstream access token JWK header.", + "type": "string" + }, + "downstream_headers_claims": { + "description": "The downstream header claims. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "downstream_headers_names": { + "description": "The downstream header names for the claim values.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "downstream_id_token_header": { + "description": "The downstream id token header.", + "type": "string" + }, + "downstream_id_token_jwk_header": { + "description": "The downstream id token JWK header.", + "type": "string" + }, + "downstream_introspection_header": { + "description": "The downstream introspection header.", + "type": "string" + }, + "downstream_introspection_jwt_header": { + "description": "The downstream introspection JWT header.", + "type": "string" + }, + "downstream_refresh_token_header": { + "description": "The downstream refresh token header.", + "type": "string" + }, + "downstream_session_id_header": { + "description": "The downstream session id header.", + "type": "string" + }, + "downstream_user_info_header": { + "description": "The downstream user info header.", + "type": "string" + }, + "downstream_user_info_jwt_header": { + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "dpop_proof_lifetime": { + "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "type": "number" + }, + "dpop_use_nonce": { + "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. 
When enabled it will also be used to calculate the DPoP proof lifetime.", + "type": "boolean" + }, + "enable_hs_signatures": { + "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "type": "boolean" + }, + "end_session_endpoint": { + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "expose_error_code": { + "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "type": "boolean" + }, + "extra_jwks_uris": { + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "forbidden_destroy_session": { + "default": true, + "description": "Destroy any active session for the forbidden requests.", + "type": "boolean" + }, + "forbidden_error_message": { + "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection).", + "type": "string" + }, + "forbidden_redirect_uri": { + "description": "Where to redirect the client on forbidden requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "groups_claim": { + "default": [ + "groups" + ], + "description": "The claim that contains the groups. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "groups_required": { + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "hide_credentials": { + "default": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "type": "boolean" + }, + "http_proxy": { + "description": "The HTTP proxy.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The HTTP proxy authorization.", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The HTTPS proxy.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The HTTPS proxy authorization.", + "type": "string" + }, + "id_token_param_name": { + "description": "The name of the parameter used to pass the id token.", + "type": "string" + }, + "id_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "ignore_signature": { + "default": [], + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - 
`client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "introspection", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspect_jwt_tokens": { + "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "type": "boolean" + }, + "introspection_accept": { + "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt", + "application/token-introspection+jwt" + ], + "type": "string" + }, + "introspection_check_active": { + "default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "type": "boolean" + }, + "introspection_endpoint": { + "description": "The introspection endpoint. 
If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "introspection_endpoint_auth_method": { + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "introspection_headers_client": { + "description": "Extra headers passed from the client to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_names": { + "description": "Extra header names passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_values": { + "description": "Extra header values passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_hint": { + "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "type": "string" + }, + "introspection_post_args_client": { + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_client_headers": { + "description": "Extra post arguments passed from the client headers to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_names": { + "description": "Extra post argument names passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + 
"introspection_post_args_values": { + "description": "Extra post argument values passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for introspection.", + "type": "string" + }, + "issuer": { + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "type": "string" + }, + "issuers_allowed": { + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "jwt_session_claim": { + "default": "sid", + "description": "The claim to match against the JWT session cookie.", + "type": "string" + }, + "jwt_session_cookie": { + "description": "The name of the JWT session cookie.", + "type": "string" + }, + "keepalive": { + "default": true, + "description": "Use keepalive with the HTTP client.", + "type": "boolean" + }, + "leeway": { + "default": 0, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "type": "number" + }, + "login_action": { + "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "enum": [ + "redirect", + "response", + "upstream" + ], + "type": "string" + }, + "login_methods": { + "default": [ + "authorization_code" + ], + "description": "Enable login functionality with specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "login_redirect_mode": { + 
"default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "enum": [ + "fragment", + "query" + ], + "type": "string" + }, + "login_redirect_uri": { + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "login_tokens": { + "default": [ + "id_token" + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "items": { + "enum": [ + "access_token", + "id_token", + "introspection", + "refresh_token", + "tokens" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "logout_methods": { + "default": [ + "DELETE", + "POST" + ], + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "items": { + "enum": [ + "DELETE", + "GET", + "POST" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "logout_post_arg": { + "description": "The request body argument that activates the logout.", + "type": "string" + }, + "logout_query_arg": { + "description": "The request query argument that activates the logout.", + "type": "string" + }, + "logout_redirect_uri": { + "description": "Where to redirect the client after the logout.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + 
"logout_revoke": { + "default": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "type": "boolean" + }, + "logout_revoke_access_token": { + "default": true, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_revoke_refresh_token": { + "default": true, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_uri_suffix": { + "description": "The request URI suffix that activates the logout.", + "type": "string" + }, + "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "type": "number" + }, + "mtls_introspection_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_revocation_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_token_endpoint": { + "description": "Alias for the token endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "no_proxy": { + "description": "Do not use proxy with these hosts.", + "type": "string" + }, + "password_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "preserve_query_args": { + "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "type": "boolean" + }, + "proof_of_possession_auth_methods_validation": { + "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "type": "boolean" + }, + "proof_of_possession_dpop": { + "default": "off", + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "proof_of_possession_mtls": { + "default": "off", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. 
If the verification fails, the request will be rejected with 401.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "pushed_authorization_request_endpoint": { + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "pushed_authorization_request_endpoint_auth_method": { + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "redirect_uri": { + "description": "The redirect URI passed to the authorization and token endpoints.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "description": "The Redis session key prefix.", + "type": "string" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "socket": { + "description": "The Redis unix socket path.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. 
This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "rediscovery_lifetime": { + "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", + "type": "number" + }, + "refresh_token_param_name": { + "description": "The name of the parameter used to pass the refresh token.", + "type": "string" + }, + "refresh_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "refresh_tokens": { + "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "type": "boolean" + }, + "require_proof_key_for_code_exchange": { + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "type": "boolean" + }, + "require_pushed_authorization_requests": { + "description": "Forcibly enable or disable the pushed authorization requests. 
When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "type": "boolean" + }, + "require_signed_request_object": { + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "type": "boolean" + }, + "resolve_distributed_claims": { + "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "type": "boolean" + }, + "response_mode": { + "default": "query", + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "enum": [ + "form_post", + "form_post.jwt", + "fragment", + "fragment.jwt", + "jwt", + "query", + "query.jwt" + ], + "type": "string" + }, + "response_type": { + "default": [ + "code" + ], + "description": "The response type passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "reverify": { + "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", + "type": "boolean" + }, + "revocation_endpoint": { + "description": "The revocation endpoint. 
If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "revocation_endpoint_auth_method": { + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "revocation_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for revocation.", + "type": "string" + }, + "roles_claim": { + "default": [ + "roles" + ], + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "roles_required": { + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "run_on_preflight": { + "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "type": "boolean" + }, + "scopes": { + "default": [ + "openid" + ], + "description": "The scopes passed to the authorization and token endpoints.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "scopes_claim": { + "default": [ + "scope" + ], + "description": "The claim that contains the scopes. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "scopes_required": { + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "search_user_info": { + "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "type": "boolean" + }, + "session_absolute_timeout": { + "default": 86400, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_audience": { + "default": "default", + "description": "The session audience, which is the intended target application. 
For example `\"my-application\"`.", + "type": "string" + }, + "session_cookie_domain": { + "description": "The session cookie Domain flag.", + "type": "string" + }, + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "type": "string" + }, + "session_cookie_path": { + "default": "/", + "description": "The session cookie Path flag.", + "type": "string" + }, + "session_cookie_same_site": { + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean" + }, + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean" + }, + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "type": "boolean" + }, + "session_idling_timeout": { + "default": 900, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 
0 disables the checks and touching.", + "type": "number" + }, + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "type": "string" + }, + "session_memcached_port": { + "default": 11211, + "description": "The memcached port.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "type": "string" + }, + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "type": "string" + }, + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean" + }, + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string" + }, + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "type": "number" + }, + "session_request_headers": { + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "session_response_headers": { + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. 
`[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "session_rolling_timeout": { + "default": 3600, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number" + }, + "session_secret": { + "description": "The session secret.", + "type": "string" + }, + "session_storage": { + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "enum": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "type": "string" + }, + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "Verify identity provider server certificate. 
If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network IO timeout in milliseconds.", + "type": "number" + }, + "tls_client_auth_cert_id": { + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "type": "string", + "uuid": true + }, + "tls_client_auth_ssl_verify": { + "default": true, + "description": "Verify identity provider server certificate during mTLS client authentication.", + "type": "boolean" + }, + "token_cache_key_include_scope": { + "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean" + }, + "token_endpoint": { + "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "token_endpoint_auth_method": { + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "token_exchange_endpoint": { + "description": "The token exchange endpoint.", + "type": "string" + }, + "token_headers_client": { + "description": "Extra headers passed from the client to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_grants": { + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - 
`client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "password", + "refresh_token" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_names": { + "description": "Extra header names passed to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "type": "string" + }, + "token_headers_replay": { + "description": "The names of token endpoint response headers to forward to the downstream client.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_values": { + "description": "Extra header values passed to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_post_args_client": { + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. 
If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_post_args_names": { + "description": "Extra post argument names passed to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_post_args_values": { + "description": "Extra post argument values passed to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "unauthorized_destroy_session": { + "default": true, + "description": "Destroy any active session for the unauthorized requests.", + "type": "boolean" + }, + "unauthorized_error_message": { + "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection).", + "type": "string" + }, + "unauthorized_redirect_uri": { + "description": "Where to redirect the client on unauthorized requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "unexpected_redirect_uri": { + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "upstream_access_token_header": { + "default": "authorization:bearer", + "description": "The upstream access token header.", + "type": "string" + }, + "upstream_access_token_jwk_header": { + "description": "The upstream access token JWK 
header.", + "type": "string" + }, + "upstream_headers_claims": { + "description": "The upstream header claims. Only top level claims are supported.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "upstream_headers_names": { + "description": "The upstream header names for the claim values.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "upstream_id_token_header": { + "description": "The upstream id token header.", + "type": "string" + }, + "upstream_id_token_jwk_header": { + "description": "The upstream id token JWK header.", + "type": "string" + }, + "upstream_introspection_header": { + "description": "The upstream introspection header.", + "type": "string" + }, + "upstream_introspection_jwt_header": { + "description": "The upstream introspection JWT header.", + "type": "string" + }, + "upstream_refresh_token_header": { + "description": "The upstream refresh token header.", + "type": "string" + }, + "upstream_session_id_header": { + "description": "The upstream session id header.", + "type": "string" + }, + "upstream_user_info_header": { + "description": "The upstream user info header.", + "type": "string" + }, + "upstream_user_info_jwt_header": { + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "userinfo_accept": { + "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt" + ], + "type": "string" + }, + "userinfo_endpoint": { + "description": "The user info endpoint. 
If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "userinfo_headers_client": { + "description": "Extra headers passed from the client to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_names": { + "description": "Extra header names passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_values": { + "description": "Extra header values passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_client": { + "description": "Extra query arguments passed from the client to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_names": { + "description": "Extra query argument names passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_values": { + "description": "Extra query argument values passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "using_pseudo_issuer": { + "default": false, + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "type": "boolean" + }, + "verify_claims": { + "default": true, + "description": "Verify tokens for standard claims.", + "type": "boolean" + }, + "verify_nonce": { + "default": true, + "description": "Verify nonce on authorization code flow.", + "type": "boolean" + }, + "verify_parameters": { + "default": false, + "description": "Verify plugin configuration against discovery.", + "type": "boolean" + }, + "verify_signature": { + "default": true, + "description": "Verify signature of tokens.", + "type": "boolean" + } + }, + "required": [], + "shorthand_fields": { + "authorization_cookie_httponly": { + "type": "boolean" + }, + "authorization_cookie_lifetime": { + "type": "number" + }, + "authorization_cookie_samesite": { + "type": "string" + }, + "session_compressor": { + "type": "string" + }, + "session_cookie_httponly": { + "type": "boolean" + }, + "session_cookie_idletime": { + "type": "number" + }, + "session_cookie_lifetime": { + "type": "number" + }, + "session_cookie_maxsize": { + "type": "integer" + }, + "session_cookie_renew": { + "type": "number" + }, + "session_cookie_samesite": { + "type": "string" + }, + "session_memcache_host": { + "type": "string" + }, + "session_memcache_port": { + "type": "integer" + }, + "session_memcache_prefix": { + "type": "string" + }, + "session_memcache_socket": { + "type": "string" + }, + "session_redis_cluster_max_redirections": { + "type": "integer" + }, + "session_redis_cluster_nodes": { + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + 
"session_redis_connect_timeout": { + "type": "integer" + }, + "session_redis_host": { + "type": "string" + }, + "session_redis_password": { + "type": "string" + }, + "session_redis_port": { + "type": "integer" + }, + "session_redis_prefix": { + "type": "string" + }, + "session_redis_read_timeout": { + "type": "integer" + }, + "session_redis_send_timeout": { + "type": "integer" + }, + "session_redis_server_name": { + "type": "string" + }, + "session_redis_socket": { + "type": "string" + }, + "session_redis_ssl": { + "type": "boolean" + }, + "session_redis_ssl_verify": { + "type": "boolean" + }, + "session_redis_username": { + "type": "string" + }, + "session_strategy": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/opentelemetry/3.9.json b/json_schemas/opentelemetry/3.9.json new file mode 100644 index 00000000..a7e8e181 --- /dev/null +++ b/json_schemas/opentelemetry/3.9.json 
@@ -0,0 +1,272 @@ +{ + "properties": { + "config": { + "properties": { + "batch_flush_delay": { + "description": "The delay, in seconds, between two consecutive batches.", + "type": "integer" + }, + "batch_span_count": { + "description": "The number of spans to be sent in a single batch.", + "type": "integer" + }, + "connect_timeout": { + "default": 1000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "header_type": { + "default": "preserve", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "ignore", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "type": "string" + }, + "headers": { + "additionalProperties": true, + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", + "type": "object" + }, + "http_response_header_for_traceid": { + "type": "string" + }, + "logs_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "propagation": { + "default": { + "default_format": "w3c" + }, + "properties": { + "clear": { + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "default_format": { + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. 
This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "type": "string" + }, + "extract": { + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "items": { + "enum": [ + "aws", + "b3", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "inject": { + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "items": { + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "default_format" + ], + "type": "object" + }, + "queue": { + "default": { + "max_batch_size": 200 + }, + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. 
-1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "resource_attributes": { + "additionalProperties": true, + "type": "object" + }, + "sampling_rate": { + "description": "Tracing sampling rate for configuring the probability-based sampler. 
When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "traces_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/post-function/3.9.json b/json_schemas/post-function/3.9.json new file mode 100644 index 00000000..33806f8a --- /dev/null +++ b/json_schemas/post-function/3.9.json 
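Review bot: `config.headers` in `json_schemas/opentelemetry/3.9.json` is declared as `"additionalProperties": true, "type": "object"`, yet its description says it is meant for authentication headers (a token) for the APM backend. The schema therefore neither constrains the values nor tells the reader that they are credentials. If the values are always strings, I would tighten it to `"additionalProperties": { "type": "string" }` and extend the description with `Values may contain credentials; supply them through a secret reference rather than a literal where the deployment supports it.` The `traces_endpoint` and `logs_endpoint` descriptions could also state that a token in `headers` is only protected in transit when the endpoint is an `https` URL. Because the file is downloaded rather than hand-written, the change presumably has to land in the upstream schema.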
@@ -0,0 +1,140 @@ +{ + "properties": { + "config": { + "properties": { + "access": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "body_filter": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "certificate": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "header_filter": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "log": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "rewrite": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_client_frame": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_close": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_handshake": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_upstream_frame": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/pre-function/3.9.json b/json_schemas/pre-function/3.9.json new file mode 100644 index 00000000..33806f8a --- /dev/null +++ b/json_schemas/pre-function/3.9.json 
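Review bot: None of the ten `config` phase fields in `json_schemas/post-function/3.9.json` (`access`, `body_filter`, `certificate`, `header_filter`, `log`, `rewrite` and the four `ws_*` fields) has a `description`, although the other schemas in this patch describe most of their properties. These arrays appear to hold the Lua function source that the plugin runs in each phase (inferred from the plugin name and field names, not stated in the file). That would make them the most security-sensitive fields in the set, because whoever can write this configuration can run code inside the gateway. I would add a description to each, for example `"description": "Lua functions, given as source strings, run in order during the access phase. Write access to this field is equivalent to code execution on the gateway."`, and make the change upstream so the next download keeps it. `json_schemas/pre-function/3.9.json` is the same blob (`33806f8a`) and needs the same text.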
@@ -0,0 +1,140 @@ +{ + "properties": { + "config": { + "properties": { + "access": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "body_filter": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "certificate": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "header_filter": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "log": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "rewrite": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_client_frame": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_close": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_handshake": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_upstream_frame": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/prometheus/3.9.json b/json_schemas/prometheus/3.9.json new file mode 100644 index 00000000..30370b04 --- /dev/null +++ b/json_schemas/prometheus/3.9.json 
@@ -0,0 +1,101 @@ +{ + "properties": { + "config": { + "properties": { + "ai_metrics": { + "default": false, + "description": "A boolean value that determines if ai metrics should be collected. If enabled, the `ai_llm_requests_total`, `ai_llm_cost_total` and `ai_llm_tokens_total` metrics will be exported.", + "type": "boolean" + }, + "bandwidth_metrics": { + "default": false, + "description": "A boolean value that determines if bandwidth metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", + "type": "boolean" + }, + "latency_metrics": { + "default": false, + "description": "A boolean value that determines if latency metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", + "type": "boolean" + }, + "per_consumer": { + "default": false, + "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", + "type": "boolean" + }, + "status_code_metrics": { + "default": false, + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", + "type": "boolean" + }, + "upstream_health_metrics": { + "default": false, + "description": "A boolean value that determines if upstream metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/proxy-cache-advanced/3.9.json b/json_schemas/proxy-cache-advanced/3.9.json new file mode 100644 index 00000000..8cad5e05 --- /dev/null +++ b/json_schemas/proxy-cache-advanced/3.9.json 
@@ -0,0 +1,376 @@ +{ + "properties": { + "config": { + "properties": { + "bypass_on_err": { + "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "type": "boolean" + }, + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities.", + "minimum": 0, + "type": "integer" + }, + "content_type": { + "default": [ + "application/json", + "text/plain" + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ignore_uri_case": { + "default": false, + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", + "type": "boolean" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "request_method": { + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", + "items": { + "enum": [ + "GET", + "HEAD", + "PATCH", + "POST", + "PUT" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "response_code": { + "default": [ + 200, + 301, + 404 + ], + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", + "items": { + "maximum": 900, + "minimum": 100, + "required": [], + "type": "integer" + }, + "minLength": 1, + "type": "array" + }, + "response_headers": { + "description": "Caching related diagnostic headers that should be included in cached responses", + "properties": { + "X-Cache-Key": { + "default": true, + "type": "boolean" + }, + "X-Cache-Status": { + "default": true, + "type": "boolean" + }, + "age": { + "default": true, + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "storage_ttl": { + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" + }, + "strategy": { + "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", + "enum": [ + "memory", + "redis" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. 
If undefined, none of the headers are taken into consideration.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/proxy-cache/3.9.json b/json_schemas/proxy-cache/3.9.json new file mode 100644 index 00000000..d0b32ca7 --- /dev/null +++ b/json_schemas/proxy-cache/3.9.json 
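Review bot: `"minLength": 1` is attached to array-typed fields in `json_schemas/proxy-cache-advanced/3.9.json` (`redis.cluster_nodes`, `redis.sentinel_nodes`, the `cluster_addresses` and `sentinel_addresses` shorthands, and `response_code`), but JSON Schema applies `minLength` only to strings. A validator ignores it, so an empty array passes even though the descriptions say the minimum is one element. The array keyword is `minItems`, i.e. `"minItems": 1`; since the file is downloaded, the fix presumably belongs in the converter that produces it, and `response_code` in `json_schemas/proxy-cache/3.9.json` carries the same keyword. Anyone using these schemas for pre-deployment checks should also note that `redis.ssl` and `redis.ssl_verify` both default to `false`. With the defaults a configured `password` travels over an unencrypted connection, and enabling `ssl` alone still leaves the server certificate unchecked.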
@@ -0,0 +1,201 @@ +{ + "properties": { + "config": { + "properties": { + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL, in seconds, of cache entities.", + "minimum": 0, + "type": "integer" + }, + "content_type": { + "default": [ + "application/json", + "text/plain" + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ignore_uri_case": { + "default": false, + "type": "boolean" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "request_method": { + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable.", + "items": { + "enum": [ + "GET", + "HEAD", + "PATCH", + "POST", + "PUT" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "response_code": { + "default": [ + 200, + 301, + 404 + ], + "description": "Upstream response status code considered cacheable.", + "items": { + "maximum": 900, + "minimum": 100, + "required": [], + "type": "integer" + }, + "minLength": 1, + "type": "array" + }, + "response_headers": { + "description": "Caching related diagnostic headers that should be included in cached responses", + "properties": { + "X-Cache-Key": { + "default": true, + "type": "boolean" + }, + "X-Cache-Status": { + "default": true, + "type": "boolean" + }, + "age": { + "default": true, + "type": "boolean" + } + }, + "required": [], + "type": "object" + 
}, + "storage_ttl": { + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" + }, + "strategy": { + "description": "The backing data store in which to hold cache entities.", + "enum": [ + "memory" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/rate-limiting-advanced/3.9.json b/json_schemas/rate-limiting-advanced/3.9.json new file mode 100644 index 00000000..db6b2311 --- /dev/null +++ b/json_schemas/rate-limiting-advanced/3.9.json 
@@ -0,0 +1,388 @@ +{ + "properties": { + "config": { + "properties": { + "compound_identifier": { + "description": "Similar to `identifer`, but supports combining multiple items. The priority of `compound_identifier` is higher than `identifier`, which means if `compound_identifer` is set, it will be used, otherwise `identifier` will be used.", + "items": { + "enum": [ + "consumer", + "consumer-group", + "credential", + "header", + "ip", + "path", + "service" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_groups": { + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "type": "string" + }, + "disable_penalty": { + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", + "type": "boolean" + }, + "enforce_consumer_groups": { + "default": false, + "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. 
You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", + "type": "boolean" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "minimum": 0, + "type": "number" + }, + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" + }, + "identifier": { + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "enum": [ + "consumer", + "consumer-group", + "credential", + "header", + "ip", + "path", + "service" + ], + "type": "string" + }, + "limit": { + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "items": { + "required": [], + "type": "number" + }, + "type": "array" + }, + "lock_dictionary_name": { + "default": "kong_locks", + "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. The shared dictionary should be declare in nginx-kong.conf.", + "type": "string" + }, + "namespace": { + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. 
`strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", + "type": "string" + }, + "path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. 
If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "redis_proxy_type": { + "description": "If the `connection_is_proxied` is enabled, this field indicates the proxy type and version you are using. For example, you can enable this optioin when you want authentication between Kong and Envoy proxy.", + "enum": [ + "envoy_v1.31" + ], + "type": "string" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + }, + "strategy": { + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + }, + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds). 
There must be a matching number of window limits and sizes specified.", + "items": { + "required": [], + "type": "number" + }, + "type": "array" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/rate-limiting/3.9.json b/json_schemas/rate-limiting/3.9.json new file mode 100644 index 00000000..59814145 --- /dev/null +++ b/json_schemas/rate-limiting/3.9.json 
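Review bot: In `json_schemas/rate-limiting-advanced/3.9.json`, `redis.cluster_nodes` and `redis.sentinel_nodes` are `"type": "array"` but carry `"minLength": 1`, a keyword that JSON Schema applies only to strings, so a validator accepts an empty array even though both descriptions say the minimum is one element. The same applies to `cluster_addresses` and `sentinel_addresses` under `shorthand_fields`. The keyword that enforces the stated rule is `"minItems": 1`. If this file is exported from the plugin's own schema, the mapping belongs in the exporter rather than in a hand edit here.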
@@ -0,0 +1,247 @@ +{ + "properties": { + "config": { + "properties": { + "day": { + "description": "The number of HTTP requests that can be made per day.", + "minimum": 0, + "type": "number" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "minimum": 0, + "type": "number" + }, + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "fault_tolerant": { + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", + "type": "boolean" + }, + "header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers.", + "type": "boolean" + }, + "hour": { + "description": "The number of HTTP requests that can be made per hour.", + "minimum": 0, + "type": "number" + }, + "limit_by": { + "default": "consumer", + "description": "The entity that is used when aggregating the limits.", + "enum": [ + "consumer", + "consumer-group", + "credential", + "header", + "ip", + "path", + "service" + ], + "type": "string" + }, + "minute": { + "description": "The number of HTTP requests that can be made per minute.", + "minimum": 0, + "type": "number" + }, + "month": { + "description": "The number of HTTP requests that can be made per month.", + "minimum": 0, + "type": "number" + }, + "path": { + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "policy": { + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "enum": [ + "cluster", + "local", + "redis" + ], + "minLength": 0, + "type": "string" + }, + "redis": { + "description": "Redis configuration", + "properties": { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "minLength": 0, + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. 
If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "second": { + "description": "The number of HTTP requests that can be made per second.", + "minimum": 0, + "type": "number" + }, + "sync_rate": { + "default": -1, + "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior.", + "type": "number" + }, + "year": { + "description": "The number of HTTP requests that can be made per year.", + "minimum": 0, + "type": "number" + } + }, + "required": [], + "shorthand_fields": { + "redis_database": { + "type": "integer" + }, + "redis_host": { + "type": "string" + }, + "redis_password": { + "minLength": 0, + "type": "string" + }, + "redis_port": { + "type": "integer" + }, + "redis_server_name": { + "type": "string" + }, + "redis_ssl": { + "type": "boolean" + }, + "redis_ssl_verify": { + "type": "boolean" + }, + "redis_timeout": { + "type": "integer" + }, + "redis_username": { + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/redirect/3.9.json b/json_schemas/redirect/3.9.json new file mode 100644 index 00000000..36342a35 --- /dev/null +++ b/json_schemas/redirect/3.9.json 
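Review bot: `config.error_code` in `json_schemas/rate-limiting/3.9.json` is `"type": "number"` with only `"minimum": 0`, so the schema accepts values such as `0` or `429.5` for what the description calls the error code returned when the limit is exceeded; the rate-limiting-advanced schema earlier in this patch defines the field the same way. The `status_code` fields in the redirect and request-termination schemas of this patch use `"type": "integer"`, `"minimum": 100`, `"maximum": 599`, and the same bounds would fit here unless the gateway intentionally allows other values. Separately, `redis.ssl` and `redis.ssl_verify` both default to `false` while `redis.password` is accepted, so the `password` description should say that the credential crosses the network unencrypted unless `ssl` is enabled.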
@@ -0,0 +1,91 @@ +{ + "properties": { + "config": { + "properties": { + "keep_incoming_path": { + "default": false, + "description": "Use the incoming request's path and query string in the redirect URL", + "type": "boolean" + }, + "location": { + "description": "The URL to redirect to", + "type": "string" + }, + "status_code": { + "default": 301, + "description": "The response code to send. Must be an integer between 100 and 599.", + "maximum": 599, + "minimum": 100, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/request-size-limiting/3.9.json b/json_schemas/request-size-limiting/3.9.json new file mode 100644 index 00000000..3d4e9633 --- /dev/null +++ b/json_schemas/request-size-limiting/3.9.json 
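Review bot: `config.location` in `json_schemas/redirect/3.9.json` is an unconstrained string and `required` is empty, so a config with no target, an empty string, or a value that is not a URL passes schema validation. Adding `"minLength": 1` and `"format": "uri"` would at least document the intent (`format` is only enforced when the validator opts in). `status_code` accepts 100 to 599 although the default is `301`; if non-3xx codes are not meaningful for this plugin, `"minimum": 300, "maximum": 399` states that. Because `keep_incoming_path` copies the request's path and query string into the redirect URL, the `location` description should say that it is expected to be a fixed, operator-chosen absolute URL.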
@@ -0,0 +1,84 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_payload_size": { + "default": 128, + "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", + "type": "integer" + }, + "require_content_length": { + "default": false, + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", + "type": "boolean" + }, + "size_unit": { + "default": "megabytes", + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", + "enum": [ + "bytes", + "kilobytes", + "megabytes" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/request-termination/3.9.json b/json_schemas/request-termination/3.9.json new file mode 100644 index 00000000..96110caf --- /dev/null +++ b/json_schemas/request-termination/3.9.json 
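Review bot: `config.allowed_payload_size` in `json_schemas/request-size-limiting/3.9.json` has no `minimum`, so zero or a negative limit passes schema validation; `"minimum": 0` (or `1`, if zero has no defined meaning) would close that. Its description also fixes the unit as megabytes, while `size_unit` in the same object allows `bytes` and `kilobytes`; wording such as `Allowed request payload size, in the unit given by size_unit (default: 128 megabytes).` avoids a limit being configured orders of magnitude away from what was intended. `require_content_length` defaults to `false`, and the description could state how requests without a `Content-Length` header are handled in that case, which the schema does not show.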
@@ -0,0 +1,103 @@ +{ + "properties": { + "config": { + "properties": { + "body": { + "description": "The raw response body to send. This is mutually exclusive with the `config.message` field.", + "type": "string" + }, + "content_type": { + "description": "Content type of the raw response configured with `config.body`.", + "type": "string" + }, + "echo": { + "default": false, + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", + "type": "boolean" + }, + "message": { + "description": "The message to send, if using the default response generator.", + "type": "string" + }, + "status_code": { + "default": 503, + "description": "The response code to send. Must be an integer between 100 and 599.", + "maximum": 599, + "minimum": 100, + "type": "integer" + }, + "trigger": { + "description": "A string representing an HTTP header name.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/request-transformer-advanced/3.9.json b/json_schemas/request-transformer-advanced/3.9.json new file mode 100644 index 00000000..b7a77c42 --- /dev/null +++ b/json_schemas/request-transformer-advanced/3.9.json 
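Review bot: The `config.echo` description in `json_schemas/request-termination/3.9.json` does not say which parts of the request are returned to the client, and a copy of a request presumably includes its headers, which can carry credentials or tokens. The description should name what is echoed and state that `echo` is intended to be used together with `trigger`, so it is not left on for ordinary traffic. `trigger` itself only has the generic text `A string representing an HTTP header name.`; wording along the lines of `If set, the plugin activates only for requests that carry this header.` would explain its role, to be confirmed against the plugin's behaviour. The `body` description says it is mutually exclusive with `config.message`, but nothing in the schema encodes that, so a config that sets both passes validation.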
@@ -0,0 +1,290 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "allow": { + "properties": { + "body": { + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "append": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "dots_in_keys": { + "default": true, + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects).", + "type": "boolean" + }, + "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. 
The string must contain only uppercase letters.", + "pattern": "^[A-Z]+$", + "type": "string" + }, + "remove": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "rename": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "replace": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "uri": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/request-transformer/3.9.json b/json_schemas/request-transformer/3.9.json new file mode 100644 index 00000000..8a4551c8 --- /dev/null +++ b/json_schemas/request-transformer/3.9.json 
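Review bot: The `headers` items under `add`, `append`, `rename` and `replace` in `json_schemas/request-transformer-advanced/3.9.json` are plain strings with no `pattern`, whereas the request-transformer schema added next in this patch constrains the same fields with `"pattern": "^[^:]+:.*$"`. As written, a header entry without a `name:value` separator passes schema validation here; adding the same `pattern` to those four `items` objects would make the two schemas agree, unless the advanced plugin deliberately accepts another form. The `dots_in_keys` description also ends with a Markdown link to `#arrays-and-nested-objects`, which has no target inside a schema file and could be replaced by plain wording.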
@@ -0,0 +1,244 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "append": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. 
The string must contain only uppercase letters.", + "pattern": "^[A-Z]+$", + "type": "string" + }, + "remove": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "rename": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "replace": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "uri": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/request-validator/3.9.json b/json_schemas/request-validator/3.9.json new file mode 100644 index 00000000..5da7629d --- /dev/null +++ b/json_schemas/request-validator/3.9.json 
@@ -0,0 +1,150 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_content_types": { + "default": [ + "application/json" + ], + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "body_schema": { + "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.", + "type": "string" + }, + "content_type_parameter_validation": { + "default": true, + "description": "Determines whether to enable parameters validation of request content-type.", + "type": "boolean" + }, + "parameter_schema": { + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", + "items": { + "properties": { + "explode": { + "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect.", + "type": "boolean" + }, + "in": { + "description": "The location of the parameter.", + "enum": [ + "header", + "path", + "query" + ], + "type": "string" + }, + "name": { + "description": "The name of the parameter. Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`.", + "type": "string" + }, + "required": { + "description": "Determines whether this parameter is mandatory.", + "type": "boolean" + }, + "schema": { + "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. 
In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating.", + "type": "string" + }, + "style": { + "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", + "enum": [ + "deepObject", + "form", + "label", + "matrix", + "pipeDelimited", + "simple", + "spaceDelimited" + ], + "type": "string" + } + }, + "required": [ + "in", + "name", + "required" + ], + "type": "object" + }, + "type": "array" + }, + "verbose_response": { + "default": false, + "description": "If enabled, the plugin returns more verbose and detailed validation errors.", + "type": "boolean" + }, + "version": { + "default": "kong", + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", + "enum": [ + "draft4", + "kong" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/response-ratelimiting/3.9.json b/json_schemas/response-ratelimiting/3.9.json new file mode 100644 index 00000000..211dcfe2 --- /dev/null +++ b/json_schemas/response-ratelimiting/3.9.json 
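Review bot: `config` in json_schemas/request-validator/3.9.json is emitted with `"required": []`, although the descriptions of `body_schema` and `parameter_schema` both say one of the two must be specified, so a configuration that names neither passes this schema. If the schema is meant for linting plugin configuration before it is applied, add `"anyOf": [{"required": ["body_schema"]}, {"required": ["parameter_schema"]}]` to the `config` object. A validator plugin with nothing to validate against is exactly what a pre-deployment check should catch. The file looks machine-produced, so the change probably belongs in the exporter rather than in this file.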
@@ -0,0 +1,193 @@ +{ + "properties": { + "config": { + "properties": { + "block_on_first_violation": { + "default": false, + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", + "type": "boolean" + }, + "fault_tolerant": { + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", + "type": "boolean" + }, + "header_name": { + "default": "x-kong-limit", + "description": "The name of the response header used to increment the counters.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers.", + "type": "boolean" + }, + "limit_by": { + "default": "consumer", + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. 
If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", + "enum": [ + "consumer", + "credential", + "ip" + ], + "type": "string" + }, + "limits": { + "additionalProperties": true, + "description": "A map that defines rate limits for the plugin.", + "minLength": 1, + "type": "object" + }, + "policy": { + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "redis": { + "description": "Redis configuration", + "properties": { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "minLength": 0, + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "shorthand_fields": { + "redis_database": { + "type": "integer" + }, + "redis_host": { + "type": "string" + }, + "redis_password": { + "minLength": 0, + "type": "string" + }, + "redis_port": { + "type": "integer" + }, + "redis_server_name": { + "type": "string" + }, + "redis_ssl": { + "type": "boolean" + }, + "redis_ssl_verify": { + "type": "boolean" + }, + "redis_timeout": { + "type": "integer" + }, + "redis_username": { + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/response-transformer-advanced/3.9.json b/json_schemas/response-transformer-advanced/3.9.json new file mode 100644 index 00000000..e5c923b4 --- /dev/null +++ b/json_schemas/response-transformer-advanced/3.9.json 
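Review bot: `config.limits` is declared `"type": "object"` with `"minLength": 1`, but in JSON Schema `minLength` constrains strings only, so an empty `limits` map validates and this schema accepts the plugin with no rate limit defined. The keyword for objects is `minProperties`, i.e. `"minProperties": 1`. The same pattern appears on `rules[].condition` in route-by-header/3.9.json and on `redis.cluster_nodes` in saml/3.9.json, an array whose description promises a minimum of one element and which needs `"minItems": 1`. The uniform use of `minLength` suggests the length constraint is translated without regard to the field type, so the fix likely belongs in whatever produces these files.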
@@ -0,0 +1,309 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "allow": { + "properties": { + "json": { + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "append": { + "properties": { + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "dots_in_keys": { + "default": true, + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", + "type": "boolean" + }, + "remove": { + "properties": { + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": 
"object" + }, + "rename": { + "properties": { + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "replace": { + "properties": { + "body": { + "description": "String with which to replace the entire response body.", + "type": "string" + }, + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "transform": { + "properties": { + "functions": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/response-transformer/3.9.json b/json_schemas/response-transformer/3.9.json new file mode 100644 index 00000000..340a58e4 --- /dev/null +++ b/json_schemas/response-transformer/3.9.json 
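Review bot: In this file only `rename.headers` carries `"pattern": "^[^:]+:.*$"`; `add.headers`, `append.headers` and `replace.headers` accept any string, whereas json_schemas/response-transformer/3.9.json later in this patch applies the pattern to all of them. If the advanced plugin expects the same `name:value` form, the three arrays should get the same `pattern` line so that the schema rejects a malformed header entry instead of passing it through. `transform.functions` also has no `description`. Presumably these strings are code the plugin evaluates (to be confirmed), which makes it the field most worth documenting for anyone reviewing a configuration.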
@@ -0,0 +1,235 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "append": { + "properties": { + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. 
Each string element can be one of: boolean, number, or string.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "remove": { + "properties": { + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "rename": { + "properties": { + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "replace": { + "properties": { + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/route-by-header/3.9.json b/json_schemas/route-by-header/3.9.json new file mode 100644 index 00000000..2e8bace4 --- /dev/null +++ b/json_schemas/route-by-header/3.9.json 
@@ -0,0 +1,86 @@ +{ + "properties": { + "config": { + "properties": { + "rules": { + "default": [], + "description": "Route by header rules.", + "items": { + "properties": { + "condition": { + "additionalProperties": true, + "minLength": 1, + "type": "object" + }, + "upstream_name": { + "type": "string" + } + }, + "required": [ + "condition", + "upstream_name" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
diff --git a/json_schemas/route-transformer-advanced/3.9.json b/json_schemas/route-transformer-advanced/3.9.json new file mode 100644 index 00000000..759d3aa2 --- /dev/null +++ b/json_schemas/route-transformer-advanced/3.9.json @@ -0,0 +1,77 @@ +{ + "properties": { + "config": { + "properties": { + "escape_path": { + "default": false, + "type": "boolean" + }, + "host": { + "type": "string" + }, + "path": { + "type": "string" + }, + "port": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
diff --git a/json_schemas/saml/3.9.json b/json_schemas/saml/3.9.json new file mode 100644 index 00000000..cca343c0 --- /dev/null +++ b/json_schemas/saml/3.9.json 
@@ -0,0 +1,589 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", + "type": "string" + }, + "assertion_consumer_path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "idp_certificate": { + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "type": "string" + }, + "idp_sso_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "issuer": { + "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", + "type": "string" + }, + "nameid_format": { + "default": "EmailAddress", + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", + "enum": [ + "EmailAddress", + "Persistent", + "Transient", + "Unspecified" + ], + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "description": "The Redis session key prefix.", + "type": "string" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "socket": { + "description": "The Redis unix socket path.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. 
This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "request_digest_algorithm": { + "default": "SHA256", + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", + "enum": [ + "SHA1", + "SHA256" + ], + "type": "string" + }, + "request_signature_algorithm": { + "default": "SHA256", + "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "enum": [ + "SHA256", + "SHA384", + "SHA512" + ], + "type": "string" + }, + "request_signing_certificate": { + "description": "The certificate for signing requests.", + "type": "string" + }, + "request_signing_key": { + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", + "type": "string" + }, + "response_digest_algorithm": { + "default": "SHA256", + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", + "enum": [ + "SHA1", + "SHA256" + ], + "type": "string" + }, + "response_encryption_key": { + "description": "The private encryption key required to decrypt encrypted assertions.", + "type": "string" + }, + "response_signature_algorithm": { + "default": "SHA256", + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "enum": [ + "SHA256", + "SHA384", + "SHA512" + ], + "type": "string" + }, + "session_absolute_timeout": { + "default": 86400, + "description": "The session cookie absolute timeout in seconds. 
Specifies how long the session can be used until it is no longer valid.", + "type": "number" + }, + "session_audience": { + "default": "default", + "description": "The session audience, for example \"my-application\"", + "type": "string" + }, + "session_cookie_domain": { + "description": "The session cookie domain flag.", + "type": "string" + }, + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "type": "string" + }, + "session_cookie_path": { + "default": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "session_cookie_same_site": { + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "session_cookie_secure": { + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean" + }, + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean" + }, + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "type": "boolean" + }, + "session_idling_timeout": { + "default": 900, + "description": "The session cookie idle time in seconds.", + "type": "number" + }, + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "type": "string" + }, + "session_memcached_port": { + "default": 11211, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "type": "string" + }, + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "type": "string" + }, + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions", + "type": "boolean" + }, + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Persistent session absolute timeout in seconds.", + "type": "number" + }, + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name", + "type": "string" + }, + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Persistent session rolling timeout in seconds.", + "type": "number" + }, + "session_request_headers": { + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "session_response_headers": { + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + 
"required": [], + "type": "string" + }, + "type": "array" + }, + "session_rolling_timeout": { + "default": 3600, + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "type": "number" + }, + "session_secret": { + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "maxLength": 32, + "minLength": 32, + "pattern": "^[0-9a-zA-Z/_+]+$", + "type": "string" + }, + "session_storage": { + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", + "enum": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "type": "string" + }, + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. 
This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", + "type": "boolean" + }, + "validate_assertion_signature": { + "default": true, + "description": "Enable signature validation for SAML responses.", + "type": "boolean" + } + }, + "required": [], + "shorthand_fields": { + "session_auth_ttl": { + "type": "number" + }, + "session_compressor": { + "type": "string" + }, + "session_cookie_httponly": { + "type": "boolean" + }, + "session_cookie_idletime": { + "type": "number" + }, + "session_cookie_lifetime": { + "type": "number" + }, + "session_cookie_maxsize": { + "type": "integer" + }, + "session_cookie_renew": { + "type": "number" + }, + "session_cookie_samesite": { + "type": "string" + }, + "session_memcache_host": { + "type": "string" + }, + "session_memcache_port": { + "type": "integer" + }, + "session_memcache_prefix": { + "type": "string" + }, + "session_memcache_socket": { + "type": "string" + }, + "session_redis_cluster_max_redirections": { + "type": "integer" + }, + "session_redis_cluster_maxredirections": { + "type": "integer" + }, + "session_redis_cluster_nodes": { + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + "session_redis_connect_timeout": { + "type": "integer" + }, + "session_redis_host": { + "type": "string" + }, + "session_redis_password": { + "type": "string" + }, + "session_redis_port": { + "type": "integer" + }, + "session_redis_prefix": { + "type": "string" + }, + "session_redis_read_timeout": { + "type": "integer" + }, + "session_redis_send_timeout": { + "type": "integer" + }, + "session_redis_server_name": { + "type": "string" + }, + 
"session_redis_socket": { + "type": "string" + }, + "session_redis_ssl": { + "type": "boolean" + }, + "session_redis_ssl_verify": { + "type": "boolean" + }, + "session_redis_username": { + "type": "string" + }, + "session_strategy": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/service-protection/3.9.json b/json_schemas/service-protection/3.9.json new file mode 100644 index 00000000..803c767d --- /dev/null +++ b/json_schemas/service-protection/3.9.json 
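Review bot: `config.request_digest_algorithm` and `config.response_digest_algorithm` both list `SHA1` in their `enum`, and their descriptions present it next to `SHA256` with no caveat. SHA-1 is no longer collision-resistant, which matters most for `response_digest_algorithm`, since that digest is what gets checked on responses from the IdP. The default is already `SHA256`, so this is a documentation change only: append a sentence such as `Use SHA1 only when the IdP cannot be configured for SHA256.` to both descriptions. If these schema files are generated rather than hand-edited, the wording would have to land in the plugin's own field description; the hunk does not show which is the case.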
@@ -0,0 +1,296 @@ +{ + "properties": { + "config": { + "properties": { + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "type": "string" + }, + "disable_penalty": { + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", + "type": "boolean" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "minimum": 0, + "type": "number" + }, + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" + }, + "limit": { + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "items": { + "required": [], + "type": "number" + }, + "type": "array" + }, + "lock_dictionary_name": { + "default": "kong_locks", + "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. The shared dictionary should be declared in nginx-kong.conf.", + "type": "string" + }, + "namespace": { + "description": "The rate limiting library namespace to use for this plugin instance. 
Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. 
If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. 
Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + }, + "strategy": { + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + }, + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds). 
There must be a matching number of window limits and sizes specified.", + "items": { + "required": [], + "type": "number" + }, + "type": "array" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/session/3.9.json b/json_schemas/session/3.9.json new file mode 100644 index 00000000..499b70ec --- /dev/null +++ b/json_schemas/session/3.9.json 
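Review bot: In `config.redis`, the `cluster_nodes` and `sentinel_nodes` fields and the `cluster_addresses` and `sentinel_addresses` shorthand fields are declared `"type": "array"` but constrained with `"minLength": 1`. JSON Schema applies `minLength` to strings only, so an empty node list still validates, although the descriptions promise "the minimum length of the array is 1 element". The keyword should be `"minItems": 1`. The same four fields carry the same keyword in the `json_schemas/saml/3.9.json` hunk above. If the files are generated, the fix presumably belongs in the converter that emits them rather than in the JSON itself.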
@@ -0,0 +1,242 @@ +{ + "properties": { + "config": { + "properties": { + "absolute_timeout": { + "default": 86400, + "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", + "type": "number" + }, + "audience": { + "default": "default", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "type": "string" + }, + "cookie_domain": { + "description": "The domain with which the cookie is intended to be exchanged.", + "type": "string" + }, + "cookie_http_only": { + "default": true, + "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", + "type": "boolean" + }, + "cookie_name": { + "default": "session", + "description": "The name of the cookie.", + "type": "string" + }, + "cookie_path": { + "default": "/", + "description": "The resource in the host where the cookie is available.", + "type": "string" + }, + "cookie_same_site": { + "default": "Strict", + "description": "Determines whether and how a cookie may be sent with cross-site requests.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "cookie_secure": { + "default": true, + "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", + "type": "boolean" + }, + "idling_timeout": { + "default": 900, + "description": "The session cookie idle time, in seconds.", + "type": "number" + }, + "logout_methods": { + "default": [ + "DELETE", + "POST" + ], + "description": "A set of HTTP methods that the plugin will respond to.", + "items": { + "enum": [ + "DELETE", + "GET", + "POST" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "logout_post_arg": { + "default": "session_logout", + "description": "The POST argument passed to logout requests. 
Do not change this property.", + "type": "string" + }, + "logout_query_arg": { + "default": "session_logout", + "description": "The query argument passed to logout requests.", + "type": "string" + }, + "read_body_for_logout": { + "default": false, + "type": "boolean" + }, + "remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean" + }, + "remember_absolute_timeout": { + "default": 2592000, + "description": "The persistent session absolute timeout limit, in seconds.", + "type": "number" + }, + "remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string" + }, + "remember_rolling_timeout": { + "default": 604800, + "description": "The persistent session rolling timeout window, in seconds.", + "type": "number" + }, + "request_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "response_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "rolling_timeout": { + "default": 3600, + "description": "The session cookie rolling timeout, in seconds. 
Specifies how long the session can be used until it needs to be renewed.", + "type": "number" + }, + "secret": { + "default": "lt9BJW1n5RfhCxTbNIKqsj8THW7YNdXTA0VW6KQwBUwg", + "description": "The secret that is used in keyed HMAC generation.", + "type": "string" + }, + "stale_ttl": { + "default": 10, + "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", + "type": "number" + }, + "storage": { + "default": "cookie", + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", + "enum": [ + "cookie", + "kong" + ], + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cookie_discard": { + "type": "number" + }, + "cookie_httponly": { + "type": "boolean" + }, + "cookie_idletime": { + "type": "number" + }, + "cookie_lifetime": { + "type": "number" + }, + "cookie_persistent": { + "type": "boolean" + }, + "cookie_renew": { + "type": "number" + }, + "cookie_samesite": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/standard-webhooks/3.9.json b/json_schemas/standard-webhooks/3.9.json new file mode 100644 index 00000000..b2cd7c32 --- /dev/null +++ b/json_schemas/standard-webhooks/3.9.json 
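Review bot: The `secret` property under `config.properties` ships a concrete 44-character `default`, which should not appear in a published schema for an HMAC signing key. It looks like a per-process random value captured when the schema was dumped, so it would change on every regeneration, and readers may copy it into real configuration as if it were the product default. I would drop that `"default"` line from the generator output and extend the text to `"description": "The secret that is used in keyed HMAC generation. Set your own value; do not reuse an example."`. Separately, `request_headers` carries the same description as `response_headers` ("in the response to the downstream"), which is presumably a copy-paste and should describe the request sent upstream.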
@@ -0,0 +1,74 @@ +{ + "properties": { + "config": { + "properties": { + "secret_v1": { + "description": "Webhook secret", + "type": "string" + }, + "tolerance_second": { + "default": 300, + "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response.", + "minimum": -1, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
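Review bot: `tolerance_second` allows `"minimum": -1`, but its description never says what a negative or zero tolerance does, and this field sets the replay window for signed webhooks. If the underlying constraint is an exclusive lower bound, the JSON Schema form should be `"minimum": 0` (or `"exclusiveMinimum": -1`). If -1 is meant to switch the timestamp check off, the description should say so, so that operators do not disable replay protection by accident. `secret_v1` is described only as "Webhook secret" and is absent from `required`; a sentence on its purpose (presumably verifying the webhook signature) would help.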
diff --git a/json_schemas/statsd-advanced/3.9.json b/json_schemas/statsd-advanced/3.9.json new file mode 100644 index 00000000..b842a66d --- /dev/null +++ b/json_schemas/statsd-advanced/3.9.json 
@@ -0,0 +1,282 @@ +{ + "properties": { + "config": { + "properties": { + "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", + "items": { + "pattern": "^[0-9]+-[0-9]+$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_identifier_default": { + "default": "custom_id", + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "hostname_in_prefix": { + "default": false, + "description": "Include the `hostname` in the `prefix` for each metric name.", + "type": "boolean" + }, + "metrics": { + "default": [ + { + "name": "cache_datastore_misses_total", + "sample_rate": 1, + "stat_type": "counter" + } + ], + "description": "List of Metrics to be logged.", + "items": { + "properties": { + "consumer_identifier": { + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "enum": [ + "cache_datastore_hits_total", + "cache_datastore_misses_total", + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "shdict_usage", + "status_count", + "status_count_per_user", + "status_count_per_user_per_route", + "status_count_per_workspace", + "unique_users", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "minimum": 0, + "type": "number" + }, + "service_identifier": { + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "stat_type": { + "enum": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + }, + 
"workspace_identifier": { + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [ + "name", + "stat_type" + ], + "type": "object" + }, + "type": "array" + }, + "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to prefix to each metric's name.", + "type": "string" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + 
"type": "number" + } + }, + "required": [], + "type": "object" + }, + "service_identifier_default": { + "default": "service_name_or_host", + "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "udp_packet_size": { + "default": 0, + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", + "maximum": 65507, + "minimum": 0, + "type": "number" + }, + "use_tcp": { + "default": false, + "description": "Use TCP instead of UDP.", + "type": "boolean" + }, + "workspace_identifier_default": { + "default": "workspace_id", + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/statsd/3.9.json b/json_schemas/statsd/3.9.json new file mode 100644 index 00000000..930ae300 --- /dev/null +++ b/json_schemas/statsd/3.9.json 
@@ -0,0 +1,300 @@ +{ + "properties": { + "config": { + "properties": { + "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", + "items": { + "pattern": "^[0-9]+-[0-9]+$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_identifier_default": { + "default": "custom_id", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "flush_timeout": { + "type": "number" + }, + "host": { + "default": "localhost", + "description": "The IP address or hostname of StatsD server to send data to.", + "type": "string" + }, + "hostname_in_prefix": { + "default": false, + "type": "boolean" + }, + "metrics": { + "default": [ + { + "name": "cache_datastore_misses_total", + "sample_rate": 1, + "stat_type": "counter" + } + ], + "description": "List of metrics to be logged.", + "items": { + "properties": { + "consumer_identifier": { + "description": "Authenticated user detail.", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "description": "StatsD metric’s name.", + "enum": [ + "cache_datastore_hits_total", + "cache_datastore_misses_total", + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "shdict_usage", + "status_count", + "status_count_per_user", + "status_count_per_user_per_route", + "status_count_per_workspace", + "unique_users", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "description": "Sampling rate", + "minimum": 0, + "type": "number" + }, + "service_identifier": { + "description": "Service detail.", + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "stat_type": { + "description": "Determines what sort of event a metric represents.", + "enum": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + }, + 
"workspace_identifier": { + "description": "Workspace detail.", + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [ + "name", + "stat_type" + ], + "type": "object" + }, + "type": "array" + }, + "port": { + "default": 8125, + "description": "The port of StatsD server to send data to.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to prefix to each metric's name.", + "type": "string" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a 
batch.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "queue_size": { + "type": "integer" + }, + "retry_count": { + "type": "integer" + }, + "service_identifier_default": { + "default": "service_name_or_host", + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "tag_style": { + "enum": [ + "dogstatsd", + "influxdb", + "librato", + "signalfx" + ], + "type": "string" + }, + "udp_packet_size": { + "default": 0, + "maximum": 65507, + "minimum": 0, + "type": "number" + }, + "use_tcp": { + "default": false, + "type": "boolean" + }, + "workspace_identifier_default": { + "default": "workspace_id", + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/syslog/3.9.json b/json_schemas/syslog/3.9.json new file mode 100644 index 00000000..fbbdbdbe --- /dev/null +++ b/json_schemas/syslog/3.9.json 
@@ -0,0 +1,159 @@ +{ + "properties": { + "config": { + "properties": { + "client_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "facility": { + "default": "user", + "description": "The facility is used by the operating system to decide how to handle each log message.", + "enum": [ + "auth", + "authpriv", + "cron", + "daemon", + "ftp", + "kern", + "local0", + "local1", + "local2", + "local3", + "local4", + "local5", + "local6", + "local7", + "lpr", + "mail", + "news", + "syslog", + "user", + "uucp" + ], + "type": "string" + }, + "log_level": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "server_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "successful_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/tcp-log/3.9.json b/json_schemas/tcp-log/3.9.json new file mode 100644 index 00000000..028dafde --- /dev/null +++ b/json_schemas/tcp-log/3.9.json 
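Review bot: `custom_fields_by_lua` is declared with `"additionalProperties": true` and described only as "Lua code as a key-value map", which hides that each value is code the gateway evaluates. The tcp-log schema in this same patch has fuller wording ("the value is a chunk of Lua code, whose return value sets or replaces the log field value"); reuse it here and in udp-log, which has the same terse text. Since the values are presumably strings, `"additionalProperties": { "type": "string" }` would also let validators reject nested objects. The description should also state that write access to this field amounts to running Lua in the proxy, so it belongs to trusted administrators only.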
@@ -0,0 +1,105 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", + "type": "object" + }, + "host": { + "description": "The IP address or host name to send data to.", + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "number" + }, + "port": { + "description": "The port to send data to on the upstream server.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + }, + "tls": { + "default": false, + "description": "Indicates whether to perform a TLS handshake against the remote server.", + "type": "boolean" + }, + "tls_sni": { + "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/tls-handshake-modifier/3.9.json b/json_schemas/tls-handshake-modifier/3.9.json new file mode 100644 index 00000000..fcfac7cc --- /dev/null +++ b/json_schemas/tls-handshake-modifier/3.9.json 
@@ -0,0 +1,58 @@ +{ + "properties": { + "config": { + "properties": { + "tls_client_certificate": { + "default": "REQUEST", + "description": "TLS Client Certificate", + "enum": [ + "REQUEST" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpcs", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpcs", + "https", + "tls" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/tls-metadata-headers/3.9.json b/json_schemas/tls-metadata-headers/3.9.json new file mode 100644 index 00000000..d878d7ab --- /dev/null +++ b/json_schemas/tls-metadata-headers/3.9.json 
@@ -0,0 +1,80 @@ +{ + "properties": { + "config": { + "properties": { + "client_cert_fingerprint_header_name": { + "default": "X-Client-Cert-Fingerprint", + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", + "type": "string" + }, + "client_cert_header_name": { + "default": "X-Client-Cert", + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", + "type": "string" + }, + "client_cert_issuer_dn_header_name": { + "default": "X-Client-Cert-Issuer-DN", + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", + "type": "string" + }, + "client_cert_subject_dn_header_name": { + "default": "X-Client-Cert-Subject-DN", + "description": "Define the HTTP header name used for the subject DN of the client certificate.", + "type": "string" + }, + "client_serial_header_name": { + "default": "X-Client-Cert-Serial", + "description": "Define the HTTP header name used for the serial number of the client certificate.", + "type": "string" + }, + "inject_client_cert_details": { + "default": false, + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpcs", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpcs", + "https", + "tls" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/udp-log/3.9.json b/json_schemas/udp-log/3.9.json new file mode 100644 index 00000000..adfff403 --- /dev/null +++ b/json_schemas/udp-log/3.9.json 
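Review bot: The five `*_header_name` descriptions do not say what happens to a request that already carries a header with the configured name, for example `X-Client-Cert-Subject-DN`. Upstreams that act on these headers need to know whether the gateway overwrites or strips client-supplied copies, including when `inject_client_cert_details` is `false` (the default here); the schema does not show this. I would add a sentence to the `inject_client_cert_details` description along the lines of `Upstreams must only trust these headers when they are set by the gateway.` The fingerprint description names SHA1, so it should also say the value is a lookup identifier and not a collision-resistant binding to the certificate.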
@@ -0,0 +1,91 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/upstream-oauth/3.9.json b/json_schemas/upstream-oauth/3.9.json new file mode 100644 index 00000000..c26c2dc7 --- /dev/null +++ b/json_schemas/upstream-oauth/3.9.json 
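Review bot: `config.custom_fields_by_lua` is declared with `"additionalProperties": true` and described only as "Lua code as a key-value map", so the schema accepts values of any type and does not say what is done with the code. If each value is Lua source that the plugin evaluates to build a log field, as the description suggests, then write access to this field amounts to running code inside the gateway, and the description should say so. I would tighten the value type to `"additionalProperties": { "type": "string" }` and extend the description to state that the keys are log field names and the values are Lua snippets evaluated by the plugin. The file is pulled from the API, so the change belongs in the upstream plugin schema rather than in this copy.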
@@ -0,0 +1,471 @@ +{ + "properties": { + "config": { + "properties": { + "behavior": { + "properties": { + "idp_error_response_body_template": { + "default": "{ \"code\": \"{{status}}\", \"message\": \"{{message}}\" }", + "description": "The template to use to create the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "minLength": 0, + "type": "string" + }, + "idp_error_response_content_type": { + "default": "application/json; charset=utf-8", + "description": "The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "minLength": 0, + "type": "string" + }, + "idp_error_response_message": { + "default": "Failed to authenticate request to upstream", + "description": "The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "minLength": 0, + "type": "string" + }, + "idp_error_response_status_code": { + "default": 502, + "description": "The response code to return to the consumer if Kong fails to obtain a token from the IdP.", + "maximum": 599, + "minimum": 500, + "type": "integer" + }, + "purge_token_on_upstream_status_codes": { + "default": [ + 401 + ], + "description": "An array of status codes which will force an access token to be purged when returned by the upstream. 
An empty array will disable this functionality.", + "items": { + "maximum": 599, + "minimum": 100, + "required": [], + "type": "integer" + }, + "type": "array" + }, + "upstream_access_token_header_name": { + "default": "Authorization", + "description": "The name of the header used to send the access token (obtained from the IdP) to the upstream service.", + "minLength": 0, + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "cache": { + "properties": { + "default_ttl": { + "default": 3600, + "description": "The lifetime of a token without an explicit `expires_in` value.", + "minimum": 0, + "type": "number" + }, + "eagerly_expire": { + "default": 5, + "description": "The number of seconds to eagerly expire a cached token. By default, a cached token expires 5 seconds before its lifetime as defined in `expires_in`.", + "minimum": -1, + "type": "integer" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The shared dictionary used by the plugin to cache tokens if `config.cache.strategy` is set to `memory`.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "default": "memory", + "description": "The method Kong should use to cache tokens issued by the IdP.", + "enum": [ + "memory", + "redis" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "client": { + "properties": { + "auth_method": { + "default": "client_secret_post", + "description": "The authentication method used in client requests to the IdP. Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none" + ], + "type": "string" + }, + "client_secret_jwt_alg": { + "default": "HS512", + "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", + "enum": [ + "HS256", + "HS512" + ], + "type": "string" + }, + "http_proxy": { + "description": "The proxy to use when making HTTP requests to the IdP.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `http_proxy`.", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for requests made by this plugin. 
Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The proxy to use when making HTTPS requests to the IdP.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `https_proxy`.", + "type": "string" + }, + "keep_alive": { + "default": true, + "description": "Whether to use keepalive connections to the IdP.", + "type": "boolean" + }, + "no_proxy": { + "description": "A comma-separated list of hosts that should not be proxied.", + "type": "string" + }, + "ssl_verify": { + "default": false, + "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network I/O timeout for requests to the IdP in milliseconds.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "oauth": { + "properties": { + "audience": { + "default": [], + "description": "List of audiences passed to the IdP when obtaining a new token.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client ID for the application registration in the IdP.", + "type": "string" + }, + "client_secret": { + "description": "The client secret for the application registration in the IdP.", + "type": "string" + }, + "grant_type": { + "default": "client_credentials", + "description": "The OAuth grant type to be used.", + "enum": [ + "client_credentials", + "password" + ], + "type": "string" + }, + "password": { + "description": "The password to use if `config.oauth.grant_type` is set to `password`.", + "type": "string" + }, + "scopes": { + "default": [ + "openid" + ], + "description": "List of scopes to request from the IdP when obtaining a new token.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + 
"token_endpoint": { + "description": "The token endpoint URI.", + "type": "string" + }, + "token_headers": { + "additionalProperties": true, + "description": "Extra headers to be passed in the token endpoint request.", + "type": "object" + }, + "token_post_args": { + "additionalProperties": true, + "description": "Extra post arguments to be passed in the token endpoint request.", + "type": "object" + }, + "username": { + "description": "The username to use if `config.oauth.grant_type` is set to `password`.", + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/upstream-timeout/3.9.json b/json_schemas/upstream-timeout/3.9.json new file mode 100644 index 00000000..681120b5 --- /dev/null +++ b/json_schemas/upstream-timeout/3.9.json 
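Review bot: `config.client.ssl_verify` defaults to `false`, so by default the token request carrying `client_id`/`client_secret` (or `username`/`password` for the `password` grant) is sent to an IdP whose certificate is not checked. `config.cache.redis.ssl` and `config.cache.redis.ssl_verify` also default to `false`, and that store holds the cached tokens. The descriptions should state the consequence, for example by appending "With the default of false the IdP's identity is not authenticated; set to true outside of local testing." to the client field. Separately, `cluster_nodes`, `sentinel_nodes` and the two shorthand address arrays use `"minLength": 1`, which JSON Schema applies only to strings; `"minItems": 1` is the keyword that enforces the documented one-element minimum. The file is generated, so both fixes belong in the source schema.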
@@ -0,0 +1,82 @@ +{ + "properties": { + "config": { + "properties": { + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/vault-auth/3.9.json b/json_schemas/vault-auth/3.9.json new file mode 100644 index 00000000..3f52bdea --- /dev/null +++ b/json_schemas/vault-auth/3.9.json 
@@ -0,0 +1,96 @@ +{ + "properties": { + "config": { + "properties": { + "access_token_name": { + "default": "access_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "items": { + "description": "A string representing an HTTP header name.", + "required": [], + "type": "string" + }, + "type": "string" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", + "type": "boolean" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" + }, + "secret_token_name": { + "default": "secret_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. 
The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "items": { + "description": "A string representing an HTTP header name.", + "required": [], + "type": "string" + }, + "type": "string" + }, + "tokens_in_body": { + "default": false, + "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "vault": { + "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/websocket-size-limit/3.9.json b/json_schemas/websocket-size-limit/3.9.json new file mode 100644 index 00000000..b46f162b 
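Review bot: `access_token_name` and `secret_token_name` are declared `"type": "string"` yet carry an `items` subschema and a description that speaks of an array of names. `items` is ignored for a string, so a validator checks neither the array shape nor the character set the description promises. Upstream should settle on one shape: either `"type": "array"` with the existing `items`, or a plain string with `items` removed. Either way, a `pattern` on the name would enforce the stated `[a-z]`, `[A-Z]`, `[0-9]`, `[_]`, `[-]` restriction. The `hide_credentials` description should also state that, with the default of `false`, the access and secret tokens (which may arrive in the query string) are passed on to the upstream service.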
--- /dev/null +++ b/json_schemas/websocket-size-limit/3.9.json @@ -0,0 +1,70 @@ +{ + "properties": { + "config": { + "properties": { + "client_max_payload": { + "maximum": 33554432, + "minimum": 1, + "type": "integer" + }, + "upstream_max_payload": { + "maximum": 33554432, + "minimum": 1, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
diff --git a/json_schemas/websocket-validator/3.9.json b/json_schemas/websocket-validator/3.9.json
new file mode 100644
index 00000000..8c23be44
--- /dev/null
+++ b/json_schemas/websocket-validator/3.9.json
@@ -0,0 +1,152 @@ +{ + "properties": { + "config": { + "properties": { + "client": { + "properties": { + "binary": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + }, + "text": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "upstream": { + "properties": { + "binary": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + }, + "text": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. 
The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/xml-threat-protection/3.9.json b/json_schemas/xml-threat-protection/3.9.json new file mode 100644 index 00000000..0fea5bfa --- /dev/null +++ b/json_schemas/xml-threat-protection/3.9.json 
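Review bot: All four `schema`/`type` pairs carry the same description, "Schema used to validate upstream-originated binary frames" with references to `config.upstream.binary.*`, including the ones under `client.binary`, `client.text` and `upstream.text`. Someone configuring validation of client frames from this schema is told the rule applies to upstream binary frames, which invites leaving the client direction unvalidated by mistake. Each description should name its own direction, frame kind and path; for `client.text.schema` that would read "Schema used to validate client-originated text frames. The semantics of this field depend on the validation type set by config.client.text.type." The same correction applies to the matching `type` descriptions.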
@@ -0,0 +1,210 @@ +{ + "properties": { + "config": { + "properties": { + "allow_dtd": { + "default": false, + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", + "type": "boolean" + }, + "allowed_content_types": { + "default": [], + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", + "items": { + "pattern": "^[^\\t\\n\\v\\f\\r ]+\\/[^ ;]+$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "attribute": { + "default": 1048576, + "description": "Maximum size of the attribute value.", + "minimum": 0, + "type": "integer" + }, + "bla_max_amplification": { + "default": 100, + "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", + "minimum": 1, + "type": "number" + }, + "bla_threshold": { + "default": 8388608, + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", + "minimum": 1024, + "type": "integer" + }, + "buffer": { + "default": 1048576, + "description": "Maximum size of the unparsed buffer (see below).", + "minimum": 0, + "type": "integer" + }, + "checked_content_types": { + "default": [ + "application/xml" + ], + "description": "A list of Content-Type values with payloads that must be validated.", + "items": { + "pattern": "^[^\\t\\n\\v\\f\\r ]+\\/[^ ;]+$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "comment": { + "default": 1024, + "description": "Maximum size of comments.", + "minimum": 0, + "type": "integer" + }, + "document": { + "default": 10485760, + "description": "Maximum size of the entire document.", + "minimum": 0, + "type": "integer" + }, + "entity": { + "default": 1024, + "description": "Maximum size of entity values in EntityDecl.", + "minimum": 0, + "type": "integer" + }, + "entityname": { + "default": 1024, + "description": "Maximum size of entity names in EntityDecl.", + "minimum": 0, + 
"type": "integer" + }, + "entityproperty": { + "default": 1024, + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", + "minimum": 0, + "type": "integer" + }, + "localname": { + "default": 1024, + "description": "Maximum size of the localname. This applies to tags and attributes.", + "minimum": 0, + "type": "integer" + }, + "max_attributes": { + "default": 100, + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", + "minimum": 0, + "type": "integer" + }, + "max_children": { + "default": 100, + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", + "minimum": 0, + "type": "integer" + }, + "max_depth": { + "default": 50, + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", + "minimum": 0, + "type": "integer" + }, + "max_namespaces": { + "default": 20, + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", + "minimum": 0, + "type": "integer" + }, + "namespace_aware": { + "default": true, + "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", + "type": "boolean" + }, + "namespaceuri": { + "default": 1024, + "description": "Maximum size of the namespace URI. 
This value is required if parsing is namespace-aware.", + "minimum": 0, + "type": "integer" + }, + "pidata": { + "default": 1024, + "description": "Maximum size of processing instruction data.", + "minimum": 0, + "type": "integer" + }, + "pitarget": { + "default": 1024, + "description": "Maximum size of processing instruction targets.", + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": 1024, + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", + "minimum": 0, + "type": "integer" + }, + "text": { + "default": 1048576, + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/zipkin/3.9.json b/json_schemas/zipkin/3.9.json new file mode 100644 index 00000000..354c7064 --- /dev/null +++ b/json_schemas/zipkin/3.9.json 
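Review bot: The size limits under `config` (`attribute`, `buffer`, `comment`, `document`, `entity`, `text` and the others) all allow `"minimum": 0`, but no description gives the unit or says whether `0` switches the check off or rejects every payload. For a threat-protection plugin that decides whether a zero silently removes a limit, so each description should state it, for example `"description": "Maximum size of the entire document, in <unit>. <what 0 means>."`. The `buffer` description also ends with "(see below)", which points at nothing in this schema and should be dropped or replaced by the text it refers to. These schemas are generated, so the wording has to change in the plugin schema they are pulled from.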
@@ -0,0 +1,346 @@ +{ + "properties": { + "config": { + "properties": { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "default_header_type": { + "default": "b3", + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "type": "string" + }, + "default_service_name": { + "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans.", + "type": "string" + }, + "header_type": { + "default": "preserve", + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. 
This property codifies what kind of tracing header the plugin expects on incoming requests", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "ignore", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "type": "string" + }, + "http_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "http_response_header_for_traceid": { + "type": "string" + }, + "http_span_name": { + "default": "method", + "description": "Specify whether to include the HTTP path in the span name.", + "enum": [ + "method", + "method_path" + ], + "type": "string" + }, + "include_credential": { + "default": true, + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", + "type": "boolean" + }, + "local_service_name": { + "default": "kong", + "description": "The name of the service as displayed in Zipkin.", + "type": "string" + }, + "phase_duration_flavor": { + "default": "annotations", + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", + "enum": [ + "annotations", + "tags" + ], + "type": "string" + }, + "propagation": { + "default": { + "default_format": "b3" + }, + "properties": { + "clear": { + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "default_format": { + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. 
This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "type": "string" + }, + "extract": { + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "items": { + "enum": [ + "aws", + "b3", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "inject": { + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "items": { + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "default_format" + ], + "type": "object" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. 
-1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sample_ratio": { + "default": 0.001, + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "static_tags": { + "description": "The tags specified on this property will be added to the generated request traces.", + "items": { + "properties": { + "name": { + "not_one_of": [ + "error", + "http.method", + "http.path", + "http.status_code", + "kong.balancer.state", + "kong.balancer.try", + "kong.consumer", + "kong.credential", + "kong.node.id", + "kong.route", + "kong.service", + "lc", + "peer.hostname" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "tags_header": { + "default": "Zipkin-Tags", + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", + "type": "string" + }, + "traceid_byte_count": { + "default": 16, + "description": "The length in bytes of each request's Trace ID.", + "enum": [ + 8, + 16 + ], + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file From 902df67c21a0248c8ed7d9049f5a8ea63a0e6c56 Mon Sep 17 00:00:00 2001 
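Review bot: `static_tags.items.properties.name` uses `not_one_of`, which is not a JSON Schema keyword, so a standard validator reading this file ignores it and accepts reserved tag names such as `kong.credential` or `error`. Unless every consumer of these schemas implements that keyword itself, the exclusion should be emitted as `"not": { "enum": [ "error", "http.method", … ] }` with the same list. Separately, `http_endpoint` is a bare `string` with no `format` or `pattern` while `include_credential` defaults to `true`, so the schema accepts any endpoint value for traces that carry credential metadata; `"format": "uri"` would at least record the intent. The file is generated, so both changes belong in the generator.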
From: Fabian Rodriguez Date: Thu, 5 Dec 2024 11:48:10 +0100 Subject: [PATCH 116/165] Generate json-schemas for 3.8 --- json_schemas/acl/3.8.json | 83 + json_schemas/acme/3.8.json | 363 +++ json_schemas/ai-azure-content-safety/3.8.json | 139 ++ json_schemas/ai-prompt-decorator/3.8.json | 141 ++ json_schemas/ai-prompt-guard/3.8.json | 113 + json_schemas/ai-prompt-template/3.8.json | 112 + json_schemas/ai-proxy-advanced/3.8.json | 739 ++++++ json_schemas/ai-proxy/3.8.json | 324 +++ .../ai-rate-limiting-advanced/3.8.json | 384 +++ json_schemas/ai-request-transformer/3.8.json | 342 +++ json_schemas/ai-response-transformer/3.8.json | 358 +++ json_schemas/ai-semantic-cache/3.8.json | 416 ++++ .../ai-semantic-prompt-guard/3.8.json | 444 ++++ json_schemas/app-dynamics/3.8.json | 64 + .../application-registration/3.8.json | 54 + json_schemas/aws-lambda/3.8.json | 209 ++ json_schemas/azure-functions/3.8.json | 117 + json_schemas/basic-auth/3.8.json | 71 + json_schemas/bot-detection/3.8.json | 73 + json_schemas/canary/3.8.json | 130 + json_schemas/confluent/3.8.json | 195 ++ json_schemas/correlation-id/3.8.json | 84 + json_schemas/cors/3.8.json | 127 + json_schemas/datadog-tracing/3.8.json | 101 + json_schemas/datadog/3.8.json | 247 ++ json_schemas/degraphql/3.8.json | 58 + json_schemas/exit-transformer/3.8.json | 81 + json_schemas/file-log/3.8.json | 86 + json_schemas/forward-proxy/3.8.json | 123 + .../graphql-proxy-cache-advanced/3.8.json | 279 +++ .../graphql-rate-limiting-advanced/3.8.json | 322 +++ json_schemas/grpc-gateway/3.8.json | 75 + json_schemas/grpc-web/3.8.json | 84 + json_schemas/header-cert-auth/3.8.json | 167 ++ json_schemas/hmac-auth/3.8.json | 110 + json_schemas/http-log/3.8.json | 185 ++ json_schemas/ip-restriction/3.8.json | 110 + json_schemas/jq/3.8.json | 154 ++ json_schemas/json-threat-protection/3.8.json | 116 + json_schemas/jwe-decrypt/3.8.json | 76 + json_schemas/jwt-signer/3.8.json | 639 +++++ json_schemas/jwt/3.8.json | 126 + 
json_schemas/kafka-log/3.8.json | 216 ++ json_schemas/kafka-upstream/3.8.json | 228 ++ json_schemas/key-auth-enc/3.8.json | 102 + json_schemas/key-auth/3.8.json | 102 + .../konnect-application-auth/3.8.json | 2143 ++++++++++++++++ json_schemas/ldap-auth-advanced/3.8.json | 179 ++ json_schemas/ldap-auth/3.8.json | 124 + json_schemas/loggly/3.8.json | 161 ++ json_schemas/mocking/3.8.json | 114 + json_schemas/mtls-auth/3.8.json | 155 ++ json_schemas/oas-validation/3.8.json | 137 + json_schemas/oauth2-introspection/3.8.json | 124 + json_schemas/oauth2/3.8.json | 153 ++ json_schemas/opa/3.8.json | 112 + json_schemas/openid-connect/3.8.json | 2210 +++++++++++++++++ json_schemas/opentelemetry/3.8.json | 272 ++ json_schemas/post-function/3.8.json | 140 ++ json_schemas/pre-function/3.8.json | 140 ++ json_schemas/prometheus/3.8.json | 101 + json_schemas/proxy-cache-advanced/3.8.json | 377 +++ json_schemas/proxy-cache/3.8.json | 201 ++ json_schemas/rate-limiting-advanced/3.8.json | 360 +++ json_schemas/rate-limiting/3.8.json | 283 +++ json_schemas/request-size-limiting/3.8.json | 84 + json_schemas/request-termination/3.8.json | 103 + .../request-transformer-advanced/3.8.json | 290 +++ json_schemas/request-transformer/3.8.json | 244 ++ json_schemas/request-validator/3.8.json | 150 ++ json_schemas/response-ratelimiting/3.8.json | 229 ++ .../response-transformer-advanced/3.8.json | 309 +++ json_schemas/response-transformer/3.8.json | 235 ++ json_schemas/route-by-header/3.8.json | 86 + .../route-transformer-advanced/3.8.json | 77 + json_schemas/saml/3.8.json | 650 +++++ json_schemas/session/3.8.json | 242 ++ json_schemas/standard-webhooks/3.8.json | 74 + json_schemas/statsd-advanced/3.8.json | 282 +++ json_schemas/statsd/3.8.json | 300 +++ json_schemas/syslog/3.8.json | 159 ++ json_schemas/tcp-log/3.8.json | 105 + json_schemas/tls-handshake-modifier/3.8.json | 58 + json_schemas/tls-metadata-headers/3.8.json | 80 + json_schemas/udp-log/3.8.json | 91 + 
json_schemas/upstream-oauth/3.8.json | 472 ++++ json_schemas/upstream-timeout/3.8.json | 82 + json_schemas/vault-auth/3.8.json | 96 + json_schemas/websocket-size-limit/3.8.json | 70 + json_schemas/websocket-validator/3.8.json | 152 ++ json_schemas/xml-threat-protection/3.8.json | 210 ++ json_schemas/zipkin/3.8.json | 346 +++ 92 files changed, 21631 insertions(+) create mode 100644 json_schemas/acl/3.8.json create mode 100644 json_schemas/acme/3.8.json create mode 100644 json_schemas/ai-azure-content-safety/3.8.json create mode 100644 json_schemas/ai-prompt-decorator/3.8.json create mode 100644 json_schemas/ai-prompt-guard/3.8.json create mode 100644 json_schemas/ai-prompt-template/3.8.json create mode 100644 json_schemas/ai-proxy-advanced/3.8.json create mode 100644 json_schemas/ai-proxy/3.8.json create mode 100644 json_schemas/ai-rate-limiting-advanced/3.8.json create mode 100644 json_schemas/ai-request-transformer/3.8.json create mode 100644 json_schemas/ai-response-transformer/3.8.json create mode 100644 json_schemas/ai-semantic-cache/3.8.json create mode 100644 json_schemas/ai-semantic-prompt-guard/3.8.json create mode 100644 json_schemas/app-dynamics/3.8.json create mode 100644 json_schemas/application-registration/3.8.json create mode 100644 json_schemas/aws-lambda/3.8.json create mode 100644 json_schemas/azure-functions/3.8.json create mode 100644 json_schemas/basic-auth/3.8.json create mode 100644 json_schemas/bot-detection/3.8.json create mode 100644 json_schemas/canary/3.8.json create mode 100644 json_schemas/confluent/3.8.json create mode 100644 json_schemas/correlation-id/3.8.json create mode 100644 json_schemas/cors/3.8.json create mode 100644 json_schemas/datadog-tracing/3.8.json create mode 100644 json_schemas/datadog/3.8.json create mode 100644 json_schemas/degraphql/3.8.json create mode 100644 json_schemas/exit-transformer/3.8.json create mode 100644 json_schemas/file-log/3.8.json create mode 100644 json_schemas/forward-proxy/3.8.json create mode 
100644 json_schemas/graphql-proxy-cache-advanced/3.8.json create mode 100644 json_schemas/graphql-rate-limiting-advanced/3.8.json create mode 100644 json_schemas/grpc-gateway/3.8.json create mode 100644 json_schemas/grpc-web/3.8.json create mode 100644 json_schemas/header-cert-auth/3.8.json create mode 100644 json_schemas/hmac-auth/3.8.json create mode 100644 json_schemas/http-log/3.8.json create mode 100644 json_schemas/ip-restriction/3.8.json create mode 100644 json_schemas/jq/3.8.json create mode 100644 json_schemas/json-threat-protection/3.8.json create mode 100644 json_schemas/jwe-decrypt/3.8.json create mode 100644 json_schemas/jwt-signer/3.8.json create mode 100644 json_schemas/jwt/3.8.json create mode 100644 json_schemas/kafka-log/3.8.json create mode 100644 json_schemas/kafka-upstream/3.8.json create mode 100644 json_schemas/key-auth-enc/3.8.json create mode 100644 json_schemas/key-auth/3.8.json create mode 100644 json_schemas/konnect-application-auth/3.8.json create mode 100644 json_schemas/ldap-auth-advanced/3.8.json create mode 100644 json_schemas/ldap-auth/3.8.json create mode 100644 json_schemas/loggly/3.8.json create mode 100644 json_schemas/mocking/3.8.json create mode 100644 json_schemas/mtls-auth/3.8.json create mode 100644 json_schemas/oas-validation/3.8.json create mode 100644 json_schemas/oauth2-introspection/3.8.json create mode 100644 json_schemas/oauth2/3.8.json create mode 100644 json_schemas/opa/3.8.json create mode 100644 json_schemas/openid-connect/3.8.json create mode 100644 json_schemas/opentelemetry/3.8.json create mode 100644 json_schemas/post-function/3.8.json create mode 100644 json_schemas/pre-function/3.8.json create mode 100644 json_schemas/prometheus/3.8.json create mode 100644 json_schemas/proxy-cache-advanced/3.8.json create mode 100644 json_schemas/proxy-cache/3.8.json create mode 100644 json_schemas/rate-limiting-advanced/3.8.json create mode 100644 json_schemas/rate-limiting/3.8.json create mode 100644 
json_schemas/request-size-limiting/3.8.json create mode 100644 json_schemas/request-termination/3.8.json create mode 100644 json_schemas/request-transformer-advanced/3.8.json create mode 100644 json_schemas/request-transformer/3.8.json create mode 100644 json_schemas/request-validator/3.8.json create mode 100644 json_schemas/response-ratelimiting/3.8.json create mode 100644 json_schemas/response-transformer-advanced/3.8.json create mode 100644 json_schemas/response-transformer/3.8.json create mode 100644 json_schemas/route-by-header/3.8.json create mode 100644 json_schemas/route-transformer-advanced/3.8.json create mode 100644 json_schemas/saml/3.8.json create mode 100644 json_schemas/session/3.8.json create mode 100644 json_schemas/standard-webhooks/3.8.json create mode 100644 json_schemas/statsd-advanced/3.8.json create mode 100644 json_schemas/statsd/3.8.json create mode 100644 json_schemas/syslog/3.8.json create mode 100644 json_schemas/tcp-log/3.8.json create mode 100644 json_schemas/tls-handshake-modifier/3.8.json create mode 100644 json_schemas/tls-metadata-headers/3.8.json create mode 100644 json_schemas/udp-log/3.8.json create mode 100644 json_schemas/upstream-oauth/3.8.json create mode 100644 json_schemas/upstream-timeout/3.8.json create mode 100644 json_schemas/vault-auth/3.8.json create mode 100644 json_schemas/websocket-size-limit/3.8.json create mode 100644 json_schemas/websocket-validator/3.8.json create mode 100644 json_schemas/xml-threat-protection/3.8.json create mode 100644 json_schemas/zipkin/3.8.json diff --git a/json_schemas/acl/3.8.json b/json_schemas/acl/3.8.json new file mode 100644 index 00000000..0c3043e1 --- /dev/null +++ b/json_schemas/acl/3.8.json 
@@ -0,0 +1,83 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "always_use_authenticated_groups": { + "default": false, + "description": "If enabled (`true`), the authenticated groups will always be used even when an authenticated consumer already exists. If the authenticated groups don't exist, it will fallback to use the groups associated with the consumer. By default the authenticated groups will only be used when there is no consumer or the consumer is anonymous.", + "type": "boolean" + }, + "deny": { + "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "hide_groups_header": { + "default": false, + "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", + "type": "boolean" + }, + "include_consumer_groups": { + "default": false, + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/acme/3.8.json b/json_schemas/acme/3.8.json new file mode 100644 index 00000000..4f34c195 --- /dev/null +++ b/json_schemas/acme/3.8.json 
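Review bot: The descriptions of `config.allow` and `config.deny` both say one of the two must be specified, but `config` has `"required": []` and no combinator, so an ACL configuration with neither list validates against this schema. Adding `"anyOf": [ { "required": [ "allow" ] }, { "required": [ "deny" ] } ]` to `config` would encode the stated rule; use `oneOf` instead if the two are meant to be mutually exclusive, which the text does not make clear. `include_consumer_groups` is also the only field in this hunk without a `description`. The file is generated, so both changes probably belong in the source schema or the generator.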
@@ -0,0 +1,363 @@ +{ + "properties": { + "config": { + "properties": { + "account_email": { + "description": "The account identifier. Can be reused in a different plugin instance.", + "pattern": "[a-zA-Z0-9]*[!-/:-@[-`{-~]*@+[a-zA-Z0-9]*%.?[a-zA-Z0-9]*", + "type": "string" + }, + "account_key": { + "description": "The private key associated with the account.", + "properties": { + "key_id": { + "description": "The Key ID.", + "type": "string" + }, + "key_set": { + "description": "The ID of the key set to associate the Key ID with.", + "type": "string" + } + }, + "required": [ + "key_id" + ], + "type": "object" + }, + "allow_any_domain": { + "default": false, + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", + "type": "boolean" + }, + "api_uri": { + "default": "https://acme-v02.api.letsencrypt.org/directory", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "cert_type": { + "default": "rsa", + "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate.", + "enum": [ + "ecc", + "rsa" + ], + "type": "string" + }, + "domains": { + "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", + "items": { + "match_all": { + "pattern": "^[^*]*%*?[^*]*$" + }, + "match_any": { + "patterns": [ + "%.%*$", + "^%*%.", + "^[^*]*$" + ] + }, + "required": [], + "type": "string" + }, + "type": "array" + }, + "eab_hmac_key": { + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", + "type": "string" + }, + "eab_kid": { + "description": "External account binding (EAB) key id. 
You usually don't need to set this unless it is explicitly required by the CA.", + "type": "string" + }, + "enable_ipv4_common_name": { + "default": true, + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", + "type": "boolean" + }, + "fail_backoff_minutes": { + "default": 5, + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", + "type": "number" + }, + "preferred_chain": { + "description": "A string value that specifies the preferred certificate chain to use when generating certificates.", + "type": "string" + }, + "renew_threshold_days": { + "default": 14, + "description": "Days remaining to renew the certificate before it expires.", + "type": "number" + }, + "rsa_key_size": { + "default": 4096, + "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", + "enum": [ + 2048, + 3072, + 4096 + ], + "type": "integer" + }, + "storage": { + "default": "shm", + "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. 
Please refer to the Hybrid Mode sections below as well.", + "enum": [ + "consul", + "kong", + "redis", + "shm", + "vault" + ], + "type": "string" + }, + "storage_config": { + "properties": { + "consul": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https": { + "default": false, + "description": "Boolean representation of https.", + "type": "boolean" + }, + "kv_path": { + "description": "KV prefix path.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "description": "Timeout in milliseconds.", + "type": "number" + }, + "token": { + "description": "Consul ACL token.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "kong": { + "additionalProperties": true, + "properties": {}, + "required": [], + "type": "object" + }, + "redis": { + "properties": { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "extra_options": { + "description": "Custom ACME Redis options", + "properties": { + "namespace": { + "default": "", + "description": "A namespace to prepend to all keys stored in Redis.", + "minLength": 0, + "type": "string" + }, + "scan_count": { + "default": 10, + "description": "The number of keys to return in Redis SCAN calls.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "password": { + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "minLength": 0, + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "auth": { + "minLength": 0, + "translate_backwards": [ + "password" + ], + "type": "string" + }, + "namespace": { + "minLength": 0, + "translate_backwards": [ + "extra_options", + "namespace" + ], + "type": "string" + }, + "scan_count": { + "translate_backwards": [ + "extra_options", + "scan_count" + ], + "type": "integer" + }, + "ssl_server_name": { + "translate_backwards": [ + "server_name" + ], + "type": "string" + } + }, + "type": "object" + }, + "shm": { + "properties": { + "shm_name": { + "default": "kong", + "description": "Name of shared memory zone used for Kong API gateway storage", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "vault": { + "properties": { + "auth_method": { + "default": "token", + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", + "enum": [ + "kubernetes", + "token" + ], + "type": "string" + }, + "auth_path": { + "description": "Vault's authentication path to use.", + "type": "string" + }, + "auth_role": { + "description": "The role to try and assign.", + "type": "string" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https": { + "default": false, + "description": "Boolean representation of https.", + "type": "boolean" + }, + "jwt_path": { + "description": "The path to the JWT.", + "type": "string" + }, + "kv_path": { + "description": "KV prefix path.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "description": "Timeout in milliseconds.", + "type": "number" + }, + "tls_server_name": { + "description": "SNI used in request, default to host if omitted.", + "type": "string" + }, + "tls_verify": { + "default": true, + 
"description": "Turn on TLS verification.", + "type": "boolean" + }, + "token": { + "description": "Consul ACL token.", + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "tos_accepted": { + "default": false, + "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-azure-content-safety/3.8.json b/json_schemas/ai-azure-content-safety/3.8.json new file mode 100644 index 00000000..7fc1e807 --- /dev/null +++ b/json_schemas/ai-azure-content-safety/3.8.json 
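Review bot: `config.account_email` in json_schemas/acme/3.8.json carries a Lua pattern under the JSON Schema `pattern` keyword: `%.?` is Lua for an optional literal dot, but a standard regex-based validator reads it as a required literal `%` followed by an optional arbitrary character, so an ordinary address such as `admin@example.com` (constructed example) would not match. If consumers validate against this file, translate the escape (`%.?` becomes `\\.?` in the JSON string) or drop the keyword and leave the check to the gateway. The same applies to `domains.items`, where `match_all`/`match_any` are not JSON Schema keywords and will be ignored, so the wildcard-host rule is not enforced by this schema. Separately, `storage_config.vault.token` is described as "Consul ACL token.", which looks copied from the consul block.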
@@ -0,0 +1,139 @@ +{ + "properties": { + "config": { + "properties": { + "azure_api_version": { + "default": "2023-10-01", + "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format.", + "minLength": 1, + "type": "string" + }, + "azure_client_id": { + "description": "If `azure_use_managed_identity` is true, set the client ID if required.", + "type": "string" + }, + "azure_client_secret": { + "description": "If `azure_use_managed_identity` is true, set the client secret if required.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If `azure_use_managed_identity` is true, set the tenant ID if required.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity", + "type": "boolean" + }, + "blocklist_names": { + "description": "Use these configured blocklists (in Azure Content Services) when inspecting content.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "categories": { + "description": "Array of categories, and their thresholds, to measure on.", + "items": { + "properties": { + "name": { + "type": "string" + }, + "rejection_level": { + "type": "integer" + } + }, + "required": [ + "name", + "rejection_level" + ], + "type": "object" + }, + "type": "array" + }, + "content_safety_key": { + "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.", + "type": "string" + }, + "content_safety_url": { + "description": "Full URL, inc protocol, of the Azure Content Safety instance.", + "type": "string" + }, + "halt_on_blocklist_hit": { + "default": true, + "description": "Tells Azure to reject the request if any blocklist filter is hit.", + "type": "boolean" + }, + "output_type": { + "default": "FourSeverityLevels", + "description": 
"See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter#content-filtering-categories", + "enum": [ + "EightSeverityLevels", + "FourSeverityLevels" + ], + "type": "string" + }, + "reveal_failure_reason": { + "default": true, + "description": "Set true to tell the caller why their request was rejected, if so.", + "type": "boolean" + }, + "text_source": { + "default": "concatenate_all_content", + "description": "Select where to pick the 'text' for the Azure Content Services request.", + "enum": [ + "concatenate_all_content", + "concatenate_user_content" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-prompt-decorator/3.8.json b/json_schemas/ai-prompt-decorator/3.8.json new file mode 100644 index 00000000..f9a591c8 --- /dev/null +++ b/json_schemas/ai-prompt-decorator/3.8.json 
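Review bot: The description of `config.content_safety_key` in json_schemas/ai-azure-content-safety/3.8.json says the API key is set when `azure_use_managed_identity` is true, which reads inverted. The sibling `azure_client_id`, `azure_client_secret` and `azure_tenant_id` fields are the ones tied to managed identity, and a static key is presumably the alternative used when it is false. If that matches the plugin's behaviour, the description should say `false` instead of `true`, so operators do not configure both credential paths at once. `categories.items.rejection_level` is also an unbounded integer with no description; documenting the valid range for each `output_type` would let threshold mistakes be caught when the configuration is reviewed.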
@@ -0,0 +1,141 @@ +{ + "properties": { + "config": { + "properties": { + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, + "prompts": { + "properties": { + "append": { + "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages.", + "items": { + "properties": { + "content": { + "maxLength": 500, + "minLength": 1, + "type": "string" + }, + "role": { + "default": "system", + "enum": [ + "assistant", + "system", + "user" + ], + "type": "string" + } + }, + "required": [ + "content" + ], + "type": "object" + }, + "maxLength": 15, + "type": "array" + }, + "prepend": { + "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages.", + "items": { + "properties": { + "content": { + "maxLength": 500, + "minLength": 1, + "type": "string" + }, + "role": { + "default": "system", + "enum": [ + "assistant", + "system", + "user" + ], + "type": "string" + } + }, + "required": [ + "content" + ], + "type": "object" + }, + "maxLength": 15, + "type": "array" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-prompt-guard/3.8.json b/json_schemas/ai-prompt-guard/3.8.json new file mode 100644 index 00000000..95c822a7 --- /dev/null +++ b/json_schemas/ai-prompt-guard/3.8.json 
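Review bot: `config.prompts.append` and `config.prompts.prepend` in json_schemas/ai-prompt-decorator/3.8.json are `"type": "array"` but cap their size with `"maxLength": 15`; in JSON Schema `maxLength` constrains strings only, so a validator applies no limit to the number of injected messages. Use `"maxItems": 15` on both arrays. The same keyword is used on the `allow_patterns` and `deny_patterns` arrays in json_schemas/ai-prompt-guard/3.8.json (`"maxLength": 10`), which need `"maxItems": 10`. If these files are produced by a converter from the plugin's own schema, the fix belongs in how that converter maps the array length limit.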
@@ -0,0 +1,113 @@ +{ + "properties": { + "config": { + "properties": { + "allow_all_conversation_history": { + "default": false, + "description": "If true, will ignore all previous chat prompts from the conversation history.", + "type": "boolean" + }, + "allow_patterns": { + "description": "Array of valid regex patterns, or valid questions from the 'user' role in chat.", + "items": { + "maxLength": 500, + "minLength": 1, + "required": [], + "type": "string" + }, + "maxLength": 10, + "type": "array" + }, + "deny_patterns": { + "description": "Array of invalid regex patterns, or invalid questions from the 'user' role in chat.", + "items": { + "maxLength": 500, + "minLength": 1, + "required": [], + "type": "string" + }, + "maxLength": 10, + "type": "array" + }, + "match_all_roles": { + "default": false, + "description": "If true, will match all roles in addition to 'user' role in conversation history.", + "type": "boolean" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-prompt-template/3.8.json b/json_schemas/ai-prompt-template/3.8.json new file mode 100644 index 00000000..594030d0 --- /dev/null +++ b/json_schemas/ai-prompt-template/3.8.json 
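Review bot: The description of `config.allow_all_conversation_history` in json_schemas/ai-prompt-guard/3.8.json does not say what the flag means for enforcement. "will ignore all previous chat prompts" suggests that, when true, earlier messages in the conversation are not matched against `allow_patterns`/`deny_patterns`, so content the guard would deny is not checked once it sits in the history; that should be confirmed against the plugin and stated outright. A wording such as `If true, only the latest message is checked; earlier messages in the conversation history are not evaluated against the patterns.` would make the trade-off clear to operators.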
@@ -0,0 +1,112 @@ +{ + "properties": { + "config": { + "properties": { + "allow_untemplated_requests": { + "default": true, + "description": "Set true to allow requests that don't call or match any template.", + "type": "boolean" + }, + "log_original_request": { + "default": false, + "description": "Set true to add the original request to the Kong log plugin(s) output.", + "type": "boolean" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, + "templates": { + "description": "Array of templates available to the request context.", + "items": { + "properties": { + "name": { + "description": "Unique name for the template, can be called with `{template://NAME}`", + "type": "string" + }, + "template": { + "description": "Template string for this request, supports mustache-style `{{placeholders}}`", + "type": "string" + } + }, + "required": [ + "name", + "template" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-proxy-advanced/3.8.json b/json_schemas/ai-proxy-advanced/3.8.json new file mode 100644 index 00000000..cc107278 --- /dev/null +++ b/json_schemas/ai-proxy-advanced/3.8.json 
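Review bot: `config.allow_untemplated_requests` in json_schemas/ai-prompt-template/3.8.json defaults to `true`, and its description does not spell out that with the default, requests matching no template are still accepted (inferred from the description; confirm against the plugin). Operators who deploy the plugin to restrict callers to approved templates need that stated, for example by appending `Set to false to reject requests that do not reference a configured template.` The description of `log_original_request` could likewise note that the original request, which may contain sensitive prompt content, is written to the log plugins' output.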
@@ -0,0 +1,739 @@ +{ + "properties": { + "config": { + "properties": { + "balancer": { + "properties": { + "algorithm": { + "default": "round-robin", + "description": "Which load balancing algorithm to use.", + "enum": [ + "consistent-hashing", + "lowest-latency", + "lowest-usage", + "round-robin", + "semantic" + ], + "type": "string" + }, + "connect_timeout": { + "default": 60000, + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "hash_on_header": { + "default": "X-Kong-LLM-Request-ID", + "description": "The header to use for consistent-hashing.", + "type": "string" + }, + "latency_strategy": { + "default": "tpot", + "description": "What metrics to use for latency. Available values are: `tpot` (time-per-output-token) and `e2e`.", + "enum": [ + "e2e", + "tpot" + ], + "type": "string" + }, + "read_timeout": { + "default": 60000, + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "retries": { + "default": 5, + "description": "The number of retries to execute upon failure to proxy.", + "maximum": 32767, + "minimum": 0, + "type": "integer" + }, + "slots": { + "default": 10000, + "description": "The number of slots in the load balancer algorithm.", + "maximum": 65536, + "minimum": 10, + "type": "integer" + }, + "tokens_count_strategy": { + "default": "total-tokens", + "description": "What tokens to use for usage calculation. 
Available values are: `total_tokens` `prompt_tokens`, and `completion_tokens`.", + "enum": [ + "completion-tokens", + "prompt-tokens", + "total-tokens" + ], + "type": "string" + }, + "write_timeout": { + "default": 60000, + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "embeddings": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "enum": [ + "mistral-embed", + "text-embedding-3-large", + "text-embedding-3-small" + ], + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "upstream_url": { + "description": "upstream url for the embeddings", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "provider": { + "description": "AI provider format to use for embeddings API", + "enum": [ + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [ + "name", + "provider" + ], + "type": "object" + } + }, + "required": [ + "model" + ], + "type": "object" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, 
+ "model_name_header": { + "default": true, + "description": "Display the model name selected in the X-Kong-LLM-Model response header", + "type": "boolean" + }, + "targets": { + "items": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if 
required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "description": { + "description": "The semantic description of the target, required if using semantic load balancing.", + "type": "string" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": "Defines the 
schema/API version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "bedrock": { + "properties": { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "minimum": 0, + "type": "number" + }, + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "enum": [ + "ollama", + "openai", + "raw" + ], + "type": "string" + }, + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "enum": [ + "ollama", + "openai" + ], + "type": "string" + }, + "output_cost": { + "description": "Defines the cost per 1M tokens in the output of the AI.", + "minimum": 0, + "type": "number" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", 
+ "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, + "minimum": 0, + "type": "integer" + }, + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cohere", + "gemini", + "llama2", + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [ + "provider" + ], + "type": "object" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. 
Set to `preserve` to pass through without transformation.", + "enum": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "type": "string" + }, + "weight": { + "default": 100, + "description": "The weight this target gets within the upstream loadbalancer (1-65535).", + "maximum": 65535, + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "logging", + "model", + "route_type" + ], + "type": "object" + }, + "type": "array" + }, + "vectordb": { + "properties": { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "type": "integer" + }, + "distance_metric": { + "description": "the distance metric to use for vector searches", + "enum": [ + "cosine", + "euclidean" + ], + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "translate_backwards": [ + "connect_timeout" + ], + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "description": "which vector database driver to use", + "enum": [ + "redis" + ], + "type": "string" + }, + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float)", + "type": "number" + } + }, + "required": [ + "dimensions", + "distance_metric", + "redis", + "strategy", + "threshold" + ], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-proxy/3.8.json b/json_schemas/ai-proxy/3.8.json new file mode 100644 index 00000000..5e20a580 --- /dev/null +++ b/json_schemas/ai-proxy/3.8.json 
@@ -0,0 +1,324 @@ +{ + "properties": { + "config": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": "Defines the 
schema/API version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "bedrock": { + "properties": { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "minimum": 0, + "type": "number" + }, + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "enum": [ + "ollama", + "openai", + "raw" + ], + "type": "string" + }, + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "enum": [ + "ollama", + "openai" + ], + "type": "string" + }, + "output_cost": { + "description": "Defines the cost per 1M tokens in the output of the AI.", + "minimum": 0, + "type": "number" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", 
+ "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, + "minimum": 0, + "type": "integer" + }, + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cohere", + "gemini", + "llama2", + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "model_name_header": { + "default": true, + "description": "Display the model name selected in the X-Kong-LLM-Model response header", + "type": "boolean" + }, + "response_streaming": { + "default": "allow", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "enum": [ + "allow", + "always", + "deny" + ], + "type": "string" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "enum": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. 
(Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-rate-limiting-advanced/3.8.json b/json_schemas/ai-rate-limiting-advanced/3.8.json new file mode 100644 index 00000000..2cbb55a9 --- /dev/null +++ b/json_schemas/ai-rate-limiting-advanced/3.8.json 
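Review bot: The credential fields under `config.auth` (`aws_secret_access_key`, `azure_client_secret`, `gcp_service_account_json`, `header_value`, `param_value`) are declared as bare `"type": "string"`, and their descriptions never say that the value is a secret. Anything that renders this schema (docs, config forms, linters) therefore has no cue to mask the value or to steer users away from literals in committed config. I would extend each description with a sentence such as `This value is a credential; supply it from a secret store rather than as a literal.` The `param_location` enum in the same object allows `query`, which places `param_value` in the upstream URL, where access logs commonly record it; its description should say so. If this file is produced by a schema export, the wording has to change at the source rather than here.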
@@ -0,0 +1,384 @@ +{ + "properties": { + "config": { + "properties": { + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "type": "string" + }, + "disable_penalty": { + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type and the request prompt provider.", + "type": "boolean" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "minimum": 0, + "type": "number" + }, + "error_hide_providers": { + "default": false, + "description": "Optionally hide informative response that would otherwise provide information about the provider in the error message.", + "type": "boolean" + }, + "error_message": { + "default": "API rate limit exceeded for provider(s): ", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" + }, + "identifier": { + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. 
Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "enum": [ + "consumer", + "consumer-group", + "credential", + "header", + "ip", + "path", + "service" + ], + "type": "string" + }, + "llm_providers": { + "description": "The provider config. Takes an array of `name`, `limit` and `window size` values.", + "items": { + "properties": { + "limit": { + "description": "The limit applies to the LLM provider within the defined window size. It used the query cost from the tokens to increment the counter.", + "type": "number" + }, + "name": { + "description": "The LLM provider to which the rate limit applies.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cohere", + "gemini", + "llama2", + "mistral", + "openai", + "requestPrompt" + ], + "type": "string" + }, + "window_size": { + "description": "The window size to apply a limit (defined in seconds).", + "type": "number" + } + }, + "required": [ + "limit", + "name", + "window_size" + ], + "type": "object" + }, + "type": "array" + }, + "path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "translate_backwards": [ + "connect_timeout" + ], + "type": "integer" + } + }, + "type": "object" + }, + "request_prompt_count_function": { + "description": "If defined, it use custom function to count requests for the request prompt provider", + "type": "string" + }, + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + }, + "strategy": { + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + }, + "tokens_count_strategy": { + "default": "total_tokens", + "description": "What tokens to use for cost calculation. 
Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` or `cost`.", + "enum": [ + "completion_tokens", + "cost", + "prompt_tokens", + "total_tokens" + ], + "type": "string" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-request-transformer/3.8.json b/json_schemas/ai-request-transformer/3.8.json new file mode 100644 index 00000000..24d8427e --- /dev/null +++ b/json_schemas/ai-request-transformer/3.8.json 
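Review bot: In `config.redis`, `cluster_nodes`, `sentinel_nodes` and the shorthand `cluster_addresses`/`sentinel_addresses` put `"minLength": 1` on `"type": "array"`. If these files are consumed as standard JSON Schema, `minLength` constrains strings only, so an empty array still validates although the descriptions promise a minimum of one element; `"minItems": 1` is the keyword that enforces it. Separately, `ssl` and `ssl_verify` both default to `false` while `password` and `sentinel_password` sit in the same object, and neither description says that the defaults leave the Redis connection unencrypted and the server certificate unchecked. I would add `With the default (false), credentials are sent to Redis in cleartext.` to `ssl` and a matching sentence about certificate verification to `ssl_verify`. The `vectordb.redis` object in the preceding file carries the same `minLength` and TLS defaults, and the `strategy` description here lists only `local` and `cluster` although the enum also accepts `redis`.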
@@ -0,0 +1,342 @@ +{ + "properties": { + "config": { + "properties": { + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 60000, + "description": "Timeout in milliseconds for the AI upstream service.", + "type": "integer" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_verify": { + "default": true, + "description": "Verify the TLS certificate of the AI upstream service.", + "type": "boolean" + }, + "llm": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' 
for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "bedrock": { + "properties": { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "minimum": 0, + "type": "number" + }, + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "enum": [ + "ollama", + "openai", + "raw" + ], + "type": "string" + }, + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "enum": [ + "ollama", + "openai" + ], + "type": "string" + }, + "output_cost": { + "description": "Defines the cost per 1M tokens in the output of the AI.", + "minimum": 0, + "type": "number" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, 
+ "minimum": 0, + "type": "integer" + }, + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cohere", + "gemini", + "llama2", + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "enum": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, + "prompt": { + "description": "Use this prompt to tune the LLM system/assistant message for the incoming proxy request (from the client), and what you are expecting in return.", + "type": "string" + }, + "transformation_extract_pattern": { + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the request phase. The first match will be set as the outgoing body. 
If the AI service's response doesn't match this pattern, it is marked as a failure.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-response-transformer/3.8.json b/json_schemas/ai-response-transformer/3.8.json new file mode 100644 index 00000000..cb98309b --- /dev/null +++ b/json_schemas/ai-response-transformer/3.8.json 
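Review bot: The credential fields under `config.llm.auth` (`aws_secret_access_key`, `azure_client_secret`, `gcp_service_account_json`, `header_value`, `param_value`) are plain `"type": "string"` entries, and none of their descriptions says they hold secrets. I would add a sentence to each, for example `This value is a secret; prefer a secret reference over a literal value in declarative config.` Whether each field accepts a reference is not visible in this schema, so confirm it against the plugin source first. The `param_location` description should also say that `query` places `param_value` in the upstream URL, where it is more likely to be recorded in access logs than a header or body value. The same `auth` block appears in the ai-response-transformer and ai-semantic-cache hunks (there under `embeddings.auth`); if these files are generated, the wording belongs in the source schema.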
@@ -0,0 +1,358 @@ +{ + "properties": { + "config": { + "properties": { + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 60000, + "description": "Timeout in milliseconds for the AI upstream service.", + "type": "integer" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_verify": { + "default": true, + "description": "Verify the TLS certificate of the AI upstream service.", + "type": "boolean" + }, + "llm": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' 
for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "bedrock": { + "properties": { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "minimum": 0, + "type": "number" + }, + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "enum": [ + "ollama", + "openai", + "raw" + ], + "type": "string" + }, + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "enum": [ + "ollama", + "openai" + ], + "type": "string" + }, + "output_cost": { + "description": "Defines the cost per 1M tokens in the output of the AI.", + "minimum": 0, + "type": "number" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, 
+ "minimum": 0, + "type": "integer" + }, + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cohere", + "gemini", + "llama2", + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "enum": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, + "parse_llm_response_json_instructions": { + "default": false, + "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. 
You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions.", + "type": "boolean" + }, + "prompt": { + "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting.", + "type": "string" + }, + "transformation_extract_pattern": { + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the response phase. The first match will be set as the returning body. If the AI service's response doesn't match this pattern, a failure is returned to the client.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-semantic-cache/3.8.json b/json_schemas/ai-semantic-cache/3.8.json new file mode 100644 index 00000000..17a6dee2 --- /dev/null +++ b/json_schemas/ai-semantic-cache/3.8.json 
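Review bot: The `parse_llm_response_json_instructions` description says the model's output sets the status code, body and headers proxied back to the client, but it does not say that this makes the LLM response a trust boundary. The model presumably sees the upstream response body, so content in that body can influence what is emitted. I would append something like `Treat the resulting status code and headers as untrusted output; constrain them downstream when the upstream content is not fully trusted.` Separately, the `prompt` description has a typo, `adn` for `and`.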
@@ -0,0 +1,416 @@ +{ + "properties": { + "config": { + "properties": { + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "minimum": 0, + "type": "integer" + }, + "embeddings": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "enum": [ + "mistral-embed", + "text-embedding-3-large", + "text-embedding-3-small" + ], + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "upstream_url": { + "description": "upstream url for the embeddings", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "provider": { + "description": "AI provider format to use for embeddings API", + "enum": [ + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "exact_caching": { + "default": false, + "description": "When enabled, a first check for exact query will be done. 
It will impact DB size", + "type": "boolean" + }, + "ignore_assistant_prompts": { + "default": false, + "description": "Ignore and discard any assistant prompts when Vectorizing the request", + "type": "boolean" + }, + "ignore_system_prompts": { + "default": false, + "description": "Ignore and discard any system prompts when Vectorizing the request", + "type": "boolean" + }, + "message_countback": { + "default": 1, + "description": "Number of messages in the chat history to Vectorize/Cache", + "maximum": 1000, + "minimum": 1, + "type": "number" + }, + "stop_on_failure": { + "default": false, + "description": "Halt the LLM request process in case of a caching system failure", + "type": "boolean" + }, + "vectordb": { + "properties": { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "type": "integer" + }, + "distance_metric": { + "description": "the distance metric to use for vector searches", + "enum": [ + "cosine", + "euclidean" + ], + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "translate_backwards": [ + "connect_timeout" + ], + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "description": "which vector database driver to use", + "enum": [ + "redis" + ], + "type": "string" + }, + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float)", + "type": "number" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-semantic-prompt-guard/3.8.json b/json_schemas/ai-semantic-prompt-guard/3.8.json new file mode 100644 index 00000000..bd82c0ee --- /dev/null +++ b/json_schemas/ai-semantic-prompt-guard/3.8.json 
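Review bot: `cluster_nodes`, `sentinel_nodes` and the `cluster_addresses` / `sentinel_addresses` shorthand fields pair `"type": "array"` with `"minLength": 1`, but in standard JSON Schema `minLength` constrains only strings. A validator will therefore not enforce the "minimum length of the array is 1 element" promised in the descriptions; the array keyword is `"minItems": 1`. `cache_ttl` has a similar mismatch: the description requires a value greater than 0 while `"minimum": 0` admits 0, so `"exclusiveMinimum": 0` or `"minimum": 1` would match the text. The `redis.ssl` and `redis.ssl_verify` descriptions should also say that both default to `false`, so the connection to the vector store is neither encrypted nor certificate-checked unless they are set. If this file is generated, these fixes belong in the generator or the source schema.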
@@ -0,0 +1,444 @@ +{ + "properties": { + "config": { + "properties": { + "embeddings": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "enum": [ + "mistral-embed", + "text-embedding-3-large", + "text-embedding-3-small" + ], + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "upstream_url": { + "description": "upstream url for the embeddings", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "provider": { + "description": "AI provider format to use for embeddings API", + "enum": [ + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "rules": { + "properties": { + "allow_prompts": { + "description": "List of prompts to allow.", + "items": { + "maxLength": 500, + "minLength": 1, + "required": [], + "type": "string" + }, + 
"maxLength": 100, + "type": "array" + }, + "deny_prompts": { + "description": "List of prompts to deny.", + "items": { + "maxLength": 500, + "minLength": 1, + "required": [], + "type": "string" + }, + "maxLength": 100, + "type": "array" + }, + "match_all_conversation_history": { + "default": false, + "description": "If false, will ignore all previous chat prompts from the conversation history.", + "type": "boolean" + }, + "match_all_roles": { + "default": false, + "description": "If true, will match all roles in addition to 'user' role in conversation history.", + "type": "boolean" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "search": { + "properties": { + "threshold": { + "default": 0.5, + "description": "Threshold for the similarity score to be considered a match.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "vectordb": { + "properties": { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "type": "integer" + }, + "distance_metric": { + "description": "the distance metric to use for vector searches", + "enum": [ + "cosine", + "euclidean" + ], + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "translate_backwards": [ + "connect_timeout" + ], + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "description": "which vector database driver to use", + "enum": [ + "redis" + ], + "type": "string" + }, + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float)", + "type": "number" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/app-dynamics/3.8.json b/json_schemas/app-dynamics/3.8.json new file mode 100644 index 00000000..984044ad --- /dev/null +++ b/json_schemas/app-dynamics/3.8.json 
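Review bot: `allow_prompts` and `deny_prompts` declare `"maxLength": 100` next to `"type": "array"`, and `cluster_nodes` and `sentinel_nodes` declare `"minLength": 1` the same way. In JSON Schema those two keywords constrain strings only, so a validator ignores them on arrays. Neither the 100-entry cap on the guard's rule lists nor the one-element minimum promised in the node descriptions is enforced by this schema. The array-level keywords are `"maxItems": 100` and `"minItems": 1`. If this file is emitted by a converter, the mapping should be corrected there rather than by hand here.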
@@ -0,0 +1,64 @@ +{ + "properties": { + "config": { + "additionalProperties": true, + "properties": {}, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/application-registration/3.8.json b/json_schemas/application-registration/3.8.json new file mode 100644 index 00000000..c0e82ee3 --- /dev/null +++ b/json_schemas/application-registration/3.8.json 
@@ -0,0 +1,54 @@ +{ + "properties": { + "config": { + "properties": { + "auto_approve": { + "default": false, + "description": "If enabled, all new Service Contracts requests are automatically approved.", + "type": "boolean" + }, + "description": { + "description": "Unique description displayed in information about a Service in the Developer Portal.", + "type": "string" + }, + "display_name": { + "description": "Unique display name used for a Service in the Developer Portal.", + "type": "string" + }, + "enable_proxy_with_consumer_credential": { + "default": false, + "description": "If enabled, the Route of the Service can be accessed using the Consumer's credential", + "type": "boolean" + }, + "show_issuer": { + "default": false, + "description": "Displays the **Issuer URL** in the **Service Details** dialog.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/aws-lambda/3.8.json b/json_schemas/aws-lambda/3.8.json new file mode 100644 index 00000000..531f6aac --- /dev/null +++ b/json_schemas/aws-lambda/3.8.json 
@@ -0,0 +1,209 @@ +{ + "properties": { + "config": { + "properties": { + "aws_assume_role_arn": { + "description": "The target AWS IAM role ARN used to invoke the Lambda function.", + "type": "string" + }, + "aws_imds_protocol_version": { + "default": "v1", + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", + "enum": [ + "v1", + "v2" + ], + "type": "string" + }, + "aws_key": { + "description": "The AWS key credential to be used when invoking the function.", + "type": "string" + }, + "aws_region": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "aws_role_session_name": { + "default": "kong", + "description": "The identifier of the assumed role session.", + "type": "string" + }, + "aws_secret": { + "description": "The AWS secret credential to be used when invoking the function. ", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "awsgateway_compatible": { + "default": false, + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", + "type": "boolean" + }, + "base64_encode_body": { + "default": true, + "description": "An optional value that Base64-encodes the request body.", + "type": "boolean" + }, + "disable_https": { + "default": false, + "type": "boolean" + }, + "empty_arrays_mode": { + "default": "legacy", + "description": "An optional value that defines whether Kong should send empty arrays (returned by Lambda function) as `[]` arrays or `{}` objects in JSON responses. 
The value `legacy` means Kong will send empty arrays as `{}` objects in response", + "enum": [ + "correct", + "legacy" + ], + "type": "string" + }, + "forward_request_body": { + "default": false, + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. ", + "type": "boolean" + }, + "forward_request_headers": { + "default": false, + "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", + "type": "boolean" + }, + "forward_request_method": { + "default": false, + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", + "type": "boolean" + }, + "forward_request_uri": { + "default": false, + "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", + "type": "boolean" + }, + "function_name": { + "description": "The AWS Lambda function to invoke. Both function name and function ARN (including partial) are supported.", + "type": "string" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "invocation_type": { + "default": "RequestResponse", + "description": "The InvocationType to use when invoking the function. 
Available types are RequestResponse, Event, DryRun.", + "enum": [ + "DryRun", + "Event", + "RequestResponse" + ], + "type": "string" + }, + "is_proxy_integration": { + "default": false, + "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "number" + }, + "log_type": { + "default": "Tail", + "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", + "enum": [ + "None", + "Tail" + ], + "type": "string" + }, + "port": { + "default": 443, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "proxy_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "qualifier": { + "description": "The qualifier to use when invoking the function.", + "type": "string" + }, + "skip_large_bodies": { + "default": true, + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", + "type": "boolean" + }, + "timeout": { + "default": 60000, + "description": "An optional timeout in milliseconds when invoking the function.", + "type": "number" + }, + "unhandled_status": { + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", + "maximum": 999, + "minimum": 100, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/azure-functions/3.8.json b/json_schemas/azure-functions/3.8.json new file mode 100644 index 00000000..8c4378f8 --- /dev/null +++ b/json_schemas/azure-functions/3.8.json 
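Review bot: `disable_https` is the only property under `config` without a `description`, and by its name it governs transport security for a plugin that also carries `aws_key` and `aws_secret`. The name suggests that `true` makes the plugin reach the Lambda endpoint over plain HTTP. Once that is confirmed against the plugin source, a line such as `"description": "If true, the plugin connects to the Lambda endpoint without TLS."` would tell operators what the flag gives up. The `aws_imds_protocol_version` description could likewise state that the default `v1` is the plain request/response protocol and `v2` the session-token one, since hosts that enforce IMDSv2 need the non-default value.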
@@ -0,0 +1,117 @@ +{ + "properties": { + "config": { + "properties": { + "apikey": { + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", + "type": "string" + }, + "appname": { + "description": "The Azure app name.", + "type": "string" + }, + "clientid": { + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.", + "type": "string" + }, + "functionname": { + "description": "Name of the Azure function to invoke.", + "type": "string" + }, + "hostdomain": { + "default": "azurewebsites.net", + "description": "The domain where the function resides.", + "type": "string" + }, + "https": { + "default": true, + "description": "Use of HTTPS to connect with the Azure Functions server.", + "type": "boolean" + }, + "https_verify": { + "default": false, + "description": "Set to `true` to authenticate the Azure Functions server.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", + "type": "number" + }, + "routeprefix": { + "default": "api", + "description": "Route prefix to use.", + "type": "string" + }, + "timeout": { + "default": 600000, + "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/basic-auth/3.8.json b/json_schemas/basic-auth/3.8.json new file mode 100644 index 00000000..d67e26e6 --- /dev/null +++ b/json_schemas/basic-auth/3.8.json 
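Review bot: `https_verify` defaults to `false` and its description only says what `true` does. A reader is not told that the default leaves the Azure Functions server certificate unverified, while `apikey` and `clientid` are injected as the `x-functions-key` and `x-functions-clientid` headers. I would extend the text to `"description": "Set to true to authenticate the Azure Functions server. With the default false, the server certificate is not verified."`. The wording appears to originate in the plugin schema, so the change likely belongs upstream.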
@@ -0,0 +1,71 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", + "type": "boolean" + }, + "realm": { + "default": "service", + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/bot-detection/3.8.json b/json_schemas/bot-detection/3.8.json new file mode 100644 index 00000000..0a4e686c --- /dev/null +++ b/json_schemas/bot-detection/3.8.json 
@@ -0,0 +1,73 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "default": [], + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", + "items": { + "is_regex": true, + "required": [], + "type": "string" + }, + "type": "array" + }, + "deny": { + "default": [], + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", + "items": { + "is_regex": true, + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/canary/3.8.json b/json_schemas/canary/3.8.json new file mode 100644 index 00000000..b7ecf25f --- /dev/null +++ b/json_schemas/canary/3.8.json 
@@ -0,0 +1,130 @@ +{ + "properties": { + "config": { + "properties": { + "canary_by_header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "duration": { + "default": 3600, + "description": "The duration of the canary release in seconds.", + "minimum": 0, + "type": "number" + }, + "groups": { + "description": "The groups allowed to access the canary release.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "hash": { + "default": "consumer", + "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", + "enum": [ + "allow", + "consumer", + "deny", + "header", + "ip", + "none" + ], + "type": "string" + }, + "hash_header": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "percentage": { + "description": "The percentage of traffic to be routed to the canary release.", + "maximum": 100, + "minimum": 0, + "type": "number" + }, + "start": { + "description": "Future time in seconds since epoch, when the canary release will start. 
Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`.", + "type": "number" + }, + "steps": { + "default": 1000, + "description": "The number of steps for the canary release.", + "minimum": 1, + "type": "number" + }, + "upstream_fallback": { + "default": false, + "description": "Specifies whether to fallback to the upstream server if the canary release fails.", + "type": "boolean" + }, + "upstream_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "upstream_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "upstream_uri": { + "description": "The URI of the upstream server to be used for the canary release.", + "minLength": 1, + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "hash": { + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead.", + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/confluent/3.8.json b/json_schemas/confluent/3.8.json new file mode 100644 index 00000000..8355c951 --- /dev/null +++ b/json_schemas/confluent/3.8.json 
@@ -0,0 +1,195 @@ +{ + "properties": { + "config": { + "properties": { + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_api_key": { + "description": "Username/Apikey for SASL authentication.", + "type": "string" + }, + "cluster_api_secret": { + "description": "Password/ApiSecret for SASL authentication.", + "type": "string" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "confluent_cloud_api_key": { + "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", + "type": "string" + }, + "confluent_cloud_api_secret": { + "description": "The corresponding secret for the Confluent Cloud API key.", + "type": "string" + }, + "forward_body": { + "default": true, + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_headers": { + "default": false, + "description": "Include the request headers in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_method": { + "default": false, + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_uri": { + "default": false, + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "Keepalive timeout in milliseconds.", + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + }, + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + }, + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + }, + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "enum": [ + -1, + 0, + 1 + ], + "type": "integer" + }, + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + }, + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single producer request.", + "type": "integer" + }, + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + }, + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + }, + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topic": { + "description": "The Kafka topic to publish to.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/correlation-id/3.8.json b/json_schemas/correlation-id/3.8.json new file mode 100644 index 00000000..a6dd6f8d --- /dev/null +++ b/json_schemas/correlation-id/3.8.json 
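Review bot: `cluster_api_secret` and `confluent_cloud_api_secret` (and the matching `cluster_api_key` / `confluent_cloud_api_key`) are declared as bare `"type": "string"`, with nothing marking them as credentials. Anything that renders forms, examples or logs from this schema therefore has no signal to mask or redact them. If the exporter can carry it, flag them with something like `"writeOnly": true`, and have the descriptions recommend a secret reference instead of an inline value, if the gateway supports one for these fields. Separately, `forward_body` defaults to `true` and `forward_headers` copies request headers into the Kafka message, so the descriptions could mention that bearer tokens or other sensitive request data may end up in the topic. This file looks like an export of the plugin's source schema, so the change probably belongs upstream.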
@@ -0,0 +1,84 @@ +{ + "properties": { + "config": { + "properties": { + "echo_downstream": { + "default": false, + "description": "Whether to echo the header back to downstream (the client).", + "type": "boolean" + }, + "generator": { + "default": "uuid#counter", + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", + "enum": [ + "tracker", + "uuid", + "uuid#counter" + ], + "type": "string" + }, + "header_name": { + "default": "Kong-Request-ID", + "description": "The HTTP header name to use for the correlation ID.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/cors/3.8.json b/json_schemas/cors/3.8.json new file mode 100644 index 00000000..d3d2518f --- /dev/null +++ b/json_schemas/cors/3.8.json 
@@ -0,0 +1,127 @@ +{ + "properties": { + "config": { + "properties": { + "credentials": { + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", + "type": "boolean" + }, + "exposed_headers": { + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "description": "Value for the `Access-Control-Allow-Headers` header.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "max_age": { + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`.", + "type": "number" + }, + "methods": { + "default": [ + "CONNECT", + "DELETE", + "GET", + "HEAD", + "OPTIONS", + "PATCH", + "POST", + "PUT", + "TRACE" + ], + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", + "items": { + "enum": [ + "CONNECT", + "DELETE", + "GET", + "HEAD", + "OPTIONS", + "PATCH", + "POST", + "PUT", + "TRACE" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "origins": { + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. 
The accepted values can either be flat strings or PCRE regexes.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "preflight_continue": { + "default": false, + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", + "type": "boolean" + }, + "private_network": { + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "minLength": 1, + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/datadog-tracing/3.8.json b/json_schemas/datadog-tracing/3.8.json new file mode 100644 index 00000000..a599aec1 --- /dev/null +++ b/json_schemas/datadog-tracing/3.8.json 
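Review bot: The `origins` description says values may be `*`, flat strings or PCRE regexes, but not whether a regex is anchored or how `*` interacts with `credentials`. An unanchored origin pattern can match more origins than the author intended, so the description should either tell users to anchor with `^` and `$` and escape literal dots, or state that the plugin anchors for them, whichever is true. It would also help to note under `credentials` that browsers reject `Access-Control-Allow-Credentials: true` when the allowed origin is the wildcard. Minor: the `methods` description is wrapped in stray single quotes inside the JSON string (`"'Value for ... allowed.'"`).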
@@ -0,0 +1,101 @@ +{ + "properties": { + "config": { + "properties": { + "batch_flush_delay": { + "default": 3, + "type": "integer" + }, + "batch_span_count": { + "default": 200, + "type": "integer" + }, + "connect_timeout": { + "default": 1000, + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "endpoint": { + "type": "string" + }, + "environment": { + "default": "none", + "type": "string" + }, + "read_timeout": { + "default": 5000, + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 5000, + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "service_name": { + "default": "kong", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/datadog/3.8.json b/json_schemas/datadog/3.8.json new file mode 100644 index 00000000..b32b6dcf --- /dev/null +++ b/json_schemas/datadog/3.8.json 
@@ -0,0 +1,247 @@ +{ + "properties": { + "config": { + "properties": { + "consumer_tag": { + "default": "consumer", + "description": "String to be attached as tag of the consumer.", + "type": "string" + }, + "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" + }, + "host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "metrics": { + "default": [ + { + "consumer_identifier": "custom_id", + "name": "kong_latency", + "sample_rate": 1, + "stat_type": "timer", + "tags": [ + "app:kong" + ] + } + ], + "description": "List of metrics to be logged.", + "items": { + "properties": { + "consumer_identifier": { + "description": "Authenticated user detail", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "description": "Datadog metric’s name", + "enum": [ + "kong_latency", + "latency", + "request_count", + "request_size", + "response_size", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "description": "Sampling rate", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "stat_type": { + "description": "Determines what sort of event the metric represents", + "enum": [ + "counter", + "distribution", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + }, + "tags": { + "description": "List of tags", + "items": { + "pattern": "^.*[^:]$", + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "name", + "stat_type" + ], + "type": "object" + }, + "type": "array" + }, + "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to be attached as a 
prefix to a metric's name.", + "type": "string" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "queue_size": { + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" + }, + "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" + }, + "service_name_tag": { + "default": "name", + "description": "String to be attached as the name of the 
service.", + "type": "string" + }, + "status_tag": { + "default": "status", + "description": "String to be attached as the tag of the HTTP status.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/degraphql/3.8.json b/json_schemas/degraphql/3.8.json new file mode 100644 index 00000000..305dfff1 --- /dev/null +++ b/json_schemas/degraphql/3.8.json 
@@ -0,0 +1,58 @@ +{ + "properties": { + "config": { + "properties": { + "graphql_server_path": { + "default": "/graphql", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/exit-transformer/3.8.json b/json_schemas/exit-transformer/3.8.json new file mode 100644 index 00000000..423006b1 --- /dev/null +++ b/json_schemas/exit-transformer/3.8.json 
@@ -0,0 +1,81 @@ +{ + "properties": { + "config": { + "properties": { + "functions": { + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "handle_unexpected": { + "default": false, + "description": "Determines whether to handle unexpected errors by transforming their responses.", + "type": "boolean" + }, + "handle_unknown": { + "default": false, + "description": "Determines whether to handle unknown status codes by transforming their responses.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
diff --git a/json_schemas/file-log/3.8.json b/json_schemas/file-log/3.8.json new file mode 100644 index 00000000..1144bb8d --- /dev/null +++ b/json_schemas/file-log/3.8.json 
@@ -0,0 +1,86 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "path": { + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", + "pattern": "^[^*&%%\\`]+$", + "type": "string" + }, + "reopen": { + "default": false, + "description": "Determines whether the log file is closed and reopened on every request.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/forward-proxy/3.8.json b/json_schemas/forward-proxy/3.8.json new file mode 100644 index 00000000..800452c3 --- /dev/null +++ b/json_schemas/forward-proxy/3.8.json 
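Review bot: The `pattern` on `config.path` reads like a Lua pattern copied verbatim, and as a JSON Schema (ECMA-262) regex it likely does not exclude what was intended. In the decoded regex, `%%` is just a repeated percent sign and the backslash only escapes the backtick, so a path containing a backslash still validates. If the upstream intent is to forbid `*`, `&`, `%`, backslash and backtick, the exported value would need a doubled backslash in the regex, i.e. the JSON string `"^[^*&%\\\\`]+$"`. The pattern also places no constraint on the directory, and `custom_fields_by_lua` is an open map (`"additionalProperties": true`) described as Lua code, so the descriptions should state that write access to this plugin's configuration lets the caller choose the file the gateway writes and, presumably, the Lua it evaluates. Since this file appears to be exported, the fix probably belongs in the exporter or the source schema.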
@@ -0,0 +1,123 @@ +{ + "properties": { + "config": { + "properties": { + "auth_password": { + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "type": "string" + }, + "auth_username": { + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "type": "string" + }, + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_verify": { + "default": false, + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "type": "boolean" + }, + "proxy_scheme": { + "default": "http", + "description": "The proxy scheme to use when connecting. Only `http` is supported.", + "enum": [ + "http" + ], + "type": "string" + }, + "x_headers": { + "default": "append", + "description": "Determines how to handle headers when forwarding the request.", + "enum": [ + "append", + "delete", + "transparent" + ], + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "proxy_host": { + "type": "string" + }, + "proxy_port": { + "type": "integer" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/graphql-proxy-cache-advanced/3.8.json b/json_schemas/graphql-proxy-cache-advanced/3.8.json new file mode 100644 index 00000000..c79380fc --- /dev/null +++ b/json_schemas/graphql-proxy-cache-advanced/3.8.json 
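Review bot: `https_verify` defaults to `false`, so a configuration that leaves it out connects without checking the server certificate against the CAs in `lua_ssl_trusted_certificate`; the description should say that the default skips verification and that production configs are expected to set `"https_verify": true`. `auth_password` is a plain `"type": "string"` with nothing that marks it as a secret, so tools driven by this schema have no signal to mask it or keep it out of logs; if the consumers of these schemas honour it, `"writeOnly": true` is the standard annotation. The `shorthand_fields` entries `proxy_host` and `proxy_port` carry no description, and `proxy_port` lacks the 0–65535 bounds that `http_proxy_port` and `https_proxy_port` have.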
@@ -0,0 +1,279 @@ +{ + "properties": { + "config": { + "properties": { + "bypass_on_err": { + "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "minimum": 0, + "type": "integer" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "translate_backwards": [ + "connect_timeout" + ], + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "default": "memory", + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", + "enum": [ + "memory", + "redis" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. 
(Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/graphql-rate-limiting-advanced/3.8.json b/json_schemas/graphql-rate-limiting-advanced/3.8.json new file mode 100644 index 00000000..0d3eebbc --- /dev/null +++ b/json_schemas/graphql-rate-limiting-advanced/3.8.json 
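Review bot: In the `redis` block, `ssl` and `ssl_verify` both default to `false` while `password` and `sentinel_password` are accepted, so a configuration that sets only a host and credentials presumably authenticates to Redis over an unencrypted connection, and with `ssl` alone to an unverified peer; the descriptions should state this and recommend enabling both. `cluster_nodes`, `sentinel_nodes` and the `cluster_addresses`/`sentinel_addresses` shorthands put `"minLength": 1` on `"type": "array"`, which standard JSON Schema validators apply only to strings, so the documented one-element minimum is not enforced; `"minItems": 1` is the array keyword. `cache_ttl` is described as greater than 0 but `"minimum": 0` admits 0, and `strategy` says the accepted value is `memory` while the enum also lists `redis`. The same `redis` block, with the same defaults and `minLength` usage, is repeated in the graphql-rate-limiting-advanced hunk that follows.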
@@ -0,0 +1,322 @@ +{ + "properties": { + "config": { + "properties": { + "cost_strategy": { + "default": "default", + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", + "enum": [ + "default", + "node_quantifier" + ], + "type": "string" + }, + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters will be stored until the next sync cycle.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers. Available options: `true` or `false`.", + "type": "boolean" + }, + "identifier": { + "default": "consumer", + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", + "enum": [ + "consumer", + "credential", + "ip" + ], + "type": "string" + }, + "limit": { + "description": "One or more requests-per-window limits to apply.", + "items": { + "required": [], + "type": "number" + }, + "type": "array" + }, + "max_cost": { + "default": 0, + "description": "A defined maximum cost per query. 0 means unlimited.", + "type": "number" + }, + "namespace": { + "description": "The rate limiting namespace to use for this plugin instance. This namespace is used to share rate limiting counters across different instances. If it is not provided, a random UUID is generated. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "translate_backwards": [ + "connect_timeout" + ], + "type": "integer" + } + }, + "type": "object" + }, + "score_factor": { + "default": 1, + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", + "minimum": 0, + "type": "number" + }, + "strategy": { + "default": "cluster", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", + "enum": [ + "cluster", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.", + "type": "number" + }, + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds).", + "items": { + "required": [], + "type": "number" + }, + "type": "array" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window to either `sliding` or `fixed`.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/grpc-gateway/3.8.json b/json_schemas/grpc-gateway/3.8.json new file mode 100644 index 00000000..f9b0ae1e --- /dev/null +++ b/json_schemas/grpc-gateway/3.8.json 
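Review bot: `score_factor` is documented as "must always be greater than 0", but `"minimum": 0` lets 0 through; an exclusive bound (`"exclusiveMinimum": 0` in draft-06 and later; no `$schema` is declared here, so the dialect is unknown) would match the text. `limit` and `window_size` have no `minItems`, their items have no lower bound, and `config.required` is empty, so a rate-limiting config with no limits, or with zero or negative ones, validates against this schema; whether the gateway rejects it later cannot be told from this hunk. `max_cost` defaults to `0`, which the description defines as unlimited, so query cost is unbounded unless the operator sets it; that is worth stating next to `cost_strategy`.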
@@ -0,0 +1,75 @@ +{ + "properties": { + "config": { + "properties": { + "proto": { + "description": "Describes the gRPC types and methods.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/grpc-web/3.8.json b/json_schemas/grpc-web/3.8.json new file mode 100644 index 00000000..41a21e62 --- /dev/null +++ b/json_schemas/grpc-web/3.8.json 
@@ -0,0 +1,84 @@ +{ + "properties": { + "config": { + "properties": { + "allow_origin_header": { + "default": "*", + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", + "type": "string" + }, + "pass_stripped_path": { + "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", + "type": "boolean" + }, + "proto": { + "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/header-cert-auth/3.8.json b/json_schemas/header-cert-auth/3.8.json new file mode 100644 index 00000000..0b872fc3 --- /dev/null +++ b/json_schemas/header-cert-auth/3.8.json 
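Review bot: `allow_origin_header` defaults to `*`, so an instance enabled without setting it answers gRPC-Web clients with `Access-Control-Allow-Origin: *`; the description should say that the default lets any web origin read responses and that routes serving internal or authenticated APIs should set a specific origin. The `proto` description misspells the media type as `application/grpw-web+proto`; it should read `application/grpc-web+proto`. `pass_stripped_path` has no `default`, unlike the other boolean fields in these schemas, so the behaviour when it is omitted is undocumented.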
@@ -0,0 +1,167 @@ +{ + "properties": { + "config": { + "properties": { + "allow_partial_chain": { + "default": false, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "type": "boolean" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "authenticated_group_by": { + "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "enum": [ + "CN", + "DN" + ], + "type": "string" + }, + "ca_certificates": { + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", + "items": { + "required": [], + "type": "string", + "uuid": true + }, + "type": "array" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "cert_cache_ttl": { + "default": 60000, + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", + "type": "number" + }, + "certificate_header_format": { + "description": "Format of the certificate header. 
Supported formats: `base64_encoded`, `url_encoded`.", + "enum": [ + "base64_encoded", + "url_encoded" + ], + "type": "string" + }, + "certificate_header_name": { + "description": "Name of the header that contains the certificate, received from the WAF or other L7 downstream proxy.", + "type": "string" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "items": { + "enum": [ + "custom_id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "default_consumer": { + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "revocation_check_mode": { + "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. 
If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "enum": [ + "IGNORE_CA_ERROR", + "SKIP", + "STRICT" + ], + "type": "string" + }, + "secure_source": { + "default": true, + "description": "Whether to secure the source of the request. If set to `true`, the plugin will only allow requests from trusted IPs (configured by the `trusted_ips` config option).", + "type": "boolean" + }, + "skip_consumer_lookup": { + "default": false, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/hmac-auth/3.8.json b/json_schemas/hmac-auth/3.8.json new file mode 100644 index 00000000..163911ba --- /dev/null 
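Review bot: `secure_source` says requests are only allowed from trusted IPs "configured by the `trusted_ips` config option", but no `trusted_ips` property exists in this plugin's `config`, so a reader cannot tell where that list is set. The description should name the gateway-level setting it refers to and say that, because the client certificate arrives in a request header, the header is only as trustworthy as the restriction on who may reach the gateway directly. `revocation_check_mode` defaults to `IGNORE_CA_ERROR`, which by its own description does not fail on network issues, so a certificate whose OCSP or CRL endpoint is unreachable is presumably still accepted; the description should point to `STRICT` for fail-closed behaviour. `ca_certificates` is documented as needing at least one entry, yet the array has no `"minItems": 1` and `config.required` is empty, so a config with no CA list validates against this schema.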
+++ b/json_schemas/hmac-auth/3.8.json 
@@ -0,0 +1,110 @@ +{ + "properties": { + "config": { + "properties": { + "algorithms": { + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", + "items": { + "enum": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "anonymous": { + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + }, + "clock_skew": { + "default": 300, + "description": "Clock skew in seconds to prevent replay attacks.", + "minimum": 0, + "type": "number" + }, + "enforce_headers": { + "default": [], + "description": "A list of headers that the client should at least use for HTTP signature creation.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "type": "boolean" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "validate_request_body": { + "default": false, + "description": "A boolean value telling the plugin to enable body validation.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/http-log/3.8.json b/json_schemas/http-log/3.8.json new file mode 100644 index 00000000..548d1ad5 --- /dev/null +++ b/json_schemas/http-log/3.8.json 
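Review bot: `config.clock_skew` is bounded below (`"minimum": 0`) but has no `maximum`, and its description does not say what the number is measured against, so the schema accepts arbitrarily large values without telling the operator that this weakens the replay protection the field exists for. Presumably it is the tolerated gap between the signed request date and the gateway clock; if that is right, the description should say so, e.g. `"description": "Maximum allowed difference in seconds between the request date and the gateway clock; requests outside it are rejected. Larger values widen the replay window."`. The `anonymous` description should also state plainly that, as its wording implies, a request that fails authentication is handled as that consumer instead of being rejected. If this file is exported from the plugin's own schema, both wording changes belong in that source.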
@@ -0,0 +1,185 @@ +{ + "properties": { + "config": { + "properties": { + "content_type": { + "default": "application/json", + "description": "Indicates the type of data sent. The only available option is `application/json`.", + "enum": [ + "application/json", + "application/json; charset=utf-8" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" + }, + "headers": { + "additionalProperties": true, + "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", + "type": "object" + }, + "http_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", + "type": "number" + }, + "method": { + "default": "POST", + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", + "enum": [ + "PATCH", + "POST", + "PUT" + ], + "type": "string" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. 
-1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "queue_size": { + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" + }, + "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the 
plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ip-restriction/3.8.json b/json_schemas/ip-restriction/3.8.json new file mode 100644 index 00000000..00e778e7 --- /dev/null +++ b/json_schemas/ip-restriction/3.8.json 
@@ -0,0 +1,110 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", + "items": { + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "deny": { + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", + "items": { + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "message": { + "description": "The message to send as a response body to rejected requests.", + "type": "string" + }, + "status": { + "description": "The HTTP status of the requests that will be rejected by the plugin.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/jq/3.8.json b/json_schemas/jq/3.8.json new file mode 100644 index 00000000..562724b3 --- /dev/null +++ b/json_schemas/jq/3.8.json 
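Review bot: The rule stated in the `allow` and `deny` descriptions, that one of `config.allow` or `config.deny` must be specified, is not expressed in the schema: `config` has `"required": []` and no combinator, so a document with neither list validates. Anyone checking configuration against this file before deployment gets a pass for an instance that either filters nothing or is rejected later by the gateway; which of the two cannot be told from the hunk. Adding `"anyOf": [{ "required": ["allow"] }, { "required": ["deny"] }]` to `config` would encode the rule. `status` is also an unbounded `number`; `"type": "integer"` with `"minimum": 100` and `"maximum": 599` would keep a non-HTTP value out.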
@@ -0,0 +1,154 @@ +{ + "properties": { + "config": { + "properties": { + "request_if_media_type": { + "default": [ + "application/json" + ], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "request_jq_program": { + "type": "string" + }, + "request_jq_program_options": { + "properties": { + "ascii_output": { + "default": false, + "type": "boolean" + }, + "compact_output": { + "default": true, + "type": "boolean" + }, + "join_output": { + "default": false, + "type": "boolean" + }, + "raw_output": { + "default": false, + "type": "boolean" + }, + "sort_keys": { + "default": false, + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "response_if_media_type": { + "default": [ + "application/json" + ], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "response_if_status_code": { + "default": [ + 200 + ], + "items": { + "maximum": 599, + "minimum": 100, + "required": [], + "type": "integer" + }, + "type": "array" + }, + "response_jq_program": { + "type": "string" + }, + "response_jq_program_options": { + "properties": { + "ascii_output": { + "default": false, + "type": "boolean" + }, + "compact_output": { + "default": true, + "type": "boolean" + }, + "join_output": { + "default": false, + "type": "boolean" + }, + "raw_output": { + "default": false, + "type": "boolean" + }, + "sort_keys": { + "default": false, + "type": "boolean" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/json-threat-protection/3.8.json b/json_schemas/json-threat-protection/3.8.json new file mode 100644 index 00000000..86d98f32 --- /dev/null +++ b/json_schemas/json-threat-protection/3.8.json 
@@ -0,0 +1,116 @@ +{ + "properties": { + "config": { + "properties": { + "enforcement_mode": { + "default": "block", + "description": "Enforcement mode of the security policy.", + "enum": [ + "block", + "log_only" + ], + "type": "string" + }, + "error_message": { + "default": "Bad Request", + "description": "The response message when validation fails", + "type": "string" + }, + "error_status_code": { + "default": 400, + "description": "The response status code when validation fails.", + "maximum": 499, + "minimum": 400, + "type": "integer" + }, + "max_array_element_count": { + "default": -1, + "description": "Max number of elements in an array. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_body_size": { + "default": 8192, + "description": "Max size of the request body. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_container_depth": { + "default": -1, + "description": "Max nested depth of objects and arrays. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_object_entry_count": { + "default": -1, + "description": "Max number of entries in an object. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_object_entry_name_length": { + "default": -1, + "description": "Max string length of object name. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_string_value_length": { + "default": -1, + "description": "Max string value length. 
-1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/jwe-decrypt/3.8.json b/json_schemas/jwe-decrypt/3.8.json new file mode 100644 index 00000000..dd09fa60 --- /dev/null +++ b/json_schemas/jwe-decrypt/3.8.json 
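Review bot: Every structural limit in `config` (`max_array_element_count`, `max_container_depth`, `max_object_entry_count`, `max_object_entry_name_length`, `max_string_value_length`) defaults to `-1`, which the descriptions define as unlimited, so an instance created with defaults bounds only `max_body_size` (8192) and leaves depth, entry counts and string lengths unbounded. The descriptions should say that the check is off until a value is set, for example `"description": "Max nested depth of objects and arrays. -1 means unlimited (the default); set a bound to enable this check."`. The shared `"maximum": 2147483648` is 2^31, one more than the largest signed 32-bit value 2147483647; if the limits are stored as 32-bit integers this looks like an off-by-one and is worth confirming against the plugin source. `max_body_size` names no unit, presumably bytes.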
@@ -0,0 +1,76 @@ +{ + "properties": { + "config": { + "properties": { + "forward_header_name": { + "default": "Authorization", + "description": "The name of the header that is used to set the decrypted value.", + "type": "string" + }, + "key_sets": { + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "lookup_header_name": { + "default": "Authorization", + "description": "The name of the header to look for the JWE token.", + "type": "string" + }, + "strict": { + "default": true, + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
diff --git a/json_schemas/jwt-signer/3.8.json b/json_schemas/jwt-signer/3.8.json new file mode 100644 index 00000000..3be7f441 --- /dev/null +++ b/json_schemas/jwt-signer/3.8.json 
@@ -0,0 +1,639 @@ +{ + "properties": { + "config": { + "properties": { + "access_token_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_authorization": { + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", + "type": "string" + }, + "access_token_introspection_body_args": { + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", + "type": "string" + }, + "access_token_introspection_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. 
The parameter can take an array of values.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", + "type": "string" + }, + "access_token_introspection_hint": { + "default": "access_token", + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", + "type": "string" + }, + "access_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. 
You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", + "type": "number" + }, + "access_token_introspection_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", + "type": "number" + }, + "access_token_issuer": { + "default": "kong", + "description": "The `iss` claim of a signed or re-signed access token is set to this value. 
Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", + "type": "string" + }, + "access_token_jwks_uri": { + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", + "type": "string" + }, + "access_token_jwks_uri_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", + "type": "string" + }, + "access_token_jwks_uri_client_password": { + "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`", + "type": "string" + }, + "access_token_jwks_uri_client_username": { + "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`", + "type": "string" + }, + "access_token_jwks_uri_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. The default value 0 means no auto-rotation.", + "type": "number" + }, + "access_token_keyset": { + "default": "kong", + "description": "The name of the keyset containing signing keys.", + "type": "string" + }, + "access_token_keyset_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_keyset` is an https uri that requires mTLS Auth.", + "type": "string" + }, + "access_token_keyset_client_password": { + "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `access_token_keyset_client_username`", + "type": "string" + }, + "access_token_keyset_client_username": { + "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`", + "type": "string" + }, + "access_token_keyset_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. The default value 0 means no auto-rotation.", + "type": "number" + }, + "access_token_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", + "type": "number" + }, + "access_token_optional": { + "default": false, + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. 
If the token is provided, then this parameter has no effect", + "type": "boolean" + }, + "access_token_request_header": { + "default": "Authorization", + "description": "This parameter tells the name of the header where to look for the access token.", + "type": "string" + }, + "access_token_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_signing_algorithm": { + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS512" + ], + "type": "string" + }, + "access_token_upstream_header": { + "default": "Authorization:Bearer", + "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. 
If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", + "type": "string" + }, + "access_token_upstream_leeway": { + "default": 0, + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", + "type": "number" + }, + "add_access_token_claims": { + "additionalProperties": true, + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "add_channel_token_claims": { + "additionalProperties": true, + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "add_claims": { + "additionalProperties": true, + "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "cache_access_token_introspection": { + "default": true, + "description": "Whether to cache access token introspection results.", + "type": "boolean" + }, + "cache_channel_token_introspection": { + "default": true, + "description": "Whether to cache channel token introspection results.", + "type": "boolean" + }, + "channel_token_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. 
The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_authorization": { + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", + "items": { + "required": [], + "type": "string" + }, + "type": "string" + }, + "channel_token_introspection_body_args": { + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", + "items": { + "required": [], + "type": "string" + }, + "type": "string" + }, + "channel_token_introspection_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. 
Valid values are `id`, `username` and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", + "type": "string" + }, + "channel_token_introspection_hint": { + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", + "items": { + "required": [], + "type": "string" + }, + "type": "string" + }, + "channel_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_leeway": { + "default": 0, + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. 
The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", + "type": "number" + }, + "channel_token_introspection_scopes_claim": { + "default": [ + "scope" + ], + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_scopes_required": { + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", + "type": "number" + }, + "channel_token_issuer": { + "default": "kong", + "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", + "type": "string" + }, + "channel_token_jwks_uri": { + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. 
If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", + "type": "string" + }, + "channel_token_jwks_uri_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", + "type": "string" + }, + "channel_token_jwks_uri_client_password": { + "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`", + "type": "string" + }, + "channel_token_jwks_uri_client_username": { + "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", + "type": "string" + }, + "channel_token_jwks_uri_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. The default value 0 means no auto-rotation.", + "type": "number" + }, + "channel_token_keyset": { + "default": "kong", + "description": "The name of the keyset containing signing keys.", + "type": "string" + }, + "channel_token_keyset_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `channel_token_keyset` is an https uri that requires mTLS Auth.", + "type": "string" + }, + "channel_token_keyset_client_password": { + "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_keyset_client_username`", + "type": "string" + }, + "channel_token_keyset_client_username": { + "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`", + "type": "string" + }, + "channel_token_keyset_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. The default value 0 means no auto-rotation.", + "type": "number" + }, + "channel_token_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", + "type": "number" + }, + "channel_token_optional": { + "default": false, + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", + "type": "boolean" + }, + "channel_token_request_header": { + "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", + "type": "string" + }, + "channel_token_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. 
This supports nested claims.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_signing_algorithm": { + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS512" + ], + "type": "string" + }, + "channel_token_upstream_header": { + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", + "type": "string" + }, + "channel_token_upstream_leeway": { + "default": 0, + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", + "type": "number" + }, + "enable_access_token_introspection": { + "default": true, + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", + "type": "boolean" + }, + "enable_channel_token_introspection": { + "default": true, + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", + "type": "boolean" + }, + "enable_hs_signatures": { + "default": false, + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. 
If you need to accept such tokens for verification, enable this setting.", + "type": "boolean" + }, + "enable_instrumentation": { + "default": false, + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", + "type": "boolean" + }, + "original_access_token_upstream_header": { + "description": "The HTTP header name used to store the original access token.", + "type": "string" + }, + "original_channel_token_upstream_header": { + "description": "The HTTP header name used to store the original channel token.", + "type": "string" + }, + "realm": { + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", + "type": "string" + }, + "remove_access_token_claims": { + "default": [], + "description": "remove claims. It should be an array, and each element is a claim key string.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "remove_channel_token_claims": { + "default": [], + "description": "remove claims. It should be an array, and each element is a claim key string.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "set_access_token_claims": { + "additionalProperties": true, + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "set_channel_token_claims": { + "additionalProperties": true, + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "set_claims": { + "additionalProperties": true, + "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. 
Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "trust_access_token_introspection": { + "default": true, + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", + "type": "boolean" + }, + "trust_channel_token_introspection": { + "default": true, + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", + "type": "boolean" + }, + "verify_access_token_expiry": { + "default": true, + "description": "Quickly turn access token expiry verification off and on as needed.", + "type": "boolean" + }, + "verify_access_token_introspection_expiry": { + "default": true, + "description": "Quickly turn access token introspection expiry verification off and on as needed.", + "type": "boolean" + }, + "verify_access_token_introspection_scopes": { + "default": true, + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", + "type": "boolean" + }, + "verify_access_token_scopes": { + "default": true, + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", + "type": "boolean" + }, + "verify_access_token_signature": { + "default": true, + "description": "Quickly turn access token signature verification off and on as needed.", + "type": "boolean" + }, + 
"verify_channel_token_expiry": { + "default": true, + "type": "boolean" + }, + "verify_channel_token_introspection_expiry": { + "default": true, + "description": "Quickly turn on/off the channel token introspection expiry verification.", + "type": "boolean" + }, + "verify_channel_token_introspection_scopes": { + "default": true, + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", + "type": "boolean" + }, + "verify_channel_token_scopes": { + "default": true, + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", + "type": "boolean" + }, + "verify_channel_token_signature": { + "default": true, + "description": "Quickly turn on/off the channel token signature verification.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
diff --git a/json_schemas/jwt/3.8.json b/json_schemas/jwt/3.8.json new file mode 100644 index 00000000..256f1af8 --- /dev/null +++ b/json_schemas/jwt/3.8.json 
@@ -0,0 +1,126 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + }, + "claims_to_verify": { + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", + "items": { + "enum": [ + "exp", + "nbf" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "cookie_names": { + "default": [], + "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "header_names": { + "default": [ + "authorization" + ], + "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "key_claim_name": { + "default": "iss", + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", + "type": "string" + }, + "maximum_expiration": { + "default": 0, + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", + "maximum": 31536000, + "minimum": 0, + "type": "number" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. 
If set to false, then OPTIONS requests will always be allowed.", + "type": "boolean" + }, + "secret_is_base64": { + "default": false, + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", + "type": "boolean" + }, + "uri_param_names": { + "default": [ + "jwt" + ], + "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/kafka-log/3.8.json b/json_schemas/kafka-log/3.8.json new file mode 100644 index 00000000..03450b52 --- /dev/null +++ b/json_schemas/kafka-log/3.8.json 
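Review bot: In `json_schemas/jwt/3.8.json`, `config.claims_to_verify` has no `default`, and its description never says what happens when it is left unset. As far as this schema shows, neither `exp` nor `nbf` is then checked, so an operator can enable the plugin and wrongly assume expired tokens are rejected. I would append something like `If unset, no registered claims are verified, so expired tokens are still accepted; add exp to enforce expiry.` (confirm the behaviour against the plugin before wording it as fact). The `maximum_expiration` description has the same gap: it should say what the default `0` means, presumably "no lifetime limit". `uri_param_names` defaults to `["jwt"]`, and its description could note that tokens sent in the query string end up in access logs and `Referer` headers. If this file is regenerated from the plugin's schema, the wording has to be corrected at that source.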
@@ -0,0 +1,216 @@ +{ + "properties": { + "config": { + "properties": { + "authentication": { + "properties": { + "mechanism": { + "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", + "enum": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "type": "string" + }, + "password": { + "description": "Password for SASL authentication.", + "type": "string" + }, + "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "enum": [ + "sasl" + ], + "type": "string" + }, + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication", + "type": "boolean" + }, + "user": { + "description": "Username for SASL authentication.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. 
Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "keepalive": { + "default": 60000, + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + }, + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + }, + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + }, + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "enum": [ + -1, + 0, + 1 + ], + "type": "integer" + }, + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + }, + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single Produce request.", + "type": "integer" + }, + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + }, + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + }, + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds", + "type": "integer" + }, + "security": { + "properties": { + "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string", + "uuid": true + }, + "ssl": { + "description": "Enables TLS.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topic": { + "description": "The Kafka topic to publish to.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/kafka-upstream/3.8.json b/json_schemas/kafka-upstream/3.8.json new file mode 100644 index 00000000..28be0e0e --- /dev/null +++ b/json_schemas/kafka-upstream/3.8.json 
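Review bot: In `json_schemas/kafka-log/3.8.json`, the `config.authentication.mechanism` description lists only `PLAIN` and `SCRAM-SHA-256`, but the `enum` directly below it also accepts `SCRAM-SHA-512`. The kafka-upstream schema added in this same patch already lists all three, so the description here should read `Supported options: PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512.` In both files the `PLAIN` option sends `password` to the broker unhashed, while `security.ssl` has no default in the schema. The `mechanism` or `password` description should therefore say that `PLAIN` is only appropriate with `security.ssl` enabled. Separately, the `consumer` description is missing a word in "where the specified has been authenticated"; presumably "specified consumer" was intended.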
@@ -0,0 +1,228 @@ +{ + "properties": { + "config": { + "properties": { + "authentication": { + "properties": { + "mechanism": { + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", + "enum": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "type": "string" + }, + "password": { + "description": "Password for SASL authentication.", + "type": "string" + }, + "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "enum": [ + "sasl" + ], + "type": "string" + }, + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication.", + "type": "boolean" + }, + "user": { + "description": "Username for SASL authentication.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "forward_body": { + "default": true, + "description": "Include the request body in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_headers": { + "default": false, + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_method": { + "default": false, + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_uri": { + "default": false, + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "Keepalive timeout in milliseconds.", + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + }, + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + }, + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + }, + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "enum": [ + -1, + 0, + 1 + ], + "type": "integer" + }, + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + }, + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single producer request.", + "type": "integer" + }, + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + }, + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + }, + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer" + }, + "security": { + "properties": { + "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string", + "uuid": true + }, + "ssl": { + "description": "Enables TLS.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topic": { + "description": "The Kafka topic to publish to.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/key-auth-enc/3.8.json b/json_schemas/key-auth-enc/3.8.json new file mode 100644 index 00000000..e436fd07 --- /dev/null +++ b/json_schemas/key-auth-enc/3.8.json 
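Review bot: In `json_schemas/kafka-upstream/3.8.json`, the `forward_headers` and `forward_body` descriptions do not warn that the Kafka message will carry whatever the client sent. Unless the plugin filters them, which the schema does not show, that presumably includes `Authorization` and `Cookie` headers and any credentials in the body. `forward_body` defaults to `true`, so request bodies are written to the topic out of the box. I would add a sentence such as `Forwarded headers may contain credentials; restrict read access to the topic accordingly.` to `forward_headers`, and a matching one to `forward_body`. Two smaller points: `keepalive_enabled` has no description at all, and the `cluster_name` text ends with "Logs will be sent to the leader of the cluster", which looks copied from the kafka-log schema.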
@@ -0,0 +1,102 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", + "type": "boolean" + }, + "key_in_body": { + "default": false, + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "key_in_header": { + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean" + }, + "key_in_query": { + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean" + }, + "key_names": { + "default": [ + "apikey" + ], + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. 
Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "items": { + "description": "A string representing an HTTP header name.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
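Review bot: The `config` object in this schema is left open: it has `"required": []` and `"type": "object"` but no `"additionalProperties": false`, while `route` and `service` further down are closed. If these schemas are used to validate plugin configuration before it reaches the gateway, a misspelled security setting (for example `hide_credential`) would pass validation and the documented default of `false` would silently stay in effect. I would add `"additionalProperties": false` to `config`, and to the top-level object as well. The `key-auth/3.8.json` hunk that follows has the same shape. If these files are generated, the change belongs in the generator rather than in this file.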
diff --git a/json_schemas/key-auth/3.8.json b/json_schemas/key-auth/3.8.json new file mode 100644 index 00000000..42a51f9a --- /dev/null +++ b/json_schemas/key-auth/3.8.json 
@@ -0,0 +1,102 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", + "type": "boolean" + }, + "key_in_body": { + "default": false, + "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "key_in_header": { + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean" + }, + "key_in_query": { + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean" + }, + "key_names": { + "default": [ + "apikey" + ], + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "items": { + "description": "A string representing an HTTP header name.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. 
If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/konnect-application-auth/3.8.json b/json_schemas/konnect-application-auth/3.8.json new file mode 100644 index 00000000..0796cbc7 --- /dev/null +++ b/json_schemas/konnect-application-auth/3.8.json 
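Review bot: The `key_names` description restricts names to letters, digits, underscore and hyphen, but the `items` schema enforces nothing, so a validator working from this file accepts any string. Adding `"pattern": "^[A-Za-z0-9_-]+$"` to `items` would make the schema match its own description. The item description `A string representing an HTTP header name.` is also narrower than the field, since the parent description calls these parameter names and `key_in_query` and `key_in_body` read them from the query string and body. A wording such as `A header, query or body parameter name that carries the key.` would be accurate. The `key-auth-enc/3.8.json` hunk above carries the same `items` block.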
@@ -0,0 +1,2143 @@ +{ + "properties": { + "config": { + "properties": { + "auth_type": { + "default": "openid-connect", + "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", + "enum": [ + "key-auth", + "openid-connect", + "v2-strategies" + ], + "type": "string" + }, + "key_names": { + "default": [ + "apikey" + ], + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "items": { + "description": "A string representing an HTTP header name.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "scope": { + "description": "The unique scope identifier for the plugin configuration.", + "type": "string" + }, + "v2_strategies": { + "description": "The map of v2 strategies.", + "properties": { + "key_auth": { + "description": "List of key_auth strategies.", + "items": { + "properties": { + "config": { + "properties": { + "key_names": { + "default": [ + "apikey" + ], + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "items": { + "description": "A string representing an HTTP header name.", + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "strategy_id": { + "description": "The strategy id the config is tied to.", + "type": "string" + } + }, + "required": [ + "config", + "strategy_id" + ], + "type": "object" + }, + "type": "array" + }, + "openid_connect": { + "description": "List of openid_connect strategies.", + "items": { + "properties": { + "config": { + "description": "openid-connect plugin configuration.", + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "audience": { + "description": "The audience passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "audience_claim": { + "default": [ + "aud" + ], + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "audience_required": { + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "auth_methods": { + "default": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "description": "Types of credentials/grants to enable.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "authenticated_groups_claim": { + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", + "type": "string" + }, + "authorization_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "authorization_cookie_name": { + "default": "authorization", + "description": "The authorization cookie name.", + "type": "string" + }, + "authorization_cookie_path": { + "default": "/", + "description": "The authorization cookie Path flag.", + "type": "string" + }, + "authorization_cookie_same_site": { + "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "authorization_endpoint": { + "description": "The authorization endpoint. 
If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "authorization_query_args_client": { + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_names": { + "description": "Extra query argument names passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_values": { + "description": "Extra query argument values passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_rolling_timeout": { + "default": 600, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number" + }, + "bearer_token_cookie_name": { + "description": "The name of the cookie in which the bearer token is passed.", + "type": "string" + }, + "bearer_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "items": { + "enum": [ + "body", + "cookie", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "by_username_ignore_case": { + "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "type": "boolean" + }, + "cache_introspection": { + "default": true, + "description": "Cache the introspection endpoint requests.", + "type": "boolean" + }, + "cache_token_exchange": { + "default": true, 
+ "description": "Cache the token exchange endpoint requests.", + "type": "boolean" + }, + "cache_tokens": { + "default": true, + "description": "Cache the token endpoint requests.", + "type": "boolean" + }, + "cache_tokens_salt": { + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "type": "string" + }, + "cache_ttl": { + "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "type": "number" + }, + "cache_ttl_max": { + "description": "The maximum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_min": { + "description": "The minimum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_neg": { + "description": "The negative cache ttl in seconds.", + "type": "number" + }, + "cache_ttl_resurrect": { + "description": "The resurrection ttl in seconds.", + "type": "number" + }, + "cache_user_info": { + "default": true, + "description": "Cache the user info requests.", + "type": "boolean" + }, + "claims_forbidden": { + "description": "If given, these claims are forbidden in the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_alg": { + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "items": { + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS384", + "RS512" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_arg": { + "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "type": "string" + }, + "client_auth": { + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 
'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "items": { + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_credentials_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_jwk": { + "description": "The JWK used for the private_key_jwt authentication.", + "items": { + "properties": { + "alg": { + "type": "string" + }, + "crv": { + "type": "string" + }, + "d": { + "type": "string" + }, + "dp": { + "type": "string" + }, + "dq": { + "type": "string" + }, + "e": { + "type": "string" + }, + "issuer": { + "type": "string" + }, + "k": { + "type": "string" + }, + "key_ops": { + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "kid": { + "type": "string" + }, + "kty": { + "type": "string" + }, + "n": { + "type": "string" + }, + "oth": { + "type": "string" + }, + "p": { + "type": "string" + }, + "q": { + "type": "string" + }, + "qi": { + "type": "string" + }, + "r": { + "type": "string" + }, + "t": { + "type": "string" + }, + "use": { + "type": "string" + }, + "x": { + 
"type": "string" + }, + "x5c": { + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "x5t": { + "type": "string" + }, + "x5t#S256": { + "type": "string" + }, + "x5u": { + "type": "string" + }, + "y": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "type": "array" + }, + "client_secret": { + "description": "The client secret.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "cluster_cache_redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "translate_backwards": [ + "connect_timeout" + ], + "type": "integer" + } + }, + "type": "object" + }, + "cluster_cache_strategy": { + "default": "off", + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. 
Currentlly only introspection cache is shared.", + "enum": [ + "off", + "redis" + ], + "type": "string" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_claim": { + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_optional": { + "default": false, + "description": "Do not terminate the request if consumer mapping fails.", + "type": "boolean" + }, + "credential_claim": { + "default": [ + "sub" + ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "disable_session": { + "description": "Disable issuing the session cookie with the specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_names": { + "description": "Extra header names passed to the discovery endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_values": { + "description": "Extra header values passed to the discovery endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "display_errors": { + "default": false, + "description": "Display errors on failure responses.", + "type": "boolean" + }, + "domains": { + "description": "The allowed values for the `hd` claim.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "downstream_access_token_header": { + "description": "The downstream access token header.", + "type": "string" + }, + "downstream_access_token_jwk_header": { + "description": "The downstream access token JWK header.", + "type": "string" + }, + "downstream_headers_claims": { + "description": "The downstream header claims. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "downstream_headers_names": { + "description": "The downstream header names for the claim values.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "downstream_id_token_header": { + "description": "The downstream id token header.", + "type": "string" + }, + "downstream_id_token_jwk_header": { + "description": "The downstream id token JWK header.", + "type": "string" + }, + "downstream_introspection_header": { + "description": "The downstream introspection header.", + "type": "string" + }, + "downstream_introspection_jwt_header": { + "description": "The downstream introspection JWT header.", + "type": "string" + }, + "downstream_refresh_token_header": { + "description": "The downstream refresh token header.", + "type": "string" + }, + "downstream_session_id_header": { + "description": "The downstream session id header.", + "type": "string" + }, + "downstream_user_info_header": { + "description": "The downstream user info header.", + "type": "string" + }, + "downstream_user_info_jwt_header": { + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "dpop_proof_lifetime": { + "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "type": "number" + }, + "dpop_use_nonce": { + "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. 
When enabled it will also be used to calculate the DPoP proof lifetime.", + "type": "boolean" + }, + "enable_hs_signatures": { + "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "type": "boolean" + }, + "end_session_endpoint": { + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "expose_error_code": { + "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "type": "boolean" + }, + "extra_jwks_uris": { + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "forbidden_destroy_session": { + "default": true, + "description": "Destroy any active session for the forbidden requests.", + "type": "boolean" + }, + "forbidden_error_message": { + "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection).", + "type": "string" + }, + "forbidden_redirect_uri": { + "description": "Where to redirect the client on forbidden requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "groups_claim": { + "default": [ + "groups" + ], + "description": "The claim that contains the groups. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "groups_required": { + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "hide_credentials": { + "default": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "type": "boolean" + }, + "http_proxy": { + "description": "The HTTP proxy.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The HTTP proxy authorization.", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The HTTPS proxy.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The HTTPS proxy authorization.", + "type": "string" + }, + "id_token_param_name": { + "description": "The name of the parameter used to pass the id token.", + "type": "string" + }, + "id_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "ignore_signature": { + "default": [], + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - 
`client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "introspection", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspect_jwt_tokens": { + "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "type": "boolean" + }, + "introspection_accept": { + "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt", + "application/token-introspection+jwt" + ], + "type": "string" + }, + "introspection_check_active": { + "default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "type": "boolean" + }, + "introspection_endpoint": { + "description": "The introspection endpoint. 
If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "introspection_endpoint_auth_method": { + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "introspection_headers_client": { + "description": "Extra headers passed from the client to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_names": { + "description": "Extra header names passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_values": { + "description": "Extra header values passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_hint": { + "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "type": "string" + }, + "introspection_post_args_client": { + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_names": { + "description": "Extra post argument names passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_values": { + "description": "Extra post argument values passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_token_param_name": 
{ + "default": "token", + "description": "Designate token's parameter name for introspection.", + "type": "string" + }, + "issuer": { + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "type": "string" + }, + "issuers_allowed": { + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "jwt_session_claim": { + "default": "sid", + "description": "The claim to match against the JWT session cookie.", + "type": "string" + }, + "jwt_session_cookie": { + "description": "The name of the JWT session cookie.", + "type": "string" + }, + "keepalive": { + "default": true, + "description": "Use keepalive with the HTTP client.", + "type": "boolean" + }, + "leeway": { + "default": 0, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "type": "number" + }, + "login_action": { + "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "enum": [ + "redirect", + "response", + "upstream" + ], + "type": "string" + }, + "login_methods": { + "default": [ + "authorization_code" + ], + "description": "Enable login functionality with specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "login_redirect_mode": { + "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "enum": [ + 
"fragment", + "query" + ], + "type": "string" + }, + "login_redirect_uri": { + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "login_tokens": { + "default": [ + "id_token" + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "items": { + "enum": [ + "access_token", + "id_token", + "introspection", + "refresh_token", + "tokens" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "logout_methods": { + "default": [ + "DELETE", + "POST" + ], + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "items": { + "enum": [ + "DELETE", + "GET", + "POST" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "logout_post_arg": { + "description": "The request body argument that activates the logout.", + "type": "string" + }, + "logout_query_arg": { + "description": "The request query argument that activates the logout.", + "type": "string" + }, + "logout_redirect_uri": { + "description": "Where to redirect the client after the logout.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "logout_revoke": { + "default": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + 
"type": "boolean" + }, + "logout_revoke_access_token": { + "default": true, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_revoke_refresh_token": { + "default": true, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_uri_suffix": { + "description": "The request URI suffix that activates the logout.", + "type": "string" + }, + "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "type": "number" + }, + "mtls_introspection_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_revocation_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_token_endpoint": { + "description": "Alias for the token endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "no_proxy": { + "description": "Do not use proxy with these hosts.", + "type": "string" + }, + "password_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "preserve_query_args": { + "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "type": "boolean" + }, + "proof_of_possession_auth_methods_validation": { + "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "type": "boolean" + }, + "proof_of_possession_dpop": { + "default": "off", + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "proof_of_possession_mtls": { + "default": "off", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. 
If the verification fails, the request will be rejected with 401.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "pushed_authorization_request_endpoint": { + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "pushed_authorization_request_endpoint_auth_method": { + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "redirect_uri": { + "description": "The redirect URI passed to the authorization and token endpoints.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "description": "The Redis session key prefix.", + "type": "string" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "socket": { + "description": "The Redis unix socket path.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. 
This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "translate_backwards": [ + "connect_timeout" + ], + "type": "integer" + } + }, + "type": "object" + }, + "rediscovery_lifetime": { + "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", + "type": "number" + }, + "refresh_token_param_name": { + "description": "The name of the parameter used to pass the refresh token.", + "type": "string" + }, + "refresh_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "refresh_tokens": { + "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "type": "boolean" + }, + "require_proof_key_for_code_exchange": { + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "type": "boolean" + }, + "require_pushed_authorization_requests": { + "description": "Forcibly enable or disable the pushed authorization requests. 
When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "type": "boolean" + }, + "require_signed_request_object": { + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "type": "boolean" + }, + "resolve_distributed_claims": { + "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "type": "boolean" + }, + "response_mode": { + "default": "query", + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "enum": [ + "form_post", + "form_post.jwt", + "fragment", + "fragment.jwt", + "jwt", + "query", + "query.jwt" + ], + "type": "string" + }, + "response_type": { + "default": [ + "code" + ], + "description": "The response type passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "reverify": { + "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", + "type": "boolean" + }, + "revocation_endpoint": { + "description": "The revocation endpoint. 
If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "revocation_endpoint_auth_method": { + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "revocation_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for revocation.", + "type": "string" + }, + "roles_claim": { + "default": [ + "roles" + ], + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "roles_required": { + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "run_on_preflight": { + "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "type": "boolean" + }, + "scopes": { + "default": [ + "openid" + ], + "description": "The scopes passed to the authorization and token endpoints.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "scopes_claim": { + "default": [ + "scope" + ], + "description": "The claim that contains the scopes. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "scopes_required": { + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "search_user_info": { + "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "type": "boolean" + }, + "session_absolute_timeout": { + "default": 86400, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_audience": { + "default": "default", + "description": "The session audience, which is the intended target application. 
For example `\"my-application\"`.", + "type": "string" + }, + "session_cookie_domain": { + "description": "The session cookie Domain flag.", + "type": "string" + }, + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "type": "string" + }, + "session_cookie_path": { + "default": "/", + "description": "The session cookie Path flag.", + "type": "string" + }, + "session_cookie_same_site": { + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean" + }, + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean" + }, + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "type": "boolean" + }, + "session_idling_timeout": { + "default": 900, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 
0 disables the checks and touching.", + "type": "number" + }, + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "type": "string" + }, + "session_memcached_port": { + "default": 11211, + "description": "The memcached port.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "type": "string" + }, + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "type": "string" + }, + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean" + }, + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string" + }, + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "type": "number" + }, + "session_request_headers": { + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "session_response_headers": { + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. 
`[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "session_rolling_timeout": { + "default": 3600, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number" + }, + "session_secret": { + "description": "The session secret.", + "type": "string" + }, + "session_storage": { + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "enum": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "type": "string" + }, + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "Verify identity provider server certificate. 
If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network IO timeout in milliseconds.", + "type": "number" + }, + "tls_client_auth_cert_id": { + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "type": "string", + "uuid": true + }, + "tls_client_auth_ssl_verify": { + "default": true, + "description": "Verify identity provider server certificate during mTLS client authentication.", + "type": "boolean" + }, + "token_cache_key_include_scope": { + "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean" + }, + "token_endpoint": { + "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "token_endpoint_auth_method": { + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "token_exchange_endpoint": { + "description": "The token exchange endpoint.", + "type": "string" + }, + "token_headers_client": { + "description": "Extra headers passed from the client to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_grants": { + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - 
`client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "password", + "refresh_token" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_names": { + "description": "Extra header names passed to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "type": "string" + }, + "token_headers_replay": { + "description": "The names of token endpoint response headers to forward to the downstream client.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_values": { + "description": "Extra header values passed to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_post_args_client": { + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. 
If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_post_args_names": { + "description": "Extra post argument names passed to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_post_args_values": { + "description": "Extra post argument values passed to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "unauthorized_destroy_session": { + "default": true, + "description": "Destroy any active session for the unauthorized requests.", + "type": "boolean" + }, + "unauthorized_error_message": { + "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection).", + "type": "string" + }, + "unauthorized_redirect_uri": { + "description": "Where to redirect the client on unauthorized requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "unexpected_redirect_uri": { + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "upstream_access_token_header": { + "default": "authorization:bearer", + "description": "The upstream access token header.", + "type": "string" + }, + "upstream_access_token_jwk_header": { + "description": "The upstream access token JWK 
header.", + "type": "string" + }, + "upstream_headers_claims": { + "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "upstream_headers_names": { + "description": "The upstream header names for the claim values.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "upstream_id_token_header": { + "description": "The upstream id token header.", + "type": "string" + }, + "upstream_id_token_jwk_header": { + "description": "The upstream id token JWK header.", + "type": "string" + }, + "upstream_introspection_header": { + "description": "The upstream introspection header.", + "type": "string" + }, + "upstream_introspection_jwt_header": { + "description": "The upstream introspection JWT header.", + "type": "string" + }, + "upstream_refresh_token_header": { + "description": "The upstream refresh token header.", + "type": "string" + }, + "upstream_session_id_header": { + "description": "The upstream session id header.", + "type": "string" + }, + "upstream_user_info_header": { + "description": "The upstream user info header.", + "type": "string" + }, + "upstream_user_info_jwt_header": { + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "userinfo_accept": { + "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt" + ], + "type": "string" + }, + "userinfo_endpoint": { + "description": "The user info endpoint. 
If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "userinfo_headers_client": { + "description": "Extra headers passed from the client to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_names": { + "description": "Extra header names passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_values": { + "description": "Extra header values passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_client": { + "description": "Extra query arguments passed from the client to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_names": { + "description": "Extra query argument names passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_values": { + "description": "Extra query argument values passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "using_pseudo_issuer": { + "default": false, + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "type": "boolean" + }, + "verify_claims": { + "default": true, + "description": "Verify tokens for standard claims.", + "type": "boolean" + }, + "verify_nonce": { + "default": true, + "description": "Verify nonce on authorization code flow.", + "type": "boolean" + }, + "verify_parameters": { + "default": false, + "description": "Verify plugin configuration against discovery.", + "type": "boolean" + }, + "verify_signature": { + "default": true, + "description": "Verify signature of tokens.", + "type": "boolean" + } + }, + "required": [ + "cluster_cache_redis", + "issuer", + "redis" + ], + "type": "object" + }, + "strategy_id": { + "description": "The strategy id the config is tied to.", + "type": "string" + } + }, + "required": [ + "strategy_id" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ldap-auth-advanced/3.8.json b/json_schemas/ldap-auth-advanced/3.8.json new file mode 100644 index 00000000..3963afba --- /dev/null +++ b/json_schemas/ldap-auth-advanced/3.8.json 
@@ -0,0 +1,179 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "default": "", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "minLength": 0, + "type": "string" + }, + "attribute": { + "description": "Attribute to be used to search the user; e.g., \"cn\".", + "type": "string" + }, + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", + "type": "string" + }, + "bind_dn": { + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", + "type": "string" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", + "items": { + "enum": [ + "custom_id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_optional": { + "default": false, + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", + "type": "boolean" + }, + "group_base_dn": { + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", + "type": "string" + }, + "group_member_attribute": { + "default": "memberOf", + "description": "Sets the attribute holding the members of the LDAP group. 
This field is case-sensitive.", + "type": "string" + }, + "group_name_attribute": { + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", + "type": "string" + }, + "groups_required": { + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "header_type": { + "default": "ldap", + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. 
It will be removed by Kong before proxying the request.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" + }, + "ldap_host": { + "description": "Host on which the LDAP server is running.", + "type": "string" + }, + "ldap_password": { + "description": "The password to the LDAP server.", + "type": "string" + }, + "ldap_port": { + "default": 389, + "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", + "type": "number" + }, + "ldaps": { + "default": false, + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "type": "boolean" + }, + "log_search_results": { + "default": false, + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", + "type": "boolean" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "start_tls": { + "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. 
If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" + }, + "verify_ldap_host": { + "default": false, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ldap-auth/3.8.json b/json_schemas/ldap-auth/3.8.json new file mode 100644 index 00000000..01d68fe9 --- /dev/null 
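Review bot: `verify_ldap_host`, `ldaps` and `start_tls` all default to `false` in this schema, so as far as the defaults show, a configuration that sets only the host, `bind_dn` and `ldap_password` would bind without TLS, and turning on `ldaps` or `start_tls` alone would still leave the server certificate unchecked. The descriptions do not say this; for `verify_ldap_host` I would append `When left at false, the LDAP server certificate is not validated even if ldaps or start_tls is enabled.` and recommend enabling it together with one of the two TLS options. The same defaults appear in the `ldap-auth/3.8.json` hunk that follows. Both files also say "If the `ldap` setting is enabled" in the `ldaps` description where `ldaps` is presumably meant, and here the `group_base_dn` description ends in the stray fragment `',dc=com'.`. If these files are downloaded from the schema API, the wording fixes belong in the source schema rather than in this copy.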
+++ b/json_schemas/ldap-auth/3.8.json 
@@ -0,0 +1,124 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`.", + "type": "string" + }, + "attribute": { + "description": "Attribute to be used to search the user; e.g. cn", + "type": "string" + }, + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", + "type": "string" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "header_type": { + "default": "ldap", + "description": "An optional string to use as part of the Authorization header", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" + }, + "ldap_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "ldap_port": { + "default": 389, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "ldaps": { + "default": false, + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. 
If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "type": "boolean" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "start_tls": { + "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" + }, + "verify_ldap_host": { + "default": false, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/loggly/3.8.json b/json_schemas/loggly/3.8.json new file mode 100644 index 00000000..5c5621cc --- /dev/null +++ b/json_schemas/loggly/3.8.json 
@@ -0,0 +1,161 @@ +{ + "properties": { + "config": { + "properties": { + "client_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "host": { + "default": "logs-01.loggly.com", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "key": { + "type": "string" + }, + "log_level": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "port": { + "default": 514, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "server_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "successful_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "tags": { + "default": [ + "kong" + ], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "timeout": { + "default": 10000, + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/mocking/3.8.json b/json_schemas/mocking/3.8.json new file mode 100644 index 00000000..ef0dfd5c --- /dev/null +++ b/json_schemas/mocking/3.8.json 
@@ -0,0 +1,114 @@ +{ + "properties": { + "config": { + "properties": { + "api_specification": { + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", + "type": "string" + }, + "api_specification_filename": { + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", + "type": "string" + }, + "custom_base_path": { + "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", + "type": "string" + }, + "include_base_path": { + "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation.", + "type": "boolean" + }, + "included_status_codes": { + "description": "A global list of the HTTP status codes that can only be selected and returned.", + "items": { + "required": [], + "type": "integer" + }, + "type": "array" + }, + "max_delay_time": { + "default": 1, + "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", + "type": "number" + }, + "min_delay_time": { + "default": 0.001, + "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`.", + "type": "number" + }, + "random_delay": { + "default": false, + "description": "Enables a random delay in the mocked response. 
Introduces delays to simulate real-time response times by APIs.", + "type": "boolean" + }, + "random_examples": { + "default": false, + "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", + "type": "boolean" + }, + "random_status_code": { + "default": false, + "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/mtls-auth/3.8.json b/json_schemas/mtls-auth/3.8.json new file mode 100644 index 00000000..e2d663a5 --- /dev/null +++ b/json_schemas/mtls-auth/3.8.json 
@@ -0,0 +1,155 @@ +{ + "properties": { + "config": { + "properties": { + "allow_partial_chain": { + "default": false, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "type": "boolean" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "authenticated_group_by": { + "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "enum": [ + "CN", + "DN" + ], + "type": "string" + }, + "ca_certificates": { + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. 
The value of this array is comprised of primary keys (`id`).", + "items": { + "required": [], + "type": "string", + "uuid": true + }, + "type": "array" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "cert_cache_ttl": { + "default": 60000, + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", + "type": "number" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "items": { + "enum": [ + "custom_id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "default_consumer": { + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "revocation_check_mode": { + "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. 
If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "enum": [ + "IGNORE_CA_ERROR", + "SKIP", + "STRICT" + ], + "type": "string" + }, + "send_ca_dn": { + "default": false, + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", + "type": "boolean" + }, + "skip_consumer_lookup": { + "default": false, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/oas-validation/3.8.json b/json_schemas/oas-validation/3.8.json new file mode 100644 index 00000000..a73a7a5d --- /dev/null +++ b/json_schemas/oas-validation/3.8.json 
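Review bot: `revocation_check_mode` defaults to `IGNORE_CA_ERROR`, which its own description says "doesn't fail on network issues", so by default revocation checking appears to fail open. The description should spell out the consequence, for example by appending `With IGNORE_CA_ERROR a revoked client certificate may still be accepted while the OCSP responder or CRL is unreachable; use STRICT where revocation must be enforced.` (inferred from the description; confirm against the plugin's behaviour). Separately, the `authenticated_group_by` description carries the leftover phrase "(not covered here)", which reads as copied from a tutorial and could be dropped in the source schema.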
@@ -0,0 +1,137 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_header_parameters": { + "default": "Host,Content-Type,User-Agent,Accept,Content-Length", + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", + "type": "string" + }, + "api_spec": { + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format.", + "type": "string" + }, + "api_spec_encoded": { + "default": true, + "description": "Indicates whether the api_spec is URI-Encoded.", + "type": "boolean" + }, + "custom_base_path": { + "description": "The base path to be used for path match evaluation. 
This value is ignored if `include_base_path` is set to `false`.", + "type": "string" + }, + "header_parameter_check": { + "default": false, + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", + "type": "boolean" + }, + "include_base_path": { + "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation.", + "type": "boolean" + }, + "notify_only_request_validation_failure": { + "default": false, + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", + "type": "boolean" + }, + "notify_only_response_body_validation_failure": { + "default": false, + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", + "type": "boolean" + }, + "query_parameter_check": { + "default": false, + "description": "If set to true, checks if query parameters in the request exist in the API specification.", + "type": "boolean" + }, + "validate_request_body": { + "default": true, + "description": "If set to true, validates the request body content against the API specification.", + "type": "boolean" + }, + "validate_request_header_params": { + "default": true, + "description": "If set to true, validates HTTP header parameters against the API specification.", + "type": "boolean" + }, + "validate_request_query_params": { + "default": true, + "description": "If set to true, validates query parameters against the API specification.", + "type": "boolean" + }, + "validate_request_uri_params": { + "default": true, + "description": "If set to true, validates URI parameters in the request against the API specification.", + "type": "boolean" + }, + "validate_response_body": { + "default": false, + "description": "If set to true, validates the response from the upstream services against the API specification. 
If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", + "type": "boolean" + }, + "verbose_response": { + "default": false, + "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/oauth2-introspection/3.8.json b/json_schemas/oauth2-introspection/3.8.json new file mode 100644 index 00000000..5b600229 --- /dev/null +++ b/json_schemas/oauth2-introspection/3.8.json 
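Review bot: The `config` object in this file is declared with `properties`, `"required": []` and `"type": "object"` but without `"additionalProperties": false`, unlike the `consumer`, `route` and `service` objects below it. A misspelled option name (a typo in `header_parameter_check`, say) therefore validates against this schema and the documented default applies without any error. The same holds for `config` in the oauth2-introspection, oauth2 and opa files that follow. If these schemas are used for validation and not only for rendering documentation, `config` should carry `"additionalProperties": false` as well. Separately, the `consumer` description reads "where the specified has been authenticated" (the word "consumer" is missing) and ends in "this way.)."; both are wording fixes that presumably belong in the upstream source these files are pulled from.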
@@ -0,0 +1,124 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "default": "", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "minLength": 0, + "type": "string" + }, + "authorization_value": { + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", + "type": "string" + }, + "consumer_by": { + "default": "username", + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", + "enum": [ + "client_id", + "username" + ], + "type": "string" + }, + "custom_claims_forward": { + "default": [], + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "custom_introspection_headers": { + "additionalProperties": true, + "description": "A list of custom headers to be added in the introspection request.", + "type": "object" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. 
It will be removed by Kong before proxying the request.", + "type": "boolean" + }, + "introspect_request": { + "default": false, + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", + "type": "boolean" + }, + "introspection_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "integer" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "integer" + }, + "token_type_hint": { + "description": "The `token_type_hint` value to associate to introspection requests.", + "type": "string" + }, + "ttl": { + "default": 30, + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/oauth2/3.8.json b/json_schemas/oauth2/3.8.json new file mode 100644 index 00000000..612af7ab --- /dev/null +++ b/json_schemas/oauth2/3.8.json 
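Review bot: `authorization_value` is documented as usually being the `client_id` and `client_secret` in Basic form, and it is sent to `introspection_url`, yet `introspection_url` carries only the generic "A string representing a URL" text with no `pattern` and no advice on scheme. I would extend that description with something like `Use an https URL; the value of config.authorization_value is sent to this endpoint on every introspection request.` The `ttl` description says "Set to 0 to disable the expiration" without stating the consequence: a cached introspection result that never expires would presumably keep a token accepted after it is revoked at the authorization server, which is worth one sentence there. Two smaller mismatches: `anonymous` says "default null" while the schema sets `"default": ""`, and `custom_introspection_headers` is described as "A list" although its type is `object`.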
@@ -0,0 +1,153 @@ +{ + "properties": { + "config": { + "properties": { + "accept_http_if_already_terminated": { + "default": false, + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", + "type": "boolean" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + }, + "auth_header_name": { + "default": "authorization", + "description": "The name of the header that is supposed to carry the access token.", + "type": "string" + }, + "enable_authorization_code": { + "default": false, + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", + "type": "boolean" + }, + "enable_client_credentials": { + "default": false, + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", + "type": "boolean" + }, + "enable_implicit_grant": { + "default": false, + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", + "type": "boolean" + }, + "enable_password_grant": { + "default": false, + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", + "type": "boolean" + }, + "global_credentials": { + "default": false, + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", + "type": "boolean" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "type": "boolean" + }, + "mandatory_scope": { + "default": false, + "description": "An 
optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", + "type": "boolean" + }, + "persistent_refresh_token": { + "default": false, + "type": "boolean" + }, + "pkce": { + "default": "lax", + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", + "enum": [ + "lax", + "none", + "strict" + ], + "type": "string" + }, + "provision_key": { + "description": "The unique key the plugin has generated when it has been added to the Service.", + "type": "string" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "refresh_token_ttl": { + "default": 1209600, + "description": "Time-to-live value for data", + "maximum": 100000000, + "minimum": 0, + "type": "number" + }, + "reuse_refresh_token": { + "default": false, + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", + "type": "boolean" + }, + "scopes": { + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_expiration": { + "default": 7200, + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/opa/3.8.json b/json_schemas/opa/3.8.json new file mode 100644 index 00000000..60c4b8fc --- /dev/null +++ b/json_schemas/opa/3.8.json 
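Review bot: The four grant-flow descriptions (`enable_authorization_code`, `enable_client_credentials`, `enable_implicit_grant`, `enable_password_grant`) cite "RFC 6742", but OAuth 2.0 and the sections 4.1 to 4.4 they point at are in RFC 6749, so each should read `RFC 6749 Section 4.x`. `accept_http_if_already_terminated` is described only as accepting HTTPS that a proxy has already terminated. The text should say what the plugin relies on to decide that (presumably a forwarded-protocol header set by the proxy) and that the option is only safe when clients cannot reach the gateway except through that proxy. `persistent_refresh_token` has no description at all, and `refresh_token_ttl` says only "Time-to-live value for data" with no unit, although `token_expiration` next to it is stated in seconds. As the file is downloaded, not hand-edited, these are fixes for the upstream schema source.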
@@ -0,0 +1,112 @@ +{ + "properties": { + "config": { + "properties": { + "include_body_in_opa_input": { + "default": false, + "type": "boolean" + }, + "include_consumer_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", + "type": "boolean" + }, + "include_parsed_json_body_in_opa_input": { + "default": false, + "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", + "type": "boolean" + }, + "include_route_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", + "type": "boolean" + }, + "include_service_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", + "type": "boolean" + }, + "include_uri_captures_in_opa_input": { + "default": false, + "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", + "type": "boolean" + }, + "opa_host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "opa_path": { + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "opa_port": { + "default": 8181, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "opa_protocol": { + "default": "http", + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", + "enum": [ + "http", + "https" + ], + "type": "string" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/openid-connect/3.8.json b/json_schemas/openid-connect/3.8.json new file mode 100644 index 00000000..98df9cdd --- /dev/null 
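Review bot: `include_body_in_opa_input` is the only option in this `config` without a description, and it is the one that decides whether request bodies are handed to the policy server. By analogy with its siblings it could read `"description": "If set to true, the request body of the current request is included as input to OPA."`, with the wording confirmed against the plugin. The defaults also combine in a way that deserves a sentence: `opa_protocol` defaults to `http`, so the `ssl_verify` default of `true` has no effect until the protocol is changed. That is harmless with the default `opa_host` of `localhost`. Pointing `opa_host` at a remote server without also setting `opa_protocol` to `https` would send the OPA input, including consumer and body data when those flags are on, unencrypted.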
+++ b/json_schemas/openid-connect/3.8.json 
@@ -0,0 +1,2210 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "audience": { + "description": "The audience passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "audience_claim": { + "default": [ + "aud" + ], + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "audience_required": { + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "auth_methods": { + "default": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "description": "Types of credentials/grants to enable.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "authenticated_groups_claim": { + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", + "type": "string" + }, + "authorization_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "authorization_cookie_name": { + "default": "authorization", + "description": "The authorization cookie name.", + "type": "string" + }, + "authorization_cookie_path": { + "default": "/", + "description": "The authorization cookie Path flag.", + "type": "string" + }, + "authorization_cookie_same_site": { + "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "authorization_endpoint": { + "description": "The authorization endpoint. 
If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "authorization_query_args_client": { + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_names": { + "description": "Extra query argument names passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_values": { + "description": "Extra query argument values passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_rolling_timeout": { + "default": 600, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number" + }, + "bearer_token_cookie_name": { + "description": "The name of the cookie in which the bearer token is passed.", + "type": "string" + }, + "bearer_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "items": { + "enum": [ + "body", + "cookie", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "by_username_ignore_case": { + "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "type": "boolean" + }, + "cache_introspection": { + "default": true, + "description": "Cache the introspection endpoint requests.", + "type": "boolean" + }, + "cache_token_exchange": { + "default": true, 
+ "description": "Cache the token exchange endpoint requests.", + "type": "boolean" + }, + "cache_tokens": { + "default": true, + "description": "Cache the token endpoint requests.", + "type": "boolean" + }, + "cache_tokens_salt": { + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "type": "string" + }, + "cache_ttl": { + "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "type": "number" + }, + "cache_ttl_max": { + "description": "The maximum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_min": { + "description": "The minimum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_neg": { + "description": "The negative cache ttl in seconds.", + "type": "number" + }, + "cache_ttl_resurrect": { + "description": "The resurrection ttl in seconds.", + "type": "number" + }, + "cache_user_info": { + "default": true, + "description": "Cache the user info requests.", + "type": "boolean" + }, + "claims_forbidden": { + "description": "If given, these claims are forbidden in the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_alg": { + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "items": { + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS384", + "RS512" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_arg": { + "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "type": "string" + }, + "client_auth": { + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 
'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "items": { + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_credentials_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_jwk": { + "description": "The JWK used for the private_key_jwt authentication.", + "items": { + "properties": { + "alg": { + "type": "string" + }, + "crv": { + "type": "string" + }, + "d": { + "type": "string" + }, + "dp": { + "type": "string" + }, + "dq": { + "type": "string" + }, + "e": { + "type": "string" + }, + "issuer": { + "type": "string" + }, + "k": { + "type": "string" + }, + "key_ops": { + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "kid": { + "type": "string" + }, + "kty": { + "type": "string" + }, + "n": { + "type": "string" + }, + "oth": { + "type": "string" + }, + "p": { + "type": "string" + }, + "q": { + "type": "string" + }, + "qi": { + "type": "string" + }, + "r": { + "type": "string" + }, + "t": { + "type": "string" + }, + "use": { + "type": "string" + }, + "x": { + 
"type": "string" + }, + "x5c": { + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "x5t": { + "type": "string" + }, + "x5t#S256": { + "type": "string" + }, + "x5u": { + "type": "string" + }, + "y": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "type": "array" + }, + "client_secret": { + "description": "The client secret.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "cluster_cache_redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "translate_backwards": [ + "connect_timeout" + ], + "type": "integer" + } + }, + "type": "object" + }, + "cluster_cache_strategy": { + "default": "off", + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. 
Currentlly only introspection cache is shared.", + "enum": [ + "off", + "redis" + ], + "type": "string" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_claim": { + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_optional": { + "default": false, + "description": "Do not terminate the request if consumer mapping fails.", + "type": "boolean" + }, + "credential_claim": { + "default": [ + "sub" + ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "disable_session": { + "description": "Disable issuing the session cookie with the specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_names": { + "description": "Extra header names passed to the discovery endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_values": { + "description": "Extra header values passed to the discovery endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "display_errors": { + "default": false, + "description": "Display errors on failure responses.", + "type": "boolean" + }, + "domains": { + "description": "The allowed values for the `hd` claim.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "downstream_access_token_header": { + "description": "The downstream access token header.", + "type": "string" + }, + "downstream_access_token_jwk_header": { + "description": "The downstream access token JWK header.", + "type": "string" + }, + "downstream_headers_claims": { + "description": "The downstream header claims. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "downstream_headers_names": { + "description": "The downstream header names for the claim values.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "downstream_id_token_header": { + "description": "The downstream id token header.", + "type": "string" + }, + "downstream_id_token_jwk_header": { + "description": "The downstream id token JWK header.", + "type": "string" + }, + "downstream_introspection_header": { + "description": "The downstream introspection header.", + "type": "string" + }, + "downstream_introspection_jwt_header": { + "description": "The downstream introspection JWT header.", + "type": "string" + }, + "downstream_refresh_token_header": { + "description": "The downstream refresh token header.", + "type": "string" + }, + "downstream_session_id_header": { + "description": "The downstream session id header.", + "type": "string" + }, + "downstream_user_info_header": { + "description": "The downstream user info header.", + "type": "string" + }, + "downstream_user_info_jwt_header": { + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "dpop_proof_lifetime": { + "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "type": "number" + }, + "dpop_use_nonce": { + "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. 
When enabled it will also be used to calculate the DPoP proof lifetime.", + "type": "boolean" + }, + "enable_hs_signatures": { + "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "type": "boolean" + }, + "end_session_endpoint": { + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "expose_error_code": { + "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "type": "boolean" + }, + "extra_jwks_uris": { + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "forbidden_destroy_session": { + "default": true, + "description": "Destroy any active session for the forbidden requests.", + "type": "boolean" + }, + "forbidden_error_message": { + "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection).", + "type": "string" + }, + "forbidden_redirect_uri": { + "description": "Where to redirect the client on forbidden requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "groups_claim": { + "default": [ + "groups" + ], + "description": "The claim that contains the groups. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "groups_required": { + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "hide_credentials": { + "default": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "type": "boolean" + }, + "http_proxy": { + "description": "The HTTP proxy.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The HTTP proxy authorization.", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The HTTPS proxy.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The HTTPS proxy authorization.", + "type": "string" + }, + "id_token_param_name": { + "description": "The name of the parameter used to pass the id token.", + "type": "string" + }, + "id_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "ignore_signature": { + "default": [], + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - 
`client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "introspection", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspect_jwt_tokens": { + "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "type": "boolean" + }, + "introspection_accept": { + "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt", + "application/token-introspection+jwt" + ], + "type": "string" + }, + "introspection_check_active": { + "default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "type": "boolean" + }, + "introspection_endpoint": { + "description": "The introspection endpoint. 
If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "introspection_endpoint_auth_method": { + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "introspection_headers_client": { + "description": "Extra headers passed from the client to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_names": { + "description": "Extra header names passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_values": { + "description": "Extra header values passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_hint": { + "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "type": "string" + }, + "introspection_post_args_client": { + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_names": { + "description": "Extra post argument names passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_values": { + "description": "Extra post argument values passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_token_param_name": 
{ + "default": "token", + "description": "Designate token's parameter name for introspection.", + "type": "string" + }, + "issuer": { + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "type": "string" + }, + "issuers_allowed": { + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "jwt_session_claim": { + "default": "sid", + "description": "The claim to match against the JWT session cookie.", + "type": "string" + }, + "jwt_session_cookie": { + "description": "The name of the JWT session cookie.", + "type": "string" + }, + "keepalive": { + "default": true, + "description": "Use keepalive with the HTTP client.", + "type": "boolean" + }, + "leeway": { + "default": 0, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "type": "number" + }, + "login_action": { + "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "enum": [ + "redirect", + "response", + "upstream" + ], + "type": "string" + }, + "login_methods": { + "default": [ + "authorization_code" + ], + "description": "Enable login functionality with specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "login_redirect_mode": { + "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "enum": [ + 
"fragment", + "query" + ], + "type": "string" + }, + "login_redirect_uri": { + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "login_tokens": { + "default": [ + "id_token" + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "items": { + "enum": [ + "access_token", + "id_token", + "introspection", + "refresh_token", + "tokens" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "logout_methods": { + "default": [ + "DELETE", + "POST" + ], + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "items": { + "enum": [ + "DELETE", + "GET", + "POST" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "logout_post_arg": { + "description": "The request body argument that activates the logout.", + "type": "string" + }, + "logout_query_arg": { + "description": "The request query argument that activates the logout.", + "type": "string" + }, + "logout_redirect_uri": { + "description": "Where to redirect the client after the logout.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "logout_revoke": { + "default": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + 
"type": "boolean" + }, + "logout_revoke_access_token": { + "default": true, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_revoke_refresh_token": { + "default": true, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_uri_suffix": { + "description": "The request URI suffix that activates the logout.", + "type": "string" + }, + "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "type": "number" + }, + "mtls_introspection_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_revocation_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_token_endpoint": { + "description": "Alias for the token endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "no_proxy": { + "description": "Do not use proxy with these hosts.", + "type": "string" + }, + "password_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "preserve_query_args": { + "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "type": "boolean" + }, + "proof_of_possession_auth_methods_validation": { + "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "type": "boolean" + }, + "proof_of_possession_dpop": { + "default": "off", + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "proof_of_possession_mtls": { + "default": "off", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. 
If the verification fails, the request will be rejected with 401.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "pushed_authorization_request_endpoint": { + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "pushed_authorization_request_endpoint_auth_method": { + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "redirect_uri": { + "description": "The redirect URI passed to the authorization and token endpoints.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "description": "The Redis session key prefix.", + "type": "string" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "socket": { + "description": "The Redis unix socket path.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. 
This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "translate_backwards": [ + "connect_timeout" + ], + "type": "integer" + } + }, + "type": "object" + }, + "rediscovery_lifetime": { + "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", + "type": "number" + }, + "refresh_token_param_name": { + "description": "The name of the parameter used to pass the refresh token.", + "type": "string" + }, + "refresh_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "refresh_tokens": { + "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "type": "boolean" + }, + "require_proof_key_for_code_exchange": { + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "type": "boolean" + }, + "require_pushed_authorization_requests": { + "description": "Forcibly enable or disable the pushed authorization requests. 
When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "type": "boolean" + }, + "require_signed_request_object": { + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "type": "boolean" + }, + "resolve_distributed_claims": { + "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "type": "boolean" + }, + "response_mode": { + "default": "query", + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "enum": [ + "form_post", + "form_post.jwt", + "fragment", + "fragment.jwt", + "jwt", + "query", + "query.jwt" + ], + "type": "string" + }, + "response_type": { + "default": [ + "code" + ], + "description": "The response type passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "reverify": { + "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", + "type": "boolean" + }, + "revocation_endpoint": { + "description": "The revocation endpoint. 
If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "revocation_endpoint_auth_method": { + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "revocation_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for revocation.", + "type": "string" + }, + "roles_claim": { + "default": [ + "roles" + ], + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "roles_required": { + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "run_on_preflight": { + "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "type": "boolean" + }, + "scopes": { + "default": [ + "openid" + ], + "description": "The scopes passed to the authorization and token endpoints.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "scopes_claim": { + "default": [ + "scope" + ], + "description": "The claim that contains the scopes. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "scopes_required": { + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "search_user_info": { + "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "type": "boolean" + }, + "session_absolute_timeout": { + "default": 86400, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_audience": { + "default": "default", + "description": "The session audience, which is the intended target application. 
For example `\"my-application\"`.", + "type": "string" + }, + "session_cookie_domain": { + "description": "The session cookie Domain flag.", + "type": "string" + }, + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "type": "string" + }, + "session_cookie_path": { + "default": "/", + "description": "The session cookie Path flag.", + "type": "string" + }, + "session_cookie_same_site": { + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean" + }, + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean" + }, + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "type": "boolean" + }, + "session_idling_timeout": { + "default": 900, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 
0 disables the checks and touching.", + "type": "number" + }, + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "type": "string" + }, + "session_memcached_port": { + "default": 11211, + "description": "The memcached port.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "type": "string" + }, + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "type": "string" + }, + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean" + }, + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string" + }, + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "type": "number" + }, + "session_request_headers": { + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "session_response_headers": { + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. 
`[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "session_rolling_timeout": { + "default": 3600, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number" + }, + "session_secret": { + "description": "The session secret.", + "type": "string" + }, + "session_storage": { + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "enum": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "type": "string" + }, + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "Verify identity provider server certificate. 
If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network IO timeout in milliseconds.", + "type": "number" + }, + "tls_client_auth_cert_id": { + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "type": "string", + "uuid": true + }, + "tls_client_auth_ssl_verify": { + "default": true, + "description": "Verify identity provider server certificate during mTLS client authentication.", + "type": "boolean" + }, + "token_cache_key_include_scope": { + "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean" + }, + "token_endpoint": { + "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "token_endpoint_auth_method": { + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "token_exchange_endpoint": { + "description": "The token exchange endpoint.", + "type": "string" + }, + "token_headers_client": { + "description": "Extra headers passed from the client to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_grants": { + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - 
`client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "password", + "refresh_token" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_names": { + "description": "Extra header names passed to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "type": "string" + }, + "token_headers_replay": { + "description": "The names of token endpoint response headers to forward to the downstream client.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_values": { + "description": "Extra header values passed to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_post_args_client": { + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. 
If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_post_args_names": { + "description": "Extra post argument names passed to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_post_args_values": { + "description": "Extra post argument values passed to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "unauthorized_destroy_session": { + "default": true, + "description": "Destroy any active session for the unauthorized requests.", + "type": "boolean" + }, + "unauthorized_error_message": { + "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection).", + "type": "string" + }, + "unauthorized_redirect_uri": { + "description": "Where to redirect the client on unauthorized requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "unexpected_redirect_uri": { + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "upstream_access_token_header": { + "default": "authorization:bearer", + "description": "The upstream access token header.", + "type": "string" + }, + "upstream_access_token_jwk_header": { + "description": "The upstream access token JWK 
header.", + "type": "string" + }, + "upstream_headers_claims": { + "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "upstream_headers_names": { + "description": "The upstream header names for the claim values.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "upstream_id_token_header": { + "description": "The upstream id token header.", + "type": "string" + }, + "upstream_id_token_jwk_header": { + "description": "The upstream id token JWK header.", + "type": "string" + }, + "upstream_introspection_header": { + "description": "The upstream introspection header.", + "type": "string" + }, + "upstream_introspection_jwt_header": { + "description": "The upstream introspection JWT header.", + "type": "string" + }, + "upstream_refresh_token_header": { + "description": "The upstream refresh token header.", + "type": "string" + }, + "upstream_session_id_header": { + "description": "The upstream session id header.", + "type": "string" + }, + "upstream_user_info_header": { + "description": "The upstream user info header.", + "type": "string" + }, + "upstream_user_info_jwt_header": { + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "userinfo_accept": { + "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt" + ], + "type": "string" + }, + "userinfo_endpoint": { + "description": "The user info endpoint. 
If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "userinfo_headers_client": { + "description": "Extra headers passed from the client to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_names": { + "description": "Extra header names passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_values": { + "description": "Extra header values passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_client": { + "description": "Extra query arguments passed from the client to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_names": { + "description": "Extra query argument names passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_values": { + "description": "Extra query argument values passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "using_pseudo_issuer": { + "default": false, + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "type": "boolean" + }, + "verify_claims": { + "default": true, + "description": "Verify tokens for standard claims.", + "type": "boolean" + }, + "verify_nonce": { + "default": true, + "description": "Verify nonce on authorization code flow.", + "type": "boolean" + }, + "verify_parameters": { + "default": false, + "description": "Verify plugin configuration against discovery.", + "type": "boolean" + }, + "verify_signature": { + "default": true, + "description": "Verify signature of tokens.", + "type": "boolean" + } + }, + "required": [], + "shorthand_fields": { + "authorization_cookie_httponly": { + "type": "boolean" + }, + "authorization_cookie_lifetime": { + "type": "number" + }, + "authorization_cookie_samesite": { + "type": "string" + }, + "session_compressor": { + "type": "string" + }, + "session_cookie_httponly": { + "type": "boolean" + }, + "session_cookie_idletime": { + "type": "number" + }, + "session_cookie_lifetime": { + "type": "number" + }, + "session_cookie_maxsize": { + "type": "integer" + }, + "session_cookie_renew": { + "type": "number" + }, + "session_cookie_samesite": { + "type": "string" + }, + "session_memcache_host": { + "type": "string" + }, + "session_memcache_port": { + "type": "integer" + }, + "session_memcache_prefix": { + "type": "string" + }, + "session_memcache_socket": { + "type": "string" + }, + "session_redis_cluster_max_redirections": { + "translate_backwards": [ + "cluster_max_redirections", + "redis" + ], + "type": "integer" + }, + "session_redis_cluster_nodes": { + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + 
"type": "object" + }, + "translate_backwards": [ + "cluster_nodes", + "redis" + ], + "type": "array" + }, + "session_redis_connect_timeout": { + "translate_backwards": [ + "connect_timeout", + "redis" + ], + "type": "integer" + }, + "session_redis_host": { + "translate_backwards": [ + "host", + "redis" + ], + "type": "string" + }, + "session_redis_password": { + "translate_backwards": [ + "password", + "redis" + ], + "type": "string" + }, + "session_redis_port": { + "translate_backwards": [ + "port", + "redis" + ], + "type": "integer" + }, + "session_redis_prefix": { + "translate_backwards": [ + "prefix", + "redis" + ], + "type": "string" + }, + "session_redis_read_timeout": { + "translate_backwards": [ + "read_timeout", + "redis" + ], + "type": "integer" + }, + "session_redis_send_timeout": { + "translate_backwards": [ + "redis", + "send_timeout" + ], + "type": "integer" + }, + "session_redis_server_name": { + "translate_backwards": [ + "redis", + "server_name" + ], + "type": "string" + }, + "session_redis_socket": { + "translate_backwards": [ + "redis", + "socket" + ], + "type": "string" + }, + "session_redis_ssl": { + "translate_backwards": [ + "redis", + "ssl" + ], + "type": "boolean" + }, + "session_redis_ssl_verify": { + "translate_backwards": [ + "redis", + "ssl_verify" + ], + "type": "boolean" + }, + "session_redis_username": { + "translate_backwards": [ + "redis", + "username" + ], + "type": "string" + }, + "session_strategy": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/opentelemetry/3.8.json b/json_schemas/opentelemetry/3.8.json new file mode 100644 index 00000000..a7e8e181 --- /dev/null +++ b/json_schemas/opentelemetry/3.8.json 
@@ -0,0 +1,272 @@ +{ + "properties": { + "config": { + "properties": { + "batch_flush_delay": { + "description": "The delay, in seconds, between two consecutive batches.", + "type": "integer" + }, + "batch_span_count": { + "description": "The number of spans to be sent in a single batch.", + "type": "integer" + }, + "connect_timeout": { + "default": 1000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "header_type": { + "default": "preserve", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "ignore", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "type": "string" + }, + "headers": { + "additionalProperties": true, + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", + "type": "object" + }, + "http_response_header_for_traceid": { + "type": "string" + }, + "logs_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "propagation": { + "default": { + "default_format": "w3c" + }, + "properties": { + "clear": { + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "default_format": { + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. 
This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "type": "string" + }, + "extract": { + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "items": { + "enum": [ + "aws", + "b3", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "inject": { + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "items": { + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "default_format" + ], + "type": "object" + }, + "queue": { + "default": { + "max_batch_size": 200 + }, + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. 
-1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "resource_attributes": { + "additionalProperties": true, + "type": "object" + }, + "sampling_rate": { + "description": "Tracing sampling rate for configuring the probability-based sampler. 
When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "traces_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/post-function/3.8.json b/json_schemas/post-function/3.8.json new file mode 100644 index 00000000..33806f8a --- /dev/null +++ b/json_schemas/post-function/3.8.json 
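Review bot: `config.headers` is described as the place for the APM backend's authentication token, but its schema entry is a bare `"type": "object"` with `"additionalProperties": true`, and nothing marks the values as secret. Anything rendered or validated from this file (docs tables, config linters, admin UIs) will therefore treat the token as an ordinary string. I would extend the description with something like `Values may carry credentials; keep them out of version-controlled configuration and supply them from a secrets store.` Whether the upstream plugin schema already flags these values as vault-referenceable is not visible here and should be confirmed before wording this more specifically. `header_type`, `http_response_header_for_traceid` and `resource_attributes` in the same object carry no description at all.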
@@ -0,0 +1,140 @@ +{ + "properties": { + "config": { + "properties": { + "access": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "body_filter": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "certificate": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "header_filter": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "log": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "rewrite": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_client_frame": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_close": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_handshake": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_upstream_frame": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/pre-function/3.8.json b/json_schemas/pre-function/3.8.json new file mode 100644 index 00000000..33806f8a --- /dev/null +++ b/json_schemas/pre-function/3.8.json 
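Review bot: None of the ten phase fields under `config` (`access`, `body_filter`, `certificate`, `header_filter`, `log`, `rewrite` and the four `ws_*` fields) has a `description`, so a reader of this schema sees only arrays of unconstrained strings. In Kong these entries are Lua source that the gateway runs in the named phase, which makes write access to this plugin's configuration equivalent to code execution on the proxy. The schema should say so, for example `"description": "Lua code to run during the access phase. Grant write access to this plugin's configuration only to administrators trusted to run code on the gateway."`. The pre-function hunk that follows is the same blob (index 33806f8a) and needs the same descriptions.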
@@ -0,0 +1,140 @@ +{ + "properties": { + "config": { + "properties": { + "access": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "body_filter": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "certificate": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "header_filter": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "log": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "rewrite": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_client_frame": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_close": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_handshake": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_upstream_frame": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/prometheus/3.8.json b/json_schemas/prometheus/3.8.json new file mode 100644 index 00000000..30370b04 --- /dev/null +++ b/json_schemas/prometheus/3.8.json 
@@ -0,0 +1,101 @@ +{ + "properties": { + "config": { + "properties": { + "ai_metrics": { + "default": false, + "description": "A boolean value that determines if ai metrics should be collected. If enabled, the `ai_llm_requests_total`, `ai_llm_cost_total` and `ai_llm_tokens_total` metrics will be exported.", + "type": "boolean" + }, + "bandwidth_metrics": { + "default": false, + "description": "A boolean value that determines if bandwidth metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", + "type": "boolean" + }, + "latency_metrics": { + "default": false, + "description": "A boolean value that determines if latency metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", + "type": "boolean" + }, + "per_consumer": { + "default": false, + "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", + "type": "boolean" + }, + "status_code_metrics": { + "default": false, + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", + "type": "boolean" + }, + "upstream_health_metrics": { + "default": false, + "description": "A boolean value that determines if upstream metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/proxy-cache-advanced/3.8.json b/json_schemas/proxy-cache-advanced/3.8.json new file mode 100644 index 00000000..b8acf08c --- /dev/null +++ b/json_schemas/proxy-cache-advanced/3.8.json 
@@ -0,0 +1,377 @@ +{ + "properties": { + "config": { + "properties": { + "bypass_on_err": { + "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "type": "boolean" + }, + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities.", + "minimum": 0, + "type": "integer" + }, + "content_type": { + "default": [ + "application/json", + "text/plain" + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ignore_uri_case": { + "default": false, + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", + "type": "boolean" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "translate_backwards": [ + "connect_timeout" + ], + "type": "integer" + } + }, + "type": "object" + }, + "request_method": { + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", + "items": { + "enum": [ + "GET", + "HEAD", + "PATCH", + "POST", + "PUT" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "response_code": { + "default": [ + 200, + 301, + 404 + ], + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", + "items": { + "maximum": 900, + "minimum": 100, + "required": [], + "type": "integer" + }, + "minLength": 1, + "type": "array" + }, + "response_headers": { + "description": "Caching related diagnostic headers that should be included in cached responses", + "properties": { + "X-Cache-Key": { + "default": true, + "type": "boolean" + }, + "X-Cache-Status": { + "default": true, + "type": "boolean" + }, + "age": { + "default": true, + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "storage_ttl": { + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" + }, + "strategy": { + "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", + "enum": [ + "memory", + "redis" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. 
If undefined, none of the headers are taken into consideration.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/proxy-cache/3.8.json b/json_schemas/proxy-cache/3.8.json new file mode 100644 index 00000000..d0b32ca7 --- /dev/null +++ b/json_schemas/proxy-cache/3.8.json 
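Review bot: In `config.redis`, `ssl` and `ssl_verify` both default to `false` while the same object accepts `password` and `sentinel_password`, and no description says what those defaults mean for the connection. As documented here, a configuration that sets only `host` and `password` would presumably authenticate to Redis without TLS, and setting `ssl` alone would still skip certificate validation. I would append `When false, the Redis credentials and cached entries are sent unencrypted.` to the `ssl` description and `When false, the server certificate is not checked; enable it together with ssl.` to the `ssl_verify` description. The same `redis` block appears in the rate-limiting-advanced hunk. If these files are generated from the plugin's own schema, the wording belongs in that source.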
@@ -0,0 +1,201 @@ +{ + "properties": { + "config": { + "properties": { + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL, in seconds, of cache entities.", + "minimum": 0, + "type": "integer" + }, + "content_type": { + "default": [ + "application/json", + "text/plain" + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ignore_uri_case": { + "default": false, + "type": "boolean" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "request_method": { + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable.", + "items": { + "enum": [ + "GET", + "HEAD", + "PATCH", + "POST", + "PUT" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "response_code": { + "default": [ + 200, + 301, + 404 + ], + "description": "Upstream response status code considered cacheable.", + "items": { + "maximum": 900, + "minimum": 100, + "required": [], + "type": "integer" + }, + "minLength": 1, + "type": "array" + }, + "response_headers": { + "description": "Caching related diagnostic headers that should be included in cached responses", + "properties": { + "X-Cache-Key": { + "default": true, + "type": "boolean" + }, + "X-Cache-Status": { + "default": true, + "type": "boolean" + }, + "age": { + "default": true, + "type": "boolean" + } + }, + "required": [], + "type": "object" + 
}, + "storage_ttl": { + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" + }, + "strategy": { + "description": "The backing data store in which to hold cache entities.", + "enum": [ + "memory" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/rate-limiting-advanced/3.8.json b/json_schemas/rate-limiting-advanced/3.8.json new file mode 100644 index 00000000..1dcbce06 --- /dev/null +++ b/json_schemas/rate-limiting-advanced/3.8.json 
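Review bot: `response_code` is declared with `"type": "array"` but bounded by `"minLength": 1`, which is a string keyword in JSON Schema and has no effect on arrays, so an empty list would still validate if these files are consumed as JSON Schema. The array keyword is `"minItems": 1`. The same pairing is on `cluster_nodes`, `sentinel_nodes`, `response_code` and the `cluster_addresses`/`sentinel_addresses` shorthands in the proxy-cache-advanced hunk, and on the `redis` arrays in the rate-limiting-advanced hunk. There the descriptions state a one-element minimum that a validator would not enforce.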
@@ -0,0 +1,360 @@ +{ + "properties": { + "config": { + "properties": { + "consumer_groups": { + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "type": "string" + }, + "disable_penalty": { + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", + "type": "boolean" + }, + "enforce_consumer_groups": { + "default": false, + "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. 
You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", + "type": "boolean" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "minimum": 0, + "type": "number" + }, + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" + }, + "identifier": { + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "enum": [ + "consumer", + "consumer-group", + "credential", + "header", + "ip", + "path", + "service" + ], + "type": "string" + }, + "limit": { + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "items": { + "required": [], + "type": "number" + }, + "type": "array" + }, + "namespace": { + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", + "type": "string" + }, + "path": { + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. 
Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "translate_backwards": [ + "connect_timeout" + ], + "type": "integer" + } + }, + "type": "object" + }, + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + }, + "strategy": { + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + }, + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "items": { + "required": [], + "type": "number" + }, + "type": "array" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. 
Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/rate-limiting/3.8.json b/json_schemas/rate-limiting/3.8.json new file mode 100644 index 00000000..aef90ea0 --- /dev/null +++ b/json_schemas/rate-limiting/3.8.json 
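Review bot: The `strategy` description names only `local` and `cluster` as available values, while its `enum` also admits `redis`. The `dictionary_name` and `namespace` descriptions and the whole `config.redis` object in this hunk are written around that third value. A reader relying on the description alone would not learn that Redis is an accepted backing store. I would change the sentence to `Available values are: local, cluster and redis.`, keeping the inline code formatting used by the other descriptions.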
@@ -0,0 +1,283 @@ +{ + "properties": { + "config": { + "properties": { + "day": { + "description": "The number of HTTP requests that can be made per day.", + "minimum": 0, + "type": "number" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "minimum": 0, + "type": "number" + }, + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "fault_tolerant": { + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", + "type": "boolean" + }, + "header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers.", + "type": "boolean" + }, + "hour": { + "description": "The number of HTTP requests that can be made per hour.", + "minimum": 0, + "type": "number" + }, + "limit_by": { + "default": "consumer", + "description": "The entity that is used when aggregating the limits.", + "enum": [ + "consumer", + "consumer-group", + "credential", + "header", + "ip", + "path", + "service" + ], + "type": "string" + }, + "minute": { + "description": "The number of HTTP requests that can be made per minute.", + "minimum": 0, + "type": "number" + }, + "month": { + "description": "The number of HTTP requests that can be made per month.", + "minimum": 0, + "type": "number" + }, + "path": { + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "policy": { + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "enum": [ + "cluster", + "local", + "redis" + ], + "minLength": 0, + "type": "string" + }, + "redis": { + "description": "Redis configuration", + "properties": { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "minLength": 0, + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. 
If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "second": { + "description": "The number of HTTP requests that can be made per second.", + "minimum": 0, + "type": "number" + }, + "sync_rate": { + "default": -1, + "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior.", + "type": "number" + }, + "year": { + "description": "The number of HTTP requests that can be made per year.", + "minimum": 0, + "type": "number" + } + }, + "required": [], + "shorthand_fields": { + "redis_database": { + "translate_backwards": [ + "database", + "redis" + ], + "type": "integer" + }, + "redis_host": { + "translate_backwards": [ + "host", + "redis" + ], + "type": "string" + }, + "redis_password": { + "minLength": 0, + "translate_backwards": [ + "password", + "redis" + ], + "type": "string" + }, + "redis_port": { + "translate_backwards": [ + "port", + "redis" + ], + "type": "integer" + }, + "redis_server_name": { + "translate_backwards": [ + "redis", + "server_name" + ], + "type": "string" + }, + "redis_ssl": { + "translate_backwards": [ + "redis", + "ssl" + ], + "type": "boolean" + }, + "redis_ssl_verify": { + "translate_backwards": [ + "redis", + "ssl_verify" + ], + "type": "boolean" + }, + "redis_timeout": { + "translate_backwards": [ + "redis", + "timeout" + ], + "type": "integer" + }, + "redis_username": { + "translate_backwards": [ + "redis", + "username" + ], + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/request-size-limiting/3.8.json b/json_schemas/request-size-limiting/3.8.json new file mode 100644 index 00000000..3d4e9633 --- /dev/null +++ b/json_schemas/request-size-limiting/3.8.json 
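Review bot: In the `redis` block of this rate-limiting schema, `ssl` and `ssl_verify` both default to `false` while `password` is a plain string, so a config that only sets `policy` to `redis` and a password authenticates to Redis over an unencrypted connection. `fault_tolerant` defaults to `true`, and its own description says this disables rate limiting while the data store is unreachable, so the limiter fails open. If these defaults mirror the gateway they cannot be changed here, but the descriptions should state the consequence: append `Sent in clear text unless ssl is set to true.` to the `password` description and `Set to false where the limit is a security control.` to `fault_tolerant`. The response-ratelimiting schema later in this patch carries the same `redis` block and the same `fault_tolerant` default.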
@@ -0,0 +1,84 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_payload_size": { + "default": 128, + "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", + "type": "integer" + }, + "require_content_length": { + "default": false, + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", + "type": "boolean" + }, + "size_unit": { + "default": "megabytes", + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", + "enum": [ + "bytes", + "kilobytes", + "megabytes" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/request-termination/3.8.json b/json_schemas/request-termination/3.8.json new file mode 100644 index 00000000..96110caf --- /dev/null +++ b/json_schemas/request-termination/3.8.json 
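Review bot: `allowed_payload_size` is declared as a bare `integer` with no lower bound, so zero or a negative size passes this schema; how the gateway treats such a value is not visible here. Adding `"minimum": 0` (or `1`, if zero is not meaningful) would reject it at validation time. The description also says the size is in megabytes although `size_unit` can switch it to bytes or kilobytes, so it should read `Allowed request payload size, in the unit given by size_unit.`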
@@ -0,0 +1,103 @@ +{ + "properties": { + "config": { + "properties": { + "body": { + "description": "The raw response body to send. This is mutually exclusive with the `config.message` field.", + "type": "string" + }, + "content_type": { + "description": "Content type of the raw response configured with `config.body`.", + "type": "string" + }, + "echo": { + "default": false, + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", + "type": "boolean" + }, + "message": { + "description": "The message to send, if using the default response generator.", + "type": "string" + }, + "status_code": { + "default": 503, + "description": "The response code to send. Must be an integer between 100 and 599.", + "maximum": 599, + "minimum": 100, + "type": "integer" + }, + "trigger": { + "description": "A string representing an HTTP header name.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/request-transformer-advanced/3.8.json b/json_schemas/request-transformer-advanced/3.8.json new file mode 100644 index 00000000..b7a77c42 --- /dev/null +++ b/json_schemas/request-transformer-advanced/3.8.json 
@@ -0,0 +1,290 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "allow": { + "properties": { + "body": { + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "append": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "dots_in_keys": { + "default": true, + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects).", + "type": "boolean" + }, + "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. 
The string must contain only uppercase letters.", + "pattern": "^[A-Z]+$", + "type": "string" + }, + "remove": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "rename": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "replace": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "uri": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/request-transformer/3.8.json b/json_schemas/request-transformer/3.8.json new file mode 100644 index 00000000..8a4551c8 --- /dev/null +++ b/json_schemas/request-transformer/3.8.json 
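Review bot: The `headers` item schemas under `add`, `append`, `rename` and `replace` accept any string, whereas the request-transformer schema in the next file constrains the same four fields with `"pattern": "^[^:]+:.*$"`. An entry without the `name:value` separator therefore passes this schema and is caught, if at all, only by the gateway. Adding the same `pattern` line to those four `items` blocks would make the two schemas agree.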
@@ -0,0 +1,244 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "append": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. 
The string must contain only uppercase letters.", + "pattern": "^[A-Z]+$", + "type": "string" + }, + "remove": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "rename": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "replace": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "uri": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/request-validator/3.8.json b/json_schemas/request-validator/3.8.json new file mode 100644 index 00000000..5da7629d --- /dev/null +++ b/json_schemas/request-validator/3.8.json 
@@ -0,0 +1,150 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_content_types": { + "default": [ + "application/json" + ], + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "body_schema": { + "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.", + "type": "string" + }, + "content_type_parameter_validation": { + "default": true, + "description": "Determines whether to enable parameters validation of request content-type.", + "type": "boolean" + }, + "parameter_schema": { + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", + "items": { + "properties": { + "explode": { + "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect.", + "type": "boolean" + }, + "in": { + "description": "The location of the parameter.", + "enum": [ + "header", + "path", + "query" + ], + "type": "string" + }, + "name": { + "description": "The name of the parameter. Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`.", + "type": "string" + }, + "required": { + "description": "Determines whether this parameter is mandatory.", + "type": "boolean" + }, + "schema": { + "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. 
In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating.", + "type": "string" + }, + "style": { + "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", + "enum": [ + "deepObject", + "form", + "label", + "matrix", + "pipeDelimited", + "simple", + "spaceDelimited" + ], + "type": "string" + } + }, + "required": [ + "in", + "name", + "required" + ], + "type": "object" + }, + "type": "array" + }, + "verbose_response": { + "default": false, + "description": "If enabled, the plugin returns more verbose and detailed validation errors.", + "type": "boolean" + }, + "version": { + "default": "kong", + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", + "enum": [ + "draft4", + "kong" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/response-ratelimiting/3.8.json b/json_schemas/response-ratelimiting/3.8.json new file mode 100644 index 00000000..6b390f52 --- /dev/null +++ b/json_schemas/response-ratelimiting/3.8.json 
@@ -0,0 +1,229 @@ +{ + "properties": { + "config": { + "properties": { + "block_on_first_violation": { + "default": false, + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", + "type": "boolean" + }, + "fault_tolerant": { + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", + "type": "boolean" + }, + "header_name": { + "default": "x-kong-limit", + "description": "The name of the response header used to increment the counters.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers.", + "type": "boolean" + }, + "limit_by": { + "default": "consumer", + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. 
If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", + "enum": [ + "consumer", + "credential", + "ip" + ], + "type": "string" + }, + "limits": { + "additionalProperties": true, + "description": "A map that defines rate limits for the plugin.", + "minLength": 1, + "type": "object" + }, + "policy": { + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "redis": { + "description": "Redis configuration", + "properties": { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "minLength": 0, + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "shorthand_fields": { + "redis_database": { + "translate_backwards": [ + "database", + "redis" + ], + "type": "integer" + }, + "redis_host": { + "translate_backwards": [ + "host", + "redis" + ], + "type": "string" + }, + "redis_password": { + "minLength": 0, + "translate_backwards": [ + "password", + "redis" + ], + "type": "string" + }, + "redis_port": { + "translate_backwards": [ + "port", + "redis" + ], + "type": "integer" + }, + "redis_server_name": { + "translate_backwards": [ + "redis", + "server_name" + ], + "type": "string" + }, + "redis_ssl": { + "translate_backwards": [ + "redis", + "ssl" + ], + "type": "boolean" + }, + "redis_ssl_verify": { + "translate_backwards": [ + "redis", + "ssl_verify" + ], + "type": "boolean" + }, + "redis_timeout": { + "translate_backwards": [ + "redis", + "timeout" + ], + "type": "integer" + }, + "redis_username": { + "translate_backwards": [ + "redis", + "username" + ], + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/response-transformer-advanced/3.8.json b/json_schemas/response-transformer-advanced/3.8.json new file mode 100644 index 00000000..e5c923b4 --- /dev/null +++ b/json_schemas/response-transformer-advanced/3.8.json 
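Review bot: `limits` is typed `object` but constrained with `"minLength": 1`, a keyword that JSON Schema applies only to strings, so an empty `limits` map validates and the plugin would presumably be configured with nothing to enforce. The intended constraint looks like `"minProperties": 1`. With `"additionalProperties": true` and no value schema, the shape of each limit entry is not checked either; the `description` should at least spell that shape out.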
@@ -0,0 +1,309 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "allow": { + "properties": { + "json": { + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "append": { + "properties": { + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "dots_in_keys": { + "default": true, + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", + "type": "boolean" + }, + "remove": { + "properties": { + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": 
"object" + }, + "rename": { + "properties": { + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "replace": { + "properties": { + "body": { + "description": "String with which to replace the entire response body.", + "type": "string" + }, + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "transform": { + "properties": { + "functions": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/response-transformer/3.8.json b/json_schemas/response-transformer/3.8.json new file mode 100644 index 00000000..340a58e4 --- /dev/null +++ b/json_schemas/response-transformer/3.8.json 
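Review bot: The `consumer.description` string in the response-transformer-advanced schema reads "where the specified has been authenticated"; the noun is missing, while the sibling `consumer_group.description` has it ("the specified consumer group"). It should read `where the specified consumer has been authenticated`. The same sentence recurs in the `consumer` blocks of the response-transformer, route-by-header and route-transformer-advanced schemas later in this patch, and `dots_in_keys.description` in this file ends in a doubled period. The files look machine-produced, so the wording is probably best fixed where the descriptions originate rather than by hand.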
@@ -0,0 +1,235 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "append": { + "properties": { + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. 
Each string element can be one of: boolean, number, or string.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "remove": { + "properties": { + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "rename": { + "properties": { + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "replace": { + "properties": { + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/route-by-header/3.8.json b/json_schemas/route-by-header/3.8.json new file mode 100644 index 00000000..2e8bace4 --- /dev/null +++ b/json_schemas/route-by-header/3.8.json 
@@ -0,0 +1,86 @@ +{ + "properties": { + "config": { + "properties": { + "rules": { + "default": [], + "description": "Route by header rules.", + "items": { + "properties": { + "condition": { + "additionalProperties": true, + "minLength": 1, + "type": "object" + }, + "upstream_name": { + "type": "string" + } + }, + "required": [ + "condition", + "upstream_name" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
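Review bot: In the route-by-header schema, `config.rules[].condition` is declared `"type": "object"` with `"minLength": 1`, but `minLength` is a string-only keyword in JSON Schema, so a validator ignores it and an empty `{}` condition passes. For an object the constraint would be `"minProperties": 1`. The saml schema later in this patch has the same mismatch on arrays (`redis.cluster_nodes`, `redis.sentinel_nodes`, and the `cluster_addresses` / `sentinel_addresses` shorthands), where the description promises at least one element; there it would be `"minItems": 1`. If these files are generated, the step that maps the source length constraint should choose the keyword by type.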
diff --git a/json_schemas/route-transformer-advanced/3.8.json b/json_schemas/route-transformer-advanced/3.8.json new file mode 100644 index 00000000..759d3aa2 --- /dev/null +++ b/json_schemas/route-transformer-advanced/3.8.json @@ -0,0 +1,77 @@ +{ + "properties": { + "config": { + "properties": { + "escape_path": { + "default": false, + "type": "boolean" + }, + "host": { + "type": "string" + }, + "path": { + "type": "string" + }, + "port": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
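Review bot: None of the four `config` fields in the route-transformer-advanced schema (`escape_path`, `host`, `path`, `port`) carries a `description`, and `port` is a bare `"type": "string"` whereas the saml schema in this patch types ports as integers bounded 0–65535. These fields presumably decide where a request is sent upstream, so the schema should state what values are accepted. For example, it should say whether `port` is a string because it can hold something other than a literal number (not visible here), and what `escape_path` changes when set to `true`.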
diff --git a/json_schemas/saml/3.8.json b/json_schemas/saml/3.8.json new file mode 100644 index 00000000..9184223a --- /dev/null +++ b/json_schemas/saml/3.8.json 
@@ -0,0 +1,650 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", + "type": "string" + }, + "assertion_consumer_path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "idp_certificate": { + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "type": "string" + }, + "idp_sso_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "issuer": { + "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", + "type": "string" + }, + "nameid_format": { + "default": "EmailAddress", + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", + "enum": [ + "EmailAddress", + "Persistent", + "Transient", + "Unspecified" + ], + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "description": "The Redis session key prefix.", + "type": "string" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "socket": { + "description": "The Redis unix socket path.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. 
This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "translate_backwards": [ + "connect_timeout" + ], + "type": "integer" + } + }, + "type": "object" + }, + "request_digest_algorithm": { + "default": "SHA256", + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", + "enum": [ + "SHA1", + "SHA256" + ], + "type": "string" + }, + "request_signature_algorithm": { + "default": "SHA256", + "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "enum": [ + "SHA256", + "SHA384", + "SHA512" + ], + "type": "string" + }, + "request_signing_certificate": { + "description": "The certificate for signing requests.", + "type": "string" + }, + "request_signing_key": { + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", + "type": "string" + }, + "response_digest_algorithm": { + "default": "SHA256", + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", + "enum": [ + "SHA1", + "SHA256" + ], + "type": "string" + }, + "response_encryption_key": { + "description": "The private encryption key required to decrypt encrypted assertions.", + "type": "string" + }, + "response_signature_algorithm": { + "default": "SHA256", + "description": "The algorithm for validating signatures in SAML responses. 
Options available are: - `SHA256` - `SHA384` - `SHA512`", + "enum": [ + "SHA256", + "SHA384", + "SHA512" + ], + "type": "string" + }, + "session_absolute_timeout": { + "default": 86400, + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "type": "number" + }, + "session_audience": { + "default": "default", + "description": "The session audience, for example \"my-application\"", + "type": "string" + }, + "session_cookie_domain": { + "description": "The session cookie domain flag.", + "type": "string" + }, + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "type": "string" + }, + "session_cookie_path": { + "default": "/", + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "session_cookie_same_site": { + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "session_cookie_secure": { + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean" + }, + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean" + }, + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", + "type": "boolean" + }, + "session_idling_timeout": { + "default": 900, + "description": "The session cookie idle time in seconds.", + "type": "number" + }, + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "type": "string" + }, + "session_memcached_port": { + "default": 11211, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "type": "string" + }, + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "type": "string" + }, + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions", + "type": "boolean" + }, + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Persistent session absolute timeout in seconds.", + "type": "number" + }, + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name", + "type": "string" + }, + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Persistent session rolling timeout in seconds.", + "type": "number" + }, + "session_request_headers": { + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "session_response_headers": { + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "session_rolling_timeout": { + "default": 3600, + "description": "The session cookie absolute timeout in seconds. 
Specifies how long the session can be used until it is no longer valid.", + "type": "number" + }, + "session_secret": { + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "maxLength": 32, + "minLength": 32, + "pattern": "^[0-9a-zA-Z/_+]+$", + "type": "string" + }, + "session_storage": { + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", + "enum": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "type": "string" + }, + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. 
This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", + "type": "boolean" + }, + "validate_assertion_signature": { + "default": true, + "description": "Enable signature validation for SAML responses.", + "type": "boolean" + } + }, + "required": [], + "shorthand_fields": { + "session_auth_ttl": { + "type": "number" + }, + "session_compressor": { + "type": "string" + }, + "session_cookie_httponly": { + "type": "boolean" + }, + "session_cookie_idletime": { + "type": "number" + }, + "session_cookie_lifetime": { + "type": "number" + }, + "session_cookie_maxsize": { + "type": "integer" + }, + "session_cookie_renew": { + "type": "number" + }, + "session_cookie_samesite": { + "type": "string" + }, + "session_memcache_host": { + "type": "string" + }, + "session_memcache_port": { + "type": "integer" + }, + "session_memcache_prefix": { + "type": "string" + }, + "session_memcache_socket": { + "type": "string" + }, + "session_redis_cluster_max_redirections": { + "translate_backwards": [ + "cluster_max_redirections", + "redis" + ], + "type": "integer" + }, + "session_redis_cluster_maxredirections": { + "translate_backwards": [ + "cluster_max_redirections", + "redis" + ], + "type": "integer" + }, + "session_redis_cluster_nodes": { + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "translate_backwards": [ + "cluster_nodes", + "redis" + ], + "type": "array" + }, + "session_redis_connect_timeout": { + "translate_backwards": [ + "connect_timeout", + "redis" + ], + "type": "integer" + }, + "session_redis_host": { + "translate_backwards": [ + "host", + "redis" + ], + "type": "string" + }, + 
"session_redis_password": { + "translate_backwards": [ + "password", + "redis" + ], + "type": "string" + }, + "session_redis_port": { + "translate_backwards": [ + "port", + "redis" + ], + "type": "integer" + }, + "session_redis_prefix": { + "translate_backwards": [ + "prefix", + "redis" + ], + "type": "string" + }, + "session_redis_read_timeout": { + "translate_backwards": [ + "read_timeout", + "redis" + ], + "type": "integer" + }, + "session_redis_send_timeout": { + "translate_backwards": [ + "redis", + "send_timeout" + ], + "type": "integer" + }, + "session_redis_server_name": { + "translate_backwards": [ + "redis", + "server_name" + ], + "type": "string" + }, + "session_redis_socket": { + "translate_backwards": [ + "redis", + "socket" + ], + "type": "string" + }, + "session_redis_ssl": { + "translate_backwards": [ + "redis", + "ssl" + ], + "type": "boolean" + }, + "session_redis_ssl_verify": { + "translate_backwards": [ + "redis", + "ssl_verify" + ], + "type": "boolean" + }, + "session_redis_username": { + "translate_backwards": [ + "redis", + "username" + ], + "type": "string" + }, + "session_strategy": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/session/3.8.json b/json_schemas/session/3.8.json new file mode 100644 index 00000000..da0eb72a --- /dev/null +++ b/json_schemas/session/3.8.json 
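Review bot: In the saml schema, `session_rolling_timeout.description` is a verbatim copy of the `session_absolute_timeout` text ("The session cookie absolute timeout in seconds…"), so the 3600-second and 86400-second settings are documented as the same thing; it should describe the rolling window, e.g. `"The session cookie rolling timeout in seconds."`. Two other descriptions understate what the schema accepts. `session_storage` lists `cookie`, `memcached` and `redis` while the enum also allows `memcache`. `session_cookie_secure` has no `default` although its description presents it as the protection against interception, whereas the session schema that follows in this patch declares `cookie_secure` with `"default": true`. The text should also carry a caveat that `request_digest_algorithm` and `response_digest_algorithm` still accept `SHA1`, and that `redis.ssl` and `redis.ssl_verify` both default to `false`, so operators storing sessions in Redis must opt in to transport protection.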
@@ -0,0 +1,242 @@ +{ + "properties": { + "config": { + "properties": { + "absolute_timeout": { + "default": 86400, + "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", + "type": "number" + }, + "audience": { + "default": "default", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "type": "string" + }, + "cookie_domain": { + "description": "The domain with which the cookie is intended to be exchanged.", + "type": "string" + }, + "cookie_http_only": { + "default": true, + "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", + "type": "boolean" + }, + "cookie_name": { + "default": "session", + "description": "The name of the cookie.", + "type": "string" + }, + "cookie_path": { + "default": "/", + "description": "The resource in the host where the cookie is available.", + "type": "string" + }, + "cookie_same_site": { + "default": "Strict", + "description": "Determines whether and how a cookie may be sent with cross-site requests.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "cookie_secure": { + "default": true, + "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", + "type": "boolean" + }, + "idling_timeout": { + "default": 900, + "description": "The session cookie idle time, in seconds.", + "type": "number" + }, + "logout_methods": { + "default": [ + "DELETE", + "POST" + ], + "description": "A set of HTTP methods that the plugin will respond to.", + "items": { + "enum": [ + "DELETE", + "GET", + "POST" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "logout_post_arg": { + "default": "session_logout", + "description": "The POST argument passed to logout requests. 
Do not change this property.", + "type": "string" + }, + "logout_query_arg": { + "default": "session_logout", + "description": "The query argument passed to logout requests.", + "type": "string" + }, + "read_body_for_logout": { + "default": false, + "type": "boolean" + }, + "remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean" + }, + "remember_absolute_timeout": { + "default": 2592000, + "description": "The persistent session absolute timeout limit, in seconds.", + "type": "number" + }, + "remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string" + }, + "remember_rolling_timeout": { + "default": 604800, + "description": "The persistent session rolling timeout window, in seconds.", + "type": "number" + }, + "request_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "response_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "rolling_timeout": { + "default": 3600, + "description": "The session cookie rolling timeout, in seconds. 
Specifies how long the session can be used until it needs to be renewed.", + "type": "number" + }, + "secret": { + "default": "7iK18YEanf6i9XHvNwzx4RpdmHdRN6nSpPxC1uQxfsse", + "description": "The secret that is used in keyed HMAC generation.", + "type": "string" + }, + "stale_ttl": { + "default": 10, + "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", + "type": "number" + }, + "storage": { + "default": "cookie", + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", + "enum": [ + "cookie", + "kong" + ], + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cookie_discard": { + "type": "number" + }, + "cookie_httponly": { + "type": "boolean" + }, + "cookie_idletime": { + "type": "number" + }, + "cookie_lifetime": { + "type": "number" + }, + "cookie_persistent": { + "type": "boolean" + }, + "cookie_renew": { + "type": "number" + }, + "cookie_samesite": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/standard-webhooks/3.8.json b/json_schemas/standard-webhooks/3.8.json new file mode 100644 index 00000000..b2cd7c32 --- /dev/null +++ b/json_schemas/standard-webhooks/3.8.json 
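Review bot: `config.secret` is published with a concrete value, `"default": "7iK18YEanf6i9XHvNwzx4RpdmHdRN6nSpPxC1uQxfsse"`, and its own description says this is the key used for HMAC generation of the session. The string looks like a random value captured from the instance that produced the export (confirm against the plugin source); if so, the schema has frozen one node's secret into the docs, and anyone who copies it configures a publicly known signing key. I would drop `default` for this field in the exported file and extend the description to `"The secret that is used in keyed HMAC generation. Set an explicit, high-entropy value per deployment."`. Separately, `request_headers` carries the same description as `response_headers` ("in the response to the downstream"), which is presumably meant to read "in the request to the upstream".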
@@ -0,0 +1,74 @@ +{ + "properties": { + "config": { + "properties": { + "secret_v1": { + "description": "Webhook secret", + "type": "string" + }, + "tolerance_second": { + "default": 300, + "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response.", + "minimum": -1, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
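Review bot: `tolerance_second` allows `"minimum": -1`, but the description only explains positive values, so the meaning of `-1` and of `0` is undocumented. If a negative value switches the timestamp check off, the plugin would accept replayed webhooks of any age, which an operator should not be able to enable by accident. Once the behaviour is confirmed against the plugin source, I would state it in the description, e.g. append `"Set to -1 to disable the timestamp check (not recommended)."`. `secret_v1` is described only as `"Webhook secret"`; its expected format, and whether it can be supplied as a vault reference instead of inline, deserve a sentence.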
diff --git a/json_schemas/statsd-advanced/3.8.json b/json_schemas/statsd-advanced/3.8.json
new file mode 100644
index 00000000..b842a66d
--- /dev/null
+++ b/json_schemas/statsd-advanced/3.8.json
@@ -0,0 +1,282 @@ +{ + "properties": { + "config": { + "properties": { + "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", + "items": { + "pattern": "^[0-9]+-[0-9]+$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_identifier_default": { + "default": "custom_id", + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "hostname_in_prefix": { + "default": false, + "description": "Include the `hostname` in the `prefix` for each metric name.", + "type": "boolean" + }, + "metrics": { + "default": [ + { + "name": "cache_datastore_misses_total", + "sample_rate": 1, + "stat_type": "counter" + } + ], + "description": "List of Metrics to be logged.", + "items": { + "properties": { + "consumer_identifier": { + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "enum": [ + "cache_datastore_hits_total", + "cache_datastore_misses_total", + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "shdict_usage", + "status_count", + "status_count_per_user", + "status_count_per_user_per_route", + "status_count_per_workspace", + "unique_users", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "minimum": 0, + "type": "number" + }, + "service_identifier": { + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "stat_type": { + "enum": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + }, + 
"workspace_identifier": { + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [ + "name", + "stat_type" + ], + "type": "object" + }, + "type": "array" + }, + "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to prefix to each metric's name.", + "type": "string" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + 
"type": "number" + } + }, + "required": [], + "type": "object" + }, + "service_identifier_default": { + "default": "service_name_or_host", + "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "udp_packet_size": { + "default": 0, + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", + "maximum": 65507, + "minimum": 0, + "type": "number" + }, + "use_tcp": { + "default": false, + "description": "Use TCP instead of UDP.", + "type": "boolean" + }, + "workspace_identifier_default": { + "default": "workspace_id", + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/statsd/3.8.json b/json_schemas/statsd/3.8.json new file mode 100644 index 00000000..930ae300 --- /dev/null +++ b/json_schemas/statsd/3.8.json 
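Review bot: Two description strings in this hunk are garbled: `queue.concurrency_limit` reads `"The number of of queue delivery timers."` (doubled "of"), and `consumer` says "where the specified has been authenticated" with the noun missing. The first recurs in the statsd schema of this patch, the second in statsd, syslog, tcp-log and udp-log. These files look exported rather than hand-written, so the fix belongs in the upstream schema text: `"The number of queue delivery timers. -1 indicates unlimited."` and `"...where the specified consumer has been authenticated."`.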
@@ -0,0 +1,300 @@ +{ + "properties": { + "config": { + "properties": { + "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", + "items": { + "pattern": "^[0-9]+-[0-9]+$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_identifier_default": { + "default": "custom_id", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "flush_timeout": { + "type": "number" + }, + "host": { + "default": "localhost", + "description": "The IP address or hostname of StatsD server to send data to.", + "type": "string" + }, + "hostname_in_prefix": { + "default": false, + "type": "boolean" + }, + "metrics": { + "default": [ + { + "name": "cache_datastore_misses_total", + "sample_rate": 1, + "stat_type": "counter" + } + ], + "description": "List of metrics to be logged.", + "items": { + "properties": { + "consumer_identifier": { + "description": "Authenticated user detail.", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "description": "StatsD metric’s name.", + "enum": [ + "cache_datastore_hits_total", + "cache_datastore_misses_total", + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "shdict_usage", + "status_count", + "status_count_per_user", + "status_count_per_user_per_route", + "status_count_per_workspace", + "unique_users", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "description": "Sampling rate", + "minimum": 0, + "type": "number" + }, + "service_identifier": { + "description": "Service detail.", + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "stat_type": { + "description": "Determines what sort of event a metric represents.", + "enum": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + }, + 
"workspace_identifier": { + "description": "Workspace detail.", + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [ + "name", + "stat_type" + ], + "type": "object" + }, + "type": "array" + }, + "port": { + "default": 8125, + "description": "The port of StatsD server to send data to.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to prefix to each metric's name.", + "type": "string" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a 
batch.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "queue_size": { + "type": "integer" + }, + "retry_count": { + "type": "integer" + }, + "service_identifier_default": { + "default": "service_name_or_host", + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "tag_style": { + "enum": [ + "dogstatsd", + "influxdb", + "librato", + "signalfx" + ], + "type": "string" + }, + "udp_packet_size": { + "default": 0, + "maximum": 65507, + "minimum": 0, + "type": "number" + }, + "use_tcp": { + "default": false, + "type": "boolean" + }, + "workspace_identifier_default": { + "default": "workspace_id", + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/syslog/3.8.json b/json_schemas/syslog/3.8.json new file mode 100644 index 00000000..fbbdbdbe --- /dev/null +++ b/json_schemas/syslog/3.8.json 
@@ -0,0 +1,159 @@ +{ + "properties": { + "config": { + "properties": { + "client_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "facility": { + "default": "user", + "description": "The facility is used by the operating system to decide how to handle each log message.", + "enum": [ + "auth", + "authpriv", + "cron", + "daemon", + "ftp", + "kern", + "local0", + "local1", + "local2", + "local3", + "local4", + "local5", + "local6", + "local7", + "lpr", + "mail", + "news", + "syslog", + "user", + "uucp" + ], + "type": "string" + }, + "log_level": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "server_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "successful_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/tcp-log/3.8.json b/json_schemas/tcp-log/3.8.json new file mode 100644 index 00000000..028dafde --- /dev/null +++ b/json_schemas/tcp-log/3.8.json 
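Review bot: `custom_fields_by_lua` is documented only as `"Lua code as a key-value map"` with `"additionalProperties": true`, which hides that each value is code the gateway runs when it builds the log entry; the udp-log schema in this patch has the same text. The tcp-log schema already carries the fuller wording, and I would reuse it in both places: `"A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value."`. Since the values are Lua source, `"additionalProperties": { "type": "string" }` would also reject non-string values at validation time, if the exporter can emit it. The description should add that write access to this field amounts to running code inside the gateway process, so it needs the same access control as other admin operations.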
@@ -0,0 +1,105 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", + "type": "object" + }, + "host": { + "description": "The IP address or host name to send data to.", + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "number" + }, + "port": { + "description": "The port to send data to on the upstream server.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + }, + "tls": { + "default": false, + "description": "Indicates whether to perform a TLS handshake against the remote server.", + "type": "boolean" + }, + "tls_sni": { + "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/tls-handshake-modifier/3.8.json b/json_schemas/tls-handshake-modifier/3.8.json new file mode 100644 index 00000000..fcfac7cc --- /dev/null +++ b/json_schemas/tls-handshake-modifier/3.8.json 
@@ -0,0 +1,58 @@ +{ + "properties": { + "config": { + "properties": { + "tls_client_certificate": { + "default": "REQUEST", + "description": "TLS Client Certificate", + "enum": [ + "REQUEST" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpcs", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpcs", + "https", + "tls" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/tls-metadata-headers/3.8.json b/json_schemas/tls-metadata-headers/3.8.json new file mode 100644 index 00000000..d878d7ab --- /dev/null +++ b/json_schemas/tls-metadata-headers/3.8.json 
@@ -0,0 +1,80 @@ +{ + "properties": { + "config": { + "properties": { + "client_cert_fingerprint_header_name": { + "default": "X-Client-Cert-Fingerprint", + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", + "type": "string" + }, + "client_cert_header_name": { + "default": "X-Client-Cert", + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", + "type": "string" + }, + "client_cert_issuer_dn_header_name": { + "default": "X-Client-Cert-Issuer-DN", + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", + "type": "string" + }, + "client_cert_subject_dn_header_name": { + "default": "X-Client-Cert-Subject-DN", + "description": "Define the HTTP header name used for the subject DN of the client certificate.", + "type": "string" + }, + "client_serial_header_name": { + "default": "X-Client-Cert-Serial", + "description": "Define the HTTP header name used for the serial number of the client certificate.", + "type": "string" + }, + "inject_client_cert_details": { + "default": false, + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpcs", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpcs", + "https", + "tls" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/udp-log/3.8.json b/json_schemas/udp-log/3.8.json new file mode 100644 index 00000000..adfff403 --- /dev/null +++ b/json_schemas/udp-log/3.8.json 
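Review bot: The `client_cert_*_header_name` descriptions do not say what happens to a header of the same name that the client sent itself. Upstreams will read `X-Client-Cert-Subject-DN` and its siblings as proof of a verified certificate, so the docs should state whether the plugin overwrites or strips inbound copies, including when `inject_client_cert_details` is `false` (its default here). `client_cert_fingerprint_header_name` documents a SHA1 fingerprint; a sentence saying it is a lookup identifier and not a collision-resistant binding would help readers who pin on it.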
@@ -0,0 +1,91 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/upstream-oauth/3.8.json b/json_schemas/upstream-oauth/3.8.json new file mode 100644 index 00000000..4bdb02f3 --- /dev/null +++ b/json_schemas/upstream-oauth/3.8.json 
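Review bot: `config.custom_fields_by_lua` is described only as "Lua code as a key-value map", which does not tell an operator that each value is presumably code the gateway itself evaluates when it builds a log entry. The property is `"additionalProperties": true` with no constraint on its values, so the description is the only place the schema can state that trust requirement. I would expand it to something like `"description": "Map of log field name to a Lua snippet whose result becomes that field. The snippet runs inside the gateway, so restrict who may edit this plugin's configuration."`. Because this file is pulled from the API, the wording belongs in the plugin's schema source rather than in this copy.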
@@ -0,0 +1,472 @@ +{ + "properties": { + "config": { + "properties": { + "behavior": { + "properties": { + "idp_error_response_body_template": { + "default": "{ \"code\": \"{{status}}\", \"message\": \"{{message}}\" }", + "description": "The template to use to create the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "minLength": 0, + "type": "string" + }, + "idp_error_response_content_type": { + "default": "application/json; charset=utf-8", + "description": "The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "minLength": 0, + "type": "string" + }, + "idp_error_response_message": { + "default": "Failed to authenticate request to upstream", + "description": "The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "minLength": 0, + "type": "string" + }, + "idp_error_response_status_code": { + "default": 502, + "description": "The response code to return to the consumer if Kong fails to obtain a token from the IdP.", + "maximum": 599, + "minimum": 500, + "type": "integer" + }, + "purge_token_on_upstream_status_codes": { + "default": [ + 401 + ], + "description": "An array of status codes which will force an access token to be purged when returned by the upstream. 
An empty array will disable this functionality.", + "items": { + "maximum": 599, + "minimum": 100, + "required": [], + "type": "integer" + }, + "type": "array" + }, + "upstream_access_token_header_name": { + "default": "Authorization", + "description": "The name of the header used to send the access token (obtained from the IdP) to the upstream service.", + "minLength": 0, + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "cache": { + "properties": { + "default_ttl": { + "default": 3600, + "description": "The lifetime of a token without an explicit `expires_in` value.", + "minimum": 0, + "type": "number" + }, + "eagerly_expire": { + "default": 5, + "description": "The number of seconds to eagerly expire a cached token. By default, a cached token expires 5 seconds before its lifetime as defined in `expires_in`.", + "minimum": -1, + "type": "integer" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The shared dictionary used by the plugin to cache tokens if `config.cache.strategy` is set to `memory`.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "translate_backwards": [ + "connect_timeout" + ], + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "default": "memory", + "description": "The method Kong should use to cache tokens issued by the IdP.", + "enum": [ + "memory", + "redis" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "client": { + "properties": { + "auth_method": { + "default": "client_secret_post", + "description": "The authentication method used in client requests to the IdP. Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none" + ], + "type": "string" + }, + "client_secret_jwt_alg": { + "default": "HS512", + "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", + "enum": [ + "HS256", + "HS512" + ], + "type": "string" + }, + "http_proxy": { + "description": "The proxy to use when making HTTP requests to the IdP.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `http_proxy`.", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for requests made by this plugin. 
Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The proxy to use when making HTTPS requests to the IdP.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `https_proxy`.", + "type": "string" + }, + "keep_alive": { + "default": true, + "description": "Whether to use keepalive connections to the IdP.", + "type": "boolean" + }, + "no_proxy": { + "description": "A comma-separated list of hosts that should not be proxied.", + "type": "string" + }, + "ssl_verify": { + "default": false, + "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network I/O timeout for requests to the IdP in milliseconds.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "oauth": { + "properties": { + "audience": { + "default": [], + "description": "List of audiences passed to the IdP when obtaining a new token.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client ID for the application registration in the IdP.", + "type": "string" + }, + "client_secret": { + "description": "The client secret for the application registration in the IdP.", + "type": "string" + }, + "grant_type": { + "default": "client_credentials", + "description": "The OAuth grant type to be used.", + "enum": [ + "client_credentials", + "password" + ], + "type": "string" + }, + "password": { + "description": "The password to use if `config.oauth.grant_type` is set to `password`.", + "type": "string" + }, + "scopes": { + "default": [ + "openid" + ], + "description": "List of scopes to request from the IdP when obtaining a new token.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + 
"token_endpoint": { + "description": "The token endpoint URI.", + "type": "string" + }, + "token_headers": { + "additionalProperties": true, + "description": "Extra headers to be passed in the token endpoint request.", + "type": "object" + }, + "token_post_args": { + "additionalProperties": true, + "description": "Extra post arguments to be passed in the token endpoint request.", + "type": "object" + }, + "username": { + "description": "The username to use if `config.oauth.grant_type` is set to `password`.", + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/upstream-timeout/3.8.json b/json_schemas/upstream-timeout/3.8.json new file mode 100644 index 00000000..681120b5 --- /dev/null +++ b/json_schemas/upstream-timeout/3.8.json 
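Review bot: `config.client.ssl_verify` defaults to `false`, so with the defaults the token request carrying `client_id`/`client_secret` (or the `password` grant credentials) goes to `token_endpoint` without the IdP's certificate being checked; `config.cache.redis.ssl_verify` has the same default for the store that holds the cached tokens. If the plugin default cannot change, the description should at least say so, e.g. `"description": "Whether to verify the certificate presented by the IdP when using HTTPS. Defaults to false; set to true in production so client credentials are only sent to a verified IdP."`. Separately, `cluster_nodes` and `sentinel_nodes` are `"type": "array"` but carry `"minLength": 1`, which JSON Schema applies to strings only; `"minItems": 1` is what their descriptions ("minimum length of the array is 1 element") ask for. As this file is generated from the API, both fixes belong in the plugin's schema source.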
@@ -0,0 +1,82 @@ +{ + "properties": { + "config": { + "properties": { + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/vault-auth/3.8.json b/json_schemas/vault-auth/3.8.json new file mode 100644 index 00000000..3f52bdea --- /dev/null +++ b/json_schemas/vault-auth/3.8.json 
@@ -0,0 +1,96 @@ +{ + "properties": { + "config": { + "properties": { + "access_token_name": { + "default": "access_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "items": { + "description": "A string representing an HTTP header name.", + "required": [], + "type": "string" + }, + "type": "string" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", + "type": "boolean" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" + }, + "secret_token_name": { + "default": "secret_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. 
The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "items": { + "description": "A string representing an HTTP header name.", + "required": [], + "type": "string" + }, + "type": "string" + }, + "tokens_in_body": { + "default": false, + "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "vault": { + "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/websocket-size-limit/3.8.json b/json_schemas/websocket-size-limit/3.8.json new file mode 100644 index 00000000..b46f162b 
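Review bot: `access_token_name` and `secret_token_name` are declared `"type": "string"` yet also carry an `items` sub-schema and a description that speaks of an array of names, so a validator ignores `items` and nothing enforces the character set the description promises ([a-z], [A-Z], [0-9], [_], [-]). The string defaults (`"access_token"`, `"secret_token"`) suggest the plugin really takes a string, in which case `items` should be dropped and the description reworded. If it takes a list instead, the field should be `"type": "array"` with `"pattern": "^[A-Za-z0-9_-]+$"` on each item. These two fields decide where credentials are read from, so the accepted shape should be unambiguous; which one is right needs confirming against the plugin source this schema was generated from.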
--- /dev/null +++ b/json_schemas/websocket-size-limit/3.8.json @@ -0,0 +1,70 @@ +{ + "properties": { + "config": { + "properties": { + "client_max_payload": { + "maximum": 33554432, + "minimum": 1, + "type": "integer" + }, + "upstream_max_payload": { + "maximum": 33554432, + "minimum": 1, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
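Review bot: `client_max_payload` and `upstream_max_payload` are the only two settings under `config`, and neither has a `description` or a `default`, so the schema does not say what unit the 1–33554432 range is in or what limit applies when a value is left unset. For a size-limit plugin that gap matters: an operator who enables it without setting both values may assume a cap that is not actually in place. I would add descriptions along the lines of `"description": "Maximum size (bytes, to be confirmed) of a message sent by the client. When unset, <state the effective limit>."`, with matching text for the upstream side.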
diff --git a/json_schemas/websocket-validator/3.8.json b/json_schemas/websocket-validator/3.8.json new file mode 100644 index 00000000..8c23be44 --- /dev/null +++ b/json_schemas/websocket-validator/3.8.json 
@@ -0,0 +1,152 @@ +{ + "properties": { + "config": { + "properties": { + "client": { + "properties": { + "binary": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + }, + "text": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "upstream": { + "properties": { + "binary": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + }, + "text": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. 
The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/xml-threat-protection/3.8.json b/json_schemas/xml-threat-protection/3.8.json new file mode 100644 index 00000000..0fea5bfa --- /dev/null +++ b/json_schemas/xml-threat-protection/3.8.json 
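Review bot: All eight `schema`/`type` descriptions under `config.client` and `config.upstream` are the same copied text: `client.binary`, `client.text` and `upstream.text` each say "upstream-originated binary frames" and point at `config.upstream.binary.type` or `config.upstream.binary.schema`. Only the `upstream.binary` pair is described correctly, so a reader cannot tell from the schema which direction or frame type a given validator covers, and a validator attached to the wrong side leaves the other side unchecked. Each description should name its own path, e.g. for `client.text.schema`: `"description": "Schema used to validate client-originated text frames. The semantics of this field depend on the validation type set by config.client.text.type."`. The file is generated, so the correction has to be made in the plugin's schema source.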
@@ -0,0 +1,210 @@ +{ + "properties": { + "config": { + "properties": { + "allow_dtd": { + "default": false, + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", + "type": "boolean" + }, + "allowed_content_types": { + "default": [], + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", + "items": { + "pattern": "^[^\\t\\n\\v\\f\\r ]+\\/[^ ;]+$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "attribute": { + "default": 1048576, + "description": "Maximum size of the attribute value.", + "minimum": 0, + "type": "integer" + }, + "bla_max_amplification": { + "default": 100, + "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", + "minimum": 1, + "type": "number" + }, + "bla_threshold": { + "default": 8388608, + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", + "minimum": 1024, + "type": "integer" + }, + "buffer": { + "default": 1048576, + "description": "Maximum size of the unparsed buffer (see below).", + "minimum": 0, + "type": "integer" + }, + "checked_content_types": { + "default": [ + "application/xml" + ], + "description": "A list of Content-Type values with payloads that must be validated.", + "items": { + "pattern": "^[^\\t\\n\\v\\f\\r ]+\\/[^ ;]+$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "comment": { + "default": 1024, + "description": "Maximum size of comments.", + "minimum": 0, + "type": "integer" + }, + "document": { + "default": 10485760, + "description": "Maximum size of the entire document.", + "minimum": 0, + "type": "integer" + }, + "entity": { + "default": 1024, + "description": "Maximum size of entity values in EntityDecl.", + "minimum": 0, + "type": "integer" + }, + "entityname": { + "default": 1024, + "description": "Maximum size of entity names in EntityDecl.", + "minimum": 0, + 
"type": "integer" + }, + "entityproperty": { + "default": 1024, + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", + "minimum": 0, + "type": "integer" + }, + "localname": { + "default": 1024, + "description": "Maximum size of the localname. This applies to tags and attributes.", + "minimum": 0, + "type": "integer" + }, + "max_attributes": { + "default": 100, + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", + "minimum": 0, + "type": "integer" + }, + "max_children": { + "default": 100, + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", + "minimum": 0, + "type": "integer" + }, + "max_depth": { + "default": 50, + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", + "minimum": 0, + "type": "integer" + }, + "max_namespaces": { + "default": 20, + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", + "minimum": 0, + "type": "integer" + }, + "namespace_aware": { + "default": true, + "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", + "type": "boolean" + }, + "namespaceuri": { + "default": 1024, + "description": "Maximum size of the namespace URI. 
This value is required if parsing is namespace-aware.", + "minimum": 0, + "type": "integer" + }, + "pidata": { + "default": 1024, + "description": "Maximum size of processing instruction data.", + "minimum": 0, + "type": "integer" + }, + "pitarget": { + "default": 1024, + "description": "Maximum size of processing instruction targets.", + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": 1024, + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", + "minimum": 0, + "type": "integer" + }, + "text": { + "default": 1048576, + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/zipkin/3.8.json b/json_schemas/zipkin/3.8.json new file mode 100644 index 00000000..354c7064 --- /dev/null +++ b/json_schemas/zipkin/3.8.json 
@@ -0,0 +1,346 @@ +{ + "properties": { + "config": { + "properties": { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "default_header_type": { + "default": "b3", + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "type": "string" + }, + "default_service_name": { + "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans.", + "type": "string" + }, + "header_type": { + "default": "preserve", + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. 
This property codifies what kind of tracing header the plugin expects on incoming requests", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "ignore", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "type": "string" + }, + "http_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "http_response_header_for_traceid": { + "type": "string" + }, + "http_span_name": { + "default": "method", + "description": "Specify whether to include the HTTP path in the span name.", + "enum": [ + "method", + "method_path" + ], + "type": "string" + }, + "include_credential": { + "default": true, + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", + "type": "boolean" + }, + "local_service_name": { + "default": "kong", + "description": "The name of the service as displayed in Zipkin.", + "type": "string" + }, + "phase_duration_flavor": { + "default": "annotations", + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", + "enum": [ + "annotations", + "tags" + ], + "type": "string" + }, + "propagation": { + "default": { + "default_format": "b3" + }, + "properties": { + "clear": { + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "default_format": { + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. 
This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "type": "string" + }, + "extract": { + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "items": { + "enum": [ + "aws", + "b3", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "inject": { + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "items": { + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "default_format" + ], + "type": "object" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. 
-1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sample_ratio": { + "default": 0.001, + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "static_tags": { + "description": "The tags specified on this property will be added to the generated request traces.", + "items": { + "properties": { + "name": { + "not_one_of": [ + "error", + "http.method", + "http.path", + "http.status_code", + "kong.balancer.state", + "kong.balancer.try", + "kong.consumer", + "kong.credential", + "kong.node.id", + "kong.route", + "kong.service", + "lc", + "peer.hostname" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "tags_header": { + "default": "Zipkin-Tags", + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", + "type": "string" + }, + "traceid_byte_count": { + "default": 16, + "description": "The length in bytes of each request's Trace ID.", + "enum": [ + 8, + 16 + ], + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file From 2dd0fc6e94dae5b488e42d2fec6dd4adad34b019 Mon Sep 17 00:00:00 2001 
From: Fabian Rodriguez Date: Thu, 5 Dec 2024 11:49:12 +0100 Subject: [PATCH 117/165] Generate json-schemas for 3.7 --- json_schemas/acl/3.7.json | 78 + json_schemas/acme/3.7.json | 363 ++++ json_schemas/ai-azure-content-safety/3.7.json | 139 ++ json_schemas/ai-prompt-decorator/3.7.json | 135 ++ json_schemas/ai-prompt-guard/3.7.json | 104 + json_schemas/ai-prompt-template/3.7.json | 95 + json_schemas/ai-proxy/3.7.json | 229 ++ .../ai-rate-limiting-advanced/3.7.json | 325 +++ json_schemas/ai-request-transformer/3.7.json | 284 +++ json_schemas/ai-response-transformer/3.7.json | 289 +++ json_schemas/app-dynamics/3.7.json | 64 + .../application-registration/3.7.json | 54 + json_schemas/aws-lambda/3.7.json | 200 ++ json_schemas/azure-functions/3.7.json | 117 ++ json_schemas/basic-auth/3.7.json | 71 + json_schemas/bot-detection/3.7.json | 73 + json_schemas/canary/3.7.json | 130 ++ json_schemas/correlation-id/3.7.json | 84 + json_schemas/cors/3.7.json | 127 ++ json_schemas/datadog/3.7.json | 238 +++ json_schemas/degraphql/3.7.json | 58 + json_schemas/exit-transformer/3.7.json | 81 + json_schemas/file-log/3.7.json | 86 + json_schemas/forward-proxy/3.7.json | 123 ++ .../graphql-proxy-cache-advanced/3.7.json | 223 ++ .../graphql-rate-limiting-advanced/3.7.json | 266 +++ json_schemas/grpc-gateway/3.7.json | 75 + json_schemas/grpc-web/3.7.json | 84 + json_schemas/hmac-auth/3.7.json | 106 + json_schemas/http-log/3.7.json | 176 ++ json_schemas/ip-restriction/3.7.json | 110 + json_schemas/jq/3.7.json | 154 ++ json_schemas/jwe-decrypt/3.7.json | 76 + json_schemas/jwt-signer/3.7.json | 639 ++++++ json_schemas/jwt/3.7.json | 122 ++ json_schemas/kafka-log/3.7.json | 216 ++ json_schemas/kafka-upstream/3.7.json | 228 ++ json_schemas/key-auth-enc/3.7.json | 98 + json_schemas/key-auth/3.7.json | 102 + .../konnect-application-auth/3.7.json | 1844 +++++++++++++++++ json_schemas/ldap-auth-advanced/3.7.json | 175 ++ json_schemas/ldap-auth/3.7.json | 120 ++ json_schemas/loggly/3.7.json | 161 
++ json_schemas/mocking/3.7.json | 114 + json_schemas/mtls-auth/3.7.json | 155 ++ json_schemas/oas-validation/3.7.json | 137 ++ json_schemas/oauth2-introspection/3.7.json | 124 ++ json_schemas/oauth2/3.7.json | 149 ++ json_schemas/opa/3.7.json | 112 + json_schemas/openid-connect/3.7.json | 1801 ++++++++++++++++ json_schemas/opentelemetry/3.7.json | 253 +++ json_schemas/post-function/3.7.json | 140 ++ json_schemas/pre-function/3.7.json | 140 ++ json_schemas/prometheus/3.7.json | 96 + json_schemas/proxy-cache-advanced/3.7.json | 321 +++ json_schemas/proxy-cache/3.7.json | 201 ++ json_schemas/rate-limiting-advanced/3.7.json | 304 +++ json_schemas/rate-limiting/3.7.json | 283 +++ json_schemas/request-size-limiting/3.7.json | 84 + json_schemas/request-termination/3.7.json | 103 + .../request-transformer-advanced/3.7.json | 290 +++ json_schemas/request-transformer/3.7.json | 244 +++ json_schemas/request-validator/3.7.json | 150 ++ json_schemas/response-ratelimiting/3.7.json | 229 ++ .../response-transformer-advanced/3.7.json | 309 +++ json_schemas/response-transformer/3.7.json | 226 ++ json_schemas/route-by-header/3.7.json | 86 + .../route-transformer-advanced/3.7.json | 77 + json_schemas/saml/3.7.json | 427 ++++ json_schemas/session/3.7.json | 242 +++ json_schemas/statsd-advanced/3.7.json | 273 +++ json_schemas/statsd/3.7.json | 291 +++ json_schemas/syslog/3.7.json | 159 ++ json_schemas/tcp-log/3.7.json | 105 + json_schemas/tls-handshake-modifier/3.7.json | 58 + json_schemas/tls-metadata-headers/3.7.json | 80 + json_schemas/udp-log/3.7.json | 91 + json_schemas/upstream-timeout/3.7.json | 82 + json_schemas/vault-auth/3.7.json | 96 + json_schemas/websocket-size-limit/3.7.json | 70 + json_schemas/websocket-validator/3.7.json | 152 ++ json_schemas/xml-threat-protection/3.7.json | 210 ++ json_schemas/zipkin/3.7.json | 337 +++ 83 files changed, 17323 insertions(+) create mode 100644 json_schemas/acl/3.7.json create mode 100644 json_schemas/acme/3.7.json create mode 100644 
json_schemas/ai-azure-content-safety/3.7.json create mode 100644 json_schemas/ai-prompt-decorator/3.7.json create mode 100644 json_schemas/ai-prompt-guard/3.7.json create mode 100644 json_schemas/ai-prompt-template/3.7.json create mode 100644 json_schemas/ai-proxy/3.7.json create mode 100644 json_schemas/ai-rate-limiting-advanced/3.7.json create mode 100644 json_schemas/ai-request-transformer/3.7.json create mode 100644 json_schemas/ai-response-transformer/3.7.json create mode 100644 json_schemas/app-dynamics/3.7.json create mode 100644 json_schemas/application-registration/3.7.json create mode 100644 json_schemas/aws-lambda/3.7.json create mode 100644 json_schemas/azure-functions/3.7.json create mode 100644 json_schemas/basic-auth/3.7.json create mode 100644 json_schemas/bot-detection/3.7.json create mode 100644 json_schemas/canary/3.7.json create mode 100644 json_schemas/correlation-id/3.7.json create mode 100644 json_schemas/cors/3.7.json create mode 100644 json_schemas/datadog/3.7.json create mode 100644 json_schemas/degraphql/3.7.json create mode 100644 json_schemas/exit-transformer/3.7.json create mode 100644 json_schemas/file-log/3.7.json create mode 100644 json_schemas/forward-proxy/3.7.json create mode 100644 json_schemas/graphql-proxy-cache-advanced/3.7.json create mode 100644 json_schemas/graphql-rate-limiting-advanced/3.7.json create mode 100644 json_schemas/grpc-gateway/3.7.json create mode 100644 json_schemas/grpc-web/3.7.json create mode 100644 json_schemas/hmac-auth/3.7.json create mode 100644 json_schemas/http-log/3.7.json create mode 100644 json_schemas/ip-restriction/3.7.json create mode 100644 json_schemas/jq/3.7.json create mode 100644 json_schemas/jwe-decrypt/3.7.json create mode 100644 json_schemas/jwt-signer/3.7.json create mode 100644 json_schemas/jwt/3.7.json create mode 100644 json_schemas/kafka-log/3.7.json create mode 100644 json_schemas/kafka-upstream/3.7.json create mode 100644 json_schemas/key-auth-enc/3.7.json create mode 100644 
json_schemas/key-auth/3.7.json create mode 100644 json_schemas/konnect-application-auth/3.7.json create mode 100644 json_schemas/ldap-auth-advanced/3.7.json create mode 100644 json_schemas/ldap-auth/3.7.json create mode 100644 json_schemas/loggly/3.7.json create mode 100644 json_schemas/mocking/3.7.json create mode 100644 json_schemas/mtls-auth/3.7.json create mode 100644 json_schemas/oas-validation/3.7.json create mode 100644 json_schemas/oauth2-introspection/3.7.json create mode 100644 json_schemas/oauth2/3.7.json create mode 100644 json_schemas/opa/3.7.json create mode 100644 json_schemas/openid-connect/3.7.json create mode 100644 json_schemas/opentelemetry/3.7.json create mode 100644 json_schemas/post-function/3.7.json create mode 100644 json_schemas/pre-function/3.7.json create mode 100644 json_schemas/prometheus/3.7.json create mode 100644 json_schemas/proxy-cache-advanced/3.7.json create mode 100644 json_schemas/proxy-cache/3.7.json create mode 100644 json_schemas/rate-limiting-advanced/3.7.json create mode 100644 json_schemas/rate-limiting/3.7.json create mode 100644 json_schemas/request-size-limiting/3.7.json create mode 100644 json_schemas/request-termination/3.7.json create mode 100644 json_schemas/request-transformer-advanced/3.7.json create mode 100644 json_schemas/request-transformer/3.7.json create mode 100644 json_schemas/request-validator/3.7.json create mode 100644 json_schemas/response-ratelimiting/3.7.json create mode 100644 json_schemas/response-transformer-advanced/3.7.json create mode 100644 json_schemas/response-transformer/3.7.json create mode 100644 json_schemas/route-by-header/3.7.json create mode 100644 json_schemas/route-transformer-advanced/3.7.json create mode 100644 json_schemas/saml/3.7.json create mode 100644 json_schemas/session/3.7.json create mode 100644 json_schemas/statsd-advanced/3.7.json create mode 100644 json_schemas/statsd/3.7.json create mode 100644 json_schemas/syslog/3.7.json create mode 100644 
json_schemas/tcp-log/3.7.json create mode 100644 json_schemas/tls-handshake-modifier/3.7.json create mode 100644 json_schemas/tls-metadata-headers/3.7.json create mode 100644 json_schemas/udp-log/3.7.json create mode 100644 json_schemas/upstream-timeout/3.7.json create mode 100644 json_schemas/vault-auth/3.7.json create mode 100644 json_schemas/websocket-size-limit/3.7.json create mode 100644 json_schemas/websocket-validator/3.7.json create mode 100644 json_schemas/xml-threat-protection/3.7.json create mode 100644 json_schemas/zipkin/3.7.json diff --git a/json_schemas/acl/3.7.json b/json_schemas/acl/3.7.json new file mode 100644 index 00000000..2971cdc9 --- /dev/null +++ b/json_schemas/acl/3.7.json 
@@ -0,0 +1,78 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "deny": { + "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "hide_groups_header": { + "default": false, + "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", + "type": "boolean" + }, + "include_consumer_groups": { + "default": false, + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
diff --git a/json_schemas/acme/3.7.json b/json_schemas/acme/3.7.json new file mode 100644 index 00000000..4f34c195 --- /dev/null +++ b/json_schemas/acme/3.7.json 
@@ -0,0 +1,363 @@ +{ + "properties": { + "config": { + "properties": { + "account_email": { + "description": "The account identifier. Can be reused in a different plugin instance.", + "pattern": "[a-zA-Z0-9]*[!-/:-@[-`{-~]*@+[a-zA-Z0-9]*%.?[a-zA-Z0-9]*", + "type": "string" + }, + "account_key": { + "description": "The private key associated with the account.", + "properties": { + "key_id": { + "description": "The Key ID.", + "type": "string" + }, + "key_set": { + "description": "The ID of the key set to associate the Key ID with.", + "type": "string" + } + }, + "required": [ + "key_id" + ], + "type": "object" + }, + "allow_any_domain": { + "default": false, + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", + "type": "boolean" + }, + "api_uri": { + "default": "https://acme-v02.api.letsencrypt.org/directory", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "cert_type": { + "default": "rsa", + "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate.", + "enum": [ + "ecc", + "rsa" + ], + "type": "string" + }, + "domains": { + "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", + "items": { + "match_all": { + "pattern": "^[^*]*%*?[^*]*$" + }, + "match_any": { + "patterns": [ + "%.%*$", + "^%*%.", + "^[^*]*$" + ] + }, + "required": [], + "type": "string" + }, + "type": "array" + }, + "eab_hmac_key": { + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", + "type": "string" + }, + "eab_kid": { + "description": "External account binding (EAB) key id. 
You usually don't need to set this unless it is explicitly required by the CA.", + "type": "string" + }, + "enable_ipv4_common_name": { + "default": true, + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", + "type": "boolean" + }, + "fail_backoff_minutes": { + "default": 5, + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", + "type": "number" + }, + "preferred_chain": { + "description": "A string value that specifies the preferred certificate chain to use when generating certificates.", + "type": "string" + }, + "renew_threshold_days": { + "default": 14, + "description": "Days remaining to renew the certificate before it expires.", + "type": "number" + }, + "rsa_key_size": { + "default": 4096, + "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", + "enum": [ + 2048, + 3072, + 4096 + ], + "type": "integer" + }, + "storage": { + "default": "shm", + "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. 
Please refer to the Hybrid Mode sections below as well.", + "enum": [ + "consul", + "kong", + "redis", + "shm", + "vault" + ], + "type": "string" + }, + "storage_config": { + "properties": { + "consul": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https": { + "default": false, + "description": "Boolean representation of https.", + "type": "boolean" + }, + "kv_path": { + "description": "KV prefix path.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "description": "Timeout in milliseconds.", + "type": "number" + }, + "token": { + "description": "Consul ACL token.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "kong": { + "additionalProperties": true, + "properties": {}, + "required": [], + "type": "object" + }, + "redis": { + "properties": { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "extra_options": { + "description": "Custom ACME Redis options", + "properties": { + "namespace": { + "default": "", + "description": "A namespace to prepend to all keys stored in Redis.", + "minLength": 0, + "type": "string" + }, + "scan_count": { + "default": 10, + "description": "The number of keys to return in Redis SCAN calls.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "password": { + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "minLength": 0, + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "auth": { + "minLength": 0, + "translate_backwards": [ + "password" + ], + "type": "string" + }, + "namespace": { + "minLength": 0, + "translate_backwards": [ + "extra_options", + "namespace" + ], + "type": "string" + }, + "scan_count": { + "translate_backwards": [ + "extra_options", + "scan_count" + ], + "type": "integer" + }, + "ssl_server_name": { + "translate_backwards": [ + "server_name" + ], + "type": "string" + } + }, + "type": "object" + }, + "shm": { + "properties": { + "shm_name": { + "default": "kong", + "description": "Name of shared memory zone used for Kong API gateway storage", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "vault": { + "properties": { + "auth_method": { + "default": "token", + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", + "enum": [ + "kubernetes", + "token" + ], + "type": "string" + }, + "auth_path": { + "description": "Vault's authentication path to use.", + "type": "string" + }, + "auth_role": { + "description": "The role to try and assign.", + "type": "string" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https": { + "default": false, + "description": "Boolean representation of https.", + "type": "boolean" + }, + "jwt_path": { + "description": "The path to the JWT.", + "type": "string" + }, + "kv_path": { + "description": "KV prefix path.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "description": "Timeout in milliseconds.", + "type": "number" + }, + "tls_server_name": { + "description": "SNI used in request, default to host if omitted.", + "type": "string" + }, + "tls_verify": { + "default": true, + 
"description": "Turn on TLS verification.", + "type": "boolean" + }, + "token": { + "description": "Consul ACL token.", + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "tos_accepted": { + "default": false, + "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-azure-content-safety/3.7.json b/json_schemas/ai-azure-content-safety/3.7.json new file mode 100644 index 00000000..7fc1e807 --- /dev/null +++ b/json_schemas/ai-azure-content-safety/3.7.json 
@@ -0,0 +1,139 @@ +{ + "properties": { + "config": { + "properties": { + "azure_api_version": { + "default": "2023-10-01", + "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format.", + "minLength": 1, + "type": "string" + }, + "azure_client_id": { + "description": "If `azure_use_managed_identity` is true, set the client ID if required.", + "type": "string" + }, + "azure_client_secret": { + "description": "If `azure_use_managed_identity` is true, set the client secret if required.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If `azure_use_managed_identity` is true, set the tenant ID if required.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity", + "type": "boolean" + }, + "blocklist_names": { + "description": "Use these configured blocklists (in Azure Content Services) when inspecting content.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "categories": { + "description": "Array of categories, and their thresholds, to measure on.", + "items": { + "properties": { + "name": { + "type": "string" + }, + "rejection_level": { + "type": "integer" + } + }, + "required": [ + "name", + "rejection_level" + ], + "type": "object" + }, + "type": "array" + }, + "content_safety_key": { + "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.", + "type": "string" + }, + "content_safety_url": { + "description": "Full URL, inc protocol, of the Azure Content Safety instance.", + "type": "string" + }, + "halt_on_blocklist_hit": { + "default": true, + "description": "Tells Azure to reject the request if any blocklist filter is hit.", + "type": "boolean" + }, + "output_type": { + "default": "FourSeverityLevels", + "description": 
"See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter#content-filtering-categories", + "enum": [ + "EightSeverityLevels", + "FourSeverityLevels" + ], + "type": "string" + }, + "reveal_failure_reason": { + "default": true, + "description": "Set true to tell the caller why their request was rejected, if so.", + "type": "boolean" + }, + "text_source": { + "default": "concatenate_all_content", + "description": "Select where to pick the 'text' for the Azure Content Services request.", + "enum": [ + "concatenate_all_content", + "concatenate_user_content" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-prompt-decorator/3.7.json b/json_schemas/ai-prompt-decorator/3.7.json new file mode 100644 index 00000000..91013ece --- /dev/null +++ b/json_schemas/ai-prompt-decorator/3.7.json 
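Review bot: The description of `content_safety_key` reads "If `azure_use_managed_identity` is true, set the API key to call Content Safety", which looks inverted. The sibling `azure_use_managed_identity` description says that enabling the flag authenticates with the client ID, secret and tenant ID, so a static key would presumably only be needed when the flag is false. As written, an operator may configure a long-lived API key alongside managed identity without needing to. If that reading is right, the text should be `"description": "If `azure_use_managed_identity` is false, set the API key to call Content Safety."`. Both `content_safety_key` and `azure_client_secret` are credentials, and their descriptions should say so, so that literal values are not committed to configuration.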
@@ -0,0 +1,135 @@ +{ + "properties": { + "config": { + "properties": { + "prompts": { + "properties": { + "append": { + "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages.", + "items": { + "properties": { + "content": { + "maxLength": 500, + "minLength": 1, + "type": "string" + }, + "role": { + "default": "system", + "enum": [ + "assistant", + "system", + "user" + ], + "type": "string" + } + }, + "required": [ + "content" + ], + "type": "object" + }, + "maxLength": 15, + "type": "array" + }, + "prepend": { + "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages.", + "items": { + "properties": { + "content": { + "maxLength": 500, + "minLength": 1, + "type": "string" + }, + "role": { + "default": "system", + "enum": [ + "assistant", + "system", + "user" + ], + "type": "string" + } + }, + "required": [ + "content" + ], + "type": "object" + }, + "maxLength": 15, + "type": "array" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-prompt-guard/3.7.json b/json_schemas/ai-prompt-guard/3.7.json new file mode 100644 index 00000000..6a26d4a7 --- /dev/null +++ b/json_schemas/ai-prompt-guard/3.7.json 
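Review bot: The `append` and `prepend` arrays are capped with `"maxLength": 15` next to `"type": "array"`, but in JSON Schema `maxLength` constrains only strings and is ignored for arrays. A standard validator consuming this file would therefore accept any number of injected messages. The array keyword is `"maxItems": 15`. The same mismatch appears in the ai-prompt-guard schema (`allow_patterns` and `deny_patterns`, `"maxLength": 10`) and in the ai-rate-limiting-advanced schema (`cluster_addresses` and `sentinel_addresses`, `"minLength": 1`, which should be `"minItems": 1`). If these files are exported by a tool, the key mapping should be corrected in that exporter rather than by hand.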
@@ -0,0 +1,104 @@ +{ + "properties": { + "config": { + "properties": { + "allow_all_conversation_history": { + "default": false, + "description": "If true, will ignore all previous chat prompts from the conversation history.", + "type": "boolean" + }, + "allow_patterns": { + "default": [], + "description": "Array of valid patterns, or valid questions from the 'user' role in chat.", + "items": { + "maxLength": 500, + "minLength": 1, + "required": [], + "type": "string" + }, + "maxLength": 10, + "type": "array" + }, + "deny_patterns": { + "default": [], + "description": "Array of invalid patterns, or invalid questions from the 'user' role in chat.", + "items": { + "maxLength": 500, + "minLength": 1, + "required": [], + "type": "string" + }, + "maxLength": 10, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-prompt-template/3.7.json b/json_schemas/ai-prompt-template/3.7.json new file mode 100644 index 00000000..2be256bc --- /dev/null +++ b/json_schemas/ai-prompt-template/3.7.json 
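Review bot: The name `allow_all_conversation_history` and its description "If true, will ignore all previous chat prompts from the conversation history" do not make clear what the guard skips. It is not stated whether "ignore" means that earlier messages are exempt from the `allow_patterns` and `deny_patterns` checks. If so, enabling the flag lets content that would be denied as a current prompt pass through as history, and the description should say that directly. A possible wording is `"description": "If true, earlier messages in the conversation history are not checked against the allow/deny patterns; only the latest user prompt is inspected."`. The pattern descriptions also do not say whether entries are regular expressions or literal strings, nor whether matching is anchored, and both affect how a deny rule should be written.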
@@ -0,0 +1,95 @@ +{ + "properties": { + "config": { + "properties": { + "allow_untemplated_requests": { + "default": true, + "description": "Set true to allow requests that don't call or match any template.", + "type": "boolean" + }, + "log_original_request": { + "default": false, + "description": "Set true to add the original request to the Kong log plugin(s) output.", + "type": "boolean" + }, + "templates": { + "description": "Array of templates available to the request context.", + "items": { + "properties": { + "name": { + "description": "Unique name for the template, can be called with `{template://NAME}`", + "type": "string" + }, + "template": { + "description": "Template string for this request, supports mustache-style `{{placeholders}}`", + "type": "string" + } + }, + "required": [ + "name", + "template" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-proxy/3.7.json b/json_schemas/ai-proxy/3.7.json new file mode 100644 index 00000000..f950282e --- /dev/null +++ b/json_schemas/ai-proxy/3.7.json 
@@ -0,0 +1,229 @@ +{ + "properties": { + "config": { + "properties": { + "auth": { + "properties": { + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean" + }, + 
"log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "enum": [ + "ollama", + "openai", + "raw" + ], + "type": "string" + }, + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "enum": [ + "ollama", + "openai" + ], + "type": "string" + }, + "response_streaming": { + "default": "allow", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "enum": [ + "allow", + "always", + "deny" + ], + "type": "string" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, + "minimum": 0, + "type": "integer" + }, + "top_p": { + 
"description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "cohere", + "llama2", + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "enum": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-rate-limiting-advanced/3.7.json b/json_schemas/ai-rate-limiting-advanced/3.7.json new file mode 100644 index 00000000..75ac96e4 --- /dev/null +++ b/json_schemas/ai-rate-limiting-advanced/3.7.json 
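Review bot: Three fields under `config.auth` carry upstream credentials: `header_value`, `param_value` and `azure_client_secret`. They are declared as plain `"type": "string"`, and their descriptions do not mark them as secrets. With `param_location` set to `query` the credential is placed in the request URL, where proxies and access logs commonly record it; the description should recommend the header or `body` option where the provider allows it. The `log_payloads` description could also state that request and response bodies may contain user prompts and any credential sent with `param_location` set to `body`. For example, `param_value` could read `"description": "Secret value for 'param_name'. Prefer header authentication; a value sent in the query string may be recorded in logs."`.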
@@ -0,0 +1,325 @@ +{ + "properties": { + "config": { + "properties": { + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "type": "string" + }, + "disable_penalty": { + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type and the request prompt provider.", + "type": "boolean" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "minimum": 0, + "type": "number" + }, + "error_hide_providers": { + "default": false, + "description": "Optionally hide informative response that would otherwise provide information about the provider in the error message.", + "type": "boolean" + }, + "error_message": { + "default": "API rate limit exceeded for provider(s): ", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" + }, + "identifier": { + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. 
Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "enum": [ + "consumer", + "consumer-group", + "credential", + "header", + "ip", + "path", + "service" + ], + "type": "string" + }, + "llm_providers": { + "description": "The provider config. Takes an array of `name`, `limit` and `window size` values.", + "items": { + "properties": { + "limit": { + "description": "The limit applies to the LLM provider within the defined window size. It used the query cost from the tokens to increment the counter.", + "type": "number" + }, + "name": { + "description": "The LLM provider to which the rate limit applies.", + "enum": [ + "anthropic", + "azure", + "cohere", + "llama2", + "mistral", + "openai", + "requestPrompt" + ], + "type": "string" + }, + "window_size": { + "description": "The window size to apply a limit (defined in seconds).", + "type": "number" + } + }, + "required": [ + "limit", + "name", + "window_size" + ], + "type": "object" + }, + "type": "array" + }, + "path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "redis": { + "properties": { + "cluster_addresses": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "items": { + "required": [], + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_addresses": { + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "items": { + "required": [], + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "request_prompt_count_function": { + "description": "If defined, it use custom function to count requests for the request prompt provider", + "type": "string" + }, + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + }, + "strategy": { + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. 
The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + }, + "tokens_count_strategy": { + "default": "total_tokens", + "description": "What tokens to use for cost calculation. Available values are: `total_tokens` `prompt_tokens`, and `completion_tokens`.", + "enum": [ + "completion_tokens", + "prompt_tokens", + "total_tokens" + ], + "type": "string" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-request-transformer/3.7.json b/json_schemas/ai-request-transformer/3.7.json new file mode 100644 index 00000000..b85135a1 --- /dev/null +++ b/json_schemas/ai-request-transformer/3.7.json 
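Review bot: Under `config.redis`, `ssl` and `ssl_verify` both default to `false`, while the same object accepts `password` and `sentinel_password`. With default settings the Redis credentials and counter data therefore travel unencrypted, and enabling `ssl` alone still leaves the server certificate unchecked. The descriptions should say this, for example by adding to `ssl` the sentence `"Enable together with `ssl_verify` whenever `password` is set."`. Separately, the `strategy` description lists only `local` and `cluster` although the enum also allows `redis`. `request_prompt_count_function` is a free-form string described as a custom function, and its description does not say in which language or sandbox it is evaluated, which matters for deciding who may edit this plugin's configuration.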
@@ -0,0 +1,284 @@ +{ + "properties": { + "config": { + "properties": { + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 60000, + "description": "Timeout in milliseconds for the AI upstream service.", + "type": "integer" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_verify": { + "default": true, + "description": "Verify the TLS certificate of the AI upstream service.", + "type": "boolean" + }, + "llm": { + "properties": { + "auth": { + "properties": { + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + 
"type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "enum": [ + "ollama", + "openai", + "raw" + ], + "type": 
"string" + }, + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "enum": [ + "ollama", + "openai" + ], + "type": "string" + }, + "response_streaming": { + "default": "allow", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "enum": [ + "allow", + "always", + "deny" + ], + "type": "string" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, + "minimum": 0, + "type": "integer" + }, + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "cohere", + "llama2", + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. 
Set to `preserve` to pass through without transformation.", + "enum": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "prompt": { + "description": "Use this prompt to tune the LLM system/assistant message for the incoming proxy request (from the client), and what you are expecting in return.", + "type": "string" + }, + "transformation_extract_pattern": { + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the request phase. The first match will be set as the outgoing body. If the AI service's response doesn't match this pattern, it is marked as a failure.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ai-response-transformer/3.7.json b/json_schemas/ai-response-transformer/3.7.json new file mode 100644 index 00000000..af73ad32 --- /dev/null +++ b/json_schemas/ai-response-transformer/3.7.json 
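Review bot: In `config.llm.auth`, the properties `azure_client_secret`, `header_value` and `param_value` are plain `string` types, and nothing in the schema or their descriptions marks them as credentials, so a form or documentation generator built on this file will treat them like any other text field. If this file is generated from the plugin's own schema the fix belongs upstream, but each description could end with a sentence such as `Treat this value as a secret and prefer a vault reference over a literal.` Two further descriptions deserve a caveat: `param_location` accepts `query`, which puts `param_value` into the upstream URL where it may be recorded in access logs, and `log_payloads` copies request and response bodies into log output. The same `auth` and `logging` blocks recur in `json_schemas/ai-response-transformer/3.7.json`.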
@@ -0,0 +1,289 @@ +{ + "properties": { + "config": { + "properties": { + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 60000, + "description": "Timeout in milliseconds for the AI upstream service.", + "type": "integer" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_verify": { + "default": true, + "description": "Verify the TLS certificate of the AI upstream service.", + "type": "boolean" + }, + "llm": { + "properties": { + "auth": { + "properties": { + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + 
"type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "enum": [ + "ollama", + "openai", + "raw" + ], + "type": 
"string" + }, + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "enum": [ + "ollama", + "openai" + ], + "type": "string" + }, + "response_streaming": { + "default": "allow", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "enum": [ + "allow", + "always", + "deny" + ], + "type": "string" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, + "minimum": 0, + "type": "integer" + }, + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "cohere", + "llama2", + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. 
Set to `preserve` to pass through without transformation.", + "enum": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "parse_llm_response_json_instructions": { + "default": false, + "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions.", + "type": "boolean" + }, + "prompt": { + "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting.", + "type": "string" + }, + "transformation_extract_pattern": { + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the response phase. The first match will be set as the returning body. If the AI service's response doesn't match this pattern, a failure is returned to the client.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/app-dynamics/3.7.json b/json_schemas/app-dynamics/3.7.json new file mode 100644 index 00000000..984044ad --- /dev/null +++ b/json_schemas/app-dynamics/3.7.json 
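Review bot: The description of `config.parse_llm_response_json_instructions` never states the trust implication of enabling it: the status code, headers and body proxied back to the client are then taken from model output. I would add a sentence to that description, for example `With this enabled the LLM response determines the status code and headers sent to the client, so treat it as untrusted input.` Separately, the `config.prompt` description contains the typo `adn`, which should read `and`.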
@@ -0,0 +1,64 @@ +{ + "properties": { + "config": { + "additionalProperties": true, + "properties": {}, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/application-registration/3.7.json b/json_schemas/application-registration/3.7.json new file mode 100644 index 00000000..c0e82ee3 --- /dev/null +++ b/json_schemas/application-registration/3.7.json 
@@ -0,0 +1,54 @@ +{ + "properties": { + "config": { + "properties": { + "auto_approve": { + "default": false, + "description": "If enabled, all new Service Contracts requests are automatically approved.", + "type": "boolean" + }, + "description": { + "description": "Unique description displayed in information about a Service in the Developer Portal.", + "type": "string" + }, + "display_name": { + "description": "Unique display name used for a Service in the Developer Portal.", + "type": "string" + }, + "enable_proxy_with_consumer_credential": { + "default": false, + "description": "If enabled, the Route of the Service can be accessed using the Consumer's credential", + "type": "boolean" + }, + "show_issuer": { + "default": false, + "description": "Displays the **Issuer URL** in the **Service Details** dialog.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/aws-lambda/3.7.json b/json_schemas/aws-lambda/3.7.json new file mode 100644 index 00000000..f24daea8 --- /dev/null +++ b/json_schemas/aws-lambda/3.7.json 
@@ -0,0 +1,200 @@ +{ + "properties": { + "config": { + "properties": { + "aws_assume_role_arn": { + "description": "The target AWS IAM role ARN used to invoke the Lambda function.", + "type": "string" + }, + "aws_imds_protocol_version": { + "default": "v1", + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", + "enum": [ + "v1", + "v2" + ], + "type": "string" + }, + "aws_key": { + "description": "The AWS key credential to be used when invoking the function.", + "type": "string" + }, + "aws_region": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "aws_role_session_name": { + "default": "kong", + "description": "The identifier of the assumed role session.", + "type": "string" + }, + "aws_secret": { + "description": "The AWS secret credential to be used when invoking the function. ", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "awsgateway_compatible": { + "default": false, + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", + "type": "boolean" + }, + "base64_encode_body": { + "default": true, + "description": "An optional value that Base64-encodes the request body.", + "type": "boolean" + }, + "disable_https": { + "default": false, + "type": "boolean" + }, + "forward_request_body": { + "default": false, + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. 
", + "type": "boolean" + }, + "forward_request_headers": { + "default": false, + "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", + "type": "boolean" + }, + "forward_request_method": { + "default": false, + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", + "type": "boolean" + }, + "forward_request_uri": { + "default": false, + "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", + "type": "boolean" + }, + "function_name": { + "description": "The AWS Lambda function to invoke. Both function name and function ARN (including partial) are supported.", + "type": "string" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "invocation_type": { + "default": "RequestResponse", + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", + "enum": [ + "DryRun", + "Event", + "RequestResponse" + ], + "type": "string" + }, + "is_proxy_integration": { + "default": false, + "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "number" + }, + "log_type": { + "default": "Tail", + "description": "The LogType to use when invoking the function. 
By default, None and Tail are supported.", + "enum": [ + "None", + "Tail" + ], + "type": "string" + }, + "port": { + "default": 443, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "proxy_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "qualifier": { + "description": "The qualifier to use when invoking the function.", + "type": "string" + }, + "skip_large_bodies": { + "default": true, + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", + "type": "boolean" + }, + "timeout": { + "default": 60000, + "description": "An optional timeout in milliseconds when invoking the function.", + "type": "number" + }, + "unhandled_status": { + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", + "maximum": 999, + "minimum": 100, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/azure-functions/3.7.json b/json_schemas/azure-functions/3.7.json new file mode 100644 index 00000000..8c4378f8 --- /dev/null +++ b/json_schemas/azure-functions/3.7.json 
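Review bot: `config.disable_https` is the only property in this `config` block with no `description`, although its name suggests it switches the Lambda call to plain HTTP. Assuming that is what it does (please confirm against the plugin), a line such as `"description": "Set to true to connect to the Lambda endpoint without TLS; requests and responses are then sent unencrypted."` would let operators see the consequence in the schema. `aws_imds_protocol_version` also defaults to `v1`; its description lists both values but does not say that `v2` is the session-token variant, which is worth stating next to the default. Finally, `aws_region` reuses the generic text `A string representing a host name, such as example.com.`, which does not describe a region.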
@@ -0,0 +1,117 @@ +{ + "properties": { + "config": { + "properties": { + "apikey": { + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", + "type": "string" + }, + "appname": { + "description": "The Azure app name.", + "type": "string" + }, + "clientid": { + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.", + "type": "string" + }, + "functionname": { + "description": "Name of the Azure function to invoke.", + "type": "string" + }, + "hostdomain": { + "default": "azurewebsites.net", + "description": "The domain where the function resides.", + "type": "string" + }, + "https": { + "default": true, + "description": "Use of HTTPS to connect with the Azure Functions server.", + "type": "boolean" + }, + "https_verify": { + "default": false, + "description": "Set to `true` to authenticate the Azure Functions server.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", + "type": "number" + }, + "routeprefix": { + "default": "api", + "description": "Route prefix to use.", + "type": "string" + }, + "timeout": { + "default": 600000, + "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/basic-auth/3.7.json b/json_schemas/basic-auth/3.7.json new file mode 100644 index 00000000..d67e26e6 --- /dev/null +++ b/json_schemas/basic-auth/3.7.json 
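Review bot: `config.https_verify` has `"default": false`, so with `https` left at its default of `true` the connection is encrypted but the server certificate is not checked, while `apikey` and `clientid` travel as the `x-functions-key` and `x-functions-clientid` headers. The `https_verify` property in `json_schemas/ai-request-transformer/3.7.json`, added by this same patch, defaults to `true`, so the two schemas disagree on the safe default. If the default cannot change upstream for compatibility reasons, the description should at least say so, e.g. `Defaults to false, which leaves the server unauthenticated; set to true in production.`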
@@ -0,0 +1,71 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", + "type": "boolean" + }, + "realm": { + "default": "service", + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/bot-detection/3.7.json b/json_schemas/bot-detection/3.7.json new file mode 100644 index 00000000..0a4e686c --- /dev/null +++ b/json_schemas/bot-detection/3.7.json 
@@ -0,0 +1,73 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "default": [], + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", + "items": { + "is_regex": true, + "required": [], + "type": "string" + }, + "type": "array" + }, + "deny": { + "default": [], + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", + "items": { + "is_regex": true, + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/canary/3.7.json b/json_schemas/canary/3.7.json new file mode 100644 index 00000000..b7ecf25f --- /dev/null +++ b/json_schemas/canary/3.7.json 
@@ -0,0 +1,130 @@ +{ + "properties": { + "config": { + "properties": { + "canary_by_header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "duration": { + "default": 3600, + "description": "The duration of the canary release in seconds.", + "minimum": 0, + "type": "number" + }, + "groups": { + "description": "The groups allowed to access the canary release.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "hash": { + "default": "consumer", + "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", + "enum": [ + "allow", + "consumer", + "deny", + "header", + "ip", + "none" + ], + "type": "string" + }, + "hash_header": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "percentage": { + "description": "The percentage of traffic to be routed to the canary release.", + "maximum": 100, + "minimum": 0, + "type": "number" + }, + "start": { + "description": "Future time in seconds since epoch, when the canary release will start. 
Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`.", + "type": "number" + }, + "steps": { + "default": 1000, + "description": "The number of steps for the canary release.", + "minimum": 1, + "type": "number" + }, + "upstream_fallback": { + "default": false, + "description": "Specifies whether to fallback to the upstream server if the canary release fails.", + "type": "boolean" + }, + "upstream_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "upstream_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "upstream_uri": { + "description": "The URI of the upstream server to be used for the canary release.", + "minLength": 1, + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "hash": { + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead.", + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/correlation-id/3.7.json b/json_schemas/correlation-id/3.7.json new file mode 100644 index 00000000..a6dd6f8d --- /dev/null +++ b/json_schemas/correlation-id/3.7.json 
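Review bot: The `shorthand_fields.hash` description in the canary schema runs two deprecation notices together: "`whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead." needs a full stop after the first "instead". The main `hash` description calls every value a "Hash algorithm", although the same text describes `allow` and `deny` as rules that admit or reject the listed groups. A label such as "Method used to select canary traffic" would match the value list better. The `groups` description should also say whether it is consulted only for `allow`/`deny`, if that is the case.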
@@ -0,0 +1,84 @@ +{ + "properties": { + "config": { + "properties": { + "echo_downstream": { + "default": false, + "description": "Whether to echo the header back to downstream (the client).", + "type": "boolean" + }, + "generator": { + "default": "uuid#counter", + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", + "enum": [ + "tracker", + "uuid", + "uuid#counter" + ], + "type": "string" + }, + "header_name": { + "default": "Kong-Request-ID", + "description": "The HTTP header name to use for the correlation ID.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/cors/3.7.json b/json_schemas/cors/3.7.json new file mode 100644 index 00000000..d3d2518f --- /dev/null +++ b/json_schemas/cors/3.7.json 
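Review bot: The `consumer` description is missing its noun: "requests where the specified has been authenticated" should read "where the specified Consumer has been authenticated", and "this way.). Leave" carries a stray full stop after the parenthesis. The same sentence is repeated in the `consumer` blocks of the datadog, exit-transformer, file-log, forward-proxy and graphql-proxy-cache-advanced files further down. In `generator`, the link `[Generators](#generators)` presumably points at an anchor on the documentation page this text was written for; inside a schema file it resolves to nothing and could be replaced by a short inline explanation of the three values.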
@@ -0,0 +1,127 @@ +{ + "properties": { + "config": { + "properties": { + "credentials": { + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", + "type": "boolean" + }, + "exposed_headers": { + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "description": "Value for the `Access-Control-Allow-Headers` header.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "max_age": { + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`.", + "type": "number" + }, + "methods": { + "default": [ + "CONNECT", + "DELETE", + "GET", + "HEAD", + "OPTIONS", + "PATCH", + "POST", + "PUT", + "TRACE" + ], + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", + "items": { + "enum": [ + "CONNECT", + "DELETE", + "GET", + "HEAD", + "OPTIONS", + "PATCH", + "POST", + "PUT", + "TRACE" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "origins": { + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. 
The accepted values can either be flat strings or PCRE regexes.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "preflight_continue": { + "default": false, + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", + "type": "boolean" + }, + "private_network": { + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "minLength": 1, + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/datadog/3.7.json b/json_schemas/datadog/3.7.json new file mode 100644 index 00000000..f355efac --- /dev/null +++ b/json_schemas/datadog/3.7.json 
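Review bot: The `origins` description says entries may be "flat strings or PCRE regexes" but does not say how a regex entry is compared with the request's `Origin` value (whole value or partial match). That detail decides whether a loosely written pattern also accepts origins the operator never meant to allow, so the description should state it and recommend patterns that are anchored and escape literal dots. It would also help to say next to `credentials` how it behaves when `origins` is `*`. In `methods`, the description is wrapped in stray single quotes (`"'Value for … allowed.'"`); they should be dropped.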
@@ -0,0 +1,238 @@ +{ + "properties": { + "config": { + "properties": { + "consumer_tag": { + "default": "consumer", + "description": "String to be attached as tag of the consumer.", + "type": "string" + }, + "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" + }, + "host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "metrics": { + "default": [ + { + "consumer_identifier": "custom_id", + "name": "kong_latency", + "sample_rate": 1, + "stat_type": "timer", + "tags": [ + "app:kong" + ] + } + ], + "description": "List of metrics to be logged.", + "items": { + "properties": { + "consumer_identifier": { + "description": "Authenticated user detail", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "description": "Datadog metric’s name", + "enum": [ + "kong_latency", + "latency", + "request_count", + "request_size", + "response_size", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "description": "Sampling rate", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "stat_type": { + "description": "Determines what sort of event the metric represents", + "enum": [ + "counter", + "distribution", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + }, + "tags": { + "description": "List of tags", + "items": { + "pattern": "^.*[^:]$", + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "name", + "stat_type" + ], + "type": "object" + }, + "type": "array" + }, + "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to be attached as a 
prefix to a metric's name.", + "type": "string" + }, + "queue": { + "properties": { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "queue_size": { + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" + }, + "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" + }, + "service_name_tag": { + "default": "name", + "description": "String to be attached as the name of the service.", + "type": "string" + }, + "status_tag": { + "default": "status", + "description": "String to be attached as the tag of the HTTP status.", + "type": "string" + } + }, 
+ "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/degraphql/3.7.json b/json_schemas/degraphql/3.7.json new file mode 100644 index 00000000..305dfff1 --- /dev/null +++ b/json_schemas/degraphql/3.7.json 
@@ -0,0 +1,58 @@ +{ + "properties": { + "config": { + "properties": { + "graphql_server_path": { + "default": "/graphql", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/exit-transformer/3.7.json b/json_schemas/exit-transformer/3.7.json new file mode 100644 index 00000000..423006b1 --- /dev/null +++ b/json_schemas/exit-transformer/3.7.json 
@@ -0,0 +1,81 @@ +{ + "properties": { + "config": { + "properties": { + "functions": { + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "handle_unexpected": { + "default": false, + "description": "Determines whether to handle unexpected errors by transforming their responses.", + "type": "boolean" + }, + "handle_unknown": { + "default": false, + "description": "Determines whether to handle unknown status codes by transforming their responses.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
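Review bot: `config.functions` is the only field in the exit-transformer schema without a `description`, and it is the one an operator most needs explained. The entries are presumably Lua function source that the plugin runs (worth confirming against the plugin); if so, the description should say that, and state that write access to this field is equivalent to running code inside the gateway. A starting point would be `"description": "Functions applied to transform exit responses; each entry is executed by the plugin."` with the wording adjusted once the behaviour is confirmed.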
diff --git a/json_schemas/file-log/3.7.json b/json_schemas/file-log/3.7.json new file mode 100644 index 00000000..1144bb8d --- /dev/null +++ b/json_schemas/file-log/3.7.json 
@@ -0,0 +1,86 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "path": { + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", + "pattern": "^[^*&%%\\`]+$", + "type": "string" + }, + "reopen": { + "default": false, + "description": "Determines whether the log file is closed and reopened on every request.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/forward-proxy/3.7.json b/json_schemas/forward-proxy/3.7.json new file mode 100644 index 00000000..800452c3 --- /dev/null +++ b/json_schemas/forward-proxy/3.7.json 
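Review bot: The `path` pattern `^[^*&%%\\`]+$` reads like a Lua pattern copied as-is, and a regular-expression engine interprets it differently: `%%` just lists `%` twice, and the decoded `\`` is an escaped backtick, so a backslash is not excluded. If backslash is meant to be rejected (an assumption, the original pattern is not shown here), the JSON value would need to be `"^[^*&%\\\\`]+$"`. The class also places no restriction on where the file may live, which the `path` description should say so that nobody reads the pattern as a location guard. `custom_fields_by_lua` accepts arbitrary keys and is described only as "Lua code as a key-value map"; the description should state that the values are Lua source evaluated by the plugin, if that is the case, because edit rights on this field then amount to code execution in the gateway.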
@@ -0,0 +1,123 @@ +{ + "properties": { + "config": { + "properties": { + "auth_password": { + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "type": "string" + }, + "auth_username": { + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "type": "string" + }, + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_verify": { + "default": false, + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "type": "boolean" + }, + "proxy_scheme": { + "default": "http", + "description": "The proxy scheme to use when connecting. Only `http` is supported.", + "enum": [ + "http" + ], + "type": "string" + }, + "x_headers": { + "default": "append", + "description": "Determines how to handle headers when forwarding the request.", + "enum": [ + "append", + "delete", + "transparent" + ], + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "proxy_host": { + "type": "string" + }, + "proxy_port": { + "type": "integer" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/graphql-proxy-cache-advanced/3.7.json b/json_schemas/graphql-proxy-cache-advanced/3.7.json new file mode 100644 index 00000000..7d98ca7d --- /dev/null +++ b/json_schemas/graphql-proxy-cache-advanced/3.7.json 
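Review bot: `https_verify` defaults to `false`, and its description does not spell out the consequence: with the default, the server certificate is not checked at all. I would extend the text, for example `"Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate. Defaults to false, which leaves the certificate unverified."`. `auth_password` is a plain `string` with nothing marking it as a secret, so tooling built from this schema could display or log it; a note in the description that the value is sensitive would help. The `shorthand_fields` entries `proxy_host` and `proxy_port` have no description, so a reader cannot tell which fields they stand in for.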
@@ -0,0 +1,223 @@ +{ + "properties": { + "config": { + "properties": { + "bypass_on_err": { + "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "minimum": 0, + "type": "integer" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "redis": { + "properties": { + "cluster_addresses": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "items": { + "required": [], + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. 
Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_addresses": { + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "items": { + "required": [], + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. 
Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "strategy": { + "default": "memory", + "description": "The backing data store in which to hold cached entities. 
Accepted value is `memory`.", + "enum": [ + "memory", + "redis" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/graphql-rate-limiting-advanced/3.7.json b/json_schemas/graphql-rate-limiting-advanced/3.7.json new file mode 100644 index 00000000..168be8f4 --- /dev/null 
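Review bot: In `config.redis`, `cluster_addresses` and `sentinel_addresses` put `"minLength": 1` on a `"type": "array"` field; under JSON Schema `minLength` constrains strings only, so the one-element minimum their descriptions promise is not enforced by a schema validator, and `"minItems": 1` is the keyword that matches the text. Two other descriptions in this file disagree with their constraints: `cache_ttl` says "Must be a value greater than 0" next to `"minimum": 0`, and `strategy` says "Accepted value is `memory`" while the enum also lists `redis`. `ssl` and `ssl_verify` both default to `false`, so the `ssl_verify` description should add that the Redis server certificate is not checked unless the field is set to `true`. If these files are produced from the plugin's own schema, the corrections belong in that source rather than in this copy.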
+++ b/json_schemas/graphql-rate-limiting-advanced/3.7.json 
@@ -0,0 +1,266 @@ +{ + "properties": { + "config": { + "properties": { + "cost_strategy": { + "default": "default", + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", + "enum": [ + "default", + "node_quantifier" + ], + "type": "string" + }, + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters will be stored until the next sync cycle.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers. Available options: `true` or `false`.", + "type": "boolean" + }, + "identifier": { + "default": "consumer", + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", + "enum": [ + "consumer", + "credential", + "ip" + ], + "type": "string" + }, + "limit": { + "description": "One or more requests-per-window limits to apply.", + "items": { + "required": [], + "type": "number" + }, + "type": "array" + }, + "max_cost": { + "default": 0, + "description": "A defined maximum cost per query. 0 means unlimited.", + "type": "number" + }, + "namespace": { + "description": "The rate limiting library namespace to use for this plugin instance. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", + "type": "string" + }, + "redis": { + "properties": { + "cluster_addresses": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "items": { + "required": [], + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_addresses": { + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "items": { + "required": [], + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "score_factor": { + "default": 1, + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", + "minimum": 0, + "type": "number" + }, + "strategy": { + "default": "cluster", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", + "enum": [ + "cluster", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. 
A value greater than 0 syncs the counters in that many number of seconds.", + "type": "number" + }, + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds).", + "items": { + "required": [], + "type": "number" + }, + "type": "array" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window to either `sliding` or `fixed`.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
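Review bot: `config.redis.cluster_addresses` and `config.redis.sentinel_addresses` put `"minLength": 1` on a `"type": "array"` property, and `minLength` constrains strings only, so an empty address list validates even though both descriptions promise at least one element; the keyword should be `"minItems": 1`. `config.score_factor` has the same kind of gap: its description says the value must always be greater than 0, but `"minimum": 0` accepts 0, so it needs an exclusive bound (`"exclusiveMinimum": 0`, or the boolean form next to `minimum` if consumers validate against draft-04; the file declares no `$schema`). Separately, `ssl` and `ssl_verify` both default to `false`, and the `ssl_verify` description would be clearer with a sentence such as `With ssl enabled and ssl_verify left false, the Redis server certificate is not checked.` The file looks generated from the plugin's own schema, so these fixes probably belong in the generator or the upstream definition rather than in this JSON.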
diff --git a/json_schemas/grpc-gateway/3.7.json b/json_schemas/grpc-gateway/3.7.json new file mode 100644 index 00000000..f9b0ae1e --- /dev/null +++ b/json_schemas/grpc-gateway/3.7.json @@ -0,0 +1,75 @@ +{ + "properties": { + "config": { + "properties": { + "proto": { + "description": "Describes the gRPC types and methods.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
diff --git a/json_schemas/grpc-web/3.7.json b/json_schemas/grpc-web/3.7.json new file mode 100644 index 00000000..41a21e62 --- /dev/null +++ b/json_schemas/grpc-web/3.7.json 
@@ -0,0 +1,84 @@ +{ + "properties": { + "config": { + "properties": { + "allow_origin_header": { + "default": "*", + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", + "type": "string" + }, + "pass_stripped_path": { + "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", + "type": "boolean" + }, + "proto": { + "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/hmac-auth/3.7.json b/json_schemas/hmac-auth/3.7.json new file mode 100644 index 00000000..9a65d4f2 --- /dev/null +++ b/json_schemas/hmac-auth/3.7.json 
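Review bot: The `config.proto` description names the content type as `application/grpw-web+proto`, which looks like a typo for `application/grpc-web+proto`; a reader copying it into a client would send a type the plugin presumably does not recognise. In the same `config` object, `allow_origin_header` defaults to `"*"`, but its description does not spell out what that default means. I would append `The default "*" allows any origin; set an explicit origin for services that should only be called from known sites.`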
@@ -0,0 +1,106 @@ +{ + "properties": { + "config": { + "properties": { + "algorithms": { + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", + "items": { + "enum": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "anonymous": { + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + }, + "clock_skew": { + "default": 300, + "description": "Clock skew in seconds to prevent replay attacks.", + "minimum": 0, + "type": "number" + }, + "enforce_headers": { + "default": [], + "description": "A list of headers that the client should at least use for HTTP signature creation.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "type": "boolean" + }, + "validate_request_body": { + "default": false, + "description": "A boolean value telling the plugin to enable body validation.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/http-log/3.7.json b/json_schemas/http-log/3.7.json new file mode 100644 index 00000000..94995b98 --- /dev/null +++ b/json_schemas/http-log/3.7.json 
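Review bot: The `config.clock_skew` description (`Clock skew in seconds to prevent replay attacks.`) does not say what is compared or which direction is safer; I would reword it to `Maximum allowed difference, in seconds, between the request timestamp and the gateway clock. Larger values widen the window in which a captured request can be replayed.` `validate_request_body` defaults to `false`, and its description should state what is left unchecked in that case; presumably the body is then not covered by the signature check, which should be confirmed against the plugin and said explicitly. The `algorithms` default still lists `hmac-sha1` alongside the SHA-2 variants, so the description could tell operators to narrow the list when legacy clients are not needed.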
@@ -0,0 +1,176 @@ +{ + "properties": { + "config": { + "properties": { + "content_type": { + "default": "application/json", + "description": "Indicates the type of data sent. The only available option is `application/json`.", + "enum": [ + "application/json", + "application/json; charset=utf-8" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" + }, + "headers": { + "additionalProperties": true, + "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", + "type": "object" + }, + "http_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", + "type": "number" + }, + "method": { + "default": "POST", + "description": "An optional method used to send data to the HTTP server. 
Supported values are `POST` (default), `PUT`, and `PATCH`.", + "enum": [ + "PATCH", + "POST", + "PUT" + ], + "type": "string" + }, + "queue": { + "properties": { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "queue_size": { + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" + }, + "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, 
+ "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ip-restriction/3.7.json b/json_schemas/ip-restriction/3.7.json new file mode 100644 index 00000000..00e778e7 --- /dev/null +++ b/json_schemas/ip-restriction/3.7.json 
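Review bot: `config.custom_fields_by_lua` is described only as `Lua code as a key-value map` and is open-ended (`"additionalProperties": true`), so nothing tells an operator that write access to this field means supplying code the gateway will evaluate. The description should say that and name who is expected to be allowed to set it. `config.http_endpoint` is a bare `"type": "string"` with no scheme restriction, and `config.headers` may carry credentials for the log receiver, so I would add to the endpoint description `Log entries and any configured headers are sent to this URL; use https so they are not exposed in transit.` The `content_type` description also says the only available option is `application/json` while the `enum` accepts two values, so one of the two should be corrected.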
@@ -0,0 +1,110 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", + "items": { + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "deny": { + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", + "items": { + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "message": { + "description": "The message to send as a response body to rejected requests.", + "type": "string" + }, + "status": { + "description": "The HTTP status of the requests that will be rejected by the plugin.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/jq/3.7.json b/json_schemas/jq/3.7.json new file mode 100644 index 00000000..562724b3 --- /dev/null +++ b/json_schemas/jq/3.7.json 
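Review bot: Both `config.allow` and `config.deny` state `One of config.allow or config.deny must be specified`, but `config` has `"required": []` and no combinator, so a plugin entry with neither list passes validation against this schema and the mistake is caught, if at all, only by the gateway. Adding `"anyOf": [{"required": ["allow"]}, {"required": ["deny"]}]` to the `config` object would express the rule for anyone linting configuration with this file. `config.status` is a bare `"type": "number"`, so fractional or out-of-range values validate; the jq schema later in this patch bounds its status codes with `"type": "integer"`, `"minimum": 100`, `"maximum": 599`, and the same bounds fit here.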
@@ -0,0 +1,154 @@ +{ + "properties": { + "config": { + "properties": { + "request_if_media_type": { + "default": [ + "application/json" + ], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "request_jq_program": { + "type": "string" + }, + "request_jq_program_options": { + "properties": { + "ascii_output": { + "default": false, + "type": "boolean" + }, + "compact_output": { + "default": true, + "type": "boolean" + }, + "join_output": { + "default": false, + "type": "boolean" + }, + "raw_output": { + "default": false, + "type": "boolean" + }, + "sort_keys": { + "default": false, + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "response_if_media_type": { + "default": [ + "application/json" + ], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "response_if_status_code": { + "default": [ + 200 + ], + "items": { + "maximum": 599, + "minimum": 100, + "required": [], + "type": "integer" + }, + "type": "array" + }, + "response_jq_program": { + "type": "string" + }, + "response_jq_program_options": { + "properties": { + "ascii_output": { + "default": false, + "type": "boolean" + }, + "compact_output": { + "default": true, + "type": "boolean" + }, + "join_output": { + "default": false, + "type": "boolean" + }, + "raw_output": { + "default": false, + "type": "boolean" + }, + "sort_keys": { + "default": false, + "type": "boolean" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/jwe-decrypt/3.7.json b/json_schemas/jwe-decrypt/3.7.json new file mode 100644 index 00000000..dd09fa60 --- /dev/null +++ b/json_schemas/jwe-decrypt/3.7.json 
@@ -0,0 +1,76 @@ +{ + "properties": { + "config": { + "properties": { + "forward_header_name": { + "default": "Authorization", + "description": "The name of the header that is used to set the decrypted value.", + "type": "string" + }, + "key_sets": { + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "lookup_header_name": { + "default": "Authorization", + "description": "The name of the header to look for the JWE token.", + "type": "string" + }, + "strict": { + "default": true, + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
diff --git a/json_schemas/jwt-signer/3.7.json b/json_schemas/jwt-signer/3.7.json new file mode 100644 index 00000000..3be7f441 --- /dev/null +++ b/json_schemas/jwt-signer/3.7.json 
@@ -0,0 +1,639 @@ +{ + "properties": { + "config": { + "properties": { + "access_token_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_authorization": { + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", + "type": "string" + }, + "access_token_introspection_body_args": { + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", + "type": "string" + }, + "access_token_introspection_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. 
The parameter can take an array of values.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", + "type": "string" + }, + "access_token_introspection_hint": { + "default": "access_token", + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", + "type": "string" + }, + "access_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. 
You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", + "type": "number" + }, + "access_token_introspection_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", + "type": "number" + }, + "access_token_issuer": { + "default": "kong", + "description": "The `iss` claim of a signed or re-signed access token is set to this value. 
Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", + "type": "string" + }, + "access_token_jwks_uri": { + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", + "type": "string" + }, + "access_token_jwks_uri_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", + "type": "string" + }, + "access_token_jwks_uri_client_password": { + "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`", + "type": "string" + }, + "access_token_jwks_uri_client_username": { + "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`", + "type": "string" + }, + "access_token_jwks_uri_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. The default value 0 means no auto-rotation.", + "type": "number" + }, + "access_token_keyset": { + "default": "kong", + "description": "The name of the keyset containing signing keys.", + "type": "string" + }, + "access_token_keyset_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_keyset` is an https uri that requires mTLS Auth.", + "type": "string" + }, + "access_token_keyset_client_password": { + "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `access_token_keyset_client_username`", + "type": "string" + }, + "access_token_keyset_client_username": { + "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`", + "type": "string" + }, + "access_token_keyset_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. The default value 0 means no auto-rotation.", + "type": "number" + }, + "access_token_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", + "type": "number" + }, + "access_token_optional": { + "default": false, + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. 
If the token is provided, then this parameter has no effect", + "type": "boolean" + }, + "access_token_request_header": { + "default": "Authorization", + "description": "This parameter tells the name of the header where to look for the access token.", + "type": "string" + }, + "access_token_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "access_token_signing_algorithm": { + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS512" + ], + "type": "string" + }, + "access_token_upstream_header": { + "default": "Authorization:Bearer", + "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. 
If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", + "type": "string" + }, + "access_token_upstream_leeway": { + "default": 0, + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", + "type": "number" + }, + "add_access_token_claims": { + "additionalProperties": true, + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "add_channel_token_claims": { + "additionalProperties": true, + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "add_claims": { + "additionalProperties": true, + "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "cache_access_token_introspection": { + "default": true, + "description": "Whether to cache access token introspection results.", + "type": "boolean" + }, + "cache_channel_token_introspection": { + "default": true, + "description": "Whether to cache channel token introspection results.", + "type": "boolean" + }, + "channel_token_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. 
The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_authorization": { + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", + "items": { + "required": [], + "type": "string" + }, + "type": "string" + }, + "channel_token_introspection_body_args": { + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", + "items": { + "required": [], + "type": "string" + }, + "type": "string" + }, + "channel_token_introspection_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. 
Valid values are `id`, `username` and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", + "type": "string" + }, + "channel_token_introspection_hint": { + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", + "items": { + "required": [], + "type": "string" + }, + "type": "string" + }, + "channel_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_leeway": { + "default": 0, + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. 
The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", + "type": "number" + }, + "channel_token_introspection_scopes_claim": { + "default": [ + "scope" + ], + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_scopes_required": { + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", + "type": "number" + }, + "channel_token_issuer": { + "default": "kong", + "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", + "type": "string" + }, + "channel_token_jwks_uri": { + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. 
If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", + "type": "string" + }, + "channel_token_jwks_uri_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", + "type": "string" + }, + "channel_token_jwks_uri_client_password": { + "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`", + "type": "string" + }, + "channel_token_jwks_uri_client_username": { + "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", + "type": "string" + }, + "channel_token_jwks_uri_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. The default value 0 means no auto-rotation.", + "type": "number" + }, + "channel_token_keyset": { + "default": "kong", + "description": "The name of the keyset containing signing keys.", + "type": "string" + }, + "channel_token_keyset_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `channel_token_keyset` is an https uri that requires mTLS Auth.", + "type": "string" + }, + "channel_token_keyset_client_password": { + "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_keyset_client_username`", + "type": "string" + }, + "channel_token_keyset_client_username": { + "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`", + "type": "string" + }, + "channel_token_keyset_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. The default value 0 means no auto-rotation.", + "type": "number" + }, + "channel_token_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", + "type": "number" + }, + "channel_token_optional": { + "default": false, + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", + "type": "boolean" + }, + "channel_token_request_header": { + "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", + "type": "string" + }, + "channel_token_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. 
This supports nested claims.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "channel_token_signing_algorithm": { + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS512" + ], + "type": "string" + }, + "channel_token_upstream_header": { + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", + "type": "string" + }, + "channel_token_upstream_leeway": { + "default": 0, + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", + "type": "number" + }, + "enable_access_token_introspection": { + "default": true, + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", + "type": "boolean" + }, + "enable_channel_token_introspection": { + "default": true, + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", + "type": "boolean" + }, + "enable_hs_signatures": { + "default": false, + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. 
If you need to accept such tokens for verification, enable this setting.", + "type": "boolean" + }, + "enable_instrumentation": { + "default": false, + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", + "type": "boolean" + }, + "original_access_token_upstream_header": { + "description": "The HTTP header name used to store the original access token.", + "type": "string" + }, + "original_channel_token_upstream_header": { + "description": "The HTTP header name used to store the original channel token.", + "type": "string" + }, + "realm": { + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", + "type": "string" + }, + "remove_access_token_claims": { + "default": [], + "description": "remove claims. It should be an array, and each element is a claim key string.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "remove_channel_token_claims": { + "default": [], + "description": "remove claims. It should be an array, and each element is a claim key string.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "set_access_token_claims": { + "additionalProperties": true, + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "set_channel_token_claims": { + "additionalProperties": true, + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "set_claims": { + "additionalProperties": true, + "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. 
Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "trust_access_token_introspection": { + "default": true, + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", + "type": "boolean" + }, + "trust_channel_token_introspection": { + "default": true, + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", + "type": "boolean" + }, + "verify_access_token_expiry": { + "default": true, + "description": "Quickly turn access token expiry verification off and on as needed.", + "type": "boolean" + }, + "verify_access_token_introspection_expiry": { + "default": true, + "description": "Quickly turn access token introspection expiry verification off and on as needed.", + "type": "boolean" + }, + "verify_access_token_introspection_scopes": { + "default": true, + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", + "type": "boolean" + }, + "verify_access_token_scopes": { + "default": true, + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", + "type": "boolean" + }, + "verify_access_token_signature": { + "default": true, + "description": "Quickly turn access token signature verification off and on as needed.", + "type": "boolean" + }, + 
"verify_channel_token_expiry": { + "default": true, + "type": "boolean" + }, + "verify_channel_token_introspection_expiry": { + "default": true, + "description": "Quickly turn on/off the channel token introspection expiry verification.", + "type": "boolean" + }, + "verify_channel_token_introspection_scopes": { + "default": true, + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", + "type": "boolean" + }, + "verify_channel_token_scopes": { + "default": true, + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", + "type": "boolean" + }, + "verify_channel_token_signature": { + "default": true, + "description": "Quickly turn on/off the channel token signature verification.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
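Review bot: `channel_token_introspection_authorization` is declared `"type": "string"` but also carries an `items` sub-schema, and its description is the introspection-endpoint text rather than a statement that the field holds the `Authorization` header value sent to the introspection endpoint; `channel_token_introspection_body_args` and `channel_token_introspection_hint` have the same stray `items` under `"type": "string"`. Because this field carries a credential, its description should reuse the wording of `access_token_introspection_authorization` in the same hunk, and `items` should be dropped from all three string fields. Two other channel-token descriptions point at access-token settings (`channel_token_jwks_uri_client_certificate` names `access_token_jwks_uri`, and `channel_token_introspection_timeout` names `config.access_token_introspection_timeout`), and `verify_channel_token_expiry` has no description at all. If this file is exported from the plugin's own schema, these probably need fixing at the source rather than in this copy.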
diff --git a/json_schemas/jwt/3.7.json b/json_schemas/jwt/3.7.json
new file mode 100644
index 00000000..d94b4103
--- /dev/null
+++ b/json_schemas/jwt/3.7.json
@@ -0,0 +1,122 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + }, + "claims_to_verify": { + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", + "items": { + "enum": [ + "exp", + "nbf" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "cookie_names": { + "default": [], + "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "header_names": { + "default": [ + "authorization" + ], + "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "key_claim_name": { + "default": "iss", + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", + "type": "string" + }, + "maximum_expiration": { + "default": 0, + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", + "maximum": 31536000, + "minimum": 0, + "type": "number" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", + "type": "boolean" + }, + "secret_is_base64": { + "default": false, + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. 
You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", + "type": "boolean" + }, + "uri_param_names": { + "default": [ + "jwt" + ], + "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/kafka-log/3.7.json b/json_schemas/kafka-log/3.7.json new file mode 100644 index 00000000..03450b52 --- /dev/null +++ b/json_schemas/kafka-log/3.7.json 
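Review bot: `claims_to_verify` in the jwt schema has no `default` and its description does not say what is checked when it is left unset, so from this schema an operator cannot tell whether `exp` is enforced in the default configuration; `maximum_expiration` likewise defaults to `0` without saying what `0` means. I would extend both descriptions, for example by appending `When unset, no registered claims are verified.` and `A value of 0 means no limit.`, after confirming that wording against the plugin's behaviour. `uri_param_names` defaults to `["jwt"]`, so by default tokens are also read from the query string, where they commonly end up in access logs; its description could say so.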
@@ -0,0 +1,216 @@ +{ + "properties": { + "config": { + "properties": { + "authentication": { + "properties": { + "mechanism": { + "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", + "enum": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "type": "string" + }, + "password": { + "description": "Password for SASL authentication.", + "type": "string" + }, + "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "enum": [ + "sasl" + ], + "type": "string" + }, + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication", + "type": "boolean" + }, + "user": { + "description": "Username for SASL authentication.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. 
Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "keepalive": { + "default": 60000, + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + }, + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + }, + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + }, + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "enum": [ + -1, + 0, + 1 + ], + "type": "integer" + }, + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + }, + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single Produce request.", + "type": "integer" + }, + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + }, + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + }, + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds", + "type": "integer" + }, + "security": { + "properties": { + "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string", + "uuid": true + }, + "ssl": { + "description": "Enables TLS.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topic": { + "description": "The Kafka topic to publish to.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/kafka-upstream/3.7.json b/json_schemas/kafka-upstream/3.7.json new file mode 100644 index 00000000..28be0e0e --- /dev/null +++ b/json_schemas/kafka-upstream/3.7.json 
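Review bot: `authentication.mechanism` accepts `PLAIN` while `security.ssl` has no default and nothing links the two, so a configuration that sends the SASL password over a broker connection without TLS validates without complaint; the kafka-upstream hunk that follows has the same shape. The `mechanism` description should carry the caveat, for example `PLAIN sends the password unprotected unless security.ssl is true.`, and should list `SCRAM-SHA-512`, which the enum allows but the text omits. The `password` description could also say that the value is a secret and is better supplied through a secret reference than as a literal in committed configuration. `keepalive` and `keepalive_enabled` have no description at all in this hunk.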
@@ -0,0 +1,228 @@ +{ + "properties": { + "config": { + "properties": { + "authentication": { + "properties": { + "mechanism": { + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", + "enum": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "type": "string" + }, + "password": { + "description": "Password for SASL authentication.", + "type": "string" + }, + "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "enum": [ + "sasl" + ], + "type": "string" + }, + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication.", + "type": "boolean" + }, + "user": { + "description": "Username for SASL authentication.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "forward_body": { + "default": true, + "description": "Include the request body in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_headers": { + "default": false, + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_method": { + "default": false, + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_uri": { + "default": false, + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "Keepalive timeout in milliseconds.", + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + }, + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + }, + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + }, + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "enum": [ + -1, + 0, + 1 + ], + "type": "integer" + }, + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + }, + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single producer request.", + "type": "integer" + }, + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + }, + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + }, + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer" + }, + "security": { + "properties": { + "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string", + "uuid": true + }, + "ssl": { + "description": "Enables TLS.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topic": { + "description": "The Kafka topic to publish to.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/key-auth-enc/3.7.json b/json_schemas/key-auth-enc/3.7.json new file mode 100644 index 00000000..c5bdb71f --- /dev/null +++ b/json_schemas/key-auth-enc/3.7.json 
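Review bot: `forward_headers` and `forward_body` copy request data into Kafka messages, and neither description says whether credentials are filtered, so `Authorization` and `Cookie` values, or secrets in a body (`forward_body` defaults to `true`), may end up readable by every consumer of the topic. I would add to `forward_headers` something like `Forwarded headers can include credentials such as Authorization and Cookie; restrict read access to the topic accordingly.`, worded to match what the plugin actually forwards, which this hunk does not show. `keepalive_enabled` lacks a description, and the `consumer` description reads "where the specified has been authenticated" with the noun missing (the kafka-log hunk has the same sentence).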
@@ -0,0 +1,98 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", + "type": "boolean" + }, + "key_in_body": { + "default": false, + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "key_in_header": { + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean" + }, + "key_in_query": { + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean" + }, + "key_names": { + "default": [ + "apikey" + ], + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. 
Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "items": { + "description": "A string representing an HTTP header name.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/key-auth/3.7.json b/json_schemas/key-auth/3.7.json new file mode 100644 index 00000000..42a51f9a --- /dev/null +++ b/json_schemas/key-auth/3.7.json 
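Review bot: `key_in_query` defaults to `true` and `hide_credentials` to `false`, so with this schema's defaults an API key is accepted from the URL and passed on to the upstream service, and neither description mentions that exposure; the key-auth hunk below has the same two defaults. A key in a query string is written to access logs and can leak through `Referer` headers. I would add to the `key_in_query` description `Keys sent in the query string are recorded in access logs; prefer the header and set this to false where clients allow.` and to `hide_credentials` a note that `false` forwards the key upstream. If these files are exported from the plugin definitions, the wording belongs in that source.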
@@ -0,0 +1,102 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", + "type": "boolean" + }, + "key_in_body": { + "default": false, + "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "key_in_header": { + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean" + }, + "key_in_query": { + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean" + }, + "key_names": { + "default": [ + "apikey" + ], + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "items": { + "description": "A string representing an HTTP header name.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. 
If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/konnect-application-auth/3.7.json b/json_schemas/konnect-application-auth/3.7.json new file mode 100644 index 00000000..c142c978 --- /dev/null +++ b/json_schemas/konnect-application-auth/3.7.json 
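Review bot: The `key_names` description states a character rule ("[a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen") that the `items` schema does not enforce, so a consumer validating against this file alone accepts any string as a key name. Adding `"pattern": "^[A-Za-z0-9_-]+$"` to `items` would express the rule, assuming the plugin enforces exactly that set. The `items` description also calls the value an HTTP header name, although the same names are apparently looked up in the query string and body when `key_in_query` or `key_in_body` is set. In `key_in_body`, the MIME type is written `application/www-form-urlencoded`; the registered name is `application/x-www-form-urlencoded`. All three points apply to the key-auth-enc hunk above as well.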
@@ -0,0 +1,1844 @@ +{ + "properties": { + "config": { + "properties": { + "auth_type": { + "default": "openid-connect", + "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", + "enum": [ + "key-auth", + "openid-connect", + "v2-strategies" + ], + "type": "string" + }, + "key_names": { + "default": [ + "apikey" + ], + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "items": { + "description": "A string representing an HTTP header name.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "scope": { + "description": "The unique scope identifier for the plugin configuration.", + "type": "string" + }, + "v2_strategies": { + "description": "The map of v2 strategies.", + "properties": { + "key_auth": { + "description": "List of key_auth strategies.", + "items": { + "properties": { + "config": { + "properties": { + "key_names": { + "default": [ + "apikey" + ], + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "items": { + "description": "A string representing an HTTP header name.", + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "strategy_id": { + "description": "The strategy id the config is tied to.", + "type": "string" + } + }, + "required": [ + "config", + "strategy_id" + ], + "type": "object" + }, + "type": "array" + }, + "openid_connect": { + "description": "List of openid_connect strategies.", + "items": { + "properties": { + "config": { + "description": "openid-connect plugin configuration.", + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "audience": { + "description": "The audience passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "audience_claim": { + "default": [ + "aud" + ], + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "audience_required": { + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "auth_methods": { + "default": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "description": "Types of credentials/grants to enable.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "authenticated_groups_claim": { + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", + "type": "string" + }, + "authorization_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "authorization_cookie_name": { + "default": "authorization", + "description": "The authorization cookie name.", + "type": "string" + }, + "authorization_cookie_path": { + "default": "/", + "description": "The authorization cookie Path flag.", + "type": "string" + }, + "authorization_cookie_same_site": { + "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "authorization_endpoint": { + "description": "The authorization endpoint. 
If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "authorization_query_args_client": { + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_names": { + "description": "Extra query argument names passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_values": { + "description": "Extra query argument values passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_rolling_timeout": { + "default": 600, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number" + }, + "bearer_token_cookie_name": { + "description": "The name of the cookie in which the bearer token is passed.", + "type": "string" + }, + "bearer_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "items": { + "enum": [ + "body", + "cookie", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "by_username_ignore_case": { + "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "type": "boolean" + }, + "cache_introspection": { + "default": true, + "description": "Cache the introspection endpoint requests.", + "type": "boolean" + }, + "cache_token_exchange": { + "default": true, 
+ "description": "Cache the token exchange endpoint requests.", + "type": "boolean" + }, + "cache_tokens": { + "default": true, + "description": "Cache the token endpoint requests.", + "type": "boolean" + }, + "cache_tokens_salt": { + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "type": "string" + }, + "cache_ttl": { + "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "type": "number" + }, + "cache_ttl_max": { + "description": "The maximum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_min": { + "description": "The minimum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_neg": { + "description": "The negative cache ttl in seconds.", + "type": "number" + }, + "cache_ttl_resurrect": { + "description": "The resurrection ttl in seconds.", + "type": "number" + }, + "cache_user_info": { + "default": true, + "description": "Cache the user info requests.", + "type": "boolean" + }, + "client_alg": { + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "items": { + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS384", + "RS512" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_arg": { + "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "type": "string" + }, + "client_auth": { + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 
'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "items": { + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_credentials_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_jwk": { + "description": "The JWK used for the private_key_jwt authentication.", + "items": { + "properties": { + "alg": { + "type": "string" + }, + "crv": { + "type": "string" + }, + "d": { + "type": "string" + }, + "dp": { + "type": "string" + }, + "dq": { + "type": "string" + }, + "e": { + "type": "string" + }, + "issuer": { + "type": "string" + }, + "k": { + "type": "string" + }, + "key_ops": { + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "kid": { + "type": "string" + }, + "kty": { + "type": "string" + }, + "n": { + "type": "string" + }, + "oth": { + "type": "string" + }, + "p": { + "type": "string" + }, + "q": { + "type": "string" + }, + "qi": { + "type": "string" + }, + "r": { + "type": "string" + }, + "t": { + "type": "string" + }, + "use": { + "type": "string" + }, + "x": { + "type": "string" + }, + "x5c": { + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "x5t": { + "type": "string" + }, + "x5t#S256": { + "type": "string" + }, + 
"x5u": { + "type": "string" + }, + "y": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "type": "array" + }, + "client_secret": { + "description": "The client secret.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_claim": { + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_optional": { + "default": false, + "description": "Do not terminate the request if consumer mapping fails.", + "type": "boolean" + }, + "credential_claim": { + "default": [ + "sub" + ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "disable_session": { + "description": "Disable issuing the session cookie with the specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_names": { + "description": "Extra header names passed to the discovery endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_values": { + "description": "Extra header values passed to the discovery endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "display_errors": { + "default": false, + "description": "Display errors on failure responses.", + "type": "boolean" + }, + "domains": { + "description": "The allowed values for the `hd` claim.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "downstream_access_token_header": { + "description": "The downstream access token header.", + "type": "string" + }, + "downstream_access_token_jwk_header": { + "description": "The downstream access token JWK header.", + "type": "string" + }, + "downstream_headers_claims": { + "description": "The downstream header claims. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "downstream_headers_names": { + "description": "The downstream header names for the claim values.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "downstream_id_token_header": { + "description": "The downstream id token header.", + "type": "string" + }, + "downstream_id_token_jwk_header": { + "description": "The downstream id token JWK header.", + "type": "string" + }, + "downstream_introspection_header": { + "description": "The downstream introspection header.", + "type": "string" + }, + "downstream_introspection_jwt_header": { + "description": "The downstream introspection JWT header.", + "type": "string" + }, + "downstream_refresh_token_header": { + "description": "The downstream refresh token header.", + "type": "string" + }, + "downstream_session_id_header": { + "description": "The downstream session id header.", + "type": "string" + }, + "downstream_user_info_header": { + "description": "The downstream user info header.", + "type": "string" + }, + "downstream_user_info_jwt_header": { + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "dpop_proof_lifetime": { + "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "type": "number" + }, + "dpop_use_nonce": { + "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. 
When enabled it will also be used to calculate the DPoP proof lifetime.", + "type": "boolean" + }, + "enable_hs_signatures": { + "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "type": "boolean" + }, + "end_session_endpoint": { + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "expose_error_code": { + "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "type": "boolean" + }, + "extra_jwks_uris": { + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "forbidden_destroy_session": { + "default": true, + "description": "Destroy any active session for the forbidden requests.", + "type": "boolean" + }, + "forbidden_error_message": { + "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection).", + "type": "string" + }, + "forbidden_redirect_uri": { + "description": "Where to redirect the client on forbidden requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "groups_claim": { + "default": [ + "groups" + ], + "description": "The claim that contains the groups. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "groups_required": { + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "hide_credentials": { + "default": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "type": "boolean" + }, + "http_proxy": { + "description": "The HTTP proxy.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The HTTP proxy authorization.", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The HTTPS proxy.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The HTTPS proxy authorization.", + "type": "string" + }, + "id_token_param_name": { + "description": "The name of the parameter used to pass the id token.", + "type": "string" + }, + "id_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "ignore_signature": { + "default": [], + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - 
`client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "introspection", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspect_jwt_tokens": { + "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "type": "boolean" + }, + "introspection_accept": { + "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt", + "application/token-introspection+jwt" + ], + "type": "string" + }, + "introspection_check_active": { + "default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "type": "boolean" + }, + "introspection_endpoint": { + "description": "The introspection endpoint. 
If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "introspection_endpoint_auth_method": { + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "introspection_headers_client": { + "description": "Extra headers passed from the client to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_names": { + "description": "Extra header names passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_values": { + "description": "Extra header values passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_hint": { + "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "type": "string" + }, + "introspection_post_args_client": { + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_names": { + "description": "Extra post argument names passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_values": { + "description": "Extra post argument values passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_token_param_name": 
{ + "default": "token", + "description": "Designate token's parameter name for introspection.", + "type": "string" + }, + "issuer": { + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "type": "string" + }, + "issuers_allowed": { + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "jwt_session_claim": { + "default": "sid", + "description": "The claim to match against the JWT session cookie.", + "type": "string" + }, + "jwt_session_cookie": { + "description": "The name of the JWT session cookie.", + "type": "string" + }, + "keepalive": { + "default": true, + "description": "Use keepalive with the HTTP client.", + "type": "boolean" + }, + "leeway": { + "default": 0, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "type": "number" + }, + "login_action": { + "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "enum": [ + "redirect", + "response", + "upstream" + ], + "type": "string" + }, + "login_methods": { + "default": [ + "authorization_code" + ], + "description": "Enable login functionality with specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "login_redirect_mode": { + "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "enum": [ + 
"fragment", + "query" + ], + "type": "string" + }, + "login_redirect_uri": { + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "login_tokens": { + "default": [ + "id_token" + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "items": { + "enum": [ + "access_token", + "id_token", + "introspection", + "refresh_token", + "tokens" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "logout_methods": { + "default": [ + "DELETE", + "POST" + ], + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "items": { + "enum": [ + "DELETE", + "GET", + "POST" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "logout_post_arg": { + "description": "The request body argument that activates the logout.", + "type": "string" + }, + "logout_query_arg": { + "description": "The request query argument that activates the logout.", + "type": "string" + }, + "logout_redirect_uri": { + "description": "Where to redirect the client after the logout.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "logout_revoke": { + "default": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + 
"type": "boolean" + }, + "logout_revoke_access_token": { + "default": true, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_revoke_refresh_token": { + "default": true, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_uri_suffix": { + "description": "The request URI suffix that activates the logout.", + "type": "string" + }, + "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "type": "number" + }, + "mtls_introspection_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_revocation_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_token_endpoint": { + "description": "Alias for the token endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "no_proxy": { + "description": "Do not use proxy with these hosts.", + "type": "string" + }, + "password_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "preserve_query_args": { + "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "type": "boolean" + }, + "proof_of_possession_auth_methods_validation": { + "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "type": "boolean" + }, + "proof_of_possession_dpop": { + "default": "off", + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "proof_of_possession_mtls": { + "default": "off", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. 
If the verification fails, the request will be rejected with 401.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "pushed_authorization_request_endpoint": { + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "pushed_authorization_request_endpoint_auth_method": { + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "redirect_uri": { + "description": "The redirect URI passed to the authorization and token endpoints.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "rediscovery_lifetime": { + "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. 
Discovery is still triggered on an as-needed basis.", + "type": "number" + }, + "refresh_token_param_name": { + "description": "The name of the parameter used to pass the refresh token.", + "type": "string" + }, + "refresh_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "refresh_tokens": { + "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "type": "boolean" + }, + "require_proof_key_for_code_exchange": { + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "type": "boolean" + }, + "require_pushed_authorization_requests": { + "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "type": "boolean" + }, + "require_signed_request_object": { + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. 
When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "type": "boolean" + }, + "resolve_distributed_claims": { + "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "type": "boolean" + }, + "response_mode": { + "default": "query", + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "enum": [ + "form_post", + "form_post.jwt", + "fragment", + "fragment.jwt", + "jwt", + "query", + "query.jwt" + ], + "type": "string" + }, + "response_type": { + "default": [ + "code" + ], + "description": "The response type passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "reverify": { + "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", + "type": "boolean" + }, + "revocation_endpoint": { + "description": "The revocation endpoint. 
If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "revocation_endpoint_auth_method": { + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "revocation_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for revocation.", + "type": "string" + }, + "roles_claim": { + "default": [ + "roles" + ], + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "roles_required": { + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "run_on_preflight": { + "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "type": "boolean" + }, + "scopes": { + "default": [ + "openid" + ], + "description": "The scopes passed to the authorization and token endpoints.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "scopes_claim": { + "default": [ + "scope" + ], + "description": "The claim that contains the scopes. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "scopes_required": { + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "search_user_info": { + "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "type": "boolean" + }, + "session_absolute_timeout": { + "default": 86400, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_audience": { + "default": "default", + "description": "The session audience, which is the intended target application. 
For example `\"my-application\"`.", + "type": "string" + }, + "session_cookie_domain": { + "description": "The session cookie Domain flag.", + "type": "string" + }, + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "type": "string" + }, + "session_cookie_path": { + "default": "/", + "description": "The session cookie Path flag.", + "type": "string" + }, + "session_cookie_same_site": { + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean" + }, + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean" + }, + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "type": "boolean" + }, + "session_idling_timeout": { + "default": 900, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 
0 disables the checks and touching.", + "type": "number" + }, + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "type": "string" + }, + "session_memcached_port": { + "default": 11211, + "description": "The memcached port.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "type": "string" + }, + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "type": "string" + }, + "session_redis_cluster_max_redirections": { + "description": "The Redis cluster maximum redirects.", + "type": "integer" + }, + "session_redis_cluster_nodes": { + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "type": "array" + }, + "session_redis_connect_timeout": { + "description": "Session redis connection timeout in milliseconds.", + "type": "integer" + }, + "session_redis_host": { + "default": "127.0.0.1", + "description": "The Redis host.", + "type": "string" + }, + "session_redis_password": { + "description": "Password to use for Redis connection when the `redis` session storage is defined. 
If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "session_redis_port": { + "default": 6379, + "description": "The Redis port.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_redis_prefix": { + "description": "The Redis session key prefix.", + "type": "string" + }, + "session_redis_read_timeout": { + "description": "Session redis read timeout in milliseconds.", + "type": "integer" + }, + "session_redis_send_timeout": { + "description": "Session redis send timeout in milliseconds.", + "type": "integer" + }, + "session_redis_server_name": { + "description": "The SNI used for connecting the Redis server.", + "type": "string" + }, + "session_redis_socket": { + "description": "The Redis unix socket path.", + "type": "string" + }, + "session_redis_ssl": { + "default": false, + "description": "Use SSL/TLS for Redis connection.", + "type": "boolean" + }, + "session_redis_ssl_verify": { + "default": false, + "description": "Verify identity provider server certificate.", + "type": "boolean" + }, + "session_redis_username": { + "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + }, + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean" + }, + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. 
Use with the `remember` configuration parameter.", + "type": "string" + }, + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "type": "number" + }, + "session_request_headers": { + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "session_response_headers": { + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "session_rolling_timeout": { + "default": 3600, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling.", + "type": "number" + }, + "session_secret": { + "description": "The session secret.", + "type": "string" + }, + "session_storage": { + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "enum": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "type": "string" + }, + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network IO timeout in milliseconds.", + "type": "number" + }, + "tls_client_auth_cert_id": { + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "type": "string", + "uuid": true + }, + "tls_client_auth_ssl_verify": { + "default": true, + "description": "Verify identity provider server certificate during mTLS client authentication.", + "type": "boolean" + }, + "token_cache_key_include_scope": { + "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean" + }, + "token_endpoint": { + "description": "The token endpoint. 
If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "token_endpoint_auth_method": { + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "token_exchange_endpoint": { + "description": "The token exchange endpoint.", + "type": "string" + }, + "token_headers_client": { + "description": "Extra headers passed from the client to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_grants": { + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "password", + "refresh_token" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_names": { + "description": "Extra header names passed to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "type": "string" + }, + "token_headers_replay": { + "description": "The names of token endpoint response headers to forward to the downstream client.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_values": { + "description": "Extra header values passed to the 
token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_post_args_client": { + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_post_args_names": { + "description": "Extra post argument names passed to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_post_args_values": { + "description": "Extra post argument values passed to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "unauthorized_destroy_session": { + "default": true, + "description": "Destroy any active session for the unauthorized requests.", + "type": "boolean" + }, + "unauthorized_error_message": { + "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection).", + "type": "string" + }, + "unauthorized_redirect_uri": { + "description": "Where to redirect the client on unauthorized requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "unexpected_redirect_uri": { + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "upstream_access_token_header": { 
+ "default": "authorization:bearer", + "description": "The upstream access token header.", + "type": "string" + }, + "upstream_access_token_jwk_header": { + "description": "The upstream access token JWK header.", + "type": "string" + }, + "upstream_headers_claims": { + "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "upstream_headers_names": { + "description": "The upstream header names for the claim values.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "upstream_id_token_header": { + "description": "The upstream id token header.", + "type": "string" + }, + "upstream_id_token_jwk_header": { + "description": "The upstream id token JWK header.", + "type": "string" + }, + "upstream_introspection_header": { + "description": "The upstream introspection header.", + "type": "string" + }, + "upstream_introspection_jwt_header": { + "description": "The upstream introspection JWT header.", + "type": "string" + }, + "upstream_refresh_token_header": { + "description": "The upstream refresh token header.", + "type": "string" + }, + "upstream_session_id_header": { + "description": "The upstream session id header.", + "type": "string" + }, + "upstream_user_info_header": { + "description": "The upstream user info header.", + "type": "string" + }, + "upstream_user_info_jwt_header": { + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "userinfo_accept": { + "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt" + ], + "type": "string" + }, + "userinfo_endpoint": { + 
"description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "userinfo_headers_client": { + "description": "Extra headers passed from the client to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_names": { + "description": "Extra header names passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_values": { + "description": "Extra header values passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_client": { + "description": "Extra query arguments passed from the client to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_names": { + "description": "Extra query argument names passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_values": { + "description": "Extra query argument values passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "using_pseudo_issuer": { + "default": false, + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "type": "boolean" + }, + "verify_claims": { + "default": true, + "description": "Verify tokens for standard claims.", + "type": "boolean" + }, + "verify_nonce": { + "default": true, + "description": "Verify nonce on authorization code flow.", + "type": "boolean" + }, + "verify_parameters": { + "default": false, + "description": "Verify plugin configuration against discovery.", + "type": "boolean" + }, + "verify_signature": { + "default": true, + "description": "Verify signature of tokens.", + "type": "boolean" + } + }, + "required": [ + "issuer" + ], + "type": "object" + }, + "strategy_id": { + "description": "The strategy id the config is tied to.", + "type": "string" + } + }, + "required": [ + "strategy_id" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ldap-auth-advanced/3.7.json b/json_schemas/ldap-auth-advanced/3.7.json new file mode 100644 index 00000000..2d5fdb43 --- /dev/null +++ b/json_schemas/ldap-auth-advanced/3.7.json 
@@ -0,0 +1,175 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "default": "", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "minLength": 0, + "type": "string" + }, + "attribute": { + "description": "Attribute to be used to search the user; e.g., \"cn\".", + "type": "string" + }, + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", + "type": "string" + }, + "bind_dn": { + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", + "type": "string" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", + "items": { + "enum": [ + "custom_id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_optional": { + "default": false, + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", + "type": "boolean" + }, + "group_base_dn": { + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", + "type": "string" + }, + "group_member_attribute": { + "default": "memberOf", + "description": "Sets the attribute holding the members of the LDAP group. 
This field is case-sensitive.", + "type": "string" + }, + "group_name_attribute": { + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", + "type": "string" + }, + "groups_required": { + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "header_type": { + "default": "ldap", + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. 
It will be removed by Kong before proxying the request.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" + }, + "ldap_host": { + "description": "Host on which the LDAP server is running.", + "type": "string" + }, + "ldap_password": { + "description": "The password to the LDAP server.", + "type": "string" + }, + "ldap_port": { + "default": 389, + "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", + "type": "number" + }, + "ldaps": { + "default": false, + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "type": "boolean" + }, + "log_search_results": { + "default": false, + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", + "type": "boolean" + }, + "start_tls": { + "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" + }, + "verify_ldap_host": { + "default": false, + "description": "Set to `true` to authenticate LDAP server. 
The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/ldap-auth/3.7.json b/json_schemas/ldap-auth/3.7.json new file mode 100644 index 00000000..dc78488a --- /dev/null +++ b/json_schemas/ldap-auth/3.7.json 
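Review bot: `ldaps`, `start_tls` and `verify_ldap_host` all default to `false` and `ldap_port` defaults to 389, so a configuration that leaves them unset talks to the directory over plain LDAP, and turning on `ldaps` or `start_tls` alone still leaves the server certificate unverified. Since the plugin handles `ldap_password` and (going by the `header_type` description) client username/password pairs, the descriptions should state that consequence; I would append to the `verify_ldap_host` description: `Defaults to false, which leaves the LDAP server unauthenticated; set to true whenever ldaps or start_tls is enabled.` The ldap-auth/3.7.json hunk that follows carries the same three defaults. Separately, the `ldaps` description in both hunks says "If the `ldap` setting is enabled" where `ldaps` is presumably meant, and the `group_base_dn` description here ends in a stray `',dc=com'.` fragment.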
@@ -0,0 +1,120 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`.", + "type": "string" + }, + "attribute": { + "description": "Attribute to be used to search the user; e.g. cn", + "type": "string" + }, + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", + "type": "string" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "header_type": { + "default": "ldap", + "description": "An optional string to use as part of the Authorization header", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" + }, + "ldap_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "ldap_port": { + "default": 389, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "ldaps": { + "default": false, + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "type": "boolean" + }, + "start_tls": { + "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. 
If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" + }, + "verify_ldap_host": { + "default": false, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/loggly/3.7.json b/json_schemas/loggly/3.7.json new file mode 100644 index 00000000..5c5621cc --- /dev/null 
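Review bot: The `ldap_host` and `ldap_port` descriptions in this hunk are generic type text ("A string representing a host name…", "An integer representing a port number…") and say nothing about the LDAP server, although the `ldaps` description a few lines later requires port 636. The ldap-auth-advanced schema earlier in this patch words them usefully, and reusing that text would do: `Host on which the LDAP server is running.` and `TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD.` The `attribute`, `base_dn` and `header_type` descriptions also lack a closing period, unlike the other descriptions in the file.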
+++ b/json_schemas/loggly/3.7.json 
@@ -0,0 +1,161 @@ +{ + "properties": { + "config": { + "properties": { + "client_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "host": { + "default": "logs-01.loggly.com", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "key": { + "type": "string" + }, + "log_level": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "port": { + "default": 514, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "server_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "successful_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "tags": { + "default": [ + "kong" + ], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "timeout": { + "default": 10000, + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/mocking/3.7.json b/json_schemas/mocking/3.7.json new file mode 100644 index 00000000..ef0dfd5c --- /dev/null +++ b/json_schemas/mocking/3.7.json 
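Review bot: `custom_fields_by_lua` is described only as "Lua code as a key-value map" and accepts arbitrary keys (`additionalProperties: true`), which does not tell an operator that the values are code the gateway will presumably evaluate, so write access to this plugin's config should be treated as the ability to run Lua in the proxy. A description such as `Lua code as a key-value map; the values are executed by the gateway, so restrict who may edit this field.` would make that explicit. `key` has no description at all; if it is the Loggly account token, as the name suggests, it should be documented as a secret. The `consumer` description in this hunk and in the mocking/3.7.json hunk is missing a word: "where the specified has been authenticated" should read `where the specified consumer has been authenticated`.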
@@ -0,0 +1,114 @@ +{ + "properties": { + "config": { + "properties": { + "api_specification": { + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", + "type": "string" + }, + "api_specification_filename": { + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", + "type": "string" + }, + "custom_base_path": { + "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", + "type": "string" + }, + "include_base_path": { + "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation.", + "type": "boolean" + }, + "included_status_codes": { + "description": "A global list of the HTTP status codes that can only be selected and returned.", + "items": { + "required": [], + "type": "integer" + }, + "type": "array" + }, + "max_delay_time": { + "default": 1, + "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", + "type": "number" + }, + "min_delay_time": { + "default": 0.001, + "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`.", + "type": "number" + }, + "random_delay": { + "default": false, + "description": "Enables a random delay in the mocked response. 
Introduces delays to simulate real-time response times by APIs.", + "type": "boolean" + }, + "random_examples": { + "default": false, + "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", + "type": "boolean" + }, + "random_status_code": { + "default": false, + "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/mtls-auth/3.7.json b/json_schemas/mtls-auth/3.7.json new file mode 100644 index 00000000..e2d663a5 --- /dev/null +++ b/json_schemas/mtls-auth/3.7.json 
@@ -0,0 +1,155 @@ +{ + "properties": { + "config": { + "properties": { + "allow_partial_chain": { + "default": false, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "type": "boolean" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "authenticated_group_by": { + "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "enum": [ + "CN", + "DN" + ], + "type": "string" + }, + "ca_certificates": { + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. 
The value of this array is comprised of primary keys (`id`).", + "items": { + "required": [], + "type": "string", + "uuid": true + }, + "type": "array" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "cert_cache_ttl": { + "default": 60000, + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", + "type": "number" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "items": { + "enum": [ + "custom_id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "default_consumer": { + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "revocation_check_mode": { + "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. 
If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "enum": [ + "IGNORE_CA_ERROR", + "SKIP", + "STRICT" + ], + "type": "string" + }, + "send_ca_dn": { + "default": false, + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", + "type": "boolean" + }, + "skip_consumer_lookup": { + "default": false, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/oas-validation/3.7.json b/json_schemas/oas-validation/3.7.json new file mode 100644 index 00000000..a73a7a5d --- /dev/null +++ b/json_schemas/oas-validation/3.7.json 
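Review bot: The `ca_certificates` description says at least one CA is required, but nothing in the schema enforces it: the property has no `minItems` and `config` has `"required": []`, so a configuration with no trust anchors validates against this file. I would add `"minItems": 1` to `ca_certificates` and set `"required": ["ca_certificates"]` on `config`. The item constraint `"uuid": true` is not a JSON Schema keyword and standard validators ignore it; `"format": "uuid"` expresses the intent, although validators enforce it only when format assertion is enabled. The `revocation_check_mode` description should also state plainly that the default `IGNORE_CA_ERROR` accepts a certificate when the OCSP or CRL lookup fails, and that `STRICT` is the mode that rejects in that case. If this file is generated from the plugin's source schema, these changes belong in the generator rather than here.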
@@ -0,0 +1,137 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_header_parameters": { + "default": "Host,Content-Type,User-Agent,Accept,Content-Length", + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", + "type": "string" + }, + "api_spec": { + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format.", + "type": "string" + }, + "api_spec_encoded": { + "default": true, + "description": "Indicates whether the api_spec is URI-Encoded.", + "type": "boolean" + }, + "custom_base_path": { + "description": "The base path to be used for path match evaluation. 
This value is ignored if `include_base_path` is set to `false`.", + "type": "string" + }, + "header_parameter_check": { + "default": false, + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", + "type": "boolean" + }, + "include_base_path": { + "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation.", + "type": "boolean" + }, + "notify_only_request_validation_failure": { + "default": false, + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", + "type": "boolean" + }, + "notify_only_response_body_validation_failure": { + "default": false, + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", + "type": "boolean" + }, + "query_parameter_check": { + "default": false, + "description": "If set to true, checks if query parameters in the request exist in the API specification.", + "type": "boolean" + }, + "validate_request_body": { + "default": true, + "description": "If set to true, validates the request body content against the API specification.", + "type": "boolean" + }, + "validate_request_header_params": { + "default": true, + "description": "If set to true, validates HTTP header parameters against the API specification.", + "type": "boolean" + }, + "validate_request_query_params": { + "default": true, + "description": "If set to true, validates query parameters against the API specification.", + "type": "boolean" + }, + "validate_request_uri_params": { + "default": true, + "description": "If set to true, validates URI parameters in the request against the API specification.", + "type": "boolean" + }, + "validate_response_body": { + "default": false, + "description": "If set to true, validates the response from the upstream services against the API specification. 
If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", + "type": "boolean" + }, + "verbose_response": { + "default": false, + "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/oauth2-introspection/3.7.json b/json_schemas/oauth2-introspection/3.7.json new file mode 100644 index 00000000..5b600229 --- /dev/null +++ b/json_schemas/oauth2-introspection/3.7.json 
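Review bot: The `verbose_response` description says only that detailed errors are "useful while testing" and leaves out what enabling it elsewhere means. The detailed message presumably reaches the caller and shows which part of the API specification was violated, so I would append `Leave this disabled outside test environments, because the error detail is returned to the client.` to the description. The `consumer` description also drops a noun in `where the specified has been authenticated`; it should read `where the specified Consumer has been authenticated`, and the stray `.).` should be `.)`.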
@@ -0,0 +1,124 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "default": "", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "minLength": 0, + "type": "string" + }, + "authorization_value": { + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", + "type": "string" + }, + "consumer_by": { + "default": "username", + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", + "enum": [ + "client_id", + "username" + ], + "type": "string" + }, + "custom_claims_forward": { + "default": [], + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "custom_introspection_headers": { + "additionalProperties": true, + "description": "A list of custom headers to be added in the introspection request.", + "type": "object" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. 
It will be removed by Kong before proxying the request.", + "type": "boolean" + }, + "introspect_request": { + "default": false, + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", + "type": "boolean" + }, + "introspection_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "integer" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "integer" + }, + "token_type_hint": { + "description": "The `token_type_hint` value to associate to introspection requests.", + "type": "string" + }, + "ttl": { + "default": 30, + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/oauth2/3.7.json b/json_schemas/oauth2/3.7.json new file mode 100644 index 00000000..cd4abae2 --- /dev/null +++ b/json_schemas/oauth2/3.7.json 
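Review bot: `introspection_url` carries only the generic text `A string representing a URL, such as …`, although it is the endpoint that receives the `authorization_value` credential and the token being introspected. The description should say so, for example `The URL of the OAuth 2.0 token introspection endpoint. Use an https URL, because the request carries the Authorization value and the token.`, and `authorization_value` should be described as a secret, since the Base64 in a Basic string is an encoding and gives no protection. The `anonymous` property declares `"default": ""` while its description says `default null`; one of the two should be corrected. The `ttl` text could add that `0` keeps a cached introspection result without expiry, which presumably means a token revoked at the authorization server stays accepted until the cache entry is evicted.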
@@ -0,0 +1,149 @@ +{ + "properties": { + "config": { + "properties": { + "accept_http_if_already_terminated": { + "default": false, + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", + "type": "boolean" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + }, + "auth_header_name": { + "default": "authorization", + "description": "The name of the header that is supposed to carry the access token.", + "type": "string" + }, + "enable_authorization_code": { + "default": false, + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", + "type": "boolean" + }, + "enable_client_credentials": { + "default": false, + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", + "type": "boolean" + }, + "enable_implicit_grant": { + "default": false, + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", + "type": "boolean" + }, + "enable_password_grant": { + "default": false, + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", + "type": "boolean" + }, + "global_credentials": { + "default": false, + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", + "type": "boolean" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "type": "boolean" + }, + "mandatory_scope": { + "default": false, + "description": "An 
optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", + "type": "boolean" + }, + "persistent_refresh_token": { + "default": false, + "type": "boolean" + }, + "pkce": { + "default": "lax", + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", + "enum": [ + "lax", + "none", + "strict" + ], + "type": "string" + }, + "provision_key": { + "description": "The unique key the plugin has generated when it has been added to the Service.", + "type": "string" + }, + "refresh_token_ttl": { + "default": 1209600, + "description": "Time-to-live value for data", + "maximum": 100000000, + "minimum": 0, + "type": "number" + }, + "reuse_refresh_token": { + "default": false, + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", + "type": "boolean" + }, + "scopes": { + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_expiration": { + "default": 7200, + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/opa/3.7.json b/json_schemas/opa/3.7.json new file mode 100644 index 00000000..60c4b8fc --- /dev/null +++ b/json_schemas/opa/3.7.json 
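Review bot: The four `enable_*` grant descriptions cite `RFC 6742 Section 4.1` through `4.4`, but the OAuth 2.0 framework whose Section 4 defines these grants is RFC 6749, so each reference should read e.g. `(RFC 6749 Section 4.1)`. `persistent_refresh_token` has no description at all, and `refresh_token_ttl` says only `Time-to-live value for data`, without a unit or the meaning of the permitted value `0`. The `pkce` description names no behaviour for `lax`, `none` and `strict`, so a reader cannot tell from the schema whether the default `lax` requires a code challenge from every client; one sentence per mode would close that gap.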
@@ -0,0 +1,112 @@ +{ + "properties": { + "config": { + "properties": { + "include_body_in_opa_input": { + "default": false, + "type": "boolean" + }, + "include_consumer_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", + "type": "boolean" + }, + "include_parsed_json_body_in_opa_input": { + "default": false, + "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", + "type": "boolean" + }, + "include_route_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", + "type": "boolean" + }, + "include_service_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", + "type": "boolean" + }, + "include_uri_captures_in_opa_input": { + "default": false, + "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", + "type": "boolean" + }, + "opa_host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "opa_path": { + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "opa_port": { + "default": 8181, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "opa_protocol": { + "default": "http", + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", + "enum": [ + "http", + "https" + ], + "type": "string" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/openid-connect/3.7.json b/json_schemas/openid-connect/3.7.json new file mode 100644 index 00000000..7b5543c6 --- /dev/null 
+++ b/json_schemas/openid-connect/3.7.json 
@@ -0,0 +1,1801 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "audience": { + "description": "The audience passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "audience_claim": { + "default": [ + "aud" + ], + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "audience_required": { + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "auth_methods": { + "default": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "description": "Types of credentials/grants to enable.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "authenticated_groups_claim": { + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", + "type": "string" + }, + "authorization_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "authorization_cookie_name": { + "default": "authorization", + "description": "The authorization cookie name.", + "type": "string" + }, + "authorization_cookie_path": { + "default": "/", + "description": "The authorization cookie Path flag.", + "type": "string" + }, + "authorization_cookie_same_site": { + "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "authorization_endpoint": { + "description": "The authorization endpoint. 
If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "authorization_query_args_client": { + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_names": { + "description": "Extra query argument names passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_values": { + "description": "Extra query argument values passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "authorization_rolling_timeout": { + "default": 600, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number" + }, + "bearer_token_cookie_name": { + "description": "The name of the cookie in which the bearer token is passed.", + "type": "string" + }, + "bearer_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "items": { + "enum": [ + "body", + "cookie", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "by_username_ignore_case": { + "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "type": "boolean" + }, + "cache_introspection": { + "default": true, + "description": "Cache the introspection endpoint requests.", + "type": "boolean" + }, + "cache_token_exchange": { + "default": true, 
+ "description": "Cache the token exchange endpoint requests.", + "type": "boolean" + }, + "cache_tokens": { + "default": true, + "description": "Cache the token endpoint requests.", + "type": "boolean" + }, + "cache_tokens_salt": { + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "type": "string" + }, + "cache_ttl": { + "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "type": "number" + }, + "cache_ttl_max": { + "description": "The maximum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_min": { + "description": "The minimum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_neg": { + "description": "The negative cache ttl in seconds.", + "type": "number" + }, + "cache_ttl_resurrect": { + "description": "The resurrection ttl in seconds.", + "type": "number" + }, + "cache_user_info": { + "default": true, + "description": "Cache the user info requests.", + "type": "boolean" + }, + "client_alg": { + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "items": { + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS384", + "RS512" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_arg": { + "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "type": "string" + }, + "client_auth": { + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 
'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "items": { + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_credentials_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "client_jwk": { + "description": "The JWK used for the private_key_jwt authentication.", + "items": { + "properties": { + "alg": { + "type": "string" + }, + "crv": { + "type": "string" + }, + "d": { + "type": "string" + }, + "dp": { + "type": "string" + }, + "dq": { + "type": "string" + }, + "e": { + "type": "string" + }, + "issuer": { + "type": "string" + }, + "k": { + "type": "string" + }, + "key_ops": { + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "kid": { + "type": "string" + }, + "kty": { + "type": "string" + }, + "n": { + "type": "string" + }, + "oth": { + "type": "string" + }, + "p": { + "type": "string" + }, + "q": { + "type": "string" + }, + "qi": { + "type": "string" + }, + "r": { + "type": "string" + }, + "t": { + "type": "string" + }, + "use": { + "type": "string" + }, + "x": { + "type": "string" + }, + "x5c": { + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "x5t": { + "type": "string" + }, + "x5t#S256": { + "type": "string" + }, + 
"x5u": { + "type": "string" + }, + "y": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "type": "array" + }, + "client_secret": { + "description": "The client secret.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_claim": { + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_optional": { + "default": false, + "description": "Do not terminate the request if consumer mapping fails.", + "type": "boolean" + }, + "credential_claim": { + "default": [ + "sub" + ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "disable_session": { + "description": "Disable issuing the session cookie with the specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_names": { + "description": "Extra header names passed to the discovery endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_values": { + "description": "Extra header values passed to the discovery endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "display_errors": { + "default": false, + "description": "Display errors on failure responses.", + "type": "boolean" + }, + "domains": { + "description": "The allowed values for the `hd` claim.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "downstream_access_token_header": { + "description": "The downstream access token header.", + "type": "string" + }, + "downstream_access_token_jwk_header": { + "description": "The downstream access token JWK header.", + "type": "string" + }, + "downstream_headers_claims": { + "description": "The downstream header claims. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "downstream_headers_names": { + "description": "The downstream header names for the claim values.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "downstream_id_token_header": { + "description": "The downstream id token header.", + "type": "string" + }, + "downstream_id_token_jwk_header": { + "description": "The downstream id token JWK header.", + "type": "string" + }, + "downstream_introspection_header": { + "description": "The downstream introspection header.", + "type": "string" + }, + "downstream_introspection_jwt_header": { + "description": "The downstream introspection JWT header.", + "type": "string" + }, + "downstream_refresh_token_header": { + "description": "The downstream refresh token header.", + "type": "string" + }, + "downstream_session_id_header": { + "description": "The downstream session id header.", + "type": "string" + }, + "downstream_user_info_header": { + "description": "The downstream user info header.", + "type": "string" + }, + "downstream_user_info_jwt_header": { + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "dpop_proof_lifetime": { + "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "type": "number" + }, + "dpop_use_nonce": { + "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. 
When enabled it will also be used to calculate the DPoP proof lifetime.", + "type": "boolean" + }, + "enable_hs_signatures": { + "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "type": "boolean" + }, + "end_session_endpoint": { + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "expose_error_code": { + "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "type": "boolean" + }, + "extra_jwks_uris": { + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "forbidden_destroy_session": { + "default": true, + "description": "Destroy any active session for the forbidden requests.", + "type": "boolean" + }, + "forbidden_error_message": { + "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection).", + "type": "string" + }, + "forbidden_redirect_uri": { + "description": "Where to redirect the client on forbidden requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "groups_claim": { + "default": [ + "groups" + ], + "description": "The claim that contains the groups. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "groups_required": { + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "hide_credentials": { + "default": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "type": "boolean" + }, + "http_proxy": { + "description": "The HTTP proxy.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The HTTP proxy authorization.", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The HTTPS proxy.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The HTTPS proxy authorization.", + "type": "string" + }, + "id_token_param_name": { + "description": "The name of the parameter used to pass the id token.", + "type": "string" + }, + "id_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "ignore_signature": { + "default": [], + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - 
`client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "introspection", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspect_jwt_tokens": { + "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "type": "boolean" + }, + "introspection_accept": { + "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt", + "application/token-introspection+jwt" + ], + "type": "string" + }, + "introspection_check_active": { + "default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "type": "boolean" + }, + "introspection_endpoint": { + "description": "The introspection endpoint. 
If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "introspection_endpoint_auth_method": { + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "introspection_headers_client": { + "description": "Extra headers passed from the client to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_names": { + "description": "Extra header names passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_values": { + "description": "Extra header values passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_hint": { + "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "type": "string" + }, + "introspection_post_args_client": { + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_names": { + "description": "Extra post argument names passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_values": { + "description": "Extra post argument values passed to the introspection endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "introspection_token_param_name": 
{ + "default": "token", + "description": "Designate token's parameter name for introspection.", + "type": "string" + }, + "issuer": { + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "type": "string" + }, + "issuers_allowed": { + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "jwt_session_claim": { + "default": "sid", + "description": "The claim to match against the JWT session cookie.", + "type": "string" + }, + "jwt_session_cookie": { + "description": "The name of the JWT session cookie.", + "type": "string" + }, + "keepalive": { + "default": true, + "description": "Use keepalive with the HTTP client.", + "type": "boolean" + }, + "leeway": { + "default": 0, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "type": "number" + }, + "login_action": { + "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "enum": [ + "redirect", + "response", + "upstream" + ], + "type": "string" + }, + "login_methods": { + "default": [ + "authorization_code" + ], + "description": "Enable login functionality with specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "login_redirect_mode": { + "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "enum": [ + 
"fragment", + "query" + ], + "type": "string" + }, + "login_redirect_uri": { + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "login_tokens": { + "default": [ + "id_token" + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "items": { + "enum": [ + "access_token", + "id_token", + "introspection", + "refresh_token", + "tokens" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "logout_methods": { + "default": [ + "DELETE", + "POST" + ], + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "items": { + "enum": [ + "DELETE", + "GET", + "POST" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "logout_post_arg": { + "description": "The request body argument that activates the logout.", + "type": "string" + }, + "logout_query_arg": { + "description": "The request query argument that activates the logout.", + "type": "string" + }, + "logout_redirect_uri": { + "description": "Where to redirect the client after the logout.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "logout_revoke": { + "default": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + 
"type": "boolean" + }, + "logout_revoke_access_token": { + "default": true, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_revoke_refresh_token": { + "default": true, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_uri_suffix": { + "description": "The request URI suffix that activates the logout.", + "type": "string" + }, + "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "type": "number" + }, + "mtls_introspection_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_revocation_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_token_endpoint": { + "description": "Alias for the token endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "no_proxy": { + "description": "Do not use proxy with these hosts.", + "type": "string" + }, + "password_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "preserve_query_args": { + "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "type": "boolean" + }, + "proof_of_possession_auth_methods_validation": { + "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "type": "boolean" + }, + "proof_of_possession_dpop": { + "default": "off", + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "proof_of_possession_mtls": { + "default": "off", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. 
If the verification fails, the request will be rejected with 401.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "pushed_authorization_request_endpoint": { + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "pushed_authorization_request_endpoint_auth_method": { + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "redirect_uri": { + "description": "The redirect URI passed to the authorization and token endpoints.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "rediscovery_lifetime": { + "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. 
Discovery is still triggered on an as-needed basis.", + "type": "number" + }, + "refresh_token_param_name": { + "description": "The name of the parameter used to pass the refresh token.", + "type": "string" + }, + "refresh_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "refresh_tokens": { + "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "type": "boolean" + }, + "require_proof_key_for_code_exchange": { + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "type": "boolean" + }, + "require_pushed_authorization_requests": { + "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "type": "boolean" + }, + "require_signed_request_object": { + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. 
When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "type": "boolean" + }, + "resolve_distributed_claims": { + "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "type": "boolean" + }, + "response_mode": { + "default": "query", + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "enum": [ + "form_post", + "form_post.jwt", + "fragment", + "fragment.jwt", + "jwt", + "query", + "query.jwt" + ], + "type": "string" + }, + "response_type": { + "default": [ + "code" + ], + "description": "The response type passed to the authorization endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "reverify": { + "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", + "type": "boolean" + }, + "revocation_endpoint": { + "description": "The revocation endpoint. 
If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "revocation_endpoint_auth_method": { + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "revocation_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for revocation.", + "type": "string" + }, + "roles_claim": { + "default": [ + "roles" + ], + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "roles_required": { + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "run_on_preflight": { + "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "type": "boolean" + }, + "scopes": { + "default": [ + "openid" + ], + "description": "The scopes passed to the authorization and token endpoints.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "scopes_claim": { + "default": [ + "scope" + ], + "description": "The claim that contains the scopes. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "scopes_required": { + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "search_user_info": { + "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "type": "boolean" + }, + "session_absolute_timeout": { + "default": 86400, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_audience": { + "default": "default", + "description": "The session audience, which is the intended target application. 
For example `\"my-application\"`.", + "type": "string" + }, + "session_cookie_domain": { + "description": "The session cookie Domain flag.", + "type": "string" + }, + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "type": "string" + }, + "session_cookie_path": { + "default": "/", + "description": "The session cookie Path flag.", + "type": "string" + }, + "session_cookie_same_site": { + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean" + }, + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean" + }, + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "type": "boolean" + }, + "session_idling_timeout": { + "default": 900, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 
0 disables the checks and touching.", + "type": "number" + }, + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "type": "string" + }, + "session_memcached_port": { + "default": 11211, + "description": "The memcached port.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "type": "string" + }, + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "type": "string" + }, + "session_redis_cluster_max_redirections": { + "description": "The Redis cluster maximum redirects.", + "type": "integer" + }, + "session_redis_cluster_nodes": { + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "type": "array" + }, + "session_redis_connect_timeout": { + "description": "Session redis connection timeout in milliseconds.", + "type": "integer" + }, + "session_redis_host": { + "default": "127.0.0.1", + "description": "The Redis host.", + "type": "string" + }, + "session_redis_password": { + "description": "Password to use for Redis connection when the `redis` session storage is defined. 
If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "session_redis_port": { + "default": 6379, + "description": "The Redis port.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_redis_prefix": { + "description": "The Redis session key prefix.", + "type": "string" + }, + "session_redis_read_timeout": { + "description": "Session redis read timeout in milliseconds.", + "type": "integer" + }, + "session_redis_send_timeout": { + "description": "Session redis send timeout in milliseconds.", + "type": "integer" + }, + "session_redis_server_name": { + "description": "The SNI used for connecting the Redis server.", + "type": "string" + }, + "session_redis_socket": { + "description": "The Redis unix socket path.", + "type": "string" + }, + "session_redis_ssl": { + "default": false, + "description": "Use SSL/TLS for Redis connection.", + "type": "boolean" + }, + "session_redis_ssl_verify": { + "default": false, + "description": "Verify identity provider server certificate.", + "type": "boolean" + }, + "session_redis_username": { + "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + }, + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean" + }, + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. 
Use with the `remember` configuration parameter.", + "type": "string" + }, + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "type": "number" + }, + "session_request_headers": { + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "session_response_headers": { + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "session_rolling_timeout": { + "default": 3600, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling.", + "type": "number" + }, + "session_secret": { + "description": "The session secret.", + "type": "string" + }, + "session_storage": { + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "enum": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "type": "string" + }, + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network IO timeout in milliseconds.", + "type": "number" + }, + "tls_client_auth_cert_id": { + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "type": "string", + "uuid": true + }, + "tls_client_auth_ssl_verify": { + "default": true, + "description": "Verify identity provider server certificate during mTLS client authentication.", + "type": "boolean" + }, + "token_cache_key_include_scope": { + "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean" + }, + "token_endpoint": { + "description": "The token endpoint. 
If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "token_endpoint_auth_method": { + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "token_exchange_endpoint": { + "description": "The token exchange endpoint.", + "type": "string" + }, + "token_headers_client": { + "description": "Extra headers passed from the client to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_grants": { + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "password", + "refresh_token" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_names": { + "description": "Extra header names passed to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "type": "string" + }, + "token_headers_replay": { + "description": "The names of token endpoint response headers to forward to the downstream client.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_headers_values": { + "description": "Extra header values passed to the 
token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_post_args_client": { + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_post_args_names": { + "description": "Extra post argument names passed to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "token_post_args_values": { + "description": "Extra post argument values passed to the token endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "unauthorized_destroy_session": { + "default": true, + "description": "Destroy any active session for the unauthorized requests.", + "type": "boolean" + }, + "unauthorized_error_message": { + "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection).", + "type": "string" + }, + "unauthorized_redirect_uri": { + "description": "Where to redirect the client on unauthorized requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "unexpected_redirect_uri": { + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [], + "type": "string" + }, + "type": "array" + }, + "upstream_access_token_header": { 
+ "default": "authorization:bearer", + "description": "The upstream access token header.", + "type": "string" + }, + "upstream_access_token_jwk_header": { + "description": "The upstream access token JWK header.", + "type": "string" + }, + "upstream_headers_claims": { + "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "upstream_headers_names": { + "description": "The upstream header names for the claim values.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "upstream_id_token_header": { + "description": "The upstream id token header.", + "type": "string" + }, + "upstream_id_token_jwk_header": { + "description": "The upstream id token JWK header.", + "type": "string" + }, + "upstream_introspection_header": { + "description": "The upstream introspection header.", + "type": "string" + }, + "upstream_introspection_jwt_header": { + "description": "The upstream introspection JWT header.", + "type": "string" + }, + "upstream_refresh_token_header": { + "description": "The upstream refresh token header.", + "type": "string" + }, + "upstream_session_id_header": { + "description": "The upstream session id header.", + "type": "string" + }, + "upstream_user_info_header": { + "description": "The upstream user info header.", + "type": "string" + }, + "upstream_user_info_jwt_header": { + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "userinfo_accept": { + "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt" + ], + "type": "string" + }, + "userinfo_endpoint": { + 
"description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "userinfo_headers_client": { + "description": "Extra headers passed from the client to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_names": { + "description": "Extra header names passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_values": { + "description": "Extra header values passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_client": { + "description": "Extra query arguments passed from the client to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_names": { + "description": "Extra query argument names passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_values": { + "description": "Extra query argument values passed to the user info endpoint.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "using_pseudo_issuer": { + "default": false, + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "type": "boolean" + }, + "verify_claims": { + "default": true, + "description": "Verify tokens for standard claims.", + "type": "boolean" + }, + "verify_nonce": { + "default": true, + "description": "Verify nonce on authorization code flow.", + "type": "boolean" + }, + "verify_parameters": { + "default": false, + "description": "Verify plugin configuration against discovery.", + "type": "boolean" + }, + "verify_signature": { + "default": true, + "description": "Verify signature of tokens.", + "type": "boolean" + } + }, + "required": [], + "shorthand_fields": { + "authorization_cookie_httponly": { + "type": "boolean" + }, + "authorization_cookie_lifetime": { + "type": "number" + }, + "authorization_cookie_samesite": { + "type": "string" + }, + "session_compressor": { + "type": "string" + }, + "session_cookie_httponly": { + "type": "boolean" + }, + "session_cookie_idletime": { + "type": "number" + }, + "session_cookie_lifetime": { + "type": "number" + }, + "session_cookie_maxsize": { + "type": "integer" + }, + "session_cookie_renew": { + "type": "number" + }, + "session_cookie_samesite": { + "type": "string" + }, + "session_memcache_host": { + "type": "string" + }, + "session_memcache_port": { + "type": "integer" + }, + "session_memcache_prefix": { + "type": "string" + }, + "session_memcache_socket": { + "type": "string" + }, + "session_redis_cluster_maxredirections": { + "type": "integer" + }, + "session_strategy": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when 
receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/opentelemetry/3.7.json b/json_schemas/opentelemetry/3.7.json new file mode 100644 index 00000000..5b19a1c1 --- /dev/null +++ b/json_schemas/opentelemetry/3.7.json 
@@ -0,0 +1,253 @@ +{ + "properties": { + "config": { + "properties": { + "batch_flush_delay": { + "description": "The delay, in seconds, between two consecutive batches.", + "type": "integer" + }, + "batch_span_count": { + "description": "The number of spans to be sent in a single batch.", + "type": "integer" + }, + "connect_timeout": { + "default": 1000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "header_type": { + "default": "preserve", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "ignore", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "type": "string" + }, + "headers": { + "additionalProperties": true, + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", + "type": "object" + }, + "http_response_header_for_traceid": { + "type": "string" + }, + "propagation": { + "default": { + "default_format": "w3c" + }, + "properties": { + "clear": { + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "default_format": { + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. 
This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "type": "string" + }, + "extract": { + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "items": { + "enum": [ + "aws", + "b3", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "inject": { + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "items": { + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "default_format" + ], + "type": "object" + }, + "queue": { + "default": { + "max_batch_size": 200 + }, + "properties": { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + 
"description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "resource_attributes": { + "additionalProperties": true, + "type": "object" + }, + "sampling_rate": { + "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/post-function/3.7.json b/json_schemas/post-function/3.7.json new file mode 100644 index 00000000..33806f8a --- /dev/null +++ b/json_schemas/post-function/3.7.json 
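Review bot: `config.headers` is described as the place for the APM backend's authentication token, yet it is typed as a free-form object (`"additionalProperties": true`) with nothing telling the operator that its values are credentials. I would extend the description with something like `Values may contain credentials; supply them through a secret reference rather than a literal where the deployment supports it, and keep them out of logs and exported configuration.` Whether this field accepts vault references is not visible in the hunk, so that wording should be confirmed against the plugin. Separately, `queue` declares `"default": { "max_batch_size": 200 }` while `queue.max_batch_size` itself declares `"default": 1`, and a reader cannot tell which applies. The `consumer` description also reads "where the specified has been authenticated" with the noun missing; the same text appears in the prometheus/3.7.json hunk.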
@@ -0,0 +1,140 @@ +{ + "properties": { + "config": { + "properties": { + "access": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "body_filter": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "certificate": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "header_filter": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "log": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "rewrite": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_client_frame": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_close": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_handshake": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_upstream_frame": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/pre-function/3.7.json b/json_schemas/pre-function/3.7.json new file mode 100644 index 00000000..33806f8a --- /dev/null +++ b/json_schemas/pre-function/3.7.json 
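Review bot: None of the phase fields under `config` (`access`, `body_filter`, `certificate`, `header_filter`, `log`, `rewrite` and the four `ws_*` fields) has a `description`, so the schema shows only arrays of strings. As far as I know, each string for this plugin is Lua source that the gateway runs in the named phase, which makes this the most security-sensitive setting in the file. I would add a description per field, for example `"description": "Lua code to run during the access phase. Write access to this field is equivalent to code execution on the gateway, so restrict who may configure it."` The pre-function/3.7.json hunk that follows is identical and needs the same text. If these files are exported from the plugin's own schema, the descriptions belong there so the next export keeps them.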
@@ -0,0 +1,140 @@ +{ + "properties": { + "config": { + "properties": { + "access": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "body_filter": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "certificate": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "header_filter": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "log": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "rewrite": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_client_frame": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_close": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_handshake": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ws_upstream_frame": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/prometheus/3.7.json b/json_schemas/prometheus/3.7.json new file mode 100644 index 00000000..278323fc --- /dev/null +++ b/json_schemas/prometheus/3.7.json 
@@ -0,0 +1,96 @@ +{ + "properties": { + "config": { + "properties": { + "bandwidth_metrics": { + "default": false, + "description": "A boolean value that determines if bandwidth metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", + "type": "boolean" + }, + "latency_metrics": { + "default": false, + "description": "A boolean value that determines if latency metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", + "type": "boolean" + }, + "per_consumer": { + "default": false, + "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", + "type": "boolean" + }, + "status_code_metrics": { + "default": false, + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", + "type": "boolean" + }, + "upstream_health_metrics": { + "default": false, + "description": "A boolean value that determines if upstream metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/proxy-cache-advanced/3.7.json b/json_schemas/proxy-cache-advanced/3.7.json new file mode 100644 index 00000000..2fb2192c --- /dev/null +++ b/json_schemas/proxy-cache-advanced/3.7.json 
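Review bot: The metric names in the `config` descriptions are inconsistent: `per_consumer` refers to `kong_http_requests_total` and `kong_bandwidth_bytes`, while `status_code_metrics` and `bandwidth_metrics` name the same metrics without the prefix (`http_requests_total`, `bandwidth_bytes`). An operator writing alert rules or scrape filters from this schema cannot tell which spelling is exported, so I would use one form throughout, presumably the prefixed one, after checking the exporter. The `per_consumer` description could also note that the consumer label puts consumer identifiers into the metrics output, so access to the metrics endpoint should be restricted accordingly.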
@@ -0,0 +1,321 @@ +{ + "properties": { + "config": { + "properties": { + "bypass_on_err": { + "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "type": "boolean" + }, + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities.", + "minimum": 0, + "type": "integer" + }, + "content_type": { + "default": [ + "application/json", + "text/plain" + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ignore_uri_case": { + "default": false, + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", + "type": "boolean" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "redis": { + "properties": { + "cluster_addresses": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. 
The minimum length of the array is 1 element.", + "items": { + "required": [], + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_addresses": { + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "items": { + "required": [], + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "request_method": { + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", + "items": { + "enum": [ + "GET", + "HEAD", + "PATCH", + "POST", + "PUT" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "response_code": { + "default": [ + 200, + 301, + 404 + ], + "description": "Upstream response status code considered cacheable. 
The integers must be a value between 100 and 900.", + "items": { + "maximum": 900, + "minimum": 100, + "required": [], + "type": "integer" + }, + "minLength": 1, + "type": "array" + }, + "response_headers": { + "description": "Caching related diagnostic headers that should be included in cached responses", + "properties": { + "X-Cache-Key": { + "default": true, + "type": "boolean" + }, + "X-Cache-Status": { + "default": true, + "type": "boolean" + }, + "age": { + "default": true, + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "storage_ttl": { + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" + }, + "strategy": { + "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", + "enum": [ + "memory", + "redis" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/proxy-cache/3.7.json b/json_schemas/proxy-cache/3.7.json new file mode 100644 index 00000000..d0b32ca7 --- /dev/null +++ b/json_schemas/proxy-cache/3.7.json 
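Review bot: In `config.redis` the `ssl` and `ssl_verify` properties both default to `false`, and neither the `password` nor the `sentinel_password` description says that the credential then crosses the network in cleartext, or that `ssl: true` alone leaves the server certificate unchecked. Operators read this schema when wiring the `redis` strategy, so I would append to both password descriptions something like `Sent unencrypted unless ssl is true; set ssl_verify to true as well so the Redis server certificate is validated.` The same Redis settings, with the same defaults and wording, appear in the rate-limiting-advanced and rate-limiting schemas later in this patch. If these files are pulled from the API as generated output, the wording fix probably belongs in the upstream schema rather than here.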
@@ -0,0 +1,201 @@ +{ + "properties": { + "config": { + "properties": { + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL, in seconds, of cache entities.", + "minimum": 0, + "type": "integer" + }, + "content_type": { + "default": [ + "application/json", + "text/plain" + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "ignore_uri_case": { + "default": false, + "type": "boolean" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "request_method": { + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable.", + "items": { + "enum": [ + "GET", + "HEAD", + "PATCH", + "POST", + "PUT" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "response_code": { + "default": [ + 200, + 301, + 404 + ], + "description": "Upstream response status code considered cacheable.", + "items": { + "maximum": 900, + "minimum": 100, + "required": [], + "type": "integer" + }, + "minLength": 1, + "type": "array" + }, + "response_headers": { + "description": "Caching related diagnostic headers that should be included in cached responses", + "properties": { + "X-Cache-Key": { + "default": true, + "type": "boolean" + }, + "X-Cache-Status": { + "default": true, + "type": "boolean" + }, + "age": { + "default": true, + "type": "boolean" + } + }, + "required": [], + "type": "object" + 
}, + "storage_ttl": { + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" + }, + "strategy": { + "description": "The backing data store in which to hold cache entities.", + "enum": [ + "memory" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/rate-limiting-advanced/3.7.json b/json_schemas/rate-limiting-advanced/3.7.json new file mode 100644 index 00000000..e0c10f30 --- /dev/null +++ b/json_schemas/rate-limiting-advanced/3.7.json 
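Review bot: `config.response_code` is declared `"type": "array"` with `"minLength": 1`, but `minLength` only constrains strings in JSON Schema, so an empty list passes validation here; the keyword that bounds array size is `"minItems": 1`. The same pattern is on `response_code`, `redis.cluster_addresses` and `redis.sentinel_addresses` in the proxy-cache-advanced schema and on the two Redis address lists in rate-limiting-advanced, where the descriptions explicitly promise a minimum of one element. Anything that validates user configuration against these files will not enforce that promise until the keyword is changed.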
@@ -0,0 +1,304 @@ +{ + "properties": { + "config": { + "properties": { + "consumer_groups": { + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "type": "string" + }, + "disable_penalty": { + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", + "type": "boolean" + }, + "enforce_consumer_groups": { + "default": false, + "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. 
You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", + "type": "boolean" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "minimum": 0, + "type": "number" + }, + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" + }, + "identifier": { + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "enum": [ + "consumer", + "consumer-group", + "credential", + "header", + "ip", + "path", + "service" + ], + "type": "string" + }, + "limit": { + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "items": { + "required": [], + "type": "number" + }, + "type": "array" + }, + "namespace": { + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", + "type": "string" + }, + "path": { + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "redis": { + "properties": { + "cluster_addresses": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "items": { + "required": [], + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_addresses": { + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "items": { + "required": [], + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + }, + "strategy": { + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. 
A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + }, + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "items": { + "required": [], + "type": "number" + }, + "type": "array" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/rate-limiting/3.7.json b/json_schemas/rate-limiting/3.7.json new file mode 100644 index 00000000..aef90ea0 --- /dev/null +++ b/json_schemas/rate-limiting/3.7.json 
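Review bot: The `config.strategy` description says the available values are `local` and `cluster`, while the `enum` directly below it also accepts `redis` and the schema carries a full `config.redis` block. The description should list all three, e.g. `Available values are: local, cluster and redis.`, so readers are not left to discover the Redis option (and its TLS and authentication settings) from the enum alone.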
@@ -0,0 +1,283 @@ +{ + "properties": { + "config": { + "properties": { + "day": { + "description": "The number of HTTP requests that can be made per day.", + "minimum": 0, + "type": "number" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "minimum": 0, + "type": "number" + }, + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "fault_tolerant": { + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", + "type": "boolean" + }, + "header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers.", + "type": "boolean" + }, + "hour": { + "description": "The number of HTTP requests that can be made per hour.", + "minimum": 0, + "type": "number" + }, + "limit_by": { + "default": "consumer", + "description": "The entity that is used when aggregating the limits.", + "enum": [ + "consumer", + "consumer-group", + "credential", + "header", + "ip", + "path", + "service" + ], + "type": "string" + }, + "minute": { + "description": "The number of HTTP requests that can be made per minute.", + "minimum": 0, + "type": "number" + }, + "month": { + "description": "The number of HTTP requests that can be made per month.", + "minimum": 0, + "type": "number" + }, + "path": { + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "policy": { + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "enum": [ + "cluster", + "local", + "redis" + ], + "minLength": 0, + "type": "string" + }, + "redis": { + "description": "Redis configuration", + "properties": { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "minLength": 0, + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. 
If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "second": { + "description": "The number of HTTP requests that can be made per second.", + "minimum": 0, + "type": "number" + }, + "sync_rate": { + "default": -1, + "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior.", + "type": "number" + }, + "year": { + "description": "The number of HTTP requests that can be made per year.", + "minimum": 0, + "type": "number" + } + }, + "required": [], + "shorthand_fields": { + "redis_database": { + "translate_backwards": [ + "database", + "redis" + ], + "type": "integer" + }, + "redis_host": { + "translate_backwards": [ + "host", + "redis" + ], + "type": "string" + }, + "redis_password": { + "minLength": 0, + "translate_backwards": [ + "password", + "redis" + ], + "type": "string" + }, + "redis_port": { + "translate_backwards": [ + "port", + "redis" + ], + "type": "integer" + }, + "redis_server_name": { + "translate_backwards": [ + "redis", + "server_name" + ], + "type": "string" + }, + "redis_ssl": { + "translate_backwards": [ + "redis", + "ssl" + ], + "type": "boolean" + }, + "redis_ssl_verify": { + "translate_backwards": [ + "redis", + "ssl_verify" + ], + "type": "boolean" + }, + "redis_timeout": { + "translate_backwards": [ + "redis", + "timeout" + ], + "type": "integer" + }, + "redis_username": { + "translate_backwards": [ + "redis", + "username" + ], + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/request-size-limiting/3.7.json b/json_schemas/request-size-limiting/3.7.json new file mode 100644 index 00000000..3d4e9633 --- /dev/null +++ b/json_schemas/request-size-limiting/3.7.json 
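Review bot: In `json_schemas/rate-limiting/3.7.json`, `redis.ssl` and `redis.ssl_verify` both default to `false` and sit next to `redis.password`, but neither description says what that default means for the credential. I would extend the `ssl` description to something like `"If set to true, uses SSL to connect to Redis. When false, the Redis password and counters are sent unencrypted."`, and state on `ssl_verify` that the server certificate is not checked while it is `false`. `fault_tolerant` defaults to `true`, which its description says disables rate limiting while the data store is unreachable; that fail-open default deserves the same explicit wording for operators who rely on the limit as a control. The same `redis` block appears in the `response-ratelimiting/3.7.json` hunk.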
@@ -0,0 +1,84 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_payload_size": { + "default": 128, + "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", + "type": "integer" + }, + "require_content_length": { + "default": false, + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", + "type": "boolean" + }, + "size_unit": { + "default": "megabytes", + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", + "enum": [ + "bytes", + "kilobytes", + "megabytes" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/request-termination/3.7.json b/json_schemas/request-termination/3.7.json new file mode 100644 index 00000000..96110caf --- /dev/null +++ b/json_schemas/request-termination/3.7.json 
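Review bot: `allowed_payload_size` in `json_schemas/request-size-limiting/3.7.json` has no lower bound, so a negative size validates against this schema. Adding `"minimum": 0` would reject it; whether zero is a meaningful value is not visible here. The description also says the size is "in megabytes" while `size_unit` allows `bytes` and `kilobytes`, so I would reword it to `"Allowed request payload size, in the unit given by size_unit (default megabytes)."`.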
@@ -0,0 +1,103 @@ +{ + "properties": { + "config": { + "properties": { + "body": { + "description": "The raw response body to send. This is mutually exclusive with the `config.message` field.", + "type": "string" + }, + "content_type": { + "description": "Content type of the raw response configured with `config.body`.", + "type": "string" + }, + "echo": { + "default": false, + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", + "type": "boolean" + }, + "message": { + "description": "The message to send, if using the default response generator.", + "type": "string" + }, + "status_code": { + "default": 503, + "description": "The response code to send. Must be an integer between 100 and 599.", + "maximum": 599, + "minimum": 100, + "type": "integer" + }, + "trigger": { + "description": "A string representing an HTTP header name.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/request-transformer-advanced/3.7.json b/json_schemas/request-transformer-advanced/3.7.json new file mode 100644 index 00000000..b7a77c42 --- /dev/null +++ b/json_schemas/request-transformer-advanced/3.7.json 
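Review bot: The `trigger` description in `json_schemas/request-termination/3.7.json` is the generic `"A string representing an HTTP header name."` and does not say what the field does, although the `echo` description relies on it ("combined with `trigger`"). Because `echo` returns a copy of the request to the client, which may include headers carrying credentials, the schema should say how `trigger` gates the plugin. A description stating that the plugin activates only for requests carrying a header of that name would do, to be confirmed against the plugin's actual behaviour.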
@@ -0,0 +1,290 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "allow": { + "properties": { + "body": { + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "append": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "dots_in_keys": { + "default": true, + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects).", + "type": "boolean" + }, + "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. 
The string must contain only uppercase letters.", + "pattern": "^[A-Z]+$", + "type": "string" + }, + "remove": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "rename": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "replace": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "uri": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/request-transformer/3.7.json b/json_schemas/request-transformer/3.7.json new file mode 100644 index 00000000..8a4551c8 --- /dev/null +++ b/json_schemas/request-transformer/3.7.json 
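Review bot: The `headers` arrays under `add`, `append`, `rename` and `replace` in `json_schemas/request-transformer-advanced/3.7.json` accept any string, whereas the `request-transformer/3.7.json` hunk that follows constrains the same fields with `"pattern": "^[^:]+:.*$"`. If the advanced plugin expects the same `name:value` form, the item schema should carry that pattern so malformed entries are rejected at validation time. Apart from `dots_in_keys` and `http_method`, none of the transformation fields in either file has a `description`; a one-line description per group (`add`, `allow`, `append`, `remove`, `rename`, `replace`) would make the schema usable as documentation.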
@@ -0,0 +1,244 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "append": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. 
The string must contain only uppercase letters.", + "pattern": "^[A-Z]+$", + "type": "string" + }, + "remove": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "rename": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "replace": { + "properties": { + "body": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "uri": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/request-validator/3.7.json b/json_schemas/request-validator/3.7.json new file mode 100644 index 00000000..5da7629d --- /dev/null +++ b/json_schemas/request-validator/3.7.json 
@@ -0,0 +1,150 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_content_types": { + "default": [ + "application/json" + ], + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "body_schema": { + "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.", + "type": "string" + }, + "content_type_parameter_validation": { + "default": true, + "description": "Determines whether to enable parameters validation of request content-type.", + "type": "boolean" + }, + "parameter_schema": { + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", + "items": { + "properties": { + "explode": { + "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect.", + "type": "boolean" + }, + "in": { + "description": "The location of the parameter.", + "enum": [ + "header", + "path", + "query" + ], + "type": "string" + }, + "name": { + "description": "The name of the parameter. Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`.", + "type": "string" + }, + "required": { + "description": "Determines whether this parameter is mandatory.", + "type": "boolean" + }, + "schema": { + "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. 
In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating.", + "type": "string" + }, + "style": { + "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", + "enum": [ + "deepObject", + "form", + "label", + "matrix", + "pipeDelimited", + "simple", + "spaceDelimited" + ], + "type": "string" + } + }, + "required": [ + "in", + "name", + "required" + ], + "type": "object" + }, + "type": "array" + }, + "verbose_response": { + "default": false, + "description": "If enabled, the plugin returns more verbose and detailed validation errors.", + "type": "boolean" + }, + "version": { + "default": "kong", + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", + "enum": [ + "draft4", + "kong" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/response-ratelimiting/3.7.json b/json_schemas/response-ratelimiting/3.7.json new file mode 100644 index 00000000..6b390f52 --- /dev/null +++ b/json_schemas/response-ratelimiting/3.7.json 
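Review bot: The `body_schema` and `parameter_schema` descriptions in `json_schemas/request-validator/3.7.json` say one of the two must be specified, but `config` has `"required": []` and no combinator, so an empty `config` passes validation. Adding `"anyOf": [{"required": ["body_schema"]}, {"required": ["parameter_schema"]}]` to `config` would express that rule in the schema. The "required when … are set" coupling between `schema`, `style` and `explode` likewise exists only in prose. The `schema` description also has a typo, "Requred".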
@@ -0,0 +1,229 @@ +{ + "properties": { + "config": { + "properties": { + "block_on_first_violation": { + "default": false, + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", + "type": "boolean" + }, + "fault_tolerant": { + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", + "type": "boolean" + }, + "header_name": { + "default": "x-kong-limit", + "description": "The name of the response header used to increment the counters.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers.", + "type": "boolean" + }, + "limit_by": { + "default": "consumer", + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. 
If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", + "enum": [ + "consumer", + "credential", + "ip" + ], + "type": "string" + }, + "limits": { + "additionalProperties": true, + "description": "A map that defines rate limits for the plugin.", + "minLength": 1, + "type": "object" + }, + "policy": { + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "redis": { + "description": "Redis configuration", + "properties": { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "minLength": 0, + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "shorthand_fields": { + "redis_database": { + "translate_backwards": [ + "database", + "redis" + ], + "type": "integer" + }, + "redis_host": { + "translate_backwards": [ + "host", + "redis" + ], + "type": "string" + }, + "redis_password": { + "minLength": 0, + "translate_backwards": [ + "password", + "redis" + ], + "type": "string" + }, + "redis_port": { + "translate_backwards": [ + "port", + "redis" + ], + "type": "integer" + }, + "redis_server_name": { + "translate_backwards": [ + "redis", + "server_name" + ], + "type": "string" + }, + "redis_ssl": { + "translate_backwards": [ + "redis", + "ssl" + ], + "type": "boolean" + }, + "redis_ssl_verify": { + "translate_backwards": [ + "redis", + "ssl_verify" + ], + "type": "boolean" + }, + "redis_timeout": { + "translate_backwards": [ + "redis", + "timeout" + ], + "type": "integer" + }, + "redis_username": { + "translate_backwards": [ + "redis", + "username" + ], + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/response-transformer-advanced/3.7.json b/json_schemas/response-transformer-advanced/3.7.json new file mode 100644 index 00000000..e5c923b4 --- /dev/null +++ b/json_schemas/response-transformer-advanced/3.7.json 
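Review bot: `config.limits` in `json_schemas/response-ratelimiting/3.7.json` is declared `"type": "object"` with `"minLength": 1`, but `minLength` only constrains strings, so a validator accepts an empty `limits` map. If the intent is at least one limit, the keyword should be `"minProperties": 1`. `"additionalProperties": true` with no value schema also leaves each limit entry unconstrained. If this file is produced by a converter from the plugin's own schema, both fixes probably belong in the converter rather than in this file.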
@@ -0,0 +1,309 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "allow": { + "properties": { + "json": { + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "append": { + "properties": { + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "dots_in_keys": { + "default": true, + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", + "type": "boolean" + }, + "remove": { + "properties": { + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": 
"object" + }, + "rename": { + "properties": { + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "replace": { + "properties": { + "body": { + "description": "String with which to replace the entire response body.", + "type": "string" + }, + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "transform": { + "properties": { + "functions": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/response-transformer/3.7.json b/json_schemas/response-transformer/3.7.json new file mode 100644 index 00000000..5af6f89e --- /dev/null +++ b/json_schemas/response-transformer/3.7.json 
@@ -0,0 +1,226 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "append": { + "properties": { + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. 
Each string element can be one of: boolean, number, or string.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "remove": { + "properties": { + "headers": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "rename": { + "properties": { + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "replace": { + "properties": { + "headers": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [], + "items": { + "pattern": "^[^:]+:.*$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/route-by-header/3.7.json b/json_schemas/route-by-header/3.7.json new file mode 100644 index 00000000..2e8bace4 --- /dev/null +++ b/json_schemas/route-by-header/3.7.json 
@@ -0,0 +1,86 @@ +{ + "properties": { + "config": { + "properties": { + "rules": { + "default": [], + "description": "Route by header rules.", + "items": { + "properties": { + "condition": { + "additionalProperties": true, + "minLength": 1, + "type": "object" + }, + "upstream_name": { + "type": "string" + } + }, + "required": [ + "condition", + "upstream_name" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
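Review bot: `rules[].condition` in the route-by-header schema is declared as `"type": "object"` with `"minLength": 1`, but `minLength` only constrains strings in JSON Schema, so an empty `condition` object still validates even though `condition` is listed as required. If the intent is at least one header match per rule, the keyword should be `"minProperties": 1`. With `"additionalProperties": true` and no `properties`, header names and values are not checked by this schema at all; whether the plugin validates them itself is not visible here. These files are downloaded from the API, so the fix probably belongs in the generator rather than in this file.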
diff --git a/json_schemas/route-transformer-advanced/3.7.json b/json_schemas/route-transformer-advanced/3.7.json new file mode 100644 index 00000000..759d3aa2 --- /dev/null +++ b/json_schemas/route-transformer-advanced/3.7.json @@ -0,0 +1,77 @@ +{ + "properties": { + "config": { + "properties": { + "escape_path": { + "default": false, + "type": "boolean" + }, + "host": { + "type": "string" + }, + "path": { + "type": "string" + }, + "port": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
diff --git a/json_schemas/saml/3.7.json b/json_schemas/saml/3.7.json new file mode 100644 index 00000000..4d9e1c85 --- /dev/null +++ b/json_schemas/saml/3.7.json 
@@ -0,0 +1,427 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", + "type": "string" + }, + "assertion_consumer_path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "idp_certificate": { + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "type": "string" + }, + "idp_sso_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "issuer": { + "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", + "type": "string" + }, + "nameid_format": { + "default": "EmailAddress", + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", + "enum": [ + "EmailAddress", + "Persistent", + "Transient", + "Unspecified" + ], + "type": "string" + }, + "request_digest_algorithm": { + "default": "SHA256", + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", + "enum": [ + "SHA1", + "SHA256" + ], + "type": "string" + }, + "request_signature_algorithm": { + "default": "SHA256", + "description": "The signature algorithm for signing Authn requests. 
Options available are: - `SHA256` - `SHA384` - `SHA512`", + "enum": [ + "SHA256", + "SHA384", + "SHA512" + ], + "type": "string" + }, + "request_signing_certificate": { + "description": "The certificate for signing requests.", + "type": "string" + }, + "request_signing_key": { + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", + "type": "string" + }, + "response_digest_algorithm": { + "default": "SHA256", + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", + "enum": [ + "SHA1", + "SHA256" + ], + "type": "string" + }, + "response_encryption_key": { + "description": "The private encryption key required to decrypt encrypted assertions.", + "type": "string" + }, + "response_signature_algorithm": { + "default": "SHA256", + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "enum": [ + "SHA256", + "SHA384", + "SHA512" + ], + "type": "string" + }, + "session_absolute_timeout": { + "default": 86400, + "description": "The session cookie absolute timeout in seconds. 
Specifies how long the session can be used until it is no longer valid.", + "type": "number" + }, + "session_audience": { + "default": "default", + "description": "The session audience, for example \"my-application\"", + "type": "string" + }, + "session_cookie_domain": { + "description": "The session cookie domain flag.", + "type": "string" + }, + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "type": "string" + }, + "session_cookie_path": { + "default": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "session_cookie_same_site": { + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "session_cookie_secure": { + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean" + }, + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean" + }, + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "type": "boolean" + }, + "session_idling_timeout": { + "default": 900, + "description": "The session cookie idle time in seconds.", + "type": "number" + }, + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "type": "string" + }, + "session_memcached_port": { + "default": 11211, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "type": "string" + }, + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "type": "string" + }, + "session_redis_cluster_max_redirections": { + "description": "The Redis cluster maximum redirects.", + "type": "integer" + }, + "session_redis_cluster_nodes": { + "description": "The Redis cluster node host. 
Takes an array of host records, with either `ip` or `host`, and `port` values.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "type": "array" + }, + "session_redis_connect_timeout": { + "description": "The Redis connection timeout in milliseconds.", + "type": "integer" + }, + "session_redis_host": { + "default": "127.0.0.1", + "description": "The Redis host IP.", + "type": "string" + }, + "session_redis_password": { + "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. This value is pulled from", + "type": "string" + }, + "session_redis_port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_redis_prefix": { + "description": "The Redis session key prefix.", + "type": "string" + }, + "session_redis_read_timeout": { + "description": "The Redis read timeout in milliseconds.", + "type": "integer" + }, + "session_redis_send_timeout": { + "description": "The Redis send timeout in milliseconds.", + "type": "integer" + }, + "session_redis_server_name": { + "description": "The SNI used for connecting to the Redis server.", + "type": "string" + }, + "session_redis_socket": { + "description": "The Redis unix socket path.", + "type": "string" + }, + "session_redis_ssl": { + "default": false, + "description": "Use SSL/TLS for the Redis connection.", + "type": "boolean" + }, + "session_redis_ssl_verify": { + "default": false, + "description": "Verify the Redis server certificate.", + "type": "boolean" + }, + 
"session_redis_username": { + "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "type": "string" + }, + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions", + "type": "boolean" + }, + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Persistent session absolute timeout in seconds.", + "type": "number" + }, + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name", + "type": "string" + }, + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Persistent session rolling timeout in seconds.", + "type": "number" + }, + "session_request_headers": { + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "session_response_headers": { + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "session_rolling_timeout": { + "default": 3600, + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "type": "number" + }, + "session_secret": { + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). 
It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "maxLength": 32, + "minLength": 32, + "pattern": "^[0-9a-zA-Z/_+]+$", + "type": "string" + }, + "session_storage": { + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", + "enum": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "type": "string" + }, + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", + "type": "boolean" + }, + "validate_assertion_signature": { + "default": true, + "description": "Enable signature validation for SAML responses.", + "type": "boolean" + } + }, + "required": [], + "shorthand_fields": { + "session_auth_ttl": { + "type": "number" + }, + "session_compressor": { + "type": "string" + }, + "session_cookie_httponly": { + "type": "boolean" + }, + "session_cookie_idletime": { + "type": "number" + }, + "session_cookie_lifetime": { + "type": "number" + }, + "session_cookie_maxsize": { + "type": "integer" + }, + "session_cookie_renew": { + "type": "number" + }, + "session_cookie_samesite": { + "type": "string" + }, + "session_memcache_host": { + "type": "string" + }, + "session_memcache_port": { + "type": "integer" + }, + "session_memcache_prefix": { + "type": "string" + }, + "session_memcache_socket": { + "type": "string" + }, + "session_redis_cluster_maxredirections": { + "type": "integer" + }, + "session_strategy": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + 
"grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/session/3.7.json b/json_schemas/session/3.7.json new file mode 100644 index 00000000..14760087 --- /dev/null +++ b/json_schemas/session/3.7.json 
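Review bot: In the saml schema, `request_digest_algorithm` and `response_digest_algorithm` both accept `SHA1` with nothing in the description marking it as a legacy option. `session_redis_ssl_verify` defaults to `false`, so turning on `session_redis_ssl` alone gives an encrypted connection to a Redis server whose certificate is never checked. The descriptions should say so, for example `"description": "Verify the Redis server certificate. Set this to true whenever session_redis_ssl is enabled."`. `session_cookie_secure` has no `default`, unlike `session_cookie_http_only`, so a reader cannot tell from the schema what the effective value is. Two descriptions also look damaged: `session_redis_password` stops mid-sentence at "This value is pulled from", and `session_rolling_timeout` repeats the absolute-timeout text.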
@@ -0,0 +1,242 @@ +{ + "properties": { + "config": { + "properties": { + "absolute_timeout": { + "default": 86400, + "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", + "type": "number" + }, + "audience": { + "default": "default", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "type": "string" + }, + "cookie_domain": { + "description": "The domain with which the cookie is intended to be exchanged.", + "type": "string" + }, + "cookie_http_only": { + "default": true, + "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", + "type": "boolean" + }, + "cookie_name": { + "default": "session", + "description": "The name of the cookie.", + "type": "string" + }, + "cookie_path": { + "default": "/", + "description": "The resource in the host where the cookie is available.", + "type": "string" + }, + "cookie_same_site": { + "default": "Strict", + "description": "Determines whether and how a cookie may be sent with cross-site requests.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "cookie_secure": { + "default": true, + "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", + "type": "boolean" + }, + "idling_timeout": { + "default": 900, + "description": "The session cookie idle time, in seconds.", + "type": "number" + }, + "logout_methods": { + "default": [ + "DELETE", + "POST" + ], + "description": "A set of HTTP methods that the plugin will respond to.", + "items": { + "enum": [ + "DELETE", + "GET", + "POST" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "logout_post_arg": { + "default": "session_logout", + "description": "The POST argument passed to logout requests. 
Do not change this property.", + "type": "string" + }, + "logout_query_arg": { + "default": "session_logout", + "description": "The query argument passed to logout requests.", + "type": "string" + }, + "read_body_for_logout": { + "default": false, + "type": "boolean" + }, + "remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean" + }, + "remember_absolute_timeout": { + "default": 2592000, + "description": "The persistent session absolute timeout limit, in seconds.", + "type": "number" + }, + "remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string" + }, + "remember_rolling_timeout": { + "default": 604800, + "description": "The persistent session rolling timeout window, in seconds.", + "type": "number" + }, + "request_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "response_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "rolling_timeout": { + "default": 3600, + "description": "The session cookie rolling timeout, in seconds. 
Specifies how long the session can be used until it needs to be renewed.", + "type": "number" + }, + "secret": { + "default": "4Xkz87KN9Mdq3BsyMOndCz3cjxVWxf4ndnK6tPTGKhYd", + "description": "The secret that is used in keyed HMAC generation.", + "type": "string" + }, + "stale_ttl": { + "default": 10, + "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", + "type": "number" + }, + "storage": { + "default": "cookie", + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", + "enum": [ + "cookie", + "kong" + ], + "type": "string" + } + }, + "required": [], + "shorthand_fields": { + "cookie_discard": { + "type": "number" + }, + "cookie_httponly": { + "type": "boolean" + }, + "cookie_idletime": { + "type": "number" + }, + "cookie_lifetime": { + "type": "number" + }, + "cookie_persistent": { + "type": "boolean" + }, + "cookie_renew": { + "type": "number" + }, + "cookie_samesite": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/statsd-advanced/3.7.json b/json_schemas/statsd-advanced/3.7.json new file mode 100644 index 00000000..5788dbfe --- /dev/null +++ b/json_schemas/statsd-advanced/3.7.json 
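Review bot: `config.secret` in the session schema carries a fixed literal string as its `default`, and the description says this value is the secret used in keyed HMAC generation, so a signing secret is now published with the schema. If that string was captured from the instance the schemas were downloaded from rather than being a documented constant (the page does not say which), anyone who copies the rendered default ends up with a publicly known key. The export step should drop the `"default"` line for `secret`, and the description could read `"description": "The secret that is used in keyed HMAC generation. Set your own random value; do not reuse a value shown in documentation."`. `read_body_for_logout` has no description at all in the same hunk.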
@@ -0,0 +1,273 @@ +{ + "properties": { + "config": { + "properties": { + "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", + "items": { + "pattern": "^[0-9]+-[0-9]+$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_identifier_default": { + "default": "custom_id", + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "hostname_in_prefix": { + "default": false, + "description": "Include the `hostname` in the `prefix` for each metric name.", + "type": "boolean" + }, + "metrics": { + "default": [ + { + "name": "cache_datastore_misses_total", + "sample_rate": 1, + "stat_type": "counter" + } + ], + "description": "List of Metrics to be logged.", + "items": { + "properties": { + "consumer_identifier": { + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "enum": [ + "cache_datastore_hits_total", + "cache_datastore_misses_total", + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "shdict_usage", + "status_count", + "status_count_per_user", + "status_count_per_user_per_route", + "status_count_per_workspace", + "unique_users", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "minimum": 0, + "type": "number" + }, + "service_identifier": { + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "stat_type": { + "enum": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + }, + 
"workspace_identifier": { + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [ + "name", + "stat_type" + ], + "type": "object" + }, + "type": "array" + }, + "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to prefix to each metric's name.", + "type": "string" + }, + "queue": { + "properties": { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "service_identifier_default": { + "default": "service_name_or_host", + "description": "The default service 
identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "udp_packet_size": { + "default": 0, + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", + "maximum": 65507, + "minimum": 0, + "type": "number" + }, + "use_tcp": { + "default": false, + "description": "Use TCP instead of UDP.", + "type": "boolean" + }, + "workspace_identifier_default": { + "default": "workspace_id", + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/statsd/3.7.json b/json_schemas/statsd/3.7.json new file mode 100644 index 00000000..591323c0 --- /dev/null +++ b/json_schemas/statsd/3.7.json 
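Review bot: In `config.metrics.items`, `sample_rate` has `"minimum": 0` but no upper bound, and `udp_packet_size` is `"type": "number"` although its description and its 0–65507 bounds describe a byte count. If sample rates are meant to be fractions, `"maximum": 1` belongs on `sample_rate`, and `udp_packet_size` should be `"type": "integer"`; both fields have the same shape in the statsd hunk that follows. The `allow_status_codes` pattern `^[0-9]+-[0-9]+$` accepts ranges such as `0-99999999`; `^[0-9]{3}-[0-9]{3}$` would be tighter, assuming three-digit HTTP status codes are the intent. In the statsd hunk, `flush_timeout`, `queue_size`, `retry_count`, `tag_style` and the `*_identifier_default` fields carry no `description` at all.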
@@ -0,0 +1,291 @@ +{ + "properties": { + "config": { + "properties": { + "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", + "items": { + "pattern": "^[0-9]+-[0-9]+$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "consumer_identifier_default": { + "default": "custom_id", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "flush_timeout": { + "type": "number" + }, + "host": { + "default": "localhost", + "description": "The IP address or hostname of StatsD server to send data to.", + "type": "string" + }, + "hostname_in_prefix": { + "default": false, + "type": "boolean" + }, + "metrics": { + "default": [ + { + "name": "cache_datastore_misses_total", + "sample_rate": 1, + "stat_type": "counter" + } + ], + "description": "List of metrics to be logged.", + "items": { + "properties": { + "consumer_identifier": { + "description": "Authenticated user detail.", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "description": "StatsD metric’s name.", + "enum": [ + "cache_datastore_hits_total", + "cache_datastore_misses_total", + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "shdict_usage", + "status_count", + "status_count_per_user", + "status_count_per_user_per_route", + "status_count_per_workspace", + "unique_users", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "description": "Sampling rate", + "minimum": 0, + "type": "number" + }, + "service_identifier": { + "description": "Service detail.", + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "stat_type": { + "description": "Determines what sort of event a metric represents.", + "enum": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + }, + 
"workspace_identifier": { + "description": "Workspace detail.", + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [ + "name", + "stat_type" + ], + "type": "object" + }, + "type": "array" + }, + "port": { + "default": 8125, + "description": "The port of StatsD server to send data to.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to prefix to each metric's name.", + "type": "string" + }, + "queue": { + "properties": { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "queue_size": { + "type": "integer" + }, + "retry_count": { + "type": "integer" + }, + 
"service_identifier_default": { + "default": "service_name_or_host", + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "tag_style": { + "enum": [ + "dogstatsd", + "influxdb", + "librato", + "signalfx" + ], + "type": "string" + }, + "udp_packet_size": { + "default": 0, + "maximum": 65507, + "minimum": 0, + "type": "number" + }, + "use_tcp": { + "default": false, + "type": "boolean" + }, + "workspace_identifier_default": { + "default": "workspace_id", + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/syslog/3.7.json b/json_schemas/syslog/3.7.json new file mode 100644 index 00000000..fbbdbdbe --- /dev/null +++ b/json_schemas/syslog/3.7.json 
@@ -0,0 +1,159 @@ +{ + "properties": { + "config": { + "properties": { + "client_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "facility": { + "default": "user", + "description": "The facility is used by the operating system to decide how to handle each log message.", + "enum": [ + "auth", + "authpriv", + "cron", + "daemon", + "ftp", + "kern", + "local0", + "local1", + "local2", + "local3", + "local4", + "local5", + "local6", + "local7", + "lpr", + "mail", + "news", + "syslog", + "user", + "uucp" + ], + "type": "string" + }, + "log_level": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "server_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "successful_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/tcp-log/3.7.json b/json_schemas/tcp-log/3.7.json new file mode 100644 index 00000000..028dafde --- /dev/null +++ b/json_schemas/tcp-log/3.7.json 
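Review bot: `custom_fields_by_lua` is described only as `Lua code as a key-value map`, with `"additionalProperties": true` and no constraint on the values, which hides that these values are code the plugin evaluates. The tcp-log schema in this same patch documents the field properly (the key is the log field name, the value is a chunk of Lua whose return value sets or replaces the field); the same wording should be used here and in the udp-log hunk. I would add a sentence that write access to this field should be treated as the ability to run Lua inside the gateway, subject to whatever sandboxing the deployment configures. If the plugin expects string values, `"additionalProperties": {"type": "string"}` would reject anything else at validation time. `client_errors_severity`, `log_level`, `server_errors_severity` and `successful_severity` also have no `description`.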
@@ -0,0 +1,105 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", + "type": "object" + }, + "host": { + "description": "The IP address or host name to send data to.", + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "number" + }, + "port": { + "description": "The port to send data to on the upstream server.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + }, + "tls": { + "default": false, + "description": "Indicates whether to perform a TLS handshake against the remote server.", + "type": "boolean" + }, + "tls_sni": { + "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/tls-handshake-modifier/3.7.json b/json_schemas/tls-handshake-modifier/3.7.json new file mode 100644 index 00000000..fcfac7cc --- /dev/null +++ b/json_schemas/tls-handshake-modifier/3.7.json 
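Review bot: `tls` defaults to `false`, so with the schema defaults log entries are sent to `host`:`port` without transport encryption, and the description does not say so. I would extend it with something like `When false, log data is sent in plaintext; enable it for any destination outside a trusted network.` Nothing in the schema states whether the server certificate is verified when `tls` is on, or how `tls_sni` relates to that check, which is worth documenting. `host` and `port` have no default while `config.required` is `[]`, so a config with no destination validates; if the plugin needs them, `"required": ["host", "port"]` lets tooling catch it early, and the udp-log hunk has the same empty `required`.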
@@ -0,0 +1,58 @@ +{ + "properties": { + "config": { + "properties": { + "tls_client_certificate": { + "default": "REQUEST", + "description": "TLS Client Certificate", + "enum": [ + "REQUEST" + ], + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpcs", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpcs", + "https", + "tls" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/tls-metadata-headers/3.7.json b/json_schemas/tls-metadata-headers/3.7.json new file mode 100644 index 00000000..d878d7ab --- /dev/null +++ b/json_schemas/tls-metadata-headers/3.7.json 
@@ -0,0 +1,80 @@ +{ + "properties": { + "config": { + "properties": { + "client_cert_fingerprint_header_name": { + "default": "X-Client-Cert-Fingerprint", + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", + "type": "string" + }, + "client_cert_header_name": { + "default": "X-Client-Cert", + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", + "type": "string" + }, + "client_cert_issuer_dn_header_name": { + "default": "X-Client-Cert-Issuer-DN", + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", + "type": "string" + }, + "client_cert_subject_dn_header_name": { + "default": "X-Client-Cert-Subject-DN", + "description": "Define the HTTP header name used for the subject DN of the client certificate.", + "type": "string" + }, + "client_serial_header_name": { + "default": "X-Client-Cert-Serial", + "description": "Define the HTTP header name used for the serial number of the client certificate.", + "type": "string" + }, + "inject_client_cert_details": { + "default": false, + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", + "type": "boolean" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpcs", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpcs", + "https", + "tls" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/udp-log/3.7.json b/json_schemas/udp-log/3.7.json new file mode 100644 index 00000000..adfff403 --- /dev/null +++ b/json_schemas/udp-log/3.7.json 
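Review bot: The five `*_header_name` fields are unconstrained strings, so the schema accepts values that are not valid HTTP header names or that collide with headers an upstream already relies on. A constraint such as `"pattern": "^[A-Za-z0-9_-]+$"` would catch typos at validation time; the vault-auth descriptions in this patch state the same character restriction in prose. The `inject_client_cert_details` description should say that upstreams may trust these headers only on traffic that arrives from the gateway, and the schema does not show whether a client-supplied header of the same name is removed before injection, which is worth confirming and documenting. The fingerprint is documented as SHA1, so consumers should treat it as an identifier rather than as a strong binding to the certificate.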
@@ -0,0 +1,91 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/upstream-timeout/3.7.json b/json_schemas/upstream-timeout/3.7.json new file mode 100644 index 00000000..681120b5 --- /dev/null +++ b/json_schemas/upstream-timeout/3.7.json 
@@ -0,0 +1,82 @@ +{ + "properties": { + "config": { + "properties": { + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/vault-auth/3.7.json b/json_schemas/vault-auth/3.7.json new file mode 100644 index 00000000..3f52bdea --- /dev/null +++ b/json_schemas/vault-auth/3.7.json 
@@ -0,0 +1,96 @@ +{ + "properties": { + "config": { + "properties": { + "access_token_name": { + "default": "access_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "items": { + "description": "A string representing an HTTP header name.", + "required": [], + "type": "string" + }, + "type": "string" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", + "type": "boolean" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" + }, + "secret_token_name": { + "default": "secret_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. 
The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "items": { + "description": "A string representing an HTTP header name.", + "required": [], + "type": "string" + }, + "type": "string" + }, + "tokens_in_body": { + "default": false, + "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "vault": { + "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/websocket-size-limit/3.7.json b/json_schemas/websocket-size-limit/3.7.json new file mode 100644 index 00000000..b46f162b 
--- /dev/null +++ b/json_schemas/websocket-size-limit/3.7.json @@ -0,0 +1,70 @@ +{ + "properties": { + "config": { + "properties": { + "client_max_payload": { + "maximum": 33554432, + "minimum": 1, + "type": "integer" + }, + "upstream_max_payload": { + "maximum": 33554432, + "minimum": 1, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file 
diff --git a/json_schemas/websocket-validator/3.7.json b/json_schemas/websocket-validator/3.7.json new file mode 100644 index 00000000..8c23be44 --- /dev/null +++ b/json_schemas/websocket-validator/3.7.json 
@@ -0,0 +1,152 @@ +{ + "properties": { + "config": { + "properties": { + "client": { + "properties": { + "binary": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + }, + "text": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "upstream": { + "properties": { + "binary": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + }, + "text": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. 
The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + } + }, + "required": [], + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/xml-threat-protection/3.7.json b/json_schemas/xml-threat-protection/3.7.json new file mode 100644 index 00000000..0fea5bfa --- /dev/null +++ b/json_schemas/xml-threat-protection/3.7.json 
@@ -0,0 +1,210 @@ +{ + "properties": { + "config": { + "properties": { + "allow_dtd": { + "default": false, + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", + "type": "boolean" + }, + "allowed_content_types": { + "default": [], + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", + "items": { + "pattern": "^[^\\t\\n\\v\\f\\r ]+\\/[^ ;]+$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "attribute": { + "default": 1048576, + "description": "Maximum size of the attribute value.", + "minimum": 0, + "type": "integer" + }, + "bla_max_amplification": { + "default": 100, + "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", + "minimum": 1, + "type": "number" + }, + "bla_threshold": { + "default": 8388608, + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", + "minimum": 1024, + "type": "integer" + }, + "buffer": { + "default": 1048576, + "description": "Maximum size of the unparsed buffer (see below).", + "minimum": 0, + "type": "integer" + }, + "checked_content_types": { + "default": [ + "application/xml" + ], + "description": "A list of Content-Type values with payloads that must be validated.", + "items": { + "pattern": "^[^\\t\\n\\v\\f\\r ]+\\/[^ ;]+$", + "required": [], + "type": "string" + }, + "type": "array" + }, + "comment": { + "default": 1024, + "description": "Maximum size of comments.", + "minimum": 0, + "type": "integer" + }, + "document": { + "default": 10485760, + "description": "Maximum size of the entire document.", + "minimum": 0, + "type": "integer" + }, + "entity": { + "default": 1024, + "description": "Maximum size of entity values in EntityDecl.", + "minimum": 0, + "type": "integer" + }, + "entityname": { + "default": 1024, + "description": "Maximum size of entity names in EntityDecl.", + "minimum": 0, + 
"type": "integer" + }, + "entityproperty": { + "default": 1024, + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", + "minimum": 0, + "type": "integer" + }, + "localname": { + "default": 1024, + "description": "Maximum size of the localname. This applies to tags and attributes.", + "minimum": 0, + "type": "integer" + }, + "max_attributes": { + "default": 100, + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", + "minimum": 0, + "type": "integer" + }, + "max_children": { + "default": 100, + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", + "minimum": 0, + "type": "integer" + }, + "max_depth": { + "default": 50, + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", + "minimum": 0, + "type": "integer" + }, + "max_namespaces": { + "default": 20, + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", + "minimum": 0, + "type": "integer" + }, + "namespace_aware": { + "default": true, + "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", + "type": "boolean" + }, + "namespaceuri": { + "default": 1024, + "description": "Maximum size of the namespace URI. 
This value is required if parsing is namespace-aware.", + "minimum": 0, + "type": "integer" + }, + "pidata": { + "default": 1024, + "description": "Maximum size of processing instruction data.", + "minimum": 0, + "type": "integer" + }, + "pitarget": { + "default": 1024, + "description": "Maximum size of processing instruction targets.", + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": 1024, + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", + "minimum": 0, + "type": "integer" + }, + "text": { + "default": 1048576, + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", + "minimum": 0, + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file diff --git a/json_schemas/zipkin/3.7.json b/json_schemas/zipkin/3.7.json new file mode 100644 index 00000000..e8004732 --- /dev/null +++ b/json_schemas/zipkin/3.7.json 
@@ -0,0 +1,337 @@ +{ + "properties": { + "config": { + "properties": { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "default_header_type": { + "default": "b3", + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "type": "string" + }, + "default_service_name": { + "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans.", + "type": "string" + }, + "header_type": { + "default": "preserve", + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. 
This property codifies what kind of tracing header the plugin expects on incoming requests", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "ignore", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "type": "string" + }, + "http_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "http_response_header_for_traceid": { + "type": "string" + }, + "http_span_name": { + "default": "method", + "description": "Specify whether to include the HTTP path in the span name.", + "enum": [ + "method", + "method_path" + ], + "type": "string" + }, + "include_credential": { + "default": true, + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", + "type": "boolean" + }, + "local_service_name": { + "default": "kong", + "description": "The name of the service as displayed in Zipkin.", + "type": "string" + }, + "phase_duration_flavor": { + "default": "annotations", + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", + "enum": [ + "annotations", + "tags" + ], + "type": "string" + }, + "propagation": { + "default": { + "default_format": "b3" + }, + "properties": { + "clear": { + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", + "items": { + "required": [], + "type": "string" + }, + "type": "array" + }, + "default_format": { + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. 
This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "type": "string" + }, + "extract": { + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "items": { + "enum": [ + "aws", + "b3", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "inject": { + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "items": { + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "required": [], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "default_format" + ], + "type": "object" + }, + "queue": { + "properties": { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) 
seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [], + "type": "object" + }, + "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sample_ratio": { + "default": 0.001, + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "static_tags": { + "description": "The tags specified on this property will be added to the generated request traces.", + "items": { + "properties": { + "name": { + "not_one_of": [ + "error", + "http.method", + "http.path", + "http.status_code", + "kong.balancer.state", + "kong.balancer.try", + "kong.consumer", + "kong.credential", + "kong.node.id", + "kong.route", + "kong.service", + "lc", + "peer.hostname" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "tags_header": { + "default": "Zipkin-Tags", + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", + "type": "string" + }, + "traceid_byte_count": { + "default": 16, + "description": "The length in bytes of each request's Trace ID.", + "enum": [ + 8, + 16 + ], + "type": "integer" + } + }, + "required": [], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [] +} \ No newline at end of file From 8f3081cf2a595dbc5720d7e3b124bfbd454f11b0 Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Thu, 5 Dec 2024 16:28:32 +0100 Subject: [PATCH 118/165] Update convert_json_schema so that the file name is major.minor.json --- README.md | 2 +- lib/convert_json_schema.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 082dce31..77201b69 100644 --- a/README.md +++ b/README.md 
@@ -157,7 +157,7 @@ For example, running: ```bash ./plugins convert_json_schema --version 3.9.x --plugins acme ``` -converts `./schemas/acme/3.4.x.json` into a valid JSON schema and writes it to `./schemas/acme/3.5.x.json`. +converts `./schemas/acme/3.9.x.json` into a valid JSON schema and writes it to `./json_schemas/acme/3.9.json`. ## Updating the repo after a new release diff --git a/lib/convert_json_schema.rb b/lib/convert_json_schema.rb index af99986d..bfb88ac7 100644 --- a/lib/convert_json_schema.rb +++ b/lib/convert_json_schema.rb @@ -41,7 +41,7 @@ def run! # Write the schema to the destination FileUtils.mkdir_p("#{@options[:destination]}/#{plugin_name}") - dest = File.join(@options[:destination], plugin_name, "#{@options['version']}.json") + dest = File.join(@options[:destination], plugin_name, "#{@options['version'].gsub('.x', '')}.json") File.write(dest, JSON.pretty_generate(json_schema.deep_sort)) end end From 0000e493f94bf11cf618ca528e0cf5b035c61f20 Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Mon, 9 Dec 2024 13:29:23 +0100 Subject: [PATCH 119/165] Update release notes --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 77201b69..f14794e3 100644 --- a/README.md +++ b/README.md @@ -168,3 +168,5 @@ Whenever a new version of Kong Gateway is released, we need run the following co 1. Validate Examples - specify the new version `x.x.x` 1. Generate Referenceable Fields List - specify the new version `x.x.x` 1. Generate Priorities List - for `oss` and `ee` and specify the new version `x.x.x` +1. Copy Data files +1. Generate JSON Schemas From 3f400dba76df4bd6cee2808e90fd447b379f8d46 Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Mon, 16 Dec 2024 12:13:56 +0100 Subject: [PATCH 120/165] Fix service-protection examples --- examples/service-protection/_3.10.x.yaml | 6 ++++-- examples/service-protection/_3.9.x.yaml | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-) 
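Review bot: In the `lib/convert_json_schema.rb` hunk, the new `dest` line uses `@options['version'].gsub('.x', '')`, which removes every `.x` in the string rather than only a trailing suffix, and raises `NoMethodError` when the option is missing. The value appears to come from the `--version` flag shown in the README and is interpolated straight into `File.join`, so a malformed value containing path separators would be written outside `@options[:destination]`. I would check the format before building the path and strip only the suffix: `version = @options['version'].to_s`, then `raise ArgumentError, "invalid version: #{version}" unless version.match?(/\A\d+\.\d+(\.x)?\z/)`, then `dest = File.join(@options[:destination], plugin_name, "#{version.delete_suffix('.x')}.json")`. The body of `run!` starts above this hunk, so the check may belong earlier, before the `FileUtils.mkdir_p` call.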
diff --git a/examples/service-protection/_3.10.x.yaml b/examples/service-protection/_3.10.x.yaml index c23a4120..73702a32 100644 --- a/examples/service-protection/_3.10.x.yaml +++ b/examples/service-protection/_3.10.x.yaml @@ -1,6 +1,8 @@ name: service-protection config: - window_size: 30 + window_size: + - 30 window_type: sliding - limit: 5 + limit: + - 5 namespace: example_namespace diff --git a/examples/service-protection/_3.9.x.yaml b/examples/service-protection/_3.9.x.yaml index c23a4120..73702a32 100644 --- a/examples/service-protection/_3.9.x.yaml +++ b/examples/service-protection/_3.9.x.yaml @@ -1,6 +1,8 @@ name: service-protection config: - window_size: 30 + window_size: + - 30 window_type: sliding - limit: 5 + limit: + - 5 namespace: example_namespace From 7159eb637c3719ec19f1d53643f40cdba990d1ee Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Mon, 16 Dec 2024 12:14:16 +0100 Subject: [PATCH 121/165] Fix ai-azure-content-safety examples --- examples/ai-azure-content-safety/_3.10.x.yaml | 4 ++-- examples/ai-azure-content-safety/_3.9.x.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/ai-azure-content-safety/_3.10.x.yaml b/examples/ai-azure-content-safety/_3.10.x.yaml index 025407dc..75f6cffb 100644 --- a/examples/ai-azure-content-safety/_3.10.x.yaml +++ b/examples/ai-azure-content-safety/_3.10.x.yaml @@ -5,5 +5,5 @@ config: reveal_failure_reason: true content_safety_key: anything categories: - - "Hate" - - "Violence" \ No newline at end of file + - { name: "Hate", rejection_level: 2 } + - { name: "Violence", rejection_level: 2 } diff --git a/examples/ai-azure-content-safety/_3.9.x.yaml b/examples/ai-azure-content-safety/_3.9.x.yaml index 025407dc..75f6cffb 100644 --- a/examples/ai-azure-content-safety/_3.9.x.yaml +++ b/examples/ai-azure-content-safety/_3.9.x.yaml 
@@ -5,5 +5,5 @@ config: reveal_failure_reason: true content_safety_key: anything categories: - - "Hate" - - "Violence" \ No newline at end of file + - { name: "Hate", rejection_level: 2 } + - { name: "Violence", rejection_level: 2 } From 043be934adca7983a2ab2db83125614a2ba87079 Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Mon, 16 Dec 2024 12:14:34 +0100 Subject: [PATCH 122/165] Fix injection-protection examples --- examples/injection-protection/_3.10.x.yaml | 8 +++++--- examples/injection-protection/_3.9.x.yaml | 8 +++++--- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/examples/injection-protection/_3.10.x.yaml b/examples/injection-protection/_3.10.x.yaml index 2d0e1a61..9e7e487e 100644 --- a/examples/injection-protection/_3.10.x.yaml +++ b/examples/injection-protection/_3.10.x.yaml @@ -1,7 +1,9 @@ name: injection-protection config: - injection_types: sql - locations: path_and_query + injection_types: + - "sql" + locations: + - "path_and_query" enforcement_mode: block error_status_code: 400 - error_message: Bad Request \ No newline at end of file + error_message: Bad Request diff --git a/examples/injection-protection/_3.9.x.yaml b/examples/injection-protection/_3.9.x.yaml index 2d0e1a61..9e7e487e 100644 --- a/examples/injection-protection/_3.9.x.yaml +++ b/examples/injection-protection/_3.9.x.yaml @@ -1,7 +1,9 @@ name: injection-protection config: - injection_types: sql - locations: path_and_query + injection_types: + - "sql" + locations: + - "path_and_query" enforcement_mode: block error_status_code: 400 - error_message: Bad Request \ No newline at end of file + error_message: Bad Request From e8951cf15213f0aed81a7e725b7e8a68071405fd Mon Sep 17 00:00:00 2001 
From: fabianrbz <715229+fabianrbz@users.noreply.github.com> Date: Thu, 19 Dec 2024 16:28:01 +0000 Subject: [PATCH 123/165] JSON Schemas for 3.10.x --- json_schemas/acl/3.10.json | 98 + json_schemas/acme/3.10.json | 372 +++ .../ai-azure-content-safety/3.10.json | 151 ++ json_schemas/ai-prompt-decorator/3.10.json | 157 ++ json_schemas/ai-prompt-guard/3.10.json | 131 + json_schemas/ai-prompt-template/3.10.json | 126 + json_schemas/ai-proxy-advanced/3.10.json | 796 ++++++ json_schemas/ai-proxy/3.10.json | 367 +++ .../ai-rate-limiting-advanced/3.10.json | 404 +++ json_schemas/ai-request-transformer/3.10.json | 385 +++ .../ai-response-transformer/3.10.json | 403 +++ json_schemas/ai-semantic-cache/3.10.json | 456 ++++ .../ai-semantic-prompt-guard/3.10.json | 476 ++++ json_schemas/app-dynamics/3.10.json | 77 + .../application-registration/3.10.json | 60 + json_schemas/aws-lambda/3.10.json | 221 ++ json_schemas/azure-functions/3.10.json | 129 + json_schemas/basic-auth/3.10.json | 81 + json_schemas/bot-detection/3.10.json | 91 + json_schemas/canary/3.10.json | 142 + json_schemas/confluent/3.10.json | 207 ++ json_schemas/correlation-id/3.10.json | 96 + json_schemas/cors/3.10.json | 145 + json_schemas/datadog-tracing/3.10.json | 113 + json_schemas/datadog/3.10.json | 263 ++ json_schemas/degraphql/3.10.json | 68 + json_schemas/exit-transformer/3.10.json | 95 + json_schemas/file-log/3.10.json | 98 + json_schemas/forward-proxy/3.10.json | 135 + .../graphql-proxy-cache-advanced/3.10.json | 300 +++ .../graphql-rate-limiting-advanced/3.10.json | 343 +++ json_schemas/grpc-gateway/3.10.json | 87 + json_schemas/grpc-web/3.10.json | 96 + json_schemas/header-cert-auth/3.10.json | 181 ++ json_schemas/hmac-auth/3.10.json | 126 + json_schemas/http-log/3.10.json | 199 ++ json_schemas/injection-protection/3.10.json | 146 ++ json_schemas/ip-restriction/3.10.json | 128 + json_schemas/jq/3.10.json | 176 ++ json_schemas/json-threat-protection/3.10.json | 126 + json_schemas/jwe-decrypt/3.10.json | 
88 + json_schemas/jwt-signer/3.10.json | 699 +++++ json_schemas/jwt/3.10.json | 146 ++ json_schemas/kafka-log/3.10.json | 232 ++ json_schemas/kafka-upstream/3.10.json | 244 ++ json_schemas/key-auth-enc/3.10.json | 114 + json_schemas/key-auth/3.10.json | 114 + .../konnect-application-auth/3.10.json | 2331 ++++++++++++++++ json_schemas/ldap-auth-advanced/3.10.json | 193 ++ json_schemas/ldap-auth/3.10.json | 134 + json_schemas/loggly/3.10.json | 175 ++ json_schemas/mocking/3.10.json | 128 + json_schemas/mtls-auth/3.10.json | 169 ++ json_schemas/oas-validation/3.10.json | 149 ++ json_schemas/oauth2-introspection/3.10.json | 138 + json_schemas/oauth2/3.10.json | 165 ++ json_schemas/opa/3.10.json | 122 + json_schemas/openid-connect/3.10.json | 2334 +++++++++++++++++ json_schemas/opentelemetry/3.10.json | 292 +++ json_schemas/post-function/3.10.json | 190 ++ json_schemas/pre-function/3.10.json | 190 ++ json_schemas/prometheus/3.10.json | 113 + json_schemas/proxy-cache-advanced/3.10.json | 410 +++ json_schemas/proxy-cache/3.10.json | 229 ++ json_schemas/rate-limiting-advanced/3.10.json | 416 +++ json_schemas/rate-limiting/3.10.json | 263 ++ json_schemas/redirect/3.10.json | 105 + json_schemas/request-size-limiting/3.10.json | 96 + json_schemas/request-termination/3.10.json | 117 + .../request-transformer-advanced/3.10.json | 390 +++ json_schemas/request-transformer/3.10.json | 328 +++ json_schemas/request-validator/3.10.json | 164 ++ json_schemas/response-ratelimiting/3.10.json | 207 ++ .../response-transformer-advanced/3.10.json | 419 +++ json_schemas/response-transformer/3.10.json | 311 +++ json_schemas/route-by-header/3.10.json | 100 + .../route-transformer-advanced/3.10.json | 89 + json_schemas/saml/3.10.json | 609 +++++ json_schemas/service-protection/3.10.json | 314 +++ json_schemas/session/3.10.json | 258 ++ json_schemas/standard-webhooks/3.10.json | 86 + json_schemas/statsd-advanced/3.10.json | 298 +++ json_schemas/statsd/3.10.json | 316 +++ 
json_schemas/syslog/3.10.json | 171 ++ json_schemas/tcp-log/3.10.json | 117 + json_schemas/tls-handshake-modifier/3.10.json | 68 + json_schemas/tls-metadata-headers/3.10.json | 90 + json_schemas/udp-log/3.10.json | 103 + json_schemas/upstream-oauth/3.10.json | 509 ++++ json_schemas/upstream-timeout/3.10.json | 94 + json_schemas/vault-auth/3.10.json | 110 + json_schemas/websocket-size-limit/3.10.json | 82 + json_schemas/websocket-validator/3.10.json | 168 ++ json_schemas/xml-threat-protection/3.10.json | 228 ++ json_schemas/zipkin/3.10.json | 366 +++ 95 files changed, 24342 insertions(+) create mode 100644 json_schemas/acl/3.10.json create mode 100644 json_schemas/acme/3.10.json create mode 100644 json_schemas/ai-azure-content-safety/3.10.json create mode 100644 json_schemas/ai-prompt-decorator/3.10.json create mode 100644 json_schemas/ai-prompt-guard/3.10.json create mode 100644 json_schemas/ai-prompt-template/3.10.json create mode 100644 json_schemas/ai-proxy-advanced/3.10.json create mode 100644 json_schemas/ai-proxy/3.10.json create mode 100644 json_schemas/ai-rate-limiting-advanced/3.10.json create mode 100644 json_schemas/ai-request-transformer/3.10.json create mode 100644 json_schemas/ai-response-transformer/3.10.json create mode 100644 json_schemas/ai-semantic-cache/3.10.json create mode 100644 json_schemas/ai-semantic-prompt-guard/3.10.json create mode 100644 json_schemas/app-dynamics/3.10.json create mode 100644 json_schemas/application-registration/3.10.json create mode 100644 json_schemas/aws-lambda/3.10.json create mode 100644 json_schemas/azure-functions/3.10.json create mode 100644 json_schemas/basic-auth/3.10.json create mode 100644 json_schemas/bot-detection/3.10.json create mode 100644 json_schemas/canary/3.10.json create mode 100644 json_schemas/confluent/3.10.json create mode 100644 json_schemas/correlation-id/3.10.json create mode 100644 json_schemas/cors/3.10.json create mode 100644 json_schemas/datadog-tracing/3.10.json create mode 100644 
json_schemas/datadog/3.10.json create mode 100644 json_schemas/degraphql/3.10.json create mode 100644 json_schemas/exit-transformer/3.10.json create mode 100644 json_schemas/file-log/3.10.json create mode 100644 json_schemas/forward-proxy/3.10.json create mode 100644 json_schemas/graphql-proxy-cache-advanced/3.10.json create mode 100644 json_schemas/graphql-rate-limiting-advanced/3.10.json create mode 100644 json_schemas/grpc-gateway/3.10.json create mode 100644 json_schemas/grpc-web/3.10.json create mode 100644 json_schemas/header-cert-auth/3.10.json create mode 100644 json_schemas/hmac-auth/3.10.json create mode 100644 json_schemas/http-log/3.10.json create mode 100644 json_schemas/injection-protection/3.10.json create mode 100644 json_schemas/ip-restriction/3.10.json create mode 100644 json_schemas/jq/3.10.json create mode 100644 json_schemas/json-threat-protection/3.10.json create mode 100644 json_schemas/jwe-decrypt/3.10.json create mode 100644 json_schemas/jwt-signer/3.10.json create mode 100644 json_schemas/jwt/3.10.json create mode 100644 json_schemas/kafka-log/3.10.json create mode 100644 json_schemas/kafka-upstream/3.10.json create mode 100644 json_schemas/key-auth-enc/3.10.json create mode 100644 json_schemas/key-auth/3.10.json create mode 100644 json_schemas/konnect-application-auth/3.10.json create mode 100644 json_schemas/ldap-auth-advanced/3.10.json create mode 100644 json_schemas/ldap-auth/3.10.json create mode 100644 json_schemas/loggly/3.10.json create mode 100644 json_schemas/mocking/3.10.json create mode 100644 json_schemas/mtls-auth/3.10.json create mode 100644 json_schemas/oas-validation/3.10.json create mode 100644 json_schemas/oauth2-introspection/3.10.json create mode 100644 json_schemas/oauth2/3.10.json create mode 100644 json_schemas/opa/3.10.json create mode 100644 json_schemas/openid-connect/3.10.json create mode 100644 json_schemas/opentelemetry/3.10.json create mode 100644 json_schemas/post-function/3.10.json create mode 100644 
json_schemas/pre-function/3.10.json create mode 100644 json_schemas/prometheus/3.10.json create mode 100644 json_schemas/proxy-cache-advanced/3.10.json create mode 100644 json_schemas/proxy-cache/3.10.json create mode 100644 json_schemas/rate-limiting-advanced/3.10.json create mode 100644 json_schemas/rate-limiting/3.10.json create mode 100644 json_schemas/redirect/3.10.json create mode 100644 json_schemas/request-size-limiting/3.10.json create mode 100644 json_schemas/request-termination/3.10.json create mode 100644 json_schemas/request-transformer-advanced/3.10.json create mode 100644 json_schemas/request-transformer/3.10.json create mode 100644 json_schemas/request-validator/3.10.json create mode 100644 json_schemas/response-ratelimiting/3.10.json create mode 100644 json_schemas/response-transformer-advanced/3.10.json create mode 100644 json_schemas/response-transformer/3.10.json create mode 100644 json_schemas/route-by-header/3.10.json create mode 100644 json_schemas/route-transformer-advanced/3.10.json create mode 100644 json_schemas/saml/3.10.json create mode 100644 json_schemas/service-protection/3.10.json create mode 100644 json_schemas/session/3.10.json create mode 100644 json_schemas/standard-webhooks/3.10.json create mode 100644 json_schemas/statsd-advanced/3.10.json create mode 100644 json_schemas/statsd/3.10.json create mode 100644 json_schemas/syslog/3.10.json create mode 100644 json_schemas/tcp-log/3.10.json create mode 100644 json_schemas/tls-handshake-modifier/3.10.json create mode 100644 json_schemas/tls-metadata-headers/3.10.json create mode 100644 json_schemas/udp-log/3.10.json create mode 100644 json_schemas/upstream-oauth/3.10.json create mode 100644 json_schemas/upstream-timeout/3.10.json create mode 100644 json_schemas/vault-auth/3.10.json create mode 100644 json_schemas/websocket-size-limit/3.10.json create mode 100644 json_schemas/websocket-validator/3.10.json create mode 100644 json_schemas/xml-threat-protection/3.10.json create mode 
100644 json_schemas/zipkin/3.10.json diff --git a/json_schemas/acl/3.10.json b/json_schemas/acl/3.10.json new file mode 100644 index 00000000..c78c25f3 --- /dev/null +++ b/json_schemas/acl/3.10.json 
@@ -0,0 +1,98 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "always_use_authenticated_groups": { + "default": false, + "description": "If enabled (`true`), the authenticated groups will always be used even when an authenticated consumer already exists. If the authenticated groups don't exist, it will fallback to use the groups associated with the consumer. By default the authenticated groups will only be used when there is no consumer or the consumer is anonymous.", + "type": "boolean" + }, + "deny": { + "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "hide_groups_header": { + "default": false, + "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", + "type": "boolean" + }, + "include_consumer_groups": { + "default": false, + "description": "If enabled (`true`), allows the consumer-groups to be used in the `allow|deny` fields", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/acme/3.10.json b/json_schemas/acme/3.10.json new file mode 100644 index 00000000..a7102b7c --- /dev/null +++ b/json_schemas/acme/3.10.json 
@@ -0,0 +1,372 @@ +{ + "properties": { + "config": { + "properties": { + "account_email": { + "description": "The account identifier. Can be reused in a different plugin instance.", + "pattern": "[a-zA-Z0-9]*[!-/:-@[-`{-~]*@+[a-zA-Z0-9]*%.?[a-zA-Z0-9]*", + "type": "string" + }, + "account_key": { + "description": "The private key associated with the account.", + "properties": { + "key_id": { + "description": "The Key ID.", + "type": "string" + }, + "key_set": { + "description": "The ID of the key set to associate the Key ID with.", + "type": "string" + } + }, + "required": [ + "key_id" + ], + "type": "object" + }, + "allow_any_domain": { + "default": false, + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", + "type": "boolean" + }, + "api_uri": { + "default": "https://acme-v02.api.letsencrypt.org/directory", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "cert_type": { + "default": "rsa", + "description": "The certificate type to create. The possible values are `rsa` for RSA certificate or `ecc` for EC certificate.", + "enum": [ + "ecc", + "rsa" + ], + "type": "string" + }, + "domains": { + "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", + "items": { + "match_all": { + "pattern": "^[^*]*%*?[^*]*$" + }, + "match_any": { + "patterns": [ + "%.%*$", + "^%*%.", + "^[^*]*$" + ] + }, + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "eab_hmac_key": { + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", + "type": "string" + }, + "eab_kid": { + "description": "External account binding (EAB) key id. 
You usually don't need to set this unless it is explicitly required by the CA.", + "type": "string" + }, + "enable_ipv4_common_name": { + "default": true, + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", + "type": "boolean" + }, + "fail_backoff_minutes": { + "default": 5, + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", + "type": "number" + }, + "preferred_chain": { + "description": "A string value that specifies the preferred certificate chain to use when generating certificates.", + "type": "string" + }, + "renew_threshold_days": { + "default": 14, + "description": "Days remaining to renew the certificate before it expires.", + "type": "number" + }, + "rsa_key_size": { + "default": 4096, + "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", + "enum": [ + 2048, + 3072, + 4096 + ], + "type": "integer" + }, + "storage": { + "default": "shm", + "description": "The backend storage type to use. In DB-less mode and Konnect, `kong` storage is unavailable. In hybrid mode and Konnect, `shm` storage is unavailable. 
`shm` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `kong`, `redis`, `consul`, or `vault` in production.", + "enum": [ + "consul", + "kong", + "redis", + "shm", + "vault" + ], + "type": "string" + }, + "storage_config": { + "properties": { + "consul": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https": { + "default": false, + "description": "Boolean representation of https.", + "type": "boolean" + }, + "kv_path": { + "description": "KV prefix path.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "description": "Timeout in milliseconds.", + "type": "number" + }, + "token": { + "description": "Consul ACL token.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "kong": { + "additionalProperties": true, + "properties": { + }, + "required": [ + + ], + "type": "object" + }, + "redis": { + "properties": { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "extra_options": { + "description": "Custom ACME Redis options", + "properties": { + "namespace": { + "default": "", + "description": "A namespace to prepend to all keys stored in Redis.", + "minLength": 0, + "type": "string" + }, + "scan_count": { + "default": 10, + "description": "The number of keys to return in Redis SCAN calls.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "password": { + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "minLength": 0, + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "auth": { + "minLength": 0, + "type": "string" + }, + "namespace": { + "minLength": 0, + "type": "string" + }, + "scan_count": { + "type": "integer" + }, + "ssl_server_name": { + "type": "string" + } + }, + "type": "object" + }, + "shm": { + "properties": { + "shm_name": { + "default": "kong", + "description": "Name of shared memory zone used for Kong API gateway storage", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "vault": { + "properties": { + "auth_method": { + "default": "token", + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", + "enum": [ + "kubernetes", + "token" + ], + "type": "string" + }, + "auth_path": { + "description": "Vault's authentication path to use.", + "type": "string" + }, + "auth_role": { + "description": "The role to try and assign.", + "type": "string" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https": { + "default": false, + "description": "Boolean representation of https.", + "type": "boolean" + }, + "jwt_path": { + "description": "The path to the JWT.", + "type": "string" + }, + "kv_path": { + "description": "KV prefix path.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "description": "Timeout in milliseconds.", + "type": "number" + }, + "tls_server_name": { + "description": "SNI used in request, default to host if omitted.", + "type": "string" + }, + "tls_verify": { + "default": true, + "description": "Turn on TLS verification.", + "type": "boolean" + }, + "token": { + "description": "Consul ACL token.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ 
+ + ], + "type": "object" + }, + "tos_accepted": { + "default": false, + "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-azure-content-safety/3.10.json b/json_schemas/ai-azure-content-safety/3.10.json new file mode 100644 index 00000000..b87a3b14 --- /dev/null +++ b/json_schemas/ai-azure-content-safety/3.10.json 
@@ -0,0 +1,151 @@ +{ + "properties": { + "config": { + "properties": { + "azure_api_version": { + "default": "2023-10-01", + "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format.", + "minLength": 1, + "type": "string" + }, + "azure_client_id": { + "description": "If `azure_use_managed_identity` is true, set the client ID if required.", + "type": "string" + }, + "azure_client_secret": { + "description": "If `azure_use_managed_identity` is true, set the client secret if required.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If `azure_use_managed_identity` is true, set the tenant ID if required.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity", + "type": "boolean" + }, + "blocklist_names": { + "description": "Use these configured blocklists (in Azure Content Services) when inspecting content.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "categories": { + "description": "Array of categories, and their thresholds, to measure on.", + "items": { + "properties": { + "name": { + "type": "string" + }, + "rejection_level": { + "type": "integer" + } + }, + "required": [ + "name", + "rejection_level" + ], + "type": "object" + }, + "type": "array" + }, + "content_safety_key": { + "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.", + "type": "string" + }, + "content_safety_url": { + "description": "Full URL, inc protocol, of the Azure Content Safety instance.", + "type": "string" + }, + "halt_on_blocklist_hit": { + "default": true, + "description": "Tells Azure to reject the request if any blocklist filter is hit.", + "type": "boolean" + }, + "output_type": { + "default": "FourSeverityLevels", + 
"description": "See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter#content-filtering-categories", + "enum": [ + "EightSeverityLevels", + "FourSeverityLevels" + ], + "type": "string" + }, + "reveal_failure_reason": { + "default": true, + "description": "Set true to tell the caller why their request was rejected, if so.", + "type": "boolean" + }, + "text_source": { + "default": "concatenate_all_content", + "description": "Select where to pick the 'text' for the Azure Content Services request.", + "enum": [ + "concatenate_all_content", + "concatenate_user_content" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-prompt-decorator/3.10.json b/json_schemas/ai-prompt-decorator/3.10.json new file mode 100644 index 00000000..0559463c --- /dev/null +++ b/json_schemas/ai-prompt-decorator/3.10.json 
@@ -0,0 +1,157 @@ +{ + "properties": { + "config": { + "properties": { + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, + "prompts": { + "properties": { + "append": { + "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages.", + "items": { + "properties": { + "content": { + "maxLength": 500, + "minLength": 1, + "type": "string" + }, + "role": { + "default": "system", + "enum": [ + "assistant", + "system", + "user" + ], + "type": "string" + } + }, + "required": [ + "content" + ], + "type": "object" + }, + "maxLength": 15, + "type": "array" + }, + "prepend": { + "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages.", + "items": { + "properties": { + "content": { + "maxLength": 500, + "minLength": 1, + "type": "string" + }, + "role": { + "default": "system", + "enum": [ + "assistant", + "system", + "user" + ], + "type": "string" + } + }, + "required": [ + "content" + ], + "type": "object" + }, + "maxLength": 15, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-prompt-guard/3.10.json b/json_schemas/ai-prompt-guard/3.10.json new file mode 100644 index 00000000..536e841e --- /dev/null +++ b/json_schemas/ai-prompt-guard/3.10.json 
@@ -0,0 +1,131 @@ +{ + "properties": { + "config": { + "properties": { + "allow_all_conversation_history": { + "default": false, + "description": "If true, will ignore all previous chat prompts from the conversation history.", + "type": "boolean" + }, + "allow_patterns": { + "description": "Array of valid regex patterns, or valid questions from the 'user' role in chat.", + "items": { + "maxLength": 500, + "minLength": 1, + "required": [ + + ], + "type": "string" + }, + "maxLength": 10, + "type": "array" + }, + "deny_patterns": { + "description": "Array of invalid regex patterns, or invalid questions from the 'user' role in chat.", + "items": { + "maxLength": 500, + "minLength": 1, + "required": [ + + ], + "type": "string" + }, + "maxLength": 10, + "type": "array" + }, + "match_all_roles": { + "default": false, + "description": "If true, will match all roles in addition to 'user' role in conversation history.", + "type": "boolean" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-prompt-template/3.10.json b/json_schemas/ai-prompt-template/3.10.json new file mode 100644 index 00000000..99f12ea0 --- /dev/null +++ b/json_schemas/ai-prompt-template/3.10.json 
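Review bot: The `max_request_body_size` description ("max allowed body size allowed to be introspected") does not say what happens to a request whose body exceeds the limit, which is the security-relevant part for a guard plugin: a reader cannot tell whether an oversized prompt is rejected or forwarded without the `allow_patterns`/`deny_patterns` check. It also omits the unit of the `8192` default and the meaning of the permitted `0`. I would reword it along the lines of `"description": "Maximum request body size, in <unit>, that the plugin reads for inspection. Requests with a larger body are <rejected | passed through unchecked>."`, with the placeholders filled in from the plugin's actual behaviour. The same sentence is used for this field in the other AI plugin schemas in this patch.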
@@ -0,0 +1,126 @@ +{ + "properties": { + "config": { + "properties": { + "allow_untemplated_requests": { + "default": true, + "description": "Set true to allow requests that don't call or match any template.", + "type": "boolean" + }, + "log_original_request": { + "default": false, + "description": "Set true to add the original request to the Kong log plugin(s) output.", + "type": "boolean" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, + "templates": { + "description": "Array of templates available to the request context.", + "items": { + "properties": { + "name": { + "description": "Unique name for the template, can be called with `{template://NAME}`", + "type": "string" + }, + "template": { + "description": "Template string for this request, supports mustache-style `{{placeholders}}`", + "type": "string" + } + }, + "required": [ + "name", + "template" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-proxy-advanced/3.10.json b/json_schemas/ai-proxy-advanced/3.10.json new file mode 100644 index 00000000..52ab213c --- /dev/null +++ b/json_schemas/ai-proxy-advanced/3.10.json 
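Review bot: The `templates[].name` description promises a "Unique name", but nothing in the schema expresses uniqueness, and both `name` and `template` are unbounded strings, whereas the sibling prompt schemas in this patch bound theirs with `minLength: 1`/`maxLength: 500`. Since `name` is what a request references through `{template://NAME}`, the description should say whether duplicate names are rejected or how they are resolved. Provided the gateway enforces the same, `"minLength": 1` on `name` and `template` would keep an empty entry from validating.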
@@ -0,0 +1,796 @@ +{ + "properties": { + "config": { + "properties": { + "balancer": { + "properties": { + "algorithm": { + "default": "round-robin", + "description": "Which load balancing algorithm to use.", + "enum": [ + "consistent-hashing", + "lowest-latency", + "lowest-usage", + "round-robin", + "semantic" + ], + "type": "string" + }, + "connect_timeout": { + "default": 60000, + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "hash_on_header": { + "default": "X-Kong-LLM-Request-ID", + "description": "The header to use for consistent-hashing.", + "type": "string" + }, + "latency_strategy": { + "default": "tpot", + "description": "What metrics to use for latency. Available values are: `tpot` (time-per-output-token) and `e2e`.", + "enum": [ + "e2e", + "tpot" + ], + "type": "string" + }, + "read_timeout": { + "default": 60000, + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "retries": { + "default": 5, + "description": "The number of retries to execute upon failure to proxy.", + "maximum": 32767, + "minimum": 0, + "type": "integer" + }, + "slots": { + "default": 10000, + "description": "The number of slots in the load balancer algorithm.", + "maximum": 65536, + "minimum": 10, + "type": "integer" + }, + "tokens_count_strategy": { + "default": "total-tokens", + "description": "What tokens to use for usage calculation. 
Available values are: `total_tokens` `prompt_tokens`, and `completion_tokens`.", + "enum": [ + "completion-tokens", + "prompt-tokens", + "total-tokens" + ], + "type": "string" + }, + "write_timeout": { + "default": 60000, + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "embeddings": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "upstream_url": { + "description": "upstream url for the embeddings", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "provider": { + "description": "AI provider format to use for embeddings API", + "enum": [ + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [ + "name", + "provider" + ], + "type": "object" + } + }, + "required": [ + "model" + ], + "type": "object" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, + "model_name_header": { + "default": true, + "description": "Display the model 
name selected in the X-Kong-LLM-Model response header", + "type": "boolean" + }, + "response_streaming": { + "default": "allow", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "enum": [ + "allow", + "always", + "deny" + ], + "type": "string" + }, + "targets": { + "items": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "description": { + "description": "The semantic description of the target, required if using semantic load balancing.", + "type": "string" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": "Defines the 
schema/API version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "bedrock": { + "properties": { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "minimum": 0, + "type": "number" + }, + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "enum": [ + "ollama", + "openai", + "raw" + ], + "type": "string" + }, + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + 
"enum": [ + "ollama", + "openai" + ], + "type": "string" + }, + "output_cost": { + "description": "Defines the cost per 1M tokens in the output of the AI.", + "minimum": 0, + "type": "number" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, + "minimum": 0, + "type": "integer" + }, + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cohere", + "gemini", + "huggingface", + "llama2", + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [ + "provider" + ], + "type": "object" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. 
Set to `preserve` to pass through without transformation.", + "enum": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "type": "string" + }, + "weight": { + "default": 100, + "description": "The weight this target gets within the upstream loadbalancer (1-65535).", + "maximum": 65535, + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "logging", + "model", + "route_type" + ], + "type": "object" + }, + "type": "array" + }, + "vectordb": { + "properties": { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "type": "integer" + }, + "distance_metric": { + "description": "the distance metric to use for vector searches", + "enum": [ + "cosine", + "euclidean" + ], + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "description": "which vector database driver to use", + "enum": [ + "redis" + ], + "type": "string" + }, + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float)", + "type": "number" + } + }, + "required": [ + "dimensions", + "distance_metric", + "redis", + "strategy", + "threshold" + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-proxy/3.10.json b/json_schemas/ai-proxy/3.10.json new file mode 100644 index 00000000..2c314291 --- /dev/null +++ b/json_schemas/ai-proxy/3.10.json 
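Review bot: In `vectordb.redis`, `ssl` and `ssl_verify` both default to `false` while the same object carries `password` and `sentinel_password`, and no description mentions that with these defaults the credentials and vector data reach Redis unencrypted and the server certificate is not checked. I would add that to the `ssl` description, e.g. `"If set to true, uses SSL to connect to Redis. When false, the Redis password is sent in clear text."`, and note on `ssl_verify` that enabling `ssl` alone does not authenticate the server. Separately, the `tokens_count_strategy` description lists `total_tokens`, `prompt_tokens` and `completion_tokens`, but the enum values are hyphenated (`total-tokens`, `prompt-tokens`, `completion-tokens`); the description should use the enum spelling.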
@@ -0,0 +1,367 @@ +{ + "properties": { + "config": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": 
"Defines the schema/API version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "bedrock": { + "properties": { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "minimum": 0, + "type": "number" + }, + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "enum": [ + "ollama", + "openai", + "raw" + ], + "type": "string" + }, + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream 
message format.", + "enum": [ + "ollama", + "openai" + ], + "type": "string" + }, + "output_cost": { + "description": "Defines the cost per 1M tokens in the output of the AI.", + "minimum": 0, + "type": "number" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, + "minimum": 0, + "type": "integer" + }, + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cohere", + "gemini", + "huggingface", + "llama2", + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "model_name_header": { + "default": true, + "description": "Display the model name selected in the X-Kong-LLM-Model response header", + "type": "boolean" + }, + "response_streaming": { + "default": "allow", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "enum": [ + "allow", + "always", + "deny" + ], + "type": "string" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. 
Set to `preserve` to pass through without transformation.", + "enum": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-rate-limiting-advanced/3.10.json b/json_schemas/ai-rate-limiting-advanced/3.10.json new file mode 100644 index 00000000..01df41c1 --- /dev/null +++ b/json_schemas/ai-rate-limiting-advanced/3.10.json 
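Review bot: The credential fields under `config.auth` (`aws_secret_access_key`, `azure_client_secret`, `gcp_service_account_json`, `header_value`, `param_value`) are declared as plain `"type": "string"` with nothing marking them as secrets. A UI, documentation generator or config dumper driven by this schema therefore cannot tell that it should mask them. I would add `"writeOnly": true` (JSON Schema draft-07 and later) to each of these properties, or carry over whatever sensitivity flag the plugin's own schema defines, if it has one. The same `auth` block appears under `config.llm.auth` in json_schemas/ai-request-transformer/3.10.json and in the ai-response-transformer hunk that continues past this view. If these files are exported rather than hand-written, the change belongs in the exporter and not in this file.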
@@ -0,0 +1,404 @@ +{ + "properties": { + "config": { + "properties": { + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "type": "string" + }, + "disable_penalty": { + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type and the request prompt provider.", + "type": "boolean" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "minimum": 0, + "type": "number" + }, + "error_hide_providers": { + "default": false, + "description": "Optionally hide informative response that would otherwise provide information about the provider in the error message.", + "type": "boolean" + }, + "error_message": { + "default": "AI token rate limit exceeded for provider(s): ", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" + }, + "identifier": { + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. 
Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "enum": [ + "consumer", + "consumer-group", + "credential", + "header", + "ip", + "path", + "service" + ], + "type": "string" + }, + "llm_providers": { + "description": "The provider config. Takes an array of `name`, `limit` and `window size` values.", + "items": { + "properties": { + "limit": { + "description": "The limit applies to the LLM provider within the defined window size. It used the query cost from the tokens to increment the counter.", + "type": "number" + }, + "name": { + "description": "The LLM provider to which the rate limit applies.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cohere", + "gemini", + "huggingface", + "llama2", + "mistral", + "openai", + "requestPrompt" + ], + "type": "string" + }, + "window_size": { + "description": "The window size to apply a limit (defined in seconds).", + "type": "number" + } + }, + "required": [ + "limit", + "name", + "window_size" + ], + "type": "object" + }, + "type": "array" + }, + "path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "request_prompt_count_function": { + "description": "If defined, it use custom function to count requests for the request prompt provider", + "type": "string" + }, + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + }, + "strategy": { + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + }, + "tokens_count_strategy": { + "default": "total_tokens", + "description": "What tokens to use for cost calculation. 
Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` or `cost`.", + "enum": [ + "completion_tokens", + "cost", + "prompt_tokens", + "total_tokens" + ], + "type": "string" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-request-transformer/3.10.json b/json_schemas/ai-request-transformer/3.10.json new file mode 100644 index 00000000..d3ad7417 --- /dev/null +++ b/json_schemas/ai-request-transformer/3.10.json 
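Review bot: `minLength` is a string keyword and has no effect on a value of `"type": "array"`, so the "minimum length of the array is 1 element" stated in the `cluster_nodes` and `sentinel_nodes` descriptions is not enforced by this schema. The same applies to `cluster_addresses` and `sentinel_addresses` under `shorthand_fields`; all four should use `"minItems": 1`. The Redis block at the end of the preceding file's hunk, which starts outside this view, carries the same entries. Separately, `redis.ssl` and `redis.ssl_verify` both default to `false`, so a configured `password` or `sentinel_password` travels over a connection that is neither encrypted nor verified unless the operator opts in, and the two password descriptions should state that dependency. The `strategy` description also lists only `local` and `cluster`, while its enum accepts `redis` as well.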
@@ -0,0 +1,385 @@ +{ + "properties": { + "config": { + "properties": { + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 60000, + "description": "Timeout in milliseconds for the AI upstream service.", + "type": "integer" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_verify": { + "default": true, + "description": "Verify the TLS certificate of the AI upstream service.", + "type": "boolean" + }, + "llm": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": 
"'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "bedrock": { + "properties": { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "minimum": 0, + "type": "number" + }, + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "enum": [ + "ollama", + "openai", + "raw" + ], + "type": "string" + }, + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "enum": [ + "ollama", + "openai" + ], + "type": "string" + }, + "output_cost": { + "description": "Defines the cost per 1M tokens in the output 
of the AI.", + "minimum": 0, + "type": "number" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, + "minimum": 0, + "type": "integer" + }, + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cohere", + "gemini", + "huggingface", + "llama2", + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. 
Set to `preserve` to pass through without transformation.", + "enum": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, + "prompt": { + "description": "Use this prompt to tune the LLM system/assistant message for the incoming proxy request (from the client), and what you are expecting in return.", + "type": "string" + }, + "transformation_extract_pattern": { + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the request phase. The first match will be set as the outgoing body. If the AI service's response doesn't match this pattern, it is marked as a failure.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-response-transformer/3.10.json b/json_schemas/ai-response-transformer/3.10.json new file mode 100644 index 00000000..a38e4531 --- /dev/null +++ b/json_schemas/ai-response-transformer/3.10.json 
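Review bot: `config.http_timeout` is a bare `"type": "integer"` with a default of 60000 and no `minimum` or `maximum`, so zero, negative or arbitrarily large values pass validation against this schema. The port fields beside it are bounded (0 to 65535), and the Redis timeout fields in json_schemas/ai-rate-limiting-advanced/3.10.json are bounded (0 to 2147483646). If the plugin applies the same limits to this timeout, the schema should say so with `"minimum": 0, "maximum": 2147483646`. If it does not, the description should state what a zero or negative value means for the call to the AI upstream.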
@@ -0,0 +1,403 @@ +{ + "properties": { + "config": { + "properties": { + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 60000, + "description": "Timeout in milliseconds for the AI upstream service.", + "type": "integer" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_verify": { + "default": true, + "description": "Verify the TLS certificate of the AI upstream service.", + "type": "boolean" + }, + "llm": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": 
"'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "bedrock": { + "properties": { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "minimum": 0, + "type": "number" + }, + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "enum": [ + "ollama", + "openai", + "raw" + ], + "type": "string" + }, + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "enum": [ + "ollama", + "openai" + ], + "type": "string" + }, + "output_cost": { + "description": "Defines the cost per 1M tokens in the output 
of the AI.", + "minimum": 0, + "type": "number" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, + "minimum": 0, + "type": "integer" + }, + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cohere", + "gemini", + "huggingface", + "llama2", + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "enum": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, + "parse_llm_response_json_instructions": { + "default": false, + "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. 
You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions.", + "type": "boolean" + }, + "prompt": { + "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting.", + "type": "string" + }, + "transformation_extract_pattern": { + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the response phase. The first match will be set as the returning body. If the AI service's response doesn't match this pattern, a failure is returned to the client.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-semantic-cache/3.10.json b/json_schemas/ai-semantic-cache/3.10.json new file mode 100644 index 00000000..633270b1 --- /dev/null +++ b/json_schemas/ai-semantic-cache/3.10.json 
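Review bot: The credential fields under `config.llm.auth` (`aws_secret_access_key`, `azure_client_secret`, `gcp_service_account_json`, `header_value`, `param_value`) are declared as plain `"type": "string"` with nothing that marks them as secrets. Tooling driven by this schema therefore has no signal to mask them in forms, logs or exported configuration. If the schema export can carry it, add `"writeOnly": true` to each of them; otherwise extend each description with a sentence such as `Treat as a secret; prefer a secret-store reference over a literal value where the gateway supports it.` The same applies to `embeddings.auth` and to `vectordb.redis.password` / `sentinel_password` in `json_schemas/ai-semantic-cache/3.10.json`.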
@@ -0,0 +1,456 @@ +{ + "properties": { + "config": { + "properties": { + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "minimum": 0, + "type": "integer" + }, + "embeddings": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "upstream_url": { + "description": "upstream url for the embeddings", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "provider": { + "description": "AI provider format to use for embeddings API", + "enum": [ + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "exact_caching": { + "default": false, + "description": "When enabled, a first check for exact query will be done. 
It will impact DB size", + "type": "boolean" + }, + "ignore_assistant_prompts": { + "default": false, + "description": "Ignore and discard any assistant prompts when Vectorizing the request", + "type": "boolean" + }, + "ignore_system_prompts": { + "default": false, + "description": "Ignore and discard any system prompts when Vectorizing the request", + "type": "boolean" + }, + "ignore_tool_prompts": { + "default": false, + "description": "Ignore and discard any tool prompts when Vectorizing the request", + "type": "boolean" + }, + "message_countback": { + "default": 1, + "description": "Number of messages in the chat history to Vectorize/Cache", + "maximum": 1000, + "minimum": 1, + "type": "number" + }, + "stop_on_failure": { + "default": false, + "description": "Halt the LLM request process in case of a caching system failure", + "type": "boolean" + }, + "vectordb": { + "properties": { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "type": "integer" + }, + "distance_metric": { + "description": "the distance metric to use for vector searches", + "enum": [ + "cosine", + "euclidean" + ], + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "description": "which vector database driver to use", + "enum": [ + "redis" + ], + "type": "string" + }, + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float)", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-semantic-prompt-guard/3.10.json b/json_schemas/ai-semantic-prompt-guard/3.10.json new file mode 100644 index 00000000..c979375d --- /dev/null +++ b/json_schemas/ai-semantic-prompt-guard/3.10.json 
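Review bot: `vectordb.redis.ssl` and `vectordb.redis.ssl_verify` both default to `false`, and neither description says what that means for the connection. As declared, the link to the Redis store (which presumably holds the cached entries) is plaintext unless changed, and setting `ssl` alone still leaves the server certificate unchecked. I would extend the `ssl` description with `Enable together with ssl_verify; while ssl_verify is false the server certificate is not checked.` and add to `password` that it is sent unencrypted while `ssl` is false. The defaults presumably mirror the plugin, so changing them would have to happen there rather than in this file.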
@@ -0,0 +1,476 @@ +{ + "properties": { + "config": { + "properties": { + "embeddings": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "upstream_url": { + "description": "upstream url for the embeddings", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "provider": { + "description": "AI provider format to use for embeddings API", + "enum": [ + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "rules": { + "properties": { + "allow_prompts": { + "description": "List of prompts to allow.", + "items": { + "maxLength": 500, + "minLength": 1, + "required": [ + + ], + "type": "string" + }, + "maxLength": 100, + "type": "array" + }, + "deny_prompts": { + 
"description": "List of prompts to deny.", + "items": { + "maxLength": 500, + "minLength": 1, + "required": [ + + ], + "type": "string" + }, + "maxLength": 100, + "type": "array" + }, + "match_all_conversation_history": { + "default": false, + "description": "If false, will ignore all previous chat prompts from the conversation history.", + "type": "boolean" + }, + "match_all_roles": { + "default": false, + "description": "If true, will match all roles in addition to 'user' role in conversation history.", + "type": "boolean" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "search": { + "properties": { + "threshold": { + "default": 0.5, + "description": "Threshold for the similarity score to be considered a match.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "vectordb": { + "properties": { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "type": "integer" + }, + "distance_metric": { + "description": "the distance metric to use for vector searches", + "enum": [ + "cosine", + "euclidean" + ], + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "description": "which vector database driver to use", + "enum": [ + "redis" + ], + "type": "string" + }, + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float)", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/app-dynamics/3.10.json b/json_schemas/app-dynamics/3.10.json new file mode 100644 index 00000000..fa37327f --- /dev/null +++ b/json_schemas/app-dynamics/3.10.json 
@@ -0,0 +1,77 @@ +{ + "properties": { + "config": { + "additionalProperties": true, + "properties": { + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/application-registration/3.10.json b/json_schemas/application-registration/3.10.json new file mode 100644 index 00000000..42680aeb --- /dev/null +++ b/json_schemas/application-registration/3.10.json 
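Review bot: `config` is declared with `"additionalProperties": true` and an empty `properties` object, so nothing under `config` is validated; a misspelled or unexpected key is accepted silently. If the plugin takes no per-instance settings (its configuration may live outside the plugin entity, which is not visible here), say so in a `description` on `config` and consider `"additionalProperties": false` to match the closed `consumer`, `route` and `service` objects in the same file. If this file is generated, the change belongs in the source schema rather than here.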
@@ -0,0 +1,60 @@ +{ + "properties": { + "config": { + "properties": { + "auto_approve": { + "default": false, + "description": "If enabled, all new Service Contracts requests are automatically approved.", + "type": "boolean" + }, + "description": { + "description": "Unique description displayed in information about a Service in the Developer Portal.", + "type": "string" + }, + "display_name": { + "description": "Unique display name used for a Service in the Developer Portal.", + "type": "string" + }, + "enable_proxy_with_consumer_credential": { + "default": false, + "description": "If enabled, the Route of the Service can be accessed using the Consumer's credential", + "type": "boolean" + }, + "show_issuer": { + "default": false, + "description": "Displays the **Issuer URL** in the **Service Details** dialog.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/aws-lambda/3.10.json b/json_schemas/aws-lambda/3.10.json new file mode 100644 index 00000000..5bbe2019 --- /dev/null +++ b/json_schemas/aws-lambda/3.10.json 
@@ -0,0 +1,221 @@ +{ + "properties": { + "config": { + "properties": { + "aws_assume_role_arn": { + "description": "The target AWS IAM role ARN used to invoke the Lambda function.", + "type": "string" + }, + "aws_imds_protocol_version": { + "default": "v1", + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", + "enum": [ + "v1", + "v2" + ], + "type": "string" + }, + "aws_key": { + "description": "The AWS key credential to be used when invoking the function.", + "type": "string" + }, + "aws_region": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "aws_role_session_name": { + "default": "kong", + "description": "The identifier of the assumed role session.", + "type": "string" + }, + "aws_secret": { + "description": "The AWS secret credential to be used when invoking the function. ", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "awsgateway_compatible": { + "default": false, + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", + "type": "boolean" + }, + "base64_encode_body": { + "default": true, + "description": "An optional value that Base64-encodes the request body.", + "type": "boolean" + }, + "disable_https": { + "default": false, + "type": "boolean" + }, + "empty_arrays_mode": { + "default": "legacy", + "description": "An optional value that defines whether Kong should send empty arrays (returned by Lambda function) as `[]` arrays or `{}` objects in JSON responses. 
The value `legacy` means Kong will send empty arrays as `{}` objects in response", + "enum": [ + "correct", + "legacy" + ], + "type": "string" + }, + "forward_request_body": { + "default": false, + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. ", + "type": "boolean" + }, + "forward_request_headers": { + "default": false, + "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", + "type": "boolean" + }, + "forward_request_method": { + "default": false, + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", + "type": "boolean" + }, + "forward_request_uri": { + "default": false, + "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", + "type": "boolean" + }, + "function_name": { + "description": "The AWS Lambda function to invoke. Both function name and function ARN (including partial) are supported.", + "type": "string" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "invocation_type": { + "default": "RequestResponse", + "description": "The InvocationType to use when invoking the function. 
Available types are RequestResponse, Event, DryRun.", + "enum": [ + "DryRun", + "Event", + "RequestResponse" + ], + "type": "string" + }, + "is_proxy_integration": { + "default": false, + "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "number" + }, + "log_type": { + "default": "Tail", + "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", + "enum": [ + "None", + "Tail" + ], + "type": "string" + }, + "port": { + "default": 443, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "proxy_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "qualifier": { + "description": "The qualifier to use when invoking the function.", + "type": "string" + }, + "skip_large_bodies": { + "default": true, + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", + "type": "boolean" + }, + "timeout": { + "default": 60000, + "description": "An optional timeout in milliseconds when invoking the function.", + "type": "number" + }, + "unhandled_status": { + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", + "maximum": 999, + "minimum": 100, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/azure-functions/3.10.json b/json_schemas/azure-functions/3.10.json new file mode 100644 index 00000000..66d15b39 --- /dev/null +++ b/json_schemas/azure-functions/3.10.json 
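Review bot: `disable_https` is the one property under `config` with no `description`, and by its name it downgrades the transport used for the Lambda invocation. I would add a description stating that setting it to true sends the invocation over plain HTTP and that it should stay false outside a local test endpoint, with the wording confirmed against the plugin. `aws_imds_protocol_version` defaults to `v1`; its description should note that `v2` is the session-token variant and the safer choice where the host supports it. `aws_key` and `aws_secret` are plain `string` properties with nothing marking them sensitive, so adding `"writeOnly": true` would let schema-driven tooling mask them. The same applies to `apikey` in the azure-functions hunk and to `cluster_api_secret` / `confluent_cloud_api_secret` in the confluent hunk.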
@@ -0,0 +1,129 @@ +{ + "properties": { + "config": { + "properties": { + "apikey": { + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", + "type": "string" + }, + "appname": { + "description": "The Azure app name.", + "type": "string" + }, + "clientid": { + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.", + "type": "string" + }, + "functionname": { + "description": "Name of the Azure function to invoke.", + "type": "string" + }, + "hostdomain": { + "default": "azurewebsites.net", + "description": "The domain where the function resides.", + "type": "string" + }, + "https": { + "default": true, + "description": "Use of HTTPS to connect with the Azure Functions server.", + "type": "boolean" + }, + "https_verify": { + "default": false, + "description": "Set to `true` to authenticate the Azure Functions server.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", + "type": "number" + }, + "routeprefix": { + "default": "api", + "description": "Route prefix to use.", + "type": "string" + }, + "timeout": { + "default": 600000, + "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/basic-auth/3.10.json b/json_schemas/basic-auth/3.10.json new file mode 100644 index 00000000..da803a97 --- /dev/null +++ b/json_schemas/basic-auth/3.10.json 
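Review bot: `https_verify` defaults to `false` while `https` defaults to `true`, so with the defaults shown the connection is encrypted but the server certificate is not checked, and `apikey` / `clientid` are injected as `x-functions-key` / `x-functions-clientid` headers on that connection. The description should state the consequence, for example `"description": "Set to true to verify the Azure Functions server certificate. When false (the default), the function key is sent without authenticating the server."`. The `protocols` item enum in this file also lists `tcp`, `tls`, `tls_passthrough`, `udp`, `ws` and `wss`, unlike the sibling schemas and its own default; worth confirming that is intended for an HTTP-invoking plugin.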
@@ -0,0 +1,81 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", + "type": "boolean" + }, + "realm": { + "default": "service", + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/bot-detection/3.10.json b/json_schemas/bot-detection/3.10.json new file mode 100644 index 00000000..2233a89d --- /dev/null +++ b/json_schemas/bot-detection/3.10.json 
@@ -0,0 +1,91 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "default": [ + + ], + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", + "items": { + "is_regex": true, + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "deny": { + "default": [ + + ], + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", + "items": { + "is_regex": true, + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/canary/3.10.json b/json_schemas/canary/3.10.json new file mode 100644 index 00000000..39072c60 --- /dev/null +++ b/json_schemas/canary/3.10.json 
@@ -0,0 +1,142 @@ +{ + "properties": { + "config": { + "properties": { + "canary_by_header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "duration": { + "default": 3600, + "description": "The duration of the canary release in seconds.", + "minimum": 0, + "type": "number" + }, + "groups": { + "description": "The groups allowed to access the canary release.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "hash": { + "default": "consumer", + "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", + "enum": [ + "allow", + "consumer", + "deny", + "header", + "ip", + "none" + ], + "type": "string" + }, + "hash_header": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "percentage": { + "description": "The percentage of traffic to be routed to the canary release.", + "maximum": 100, + "minimum": 0, + "type": "number" + }, + "start": { + "description": "Future time in seconds since epoch, when the canary release will start. 
Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`.", + "type": "number" + }, + "steps": { + "default": 1000, + "description": "The number of steps for the canary release.", + "minimum": 1, + "type": "number" + }, + "upstream_fallback": { + "default": false, + "description": "Specifies whether to fallback to the upstream server if the canary release fails.", + "type": "boolean" + }, + "upstream_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "upstream_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "upstream_uri": { + "description": "The URI of the upstream server to be used for the canary release.", + "minLength": 1, + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "hash": { + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead.", + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/confluent/3.10.json b/json_schemas/confluent/3.10.json new file mode 100644 index 00000000..2eda69cb --- /dev/null +++ b/json_schemas/confluent/3.10.json 
@@ -0,0 +1,207 @@ +{ + "properties": { + "config": { + "properties": { + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_api_key": { + "description": "Username/Apikey for SASL authentication.", + "type": "string" + }, + "cluster_api_secret": { + "description": "Password/ApiSecret for SASL authentication.", + "type": "string" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "confluent_cloud_api_key": { + "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", + "type": "string" + }, + "confluent_cloud_api_secret": { + "description": "The corresponding secret for the Confluent Cloud API key.", + "type": "string" + }, + "forward_body": { + "default": true, + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_headers": { + "default": false, + "description": "Include the request headers in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_method": { + "default": false, + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_uri": { + "default": false, + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "Keepalive timeout in milliseconds.", + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + }, + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + }, + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + }, + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "enum": [ + -1, + 0, + 1 + ], + "type": "integer" + }, + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + }, + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single producer request.", + "type": "integer" + }, + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + }, + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + }, + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topic": { + "description": "The Kafka topic to publish to.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/correlation-id/3.10.json b/json_schemas/correlation-id/3.10.json new file mode 100644 index 00000000..776a2f3e --- /dev/null +++ b/json_schemas/correlation-id/3.10.json 
@@ -0,0 +1,96 @@ +{ + "properties": { + "config": { + "properties": { + "echo_downstream": { + "default": false, + "description": "Whether to echo the header back to downstream (the client).", + "type": "boolean" + }, + "generator": { + "default": "uuid#counter", + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", + "enum": [ + "tracker", + "uuid", + "uuid#counter" + ], + "type": "string" + }, + "header_name": { + "default": "Kong-Request-ID", + "description": "The HTTP header name to use for the correlation ID.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/cors/3.10.json b/json_schemas/cors/3.10.json new file mode 100644 index 00000000..b0254d05 --- /dev/null +++ b/json_schemas/cors/3.10.json 
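Review bot: The `consumer` description reads "requests where the specified has been authenticated", which drops the noun and ends in ".)."; I would change it to `If set, the plugin will activate only for requests where the specified consumer has been authenticated. (Note that some plugins cannot be restricted to consumers this way.)`. The same sentence is repeated in the datadog, exit-transformer, file-log, forward-proxy and graphql-proxy-cache-advanced hunks. In this file the `generator` description also links to `[Generators](#generators)`, an in-page anchor that has nothing to resolve against inside a schema. `protocols` is described as "HTTP protocols" although its enum includes `grpc` and `grpcs`.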
@@ -0,0 +1,145 @@ +{ + "properties": { + "config": { + "properties": { + "credentials": { + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", + "type": "boolean" + }, + "exposed_headers": { + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "description": "Value for the `Access-Control-Allow-Headers` header.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "max_age": { + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`.", + "type": "number" + }, + "methods": { + "default": [ + "CONNECT", + "DELETE", + "GET", + "HEAD", + "OPTIONS", + "PATCH", + "POST", + "PUT", + "TRACE" + ], + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", + "items": { + "enum": [ + "CONNECT", + "DELETE", + "GET", + "HEAD", + "OPTIONS", + "PATCH", + "POST", + "PUT", + "TRACE" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "origins": { + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. 
The accepted values can either be flat strings or PCRE regexes.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "preflight_continue": { + "default": false, + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", + "type": "boolean" + }, + "private_network": { + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "minLength": 1, + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/datadog-tracing/3.10.json b/json_schemas/datadog-tracing/3.10.json new file mode 100644 index 00000000..9774fc0f --- /dev/null +++ b/json_schemas/datadog-tracing/3.10.json 
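Review bot: The `origins` description says entries may be "flat strings or PCRE regexes" but does not say how an entry is classified as one or the other, or that a regex entry needs its literal dots escaped. An unescaped `.` matches any character, so an entry written as a hostname can match origins other than the intended one. I would append a sentence such as `In a regex entry, escape literal dots and anchor the expression so that only the intended origins match.`; whether the plugin anchors the match itself is not visible in this hunk and should be confirmed before wording it. Separately, the `methods` description is wrapped in stray single quotes inside the JSON string (`"'Value for ... are allowed.'"`).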
@@ -0,0 +1,113 @@ +{ + "properties": { + "config": { + "properties": { + "batch_flush_delay": { + "default": 3, + "type": "integer" + }, + "batch_span_count": { + "default": 200, + "type": "integer" + }, + "connect_timeout": { + "default": 1000, + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "endpoint": { + "type": "string" + }, + "environment": { + "default": "none", + "type": "string" + }, + "read_timeout": { + "default": 5000, + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 5000, + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "service_name": { + "default": "kong", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/datadog/3.10.json b/json_schemas/datadog/3.10.json new file mode 100644 index 00000000..fbc2d98e --- /dev/null +++ b/json_schemas/datadog/3.10.json 
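Review bot: None of the eight `config` properties in this schema has a `description`, unlike the other schemas in this patch, so the units of `batch_flush_delay`, `connect_timeout`, `read_timeout` and `send_timeout` cannot be read from the schema. Each property should get a one-sentence description that states its unit and what it controls. `endpoint` is a bare string with no `format` or `pattern`; if it is meant to be a URL, the description should say which schemes are accepted, because this is the address trace data is sent to.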
@@ -0,0 +1,263 @@ +{ + "properties": { + "config": { + "properties": { + "consumer_tag": { + "default": "consumer", + "description": "String to be attached as tag of the consumer.", + "type": "string" + }, + "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" + }, + "host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "metrics": { + "default": [ + { + "consumer_identifier": "custom_id", + "name": "kong_latency", + "sample_rate": 1, + "stat_type": "timer", + "tags": [ + "app:kong" + ] + } + ], + "description": "List of metrics to be logged.", + "items": { + "properties": { + "consumer_identifier": { + "description": "Authenticated user detail", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "description": "Datadog metric’s name", + "enum": [ + "kong_latency", + "latency", + "request_count", + "request_size", + "response_size", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "description": "Sampling rate", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "stat_type": { + "description": "Determines what sort of event the metric represents", + "enum": [ + "counter", + "distribution", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + }, + "tags": { + "description": "List of tags", + "items": { + "pattern": "^.*[^:]$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "name", + "stat_type" + ], + "type": "object" + }, + "type": "array" + }, + "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to be attached as a 
prefix to a metric's name.", + "type": "string" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "queue_size": { + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" + }, + "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" + }, + "service_name_tag": { + "default": "name", + "description": "String to be attached as the name of 
the service.", + "type": "string" + }, + "status_tag": { + "default": "status", + "description": "String to be attached as the tag of the HTTP status.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/degraphql/3.10.json b/json_schemas/degraphql/3.10.json new file mode 100644 index 00000000..4d44acc6 --- /dev/null 
+++ b/json_schemas/degraphql/3.10.json @@ -0,0 +1,68 @@ +{ + "properties": { + "config": { + "properties": { + "graphql_server_path": { + "default": "/graphql", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/exit-transformer/3.10.json b/json_schemas/exit-transformer/3.10.json new file mode 100644 index 00000000..f65b3b1f --- /dev/null +++ b/json_schemas/exit-transformer/3.10.json 
@@ -0,0 +1,95 @@ +{ + "properties": { + "config": { + "properties": { + "functions": { + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "handle_unexpected": { + "default": false, + "description": "Determines whether to handle unexpected errors by transforming their responses.", + "type": "boolean" + }, + "handle_unknown": { + "default": false, + "description": "Determines whether to handle unknown status codes by transforming their responses.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/file-log/3.10.json b/json_schemas/file-log/3.10.json new file mode 100644 index 00000000..7b34b71e --- /dev/null +++ b/json_schemas/file-log/3.10.json 
@@ -0,0 +1,98 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "path": { + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", + "pattern": "^[^*&%%\\`]+$", + "type": "string" + }, + "reopen": { + "default": false, + "description": "Determines whether the log file is closed and reopened on every request.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/forward-proxy/3.10.json b/json_schemas/forward-proxy/3.10.json new file mode 100644 index 00000000..ad6b829b --- /dev/null +++ b/json_schemas/forward-proxy/3.10.json 
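Review bot: The `path` pattern `^[^*&%%\\`]+$` looks like a Lua pattern copied verbatim into a JSON Schema `pattern`, which is interpreted as an ECMA-262 regular expression. Under that dialect `%%` is just `%` twice and the escaped backtick is an identity escape, so a backslash is not excluded and a standard validator can accept paths the gateway would presumably reject. If backslash is meant to be forbidden, the JSON form would be `` "pattern": "^[^*&%\\\\`]+$" ``. The pattern also places no restriction on directory or on `..` segments, so the description should state that the value is any path writable by the gateway process. `custom_fields_by_lua` is documented as Lua code with `additionalProperties: true`, which argues for saying in the descriptions that write access to this plugin's configuration should be limited to trusted administrators.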
@@ -0,0 +1,135 @@ +{ + "properties": { + "config": { + "properties": { + "auth_password": { + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "type": "string" + }, + "auth_username": { + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "type": "string" + }, + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_verify": { + "default": false, + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "type": "boolean" + }, + "proxy_scheme": { + "default": "http", + "description": "The proxy scheme to use when connecting. Only `http` is supported.", + "enum": [ + "http" + ], + "type": "string" + }, + "x_headers": { + "default": "append", + "description": "Determines how to handle headers when forwarding the request.", + "enum": [ + "append", + "delete", + "transparent" + ], + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "proxy_host": { + "type": "string" + }, + "proxy_port": { + "type": "integer" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/graphql-proxy-cache-advanced/3.10.json b/json_schemas/graphql-proxy-cache-advanced/3.10.json new file mode 100644 index 00000000..fbd4614b --- /dev/null +++ b/json_schemas/graphql-proxy-cache-advanced/3.10.json 
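Review bot: `https_verify` defaults to `false`, so a configuration that leaves it unset does not verify the server certificate, and the description does not spell out that consequence. I would extend the description with `When false, the server certificate is not checked; set this to true and configure lua_ssl_trusted_certificate outside of testing.` The `auth_password` and `auth_username` descriptions contain a literal `\n` in mid-sentence ("protected\nby basic authentication"), which should be a space. `shorthand_fields` is not a JSON Schema keyword, so `proxy_host` and `proxy_port` are ignored by a standard validator rather than checked.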
@@ -0,0 +1,300 @@ +{ + "properties": { + "config": { + "properties": { + "bypass_on_err": { + "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "minimum": 0, + "type": "integer" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "default": "memory", + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", + "enum": [ + "memory", + "redis" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/graphql-rate-limiting-advanced/3.10.json b/json_schemas/graphql-rate-limiting-advanced/3.10.json new file mode 100644 index 00000000..d7a3788e --- /dev/null +++ b/json_schemas/graphql-rate-limiting-advanced/3.10.json 
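Review bot: Several constraints in `config` do not enforce what their descriptions promise. `cache_ttl` says "Must be a value greater than 0" but carries `"minimum": 0`, which accepts 0; depending on the schema draft in use this should be `"exclusiveMinimum": 0` or `"minimum": 1`. `cluster_nodes`, `sentinel_nodes` and the two shorthand address arrays use `"minLength": 1`, which applies to strings and is ignored for arrays, so the stated one-element minimum needs `"minItems": 1`; the graphql-rate-limiting-advanced hunk that follows appears to repeat this, but it continues past the visible lines. The `strategy` description says the accepted value is `memory` while the enum also allows `redis`. Both `redis.ssl` and `redis.ssl_verify` default to `false`, so the `password` and `sentinel_password` values travel unencrypted unless the operator opts in; the `ssl` description should say so.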
@@ -0,0 +1,343 @@ +{ + "properties": { + "config": { + "properties": { + "cost_strategy": { + "default": "default", + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", + "enum": [ + "default", + "node_quantifier" + ], + "type": "string" + }, + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters will be stored until the next sync cycle.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers. Available options: `true` or `false`.", + "type": "boolean" + }, + "identifier": { + "default": "consumer", + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", + "enum": [ + "consumer", + "credential", + "ip" + ], + "type": "string" + }, + "limit": { + "description": "One or more requests-per-window limits to apply.", + "items": { + "required": [ + + ], + "type": "number" + }, + "type": "array" + }, + "max_cost": { + "default": 0, + "description": "A defined maximum cost per query. 0 means unlimited.", + "type": "number" + }, + "namespace": { + "description": "The rate limiting namespace to use for this plugin instance. This namespace is used to share rate limiting counters across different instances. If it is not provided, a random UUID is generated. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "score_factor": { + "default": 1, + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", + "minimum": 0, + "type": "number" + }, + "strategy": { + "default": "cluster", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", + "enum": [ + "cluster", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.", + "type": "number" + }, + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds).", + "items": { + "required": [ + + ], + "type": "number" + }, + "type": "array" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window to either `sliding` or `fixed`.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/grpc-gateway/3.10.json b/json_schemas/grpc-gateway/3.10.json new file mode 100644 index 00000000..2ae37a8c --- /dev/null +++ b/json_schemas/grpc-gateway/3.10.json 
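Review bot: `cluster_nodes` and `sentinel_nodes` under `config.redis` pair `"type": "array"` with `"minLength": 1`, but in JSON Schema `minLength` constrains strings only, so the "minimum length of the array is 1 element" promised in both descriptions is not enforced by a standard validator; `"minItems": 1` is the keyword that does. The same pairing appears in `shorthand_fields` (`cluster_addresses`, `sentinel_addresses`) here and in the tail of the preceding schema. Separately, `score_factor` is described as "must always be greater than 0" while `"minimum": 0` accepts 0, a value that would presumably zero out every query cost and with it the limit; `"exclusiveMinimum": 0` would match the text if the consuming validator uses draft-06 or later. These files look machine-exported, so the fix likely belongs in the exporter or the upstream plugin schema rather than in this file.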
@@ -0,0 +1,87 @@ +{ + "properties": { + "config": { + "properties": { + "proto": { + "description": "Describes the gRPC types and methods.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/grpc-web/3.10.json b/json_schemas/grpc-web/3.10.json new file mode 100644 index 00000000..31f56172 --- /dev/null +++ b/json_schemas/grpc-web/3.10.json 
@@ -0,0 +1,96 @@ +{ + "properties": { + "config": { + "properties": { + "allow_origin_header": { + "default": "*", + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", + "type": "string" + }, + "pass_stripped_path": { + "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", + "type": "boolean" + }, + "proto": { + "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/header-cert-auth/3.10.json b/json_schemas/header-cert-auth/3.10.json new file mode 100644 index 00000000..cd742de3 --- /dev/null +++ b/json_schemas/header-cert-auth/3.10.json 
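Review bot: The `proto` description names the content type as `application/grpw-web+proto`, which looks like a typo for `application/grpc-web+proto`; a reader copying it into a client would send a type the plugin presumably does not recognise. `allow_origin_header` defaults to `*`, and its description only says which response header it sets, so a reader cannot tell that the default permits every origin. I would append a sentence to that description, for example "Defaults to `*`, which allows any origin; set a specific origin to restrict browser access."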
@@ -0,0 +1,181 @@ +{ + "properties": { + "config": { + "properties": { + "allow_partial_chain": { + "default": false, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "type": "boolean" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "authenticated_group_by": { + "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "enum": [ + "CN", + "DN" + ], + "type": "string" + }, + "ca_certificates": { + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", + "items": { + "required": [ + + ], + "type": "string", + "uuid": true + }, + "type": "array" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "cert_cache_ttl": { + "default": 60000, + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", + "type": "number" + }, + "certificate_header_format": { + "description": "Format of the certificate header. 
Supported formats: `base64_encoded`, `url_encoded`.", + "enum": [ + "base64_encoded", + "url_encoded" + ], + "type": "string" + }, + "certificate_header_name": { + "description": "Name of the header that contains the certificate, received from the WAF or other L7 downstream proxy.", + "type": "string" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "items": { + "enum": [ + "custom_id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "default_consumer": { + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "revocation_check_mode": { + "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. 
If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "enum": [ + "IGNORE_CA_ERROR", + "SKIP", + "STRICT" + ], + "type": "string" + }, + "secure_source": { + "default": true, + "description": "Whether to secure the source of the request. If set to `true`, the plugin will only allow requests from trusted IPs (configured by the `trusted_ips` config option).", + "type": "boolean" + }, + "skip_consumer_lookup": { + "default": false, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/hmac-auth/3.10.json b/json_schemas/hmac-auth/3.10.json new file mode 100644 index 00000000..1e3ae8ec 
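Review bot: The `secure_source` description points at a `trusted_ips` config option, but `config` in this schema defines no such property, so it is unclear where the trusted addresses come from; presumably it is the node-level `trusted_ips` setting in `kong.conf`, and the text should name it explicitly. That matters because the plugin takes the client certificate from a request header (`certificate_header_name`), so the source restriction is the control that keeps the header from being set by anyone other than the fronting proxy. `ca_certificates` says "At least one is required", yet it is not listed in `required` and has no `minItems`, so a missing or empty list passes schema validation. `revocation_check_mode` defaults to `IGNORE_CA_ERROR`, which by its own description does not fail on network issues; a sentence pointing to `STRICT` for deployments that must fail closed would help.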
--- /dev/null +++ b/json_schemas/hmac-auth/3.10.json 
@@ -0,0 +1,126 @@ +{ + "properties": { + "config": { + "properties": { + "algorithms": { + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", + "items": { + "enum": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "anonymous": { + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + }, + "clock_skew": { + "default": 300, + "description": "Clock skew in seconds to prevent replay attacks.", + "minimum": 0, + "type": "number" + }, + "enforce_headers": { + "default": [ + + ], + "description": "A list of headers that the client should at least use for HTTP signature creation.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "type": "boolean" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "validate_request_body": { + "default": false, + "description": "A boolean value telling the plugin to enable body validation.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/http-log/3.10.json b/json_schemas/http-log/3.10.json new file mode 100644 index 00000000..2d6b5c6c --- /dev/null +++ b/json_schemas/http-log/3.10.json 
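Review bot: `validate_request_body` defaults to `false` and is described only as "A boolean value telling the plugin to enable body validation", which does not say what is validated or what the default leaves unchecked. For an authentication plugin that is worth spelling out, for example "When `true`, the request body is validated as part of signature verification; when `false` (default), the body is not checked." That wording needs confirming against the plugin's actual behaviour. The `algorithms` description is missing its closing period, and it does not mention that the default list enables all four digests, including `hmac-sha1`, so operators who want a narrower set have to infer that from the `default` array.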
@@ -0,0 +1,199 @@ +{ + "properties": { + "config": { + "properties": { + "content_type": { + "default": "application/json", + "description": "Indicates the type of data sent. The only available option is `application/json`.", + "enum": [ + "application/json", + "application/json; charset=utf-8" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" + }, + "headers": { + "additionalProperties": true, + "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", + "type": "object" + }, + "http_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", + "type": "number" + }, + "method": { + "default": "POST", + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", + "enum": [ + "PATCH", + "POST", + "PUT" + ], + "type": "string" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. 
-1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "queue_size": { + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" + }, + "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, 
the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/injection-protection/3.10.json b/json_schemas/injection-protection/3.10.json new file mode 100644 index 00000000..52949341 --- /dev/null +++ b/json_schemas/injection-protection/3.10.json 
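Review bot: `custom_fields_by_lua` is described as "Lua code as a key-value map" and sets `"additionalProperties": true` with no type on the values, so nothing in the schema tells a reader that the values are code (presumably evaluated by the gateway when a log entry is built) rather than static strings. I would say so in the description and constrain the values, e.g. `"additionalProperties": { "type": "string" }`. `headers` has the same open shape although its description says each header name accepts a single string. Two documentation errors sit in the same section: `content_type` says "The only available option is `application/json`" while the enum also lists `application/json; charset=utf-8`, and `concurrency_limit` reads "The number of of queue delivery timers".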
@@ -0,0 +1,146 @@ +{ + "properties": { + "config": { + "properties": { + "custom_injections": { + "default": null, + "description": "Custom regexes to check for.", + "items": { + "properties": { + "name": { + "description": "A unique name for this injection.", + "type": "string" + }, + "regex": { + "description": "The regex to match against.", + "is_regex": true, + "type": "string" + } + }, + "required": [ + "name", + "regex" + ], + "type": "object" + }, + "type": "array" + }, + "enforcement_mode": { + "default": "block", + "description": "Enforcement mode of the security policy.", + "enum": [ + "block", + "log_only" + ], + "type": "string" + }, + "error_message": { + "default": "Bad Request", + "description": "The response message when validation fails", + "type": "string" + }, + "error_status_code": { + "default": 400, + "description": "The response status code when validation fails.", + "maximum": 499, + "minimum": 400, + "type": "integer" + }, + "injection_types": { + "default": [ + "sql" + ], + "description": "The type of injections to check for.", + "items": { + "enum": [ + "java_exception", + "js", + "sql", + "ssi", + "xpath_abbreviated", + "xpath_extended" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "locations": { + "default": [ + "path_and_query" + ], + "description": "The locations to check for injection.", + "items": { + "enum": [ + "body", + "headers", + "path_and_query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified 
route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ip-restriction/3.10.json b/json_schemas/ip-restriction/3.10.json new file mode 100644 index 00000000..83800949 --- /dev/null +++ b/json_schemas/ip-restriction/3.10.json 
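Review bot: With the defaults in this schema the plugin inspects only `sql` patterns in `path_and_query`; `body`, `headers` and the other five `injection_types` are off unless listed, and neither description says so. A sentence on `locations` such as "Only the listed locations are inspected; `body` and `headers` are not checked by default." (and the equivalent on `injection_types`) would keep operators from assuming broader coverage. `custom_injections` declares `"default": null` next to `"type": "array"`, which a strict validator treats as a type mismatch; dropping the default or using `[]` would be consistent.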
@@ -0,0 +1,128 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", + "items": { + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "deny": { + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", + "items": { + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "message": { + "description": "The message to send as a response body to rejected requests.", + "type": "string" + }, + "status": { + "description": "The HTTP status of the requests that will be rejected by the plugin.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/jq/3.10.json b/json_schemas/jq/3.10.json new file mode 100644 index 00000000..7a686c75 --- /dev/null +++ b/json_schemas/jq/3.10.json 
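Review bot: The rule stated in the `allow` and `deny` descriptions, that one of the two must be specified, is not expressed in the schema: `config.required` is empty, so a config with neither list validates against this file. Tools that rely on this schema for validation would accept an ip-restriction instance that carries no rule at all. If the consumers of these files evaluate standard JSON Schema keywords, `"anyOf": [{"required": ["allow"]}, {"required": ["deny"]}]` on `config` states the rule. `status` is also typed `number` with no bounds, so fractional and non-HTTP values pass; `"type": "integer"` with `minimum`/`maximum`, as on the items of `response_if_status_code` in the jq schema of this patch, would be tighter.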
@@ -0,0 +1,176 @@ +{ + "properties": { + "config": { + "properties": { + "request_if_media_type": { + "default": [ + "application/json" + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "request_jq_program": { + "type": "string" + }, + "request_jq_program_options": { + "properties": { + "ascii_output": { + "default": false, + "type": "boolean" + }, + "compact_output": { + "default": true, + "type": "boolean" + }, + "join_output": { + "default": false, + "type": "boolean" + }, + "raw_output": { + "default": false, + "type": "boolean" + }, + "sort_keys": { + "default": false, + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "response_if_media_type": { + "default": [ + "application/json" + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "response_if_status_code": { + "default": [ + 200 + ], + "items": { + "maximum": 599, + "minimum": 100, + "required": [ + + ], + "type": "integer" + }, + "type": "array" + }, + "response_jq_program": { + "type": "string" + }, + "response_jq_program_options": { + "properties": { + "ascii_output": { + "default": false, + "type": "boolean" + }, + "compact_output": { + "default": true, + "type": "boolean" + }, + "join_output": { + "default": false, + "type": "boolean" + }, + "raw_output": { + "default": false, + "type": "boolean" + }, + "sort_keys": { + "default": false, + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/json-threat-protection/3.10.json b/json_schemas/json-threat-protection/3.10.json new file mode 100644 index 00000000..43827bd8 --- /dev/null +++ b/json_schemas/json-threat-protection/3.10.json 
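Review bot: None of the `config` properties in this schema has a `description`, while the `consumer`, `protocols`, `route` and `service` entries around them do. `request_jq_program` and `response_jq_program` are the fields an operator most needs explained, together with the fact that `response_if_status_code` defaults to `[200]` only. A line such as `"description": "The jq program to apply to the request body."` on `request_jq_program` would do, assuming that is what the plugin applies it to; the exact wording should come from the plugin's own documentation.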
@@ -0,0 +1,126 @@ +{ + "properties": { + "config": { + "properties": { + "enforcement_mode": { + "default": "block", + "description": "Enforcement mode of the security policy.", + "enum": [ + "block", + "log_only" + ], + "type": "string" + }, + "error_message": { + "default": "Bad Request", + "description": "The response message when validation fails", + "type": "string" + }, + "error_status_code": { + "default": 400, + "description": "The response status code when validation fails.", + "maximum": 499, + "minimum": 400, + "type": "integer" + }, + "max_array_element_count": { + "default": -1, + "description": "Max number of elements in an array. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_body_size": { + "default": 8192, + "description": "Max size of the request body. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_container_depth": { + "default": -1, + "description": "Max nested depth of objects and arrays. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_object_entry_count": { + "default": -1, + "description": "Max number of entries in an object. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_object_entry_name_length": { + "default": -1, + "description": "Max string length of object name. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_string_value_length": { + "default": -1, + "description": "Max string value length. 
-1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/jwe-decrypt/3.10.json b/json_schemas/jwe-decrypt/3.10.json new file mode 100644 index 00000000..019e6fb1 --- /dev/null +++ b/json_schemas/jwe-decrypt/3.10.json 
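Review bot: Every structural limit in this schema (`max_container_depth`, `max_array_element_count`, `max_object_entry_count`, `max_object_entry_name_length`, `max_string_value_length`) defaults to `-1`, which the descriptions define as unlimited, so a default instance enforces only `max_body_size` of 8192. The descriptions should say so, e.g. `"description": "Max nested depth of objects and arrays. -1 means unlimited, which is the default; set a positive value to enforce a limit."`. `max_body_size` also gives no unit for its value. Separately, `"maximum": 2147483648` is one above the largest signed 32-bit value (2147483647); if the plugin stores these limits in a 32-bit integer, the bound should be `2147483647`.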
@@ -0,0 +1,88 @@ +{ + "properties": { + "config": { + "properties": { + "forward_header_name": { + "default": "Authorization", + "description": "The name of the header that is used to set the decrypted value.", + "type": "string" + }, + "key_sets": { + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "lookup_header_name": { + "default": "Authorization", + "description": "The name of the header to look for the JWE token.", + "type": "string" + }, + "strict": { + "default": true, + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/jwt-signer/3.10.json b/json_schemas/jwt-signer/3.10.json new file mode 100644 index 00000000..6b424d39 --- /dev/null +++ b/json_schemas/jwt-signer/3.10.json 
@@ -0,0 +1,699 @@ +{ + "properties": { + "config": { + "properties": { + "access_token_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_authorization": { + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", + "type": "string" + }, + "access_token_introspection_body_args": { + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", + "type": "string" + }, + "access_token_introspection_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. 
The parameter can take an array of values.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", + "type": "string" + }, + "access_token_introspection_hint": { + "default": "access_token", + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", + "type": "string" + }, + "access_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. 
You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", + "type": "number" + }, + "access_token_introspection_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", + "type": "number" + }, + "access_token_issuer": { + "default": "kong", + "description": "The `iss` claim of a signed or re-signed access token is set to this value. 
Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", + "type": "string" + }, + "access_token_jwks_uri": { + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", + "type": "string" + }, + "access_token_jwks_uri_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", + "type": "string" + }, + "access_token_jwks_uri_client_password": { + "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`", + "type": "string" + }, + "access_token_jwks_uri_client_username": { + "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`", + "type": "string" + }, + "access_token_jwks_uri_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. The default value 0 means no auto-rotation.", + "type": "number" + }, + "access_token_keyset": { + "default": "kong", + "description": "The name of the keyset containing signing keys.", + "type": "string" + }, + "access_token_keyset_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_keyset` is an https uri that requires mTLS Auth.", + "type": "string" + }, + "access_token_keyset_client_password": { + "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `access_token_keyset_client_username`", + "type": "string" + }, + "access_token_keyset_client_username": { + "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`", + "type": "string" + }, + "access_token_keyset_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. The default value 0 means no auto-rotation.", + "type": "number" + }, + "access_token_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", + "type": "number" + }, + "access_token_optional": { + "default": false, + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. 
If the token is provided, then this parameter has no effect", + "type": "boolean" + }, + "access_token_request_header": { + "default": "Authorization", + "description": "This parameter tells the name of the header where to look for the access token.", + "type": "string" + }, + "access_token_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_signing_algorithm": { + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS512" + ], + "type": "string" + }, + "access_token_upstream_header": { + "default": "Authorization:Bearer", + "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. 
If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", + "type": "string" + }, + "access_token_upstream_leeway": { + "default": 0, + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", + "type": "number" + }, + "add_access_token_claims": { + "additionalProperties": true, + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "add_channel_token_claims": { + "additionalProperties": true, + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "add_claims": { + "additionalProperties": true, + "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "cache_access_token_introspection": { + "default": true, + "description": "Whether to cache access token introspection results.", + "type": "boolean" + }, + "cache_channel_token_introspection": { + "default": true, + "description": "Whether to cache channel token introspection results.", + "type": "boolean" + }, + "channel_token_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. 
The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_authorization": { + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "string" + }, + "channel_token_introspection_body_args": { + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "string" + }, + "channel_token_introspection_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. 
Valid values are `id`, `username` and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", + "type": "string" + }, + "channel_token_introspection_hint": { + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "string" + }, + "channel_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_leeway": { + "default": 0, + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. 
The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", + "type": "number" + }, + "channel_token_introspection_scopes_claim": { + "default": [ + "scope" + ], + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_scopes_required": { + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", + "type": "number" + }, + "channel_token_issuer": { + "default": "kong", + "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", + "type": "string" + }, + "channel_token_jwks_uri": { + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. 
If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", + "type": "string" + }, + "channel_token_jwks_uri_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", + "type": "string" + }, + "channel_token_jwks_uri_client_password": { + "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`", + "type": "string" + }, + "channel_token_jwks_uri_client_username": { + "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", + "type": "string" + }, + "channel_token_jwks_uri_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. The default value 0 means no auto-rotation.", + "type": "number" + }, + "channel_token_keyset": { + "default": "kong", + "description": "The name of the keyset containing signing keys.", + "type": "string" + }, + "channel_token_keyset_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `channel_token_keyset` is an https uri that requires mTLS Auth.", + "type": "string" + }, + "channel_token_keyset_client_password": { + "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_keyset_client_username`", + "type": "string" + }, + "channel_token_keyset_client_username": { + "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`", + "type": "string" + }, + "channel_token_keyset_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. The default value 0 means no auto-rotation.", + "type": "number" + }, + "channel_token_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", + "type": "number" + }, + "channel_token_optional": { + "default": false, + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", + "type": "boolean" + }, + "channel_token_request_header": { + "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", + "type": "string" + }, + "channel_token_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. 
This supports nested claims.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_signing_algorithm": { + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS512" + ], + "type": "string" + }, + "channel_token_upstream_header": { + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", + "type": "string" + }, + "channel_token_upstream_leeway": { + "default": 0, + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", + "type": "number" + }, + "enable_access_token_introspection": { + "default": true, + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", + "type": "boolean" + }, + "enable_channel_token_introspection": { + "default": true, + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", + "type": "boolean" + }, + "enable_hs_signatures": { + "default": false, + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. 
If you need to accept such tokens for verification, enable this setting.", + "type": "boolean" + }, + "enable_instrumentation": { + "default": false, + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", + "type": "boolean" + }, + "original_access_token_upstream_header": { + "description": "The HTTP header name used to store the original access token.", + "type": "string" + }, + "original_channel_token_upstream_header": { + "description": "The HTTP header name used to store the original channel token.", + "type": "string" + }, + "realm": { + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", + "type": "string" + }, + "remove_access_token_claims": { + "default": [ + + ], + "description": "remove claims. It should be an array, and each element is a claim key string.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "remove_channel_token_claims": { + "default": [ + + ], + "description": "remove claims. It should be an array, and each element is a claim key string.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "set_access_token_claims": { + "additionalProperties": true, + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "set_channel_token_claims": { + "additionalProperties": true, + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "set_claims": { + "additionalProperties": true, + "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. 
Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "trust_access_token_introspection": { + "default": true, + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", + "type": "boolean" + }, + "trust_channel_token_introspection": { + "default": true, + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", + "type": "boolean" + }, + "verify_access_token_expiry": { + "default": true, + "description": "Quickly turn access token expiry verification off and on as needed.", + "type": "boolean" + }, + "verify_access_token_introspection_expiry": { + "default": true, + "description": "Quickly turn access token introspection expiry verification off and on as needed.", + "type": "boolean" + }, + "verify_access_token_introspection_scopes": { + "default": true, + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", + "type": "boolean" + }, + "verify_access_token_scopes": { + "default": true, + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", + "type": "boolean" + }, + "verify_access_token_signature": { + "default": true, + "description": "Quickly turn access token signature verification off and on as needed.", + "type": "boolean" + }, + 
"verify_channel_token_expiry": { + "default": true, + "type": "boolean" + }, + "verify_channel_token_introspection_expiry": { + "default": true, + "description": "Quickly turn on/off the channel token introspection expiry verification.", + "type": "boolean" + }, + "verify_channel_token_introspection_scopes": { + "default": true, + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", + "type": "boolean" + }, + "verify_channel_token_scopes": { + "default": true, + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", + "type": "boolean" + }, + "verify_channel_token_signature": { + "default": true, + "description": "Quickly turn on/off the channel token signature verification.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
diff --git a/json_schemas/jwt/3.10.json b/json_schemas/jwt/3.10.json new file mode 100644 index 00000000..6a6338ce --- /dev/null +++ b/json_schemas/jwt/3.10.json 
@@ -0,0 +1,146 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + }, + "claims_to_verify": { + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", + "items": { + "enum": [ + "exp", + "nbf" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "cookie_names": { + "default": [ + + ], + "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "header_names": { + "default": [ + "authorization" + ], + "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "key_claim_name": { + "default": "iss", + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", + "type": "string" + }, + "maximum_expiration": { + "default": 0, + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", + "maximum": 31536000, + "minimum": 0, + "type": "number" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. 
If set to false, then OPTIONS requests will always be allowed.", + "type": "boolean" + }, + "secret_is_base64": { + "default": false, + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", + "type": "boolean" + }, + "uri_param_names": { + "default": [ + "jwt" + ], + "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/kafka-log/3.10.json b/json_schemas/kafka-log/3.10.json new file mode 100644 index 00000000..3cc3b73a --- /dev/null +++ b/json_schemas/kafka-log/3.10.json 
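Review bot: `uri_param_names` defaults to `["jwt"]`, so the plugin accepts a token from the query string unless the operator clears the list, and the description does not mention the consequence. Tokens carried in URLs end up in access logs, intermediary proxy logs and `Referer` headers, so I would extend the description with something like `Tokens sent in the query string can be recorded in access logs and Referer headers; clear this list if clients always send the token in a header.` The same applies to `key_in_query` (default `true`) in the key-auth-enc and key-auth schemas later in this patch. These files look generated from the plugin schemas, so the wording change probably belongs upstream rather than in this file.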
@@ -0,0 +1,232 @@ +{ + "properties": { + "config": { + "properties": { + "authentication": { + "properties": { + "mechanism": { + "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", + "enum": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "type": "string" + }, + "password": { + "description": "Password for SASL authentication.", + "type": "string" + }, + "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "enum": [ + "sasl" + ], + "type": "string" + }, + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication", + "type": "boolean" + }, + "user": { + "description": "Username for SASL authentication.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. 
Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "keepalive": { + "default": 60000, + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + }, + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + }, + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + }, + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "enum": [ + -1, + 0, + 1 + ], + "type": "integer" + }, + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + }, + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single Produce request.", + "type": "integer" + }, + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + }, + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + }, + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds", + "type": "integer" + }, + "security": { + "properties": { + "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string", + "uuid": true + }, + "ssl": { + "description": "Enables TLS.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topic": { + "description": "The Kafka topic to publish to.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/kafka-upstream/3.10.json b/json_schemas/kafka-upstream/3.10.json new file mode 100644 index 00000000..4fa1cc92 --- /dev/null +++ b/json_schemas/kafka-upstream/3.10.json 
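Review bot: The `authentication.mechanism` description lists only `PLAIN` or `SCRAM-SHA-256`, but the enum directly below it also allows `SCRAM-SHA-512`. The kafka-upstream schema in this patch already names all three, so the same sentence can be used here. `security.ssl` has no default in this schema, so the description should also say that `PLAIN` sends the SASL password unprotected on the wire unless TLS is enabled, for example `Use PLAIN only together with security.ssl set to true.`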
@@ -0,0 +1,244 @@ +{ + "properties": { + "config": { + "properties": { + "authentication": { + "properties": { + "mechanism": { + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", + "enum": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "type": "string" + }, + "password": { + "description": "Password for SASL authentication.", + "type": "string" + }, + "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "enum": [ + "sasl" + ], + "type": "string" + }, + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication.", + "type": "boolean" + }, + "user": { + "description": "Username for SASL authentication.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "forward_body": { + "default": true, + "description": "Include the request body in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_headers": { + "default": false, + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_method": { + "default": false, + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_uri": { + "default": false, + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "Keepalive timeout in milliseconds.", + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + }, + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + }, + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + }, + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "enum": [ + -1, + 0, + 1 + ], + "type": "integer" + }, + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + }, + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single producer request.", + "type": "integer" + }, + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + }, + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + }, + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer" + }, + "security": { + "properties": { + "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string", + "uuid": true + }, + "ssl": { + "description": "Enables TLS.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topic": { + "description": "The Kafka topic to publish to.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/key-auth-enc/3.10.json b/json_schemas/key-auth-enc/3.10.json new file mode 100644 index 00000000..393987e0 --- /dev/null +++ b/json_schemas/key-auth-enc/3.10.json 
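Review bot: The `forward_headers` description does not say whether credential-bearing request headers such as `Authorization` or `Cookie` are filtered before the message is produced. If they are passed through as received (not visible from the schema), enabling this option copies client credentials into the Kafka topic, where every consumer of that topic can read them. I would add a sentence such as `Forwarded headers may include credentials (for example Authorization and Cookie); restrict read access to the topic accordingly.` `forward_body`, which defaults to `true`, deserves the same caveat for request bodies that carry secrets.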
@@ -0,0 +1,114 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", + "type": "boolean" + }, + "key_in_body": { + "default": false, + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "key_in_header": { + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean" + }, + "key_in_query": { + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean" + }, + "key_names": { + "default": [ + "apikey" + ], + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. 
Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "items": { + "description": "A string representing an HTTP header name.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
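Review bot: The `key_in_body` description names the media type as `application/www-form-urlencoded`, but the registered type is `application/x-www-form-urlencoded`. An operator matching client `Content-Type` values against the documented string will not find it. Suggested text: `Supported MIME types: application/x-www-form-urlencoded, application/json, and multipart/form-data.` The `key_in_body` description in the key-auth schema in the next hunk has the same spelling.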
diff --git a/json_schemas/key-auth/3.10.json b/json_schemas/key-auth/3.10.json new file mode 100644 index 00000000..a37eb540 --- /dev/null +++ b/json_schemas/key-auth/3.10.json 
@@ -0,0 +1,114 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", + "type": "boolean" + }, + "key_in_body": { + "default": false, + "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "key_in_header": { + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean" + }, + "key_in_query": { + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean" + }, + "key_names": { + "default": [ + "apikey" + ], + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "items": { + "description": "A string representing an HTTP header name.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. 
If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/konnect-application-auth/3.10.json b/json_schemas/konnect-application-auth/3.10.json new file mode 100644 index 00000000..17240508 --- /dev/null +++ b/json_schemas/konnect-application-auth/3.10.json 
@@ -0,0 +1,2331 @@ +{ + "properties": { + "config": { + "properties": { + "auth_type": { + "default": "openid-connect", + "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", + "enum": [ + "key-auth", + "openid-connect", + "v2-strategies" + ], + "type": "string" + }, + "key_names": { + "default": [ + "apikey" + ], + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "items": { + "description": "A string representing an HTTP header name.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "scope": { + "description": "The unique scope identifier for the plugin configuration.", + "type": "string" + }, + "v2_strategies": { + "description": "The map of v2 strategies.", + "properties": { + "key_auth": { + "description": "List of key_auth strategies.", + "items": { + "properties": { + "config": { + "properties": { + "key_names": { + "default": [ + "apikey" + ], + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "items": { + "description": "A string representing an HTTP header name.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "strategy_id": { + "description": "The strategy id the config is tied to.", + "type": "string" + } + }, + "required": [ + "config", + "strategy_id" + ], + "type": "object" + }, + "type": "array" + }, + "openid_connect": { + "description": "List of openid_connect strategies.", + "items": { + "properties": { + "config": { + "description": "openid-connect plugin configuration.", + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "audience": { + "description": "The audience passed to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "audience_claim": { + "default": [ + "aud" + ], + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "audience_required": { + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "auth_methods": { + "default": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "description": "Types of credentials/grants to enable.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authenticated_groups_claim": { + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", + "type": "string" + }, + "authorization_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "authorization_cookie_name": { + "default": "authorization", + "description": "The authorization cookie name.", + "type": "string" + }, + "authorization_cookie_path": { + "default": "/", + "description": "The authorization cookie Path flag.", + "type": "string" + }, + "authorization_cookie_same_site": { + "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "authorization_endpoint": { + "description": "The authorization endpoint. 
If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "authorization_query_args_client": { + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_names": { + "description": "Extra query argument names passed to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_values": { + "description": "Extra query argument values passed to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authorization_rolling_timeout": { + "default": 600, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number" + }, + "bearer_token_cookie_name": { + "description": "The name of the cookie in which the bearer token is passed.", + "type": "string" + }, + "bearer_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "items": { + "enum": [ + "body", + "cookie", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "by_username_ignore_case": { + "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "type": "boolean" + }, + "cache_introspection": { + "default": true, + "description": "Cache the introspection endpoint 
requests.", + "type": "boolean" + }, + "cache_token_exchange": { + "default": true, + "description": "Cache the token exchange endpoint requests.", + "type": "boolean" + }, + "cache_tokens": { + "default": true, + "description": "Cache the token endpoint requests.", + "type": "boolean" + }, + "cache_tokens_salt": { + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "type": "string" + }, + "cache_ttl": { + "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "type": "number" + }, + "cache_ttl_max": { + "description": "The maximum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_min": { + "description": "The minimum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_neg": { + "description": "The negative cache ttl in seconds.", + "type": "number" + }, + "cache_ttl_resurrect": { + "description": "The resurrection ttl in seconds.", + "type": "number" + }, + "cache_user_info": { + "default": true, + "description": "Cache the user info requests.", + "type": "boolean" + }, + "claims_forbidden": { + "description": "If given, these claims are forbidden in the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_alg": { + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "items": { + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS384", + "RS512" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_arg": { + "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "type": "string" + }, + "client_auth": { + "description": "The default OpenID Connect client 
authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "items": { + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_credentials_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_jwk": { + "description": "The JWK used for the private_key_jwt authentication.", + "items": { + "properties": { + "alg": { + "type": "string" + }, + "crv": { + "type": "string" + }, + "d": { + "type": "string" + }, + "dp": { + "type": "string" + }, + "dq": { + "type": "string" + }, + "e": { + "type": "string" + }, + "issuer": { + "type": "string" + }, + "k": { + "type": "string" + }, + "key_ops": { + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "kid": { + "type": "string" + }, + "kty": { + "type": "string" + }, + "n": { + "type": "string" + }, + "oth": { + "type": "string" + }, + "p": { + "type": "string" + }, + "q": { + "type": "string" + }, + "qi": { + "type": "string" + }, + "r": { + 
"type": "string" + }, + "t": { + "type": "string" + }, + "use": { + "type": "string" + }, + "x": { + "type": "string" + }, + "x5c": { + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "x5t": { + "type": "string" + }, + "x5t#S256": { + "type": "string" + }, + "x5u": { + "type": "string" + }, + "y": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "type": "array" + }, + "client_secret": { + "description": "The client secret.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "cluster_cache_redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "cluster_cache_strategy": { + "default": "off", + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. 
Currentlly only introspection cache is shared.", + "enum": [ + "off", + "redis" + ], + "type": "string" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_claim": { + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_optional": { + "default": false, + "description": "Do not terminate the request if consumer mapping fails.", + "type": "boolean" + }, + "credential_claim": { + "default": [ + "sub" + ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "disable_session": { + "description": "Disable issuing the session cookie with the specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_names": { + "description": "Extra header names passed to the discovery endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_values": { + "description": "Extra header values passed to the discovery endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "display_errors": { + "default": false, + "description": "Display errors on failure responses.", + "type": "boolean" + }, + "domains": { + "description": "The allowed values for the `hd` claim.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "downstream_access_token_header": { + "description": "The downstream access token header.", + "type": "string" + }, + "downstream_access_token_jwk_header": { + "description": "The downstream access token JWK header.", + "type": "string" + }, + "downstream_headers_claims": { + "description": "The downstream header claims. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "downstream_headers_names": { + "description": "The downstream header names for the claim values.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "downstream_id_token_header": { + "description": "The downstream id token header.", + "type": "string" + }, + "downstream_id_token_jwk_header": { + "description": "The downstream id token JWK header.", + "type": "string" + }, + "downstream_introspection_header": { + "description": "The downstream introspection header.", + "type": "string" + }, + "downstream_introspection_jwt_header": { + "description": "The downstream introspection JWT header.", + "type": "string" + }, + "downstream_refresh_token_header": { + "description": "The downstream refresh token header.", + "type": "string" + }, + "downstream_session_id_header": { + "description": "The downstream session id header.", + "type": "string" + }, + "downstream_user_info_header": { + "description": "The downstream user info header.", + "type": "string" + }, + "downstream_user_info_jwt_header": { + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "dpop_proof_lifetime": { + "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "type": "number" + }, + "dpop_use_nonce": { + "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. 
When enabled it will also be used to calculate the DPoP proof lifetime.", + "type": "boolean" + }, + "enable_hs_signatures": { + "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "type": "boolean" + }, + "end_session_endpoint": { + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "expose_error_code": { + "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "type": "boolean" + }, + "extra_jwks_uris": { + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "forbidden_destroy_session": { + "default": true, + "description": "Destroy any active session for the forbidden requests.", + "type": "boolean" + }, + "forbidden_error_message": { + "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection).", + "type": "string" + }, + "forbidden_redirect_uri": { + "description": "Where to redirect the client on forbidden requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "groups_claim": { + "default": [ + "groups" + ], + "description": "The claim that contains the groups. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "groups_required": { + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "hide_credentials": { + "default": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "type": "boolean" + }, + "http_proxy": { + "description": "The HTTP proxy.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The HTTP proxy authorization.", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The HTTPS proxy.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The HTTPS proxy authorization.", + "type": "string" + }, + "id_token_param_name": { + "description": "The name of the parameter used to pass the id token.", + "type": "string" + }, + "id_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ignore_signature": { + "default": [ + + ], + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password 
grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "introspection", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspect_jwt_tokens": { + "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "type": "boolean" + }, + "introspection_accept": { + "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt", + "application/token-introspection+jwt" + ], + "type": "string" + }, + "introspection_check_active": { + "default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "type": "boolean" + }, + "introspection_endpoint": { + "description": "The introspection endpoint. 
If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "introspection_endpoint_auth_method": { + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "introspection_headers_client": { + "description": "Extra headers passed from the client to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_names": { + "description": "Extra header names passed to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_values": { + "description": "Extra header values passed to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_hint": { + "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "type": "string" + }, + "introspection_post_args_client": { + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_client_headers": { + "description": "Extra post arguments passed from the client headers to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_names": { + "description": "Extra post argument names passed to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + 
"type": "array" + }, + "introspection_post_args_values": { + "description": "Extra post argument values passed to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for introspection.", + "type": "string" + }, + "issuer": { + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "type": "string" + }, + "issuers_allowed": { + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "jwt_session_claim": { + "default": "sid", + "description": "The claim to match against the JWT session cookie.", + "type": "string" + }, + "jwt_session_cookie": { + "description": "The name of the JWT session cookie.", + "type": "string" + }, + "keepalive": { + "default": true, + "description": "Use keepalive with the HTTP client.", + "type": "boolean" + }, + "leeway": { + "default": 0, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "type": "number" + }, + "login_action": { + "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "enum": [ + "redirect", + "response", + "upstream" + ], + "type": "string" + }, + "login_methods": { + "default": [ + "authorization_code" + ], + "description": "Enable login functionality with specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": 
"array" + }, + "login_redirect_mode": { + "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "enum": [ + "fragment", + "query" + ], + "type": "string" + }, + "login_redirect_uri": { + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "login_tokens": { + "default": [ + "id_token" + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "items": { + "enum": [ + "access_token", + "id_token", + "introspection", + "refresh_token", + "tokens" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "logout_methods": { + "default": [ + "DELETE", + "POST" + ], + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "items": { + "enum": [ + "DELETE", + "GET", + "POST" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "logout_post_arg": { + "description": "The request body argument that activates the logout.", + "type": "string" + }, + "logout_query_arg": { + "description": "The request query argument that activates the logout.", + "type": "string" + }, + "logout_redirect_uri": { + "description": "Where to redirect the client after the logout.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ 
+ + ], + "type": "string" + }, + "type": "array" + }, + "logout_revoke": { + "default": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "type": "boolean" + }, + "logout_revoke_access_token": { + "default": true, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_revoke_refresh_token": { + "default": true, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_uri_suffix": { + "description": "The request URI suffix that activates the logout.", + "type": "string" + }, + "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "type": "number" + }, + "mtls_introspection_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_revocation_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_token_endpoint": { + "description": "Alias for the token endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "no_proxy": { + "description": "Do not use proxy with these hosts.", + "type": "string" + }, + "password_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "preserve_query_args": { + "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "type": "boolean" + }, + "proof_of_possession_auth_methods_validation": { + "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "type": "boolean" + }, + "proof_of_possession_dpop": { + "default": "off", + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "proof_of_possession_mtls": { + "default": "off", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. 
If the verification fails, the request will be rejected with 401.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "pushed_authorization_request_endpoint": { + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "pushed_authorization_request_endpoint_auth_method": { + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "redirect_uri": { + "description": "The redirect URI passed to the authorization and token endpoints.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "description": "The Redis session key prefix.", + "type": "string" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "socket": { + "description": "The Redis unix socket path.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. 
This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "rediscovery_lifetime": { + "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", + "type": "number" + }, + "refresh_token_param_name": { + "description": "The name of the parameter used to pass the refresh token.", + "type": "string" + }, + "refresh_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "refresh_tokens": { + "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "type": "boolean" + }, + "require_proof_key_for_code_exchange": { + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "type": "boolean" + }, + "require_pushed_authorization_requests": { + "description": "Forcibly enable or disable the pushed authorization requests. 
When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "type": "boolean" + }, + "require_signed_request_object": { + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "type": "boolean" + }, + "resolve_distributed_claims": { + "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "type": "boolean" + }, + "response_mode": { + "default": "query", + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "enum": [ + "form_post", + "form_post.jwt", + "fragment", + "fragment.jwt", + "jwt", + "query", + "query.jwt" + ], + "type": "string" + }, + "response_type": { + "default": [ + "code" + ], + "description": "The response type passed to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "reverify": { + "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", + "type": "boolean" + }, + "revocation_endpoint": { + "description": "The revocation 
endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "revocation_endpoint_auth_method": { + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "revocation_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for revocation.", + "type": "string" + }, + "roles_claim": { + "default": [ + "roles" + ], + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "roles_required": { + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "run_on_preflight": { + "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "type": "boolean" + }, + "scopes": { + "default": [ + "openid" + ], + "description": "The scopes passed to the authorization and token endpoints.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "scopes_claim": { + "default": [ + "scope" + ], + "description": "The claim that contains the scopes. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "scopes_required": { + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "search_user_info": { + "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "type": "boolean" + }, + "session_absolute_timeout": { + "default": 86400, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_audience": { + "default": "default", + "description": "The session audience, which is the intended target application. 
For example `\"my-application\"`.", + "type": "string" + }, + "session_cookie_domain": { + "description": "The session cookie Domain flag.", + "type": "string" + }, + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "type": "string" + }, + "session_cookie_path": { + "default": "/", + "description": "The session cookie Path flag.", + "type": "string" + }, + "session_cookie_same_site": { + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean" + }, + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean" + }, + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "type": "boolean" + }, + "session_idling_timeout": { + "default": 900, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 
0 disables the checks and touching.", + "type": "number" + }, + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "type": "string" + }, + "session_memcached_port": { + "default": 11211, + "description": "The memcached port.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "type": "string" + }, + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "type": "string" + }, + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean" + }, + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string" + }, + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "type": "number" + }, + "session_request_headers": { + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "session_response_headers": { + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. 
`[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "session_rolling_timeout": { + "default": 3600, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number" + }, + "session_secret": { + "description": "The session secret.", + "type": "string" + }, + "session_storage": { + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "enum": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "type": "string" + }, + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "Verify identity provider server certificate. 
If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network IO timeout in milliseconds.", + "type": "number" + }, + "tls_client_auth_cert_id": { + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "type": "string", + "uuid": true + }, + "tls_client_auth_ssl_verify": { + "default": true, + "description": "Verify identity provider server certificate during mTLS client authentication.", + "type": "boolean" + }, + "token_cache_key_include_scope": { + "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean" + }, + "token_endpoint": { + "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "token_endpoint_auth_method": { + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "token_exchange_endpoint": { + "description": "The token exchange endpoint.", + "type": "string" + }, + "token_headers_client": { + "description": "Extra headers passed from the client to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_grants": { + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - 
`client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "password", + "refresh_token" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_names": { + "description": "Extra header names passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "type": "string" + }, + "token_headers_replay": { + "description": "The names of token endpoint response headers to forward to the downstream client.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_values": { + "description": "Extra header values passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_post_args_client": { + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. 
If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_post_args_names": { + "description": "Extra post argument names passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_post_args_values": { + "description": "Extra post argument values passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "unauthorized_destroy_session": { + "default": true, + "description": "Destroy any active session for the unauthorized requests.", + "type": "boolean" + }, + "unauthorized_error_message": { + "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection).", + "type": "string" + }, + "unauthorized_redirect_uri": { + "description": "Where to redirect the client on unauthorized requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "unexpected_redirect_uri": { + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "upstream_access_token_header": { + "default": "authorization:bearer", + "description": "The upstream access token header.", + "type": "string" + }, + "upstream_access_token_jwk_header": { + "description": "The upstream 
access token JWK header.", + "type": "string" + }, + "upstream_headers_claims": { + "description": "The upstream header claims. Only top level claims are supported.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "upstream_headers_names": { + "description": "The upstream header names for the claim values.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "upstream_id_token_header": { + "description": "The upstream id token header.", + "type": "string" + }, + "upstream_id_token_jwk_header": { + "description": "The upstream id token JWK header.", + "type": "string" + }, + "upstream_introspection_header": { + "description": "The upstream introspection header.", + "type": "string" + }, + "upstream_introspection_jwt_header": { + "description": "The upstream introspection JWT header.", + "type": "string" + }, + "upstream_refresh_token_header": { + "description": "The upstream refresh token header.", + "type": "string" + }, + "upstream_session_id_header": { + "description": "The upstream session id header.", + "type": "string" + }, + "upstream_user_info_header": { + "description": "The upstream user info header.", + "type": "string" + }, + "upstream_user_info_jwt_header": { + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "userinfo_accept": { + "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt" + ], + "type": "string" + }, + "userinfo_endpoint": { + "description": "The user info endpoint. 
If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "userinfo_headers_client": { + "description": "Extra headers passed from the client to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_names": { + "description": "Extra header names passed to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_values": { + "description": "Extra header values passed to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_client": { + "description": "Extra query arguments passed from the client to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_names": { + "description": "Extra query argument names passed to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_values": { + "description": "Extra query argument values passed to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "using_pseudo_issuer": { + "default": false, + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "type": "boolean" + }, + "verify_claims": { + "default": true, + "description": "Verify tokens for standard claims.", + "type": "boolean" + }, + "verify_nonce": { + "default": true, + "description": "Verify nonce on authorization code flow.", + "type": "boolean" + }, + "verify_parameters": { + "default": false, + "description": "Verify plugin configuration against discovery.", + "type": "boolean" + }, + "verify_signature": { + "default": true, + "description": "Verify signature of tokens.", + "type": "boolean" + } + }, + "required": [ + "cluster_cache_redis", + "issuer", + "redis" + ], + "type": "object" + }, + "strategy_id": { + "description": "The strategy id the config is tied to.", + "type": "string" + } + }, + "required": [ + "strategy_id" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ldap-auth-advanced/3.10.json b/json_schemas/ldap-auth-advanced/3.10.json new file mode 100644 index 00000000..354b9d7a --- /dev/null +++ b/json_schemas/ldap-auth-advanced/3.10.json 
@@ -0,0 +1,193 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "default": "", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "minLength": 0, + "type": "string" + }, + "attribute": { + "description": "Attribute to be used to search the user; e.g., \"cn\".", + "type": "string" + }, + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", + "type": "string" + }, + "bind_dn": { + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", + "type": "string" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", + "items": { + "enum": [ + "custom_id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_optional": { + "default": false, + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", + "type": "boolean" + }, + "group_base_dn": { + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", + "type": "string" + }, + "group_member_attribute": { + "default": "memberOf", + "description": "Sets the attribute holding the members of the LDAP group. 
This field is case-sensitive.", + "type": "string" + }, + "group_name_attribute": { + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", + "type": "string" + }, + "groups_required": { + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "header_type": { + "default": "ldap", + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. 
It will be removed by Kong before proxying the request.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" + }, + "ldap_host": { + "description": "Host on which the LDAP server is running.", + "type": "string" + }, + "ldap_password": { + "description": "The password to the LDAP server.", + "type": "string" + }, + "ldap_port": { + "default": 389, + "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", + "type": "number" + }, + "ldaps": { + "default": false, + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "type": "boolean" + }, + "log_search_results": { + "default": false, + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", + "type": "boolean" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "start_tls": { + "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. 
If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" + }, + "verify_ldap_host": { + "default": false, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ldap-auth/3.10.json b/json_schemas/ldap-auth/3.10.json new file mode 100644 index 00000000..e4d24f03 
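Review bot: In `config`, `ldaps`, `start_tls` and `verify_ldap_host` all default to `false`, so a configuration that sets only the host appears to describe a plain LDAP connection on which `ldap_password` and the users' credentials are sent unencrypted and the server certificate is never checked; the `verify_ldap_host` description should say so, e.g. `With the defaults, credentials reach the LDAP server without TLS and without certificate verification.` The rule that `ldaps` and `start_tls` must not both be enabled exists only in prose, and the `ldaps` text says "the `ldap` setting" where `ldaps` seems to be meant. `ldap_port` is an unbounded `number` here, while the `json_schemas/ldap-auth/3.10.json` hunk that follows types it as `integer` with `minimum` 0 and `maximum` 65535; that hunk carries the same three `false` defaults. The `group_base_dn` description also ends in stray text (`',dc=com'.`). If this file is downloaded from the gateway rather than written by hand, these belong in the plugin's schema source.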
--- /dev/null +++ b/json_schemas/ldap-auth/3.10.json 
@@ -0,0 +1,134 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`.", + "type": "string" + }, + "attribute": { + "description": "Attribute to be used to search the user; e.g. cn", + "type": "string" + }, + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", + "type": "string" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "header_type": { + "default": "ldap", + "description": "An optional string to use as part of the Authorization header", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" + }, + "ldap_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "ldap_port": { + "default": 389, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "ldaps": { + "default": false, + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. 
If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "type": "boolean" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "start_tls": { + "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" + }, + "verify_ldap_host": { + "default": false, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/loggly/3.10.json b/json_schemas/loggly/3.10.json new file mode 100644 index 00000000..81d78b5b --- /dev/null +++ b/json_schemas/loggly/3.10.json 
@@ -0,0 +1,175 @@ +{ + "properties": { + "config": { + "properties": { + "client_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "host": { + "default": "logs-01.loggly.com", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "key": { + "type": "string" + }, + "log_level": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "port": { + "default": 514, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "server_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "successful_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "tags": { + "default": [ + "kong" + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "timeout": { + "default": 10000, + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/mocking/3.10.json b/json_schemas/mocking/3.10.json new file mode 100644 index 00000000..ceb3d3a9 --- /dev/null +++ b/json_schemas/mocking/3.10.json 
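Review bot: `config.key` carries no `description`, and neither do `tags`, `timeout`, `log_level` and the three `*_severity` fields, so the schema gives no hint that `key` is presumably the Loggly customer token and needs to be handled as a secret. A one-line addition such as `"description": "Loggly customer token; treat as a secret."` would cover it (wording to be confirmed against the plugin). The `protocols` default lists four values while `items.enum` allows ten, including `tcp`, `tls` and `udp`, and the field description does not explain the difference.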
@@ -0,0 +1,128 @@ +{ + "properties": { + "config": { + "properties": { + "api_specification": { + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", + "type": "string" + }, + "api_specification_filename": { + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", + "type": "string" + }, + "custom_base_path": { + "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", + "type": "string" + }, + "include_base_path": { + "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation.", + "type": "boolean" + }, + "included_status_codes": { + "description": "A global list of the HTTP status codes that can only be selected and returned.", + "items": { + "required": [ + + ], + "type": "integer" + }, + "type": "array" + }, + "max_delay_time": { + "default": 1, + "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", + "type": "number" + }, + "min_delay_time": { + "default": 0.001, + "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`.", + "type": "number" + }, + "random_delay": { + "default": false, + "description": "Enables a random delay in the mocked response. 
Introduces delays to simulate real-time response times by APIs.", + "type": "boolean" + }, + "random_examples": { + "default": false, + "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", + "type": "boolean" + }, + "random_status_code": { + "default": false, + "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/mtls-auth/3.10.json b/json_schemas/mtls-auth/3.10.json new file mode 100644 index 00000000..0fae0bda --- /dev/null +++ b/json_schemas/mtls-auth/3.10.json 
@@ -0,0 +1,169 @@ +{ + "properties": { + "config": { + "properties": { + "allow_partial_chain": { + "default": false, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "type": "boolean" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "authenticated_group_by": { + "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "enum": [ + "CN", + "DN" + ], + "type": "string" + }, + "ca_certificates": { + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. 
The value of this array is comprised of primary keys (`id`).", + "items": { + "required": [ + + ], + "type": "string", + "uuid": true + }, + "type": "array" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "cert_cache_ttl": { + "default": 60000, + "description": "The length of time in seconds between refreshes of the revocation check status cache.", + "type": "number" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "items": { + "enum": [ + "custom_id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "default_consumer": { + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "revocation_check_mode": { + "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. 
If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "enum": [ + "IGNORE_CA_ERROR", + "SKIP", + "STRICT" + ], + "type": "string" + }, + "send_ca_dn": { + "default": false, + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", + "type": "boolean" + }, + "skip_consumer_lookup": { + "default": false, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/oas-validation/3.10.json b/json_schemas/oas-validation/3.10.json new file mode 100644 index 00000000..1e421781 --- /dev/null +++ b/json_schemas/oas-validation/3.10.json 
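Review bot: `cert_cache_ttl` is described as "in seconds" but defaults to `60000`, next to `cache_ttl` with a default of `60` seconds; read literally, the revocation status would be refreshed only about every 16.7 hours, so either the unit or the default looks wrong and the description should state the unit the plugin actually uses. `revocation_check_mode` defaults to `IGNORE_CA_ERROR`, which by its own description does not fail on network issues, so a certificate whose status cannot be fetched is presumably accepted; that deserves one explicit sentence, e.g. `With IGNORE_CA_ERROR a revoked certificate may still be accepted while the OCSP/CRL endpoint is unreachable; use STRICT to fail closed.` (to be confirmed against the plugin). `ca_certificates` says "At least one is required", yet `required` is empty and the array has no `minItems`. The `"uuid": true` keyword on its items is not a standard JSON Schema keyword, so a generic validator will likely ignore it; `"format": "uuid"` is the standard spelling.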
@@ -0,0 +1,149 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_header_parameters": { + "default": "Host,Content-Type,User-Agent,Accept,Content-Length", + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", + "type": "string" + }, + "api_spec": { + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format.", + "type": "string" + }, + "api_spec_encoded": { + "default": true, + "description": "Indicates whether the api_spec is URI-Encoded.", + "type": "boolean" + }, + "custom_base_path": { + "description": "The base path to be used for path match evaluation. 
This value is ignored if `include_base_path` is set to `false`.", + "type": "string" + }, + "header_parameter_check": { + "default": false, + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", + "type": "boolean" + }, + "include_base_path": { + "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation.", + "type": "boolean" + }, + "notify_only_request_validation_failure": { + "default": false, + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", + "type": "boolean" + }, + "notify_only_response_body_validation_failure": { + "default": false, + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", + "type": "boolean" + }, + "query_parameter_check": { + "default": false, + "description": "If set to true, checks if query parameters in the request exist in the API specification.", + "type": "boolean" + }, + "validate_request_body": { + "default": true, + "description": "If set to true, validates the request body content against the API specification.", + "type": "boolean" + }, + "validate_request_header_params": { + "default": true, + "description": "If set to true, validates HTTP header parameters against the API specification.", + "type": "boolean" + }, + "validate_request_query_params": { + "default": true, + "description": "If set to true, validates query parameters against the API specification.", + "type": "boolean" + }, + "validate_request_uri_params": { + "default": true, + "description": "If set to true, validates URI parameters in the request against the API specification.", + "type": "boolean" + }, + "validate_response_body": { + "default": false, + "description": "If set to true, validates the response from the upstream services against the API specification. 
If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", + "type": "boolean" + }, + "verbose_response": { + "default": false, + "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/oauth2-introspection/3.10.json b/json_schemas/oauth2-introspection/3.10.json new file mode 100644 index 00000000..64bc7359 --- /dev/null 
+++ b/json_schemas/oauth2-introspection/3.10.json 
@@ -0,0 +1,138 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "default": "", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "minLength": 0, + "type": "string" + }, + "authorization_value": { + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", + "type": "string" + }, + "consumer_by": { + "default": "username", + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", + "enum": [ + "client_id", + "username" + ], + "type": "string" + }, + "custom_claims_forward": { + "default": [ + + ], + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "custom_introspection_headers": { + "additionalProperties": true, + "description": "A list of custom headers to be added in the introspection request.", + "type": "object" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. 
It will be removed by Kong before proxying the request.", + "type": "boolean" + }, + "introspect_request": { + "default": false, + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", + "type": "boolean" + }, + "introspection_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "integer" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "integer" + }, + "token_type_hint": { + "description": "The `token_type_hint` value to associate to introspection requests.", + "type": "string" + }, + "ttl": { + "default": 30, + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/oauth2/3.10.json b/json_schemas/oauth2/3.10.json new file mode 100644 index 00000000..ccfd1b4a --- /dev/null +++ b/json_schemas/oauth2/3.10.json 
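Review bot: `introspection_url` is constrained only as `"type": "string"`, although `authorization_value` (described as usually the Base64-encoded `client_id` and `client_secret`) is sent to it when the endpoint is queried; the schema should at least carry `"format": "uri"`, and the description should say that an `https` URL is expected. The `ttl` description offers `0` to disable expiration without saying what that means for revoked tokens; I would add `A cached introspection result is reused until it expires, so with 0 a token revoked at the authorization server may keep being accepted.` (to be confirmed against the plugin's caching). `anonymous` declares `"default": ""` while its text says "default null". `required` is empty although the plugin presumably cannot work without `introspection_url` and `authorization_value`.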
@@ -0,0 +1,165 @@ +{ + "properties": { + "config": { + "properties": { + "accept_http_if_already_terminated": { + "default": false, + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", + "type": "boolean" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + }, + "auth_header_name": { + "default": "authorization", + "description": "The name of the header that is supposed to carry the access token.", + "type": "string" + }, + "enable_authorization_code": { + "default": false, + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", + "type": "boolean" + }, + "enable_client_credentials": { + "default": false, + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", + "type": "boolean" + }, + "enable_implicit_grant": { + "default": false, + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", + "type": "boolean" + }, + "enable_password_grant": { + "default": false, + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", + "type": "boolean" + }, + "global_credentials": { + "default": false, + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", + "type": "boolean" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "type": "boolean" + }, + "mandatory_scope": { + "default": false, + "description": "An 
optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", + "type": "boolean" + }, + "persistent_refresh_token": { + "default": false, + "type": "boolean" + }, + "pkce": { + "default": "lax", + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", + "enum": [ + "lax", + "none", + "strict" + ], + "type": "string" + }, + "provision_key": { + "description": "The unique key the plugin has generated when it has been added to the Service.", + "type": "string" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "refresh_token_ttl": { + "default": 1209600, + "description": "Time-to-live value for data", + "maximum": 100000000, + "minimum": 0, + "type": "number" + }, + "reuse_refresh_token": { + "default": false, + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", + "type": "boolean" + }, + "scopes": { + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_expiration": { + "default": 7200, + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/opa/3.10.json b/json_schemas/opa/3.10.json new file mode 100644 index 00000000..58dc36d0 --- /dev/null +++ b/json_schemas/opa/3.10.json 
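Review bot: The `config` object of `json_schemas/oauth2/3.10.json` is left open: `route` and `service` set `"additionalProperties": false`, but `config` and the top level do not, and every `required` list is empty, so a misspelled security option (a constructed example: `pcke` instead of `pkce`) passes validation and the documented default presumably stays in effect. If closing the object is compatible with how these schemas are consumed, add `"additionalProperties": false` to `config`; the `opa` schema in the next hunk has the same shape. Separately, the four `enable_*` descriptions cite "RFC 6742", which looks like a typo for RFC 6749, the OAuth 2.0 framework whose sections 4.1 to 4.4 define these grants. `pkce` also defaults to `lax` without the description saying what each of `lax`, `none` and `strict` enforces. If this file is pulled from the upstream plugin schema, the fixes belong there rather than in this copy.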
@@ -0,0 +1,122 @@ +{ + "properties": { + "config": { + "properties": { + "include_body_in_opa_input": { + "default": false, + "type": "boolean" + }, + "include_consumer_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", + "type": "boolean" + }, + "include_parsed_json_body_in_opa_input": { + "default": false, + "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", + "type": "boolean" + }, + "include_route_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", + "type": "boolean" + }, + "include_service_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", + "type": "boolean" + }, + "include_uri_captures_in_opa_input": { + "default": false, + "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", + "type": "boolean" + }, + "opa_host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "opa_path": { + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "opa_port": { + "default": 8181, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "opa_protocol": { + "default": "http", + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", + "enum": [ + "http", + "https" + ], + "type": "string" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/openid-connect/3.10.json b/json_schemas/openid-connect/3.10.json new file mode 100644 index 00000000..89d6c676 
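Review bot: In `json_schemas/opa/3.10.json`, `opa_protocol` defaults to `http` while `ssl_verify` defaults to `true`, so with the defaults no certificate is checked and whatever the `include_*_in_opa_input` flags enable (request body, consumer, route, service) reaches OPA in cleartext. That is only reasonable for the default `opa_host` of `localhost`, and the descriptions should say so, for example by extending `opa_protocol` with `Use https when OPA is not on the same host; ssl_verify only takes effect with https.` `include_body_in_opa_input` has no description at all. `opa_path` has neither a default nor an entry in `required`, so a config without a policy path appears to validate; confirm that against the plugin before relying on this schema for validation.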
--- /dev/null +++ b/json_schemas/openid-connect/3.10.json 
@@ -0,0 +1,2334 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "audience": { + "description": "The audience passed to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "audience_claim": { + "default": [ + "aud" + ], + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "audience_required": { + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "auth_methods": { + "default": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "description": "Types of credentials/grants to enable.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authenticated_groups_claim": { + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", + "type": "string" + }, + "authorization_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "authorization_cookie_name": { + "default": "authorization", + "description": "The authorization cookie name.", + "type": "string" + }, + "authorization_cookie_path": { + "default": "/", + "description": "The authorization cookie Path flag.", + "type": "string" + }, + "authorization_cookie_same_site": { + "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "authorization_endpoint": { + "description": "The authorization endpoint. 
If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "authorization_query_args_client": { + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_names": { + "description": "Extra query argument names passed to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_values": { + "description": "Extra query argument values passed to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authorization_rolling_timeout": { + "default": 600, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number" + }, + "bearer_token_cookie_name": { + "description": "The name of the cookie in which the bearer token is passed.", + "type": "string" + }, + "bearer_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "items": { + "enum": [ + "body", + "cookie", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "by_username_ignore_case": { + "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "type": "boolean" + }, + "cache_introspection": { + "default": true, + "description": "Cache the introspection endpoint 
requests.", + "type": "boolean" + }, + "cache_token_exchange": { + "default": true, + "description": "Cache the token exchange endpoint requests.", + "type": "boolean" + }, + "cache_tokens": { + "default": true, + "description": "Cache the token endpoint requests.", + "type": "boolean" + }, + "cache_tokens_salt": { + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "type": "string" + }, + "cache_ttl": { + "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "type": "number" + }, + "cache_ttl_max": { + "description": "The maximum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_min": { + "description": "The minimum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_neg": { + "description": "The negative cache ttl in seconds.", + "type": "number" + }, + "cache_ttl_resurrect": { + "description": "The resurrection ttl in seconds.", + "type": "number" + }, + "cache_user_info": { + "default": true, + "description": "Cache the user info requests.", + "type": "boolean" + }, + "claims_forbidden": { + "description": "If given, these claims are forbidden in the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_alg": { + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "items": { + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS384", + "RS512" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_arg": { + "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "type": "string" + }, + "client_auth": { + "description": "The default OpenID Connect client 
authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "items": { + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_credentials_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_jwk": { + "description": "The JWK used for the private_key_jwt authentication.", + "items": { + "properties": { + "alg": { + "type": "string" + }, + "crv": { + "type": "string" + }, + "d": { + "type": "string" + }, + "dp": { + "type": "string" + }, + "dq": { + "type": "string" + }, + "e": { + "type": "string" + }, + "issuer": { + "type": "string" + }, + "k": { + "type": "string" + }, + "key_ops": { + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "kid": { + "type": "string" + }, + "kty": { + "type": "string" + }, + "n": { + "type": "string" + }, + "oth": { + "type": "string" + }, + "p": { + "type": "string" + }, + "q": { + "type": "string" + }, + "qi": { + "type": "string" + }, + "r": { + 
"type": "string" + }, + "t": { + "type": "string" + }, + "use": { + "type": "string" + }, + "x": { + "type": "string" + }, + "x5c": { + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "x5t": { + "type": "string" + }, + "x5t#S256": { + "type": "string" + }, + "x5u": { + "type": "string" + }, + "y": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "type": "array" + }, + "client_secret": { + "description": "The client secret.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "cluster_cache_redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "cluster_cache_strategy": { + "default": "off", + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. 
Currentlly only introspection cache is shared.", + "enum": [ + "off", + "redis" + ], + "type": "string" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_claim": { + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_optional": { + "default": false, + "description": "Do not terminate the request if consumer mapping fails.", + "type": "boolean" + }, + "credential_claim": { + "default": [ + "sub" + ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "disable_session": { + "description": "Disable issuing the session cookie with the specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_names": { + "description": "Extra header names passed to the discovery endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_values": { + "description": "Extra header values passed to the discovery endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "display_errors": { + "default": false, + "description": "Display errors on failure responses.", + "type": "boolean" + }, + "domains": { + "description": "The allowed values for the `hd` claim.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "downstream_access_token_header": { + "description": "The downstream access token header.", + "type": "string" + }, + "downstream_access_token_jwk_header": { + "description": "The downstream access token JWK header.", + "type": "string" + }, + "downstream_headers_claims": { + "description": "The downstream header claims. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "downstream_headers_names": { + "description": "The downstream header names for the claim values.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "downstream_id_token_header": { + "description": "The downstream id token header.", + "type": "string" + }, + "downstream_id_token_jwk_header": { + "description": "The downstream id token JWK header.", + "type": "string" + }, + "downstream_introspection_header": { + "description": "The downstream introspection header.", + "type": "string" + }, + "downstream_introspection_jwt_header": { + "description": "The downstream introspection JWT header.", + "type": "string" + }, + "downstream_refresh_token_header": { + "description": "The downstream refresh token header.", + "type": "string" + }, + "downstream_session_id_header": { + "description": "The downstream session id header.", + "type": "string" + }, + "downstream_user_info_header": { + "description": "The downstream user info header.", + "type": "string" + }, + "downstream_user_info_jwt_header": { + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "dpop_proof_lifetime": { + "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "type": "number" + }, + "dpop_use_nonce": { + "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. 
When enabled it will also be used to calculate the DPoP proof lifetime.", + "type": "boolean" + }, + "enable_hs_signatures": { + "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "type": "boolean" + }, + "end_session_endpoint": { + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "expose_error_code": { + "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "type": "boolean" + }, + "extra_jwks_uris": { + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "forbidden_destroy_session": { + "default": true, + "description": "Destroy any active session for the forbidden requests.", + "type": "boolean" + }, + "forbidden_error_message": { + "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection).", + "type": "string" + }, + "forbidden_redirect_uri": { + "description": "Where to redirect the client on forbidden requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "groups_claim": { + "default": [ + "groups" + ], + "description": "The claim that contains the groups. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "groups_required": { + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "hide_credentials": { + "default": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "type": "boolean" + }, + "http_proxy": { + "description": "The HTTP proxy.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The HTTP proxy authorization.", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The HTTPS proxy.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The HTTPS proxy authorization.", + "type": "string" + }, + "id_token_param_name": { + "description": "The name of the parameter used to pass the id token.", + "type": "string" + }, + "id_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ignore_signature": { + "default": [ + + ], + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password 
grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "introspection", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspect_jwt_tokens": { + "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "type": "boolean" + }, + "introspection_accept": { + "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt", + "application/token-introspection+jwt" + ], + "type": "string" + }, + "introspection_check_active": { + "default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "type": "boolean" + }, + "introspection_endpoint": { + "description": "The introspection endpoint. 
If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "introspection_endpoint_auth_method": { + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "introspection_headers_client": { + "description": "Extra headers passed from the client to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_names": { + "description": "Extra header names passed to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_values": { + "description": "Extra header values passed to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_hint": { + "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "type": "string" + }, + "introspection_post_args_client": { + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_client_headers": { + "description": "Extra post arguments passed from the client headers to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_names": { + "description": "Extra post argument names passed to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + 
"type": "array" + }, + "introspection_post_args_values": { + "description": "Extra post argument values passed to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for introspection.", + "type": "string" + }, + "issuer": { + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "type": "string" + }, + "issuers_allowed": { + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "jwt_session_claim": { + "default": "sid", + "description": "The claim to match against the JWT session cookie.", + "type": "string" + }, + "jwt_session_cookie": { + "description": "The name of the JWT session cookie.", + "type": "string" + }, + "keepalive": { + "default": true, + "description": "Use keepalive with the HTTP client.", + "type": "boolean" + }, + "leeway": { + "default": 0, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "type": "number" + }, + "login_action": { + "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "enum": [ + "redirect", + "response", + "upstream" + ], + "type": "string" + }, + "login_methods": { + "default": [ + "authorization_code" + ], + "description": "Enable login functionality with specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": 
"array" + }, + "login_redirect_mode": { + "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "enum": [ + "fragment", + "query" + ], + "type": "string" + }, + "login_redirect_uri": { + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "login_tokens": { + "default": [ + "id_token" + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "items": { + "enum": [ + "access_token", + "id_token", + "introspection", + "refresh_token", + "tokens" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "logout_methods": { + "default": [ + "DELETE", + "POST" + ], + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "items": { + "enum": [ + "DELETE", + "GET", + "POST" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "logout_post_arg": { + "description": "The request body argument that activates the logout.", + "type": "string" + }, + "logout_query_arg": { + "description": "The request query argument that activates the logout.", + "type": "string" + }, + "logout_redirect_uri": { + "description": "Where to redirect the client after the logout.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ 
+ + ], + "type": "string" + }, + "type": "array" + }, + "logout_revoke": { + "default": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "type": "boolean" + }, + "logout_revoke_access_token": { + "default": true, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_revoke_refresh_token": { + "default": true, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_uri_suffix": { + "description": "The request URI suffix that activates the logout.", + "type": "string" + }, + "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "type": "number" + }, + "mtls_introspection_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_revocation_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_token_endpoint": { + "description": "Alias for the token endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "no_proxy": { + "description": "Do not use proxy with these hosts.", + "type": "string" + }, + "password_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "preserve_query_args": { + "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "type": "boolean" + }, + "proof_of_possession_auth_methods_validation": { + "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "type": "boolean" + }, + "proof_of_possession_dpop": { + "default": "off", + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "proof_of_possession_mtls": { + "default": "off", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. 
If the verification fails, the request will be rejected with 401.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "pushed_authorization_request_endpoint": { + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "pushed_authorization_request_endpoint_auth_method": { + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "redirect_uri": { + "description": "The redirect URI passed to the authorization and token endpoints.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "description": "The Redis session key prefix.", + "type": "string" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "socket": { + "description": "The Redis unix socket path.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. 
This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "rediscovery_lifetime": { + "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", + "type": "number" + }, + "refresh_token_param_name": { + "description": "The name of the parameter used to pass the refresh token.", + "type": "string" + }, + "refresh_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "refresh_tokens": { + "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "type": "boolean" + }, + "require_proof_key_for_code_exchange": { + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "type": "boolean" + }, + "require_pushed_authorization_requests": { + "description": "Forcibly enable or disable the pushed authorization requests. 
When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "type": "boolean" + }, + "require_signed_request_object": { + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "type": "boolean" + }, + "resolve_distributed_claims": { + "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "type": "boolean" + }, + "response_mode": { + "default": "query", + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "enum": [ + "form_post", + "form_post.jwt", + "fragment", + "fragment.jwt", + "jwt", + "query", + "query.jwt" + ], + "type": "string" + }, + "response_type": { + "default": [ + "code" + ], + "description": "The response type passed to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "reverify": { + "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", + "type": "boolean" + }, + "revocation_endpoint": { + "description": "The revocation 
endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "revocation_endpoint_auth_method": { + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "revocation_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for revocation.", + "type": "string" + }, + "roles_claim": { + "default": [ + "roles" + ], + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "roles_required": { + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "run_on_preflight": { + "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "type": "boolean" + }, + "scopes": { + "default": [ + "openid" + ], + "description": "The scopes passed to the authorization and token endpoints.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "scopes_claim": { + "default": [ + "scope" + ], + "description": "The claim that contains the scopes. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "scopes_required": { + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "search_user_info": { + "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "type": "boolean" + }, + "session_absolute_timeout": { + "default": 86400, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_audience": { + "default": "default", + "description": "The session audience, which is the intended target application. 
For example `\"my-application\"`.", + "type": "string" + }, + "session_cookie_domain": { + "description": "The session cookie Domain flag.", + "type": "string" + }, + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "type": "string" + }, + "session_cookie_path": { + "default": "/", + "description": "The session cookie Path flag.", + "type": "string" + }, + "session_cookie_same_site": { + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean" + }, + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean" + }, + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "type": "boolean" + }, + "session_idling_timeout": { + "default": 900, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 
0 disables the checks and touching.", + "type": "number" + }, + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "type": "string" + }, + "session_memcached_port": { + "default": 11211, + "description": "The memcached port.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "type": "string" + }, + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "type": "string" + }, + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean" + }, + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string" + }, + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "type": "number" + }, + "session_request_headers": { + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "session_response_headers": { + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. 
`[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "session_rolling_timeout": { + "default": 3600, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number" + }, + "session_secret": { + "description": "The session secret.", + "type": "string" + }, + "session_storage": { + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "enum": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "type": "string" + }, + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "Verify identity provider server certificate. 
If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network IO timeout in milliseconds.", + "type": "number" + }, + "tls_client_auth_cert_id": { + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "type": "string", + "uuid": true + }, + "tls_client_auth_ssl_verify": { + "default": true, + "description": "Verify identity provider server certificate during mTLS client authentication.", + "type": "boolean" + }, + "token_cache_key_include_scope": { + "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean" + }, + "token_endpoint": { + "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "token_endpoint_auth_method": { + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "token_exchange_endpoint": { + "description": "The token exchange endpoint.", + "type": "string" + }, + "token_headers_client": { + "description": "Extra headers passed from the client to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_grants": { + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - 
`client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "password", + "refresh_token" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_names": { + "description": "Extra header names passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "type": "string" + }, + "token_headers_replay": { + "description": "The names of token endpoint response headers to forward to the downstream client.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_values": { + "description": "Extra header values passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_post_args_client": { + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. 
If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_post_args_names": { + "description": "Extra post argument names passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_post_args_values": { + "description": "Extra post argument values passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "unauthorized_destroy_session": { + "default": true, + "description": "Destroy any active session for the unauthorized requests.", + "type": "boolean" + }, + "unauthorized_error_message": { + "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection).", + "type": "string" + }, + "unauthorized_redirect_uri": { + "description": "Where to redirect the client on unauthorized requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "unexpected_redirect_uri": { + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "upstream_access_token_header": { + "default": "authorization:bearer", + "description": "The upstream access token header.", + "type": "string" + }, + "upstream_access_token_jwk_header": { + "description": "The upstream 
access token JWK header.", + "type": "string" + }, + "upstream_headers_claims": { + "description": "The upstream header claims. Only top level claims are supported.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "upstream_headers_names": { + "description": "The upstream header names for the claim values.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "upstream_id_token_header": { + "description": "The upstream id token header.", + "type": "string" + }, + "upstream_id_token_jwk_header": { + "description": "The upstream id token JWK header.", + "type": "string" + }, + "upstream_introspection_header": { + "description": "The upstream introspection header.", + "type": "string" + }, + "upstream_introspection_jwt_header": { + "description": "The upstream introspection JWT header.", + "type": "string" + }, + "upstream_refresh_token_header": { + "description": "The upstream refresh token header.", + "type": "string" + }, + "upstream_session_id_header": { + "description": "The upstream session id header.", + "type": "string" + }, + "upstream_user_info_header": { + "description": "The upstream user info header.", + "type": "string" + }, + "upstream_user_info_jwt_header": { + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "userinfo_accept": { + "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt" + ], + "type": "string" + }, + "userinfo_endpoint": { + "description": "The user info endpoint. 
If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "userinfo_headers_client": { + "description": "Extra headers passed from the client to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_names": { + "description": "Extra header names passed to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_values": { + "description": "Extra header values passed to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_client": { + "description": "Extra query arguments passed from the client to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_names": { + "description": "Extra query argument names passed to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_values": { + "description": "Extra query argument values passed to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "using_pseudo_issuer": { + "default": false, + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "type": "boolean" + }, + "verify_claims": { + "default": true, + "description": "Verify tokens for standard claims.", + "type": "boolean" + }, + "verify_nonce": { + "default": true, + "description": "Verify nonce on authorization code flow.", + "type": "boolean" + }, + "verify_parameters": { + "default": false, + "description": "Verify plugin configuration against discovery.", + "type": "boolean" + }, + "verify_signature": { + "default": true, + "description": "Verify signature of tokens.", + "type": "boolean" + } + }, + "required": [ + + ], + "shorthand_fields": { + "authorization_cookie_httponly": { + "type": "boolean" + }, + "authorization_cookie_lifetime": { + "type": "number" + }, + "authorization_cookie_samesite": { + "type": "string" + }, + "session_compressor": { + "type": "string" + }, + "session_cookie_httponly": { + "type": "boolean" + }, + "session_cookie_idletime": { + "type": "number" + }, + "session_cookie_lifetime": { + "type": "number" + }, + "session_cookie_maxsize": { + "type": "integer" + }, + "session_cookie_renew": { + "type": "number" + }, + "session_cookie_samesite": { + "type": "string" + }, + "session_memcache_host": { + "type": "string" + }, + "session_memcache_port": { + "type": "integer" + }, + "session_memcache_prefix": { + "type": "string" + }, + "session_memcache_socket": { + "type": "string" + }, + "session_redis_cluster_max_redirections": { + "type": "integer" + }, + "session_redis_cluster_nodes": { + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + 
"session_redis_connect_timeout": { + "type": "integer" + }, + "session_redis_host": { + "type": "string" + }, + "session_redis_password": { + "type": "string" + }, + "session_redis_port": { + "type": "integer" + }, + "session_redis_prefix": { + "type": "string" + }, + "session_redis_read_timeout": { + "type": "integer" + }, + "session_redis_send_timeout": { + "type": "integer" + }, + "session_redis_server_name": { + "type": "string" + }, + "session_redis_socket": { + "type": "string" + }, + "session_redis_ssl": { + "type": "boolean" + }, + "session_redis_ssl_verify": { + "type": "boolean" + }, + "session_redis_username": { + "type": "string" + }, + "session_strategy": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/opentelemetry/3.10.json b/json_schemas/opentelemetry/3.10.json new file mode 100644 index 00000000..bfad5c8a --- /dev/null +++ b/json_schemas/opentelemetry/3.10.json 
@@ -0,0 +1,292 @@ +{ + "properties": { + "config": { + "properties": { + "batch_flush_delay": { + "description": "The delay, in seconds, between two consecutive batches.", + "type": "integer" + }, + "batch_span_count": { + "description": "The number of spans to be sent in a single batch.", + "type": "integer" + }, + "connect_timeout": { + "default": 1000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "header_type": { + "default": "preserve", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "ignore", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "type": "string" + }, + "headers": { + "additionalProperties": true, + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", + "type": "object" + }, + "http_response_header_for_traceid": { + "type": "string" + }, + "logs_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "propagation": { + "default": { + "default_format": "w3c" + }, + "properties": { + "clear": { + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "default_format": { + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. 
This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "type": "string" + }, + "extract": { + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "items": { + "enum": [ + "aws", + "b3", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "inject": { + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "items": { + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "default_format" + ], + "type": "object" + }, + "queue": { + "default": { + "max_batch_size": 200 + }, + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. 
-1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "resource_attributes": { + "additionalProperties": true, + "type": "object" + }, + "sampling_rate": { + "description": "Tracing sampling rate for configuring the probability-based sampler. 
When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "traces_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/post-function/3.10.json b/json_schemas/post-function/3.10.json new file mode 100644 index 00000000..fda803ac --- /dev/null +++ b/json_schemas/post-function/3.10.json 
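Review bot: `config.headers` is declared as a free-form object (`"additionalProperties": true`) even though its description says it carries the authentication headers (token) for the APM backend, so non-string values validate and nothing marks the value as a credential. Constraining it with `"additionalProperties": { "type": "string" }` would reject malformed header values at validation time, and the description could say that the token should be supplied through a secret reference rather than stored in plain text, if the gateway supports references for this field. `resource_attributes` has the same open shape and no `description` at all. Separately, `queue.default.max_batch_size` is 200 while `queue.properties.max_batch_size.default` is 1, and the schema does not say which one applies. Since the file is pulled from the API, these changes belong in the plugin schema upstream.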
@@ -0,0 +1,190 @@ +{ + "properties": { + "config": { + "properties": { + "access": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "body_filter": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "certificate": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "header_filter": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "log": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "rewrite": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_client_frame": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_close": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_handshake": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_upstream_frame": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/pre-function/3.10.json b/json_schemas/pre-function/3.10.json new file mode 100644 index 00000000..fda803ac --- /dev/null +++ b/json_schemas/pre-function/3.10.json 
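Review bot: None of the ten phase arrays under `config` (`access`, `body_filter`, `certificate`, `header_filter`, `log`, `rewrite` and the four `ws_*` fields) has a `description`, so the schema gives an operator no hint of what the strings are or how sensitive they are. As far as I know these plugins take Lua source that the gateway runs in the named phase; the hunk itself does not say so, and this should be confirmed against the plugin documentation. If that is right, each field should get a description upstream along the lines of `"description": "Lua code to run during the access phase. Write access to this field is equivalent to code execution on the gateway."`, so that reviewers of a plugin configuration know to treat changes to it as code changes. The `pre-function/3.10.json` hunk that follows carries the same blob (`fda803ac`) and has the same gap.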
@@ -0,0 +1,190 @@ +{ + "properties": { + "config": { + "properties": { + "access": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "body_filter": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "certificate": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "header_filter": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "log": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "rewrite": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_client_frame": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_close": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_handshake": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_upstream_frame": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/prometheus/3.10.json b/json_schemas/prometheus/3.10.json new file mode 100644 index 00000000..c2bc326c --- /dev/null +++ b/json_schemas/prometheus/3.10.json 
@@ -0,0 +1,113 @@ +{ + "properties": { + "config": { + "properties": { + "ai_metrics": { + "default": false, + "description": "A boolean value that determines if ai metrics should be collected. If enabled, the `ai_llm_requests_total`, `ai_llm_cost_total` and `ai_llm_tokens_total` metrics will be exported.", + "type": "boolean" + }, + "bandwidth_metrics": { + "default": false, + "description": "A boolean value that determines if bandwidth metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", + "type": "boolean" + }, + "latency_metrics": { + "default": false, + "description": "A boolean value that determines if latency metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", + "type": "boolean" + }, + "per_consumer": { + "default": false, + "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", + "type": "boolean" + }, + "status_code_metrics": { + "default": false, + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", + "type": "boolean" + }, + "upstream_health_metrics": { + "default": false, + "description": "A boolean value that determines if upstream metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/proxy-cache-advanced/3.10.json b/json_schemas/proxy-cache-advanced/3.10.json new file mode 100644 index 00000000..2b2bfc0b --- /dev/null +++ b/json_schemas/proxy-cache-advanced/3.10.json 
@@ -0,0 +1,410 @@ +{ + "properties": { + "config": { + "properties": { + "bypass_on_err": { + "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "type": "boolean" + }, + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities.", + "minimum": 0, + "type": "integer" + }, + "content_type": { + "default": [ + "application/json", + "text/plain" + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ignore_uri_case": { + "default": false, + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", + "type": "boolean" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. 
Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. 
Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "request_method": { + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", + "items": { + "enum": [ + "GET", + "HEAD", + "PATCH", + "POST", + "PUT" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "response_code": { + "default": [ + 200, + 301, + 404 + ], + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", + "items": { + "maximum": 900, + "minimum": 100, + "required": [ + + ], + "type": "integer" + }, + "minLength": 1, + "type": "array" + }, + "response_headers": { + "description": "Caching related diagnostic headers that should be included in cached responses", + "properties": { + "X-Cache-Key": { + "default": true, + "type": "boolean" + }, + "X-Cache-Status": { + "default": true, + "type": "boolean" + }, + "age": { + "default": true, + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "storage_ttl": { + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" + }, + "strategy": { + "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", + "enum": [ + "memory", + "redis" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. 
If undefined, none of the headers are taken into consideration.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/proxy-cache/3.10.json b/json_schemas/proxy-cache/3.10.json new file mode 100644 index 00000000..c2f2d7c7 --- /dev/null +++ b/json_schemas/proxy-cache/3.10.json 
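Review bot: The `config.redis` block gives `ssl` and `ssl_verify` a `"default": false` but never says what that means for the `password` and `sentinel_password` fields beside them. With the defaults, the Redis AUTH exchange and the cached entities presumably cross the network unencrypted, and turning on `ssl` alone still leaves the server certificate unchecked. I would extend the `ssl` description to `"If set to true, uses SSL to connect to Redis. When false, credentials and cached data are sent to Redis unencrypted."` and have the `ssl_verify` description say it should be enabled whenever `ssl` is. The same gap is in the `redis` blocks of the rate-limiting-advanced and rate-limiting schemas further down. If these files are regenerated from the API, the wording has to change in the upstream plugin schema rather than here.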
@@ -0,0 +1,229 @@ +{ + "properties": { + "config": { + "properties": { + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL, in seconds, of cache entities.", + "minimum": 0, + "type": "integer" + }, + "content_type": { + "default": [ + "application/json", + "text/plain" + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ignore_uri_case": { + "default": false, + "type": "boolean" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "request_method": { + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable.", + "items": { + "enum": [ + "GET", + "HEAD", + "PATCH", + "POST", + "PUT" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "response_code": { + "default": [ + 200, + 301, + 404 + ], + "description": "Upstream response status code considered cacheable.", + "items": { + "maximum": 900, + "minimum": 100, + "required": [ + + ], + "type": "integer" + }, + "minLength": 1, + "type": "array" + }, + "response_headers": { + "description": "Caching related diagnostic headers that should be included in cached responses", + "properties": { + "X-Cache-Key": { + "default": true, + "type": "boolean" + }, + "X-Cache-Status": { + "default": true, + "type": "boolean" + }, + "age": { + "default": true, + "type": "boolean" + } + }, + "required": [ + + 
], + "type": "object" + }, + "storage_ttl": { + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" + }, + "strategy": { + "description": "The backing data store in which to hold cache entities.", + "enum": [ + "memory" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/rate-limiting-advanced/3.10.json b/json_schemas/rate-limiting-advanced/3.10.json new file mode 100644 index 00000000..ddf292ba --- /dev/null +++ b/json_schemas/rate-limiting-advanced/3.10.json 
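Review bot: `response_code` is declared with `"type": "array"` and `"minLength": 1`, but `minLength` is a string keyword in JSON Schema and validators ignore it on arrays, so an empty `response_code` list passes validation. The keyword that expresses the intent is `"minItems": 1`. The same substitution applies to `cluster_nodes`, `sentinel_nodes`, `response_code`, `cluster_addresses` and `sentinel_addresses` in the proxy-cache-advanced hunk, and to the four Redis fields among them in the rate-limiting-advanced hunk. Several of those descriptions state "The minimum length of the array is 1 element", which the schema does not enforce. Since the files are downloaded, the fix probably belongs in the step that converts the plugin schema to JSON Schema.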
@@ -0,0 +1,416 @@ +{ + "properties": { + "config": { + "properties": { + "compound_identifier": { + "description": "Similar to `identifer`, but supports combining multiple items. The priority of `compound_identifier` is higher than `identifier`, which means if `compound_identifer` is set, it will be used, otherwise `identifier` will be used.", + "items": { + "enum": [ + "consumer", + "consumer-group", + "credential", + "header", + "ip", + "path", + "service" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_groups": { + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "type": "string" + }, + "disable_penalty": { + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", + "type": "boolean" + }, + "enforce_consumer_groups": { + "default": false, + "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. 
You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", + "type": "boolean" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "minimum": 0, + "type": "number" + }, + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" + }, + "identifier": { + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "enum": [ + "consumer", + "consumer-group", + "credential", + "header", + "ip", + "path", + "service" + ], + "type": "string" + }, + "limit": { + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "items": { + "required": [ + + ], + "type": "number" + }, + "type": "array" + }, + "lock_dictionary_name": { + "default": "kong_locks", + "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. The shared dictionary should be declare in nginx-kong.conf.", + "type": "string" + }, + "namespace": { + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. 
`strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", + "type": "string" + }, + "path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. 
If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "redis_proxy_type": { + "description": "If the `connection_is_proxied` is enabled, this field indicates the proxy type and version you are using. For example, you can enable this optioin when you want authentication between Kong and Envoy proxy.", + "enum": [ + "envoy_v1.31" + ], + "type": "string" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + }, + "strategy": { + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + }, + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds). 
There must be a matching number of window limits and sizes specified.", + "items": { + "required": [ + + ], + "type": "number" + }, + "type": "array" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/rate-limiting/3.10.json b/json_schemas/rate-limiting/3.10.json new file mode 100644 index 00000000..9deecb91 --- /dev/null +++ b/json_schemas/rate-limiting/3.10.json 
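Review bot: The `strategy` description in `config` says the available values are `local` and `cluster`, while the `enum` directly below it also accepts `redis`, and the `dictionary_name` and `namespace` descriptions both refer to a `redis` strategy. I would change the sentence to `Available values are: local, cluster, and redis.` so a reader choosing a counter store sees every option the schema accepts. In the same `config` block, `compound_identifier` spells `identifier` as `identifer` twice and `redis_proxy_type` has `optioin`. These strings appear to come from the upstream plugin schema, so the correction likely needs to land there to survive the next download.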
@@ -0,0 +1,263 @@ +{ + "properties": { + "config": { + "properties": { + "day": { + "description": "The number of HTTP requests that can be made per day.", + "minimum": 0, + "type": "number" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "minimum": 0, + "type": "number" + }, + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "fault_tolerant": { + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", + "type": "boolean" + }, + "header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers.", + "type": "boolean" + }, + "hour": { + "description": "The number of HTTP requests that can be made per hour.", + "minimum": 0, + "type": "number" + }, + "limit_by": { + "default": "consumer", + "description": "The entity that is used when aggregating the limits.", + "enum": [ + "consumer", + "consumer-group", + "credential", + "header", + "ip", + "path", + "service" + ], + "type": "string" + }, + "minute": { + "description": "The number of HTTP requests that can be made per minute.", + "minimum": 0, + "type": "number" + }, + "month": { + "description": "The number of HTTP requests that can be made per month.", + "minimum": 0, + "type": "number" + }, + "path": { + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "policy": { + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "enum": [ + "cluster", + "local", + "redis" + ], + "minLength": 0, + "type": "string" + }, + "redis": { + "description": "Redis configuration", + "properties": { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "minLength": 0, + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. 
If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "second": { + "description": "The number of HTTP requests that can be made per second.", + "minimum": 0, + "type": "number" + }, + "sync_rate": { + "default": -1, + "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior.", + "type": "number" + }, + "year": { + "description": "The number of HTTP requests that can be made per year.", + "minimum": 0, + "type": "number" + } + }, + "required": [ + + ], + "shorthand_fields": { + "redis_database": { + "type": "integer" + }, + "redis_host": { + "type": "string" + }, + "redis_password": { + "minLength": 0, + "type": "string" + }, + "redis_port": { + "type": "integer" + }, + "redis_server_name": { + "type": "string" + }, + "redis_ssl": { + "type": "boolean" + }, + "redis_ssl_verify": { + "type": "boolean" + }, + "redis_timeout": { + "type": "integer" + }, + "redis_username": { + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/redirect/3.10.json b/json_schemas/redirect/3.10.json new file mode 100644 index 00000000..dea922d4 --- /dev/null +++ b/json_schemas/redirect/3.10.json 
@@ -0,0 +1,105 @@ +{ + "properties": { + "config": { + "properties": { + "keep_incoming_path": { + "default": false, + "description": "Use the incoming request's path and query string in the redirect URL", + "type": "boolean" + }, + "location": { + "description": "The URL to redirect to", + "type": "string" + }, + "status_code": { + "default": 301, + "description": "The response code to send. Must be an integer between 100 and 599.", + "maximum": 599, + "minimum": 100, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/request-size-limiting/3.10.json b/json_schemas/request-size-limiting/3.10.json new file mode 100644 index 00000000..5259ed13 --- /dev/null +++ b/json_schemas/request-size-limiting/3.10.json 
@@ -0,0 +1,96 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_payload_size": { + "default": 128, + "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", + "type": "integer" + }, + "require_content_length": { + "default": false, + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", + "type": "boolean" + }, + "size_unit": { + "default": "megabytes", + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", + "enum": [ + "bytes", + "kilobytes", + "megabytes" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/request-termination/3.10.json b/json_schemas/request-termination/3.10.json new file mode 100644 index 00000000..b9c25a41 --- /dev/null +++ b/json_schemas/request-termination/3.10.json 
@@ -0,0 +1,117 @@ +{ + "properties": { + "config": { + "properties": { + "body": { + "description": "The raw response body to send. This is mutually exclusive with the `config.message` field.", + "type": "string" + }, + "content_type": { + "description": "Content type of the raw response configured with `config.body`.", + "type": "string" + }, + "echo": { + "default": false, + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", + "type": "boolean" + }, + "message": { + "description": "The message to send, if using the default response generator.", + "type": "string" + }, + "status_code": { + "default": 503, + "description": "The response code to send. Must be an integer between 100 and 599.", + "maximum": 599, + "minimum": 100, + "type": "integer" + }, + "trigger": { + "description": "A string representing an HTTP header name.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/request-transformer-advanced/3.10.json b/json_schemas/request-transformer-advanced/3.10.json new file mode 100644 index 00000000..6c9653b2 --- /dev/null +++ b/json_schemas/request-transformer-advanced/3.10.json 
@@ -0,0 +1,390 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "allow": { + "properties": { + "body": { + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "append": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "dots_in_keys": { + "default": true, + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects).", + "type": "boolean" + }, + "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. 
The string must contain only uppercase letters.", + "pattern": "^[A-Z]+$", + "type": "string" + }, + "remove": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "rename": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "replace": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "uri": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/request-transformer/3.10.json b/json_schemas/request-transformer/3.10.json new file mode 100644 index 00000000..ce375bb6 --- /dev/null +++ b/json_schemas/request-transformer/3.10.json 
@@ -0,0 +1,328 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "append": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. 
The string must contain only uppercase letters.", + "pattern": "^[A-Z]+$", + "type": "string" + }, + "remove": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "rename": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "replace": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "uri": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/request-validator/3.10.json b/json_schemas/request-validator/3.10.json new file mode 100644 index 00000000..71fb676d --- /dev/null 
+++ b/json_schemas/request-validator/3.10.json 
@@ -0,0 +1,164 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_content_types": { + "default": [ + "application/json" + ], + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "body_schema": { + "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.", + "type": "string" + }, + "content_type_parameter_validation": { + "default": true, + "description": "Determines whether to enable parameters validation of request content-type.", + "type": "boolean" + }, + "parameter_schema": { + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", + "items": { + "properties": { + "explode": { + "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect.", + "type": "boolean" + }, + "in": { + "description": "The location of the parameter.", + "enum": [ + "header", + "path", + "query" + ], + "type": "string" + }, + "name": { + "description": "The name of the parameter. Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`.", + "type": "string" + }, + "required": { + "description": "Determines whether this parameter is mandatory.", + "type": "boolean" + }, + "schema": { + "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. 
In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating.", + "type": "string" + }, + "style": { + "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", + "enum": [ + "deepObject", + "form", + "label", + "matrix", + "pipeDelimited", + "simple", + "spaceDelimited" + ], + "type": "string" + } + }, + "required": [ + "in", + "name", + "required" + ], + "type": "object" + }, + "type": "array" + }, + "verbose_response": { + "default": false, + "description": "If enabled, the plugin returns more verbose and detailed validation errors.", + "type": "boolean" + }, + "version": { + "default": "kong", + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", + "enum": [ + "draft4", + "kong" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/response-ratelimiting/3.10.json b/json_schemas/response-ratelimiting/3.10.json new file mode 100644 index 00000000..bfd951ef --- /dev/null +++ b/json_schemas/response-ratelimiting/3.10.json 
@@ -0,0 +1,207 @@ +{ + "properties": { + "config": { + "properties": { + "block_on_first_violation": { + "default": false, + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", + "type": "boolean" + }, + "fault_tolerant": { + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", + "type": "boolean" + }, + "header_name": { + "default": "x-kong-limit", + "description": "The name of the response header used to increment the counters.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers.", + "type": "boolean" + }, + "limit_by": { + "default": "consumer", + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. 
If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", + "enum": [ + "consumer", + "credential", + "ip" + ], + "type": "string" + }, + "limits": { + "additionalProperties": true, + "description": "A map that defines rate limits for the plugin.", + "minLength": 1, + "type": "object" + }, + "policy": { + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "redis": { + "description": "Redis configuration", + "properties": { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "minLength": 0, + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "shorthand_fields": { + "redis_database": { + "type": "integer" + }, + "redis_host": { + "type": "string" + }, + "redis_password": { + "minLength": 0, + "type": "string" + }, + "redis_port": { + "type": "integer" + }, + "redis_server_name": { + "type": "string" + }, + "redis_ssl": { + "type": "boolean" + }, + "redis_ssl_verify": { + "type": "boolean" + }, + "redis_timeout": { + "type": "integer" + }, + "redis_username": { + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/response-transformer-advanced/3.10.json b/json_schemas/response-transformer-advanced/3.10.json new file mode 100644 index 00000000..251e8dc2 --- /dev/null +++ b/json_schemas/response-transformer-advanced/3.10.json 
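Review bot: `config.limits` is declared `"type": "object"` with `"minLength": 1`, but `minLength` constrains only strings in JSON Schema, so an empty `limits` map passes validation against this schema. The object keyword is `"minProperties": 1`; the same mismatch appears on `rules.items.condition` in route-by-header/3.10.json later in this patch. The file looks machine-generated, so the keyword mapping probably needs fixing in the exporter rather than by hand. Separately, `redis.ssl` and `redis.ssl_verify` both default to `false`, and the `redis.password` description could say that with those defaults the password is sent over a connection that is neither encrypted nor authenticated.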
@@ -0,0 +1,419 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "allow": { + "properties": { + "json": { + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "append": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "dots_in_keys": { + "default": true, + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", + "type": "boolean" + }, + "remove": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + 
"default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "rename": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "replace": { + "properties": { + "body": { + "description": "String with which to replace the entire response body.", + "type": "string" + }, + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "transform": { + "properties": { + "functions": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/response-transformer/3.10.json b/json_schemas/response-transformer/3.10.json new file mode 100644 index 00000000..c4180b30 --- /dev/null +++ b/json_schemas/response-transformer/3.10.json 
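Review bot: `config.transform.functions` is an array of bare strings with no `description`, and apart from `dots_in_keys` and `replace.body` none of the `config` fields in this schema is documented. If these strings are Lua code that the plugin runs against the response body (the plugin documentation suggests so, but it is not visible here), the schema should state it, for example `"description": "Lua functions executed to transform the response JSON body; write access to this field amounts to code execution on the gateway."`. Also, `add.headers`, `append.headers` and `replace.headers` carry no `pattern`, while `rename.headers` in this file and the header lists in response-transformer/3.10.json use `^[^:]+:.*$`; it is worth confirming that the difference is intended.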
@@ -0,0 +1,311 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "append": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. 
Each string element can be one of: boolean, number, or string.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "remove": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "rename": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "replace": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/route-by-header/3.10.json b/json_schemas/route-by-header/3.10.json new file mode 100644 index 00000000..308bac74 --- /dev/null +++ b/json_schemas/route-by-header/3.10.json 
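Review bot: The `json_types` description under `config.add` and `config.replace` is copied from `config.append` and still reads "returned when appending\nJSON properties", which misdescribes those two fields. Suggested wording is `"...the JSON values returned when adding JSON properties..."` under `add` and `"...when replacing JSON properties..."` under `replace`, without the embedded `\n`.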
@@ -0,0 +1,100 @@ +{ + "properties": { + "config": { + "properties": { + "rules": { + "default": [ + + ], + "description": "Route by header rules.", + "items": { + "properties": { + "condition": { + "additionalProperties": true, + "minLength": 1, + "type": "object" + }, + "upstream_name": { + "type": "string" + } + }, + "required": [ + "condition", + "upstream_name" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
diff --git a/json_schemas/route-transformer-advanced/3.10.json b/json_schemas/route-transformer-advanced/3.10.json new file mode 100644 index 00000000..55afb37a --- /dev/null +++ b/json_schemas/route-transformer-advanced/3.10.json @@ -0,0 +1,89 @@ +{ + "properties": { + "config": { + "properties": { + "escape_path": { + "default": false, + "type": "boolean" + }, + "host": { + "type": "string" + }, + "path": { + "type": "string" + }, + "port": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
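Review bot: None of `config.escape_path`, `host`, `path` or `port` has a `description`, and `port` is an unconstrained `"type": "string"`, whereas other port fields in this patch (for example `redis.port` in response-ratelimiting/3.10.json) are integers bounded to 0–65535. Because these fields appear to decide where a request is sent upstream, each should say what values it accepts and whether request-derived input can reach it. If `port` is a string because templates are accepted, that belongs in the description, e.g. `"description": "Upstream port; a string because a template may be used. The rendered value must be an integer between 0 and 65535."`. `escape_path` likewise needs a sentence on what is escaped and why the default is `false`.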
diff --git a/json_schemas/saml/3.10.json b/json_schemas/saml/3.10.json new file mode 100644 index 00000000..699d06ce --- /dev/null +++ b/json_schemas/saml/3.10.json 
@@ -0,0 +1,609 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", + "type": "string" + }, + "assertion_consumer_path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "idp_certificate": { + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "type": "string" + }, + "idp_sso_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "issuer": { + "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", + "type": "string" + }, + "nameid_format": { + "default": "EmailAddress", + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", + "enum": [ + "EmailAddress", + "Persistent", + "Transient", + "Unspecified" + ], + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "description": "The Redis session key prefix.", + "type": "string" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "socket": { + "description": "The Redis unix socket path.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. 
This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "request_digest_algorithm": { + "default": "SHA256", + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", + "enum": [ + "SHA1", + "SHA256" + ], + "type": "string" + }, + "request_signature_algorithm": { + "default": "SHA256", + "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "enum": [ + "SHA256", + "SHA384", + "SHA512" + ], + "type": "string" + }, + "request_signing_certificate": { + "description": "The certificate for signing requests.", + "type": "string" + }, + "request_signing_key": { + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", + "type": "string" + }, + "response_digest_algorithm": { + "default": "SHA256", + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", + "enum": [ + "SHA1", + "SHA256" + ], + "type": "string" + }, + "response_encryption_key": { + "description": "The private encryption key required to decrypt encrypted assertions.", + "type": "string" + }, + "response_signature_algorithm": { + "default": "SHA256", + "description": "The algorithm for validating signatures in SAML responses. 
Options available are: - `SHA256` - `SHA384` - `SHA512`", + "enum": [ + "SHA256", + "SHA384", + "SHA512" + ], + "type": "string" + }, + "session_absolute_timeout": { + "default": 86400, + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "type": "number" + }, + "session_audience": { + "default": "default", + "description": "The session audience, for example \"my-application\"", + "type": "string" + }, + "session_cookie_domain": { + "description": "The session cookie domain flag.", + "type": "string" + }, + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "type": "string" + }, + "session_cookie_path": { + "default": "/", + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "session_cookie_same_site": { + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "session_cookie_secure": { + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean" + }, + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean" + }, + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", + "type": "boolean" + }, + "session_idling_timeout": { + "default": 900, + "description": "The session cookie idle time in seconds.", + "type": "number" + }, + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "type": "string" + }, + "session_memcached_port": { + "default": 11211, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "type": "string" + }, + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "type": "string" + }, + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions", + "type": "boolean" + }, + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Persistent session absolute timeout in seconds.", + "type": "number" + }, + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name", + "type": "string" + }, + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Persistent session rolling timeout in seconds.", + "type": "number" + }, + "session_request_headers": { + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "session_response_headers": { + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "session_rolling_timeout": { + "default": 3600, + "description": "The session cookie absolute timeout in seconds. 
Specifies how long the session can be used until it is no longer valid.", + "type": "number" + }, + "session_secret": { + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "maxLength": 32, + "minLength": 32, + "pattern": "^[0-9a-zA-Z/_+]+$", + "type": "string" + }, + "session_storage": { + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", + "enum": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "type": "string" + }, + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. 
This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", + "type": "boolean" + }, + "validate_assertion_signature": { + "default": true, + "description": "Enable signature validation for SAML responses.", + "type": "boolean" + } + }, + "required": [ + + ], + "shorthand_fields": { + "session_auth_ttl": { + "type": "number" + }, + "session_compressor": { + "type": "string" + }, + "session_cookie_httponly": { + "type": "boolean" + }, + "session_cookie_idletime": { + "type": "number" + }, + "session_cookie_lifetime": { + "type": "number" + }, + "session_cookie_maxsize": { + "type": "integer" + }, + "session_cookie_renew": { + "type": "number" + }, + "session_cookie_samesite": { + "type": "string" + }, + "session_memcache_host": { + "type": "string" + }, + "session_memcache_port": { + "type": "integer" + }, + "session_memcache_prefix": { + "type": "string" + }, + "session_memcache_socket": { + "type": "string" + }, + "session_redis_cluster_max_redirections": { + "type": "integer" + }, + "session_redis_cluster_maxredirections": { + "type": "integer" + }, + "session_redis_cluster_nodes": { + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + "session_redis_connect_timeout": { + "type": "integer" + }, + "session_redis_host": { + "type": "string" + }, + "session_redis_password": { + "type": "string" + }, + "session_redis_port": { + "type": "integer" + }, + "session_redis_prefix": { + "type": "string" + }, + "session_redis_read_timeout": { + "type": "integer" + }, + "session_redis_send_timeout": { + "type": "integer" + }, + "session_redis_server_name": { + "type": "string" + 
}, + "session_redis_socket": { + "type": "string" + }, + "session_redis_ssl": { + "type": "boolean" + }, + "session_redis_ssl_verify": { + "type": "boolean" + }, + "session_redis_username": { + "type": "string" + }, + "session_strategy": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/service-protection/3.10.json b/json_schemas/service-protection/3.10.json new file mode 100644 index 00000000..3e87cc14 --- /dev/null +++ b/json_schemas/service-protection/3.10.json 
@@ -0,0 +1,314 @@ +{ + "properties": { + "config": { + "properties": { + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "type": "string" + }, + "disable_penalty": { + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", + "type": "boolean" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "minimum": 0, + "type": "number" + }, + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" + }, + "limit": { + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "items": { + "required": [ + + ], + "type": "number" + }, + "type": "array" + }, + "lock_dictionary_name": { + "default": "kong_locks", + "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. The shared dictionary should be declared in nginx-kong.conf.", + "type": "string" + }, + "namespace": { + "description": "The rate limiting library namespace to use for this plugin instance. 
Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. 
If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. 
Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + }, + "strategy": { + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + }, + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds). 
There must be a matching number of window limits and sizes specified.", + "items": { + "required": [ + + ], + "type": "number" + }, + "type": "array" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/session/3.10.json b/json_schemas/session/3.10.json new file mode 100644 index 00000000..ce22bca5 --- /dev/null +++ b/json_schemas/session/3.10.json 
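Review bot: In `json_schemas/service-protection/3.10.json`, `redis.cluster_nodes` and `redis.sentinel_nodes` (and the `cluster_addresses` / `sentinel_addresses` shorthand fields) are declared `"type": "array"` but constrained with `"minLength": 1`. JSON Schema applies that keyword only to strings, so an empty node list validates even though both descriptions promise at least one element; the keyword should be `"minItems": 1`. Separately, the `strategy` description names only `local` and `cluster` while the enum also accepts `redis`, so the sentence should list all three values. Because the commit message says these files are pulled from the API, both fixes presumably belong in the schema generator rather than in this file.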
@@ -0,0 +1,258 @@ +{ + "properties": { + "config": { + "properties": { + "absolute_timeout": { + "default": 86400, + "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", + "type": "number" + }, + "audience": { + "default": "default", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "type": "string" + }, + "cookie_domain": { + "description": "The domain with which the cookie is intended to be exchanged.", + "type": "string" + }, + "cookie_http_only": { + "default": true, + "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", + "type": "boolean" + }, + "cookie_name": { + "default": "session", + "description": "The name of the cookie.", + "type": "string" + }, + "cookie_path": { + "default": "/", + "description": "The resource in the host where the cookie is available.", + "type": "string" + }, + "cookie_same_site": { + "default": "Strict", + "description": "Determines whether and how a cookie may be sent with cross-site requests.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "cookie_secure": { + "default": true, + "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", + "type": "boolean" + }, + "idling_timeout": { + "default": 900, + "description": "The session cookie idle time, in seconds.", + "type": "number" + }, + "logout_methods": { + "default": [ + "DELETE", + "POST" + ], + "description": "A set of HTTP methods that the plugin will respond to.", + "items": { + "enum": [ + "DELETE", + "GET", + "POST" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "logout_post_arg": { + "default": "session_logout", + "description": "The POST argument passed to logout requests. 
Do not change this property.", + "type": "string" + }, + "logout_query_arg": { + "default": "session_logout", + "description": "The query argument passed to logout requests.", + "type": "string" + }, + "read_body_for_logout": { + "default": false, + "type": "boolean" + }, + "remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean" + }, + "remember_absolute_timeout": { + "default": 2592000, + "description": "The persistent session absolute timeout limit, in seconds.", + "type": "number" + }, + "remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string" + }, + "remember_rolling_timeout": { + "default": 604800, + "description": "The persistent session rolling timeout window, in seconds.", + "type": "number" + }, + "request_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "response_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "rolling_timeout": { + "default": 3600, + "description": "The session cookie rolling timeout, in seconds. 
Specifies how long the session can be used until it needs to be renewed.", + "type": "number" + }, + "secret": { + "default": "lt9BJW1n5RfhCxTbNIKqsj8THW7YNdXTA0VW6KQwBUwg", + "description": "The secret that is used in keyed HMAC generation.", + "type": "string" + }, + "stale_ttl": { + "default": 10, + "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", + "type": "number" + }, + "storage": { + "default": "cookie", + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", + "enum": [ + "cookie", + "kong" + ], + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cookie_discard": { + "type": "number" + }, + "cookie_httponly": { + "type": "boolean" + }, + "cookie_idletime": { + "type": "number" + }, + "cookie_lifetime": { + "type": "number" + }, + "cookie_persistent": { + "type": "boolean" + }, + "cookie_renew": { + "type": "number" + }, + "cookie_samesite": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/standard-webhooks/3.10.json b/json_schemas/standard-webhooks/3.10.json new file mode 100644 index 00000000..edc62a01 --- /dev/null +++ b/json_schemas/standard-webhooks/3.10.json 
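Review bot: In `json_schemas/session/3.10.json`, `config.secret` is published with a literal string as its `default`, and its own description says it is the key used in keyed HMAC generation. If that value is generated per process and was only captured when the schema was pulled, the schema misstates the default. If it is genuinely static, every deployment that leaves `secret` unset protects its session cookies with a publicly known key. Either way the entry should carry no `default` and say so, e.g. `"description": "The secret that is used in keyed HMAC generation. Set this explicitly; the schema does not provide a usable default."`. The same section also reuses the `response_headers` description for `request_headers`, which presumably describes headers sent to the upstream instead.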
@@ -0,0 +1,86 @@ +{ + "properties": { + "config": { + "properties": { + "secret_v1": { + "description": "Webhook secret", + "type": "string" + }, + "tolerance_second": { + "default": 300, + "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response.", + "minimum": -1, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
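Review bot: `config.tolerance_second` in `json_schemas/standard-webhooks/3.10.json` accepts `"minimum": -1`, but its description only covers a positive number of seconds, so a reader cannot tell what `-1` or `0` does to the timestamp check. That window is what bounds replay of a captured webhook, so the description should state the sentinel's effect explicitly, e.g. by appending `A value of -1 <effect, to be confirmed against the plugin source>.`. `secret_v1` is described only as `Webhook secret` and is absent from `required`; if the plugin cannot verify signatures without it, the schema should list it there.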
diff --git a/json_schemas/statsd-advanced/3.10.json b/json_schemas/statsd-advanced/3.10.json new file mode 100644 index 00000000..be532c92 --- /dev/null +++ b/json_schemas/statsd-advanced/3.10.json 
@@ -0,0 +1,298 @@ +{ + "properties": { + "config": { + "properties": { + "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", + "items": { + "pattern": "^[0-9]+-[0-9]+$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_identifier_default": { + "default": "custom_id", + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "hostname_in_prefix": { + "default": false, + "description": "Include the `hostname` in the `prefix` for each metric name.", + "type": "boolean" + }, + "metrics": { + "default": [ + { + "name": "cache_datastore_misses_total", + "sample_rate": 1, + "stat_type": "counter" + } + ], + "description": "List of Metrics to be logged.", + "items": { + "properties": { + "consumer_identifier": { + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "enum": [ + "cache_datastore_hits_total", + "cache_datastore_misses_total", + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "shdict_usage", + "status_count", + "status_count_per_user", + "status_count_per_user_per_route", + "status_count_per_workspace", + "unique_users", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "minimum": 0, + "type": "number" + }, + "service_identifier": { + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "stat_type": { + "enum": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + }, + 
"workspace_identifier": { + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [ + "name", + "stat_type" + ], + "type": "object" + }, + "type": "array" + }, + "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to prefix to each metric's name.", + "type": "string" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + 
"type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "service_identifier_default": { + "default": "service_name_or_host", + "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "udp_packet_size": { + "default": 0, + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", + "maximum": 65507, + "minimum": 0, + "type": "number" + }, + "use_tcp": { + "default": false, + "description": "Use TCP instead of UDP.", + "type": "boolean" + }, + "workspace_identifier_default": { + "default": "workspace_id", + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/statsd/3.10.json b/json_schemas/statsd/3.10.json new file mode 100644 index 00000000..a55fdecc --- /dev/null +++ b/json_schemas/statsd/3.10.json 
@@ -0,0 +1,316 @@ +{ + "properties": { + "config": { + "properties": { + "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", + "items": { + "pattern": "^[0-9]+-[0-9]+$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_identifier_default": { + "default": "custom_id", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "flush_timeout": { + "type": "number" + }, + "host": { + "default": "localhost", + "description": "The IP address or hostname of StatsD server to send data to.", + "type": "string" + }, + "hostname_in_prefix": { + "default": false, + "type": "boolean" + }, + "metrics": { + "default": [ + { + "name": "cache_datastore_misses_total", + "sample_rate": 1, + "stat_type": "counter" + } + ], + "description": "List of metrics to be logged.", + "items": { + "properties": { + "consumer_identifier": { + "description": "Authenticated user detail.", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "description": "StatsD metric’s name.", + "enum": [ + "cache_datastore_hits_total", + "cache_datastore_misses_total", + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "shdict_usage", + "status_count", + "status_count_per_user", + "status_count_per_user_per_route", + "status_count_per_workspace", + "unique_users", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "description": "Sampling rate", + "minimum": 0, + "type": "number" + }, + "service_identifier": { + "description": "Service detail.", + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "stat_type": { + "description": "Determines what sort of event a metric represents.", + "enum": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + }, + 
"workspace_identifier": { + "description": "Workspace detail.", + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [ + "name", + "stat_type" + ], + "type": "object" + }, + "type": "array" + }, + "port": { + "default": 8125, + "description": "The port of StatsD server to send data to.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to prefix to each metric's name.", + "type": "string" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a 
batch.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "queue_size": { + "type": "integer" + }, + "retry_count": { + "type": "integer" + }, + "service_identifier_default": { + "default": "service_name_or_host", + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "tag_style": { + "enum": [ + "dogstatsd", + "influxdb", + "librato", + "signalfx" + ], + "type": "string" + }, + "udp_packet_size": { + "default": 0, + "maximum": 65507, + "minimum": 0, + "type": "number" + }, + "use_tcp": { + "default": false, + "type": "boolean" + }, + "workspace_identifier_default": { + "default": "workspace_id", + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/syslog/3.10.json b/json_schemas/syslog/3.10.json new file mode 100644 index 00000000..90bd9094 --- /dev/null +++ b/json_schemas/syslog/3.10.json 
@@ -0,0 +1,171 @@ +{ + "properties": { + "config": { + "properties": { + "client_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "facility": { + "default": "user", + "description": "The facility is used by the operating system to decide how to handle each log message.", + "enum": [ + "auth", + "authpriv", + "cron", + "daemon", + "ftp", + "kern", + "local0", + "local1", + "local2", + "local3", + "local4", + "local5", + "local6", + "local7", + "lpr", + "mail", + "news", + "syslog", + "user", + "uucp" + ], + "type": "string" + }, + "log_level": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "server_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "successful_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/tcp-log/3.10.json b/json_schemas/tcp-log/3.10.json new file mode 100644 index 00000000..91b64178 --- /dev/null +++ b/json_schemas/tcp-log/3.10.json 
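Review bot: `config.custom_fields_by_lua` is described here only as "Lua code as a key-value map", which does not say that each value is presumably a Lua chunk the gateway evaluates to produce a log field; the udp-log schema further down this page carries the same one-line text, while tcp-log spells it out. The property is declared with `"additionalProperties": true` and no value type, so whoever can write this plugin's configuration is supplying code, and the description should make that visible, for example by reusing tcp-log's wording: `"A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value."`. Constraining the values with `"additionalProperties": { "type": "string" }` would also let a validator reject non-string entries. If these files are regenerated from the Admin API, the change belongs in the plugin's source schema rather than in this copy.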
@@ -0,0 +1,117 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", + "type": "object" + }, + "host": { + "description": "The IP address or host name to send data to.", + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "number" + }, + "port": { + "description": "The port to send data to on the upstream server.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + }, + "tls": { + "default": false, + "description": "Indicates whether to perform a TLS handshake against the remote server.", + "type": "boolean" + }, + "tls_sni": { + "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/tls-handshake-modifier/3.10.json b/json_schemas/tls-handshake-modifier/3.10.json new file mode 100644 index 00000000..358d3225 --- /dev/null +++ b/json_schemas/tls-handshake-modifier/3.10.json 
@@ -0,0 +1,68 @@ +{ + "properties": { + "config": { + "properties": { + "tls_client_certificate": { + "default": "REQUEST", + "description": "TLS Client Certificate", + "enum": [ + "REQUEST" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpcs", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpcs", + "https", + "tls" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/tls-metadata-headers/3.10.json b/json_schemas/tls-metadata-headers/3.10.json new file mode 100644 index 00000000..3ae3ee64 --- /dev/null +++ b/json_schemas/tls-metadata-headers/3.10.json 
@@ -0,0 +1,90 @@ +{ + "properties": { + "config": { + "properties": { + "client_cert_fingerprint_header_name": { + "default": "X-Client-Cert-Fingerprint", + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", + "type": "string" + }, + "client_cert_header_name": { + "default": "X-Client-Cert", + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", + "type": "string" + }, + "client_cert_issuer_dn_header_name": { + "default": "X-Client-Cert-Issuer-DN", + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", + "type": "string" + }, + "client_cert_subject_dn_header_name": { + "default": "X-Client-Cert-Subject-DN", + "description": "Define the HTTP header name used for the subject DN of the client certificate.", + "type": "string" + }, + "client_serial_header_name": { + "default": "X-Client-Cert-Serial", + "description": "Define the HTTP header name used for the serial number of the client certificate.", + "type": "string" + }, + "inject_client_cert_details": { + "default": false, + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpcs", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpcs", + "https", + "tls" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/udp-log/3.10.json b/json_schemas/udp-log/3.10.json new file mode 100644 index 00000000..1c727685 --- /dev/null +++ b/json_schemas/udp-log/3.10.json 
@@ -0,0 +1,103 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/upstream-oauth/3.10.json b/json_schemas/upstream-oauth/3.10.json new file mode 100644 index 00000000..483a4342 --- /dev/null +++ b/json_schemas/upstream-oauth/3.10.json 
@@ -0,0 +1,509 @@ +{ + "properties": { + "config": { + "properties": { + "behavior": { + "properties": { + "idp_error_response_body_template": { + "default": "{ \"code\": \"{{status}}\", \"message\": \"{{message}}\" }", + "description": "The template to use to create the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "minLength": 0, + "type": "string" + }, + "idp_error_response_content_type": { + "default": "application/json; charset=utf-8", + "description": "The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "minLength": 0, + "type": "string" + }, + "idp_error_response_message": { + "default": "Failed to authenticate request to upstream", + "description": "The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "minLength": 0, + "type": "string" + }, + "idp_error_response_status_code": { + "default": 502, + "description": "The response code to return to the consumer if Kong fails to obtain a token from the IdP.", + "maximum": 599, + "minimum": 500, + "type": "integer" + }, + "purge_token_on_upstream_status_codes": { + "default": [ + 401 + ], + "description": "An array of status codes which will force an access token to be purged when returned by the upstream. 
An empty array will disable this functionality.", + "items": { + "maximum": 599, + "minimum": 100, + "required": [ + + ], + "type": "integer" + }, + "type": "array" + }, + "upstream_access_token_header_name": { + "default": "Authorization", + "description": "The name of the header used to send the access token (obtained from the IdP) to the upstream service.", + "minLength": 0, + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "cache": { + "properties": { + "default_ttl": { + "default": 3600, + "description": "The lifetime of a token without an explicit `expires_in` value.", + "minimum": 0, + "type": "number" + }, + "eagerly_expire": { + "default": 5, + "description": "The number of seconds to eagerly expire a cached token. By default, a cached token expires 5 seconds before its lifetime as defined in `expires_in`.", + "minimum": -1, + "type": "integer" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The shared dictionary used by the plugin to cache tokens if `config.cache.strategy` is set to `memory`.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "default": "memory", + "description": "The method Kong should use to cache tokens issued by the IdP.", + "enum": [ + "memory", + "redis" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "client": { + "properties": { + "auth_method": { + "default": "client_secret_post", + "description": "The authentication method used in client requests to the IdP. Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none" + ], + "type": "string" + }, + "client_secret_jwt_alg": { + "default": "HS512", + "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", + "enum": [ + "HS256", + "HS512" + ], + "type": "string" + }, + "http_proxy": { + "description": "The proxy to use when making HTTP requests to the IdP.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `http_proxy`.", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for requests made by this plugin. 
Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The proxy to use when making HTTPS requests to the IdP.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `https_proxy`.", + "type": "string" + }, + "keep_alive": { + "default": true, + "description": "Whether to use keepalive connections to the IdP.", + "type": "boolean" + }, + "no_proxy": { + "description": "A comma-separated list of hosts that should not be proxied.", + "type": "string" + }, + "ssl_verify": { + "default": false, + "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network I/O timeout for requests to the IdP in milliseconds.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "oauth": { + "properties": { + "audience": { + "default": [ + + ], + "description": "List of audiences passed to the IdP when obtaining a new token.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client ID for the application registration in the IdP.", + "type": "string" + }, + "client_secret": { + "description": "The client secret for the application registration in the IdP.", + "type": "string" + }, + "grant_type": { + "default": "client_credentials", + "description": "The OAuth grant type to be used.", + "enum": [ + "client_credentials", + "password" + ], + "type": "string" + }, + "password": { + "description": "The password to use if `config.oauth.grant_type` is set to `password`.", + "type": "string" + }, + "scopes": { + "default": [ + "openid" + ], + "description": "List of scopes to request from the IdP when obtaining a new token.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": 
"array" + }, + "token_endpoint": { + "description": "The token endpoint URI.", + "type": "string" + }, + "token_headers": { + "additionalProperties": true, + "description": "Extra headers to be passed in the token endpoint request.", + "type": "object" + }, + "token_post_args": { + "additionalProperties": true, + "description": "Extra post arguments to be passed in the token endpoint request.", + "type": "object" + }, + "username": { + "description": "The username to use if `config.oauth.grant_type` is set to `password`.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/upstream-timeout/3.10.json b/json_schemas/upstream-timeout/3.10.json new file mode 100644 index 00000000..6ba90827 --- /dev/null +++ b/json_schemas/upstream-timeout/3.10.json 
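Review bot: `config.client.ssl_verify` defaults to `false`, so with this schema's defaults the token request that carries `client_id`/`client_secret` (or the `password` grant credentials) to the IdP is made without validating the IdP's certificate; `config.cache.redis.ssl` and `config.cache.redis.ssl_verify` also default to `false` for the store that holds the issued tokens. The descriptions say what the flags do but not that the defaults leave verification off, so I would append a sentence such as `Defaults to false; set to true so the IdP certificate is validated before credentials are sent.` to the `client.ssl_verify` description, with an equivalent one for the Redis options. Separately, `cluster_nodes`, `sentinel_nodes` and the two shorthand address arrays put `"minLength": 1` on `"type": "array"`, which JSON Schema applies only to strings; `"minItems": 1` is the keyword that enforces the one-element minimum the descriptions promise. If the file is regenerated from the Admin API, both changes belong in the source schema or the exporter.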
@@ -0,0 +1,94 @@ +{ + "properties": { + "config": { + "properties": { + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/vault-auth/3.10.json b/json_schemas/vault-auth/3.10.json new file mode 100644 index 00000000..08e8cc3b --- /dev/null +++ b/json_schemas/vault-auth/3.10.json 
@@ -0,0 +1,110 @@ +{ + "properties": { + "config": { + "properties": { + "access_token_name": { + "default": "access_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "items": { + "description": "A string representing an HTTP header name.", + "required": [ + + ], + "type": "string" + }, + "type": "string" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", + "type": "boolean" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" + }, + "secret_token_name": { + "default": "secret_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. 
The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "items": { + "description": "A string representing an HTTP header name.", + "required": [ + + ], + "type": "string" + }, + "type": "string" + }, + "tokens_in_body": { + "default": false, + "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "vault": { + "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
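Review bot: `config.access_token_name` and `config.secret_token_name` are declared `"type": "string"` yet carry an `items` subschema, and their descriptions speak of an array of names; `items` only applies to array values, so that subschema is never evaluated for a string. The rule that key names may only contain [a-z], [A-Z], [0-9], [_] and [-] therefore exists only in prose. If a single name is what the plugin accepts, I would drop `items` and state the rule as `"pattern": "^[A-Za-z0-9_-]+$"`; if a list is intended, the type should be `"array"` with that pattern on the items. Because these fields decide where credentials are read from, the `hide_credentials` description could also say outright that with the default `false` both tokens are forwarded to the upstream service.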
diff --git a/json_schemas/websocket-size-limit/3.10.json b/json_schemas/websocket-size-limit/3.10.json new file mode 100644 index 00000000..483c3c46 --- /dev/null +++ b/json_schemas/websocket-size-limit/3.10.json 
@@ -0,0 +1,82 @@ +{ + "properties": { + "config": { + "properties": { + "client_max_payload": { + "maximum": 33554432, + "minimum": 1, + "type": "integer" + }, + "upstream_max_payload": { + "maximum": 33554432, + "minimum": 1, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
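Review bot: `config.client_max_payload` and `config.upstream_max_payload` have no `description`, so the unit of the 1–33554432 range and the peer each limit applies to are left to guesswork. The upper bound suggests bytes (32 MiB), but the schema does not say so. Each property should get a one-line description naming the unit and the direction. Since `config.required` is empty, the description should also state what limit applies when a field is omitted.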
diff --git a/json_schemas/websocket-validator/3.10.json b/json_schemas/websocket-validator/3.10.json new file mode 100644 index 00000000..65cf170c --- /dev/null +++ b/json_schemas/websocket-validator/3.10.json 
@@ -0,0 +1,168 @@ +{ + "properties": { + "config": { + "properties": { + "client": { + "properties": { + "binary": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + }, + "text": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "upstream": { + "properties": { + "binary": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + }, + "text": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. 
The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/xml-threat-protection/3.10.json b/json_schemas/xml-threat-protection/3.10.json new file mode 100644 index 00000000..48a6bd95 --- /dev/null +++ b/json_schemas/xml-threat-protection/3.10.json 
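Review bot: The `schema` and `type` descriptions under `config.client.binary`, `config.client.text` and `config.upstream.text` are verbatim copies of the `config.upstream.binary` text, so all four claim to validate "upstream-originated binary frames" and point at `config.upstream.binary.type`. An operator reading this cannot tell which direction or frame type a given schema covers, and may assume client frames are validated when only an upstream schema is set. Each description should name its own path, e.g. for `config.client.text.schema`: "Schema used to validate client-originated text frames. The semantics of this field depend on the validation type set by config.client.text.type." Note also that `config`, `config.client` and `config.upstream` all have an empty `required`, so a configuration that validates nothing passes this schema; whether the gateway rejects it elsewhere is not visible here.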
@@ -0,0 +1,228 @@ +{ + "properties": { + "config": { + "properties": { + "allow_dtd": { + "default": false, + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", + "type": "boolean" + }, + "allowed_content_types": { + "default": [ + + ], + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", + "items": { + "pattern": "^[^\\t\\n\\v\\f\\r ]+\\/[^ ;]+$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "attribute": { + "default": 1048576, + "description": "Maximum size of the attribute value.", + "minimum": 0, + "type": "integer" + }, + "bla_max_amplification": { + "default": 100, + "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", + "minimum": 1, + "type": "number" + }, + "bla_threshold": { + "default": 8388608, + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", + "minimum": 1024, + "type": "integer" + }, + "buffer": { + "default": 1048576, + "description": "Maximum size of the unparsed buffer (see below).", + "minimum": 0, + "type": "integer" + }, + "checked_content_types": { + "default": [ + "application/xml" + ], + "description": "A list of Content-Type values with payloads that must be validated.", + "items": { + "pattern": "^[^\\t\\n\\v\\f\\r ]+\\/[^ ;]+$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "comment": { + "default": 1024, + "description": "Maximum size of comments.", + "minimum": 0, + "type": "integer" + }, + "document": { + "default": 10485760, + "description": "Maximum size of the entire document.", + "minimum": 0, + "type": "integer" + }, + "entity": { + "default": 1024, + "description": "Maximum size of entity values in EntityDecl.", + "minimum": 0, + "type": "integer" + }, + "entityname": { + "default": 1024, + "description": "Maximum size of entity names in EntityDecl.", + 
"minimum": 0, + "type": "integer" + }, + "entityproperty": { + "default": 1024, + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", + "minimum": 0, + "type": "integer" + }, + "localname": { + "default": 1024, + "description": "Maximum size of the localname. This applies to tags and attributes.", + "minimum": 0, + "type": "integer" + }, + "max_attributes": { + "default": 100, + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", + "minimum": 0, + "type": "integer" + }, + "max_children": { + "default": 100, + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", + "minimum": 0, + "type": "integer" + }, + "max_depth": { + "default": 50, + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", + "minimum": 0, + "type": "integer" + }, + "max_namespaces": { + "default": 20, + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", + "minimum": 0, + "type": "integer" + }, + "namespace_aware": { + "default": true, + "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", + "type": "boolean" + }, + "namespaceuri": { + "default": 1024, + "description": "Maximum size of the namespace URI. 
This value is required if parsing is namespace-aware.", + "minimum": 0, + "type": "integer" + }, + "pidata": { + "default": 1024, + "description": "Maximum size of processing instruction data.", + "minimum": 0, + "type": "integer" + }, + "pitarget": { + "default": 1024, + "description": "Maximum size of processing instruction targets.", + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": 1024, + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", + "minimum": 0, + "type": "integer" + }, + "text": { + "default": 1048576, + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/zipkin/3.10.json b/json_schemas/zipkin/3.10.json new file mode 100644 index 00000000..0e5554bb --- /dev/null +++ b/json_schemas/zipkin/3.10.json 
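Review bot: The size and count limits in `config` (`document`, `buffer`, `max_depth`, `max_children`, `max_attributes` and the rest) all accept `0` through `"minimum": 0`, but no description says whether 0 rejects every such construct or switches the check off. For a threat-protection plugin that ambiguity should be settled in the description text, and a `maximum` would help if the parser has a hard ceiling. The `buffer` description ends with "(see below)", which refers to nothing in a standalone schema and should be replaced by the explanation itself. `allowed_content_types` would be clearer with the caveat that payloads of a listed type are passed through without any of these limits being applied.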
@@ -0,0 +1,366 @@ +{ + "properties": { + "config": { + "properties": { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "default_header_type": { + "default": "b3", + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "type": "string" + }, + "default_service_name": { + "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans.", + "type": "string" + }, + "header_type": { + "default": "preserve", + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. 
This property codifies what kind of tracing header the plugin expects on incoming requests", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "ignore", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "type": "string" + }, + "http_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "http_response_header_for_traceid": { + "type": "string" + }, + "http_span_name": { + "default": "method", + "description": "Specify whether to include the HTTP path in the span name.", + "enum": [ + "method", + "method_path" + ], + "type": "string" + }, + "include_credential": { + "default": true, + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", + "type": "boolean" + }, + "local_service_name": { + "default": "kong", + "description": "The name of the service as displayed in Zipkin.", + "type": "string" + }, + "phase_duration_flavor": { + "default": "annotations", + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", + "enum": [ + "annotations", + "tags" + ], + "type": "string" + }, + "propagation": { + "default": { + "default_format": "b3" + }, + "properties": { + "clear": { + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "default_format": { + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. 
This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "type": "string" + }, + "extract": { + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "items": { + "enum": [ + "aws", + "b3", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "inject": { + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "items": { + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "default_format" + ], + "type": "object" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. 
-1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sample_ratio": { + "default": 0.001, + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. 
", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "static_tags": { + "description": "The tags specified on this property will be added to the generated request traces.", + "items": { + "properties": { + "name": { + "not_one_of": [ + "error", + "http.method", + "http.path", + "http.status_code", + "kong.balancer.state", + "kong.balancer.try", + "kong.consumer", + "kong.credential", + "kong.node.id", + "kong.route", + "kong.service", + "lc", + "peer.hostname" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "tags_header": { + "default": "Zipkin-Tags", + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", + "type": "string" + }, + "traceid_byte_count": { + "default": 16, + "description": "The length in bytes of each request's Trace ID.", + "enum": [ + 8, + 16 + ], + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file From 9d26b557741dc199228daaefcda01e893bf942c6 Mon Sep 17 00:00:00 2001 
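Review bot: `not_one_of` under `config.static_tags.items.properties.name` is not a JSON Schema keyword, so a standard validator ignores it (or rejects the schema when run in strict mode) and reserved tag names such as `kong.credential` or `error` pass validation. The same constraint in JSON Schema terms is `"not": { "enum": [ ... ] }` wrapped around the existing list. Separately, `include_credential` defaults to `true`, which by its own description sends the authenticated consumer's credential to the Zipkin server. Nothing in the schema restricts `http_endpoint` to https, so the description should tell operators to set `include_credential` to `false` unless the collector is trusted and reached over TLS.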
From: fabianrbz <715229+fabianrbz@users.noreply.github.com> Date: Mon, 17 Feb 2025 13:48:26 +0000 Subject: [PATCH 124/165] JSON Schemas for 3.4.x --- json_schemas/acl/3.4.json | 88 + json_schemas/acme/3.4.json | 328 +++ json_schemas/app-dynamics/3.4.json | 90 + .../application-registration/3.4.json | 55 + json_schemas/aws-lambda/3.4.json | 212 ++ json_schemas/azure-functions/3.4.json | 129 ++ json_schemas/basic-auth/3.4.json | 76 + json_schemas/bot-detection/3.4.json | 91 + json_schemas/canary/3.4.json | 142 ++ json_schemas/correlation-id/3.4.json | 96 + json_schemas/cors/3.4.json | 145 ++ json_schemas/datadog/3.4.json | 254 +++ json_schemas/degraphql/3.4.json | 68 + json_schemas/exit-transformer/3.4.json | 95 + json_schemas/file-log/3.4.json | 98 + json_schemas/forward-proxy/3.4.json | 135 ++ .../graphql-proxy-cache-advanced/3.4.json | 113 + .../graphql-rate-limiting-advanced/3.4.json | 288 +++ json_schemas/grpc-gateway/3.4.json | 87 + json_schemas/grpc-web/3.4.json | 96 + json_schemas/hmac-auth/3.4.json | 122 ++ json_schemas/http-log/3.4.json | 190 ++ json_schemas/ip-restriction/3.4.json | 115 + json_schemas/jq/3.4.json | 176 ++ json_schemas/jwe-decrypt/3.4.json | 88 + json_schemas/jwt-signer/3.4.json | 577 ++++++ json_schemas/jwt/3.4.json | 142 ++ json_schemas/kafka-log/3.4.json | 232 +++ json_schemas/kafka-upstream/3.4.json | 244 +++ json_schemas/key-auth-enc/3.4.json | 110 + json_schemas/key-auth/3.4.json | 110 + .../konnect-application-auth/3.4.json | 77 + json_schemas/ldap-auth-advanced/3.4.json | 189 ++ json_schemas/ldap-auth/3.4.json | 130 ++ json_schemas/loggly/3.4.json | 175 ++ json_schemas/mocking/3.4.json | 119 ++ json_schemas/mtls-auth/3.4.json | 169 ++ json_schemas/oas-validation/3.4.json | 145 ++ json_schemas/oauth2-introspection/3.4.json | 138 ++ json_schemas/oauth2/3.4.json | 161 ++ json_schemas/opa/3.4.json | 122 ++ json_schemas/openid-connect/3.4.json | 1846 +++++++++++++++++ json_schemas/opentelemetry/3.4.json | 191 ++ 
json_schemas/post-function/3.4.json | 190 ++ json_schemas/pre-function/3.4.json | 190 ++ json_schemas/prometheus/3.4.json | 108 + json_schemas/proxy-cache-advanced/3.4.json | 321 +++ json_schemas/proxy-cache/3.4.json | 195 ++ json_schemas/rate-limiting-advanced/3.4.json | 329 +++ json_schemas/rate-limiting/3.4.json | 208 ++ json_schemas/request-size-limiting/3.4.json | 96 + json_schemas/request-termination/3.4.json | 104 + .../request-transformer-advanced/3.4.json | 390 ++++ json_schemas/request-transformer/3.4.json | 328 +++ json_schemas/request-validator/3.4.json | 159 ++ json_schemas/response-ratelimiting/3.4.json | 166 ++ .../response-transformer-advanced/3.4.json | 419 ++++ json_schemas/response-transformer/3.4.json | 298 +++ json_schemas/route-by-header/3.4.json | 100 + .../route-transformer-advanced/3.4.json | 89 + json_schemas/saml/3.4.json | 443 ++++ json_schemas/session/3.4.json | 254 +++ json_schemas/statsd-advanced/3.4.json | 289 +++ json_schemas/statsd/3.4.json | 307 +++ json_schemas/syslog/3.4.json | 171 ++ json_schemas/tcp-log/3.4.json | 117 ++ json_schemas/tls-handshake-modifier/3.4.json | 68 + json_schemas/tls-metadata-headers/3.4.json | 90 + json_schemas/udp-log/3.4.json | 103 + json_schemas/upstream-timeout/3.4.json | 94 + json_schemas/vault-auth/3.4.json | 110 + json_schemas/websocket-size-limit/3.4.json | 82 + json_schemas/websocket-validator/3.4.json | 168 ++ json_schemas/xml-threat-protection/3.4.json | 228 ++ json_schemas/zipkin/3.4.json | 278 +++ 75 files changed, 14746 insertions(+) create mode 100644 json_schemas/acl/3.4.json create mode 100644 json_schemas/acme/3.4.json create mode 100644 json_schemas/app-dynamics/3.4.json create mode 100644 json_schemas/application-registration/3.4.json create mode 100644 json_schemas/aws-lambda/3.4.json create mode 100644 json_schemas/azure-functions/3.4.json create mode 100644 json_schemas/basic-auth/3.4.json create mode 100644 json_schemas/bot-detection/3.4.json create mode 100644 
json_schemas/canary/3.4.json create mode 100644 json_schemas/correlation-id/3.4.json create mode 100644 json_schemas/cors/3.4.json create mode 100644 json_schemas/datadog/3.4.json create mode 100644 json_schemas/degraphql/3.4.json create mode 100644 json_schemas/exit-transformer/3.4.json create mode 100644 json_schemas/file-log/3.4.json create mode 100644 json_schemas/forward-proxy/3.4.json create mode 100644 json_schemas/graphql-proxy-cache-advanced/3.4.json create mode 100644 json_schemas/graphql-rate-limiting-advanced/3.4.json create mode 100644 json_schemas/grpc-gateway/3.4.json create mode 100644 json_schemas/grpc-web/3.4.json create mode 100644 json_schemas/hmac-auth/3.4.json create mode 100644 json_schemas/http-log/3.4.json create mode 100644 json_schemas/ip-restriction/3.4.json create mode 100644 json_schemas/jq/3.4.json create mode 100644 json_schemas/jwe-decrypt/3.4.json create mode 100644 json_schemas/jwt-signer/3.4.json create mode 100644 json_schemas/jwt/3.4.json create mode 100644 json_schemas/kafka-log/3.4.json create mode 100644 json_schemas/kafka-upstream/3.4.json create mode 100644 json_schemas/key-auth-enc/3.4.json create mode 100644 json_schemas/key-auth/3.4.json create mode 100644 json_schemas/konnect-application-auth/3.4.json create mode 100644 json_schemas/ldap-auth-advanced/3.4.json create mode 100644 json_schemas/ldap-auth/3.4.json create mode 100644 json_schemas/loggly/3.4.json create mode 100644 json_schemas/mocking/3.4.json create mode 100644 json_schemas/mtls-auth/3.4.json create mode 100644 json_schemas/oas-validation/3.4.json create mode 100644 json_schemas/oauth2-introspection/3.4.json create mode 100644 json_schemas/oauth2/3.4.json create mode 100644 json_schemas/opa/3.4.json create mode 100644 json_schemas/openid-connect/3.4.json create mode 100644 json_schemas/opentelemetry/3.4.json create mode 100644 json_schemas/post-function/3.4.json create mode 100644 json_schemas/pre-function/3.4.json create mode 100644 
json_schemas/prometheus/3.4.json create mode 100644 json_schemas/proxy-cache-advanced/3.4.json create mode 100644 json_schemas/proxy-cache/3.4.json create mode 100644 json_schemas/rate-limiting-advanced/3.4.json create mode 100644 json_schemas/rate-limiting/3.4.json create mode 100644 json_schemas/request-size-limiting/3.4.json create mode 100644 json_schemas/request-termination/3.4.json create mode 100644 json_schemas/request-transformer-advanced/3.4.json create mode 100644 json_schemas/request-transformer/3.4.json create mode 100644 json_schemas/request-validator/3.4.json create mode 100644 json_schemas/response-ratelimiting/3.4.json create mode 100644 json_schemas/response-transformer-advanced/3.4.json create mode 100644 json_schemas/response-transformer/3.4.json create mode 100644 json_schemas/route-by-header/3.4.json create mode 100644 json_schemas/route-transformer-advanced/3.4.json create mode 100644 json_schemas/saml/3.4.json create mode 100644 json_schemas/session/3.4.json create mode 100644 json_schemas/statsd-advanced/3.4.json create mode 100644 json_schemas/statsd/3.4.json create mode 100644 json_schemas/syslog/3.4.json create mode 100644 json_schemas/tcp-log/3.4.json create mode 100644 json_schemas/tls-handshake-modifier/3.4.json create mode 100644 json_schemas/tls-metadata-headers/3.4.json create mode 100644 json_schemas/udp-log/3.4.json create mode 100644 json_schemas/upstream-timeout/3.4.json create mode 100644 json_schemas/vault-auth/3.4.json create mode 100644 json_schemas/websocket-size-limit/3.4.json create mode 100644 json_schemas/websocket-validator/3.4.json create mode 100644 json_schemas/xml-threat-protection/3.4.json create mode 100644 json_schemas/zipkin/3.4.json diff --git a/json_schemas/acl/3.4.json b/json_schemas/acl/3.4.json new file mode 100644 index 00000000..f455a941 --- /dev/null +++ b/json_schemas/acl/3.4.json 
@@ -0,0 +1,88 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "deny": { + "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "hide_groups_header": { + "default": false, + "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/acme/3.4.json b/json_schemas/acme/3.4.json new file mode 100644 index 00000000..8f14ffbf --- /dev/null 
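Review bot: The rule stated in both descriptions, "One of `config.allow` or `config.deny` must be specified", is not expressed in the `config` schema: its `required` list is empty and there is no combinator, so a plugin entry with neither list validates. For an access-control plugin that belongs in the schema rather than in prose, for example `"anyOf": [{"required": ["allow"]}, {"required": ["deny"]}]` on `config` (or `oneOf` if the two lists are meant to be mutually exclusive). `config` also omits `"additionalProperties": false`, which `route` and `service` in the same file set, so a misspelled key such as `alow` (constructed example) would pass validation unnoticed. These files look like converter output, so the change probably belongs in the generation step; the same shape recurs in the other schemas this commit adds.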
+++ b/json_schemas/acme/3.4.json 
@@ -0,0 +1,328 @@ +{ + "properties": { + "config": { + "properties": { + "account_email": { + "description": "The account identifier. Can be reused in a different plugin instance.", + "pattern": "[a-zA-Z0-9]*[!-/:-@[-`{-~]*@+[a-zA-Z0-9]*%.?[a-zA-Z0-9]*", + "type": "string" + }, + "account_key": { + "description": "The private key associated with the account.", + "properties": { + "key_id": { + "description": "The Key ID.", + "type": "string" + }, + "key_set": { + "description": "The ID of the key set to associate the Key ID with.", + "type": "string" + } + }, + "required": [ + "key_id" + ], + "type": "object" + }, + "allow_any_domain": { + "default": false, + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", + "type": "boolean" + }, + "api_uri": { + "default": "https://acme-v02.api.letsencrypt.org/directory", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "cert_type": { + "default": "rsa", + "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate.", + "enum": [ + "ecc", + "rsa" + ], + "type": "string" + }, + "domains": { + "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", + "items": { + "match_all": { + "pattern": "^[^*]*%*?[^*]*$" + }, + "match_any": { + "patterns": [ + "%.%*$", + "^%*%.", + "^[^*]*$" + ] + }, + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "eab_hmac_key": { + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", + "type": "string" + }, + "eab_kid": { + "description": "External account binding (EAB) key id. 
You usually don't need to set this unless it is explicitly required by the CA.", + "type": "string" + }, + "enable_ipv4_common_name": { + "default": true, + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", + "type": "boolean" + }, + "fail_backoff_minutes": { + "default": 5, + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", + "type": "number" + }, + "preferred_chain": { + "description": "A string value that specifies the preferred certificate chain to use when generating certificates.", + "type": "string" + }, + "renew_threshold_days": { + "default": 14, + "description": "Days remaining to renew the certificate before it expires.", + "type": "number" + }, + "rsa_key_size": { + "default": 4096, + "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", + "enum": [ + 2048, + 3072, + 4096 + ], + "type": "integer" + }, + "storage": { + "default": "shm", + "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. 
Please refer to the Hybrid Mode sections below as well.", + "enum": [ + "consul", + "kong", + "redis", + "shm", + "vault" + ], + "type": "string" + }, + "storage_config": { + "properties": { + "consul": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https": { + "default": false, + "description": "Boolean representation of https.", + "type": "boolean" + }, + "kv_path": { + "description": "KV prefix path.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "description": "Timeout in milliseconds.", + "type": "number" + }, + "token": { + "description": "Consul ACL token.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "kong": { + "additionalProperties": true, + "properties": { + }, + "required": [ + + ], + "type": "object" + }, + "redis": { + "properties": { + "auth": { + "description": "The Redis password to use for authentication. 
", + "type": "string" + }, + "database": { + "description": "The index of the Redis database to use.", + "type": "number" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "namespace": { + "default": "", + "description": "A namespace to prepend to all keys stored in Redis.", + "minLength": 0, + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "ssl": { + "default": false, + "description": "Whether to use SSL/TLS encryption when connecting to the Redis server.", + "type": "boolean" + }, + "ssl_server_name": { + "description": "The expected server name for the SSL/TLS certificate presented by the Redis server.", + "type": "string" + }, + "ssl_verify": { + "default": false, + "description": "Whether to verify the SSL/TLS certificate presented by the Redis server. This should be a boolean value.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "shm": { + "properties": { + "shm_name": { + "default": "kong", + "description": "Name of shared memory zone used for Kong API gateway storage", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "vault": { + "properties": { + "auth_method": { + "default": "token", + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", + "enum": [ + "kubernetes", + "token" + ], + "type": "string" + }, + "auth_path": { + "description": "Vault's authentication path to use.", + "type": "string" + }, + "auth_role": { + "description": "The role to try and assign.", + "type": "string" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https": { + "default": false, + "description": "Boolean representation of https.", + "type": "boolean" + }, + "jwt_path": { + "description": "The path to the JWT.", + 
"type": "string" + }, + "kv_path": { + "description": "KV prefix path.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "description": "Timeout in milliseconds.", + "type": "number" + }, + "tls_server_name": { + "description": "SNI used in request, default to host if omitted.", + "type": "string" + }, + "tls_verify": { + "default": true, + "description": "Turn on TLS verification.", + "type": "boolean" + }, + "token": { + "description": "Consul ACL token.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "tos_accepted": { + "default": false, + "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/app-dynamics/3.4.json b/json_schemas/app-dynamics/3.4.json new file mode 100644 index 00000000..5675452c --- /dev/null +++ b/json_schemas/app-dynamics/3.4.json 
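Review bot: `config.account_email.pattern` and the `match_all`/`match_any` entries under `config.domains.items` carry Lua pattern syntax (`%.`, `%*`) rather than regular expressions. JSON Schema defines `pattern` as an ECMA-262 regex, where `%.?` reads as a literal `%` followed by an optional character, so a standard validator would likely reject an ordinary address such as `admin@example.com` (constructed example). `match_all` and `match_any` are not JSON Schema keywords and are normally ignored, which leaves `domains` unvalidated. The converter should translate these patterns or drop them; `is_regex` in the bot-detection schema and `shorthand_fields` in the canary schema are non-standard keys of the same kind. Separately, `storage_config.vault.token` is described as "Consul ACL token.", which looks copied from the `consul` block; `"description": "Vault token."` would keep an operator from supplying the wrong secret.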
@@ -0,0 +1,90 @@ +{ + "properties": { + "config": { + "additionalProperties": true, + "properties": { + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/application-registration/3.4.json b/json_schemas/application-registration/3.4.json new file mode 100644 index 00000000..1f224562 --- /dev/null +++ b/json_schemas/application-registration/3.4.json @@ -0,0 +1,55 @@ +{ + "properties": { + "config": { + "properties": { + "auto_approve": { + "default": false, + "description": "If enabled, all new Service Contracts requests are automatically approved.", + "type": "boolean" + }, + "description": { + "description": "Unique description displayed in information about a Service in the Developer Portal.", + "type": "string" + }, + "display_name": { + "description": "Unique display name used for a Service in the Developer Portal.", + "type": "string" + }, + "show_issuer": { + "default": false, + "description": "Displays the **Issuer URL** in the **Service Details** dialog.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ] +} \ No newline at end of file 
diff --git a/json_schemas/aws-lambda/3.4.json b/json_schemas/aws-lambda/3.4.json new file mode 100644 index 00000000..482d99c0 --- /dev/null +++ b/json_schemas/aws-lambda/3.4.json 
@@ -0,0 +1,212 @@ +{ + "properties": { + "config": { + "properties": { + "aws_assume_role_arn": { + "description": "The target AWS IAM role ARN used to invoke the Lambda function.", + "type": "string" + }, + "aws_imds_protocol_version": { + "default": "v1", + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", + "enum": [ + "v1", + "v2" + ], + "type": "string" + }, + "aws_key": { + "description": "The AWS key credential to be used when invoking the function.", + "type": "string" + }, + "aws_region": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "aws_role_session_name": { + "default": "kong", + "description": "The identifier of the assumed role session.", + "type": "string" + }, + "aws_secret": { + "description": "The AWS secret credential to be used when invoking the function. ", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "awsgateway_compatible": { + "default": false, + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", + "type": "boolean" + }, + "base64_encode_body": { + "default": true, + "description": "An optional value that Base64-encodes the request body.", + "type": "boolean" + }, + "disable_https": { + "default": false, + "type": "boolean" + }, + "forward_request_body": { + "default": false, + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. 
", + "type": "boolean" + }, + "forward_request_headers": { + "default": false, + "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", + "type": "boolean" + }, + "forward_request_method": { + "default": false, + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", + "type": "boolean" + }, + "forward_request_uri": { + "default": false, + "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", + "type": "boolean" + }, + "function_name": { + "description": "The AWS Lambda function name to invoke.", + "type": "string" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "invocation_type": { + "default": "RequestResponse", + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", + "enum": [ + "DryRun", + "Event", + "RequestResponse" + ], + "type": "string" + }, + "is_proxy_integration": { + "default": false, + "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "number" + }, + "log_type": { + "default": "Tail", + "description": "The LogType to use when invoking the function. 
By default, None and Tail are supported.", + "enum": [ + "None", + "Tail" + ], + "type": "string" + }, + "port": { + "default": 443, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "proxy_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "qualifier": { + "description": "The qualifier to use when invoking the function.", + "type": "string" + }, + "skip_large_bodies": { + "default": true, + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", + "type": "boolean" + }, + "timeout": { + "default": 60000, + "description": "An optional timeout in milliseconds when invoking the function.", + "type": "number" + }, + "unhandled_status": { + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", + "maximum": 999, + "minimum": 100, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/azure-functions/3.4.json b/json_schemas/azure-functions/3.4.json new file mode 100644 index 00000000..66d15b39 --- /dev/null +++ b/json_schemas/azure-functions/3.4.json 
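Review bot: `config.disable_https` is the only field under `config` without a `description`, and judging by its name it switches the connection to the Lambda endpoint to plain HTTP. A transport-security toggle should say what it does and when it is acceptable, for example `"description": "If true, connects to the Lambda endpoint without TLS. Intended for testing only."` (wording to be confirmed against the plugin). `aws_imds_protocol_version` defaults to `v1`; its description could add that `v2` is the session-token variant and the better choice wherever the instance supports it. `aws_region` carries the generic host-name description ("such as example.com"), which is wrong for a region identifier and looks like a typedef description applied by the converter.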
@@ -0,0 +1,129 @@ +{ + "properties": { + "config": { + "properties": { + "apikey": { + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", + "type": "string" + }, + "appname": { + "description": "The Azure app name.", + "type": "string" + }, + "clientid": { + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.", + "type": "string" + }, + "functionname": { + "description": "Name of the Azure function to invoke.", + "type": "string" + }, + "hostdomain": { + "default": "azurewebsites.net", + "description": "The domain where the function resides.", + "type": "string" + }, + "https": { + "default": true, + "description": "Use of HTTPS to connect with the Azure Functions server.", + "type": "boolean" + }, + "https_verify": { + "default": false, + "description": "Set to `true` to authenticate the Azure Functions server.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", + "type": "number" + }, + "routeprefix": { + "default": "api", + "description": "Route prefix to use.", + "type": "string" + }, + "timeout": { + "default": 600000, + "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/basic-auth/3.4.json b/json_schemas/basic-auth/3.4.json new file mode 100644 index 00000000..f74daaf1 --- /dev/null +++ b/json_schemas/basic-auth/3.4.json 
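Review bot: `config.https_verify` defaults to `false`, so with the defaults shown here the plugin sends the `x-functions-key` and `x-functions-clientid` headers over TLS without checking the server certificate. The description only says what `true` does; I would append a sentence such as `The default leaves the server certificate unverified.` so the risk is visible to anyone reading the generated reference. The default itself comes from the plugin, so changing it is a question for upstream rather than for this file. `protocols.items.enum` also lists `tcp`, `tls`, `tls_passthrough`, `udp`, `ws` and `wss`, unlike the other schemas in this commit; that is presumably a generic typedef and worth confirming as intended.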
@@ -0,0 +1,76 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/bot-detection/3.4.json b/json_schemas/bot-detection/3.4.json new file mode 100644 index 00000000..2233a89d --- /dev/null +++ b/json_schemas/bot-detection/3.4.json 
@@ -0,0 +1,91 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "default": [ + + ], + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", + "items": { + "is_regex": true, + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "deny": { + "default": [ + + ], + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", + "items": { + "is_regex": true, + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/canary/3.4.json b/json_schemas/canary/3.4.json new file mode 100644 index 00000000..39072c60 --- /dev/null +++ b/json_schemas/canary/3.4.json 
@@ -0,0 +1,142 @@ +{ + "properties": { + "config": { + "properties": { + "canary_by_header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "duration": { + "default": 3600, + "description": "The duration of the canary release in seconds.", + "minimum": 0, + "type": "number" + }, + "groups": { + "description": "The groups allowed to access the canary release.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "hash": { + "default": "consumer", + "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", + "enum": [ + "allow", + "consumer", + "deny", + "header", + "ip", + "none" + ], + "type": "string" + }, + "hash_header": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "percentage": { + "description": "The percentage of traffic to be routed to the canary release.", + "maximum": 100, + "minimum": 0, + "type": "number" + }, + "start": { + "description": "Future time in seconds since epoch, when the canary release will start. 
Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`.", + "type": "number" + }, + "steps": { + "default": 1000, + "description": "The number of steps for the canary release.", + "minimum": 1, + "type": "number" + }, + "upstream_fallback": { + "default": false, + "description": "Specifies whether to fallback to the upstream server if the canary release fails.", + "type": "boolean" + }, + "upstream_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "upstream_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "upstream_uri": { + "description": "The URI of the upstream server to be used for the canary release.", + "minLength": 1, + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "hash": { + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead.", + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/correlation-id/3.4.json b/json_schemas/correlation-id/3.4.json new file mode 100644 index 00000000..776a2f3e --- /dev/null +++ b/json_schemas/correlation-id/3.4.json 
@@ -0,0 +1,96 @@ +{ + "properties": { + "config": { + "properties": { + "echo_downstream": { + "default": false, + "description": "Whether to echo the header back to downstream (the client).", + "type": "boolean" + }, + "generator": { + "default": "uuid#counter", + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", + "enum": [ + "tracker", + "uuid", + "uuid#counter" + ], + "type": "string" + }, + "header_name": { + "default": "Kong-Request-ID", + "description": "The HTTP header name to use for the correlation ID.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/cors/3.4.json b/json_schemas/cors/3.4.json new file mode 100644 index 00000000..b0254d05 --- /dev/null +++ b/json_schemas/cors/3.4.json 
@@ -0,0 +1,145 @@ +{ + "properties": { + "config": { + "properties": { + "credentials": { + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", + "type": "boolean" + }, + "exposed_headers": { + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "description": "Value for the `Access-Control-Allow-Headers` header.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "max_age": { + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`.", + "type": "number" + }, + "methods": { + "default": [ + "CONNECT", + "DELETE", + "GET", + "HEAD", + "OPTIONS", + "PATCH", + "POST", + "PUT", + "TRACE" + ], + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", + "items": { + "enum": [ + "CONNECT", + "DELETE", + "GET", + "HEAD", + "OPTIONS", + "PATCH", + "POST", + "PUT", + "TRACE" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "origins": { + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. 
The accepted values can either be flat strings or PCRE regexes.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "preflight_continue": { + "default": false, + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", + "type": "boolean" + }, + "private_network": { + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "minLength": 1, + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/datadog/3.4.json b/json_schemas/datadog/3.4.json new file mode 100644 index 00000000..672b523a --- /dev/null +++ b/json_schemas/datadog/3.4.json 
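Review bot: The `origins` description says entries may be "flat strings or PCRE regexes" but not how a regex entry is matched, and neither `origins` nor `credentials` mentions how the two interact. A reader cannot tell from this schema whether an unanchored expression matches only the intended origin or any origin that merely contains it, which matters most once `credentials` is `true`. I would add a sentence to the `origins` description such as `Anchor regex entries with ^ and $ so that only the intended origin matches.`, with the wording confirmed against the plugin's matching behaviour. Separately, the `methods` description is wrapped in a stray pair of single quotes inside the JSON string. Since these files are pulled from the API, both fixes belong in the plugin's schema source.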
@@ -0,0 +1,254 @@ +{ + "properties": { + "config": { + "properties": { + "consumer_tag": { + "default": "consumer", + "description": "String to be attached as tag of the consumer.", + "type": "string" + }, + "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" + }, + "host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "metrics": { + "default": [ + { + "consumer_identifier": "custom_id", + "name": "kong_latency", + "sample_rate": 1, + "stat_type": "timer", + "tags": [ + "app:kong" + ] + } + ], + "description": "List of metrics to be logged.", + "items": { + "properties": { + "consumer_identifier": { + "description": "Authenticated user detail", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "description": "Datadog metric’s name", + "enum": [ + "kong_latency", + "latency", + "request_count", + "request_size", + "response_size", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "description": "Sampling rate", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "stat_type": { + "description": "Determines what sort of event the metric represents", + "enum": [ + "counter", + "distribution", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + }, + "tags": { + "description": "List of tags", + "items": { + "pattern": "^.*[^:]$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "name", + "stat_type" + ], + "type": "object" + }, + "type": "array" + }, + "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to be attached as a 
prefix to a metric's name.", + "type": "string" + }, + "queue": { + "properties": { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "queue_size": { + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" + }, + "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" + }, + "service_name_tag": { + "default": "name", + "description": "String to be attached as the name of the service.", + "type": "string" + }, + "status_tag": { + "default": "status", + "description": "String to be attached as the tag of the HTTP status.", + "type": "string" + } 
+ }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/degraphql/3.4.json b/json_schemas/degraphql/3.4.json new file mode 100644 index 00000000..4d44acc6 --- /dev/null +++ b/json_schemas/degraphql/3.4.json 
@@ -0,0 +1,68 @@ +{ + "properties": { + "config": { + "properties": { + "graphql_server_path": { + "default": "/graphql", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/exit-transformer/3.4.json b/json_schemas/exit-transformer/3.4.json new file mode 100644 index 00000000..f65b3b1f --- /dev/null +++ b/json_schemas/exit-transformer/3.4.json 
@@ -0,0 +1,95 @@ +{ + "properties": { + "config": { + "properties": { + "functions": { + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "handle_unexpected": { + "default": false, + "description": "Determines whether to handle unexpected errors by transforming their responses.", + "type": "boolean" + }, + "handle_unknown": { + "default": false, + "description": "Determines whether to handle unknown status codes by transforming their responses.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/file-log/3.4.json b/json_schemas/file-log/3.4.json new file mode 100644 index 00000000..7b34b71e --- /dev/null +++ b/json_schemas/file-log/3.4.json 
@@ -0,0 +1,98 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "path": { + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", + "pattern": "^[^*&%%\\`]+$", + "type": "string" + }, + "reopen": { + "default": false, + "description": "Determines whether the log file is closed and reopened on every request.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/forward-proxy/3.4.json b/json_schemas/forward-proxy/3.4.json new file mode 100644 index 00000000..ad6b829b --- /dev/null +++ b/json_schemas/forward-proxy/3.4.json 
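Review bot: The `path` pattern in `config` excludes only four characters, so it should not be read as confining the log file to a directory; absolute paths and `..` segments pass it. The doubled `%` looks like Lua-pattern escaping carried over unchanged, and the backslash before the backtick is an identity escape that regex engines running in Unicode mode reject, so it is worth checking that the validator used for these schemas compiles this `pattern` at all. Dropping the second `%` and the backslash keeps the same character set in ECMA-262 syntax. The description of `custom_fields_by_lua` ("Lua code as a key-value map") could also say where and when that code is evaluated, because `"additionalProperties": true` leaves the values unconstrained here.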
@@ -0,0 +1,135 @@ +{ + "properties": { + "config": { + "properties": { + "auth_password": { + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "type": "string" + }, + "auth_username": { + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "type": "string" + }, + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_verify": { + "default": false, + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "type": "boolean" + }, + "proxy_scheme": { + "default": "http", + "description": "The proxy scheme to use when connecting. Only `http` is supported.", + "enum": [ + "http" + ], + "type": "string" + }, + "x_headers": { + "default": "append", + "description": "Determines how to handle headers when forwarding the request.", + "enum": [ + "append", + "delete", + "transparent" + ], + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "proxy_host": { + "type": "string" + }, + "proxy_port": { + "type": "integer" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/graphql-proxy-cache-advanced/3.4.json b/json_schemas/graphql-proxy-cache-advanced/3.4.json new file mode 100644 index 00000000..147f7004 --- /dev/null +++ b/json_schemas/graphql-proxy-cache-advanced/3.4.json 
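Review bot: `https_verify` is published with `"default": false`, and its description does not say what that default means: with the field left unset, the server certificate is presumably not checked against `lua_ssl_trusted_certificate`. I would make that explicit in the description, for example `When false (the default), the server certificate is not verified.` `auth_password` is a plain `string` with no hint about how the value should be supplied; if the plugin accepts a secret reference for this field, the description should say so, so that readers do not paste the credential into the configuration. Both changes belong in the plugin's schema source, since this file is downloaded from the API.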
@@ -0,0 +1,113 @@ +{ + "properties": { + "config": { + "properties": { + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "minimum": 0, + "type": "integer" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "strategy": { + "default": "memory", + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", + "enum": [ + "memory" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/graphql-rate-limiting-advanced/3.4.json b/json_schemas/graphql-rate-limiting-advanced/3.4.json new file mode 100644 index 00000000..a7346df7 --- /dev/null +++ b/json_schemas/graphql-rate-limiting-advanced/3.4.json 
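Review bot: `cache_ttl` declares `"minimum": 0` while its description says the value "Must be a value greater than 0", so a schema validator accepts `0` although the text rules it out. A bound that matches the text is `"minimum": 1`, since the type is `integer`, or `"exclusiveMinimum": 0` in draft-06 and later dialects. The same mismatch is on `score_factor` in the graphql-rate-limiting-advanced hunk ("must always be greater than 0" with `"minimum": 0`); there the type is `number`, so only the exclusive bound fits. These files declare no `$schema`, so the dialect should be confirmed before choosing the keyword.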
@@ -0,0 +1,288 @@ +{ + "properties": { + "config": { + "properties": { + "cost_strategy": { + "default": "default", + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", + "enum": [ + "default", + "node_quantifier" + ], + "type": "string" + }, + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters will be stored until the next sync cycle.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers. Available options: `true` or `false`.", + "type": "boolean" + }, + "identifier": { + "default": "consumer", + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", + "enum": [ + "consumer", + "credential", + "ip" + ], + "type": "string" + }, + "limit": { + "description": "One or more requests-per-window limits to apply.", + "items": { + "required": [ + + ], + "type": "number" + }, + "type": "array" + }, + "max_cost": { + "default": 0, + "description": "A defined maximum cost per query. 0 means unlimited.", + "type": "number" + }, + "namespace": { + "description": "The rate limiting library namespace to use for this plugin instance. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", + "type": "string" + }, + "redis": { + "properties": { + "cluster_addresses": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. 
The minimum length of the array is 1 element.", + "items": { + "required": [ + + ], + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_addresses": { + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "items": { + "required": [ + + ], + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "score_factor": { + "default": 1, + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", + "minimum": 0, + "type": "number" + }, + "strategy": { + "default": "cluster", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", + "enum": [ + "cluster", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. 
A value greater than 0 syncs the counters in that many number of seconds.", + "type": "number" + }, + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds).", + "items": { + "required": [ + + ], + "type": "number" + }, + "type": "array" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window to either `sliding` or `fixed`.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
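Review bot: `redis.cluster_addresses` and `redis.sentinel_addresses` put `"minLength": 1` on a `"type": "array"` property; in JSON Schema `minLength` constrains strings only, so the one-element minimum stated in both descriptions is not enforced and an empty array validates. The array keyword is `minItems`, i.e. `"minItems": 1`; if the intent was also to reject empty host strings, `"minLength": 1` belongs inside `items`. The descriptions of `ssl` and `ssl_verify` could also state the consequence of both defaulting to `false`: a Redis connection configured with only `host` and `password` is not encrypted and the server is not verified. As the file is downloaded from the API, the keyword mapping should be corrected where the schema is converted.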
diff --git a/json_schemas/grpc-gateway/3.4.json b/json_schemas/grpc-gateway/3.4.json new file mode 100644 index 00000000..2ae37a8c --- /dev/null +++ b/json_schemas/grpc-gateway/3.4.json 
@@ -0,0 +1,87 @@ +{ + "properties": { + "config": { + "properties": { + "proto": { + "description": "Describes the gRPC types and methods.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/grpc-web/3.4.json b/json_schemas/grpc-web/3.4.json new file mode 100644 index 00000000..31f56172 --- /dev/null +++ b/json_schemas/grpc-web/3.4.json 
@@ -0,0 +1,96 @@ +{ + "properties": { + "config": { + "properties": { + "allow_origin_header": { + "default": "*", + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", + "type": "string" + }, + "pass_stripped_path": { + "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", + "type": "boolean" + }, + "proto": { + "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/hmac-auth/3.4.json b/json_schemas/hmac-auth/3.4.json new file mode 100644 index 00000000..b4b59358 --- /dev/null +++ b/json_schemas/hmac-auth/3.4.json 
@@ -0,0 +1,122 @@ +{ + "properties": { + "config": { + "properties": { + "algorithms": { + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", + "items": { + "enum": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "anonymous": { + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + }, + "clock_skew": { + "default": 300, + "description": "Clock skew in seconds to prevent replay attacks.", + "minimum": 0, + "type": "number" + }, + "enforce_headers": { + "default": [ + + ], + "description": "A list of headers that the client should at least use for HTTP signature creation.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "type": "boolean" + }, + "validate_request_body": { + "default": false, + "description": "A boolean value telling the plugin to enable body validation.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/http-log/3.4.json b/json_schemas/http-log/3.4.json new file mode 100644 index 00000000..f1249e24 --- /dev/null +++ b/json_schemas/http-log/3.4.json 
@@ -0,0 +1,190 @@ +{ + "properties": { + "config": { + "properties": { + "content_type": { + "default": "application/json", + "description": "Indicates the type of data sent. The only available option is `application/json`.", + "enum": [ + "application/json", + "application/json; charset=utf-8" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" + }, + "headers": { + "additionalProperties": true, + "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", + "type": "object" + }, + "http_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", + "type": "number" + }, + "method": { + "default": "POST", + "description": "An optional method used to send data to the HTTP server. 
Supported values are `POST` (default), `PUT`, and `PATCH`.", + "enum": [ + "PATCH", + "POST", + "PUT" + ], + "type": "string" + }, + "queue": { + "properties": { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "queue_size": { + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" + }, + "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + } + }, + "required": [ + + ], + "type": 
"object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ip-restriction/3.4.json b/json_schemas/ip-restriction/3.4.json new file mode 100644 index 00000000..33ce9add --- /dev/null +++ b/json_schemas/ip-restriction/3.4.json 
@@ -0,0 +1,115 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", + "items": { + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "deny": { + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", + "items": { + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "message": { + "description": "The message to send as a response body to rejected requests.", + "type": "string" + }, + "status": { + "description": "The HTTP status of the requests that will be rejected by the plugin.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/jq/3.4.json b/json_schemas/jq/3.4.json new file mode 100644 index 00000000..7a686c75 --- /dev/null +++ b/json_schemas/jq/3.4.json 
@@ -0,0 +1,176 @@ +{ + "properties": { + "config": { + "properties": { + "request_if_media_type": { + "default": [ + "application/json" + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "request_jq_program": { + "type": "string" + }, + "request_jq_program_options": { + "properties": { + "ascii_output": { + "default": false, + "type": "boolean" + }, + "compact_output": { + "default": true, + "type": "boolean" + }, + "join_output": { + "default": false, + "type": "boolean" + }, + "raw_output": { + "default": false, + "type": "boolean" + }, + "sort_keys": { + "default": false, + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "response_if_media_type": { + "default": [ + "application/json" + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "response_if_status_code": { + "default": [ + 200 + ], + "items": { + "maximum": 599, + "minimum": 100, + "required": [ + + ], + "type": "integer" + }, + "type": "array" + }, + "response_jq_program": { + "type": "string" + }, + "response_jq_program_options": { + "properties": { + "ascii_output": { + "default": false, + "type": "boolean" + }, + "compact_output": { + "default": true, + "type": "boolean" + }, + "join_output": { + "default": false, + "type": "boolean" + }, + "raw_output": { + "default": false, + "type": "boolean" + }, + "sort_keys": { + "default": false, + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/jwe-decrypt/3.4.json b/json_schemas/jwe-decrypt/3.4.json new file mode 100644 index 00000000..019e6fb1 --- /dev/null +++ b/json_schemas/jwe-decrypt/3.4.json 
@@ -0,0 +1,88 @@ +{ + "properties": { + "config": { + "properties": { + "forward_header_name": { + "default": "Authorization", + "description": "The name of the header that is used to set the decrypted value.", + "type": "string" + }, + "key_sets": { + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "lookup_header_name": { + "default": "Authorization", + "description": "The name of the header to look for the JWE token.", + "type": "string" + }, + "strict": { + "default": true, + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/jwt-signer/3.4.json b/json_schemas/jwt-signer/3.4.json new file mode 100644 index 00000000..349b7097 --- /dev/null +++ b/json_schemas/jwt-signer/3.4.json 
@@ -0,0 +1,577 @@ +{ + "properties": { + "config": { + "properties": { + "access_token_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_authorization": { + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", + "type": "string" + }, + "access_token_introspection_body_args": { + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", + "type": "string" + }, + "access_token_introspection_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. 
The parameter can take an array of values.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", + "type": "string" + }, + "access_token_introspection_hint": { + "default": "access_token", + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", + "type": "string" + }, + "access_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. 
You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", + "type": "number" + }, + "access_token_introspection_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", + "type": "number" + }, + "access_token_issuer": { + "default": "kong", + "description": "The `iss` claim of a signed or re-signed access token is set to this value. 
Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", + "type": "string" + }, + "access_token_jwks_uri": { + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", + "type": "string" + }, + "access_token_keyset": { + "default": "kong", + "description": "The name of the keyset containing signing keys.", + "type": "string" + }, + "access_token_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", + "type": "number" + }, + "access_token_optional": { + "default": false, + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. 
If the token is provided, then this parameter has no effect", + "type": "boolean" + }, + "access_token_request_header": { + "default": "Authorization", + "description": "This parameter tells the name of the header where to look for the access token.", + "type": "string" + }, + "access_token_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_signing_algorithm": { + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS512" + ], + "type": "string" + }, + "access_token_upstream_header": { + "default": "Authorization:Bearer", + "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. 
If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", + "type": "string" + }, + "access_token_upstream_leeway": { + "default": 0, + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", + "type": "number" + }, + "add_claims": { + "additionalProperties": true, + "description": "Add customized claims if they are not present yet.", + "type": "object" + }, + "cache_access_token_introspection": { + "default": true, + "description": "Whether to cache access token introspection results.", + "type": "boolean" + }, + "cache_channel_token_introspection": { + "default": true, + "description": "Whether to cache channel token introspection results.", + "type": "boolean" + }, + "channel_token_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. 
If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_authorization": { + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "string" + }, + "channel_token_introspection_body_args": { + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "string" + }, + "channel_token_introspection_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. 
Valid values are `id`, `username` and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", + "type": "string" + }, + "channel_token_introspection_hint": { + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "string" + }, + "channel_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_leeway": { + "default": 0, + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. 
The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", + "type": "number" + }, + "channel_token_introspection_scopes_claim": { + "default": [ + "scope" + ], + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_scopes_required": { + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", + "type": "number" + }, + "channel_token_issuer": { + "default": "kong", + "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", + "type": "string" + }, + "channel_token_jwks_uri": { + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. 
If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", + "type": "string" + }, + "channel_token_keyset": { + "default": "kong", + "description": "The name of the keyset containing signing keys.", + "type": "string" + }, + "channel_token_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", + "type": "number" + }, + "channel_token_optional": { + "default": false, + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", + "type": "boolean" + }, + "channel_token_request_header": { + "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", + "type": "string" + }, + "channel_token_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. 
This supports nested claims.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_signing_algorithm": { + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS512" + ], + "type": "string" + }, + "channel_token_upstream_header": { + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", + "type": "string" + }, + "channel_token_upstream_leeway": { + "default": 0, + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", + "type": "number" + }, + "enable_access_token_introspection": { + "default": true, + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", + "type": "boolean" + }, + "enable_channel_token_introspection": { + "default": true, + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", + "type": "boolean" + }, + "enable_hs_signatures": { + "default": false, + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. 
If you need to accept such tokens for verification, enable this setting.", + "type": "boolean" + }, + "enable_instrumentation": { + "default": false, + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", + "type": "boolean" + }, + "realm": { + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", + "type": "string" + }, + "set_claims": { + "additionalProperties": true, + "description": "Set customized claims. If a claim is already present, it will be overwritten.", + "type": "object" + }, + "trust_access_token_introspection": { + "default": true, + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", + "type": "boolean" + }, + "trust_channel_token_introspection": { + "default": true, + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. 
With true (default), payload's expiry or scopes aren't checked.", + "type": "boolean" + }, + "verify_access_token_expiry": { + "default": true, + "description": "Quickly turn access token expiry verification off and on as needed.", + "type": "boolean" + }, + "verify_access_token_introspection_expiry": { + "default": true, + "description": "Quickly turn access token introspection expiry verification off and on as needed.", + "type": "boolean" + }, + "verify_access_token_introspection_scopes": { + "default": true, + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", + "type": "boolean" + }, + "verify_access_token_scopes": { + "default": true, + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", + "type": "boolean" + }, + "verify_access_token_signature": { + "default": true, + "description": "Quickly turn access token signature verification off and on as needed.", + "type": "boolean" + }, + "verify_channel_token_expiry": { + "default": true, + "type": "boolean" + }, + "verify_channel_token_introspection_expiry": { + "default": true, + "description": "Quickly turn on/off the channel token introspection expiry verification.", + "type": "boolean" + }, + "verify_channel_token_introspection_scopes": { + "default": true, + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", + "type": "boolean" + }, + "verify_channel_token_scopes": { + "default": true, + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", + "type": "boolean" + }, + "verify_channel_token_signature": { + "default": true, + "description": "Quickly turn on/off the channel token signature verification.", + "type": 
"boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/jwt/3.4.json b/json_schemas/jwt/3.4.json new file mode 100644 index 00000000..0353cf17 --- /dev/null +++ b/json_schemas/jwt/3.4.json 
@@ -0,0 +1,142 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + }, + "claims_to_verify": { + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", + "items": { + "enum": [ + "exp", + "nbf" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "cookie_names": { + "default": [ + + ], + "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "header_names": { + "default": [ + "authorization" + ], + "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "key_claim_name": { + "default": "iss", + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", + "type": "string" + }, + "maximum_expiration": { + "default": 0, + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", + "maximum": 31536000, + "minimum": 0, + "type": "number" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", + "type": "boolean" + }, + "secret_is_base64": { + "default": false, + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. 
You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", + "type": "boolean" + }, + "uri_param_names": { + "default": [ + "jwt" + ], + "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/kafka-log/3.4.json b/json_schemas/kafka-log/3.4.json new file mode 100644 index 00000000..3cc3b73a --- /dev/null +++ b/json_schemas/kafka-log/3.4.json 
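Review bot: The `claims_to_verify` and `maximum_expiration` descriptions leave out what happens when they are not set, which is what an operator of a token-validation plugin most needs to know. `claims_to_verify` has no default and `maximum_expiration` defaults to `0`, so as written the schema suggests that neither `exp` nor a lifetime cap is enforced unless configured. If that is the actual behaviour, say so, for example by appending `If unset, no registered claims are verified.` and `A value of 0 disables the limit.` to the two descriptions. The same hunk defaults `uri_param_names` to `["jwt"]`; a sentence noting that tokens sent in the query string are recorded in access logs and by intermediaries would help. Since the file is pulled from the API, the wording presumably has to change in the plugin's schema source.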
@@ -0,0 +1,232 @@ +{ + "properties": { + "config": { + "properties": { + "authentication": { + "properties": { + "mechanism": { + "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", + "enum": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "type": "string" + }, + "password": { + "description": "Password for SASL authentication.", + "type": "string" + }, + "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "enum": [ + "sasl" + ], + "type": "string" + }, + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication", + "type": "boolean" + }, + "user": { + "description": "Username for SASL authentication.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. 
Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "keepalive": { + "default": 60000, + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + }, + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + }, + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + }, + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "enum": [ + -1, + 0, + 1 + ], + "type": "integer" + }, + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + }, + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single Produce request.", + "type": "integer" + }, + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + }, + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + }, + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds", + "type": "integer" + }, + "security": { + "properties": { + "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string", + "uuid": true + }, + "ssl": { + "description": "Enables TLS.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topic": { + "description": "The Kafka topic to publish to.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/kafka-upstream/3.4.json b/json_schemas/kafka-upstream/3.4.json new file mode 100644 index 00000000..4fa1cc92 --- /dev/null +++ b/json_schemas/kafka-upstream/3.4.json 
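Review bot: The `authentication.mechanism` description lists only PLAIN or SCRAM-SHA-256, but the `enum` directly below it also allows `SCRAM-SHA-512`. The kafka-upstream schema later in this patch has the complete wording, `Supported options: PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512.`, and this one should match. Neither `password` nor `security.ssl` says that with `PLAIN` the password is protected in transit only when TLS is enabled, and `ssl` has no default here, so that caveat is worth one sentence (it applies to kafka-upstream as well). `keepalive` and `keepalive_enabled` carry no description, and the `consumer` description reads `where the specified has been authenticated`, which is missing the word `consumer` (same text in kafka-upstream).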
@@ -0,0 +1,244 @@ +{ + "properties": { + "config": { + "properties": { + "authentication": { + "properties": { + "mechanism": { + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", + "enum": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "type": "string" + }, + "password": { + "description": "Password for SASL authentication.", + "type": "string" + }, + "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "enum": [ + "sasl" + ], + "type": "string" + }, + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication.", + "type": "boolean" + }, + "user": { + "description": "Username for SASL authentication.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "forward_body": { + "default": true, + "description": "Include the request body in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_headers": { + "default": false, + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_method": { + "default": false, + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_uri": { + "default": false, + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "Keepalive timeout in milliseconds.", + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + }, + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + }, + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + }, + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "enum": [ + -1, + 0, + 1 + ], + "type": "integer" + }, + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + }, + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single producer request.", + "type": "integer" + }, + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + }, + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + }, + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer" + }, + "security": { + "properties": { + "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string", + "uuid": true + }, + "ssl": { + "description": "Enables TLS.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topic": { + "description": "The Kafka topic to publish to.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/key-auth-enc/3.4.json b/json_schemas/key-auth-enc/3.4.json new file mode 100644 index 00000000..4feac78a --- /dev/null +++ b/json_schemas/key-auth-enc/3.4.json 
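Review bot: The `forward_headers` and `forward_body` descriptions do not mention that the forwarded message can carry client credentials. `forward_body` defaults to `true`, and enabling `forward_headers` would presumably copy headers such as `Authorization` and `Cookie` into the Kafka topic unless something strips them first, so the topic's ACLs and retention become part of the credential's exposure. I would append a sentence such as `Forwarded headers may include credentials; restrict access to the topic accordingly.` to `forward_headers`. Separately, the `cluster_name` text ends with `Logs will be sent to the leader of the cluster.`, which looks copied from kafka-log and does not fit a plugin that publishes requests.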
@@ -0,0 +1,110 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", + "type": "boolean" + }, + "key_in_body": { + "default": false, + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "key_in_header": { + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean" + }, + "key_in_query": { + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean" + }, + "key_names": { + "default": [ + "apikey" + ], + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. 
Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "items": { + "description": "A string representing an HTTP header name.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/key-auth/3.4.json b/json_schemas/key-auth/3.4.json new file mode 100644 index 00000000..b2ccc4be --- /dev/null 
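Review bot: The `key_in_body` description names the MIME type `application/www-form-urlencoded`, which is not a registered type; the form encoding is `application/x-www-form-urlencoded`. The same string appears in the `key_in_body` description of the key-auth schema that follows. The `key_names.items` description, `A string representing an HTTP header name.`, is also narrower than the parent text, which says the name is looked up in headers, the request body and the query string. Both are wording fixes that presumably belong in the schema source the API serves.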
+++ b/json_schemas/key-auth/3.4.json 
@@ -0,0 +1,110 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", + "type": "boolean" + }, + "key_in_body": { + "default": false, + "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "key_in_header": { + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean" + }, + "key_in_query": { + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean" + }, + "key_names": { + "default": [ + "apikey" + ], + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "items": { + "description": "A string representing an HTTP header name.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. 
If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/konnect-application-auth/3.4.json b/json_schemas/konnect-application-auth/3.4.json new file mode 100644 index 00000000..8caa5d3a --- /dev/null +++ b/json_schemas/konnect-application-auth/3.4.json 
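Review bot: The `key_in_query` description (default `true`) does not mention that an API key carried in the query string is typically recorded in access logs and by intermediaries, and with `hide_credentials` defaulting to `false` the key is also forwarded to the upstream service. I would extend the `key_in_query` description with a sentence such as `Keys sent in the query string can be recorded in logs and by intermediaries; prefer a header where possible.` The `key_names` item description says `A string representing an HTTP header name.`, although the field's own description calls these parameter names and they appear to be looked up in the query and body as well; `A string representing a key parameter name.` would match. In `key_in_body`, the MIME type `application/www-form-urlencoded` should read `application/x-www-form-urlencoded`. These texts are pulled from the plugin schema via the API, so the wording would need to be corrected at the source and downloaded again.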
@@ -0,0 +1,77 @@ +{ + "properties": { + "config": { + "properties": { + "auth_type": { + "default": "openid-connect", + "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth'.", + "enum": [ + "key-auth", + "openid-connect" + ], + "type": "string" + }, + "key_names": { + "default": [ + "apikey" + ], + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "items": { + "description": "A string representing an HTTP header name.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "scope": { + "description": "The unique scope identifier for the plugin configuration.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ldap-auth-advanced/3.4.json b/json_schemas/ldap-auth-advanced/3.4.json new file mode 100644 index 00000000..d84a3b6c --- /dev/null +++ b/json_schemas/ldap-auth-advanced/3.4.json 
@@ -0,0 +1,189 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "default": "", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "minLength": 0, + "type": "string" + }, + "attribute": { + "description": "Attribute to be used to search the user; e.g., \"cn\".", + "type": "string" + }, + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", + "type": "string" + }, + "bind_dn": { + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", + "type": "string" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", + "items": { + "enum": [ + "custom_id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_optional": { + "default": false, + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", + "type": "boolean" + }, + "group_base_dn": { + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", + "type": "string" + }, + "group_member_attribute": { + "default": "memberOf", + "description": "Sets the attribute holding the members of the LDAP group. 
This field is case-sensitive.", + "type": "string" + }, + "group_name_attribute": { + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", + "type": "string" + }, + "groups_required": { + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "header_type": { + "default": "ldap", + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. 
It will be removed by Kong before proxying the request.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" + }, + "ldap_host": { + "description": "Host on which the LDAP server is running.", + "type": "string" + }, + "ldap_password": { + "description": "The password to the LDAP server.", + "type": "string" + }, + "ldap_port": { + "default": 389, + "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", + "type": "number" + }, + "ldaps": { + "default": false, + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "type": "boolean" + }, + "log_search_results": { + "default": false, + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", + "type": "boolean" + }, + "start_tls": { + "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" + }, + "verify_ldap_host": { + "default": false, + "description": "Set to `true` to authenticate LDAP server. 
The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ldap-auth/3.4.json b/json_schemas/ldap-auth/3.4.json new file mode 100644 index 00000000..be31c67d --- /dev/null +++ b/json_schemas/ldap-auth/3.4.json 
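Review bot: With the defaults in this hunk (`ldaps: false`, `start_tls: false`, `verify_ldap_host: false`) the bind using `bind_dn`/`ldap_password` and the end user's credentials are sent to the LDAP server unencrypted and the server certificate is not checked, and none of the three descriptions says so. I would add to `verify_ldap_host` a sentence such as `When false, the LDAP server certificate is not validated, even if ldaps or start_tls is enabled.` (presumed behaviour, to be confirmed against the plugin) and state in `ldaps`/`start_tls` that one of the two should be enabled outside test setups. The `ldaps` description also says "If the `ldap` setting is enabled", which presumably means `ldaps`, and the `group_base_dn` description ends in a stray fragment `',dc=com'.` that looks like the remains of a truncated example. The same defaults and the same `ldap`/`ldaps` wording appear in the `ldap-auth` hunk that follows.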
@@ -0,0 +1,130 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`.", + "type": "string" + }, + "attribute": { + "description": "Attribute to be used to search the user; e.g. cn", + "type": "string" + }, + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", + "type": "string" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "header_type": { + "default": "ldap", + "description": "An optional string to use as part of the Authorization header", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" + }, + "ldap_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "ldap_port": { + "default": 389, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "ldaps": { + "default": false, + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "type": "boolean" + }, + "start_tls": { + "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. 
If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" + }, + "verify_ldap_host": { + "default": false, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/loggly/3.4.json b/json_schemas/loggly/3.4.json new file mode 100644 index 00000000..81d78b5b 
--- /dev/null +++ b/json_schemas/loggly/3.4.json 
@@ -0,0 +1,175 @@ +{ + "properties": { + "config": { + "properties": { + "client_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "host": { + "default": "logs-01.loggly.com", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "key": { + "type": "string" + }, + "log_level": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "port": { + "default": 514, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "server_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "successful_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "tags": { + "default": [ + "kong" + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "timeout": { + "default": 10000, + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/mocking/3.4.json b/json_schemas/mocking/3.4.json new file mode 100644 index 00000000..154ebb66 --- /dev/null +++ b/json_schemas/mocking/3.4.json 
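Review bot: `config.key` has no `description` in this hunk, and neither do `client_errors_severity`, `log_level`, `server_errors_severity`, `successful_severity`, `tags` and `timeout`, although the commit message says the descriptions were merged into the schemas. `key` is presumably the Loggly credential, so a description along the lines of `Loggly customer token; treat as a secret.` would help operators handle it accordingly. The `custom_fields_by_lua` description, `Lua code as a key-value map`, could state that the values are evaluated as Lua by the gateway, so that write access to this plugin's configuration is understood as the ability to run code there (inferred from the field name and description; confirm against the plugin). In the `consumer` description, `where the specified has been authenticated` is missing the word `consumer` and the parenthetical is followed by a doubled period; the same sentence appears in the `mocking` and `oas-validation` hunks.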
@@ -0,0 +1,119 @@ +{ + "properties": { + "config": { + "properties": { + "api_specification": { + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", + "type": "string" + }, + "api_specification_filename": { + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", + "type": "string" + }, + "included_status_codes": { + "description": "A global list of the HTTP status codes that can only be selected and returned.", + "items": { + "required": [ + + ], + "type": "integer" + }, + "type": "array" + }, + "max_delay_time": { + "default": 1, + "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", + "type": "number" + }, + "min_delay_time": { + "default": 0.001, + "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`.", + "type": "number" + }, + "random_delay": { + "default": false, + "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs.", + "type": "boolean" + }, + "random_examples": { + "default": false, + "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", + "type": "boolean" + }, + "random_status_code": { + "default": false, + "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. 
The default value is `false`, which means the minimum HTTP status code is always selected and returned.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/mtls-auth/3.4.json b/json_schemas/mtls-auth/3.4.json new file mode 100644 index 00000000..910e220b --- /dev/null +++ b/json_schemas/mtls-auth/3.4.json 
@@ -0,0 +1,169 @@ +{ + "properties": { + "config": { + "properties": { + "allow_partial_chain": { + "default": false, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "type": "boolean" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "authenticated_group_by": { + "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "enum": [ + "CN", + "DN" + ], + "type": "string" + }, + "ca_certificates": { + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. 
The value of this array is comprised of primary keys (`id`).", + "items": { + "required": [ + + ], + "type": "string", + "uuid": true + }, + "type": "array" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "cert_cache_ttl": { + "default": 60000, + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", + "type": "number" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "items": { + "enum": [ + "custom_id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "default_consumer": { + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "revocation_check_mode": { + "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. 
If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "enum": [ + "IGNORE_CA_ERROR", + "SKIP", + "STRICT" + ], + "type": "string" + }, + "send_ca_dn": { + "default": false, + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", + "type": "boolean" + }, + "skip_consumer_lookup": { + "default": false, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/oas-validation/3.4.json b/json_schemas/oas-validation/3.4.json new file mode 100644 index 00000000..e3168553 --- /dev/null +++ b/json_schemas/oas-validation/3.4.json 
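Review bot: `revocation_check_mode` defaults to `IGNORE_CA_ERROR`, which by its own description "doesn't fail on network issues", so a revoked client certificate is presumably accepted whenever the OCSP responder or CRL download cannot be reached; the description should state that consequence. Suggested addition: `With IGNORE_CA_ERROR a certificate whose revocation status cannot be fetched is accepted; use STRICT where revocation must be enforced.` In `ca_certificates.items`, `"uuid": true` is not a standard JSON Schema keyword as far as I can tell, so a generic validator would accept any string there; `"format": "uuid"` is the standard spelling where the validator's draft supports it and format checking is enabled.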
@@ -0,0 +1,145 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_header_parameters": { + "default": "Host,Content-Type,User-Agent,Accept,Content-Length", + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", + "type": "string" + }, + "api_spec": { + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format.", + "type": "string" + }, + "api_spec_encoded": { + "default": true, + "description": "Indicates whether the api_spec is URI-Encoded.", + "type": "boolean" + }, + "header_parameter_check": { + "default": false, + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", + "type": "boolean" + }, + "include_base_path": { + "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation.", + "type": "boolean" + }, + "notify_only_request_validation_failure": { + "default": false, + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", + "type": "boolean" + }, + "notify_only_response_body_validation_failure": { + "default": false, + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", + "type": "boolean" + }, + "query_parameter_check": { + "default": false, + "description": "If set to true, checks if query parameters in the request exist in the API 
specification.", + "type": "boolean" + }, + "validate_request_body": { + "default": true, + "description": "If set to true, validates the request body content against the API specification.", + "type": "boolean" + }, + "validate_request_header_params": { + "default": true, + "description": "If set to true, validates HTTP header parameters against the API specification.", + "type": "boolean" + }, + "validate_request_query_params": { + "default": true, + "description": "If set to true, validates query parameters against the API specification.", + "type": "boolean" + }, + "validate_request_uri_params": { + "default": true, + "description": "If set to true, validates URI parameters in the request against the API specification.", + "type": "boolean" + }, + "validate_response_body": { + "default": false, + "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", + "type": "boolean" + }, + "verbose_response": { + "default": false, + "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/oauth2-introspection/3.4.json b/json_schemas/oauth2-introspection/3.4.json new file mode 100644 index 00000000..64bc7359 --- /dev/null +++ b/json_schemas/oauth2-introspection/3.4.json 
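Review bot: The `verbose_response` description says the detailed error message "is useful while testing" but does not say that it should stay disabled in production, where validation details returned to the caller may reveal parts of the API specification. I would append `Leave disabled in production; detailed validation errors can reveal schema details to clients.` Similarly, `notify_only_request_validation_failure` and `notify_only_response_body_validation_failure` reduce validation to a notification, and their descriptions could say explicitly that invalid requests or responses are then passed through unchanged.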
@@ -0,0 +1,138 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "default": "", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "minLength": 0, + "type": "string" + }, + "authorization_value": { + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", + "type": "string" + }, + "consumer_by": { + "default": "username", + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", + "enum": [ + "client_id", + "username" + ], + "type": "string" + }, + "custom_claims_forward": { + "default": [ + + ], + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "custom_introspection_headers": { + "additionalProperties": true, + "description": "A list of custom headers to be added in the introspection request.", + "type": "object" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. 
It will be removed by Kong before proxying the request.", + "type": "boolean" + }, + "introspect_request": { + "default": false, + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", + "type": "boolean" + }, + "introspection_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "integer" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "integer" + }, + "token_type_hint": { + "description": "The `token_type_hint` value to associate to introspection requests.", + "type": "string" + }, + "ttl": { + "default": 30, + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/oauth2/3.4.json b/json_schemas/oauth2/3.4.json new file mode 100644 index 00000000..34faf0bb --- /dev/null +++ b/json_schemas/oauth2/3.4.json 
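Review bot: The `anonymous` description in `config` says "If empty (default null)", but the property declares `"default": ""`, so the text and the schema disagree about the default. One of the two should change, for example by rewording to `If empty (the default), the request fails with an authentication failure 4xx.` In the same object, `introspection_url` carries only the generic URL description. Something like `"description": "The URL of the OAuth 2.0 introspection endpoint that is queried to validate tokens."` would say what the field is for. Since the commit message says these files are pulled from the API, the wording probably has to be corrected in the plugin's upstream schema rather than here.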
@@ -0,0 +1,161 @@ +{ + "properties": { + "config": { + "properties": { + "accept_http_if_already_terminated": { + "default": false, + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", + "type": "boolean" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + }, + "auth_header_name": { + "default": "authorization", + "description": "The name of the header that is supposed to carry the access token.", + "type": "string" + }, + "enable_authorization_code": { + "default": false, + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", + "type": "boolean" + }, + "enable_client_credentials": { + "default": false, + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", + "type": "boolean" + }, + "enable_implicit_grant": { + "default": false, + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", + "type": "boolean" + }, + "enable_password_grant": { + "default": false, + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", + "type": "boolean" + }, + "global_credentials": { + "default": false, + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", + "type": "boolean" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "type": "boolean" + }, + "mandatory_scope": { + "default": false, + "description": "An 
optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", + "type": "boolean" + }, + "persistent_refresh_token": { + "default": false, + "type": "boolean" + }, + "pkce": { + "default": "lax", + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", + "enum": [ + "lax", + "none", + "strict" + ], + "type": "string" + }, + "provision_key": { + "description": "The unique key the plugin has generated when it has been added to the Service.", + "type": "string" + }, + "refresh_token_ttl": { + "default": 1209600, + "description": "Time-to-live value for data", + "maximum": 100000000, + "minimum": 0, + "type": "number" + }, + "reuse_refresh_token": { + "default": false, + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", + "type": "boolean" + }, + "scopes": { + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_expiration": { + "default": 7200, + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/opa/3.4.json b/json_schemas/opa/3.4.json new file mode 100644 index 00000000..58dc36d0 --- /dev/null +++ b/json_schemas/opa/3.4.json 
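Review bot: The four grant descriptions (`enable_authorization_code`, `enable_client_credentials`, `enable_implicit_grant`, `enable_password_grant`) cite "RFC 6742", but the OAuth 2.0 framework whose Sections 4.1 to 4.4 define these grants is RFC 6749. Each should read, for example, `(RFC 6749 Section 4.1)`. `persistent_refresh_token` has no description at all. `refresh_token_ttl` says only `Time-to-live value for data`, with no unit and no statement of what 0 means, which is thin for a setting that presumably controls how long a refresh token stays usable. Since the commit message says the schemas are downloaded from the API, these corrections most likely belong in the upstream plugin schema.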
@@ -0,0 +1,122 @@ +{ + "properties": { + "config": { + "properties": { + "include_body_in_opa_input": { + "default": false, + "type": "boolean" + }, + "include_consumer_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", + "type": "boolean" + }, + "include_parsed_json_body_in_opa_input": { + "default": false, + "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", + "type": "boolean" + }, + "include_route_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", + "type": "boolean" + }, + "include_service_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", + "type": "boolean" + }, + "include_uri_captures_in_opa_input": { + "default": false, + "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", + "type": "boolean" + }, + "opa_host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "opa_path": { + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "opa_port": { + "default": 8181, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "opa_protocol": { + "default": "http", + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", + "enum": [ + "http", + "https" + ], + "type": "string" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/openid-connect/3.4.json b/json_schemas/openid-connect/3.4.json new file mode 100644 index 00000000..f37bcc5b 
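Review bot: `include_body_in_opa_input` is the only `include_*` flag in `config` without a description, although it appears to control whether the raw request body is sent to the policy server. A line matching its siblings would close the gap, for example `"description": "If set to true, the raw request body is included as input to OPA."`, with the wording to be confirmed against the plugin. The `ssl_verify` text could also state that it applies only when `opa_protocol` is `https`, because `opa_protocol` defaults to `http` and a reader may otherwise assume the default `ssl_verify: true` protects the connection. Both are description-only changes, and as the commit pulls these files from the API they would need to be made in the upstream schema.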
--- /dev/null +++ b/json_schemas/openid-connect/3.4.json 
@@ -0,0 +1,1846 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "audience": { + "description": "The audience passed to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "audience_claim": { + "default": [ + "aud" + ], + "description": "The claim that contains the audience.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "audience_required": { + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "auth_methods": { + "default": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "description": "Types of credentials/grants to enable.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authenticated_groups_claim": { + "description": "The claim that contains authenticated groups. 
This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", + "type": "string" + }, + "authorization_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "authorization_cookie_name": { + "default": "authorization", + "description": "The authorization cookie name.", + "type": "string" + }, + "authorization_cookie_path": { + "default": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "authorization_cookie_same_site": { + "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "authorization_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "authorization_query_args_client": { + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_names": { + "description": "Extra query argument names passed to the authorization endpoint.", + "items": { + 
"required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_values": { + "description": "Extra query argument values passed to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authorization_rolling_timeout": { + "default": 600, + "description": "Network IO timeout in milliseconds.", + "type": "number" + }, + "bearer_token_cookie_name": { + "description": "The name of the cookie in which the bearer token is passed.", + "type": "string" + }, + "bearer_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`", + "items": { + "enum": [ + "body", + "cookie", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "by_username_ignore_case": { + "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "type": "boolean" + }, + "cache_introspection": { + "default": true, + "description": "Cache the introspection endpoint requests.", + "type": "boolean" + }, + "cache_token_exchange": { + "default": true, + "description": "Cache the token exchange endpoint requests.", + "type": "boolean" + }, + "cache_tokens": { + "default": true, + "description": "Cache the token endpoint requests.", + "type": "boolean" + }, + "cache_tokens_salt": { + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "type": "string" + }, + "cache_ttl": { + "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "type": "number" + }, + "cache_ttl_max": { + 
"description": "The maximum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_min": { + "description": "The minimum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_neg": { + "description": "The negative cache ttl in seconds.", + "type": "number" + }, + "cache_ttl_resurrect": { + "description": "The resurrection ttl in seconds.", + "type": "number" + }, + "cache_user_info": { + "default": true, + "description": "Cache the user info requests.", + "type": "boolean" + }, + "client_alg": { + "items": { + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS384", + "RS512" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_arg": { + "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "type": "string" + }, + "client_auth": { + "description": "The authentication method used by the client (plugin) when calling the endpoint.", + "items": { + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_credentials_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_jwk": { + "items": { + "properties": { + "alg": { + "type": "string" + 
}, + "crv": { + "type": "string" + }, + "d": { + "type": "string" + }, + "dp": { + "type": "string" + }, + "dq": { + "type": "string" + }, + "e": { + "type": "string" + }, + "issuer": { + "type": "string" + }, + "k": { + "type": "string" + }, + "key_ops": { + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "kid": { + "type": "string" + }, + "kty": { + "type": "string" + }, + "n": { + "type": "string" + }, + "oth": { + "type": "string" + }, + "p": { + "type": "string" + }, + "q": { + "type": "string" + }, + "qi": { + "type": "string" + }, + "r": { + "type": "string" + }, + "t": { + "type": "string" + }, + "use": { + "type": "string" + }, + "x": { + "type": "string" + }, + "x5c": { + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "x5t": { + "type": "string" + }, + "x5t#S256": { + "type": "string" + }, + "x5u": { + "type": "string" + }, + "y": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "type": "array" + }, + "client_secret": { + "description": "The client secret.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_claim": { + "description": "The claim used for consumer mapping.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_optional": { + "default": false, + "description": "Do not terminate the request if consumer mapping fails.", + "type": "boolean" + }, + "credential_claim": { + "default": [ + "sub" + ], + "description": "The claim used to 
derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "disable_session": { + "description": "Disable issuing the session cookie with the specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_names": { + "description": "Extra header names passed to the discovery endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_values": { + "description": "Extra header values passed to the discovery endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "display_errors": { + "default": false, + "description": "Display errors on failure responses.", + "type": "boolean" + }, + "domains": { + "description": "The allowed values for the `hd` claim.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "downstream_access_token_header": { + "description": "The downstream access token header.", + "type": "string" + }, + "downstream_access_token_jwk_header": { + "description": "The downstream access token JWK header.", + "type": "string" + }, + "downstream_headers_claims": { + "description": "The downstream header claims.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "downstream_headers_names": { + "description": "The downstream header names for the claim values.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "downstream_id_token_header": { + "description": "The downstream id token header.", + "type": "string" + }, + "downstream_id_token_jwk_header": { + "description": "The downstream 
id token JWK header.", + "type": "string" + }, + "downstream_introspection_header": { + "description": "The downstream introspection header.", + "type": "string" + }, + "downstream_introspection_jwt_header": { + "type": "string" + }, + "downstream_refresh_token_header": { + "description": "The downstream refresh token header.", + "type": "string" + }, + "downstream_session_id_header": { + "description": "The downstream session id header.", + "type": "string" + }, + "downstream_user_info_header": { + "description": "The downstream user info header.", + "type": "string" + }, + "downstream_user_info_jwt_header": { + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "enable_hs_signatures": { + "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "type": "boolean" + }, + "end_session_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "expose_error_code": { + "default": true, + "type": "boolean" + }, + "extra_jwks_uris": { + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "forbidden_destroy_session": { + "default": true, + "description": "Destroy any active session for the forbidden requests.", + "type": "boolean" + }, + "forbidden_error_message": { + "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection).", + "type": "string" + }, + "forbidden_redirect_uri": { + "description": "Where to redirect the client on forbidden requests.", + "items": { + "description": "A string representing a URL, such as 
https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "groups_claim": { + "default": [ + "groups" + ], + "description": "The claim that contains the groups.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "groups_required": { + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "hide_credentials": { + "default": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "type": "boolean" + }, + "http_proxy": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The HTTP proxy authorization.", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0", + "type": "number" + }, + "https_proxy": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The HTTPS proxy authorization.", + "type": "string" + }, + "id_token_param_name": { + "description": "The name of the parameter used to pass the id token.", + "type": "string" + }, + "id_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", + "items": { + 
"enum": [ + "body", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ignore_signature": { + "default": [ + + ], + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "introspection", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspect_jwt_tokens": { + "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "type": "boolean" + }, + "introspection_accept": { + "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)", + "enum": [ + "application/json", + "application/jwt", + "application/token-introspection+jwt" + ], + "type": "string" + }, + "introspection_check_active": { + "default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "type": "boolean" + }, + "introspection_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "introspection_endpoint_auth_method": { + "description": "The introspection endpoint authentication method: - `client_secret_basic`: send `client_id` and 
`client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt" + ], + "type": "string" + }, + "introspection_headers_client": { + "description": "Extra headers passed from the client to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_names": { + "description": "Extra header names passed to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_values": { + "description": "Extra header values passed to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_hint": { + "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "type": "string" + }, + "introspection_post_args_client": { + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_names": { + "description": "Extra post argument names passed to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_values": { + "description": "Extra post argument values passed to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "issuer": { + "description": "A string representing a URL, such as 
https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "issuers_allowed": { + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "jwt_session_claim": { + "default": "sid", + "description": "The claim to match against the JWT session cookie.", + "type": "string" + }, + "jwt_session_cookie": { + "description": "The name of the JWT session cookie.", + "type": "string" + }, + "keepalive": { + "default": true, + "description": "Use keepalive with the HTTP client.", + "type": "boolean" + }, + "leeway": { + "default": 0, + "description": "Allow some leeway (in seconds) on the ttl / expiry verification.", + "type": "number" + }, + "login_action": { + "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location", + "enum": [ + "redirect", + "response", + "upstream" + ], + "type": "string" + }, + "login_methods": { + "default": [ + "authorization_code" + ], + "description": "Enable login functionality with specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "login_redirect_mode": { + "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)", + "enum": [ + "fragment", + "query" + ], + "type": "string" + }, + "login_redirect_uri": { + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "items": { + "description": "A string representing a URL, such as 
https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "login_tokens": { + "default": [ + "id_token" + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response", + "items": { + "enum": [ + "access_token", + "id_token", + "introspection", + "refresh_token", + "tokens" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "logout_methods": { + "default": [ + "DELETE", + "POST" + ], + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method", + "items": { + "enum": [ + "DELETE", + "GET", + "POST" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "logout_post_arg": { + "description": "The request body argument that activates the logout.", + "type": "string" + }, + "logout_query_arg": { + "description": "The request query argument that activates the logout.", + "type": "string" + }, + "logout_redirect_uri": { + "description": "Where to redirect the client after the logout.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "logout_revoke": { + "default": false, + "description": "Revoke tokens as part of the logout.", + "type": "boolean" + }, + "logout_revoke_access_token": { + "default": true, + "description": "Revoke the access token as part of the logout.", + "type": "boolean" + }, + "logout_revoke_refresh_token": { + "default": true, + "description": "Revoke the refresh token as part of the logout.", + "type": "boolean" + }, + "logout_uri_suffix": { + "description": "The 
request URI suffix that activates the logout.", + "type": "string" + }, + "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "type": "number" + }, + "no_proxy": { + "description": "Do not use proxy with these hosts.", + "type": "string" + }, + "password_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "preserve_query_args": { + "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "type": "boolean" + }, + "redirect_uri": { + "description": "The redirect URI passed to the authorization and token endpoints.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "rediscovery_lifetime": { + "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. 
Discovery is still triggered on an as-needed basis.", + "type": "number" + }, + "refresh_token_param_name": { + "description": "The name of the parameter used to pass the refresh token.", + "type": "string" + }, + "refresh_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "refresh_tokens": { + "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "type": "boolean" + }, + "resolve_distributed_claims": { + "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. 
If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "type": "boolean" + }, + "response_mode": { + "default": "query", + "description": "The response mode passed to the authorization endpoint: - `query`: Instructs the identity provider to pass parameters in query string - `form_post`: Instructs the identity provider to pass parameters in request body - `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)", + "enum": [ + "form_post", + "fragment", + "query" + ], + "type": "string" + }, + "response_type": { + "default": [ + "code" + ], + "description": "The response type passed to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "reverify": { + "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", + "type": "boolean" + }, + "revocation_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "revocation_endpoint_auth_method": { + "description": "The revocation endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt" + ], + "type": "string" + }, + "roles_claim": { + "default": [ + "roles" + ], + "description": "The claim that contains the roles.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "roles_required": { + "description": "The 
roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "run_on_preflight": { + "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "type": "boolean" + }, + "scopes": { + "default": [ + "openid" + ], + "description": "The scopes passed to the authorization and token endpoints.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "scopes_claim": { + "default": [ + "scope" + ], + "description": "The claim that contains the scopes.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "scopes_required": { + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "search_user_info": { + "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "type": "boolean" + }, + "session_absolute_timeout": { + "default": 86400, + "description": "Network IO timeout in milliseconds.", + "type": "number" + }, + "session_audience": { + "default": "default", + "description": "The session audience, which is the intended target application. 
For example `\"my-application\"`.", + "type": "string" + }, + "session_cookie_domain": { + "description": "The session cookie Domain flag.", + "type": "string" + }, + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "type": "string" + }, + "session_cookie_path": { + "default": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "session_cookie_same_site": { + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean" + }, + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean" + }, + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", + "type": "boolean" + }, + "session_idling_timeout": { + "default": 900, + "description": "Network IO timeout in milliseconds.", + "type": "number" + }, + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "type": "string" + }, + "session_memcached_port": { + "default": 11211, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "type": "string" + }, + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "type": "string" + }, + "session_redis_cluster_max_redirections": { + "description": "The Redis cluster maximum redirects.", + "type": "integer" + }, + "session_redis_cluster_nodes": { + "description": "The Redis cluster node host. Takes an array of host records, with either `ip` or `host`, and `port` values.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "type": "array" + }, + "session_redis_connect_timeout": { + "description": "Network IO timeout in milliseconds.", + "type": "integer" + }, + "session_redis_host": { + "default": "127.0.0.1", + "description": "The Redis host", + "type": "string" + }, + "session_redis_password": { + "description": "Password to use for Redis connection when the `redis` session storage is defined. 
If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "session_redis_port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_redis_prefix": { + "description": "The Redis session key prefix.", + "type": "string" + }, + "session_redis_read_timeout": { + "description": "Network IO timeout in milliseconds.", + "type": "integer" + }, + "session_redis_send_timeout": { + "description": "Network IO timeout in milliseconds.", + "type": "integer" + }, + "session_redis_server_name": { + "description": "The SNI used for connecting the Redis server.", + "type": "string" + }, + "session_redis_socket": { + "description": "The Redis unix socket path.", + "type": "string" + }, + "session_redis_ssl": { + "default": false, + "description": "Use SSL/TLS for Redis connection.", + "type": "boolean" + }, + "session_redis_ssl_verify": { + "default": false, + "description": "Verify identity provider server certificate.", + "type": "boolean" + }, + "session_redis_username": { + "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "type": "string" + }, + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean" + }, + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Network IO timeout in milliseconds.", + "type": "number" + }, + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. 
Use with the `remember` configuration parameter.", + "type": "string" + }, + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Network IO timeout in milliseconds.", + "type": "number" + }, + "session_request_headers": { + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "session_response_headers": { + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "session_rolling_timeout": { + "default": 3600, + "description": "Network IO timeout in milliseconds.", + "type": "number" + }, + "session_secret": { + "description": "The session secret.", + "type": "string" + }, + "session_storage": { + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis", + "enum": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "type": "string" + }, + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. 
This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "Verify identity provider server certificate.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network IO timeout in milliseconds.", + "type": "number" + }, + "token_cache_key_include_scope": { + "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean" + }, + "token_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "token_endpoint_auth_method": { + "description": "The token endpoint authentication method: - `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header - `client_secret_post`: send `client_id` and `client_secret` as part of the body - `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body - `private_key_jwt`: send client assertion signed with the `private key` as part of the body - `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt" + ], + "type": "string" + }, + "token_exchange_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "token_headers_client": { + "description": "Extra headers passed from the client to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_grants": { + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with 
authorization code flow - `refresh_token` with refresh token grant", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "password", + "refresh_token" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_names": { + "description": "Extra header names passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "type": "string" + }, + "token_headers_replay": { + "description": "The names of token endpoint response headers to forward to the downstream client.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_values": { + "description": "Extra header values passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_post_args_client": { + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. 
If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_post_args_names": { + "description": "Extra post argument names passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_post_args_values": { + "description": "Extra post argument values passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "unauthorized_destroy_session": { + "default": true, + "description": "Destroy any active session for the unauthorized requests.", + "type": "boolean" + }, + "unauthorized_error_message": { + "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection).", + "type": "string" + }, + "unauthorized_redirect_uri": { + "description": "Where to redirect the client on unauthorized requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "unexpected_redirect_uri": { + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "upstream_access_token_header": { + "default": "authorization:bearer", + "description": "The upstream access token header.", + "type": "string" + }, + "upstream_access_token_jwk_header": { + "description": "The upstream 
access token JWK header.", + "type": "string" + }, + "upstream_headers_claims": { + "description": "The upstream header claims.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "upstream_headers_names": { + "description": "The upstream header names for the claim values.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "upstream_id_token_header": { + "description": "The upstream id token header.", + "type": "string" + }, + "upstream_id_token_jwk_header": { + "description": "The upstream id token JWK header.", + "type": "string" + }, + "upstream_introspection_header": { + "description": "The upstream introspection header.", + "type": "string" + }, + "upstream_introspection_jwt_header": { + "type": "string" + }, + "upstream_refresh_token_header": { + "description": "The upstream refresh token header.", + "type": "string" + }, + "upstream_session_id_header": { + "description": "The upstream session id header.", + "type": "string" + }, + "upstream_user_info_header": { + "description": "The upstream user info header.", + "type": "string" + }, + "upstream_user_info_jwt_header": { + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "userinfo_accept": { + "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)", + "enum": [ + "application/json", + "application/jwt" + ], + "type": "string" + }, + "userinfo_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "userinfo_headers_client": { + "description": "Extra headers passed from the client to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + 
"userinfo_headers_names": { + "description": "Extra header names passed to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_values": { + "description": "Extra header values passed to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_client": { + "description": "Extra query arguments passed from the client to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_names": { + "description": "Extra query argument names passed to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_values": { + "description": "Extra query argument values passed to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "using_pseudo_issuer": { + "default": false, + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL.", + "type": "boolean" + }, + "verify_claims": { + "default": true, + "description": "Verify tokens for standard claims.", + "type": "boolean" + }, + "verify_nonce": { + "default": true, + "description": "Verify nonce on authorization code flow.", + "type": "boolean" + }, + "verify_parameters": { + "default": false, + "description": "Verify plugin configuration against discovery.", + "type": "boolean" + }, + "verify_signature": { + "default": true, + "description": "Verify signature of tokens.", + "type": "boolean" + } + }, + "required": [ + + ], + "shorthand_fields": { + "authorization_cookie_httponly": { + "type": "boolean" + }, + "authorization_cookie_lifetime": { + "type": "number" + }, + "authorization_cookie_samesite": { + "type": "string" + }, + "session_compressor": { + "type": "string" + }, + "session_cookie_httponly": { + "type": "boolean" + }, + "session_cookie_idletime": { + "type": "number" + }, + "session_cookie_lifetime": { + "type": "number" + }, + "session_cookie_maxsize": { + "type": "integer" + }, + "session_cookie_renew": { + "type": "number" + }, + "session_cookie_samesite": { + "type": "string" + }, + "session_memcache_host": { + "type": "string" + }, + "session_memcache_port": { + "type": "integer" + }, + "session_memcache_prefix": { + "type": "string" + }, + "session_memcache_socket": { + "type": "string" + }, + "session_redis_cluster_maxredirections": { + "type": "integer" + }, + "session_strategy": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests 
via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/opentelemetry/3.4.json b/json_schemas/opentelemetry/3.4.json new file mode 100644 index 00000000..423c1bc6 --- /dev/null +++ b/json_schemas/opentelemetry/3.4.json 
@@ -0,0 +1,191 @@ +{ + "properties": { + "config": { + "properties": { + "batch_flush_delay": { + "description": "The delay, in seconds, between two consecutive batches.", + "type": "integer" + }, + "batch_span_count": { + "description": "The number of spans to be sent in a single batch.", + "type": "integer" + }, + "connect_timeout": { + "default": 1000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "header_type": { + "default": "preserve", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "ignore", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "type": "string" + }, + "headers": { + "additionalProperties": true, + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", + "type": "object" + }, + "http_response_header_for_traceid": { + "type": "string" + }, + "queue": { + "default": { + "max_batch_size": 200 + }, + "properties": { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, 
+ "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "resource_attributes": { + "additionalProperties": true, + "type": "object" + }, + "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/post-function/3.4.json b/json_schemas/post-function/3.4.json new file mode 100644 index 00000000..fda803ac --- /dev/null +++ b/json_schemas/post-function/3.4.json 
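Review bot: `config.headers` is described as the place for the APM backend's authentication token, but the schema declares it only as `"type": "object"` with `"additionalProperties": true`, so nothing tells a reader that its values are credentials stored in plugin configuration. I would extend the description with something like `Values may contain credentials; supply them through a secret reference rather than a literal where the deployment supports it.` Whether this field accepts references is not visible in this file, so confirm that before wording it so firmly. In the same file `header_type`, `http_response_header_for_traceid`, `queue` and `resource_attributes` have no `description` at all, and the `consumer` description reads "where the specified has been authenticated", which looks like a dropped word. Since the file is pulled from the API, these need fixing in the source schema rather than here.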
@@ -0,0 +1,190 @@ +{ + "properties": { + "config": { + "properties": { + "access": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "body_filter": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "certificate": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "header_filter": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "log": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "rewrite": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_client_frame": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_close": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_handshake": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_upstream_frame": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/pre-function/3.4.json b/json_schemas/pre-function/3.4.json new file mode 100644 index 00000000..fda803ac --- /dev/null +++ b/json_schemas/pre-function/3.4.json 
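Review bot: None of the ten phase arrays under `config` in post-function (`access`, `body_filter`, `certificate`, `header_filter`, `log`, `rewrite` and the four `ws_*` entries) has a `description`, although the commit message says the descriptions now live in the schemas; the pre-function schema that follows is identical and has the same gap. These plugins take Lua source in those arrays and run it inside the gateway, so a reader working from the schema alone sees only an anonymous list of strings and no hint that write access to this field amounts to code execution on the proxy. Each entry should carry text along the lines of `"description": "Array of Lua code strings to run in sequence during the access phase."`, adjusted per phase. As the files are pulled from the API, the wording has to be added to the plugin schema upstream and the files downloaded again.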
@@ -0,0 +1,190 @@ +{ + "properties": { + "config": { + "properties": { + "access": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "body_filter": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "certificate": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "header_filter": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "log": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "rewrite": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_client_frame": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_close": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_handshake": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_upstream_frame": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/prometheus/3.4.json b/json_schemas/prometheus/3.4.json new file mode 100644 index 00000000..81dcebfe --- /dev/null +++ b/json_schemas/prometheus/3.4.json 
@@ -0,0 +1,108 @@ +{ + "properties": { + "config": { + "properties": { + "bandwidth_metrics": { + "default": false, + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", + "type": "boolean" + }, + "latency_metrics": { + "default": false, + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", + "type": "boolean" + }, + "per_consumer": { + "default": false, + "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", + "type": "boolean" + }, + "status_code_metrics": { + "default": false, + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", + "type": "boolean" + }, + "upstream_health_metrics": { + "default": false, + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/proxy-cache-advanced/3.4.json b/json_schemas/proxy-cache-advanced/3.4.json new file mode 100644 index 00000000..87bf59fd --- /dev/null +++ b/json_schemas/proxy-cache-advanced/3.4.json 
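Review bot: The descriptions of `bandwidth_metrics`, `latency_metrics` and `upstream_health_metrics` in the prometheus schema all open with "determines if status code metrics should be collected", a sentence that fits only `status_code_metrics`. The second sentence of each description names the right metrics, so this looks like a copy-paste slip in the first sentence. Suggested openings are `"A boolean value that determines if bandwidth metrics should be collected."`, `"A boolean value that determines if latency metrics should be collected."` and `"A boolean value that determines if upstream health metrics should be collected."`. An operator deciding what to expose on a scrape endpoint reads these lines, so they should say what each switch turns on.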
@@ -0,0 +1,321 @@ +{ + "properties": { + "config": { + "properties": { + "bypass_on_err": { + "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "type": "boolean" + }, + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities.", + "minimum": 0, + "type": "integer" + }, + "content_type": { + "default": [ + "application/json", + "text/plain" + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ignore_uri_case": { + "default": false, + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", + "type": "boolean" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "redis": { + "properties": { + "cluster_addresses": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. 
The minimum length of the array is 1 element.", + "items": { + "required": [ + + ], + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 30, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_addresses": { + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "items": { + "required": [ + + ], + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "request_method": { + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", + "items": { + "enum": [ + "GET", + "HEAD", + "PATCH", + "POST", + "PUT" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "response_code": { + "default": [ + 200, + 301, + 404 + ], + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", + "items": { + "maximum": 900, + "minimum": 100, + "required": [ + + ], + "type": "integer" + }, + "minLength": 1, + "type": "array" + }, + "storage_ttl": { + "description": "Number of seconds to keep resources in the storage backend. 
This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" + }, + "strategy": { + "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", + "enum": [ + "memory", + "redis" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/proxy-cache/3.4.json b/json_schemas/proxy-cache/3.4.json new file mode 100644 index 00000000..f48f4d18 --- /dev/null +++ b/json_schemas/proxy-cache/3.4.json 
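Review bot: `cluster_addresses`, `sentinel_addresses` and `response_code` in the proxy-cache-advanced schema are declared `"type": "array"` but constrained with `"minLength": 1`, which JSON Schema applies to strings only. A validator therefore accepts an empty array even though the descriptions state "The minimum length of the array is 1 element." The keyword should be `"minItems": 1`. The same pattern appears on `response_code` in the proxy-cache schema and on the `redis` address arrays in rate-limiting-advanced. If the files are regenerated from the API, the mapping that emits the keyword needs the fix rather than these files.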
@@ -0,0 +1,195 @@ +{ + "properties": { + "config": { + "properties": { + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL, in seconds, of cache entities.", + "minimum": 0, + "type": "integer" + }, + "content_type": { + "default": [ + "application/json", + "text/plain" + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ignore_uri_case": { + "default": false, + "type": "boolean" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "request_method": { + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable.", + "items": { + "enum": [ + "GET", + "HEAD", + "PATCH", + "POST", + "PUT" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "response_code": { + "default": [ + 200, + 301, + 404 + ], + "description": "Upstream response status code considered cacheable.", + "items": { + "maximum": 900, + "minimum": 100, + "required": [ + + ], + "type": "integer" + }, + "minLength": 1, + "type": "array" + }, + "storage_ttl": { + "description": "Number of seconds to keep resources in the storage backend. 
This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" + }, + "strategy": { + "description": "The backing data store in which to hold cache entities.", + "enum": [ + "memory" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/rate-limiting-advanced/3.4.json b/json_schemas/rate-limiting-advanced/3.4.json new file mode 100644 index 00000000..a9e577bf --- /dev/null +++ b/json_schemas/rate-limiting-advanced/3.4.json 
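Review bot: `ignore_uri_case` in the proxy-cache schema is the only `config` property without a `description`. The proxy-cache-advanced schema in this same patch documents the field, and if the behaviour is the same here the text can be reused: `"description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI."`. The setting changes how cache keys are derived, so it should not be left for the reader to guess.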
@@ -0,0 +1,329 @@ +{ + "properties": { + "config": { + "properties": { + "consumer_groups": { + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "type": "string" + }, + "disable_penalty": { + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", + "type": "boolean" + }, + "enforce_consumer_groups": { + "default": false, + "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. 
You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", + "type": "boolean" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "minimum": 0, + "type": "number" + }, + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" + }, + "identifier": { + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, or `path`.", + "enum": [ + "consumer", + "credential", + "header", + "ip", + "path", + "service" + ], + "type": "string" + }, + "limit": { + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "items": { + "required": [ + + ], + "type": "number" + }, + "type": "array" + }, + "namespace": { + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace.", + "type": "string" + }, + "path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "redis": { + "properties": { + "cluster_addresses": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", + "items": { + "required": [ + + ], + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued connect operations resume once the number of connections in the pool is less than `keepalive_pool_size`. Note that queued connect operations are subject to set timeouts.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 30, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_addresses": { + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", + "items": { + "required": [ + + ], + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + }, + "strategy": { + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. 
A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + }, + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "items": { + "required": [ + + ], + "type": "number" + }, + "type": "array" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/rate-limiting/3.4.json b/json_schemas/rate-limiting/3.4.json new file mode 100644 index 00000000..3599a7b2 --- /dev/null +++ b/json_schemas/rate-limiting/3.4.json 
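Review bot: In the `redis` block of rate-limiting-advanced, `ssl` and `ssl_verify` both default to `false` while `password` and `sentinel_password` are accepted next to them, and none of the descriptions says what that combination means. With the defaults the AUTH credentials cross the network unencrypted, and with only `ssl` enabled the server certificate is still not checked. The `ssl` description could be extended to `"If set to true, uses SSL to connect to Redis. With the default of false, Redis credentials are sent unencrypted; enable ssl_verify as well so the server certificate is validated."`. The `redis` block in proxy-cache-advanced has the same defaults and wording, and `redis_ssl` / `redis_ssl_verify` in the rate-limiting schema that follows also default to `false`.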
@@ -0,0 +1,208 @@ +{ + "properties": { + "config": { + "properties": { + "day": { + "description": "The number of HTTP requests that can be made per day.", + "minimum": 0, + "type": "number" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "minimum": 0, + "type": "number" + }, + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "fault_tolerant": { + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", + "type": "boolean" + }, + "header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers.", + "type": "boolean" + }, + "hour": { + "description": "The number of HTTP requests that can be made per hour.", + "minimum": 0, + "type": "number" + }, + "limit_by": { + "default": "consumer", + "description": "The entity that is used when aggregating the limits.", + "enum": [ + "consumer", + "credential", + "header", + "ip", + "path", + "service" + ], + "type": "string" + }, + "minute": { + "description": "The number of HTTP requests that can be made per minute.", + "minimum": 0, + "type": "number" + }, + "month": { + "description": "The number of HTTP requests that can be made per month.", + "minimum": 0, + "type": "number" + }, + "path": { + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "policy": { + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "enum": [ + "cluster", + "local", + "redis" + ], + "minLength": 0, + "type": "string" + }, + "redis_database": { + "default": 0, + "description": "When using the `redis` policy, this property specifies the Redis database to use.", + "type": "integer" + }, + "redis_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "redis_password": { + "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", + "minLength": 0, + "type": "string" + }, + "redis_port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "redis_server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "redis_ssl": { + "default": false, + "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server.", + "type": "boolean" + }, + "redis_ssl_verify": { + "default": false, + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies it server SSL certificate is validated. Note that you need to configure the lua_ssl_trusted_certificate to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure lua_ssl_verify_depth accordingly.", + "type": "boolean" + }, + "redis_timeout": { + "default": 2000, + "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server.", + "type": "number" + }, + "redis_username": { + "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.", + "type": "string" + }, + "second": { + "description": "The number of HTTP requests that can be made per second.", + "minimum": 0, + "type": "number" + }, + "sync_rate": { + "default": -1, + "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior.", + "type": "number" + }, + "year": { + "description": "The number of HTTP requests that can be made per year.", + "minimum": 0, + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/request-size-limiting/3.4.json b/json_schemas/request-size-limiting/3.4.json new file mode 100644 index 00000000..5259ed13 --- /dev/null +++ b/json_schemas/request-size-limiting/3.4.json 
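Review bot: In `config.redis_ssl_verify` the description reads "specifies it server SSL certificate is validated" and does not say what the `false` default implies: with `redis_ssl` on and verification off, the Redis server's certificate is not checked, so the connection that carries `redis_password` is encrypted but the peer is not authenticated. I would correct the wording to `specifies if the server SSL certificate is validated` and add `Set to true whenever redis_ssl is enabled.`; the response-ratelimiting schema further down this patch has the same `false` default. Also in this hunk, `error_code` is a `number` with only `"minimum": 0`, while request-termination's `status_code` is an `integer` bounded to 100–599, and the same bounds would seem to fit here. As the file is pulled from the API, these changes presumably belong in the upstream plugin schema.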
@@ -0,0 +1,96 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_payload_size": { + "default": 128, + "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", + "type": "integer" + }, + "require_content_length": { + "default": false, + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", + "type": "boolean" + }, + "size_unit": { + "default": "megabytes", + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", + "enum": [ + "bytes", + "kilobytes", + "megabytes" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/request-termination/3.4.json b/json_schemas/request-termination/3.4.json new file mode 100644 index 00000000..b8472b1d --- /dev/null +++ b/json_schemas/request-termination/3.4.json 
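Review bot: `config.allowed_payload_size` is described as "in megabytes" although `size_unit` in the same object allows `bytes` or `kilobytes`, and the integer has no `minimum`, so zero or a negative limit passes schema validation. I would reword the description to `Allowed request payload size, in the unit given by size_unit (megabytes by default).` and add `"minimum": 0` (or 1, if the plugin treats 0 as invalid, which is not visible here). As the file is downloaded from the API, the change presumably belongs in the upstream plugin schema.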
@@ -0,0 +1,104 @@ +{ + "properties": { + "config": { + "properties": { + "body": { + "description": "The raw response body to send. This is mutually exclusive with the `config.message` field.", + "type": "string" + }, + "content_type": { + "description": "Content type of the raw response configured with `config.body`.", + "type": "string" + }, + "echo": { + "default": false, + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", + "type": "boolean" + }, + "message": { + "description": "The message to send, if using the default response generator.", + "type": "string" + }, + "status_code": { + "default": 503, + "description": "The response code to send. Must be an integer between 100 and 599.", + "maximum": 599, + "minimum": 100, + "type": "integer" + }, + "trigger": { + "description": "A string representing an HTTP header name.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/request-transformer-advanced/3.4.json b/json_schemas/request-transformer-advanced/3.4.json new file mode 100644 index 00000000..6c9653b2 --- /dev/null +++ b/json_schemas/request-transformer-advanced/3.4.json 
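Review bot: The `config.echo` description suggests use on live systems but does not mention that a copy of the request returned to the client can contain whatever the request carried, which may include credentials in headers. `config.trigger`, which that description names as the way to avoid disturbing real traffic, is documented only as "A string representing an HTTP header name." I would extend `echo` with a sentence such as `The echoed request may contain sensitive headers; restrict it with trigger and disable it after debugging.` and have `trigger` state how it affects plugin activation. What exactly is echoed is not visible in this schema, so the wording should be checked against the plugin.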
@@ -0,0 +1,390 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "allow": { + "properties": { + "body": { + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "append": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "dots_in_keys": { + "default": true, + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects).", + "type": "boolean" + }, + "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. 
The string must contain only uppercase letters.", + "pattern": "^[A-Z]+$", + "type": "string" + }, + "remove": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "rename": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "replace": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "uri": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/request-transformer/3.4.json b/json_schemas/request-transformer/3.4.json new file mode 100644 index 00000000..ce375bb6 --- /dev/null +++ b/json_schemas/request-transformer/3.4.json 
@@ -0,0 +1,328 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "append": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. 
The string must contain only uppercase letters.", + "pattern": "^[A-Z]+$", + "type": "string" + }, + "remove": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "rename": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "replace": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "uri": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/request-validator/3.4.json b/json_schemas/request-validator/3.4.json new file mode 100644 index 00000000..5aeff6f7 --- /dev/null 
+++ b/json_schemas/request-validator/3.4.json 
@@ -0,0 +1,159 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_content_types": { + "default": [ + "application/json" + ], + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "body_schema": { + "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.", + "type": "string" + }, + "parameter_schema": { + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", + "items": { + "properties": { + "explode": { + "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect.", + "type": "boolean" + }, + "in": { + "description": "The location of the parameter.", + "enum": [ + "header", + "path", + "query" + ], + "type": "string" + }, + "name": { + "description": "The name of the parameter. Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`.", + "type": "string" + }, + "required": { + "description": "Determines whether this parameter is mandatory.", + "type": "boolean" + }, + "schema": { + "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. 
In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating.", + "type": "string" + }, + "style": { + "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", + "enum": [ + "deepObject", + "form", + "label", + "matrix", + "pipeDelimited", + "simple", + "spaceDelimited" + ], + "type": "string" + } + }, + "required": [ + "in", + "name", + "required" + ], + "type": "object" + }, + "type": "array" + }, + "verbose_response": { + "default": false, + "description": "If enabled, the plugin returns more verbose and detailed validation errors.", + "type": "boolean" + }, + "version": { + "default": "kong", + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", + "enum": [ + "draft4", + "kong" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/response-ratelimiting/3.4.json b/json_schemas/response-ratelimiting/3.4.json new file mode 100644 index 00000000..15f7febd --- /dev/null +++ b/json_schemas/response-ratelimiting/3.4.json 
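Review bot: `config.verbose_response` says only that errors become "more verbose and detailed"; those details go back to the caller and presumably describe the configured `body_schema` / `parameter_schema`, so the description should add something like `Intended for development; keep the false default on routes exposed to untrusted clients.` In the `parameter_schema` item, `schema`, `style` and `explode` are each described as required when the other two are set, but the item schema lists only `in`, `name` and `required`, so a partial combination passes this file; a `dependencies` entry would express the rule if the consuming validator supports it. The `schema` description also has the typo "Requred".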
@@ -0,0 +1,166 @@ +{ + "properties": { + "config": { + "properties": { + "block_on_first_violation": { + "default": false, + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", + "type": "boolean" + }, + "fault_tolerant": { + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", + "type": "boolean" + }, + "header_name": { + "default": "x-kong-limit", + "description": "The name of the response header used to increment the counters.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers.", + "type": "boolean" + }, + "limit_by": { + "default": "consumer", + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. 
If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", + "enum": [ + "consumer", + "credential", + "ip" + ], + "type": "string" + }, + "limits": { + "additionalProperties": true, + "description": "A map that defines rate limits for the plugin.", + "minLength": 1, + "type": "object" + }, + "policy": { + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "redis_database": { + "default": 0, + "description": "When using the `redis` policy, this property specifies Redis database to use.", + "type": "number" + }, + "redis_host": { + "description": "When using the `redis` policy, this property specifies the address to the Redis server.", + "type": "string" + }, + "redis_password": { + "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", + "minLength": 0, + "type": "string" + }, + "redis_port": { + "default": 6379, + "description": "When using the `redis` policy, this property specifies the port of the Redis server.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "redis_server_name": { + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies the server name for the TLS extension Server Name Indication (SNI).", + "type": "string" + }, + "redis_ssl": { + "default": false, + "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server.", + "type": "boolean" + }, + "redis_ssl_verify": { + "default": false, + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies if the server SSL certificate is validated. Note that you need to configure the `lua_ssl_trusted_certificate` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "redis_timeout": { + "default": 2000, + "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server.", + "type": "number" + }, + "redis_username": { + "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.\nThis requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/response-transformer-advanced/3.4.json b/json_schemas/response-transformer-advanced/3.4.json new file mode 100644 index 00000000..251e8dc2 --- /dev/null +++ b/json_schemas/response-transformer-advanced/3.4.json 
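Review bot: `config.limits` is declared as `"type": "object"` with `"minLength": 1`, and `minLength` only constrains strings, so a validator ignores it and an empty `limits` map passes; `"minProperties": 1` is the keyword that requires at least one limit. With `"additionalProperties": true` and no value schema, the shape of each limit is also unchecked by this file. Separately, `redis_database` is a `number` here but an `integer` in the rate-limiting schema of this patch. Since the file is generated from the API, the fix probably belongs in the exporter or the upstream plugin schema.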
@@ -0,0 +1,419 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "allow": { + "properties": { + "json": { + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "append": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "dots_in_keys": { + "default": true, + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", + "type": "boolean" + }, + "remove": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + 
"default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "rename": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "replace": { + "properties": { + "body": { + "description": "String with which to replace the entire response body.", + "type": "string" + }, + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "transform": { + "properties": { + "functions": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/response-transformer/3.4.json b/json_schemas/response-transformer/3.4.json new file mode 100644 index 00000000..5ef1b874 --- /dev/null +++ b/json_schemas/response-transformer/3.4.json 
@@ -0,0 +1,298 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "append": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. 
Each string element can be one of: boolean, number, or string.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "remove": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "rename": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "replace": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/route-by-header/3.4.json b/json_schemas/route-by-header/3.4.json new file mode 100644 index 00000000..308bac74 --- /dev/null +++ b/json_schemas/route-by-header/3.4.json 
@@ -0,0 +1,100 @@ +{ + "properties": { + "config": { + "properties": { + "rules": { + "default": [ + + ], + "description": "Route by header rules.", + "items": { + "properties": { + "condition": { + "additionalProperties": true, + "minLength": 1, + "type": "object" + }, + "upstream_name": { + "type": "string" + } + }, + "required": [ + "condition", + "upstream_name" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
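Review bot: `condition` under `config.rules.items` is typed `object` but constrained with `"minLength": 1`, which is a string keyword that JSON Schema validators ignore for objects. An empty `{}` therefore satisfies this schema even though `condition` is listed in `required`. If the intent is that a rule must name at least one header to match, the keyword should be `"minProperties": 1`. The file is pulled from the API, so the fix belongs in the schema export rather than in a hand edit here.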
diff --git a/json_schemas/route-transformer-advanced/3.4.json b/json_schemas/route-transformer-advanced/3.4.json new file mode 100644 index 00000000..55afb37a --- /dev/null +++ b/json_schemas/route-transformer-advanced/3.4.json @@ -0,0 +1,89 @@ +{ + "properties": { + "config": { + "properties": { + "escape_path": { + "default": false, + "type": "boolean" + }, + "host": { + "type": "string" + }, + "path": { + "type": "string" + }, + "port": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
diff --git a/json_schemas/saml/3.4.json b/json_schemas/saml/3.4.json new file mode 100644 index 00000000..1a9c27ca --- /dev/null +++ b/json_schemas/saml/3.4.json 
@@ -0,0 +1,443 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", + "type": "string" + }, + "assertion_consumer_path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "idp_certificate": { + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "type": "string" + }, + "idp_sso_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "issuer": { + "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", + "type": "string" + }, + "nameid_format": { + "default": "EmailAddress", + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", + "enum": [ + "EmailAddress", + "Persistent", + "Transient", + "Unspecified" + ], + "type": "string" + }, + "request_digest_algorithm": { + "default": "SHA256", + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", + "enum": [ + "SHA1", + "SHA256" + ], + "type": "string" + }, + "request_signature_algorithm": { + "default": "SHA256", + "description": "The signature algorithm for signing Authn requests. 
Options available are: - `SHA256` - `SHA384` - `SHA512`", + "enum": [ + "SHA256", + "SHA384", + "SHA512" + ], + "type": "string" + }, + "request_signing_certificate": { + "description": "The certificate for signing requests.", + "type": "string" + }, + "request_signing_key": { + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", + "type": "string" + }, + "response_digest_algorithm": { + "default": "SHA256", + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", + "enum": [ + "SHA1", + "SHA256" + ], + "type": "string" + }, + "response_encryption_key": { + "description": "The private encryption key required to decrypt encrypted assertions.", + "type": "string" + }, + "response_signature_algorithm": { + "default": "SHA256", + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "enum": [ + "SHA256", + "SHA384", + "SHA512" + ], + "type": "string" + }, + "session_absolute_timeout": { + "default": 86400, + "description": "The session cookie absolute timeout in seconds. 
Specifies how long the session can be used until it is no longer valid.", + "type": "number" + }, + "session_audience": { + "default": "default", + "description": "The session audience, for example \"my-application\"", + "type": "string" + }, + "session_cookie_domain": { + "description": "The session cookie domain flag.", + "type": "string" + }, + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "type": "string" + }, + "session_cookie_path": { + "default": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "session_cookie_same_site": { + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "session_cookie_secure": { + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean" + }, + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean" + }, + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "type": "boolean" + }, + "session_idling_timeout": { + "default": 900, + "description": "The session cookie idle time in seconds.", + "type": "number" + }, + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "type": "string" + }, + "session_memcached_port": { + "default": 11211, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "type": "string" + }, + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "type": "string" + }, + "session_redis_cluster_max_redirections": { + "description": "The Redis cluster maximum redirects.", + "type": "integer" + }, + "session_redis_cluster_nodes": { + "description": "The Redis cluster node host. 
Takes an array of host records, with either `ip` or `host`, and `port` values.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "type": "array" + }, + "session_redis_connect_timeout": { + "description": "The Redis connection timeout in milliseconds.", + "type": "integer" + }, + "session_redis_host": { + "default": "127.0.0.1", + "description": "The Redis host IP.", + "type": "string" + }, + "session_redis_password": { + "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. This value is pulled from", + "type": "string" + }, + "session_redis_port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_redis_prefix": { + "description": "The Redis session key prefix.", + "type": "string" + }, + "session_redis_read_timeout": { + "description": "The Redis read timeout in milliseconds.", + "type": "integer" + }, + "session_redis_send_timeout": { + "description": "The Redis send timeout in milliseconds.", + "type": "integer" + }, + "session_redis_server_name": { + "description": "The SNI used for connecting to the Redis server.", + "type": "string" + }, + "session_redis_socket": { + "description": "The Redis unix socket path.", + "type": "string" + }, + "session_redis_ssl": { + "default": false, + "description": "Use SSL/TLS for the Redis connection.", + "type": "boolean" + }, + "session_redis_ssl_verify": { + "default": false, + "description": "Verify the Redis server certificate.", + "type": "boolean" + 
}, + "session_redis_username": { + "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "type": "string" + }, + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions", + "type": "boolean" + }, + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Persistent session absolute timeout in seconds.", + "type": "number" + }, + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name", + "type": "string" + }, + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Persistent session rolling timeout in seconds.", + "type": "number" + }, + "session_request_headers": { + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "session_response_headers": { + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "session_rolling_timeout": { + "default": 3600, + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "type": "number" + }, + "session_secret": { + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). 
It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "maxLength": 32, + "minLength": 32, + "pattern": "^[0-9a-zA-Z/_+]+$", + "type": "string" + }, + "session_storage": { + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", + "enum": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "type": "string" + }, + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", + "type": "boolean" + }, + "validate_assertion_signature": { + "default": true, + "description": "Enable signature validation for SAML responses.", + "type": "boolean" + } + }, + "required": [ + + ], + "shorthand_fields": { + "session_auth_ttl": { + "type": "number" + }, + "session_compressor": { + "type": "string" + }, + "session_cookie_httponly": { + "type": "boolean" + }, + "session_cookie_idletime": { + "type": "number" + }, + "session_cookie_lifetime": { + "type": "number" + }, + "session_cookie_maxsize": { + "type": "integer" + }, + "session_cookie_renew": { + "type": "number" + }, + "session_cookie_samesite": { + "type": "string" + }, + "session_memcache_host": { + "type": "string" + }, + "session_memcache_port": { + "type": "integer" + }, + "session_memcache_prefix": { + "type": "string" + }, + "session_memcache_socket": { + "type": "string" + }, + "session_redis_cluster_maxredirections": { + "type": "integer" + }, + "session_strategy": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": 
[ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/session/3.4.json b/json_schemas/session/3.4.json new file mode 100644 index 00000000..e563b52e --- /dev/null +++ b/json_schemas/session/3.4.json 
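Review bot: Several descriptions on security-relevant fields in `config` are incomplete or wrong as pulled: `session_redis_password` ends mid-sentence at "This value is pulled from", and `session_rolling_timeout` repeats the absolute-timeout text instead of describing renewal. For the latter, the session schema in this same patch already has suitable wording, `Specifies how long the session can be used until it needs to be renewed.` The `session_redis_ssl` description should also say that certificate verification is a separate switch, since `session_redis_ssl_verify` defaults to `false` here and enabling TLS alone leaves the Redis server's certificate unchecked. The `session_storage` enum accepts `memcache`, but the description lists only `memcached`.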
@@ -0,0 +1,254 @@ +{ + "properties": { + "config": { + "properties": { + "absolute_timeout": { + "default": 86400, + "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", + "type": "number" + }, + "audience": { + "default": "default", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "type": "string" + }, + "cookie_domain": { + "description": "The domain with which the cookie is intended to be exchanged.", + "type": "string" + }, + "cookie_http_only": { + "default": true, + "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", + "type": "boolean" + }, + "cookie_name": { + "default": "session", + "description": "The name of the cookie.", + "type": "string" + }, + "cookie_path": { + "default": "/", + "description": "The resource in the host where the cookie is available.", + "type": "string" + }, + "cookie_same_site": { + "default": "Strict", + "description": "Determines whether and how a cookie may be sent with cross-site requests.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "cookie_secure": { + "default": true, + "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", + "type": "boolean" + }, + "idling_timeout": { + "default": 900, + "description": "The session cookie idle time, in seconds.", + "type": "number" + }, + "logout_methods": { + "default": [ + "DELETE", + "POST" + ], + "description": "A set of HTTP methods that the plugin will respond to.", + "items": { + "enum": [ + "DELETE", + "GET", + "POST" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "logout_post_arg": { + "default": "session_logout", + "description": "The POST argument passed to logout requests. 
Do not change this property.", + "type": "string" + }, + "logout_query_arg": { + "default": "session_logout", + "description": "The query argument passed to logout requests.", + "type": "string" + }, + "remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean" + }, + "remember_absolute_timeout": { + "default": 2592000, + "description": "The persistent session absolute timeout limit, in seconds.", + "type": "number" + }, + "remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string" + }, + "remember_rolling_timeout": { + "default": 604800, + "description": "The persistent session rolling timeout window, in seconds.", + "type": "number" + }, + "request_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "response_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "rolling_timeout": { + "default": 3600, + "description": "The session cookie rolling timeout, in seconds. 
Specifies how long the session can be used until it needs to be renewed.", + "type": "number" + }, + "secret": { + "default": "jUVc08J7Ji4ZDXVsLUZRvfCyF1cfFrVZ4rnoj9KTVyAi", + "description": "The secret that is used in keyed HMAC generation.", + "type": "string" + }, + "stale_ttl": { + "default": 10, + "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", + "type": "number" + }, + "storage": { + "default": "cookie", + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", + "enum": [ + "cookie", + "kong" + ], + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cookie_discard": { + "type": "number" + }, + "cookie_httponly": { + "type": "boolean" + }, + "cookie_idletime": { + "type": "number" + }, + "cookie_lifetime": { + "type": "number" + }, + "cookie_persistent": { + "type": "boolean" + }, + "cookie_renew": { + "type": "number" + }, + "cookie_samesite": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/statsd-advanced/3.4.json b/json_schemas/statsd-advanced/3.4.json new file mode 100644 index 00000000..3495f1a3 --- /dev/null +++ b/json_schemas/statsd-advanced/3.4.json 
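Review bot: `config.secret` is committed with a literal `default` string, while its description says it is the key used for HMAC generation; a published default for a signing key invites readers to treat it as usable or to copy it into a configuration. The value looks randomly generated, so it is presumably specific to the gateway instance the schema was downloaded from rather than a real shared default, which is worth confirming against the plugin source. The download step could drop that key so the entry reads `"secret": { "description": "The secret that is used in keyed HMAC generation.", "type": "string" }`. The other pulled schemas should be scanned for generated defaults of the same kind.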
@@ -0,0 +1,289 @@ +{ + "properties": { + "config": { + "properties": { + "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", + "items": { + "pattern": "^[0-9]+-[0-9]+$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_identifier_default": { + "default": "custom_id", + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "hostname_in_prefix": { + "default": false, + "description": "Include the `hostname` in the `prefix` for each metric name.", + "type": "boolean" + }, + "metrics": { + "default": [ + { + "name": "cache_datastore_misses_total", + "sample_rate": 1, + "stat_type": "counter" + } + ], + "description": "List of Metrics to be logged.", + "items": { + "properties": { + "consumer_identifier": { + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "enum": [ + "cache_datastore_hits_total", + "cache_datastore_misses_total", + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "shdict_usage", + "status_count", + "status_count_per_user", + "status_count_per_user_per_route", + "status_count_per_workspace", + "unique_users", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "minimum": 0, + "type": "number" + }, + "service_identifier": { + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "stat_type": { + "enum": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + }, + 
"workspace_identifier": { + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [ + "name", + "stat_type" + ], + "type": "object" + }, + "type": "array" + }, + "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to prefix to each metric's name.", + "type": "string" + }, + "queue": { + "properties": { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "service_identifier_default": { + "default": "service_name_or_host", + "description": "The default 
service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "udp_packet_size": { + "default": 0, + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", + "maximum": 65507, + "minimum": 0, + "type": "number" + }, + "use_tcp": { + "default": false, + "description": "Use TCP instead of UDP.", + "type": "boolean" + }, + "workspace_identifier_default": { + "default": "workspace_id", + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/statsd/3.4.json b/json_schemas/statsd/3.4.json new file mode 100644 index 00000000..16f7a39c --- /dev/null +++ b/json_schemas/statsd/3.4.json 
@@ -0,0 +1,307 @@ +{ + "properties": { + "config": { + "properties": { + "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", + "items": { + "pattern": "^[0-9]+-[0-9]+$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_identifier_default": { + "default": "custom_id", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "flush_timeout": { + "type": "number" + }, + "host": { + "default": "localhost", + "description": "The IP address or hostname of StatsD server to send data to.", + "type": "string" + }, + "hostname_in_prefix": { + "default": false, + "type": "boolean" + }, + "metrics": { + "default": [ + { + "name": "cache_datastore_misses_total", + "sample_rate": 1, + "stat_type": "counter" + } + ], + "description": "List of metrics to be logged.", + "items": { + "properties": { + "consumer_identifier": { + "description": "Authenticated user detail.", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "description": "StatsD metric’s name.", + "enum": [ + "cache_datastore_hits_total", + "cache_datastore_misses_total", + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "shdict_usage", + "status_count", + "status_count_per_user", + "status_count_per_user_per_route", + "status_count_per_workspace", + "unique_users", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "description": "Sampling rate", + "minimum": 0, + "type": "number" + }, + "service_identifier": { + "description": "Service detail.", + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "stat_type": { + "description": "Determines what sort of event a metric represents.", + "enum": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + }, + 
"workspace_identifier": { + "description": "Workspace detail.", + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [ + "name", + "stat_type" + ], + "type": "object" + }, + "type": "array" + }, + "port": { + "default": 8125, + "description": "The port of StatsD server to send data to.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to prefix to each metric's name.", + "type": "string" + }, + "queue": { + "properties": { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "queue_size": { + "type": "integer" + }, + "retry_count": { + "type": "integer" + }, + 
"service_identifier_default": { + "default": "service_name_or_host", + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "tag_style": { + "enum": [ + "dogstatsd", + "influxdb", + "librato", + "signalfx" + ], + "type": "string" + }, + "udp_packet_size": { + "default": 0, + "maximum": 65507, + "minimum": 0, + "type": "number" + }, + "use_tcp": { + "default": false, + "type": "boolean" + }, + "workspace_identifier_default": { + "default": "workspace_id", + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/syslog/3.4.json b/json_schemas/syslog/3.4.json new file mode 100644 index 00000000..90bd9094 --- /dev/null +++ b/json_schemas/syslog/3.4.json 
@@ -0,0 +1,171 @@ +{ + "properties": { + "config": { + "properties": { + "client_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "facility": { + "default": "user", + "description": "The facility is used by the operating system to decide how to handle each log message.", + "enum": [ + "auth", + "authpriv", + "cron", + "daemon", + "ftp", + "kern", + "local0", + "local1", + "local2", + "local3", + "local4", + "local5", + "local6", + "local7", + "lpr", + "mail", + "news", + "syslog", + "user", + "uucp" + ], + "type": "string" + }, + "log_level": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "server_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "successful_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/tcp-log/3.4.json b/json_schemas/tcp-log/3.4.json new file mode 100644 index 00000000..91b64178 --- /dev/null +++ b/json_schemas/tcp-log/3.4.json 
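Review bot: In json_schemas/syslog/3.4.json, `custom_fields_by_lua` is described only as `Lua code as a key-value map` while accepting arbitrary keys (`"additionalProperties": true`), which does not tell an operator what the Lua values are used for. The tcp-log schema in this same patch has the fuller wording, so I would reuse it here and in json_schemas/udp-log/3.4.json: `"description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value."`. Because the field takes code, that description is what tells a reader that write access to this plugin's configuration is a privileged operation. The four severity/level enums in the syslog file (`client_errors_severity`, `log_level`, `server_errors_severity`, `successful_severity`) have no description at all.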
@@ -0,0 +1,117 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", + "type": "object" + }, + "host": { + "description": "The IP address or host name to send data to.", + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "number" + }, + "port": { + "description": "The port to send data to on the upstream server.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + }, + "tls": { + "default": false, + "description": "Indicates whether to perform a TLS handshake against the remote server.", + "type": "boolean" + }, + "tls_sni": { + "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/tls-handshake-modifier/3.4.json b/json_schemas/tls-handshake-modifier/3.4.json new file mode 100644 index 00000000..358d3225 --- /dev/null +++ b/json_schemas/tls-handshake-modifier/3.4.json 
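Review bot: In json_schemas/tcp-log/3.4.json, `tls` defaults to `false` and its description does not say what that means for the log entries, which per the `host` and `port` descriptions are sent to a remote server. I would extend it to `"description": "Indicates whether to perform a TLS handshake against the remote server. When false (the default), log entries are sent unencrypted."`. The schema exposes `tls_sni` but no field about verifying the server certificate, so whether the handshake authenticates the peer cannot be told from this file and should be stated in the description. `host` and `port` have no default and are not listed in `required`; if the plugin needs them, the empty `required` array misrepresents that.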
@@ -0,0 +1,68 @@ +{ + "properties": { + "config": { + "properties": { + "tls_client_certificate": { + "default": "REQUEST", + "description": "TLS Client Certificate", + "enum": [ + "REQUEST" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpcs", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpcs", + "https", + "tls" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/tls-metadata-headers/3.4.json b/json_schemas/tls-metadata-headers/3.4.json new file mode 100644 index 00000000..3ae3ee64 --- /dev/null +++ b/json_schemas/tls-metadata-headers/3.4.json 
@@ -0,0 +1,90 @@ +{ + "properties": { + "config": { + "properties": { + "client_cert_fingerprint_header_name": { + "default": "X-Client-Cert-Fingerprint", + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", + "type": "string" + }, + "client_cert_header_name": { + "default": "X-Client-Cert", + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", + "type": "string" + }, + "client_cert_issuer_dn_header_name": { + "default": "X-Client-Cert-Issuer-DN", + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", + "type": "string" + }, + "client_cert_subject_dn_header_name": { + "default": "X-Client-Cert-Subject-DN", + "description": "Define the HTTP header name used for the subject DN of the client certificate.", + "type": "string" + }, + "client_serial_header_name": { + "default": "X-Client-Cert-Serial", + "description": "Define the HTTP header name used for the serial number of the client certificate.", + "type": "string" + }, + "inject_client_cert_details": { + "default": false, + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpcs", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpcs", + "https", + "tls" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/udp-log/3.4.json b/json_schemas/udp-log/3.4.json new file mode 100644 index 00000000..1c727685 --- /dev/null +++ b/json_schemas/udp-log/3.4.json 
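Review bot: In json_schemas/tls-metadata-headers/3.4.json, none of the descriptions say how a request that already carries `X-Client-Cert`, `X-Client-Cert-Subject-DN` or the other default header names is handled, and an upstream that reads these headers is relying on them being set only by the gateway. If the plugin overwrites or strips inbound copies, the `inject_client_cert_details` description should say so; if it does not, that belongs in the description as a deployment requirement. `client_cert_fingerprint_header_name` is documented as a SHA1 fingerprint, which is usable as an identifier, but since SHA-1 is not collision resistant the text should not suggest it as the sole input to an authorization decision.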
@@ -0,0 +1,103 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/upstream-timeout/3.4.json b/json_schemas/upstream-timeout/3.4.json new file mode 100644 index 00000000..6ba90827 --- /dev/null +++ b/json_schemas/upstream-timeout/3.4.json 
@@ -0,0 +1,94 @@ +{ + "properties": { + "config": { + "properties": { + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/vault-auth/3.4.json b/json_schemas/vault-auth/3.4.json new file mode 100644 index 00000000..08e8cc3b --- /dev/null +++ b/json_schemas/vault-auth/3.4.json 
@@ -0,0 +1,110 @@ +{ + "properties": { + "config": { + "properties": { + "access_token_name": { + "default": "access_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "items": { + "description": "A string representing an HTTP header name.", + "required": [ + + ], + "type": "string" + }, + "type": "string" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", + "type": "boolean" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" + }, + "secret_token_name": { + "default": "secret_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. 
The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "items": { + "description": "A string representing an HTTP header name.", + "required": [ + + ], + "type": "string" + }, + "type": "string" + }, + "tokens_in_body": { + "default": false, + "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "vault": { + "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
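Review bot: `access_token_name` and `secret_token_name` are declared `"type": "string"` but also carry an `items` subschema, and their descriptions call them "an array of comma-separated parameter names", so the schema contradicts itself; `items` has no effect on a string and a validator will accept any string. Given the defaults are the plain strings `access_token` and `secret_token`, I would drop `items` and reword to `"description": "The parameter name where the plugin looks for an access token. ..."`, or, if a list really is accepted, make the type `array`; this probably has to be fixed where the schemas are generated. The stated character restriction could then be enforced with `"pattern": "^[A-Za-z0-9_-]+$"` instead of prose only. The descriptions also say the credential may be read from the querystring while `hide_credentials` defaults to `false`, so it is worth one sentence noting that tokens sent that way are forwarded upstream and can end up in access logs.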
diff --git a/json_schemas/websocket-size-limit/3.4.json b/json_schemas/websocket-size-limit/3.4.json new file mode 100644 index 00000000..483c3c46 --- /dev/null +++ b/json_schemas/websocket-size-limit/3.4.json 
@@ -0,0 +1,82 @@ +{ + "properties": { + "config": { + "properties": { + "client_max_payload": { + "maximum": 33554432, + "minimum": 1, + "type": "integer" + }, + "upstream_max_payload": { + "maximum": 33554432, + "minimum": 1, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
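Review bot: `config.client_max_payload` and `config.upstream_max_payload` are the only two settings of this plugin and neither has a `description` or a `default`, so the schema does not say what unit the 1–33554432 range is in or what limit applies when a field is left unset. For a control that exists to bound frame size, that should be readable from the schema itself. I would add something like `"description": "Maximum size, in bytes, of a client-originated WebSocket message."` and the upstream equivalent, after confirming the unit against the plugin. The commit message says these files are pulled from the API, so the text presumably has to be added in the plugin's source schema.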
diff --git a/json_schemas/websocket-validator/3.4.json b/json_schemas/websocket-validator/3.4.json new file mode 100644 index 00000000..65cf170c --- /dev/null +++ b/json_schemas/websocket-validator/3.4.json 
@@ -0,0 +1,168 @@ +{ + "properties": { + "config": { + "properties": { + "client": { + "properties": { + "binary": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + }, + "text": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "upstream": { + "properties": { + "binary": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + }, + "text": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. 
The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/xml-threat-protection/3.4.json b/json_schemas/xml-threat-protection/3.4.json new file mode 100644 index 00000000..48a6bd95 --- /dev/null +++ b/json_schemas/xml-threat-protection/3.4.json 
@@ -0,0 +1,228 @@ +{ + "properties": { + "config": { + "properties": { + "allow_dtd": { + "default": false, + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", + "type": "boolean" + }, + "allowed_content_types": { + "default": [ + + ], + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", + "items": { + "pattern": "^[^\\t\\n\\v\\f\\r ]+\\/[^ ;]+$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "attribute": { + "default": 1048576, + "description": "Maximum size of the attribute value.", + "minimum": 0, + "type": "integer" + }, + "bla_max_amplification": { + "default": 100, + "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", + "minimum": 1, + "type": "number" + }, + "bla_threshold": { + "default": 8388608, + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", + "minimum": 1024, + "type": "integer" + }, + "buffer": { + "default": 1048576, + "description": "Maximum size of the unparsed buffer (see below).", + "minimum": 0, + "type": "integer" + }, + "checked_content_types": { + "default": [ + "application/xml" + ], + "description": "A list of Content-Type values with payloads that must be validated.", + "items": { + "pattern": "^[^\\t\\n\\v\\f\\r ]+\\/[^ ;]+$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "comment": { + "default": 1024, + "description": "Maximum size of comments.", + "minimum": 0, + "type": "integer" + }, + "document": { + "default": 10485760, + "description": "Maximum size of the entire document.", + "minimum": 0, + "type": "integer" + }, + "entity": { + "default": 1024, + "description": "Maximum size of entity values in EntityDecl.", + "minimum": 0, + "type": "integer" + }, + "entityname": { + "default": 1024, + "description": "Maximum size of entity names in EntityDecl.", + 
"minimum": 0, + "type": "integer" + }, + "entityproperty": { + "default": 1024, + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", + "minimum": 0, + "type": "integer" + }, + "localname": { + "default": 1024, + "description": "Maximum size of the localname. This applies to tags and attributes.", + "minimum": 0, + "type": "integer" + }, + "max_attributes": { + "default": 100, + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", + "minimum": 0, + "type": "integer" + }, + "max_children": { + "default": 100, + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", + "minimum": 0, + "type": "integer" + }, + "max_depth": { + "default": 50, + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", + "minimum": 0, + "type": "integer" + }, + "max_namespaces": { + "default": 20, + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", + "minimum": 0, + "type": "integer" + }, + "namespace_aware": { + "default": true, + "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", + "type": "boolean" + }, + "namespaceuri": { + "default": 1024, + "description": "Maximum size of the namespace URI. 
This value is required if parsing is namespace-aware.", + "minimum": 0, + "type": "integer" + }, + "pidata": { + "default": 1024, + "description": "Maximum size of processing instruction data.", + "minimum": 0, + "type": "integer" + }, + "pitarget": { + "default": 1024, + "description": "Maximum size of processing instruction targets.", + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": 1024, + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", + "minimum": 0, + "type": "integer" + }, + "text": { + "default": 1048576, + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/zipkin/3.4.json b/json_schemas/zipkin/3.4.json new file mode 100644 index 00000000..cf91080e --- /dev/null +++ b/json_schemas/zipkin/3.4.json 
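Review bot: Every size and count limit in `config` (`attribute`, `buffer`, `document`, `text`, `max_depth`, `max_children`, `max_attributes` and the rest) is declared with `"minimum": 0`, and no description says whether 0 switches the check off or rejects any non-empty value. For a protection plugin that difference decides whether a zero weakens or tightens the policy, so it should be stated once the behaviour is confirmed against the plugin. Separately, the `buffer` description ends with "(see below)", which refers to nothing inside a JSON schema; `"description": "Maximum size of the unparsed buffer."` would at least remove the dangling reference. The file looks generated, so both changes presumably belong in the plugin's source schema.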
@@ -0,0 +1,278 @@ +{ + "properties": { + "config": { + "properties": { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "default_header_type": { + "default": "b3", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "jaeger", + "ot", + "w3c" + ], + "type": "string" + }, + "default_service_name": { + "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans.", + "type": "string" + }, + "header_type": { + "default": "preserve", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "ignore", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "type": "string" + }, + "http_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "http_response_header_for_traceid": { + "type": "string" + }, + "http_span_name": { + "default": "method", + "description": "Specify whether to include the HTTP path in the span name.", + "enum": [ + "method", + "method_path" + ], + "type": "string" + }, + "include_credential": { + "default": true, + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", + "type": "boolean" + }, + "local_service_name": { + "default": "kong", + "description": "The name of the service as displayed in Zipkin.", + "type": "string" + }, + "phase_duration_flavor": { + "default": "annotations", + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", + "enum": [ + "annotations", + "tags" + ], + "type": "string" + }, + "queue": { + "properties": { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + 
}, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sample_ratio": { + "default": 0.001, + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "static_tags": { + "description": "The tags specified on this property will be added to the generated request traces.", + "items": { + "properties": { + "name": { + "not_one_of": [ + "error", + "http.method", + "http.path", + "http.status_code", + "kong.balancer.state", + "kong.balancer.try", + "kong.consumer", + "kong.credential", + "kong.node.id", + "kong.route", + "kong.service", + "lc", + "peer.hostname" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "tags_header": { + "default": "Zipkin-Tags", + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", + "type": "string" + }, + "traceid_byte_count": { + "default": 16, + "description": "The length in bytes of each request's Trace ID.", + "enum": [ + 8, + 16 + ], + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file From f9f5a3bfabbcfb963ae226a1fcb45e41a5629596 Mon Sep 17 00:00:00 2001 
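Review bot: In `config.static_tags.items.properties.name` the reserved tag names are listed under `not_one_of`, which is not a JSON Schema keyword, so a standard validator ignores it and accepts a static tag named `kong.credential` or `http.status_code`. If the exported schema is meant to be used for validation, the constraint should be written as `"not": { "enum": [ …the same thirteen names… ] }`. Also, `include_credential` defaults to `true` and its description does not say which credential attribute is sent to the Zipkin server; a sentence naming the exact value would let operators judge whether the default is acceptable for their tracing backend. The file appears to be generated, so both points presumably need fixing in the exporter or the plugin's source schema.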
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Thu, 27 Feb 2025 11:16:29 -0800 Subject: [PATCH 125/165] generate schemas and examples for plugins coming in 3.10 (#94) --- examples/ai-rag-injector/_3.10.x.yaml | 1 + examples/ai-sanitizer/_3.10.x.yaml | 1 + examples/confluent-consume/_3.10.x.yaml | 1 + examples/kafka-consume/_3.10.x.yaml | 1 + examples/request-callout/_3.10.x.yaml | 1 + schemas/ai-rag-injector/3.10.x.json | 865 ++++++++++++++++++++++++ schemas/ai-sanitizer/3.10.x.json | 177 +++++ schemas/confluent-consume/3.10.x.json | 200 ++++++ schemas/kafka-consume/3.10.x.json | 1 + schemas/request-callout/3.10.x.json | 534 +++++++++++++++ 10 files changed, 1782 insertions(+) create mode 100644 examples/ai-rag-injector/_3.10.x.yaml create mode 100644 examples/ai-sanitizer/_3.10.x.yaml create mode 100644 examples/confluent-consume/_3.10.x.yaml create mode 100644 examples/kafka-consume/_3.10.x.yaml create mode 100644 examples/request-callout/_3.10.x.yaml create mode 100644 schemas/ai-rag-injector/3.10.x.json create mode 100644 schemas/ai-sanitizer/3.10.x.json create mode 100644 schemas/confluent-consume/3.10.x.json create mode 100644 schemas/kafka-consume/3.10.x.json create mode 100644 schemas/request-callout/3.10.x.json diff --git a/examples/ai-rag-injector/_3.10.x.yaml b/examples/ai-rag-injector/_3.10.x.yaml new file mode 100644 index 00000000..0c2337fe --- /dev/null +++ b/examples/ai-rag-injector/_3.10.x.yaml @@ -0,0 +1 @@ +name: ai-rag-injector \ No newline at end of file diff --git a/examples/ai-sanitizer/_3.10.x.yaml b/examples/ai-sanitizer/_3.10.x.yaml new file mode 100644 index 00000000..94dcfb5c --- /dev/null +++ b/examples/ai-sanitizer/_3.10.x.yaml @@ -0,0 +1 @@ +name: ai-sanitizer \ No newline at end of file diff --git a/examples/confluent-consume/_3.10.x.yaml b/examples/confluent-consume/_3.10.x.yaml new file mode 100644 index 00000000..bc1c121d --- /dev/null +++ b/examples/confluent-consume/_3.10.x.yaml 
@@ -0,0 +1 @@ +name: confluent-consume \ No newline at end of file diff --git a/examples/kafka-consume/_3.10.x.yaml b/examples/kafka-consume/_3.10.x.yaml new file mode 100644 index 00000000..f12389c0 --- /dev/null +++ b/examples/kafka-consume/_3.10.x.yaml @@ -0,0 +1 @@ +name: kafka-consume \ No newline at end of file diff --git a/examples/request-callout/_3.10.x.yaml b/examples/request-callout/_3.10.x.yaml new file mode 100644 index 00000000..44c2aa93 --- /dev/null +++ b/examples/request-callout/_3.10.x.yaml @@ -0,0 +1 @@ +name: request-callout \ No newline at end of file diff --git a/schemas/ai-rag-injector/3.10.x.json b/schemas/ai-rag-injector/3.10.x.json new file mode 100644 index 00000000..0d13a664 --- /dev/null +++ b/schemas/ai-rag-injector/3.10.x.json 
@@ -0,0 +1,865 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "set", + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "fields": [ + { + "stop_on_failure": { + "type": "boolean", + "default": false, + "required": true, + "description": "Halt the LLM request process in case of a vectordb or embeddings service failure" + } + }, + { + "inject_as_role": { + "one_of": [ + "system", + "assistant", + "user" + ], + "default": "user", + "required": true, + "type": "string" + } + }, + { + "inject_template": { + "default": "\n", + "required": true, + "type": "string" + } + }, + { + "fetch_chunks_count": { + "type": "number", + "default": 5, + "required": true, + "description": "The maximum number of chunks to fetch from vectordb" + } + }, + { + "vectordb_namespace": { + "type": "string", + "default": "kong_rag_injector", + "required": true, + "description": "The namespace of the vectordb to use for embeddings lookup" + } + }, + { + "embeddings": { + "fields": [ + { + "auth": { + "fields": [ + { + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, + "required": false, + "type": "string" + } + }, + { + "header_value": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true, + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." 
+ } + }, + { + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, + "required": false, + "type": "string" + } + }, + { + "param_value": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true, + "description": "Specify the full parameter value for 'param_name'." + } + }, + { + "param_location": { + "one_of": [ + "query", + "body" + ], + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "required": false, + "type": "string" + } + }, + { + "azure_use_managed_identity": { + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "default": false, + "required": false, + "type": "boolean" + } + }, + { + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, + "required": false, + "type": "string" + } + }, + { + "azure_client_secret": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." 
+ } + }, + { + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, + "required": false, + "type": "string" + } + }, + { + "gcp_use_service_account": { + "description": "Use service account auth for GCP-based providers and models.", + "default": false, + "required": false, + "type": "boolean" + } + }, + { + "gcp_service_account_json": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true, + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`." + } + }, + { + "aws_access_key_id": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance." + } + }, + { + "aws_secret_access_key": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance." 
+ } + }, + { + "allow_override": { + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "default": false, + "required": false, + "type": "boolean" + } + } + ], + "required": false, + "type": "record" + } + }, + { + "model": { + "fields": [ + { + "provider": { + "one_of": [ + "openai", + "mistral", + "huggingface", + "azure", + "bedrock", + "gemini" + ], + "description": "AI provider format to use for embeddings API", + "required": true, + "type": "string" + } + }, + { + "name": { + "description": "Model name to execute.", + "required": true, + "type": "string" + } + }, + { + "options": { + "fields": [ + { + "upstream_url": { + "description": "upstream url for the embeddings", + "required": false, + "type": "string" + } + }, + { + "azure": { + "fields": [ + { + "instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "required": false, + "type": "string" + } + }, + { + "api_version": { + "description": "'api-version' for Azure OpenAI instances.", + "default": "2023-05-15", + "required": false, + "type": "string" + } + }, + { + "deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "required": false, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "bedrock": { + "fields": [ + { + "aws_region": { + "type": "string", + "required": false, + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option." 
+ } + } + ], + "required": false, + "type": "record" + } + }, + { + "gemini": { + "fields": [ + { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "required": false, + "type": "string" + } + }, + { + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "required": false, + "type": "string" + } + }, + { + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "required": false, + "type": "string" + } + } + ], + "type": "record", + "required": false, + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ] + } + }, + { + "huggingface": { + "fields": [ + { + "use_cache": { + "description": "Use the cache layer on the inference API", + "required": false, + "type": "boolean" + } + }, + { + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "required": false, + "type": "boolean" + } + } + ], + "required": false, + "type": "record" + } + } + ], + "type": "record", + "required": false, + "description": "Key/value settings for the model" + } + } + ], + "required": true, + "type": "record" + } + } + ], + "type": "record", + "required": true, + "entity_checks": [ + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.instance" + ], + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.api_version" + ], + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.deployment_id" + ], + "then_err": "must 
set %s for azure provider" + } + } + ] + } + }, + { + "vectordb": { + "fields": [ + { + "strategy": { + "one_of": [ + "redis", + "pgvector" + ], + "type": "string", + "required": true, + "description": "which vector database driver to use" + } + }, + { + "dimensions": { + "type": "integer", + "required": true, + "description": "the desired dimensionality for the vectors" + } + }, + { + "distance_metric": { + "one_of": [ + "cosine", + "euclidean" + ], + "type": "string", + "required": true, + "description": "the distance metric to use for vector searches" + } + }, + { + "redis": { + "required": true, + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + } + } + }, + { + "custom_entity_check": { + "field_sources": [ + "database", + "connection_is_proxied" + ], + "run_with_missing_fields": true + } + }, + { + "custom_entity_check": { + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ], + "run_with_missing_fields": true + } + }, + { + "custom_entity_check": { + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ], + "run_with_missing_fields": true + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ } + }, + { + "connect_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "send_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "read_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "type": "string", + "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "type": "string", + "referenceable": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." 
+ } + }, + { + "database": { + "default": 0, + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy" + } + }, + { + "keepalive_pool_size": { + "type": "integer", + "default": 256, + "between": [ + 1, + 2147483646 + ], + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "one_of": [ + "master", + "slave", + "any" + ], + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_nodes": { + "required": false, + "elements": { + "fields": [ + { + "host": { + "type": "string", + "default": "127.0.0.1", + "required": true, + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ], + "type": "record" + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1, + "type": "array" + } + }, + { + "cluster_nodes": { + "required": false, + "elements": { + "fields": [ + { + "ip": { + "type": "string", + "default": "127.0.0.1", + "required": true, + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ], + "type": "record" + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1, + "type": "array" + } + }, + { + "ssl": { + "type": "boolean", + "default": false, + "required": false, + "description": "If set to true, uses SSL to connect to Redis." + } + }, + { + "ssl_verify": { + "type": "boolean", + "default": false, + "required": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + } + }, + { + "server_name": { + "type": "string", + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS." 
+ } + }, + { + "cluster_max_redirections": { + "type": "integer", + "default": 5, + "required": false, + "description": "Maximum retry attempts for redirection." + } + }, + { + "connection_is_proxied": { + "type": "boolean", + "default": false, + "required": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address." + } + } + ], + "type": "record", + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + } + ] + } + }, + { + "pgvector": { + "fields": [ + { + "host": { + "default": "127.0.0.1", + "type": "string", + "description": "the host of the pgvector database" + } + }, + { + "port": { + "default": 5432, + "type": "integer", + "description": "the port of the pgvector database" + } + }, + { + "user": { + "referenceable": true, + "default": "postgres", + "type": "string", + "description": "the user of the pgvector database" + } + }, + { + "password": { + "encrypted": true, + "referenceable": true, + "type": "string", + 
"description": "the password of the pgvector database" + } + }, + { + "database": { + "description": "the database of the pgvector database", + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.inject_template" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-sanitizer/3.10.x.json b/schemas/ai-sanitizer/3.10.x.json new file mode 100644 index 00000000..0a35f9df --- /dev/null +++ b/schemas/ai-sanitizer/3.10.x.json 
@@ -0,0 +1,177 @@ +{ + "fields": [ + { + "protocols": { + "required": true, + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "set", + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "fields": [ + { + "host": { + "description": "The host of the sanitizer", + "default": "localhost", + "required": true, + "type": "string" + } + }, + { + "port": { + "description": "The port of the sanitizer", + "default": 8080, + "required": true, + "type": "number" + } + }, + { + "scheme": { + "description": "The protocol can be http and https", + "default": "http", + "required": true, + "type": "string" + } + }, + { + "timeout": { + "default": 10000, + "description": "Connection timeout with the sanitizer", + "type": "number" + } + }, + { + "keepalive_timeout": { + "default": 60000, + "description": "The keepalive timeout for the established http connnection", + "type": "number" + } + }, + { + "stop_on_error": { + "default": true, + "description": "Stop processing if an error occurs", + "type": "boolean" + } + }, + { + "anonymize": { + "required": true, + "elements": { + "one_of": [ + "general", + "phone", + "email", + "creditcard", + "crypto", + "date", + "ssn", + "ip", + "nrp", + "domain", + "credentials", + "url", + "medical", + "driverlicense", + "passport", + "bank", + "nationalid", + "custom", + "all", + "all_and_credentials" + ], + "type": "string" + }, + "default": [ + "all_and_credentials" + ], + "type": "array", + "description": "List of types to be anonymized" + } + }, + { + "recover_redacted": { + "default": true, + "description": "Whether to recover redacted data", + "type": "boolean" + } + }, + { + "redact_type": { + "one_of": [ + "placeholder", + "synthetic" + ], + "default": "placeholder", + "description": "What value to be used to redacted to", + "type": "string" + } + }, + { + "custom_patterns": { + 
"required": false, + "elements": { + "fields": [ + { + "name": { + "required": true, + "type": "string" + } + }, + { + "regex": { + "required": true, + "type": "string" + } + }, + { + "score": { + "type": "number", + "default": 0.5, + "required": true, + "between": [ + 0, + 1 + ] + } + } + ], + "type": "record" + }, + "type": "array", + "len_min": 1, + "description": "List of custom patterns to be used for anonymization" + } + } + ], + "required": true, + "type": "record" + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/confluent-consume/3.10.x.json b/schemas/confluent-consume/3.10.x.json new file mode 100644 index 00000000..311affbf --- /dev/null +++ b/schemas/confluent-consume/3.10.x.json 
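Review bot: `config.scheme` is a free-form string that defaults to `http` and has no `one_of`, so any value validates and the default path to the sanitizer is cleartext, even though the traffic is the very text the plugin is meant to anonymize. Constrain it with `"one_of": ["http", "https"]` and say in the description that `https` should be used whenever the sanitizer is not on the loopback interface. `config.port` is typed `number` with no range, whereas the other schemas in this series use `"type": "integer"` with `"between": [0, 65535]`. `custom_patterns[].regex` accepts any string with no length bound; whether the sanitizer service limits pattern complexity is not visible here, so a `len_max` or a sentence on who is expected to set it would help. The file is pulled from the API, so these changes presumably belong in the plugin's own schema.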
@@ -0,0 +1,200 @@ +{ + "entity_checks": [], + "fields": [ + { + "protocols": { + "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null, + "reference": "consumer_groups", + "type": "foreign" + } + }, + { + "config": { + "entity_checks": [], + "type": "record", + "fields": [ + { + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "type": "integer", + "between": [ + 0, + 65535 + ] + } + } + ] + } + } + }, + { + "topics": { + "description": "The Kafka topics and their configuration you want to consume from.", + "type": "array", + "required": true, + "len_min": 1, + "elements": { + "type": "record", + "fields": [ + { + "name": { + "required": true, + "type": "string" + } + } + ] + } + } + }, + { + "mode": { + "description": "The mode of operation for the plugin.", + "type": "string", + "default": "http-get", + "one_of": [ + "server-sent-events", + "http-get" + ] + } + }, + { + "message_deserializer": { + "description": "The deserializer to use for the consumed messages.", + "type": "string", + "default": "noop", + "one_of": [ + "json", + "noop" + ] + } + }, + { + "auto_offset_reset": { + "description": "The offset to start from when there is no initial offset in the consumer group.", + "type": "string", + "default": "latest", + "one_of": [ + 
"earliest", + "latest" + ] + } + }, + { + "commit_strategy": { + "description": "The strategy to use for committing offsets.", + "type": "string", + "default": "auto", + "one_of": [ + "auto", + "off" + ] + } + }, + { + "timeout": { + "description": "Socket timeout in milliseconds.", + "type": "integer", + "default": 10000 + } + }, + { + "keepalive": { + "description": "Keepalive timeout in milliseconds.", + "type": "integer", + "default": 60000 + } + }, + { + "keepalive_enabled": { + "default": false, + "type": "boolean" + } + }, + { + "cluster_api_key": { + "description": "Username/Apikey for SASL authentication.", + "referenceable": true, + "encrypted": true, + "type": "string", + "required": true + } + }, + { + "cluster_api_secret": { + "description": "Password/ApiSecret for SASL authentication.", + "referenceable": true, + "encrypted": true, + "type": "string", + "required": true + } + }, + { + "confluent_cloud_api_key": { + "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", + "referenceable": true, + "encrypted": true, + "type": "string", + "required": false + } + }, + { + "confluent_cloud_api_secret": { + "description": "The corresponding secret for the Confluent Cloud API key.", + "referenceable": true, + "encrypted": true, + "type": "string", + "required": false + } + }, + { + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "required": false, + "auto": true, + "type": "string" + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file 
diff --git a/schemas/kafka-consume/3.10.x.json b/schemas/kafka-consume/3.10.x.json new file mode 100644 index 00000000..9e26dfee --- /dev/null +++ b/schemas/kafka-consume/3.10.x.json @@ -0,0 +1 @@ +{} \ No newline at end of file diff --git a/schemas/request-callout/3.10.x.json b/schemas/request-callout/3.10.x.json new file mode 100644 index 00000000..9378e259 --- /dev/null +++ b/schemas/request-callout/3.10.x.json 
@@ -0,0 +1,534 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign" + } + }, + { + "protocols": { + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "callouts": { + "required": false, + "elements": { + "type": "record", + "fields": [ + { + "name": { + "type": "string", + "required": true + } + }, + { + "depends_on": { + "required": false, + "elements": { + "type": "string" + }, + "type": "array", + "default": [] + } + }, + { + "request": { + "type": "record", + "fields": [ + { + "url": { + "required": true, + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "method": { + "default": "GET", + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", + "type": "string", + "match": "^%u+$" + } + }, + { + "http_opts": { + "default": [], + "type": "record", + "fields": [ + { + "ssl_verify": { + "type": "boolean", + "default": true + } + }, + { + "ssl_server_name": { + "type": "string", + "required": false + } + }, + { + "timeouts": { + "default": [], + "type": "record", + "fields": [ + { + "connect": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "write": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "read": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + } + ] + } + }, + { + "proxy": { + "default": [], + "type": "record", + "fields": [ + { + "auth_username": { + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "auth_password": { + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "http_proxy": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + { + "https_proxy": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + } + ] + } + } + ] + } + }, + { + "query": { + "default": [], + "type": "record", + "fields": [ + { + "forward": { + "type": "boolean", + "default": false + } + }, + { + "custom": { + "required": false, + "keys": { + "type": "string" + }, + "type": "map", + "values": { + "type": "string", + "required": false + } + } + } + ] + } + }, + { + "headers": { + "default": [], + "type": "record", + "fields": [ + { + "forward": { + "type": "boolean", + "default": false + } + }, + { + "custom": { + "required": false, + "keys": { + "type": "string" + }, + "type": "map", + "values": { + "type": "string", + "required": false + } + } + } + ] + } + }, + { + "body": { + "default": [], + "type": "record", + "fields": [ + { + "forward": { + "type": "boolean", + "default": false + } + }, + { + "decode": { + "type": "boolean", + "default": false + } + }, + { + "custom": { + "required": false, + "keys": { + "type": "string" + }, + "type": "map", + "values": { + "type": "string", + "required": false + } + } + } + ] + } + }, + { + "error": { + "default": [], + "type": "record", + "fields": [ + { + "on_error": { + "default": "retry", + 
"type": "string", + "one_of": [ + "retry", + "fail", + "ignore" + ] + } + }, + { + "retry": { + "type": "integer", + "default": 2 + } + }, + { + "codes": { + "type": "array", + "elements": { + "type": "string", + "default": "400-599" + } + } + }, + { + "error_response_code": { + "type": "integer", + "default": 400 + } + }, + { + "error_response_msg": { + "type": "string", + "default": "service callout error" + } + } + ] + } + }, + { + "redirect": { + "default": [], + "type": "record", + "fields": [ + { + "on_redirect": { + "default": "continue", + "type": "string", + "one_of": [ + "follow", + "continue" + ] + } + }, + { + "codes": { + "type": "array", + "elements": { + "type": "string", + "default": "400-599" + } + } + } + ] + } + }, + { + "by_lua": { + "type": "string", + "required": false + } + } + ] + } + }, + { + "response": { + "required": true, + "type": "record", + "fields": [ + { + "headers": { + "default": [], + "type": "record", + "fields": [ + { + "store": { + "type": "boolean", + "default": true + } + } + ] + } + }, + { + "body": { + "default": [], + "type": "record", + "fields": [ + { + "store": { + "type": "boolean", + "default": true + } + }, + { + "decode": { + "type": "boolean", + "default": false + } + } + ] + } + }, + { + "by_lua": { + "type": "string", + "required": false + } + } + ] + } + }, + { + "cache": { + "default": [], + "type": "record", + "fields": [ + { + "bypass": { + "type": "boolean", + "default": false + } + } + ] + } + } + ] + }, + "type": "array" + } + }, + { + "cache": { + "fields": [ + { + "strategy": { + "default": "memory", + "type": "string", + "one_of": [ + "memory", + "disk" + ] + } + } + ], + "type": "record", + "required": true + } + }, + { + "upstream": { + "fields": [ + { + "by_lua": { + "type": "string", + "required": false + } + }, + { + "query": { + "default": [], + "fields": [ + { + "forward": { + "type": "boolean", + "default": true + } + }, + { + "custom": { + "required": false, + "keys": { + "type": "string" + 
}, + "type": "map", + "values": { + "type": "string", + "required": false + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "headers": { + "default": [], + "fields": [ + { + "forward": { + "type": "boolean", + "default": true + } + }, + { + "custom": { + "required": false, + "keys": { + "type": "string" + }, + "type": "map", + "values": { + "type": "string", + "required": false + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "body": { + "default": [], + "fields": [ + { + "forward": { + "type": "boolean", + "default": true + } + }, + { + "decode": { + "type": "boolean", + "default": true + } + }, + { + "custom": { + "required": false, + "keys": { + "type": "string" + }, + "type": "map", + "values": { + "type": "string", + "required": false + } + } + } + ], + "type": "record", + "required": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [] +} \ No newline at end of file From 5fa903817c5db765f6c89dfd5e95e0acdbbba80f Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Tue, 11 Mar 2025 10:58:19 -0700 Subject: [PATCH 126/165] examples and schema updates for consume plugins (#95) --- examples/confluent-consume/_3.10.x.yaml | 13 +- examples/kafka-consume/_3.10.x.yaml | 12 +- schemas/confluent-consume/3.10.x.json | 96 +++++----- schemas/kafka-consume/3.10.x.json | 238 +++++++++++++++++++++++- 4 files changed, 310 insertions(+), 49 deletions(-) diff --git a/examples/confluent-consume/_3.10.x.yaml b/examples/confluent-consume/_3.10.x.yaml index bc1c121d..38774ad5 100644 --- a/examples/confluent-consume/_3.10.x.yaml +++ b/examples/confluent-consume/_3.10.x.yaml 
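Review bot: `http_opts.proxy.auth_password` in the request-callout schema is marked `referenceable` but not `"encrypted": true`, unlike the other credential fields added in this series (`password`, `cluster_api_secret`), so the proxy password would presumably be stored unencrypted; add `"encrypted": true` to it. The three `by_lua` fields (under `request`, `response` and `upstream`) have no `description`; they appear to take Lua source, and the schema should say so and state that permission to edit this plugin's config is equivalent to running code on the gateway (any sandboxing is not visible here). `redirect.codes` defaults its elements to `400-599`, which looks copied from `error.codes` and does not cover 3xx responses. Since the file is generated from the API, these likely need fixing in the plugin schema upstream.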
@@ -1 +1,12 @@
-name: confluent-consume
\ No newline at end of file
+name: confluent-consume
+config:
+ bootstrap_servers:
+ - host: YOUR_BOOTSTRAP_SERVER
+ port: 9092
+ topics:
+ - name: my-topic
+ mode: http-get
+ message_deserializer: json
+ auto_offset_reset: latest
+ cluster_api_key: YOUR_API_KEY
+ cluster_api_secret: YOUR_API_SECRET
\ No newline at end of file
diff --git a/examples/kafka-consume/_3.10.x.yaml b/examples/kafka-consume/_3.10.x.yaml
index f12389c0..72499f2d 100644
--- a/examples/kafka-consume/_3.10.x.yaml
+++ b/examples/kafka-consume/_3.10.x.yaml
@@ -1 +1,11 @@
-name: kafka-consume
\ No newline at end of file
+name: kafka-consume
+config:
+ bootstrap_servers:
+ - host: localhost
+ port: 9092
+ topics:
+ - name: my-topic
+ mode: http-get
+ message_deserializer: json
+ auto_offset_reset: latest
+ commit_strategy: auto
\ No newline at end of file
diff --git a/schemas/confluent-consume/3.10.x.json b/schemas/confluent-consume/3.10.x.json
index 311affbf..9965de16 100644
--- a/schemas/confluent-consume/3.10.x.json
+++ b/schemas/confluent-consume/3.10.x.json
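Review bot: The confluent-consume example gives `cluster_api_key` and `cluster_api_secret` as inline literals, which nudges readers toward committing real credentials in declarative config. Both fields are `referenceable` in the schema, so the example could show a vault reference instead, e.g. `cluster_api_secret: '{vault://env/confluent-api-secret}'` (constructed name), and the same for `cluster_api_key`. `commit_strategy` becomes `required: true` in this commit and is omitted here; it has a default so this presumably still validates, but the kafka-consume example sets it explicitly and the two could match.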
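Review bot: The kafka-consume example has no `authentication` or `security` block, although the schema added in this commit marks both records `required: true`, and it points at `localhost:9092` with neither TLS nor SASL. Whether empty records are defaulted during validation is not visible here. If the example is meant to be copied, add `security:` with `ssl: true` and an `authentication:` block using `strategy: sasl` with `user`/`password` given as vault references, or add a comment such as `# local development only: no TLS or SASL configured`.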
@@ -1,64 +1,61 @@ { - "entity_checks": [], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "default": [ "grpc", "grpcs", "http", "https" ], + "description": "A set of strings representing HTTP protocols.", + "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" - } + ] + }, + "type": "set" } }, { "consumer_group": { - "description": "Custom type for representing a foreign key with a null value allowed.", - "eq": null, "reference": "consumer_groups", - "type": "foreign" + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null } }, { "config": { - "entity_checks": [], - "type": "record", "fields": [ { "bootstrap_servers": { - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "type": "set", + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "elements": { "type": "record", "fields": [ { "host": { + "type": "string", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "required": true } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": true, - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true } } ] @@ -68,9 +65,7 @@ { "topics": { "description": "The Kafka topics and their configuration you want to consume from.", - "type": "array", "required": true, - "len_min": 1, "elements": { "type": "record", "fields": [ 
@@ -81,14 +76,17 @@ } } ] - } + }, + "type": "array", + "len_min": 1 } }, { "mode": { + "default": "http-get", "description": "The mode of operation for the plugin.", + "required": true, "type": "string", - "default": "http-get", "one_of": [ "server-sent-events", "http-get" @@ -97,9 +95,10 @@ }, { "message_deserializer": { + "default": "noop", "description": "The deserializer to use for the consumed messages.", + "required": true, "type": "string", - "default": "noop", "one_of": [ "json", "noop" @@ -108,9 +107,10 @@ }, { "auto_offset_reset": { + "default": "latest", "description": "The offset to start from when there is no initial offset in the consumer group.", + "required": true, "type": "string", - "default": "latest", "one_of": [ "earliest", "latest" @@ -119,9 +119,10 @@ }, { "commit_strategy": { + "default": "auto", "description": "The strategy to use for committing offsets.", + "required": true, "type": "string", - "default": "auto", "one_of": [ "auto", "off" @@ -130,16 +131,16 @@ }, { "timeout": { + "default": 10000, "description": "Socket timeout in milliseconds.", - "type": "integer", - "default": 10000 + "type": "integer" } }, { "keepalive": { + "default": 60000, "description": "Keepalive timeout in milliseconds.", - "type": "integer", - "default": 60000 + "type": "integer" } }, { 
@@ -150,51 +151,54 @@ }, { "cluster_api_key": { - "description": "Username/Apikey for SASL authentication.", - "referenceable": true, "encrypted": true, + "description": "Username/Apikey for SASL authentication.", + "required": true, "type": "string", - "required": true + "referenceable": true } }, { "cluster_api_secret": { - "description": "Password/ApiSecret for SASL authentication.", - "referenceable": true, "encrypted": true, + "description": "Password/ApiSecret for SASL authentication.", + "required": true, "type": "string", - "required": true + "referenceable": true } }, { "confluent_cloud_api_key": { - "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", - "referenceable": true, "encrypted": true, + "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", + "required": false, "type": "string", - "required": false + "referenceable": true } }, { "confluent_cloud_api_secret": { - "description": "The corresponding secret for the Confluent Cloud API key.", - "referenceable": true, "encrypted": true, + "description": "The corresponding secret for the Confluent Cloud API key.", + "required": false, "type": "string", - "required": false + "referenceable": true } }, { "cluster_name": { - "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", - "required": false, + "type": "string", "auto": true, - "type": "string" + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. 
You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "required": false } } ], + "type": "record", + "entity_checks": [], "required": true } } - ] + ], + "entity_checks": [] } \ No newline at end of file diff --git a/schemas/kafka-consume/3.10.x.json b/schemas/kafka-consume/3.10.x.json index 9e26dfee..a3e693d8 100644 --- a/schemas/kafka-consume/3.10.x.json +++ b/schemas/kafka-consume/3.10.x.json 
@@ -1 +1,237 @@ -{} \ No newline at end of file +{ + "fields": [ + { + "protocols": { + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "bootstrap_servers": { + "elements": { + "type": "record", + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com.", + "required": true + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true + } + } + ] + }, + "type": "set", + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "required": true + } + }, + { + "topics": { + "description": "The Kafka topics and their configuration you want to consume from.", + "required": true, + "elements": { + "type": "record", + "fields": [ + { + "name": { + "required": true, + "type": "string" + } + } + ] + }, + "type": "array", + "len_min": 1 + } + }, + { + "mode": { + "default": "http-get", + "description": "The mode of operation for the plugin.", + "required": true, + "type": "string", + "one_of": [ + "server-sent-events", + "http-get" + ] + } + }, + { + "message_deserializer": { + "default": "noop", + "description": "The deserializer to use for the consumed messages.", + "required": true, + "type": "string", + "one_of": [ + "json", + "noop" + ] + } + }, + { + "auto_offset_reset": { + "default": "latest", + "description": "The offset to start from when there is no initial offset in the consumer group.", + "required": true, + "type": "string", + 
"one_of": [ + "earliest", + "latest" + ] + } + }, + { + "commit_strategy": { + "default": "auto", + "description": "The strategy to use for committing offsets.", + "required": true, + "type": "string", + "one_of": [ + "auto", + "off" + ] + } + }, + { + "authentication": { + "type": "record", + "fields": [ + { + "strategy": { + "one_of": [ + "sasl" + ], + "type": "string", + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "required": false + } + }, + { + "mechanism": { + "one_of": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "type": "string", + "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", + "required": false + } + }, + { + "tokenauth": { + "type": "boolean", + "description": "Enable this to indicate `DelegationToken` authentication", + "required": false + } + }, + { + "user": { + "encrypted": true, + "description": "Username for SASL authentication.", + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "password": { + "encrypted": true, + "description": "Password for SASL authentication.", + "required": false, + "type": "string", + "referenceable": true + } + } + ], + "required": true + } + }, + { + "security": { + "type": "record", + "fields": [ + { + "certificate_id": { + "uuid": true, + "type": "string", + "description": "UUID of certificate entity for mTLS authentication.", + "required": false + } + }, + { + "ssl": { + "type": "boolean", + "description": "Enables TLS.", + "required": false + } + } + ], + "required": true + } + }, + { + "cluster_name": { + "type": "string", + "description": "An identifier for the Kafka cluster.", + "required": false + } + } + ], + "type": "record", + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "authentication" + ] + } + } + ], + "required": true + } + } + ], + "entity_checks": [] +} \ No newline at end of file 
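Review bot: The `mechanism` description under `config.authentication` in the new kafka-consume schema names only `PLAIN` or `SCRAM-SHA-256`, while its `one_of` list also accepts `SCRAM-SHA-512`. The text should list all three, e.g. `"description": "The SASL authentication mechanism. Supported options: PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512."`. Separately, `security.ssl` is optional with no default, and the only entity check shown is a `custom_entity_check` over `authentication`, so the schema does not show whether `PLAIN` without TLS is rejected. With SASL PLAIN the password crosses the connection unprotected unless TLS is on, and the `ssl` description should say so. Because this file is downloaded from the gateway, both wording changes presumably belong in the plugin's schema source.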
From 0a0ee90cf1ea03fd926605c4ae0fa670fdc8df86 Mon Sep 17 00:00:00 2001 
From: kong-docs <116832528+kong-docs@users.noreply.github.com> Date: Thu, 13 Mar 2025 12:54:09 -0300 Subject: [PATCH 127/165] Download Schemas for 3.10.x (#96) Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- schemas/acl/3.10.x.json | 86 +- schemas/acme/3.10.x.json | 463 ++-- schemas/ai-azure-content-safety/3.10.x.json | 94 +- schemas/ai-prompt-decorator/3.10.x.json | 95 +- schemas/ai-prompt-guard/3.10.x.json | 111 +- schemas/ai-prompt-template/3.10.x.json | 58 +- schemas/ai-proxy-advanced/3.10.x.json | 1490 +++++++---- schemas/ai-proxy/3.10.x.json | 304 ++- schemas/ai-rag-injector/3.10.x.json | 646 +++-- schemas/ai-rate-limiting-advanced/3.10.x.json | 488 ++-- schemas/ai-request-transformer/3.10.x.json | 394 +-- schemas/ai-response-transformer/3.10.x.json | 390 +-- schemas/ai-sanitizer/3.10.x.json | 76 +- schemas/ai-semantic-cache/3.10.x.json | 899 ++++--- schemas/ai-semantic-prompt-guard/3.10.x.json | 887 ++++--- schemas/app-dynamics/3.10.x.json | 34 +- schemas/aws-lambda/3.10.x.json | 140 +- schemas/azure-functions/3.10.x.json | 80 +- schemas/basic-auth/3.10.x.json | 54 +- schemas/bot-detection/3.10.x.json | 64 +- schemas/canary/3.10.x.json | 148 +- schemas/confluent-consume/3.10.x.json | 92 +- schemas/confluent/3.10.x.json | 167 +- schemas/correlation-id/3.10.x.json | 46 +- schemas/cors/3.10.x.json | 96 +- schemas/datadog/3.10.x.json | 254 +- schemas/degraphql/3.10.x.json | 52 +- schemas/exit-transformer/3.10.x.json | 42 +- schemas/file-log/3.10.x.json | 62 +- schemas/forward-proxy/3.10.x.json | 156 +- .../graphql-proxy-cache-advanced/3.10.x.json | 421 +-- .../3.10.x.json | 461 ++-- schemas/grpc-gateway/3.10.x.json | 42 +- schemas/grpc-web/3.10.x.json | 52 +- schemas/header-cert-auth/3.10.x.json | 100 +- schemas/hmac-auth/3.10.x.json | 106 +- schemas/http-log/3.10.x.json | 118 +- schemas/injection-protection/3.10.x.json | 94 +- schemas/ip-restriction/3.10.x.json | 66 +- schemas/jq/3.10.x.json | 106 +- 
schemas/json-threat-protection/3.10.x.json | 142 +- schemas/jwe-decrypt/3.10.x.json | 54 +- schemas/jwt-signer/3.10.x.json | 582 ++-- schemas/jwt/3.10.x.json | 92 +- schemas/kafka-consume/3.10.x.json | 96 +- schemas/kafka-log/3.10.x.json | 158 +- schemas/kafka-upstream/3.10.x.json | 163 +- schemas/key-auth-enc/3.10.x.json | 70 +- schemas/key-auth/3.10.x.json | 180 +- schemas/konnect-application-auth/3.10.x.json | 2210 ++++++++-------- schemas/ldap-auth-advanced/3.10.x.json | 160 +- schemas/ldap-auth/3.10.x.json | 114 +- schemas/loggly/3.10.x.json | 72 +- schemas/mocking/3.10.x.json | 96 +- schemas/mtls-auth/3.10.x.json | 90 +- schemas/oas-validation/3.10.x.json | 126 +- schemas/oauth2-introspection/3.10.x.json | 90 +- schemas/oauth2/3.10.x.json | 172 +- schemas/opa/3.10.x.json | 78 +- schemas/openid-connect/3.10.x.json | 2349 +++++++++-------- schemas/opentelemetry/3.10.x.json | 222 +- schemas/post-function/3.10.x.json | 215 +- schemas/pre-function/3.10.x.json | 215 +- schemas/prometheus/3.10.x.json | 57 +- schemas/proxy-cache-advanced/3.10.x.json | 493 ++-- schemas/proxy-cache/3.10.x.json | 140 +- schemas/rate-limiting-advanced/3.10.x.json | 495 ++-- schemas/rate-limiting/3.10.x.json | 577 ++-- schemas/redirect/3.10.x.json | 34 +- schemas/request-callout/3.10.x.json | 686 +++-- schemas/request-size-limiting/3.10.x.json | 44 +- schemas/request-termination/3.10.x.json | 56 +- .../request-transformer-advanced/3.10.x.json | 254 +- schemas/request-transformer/3.10.x.json | 206 +- schemas/request-validator/3.10.x.json | 122 +- schemas/response-ratelimiting/3.10.x.json | 557 ++-- .../response-transformer-advanced/3.10.x.json | 226 +- schemas/response-transformer/3.10.x.json | 198 +- schemas/route-by-header/3.10.x.json | 50 +- .../route-transformer-advanced/3.10.x.json | 38 +- schemas/saml/3.10.x.json | 803 +++--- schemas/service-protection/3.10.x.json | 475 ++-- schemas/session/3.10.x.json | 232 +- schemas/standard-webhooks/3.10.x.json | 40 +- 
schemas/statsd-advanced/3.10.x.json | 376 +-- schemas/statsd/3.10.x.json | 194 +- schemas/syslog/3.10.x.json | 60 +- schemas/tcp-log/3.10.x.json | 74 +- schemas/tls-handshake-modifier/3.10.x.json | 38 +- schemas/tls-metadata-headers/3.10.x.json | 56 +- schemas/udp-log/3.10.x.json | 60 +- schemas/upstream-oauth/3.10.x.json | 611 ++--- schemas/upstream-timeout/3.10.x.json | 52 +- schemas/vault-auth/3.10.x.json | 72 +- schemas/websocket-size-limit/3.10.x.json | 36 +- schemas/websocket-validator/3.10.x.json | 164 +- schemas/xml-threat-protection/3.10.x.json | 150 +- schemas/zipkin/3.10.x.json | 207 +- 98 files changed, 13503 insertions(+), 11710 deletions(-) diff --git a/schemas/acl/3.10.x.json b/schemas/acl/3.10.x.json index ddcf7860..29f1d8e4 100644 --- a/schemas/acl/3.10.x.json +++ b/schemas/acl/3.10.x.json @@ -1,46 +1,26 @@ { - "entity_checks": [ - { - "only_one_of": [ - "config.allow", - "config.deny" - ] - }, - { - "at_least_one_of": [ - "config.allow", - "config.deny" - ] - } - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -49,58 +29,78 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "type": "record", "fields": [ { "allow": { + "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "type": "array", "elements": { "type": "string" - }, - "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", - "type": "array" + } } }, { "deny": { + "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "type": "array", "elements": { "type": "string" - }, - "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", - "type": "array" + } } }, { "hide_groups_header": { "default": false, "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "include_consumer_groups": { "default": false, "description": "If enabled (`true`), allows the consumer-groups to be used in the `allow|deny` fields", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "always_use_authenticated_groups": { "default": false, "description": "If enabled (`true`), the authenticated groups will always be used even when an authenticated consumer already exists. If the authenticated groups don't exist, it will fallback to use the groups associated with the consumer. 
By default the authenticated groups will only be used when there is no consumer or the consumer is anonymous.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + { + "only_one_of": [ + "config.allow", + "config.deny" + ] + }, + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } ] } \ No newline at end of file diff --git a/schemas/acme/3.10.x.json b/schemas/acme/3.10.x.json index 677bf267..f67a4a3a 100644 --- a/schemas/acme/3.10.x.json +++ b/schemas/acme/3.10.x.json 
@@ -1,97 +1,47 @@ { - "entity_checks": [ - { - "conditional": { - "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", - "if_match": { - "one_of": [ - "https://acme-v02.api.letsencrypt.org", - "https://acme-staging-v02.api.letsencrypt.org" - ] - }, - "then_field": "config.tos_accepted", - "if_field": "config.api_uri", - "then_match": { - "eq": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.storage_config.redis.host", - "if_field": "config.storage", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.storage_config.redis.port", - "if_field": "config.storage", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "field_sources": [ - "config.storage" - ] - } - } - ], + "supported_partials": { + "redis-ce": [ + "config.storage_config.redis" + ] + }, "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "service": { - "reference": "services", - "eq": null, + "description": "A reference to the 'services' table with a null value allowed.", "type": "foreign", - "description": "A reference to the 'services' table with a null value allowed." + "eq": null, + "reference": "services" } }, { "route": { - "reference": "routes", - "eq": null, + "description": "A reference to the 'routes' table with a null value allowed.", "type": "foreign", - "description": "A reference to the 'routes' table with a null value allowed." 
+ "eq": null, + "reference": "routes" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -100,19 +50,26 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "type": "record", "fields": [ { "account_email": { + "description": "The account identifier. Can be reused in a different plugin instance.", + "type": "string", + "required": true, "encrypted": true, "match": "%w*%p*@+%w*%.?%w*", - "required": true, - "type": "string", - "description": "The account identifier. Can be reused in a different plugin instance.", "referenceable": true } }, @@ -120,13 +77,12 @@ "account_key": { "type": "record", "description": "The private key associated with the account.", - "required": false, "fields": [ { "key_id": { "description": "The Key ID.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { 
@@ -135,37 +91,38 @@ "description": "The ID of the key set to associate the Key ID with." } } - ] + ], + "required": false } }, { "api_uri": { - "default": "https://acme-v02.api.letsencrypt.org/directory", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "default": "https://acme-v02.api.letsencrypt.org/directory", "type": "string" } }, { "tos_accepted": { - "default": false, "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", + "default": false, "type": "boolean" } }, { "eab_kid": { - "encrypted": true, "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "eab_hmac_key": { - "encrypted": true, "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { 
@@ -193,45 +150,45 @@ }, { "renew_threshold_days": { - "default": 14, "description": "Days remaining to renew the certificate before it expires.", + "default": 14, "type": "number" } }, { "domains": { "elements": { - "match_all": [ - { - "err": "invalid wildcard: must have at most one wildcard", - "pattern": "^[^*]*%*?[^*]*$" - } - ], - "type": "string", "match_any": { - "err": "invalid wildcard: must be placed at leftmost or rightmost label", "patterns": [ "^%*%.", "%.%*$", "^[^*]*$" - ] - } + ], + "err": "invalid wildcard: must be placed at leftmost or rightmost label" + }, + "type": "string", + "match_all": [ + { + "pattern": "^[^*]*%*?[^*]*$", + "err": "invalid wildcard: must have at most one wildcard" + } + ] }, - "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", - "type": "array" + "type": "array", + "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')" } }, { "allow_any_domain": { - "default": false, "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", + "default": false, "type": "boolean" } }, { "fail_backoff_minutes": { - "default": 5, "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", + "default": 5, "type": "number" } }, 
@@ -251,33 +208,105 @@ }, { "storage_config": { + "type": "record", "fields": [ { "shm": { + "type": "record", "fields": [ { "shm_name": { - "default": "kong", "description": "Name of shared memory zone used for Kong API gateway storage", - "type": "string" + "type": "string", + "default": "kong" } } ], - "required": true, - "type": "record" + "required": true } }, { "kong": { + "type": "record", "fields": [ ], - "required": true, - "type": "record" + "required": true } }, { "redis": { + "shorthand_fields": [ + { + "auth": { + "len_min": 0, + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "acme: config.storage_config.redis.auth is deprecated, please use config.storage_config.redis.password instead", + "replaced_with": [ + { + "path": [ + "password" + ] + } + ] + } + } + }, + { + "ssl_server_name": { + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "acme: config.storage_config.redis.ssl_server_name is deprecated, please use config.storage_config.redis.server_name instead", + "replaced_with": [ + { + "path": [ + "server_name" + ] + } + ] + } + } + }, + { + "namespace": { + "len_min": 0, + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "acme: config.storage_config.redis.namespace is deprecated, please use config.storage_config.redis.extra_options.namespace instead", + "replaced_with": [ + { + "path": [ + "extra_options", + "namespace" + ] + } + ] + } + } + }, + { + "scan_count": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "acme: config.storage_config.redis.scan_count is deprecated, please use config.storage_config.redis.extra_options.scan_count instead", + "replaced_with": [ + { + "path": [ + "extra_options", + "scan_count" + ] + } + ] + } + } + } + ], + "type": "record", "fields": [ { "host": { 
@@ -287,180 +316,110 @@ }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } }, { "timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { - "encrypted": true, - "referenceable": true, - "type": "string", "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "len_min": 0 + "type": "string", + "encrypted": true, + "len_min": 0, + "referenceable": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "type": "integer", + "default": 0 } }, { "ssl": { - "default": false, + "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "ssl_verify": { - "default": false, + "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "server_name": { "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "extra_options": { "type": "record", "description": "Custom ACME Redis options", - "required": true, "fields": [ { "namespace": { - "required": true, + "len_min": 0, "type": "string", + "required": true, "default": "", - "description": "A namespace to prepend to all keys stored in Redis.", - "len_min": 0 + "description": "A namespace to prepend to all keys stored in Redis." } }, { "scan_count": { "default": 10, "description": "The number of keys to return in Redis SCAN calls.", - "required": false, - "type": "number" + "type": "number", + "required": false } } - ] - } - } - ], - "shorthand_fields": [ - { - "auth": { - "type": "string", - "deprecation": { - "message": "acme: config.storage_config.redis.auth is deprecated, please use config.storage_config.redis.password instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "password" - ] - } - ] - }, - "len_min": 0 - } - }, - { - "ssl_server_name": { - "deprecation": { - "message": "acme: config.storage_config.redis.ssl_server_name is deprecated, please use config.storage_config.redis.server_name instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "server_name" - ] - } - ] - }, - "type": "string" - } - }, - { - "namespace": { - "type": "string", - "deprecation": { - "message": "acme: config.storage_config.redis.namespace is deprecated, please use config.storage_config.redis.extra_options.namespace instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "extra_options", - "namespace" - ] - } - ] - }, - "len_min": 0 - } - }, - { - "scan_count": { - "deprecation": { - "message": "acme: 
config.storage_config.redis.scan_count is deprecated, please use config.storage_config.redis.extra_options.scan_count instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "extra_options", - "scan_count" - ] - } - ] - }, - "type": "integer" + ], + "required": true } } ], - "required": true, - "type": "record" + "required": true } }, { "consul": { + "type": "record", "fields": [ { "https": { - "default": false, "description": "Boolean representation of https.", + "default": false, "type": "boolean" } }, @@ -472,12 +431,12 @@ }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + ] } }, { @@ -495,22 +454,22 @@ { "token": { "description": "Consul ACL token.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } } ], - "required": true, - "type": "record" + "required": true } }, { "vault": { + "type": "record", "fields": [ { "https": { - "default": false, "description": "Boolean representation of https.", + "default": false, "type": "boolean" } }, @@ -522,12 +481,12 @@ }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + ] } }, { @@ -545,14 +504,14 @@ { "token": { "description": "Consul ACL token.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "tls_verify": { - "default": true, "description": "Turn on TLS verification.", + "default": true, "type": "boolean" } }, 
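Review bot: The `token` fields in the `@@ -495,22 +454,22 @@` and `@@ -545,14 +504,14 @@` hunks are `referenceable` but not `encrypted`, unlike `eab_hmac_key` and the Redis `password` in the same schema, which carry `"encrypted": true`. These are storage-backend credentials, so adding `"encrypted": true` to both would be consistent. The second `token` sits just before `tls_verify`, which suggests it belongs to the `vault` record, yet its description still reads "Consul ACL token."; something like `"description": "Vault token."` looks intended. The record boundaries fall outside these hunks and the file is a downloaded schema, so confirm against the plugin source and make the change there.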
@@ -592,31 +551,77 @@ } } ], - "required": true, - "type": "record" + "required": true } } ], - "required": true, - "type": "record" + "required": true } }, { "preferred_chain": { - "description": "A string value that specifies the preferred certificate chain to use when generating certificates.", - "type": "string" + "type": "string", + "description": "A string value that specifies the preferred certificate chain to use when generating certificates." } }, { "enable_ipv4_common_name": { - "default": true, "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", + "default": true, "type": "boolean" } } ], - "required": true, - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "https://acme-v02.api.letsencrypt.org", + "https://acme-staging-v02.api.letsencrypt.org" + ] + }, + "then_field": "config.tos_accepted", + "if_field": "config.api_uri", + "then_match": { + "eq": true + }, + "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/" + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.storage_config.redis.host", + "if_field": "config.storage", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.storage_config.redis.port", + "if_field": "config.storage", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.storage" + ] } } ] diff --git a/schemas/ai-azure-content-safety/3.10.x.json b/schemas/ai-azure-content-safety/3.10.x.json index 0752c460..189c1774 100644 --- a/schemas/ai-azure-content-safety/3.10.x.json +++ b/schemas/ai-azure-content-safety/3.10.x.json 
@@ -1,19 +1,10 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -22,78 +13,85 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "content_safety_url": { "referenceable": true, "description": "Full URL, inc protocol, of the Azure Content Safety instance.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "azure_api_version": { - "required": true, + "len_min": 1, "type": "string", + "required": true, "default": "2023-10-01", - "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format.", - "len_min": 1 + "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format." 
} }, { "azure_use_managed_identity": { - "default": false, "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity", + "default": false, "type": "boolean" } }, { "azure_client_id": { "description": "If `azure_use_managed_identity` is true, set the client ID if required.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "azure_client_secret": { "description": "If `azure_use_managed_identity` is true, set the client secret if required.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "azure_tenant_id": { "description": "If `azure_use_managed_identity` is true, set the tenant ID if required.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "content_safety_key": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.", "referenceable": true } @@ -111,32 +109,32 @@ }, { "categories": { + "description": "Array of categories, and their thresholds, to measure on.", + "type": "array", "elements": { "type": "record", - "required": true, "fields": [ { "name": { - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "rejection_level": { - "required": true, - "type": "integer" + "type": "integer", + "required": true } } - ] - }, - "description": "Array of categories, and their thresholds, to measure on.", - "type": "array" + ], + "required": true + } } }, { "reveal_failure_reason": { - "default": true, "description": "Set true to tell the caller why their request was rejected, if so.", + "default": true, "type": "boolean" } }, 
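Review bot: `azure_client_secret` in the `@@ -22,78 +13,85 @@` hunk is declared with only `description`, `type` and `required`, while `content_safety_key` in the same record carries `"encrypted": true` and `"referenceable": true`. Without those attributes the client secret is not marked for at-rest encryption and presumably cannot be supplied as a vault reference, so it would sit as a literal value in the config store and in exports. I would add `"encrypted": true, "referenceable": true` to `azure_client_secret`. The hunk only reorders keys, and since the file is a downloaded schema the change most likely has to be made in the plugin's schema upstream.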
@@ -153,24 +151,26 @@ }, { "blocklist_names": { + "description": "Use these configured blocklists (in Azure Content Services) when inspecting content.", + "type": "array", "elements": { "type": "string" - }, - "description": "Use these configured blocklists (in Azure Content Services) when inspecting content.", - "type": "array" + } } }, { "halt_on_blocklist_hit": { - "default": true, "description": "Tells Azure to reject the request if any blocklist filter is hit.", + "default": true, "type": "boolean" } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/ai-prompt-decorator/3.10.x.json b/schemas/ai-prompt-decorator/3.10.x.json index 4002199f..472ad80c 100644 --- a/schemas/ai-prompt-decorator/3.10.x.json +++ b/schemas/ai-prompt-decorator/3.10.x.json @@ -1,24 +1,10 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.prompts.prepend", - "config.prompts.append" - ] - } - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -27,31 +13,36 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "type": "record", "fields": [ { "prompts": { "type": "record", - "required": false, "fields": [ { "prepend": { + "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages.", "len_max": 15, "required": false, - "type": "array", "elements": { "type": "record", - "required": false, "fields": [ { "role": { - "default": "system", - "type": "string", "required": true, + "type": "string", + "default": "system", "one_of": [ "system", "assistant", 
@@ -61,31 +52,31 @@ }, { "content": { - "len_max": 500, "type": "string", - "required": true, - "len_min": 1 + "len_min": 1, + "len_max": 500, + "required": true } } - ] + ], + "required": false }, - "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages." + "type": "array" } }, { "append": { + "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages.", "len_max": 15, "required": false, - "type": "array", "elements": { "type": "record", - "required": false, "fields": [ { "role": { - "default": "system", - "type": "string", "required": true, + "type": "string", + "default": "system", "one_of": [ "system", "assistant", @@ -95,32 +86,54 @@ }, { "content": { - "len_max": 500, "type": "string", - "required": true, - "len_min": 1 + "len_min": 1, + "len_max": 500, + "required": true } } - ] + ], + "required": false }, - "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages." + "type": "array" } } - ] + ], + "required": false } }, { "max_request_body_size": { - "default": 8192, + "type": "integer", "description": "max allowed body size allowed to be introspected", "gt": 0, - "type": "integer" + "default": 8192 + } + }, + { + "llm_format": { + "description": "LLM input and output format and schema to use", + "type": "string", + "required": false, + "default": "openai", + "one_of": [ + "openai", + "bedrock", + "gemini" + ] } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.prompts.prepend", + "config.prompts.append" + ] + } ] } \ No newline at end of file diff --git a/schemas/ai-prompt-guard/3.10.x.json b/schemas/ai-prompt-guard/3.10.x.json index 1eb02b54..4c2ae045 100644 --- a/schemas/ai-prompt-guard/3.10.x.json +++ b/schemas/ai-prompt-guard/3.10.x.json 
@@ -1,36 +1,10 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.allow_patterns", - "config.deny_patterns" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "config.allow_all_conversation_history", - "if_field": "config.match_all_roles", - "then_match": { - "eq": false - } - } - } - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -39,65 +13,104 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "type": "record", "fields": [ { "allow_patterns": { - "len_max": 10, - "required": false, + "description": "Array of valid regex patterns, or valid questions from the 'user' role in chat.", "type": "array", + "required": false, "elements": { - "len_max": 500, "len_min": 1, - "type": "string" + "type": "string", + "len_max": 500 }, - "description": "Array of valid regex patterns, or valid questions from the 'user' role in chat." + "len_max": 10 } }, { "deny_patterns": { - "len_max": 10, - "required": false, + "description": "Array of invalid regex patterns, or invalid questions from the 'user' role in chat.", "type": "array", + "required": false, "elements": { - "len_max": 500, "len_min": 1, - "type": "string" + "type": "string", + "len_max": 500 }, - "description": "Array of invalid regex patterns, or invalid questions from the 'user' role in chat." + "len_max": 10 } }, { "allow_all_conversation_history": { - "default": false, + "type": "boolean", "description": "If true, will ignore all previous chat prompts from the conversation history.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "max_request_body_size": { - "default": 8192, + "type": "integer", "description": "max allowed body size allowed to be introspected", "gt": 0, - "type": "integer" + "default": 8192 } }, { "match_all_roles": { - "default": false, + "type": "boolean", "description": "If true, will match all roles in addition to 'user' role in conversation history.", - "required": true, - "type": "boolean" + "default": false, + "required": true + } + }, + { + "llm_format": { + "description": "LLM input and output format and schema to use", + "type": "string", + "required": false, + "default": "openai", + "one_of": [ + "openai", + "bedrock", + "gemini" + ] } } ], - "required": true, - "type": "record" + "required": true + } + } + ], + 
"entity_checks": [ + { + "at_least_one_of": [ + "config.allow_patterns", + "config.deny_patterns" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "config.allow_all_conversation_history", + "if_field": "config.match_all_roles", + "then_match": { + "eq": false + } } } ] diff --git a/schemas/ai-prompt-template/3.10.x.json b/schemas/ai-prompt-template/3.10.x.json index 2822bb38..bd55443b 100644 --- a/schemas/ai-prompt-template/3.10.x.json +++ b/schemas/ai-prompt-template/3.10.x.json @@ -1,19 +1,10 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -22,67 +13,76 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "type": "record", "fields": [ { "templates": { "elements": { "type": "record", - "required": true, "fields": [ { "name": { "description": "Unique name for the template, can be called with `{template://NAME}`", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "template": { "description": "Template string for this request, supports mustache-style `{{placeholders}}`", - "required": true, - "type": "string" + "type": "string", + "required": true } } - ] + ], + "required": true }, "description": "Array of templates available to the request context.", - "required": true, - "type": "array" + "type": "array", + "required": true } }, { "allow_untemplated_requests": { "default": true, "description": "Set true to allow requests that don't call or match any template.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "log_original_request": { "default": false, "description": "Set true to add the original request to the Kong log plugin(s) output.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "max_request_body_size": { - "gt": 0, - "description": "max allowed body size allowed to be introspected", "default": 8192, - "type": "integer" + "description": "max allowed body size allowed to be introspected", + "type": "integer", + "gt": 0 } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/ai-proxy-advanced/3.10.x.json b/schemas/ai-proxy-advanced/3.10.x.json index 0e657ace..8454ff52 100644 --- a/schemas/ai-proxy-advanced/3.10.x.json +++ b/schemas/ai-proxy-advanced/3.10.x.json 
@@ -1,33 +1,10 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.targets" - ] - } - }, - { - "custom_entity_check": { - "field_sources": [ - "config.targets", - "config.balancer" - ] - } - } - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -36,48 +13,56 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "type": "record", "fields": [ { "balancer": { "type": "record", - "required": true, "fields": [ { "algorithm": { - "default": "round-robin", - "description": "Which load balancing algorithm to use.", "type": "string", + "description": "Which load balancing algorithm to use.", + "default": "round-robin", "one_of": [ "round-robin", "lowest-latency", "lowest-usage", "consistent-hashing", - "semantic" + "semantic", + "priority" ] } }, { "tokens_count_strategy": { - "default": "total-tokens", - "description": "What tokens to use for usage calculation. Available values are: `total_tokens` `prompt_tokens`, and `completion_tokens`.", "type": "string", + "description": "What tokens to use for usage calculation. Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` and `cost`.", + "default": "total-tokens", "one_of": [ "total-tokens", "prompt-tokens", - "completion-tokens" + "completion-tokens", + "cost" ] } }, { "latency_strategy": { - "default": "tpot", - "description": "What metrics to use for latency. Available values are: `tpot` (time-per-output-token) and `e2e`.", "type": "string", + "description": "What metrics to use for latency. Available values are: `tpot` (time-per-output-token) and `e2e`.", + "default": "tpot", "one_of": [ "tpot", "e2e" 
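Review bot: The rewritten `tokens_count_strategy` description in the `@@ -36,48 +13,56 @@` hunk names its values with underscores (`total_tokens`, `prompt_tokens`, `completion_tokens`), while the `one_of` list and the default directly below it use hyphens (`total-tokens`, `prompt-tokens`, `completion-tokens`, `cost`). A comma is also missing after the first name. A value copied from the rendered description would presumably be rejected by the `one_of` check, so the sentence should read `Available values are: total-tokens, prompt-tokens, completion-tokens and cost.` The `balancer` record that holds this field continues past the hunk.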
@@ -86,9 +71,9 @@ }, { "hash_on_header": { - "default": "X-Kong-LLM-Request-ID", "description": "The header to use for consistent-hashing.", - "type": "string" + "type": "string", + "default": "X-Kong-LLM-Request-ID" } }, { 
@@ -115,39 +100,110 @@ }, { "connect_timeout": { - "default": 60000, + "type": "integer", "between": [ 1, 2147483646 ], - "type": "integer" + "default": 60000 } }, { "write_timeout": { - "default": 60000, + "type": "integer", "between": [ 1, 2147483646 ], - "type": "integer" + "default": 60000 } }, { "read_timeout": { - "default": 60000, + "type": "integer", "between": [ 1, 2147483646 ], - "type": "integer" + "default": 60000 + } + }, + { + "failover_criteria": { + "default": [ + "error", + "timeout" + ], + "description": "Specifies in which cases an upstream response should be failover to the next target. Each option in the array is equivalent to the function of http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream", + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "error", + "timeout", + "invalid_header", + "http_500", + "http_502", + "http_503", + "http_504", + "http_403", + "http_404", + "http_429", + "non_idempotent" + ] + } } } - ] + ], + "required": true } }, { "embeddings": { + "entity_checks": [ + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.instance" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.api_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.deployment_id" + ] + } + } + ], "fields": [ { "auth": { 
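Review bot: The new `failover_criteria` field offers `non_idempotent`, `http_403` and `http_429` as options, but its description only points at the nginx `proxy_next_upstream` page and does not say what a failover means for an LLM request. If the options behave as they do in nginx, `non_idempotent` allows a request already sent to one target to be sent again to the next, so the same prompt body can reach a second provider; operators should be told that before they opt in. The description would read better as `Specifies in which cases a request should fail over to the next target.` plus one sentence on the re-send, and the reference link could use the `https` scheme. The `balancer` record that holds this field starts before the hunk.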
@@ -156,15 +212,15 @@ "header_name": { "referenceable": true, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "header_value": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "referenceable": true } @@ -173,15 +229,15 @@ "param_name": { "referenceable": true, "description": "If AI model requires authentication via query parameter, specify its name here.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "param_value": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Specify the full parameter value for 'param_name'.", "referenceable": true } 
@@ -193,31 +249,31 @@ "body" ], "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "azure_use_managed_identity": { "default": false, "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "azure_client_id": { "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "azure_client_secret": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "referenceable": true } @@ -226,23 +282,23 @@ "azure_tenant_id": { "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "gcp_use_service_account": { "default": false, "description": "Use service account auth for GCP-based providers and models.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "gcp_service_account_json": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "referenceable": true } 
@@ -250,8 +306,8 @@ { "aws_access_key_id": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "referenceable": true } @@ -259,8 +315,8 @@ { "aws_secret_access_key": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "referenceable": true } @@ -269,13 +325,13 @@ "allow_override": { "default": false, "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } } ], - "required": false, - "type": "record" + "type": "record", + "required": false } }, { @@ -285,18 +341,22 @@ "provider": { "one_of": [ "openai", - "mistral" + "mistral", + "huggingface", + "azure", + "bedrock", + "gemini" ], "description": "AI provider format to use for embeddings API", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "name": { "description": "Model name to execute.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { 
@@ -305,24 +365,156 @@ { "upstream_url": { "description": "upstream url for the embeddings", - "required": false, - "type": "string" + "type": "string", + "required": false + } + }, + { + "azure": { + "fields": [ + { + "instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string", + "required": false + } + }, + { + "api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string", + "required": false + } + }, + { + "deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string", + "required": false + } + } + ], + "type": "record", + "required": true + } + }, + { + "bedrock": { + "entity_checks": [ + { + "mutually_required": [ + "aws_assume_role_arn", + "aws_role_session_name" + ] + } + ], + "fields": [ + { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string", + "required": false + } + }, + { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string", + "required": false + } + }, + { + "aws_role_session_name": { + "type": "string", + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session." + } + }, + { + "aws_sts_endpoint_url": { + "type": "string", + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." 
+ } + } + ], + "type": "record", + "required": false + } + }, + { + "gemini": { + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], + "fields": [ + { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string", + "required": false + } + }, + { + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string", + "required": false + } + }, + { + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string", + "required": false + } + } + ], + "type": "record", + "required": false + } + }, + { + "huggingface": { + "fields": [ + { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean", + "required": false + } + }, + { + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean", + "required": false + } + } + ], + "type": "record", + "required": false } } ], "description": "Key/value settings for the model", - "required": false, - "type": "record" + "type": "record", + "required": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } ], - "required": false, - "type": "record" + "type": "record", + "required": false } }, { @@ -331,25 +523,26 @@ { "strategy": { "one_of": [ - "redis" + "redis", + "pgvector" ], "description": "which vector database driver to use", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "dimensions": { "description": "the desired dimensionality for the vectors", - "required": true, - "type": "integer" + "type": "integer", + "required": true } }, { "threshold": { "description": "the default similarity threshold for accepting semantic search results (float)", - "required": true, - "type": "number" + "type": "number", + "required": true } }, { 
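Review bot: In the `@@ -305,24 +365,156 @@` hunk, the new `bedrock` option `aws_sts_endpoint_url` is a bare `string` with no constraint on scheme or shape. The role-assumption exchange it describes would therefore go to whatever value is configured, including a plain-http URL. If only TLS endpoints are meant to be supported, a constraint such as `"starts_with": "https://"` on that field would reject a mistyped or downgraded endpoint at configuration time. `aws_role_session_name` and `aws_sts_endpoint_url` also omit the `"required": false` that the other fields in the same record carry, and adding it would keep the record uniform. The enclosing record (presumably `model.options`) starts before this hunk.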
@@ -359,331 +552,200 @@ "euclidean" ], "description": "the distance metric to use for vector searches", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "redis": { - "required": true, - "type": "record", - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, + "fields": [ { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] + "host": { + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "type": "string" + } }, { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] } }, { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 ] } }, { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 ] } }, { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 ] } - } - ], - "shorthand_fields": [ + }, { - "timeout": { - "type": "integer", - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - } - } - }, - { - "sentinel_addresses": { - "elements": { - "type": "string" - }, - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "len_min": 1, - "type": "array" - } - }, - { - "cluster_addresses": { - "elements": { - "type": "string" - }, - "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "len_min": 1, - "type": "array" - } - } - ], - "fields": [ - { - "host": { - "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com.", - "type": "string" - } - }, - { - "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "between": [ - 0, - 65535 - ], - "type": "integer" - } - }, - { - "connect_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "between": [ - 0, - 2147483646 - ], - "type": "integer" - } - }, - { - "send_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", - "between": [ - 0, - 2147483646 - ], - "type": "integer" - } - }, - { - "read_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "between": [ - 0, - 2147483646 - ], - "type": "integer" - } - }, - { - "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true } }, { "password": { - "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { - "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, { "keepalive_pool_size": { - "default": 256, + "type": "integer", "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, "between": [ 1, 2147483646 - ], - "type": "integer" + ] } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + ] } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string" + ] } }, { "sentinel_nodes": { - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { + "type": "record", "fields": [ { "host": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { "default": 6379, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer" + ] } } - ], - "type": "record" + ] }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { + "type": "record", "fields": [ { "ip": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { "default": 6379, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer" + ] } } - ], - "type": "record" + ] }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, 
@@ -691,219 +753,308 @@ "ssl": { "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "ssl_verify": { "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "server_name": { "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "cluster_max_redirections": { "default": 5, "description": "Maximum retry attempts for redirection.", - "required": false, - "type": "integer" + "type": "integer", + "required": false } }, { "connection_is_proxied": { "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } } - ] - } - } - ], - "required": false, - "type": "record" - } - }, - { - "response_streaming": { - "required": false, - "type": "string", - "default": "allow", - "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", - "one_of": [ - "allow", - "deny", - "always" - ] - } - }, - { - "max_request_body_size": { - "default": 8192, - "description": "max allowed body size allowed to be introspected", - "gt": 0, - "type": "integer" - } - }, - { - "model_name_header": { - "default": true, - "description": "Display the model name selected in the X-Kong-LLM-Model response header", - "type": "boolean" - } - }, - { - "targets": { - "elements": { - "entity_checks": [ - { - "conditional": { - "then_err": "bedrock and gemini only support auth.allow_override = false", - "if_match": { - "one_of": [ - "bedrock", - "gemini" + ], + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" ] }, - "then_field": "auth.allow_override", - "if_field": "model.provider", - "then_match": { - "eq": false - } - } - }, - { - "mutually_required": [ - "auth.header_name", - "auth.header_value" - ] - }, - { - "mutually_required": [ - "auth.param_name", - "auth.param_value", - "auth.param_location" - ] - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "llama2" + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" ] }, - "then_err": "must set %s for llama2 provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.llama2_format" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "mistral" + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" ] }, - "then_err": "must set %s for mistral provider", - "if_field": "model.provider", - 
"then_at_least_one_of": [ - "model.options.mistral_format" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "anthropic" - ] + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } }, - "then_err": "must set %s for anthropic provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.anthropic_version" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_instance" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_api_version" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", + "required": true, + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + } + } }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - 
"then_at_least_one_of": [ - "model.options.azure_deployment_id" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "llama2" - ] + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + } + } }, - "then_err": "must set %s for self-hosted providers/models", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.upstream_url" - ] - } - }, - { - "custom_entity_check": { - "field_sources": [ - "route_type", - "model", - "logging" - ] - } + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + } + } + } + ] } - ], - "type": "record", + }, + { + "pgvector": { + "fields": [ + { + "host": { + "description": "the host of the pgvector database", + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "the port of the pgvector database", + "type": "integer", + "default": 5432 + } + }, + { + "user": { + "default": "postgres", + "description": "the user of the pgvector database", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "encrypted": true, + "description": "the password of the pgvector database", + "type": "string", + "referenceable": true + } + }, + { + "database": { + "description": "the database of the pgvector database", + "type": "string", + "default": "kong-pgvector" + } + }, + { + "timeout": { + "description": "the timeout of the pgvector database", + "type": "number", + "default": 5000 + } + }, + { + "ssl": { + "description": "whether to use ssl for the pgvector 
database", + "type": "boolean", + "default": false + } + }, + { + "ssl_required": { + "description": "whether ssl is required for the pgvector database", + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "description": "whether to verify ssl for the pgvector database", + "type": "boolean", + "default": false + } + }, + { + "ssl_version": { + "default": "tlsv1_2", + "description": "the ssl version to use for the pgvector database", + "type": "string", + "one_of": [ + "tlsv1_2", + "tlsv1_3", + "any" + ] + } + }, + { + "ssl_cert": { + "type": "string", + "description": "the path of ssl cert to use for the pgvector database" + } + }, + { + "ssl_cert_key": { + "type": "string", + "description": "the path of ssl cert key to use for the pgvector database" + } + } + ], + "type": "record", + "required": true + } + } + ], + "type": "record", + "required": false + } + }, + { + "response_streaming": { + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "type": "string", + "required": false, + "default": "allow", + "one_of": [ + "allow", + "deny", + "always" + ] + } + }, + { + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "gt": 0, + "type": "integer" + } + }, + { + "model_name_header": { + "description": "Display the model name selected in the X-Kong-LLM-Model response header", + "type": "boolean", + "default": true + } + }, + { + "targets": { + "elements": { "required": true, "fields": [ { @@ -914,8 +1065,8 @@ "preserve" ], "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { 
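Review bot: The new `pgvector` record defaults `ssl`, `ssl_required` and `ssl_verify` to `false`, so a configuration that sets only `host`, `user` and `password` would, as far as the schema shows, send the database credentials over a connection that is neither encrypted nor authenticated. The three descriptions do not say how the flags interact or that certificate verification is off by default. I would state that on the field itself, e.g. `"description": "whether to verify the server certificate of the pgvector database; off by default, enable it together with ssl for any non-local database"`. If this file is an export of the plugin schema, the wording has to change in the plugin source rather than here.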
@@ -925,15 +1076,15 @@ "header_name": { "referenceable": true, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "header_value": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "referenceable": true } @@ -942,15 +1093,15 @@ "param_name": { "referenceable": true, "description": "If AI model requires authentication via query parameter, specify its name here.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "param_value": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Specify the full parameter value for 'param_name'.", "referenceable": true } 
@@ -962,31 +1113,31 @@ "body" ], "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "azure_use_managed_identity": { "default": false, "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "azure_client_id": { "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "azure_client_secret": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "referenceable": true } 
@@ -995,23 +1146,23 @@ "azure_tenant_id": { "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "gcp_use_service_account": { "default": false, "description": "Use service account auth for GCP-based providers and models.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "gcp_service_account_json": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "referenceable": true } @@ -1019,8 +1170,8 @@ { "aws_access_key_id": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "referenceable": true } @@ -1028,8 +1179,8 @@ { "aws_secret_access_key": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "referenceable": true } 
@@ -1038,13 +1189,13 @@ "allow_override": { "default": false, "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } } ], - "required": false, - "type": "record" + "type": "record", + "required": false } }, { @@ -1064,15 +1215,15 @@ "huggingface" ], "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "name": { "description": "Model name to execute.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -1080,26 +1231,25 @@ "fields": [ { "max_tokens": { - "default": 256, "description": "Defines the max_tokens, if using chat or completion models.", - "required": false, - "type": "integer" + "type": "integer", + "required": false } }, { "input_cost": { "gt": 0, "description": "Defines the cost per 1M tokens in your prompt.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "output_cost": { "gt": 0, "description": "Defines the cost per 1M tokens in the output of the AI.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { @@ -1109,8 +1259,8 @@ 5 ], "description": "Defines the matching temperature, if using chat or completion models.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { @@ -1120,8 +1270,8 @@ 1 ], "description": "Defines the top-p probability mass, if supported.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { 
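Review bot: In the `@@ -1080,26 +1231,25 @@` hunk, `max_tokens` loses its `"default": 256` and nothing replaces it, while the description is unchanged. Without a schema default, the response-size cap presumably falls to whatever the provider applies, which matters for cost control on an exposed route. The description should say what happens when the field is unset, e.g. `"description": "Defines the max_tokens, if using chat or completion models. No default: if unset, the provider's own limit applies."`, once that behaviour is confirmed against the plugin. The same removal appears in schemas/ai-proxy/3.10.x.json at `@@ -342,26 +337,25 @@`.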
@@ -1131,37 +1281,37 @@ 500 ], "description": "Defines the top-k most likely tokens, if supported.", - "required": false, - "type": "integer" + "type": "integer", + "required": false } }, { "anthropic_version": { "description": "Defines the schema/API version, if using Anthropic provider.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "azure_instance": { "description": "Instance name for Azure OpenAI hosted models.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "azure_api_version": { "default": "2023-05-15", "description": "'api-version' for Azure OpenAI instances.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "azure_deployment_id": { "description": "Deployment ID for Azure OpenAI instances.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -1172,8 +1322,8 @@ "ollama" ], "description": "If using llama2 provider, select the upstream message format.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -1183,22 +1333,26 @@ "ollama" ], "description": "If using mistral provider, select the upstream message format.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_url": { "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_path": { + "deprecation": { + "removal_in_version": "4.0", + "message": "llm: config.model.options.upstream_path is deprecated, please use config.model.options.upstream_url instead" + }, "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { 
@@ -1216,42 +1370,69 @@ { "api_endpoint": { "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "project_id": { "description": "If running Gemini on Vertex, specify the project ID.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "location_id": { "description": "If running Gemini on Vertex, specify the location ID.", - "required": false, - "type": "string" + "type": "string", + "required": false } } ], - "required": false, - "type": "record" + "type": "record", + "required": false } }, { "bedrock": { + "entity_checks": [ + { + "mutually_required": [ + "aws_assume_role_arn", + "aws_role_session_name" + ] + } + ], "fields": [ { "aws_region": { "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", - "required": false, - "type": "string" + "type": "string", + "required": false + } + }, + { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string", + "required": false + } + }, + { + "aws_role_session_name": { + "type": "string", + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session." + } + }, + { + "aws_sts_endpoint_url": { + "type": "string", + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." } } ], - "required": false, - "type": "record" + "type": "record", + "required": false } }, { 
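Review bot: `aws_sts_endpoint_url` in the new `bedrock` fields is a bare `string` with no format or scheme constraint visible in the schema, although it decides where the role-assumption request is sent. The description should at least tell operators what is expected, e.g. `"description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role. Use an https:// endpoint you trust, since role-assumption requests are sent to it."`. Separately, `aws_role_session_name` and `aws_sts_endpoint_url` omit the `"required": false` that `aws_region` and `aws_assume_role_arn` carry, and adding it would keep the record consistent. The same fields are added in schemas/ai-proxy/3.10.x.json at `@@ -478,42 +476,69 @@`.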
@@ -1260,31 +1441,31 @@ { "use_cache": { "description": "Use the cache layer on the inference API", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "wait_for_model": { "description": "Wait for the model if it is not ready", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } } ], - "required": false, - "type": "record" + "type": "record", + "required": false } } ], "description": "Key/value settings for the model", - "required": false, - "type": "record" + "type": "record", + "required": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -1300,9 +1481,9 @@ }, { "description": { - "description": "The semantic description of the target, required if using semantic load balancing.", - "required": false, - "type": "string" + "description": "The semantic description of the target, required if using semantic load balancing. Specially, setting this to 'CATCHALL' will indicate such target to be used when no other targets match the semantic threshold.", + "type": "string", + "required": false } }, { 
@@ -1312,32 +1493,209 @@ "log_statistics": { "default": false, "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "log_payloads": { "default": false, "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "type": "record", + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "bedrock", + "gemini" + ] + }, + "then_field": "auth.allow_override", + "if_field": "model.provider", + "then_match": { + "eq": false + }, + "then_err": "bedrock and gemini only support auth.allow_override = false" + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for llama2 provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + 
"if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] } } ] }, - "required": true, - "type": "array" + "type": "array", + "required": true + } + }, + { + "llm_format": { + "description": "LLM input and output format and schema to use", + "type": "string", + "required": false, + "default": "openai", + "one_of": [ + "openai", + "bedrock", + "gemini" + ] } } ], - "required": true, - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.targets", + "config.balancer" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.targets", + "config.balancer" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.targets", + "config.llm_format" + ] } } ] diff --git a/schemas/ai-proxy/3.10.x.json b/schemas/ai-proxy/3.10.x.json index d66b2f6d..b7d11799 100644 --- a/schemas/ai-proxy/3.10.x.json +++ b/schemas/ai-proxy/3.10.x.json 
@@ -1,19 +1,10 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -22,7 +13,13 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { @@ -30,7 +27,6 @@ "entity_checks": [ { "conditional": { - "then_err": "bedrock and gemini only support auth.allow_override = false", "if_match": { "one_of": [ "bedrock", @@ -41,7 +37,8 @@ "if_field": "model.provider", "then_match": { "eq": false - } + }, + "then_err": "bedrock and gemini only support auth.allow_override = false" } }, { @@ -165,8 +162,6 @@ } } ], - "type": "record", - "required": true, "fields": [ { "route_type": { @@ -176,8 +171,8 @@ "preserve" ], "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { @@ -187,15 +182,15 @@ "header_name": { "referenceable": true, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "header_value": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "referenceable": true } 
@@ -204,15 +199,15 @@ "param_name": { "referenceable": true, "description": "If AI model requires authentication via query parameter, specify its name here.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "param_value": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Specify the full parameter value for 'param_name'.", "referenceable": true } @@ -224,31 +219,31 @@ "body" ], "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "azure_use_managed_identity": { "default": false, "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "azure_client_id": { "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "azure_client_secret": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "referenceable": true } 
@@ -257,23 +252,23 @@ "azure_tenant_id": { "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "gcp_use_service_account": { "default": false, "description": "Use service account auth for GCP-based providers and models.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "gcp_service_account_json": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "referenceable": true } @@ -281,8 +276,8 @@ { "aws_access_key_id": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "referenceable": true } @@ -290,8 +285,8 @@ { "aws_secret_access_key": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "referenceable": true } 
@@ -300,13 +295,13 @@ "allow_override": { "default": false, "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } } ], - "required": false, - "type": "record" + "type": "record", + "required": false } }, { @@ -326,15 +321,15 @@ "huggingface" ], "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "name": { "description": "Model name to execute.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -342,26 +337,25 @@ "fields": [ { "max_tokens": { - "default": 256, "description": "Defines the max_tokens, if using chat or completion models.", - "required": false, - "type": "integer" + "type": "integer", + "required": false } }, { "input_cost": { "gt": 0, "description": "Defines the cost per 1M tokens in your prompt.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "output_cost": { "gt": 0, "description": "Defines the cost per 1M tokens in the output of the AI.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { @@ -371,8 +365,8 @@ 5 ], "description": "Defines the matching temperature, if using chat or completion models.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { @@ -382,8 +376,8 @@ 1 ], "description": "Defines the top-p probability mass, if supported.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { 
@@ -393,37 +387,37 @@ 500 ], "description": "Defines the top-k most likely tokens, if supported.", - "required": false, - "type": "integer" + "type": "integer", + "required": false } }, { "anthropic_version": { "description": "Defines the schema/API version, if using Anthropic provider.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "azure_instance": { "description": "Instance name for Azure OpenAI hosted models.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "azure_api_version": { "default": "2023-05-15", "description": "'api-version' for Azure OpenAI instances.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "azure_deployment_id": { "description": "Deployment ID for Azure OpenAI instances.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -434,8 +428,8 @@ "ollama" ], "description": "If using llama2 provider, select the upstream message format.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -445,22 +439,26 @@ "ollama" ], "description": "If using mistral provider, select the upstream message format.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_url": { "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_path": { + "deprecation": { + "removal_in_version": "4.0", + "message": "llm: config.model.options.upstream_path is deprecated, please use config.model.options.upstream_url instead" + }, "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { 
@@ -478,42 +476,69 @@ { "api_endpoint": { "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "project_id": { "description": "If running Gemini on Vertex, specify the project ID.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "location_id": { "description": "If running Gemini on Vertex, specify the location ID.", - "required": false, - "type": "string" + "type": "string", + "required": false } } ], - "required": false, - "type": "record" + "type": "record", + "required": false } }, { "bedrock": { + "entity_checks": [ + { + "mutually_required": [ + "aws_assume_role_arn", + "aws_role_session_name" + ] + } + ], "fields": [ { "aws_region": { "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", - "required": false, - "type": "string" + "type": "string", + "required": false + } + }, + { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string", + "required": false + } + }, + { + "aws_role_session_name": { + "type": "string", + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session." + } + }, + { + "aws_sts_endpoint_url": { + "type": "string", + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." } } ], - "required": false, - "type": "record" + "type": "record", + "required": false } }, { 
@@ -522,31 +547,31 @@ { "use_cache": { "description": "Use the cache layer on the inference API", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "wait_for_model": { "description": "Wait for the model if it is not ready", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } } ], - "required": false, - "type": "record" + "type": "record", + "required": false } } ], "description": "Key/value settings for the model", - "required": false, - "type": "record" + "type": "record", + "required": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -556,29 +581,29 @@ "log_statistics": { "default": false, "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "log_payloads": { "default": false, "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "response_streaming": { - "required": false, + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", "type": "string", + "required": false, "default": "allow", - "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", "one_of": [ "allow", "deny", 
@@ -588,20 +613,79 @@ }, { "max_request_body_size": { - "default": 8192, - "description": "max allowed body size allowed to be introspected", "gt": 0, - "type": "integer" + "description": "max allowed body size allowed to be introspected", + "type": "integer", + "default": 8192 } }, { "model_name_header": { - "default": true, "description": "Display the model name selected in the X-Kong-LLM-Model response header", + "default": true, "type": "boolean" } + }, + { + "llm_format": { + "description": "LLM input and output format and schema to use", + "type": "string", + "required": false, + "default": "openai", + "one_of": [ + "openai", + "bedrock", + "gemini" + ] + } } - ] + ], + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "bedrock", + "gemini" + ] + }, + "then_field": "config.route_type", + "if_field": "config.llm_format", + "then_match": { + "eq": "llm/v1/chat" + }, + "then_err": "native provider options in llm_format can only be used with the 'llm/v1/chat' route_type" + } + }, + { + "conditional": { + "if_match": { + "eq": "bedrock" + }, + "then_field": "config.model.provider", + "if_field": "config.llm_format", + "then_match": { + "eq": "bedrock" + }, + "then_err": "native llm_format 'bedrock' can only be used with the 'bedrock' model.provider" + } + }, + { + "conditional": { + "if_match": { + "eq": "gemini" + }, + "then_field": "config.model.provider", + "if_field": "config.llm_format", + "then_match": { + "eq": "gemini" + }, + "then_err": "native llm_format 'gemini' can only be used with the 'gemini' model.provider" } } ] diff --git a/schemas/ai-rag-injector/3.10.x.json b/schemas/ai-rag-injector/3.10.x.json index 0d13a664..19f95f57 100644 --- a/schemas/ai-rag-injector/3.10.x.json +++ b/schemas/ai-rag-injector/3.10.x.json 
@@ -2,209 +2,216 @@ "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", + "type": "set", "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "default": [ "grpc", "grpcs", "http", "https" - ], - "type": "set", - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { + "type": "record", "fields": [ { "stop_on_failure": { "type": "boolean", + "description": "Halt the LLM request process in case of a vectordb or embeddings service failure", "default": false, - "required": true, - "description": "Halt the LLM request process in case of a vectordb or embeddings service failure" + "required": true } }, { "inject_as_role": { + "required": true, + "type": "string", + "default": "user", "one_of": [ "system", "assistant", "user" - ], - "default": "user", - "required": true, - "type": "string" + ] } }, { "inject_template": { + "type": "string", "default": "\n", - "required": true, - "type": "string" + "required": true } }, { "fetch_chunks_count": { "type": "number", + "description": "The maximum number of chunks to fetch from vectordb", "default": 5, - "required": true, - "description": "The maximum number of chunks to fetch from vectordb" + "required": true } }, { "vectordb_namespace": { "type": "string", + "description": "The namespace of the vectordb to use for embeddings lookup", "default": "kong_rag_injector", - "required": true, - "description": "The namespace of the vectordb to use for embeddings lookup" + "required": true } }, { "embeddings": { + "required": true, + "type": "record", "fields": [ { "auth": { + "type": "record", "fields": [ { "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", - "referenceable": true, "required": false, - "type": "string" + "description": "If AI model requires authentication via Authorization or API key header, 
specify its name here.", + "type": "string", + "referenceable": true } }, { "header_value": { - "encrypted": true, - "required": false, + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "type": "string", - "referenceable": true, - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." + "required": false, + "encrypted": true, + "referenceable": true } }, { "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", - "referenceable": true, "required": false, - "type": "string" + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string", + "referenceable": true } }, { "param_value": { - "encrypted": true, - "required": false, + "description": "Specify the full parameter value for 'param_name'.", "type": "string", - "referenceable": true, - "description": "Specify the full parameter value for 'param_name'." 
+ "required": false, + "encrypted": true, + "referenceable": true } }, { "param_location": { + "required": false, + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "one_of": [ "query", "body" - ], - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", - "required": false, - "type": "string" + ] } }, { "azure_use_managed_identity": { + "type": "boolean", "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "default": false, - "required": false, - "type": "boolean" + "required": false } }, { "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", - "referenceable": true, "required": false, - "type": "string" + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string", + "referenceable": true } }, { "azure_client_secret": { - "encrypted": true, - "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "type": "string", - "referenceable": true, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." 
+ "required": false, + "encrypted": true, + "referenceable": true } }, { "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", - "referenceable": true, "required": false, - "type": "string" + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string", + "referenceable": true } }, { "gcp_use_service_account": { + "type": "boolean", "description": "Use service account auth for GCP-based providers and models.", "default": false, - "required": false, - "type": "boolean" + "required": false } }, { "gcp_service_account_json": { - "encrypted": true, - "required": false, + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "type": "string", - "referenceable": true, - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`." + "required": false, + "encrypted": true, + "referenceable": true } }, { "aws_access_key_id": { - "encrypted": true, - "required": false, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "type": "string", - "referenceable": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance." 
+ "required": false, + "encrypted": true, + "referenceable": true } }, { "aws_secret_access_key": { - "encrypted": true, - "required": false, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "type": "string", - "referenceable": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance." + "required": false, + "encrypted": true, + "referenceable": true } }, { "allow_override": { + "type": "boolean", "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "default": false, - "required": false, - "type": "boolean" + "required": false } } ], - "required": false, - "type": "record" + "required": false } }, { "model": { + "type": "record", "fields": [ { "provider": { + "required": true, + "description": "AI provider format to use for embeddings API", + "type": "string", "one_of": [ "openai", "mistral", 
@@ -212,101 +219,127 @@ "azure", "bedrock", "gemini" - ], - "description": "AI provider format to use for embeddings API", - "required": true, - "type": "string" + ] } }, { "name": { "description": "Model name to execute.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "options": { + "type": "record", + "description": "Key/value settings for the model", "fields": [ { "upstream_url": { "description": "upstream url for the embeddings", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "azure": { + "type": "record", "fields": [ { "instance": { "description": "Instance name for Azure OpenAI hosted models.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "api_version": { + "type": "string", "description": "'api-version' for Azure OpenAI instances.", "default": "2023-05-15", - "required": false, - "type": "string" + "required": false } }, { "deployment_id": { "description": "Deployment ID for Azure OpenAI instances.", - "required": false, - "type": "string" + "type": "string", + "required": false } } ], - "required": true, - "type": "record" + "required": true } }, { "bedrock": { + "required": false, + "type": "record", "fields": [ { "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string", + "required": false + } + }, + { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string", + "required": false + } + }, + { + "aws_role_session_name": { + "type": "string", + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session." 
+ } + }, + { + "aws_sts_endpoint_url": { "type": "string", - "required": false, - "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option." + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." } } ], - "required": false, - "type": "record" + "entity_checks": [ + { + "mutually_required": [ + "aws_assume_role_arn", + "aws_role_session_name" + ] + } + ] } }, { "gemini": { + "required": false, + "type": "record", "fields": [ { "api_endpoint": { "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "project_id": { "description": "If running Gemini on Vertex, specify the project ID.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "location_id": { "description": "If running Gemini on Vertex, specify the location ID.", - "required": false, - "type": "string" + "type": "string", + "required": false } } ], - "type": "record", - "required": false, "entity_checks": [ { "mutually_required": [ @@ -320,40 +353,35 @@ }, { "huggingface": { + "type": "record", "fields": [ { "use_cache": { "description": "Use the cache layer on the inference API", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "wait_for_model": { "description": "Wait for the model if it is not ready", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } } ], - "required": false, - "type": "record" + "required": false } } ], - "type": "record", - "required": false, - "description": "Key/value settings for the model" + "required": false } } ], - "required": true, - "type": "record" + "required": true } } ], - "type": "record", - "required": true, "entity_checks": [ { "conditional_at_least_one_of": { 
@@ -362,11 +390,11 @@ "azure" ] }, + "then_err": "must set %s for azure provider", "if_field": "model.provider", "then_at_least_one_of": [ "model.options.azure.instance" - ], - "then_err": "must set %s for azure provider" + ] } }, { @@ -376,11 +404,11 @@ "azure" ] }, + "then_err": "must set %s for azure provider", "if_field": "model.provider", "then_at_least_one_of": [ "model.options.azure.api_version" - ], - "then_err": "must set %s for azure provider" + ] } }, { @@ -390,11 +418,11 @@ "azure" ] }, + "then_err": "must set %s for azure provider", "if_field": "model.provider", "then_at_least_one_of": [ "model.options.azure.deployment_id" - ], - "then_err": "must set %s for azure provider" + ] } } ] @@ -409,16 +437,16 @@ "redis", "pgvector" ], + "description": "which vector database driver to use", "type": "string", - "required": true, - "description": "which vector database driver to use" + "required": true } }, { "dimensions": { + "description": "the desired dimensionality for the vectors", "type": "integer", - "required": true, - "description": "the desired dimensionality for the vectors" + "required": true } }, { 
@@ -427,314 +455,313 @@ "cosine", "euclidean" ], + "description": "the distance metric to use for vector searches", "type": "string", - "required": true, - "description": "the distance metric to use for vector searches" + "required": true } }, { "redis": { - "required": true, - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - }, - "if_match": { - "eq": true - } - } - }, - { - "custom_entity_check": { - "field_sources": [ - "database", - "connection_is_proxied" - ], - "run_with_missing_fields": true - } - }, - { - "custom_entity_check": { - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ], - "run_with_missing_fields": true - } - }, - { - "custom_entity_check": { - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ], - "run_with_missing_fields": true - } - } - ], "fields": [ { "host": { + "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "type": "string", - "description": "A string representing a host name, such as example.com." + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "encrypted": true, "type": "string", - "referenceable": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + "referenceable": true } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", "encrypted": true, "type": "string", - "referenceable": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + "referenceable": true } }, { "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, - "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "type": "integer" } }, { "keepalive_pool_size": { "type": "integer", + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "default": 256, "between": [ 1, 2147483646 - ], - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + ] } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + ] } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "type": "array", "required": false, "elements": { + "type": "record", "fields": [ { "host": { - "type": "string", "default": "127.0.0.1", - "required": true, - "description": "A string representing a host name, such as example.com." 
+ "description": "A string representing a host name, such as example.com.", + "type": "string", + "required": true } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } } - ], - "type": "record" + ] }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "len_min": 1, - "type": "array" + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "type": "array", "required": false, "elements": { + "type": "record", "fields": [ { "ip": { - "type": "string", "default": "127.0.0.1", - "required": true, - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string", + "required": true } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } } - ], - "type": "record" + ] }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", - "len_min": 1, - "type": "array" + "len_min": 1 } }, { "ssl": { - "type": "boolean", "default": false, - "required": false, - "description": "If set to true, uses SSL to connect to Redis." + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean", + "required": false } }, { "ssl_verify": { - "type": "boolean", "default": false, - "required": false, - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean", + "required": false } }, { "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string", - "required": false, - "description": "A string representing an SNI (server name indication) value for TLS." + "required": false } }, { "cluster_max_redirections": { - "type": "integer", "default": 5, - "required": false, - "description": "Maximum retry attempts for redirection." + "description": "Maximum retry attempts for redirection.", + "type": "integer", + "required": false } }, { "connection_is_proxied": { - "type": "boolean", "default": false, - "required": false, - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address." + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean", + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] } } ], "type": "record", + "required": true, "shorthand_fields": [ { "timeout": { "type": "integer", "deprecation": { "removal_in_version": "4.0", - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", "replaced_with": [ { "path": [ @@ -751,7 +778,8 @@ "read_timeout" ] } - ] + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" } } }, @@ -760,19 +788,19 @@ "elements": { "type": "string" }, + "len_min": 1, + "type": "array", "deprecation": { "removal_in_version": "4.0", - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] - }, - "len_min": 1, - "type": "array" + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + } } }, { 
@@ -780,19 +808,19 @@ "elements": { "type": "string" }, + "len_min": 1, + "type": "array", "deprecation": { "removal_in_version": "4.0", - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] - }, - "len_min": 1, - "type": "array" + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + } } } ] 
@@ -803,53 +831,105 @@ "fields": [ { "host": { - "default": "127.0.0.1", + "description": "the host of the pgvector database", "type": "string", - "description": "the host of the pgvector database" + "default": "127.0.0.1" } }, { "port": { - "default": 5432, + "description": "the port of the pgvector database", "type": "integer", - "description": "the port of the pgvector database" + "default": 5432 } }, { "user": { - "referenceable": true, "default": "postgres", + "description": "the user of the pgvector database", "type": "string", - "description": "the user of the pgvector database" + "referenceable": true } }, { "password": { "encrypted": true, - "referenceable": true, + "description": "the password of the pgvector database", "type": "string", - "description": "the password of the pgvector database" + "referenceable": true } }, { "database": { "description": "the database of the pgvector database", - "type": "string" + "type": "string", + "default": "kong-pgvector" + } + }, + { + "timeout": { + "description": "the timeout of the pgvector database", + "type": "number", + "default": 5000 + } + }, + { + "ssl": { + "description": "whether to use ssl for the pgvector database", + "type": "boolean", + "default": false + } + }, + { + "ssl_required": { + "description": "whether ssl is required for the pgvector database", + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "description": "whether to verify ssl for the pgvector database", + "type": "boolean", + "default": false + } + }, + { + "ssl_version": { + "default": "tlsv1_2", + "description": "the ssl version to use for the pgvector database", + "type": "string", + "one_of": [ + "tlsv1_2", + "tlsv1_3", + "any" + ] + } + }, + { + "ssl_cert": { + "type": "string", + "description": "the path of ssl cert to use for the pgvector database" + } + }, + { + "ssl_cert_key": { + "type": "string", + "description": "the path of ssl cert key to use for the pgvector database" } } ], - "required": true, - 
"type": "record" + "type": "record", + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } ], - "required": true, - "type": "record" + "required": true } } ], diff --git a/schemas/ai-rate-limiting-advanced/3.10.x.json b/schemas/ai-rate-limiting-advanced/3.10.x.json index 07010f21..130dde83 100644 --- a/schemas/ai-rate-limiting-advanced/3.10.x.json +++ b/schemas/ai-rate-limiting-advanced/3.10.x.json @@ -1,25 +1,15 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], + "supported_partials": { + "redis-ee": [ + "config.redis" + ] + }, "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -28,18 +18,25 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "type": "record", "fields": [ { "identifier": { - "required": true, + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`. Note if `identifier` is `consumer-group`, the plugin must be applied on a consumer group entity. Because a consumer may belong to multiple consumer groups, the plugin needs to know explicitly which consumer group to limit the rate.", "type": "string", + "required": true, "default": "consumer", - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", "one_of": [ "ip", "credential", 
@@ -75,16 +72,19 @@ "fields": [ { "window_size": { - "description": "The window size to apply a limit (defined in seconds).", - "required": true, - "type": "number" + "elements": { + "type": "number" + }, + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "type": "array", + "required": true } }, { "name": { - "type": "string", - "description": "The LLM provider to which the rate limit applies.", "required": true, + "description": "The LLM provider to which the rate limit applies.", + "type": "string", "one_of": [ "openai", "azure", @@ -101,24 +101,27 @@ }, { "limit": { - "description": "The limit applies to the LLM provider within the defined window size. It used the query cost from the tokens to increment the counter.", - "required": true, - "type": "number" + "elements": { + "type": "number" + }, + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "type": "array", + "required": true } } ] }, "description": "The provider config. Takes an array of `name`, `limit` and `window size` values.", - "required": true, - "type": "array" + "type": "array", + "required": true } }, { "strategy": { - "required": true, + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "type": "string", + "required": true, "default": "local", - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "one_of": [ "cluster", "redis", 
@@ -130,21 +133,21 @@ "dictionary_name": { "default": "kong_rate_limiting_counters", "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "hide_client_headers": { - "default": false, "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "default": false, "type": "boolean" } }, { "retry_after_jitter_max": { - "default": 0, "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "default": 0, "type": "number" } }, 
@@ -156,236 +159,107 @@ }, { "path": { - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { - "err": "must not have empty segments", - "pattern": "//" + "pattern": "//", + "err": "must not have empty segments" } ], - "type": "string" + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string", + "starts_with": "/" } }, { "redis": { - "required": true, "type": "record", - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - 
"sentinel_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array" - } - }, - { - "cluster_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "type": "array" - } - } - ], + "required": true, "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } }, { "connect_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "send_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "read_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { - "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { - "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, 
@@ -402,12 +276,12 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + ] } }, { @@ -429,8 +303,9 @@ }, { "sentinel_nodes": { - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { "type": "record", "fields": [ 
@@ -438,31 +313,31 @@ "host": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } } ] }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { "type": "record", "fields": [ 
@@ -470,64 +345,192 @@ "ip": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } } ] }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, { "ssl": { - "default": false, + "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "ssl_verify": { - "default": false, + "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "server_name": { "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "cluster_max_redirections": { - "default": 5, + "type": "integer", "description": "Maximum retry attempts for redirection.", - "required": false, - "type": "integer" + "default": 5, + "required": false } }, { "connection_is_proxied": { - "default": false, + "type": "boolean", "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", - "required": false, - "type": "boolean" + "default": false, + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + } + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "replaced_with": [ 
+ { + "path": [ + "cluster_nodes" + ] + } + ] + } } } ] @@ -535,46 +538,46 @@ }, { "disable_penalty": { - "default": false, "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type and the request prompt provider.", + "default": false, "type": "boolean" } }, { "request_prompt_count_function": { "description": "If defined, it use custom function to count requests for the request prompt provider", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "error_code": { - "gt": 0, + "type": "number", "description": "Set a custom error code to return when the rate limit is exceeded.", - "default": 429, - "type": "number" + "gt": 0, + "default": 429 } }, { "error_message": { - "default": "AI token rate limit exceeded for provider(s): ", "description": "Set a custom error message to return when the rate limit is exceeded.", + "default": "AI token rate limit exceeded for provider(s): ", "type": "string" } }, { "error_hide_providers": { - "default": false, "description": "Optionally hide informative response that would otherwise provide information about the provider in the error message.", + "default": false, "type": "boolean" } }, { "tokens_count_strategy": { - "required": true, + "description": "What tokens to use for cost calculation. Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` or `cost`.", "type": "string", + "required": true, "default": "total_tokens", - "description": "What tokens to use for cost calculation. Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` or `cost`.", "one_of": [ "total_tokens", "prompt_tokens", 
@@ -582,10 +585,31 @@ "cost" ] } + }, + { + "llm_format": { + "description": "LLM input and output format and schema to use", + "type": "string", + "required": false, + "default": "openai", + "one_of": [ + "openai", + "bedrock", + "gemini" + ] + } } ], - "required": true, - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/ai-request-transformer/3.10.x.json b/schemas/ai-request-transformer/3.10.x.json index 1373c841..fe8465c3 100644 --- a/schemas/ai-request-transformer/3.10.x.json +++ b/schemas/ai-request-transformer/3.10.x.json @@ -1,45 +1,10 @@ { - "entity_checks": [ - { - "conditional": { - "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", - "if_match": { - "not_one_of": [ - "llm/v1/chat" - ] - }, - "then_field": "config.llm.route_type", - "if_field": "config.llm.route_type", - "then_match": { - "eq": "llm/v1/chat" - } - } - }, - { - "mutually_required": [ - "config.http_proxy_host", - "config.http_proxy_port" - ] - }, - { - "mutually_required": [ - "config.https_proxy_host", - "config.https_proxy_port" - ] - } - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -48,56 +13,63 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "config": { + "type": "record", "fields": [ { "prompt": { "description": "Use this prompt to tune the LLM system/assistant message for the incoming proxy request (from the client), and what you are expecting in return.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "transformation_extract_pattern": { "description": "Defines the regular expression that must match to indicate a successful AI transformation at the request phase. The first match will be set as the outgoing body. If the AI service's response doesn't match this pattern, it is marked as a failure.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "http_timeout": { - "default": 60000, + "type": "integer", "description": "Timeout in milliseconds for the AI upstream service.", - "required": true, - "type": "integer" + "default": 60000, + "required": true } }, { "https_verify": { - "default": true, + "type": "boolean", "description": "Verify the TLS certificate of the AI upstream service.", - "required": true, - "type": "boolean" + "default": true, + "required": true } }, { "max_request_body_size": { "gt": 0, "description": "max allowed body size allowed to be introspected", - "default": 8192, - "type": "integer" + "type": "integer", + "default": 8192 } }, { 
@@ -108,12 +80,12 @@ }, { "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + ] } }, { @@ -124,12 +96,12 @@ }, { "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + ] } }, { @@ -137,7 +109,6 @@ "entity_checks": [ { "conditional": { - "then_err": "bedrock and gemini only support auth.allow_override = false", "if_match": { "one_of": [ "bedrock", @@ -148,7 +119,8 @@ "if_field": "model.provider", "then_match": { "eq": false - } + }, + "then_err": "bedrock and gemini only support auth.allow_override = false" } }, { @@ -272,12 +244,13 @@ } } ], + "type": "record", "fields": [ { "route_type": { - "type": "string", - "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", "required": true, + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "type": "string", "one_of": [ "llm/v1/chat", "llm/v1/completions", 
@@ -288,22 +261,21 @@ { "auth": { "type": "record", - "required": false, "fields": [ { "header_name": { "required": false, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "header_value": { - "encrypted": true, - "required": false, - "type": "string", "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, @@ -311,24 +283,24 @@ "param_name": { "required": false, "description": "If AI model requires authentication via query parameter, specify its name here.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "param_value": { - "encrypted": true, - "required": false, - "type": "string", "description": "Specify the full parameter value for 'param_name'.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, { "param_location": { - "type": "string", - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "required": false, + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "one_of": [ "query", "body" 
@@ -337,26 +309,26 @@ }, { "azure_use_managed_identity": { - "default": false, + "type": "boolean", "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "azure_client_id": { "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "azure_client_secret": { - "encrypted": true, - "required": false, - "type": "string", "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, 
@@ -364,66 +336,66 @@ "azure_tenant_id": { "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "gcp_use_service_account": { - "default": false, + "type": "boolean", "description": "Use service account auth for GCP-based providers and models.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "gcp_service_account_json": { - "encrypted": true, - "required": false, - "type": "string", "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, { "aws_access_key_id": { - "encrypted": true, - "required": false, - "type": "string", "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, { "aws_secret_access_key": { - "encrypted": true, - "required": false, - "type": "string", "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, { "allow_override": { - "default": false, + "type": "boolean", "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", - "required": false, - "type": "boolean" + "default": false, + "required": false } } - ] + ], + "required": false } }, { "model": { "type": "record", - "required": true, "fields": [ { "provider": { - "type": "string", - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "required": true, + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "type": "string", "one_of": [ "openai", "azure", 
@@ -440,107 +412,105 @@ { "name": { "description": "Model name to execute.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "options": { "type": "record", "description": "Key/value settings for the model", - "required": false, "fields": [ { "max_tokens": { - "default": 256, "description": "Defines the max_tokens, if using chat or completion models.", - "required": false, - "type": "integer" + "type": "integer", + "required": false } }, { "input_cost": { - "gt": 0, + "type": "number", "description": "Defines the cost per 1M tokens in your prompt.", - "required": false, - "type": "number" + "gt": 0, + "required": false } }, { "output_cost": { - "gt": 0, + "type": "number", "description": "Defines the cost per 1M tokens in the output of the AI.", - "required": false, - "type": "number" + "gt": 0, + "required": false } }, { "temperature": { + "type": "number", + "description": "Defines the matching temperature, if using chat or completion models.", "between": [ 0, 5 ], - "description": "Defines the matching temperature, if using chat or completion models.", - "required": false, - "type": "number" + "required": false } }, { "top_p": { + "type": "number", + "description": "Defines the top-p probability mass, if supported.", "between": [ 0, 1 ], - "description": "Defines the top-p probability mass, if supported.", - "required": false, - "type": "number" + "required": false } }, { "top_k": { + "type": "integer", + "description": "Defines the top-k most likely tokens, if supported.", "between": [ 0, 500 ], - "description": "Defines the top-k most likely tokens, if supported.", - "required": false, - "type": "integer" + "required": false } }, { "anthropic_version": { "description": "Defines the schema/API version, if using Anthropic provider.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "azure_instance": { "description": "Instance name for Azure OpenAI hosted models.", - "required": false, - 
"type": "string" + "type": "string", + "required": false } }, { "azure_api_version": { - "default": "2023-05-15", + "type": "string", "description": "'api-version' for Azure OpenAI instances.", - "required": false, - "type": "string" + "default": "2023-05-15", + "required": false } }, { "azure_deployment_id": { "description": "Deployment ID for Azure OpenAI instances.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "llama2_format": { - "type": "string", - "description": "If using llama2 provider, select the upstream message format.", "required": false, + "description": "If using llama2 provider, select the upstream message format.", + "type": "string", "one_of": [ "raw", "openai", @@ -550,9 +520,9 @@ }, { "mistral_format": { - "type": "string", - "description": "If using mistral provider, select the upstream message format.", "required": false, + "description": "If using mistral provider, select the upstream message format.", + "type": "string", "one_of": [ "openai", "ollama" 
@@ -562,131 +532,191 @@ { "upstream_url": { "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_path": { - "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", "required": false, - "type": "string" + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "llm: config.model.options.upstream_path is deprecated, please use config.model.options.upstream_url instead" + } } }, { "gemini": { - "entity_checks": [ - { - "mutually_required": [ - "api_endpoint", - "project_id", - "location_id" - ] - } - ], - "type": "record", "required": false, + "type": "record", "fields": [ { "api_endpoint": { "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "project_id": { "description": "If running Gemini on Vertex, specify the project ID.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "location_id": { "description": "If running Gemini on Vertex, specify the location ID.", - "required": false, - "type": "string" + "type": "string", + "required": false } } + ], + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } ] } }, { "bedrock": { - "type": "record", "required": false, + "type": "record", "fields": [ { "aws_region": { "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", - "required": false, - "type": "string" + "type": "string", + "required": false + } + }, + { + 
"aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string", + "required": false + } + }, + { + "aws_role_session_name": { + "type": "string", + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session." + } + }, + { + "aws_sts_endpoint_url": { + "type": "string", + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." } } + ], + "entity_checks": [ + { + "mutually_required": [ + "aws_assume_role_arn", + "aws_role_session_name" + ] + } ] } }, { "huggingface": { "type": "record", - "required": false, "fields": [ { "use_cache": { "description": "Use the cache layer on the inference API", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "wait_for_model": { "description": "Wait for the model if it is not ready", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } } - ] + ], + "required": false } } - ] + ], + "required": false } } - ] + ], + "required": true } }, { "logging": { "type": "record", - "required": true, "fields": [ { "log_statistics": { - "default": false, + "type": "boolean", "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "log_payloads": { - "default": false, + "type": "boolean", "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", - "required": true, - "type": "boolean" + "default": false, + "required": true } } - ] + ], + "required": true } } ], - "required": true, - "type": "record" + "required": true } } ], - "required": true, - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_match": { 
+ "not_one_of": [ + "llm/v1/chat" + ] + }, + "then_field": "config.llm.route_type", + "if_field": "config.llm.route_type", + "then_match": { + "eq": "llm/v1/chat" + }, + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins" } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] } ] } \ No newline at end of file diff --git a/schemas/ai-response-transformer/3.10.x.json b/schemas/ai-response-transformer/3.10.x.json index 30d69cd6..b77f499a 100644 --- a/schemas/ai-response-transformer/3.10.x.json +++ b/schemas/ai-response-transformer/3.10.x.json @@ -1,45 +1,10 @@ { - "entity_checks": [ - { - "conditional": { - "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", - "if_match": { - "not_one_of": [ - "llm/v1/chat" - ] - }, - "then_field": "config.llm.route_type", - "if_field": "config.llm.route_type", - "then_match": { - "eq": "llm/v1/chat" - } - } - }, - { - "mutually_required": [ - "config.http_proxy_host", - "config.http_proxy_port" - ] - }, - { - "mutually_required": [ - "config.https_proxy_host", - "config.https_proxy_port" - ] - } - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
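Review bot: The added `aws_sts_endpoint_url` field in the `bedrock` record is a bare `string` with no validator, although it decides where the role-assumption request is sent. Other fields in these schemas carry constraints (`starts_with`, `between`, `one_of`), and an equivalent check here, such as `"starts_with": "https://"`, would reject a plain-HTTP or malformed endpoint at configuration time; this assumes the plugin does no separate validation, which the hunk does not show. The field also lacks the `"required": false` that its neighbour `aws_assume_role_arn` carries, so the new fields are declared inconsistently. As the file is pulled from the API, both changes would have to be made in the plugin schema upstream.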
@@ -48,48 +13,55 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "type": "record", "fields": [ { "prompt": { "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "transformation_extract_pattern": { "description": "Defines the regular expression that must match to indicate a successful AI transformation at the response phase. The first match will be set as the returning body. If the AI service's response doesn't match this pattern, a failure is returned to the client.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "parse_llm_response_json_instructions": { - "default": false, + "type": "boolean", "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "http_timeout": { - "default": 60000, + "type": "integer", "description": "Timeout in milliseconds for the AI upstream service.", - "required": true, - "type": "integer" + "default": 60000, + "required": true } }, { "https_verify": { - "default": true, + "type": "boolean", "description": "Verify the TLS certificate of the AI upstream service.", - "required": true, - "type": "boolean" + "default": true, + "required": true } }, { 
@@ -108,12 +80,12 @@ }, { "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + ] } }, { @@ -124,12 +96,12 @@ }, { "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + ] } }, { @@ -137,7 +109,6 @@ "entity_checks": [ { "conditional": { - "then_err": "bedrock and gemini only support auth.allow_override = false", "if_match": { "one_of": [ "bedrock", @@ -148,7 +119,8 @@ "if_field": "model.provider", "then_match": { "eq": false - } + }, + "then_err": "bedrock and gemini only support auth.allow_override = false" } }, { @@ -272,12 +244,13 @@ } } ], + "type": "record", "fields": [ { "route_type": { - "type": "string", - "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", "required": true, + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "type": "string", "one_of": [ "llm/v1/chat", "llm/v1/completions", 
@@ -288,22 +261,21 @@ { "auth": { "type": "record", - "required": false, "fields": [ { "header_name": { "required": false, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "header_value": { - "encrypted": true, - "required": false, - "type": "string", "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, @@ -311,24 +283,24 @@ "param_name": { "required": false, "description": "If AI model requires authentication via query parameter, specify its name here.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "param_value": { - "encrypted": true, - "required": false, - "type": "string", "description": "Specify the full parameter value for 'param_name'.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, { "param_location": { - "type": "string", - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "required": false, + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "one_of": [ "query", "body" 
@@ -337,26 +309,26 @@ }, { "azure_use_managed_identity": { - "default": false, + "type": "boolean", "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "azure_client_id": { "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "azure_client_secret": { - "encrypted": true, - "required": false, - "type": "string", "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, 
@@ -364,66 +336,66 @@ "azure_tenant_id": { "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "gcp_use_service_account": { - "default": false, + "type": "boolean", "description": "Use service account auth for GCP-based providers and models.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "gcp_service_account_json": { - "encrypted": true, - "required": false, - "type": "string", "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, { "aws_access_key_id": { - "encrypted": true, - "required": false, - "type": "string", "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, { "aws_secret_access_key": { - "encrypted": true, - "required": false, - "type": "string", "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, { "allow_override": { - "default": false, + "type": "boolean", "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", - "required": false, - "type": "boolean" + "default": false, + "required": false } } - ] + ], + "required": false } }, { "model": { "type": "record", - "required": true, "fields": [ { "provider": { - "type": "string", - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "required": true, + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "type": "string", "one_of": [ "openai", "azure", 
@@ -440,107 +412,105 @@ { "name": { "description": "Model name to execute.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "options": { "type": "record", "description": "Key/value settings for the model", - "required": false, "fields": [ { "max_tokens": { - "default": 256, "description": "Defines the max_tokens, if using chat or completion models.", - "required": false, - "type": "integer" + "type": "integer", + "required": false } }, { "input_cost": { - "gt": 0, + "type": "number", "description": "Defines the cost per 1M tokens in your prompt.", - "required": false, - "type": "number" + "gt": 0, + "required": false } }, { "output_cost": { - "gt": 0, + "type": "number", "description": "Defines the cost per 1M tokens in the output of the AI.", - "required": false, - "type": "number" + "gt": 0, + "required": false } }, { "temperature": { + "type": "number", + "description": "Defines the matching temperature, if using chat or completion models.", "between": [ 0, 5 ], - "description": "Defines the matching temperature, if using chat or completion models.", - "required": false, - "type": "number" + "required": false } }, { "top_p": { + "type": "number", + "description": "Defines the top-p probability mass, if supported.", "between": [ 0, 1 ], - "description": "Defines the top-p probability mass, if supported.", - "required": false, - "type": "number" + "required": false } }, { "top_k": { + "type": "integer", + "description": "Defines the top-k most likely tokens, if supported.", "between": [ 0, 500 ], - "description": "Defines the top-k most likely tokens, if supported.", - "required": false, - "type": "integer" + "required": false } }, { "anthropic_version": { "description": "Defines the schema/API version, if using Anthropic provider.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "azure_instance": { "description": "Instance name for Azure OpenAI hosted models.", - "required": false, - 
"type": "string" + "type": "string", + "required": false } }, { "azure_api_version": { - "default": "2023-05-15", + "type": "string", "description": "'api-version' for Azure OpenAI instances.", - "required": false, - "type": "string" + "default": "2023-05-15", + "required": false } }, { "azure_deployment_id": { "description": "Deployment ID for Azure OpenAI instances.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "llama2_format": { - "type": "string", - "description": "If using llama2 provider, select the upstream message format.", "required": false, + "description": "If using llama2 provider, select the upstream message format.", + "type": "string", "one_of": [ "raw", "openai", @@ -550,9 +520,9 @@ }, { "mistral_format": { - "type": "string", - "description": "If using mistral provider, select the upstream message format.", "required": false, + "description": "If using mistral provider, select the upstream message format.", + "type": "string", "one_of": [ "openai", "ollama" 
@@ -562,131 +532,191 @@ { "upstream_url": { "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_path": { - "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", "required": false, - "type": "string" + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "llm: config.model.options.upstream_path is deprecated, please use config.model.options.upstream_url instead" + } } }, { "gemini": { - "entity_checks": [ - { - "mutually_required": [ - "api_endpoint", - "project_id", - "location_id" - ] - } - ], - "type": "record", "required": false, + "type": "record", "fields": [ { "api_endpoint": { "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "project_id": { "description": "If running Gemini on Vertex, specify the project ID.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "location_id": { "description": "If running Gemini on Vertex, specify the location ID.", - "required": false, - "type": "string" + "type": "string", + "required": false } } + ], + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } ] } }, { "bedrock": { - "type": "record", "required": false, + "type": "record", "fields": [ { "aws_region": { "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", - "required": false, - "type": "string" + "type": "string", + "required": false + } + }, + { + 
"aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string", + "required": false + } + }, + { + "aws_role_session_name": { + "type": "string", + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session." + } + }, + { + "aws_sts_endpoint_url": { + "type": "string", + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." } } + ], + "entity_checks": [ + { + "mutually_required": [ + "aws_assume_role_arn", + "aws_role_session_name" + ] + } ] } }, { "huggingface": { "type": "record", - "required": false, "fields": [ { "use_cache": { "description": "Use the cache layer on the inference API", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "wait_for_model": { "description": "Wait for the model if it is not ready", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } } - ] + ], + "required": false } } - ] + ], + "required": false } } - ] + ], + "required": true } }, { "logging": { "type": "record", - "required": true, "fields": [ { "log_statistics": { - "default": false, + "type": "boolean", "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "log_payloads": { - "default": false, + "type": "boolean", "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", - "required": true, - "type": "boolean" + "default": false, + "required": true } } - ] + ], + "required": true } } ], - "required": true, - "type": "record" + "required": true } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + { + "conditional": { + "if_match": { + 
"not_one_of": [ + "llm/v1/chat" + ] + }, + "then_field": "config.llm.route_type", + "if_field": "config.llm.route_type", + "then_match": { + "eq": "llm/v1/chat" + }, + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins" + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } ] } \ No newline at end of file diff --git a/schemas/ai-sanitizer/3.10.x.json b/schemas/ai-sanitizer/3.10.x.json index 0a35f9df..01920229 100644 --- a/schemas/ai-sanitizer/3.10.x.json +++ b/schemas/ai-sanitizer/3.10.x.json 
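Review bot: The new `aws_sts_endpoint_url` field in the `bedrock` record is a bare `"type": "string"` with no scheme or format constraint, so any value is accepted as the endpoint used for the role-assumption call that hands back temporary credentials. Restricting it to TLS at validation time, for example with `"starts_with": "https://"`, would stop a typo or an unreviewed config change from sending that exchange to a cleartext or unintended host. `aws_role_session_name` and `aws_sts_endpoint_url` also omit the `"required": false` that `aws_assume_role_arn` and the other sibling fields carry. The same three fields are added in the `@@ -176,95 +186,276 @@` hunk of `schemas/ai-semantic-cache/3.10.x.json`. The enclosing `options` record starts above this hunk, and because the file is exported from the plugin API the change would have to be made in the upstream schema.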
@@ -2,78 +2,82 @@ "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", + "type": "set", "required": true, "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string" + ] }, "default": [ "grpc", "grpcs", "http", "https" - ], - "type": "set", - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { + "type": "record", "fields": [ { "host": { + "type": "string", "description": "The host of the sanitizer", "default": "localhost", - "required": true, - "type": "string" + "required": true } }, { "port": { + "type": "number", "description": "The port of the sanitizer", "default": 8080, - "required": true, - "type": "number" + "required": true } }, { "scheme": { + "type": "string", "description": "The protocol can be http and https", "default": "http", - "required": true, - "type": "string" + "required": true } }, { "timeout": { - "default": 10000, "description": "Connection timeout with the sanitizer", + "default": 10000, "type": "number" } }, { "keepalive_timeout": { - "default": 60000, "description": "The keepalive timeout for the established http connnection", + "default": 60000, "type": "number" } }, { "stop_on_error": { - "default": true, "description": "Stop processing if an error occurs", + "default": true, "type": "boolean" } }, { "anonymize": { + "description": "List of types to be anonymized", + "type": "array", "required": true, "elements": { + "type": "string", "one_of": [ "general", "phone", 
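Review bot: `scheme` is declared as a free-form string defaulting to `"http"`, although its description says only http and https are valid, so a mistyped value is not rejected by the schema and the content handed to the sanitizer (presumably the request text to be anonymized) travels in cleartext unless the operator changes it. Adding `"one_of": ["http", "https"]` would enforce the documented values. With the default `host` of `localhost` the cleartext default is defensible, but the description should say that a remote `host` calls for `https`. `port`, `timeout` and `keepalive_timeout` are typed `number` rather than `integer`, which admits fractional values. The `config` record continues past the end of this hunk, and as the file is exported from the plugin API the fix belongs in the upstream schema.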
@@ -95,73 +99,69 @@ "custom", "all", "all_and_credentials" - ], - "type": "string" + ] }, "default": [ "all_and_credentials" - ], - "type": "array", - "description": "List of types to be anonymized" + ] } }, { "recover_redacted": { - "default": true, "description": "Whether to recover redacted data", + "default": true, "type": "boolean" } }, { "redact_type": { + "default": "placeholder", + "description": "What value to be used to redacted to", + "type": "string", "one_of": [ "placeholder", "synthetic" - ], - "default": "placeholder", - "description": "What value to be used to redacted to", - "type": "string" + ] } }, { "custom_patterns": { + "len_min": 1, + "type": "array", "required": false, "elements": { + "type": "record", "fields": [ { "name": { - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "regex": { - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "score": { - "type": "number", - "default": 0.5, - "required": true, "between": [ 0, 1 - ] + ], + "type": "number", + "default": 0.5, + "required": true } } - ], - "type": "record" + ] }, - "type": "array", - "len_min": 1, "description": "List of custom patterns to be used for anonymization" } } ], - "required": true, - "type": "record" + "required": true } } ], diff --git a/schemas/ai-semantic-cache/3.10.x.json b/schemas/ai-semantic-cache/3.10.x.json index afa47df0..ce64ef2e 100644 --- a/schemas/ai-semantic-cache/3.10.x.json +++ b/schemas/ai-semantic-cache/3.10.x.json @@ -1,19 +1,10 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -22,11 +13,18 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "type": "record", "fields": [ { "message_countback": { @@ -41,31 +39,31 @@ }, { "ignore_system_prompts": { - "default": false, "description": "Ignore and discard any system prompts when Vectorizing the request", - "type": "boolean" + "type": "boolean", + "default": false } }, { "ignore_assistant_prompts": { - "default": false, "description": "Ignore and discard any assistant prompts when Vectorizing the request", - "type": "boolean" + "type": "boolean", + "default": false } }, { "ignore_tool_prompts": { - "default": false, "description": "Ignore and discard any tool prompts when Vectorizing the request", - "type": "boolean" + "type": "boolean", + "default": false } }, { "stop_on_failure": { - "default": false, + "type": "boolean", "description": "Halt the LLM request process in case of a caching system failure", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { 
@@ -78,44 +76,56 @@ }, { "cache_control": { - "default": false, + "type": "boolean", "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "exact_caching": { - "default": false, + "type": "boolean", "description": "When enabled, a first check for exact query will be done. It will impact DB size", - "required": true, - "type": "boolean" + "default": false, + "required": true + } + }, + { + "llm_format": { + "description": "LLM input and output format and schema to use", + "type": "string", + "required": false, + "default": "openai", + "one_of": [ + "openai", + "bedrock", + "gemini" + ] } }, { "embeddings": { - "type": "record", "required": true, + "type": "record", "fields": [ { "auth": { "type": "record", - "required": false, "fields": [ { "header_name": { "required": false, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "header_value": { - "encrypted": true, - "required": false, - "type": "string", "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, 
@@ -123,24 +133,24 @@ "param_name": { "required": false, "description": "If AI model requires authentication via query parameter, specify its name here.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "param_value": { - "encrypted": true, - "required": false, - "type": "string", "description": "Specify the full parameter value for 'param_name'.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, { "param_location": { - "type": "string", - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "required": false, + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "one_of": [ "query", "body" @@ -149,26 +159,26 @@ }, { "azure_use_managed_identity": { - "default": false, + "type": "boolean", "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "azure_client_id": { "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "azure_client_secret": { - "encrypted": true, - "required": false, - "type": "string", "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, 
@@ -176,95 +186,276 @@ "azure_tenant_id": { "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "gcp_use_service_account": { - "default": false, + "type": "boolean", "description": "Use service account auth for GCP-based providers and models.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "gcp_service_account_json": { - "encrypted": true, - "required": false, - "type": "string", "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, { "aws_access_key_id": { - "encrypted": true, - "required": false, - "type": "string", "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, { "aws_secret_access_key": { - "encrypted": true, - "required": false, - "type": "string", "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, { "allow_override": { - "default": false, + "type": "boolean", "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", - "required": false, - "type": "boolean" + "default": false, + "required": false } } - ] + ], + "required": false } }, { "model": { "type": "record", - "required": true, "fields": [ { "provider": { - "type": "string", - "description": "AI provider format to use for embeddings API", "required": true, + "description": "AI provider format to use for embeddings API", + "type": "string", "one_of": [ "openai", - "mistral" + "mistral", + "huggingface", + "azure", + "bedrock", + "gemini" ] } }, { "name": { "description": "Model name to execute.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "options": { "type": "record", "description": "Key/value settings for the model", - "required": false, "fields": [ { "upstream_url": { "description": "upstream url for the embeddings", + "type": "string", + "required": false + } + }, + { + "azure": { + "type": "record", + "fields": [ + { + "instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string", + "required": false + } + }, + { + "api_version": { + "type": "string", + "description": "'api-version' for Azure OpenAI instances.", + "default": "2023-05-15", + "required": false + } + }, + { + "deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string", + "required": false + } + } + ], + "required": true + } + }, + { + "bedrock": { "required": false, - "type": "string" + "type": "record", + "fields": [ + { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by 
setting this option.", + "type": "string", + "required": false + } + }, + { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string", + "required": false + } + }, + { + "aws_role_session_name": { + "type": "string", + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session." + } + }, + { + "aws_sts_endpoint_url": { + "type": "string", + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "aws_assume_role_arn", + "aws_role_session_name" + ] + } + ] + } + }, + { + "gemini": { + "required": false, + "type": "record", + "fields": [ + { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string", + "required": false + } + }, + { + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string", + "required": false + } + }, + { + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string", + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ] + } + }, + { + "huggingface": { + "type": "record", + "fields": [ + { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean", + "required": false + } + }, + { + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean", + "required": false + } + } + ], + "required": false } } - ] + ], + "required": false } } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure 
provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.instance" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.api_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.deployment_id" ] } } @@ -274,37 +465,37 @@ { "vectordb": { "type": "record", - "required": true, "fields": [ { "strategy": { - "type": "string", - "description": "which vector database driver to use", "required": true, + "description": "which vector database driver to use", + "type": "string", "one_of": [ - "redis" + "redis", + "pgvector" ] } }, { "dimensions": { "description": "the desired dimensionality for the vectors", - "required": true, - "type": "integer" + "type": "integer", + "required": true } }, { "threshold": { "description": "the default similarity threshold for accepting semantic search results (float)", - "required": true, - "type": "number" + "type": "number", + "required": true } }, { "distance_metric": { - "type": "string", - "description": "the distance metric to use for vector searches", "required": true, + "description": "the distance metric to use for vector searches", + "type": "string", "one_of": [ "cosine", "euclidean" 
@@ -313,223 +504,94 @@ }, { "redis": { - "required": true, "type": "record", - "entity_checks": [ + "required": true, + "fields": [ { - "mutually_required": [ - "host", - "port" - ] + "host": { + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "type": "string" + } }, { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "default": 6379 + } }, { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] + "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } }, { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } + "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "default": 2000 } }, { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] + "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "default": 2000 } }, { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true } }, { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, + "type": "string", + "referenceable": true } - } - ], - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array" - } - }, - { - "cluster_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "type": "array" - } - } - ], - "fields": [ - { - "host": { - "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com.", - "type": "string" - } - }, - { - "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "between": [ - 0, - 65535 - ], - "type": "integer" - } - }, - { - "connect_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", - "between": [ - 0, - 2147483646 - ], - "type": "integer" - } - }, - { - "send_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "between": [ - 0, - 2147483646 - ], - "type": "integer" - } - }, - { - "read_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "between": [ - 0, - 2147483646 - ], - "type": "integer" - } - }, - { - "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" - } - }, - { - "password": { - "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "referenceable": true, - "type": "string" - } - }, + }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { - "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, 
@@ -546,12 +608,12 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + ] } }, { @@ -573,8 +635,9 @@ }, { "sentinel_nodes": { - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { "type": "record", "fields": [ 
@@ -582,31 +645,31 @@ "host": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } } ] }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { "type": "record", "fields": [ 
@@ -614,76 +677,304 @@ "ip": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } } ] }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, { "ssl": { - "default": false, + "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "ssl_verify": { - "default": false, + "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "server_name": { "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "cluster_max_redirections": { - "default": 5, + "type": "integer", "description": "Maximum retry attempts for redirection.", - "required": false, - "type": "integer" + "default": 5, + "required": false } }, { "connection_is_proxied": { - "default": false, + "type": "boolean", "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", - "required": false, - "type": "boolean" + "default": false, + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + } + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "replaced_with": [ 
+ { + "path": [ + "cluster_nodes" + ] + } + ] + } } } ] } + }, + { + "pgvector": { + "type": "record", + "fields": [ + { + "host": { + "description": "the host of the pgvector database", + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "the port of the pgvector database", + "type": "integer", + "default": 5432 + } + }, + { + "user": { + "type": "string", + "description": "the user of the pgvector database", + "default": "postgres", + "referenceable": true + } + }, + { + "password": { + "encrypted": true, + "description": "the password of the pgvector database", + "type": "string", + "referenceable": true + } + }, + { + "database": { + "description": "the database of the pgvector database", + "type": "string", + "default": "kong-pgvector" + } + }, + { + "timeout": { + "description": "the timeout of the pgvector database", + "type": "number", + "default": 5000 + } + }, + { + "ssl": { + "description": "whether to use ssl for the pgvector database", + "type": "boolean", + "default": false + } + }, + { + "ssl_required": { + "description": "whether ssl is required for the pgvector database", + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "description": "whether to verify ssl for the pgvector database", + "type": "boolean", + "default": false + } + }, + { + "ssl_version": { + "type": "string", + "description": "the ssl version to use for the pgvector database", + "default": "tlsv1_2", + "one_of": [ + "tlsv1_2", + "tlsv1_3", + "any" + ] + } + }, + { + "ssl_cert": { + "type": "string", + "description": "the path of ssl cert to use for the pgvector database" + } + }, + { + "ssl_cert_key": { + "type": "string", + "description": "the path of ssl cert key to use for the pgvector database" + } + } + ], + "required": true + } } - ] + ], + "required": true } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
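Review bot: The added `pgvector` record defaults `ssl`, `ssl_required` and `ssl_verify` to `false` and `user` to `postgres`. As the schema reads, a configuration that only selects `"strategy": "pgvector"` would connect without TLS or server-certificate verification under the default account name, with the `password` field and the stored vectors sent unprotected. If these files are downloaded from the plugin's own schema, as the first commit message in the series suggests, the defaults have to be fixed upstream; the description should at least carry the caveat, as the `redis` `ssl_verify` description in this hunk already does, for example `"description": "whether to verify the server certificate of the pgvector database; off by default, enable together with ssl for any non-local host"`. The `timeout` field also states no unit, whereas the Redis timeouts say milliseconds, and `ssl_version` accepts `any` with no note on what that permits. The same `pgvector` block is added in the `ai-semantic-prompt-guard` hunk at `@@ -380,325 +785,211 @@`, which continues beyond this view.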
diff --git a/schemas/ai-semantic-prompt-guard/3.10.x.json b/schemas/ai-semantic-prompt-guard/3.10.x.json index c1fac108..90872d10 100644 --- a/schemas/ai-semantic-prompt-guard/3.10.x.json +++ b/schemas/ai-semantic-prompt-guard/3.10.x.json @@ -1,24 +1,10 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.rules.allow_prompts", - "config.rules.deny_prompts" - ] - } - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -27,36 +13,42 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "type": "record", "fields": [ { "embeddings": { - "type": "record", "required": true, + "type": "record", "fields": [ { "auth": { "type": "record", - "required": false, "fields": [ { "header_name": { "required": false, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "header_value": { - "encrypted": true, - "required": false, - "type": "string", "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, 
@@ -64,24 +56,24 @@ "param_name": { "required": false, "description": "If AI model requires authentication via query parameter, specify its name here.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "param_value": { - "encrypted": true, - "required": false, - "type": "string", "description": "Specify the full parameter value for 'param_name'.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, { "param_location": { - "type": "string", - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "required": false, + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "one_of": [ "query", "body" @@ -90,26 +82,26 @@ }, { "azure_use_managed_identity": { - "default": false, + "type": "boolean", "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "azure_client_id": { "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "azure_client_secret": { - "encrypted": true, - "required": false, - "type": "string", "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, 
@@ -117,95 +109,276 @@ "azure_tenant_id": { "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "gcp_use_service_account": { - "default": false, + "type": "boolean", "description": "Use service account auth for GCP-based providers and models.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "gcp_service_account_json": { - "encrypted": true, - "required": false, - "type": "string", "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, { "aws_access_key_id": { - "encrypted": true, - "required": false, - "type": "string", "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, { "aws_secret_access_key": { - "encrypted": true, - "required": false, - "type": "string", "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, { "allow_override": { - "default": false, + "type": "boolean", "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", - "required": false, - "type": "boolean" + "default": false, + "required": false } } - ] + ], + "required": false } }, { "model": { "type": "record", - "required": true, "fields": [ { "provider": { - "type": "string", - "description": "AI provider format to use for embeddings API", "required": true, + "description": "AI provider format to use for embeddings API", + "type": "string", "one_of": [ "openai", - "mistral" + "mistral", + "huggingface", + "azure", + "bedrock", + "gemini" ] } }, { "name": { "description": "Model name to execute.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "options": { "type": "record", "description": "Key/value settings for the model", - "required": false, "fields": [ { "upstream_url": { "description": "upstream url for the embeddings", + "type": "string", + "required": false + } + }, + { + "azure": { + "type": "record", + "fields": [ + { + "instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string", + "required": false + } + }, + { + "api_version": { + "type": "string", + "description": "'api-version' for Azure OpenAI instances.", + "default": "2023-05-15", + "required": false + } + }, + { + "deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string", + "required": false + } + } + ], + "required": true + } + }, + { + "bedrock": { + "required": false, + "type": "record", + "fields": [ + { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this 
option.", + "type": "string", + "required": false + } + }, + { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string", + "required": false + } + }, + { + "aws_role_session_name": { + "type": "string", + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session." + } + }, + { + "aws_sts_endpoint_url": { + "type": "string", + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "aws_assume_role_arn", + "aws_role_session_name" + ] + } + ] + } + }, + { + "gemini": { "required": false, - "type": "string" + "type": "record", + "fields": [ + { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string", + "required": false + } + }, + { + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string", + "required": false + } + }, + { + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string", + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ] + } + }, + { + "huggingface": { + "type": "record", + "fields": [ + { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean", + "required": false + } + }, + { + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean", + "required": false + } + } + ], + "required": false } } - ] + ], + "required": false } } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure 
provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.instance" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.api_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.deployment_id" ] } } @@ -215,37 +388,37 @@ { "vectordb": { "type": "record", - "required": true, "fields": [ { "strategy": { - "type": "string", - "description": "which vector database driver to use", "required": true, + "description": "which vector database driver to use", + "type": "string", "one_of": [ - "redis" + "redis", + "pgvector" ] } }, { "dimensions": { "description": "the desired dimensionality for the vectors", - "required": true, - "type": "integer" + "type": "integer", + "required": true } }, { "threshold": { "description": "the default similarity threshold for accepting semantic search results (float)", - "required": true, - "type": "number" + "type": "number", + "required": true } }, { "distance_metric": { - "type": "string", - "description": "the distance metric to use for vector searches", "required": true, + "description": "the distance metric to use for vector searches", + "type": "string", "one_of": [ "cosine", "euclidean" 
@@ -254,8 +427,239 @@ }, { "redis": { - "required": true, "type": "record", + "required": true, + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "type": "string" + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + }, + { + "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string", + "referenceable": true + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "type": "array", + "required": false, + "elements": { + "type": "record", + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string", + "required": true + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ] + }, + "len_min": 1 + } + }, + { + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "type": "array", + "required": false, + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string", + "required": true + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ] + }, + "len_min": 1 + } + }, + { + "ssl": { + "type": "boolean", + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "required": false + } + }, + { + "ssl_verify": { + "type": "boolean", + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "required": false + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string", + "required": false + } + }, + { + "cluster_max_redirections": { + "type": "integer", + "description": "Maximum retry attempts for redirection.", + "default": 5, + "required": false + } + }, + { + "connection_is_proxied": { + "type": "boolean", + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "default": false, + "required": false + } + } + ], "entity_checks": [ { "mutually_required": [ @@ -320,9 +724,10 @@ "shorthand_fields": [ { "timeout": { + "type": "integer", "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", "replaced_with": [ { "path": [ @@ -340,8 +745,7 @@ ] } ] - }, - "type": "integer" + } } }, { @@ -350,9 +754,10 @@ "type": "string" }, "len_min": 1, + "type": "array", "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "replaced_with": [ { "path": [ @@ -360,8 +765,7 @@ ] } ] - }, - "type": "array" + } } }, { @@ -370,9 +774,10 @@ "type": "string" }, "len_min": 1, + "type": "array", "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "replaced_with": [ { "path": [ 
@@ -380,325 +785,211 @@ ] } ] - }, - "type": "array" + } } } - ], + ] + } + }, + { + "pgvector": { + "type": "record", "fields": [ { "host": { - "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com.", - "type": "string" + "description": "the host of the pgvector database", + "type": "string", + "default": "127.0.0.1" } }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "between": [ - 0, - 65535 - ], - "type": "integer" - } - }, - { - "connect_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "between": [ - 0, - 2147483646 - ], - "type": "integer" - } - }, - { - "send_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "between": [ - 0, - 2147483646 - ], - "type": "integer" + "description": "the port of the pgvector database", + "type": "integer", + "default": 5432 } }, { - "read_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "between": [ - 0, - 2147483646 - ], - "type": "integer" - } - }, - { - "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "user": { + "type": "string", + "description": "the user of the pgvector database", + "default": "postgres", + "referenceable": true } }, { "password": { "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "referenceable": true, - "type": "string" - } - }, - { - "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. 
If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "referenceable": true, - "type": "string" + "description": "the password of the pgvector database", + "type": "string", + "referenceable": true } }, { - "sentinel_password": { - "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "referenceable": true, - "type": "string" + "database": { + "description": "the database of the pgvector database", + "type": "string", + "default": "kong-pgvector" } }, { - "database": { - "default": 0, - "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "timeout": { + "description": "the timeout of the pgvector database", + "type": "number", + "default": 5000 } }, { - "keepalive_pool_size": { - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "between": [ - 1, - 2147483646 - ], - "type": "integer" + "ssl": { + "description": "whether to use ssl for the pgvector database", + "type": "boolean", + "default": false } }, { - "keepalive_backlog": { - "between": [ - 0, - 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. 
If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + "ssl_required": { + "description": "whether ssl is required for the pgvector database", + "type": "boolean", + "default": false } }, { - "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "ssl_verify": { + "description": "whether to verify ssl for the pgvector database", + "type": "boolean", + "default": false } }, { - "sentinel_role": { - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "ssl_version": { "type": "string", + "description": "the ssl version to use for the pgvector database", + "default": "tlsv1_2", "one_of": [ - "master", - "slave", + "tlsv1_2", + "tlsv1_3", "any" ] } }, { - "sentinel_nodes": { - "required": false, - "type": "array", - "elements": { - "type": "record", - "fields": [ - { - "host": { - "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" - } - }, - { - "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "between": [ - 0, - 65535 - ], - "type": "integer" - } - } - ] - }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", - "len_min": 1 - } - }, - { - "cluster_nodes": { - "required": false, - "type": "array", - "elements": { - "type": "record", - "fields": [ - { - "ip": { - "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" - } - }, - { - "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "between": [ - 0, - 65535 - ], - "type": "integer" - } - } - ] - }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", - "len_min": 1 - } - }, - { - "ssl": { - "default": false, - "description": "If set to true, uses SSL to connect to Redis.", - "required": false, - "type": "boolean" - } - }, - { - "ssl_verify": { - "default": false, - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, - "type": "boolean" - } - }, - { - "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false, - "type": "string" - } - }, - { - "cluster_max_redirections": { - "default": 5, - "description": "Maximum retry attempts for redirection.", - "required": false, - "type": "integer" + "ssl_cert": { + "type": "string", + "description": "the path of ssl cert to use for the pgvector database" } }, { - "connection_is_proxied": { - "default": false, - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", - "required": false, - "type": "boolean" + "ssl_cert_key": { + "type": "string", + "description": "the path of ssl cert key to use for the pgvector database" } } - ] + ], + "required": true } } - ] + ], + "required": true } }, { "search": { "type": "record", - "required": false, "fields": [ { "threshold": { "default": 0.5, "description": "Threshold for the similarity score to be considered a match.", - "required": false, - "type": "number" + "type": "number", + "required": false } } - ] + ], + "required": false } }, { "rules": { "type": "record", - "required": true, "fields": [ { "match_all_conversation_history": { "default": false, "description": "If false, will ignore all previous chat prompts from the conversation history.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "allow_prompts": { - "len_max": 100, - "required": false, + "description": "List of prompts to allow.", "type": "array", + "required": false, "elements": { - "len_max": 500, "len_min": 1, - "type": "string" + "type": "string", + "len_max": 500 }, - "description": "List of prompts to allow." + "len_max": 100 } }, { "deny_prompts": { - "len_max": 100, - "required": false, + "description": "List of prompts to deny.", "type": "array", + "required": false, "elements": { - "len_max": 500, "len_min": 1, - "type": "string" + "type": "string", + "len_max": 500 }, - "description": "List of prompts to deny." 
+ "len_max": 100 } }, { "max_request_body_size": { - "default": 8192, + "type": "integer", "description": "max allowed body size allowed to be introspected", "gt": 0, - "type": "integer" + "default": 8192 } }, { "match_all_roles": { - "default": false, + "type": "boolean", "description": "If true, will match all roles in addition to 'user' role in conversation history.", - "required": true, - "type": "boolean" + "default": false, + "required": true } } + ], + "required": true + } + }, + { + "llm_format": { + "description": "LLM input and output format and schema to use", + "type": "string", + "required": false, + "default": "openai", + "one_of": [ + "openai", + "bedrock", + "gemini" ] } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.rules.allow_prompts", + "config.rules.deny_prompts" + ] + } ] } \ No newline at end of file diff --git a/schemas/app-dynamics/3.10.x.json b/schemas/app-dynamics/3.10.x.json index 8e65202b..95ad13cf 100644 --- a/schemas/app-dynamics/3.10.x.json +++ b/schemas/app-dynamics/3.10.x.json @@ -1,19 +1,10 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
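Review bot: In the `pgvector` record this hunk adds, `ssl`, `ssl_required` and `ssl_verify` all default to `false`, and their one-line descriptions do not say what that means. Read literally, the defaults give a connection without TLS, and turning on `ssl` alone still leaves the server certificate unchecked. The Redis `ssl_verify` field earlier in the same file explains what verification does and which trust setting it depends on; the pgvector field should match that, for example `"description": "If set to true, verifies the server certificate of the pgvector database. When false, the server's identity is not checked even if ssl is enabled."`. The descriptions should also say how `ssl` and `ssl_required` differ, which the current wording leaves to guesswork. If this file is pulled from the gateway's schema API, as the first commit of the series describes, the wording has to be fixed at the source rather than in this copy; the enclosing record opens above the hunk.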
@@ -22,25 +13,34 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/aws-lambda/3.10.x.json b/schemas/aws-lambda/3.10.x.json index 583a9b6a..04dba6e4 100644 --- a/schemas/aws-lambda/3.10.x.json +++ b/schemas/aws-lambda/3.10.x.json @@ -1,31 +1,10 @@ { - "entity_checks": [ - { - "mutually_required": [ - "config.aws_key", - "config.aws_secret" - ] - }, - { - "custom_entity_check": { - "field_sources": [ - "config.proxy_url" - ] - } - } - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -34,64 +13,71 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "timeout": { "default": 60000, "description": "An optional timeout in milliseconds when invoking the function.", - "required": true, - "type": "number" + "type": "number", + "required": true } }, { "keepalive": { "default": 60000, "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", - "required": true, - "type": "number" + "type": "number", + "required": true } }, { "aws_key": { - "encrypted": true, "description": "The AWS key credential to be used when invoking the function.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "aws_secret": { - "encrypted": true, "description": "The AWS secret credential to be used when invoking the function. ", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "aws_assume_role_arn": { - "encrypted": true, "description": "The target AWS IAM role ARN used to invoke the Lambda function.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "aws_role_session_name": { - "default": "kong", "description": "The identifier of the assumed role session.", + "default": "kong", "type": "string" } }, 
@@ -110,22 +96,22 @@ { "function_name": { "description": "The AWS Lambda function to invoke. Both function name and function ARN (including partial) are supported.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "qualifier": { - "description": "The qualifier to use when invoking the function.", - "type": "string" + "type": "string", + "description": "The qualifier to use when invoking the function." } }, { "invocation_type": { - "required": true, + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", "type": "string", + "required": true, "default": "RequestResponse", - "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", "one_of": [ "RequestResponse", "Event", @@ -135,10 +121,10 @@ }, { "log_type": { - "required": true, + "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", "type": "string", + "required": true, "default": "Tail", - "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", "one_of": [ "Tail", "None" 
@@ -153,70 +139,70 @@ }, { "port": { - "default": 443, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 443 } }, { "disable_https": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "unhandled_status": { + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", + "type": "integer", "between": [ 100, 999 - ], - "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", - "type": "integer" + ] } }, { "forward_request_method": { - "default": false, "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", + "default": false, "type": "boolean" } }, { "forward_request_uri": { - "default": false, "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", + "default": false, "type": "boolean" } }, { "forward_request_headers": { - "default": false, "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", + "default": false, "type": "boolean" } }, { "forward_request_body": { - "default": false, "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. 
", + "default": false, "type": "boolean" } }, { "is_proxy_integration": { - "default": false, "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", + "default": false, "type": "boolean" } }, { "awsgateway_compatible": { - "default": false, "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", + "default": false, "type": "boolean" } }, @@ -228,24 +214,24 @@ }, { "skip_large_bodies": { - "default": true, "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", + "default": true, "type": "boolean" } }, { "base64_encode_body": { - "default": true, "description": "An optional value that Base64-encodes the request body.", + "default": true, "type": "boolean" } }, { "aws_imds_protocol_version": { - "required": true, + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", "type": "string", + "required": true, "default": "v1", - "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", "one_of": [ "v1", "v2" @@ -254,10 +240,10 @@ }, { "empty_arrays_mode": { - "required": true, + "description": "An optional value that defines whether Kong should send empty arrays (returned by Lambda function) as `[]` arrays or `{}` objects in JSON responses. The value `legacy` means Kong will send empty arrays as `{}` objects in response", "type": "string", + "required": true, "default": "legacy", - "description": "An optional value that defines whether Kong should send empty arrays (returned by Lambda function) as `[]` arrays or `{}` objects in JSON responses. The value `legacy` means Kong will send empty arrays as `{}` objects in response", "one_of": [ "legacy", "correct" 
@@ -265,8 +251,22 @@ } } ], - "required": true, - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "config.aws_key", + "config.aws_secret" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "config.proxy_url" + ] } } ] diff --git a/schemas/azure-functions/3.10.x.json b/schemas/azure-functions/3.10.x.json index 19e89278..87043d49 100644 --- a/schemas/azure-functions/3.10.x.json +++ b/schemas/azure-functions/3.10.x.json @@ -1,21 +1,13 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing protocols.", + "type": "set", + "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -27,99 +19,107 @@ "udp", "ws", "wss" - ], - "type": "string" - } + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "timeout": { - "default": 600000, "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", - "type": "number" + "type": "number", + "default": 600000 } }, { "keepalive": { - "default": 60000, "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", - "type": "number" + "type": "number", + "default": 60000 } }, { "https": { - "default": true, "description": "Use of HTTPS to connect with the Azure Functions server.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "https_verify": { - "default": false, "description": "Set to `true` to authenticate the Azure Functions server.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "apikey": { "encrypted": true, "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "clientid": { "encrypted": true, "description": "The `clientid` to access the Azure resources. 
If provided, it is injected as the `x-functions-clientid` header.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "appname": { "description": "The Azure app name.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "hostdomain": { - "default": "azurewebsites.net", + "type": "string", "description": "The domain where the function resides.", - "required": true, - "type": "string" + "default": "azurewebsites.net", + "required": true } }, { "routeprefix": { - "default": "api", "description": "Route prefix to use.", - "type": "string" + "type": "string", + "default": "api" } }, { "functionname": { "description": "Name of the Azure function to invoke.", - "required": true, - "type": "string" + "type": "string", + "required": true } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/basic-auth/3.10.x.json b/schemas/basic-auth/3.10.x.json index 0a5c8b49..da652430 100644 --- a/schemas/basic-auth/3.10.x.json +++ b/schemas/basic-auth/3.10.x.json @@ -1,26 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], + "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -32,20 +22,28 @@ "wss" ] }, - "required": true, - "type": "set" + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "anonymous": { @@ -55,24 +53,26 @@ }, { "hide_credentials": { - "default": false, + "type": "boolean", "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "realm": { - "default": "service", + "type": "string", "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", - "required": true, - "type": "string" + "default": "service", + "required": true } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/bot-detection/3.10.x.json b/schemas/bot-detection/3.10.x.json index d48d260c..c83da6b6 100644 --- a/schemas/bot-detection/3.10.x.json +++ b/schemas/bot-detection/3.10.x.json 
@@ -1,27 +1,18 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -30,50 +21,59 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "allow": { - "elements": { - "type": "string", - "is_regex": true - }, - "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", "default": [ ], - "type": "array" + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", + "type": "array", + "elements": { + "type": "string", + "is_regex": true + } } }, { "deny": { - "elements": { - "type": "string", - "is_regex": true - }, - "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", "default": [ ], - "type": "array" + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", + "type": "array", + "elements": { + "type": "string", + "is_regex": true + } } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/canary/3.10.x.json b/schemas/canary/3.10.x.json index a020f33c..e5159bba 100644 --- a/schemas/canary/3.10.x.json +++ b/schemas/canary/3.10.x.json 
@@ -1,65 +1,26 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.upstream_uri", - "config.upstream_host", - "config.upstream_port" - ] - }, - { - "conditional": { - "if_match": { - "eq": "header" - }, - "then_field": "config.hash_header", - "if_field": "config.hash", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "config.upstream_host", - "if_field": "config.upstream_fallback", - "then_match": { - "required": true - } - } - } - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -68,12 +29,17 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { - "type": "record", "shorthand_fields": [ { "hash": { 
@@ -82,19 +48,19 @@ } } ], - "required": true, + "type": "record", "fields": [ { "start": { - "description": "Future time in seconds since epoch, when the canary release will start. Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`.", - "type": "number" + "type": "number", + "description": "Future time in seconds since epoch, when the canary release will start. Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`." } }, { "hash": { - "default": "consumer", - "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", "type": "string", + "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", + "default": "consumer", "one_of": [ "consumer", "ip", 
@@ -113,28 +79,28 @@ }, { "duration": { - "default": 3600, + "type": "number", "description": "The duration of the canary release in seconds.", - "gt": 0, - "type": "number" + "default": 3600, + "gt": 0 } }, { "steps": { - "default": 1000, + "type": "number", "description": "The number of steps for the canary release.", - "gt": 1, - "type": "number" + "default": 1000, + "gt": 1 } }, { "percentage": { + "description": "The percentage of traffic to be routed to the canary release.", + "type": "number", "between": [ 0, 100 - ], - "description": "The percentage of traffic to be routed to the canary release.", - "type": "number" + ] } }, { @@ -145,36 +111,36 @@ }, { "upstream_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + ] } }, { "upstream_uri": { - "description": "The URI of the upstream server to be used for the canary release.", + "len_min": 1, "type": "string", - "len_min": 1 + "description": "The URI of the upstream server to be used for the canary release." } }, { "upstream_fallback": { "default": false, "description": "Specifies whether to fallback to the upstream server if the canary release fails.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "groups": { + "description": "The groups allowed to access the canary release.", + "type": "array", "elements": { "type": "string" - }, - "description": "The groups allowed to access the canary release.", - "type": "array" + } } }, { 
@@ -183,7 +149,41 @@ "description": "A string representing an HTTP header name." } } - ] + ], + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.upstream_uri", + "config.upstream_host", + "config.upstream_port" + ] + }, + { + "conditional": { + "if_match": { + "eq": "header" + }, + "then_field": "config.hash_header", + "if_field": "config.hash", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "config.upstream_host", + "if_field": "config.upstream_fallback", + "then_match": { + "required": true + } } } ] diff --git a/schemas/confluent-consume/3.10.x.json b/schemas/confluent-consume/3.10.x.json index 9965de16..65cdb059 100644 --- a/schemas/confluent-consume/3.10.x.json +++ b/schemas/confluent-consume/3.10.x.json @@ -2,13 +2,8 @@ "fields": [ { "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", "required": true, "elements": { "type": "string", 
@@ -19,42 +14,51 @@ "https" ] }, - "type": "set" + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "entity_checks": [ + + ], + "type": "record", "fields": [ { "bootstrap_servers": { - "type": "set", "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set", "elements": { "type": "record", "fields": [ { "host": { - "type": "string", "description": "A string representing a host name, such as example.com.", + "type": "string", "required": true } }, { "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true } } @@ -64,29 +68,29 @@ }, { "topics": { - "description": "The Kafka topics and their configuration you want to consume from.", + "len_min": 1, + "type": "array", "required": true, "elements": { "type": "record", "fields": [ { "name": { - "required": true, - "type": "string" + "type": "string", + "required": true } } ] }, - "type": "array", - "len_min": 1 + "description": "The Kafka topics and their configuration you want to consume from." } }, { "mode": { - "default": "http-get", "description": "The mode of operation for the plugin.", - "required": true, "type": "string", + "required": true, + "default": "http-get", "one_of": [ "server-sent-events", "http-get" @@ -95,10 +99,10 @@ }, { "message_deserializer": { - "default": "noop", "description": "The deserializer to use for the consumed messages.", - "required": true, "type": "string", + "required": true, + "default": "noop", "one_of": [ "json", "noop" 
@@ -107,10 +111,10 @@ }, { "auto_offset_reset": { - "default": "latest", "description": "The offset to start from when there is no initial offset in the consumer group.", - "required": true, "type": "string", + "required": true, + "default": "latest", "one_of": [ "earliest", "latest" @@ -119,10 +123,10 @@ }, { "commit_strategy": { - "default": "auto", "description": "The strategy to use for committing offsets.", - "required": true, "type": "string", + "required": true, + "default": "auto", "one_of": [ "auto", "off" 
@@ -131,74 +135,74 @@ }, { "timeout": { - "default": 10000, "description": "Socket timeout in milliseconds.", - "type": "integer" + "type": "integer", + "default": 10000 } }, { "keepalive": { - "default": 60000, "description": "Keepalive timeout in milliseconds.", - "type": "integer" + "type": "integer", + "default": 60000 } }, { "keepalive_enabled": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "cluster_api_key": { - "encrypted": true, "description": "Username/Apikey for SASL authentication.", - "required": true, "type": "string", + "required": true, + "encrypted": true, "referenceable": true } }, { "cluster_api_secret": { - "encrypted": true, "description": "Password/ApiSecret for SASL authentication.", - "required": true, "type": "string", + "required": true, + "encrypted": true, "referenceable": true } }, { "confluent_cloud_api_key": { - "encrypted": true, "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", - "required": false, "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, { "confluent_cloud_api_secret": { - "encrypted": true, "description": "The corresponding secret for the Confluent Cloud API key.", - "required": false, "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, { "cluster_name": { "type": "string", - "auto": true, "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. 
Logs will be sent to the leader of the cluster.", + "auto": true, "required": false } } ], - "type": "record", - "entity_checks": [], "required": true } } ], - "entity_checks": [] + "entity_checks": [ + + ] } \ No newline at end of file diff --git a/schemas/confluent/3.10.x.json b/schemas/confluent/3.10.x.json index 534933d8..1a4eefb1 100644 --- a/schemas/confluent/3.10.x.json +++ b/schemas/confluent/3.10.x.json @@ -1,19 +1,10 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -22,15 +13,21 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { 
@@ -47,140 +44,168 @@ } } ], + "type": "record", "fields": [ { "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set", "elements": { "type": "record", "fields": [ { "host": { "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": true, - "type": "integer" + "required": true } } ] + } + } + }, + { + "topics_query_arg": { + "description": "The request query parameter name that contains the topics to publish to", + "type": "string", + "required": false + } + }, + { + "allowed_topics": { + "elements": { + "type": "string" }, - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", - "type": "set" + "description": "The list of allowed topic names to which messages can be sent. 
The default topic configured in the `topic` field is always allowed, regardless of its inclusion in `allowed_topics`.", + "type": "array", + "required": false } }, { "topic": { - "description": "The Kafka topic to publish to.", - "required": true, - "type": "string" + "description": "The default Kafka topic to publish to if the query parameter defined in the `topics_query_arg` does not exist in the request", + "type": "string", + "required": true } }, { "timeout": { - "default": 10000, "description": "Socket timeout in milliseconds.", - "type": "integer" + "type": "integer", + "default": 10000 } }, { "keepalive": { - "default": 60000, "description": "Keepalive timeout in milliseconds.", - "type": "integer" + "type": "integer", + "default": 60000 } }, { "keepalive_enabled": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "cluster_api_key": { "encrypted": true, - "referenceable": true, "type": "string", + "required": true, "description": "Username/Apikey for SASL authentication.", - "required": true + "referenceable": true } }, { "cluster_api_secret": { "encrypted": true, - "referenceable": true, "type": "string", + "required": true, "description": "Password/ApiSecret for SASL authentication.", - "required": true + "referenceable": true } }, { "confluent_cloud_api_key": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", - "required": false + "referenceable": true } }, { "confluent_cloud_api_secret": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The corresponding secret for the Confluent Cloud API key.", - "required": false + "referenceable": true } }, { "forward_method": { - "default": false, "description": "Include the request method in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "forward_uri": { - "default": false, "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "forward_headers": { - "default": false, "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "forward_body": { - "default": true, "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "type": "boolean" + "type": "boolean", + "default": true + } + }, + { + "message_by_lua_functions": { + "elements": { + "type": "string" + }, + "description": "The Lua functions that manipulates the message being sent to the Kafka topic.", + "type": "array", + "required": false } }, { "cluster_name": { - "auto": true, + "type": "string", "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", - "required": false, - "type": "string" + "auto": true, + "required": false } }, { "producer_request_acks": { - "default": 1, - "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "type": "integer", + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "default": 1, "one_of": [ -1, 0, 
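Review bot: The new `topics_query_arg` field in this hunk lets a request query parameter choose the Kafka topic, but the `allowed_topics` description does not say what happens when that optional list is left unset. A reader cannot tell whether the override is then limited to the default `topic` or open to any topic name. Both fields are `"required": false` with no default, and no check tying them together is visible in these lines. Since the file is pulled from the API, the wording has to change upstream; I would add a sentence such as `If allowed_topics is not set, <state whether any topic or only the default topic is accepted>.` to the `allowed_topics` description. The enclosing `config` record starts before this hunk and continues after it.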
@@ -190,64 +215,66 @@ }, { "producer_request_timeout": { - "default": 2000, "description": "Time to wait for a Produce response in milliseconds.", - "type": "integer" + "type": "integer", + "default": 2000 } }, { "producer_request_limits_messages_per_request": { - "default": 200, "description": "Maximum number of messages to include into a single producer request.", - "type": "integer" + "type": "integer", + "default": 200 } }, { "producer_request_limits_bytes_per_request": { - "default": 1048576, "description": "Maximum size of a Produce request in bytes.", - "type": "integer" + "type": "integer", + "default": 1048576 } }, { "producer_request_retries_max_attempts": { - "default": 10, "description": "Maximum number of retry attempts per single Produce request.", - "type": "integer" + "type": "integer", + "default": 10 } }, { "producer_request_retries_backoff_timeout": { - "default": 100, "description": "Backoff interval between retry attempts in milliseconds.", - "type": "integer" + "type": "integer", + "default": 100 } }, { "producer_async": { - "default": true, "description": "Flag to enable asynchronous mode.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "producer_async_flush_timeout": { - "default": 1000, "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", - "type": "integer" + "type": "integer", + "default": 1000 } }, { "producer_async_buffering_limits_messages_in_memory": { - "default": 50000, "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", - "type": "integer" + "type": "integer", + "default": 50000 } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/correlation-id/3.10.x.json b/schemas/correlation-id/3.10.x.json index 46723bf0..8799aed4 100644 --- a/schemas/correlation-id/3.10.x.json +++ b/schemas/correlation-id/3.10.x.json 
@@ -1,19 +1,10 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -22,33 +13,40 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "header_name": { - "default": "Kong-Request-ID", "description": "The HTTP header name to use for the correlation ID.", + "default": "Kong-Request-ID", "type": "string" } }, { "generator": { - "required": true, + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", "type": "string", + "required": true, "default": "uuid#counter", - "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", "one_of": [ "uuid", "uuid#counter", @@ -58,16 +56,18 @@ }, { "echo_downstream": { - "default": false, + "type": "boolean", "description": "Whether to echo the header back to downstream (the client).", - "required": true, - "type": "boolean" + "default": false, + "required": true } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/cors/3.10.x.json b/schemas/cors/3.10.x.json index 87f52a0e..2dfb819b 100644 --- a/schemas/cors/3.10.x.json +++ b/schemas/cors/3.10.x.json 
@@ -1,27 +1,18 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "one_of": [ "grpc", 
@@ -30,47 +21,54 @@ "https" ], "len_min": 1, - "required": true, - "type": "string" - } + "type": "string", + "required": true + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "origins": { + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.", + "type": "array", "elements": { "type": "string" - }, - "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.", - "type": "array" + } } }, { "headers": { + "description": "Value for the `Access-Control-Allow-Headers` header.", + "type": "array", "elements": { "type": "string" - }, - "description": "Value for the `Access-Control-Allow-Headers` header.", - "type": "array" + } } }, { "exposed_headers": { + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", + "type": "array", "elements": { "type": "string" - }, - "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", - "type": "array" + } } }, { 
@@ -87,6 +85,7 @@ "CONNECT" ], "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", + "type": "array", "elements": { "type": "string", "one_of": [ @@ -100,44 +99,53 @@ "TRACE", "CONNECT" ] - }, - "type": "array" + } } }, { "max_age": { - "description": "Indicates how long the results of the preflight request can be cached, in `seconds`.", - "type": "number" + "type": "number", + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`." } }, { "credentials": { - "default": false, + "type": "boolean", "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "private_network": { - "default": false, + "type": "boolean", "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "preflight_continue": { - "default": false, + "type": "boolean", "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", - "required": true, - "type": "boolean" + "default": false, + "required": true + } + }, + { + "allow_origin_absent": { + "type": "boolean", + "description": "A boolean value that skip cors response headers when origin header of request is empty", + "default": true, + "required": true } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/datadog/3.10.x.json b/schemas/datadog/3.10.x.json index 7157cc3d..e854b8ac 100644 --- a/schemas/datadog/3.10.x.json +++ b/schemas/datadog/3.10.x.json 
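Review bot: The description of the added `allow_origin_absent` field in the second hunk on this line does not say which value causes the CORS response headers to be skipped. It reads "skip cors response headers when origin header of request is empty", while the field name and its `"default": true` suggest that `true` accepts requests without an `Origin` header. Presumably `false` is the value that skips the headers, which should be confirmed against the plugin before operators rely on the text. The file is downloaded from the API, so the wording belongs upstream, for example `When set to false, the plugin skips the CORS response headers if the request has no Origin header.`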
@@ -1,21 +1,13 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing protocols.", + "type": "set", + "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -27,67 +19,73 @@ "udp", "ws", "wss" - ], - "type": "string" - } + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "host": { "default": "localhost", "description": "A string representing a host name, such as example.com.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "port": { - "default": 8125, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 8125 } }, { "prefix": { - "default": "kong", "description": "String to be attached as a prefix to a metric's name.", - "type": "string" + "type": "string", + "default": "kong" } }, { "service_name_tag": { - "default": "name", "description": "String to be attached as the name of the service.", - "type": "string" + "type": "string", + "default": "name" } }, { "status_tag": { - "default": "status", "description": "String to be attached as the tag of the HTTP status.", - "type": "string" + "type": "string", + "default": "status" } }, { "consumer_tag": { - "default": "consumer", "description": "String to be attached as tag of the consumer.", - "type": "string" + "type": "string", + "default": "consumer" } }, { 
@@ -95,9 +93,9 @@ "description": "Number of times to retry when sending data to the upstream server.", "type": "integer", "deprecation": { + "removal_in_version": "4.0", "old_default": 10, - "message": "datadog: config.retry_count no longer works, please use config.queue.max_retry_time instead", - "removal_in_version": "4.0" + "message": "datadog: config.retry_count no longer works, please use config.queue.max_retry_time instead" } } }, @@ -106,9 +104,9 @@ "description": "Maximum number of log entries to be sent on each message to the upstream server.", "type": "integer", "deprecation": { + "removal_in_version": "4.0", "old_default": 1, - "message": "datadog: config.queue_size is deprecated, please use config.queue.max_batch_size instead", - "removal_in_version": "4.0" + "message": "datadog: config.queue_size is deprecated, please use config.queue.max_batch_size instead" } } }, @@ -117,14 +115,15 @@ "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", "type": "number", "deprecation": { + "removal_in_version": "4.0", "old_default": 2, - "message": "datadog: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", - "removal_in_version": "4.0" + "message": "datadog: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead" } } }, { "queue": { + "type": "record", "fields": [ { "max_batch_size": { @@ -167,9 +166,9 @@ }, { "max_retry_time": { - "default": 60, "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "type": "number" + "type": "number", + "default": 60 } }, { @@ -196,9 +195,9 @@ }, { "concurrency_limit": { - "default": 1, - "description": "The number of of queue delivery timers. -1 indicates unlimited.", "type": "integer", + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "default": 1, "one_of": [ -1, 1 
@@ -206,90 +205,22 @@ } } ], - "required": true, - "type": "record" + "required": true } }, { "metrics": { - "required": true, - "type": "array", - "default": [ - { - "name": "request_count", - "stat_type": "counter", - "tags": [ - "app:kong" - ], - "sample_rate": 1, - "consumer_identifier": "custom_id" - }, - { - "stat_type": "timer", - "name": "latency", - "tags": [ - "app:kong" - ], - "consumer_identifier": "custom_id" - }, - { - "stat_type": "timer", - "name": "request_size", - "tags": [ - "app:kong" - ], - "consumer_identifier": "custom_id" - }, - { - "stat_type": "timer", - "name": "response_size", - "tags": [ - "app:kong" - ], - "consumer_identifier": "custom_id" - }, - { - "stat_type": "timer", - "name": "upstream_latency", - "tags": [ - "app:kong" - ], - "consumer_identifier": "custom_id" - }, - { - "stat_type": "timer", - "name": "kong_latency", - "tags": [ - "app:kong" - ], - "consumer_identifier": "custom_id" - } - ], "description": "List of metrics to be logged.", + "type": "array", + "required": true, "elements": { - "entity_checks": [ - { - "conditional": { - "if_match": { - "one_of": [ - "counter", - "gauge" - ] - }, - "then_field": "sample_rate", - "if_field": "stat_type", - "then_match": { - "required": true - } - } - } - ], + "type": "record", "fields": [ { "name": { - "type": "string", - "description": "Datadog metric’s name", "required": true, + "description": "Datadog metric’s name", + "type": "string", "one_of": [ "kong_latency", "latency", @@ -302,9 +233,9 @@ }, { "stat_type": { - "type": "string", - "description": "Determines what sort of event the metric represents", "required": true, + "description": "Determines what sort of event the metric represents", + "type": "string", "one_of": [ "counter", "gauge", 
@@ -318,22 +249,22 @@ }, { "tags": { - "elements": { - "match": "^.*[^:]$", - "type": "string" - }, "description": "List of tags", - "type": "array" + "type": "array", + "elements": { + "type": "string", + "match": "^.*[^:]$" + } } }, { "sample_rate": { + "description": "Sampling rate", + "type": "number", "between": [ 0, 1 - ], - "description": "Sampling rate", - "type": "number" + ] } }, { @@ -348,14 +279,83 @@ } } ], - "type": "record" - } + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + } + } + } + ] + }, + "default": [ + { + "stat_type": "counter", + "name": "request_count", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id", + "sample_rate": 1 + }, + { + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id", + "name": "latency", + "stat_type": "timer" + }, + { + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id", + "name": "request_size", + "stat_type": "timer" + }, + { + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id", + "name": "response_size", + "stat_type": "timer" + }, + { + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id", + "name": "upstream_latency", + "stat_type": "timer" + }, + { + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id", + "name": "kong_latency", + "stat_type": "timer" + } + ] } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/degraphql/3.10.x.json b/schemas/degraphql/3.10.x.json index 36cd73d3..71c5f7ee 100644 --- a/schemas/degraphql/3.10.x.json +++ b/schemas/degraphql/3.10.x.json 
@@ -1,27 +1,18 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -30,39 +21,48 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "graphql_server_path": { - "required": true, - "type": "string", - "default": "/graphql", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { - "err": "must not have empty segments", - "pattern": "//" + "pattern": "//", + "err": "must not have empty segments" } ], + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string", + "required": true, + "default": "/graphql", "starts_with": "/" } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
diff --git a/schemas/exit-transformer/3.10.x.json b/schemas/exit-transformer/3.10.x.json index 11f94588..4549e603 100644 --- a/schemas/exit-transformer/3.10.x.json +++ b/schemas/exit-transformer/3.10.x.json @@ -1,19 +1,10 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -22,47 +13,56 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "functions": { "elements": { "type": "string" }, - "required": true, - "type": "array" + "type": "array", + "required": true } }, { "handle_unknown": { - "default": false, "description": "Determines whether to handle unknown status codes by transforming their responses.", + "default": false, "type": "boolean" } }, { "handle_unexpected": { - "default": false, "description": "Determines whether to handle unexpected errors by transforming their responses.", + "default": false, "type": "boolean" } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/file-log/3.10.x.json b/schemas/file-log/3.10.x.json index 6532d553..c0cf92cb 100644 --- a/schemas/file-log/3.10.x.json +++ b/schemas/file-log/3.10.x.json 
@@ -1,21 +1,13 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing protocols.", + "type": "set", + "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -27,57 +19,65 @@ "udp", "ws", "wss" - ], - "type": "string" - } + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "path": { - "match": "^[^*&%%\\`]+$", - "required": true, + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", "type": "string", - "err": "not a valid filename", - "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet." + "match": "^[^%s*&%%\\`][^*&%%\\`]*[^%s*&%%\\`]$", + "required": true, + "err": "not a valid filename" } }, { "reopen": { - "default": false, + "type": "boolean", "description": "Determines whether the log file is closed and reopened on every request.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "custom_fields_by_lua": { - "description": "Lua code as a key-value map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, + "description": "Lua code as a key-value map", + "type": "map", "keys": { "type": "string", "len_min": 1 - }, - "type": "map" + } } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/forward-proxy/3.10.x.json b/schemas/forward-proxy/3.10.x.json index 260aadee..3b2360e2 100644 --- a/schemas/forward-proxy/3.10.x.json +++ b/schemas/forward-proxy/3.10.x.json 
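Review bot: The tightened `match` on `config.path` now uses a separate character class for the first and the last character, so, read as a Lua pattern, it rejects a one-character path that the old single-class pattern accepted. The description mentions neither this nor the new ban on leading and trailing whitespace. The pattern still only filters characters and places no limit on which directory the log file is created in, so that restriction has to come from the gateway process's filesystem permissions and from who may configure the plugin. As the file is downloaded from the API, the description change belongs upstream, for example appending `The path must be at least two characters long and must not start or end with whitespace.`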
@@ -1,19 +1,10 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -22,74 +13,34 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "required": true, "type": "record", - "entity_checks": [ - { - "at_least_one_of": [ - "http_proxy_host", - "https_proxy_host" - ] - }, - { - "at_least_one_of": [ - "http_proxy_port", - "https_proxy_port" - ] - }, - { - "mutually_required": [ - "http_proxy_host", - "http_proxy_port" - ] - }, - { - "mutually_required": [ - "https_proxy_host", - "https_proxy_port" - ] - } - ], - "shorthand_fields": [ - { - "proxy_host": { - "deprecation": { - "removal_in_version": "4.0", - "message": "forward-proxy: config.proxy_host is deprecated, please use config.http_proxy_host instead" - }, - "type": "string" - } - }, - { - "proxy_port": { - "deprecation": { - "removal_in_version": "4.0", - "message": "forward-proxy: config.proxy_port is deprecated, please use config.http_proxy_port instead" - }, - "type": "integer" - } - } - ], + "required": true, "fields": [ { "x_headers": { - "required": true, + "description": "Determines how to handle headers when forwarding the request.", "type": "string", + "required": true, "default": "append", - "description": "Determines how to handle headers when forwarding the request.", "one_of": [ "append", "transparent", 
@@ -105,12 +56,12 @@ }, { "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + ] } }, { @@ -121,20 +72,20 @@ }, { "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + ] } }, { "proxy_scheme": { - "required": true, + "description": "The proxy scheme to use when connecting. Only `http` is supported.", "type": "string", + "required": true, "default": "http", - "description": "The proxy scheme to use when connecting. Only `http` is supported.", "one_of": [ "http" ] 
@@ -144,28 +95,77 @@ "auth_username": { "referenceable": true, "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "auth_password": { "referenceable": true, "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "https_verify": { "default": false, "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "http_proxy_host", + "https_proxy_host" + ] + }, + { + "at_least_one_of": [ + "http_proxy_port", + "https_proxy_port" + ] + }, + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], + "shorthand_fields": [ + { + "proxy_host": { + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "forward-proxy: config.proxy_host is deprecated, please use config.http_proxy_host instead" + } + } + }, + { + "proxy_port": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "forward-proxy: config.proxy_port is deprecated, please use config.http_proxy_port instead" + } } } ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/graphql-proxy-cache-advanced/3.10.x.json b/schemas/graphql-proxy-cache-advanced/3.10.x.json index e805038f..de121eda 100644 --- a/schemas/graphql-proxy-cache-advanced/3.10.x.json +++ b/schemas/graphql-proxy-cache-advanced/3.10.x.json 
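Review bot: `auth_password` is marked `"referenceable": true` but has no `"encrypted": true`, whereas the Redis `password` and `sentinel_password` fields in the other schemas of this patch have both. If the schema reflects how the gateway persists the value, the forward-proxy basic-auth password is stored without the at-rest protection those fields get; the upstream schema should add `"encrypted": true,` to `auth_password`. In the same hunk `https_verify` has `"default": false`, and its description does not say that the proxy's certificate goes unchecked unless the operator turns it on; the description could add `Defaults to false, in which case the proxy certificate is not validated.` The hunk only reorders keys here, so both points predate this change and need to be fixed where the schema is generated.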
@@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], + "supported_partials": { + "redis-ee": [ + "config.redis" + ] + }, "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -22,26 +18,33 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "strategy": { - "required": true, + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", "type": "string", + "required": true, "default": "memory", - "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", "one_of": [ "memory", "redis" 
@@ -52,245 +55,116 @@ "cache_ttl": { "gt": 0, "description": "TTL in seconds of cache entities. Must be a value greater than 0.", - "default": 300, - "type": "integer" + "type": "integer", + "default": 300 } }, { "memory": { + "type": "record", "fields": [ { "dictionary_name": { "default": "kong_db_cache", "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", - "required": true, - "type": "string" + "type": "string", + "required": true } } ], - "required": true, - "type": "record" + "required": true } }, { "redis": { - "required": true, "type": "record", - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - 
"sentinel_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array" - } - }, - { - "cluster_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "type": "array" - } - } - ], + "required": true, "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } }, { "connect_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "send_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "read_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { - "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { - "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, 
@@ -307,12 +181,12 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + ] } }, { @@ -334,8 +208,9 @@ }, { "sentinel_nodes": { - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { "type": "record", "fields": [ 
@@ -343,31 +218,31 @@ "host": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } } ] }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { "type": "record", "fields": [ 
@@ -375,64 +250,192 @@ "ip": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } } ] }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, { "ssl": { - "default": false, + "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "ssl_verify": { - "default": false, + "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "server_name": { "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "cluster_max_redirections": { - "default": 5, + "type": "integer", "description": "Maximum retry attempts for redirection.", - "required": false, - "type": "integer" + "default": 5, + "required": false } }, { "connection_is_proxied": { - "default": false, + "type": "boolean", "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", - "required": false, - "type": "boolean" + "default": false, + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + } + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "replaced_with": [ 
+ { + "path": [ + "cluster_nodes" + ] + } + ] + } } } ] @@ -440,24 +443,26 @@ }, { "bypass_on_err": { - "default": false, "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "default": false, "type": "boolean" } }, { "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "type": "array", "elements": { "type": "string" - }, - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", - "type": "array" + } } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/graphql-rate-limiting-advanced/3.10.x.json b/schemas/graphql-rate-limiting-advanced/3.10.x.json index 55336ec3..5fecbd31 100644 --- a/schemas/graphql-rate-limiting-advanced/3.10.x.json +++ b/schemas/graphql-rate-limiting-advanced/3.10.x.json @@ -1,25 +1,15 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], + "supported_partials": { + "redis-ee": [ + "config.redis" + ] + }, "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
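Review bot: In the `redis` record both `ssl` and `ssl_verify` have `"default": false`, so as far as the schema shows a default configuration connects to Redis without TLS, and that connection carries the `password` / `sentinel_password` values defined earlier in the same record. The `ssl` description only says what `true` does; I would extend it to `If set to true, uses SSL to connect to Redis. Defaults to false, in which case credentials and cached data cross the network unencrypted.` and add a matching sentence to `ssl_verify`. The same fields and defaults appear in the graphql-rate-limiting-advanced hunk `@@ -458,72 +327,208 @@` further down. This file is pulled from the API, so the wording change has to be made in the upstream schema.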
@@ -28,26 +18,33 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "identifier": { - "required": true, + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", "type": "string", + "required": true, "default": "consumer", - "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", "one_of": [ "ip", "credential", @@ -61,15 +58,15 @@ "type": "number" }, "description": "One or more window sizes to apply a limit to (defined in seconds).", - "required": true, - "type": "array" + "type": "array", + "required": true } }, { "window_type": { - "default": "sliding", - "description": "Sets the time window to either `sliding` or `fixed`.", "type": "string", + "description": "Sets the time window to either `sliding` or `fixed`.", + "default": "sliding", "one_of": [ "fixed", "sliding" 
@@ -82,30 +79,30 @@ "type": "number" }, "description": "One or more requests-per-window limits to apply.", - "required": true, - "type": "array" + "type": "array", + "required": true } }, { "sync_rate": { "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.", - "required": true, - "type": "number" + "type": "number", + "required": true } }, { "namespace": { - "auto": true, "description": "The rate limiting namespace to use for this plugin instance. This namespace is used to share rate limiting counters across different instances. If it is not provided, a random UUID is generated. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", - "type": "string" + "type": "string", + "auto": true } }, { "strategy": { - "required": true, + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", "type": "string", + "required": true, "default": "cluster", - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", "one_of": [ "cluster", "redis" 
@@ -114,24 +111,24 @@ }, { "dictionary_name": { - "default": "kong_rate_limiting_counters", + "type": "string", "description": "The shared dictionary where counters will be stored until the next sync cycle.", - "required": true, - "type": "string" + "default": "kong_rate_limiting_counters", + "required": true } }, { "hide_client_headers": { - "default": false, "description": "Optionally hide informative response headers. Available options: `true` or `false`.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "cost_strategy": { - "default": "default", - "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", "type": "string", + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", + "default": "default", "one_of": [ "default", "node_quantifier" 
@@ -140,240 +137,111 @@ }, { "score_factor": { - "required": false, + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", "type": "number", + "required": false, "gt": 0, - "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", "default": 1 } }, { "max_cost": { - "default": 0, + "type": "number", "description": "A defined maximum cost per query. 0 means unlimited.", - "required": false, - "type": "number" + "default": 0, + "required": false } }, { "redis": { - "required": true, "type": "record", - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - 
"deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array" - } - }, - { - "cluster_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "type": "array" - } - } - ], + "required": true, "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } }, { "connect_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "send_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "read_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { - "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { - "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, 
@@ -390,12 +258,12 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + ] } }, { @@ -417,8 +285,9 @@ }, { "sentinel_nodes": { - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { "type": "record", "fields": [ 
@@ -426,31 +295,31 @@ "host": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } } ] }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { "type": "record", "fields": [ 
@@ -458,72 +327,208 @@ "ip": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } } ] }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, { "ssl": { - "default": false, + "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "ssl_verify": { - "default": false, + "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "server_name": { "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "cluster_max_redirections": { - "default": 5, + "type": "integer", "description": "Maximum retry attempts for redirection.", - "required": false, - "type": "integer" + "default": 5, + "required": false } }, { "connection_is_proxied": { - "default": false, + "type": "boolean", "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", - "required": false, - "type": "boolean" + "default": false, + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + } + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "replaced_with": [ 
+ { + "path": [ + "cluster_nodes" + ] + } + ] + } } } ] } } ], - "required": true, - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/grpc-gateway/3.10.x.json b/schemas/grpc-gateway/3.10.x.json index cb4aab19..0e0f32ca 100644 --- a/schemas/grpc-gateway/3.10.x.json +++ b/schemas/grpc-gateway/3.10.x.json @@ -1,21 +1,13 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing protocols.", + "type": "set", + "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -27,33 +19,41 @@ "udp", "ws", "wss" - ], - "type": "string" - } + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "proto": { "description": "Describes the gRPC types and methods.", - "required": false, - "type": "string" + "type": "string", + "required": false } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/grpc-web/3.10.x.json b/schemas/grpc-web/3.10.x.json index 95633634..aba58960 100644 --- a/schemas/grpc-web/3.10.x.json +++ b/schemas/grpc-web/3.10.x.json 
@@ -1,21 +1,13 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing protocols.", + "type": "set", + "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -27,48 +19,56 @@ "udp", "ws", "wss" - ], - "type": "string" - } + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "proto": { "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "pass_stripped_path": { "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "allow_origin_header": { - "default": "*", + "type": "string", "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", - "required": false, - "type": "string" + "default": "*", + "required": false } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/header-cert-auth/3.10.x.json b/schemas/header-cert-auth/3.10.x.json index 380d6860..64a4ce4b 100644 --- a/schemas/header-cert-auth/3.10.x.json 
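Review bot: The `proto` description in the `config` record of schemas/grpc-web/3.10.x.json gives the content type as `application/grpw-web+proto`, which looks like a misspelling of `application/grpc-web+proto`; an operator copying it into a client would send a type the plugin presumably does not recognise. The sentence should end `the web client must use application/grpc-web+proto content.` In the same hunk `allow_origin_header` keeps `"default": "*"`, and its description does not say that the wildcard lets pages from any origin read the responses, so a sentence advising a specific origin for non-public services would help. If this file is a generated copy of the gateway schema, both changes belong in the plugin source it is pulled from.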
+++ b/schemas/header-cert-auth/3.10.x.json @@ -1,27 +1,18 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -30,15 +21,21 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { @@ -57,19 +54,20 @@ ] } ], + "type": "record", "fields": [ { "certificate_header_name": { "description": "Name of the header that contains the certificate, received from the WAF or other L7 downstream proxy.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "certificate_header_format": { - "type": "string", - "description": "Format of the certificate header. Supported formats: `base64_encoded`, `url_encoded`.", "required": true, + "description": "Format of the certificate header. Supported formats: `base64_encoded`, `url_encoded`.", + "type": "string", "one_of": [ "base64_encoded", "url_encoded" 
@@ -80,8 +78,8 @@ "secure_source": { "default": true, "description": "Whether to secure the source of the request. If set to `true`, the plugin will only allow requests from trusted IPs (configured by the `trusted_ips` config option).", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { @@ -92,8 +90,9 @@ }, { "consumer_by": { - "required": false, + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ @@ -101,7 +100,6 @@ "custom_id" ] }, - "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", "default": [ "username", "custom_id" 
@@ -111,44 +109,44 @@ { "ca_certificates": { "elements": { - "uuid": true, - "type": "string" + "type": "string", + "uuid": true }, "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", - "required": true, - "type": "array" + "type": "array", + "required": true } }, { "cache_ttl": { "default": 60, "description": "Cache expiry time in seconds.", - "required": true, - "type": "number" + "type": "number", + "required": true } }, { "skip_consumer_lookup": { "default": false, "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "allow_partial_chain": { "default": false, "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "authenticated_group_by": { - "required": false, + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "type": "string", + "required": false, "default": "CN", - "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. 
To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "one_of": [ "CN", "DN" @@ -157,10 +155,10 @@ }, { "revocation_check_mode": { - "required": false, + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "type": "string", + "required": false, "default": "IGNORE_CA_ERROR", - "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "one_of": [ "SKIP", "IGNORE_CA_ERROR", @@ -170,15 +168,15 @@ }, { "http_timeout": { - "default": 30000, "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "default": 30000, "type": "number" } }, { "cert_cache_ttl": { - "default": 60000, "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", + "default": 60000, "type": "number" } }, @@ -196,12 +194,12 @@ }, { "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + ] } }, { 
@@ -212,18 +210,20 @@ }, { "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + ] } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/hmac-auth/3.10.x.json b/schemas/hmac-auth/3.10.x.json index b922bd3e..241d07ac 100644 --- a/schemas/hmac-auth/3.10.x.json +++ b/schemas/hmac-auth/3.10.x.json @@ -1,32 +1,16 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.algorithms" - ] - } - } - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], + "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -38,65 +22,81 @@ "wss" ] }, - "required": true, - "type": "set" + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "hide_credentials": { - "default": false, + "type": "boolean", "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "clock_skew": { - "default": 300, - "description": "Clock skew in seconds to prevent replay attacks.", "gt": 0, + "description": "Clock skew in seconds to prevent replay attacks.", + "default": 300, "type": "number" } }, { "anonymous": { - "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", - "type": "string" + "type": "string", + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." 
} }, { "validate_request_body": { - "default": false, + "type": "boolean", "description": "A boolean value telling the plugin to enable body validation.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "enforce_headers": { - "elements": { - "type": "string" - }, - "description": "A list of headers that the client should at least use for HTTP signature creation.", "default": [ ], - "type": "array" + "description": "A list of headers that the client should at least use for HTTP signature creation.", + "type": "array", + "elements": { + "type": "string" + } } }, { "algorithms": { + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", + "type": "array", "elements": { "type": "string", "one_of": [ @@ -105,27 +105,27 @@ "hmac-sha384", "hmac-sha512" ] - }, - "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", - "default": [ - "hmac-sha1", - "hmac-sha256", - "hmac-sha384", - "hmac-sha512" - ], - "type": "array" + } } }, { "realm": { "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", - "required": false, - "type": "string" + "type": "string", + "required": false } } ], - "required": true, - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.algorithms" + ] } } ] diff --git a/schemas/http-log/3.10.x.json b/schemas/http-log/3.10.x.json index 0c018a80..8708abb5 100644 --- a/schemas/http-log/3.10.x.json +++ b/schemas/http-log/3.10.x.json 
@@ -1,21 +1,13 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing protocols.", + "type": "set", + "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -27,36 +19,42 @@ "udp", "ws", "wss" - ], - "type": "string" - } + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "http_endpoint": { - "encrypted": true, - "referenceable": true, - "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": true + "type": "string", + "required": true, + "encrypted": true, + "referenceable": true } }, { "method": { - "default": "POST", - "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", "type": "string", + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", + "default": "POST", "one_of": [ "POST", "PUT", @@ -66,9 +64,9 @@ }, { "content_type": { - "default": "application/json", - "description": "Indicates the type of data sent. The only available option is `application/json`.", "type": "string", + "description": "Indicates the type of data sent. The only available option is `application/json`.", + "default": "application/json", "one_of": [ "application/json", "application/json; charset=utf-8" 
@@ -77,16 +75,16 @@ }, { "timeout": { - "default": 10000, "description": "An optional timeout in milliseconds when sending data to the upstream server.", - "type": "number" + "type": "number", + "default": 10000 } }, { "keepalive": { - "default": 60000, "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", - "type": "number" + "type": "number", + "default": 60000 } }, { @@ -94,9 +92,9 @@ "description": "Number of times to retry when sending data to the upstream server.", "type": "integer", "deprecation": { + "removal_in_version": "4.0", "old_default": 10, - "message": "http-log: config.retry_count no longer works, please use config.queue.max_retry_time instead", - "removal_in_version": "4.0" + "message": "http-log: config.retry_count no longer works, please use config.queue.max_retry_time instead" } } }, @@ -105,9 +103,9 @@ "description": "Maximum number of log entries to be sent on each message to the upstream server.", "type": "integer", "deprecation": { + "removal_in_version": "4.0", "old_default": 1, - "message": "http-log: config.queue_size is deprecated, please use config.queue.max_batch_size instead", - "removal_in_version": "4.0" + "message": "http-log: config.queue_size is deprecated, please use config.queue.max_batch_size instead" } } }, 
@@ -116,42 +114,43 @@ "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", "type": "number", "deprecation": { + "removal_in_version": "4.0", "old_default": 2, - "message": "http-log: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", - "removal_in_version": "4.0" + "message": "http-log: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead" } } }, { "headers": { "values": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", + "type": "map", "keys": { - "description": "A string representing an HTTP header name.", "match_none": [ { - "err": "cannot contain 'Host' header", - "pattern": "^[Hh][Oo][Ss][Tt]$" + "pattern": "^[Hh][Oo][Ss][Tt]$", + "err": "cannot contain 'Host' header" }, { - "err": "cannot contain 'Content-Length' header", - "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$" + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$", + "err": "cannot contain 'Content-Length' header" }, { - "err": "cannot contain 'Content-Type' header", - "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$" + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$", + "err": "cannot contain 'Content-Type' header" } ], + "description": "A string representing an HTTP header name.", "type": "string" - }, - "type": "map" + } } }, { "queue": { + "type": "record", "fields": [ { "max_batch_size": { @@ -194,9 +193,9 @@ }, { "max_retry_time": { - "default": 60, "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "type": "number" + "type": "number", + "default": 60 } }, { 
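Review bot: The `match_none` pattern for Content-Length under `headers.keys` uses the class `[nn]`, so it rejects the header name only when that letter is lowercase; a key written with an uppercase `N` in `Length` passes the check even though HTTP header names are case-insensitive. Every other letter in the three patterns carries both cases, so this reads as a typo for `[Nn]`: `"pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][Nn][Gg][Tt][Hh]$"`. Whether the plugin normalises header names before sending is not visible in this hunk, so the practical effect should be confirmed against the plugin code. The line is only reordered by this commit, so the fix likely belongs in the schema source this file is generated from.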
@@ -223,9 +222,9 @@ }, { "concurrency_limit": { - "default": 1, - "description": "The number of of queue delivery timers. -1 indicates unlimited.", "type": "integer", + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "default": 1, "one_of": [ -1, 1 @@ -233,28 +232,29 @@ } } ], - "required": true, - "type": "record" + "required": true } }, { "custom_fields_by_lua": { - "description": "Lua code as a key-value map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, + "description": "Lua code as a key-value map", + "type": "map", "keys": { "type": "string", "len_min": 1 - }, - "type": "map" + } } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/injection-protection/3.10.x.json b/schemas/injection-protection/3.10.x.json index 1f100616..cc56d5ea 100644 --- a/schemas/injection-protection/3.10.x.json +++ b/schemas/injection-protection/3.10.x.json @@ -1,27 +1,18 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -30,15 +21,21 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { @@ -51,15 +48,13 @@ ] } ], + "type": "record", "fields": [ { "injection_types": { - "required": true, - "type": "set", - "default": [ - "sql" - ], "description": "The type of injections to check for.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -70,17 +65,17 @@ "xpath_extended", "java_exception" ] - } + }, + "default": [ + "sql" + ] } }, { "locations": { - "required": true, - "type": "set", - "default": [ - "path_and_query" - ], "description": "The locations to check for injection.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -88,7 +83,10 @@ "path_and_query", "body" ] - } + }, + "default": [ + "path_and_query" + ] } }, { @@ -99,16 +97,16 @@ { "name": { "description": "A unique name for this injection.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "regex": { - "description": "The regex to match against.", - "is_regex": true, "required": true, - "type": "string" + "description": "The regex to match against.", + "type": "string", + "is_regex": true } } ] @@ -120,10 +118,10 @@ }, { "enforcement_mode": { - "required": true, + "description": "Enforcement mode of the security policy.", "type": "string", + "required": true, "default": "block", - "description": "Enforcement mode of the security policy.", "one_of": [ "block", "log_only" 
@@ -132,28 +130,30 @@ }, { "error_status_code": { + "description": "The response status code when validation fails.", + "type": "integer", + "required": true, + "default": 400, "between": [ 400, 499 - ], - "required": true, - "type": "integer", - "default": 400, - "description": "The response status code when validation fails." + ] } }, { "error_message": { - "default": "Bad Request", + "type": "string", "description": "The response message when validation fails", - "required": true, - "type": "string" + "default": "Bad Request", + "required": true } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/ip-restriction/3.10.x.json b/schemas/ip-restriction/3.10.x.json index 6ce79129..4e05165b 100644 --- a/schemas/ip-restriction/3.10.x.json +++ b/schemas/ip-restriction/3.10.x.json @@ -1,28 +1,13 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.allow", - "config.deny" - ] - } - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "http", - "https", - "tcp", - "tls", - "grpc", - "grpcs" - ], "description": "A set of strings representing protocols.", + "type": "set", + "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -34,52 +19,67 @@ "udp", "ws", "wss" - ], - "type": "string" - } + ] + }, + "default": [ + "http", + "https", + "tcp", + "tls", + "grpc", + "grpcs" + ] } }, { "config": { + "type": "record", "fields": [ { "allow": { + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", + "type": "array", "elements": { "type": "string", "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." - }, - "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", - "type": "array" + } } }, { "deny": { + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", + "type": "array", "elements": { "type": "string", "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." - }, - "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", - "type": "array" + } } }, { "status": { "description": "The HTTP status of the requests that will be rejected by the plugin.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "message": { "description": "The message to send as a response body to rejected requests.", - "required": false, - "type": "string" + "type": "string", + "required": false } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } ] } \ No newline at end of file diff --git a/schemas/jq/3.10.x.json b/schemas/jq/3.10.x.json index 623393bd..d489732a 100644 --- a/schemas/jq/3.10.x.json +++ b/schemas/jq/3.10.x.json 
@@ -1,27 +1,18 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -30,7 +21,13 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { @@ -43,11 +40,12 @@ ] } ], + "type": "record", "fields": [ { "request_jq_program": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -56,62 +54,62 @@ ], "type": "record", - "required": false, "fields": [ { "compact_output": { "default": true, - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "raw_output": { "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "join_output": { "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "ascii_output": { "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "sort_keys": { "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } } - ] + ], + "required": false } }, { "request_if_media_type": { + "type": "array", "elements": { "type": "string" }, "default": [ "application/json" ], - "required": false, - "type": "array" + "required": false } }, { "response_jq_program": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { 
@@ -120,78 +118,80 @@ ], "type": "record", - "required": false, "fields": [ { "compact_output": { "default": true, - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "raw_output": { "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "join_output": { "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "ascii_output": { "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "sort_keys": { "default": false, - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } } - ] + ], + "required": false } }, { "response_if_media_type": { + "type": "array", "elements": { "type": "string" }, "default": [ "application/json" ], - "required": false, - "type": "array" + "required": false } }, { "response_if_status_code": { + "type": "array", "elements": { + "type": "integer", "between": [ 100, 599 - ], - "type": "integer" + ] }, "default": [ 200 ], - "required": false, - "type": "array" + "required": false } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/json-threat-protection/3.10.x.json b/schemas/json-threat-protection/3.10.x.json index e41dd894..9d2d886b 100644 --- a/schemas/json-threat-protection/3.10.x.json +++ b/schemas/json-threat-protection/3.10.x.json 
@@ -1,34 +1,18 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.max_body_size", - "config.max_container_depth" - ] - } - } - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -37,98 +21,113 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "max_body_size": { + "description": "Max size of the request body. -1 means unlimited.", + "type": "integer", + "required": false, + "default": 8192, "between": [ -1, 2147483648 - ], - "required": false, - "type": "integer", - "default": 8192, - "description": "Max size of the request body. -1 means unlimited." + ] } }, { "max_container_depth": { + "description": "Max nested depth of objects and arrays. -1 means unlimited.", + "type": "integer", + "required": false, + "default": -1, "between": [ -1, 2147483648 - ], - "required": false, - "type": "integer", - "default": -1, - "description": "Max nested depth of objects and arrays. -1 means unlimited." + ] } }, { "max_object_entry_count": { + "description": "Max number of entries in an object. -1 means unlimited.", + "type": "integer", + "required": false, + "default": -1, "between": [ -1, 2147483648 - ], - "required": false, - "type": "integer", - "default": -1, - "description": "Max number of entries in an object. -1 means unlimited." + ] } }, { "max_object_entry_name_length": { + "description": "Max string length of object name. -1 means unlimited.", + "type": "integer", + "required": false, + "default": -1, "between": [ -1, 2147483648 - ], - "required": false, - "type": "integer", - "default": -1, - "description": "Max string length of object name. -1 means unlimited." + ] } }, { "max_array_element_count": { + "description": "Max number of elements in an array. 
-1 means unlimited.", + "type": "integer", + "required": false, + "default": -1, "between": [ -1, 2147483648 - ], - "required": false, - "type": "integer", - "default": -1, - "description": "Max number of elements in an array. -1 means unlimited." + ] } }, { "max_string_value_length": { + "description": "Max string value length. -1 means unlimited.", + "type": "integer", + "required": false, + "default": -1, "between": [ -1, 2147483648 - ], - "required": false, - "type": "integer", - "default": -1, - "description": "Max string value length. -1 means unlimited." + ] + } + }, + { + "allow_duplicate_object_entry_name": { + "type": "boolean", + "description": "Allow or disallow duplicate object entry name.", + "default": true, + "required": false } }, { "enforcement_mode": { - "required": false, + "description": "Enforcement mode of the security policy.", "type": "string", + "required": false, "default": "block", - "description": "Enforcement mode of the security policy.", "one_of": [ "block", "log_only" @@ -137,27 +136,36 @@ }, { "error_status_code": { + "description": "The response status code when validation fails.", + "type": "integer", + "required": false, + "default": 400, "between": [ 400, 499 - ], - "required": false, - "type": "integer", - "default": 400, - "description": "The response status code when validation fails." + ] } }, { "error_message": { - "default": "Bad Request", + "type": "string", "description": "The response message when validation fails", - "required": false, - "type": "string" + "default": "Bad Request", + "required": false } } ], - "required": true, - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.max_body_size", + "config.max_container_depth" + ] } } ] diff --git a/schemas/jwe-decrypt/3.10.x.json b/schemas/jwe-decrypt/3.10.x.json index f414e64e..2ecc7791 100644 --- a/schemas/jwe-decrypt/3.10.x.json +++ b/schemas/jwe-decrypt/3.10.x.json 
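Review bot: The new `allow_duplicate_object_entry_name` field in the `@@ -37,98 +21,113 @@` hunk defaults to `true`, so a freshly configured policy accepts JSON bodies with repeated object keys unless the operator turns the check on. Parsers disagree on which duplicate wins, which is why a threat-protection policy usually wants them rejected, and the description `Allow or disallow duplicate object entry name.` states neither the effect of the default nor that `false` is the stricter setting. I would default to `false`, or if `true` is kept for backward compatibility, extend the description to something like `Allow or disallow duplicate object entry name. Defaults to true (duplicates accepted); set to false to reject them.` The same hunk leaves every limit except `max_body_size` at `-1` (unlimited), so the plugin enforces little until it is configured.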
@@ -1,19 +1,10 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -22,42 +13,49 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "config": { + "type": "record", "fields": [ { "lookup_header_name": { "default": "Authorization", "description": "The name of the header to look for the JWE token.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "forward_header_name": { "default": "Authorization", "description": "The name of the header that is used to set the decrypted value.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { 
@@ -66,21 +64,23 @@ "type": "string" }, "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", - "required": true, - "type": "array" + "type": "array", + "required": true } }, { "strict": { - "default": true, "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", + "default": true, "type": "boolean" } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/jwt-signer/3.10.x.json b/schemas/jwt-signer/3.10.x.json index 613ca8b3..20462ed5 100644 --- a/schemas/jwt-signer/3.10.x.json +++ b/schemas/jwt-signer/3.10.x.json @@ -1,36 +1,18 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.access_token_upstream_header", - "config.channel_token_upstream_header", - "config.original_access_token_upstream_header", - "config.original_channel_token_upstream_header" - ] - } - } - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -39,174 +21,154 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "entity_checks": [ - { - "mutually_required": [ - "access_token_jwks_uri_client_username", - "access_token_jwks_uri_client_password" - ] - }, - { - "mutually_required": [ - "access_token_keyset_client_username", - "access_token_keyset_client_password" - ] - }, - { - "mutually_required": [ - "channel_token_jwks_uri_client_username", - "channel_token_jwks_uri_client_password" - ] - }, - { - "mutually_required": [ - "channel_token_keyset_client_username", - "channel_token_keyset_client_password" - ] - } - ], "type": "record", "required": true, "fields": [ { "realm": { "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "enable_hs_signatures": { - "default": false, + "type": "boolean", "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. 
If you need to accept such tokens for verification, enable this setting.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "enable_instrumentation": { - "default": false, + "type": "boolean", "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "access_token_issuer": { - "default": "kong", + "type": "string", "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", - "required": false, - "type": "string" + "default": "kong", + "required": false } }, { "access_token_keyset": { - "default": "kong", + "type": "string", "description": "The name of the keyset containing signing keys.", - "required": false, - "type": "string" + "default": "kong", + "required": false } }, { "access_token_keyset_client_username": { - "referenceable": true, - "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`", "required": false, - "type": "string" + "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`", + "type": "string", + "referenceable": true } }, { "access_token_keyset_client_password": { - "encrypted": true, - "referenceable": true, - "type": "string", "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `access_token_keyset_client_username`", - "required": false + "type": "string", + "required": false, + "encrypted": true, + "referenceable": true } }, { "access_token_keyset_client_certificate": { + "type": "foreign", "description": "The client certificate that will be used to authenticate Kong if `access_token_keyset` is an https uri that requires mTLS Auth.", "reference": "certificates", - "required": false, - "type": "foreign" + "required": false } }, { "access_token_keyset_rotate_period": { - "default": 0, + "type": "number", "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. The default value 0 means no auto-rotation.", - "required": false, - "type": "number" + "default": 0, + "required": false } }, { "access_token_jwks_uri": { "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "access_token_jwks_uri_client_username": { - "referenceable": true, - "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`", "required": false, - "type": "string" + "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`", + "type": "string", + "referenceable": true } }, { "access_token_jwks_uri_client_password": { - "encrypted": true, - "referenceable": true, - "type": "string", "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. 
Should be configured together with `access_token_jwks_uri_client_username`", - "required": false + "type": "string", + "required": false, + "encrypted": true, + "referenceable": true } }, { "access_token_jwks_uri_client_certificate": { + "type": "foreign", "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", "reference": "certificates", - "required": false, - "type": "foreign" + "required": false } }, { "access_token_jwks_uri_rotate_period": { - "default": 0, + "type": "number", "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. The default value 0 means no auto-rotation.", - "required": false, - "type": "number" + "default": 0, + "required": false } }, { "access_token_request_header": { - "default": "Authorization", + "type": "string", "description": "This parameter tells the name of the header where to look for the access token.", - "required": false, - "type": "string" + "default": "Authorization", + "required": false } }, { "access_token_leeway": { - "default": 0, + "type": "number", "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", - "required": false, - "type": "number" + "default": 0, + "required": false } }, { 
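Review bot: The four `mutually_required` pairs under `config.entity_checks` (username and password for `access_token_keyset`, `access_token_jwks_uri` and the two `channel_token_*` equivalents) are removed at the top of `config`, and nothing on the new side of this hunk puts them back. The jwe-decrypt file in this patch moves its `entity_checks` to the end of the object, so these probably reappear after `fields`, outside this hunk; please confirm against the regenerated file. If they are gone, the schema no longer records that a Basic Auth username needs its password, while the descriptions still say "Should be configured together with". The entry to keep is `{ "mutually_required": [ "access_token_keyset_client_username", "access_token_keyset_client_password" ] }` together with its three siblings.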
@@ -215,18 +177,18 @@ "type": "string" }, "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "access_token_scopes_claim": { - "required": false, + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", "type": "array", + "required": false, "elements": { "type": "string" }, - "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", "default": [ "scope" ] @@ -238,14 +200,15 @@ "type": "string" }, "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "access_token_consumer_by": { - "required": false, + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ @@ -254,7 +217,6 @@ "custom_id" ] }, - "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", "default": [ "username", "custom_id" 
@@ -263,47 +225,47 @@ }, { "access_token_upstream_header": { - "default": "Authorization:Bearer", + "type": "string", "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", - "required": false, - "type": "string" + "default": "Authorization:Bearer", + "required": false } }, { "access_token_upstream_leeway": { - "default": 0, + "type": "number", "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", - "required": false, - "type": "number" + "default": 0, + "required": false } }, { "access_token_introspection_endpoint": { "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "access_token_introspection_authorization": { "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "access_token_introspection_body_args": { "description": "This parameter allows you to pass URL encoded request body arguments. 
For example: `resource=` or `a=1&b=&c`.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "access_token_introspection_hint": { - "default": "access_token", + "type": "string", "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", - "required": false, - "type": "string" + "default": "access_token", + "required": false } }, { @@ -312,8 +274,8 @@ "type": "string" }, "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { 
@@ -322,18 +284,18 @@ "type": "string" }, "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "access_token_introspection_scopes_claim": { - "required": true, + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", "type": "array", + "required": true, "elements": { "type": "string" }, - "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", "default": [ "scope" ] 
@@ -345,14 +307,15 @@ "type": "string" }, "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "access_token_introspection_consumer_by": { - "required": false, + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.", "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ @@ -361,7 +324,6 @@ "custom_id" ] }, - "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.", "default": [ "username", "custom_id" 
@@ -370,25 +332,25 @@ }, { "access_token_introspection_leeway": { - "default": 0, + "type": "number", "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", - "required": false, - "type": "number" + "default": 0, + "required": false } }, { "access_token_introspection_timeout": { "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "access_token_signing_algorithm": { - "required": true, + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", "type": "string", + "required": true, "default": "RS256", - "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", "one_of": [ "HS256", "HS384", 
@@ -407,15 +369,15 @@ }, { "add_access_token_claims": { + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "map", + "required": false, "values": { "type": "string" }, - "required": false, - "type": "map", "default": [ ], - "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "keys": { "type": "string" } @@ -423,15 +385,15 @@ }, { "set_access_token_claims": { + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "map", + "required": false, "values": { "type": "string" }, - "required": false, - "type": "map", "default": [ ], - "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "keys": { "type": "string" } @@ -439,12 +401,12 @@ }, { "remove_access_token_claims": { - "required": false, + "description": "remove claims. It should be an array, and each element is a claim key string.", "type": "array", + "required": false, "elements": { "type": "string" }, - "description": "remove claims. It should be an array, and each element is a claim key string.", "default": [ ] 
@@ -453,184 +415,184 @@ { "original_access_token_upstream_header": { "description": "The HTTP header name used to store the original access token.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "access_token_optional": { - "default": false, + "type": "boolean", "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "verify_access_token_signature": { - "default": true, + "type": "boolean", "description": "Quickly turn access token signature verification off and on as needed.", - "required": false, - "type": "boolean" + "default": true, + "required": false } }, { "verify_access_token_expiry": { - "default": true, + "type": "boolean", "description": "Quickly turn access token expiry verification off and on as needed.", - "required": false, - "type": "boolean" + "default": true, + "required": false } }, { "verify_access_token_scopes": { - "default": true, + "type": "boolean", "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", - "required": false, - "type": "boolean" + "default": true, + "required": false } }, { "verify_access_token_introspection_expiry": { - "default": true, + "type": "boolean", "description": "Quickly turn access token introspection expiry verification off and on as needed.", - "required": false, - "type": "boolean" + "default": true, + "required": false } }, { "verify_access_token_introspection_scopes": { - "default": true, + "type": "boolean", 
"description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", - "required": false, - "type": "boolean" + "default": true, + "required": false } }, { "cache_access_token_introspection": { - "default": true, + "type": "boolean", "description": "Whether to cache access token introspection results.", - "required": false, - "type": "boolean" + "default": true, + "required": false } }, { "trust_access_token_introspection": { - "default": true, + "type": "boolean", "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", - "required": false, - "type": "boolean" + "default": true, + "required": false } }, { "enable_access_token_introspection": { - "default": true, + "type": "boolean", "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", - "required": false, - "type": "boolean" + "default": true, + "required": false } }, { "channel_token_issuer": { - "default": "kong", + "type": "string", "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", - "required": false, - "type": "string" + "default": "kong", + "required": false } }, { "channel_token_keyset": { - "default": "kong", + "type": "string", "description": "The name of the keyset containing signing keys.", - "required": false, - "type": "string" + "default": "kong", + "required": false } }, { "channel_token_keyset_client_username": { - "referenceable": true, - "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_keyset_client_password`", "required": false, - "type": "string" + "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`", + "type": "string", + "referenceable": true } }, { "channel_token_keyset_client_password": { - "encrypted": true, - "referenceable": true, - "type": "string", "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_username`", - "required": false + "type": "string", + "required": false, + "encrypted": true, + "referenceable": true } }, { "channel_token_keyset_client_certificate": { + "type": "foreign", "description": "The client certificate that will be used to authenticate Kong if `channel_token_keyset` is an https uri that requires mTLS Auth.", "reference": "certificates", - "required": false, - "type": "foreign" + "required": false } }, { "channel_token_keyset_rotate_period": { - "default": 0, + "type": "number", "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. The default value 0 means no auto-rotation.", - "required": false, - "type": "number" + "default": 0, + "required": false } }, { "channel_token_jwks_uri": { "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. 
If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "channel_token_jwks_uri_client_username": { - "referenceable": true, - "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", "required": false, - "type": "string" + "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", + "type": "string", + "referenceable": true } }, { "channel_token_jwks_uri_client_password": { - "encrypted": true, - "referenceable": true, - "type": "string", "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`", - "required": false + "type": "string", + "required": false, + "encrypted": true, + "referenceable": true } }, { "channel_token_jwks_uri_client_certificate": { + "type": "foreign", "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", "reference": "certificates", - "required": false, - "type": "foreign" + "required": false } }, { "channel_token_jwks_uri_rotate_period": { - "default": 0, + "type": "number", "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. The default value 0 means no auto-rotation.", - "required": false, - "type": "number" + "default": 0, + "required": false } }, { "channel_token_request_header": { "description": "This parameter tells the name of the header where to look for the channel token. 
If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "channel_token_leeway": { - "default": 0, + "type": "number", "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", - "required": false, - "type": "number" + "default": 0, + "required": false } }, { @@ -639,18 +601,18 @@ "type": "string" }, "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "channel_token_scopes_claim": { - "required": false, + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", "type": "array", + "required": false, "elements": { "type": "string" }, - "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", "default": [ "scope" ] @@ -662,8 +624,8 @@ "type": "string" }, "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { 
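Review bot: `trust_access_token_introspection` keeps `"default": true` while its description says that with `true` "the expiry or scopes are not checked on a payload", and `verify_access_token_introspection_expiry` and `verify_access_token_introspection_scopes` in the same hunk also default to `true`; the text never says which setting takes precedence. I would add one sentence to the description along the lines of `When true (the default), introspection results are accepted without the expiry and scope checks.`, adjusted to what the plugin actually does. Separately, the description of `channel_token_jwks_uri_client_certificate` names `access_token_jwks_uri` where `channel_token_jwks_uri` looks intended. Both strings come from the API, so the fix belongs upstream.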
@@ -687,23 +649,23 @@ { "channel_token_upstream_header": { "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "channel_token_upstream_leeway": { - "default": 0, + "type": "number", "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", - "required": false, - "type": "number" + "default": 0, + "required": false } }, { "channel_token_introspection_endpoint": { "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -712,8 +674,8 @@ "type": "string" }, "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -722,8 +684,8 @@ "type": "string" }, "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { 
@@ -732,8 +694,8 @@ "type": "string" }, "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -742,8 +704,8 @@ "type": "string" }, "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -752,18 +714,18 @@ "type": "string" }, "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "channel_token_introspection_scopes_claim": { - "required": false, + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", "type": "array", + "required": false, "elements": { "type": "string" }, - "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", "default": [ "scope" ] 
@@ -775,14 +737,15 @@ "type": "string" }, "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "channel_token_introspection_consumer_by": { - "required": false, + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ @@ -791,7 +754,6 @@ "custom_id" ] }, - "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", "default": [ "username", "custom_id" 
@@ -800,25 +762,25 @@ }, { "channel_token_introspection_leeway": { - "default": 0, + "type": "number", "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", - "required": false, - "type": "number" + "default": 0, + "required": false } }, { "channel_token_introspection_timeout": { "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "channel_token_signing_algorithm": { - "required": true, + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", "type": "string", + "required": true, "default": "RS256", - "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", "one_of": [ "HS256", "HS384", 
@@ -837,15 +799,15 @@ }, { "add_channel_token_claims": { + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "map", + "required": false, "values": { "type": "string" }, - "required": false, - "type": "map", "default": [ ], - "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "keys": { "type": "string" } @@ -853,15 +815,15 @@ }, { "set_channel_token_claims": { + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "map", + "required": false, "values": { "type": "string" }, - "required": false, - "type": "map", "default": [ ], - "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "keys": { "type": "string" } @@ -869,12 +831,12 @@ }, { "remove_channel_token_claims": { - "required": false, + "description": "remove claims. It should be an array, and each element is a claim key string.", "type": "array", + "required": false, "elements": { "type": "string" }, - "description": "remove claims. It should be an array, and each element is a claim key string.", "default": [ ] 
@@ -883,92 +845,92 @@ { "original_channel_token_upstream_header": { "description": "The HTTP header name used to store the original channel token.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "channel_token_optional": { - "default": false, + "type": "boolean", "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "verify_channel_token_signature": { - "default": true, + "type": "boolean", "description": "Quickly turn on/off the channel token signature verification.", - "required": false, - "type": "boolean" + "default": true, + "required": false } }, { "verify_channel_token_expiry": { + "type": "boolean", "default": true, - "required": false, - "type": "boolean" + "required": false } }, { "verify_channel_token_scopes": { - "default": true, + "type": "boolean", "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", - "required": false, - "type": "boolean" + "default": true, + "required": false } }, { "verify_channel_token_introspection_expiry": { - "default": true, + "type": "boolean", "description": "Quickly turn on/off the channel token introspection expiry verification.", - "required": false, - "type": "boolean" + "default": true, + "required": false } }, { "verify_channel_token_introspection_scopes": { - "default": true, + "type": "boolean", "description": "Quickly turn on/off the channel token introspection scopes verification specified with 
`config.channel_token_introspection_scopes_required`.", - "required": false, - "type": "boolean" + "default": true, + "required": false } }, { "cache_channel_token_introspection": { - "default": true, + "type": "boolean", "description": "Whether to cache channel token introspection results.", - "required": false, - "type": "boolean" + "default": true, + "required": false } }, { "trust_channel_token_introspection": { - "default": true, + "type": "boolean", "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", - "required": false, - "type": "boolean" + "default": true, + "required": false } }, { "enable_channel_token_introspection": { - "default": true, + "type": "boolean", "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", - "required": false, - "type": "boolean" + "default": true, + "required": false } }, { "add_claims": { + "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "map", + "required": false, "values": { "type": "string" }, - "required": false, - "type": "map", "default": [ ], - "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "keys": { "type": "string" } 
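Review bot: `verify_channel_token_expiry` has no `description` on the new side of this hunk, although every sibling toggle here (`verify_channel_token_signature`, `verify_channel_token_scopes`, `verify_channel_token_introspection_expiry`) has one. Setting this flag to `false` switches off an expiry check, so it should be documented at least as well as its siblings, for example `"description": "Quickly turn on/off the channel token expiry verification."`. These files look like exported schema snapshots, so the text probably has to be added in the plugin's schema source and re-exported rather than edited here. The same hunk documents `trust_channel_token_introspection` as defaulting to `true`, which skips payload expiry and scope checks, so a reader needs both descriptions to see which checks actually run.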
@@ -976,20 +938,58 @@ }, { "set_claims": { + "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "map", + "required": false, "values": { "type": "string" }, - "required": false, - "type": "map", "default": [ ], - "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "keys": { "type": "string" } } } + ], + "entity_checks": [ + { + "mutually_required": [ + "access_token_jwks_uri_client_username", + "access_token_jwks_uri_client_password" + ] + }, + { + "mutually_required": [ + "access_token_keyset_client_username", + "access_token_keyset_client_password" + ] + }, + { + "mutually_required": [ + "channel_token_jwks_uri_client_username", + "channel_token_jwks_uri_client_password" + ] + }, + { + "mutually_required": [ + "channel_token_keyset_client_username", + "channel_token_keyset_client_password" + ] + } + ] + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.access_token_upstream_header", + "config.channel_token_upstream_header", + "config.original_access_token_upstream_header", + "config.original_channel_token_upstream_header" ] } } diff --git a/schemas/jwt/3.10.x.json b/schemas/jwt/3.10.x.json index 06e0c528..0f444570 100644 --- a/schemas/jwt/3.10.x.json +++ b/schemas/jwt/3.10.x.json 
@@ -1,38 +1,18 @@ { - "entity_checks": [ - { - "conditional": { - "if_match": { - "gt": 0 - }, - "then_field": "config.claims_to_verify", - "if_field": "config.maximum_expiration", - "then_match": { - "contains": "exp" - } - } - } - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -41,19 +21,26 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "uri_param_names": { 
@@ -81,44 +68,44 @@ }, { "key_claim_name": { - "default": "iss", "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", - "type": "string" + "type": "string", + "default": "iss" } }, { "secret_is_base64": { - "default": false, + "type": "boolean", "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "claims_to_verify": { + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", + "type": "set", "elements": { "type": "string", "one_of": [ "exp", "nbf" ] - }, - "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", - "type": "set" + } } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." } }, { "run_on_preflight": { - "default": true, + "type": "boolean", "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", - "required": true, - "type": "boolean" + "default": true, + "required": true } }, { 
@@ -147,13 +134,26 @@ { "realm": { "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", - "required": false, - "type": "string" + "type": "string", + "required": false } } ], - "required": true, - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_match": { + "gt": 0 + }, + "then_field": "config.claims_to_verify", + "if_field": "config.maximum_expiration", + "then_match": { + "contains": "exp" + } } } ] diff --git a/schemas/kafka-consume/3.10.x.json b/schemas/kafka-consume/3.10.x.json index a3e693d8..372165ce 100644 --- a/schemas/kafka-consume/3.10.x.json +++ b/schemas/kafka-consume/3.10.x.json @@ -2,6 +2,7 @@ "fields": [ { "protocols": { + "type": "set", "elements": { "type": "string", "one_of": [ @@ -13,7 +14,6 @@ "wss" ] }, - "type": "set", "default": [ "grpc", "grpcs", @@ -27,14 +27,24 @@ }, { "consumer_group": { - "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "authentication" + ] + } + } + ], + "type": "record", "fields": [ { "bootstrap_servers": { 
@@ -43,54 +53,54 @@ "fields": [ { "host": { - "type": "string", "description": "A string representing a host name, such as example.com.", + "type": "string", "required": true } }, { "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true } } ] }, - "type": "set", "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set", "required": true } }, { "topics": { - "description": "The Kafka topics and their configuration you want to consume from.", + "len_min": 1, + "type": "array", "required": true, "elements": { "type": "record", "fields": [ { "name": { - "required": true, - "type": "string" + "type": "string", + "required": true } } ] }, - "type": "array", - "len_min": 1 + "description": "The Kafka topics and their configuration you want to consume from." } }, { "mode": { - "default": "http-get", "description": "The mode of operation for the plugin.", - "required": true, "type": "string", + "required": true, + "default": "http-get", "one_of": [ "server-sent-events", "http-get" @@ -99,10 +109,10 @@ }, { "message_deserializer": { - "default": "noop", "description": "The deserializer to use for the consumed messages.", - "required": true, "type": "string", + "required": true, + "default": "noop", "one_of": [ "json", "noop" @@ -111,10 +121,10 @@ }, { "auto_offset_reset": { - "default": "latest", "description": "The offset to start from when there is no initial offset in the consumer group.", - "required": true, "type": "string", + "required": true, + "default": "latest", "one_of": [ "earliest", "latest" 
@@ -123,10 +133,10 @@ }, { "commit_strategy": { - "default": "auto", "description": "The strategy to use for committing offsets.", - "required": true, "type": "string", + "required": true, + "default": "auto", "one_of": [ "auto", "off" @@ -139,48 +149,48 @@ "fields": [ { "strategy": { + "required": false, + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "type": "string", "one_of": [ "sasl" - ], - "type": "string", - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", - "required": false + ] } }, { "mechanism": { + "required": false, + "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", + "type": "string", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" - ], - "type": "string", - "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", - "required": false + ] } }, { "tokenauth": { - "type": "boolean", "description": "Enable this to indicate `DelegationToken` authentication", + "type": "boolean", "required": false } }, { "user": { - "encrypted": true, "description": "Username for SASL authentication.", - "required": false, "type": "string", + "required": false, + "encrypted": true, "referenceable": true } }, { "password": { - "encrypted": true, "description": "Password for SASL authentication.", - "required": false, "type": "string", + "required": false, + "encrypted": true, "referenceable": true } } @@ -194,16 +204,16 @@ "fields": [ { "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", "uuid": true, "type": "string", - "description": "UUID of certificate entity for mTLS authentication.", "required": false } }, { "ssl": { - "type": "boolean", "description": "Enables TLS.", + "type": "boolean", "required": false } } 
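Review bot: In the `authentication` hunk (`@@ -139,48 +149,48 @@`), the `mechanism` description still says "Supported options: `PLAIN` or `SCRAM-SHA-256`" while its `one_of` list also accepts `SCRAM-SHA-512`. The kafka-log schema in this same diff was corrected to name all three values, so kafka-consume should match it: ``"description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`."``. As it stands, the description hides the strongest of the accepted mechanisms from anyone choosing a value from the docs.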
@@ -213,25 +223,17 @@ }, { "cluster_name": { - "type": "string", "description": "An identifier for the Kafka cluster.", + "type": "string", "required": false } } ], - "type": "record", - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "authentication" - ] - } - } - ], "required": true } } ], - "entity_checks": [] + "entity_checks": [ + + ] } \ No newline at end of file diff --git a/schemas/kafka-log/3.10.x.json b/schemas/kafka-log/3.10.x.json index 2b4dc212..5e7fd696 100644 --- a/schemas/kafka-log/3.10.x.json +++ b/schemas/kafka-log/3.10.x.json @@ -1,18 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], + "type": "set", "elements": { "type": "string", "one_of": [ @@ -24,16 +14,23 @@ "wss" ] }, - "required": true, - "type": "set" + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { 
@@ -47,48 +44,49 @@ } } ], + "type": "record", "fields": [ { "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set", "elements": { "type": "record", "fields": [ { "host": { "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": true, - "type": "integer" + "required": true } } ] - }, - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", - "type": "set" + } } }, { "topic": { "description": "The Kafka topic to publish to.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "timeout": { - "default": 10000, "description": "Socket timeout in milliseconds.", - "type": "integer" + "type": "integer", + "default": 10000 } }, { @@ -105,12 +103,13 @@ }, { "authentication": { + "type": "record", "fields": [ { "strategy": { - "type": "string", - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "required": false, + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "type": "string", "one_of": [ "sasl" ] @@ -118,9 +117,9 @@ }, { "mechanism": { - "type": "string", - "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", "required": false, + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256` or `SCRAM-SHA-512`.", + "type": "string", "one_of": [ "PLAIN", "SCRAM-SHA-256", 
@@ -131,69 +130,68 @@ { "tokenauth": { "description": "Enable this to indicate `DelegationToken` authentication", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "user": { - "encrypted": true, - "referenceable": true, - "type": "string", "description": "Username for SASL authentication.", - "required": false + "type": "string", + "required": false, + "encrypted": true, + "referenceable": true } }, { "password": { - "encrypted": true, - "referenceable": true, - "type": "string", "description": "Password for SASL authentication.", - "required": false + "type": "string", + "required": false, + "encrypted": true, + "referenceable": true } } ], - "required": true, - "type": "record" + "required": true } }, { "security": { + "type": "record", "fields": [ { "certificate_id": { - "required": false, - "description": "UUID of certificate entity for mTLS authentication.", "uuid": true, - "type": "string" + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string", + "required": false } }, { "ssl": { "description": "Enables TLS.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } } ], - "required": true, - "type": "record" + "required": true } }, { "cluster_name": { - "auto": true, + "type": "string", "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", - "required": false, - "type": "string" + "auto": true, + "required": false } }, { "producer_request_acks": { - "default": 1, - "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "type": "integer", + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "default": 1, "one_of": [ -1, 0, 
@@ -203,78 +201,80 @@ }, { "producer_request_timeout": { - "default": 2000, "description": "Time to wait for a Produce response in milliseconds", - "type": "integer" + "type": "integer", + "default": 2000 } }, { "producer_request_limits_messages_per_request": { - "default": 200, "description": "Maximum number of messages to include into a single Produce request.", - "type": "integer" + "type": "integer", + "default": 200 } }, { "producer_request_limits_bytes_per_request": { - "default": 1048576, "description": "Maximum size of a Produce request in bytes.", - "type": "integer" + "type": "integer", + "default": 1048576 } }, { "producer_request_retries_max_attempts": { - "default": 10, "description": "Maximum number of retry attempts per single Produce request.", - "type": "integer" + "type": "integer", + "default": 10 } }, { "producer_request_retries_backoff_timeout": { - "default": 100, "description": "Backoff interval between retry attempts in milliseconds.", - "type": "integer" + "type": "integer", + "default": 100 } }, { "producer_async": { - "default": true, "description": "Flag to enable asynchronous mode.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "producer_async_flush_timeout": { - "default": 1000, "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", - "type": "integer" + "type": "integer", + "default": 1000 } }, { "producer_async_buffering_limits_messages_in_memory": { - "default": 50000, "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", - "type": "integer" + "type": "integer", + "default": 50000 } }, { "custom_fields_by_lua": { - "description": "Lua code as a key-value map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, + "description": "Lua code as a key-value map", + "type": "map", "keys": { "type": "string", "len_min": 1 - }, - "type": "map" + } } } ], - "required": true, - "type": "record" + 
"required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/kafka-upstream/3.10.x.json b/schemas/kafka-upstream/3.10.x.json index e05b530c..3c123046 100644 --- a/schemas/kafka-upstream/3.10.x.json +++ b/schemas/kafka-upstream/3.10.x.json @@ -1,19 +1,10 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -22,15 +13,21 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { 
@@ -54,71 +51,90 @@ } } ], + "type": "record", "fields": [ { "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set", "elements": { "type": "record", "fields": [ { "host": { "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": true, - "type": "integer" + "required": true } } ] + } + } + }, + { + "topics_query_arg": { + "description": "The request query parameter name that contains the topics to publish to", + "type": "string", + "required": false + } + }, + { + "allowed_topics": { + "elements": { + "type": "string" }, - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", - "type": "set" + "description": "The list of allowed topic names to which messages can be sent. 
The default topic configured in the `topic` field is always allowed, regardless of its inclusion in `allowed_topics`.", + "type": "array", + "required": false } }, { "topic": { - "description": "The Kafka topic to publish to.", - "required": true, - "type": "string" + "description": "The default Kafka topic to publish to if the query parameter defined in the `topics_query_arg` does not exist in the request", + "type": "string", + "required": true } }, { "timeout": { - "default": 10000, "description": "Socket timeout in milliseconds.", + "default": 10000, "type": "integer" } }, { "keepalive": { - "default": 60000, "description": "Keepalive timeout in milliseconds.", + "default": 60000, "type": "integer" } }, { "keepalive_enabled": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "authentication": { + "type": "record", "fields": [ { "strategy": { - "type": "string", - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "required": false, + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "type": "string", "one_of": [ "sasl" ] @@ -126,9 +142,9 @@ }, { "mechanism": { - "type": "string", - "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", "required": false, + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", + "type": "string", "one_of": [ "PLAIN", "SCRAM-SHA-256", 
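Review bot: The `allowed_topics` description added in hunk `@@ -54,71 +51,90 @@` does not say what happens when the list is omitted or empty, and the field is `required: false` with no `default`. This matters because the new `topics_query_arg` lets a request query parameter name the Kafka topic. The description should gain one sentence stating whether an unset list restricts publishing to `topic` only or permits any topic named in the query argument; the schema alone does not show which. Until that is documented, operators who enable `topics_query_arg` should set `allowed_topics` explicitly rather than rely on the default behaviour.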
@@ -139,90 +155,99 @@ { "tokenauth": { "description": "Enable this to indicate `DelegationToken` authentication.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "user": { - "encrypted": true, - "referenceable": true, - "type": "string", "description": "Username for SASL authentication.", - "required": false + "type": "string", + "required": false, + "encrypted": true, + "referenceable": true } }, { "password": { - "encrypted": true, - "referenceable": true, - "type": "string", "description": "Password for SASL authentication.", - "required": false + "type": "string", + "required": false, + "encrypted": true, + "referenceable": true } } ], - "required": true, - "type": "record" + "required": true } }, { "security": { + "type": "record", "fields": [ { "certificate_id": { - "uuid": true, "description": "UUID of certificate entity for mTLS authentication.", - "required": false, - "type": "string" + "uuid": true, + "type": "string", + "required": false } }, { "ssl": { "description": "Enables TLS.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } } ], - "required": true, - "type": "record" + "required": true } }, { "forward_method": { - "default": false, "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "default": false, "type": "boolean" } }, { "forward_uri": { - "default": false, "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "default": false, "type": "boolean" } }, { "forward_headers": { - "default": false, "description": "Include the request headers in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "default": false, "type": "boolean" } }, { "forward_body": { - "default": true, "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "default": true, "type": "boolean" } }, + { + "message_by_lua_functions": { + "elements": { + "type": "string" + }, + "description": "The Lua functions that manipulates the message being sent to the Kafka topic.", + "type": "array", + "required": false + } + }, { "cluster_name": { "auto": true, "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { 
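Review bot: The description of the new `message_by_lua_functions` field (hunk `@@ -139,90 +155,99 @@`) has a grammar slip and says nothing about how the strings are evaluated. The elements are plain strings that presumably hold Lua source run by the gateway for each message, so write access to this plugin's configuration would amount to the ability to run code in the proxy. I would fix the wording to `"description": "The Lua functions that manipulate the message being sent to the Kafka topic."` and add a sentence stating the execution context (sandboxed or not, and what arguments the functions receive). That lets reviewers of Admin API permissions treat the field accordingly.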
@@ -239,64 +264,66 @@ }, { "producer_request_timeout": { - "default": 2000, "description": "Time to wait for a Produce response in milliseconds.", + "default": 2000, "type": "integer" } }, { "producer_request_limits_messages_per_request": { - "default": 200, "description": "Maximum number of messages to include into a single producer request.", + "default": 200, "type": "integer" } }, { "producer_request_limits_bytes_per_request": { - "default": 1048576, "description": "Maximum size of a Produce request in bytes.", + "default": 1048576, "type": "integer" } }, { "producer_request_retries_max_attempts": { - "default": 10, "description": "Maximum number of retry attempts per single Produce request.", + "default": 10, "type": "integer" } }, { "producer_request_retries_backoff_timeout": { - "default": 100, "description": "Backoff interval between retry attempts in milliseconds.", + "default": 100, "type": "integer" } }, { "producer_async": { - "default": true, "description": "Flag to enable asynchronous mode.", + "default": true, "type": "boolean" } }, { "producer_async_flush_timeout": { - "default": 1000, "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "default": 1000, "type": "integer" } }, { "producer_async_buffering_limits_messages_in_memory": { - "default": 50000, "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "default": 50000, "type": "integer" } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/key-auth-enc/3.10.x.json b/schemas/key-auth-enc/3.10.x.json index 0db052a3..8faa16a0 100644 --- a/schemas/key-auth-enc/3.10.x.json +++ b/schemas/key-auth-enc/3.10.x.json 
@@ -1,26 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], + "type": "set", "elements": { "type": "string", "one_of": [ @@ -32,30 +22,38 @@ "wss" ] }, - "required": true, - "type": "set" + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "key_names": { - "required": true, + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "type": "array", + "required": true, "elements": { "type": "string", "description": "A string representing an HTTP header name." }, - "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "default": [ "apikey" ] 
@@ -63,9 +61,9 @@ }, { "hide_credentials": { - "default": false, "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", - "type": "boolean" + "type": "boolean", + "default": false } }, { @@ -76,43 +74,45 @@ }, { "key_in_header": { - "default": true, "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "key_in_query": { - "default": true, "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "key_in_body": { - "default": false, "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "run_on_preflight": { - "default": true, "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "realm": { "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", - "required": false, - "type": "string" + "type": "string", + "required": false } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/key-auth/3.10.x.json b/schemas/key-auth/3.10.x.json index dbb4a35d..abf5f9cb 100644 
--- a/schemas/key-auth/3.10.x.json +++ b/schemas/key-auth/3.10.x.json @@ -1,26 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], + "type": "set", "elements": { "type": "string", "one_of": [ @@ -32,30 +22,38 @@ "wss" ] }, - "required": true, - "type": "set" + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "key_names": { - "required": true, + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "type": "array", + "required": true, "elements": { "type": "string", "description": "A string representing an HTTP header name." }, - "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "default": [ "apikey" ] 
@@ -63,61 +61,159 @@ }, { "hide_credentials": { - "default": false, + "type": "boolean", "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`.", - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`." } }, { "key_in_header": { - "default": true, + "type": "boolean", "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", - "required": true, - "type": "boolean" + "default": true, + "required": true } }, { "key_in_query": { - "default": true, + "type": "boolean", "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", - "required": true, - "type": "boolean" + "default": true, + "required": true } }, { "key_in_body": { - "default": false, + "type": "boolean", "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "run_on_preflight": { - "default": true, + "type": "boolean", "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. 
If set to `false`, then `OPTIONS` requests are always allowed.", - "required": true, - "type": "boolean" + "default": true, + "required": true } }, { "realm": { "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", - "required": false, - "type": "string" + "type": "string", + "required": false + } + }, + { + "identity_realms": { + "default": [ + { + "region": null, + "id": null, + "scope": "cp" + } + ], + "description": "A configuration of Konnect Identity Realms that indicate where to source a consumer from.", + "type": "set", + "elements": { + "type": "record", + "fields": [ + { + "scope": { + "type": "string", + "one_of": [ + "cp", + "realm" + ] + } + }, + { + "id": { + "uuid": true, + "description": "A string representing a UUID (universally unique identifier).", + "type": "string", + "auto": false + } + }, + { + "region": { + "type": "string" + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_match": { + "eq": "realm" + }, + "then_field": "id", + "if_field": "scope", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "realm" + }, + "then_field": "region", + "if_field": "scope", + "then_match": { + "one_of": [ + "us", + "eu", + "au" + ] + } + } + }, + { + "conditional": { + "if_match": { + "eq": "cp" + }, + "then_field": "id", + "if_field": "scope", + "then_match": { + "eq": null, + "required": false + } + } + }, + { + "conditional": { + "if_match": { + "eq": "cp" + }, + "then_field": "region", + "if_field": "scope", + "then_match": { + "eq": null, + "required": false + } + } + } + ] + } } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/konnect-application-auth/3.10.x.json b/schemas/konnect-application-auth/3.10.x.json index e7763990..a6ad3f77 100644 --- a/schemas/konnect-application-auth/3.10.x.json 
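Review bot: In the new `identity_realms` element, the `conditional` check for `scope` equal to `realm` makes `id` required but only restricts `region` with `one_of` (`us`, `eu`, `au`), so a realm-scoped entry with no `region` may still validate if the validator skips `one_of` on an absent value. If a realm always needs a region, that `then_match` should also carry `"required": true`, as the `id` check does. Separately, `scope` and `region` have no `description`, unlike `id`; for `scope` something like `"description": "Source of the consumer, either cp or realm; with realm, id is required and region must be us, eu or au."` would document the rules that the entity checks enforce. These schema files look like they are pulled from the gateway's API, so both changes belong in the plugin's schema source.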
+++ b/schemas/konnect-application-auth/3.10.x.json @@ -1,27 +1,18 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -30,15 +21,21 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { @@ -46,16 +43,17 @@ "entity_checks": [ ], + "type": "record", "fields": [ { "key_names": { - "required": true, + "description": "The names of the headers containing the API key. You can specify multiple header names.", "type": "array", + "required": true, "elements": { "type": "string", "description": "A string representing an HTTP header name." }, - "description": "The names of the headers containing the API key. You can specify multiple header names.", "default": [ "apikey" ] 
@@ -63,10 +61,10 @@ }, { "auth_type": { - "required": true, + "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", "type": "string", + "required": true, "default": "openid-connect", - "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", "one_of": [ "openid-connect", "key-auth", @@ -76,20 +74,20 @@ }, { "scope": { - "required": true, - "description": "The unique scope identifier for the plugin configuration.", "unique": true, - "type": "string" + "description": "The unique scope identifier for the plugin configuration.", + "type": "string", + "required": true } }, { "v2_strategies": { - "required": false, + "description": "The map of v2 strategies.", "type": "record", + "required": false, "default": [ ], - "description": "The map of v2 strategies.", "fields": [ { "key_auth": { @@ -99,37 +97,37 @@ { "strategy_id": { "description": "The strategy id the config is tied to.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "config": { "type": "record", - "required": true, "fields": [ { "key_names": { - "required": true, + "description": "The names of the headers containing the API key. You can specify multiple header names.", "type": "array", + "required": true, "elements": { "type": "string", "description": "A string representing an HTTP header name." }, - "description": "The names of the headers containing the API key. You can specify multiple header names.", "default": [ "apikey" ] } } - ] + ], + "required": true } } ] }, "description": "List of key_auth strategies.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -140,8 +138,8 @@ { "strategy_id": { "description": "The strategy id the config is tied to.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { 
@@ -152,16 +150,16 @@ { "issuer": { "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "using_pseudo_issuer": { "default": false, "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { @@ -170,8 +168,8 @@ "type": "string" }, "description": "Extra header names passed to the discovery endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -180,8 +178,8 @@ "type": "string" }, "description": "Extra header values passed to the discovery endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -191,34 +189,23 @@ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", - "required": false, - "type": "set" + "type": "set", + "required": false } }, { "rediscovery_lifetime": { "default": 30, "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "auth_methods": { - "required": false, - "type": "array", - "default": [ - "password", - "client_credentials", - "authorization_code", - "bearer", - "introspection", - "userinfo", - "kong_oauth2", - "refresh_token", - "session" - ], "description": "Types of credentials/grants to enable.", + "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -232,31 +219,42 @@ "refresh_token", "session" ] - } + }, + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] } }, { "client_id": { - "encrypted": true, - "required": false, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", "type": "array", + "required": false, "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." + "encrypted": true } }, { "client_secret": { - "encrypted": true, - "required": false, + "description": "The client secret.", "type": "array", + "required": false, "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "description": "The client secret." + "encrypted": true } }, { 
@@ -274,199 +272,199 @@ ] }, "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "client_jwk": { "elements": { "type": "record", - "required": false, "fields": [ { "issuer": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "kty": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "use": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "key_ops": { "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false }, - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "alg": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "kid": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "x5u": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "x5c": { "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false }, - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "x5t": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "x5t#S256": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "k": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "x": { - "required": false, - "type": "string" + 
"type": "string", + "required": false } }, { "y": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "crv": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "n": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "e": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "d": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "p": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "q": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "dp": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "dq": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "qi": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "oth": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "r": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "t": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } } - ] + ], + "required": false }, "description": "The JWK used for the private_key_jwt authentication.", - 
"required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -490,16 +488,16 @@ ] }, "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "client_arg": { "default": "client_id", "description": "The client to use for this request (the selection is made with a request parameter with the same name).", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -509,32 +507,32 @@ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, "description": "The redirect URI passed to the authorization and token endpoints.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "login_redirect_uri": { "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, "description": "Where to redirect the client when `login_action` is set to `redirect`.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "logout_redirect_uri": { "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, "description": "Where to redirect the client after the logout.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { 
@@ -544,32 +542,32 @@ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, "description": "Where to redirect the client on forbidden requests.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "forbidden_error_message": { "default": "Forbidden", "description": "The error message for the forbidden requests (when not using the redirection).", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "forbidden_destroy_session": { "default": true, "description": "Destroy any active session for the forbidden requests.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "unauthorized_destroy_session": { "default": true, "description": "Destroy any active session for the unauthorized requests.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { @@ -579,16 +577,16 @@ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, "description": "Where to redirect the client on unauthorized requests.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "unauthorized_error_message": { "default": "Unauthorized", "description": "The error message for the unauthorized requests (when not using the redirection).", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { 
@@ -598,16 +596,16 @@ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, "description": "Where to redirect the client when unexpected errors happen with the requests.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "response_mode": { - "required": false, + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", "type": "string", + "required": false, "default": "query", - "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", "one_of": [ "query", "form_post", 
@@ -621,29 +619,29 @@ }, { "response_type": { - "required": false, - "type": "array", - "default": [ - "code" - ], "description": "The response type passed to the authorization endpoint.", + "type": "array", + "required": false, "elements": { "type": "string" - } + }, + "default": [ + "code" + ] } }, { "scopes": { - "required": false, + "description": "The scopes passed to the authorization and token endpoints.", "type": "array", + "required": false, + "elements": { + "type": "string", + "referenceable": true + }, "default": [ "openid" - ], - "description": "The scopes passed to the authorization and token endpoints.", - "elements": { - "referenceable": true, - "type": "string" - } + ] } }, { @@ -652,8 +650,8 @@ "type": "string" }, "description": "The audience passed to the authorization endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -662,8 +660,8 @@ "type": "string" }, "description": "The issuers allowed to be present in the tokens (`iss` claim).", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -672,21 +670,21 @@ "type": "string" }, "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "scopes_claim": { - "required": false, - "type": "array", - "default": [ - "scope" - ], "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", + "required": false, "elements": { "type": "string" - } + }, + "default": [ + "scope" + ] } }, { 
@@ -695,44 +693,44 @@ "type": "string" }, "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "audience_claim": { - "required": false, - "type": "array", - "default": [ - "aud" - ], "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", + "required": false, "elements": { "type": "string" - } - } - }, - { + }, + "default": [ + "aud" + ] + } + }, + { "groups_required": { "elements": { "type": "string" }, "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "groups_claim": { - "required": false, - "type": "array", - "default": [ - "groups" - ], "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", + "required": false, "elements": { "type": "string" - } + }, + "default": [ + "groups" + ] } }, { 
@@ -741,21 +739,21 @@ "type": "string" }, "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "roles_claim": { - "required": false, - "type": "array", - "default": [ - "roles" - ], "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", + "required": false, "elements": { "type": "string" - } + }, + "default": [ + "roles" + ] } }, { @@ -764,15 +762,15 @@ "type": "string" }, "description": "The allowed values for the `hd` claim.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "max_age": { "description": "The maximum age (in seconds) compared to the `auth_time` claim.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { 
@@ -781,22 +779,22 @@ "type": "string" }, "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "pushed_authorization_request_endpoint": { "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "pushed_authorization_request_endpoint_auth_method": { - "type": "string", - "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "required": false, + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -811,29 +809,29 @@ { "require_pushed_authorization_requests": { "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "require_proof_key_for_code_exchange": { "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "require_signed_request_object": { "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "authorization_endpoint": { "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -842,8 +840,8 @@ "type": "string" }, "description": "Extra query argument names passed to the authorization endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -852,8 +850,8 @@ "type": "string" }, "description": "Extra query argument values passed to the authorization endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { 
@@ -862,54 +860,54 @@ "type": "string" }, "description": "Extra query arguments passed from the client to the authorization endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "authorization_rolling_timeout": { "default": 600, "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "authorization_cookie_name": { "default": "authorization", "description": "The authorization cookie name.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "authorization_cookie_path": { - "required": false, - "type": "string", - "default": "/", - "description": "The authorization cookie Path flag.", "match_none": [ { - "err": "must not have empty segments", - "pattern": "//" + "pattern": "//", + "err": "must not have empty segments" } ], + "description": "The authorization cookie Path flag.", + "type": "string", + "required": false, + "default": "/", "starts_with": "/" } }, { "authorization_cookie_domain": { "description": "The authorization cookie Domain flag.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "authorization_cookie_same_site": { - "required": false, + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "type": "string", + "required": false, "default": "Default", - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "one_of": [ "Strict", "Lax", 
@@ -922,37 +920,37 @@ "authorization_cookie_http_only": { "default": true, "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "authorization_cookie_secure": { "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "preserve_query_args": { "default": false, "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "token_endpoint": { "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "token_endpoint_auth_method": { - "type": "string", - "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "required": false, + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", @@ -970,8 +968,8 @@ "type": "string" }, "description": "Extra header names passed to the token endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { 
@@ -980,8 +978,8 @@ "type": "string" }, "description": "Extra header values passed to the token endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -990,8 +988,8 @@ "type": "string" }, "description": "Extra headers passed from the client to the token endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -1000,15 +998,15 @@ "type": "string" }, "description": "The names of token endpoint response headers to forward to the downstream client.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "token_headers_prefix": { "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -1023,8 +1021,8 @@ ] }, "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -1033,8 +1031,8 @@ "type": "string" }, "description": "Extra post argument names passed to the token endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -1043,8 +1041,8 @@ "type": "string" }, "description": "Extra post argument values passed to the token endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { 
@@ -1053,22 +1051,22 @@ "type": "string" }, "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "introspection_endpoint": { "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "introspection_endpoint_auth_method": { - "type": "string", - "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "required": false, + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -1084,24 +1082,24 @@ "introspection_hint": { "default": "access_token", "description": "Introspection hint parameter value passed to the introspection endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "introspection_check_active": { "default": true, "description": "Check that the introspection response has an `active` claim with a value of `true`.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "introspection_accept": { - "required": false, + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", "type": "string", + "required": false, "default": "application/json", - "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", "one_of": [ "application/json", "application/token-introspection+jwt", @@ -1115,20 +1113,20 @@ "type": "string" }, "description": "Extra header names passed to the introspection endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "introspection_headers_values": { - "encrypted": true, - "required": false, + "description": "Extra header values passed to the introspection endpoint.", "type": "array", + "required": false, "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "description": "Extra header values passed to the introspection endpoint." + "encrypted": true } }, { 
@@ -1137,8 +1135,8 @@ "type": "string" }, "description": "Extra headers passed from the client to the introspection endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -1147,8 +1145,8 @@ "type": "string" }, "description": "Extra post argument names passed to the introspection endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -1157,8 +1155,8 @@ "type": "string" }, "description": "Extra post argument values passed to the introspection endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -1167,8 +1165,8 @@ "type": "string" }, "description": "Extra post arguments passed from the client to the introspection endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { 
@@ -1177,30 +1175,30 @@ "type": "string" }, "description": "Extra post arguments passed from the client headers to the introspection endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "introspect_jwt_tokens": { "default": false, "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "revocation_endpoint": { "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "revocation_endpoint_auth_method": { - "type": "string", - "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "required": false, + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -1215,23 +1213,23 @@ { "end_session_endpoint": { "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "userinfo_endpoint": { "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "userinfo_accept": { - "required": false, + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", "type": "string", + "required": false, "default": "application/json", - "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", "one_of": [ "application/json", "application/jwt" @@ -1244,8 +1242,8 @@ "type": "string" }, "description": "Extra header names passed to the user info endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -1254,8 +1252,8 @@ "type": "string" }, "description": "Extra header values passed to the user info endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -1264,8 +1262,8 @@ "type": "string" }, "description": "Extra headers passed from the client to the user info endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -1274,8 +1272,8 @@ "type": "string" }, "description": "Extra query argument names passed to the user info endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { 
@@ -1284,8 +1282,8 @@ "type": "string" }, "description": "Extra query argument values passed to the user info endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { 
@@ -1294,126 +1292,126 @@ "type": "string" }, "description": "Extra query arguments passed from the client to the user info endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "token_exchange_endpoint": { "description": "The token exchange endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_secret": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The session secret.", - "required": false + "referenceable": true } }, { "session_audience": { "default": "default", "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_cookie_name": { "default": "session", "description": "The session cookie name.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_remember": { "default": false, "description": "Enables or disables persistent sessions.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "session_remember_cookie_name": { "default": "remember", "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_remember_rolling_timeout": { "default": 604800, "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "session_remember_absolute_timeout": { "default": 2592000, "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 
0 disables the checks.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "session_idling_timeout": { "default": 900, "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "session_rolling_timeout": { "default": 3600, "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "session_absolute_timeout": { "default": 86400, "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "session_cookie_path": { - "required": false, - "type": "string", - "default": "/", - "description": "The session cookie Path flag.", "match_none": [ { - "err": "must not have empty segments", - "pattern": "//" + "pattern": "//", + "err": "must not have empty segments" } ], + "description": "The session cookie Path flag.", + "type": "string", + "required": false, + "default": "/", "starts_with": "/" } }, { "session_cookie_domain": { "description": "The session cookie Domain flag.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_cookie_same_site": { - "required": false, + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "type": "string", + "required": false, "default": "Lax", - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "one_of": [ "Strict", "Lax", 
@@ -1426,15 +1424,15 @@ "session_cookie_http_only": { "default": true, "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "session_cookie_secure": { "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { @@ -1452,8 +1450,8 @@ ] }, "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", - "required": false, - "type": "set" + "type": "set", + "required": false } }, { 
@@ -1471,16 +1469,16 @@ ] }, "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", - "required": false, - "type": "set" + "type": "set", + "required": false } }, { "session_storage": { - "required": false, + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", "type": "string", + "required": false, "default": "cookie", - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", "one_of": [ "cookie", "memcache", 
@@ -1493,206 +1491,75 @@ "session_store_metadata": { "default": false, "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "session_enforce_same_subject": { "default": false, "description": "When set to `true`, audiences are forced to share the same subject.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "session_hash_subject": { "default": false, "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "session_hash_storage_key": { "default": false, "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "session_memcached_prefix": { "description": "The memcached session key prefix.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_memcached_socket": { "description": "The memcached unix socket path.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_memcached_host": { "default": "127.0.0.1", "description": "The memcached host.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_memcached_port": { + "description": "The memcached port.", + "type": "integer", + "required": false, + "default": 11211, "between": [ 0, 65535 - ], - "required": false, - "type": "integer", - "default": 11211, - "description": "The memcached port." 
+ ] } }, { "redis": { - "required": true, - "type": "record", - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "shorthand_fields": [ - { - "timeout": { - "type": "integer", - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - } - } - }, - { - "sentinel_addresses": { - "elements": { - "type": "string" - }, - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "len_min": 1, - "type": "array" - } - }, - { - "cluster_addresses": { - "elements": { - "type": "string" - }, - "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "len_min": 1, - "type": "array" - } - } - ], "fields": [ { "host": { - 
"default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, 
@@ -1700,182 +1567,182 @@ "port": { "default": 6379, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer" + ] } }, { "connect_timeout": { "default": 2000, "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer" + ] } }, { "send_timeout": { "default": 2000, "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer" + ] } }, { "read_timeout": { "default": 2000, "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer" + ] } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { - "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { - "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, { "keepalive_pool_size": { - "default": 256, + "type": "integer", "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, "between": [ 1, 2147483646 - ], - "type": "integer" + ] } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + ] } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string" + ] } }, { "sentinel_nodes": { - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { + "type": "record", "fields": [ { "host": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { "default": 6379, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer" + ] } } - ], - "type": "record" + ] }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { + "type": "record", "fields": [ { "ip": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { "default": 6379, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer" + ] } } - ], - "type": "record" + ] }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, 
@@ -1883,91 +1750,217 @@ "ssl": { "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "ssl_verify": { "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "server_name": { "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "cluster_max_redirections": { "default": 5, "description": "Maximum retry attempts for redirection.", - "required": false, - "type": "integer" + "type": "integer", + "required": false } }, { "connection_is_proxied": { "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "prefix": { "description": "The Redis session key prefix.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "socket": { "description": "The Redis unix socket path.", - "required": false, - "type": "string" + "type": "string", + "required": false } } - ] - } - }, - { - "reverify": { - "default": false, - "description": "Specifies whether to always verify tokens stored in the session.", - "required": false, - "type": "boolean" - } - }, - { - "jwt_session_claim": { - "default": "sid", - "description": "The claim to match against the JWT session cookie.", - "required": false, - "type": "string" - } - }, - { - "jwt_session_cookie": { + ], + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", + "required": true, + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + 
] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + } + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + } + } + } + ] + } + }, + { + "reverify": { + "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", + "type": "boolean", + "required": false + } + }, + { + "jwt_session_claim": { + "default": "sid", + "description": "The claim to match against the JWT session cookie.", + "type": "string", + "required": false + } + }, + { + "jwt_session_cookie": { "description": "The name of the JWT session cookie.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "bearer_token_param_type": { - "required": false, - "type": "array", - "default": [ - "header", - "query", - "body" - ], "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -1976,26 +1969,26 @@ "query", "body" ] - } + }, + "default": [ + "header", + "query", + "body" + ] } }, { "bearer_token_cookie_name": { "description": "The name of the cookie in which the bearer token is passed.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "client_credentials_param_type": { - "required": false, - "type": "array", - "default": [ - "header", - "query", - "body" - ], "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ @@ -2003,19 +1996,19 @@ "query", "body" ] - } - } - }, - { - "password_param_type": { - "required": false, - "type": "array", + }, "default": [ "header", "query", "body" - ], + ] + } + }, + { + "password_param_type": { "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ @@ -2023,19 +2016,19 @@ "query", "body" ] - } - } - }, - { - "id_token_param_type": { - "required": false, - "type": "array", + }, "default": [ "header", "query", "body" - ], + ] + } + }, + { + "id_token_param_type": { "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2043,26 +2036,26 @@ "query", "body" ] - } + }, + "default": [ + "header", + "query", + "body" + ] } }, { "id_token_param_name": { "description": "The name of the parameter used to pass the id token.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "refresh_token_param_type": { - "required": false, - "type": "array", - "default": [ - "header", - "query", - "body" - ], "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ @@ -2070,22 +2063,27 @@ "query", "body" ] - } + }, + "default": [ + "header", + "query", + "body" + ] } }, { "refresh_token_param_name": { "description": "The name of the parameter used to pass the refresh token.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "refresh_tokens": { "default": true, "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { @@ -2094,8 +2092,8 @@ "type": "string" }, "description": "The upstream header claims. Only top level claims are supported.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { 
@@ -2104,79 +2102,79 @@ "type": "string" }, "description": "The upstream header names for the claim values.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "upstream_access_token_header": { "default": "authorization:bearer", "description": "The upstream access token header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_access_token_jwk_header": { "description": "The upstream access token JWK header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_id_token_header": { "description": "The upstream id token header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_id_token_jwk_header": { "description": "The upstream id token JWK header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_refresh_token_header": { "description": "The upstream refresh token header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_user_info_header": { "description": "The upstream user info header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_user_info_jwt_header": { "description": "The upstream user info JWT header (in case the user info returns a JWT response).", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_introspection_header": { "description": "The upstream introspection header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_introspection_jwt_header": { "description": "The upstream introspection JWT header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_session_id_header": { "description": "The upstream session id header.", - "required": false, - "type": "string" + "type": "string", + "required": 
false } }, { @@ -2185,8 +2183,8 @@ "type": "string" }, "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { 
@@ -2195,88 +2193,85 @@ "type": "string" }, "description": "The downstream header names for the claim values.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "downstream_access_token_header": { "description": "The downstream access token header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_access_token_jwk_header": { "description": "The downstream access token JWK header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_id_token_header": { "description": "The downstream id token header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_id_token_jwk_header": { "description": "The downstream id token JWK header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_refresh_token_header": { "description": "The downstream refresh token header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_user_info_header": { "description": "The downstream user info header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_user_info_jwt_header": { "description": "The downstream user info JWT header (in case the user info returns a JWT response).", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_introspection_header": { "description": "The downstream introspection header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_introspection_jwt_header": { "description": "The downstream introspection JWT header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_session_id_header": { "description": "The downstream session id header.", - "required": false, - "type": "string" + "type": "string", + 
"required": false } }, { "login_methods": { - "required": false, - "type": "array", - "default": [ - "authorization_code" - ], "description": "Enable login functionality with specified grants.", + "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ @@ -2290,15 +2285,18 @@ "refresh_token", "session" ] - } + }, + "default": [ + "authorization_code" + ] } }, { "login_action": { - "required": false, + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", "type": "string", + "required": false, "default": "upstream", - "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", "one_of": [ "upstream", "response", @@ -2308,12 +2306,9 @@ }, { "login_tokens": { - "required": false, - "type": "array", - "default": [ - "id_token" - ], "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2323,15 +2318,18 @@ "tokens", "introspection" ] - } + }, + "default": [ + "id_token" + ] } }, { "login_redirect_mode": { - "required": false, + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", "type": "string", + "required": false, "default": "fragment", - "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", "one_of": [ "query", "fragment" @@ -2341,33 +2339,29 @@ { "logout_query_arg": { "description": "The request query argument that activates the logout.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "logout_post_arg": { "description": "The request body argument that activates the logout.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "logout_uri_suffix": { "description": "The request URI suffix that activates the logout.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "logout_methods": { - "required": false, - "type": "array", - "default": [ - "POST", - "DELETE" - ], "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2375,31 +2369,35 @@ "GET", "DELETE" ] - } + }, + "default": [ + "POST", + "DELETE" + ] } }, { "logout_revoke": { "default": false, "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "logout_revoke_access_token": { "default": true, "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "logout_revoke_refresh_token": { "default": true, "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { @@ -2408,19 +2406,15 @@ "type": "string" }, "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "consumer_by": { - "required": false, - "type": "array", - "default": [ - "username", - "custom_id" - ], "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2428,93 +2422,94 @@ "username", "custom_id" ] - } + }, + "default": [ + "username", + "custom_id" + ] } }, { "consumer_optional": { "default": false, "description": "Do not terminate the request if consumer mapping fails.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "credential_claim": { - "required": false, - "type": "array", - "default": [ - "sub" - ], "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", + "required": false, "elements": { "type": "string" - } + }, + "default": [ + "sub" + ] } }, { "anonymous": { "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "run_on_preflight": { "default": true, "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "leeway": { "default": 0, "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "verify_parameters": { "default": false, "description": "Verify plugin configuration against discovery.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "verify_nonce": { "default": true, "description": "Verify nonce on authorization code flow.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "verify_claims": { "default": true, "description": "Verify tokens for standard claims.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "verify_signature": { "default": true, "description": "Verify signature of tokens.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "ignore_signature": { - "required": false, - "type": "array", - "default": [ - - ], "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2526,15 +2521,18 @@ "introspection", "userinfo" ] - } + }, + "default": [ + + ] } }, { "enable_hs_signatures": { "default": false, "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { 
@@ -2554,231 +2552,231 @@ ] }, "description": "Disable issuing the session cookie with the specified grants.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "cache_ttl": { "default": 3600, "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "cache_ttl_max": { "description": "The maximum cache ttl in seconds (enforced).", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "cache_ttl_min": { "description": "The minimum cache ttl in seconds (enforced).", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "cache_ttl_neg": { "description": "The negative cache ttl in seconds.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "cache_ttl_resurrect": { "description": "The resurrection ttl in seconds.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "cache_tokens": { "default": true, "description": "Cache the token endpoint requests.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "cache_tokens_salt": { - "auto": true, + "type": "string", "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", - "required": false, - "type": "string" + "auto": true, + "required": false } }, { "cache_introspection": { "default": true, "description": "Cache the introspection endpoint requests.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "cache_token_exchange": { "default": true, "description": "Cache the token exchange endpoint requests.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "cache_user_info": { "default": true, "description": "Cache the user info requests.", - 
"required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "search_user_info": { "default": false, "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "hide_credentials": { "default": false, "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "http_version": { "default": 1.1, "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "http_proxy": { "description": "The HTTP proxy.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "http_proxy_authorization": { "required": false, "description": "The HTTP proxy authorization.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "https_proxy": { "description": "The HTTPS proxy.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "https_proxy_authorization": { "required": false, "description": "The HTTPS proxy authorization.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "no_proxy": { "description": "Do not use proxy with these hosts.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "keepalive": { "default": true, "description": "Use keepalive with the HTTP client.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "ssl_verify": 
{ "default": false, "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "timeout": { "default": 10000, "description": "Network IO timeout in milliseconds.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "display_errors": { "default": false, "description": "Display errors on failure responses.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "by_username_ignore_case": { "default": false, "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "resolve_distributed_claims": { "default": false, "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "expose_error_code": { - "default": true, "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. 
Set to `false` to disable.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "token_cache_key_include_scope": { - "default": false, "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "introspection_token_param_name": { "default": "token", "description": "Designate token's parameter name for introspection.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "revocation_token_param_name": { "default": "token", "description": "Designate token's parameter name for revocation.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "proof_of_possession_mtls": { - "required": false, + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", "type": "string", + "required": false, "default": "off", - "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", "one_of": [ "off", "strict", 
@@ -2790,318 +2788,189 @@ "proof_of_possession_auth_methods_validation": { "default": true, "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "tls_client_auth_cert_id": { - "auto": false, - "required": false, - "type": "string", "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", - "uuid": true + "type": "string", + "required": false, + "uuid": true, + "auto": false } }, { "tls_client_auth_ssl_verify": { "default": true, "description": "Verify identity provider server certificate during mTLS client authentication.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "mtls_token_endpoint": { "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "mtls_introspection_endpoint": { "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", - "required": false, - "type": "string" - } - }, - { - "mtls_revocation_endpoint": { - "description": "Alias for the introspection endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", - "required": false, - "type": "string" - } - }, - { - "proof_of_possession_dpop": { - "required": false, - "type": "string", - "default": "off", - "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", - "one_of": [ - "off", - "strict", - "optional" - ] - } - }, - { - "dpop_use_nonce": { - "default": false, - "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", - "required": false, - "type": "boolean" - } - }, - { - "dpop_proof_lifetime": { - "default": 300, - "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", - "required": false, - "type": "number" - } - }, - { - "claims_forbidden": { - "elements": { - "type": "string" - }, - "description": "If given, these claims are forbidden in the token payload.", - "required": false, - "type": "array" - } - }, - { - "cluster_cache_strategy": { - "required": false, "type": "string", - "default": "off", - "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. 
Currentlly only introspection cache is shared.", - "one_of": [ - "off", - "redis" - ] - } - }, - { - "cluster_cache_redis": { - "required": true, - "type": "record", - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array" - } - }, - { - "cluster_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - 
"path": [ - "cluster_nodes" - ] - } - ] - }, - "type": "array" - } - } - ], + "required": false + } + }, + { + "mtls_revocation_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string", + "required": false + } + }, + { + "proof_of_possession_dpop": { + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "type": "string", + "required": false, + "default": "off", + "one_of": [ + "off", + "strict", + "optional" + ] + } + }, + { + "dpop_use_nonce": { + "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", + "type": "boolean", + "required": false + } + }, + { + "dpop_proof_lifetime": { + "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "type": "number", + "required": false + } + }, + { + "claims_forbidden": { + "elements": { + "type": "string" + }, + "description": "If given, these claims are forbidden in the token payload.", + "type": "array", + "required": false + } + }, + { + "cluster_cache_strategy": { + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. 
Currentlly only introspection cache is shared.", + "type": "string", + "required": false, + "default": "off", + "one_of": [ + "off", + "redis" + ] + } + }, + { + "cluster_cache_redis": { + "type": "record", + "required": true, "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } }, { "connect_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "send_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "read_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { - "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. 
If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { - "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, @@ -3118,12 +2987,12 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + ] } }, { 
@@ -3145,8 +3014,9 @@ }, { "sentinel_nodes": { - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { "type": "record", "fields": [ @@ -3154,31 +3024,31 @@ "host": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } } ] }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { "type": "record", "fields": [ 
@@ -3186,64 +3056,192 @@ "ip": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } } ] }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, { "ssl": { - "default": false, + "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "ssl_verify": { - "default": false, + "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "server_name": { "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "cluster_max_redirections": { - "default": 5, + "type": "integer", "description": "Maximum retry attempts for redirection.", - "required": false, - "type": "integer" + "default": 5, + "required": false } }, { "connection_is_proxied": { - "default": false, + "type": "boolean", "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", - "required": false, - "type": "boolean" + "default": false, + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + } + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "replaced_with": [ 
+ { + "path": [ + "cluster_nodes" + ] + } + ] + } } } ] @@ -3255,17 +3253,19 @@ ] }, "description": "List of openid_connect strategies.", - "required": false, - "type": "array" + "type": "array", + "required": false } } ] } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/ldap-auth-advanced/3.10.x.json b/schemas/ldap-auth-advanced/3.10.x.json index 545178ce..c5451b2f 100644 --- a/schemas/ldap-auth-advanced/3.10.x.json +++ b/schemas/ldap-auth-advanced/3.10.x.json @@ -1,24 +1,8 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], + "type": "set", "elements": { "type": "string", "one_of": [ 
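Review bot: The `ssl` description in the `@@ -3186,64 +3056,192 @@` hunk does not mention that `ssl_verify` also defaults to `false`, so enabling `ssl` alone encrypts the Redis connection without validating the server certificate. Since this record also carries `password` and `sentinel_password`, I would extend the `ssl` description with `Set ssl_verify to true as well; otherwise the server certificate is not validated.` The file is pulled from the API, so the wording probably has to change in the upstream schema. The enclosing `cluster_cache_redis` record starts outside this hunk.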
@@ -30,152 +14,161 @@ "wss" ] }, - "required": true, - "type": "set" + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "config": { + "type": "record", "fields": [ { "ldap_host": { "description": "Host on which the LDAP server is running.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "ldap_password": { - "encrypted": true, "description": "The password to the LDAP server.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "ldap_port": { - "default": 389, "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", - "type": "number" + "type": "number", + "default": 389 } }, { "bind_dn": { "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "ldaps": { - "default": false, + "type": "boolean", "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. 
When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "start_tls": { - "default": false, + "type": "boolean", "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "verify_ldap_host": { - "default": false, + "type": "boolean", "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "base_dn": { "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "attribute": { "description": "Attribute to be used to search the user; e.g., \"cn\".", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "cache_ttl": { - "default": 60, + "type": "number", "description": "Cache expiry time in seconds.", - "required": true, - "type": "number" + "default": 60, + "required": true } }, { "hide_credentials": { - "default": false, "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. 
It will be removed by Kong before proxying the request.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "timeout": { - "default": 10000, "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", - "type": "number" + "type": "number", + "default": 10000 } }, { "keepalive": { - "default": 60000, "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", - "type": "number" + "type": "number", + "default": 60000 } }, { "anonymous": { "default": "", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "len_min": 0, - "type": "string" + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." } }, { "header_type": { - "default": "ldap", "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", - "type": "string" + "type": "string", + "default": "ldap" } }, { "consumer_optional": { - "default": false, + "type": "boolean", "description": "Whether consumer mapping is optional. 
If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "consumer_by": { - "required": false, + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ @@ -183,7 +176,6 @@ "custom_id" ] }, - "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", "default": [ "username", "custom_id" @@ -192,29 +184,29 @@ }, { "group_base_dn": { - "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", - "type": "string" + "type": "string", + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'." } }, { "group_name_attribute": { - "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", - "type": "string" + "type": "string", + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive." } }, { "group_member_attribute": { - "default": "memberOf", "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive.", - "type": "string" + "type": "string", + "default": "memberOf" } }, { "log_search_results": { - "default": false, + "type": "boolean", "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { 
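Review bot: `ldaps`, `start_tls` and `verify_ldap_host` all default to `false` in the `config` record of the `@@ -30,152 +14,161 @@` hunk, and none of the three descriptions says what that default means for `ldap_password` and the credentials being checked. As far as the schema shows, an unmodified configuration talks to the LDAP server without TLS, and turning on `ldaps` or `start_tls` alone still leaves the server certificate unverified. I would add to the `verify_ldap_host` description `Enable this whenever ldaps or start_tls is on; with the default false the server certificate is not verified.` The `ldaps` description also refers to "the `ldap` setting", which looks like it should read `ldaps`. The same defaults and wording appear in the `schemas/ldap-auth/3.10.x.json` hunk `@@ -57,96 +53,98 @@` further down.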
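Review bot: The `group_base_dn` description in the `@@ -192,29 +184,29 @@` hunk ends in a stray fragment, `This field is case-insensitive.',dc=com'.`, which reads like the tail of a truncated example. Either drop the fragment or restore a full example in the style the `base_dn` description uses (`e.g., 'dc=example,dc=com'`). The line is only moved by this hunk, so the text likely comes from the upstream schema and should be corrected there.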
@@ -223,20 +215,28 @@ "type": "string" }, "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "realm": { "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", - "required": false, - "type": "string" + "type": "string", + "required": false } } ], - "required": true, - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/ldap-auth/3.10.x.json b/schemas/ldap-auth/3.10.x.json index c165cd47..6701bc3e 100644 --- a/schemas/ldap-auth/3.10.x.json +++ b/schemas/ldap-auth/3.10.x.json @@ -1,26 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], + "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -32,16 +22,23 @@ "wss" ] }, - "required": true, - "type": "set" + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { @@ -49,7 +46,6 @@ "entity_checks": [ { "conditional": { - "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", "if_match": { "eq": true }, 
@@ -57,96 +53,98 @@ "if_field": "ldaps", "then_match": { "eq": false - } + }, + "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously" } } ], + "type": "record", "fields": [ { "ldap_host": { "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "ldap_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "required": true, + "default": 389, "between": [ 0, 65535 - ], - "required": true, - "type": "integer", - "default": 389, - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "ldaps": { - "default": false, + "type": "boolean", "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "start_tls": { - "default": false, + "type": "boolean", "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "verify_ldap_host": { - "default": false, + "type": "boolean", "description": "Set to `true` to authenticate LDAP server. 
The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "base_dn": { "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "attribute": { "description": "Attribute to be used to search the user; e.g. cn", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "cache_ttl": { - "default": 60, + "type": "number", "description": "Cache expiry time in seconds.", - "required": true, - "type": "number" + "default": 60, + "required": true } }, { "hide_credentials": { - "default": false, + "type": "boolean", "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "timeout": { - "default": 10000, "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", - "type": "number" + "type": "number", + "default": 10000 } }, { "keepalive": { - "default": 60000, "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", - "type": "number" + "type": "number", + "default": 60000 } }, { 
@@ -157,22 +155,24 @@ }, { "header_type": { - "default": "ldap", "description": "An optional string to use as part of the Authorization header", - "type": "string" + "type": "string", + "default": "ldap" } }, { "realm": { "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", - "required": false, - "type": "string" + "type": "string", + "required": false } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/loggly/3.10.x.json b/schemas/loggly/3.10.x.json index 7f4564c6..506858c7 100644 --- a/schemas/loggly/3.10.x.json +++ b/schemas/loggly/3.10.x.json @@ -1,21 +1,13 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing protocols.", + "type": "set", + "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -27,57 +19,63 @@ "udp", "ws", "wss" - ], - "type": "string" - } + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "host": { - "default": "logs-01.loggly.com", "description": "A string representing a host name, such as example.com.", + "default": "logs-01.loggly.com", "type": "string" } }, { "port": { - "default": 514, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 514 } }, { "key": { - "encrypted": true, "referenceable": true, - "required": true, - "type": "string" + "encrypted": true, + "type": "string", + "required": true } }, { "tags": { - "default": [ - "kong" - ], "elements": { "type": "string" }, - "type": "set" + "type": "set", + "default": [ + "kong" + ] } }, { @@ -146,28 +144,30 @@ }, { "timeout": { - "default": 10000, - "type": "number" + "type": "number", + "default": 10000 } }, { "custom_fields_by_lua": { - "description": "Lua code as a key-value map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, + "description": "Lua code as a key-value map", + "type": "map", "keys": { "type": "string", "len_min": 1 - }, - "type": "map" + } } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/mocking/3.10.x.json b/schemas/mocking/3.10.x.json index 246c1047..b7c4f65f 100644 --- a/schemas/mocking/3.10.x.json +++ b/schemas/mocking/3.10.x.json 
@@ -1,24 +1,10 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.api_specification_filename", - "config.api_specification" - ] - } - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -27,105 +13,119 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "api_specification_filename": { "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "api_specification": { "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "random_delay": { - "default": false, "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "max_delay_time": { - "default": 1, "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", - "type": "number" + "type": "number", + "default": 1 } }, { "min_delay_time": { - "default": 0.001, "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. 
The value must be less than the `max_delay_time`.", - "type": "number" + "type": "number", + "default": 0.001 } }, { "random_examples": { - "default": false, "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "included_status_codes": { + "description": "A global list of the HTTP status codes that can only be selected and returned.", + "type": "array", "elements": { "type": "integer" - }, - "description": "A global list of the HTTP status codes that can only be selected and returned.", - "type": "array" + } } }, { "random_status_code": { - "default": false, + "type": "boolean", "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "include_base_path": { - "default": false, + "type": "boolean", "description": "Indicates whether to include the base path when performing path match evaluation.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "custom_base_path": { - "required": false, - "type": "string", - "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", "match_none": [ { - "err": "must not have empty segments", - "pattern": "//" + "pattern": "//", + "err": "must not have empty segments" } ], + "description": "The base path to be used for path match evaluation. 
This value is ignored if `include_base_path` is set to `false`.", + "type": "string", + "required": false, "starts_with": "/" } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.api_specification_filename", + "config.api_specification" + ] + } ] } \ No newline at end of file diff --git a/schemas/mtls-auth/3.10.x.json b/schemas/mtls-auth/3.10.x.json index d65a598b..8d29debf 100644 --- a/schemas/mtls-auth/3.10.x.json +++ b/schemas/mtls-auth/3.10.x.json @@ -1,27 +1,18 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -30,15 +21,21 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { @@ -57,6 +54,7 @@ ] } ], + "type": "record", "fields": [ { "anonymous": { 
@@ -66,8 +64,9 @@ }, { "consumer_by": { - "required": false, + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ @@ -75,7 +74,6 @@ "custom_id" ] }, - "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", "default": [ "username", "custom_id" 
@@ -85,44 +83,44 @@ { "ca_certificates": { "elements": { - "uuid": true, - "type": "string" + "type": "string", + "uuid": true }, "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", - "required": true, - "type": "array" + "type": "array", + "required": true } }, { "cache_ttl": { "default": 60, "description": "Cache expiry time in seconds.", - "required": true, - "type": "number" + "type": "number", + "required": true } }, { "skip_consumer_lookup": { "default": false, "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "allow_partial_chain": { "default": false, "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "authenticated_group_by": { - "required": false, + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "type": "string", + "required": false, "default": "CN", - "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. 
To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "one_of": [ "CN", "DN" @@ -131,10 +129,10 @@ }, { "revocation_check_mode": { - "required": false, + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "type": "string", + "required": false, "default": "IGNORE_CA_ERROR", - "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "one_of": [ "SKIP", "IGNORE_CA_ERROR", @@ -144,22 +142,22 @@ }, { "http_timeout": { - "default": 30000, "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "default": 30000, "type": "number" } }, { "cert_cache_ttl": { - "default": 60000, "description": "The length of time in seconds between refreshes of the revocation check status cache.", + "default": 60000, "type": "number" } }, { "send_ca_dn": { - "default": false, "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", + "default": false, "type": "boolean" } }, 
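Review bot: `cert_cache_ttl` in the `@@ -144,22 +142,22 @@` hunk is described as a length of time "in seconds" but defaults to `60000`, while the neighbouring `http_timeout` is in milliseconds (`30000`) and `cache_ttl` elsewhere in this file is in seconds (`60`). The unit decides how long a cached revocation status keeps being trusted after a client certificate is revoked, so the description should state it unambiguously; which unit the plugin applies cannot be told from this hunk. If it is milliseconds, the text would read `The length of time in milliseconds between refreshes of the revocation check status cache.`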
@@ -177,12 +175,12 @@ }, { "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + ] } }, { @@ -193,18 +191,20 @@ }, { "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + ] } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/oas-validation/3.10.x.json b/schemas/oas-validation/3.10.x.json index ada2985b..4a089166 100644 --- a/schemas/oas-validation/3.10.x.json +++ b/schemas/oas-validation/3.10.x.json @@ -1,19 +1,10 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -22,149 +13,158 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "api_spec": { "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "verbose_response": { - "default": false, + "type": "boolean", "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "validate_request_body": { - "default": true, + "type": "boolean", "description": "If set to true, validates the request body content against the API specification.", - "required": false, - "type": "boolean" + "default": true, + "required": false } }, { "notify_only_request_validation_failure": { - "default": false, + "type": "boolean", "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "validate_request_header_params": { - "default": true, + "type": "boolean", "description": "If set to true, validates HTTP header parameters against the API specification.", - "required": false, - "type": "boolean" + "default": true, + "required": false } }, { "validate_request_query_params": { - "default": true, + "type": "boolean", 
"description": "If set to true, validates query parameters against the API specification.", - "required": false, - "type": "boolean" + "default": true, + "required": false } }, { "validate_request_uri_params": { - "default": true, + "type": "boolean", "description": "If set to true, validates URI parameters in the request against the API specification.", - "required": false, - "type": "boolean" + "default": true, + "required": false } }, { "validate_response_body": { - "default": false, + "type": "boolean", "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "notify_only_response_body_validation_failure": { - "default": false, + "type": "boolean", "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "query_parameter_check": { - "default": false, + "type": "boolean", "description": "If set to true, checks if query parameters in the request exist in the API specification.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "header_parameter_check": { - "default": false, + "type": "boolean", "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "allowed_header_parameters": { - "default": "Host,Content-Type,User-Agent,Accept,Content-Length", + "type": "string", "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. 
For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", - "required": false, - "type": "string" + "default": "Host,Content-Type,User-Agent,Accept,Content-Length", + "required": false } }, { "include_base_path": { - "default": false, + "type": "boolean", "description": "Indicates whether to include the base path when performing path match evaluation.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "api_spec_encoded": { - "default": true, + "type": "boolean", "description": "Indicates whether the api_spec is URI-Encoded.", - "required": true, - "type": "boolean" + "default": true, + "required": true } }, { "custom_base_path": { - "required": false, - "type": "string", - "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", "match_none": [ { - "err": "must not have empty segments", - "pattern": "//" + "pattern": "//", + "err": "must not have empty segments" } ], + "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", + "type": "string", + "required": false, "starts_with": "/" } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/oauth2-introspection/3.10.x.json b/schemas/oauth2-introspection/3.10.x.json index 8b041407..f947e1af 100644 --- a/schemas/oauth2-introspection/3.10.x.json +++ b/schemas/oauth2-introspection/3.10.x.json 
@@ -1,27 +1,18 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -30,32 +21,39 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "introspection_url": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "ttl": { - "default": 30, "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", - "type": "number" + "type": "number", + "default": 30 } }, { 
@@ -67,62 +65,62 @@ { "authorization_value": { "encrypted": true, - "required": true, "type": "string", + "required": true, "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", "referenceable": true } }, { "timeout": { - "default": 10000, "description": "An optional timeout in milliseconds when sending data to the upstream server.", - "type": "integer" + "type": "integer", + "default": 10000 } }, { "keepalive": { - "default": 60000, "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", - "type": "integer" + "type": "integer", + "default": 60000 } }, { "introspect_request": { - "default": false, + "type": "boolean", "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "hide_credentials": { - "default": false, "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "run_on_preflight": { - "default": true, "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "anonymous": { - "default": "", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. 
If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "len_min": 0, + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "default": "", "type": "string" } }, { "consumer_by": { - "required": true, + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", "type": "string", + "required": true, "default": "username", - "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", "one_of": [ "username", "client_id" @@ -131,15 +129,15 @@ }, { "custom_introspection_headers": { + "description": "A list of custom headers to be added in the introspection request.", + "type": "map", + "required": true, "values": { "type": "string" }, - "required": true, - "type": "map", "default": [ ], - "description": "A list of custom headers to be added in the introspection request.", "keys": { "type": "string" } 
@@ -147,21 +145,23 @@ }, { "custom_claims_forward": { - "required": true, + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", "type": "set", + "required": true, "elements": { "type": "string" }, - "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", "default": [ ] } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/oauth2/3.10.x.json b/schemas/oauth2/3.10.x.json index 2c0e00b3..ef4fda1a 100644 --- a/schemas/oauth2/3.10.x.json +++ b/schemas/oauth2/3.10.x.json @@ -1,26 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], + "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -32,172 +22,167 @@ "wss" ] }, - "required": true, - "type": "set" + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "entity_checks": [ - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "scopes", - "if_field": "mandatory_scope", - "then_match": { - "required": true - } - } - } - ], + "type": "record", + "required": true, "fields": [ { "scopes": { + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", + "type": "array", "elements": { "type": "string" - }, - "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", - "type": "array" + } } }, { "mandatory_scope": { - "default": false, + "type": "boolean", "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "provision_key": { - "encrypted": true, "unique": true, - "type": "string", "description": "The unique key the plugin has generated when it has been added to the Service.", + "type": "string", "required": true, - "auto": true + "auto": true, + "encrypted": true } }, { "token_expiration": { - "default": 7200, + "type": "number", "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. 
Set to `0` to disable the expiration.", - "required": true, - "type": "number" + "default": 7200, + "required": true } }, { "enable_authorization_code": { - "default": false, + "type": "boolean", "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "enable_implicit_grant": { - "default": false, + "type": "boolean", "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "enable_client_credentials": { - "default": false, + "type": "boolean", "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "enable_password_grant": { - "default": false, + "type": "boolean", "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "hide_credentials": { - "default": false, + "type": "boolean", "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "accept_http_if_already_terminated": { - "default": false, + "type": "boolean", "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", - "type": "string" + 
"type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." } }, { "global_credentials": { - "default": false, + "type": "boolean", "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "auth_header_name": { - "default": "authorization", "description": "The name of the header that is supposed to carry the access token.", - "type": "string" + "type": "string", + "default": "authorization" } }, { "refresh_token_ttl": { + "description": "Time-to-live value for data", + "type": "number", + "required": true, + "default": 1209600, "between": [ 0, 100000000 - ], - "required": true, - "type": "number", - "default": 1209600, - "description": "Time-to-live value for data" + ] } }, { "reuse_refresh_token": { - "default": false, + "type": "boolean", "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "persistent_refresh_token": { + "type": "boolean", "default": false, - "required": true, - "type": "boolean" + "required": true } }, { "pkce": { - "required": false, + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", "type": "string", + "required": false, "default": "lax", - "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", "one_of": [ "none", "lax", 
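Review bot: The four grant-flow descriptions in this hunk (`enable_authorization_code`, `enable_implicit_grant`, `enable_client_credentials`, `enable_password_grant`) cite `RFC 6742`, but the OAuth 2.0 framework whose Sections 4.1–4.4 they point to is RFC 6749. These lines are carried over as context, so the commit leaves the wrong reference in place; each should read e.g. `(RFC 6749 Section 4.1)`. `persistent_refresh_token` in the same hunk also has no `description`, unlike its neighbours, which leaves a refresh-token setting undocumented for operators. Both fixes belong in the plugin's schema source, since the commit description says the files are pulled from the API.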
@@ -208,14 +193,29 @@ { "realm": { "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", - "required": false, - "type": "string" + "type": "string", + "required": false } } ], - "required": true, - "type": "record" + "entity_checks": [ + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "scopes", + "if_field": "mandatory_scope", + "then_match": { + "required": true + } + } + } + ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/opa/3.10.x.json b/schemas/opa/3.10.x.json index 1b302c32..98fff2ed 100644 --- a/schemas/opa/3.10.x.json +++ b/schemas/opa/3.10.x.json @@ -1,27 +1,18 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -30,19 +21,26 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "opa_protocol": { 
@@ -59,54 +57,54 @@ "opa_host": { "default": "localhost", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "opa_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "required": true, + "default": 8181, "between": [ 0, 65535 - ], - "required": true, - "type": "integer", - "default": 8181, - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "opa_path": { - "required": true, - "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { - "err": "must not have empty segments", - "pattern": "//" + "pattern": "//", + "err": "must not have empty segments" } ], + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string", + "required": true, "starts_with": "/" } }, { "include_service_in_opa_input": { - "default": false, "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", + "default": false, "type": "boolean" } }, { "include_route_in_opa_input": { - "default": false, "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", + "default": false, "type": "boolean" } }, { "include_consumer_in_opa_input": { - "default": false, "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", + "default": false, "type": "boolean" } }, 
@@ -118,15 +116,15 @@ }, { "include_parsed_json_body_in_opa_input": { - "default": false, "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", + "default": false, "type": "boolean" } }, { "include_uri_captures_in_opa_input": { - "default": false, "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", + "default": false, "type": "boolean" } }, @@ -134,14 +132,16 @@ "ssl_verify": { "default": true, "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/openid-connect/3.10.x.json b/schemas/openid-connect/3.10.x.json index 7a0c9dd9..30edf9a8 100644 --- a/schemas/openid-connect/3.10.x.json +++ b/schemas/openid-connect/3.10.x.json @@ -1,33 +1,23 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], + "supported_partials": { + "redis-ee": [ + "config.redis" + ] + }, "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -36,161 +26,167 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "shorthand_fields": [ { "authorization_cookie_lifetime": { + "type": "number", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.authorization_cookie_lifetime is deprecated, please use config.authorization_rolling_timeout instead" - }, - "type": "number" + } } }, { "authorization_cookie_samesite": { + "type": "string", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.authorization_cookie_samesite is deprecated, please use config.authorization_cookie_same_site instead" - }, - "type": "string" + } } }, { "authorization_cookie_httponly": { + "type": "boolean", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.authorization_cookie_httponly is deprecated, please use config.authorization_cookie_http_only instead" - }, - "type": "boolean" + } } }, { "session_cookie_lifetime": { + "type": "number", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead" - }, - "type": "number" + } } }, { "session_cookie_idletime": { + "type": "number", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead" - }, - "type": "number" + } } }, { "session_cookie_samesite": { + "type": "string", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_cookie_samesite is deprecated, please 
use config.session_cookie_same_site instead" - }, - "type": "string" + } } }, { "session_cookie_httponly": { + "type": "boolean", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead" - }, - "type": "boolean" + } } }, { "session_memcache_prefix": { + "type": "string", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead" - }, - "type": "string" + } } }, { "session_memcache_socket": { + "type": "string", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead" - }, - "type": "string" + } } }, { "session_memcache_host": { + "type": "string", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead" - }, - "type": "string" + } } }, { "session_memcache_port": { + "type": "integer", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead" - }, - "type": "integer" + } } }, { "session_cookie_renew": { + "type": "number", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_cookie_renew option does not exist anymore" - }, - "type": "number" + } } }, { "session_cookie_maxsize": { + "type": "integer", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore" - }, - "type": "integer" + } } }, { "session_strategy": { + "type": "string", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_strategy option does not exist anymore" - }, - "type": "string" + } } }, { 
"session_compressor": { + "type": "string", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_compressor option does not exist anymore" - }, - "type": "string" + } } }, { "session_redis_prefix": { + "type": "string", "deprecation": { - "message": "openid-connect: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", "replaced_with": [ { "path": [ @@ -199,15 +195,15 @@ ] } ] - }, - "type": "string" + } } }, { "session_redis_socket": { + "type": "string", "deprecation": { - "message": "openid-connect: config.session_redis_socket is deprecated, please use config.redis.socket instead", "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_socket is deprecated, please use config.redis.socket instead", "replaced_with": [ { "path": [ @@ -216,15 +212,15 @@ ] } ] - }, - "type": "string" + } } }, { "session_redis_host": { + "type": "string", "deprecation": { - "message": "openid-connect: config.session_redis_host is deprecated, please use config.redis.host instead", "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_host is deprecated, please use config.redis.host instead", "replaced_with": [ { "path": [ @@ -233,15 +229,15 @@ ] } ] - }, - "type": "string" + } } }, { "session_redis_port": { + "type": "integer", "deprecation": { - "message": "openid-connect: config.session_redis_port is deprecated, please use config.redis.port instead", "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_port is deprecated, please use config.redis.port instead", "replaced_with": [ { "path": [ 
@@ -250,15 +246,15 @@ ] } ] - }, - "type": "integer" + } } }, { "session_redis_username": { + "type": "string", "deprecation": { - "message": "openid-connect: config.redis_host is deprecated, please use config.redis.host instead", "removal_in_version": "4.0", + "message": "openid-connect: config.redis_host is deprecated, please use config.redis.host instead", "replaced_with": [ { "path": [ @@ -267,15 +263,15 @@ ] } ] - }, - "type": "string" + } } }, { "session_redis_password": { + "type": "string", "deprecation": { - "message": "openid-connect: config.session_redis_password is deprecated, please use config.redis.password instead", "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_password is deprecated, please use config.redis.password instead", "replaced_with": [ { "path": [ @@ -284,15 +280,15 @@ ] } ] - }, - "type": "string" + } } }, { "session_redis_connect_timeout": { + "type": "integer", "deprecation": { - "message": "openid-connect: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", "replaced_with": [ { "path": [ @@ -301,15 +297,15 @@ ] } ] - }, - "type": "integer" + } } }, { "session_redis_read_timeout": { + "type": "integer", "deprecation": { - "message": "openid-connect: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", "replaced_with": [ { "path": [ 
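Review bot: The deprecation message on `session_redis_username` (first hunk on this line, `@@ -250,15 +246,15 @@`) names the wrong field: it reads `config.redis_host is deprecated, please use config.redis.host instead`, which looks copied from the host entry. The reorder keeps that text unchanged on the new side, so an operator migrating Redis session settings is told to move a username setting to the host field. Assuming the `replaced_with` path (not visible between the hunks) targets the username, the line should read `"message": "openid-connect: config.session_redis_username is deprecated, please use config.redis.username instead"`. The fix belongs in the plugin's schema source, since the commit description says these files are pulled from the API.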
@@ -318,15 +314,15 @@ ] } ] - }, - "type": "integer" + } } }, { "session_redis_send_timeout": { + "type": "integer", "deprecation": { - "message": "openid-connect: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", "replaced_with": [ { "path": [ @@ -335,15 +331,15 @@ ] } ] - }, - "type": "integer" + } } }, { "session_redis_ssl": { + "type": "boolean", "deprecation": { - "message": "openid-connect: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", "replaced_with": [ { "path": [ @@ -352,15 +348,15 @@ ] } ] - }, - "type": "boolean" + } } }, { "session_redis_ssl_verify": { + "type": "boolean", "deprecation": { - "message": "openid-connect: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", "replaced_with": [ { "path": [ @@ -369,15 +365,15 @@ ] } ] - }, - "type": "boolean" + } } }, { "session_redis_server_name": { + "type": "string", "deprecation": { - "message": "openid-connect: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", "replaced_with": [ { "path": [ @@ -386,8 +382,7 @@ ] } ] - }, - "type": "string" + } } }, { 
@@ -399,27 +394,27 @@ "ip": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } } ] }, "type": "array", "deprecation": { - "message": "openid-connect: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", "replaced_with": [ { "path": [ @@ -433,9 +428,10 @@ }, { "session_redis_cluster_max_redirections": { + "type": "integer", "deprecation": { - "message": "openid-connect: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", "replaced_with": [ { "path": [ @@ -444,26 +440,25 @@ ] } ] - }, - "type": "integer" + } } } ], - "required": true, + "type": "record", "fields": [ { "issuer": { "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "using_pseudo_issuer": { "default": false, "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { 
@@ -472,8 +467,8 @@ "type": "string" }, "description": "Extra header names passed to the discovery endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -482,8 +477,8 @@ "type": "string" }, "description": "Extra header values passed to the discovery endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -493,34 +488,23 @@ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", - "required": false, - "type": "set" + "type": "set", + "required": false } }, { "rediscovery_lifetime": { "default": 30, "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "auth_methods": { - "required": false, - "type": "array", - "default": [ - "password", - "client_credentials", - "authorization_code", - "bearer", - "introspection", - "userinfo", - "kong_oauth2", - "refresh_token", - "session" - ], "description": "Types of credentials/grants to enable.", + "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -534,31 +518,42 @@ "refresh_token", "session" ] - } + }, + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] } }, { "client_id": { - "encrypted": true, - "required": false, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", "type": "array", + "required": false, "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." + "encrypted": true } }, { "client_secret": { - "encrypted": true, - "required": false, + "description": "The client secret.", "type": "array", + "required": false, "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "description": "The client secret." + "encrypted": true } }, { 
@@ -576,199 +571,199 @@ ] }, "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "client_jwk": { "elements": { "type": "record", - "required": false, "fields": [ { "issuer": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "kty": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "use": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "key_ops": { "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false }, - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "alg": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "kid": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "x5u": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "x5c": { "elements": { - "required": false, - "type": "string" + "type": "string", + "required": false }, - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "x5t": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "x5t#S256": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "k": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "x": { - "required": false, - "type": "string" + 
"type": "string", + "required": false } }, { "y": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "crv": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "n": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "e": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "d": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "p": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "q": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "dp": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "dq": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "qi": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "oth": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "r": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "t": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } } - ] + ], + "required": false }, "description": "The JWK used for the private_key_jwt authentication.", - 
"required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -792,16 +787,16 @@ ] }, "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "client_arg": { "default": "client_id", "description": "The client to use for this request (the selection is made with a request parameter with the same name).", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -811,32 +806,32 @@ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, "description": "The redirect URI passed to the authorization and token endpoints.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "login_redirect_uri": { "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, "description": "Where to redirect the client when `login_action` is set to `redirect`.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "logout_redirect_uri": { "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, "description": "Where to redirect the client after the logout.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { 
@@ -846,32 +841,32 @@ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, "description": "Where to redirect the client on forbidden requests.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "forbidden_error_message": { "default": "Forbidden", "description": "The error message for the forbidden requests (when not using the redirection).", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "forbidden_destroy_session": { "default": true, "description": "Destroy any active session for the forbidden requests.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "unauthorized_destroy_session": { "default": true, "description": "Destroy any active session for the unauthorized requests.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { @@ -881,16 +876,16 @@ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, "description": "Where to redirect the client on unauthorized requests.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "unauthorized_error_message": { "default": "Unauthorized", "description": "The error message for the unauthorized requests (when not using the redirection).", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { 
@@ -900,16 +895,16 @@ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, "description": "Where to redirect the client when unexpected errors happen with the requests.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "response_mode": { - "required": false, + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", "type": "string", + "required": false, "default": "query", - "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", "one_of": [ "query", "form_post", 
@@ -923,29 +918,29 @@ }, { "response_type": { - "required": false, - "type": "array", - "default": [ - "code" - ], "description": "The response type passed to the authorization endpoint.", + "type": "array", + "required": false, "elements": { "type": "string" - } + }, + "default": [ + "code" + ] } }, { "scopes": { - "required": false, + "description": "The scopes passed to the authorization and token endpoints.", "type": "array", + "required": false, + "elements": { + "type": "string", + "referenceable": true + }, "default": [ "openid" - ], - "description": "The scopes passed to the authorization and token endpoints.", - "elements": { - "referenceable": true, - "type": "string" - } + ] } }, { @@ -954,8 +949,8 @@ "type": "string" }, "description": "The audience passed to the authorization endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -964,8 +959,8 @@ "type": "string" }, "description": "The issuers allowed to be present in the tokens (`iss` claim).", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -974,21 +969,21 @@ "type": "string" }, "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "scopes_claim": { - "required": false, - "type": "array", - "default": [ - "scope" - ], "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", + "required": false, "elements": { "type": "string" - } + }, + "default": [ + "scope" + ] } }, { 
@@ -997,21 +992,21 @@ "type": "string" }, "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "audience_claim": { - "required": false, - "type": "array", - "default": [ - "aud" - ], "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", + "required": false, "elements": { "type": "string" - } + }, + "default": [ + "aud" + ] } }, { @@ -1020,21 +1015,21 @@ "type": "string" }, "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "groups_claim": { - "required": false, - "type": "array", - "default": [ - "groups" - ], "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", + "required": false, "elements": { "type": "string" - } + }, + "default": [ + "groups" + ] } }, { 
@@ -1043,21 +1038,21 @@ "type": "string" }, "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "roles_claim": { - "required": false, - "type": "array", - "default": [ - "roles" - ], "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", + "required": false, "elements": { "type": "string" - } + }, + "default": [ + "roles" + ] } }, { @@ -1066,15 +1061,15 @@ "type": "string" }, "description": "The allowed values for the `hd` claim.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "max_age": { "description": "The maximum age (in seconds) compared to the `auth_time` claim.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { 
@@ -1083,22 +1078,22 @@ "type": "string" }, "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "pushed_authorization_request_endpoint": { "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "pushed_authorization_request_endpoint_auth_method": { - "type": "string", - "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "required": false, + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -1113,29 +1108,29 @@ { "require_pushed_authorization_requests": { "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "require_proof_key_for_code_exchange": { "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "require_signed_request_object": { "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "authorization_endpoint": { "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -1144,8 +1139,8 @@ "type": "string" }, "description": "Extra query argument names passed to the authorization endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -1154,8 +1149,8 @@ "type": "string" }, "description": "Extra query argument values passed to the authorization endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { 
@@ -1164,54 +1159,54 @@ "type": "string" }, "description": "Extra query arguments passed from the client to the authorization endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "authorization_rolling_timeout": { "default": 600, "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "authorization_cookie_name": { "default": "authorization", "description": "The authorization cookie name.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "authorization_cookie_path": { - "required": false, - "type": "string", - "default": "/", - "description": "The authorization cookie Path flag.", "match_none": [ { - "err": "must not have empty segments", - "pattern": "//" + "pattern": "//", + "err": "must not have empty segments" } ], + "description": "The authorization cookie Path flag.", + "type": "string", + "required": false, + "default": "/", "starts_with": "/" } }, { "authorization_cookie_domain": { "description": "The authorization cookie Domain flag.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "authorization_cookie_same_site": { - "required": false, + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "type": "string", + "required": false, "default": "Default", - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "one_of": [ "Strict", "Lax", 
@@ -1224,37 +1219,37 @@ "authorization_cookie_http_only": { "default": true, "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "authorization_cookie_secure": { "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "preserve_query_args": { "default": false, "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "token_endpoint": { "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "token_endpoint_auth_method": { - "type": "string", - "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "required": false, + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", @@ -1272,8 +1267,8 @@ "type": "string" }, "description": "Extra header names passed to the token endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { 
@@ -1282,8 +1277,8 @@ "type": "string" }, "description": "Extra header values passed to the token endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -1292,8 +1287,8 @@ "type": "string" }, "description": "Extra headers passed from the client to the token endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -1302,15 +1297,15 @@ "type": "string" }, "description": "The names of token endpoint response headers to forward to the downstream client.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "token_headers_prefix": { "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { @@ -1325,8 +1320,8 @@ ] }, "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -1335,8 +1330,8 @@ "type": "string" }, "description": "Extra post argument names passed to the token endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -1345,8 +1340,8 @@ "type": "string" }, "description": "Extra post argument values passed to the token endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { 
@@ -1355,22 +1350,22 @@ "type": "string" }, "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "introspection_endpoint": { "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "introspection_endpoint_auth_method": { - "type": "string", - "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "required": false, + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -1386,24 +1381,24 @@ "introspection_hint": { "default": "access_token", "description": "Introspection hint parameter value passed to the introspection endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "introspection_check_active": { "default": true, "description": "Check that the introspection response has an `active` claim with a value of `true`.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "introspection_accept": { - "required": false, + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", "type": "string", + "required": false, "default": "application/json", - "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", "one_of": [ "application/json", "application/token-introspection+jwt", @@ -1417,20 +1412,20 @@ "type": "string" }, "description": "Extra header names passed to the introspection endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "introspection_headers_values": { - "encrypted": true, - "required": false, + "description": "Extra header values passed to the introspection endpoint.", "type": "array", + "required": false, "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "description": "Extra header values passed to the introspection endpoint." + "encrypted": true } }, { 
@@ -1439,8 +1434,8 @@ "type": "string" }, "description": "Extra headers passed from the client to the introspection endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -1449,8 +1444,8 @@ "type": "string" }, "description": "Extra post argument names passed to the introspection endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -1459,9 +1454,9 @@ "type": "string" }, "description": "Extra post argument values passed to the introspection endpoint.", - "required": false, - "type": "array" - } + "type": "array", + "required": false + } }, { "introspection_post_args_client": { @@ -1469,8 +1464,8 @@ "type": "string" }, "description": "Extra post arguments passed from the client to the introspection endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { 
@@ -1479,30 +1474,30 @@ "type": "string" }, "description": "Extra post arguments passed from the client headers to the introspection endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "introspect_jwt_tokens": { "default": false, "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "revocation_endpoint": { "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "revocation_endpoint_auth_method": { - "type": "string", - "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "required": false, + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -1517,23 +1512,23 @@ { "end_session_endpoint": { "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "userinfo_endpoint": { "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "userinfo_accept": { - "required": false, + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", "type": "string", + "required": false, "default": "application/json", - "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", "one_of": [ "application/json", "application/jwt" @@ -1546,8 +1541,8 @@ "type": "string" }, "description": "Extra header names passed to the user info endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -1556,8 +1551,8 @@ "type": "string" }, "description": "Extra header values passed to the user info endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -1566,8 +1561,8 @@ "type": "string" }, "description": "Extra headers passed from the client to the user info endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { @@ -1576,8 +1571,8 @@ "type": "string" }, "description": "Extra query argument names passed to the user info endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { 
@@ -1586,8 +1581,8 @@ "type": "string" }, "description": "Extra query argument values passed to the user info endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { 
@@ -1596,126 +1591,126 @@ "type": "string" }, "description": "Extra query arguments passed from the client to the user info endpoint.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "token_exchange_endpoint": { "description": "The token exchange endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_secret": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The session secret.", - "required": false + "referenceable": true } }, { "session_audience": { "default": "default", "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_cookie_name": { "default": "session", "description": "The session cookie name.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_remember": { "default": false, "description": "Enables or disables persistent sessions.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "session_remember_cookie_name": { "default": "remember", "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_remember_rolling_timeout": { "default": 604800, "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "session_remember_absolute_timeout": { "default": 2592000, "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 
0 disables the checks.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "session_idling_timeout": { "default": 900, "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "session_rolling_timeout": { "default": 3600, "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "session_absolute_timeout": { "default": 86400, "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "session_cookie_path": { - "required": false, - "type": "string", - "default": "/", - "description": "The session cookie Path flag.", "match_none": [ { - "err": "must not have empty segments", - "pattern": "//" + "pattern": "//", + "err": "must not have empty segments" } ], + "description": "The session cookie Path flag.", + "type": "string", + "required": false, + "default": "/", "starts_with": "/" } }, { "session_cookie_domain": { "description": "The session cookie Domain flag.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_cookie_same_site": { - "required": false, + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "type": "string", + "required": false, "default": "Lax", - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "one_of": [ "Strict", "Lax", 
@@ -1728,15 +1723,15 @@ "session_cookie_http_only": { "default": true, "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "session_cookie_secure": { "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { @@ -1754,8 +1749,8 @@ ] }, "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", - "required": false, - "type": "set" + "type": "set", + "required": false } }, { 
@@ -1773,16 +1768,16 @@ ] }, "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", - "required": false, - "type": "set" + "type": "set", + "required": false } }, { "session_storage": { - "required": false, + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", "type": "string", + "required": false, "default": "cookie", - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", "one_of": [ "cookie", "memcache", 
@@ -1795,389 +1790,258 @@ "session_store_metadata": { "default": false, "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "session_enforce_same_subject": { "default": false, "description": "When set to `true`, audiences are forced to share the same subject.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "session_hash_subject": { "default": false, "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "session_hash_storage_key": { "default": false, "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "session_memcached_prefix": { "description": "The memcached session key prefix.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_memcached_socket": { "description": "The memcached unix socket path.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_memcached_host": { "default": "127.0.0.1", "description": "The memcached host.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_memcached_port": { + "description": "The memcached port.", + "type": "integer", + "required": false, + "default": 11211, "between": [ 0, 65535 - ], - "required": false, - "type": "integer", - "default": 11211, - "description": "The memcached port." 
+ ] } }, { "redis": { - "required": true, - "type": "record", - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, + "fields": [ { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] + "host": { + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "type": "string" + } }, { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] } }, { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 ] } }, { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 ] } }, { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 ] } - } - ], - "shorthand_fields": [ + }, { - "timeout": { - "type": "integer", - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - } + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true } }, { - "sentinel_addresses": { - "elements": { - "type": "string" - }, - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "len_min": 1, - "type": "array" - } - }, - { - "cluster_addresses": { - "elements": { - "type": "string" - }, - "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "len_min": 1, - "type": "array" - } - } - ], - "fields": [ - { - "host": { - "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com.", - "type": "string" - } - }, - { - "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "between": [ - 0, - 65535 - ], - "type": "integer" - } - }, - { - "connect_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", - "between": [ - 0, - 2147483646 - ], - "type": "integer" - } - }, - { - "send_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "between": [ - 0, - 2147483646 - ], - "type": "integer" - } - }, - { - "read_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "between": [ - 0, - 2147483646 - ], - "type": "integer" - } - }, - { - "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" - } - }, - { - "password": { - "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "referenceable": true, - "type": "string" + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, + "type": "string", + "referenceable": true } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { - "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, { "keepalive_pool_size": { - "default": 256, + "type": "integer", "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, "between": [ 1, 2147483646 - ], - "type": "integer" + ] } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + ] } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string" + ] } }, { "sentinel_nodes": { - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { + "type": "record", "fields": [ { "host": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { "default": 6379, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer" + ] } } - ], - "type": "record" + ] }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { + "type": "record", "fields": [ { "ip": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { "default": 6379, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer" + ] } } - ], - "type": "record" + ] }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, 
@@ -2185,53 +2049,184 @@ "ssl": { "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "ssl_verify": { "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "server_name": { "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "cluster_max_redirections": { "default": 5, "description": "Maximum retry attempts for redirection.", - "required": false, - "type": "integer" + "type": "integer", + "required": false } }, { "connection_is_proxied": { "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "prefix": { "description": "The Redis session key prefix.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "socket": { "description": "The Redis unix socket path.", - "required": false, - "type": "string" + "type": "string", + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", + "required": true, + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": 
"sentinel_addresses is deprecated, please use sentinel_nodes instead" + } + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + } } } ] @@ -2241,35 +2236,30 @@ "reverify": { "default": false, "description": "Specifies whether to always verify tokens stored in the session.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "jwt_session_claim": { "default": "sid", "description": "The claim to match against the JWT session cookie.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "jwt_session_cookie": { "description": "The name of the JWT session cookie.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "bearer_token_param_type": { - "required": false, - "type": "array", - "default": [ - "header", - "query", - "body" - ], "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2278,26 +2268,26 @@ "query", "body" ] - } + }, + "default": [ + "header", + "query", + "body" + ] } }, { "bearer_token_cookie_name": { "description": "The name of the cookie in which the bearer token is passed.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "client_credentials_param_type": { - "required": false, - "type": "array", - "default": [ - "header", - "query", - "body" - ], "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ @@ -2305,19 +2295,19 @@ "query", "body" ] - } - } - }, - { - "password_param_type": { - "required": false, - "type": "array", + }, "default": [ "header", "query", "body" - ], + ] + } + }, + { + "password_param_type": { "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ @@ -2325,19 +2315,19 @@ "query", "body" ] - } - } - }, - { - "id_token_param_type": { - "required": false, - "type": "array", + }, "default": [ "header", "query", "body" - ], + ] + } + }, + { + "id_token_param_type": { "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2345,26 +2335,26 @@ "query", "body" ] - } + }, + "default": [ + "header", + "query", + "body" + ] } }, { "id_token_param_name": { "description": "The name of the parameter used to pass the id token.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "refresh_token_param_type": { - "required": false, - "type": "array", - "default": [ - "header", - "query", - "body" - ], "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ @@ -2372,22 +2362,27 @@ "query", "body" ] - } + }, + "default": [ + "header", + "query", + "body" + ] } }, { "refresh_token_param_name": { "description": "The name of the parameter used to pass the refresh token.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "refresh_tokens": { "default": true, "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { @@ -2396,8 +2391,8 @@ "type": "string" }, "description": "The upstream header claims. Only top level claims are supported.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { 
@@ -2406,79 +2401,79 @@ "type": "string" }, "description": "The upstream header names for the claim values.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "upstream_access_token_header": { "default": "authorization:bearer", "description": "The upstream access token header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_access_token_jwk_header": { "description": "The upstream access token JWK header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_id_token_header": { "description": "The upstream id token header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_id_token_jwk_header": { "description": "The upstream id token JWK header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_refresh_token_header": { "description": "The upstream refresh token header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_user_info_header": { "description": "The upstream user info header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_user_info_jwt_header": { "description": "The upstream user info JWT header (in case the user info returns a JWT response).", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_introspection_header": { "description": "The upstream introspection header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_introspection_jwt_header": { "description": "The upstream introspection JWT header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "upstream_session_id_header": { "description": "The upstream session id header.", - "required": false, - "type": "string" + "type": "string", + "required": 
false } }, { @@ -2487,8 +2482,8 @@ "type": "string" }, "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { 
@@ -2497,88 +2492,85 @@ "type": "string" }, "description": "The downstream header names for the claim values.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "downstream_access_token_header": { "description": "The downstream access token header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_access_token_jwk_header": { "description": "The downstream access token JWK header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_id_token_header": { "description": "The downstream id token header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_id_token_jwk_header": { "description": "The downstream id token JWK header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_refresh_token_header": { "description": "The downstream refresh token header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_user_info_header": { "description": "The downstream user info header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_user_info_jwt_header": { "description": "The downstream user info JWT header (in case the user info returns a JWT response).", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_introspection_header": { "description": "The downstream introspection header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_introspection_jwt_header": { "description": "The downstream introspection JWT header.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "downstream_session_id_header": { "description": "The downstream session id header.", - "required": false, - "type": "string" + "type": "string", + 
"required": false } }, { "login_methods": { - "required": false, - "type": "array", - "default": [ - "authorization_code" - ], "description": "Enable login functionality with specified grants.", + "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ @@ -2592,15 +2584,18 @@ "refresh_token", "session" ] - } + }, + "default": [ + "authorization_code" + ] } }, { "login_action": { - "required": false, + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", "type": "string", + "required": false, "default": "upstream", - "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", "one_of": [ "upstream", "response", @@ -2610,12 +2605,9 @@ }, { "login_tokens": { - "required": false, - "type": "array", - "default": [ - "id_token" - ], "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2625,15 +2617,18 @@ "tokens", "introspection" ] - } + }, + "default": [ + "id_token" + ] } }, { "login_redirect_mode": { - "required": false, + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", "type": "string", + "required": false, "default": "fragment", - "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", "one_of": [ "query", "fragment" @@ -2643,33 +2638,29 @@ { "logout_query_arg": { "description": "The request query argument that activates the logout.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "logout_post_arg": { "description": "The request body argument that activates the logout.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "logout_uri_suffix": { "description": "The request URI suffix that activates the logout.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "logout_methods": { - "required": false, - "type": "array", - "default": [ - "POST", - "DELETE" - ], "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2677,31 +2668,35 @@ "GET", "DELETE" ] - } + }, + "default": [ + "POST", + "DELETE" + ] } }, { "logout_revoke": { "default": false, "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "logout_revoke_access_token": { "default": true, "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "logout_revoke_refresh_token": { "default": true, "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { @@ -2710,19 +2705,15 @@ "type": "string" }, "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "consumer_by": { - "required": false, - "type": "array", - "default": [ - "username", - "custom_id" - ], "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2730,93 +2721,94 @@ "username", "custom_id" ] - } + }, + "default": [ + "username", + "custom_id" + ] } }, { "consumer_optional": { "default": false, "description": "Do not terminate the request if consumer mapping fails.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "credential_claim": { - "required": false, - "type": "array", - "default": [ - "sub" - ], "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", + "required": false, "elements": { "type": "string" - } + }, + "default": [ + "sub" + ] } }, { "anonymous": { "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "run_on_preflight": { "default": true, "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "leeway": { "default": 0, "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "verify_parameters": { "default": false, "description": "Verify plugin configuration against discovery.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "verify_nonce": { "default": true, "description": "Verify nonce on authorization code flow.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "verify_claims": { "default": true, "description": "Verify tokens for standard claims.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "verify_signature": { "default": true, "description": "Verify signature of tokens.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "ignore_signature": { - "required": false, - "type": "array", - "default": [ - - ], "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2828,15 +2820,18 @@ "introspection", "userinfo" ] - } + }, + "default": [ + + ] } }, { "enable_hs_signatures": { "default": false, "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { 
@@ -2856,231 +2851,231 @@ ] }, "description": "Disable issuing the session cookie with the specified grants.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "cache_ttl": { "default": 3600, "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "cache_ttl_max": { "description": "The maximum cache ttl in seconds (enforced).", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "cache_ttl_min": { "description": "The minimum cache ttl in seconds (enforced).", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "cache_ttl_neg": { "description": "The negative cache ttl in seconds.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "cache_ttl_resurrect": { "description": "The resurrection ttl in seconds.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "cache_tokens": { "default": true, "description": "Cache the token endpoint requests.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "cache_tokens_salt": { - "auto": true, + "type": "string", "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", - "required": false, - "type": "string" + "auto": true, + "required": false } }, { "cache_introspection": { "default": true, "description": "Cache the introspection endpoint requests.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "cache_token_exchange": { "default": true, "description": "Cache the token exchange endpoint requests.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "cache_user_info": { "default": true, "description": "Cache the user info requests.", - 
"required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "search_user_info": { "default": false, "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "hide_credentials": { "default": false, "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "http_version": { "default": 1.1, "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "http_proxy": { "description": "The HTTP proxy.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "http_proxy_authorization": { "required": false, "description": "The HTTP proxy authorization.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "https_proxy": { "description": "The HTTPS proxy.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "https_proxy_authorization": { "required": false, "description": "The HTTPS proxy authorization.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "no_proxy": { "description": "Do not use proxy with these hosts.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "keepalive": { "default": true, "description": "Use keepalive with the HTTP client.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "ssl_verify": 
{ "default": false, "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "timeout": { "default": 10000, "description": "Network IO timeout in milliseconds.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "display_errors": { "default": false, "description": "Display errors on failure responses.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "by_username_ignore_case": { "default": false, "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "resolve_distributed_claims": { "default": false, "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "expose_error_code": { - "default": true, "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. 
Set to `false` to disable.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "token_cache_key_include_scope": { - "default": false, "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "introspection_token_param_name": { "default": "token", "description": "Designate token's parameter name for introspection.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "revocation_token_param_name": { "default": "token", "description": "Designate token's parameter name for revocation.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "proof_of_possession_mtls": { - "required": false, + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", "type": "string", + "required": false, "default": "off", - "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", "one_of": [ "off", "strict", 
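Review bot: The `ssl_verify` description in the hunk at `@@ -2856,231 +2851,231 @@` documents only the `true` case, although the field keeps `"default": false`, so the reader is never told that by default the identity provider's server certificate is presumably not verified. I would append a sentence such as `With the default of false the certificate is not checked; enable this for any identity provider reached over an untrusted network.` The default also differs from `tls_client_auth_ssl_verify` in the next hunk, which defaults to `true`, and that difference deserves a mention. The same gap applies to `ssl` and `ssl_verify` under `cluster_cache_redis` in the hunk at `@@ -3488,69 +3355,207 @@`, both of which default to `false`. The enclosing `config` record starts outside this hunk.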
@@ -3092,318 +3087,189 @@ "proof_of_possession_auth_methods_validation": { "default": true, "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "tls_client_auth_cert_id": { - "auto": false, - "required": false, - "type": "string", "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", - "uuid": true + "type": "string", + "required": false, + "uuid": true, + "auto": false } }, { "tls_client_auth_ssl_verify": { "default": true, "description": "Verify identity provider server certificate during mTLS client authentication.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "mtls_token_endpoint": { "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "mtls_introspection_endpoint": { "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "mtls_revocation_endpoint": { "description": "Alias for the introspection endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", - "required": false, - "type": "string" - } - }, - { - "proof_of_possession_dpop": { - "required": false, - "type": "string", - "default": "off", - "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", - "one_of": [ - "off", - "strict", - "optional" - ] - } - }, - { - "dpop_use_nonce": { - "default": false, - "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", - "required": false, - "type": "boolean" - } - }, - { - "dpop_proof_lifetime": { - "default": 300, - "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", - "required": false, - "type": "number" - } - }, - { - "claims_forbidden": { - "elements": { - "type": "string" - }, - "description": "If given, these claims are forbidden in the token payload.", - "required": false, - "type": "array" - } - }, - { - "cluster_cache_strategy": { - "required": false, - "type": "string", - "default": "off", - "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. 
Currentlly only introspection cache is shared.", - "one_of": [ - "off", - "redis" - ] - } - }, - { - "cluster_cache_redis": { - "required": true, - "type": "record", - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array" - } - }, - { - "cluster_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - 
"path": [ - "cluster_nodes" - ] - } - ] - }, - "type": "array" - } - } - ], + "type": "string", + "required": false + } + }, + { + "proof_of_possession_dpop": { + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "type": "string", + "required": false, + "default": "off", + "one_of": [ + "off", + "strict", + "optional" + ] + } + }, + { + "dpop_use_nonce": { + "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", + "type": "boolean", + "required": false + } + }, + { + "dpop_proof_lifetime": { + "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "type": "number", + "required": false + } + }, + { + "claims_forbidden": { + "elements": { + "type": "string" + }, + "description": "If given, these claims are forbidden in the token payload.", + "type": "array", + "required": false + } + }, + { + "cluster_cache_strategy": { + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. 
Currentlly only introspection cache is shared.", + "type": "string", + "required": false, + "default": "off", + "one_of": [ + "off", + "redis" + ] + } + }, + { + "cluster_cache_redis": { + "type": "record", + "required": true, "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } }, { "connect_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "send_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "read_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { - "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. 
If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { - "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, @@ -3420,12 +3286,12 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + ] } }, { 
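Review bot: The `mtls_revocation_endpoint` description kept by the hunk at `@@ -3092,318 +3087,189 @@` begins "Alias for the introspection endpoint", which repeats the text of `mtls_introspection_endpoint` directly above it and looks like a copy-paste slip. I would change its first sentence to `Alias for the revocation endpoint to be used for mTLS client authentication.` so that operators do not configure the wrong alias for token revocation. The `cluster_cache_strategy` description in the same hunk has the typo `Currentlly`, which should read `Currently`. Since the commit message says the descriptions are now pulled from the schemas via the API, the correction presumably has to be made in the plugin schema source as well.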
@@ -3447,8 +3313,9 @@ }, { "sentinel_nodes": { - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { "type": "record", "fields": [ @@ -3456,31 +3323,31 @@ "host": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } } ] }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { "type": "record", "fields": [ 
@@ -3488,69 +3355,207 @@ "ip": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } } ] }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, { "ssl": { - "default": false, + "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "ssl_verify": { - "default": false, + "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "server_name": { "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "cluster_max_redirections": { - "default": 5, + "type": "integer", "description": "Maximum retry attempts for redirection.", - "required": false, - "type": "integer" + "default": 5, + "required": false } }, { "connection_is_proxied": { - "default": false, + "type": "boolean", "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", - "required": false, - "type": "boolean" + "default": false, + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + } + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "replaced_with": [ 
+ { + "path": [ + "cluster_nodes" + ] + } + ] + } } } ] } } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" ] } } diff --git a/schemas/opentelemetry/3.10.x.json b/schemas/opentelemetry/3.10.x.json index 573b5251..729055a4 100644 --- a/schemas/opentelemetry/3.10.x.json +++ b/schemas/opentelemetry/3.10.x.json @@ -1,19 +1,10 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -22,91 +13,75 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "required": true, "type": "record", - "entity_checks": [ - { - "at_least_one_of": [ - "traces_endpoint", - "logs_endpoint" - ] - } - ], - "shorthand_fields": [ - { - "endpoint": { - "deprecation": { - "removal_in_version": "4.0", - "message": "OpenTelemetry: config.endpoint is deprecated, please use config.traces_endpoint instead" - }, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "referenceable": true, - "type": "string" - } - } - ], + "required": true, "fields": [ { "traces_endpoint": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "logs_endpoint": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "headers": { "values": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", + "type": "map", "keys": { "type": "string", "description": "A string representing an HTTP header name." 
- }, - "type": "map" + } } }, { "resource_attributes": { "values": { - "required": true, - "type": "string" + "type": "string", + "required": true }, + "type": "map", "keys": { - "required": true, - "type": "string" - }, - "type": "map" + "type": "string", + "required": true + } } }, { "queue": { + "type": "record", "default": { "max_batch_size": 200 }, - "type": "record", - "required": true, "fields": [ { "max_batch_size": { @@ -149,9 +124,9 @@ }, { "max_retry_time": { - "default": 60, "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "type": "number" + "type": "number", + "default": 60 } }, { @@ -178,16 +153,17 @@ }, { "concurrency_limit": { - "default": 1, - "description": "The number of of queue delivery timers. -1 indicates unlimited.", "type": "integer", + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "default": 1, "one_of": [ -1, 1 ] } } - ] + ], + "required": true } }, { @@ -195,9 +171,9 @@ "description": "The number of spans to be sent in a single batch.", "type": "integer", "deprecation": { + "removal_in_version": "4.0", "old_default": 200, - "message": "opentelemetry: config.batch_span_count is deprecated, please use config.queue.max_batch_size instead", - "removal_in_version": "4.0" + "message": "opentelemetry: config.batch_span_count is deprecated, please use config.queue.max_batch_size instead" } } }, 
@@ -206,43 +182,43 @@ "description": "The delay, in seconds, between two consecutive batches.", "type": "integer", "deprecation": { + "removal_in_version": "4.0", "old_default": 3, - "message": "opentelemetry: config.batch_flush_delay is deprecated, please use config.queue.max_coalescing_delay instead", - "removal_in_version": "4.0" + "message": "opentelemetry: config.batch_flush_delay is deprecated, please use config.queue.max_coalescing_delay instead" } } }, { "connect_timeout": { - "default": 1000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 1000 } }, { "send_timeout": { - "default": 5000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 5000 } }, { "read_timeout": { - "default": 5000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 5000 } }, { @@ -252,14 +228,7 @@ }, { "header_type": { - "required": false, "type": "string", - "default": "preserve", - "deprecation": { - "old_default": "preserve", - "message": "opentelemetry: config.header_type is deprecated, please use config.propagation options instead", - "removal_in_version": "4.0" - }, "one_of": [ "preserve", "ignore", @@ -270,8 +239,16 @@ "ot", "aws", "gcp", - "datadog" - ] + "datadog", + "instana" + ], + "deprecation": { + "removal_in_version": "4.0", + "old_default": "preserve", + "message": "opentelemetry: config.header_type is deprecated, please use config.propagation options instead" + }, + "default": "preserve", + "required": false } }, { 
@@ -281,87 +258,114 @@ 1 ], "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "propagation": { - "default": { - "default_format": "w3c" - }, "fields": [ { "extract": { + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "type": "array", "elements": { "type": "string", "one_of": [ - "gcp", + "w3c", + "b3", "jaeger", - "aws", "ot", - "w3c", "datadog", - "b3" + "aws", + "gcp", + "instana" ] - }, - "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", - "type": "array" + } } }, { "clear": { + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", + "type": "array", "elements": { "type": "string" - }, - "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. 
If left empty, no headers are cleared.", - "type": "array" + } } }, { "inject": { + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "type": "array", "elements": { "type": "string", "one_of": [ "preserve", - "gcp", + "w3c", + "b3", "b3-single", "jaeger", - "aws", "ot", - "w3c", "datadog", - "b3" + "aws", + "gcp", + "instana" ] - }, - "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", - "type": "array" + } } }, { "default_format": { - "type": "string", - "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", - "required": true, "one_of": [ - "gcp", + "w3c", + "b3", "b3-single", "jaeger", - "aws", "ot", - "w3c", "datadog", - "b3" - ] + "aws", + "gcp", + "instana" + ], + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. 
This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "type": "string", + "required": true } } ], - "required": true, - "type": "record" + "default": { + "default_format": "w3c" + }, + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "traces_endpoint", + "logs_endpoint" + ] + } + ], + "shorthand_fields": [ + { + "endpoint": { + "referenceable": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "OpenTelemetry: config.endpoint is deprecated, please use config.traces_endpoint instead" + } } } ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/post-function/3.10.x.json b/schemas/post-function/3.10.x.json index 6835bfd9..14303e48 100644 --- a/schemas/post-function/3.10.x.json +++ b/schemas/post-function/3.10.x.json 
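Review bot: The new `endpoint` shorthand at the end of this hunk carries only a `message` and `removal_in_version` in its `deprecation` block, whereas the Redis shorthands in the proxy-cache-advanced schema of the same patch also carry a `replaced_with` path. Anything that reads `replaced_with` to migrate or lint configurations would presumably not map `endpoint` to `traces_endpoint`; I would add `"replaced_with": [ { "path": [ "traces_endpoint" ] } ]`. The message prefix is also `OpenTelemetry:` here but `opentelemetry:` in the other deprecation messages of this file, which matters to anyone filtering deprecation warnings by prefix. These files look generated from the gateway's schema output, so both fixes probably belong at the source.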
@@ -1,75 +1,29 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.certificate", - "config.rewrite", - "config.access", - "config.header_filter", - "config.body_filter", - "config.log", - "config.ws_handshake", - "config.ws_upstream_frame", - "config.ws_client_frame", - "config.ws_close" - ] - } - ], "fields": [ - { - "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], - "elements": { - "type": "string", - "one_of": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] - }, - "required": false, - "type": "set" - } - }, { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing protocols.", + "type": "set", + "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -81,148 +35,169 @@ "udp", "ws", "wss" - ], - "type": "string" - } + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "type": "record", "fields": [ { "certificate": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, "default": [ ], - "elements": { - "required": false, - "type": "string" - }, - "required": true, - "type": "array" + "required": true } }, { "rewrite": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, "default": [ ], - "elements": { - "required": false, - "type": "string" - }, - "required": true, - "type": "array" + "required": true } }, { "access": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, "default": [ ], - "elements": { - "required": false, - "type": "string" - }, - "required": true, - "type": "array" + "required": true } }, { "header_filter": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, "default": [ ], - "elements": { - "required": false, - "type": "string" - }, - "required": true, - "type": "array" + "required": true } }, { "body_filter": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, "default": [ ], - "elements": { - "required": false, - "type": "string" - }, - "required": true, - "type": "array" + "required": true } }, { "log": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, "default": [ ], - "elements": { - "required": false, - "type": "string" - }, - "required": true, - "type": "array" + "required": true } }, { "ws_handshake": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, "default": [ ], - "elements": { - "required": false, - "type": "string" - }, - "required": true, - "type": "array" + "required": true } }, { "ws_client_frame": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, "default": [ ], - "elements": { - "required": false, - 
"type": "string" - }, - "required": true, - "type": "array" + "required": true } }, { "ws_upstream_frame": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, "default": [ ], - "elements": { - "required": false, - "type": "string" - }, - "required": true, - "type": "array" + "required": true } }, { "ws_close": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, "default": [ ], - "elements": { - "required": false, - "type": "string" - }, - "required": true, - "type": "array" + "required": true } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } ] } \ No newline at end of file diff --git a/schemas/pre-function/3.10.x.json b/schemas/pre-function/3.10.x.json index 6835bfd9..14303e48 100644 --- a/schemas/pre-function/3.10.x.json +++ b/schemas/pre-function/3.10.x.json 
@@ -1,75 +1,29 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.certificate", - "config.rewrite", - "config.access", - "config.header_filter", - "config.body_filter", - "config.log", - "config.ws_handshake", - "config.ws_upstream_frame", - "config.ws_client_frame", - "config.ws_close" - ] - } - ], "fields": [ - { - "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], - "elements": { - "type": "string", - "one_of": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] - }, - "required": false, - "type": "set" - } - }, { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing protocols.", + "type": "set", + "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -81,148 +35,169 @@ "udp", "ws", "wss" - ], - "type": "string" - } + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "type": "record", "fields": [ { "certificate": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, "default": [ ], - "elements": { - "required": false, - "type": "string" - }, - "required": true, - "type": "array" + "required": true } }, { "rewrite": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, "default": [ ], - "elements": { - "required": false, - "type": "string" - }, - "required": true, - "type": "array" + "required": true } }, { "access": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, "default": [ ], - "elements": { - "required": false, - "type": "string" - }, - "required": true, - "type": "array" + "required": true } }, { "header_filter": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, "default": [ ], - "elements": { - "required": false, - "type": "string" - }, - "required": true, - "type": "array" + "required": true } }, { "body_filter": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, "default": [ ], - "elements": { - "required": false, - "type": "string" - }, - "required": true, - "type": "array" + "required": true } }, { "log": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, "default": [ ], - "elements": { - "required": false, - "type": "string" - }, - "required": true, - "type": "array" + "required": true } }, { "ws_handshake": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, "default": [ ], - "elements": { - "required": false, - "type": "string" - }, - "required": true, - "type": "array" + "required": true } }, { "ws_client_frame": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, "default": [ ], - "elements": { - "required": false, - 
"type": "string" - }, - "required": true, - "type": "array" + "required": true } }, { "ws_upstream_frame": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, "default": [ ], - "elements": { - "required": false, - "type": "string" - }, - "required": true, - "type": "array" + "required": true } }, { "ws_close": { + "type": "array", + "elements": { + "type": "string", + "required": false + }, "default": [ ], - "elements": { - "required": false, - "type": "string" - }, - "required": true, - "type": "array" + "required": true } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } ] } \ No newline at end of file diff --git a/schemas/prometheus/3.10.x.json b/schemas/prometheus/3.10.x.json index ff139dbf..30707a5a 100644 --- a/schemas/prometheus/3.10.x.json +++ b/schemas/prometheus/3.10.x.json @@ -1,21 +1,13 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing protocols.", + "type": "set", + "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -27,68 +19,83 @@ "udp", "ws", "wss" - ], - "type": "string" - } + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "per_consumer": { - "default": false, "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", + "default": false, "type": "boolean" } }, { "status_code_metrics": { - "default": false, "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", + "default": false, "type": "boolean" } }, { "ai_metrics": { - "default": false, "description": "A boolean value that determines if ai metrics should be collected. If enabled, the `ai_llm_requests_total`, `ai_llm_cost_total` and `ai_llm_tokens_total` metrics will be exported.", + "default": false, "type": "boolean" } }, { "latency_metrics": { - "default": false, "description": "A boolean value that determines if latency metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", + "default": false, "type": "boolean" } }, { "bandwidth_metrics": { - "default": false, "description": "A boolean value that determines if bandwidth metrics should be collected. 
If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", + "default": false, "type": "boolean" } }, { "upstream_health_metrics": { - "default": false, "description": "A boolean value that determines if upstream metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", + "default": false, + "type": "boolean" + } + }, + { + "wasm_metrics": { + "description": "A boolean value that determines if Wasm metrics should be collected.", + "default": false, "type": "boolean" } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/proxy-cache-advanced/3.10.x.json b/schemas/proxy-cache-advanced/3.10.x.json index 63d95361..a1286afa 100644 --- a/schemas/proxy-cache-advanced/3.10.x.json +++ b/schemas/proxy-cache-advanced/3.10.x.json @@ -1,25 +1,15 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], + "supported_partials": { + "redis-ee": [ + "config.redis" + ] + }, "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -28,41 +18,44 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "type": "record", "fields": [ { "response_code": { - "required": true, - "type": "array", - "default": [ - 200, - 301, - 404 - ], "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", + "type": "array", + "required": true, "elements": { + "type": "integer", "between": [ 100, 900 - ], - "type": "integer" + ] }, + "default": [ + 200, + 301, + 404 + ], "len_min": 1 } }, { "request_method": { - "required": true, - "type": "array", - "default": [ - "GET", - "HEAD" - ], "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", + "type": "array", + "required": true, "elements": { "type": "string", "one_of": [ @@ -72,21 +65,25 @@ "PATCH", "PUT" ] - } + }, + "default": [ + "GET", + "HEAD" + ] } }, { "content_type": { - "required": true, + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", "type": "array", + "required": true, + "elements": { + "type": "string" + }, "default": [ "text/plain", "application/json" - ], - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", - "elements": { - "type": "string" - } + ] } }, { 
@@ -99,9 +96,9 @@ }, { "strategy": { - "type": "string", - "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", "required": true, + "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", + "type": "string", "one_of": [ "memory", "redis" @@ -110,18 +107,18 @@ }, { "cache_control": { - "default": false, + "type": "boolean", "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "ignore_uri_case": { - "default": false, + "type": "boolean", "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { 
@@ -132,43 +129,42 @@ }, { "memory": { + "type": "record", "fields": [ { "dictionary_name": { - "default": "kong_db_cache", + "type": "string", "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", - "required": true, - "type": "string" + "default": "kong_db_cache", + "required": true } } ], - "required": true, - "type": "record" + "required": true } }, { "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration. By default, the max number of params accepted is 100. You can change this value via the `lua_max_post_args` in `kong.conf`.", + "type": "array", "elements": { "type": "string" - }, - "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", - "type": "array" + } } }, { "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "type": "array", "elements": { "type": "string" - }, - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", - "type": "array" + } } }, { "response_headers": { "type": "record", "description": "Caching related diagnostic headers that should be included in cached responses", - "required": true, "fields": [ { "age": { 
@@ -188,228 +184,100 @@ "type": "boolean" } } - ] + ], + "required": true } }, { "redis": { - "required": true, "type": "record", - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array" - } - }, - { - "cluster_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } 
- ] - }, - "type": "array" - } - } - ], + "required": true, "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } }, { "connect_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "send_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "read_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { - "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { - "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, @@ -426,12 +294,12 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + ] } }, { 
@@ -453,8 +321,9 @@ }, { "sentinel_nodes": { - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { "type": "record", "fields": [ @@ -462,31 +331,31 @@ "host": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } } ] }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { "type": "record", "fields": [ 
@@ -494,64 +363,192 @@ "ip": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } } ] }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, { "ssl": { - "default": false, + "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "ssl_verify": { - "default": false, + "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "server_name": { "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "cluster_max_redirections": { - "default": 5, + "type": "integer", "description": "Maximum retry attempts for redirection.", - "required": false, - "type": "integer" + "default": 5, + "required": false } }, { "connection_is_proxied": { - "default": false, + "type": "boolean", "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", - "required": false, - "type": "boolean" + "default": false, + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + } + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "replaced_with": [ 
+ { + "path": [ + "cluster_nodes" + ] + } + ] + } } } ] @@ -559,14 +556,22 @@ }, { "bypass_on_err": { - "default": false, "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", - "type": "boolean" + "type": "boolean", + "default": false } } ], - "required": true, - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/proxy-cache/3.10.x.json b/schemas/proxy-cache/3.10.x.json index c639f5af..de198d01 100644 --- a/schemas/proxy-cache/3.10.x.json +++ b/schemas/proxy-cache/3.10.x.json @@ -1,27 +1,13 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing protocols.", + "type": "set", + "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -33,43 +19,45 @@ "udp", "ws", "wss" - ], - "type": "string" - } + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "type": "record", "fields": [ { "response_code": { - "required": true, - "type": "array", - "default": [ - 200, - 301, - 404 - ], "description": "Upstream response status code considered cacheable.", + "type": "array", + "required": true, "elements": { + "type": "integer", "between": [ 100, 900 - ], - "type": "integer" + ] }, + "default": [ + 200, + 301, + 404 + ], "len_min": 1 } }, { "request_method": { - "required": true, - "type": "array", - "default": [ - "GET", - "HEAD" - ], "description": "Downstream request methods considered cacheable.", + "type": "array", + "required": true, "elements": { "type": "string", "one_of": [ 
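Review bot: In the `@@ -494,64 +363,192 @@` hunk, `ssl` and `ssl_verify` both keep `"default": false`, and none of the `entity_checks` re-added below them names either field, so a `redis` record with `password` or `sentinel_password` set and TLS off validates cleanly. The declarative checks also do not stop `ssl_verify: true` being combined with `ssl: false`, where verification presumably never runs. If the defaults must stay for compatibility, the description should state the consequence, for example `"description": "If set to true, uses SSL to connect to Redis. When false (the default), credentials and cached responses cross the network unencrypted."`. The `redis` record opens in an earlier hunk, and if these files are generated the wording has to change upstream.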
@@ -79,21 +67,25 @@ "PATCH", "PUT" ] - } + }, + "default": [ + "GET", + "HEAD" + ] } }, { "content_type": { - "required": true, + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", "type": "array", + "required": true, + "elements": { + "type": "string" + }, "default": [ "text/plain", "application/json" - ], - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", - "elements": { - "type": "string" - } + ] } }, { @@ -106,9 +98,9 @@ }, { "strategy": { - "type": "string", - "description": "The backing data store in which to hold cache entities.", "required": true, + "description": "The backing data store in which to hold cache entities.", + "type": "string", "one_of": [ "memory" ] @@ -116,17 +108,17 @@ }, { "cache_control": { - "default": false, + "type": "boolean", "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "ignore_uri_case": { + "type": "boolean", "default": false, - "required": false, - "type": "boolean" + "required": false } }, { 
@@ -137,68 +129,76 @@ }, { "memory": { + "type": "record", "fields": [ { "dictionary_name": { - "default": "kong_db_cache", + "type": "string", "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", - "required": true, - "type": "string" + "default": "kong_db_cache", + "required": true } } ], - "required": true, - "type": "record" + "required": true } }, { "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "type": "array", "elements": { "type": "string" - }, - "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", - "type": "array" + } } }, { "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "type": "array", "elements": { "type": "string" - }, - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", - "type": "array" + } } }, { "response_headers": { "type": "record", "description": "Caching related diagnostic headers that should be included in cached responses", - "required": true, "fields": [ { "age": { - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "X-Cache-Status": { - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "X-Cache-Key": { - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } } - ] + ], + "required": true } } ], - "required": true, - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] 
diff --git a/schemas/rate-limiting-advanced/3.10.x.json b/schemas/rate-limiting-advanced/3.10.x.json index a2ecf410..2a22687b 100644 --- a/schemas/rate-limiting-advanced/3.10.x.json +++ b/schemas/rate-limiting-advanced/3.10.x.json @@ -1,25 +1,15 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], + "supported_partials": { + "redis-ee": [ + "config.redis" + ] + }, "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -28,18 +18,25 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "type": "record", "fields": [ { "identifier": { - "required": true, + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`. Note if `identifier` is `consumer-group`, the plugin must be applied on a consumer group entity. Because a consumer may belong to multiple consumer groups, the plugin needs to know explicitly which consumer group to limit the rate.", "type": "string", + "required": true, "default": "consumer", - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", "one_of": [ "ip", "credential", 
@@ -53,6 +50,8 @@ }, { "compound_identifier": { + "description": "Similar to `identifer`, but supports combining multiple items. The priority of `compound_identifier` is higher than `identifier`, which means if `compound_identifer` is set, it will be used, otherwise `identifier` will be used.", + "type": "array", "elements": { "type": "string", "one_of": [ @@ -64,9 +63,7 @@ "path", "consumer-group" ] - }, - "description": "Similar to `identifer`, but supports combining multiple items. The priority of `compound_identifier` is higher than `identifier`, which means if `compound_identifer` is set, it will be used, otherwise `identifier` will be used.", - "type": "array" + } } }, { @@ -75,8 +72,8 @@ "type": "number" }, "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", - "required": true, - "type": "array" + "type": "array", + "required": true } }, { 
@@ -96,30 +93,30 @@ "type": "number" }, "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", - "required": true, - "type": "array" + "type": "array", + "required": true } }, { "sync_rate": { - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", - "type": "number" + "type": "number", + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." } }, { "namespace": { "auto": true, "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "strategy": { - "required": true, + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "type": "string", + "required": true, "default": "local", - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "one_of": [ "cluster", "redis", 
@@ -131,29 +128,29 @@ "dictionary_name": { "default": "kong_rate_limiting_counters", "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "lock_dictionary_name": { "default": "kong_locks", "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. The shared dictionary should be declare in nginx-kong.conf.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "hide_client_headers": { - "default": false, "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "default": false, "type": "boolean" } }, { "retry_after_jitter_max": { - "default": 0, "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "default": 0, "type": "number" } }, 
@@ -165,155 +162,24 @@ }, { "path": { - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { - "err": "must not have empty segments", - "pattern": "//" + "pattern": "//", + "err": "must not have empty segments" } ], - "type": "string" + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string", + "starts_with": "/" } }, { "redis": { - "required": true, - "type": "record", - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "shorthand_fields": [ - { - "timeout": { - "type": "integer", - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - } - } - }, - { - 
"sentinel_addresses": { - "elements": { - "type": "string" - }, - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "len_min": 1, - "type": "array" - } - }, - { - "cluster_addresses": { - "elements": { - "type": "string" - }, - "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "len_min": 1, - "type": "array" - } - } - ], "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, 
@@ -321,182 +187,182 @@ "port": { "default": 6379, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer" + ] } }, { "connect_timeout": { "default": 2000, "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer" + ] } }, { "send_timeout": { "default": 2000, "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer" + ] } }, { "read_timeout": { "default": 2000, "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer" + ] } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { - "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { - "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, { "keepalive_pool_size": { - "default": 256, + "type": "integer", "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, "between": [ 1, 2147483646 - ], - "type": "integer" + ] } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + ] } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string" + ] } }, { "sentinel_nodes": { - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { + "type": "record", "fields": [ { "host": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { "default": 6379, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer" + ] } } - ], - "type": "record" + ] }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { + "type": "record", "fields": [ { "ip": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { "default": 6379, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer" + ] } } - ], - "type": "record" + ] }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, 
@@ -504,95 +370,234 @@ "ssl": { "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "ssl_verify": { "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "server_name": { "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "cluster_max_redirections": { "default": 5, "description": "Maximum retry attempts for redirection.", - "required": false, - "type": "integer" + "type": "integer", + "required": false } }, { "connection_is_proxied": { "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "redis_proxy_type": { - "type": "string", - "description": "If the `connection_is_proxied` is enabled, this field indicates the proxy type and version you are using. For example, you can enable this optioin when you want authentication between Kong and Envoy proxy.", - "required": false, "one_of": [ "envoy_v1.31" + ], + "description": "If the `connection_is_proxied` is enabled, this field indicates the proxy type and version you are using. 
For example, you can enable this optioin when you want authentication between Kong and Envoy proxy.", + "type": "string", + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" ] } } + ], + "type": "record", + "required": true, + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + } + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + 
], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + } + } + } ] } }, { "enforce_consumer_groups": { - "default": false, "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", + "default": false, "type": "boolean" } }, { "consumer_groups": { + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", + "type": "array", "elements": { "type": "string" - }, - "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", - "type": "array" + } } }, { "disable_penalty": { - "default": false, "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", + "default": false, "type": "boolean" } }, { "error_code": { - "default": 429, - "description": "Set a custom error code to return when the rate limit is exceeded.", "gt": 0, - "type": "number" + "description": "Set a custom error code to return when the rate limit is exceeded.", + "type": "number", + "default": 429 } }, { "error_message": { - "default": "API rate limit exceeded", "description": "Set a custom error message to return when the rate limit is exceeded.", + "default": "API rate limit exceeded", "type": "string" } } ], - "required": true, - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] 
diff --git a/schemas/rate-limiting/3.10.x.json b/schemas/rate-limiting/3.10.x.json index fc7061fb..8a398313 100644 --- a/schemas/rate-limiting/3.10.x.json +++ b/schemas/rate-limiting/3.10.x.json @@ -1,88 +1,15 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.second", - "config.minute", - "config.hour", - "config.day", - "config.month", - "config.year" - ] - }, - { - "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.host", - "if_field": "config.policy", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.port", - "if_field": "config.policy", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.timeout", - "if_field": "config.policy", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": "header" - }, - "then_field": "config.header_name", - "if_field": "config.limit_by", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": "path" - }, - "then_field": "config.path", - "if_field": "config.limit_by", - "then_match": { - "required": true - } - } - } - ], + "supported_partials": { + "redis-ce": [ + "config.redis" + ] + }, "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -91,51 +18,214 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "shorthand_fields": [ + { + "redis_host": { + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_host is deprecated, please use config.redis.host instead", + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } + ] + } + } + }, + { + "redis_port": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_port is deprecated, please use config.redis.port instead", + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ] + } + } + }, + { + "redis_password": { + "len_min": 0, + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_password is deprecated, please use config.redis.password instead", + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ] + } + } + }, + { + "redis_username": { + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_username is deprecated, please use config.redis.username instead", + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ] + } + } + }, + { + "redis_ssl": { + "type": "boolean", + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ] + } + } + }, + { + "redis_ssl_verify": { + "type": "boolean", + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ] + } + } + }, + { + "redis_server_name": { + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: 
config.redis_server_name is deprecated, please use config.redis.server_name instead", + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ] + } + } + }, + { + "redis_timeout": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", + "replaced_with": [ + { + "path": [ + "redis", + "timeout" + ] + } + ] + } + } + }, + { + "redis_database": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_database is deprecated, please use config.redis.database instead", + "replaced_with": [ + { + "path": [ + "redis", + "database" + ] + } + ] + } + } + } + ], + "type": "record", "fields": [ { "second": { - "gt": 0, "description": "The number of HTTP requests that can be made per second.", + "gt": 0, "type": "number" } }, { "minute": { - "gt": 0, "description": "The number of HTTP requests that can be made per minute.", + "gt": 0, "type": "number" } }, { "hour": { - "gt": 0, "description": "The number of HTTP requests that can be made per hour.", + "gt": 0, "type": "number" } }, { "day": { - "gt": 0, "description": "The number of HTTP requests that can be made per day.", + "gt": 0, "type": "number" } }, { "month": { - "gt": 0, "description": "The number of HTTP requests that can be made per month.", + "gt": 0, "type": "number" } }, { "year": { - "gt": 0, "description": "The number of HTTP requests that can be made per year.", + "gt": 0, "type": "number" } }, 
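Review bot: The new `redis_password` entry under `shorthand_fields` declares only `len_min`, `type` and `deprecation`, while the `config.redis.password` field it is replaced with is marked `"encrypted": true` and `"referenceable": true` further down in this file. Anything that reads this schema to decide which inputs are secrets (docs rendering, config linting, log redaction) would treat the deprecated alias as a plain string. Whether the value is translated to `redis.password` before it is stored is not visible here. Since the file is pulled from the API, the fix belongs in the plugin schema: add `"encrypted": true, "referenceable": true` to `redis_password`, or have consumers of this file inherit those flags from the `replaced_with` target. The enclosing `config` record continues beyond this hunk.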
@@ -163,43 +253,42 @@ }, { "path": { - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { - "err": "must not have empty segments", - "pattern": "//" + "pattern": "//", + "err": "must not have empty segments" } ], - "type": "string" + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string", + "starts_with": "/" } }, { "policy": { - "type": "string", - "default": "local", - "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", "len_min": 0, + "type": "string", "one_of": [ "local", "cluster", "redis" - ] + ], + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits." } }, { "fault_tolerant": { "default": true, "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "redis": { "type": "record", "description": "Redis configuration", - "required": true, "fields": [ { "host": { 
@@ -209,95 +298,96 @@ }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } }, { "timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { - "encrypted": true, - "referenceable": true, - "type": "string", "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "len_min": 0 + "type": "string", + "encrypted": true, + "len_min": 0, + "referenceable": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "type": "integer", + "default": 0 } }, { "ssl": { - "default": false, + "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "ssl_verify": { - "default": false, + "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "server_name": { "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false, - "type": "string" + "type": "string", + "required": false } } - ] + ], + "required": true } }, { "hide_client_headers": { "default": false, "description": "Optionally hide informative response headers.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "error_code": { - "gt": 0, - "description": "Set a custom error code to return when the rate limit is exceeded.", "default": 429, - "type": "number" + "description": "Set a custom error code to return when the rate limit is exceeded.", + "type": "number", + "gt": 0 } }, { "error_message": { - "default": "API rate limit exceeded", "description": "Set a custom error message to return when the rate limit is exceeded.", + "default": "API rate limit exceeded", "type": "string" } }, 
@@ -305,169 +395,84 @@ "sync_rate": { "default": -1, "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior.", - "required": true, - "type": "number" + "type": "number", + "required": true } } ], - "shorthand_fields": [ - { - "redis_host": { - "deprecation": { - "message": "rate-limiting: config.redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "host" - ] - } - ] - }, - "type": "string" - } - }, - { - "redis_port": { - "deprecation": { - "message": "rate-limiting: config.redis_port is deprecated, please use config.redis.port instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "port" - ] - } - ] - }, - "type": "integer" - } - }, - { - "redis_password": { - "type": "string", - "deprecation": { - "message": "rate-limiting: config.redis_password is deprecated, please use config.redis.password instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "password" - ] - } - ] - }, - "len_min": 0 - } - }, - { - "redis_username": { - "deprecation": { - "message": "rate-limiting: config.redis_username is deprecated, please use config.redis.username instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "username" - ] - } - ] - }, - "type": "string" - } - }, - { - "redis_ssl": { - "deprecation": { - "message": "rate-limiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "ssl" - ] - } - ] - }, - "type": "boolean" - } - }, - { - "redis_ssl_verify": { - "deprecation": { - "message": "rate-limiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "ssl_verify" - ] - } - ] - }, - "type": "boolean" - 
} - }, - { - "redis_server_name": { - "deprecation": { - "message": "rate-limiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "server_name" - ] - } - ] - }, - "type": "string" - } - }, - { - "redis_timeout": { - "deprecation": { - "message": "rate-limiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "redis_database": { - "deprecation": { - "message": "rate-limiting: config.redis_database is deprecated, please use config.redis.database instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "database" - ] - } - ] - }, - "type": "integer" - } - } - ], - "required": true, - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.second", + "config.minute", + "config.hour", + "config.day", + "config.month", + "config.year" + ] + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.host", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.port", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.timeout", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "header" + }, + "then_field": "config.header_name", + "if_field": "config.limit_by", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "path" + }, + "then_field": "config.path", + "if_field": "config.limit_by", + "then_match": { + 
"required": true + } } } ] diff --git a/schemas/redirect/3.10.x.json b/schemas/redirect/3.10.x.json index 32153288..af11a01f 100644 --- a/schemas/redirect/3.10.x.json +++ b/schemas/redirect/3.10.x.json @@ -1,8 +1,10 @@ { - "entity_checks": [], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -17,45 +19,45 @@ "grpcs", "http", "https" - ], - "type": "set", - "required": true, - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { "type": "record", - "required": true, "fields": [ { "status_code": { + "description": "The response code to send. Must be an integer between 100 and 599.", + "type": "integer", + "required": true, + "default": 301, "between": [ 100, 599 - ], - "default": 301, - "type": "integer", - "required": true, - "description": "The response code to send. Must be an integer between 100 and 599." + ] } }, { "location": { + "description": "The URL to redirect to", "type": "string", - "required": true, - "description": "The URL to redirect to" + "required": true } }, { "keep_incoming_path": { + "description": "Use the incoming request's path and query string in the redirect URL", "type": "boolean", - "default": false, - "description": "Use the incoming request's path and query string in the redirect URL" + "default": false } } - ] + ], + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-callout/3.10.x.json b/schemas/request-callout/3.10.x.json index 9378e259..b4940175 100644 --- a/schemas/request-callout/3.10.x.json +++ b/schemas/request-callout/3.10.x.json 
@@ -1,17 +1,9 @@ { "fields": [ - { - "consumer": { - "reference": "consumers", - "eq": null, - "description": "Custom type for representing a foreign key with a null value allowed.", - "type": "foreign" - } - }, { "protocols": { - "type": "set", "description": "A set of strings representing HTTP protocols.", + "type": "set", "required": true, "elements": { "type": "string", @@ -32,10 +24,10 @@ }, { "config": { + "type": "record", "fields": [ { "callouts": { - "required": false, "elements": { "type": "record", "fields": [ @@ -47,12 +39,15 @@ }, { "depends_on": { - "required": false, + "type": "array", "elements": { - "type": "string" + "type": "string", + "required": true }, - "type": "array", - "default": [] + "default": [ + + ], + "required": true } }, { @@ -61,39 +56,37 @@ "fields": [ { "url": { - "required": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "required": true } }, { "method": { - "default": "GET", "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", "type": "string", + "required": true, + "default": "GET", "match": "^%u+$" } }, { "http_opts": { - "default": [], "type": "record", "fields": [ { "ssl_verify": { - "type": "boolean", - "default": true + "default": false, + "type": "boolean" } }, { "ssl_server_name": { - "type": "string", - "required": false + "type": "string" } }, { "timeouts": { - "default": [], "type": "record", "fields": [ { 
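Review bot: In `http_opts`, the `ssl_verify` default flips from `true` to `false`, so a callout to an `https://` URL would presumably no longer have its server certificate checked unless the operator opts in. The field has no `description` to say so. Because these schemas are pulled from the API, the new default should be confirmed against the upstream plugin rather than edited here. If it is intentional, the entry should document it, e.g. `"description": "If set to true, verifies the callout server's TLS certificate. Defaults to false; set it to true for HTTPS callouts."`. The record that holds `url`, `method` and `http_opts` starts outside this hunk, and the `timeouts` record continues past it.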
@@ -126,204 +119,189 @@ ] } } + ], + "entity_checks": [ + { + "mutually_required": [ + "connect", + "write", + "read" + ] + } ] } }, { "proxy": { - "default": [], "type": "record", "fields": [ { "auth_username": { "required": false, - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "auth_password": { "required": false, - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { - "http_proxy": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "https_proxy": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." } }, { - "https_proxy": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "http_proxy": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
} } ] } } - ] + ], + "required": true } }, { "query": { - "default": [], "type": "record", "fields": [ { "forward": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "custom": { - "required": false, - "keys": { - "type": "string" - }, - "type": "map", "values": { "type": "string", "required": false + }, + "required": false, + "type": "map", + "keys": { + "type": "string" } } } - ] + ], + "required": true } }, { "headers": { - "default": [], "type": "record", "fields": [ { "forward": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "custom": { - "required": false, - "keys": { - "type": "string" - }, - "type": "map", "values": { "type": "string", "required": false + }, + "required": false, + "type": "map", + "keys": { + "type": "string" } } } - ] + ], + "required": true } }, { "body": { - "default": [], "type": "record", "fields": [ { "forward": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "decode": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "custom": { - "required": false, - "keys": { - "type": "string" - }, - "type": "map", "values": { "type": "string", "required": false + }, + "required": false, + "type": "map", + "keys": { + "type": "string" } } } - ] + ], + "required": true } }, { "error": { - "default": [], "type": "record", "fields": [ { "on_error": { - "default": "retry", + "default": "fail", "type": "string", "one_of": [ "retry", "fail", - "ignore" + "continue" ] } }, { - "retry": { - "type": "integer", - "default": 2 + "retries": { + "default": 2, + "type": "integer" } }, { - "codes": { + "http_statuses": { "type": "array", "elements": { - "type": "string", - "default": "400-599" + "type": "integer", + "between": [ + 100, + 999 + ] } } }, { "error_response_code": { - "type": "integer", - "default": 400 + "default": 400, + "type": "integer" } }, { "error_response_msg": { - "type": "string", - 
"default": "service callout error" + "default": "service callout error", + "type": "string" } } - ] - } - }, - { - "redirect": { - "default": [], - "type": "record", - "fields": [ - { - "on_redirect": { - "default": "continue", - "type": "string", - "one_of": [ - "follow", - "continue" - ] - } - }, - { - "codes": { - "type": "array", - "elements": { - "type": "string", - "default": "400-599" - } - } - } - ] + ], + "required": true } }, { @@ -332,46 +310,46 @@ "required": false } } - ] + ], + "required": true } }, { "response": { - "required": true, "type": "record", "fields": [ { "headers": { - "default": [], "type": "record", "fields": [ { "store": { - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } } - ] + ], + "required": true } }, { "body": { - "default": [], "type": "record", "fields": [ { "store": { - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "decode": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } } - ] + ], + "required": true } }, { 
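Review bot: In the `proxy` record, `auth_password` is declared with `referenceable` only, while the `password` and `sentinel_password` fields of the `cache.redis` record added later in this same file also carry `"encrypted": true`. If that flag controls encryption at rest as its name suggests, a proxy password entered as a literal is stored with less protection than the Redis passwords. If the upstream plugin intends parity, the entry would read `"auth_password": { "required": false, "type": "string", "encrypted": true, "referenceable": true }`. Neither `auth_username` nor `auth_password` has a `description`; one line recommending a vault reference over a literal value would help. The `proxy` record's parent starts outside this hunk.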
@@ -380,48 +358,443 @@ "required": false } } - ] + ], + "required": true } }, { "cache": { - "default": [], "type": "record", "fields": [ { "bypass": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } } - ] + ], + "required": true } } ] }, - "type": "array" + "type": "array", + "required": true } }, { "cache": { + "type": "record", "fields": [ { "strategy": { - "default": "memory", + "required": true, + "default": "off", "type": "string", "one_of": [ "memory", - "disk" + "redis", + "off" ] } + }, + { + "memory": { + "type": "record", + "fields": [ + { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string", + "required": true + } + } + ], + "required": true + } + }, + { + "redis": { + "type": "record", + "required": true, + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "type": "string" + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + }, + { + "connect_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "send_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "read_timeout": { + "type": "integer", + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string", + "referenceable": true + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "type": "array", + "required": false, + "elements": { + "type": "record", + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string", + "required": true + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ] + }, + "len_min": 1 + } + }, + { + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "type": "array", + "required": false, + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string", + "required": true + } + }, + { + "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ] + }, + "len_min": 1 + } + }, + { + "ssl": { + "type": "boolean", + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "required": false + } + }, + { + "ssl_verify": { + "type": "boolean", + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "required": false + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string", + "required": false + } + }, + { + "cluster_max_redirections": { + "type": "integer", + "description": "Maximum retry attempts for redirection.", + "default": 5, + "required": false + } + }, + { + "connection_is_proxied": { + "type": "boolean", + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "default": false, + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + } + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + 
} + ] + } + } + } + ] + } + }, + { + "cache_ttl": { + "gt": 0, + "description": "TTL in seconds of cache entities.", + "type": "integer", + "default": 300 + } } ], - "type": "record", "required": true } }, { "upstream": { + "type": "record", "fields": [ { "by_lua": { @@ -431,104 +804,101 @@ }, { "query": { - "default": [], + "type": "record", "fields": [ { "forward": { - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "custom": { - "required": false, - "keys": { - "type": "string" - }, - "type": "map", "values": { "type": "string", "required": false + }, + "required": false, + "type": "map", + "keys": { + "type": "string" } } } ], - "type": "record", "required": true } }, { "headers": { - "default": [], + "type": "record", "fields": [ { "forward": { - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "custom": { - "required": false, - "keys": { - "type": "string" - }, - "type": "map", "values": { "type": "string", "required": false + }, + "required": false, + "type": "map", + "keys": { + "type": "string" } } } ], - "type": "record", "required": true } }, { "body": { - "default": [], + "type": "record", "fields": [ { "forward": { - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "decode": { - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "custom": { - "required": false, - "keys": { - "type": "string" - }, - "type": "map", "values": { "type": "string", "required": false + }, + "required": false, + "type": "map", + "keys": { + "type": "string" } } } ], - "type": "record", "required": true } } ], - "type": "record", "required": true } } ], - "type": "record", "required": true } } ], - "entity_checks": [] + "entity_checks": [ + + ] } \ No newline at end of file diff --git a/schemas/request-size-limiting/3.10.x.json b/schemas/request-size-limiting/3.10.x.json index bcef5a46..f11b1d6a 100644 
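Review bot: The new `cache.redis` record defaults both `ssl` and `ssl_verify` to `false`, so once `strategy` is set to `redis` the `username` and `password` travel to the Redis server unencrypted unless both flags are set. Per the field's own description, `ssl` alone does not validate the server certificate. The `ssl` description should state the pairing, e.g. `"description": "If set to true, uses SSL to connect to Redis. Also set ssl_verify to true so the server certificate is validated."`. In the same record, `cluster_nodes.ip` reuses the text "A string representing a host name, such as example.com.", which does not match the field name and should be corrected upstream.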
--- a/schemas/request-size-limiting/3.10.x.json +++ b/schemas/request-size-limiting/3.10.x.json @@ -1,19 +1,10 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -22,33 +13,40 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "allowed_payload_size": { - "default": 128, "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", + "default": 128, "type": "integer" } }, { "size_unit": { - "required": true, + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", "type": "string", + "required": true, "default": "megabytes", - "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", "one_of": [ "megabytes", "kilobytes", 
@@ -60,14 +58,16 @@ "require_content_length": { "default": false, "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-termination/3.10.x.json b/schemas/request-termination/3.10.x.json index a95ead36..3f73ff4a 100644 --- a/schemas/request-termination/3.10.x.json +++ b/schemas/request-termination/3.10.x.json @@ -1,19 +1,10 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -22,48 +13,55 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "type": "record", "fields": [ { "status_code": { + "description": "The response code to send. Must be an integer between 100 and 599.", + "type": "integer", + "required": true, + "default": 503, "between": [ 100, 599 - ], - "required": true, - "type": "integer", - "default": 503, - "description": "The response code to send. Must be an integer between 100 and 599." + ] } }, { "message": { - "description": "The message to send, if using the default response generator.", - "type": "string" + "type": "string", + "description": "The message to send, if using the default response generator." } }, { "content_type": { - "description": "Content type of the raw response configured with `config.body`.", - "type": "string" + "type": "string", + "description": "Content type of the raw response configured with `config.body`." } }, { "body": { - "description": "The raw response body to send. This is mutually exclusive with the `config.message` field.", - "type": "string" + "type": "string", + "description": "The raw response body to send. This is mutually exclusive with the `config.message` field." } }, { "echo": { - "default": false, + "type": "boolean", "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { @@ -73,9 +71,11 @@ } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-transformer-advanced/3.10.x.json b/schemas/request-transformer-advanced/3.10.x.json index 90f58ca4..822027a4 100644 --- a/schemas/request-transformer-advanced/3.10.x.json 
+++ b/schemas/request-transformer-advanced/3.10.x.json @@ -1,19 +1,10 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -22,148 +13,153 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "type": "record", "fields": [ { "http_method": { "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", - "match": "^%u+$", - "type": "string" + "type": "string", + "match": "^%u+$" } }, { "remove": { + "type": "record", "fields": [ { "body": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "headers": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "querystring": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } } ], - "required": true, - "type": "record" + "required": true } }, { "rename": { + "type": "record", "fields": [ { "body": { - "default": [ - - ], "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "headers": { - "default": [ - - ], "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "querystring": { - "default": [ - - ], "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "type": "array" + "type": "array", + "default": [ + + ] } } ], - "required": true, - "type": "record" + "required": true } }, { "replace": { + "type": "record", "fields": [ { "body": { - "default": [ - - ], "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "headers": { - "default": [ - - ], "elements": { - "referenceable": true, - "type": "string" + "type": 
"string", + "referenceable": true }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "querystring": { - "default": [ - - ], "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "json_types": { - "default": [ - - ], "elements": { "type": "string", "one_of": [ @@ -172,7 +168,10 @@ "string" ] }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { @@ -181,54 +180,51 @@ } } ], - "required": true, - "type": "record" + "required": true } }, { "add": { + "type": "record", "fields": [ { "body": { - "default": [ - - ], "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "headers": { - "default": [ - - ], "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "querystring": { - "default": [ - - ], "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "json_types": { - "default": [ - - ], "elements": { "type": "string", "one_of": [ 
@@ -237,58 +233,58 @@ "string" ] }, - "type": "array" + "type": "array", + "default": [ + + ] } } ], - "required": true, - "type": "record" + "required": true } }, { "append": { + "type": "record", "fields": [ { "body": { - "default": [ - - ], "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "headers": { - "default": [ - - ], "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "querystring": { - "default": [ - - ], "elements": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "json_types": { - "default": [ - - ], "elements": { "type": "string", "one_of": [ @@ -297,41 +293,45 @@ "string" ] }, - "type": "array" + "type": "array", + "default": [ + + ] } } ], - "required": true, - "type": "record" + "required": true } }, { "allow": { + "type": "record", "fields": [ { "body": { + "type": "set", "elements": { "type": "string" - }, - "type": "set" + } } } ], - "required": true, - "type": "record" + "required": true } }, { "dots_in_keys": { - "default": true, "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects).", + "default": true, "type": "boolean" } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-transformer/3.10.x.json b/schemas/request-transformer/3.10.x.json index ee8d790f..4cf18fa7 100644 --- a/schemas/request-transformer/3.10.x.json +++ b/schemas/request-transformer/3.10.x.json 
@@ -1,21 +1,13 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing protocols.", + "type": "set", + "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -27,148 +19,155 @@ "udp", "ws", "wss" - ], - "type": "string" - } + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "type": "record", "fields": [ { "http_method": { "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", - "match": "^%u+$", - "type": "string" + "type": "string", + "match": "^%u+$" } }, { "remove": { + "type": "record", "fields": [ { "body": { - "default": [ - - ], + "type": "array", "elements": { "type": "string" }, - "required": true, - "type": "array" + "default": [ + + ], + "required": true } }, { "headers": { - "default": [ - - ], + "type": "array", "elements": { "type": "string" }, - "required": true, - "type": "array" + "default": [ + + ], + "required": true } }, { "querystring": { - "default": [ - - ], + "type": "array", "elements": { "type": "string" }, - "required": true, - "type": "array" + "default": [ + + ], + "required": true } } ], - "required": true, - "type": "record" + "required": true } }, { "rename": { + "type": "record", "fields": [ { "body": { - "default": [ - - ], + "type": "array", "elements": { "type": "string" }, - "required": true, - "type": "array" + "default": [ + + ], + "required": true } }, { "headers": { - "default": [ - - ], + "type": "array", "elements": { "type": "string", "match": "^[^:]+:.*$" }, - "required": true, - "type": "array" + "default": [ + + ], + "required": true } }, { "querystring": { - "default": [ - - ], + "type": "array", "elements": { "type": "string" }, - "required": true, - "type": "array" + "default": [ + + ], + "required": true } } ], - "required": true, - "type": "record" + "required": true } }, { "replace": { + "type": "record", "fields": [ { "body": { - "default": [ - - ], + "type": "array", "elements": { "type": "string" }, - "required": true, - "type": "array" + "default": [ + + ], + "required": true } }, { "headers": { - "default": [ - - ], + "type": "array", 
"elements": { "type": "string", "match": "^[^:]+:.*$" }, - "required": true, - "type": "array" + "default": [ + + ], + "required": true } }, { "querystring": { - "default": [ - - ], + "type": "array", "elements": { "type": "string" }, - "required": true, - "type": "array" + "default": [ + + ], + "required": true } }, { @@ -177,104 +176,105 @@ } } ], - "required": true, - "type": "record" + "required": true } }, { "add": { + "type": "record", "fields": [ { "body": { - "default": [ - - ], + "type": "array", "elements": { "type": "string" }, - "required": true, - "type": "array" + "default": [ + + ], + "required": true } }, { "headers": { - "default": [ - - ], + "type": "array", "elements": { "type": "string", "match": "^[^:]+:.*$" }, - "required": true, - "type": "array" + "default": [ + + ], + "required": true } }, { "querystring": { - "default": [ - - ], + "type": "array", "elements": { "type": "string" }, - "required": true, - "type": "array" + "default": [ + + ], + "required": true } } ], - "required": true, - "type": "record" + "required": true } }, { "append": { + "type": "record", "fields": [ { "body": { - "default": [ - - ], + "type": "array", "elements": { "type": "string" }, - "required": true, - "type": "array" + "default": [ + + ], + "required": true } }, { "headers": { - "default": [ - - ], + "type": "array", "elements": { "type": "string", "match": "^[^:]+:.*$" }, - "required": true, - "type": "array" + "default": [ + + ], + "required": true } }, { "querystring": { - "default": [ - - ], + "type": "array", "elements": { "type": "string" }, - "required": true, - "type": "array" + "default": [ + + ], + "required": true } } ], - "required": true, - "type": "record" + "required": true } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-validator/3.10.x.json b/schemas/request-validator/3.10.x.json index b8b9d41d..616a4d4a 100644 
--- a/schemas/request-validator/3.10.x.json +++ b/schemas/request-validator/3.10.x.json @@ -1,25 +1,10 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -28,15 +13,21 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { @@ -49,12 +40,13 @@ ] } ], + "type": "record", "fields": [ { "body_schema": { "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { 
@@ -63,19 +55,19 @@ "application/json" ], "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", + "type": "set", "elements": { - "required": true, - "type": "string" - }, - "type": "set" + "type": "string", + "required": true + } } }, { "version": { - "required": true, + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", "type": "string", + "required": true, "default": "kong", - "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", "one_of": [ "kong", "draft4" @@ -85,29 +77,13 @@ { "parameter_schema": { "elements": { - "entity_checks": [ - { - "mutually_required": [ - "style", - "explode", - "schema" - ] - }, - { - "custom_entity_check": { - "field_sources": [ - "style", - "in" - ] - } - } - ], + "type": "record", "fields": [ { "in": { - "type": "string", - "description": "The location of the parameter.", "required": true, + "description": "The location of the parameter.", + "type": "string", "one_of": [ "query", "header", @@ -118,15 +94,15 @@ { "name": { "description": "The name of the parameter. Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "required": { "description": "Determines whether this parameter is mandatory.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { 
@@ -157,32 +133,56 @@ } } ], - "type": "record" + "entity_checks": [ + { + "mutually_required": [ + "style", + "explode", + "schema" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "style", + "in" + ] + } + } + ] }, "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", - "required": false, - "type": "array" + "type": "array", + "required": false } }, { "verbose_response": { "default": false, "description": "If enabled, the plugin returns more verbose and detailed validation errors.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "content_type_parameter_validation": { "default": true, "description": "Determines whether to enable parameters validation of request content-type.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } } ], - "required": true, - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/response-ratelimiting/3.10.x.json b/schemas/response-ratelimiting/3.10.x.json index b6e0eba1..0b7430b9 100644 --- a/schemas/response-ratelimiting/3.10.x.json +++ b/schemas/response-ratelimiting/3.10.x.json 
@@ -1,54 +1,15 @@ { - "entity_checks": [ - { - "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.host", - "if_field": "config.policy", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.port", - "if_field": "config.policy", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.timeout", - "if_field": "config.policy", - "then_match": { - "required": true - } - } - } - ], + "supported_partials": { + "redis-ce": [ + "config.redis" + ] + }, "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -57,32 +18,195 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "shorthand_fields": [ + { + "redis_host": { + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "response-ratelimiting: config.redis_host is deprecated, please use config.redis.host instead", + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } + ] + } + } + }, + { + "redis_port": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "response-ratelimiting: config.redis_port is deprecated, please use config.redis.port instead", + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ] + } + } + }, + { + "redis_password": { + "len_min": 0, + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "response-ratelimiting: config.redis_password is deprecated, please use config.redis.password instead", + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ] + } + } + }, + { + "redis_username": { + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "response-ratelimiting: config.redis_username is deprecated, please use config.redis.username instead", + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ] + } + } + }, + { + "redis_ssl": { + "type": "boolean", + "deprecation": { + "removal_in_version": "4.0", + "message": "response-ratelimiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ] + } + } + }, + { + "redis_ssl_verify": { + "type": "boolean", + "deprecation": { 
+ "removal_in_version": "4.0", + "message": "response-ratelimiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ] + } + } + }, + { + "redis_server_name": { + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "message": "response-ratelimiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ] + } + } + }, + { + "redis_timeout": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "response-ratelimiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", + "replaced_with": [ + { + "path": [ + "redis", + "timeout" + ] + } + ] + } + } + }, + { + "redis_database": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "response-ratelimiting: config.redis_database is deprecated, please use config.redis.database instead", + "replaced_with": [ + { + "path": [ + "redis", + "database" + ] + } + ] + } + } + } + ], + "type": "record", "fields": [ { "header_name": { - "default": "x-kong-limit", "description": "The name of the response header used to increment the counters.", - "type": "string" + "type": "string", + "default": "x-kong-limit" } }, { "limit_by": { - "default": "consumer", - "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", "type": "string", + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", + "default": "consumer", "one_of": [ "consumer", "credential", 
@@ -92,9 +216,9 @@ }, { "policy": { - "default": "local", - "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", "type": "string", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "default": "local", "one_of": [ "local", "cluster", @@ -104,17 +228,16 @@ }, { "fault_tolerant": { - "default": true, + "type": "boolean", "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", - "required": true, - "type": "boolean" + "default": true, + "required": true } }, { "redis": { "type": "record", "description": "Redis configuration", - "required": true, "fields": [ { "host": { 
@@ -124,315 +247,197 @@ }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } }, { "timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { - "encrypted": true, - "referenceable": true, - "type": "string", "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "len_min": 0 + "type": "string", + "encrypted": true, + "len_min": 0, + "referenceable": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "type": "integer", + "default": 0 } }, { "ssl": { - "default": false, + "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "ssl_verify": { - "default": false, + "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "server_name": { "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false, - "type": "string" + "type": "string", + "required": false } } - ] + ], + "required": true } }, { "block_on_first_violation": { - "default": false, + "type": "boolean", "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "hide_client_headers": { - "default": false, + "type": "boolean", "description": "Optionally hide informative response headers.", - "required": true, - "type": "boolean" + "default": false, + "required": true } }, { "limits": { + "description": "A map that defines rate limits for the plugin.", + "type": "map", + "required": true, "values": { - "entity_checks": [ - { - "at_least_one_of": [ - "second", - "minute", - "hour", - "day", - "month", - "year" - ] - } - ], - "type": "record", - "required": true, "fields": [ { "second": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { "minute": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { "hour": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { "day": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { "month": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { "year": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } } - ] - }, - "required": true, - "type": "map", - "description": "A map that defines rate limits for the plugin.", - "keys": { - "type": "string" - }, - "len_min": 1 - } - } - ], - "shorthand_fields": [ - { - "redis_host": { - "deprecation": { - "message": "response-ratelimiting: 
config.redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "host" - ] - } - ] - }, - "type": "string" - } - }, - { - "redis_port": { - "deprecation": { - "message": "response-ratelimiting: config.redis_port is deprecated, please use config.redis.port instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "port" - ] - } - ] - }, - "type": "integer" - } - }, - { - "redis_password": { - "len_min": 0, - "deprecation": { - "message": "response-ratelimiting: config.redis_password is deprecated, please use config.redis.password instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "password" - ] - } - ] - }, - "type": "string" - } - }, - { - "redis_username": { - "deprecation": { - "message": "response-ratelimiting: config.redis_username is deprecated, please use config.redis.username instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "username" - ] - } - ] - }, - "type": "string" - } - }, - { - "redis_ssl": { - "deprecation": { - "message": "response-ratelimiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "ssl" - ] - } - ] - }, - "type": "boolean" - } - }, - { - "redis_ssl_verify": { - "deprecation": { - "message": "response-ratelimiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "ssl_verify" - ] - } - ] - }, - "type": "boolean" - } - }, - { - "redis_server_name": { - "deprecation": { - "message": "response-ratelimiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "server_name" - ] - } - ] - }, - "type": "string" - } - 
}, - { - "redis_timeout": { - "deprecation": { - "message": "response-ratelimiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "redis_database": { - "deprecation": { - "message": "response-ratelimiting: config.redis_database is deprecated, please use config.redis.database instead", - "removal_in_version": "4.0", - "replaced_with": [ + ], + "entity_checks": [ { - "path": [ - "redis", - "database" + "at_least_one_of": [ + "second", + "minute", + "hour", + "day", + "month", + "year" ] } - ] + ], + "type": "record", + "required": true }, - "type": "integer" + "len_min": 1, + "keys": { + "type": "string" + } } } ], - "required": true, - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.host", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.port", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.timeout", + "if_field": "config.policy", + "then_match": { + "required": true + } } } ] diff --git a/schemas/response-transformer-advanced/3.10.x.json b/schemas/response-transformer-advanced/3.10.x.json index acf4ee71..619e9224 100644 --- a/schemas/response-transformer-advanced/3.10.x.json +++ b/schemas/response-transformer-advanced/3.10.x.json 
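Review bot: In the `config.redis` record, `ssl` and `ssl_verify` both still carry `"default": false`, and the `ssl_verify` description only explains what `true` does. Nothing in the schema tells an operator that, with `policy` set to `redis`, the defaults leave the connection (including the `password` value) without transport protection or server authentication. I would extend the `ssl_verify` description with a sentence such as `When false (the default), the server certificate is not checked, so TLS does not protect against an impersonated Redis server.` and add a matching hint to `ssl`. The `redis` record opens in the previous hunk, and because the commit description says these files are pulled from the API, the wording change probably has to be made upstream and re-pulled.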
@@ -1,19 +1,10 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -22,109 +13,114 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "type": "record", "fields": [ { "remove": { + "type": "record", "fields": [ { "json": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "headers": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "if_status": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } } ], - "required": true, - "type": "record" + "required": true } }, { "rename": { + "type": "record", "fields": [ { "headers": { - "default": [ - - ], "elements": { "type": "string", "match": "^[^:]+:.*$" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "if_status": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } } ], - "required": true, - "type": "record" + "required": true } }, { "replace": { + "type": "record", "fields": [ { "body": { - "description": "String with which to replace the entire response body.", - "type": "string" + "type": "string", + "description": "String with which to replace the entire response body." } }, { "json": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "json_types": { - "default": [ - - ], "elements": { "type": "string", "one_of": [ 
@@ -133,55 +129,55 @@ "string" ] }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "headers": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "if_status": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } } ], - "required": true, - "type": "record" + "required": true } }, { "add": { + "type": "record", "fields": [ { "json": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "json_types": { - "default": [ - - ], "elements": { "type": "string", "one_of": [ @@ -190,55 +186,55 @@ "string" ] }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "headers": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "if_status": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } } ], - "required": true, - "type": "record" + "required": true } }, { "append": { + "type": "record", "fields": [ { "json": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "json_types": { - "default": [ - - ], "elements": { "type": "string", "one_of": [ 
@@ -247,104 +243,108 @@ "string" ] }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "headers": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "if_status": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } } ], - "required": true, - "type": "record" + "required": true } }, { "allow": { + "type": "record", "fields": [ { "json": { + "type": "set", "elements": { "type": "string" - }, - "type": "set" + } } } ], - "required": true, - "type": "record" + "required": true } }, { "transform": { + "type": "record", "fields": [ { "functions": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "if_status": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } }, { "json": { - "default": [ - - ], "elements": { "type": "string" }, - "type": "array" + "type": "array", + "default": [ + + ] } } ], - "required": true, - "type": "record" + "required": true } }, { "dots_in_keys": { - "default": true, "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", + "default": true, "type": "boolean" } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/response-transformer/3.10.x.json b/schemas/response-transformer/3.10.x.json index eb4a6258..ccf1f248 100644 --- a/schemas/response-transformer/3.10.x.json +++ b/schemas/response-transformer/3.10.x.json 
@@ -1,19 +1,10 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -22,102 +13,107 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "type": "record", "fields": [ { "remove": { + "type": "record", "fields": [ { "json": { - "default": [ - - ], + "type": "array", "elements": { "type": "string" }, - "required": true, - "type": "array" + "default": [ + + ], + "required": true } }, { "headers": { - "default": [ - - ], + "type": "array", "elements": { "type": "string" }, - "required": true, - "type": "array" + "default": [ + + ], + "required": true } } ], - "required": true, - "type": "record" + "required": true } }, { "rename": { + "type": "record", "fields": [ { "json": { + "type": "array", + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, "default": [ ], - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, - "required": true, - "type": "array" + "required": true } }, { "headers": { - "default": [ - - ], + "type": "array", "elements": { "type": "string", "match": "^[^:]+:.*$" }, - "required": true, - "type": "array" + "default": [ + + ], + "required": true } } ], - "required": true, - "type": "record" + "required": true } }, { "replace": { + "type": "record", "fields": [ { "json": { + "type": "array", + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, "default": [ ], - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, - "required": true, - "type": "array" + "required": true } }, { "json_types": { - "required": true, - "type": "array", - "default": [ - - ], "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "type": "array", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -125,51 +121,51 @@ "number", "string" ] - } + }, + "default": [ + + ] } }, { "headers": { + "type": "array", + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, "default": [ ], - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, - "required": true, - "type": "array" + "required": true } } ], - "required": true, - "type": "record" + "required": true } }, { "add": { + "type": "record", "fields": [ { "json": { + "type": "array", + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, "default": [ ], - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, - "required": true, - "type": "array" + "required": true } }, { "json_types": { - "required": true, - "type": "array", - "default": [ - - ], "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "type": "array", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -177,51 +173,51 @@ "number", "string" ] - } + }, + "default": [ + + ] } }, { "headers": { + "type": "array", + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, "default": [ ], - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, - "required": true, - "type": "array" + "required": true } } ], - "required": true, - "type": "record" + "required": true } }, { "append": { + "type": "record", "fields": [ { "json": { + "type": "array", + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, "default": [ ], - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, - "required": true, - "type": "array" + "required": true } }, { "json_types": { - "required": true, - "type": "array", - "default": [ - - ], "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "type": "array", + "required": true, "elements": { "type": "string", "one_of": [ @@ -229,31 +225,35 @@ "number", "string" ] - } + }, + "default": [ + + ] } }, { "headers": { + "type": "array", + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, "default": [ ], - "elements": { - "match": "^[^:]+:.*$", - "type": "string" - }, - "required": true, - "type": "array" + "required": true } } ], - "required": true, - "type": "record" + "required": true } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/route-by-header/3.10.x.json b/schemas/route-by-header/3.10.x.json index fb2008cd..89baa133 100644 --- a/schemas/route-by-header/3.10.x.json +++ b/schemas/route-by-header/3.10.x.json 
@@ -1,19 +1,10 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -22,19 +13,26 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "rules": { @@ -42,37 +40,39 @@ ], "description": "Route by header rules.", + "type": "array", "elements": { "type": "record", "fields": [ { "upstream_name": { - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "condition": { + "len_min": 1, + "type": "map", + "required": true, "values": { "type": "string" }, - "required": true, - "type": "map", "keys": { "type": "string" - }, - "len_min": 1 + } } } ] - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/route-transformer-advanced/3.10.x.json b/schemas/route-transformer-advanced/3.10.x.json index a640c0ff..0a4c440b 100644 --- a/schemas/route-transformer-advanced/3.10.x.json +++ b/schemas/route-transformer-advanced/3.10.x.json @@ -1,19 +1,10 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -22,15 +13,21 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { @@ -44,6 +41,7 @@ ] } ], + "type": "record", "fields": [ { "path": { @@ -62,14 +60,16 @@ }, { "escape_path": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/saml/3.10.x.json b/schemas/saml/3.10.x.json index b9a8bf2e..df58bf13 100644 --- a/schemas/saml/3.10.x.json +++ b/schemas/saml/3.10.x.json @@ -1,33 +1,23 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], + "supported_partials": { + "redis-ee": [ + "config.redis" + ] + }, "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -36,143 +26,149 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { - "type": "record", "shorthand_fields": [ { "session_cookie_lifetime": { + "type": "number", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead" - }, - "type": "number" + } } }, { "session_cookie_idletime": { + "type": "number", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead" - }, - "type": "number" + } } }, { "session_cookie_samesite": { + "type": "string", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead" - }, - "type": "string" + } } }, { "session_cookie_httponly": { + "type": "boolean", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead" - }, - "type": "boolean" + } } }, { "session_memcache_prefix": { + "type": "string", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead" - }, - "type": "string" + } } }, { "session_memcache_socket": { + "type": "string", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead" - }, - 
"type": "string" + } } }, { "session_memcache_host": { + "type": "string", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead" - }, - "type": "string" + } } }, { "session_memcache_port": { + "type": "integer", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead" - }, - "type": "integer" + } } }, { "session_cookie_renew": { + "type": "number", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_cookie_renew option does not exist anymore" - }, - "type": "number" + } } }, { "session_cookie_maxsize": { + "type": "integer", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore" - }, - "type": "integer" + } } }, { "session_strategy": { + "type": "string", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_strategy option does not exist anymore" - }, - "type": "string" + } } }, { "session_compressor": { + "type": "string", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_compressor option does not exist anymore" - }, - "type": "string" + } } }, { "session_auth_ttl": { + "type": "number", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_auth_ttl option does not exist anymore" - }, - "type": "number" + } } }, { "session_redis_prefix": { + "type": "string", "deprecation": { - "message": "saml: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", "removal_in_version": "4.0", + "message": "saml: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", "replaced_with": [ { "path": [ 
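Review bot: The `shorthand_fields` entries from `session_cookie_lifetime` through `session_auth_ttl` in `schemas/saml/3.10.x.json` carry deprecation messages prefixed `openid-connect:`, while the Redis entries later in the same list use `saml:`. If these strings are surfaced in logs or API responses (not visible from this hunk), an operator filtering on the plugin name would miss them or go looking at the wrong plugin's configuration. Each message should carry the file's own prefix, for example `"message": "saml: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead"`. The enclosing `config` object opens before this hunk and continues past it.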
@@ -181,15 +177,15 @@ ] } ] - }, - "type": "string" + } } }, { "session_redis_socket": { + "type": "string", "deprecation": { - "message": "saml: config.session_redis_socket is deprecated, please use config.redis.socket instead", "removal_in_version": "4.0", + "message": "saml: config.session_redis_socket is deprecated, please use config.redis.socket instead", "replaced_with": [ { "path": [ @@ -198,15 +194,15 @@ ] } ] - }, - "type": "string" + } } }, { "session_redis_host": { + "type": "string", "deprecation": { - "message": "saml: config.session_redis_host is deprecated, please use config.redis.host instead", "removal_in_version": "4.0", + "message": "saml: config.session_redis_host is deprecated, please use config.redis.host instead", "replaced_with": [ { "path": [ @@ -215,15 +211,15 @@ ] } ] - }, - "type": "string" + } } }, { "session_redis_port": { + "type": "integer", "deprecation": { - "message": "saml: config.session_redis_port is deprecated, please use config.redis.port instead", "removal_in_version": "4.0", + "message": "saml: config.session_redis_port is deprecated, please use config.redis.port instead", "replaced_with": [ { "path": [ @@ -232,15 +228,15 @@ ] } ] - }, - "type": "integer" + } } }, { "session_redis_username": { + "type": "string", "deprecation": { - "message": "saml: config.redis_host is deprecated, please use config.redis.host instead", "removal_in_version": "4.0", + "message": "saml: config.redis_host is deprecated, please use config.redis.host instead", "replaced_with": [ { "path": [ @@ -249,15 +245,15 @@ ] } ] - }, - "type": "string" + } } }, { "session_redis_password": { + "type": "string", "deprecation": { - "message": "saml: config.session_redis_password is deprecated, please use config.redis.password instead", "removal_in_version": "4.0", + "message": "saml: config.session_redis_password is deprecated, please use config.redis.password instead", "replaced_with": [ { "path": [ 
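Review bot: The deprecation message under `session_redis_username` (hunk `@@ -232,15 +228,15 @@`) names the wrong field: it reads `saml: config.redis_host is deprecated, please use config.redis.host instead`, whereas every neighbouring entry names its own key. Someone migrating from that hint is pointed at the host setting instead of the Redis username, and the `username` description in this schema says ACL authentication is not performed when it is undefined. The text should read `"message": "saml: config.session_redis_username is deprecated, please use config.redis.username instead"`; the `replaced_with` path falls outside the hunk, so confirm it targets `redis.username` as well. The file appears to be pulled from an upstream schema, so the correction probably belongs there too.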
@@ -266,15 +262,15 @@ ] } ] - }, - "type": "string" + } } }, { "session_redis_connect_timeout": { + "type": "integer", "deprecation": { - "message": "saml: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", "removal_in_version": "4.0", + "message": "saml: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", "replaced_with": [ { "path": [ @@ -283,15 +279,15 @@ ] } ] - }, - "type": "integer" + } } }, { "session_redis_read_timeout": { + "type": "integer", "deprecation": { - "message": "saml: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", "removal_in_version": "4.0", + "message": "saml: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", "replaced_with": [ { "path": [ @@ -300,15 +296,15 @@ ] } ] - }, - "type": "integer" + } } }, { "session_redis_send_timeout": { + "type": "integer", "deprecation": { - "message": "saml: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", "removal_in_version": "4.0", + "message": "saml: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", "replaced_with": [ { "path": [ @@ -317,15 +313,15 @@ ] } ] - }, - "type": "integer" + } } }, { "session_redis_ssl": { + "type": "boolean", "deprecation": { - "message": "saml: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", "removal_in_version": "4.0", + "message": "saml: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", "replaced_with": [ { "path": [ 
@@ -334,15 +330,15 @@ ] } ] - }, - "type": "boolean" + } } }, { "session_redis_ssl_verify": { + "type": "boolean", "deprecation": { - "message": "saml: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", "removal_in_version": "4.0", + "message": "saml: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", "replaced_with": [ { "path": [ @@ -351,15 +347,15 @@ ] } ] - }, - "type": "boolean" + } } }, { "session_redis_server_name": { + "type": "string", "deprecation": { - "message": "saml: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", "removal_in_version": "4.0", + "message": "saml: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", "replaced_with": [ { "path": [ @@ -368,8 +364,7 @@ ] } ] - }, - "type": "string" + } } }, { @@ -381,27 +376,27 @@ "ip": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } } ] }, "type": "array", "deprecation": { - "message": "saml: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", "removal_in_version": "4.0", + "message": "saml: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", "replaced_with": [ { "path": [ 
@@ -415,9 +410,10 @@ }, { "session_redis_cluster_max_redirections": { + "type": "integer", "deprecation": { - "message": "saml: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", "removal_in_version": "4.0", + "message": "saml: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", "replaced_with": [ { "path": [ @@ -426,15 +422,15 @@ ] } ] - }, - "type": "integer" + } } }, { "session_redis_cluster_maxredirections": { + "type": "integer", "deprecation": { - "message": "saml: config.session_redis_cluster_maxredirections is deprecated, please use config.redis.cluster_max_redirections instead", "removal_in_version": "4.0", + "message": "saml: config.session_redis_cluster_maxredirections is deprecated, please use config.redis.cluster_max_redirections instead", "replaced_with": [ { "path": [ 
@@ -443,76 +439,75 @@ ] } ] - }, - "type": "integer" + } } } ], - "required": true, + "type": "record", "fields": [ { "assertion_consumer_path": { - "required": true, - "type": "string", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { - "err": "must not have empty segments", - "pattern": "//" + "pattern": "//", + "err": "must not have empty segments" } ], + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string", + "required": true, "starts_with": "/" } }, { "idp_sso_url": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "idp_certificate": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", - "required": false + "referenceable": true } }, { "response_encryption_key": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The private encryption key required to decrypt encrypted assertions.", - "required": false + "referenceable": true } }, { "request_signing_key": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. 
The `request_signing_certificate` parameter must be set as well.", - "required": false + "referenceable": true } }, { "request_signing_certificate": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The certificate for signing requests.", - "required": false + "referenceable": true } }, { "request_signature_algorithm": { - "required": false, + "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`", "type": "string", + "required": false, "default": "SHA256", - "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`", "one_of": [ "SHA256", "SHA384", @@ -522,10 +517,10 @@ }, { "request_digest_algorithm": { - "required": false, + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", "type": "string", + "required": false, "default": "SHA256", - "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", "one_of": [ "SHA256", "SHA1" @@ -534,10 +529,10 @@ }, { "response_signature_algorithm": { - "required": false, + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", "type": "string", + "required": false, "default": "SHA256", - "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", "one_of": [ "SHA256", "SHA384", @@ -547,10 +542,10 @@ }, { "response_digest_algorithm": { - "required": false, + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", "type": "string", + "required": false, "default": "SHA256", - "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", "one_of": [ "SHA256", "SHA1" 
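Review bot: `request_digest_algorithm` and `response_digest_algorithm` (hunks `@@ -522,10 +517,10 @@` and `@@ -547,10 +542,10 @@`) list `SHA1` as an accepted value and the descriptions give no guidance on choosing between the two options. SHA-1 is no longer considered collision-resistant, and the digest is what ties the signature to the signed content, so a reader picking from the documented values should be steered to the default. I would extend both descriptions with a sentence such as `Prefer SHA256; use SHA1 only when the IdP cannot produce a stronger digest.` The `one_of` arrays close outside these hunks.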
@@ -560,16 +555,16 @@ { "issuer": { "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "nameid_format": { - "required": false, + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", "type": "string", + "required": false, "default": "EmailAddress", - "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", "one_of": [ "Unspecified", "EmailAddress", 
@@ -580,131 +575,131 @@ }, { "validate_assertion_signature": { - "default": true, + "type": "boolean", "description": "Enable signature validation for SAML responses.", - "required": false, - "type": "boolean" + "default": true, + "required": false } }, { "anonymous": { "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_secret": { - "len_max": 32, "match": "^[0-9a-zA-Z/_+]+$", - "referenceable": true, - "type": "string", - "required": true, "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "len_max": 32, + "required": true, "encrypted": true, - "len_min": 32 + "len_min": 32, + "type": "string", + "referenceable": true } }, { "session_audience": { - "default": "default", + "type": "string", "description": "The session audience, for example \"my-application\"", - "required": false, - "type": "string" + "default": "default", + "required": false } }, { "session_cookie_name": { - "default": "session", + "type": "string", "description": "The session cookie name.", - "required": false, - "type": "string" + "default": "session", + "required": false } }, { "session_remember": { - "default": false, + "type": "boolean", "description": "Enables or disables persistent sessions", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "session_remember_cookie_name": { - "default": "remember", + "type": "string", "description": "Persistent session cookie name", - "required": false, - "type": "string" + "default": "remember", + 
"required": false } }, { "session_remember_rolling_timeout": { - "default": 604800, + "type": "number", "description": "Persistent session rolling timeout in seconds.", - "required": false, - "type": "number" + "default": 604800, + "required": false } }, { "session_remember_absolute_timeout": { - "default": 2592000, + "type": "number", "description": "Persistent session absolute timeout in seconds.", - "required": false, - "type": "number" + "default": 2592000, + "required": false } }, { "session_idling_timeout": { - "default": 900, + "type": "number", "description": "The session cookie idle time in seconds.", - "required": false, - "type": "number" + "default": 900, + "required": false } }, { "session_rolling_timeout": { - "default": 3600, + "type": "number", "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", - "required": false, - "type": "number" + "default": 3600, + "required": false } }, { "session_absolute_timeout": { - "default": 86400, + "type": "number", "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", - "required": false, - "type": "number" + "default": 86400, + "required": false } }, { "session_cookie_path": { - "required": false, - "type": "string", - "default": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { - "err": "must not have empty segments", - "pattern": "//" + "pattern": "//", + "err": "must not have empty segments" } ], + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string", + "required": false, + "default": "/", "starts_with": "/" } }, { "session_cookie_domain": { "description": "The session cookie domain flag.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_cookie_same_site": { - "required": false, + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "type": "string", + "required": false, "default": "Lax", - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "one_of": [ "Strict", "Lax", @@ -715,21 +710,22 @@ }, { "session_cookie_http_only": { - "default": true, + "type": "boolean", "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "required": false, - "type": "boolean" + "default": true, + "required": false } }, { "session_cookie_secure": { "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "session_request_headers": { + "type": "set", "elements": { "type": "string", "one_of": [ @@ -741,12 +737,12 @@ "rolling-timeout", "absolute-timeout" ] - }, - "type": "set" + } } }, { "session_response_headers": { + "type": "set", "elements": { "type": "string", "one_of": [ 
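Review bot: `session_rolling_timeout` (hunk `@@ -580,131 +575,131 @@`) has the same description as `session_absolute_timeout`: both read `The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.` With defaults of 3600 and 86400 they are clearly different limits, and an operator tuning session lifetime cannot tell from this text which one forces renewal and which one ends the session. The rolling entry needs its own wording, something like `"description": "The session cookie rolling timeout in seconds. Specifies how long the session can be used before it must be renewed."`; confirm the exact semantics against the plugin before adopting it.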
@@ -758,16 +754,15 @@ "rolling-timeout", "absolute-timeout" ] - }, - "type": "set" + } } }, { "session_storage": { - "required": false, + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", "type": "string", + "required": false, "default": "cookie", - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", "one_of": [ "cookie", "memcache", 
@@ -778,208 +773,77 @@ }, { "session_store_metadata": { - "default": false, + "type": "boolean", "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "session_enforce_same_subject": { - "default": false, + "type": "boolean", "description": "When set to `true`, audiences are forced to share the same subject.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "session_hash_subject": { - "default": false, + "type": "boolean", "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "session_hash_storage_key": { - "default": false, + "type": "boolean", "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "session_memcached_prefix": { "description": "The memcached session key prefix.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_memcached_socket": { "description": "The memcached unix socket path.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "session_memcached_host": { - "default": "127.0.0.1", + "type": "string", "description": "The memcached host.", - "required": false, - "type": "string" + "default": "127.0.0.1", + "required": false } }, { "session_memcached_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "required": false, + "default": 11211, "between": [ 0, 65535 - ], - "required": false, - "type": "integer", - "default": 11211, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ ] } }, { "redis": { - "required": true, - "type": "record", - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "shorthand_fields": [ - { - "timeout": { - "type": "integer", - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - } - } - }, - { - "sentinel_addresses": { - "elements": { - "type": "string" - }, - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "len_min": 1, - "type": "array" - } - }, - { - "cluster_addresses": { - "elements": { - "type": "string" - }, - "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "len_min": 1, - "type": "array" - } - } - ], "fields": [ { "host": { - 
"default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, 
@@ -987,182 +851,182 @@ "port": { "default": 6379, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer" + ] } }, { "connect_timeout": { "default": 2000, "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer" + ] } }, { "send_timeout": { "default": 2000, "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer" + ] } }, { "read_timeout": { "default": 2000, "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer" + ] } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { - "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { - "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, { "keepalive_pool_size": { - "default": 256, + "type": "integer", "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, "between": [ 1, 2147483646 - ], - "type": "integer" + ] } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + ] } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { "sentinel_role": { "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string" + ] } }, { "sentinel_nodes": { - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { + "type": "record", "fields": [ { "host": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { "default": 6379, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer" + ] } } - ], - "type": "record" + ] }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { + "type": "record", "fields": [ { "ip": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { "default": 6379, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer" + ] } } - ], - "type": "record" + ] }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, 
@@ -1170,58 +1034,199 @@ "ssl": { "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "ssl_verify": { "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "server_name": { "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "cluster_max_redirections": { "default": 5, "description": "Maximum retry attempts for redirection.", - "required": false, - "type": "integer" + "type": "integer", + "required": false } }, { "connection_is_proxied": { "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", - "required": false, - "type": "boolean" + "type": "boolean", + "required": false } }, { "prefix": { "description": "The Redis session key prefix.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "socket": { "description": "The Redis unix socket path.", - "required": false, - "type": "string" + "type": "string", + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", + "required": true, + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": 
"sentinel_addresses is deprecated, please use sentinel_nodes instead" + } + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + } } } ] } } + ], + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" ] } } diff --git a/schemas/service-protection/3.10.x.json b/schemas/service-protection/3.10.x.json index c53e3deb..2fbd7347 100644 --- a/schemas/service-protection/3.10.x.json +++ b/schemas/service-protection/3.10.x.json 
@@ -1,49 +1,39 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], + "supported_partials": { + "redis-ee": [ + "config.redis" + ] + }, "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "route": { - "reference": "routes", - "eq": null, + "description": "A reference to the 'routes' table with a null value allowed.", "type": "foreign", - "description": "A reference to the 'routes' table with a null value allowed." + "eq": null, + "reference": "routes" } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -52,11 +42,18 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "type": "record", "fields": [ { "window_size": { 
@@ -64,15 +61,15 @@ "type": "number" }, "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", - "required": true, - "type": "array" + "type": "array", + "required": true } }, { "window_type": { - "default": "sliding", - "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", "type": "string", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "default": "sliding", "one_of": [ "fixed", "sliding" 
@@ -85,30 +82,30 @@ "type": "number" }, "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", - "required": true, - "type": "array" + "type": "array", + "required": true } }, { "sync_rate": { - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", - "type": "number" + "type": "number", + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." } }, { "namespace": { - "auto": true, + "type": "string", "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", - "required": true, - "type": "string" + "auto": true, + "required": true } }, { "strategy": { - "required": true, + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "type": "string", + "required": true, "default": "local", - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "one_of": [ "cluster", "redis", 
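Review bot: The `strategy` description names only `local` and `cluster` as available values, but the `one_of` list that opens at the end of this hunk already contains `redis`. The `dictionary_name` description in the following hunk also refers to `config.strategy` being `cluster` or `redis`. The description should name every accepted value, for example `"Available values are: local, cluster and redis."`; the `one_of` list continues outside this hunk, so the full set needs confirming. Since the file is downloaded from the API, the wording fix probably has to land in the plugin schema upstream.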
@@ -118,253 +115,124 @@ }, { "dictionary_name": { - "default": "kong_rate_limiting_counters", + "type": "string", "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", - "required": true, - "type": "string" + "default": "kong_rate_limiting_counters", + "required": true } }, { "lock_dictionary_name": { - "default": "kong_locks", + "type": "string", "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. The shared dictionary should be declared in nginx-kong.conf.", - "required": true, - "type": "string" + "default": "kong_locks", + "required": true } }, { "hide_client_headers": { - "default": false, "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "retry_after_jitter_max": { - "default": 0, "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. 
The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", - "type": "number" + "type": "number", + "default": 0 } }, { "redis": { - "required": true, "type": "record", - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array" - } - }, - { - "cluster_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes 
instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "type": "array" - } - } - ], + "required": true, "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } }, { "connect_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "send_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "read_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { - "encrypted": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { - "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, @@ -381,12 +249,12 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + ] } }, { 
@@ -408,8 +276,9 @@ }, { "sentinel_nodes": { - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { "type": "record", "fields": [ @@ -417,31 +286,31 @@ "host": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } } ] }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { "type": "record", "fields": [ 
@@ -449,64 +318,192 @@ "ip": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } } ] }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, { "ssl": { - "default": false, + "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "ssl_verify": { - "default": false, + "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "server_name": { "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "cluster_max_redirections": { - "default": 5, + "type": "integer", "description": "Maximum retry attempts for redirection.", - "required": false, - "type": "integer" + "default": 5, + "required": false } }, { "connection_is_proxied": { - "default": false, + "type": "boolean", "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", - "required": false, - "type": "boolean" + "default": false, + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + } + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "replaced_with": [ 
+ { + "path": [ + "cluster_nodes" + ] + } + ] + } } } ] @@ -514,9 +511,9 @@ }, { "disable_penalty": { - "default": false, "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", - "type": "boolean" + "type": "boolean", + "default": false } }, { @@ -529,14 +526,22 @@ }, { "error_message": { - "default": "API rate limit exceeded", "description": "Set a custom error message to return when the rate limit is exceeded.", - "type": "string" + "type": "string", + "default": "API rate limit exceeded" } } ], - "required": true, - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/session/3.10.x.json b/schemas/session/3.10.x.json index cf9a5e2d..9260b418 100644 --- a/schemas/session/3.10.x.json +++ b/schemas/session/3.10.x.json @@ -1,29 +1,21 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing protocols.", + "type": "set", + "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
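Review bot: In schemas/service-protection/3.10.x.json (hunk `@@ -449,64 +318,192 @@`), `config.redis.ssl_verify` is documented with `"default": false`, while the `ssl` description only says it uses SSL to connect to Redis. A reader who turns on `ssl` alone gets an encrypted connection whose server certificate is not validated, and the `password` field would presumably still be sent over it. I would extend the `ssl` description to `"If set to true, uses SSL to connect to Redis. The server certificate is validated only when ssl_verify is also true."`; as the schema is pulled from the API, that probably belongs upstream. The same pair of entries appears in the `@@ -1170,58 +1034,199 @@` hunk of the preceding file.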
@@ -35,37 +27,80 @@ "udp", "ws", "wss" - ], - "type": "string" - } + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "shorthand_fields": [ + { + "cookie_lifetime": { + "type": "number" + } + }, + { + "cookie_idletime": { + "type": "number" + } + }, + { + "cookie_renew": { + "type": "number" + } + }, + { + "cookie_discard": { + "type": "number" + } + }, + { + "cookie_samesite": { + "type": "string" + } + }, + { + "cookie_httponly": { + "type": "boolean" + } + }, + { + "cookie_persistent": { + "type": "boolean" + } + } + ], + "type": "record", "fields": [ { "secret": { - "encrypted": true, - "referenceable": true, - "type": "string", - "default": "lt9BJW1n5RfhCxTbNIKqsj8THW7YNdXTA0VW6KQwBUwg", "description": "The secret that is used in keyed HMAC generation.", - "required": false + "type": "string", + "required": false, + "encrypted": true, + "default": "e5LBiB0qbGGgh4BBf3E8HWBbKBFHsz007KeVri6SIUAp", + "referenceable": true } }, { "storage": { - "default": "cookie", - "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", "type": "string", + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", + "default": "cookie", "one_of": [ "cookie", "kong" 
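Review bot: The `default` committed for `config.secret` is a concrete key-like string, and it differs between the removed and the added line. That suggests the value is generated when the schema is loaded rather than being a fixed default. Publishing it makes the schema churn on every download and invites readers to copy it as a working HMAC secret. I would have the download step drop that key, so the entry reads `"secret": { "description": "...", "type": "string", "required": false, "encrypted": true, "referenceable": true }`, and have the description say a secret should be supplied explicitly. The `config` record continues past this hunk.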
@@ -74,64 +109,64 @@ }, { "audience": { - "default": "default", "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", - "type": "string" + "type": "string", + "default": "default" } }, { "idling_timeout": { - "default": 900, "description": "The session cookie idle time, in seconds.", - "type": "number" + "type": "number", + "default": 900 } }, { "rolling_timeout": { - "default": 3600, "description": "The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed.", - "type": "number" + "type": "number", + "default": 3600 } }, { "absolute_timeout": { - "default": 86400, "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", - "type": "number" + "type": "number", + "default": 86400 } }, { "stale_ttl": { - "default": 10, "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", - "type": "number" + "type": "number", + "default": 10 } }, { "cookie_name": { - "default": "session", "description": "The name of the cookie.", - "type": "string" + "type": "string", + "default": "session" } }, { "cookie_path": { - "default": "/", "description": "The resource in the host where the cookie is available.", - "type": "string" + "type": "string", + "default": "/" } }, { "cookie_domain": { - "description": "The domain with which the cookie is intended to be exchanged.", - "type": "string" + "type": "string", + "description": "The domain with which the cookie is intended to be exchanged." 
} }, { "cookie_same_site": { - "default": "Strict", - "description": "Determines whether and how a cookie may be sent with cross-site requests.", "type": "string", + "description": "Determines whether and how a cookie may be sent with cross-site requests.", + "default": "Strict", "one_of": [ "Strict", "Lax", @@ -142,48 +177,50 @@ }, { "cookie_http_only": { - "default": true, "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "cookie_secure": { - "default": true, "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "remember": { - "default": false, "description": "Enables or disables persistent sessions.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "remember_cookie_name": { - "default": "remember", "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", - "type": "string" + "type": "string", + "default": "remember" } }, { "remember_rolling_timeout": { - "default": 604800, "description": "The persistent session rolling timeout window, in seconds.", - "type": "number" + "type": "number", + "default": 604800 } }, { "remember_absolute_timeout": { - "default": 2592000, "description": "The persistent session absolute timeout limit, in seconds.", - "type": "number" + "type": "number", + "default": 2592000 } }, { "response_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", + "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -195,13 +232,13 @@ "rolling-timeout", "absolute-timeout" ] - }, - "description": "List of information to include, as headers, in the response to the downstream.", - "type": "set" + } } }, { "request_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", + "type": "set", "elements": { "type": "string", "one_of": [ @@ -213,19 +250,23 @@ "rolling-timeout", "absolute-timeout" ] - }, - "description": "List of information to include, as headers, in the response to the downstream.", - "type": "set" + } } }, { "read_body_for_logout": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "logout_methods": { + "default": [ + "POST", + "DELETE" + ], + "description": "A set of HTTP methods that the plugin will respond to.", + "type": "set", "elements": { "type": "string", "one_of": [ 
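Review bot: The `request_headers` description in the first hunk on this line is word-for-word the `response_headers` text ("in the response to the downstream"), so the schema does not tell an operator which direction those session values travel. The listed values include session metadata such as `rolling-timeout` and `absolute-timeout`, so the direction matters when deciding what is exposed to clients and what goes to the upstream service. Presumably it should read `"List of information to include, as headers, in the request to the upstream."`. As the file is downloaded, the wording needs fixing in the source schema. `read_body_for_logout` in the following hunk has no description at all.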
@@ -233,70 +274,43 @@ "POST", "DELETE" ] - }, - "description": "A set of HTTP methods that the plugin will respond to.", - "default": [ - "POST", - "DELETE" - ], - "type": "set" + } } }, { "logout_query_arg": { - "default": "session_logout", "description": "The query argument passed to logout requests.", - "type": "string" + "type": "string", + "default": "session_logout" } }, { "logout_post_arg": { - "default": "session_logout", "description": "The POST argument passed to logout requests. Do not change this property.", - "type": "string" - } - } - ], - "shorthand_fields": [ - { - "cookie_lifetime": { - "type": "number" - } - }, - { - "cookie_idletime": { - "type": "number" - } - }, - { - "cookie_renew": { - "type": "number" - } - }, - { - "cookie_discard": { - "type": "number" - } - }, - { - "cookie_samesite": { - "type": "string" + "type": "string", + "default": "session_logout" } }, { - "cookie_httponly": { - "type": "boolean" + "hash_subject": { + "description": "Whether to hash or not the subject when store_metadata is enabled.", + "type": "boolean", + "default": false } }, { - "cookie_persistent": { - "type": "boolean" + "store_metadata": { + "description": "Whether to also store metadata of sessions, such as collecting data of sessions for a specific audience belonging to a specific subject.", + "type": "boolean", + "default": false } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/standard-webhooks/3.10.x.json b/schemas/standard-webhooks/3.10.x.json index bf13b5b6..4d3c1746 100644 --- a/schemas/standard-webhooks/3.10.x.json +++ b/schemas/standard-webhooks/3.10.x.json 
@@ -1,27 +1,18 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -30,34 +21,43 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "type": "record", "fields": [ { "secret_v1": { "encrypted": true, - "required": true, "type": "string", + "required": true, "description": "Webhook secret", "referenceable": true } }, { "tolerance_second": { - "required": true, + "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response.", "type": "integer", + "required": true, "gt": -1, - "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response.", "default": 300 } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/statsd-advanced/3.10.x.json b/schemas/statsd-advanced/3.10.x.json index aafa408b..8b4b539a 100644 --- a/schemas/statsd-advanced/3.10.x.json +++ b/schemas/statsd-advanced/3.10.x.json 
@@ -1,21 +1,13 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing protocols.", + "type": "set", + "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -27,193 +19,62 @@ "udp", "ws", "wss" - ], - "type": "string" - } + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "host": { - "default": "localhost", "description": "A string representing a host name, such as example.com.", + "default": "localhost", "type": "string" } }, { "port": { - "default": 8125, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 8125 } }, { "prefix": { - "default": "kong", "description": "String to prefix to each metric's name.", - "type": "string" + "type": "string", + "default": "kong" } }, { "metrics": { - "default": [ - { - "stat_type": "counter", - "sample_rate": 1, - "name": "request_count" - }, - { - "stat_type": "timer", - "name": "latency" - }, - { - "stat_type": "timer", - "name": "request_size" - }, - { - "stat_type": "counter", - "sample_rate": 1, - "name": "status_count" - }, - { - "stat_type": "timer", - "name": "response_size" - }, - { - "stat_type": "set", - "name": "unique_users" - }, - { - "stat_type": "counter", - "sample_rate": 1, - "name": "request_per_user" - }, - { - "stat_type": "timer", - "name": "upstream_latency" - }, - { - "stat_type": "timer", - "name": "kong_latency" - }, - { - "stat_type": "counter", - "sample_rate": 1, - "name": "status_count_per_user" - }, - { - "stat_type": "counter", - "sample_rate": 1, - "name": "status_count_per_workspace" - }, - { - "stat_type": "counter", - "sample_rate": 1, - "name": "status_count_per_user_per_route" - }, - { - "stat_type": "gauge", - "sample_rate": 1, - "name": 
"shdict_usage" - }, - { - "stat_type": "counter", - "sample_rate": 1, - "name": "cache_datastore_hits_total" - }, - { - "stat_type": "counter", - "sample_rate": 1, - "name": "cache_datastore_misses_total" - } - ], - "description": "List of Metrics to be logged.", "elements": { - "entity_checks": [ - { - "conditional": { - "if_match": { - "one_of": [ - "unique_users" - ] - }, - "then_field": "stat_type", - "if_field": "name", - "then_match": { - "eq": "set" - } - } - }, - { - "conditional": { - "if_match": { - "one_of": [ - "request_count", - "status_count", - "request_per_user", - "status_count_per_user", - "status_count_per_workspace", - "status_count_per_user_per_route", - "cache_datastore_hits_total", - "cache_datastore_misses_total" - ] - }, - "then_field": "stat_type", - "if_field": "name", - "then_match": { - "eq": "counter" - } - } - }, - { - "conditional": { - "if_match": { - "one_of": [ - "shdict_usage" - ] - }, - "then_field": "stat_type", - "if_field": "name", - "then_match": { - "eq": "gauge" - } - } - }, - { - "conditional": { - "if_match": { - "one_of": [ - "counter", - "gauge" - ] - }, - "then_field": "sample_rate", - "if_field": "stat_type", - "then_match": { - "required": true - } - } - } - ], + "type": "record", "fields": [ { "name": { - "type": "string", "required": true, + "type": "string", "one_of": [ "kong_latency", "latency", @@ -235,8 +96,8 @@ }, { "stat_type": { - "type": "string", "required": true, + "type": "string", "one_of": [ "counter", "gauge", @@ -249,8 +110,8 @@ }, { "sample_rate": { - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { 
@@ -284,52 +145,189 @@ } } ], - "type": "record" + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "unique_users" + ] + }, + "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "set" + } + } + }, + { + "conditional": { + "if_match": { + "one_of": [ + "request_count", + "status_count", + "request_per_user", + "status_count_per_user", + "status_count_per_workspace", + "status_count_per_user_per_route", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + }, + "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "counter" + } + } + }, + { + "conditional": { + "if_match": { + "one_of": [ + "shdict_usage" + ] + }, + "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "gauge" + } + } + }, + { + "conditional": { + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + } + } + } + ] }, + "description": "List of Metrics to be logged.", + "default": [ + { + "stat_type": "counter", + "name": "request_count", + "sample_rate": 1 + }, + { + "name": "latency", + "stat_type": "timer" + }, + { + "name": "request_size", + "stat_type": "timer" + }, + { + "stat_type": "counter", + "name": "status_count", + "sample_rate": 1 + }, + { + "name": "response_size", + "stat_type": "timer" + }, + { + "name": "unique_users", + "stat_type": "set" + }, + { + "stat_type": "counter", + "name": "request_per_user", + "sample_rate": 1 + }, + { + "name": "upstream_latency", + "stat_type": "timer" + }, + { + "name": "kong_latency", + "stat_type": "timer" + }, + { + "stat_type": "counter", + "name": "status_count_per_user", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "status_count_per_workspace", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "status_count_per_user_per_route", + "sample_rate": 1 + }, + { + "stat_type": "gauge", + "name": "shdict_usage", + 
"sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "cache_datastore_hits_total", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "cache_datastore_misses_total", + "sample_rate": 1 + } + ], "type": "array" } }, { "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", + "type": "array", "elements": { "type": "string", "match": "^[0-9]+-[0-9]+$" - }, - "description": "List of status code ranges that are allowed to be logged in metrics.", - "type": "array" + } } }, { "udp_packet_size": { - "default": 0, - "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", "between": [ 0, 65507 ], + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", + "default": 0, "type": "number" } }, { "use_tcp": { - "default": false, "description": "Use TCP instead of UDP.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "hostname_in_prefix": { - "default": false, "description": "Include the `hostname` in the `prefix` for each metric name.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "consumer_identifier_default": { - "required": true, + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", "type": "string", + "required": true, "default": "custom_id", - "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", "one_of": [ "consumer_id", "custom_id", 
@@ -339,10 +337,10 @@ }, { "service_identifier_default": { - "required": true, + "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", "type": "string", + "required": true, "default": "service_name_or_host", - "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", "one_of": [ "service_id", "service_name", @@ -353,10 +351,10 @@ }, { "workspace_identifier_default": { - "required": true, + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", "type": "string", + "required": true, "default": "workspace_id", - "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", "one_of": [ "workspace_id", "workspace_name" @@ -365,6 +363,7 @@ }, { "queue": { + "type": "record", "fields": [ { "max_batch_size": { @@ -407,9 +406,9 @@ }, { "max_retry_time": { - "default": 60, "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "type": "number" + "type": "number", + "default": 60 } }, { @@ -436,9 +435,9 @@ }, { "concurrency_limit": { - "default": 1, - "description": "The number of of queue delivery timers. -1 indicates unlimited.", "type": "integer", + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "default": 1, "one_of": [ -1, 1 
@@ -446,14 +445,15 @@ } } ], - "required": true, - "type": "record" + "required": true } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/statsd/3.10.x.json b/schemas/statsd/3.10.x.json index 042741d2..45fe5c66 100644 --- a/schemas/statsd/3.10.x.json +++ b/schemas/statsd/3.10.x.json @@ -1,21 +1,13 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing protocols.", + "type": "set", + "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -27,44 +19,50 @@ "udp", "ws", "wss" - ], - "type": "string" - } + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "host": { - "default": "localhost", "description": "The IP address or hostname of StatsD server to send data to.", + "default": "localhost", "type": "string" } }, { "port": { - "default": 8125, + "type": "integer", "description": "The port of StatsD server to send data to.", "between": [ 0, 65535 ], - "type": "integer" + "default": 8125 } }, { "prefix": { - "default": "kong", "description": "String to prefix to each metric's name.", + "default": "kong", "type": "string" } }, 
@@ -73,49 +71,49 @@ "default": [ { "stat_type": "counter", - "sample_rate": 1, - "name": "request_count" + "name": "request_count", + "sample_rate": 1 }, { - "stat_type": "timer", - "name": "latency" + "name": "latency", + "stat_type": "timer" }, { "stat_type": "counter", - "sample_rate": 1, - "name": "request_size" + "name": "request_size", + "sample_rate": 1 }, { "stat_type": "counter", - "sample_rate": 1, - "name": "status_count" + "name": "status_count", + "sample_rate": 1 }, { "stat_type": "counter", - "sample_rate": 1, - "name": "response_size" + "name": "response_size", + "sample_rate": 1 }, { - "stat_type": "set", - "name": "unique_users" + "name": "unique_users", + "stat_type": "set" }, { "stat_type": "counter", - "sample_rate": 1, - "name": "request_per_user" + "name": "request_per_user", + "sample_rate": 1 }, { - "stat_type": "timer", - "name": "upstream_latency" + "name": "upstream_latency", + "stat_type": "timer" }, { - "stat_type": "timer", - "name": "kong_latency" + "name": "kong_latency", + "stat_type": "timer" }, { "stat_type": "counter", - "sample_rate": 1, - "name": "status_count_per_user" + "name": "status_count_per_user", + "sample_rate": 1 }, { "stat_type": "counter", @@ -124,13 +122,13 @@ }, { "stat_type": "counter", - "sample_rate": 1, - "name": "status_count_per_user_per_route" + "name": "status_count_per_user_per_route", + "sample_rate": 1 }, { "stat_type": "gauge", - "sample_rate": 1, - "name": "shdict_usage" + "name": "shdict_usage", + "sample_rate": 1 }, { "stat_type": "counter", 
@@ -144,30 +142,15 @@ } ], "description": "List of metrics to be logged.", + "type": "array", "elements": { - "entity_checks": [ - { - "conditional": { - "if_match": { - "one_of": [ - "counter", - "gauge" - ] - }, - "then_field": "sample_rate", - "if_field": "stat_type", - "then_match": { - "required": true - } - } - } - ], + "type": "record", "fields": [ { "name": { - "type": "string", - "description": "StatsD metric’s name.", "required": true, + "description": "StatsD metric’s name.", + "type": "string", "one_of": [ "kong_latency", "latency", @@ -189,9 +172,9 @@ }, { "stat_type": { - "type": "string", - "description": "Determines what sort of event a metric represents.", "required": true, + "description": "Determines what sort of event a metric represents.", + "type": "string", "one_of": [ "counter", "gauge", @@ -204,8 +187,8 @@ }, { "sample_rate": { - "gt": 0, "description": "Sampling rate", + "gt": 0, "type": "number" } }, 
@@ -243,48 +226,63 @@ } } ], - "type": "record" - }, - "type": "array" + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + } + } + } + ] + } } }, { "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", + "type": "array", "elements": { "type": "string", "match": "^[0-9]+-[0-9]+$" - }, - "description": "List of status code ranges that are allowed to be logged in metrics.", - "type": "array" + } } }, { "udp_packet_size": { - "default": 0, "between": [ 0, 65507 ], - "type": "number" + "type": "number", + "default": 0 } }, { "use_tcp": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "hostname_in_prefix": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "consumer_identifier_default": { + "required": true, "default": "custom_id", "type": "string", - "required": true, "one_of": [ "consumer_id", "custom_id", @@ -294,9 +292,9 @@ }, { "service_identifier_default": { + "required": true, "default": "service_name_or_host", "type": "string", - "required": true, "one_of": [ "service_id", "service_name", @@ -307,9 +305,9 @@ }, { "workspace_identifier_default": { + "required": true, "default": "workspace_id", "type": "string", - "required": true, "one_of": [ "workspace_id", "workspace_name" @@ -320,9 +318,9 @@ "retry_count": { "type": "integer", "deprecation": { + "removal_in_version": "4.0", "old_default": 10, - "message": "statsd: config.retry_count no longer works, please use config.queue.max_retry_time instead", - "removal_in_version": "4.0" + "message": "statsd: config.retry_count no longer works, please use config.queue.max_retry_time instead" } } }, 
@@ -330,9 +328,9 @@ "queue_size": { "type": "integer", "deprecation": { + "removal_in_version": "4.0", "old_default": 1, - "message": "statsd: config.queue_size is deprecated, please use config.queue.max_batch_size instead", - "removal_in_version": "4.0" + "message": "statsd: config.queue_size is deprecated, please use config.queue.max_batch_size instead" } } }, @@ -340,16 +338,16 @@ "flush_timeout": { "type": "number", "deprecation": { + "removal_in_version": "4.0", "old_default": 2, - "message": "statsd: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", - "removal_in_version": "4.0" + "message": "statsd: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead" } } }, { "tag_style": { - "type": "string", "required": false, + "type": "string", "one_of": [ "dogstatsd", "influxdb", @@ -360,6 +358,7 @@ }, { "queue": { + "type": "record", "fields": [ { "max_batch_size": { @@ -402,9 +401,9 @@ }, { "max_retry_time": { - "default": 60, "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "type": "number" + "type": "number", + "default": 60 } }, { @@ -431,9 +430,9 @@ }, { "concurrency_limit": { - "default": 1, - "description": "The number of of queue delivery timers. -1 indicates unlimited.", "type": "integer", + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "default": 1, "one_of": [ -1, 1 @@ -441,14 +440,15 @@ } } ], - "required": true, - "type": "record" + "required": true } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/syslog/3.10.x.json b/schemas/syslog/3.10.x.json index 27f2ac90..9df71398 100644 --- a/schemas/syslog/3.10.x.json +++ b/schemas/syslog/3.10.x.json 
@@ -1,21 +1,13 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing protocols.", + "type": "set", + "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -27,27 +19,33 @@ "udp", "ws", "wss" - ], - "type": "string" - } + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "log_level": { + "required": true, "default": "info", "type": "string", - "required": true, "one_of": [ "debug", "info", @@ -62,9 +60,9 @@ }, { "successful_severity": { + "required": true, "default": "info", "type": "string", - "required": true, "one_of": [ "debug", "info", @@ -79,9 +77,9 @@ }, { "client_errors_severity": { + "required": true, "default": "info", "type": "string", - "required": true, "one_of": [ "debug", "info", @@ -96,9 +94,9 @@ }, { "server_errors_severity": { + "required": true, "default": "info", "type": "string", - "required": true, "one_of": [ "debug", "info", 
@@ -113,24 +111,24 @@ }, { "custom_fields_by_lua": { - "description": "Lua code as a key-value map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, + "description": "Lua code as a key-value map", + "type": "map", "keys": { "type": "string", "len_min": 1 - }, - "type": "map" + } } }, { "facility": { - "required": true, + "description": "The facility is used by the operating system to decide how to handle each log message.", "type": "string", + "required": true, "default": "user", - "description": "The facility is used by the operating system to decide how to handle each log message.", "one_of": [ "auth", "authpriv", @@ -156,9 +154,11 @@ } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/tcp-log/3.10.x.json b/schemas/tcp-log/3.10.x.json index e51f9399..32675025 100644 --- a/schemas/tcp-log/3.10.x.json +++ b/schemas/tcp-log/3.10.x.json @@ -1,21 +1,13 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing protocols.", + "type": "set", + "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
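Review bot: The `custom_fields_by_lua` description in the first hunk on this line, `Lua code as a key-value map`, does not say that the map values are code the gateway evaluates, whereas the tcp-log schema later in this patch spells it out. The field lets whoever can write this plugin's configuration supply Lua, so the description is where an operator learns to treat write access to the plugin as code-execution access. How far that code is sandboxed is not visible from the schema. I would align it with the tcp-log wording, i.e. a list of key-value pairs where the key names a log field and the value is a chunk of Lua code whose return value sets or replaces that field.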
@@ -27,86 +19,94 @@ "udp", "ws", "wss" - ], - "type": "string" - } + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "host": { "description": "The IP address or host name to send data to.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { + "type": "integer", + "description": "The port to send data to on the upstream server.", "between": [ 0, 65535 ], - "description": "The port to send data to on the upstream server.", - "required": true, - "type": "integer" + "required": true } }, { "timeout": { - "default": 10000, "description": "An optional timeout in milliseconds when sending data to the upstream server.", - "type": "number" + "type": "number", + "default": 10000 } }, { "keepalive": { - "default": 60000, "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", - "type": "number" + "type": "number", + "default": 60000 } }, { "tls": { "default": false, "description": "Indicates whether to perform a TLS handshake against the remote server.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "tls_sni": { - "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake.", - "type": "string" + "type": "string", + "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake." 
} }, { "custom_fields_by_lua": { - "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", + "type": "map", "keys": { "type": "string", "len_min": 1 - }, - "type": "map" + } } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/tls-handshake-modifier/3.10.x.json b/schemas/tls-handshake-modifier/3.10.x.json index 28e50f31..9897e76f 100644 --- a/schemas/tls-handshake-modifier/3.10.x.json +++ b/schemas/tls-handshake-modifier/3.10.x.json @@ -1,22 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "default": [ - "https", - "grpcs" - ], + "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -25,36 +19,42 @@ "tls" ] }, - "required": true, - "type": "set" + "default": [ + "https", + "grpcs" + ], + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "tls_client_certificate": { - "required": false, + "description": "TLS Client Certificate", "type": "string", + "required": false, "default": "REQUEST", - "description": "TLS Client Certificate", "one_of": [ "REQUEST" ] } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/tls-metadata-headers/3.10.x.json b/schemas/tls-metadata-headers/3.10.x.json index 68ca8cad..ba68fe43 100644 --- a/schemas/tls-metadata-headers/3.10.x.json +++ b/schemas/tls-metadata-headers/3.10.x.json @@ -1,22 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "protocols": { - "default": [ - "https", - "grpcs" - ], + "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -25,25 +19,29 @@ "tls" ] }, - "required": true, - "type": "set" + "default": [ + "https", + "grpcs" + ], + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "inject_client_cert_details": { - "default": false, "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", + "default": false, "type": "boolean" } }, 
@@ -51,46 +49,48 @@ "client_cert_header_name": { "default": "X-Client-Cert", "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "client_serial_header_name": { "default": "X-Client-Cert-Serial", "description": "Define the HTTP header name used for the serial number of the client certificate.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "client_cert_issuer_dn_header_name": { "default": "X-Client-Cert-Issuer-DN", "description": "Define the HTTP header name used for the issuer DN of the client certificate.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "client_cert_subject_dn_header_name": { "default": "X-Client-Cert-Subject-DN", "description": "Define the HTTP header name used for the subject DN of the client certificate.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "client_cert_fingerprint_header_name": { "default": "X-Client-Cert-Fingerprint", "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", - "required": true, - "type": "string" + "type": "string", + "required": true } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/udp-log/3.10.x.json b/schemas/udp-log/3.10.x.json index eae6394a..d2fe7fbf 100644 --- a/schemas/udp-log/3.10.x.json +++ b/schemas/udp-log/3.10.x.json 
@@ -1,21 +1,13 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing protocols.", + "type": "set", + "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -27,65 +19,73 @@ "udp", "ws", "wss" - ], - "type": "string" - } + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "host": { "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": true, - "type": "integer" + "required": true } }, { "timeout": { - "default": 10000, "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "default": 10000, "type": "number" } }, { "custom_fields_by_lua": { - "description": "Lua code as a key-value map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, + "description": "Lua code as a key-value map", + "type": "map", "keys": { "type": "string", "len_min": 1 - }, - "type": "map" + } } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
diff --git a/schemas/upstream-oauth/3.10.x.json b/schemas/upstream-oauth/3.10.x.json index 484a5470..2442ae63 100644 --- a/schemas/upstream-oauth/3.10.x.json +++ b/schemas/upstream-oauth/3.10.x.json @@ -1,32 +1,15 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - }, - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], + "supported_partials": { + "redis-ee": [ + "config.cache.redis" + ] + }, "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ @@ -35,21 +18,29 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "config": { + "type": "record", "fields": [ { "client": { + "type": "record", "fields": [ { "auth_method": { - "required": true, + "description": "The authentication method used in client requests to the IdP. Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", "type": "string", + "required": true, "default": "client_secret_post", - "description": "The authentication method used in client requests to the IdP. Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", "one_of": [ "client_secret_post", "client_secret_basic", 
@@ -60,10 +51,10 @@ }, { "client_secret_jwt_alg": { - "required": true, + "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", "type": "string", + "required": true, "default": "HS512", - "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", "one_of": [ "HS512", "HS256" 
@@ -74,121 +65,121 @@ "http_version": { "default": 1.1, "description": "The HTTP version used for requests made by this plugin. Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", - "required": false, - "type": "number" + "type": "number", + "required": false } }, { "http_proxy": { "description": "The proxy to use when making HTTP requests to the IdP.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "http_proxy_authorization": { "description": "The `Proxy-Authorization` header value to be used with `http_proxy`.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "https_proxy": { "description": "The proxy to use when making HTTPS requests to the IdP.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "https_proxy_authorization": { "description": "The `Proxy-Authorization` header value to be used with `https_proxy`.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "no_proxy": { "description": "A comma-separated list of hosts that should not be proxied.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "timeout": { + "description": "Network I/O timeout for requests to the IdP in milliseconds.", + "type": "integer", + "required": true, + "default": 10000, "between": [ 0, 2147483646 - ], - "required": true, - "type": "integer", - "default": 10000, - "description": "Network I/O timeout for requests to the IdP in milliseconds." 
+ ] } }, { "keep_alive": { - "default": true, + "type": "boolean", "description": "Whether to use keepalive connections to the IdP.", - "required": true, - "type": "boolean" + "default": true, + "required": true } }, { "ssl_verify": { - "default": false, + "type": "boolean", "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", - "required": false, - "type": "boolean" + "default": false, + "required": false } } ], - "required": true, - "type": "record" + "required": true } }, { "oauth": { + "type": "record", "fields": [ { "token_endpoint": { "description": "The token endpoint URI.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "token_headers": { "values": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, "description": "Extra headers to be passed in the token endpoint request.", + "type": "map", "keys": { "type": "string", "description": "A string representing an HTTP header name." - }, - "type": "map" + } } }, { "token_post_args": { "values": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, "description": "Extra post arguments to be passed in the token endpoint request.", + "type": "map", "keys": { "type": "string" - }, - "type": "map" + } } }, { "grant_type": { - "required": true, + "description": "The OAuth grant type to be used.", "type": "string", + "required": true, "default": "client_credentials", - "description": "The OAuth grant type to be used.", "one_of": [ "client_credentials", "password" 
@@ -198,79 +189,79 @@ { "client_id": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The client ID for the application registration in the IdP.", - "required": false + "referenceable": true } }, { "client_secret": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The client secret for the application registration in the IdP.", - "required": false + "referenceable": true } }, { "username": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The username to use if `config.oauth.grant_type` is set to `password`.", - "required": false + "referenceable": true } }, { "password": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The password to use if `config.oauth.grant_type` is set to `password`.", - "required": false + "referenceable": true } }, { "scopes": { - "required": false, - "type": "array", - "default": [ - "openid" - ], "description": "List of scopes to request from the IdP when obtaining a new token.", + "type": "array", + "required": false, "elements": { "type": "string" - } + }, + "default": [ + "openid" + ] } }, { "audience": { - "required": false, - "type": "array", - "default": [ - - ], "description": "List of audiences passed to the IdP when obtaining a new token.", + "type": "array", + "required": false, "elements": { "type": "string" - } + }, + "default": [ + + ] } } ], - "required": true, - "type": "record" + "required": true } }, { "cache": { + "type": "record", "fields": [ { "strategy": { - "required": true, + "description": "The method Kong should use to cache tokens issued by the IdP.", "type": "string", + "required": true, "default": "memory", - "description": "The method Kong should use to cache tokens issued by the IdP.", "one_of": [ "memory", "redis" 
@@ -279,239 +270,110 @@ }, { "memory": { + "type": "record", "fields": [ { "dictionary_name": { - "default": "kong_db_cache", + "type": "string", "description": "The shared dictionary used by the plugin to cache tokens if `config.cache.strategy` is set to `memory`.", - "required": true, - "type": "string" + "default": "kong_db_cache", + "required": true } } ], - "required": true, - "type": "record" + "required": true } }, { "redis": { - "required": true, "type": "record", - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - 
"path": [ - "sentinel_nodes" - ] - } - ] - }, - "type": "array" - } - }, - { - "cluster_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - }, - "type": "array" - } - } - ], + "required": true, "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } }, { "connect_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "send_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "read_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { - "encrypted": true, "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { - "encrypted": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "referenceable": true, - "type": "string" + "encrypted": true, + "type": "string", + "referenceable": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, 
@@ -528,12 +390,12 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + ] } }, { @@ -555,8 +417,9 @@ }, { "sentinel_nodes": { - "required": false, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { "type": "record", "fields": [ 
@@ -564,31 +427,31 @@ "host": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } } ] }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "len_min": 1 } }, { "cluster_nodes": { - "required": false, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", + "required": false, "elements": { "type": "record", "fields": [ 
@@ -596,64 +459,192 @@ "ip": { "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "port": { - "default": 6379, + "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer" + "default": 6379 } } ] }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "len_min": 1 } }, { "ssl": { - "default": false, + "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "ssl_verify": { - "default": false, + "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, - "type": "boolean" + "default": false, + "required": false } }, { "server_name": { "description": "A string representing an SNI (server name indication) value for TLS.", - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "cluster_max_redirections": { - "default": 5, + "type": "integer", "description": "Maximum retry attempts for redirection.", - "required": false, - "type": "integer" + "default": 5, + "required": false } }, { "connection_is_proxied": { - "default": false, + "type": "boolean", "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", - "required": false, - "type": "boolean" + "default": false, + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + } + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "type": "array", + "deprecation": { + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "replaced_with": [ 
+ { + "path": [ + "cluster_nodes" + ] + } + ] + } } } ] 
@@ -661,74 +652,74 @@ }, { "eagerly_expire": { - "required": true, - "type": "integer", - "gt": -1, "description": "The number of seconds to eagerly expire a cached token. By default, a cached token expires 5 seconds before its lifetime as defined in `expires_in`.", - "default": 5 + "type": "integer", + "required": true, + "default": 5, + "gt": -1 } }, { "default_ttl": { - "default": 3600, - "description": "The lifetime of a token without an explicit `expires_in` value.", "gt": 0, + "description": "The lifetime of a token without an explicit `expires_in` value.", + "default": 3600, "type": "number" } } ], - "required": true, - "type": "record" + "required": true } }, { "behavior": { + "type": "record", "fields": [ { "upstream_access_token_header_name": { - "required": true, + "description": "The name of the header used to send the access token (obtained from the IdP) to the upstream service.", "type": "string", + "required": true, "default": "Authorization", - "description": "The name of the header used to send the access token (obtained from the IdP) to the upstream service.", "len_min": 0 } }, { "idp_error_response_status_code": { + "description": "The response code to return to the consumer if Kong fails to obtain a token from the IdP.", + "type": "integer", + "required": true, + "default": 502, "between": [ 500, 599 - ], - "required": true, - "type": "integer", - "default": 502, - "description": "The response code to return to the consumer if Kong fails to obtain a token from the IdP." 
+ ] } }, { "idp_error_response_content_type": { - "required": true, + "description": "The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP.", "type": "string", + "required": true, "default": "application/json; charset=utf-8", - "description": "The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP.", "len_min": 0 } }, { "idp_error_response_message": { - "required": true, + "description": "The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", "type": "string", + "required": true, "default": "Failed to authenticate request to upstream", - "description": "The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", "len_min": 0 } }, { "idp_error_response_body_template": { - "required": true, + "description": "The template to use to create the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", "type": "string", + "required": true, "default": "{ \"code\": \"{{status}}\", \"message\": \"{{message}}\" }", - "description": "The template to use to create the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", "len_min": 0 } }, @@ -738,24 +729,38 @@ 401 ], "description": "An array of status codes which will force an access token to be purged when returned by the upstream. An empty array will disable this functionality.", + "type": "array", "elements": { + "type": "integer", "between": [ 100, 599 - ], - "type": "integer" - }, - "type": "array" + ] + } } } ], - "required": true, - "type": "record" + "required": true } } ], - "required": true, - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] 
diff --git a/schemas/upstream-timeout/3.10.x.json b/schemas/upstream-timeout/3.10.x.json index d14b02ad..b0968c3a 100644 --- a/schemas/upstream-timeout/3.10.x.json +++ b/schemas/upstream-timeout/3.10.x.json @@ -1,19 +1,10 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -22,54 +13,63 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + ] } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + ] } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/vault-auth/3.10.x.json b/schemas/vault-auth/3.10.x.json index d42bfd70..4a29cda1 100644 --- a/schemas/vault-auth/3.10.x.json +++ b/schemas/vault-auth/3.10.x.json 
@@ -1,19 +1,10 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -22,65 +13,72 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "consumer": { - "reference": "consumers", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumers" } }, { "config": { + "type": "record", "fields": [ { "access_token_name": { - "required": true, - "type": "string", - "default": "access_token", "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "type": "string", + "required": true, "elements": { "type": "string", "description": "A string representing an HTTP header name." - } + }, + "default": "access_token" } }, { "secret_token_name": { - "required": true, - "type": "string", - "default": "secret_token", "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "type": "string", + "required": true, "elements": { "type": "string", "description": "A string representing an HTTP header name." 
- } + }, + "default": "secret_token" } }, { "vault": { + "type": "foreign", "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", "reference": "vault_auth_vaults", - "required": true, - "type": "foreign" + "required": true } }, { "hide_credentials": { - "default": false, "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", - "type": "boolean" + "type": "boolean", + "default": false } }, { @@ -91,22 +89,24 @@ }, { "tokens_in_body": { - "default": false, "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "run_on_preflight": { - "default": true, "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", - "type": "boolean" + "type": "boolean", + "default": true } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/websocket-size-limit/3.10.x.json b/schemas/websocket-size-limit/3.10.x.json index 6e1e3593..4f008496 100644 --- a/schemas/websocket-size-limit/3.10.x.json +++ b/schemas/websocket-size-limit/3.10.x.json @@ -1,14 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "default": [ - "ws", - "wss" - ], + "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -16,16 +10,19 @@ "wss" ] }, - "required": true, - "type": "set" + "default": [ + "ws", + "wss" + ], + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { @@ -38,31 +35,34 @@ ] } ], + "type": "record", "fields": [ { "client_max_payload": { + "type": "integer", "between": [ 1, 33554432 ], - "required": false, - "type": "integer" + "required": false } }, { "upstream_max_payload": { + "type": "integer", "between": [ 1, 33554432 ], - "required": false, - "type": "integer" + "required": false } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/websocket-validator/3.10.x.json b/schemas/websocket-validator/3.10.x.json index 4bbf094d..106d861e 100644 --- a/schemas/websocket-validator/3.10.x.json +++ b/schemas/websocket-validator/3.10.x.json @@ -1,14 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "default": [ - "ws", - "wss" - ], + "type": "set", "elements": { "type": "string", "one_of": [ @@ -16,16 +10,19 @@ "wss" ] }, - "required": true, - "type": "set" + "default": [ + "ws", + "wss" + ], + "required": true } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { 
@@ -38,40 +35,23 @@ ] } ], + "type": "record", "fields": [ { "client": { - "entity_checks": [ - { - "at_least_one_of": [ - "text", - "binary" - ] - } - ], - "type": "record", "required": false, + "type": "record", "fields": [ { "text": { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "type", - "schema" - ] - } - } - ], - "type": "record", "required": false, + "type": "record", "fields": [ { "type": { - "type": "string", - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", "one_of": [ "draft4" ] @@ -80,15 +60,11 @@ { "schema": { "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "required": true, - "type": "string" + "type": "string", + "required": true } } - ] - } - }, - { - "binary": { + ], "entity_checks": [ { "custom_entity_check": { @@ -98,15 +74,19 @@ ] } } - ], - "type": "record", + ] + } + }, + { + "binary": { "required": false, + "type": "record", "fields": [ { "type": { - "type": "string", - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", "one_of": [ "draft4" ] 
@@ -115,18 +95,24 @@ { "schema": { "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "required": true, - "type": "string" + "type": "string", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] } } ] } } - ] - } - }, - { - "upstream": { + ], "entity_checks": [ { "at_least_one_of": [ @@ -134,30 +120,24 @@ "binary" ] } - ], - "type": "record", + ] + } + }, + { + "upstream": { "required": false, + "type": "record", "fields": [ { "text": { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "type", - "schema" - ] - } - } - ], - "type": "record", "required": false, + "type": "record", "fields": [ { "type": { - "type": "string", - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", "one_of": [ "draft4" ] @@ -166,15 +146,11 @@ { "schema": { "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "required": true, - "type": "string" + "type": "string", + "required": true } } - ] - } - }, - { - "binary": { + ], "entity_checks": [ { "custom_entity_check": { 
@@ -184,15 +160,19 @@ ] } } - ], - "type": "record", + ] + } + }, + { + "binary": { "required": false, + "type": "record", "fields": [ { "type": { - "type": "string", - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", "one_of": [ "draft4" ] @@ -201,20 +181,40 @@ { "schema": { "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "required": true, - "type": "string" + "type": "string", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] } } ] } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } ] } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/xml-threat-protection/3.10.x.json b/schemas/xml-threat-protection/3.10.x.json index 5a48ae6a..4eb473a5 100644 --- a/schemas/xml-threat-protection/3.10.x.json +++ b/schemas/xml-threat-protection/3.10.x.json @@ -1,19 +1,10 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing HTTP protocols.", + "type": "set", + "required": true, "elements": { "type": "string", "one_of": [ 
@@ -22,15 +13,21 @@ "http", "https" ] - } + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { 
@@ -73,228 +70,231 @@ } } ], + "type": "record", "fields": [ { "checked_content_types": { - "required": true, - "type": "set", - "default": [ - "application/xml" - ], "description": "A list of Content-Type values with payloads that must be validated.", + "type": "set", + "required": true, "elements": { - "match": "^[^%s]+%/[^ ;]+$", "required": true, - "type": "string" - } + "type": "string", + "match": "^[^%s]+%/[^ ;]+$" + }, + "default": [ + "application/xml" + ] } }, { "allowed_content_types": { - "required": true, - "type": "set", - "default": [ - - ], "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", + "type": "set", + "required": true, "elements": { - "match": "^[^%s]+%/[^ ;]+$", "required": true, - "type": "string" - } + "type": "string", + "match": "^[^%s]+%/[^ ;]+$" + }, + "default": [ + + ] } }, { "allow_dtd": { "default": false, "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "namespace_aware": { "default": true, "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", - "required": true, - "type": "boolean" + "type": "boolean", + "required": true } }, { "max_depth": { - "required": true, + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", "type": "integer", + "required": true, "gt": 0, - "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", "default": 50 } }, { "max_children": { - "required": true, + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. 
For example, text-cdata-text-cdata is one child.", "type": "integer", + "required": true, "gt": 0, - "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", "default": 100 } }, { "max_attributes": { - "required": true, + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", "type": "integer", + "required": true, "gt": 0, - "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", "default": 100 } }, { "max_namespaces": { - "required": false, + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", "type": "integer", + "required": false, "gt": 0, - "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", "default": 20 } }, { "document": { - "required": true, + "description": "Maximum size of the entire document.", "type": "integer", + "required": true, "gt": 0, - "description": "Maximum size of the entire document.", "default": 10485760 } }, { "buffer": { - "required": true, + "description": "Maximum size of the unparsed buffer (see below).", "type": "integer", + "required": true, "gt": 0, - "description": "Maximum size of the unparsed buffer (see below).", "default": 1048576 } }, { "comment": { - "required": true, + "description": "Maximum size of comments.", "type": "integer", + "required": true, "gt": 0, - "description": "Maximum size of comments.", "default": 1024 } }, { "localname": { - "required": true, + "description": "Maximum size of the localname. 
This applies to tags and attributes.", "type": "integer", + "required": true, "gt": 0, - "description": "Maximum size of the localname. This applies to tags and attributes.", "default": 1024 } }, { "prefix": { - "required": false, + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", "type": "integer", + "required": false, "gt": 0, - "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", "default": 1024 } }, { "namespaceuri": { - "required": false, + "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware.", "type": "integer", + "required": false, "gt": 0, - "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware.", "default": 1024 } }, { "attribute": { - "required": true, + "description": "Maximum size of the attribute value.", "type": "integer", + "required": true, "gt": 0, - "description": "Maximum size of the attribute value.", "default": 1048576 } }, { "text": { - "required": true, + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", "type": "integer", + "required": true, "gt": 0, - "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", "default": 1048576 } }, { "pitarget": { - "required": true, + "description": "Maximum size of processing instruction targets.", "type": "integer", + "required": true, "gt": 0, - "description": "Maximum size of processing instruction targets.", "default": 1024 } }, { "pidata": { - "required": true, + "description": "Maximum size of processing instruction data.", "type": "integer", + "required": true, "gt": 0, - "description": "Maximum size of processing instruction data.", "default": 1024 } }, { "entityname": { - "required": true, + "description": "Maximum size of entity names 
in EntityDecl.", "type": "integer", + "required": true, "gt": 0, - "description": "Maximum size of entity names in EntityDecl.", "default": 1024 } }, { "entity": { - "required": true, + "description": "Maximum size of entity values in EntityDecl.", "type": "integer", + "required": true, "gt": 0, - "description": "Maximum size of entity values in EntityDecl.", "default": 1024 } }, { "entityproperty": { - "required": true, + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", "type": "integer", + "required": true, "gt": 0, - "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", "default": 1024 } }, { "bla_max_amplification": { - "required": true, + "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", "type": "number", + "required": true, "gt": 1, - "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", "default": 100 } }, { "bla_threshold": { - "required": true, + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", "type": "integer", + "required": true, "gt": 1024, - "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", "default": 8388608 } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/zipkin/3.10.x.json b/schemas/zipkin/3.10.x.json index f08c4023..289cec4f 100644 --- a/schemas/zipkin/3.10.x.json +++ b/schemas/zipkin/3.10.x.json 
@@ -1,21 +1,13 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "description": "A set of strings representing protocols.", + "type": "set", + "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -27,28 +19,34 @@ "udp", "ws", "wss" - ], - "type": "string" - } + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] } }, { "consumer_group": { - "reference": "consumer_groups", - "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "eq": null, + "reference": "consumer_groups" } }, { "config": { + "type": "record", "fields": [ { "local_service_name": { - "default": "kong", + "type": "string", "description": "The name of the service as displayed in Zipkin.", - "required": true, - "type": "string" + "default": "kong", + "required": true } }, { @@ -76,18 +74,18 @@ }, { "include_credential": { - "default": true, + "type": "boolean", "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", - "required": true, - "type": "boolean" + "default": true, + "required": true } }, { "traceid_byte_count": { - "required": true, + "description": "The length in bytes of each request's Trace ID.", "type": "integer", + "required": true, "default": 16, - "description": "The length in bytes of each request's Trace ID.", "one_of": [ 8, 16 
@@ -96,10 +94,13 @@ }, { "header_type": { - "required": true, - "type": "string", - "default": "preserve", "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "old_default": "preserve", + "message": "zipkin: config.header_type is deprecated, please use config.propagation options instead" + }, "one_of": [ "preserve", "ignore", @@ -110,21 +111,22 @@ "ot", "aws", "datadog", - "gcp" + "gcp", + "instana" ], - "deprecation": { - "old_default": "preserve", - "message": "zipkin: config.header_type is deprecated, please use config.propagation options instead", - "removal_in_version": "4.0" - } + "default": "preserve", + "required": true } }, { "default_header_type": { - "required": true, - "type": "string", - "default": "b3", "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", + "type": "string", + "deprecation": { + "removal_in_version": "4.0", + "old_default": "b3", + "message": "zipkin: config.default_header_type is deprecated, please use config.propagation.default_format instead" + }, "one_of": [ "b3", "b3-single", 
@@ -133,25 +135,25 @@ "ot", "aws", "datadog", - "gcp" + "gcp", + "instana" ], - "deprecation": { - "old_default": "b3", - "message": "zipkin: config.default_header_type is deprecated, please use config.propagation.default_format instead", - "removal_in_version": "4.0" - } + "default": "b3", + "required": true } }, { "tags_header": { - "default": "Zipkin-Tags", + "type": "string", "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", - "required": true, - "type": "string" + "default": "Zipkin-Tags", + "required": true } }, { "static_tags": { + "description": "The tags specified on this property will be added to the generated request traces.", + "type": "array", "elements": { "type": "record", "fields": [ @@ -172,28 +174,26 @@ "lc", "peer.hostname" ], - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "value": { - "required": true, - "type": "string" + "type": "string", + "required": true } } ] - }, - "description": "The tags specified on this property will be added to the generated request traces.", - "type": "array" + } } }, { "http_span_name": { - "required": true, + "description": "Specify whether to include the HTTP path in the span name.", "type": "string", + "required": true, "default": "method", - "description": "Specify whether to include the HTTP path in the span name.", "one_of": [ "method", "method_path" 
@@ -202,35 +202,35 @@ }, { "connect_timeout": { - "default": 2000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 2000 } }, { "send_timeout": { - "default": 5000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 5000 } }, { "read_timeout": { - "default": 5000, + "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "type": "integer" + "default": 5000 } }, { @@ -240,10 +240,10 @@ }, { "phase_duration_flavor": { - "required": true, + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", "type": "string", + "required": true, "default": "annotations", - "description": "Specify whether to include the duration of each phase as an annotation or a tag.", "one_of": [ "annotations", "tags" @@ -252,6 +252,7 @@ }, { "queue": { + "type": "record", "fields": [ { "max_batch_size": { @@ -294,9 +295,9 @@ }, { "max_retry_time": { - "default": 60, "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "type": "number" + "type": "number", + "default": 60 } }, { @@ -323,9 +324,9 @@ }, { "concurrency_limit": { - "default": 1, - "description": "The number of of queue delivery timers. -1 indicates unlimited.", "type": "integer", + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "default": 1, "one_of": [ -1, 1 
@@ -333,89 +334,93 @@ } } ], - "required": true, - "type": "record" + "required": true } }, { "propagation": { - "default": { - "default_format": "b3" - }, "fields": [ { "extract": { + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "type": "array", "elements": { "type": "string", "one_of": [ - "gcp", + "w3c", + "b3", "jaeger", - "aws", "ot", - "w3c", "datadog", - "b3" + "aws", + "gcp", + "instana" ] - }, - "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", - "type": "array" + } } }, { "clear": { + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", + "type": "array", "elements": { "type": "string" - }, - "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", - "type": "array" + } } }, { "inject": { + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. 
If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "type": "array", "elements": { "type": "string", "one_of": [ "preserve", - "gcp", + "w3c", + "b3", "b3-single", "jaeger", - "aws", "ot", - "w3c", "datadog", - "b3" + "aws", + "gcp", + "instana" ] - }, - "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", - "type": "array" + } } }, { "default_format": { - "type": "string", - "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", - "required": true, "one_of": [ - "gcp", + "w3c", + "b3", "b3-single", "jaeger", - "aws", "ot", - "w3c", "datadog", - "b3" - ] + "aws", + "gcp", + "instana" + ], + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "type": "string", + "required": true } } ], - "required": true, - "type": "record" + "default": { + "default_format": "b3" + }, + "type": "record", + "required": true } } ], - "required": true, - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file From b0302dfcab6e5922e2ab35776ba2c6ec9acfcd6d Mon Sep 17 00:00:00 2001 
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Thu, 13 Mar 2025 15:55:49 +0000 Subject: [PATCH 128/165] Referenceable fields for 3.10.x --- data/referenceable_fields/3.10.x.json | 46 +++++++++++++++++++++++++-- 1 file changed, 44 insertions(+), 2 deletions(-) diff --git a/data/referenceable_fields/3.10.x.json b/data/referenceable_fields/3.10.x.json index d74a28ee..63994128 100644 --- a/data/referenceable_fields/3.10.x.json +++ b/data/referenceable_fields/3.10.x.json @@ -39,6 +39,8 @@ "config.vectordb.redis.password", "config.vectordb.redis.sentinel_username", "config.vectordb.redis.sentinel_password", + "config.vectordb.pgvector.user", + "config.vectordb.pgvector.password", "config.targets.auth.header_name", "config.targets.auth.header_value", "config.targets.auth.param_name", @@ -50,6 +52,24 @@ "config.targets.auth.aws_access_key_id", "config.targets.auth.aws_secret_access_key" ], + "ai-rag-injector": [ + "config.embeddings.auth.header_name", + "config.embeddings.auth.header_value", + "config.embeddings.auth.param_name", + "config.embeddings.auth.param_value", + "config.embeddings.auth.azure_client_id", + "config.embeddings.auth.azure_client_secret", + "config.embeddings.auth.azure_tenant_id", + "config.embeddings.auth.gcp_service_account_json", + "config.embeddings.auth.aws_access_key_id", + "config.embeddings.auth.aws_secret_access_key", + "config.vectordb.redis.username", + "config.vectordb.redis.password", + "config.vectordb.redis.sentinel_username", + "config.vectordb.redis.sentinel_password", + "config.vectordb.pgvector.user", + "config.vectordb.pgvector.password" + ], "ai-rate-limiting-advanced": [ "config.redis.username", "config.redis.password", 
@@ -94,7 +114,9 @@ "config.vectordb.redis.username", "config.vectordb.redis.password", "config.vectordb.redis.sentinel_username", - "config.vectordb.redis.sentinel_password" + "config.vectordb.redis.sentinel_password", + "config.vectordb.pgvector.user", + "config.vectordb.pgvector.password" ], "ai-semantic-prompt-guard": [ "config.embeddings.auth.header_name", @@ -110,7 +132,9 @@ "config.vectordb.redis.username", "config.vectordb.redis.password", "config.vectordb.redis.sentinel_username", - "config.vectordb.redis.sentinel_password" + "config.vectordb.redis.sentinel_password", + "config.vectordb.pgvector.user", + "config.vectordb.pgvector.password" ], "aws-lambda": [ "config.aws_key", @@ -127,6 +151,12 @@ "config.confluent_cloud_api_key", "config.confluent_cloud_api_secret" ], + "confluent-consume": [ + "config.cluster_api_key", + "config.cluster_api_secret", + "config.confluent_cloud_api_key", + "config.confluent_cloud_api_secret" + ], "datadog": [ "config.host" ], @@ -163,6 +193,10 @@ "config.channel_token_jwks_uri_client_username", "config.channel_token_jwks_uri_client_password" ], + "kafka-consume": [ + "config.authentication.user", + "config.authentication.password" + ], "kafka-log": [ "config.authentication.user", "config.authentication.password" @@ -260,6 +294,14 @@ "config.redis.sentinel_username", "config.redis.sentinel_password" ], + "request-callout": [ + "config.callouts.request.http_opts.proxy.auth_username", + "config.callouts.request.http_opts.proxy.auth_password", + "config.cache.redis.username", + "config.cache.redis.password", + "config.cache.redis.sentinel_username", + "config.cache.redis.sentinel_password" + ], "request-transformer-advanced": [ "config.rename.body", "config.rename.headers", From 868ff230bcd4262fe94c279236462ae41428ef43 Mon Sep 17 00:00:00 2001 
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Thu, 13 Mar 2025 15:55:29 +0000 Subject: [PATCH 129/165] Plugin Priorities for 3.10.x --- data/priorities/ee/3.10.x.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/data/priorities/ee/3.10.x.json b/data/priorities/ee/3.10.x.json index 75c7cb74..bf765560 100644 --- a/data/priorities/ee/3.10.x.json +++ b/data/priorities/ee/3.10.x.json @@ -46,6 +46,7 @@ "response-ratelimiting": 900, "route-by-header": 850, "oas-validation": 840, + "request-callout": 812, "jq": 811, "request-transformer-advanced": 802, "request-transformer": 801, @@ -53,7 +54,9 @@ "response-transformer-advanced": 800, "route-transformer-advanced": 780, "redirect": 779, + "ai-rag-injector": 778, "ai-request-transformer": 777, + "ai-sanitizer": 776, "ai-semantic-prompt-guard": 775, "ai-azure-content-safety": 774, "ai-prompt-template": 773, @@ -65,6 +68,8 @@ "ai-semantic-cache": 765, "standard-webhooks": 760, "upstream-oauth": 760, + "confluent-consume": 754, + "kafka-consume": 753, "confluent": 752, "kafka-upstream": 751, "aws-lambda": 750, From cea0ea503f4196d924f36c844e5355d3b78b5c5a Mon Sep 17 00:00:00 2001 
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Thu, 13 Mar 2025 15:55:18 +0000 Subject: [PATCH 130/165] JSON Schemas for 3.10.x --- json_schemas/ai-prompt-decorator/3.10.json | 10 + json_schemas/ai-prompt-guard/3.10.json | 10 + json_schemas/ai-proxy-advanced/3.10.json | 215 +++++- json_schemas/ai-proxy/3.10.json | 23 +- json_schemas/ai-rag-injector/3.10.json | 593 ++++++++++++++++ .../ai-rate-limiting-advanced/3.10.json | 32 +- json_schemas/ai-request-transformer/3.10.json | 13 +- .../ai-response-transformer/3.10.json | 13 +- json_schemas/ai-sanitizer/3.10.json | 194 ++++++ json_schemas/ai-semantic-cache/3.10.json | 168 ++++- .../ai-semantic-prompt-guard/3.10.json | 168 ++++- json_schemas/confluent-consume/3.10.json | 185 +++++ json_schemas/confluent/3.10.json | 26 +- json_schemas/cors/3.10.json | 5 + json_schemas/file-log/3.10.json | 2 +- json_schemas/json-threat-protection/3.10.json | 5 + json_schemas/kafka-consume/3.10.json | 212 ++++++ json_schemas/kafka-log/3.10.json | 2 +- json_schemas/kafka-upstream/3.10.json | 26 +- json_schemas/key-auth/3.10.json | 34 + json_schemas/opentelemetry/3.10.json | 4 + json_schemas/prometheus/3.10.json | 5 + json_schemas/proxy-cache-advanced/3.10.json | 2 +- json_schemas/rate-limiting-advanced/3.10.json | 2 +- json_schemas/request-callout/3.10.json | 631 ++++++++++++++++++ json_schemas/session/3.10.json | 12 +- json_schemas/zipkin/3.10.json | 5 + 27 files changed, 2576 insertions(+), 21 deletions(-) create mode 100644 json_schemas/ai-rag-injector/3.10.json create mode 100644 json_schemas/ai-sanitizer/3.10.json create mode 100644 json_schemas/confluent-consume/3.10.json create mode 100644 json_schemas/kafka-consume/3.10.json create mode 100644 json_schemas/request-callout/3.10.json diff --git a/json_schemas/ai-prompt-decorator/3.10.json b/json_schemas/ai-prompt-decorator/3.10.json index 0559463c..0bf6f29f 100644 --- a/json_schemas/ai-prompt-decorator/3.10.json 
+++ b/json_schemas/ai-prompt-decorator/3.10.json @@ -2,6 +2,16 @@ "properties": { "config": { "properties": { + "llm_format": { + "default": "openai", + "description": "LLM input and output format and schema to use", + "enum": [ + "bedrock", + "gemini", + "openai" + ], + "type": "string" + }, "max_request_body_size": { "default": 8192, "description": "max allowed body size allowed to be introspected", diff --git a/json_schemas/ai-prompt-guard/3.10.json b/json_schemas/ai-prompt-guard/3.10.json index 536e841e..3f9cacf9 100644 --- a/json_schemas/ai-prompt-guard/3.10.json +++ b/json_schemas/ai-prompt-guard/3.10.json @@ -33,6 +33,16 @@ "maxLength": 10, "type": "array" }, + "llm_format": { + "default": "openai", + "description": "LLM input and output format and schema to use", + "enum": [ + "bedrock", + "gemini", + "openai" + ], + "type": "string" + }, "match_all_roles": { "default": false, "description": "If true, will match all roles in addition to 'user' role in conversation history.", diff --git a/json_schemas/ai-proxy-advanced/3.10.json b/json_schemas/ai-proxy-advanced/3.10.json index 52ab213c..3d832dc6 100644 --- a/json_schemas/ai-proxy-advanced/3.10.json +++ b/json_schemas/ai-proxy-advanced/3.10.json @@ -11,6 +11,7 @@ "consistent-hashing", "lowest-latency", "lowest-usage", + "priority", "round-robin", "semantic" ], 
@@ -22,6 +23,33 @@ "minimum": 1, "type": "integer" }, + "failover_criteria": { + "default": [ + "error", + "timeout" + ], + "description": "Specifies in which cases an upstream response should be failover to the next target. Each option in the array is equivalent to the function of http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream", + "items": { + "enum": [ + "error", + "http_403", + "http_404", + "http_429", + "http_500", + "http_502", + "http_503", + "http_504", + "invalid_header", + "non_idempotent", + "timeout" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, "hash_on_header": { "default": "X-Kong-LLM-Request-ID", "description": "The header to use for consistent-hashing.", @@ -58,9 +86,10 @@ }, "tokens_count_strategy": { "default": "total-tokens", - "description": "What tokens to use for usage calculation. Available values are: `total_tokens` `prompt_tokens`, and `completion_tokens`.", + "description": "What tokens to use for usage calculation. Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` and `cost`.", "enum": [ "completion-tokens", + "cost", "prompt-tokens", "total-tokens" ], 
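Review bot: The updated `tokens_count_strategy` description in the `@@ -58,9 +86,10 @@` hunk names the values with underscores (`total_tokens`, `prompt_tokens`, `completion_tokens`), but the `enum` below it accepts only the hyphenated spellings, so a value copied from the description fails validation. The list is also missing a comma after the first value. I would write it as `"description": "What tokens to use for usage calculation. Available values are: 'total-tokens', 'prompt-tokens', 'completion-tokens' and 'cost'."`. If these files are exported from the plugin schemas, the wording has to be corrected there.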
@@ -160,19 +189,104 @@ "options": { "description": "Key/value settings for the model", "properties": { + "azure": { + "properties": { + "api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "bedrock": { + "properties": { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + }, + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + }, + "aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + 
"type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, "upstream_url": { "description": "upstream url for the embeddings", "type": "string" } }, "required": [ - + "azure" ], "type": "object" }, "provider": { "description": "AI provider format to use for embeddings API", "enum": [ + "azure", + "bedrock", + "gemini", + "huggingface", "mistral", "openai" ], @@ -191,6 +305,16 @@ ], "type": "object" }, + "llm_format": { + "default": "openai", + "description": "LLM input and output format and schema to use", + "enum": [ + "bedrock", + "gemini", + "openai" + ], + "type": "string" + }, "max_request_body_size": { "default": 8192, "description": "max allowed body size allowed to be introspected", @@ -287,7 +411,7 @@ "type": "object" }, "description": { - "description": "The semantic description of the target, required if using semantic load balancing.", + "description": "The semantic description of the target, required if using semantic load balancing. Specially, setting this to 'CATCHALL' will indicate such target to be used when no other targets match the semantic threshold.", "type": "string" }, "logging": { @@ -336,9 +460,21 @@ }, "bedrock": { "properties": { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + }, "aws_region": { "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", "type": "string" + }, + "aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" } }, "required": [ 
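Review bot: Near the end of the `@@ -160,19 +189,104 @@` hunk the `required` list of the embeddings model `options` object changes from empty to `["azure"]`, which makes an `azure` block mandatory even when `provider` is `openai`, `mistral`, `bedrock`, `gemini` or `huggingface`. A validator driven by this schema would reject an embeddings configuration that omits `azure`, although none of the three `azure` properties is itself required. This looks like an export artifact (possibly caused by the default on `api_version`), so I would confirm it against the plugin and keep `"required": []` if the block is optional. The same entry appears in the new ai-rag-injector schema, and the vectordb `required` list in the `@@ -703,6 +909,7 @@` hunk gains `pgvector` next to `redis` in the same way; the enclosing objects start outside these hunks.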
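Review bot: `aws_sts_endpoint_url` is added in the `@@ -336,9 +460,21 @@` hunk as an unconstrained string, although by its own description it decides which endpoint is used when the plugin assumes a different role. I would constrain it in the schema, for example with `"pattern": "^https://"`, and extend the description to say that it must be an AWS STS endpoint the operator trusts (a regional or VPC endpoint). `aws_assume_role_arn` could likewise state the expected ARN form. The same three properties are added to the `bedrock` object in the embeddings hunk above and in the ai-proxy, ai-rag-injector, ai-request-transformer and ai-response-transformer schemas; the `bedrock` object starts before this hunk.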
@@ -397,7 +533,6 @@ "type": "string" }, "max_tokens": { - "default": 256, "description": "Defines the max_tokens, if using chat or completion models.", "type": "integer" }, @@ -507,6 +642,76 @@ ], "type": "string" }, + "pgvector": { + "properties": { + "database": { + "default": "kong-pgvector", + "description": "the database of the pgvector database", + "type": "string" + }, + "host": { + "default": "127.0.0.1", + "description": "the host of the pgvector database", + "type": "string" + }, + "password": { + "description": "the password of the pgvector database", + "type": "string" + }, + "port": { + "default": 5432, + "description": "the port of the pgvector database", + "type": "integer" + }, + "ssl": { + "default": false, + "description": "whether to use ssl for the pgvector database", + "type": "boolean" + }, + "ssl_cert": { + "description": "the path of ssl cert to use for the pgvector database", + "type": "string" + }, + "ssl_cert_key": { + "description": "the path of ssl cert key to use for the pgvector database", + "type": "string" + }, + "ssl_required": { + "default": false, + "description": "whether ssl is required for the pgvector database", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "whether to verify ssl for the pgvector database", + "type": "boolean" + }, + "ssl_version": { + "default": "tlsv1_2", + "description": "the ssl version to use for the pgvector database", + "enum": [ + "any", + "tlsv1_2", + "tlsv1_3" + ], + "type": "string" + }, + "timeout": { + "default": 5000, + "description": "the timeout of the pgvector database", + "type": "number" + }, + "user": { + "default": "postgres", + "description": "the user of the pgvector database", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, "redis": { "properties": { "cluster_max_redirections": { @@ -691,6 +896,7 @@ "strategy": { "description": "which vector database driver to use", "enum": [ + "pgvector", "redis" ], "type": "string" 
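Review bot: The new `pgvector` block in the `@@ -507,6 +642,76 @@` hunk defaults `ssl`, `ssl_required` and `ssl_verify` to `false`, so a configuration that sets only `host`, `user` and `password` describes a connection to the vector database that is neither encrypted nor verified. None of the descriptions say this; I would extend `ssl_verify` to something like `"description": "whether to verify the server certificate of the pgvector database; leave false only for local testing"` and state in `ssl` that traffic to the database is unencrypted when it is off. `ssl_version` also accepts `any`, and its description should say which protocol versions that admits. The identical block is added to the new ai-rag-injector schema.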
@@ -703,6 +909,7 @@ "required": [ "dimensions", "distance_metric", + "pgvector", "redis", "strategy", "threshold" diff --git a/json_schemas/ai-proxy/3.10.json b/json_schemas/ai-proxy/3.10.json index 2c314291..13ec1c5f 100644 --- a/json_schemas/ai-proxy/3.10.json +++ b/json_schemas/ai-proxy/3.10.json @@ -73,6 +73,16 @@ ], "type": "object" }, + "llm_format": { + "default": "openai", + "description": "LLM input and output format and schema to use", + "enum": [ + "bedrock", + "gemini", + "openai" + ], + "type": "string" + }, "logging": { "properties": { "log_payloads": { @@ -125,9 +135,21 @@ }, "bedrock": { "properties": { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + }, "aws_region": { "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", "type": "string" + }, + "aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" } }, "required": [ @@ -186,7 +208,6 @@ "type": "string" }, "max_tokens": { - "default": 256, "description": "Defines the max_tokens, if using chat or completion models.", "type": "integer" }, diff --git a/json_schemas/ai-rag-injector/3.10.json b/json_schemas/ai-rag-injector/3.10.json new file mode 100644 index 00000000..a607fd26 --- /dev/null +++ b/json_schemas/ai-rag-injector/3.10.json 
@@ -0,0 +1,593 @@ +{ + "properties": { + "config": { + "properties": { + "embeddings": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "azure": { + "properties": { + "api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "bedrock": { + "properties": { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + }, + 
"aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + }, + "aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "upstream_url": { + "description": "upstream url for the embeddings", + "type": "string" + } + }, + "required": [ + "azure" + ], + "type": "object" + }, + "provider": { + "description": "AI provider format to use for embeddings API", + "enum": [ + "azure", + "bedrock", + "gemini", + "huggingface", + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "fetch_chunks_count": { + "default": 5, + "description": "The maximum number of chunks to fetch from vectordb", + "type": "number" + }, + "inject_as_role": { + "default": "user", + "enum": [ + "assistant", + "system", + "user" + ], + 
"type": "string" + }, + "inject_template": { + "default": "\n", + "type": "string" + }, + "stop_on_failure": { + "default": false, + "description": "Halt the LLM request process in case of a vectordb or embeddings service failure", + "type": "boolean" + }, + "vectordb": { + "properties": { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "type": "integer" + }, + "distance_metric": { + "description": "the distance metric to use for vector searches", + "enum": [ + "cosine", + "euclidean" + ], + "type": "string" + }, + "pgvector": { + "properties": { + "database": { + "default": "kong-pgvector", + "description": "the database of the pgvector database", + "type": "string" + }, + "host": { + "default": "127.0.0.1", + "description": "the host of the pgvector database", + "type": "string" + }, + "password": { + "description": "the password of the pgvector database", + "type": "string" + }, + "port": { + "default": 5432, + "description": "the port of the pgvector database", + "type": "integer" + }, + "ssl": { + "default": false, + "description": "whether to use ssl for the pgvector database", + "type": "boolean" + }, + "ssl_cert": { + "description": "the path of ssl cert to use for the pgvector database", + "type": "string" + }, + "ssl_cert_key": { + "description": "the path of ssl cert key to use for the pgvector database", + "type": "string" + }, + "ssl_required": { + "default": false, + "description": "whether ssl is required for the pgvector database", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "whether to verify ssl for the pgvector database", + "type": "boolean" + }, + "ssl_version": { + "default": "tlsv1_2", + "description": "the ssl version to use for the pgvector database", + "enum": [ + "any", + "tlsv1_2", + "tlsv1_3" + ], + "type": "string" + }, + "timeout": { + "default": 5000, + "description": "the timeout of the pgvector database", + "type": "number" + }, + "user": { + "default": 
"postgres", + "description": "the user of the pgvector database", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. 
Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "description": "which vector database driver to use", + "enum": [ + "pgvector", + "redis" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "vectordb_namespace": { + "default": "kong_rag_injector", + "description": "The namespace of the vectordb to use for embeddings lookup", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-rate-limiting-advanced/3.10.json b/json_schemas/ai-rate-limiting-advanced/3.10.json index 01df41c1..40fb85d9 100644 --- a/json_schemas/ai-rate-limiting-advanced/3.10.json +++ b/json_schemas/ai-rate-limiting-advanced/3.10.json 
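Review bot: `cluster_nodes`, `sentinel_nodes` and the two shorthand address lists in the `redis` block carry `"minLength": 1` on properties of `"type": "array"`; in JSON Schema `minLength` applies only to strings, so a validator ignores it and an empty array passes despite the description's "minimum length of the array is 1 element". The keyword for arrays is `"minItems": 1`. `custom_patterns` in the new ai-sanitizer schema has the same problem. Separately, `inject_as_role` and `inject_template` are the only `config` properties in this file without a `description`.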
@@ -39,7 +39,7 @@ }, "identifier": { "default": "consumer", - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`. Note if `identifier` is `consumer-group`, the plugin must be applied on a consumer group entity. Because a consumer may belong to multiple consumer groups, the plugin needs to know explicitly which consumer group to limit the rate.", "enum": [ "consumer", "consumer-group", @@ -51,13 +51,29 @@ ], "type": "string" }, + "llm_format": { + "default": "openai", + "description": "LLM input and output format and schema to use", + "enum": [ + "bedrock", + "gemini", + "openai" + ], + "type": "string" + }, "llm_providers": { "description": "The provider config. Takes an array of `name`, `limit` and `window size` values.", "items": { "properties": { "limit": { - "description": "The limit applies to the LLM provider within the defined window size. It used the query cost from the tokens to increment the counter.", - "type": "number" + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "items": { + "required": [ + + ], + "type": "number" + }, + "type": "array" }, "name": { "description": "The LLM provider to which the rate limit applies.", 
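Review bot: `limit` in the `@@ -51,13 +51,29 @@` hunk becomes an array of numbers with no `minItems` and no `minimum` on its items, so an empty list or a zero or negative limit validates for a rate-limiting control. The description says the number of limits must match the number of window sizes, but nothing in the schema expresses that, so the check has to live in the plugin and the description should say so. I would add `"minItems": 1` to the array and `"minimum": 0` (or an exclusive bound, if zero is not meaningful) to the items, and do the same for `window_size` in the `@@ -76,8 +92,14 @@` hunk.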
@@ -76,8 +92,14 @@ "type": "string" }, "window_size": { - "description": "The window size to apply a limit (defined in seconds).", - "type": "number" + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "items": { + "required": [ + + ], + "type": "number" + }, + "type": "array" } }, "required": [ diff --git a/json_schemas/ai-request-transformer/3.10.json b/json_schemas/ai-request-transformer/3.10.json index d3ad7417..db7b5c6b 100644 --- a/json_schemas/ai-request-transformer/3.10.json +++ b/json_schemas/ai-request-transformer/3.10.json @@ -151,9 +151,21 @@ }, "bedrock": { "properties": { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + }, "aws_region": { "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", "type": "string" + }, + "aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" } }, "required": [ @@ -212,7 +224,6 @@ "type": "string" }, "max_tokens": { - "default": 256, "description": "Defines the max_tokens, if using chat or completion models.", "type": "integer" }, diff --git a/json_schemas/ai-response-transformer/3.10.json b/json_schemas/ai-response-transformer/3.10.json index a38e4531..c76b7391 100644 --- a/json_schemas/ai-response-transformer/3.10.json +++ b/json_schemas/ai-response-transformer/3.10.json 
@@ -151,9 +151,21 @@ }, "bedrock": { "properties": { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + }, "aws_region": { "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", "type": "string" + }, + "aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" } }, "required": [ @@ -212,7 +224,6 @@ "type": "string" }, "max_tokens": { - "default": 256, "description": "Defines the max_tokens, if using chat or completion models.", "type": "integer" }, diff --git a/json_schemas/ai-sanitizer/3.10.json b/json_schemas/ai-sanitizer/3.10.json new file mode 100644 index 00000000..2fe62504 --- /dev/null +++ b/json_schemas/ai-sanitizer/3.10.json 
@@ -0,0 +1,194 @@ +{ + "properties": { + "config": { + "properties": { + "anonymize": { + "default": [ + "all_and_credentials" + ], + "description": "List of types to be anonymized", + "items": { + "enum": [ + "all", + "all_and_credentials", + "bank", + "credentials", + "creditcard", + "crypto", + "custom", + "date", + "domain", + "driverlicense", + "email", + "general", + "ip", + "medical", + "nationalid", + "nrp", + "passport", + "phone", + "ssn", + "url" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "custom_patterns": { + "description": "List of custom patterns to be used for anonymization", + "items": { + "properties": { + "name": { + "type": "string" + }, + "regex": { + "type": "string" + }, + "score": { + "default": 0.5, + "maximum": 1, + "minimum": 0, + "type": "number" + } + }, + "required": [ + "name", + "regex" + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "host": { + "default": "localhost", + "description": "The host of the sanitizer", + "type": "string" + }, + "keepalive_timeout": { + "default": 60000, + "description": "The keepalive timeout for the established http connnection", + "type": "number" + }, + "port": { + "default": 8080, + "description": "The port of the sanitizer", + "type": "number" + }, + "recover_redacted": { + "default": true, + "description": "Whether to recover redacted data", + "type": "boolean" + }, + "redact_type": { + "default": "placeholder", + "description": "What value to be used to redacted to", + "enum": [ + "placeholder", + "synthetic" + ], + "type": "string" + }, + "scheme": { + "default": "http", + "description": "The protocol can be http and https", + "type": "string" + }, + "stop_on_error": { + "default": true, + "description": "Stop processing if an error occurs", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Connection timeout with the sanitizer", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + 
"consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
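Review bot: `config.scheme` in the new ai-sanitizer schema is an unconstrained string defaulting to `http`, so once `host` is pointed away from `localhost` the text handed to the sanitizer (presumably the very content that is to be anonymized) travels in cleartext unless the operator also remembers to change the scheme. The description already names the only two valid values, so the schema can enforce them with `"enum": ["http", "https"]`, and the description should say that `https` is expected for a non-local host. Separately, `custom_patterns` sets `"minLength": 1` on an array; `minLength` only constrains strings, so an empty list still validates, and `"minItems": 1` is the keyword that enforces it. The `topics` arrays in the confluent-consume and kafka-consume hunks further down have the same issue. If these files are generated from the plugins' own schemas, the fix belongs there rather than in the JSON.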
diff --git a/json_schemas/ai-semantic-cache/3.10.json b/json_schemas/ai-semantic-cache/3.10.json index 633270b1..1945aee9 100644 --- a/json_schemas/ai-semantic-cache/3.10.json +++ b/json_schemas/ai-semantic-cache/3.10.json 
@@ -95,19 +95,104 @@ "options": { "description": "Key/value settings for the model", "properties": { + "azure": { + "properties": { + "api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "bedrock": { + "properties": { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + }, + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + }, + "aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": 
"boolean" + } + }, + "required": [ + + ], + "type": "object" + }, "upstream_url": { "description": "upstream url for the embeddings", "type": "string" } }, "required": [ - + "azure" ], "type": "object" }, "provider": { "description": "AI provider format to use for embeddings API", "enum": [ + "azure", + "bedrock", + "gemini", + "huggingface", "mistral", "openai" ], @@ -145,6 +230,16 @@ "description": "Ignore and discard any tool prompts when Vectorizing the request", "type": "boolean" }, + "llm_format": { + "default": "openai", + "description": "LLM input and output format and schema to use", + "enum": [ + "bedrock", + "gemini", + "openai" + ], + "type": "string" + }, "message_countback": { "default": 1, "description": "Number of messages in the chat history to Vectorize/Cache", 
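Review bot: The embeddings `options` object now lists `"azure"` in `required`, which makes a strict validator reject a configuration whose `provider` is `openai`, `mistral` or any other non-Azure value and which, reasonably, carries no `azure` block. This is presumably an artefact of `azure.api_version` having a default, but as published the schema says every embeddings model must carry Azure settings. The list should stay empty, `"required": []`, with the provider-specific blocks left optional. The same change appears in the ai-semantic-prompt-guard hunk `@@ -84,19 +84,104 @@`.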
@@ -171,6 +266,76 @@ ], "type": "string" }, + "pgvector": { + "properties": { + "database": { + "default": "kong-pgvector", + "description": "the database of the pgvector database", + "type": "string" + }, + "host": { + "default": "127.0.0.1", + "description": "the host of the pgvector database", + "type": "string" + }, + "password": { + "description": "the password of the pgvector database", + "type": "string" + }, + "port": { + "default": 5432, + "description": "the port of the pgvector database", + "type": "integer" + }, + "ssl": { + "default": false, + "description": "whether to use ssl for the pgvector database", + "type": "boolean" + }, + "ssl_cert": { + "description": "the path of ssl cert to use for the pgvector database", + "type": "string" + }, + "ssl_cert_key": { + "description": "the path of ssl cert key to use for the pgvector database", + "type": "string" + }, + "ssl_required": { + "default": false, + "description": "whether ssl is required for the pgvector database", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "whether to verify ssl for the pgvector database", + "type": "boolean" + }, + "ssl_version": { + "default": "tlsv1_2", + "description": "the ssl version to use for the pgvector database", + "enum": [ + "any", + "tlsv1_2", + "tlsv1_3" + ], + "type": "string" + }, + "timeout": { + "default": 5000, + "description": "the timeout of the pgvector database", + "type": "number" + }, + "user": { + "default": "postgres", + "description": "the user of the pgvector database", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, "redis": { "properties": { "cluster_max_redirections": { @@ -355,6 +520,7 @@ "strategy": { "description": "which vector database driver to use", "enum": [ + "pgvector", "redis" ], "type": "string" diff --git a/json_schemas/ai-semantic-prompt-guard/3.10.json b/json_schemas/ai-semantic-prompt-guard/3.10.json index c979375d..54a0fc50 100644 
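Review bot: The new `pgvector` block defaults `ssl`, `ssl_required` and `ssl_verify` all to `false`, so a configuration that fills in only `host`, `user` and `password` connects to the vector database without TLS, and one that turns on `ssl` alone encrypts the link without authenticating the server. For a store that holds cached prompts and responses, the safer default is verification on: `"ssl_verify": { "default": true, ... }`. If the defaults cannot change, the `ssl` and `ssl_verify` descriptions should at least state that both must be enabled for any non-loopback `host`. The `user` default of `postgres` also steers deployments toward the superuser account, and the description could recommend a dedicated role. The identical block is added in the ai-semantic-prompt-guard hunk `@@ -191,6 +286,76 @@`.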
--- a/json_schemas/ai-semantic-prompt-guard/3.10.json +++ b/json_schemas/ai-semantic-prompt-guard/3.10.json 
@@ -84,19 +84,104 @@ "options": { "description": "Key/value settings for the model", "properties": { + "azure": { + "properties": { + "api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "bedrock": { + "properties": { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + }, + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + }, + "aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": 
"boolean" + } + }, + "required": [ + + ], + "type": "object" + }, "upstream_url": { "description": "upstream url for the embeddings", "type": "string" } }, "required": [ - + "azure" ], "type": "object" }, "provider": { "description": "AI provider format to use for embeddings API", "enum": [ + "azure", + "bedrock", + "gemini", + "huggingface", "mistral", "openai" ], @@ -114,6 +199,16 @@ ], "type": "object" }, + "llm_format": { + "default": "openai", + "description": "LLM input and output format and schema to use", + "enum": [ + "bedrock", + "gemini", + "openai" + ], + "type": "string" + }, "rules": { "properties": { "allow_prompts": { 
@@ -191,6 +286,76 @@ ], "type": "string" }, + "pgvector": { + "properties": { + "database": { + "default": "kong-pgvector", + "description": "the database of the pgvector database", + "type": "string" + }, + "host": { + "default": "127.0.0.1", + "description": "the host of the pgvector database", + "type": "string" + }, + "password": { + "description": "the password of the pgvector database", + "type": "string" + }, + "port": { + "default": 5432, + "description": "the port of the pgvector database", + "type": "integer" + }, + "ssl": { + "default": false, + "description": "whether to use ssl for the pgvector database", + "type": "boolean" + }, + "ssl_cert": { + "description": "the path of ssl cert to use for the pgvector database", + "type": "string" + }, + "ssl_cert_key": { + "description": "the path of ssl cert key to use for the pgvector database", + "type": "string" + }, + "ssl_required": { + "default": false, + "description": "whether ssl is required for the pgvector database", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "whether to verify ssl for the pgvector database", + "type": "boolean" + }, + "ssl_version": { + "default": "tlsv1_2", + "description": "the ssl version to use for the pgvector database", + "enum": [ + "any", + "tlsv1_2", + "tlsv1_3" + ], + "type": "string" + }, + "timeout": { + "default": 5000, + "description": "the timeout of the pgvector database", + "type": "number" + }, + "user": { + "default": "postgres", + "description": "the user of the pgvector database", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, "redis": { "properties": { "cluster_max_redirections": { @@ -375,6 +540,7 @@ "strategy": { "description": "which vector database driver to use", "enum": [ + "pgvector", "redis" ], "type": "string" diff --git a/json_schemas/confluent-consume/3.10.json b/json_schemas/confluent-consume/3.10.json new file mode 100644 index 00000000..70519aff --- /dev/null 
+++ b/json_schemas/confluent-consume/3.10.json 
@@ -0,0 +1,185 @@ +{ + "properties": { + "config": { + "properties": { + "auto_offset_reset": { + "default": "latest", + "description": "The offset to start from when there is no initial offset in the consumer group.", + "enum": [ + "earliest", + "latest" + ], + "type": "string" + }, + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_api_key": { + "description": "Username/Apikey for SASL authentication.", + "type": "string" + }, + "cluster_api_secret": { + "description": "Password/ApiSecret for SASL authentication.", + "type": "string" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "commit_strategy": { + "default": "auto", + "description": "The strategy to use for committing offsets.", + "enum": [ + "auto", + "off" + ], + "type": "string" + }, + "confluent_cloud_api_key": { + "description": "Apikey for authentication with Confluent Cloud. 
This allows for management tasks such as creating topics, ACLs, etc.", + "type": "string" + }, + "confluent_cloud_api_secret": { + "description": "The corresponding secret for the Confluent Cloud API key.", + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "Keepalive timeout in milliseconds.", + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "message_deserializer": { + "default": "noop", + "description": "The deserializer to use for the consumed messages.", + "enum": [ + "json", + "noop" + ], + "type": "string" + }, + "mode": { + "default": "http-get", + "description": "The mode of operation for the plugin.", + "enum": [ + "http-get", + "server-sent-events" + ], + "type": "string" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topics": { + "description": "The Kafka topics and their configuration you want to consume from.", + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/confluent/3.10.json b/json_schemas/confluent/3.10.json index 2eda69cb..be3d6570 100644 --- a/json_schemas/confluent/3.10.json +++ b/json_schemas/confluent/3.10.json @@ -2,6 +2,16 @@ "properties": { "config": { "properties": { + "allowed_topics": { + "description": "The list of allowed topic names to which messages can be sent. The default topic configured in the `topic` field is always allowed, regardless of its inclusion in `allowed_topics`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, "bootstrap_servers": { "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "items": { 
@@ -74,6 +84,16 @@ "default": false, "type": "boolean" }, + "message_by_lua_functions": { + "description": "The Lua functions that manipulates the message being sent to the Kafka topic.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, "producer_async": { "default": true, "description": "Flag to enable asynchronous mode.", @@ -130,7 +150,11 @@ "type": "integer" }, "topic": { - "description": "The Kafka topic to publish to.", + "description": "The default Kafka topic to publish to if the query parameter defined in the `topics_query_arg` does not exist in the request", + "type": "string" + }, + "topics_query_arg": { + "description": "The request query parameter name that contains the topics to publish to", "type": "string" } }, diff --git a/json_schemas/cors/3.10.json b/json_schemas/cors/3.10.json index b0254d05..dea2367f 100644 --- a/json_schemas/cors/3.10.json +++ b/json_schemas/cors/3.10.json @@ -2,6 +2,11 @@ "properties": { "config": { "properties": { + "allow_origin_absent": { + "default": true, + "description": "A boolean value that skip cors response headers when origin header of request is empty", + "type": "boolean" + }, "credentials": { "default": false, "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", diff --git a/json_schemas/file-log/3.10.json b/json_schemas/file-log/3.10.json index 7b34b71e..bdc87bcb 100644 --- a/json_schemas/file-log/3.10.json +++ b/json_schemas/file-log/3.10.json @@ -9,7 +9,7 @@ }, "path": { "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", - "pattern": "^[^*&%%\\`]+$", + "pattern": "^[^[\\t\\n\\v\\f\\r ]*&%%\\`][^*&%%\\`]*[^[\\t\\n\\v\\f\\r ]*&%%\\`]$", "type": "string" }, "reopen": { diff --git a/json_schemas/json-threat-protection/3.10.json b/json_schemas/json-threat-protection/3.10.json index 43827bd8..14c237d5 100644 
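Review bot: The new file-log `path` pattern nests a bracket expression inside another (`[^[\\t\\n\\v\\f\\r ]*&%%...]`), and read as an ECMA-262 regex, which is what JSON Schema `pattern` uses, the outer class closes at the first `]`, so the rest (`*&%%`, the backtick and a stray `]`) becomes literal text that must appear in the value. That would reject ordinary paths and accept only strings containing the characters the rule is meant to forbid; it looks like a Lua `%s` class expanded in place by the schema converter. The intent appears to be "no whitespace at either end, none of `*`, `&`, `%` or backtick anywhere", which is a single class per position: ``"^[^\\s*&%`][^*&%`]*[^\\s*&%`]$"``. Note that this form, like the one in the hunk, requires at least two characters.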
--- a/json_schemas/json-threat-protection/3.10.json +++ b/json_schemas/json-threat-protection/3.10.json @@ -2,6 +2,11 @@ "properties": { "config": { "properties": { + "allow_duplicate_object_entry_name": { + "default": true, + "description": "Allow or disallow duplicate object entry name.", + "type": "boolean" + }, "enforcement_mode": { "default": "block", "description": "Enforcement mode of the security policy.", diff --git a/json_schemas/kafka-consume/3.10.json b/json_schemas/kafka-consume/3.10.json new file mode 100644 index 00000000..10ae7600 --- /dev/null +++ b/json_schemas/kafka-consume/3.10.json 
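Review bot: `allow_duplicate_object_entry_name` defaults to `true`, so a policy left at the default `enforcement_mode` of `block` still passes bodies with repeated object keys, and the description ("Allow or disallow duplicate object entry name.") does not tell the operator which way the default leans. Parsers disagree on which of two duplicate names wins, so the gateway and the upstream can end up reading different values from the same body. This is worth spelling out for a threat-protection plugin. Suggested description: `"Whether an object may contain the same entry name more than once. Defaults to true (duplicates accepted); set to false to reject such bodies."`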
@@ -0,0 +1,212 @@ +{ + "properties": { + "config": { + "properties": { + "authentication": { + "properties": { + "mechanism": { + "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", + "enum": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "type": "string" + }, + "password": { + "description": "Password for SASL authentication.", + "type": "string" + }, + "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "enum": [ + "sasl" + ], + "type": "string" + }, + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication", + "type": "boolean" + }, + "user": { + "description": "Username for SASL authentication.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "auto_offset_reset": { + "default": "latest", + "description": "The offset to start from when there is no initial offset in the consumer group.", + "enum": [ + "earliest", + "latest" + ], + "type": "string" + }, + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster.", + "type": "string" + }, + "commit_strategy": { + "default": "auto", + "description": "The strategy to use for committing offsets.", + "enum": [ + "auto", + "off" + ], + "type": "string" + }, + "message_deserializer": { + "default": "noop", + "description": "The deserializer to use for the consumed messages.", + "enum": [ + "json", + "noop" + ], + 
"type": "string" + }, + "mode": { + "default": "http-get", + "description": "The mode of operation for the plugin.", + "enum": [ + "http-get", + "server-sent-events" + ], + "type": "string" + }, + "security": { + "properties": { + "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string", + "uuid": true + }, + "ssl": { + "description": "Enables TLS.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "topics": { + "description": "The Kafka topics and their configuration you want to consume from.", + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/kafka-log/3.10.json b/json_schemas/kafka-log/3.10.json index 3cc3b73a..81b292d6 100644 --- a/json_schemas/kafka-log/3.10.json +++ b/json_schemas/kafka-log/3.10.json @@ -5,7 +5,7 @@ "authentication": { "properties": { "mechanism": { - "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256` or `SCRAM-SHA-512`.", "enum": [ "PLAIN", "SCRAM-SHA-256", diff --git a/json_schemas/kafka-upstream/3.10.json b/json_schemas/kafka-upstream/3.10.json index 4fa1cc92..cd93a5bd 100644 --- a/json_schemas/kafka-upstream/3.10.json +++ b/json_schemas/kafka-upstream/3.10.json @@ -2,6 +2,16 @@ "properties": { "config": { "properties": { + "allowed_topics": { + "description": "The list of allowed topic names to which messages can be sent. The default topic configured in the `topic` field is always allowed, regardless of its inclusion in `allowed_topics`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, "authentication": { "properties": { "mechanism": { 
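Review bot: In the new kafka-consume schema the `authentication.mechanism` description lists only PLAIN and SCRAM-SHA-256, while the enum directly below it also accepts `SCRAM-SHA-512`; the kafka-log hunk in this same patch corrects exactly that sentence. Use the same wording here: `"The SASL authentication mechanism. Supported options: PLAIN, SCRAM-SHA-256 or SCRAM-SHA-512."` (with the backticks as in kafka-log). The description could also state that `security.ssl` should be enabled when `PLAIN` is chosen, since `ssl` has no default in this schema and SASL PLAIN transmits the password unprotected.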
@@ -94,6 +104,16 @@ "default": false, "type": "boolean" }, + "message_by_lua_functions": { + "description": "The Lua functions that manipulates the message being sent to the Kafka topic.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, "producer_async": { "default": true, "description": "Flag to enable asynchronous mode.", @@ -167,7 +187,11 @@ "type": "integer" }, "topic": { - "description": "The Kafka topic to publish to.", + "description": "The default Kafka topic to publish to if the query parameter defined in the `topics_query_arg` does not exist in the request", + "type": "string" + }, + "topics_query_arg": { + "description": "The request query parameter name that contains the topics to publish to", "type": "string" } }, diff --git a/json_schemas/key-auth/3.10.json b/json_schemas/key-auth/3.10.json index a37eb540..c1800b24 100644 --- a/json_schemas/key-auth/3.10.json +++ b/json_schemas/key-auth/3.10.json @@ -11,6 +11,40 @@ "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", "type": "boolean" }, + "identity_realms": { + "default": [ + { + "id": null, + "region": null, + "scope": "cp" + } + ], + "description": "A configuration of Konnect Identity Realms that indicate where to source a consumer from.", + "items": { + "properties": { + "id": { + "description": "A string representing a UUID (universally unique identifier).", + "type": "string", + "uuid": true + }, + "region": { + "type": "string" + }, + "scope": { + "enum": [ + "cp", + "realm" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "type": "array" + }, "key_in_body": { "default": false, "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", 
diff --git a/json_schemas/opentelemetry/3.10.json b/json_schemas/opentelemetry/3.10.json index bfad5c8a..37adf193 100644 --- a/json_schemas/opentelemetry/3.10.json +++ b/json_schemas/opentelemetry/3.10.json @@ -26,6 +26,7 @@ "datadog", "gcp", "ignore", + "instana", "jaeger", "ot", "preserve", @@ -68,6 +69,7 @@ "b3-single", "datadog", "gcp", + "instana", "jaeger", "ot", "w3c" @@ -82,6 +84,7 @@ "b3", "datadog", "gcp", + "instana", "jaeger", "ot", "w3c" @@ -102,6 +105,7 @@ "b3-single", "datadog", "gcp", + "instana", "jaeger", "ot", "preserve", diff --git a/json_schemas/prometheus/3.10.json b/json_schemas/prometheus/3.10.json index c2bc326c..f9e0b0b9 100644 --- a/json_schemas/prometheus/3.10.json +++ b/json_schemas/prometheus/3.10.json @@ -31,6 +31,11 @@ "default": false, "description": "A boolean value that determines if upstream metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", "type": "boolean" + }, + "wasm_metrics": { + "default": false, + "description": "A boolean value that determines if Wasm metrics should be collected.", + "type": "boolean" } }, "required": [ diff --git a/json_schemas/proxy-cache-advanced/3.10.json b/json_schemas/proxy-cache-advanced/3.10.json index 2b2bfc0b..f8bba648 100644 --- a/json_schemas/proxy-cache-advanced/3.10.json +++ b/json_schemas/proxy-cache-advanced/3.10.json @@ -314,7 +314,7 @@ "type": "array" }, "vary_query_params": { - "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration. By default, the max number of params accepted is 100. You can change this value via the `lua_max_post_args` in `kong.conf`.", "items": { "required": [ diff --git a/json_schemas/rate-limiting-advanced/3.10.json b/json_schemas/rate-limiting-advanced/3.10.json index ddf292ba..6a2835ca 100644 
--- a/json_schemas/rate-limiting-advanced/3.10.json +++ b/json_schemas/rate-limiting-advanced/3.10.json @@ -68,7 +68,7 @@ }, "identifier": { "default": "consumer", - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`. Note if `identifier` is `consumer-group`, the plugin must be applied on a consumer group entity. Because a consumer may belong to multiple consumer groups, the plugin needs to know explicitly which consumer group to limit the rate.", "enum": [ "consumer", "consumer-group", diff --git a/json_schemas/request-callout/3.10.json b/json_schemas/request-callout/3.10.json new file mode 100644 index 00000000..bd8473ad --- /dev/null +++ b/json_schemas/request-callout/3.10.json 
@@ -0,0 +1,631 @@ +{ + "properties": { + "config": { + "properties": { + "cache": { + "properties": { + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities.", + "minimum": 0, + "type": "integer" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "default": "off", + "enum": [ + "memory", + "off", + "redis" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "callouts": { + "items": { + "properties": { + "cache": { + "properties": { + "bypass": { + "default": false, + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "depends_on": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "request": { + "properties": { + "body": { + "properties": { + "custom": { + "additionalProperties": true, + "type": "object" + }, + "decode": { + "default": false, + "type": "boolean" + }, + "forward": { + "default": false, + "type": 
"boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "by_lua": { + "type": "string" + }, + "error": { + "properties": { + "error_response_code": { + "default": 400, + "type": "integer" + }, + "error_response_msg": { + "default": "service callout error", + "type": "string" + }, + "http_statuses": { + "items": { + "maximum": 999, + "minimum": 100, + "required": [ + + ], + "type": "integer" + }, + "type": "array" + }, + "on_error": { + "default": "fail", + "enum": [ + "continue", + "fail", + "retry" + ], + "type": "string" + }, + "retries": { + "default": 2, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "headers": { + "properties": { + "custom": { + "additionalProperties": true, + "type": "object" + }, + "forward": { + "default": false, + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "http_opts": { + "properties": { + "proxy": { + "properties": { + "auth_password": { + "type": "string" + }, + "auth_username": { + "type": "string" + }, + "http_proxy": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "https_proxy": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "ssl_server_name": { + "type": "string" + }, + "ssl_verify": { + "default": false, + "type": "boolean" + }, + "timeouts": { + "properties": { + "connect": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "read": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "write": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "method": { + "default": "GET", + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", + "pattern": "^%u+$", + "type": "string" + }, + "query": { + "properties": { + "custom": { + "additionalProperties": true, + "type": "object" + }, + "forward": { + "default": false, + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + "required": [ + "body", + "error", + "headers", + "http_opts", + "query", + "url" + ], + "type": "object" + }, + "response": { + "properties": { + "body": { + "properties": { + "decode": { + "default": false, + "type": "boolean" + }, + "store": { + "default": true, + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "by_lua": { + "type": "string" + }, + "headers": { + "properties": { + "store": { + "default": true, + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + "body", + "headers" + ], + "type": "object" + } + }, + "required": [ + "cache", + "name", + "request", + "response" + ], + "type": "object" + }, + "type": "array" + }, + "upstream": { + "properties": { + "body": { + "properties": { + "custom": { + "additionalProperties": true, + "type": "object" + }, + "decode": { + "default": true, + "type": "boolean" + }, + "forward": { + "default": true, + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "by_lua": { + "type": "string" + }, + "headers": { + "properties": { + "custom": { + "additionalProperties": true, + "type": "object" + }, + "forward": { + "default": true, + "type": "boolean" + } + }, + 
"required": [ + + ], + "type": "object" + }, + "query": { + "properties": { + "custom": { + "additionalProperties": true, + "type": "object" + }, + "forward": { + "default": true, + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/session/3.10.json b/json_schemas/session/3.10.json index ce22bca5..bb942b58 100644 --- a/json_schemas/session/3.10.json +++ b/json_schemas/session/3.10.json @@ -47,6 +47,11 @@ "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", "type": "boolean" }, + "hash_subject": { + "default": false, + "description": "Whether to hash or not the subject when store_metadata is enabled.", + "type": "boolean" + }, "idling_timeout": { "default": 900, "description": "The session cookie idle time, in seconds.", @@ -149,7 +154,7 @@ "type": "number" }, "secret": { - "default": "lt9BJW1n5RfhCxTbNIKqsj8THW7YNdXTA0VW6KQwBUwg", + "default": "e5LBiB0qbGGgh4BBf3E8HWBbKBFHsz007KeVri6SIUAp", "description": "The secret that is used in keyed HMAC generation.", "type": "string" }, @@ -166,6 +171,11 @@ "kong" ], "type": "string" + }, + "store_metadata": { + "default": false, + "description": "Whether to also store metadata of sessions, such as collecting data of sessions for a specific audience belonging to a specific subject.", + "type": "boolean" } }, "required": [ diff --git a/json_schemas/zipkin/3.10.json b/json_schemas/zipkin/3.10.json index 0e5554bb..c6b1f4a6 100644 --- a/json_schemas/zipkin/3.10.json +++ b/json_schemas/zipkin/3.10.json 
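Review bot: In the `@@ -149,7 +154,7 @@` hunk of `json_schemas/session/3.10.json` the `default` of `secret` changes from one concrete string to another, which suggests the value is produced when the schema is dumped rather than being a fixed default. Publishing it under `default` invites readers to treat it as the real HMAC key, and anyone who copies it into a configuration is using a secret that is public in this repository. Since the file is generated, the fix belongs in the generator: omit `default` for `secret` and say so in the text, e.g. `"description": "The secret that is used in keyed HMAC generation. A random value is generated if unset."` (wording to be confirmed against the plugin). That would also stop this line from changing on every regeneration.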
@@ -18,6 +18,7 @@ "b3-single", "datadog", "gcp", + "instana", "jaeger", "ot", "w3c" @@ -38,6 +39,7 @@ "datadog", "gcp", "ignore", + "instana", "jaeger", "ot", "preserve", @@ -103,6 +105,7 @@ "b3-single", "datadog", "gcp", + "instana", "jaeger", "ot", "w3c" @@ -117,6 +120,7 @@ "b3", "datadog", "gcp", + "instana", "jaeger", "ot", "w3c" @@ -137,6 +141,7 @@ "b3-single", "datadog", "gcp", + "instana", "jaeger", "ot", "preserve", From 5f5c0012e5f1177057f10bd6263c96ec798a9b02 Mon Sep 17 00:00:00 2001 From: Michael Heap Date: Sat, 15 Mar 2025 07:46:01 +0000 Subject: [PATCH 131/165] Pin all GitHub Actions (#100) --- .github/workflows/copy-data-files.yml | 4 ++-- .github/workflows/copy-examples.yml | 4 ++-- .github/workflows/copy-schemas.yml | 4 ++-- .github/workflows/download-schemas.yml | 4 ++-- .github/workflows/generate-json-schemas.yml | 4 ++-- .github/workflows/generate-plugin-priorities.yml | 4 ++-- .../workflows/generate-referenceable-fields.yml | 4 ++-- .github/workflows/security.yaml | 15 +++++++++++++++ .github/workflows/sync-docs.yml | 2 +- .github/workflows/validate_examples.yml | 2 +- 10 files changed, 31 insertions(+), 16 deletions(-) create mode 100644 .github/workflows/security.yaml diff --git a/.github/workflows/copy-data-files.yml b/.github/workflows/copy-data-files.yml index 9e96055c..2911031c 100644 --- a/.github/workflows/copy-data-files.yml +++ b/.github/workflows/copy-data-files.yml 
@@ -14,14 +14,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out repo - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Install dependencies uses: ./.github/reusable-steps/install-deps - name: Run copy_data_files run: | bundle exec ./plugins copy_data_files --version=${{ github.event.inputs.version }} - name: Create Pull Request - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7 with: token: ${{ secrets.PAT }} title: "Copy latest data files to ${{ github.event.inputs.version }}" diff --git a/.github/workflows/copy-examples.yml b/.github/workflows/copy-examples.yml index 0612c4a2..f653f11a 100644 --- a/.github/workflows/copy-examples.yml +++ b/.github/workflows/copy-examples.yml @@ -14,14 +14,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out repo - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Install dependencies uses: ./.github/reusable-steps/install-deps - name: Run copy_examples run: | bundle exec ./plugins copy_examples --version=${{ github.event.inputs.version }} --plugins $(ls ./schemas) --verbose - name: Create Pull Request - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7 with: token: ${{ secrets.PAT }} title: "Copy latest examples to ${{ github.event.inputs.version }}" diff --git a/.github/workflows/copy-schemas.yml b/.github/workflows/copy-schemas.yml index 04478fb0..fdd67d52 100644 --- a/.github/workflows/copy-schemas.yml +++ b/.github/workflows/copy-schemas.yml 
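Review bot: The unchanged `run:` step in this hunk still expands `${{ github.event.inputs.version }}` directly into the shell script, so the input is substituted into the script text before the shell parses it. Since this commit is hardening the workflows, I would pass the value through the environment instead: add `env:` with `VERSION: ${{ github.event.inputs.version }}` on the step and call `--version="$VERSION"`. The trigger is outside the hunk; if it is `workflow_dispatch` only, the input comes from someone with write access, which limits the exposure but is no reason to leave it unquoted. The same pattern is in the copy-examples, copy-schemas, download-schemas, generate-json-schemas, generate-plugin-priorities (there also `kong-edition`) and generate-referenceable-fields hunks.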
@@ -14,14 +14,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out repo - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Install dependencies uses: ./.github/reusable-steps/install-deps - name: Run copy_schemas run: | bundle exec ./plugins copy_schemas --version=${{ github.event.inputs.version }} --plugins $(ls ./schemas) --verbose - name: Create Pull Request - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7 with: token: ${{ secrets.PAT }} title: "Copy latest schemas to ${{ github.event.inputs.version }}" diff --git a/.github/workflows/download-schemas.yml b/.github/workflows/download-schemas.yml index 792a27e5..da4d6976 100644 --- a/.github/workflows/download-schemas.yml +++ b/.github/workflows/download-schemas.yml @@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out repo - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Install dependencies uses: ./.github/reusable-steps/install-deps - name: Run Kong EE @@ -39,7 +39,7 @@ jobs: run: | bundle exec ./plugins download_schemas --version=${{ github.event.inputs.version }} --plugins $(ls ./schemas) --verbose - name: Create Pull Request - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7 with: token: ${{ secrets.PAT }} title: "Download Schemas for ${{ github.event.inputs.version }}" diff --git a/.github/workflows/generate-json-schemas.yml b/.github/workflows/generate-json-schemas.yml index f2d6d82a..ab8ec9eb 100644 --- a/.github/workflows/generate-json-schemas.yml +++ b/.github/workflows/generate-json-schemas.yml 
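Review bot: The trailing `# v4` comment on the pinned `actions/checkout` line records only the major tag, so a reader cannot tell from the file which release the SHA corresponds to or whether it has fallen behind. I would put the full release tag the SHA was taken from in the comment, in the form `# vX.Y.Z` (placeholder), which is the form automated updaters typically maintain alongside a pinned SHA. This applies to every pin added in this commit, including `peter-evans/create-pull-request` and `peter-evans/repository-dispatch`. No updater configuration is visible in this patch; without one, the pins stay at these commits until someone bumps them by hand.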
@@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out repo - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Install dependencies uses: ./.github/reusable-steps/install-deps - name: Run Kong EE @@ -39,7 +39,7 @@ jobs: run: | bundle exec ./plugins convert_json_schema --version=${{ github.event.inputs.version }} --plugins $(ls ./schemas) --verbose - name: Create Pull Request - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7 with: token: ${{ secrets.PAT }} title: "Generate JSON Schemas for ${{ github.event.inputs.version }}" diff --git a/.github/workflows/generate-plugin-priorities.yml b/.github/workflows/generate-plugin-priorities.yml index 5a3817db..45eaecdc 100644 --- a/.github/workflows/generate-plugin-priorities.yml +++ b/.github/workflows/generate-plugin-priorities.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out repo - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Install dependencies uses: ./.github/reusable-steps/install-deps - name: Run Kong EE @@ -54,7 +54,7 @@ jobs: run: | bundle exec ./plugins generate_plugin_priorities --type=${{ github.event.inputs.kong-edition }} --version=${{ github.event.inputs.version }} --verbose - name: Create Pull Request - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7 with: token: ${{ secrets.PAT }} title: "Plugin Priorities for ${{ github.event.inputs.version }}" diff --git a/.github/workflows/generate-referenceable-fields.yml b/.github/workflows/generate-referenceable-fields.yml index 0e48bdde..d09e6c51 100644 --- a/.github/workflows/generate-referenceable-fields.yml +++ b/.github/workflows/generate-referenceable-fields.yml 
@@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out repo - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Install dependencies uses: ./.github/reusable-steps/install-deps - name: Run Kong EE @@ -39,7 +39,7 @@ jobs: run: | bundle exec ./plugins generate_referenceable_fields_list --version=${{ github.event.inputs.version }} --plugins $(ls ./schemas) --verbose - name: Create Pull Request - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7 with: token: ${{ secrets.PAT }} title: "Referenceable fields for ${{ github.event.inputs.version }}" diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml new file mode 100644 index 00000000..1397617b --- /dev/null +++ b/.github/workflows/security.yaml @@ -0,0 +1,15 @@ +on: push + +name: Security + +jobs: + ensure-pinned-actions: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Ensure SHA pinned actions + uses: zgosalvez/github-actions-ensure-sha-pinned-actions@25ed13d0628a1601b4b44048e63cc4328ed03633 # v3 + with: + allowlist: | + Kong/ diff --git a/.github/workflows/sync-docs.yml b/.github/workflows/sync-docs.yml index bde8cae2..20c963d5 100644 --- a/.github/workflows/sync-docs.yml +++ b/.github/workflows/sync-docs.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Repository Dispatch - uses: peter-evans/repository-dispatch@v3 + uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3 with: token: ${{ secrets.PAT }} repository: Kong/docs.konghq.com diff --git a/.github/workflows/validate_examples.yml b/.github/workflows/validate_examples.yml index 15323038..39399ad3 100644 --- a/.github/workflows/validate_examples.yml +++ b/.github/workflows/validate_examples.yml 
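Review bot: The new `.github/workflows/security.yaml` has no `permissions:` block, so the job runs with whatever default `GITHUB_TOKEN` scope the repository or organisation grants, although it only needs to read the checkout. I would add `permissions:` with `contents: read` at the top level of the workflow. Two smaller points in the same file: `on: push` means pull requests from forks are not checked until after merge (adding `pull_request` would cover them), and the `Kong/` allowlist entry exempts every action under that owner from pinning, which deserves a comment saying it is intentional.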
@@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out repo - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Install dependencies uses: ./.github/reusable-steps/install-deps - name: Run Kong EE From 480e0e9488e21a9274c110337253ceaa8d045bf9 Mon Sep 17 00:00:00 2001 From: lena-larionova Date: Mon, 17 Mar 2025 10:54:02 -0700 Subject: [PATCH 132/165] regenerate schema for request callout plugin --- schemas/request-callout/3.10.x.json | 535 +++++++++++++++------------- 1 file changed, 291 insertions(+), 244 deletions(-) diff --git a/schemas/request-callout/3.10.x.json b/schemas/request-callout/3.10.x.json index b4940175..14e32422 100644 --- a/schemas/request-callout/3.10.x.json +++ b/schemas/request-callout/3.10.x.json 
@@ -1,98 +1,100 @@ { + "entity_checks": [], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { - "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "string", + "len_min": 1, + "required": true }, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ] + "type": "set", + "required": true, + "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", "fields": [ { "callouts": { + "required": true, + "type": "array", "elements": { - "type": "record", "fields": [ { "name": { "type": "string", - "required": true + "required": true, + "description": "A string identifier for a callout. A callout object is referenceablevia its name in the kong.ctx.shared.callouts." } }, { "depends_on": { - "type": "array", + "default": [], "elements": { - "type": "string", - "required": true + "required": true, + "type": "string" }, - "default": [ - - ], - "required": true + "type": "array", + "required": true, + "description": "An array of callout names the current callout depends on.This dependency determines the callout execution order." } }, { "request": { - "type": "record", "fields": [ { "url": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", - "required": true + "required": true, + "description": "The URL that will be requested." } }, { "method": { - "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", - "type": "string", - "required": true, "default": "GET", - "match": "^%u+$" + "required": true, + "type": "string", + "match": "^%u+$", + "description": "The HTTP method that will be requested." 
} }, { "http_opts": { - "type": "record", "fields": [ { "ssl_verify": { "default": false, - "type": "boolean" + "type": "boolean", + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." } }, { "ssl_server_name": { + "description": "The SNI used in the callout request. Defaults to host if omitted.", "type": "string" } }, { "timeouts": { - "type": "record", "fields": [ { "connect": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer", + "description": "The socket connect timeout.", "between": [ 0, 2147483646 @@ -101,8 +103,8 @@ }, { "write": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer", + "description": "The socket write timeout.", "between": [ 0, 2147483646 @@ -111,8 +113,8 @@ }, { "read": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer", + "description": "The socket read timeout. ", "between": [ 0, 2147483646 @@ -120,6 +122,7 @@ } } ], + "type": "record", "entity_checks": [ { "mutually_required": [ 
@@ -128,136 +131,151 @@ "read" ] } - ] + ], + "description": "Socket timeouts in milliseconds. All or none must be set." } }, { "proxy": { - "type": "record", "fields": [ { "auth_username": { - "required": false, + "description": "The username to authenticate with, if the forward proxy is protected by basic authentication.", "type": "string", - "referenceable": true + "referenceable": true, + "required": false } }, { "auth_password": { - "required": false, + "description": "The password to authenticate with, if the forward proxy is protected by basic authentication.", "type": "string", - "referenceable": true + "referenceable": true, + "required": false } }, { "https_proxy": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "The HTTPS proxy URL. This proxy server will be used for HTTPS requests.", + "type": "string" } }, { "http_proxy": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "The HTTP proxy URL. This proxy server will be used for HTTP requests.", + "type": "string" } } - ] + ], + "type": "record", + "description": "Proxy settings." } } ], + "type": "record", + "description": "HTTP connection parameters.", "required": true } }, { "query": { - "type": "record", "fields": [ { "forward": { "default": false, - "type": "boolean" + "type": "boolean", + "description": "If true, forwards the incoming request's query params to the callout request. " } }, { "custom": { "values": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "required": false, "type": "map", "keys": { "type": "string" - } + }, + "description": "The custom query params to be added in the callout HTTP request.Values can contain Lua expressions in the form $(some_lua_code)." 
} } ], + "type": "record", + "description": "Callout request query param customizations.", "required": true } }, { "headers": { - "type": "record", "fields": [ { "forward": { "default": false, - "type": "boolean" + "type": "boolean", + "description": "If true, forwards the incoming request's headers to the callout request. " } }, { "custom": { "values": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "required": false, "type": "map", "keys": { "type": "string" - } + }, + "description": "The custom headers to be added in the callout HTTP request.Values can contain Lua expressions in the form $(some_lua_code)." } } ], + "type": "record", + "description": "Callout request header customizations.", "required": true } }, { "body": { - "type": "record", "fields": [ { "forward": { "default": false, - "type": "boolean" + "type": "boolean", + "description": "If true, forwards the incoming request's body to the callout request." } }, { "decode": { "default": false, - "type": "boolean" + "type": "boolean", + "description": "If true, decodes the request's body to make it available for customizations." } }, { "custom": { "values": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "required": false, "type": "map", "keys": { "type": "string" - } + }, + "description": "The custom body fields to be added in the callout HTTP request.Values can contain Lua expressions in the form $(some_lua_code)." } } ], + "type": "record", + "description": "Callout request body customizations.", "required": true } }, { "error": { - "type": "record", "fields": [ { "on_error": { 
@@ -273,255 +291,270 @@ { "retries": { "default": 2, - "type": "integer" + "type": "integer", + "description": "The number of retries the plugin will attempt on TCP and HTTP errors if `on_error` is set to `retry`." } }, { "http_statuses": { - "type": "array", "elements": { "type": "integer", "between": [ 100, 999 ] - } + }, + "type": "array", + "description": "The list of HTTP status codes considered errors under the error handling policy." } }, { "error_response_code": { "default": 400, - "type": "integer" + "type": "integer", + "description": "The error code to respond with if `on_error` is `fail` or if `retries` is achieved." } }, { "error_response_msg": { "default": "service callout error", - "type": "string" + "type": "string", + "description": "The error mesasge to respond with if `on_error` is `fail` or if `retries` is achieved.Templating with Lua expressions is supported." } } ], + "type": "record", + "description": "The error handling policy the plugin will apply to TCP and HTTP errors.", "required": true } }, { "by_lua": { "type": "string", - "required": false + "required": false, + "description": "Lua code that executes before the callout request is made.Standard Lua sandboxing restrictions apply." } } ], + "type": "record", + "description": "The customizations for the callout request.", "required": true } }, { "response": { - "type": "record", "fields": [ { "headers": { - "type": "record", "fields": [ { "store": { "default": true, - "type": "boolean" + "type": "boolean", + "description": "If false, skips storing the callout response headers intokong.ctx.shared.callouts..response.headers." } } ], + "type": "record", + "description": "Callout response header customizations.", "required": true } }, { "body": { - "type": "record", "fields": [ { "store": { "default": true, - "type": "boolean" + "type": "boolean", + "description": "If false, skips storing the callout response body into kong.ctx.shared.callouts..response.body." 
} }, { "decode": { "default": false, - "type": "boolean" + "type": "boolean", + "description": "If true, decodes the response body before storing into the context. Only JSON is supported." } } ], + "type": "record", "required": true } }, { "by_lua": { "type": "string", - "required": false + "required": false, + "description": "Lua code that executes after the callout request is made, before caching takes place. Standard Lua sandboxing restrictions apply." } } ], + "type": "record", + "description": "Configurations of callout response handling.", "required": true } }, { "cache": { - "type": "record", "fields": [ { "bypass": { "default": false, - "type": "boolean" + "type": "boolean", + "description": "If true, skips caching the callout response." } } ], + "type": "record", + "description": "Callout caching configuration.", "required": true } } - ] + ], + "type": "record" }, - "type": "array", - "required": true + "description": "A collection of callout objects, where each object represents an HTTPrequest made in the context of a proxy request." } }, { "cache": { - "type": "record", "fields": [ { "strategy": { - "required": true, "default": "off", + "description": "The backing data store in which to hold cache entities. Accepted values are: `off`, `memory`, and `redis`.", "type": "string", "one_of": [ "memory", "redis", "off" - ] + ], + "required": true } }, { "memory": { - "type": "record", "fields": [ { "dictionary_name": { "default": "kong_db_cache", - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", "type": "string", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. 
Note that this dictionary currently must be defined manually in the Kong Nginx template.", "required": true } } ], + "type": "record", "required": true } }, { "redis": { - "type": "record", - "required": true, "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", "default": "127.0.0.1", - "type": "string" + "type": "string", + "description": "A string representing a host name, such as example.com." } }, { "port": { + "default": 6379, "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "default": 6379 + ] } }, { "connect_timeout": { + "default": 2000, "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "default": 2000 + ] } }, { "send_timeout": { + "default": 2000, "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "default": 2000 + ] } }, { "read_timeout": { + "default": 2000, "type": "integer", "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ], - "default": 2000 + ] } }, { "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", - "referenceable": true + "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." } }, { "password": { - "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", "encrypted": true, "type": "string", - "referenceable": true + "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." } }, { "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", "type": "string", - "referenceable": true + "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." } }, { "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "encrypted": true, "type": "string", - "referenceable": true + "referenceable": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, - "type": "integer" + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy" } }, { "keepalive_pool_size": { "default": 256, + "type": "integer", "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 - ], - "type": "integer" + ] } }, { "keepalive_backlog": { - "description": "Limits the total number of opened connections for a pool. 
If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "type": "integer", + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 
@@ -530,193 +563,131 @@ }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "type": "string", + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." } }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "type": "array", - "required": false, "elements": { - "type": "record", "fields": [ { "host": { "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com.", "type": "string", - "required": true + "required": true, + "description": "A string representing a host name, such as example.com." } }, { "port": { + "default": 6379, "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "default": 6379 + ] } } - ] + ], + "type": "record" }, - "len_min": 1 + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "type": "array", + "len_min": 1, + "required": false } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", - "type": "array", - "required": false, "elements": { - "type": "record", "fields": [ { "ip": { "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com.", "type": "string", - "required": true + "required": true, + "description": "A string representing a host name, such as example.com." } }, { "port": { + "default": 6379, "type": "integer", "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ], - "default": 6379 + ] } } - ] + ], + "type": "record" }, - "len_min": 1 + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "type": "array", + "len_min": 1, + "required": false } }, { "ssl": { + "default": false, "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", - "default": false, "required": false } }, { "ssl_verify": { + "default": false, "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "default": false, "required": false } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string", - "required": false + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS." } }, { "cluster_max_redirections": { - "type": "integer", - "description": "Maximum retry attempts for redirection.", "default": 5, - "required": false + "type": "integer", + "required": false, + "description": "Maximum retry attempts for redirection." 
} }, { "connection_is_proxied": { + "default": false, "type": "boolean", "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "default": false, "required": false } } ], - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], "shorthand_fields": [ { "timeout": { - "type": "integer", "deprecation": { - "removal_in_version": "4.0", "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -734,19 +705,15 @@ ] } ] - } + }, + "type": "integer" } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", "deprecation": { - "removal_in_version": "4.0", "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -754,19 +721,19 @@ ] } ] + }, + "type": "array", + "len_min": 1, + "elements": { + "type": "string" } } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", "deprecation": { - "removal_in_version": "4.0", "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -774,131 +741,211 @@ ] } ] + }, + "type": "array", + "len_min": 1, + "elements": { + "type": "string" + } + } + } + ], + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + }, + "if_match": { + "eq": true } } + }, + { + "custom_entity_check": { + "field_sources": [ + "database", + "connection_is_proxied" + ], + "run_with_missing_fields": true + } + }, + { + "custom_entity_check": { + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ], + "run_with_missing_fields": true + } + }, + { + "custom_entity_check": { + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ], + "run_with_missing_fields": true + } } - ] + ], + "required": true } }, { "cache_ttl": { - "gt": 0, - "description": "TTL in seconds of cache entities.", + "default": 300, "type": "integer", - "default": 300 + "description": "TTL in seconds of cache entities.", + "gt": 0 } } ], + "type": "record", + "description": "Plugin global caching configuration.", "required": true } }, { "upstream": { - "type": "record", "fields": [ { "by_lua": { "type": "string", - "required": false + "required": false, + "description": "Lua code that executes before the upstream request is made. Standard Lua sandboxing restrictions apply." } }, { "query": { - "type": "record", "fields": [ { "forward": { "default": true, - "type": "boolean" + "type": "boolean", + "description": "If false, does not forward request query params to upstream request." 
} }, { "custom": { "values": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "required": false, "type": "map", "keys": { "type": "string" - } + }, + "description": "The custom query params to be added in the upstream HTTP request. Values can contain Lua expressions in the form $(some_lua_code)." } } ], + "type": "record", + "description": "Upstream request query param customizations.", "required": true } }, { "headers": { - "type": "record", "fields": [ { "forward": { "default": true, - "type": "boolean" + "type": "boolean", + "description": "If false, does not forward request headers to upstream request." } }, { "custom": { "values": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "required": false, "type": "map", "keys": { "type": "string" - } + }, + "description": "The custom headers to be added in the upstream HTTP request. Values can contain Lua expressions in the form $(some_lua_code)." } } ], + "type": "record", + "description": "Callout request header customizations.", "required": true } }, { "body": { - "type": "record", "fields": [ { "forward": { "default": true, - "type": "boolean" + "type": "boolean", + "description": "If false, skips forwarding the incoming request's body to the upstream request." } }, { "decode": { "default": true, - "type": "boolean" + "type": "boolean", + "description": "If true, decodes the request's body to make it available for upstream by_lua customizations." } }, { "custom": { "values": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "required": false, "type": "map", "keys": { "type": "string" - } + }, + "description": "The custom body fields to be added in the upstream request body. Values can contain Lua expressions in the form $(some_lua_code)." 
} } ], + "type": "record", + "description": "Callout request body customizations.", "required": true } } ], + "type": "record", + "description": "Customizations to the upstream request.", "required": true } } ], + "type": "record", "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file From 6cd885e738c0f06dc77878620c7411deb1b2e6ae Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Mon, 9 Dec 2024 13:51:00 +0100 Subject: [PATCH 133/165] Fix json-schema Github action, it doesn't need to have Gateway running --- .github/workflows/generate-json-schemas.yml | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/.github/workflows/generate-json-schemas.yml b/.github/workflows/generate-json-schemas.yml index ab8ec9eb..50f08d7f 100644 --- a/.github/workflows/generate-json-schemas.yml +++ b/.github/workflows/generate-json-schemas.yml @@ -2,24 +2,12 @@ name: Generate json schemas on: workflow_dispatch: inputs: - kong-image-tag: - required: true - type: string - description: | - Kong Docker image tag to run, 3.6.1.4. version: required: true type: string description: | Kong Gateway release, e.x. 3.4.x. Used by some commands for storing files in the corresponding folder. - kong-image-name: - type: choice - description: | - Kong Docker image name to use, e.g. kong-gateway, kong-gateway-dev. - options: - - kong-gateway - - kong-gateway-dev jobs: generate-json-schemas: @@ -29,12 +17,6 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Install dependencies uses: ./.github/reusable-steps/install-deps - - name: Run Kong EE - uses: ./.github/reusable-steps/run-kong-ee - with: - op-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} - kong-image-tag: ${{ github.event.inputs.kong-image-tag }} - kong-image-name: ${{ github.event.inputs.kong-image-name }} - name: Run convert_json_schema run: | bundle exec ./plugins convert_json_schema --version=${{ github.event.inputs.version }} --plugins $(ls ./schemas) --verbose 
@@ -48,6 +30,3 @@ jobs:
 delete-branch: true
 add-paths: |
 ./json_schemas/*
- - name: Cleanup
- if: always()
- uses: ./.github/reusable-steps/cleanup
From 7b64f9da19603e569b46410821d548d22bf5e348 Mon Sep 17 00:00:00 2001
From: fabianrbz <715229+fabianrbz@users.noreply.github.com> Date: Mon, 9 Dec 2024 12:53:36 +0000 Subject: [PATCH 134/165] JSON Schemas for 2.8.x --- json_schemas/acl/2.8.json | 126 ++ json_schemas/acme/2.8.json | 272 +++ .../application-registration/2.8.json | 80 + json_schemas/aws-lambda/2.8.json | 235 +++ json_schemas/azure-functions/2.8.json | 125 ++ json_schemas/basic-auth/2.8.json | 88 + json_schemas/bot-detection/2.8.json | 125 ++ json_schemas/canary/2.8.json | 140 ++ json_schemas/correlation-id/2.8.json | 118 ++ json_schemas/cors/2.8.json | 186 ++ json_schemas/datadog/2.8.json | 201 ++ json_schemas/degraphql/2.8.json | 68 + json_schemas/exit-transformer/2.8.json | 92 + json_schemas/file-log/2.8.json | 111 ++ json_schemas/forward-proxy/2.8.json | 134 ++ .../graphql-proxy-cache-advanced/2.8.json | 107 + .../graphql-rate-limiting-advanced/2.8.json | 294 +++ json_schemas/grpc-gateway/2.8.json | 74 + json_schemas/grpc-web/2.8.json | 83 + json_schemas/hmac-auth/2.8.json | 134 ++ json_schemas/http-log/2.8.json | 168 ++ json_schemas/ip-restriction/2.8.json | 139 ++ json_schemas/jq/2.8.json | 199 ++ json_schemas/jwt-signer/2.8.json | 563 ++++++ json_schemas/jwt/2.8.json | 160 ++ json_schemas/kafka-log/2.8.json | 237 +++ json_schemas/kafka-upstream/2.8.json | 258 +++ json_schemas/key-auth-enc/2.8.json | 125 ++ json_schemas/key-auth/2.8.json | 123 ++ json_schemas/ldap-auth-advanced/2.8.json | 190 ++ json_schemas/ldap-auth/2.8.json | 157 ++ json_schemas/loggly/2.8.json | 195 ++ json_schemas/mocking/2.8.json | 110 ++ json_schemas/mtls-auth/2.8.json | 180 ++ json_schemas/oauth2-introspection/2.8.json | 138 ++ json_schemas/oauth2/2.8.json | 184 ++ json_schemas/opa/2.8.json | 125 ++ json_schemas/openid-connect/2.8.json | 1759 +++++++++++++++++ json_schemas/post-function/2.8.json | 138 ++ json_schemas/pre-function/2.8.json | 145 ++ json_schemas/prometheus/2.8.json | 75 + json_schemas/proxy-cache-advanced/2.8.json | 323 +++ json_schemas/proxy-cache/2.8.json | 198 ++ 
json_schemas/rate-limiting-advanced/2.8.json | 324 +++ json_schemas/rate-limiting/2.8.json | 214 ++ json_schemas/request-size-limiting/2.8.json | 115 ++ json_schemas/request-termination/2.8.json | 123 ++ .../request-transformer-advanced/2.8.json | 385 ++++ json_schemas/request-transformer/2.8.json | 375 ++++ json_schemas/request-validator/2.8.json | 147 ++ json_schemas/response-ratelimiting/2.8.json | 172 ++ .../response-transformer-advanced/2.8.json | 461 +++++ json_schemas/response-transformer/2.8.json | 344 ++++ json_schemas/route-by-header/2.8.json | 101 + .../route-transformer-advanced/2.8.json | 87 + json_schemas/session/2.8.json | 154 ++ json_schemas/statsd-advanced/2.8.json | 206 ++ json_schemas/statsd/2.8.json | 175 ++ json_schemas/syslog/2.8.json | 187 ++ json_schemas/tcp-log/2.8.json | 133 ++ json_schemas/udp-log/2.8.json | 122 ++ json_schemas/upstream-timeout/2.8.json | 116 ++ json_schemas/vault-auth/2.8.json | 104 + json_schemas/zipkin/2.8.json | 175 ++ 64 files changed, 12902 insertions(+) create mode 100644 json_schemas/acl/2.8.json create mode 100644 json_schemas/acme/2.8.json create mode 100644 json_schemas/application-registration/2.8.json create mode 100644 json_schemas/aws-lambda/2.8.json create mode 100644 json_schemas/azure-functions/2.8.json create mode 100644 json_schemas/basic-auth/2.8.json create mode 100644 json_schemas/bot-detection/2.8.json create mode 100644 json_schemas/canary/2.8.json create mode 100644 json_schemas/correlation-id/2.8.json create mode 100644 json_schemas/cors/2.8.json create mode 100644 json_schemas/datadog/2.8.json create mode 100644 json_schemas/degraphql/2.8.json create mode 100644 json_schemas/exit-transformer/2.8.json create mode 100644 json_schemas/file-log/2.8.json create mode 100644 json_schemas/forward-proxy/2.8.json create mode 100644 json_schemas/graphql-proxy-cache-advanced/2.8.json create mode 100644 json_schemas/graphql-rate-limiting-advanced/2.8.json create mode 100644 
json_schemas/grpc-gateway/2.8.json create mode 100644 json_schemas/grpc-web/2.8.json create mode 100644 json_schemas/hmac-auth/2.8.json create mode 100644 json_schemas/http-log/2.8.json create mode 100644 json_schemas/ip-restriction/2.8.json create mode 100644 json_schemas/jq/2.8.json create mode 100644 json_schemas/jwt-signer/2.8.json create mode 100644 json_schemas/jwt/2.8.json create mode 100644 json_schemas/kafka-log/2.8.json create mode 100644 json_schemas/kafka-upstream/2.8.json create mode 100644 json_schemas/key-auth-enc/2.8.json create mode 100644 json_schemas/key-auth/2.8.json create mode 100644 json_schemas/ldap-auth-advanced/2.8.json create mode 100644 json_schemas/ldap-auth/2.8.json create mode 100644 json_schemas/loggly/2.8.json create mode 100644 json_schemas/mocking/2.8.json create mode 100644 json_schemas/mtls-auth/2.8.json create mode 100644 json_schemas/oauth2-introspection/2.8.json create mode 100644 json_schemas/oauth2/2.8.json create mode 100644 json_schemas/opa/2.8.json create mode 100644 json_schemas/openid-connect/2.8.json create mode 100644 json_schemas/post-function/2.8.json create mode 100644 json_schemas/pre-function/2.8.json create mode 100644 json_schemas/prometheus/2.8.json create mode 100644 json_schemas/proxy-cache-advanced/2.8.json create mode 100644 json_schemas/proxy-cache/2.8.json create mode 100644 json_schemas/rate-limiting-advanced/2.8.json create mode 100644 json_schemas/rate-limiting/2.8.json create mode 100644 json_schemas/request-size-limiting/2.8.json create mode 100644 json_schemas/request-termination/2.8.json create mode 100644 json_schemas/request-transformer-advanced/2.8.json create mode 100644 json_schemas/request-transformer/2.8.json create mode 100644 json_schemas/request-validator/2.8.json create mode 100644 json_schemas/response-ratelimiting/2.8.json create mode 100644 json_schemas/response-transformer-advanced/2.8.json create mode 100644 json_schemas/response-transformer/2.8.json create mode 100644 
json_schemas/route-by-header/2.8.json create mode 100644 json_schemas/route-transformer-advanced/2.8.json create mode 100644 json_schemas/session/2.8.json create mode 100644 json_schemas/statsd-advanced/2.8.json create mode 100644 json_schemas/statsd/2.8.json create mode 100644 json_schemas/syslog/2.8.json create mode 100644 json_schemas/tcp-log/2.8.json create mode 100644 json_schemas/udp-log/2.8.json create mode 100644 json_schemas/upstream-timeout/2.8.json create mode 100644 json_schemas/vault-auth/2.8.json create mode 100644 json_schemas/zipkin/2.8.json diff --git a/json_schemas/acl/2.8.json b/json_schemas/acl/2.8.json new file mode 100644 index 00000000..e4eb6e69 --- /dev/null +++ b/json_schemas/acl/2.8.json 
@@ -0,0 +1,126 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "description": "Arbitrary group names that are allowed to consume the Service or Route. One of `config.allow` or `config.deny` must be specified.", + "examples": [ + [ + "group1", + "group2" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "deny": { + "description": "Arbitrary group names that are not allowed to consume the Service or Route. One of `config.allow` or `config.deny` must be specified.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "hide_groups_header": { + "default": false, + "description": "Flag that if enabled (`true`), prevents the `X-Consumer-Groups` header to be sent in the request to the Upstream service.", + "examples": [ + true + ], + "type": "boolean" + } + }, + "required": [ + + ], + "shorthand_fields": { + "blacklist": { + "items": { + "is_regex": true, + "type": "string" + }, + "type": "array" + }, + "whitelist": { + "items": { + "is_regex": true, + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/acme/2.8.json b/json_schemas/acme/2.8.json new file mode 100644 index 00000000..5fae69d7 --- /dev/null +++ b/json_schemas/acme/2.8.json 
@@ -0,0 +1,272 @@ +{ + "properties": { + "config": { + "properties": { + "account_email": { + "description": "The account identifier. Can be reused in a different plugin instance.", + "examples": [ + "example@example.com" + ], + "pattern": "[a-zA-Z0-9]*[!-/:-@[-`{-~]*@+[a-zA-Z0-9]*%.?[a-zA-Z0-9]*", + "type": "string" + }, + "allow_any_domain": { + "default": false, + "type": "boolean" + }, + "api_uri": { + "default": "https://acme-v02.api.letsencrypt.org/directory", + "description": "The ACMEv2 API endpoint to use. You can specify the [Let's Encrypt staging environment](https://letsencrypt.org/docs/staging-environment/) for testing. Kong doesn't automatically delete staging certificates. If you use the same domain in test and production environments, you need to manually delete those certificates after testing.", + "type": "string" + }, + "cert_type": { + "default": "rsa", + "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate.", + "enum": [ + "ecc", + "rsa" + ], + "type": "string" + }, + "domains": { + "description": "The list of domains to create certificates for. To match subdomains under `example.com`, use `*.example.com`.\nRegex pattern is not supported.\n\nThis parameter is only used to match domains, not to specify the Common Name\nor Subject Alternative Name to create certificates. Each domain must have its own certificate.\nThe ACME plugin checks this configuration before checking any certificate in `storage` when serving the certificate of a request.\n\nIf this field is left empty, all top-level domains (TLDs) are allowed.", + "items": { + "match_all": { + "pattern": "^[^*]*%*?[^*]*$" + }, + "match_any": { + "patterns": [ + "%.%*$", + "^%*%.", + "^[^*]*$" + ] + }, + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "eab_hmac_key": { + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. 
You usually don't need to set this unless it is explicitly required by the CA.", + "type": "string" + }, + "eab_kid": { + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", + "type": "string" + }, + "fail_backoff_minutes": { + "default": 5, + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", + "type": "number" + }, + "preferred_chain": { + "type": "string" + }, + "renew_threshold_days": { + "default": 14, + "description": " Days remaining to renew the certificate before it expires.", + "type": "number" + }, + "rsa_key_size": { + "default": 4096, + "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", + "enum": [ + 2048, + 3072, + 4096 + ], + "type": "integer" + }, + "storage": { + "default": "shm", + "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. 
Please refer to the Hybrid Mode sections below as well.", + "enum": [ + "consul", + "kong", + "redis", + "shm", + "vault" + ], + "type": "string" + }, + "storage_config": { + "properties": { + "consul": { + "properties": { + "host": { + "type": "string" + }, + "https": { + "default": false, + "type": "boolean" + }, + "kv_path": { + "type": "string" + }, + "port": { + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "type": "number" + }, + "token": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "kong": { + "additionalProperties": true, + "properties": { + }, + "required": [ + + ], + "type": "object" + }, + "redis": { + "properties": { + "auth": { + "type": "string" + }, + "database": { + "type": "number" + }, + "host": { + "type": "string" + }, + "port": { + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "shm": { + "properties": { + "shm_name": { + "default": "kong", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "vault": { + "properties": { + "auth_method": { + "type": "string" + }, + "auth_path": { + "type": "string" + }, + "auth_role": { + "type": "string" + }, + "host": { + "type": "string" + }, + "https": { + "default": false, + "type": "boolean" + }, + "jwt_path": { + "type": "string" + }, + "kv_path": { + "type": "string" + }, + "port": { + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "type": "number" + }, + "tls_server_name": { + "type": "string" + }, + "tls_verify": { + "default": true, + "type": "boolean" + }, + "token": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "tos_accepted": { + "default": false, + "description": "If you are using Let's Encrypt, you must set this to `true` to agree the [Terms of Service](https://letsencrypt.org/repository/).", + "type": "boolean" + } + }, + "required": 
[ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/application-registration/2.8.json b/json_schemas/application-registration/2.8.json new file mode 100644 index 00000000..fe9da919 --- /dev/null +++ b/json_schemas/application-registration/2.8.json 
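Review bot: The `pattern` on `config.account_email` is a Lua pattern written into a keyword that JSON Schema defines as an ECMA-262 regular expression, so `%.?` is read as a literal `%` followed by an optional arbitrary character, and the schema's own example `example@example.com` does not match. The conversion should translate Lua escapes before writing `pattern` (here `%.?` becomes `\\.?` in the JSON string) and anchor the expression with `^` and `$` if a full match is intended. Under `config.domains.items`, `match_all` and `match_any` are not JSON Schema keywords and also hold Lua patterns, so a standard validator does not enforce the wildcard rules they describe. Since the file is pulled from the API, the fix probably belongs in the export step and not in this file.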
@@ -0,0 +1,80 @@ +{ + "properties": { + "config": { + "properties": { + "auto_approve": { + "default": false, + "description": "If enabled, all new Service Contracts requests are automatically\napproved. See [Enable automatic registration approval](#enable-automatic-registration-approval). Otherwise, Dev Portal admins must manually approve requests.", + "examples": [ + false + ], + "type": "boolean" + }, + "description": { + "description": "Unique description displayed in information about a Service in the Developer Portal.", + "examples": [ + "" + ], + "type": "string" + }, + "display_name": { + "description": "Unique display name used for a Service in the Developer Portal.", + "examples": [ + "" + ], + "type": "string" + }, + "show_issuer": { + "default": false, + "description": "Displays the **Issuer URL** in the **Service Details** dialog.", + "examples": [ + false + ], + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ] +} \ No newline at end of file 
diff --git a/json_schemas/aws-lambda/2.8.json b/json_schemas/aws-lambda/2.8.json new file mode 100644 index 00000000..5869617d --- /dev/null +++ b/json_schemas/aws-lambda/2.8.json 
@@ -0,0 +1,235 @@ +{ + "properties": { + "config": { + "properties": { + "aws_assume_role_arn": { + "description": "The target AWS IAM role ARN used to invoke the Lambda function. Typically this is\nused for a cross-account Lambda function invocation.", + "examples": [ + "" + ], + "type": "string" + }, + "aws_key": { + "description": "The AWS key credential to be used when invoking the function. The `aws_key` value is required\nif `aws_secret` is defined. If `aws_key` and `aws_secret` are not set, the plugin uses an\nIAM role inherited from the instance running Kong to authenticate. Can be symmetrically encrypted\nif using Kong Gateway and [data encryption](/gateway/latest/kong-production/db-encryption/)\nis configured.", + "examples": [ + "" + ], + "type": "string" + }, + "aws_region": { + "description": "The AWS region where the Lambda function is located. The plugin does not\nattempt to validate the supplied region name. If an invalid region name\nis provided, the plugin responds with an HTTP `500 Internal Server Error`\nat runtime and logs a DNS resolution failure.\n\nThe plugin will automatically\ndetect the AWS region on runtime via `AWS_REGION` or `AWS_DEFAULT_REGION` environment\nvariables when neither `aws_region` nor `host` is specified in plugin configuration.\nUsing environment variables enables regionally distributed Kong cluster nodes\nto connect to the closest AWS region. If `aws_region`, `host` and environment\nvariables have not been specified, the plugin responds with an HTTP\n`500 Internal Server Error` at run-time.", + "examples": [ + "" + ], + "type": "string" + }, + "aws_role_session_name": { + "default": "kong", + "description": "The identifier of the assumed role session. It is used for uniquely identifying\na session when the same target role is assumed by different principals or\nfor different reasons. 
The role session name is also used in the ARN of the assumed role principle.", + "examples": [ + "" + ], + "type": "string" + }, + "aws_secret": { + "description": "The AWS secret credential to be used when invoking the function. The `aws_secret` value is required\nif `aws_key` is defined. If `aws_key` and `aws_secret` are not set, the plugin uses an\nIAM role inherited from the instance running Kong to authenticate. Can be symmetrically encrypted\nif using Kong Gateway and [data encryption](/gateway/latest/kong-production/db-encryption/)\nis configured.", + "examples": [ + "" + ], + "type": "string" + }, + "awsgateway_compatible": { + "default": false, + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", + "type": "boolean" + }, + "base64_encode_body": { + "default": true, + "type": "boolean" + }, + "forward_request_body": { + "default": false, + "description": "An optional value that defines whether the request body is sent in the `request_body` field of the JSON-encoded request.\nIf the body arguments can be parsed, they are sent in the separate `request_body_args` field of the request.\nThe body arguments can be parsed for `application/json`, `application/x-www-form-urlencoded`, and `multipart/form-data` content types.", + "type": "boolean" + }, + "forward_request_headers": { + "default": false, + "description": "An optional value that defines whether the original HTTP request headers are\nsent as a map in the `request_headers` field of the JSON-encoded request.", + "type": "boolean" + }, + "forward_request_method": { + "default": false, + "description": "An optional value that defines whether the original HTTP request method verb is\nsent in the `request_method` field of the JSON-encoded request.", + "type": "boolean" + }, + "forward_request_uri": { + "default": false, + "description": "An optional value that defines whether the original HTTP request URI is sent in\nthe `request_uri` field of 
the JSON-encoded request. Request URI arguments (if any) are sent in\nthe separate `request_uri_args` field of the JSON body.", + "type": "boolean" + }, + "function_name": { + "description": "The AWS Lambda function name to invoke. This may contain\nthe function name only (`my-function`), the full ARN\n(arn:aws:lambda:us-west-2:123456789012:function:my-function) or a\npartial ARN (123456789012:function:my-function). You can also append a version\nnumber or alias to any of the formats.", + "examples": [ + "" + ], + "type": "string" + }, + "host": { + "description": "The host where the Lambda function is located. This value can point to a\nlocal Lambda server, allowing for easier debugging.\n\nEither `aws_region` or `host` must be provided.", + "type": "string" + }, + "invocation_type": { + "default": "RequestResponse", + "description": "The [`InvocationType`](http://docs.aws.amazon.com/lambda/latest/dg/API_Invoke.html#API_Invoke_RequestSyntax) to use when invoking the function. Available types are `RequestResponse`, `Event`, `DryRun`.", + "enum": [ + "DryRun", + "Event", + "RequestResponse" + ], + "type": "string" + }, + "is_proxy_integration": { + "default": false, + "description": "An optional value that defines whether the response format to receive from the Lambda to\n[this format](https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html#api-gateway-simple-proxy-for-lambda-output-format).", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "number" + }, + "log_type": { + "default": "Tail", + "enum": [ + "None", + "Tail" + ], + "type": "string" + }, + "port": { + "default": 443, + "description": "The TCP port that the plugin uses to connect to the server.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "proxy_scheme": { + "description": "{:.important}\n> As of 
Kong Gateway 2.8.0.0, this parameter is deprecated.\n>

\n> If running Kong Gateway 2.7.x or earlier, the\n`proxy_scheme` value is required if `proxy_url` is defined. In 2.8.x or\nlater versions, `proxy_scheme` is not required.\n\nAn optional value that defines which HTTP scheme to use for connecting through the proxy server. The\nsupported schemes are `http` and `https`.", + "enum": [ + "http", + "https" + ], + "type": "string" + }, + "proxy_url": { + "description": "An optional value that defines whether the plugin should connect through\nthe given proxy server URL. Include the request scheme in the URL, which\nmust be `http`. For example: `http://my-proxy-server:3128`.\n\nKong Gateway uses HTTP tunneling via the [CONNECT HTTP](https://httpwg.org/specs/rfc7231.html#CONNECT)\nmethod so that no details of the AWS Lambda request are leaked to the proxy server.", + "examples": [ + "http://my-proxy-server:3128" + ], + "type": "string" + }, + "qualifier": { + "description": "The [`Qualifier`](http://docs.aws.amazon.com/lambda/latest/dg/API_Invoke.html#API_Invoke_RequestSyntax) to use when invoking the function.", + "type": "string" + }, + "skip_large_bodies": { + "default": true, + "description": "An optional value that defines whether Kong should send large\nbodies that are buffered to disk. Note that enabling this option will have an impact\non system memory depending on the number of requests simultaneously in flight at any given point in time\nand on the maximum size of each request. Also this option blocks all requests being handled by the\nnginx workers. That could be tens of thousands of other transactions that are not being processed. For small I/O\noperations, such a delay would generally not be problematic. In cases where the body size is in the order of MB,\nsuch a delay would cause notable interruptions in request processing. 
Given all of the potential\ndownsides resulting from enabling this option, consider increasing the\n[client_body_buffer_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size)\nvalue instead.", + "type": "boolean" + }, + "timeout": { + "default": 60000, + "description": "An optional timeout in milliseconds when invoking the function.", + "type": "number" + }, + "unhandled_status": { + "description": "The response status code to use (instead of the default `200`, `202`, or `204`) in the case of an\n[`Unhandled` Function Error](https://docs.aws.amazon.com/lambda/latest/dg/API_Invoke.html#API_Invoke_ResponseSyntax).", + "maximum": 999, + "minimum": 100, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/azure-functions/2.8.json b/json_schemas/azure-functions/2.8.json new file mode 100644 index 00000000..8ae58938 --- /dev/null +++ b/json_schemas/azure-functions/2.8.json 
@@ -0,0 +1,125 @@ +{ + "properties": { + "config": { + "properties": { + "apikey": { + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", + "examples": [ + "" + ], + "type": "string" + }, + "appname": { + "description": "The Azure app name.", + "examples": [ + "" + ], + "type": "string" + }, + "clientid": { + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.", + "type": "string" + }, + "functionname": { + "description": "Name of the Azure function to invoke.", + "examples": [ + "" + ], + "type": "string" + }, + "hostdomain": { + "default": "azurewebsites.net", + "description": "The domain where the function resides.", + "examples": [ + "azurewebsites.net" + ], + "type": "string" + }, + "https": { + "default": true, + "description": "Use of HTTPS to connect with the Azure Functions server.", + "type": "boolean" + }, + "https_verify": { + "default": false, + "description": "Set to `true` to authenticate the Azure Functions server.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", + "type": "number" + }, + "routeprefix": { + "default": "api", + "description": "Route prefix to use.", + "type": "string" + }, + "timeout": { + "default": 600000, + "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/basic-auth/2.8.json b/json_schemas/basic-auth/2.8.json new file mode 100644 index 00000000..fa36a1a9 --- /dev/null +++ b/json_schemas/basic-auth/2.8.json 
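Review bot: `config.https_verify` defaults to `false` while `config.https` defaults to `true`, and `config.apikey` is described as being injected as the `x-functions-key` header. Read together, the defaults appear to send the key over TLS without checking the server certificate. The `https_verify` description should say what the default means, for example by appending `When false (the default), the server certificate is not verified.`, assuming that matches the plugin's behaviour. Deployments that set `apikey` or `clientid` would want `https_verify` set to `true` explicitly.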
@@ -0,0 +1,88 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID) value to use as an anonymous consumer if authentication fails.\nIf empty (default), the request will fail with an authentication failure `4xx`. Note that this value\nmust refer to the consumer `id` attribute that is internal to Kong, and **not** its `custom_id`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", + "examples": [ + true + ], + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/bot-detection/2.8.json b/json_schemas/bot-detection/2.8.json new file mode 100644 index 00000000..6dbbea2f --- /dev/null +++ b/json_schemas/bot-detection/2.8.json 
@@ -0,0 +1,125 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "default": [ + + ], + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", + "items": { + "is_regex": true, + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "deny": { + "default": [ + + ], + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", + "examples": [ + [ + "helloworld" + ] + ], + "items": { + "is_regex": true, + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "shorthand_fields": { + "blacklist": { + "items": { + "is_regex": true, + "type": "string" + }, + "type": "array" + }, + "whitelist": { + "items": { + "is_regex": true, + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/canary/2.8.json b/json_schemas/canary/2.8.json new file mode 100644 index 00000000..61c8f82c --- /dev/null +++ b/json_schemas/canary/2.8.json 
@@ -0,0 +1,140 @@ +{ + "properties": { + "config": { + "properties": { + "canary_by_header_name": { + "description": "Header name that, when present on a request, overrides the configured canary\nfunctionality.\n\n* If the configured header is present with the value `always`, the request will\nalways go to the canary upstream.\n* If the header is present with the value `never`, the request will never go to the\ncanary upstream.\n\nFor all other values, the configured canary rules will be applied.", + "type": "string" + }, + "duration": { + "default": 3600, + "description": "The duration of the transition in seconds. Ignored when `percentage` is set, or\nwhen using `allow` or `deny` in `hash`.", + "minimum": 0, + "type": "number" + }, + "groups": { + "description": "An array of strings with the group names that are allowed or denied. Set `hash` to either `allow` (the listed groups\ngo into the canary) or `deny` (the listed groups will NOT go into the canary.)", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "hash": { + "default": "consumer", + "description": "Entity to be used for hashing. Options: `consumer`, `ip`, `header`, `allow`, `deny`, or `none`.\nWhen using `consumer` or `ip`, make sure to properly set the settings for trusted IPs\n(see the `trusted_ips` and `real_ip_header` settings in the Kong configuration file.)", + "enum": [ + "allow", + "consumer", + "deny", + "header", + "ip", + "none" + ], + "type": "string" + }, + "hash_header": { + "description": "Header name whose value will be used as hash input. Required if `config.hash` is set to `header`.", + "type": "string" + }, + "percentage": { + "description": "Fixed percentage of traffic to be routed to new target, if given overrides `start` and `duration`. 
The\nvalue must be between 0 and 100.", + "examples": [ + 50 + ], + "maximum": 100, + "minimum": 0, + "type": "number" + }, + "start": { + "description": "Future time in seconds since epoch, when the canary release will start.\nIgnored when `percentage` is set, or when using `allow` or `deny` in `hash`.", + "type": "number" + }, + "steps": { + "default": 1000, + "description": "Number of steps the release should be broken into.", + "minimum": 1, + "type": "number" + }, + "upstream_fallback": { + "default": false, + "type": "boolean" + }, + "upstream_host": { + "description": "The target hostname where traffic will be routed. Required if `upstream_uri` and `upstream_port` are not set.", + "examples": [ + "example.com" + ], + "type": "string" + }, + "upstream_port": { + "description": "The target port where traffic will be routed. Required if `upstream_uri` and `upstream_host` are not set.\nMust be a value between 0 and 65535.", + "examples": [ + 80 + ], + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "upstream_uri": { + "description": "The Upstream URI where traffic will be routed. Required if `upstream_port` and `upstream_host` are not set.", + "minLength": 1, + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "hash": { + "type": "string" + } + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/correlation-id/2.8.json b/json_schemas/correlation-id/2.8.json new file mode 100644 index 00000000..e9827c83 --- /dev/null +++ b/json_schemas/correlation-id/2.8.json 
@@ -0,0 +1,118 @@ +{ + "properties": { + "config": { + "properties": { + "echo_downstream": { + "default": false, + "description": "Whether to echo the header back to downstream (the client).", + "examples": [ + false + ], + "type": "boolean" + }, + "generator": { + "default": "uuid#counter", + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", + "enum": [ + "tracker", + "uuid", + "uuid#counter" + ], + "examples": [ + "uuid#counter" + ], + "type": "string" + }, + "header_name": { + "default": "Kong-Request-ID", + "description": "The HTTP header name to use for the correlation ID.", + "examples": [ + "Kong-Request-ID" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/cors/2.8.json b/json_schemas/cors/2.8.json new file mode 100644 index 00000000..a637af87 --- /dev/null +++ b/json_schemas/cors/2.8.json 
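Review bot: The `consumer` description in this new schema is missing its noun: "requests where the specified has been authenticated" should read `requests where the specified Consumer has been authenticated`. The same sentence is repeated in the `consumer` blocks of the datadog, degraphql, exit-transformer, file-log, forward-proxy and graphql-proxy-cache-advanced schemas added below. Because these files are pulled from the API, the wording is best fixed in the source description so the next download does not restore it.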
@@ -0,0 +1,186 @@ +{ + "properties": { + "config": { + "properties": { + "credentials": { + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", + "examples": [ + true + ], + "type": "boolean" + }, + "exposed_headers": { + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", + "examples": [ + [ + "X-Auth-Token" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "description": "Value for the `Access-Control-Allow-Headers` header.", + "examples": [ + [ + "Accept", + "Accept-Version", + "Content-Length", + "Content-MD5", + "Content-Type", + "Date", + "X-Auth-Token" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "max_age": { + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`.", + "examples": [ + 3600 + ], + "type": "number" + }, + "methods": { + "default": [ + "CONNECT", + "DELETE", + "GET", + "HEAD", + "OPTIONS", + "PATCH", + "POST", + "PUT", + "TRACE" + ], + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", + "examples": [ + [ + "GET", + "POST" + ] + ], + "items": { + "enum": [ + "CONNECT", + "DELETE", + "GET", + "HEAD", + "OPTIONS", + "PATCH", + "POST", + "PUT", + "TRACE" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "origins": { + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. 
The accepted values can either be flat strings or PCRE regexes.", + "examples": [ + [ + "http://mockbin.com" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "preflight_continue": { + "default": false, + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "minLength": 1, + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/datadog/2.8.json b/json_schemas/datadog/2.8.json new file mode 100644 index 00000000..2e413c54 --- /dev/null +++ b/json_schemas/datadog/2.8.json 
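Review bot: The `origins` description says entries may be "flat strings or PCRE regexes" but does not say how a value is classified or whether a regex has to match the whole `Origin` value. An unanchored or unescaped pattern in an allow-list is a common way for a CORS policy to admit more origins than intended, so the description should state the matching rule and the example should show an anchored form with the dots escaped. Separately, the `methods` description is wrapped in stray single quotes (`'Value for ... allowed.'`), which look like leftover quoting from the source file.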
@@ -0,0 +1,201 @@ +{ + "properties": { + "config": { + "properties": { + "consumer_tag": { + "default": "consumer", + "description": "String to be attached as tag of the consumer.", + "type": "string" + }, + "host": { + "default": "localhost", + "description": "The IP address or hostname to send data to.", + "examples": [ + "127.0.0.1" + ], + "type": "string" + }, + "metrics": { + "default": [ + { + "consumer_identifier": "custom_id", + "name": "kong_latency", + "sample_rate": 1, + "stat_type": "timer", + "tags": [ + "app:kong" + ] + } + ], + "description": "List of metrics to be logged. Available values are described at [Metrics](#metrics).\nBy default, the plugin logs all available metrics. If you specify an array of metrics,\nonly the listed metrics are logged.", + "items": { + "properties": { + "consumer_identifier": { + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "enum": [ + "kong_latency", + "latency", + "request_count", + "request_size", + "response_size", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "stat_type": { + "enum": [ + "counter", + "distribution", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + }, + "tags": { + "items": { + "pattern": "^.*[^:]$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "name", + "stat_type" + ], + "type": "object" + }, + "type": "array" + }, + "port": { + "default": 8125, + "description": "The port to send data to on the upstream server.", + "examples": [ + 8125 + ], + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to be attached as a prefix to a metric's name.", + "type": "string" + }, + "service_name_tag": { + "default": "name", + "description": "String to be attached as the name of the service.", + "type": "string" + }, + "status_tag": { + 
"default": "status", + "description": "String to be attached as the tag of the HTTP status.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/degraphql/2.8.json b/json_schemas/degraphql/2.8.json new file mode 100644 index 00000000..6dde9831 --- /dev/null +++ b/json_schemas/degraphql/2.8.json 
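Review bot: The `metrics` description and its `default` disagree: the text says "By default, the plugin logs all available metrics", while the `default` array holds a single entry for `kong_latency`. Readers who rely on this schema to know what is emitted when `metrics` is omitted get two different answers; it looks as though the exported default was cut down to its first element, but that cannot be confirmed from this hunk. Either list every default metric in `default` or reword the description to match.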
@@ -0,0 +1,68 @@ +{ + "properties": { + "config": { + "additionalProperties": true, + "properties": { + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/exit-transformer/2.8.json b/json_schemas/exit-transformer/2.8.json new file mode 100644 index 00000000..06e9af14 --- /dev/null +++ b/json_schemas/exit-transformer/2.8.json 
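Review bot: `config` is declared with `"additionalProperties": true` and an empty `properties` object, so any configuration passes validation against this schema. If the plugin really takes no settings, `"additionalProperties": false` would reject typos and stray fields, as the sibling `consumer`, `route` and `service` objects already do. If it does take settings, they are missing from the export and should be listed.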
@@ -0,0 +1,92 @@ +{ + "properties": { + "config": { + "properties": { + "functions": { + "description": "Array of functions used to transform any Kong proxy exit response.", + "examples": [ + [ + "return function(status, body, header) return status, body, headers end" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "handle_unexpected": { + "default": false, + "description": "Allow transform to apply to unexpected request (400) responses.", + "type": "boolean" + }, + "handle_unknown": { + "default": false, + "description": "Allow transform to apply to unmatched Service, Route, or Workspace (404) responses.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/file-log/2.8.json b/json_schemas/file-log/2.8.json new file mode 100644 index 00000000..38c1e50f --- /dev/null +++ b/json_schemas/file-log/2.8.json 
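Review bot: The `functions` example names its third parameter `header` but returns `headers`, so copied as written it returns an undefined name in place of the headers it was given; the example should read `return function(status, body, headers) return status, body, headers end`. Each string appears to be Lua source that the gateway evaluates, and the description does not say so. It would help to state that, and that write access to this field should be limited to whoever is trusted to run code in the proxy.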
@@ -0,0 +1,111 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "A list of key-value pairs, where the key is the name of a log field and\nthe value is a chunk of Lua code, whose return value sets or replaces\nthe log field value. Requires Kong 2.4.x or above.", + "type": "object" + }, + "path": { + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet. Make sure Kong has write permissions to this file.", + "examples": [ + "/tmp/file.log" + ], + "pattern": "^[^*&%%\\`]+$", + "type": "string" + }, + "reopen": { + "default": false, + "description": "Determines whether the log file is closed and reopened on every request. If the file\nis not reopened, and has been removed/rotated, the plugin keeps writing to the\nstale file descriptor, and hence loses information.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/forward-proxy/2.8.json b/json_schemas/forward-proxy/2.8.json new file mode 100644 index 00000000..ea31543e --- /dev/null +++ b/json_schemas/forward-proxy/2.8.json 
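Review bot: The `path` pattern carries a doubled `%` and a backslash-escaped backtick, which reads like a Lua pattern copied verbatim into a JSON Schema regex. If so, the two do not mean the same thing: in a Lua pattern `%%` is one literal percent and a backslash is an ordinary excluded character, whereas in an ECMA-262 regex the backslash only escapes the backtick, so a path containing a backslash passes this schema. Writing the class with a single `%` and an explicit escaped backslash (`\\\\` in the JSON source) would keep the two in step. The pattern is also only a character denylist and does not confine the log to a directory, which the description could state.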
@@ -0,0 +1,134 @@ +{ + "properties": { + "config": { + "properties": { + "auth_password": { + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "examples": [ + "example_pass" + ], + "type": "string" + }, + "auth_username": { + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "examples": [ + "example_user" + ], + "type": "string" + }, + "http_proxy_host": { + "description": "The HTTP hostname or IP address of the forward proxy to which to connect.\n Required if `http_proxy_port` is set.\n\nAt least one of `http_proxy_host` or `https_proxy_host` must be specified.\n\nIf `http_proxy_host` isn't set, the plugin falls back to the value\nconfigured in `https_proxy_host`.", + "examples": [ + "example.com" + ], + "type": "string" + }, + "http_proxy_port": { + "description": "The TCP port of the HTTP forward proxy to which to connect.\nRequired if `http_proxy_host` is set.\n\nAt least one of `http_proxy_port` or `https_proxy_port` must be specified.\n\nIf `http_proxy_port` isn't set, the plugin falls back to the value\nconfigured in `https_proxy_port`.", + "examples": [ + 80 + ], + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_proxy_host": { + "description": "The HTTPS hostname or IP address of the forward proxy to which to connect.\nRequired if `https_proxy_port` is set.\n\nAt least one of `http_proxy_host` or `https_proxy_host` must be specified.\n\nIf `https_proxy_host` isn't set, the plugin falls back to the value\nconfigured in `http_proxy_host`.", + "type": "string" + }, + "https_proxy_port": { + "description": "The TCP port of the HTTPS forward proxy to which to connect.\nRequired if `https_proxy_host` is set.\n\nAt least one of `http_proxy_port` or `https_proxy_port` must be specified.\n\nIf `https_proxy_port` isn't set, the plugin falls back to the value\nconfigured in `http_proxy_port`.", + "maximum": 65535, + 
"minimum": 0, + "type": "integer" + }, + "https_verify": { + "default": false, + "description": "Whether the server certificate will be verified according to the CA certificates\nspecified in\n[lua_ssl_trusted_certificate](https://www.nginx.com/resources/wiki/modules/lua/#lua-ssl-trusted-certificate).", + "examples": [ + false + ], + "type": "boolean" + }, + "proxy_scheme": { + "default": "http", + "description": "The proxy scheme to use when connecting. Only `http` is supported.", + "enum": [ + "http" + ], + "examples": [ + "http" + ], + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "proxy_host": { + "type": "string" + }, + "proxy_port": { + "type": "integer" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/graphql-proxy-cache-advanced/2.8.json b/json_schemas/graphql-proxy-cache-advanced/2.8.json new file mode 100644 index 00000000..af8cce11 --- /dev/null +++ b/json_schemas/graphql-proxy-cache-advanced/2.8.json 
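Review bot: `https_verify` defaults to `false` and its only example is also `false`, so a configuration built from this schema leaves the server certificate unverified unless the operator knows to change it. The description should say so, for instance by appending `With the default of false the certificate is not checked; set it to true and configure the trusted CA certificates.`, and the example should show `true`. `auth_password` is likewise a plain string with no note on keeping the real value out of committed configuration.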
@@ -0,0 +1,107 @@ +{ + "properties": { + "config": { + "properties": { + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "minimum": 0, + "type": "integer" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note\n that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "strategy": { + "default": "memory", + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", + "enum": [ + "memory" + ], + "examples": [ + "memory" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/graphql-rate-limiting-advanced/2.8.json b/json_schemas/graphql-rate-limiting-advanced/2.8.json new file mode 100644 index 00000000..fe0ea1aa --- /dev/null +++ b/json_schemas/graphql-rate-limiting-advanced/2.8.json 
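Review bot: `cache_ttl` is described as "Must be a value greater than 0" but the constraint is `"minimum": 0`, so a TTL of 0 validates. Since the field is an integer, `"minimum": 1` would express the documented rule without depending on the schema dialect; if the plugin does accept 0, the description should change instead. The `vary_headers` text says no headers are considered for the cache key when it is unset. How the key is built is not visible in this hunk, but if nothing else in the key distinguishes callers, responses that differ by a header such as `Authorization` would share an entry, and the description should tell operators to list those headers.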
@@ -0,0 +1,294 @@ +{ + "properties": { + "config": { + "properties": { + "cost_strategy": { + "default": "default", + "description": "Strategy to use to evaluate query costs. Either `default` or\n`node_quantifier`. See [default](/hub/kong-inc/graphql-rate-limiting-advanced/#default) and\n[node_quantifier](/hub/kong-inc/graphql-rate-limiting-advanced/#node_quantifier) respectively.", + "enum": [ + "default", + "node_quantifier" + ], + "type": "string" + }, + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters will be stored until the next sync cycle.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers. Available options: `true` or `false`.", + "type": "boolean" + }, + "identifier": { + "default": "consumer", + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", + "enum": [ + "consumer", + "credential", + "ip" + ], + "type": "string" + }, + "limit": { + "description": "One or more requests-per-window limits to apply.", + "examples": [ + [ + 5 + ] + ], + "items": { + "required": [ + + ], + "type": "number" + }, + "type": "array" + }, + "max_cost": { + "default": 0, + "description": "A defined maximum cost per query. 0 means unlimited.", + "type": "number" + }, + "namespace": { + "description": "The rate limiting library namespace to use for this plugin instance. Counter\ndata and sync configuration is shared in a namespace.\n\n{:.important}\n> **Important**: If managing Kong Gateway with **declarative configuration** or running\nKong Gateway in **DB-less mode**, set the `namespace` explicitly in your declarative configuration.\n>

\n> If not set, you will run into the following issues:\n* In DB-less mode, this field will be regenerated automatically on every configuration change.\n* If applying declarative configuration with decK, decK will automatically fail the update and require a\n`namespace` value.", + "examples": [ + "example_namespace" + ], + "type": "string" + }, + "redis": { + "properties": { + "cluster_addresses": { + "description": "Cluster addresses to use for Redis connection when the `redis` strategy is defined. Defining this value implies using Redis cluster.", + "items": { + "required": [ + + ], + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "database": { + "default": 0, + "description": "Database to use for Redis connection when the `redis` strategy is defined.", + "type": "integer" + }, + "host": { + "description": "Host to use for Redis connection when the `redis` strategy is defined.", + "type": "string" + }, + "keepalive_backlog": { + "description": "If specified, limits the total number of opened connections for a pool. If the\nconnection pool is full, all connection queues beyond the maximum limit go into\nthe backlog queue. Once the backlog queue is full, subsequent connect operations\nwill fail and return `nil`. Queued connect operations resume once the number of\nconnections in the pool is less than `keepalive_pool_size`. Note that queued\nconnect operations are subject to set timeouts.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 30, + "description": "The size limit for every cosocket connection pool associated with every remote\nserver, per worker process. If no `keepalive_pool_size` is specified and no `keepalive_backlog`\nis specified, no pool is created. 
If no `keepalive_pool_size` is specified and `keepalive_backlog`\nis specified, then the pool uses the default value `30`.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connection when the `redis` strategy is defined.\nIf undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "Port to use for Redis connection when the `redis` strategy is defined.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_addresses": { + "description": "Sentinel addresses to use for Redis connection when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "items": { + "required": [ + + ], + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connection when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_password": { + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connection when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance.\nIf undefined, ACL authentication will not be performed. 
This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "Specifies the server name for the new TLS extension Server Name Indication (SNI) when connecting over SSL.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, then uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, then verifies the validity of the server SSL certificate. Note that you need to configure the\n[lua_ssl_trusted_certificate](/gateway/latest/reference/configuration/#lua_ssl_trusted_certificate)\nto specify the CA (or server) certificate used by your redis server. You may also need to configure\n[lua_ssl_verify_depth](/gateway/latest/reference/configuration/#lua_ssl_verify_depth) accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "Connection timeout (in milliseconds) to use for Redis connection when the `redis` strategy is defined.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connection when the `redis` strategy is defined and ACL authentication is desired.\nIf undefined, ACL authentication will not be performed.\n\nThis requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "score_factor": { + "default": 1, + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", + "minimum": 0, + "type": "number" + }, + "strategy": { + "default": "cluster", + "description": "The rate-limiting strategy to use for retrieving and incrementing the\nlimits. 
Available values are:\n- `cluster`: Counters are stored in the Kong datastore and shared across\nthe nodes.\n- `redis`: Counters are stored on a Redis server and shared\nacross the nodes.\n\nIn DB-less and hybrid modes, the `cluster` config strategy is not\nsupported.\n\n{:.important}\n> There is no local storage strategy. However, you can achieve local\nrate limiting by using a placeholder `strategy` value (either `cluster` or `redis`)\nand a `sync_rate` of `-1`. This setting stores counters in-memory on the\nnode.\n

If using `redis` as the placeholder value, you must fill in all\nadditional `redis` configuration parameters with placeholder values.\n\nFor details on which strategy should be used, refer to the\n[implementation considerations](/hub/kong-inc/rate-limiting/#implementation-considerations).", + "enum": [ + "cluster", + "redis" + ], + "examples": [ + "cluster" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0\nresults in synchronous behavior; a value of -1 ignores sync behavior\nentirely and only stores counters in node memory. A value greater than\n0 syncs the counters in that many number of seconds.", + "examples": [ + -1 + ], + "type": "number" + }, + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds).", + "examples": [ + [ + 30 + ] + ], + "items": { + "required": [ + + ], + "type": "number" + }, + "type": "array" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window to either `sliding` or `fixed`.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/grpc-gateway/2.8.json b/json_schemas/grpc-gateway/2.8.json new file mode 100644 index 00000000..b3a597b5 --- /dev/null +++ b/json_schemas/grpc-gateway/2.8.json 
@@ -0,0 +1,74 @@ +{ + "properties": { + "config": { + "properties": { + "proto": { + "description": "Describes the gRPC types and methods.\n[HTTP configuration](https://github.com/googleapis/googleapis/blob/fc37c47e70b83c1cc5cc1616c9a307c4303fe789/google/api/http.proto)\nmust be defined in the file.", + "examples": [ + "path/to/hello.proto" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/grpc-web/2.8.json b/json_schemas/grpc-web/2.8.json new file mode 100644 index 00000000..56a2d422 --- /dev/null +++ b/json_schemas/grpc-web/2.8.json 
@@ -0,0 +1,83 @@ +{ + "properties": { + "config": { + "properties": { + "allow_origin_header": { + "default": "*", + "description": "The value of the `Access-Control-Allow-Origin` header in the response to\nthe gRPC-Web client. The default of `*` is appropriate for requests without\ncredentials. In other cases, specify the allowed origins of the client code.\nFor more information, see [MDN Web Docs - Access-Control-Allow-Origin](https://developer.mozilla.org/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).", + "type": "string" + }, + "pass_stripped_path": { + "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service (see the `strip_path` Route attribute).", + "type": "boolean" + }, + "proto": { + "description": "If present, describes the gRPC types and methods.\nRequired to support payload transcoding. When absent, the\nweb client must use application/grpw-web+proto content.", + "examples": [ + "path/to/hello.proto" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/hmac-auth/2.8.json b/json_schemas/hmac-auth/2.8.json new file mode 100644 index 00000000..f8214fb6 --- /dev/null +++ b/json_schemas/hmac-auth/2.8.json 
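Review bot: The `proto` description in the grpc-web schema gives the content type as `application/grpw-web+proto`, which looks like a typo for `application/grpc-web+proto`. A reader who copies it into a client would send a content type the plugin presumably does not recognise. I would change the sentence to `When absent, the web client must use application/grpc-web+proto content.` The commit message says these files are pulled from the API, so the wording likely has to be corrected in the plugin schema source as well.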
@@ -0,0 +1,134 @@ +{ + "properties": { + "config": { + "properties": { + "algorithms": { + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", + "items": { + "enum": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "anonymous": { + "description": "An optional string (consumer UUID) value to use as an anonymous consumer if authentication fails.\nIf empty (default), the request will fail with an authentication failure `4xx`. Note that this value\nmust refer to the consumer `id` attribute that is internal to Kong Gateway, and **not** its `custom_id`.", + "type": "string" + }, + "clock_skew": { + "default": 300, + "description": "[Clock Skew](https://tools.ietf.org/html/draft-cavage-http-signatures-00#section-3.4) in seconds to prevent replay attacks.", + "minimum": 0, + "type": "number" + }, + "enforce_headers": { + "default": [ + + ], + "description": "A list of headers that the client should at least use for HTTP signature creation.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e. 
the `Authorization` header) before proxying it.", + "examples": [ + false + ], + "type": "boolean" + }, + "validate_request_body": { + "default": false, + "description": "A boolean value telling the plugin to enable body validation.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/http-log/2.8.json b/json_schemas/http-log/2.8.json new file mode 100644 index 00000000..939516d1 --- /dev/null +++ b/json_schemas/http-log/2.8.json 
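Review bot: The `validate_request_body` description in the hmac-auth schema (`A boolean value telling the plugin to enable body validation.`) does not say what is validated or what the default of `false` leaves unchecked, and `enforce_headers` defaults to an empty list. From the schema alone, an operator cannot tell whether the request body or any particular header is covered by the signature in the default configuration. I would extend the description to something like `If true, the plugin checks the request body against the signed Digest header; if false (default), the body is not verified.` The Digest detail comes from the plugin's documentation rather than this hunk, so confirm it before merging. The `algorithms` default also still lists `hmac-sha1`, so a sentence advising operators to narrow the list to the algorithms their clients actually use would help.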
@@ -0,0 +1,168 @@ +{ + "properties": { + "config": { + "properties": { + "content_type": { + "default": "application/json", + "description": "Indicates the type of data sent. The only available option is `application/json`.", + "enum": [ + "application/json" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "A list of key-value pairs, where the key is the name of a log field and\nthe value is a chunk of Lua code, whose return value sets or replaces\nthe log field value.", + "type": "object" + }, + "flush_timeout": { + "default": 2, + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "examples": [ + 2 + ], + "type": "number" + }, + "headers": { + "additionalProperties": true, + "description": "\nAn optional table of headers added to the HTTP message to the upstream server.\nThe table contains arrays of values, indexed by the header name (multiple values per header).\n\nThe following headers are not allowed: `Host`, `Content-Length`, `Content-Type`.", + "type": "object" + }, + "http_endpoint": { + "description": "The HTTP URL endpoint (including the protocol to use) to which the data is sent.\n\nIf the `http_endpoint` contains a username and password (for example,\n`http://bob:password@example.com/logs`), then Kong Gateway automatically includes\na basic-auth `Authorization` header in the log requests.", + "examples": [ + "http://mockbin.org/bin/:id" + ], + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", + "examples": [ + 1000 + ], + "type": "number" + }, + "method": { + "default": "POST", + "description": "An optional method used to send data to the HTTP server. 
Supported values are\n`POST` (default), `PUT`, and `PATCH`.", + "enum": [ + "PATCH", + "POST", + "PUT" + ], + "examples": [ + "POST" + ], + "type": "string" + }, + "queue_size": { + "default": 1, + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" + }, + "retry_count": { + "default": 10, + "description": "Number of times to retry when sending data to the upstream server.", + "examples": [ + 15 + ], + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "examples": [ + 1000 + ], + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ip-restriction/2.8.json b/json_schemas/ip-restriction/2.8.json new file mode 100644 index 00000000..7fb10853 --- /dev/null +++ b/json_schemas/ip-restriction/2.8.json 
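Review bot: Both examples for `http_endpoint` in the http-log schema use cleartext `http://`, and the description's `http://bob:password@example.com/logs` carries credentials that the plugin turns into a basic-auth `Authorization` header. A reader who follows it sends the password and the log payload unencrypted. I would switch the examples to `https://` (for instance `https://bob:password@example.com/logs`) and add `Use an https:// endpoint whenever the URL contains credentials.` The `custom_fields_by_lua` description says each value is a chunk of Lua code, so it should also state that write access to this field belongs to trusted administrators only. Since the file is pulled from the API, the wording probably needs to change in the plugin schema upstream too.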
@@ -0,0 +1,139 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.\n\nNote: We have deprecated the usage of `whitelist` and `blacklist` in favor of `allow` and `deny`.", + "examples": [ + [ + "143.1.0.0/24", + "54.13.21.1" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "deny": { + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.\n\nNote: We have deprecated the usage of `whitelist` and `blacklist` in favor of `allow` and `deny`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "message": { + "description": "The message to send as a response body to rejected requests.", + "type": "string" + }, + "status": { + "description": "The HTTP status of the requests that will be rejected by the plugin.", + "type": "number" + } + }, + "required": [ + + ], + "shorthand_fields": { + "blacklist": { + "items": { + "is_regex": true, + "type": "string" + }, + "type": "array" + }, + "whitelist": { + "items": { + "is_regex": true, + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/jq/2.8.json b/json_schemas/jq/2.8.json new file mode 100644 index 00000000..ebbb7d73 --- /dev/null +++ b/json_schemas/jq/2.8.json 
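Review bot: The `allow` and `deny` descriptions in the ip-restriction schema say `One of config.allow or config.deny must be specified`, but the `config` object has an empty `required` list and no other constraint, so a configuration with neither list passes this schema. Anyone validating declarative configuration against the file gets no warning for an ip-restriction entry that, as far as the schema shows, restricts nothing. If the schema dialect in use allows it, add `"anyOf": [{ "required": ["allow"] }, { "required": ["deny"] }]` to the `config` object. `status` is also an unbounded `number`, while the jq schema in this same patch bounds status codes with `"minimum": 100`, `"maximum": 599` and `"type": "integer"`; the same bounds would fit here.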
@@ -0,0 +1,199 @@ +{ + "properties": { + "config": { + "properties": { + "request_if_media_type": { + "default": [ + "application/json" + ], + "description": "A list of media type strings. The media type included in the `Content-Type` request header **must**\nmatch one of the media types on this list for the program to run.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "request_jq_program": { + "description": "The jq program to run on the request body. For example, `.[0] | { \"X-Foo\": .foo }`.\nEither `request_jq_program` or `response_jq_plugin` **must** be included in the configuration.", + "examples": [ + ".[0]" + ], + "type": "string" + }, + "request_jq_program_options": { + "description": "Boolean option flags to modify the run behavior of the jq program run on the request body.\n- `compact_output`: Returns output in a compact form without additional spacing,\n and with each JSON object on a single line. Defaults to `true`. Set to `false` for 'pretty' output.\n- `raw_output`: Outputs as raw strings, not JSON quoted. Default is `false`.\n- `join_output`: Similar to `raw_output` but does not output newline separators. Default is `false`.\n- `ascii_output`: jq usually outputs non-ASCII Unicode codepoints as UTF-8, even if the input specified\n them as escape sequences (like `μ`). Using this option, you can force jq to produce pure ASCII\n output, replacing every non-ASCII character with the equivalent escape sequence. Default is `false`.\n- `sort_keys`: Outputs the fields of each object with the keys in sorted order. 
Default is `false`.", + "properties": { + "ascii_output": { + "default": false, + "type": "boolean" + }, + "compact_output": { + "default": true, + "type": "boolean" + }, + "join_output": { + "default": false, + "type": "boolean" + }, + "raw_output": { + "default": false, + "type": "boolean" + }, + "sort_keys": { + "default": false, + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "response_if_media_type": { + "default": [ + "application/json" + ], + "description": "A list of media type strings. The media type included in the `Content-Type` response header **must**\nmatch one of the media types on this list for the program to run.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "response_if_status_code": { + "default": [ + 200 + ], + "description": "A list of HTTP response status codes. The response status code **must**\nmatch one of the response status codes on this list for the program to run.", + "items": { + "maximum": 599, + "minimum": 100, + "required": [ + + ], + "type": "integer" + }, + "type": "array" + }, + "response_jq_program": { + "description": "The jq program to run on the response body. For example, `.[0] | { \"X-Foo\": .foo }`.\nEither `request_jq_program` or `response_jq_plugin` **must** be included in configuration.", + "type": "string" + }, + "response_jq_program_options": { + "description": "Boolean option flags to modify the run behavior of the jq program run on the response body.\n- `compact_output`: Returns output in a compact form without additional spacing,\n and with each JSON object on a single line. Defaults to `true`. Set to `false` for 'pretty' output.\n- `raw_output`: Outputs as raw strings, not JSON quoted. Default is `false`.\n- `join_output`: Similar to `raw_output` but does not output newline separators. 
Default is `false`.\n- `ascii_output`: jq usually outputs non-ASCII Unicode codepoints as UTF-8, even if the input specified\n them as escape sequences (like `μ`). Using this option, you can force jq to produce pure ASCII\n output, replacing every non-ASCII character with the equivalent escape sequence. Default is `false`.\n- `sort_keys`: Outputs the fields of each object with the keys in sorted order. Default is `false`.", + "properties": { + "ascii_output": { + "default": false, + "type": "boolean" + }, + "compact_output": { + "default": true, + "type": "boolean" + }, + "join_output": { + "default": false, + "type": "boolean" + }, + "raw_output": { + "default": false, + "type": "boolean" + }, + "sort_keys": { + "default": false, + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. 
The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/jwt-signer/2.8.json b/json_schemas/jwt-signer/2.8.json new file mode 100644 index 00000000..7aac8639 --- /dev/null +++ b/json_schemas/jwt-signer/2.8.json 
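Review bot: The descriptions of `request_jq_program` and `response_jq_program` in the jq schema both refer to `response_jq_plugin`, which is not a property here; the field is `response_jq_program`. The sentence should read `Either request_jq_program or response_jq_program **must** be included in the configuration.` In the two `*_jq_program_options` descriptions the escape-sequence example appears as the literal character `μ`, which suggests the JSON string held an unescaped `\u03bc`; writing it as `\\u03bc` keeps the escape visible to readers. The either/or requirement is also stated only in prose, since `required` on `config` is empty.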
@@ -0,0 +1,563 @@ +{ + "properties": { + "config": { + "properties": { + "access_token_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to apply an access token to a Kong consumer mapping,\nit tries to find a matching Kong consumer from properties defined using\nthis configuration parameter. The parameter can take an array of\nalues. Valid values are `id`, `username`, and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary\nclaim specified with this configuration parameter (for example, `sub` or `username`) in\nan access token to Kong consumer entity. Kong consumers have an `id`, a `username`,\nand a `custom_id`. The `config.access_token_consumer_by` parameter\ntells the plugin which of these Kong consumer properties can be used for mapping.\nIf this parameter is enabled but the mapping fails, such as when there's\na non-existent Kong consumer, the plugin responds with `403 Forbidden`.\nKong [consumer mapping](#consumer-mapping) is useful when you want to communicate this information\nto other plugins such as [ACL](/hub/kong-inc/acl/) or [rate limiting](/hub/kong-inc/rate-limiting/).\nThe JWT Signer plugin also sets a couple of standard Kong\nupstream consumer headers.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_authorization": { + "description": "If the introspection endpoint requires client authentication (client being\nthe JWT Signer plugin), you can specify the `Authorization` header's value with this\nconfiguration parameter. For example, if you use client credentials, enter\nthe value of `\"Basic base64encode('client_id:client_secret')\"`\nto this configuration parameter. 
You are responsible for providing the full string\nof the header and doing all of the necessary encodings (such as base64)\nrequired on a given endpoint.", + "type": "string" + }, + "access_token_introspection_body_args": { + "description": "If you need to pass additional body arguments to an introspection endpoint\nwhen the plugin introspects the opaque access token, use this config parameter\nto specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", + "type": "string" + }, + "access_token_introspection_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to\nfind a matching Kong consumer from properties defined using this configuration parameter. The parameter\ncan take an array of values. Valid values are `id`, `username`, and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary\nclaim specified with this configuration parameter (such as `sub` or `username`)\nin access token introspection results to the Kong consumer entity. Kong consumers\nhave an `id`, a `username`, and a `custom_id`. The\n`config.access_token_introspection_consumer_by` parameter tells the plugin which of these\nKong consumer properties can be used for mapping. If this parameter is enabled\nbut the mapping fails, such as when there's\na non-existent Kong consumer, the plugin responds\nwith `403 Forbidden`. Kong [consumer mapping](#consumer-mapping) is useful when you want to\ncommunicate this information to other plugins such as [ACL](/hub/kong-inc/acl/)\nor [rate limiting](/hub/kong-inc/rate-limiting/). 
The JWT Signer plugin also\nsets a couple of standard Kong upstream consumer headers.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token\nintrospection, you need to specify the OAuth 2.0 introspection endpoint URI\nwith this configuration parameter. Otherwise, the plugin does not try\nintrospection and returns `401 Unauthorized` instead.", + "type": "string" + }, + "access_token_introspection_hint": { + "default": "access_token", + "description": "If you need to give `hint` parameter when introspecting an access token,\nuse this parameter to specify the value. By default, the plugin\nsends `hint=access_token`.", + "type": "string" + }, + "access_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns an access token in one of the keys\n(or claims) within the introspection results (`JSON`), the plugin can use that value\ninstead of the introspection results when doing expiry verification and\nsigning of the new token issued by Kong. For example, if you specify\n`[ \"token_string\" ]`, which can be given as `\"token_string\"` (form post)\nto this configuration parameter, the plugin looks for key `token_string`\nin JSON of the introspection results and uses that as an access token instead\nof using introspection JSON directly. If the key cannot be found, the\nplugin responds with `401 Unauthorized`. Also if the key is found\nbut cannot be decoded as JWT, it also responds with `401 Unauthorized`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer introspection results\nand Kong. 
The value is added to introspection results (`JSON`) `exp` claim/property before\nchecking token expiry against Kong servers current time in seconds. You\ncan disable access token introspection `expiry` verification altogether\nwith `config.verify_access_token_introspection_expiry`.", + "type": "number" + }, + "access_token_introspection_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim/property in access token introspection results\n(`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`.\nThis supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`,\nhich can be given as `realm_access,roles` (form post). If the claim is not found in access\ntoken introspection results, and you have specified `config.access_token_introspection_scopes_required`,\nthe plugin responds with `403 Forbidden`.", + "examples": [ + [ + "scope" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by an\nintrospection claim/property specified by `config.access_token_introspection_scopes_claim`.\nFor example, `[ \"employee demo-service\", \"superadmin\" ]` can be given as `\"employee demo-service,superadmin\"`\n(form post) would mean that the claim needs to have values `\"employee\"` and `\"demo-service\"` **OR**\nthat the claim needs to have value of `\"superadmin\"` to be successfully authorized for the upstream\naccess. 
If required scopes are not found in access token introspection results (`JSON`),\nthe plugin responds with `403 Forbidden`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request.\nThe plugin tries to introspect twice if the first request\nfails for some reason. If both requests timeout, then the plugin runs two times the\n`config.access_token_introspection_timeout` on access token introspection.", + "type": "number" + }, + "access_token_issuer": { + "default": "kong", + "description": "The `iss` claim of a signed or re-signed access token is set to this value.\nOriginal `iss` claim of the incoming token (possibly introspected) is\nstored in `original_iss` claim of the newly signed access token.", + "type": "string" + }, + "access_token_jwks_uri": { + "description": "If you want to use `config.verify_access_token_signature`, you must specify\nthe URI where the plugin can fetch the public keys (JWKS) to verify the\nsignature of the access token. If you don't specify a URI and you pass a\nJWT token to the plugin, then the plugin responds with\n`401 Unauthorized`.", + "type": "string" + }, + "access_token_keyset": { + "default": "kong", + "description": "The name of the keyset containing signing keys.", + "type": "string" + }, + "access_token_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer and Kong. The value\nis added to the token's `exp` claim before checking token expiry against\nKong servers' current time in seconds. You can disable access token\n`expiry` verification altogether with `config.verify_access_token_expiry`.", + "type": "number" + }, + "access_token_optional": { + "default": false, + "description": "If an access token is not provided or no `config.access_token_request_header` is specified,\nthe plugin cannot verify the access token. 
In that case, the plugin normally responds\nwith `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error).\nUse this parameter to allow the request to proceed even when there is no token to check.\nIf the token is provided, then this parameter has no effect (look other parameters to enable and\ndisable checks in that case).", + "type": "boolean" + }, + "access_token_request_header": { + "default": "Authorization", + "description": "This parameter tells the name of the header where to look for the access token.\nBy default, the plugin searches it from `Authorization: Bearer ` header\n(the value being magic key `authorization:bearer`). If you don't want to\ndo anything with `access token`, then you can set this to `null` or `\"\"` (empty string).\nAny header can be used to pass the access token to the plugin. Two predefined\nvalues are `authorization:bearer` and `authorization:basic`.", + "type": "string" + }, + "access_token_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim in an access token to verify against values of\n`config.access_token_scopes_required`. This supports nested claims. For\nexample, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, which can\nbe given as `realm_access,roles` (form post).\nIf the claim is not found in the access token, and you have specified\n`config.access_token_scopes_required`,\nthe plugin responds with `403 Forbidden`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a\nclaim specified by `config.access_token_scopes_claim`. 
For example,\n`[ \"employee demo-service\", \"superadmin\" ]` can be given as\n`\"employee demo-service,superadmin\"` (form post) would mean that the claim\nneeds to have values `\"employee\"` and `\"demo-service\"` **OR** that the claim\nneeds to have the value of `\"superadmin\"` to be successfully authorized for\nthe upstream access. If required scopes are\nnot found in access token, the plugin responds with `403 Forbidden`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_signing_algorithm": { + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`,\nit also re-signs the original access token using the private keys of the JWT Signer plugin.\nSpecify the algorithm that is used to sign the token. Currently\nsupported values:\n- `\"HS256\"`\n- `\"HS384\"`\n- `\"HS512\"`\n- `\"RS256\"`\n- `\"RS512\"`\n- `\"ES256\"`\n- `\"ES384\"`\n- `\"ES512\"`\n- `\"PS256\"`\n- `\"PS384\"`\n- `\"PS512\"`\n- `\"EdDSA\"`\nThe `config.access_token_issuer`\nspecifies which `keyset` is used to sign the new token issued by Kong using\nthe specified signing algorithm.", + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS512" + ], + "type": "string" + }, + "access_token_upstream_header": { + "default": "Authorization:Bearer", + "description": "Removes the `config.access_token_request_header` from the request after reading its\nvalue. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. 
If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", + "type": "string" + }, + "access_token_upstream_leeway": { + "default": 0, + "description": "If you want to add or perhaps subtract (using a negative value) expiry\ntime (in seconds) of the original access token, you can specify a value that is added to\nthe original access token's `exp` claim.", + "type": "number" + }, + "cache_access_token_introspection": { + "default": true, + "description": "Whether to cache access token introspection results.", + "type": "boolean" + }, + "cache_channel_token_introspection": { + "default": true, + "description": "Whether to cache channel token introspection results.", + "type": "boolean" + }, + "channel_token_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries\nto find a matching Kong consumer from properties defined using this configuration parameter.\nThe parameter can take an array of valid values: `id`, `username`, and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with\nthis configuration parameter (such as `sub` or `username`) in a channel token to a Kong consumer entity. Kong\nconsumers have an `id`, a `username`, and a `custom_id`. The `config.channel_token_consumer_by` parameter\ntells the plugin which Kong consumer properties can be used for mapping. If this\nparameter is enabled but the mapping fails, such as when there's\na non-existent Kong consumer, the plugin responds\nwith `403 Forbidden`. 
Kong [consumer mapping](#consumer-mapping) is useful\nwhen you want to communicate this information\nto other plugins such as [ACL](/hub/kong-inc/acl/) or [rate limiting](/hub/kong-inc/rate-limiting/).\nThe JWT Signer plugin also sets a couple of standard Kong upstream consumer headers.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_authorization": { + "description": "If the introspection endpoint requires client authentication (client being this plugin), you can specify\nthe `Authorization` header's value with this configuration parameter. If you use client credentials,\nyou should enter the value of `\"Basic base64encode('client_id:client_secret')\"` to this configuration parameter.\nYou are responsible for providing the full string of the header and doing\nall the necessary encodings (such as base64) required on a given endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "string" + }, + "channel_token_introspection_body_args": { + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the\nopaque channel token, you can use this config parameter to specify them. You should URL encode the value.\nFor example: `resource=` or `a=1&b=&c`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "string" + }, + "channel_token_introspection_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to\nfind a matching Kong consumer from properties defined using this configuration parameter. The parameter\ncan take an array of values. 
Valid values are `id`, `username` and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with\nthis configuration parameter (such as `sub` or `username`) in channel token introspection results to\nKong consumer entity. Kong consumers have an `id`, a `username` and a `custom_id`. The\n`config.channel_token_introspection_consumer_by` parameter tells the plugin which of these\nKong consumer properties can be used for mapping. If this parameter is enabled\nbut the mapping fails, such as when there's\na non-existent Kong consumer, the plugin responds with `403 Forbidden`. Kong\n[consumer mapping](#consumer-mapping)\nis useful when you want to communicate this information to other plugins such as\n[ACL](/hub/kong-inc/acl/) or [rate limiting](/hub/kong-inc/rate-limiting/). The\nJWT Signer plugin also sets a couple of standard\nKong upstream consumer headers.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_endpoint": { + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to\nspecify the OAuth 2.0 introspection endpoint URI with this configuration parameter.\nOtherwise the plugin will not try introspection, and instead returns `401 Unauthorized`\nwhen using opaque channel tokens.", + "type": "string" + }, + "channel_token_introspection_hint": { + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to\nspecify the value of such parameter. 
By default, a `hint` isn't sent with channel token introspection.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "string" + }, + "channel_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection\nresults (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification\nand signing of the new token issued by Kong. For example, if you specify `[ \"token_string\" ]`, which can be given as\n`\"token_string\"` (form post) to this configuration parameter, the plugin looks for key `token_string`\nin JSON of the introspection results and uses that as a channel token instead of using introspection JSON\ndirectly. If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key\nis found but cannot be decoded as JWT, the plugin responds with `401 Unauthorized`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_leeway": { + "default": 0, + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong.\nThe value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry\nagainst Kong servers current time (in seconds). You can disable channel token introspection `expiry`\nverification altogether with `config.verify_channel_token_introspection_expiry`.", + "type": "number" + }, + "channel_token_introspection_scopes_claim": { + "default": [ + "scope" + ], + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`)\nto be verified against values of `config.channel_token_introspection_scopes_required`. This supports\nnested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, which can be given as\n`realm_access,roles` (form post). 
If the claim is not found in channel token introspection results,\nand you have specified `config.channel_token_introspection_scopes_required`, the plugin responds\nwith `403 Forbidden`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_scopes_required": { + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection\nclaim/property specified by `config.channel_token_introspection_scopes_claim`.\nFor example, `[ \"employee demo-service\", \"superadmin\" ]`, which can be given as `\"employee demo-service,superadmin\"`\n(form post) would mean that the claim needs to have the values `\"employee\"` and `\"demo-service\"` **OR** that the\nclaim needs to have the value of `\"superadmin\"` to be successfully authorized for the upstream access.\nIf required scopes are not found in channel token introspection results (`JSON`), the plugin\nresponds with `403 Forbidden`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request\nfails for some reason. If both requests timeout, then the plugin runs two times the\n`config.access_token_introspection_timeout` on channel token introspection.", + "type": "number" + }, + "channel_token_issuer": { + "default": "kong", + "description": "The `iss` claim of the re-signed channel token is set to this value, which\nis `kong` by default. 
The original `iss` claim of the incoming token\n(possibly introspected) is stored in the `original_iss` claim of\nthe newly signed channel token.", + "type": "string" + }, + "channel_token_jwks_uri": { + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where\nthe plugin can fetch the public keys (JWKS) to verify the signature of the channel token.\nIf you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds\nwith `401 Unauthorized`.", + "type": "string" + }, + "channel_token_keyset": { + "default": "kong", + "description": "The name of the keyset containing signing keys.", + "type": "string" + }, + "channel_token_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer and Kong. The value\nwill be added to token's `exp` claim before checking token expiry against Kong servers current\ntime in seconds. You can disable channel token `expiry` verification altogether with\n`config.verify_channel_token_expiry`.", + "type": "number" + }, + "channel_token_optional": { + "default": false, + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified,\nthe plugin cannot verify the channel token. In that case, the plugin normally responds\nwith `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error).\nEnable this parameter to allow the request to proceed even when there is no channel token\nto check. If the channel token is provided, then this parameter has no effect\n(look other parameters to enable and disable checks in that case).", + "type": "boolean" + }, + "channel_token_request_header": { + "description": "This parameter tells the name of the header where to look for the channel token.\nBy default, the plugin doesn't look for the channel token. If you don't want to\ndo anything with the channel token, then you can set this to `null` or `\"\"`\n(empty string). 
Any header can be used to pass the channel\ntoken to this plugin. Two predefined values are `authorization:bearer`\nand `authorization:basic`.", + "type": "string" + }, + "channel_token_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim in a channel token to verify against values of\n`config.channel_token_scopes_required`. This supports nested claims. With Keycloak, you could\nuse `[ \"realm_access\", \"roles\" ]`, which can be given as `realm_access,roles` (form post).\nIf the claim is not found in the channel token, and you have specified `config.channel_token_scopes_required`,\nthe plugin responds with `403 Forbidden`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim\nspecified by `config.channel_token_scopes_claim`. For example, if `[ \"employee demo-service\", \"superadmin\" ]`\nwas given as `\"employee demo-service,superadmin\"` (form post), the claim needs\nto have values `\"employee\"` and `\"demo-service\"`, **OR** that the claim needs to have the value of\n`\"superadmin\"` to be successfully authorized for the upstream access. If required scopes are not\nfound in the channel token, the plugin responds with `403 Forbidden`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_signing_algorithm": { + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`,\nit also re-signs the original channel token using private keys of this plugin.\nSpecify the algorithm that is used to sign the token. 
Currently\nsupported values:\n - `\"HS256\"`\n- `\"HS384\"`\n- `\"HS512\"`\n- `\"RS256\"`\n- `\"RS512\"`\n- `\"ES256\"`\n- `\"ES384\"`\n- `\"ES512\"`\n- `\"PS256\"`\n- `\"PS384\"`\n- `\"PS512\"`\n- `\"EdDSA\"`\n\nThe `config.channel_token_issuer` specifies which `keyset`\nis used to sign the new token issued by Kong using the specified signing algorithm.", + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS512" + ], + "type": "string" + }, + "channel_token_upstream_header": { + "description": "This plugin removes the `config.channel_token_request_header` from the request\nafter reading its value.\nWith `config.channel_token_upstream_header`, you can specify the upstream header where the plugin\nadds the Kong-signed token. If you don't specify a value (so `null` or `\"\"` empty string),\nthe plugin does not attempt to re-sign the token.", + "type": "string" + }, + "channel_token_upstream_leeway": { + "default": 0, + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token,\nyou can specify a value that is added to the original channel token's `exp` claim.", + "type": "number" + }, + "enable_access_token_introspection": { + "default": true, + "description": "If you don't want to support opaque access tokens, change this\nconfiguration parameter to `false` to disable introspection.", + "type": "boolean" + }, + "enable_channel_token_introspection": { + "default": true, + "description": "If you don't want to support opaque channel tokens, disable introspection by\nchanging this configuration parameter to `false`.", + "type": "boolean" + }, + "enable_hs_signatures": { + "default": false, + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not\naccepted by default. 
If you need to accept such tokens for verification,\nenable this setting.", + "type": "boolean" + }, + "enable_instrumentation": { + "default": false, + "description": "When you are experiencing problems in production and don't want to change\nthe logging level on Kong nodes, which requires a reload, use this\nparameter to enable instrumentation for the request. The parameter writes\nlog entries with some added information using `ngx.CRIT` (CRITICAL) level.", + "type": "boolean" + }, + "realm": { + "description": "When authentication or authorization fails, or there is an unexpected\nerror, the plugin sends an `WWW-Authenticate` header with the `realm`\nattribute value.", + "type": "string" + }, + "trust_access_token_introspection": { + "default": true, + "description": "When you provide a opaque access token that the plugin introspects, and you do expiry\nand scopes verification on introspection results, you probably don't want to do another\nround of checks on the payload before the plugin signs a new token. Or that you don't\nwant to do checks to a JWT token provided with introspection JSON specified with\n`config.access_token_introspection_jwt_claim`. Use this parameter to enable and\ndisable further checks on a payload before the new token is signed. If you set this\nto `true`, the expiry or scopes are not checked on a payload.", + "type": "boolean" + }, + "trust_channel_token_introspection": { + "default": true, + "description": "When you provide an opaque channel token that the plugin introspects, and you do expiry\nand scopes verification on introspection results, you probably don't want to do another\nround of checks on the payload before the plugin signs a new token. Or you don't\nwant to do checks to a JWT token provided with introspection JSON specified with\n`config.channel_token_introspection_jwt_claim`. Use this parameter to enable or\ndisable further checks on a payload before the new token is signed. 
If you set this\nto `true` (default), the expiry or scopes are not checked on a payload.", + "type": "boolean" + }, + "verify_access_token_expiry": { + "default": true, + "description": "Quickly turn access token expiry verification off and on as needed.", + "type": "boolean" + }, + "verify_access_token_introspection_expiry": { + "default": true, + "description": "Quickly turn access token introspection expiry verification off and on as needed.", + "type": "boolean" + }, + "verify_access_token_introspection_scopes": { + "default": true, + "description": "Quickly turn off and on the access token\nintrospection scopes verification, specified with\n`config.access_token_introspection_scopes_required`.", + "type": "boolean" + }, + "verify_access_token_scopes": { + "default": true, + "description": "Quickly turn off and on the access token\nrequired scopes verification, specified with `config.access_token_scopes_required`.", + "type": "boolean" + }, + "verify_access_token_signature": { + "default": true, + "description": "Quickly turn access token signature verification off and on as needed.", + "type": "boolean" + }, + "verify_channel_token_expiry": { + "default": true, + "type": "boolean" + }, + "verify_channel_token_introspection_expiry": { + "default": true, + "description": "Quickly turn on/off the channel token introspection expiry\nverification.", + "type": "boolean" + }, + "verify_channel_token_introspection_scopes": { + "default": true, + "description": "Quickly turn on/off the channel token introspection scopes\nverification specified with `config.channel_token_introspection_scopes_required`.", + "type": "boolean" + }, + "verify_channel_token_scopes": { + "default": true, + "description": "Quickly turn on/off the channel token required scopes\nverification specified with `config.channel_token_scopes_required`.", + "type": "boolean" + }, + "verify_channel_token_signature": { + "default": true, + "description": "Quickly turn on/off the channel token signature 
verification.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/jwt/2.8.json b/json_schemas/jwt/2.8.json new file mode 100644 index 00000000..110152b2 --- /dev/null +++ b/json_schemas/jwt/2.8.json 
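Review bot: The `config` object in `json_schemas/jwt-signer/2.8.json` closes without `"additionalProperties": false`, although `consumer_group`, `route` and `service` directly below it all set it. A misspelled key such as `access_token_scopes_requried` (constructed example) would therefore validate against this schema and leave the scope check unconfigured. Adding `"additionalProperties": false` beside the closing `"type": "object"` of `config` would make tooling that validates against this file reject unknown keys; whether the gateway itself rejects them is not visible here. Separately, `channel_token_introspection_authorization`, `channel_token_introspection_body_args` and `channel_token_introspection_hint` pair `"type": "string"` with an `items` subschema, which has no effect on strings and is absent from their `access_token_*` counterparts, and `verify_channel_token_expiry` is the only `verify_*` flag without a `description`. If this file is emitted by a converter, as its layout suggests, these are better fixed there than by hand.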
@@ -0,0 +1,160 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID) value to use as an anonymous consumer if authentication fails.\nIf empty (default), the request will fail with an authentication failure `4xx`. Note that this value\nmust refer to the consumer `id` attribute that is internal to Kong Gateway, and **not** its `custom_id`.", + "type": "string" + }, + "claims_to_verify": { + "description": "A list of registered claims (according to [RFC 7519](https://tools.ietf.org/html/rfc7519)) that Kong can verify as well. Accepted values: one of `exp` or `nbf`.", + "items": { + "enum": [ + "exp", + "nbf" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "cookie_names": { + "default": [ + + ], + "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "header_names": { + "default": [ + "authorization" + ], + "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "key_claim_name": { + "default": "iss", + "description": "The name of the claim in which the `key` identifying the secret **must** be passed. Starting with version `0.13.1`, the plugin will attempt to read this claim from the JWT payload and the header, in that order.", + "type": "string" + }, + "maximum_expiration": { + "default": 0, + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to `maximum_expiration` seconds in the future. Any JWT that has a longer lifetime is rejected (HTTP 403). If this value is specified, `exp` must be specified as well in the `claims_to_verify` property. The default value of `0` represents an indefinite period. 
Potential clock skew should be considered when configuring this setting.", + "maximum": 31536000, + "minimum": 0, + "type": "number" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" + }, + "secret_is_base64": { + "default": false, + "description": "If true, the plugin assumes the credential's `secret` to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", + "type": "boolean" + }, + "uri_param_names": { + "default": [ + "jwt" + ], + "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", + "examples": [ + [ + "paramName_2.2.x" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/kafka-log/2.8.json b/json_schemas/kafka-log/2.8.json new file mode 100644 index 00000000..d33a4ece --- /dev/null +++ b/json_schemas/kafka-log/2.8.json 
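Review bot: The `claims_to_verify` description in `config` does not say what happens when the list is left unset, and the schema gives it no default, so a reader cannot tell from this file that expiry is presumably not checked unless `exp` is listed. I would append `If unset, neither exp nor nbf is verified.` to that description, after confirming it against the plugin's behaviour. The wording `Accepted values: one of exp or nbf` also reads as if only one may be chosen, while the property is an array whose items come from that enum; `any of` would match the schema. Relatedly, `uri_param_names` defaults to `["jwt"]`, so tokens are accepted from the query string by default, and a sentence noting that URLs tend to be recorded in access logs would help operators decide whether to clear it.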
@@ -0,0 +1,237 @@ +{ + "properties": { + "config": { + "properties": { + "authentication": { + "properties": { + "mechanism": { + "description": "The SASL authentication mechanism.\n\nSupported options: `PLAIN` or `SCRAM-SHA-256`.", + "enum": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "type": "string" + }, + "password": { + "description": "Password for SASL authentication.", + "type": "string" + }, + "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "enum": [ + "sasl" + ], + "type": "string" + }, + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication", + "type": "boolean" + }, + "user": { + "description": "Username for SASL authentication.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a\nrandom string. You can also set your own custom cluster identifier.\n\nIf more than one Kafka plugin is configured without a `cluster_name`\n(that is, if the default autogenerated value is removed),\nthese plugins will use the same producer, and by extension, the same\ncluster. 
Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "keepalive": { + "default": 60000, + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + }, + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + }, + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + }, + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before\nconsidering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the\nleader; and -1 for the full ISR (In-Sync Replica set).", + "enum": [ + -1, + 0, + 1 + ], + "type": "integer" + }, + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + }, + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single Produce request.", + "type": "integer" + }, + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + }, + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + }, + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds", + "type": "integer" + }, + "security": { + "properties": { + "certificate_id": { + "description": "UUID of certificate entity for 
mTLS authentication.", + "type": "string", + "uuid": true + }, + "ssl": { + "description": "Enables TLS.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topic": { + "description": "The Kafka topic to publish to.", + "examples": [ + "TOPIC" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/kafka-upstream/2.8.json b/json_schemas/kafka-upstream/2.8.json new file mode 100644 index 00000000..886d69af --- /dev/null +++ b/json_schemas/kafka-upstream/2.8.json 
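Review bot: The `mechanism` description under `config.authentication` lists only `PLAIN` or `SCRAM-SHA-256`, but the `enum` directly below it also accepts `SCRAM-SHA-512`; the kafka-upstream schema added next in this patch names all three. Suggest `Supported options: PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512.` so the text and the enum agree. `security.ssl` has no default here and `PLAIN` does not protect the password at the SASL layer, so the `mechanism` or `ssl` description should state that `PLAIN` is only appropriate with TLS enabled. `keepalive` and `keepalive_enabled` carry no description at all in this file.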
@@ -0,0 +1,258 @@ +{ + "properties": { + "config": { + "properties": { + "authentication": { + "properties": { + "mechanism": { + "description": "The SASL authentication mechanism.\n\nSupported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", + "enum": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "type": "string" + }, + "password": { + "description": "Password for SASL authentication.", + "type": "string" + }, + "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "enum": [ + "sasl" + ], + "type": "string" + }, + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication.", + "type": "boolean" + }, + "user": { + "description": "Username for SASL authentication.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "type": "string" + }, + "port": { + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a\nrandom string. You can also set your own custom cluster identifier.\n\nIf more than one Kafka plugin is configured without a `cluster_name`\n(that is, if the default autogenerated value is removed),\nthese plugins will use the same producer, and by extension, the same\ncluster. Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "forward_body": { + "default": true, + "description": "Include the request body in the message. 
At least one of these must be true:\n`forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_headers": { + "default": false, + "description": "Include the request headers in the message. At least one of these must be true:\n`forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_method": { + "default": false, + "description": "Include the request method in the message. At least one of these must be true:\n`forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_uri": { + "default": false, + "description": "Include the request URI and URI arguments (as in, query arguments) in the message.\nAt least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`,\n`forward_body`.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "Keepalive timeout in milliseconds.", + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + }, + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + }, + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + }, + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before\nconsidering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the\nleader; and -1 for the full ISR (In-Sync Replica set).", + "enum": [ + -1, + 0, + 1 + ], + "type": "integer" + }, + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + }, + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single Produce request.", + "type": "integer" + }, + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + }, + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + }, + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer" + }, + "security": { + "properties": { + "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string", + "uuid": true + }, + "ssl": { + "description": "Enables TLS.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topic": { + "description": "The Kafka topic to publish to.", + "examples": [ + "TOPIC" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
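Review bot: The `forward_headers` and `forward_body` descriptions in `config` do not mention that the forwarded material can carry credentials (an `Authorization` header, cookies, form fields), which would then sit in the Kafka topic for every reader of that topic. A sentence such as `Request headers may include credentials; restrict read access to the topic accordingly.` on `forward_headers`, and a matching one on `forward_body`, would make that visible at configuration time. The four `forward_*` descriptions also state that at least one must be true, but nothing in the schema expresses that constraint, so a document with all four set to `false` would presumably still validate against this file. In the `consumer` description, `where the specified has been authenticated` is missing the word `consumer` (the kafka-log hunk has the same sentence).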
diff --git a/json_schemas/key-auth-enc/2.8.json b/json_schemas/key-auth-enc/2.8.json new file mode 100644 index 00000000..d610211c --- /dev/null +++ b/json_schemas/key-auth-enc/2.8.json 
@@ -0,0 +1,125 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID) value to use as an anonymous consumer if authentication fails.\nIf empty (default), the request will fail with an authentication failure `4xx`. Note that this value\nmust refer to the consumer `id` attribute that is internal to Kong Gateway, and **not** its `custom_id`.", + "legacy": true, + "type": "string", + "uuid": true + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`,\nthe plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", + "type": "boolean" + }, + "key_in_body": { + "default": false, + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "key_in_header": { + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean" + }, + "key_in_query": { + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean" + }, + "key_names": { + "default": [ + "apikey" + ], + "description": "Describes an array of parameter names where the plugin will look for a key. 
The client must send the\nauthentication key in one of those key names, and the plugin will try to read the credential from a\nheader, request body, or query string parameter with the same name.\n\nKey names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "examples": [ + [ + "apikey" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests.\nIf set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/key-auth/2.8.json b/json_schemas/key-auth/2.8.json new file mode 100644 index 00000000..059254fa --- /dev/null +++ b/json_schemas/key-auth/2.8.json 
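Review bot: `key_in_query` defaults to `true` and `hide_credentials` to `false` in `config`, but neither description states the consequence: API keys are accepted from the URL, where they tend to end up in access logs and browser history, and the key is passed on to the upstream service unless the operator changes the default. I would add one sentence to each, for example `Keys sent in the query string may be recorded in access logs; prefer the header.` and `Defaults to false, so the upstream receives the key.` Separately, the `key_in_body` description gives the MIME type as `application/www-form-urlencoded`; the registered name is `application/x-www-form-urlencoded`. Both points apply unchanged to the key-auth hunk that follows.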
@@ -0,0 +1,123 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID) value to use as an anonymous consumer if authentication fails.\nIf empty (default), the request will fail with an authentication failure `4xx`. Note that this value\nmust refer to the consumer `id` attribute that is internal to Kong Gateway, and **not** its `custom_id`.\nFor more information, see [Anonymous Access](/gateway/latest/kong-plugins/authentication/reference/#anonymous-access).", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`,\nthe plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", + "type": "boolean" + }, + "key_in_body": { + "default": false, + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "key_in_header": { + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean" + }, + "key_in_query": { + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean" + }, + "key_names": { + "default": [ + "apikey" + ], + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the\nauthentication key in one of those key names, and the plugin will try to read the credential from a\nheader, request body, or query string parameter with the same name.\n
**Note**: The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "examples": [ + [ + "apikey" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests.\nIf set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ldap-auth-advanced/2.8.json b/json_schemas/ldap-auth-advanced/2.8.json new file mode 100644 index 00000000..f24ef15a --- /dev/null +++ b/json_schemas/ldap-auth-advanced/2.8.json 
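Review bot: `config.anonymous` is declared here with only `"type": "string"`, while the key-auth-enc schema in the previous hunk marks the same field with `"uuid": true`, although both descriptions say the value must be a consumer UUID. If `uuid` is the marker that consumers of these schemas use to validate the format, this copy accepts any string, and a mistyped identifier for the fallback consumer would only surface at request time. Suggest adding `"uuid": true` to `anonymous` here, or confirming that the difference is intentional. The description also links to `/gateway/latest/...` from a 2.8 schema, which may not describe this version's behaviour.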
@@ -0,0 +1,190 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "default": "", + "description": "An optional string (consumer UUID) value to use as an anonymous consumer if authentication fails.\nIf empty (default), the request will fail with an authentication failure `4xx`. Note that this value\nmust refer to the consumer `id` attribute that is internal to Kong Gateway, and **not** its `custom_id`.", + "minLength": 0, + "type": "string" + }, + "attribute": { + "description": "Attribute to be used to search the user; e.g., \"cn\".", + "examples": [ + "cn" + ], + "type": "string" + }, + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., \"dc=example,dc=com\".", + "examples": [ + "dc=example,dc=com" + ], + "type": "string" + }, + "bind_dn": { + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn`\nshould have permissions to search for the user being authenticated.", + "type": "string" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "examples": [ + 60 + ], + "type": "number" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", + "items": { + "enum": [ + "custom_id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_optional": { + "default": false, + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the\nLDAP authenticated user. 
If `consumer_optional=false`, LDAP authenticated users can still access upstream resources.\n\nTo prevent access from LDAP users that are not associated with consumers, set `consumer_optional=false`, set the `anonymous` field to an\nexisting `consumer_id`, then use the [Request Termination plugin](/hub/kong-inc/request-termination/) to deny any requests from the anonymous consumer.", + "type": "boolean" + }, + "group_base_dn": { + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.", + "type": "string" + }, + "group_member_attribute": { + "default": "memberOf", + "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive.", + "type": "string" + }, + "group_name_attribute": { + "description": "Sets the attribute holding the name of a group, typically\ncalled `name` (in Active Directory) or `cn` (in OpenLDAP). This\nfield is case-insensitive.", + "type": "string" + }, + "header_type": { + "default": "ldap", + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this:\n`Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be\n`Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `\"ldap\"` and `\"basic\"`.", + "examples": [ + "ldap" + ], + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. 
It will be removed by Kong before proxying the request.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" + }, + "ldap_host": { + "description": "Host on which the LDAP server is running.", + "examples": [ + "ldap.example.com" + ], + "type": "string" + }, + "ldap_password": { + "description": "The password to the LDAP server.", + "type": "string" + }, + "ldap_port": { + "default": 389, + "description": "TCP port where the LDAP server is listening. 389 is the default\nport for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is\nconfigured, you must use port 636.", + "examples": [ + 389 + ], + "type": "number" + }, + "ldaps": { + "default": false, + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured\nto TLS) to connect to the LDAP server. When `ldaps` is\nconfigured, you must use port 636. If the `ldap` setting is enabled, ensure the\n`start_tls` setting is disabled.", + "type": "boolean" + }, + "log_search_results": { + "default": false, + "description": "Displays all the LDAP search results received from the LDAP\nserver for debugging purposes. Not recommended to be enabled in\na production environment.", + "type": "boolean" + }, + "start_tls": { + "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation\nover `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps`\nsetting is disabled.", + "examples": [ + true + ], + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" + }, + "verify_ldap_host": { + "default": false, + "description": "Set to `true` to authenticate LDAP server. 
The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "examples": [ + false + ], + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ldap-auth/2.8.json b/json_schemas/ldap-auth/2.8.json new file mode 100644 index 00000000..0d4a8a3b --- /dev/null +++ b/json_schemas/ldap-auth/2.8.json 
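Review bot: The `ldaps` description ends with `If the ldap setting is enabled, ensure the start_tls setting is disabled`, but this schema defines no `ldap` property; the sentence presumably means `ldaps`, mirroring the `start_tls` text. Suggested: `If the ldaps setting is enabled, ensure the start_tls setting is disabled.` The ldap-auth hunk that follows has the same wording and continues past this view. With `ldaps`, `start_tls` and `verify_ldap_host` all defaulting to `false`, the bind password and user credentials would travel unencrypted to an unauthenticated server unless the operator changes them, and the `verify_ldap_host` description should say so rather than only `Set to true to authenticate LDAP server`. `ldap_port` is also typed `number` with no bounds here, while ldap-auth uses `integer` with `minimum` 0 and `maximum` 65535.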
@@ -0,0 +1,157 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID) value to use as an anonymous consumer if authentication fails.\nIf empty (default), the request fails with an authentication failure `4xx`. Note that this value\nmust refer to the consumer `id` attribute that is internal to Kong Gateway, and **not** its `custom_id`.", + "type": "string" + }, + "attribute": { + "description": "Attribute to be used to search the user; e.g., \"cn\".", + "examples": [ + "cn" + ], + "type": "string" + }, + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., \"dc=example,dc=com\".", + "examples": [ + "dc=example,dc=com" + ], + "type": "string" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "header_type": { + "default": "ldap", + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `\"ldap\"` and `\"basic\"`.", + "examples": [ + "ldap" + ], + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. 
It will be removed by Kong before proxying the request.", + "examples": [ + true + ], + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" + }, + "ldap_host": { + "description": "Host on which the LDAP server is running.", + "examples": [ + "ldap.example.com" + ], + "type": "string" + }, + "ldap_port": { + "default": 389, + "description": "TCP port where the LDAP server is listening. 389 is the default\nport for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is\nconfigured, you must use port 636.", + "examples": [ + 389 + ], + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "ldaps": { + "default": false, + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is\nconfigured, you must use port 636. If the `ldap` setting is enabled, ensure the\n`start_tls` setting is disabled.", + "type": "boolean" + }, + "start_tls": { + "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap`\nconnection. If the `start_tls` setting is enabled, ensure the `ldaps`\nsetting is disabled.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" + }, + "verify_ldap_host": { + "default": false, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. 
(Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/loggly/2.8.json b/json_schemas/loggly/2.8.json new file mode 100644 index 00000000..e3027264 --- /dev/null +++ b/json_schemas/loggly/2.8.json 
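Review bot: The `ldaps` description refers to a setting this schema does not define: it ends with "If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled", while the properties are `ldaps` and `start_tls`, so the sentence presumably means `ldaps`, as the mirror sentence under `start_tls` does. `verify_ldap_host` defaults to `false`, and going by its own description the server certificate is only checked when it is `true`, so enabling `ldaps` or `start_tls` alone appears to encrypt the connection without authenticating the server. I would say so in both descriptions, for example `Also set verify_ldap_host to true; otherwise the LDAP server's certificate is not verified.` The `header_type` text could also note that `base64(username:password)` is an encoding, so the header carries the password in recoverable form. If these files are regenerated from the plugin source, the corrections belong there.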
@@ -0,0 +1,195 @@ +{ + "properties": { + "config": { + "properties": { + "client_errors_severity": { + "default": "info", + "description": "An optional logging severity assigned to all the failed requests with a response\nstatus code 400 or higher but less than 500. Available options: `debug`, `info`,\n`notice`, `warning`, `err`, `crit`, `alert`, `emerg`.", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "A list of key-value pairs, where the key is the name of a log field and\nthe value is a chunk of Lua code, whose return value sets or replaces\nthe log field value.", + "type": "object" + }, + "host": { + "default": "logs-01.loggly.com", + "description": "The IP address or hostname of Loggly server.", + "type": "string" + }, + "key": { + "description": "Loggly [customer token](https://www.loggly.com/docs/customer-token-authentication-token/).", + "examples": [ + "YOUR_LOGGLY_SERVICE_TOKEN" + ], + "type": "string" + }, + "log_level": { + "default": "info", + "description": "An optional logging severity, any request with equal or higher severity will be\nlogged to Loggly. Available options: `debug`, `info`, `notice`, `warning`, `err`,\n`crit`, `alert`, `emerg`.", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "port": { + "default": 514, + "description": "The UDP port to send data to on the Loggly server.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "server_errors_severity": { + "default": "info", + "description": "An optional logging severity assigned to all the failed requests with response status\ncode 500 or higher. 
Available options: `debug`, `info`, `notice`, `warning`, `err`,\n`crit`, `alert`, `emerg`.", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "successful_severity": { + "default": "info", + "description": "An optional logging severity assigned to all the successful requests with a response\nstatus code 400. Available options: `debug`, `info`, `notice`, `warning`, `err`,\n`crit`, `alert`, `emerg`.", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "tags": { + "default": [ + "kong" + ], + "description": "An optional list of [tags](https://www.loggly.com/docs/tags/) to support segmentation and filtering of logs.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the Loggly server.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/mocking/2.8.json b/json_schemas/mocking/2.8.json new file mode 100644 index 00000000..14d6c3d2 --- /dev/null +++ b/json_schemas/mocking/2.8.json 
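Review bot: `custom_fields_by_lua` is declared with `"additionalProperties": true`, so the schema accepts values of any type even though the description says each value is a chunk of Lua code; `"additionalProperties": { "type": "string" }` would match the description. Because those values are code whose return value is evaluated to fill the log field, the description should state that write access to this field amounts to the ability to run Lua and should be granted accordingly. Separately, the `successful_severity` description says successful requests have "a response status code 400", which overlaps the `client_errors_severity` range of 400 up to 500; it presumably means "less than 400". The `consumer` description is also missing a word in "where the specified has been authenticated".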
@@ -0,0 +1,110 @@ +{ + "properties": { + "config": { + "properties": { + "api_specification": { + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode.\nWith this configuration option, you can include the full specification as part of the configuration,\ninstead of referring to a separate file with `api_specification_filename` that lives next to the Kong Gateway.\nIn Kong Manager, you can copy and paste the contents of the spec directly into\nthe `Config.Api Specification` text field.", + "examples": [ + "openapi: 3.0.1\ninfo:\n title: OpenAPI 3.0 API\n description: This is a simple API\n contact:\n email: example@example.com\n version: 1.0.0\n" + ], + "type": "string" + }, + "api_specification_filename": { + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot\nuse this option for DB-less or hybrid mode.", + "type": "string" + }, + "max_delay_time": { + "default": 1, + "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled\nand you want to adjust the default. The value must be greater than the\n`min_delay_time`.", + "examples": [ + 1 + ], + "type": "number" + }, + "min_delay_time": { + "default": 0.001, + "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled\nand you want to adjust the default. The value must be less than the\n`max_delay_time`.", + "examples": [ + 0.001 + ], + "type": "number" + }, + "random_delay": { + "default": false, + "description": "Enables a random delay in the mocked response. Introduces delays to simulate\nreal-time response times by APIs.", + "examples": [ + true + ], + "type": "boolean" + }, + "random_examples": { + "default": false, + "description": "Randomly selects one example and returns it. 
This parameter requires the spec to have multiple examples configured.", + "examples": [ + true + ], + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/mtls-auth/2.8.json b/json_schemas/mtls-auth/2.8.json new file mode 100644 index 00000000..40e99943 --- /dev/null +++ b/json_schemas/mtls-auth/2.8.json 
@@ -0,0 +1,180 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID) value to use as an \"anonymous\" consumer if authentication fails.\nIf the request is left empty (which it is by default), it fails with an authentication failure of either\n`HTTP 495` if the client presented a certificate that is not acceptable, or `HTTP 496` if the client failed\nto present certificate as requested. Please note that this value must refer to the consumer `id`\nattribute, which is internal to Kong, and **not** its `custom_id`.", + "legacy": true, + "type": "string", + "uuid": true + }, + "authenticated_group_by": { + "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or\n`DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a\nvalid certificate can access the Service/API. To restrict usage to only some of the authenticated users,\nalso add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "enum": [ + "CN", + "DN" + ], + "type": "string" + }, + "ca_certificates": { + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate.\nAt least one is required but you can specify as many as needed. 
The value of this array is comprised\nof primary keys (`id`).", + "examples": [ + [ + "fdac360e-7b19-4ade-a553-6dd22937c82f" + ] + ], + "items": { + "required": [ + + ], + "type": "string", + "uuid": true + }, + "type": "array" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "cert_cache_ttl": { + "default": 60000, + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", + "type": "number" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "items": { + "enum": [ + "custom_id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "http_proxy_host": { + "examples": [ + "example" + ], + "type": "string" + }, + "http_proxy_port": { + "description": "The HTTP hostname or IP address of a proxy. Use this setting with\n`http_proxy_port` to access a certificate revocation list\n(CRL) or an OCSP server.\n\nRequired if `http_proxy_port` is set.", + "examples": [ + 80 + ], + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number" + }, + "https_proxy_host": { + "description": "The HTTPS hostname or IP address of a proxy. 
Use this setting with\n`https_proxy_port` to access a certificate revocation list\n(CRL) or an OCSP server.\n\nRequired if `https_proxy_port` is set.", + "type": "string" + }, + "https_proxy_port": { + "description": "The TCP port of the HTTPS proxy.\n\nRequired if `https_proxy_host` is set.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "revocation_check_mode": { + "default": "IGNORE_CA_ERROR", + "description": ">**Known Issue:** The default value `IGNORE_CA_ERROR` has a known issue in versions 1.5.0.0 and later.m As a workaround, manually set the value to `SKIP`.\n\nControls client certificate revocation check behavior. Valid values are `SKIP`, `IGNORE_CA_ERROR`, or `STRICT`.\nIf set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects\nthe revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`,\nthe plugin only treats the certificate as valid when it's able to verify the revocation status, and a missing\nOCSP or CRL URL in the certificate or a failure to connect to the server results in a revoked status.\nIf both OCSP and CRL URL are set, the plugin always checks OCSP first, and only checks the CRL URL if\nit can't communicate with the OCSP server.", + "enum": [ + "IGNORE_CA_ERROR", + "SKIP", + "STRICT" + ], + "type": "string" + }, + "skip_consumer_lookup": { + "default": false, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/oauth2-introspection/2.8.json b/json_schemas/oauth2-introspection/2.8.json new file mode 100644 index 00000000..8b869261 --- /dev/null +++ b/json_schemas/oauth2-introspection/2.8.json 
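Review bot: The two HTTP proxy fields have their documentation crossed: `http_proxy_host` has no `description`, and `http_proxy_port` carries the host text ("The HTTP hostname or IP address of a proxy … Required if `http_proxy_port` is set"). Following the `https_proxy_*` pair in the same hunk, the host text belongs on `http_proxy_host` and the port description should read `The TCP port of the HTTP proxy. Required if http_proxy_host is set.` In `revocation_check_mode`, "versions 1.5.0.0 and later.m" has a stray `m`. The Known Issue paragraph also recommends `SKIP` before the reader learns that `SKIP` performs no revocation check, so the workaround sentence should say that a revoked client certificate would presumably still be accepted under it.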
@@ -0,0 +1,138 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "default": "", + "description": "An optional string (consumer UUID) value to use as an anonymous consumer if authentication fails. If empty (default), the request fails with an authentication failure `4xx`.", + "minLength": 0, + "type": "string" + }, + "authorization_value": { + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", + "examples": [ + "Basic MG9hNWlpbjpPcGVuU2VzYW1l" + ], + "type": "string" + }, + "consumer_by": { + "default": "username", + "description": "A string indicating whether to associate OAuth2 `username` or `client_id`\nwith the consumer's username. OAuth2 `username` is mapped to a consumer's\n`username` field, while an OAuth2 `client_id` maps to a consumer's\n`custom_id`.", + "enum": [ + "client_id", + "username" + ], + "examples": [ + "username" + ], + "type": "string" + }, + "custom_claims_forward": { + "default": [ + + ], + "description": "A list of custom claims to be forwarded from the introspection response\nto the upstream request. Claims are forwarded in headers with prefix\n`X-Credential-{claim-name}`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "custom_introspection_headers": { + "additionalProperties": true, + "description": "A list of custom headers to be added in the introspection request.", + "type": "object" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. 
It will be removed by Kong before proxying the request.", + "type": "boolean" + }, + "introspect_request": { + "default": false, + "description": "A boolean indicating whether to forward information about the current\ndownstream request to the introspect endpoint. If true, headers\n`X-Request-Path` and `X-Request-Http-Method` will be inserted into the\nintrospect request.", + "type": "boolean" + }, + "introspection_url": { + "description": "The full URL to the third-party introspection endpoint.\n\nIf the introspection endpoint is `https`, [`lua_ssl_trusted_certificate`](/gateway/latest/reference/configuration/#lua_ssl_trusted_certificate)\nmust be set in `kong.conf` to ensure the plugin can connect\nto the endpoint. The CA bundle file location depends on your OS. See the\n[configuration reference](/gateway/latest/reference/configuration/#lua_ssl_trusted_certificate) for a list.\n\nStarting with Kong v2.2, users can set `lua_ssl_trusted_certificate=system`\nto automatically use the CA bundle from the OS.", + "examples": [ + "https://example-url.com" + ], + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "integer" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "integer" + }, + "token_type_hint": { + "description": "The `token_type_hint` value to associate to introspection requests.", + "type": "string" + }, + "ttl": { + "default": 30, + "description": "The TTL in seconds for the introspection response. 
Set to 0 to disable the expiration.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/oauth2/2.8.json b/json_schemas/oauth2/2.8.json new file mode 100644 index 00000000..e4d348ad --- /dev/null +++ b/json_schemas/oauth2/2.8.json 
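Review bot: `authorization_value` holds the client credentials for the introspection endpoint, but its description presents the Base64 Basic string without saying that it is a secret. Base64 is reversible, so anyone who can read the plugin configuration can recover the `client_id` and `client_secret`; I would add a sentence such as `Treat this value as a secret: Base64 is an encoding, not encryption.` The `examples` entry decodes to a readable id and password pair, which is harmless as a sample but would be clearer as an obvious placeholder. The `run_on_preflight` text could also make explicit that `false` lets every `OPTIONS` request through without authentication.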
@@ -0,0 +1,184 @@ +{ + "properties": { + "config": { + "properties": { + "accept_http_if_already_terminated": { + "default": false, + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer and the\n`x-forwarded-proto: https` header has been added to the request. Only enable this option\nif the Kong server cannot be publicly accessed and the only entry point is such proxy or load balancer.", + "type": "boolean" + }, + "anonymous": { + "description": "An optional string (consumer UUID) value to use as an anonymous consumer if authentication fails.\nIf empty (default), the request fails with an authentication failure `4xx`. Note that this value\nmust refer to the consumer `id` attribute that is internal to Kong Gateway, and **not** its `custom_id`.", + "type": "string" + }, + "auth_header_name": { + "default": "authorization", + "description": "The name of the header that is supposed to carry the access token. Default: `authorization`.", + "type": "string" + }, + "enable_authorization_code": { + "default": false, + "description": "An optional boolean value to enable the three-legged Authorization Code flow ([RFC 6742 Section 4.1](https://tools.ietf.org/html/rfc6749#section-4.1)).", + "examples": [ + true + ], + "type": "boolean" + }, + "enable_client_credentials": { + "default": false, + "description": "An optional boolean value to enable the Client Credentials Grant flow ([RFC 6742 Section 4.4](https://tools.ietf.org/html/rfc6749#section-4.4)).", + "type": "boolean" + }, + "enable_implicit_grant": { + "default": false, + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process ([RFC 6742 Section 4.2](https://tools.ietf.org/html/rfc6749#section-4.2)).", + "type": "boolean" + }, + "enable_password_grant": { + "default": false, + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow 
([RFC 6742 Section 4.3](https://tools.ietf.org/html/rfc6749#section-4.3)).", + "type": "boolean" + }, + "global_credentials": { + "default": false, + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with\nany other Service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", + "type": "boolean" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.\nIf `true`, the plugin will strip the credential from the request (the header containing the client credentials)\nbefore proxying it.", + "type": "boolean" + }, + "mandatory_scope": { + "default": false, + "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", + "examples": [ + true + ], + "type": "boolean" + }, + "persistent_refresh_token": { + "default": false, + "type": "boolean" + }, + "pkce": { + "default": "lax", + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be\nhandled by the plugin. The possible modes are `none`, `lax`, and `strict`.\nThe `strict` mode enforces PKCE on both authorization and token endpoints for\nall the clients. The `lax` mode enforces PKCE for public clients, but it does\nnot enforce it for confidential clients. The `none` mode does not enforce PKCE\non any client. 
In any case, if a client asks for PKCE on authorization\nendpoint, the PKCE is also enforced on token endpoint.", + "enum": [ + "lax", + "none", + "strict" + ], + "type": "string" + }, + "provision_key": { + "description": "The unique key the plugin has generated when it has been added to the Service.", + "examples": [ + "" + ], + "type": "string" + }, + "refresh_token_ttl": { + "default": 1209600, + "description": "An optional integer value telling the plugin how many seconds a token/refresh token pair is valid for,\nand can be used to generate a new access token. Default value is 2 weeks. Set to `0` to keep the token/refresh\ntoken pair valid indefinitely.", + "type": "number" + }, + "reuse_refresh_token": { + "default": false, + "description": "An optional boolean value that indicates whether an OAuth refresh token is\nreused when refreshing an access token.", + "type": "boolean" + }, + "scopes": { + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is\nset to `true`, then `scopes` are required.", + "examples": [ + [ + "address", + "email", + "phone" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_expiration": { + "default": 7200, + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will\nneed to refresh the token. Set to `0` to disable the expiration.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/opa/2.8.json b/json_schemas/opa/2.8.json new file mode 100644 index 00000000..d86a93d7 --- /dev/null +++ b/json_schemas/opa/2.8.json 
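Review bot: The four grant-flow descriptions (`enable_authorization_code`, `enable_client_credentials`, `enable_implicit_grant`, `enable_password_grant`) cite "RFC 6742" while every link points to `rfc6749`; the link target is the one that matches the section numbers used, so the label should read `RFC 6749`. `persistent_refresh_token` is the only `config` property in this hunk without a `description`. The `accept_http_if_already_terminated` text rightly limits the option to deployments reachable only through the proxy; it could add the reason, namely that `x-forwarded-proto` is supplied by the sender, so the header is only meaningful when the trusted proxy is the sole entry point.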
@@ -0,0 +1,125 @@ +{ + "properties": { + "config": { + "properties": { + "include_consumer_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", + "type": "boolean" + }, + "include_route_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", + "type": "boolean" + }, + "include_service_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", + "type": "boolean" + }, + "opa_host": { + "default": "localhost", + "description": "The DNS name or IP address of the OPA server.", + "examples": [ + "localhost" + ], + "type": "string" + }, + "opa_path": { + "description": "The HTTP path to use when making a request to the OPA server. This is usually the path to the policy and rule to evaluate, prefixed with `/v1/data/`. For example,\nif you want to evaluate the `allow` rule inside `example.kong` package, then the path would be `/v1/data/example/kong/allowBoolean`.", + "examples": [ + "/v1/data/example/kong/allowBoolean" + ], + "type": "string" + }, + "opa_port": { + "default": 8181, + "description": "The port of the OPA server.", + "examples": [ + 8181 + ], + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "opa_protocol": { + "default": "http", + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", + "enum": [ + "http", + "https" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. 
(Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/openid-connect/2.8.json b/json_schemas/openid-connect/2.8.json new file mode 100644 index 00000000..355cf7e3 --- /dev/null +++ b/json_schemas/openid-connect/2.8.json 
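Review bot: The `config` object in json_schemas/opa/2.8.json is the only object in this schema left open: `consumer_group`, `route` and `service` each carry `"additionalProperties": false`, but `config` does not, and its `required` list is empty. A validator relying on this file alone would accept a misspelled key (for example a typo of `opa_protocol`), and the intended value would presumably fall back to the `http` default without any error, which matters for a plugin that can forward Consumer, Route and Service objects to the policy server. I would add `"additionalProperties": false,` to `config` and, if the plugin cannot work without a policy path, list the field that has no default as `"required": ["opa_path"]`. The file looks machine-generated, so the change probably belongs in the generator or the upstream schema rather than in this file.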
@@ -0,0 +1,1759 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID) value to use as an anonymous consumer if authentication fails.\nIf empty (default), the request will fail with an authentication failure `4xx`. Note that this value\nmust refer to the consumer `id` attribute that is internal to Kong Gateway, and **not** its `custom_id`.", + "legacy": true, + "type": "string", + "uuid": true + }, + "audience": { + "description": "The audience passed to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "audience_claim": { + "default": [ + "aud" + ], + "description": "The claim that contains the audience.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "audience_required": { + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.\n- When `[\"audience1 audience2\"]` are in the same array indices, both `audience1` AND `audience2` need to be present in access token (or introspection results).\n- When `[\"audience1\", \"audience2\"]` are in different array indices, either `audience1` OR `audience2` need to be present in access token (or introspection results).", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "auth_methods": { + "default": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "description": "Types of credentials/grants to enable:\n- `password`: OAuth legacy password grant\n- `client_credentials`: OAuth client credentials grant\n- `authorization_code`: authorization code flow\n- `bearer`: JWT access token verification\n- `introspection`: OAuth introspection\n- `userinfo`: OpenID Connect user info endpoint authentication\n- `kong_oauth2`: Kong OAuth plugin issued tokens verification\n- `refresh_token`: OAuth refresh token grant\n- `session`: session cookie authentication", + "examples": [ + [ + "authorization_code", + "session" + ] + ], + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authenticated_groups_claim": { + "description": "The claim that contains authenticated groups. This setting can be used together\nwith ACL plugin, but it also enables IdP managed groups with other applications\nand integrations (for example, Kong Manager and Dev Portal). 
The OpenID Connect\nplugin itself does not do anything other than set the context value.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", + "type": "string" + }, + "authorization_cookie_httponly": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "authorization_cookie_lifetime": { + "default": 600, + "description": "The authorization cookie lifetime in seconds.", + "type": "number" + }, + "authorization_cookie_name": { + "default": "authorization", + "description": "The authorization cookie name.", + "type": "string" + }, + "authorization_cookie_path": { + "default": "/", + "description": "The authorization cookie Path flag.", + "type": "string" + }, + "authorization_cookie_samesite": { + "default": "off", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks:\n- `Strict`: Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.\n- `Lax`: Cookies are not sent on normal cross-site subrequests (for example to load images or frames into a third party site), but are sent when a user is navigating to the origin site (for instance, when following a link).\n- `None`: Cookies will be sent in all contexts, for example in responses to both first-party and cross-origin requests. 
If `SameSite=None` is set, the cookie Secure attribute must also be set (or the cookie will be blocked).\n- `off`: Do not set the SameSite flag.", + "enum": [ + "Lax", + "None", + "Strict", + "off" + ], + "type": "string" + }, + "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost),\nand therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "authorization_endpoint": { + "description": "The authorization endpoint.", + "type": "string" + }, + "authorization_query_args_client": { + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_names": { + "description": "Extra query argument names passed to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_values": { + "description": "Extra query argument values passed to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "bearer_token_cookie_name": { + "description": "The name of the cookie in which the bearer token is passed.", + "type": "string" + }, + "bearer_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the bearer token:\n- `header`: search the HTTP headers\n- `query`: search the URL's query string\n- `body`: search the HTTP request body\n- `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`", + "items": { + "enum": [ + "body", + "cookie", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "by_username_ignore_case": { + "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers 
case-insensitively.", + "type": "boolean" + }, + "cache_introspection": { + "default": true, + "description": "Cache the introspection endpoint requests.", + "type": "boolean" + }, + "cache_token_exchange": { + "default": true, + "description": "Cache the token exchange endpoint requests.", + "type": "boolean" + }, + "cache_tokens": { + "default": true, + "description": "Cache the token endpoint requests.", + "type": "boolean" + }, + "cache_tokens_salt": { + "description": "Salt used for generating the cache key that us used for caching the token\nendpoint requests.\n> If you use multiple plugin instances of the OpenID Connect\n> plugin and want to share token endpoint caches between the plugin\n> instances, set the salt to the same value on each plugin instance.", + "type": "string" + }, + "cache_ttl": { + "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "type": "number" + }, + "cache_ttl_max": { + "description": "The maximum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_min": { + "description": "The minimum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_neg": { + "description": "The negative cache ttl in seconds.", + "type": "number" + }, + "cache_ttl_resurrect": { + "description": "The resurrection ttl in seconds.", + "type": "number" + }, + "cache_user_info": { + "default": true, + "description": "Cache the user info requests.", + "type": "boolean" + }, + "client_alg": { + "description": "The algorithm to use for `client_secret_jwt` (only `HS***`) or `private_key_jwt` authentication:\n- `HS256`: HMAC using SHA-256\n- `HS384`: HMAC using SHA-384\n- `HS512`: HMAC using SHA-512\n- `RS256`: RSASSA-PKCS1-v1_5 using SHA-256\n- `RS512`: RSASSA-PKCS1-v1_5 using SHA-512\n- `ES256`: ECDSA using P-256 and SHA-256\n- `ES384`: ECDSA using P-384 and SHA-384\n- `ES512`: ECDSA using P-521 and SHA-512\n- `PS256`: RSASSA-PSS using SHA-256 
and MGF1 with SHA-256\n- `PS384`: RSASSA-PSS using SHA-384 and MGF1 with SHA-384\n- `PS512`: RSASSA-PSS using SHA-512 and MGF1 with SHA-512\n- `EdDSA`: EdDSA with Ed25519", + "items": { + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS384", + "RS512" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_arg": { + "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).\nFor example, setting this value to `Client`, and sending the request header `Client: 1` will cause the plugin\nto use the first client (see: `config.client_id`) from the client array.", + "type": "string" + }, + "client_auth": { + "description": "The authentication method used by the client (plugin) when calling the endpoints:\n- `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header\n- `client_secret_post`: send `client_id` and `client_secret` as part of the body\n- `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body\n- `private_key_jwt`: send client assertion signed with the `private key` as part of the body\n- `none`: do not authenticate\n> Private keys can be stored in a database, and they are by the default automatically generated\n> in the database. 
It is also possible to specify private keys with `config.client_jwk` directly\n> in the plugin configuration.", + "items": { + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_credentials_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the client credentials:\n- `header`: search the HTTP headers\n- `query`: search the URL's query string\n- `body`: search from the HTTP request body", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.\nOther settings that are associated with the client are:\n- `config.client_secret`\n- `config.client_auth`\n- `config.client_jwk`\n- `config.client_alg`\n- `config.redirect_uri`\n- `config.login_redirect_uri`\n- `config.logout_redirect_uri`\n- `config.unauthorized_redirect_uri`\n- `config.forbidden_redirect_uri`\n- `config.unexpected_redirect_uri`\n\nUse the same array index when configuring related settings for the client.", + "examples": [ + [ + "" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_jwk": { + "description": "The JWK used for the `private_key_jwt` authentication.", + "items": { + "properties": { + "alg": { + "type": "string" + }, + "crv": { + "type": "string" + }, + "d": { + "type": "string" + }, + "dp": { + "type": "string" + }, + "dq": { + "type": "string" + }, + "e": { + "type": "string" + }, + "issuer": { + "type": "string" + }, + "k": { + "type": "string" + }, + "key_ops": { + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "kid": { + "type": "string" + }, + "kty": { + "type": "string" + }, + "n": { + "type": "string" 
+ }, + "oth": { + "type": "string" + }, + "p": { + "type": "string" + }, + "q": { + "type": "string" + }, + "qi": { + "type": "string" + }, + "r": { + "type": "string" + }, + "t": { + "type": "string" + }, + "use": { + "type": "string" + }, + "x": { + "type": "string" + }, + "x5c": { + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "x5t": { + "type": "string" + }, + "x5t#S256": { + "type": "string" + }, + "x5u": { + "type": "string" + }, + "y": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "type": "array" + }, + "client_secret": { + "description": "The client secret.\n> Specify one if using `client_secret_*` authentication with the client on\n> the identity provider endpoints.", + "examples": [ + [ + "" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Consumer fields used for mapping:\n- `id`: try to find the matching Consumer by `id`\n- `username`: try to find the matching Consumer by `username`\n- `custom_id`: try to find the matching Consumer by `custom_id`", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_claim": { + "description": "The claim used for consumer mapping.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_optional": { + "default": false, + "description": "Do not terminate the request if consumer mapping fails.", + "type": "boolean" + }, + "credential_claim": { + "default": [ + "sub" + ], + "description": "The claim used to derive virtual credentials (e.g. 
to be consumed by the rate-limiting plugin), in case the consumer mapping is not used.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "disable_session": { + "description": "Disable issuing the session cookie with the specified grants:\n- `password`: do not start a session with the password grant\n- `client_credentials`: do not start a session with the client credentials grant\n- `authorization_code`: do not start a session after authorization code flow\n- `bearer`: do not start session with JWT access token authentication\n- `introspection`: do not start session with introspection authentication\n- `userinfo`: do not start session with user info authentication\n- `kong_oauth2`: do not start session with Kong OAuth authentication\n- `refresh_token` do not start session with refresh token grant\n- `session`: do not renew the session with session cookie authentication", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_names": { + "description": "Extra header names passed to the discovery endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_values": { + "description": "Extra header values passed to the discovery endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "display_errors": { + "default": false, + "description": "Display errors on failure responses.", + "type": "boolean" + }, + "domains": { + "description": "The allowed values for the `hd` claim.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "downstream_access_token_header": { + "description": "The downstream access token header.", + "type": "string" + }, + "downstream_access_token_jwk_header": { + 
"description": "The downstream access token JWK header.", + "type": "string" + }, + "downstream_headers_claims": { + "description": "The downstream header claims.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "downstream_headers_names": { + "description": "The downstream header names for the claim values.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "downstream_id_token_header": { + "description": "The downstream id token header.", + "type": "string" + }, + "downstream_id_token_jwk_header": { + "description": "The downstream id token JWK header.", + "type": "string" + }, + "downstream_introspection_header": { + "description": "The downstream introspection header.", + "type": "string" + }, + "downstream_introspection_jwt_header": { + "type": "string" + }, + "downstream_refresh_token_header": { + "description": "The downstream refresh token header.", + "type": "string" + }, + "downstream_session_id_header": { + "description": "The downstream session id header.", + "type": "string" + }, + "downstream_user_info_header": { + "description": "The downstream user info header.", + "type": "string" + }, + "downstream_user_info_jwt_header": { + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "enable_hs_signatures": { + "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "type": "boolean" + }, + "end_session_endpoint": { + "description": "The end session endpoint.", + "type": "string" + }, + "extra_jwks_uris": { + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "forbidden_destroy_session": { + "default": true, + "description": "Destroy any active session for the forbidden requests.", + 
"type": "boolean" + }, + "forbidden_error_message": { + "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection).", + "type": "string" + }, + "forbidden_redirect_uri": { + "description": "Where to redirect the client on forbidden requests.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "groups_claim": { + "default": [ + "groups" + ], + "description": "The claim that contains the groups.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "groups_required": { + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.\n- When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in access token (or introspection results).\n- When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in access token (or introspection results).", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "hide_credentials": { + "default": false, + "description": "Remove the credentials used for authentication from the request.\n> If multiple credentials are sent with the same request, the plugin will\n> remove those that were used for successful authentication.", + "type": "boolean" + }, + "http_proxy": { + "description": "The HTTP proxy", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The HTTP proxy authorization.", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for the requests by this plugin:\n- `1.1`: HTTP 1.1 (the default)\n- `1.0`: HTTP 1.0", + "type": "number" + }, + "https_proxy": { + "description": "The HTTPS proxy", + "type": "string" + }, + "https_proxy_authorization": { + "description": 
"The HTTPS proxy authorization.", + "type": "string" + }, + "id_token_param_name": { + "description": "The name of the parameter used to pass the id token.", + "type": "string" + }, + "id_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the id token:\n- `header`: search the HTTP headers\n- `query`: search the URL's query string\n- `body`: search the HTTP request body", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ignore_signature": { + "default": [ + + ], + "description": "Skip the token signature verification on certain grants:\n- `password`: OAuth password grant\n- `client_credentials`: OAuth client credentials grant\n- `authorization_code`: authorization code flow\n- `refresh_token`: OAuth refresh token grant\n- `session`: session cookie authentication\n- `introspection`: OAuth introspection\n- `userinfo`: OpenID Connect user info endpoint authentication", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "introspection", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspect_jwt_tokens": { + "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "type": "boolean" + }, + "introspection_accept": { + "default": "application/json", + "description": "The value of `Accept` header for introspection requests:\n- `application/json`: introspection response as JSON\n- `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document)\n- `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)", + "enum": [ + "application/json", + "application/jwt", + "application/token-introspection+jwt" + ], + "type": "string" + }, + "introspection_check_active": { + 
"default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "type": "boolean" + }, + "introspection_endpoint": { + "description": "The introspection endpoint.", + "type": "string" + }, + "introspection_endpoint_auth_method": { + "description": "The introspection endpoint authentication method:\n- `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header\n- `client_secret_post`: send `client_id` and `client_secret` as part of the body\n- `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body\n- `private_key_jwt`: send client assertion signed with the `private key` as part of the body\n- `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt" + ], + "type": "string" + }, + "introspection_headers_client": { + "description": "Extra headers passed from the client to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_names": { + "description": "Extra header names passed to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_values": { + "description": "Extra header values passed to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_hint": { + "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "type": "string" + }, + "introspection_post_args_client": { + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_names": { + "description": "Extra post argument names passed to the introspection 
endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_values": { + "description": "Extra post argument values passed to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "issuer": { + "description": "The discovery endpoint (or the issuer identifier).\n> When using Kong with the database, the discovery information and the JWKS\n> are cached to the Kong configuration database.", + "examples": [ + "http://example.org" + ], + "type": "string" + }, + "issuers_allowed": { + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "jwt_session_claim": { + "default": "sid", + "description": "The claim to match against the JWT session cookie.", + "type": "string" + }, + "jwt_session_cookie": { + "description": "The name of the JWT session cookie.", + "type": "string" + }, + "keepalive": { + "default": true, + "description": "Use keepalive with the HTTP client.", + "type": "boolean" + }, + "leeway": { + "default": 0, + "description": "Allow some leeway on the ttl / expiry verification.", + "type": "number" + }, + "login_action": { + "default": "upstream", + "description": "What to do after successful login:\n- `upstream`: proxy request to upstream service\n- `response`: terminate request with a response\n- `redirect`: redirect to a different location", + "enum": [ + "redirect", + "response", + "upstream" + ], + "type": "string" + }, + "login_methods": { + "default": [ + "authorization_code" + ], + "description": "Enable login functionality with specified grants:\n- `password`: enable for OAuth password grant\n- `client_credentials`: enable OAuth client credentials grant\n- `authorization_code`: enable for authorization code flow\n- `bearer`: enable for JWT access token authentication\n- `introspection`: enable for OAuth introspection 
authentication\n- `userinfo`: enable for OpenID Connect user info endpoint authentication\n- `kong_oauth2`: enable for Kong OAuth Plugin authentication\n- `refresh_token`: enable for OAuth refresh token grant\n- `session`: enable for session cookie authentication", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "login_redirect_mode": { + "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`:\n- `query`: place tokens in query string\n- `fragment`: place tokens in url fragment (not readable by servers)", + "enum": [ + "fragment", + "query" + ], + "type": "string" + }, + "login_redirect_uri": { + "description": "Where to redirect the client when `login_action` is set to `redirect`.\n> Tip: Leave this empty and the plugin will redirect the client to the URL that originally initiated the\n> flow with possible query args preserved from the original request when `config.preserve_query_args`\n> is enabled.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "login_tokens": { + "default": [ + "id_token" + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment:\n- `id_token`: include id token\n- `access_token`: include access token\n- `refresh_token`: include refresh token\n- `tokens`: include the full token endpoint response\n- `introspection`: include introspection response", + "items": { + "enum": [ + "access_token", + "id_token", + "introspection", + "refresh_token", + "tokens" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "logout_methods": { + "default": [ + "DELETE", + "POST" + ], + "description": "The request methods that can activate the logout:\n- `POST`: HTTP POST method\n- `GET`: HTTP GET 
method\n- `DELETE`: HTTP DELETE method", + "items": { + "enum": [ + "DELETE", + "GET", + "POST" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "logout_post_arg": { + "description": "The request body argument that activates the logout.", + "type": "string" + }, + "logout_query_arg": { + "description": "The request query argument that activates the logout.", + "type": "string" + }, + "logout_redirect_uri": { + "description": "Where to redirect the client after the logout.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "logout_revoke": { + "default": false, + "description": "Revoke tokens as part of the logout.", + "type": "boolean" + }, + "logout_revoke_access_token": { + "default": true, + "description": "Revoke the access token as part of the logout.", + "type": "boolean" + }, + "logout_revoke_refresh_token": { + "default": true, + "description": "Revoke the refresh token as part of the logout.", + "type": "boolean" + }, + "logout_uri_suffix": { + "description": "The request URI suffix that activates the logout.", + "type": "string" + }, + "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "type": "number" + }, + "no_proxy": { + "description": "Do not use proxy with these hosts.", + "type": "string" + }, + "password_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the username and password:\n- `header`: search the HTTP headers\n- `query`: search the URL's query string\n- `body`: search the HTTP request body", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "preserve_query_args": { + "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.\n> When this parameter is used with the `config.login_action=redirect` parameter, the browser 
location\n> will change and display the original query arguments. Otherwise, the upstream request\n> is modified to include the original query arguments, and the browser will not display\n> them in the location field.", + "type": "boolean" + }, + "redirect_uri": { + "description": "The redirect URI passed to the authorization and token endpoints.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "rediscovery_lifetime": { + "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.\n> The re-discovery usually happens when the plugin cannot find a key for verifying\n> the signature. For example, if a token is presented for which Kong does not have a\n> JWK cached, it will poll the discovery endpoint for new JWK data. If that discovery\n> attempt does not yield a JWK that can validate the token, Kong will wait the specified\n> number of seconds before retrying the discovery.", + "type": "number" + }, + "refresh_token_param_name": { + "description": "The name of the parameter used to pass the refresh token.", + "type": "string" + }, + "refresh_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the refresh token:\n- `header`: search the HTTP headers\n- `query`: search the URL's query string\n- `body`: search the HTTP request body", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "refresh_tokens": { + "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the\nplugin has a `refresh_token` available.", + "type": "boolean" + }, + "resolve_distributed_claims": { + "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members\nof the JSON object containing the 
claims.\nIf this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "type": "boolean" + }, + "response_mode": { + "default": "query", + "description": "The response mode passed to the authorization endpoint:\n- `query`: Instructs the identity provider to pass parameters in query string\n- `form_post`: Instructs the identity provider to pass parameters in request body\n- `fragment`: Instructs the identity provider to pass parameters in uri fragment (rarely useful as the plugin itself cannot read it)", + "enum": [ + "form_post", + "fragment", + "query" + ], + "examples": [ + "form_post" + ], + "type": "string" + }, + "response_type": { + "default": [ + "code" + ], + "description": "The response type passed to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "reverify": { + "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", + "type": "boolean" + }, + "revocation_endpoint": { + "description": "The revocation endpoint.", + "type": "string" + }, + "revocation_endpoint_auth_method": { + "description": "The revocation endpoint authentication method:\n- `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header\n- `client_secret_post`: send `client_id` and `client_secret` as part of the body\n- `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body\n- `private_key_jwt`: send client assertion signed with the `private key` as part of the body\n- `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt" + ], + "type": "string" + }, + "roles_claim": { + "default": [ + "roles" + ], + "description": "The claim that contains the roles.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "roles_required": { + "description": "The roles 
(`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.\n- When `[\"role1 role2\"]` are in the same array indices, both `role1` AND `role2` need to be present in access token (or introspection results).\n- When `[\"role1\", \"role2\"]` are in different array indices, either `role1` OR `role2` need to be present in access token (or introspection results).", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "run_on_preflight": { + "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "type": "boolean" + }, + "scopes": { + "default": [ + "openid" + ], + "description": "The scopes passed to the authorization and token endpoints.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "scopes_claim": { + "default": [ + "scope" + ], + "description": "The claim that contains the scopes.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "scopes_required": { + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.\n- When `[\"scope1 scope2\"]` are in the same array indices, both `scope1` AND `scope2` need to be present in access token (or introspection results).\n- When `[\"scope1\", \"scope2\"]` are in different array indices, either `scope1` OR `scope2` need to be present in access token (or introspection results).", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "search_user_info": { + "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping,\ncredential mapping, authenticated groups, and upstream and downstream headers.\n> This requires an extra round-trip and can add latency, but the plugin can also cache\n> user info requests (see: `config.cache_user_info`).", + "type": "boolean" + }, + "session_compressor": { + "default": "none", + "description": "The session strategy:\n- `none`: no compression\n- `zlib`: use zlib to compress cookie data", + "enum": [ + "none", + "zlib" + ], + "type": "string" + }, + "session_cookie_domain": { + "description": "The session cookie Domain flag.", + "type": "string" + }, + "session_cookie_httponly": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "session_cookie_idletime": { + "description": "The session cookie idle time in seconds.", + "type": "number" + }, + "session_cookie_lifetime": { + "default": 3600, + "description": "The session cookie lifetime in seconds.", + "type": "number" + }, + "session_cookie_maxsize": { + "default": 4000, + "description": "The maximum size of each cookie chunk in bytes.", + "type": "integer" + }, + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "type": "string" + }, + "session_cookie_path": { + "default": "/", + "description": "The session cookie Path flag.", + "type": 
"string" + }, + "session_cookie_renew": { + "default": 600, + "description": "The number of seconds prior to the `session_cookie_lifetime` that the session cookie will be renewed.", + "type": "number" + }, + "session_cookie_samesite": { + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks:\n- `Strict`: Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.\n- `Lax`: Cookies are not sent on normal cross-site subrequests (for example to load images or frames into a third party site), but are sent when a user is navigating to the origin site (for example, when following a link).\n- `None`: Cookies will be sent in all contexts, for example in responses to both first-party and cross-origin requests. If SameSite=None is set, the cookie Secure attribute must also be set (or the cookie will be blocked)\n- `off`: Do not set the SameSite flag.", + "enum": [ + "Lax", + "None", + "Strict", + "off" + ], + "type": "string" + }, + "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost),\nand therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "session_memcache_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "type": "string" + }, + "session_memcache_port": { + "default": 11211, + "description": "The memcached port.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_memcache_prefix": { + "default": "sessions", + "description": "The memcached session key prefix.", + "type": "string" + }, + "session_memcache_socket": { + "description": "The memcached unix socket path.", + "type": "string" + }, + "session_redis_cluster_maxredirections": { + "description": "The Redis cluster maximum redirects.", + "type": "integer" + }, + 
"session_redis_cluster_nodes": { + "description": "The Redis cluster node host. Takes an array of host records, with\neither `ip` or `host`, and `port` values.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "type": "string" + }, + "port": { + "default": 6379, + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "type": "array" + }, + "session_redis_connect_timeout": { + "description": "The Redis connection timeout in milliseconds.", + "type": "integer" + }, + "session_redis_host": { + "default": "127.0.0.1", + "description": "The Redis host", + "type": "string" + }, + "session_redis_password": { + "description": "Password to use for Redis connection when the `redis` session storage is defined.\nIf undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "session_redis_port": { + "default": 6379, + "description": "The Redis port.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_redis_prefix": { + "default": "sessions", + "description": "The Redis session key prefix.", + "type": "string" + }, + "session_redis_read_timeout": { + "description": "The Redis read timeout in milliseconds.", + "type": "integer" + }, + "session_redis_send_timeout": { + "description": "The Redis send timeout in milliseconds.", + "type": "integer" + }, + "session_redis_server_name": { + "description": "The SNI used for connecting the Redis server.", + "type": "string" + }, + "session_redis_socket": { + "description": "The Redis unix socket path.", + "type": "string" + }, + "session_redis_ssl": { + "default": false, + "description": "Use SSL/TLS for Redis connection.", + "type": "boolean" + }, + "session_redis_ssl_verify": { + "default": false, + "description": "Verify Redis server certificate.", + "type": "boolean" + }, + "session_redis_username": { + "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL 
authentication is desired.\nIf undefined, ACL authentication will not be performed.\nThis requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "type": "string" + }, + "session_secret": { + "description": "The session secret.", + "examples": [ + "" + ], + "type": "string" + }, + "session_storage": { + "default": "cookie", + "description": "The session storage for session data:\n- `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database)\n- `memcache`: stores session data in memcached\n- `redis`: stores session data in Redis", + "enum": [ + "cookie", + "memcache", + "redis" + ], + "type": "string" + }, + "session_strategy": { + "default": "default", + "description": "The session strategy:\n- `default`: reuses session identifiers over modifications (but can be problematic with single-page applications with a lot of concurrent asynchronous requests)\n- `regenerate`: generates a new session identifier on each modification and does not use expiry for signature verification (useful in single-page applications or SPAs)", + "enum": [ + "default", + "regenerate" + ], + "type": "string" + }, + "ssl_verify": { + "default": false, + "description": "Verify identity provider server certificate.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network IO timeout in milliseconds.", + "type": "number" + }, + "token_endpoint": { + "description": "The token endpoint.", + "type": "string" + }, + "token_endpoint_auth_method": { + "description": "The token endpoint authentication method:\n- `client_secret_basic`: send `client_id` and `client_secret` in `Authorization: Basic` header\n- `client_secret_post`: send `client_id` and `client_secret` as part of the body\n- `client_secret_jwt`: send client assertion signed with the `client_secret` as part of the body\n- `private_key_jwt`: send client assertion signed with 
the `private key` as part of the body\n- `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt" + ], + "type": "string" + }, + "token_exchange_endpoint": { + "description": "The token exchange endpoint.", + "type": "string" + }, + "token_headers_client": { + "description": "Extra headers passed from the client to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_grants": { + "description": "Enable the sending of the token endpoint response headers only with certain grants:\n- `password`: with OAuth password grant\n- `client_credentials`: with OAuth client credentials grant\n- `authorization_code`: with authorization code flow\n- `refresh_token` with refresh token grant", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "password", + "refresh_token" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_names": { + "description": "Extra header names passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "type": "string" + }, + "token_headers_replay": { + "description": "The names of token endpoint response headers to forward to the downstream client.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_values": { + "description": "Extra header values passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_post_args_client": { + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. 
If arguments exist, the client can pass them using:\n- Request Body\n- Query parameters\n\nThis parameter can be used with `scope` values, like this:\n\n`config.token_post_args_client=scope`\n\nIn this case, the token would take the `scope` value from the query parameter or from the request body and send it to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_post_args_names": { + "description": "Extra post argument names passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_post_args_values": { + "description": "Extra post argument values passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "unauthorized_destroy_session": { + "default": true, + "description": "Destroy any active session for the unauthorized requests.", + "type": "boolean" + }, + "unauthorized_error_message": { + "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection).", + "type": "string" + }, + "unauthorized_redirect_uri": { + "description": "Where to redirect the client on unauthorized requests.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "unexpected_redirect_uri": { + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "upstream_access_token_header": { + "default": "authorization:bearer", + "description": "The upstream access token header.", + "type": "string" + }, + "upstream_access_token_jwk_header": { + "description": "The upstream access token JWK header.", + "type": "string" + }, + "upstream_headers_claims": { + "description": "The upstream header claims.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + 
"upstream_headers_names": { + "description": "The upstream header names for the claim values.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "upstream_id_token_header": { + "description": "The upstream id token header.", + "type": "string" + }, + "upstream_id_token_jwk_header": { + "description": "The upstream id token JWK header.", + "type": "string" + }, + "upstream_introspection_header": { + "description": "The upstream introspection header.", + "type": "string" + }, + "upstream_introspection_jwt_header": { + "type": "string" + }, + "upstream_refresh_token_header": { + "description": "The upstream refresh token header.", + "type": "string" + }, + "upstream_session_id_header": { + "description": "The upstream session id header.", + "type": "string" + }, + "upstream_user_info_header": { + "description": "The upstream user info header.", + "type": "string" + }, + "upstream_user_info_jwt_header": { + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "userinfo_accept": { + "default": "application/json", + "description": "The value of `Accept` header for user info requests:\n- `application/json`: user info response as JSON\n- `application/jwt`: user info response as JWT (from the obsolete IETF draft document)", + "enum": [ + "application/json", + "application/jwt" + ], + "type": "string" + }, + "userinfo_endpoint": { + "description": "The user info endpoint.", + "type": "string" + }, + "userinfo_headers_client": { + "description": "Extra headers passed from the client to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_names": { + "description": "Extra header names passed to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_values": { + "description": "Extra header values passed to the user info 
endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_client": { + "description": "Extra query arguments passed from the client to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_names": { + "description": "Extra query argument names passed to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_values": { + "description": "Extra query argument values passed to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "verify_claims": { + "default": true, + "description": "Verify tokens for standard claims.", + "type": "boolean" + }, + "verify_nonce": { + "default": true, + "description": "Verify nonce on authorization code flow.", + "type": "boolean" + }, + "verify_parameters": { + "default": false, + "description": "Verify plugin configuration against discovery.", + "type": "boolean" + }, + "verify_signature": { + "default": true, + "description": "Verify signature of tokens.", + "type": "boolean" + } + }, + "required": [ + + ], + "shorthands": { + }, + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/post-function/2.8.json b/json_schemas/post-function/2.8.json new file mode 100644 index 00000000..32d562e7 --- /dev/null +++ b/json_schemas/post-function/2.8.json 
@@ -0,0 +1,138 @@ +{ + "properties": { + "config": { + "properties": { + "access": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "body_filter": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "certificate": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "functions": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "header_filter": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "log": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "rewrite": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/pre-function/2.8.json b/json_schemas/pre-function/2.8.json new file mode 100644 index 00000000..0f10f85b --- /dev/null +++ b/json_schemas/pre-function/2.8.json 
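Review bot: None of the `config` phase fields in the post-function schema (`access`, `body_filter`, `certificate`, `functions`, `header_filter`, `log`, `rewrite`) carries a `description`, although pre-function/2.8.json in the same patch documents the identically named fields. Judging by those pre-function descriptions, these strings are presumably Lua code that the gateway runs, so a bare `"type": "string"` hides the fact an operator reviewing a configuration most needs to see. Each field should get the matching text, e.g. `"description": "Array of stringified Lua code to be cached and run in sequence during the access phase."`. Since the file is pulled from the API, the fix probably belongs in the upstream plugin schema, followed by a re-download.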
@@ -0,0 +1,145 @@ +{ + "properties": { + "config": { + "properties": { + "access": { + "default": [ + + ], + "description": "Array of stringified Lua code to be cached and run in sequence during the access phase.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "body_filter": { + "default": [ + + ], + "description": "Array of stringified Lua code to be cached and run in sequence during the body_filter phase.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "certificate": { + "default": [ + + ], + "description": "Array of stringified Lua code to be cached and run in sequence during the certificate phase.\n\n*Note*: This only runs on global plugins.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "functions": { + "default": [ + + ], + "description": "*Deprecated*. Use `config.access` instead.\n\nArray of stringified Lua code to be cached and run in sequence during access phase.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "header_filter": { + "default": [ + + ], + "description": "Array of stringified Lua code to be cached and run in sequence during the header_filter phase.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "log": { + "default": [ + + ], + "description": "Array of stringified Lua code to be cached and run in sequence during the log phase.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "rewrite": { + "default": [ + + ], + "description": "Array of stringified Lua code to be cached and run in sequence during the rewrite phase.\n\n *Note*: This only runs on global plugins.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for 
requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/prometheus/2.8.json b/json_schemas/prometheus/2.8.json new file mode 100644 index 00000000..a8d5e6e7 --- /dev/null +++ b/json_schemas/prometheus/2.8.json 
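Review bot: The phase-field descriptions in the pre-function schema (`access`, `body_filter`, `certificate`, `header_filter`, `log`, `rewrite` and the deprecated `functions`) say the strings are Lua code that is cached and run, but not under what restrictions, and the schema accepts any string. The generated docs should state that anyone who can write this plugin's configuration can run code in the gateway's request path, and that Kong's `untrusted_lua` setting governs whether and how that code is sandboxed. I would append one sentence to each description, e.g. `Execution is subject to the untrusted_lua setting in kong.conf; restrict who may edit this plugin's configuration.` The `rewrite` description also has a stray space before `*Note*`, unlike `certificate`.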
@@ -0,0 +1,75 @@ +{ + "properties": { + "config": { + "properties": { + "per_consumer": { + "default": false, + "description": "A boolean value that determines if per-consumer metrics should be\ncollected.\nIf enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes`\nmetrics fill in the consumer label when available.", + "examples": [ + false + ], + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/proxy-cache-advanced/2.8.json b/json_schemas/proxy-cache-advanced/2.8.json new file mode 100644 index 00000000..b84df8f1 --- /dev/null +++ b/json_schemas/proxy-cache-advanced/2.8.json 
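Review bot: The `consumer` description in the prometheus schema reads `requests where the specified has been authenticated`; the noun is missing, and it should read `where the specified consumer has been authenticated`. This description and `consumer_group` both close their parenthetical with `.). `, and `consumer_group` also says `consumers groups` and has no final period. The same `consumer_group` text appears in the post-function and pre-function schemas earlier in this patch. Because the files are downloaded from the API, the wording likely has to be corrected in the upstream schema and pulled again.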
@@ -0,0 +1,323 @@ +{ + "properties": { + "config": { + "properties": { + "bypass_on_err": { + "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "type": "boolean" + }, + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in [RFC7234](https://tools.ietf.org/html/rfc7234#section-5.2).", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities.", + "minimum": 0, + "type": "integer" + }, + "content_type": { + "default": [ + "application/json", + "text/plain" + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", + "examples": [ + [ + "application/json", + "text/plain" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "redis": { + "properties": { + "cluster_addresses": { + "description": "Cluster addresses to use for Redis connection when the `redis` strategy is defined.\nDefining this value implies using Redis cluster. Each string element must\nbe a hostname. 
The minimum length of the array is 1 element.", + "items": { + "required": [ + + ], + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "database": { + "default": 0, + "description": "Database to use for Redis connection when the `redis` strategy is defined.", + "type": "integer" + }, + "host": { + "description": "Host to use for Redis connection when the redis strategy is defined.", + "type": "string" + }, + "keepalive_backlog": { + "description": "If specified, limits the total number of opened connections for a pool. If the\nconnection pool is full, all connection queues beyond the maximum limit go into\nthe backlog queue. Once the backlog queue is full, subsequent connect operations\nwill fail and return `nil`. Queued connect operations resume once the number of\nconnections in the pool is less than `keepalive_pool_size`. Note that queued\nconnect operations are subject to set timeouts.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 30, + "description": "The size limit for every cosocket connection pool associated with every remote\nserver, per worker process. If no `keepalive_pool_size` is specified and no `keepalive_backlog`\nis specified, no pool is created. If no `keepalive_pool_size` is specified and `keepalive_backlog`\nis specified, then the pool uses the default value `30`.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connection when the `redis` strategy is defined.\nIf undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "Port to use for Redis connections when the `redis` strategy is defined. Must be a\nvalue between 0 and 65535. 
Default: 6379.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_addresses": { + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined.\nDefining this value implies using Redis Sentinel. Each string element must\nbe a hostname. The minimum length of the array is 1 element.", + "items": { + "required": [ + + ], + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connection when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance.\nIf undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value\nimplies using Redis Sentinel. Available options: `master`, `slave`, `any`.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance.\nIf undefined, ACL authentication will not be performed. 
This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "Specifies the server name for the new TLS extension Server Name Indication (SNI) when connecting over SSL.\n**Note:** This parameter is only available for Kong Gateway versions\n2.2.x and later.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to `true`, then uses SSL to connect to Redis.\n**Note:** This parameter is only available for Kong Gateway versions\n2.2.x and later.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to `true`, then verifies the validity of the server SSL certificate. Note that you need to configure the\n[lua_ssl_trusted_certificate](/gateway/latest/reference/configuration/#lua_ssl_trusted_certificate)\nto specify the CA (or server) certificate used by your Redis server. You may also need to configure\n[lua_ssl_verify_depth](/gateway/latest/reference/configuration/#lua_ssl_verify_depth) accordingly.\n**Note:** This parameter is only available for Kong Gateway versions\n2.2.x and later.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "Connection timeout to use for Redis connection when the `redis` strategy is defined.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "request_method": { + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", + "examples": [ + [ + "GET", + "HEAD" + ] + ], + "items": { + "enum": [ + "GET", + "HEAD", + "PATCH", + "POST", + "PUT" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "response_code": { + "default": [ + 200, + 301, + 404 + ], + "description": "Upstream response status code considered cacheable. 
The integers must be a value\nbetween 100 and 900.", + "examples": [ + [ + 200 + ] + ], + "items": { + "maximum": 900, + "minimum": 100, + "required": [ + + ], + "type": "integer" + }, + "minLength": 1, + "type": "array" + }, + "storage_ttl": { + "description": "Number of seconds to keep resources in the storage backend. This value is independent\nof `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" + }, + "strategy": { + "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", + "enum": [ + "memory", + "redis" + ], + "examples": [ + "memory" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/proxy-cache/2.8.json b/json_schemas/proxy-cache/2.8.json new file mode 100644 index 00000000..08ffe21e --- /dev/null +++ b/json_schemas/proxy-cache/2.8.json 
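Review bot: In `config.redis`, `ssl` and `ssl_verify` both default to `false` while the same object accepts `password` and `sentinel_password`, so a configuration that only sets a password sends its AUTH credential to Redis over an unencrypted, unverified connection. The descriptions of the two password fields do not mention this; I would append a sentence such as `Set ssl and ssl_verify to true when this value crosses an untrusted network.` to each. The same defaults appear in `json_schemas/rate-limiting-advanced/2.8.json` (`redis.ssl`, `redis.ssl_verify`) and `json_schemas/rate-limiting/2.8.json` (`redis_ssl`, `redis_ssl_verify`). If these files are generated from the plugin schemas, the wording change presumably belongs in the upstream source rather than in this file.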
@@ -0,0 +1,198 @@ +{ + "properties": { + "config": { + "properties": { + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in [RFC7234](https://tools.ietf.org/html/rfc7234#section-5.2).", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL, in seconds, of cache entities.", + "examples": [ + 300 + ], + "minimum": 0, + "type": "integer" + }, + "content_type": { + "default": [ + "application/json", + "text/plain" + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", + "examples": [ + [ + "application/json", + "text/plain" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. 
Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "request_method": { + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable.", + "examples": [ + [ + "GET", + "HEAD" + ] + ], + "items": { + "enum": [ + "GET", + "HEAD", + "PATCH", + "POST", + "PUT" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "response_code": { + "default": [ + 200, + 301, + 404 + ], + "description": "Upstream response status code considered cacheable.", + "examples": [ + [ + 200 + ] + ], + "items": { + "maximum": 900, + "minimum": 100, + "required": [ + + ], + "type": "integer" + }, + "minLength": 1, + "type": "array" + }, + "storage_ttl": { + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" + }, + "strategy": { + "description": "The backing data store in which to hold cache entities. The only accepted value is `memory`.", + "enum": [ + "memory" + ], + "examples": [ + "memory" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/rate-limiting-advanced/2.8.json b/json_schemas/rate-limiting-advanced/2.8.json new file mode 100644 index 00000000..3fd6bff9 --- /dev/null +++ b/json_schemas/rate-limiting-advanced/2.8.json 
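Review bot: `config.response_code` is declared `"type": "array"` but bounded with `"minLength": 1`, a keyword JSON Schema applies only to strings, so a validator using this file accepts an empty list. The array keyword is `minItems`, and the line would read `"minItems": 1,`. The same mismatch is in `json_schemas/proxy-cache-advanced/2.8.json` (`redis.cluster_addresses`, `redis.sentinel_addresses`, `response_code`) and `json_schemas/rate-limiting-advanced/2.8.json` (`redis.cluster_addresses`, `redis.sentinel_addresses`), where the descriptions state a minimum array length of 1 element that the schema does not enforce. If the files are generated, the keyword mapping in the generator is the place to fix it.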
@@ -0,0 +1,324 @@ +{ + "properties": { + "config": { + "properties": { + "consumer_groups": { + "description": "List of consumer groups allowed to override the rate limiting\nsettings for the given Route or Service. Required if\n`enforce_consumer_groups` is set to `true`.\nFlipping `enforce_consumer_groups` from `true` to `false` disables the\ngroup override, but does not clear the list of consumer groups.\nYou can then flip `enforce_consumer_groups` to `true` to re-enforce the\ngroups.", + "examples": [ + [ + "group1", + "group2" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. When the plugin is\nconfigured to synchronize counter data externally (that is \n`config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't\n`-1`), this dictionary serves as a buffer to populate counters in the\ndata store on each synchronization cycle.", + "type": "string" + }, + "enforce_consumer_groups": { + "default": false, + "description": "Set to `true` to enable `consumer_groups`, which allows the settings\nfrom one of the allowed consumer groups to override the given plugin\nconfiguration.", + "examples": [ + true + ], + "type": "boolean" + }, + "header_name": { + "description": "Header name to use as the rate limit key when `config.identifier` is\nconfigured with the value `header`. 
Ignored when `config.identifier` is not `header`.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise\nprovide information about the current status of limits and counters as\ndescribed in the paragraph [Headers sent to the client](#headers-sent-to-the-client).\nAvailable options: `true` or `false`.", + "examples": [ + false + ], + "type": "boolean" + }, + "identifier": { + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key.\nDefines the scope used to increment the rate limiting counters.\nCan be `ip`, `credential`, `consumer`, `service`, `header`, or `path`.", + "enum": [ + "consumer", + "credential", + "header", + "ip", + "path", + "service" + ], + "examples": [ + "consumer" + ], + "type": "string" + }, + "limit": { + "description": "One or more requests-per-window limits to apply. There must be a matching\nnumber of window limits and sizes specified.", + "examples": [ + [ + 5 + ] + ], + "items": { + "required": [ + + ], + "type": "number" + }, + "type": "array" + }, + "namespace": { + "description": "The rate limiting library namespace to use for this plugin instance. Counter\ndata and sync configuration is isolated in each namespace.\n{:.important}\n> **Important**: If managing Kong Gateway with **declarative configuration** or running\nKong Gateway in **DB-less mode**, set the `namespace` explicitly in your declarative configuration.\n>

\n> If not set, you will run into the following issues:\n* In DB-less mode, this field will be regenerated automatically on every configuration change.\n* If applying declarative configuration with decK, decK will automatically fail the update and require a \n`namespace` value.", + "examples": [ + "example_namespace" + ], + "type": "string" + }, + "path": { + "type": "string" + }, + "redis": { + "properties": { + "cluster_addresses": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined.\nDefining this value implies using Redis cluster. Each string element must\nconsist of a hostname (or IP address) and port. The minimum length of the array is 1 element.", + "items": { + "required": [ + + ], + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "description": "Connection timeout to use for Redis connection when the `redis` strategy is defined.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "database": { + "default": 0, + "description": "Database to use for Redis connection when the `redis` strategy is defined.", + "type": "integer" + }, + "host": { + "description": "Host to use for Redis connection when the `redis` strategy is defined.\nThis parameter accepts a hostname or an IP address as a value.", + "type": "string" + }, + "keepalive_backlog": { + "description": "If specified, limits the total number of opened connections for a pool. If the\nconnection pool is full, all connection queues beyond the maximum limit go into\nthe backlog queue. Once the backlog queue is full, subsequent connect operations\nwill fail and return `nil`. Queued connect operations resume once the number of\nconnections in the pool is less than `keepalive_pool_size`. 
Note that queued\nconnect operations are subject to set timeouts.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 30, + "description": "The size limit for every cosocket connection pool associated with every remote\nserver, per worker process. If no `keepalive_pool_size` is specified and no `keepalive_backlog`\nis specified, no pool is created. If no `keepalive_pool_size` is specified and `keepalive_backlog`\nis specified, then the pool uses the default value `30`.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connection when the `redis` strategy is defined.\nIf undefined, no AUTH commands are sent to Redis.", + "type": "string" + }, + "port": { + "description": "Specifies the Redis server port when using the `redis` strategy. Must be a\nvalue between 0 and 65535. Default: 6379.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "description": "Read timeout to use for Redis connection when the `redis` strategy is defined.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "description": "Send timeout to use for Redis connection when the `redis` strategy is defined.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_addresses": { + "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined.\nDefining this value implies using Redis Sentinel. Each string element must\nconsist of a hostname (or IP address) and port. 
The minimum length of the array is 1 element.", + "items": { + "required": [ + + ], + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections when the `redis` strategy is defined.\nDefining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance.\nIf undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined.\nDefining this value implies using Redis Sentinel. Available options: `master`, `slave`, `any`.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance.\nIf undefined, ACL authentication will not be performed. This requires Redis v6.2.0+.", + "type": "string" + }, + "server_name": { + "description": "Specifies the server name for the new TLS extension Server Name Indication (SNI) when connecting over SSL.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, then uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, then verifies the validity of the server SSL certificate. Note that you need to configure the\n[lua_ssl_trusted_certificate](/gateway/latest/reference/configuration/#lua_ssl_trusted_certificate)\nto specify the CA (or server) certificate used by your redis server. 
You may also need to configure\n[lua_ssl_verify_depth](/gateway/latest/reference/configuration/#lua_ssl_verify_depth) accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "Connection timeout (in milliseconds) to use for Redis connection when the `redis` strategy is defined.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connection when the `redis` strategy is defined and ACL authentication is desired.\nIf undefined, ACL authentication will not be performed.\nThis requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After`\nheader of denied requests (status = `429`) in order to prevent all the clients\nfrom coming back at the same time. The lower bound of the jitter is `0`; in this case,\nthe `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + }, + "strategy": { + "default": "cluster", + "description": "The rate-limiting strategy to use for retrieving and incrementing the\nlimits. 
Available values are:\n- `cluster`: Counters are stored in the Kong datastore and shared across\n the nodes.\n- `redis`: Counters are stored on a Redis server and shared\n across the nodes.\n- `local`: Counters are stored locally in-memory on the node (same effect\n as setting `sync_rate` to `-1`).\n\nIn DB-less, hybrid mode, and Konnect, the `cluster` config strategy\nis not supported.\n\nFor details on which strategy should be used, refer to the\n[implementation considerations](/hub/kong-inc/rate-limiting/#implementation-considerations).", + "enum": [ + "cluster", + "local", + "redis" + ], + "examples": [ + "local" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0\nresults in synchronous behavior; a value of -1 ignores sync behavior\nentirely and only stores counters in node memory. A value greater than\n0 will sync the counters in the specified number of seconds. The minimum\nallowed interval is 0.02 seconds (20ms).", + "examples": [ + -1 + ], + "type": "number" + }, + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds). 
There\nmust be a matching number of window limits and sizes specified.", + "examples": [ + [ + 30 + ] + ], + "items": { + "required": [ + + ], + "type": "number" + }, + "type": "array" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`.\nSliding windows apply the rate limiting logic while taking into account\nprevious hit rates (from the window that immediately precedes the current)\nusing a dynamic weight.\nFixed windows consist of buckets that are statically assigned to a\ndefinitive time range, each request is mapped to only one fixed window\nbased on its timestamp and will affect only that window's counters.\nFor more information refer to the\n[Enterprise Rate Limiting Library Overview](/gateway/latest/reference/rate-limiting/#overview).", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/rate-limiting/2.8.json b/json_schemas/rate-limiting/2.8.json new file mode 100644 index 00000000..c8e30304 --- /dev/null +++ b/json_schemas/rate-limiting/2.8.json 
@@ -0,0 +1,214 @@ +{ + "properties": { + "config": { + "properties": { + "day": { + "description": "The number of HTTP requests that can be made per day.", + "minimum": 0, + "type": "number" + }, + "fault_tolerant": { + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", + "type": "boolean" + }, + "header_name": { + "description": "Header name to be used if `limit_by` is set to `header`.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers.", + "type": "boolean" + }, + "hour": { + "description": "The number of HTTP requests that can be made per hour.", + "examples": [ + 10000 + ], + "minimum": 0, + "type": "number" + }, + "limit_by": { + "default": "consumer", + "description": "The entity that is used when aggregating the limits. 
Available values are:\n- `consumer`\n- `credential`\n- `ip`\n- `service`\n- `header` (The `header_name` configuration must be provided.)\n- `path` (The `path` configuration must be provided.)\n\nIf the entity value for aggregating the limits cannot be determined, the system falls back to `ip`.", + "enum": [ + "consumer", + "credential", + "header", + "ip", + "path", + "service" + ], + "type": "string" + }, + "minute": { + "description": "The number of HTTP requests that can be made per minute.", + "minimum": 0, + "type": "number" + }, + "month": { + "description": "The number of HTTP requests that can be made per month.", + "minimum": 0, + "type": "number" + }, + "path": { + "description": "Path to be used if `limit_by` is set to `path`.", + "type": "string" + }, + "policy": { + "default": "cluster", + "description": "The rate-limiting policies to use for retrieving and incrementing the\nlimits. Available values are:\n- `local`: Counters are stored locally in-memory on the node.\n- `cluster`: Counters are stored in the Kong data store and shared across\nthe nodes.\n- `redis`: Counters are stored on a Redis server and shared\nacross the nodes.\n\nIn DB-less, hybrid mode, and Konnect, the `cluster` config policy is not supported.\nFor DB-less mode or Konnect, use one of `redis` or `local`; for hybrid mode, use\n`redis`, or `local` for data planes only.\n\nFor details on which policy should be used, refer to the\n[implementation considerations](#implementation-considerations).", + "enum": [ + "cluster", + "local", + "redis" + ], + "examples": [ + "local" + ], + "minLength": 0, + "type": "string" + }, + "redis_database": { + "default": 0, + "description": "When using the `redis` policy, this property specifies the Redis database to use.", + "type": "integer" + }, + "redis_host": { + "description": "When using the `redis` policy, this property specifies the address to the Redis server.", + "type": "string" + }, + "redis_password": { + "description": "When using the 
`redis` policy, this property specifies the password to connect to the Redis server.", + "minLength": 0, + "type": "string" + }, + "redis_port": { + "default": 6379, + "description": "When using the `redis` policy, this property specifies the port of the Redis server. By default is `6379`.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "redis_server_name": { + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies the server name for the TLS extension Server Name Indication (SNI)", + "type": "string" + }, + "redis_ssl": { + "default": false, + "description": "When using the `redis` policy, this property specifies if SSL is used to connect to the Redis server.", + "type": "boolean" + }, + "redis_ssl_verify": { + "default": false, + "description": "When using the `redis` policy with `redis_ssl` set to `true`, this property specifies it server SSL certificate is validated. Note that you need to configure the lua_ssl_trusted_certificate to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.", + "type": "boolean" + }, + "redis_timeout": { + "default": 2000, + "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server.", + "type": "number" + }, + "redis_username": { + "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired. \n\nThis requires Redis v6.0.0+. 
The username **cannot** be set to `default`.", + "type": "string" + }, + "second": { + "description": "The number of HTTP requests that can be made per second.", + "examples": [ + 5 + ], + "minimum": 0, + "type": "number" + }, + "year": { + "description": "The number of HTTP requests that can be made per year.", + "minimum": 0, + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/request-size-limiting/2.8.json b/json_schemas/request-size-limiting/2.8.json new file mode 100644 index 00000000..9e6e804a --- /dev/null +++ b/json_schemas/request-size-limiting/2.8.json 
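Review bot: `config.fault_tolerant` defaults to `true`, and by its own description that means requests are proxied with rate limiting effectively disabled whenever the data store is unreachable, yet the description text never says that this fail-open behaviour is the default. I would add `Defaults to true, so limits are not enforced during a data store outage unless this is set to false.` to the description. Anyone relying on this plugin as an abuse control needs that stated next to the field. Separately, the `redis_ssl_verify` description has a typo: `specifies it server SSL certificate is validated` should read `specifies if the server SSL certificate is validated`.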
@@ -0,0 +1,115 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_payload_size": { + "default": 128, + "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", + "examples": [ + 128 + ], + "type": "integer" + }, + "require_content_length": { + "default": false, + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", + "examples": [ + false + ], + "type": "boolean" + }, + "size_unit": { + "default": "megabytes", + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", + "enum": [ + "bytes", + "kilobytes", + "megabytes" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. 
The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/request-termination/2.8.json b/json_schemas/request-termination/2.8.json new file mode 100644 index 00000000..340d9c22 --- /dev/null +++ b/json_schemas/request-termination/2.8.json 
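Review bot: `allowed_payload_size` in request-size-limiting/2.8.json is described as a size "in megabytes", but `size_unit` in the same `config` object can switch it to `bytes` or `kilobytes`, so the description is wrong whenever `size_unit` is set. An operator reading only this field could end up with a limit several orders of magnitude away from the intended one. I would reword it to `"Allowed request payload size, in the unit selected by size_unit (megabytes by default)."`. The field also has no `"minimum"`, so zero and negative values pass schema validation. Whether the plugin itself rejects them is not visible here, so a `"minimum": 0` bound should be confirmed against the plugin before it is added.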
@@ -0,0 +1,123 @@ +{ + "properties": { + "config": { + "properties": { + "body": { + "description": "The raw response body to send. This is mutually exclusive with the `config.message` field.", + "type": "string" + }, + "content_type": { + "description": "Content type of the raw response configured with `config.body`.", + "type": "string" + }, + "echo": { + "default": false, + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", + "type": "boolean" + }, + "message": { + "description": "The message to send, if using the default response generator.", + "examples": [ + "So long and thanks for all the fish!" + ], + "type": "string" + }, + "status_code": { + "default": 503, + "description": "The response code to send. Must be an integer between 100 and 599.", + "examples": [ + 403 + ], + "maximum": 599, + "minimum": 100, + "type": "integer" + }, + "trigger": { + "description": "When not set, the plugin always activates. When set to a string, the plugin will activate exclusively on requests containing either a header or a query parameter that is named the string.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. 
(Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/request-transformer-advanced/2.8.json b/json_schemas/request-transformer-advanced/2.8.json new file mode 100644 index 00000000..30b9464b --- /dev/null +++ b/json_schemas/request-transformer-advanced/2.8.json 
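Review bot: The `echo` and `trigger` descriptions in request-termination/2.8.json present the pair as a way to debug live systems, but `trigger` only matches on the presence of a header or query parameter with the configured name, so it is a selector and not an access control. With `echo` enabled, any request that carries that name gets a copy of itself reflected back, and the description should say so. I would append to the `echo` description: `Do not leave enabled outside a debugging session; the trigger name is not a secret.` Separately, `body` is documented as mutually exclusive with `config.message`, yet nothing in `config` expresses that, so a validator using this schema accepts both together.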
@@ -0,0 +1,385 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "body": { + "default": [ + + ], + "description": "List of `paramname:value` pairs. If and only if content-type is one the following: [`application/json, multipart/form-data`, `application/x-www-form-urlencoded`]; and the parameter is not present, add a new parameter with the given value to form-encoded body.\nIgnored if the parameter is already present.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "description": "List of `headername:value` pairs. If and only if the header is not already set,\nset a new header with the given value. Ignored if the header is already set.", + "examples": [ + [ + "x-another-header:something", + "x-new-header:value" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "description": "List of `queryname:value` pairs. If and only if the querystring name is not already set,\nset a new querystring with the given value. Ignored if the querystring name is already set.", + "examples": [ + [ + "another-param:some_value", + "new-param:some_value" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "allow": { + "properties": { + "body": { + "description": "Set of parameter names. If and only if content-type is one the following:\n[`application/json`, `multipart/form-data`, `application/x-www-form-urlencoded`]; allow only allowed parameters in the body.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "append": { + "properties": { + "body": { + "default": [ + + ], + "description": "List of `paramname:value` pairs. 
If the content-type is one the following: [`application/json`, `application/x-www-form-urlencoded`]; add a new parameter with the given value if the parameter is not present. Otherwise, if it is already present,\nthe two values (old and new) will be aggregated in an array.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "description": "List of `headername:value` pairs. If the header is not set, set it with the given value.\nIf it is already set, a new header with the same name and the new value will be set.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "description": "List of `queryname:value` pairs. If the querystring is not set, set it with the given value.\nIf it is already set, a new querystring with the same name and the new value will be set.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "http_method": { + "description": "Changes the HTTP method for the upstream request.", + "pattern": "^[A-Z]+$", + "type": "string" + }, + "remove": { + "properties": { + "body": { + "default": [ + + ], + "description": "List of parameter names. Remove the parameter if and only if content-type is one of the\nfollowing: [`application/json`, `multipart/form-data`, `application/x-www-form-urlencoded`]; and parameter is present.", + "examples": [ + [ + "formparam-another-one", + "formparam-toremove" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "description": "List of header names. Unset the headers with the given name.", + "examples": [ + [ + "x-another-one", + "x-toremove" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "description": "List of querystring names. 
Remove the querystring if it is present.", + "examples": [ + [ + "qs-old-name:qs-new-name", + "qs2-old-name:qs2-new-name" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "rename": { + "properties": { + "body": { + "default": [ + + ], + "description": "List of parameter `name:value` pairs. Rename the parameter name if and only if content-type is\none of the following: [`application/json`, `multipart/form-data`, `application/x-www-form-urlencoded`]; and parameter is present.", + "examples": [ + [ + "param-old:param-new", + "param2-old:param2-new" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "description": "List of `headername:value` pairs. If and only if the header is already set,\nrename the header. The value is unchanged. Ignored if the header is not already set.", + "examples": [ + [ + "another-old-name:another-new-name", + "header-old-name:header-new-name" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "description": "List of `queryname:value` pairs. If and only if the field name is already set,\nrename the field name. The value is unchanged. Ignored if the field name is not already set.", + "examples": [ + [ + "qs-old-name:qs-new-name", + "qs2-old-name:qs2-new-name" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "replace": { + "properties": { + "body": { + "default": [ + + ], + "description": "List of paramname:value pairs. If and only if content-type is one the\nfollowing: [`application/json`, `multipart/form-data`, `application/x-www-form-urlencoded`];\nand the parameter is already present, replace its old value with the new one. 
Ignored if the parameter is not already present.", + "examples": [ + [ + "body-param1:new-value-1", + "body-param2:new-value-2" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "description": "List of headername:value pairs. If and only if the header is already set,\nreplace its old value with the new one. Ignored if the header is not already set.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "description": "List of queryname:value pairs. If and only if the querystring name is already set,\nreplace its old value with the new one. Ignored if the header is not already set.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "uri": { + "description": "Updates the upstream request URI with given value. This value can only\nbe used to update the path part of the URI; not the scheme, nor the hostname.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "shorthands": { + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/request-transformer/2.8.json b/json_schemas/request-transformer/2.8.json new file mode 100644 index 00000000..a2e5c78a --- /dev/null +++ b/json_schemas/request-transformer/2.8.json 
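Review bot: The `headers` items under `add`, `append`, `rename` and `replace` in request-transformer-advanced/2.8.json are unconstrained strings, while request-transformer/2.8.json later in this patch constrains the same `headername:value` entries with `"pattern": "^[^:]+:.*$"`. Without it, an entry with no colon passes schema validation for the advanced plugin. I would add the same `"pattern"` line to those four `items` objects, unless the advanced plugin deliberately accepts a different syntax. Two documentation slips are also visible. The `remove.querystring` example lists `qs-old-name:qs-new-name` pairs although the field takes bare names, and the same example appears in request-transformer/2.8.json. The `replace.querystring` description ends with "Ignored if the header is not already set" where it means the querystring name.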
@@ -0,0 +1,375 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "body": { + "default": [ + + ], + "description": "List of `paramname:value` pairs. If and only if content-type is one the\nfollowing [`application/json`, `multipart/form-data`, `application/x-www-form-urlencoded`]\nand the parameter is not present, add a new parameter with the given value to the form-encoded\nbody. Ignored if the parameter is already present.", + "examples": [ + [ + "another-form-param:some_value", + "new-form-param:some_value" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "description": "List of `headername:value` pairs. If and only if the header is not already set, set a new header\nwith the given value. Ignored if the header is already set.", + "examples": [ + [ + "x-another-header:something", + "x-new-header:value" + ] + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "description": "List of `queryname:value` pairs. If and only if the querystring is not already set, set a new\nquerystring with the given value. Ignored if the querystring is already set.", + "examples": [ + [ + "another-param:some_value", + "new-param:some_value" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "append": { + "properties": { + "body": { + "default": [ + + ], + "description": "List of `paramname:value` pairs. If the content-type is one the following\n[`application/json`, `application/x-www-form-urlencoded`], add a new parameter\nwith the given value if the parameter is not present. 
Otherwise, if it is already present,\naggregate the two values (old and new) in an array.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "description": "List of `headername:value` pairs. If the header is not set, set it with the given value.\nIf it is already set, an additional new header with the same name and the new value will be appended.", + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "description": "List of `queryname:value` pairs. If the querystring is not set, set it with the given value. If it is already set, a new querystring with the same name and the new value will be set.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "http_method": { + "description": "Sets the HTTP method for the upstream request.", + "pattern": "^[A-Z]+$", + "type": "string" + }, + "remove": { + "properties": { + "body": { + "default": [ + + ], + "description": "List of parameter names. Remove the parameter if and only if content-type is one the following:\n[`application/json`, `multipart/form-data`, `application/x-www-form-urlencoded`] and the parameter is present.", + "examples": [ + [ + "formparam-another-one", + "formparam-toremove" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "description": "List of header names. Unset the headers with the given name.", + "examples": [ + [ + "x-another-one", + "x-toremove" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "description": "List of querystring names. 
Remove the querystring if it is present.", + "examples": [ + [ + "qs-old-name:qs-new-name", + "qs2-old-name:qs2-new-name" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "rename": { + "properties": { + "body": { + "default": [ + + ], + "description": "List of `paramname:value` pairs. Rename the parameter name if and only if\ncontent-type is one the following [`application/json`, `multipart/form-data`, `application/x-www-form-urlencoded`]\nand the parameter is present.", + "examples": [ + [ + "param-old:param-new", + "param2-old:param2-new" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "description": "List of `headername:value` pairs. If and only if the header is already set, rename\nthe header. The value is unchanged. Ignored if the header is not already set.", + "examples": [ + [ + "another-old-name:another-new-name", + "header-old-name:header-new-name" + ] + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "description": "List of queryname:value pairs. If and only if the field name is already set, rename the field name.\nThe value is unchanged. Ignored if the field name is not already set.", + "examples": [ + [ + "qs-old-name:qs-new-name", + "qs2-old-name:qs2-new-name" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "replace": { + "properties": { + "body": { + "default": [ + + ], + "description": "List of `paramname:value` pairs. If and only if content-type is one the following\n[`application/json`, `multipart/form-data`, `application/x-www-form-urlencoded`] and the\nparameter is already present, replace its old value with the new one. 
Ignored if\nthe parameter is not already present.", + "examples": [ + [ + "body-param1:new-value-1", + "body-param2:new-value-2" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "description": "List of `headername:value` pairs. If and only if the header is already set, replace\nits old value with the new one. Ignored if the header is not already set.", + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "description": "List of `queryname:value pairs`. If and only if the field name is already set,\nreplace its old value with the new one. Ignored if the field name is not already set.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "uri": { + "description": "Updates the upstream request URI with a given value. This value can be used to update\nonly the path part of the URI, not the scheme or the hostname.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/request-validator/2.8.json b/json_schemas/request-validator/2.8.json new file mode 100644 index 00000000..92f02747 --- /dev/null +++ b/json_schemas/request-validator/2.8.json 
@@ -0,0 +1,147 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_content_types": { + "default": [ + "application/json" + ], + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.\n\n{:.note}\n> **Notes:** \n* Body validation is only done for `application/json` and skipped for any other allowed content types.\n* Only one parameter is supported. If a request sends more than one parameter with the Content-Type header, only the first parameter is evaluated and the rest are truncated.\nThe type, subtype, parameter names, and the value of the charset parameter are not case sensitive based on the RFC explanation.\n* Parameter does not need to be explicitly configured to allow a request passed with a parameter content-type. The parameter is checked only if the request carries the parameter and it's explicitly configured. For example, a request with `application/json; charset=UTF-8` is to be considered valid for `application/json`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "body_schema": { + "description": "The request body schema specification. One of `body_schema` or `parameter_schema`\nmust be specified.", + "examples": [ + "[{\"name\":{\"type\": \"string\", \"required\": true}}]" + ], + "type": "string" + }, + "parameter_schema": { + "description": "Array of parameter validator specifications. For details and examples, see\n[Parameter Schema Definition](#parameter-schema-definition). 
One of `body_schema` or `parameter_schema`\nmust be specified.", + "items": { + "properties": { + "explode": { + "type": "boolean" + }, + "in": { + "enum": [ + "header", + "path", + "query" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "required": { + "type": "boolean" + }, + "schema": { + "type": "string" + }, + "style": { + "enum": [ + "deepObject", + "form", + "label", + "matrix", + "pipeDelimited", + "simple", + "spaceDelimited" + ], + "type": "string" + } + }, + "required": [ + "in", + "name", + "required" + ], + "type": "object" + }, + "type": "array" + }, + "verbose_response": { + "default": false, + "description": "If enabled, the plugin returns more verbose and detailed validation errors\n(for example, the name of the required field that is missing).", + "type": "boolean" + }, + "version": { + "default": "kong", + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema\nvalidator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", + "enum": [ + "draft4", + "kong" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/response-ratelimiting/2.8.json b/json_schemas/response-ratelimiting/2.8.json new file mode 100644 index 00000000..71feb4e6 --- /dev/null +++ b/json_schemas/response-ratelimiting/2.8.json 
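Review bot: `body_schema` and `parameter_schema` in request-validator/2.8.json are both documented as "One of `body_schema` or `parameter_schema` must be specified", but `config` has an empty `required` list and no `anyOf`, so this schema accepts a configuration that names neither. A tool that validates plugin configs against this file would pass a request-validator instance that has nothing to validate requests against. Whether the gateway itself rejects such a config cannot be seen from the schema. I would add `"anyOf": [{"required": ["body_schema"]}, {"required": ["parameter_schema"]}]` to the `config` object. The `verbose_response` description could also note that detailed validation errors are returned to the client, so the `false` default is the safer setting for public routes.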
@@ -0,0 +1,172 @@ +{ + "properties": { + "config": { + "properties": { + "block_on_first_violation": { + "default": false, + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", + "type": "boolean" + }, + "fault_tolerant": { + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", + "type": "boolean" + }, + "header_name": { + "default": "x-kong-limit", + "description": "The name of the response header used to increment the counters.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers.", + "type": "boolean" + }, + "limit_by": { + "default": "consumer", + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", + "enum": [ + "consumer", + "credential", + "ip" + ], + "type": "string" + }, + "limits": { + "additionalProperties": true, + "examples": { + "limit_name": { + "minute": 10 + } + }, + "minLength": 1, + "type": "object" + }, + "policy": { + "default": "cluster", + "description": "The rate-limiting policies to use for retrieving and incrementing the\nlimits. 
Available values are:\n- `local`: Counters are stored locally in-memory on the node.\n- `cluster`: Counters are stored in the Kong datastore and shared across\nthe nodes.\n- `redis`: Counters are stored on a Redis server and shared\nacross the nodes.\n\nIn DB-less, hybrid mode, and Konnect, the `cluster` config policy is not supported.\nFor DB-less mode or Konnect, use one of `redis` or `local`; for hybrid mode, use\n`redis`, or `local` for data planes only.\n\nFor details on which policy should be used, refer to the\n[implementation considerations](/hub/kong-inc/rate-limiting/#implementation-considerations).", + "enum": [ + "cluster", + "local", + "redis" + ], + "examples": [ + "local" + ], + "type": "string" + }, + "redis_database": { + "default": 0, + "description": "When using the `redis` policy, this property specifies Redis database to use.", + "type": "number" + }, + "redis_host": { + "description": "When using the `redis` policy, this property specifies the address to the Redis server.", + "type": "string" + }, + "redis_password": { + "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", + "minLength": 0, + "type": "string" + }, + "redis_port": { + "default": 6379, + "description": "When using the `redis` policy, this property specifies the port of the Redis server.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "redis_timeout": { + "default": 2000, + "description": "When using the `redis` policy, this property specifies the timeout in milliseconds of any command submitted to the Redis server.", + "type": "number" + }, + "redis_username": { + "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.\nThis requires Redis v6.0.0+. 
The username **cannot** be set to `default`.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/response-transformer-advanced/2.8.json b/json_schemas/response-transformer-advanced/2.8.json new file mode 100644 index 00000000..daa27893 --- /dev/null +++ b/json_schemas/response-transformer-advanced/2.8.json 
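Review bot: `config.limits` is declared `"type": "object"` but is constrained with `"minLength": 1`, a keyword that JSON Schema applies only to strings, so an empty `limits` object passes validation and the plugin would be accepted with nothing to limit. For an object the matching constraint is `"minProperties": 1`. The same pairing appears on `config.rules[].condition` in json_schemas/route-by-header/2.8.json. These files look like they are pulled from an API rather than hand-written, so the fix probably belongs in the export step that maps the length constraint, not in the checked-in JSON. `limits` is also the only field in this `config` block without a `description`.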
@@ -0,0 +1,461 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "headers": { + "default": [ + + ], + "description": "List of `headername:value` pairs. If and only if the header is not already set, set a new header with the given value. Ignored if the header is already set.", + "examples": [ + [ + "x-another-header:something", + "x-new-header:value" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "description": "List of response status codes or status code ranges to which the transformation will apply. Empty means all response codes.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "description": "List of `name:value` pairs. If and only if the property is not present, add a new property with the given value to the JSON body. Ignored if the property is already present.", + "examples": [ + [ + "another-json-key:some_value", + "new-json-key:some_value" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when adding a new JSON property.", + "examples": [ + [ + "boolean", + "number", + "string" + ] + ], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "allow": { + "properties": { + "json": { + "description": "Set of parameter names. Only allowed parameters are present in the JSON response body.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "append": { + "properties": { + "headers": { + "default": [ + + ], + "description": "List of `headername:value` pairs. 
If the header is not set, set it with the given value. If it is already set, a new header with the same name and the new value will be set.", + "examples": [ + [ + "x-another-header:some_value", + "x-existing-header:some_value" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "description": "List of response status codes or status code ranges to which the transformation will apply. Empty means all response codes.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "description": "List of `name:value` pairs. If the property is not present in the JSON body, add it with the given value. If it is already present, the two values (old and new) will be aggregated in an array.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending JSON properties.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "dots_in_keys": { + "default": true, + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects).", + "type": "boolean" + }, + "remove": { + "properties": { + "headers": { + "default": [ + + ], + "description": "List of `headername[:value]`. If only `headername` is given, unset the header field with the given `headername`. If `headername:value` is given, unset the header field `headername` when it has a specific `value`. If `value` starts and ends with a `/` (slash character), then it is considered to be a regular expression. 
Note that in accordance with [RFC 7230](https://httpwg.org/specs/rfc7230.html#field.order) multiple header values with the same header name are allowed if the entire field value for that header field is defined as a comma-separated list or the header field is a `Set-Cookie` header field.", + "examples": [ + [ + "Set-Cookie:/JSESSIONID=.*/", + "x-another-one:application/json", + "x-another-regex://status/$/", + "x-list-of-values:v1,v2,v3", + "x-one-more-regex:/^/begin//", + "x-toremove" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "description": "List of response status codes or status code ranges to which the transformation will apply. Empty means all response codes.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "description": "List of property names. Remove the property from the JSON body if it is present.", + "examples": [ + [ + "another-json-key", + "json-key-toremove" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "rename": { + "properties": { + "headers": { + "default": [ + + ], + "description": "List of `headername1:headername2` pairs. If a header with `headername1` exists and `headername2` is valid, rename header to `headername2`.", + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "description": "List of response status codes or status code ranges to which the transformation will apply. 
Empty means all response codes.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "replace": { + "properties": { + "body": { + "description": "String with which to replace the entire response body.", + "type": "string" + }, + "headers": { + "default": [ + + ], + "description": "List of `headername:value` pairs. If and only if the header is already set, replace its old value with the new one. Ignored if the header is not already set.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "description": "List of response status codes or status code ranges to which the transformation will apply. Empty means all response codes.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "description": "List of property `name:value` pairs. If and only if the parameter is already present, replace its old value with the new one. Ignored if the parameter is not already present.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when replacing JSON properties.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "transform": { + "properties": { + "functions": { + "default": [ + + ], + "description": "Set of Lua functions to perform arbitrary transforms in a response JSON body.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "description": "List of response status codes or ranges to which the arbitrary transformation applies. 
Leaving empty implies that the transformations apply to all response codes.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "description": "Apply Lua functions to a particular list of JSON property `name` or `name:value` pairs.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "shorthands": { + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/response-transformer/2.8.json b/json_schemas/response-transformer/2.8.json new file mode 100644 index 00000000..c8e313fb --- /dev/null +++ b/json_schemas/response-transformer/2.8.json 
@@ -0,0 +1,344 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "headers": { + "default": [ + + ], + "description": "List of `headername:value` pairs. If and only if the header is not already set, set a new header with the given value. Ignored if the header is already set.", + "examples": [ + [ + "x-another-header:something", + "x-new-header:value" + ] + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "description": "List of `property:value` pairs. If and only if the property is not present, add a new property with the given value to the JSON body. Ignored if the property is already present.", + "examples": [ + [ + "another-json-key:some_value", + "new-json-key:some_value" + ] + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when adding\na new JSON property. Each string element can be one of: boolean, number, or string.", + "examples": [ + [ + "boolean", + "number", + "string" + ] + ], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "append": { + "properties": { + "headers": { + "default": [ + + ], + "description": "List of `headername:value` pairs. If the header is not set, set it with the given value. If it is\nalready set, a new header with the same name and the new value will be set. 
Each string\nelement can be one of: boolean, number, or string.", + "examples": [ + [ + "x-another-header:some_value", + "x-existing-header:some_value" + ] + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "description": "List of `property:value` pairs. If the property is not present in the JSON body, add it with the given value. If it is already present, the two values (old and new) will be aggregated in an array.", + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "remove": { + "properties": { + "headers": { + "default": [ + + ], + "description": "List of header names. Unset the header(s) with the given name.", + "examples": [ + [ + "x-another-one", + "x-toremove" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "description": "List of property names. Remove the property from the JSON body if it is present.", + "examples": [ + [ + "another-json-key", + "json-key-toremove" + ] + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "rename": { + "properties": { + "headers": { + "default": [ + + ], + "description": "List of `original_header_name:new_header_name` pairs. If the header `original_headername` is already set, rename it to `new_headername`. 
Ignored if the header is not already set.", + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "replace": { + "properties": { + "headers": { + "default": [ + + ], + "description": "List of `headername:value` pairs. If and only if the header is already set, replace its old value with the new one. Ignored if the header is not already set.", + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "description": "List of `property:value` pairs. If and only if the parameter is already present, replace its old value with the new one. Ignored if the parameter is not already present.", + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when\nreplacing JSON properties. Each string\nelement can be one of: boolean, number, or string.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. 
(Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/route-by-header/2.8.json b/json_schemas/route-by-header/2.8.json new file mode 100644 index 00000000..47b888ba --- /dev/null +++ b/json_schemas/route-by-header/2.8.json 
@@ -0,0 +1,101 @@ +{ + "properties": { + "config": { + "properties": { + "rules": { + "default": [ + + ], + "description": "List of [rules](#rules)", + "examples": [ + [ + { + "condition": { + "location": "us-east" + }, + "upstream_name": "bar.domain.com" + } + ] + ], + "items": { + "properties": { + "condition": { + "additionalProperties": true, + "minLength": 1, + "type": "object" + }, + "upstream_name": { + "type": "string" + } + }, + "required": [ + "condition", + "upstream_name" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/route-transformer-advanced/2.8.json b/json_schemas/route-transformer-advanced/2.8.json new file mode 100644 index 00000000..a0c9a9ce --- /dev/null +++ b/json_schemas/route-transformer-advanced/2.8.json 
@@ -0,0 +1,87 @@ +{ + "properties": { + "config": { + "properties": { + "escape_path": { + "default": false, + "description": "If set to true, the path is escaped after being transformed.", + "type": "boolean" + }, + "host": { + "description": "Updates the upstream request Host with given value/template. This value can only be used to update the routing, it will not update the Host-header value. One of `config.path` or `config.host` or `config.port` must be specified.", + "type": "string" + }, + "path": { + "description": "Updates the upstream request path with given value/template. This value can only be used to update the path part of the URI, not the scheme, nor the hostname. One of `config.path` or `config.host` or `config.port` must be specified.", + "examples": [ + "/path" + ], + "type": "string" + }, + "port": { + "description": "Updates the upstream request Port with given value/template. Note that the port as set may be overridden again by DNS resolution (in case of SRV records,or an Upstream) One of `config.path` or `config.host` or `config.port` must be specified.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/session/2.8.json b/json_schemas/session/2.8.json new file mode 100644 index 00000000..d98bc182 --- /dev/null +++ b/json_schemas/session/2.8.json 
@@ -0,0 +1,154 @@ +{ + "properties": { + "config": { + "properties": { + "cookie_discard": { + "default": 10, + "description": "The duration in seconds after which an old session’s TTL is updated that an old cookie is discarded.", + "type": "number" + }, + "cookie_domain": { + "description": "The domain with which the cookie is intended to be exchanged.", + "type": "string" + }, + "cookie_httponly": { + "default": true, + "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server. See the\n[Restrict access to cookies docs on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Restrict_access_to_cookies).", + "type": "boolean" + }, + "cookie_idletime": { + "description": "The cookie idle time (in seconds); if a cookie is not used for this time\nperiod, the session becomes invalid. This value is not set by default,\nmeaning idle time checks are disabled.", + "type": "number" + }, + "cookie_lifetime": { + "default": 3600, + "description": "The duration in seconds that the session will remain open.", + "type": "number" + }, + "cookie_name": { + "default": "session", + "description": "The name of the cookie.", + "type": "string" + }, + "cookie_path": { + "default": "/", + "description": "The resource in the host where the cookie is available.", + "type": "string" + }, + "cookie_renew": { + "default": 600, + "description": "The remaining duration in seconds of a session at which point the Plugin renews the session.", + "type": "number" + }, + "cookie_samesite": { + "default": "Strict", + "description": "Determines whether and how a cookie may be sent with cross-site requests. \n\n\n* `Strict`: The browser sends cookies only if the request originated from the website that set the cookie.\n* `Lax`: Same-site cookies are withheld on cross-domain subrequests, but are sent when a user navigates\nto the URL from an external site, for example, by following a link. 
\n* `None` or `off`: Disables the same-site attribute so that a cookie may be sent with cross-site requests. \n`None` requires the Secure attribute (`cookie_secure`) in latest browser versions. For more information, \nsee the [SameSite cookies docs on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite).", + "enum": [ + "Lax", + "None", + "Strict", + "off" + ], + "type": "string" + }, + "cookie_secure": { + "default": true, + "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted\nrequest over the HTTPS protocol. See the\n[Restrict access to cookies docs on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Restrict_access_to_cookies).", + "type": "boolean" + }, + "logout_methods": { + "default": [ + "DELETE", + "POST" + ], + "description": "The methods that may be used to end sessions: POST, DELETE, GET.", + "items": { + "enum": [ + "DELETE", + "GET", + "POST" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "logout_post_arg": { + "default": "session_logout", + "description": "The POST argument passed to logout requests. Do not change this property.", + "type": "string" + }, + "logout_query_arg": { + "default": "session_logout", + "description": "The query argument passed to logout requests.", + "type": "string" + }, + "secret": { + "default": "UnXKQHe8y4hyiLqpH0BX9pSz4blZuZvIFhg11Zv87dEe", + "description": "The secret that is used in keyed HMAC generation.", + "examples": [ + "opensesame" + ], + "type": "string" + }, + "storage": { + "default": "cookie", + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database\nstrategy; the cookie will not contain any session data. 
`cookie`: Stores encrypted\nsession data within the cookie itself.", + "enum": [ + "cookie", + "kong" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/statsd-advanced/2.8.json b/json_schemas/statsd-advanced/2.8.json new file mode 100644 index 00000000..7591ce2b --- /dev/null +++ b/json_schemas/statsd-advanced/2.8.json 
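Review bot: `config.secret` is published with a fixed literal as its `"default"`, even though the field is described as the key for HMAC generation. The value looks like one generated on the instance the schema was downloaded from (an inference, worth confirming against the plugin source), in which case it is not a real default, and anyone who copies it from the docs ends up with a session-signing key that is public. I would strip the `default` key from `secret` during the download step. The description could state how the secret is chosen when the field is left unset. The `"examples": ["opensesame"]` entry also models a weak value; a placeholder such as `"<random-string-of-32+-bytes>"` would be safer. If the exporting instance is anything other than a throwaway, treat its session secret as exposed and rotate it.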
@@ -0,0 +1,206 @@ +{ + "properties": { + "config": { + "properties": { + "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", + "examples": [ + [ + "200-205", + "400-499" + ] + ], + "items": { + "pattern": "^[0-9]+-[0-9]+$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "host": { + "default": "localhost", + "description": "The IP address or hostname of the StatsD server.", + "examples": [ + "127.0.0.1" + ], + "type": "string" + }, + "hostname_in_prefix": { + "default": false, + "description": "Include the `hostname` in the `prefix` for each metric name.", + "type": "boolean" + }, + "metrics": { + "default": [ + { + "consumer_identifier": "custom_id", + "name": "cache_datastore_misses_total", + "sample_rate": 1, + "service_identifier": "service_name_or_host", + "stat_type": "counter", + "workspace_identifier": "workspace_id" + } + ], + "description": "List of Metrics to be logged. Available values are described under [Metrics](#metrics).", + "items": { + "properties": { + "consumer_identifier": { + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "enum": [ + "cache_datastore_hits_total", + "cache_datastore_misses_total", + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "shdict_usage", + "status_count", + "status_count_per_user", + "status_count_per_user_per_route", + "status_count_per_workspace", + "unique_users", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "minimum": 0, + "type": "number" + }, + "service_identifier": { + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "stat_type": { + "enum": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + }, + "workspace_identifier": { + "enum": [ + "workspace_id", + "workspace_name" + ], + 
"type": "string" + } + }, + "required": [ + "name", + "stat_type" + ], + "type": "object" + }, + "type": "array" + }, + "port": { + "default": 8125, + "description": "The port of the StatsD server.", + "examples": [ + 8125 + ], + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to prefix to each metric's name.", + "type": "string" + }, + "udp_packet_size": { + "default": 0, + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the\nUDP packet. Must be a number between 0 and 65507 (inclusive).", + "maximum": 65507, + "minimum": 0, + "type": "number" + }, + "use_tcp": { + "default": false, + "description": "Use TCP instead of UDP.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/statsd/2.8.json b/json_schemas/statsd/2.8.json new file mode 100644 index 00000000..4df6aa3a --- /dev/null +++ b/json_schemas/statsd/2.8.json 
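Review bot: The `consumer` description in this hunk reads "requests where the specified has been authenticated", so the noun is missing and the sentence does not say what must be authenticated; the same text recurs in the `statsd`, `syslog`, `tcp-log`, `udp-log` and `upstream-timeout` 2.8 hunks that follow. I would make it `where the specified consumer has been authenticated`, matching the `consumer_group` entry next to it. Since the commit message says these files are pulled from the API, the correction presumably belongs in the upstream plugin schema rather than in this file. Separately, `udp_packet_size` is declared `"type": "number"` although its bounds describe a byte count; `"type": "integer"`, as already used for `port`, would reject fractional sizes.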
@@ -0,0 +1,175 @@ +{ + "properties": { + "config": { + "properties": { + "host": { + "default": "localhost", + "description": "The IP address or hostname of StatsD server to send data to.", + "examples": [ + "127.0.0.1" + ], + "type": "string" + }, + "metrics": { + "default": [ + { + "consumer_identifier": "custom_id", + "name": "status_count_per_user", + "sample_rate": 1, + "stat_type": "counter" + } + ], + "description": "List of metrics to be logged. Available values are described under [Metrics](#metrics).", + "items": { + "properties": { + "consumer_identifier": { + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "enum": [ + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "status_count", + "status_count_per_user", + "unique_users", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "minimum": 0, + "type": "number" + }, + "stat_type": { + "enum": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + } + }, + "required": [ + "name", + "stat_type" + ], + "type": "object" + }, + "type": "array" + }, + "port": { + "default": 8125, + "description": "The port of StatsD server to send data to.", + "examples": [ + 8125 + ], + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to prefix to each metric's name.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
diff --git a/json_schemas/syslog/2.8.json b/json_schemas/syslog/2.8.json
new file mode 100644
index 00000000..8b7ef182
--- /dev/null
+++ b/json_schemas/syslog/2.8.json
@@ -0,0 +1,187 @@ +{ + "properties": { + "config": { + "properties": { + "client_errors_severity": { + "default": "info", + "description": "An optional logging severity assigned to all the failed requests with a\nresponse status code 400 or higher but less than 500. Available options: `debug`, `info`, `notice`,\n `warning`, `err`, `crit`, `alert`, `emerg`.", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "A list of key-value pairs, where the key is the name of a log field and\nthe value is a chunk of Lua code, whose return value sets or replaces\nthe log field value.", + "type": "object" + }, + "facility": { + "description": "The facility is used by the operating system to decide how to handle each log message. This\noptional argument defines what must be the facility set by the plugin when logging. Available\noptions: `auth`, `authpriv`, `cron`, `daemon`, `ftp`, `kern`, `lpr`, `mail`, `news`, `syslog`,\n`user`, `uucp`, `local0`, `local1`, `local2`, `local3`, `local4`, `local5`, `local6`, `local7`.", + "enum": [ + "auth", + "authpriv", + "cron", + "daemon", + "ftp", + "kern", + "local0", + "local1", + "local2", + "local3", + "local4", + "local5", + "local6", + "local7", + "lpr", + "mail", + "news", + "syslog", + "user", + "uucp" + ], + "type": "string" + }, + "log_level": { + "default": "info", + "description": "An optional logging severity. Any request with equal or higher severity\nwill be logged to System log. 
Available options: `debug`, `info`, `notice`, `warning`, `err`, `crit`, `alert`, `emerg`.", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "examples": [ + "info" + ], + "type": "string" + }, + "server_errors_severity": { + "default": "info", + "description": "An optional logging severity assigned to all the failed requests with a\nresponse status code 500 or higher. Available options: `debug`, `info`, `notice`, `warning`, `err`, `crit`, `alert`, `emerg`.", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "successful_severity": { + "default": "info", + "description": "An optional logging severity assigned to all the successful requests with a response\nstatus code less then 400. Available options: `debug`, `info`, `notice`, `warning`, `err`, `crit`, `alert`, `emerg`.", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/tcp-log/2.8.json b/json_schemas/tcp-log/2.8.json new file mode 100644 index 00000000..a2586a49 --- /dev/null +++ b/json_schemas/tcp-log/2.8.json 
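Review bot: `custom_fields_by_lua` is an open object (`"additionalProperties": true`) whose values are, by its own description, chunks of Lua code whose return value becomes the log field, and nothing in the description says that write access to this plugin's configuration therefore amounts to running code inside the gateway. I would add a sentence such as `Values are executed as Lua by the gateway; restrict who can create or edit this plugin accordingly.` and, if the upstream schema permits, narrow the values with `"additionalProperties": { "type": "string" }`. Whatever sandboxing the gateway applies to this code is not visible in the hunk and would be worth linking from the description. The same field appears with identical text in the `tcp-log` and `udp-log` 2.8 hunks. A smaller wording point: `successful_severity` says "less then 400", which should read "less than 400".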
@@ -0,0 +1,133 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "A list of key-value pairs, where the key is the name of a log field and\nthe value is a chunk of Lua code, whose return value sets or replaces\nthe log field value.", + "type": "object" + }, + "host": { + "description": "The IP address or host name to send data to.", + "examples": [ + "127.0.0.1" + ], + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "number" + }, + "port": { + "description": "The port to send data to on the upstream server.", + "examples": [ + 9999 + ], + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + }, + "tls": { + "default": false, + "description": "Indicates whether to perform a TLS handshake against the remote server.", + "type": "boolean" + }, + "tls_sni": { + "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. 
(Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/udp-log/2.8.json b/json_schemas/udp-log/2.8.json new file mode 100644 index 00000000..46480e68 --- /dev/null +++ b/json_schemas/udp-log/2.8.json 
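Review bot: `tls` defaults to `false`, and its description does not state the consequence: with the default, log data goes to `host`:`port` over plain TCP. Request logs typically carry client addresses and headers, and `custom_fields_by_lua` can add more, so I would append `When false (default), log data is sent unencrypted; enable it for any collector that is not on a trusted network.` to the description. The schema exposes `tls_sni` but no option for verifying the server certificate, so whether the collector's certificate is checked cannot be told from this hunk and deserves a sentence in the docs. `host` and `port` have no default while `config.required` is empty, which presumably under-describes what the plugin needs in order to start.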
@@ -0,0 +1,122 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "A list of key-value pairs, where the key is the name of a log field and\nthe value is a chunk of Lua code, whose return value sets or replaces\nthe log field value.", + "type": "object" + }, + "host": { + "description": "The IP address or host name to send data to.", + "examples": [ + "127.0.0.1" + ], + "type": "string" + }, + "port": { + "description": "The port to send data to on the upstream server.", + "examples": [ + 9999 + ], + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "examples": [ + 10000 + ], + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. 
The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/upstream-timeout/2.8.json b/json_schemas/upstream-timeout/2.8.json new file mode 100644 index 00000000..fb4cb775 --- /dev/null +++ b/json_schemas/upstream-timeout/2.8.json 
@@ -0,0 +1,116 @@ +{ + "properties": { + "config": { + "properties": { + "connect_timeout": { + "description": "The timeout, in milliseconds, for establishing a connection to the upstream server.\nOverrides the service object [`connect_timeout`](/gateway/latest/how-kong-works/routing-traffic/#proxying-and-upstream-timeouts) setting, if the setting exists.", + "examples": [ + 4000 + ], + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "description": "The timeout, in milliseconds, between two\nsuccessive read operations when receiving a response from the upstream server.\nOverrides the service object [`read_timeout`](/gateway/latest/how-kong-works/routing-traffic/#proxying-and-upstream-timeouts) setting, if the setting exists.", + "examples": [ + 5000 + ], + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "description": "The timeout, in milliseconds, between two\nsuccessive write operations when sending a request to the upstream server.\nOverrides the service object [`write_timeout`](/gateway/latest/how-kong-works/routing-traffic/#proxying-and-upstream-timeouts) setting, if the setting exists.", + "examples": [ + 5000 + ], + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. 
(Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/vault-auth/2.8.json b/json_schemas/vault-auth/2.8.json new file mode 100644 index 00000000..7eb2c7b0 --- /dev/null +++ b/json_schemas/vault-auth/2.8.json 
@@ -0,0 +1,104 @@ +{ + "properties": { + "config": { + "properties": { + "access_token_name": { + "default": "access_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "string" + }, + "anonymous": { + "description": "An optional string (consumer UUID) value to use as an anonymous consumer if authentication fails.\nIf empty (default), the request fails with an authentication failure `4xx`. Note that this value\nmust refer to the consumer `id` attribute that is internal to Kong Gateway, and **not** its `custom_id`.", + "legacy": true, + "type": "string", + "uuid": true + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", + "type": "boolean" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" + }, + "secret_token_name": { + "default": "secret_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. 
The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "string" + }, + "tokens_in_body": { + "default": false, + "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "vault": { + "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", + "examples": { + "id": "00000000-0000-0000-0000-000000000000" + }, + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/zipkin/2.8.json b/json_schemas/zipkin/2.8.json new file mode 100644 index 00000000..4c3da7ff --- /dev/null +++ b/json_schemas/zipkin/2.8.json 
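Review bot: `access_token_name` and `secret_token_name` are declared `"type": "string"` yet carry an `items` keyword and a description that speaks of "an array of comma-separated parameter names", so a validator built from this file accepts any single string and ignores `items`. The description also limits key names to `[a-z]`, `[A-Z]`, `[0-9]`, `[_]` and `[-]`, but no `pattern` enforces that. If an array is what the plugin takes, `"type": "array"` with `"items": { "type": "string", "pattern": "^[A-Za-z0-9_-]+$" }` (and an array-valued `default`) would express both constraints; if a string is correct, `items` should be dropped and the description reworded. `vault.examples` is an object here, whereas `examples` is an array in the other hunks shown. Because the tokens may be sent in the querystring and `hide_credentials` defaults to `false`, the description could state plainly that the credentials are forwarded to the upstream service unless it is set to `true`.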
@@ -0,0 +1,175 @@ +{ + "properties": { + "config": { + "properties": { + "default_header_type": { + "default": "b3", + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers\nand when `config.header_type` is set to `\"preserve\"`.\nWhen `header_type` is set to any other value, `default_header_type` is ignored.\n\nPossible values are `b3`, `b3-single`, `w3c`, `jaeger`, or `ot`.\nSee the entry for `header_type` for value definitions.", + "enum": [ + "b3", + "b3-single", + "jaeger", + "ot", + "w3c" + ], + "type": "string" + }, + "default_service_name": { + "description": "Set a default service name to override `unknown-service-name` in the \nZipkin spans.", + "type": "string" + }, + "header_type": { + "default": "preserve", + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request.\nThis property codifies what kind of tracing header the plugin expects on incoming requests.\n\nPossible values: `b3`, `b3-single`, `w3c`, `preserve`, `jaeger`, `ot`, or `ignore`.\n* `b3`: Expects [Zipkin's B3 multiple headers](https://github.com/openzipkin/b3-propagation#multiple-headers)\non incoming requests, and will add them to the transmitted requests if the headers are missing from those requests.\n* `b3-single`: Expects or adds Zipkin's B3 single-header tracing headers.\n* `w3c`: Expects or adds W3C's traceparent tracing header.\n* `preserve`: Does not expect any format, and will transmit whatever header is recognized or present,\nwith a default of `b3` if none is found. 
In case of a mismatch between the expected and incoming\ntracing headers (for example, when `header_type` is set to `b3` but a w3c-style tracing header is\nfound in the incoming request), then the plugin will add both kinds of tracing headers\nto the request and generate a mismatch warning in the logs.\n* `jaeger`: Expects or adds\n[Jaeger-style tracing headers](https://www.jaegertracing.io/docs/1.22/client-libraries/#propagation-format) (`uber-trace-id`).\n* `ot`: Expects or adds [OpenTelemetry tracing headers](https://github.com/open-telemetry/opentelemetry-java/blob/96e8523544f04c305da5382854eee06218599075/extensions/trace_propagators/src/main/java/io/opentelemetry/extensions/trace/propagation/OtTracerPropagator.java) of the form `ot-tracer-*`.\n* `ignore`: Does not read any tracing headers from the incoming request.\nStarts a new request using the `default_header_type` value, or falls back to\n`b3` if there is no `default_header_type` value set.", + "enum": [ + "b3", + "b3-single", + "ignore", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "type": "string" + }, + "http_endpoint": { + "description": "The full HTTP(S) endpoint to which Zipkin spans should be sent by Kong.\nIf not specified, the Zipkin plugin will only act as a tracing header\ngenerator/transmitter.", + "examples": [ + "http://your.zipkin.collector:9411/api/v2/spans" + ], + "type": "string" + }, + "include_credential": { + "default": true, + "description": "Specify whether the credential of the currently authenticated consumer\nshould be included in metadata sent to the Zipkin server.", + "examples": [ + true + ], + "type": "boolean" + }, + "local_service_name": { + "default": "kong", + "description": "The name of the service as displayed in Zipkin. 
Customize this name to\ntell your Kong Gateway services apart in Zipkin request traces.", + "type": "string" + }, + "sample_ratio": { + "default": 0.001, + "description": "How often to sample requests that do not contain trace IDs.\nSet to `0` to turn sampling off, or to `1` to sample **all** requests. The\nvalue must be between zero (0) and one (1), inclusive.", + "examples": [ + 0.001 + ], + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "static_tags": { + "description": "The tags specified on this property will be added to the generated request traces. For example:\n`[ { \"name\": \"color\", \"value\": \"red\" } ]`.", + "items": { + "properties": { + "name": { + "not_one_of": [ + "error", + "http.method", + "http.path", + "http.status_code", + "kong.balancer.state", + "kong.balancer.try", + "kong.consumer", + "kong.credential", + "kong.node.id", + "kong.route", + "kong.service", + "lc", + "peer.hostname" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "tags_header": { + "default": "Zipkin-Tags", + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP\nrequests that come with a header named as configured by this property. The\nformat is `name_of_tag=value_of_tag`, separated by semicolons (`;`).\n\nFor example: with the default value, a request with the header\n`Zipkin-Tags: fg=blue; bg=red` will generate a trace with the tag `fg` with\nvalue `blue`, and another tag called `bg` with value `red`.", + "type": "string" + }, + "traceid_byte_count": { + "default": 16, + "description": "The length in bytes of each request's Trace ID. 
The value can be either `8` or `16`.", + "enum": [ + 8, + 16 + ], + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file From ceb4b20e7c41f85441eab29198733defa88cceec Mon Sep 17 00:00:00 2001 
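Review bot: `not_one_of` under `config.static_tags.items.properties.name` is not a JSON Schema keyword, so a standard validator reading `json_schemas/zipkin/2.8.json` will not enforce it. The reserved tag names in the list (`kong.consumer`, `kong.credential`, `error` and the rest) would be accepted as static tag names. If this file is meant to be consumed as JSON Schema, the converter should emit the same list as `"not": { "enum": [ "error", "http.method", ... ] }`. The `config` object also omits `"additionalProperties": false`, which the sibling `consumer`, `consumer_group`, `route` and `service` objects set, so a misspelled option name would pass validation unnoticed.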
From: kong-docs <116832528+kong-docs@users.noreply.github.com> Date: Tue, 25 Mar 2025 04:35:40 +0100 Subject: [PATCH 135/165] Download Schemas for 3.10.x (#102) Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- schemas/acl/3.10.x.json | 50 +- schemas/acme/3.10.x.json | 406 ++-- schemas/ai-azure-content-safety/3.10.x.json | 66 +- schemas/ai-prompt-decorator/3.10.x.json | 78 +- schemas/ai-prompt-guard/3.10.x.json | 86 +- schemas/ai-prompt-template/3.10.x.json | 32 +- schemas/ai-proxy-advanced/3.10.x.json | 891 +++++---- schemas/ai-proxy/3.10.x.json | 248 +-- schemas/ai-rag-injector/3.10.x.json | 518 ++--- schemas/ai-rate-limiting-advanced/3.10.x.json | 336 ++-- schemas/ai-request-transformer/3.10.x.json | 262 +-- schemas/ai-response-transformer/3.10.x.json | 262 +-- schemas/ai-sanitizer/3.10.x.json | 56 +- schemas/ai-semantic-cache/3.10.x.json | 514 ++--- schemas/ai-semantic-prompt-guard/3.10.x.json | 546 +++--- schemas/app-dynamics/3.10.x.json | 18 +- schemas/aws-lambda/3.10.x.json | 146 +- schemas/azure-functions/3.10.x.json | 28 +- schemas/basic-auth/3.10.x.json | 24 +- schemas/bot-detection/3.10.x.json | 30 +- schemas/canary/3.10.x.json | 134 +- schemas/confluent-consume/3.10.x.json | 86 +- schemas/confluent/3.10.x.json | 70 +- schemas/correlation-id/3.10.x.json | 28 +- schemas/cors/3.10.x.json | 42 +- schemas/datadog/3.10.x.json | 234 +-- schemas/degraphql/3.10.x.json | 32 +- schemas/exit-transformer/3.10.x.json | 18 +- schemas/file-log/3.10.x.json | 38 +- schemas/forward-proxy/3.10.x.json | 132 +- .../graphql-proxy-cache-advanced/3.10.x.json | 266 +-- .../3.10.x.json | 314 ++-- schemas/grpc-gateway/3.10.x.json | 22 +- schemas/grpc-web/3.10.x.json | 24 +- schemas/header-cert-auth/3.10.x.json | 98 +- schemas/hmac-auth/3.10.x.json | 62 +- schemas/http-log/3.10.x.json | 126 +- schemas/injection-protection/3.10.x.json | 68 +- schemas/ip-restriction/3.10.x.json | 36 +- schemas/jq/3.10.x.json | 80 +- 
schemas/json-threat-protection/3.10.x.json | 90 +- schemas/jwe-decrypt/3.10.x.json | 30 +- schemas/jwt-signer/3.10.x.json | 450 ++--- schemas/jwt/3.10.x.json | 76 +- schemas/kafka-consume/3.10.x.json | 86 +- schemas/kafka-log/3.10.x.json | 62 +- schemas/kafka-upstream/3.10.x.json | 58 +- schemas/key-auth-enc/3.10.x.json | 34 +- schemas/key-auth/3.10.x.json | 116 +- schemas/konnect-application-auth/3.10.x.json | 1658 ++++++++--------- schemas/ldap-auth-advanced/3.10.x.json | 92 +- schemas/ldap-auth/3.10.x.json | 54 +- schemas/loggly/3.10.x.json | 74 +- schemas/mocking/3.10.x.json | 58 +- schemas/mtls-auth/3.10.x.json | 104 +- schemas/oas-validation/3.10.x.json | 54 +- schemas/oauth2-introspection/3.10.x.json | 66 +- schemas/oauth2/3.10.x.json | 96 +- schemas/opa/3.10.x.json | 46 +- schemas/openid-connect/3.10.x.json | 1582 ++++++++-------- schemas/opentelemetry/3.10.x.json | 168 +- schemas/post-function/3.10.x.json | 152 +- schemas/pre-function/3.10.x.json | 152 +- schemas/prometheus/3.10.x.json | 50 +- schemas/proxy-cache-advanced/3.10.x.json | 344 ++-- schemas/proxy-cache/3.10.x.json | 102 +- schemas/rate-limiting-advanced/3.10.x.json | 338 ++-- schemas/rate-limiting/3.10.x.json | 320 ++-- schemas/redirect/3.10.x.json | 20 +- schemas/request-callout/3.10.x.json | 667 +++---- schemas/request-size-limiting/3.10.x.json | 28 +- schemas/request-termination/3.10.x.json | 38 +- .../request-transformer-advanced/3.10.x.json | 134 +- schemas/request-transformer/3.10.x.json | 64 +- schemas/request-validator/3.10.x.json | 98 +- schemas/response-ratelimiting/3.10.x.json | 494 ++--- .../response-transformer-advanced/3.10.x.json | 182 +- schemas/response-transformer/3.10.x.json | 96 +- schemas/route-by-header/3.10.x.json | 40 +- .../route-transformer-advanced/3.10.x.json | 18 +- schemas/saml/3.10.x.json | 646 +++---- schemas/service-protection/3.10.x.json | 312 ++-- schemas/session/3.10.x.json | 122 +- schemas/standard-webhooks/3.10.x.json | 32 +- 
schemas/statsd-advanced/3.10.x.json | 318 ++-- schemas/statsd/3.10.x.json | 286 +-- schemas/syslog/3.10.x.json | 62 +- schemas/tcp-log/3.10.x.json | 38 +- schemas/tls-handshake-modifier/3.10.x.json | 30 +- schemas/tls-metadata-headers/3.10.x.json | 36 +- schemas/udp-log/3.10.x.json | 38 +- schemas/upstream-oauth/3.10.x.json | 420 ++--- schemas/upstream-timeout/3.10.x.json | 36 +- schemas/vault-auth/3.10.x.json | 60 +- schemas/websocket-size-limit/3.10.x.json | 16 +- schemas/websocket-validator/3.10.x.json | 132 +- schemas/xml-threat-protection/3.10.x.json | 202 +- schemas/zipkin/3.10.x.json | 168 +- 98 files changed, 8927 insertions(+), 8925 deletions(-) diff --git a/schemas/acl/3.10.x.json b/schemas/acl/3.10.x.json index 29f1d8e4..3137cc09 100644 --- a/schemas/acl/3.10.x.json +++ b/schemas/acl/3.10.x.json @@ -1,26 +1,37 @@ { + "entity_checks": [ + { + "only_one_of": [ + "config.allow", + "config.deny" + ] + }, + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -30,12 +41,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { 
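Review bot: Every change in the `schemas/acl/3.10.x.json` hunks is a key reordering; no value differs between the old and new side. `entity_checks` moves from the bottom of the file to the top, and `reference`, `default` and `description` are shuffled inside each field. The acme, ai-azure-content-safety and ai-prompt-decorator hunks that follow show the same pattern, and the diffstat of 8927 insertions against 8925 deletions suggests most of the commit is this churn. A real change to a secret-handling or authentication attribute (`encrypted`, `referenceable`, a default) is then hard to spot in review. Serialising with a stable key order in the download step, for example `jq -S .`, would leave only real schema changes in the diff.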
@@ -62,25 +76,25 @@ }, { "hide_groups_header": { - "default": false, "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", "type": "boolean", + "default": false, "required": true } }, { "include_consumer_groups": { - "default": false, "description": "If enabled (`true`), allows the consumer-groups to be used in the `allow|deny` fields", "type": "boolean", + "default": false, "required": false } }, { "always_use_authenticated_groups": { - "default": false, "description": "If enabled (`true`), the authenticated groups will always be used even when an authenticated consumer already exists. If the authenticated groups don't exist, it will fallback to use the groups associated with the consumer. By default the authenticated groups will only be used when there is no consumer or the consumer is anonymous.", "type": "boolean", + "default": false, "required": true } } @@ -88,19 +102,5 @@ "required": true } } - ], - "entity_checks": [ - { - "only_one_of": [ - "config.allow", - "config.deny" - ] - }, - { - "at_least_one_of": [ - "config.allow", - "config.deny" - ] - } ] } \ No newline at end of file diff --git a/schemas/acme/3.10.x.json b/schemas/acme/3.10.x.json index f67a4a3a..55421531 100644 --- a/schemas/acme/3.10.x.json +++ b/schemas/acme/3.10.x.json 
@@ -1,4 +1,53 @@ { + "entity_checks": [ + { + "conditional": { + "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", + "if_match": { + "one_of": [ + "https://acme-v02.api.letsencrypt.org", + "https://acme-staging-v02.api.letsencrypt.org" + ] + }, + "then_field": "config.tos_accepted", + "if_field": "config.api_uri", + "then_match": { + "eq": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.storage_config.redis.host", + "if_field": "config.storage", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.storage_config.redis.port", + "if_field": "config.storage", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.storage" + ] + } + } + ], "supported_partials": { "redis-ce": [ "config.storage_config.redis" @@ -7,41 +56,38 @@ "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "service": { + "reference": "services", "description": "A reference to the 'services' table with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "services" + "eq": null } }, { "route": { + "reference": "routes", "description": "A reference to the 'routes' table with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "routes" + "eq": null } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ 
@@ -51,12 +97,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { @@ -65,18 +114,19 @@ "fields": [ { "account_email": { - "description": "The account identifier. Can be reused in a different plugin instance.", "type": "string", - "required": true, - "encrypted": true, "match": "%w*%p*@+%w*%.?%w*", - "referenceable": true + "referenceable": true, + "description": "The account identifier. Can be reused in a different plugin instance.", + "encrypted": true, + "required": true } }, { "account_key": { - "type": "record", "description": "The private key associated with the account.", + "type": "record", + "required": false, "fields": [ { "key_id": { @@ -87,12 +137,11 @@ }, { "key_set": { - "type": "string", - "description": "The ID of the key set to associate the Key ID with." + "description": "The ID of the key set to associate the Key ID with.", + "type": "string" } } - ], - "required": false + ] } }, { @@ -127,8 +176,8 @@ }, { "cert_type": { - "default": "rsa", "description": "The certificate type to create. The possible values are `rsa` for RSA certificate or `ecc` for EC certificate.", + "default": "rsa", "type": "string", "one_of": [ "rsa", @@ -138,8 +187,8 @@ }, { "rsa_key_size": { - "default": 4096, "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", + "default": 4096, "type": "number", "one_of": [ 2048, 
@@ -157,25 +206,25 @@ }, { "domains": { + "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", "elements": { + "match_all": [ + { + "err": "invalid wildcard: must have at most one wildcard", + "pattern": "^[^*]*%*?[^*]*$" + } + ], + "type": "string", "match_any": { + "err": "invalid wildcard: must be placed at leftmost or rightmost label", "patterns": [ "^%*%.", "%.%*$", "^[^*]*$" - ], - "err": "invalid wildcard: must be placed at leftmost or rightmost label" - }, - "type": "string", - "match_all": [ - { - "pattern": "^[^*]*%*?[^*]*$", - "err": "invalid wildcard: must have at most one wildcard" - } - ] + ] + } }, - "type": "array", - "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')" + "type": "array" } }, { @@ -194,8 +243,8 @@ }, { "storage": { - "default": "shm", "description": "The backend storage type to use. In DB-less mode and Konnect, `kong` storage is unavailable. In hybrid mode and Konnect, `shm` storage is unavailable. `shm` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `kong`, `redis`, `consul`, or `vault` in production.", + "default": "shm", "type": "string", "one_of": [ "kong", 
@@ -236,104 +285,33 @@ }, { "redis": { - "shorthand_fields": [ - { - "auth": { - "len_min": 0, - "type": "string", - "deprecation": { - "removal_in_version": "4.0", - "message": "acme: config.storage_config.redis.auth is deprecated, please use config.storage_config.redis.password instead", - "replaced_with": [ - { - "path": [ - "password" - ] - } - ] - } - } - }, - { - "ssl_server_name": { - "type": "string", - "deprecation": { - "removal_in_version": "4.0", - "message": "acme: config.storage_config.redis.ssl_server_name is deprecated, please use config.storage_config.redis.server_name instead", - "replaced_with": [ - { - "path": [ - "server_name" - ] - } - ] - } - } - }, - { - "namespace": { - "len_min": 0, - "type": "string", - "deprecation": { - "removal_in_version": "4.0", - "message": "acme: config.storage_config.redis.namespace is deprecated, please use config.storage_config.redis.extra_options.namespace instead", - "replaced_with": [ - { - "path": [ - "extra_options", - "namespace" - ] - } - ] - } - } - }, - { - "scan_count": { - "type": "integer", - "deprecation": { - "removal_in_version": "4.0", - "message": "acme: config.storage_config.redis.scan_count is deprecated, please use config.storage_config.redis.extra_options.scan_count instead", - "replaced_with": [ - { - "path": [ - "extra_options", - "scan_count" - ] - } - ] - } - } - } - ], - "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." 
} }, { "timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -345,11 +323,11 @@ }, { "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "type": "string", + "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "encrypted": true, - "len_min": 0, - "referenceable": true + "len_min": 0 } }, { @@ -361,16 +339,16 @@ }, { "ssl": { - "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean", "default": false, "required": false } }, { "ssl_verify": { - "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean", "default": false, "required": false } @@ -384,22 +362,22 @@ }, { "extra_options": { - "type": "record", "description": "Custom ACME Redis options", + "type": "record", "fields": [ { "namespace": { - "len_min": 0, "type": "string", - "required": true, + "len_min": 0, + "description": "A namespace to prepend to all keys stored in Redis.", "default": "", - "description": "A namespace to prepend to all keys stored in Redis." + "required": true } }, { "scan_count": { - "default": 10, "description": "The number of keys to return in Redis SCAN calls.", + "default": 10, "type": "number", "required": false } 
@@ -409,6 +387,77 @@ } } ], + "type": "record", + "shorthand_fields": [ + { + "auth": { + "type": "string", + "len_min": 0, + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "password" + ] + } + ], + "message": "acme: config.storage_config.redis.auth is deprecated, please use config.storage_config.redis.password instead" + } + } + }, + { + "ssl_server_name": { + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "server_name" + ] + } + ], + "message": "acme: config.storage_config.redis.ssl_server_name is deprecated, please use config.storage_config.redis.server_name instead" + }, + "type": "string" + } + }, + { + "namespace": { + "type": "string", + "len_min": 0, + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "extra_options", + "namespace" + ] + } + ], + "message": "acme: config.storage_config.redis.namespace is deprecated, please use config.storage_config.redis.extra_options.namespace instead" + } + } + }, + { + "scan_count": { + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "extra_options", + "scan_count" + ] + } + ], + "message": "acme: config.storage_config.redis.scan_count is deprecated, please use config.storage_config.redis.extra_options.scan_count instead" + }, + "type": "integer" + } + } + ], "required": true } }, 
@@ -425,30 +474,30 @@ }, { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "kv_path": { - "type": "string", - "description": "KV prefix path." + "description": "KV prefix path.", + "type": "string" } }, { "timeout": { - "type": "number", - "description": "Timeout in milliseconds." + "description": "Timeout in milliseconds.", + "type": "number" } }, { @@ -475,30 +524,30 @@ }, { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "kv_path": { - "type": "string", - "description": "KV prefix path." + "description": "KV prefix path.", + "type": "string" } }, { "timeout": { - "type": "number", - "description": "Timeout in milliseconds." + "description": "Timeout in milliseconds.", + "type": "number" } }, { @@ -517,14 +566,14 @@ }, { "tls_server_name": { - "type": "string", - "description": "SNI used in request, default to host if omitted." + "description": "SNI used in request, default to host if omitted.", + "type": "string" } }, { "auth_method": { - "default": "token", "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", + "default": "token", "type": "string", "one_of": [ "token", 
@@ -534,20 +583,20 @@ }, { "auth_path": { - "type": "string", - "description": "Vault's authentication path to use." + "description": "Vault's authentication path to use.", + "type": "string" } }, { "auth_role": { - "type": "string", - "description": "The role to try and assign." + "description": "The role to try and assign.", + "type": "string" } }, { "jwt_path": { - "type": "string", - "description": "The path to the JWT." + "description": "The path to the JWT.", + "type": "string" } } ], @@ -560,8 +609,8 @@ }, { "preferred_chain": { - "type": "string", - "description": "A string value that specifies the preferred certificate chain to use when generating certificates." + "description": "A string value that specifies the preferred certificate chain to use when generating certificates.", + "type": "string" } }, { @@ -575,54 +624,5 @@ "required": true } } - ], - "entity_checks": [ - { - "conditional": { - "if_match": { - "one_of": [ - "https://acme-v02.api.letsencrypt.org", - "https://acme-staging-v02.api.letsencrypt.org" - ] - }, - "then_field": "config.tos_accepted", - "if_field": "config.api_uri", - "then_match": { - "eq": true - }, - "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/" - } - }, - { - "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.storage_config.redis.host", - "if_field": "config.storage", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.storage_config.redis.port", - "if_field": "config.storage", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "field_sources": [ - "config.storage" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/ai-azure-content-safety/3.10.x.json b/schemas/ai-azure-content-safety/3.10.x.json index 189c1774..3d5cc205 100644 --- a/schemas/ai-azure-content-safety/3.10.x.json +++ b/schemas/ai-azure-content-safety/3.10.x.json 
@@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,28 +14,31 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -44,26 +47,26 @@ "fields": [ { "content_safety_url": { - "referenceable": true, "description": "Full URL, inc protocol, of the Azure Content Safety instance.", "type": "string", - "required": true + "required": true, + "referenceable": true } }, { "azure_api_version": { - "len_min": 1, "type": "string", - "required": true, + "len_min": 1, + "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format.", "default": "2023-10-01", - "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format." + "required": true } }, { "azure_use_managed_identity": { "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity", - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { 
@@ -89,18 +92,18 @@ }, { "content_safety_key": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.", - "referenceable": true + "encrypted": true, + "required": false } }, { "text_source": { - "default": "concatenate_all_content", "description": "Select where to pick the 'text' for the Azure Content Services request.", "type": "string", + "default": "concatenate_all_content", "one_of": [ "concatenate_all_content", "concatenate_user_content" @@ -113,36 +116,36 @@ "type": "array", "elements": { "type": "record", + "required": true, "fields": [ { "name": { - "type": "string", - "required": true + "required": true, + "type": "string" } }, { "rejection_level": { - "type": "integer", - "required": true + "required": true, + "type": "integer" } } - ], - "required": true + ] } } }, { "reveal_failure_reason": { "description": "Set true to tell the caller why their request was rejected, if so.", - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "output_type": { - "default": "FourSeverityLevels", "description": "See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter#content-filtering-categories", "type": "string", + "default": "FourSeverityLevels", "one_of": [ "FourSeverityLevels", "EightSeverityLevels" @@ -161,16 +164,13 @@ { "halt_on_blocklist_hit": { "description": "Tells Azure to reject the request if any blocklist filter is hit.", - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } } ], "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/ai-prompt-decorator/3.10.x.json b/schemas/ai-prompt-decorator/3.10.x.json index 472ad80c..56cf1d87 100644 --- a/schemas/ai-prompt-decorator/3.10.x.json +++ b/schemas/ai-prompt-decorator/3.10.x.json 
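Review bot: The `content_safety_key` description in the `@@ -89,18 +92,18 @@` hunk reads "If `azure_use_managed_identity` is true, set the API key to call Content Safety", which looks inverted. An API key is presumably the credential used when managed identity is not in use, so an operator following the text could configure the wrong authentication path. The corrected wording would be `If azure_use_managed_identity is false, set the API key to call Content Safety.` Because this file is downloaded, the fix likely belongs in the plugin's own schema rather than here. The hunk itself only reorders keys and leaves `encrypted` and `referenceable` set to true on the field.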
@@ -1,10 +1,15 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.prompts.prepend", + "config.prompts.append" + ] + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,12 +19,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { 
@@ -29,111 +37,103 @@ { "prompts": { "type": "record", + "required": false, "fields": [ { "prepend": { - "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages.", + "type": "array", "len_max": 15, - "required": false, + "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages.", "elements": { "type": "record", + "required": false, "fields": [ { "role": { - "required": true, - "type": "string", "default": "system", + "type": "string", "one_of": [ "system", "assistant", "user" - ] + ], + "required": true } }, { "content": { + "len_max": 500, "type": "string", "len_min": 1, - "len_max": 500, "required": true } } - ], - "required": false + ] }, - "type": "array" + "required": false } }, { "append": { - "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages.", + "type": "array", "len_max": 15, - "required": false, + "description": "Insert chat messages at the end of the chat message array. 
This array preserves exact order when adding messages.", "elements": { "type": "record", + "required": false, "fields": [ { "role": { - "required": true, - "type": "string", "default": "system", + "type": "string", "one_of": [ "system", "assistant", "user" - ] + ], + "required": true } }, { "content": { + "len_max": 500, "type": "string", "len_min": 1, - "len_max": 500, "required": true } } - ], - "required": false + ] }, - "type": "array" + "required": false } } - ], - "required": false + ] } }, { "max_request_body_size": { - "type": "integer", "description": "max allowed body size allowed to be introspected", - "gt": 0, - "default": 8192 + "type": "integer", + "default": 8192, + "gt": 0 } }, { "llm_format": { - "description": "LLM input and output format and schema to use", "type": "string", - "required": false, - "default": "openai", + "description": "LLM input and output format and schema to use", "one_of": [ "openai", "bedrock", "gemini" - ] + ], + "default": "openai", + "required": false } } ], "required": true } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.prompts.prepend", - "config.prompts.append" - ] - } ] } \ No newline at end of file diff --git a/schemas/ai-prompt-guard/3.10.x.json b/schemas/ai-prompt-guard/3.10.x.json index 4c2ae045..38648982 100644 --- a/schemas/ai-prompt-guard/3.10.x.json +++ b/schemas/ai-prompt-guard/3.10.x.json @@ -1,10 +1,27 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow_patterns", + "config.deny_patterns" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "config.allow_all_conversation_history", + "if_field": "config.match_all_roles", + "then_match": { + "eq": false + } + } + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ 
@@ -14,12 +31,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { 
@@ -28,90 +48,70 @@ "fields": [ { "allow_patterns": { - "description": "Array of valid regex patterns, or valid questions from the 'user' role in chat.", "type": "array", - "required": false, + "len_max": 10, + "description": "Array of valid regex patterns, or valid questions from the 'user' role in chat.", "elements": { - "len_min": 1, + "len_max": 500, "type": "string", - "len_max": 500 + "len_min": 1 }, - "len_max": 10 + "required": false } }, { "deny_patterns": { - "description": "Array of invalid regex patterns, or invalid questions from the 'user' role in chat.", "type": "array", - "required": false, + "len_max": 10, + "description": "Array of invalid regex patterns, or invalid questions from the 'user' role in chat.", "elements": { - "len_min": 1, + "len_max": 500, "type": "string", - "len_max": 500 + "len_min": 1 }, - "len_max": 10 + "required": false } }, { "allow_all_conversation_history": { - "type": "boolean", "description": "If true, will ignore all previous chat prompts from the conversation history.", + "type": "boolean", "default": false, "required": true } }, { "max_request_body_size": { - "type": "integer", - "description": "max allowed body size allowed to be introspected", "gt": 0, - "default": 8192 + "default": 8192, + "type": "integer", + "description": "max allowed body size allowed to be introspected" } }, { "match_all_roles": { - "type": "boolean", "description": "If true, will match all roles in addition to 'user' role in conversation history.", + "type": "boolean", "default": false, "required": true } }, { "llm_format": { - "description": "LLM input and output format and schema to use", "type": "string", - "required": false, - "default": "openai", + "description": "LLM input and output format and schema to use", "one_of": [ "openai", "bedrock", "gemini" - ] + ], + "default": "openai", + "required": false } } ], "required": true } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.allow_patterns", - "config.deny_patterns" - ] 
- }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "config.allow_all_conversation_history", - "if_field": "config.match_all_roles", - "then_match": { - "eq": false - } - } - } ] } \ No newline at end of file diff --git a/schemas/ai-prompt-template/3.10.x.json b/schemas/ai-prompt-template/3.10.x.json index bd55443b..77a8657e 100644 --- a/schemas/ai-prompt-template/3.10.x.json +++ b/schemas/ai-prompt-template/3.10.x.json @@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,12 +14,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { @@ -28,8 +31,11 @@ "fields": [ { "templates": { + "description": "Array of templates available to the request context.", + "type": "array", "elements": { "type": "record", + "required": true, "fields": [ { "name": { @@ -45,44 +51,38 @@ "required": true } } - ], - "required": true + ] }, - "description": "Array of templates available to the request context.", - "type": "array", "required": true } }, { "allow_untemplated_requests": { - "default": true, "description": "Set true to allow requests that don't call or match any template.", "type": "boolean", + "default": true, "required": true } }, { "log_original_request": { - "default": false, "description": "Set true to add the original request to the Kong log plugin(s) output.", "type": "boolean", + "default": false, "required": true } }, { "max_request_body_size": { - "default": 8192, - "description": "max allowed body size allowed to be introspected", + "gt": 0, "type": "integer", - "gt": 0 + "description": "max allowed body size allowed to be introspected", + "default": 8192 } } ], "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
diff --git a/schemas/ai-proxy-advanced/3.10.x.json b/schemas/ai-proxy-advanced/3.10.x.json index 8454ff52..55cd619e 100644 --- a/schemas/ai-proxy-advanced/3.10.x.json +++ b/schemas/ai-proxy-advanced/3.10.x.json @@ -1,10 +1,33 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.targets", + "config.balancer" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.targets", + "config.balancer" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.targets", + "config.llm_format" + ] + } + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,12 +37,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { @@ -29,12 +55,13 @@ { "balancer": { "type": "record", + "required": true, "fields": [ { "algorithm": { - "type": "string", "description": "Which load balancing algorithm to use.", "default": "round-robin", + "type": "string", "one_of": [ "round-robin", "lowest-latency", @@ -47,9 +74,9 @@ }, { "tokens_count_strategy": { - "type": "string", "description": "What tokens to use for usage calculation. Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` and `cost`.", "default": "total-tokens", + "type": "string", "one_of": [ "total-tokens", "prompt-tokens", @@ -60,9 +87,9 @@ }, { "latency_strategy": { - "type": "string", "description": "What metrics to use for latency. Available values are: `tpot` (time-per-output-token) and `e2e`.", "default": "tpot", + "type": "string", "one_of": [ "tpot", "e2e" 
@@ -72,68 +99,64 @@ { "hash_on_header": { "description": "The header to use for consistent-hashing.", - "type": "string", - "default": "X-Kong-LLM-Request-ID" + "default": "X-Kong-LLM-Request-ID", + "type": "string" } }, { "slots": { - "default": 10000, "description": "The number of slots in the load balancer algorithm.", + "default": 10000, + "type": "integer", "between": [ 10, 65536 - ], - "type": "integer" + ] } }, { "retries": { - "default": 5, "description": "The number of retries to execute upon failure to proxy.", + "default": 5, + "type": "integer", "between": [ 0, 32767 - ], - "type": "integer" + ] } }, { "connect_timeout": { - "type": "integer", "between": [ 1, 2147483646 ], - "default": 60000 + "default": 60000, + "type": "integer" } }, { "write_timeout": { - "type": "integer", "between": [ 1, 2147483646 ], - "default": 60000 + "default": 60000, + "type": "integer" } }, { "read_timeout": { - "type": "integer", "between": [ 1, 2147483646 ], - "default": 60000 + "default": 60000, + "type": "integer" } }, { "failover_criteria": { - "default": [ - "error", - "timeout" - ], "description": "Specifies in which cases an upstream response should be failover to the next target. Each option in the array is equivalent to the function of http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream", "type": "array", "elements": { @@ -151,11 +174,14 @@ "http_429", "non_idempotent" ] - } + }, + "default": [ + "error", + "timeout" + ] } } - ], - "required": true + ] } }, { 
@@ -204,141 +230,145 @@ } } ], + "type": "record", "fields": [ { "auth": { + "type": "record", "fields": [ { "header_name": { - "referenceable": true, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "type": "string", + "referenceable": true, "required": false } }, { "header_value": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", - "referenceable": true + "encrypted": true, + "required": false } }, { "param_name": { - "referenceable": true, "description": "If AI model requires authentication via query parameter, specify its name here.", "type": "string", + "referenceable": true, "required": false } }, { "param_value": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "Specify the full parameter value for 'param_name'.", - "referenceable": true + "encrypted": true, + "required": false } }, { "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "one_of": [ "query", "body" ], - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", - "type": "string", "required": false } }, { "azure_use_managed_identity": { - "default": false, "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "type": "boolean", + "default": false, "required": false } }, { "azure_client_id": { - "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "type": "string", + "referenceable": true, "required": false } }, { "azure_client_secret": { 
- "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", - "referenceable": true + "encrypted": true, + "required": false } }, { "azure_tenant_id": { - "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "type": "string", + "referenceable": true, "required": false } }, { "gcp_use_service_account": { - "default": false, "description": "Use service account auth for GCP-based providers and models.", "type": "boolean", + "default": false, "required": false } }, { "gcp_service_account_json": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", - "referenceable": true + "encrypted": true, + "required": false } }, { "aws_access_key_id": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", - "referenceable": true + "encrypted": true, + "required": false } }, { "aws_secret_access_key": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", - "referenceable": true + "encrypted": true, + "required": false } }, { "allow_override": { - "default": false, "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "type": "boolean", + "default": false, "required": false } } ], - "type": "record", "required": false } }, { "model": { + "type": "record", "fields": [ { "provider": { + "description": "AI provider format to use for embeddings API", + "type": "string", "one_of": [ "openai", "mistral", @@ -347,8 +377,6 @@ "bedrock", "gemini" ], - "description": "AI provider format to use for embeddings API", - "type": "string", "required": true } }, @@ -361,6 +389,8 @@ }, { "options": { + "description": "Key/value settings for the model", + "type": "record", "fields": [ { "upstream_url": { @@ -371,6 +401,7 @@ }, { "azure": { + "type": "record", "fields": [ { "instance": { @@ -381,9 +412,9 @@ }, { "api_version": { - "default": "2023-05-15", "description": "'api-version' for Azure OpenAI instances.", "type": "string", + "default": "2023-05-15", "required": false } }, @@ -395,7 +426,6 @@ } } ], - "type": "record", "required": true } }, @@ -409,6 +439,7 @@ ] } ], + "type": "record", "fields": [ { "aws_region": { 
@@ -426,18 +457,17 @@ }, { "aws_role_session_name": { - "type": "string", - "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session." + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" } }, { "aws_sts_endpoint_url": { - "type": "string", - "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" } } ], - "type": "record", "required": false } }, @@ -452,6 +482,7 @@ ] } ], + "type": "record", "fields": [ { "api_endpoint": { @@ -475,12 +506,12 @@ } } ], - "type": "record", "required": false } }, { "huggingface": { + "type": "record", "fields": [ { "use_cache": { @@ -497,37 +528,33 @@ } } ], - "type": "record", "required": false } } ], - "description": "Key/value settings for the model", - "type": "record", "required": false } } ], - "type": "record", "required": true } } ], - "type": "record", "required": false } }, { "vectordb": { + "type": "record", "fields": [ { "strategy": { + "description": "which vector database driver to use", + "type": "string", "one_of": [ "redis", "pgvector" ], - "description": "which vector database driver to use", - "type": "string", "required": true } }, 
@@ -547,17 +574,79 @@ }, { "distance_metric": { + "description": "the distance metric to use for vector searches", + "type": "string", "one_of": [ "cosine", "euclidean" ], - "description": "the distance metric to use for vector searches", - "type": "string", "required": true } }, { "redis": { + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", "fields": [ { "host": { 
@@ -568,46 +657,46 @@ }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "connect_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "read_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { @@ -649,13 +738,13 @@ }, { "keepalive_pool_size": { - "type": "integer", "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "default": 256, "between": [ 1, 2147483646 - ] + ], + "type": "integer" } }, { 
@@ -670,8 +759,8 @@ }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { 
@@ -687,80 +776,80 @@ }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", - "required": false, - "elements": { - "type": "record", + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "elements": { "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } } - ] + ], + "type": "record" }, - "len_min": 1 + "required": false } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "elements": { - "type": "record", "fields": [ { "ip": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } } - ] + ], + "type": "record" }, - "len_min": 1 + "required": false } }, { "ssl": { - "default": false, "description": "If set to true, uses SSL to connect to Redis.", + "default": false, "type": "boolean", "required": false } }, { "ssl_verify": { - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, "type": "boolean", "required": false } 
@@ -774,88 +863,24 @@ }, { "cluster_max_redirections": { - "default": 5, "description": "Maximum retry attempts for redirection.", + "default": 5, "type": "integer", "required": false } }, { "connection_is_proxied": { - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "default": false, "type": "boolean", "required": false } } ], - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "required": true, "shorthand_fields": [ { "timeout": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", "replaced_with": [ @@ -876,16 +901,16 @@ } ], "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" - } + }, + "type": "integer" } }, { "sentinel_addresses": { + "type": "array", "elements": { "type": "string" }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", "replaced_with": [ 
@@ -896,16 +921,16 @@ } ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" - } + }, + "len_min": 1 } }, { "cluster_addresses": { + "type": "array", "elements": { "type": "string" }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", "replaced_with": [ @@ -916,14 +941,17 @@ } ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead" - } + }, + "len_min": 1 } } - ] + ], + "required": true } }, { "pgvector": { + "type": "record", "fields": [ { "host": { @@ -941,17 +969,17 @@ }, { "user": { - "default": "postgres", "description": "the user of the pgvector database", "type": "string", + "default": "postgres", "referenceable": true } }, { "password": { - "encrypted": true, "description": "the password of the pgvector database", "type": "string", + "encrypted": true, "referenceable": true } }, 
@@ -992,217 +1020,356 @@ }, { "ssl_version": { - "default": "tlsv1_2", "description": "the ssl version to use for the pgvector database", "type": "string", "one_of": [ "tlsv1_2", "tlsv1_3", "any" - ] + ], + "default": "tlsv1_2" } }, { "ssl_cert": { - "type": "string", - "description": "the path of ssl cert to use for the pgvector database" + "description": "the path of ssl cert to use for the pgvector database", + "type": "string" } }, { "ssl_cert_key": { - "type": "string", - "description": "the path of ssl cert key to use for the pgvector database" + "description": "the path of ssl cert key to use for the pgvector database", + "type": "string" } } ], - "type": "record", "required": true } } ], - "type": "record", "required": false } }, { "response_streaming": { - "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", "type": "string", - "required": false, - "default": "allow", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", "one_of": [ "allow", "deny", "always" - ] + ], + "default": "allow", + "required": false } }, { "max_request_body_size": { - "default": 8192, "description": "max allowed body size allowed to be introspected", - "gt": 0, - "type": "integer" + "default": 8192, + "type": "integer", + "gt": 0 } }, { "model_name_header": { "description": "Display the model name selected in the X-Kong-LLM-Model response header", - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "targets": { "elements": { - "required": true, + "entity_checks": [ + { + "conditional": { + "then_err": "bedrock and gemini only support auth.allow_override = false", + "if_match": { + "one_of": [ + "bedrock", + "gemini" + ] + }, + "then_field": "auth.allow_override", + "if_field": "model.provider", + "then_match": { + "eq": false + } + } + }, + { + "mutually_required": [ + "auth.header_name", + 
"auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for llama2 provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] + } + } + ], + "type": "record", 
"fields": [ { "route_type": { + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "type": "string", "one_of": [ "llm/v1/chat", "llm/v1/completions", "preserve" ], - "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", - "type": "string", "required": true } }, { "auth": { + "type": "record", "fields": [ { "header_name": { - "referenceable": true, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "type": "string", + "referenceable": true, "required": false } }, { "header_value": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", - "referenceable": true + "encrypted": true, + "required": false } }, { "param_name": { - "referenceable": true, "description": "If AI model requires authentication via query parameter, specify its name here.", "type": "string", + "referenceable": true, "required": false } }, { "param_value": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "Specify the full parameter value for 'param_name'.", - "referenceable": true + "encrypted": true, + "required": false } }, { "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "one_of": [ "query", "body" ], - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", - "type": "string", "required": false } }, { "azure_use_managed_identity": { - "default": false, "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", 
"type": "boolean", + "default": false, "required": false } }, { "azure_client_id": { - "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "type": "string", + "referenceable": true, "required": false } }, { "azure_client_secret": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", - "referenceable": true + "encrypted": true, + "required": false } }, { "azure_tenant_id": { - "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "type": "string", + "referenceable": true, "required": false } }, { "gcp_use_service_account": { - "default": false, "description": "Use service account auth for GCP-based providers and models.", "type": "boolean", + "default": false, "required": false } }, { "gcp_service_account_json": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", - "referenceable": true + "encrypted": true, + "required": false } }, { "aws_access_key_id": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", - "referenceable": true + "encrypted": true, + "required": false } }, { "aws_secret_access_key": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", - "referenceable": true + "encrypted": true, + "required": false } }, { "allow_override": { - "default": false, "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "type": "boolean", + "default": false, "required": false } } ], - "type": "record", "required": false } }, { "model": { + "type": "record", "fields": [ { "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "type": "string", "one_of": [ "openai", "azure", @@ -1214,8 +1381,6 @@ "bedrock", "huggingface" ], - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", - "type": "string", "required": true } }, @@ -1228,6 +1393,8 @@ }, { "options": { + "description": "Key/value settings for the model", + "type": "record", "fields": [ { "max_tokens": { 
@@ -1238,50 +1405,50 @@ }, { "input_cost": { - "gt": 0, "description": "Defines the cost per 1M tokens in your prompt.", "type": "number", + "gt": 0, "required": false } }, { "output_cost": { - "gt": 0, "description": "Defines the cost per 1M tokens in the output of the AI.", "type": "number", + "gt": 0, "required": false } }, { "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "type": "number", "between": [ 0, 5 ], - "description": "Defines the matching temperature, if using chat or completion models.", - "type": "number", "required": false } }, { "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "type": "number", "between": [ 0, 1 ], - "description": "Defines the top-p probability mass, if supported.", - "type": "number", "required": false } }, { "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "type": "integer", "between": [ 0, 500 ], - "description": "Defines the top-k most likely tokens, if supported.", - "type": "integer", "required": false } }, @@ -1301,9 +1468,9 @@ }, { "azure_api_version": { - "default": "2023-05-15", "description": "'api-version' for Azure OpenAI instances.", "type": "string", + "default": "2023-05-15", "required": false } }, @@ -1316,24 +1483,24 @@ }, { "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "type": "string", "one_of": [ "raw", "openai", "ollama" ], - "description": "If using llama2 provider, select the upstream message format.", - "type": "string", "required": false } }, { "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "type": "string", "one_of": [ "openai", "ollama" ], - "description": "If using mistral provider, select the upstream message format.", - "type": "string", "required": false } }, 
@@ -1346,12 +1513,12 @@ }, { "upstream_path": { - "deprecation": { - "removal_in_version": "4.0", - "message": "llm: config.model.options.upstream_path is deprecated, please use config.model.options.upstream_url instead" - }, "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", "type": "string", + "deprecation": { + "message": "llm: config.model.options.upstream_path is deprecated, please use config.model.options.upstream_url instead", + "removal_in_version": "4.0" + }, "required": false } }, @@ -1366,6 +1533,7 @@ ] } ], + "type": "record", "fields": [ { "api_endpoint": { @@ -1389,7 +1557,6 @@ } } ], - "type": "record", "required": false } }, @@ -1403,6 +1570,7 @@ ] } ], + "type": "record", "fields": [ { "aws_region": { @@ -1420,23 +1588,23 @@ }, { "aws_role_session_name": { - "type": "string", - "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session." + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" } }, { "aws_sts_endpoint_url": { - "type": "string", - "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" } } ], - "type": "record", "required": false } }, { "huggingface": { + "type": "record", "fields": [ { "use_cache": { @@ -1453,30 +1621,26 @@ } } ], - "type": "record", "required": false } } ], - "description": "Key/value settings for the model", - "type": "record", "required": false } } ], - "type": "record", "required": true } }, { "weight": { - "default": 100, "description": "The weight this target gets within the upstream loadbalancer (1-65535).", + "default": 100, + "type": "integer", "between": [ 1, 65535 - ], - "type": "integer" + ] } }, { 
@@ -1488,167 +1652,28 @@ }, { "logging": { + "type": "record", "fields": [ { "log_statistics": { - "default": false, "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", "type": "boolean", + "default": false, "required": true } }, { "log_payloads": { - "default": false, "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", "type": "boolean", + "default": false, "required": true } } ], - "type": "record", "required": true } } - ], - "type": "record", - "entity_checks": [ - { - "conditional": { - "if_match": { - "one_of": [ - "bedrock", - "gemini" - ] - }, - "then_field": "auth.allow_override", - "if_field": "model.provider", - "then_match": { - "eq": false - }, - "then_err": "bedrock and gemini only support auth.allow_override = false" - } - }, - { - "mutually_required": [ - "auth.header_name", - "auth.header_value" - ] - }, - { - "mutually_required": [ - "auth.param_name", - "auth.param_value", - "auth.param_location" - ] - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "llama2" - ] - }, - "then_err": "must set %s for llama2 provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.llama2_format" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "mistral" - ] - }, - "then_err": "must set %s for mistral provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.mistral_format" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "anthropic" - ] - }, - "then_err": "must set %s for anthropic provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.anthropic_version" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - 
"then_at_least_one_of": [ - "model.options.azure_instance" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_api_version" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_deployment_id" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "llama2" - ] - }, - "then_err": "must set %s for self-hosted providers/models", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.upstream_url" - ] - } - }, - { - "custom_entity_check": { - "field_sources": [ - "route_type", - "model", - "logging" - ] - } - } ] }, "type": "array", @@ -1657,46 +1682,20 @@ }, { "llm_format": { - "description": "LLM input and output format and schema to use", "type": "string", - "required": false, - "default": "openai", + "description": "LLM input and output format and schema to use", "one_of": [ "openai", "bedrock", "gemini" - ] + ], + "default": "openai", + "required": false } } ], "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.targets", - "config.balancer" - ] - } - }, - { - "custom_entity_check": { - "field_sources": [ - "config.targets", - "config.balancer" - ] - } - }, - { - "custom_entity_check": { - "field_sources": [ - "config.targets", - "config.llm_format" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/ai-proxy/3.10.x.json b/schemas/ai-proxy/3.10.x.json index b7d11799..a083f75a 100644 --- a/schemas/ai-proxy/3.10.x.json +++ b/schemas/ai-proxy/3.10.x.json 
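Review bot: The `entity_checks` array dropped from the end of the target record in `schemas/ai-proxy-advanced/3.10.x.json` (hunk `-1488,167`) carries the `bedrock and gemini only support auth.allow_override = false` rule and the `mutually_required` auth pairs, and it is not re-added anywhere in that hunk; the same holds for the top-level `custom_entity_check` entries removed in hunk `-1657,46`. The line offsets in the earlier hunk headers suggest both arrays were re-emitted near the top of their records, as is visible for `schemas/ai-proxy/3.10.x.json`, but that part of the file lies outside these hunks, so a silently lost validation rule would look the same here. Before merging, compare the old and new file after key-sorting both (for example `jq -S . FILE`) and confirm the output is identical. Storing the downloaded schemas key-sorted would keep future diffs limited to real changes.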
@@ -1,10 +1,51 @@ { + "entity_checks": [ + { + "conditional": { + "then_err": "native provider options in llm_format can only be used with the 'llm/v1/chat' route_type", + "if_match": { + "one_of": [ + "bedrock", + "gemini" + ] + }, + "then_field": "config.route_type", + "if_field": "config.llm_format", + "then_match": { + "eq": "llm/v1/chat" + } + } + }, + { + "conditional": { + "then_err": "native llm_format 'bedrock' can only be used with the 'bedrock' model.provider", + "if_match": { + "eq": "bedrock" + }, + "then_field": "config.model.provider", + "if_field": "config.llm_format", + "then_match": { + "eq": "bedrock" + } + } + }, + { + "conditional": { + "then_err": "native llm_format 'gemini' can only be used with the 'gemini' model.provider", + "if_match": { + "eq": "gemini" + }, + "then_field": "config.model.provider", + "if_field": "config.llm_format", + "then_match": { + "eq": "gemini" + } + } + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,12 +55,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { @@ -27,6 +71,7 @@ "entity_checks": [ { "conditional": { + "then_err": "bedrock and gemini only support auth.allow_override = false", "if_match": { "one_of": [ "bedrock", @@ -37,8 +82,7 @@ "if_field": "model.provider", "then_match": { "eq": false - }, - "then_err": "bedrock and gemini only support auth.allow_override = false" + } } }, { 
@@ -162,153 +206,157 @@ } } ], + "type": "record", "fields": [ { "route_type": { + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "type": "string", "one_of": [ "llm/v1/chat", "llm/v1/completions", "preserve" ], - "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", - "type": "string", "required": true } }, { "auth": { + "type": "record", "fields": [ { "header_name": { - "referenceable": true, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "type": "string", + "referenceable": true, "required": false } }, { "header_value": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", - "referenceable": true + "encrypted": true, + "required": false } }, { "param_name": { - "referenceable": true, "description": "If AI model requires authentication via query parameter, specify its name here.", "type": "string", + "referenceable": true, "required": false } }, { "param_value": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "Specify the full parameter value for 'param_name'.", - "referenceable": true + "encrypted": true, + "required": false } }, { "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "one_of": [ "query", "body" ], - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", - "type": "string", "required": false } }, { "azure_use_managed_identity": { - "default": false, "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned 
identity) to authenticate with Azure-provider models.", "type": "boolean", + "default": false, "required": false } }, { "azure_client_id": { - "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "type": "string", + "referenceable": true, "required": false } }, { "azure_client_secret": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", - "referenceable": true + "encrypted": true, + "required": false } }, { "azure_tenant_id": { - "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "type": "string", + "referenceable": true, "required": false } }, { "gcp_use_service_account": { - "default": false, "description": "Use service account auth for GCP-based providers and models.", "type": "boolean", + "default": false, "required": false } }, { "gcp_service_account_json": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", - "referenceable": true + "encrypted": true, + "required": false } }, { "aws_access_key_id": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", - "referenceable": true + "encrypted": true, + "required": false } }, { "aws_secret_access_key": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", - "referenceable": true + "encrypted": true, + "required": false } }, { "allow_override": { - "default": false, "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "type": "boolean", + "default": false, "required": false } } ], - "type": "record", "required": false } }, { "model": { + "type": "record", "fields": [ { "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "type": "string", "one_of": [ "openai", "azure", @@ -320,8 +368,6 @@ "bedrock", "huggingface" ], - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", - "type": "string", "required": true } }, @@ -334,6 +380,8 @@ }, { "options": { + "description": "Key/value settings for the model", + "type": "record", "fields": [ { "max_tokens": { 
@@ -344,50 +392,50 @@ }, { "input_cost": { - "gt": 0, "description": "Defines the cost per 1M tokens in your prompt.", "type": "number", + "gt": 0, "required": false } }, { "output_cost": { - "gt": 0, "description": "Defines the cost per 1M tokens in the output of the AI.", "type": "number", + "gt": 0, "required": false } }, { "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "type": "number", "between": [ 0, 5 ], - "description": "Defines the matching temperature, if using chat or completion models.", - "type": "number", "required": false } }, { "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "type": "number", "between": [ 0, 1 ], - "description": "Defines the top-p probability mass, if supported.", - "type": "number", "required": false } }, { "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "type": "integer", "between": [ 0, 500 ], - "description": "Defines the top-k most likely tokens, if supported.", - "type": "integer", "required": false } }, @@ -407,9 +455,9 @@ }, { "azure_api_version": { - "default": "2023-05-15", "description": "'api-version' for Azure OpenAI instances.", "type": "string", + "default": "2023-05-15", "required": false } }, @@ -422,24 +470,24 @@ }, { "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "type": "string", "one_of": [ "raw", "openai", "ollama" ], - "description": "If using llama2 provider, select the upstream message format.", - "type": "string", "required": false } }, { "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "type": "string", "one_of": [ "openai", "ollama" ], - "description": "If using mistral provider, select the upstream message format.", - "type": "string", "required": false } }, 
@@ -452,12 +500,12 @@ }, { "upstream_path": { - "deprecation": { - "removal_in_version": "4.0", - "message": "llm: config.model.options.upstream_path is deprecated, please use config.model.options.upstream_url instead" - }, "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", "type": "string", + "deprecation": { + "message": "llm: config.model.options.upstream_path is deprecated, please use config.model.options.upstream_url instead", + "removal_in_version": "4.0" + }, "required": false } }, @@ -472,6 +520,7 @@ ] } ], + "type": "record", "fields": [ { "api_endpoint": { @@ -495,7 +544,6 @@ } } ], - "type": "record", "required": false } }, @@ -509,6 +557,7 @@ ] } ], + "type": "record", "fields": [ { "aws_region": { @@ -526,23 +575,23 @@ }, { "aws_role_session_name": { - "type": "string", - "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session." + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" } }, { "aws_sts_endpoint_url": { - "type": "string", - "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" } } ], - "type": "record", "required": false } }, { "huggingface": { + "type": "record", "fields": [ { "use_cache": { 
@@ -559,134 +608,85 @@ } } ], - "type": "record", "required": false } } ], - "description": "Key/value settings for the model", - "type": "record", "required": false } } ], - "type": "record", "required": true } }, { "logging": { + "type": "record", "fields": [ { "log_statistics": { - "default": false, "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", "type": "boolean", + "default": false, "required": true } }, { "log_payloads": { - "default": false, "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", "type": "boolean", + "default": false, "required": true } } ], - "type": "record", "required": true } }, { "response_streaming": { - "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", "type": "string", - "required": false, - "default": "allow", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", "one_of": [ "allow", "deny", "always" - ] + ], + "default": "allow", + "required": false } }, { "max_request_body_size": { "gt": 0, - "description": "max allowed body size allowed to be introspected", "type": "integer", + "description": "max allowed body size allowed to be introspected", "default": 8192 } }, { "model_name_header": { "description": "Display the model name selected in the X-Kong-LLM-Model response header", - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "llm_format": { - "description": "LLM input and output format and schema to use", "type": "string", - "required": false, - "default": "openai", + "description": "LLM input and output format and schema to use", "one_of": [ "openai", "bedrock", "gemini" - ] + ], + "default": "openai", + "required": false } } ], - "type": "record", "required": true } } - ], - "entity_checks": [ - { - "conditional": 
{ - "if_match": { - "one_of": [ - "bedrock", - "gemini" - ] - }, - "then_field": "config.route_type", - "if_field": "config.llm_format", - "then_match": { - "eq": "llm/v1/chat" - }, - "then_err": "native provider options in llm_format can only be used with the 'llm/v1/chat' route_type" - } - }, - { - "conditional": { - "if_match": { - "eq": "bedrock" - }, - "then_field": "config.model.provider", - "if_field": "config.llm_format", - "then_match": { - "eq": "bedrock" - }, - "then_err": "native llm_format 'bedrock' can only be used with the 'bedrock' model.provider" - } - }, - { - "conditional": { - "if_match": { - "eq": "gemini" - }, - "then_field": "config.model.provider", - "if_field": "config.llm_format", - "then_match": { - "eq": "gemini" - }, - "then_err": "native llm_format 'gemini' can only be used with the 'gemini' model.provider" - } - } ] } \ No newline at end of file diff --git a/schemas/ai-rag-injector/3.10.x.json b/schemas/ai-rag-injector/3.10.x.json index 19f95f57..a4b3943c 100644 --- a/schemas/ai-rag-injector/3.10.x.json +++ b/schemas/ai-rag-injector/3.10.x.json @@ -1,10 +1,16 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.inject_template" + ] + } + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,12 +20,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { 
@@ -28,188 +37,232 @@ "fields": [ { "stop_on_failure": { - "type": "boolean", "description": "Halt the LLM request process in case of a vectordb or embeddings service failure", + "type": "boolean", "default": false, "required": true } }, { "inject_as_role": { - "required": true, - "type": "string", - "default": "user", "one_of": [ "system", "assistant", "user" - ] + ], + "type": "string", + "default": "user", + "required": true } }, { "inject_template": { - "type": "string", "default": "\n", + "type": "string", "required": true } }, { "fetch_chunks_count": { - "type": "number", "description": "The maximum number of chunks to fetch from vectordb", + "type": "number", "default": 5, "required": true } }, { "vectordb_namespace": { - "type": "string", "description": "The namespace of the vectordb to use for embeddings lookup", + "type": "string", "default": "kong_rag_injector", "required": true } }, { "embeddings": { - "required": true, + "entity_checks": [ + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.instance" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.api_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.deployment_id" + ] + } + } + ], "type": "record", + "required": true, "fields": [ { "auth": { "type": "record", + "required": false, "fields": [ { "header_name": { - "required": false, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "type": "string", + 
"required": false, "referenceable": true } }, { "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "type": "string", - "required": false, + "referenceable": true, + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "encrypted": true, - "referenceable": true + "required": false } }, { "param_name": { - "required": false, "description": "If AI model requires authentication via query parameter, specify its name here.", "type": "string", + "required": false, "referenceable": true } }, { "param_value": { - "description": "Specify the full parameter value for 'param_name'.", "type": "string", - "required": false, + "referenceable": true, + "description": "Specify the full parameter value for 'param_name'.", "encrypted": true, - "referenceable": true + "required": false } }, { "param_location": { - "required": false, "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "type": "string", "one_of": [ "query", "body" - ] + ], + "required": false } }, { "azure_use_managed_identity": { - "type": "boolean", "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean", "default": false, "required": false } }, { "azure_client_id": { - "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "type": "string", + "required": false, "referenceable": true } }, { "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "type": "string", - "required": false, + "referenceable": true, + "description": "If 
azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "encrypted": true, - "referenceable": true + "required": false } }, { "azure_tenant_id": { - "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "type": "string", + "required": false, "referenceable": true } }, { "gcp_use_service_account": { - "type": "boolean", "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean", "default": false, "required": false } }, { "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "type": "string", - "required": false, + "referenceable": true, + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "encrypted": true, - "referenceable": true + "required": false } }, { "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "type": "string", - "required": false, + "referenceable": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "encrypted": true, - "referenceable": true + "required": false } }, { "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "type": "string", - "required": false, + "referenceable": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "encrypted": true, - "referenceable": true + "required": false } }, { "allow_override": { - "type": "boolean", "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean", "default": false, "required": false } } - ], - "required": false + ] } }, { "model": { "type": "record", + "required": true, "fields": [ { "provider": { - "required": true, "description": "AI provider format to use for embeddings API", "type": "string", "one_of": [ @@ -219,7 +272,8 @@ "azure", "bedrock", "gemini" - ] + ], + "required": true } }, { @@ -231,8 +285,9 @@ }, { "options": { - "type": "record", "description": "Key/value settings for the model", + "type": "record", + "required": false, "fields": [ { "upstream_url": { @@ -254,8 +309,8 @@ }, { "api_version": { - "type": "string", "description": "'api-version' for Azure OpenAI instances.", + "type": "string", "default": "2023-05-15", "required": false } @@ -273,8 +328,16 @@ }, { "bedrock": { - "required": false, + "entity_checks": [ + { + "mutually_required": [ + "aws_assume_role_arn", + "aws_role_session_name" + ] + } + ], "type": "record", + "required": false, "fields": [ { "aws_region": { 
@@ -292,31 +355,32 @@ }, { "aws_role_session_name": { - "type": "string", - "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session." + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" } }, { "aws_sts_endpoint_url": { - "type": "string", - "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" } } - ], - "entity_checks": [ - { - "mutually_required": [ - "aws_assume_role_arn", - "aws_role_session_name" - ] - } ] } }, { "gemini": { - "required": false, + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], "type": "record", + "required": false, "fields": [ { "api_endpoint": { @@ -339,21 +403,13 @@ "required": false } } - ], - "entity_checks": [ - { - "mutually_required": [ - "api_endpoint", - "project_id", - "location_id" - ] - } ] } }, { "huggingface": { "type": "record", + "required": false, "fields": [ { "use_cache": { 
@@ -369,59 +425,12 @@ "required": false } } - ], - "required": false + ] } } - ], - "required": false + ] } } - ], - "required": true - } - } - ], - "entity_checks": [ - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure.instance" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure.api_version" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure.deployment_id" ] } } @@ -430,15 +439,16 @@ }, { "vectordb": { + "type": "record", "fields": [ { "strategy": { + "description": "which vector database driver to use", + "type": "string", "one_of": [ "redis", "pgvector" ], - "description": "which vector database driver to use", - "type": "string", "required": true } }, 
@@ -451,17 +461,79 @@ }, { "distance_metric": { + "description": "the distance metric to use for vector searches", + "type": "string", "one_of": [ "cosine", "euclidean" ], - "description": "the distance metric to use for vector searches", - "type": "string", "required": true } }, { "redis": { + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", "fields": [ { "host": { 
@@ -472,46 +544,46 @@ }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "connect_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "read_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { @@ -553,13 +625,13 @@ }, { "keepalive_pool_size": { - "type": "integer", "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "default": 256, "between": [ 1, 2147483646 - ] + ], + "type": "integer" } }, { 
@@ -574,8 +646,8 @@ }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { 
@@ -591,80 +663,80 @@ }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "elements": { - "type": "record", "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } } - ] + ], + "type": "record" }, - "len_min": 1 + "required": false } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "elements": { - "type": "record", "fields": [ { "ip": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } } - ] + ], + "type": "record" }, - "len_min": 1 + "required": false } }, { "ssl": { - "default": false, "description": "If set to true, uses SSL to connect to Redis.", + "default": false, "type": "boolean", "required": false } }, { "ssl_verify": { - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, "type": "boolean", "required": false } 
@@ -678,88 +750,24 @@ }, { "cluster_max_redirections": { - "default": 5, "description": "Maximum retry attempts for redirection.", + "default": 5, "type": "integer", "required": false } }, { "connection_is_proxied": { - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "default": false, "type": "boolean", "required": false } } ], - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "required": true, "shorthand_fields": [ { "timeout": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", "replaced_with": [ @@ -780,16 +788,16 @@ } ], "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" - } + }, + "type": "integer" } }, { "sentinel_addresses": { + "type": "array", "elements": { "type": "string" }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", "replaced_with": [ 
@@ -800,16 +808,16 @@ } ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" - } + }, + "len_min": 1 } }, { "cluster_addresses": { + "type": "array", "elements": { "type": "string" }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", "replaced_with": [ @@ -820,14 +828,18 @@ } ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead" - } + }, + "len_min": 1 } } - ] + ], + "required": true } }, { "pgvector": { + "type": "record", + "required": true, "fields": [ { "host": { @@ -845,17 +857,17 @@ }, { "user": { - "default": "postgres", "description": "the user of the pgvector database", "type": "string", + "default": "postgres", "referenceable": true } }, { "password": { - "encrypted": true, "description": "the password of the pgvector database", "type": "string", + "encrypted": true, "referenceable": true } }, @@ -896,35 +908,32 @@ }, { "ssl_version": { - "default": "tlsv1_2", "description": "the ssl version to use for the pgvector database", "type": "string", "one_of": [ "tlsv1_2", "tlsv1_3", "any" - ] + ], + "default": "tlsv1_2" } }, { "ssl_cert": { - "type": "string", - "description": "the path of ssl cert to use for the pgvector database" + "description": "the path of ssl cert to use for the pgvector database", + "type": "string" } }, { "ssl_cert_key": { - "type": "string", - "description": "the path of ssl cert key to use for the pgvector database" + "description": "the path of ssl cert key to use for the pgvector database", + "type": "string" } } - ], - "type": "record", - "required": true + ] } } ], - "type": "record", "required": true } } @@ -932,14 +941,5 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.inject_template" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/ai-rate-limiting-advanced/3.10.x.json b/schemas/ai-rate-limiting-advanced/3.10.x.json index 130dde83..2fbb2e9b 100644 
--- a/schemas/ai-rate-limiting-advanced/3.10.x.json +++ b/schemas/ai-rate-limiting-advanced/3.10.x.json @@ -1,4 +1,13 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "supported_partials": { "redis-ee": [ "config.redis" @@ -7,9 +16,6 @@ "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -19,12 +25,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { @@ -33,10 +42,8 @@ "fields": [ { "identifier": { - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`. Note if `identifier` is `consumer-group`, the plugin must be applied on a consumer group entity. Because a consumer may belong to multiple consumer groups, the plugin needs to know explicitly which consumer group to limit the rate.", "type": "string", - "required": true, - "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`. Note if `identifier` is `consumer-group`, the plugin must be applied on a consumer group entity. Because a consumer may belong to multiple consumer groups, the plugin needs to know explicitly which consumer group to limit the rate.", "one_of": [ "ip", "credential", 
@@ -45,13 +52,15 @@ "header", "path", "consumer-group" - ] + ], + "default": "consumer", + "required": true } }, { "window_type": { - "default": "sliding", "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "default": "sliding", "type": "string", "one_of": [ "fixed", 
@@ -61,28 +70,29 @@ }, { "sync_rate": { - "type": "number", - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" } }, { "llm_providers": { + "description": "The provider config. Takes an array of `name`, `limit` and `window size` values.", + "type": "array", "elements": { "type": "record", "fields": [ { "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "type": "array", "elements": { "type": "number" }, - "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", - "type": "array", "required": true } }, { "name": { - "required": true, "description": "The LLM provider to which the rate limit applies.", "type": "string", "one_of": [ 
@@ -96,43 +106,42 @@ "gemini", "huggingface", "requestPrompt" - ] + ], + "required": true } }, { "limit": { + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "type": "array", "elements": { "type": "number" }, - "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", - "type": "array", "required": true } } ] }, - "description": "The provider config. Takes an array of `name`, `limit` and `window size` values.", - "type": "array", "required": true } }, { "strategy": { - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "type": "string", - "required": true, - "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "one_of": [ "cluster", "redis", "local" - ] + ], + "default": "local", + "required": true } }, { "dictionary_name": { - "default": "kong_rate_limiting_counters", "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "default": "kong_rate_limiting_counters", "type": "string", "required": true } 
@@ -153,27 +162,87 @@ }, { "header_name": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } }, { "path": { + "starts_with": "/", + "type": "string", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "type": "string", - "starts_with": "/" + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "redis": { + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], "type": "record", - "required": true, "fields": [ { "host": { 
@@ -184,46 +253,46 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -265,13 +334,13 @@ }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer", "between": [ 1, 2147483646 - ], - "type": "integer" + ] } }, { 
@@ -286,8 +355,8 @@ }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { 
@@ -303,81 +372,81 @@ }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "elements": { "type": "record", "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] }, - "len_min": 1 + "required": false } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "elements": { "type": "record", "fields": [ { "ip": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] }, - "len_min": 1 + "required": false } }, { "ssl": { - "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", "default": false, + "type": "boolean", "required": false } }, { "ssl_verify": { - "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "type": "boolean", "required": false } }, 
@@ -390,89 +459,26 @@ }, { "cluster_max_redirections": { - "type": "integer", "description": "Maximum retry attempts for redirection.", "default": 5, + "type": "integer", "required": false } }, { "connection_is_proxied": { - "type": "boolean", "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "default": false, + "type": "boolean", "required": false } } ], - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], "shorthand_fields": [ { "timeout": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", "replaced_with": [ { "path": [ 
@@ -489,51 +495,54 @@ "read_timeout" ] } - ] - } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + }, + "type": "integer" } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] - } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] - } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 } } - ] + ], + "required": true } }, { @@ -552,10 +561,10 @@ }, { "error_code": { - "type": "number", "description": "Set a custom error code to return when the rate limit is exceeded.", + "default": 429, "gt": 0, - "default": 429 + "type": "number" } }, { 
@@ -574,43 +583,34 @@ }, { "tokens_count_strategy": { - "description": "What tokens to use for cost calculation. Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` or `cost`.", "type": "string", - "required": true, - "default": "total_tokens", + "description": "What tokens to use for cost calculation. Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` or `cost`.", "one_of": [ "total_tokens", "prompt_tokens", "completion_tokens", "cost" - ] + ], + "default": "total_tokens", + "required": true } }, { "llm_format": { - "description": "LLM input and output format and schema to use", "type": "string", - "required": false, - "default": "openai", + "description": "LLM input and output format and schema to use", "one_of": [ "openai", "bedrock", "gemini" - ] + ], + "default": "openai", + "required": false } } ], "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/ai-request-transformer/3.10.x.json b/schemas/ai-request-transformer/3.10.x.json index fe8465c3..abd0bb15 100644 --- a/schemas/ai-request-transformer/3.10.x.json +++ b/schemas/ai-request-transformer/3.10.x.json @@ -1,10 +1,36 @@ { + "entity_checks": [ + { + "conditional": { + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "then_field": "config.llm.route_type", + "if_field": "config.llm.route_type", + "then_match": { + "eq": "llm/v1/chat" + } + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ 
@@ -14,20 +40,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { @@ -50,58 +79,58 @@ }, { "http_timeout": { - "type": "integer", "description": "Timeout in milliseconds for the AI upstream service.", + "type": "integer", "default": 60000, "required": true } }, { "https_verify": { - "type": "boolean", "description": "Verify the TLS certificate of the AI upstream service.", + "type": "boolean", "default": true, "required": true } }, { "max_request_body_size": { - "gt": 0, "description": "max allowed body size allowed to be introspected", "type": "integer", - "default": 8192 + "default": 8192, + "gt": 0 } }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "http_proxy_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "https_proxy_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { 
@@ -109,6 +138,7 @@ "entity_checks": [ { "conditional": { + "then_err": "bedrock and gemini only support auth.allow_override = false", "if_match": { "one_of": [ "bedrock", @@ -119,8 +149,7 @@ "if_field": "model.provider", "then_match": { "eq": false - }, - "then_err": "bedrock and gemini only support auth.allow_override = false" + } } }, { 
@@ -248,152 +277,152 @@ "fields": [ { "route_type": { - "required": true, "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", "type": "string", "one_of": [ "llm/v1/chat", "llm/v1/completions", "preserve" - ] + ], + "required": true } }, { "auth": { "type": "record", + "required": false, "fields": [ { "header_name": { - "required": false, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "type": "string", + "required": false, "referenceable": true } }, { "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "type": "string", - "required": false, + "referenceable": true, + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "encrypted": true, - "referenceable": true + "required": false } }, { "param_name": { - "required": false, "description": "If AI model requires authentication via query parameter, specify its name here.", "type": "string", + "required": false, "referenceable": true } }, { "param_value": { - "description": "Specify the full parameter value for 'param_name'.", "type": "string", - "required": false, + "referenceable": true, + "description": "Specify the full parameter value for 'param_name'.", "encrypted": true, - "referenceable": true + "required": false } }, { "param_location": { - "required": false, "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "type": "string", "one_of": [ "query", "body" - ] + ], + "required": false } }, { "azure_use_managed_identity": { - "type": "boolean", "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean", "default": false, "required": false } }, { 
"azure_client_id": { - "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "type": "string", + "required": false, "referenceable": true } }, { "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "type": "string", - "required": false, + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "encrypted": true, - "referenceable": true + "required": false } }, { "azure_tenant_id": { - "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "type": "string", + "required": false, "referenceable": true } }, { "gcp_use_service_account": { - "type": "boolean", "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean", "default": false, "required": false } }, { "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "type": "string", - "required": false, + "referenceable": true, + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "encrypted": true, - "referenceable": true + "required": false } }, { "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "type": "string", - "required": false, + "referenceable": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "encrypted": true, - "referenceable": true + "required": false } }, { "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "type": "string", - "required": false, + "referenceable": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "encrypted": true, - "referenceable": true + "required": false } }, { "allow_override": { - "type": "boolean", "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean", "default": false, "required": false } } - ], - "required": false + ] } }, { "model": { "type": "record", + "required": true, "fields": [ { "provider": { - "required": true, "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "type": "string", "one_of": [ 
@@ -406,7 +435,8 @@ "gemini", "bedrock", "huggingface" - ] + ], + "required": true } }, { @@ -418,8 +448,9 @@ }, { "options": { - "type": "record", "description": "Key/value settings for the model", + "type": "record", + "required": false, "fields": [ { "max_tokens": { @@ -430,24 +461,24 @@ }, { "input_cost": { - "type": "number", "description": "Defines the cost per 1M tokens in your prompt.", + "type": "number", "gt": 0, "required": false } }, { "output_cost": { - "type": "number", "description": "Defines the cost per 1M tokens in the output of the AI.", + "type": "number", "gt": 0, "required": false } }, { "temperature": { - "type": "number", "description": "Defines the matching temperature, if using chat or completion models.", + "type": "number", "between": [ 0, 5 @@ -457,8 +488,8 @@ }, { "top_p": { - "type": "number", "description": "Defines the top-p probability mass, if supported.", + "type": "number", "between": [ 0, 1 @@ -468,8 +499,8 @@ }, { "top_k": { - "type": "integer", "description": "Defines the top-k most likely tokens, if supported.", + "type": "integer", "between": [ 0, 500 @@ -493,8 +524,8 @@ }, { "azure_api_version": { - "type": "string", "description": "'api-version' for Azure OpenAI instances.", + "type": "string", "default": "2023-05-15", "required": false } @@ -508,25 +539,25 @@ }, { "llama2_format": { - "required": false, "description": "If using llama2 provider, select the upstream message format.", "type": "string", "one_of": [ "raw", "openai", "ollama" - ] + ], + "required": false } }, { "mistral_format": { - "required": false, "description": "If using mistral provider, select the upstream message format.", "type": "string", "one_of": [ "openai", "ollama" - ] + ], + "required": false } }, { 
@@ -538,19 +569,28 @@ }, { "upstream_path": { - "required": false, "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", "type": "string", + "required": false, "deprecation": { - "removal_in_version": "4.0", - "message": "llm: config.model.options.upstream_path is deprecated, please use config.model.options.upstream_url instead" + "message": "llm: config.model.options.upstream_path is deprecated, please use config.model.options.upstream_url instead", + "removal_in_version": "4.0" } } }, { "gemini": { - "required": false, + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], "type": "record", + "required": false, "fields": [ { "api_endpoint": { @@ -573,22 +613,21 @@ "required": false } } - ], - "entity_checks": [ - { - "mutually_required": [ - "api_endpoint", - "project_id", - "location_id" - ] - } ] } }, { "bedrock": { - "required": false, + "entity_checks": [ + { + "mutually_required": [ + "aws_assume_role_arn", + "aws_role_session_name" + ] + } + ], "type": "record", + "required": false, "fields": [ { "aws_region": { @@ -606,30 +645,23 @@ }, { "aws_role_session_name": { - "type": "string", - "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session." + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" } }, { "aws_sts_endpoint_url": { - "type": "string", - "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" } } - ], - "entity_checks": [ - { - "mutually_required": [ - "aws_assume_role_arn", - "aws_role_session_name" - ] - } ] } }, { "huggingface": { "type": "record", + "required": false, "fields": [ { "use_cache": { 
@@ -645,40 +677,37 @@ "required": false } } - ], - "required": false + ] } } - ], - "required": false + ] } } - ], - "required": true + ] } }, { "logging": { "type": "record", + "required": true, "fields": [ { "log_statistics": { - "type": "boolean", "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean", "default": false, "required": true } }, { "log_payloads": { - "type": "boolean", "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean", "default": false, "required": true } } - ], - "required": true + ] } } ], @@ -689,34 +718,5 @@ "required": true } } - ], - "entity_checks": [ - { - "conditional": { - "if_match": { - "not_one_of": [ - "llm/v1/chat" - ] - }, - "then_field": "config.llm.route_type", - "if_field": "config.llm.route_type", - "then_match": { - "eq": "llm/v1/chat" - }, - "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins" - } - }, - { - "mutually_required": [ - "config.http_proxy_host", - "config.http_proxy_port" - ] - }, - { - "mutually_required": [ - "config.https_proxy_host", - "config.https_proxy_port" - ] - } ] } \ No newline at end of file diff --git a/schemas/ai-response-transformer/3.10.x.json b/schemas/ai-response-transformer/3.10.x.json index b77f499a..afa1c58b 100644 --- a/schemas/ai-response-transformer/3.10.x.json +++ b/schemas/ai-response-transformer/3.10.x.json 
@@ -1,10 +1,36 @@ { + "entity_checks": [ + { + "conditional": { + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "then_field": "config.llm.route_type", + "if_field": "config.llm.route_type", + "then_match": { + "eq": "llm/v1/chat" + } + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,12 +40,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { 
@@ -42,66 +71,66 @@ }, { "parse_llm_response_json_instructions": { - "type": "boolean", "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions.", "default": false, + "type": "boolean", "required": true } }, { "http_timeout": { - "type": "integer", "description": "Timeout in milliseconds for the AI upstream service.", "default": 60000, + "type": "integer", "required": true } }, { "https_verify": { - "type": "boolean", "description": "Verify the TLS certificate of the AI upstream service.", "default": true, + "type": "boolean", "required": true } }, { "max_request_body_size": { - "default": 8192, - "description": "max allowed body size allowed to be introspected", "gt": 0, - "type": "integer" + "default": 8192, + "type": "integer", + "description": "max allowed body size allowed to be introspected" } }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "http_proxy_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." 
+ "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "https_proxy_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { @@ -109,6 +138,7 @@ "entity_checks": [ { "conditional": { + "then_err": "bedrock and gemini only support auth.allow_override = false", "if_match": { "one_of": [ "bedrock", @@ -119,8 +149,7 @@ "if_field": "model.provider", "then_match": { "eq": false - }, - "then_err": "bedrock and gemini only support auth.allow_override = false" + } } }, { 
@@ -248,152 +277,152 @@ "fields": [ { "route_type": { - "required": true, "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", "type": "string", "one_of": [ "llm/v1/chat", "llm/v1/completions", "preserve" - ] + ], + "required": true } }, { "auth": { "type": "record", + "required": false, "fields": [ { "header_name": { - "required": false, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "type": "string", + "required": false, "referenceable": true } }, { "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "type": "string", - "required": false, + "referenceable": true, + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "encrypted": true, - "referenceable": true + "required": false } }, { "param_name": { - "required": false, "description": "If AI model requires authentication via query parameter, specify its name here.", "type": "string", + "required": false, "referenceable": true } }, { "param_value": { - "description": "Specify the full parameter value for 'param_name'.", "type": "string", - "required": false, + "referenceable": true, + "description": "Specify the full parameter value for 'param_name'.", "encrypted": true, - "referenceable": true + "required": false } }, { "param_location": { - "required": false, "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "type": "string", "one_of": [ "query", "body" - ] + ], + "required": false } }, { "azure_use_managed_identity": { - "type": "boolean", "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean", "default": false, "required": false } }, { 
"azure_client_id": { - "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "type": "string", + "required": false, "referenceable": true } }, { "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "type": "string", - "required": false, + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "encrypted": true, - "referenceable": true + "required": false } }, { "azure_tenant_id": { - "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "type": "string", + "required": false, "referenceable": true } }, { "gcp_use_service_account": { - "type": "boolean", "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean", "default": false, "required": false } }, { "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "type": "string", - "required": false, + "referenceable": true, + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "encrypted": true, - "referenceable": true + "required": false } }, { "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "type": "string", - "required": false, + "referenceable": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "encrypted": true, - "referenceable": true + "required": false } }, { "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "type": "string", - "required": false, + "referenceable": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "encrypted": true, - "referenceable": true + "required": false } }, { "allow_override": { - "type": "boolean", "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean", "default": false, "required": false } } - ], - "required": false + ] } }, { "model": { "type": "record", + "required": true, "fields": [ { "provider": { - "required": true, "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "type": "string", "one_of": [ 
@@ -406,7 +435,8 @@ "gemini", "bedrock", "huggingface" - ] + ], + "required": true } }, { @@ -418,8 +448,9 @@ }, { "options": { - "type": "record", "description": "Key/value settings for the model", + "type": "record", + "required": false, "fields": [ { "max_tokens": { @@ -430,24 +461,24 @@ }, { "input_cost": { - "type": "number", "description": "Defines the cost per 1M tokens in your prompt.", + "type": "number", "gt": 0, "required": false } }, { "output_cost": { - "type": "number", "description": "Defines the cost per 1M tokens in the output of the AI.", + "type": "number", "gt": 0, "required": false } }, { "temperature": { - "type": "number", "description": "Defines the matching temperature, if using chat or completion models.", + "type": "number", "between": [ 0, 5 @@ -457,8 +488,8 @@ }, { "top_p": { - "type": "number", "description": "Defines the top-p probability mass, if supported.", + "type": "number", "between": [ 0, 1 @@ -468,8 +499,8 @@ }, { "top_k": { - "type": "integer", "description": "Defines the top-k most likely tokens, if supported.", + "type": "integer", "between": [ 0, 500 @@ -493,8 +524,8 @@ }, { "azure_api_version": { - "type": "string", "description": "'api-version' for Azure OpenAI instances.", + "type": "string", "default": "2023-05-15", "required": false } @@ -508,25 +539,25 @@ }, { "llama2_format": { - "required": false, "description": "If using llama2 provider, select the upstream message format.", "type": "string", "one_of": [ "raw", "openai", "ollama" - ] + ], + "required": false } }, { "mistral_format": { - "required": false, "description": "If using mistral provider, select the upstream message format.", "type": "string", "one_of": [ "openai", "ollama" - ] + ], + "required": false } }, { 
@@ -538,19 +569,28 @@ }, { "upstream_path": { - "required": false, "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", "type": "string", + "required": false, "deprecation": { - "removal_in_version": "4.0", - "message": "llm: config.model.options.upstream_path is deprecated, please use config.model.options.upstream_url instead" + "message": "llm: config.model.options.upstream_path is deprecated, please use config.model.options.upstream_url instead", + "removal_in_version": "4.0" } } }, { "gemini": { - "required": false, + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], "type": "record", + "required": false, "fields": [ { "api_endpoint": { @@ -573,22 +613,21 @@ "required": false } } - ], - "entity_checks": [ - { - "mutually_required": [ - "api_endpoint", - "project_id", - "location_id" - ] - } ] } }, { "bedrock": { - "required": false, + "entity_checks": [ + { + "mutually_required": [ + "aws_assume_role_arn", + "aws_role_session_name" + ] + } + ], "type": "record", + "required": false, "fields": [ { "aws_region": { @@ -606,30 +645,23 @@ }, { "aws_role_session_name": { - "type": "string", - "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session." + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" } }, { "aws_sts_endpoint_url": { - "type": "string", - "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" } } - ], - "entity_checks": [ - { - "mutually_required": [ - "aws_assume_role_arn", - "aws_role_session_name" - ] - } ] } }, { "huggingface": { "type": "record", + "required": false, "fields": [ { "use_cache": { 
@@ -645,40 +677,37 @@ "required": false } } - ], - "required": false + ] } } - ], - "required": false + ] } } - ], - "required": true + ] } }, { "logging": { "type": "record", + "required": true, "fields": [ { "log_statistics": { - "type": "boolean", "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean", "default": false, "required": true } }, { "log_payloads": { - "type": "boolean", "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean", "default": false, "required": true } } - ], - "required": true + ] } } ], @@ -689,34 +718,5 @@ "required": true } } - ], - "entity_checks": [ - { - "conditional": { - "if_match": { - "not_one_of": [ - "llm/v1/chat" - ] - }, - "then_field": "config.llm.route_type", - "if_field": "config.llm.route_type", - "then_match": { - "eq": "llm/v1/chat" - }, - "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins" - } - }, - { - "mutually_required": [ - "config.http_proxy_host", - "config.http_proxy_port" - ] - }, - { - "mutually_required": [ - "config.https_proxy_host", - "config.https_proxy_port" - ] - } ] } \ No newline at end of file diff --git a/schemas/ai-sanitizer/3.10.x.json b/schemas/ai-sanitizer/3.10.x.json index 01920229..e2540b8c 100644 --- a/schemas/ai-sanitizer/3.10.x.json +++ b/schemas/ai-sanitizer/3.10.x.json @@ -1,10 +1,16 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,12 +20,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { 
@@ -28,24 +37,24 @@ "fields": [ { "host": { - "type": "string", "description": "The host of the sanitizer", + "type": "string", "default": "localhost", "required": true } }, { "port": { - "type": "number", "description": "The port of the sanitizer", + "type": "number", "default": 8080, "required": true } }, { "scheme": { - "type": "string", "description": "The protocol can be http and https", + "type": "string", "default": "http", "required": true } @@ -73,9 +82,6 @@ }, { "anonymize": { - "description": "List of types to be anonymized", - "type": "array", - "required": true, "elements": { "type": "string", "one_of": [ @@ -101,9 +107,12 @@ "all_and_credentials" ] }, + "description": "List of types to be anonymized", "default": [ "all_and_credentials" - ] + ], + "type": "array", + "required": true } }, { @@ -115,8 +124,8 @@ }, { "redact_type": { - "default": "placeholder", "description": "What value to be used to redacted to", + "default": "placeholder", "type": "string", "one_of": [ "placeholder", @@ -126,22 +135,22 @@ }, { "custom_patterns": { - "len_min": 1, "type": "array", - "required": false, + "len_min": 1, + "description": "List of custom patterns to be used for anonymization", "elements": { "type": "record", "fields": [ { "name": { - "type": "string", - "required": true + "required": true, + "type": "string" } }, { "regex": { - "type": "string", - "required": true + "required": true, + "type": "string" } }, { @@ -157,21 +166,12 @@ } ] }, - "description": "List of custom patterns to be used for anonymization" + "required": false } } ], "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/ai-semantic-cache/3.10.x.json b/schemas/ai-semantic-cache/3.10.x.json index ce64ef2e..78e934df 100644 --- a/schemas/ai-semantic-cache/3.10.x.json +++ b/schemas/ai-semantic-cache/3.10.x.json 
@@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,12 +14,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { @@ -28,13 +31,13 @@ "fields": [ { "message_countback": { - "default": 1, "description": "Number of messages in the chat history to Vectorize/Cache", + "type": "number", + "default": 1, "between": [ 1, 1000 - ], - "type": "number" + ] } }, { 
@@ -60,190 +63,234 @@ }, { "stop_on_failure": { - "type": "boolean", "description": "Halt the LLM request process in case of a caching system failure", + "type": "boolean", "default": false, "required": true } }, { "cache_ttl": { - "default": 300, - "description": "TTL in seconds of cache entities. Must be a value greater than 0.", "gt": 0, - "type": "integer" + "type": "integer", + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "default": 300 } }, { "cache_control": { - "type": "boolean", "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "type": "boolean", "default": false, "required": true } }, { "exact_caching": { - "type": "boolean", "description": "When enabled, a first check for exact query will be done. It will impact DB size", + "type": "boolean", "default": false, "required": true } }, { "llm_format": { - "description": "LLM input and output format and schema to use", "type": "string", - "required": false, - "default": "openai", + "description": "LLM input and output format and schema to use", "one_of": [ "openai", "bedrock", "gemini" - ] + ], + "default": "openai", + "required": false } }, { "embeddings": { - "required": true, + "entity_checks": [ + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.instance" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.api_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.deployment_id" + ] + } + } + ], 
"type": "record", + "required": true, "fields": [ { "auth": { "type": "record", + "required": false, "fields": [ { "header_name": { - "required": false, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "type": "string", + "required": false, "referenceable": true } }, { "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "type": "string", - "required": false, + "referenceable": true, + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "encrypted": true, - "referenceable": true + "required": false } }, { "param_name": { - "required": false, "description": "If AI model requires authentication via query parameter, specify its name here.", "type": "string", + "required": false, "referenceable": true } }, { "param_value": { - "description": "Specify the full parameter value for 'param_name'.", "type": "string", - "required": false, + "referenceable": true, + "description": "Specify the full parameter value for 'param_name'.", "encrypted": true, - "referenceable": true + "required": false } }, { "param_location": { - "required": false, "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "type": "string", "one_of": [ "query", "body" - ] + ], + "required": false } }, { "azure_use_managed_identity": { - "type": "boolean", "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean", "default": false, "required": false } }, { "azure_client_id": { - "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "type": "string", + "required": false, "referenceable": true } }, { 
"azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "type": "string", - "required": false, + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "encrypted": true, - "referenceable": true + "required": false } }, { "azure_tenant_id": { - "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "type": "string", + "required": false, "referenceable": true } }, { "gcp_use_service_account": { - "type": "boolean", "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean", "default": false, "required": false } }, { "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "type": "string", - "required": false, + "referenceable": true, + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "encrypted": true, - "referenceable": true + "required": false } }, { "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "type": "string", - "required": false, + "referenceable": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "encrypted": true, - "referenceable": true + "required": false } }, { "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "type": "string", - "required": false, + "referenceable": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "encrypted": true, - "referenceable": true + "required": false } }, { "allow_override": { - "type": "boolean", "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean", "default": false, "required": false } } - ], - "required": false + ] } }, { "model": { "type": "record", + "required": true, "fields": [ { "provider": { - "required": true, "description": "AI provider format to use for embeddings API", "type": "string", "one_of": [ @@ -253,7 +300,8 @@ "azure", "bedrock", "gemini" - ] + ], + "required": true } }, { @@ -265,8 +313,9 @@ }, { "options": { - "type": "record", "description": "Key/value settings for the model", + "type": "record", + "required": false, "fields": [ { "upstream_url": { 
@@ -288,8 +337,8 @@ }, { "api_version": { - "type": "string", "description": "'api-version' for Azure OpenAI instances.", + "type": "string", "default": "2023-05-15", "required": false } @@ -307,8 +356,16 @@ }, { "bedrock": { - "required": false, + "entity_checks": [ + { + "mutually_required": [ + "aws_assume_role_arn", + "aws_role_session_name" + ] + } + ], "type": "record", + "required": false, "fields": [ { "aws_region": { @@ -326,31 +383,32 @@ }, { "aws_role_session_name": { - "type": "string", - "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session." + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" } }, { "aws_sts_endpoint_url": { - "type": "string", - "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" } } - ], - "entity_checks": [ - { - "mutually_required": [ - "aws_assume_role_arn", - "aws_role_session_name" - ] - } ] } }, { "gemini": { - "required": false, + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], "type": "record", + "required": false, "fields": [ { "api_endpoint": { @@ -373,21 +431,13 @@ "required": false } } - ], - "entity_checks": [ - { - "mutually_required": [ - "api_endpoint", - "project_id", - "location_id" - ] - } ] } }, { "huggingface": { "type": "record", + "required": false, "fields": [ { "use_cache": { 
@@ -403,59 +453,12 @@ "required": false } } - ], - "required": false + ] } } - ], - "required": false + ] } } - ], - "required": true - } - } - ], - "entity_checks": [ - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure.instance" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure.api_version" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure.deployment_id" ] } } @@ -465,16 +468,17 @@ { "vectordb": { "type": "record", + "required": true, "fields": [ { "strategy": { - "required": true, "description": "which vector database driver to use", "type": "string", "one_of": [ "redis", "pgvector" - ] + ], + "required": true } }, { 
@@ -493,19 +497,79 @@ }, { "distance_metric": { - "required": true, "description": "the distance metric to use for vector searches", "type": "string", "one_of": [ "cosine", "euclidean" - ] + ], + "required": true } }, { "redis": { + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], "type": "record", - "required": true, "fields": [ { "host": { 
@@ -516,46 +580,46 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -597,13 +661,13 @@ }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer", "between": [ 1, 2147483646 - ], - "type": "integer" + ] } }, { 
@@ -618,8 +682,8 @@ }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { 
@@ -635,81 +699,81 @@ }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "elements": { "type": "record", "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] }, - "len_min": 1 + "required": false } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "elements": { "type": "record", "fields": [ { "ip": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] }, - "len_min": 1 + "required": false } }, { "ssl": { - "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", "default": false, + "type": "boolean", "required": false } }, { "ssl_verify": { - "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "type": "boolean", "required": false } }, 
@@ -722,89 +786,26 @@ }, { "cluster_max_redirections": { - "type": "integer", "description": "Maximum retry attempts for redirection.", "default": 5, + "type": "integer", "required": false } }, { "connection_is_proxied": { - "type": "boolean", "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "default": false, + "type": "boolean", "required": false } } ], - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], "shorthand_fields": [ { "timeout": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", "replaced_with": [ { "path": [ 
@@ -821,51 +822,54 @@ "read_timeout" ] } - ] - } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + }, + "type": "integer" } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] - } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] - } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 } } - ] + ], + "required": true } }, { @@ -888,17 +892,17 @@ }, { "user": { - "type": "string", "description": "the user of the pgvector database", + "type": "string", "default": "postgres", "referenceable": true } }, { "password": { - "encrypted": true, "description": "the password of the pgvector database", "type": "string", + "encrypted": true, "referenceable": true } }, @@ -939,8 +943,8 @@ }, { "ssl_version": { - "type": "string", "description": "the ssl version to use for the pgvector database", + "type": "string", "default": "tlsv1_2", "one_of": [ "tlsv1_2", 
@@ -951,30 +955,26 @@ }, { "ssl_cert": { - "type": "string", - "description": "the path of ssl cert to use for the pgvector database" + "description": "the path of ssl cert to use for the pgvector database", + "type": "string" } }, { "ssl_cert_key": { - "type": "string", - "description": "the path of ssl cert key to use for the pgvector database" + "description": "the path of ssl cert key to use for the pgvector database", + "type": "string" } } ], "required": true } } - ], - "required": true + ] } } ], "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/ai-semantic-prompt-guard/3.10.x.json b/schemas/ai-semantic-prompt-guard/3.10.x.json index 90872d10..ed873086 100644 --- a/schemas/ai-semantic-prompt-guard/3.10.x.json +++ b/schemas/ai-semantic-prompt-guard/3.10.x.json @@ -1,10 +1,15 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.rules.allow_prompts", + "config.rules.deny_prompts" + ] + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,12 +19,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { 
@@ -28,145 +36,189 @@ "fields": [ { "embeddings": { - "required": true, + "entity_checks": [ + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.instance" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.api_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.deployment_id" + ] + } + } + ], "type": "record", + "required": true, "fields": [ { "auth": { "type": "record", + "required": false, "fields": [ { "header_name": { - "required": false, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "type": "string", + "required": false, "referenceable": true } }, { "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "type": "string", - "required": false, + "referenceable": true, + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "encrypted": true, - "referenceable": true + "required": false } }, { "param_name": { - "required": false, "description": "If AI model requires authentication via query parameter, specify its name here.", "type": "string", + "required": false, "referenceable": true } }, { "param_value": { - "description": "Specify the full parameter value for 'param_name'.", "type": "string", - "required": false, + "referenceable": true, + "description": "Specify the full parameter value for 'param_name'.", "encrypted": true, - 
"referenceable": true + "required": false } }, { "param_location": { - "required": false, "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "type": "string", "one_of": [ "query", "body" - ] + ], + "required": false } }, { "azure_use_managed_identity": { - "type": "boolean", "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean", "default": false, "required": false } }, { "azure_client_id": { - "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "type": "string", + "required": false, "referenceable": true } }, { "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "type": "string", - "required": false, + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "encrypted": true, - "referenceable": true + "required": false } }, { "azure_tenant_id": { - "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "type": "string", + "required": false, "referenceable": true } }, { "gcp_use_service_account": { - "type": "boolean", "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean", "default": false, "required": false } }, { "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "type": "string", - "required": false, + "referenceable": true, + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "encrypted": true, - "referenceable": true + "required": false } }, { "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "type": "string", - "required": false, + "referenceable": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "encrypted": true, - "referenceable": true + "required": false } }, { "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "type": "string", - "required": false, + "referenceable": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "encrypted": true, - "referenceable": true + "required": false } }, { "allow_override": { - "type": "boolean", "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean", "default": false, "required": false } } - ], - "required": false + ] } }, { "model": { "type": "record", + "required": true, "fields": [ { "provider": { - "required": true, "description": "AI provider format to use for embeddings API", "type": "string", "one_of": [ @@ -176,7 +228,8 @@ "azure", "bedrock", "gemini" - ] + ], + "required": true } }, { @@ -188,8 +241,9 @@ }, { "options": { - "type": "record", "description": "Key/value settings for the model", + "type": "record", + "required": false, "fields": [ { "upstream_url": { @@ -211,8 +265,8 @@ }, { "api_version": { - "type": "string", "description": "'api-version' for Azure OpenAI instances.", + "type": "string", "default": "2023-05-15", "required": false } @@ -230,8 +284,16 @@ }, { "bedrock": { - "required": false, + "entity_checks": [ + { + "mutually_required": [ + "aws_assume_role_arn", + "aws_role_session_name" + ] + } + ], "type": "record", + "required": false, "fields": [ { "aws_region": { 
@@ -249,31 +311,32 @@ }, { "aws_role_session_name": { - "type": "string", - "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session." + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" } }, { "aws_sts_endpoint_url": { - "type": "string", - "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" } } - ], - "entity_checks": [ - { - "mutually_required": [ - "aws_assume_role_arn", - "aws_role_session_name" - ] - } ] } }, { "gemini": { - "required": false, + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], "type": "record", + "required": false, "fields": [ { "api_endpoint": { @@ -296,21 +359,13 @@ "required": false } } - ], - "entity_checks": [ - { - "mutually_required": [ - "api_endpoint", - "project_id", - "location_id" - ] - } ] } }, { "huggingface": { "type": "record", + "required": false, "fields": [ { "use_cache": { 
@@ -326,59 +381,12 @@ "required": false } } - ], - "required": false + ] } } - ], - "required": false + ] } } - ], - "required": true - } - } - ], - "entity_checks": [ - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure.instance" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure.api_version" - ] - } - }, - { - "conditional_at_least_one_of": { - "if_match": { - "one_of": [ - "azure" - ] - }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure.deployment_id" ] } } @@ -388,16 +396,17 @@ { "vectordb": { "type": "record", + "required": true, "fields": [ { "strategy": { - "required": true, "description": "which vector database driver to use", "type": "string", "one_of": [ "redis", "pgvector" - ] + ], + "required": true } }, { 
@@ -416,19 +425,79 @@ }, { "distance_metric": { - "required": true, "description": "the distance metric to use for vector searches", "type": "string", "one_of": [ "cosine", "euclidean" - ] + ], + "required": true } }, { "redis": { + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], "type": "record", - "required": true, "fields": [ { "host": { 
@@ -439,46 +508,46 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -520,13 +589,13 @@ }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer", "between": [ 1, 2147483646 - ], - "type": "integer" + ] } }, { 
@@ -541,8 +610,8 @@ }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { 
@@ -558,81 +627,81 @@ }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "elements": { "type": "record", "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] }, - "len_min": 1 + "required": false } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "elements": { "type": "record", "fields": [ { "ip": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] }, - "len_min": 1 + "required": false } }, { "ssl": { - "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", "default": false, + "type": "boolean", "required": false } }, { "ssl_verify": { - "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "type": "boolean", "required": false } }, 
@@ -645,89 +714,26 @@ }, { "cluster_max_redirections": { - "type": "integer", "description": "Maximum retry attempts for redirection.", "default": 5, + "type": "integer", "required": false } }, { "connection_is_proxied": { - "type": "boolean", "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "default": false, + "type": "boolean", "required": false } } ], - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], "shorthand_fields": [ { "timeout": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", "replaced_with": [ { "path": [ 
@@ -744,51 +750,54 @@ "read_timeout" ] } - ] - } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + }, + "type": "integer" } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] - } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] - } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 } } - ] + ], + "required": true } }, { @@ -811,17 +820,17 @@ }, { "user": { - "type": "string", "description": "the user of the pgvector database", + "type": "string", "default": "postgres", "referenceable": true } }, { "password": { - "encrypted": true, "description": "the password of the pgvector database", "type": "string", + "encrypted": true, "referenceable": true } }, @@ -862,8 +871,8 @@ }, { "ssl_version": { - "type": "string", "description": "the ssl version to use for the pgvector database", + "type": "string", "default": "tlsv1_2", "one_of": [ "tlsv1_2", 
@@ -874,122 +883,113 @@ }, { "ssl_cert": { - "type": "string", - "description": "the path of ssl cert to use for the pgvector database" + "description": "the path of ssl cert to use for the pgvector database", + "type": "string" } }, { "ssl_cert_key": { - "type": "string", - "description": "the path of ssl cert key to use for the pgvector database" + "description": "the path of ssl cert key to use for the pgvector database", + "type": "string" } } ], "required": true } } - ], - "required": true + ] } }, { "search": { "type": "record", + "required": false, "fields": [ { "threshold": { - "default": 0.5, "description": "Threshold for the similarity score to be considered a match.", + "default": 0.5, "type": "number", "required": false } } - ], - "required": false + ] } }, { "rules": { "type": "record", + "required": true, "fields": [ { "match_all_conversation_history": { - "default": false, "description": "If false, will ignore all previous chat prompts from the conversation history.", + "default": false, "type": "boolean", "required": false } }, { "allow_prompts": { - "description": "List of prompts to allow.", "type": "array", - "required": false, + "description": "List of prompts to allow.", + "len_max": 100, "elements": { - "len_min": 1, + "len_max": 500, "type": "string", - "len_max": 500 + "len_min": 1 }, - "len_max": 100 + "required": false } }, { "deny_prompts": { - "description": "List of prompts to deny.", "type": "array", - "required": false, + "description": "List of prompts to deny.", + "len_max": 100, "elements": { - "len_min": 1, + "len_max": 500, "type": "string", - "len_max": 500 + "len_min": 1 }, - "len_max": 100 + "required": false } }, { "max_request_body_size": { - "type": "integer", "description": "max allowed body size allowed to be introspected", - "gt": 0, - "default": 8192 + "type": "integer", + "default": 8192, + "gt": 0 } }, { "match_all_roles": { - "type": "boolean", "description": "If true, will match all roles in addition to 'user' role 
in conversation history.", + "type": "boolean", "default": false, "required": true } } - ], - "required": true + ] } }, { "llm_format": { - "description": "LLM input and output format and schema to use", "type": "string", - "required": false, - "default": "openai", + "description": "LLM input and output format and schema to use", "one_of": [ "openai", "bedrock", "gemini" - ] + ], + "default": "openai", + "required": false } } ], "required": true } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.rules.allow_prompts", - "config.rules.deny_prompts" - ] - } ] } \ No newline at end of file diff --git a/schemas/app-dynamics/3.10.x.json b/schemas/app-dynamics/3.10.x.json index 95ad13cf..792a48cc 100644 --- a/schemas/app-dynamics/3.10.x.json +++ b/schemas/app-dynamics/3.10.x.json @@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,20 +14,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -39,8 +42,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/aws-lambda/3.10.x.json b/schemas/aws-lambda/3.10.x.json index 04dba6e4..e1d581fa 100644 --- a/schemas/aws-lambda/3.10.x.json +++ b/schemas/aws-lambda/3.10.x.json 
@@ -1,10 +1,22 @@ { + "entity_checks": [ + { + "mutually_required": [ + "config.aws_key", + "config.aws_secret" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "config.proxy_url" + ] + } + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,20 +26,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { 
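Review bot: Every change in the `schemas/aws-lambda/3.10.x.json` hunks is a key reorder, which makes a real change hard to spot. Here `entity_checks` moves from the end of the file to the top, and in the later hunks `encrypted`, `type`, `default` and `required` swap places inside `aws_key`, `aws_secret` and the other fields. The same churn shows in the app-dynamics, azure-functions, basic-auth, bot-detection, confluent, cors and datadog sections. Writing the downloaded schemas with sorted keys, for example by piping each file through `jq -S .` before committing, would keep the key order stable. A dropped `"encrypted": true` or a removed entity check would then show up as its own changed line.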
@@ -36,61 +51,61 @@ "fields": [ { "timeout": { - "default": 60000, "description": "An optional timeout in milliseconds when invoking the function.", "type": "number", + "default": 60000, "required": true } }, { "keepalive": { - "default": 60000, "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", "type": "number", + "default": 60000, "required": true } }, { "aws_key": { "description": "The AWS key credential to be used when invoking the function.", - "encrypted": true, "type": "string", + "encrypted": true, "referenceable": true } }, { "aws_secret": { "description": "The AWS secret credential to be used when invoking the function. ", - "encrypted": true, "type": "string", + "encrypted": true, "referenceable": true } }, { "aws_assume_role_arn": { "description": "The target AWS IAM role ARN used to invoke the Lambda function.", - "encrypted": true, "type": "string", + "encrypted": true, "referenceable": true } }, { "aws_role_session_name": { "description": "The identifier of the assumed role session.", - "default": "kong", - "type": "string" + "type": "string", + "default": "kong" } }, { "aws_sts_endpoint_url": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "aws_region": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { 
@@ -102,50 +117,50 @@ }, { "qualifier": { - "type": "string", - "description": "The qualifier to use when invoking the function." + "description": "The qualifier to use when invoking the function.", + "type": "string" } }, { "invocation_type": { - "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", "type": "string", - "required": true, - "default": "RequestResponse", + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", "one_of": [ "RequestResponse", "Event", "DryRun" - ] + ], + "default": "RequestResponse", + "required": true } }, { "log_type": { - "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", "type": "string", - "required": true, - "default": "Tail", + "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", "one_of": [ "Tail", "None" - ] + ], + "default": "Tail", + "required": true } }, { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 443 + "default": 443, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { 
@@ -167,107 +182,92 @@ { "forward_request_method": { "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "forward_request_uri": { "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "forward_request_headers": { "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "forward_request_body": { "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. ", - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "is_proxy_integration": { "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "awsgateway_compatible": { "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "proxy_url": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "skip_large_bodies": { "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "base64_encode_body": { "description": "An optional value that Base64-encodes the request body.", - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "aws_imds_protocol_version": { - "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", "type": "string", - "required": true, - "default": "v1", + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", "one_of": [ "v1", "v2" - ] + ], + "default": "v1", + "required": true } }, { "empty_arrays_mode": { - "description": "An optional value that defines whether Kong should send empty arrays (returned by Lambda function) as `[]` arrays or `{}` objects in JSON responses. The value `legacy` means Kong will send empty arrays as `{}` objects in response", "type": "string", - "required": true, - "default": "legacy", + "description": "An optional value that defines whether Kong should send empty arrays (returned by Lambda function) as `[]` arrays or `{}` objects in JSON responses. The value `legacy` means Kong will send empty arrays as `{}` objects in response", "one_of": [ "legacy", "correct" - ] + ], + "default": "legacy", + "required": true } } ], "required": true } } - ], - "entity_checks": [ - { - "mutually_required": [ - "config.aws_key", - "config.aws_secret" - ] - }, - { - "custom_entity_check": { - "field_sources": [ - "config.proxy_url" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/azure-functions/3.10.x.json b/schemas/azure-functions/3.10.x.json index 87043d49..a8594f04 100644 --- a/schemas/azure-functions/3.10.x.json +++ b/schemas/azure-functions/3.10.x.json 
@@ -1,13 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", - "type": "set", - "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -19,22 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string" }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -71,17 +74,17 @@ }, { "apikey": { - "encrypted": true, "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", "type": "string", + "encrypted": true, "referenceable": true } }, { "clientid": { - "encrypted": true, "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.", "type": "string", + "encrypted": true, "referenceable": true } }, @@ -94,8 +97,8 @@ }, { "hostdomain": { - "type": "string", "description": "The domain where the function resides.", + "type": "string", "default": "azurewebsites.net", "required": true } @@ -118,8 +121,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/basic-auth/3.10.x.json b/schemas/basic-auth/3.10.x.json index da652430..faa469e5 100644 --- a/schemas/basic-auth/3.10.x.json +++ b/schemas/basic-auth/3.10.x.json 
@@ -1,16 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { - "type": "set", "elements": { "type": "string", "one_of": [ @@ -22,6 +24,7 @@ "wss" ] }, + "type": "set", "default": [ "grpc", "grpcs", @@ -35,10 +38,10 @@ }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -47,22 +50,22 @@ "fields": [ { "anonymous": { - "type": "string", - "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "hide_credentials": { - "type": "boolean", "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", + "type": "boolean", "default": false, "required": true } }, { "realm": { - "type": "string", "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string", "default": "service", "required": true } 
@@ -71,8 +74,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/bot-detection/3.10.x.json b/schemas/bot-detection/3.10.x.json index c83da6b6..757d71a3 100644 --- a/schemas/bot-detection/3.10.x.json +++ b/schemas/bot-detection/3.10.x.json @@ -1,18 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -22,20 +22,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -44,11 +47,11 @@ "fields": [ { "allow": { + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", + "type": "array", "default": [ ], - "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", - "type": "array", "elements": { "type": "string", "is_regex": true 
@@ -57,11 +60,11 @@ }, { "deny": { + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", + "type": "array", "default": [ ], - "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", - "type": "array", "elements": { "type": "string", "is_regex": true @@ -72,8 +75,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/canary/3.10.x.json b/schemas/canary/3.10.x.json index e5159bba..0ec422ea 100644 --- a/schemas/canary/3.10.x.json +++ b/schemas/canary/3.10.x.json @@ -1,26 +1,56 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.upstream_uri", + "config.upstream_host", + "config.upstream_port" + ] + }, + { + "conditional": { + "if_match": { + "eq": "header" + }, + "then_field": "config.hash_header", + "if_field": "config.hash", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "config.upstream_host", + "if_field": "config.upstream_fallback", + "then_match": { + "required": true + } + } + } + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ 
@@ -30,37 +60,41 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "config": { + "required": true, + "type": "record", "shorthand_fields": [ { "hash": { - "type": "string", - "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead." + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead.", + "type": "string" } } ], - "type": "record", "fields": [ { "start": { - "type": "number", - "description": "Future time in seconds since epoch, when the canary release will start. Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`." + "description": "Future time in seconds since epoch, when the canary release will start. Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`.", + "type": "number" } }, { "hash": { - "type": "string", "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", "default": "consumer", + "type": "string", "one_of": [ "consumer", "ip", 
@@ -73,24 +107,24 @@ }, { "hash_header": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } }, { "duration": { - "type": "number", - "description": "The duration of the canary release in seconds.", + "gt": 0, "default": 3600, - "gt": 0 + "description": "The duration of the canary release in seconds.", + "type": "number" } }, { "steps": { - "type": "number", - "description": "The number of steps for the canary release.", + "gt": 1, "default": 1000, - "gt": 1 + "description": "The number of steps for the canary release.", + "type": "number" } }, { @@ -105,32 +139,32 @@ }, { "upstream_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "upstream_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "upstream_uri": { - "len_min": 1, + "description": "The URI of the upstream server to be used for the canary release.", "type": "string", - "description": "The URI of the upstream server to be used for the canary release." + "len_min": 1 } }, { "upstream_fallback": { - "default": false, "description": "Specifies whether to fallback to the upstream server if the canary release fails.", "type": "boolean", + "default": false, "required": true } }, 
@@ -145,45 +179,11 @@ }, { "canary_by_header_name": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } } - ], - "required": true - } - } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.upstream_uri", - "config.upstream_host", - "config.upstream_port" - ] - }, - { - "conditional": { - "if_match": { - "eq": "header" - }, - "then_field": "config.hash_header", - "if_field": "config.hash", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "config.upstream_host", - "if_field": "config.upstream_fallback", - "then_match": { - "required": true - } + ] } } ] diff --git a/schemas/confluent-consume/3.10.x.json b/schemas/confluent-consume/3.10.x.json index 65cdb059..4539a378 100644 --- a/schemas/confluent-consume/3.10.x.json +++ b/schemas/confluent-consume/3.10.x.json @@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,20 +14,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -53,12 +56,12 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true } } 
@@ -68,9 +71,9 @@ }, { "topics": { - "len_min": 1, "type": "array", - "required": true, + "len_min": 1, + "description": "The Kafka topics and their configuration you want to consume from.", "elements": { "type": "record", "fields": [ @@ -82,55 +85,55 @@ } ] }, - "description": "The Kafka topics and their configuration you want to consume from." + "required": true } }, { "mode": { - "description": "The mode of operation for the plugin.", "type": "string", - "required": true, - "default": "http-get", + "description": "The mode of operation for the plugin.", "one_of": [ "server-sent-events", "http-get" - ] + ], + "default": "http-get", + "required": true } }, { "message_deserializer": { - "description": "The deserializer to use for the consumed messages.", "type": "string", - "required": true, - "default": "noop", + "description": "The deserializer to use for the consumed messages.", "one_of": [ "json", "noop" - ] + ], + "default": "noop", + "required": true } }, { "auto_offset_reset": { - "description": "The offset to start from when there is no initial offset in the consumer group.", "type": "string", - "required": true, - "default": "latest", + "description": "The offset to start from when there is no initial offset in the consumer group.", "one_of": [ "earliest", "latest" - ] + ], + "default": "latest", + "required": true } }, { "commit_strategy": { - "description": "The strategy to use for committing offsets.", "type": "string", - "required": true, - "default": "auto", + "description": "The strategy to use for committing offsets.", "one_of": [ "auto", "off" - ] + ], + "default": "auto", + "required": true } }, { 
@@ -155,44 +158,44 @@ }, { "cluster_api_key": { - "description": "Username/Apikey for SASL authentication.", "type": "string", - "required": true, + "referenceable": true, + "description": "Username/Apikey for SASL authentication.", "encrypted": true, - "referenceable": true + "required": true } }, { "cluster_api_secret": { - "description": "Password/ApiSecret for SASL authentication.", "type": "string", - "required": true, + "referenceable": true, + "description": "Password/ApiSecret for SASL authentication.", "encrypted": true, - "referenceable": true + "required": true } }, { "confluent_cloud_api_key": { - "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", "type": "string", - "required": false, + "referenceable": true, + "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", "encrypted": true, - "referenceable": true + "required": false } }, { "confluent_cloud_api_secret": { - "description": "The corresponding secret for the Confluent Cloud API key.", "type": "string", - "required": false, + "referenceable": true, + "description": "The corresponding secret for the Confluent Cloud API key.", "encrypted": true, - "referenceable": true + "required": false } }, { "cluster_name": { - "type": "string", "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "type": "string", "auto": true, "required": false } @@ -201,8 +204,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
diff --git a/schemas/confluent/3.10.x.json b/schemas/confluent/3.10.x.json index 1a4eefb1..e57cb780 100644 --- a/schemas/confluent/3.10.x.json +++ b/schemas/confluent/3.10.x.json @@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,20 +14,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -62,12 +65,12 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true } } @@ -84,11 +87,11 @@ }, { "allowed_topics": { + "description": "The list of allowed topic names to which messages can be sent. The default topic configured in the `topic` field is always allowed, regardless of its inclusion in `allowed_topics`.", + "type": "array", "elements": { "type": "string" }, - "description": "The list of allowed topic names to which messages can be sent. The default topic configured in the `topic` field is always allowed, regardless of its inclusion in `allowed_topics`.", - "type": "array", "required": false } }, 
@@ -115,44 +118,44 @@ }, { "keepalive_enabled": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "cluster_api_key": { - "encrypted": true, "type": "string", - "required": true, + "referenceable": true, "description": "Username/Apikey for SASL authentication.", - "referenceable": true + "encrypted": true, + "required": true } }, { "cluster_api_secret": { - "encrypted": true, "type": "string", - "required": true, + "referenceable": true, "description": "Password/ApiSecret for SASL authentication.", - "referenceable": true + "encrypted": true, + "required": true } }, { "confluent_cloud_api_key": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", - "referenceable": true + "encrypted": true, + "required": false } }, { "confluent_cloud_api_secret": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "The corresponding secret for the Confluent Cloud API key.", - "referenceable": true + "encrypted": true, + "required": false } }, { 
@@ -185,32 +188,32 @@ }, { "message_by_lua_functions": { + "description": "The Lua functions that manipulates the message being sent to the Kafka topic.", + "type": "array", "elements": { "type": "string" }, - "description": "The Lua functions that manipulates the message being sent to the Kafka topic.", - "type": "array", "required": false } }, { "cluster_name": { - "type": "string", "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", - "auto": true, - "required": false + "type": "string", + "required": false, + "auto": true } }, { "producer_request_acks": { - "type": "integer", "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", - "default": 1, + "type": "integer", "one_of": [ -1, 0, 1 - ] + ], + "default": 1 } }, { @@ -273,8 +276,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/correlation-id/3.10.x.json b/schemas/correlation-id/3.10.x.json index 8799aed4..61008053 100644 --- a/schemas/correlation-id/3.10.x.json +++ b/schemas/correlation-id/3.10.x.json @@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ 
@@ -14,20 +14,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -43,22 +46,22 @@ }, { "generator": { - "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", "type": "string", - "required": true, - "default": "uuid#counter", + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", "one_of": [ "uuid", "uuid#counter", "tracker" - ] + ], + "default": "uuid#counter", + "required": true } }, { "echo_downstream": { - "type": "boolean", "description": "Whether to echo the header back to downstream (the client).", "default": false, + "type": "boolean", "required": true } } @@ -66,8 +69,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/cors/3.10.x.json b/schemas/cors/3.10.x.json index 2dfb819b..b47cf1dd 100644 --- a/schemas/cors/3.10.x.json +++ b/schemas/cors/3.10.x.json 
@@ -1,43 +1,46 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { + "required": true, "one_of": [ "grpc", "grpcs", "http", "https" ], - "len_min": 1, "type": "string", - "required": true + "len_min": 1 }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -73,6 +76,8 @@ }, { "methods": { + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", + "type": "array", "default": [ "GET", "HEAD", @@ -84,8 +89,6 @@ "TRACE", "CONNECT" ], - "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", - "type": "array", "elements": { "type": "string", "one_of": [ 
@@ -104,38 +107,38 @@ }, { "max_age": { - "type": "number", - "description": "Indicates how long the results of the preflight request can be cached, in `seconds`." + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`.", + "type": "number" } }, { "credentials": { - "type": "boolean", "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", + "type": "boolean", "default": false, "required": true } }, { "private_network": { - "type": "boolean", "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", + "type": "boolean", "default": false, "required": true } }, { "preflight_continue": { - "type": "boolean", "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", + "type": "boolean", "default": false, "required": true } }, { "allow_origin_absent": { - "type": "boolean", "description": "A boolean value that skip cors response headers when origin header of request is empty", + "type": "boolean", "default": true, "required": true } @@ -144,8 +147,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/datadog/3.10.x.json b/schemas/datadog/3.10.x.json index e854b8ac..30802ecb 100644 --- a/schemas/datadog/3.10.x.json +++ b/schemas/datadog/3.10.x.json @@ -1,13 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", - "type": "set", - "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -19,22 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string" }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -43,21 +46,21 @@ "fields": [ { "host": { - "default": "localhost", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "localhost", "referenceable": true } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 8125 + "default": 8125, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { @@ -93,9 +96,9 @@ "description": "Number of times to retry when sending data to the upstream server.", "type": "integer", "deprecation": { - "removal_in_version": "4.0", + "message": "datadog: config.retry_count no longer works, please use config.queue.max_retry_time instead", "old_default": 10, - "message": "datadog: config.retry_count no longer works, please use config.queue.max_retry_time instead" + "removal_in_version": "4.0" } } }, @@ -104,9 +107,9 @@ "description": "Maximum number of log entries to be sent on each message to the upstream server.", "type": "integer", "deprecation": { - "removal_in_version": "4.0", + "message": "datadog: config.queue_size is deprecated, please use config.queue.max_batch_size instead", "old_default": 1, - "message": "datadog: config.queue_size is deprecated, please use config.queue.max_batch_size instead" + "removal_in_version": "4.0" } } }, 
@@ -115,9 +118,9 @@ "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", "type": "number", "deprecation": { - "removal_in_version": "4.0", + "message": "datadog: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", "old_default": 2, - "message": "datadog: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead" + "removal_in_version": "4.0" } } }, 
@@ -127,77 +130,77 @@ "fields": [ { "max_batch_size": { - "default": 1, - "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 ], - "type": "integer" + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 ], - "type": "number" + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 ], - "type": "integer" + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue." } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "type": "number", - "default": 60 + "default": 60, + "type": "number" } }, { "initial_retry_delay": { - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 ], - "type": "number" + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch." 
} }, { "max_retry_delay": { - "default": 60, "description": "Maximum time in seconds between retries, caps exponential backoff.", + "default": 60, + "type": "number", "between": [ 0.001, 1000000 - ], - "type": "number" + ] } }, { "concurrency_limit": { - "type": "integer", "description": "The number of of queue delivery timers. -1 indicates unlimited.", "default": 1, + "type": "integer", "one_of": [ -1, 1 @@ -210,15 +213,81 @@ }, { "metrics": { - "description": "List of metrics to be logged.", "type": "array", - "required": true, + "description": "List of metrics to be logged.", + "default": [ + { + "name": "request_count", + "consumer_identifier": "custom_id", + "sample_rate": 1, + "stat_type": "counter", + "tags": [ + "app:kong" + ] + }, + { + "stat_type": "timer", + "name": "latency", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + }, + { + "stat_type": "timer", + "name": "request_size", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + }, + { + "stat_type": "timer", + "name": "response_size", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + }, + { + "stat_type": "timer", + "name": "upstream_latency", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + }, + { + "stat_type": "timer", + "name": "kong_latency", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + } + ], "elements": { + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + } + } + } + ], "type": "record", "fields": [ { "name": { - "required": true, "description": "Datadog metric’s name", "type": "string", "one_of": [ @@ -228,12 +297,12 @@ "request_size", "response_size", "upstream_latency" - ] + ], + "required": true } }, { "stat_type": { - "required": true, "description": "Determines what sort of event the metric represents", "type": "string", "one_of": [ 
@@ -244,7 +313,8 @@ "set", "timer", "distribution" - ] + ], + "required": true } }, { @@ -252,8 +322,8 @@ "description": "List of tags", "type": "array", "elements": { - "type": "string", - "match": "^.*[^:]$" + "match": "^.*[^:]$", + "type": "string" } } }, @@ -278,84 +348,14 @@ ] } } - ], - "entity_checks": [ - { - "conditional": { - "if_match": { - "one_of": [ - "counter", - "gauge" - ] - }, - "then_field": "sample_rate", - "if_field": "stat_type", - "then_match": { - "required": true - } - } - } ] }, - "default": [ - { - "stat_type": "counter", - "name": "request_count", - "tags": [ - "app:kong" - ], - "consumer_identifier": "custom_id", - "sample_rate": 1 - }, - { - "tags": [ - "app:kong" - ], - "consumer_identifier": "custom_id", - "name": "latency", - "stat_type": "timer" - }, - { - "tags": [ - "app:kong" - ], - "consumer_identifier": "custom_id", - "name": "request_size", - "stat_type": "timer" - }, - { - "tags": [ - "app:kong" - ], - "consumer_identifier": "custom_id", - "name": "response_size", - "stat_type": "timer" - }, - { - "tags": [ - "app:kong" - ], - "consumer_identifier": "custom_id", - "name": "upstream_latency", - "stat_type": "timer" - }, - { - "tags": [ - "app:kong" - ], - "consumer_identifier": "custom_id", - "name": "kong_latency", - "stat_type": "timer" - } - ] + "required": true } } ], "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/degraphql/3.10.x.json b/schemas/degraphql/3.10.x.json index 71c5f7ee..156c4fb5 100644 --- a/schemas/degraphql/3.10.x.json +++ b/schemas/degraphql/3.10.x.json 
@@ -1,18 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -22,20 +22,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -44,25 +47,22 @@ "fields": [ { "graphql_server_path": { + "type": "string", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "type": "string", - "required": true, "default": "/graphql", - "starts_with": "/" + "starts_with": "/", + "required": true } } ], "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/exit-transformer/3.10.x.json b/schemas/exit-transformer/3.10.x.json index 4549e603..56603b78 100644 --- a/schemas/exit-transformer/3.10.x.json +++ b/schemas/exit-transformer/3.10.x.json @@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ 
@@ -14,20 +14,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -61,8 +64,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/file-log/3.10.x.json b/schemas/file-log/3.10.x.json index c0cf92cb..1d7cb32b 100644 --- a/schemas/file-log/3.10.x.json +++ b/schemas/file-log/3.10.x.json @@ -1,13 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", - "type": "set", - "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -19,22 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string" }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { 
@@ -43,29 +46,29 @@ "fields": [ { "path": { - "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", "type": "string", "match": "^[^%s*&%%\\`][^*&%%\\`]*[^%s*&%%\\`]$", - "required": true, - "err": "not a valid filename" + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", + "err": "not a valid filename", + "required": true } }, { "reopen": { - "type": "boolean", "description": "Determines whether the log file is closed and reopened on every request.", "default": false, + "type": "boolean", "required": true } }, { "custom_fields_by_lua": { - "values": { - "type": "string", - "len_min": 1 - }, "description": "Lua code as a key-value map", "type": "map", + "values": { + "len_min": 1, + "type": "string" + }, "keys": { "type": "string", "len_min": 1 @@ -76,8 +79,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/forward-proxy/3.10.x.json b/schemas/forward-proxy/3.10.x.json index 3b2360e2..ed10c8af 100644 --- a/schemas/forward-proxy/3.10.x.json +++ b/schemas/forward-proxy/3.10.x.json @@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ 
@@ -14,158 +14,158 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { "config": { + "entity_checks": [ + { + "at_least_one_of": [ + "http_proxy_host", + "https_proxy_host" + ] + }, + { + "at_least_one_of": [ + "http_proxy_port", + "https_proxy_port" + ] + }, + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], "type": "record", - "required": true, "fields": [ { "x_headers": { - "description": "Determines how to handle headers when forwarding the request.", "type": "string", - "required": true, - "default": "append", + "description": "Determines how to handle headers when forwarding the request.", "one_of": [ "append", "transparent", "delete" - ] + ], + "default": "append", + "required": true } }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "http_proxy_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." 
+ "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "https_proxy_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "proxy_scheme": { - "description": "The proxy scheme to use when connecting. Only `http` is supported.", "type": "string", - "required": true, - "default": "http", + "description": "The proxy scheme to use when connecting. Only `http` is supported.", "one_of": [ "http" - ] + ], + "default": "http", + "required": true } }, { "auth_username": { - "referenceable": true, "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", "type": "string", + "referenceable": true, "required": false } }, { "auth_password": { - "referenceable": true, "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", "type": "string", + "referenceable": true, "required": false } }, { "https_verify": { - "default": false, "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "default": false, "type": "boolean", "required": true } } ], - "entity_checks": [ - { - "at_least_one_of": [ - "http_proxy_host", - "https_proxy_host" - ] - }, - { - "at_least_one_of": [ - "http_proxy_port", - "https_proxy_port" - ] - }, - { - "mutually_required": [ - "http_proxy_host", - "http_proxy_port" - ] - }, - { - "mutually_required": [ - "https_proxy_host", - "https_proxy_port" - ] - } - ], "shorthand_fields": [ { "proxy_host": { - "type": "string", "deprecation": { - "removal_in_version": "4.0", - "message": "forward-proxy: config.proxy_host is deprecated, please use config.http_proxy_host instead" - } + "message": "forward-proxy: 
config.proxy_host is deprecated, please use config.http_proxy_host instead", + "removal_in_version": "4.0" + }, + "type": "string" } }, { "proxy_port": { - "type": "integer", "deprecation": { - "removal_in_version": "4.0", - "message": "forward-proxy: config.proxy_port is deprecated, please use config.http_proxy_port instead" - } + "message": "forward-proxy: config.proxy_port is deprecated, please use config.http_proxy_port instead", + "removal_in_version": "4.0" + }, + "type": "integer" } } - ] + ], + "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/graphql-proxy-cache-advanced/3.10.x.json b/schemas/graphql-proxy-cache-advanced/3.10.x.json index de121eda..6d4ab6e4 100644 --- a/schemas/graphql-proxy-cache-advanced/3.10.x.json +++ b/schemas/graphql-proxy-cache-advanced/3.10.x.json @@ -1,4 +1,7 @@ { + "entity_checks": [ + + ], "supported_partials": { "redis-ee": [ "config.redis" @@ -7,9 +10,6 @@ "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -19,20 +19,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { 
@@ -41,21 +44,21 @@ "fields": [ { "strategy": { - "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", "type": "string", - "required": true, - "default": "memory", + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", "one_of": [ "memory", "redis" - ] + ], + "default": "memory", + "required": true } }, { "cache_ttl": { "gt": 0, - "description": "TTL in seconds of cache entities. Must be a value greater than 0.", "type": "integer", + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", "default": 300 } }, @@ -65,9 +68,9 @@ "fields": [ { "dictionary_name": { - "default": "kong_db_cache", "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", "type": "string", + "default": "kong_db_cache", "required": true } } @@ -77,8 +80,68 @@ }, { "redis": { + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], "type": "record", - "required": true, "fields": [ { "host": { 
@@ -89,46 +152,46 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -170,13 +233,13 @@ }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer", "between": [ 1, 2147483646 - ], - "type": "integer" + ] } }, { 
@@ -191,8 +254,8 @@ }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { 
@@ -208,81 +271,81 @@ }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "elements": { "type": "record", "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] }, - "len_min": 1 + "required": false } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "elements": { "type": "record", "fields": [ { "ip": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] }, - "len_min": 1 + "required": false } }, { "ssl": { - "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", "default": false, + "type": "boolean", "required": false } }, { "ssl_verify": { - "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "type": "boolean", "required": false } }, 
@@ -295,89 +358,26 @@ }, { "cluster_max_redirections": { - "type": "integer", "description": "Maximum retry attempts for redirection.", "default": 5, + "type": "integer", "required": false } }, { "connection_is_proxied": { - "type": "boolean", "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "default": false, + "type": "boolean", "required": false } } ], - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], "shorthand_fields": [ { "timeout": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", "replaced_with": [ { "path": [ 
@@ -394,51 +394,54 @@ "read_timeout" ] } - ] - } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + }, + "type": "integer" } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] - } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] - } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 } } - ] + ], + "required": true } }, { @@ -461,8 +464,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/graphql-rate-limiting-advanced/3.10.x.json b/schemas/graphql-rate-limiting-advanced/3.10.x.json index 5fecbd31..a14be4b8 100644 --- a/schemas/graphql-rate-limiting-advanced/3.10.x.json +++ b/schemas/graphql-rate-limiting-advanced/3.10.x.json @@ -1,4 +1,13 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "supported_partials": { "redis-ee": [ "config.redis" @@ -7,9 +16,6 @@ "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ 
@@ -19,20 +25,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -41,45 +50,45 @@ "fields": [ { "identifier": { - "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", "type": "string", - "required": true, - "default": "consumer", + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", "one_of": [ "ip", "credential", "consumer" - ] + ], + "default": "consumer", + "required": true } }, { "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds).", + "type": "array", "elements": { "type": "number" }, - "description": "One or more window sizes to apply a limit to (defined in seconds).", - "type": "array", "required": true } }, { "window_type": { - "type": "string", "description": "Sets the time window to either `sliding` or `fixed`.", - "default": "sliding", + "type": "string", "one_of": [ "fixed", "sliding" - ] + ], + "default": "sliding" } }, { "limit": { + "description": "One or more requests-per-window limits to apply.", + "type": "array", "elements": { "type": "number" }, - "description": "One or more requests-per-window limits to apply.", - "type": "array", "required": true } }, 
@@ -99,21 +108,21 @@ }, { "strategy": { - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", "type": "string", - "required": true, - "default": "cluster", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", "one_of": [ "cluster", "redis" - ] + ], + "default": "cluster", + "required": true } }, { "dictionary_name": { - "type": "string", "description": "The shared dictionary where counters will be stored until the next sync cycle.", "default": "kong_rate_limiting_counters", + "type": "string", "required": true } }, 
@@ -126,36 +135,96 @@ }, { "cost_strategy": { - "type": "string", "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", - "default": "default", + "type": "string", "one_of": [ "default", "node_quantifier" - ] + ], + "default": "default" } }, { "score_factor": { - "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", - "type": "number", - "required": false, "gt": 0, - "default": 1 + "type": "number", + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", + "default": 1, + "required": false } }, { "max_cost": { - "type": "number", "description": "A defined maximum cost per query. 0 means unlimited.", "default": 0, + "type": "number", "required": false } }, { "redis": { + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], "type": "record", - "required": true, "fields": [ { "host": { 
@@ -166,46 +235,46 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -247,13 +316,13 @@ }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer", "between": [ 1, 2147483646 - ], - "type": "integer" + ] } }, { 
@@ -268,8 +337,8 @@ }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { 
@@ -285,81 +354,81 @@ }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "elements": { "type": "record", "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] }, - "len_min": 1 + "required": false } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "elements": { "type": "record", "fields": [ { "ip": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] }, - "len_min": 1 + "required": false } }, { "ssl": { - "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", "default": false, + "type": "boolean", "required": false } }, { "ssl_verify": { - "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "type": "boolean", "required": false } }, 
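Review bot: The `ssl_verify` description does not say what its default means. With `ssl` set to true and `ssl_verify` left at `false`, the Redis connection is encrypted but the server certificate is not validated, so the peer is not authenticated. I would append a sentence to the description such as `When false (the default), the Redis server certificate is not validated.` Separately, the `ip` field under `cluster_nodes` carries the host-name text (`A string representing a host name, such as example.com.`), which does not match the field name. Both strings are pulled from the API, so the wording would be corrected in the plugin's schema source and re-downloaded.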
@@ -372,89 +441,26 @@ }, { "cluster_max_redirections": { - "type": "integer", "description": "Maximum retry attempts for redirection.", "default": 5, + "type": "integer", "required": false } }, { "connection_is_proxied": { - "type": "boolean", "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "default": false, + "type": "boolean", "required": false } } ], - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], "shorthand_fields": [ { "timeout": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", "replaced_with": [ { "path": [ 
@@ -471,65 +477,59 @@ "read_timeout" ] } - ] - } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + }, + "type": "integer" } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] - } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] - } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 } } - ] + ], + "required": true } } ], "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/grpc-gateway/3.10.x.json b/schemas/grpc-gateway/3.10.x.json index 0e0f32ca..ac6f957e 100644 --- a/schemas/grpc-gateway/3.10.x.json +++ b/schemas/grpc-gateway/3.10.x.json @@ -1,13 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", - "type": "set", - "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -19,22 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string" }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -52,8 +55,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/grpc-web/3.10.x.json b/schemas/grpc-web/3.10.x.json index aba58960..0b80221d 100644 --- a/schemas/grpc-web/3.10.x.json +++ b/schemas/grpc-web/3.10.x.json @@ -1,13 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", - "type": "set", - "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -19,22 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string" }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -57,9 +60,9 @@ }, { "allow_origin_header": { - "type": "string", "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", "default": "*", + "type": "string", "required": false } } @@ -67,8 +70,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/header-cert-auth/3.10.x.json b/schemas/header-cert-auth/3.10.x.json index 64a4ce4b..bb7ec605 100644 
--- a/schemas/header-cert-auth/3.10.x.json +++ b/schemas/header-cert-auth/3.10.x.json @@ -1,18 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -22,20 +22,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { 
@@ -65,34 +68,37 @@ }, { "certificate_header_format": { - "required": true, "description": "Format of the certificate header. Supported formats: `base64_encoded`, `url_encoded`.", "type": "string", "one_of": [ "base64_encoded", "url_encoded" - ] + ], + "required": true } }, { "secure_source": { - "default": true, "description": "Whether to secure the source of the request. If set to `true`, the plugin will only allow requests from trusted IPs (configured by the `trusted_ips` config option).", + "default": true, "type": "boolean", "required": true } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "consumer_by": { - "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", "type": "array", - "required": false, + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "default": [ + "username", + "custom_id" + ], "elements": { "type": "string", "one_of": [ 
@@ -100,70 +106,67 @@ "custom_id" ] }, - "default": [ - "username", - "custom_id" - ] + "required": false } }, { "ca_certificates": { - "elements": { - "type": "string", - "uuid": true - }, "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", "type": "array", + "elements": { + "uuid": true, + "type": "string" + }, "required": true } }, { "cache_ttl": { - "default": 60, "description": "Cache expiry time in seconds.", + "default": 60, "type": "number", "required": true } }, { "skip_consumer_lookup": { - "default": false, "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "default": false, "type": "boolean", "required": true } }, { "allow_partial_chain": { - "default": false, "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "default": false, "type": "boolean", "required": true } }, { "authenticated_group_by": { - "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "type": "string", - "required": false, - "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. 
To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "one_of": [ "CN", "DN" - ] + ], + "default": "CN", + "required": false } }, { "revocation_check_mode": { - "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "type": "string", - "required": false, - "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "one_of": [ "SKIP", "IGNORE_CA_ERROR", "STRICT" - ] + ], + "default": "IGNORE_CA_ERROR", + "required": false } }, { 
@@ -182,48 +185,45 @@ }, { "default_consumer": { - "type": "string", - "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "http_proxy_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "https_proxy_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/hmac-auth/3.10.x.json b/schemas/hmac-auth/3.10.x.json index 241d07ac..1120bc8f 100644 --- a/schemas/hmac-auth/3.10.x.json +++ b/schemas/hmac-auth/3.10.x.json 
@@ -1,16 +1,24 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.algorithms" + ] + } + } + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { - "type": "set", "elements": { "type": "string", "one_of": [ @@ -22,6 +30,7 @@ "wss" ] }, + "type": "set", "default": [ "grpc", "grpcs", @@ -35,10 +44,10 @@ }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { 
@@ -47,54 +56,48 @@ "fields": [ { "hide_credentials": { - "type": "boolean", "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", "default": false, + "type": "boolean", "required": true } }, { "clock_skew": { - "gt": 0, "description": "Clock skew in seconds to prevent replay attacks.", "default": 300, - "type": "number" + "type": "number", + "gt": 0 } }, { "anonymous": { - "type": "string", - "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" } }, { "validate_request_body": { - "type": "boolean", "description": "A boolean value telling the plugin to enable body validation.", "default": false, + "type": "boolean", "required": true } }, { "enforce_headers": { - "default": [ - - ], "description": "A list of headers that the client should at least use for HTTP signature creation.", "type": "array", "elements": { "type": "string" - } + }, + "default": [ + + ] } }, { "algorithms": { - "default": [ - "hmac-sha1", - "hmac-sha256", - "hmac-sha384", - "hmac-sha512" - ], "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", "type": "array", "elements": { @@ -105,7 +108,13 @@ "hmac-sha384", "hmac-sha512" ] - } + }, + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ] } }, { @@ -119,14 +128,5 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.algorithms" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/http-log/3.10.x.json b/schemas/http-log/3.10.x.json index 8708abb5..6b003a47 100644 --- a/schemas/http-log/3.10.x.json +++ b/schemas/http-log/3.10.x.json 
@@ -1,13 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", - "type": "set", - "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -19,22 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string" }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -43,17 +46,17 @@ "fields": [ { "http_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", - "required": true, + "referenceable": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "encrypted": true, - "referenceable": true + "required": true } }, { "method": { - "type": "string", "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", + "type": "string", "default": "POST", "one_of": [ "POST", @@ -64,8 +67,8 @@ }, { "content_type": { - "type": "string", "description": "Indicates the type of data sent. The only available option is `application/json`.", + "type": "string", "default": "application/json", "one_of": [ "application/json", 
@@ -76,15 +79,15 @@ { "timeout": { "description": "An optional timeout in milliseconds when sending data to the upstream server.", - "type": "number", - "default": 10000 + "default": 10000, + "type": "number" } }, { "keepalive": { "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", - "type": "number", - "default": 60000 + "default": 60000, + "type": "number" } }, { @@ -92,9 +95,9 @@ "description": "Number of times to retry when sending data to the upstream server.", "type": "integer", "deprecation": { - "removal_in_version": "4.0", + "message": "http-log: config.retry_count no longer works, please use config.queue.max_retry_time instead", "old_default": 10, - "message": "http-log: config.retry_count no longer works, please use config.queue.max_retry_time instead" + "removal_in_version": "4.0" } } }, @@ -103,9 +106,9 @@ "description": "Maximum number of log entries to be sent on each message to the upstream server.", "type": "integer", "deprecation": { - "removal_in_version": "4.0", + "message": "http-log: config.queue_size is deprecated, please use config.queue.max_batch_size instead", "old_default": 1, - "message": "http-log: config.queue_size is deprecated, please use config.queue.max_batch_size instead" + "removal_in_version": "4.0" } } }, 
@@ -114,37 +117,37 @@ "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", "type": "number", "deprecation": { - "removal_in_version": "4.0", + "message": "http-log: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", "old_default": 2, - "message": "http-log: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead" + "removal_in_version": "4.0" } } }, { "headers": { - "values": { - "type": "string", - "referenceable": true - }, "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", "type": "map", + "values": { + "referenceable": true, + "type": "string" + }, "keys": { + "description": "A string representing an HTTP header name.", + "type": "string", "match_none": [ { - "pattern": "^[Hh][Oo][Ss][Tt]$", - "err": "cannot contain 'Host' header" + "err": "cannot contain 'Host' header", + "pattern": "^[Hh][Oo][Ss][Tt]$" }, { - "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$", - "err": "cannot contain 'Content-Length' header" + "err": "cannot contain 'Content-Length' header", + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$" }, { - "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$", - "err": "cannot contain 'Content-Type' header" + "err": "cannot contain 'Content-Type' header", + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$" } - ], - "description": "A string representing an HTTP header name.", - "type": "string" + ] } } }, 
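Review bot: The `match_none` pattern meant to reject a `Content-Length` key in `headers` contains `[nn]` where every neighbouring class pairs upper and lower case, so a key written with an uppercase N in "Length" is not rejected. The `Host` and `Content-Type` patterns do cover every casing, and HTTP header names are case-insensitive, so this looks like a typo rather than intent. The line should read `"pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][Nn][Gg][Tt][Hh]$"`. This commit only swaps the order of `err` and `pattern`, and the file is pulled from the API, so the correction belongs in the plugin's schema source.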
@@ -154,77 +157,77 @@ "fields": [ { "max_batch_size": { - "default": 1, - "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 ], - "type": "integer" + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 ], - "type": "number" + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 ], - "type": "integer" + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue." } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "type": "number", - "default": 60 + "default": 60, + "type": "number" } }, { "initial_retry_delay": { - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 ], - "type": "number" + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch." 
} }, { "max_retry_delay": { - "default": 60, "description": "Maximum time in seconds between retries, caps exponential backoff.", + "default": 60, + "type": "number", "between": [ 0.001, 1000000 - ], - "type": "number" + ] } }, { "concurrency_limit": { - "type": "integer", "description": "The number of of queue delivery timers. -1 indicates unlimited.", "default": 1, + "type": "integer", "one_of": [ -1, 1 @@ -237,12 +240,12 @@ }, { "custom_fields_by_lua": { - "values": { - "type": "string", - "len_min": 1 - }, "description": "Lua code as a key-value map", "type": "map", + "values": { + "len_min": 1, + "type": "string" + }, "keys": { "type": "string", "len_min": 1 @@ -253,8 +256,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/injection-protection/3.10.x.json b/schemas/injection-protection/3.10.x.json index cc56d5ea..b8adc0d7 100644 --- a/schemas/injection-protection/3.10.x.json +++ b/schemas/injection-protection/3.10.x.json @@ -1,18 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -22,20 +22,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { 
@@ -52,9 +55,11 @@ "fields": [ { "injection_types": { - "description": "The type of injections to check for.", "type": "set", - "required": true, + "description": "The type of injections to check for.", + "default": [ + "sql" + ], "elements": { "type": "string", "one_of": [ @@ -66,16 +71,16 @@ "java_exception" ] }, - "default": [ - "sql" - ] + "required": true } }, { "locations": { - "description": "The locations to check for injection.", "type": "set", - "required": true, + "description": "The locations to check for injection.", + "default": [ + "path_and_query" + ], "elements": { "type": "string", "one_of": [ @@ -84,13 +89,13 @@ "body" ] }, - "default": [ - "path_and_query" - ] + "required": true } }, { "custom_injections": { + "description": "Custom regexes to check for.", + "type": "array", "elements": { "type": "record", "fields": [ @@ -103,48 +108,46 @@ }, { "regex": { - "required": true, "description": "The regex to match against.", + "is_regex": true, "type": "string", - "is_regex": true + "required": true } } ] }, - "description": "Custom regexes to check for.", - "default": null, - "type": "array" + "default": null } }, { "enforcement_mode": { - "description": "Enforcement mode of the security policy.", "type": "string", - "required": true, - "default": "block", + "description": "Enforcement mode of the security policy.", "one_of": [ "block", "log_only" - ] + ], + "default": "block", + "required": true } }, { "error_status_code": { - "description": "The response status code when validation fails.", "type": "integer", - "required": true, + "description": "The response status code when validation fails.", "default": 400, "between": [ 400, 499 - ] + ], + "required": true } }, { "error_message": { - "type": "string", "description": "The response message when validation fails", "default": "Bad Request", + "type": "string", "required": true } } @@ -152,8 +155,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
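Review bot: The descriptions of `injection_types` and `locations` do not mention their defaults, `["sql"]` and `["path_and_query"]`. As the schema reads, a plugin enabled without further configuration checks only the path and query string against the SQL patterns and leaves the request body uninspected. I would extend the `locations` text to something like `The locations to check for injection. Defaults to path_and_query only; add body to inspect request bodies.` and note the SQL-only default on `injection_types` in the same way. These strings come from the upstream schema, so the change would be made there.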
diff --git a/schemas/ip-restriction/3.10.x.json b/schemas/ip-restriction/3.10.x.json index 4e05165b..7a0757c2 100644 --- a/schemas/ip-restriction/3.10.x.json +++ b/schemas/ip-restriction/3.10.x.json @@ -1,13 +1,17 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", - "type": "set", - "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -19,8 +23,10 @@ "udp", "ws", "wss" - ] + ], + "type": "string" }, + "description": "A set of strings representing protocols.", "default": [ "http", "https", @@ -28,7 +34,9 @@ "tls", "grpc", "grpcs" - ] + ], + "type": "set", + "required": true } }, { @@ -40,8 +48,8 @@ "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", "type": "array", "elements": { - "type": "string", - "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "type": "string" } } }, @@ -50,8 +58,8 @@ "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", "type": "array", "elements": { - "type": "string", - "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "type": "string" } } }, @@ -73,13 +81,5 @@ "required": true } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.allow", - "config.deny" - ] - } ] } \ No newline at end of file diff --git a/schemas/jq/3.10.x.json b/schemas/jq/3.10.x.json index d489732a..f5d53baa 100644 --- a/schemas/jq/3.10.x.json 
+++ b/schemas/jq/3.10.x.json @@ -1,18 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -22,12 +22,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { 
@@ -44,145 +47,145 @@ "fields": [ { "request_jq_program": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "request_jq_program_options": { + "required": false, + "type": "record", "default": [ ], - "type": "record", "fields": [ { "compact_output": { - "default": true, "type": "boolean", + "default": true, "required": true } }, { "raw_output": { - "default": false, "type": "boolean", + "default": false, "required": true } }, { "join_output": { - "default": false, "type": "boolean", + "default": false, "required": true } }, { "ascii_output": { - "default": false, "type": "boolean", + "default": false, "required": true } }, { "sort_keys": { - "default": false, "type": "boolean", + "default": false, "required": true } } - ], - "required": false + ] } }, { "request_if_media_type": { + "default": [ + "application/json" + ], "type": "array", "elements": { "type": "string" }, - "default": [ - "application/json" - ], "required": false } }, { "response_jq_program": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "response_jq_program_options": { + "required": false, + "type": "record", "default": [ ], - "type": "record", "fields": [ { "compact_output": { - "default": true, "type": "boolean", + "default": true, "required": true } }, { "raw_output": { - "default": false, "type": "boolean", + "default": false, "required": true } }, { "join_output": { - "default": false, "type": "boolean", + "default": false, "required": true } }, { "ascii_output": { - "default": false, "type": "boolean", + "default": false, "required": true } }, { "sort_keys": { - "default": false, "type": "boolean", + "default": false, "required": true } } - ], - "required": false + ] } }, { "response_if_media_type": { + "default": [ + "application/json" + ], "type": "array", "elements": { "type": "string" }, - "default": [ - "application/json" - ], "required": false } }, { "response_if_status_code": { + "default": [ + 200 + ], 
"type": "array", "elements": { - "type": "integer", "between": [ 100, 599 - ] + ], + "type": "integer" }, - "default": [ - 200 - ], "required": false } } @@ -190,8 +193,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/json-threat-protection/3.10.x.json b/schemas/json-threat-protection/3.10.x.json index 9d2d886b..c88dbf3d 100644 --- a/schemas/json-threat-protection/3.10.x.json +++ b/schemas/json-threat-protection/3.10.x.json @@ -1,18 +1,25 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.max_body_size", + "config.max_container_depth" + ] + } + } + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -22,20 +29,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { 
@@ -44,113 +54,113 @@ "fields": [ { "max_body_size": { - "description": "Max size of the request body. -1 means unlimited.", "type": "integer", - "required": false, + "description": "Max size of the request body. -1 means unlimited.", "default": 8192, "between": [ -1, 2147483648 - ] + ], + "required": false } }, { "max_container_depth": { - "description": "Max nested depth of objects and arrays. -1 means unlimited.", "type": "integer", - "required": false, + "description": "Max nested depth of objects and arrays. -1 means unlimited.", "default": -1, "between": [ -1, 2147483648 - ] + ], + "required": false } }, { "max_object_entry_count": { - "description": "Max number of entries in an object. -1 means unlimited.", "type": "integer", - "required": false, + "description": "Max number of entries in an object. -1 means unlimited.", "default": -1, "between": [ -1, 2147483648 - ] + ], + "required": false } }, { "max_object_entry_name_length": { - "description": "Max string length of object name. -1 means unlimited.", "type": "integer", - "required": false, + "description": "Max string length of object name. -1 means unlimited.", "default": -1, "between": [ -1, 2147483648 - ] + ], + "required": false } }, { "max_array_element_count": { - "description": "Max number of elements in an array. -1 means unlimited.", "type": "integer", - "required": false, + "description": "Max number of elements in an array. -1 means unlimited.", "default": -1, "between": [ -1, 2147483648 - ] + ], + "required": false } }, { "max_string_value_length": { - "description": "Max string value length. -1 means unlimited.", "type": "integer", - "required": false, + "description": "Max string value length. 
-1 means unlimited.", "default": -1, "between": [ -1, 2147483648 - ] + ], + "required": false } }, { "allow_duplicate_object_entry_name": { - "type": "boolean", "description": "Allow or disallow duplicate object entry name.", "default": true, + "type": "boolean", "required": false } }, { "enforcement_mode": { - "description": "Enforcement mode of the security policy.", "type": "string", - "required": false, - "default": "block", + "description": "Enforcement mode of the security policy.", "one_of": [ "block", "log_only" - ] + ], + "default": "block", + "required": false } }, { "error_status_code": { - "description": "The response status code when validation fails.", "type": "integer", - "required": false, + "description": "The response status code when validation fails.", "default": 400, "between": [ 400, 499 - ] + ], + "required": false } }, { "error_message": { - "type": "string", "description": "The response message when validation fails", "default": "Bad Request", + "type": "string", "required": false } } @@ -158,15 +168,5 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.max_body_size", - "config.max_container_depth" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/jwe-decrypt/3.10.x.json b/schemas/jwe-decrypt/3.10.x.json index 2ecc7791..cf442932 100644 --- a/schemas/jwe-decrypt/3.10.x.json +++ b/schemas/jwe-decrypt/3.10.x.json @@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ 
@@ -14,28 +14,31 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { @@ -44,27 +47,27 @@ "fields": [ { "lookup_header_name": { - "default": "Authorization", "description": "The name of the header to look for the JWE token.", + "default": "Authorization", "type": "string", "required": true } }, { "forward_header_name": { - "default": "Authorization", "description": "The name of the header that is used to set the decrypted value.", + "default": "Authorization", "type": "string", "required": true } }, { "key_sets": { + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", + "type": "array", "elements": { "type": "string" }, - "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", - "type": "array", "required": true } }, @@ -79,8 +82,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/jwt-signer/3.10.x.json b/schemas/jwt-signer/3.10.x.json index 20462ed5..1f595ac9 100644 --- a/schemas/jwt-signer/3.10.x.json +++ b/schemas/jwt-signer/3.10.x.json 
@@ -1,18 +1,27 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.access_token_upstream_header", + "config.channel_token_upstream_header", + "config.original_access_token_upstream_header", + "config.original_channel_token_upstream_header" + ] + } + } + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -22,24 +31,53 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { "config": { + "entity_checks": [ + { + "mutually_required": [ + "access_token_jwks_uri_client_username", + "access_token_jwks_uri_client_password" + ] + }, + { + "mutually_required": [ + "access_token_keyset_client_username", + "access_token_keyset_client_password" + ] + }, + { + "mutually_required": [ + "channel_token_jwks_uri_client_username", + "channel_token_jwks_uri_client_password" + ] + }, + { + "mutually_required": [ + "channel_token_keyset_client_username", + "channel_token_keyset_client_password" + ] + } + ], "type": "record", "required": true, "fields": [ 
@@ -52,65 +90,65 @@ }, { "enable_hs_signatures": { - "type": "boolean", "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting.", + "type": "boolean", "default": false, "required": false } }, { "enable_instrumentation": { - "type": "boolean", "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", + "type": "boolean", "default": false, "required": false } }, { "access_token_issuer": { - "type": "string", "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", + "type": "string", "default": "kong", "required": false } }, { "access_token_keyset": { - "type": "string", "description": "The name of the keyset containing signing keys.", + "type": "string", "default": "kong", "required": false } }, { "access_token_keyset_client_username": { - "required": false, "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`", "type": "string", - "referenceable": true + "referenceable": true, + "required": false } }, { "access_token_keyset_client_password": { - "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`", "type": "string", - "required": false, + "referenceable": true, + "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `access_token_keyset_client_username`", "encrypted": true, - "referenceable": true + "required": false } }, { "access_token_keyset_client_certificate": { - "type": "foreign", "description": "The client certificate that will be used to authenticate Kong if `access_token_keyset` is an https uri that requires mTLS Auth.", + "type": "foreign", "reference": "certificates", "required": false } }, { "access_token_keyset_rotate_period": { - "type": "number", "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. The default value 0 means no auto-rotation.", + "type": "number", "default": 0, "required": false } 
@@ -124,91 +162,94 @@ }, { "access_token_jwks_uri_client_username": { - "required": false, "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`", "type": "string", - "referenceable": true + "referenceable": true, + "required": false } }, { "access_token_jwks_uri_client_password": { - "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`", "type": "string", - "required": false, + "referenceable": true, + "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`", "encrypted": true, - "referenceable": true + "required": false } }, { "access_token_jwks_uri_client_certificate": { - "type": "foreign", "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", + "type": "foreign", "reference": "certificates", "required": false } }, { "access_token_jwks_uri_rotate_period": { - "type": "number", "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. The default value 0 means no auto-rotation.", + "type": "number", "default": 0, "required": false } }, { "access_token_request_header": { - "type": "string", "description": "This parameter tells the name of the header where to look for the access token.", + "type": "string", "default": "Authorization", "required": false } }, { "access_token_leeway": { - "type": "number", "description": "Adjusts clock skew between the token issuer and Kong. 
The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", + "type": "number", "default": 0, "required": false } }, { "access_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", + "type": "array", "elements": { "type": "string" }, - "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", - "type": "array", "required": false } }, { "access_token_scopes_claim": { - "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", "type": "array", - "required": false, + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", + "default": [ + "scope" + ], "elements": { "type": "string" }, - "default": [ - "scope" - ] + "required": false } }, { "access_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", + "type": "array", "elements": { "type": "string" }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", - "type": "array", "required": false } }, { "access_token_consumer_by": { - "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. 
Valid values are `id`, `username`, and `custom_id`.", "type": "array", - "required": false, + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", + "default": [ + "username", + "custom_id" + ], "elements": { "type": "string", "one_of": [ @@ -217,24 +258,21 @@ "custom_id" ] }, - "default": [ - "username", - "custom_id" - ] + "required": false } }, { "access_token_upstream_header": { - "type": "string", "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", + "type": "string", "default": "Authorization:Bearer", "required": false } }, { "access_token_upstream_leeway": { - "type": "number", "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", + "type": "number", "default": 0, "required": false } 
@@ -262,60 +300,63 @@ }, { "access_token_introspection_hint": { - "type": "string", "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", + "type": "string", "default": "access_token", "required": false } }, { "access_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", + "type": "array", "elements": { "type": "string" }, - "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", - "type": "array", "required": false } }, { "access_token_introspection_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", + "type": "array", "elements": { "type": "string" }, - "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", - "type": "array", "required": false } }, { "access_token_introspection_scopes_claim": { - "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). 
If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", "type": "array", - "required": true, + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", + "default": [ + "scope" + ], "elements": { "type": "string" }, - "default": [ - "scope" - ] + "required": true } }, { "access_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", + "type": "array", "elements": { "type": "string" }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", - "type": "array", "required": false } }, { "access_token_introspection_consumer_by": { - "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. 
The parameter can take an array of values.", "type": "array", - "required": false, + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.", + "default": [ + "username", + "custom_id" + ], "elements": { "type": "string", "one_of": [ @@ -324,16 +365,13 @@ "custom_id" ] }, - "default": [ - "username", - "custom_id" - ] + "required": false } }, { "access_token_introspection_leeway": { - "type": "number", "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", + "type": "number", "default": 0, "required": false } @@ -347,10 +385,8 @@ }, { "access_token_signing_algorithm": { - "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", "type": "string", - "required": true, - "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", "one_of": [ "HS256", "HS384", 
@@ -364,52 +400,54 @@ "PS384", "PS512", "EdDSA" - ] + ], + "default": "RS256", + "required": true } }, { "add_access_token_claims": { - "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "type": "map", - "required": false, + "keys": { + "type": "string" + }, + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "values": { "type": "string" }, "default": [ ], - "keys": { - "type": "string" - } + "required": false } }, { "set_access_token_claims": { - "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "type": "map", - "required": false, + "keys": { + "type": "string" + }, + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "values": { "type": "string" }, "default": [ ], - "keys": { - "type": "string" - } + "required": false } }, { "remove_access_token_claims": { - "description": "remove claims. It should be an array, and each element is a claim key string.", "type": "array", - "required": false, + "description": "remove claims. It should be an array, and each element is a claim key string.", + "default": [ + + ], "elements": { "type": "string" }, - "default": [ - - ] + "required": false } }, { 
@@ -421,121 +459,121 @@ }, { "access_token_optional": { - "type": "boolean", "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect", + "type": "boolean", "default": false, "required": false } }, { "verify_access_token_signature": { - "type": "boolean", "description": "Quickly turn access token signature verification off and on as needed.", + "type": "boolean", "default": true, "required": false } }, { "verify_access_token_expiry": { - "type": "boolean", "description": "Quickly turn access token expiry verification off and on as needed.", + "type": "boolean", "default": true, "required": false } }, { "verify_access_token_scopes": { - "type": "boolean", "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", + "type": "boolean", "default": true, "required": false } }, { "verify_access_token_introspection_expiry": { - "type": "boolean", "description": "Quickly turn access token introspection expiry verification off and on as needed.", + "type": "boolean", "default": true, "required": false } }, { "verify_access_token_introspection_scopes": { - "type": "boolean", "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", + "type": "boolean", "default": true, "required": false } }, { "cache_access_token_introspection": { - "type": "boolean", "description": "Whether to cache access token introspection results.", + "type": "boolean", "default": true, "required": false } }, { 
"trust_access_token_introspection": { - "type": "boolean", "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", + "type": "boolean", "default": true, "required": false } }, { "enable_access_token_introspection": { - "type": "boolean", "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", + "type": "boolean", "default": true, "required": false } }, { "channel_token_issuer": { - "type": "string", "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", + "type": "string", "default": "kong", "required": false } }, { "channel_token_keyset": { - "type": "string", "description": "The name of the keyset containing signing keys.", + "type": "string", "default": "kong", "required": false } }, { "channel_token_keyset_client_username": { - "required": false, "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`", "type": "string", - "referenceable": true + "referenceable": true, + "required": false } }, { "channel_token_keyset_client_password": { - "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_username`", "type": "string", - "required": false, + "referenceable": true, + "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_keyset_client_username`", "encrypted": true, - "referenceable": true + "required": false } }, { "channel_token_keyset_client_certificate": { - "type": "foreign", "description": "The client certificate that will be used to authenticate Kong if `channel_token_keyset` is an https uri that requires mTLS Auth.", + "type": "foreign", "reference": "certificates", "required": false } }, { "channel_token_keyset_rotate_period": { - "type": "number", "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. The default value 0 means no auto-rotation.", + "type": "number", "default": 0, "required": false } 
@@ -549,33 +587,33 @@ }, { "channel_token_jwks_uri_client_username": { - "required": false, "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", "type": "string", - "referenceable": true + "referenceable": true, + "required": false } }, { "channel_token_jwks_uri_client_password": { - "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`", "type": "string", - "required": false, + "referenceable": true, + "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`", "encrypted": true, - "referenceable": true + "required": false } }, { "channel_token_jwks_uri_client_certificate": { - "type": "foreign", "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", + "type": "foreign", "reference": "certificates", "required": false } }, { "channel_token_jwks_uri_rotate_period": { - "type": "number", "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. The default value 0 means no auto-rotation.", + "type": "number", "default": 0, "required": false } 
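Review bot: The description of `channel_token_jwks_uri_client_certificate` in this hunk says the certificate is used when `access_token_jwks_uri` requires mTLS, which looks like a copy-paste from the access-token field. The username, password and rotate-period descriptions beside it all name `channel_token_jwks_uri`. An operator following the rendered text could configure the mTLS client certificate against the wrong JWKS endpoint, so the description should name `channel_token_jwks_uri` instead. The reorder in this hunk leaves that sentence untouched. If these schema files are regenerated from the API, as the series description suggests, the correction presumably has to land in the upstream plugin schema or it will be overwritten on the next download.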
@@ -589,47 +627,53 @@ }, { "channel_token_leeway": { - "type": "number", "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", + "type": "number", "default": 0, "required": false } }, { "channel_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", + "type": "array", "elements": { "type": "string" }, - "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", - "type": "array", "required": false } }, { "channel_token_scopes_claim": { - "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", "type": "array", - "required": false, + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", + "default": [ + "scope" + ], "elements": { "type": "string" }, - "default": [ - "scope" - ] + "required": false } }, { "channel_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", + "type": "array", "elements": { "type": "string" }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. 
If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", - "type": "array", "required": false } }, { "channel_token_consumer_by": { + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", + "type": "array", + "default": [ + "username", + "custom_id" + ], "elements": { "type": "string", "one_of": [ @@ -637,13 +681,7 @@ "username", "custom_id" ] - }, - "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", - "default": [ - "username", - "custom_id" - ], - "type": "array" + } } }, { @@ -655,8 +693,8 @@ }, { "channel_token_upstream_leeway": { - "type": "number", "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", + "type": "number", "default": 0, "required": false } 
@@ -670,82 +708,85 @@ }, { "channel_token_introspection_authorization": { + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", + "type": "string", "elements": { "type": "string" }, - "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", - "type": "string", "required": false } }, { "channel_token_introspection_body_args": { + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", + "type": "string", "elements": { "type": "string" }, - "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", - "type": "string", "required": false } }, { "channel_token_introspection_hint": { + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", + "type": "string", "elements": { "type": "string" }, - "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. 
By default, a `hint` isn't sent with channel token introspection.", - "type": "string", "required": false } }, { "channel_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", + "type": "array", "elements": { "type": "string" }, - "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", - "type": "array", "required": false } }, { "channel_token_introspection_scopes_required": { + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", + "type": "array", "elements": { "type": "string" }, - "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", - "type": "array", "required": false } }, { "channel_token_introspection_scopes_claim": { - "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", "type": "array", - "required": false, + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. 
This supports nested claims.", + "default": [ + "scope" + ], "elements": { "type": "string" }, - "default": [ - "scope" - ] + "required": false } }, { "channel_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", + "type": "array", "elements": { "type": "string" }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", - "type": "array", "required": false } }, { "channel_token_introspection_consumer_by": { - "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", "type": "array", - "required": false, + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", + "default": [ + "username", + "custom_id" + ], "elements": { "type": "string", "one_of": [ 
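Review bot: `channel_token_introspection_authorization` is documented with the text for the introspection endpoint URI, so the schema never says what the authorization value is or that it is credential material. In the same hunk this field, `channel_token_introspection_body_args` and `channel_token_introspection_hint` are declared `"type": "string"` yet still carry an `elements` block, which elsewhere on this page appears only on `array` and `set` fields and looks like a leftover from the description merge. I would drop `elements` from the three string fields and give the authorization field its own description, along the lines of `"description": "Authorization header value sent to the introspection endpoint when introspecting a channel token."`, with the wording confirmed against the plugin documentation. The preceding endpoint field is outside this hunk, so its description could not be compared.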
@@ -754,16 +795,13 @@ "custom_id" ] }, - "default": [ - "username", - "custom_id" - ] + "required": false } }, { "channel_token_introspection_leeway": { - "type": "number", "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", + "type": "number", "default": 0, "required": false } @@ -777,10 +815,8 @@ }, { "channel_token_signing_algorithm": { - "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", "type": "string", - "required": true, - "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", "one_of": [ "HS256", "HS384", 
@@ -794,52 +830,54 @@ "PS384", "PS512", "EdDSA" - ] + ], + "default": "RS256", + "required": true } }, { "add_channel_token_claims": { - "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "type": "map", - "required": false, + "keys": { + "type": "string" + }, + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "values": { "type": "string" }, "default": [ ], - "keys": { - "type": "string" - } + "required": false } }, { "set_channel_token_claims": { - "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "type": "map", - "required": false, + "keys": { + "type": "string" + }, + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "values": { "type": "string" }, "default": [ ], - "keys": { - "type": "string" - } + "required": false } }, { "remove_channel_token_claims": { - "description": "remove claims. It should be an array, and each element is a claim key string.", "type": "array", - "required": false, + "description": "remove claims. It should be an array, and each element is a claim key string.", + "default": [ + + ], "elements": { "type": "string" }, - "default": [ - - ] + "required": false } }, { 
@@ -851,16 +889,16 @@ }, { "channel_token_optional": { - "type": "boolean", "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", + "type": "boolean", "default": false, "required": false } }, { "verify_channel_token_signature": { - "type": "boolean", "description": "Quickly turn on/off the channel token signature verification.", + "type": "boolean", "default": true, "required": false } 
@@ -874,122 +912,84 @@ }, { "verify_channel_token_scopes": { - "type": "boolean", "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", + "type": "boolean", "default": true, "required": false } }, { "verify_channel_token_introspection_expiry": { - "type": "boolean", "description": "Quickly turn on/off the channel token introspection expiry verification.", + "type": "boolean", "default": true, "required": false } }, { "verify_channel_token_introspection_scopes": { - "type": "boolean", "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", + "type": "boolean", "default": true, "required": false } }, { "cache_channel_token_introspection": { - "type": "boolean", "description": "Whether to cache channel token introspection results.", + "type": "boolean", "default": true, "required": false } }, { "trust_channel_token_introspection": { - "type": "boolean", "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", + "type": "boolean", "default": true, "required": false } }, { "enable_channel_token_introspection": { - "type": "boolean", "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", + "type": "boolean", "default": true, "required": false } }, { "add_claims": { - "description": "Add customized claims to both tokens if they are not present yet. 
Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "type": "map", - "required": false, + "keys": { + "type": "string" + }, + "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "values": { "type": "string" }, "default": [ ], - "keys": { - "type": "string" - } + "required": false } }, { "set_claims": { - "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "type": "map", - "required": false, + "keys": { + "type": "string" + }, + "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "values": { "type": "string" }, "default": [ ], - "keys": { - "type": "string" - } + "required": false } } - ], - "entity_checks": [ - { - "mutually_required": [ - "access_token_jwks_uri_client_username", - "access_token_jwks_uri_client_password" - ] - }, - { - "mutually_required": [ - "access_token_keyset_client_username", - "access_token_keyset_client_password" - ] - }, - { - "mutually_required": [ - "channel_token_jwks_uri_client_username", - "channel_token_jwks_uri_client_password" - ] - }, - { - "mutually_required": [ - "channel_token_keyset_client_username", - "channel_token_keyset_client_password" - ] - } - ] - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.access_token_upstream_header", - "config.channel_token_upstream_header", - "config.original_access_token_upstream_header", - "config.original_channel_token_upstream_header" ] } } diff --git a/schemas/jwt/3.10.x.json b/schemas/jwt/3.10.x.json index 0f444570..ecc92de6 100644 --- a/schemas/jwt/3.10.x.json 
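Review bot: The tail of the jwt-signer schema loses the four `mutually_required` username/password checks and the `custom_entity_check` over the `*_upstream_header` fields, and nothing in this hunk shows them being added back. `schemas/jwt/3.10.x.json` in the same patch moves its `entity_checks` to the top of the document, so this is probably only a key reorder, but the top of the jwt-signer file and the start of its `config` record are outside the hunk. It is worth confirming that both blocks are present in the new version, since without the `mutually_required` entries a Basic Auth username would presumably pass validation without its password.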
+++ b/schemas/jwt/3.10.x.json @@ -1,18 +1,29 @@ { + "entity_checks": [ + { + "conditional": { + "if_match": { + "gt": 0 + }, + "then_field": "config.claims_to_verify", + "if_field": "config.maximum_expiration", + "then_match": { + "contains": "exp" + } + } + } + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -22,20 +33,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -44,26 +58,26 @@ "fields": [ { "uri_param_names": { + "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", + "type": "set", "elements": { "type": "string" }, - "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", "default": [ "jwt" - ], - "type": "set" + ] } }, { "cookie_names": { + "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", + "type": "set", "elements": { "type": "string" }, - "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", "default": [ - ], - "type": "set" + ] } }, { 
@@ -75,8 +89,8 @@ }, { "secret_is_base64": { - "type": "boolean", "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", + "type": "boolean", "default": false, "required": true } @@ -96,39 +110,39 @@ }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" } }, { "run_on_preflight": { - "type": "boolean", "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", + "type": "boolean", "default": true, "required": true } }, { "maximum_expiration": { - "default": 0, "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", + "type": "number", + "default": 0, "between": [ 0, 31536000 - ], - "type": "number" + ] } }, { "header_names": { + "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", + "type": "set", "elements": { "type": "string" }, - "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", "default": [ "authorization" - ], - "type": "set" + ] } }, { @@ -142,19 +156,5 @@ "required": true } } - ], - "entity_checks": [ - { - "conditional": { - "if_match": { - "gt": 0 - }, - "then_field": "config.claims_to_verify", - "if_field": "config.maximum_expiration", - "then_match": { - "contains": "exp" - } - } - } ] } \ No newline at end of file diff --git a/schemas/kafka-consume/3.10.x.json b/schemas/kafka-consume/3.10.x.json index 372165ce..727f8b8b 100644 
--- a/schemas/kafka-consume/3.10.x.json +++ b/schemas/kafka-consume/3.10.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "elements": { "type": "string", "one_of": [ @@ -14,6 +16,7 @@ "wss" ] }, + "type": "set", "default": [ "grpc", "grpcs", @@ -27,10 +30,10 @@ }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -48,6 +51,8 @@ "fields": [ { "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set", "elements": { "type": "record", "fields": [ 
@@ -60,87 +65,85 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true } } ] }, - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", - "type": "set", "required": true } }, { "topics": { - "len_min": 1, "type": "array", - "required": true, + "len_min": 1, + "description": "The Kafka topics and their configuration you want to consume from.", "elements": { "type": "record", "fields": [ { "name": { - "type": "string", - "required": true + "required": true, + "type": "string" } } ] }, - "description": "The Kafka topics and their configuration you want to consume from." + "required": true } }, { "mode": { - "description": "The mode of operation for the plugin.", "type": "string", - "required": true, - "default": "http-get", + "description": "The mode of operation for the plugin.", "one_of": [ "server-sent-events", "http-get" - ] + ], + "default": "http-get", + "required": true } }, { "message_deserializer": { - "description": "The deserializer to use for the consumed messages.", "type": "string", - "required": true, - "default": "noop", + "description": "The deserializer to use for the consumed messages.", "one_of": [ "json", "noop" - ] + ], + "default": "noop", + "required": true } }, { "auto_offset_reset": { - "description": "The offset to start from when there is no initial offset in the consumer group.", "type": "string", - "required": true, - "default": "latest", + "description": "The offset to start from when there is no initial offset in the consumer group.", "one_of": [ "earliest", "latest" - ] + ], + "default": "latest", + "required": true } }, { "commit_strategy": { - "description": "The strategy to use for committing offsets.", "type": "string", - "required": true, - "default": "auto", + 
"description": "The strategy to use for committing offsets.", "one_of": [ "auto", "off" - ] + ], + "default": "auto", + "required": true } }, { @@ -149,24 +152,24 @@ "fields": [ { "strategy": { - "required": false, "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "type": "string", "one_of": [ "sasl" - ] + ], + "required": false } }, { "mechanism": { - "required": false, "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", "type": "string", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" - ] + ], + "required": false } }, { @@ -178,20 +181,20 @@ }, { "user": { - "description": "Username for SASL authentication.", "type": "string", - "required": false, + "referenceable": true, + "description": "Username for SASL authentication.", "encrypted": true, - "referenceable": true + "required": false } }, { "password": { - "description": "Password for SASL authentication.", "type": "string", - "required": false, + "referenceable": true, + "description": "Password for SASL authentication.", "encrypted": true, - "referenceable": true + "required": false } } ], @@ -205,9 +208,9 @@ { "certificate_id": { "description": "UUID of certificate entity for mTLS authentication.", - "uuid": true, "type": "string", - "required": false + "required": false, + "uuid": true } }, { @@ -232,8 +235,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/kafka-log/3.10.x.json b/schemas/kafka-log/3.10.x.json index 5e7fd696..c726d219 100644 --- a/schemas/kafka-log/3.10.x.json +++ b/schemas/kafka-log/3.10.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "elements": { "type": "string", "one_of": [ @@ -14,6 +16,7 @@ "wss" ] }, + "type": "set", "default": [ "grpc", "grpcs", 
@@ -27,10 +30,10 @@ }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -62,12 +65,12 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true } } @@ -91,14 +94,14 @@ }, { "keepalive": { - "default": 60000, - "type": "integer" + "type": "integer", + "default": 60000 } }, { "keepalive_enabled": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { @@ -107,24 +110,24 @@ "fields": [ { "strategy": { - "required": false, "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "type": "string", "one_of": [ "sasl" - ] + ], + "required": false } }, { "mechanism": { - "required": false, "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256` or `SCRAM-SHA-512`.", "type": "string", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" - ] + ], + "required": false } }, { @@ -136,20 +139,20 @@ }, { "user": { - "description": "Username for SASL authentication.", "type": "string", - "required": false, + "referenceable": true, + "description": "Username for SASL authentication.", "encrypted": true, - "referenceable": true + "required": false } }, { "password": { - "description": "Password for SASL authentication.", "type": "string", - "required": false, + "referenceable": true, + "description": "Password for SASL authentication.", "encrypted": true, - "referenceable": true + "required": false } } ], 
@@ -162,9 +165,9 @@ "fields": [ { "certificate_id": { - "uuid": true, "description": "UUID of certificate entity for mTLS authentication.", "type": "string", + "uuid": true, "required": false } }, @@ -181,22 +184,22 @@ }, { "cluster_name": { - "type": "string", "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "type": "string", "auto": true, "required": false } }, { "producer_request_acks": { - "type": "integer", "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", - "default": 1, + "type": "integer", "one_of": [ -1, 0, 1 - ] + ], + "default": 1 } }, { @@ -257,12 +260,12 @@ }, { "custom_fields_by_lua": { - "values": { - "type": "string", - "len_min": 1 - }, "description": "Lua code as a key-value map", "type": "map", + "values": { + "len_min": 1, + "type": "string" + }, "keys": { "type": "string", "len_min": 1 @@ -273,8 +276,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/kafka-upstream/3.10.x.json b/schemas/kafka-upstream/3.10.x.json index 3c123046..3817ecb4 100644 --- a/schemas/kafka-upstream/3.10.x.json +++ b/schemas/kafka-upstream/3.10.x.json @@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ 
@@ -14,20 +14,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -69,12 +72,12 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true } } @@ -91,11 +94,11 @@ }, { "allowed_topics": { + "description": "The list of allowed topic names to which messages can be sent. The default topic configured in the `topic` field is always allowed, regardless of its inclusion in `allowed_topics`.", + "type": "array", "elements": { "type": "string" }, - "description": "The list of allowed topic names to which messages can be sent. The default topic configured in the `topic` field is always allowed, regardless of its inclusion in `allowed_topics`.", - "type": "array", "required": false } }, @@ -132,24 +135,24 @@ "fields": [ { "strategy": { - "required": false, "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "type": "string", "one_of": [ "sasl" - ] + ], + "required": false } }, { "mechanism": { - "required": false, "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", "type": "string", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" - ] + ], + "required": false } }, { 
@@ -161,20 +164,20 @@ }, { "user": { - "description": "Username for SASL authentication.", "type": "string", - "required": false, + "referenceable": true, + "description": "Username for SASL authentication.", "encrypted": true, - "referenceable": true + "required": false } }, { "password": { - "description": "Password for SASL authentication.", "type": "string", - "required": false, + "referenceable": true, + "description": "Password for SASL authentication.", "encrypted": true, - "referenceable": true + "required": false } } ], @@ -188,8 +191,8 @@ { "certificate_id": { "description": "UUID of certificate entity for mTLS authentication.", - "uuid": true, "type": "string", + "uuid": true, "required": false } }, @@ -234,26 +237,26 @@ }, { "message_by_lua_functions": { + "description": "The Lua functions that manipulates the message being sent to the Kafka topic.", + "type": "array", "elements": { "type": "string" }, - "description": "The Lua functions that manipulates the message being sent to the Kafka topic.", - "type": "array", "required": false } }, { "cluster_name": { - "auto": true, "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", "type": "string", - "required": false + "required": false, + "auto": true } }, { "producer_request_acks": { - "default": 1, "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "default": 1, "type": "integer", "one_of": [ -1, 
@@ -322,8 +325,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/key-auth-enc/3.10.x.json b/schemas/key-auth-enc/3.10.x.json index 8faa16a0..ca122104 100644 --- a/schemas/key-auth-enc/3.10.x.json +++ b/schemas/key-auth-enc/3.10.x.json @@ -1,16 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { - "type": "set", "elements": { "type": "string", "one_of": [ @@ -22,6 +24,7 @@ "wss" ] }, + "type": "set", "default": [ "grpc", "grpcs", @@ -35,10 +38,10 @@ }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { 
@@ -47,16 +50,16 @@ "fields": [ { "key_names": { - "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "type": "array", - "required": true, - "elements": { - "type": "string", - "description": "A string representing an HTTP header name." - }, + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "default": [ "apikey" - ] + ], + "elements": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "required": true } }, { @@ -68,8 +71,8 @@ }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { @@ -111,8 +114,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file 
diff --git a/schemas/key-auth/3.10.x.json b/schemas/key-auth/3.10.x.json index abf5f9cb..dc98b704 100644 --- a/schemas/key-auth/3.10.x.json +++ b/schemas/key-auth/3.10.x.json @@ -1,16 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { - "type": "set", "elements": { "type": "string", "one_of": [ @@ -22,6 +24,7 @@ "wss" ] }, + "type": "set", "default": [ "grpc", "grpcs", @@ -35,10 +38,10 @@ }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { 
@@ -47,60 +50,60 @@ "fields": [ { "key_names": { - "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "type": "array", - "required": true, - "elements": { - "type": "string", - "description": "A string representing an HTTP header name." - }, + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "default": [ "apikey" - ] + ], + "elements": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "required": true } }, { "hide_credentials": { - "type": "boolean", "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", + "type": "boolean", "default": false, "required": true } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. 
If empty (default null), the request will fail with an authentication failure `4xx`.", + "type": "string" } }, { "key_in_header": { - "type": "boolean", "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean", "default": true, "required": true } }, { "key_in_query": { - "type": "boolean", "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean", "default": true, "required": true } }, { "key_in_body": { - "type": "boolean", "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean", "default": false, "required": true } }, { "run_on_preflight": { - "type": "boolean", "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean", "default": true, "required": true } @@ -114,41 +117,9 @@ }, { "identity_realms": { - "default": [ - { - "region": null, - "id": null, - "scope": "cp" - } - ], "description": "A configuration of Konnect Identity Realms that indicate where to source a consumer from.", "type": "set", "elements": { - "type": "record", - "fields": [ - { - "scope": { - "type": "string", - "one_of": [ - "cp", - "realm" - ] - } - }, - { - "id": { - "uuid": true, - "description": "A string representing a UUID (universally unique identifier).", - "type": "string", - "auto": false - } - }, - { - "region": { - "type": "string" - } - } - ], "entity_checks": [ { "conditional": { @@ -170,11 +141,7 @@ "then_field": "region", "if_field": "scope", "then_match": { - "one_of": [ - "us", - "eu", - "au" - ] + "required": true } } }, 
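Review bot: In the `@@ -170,11 +141,7 @@` hunk of `schemas/key-auth/3.10.x.json`, the `then_match` for `region` now carries only `"required": true`, so this schema no longer restricts the value to `us`, `eu` or `au` and any non-empty string validates against the file. Unlike the key reordering around it, this looks like a real change in validation, on a field of `identity_realms`, which is described as indicating where a consumer is sourced from. If the plugin still enforces the list for 3.10.x, the entry should read `"then_match": { "required": true, "one_of": ["us", "eu", "au"] }`; if the list was dropped upstream on purpose, the commit message should say so. The conditional's `if_match` sits outside this hunk, so which `scope` value triggers the check cannot be confirmed from here.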
@@ -204,16 +171,45 @@ } } } + ], + "type": "record", + "fields": [ + { + "scope": { + "type": "string", + "one_of": [ + "cp", + "realm" + ] + } + }, + { + "id": { + "description": "A string representing a UUID (universally unique identifier).", + "type": "string", + "auto": false, + "uuid": true + } + }, + { + "region": { + "type": "string" + } + } ] - } + }, + "default": [ + { + "scope": "cp", + "region": null, + "id": null + } + ] } } ], "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/konnect-application-auth/3.10.x.json b/schemas/konnect-application-auth/3.10.x.json index a6ad3f77..075d1580 100644 --- a/schemas/konnect-application-auth/3.10.x.json +++ b/schemas/konnect-application-auth/3.10.x.json @@ -1,18 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -22,20 +22,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { 
@@ -47,50 +50,47 @@ "fields": [ { "key_names": { - "description": "The names of the headers containing the API key. You can specify multiple header names.", "type": "array", - "required": true, - "elements": { - "type": "string", - "description": "A string representing an HTTP header name." - }, + "description": "The names of the headers containing the API key. You can specify multiple header names.", "default": [ "apikey" - ] + ], + "elements": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "required": true } }, { "auth_type": { - "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", "type": "string", - "required": true, - "default": "openid-connect", + "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", "one_of": [ "openid-connect", "key-auth", "v2-strategies" - ] + ], + "default": "openid-connect", + "required": true } }, { "scope": { - "unique": true, "description": "The unique scope identifier for the plugin configuration.", + "unique": true, "type": "string", "required": true } }, { "v2_strategies": { - "description": "The map of v2 strategies.", "type": "record", - "required": false, - "default": [ - - ], "fields": [ { "key_auth": { + "description": "List of key_auth strategies.", + "type": "array", "elements": { "type": "record", "fields": [ 
@@ -104,34 +104,34 @@ { "config": { "type": "record", + "required": true, "fields": [ { "key_names": { - "description": "The names of the headers containing the API key. You can specify multiple header names.", "type": "array", - "required": true, - "elements": { - "type": "string", - "description": "A string representing an HTTP header name." - }, + "description": "The names of the headers containing the API key. You can specify multiple header names.", "default": [ "apikey" - ] + ], + "elements": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "required": true } } - ], - "required": true + ] } } ] }, - "description": "List of key_auth strategies.", - "type": "array", "required": false } }, { "openid_connect": { + "description": "List of openid_connect strategies.", + "type": "array", "elements": { "type": "record", "fields": [ 
@@ -156,56 +156,66 @@ }, { "using_pseudo_issuer": { - "default": false, "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "default": false, "type": "boolean", "required": false } }, { "discovery_headers_names": { + "description": "Extra header names passed to the discovery endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra header names passed to the discovery endpoint.", - "type": "array", "required": false } }, { "discovery_headers_values": { + "description": "Extra header values passed to the discovery endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra header values passed to the discovery endpoint.", - "type": "array", "required": false } }, { "extra_jwks_uris": { - "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "type": "set", + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, "required": false } }, { "rediscovery_lifetime": { - "default": 30, "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", + "default": 30, "type": "number", "required": false } }, { "auth_methods": { - "description": "Types of credentials/grants to enable.", "type": "array", - "required": false, + "description": "Types of credentials/grants to enable.", + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ], "elements": { "type": "string", "one_of": [ 
@@ -220,45 +230,37 @@ "session" ] }, - "default": [ - "password", - "client_credentials", - "authorization_code", - "bearer", - "introspection", - "userinfo", - "kong_oauth2", - "refresh_token", - "session" - ] + "required": false } }, { "client_id": { - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", "type": "array", - "required": false, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "encrypted": true, "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "encrypted": true + "required": false } }, { "client_secret": { - "description": "The client secret.", "type": "array", - "required": false, + "description": "The client secret.", + "encrypted": true, "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "encrypted": true + "required": false } }, { "client_auth": { + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "type": "array", "elements": { "type": "string", "one_of": [ 
@@ -271,39 +273,40 @@ "none" ] }, - "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", - "type": "array", "required": false } }, { "client_jwk": { + "description": "The JWK used for the private_key_jwt authentication.", + "type": "array", "elements": { "type": "record", + "required": false, "fields": [ { "issuer": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "kty": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "use": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "key_ops": { "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "type": "array", "required": false @@ -311,27 +314,27 @@ }, { "alg": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "kid": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5u": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5c": { "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "type": "array", "required": false 
@@ -339,136 +342,135 @@ }, { "x5t": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5t#S256": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "k": { - "required": false, - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "required": false } }, { "x": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "y": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "crv": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "n": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "e": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "d": { - "required": false, - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "required": false } }, { "p": { - "required": false, - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "required": false } }, { "q": { - "required": false, - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "required": false } }, { "dp": { - "required": false, - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "required": false } }, { "dq": { - "required": false, - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "required": false } }, { "qi": { - "required": false, - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "required": false } }, { "oth": { - "required": false, - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + 
"required": false } }, { "r": { - "required": false, - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "required": false } }, { "t": { - "required": false, - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "required": false } } - ], - "required": false + ] }, - "description": "The JWK used for the private_key_jwt authentication.", - "type": "array", "required": false } }, { "client_alg": { + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "type": "array", "elements": { "type": "string", "one_of": [ 
@@ -487,125 +489,121 @@ "EdDSA" ] }, - "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", - "type": "array", "required": false } }, { "client_arg": { - "default": "client_id", "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "default": "client_id", "type": "string", "required": false } }, { "redirect_uri": { - "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, "description": "The redirect URI passed to the authorization and token endpoints.", "type": "array", + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, "required": false } }, { "login_redirect_uri": { + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "type": "array", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", "referenceable": true }, - "description": "Where to redirect the client when `login_action` is set to `redirect`.", - "type": "array", "required": false } }, { "logout_redirect_uri": { + "description": "Where to redirect the client after the logout.", + "type": "array", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", "referenceable": true }, - "description": "Where to redirect the client after the logout.", - "type": "array", "required": false } }, { "forbidden_redirect_uri": { - "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
- }, "description": "Where to redirect the client on forbidden requests.", "type": "array", + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, "required": false } }, { "forbidden_error_message": { - "default": "Forbidden", "description": "The error message for the forbidden requests (when not using the redirection).", + "default": "Forbidden", "type": "string", "required": false } }, { "forbidden_destroy_session": { - "default": true, "description": "Destroy any active session for the forbidden requests.", + "default": true, "type": "boolean", "required": false } }, { "unauthorized_destroy_session": { - "default": true, "description": "Destroy any active session for the unauthorized requests.", + "default": true, "type": "boolean", "required": false } }, { "unauthorized_redirect_uri": { - "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, "description": "Where to redirect the client on unauthorized requests.", "type": "array", + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, "required": false } }, { "unauthorized_error_message": { - "default": "Unauthorized", "description": "The error message for the unauthorized requests (when not using the redirection).", + "default": "Unauthorized", "type": "string", "required": false } }, { "unexpected_redirect_uri": { - "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
- }, "description": "Where to redirect the client when unexpected errors happen with the requests.", "type": "array", + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, "required": false } }, { "response_mode": { - "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", "type": "string", - "required": false, - "default": "query", + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", "one_of": [ "query", "form_post", 
@@ -614,155 +612,157 @@ "form_post.jwt", "fragment.jwt", "jwt" - ] + ], + "default": "query", + "required": false } }, { "response_type": { - "description": "The response type passed to the authorization endpoint.", "type": "array", - "required": false, + "description": "The response type passed to the authorization endpoint.", + "default": [ + "code" + ], "elements": { "type": "string" }, - "default": [ - "code" - ] + "required": false } }, { "scopes": { - "description": "The scopes passed to the authorization and token endpoints.", "type": "array", - "required": false, - "elements": { - "type": "string", - "referenceable": true - }, + "description": "The scopes passed to the authorization and token endpoints.", "default": [ "openid" - ] + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "required": false } }, { "audience": { + "description": "The audience passed to the authorization endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "The audience passed to the authorization endpoint.", - "type": "array", "required": false } }, { "issuers_allowed": { + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "type": "array", "elements": { "type": "string" }, - "description": "The issuers allowed to be present in the tokens (`iss` claim).", - "type": "array", "required": false } }, { "scopes_required": { + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array", "elements": { "type": "string" }, - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.", - "type": "array", "required": false } }, { "scopes_claim": { - "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", - "required": false, + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "default": [ + "scope" + ], "elements": { "type": "string" }, - "default": [ - "scope" - ] + "required": false } }, { "audience_required": { + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array", "elements": { "type": "string" }, - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "type": "array", "required": false } }, { "audience_claim": { - "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", - "required": false, + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "default": [ + "aud" + ], "elements": { "type": "string" }, - "default": [ - "aud" - ] + "required": false } }, { "groups_required": { + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.", + "type": "array", "elements": { "type": "string" }, - "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "type": "array", "required": false } }, { "groups_claim": { - "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", - "required": false, + "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "default": [ + "groups" + ], "elements": { "type": "string" }, - "default": [ - "groups" - ] + "required": false } }, { "roles_required": { + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array", "elements": { "type": "string" }, - "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "type": "array", "required": false } }, { "roles_claim": { - "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", - "required": false, + "description": "The claim that contains the roles. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "default": [ + "roles" + ], "elements": { "type": "string" }, - "default": [ - "roles" - ] + "required": false } }, { "domains": { + "description": "The allowed values for the `hd` claim.", + "type": "array", "elements": { "type": "string" }, - "description": "The allowed values for the `hd` claim.", - "type": "array", "required": false } }, @@ -775,11 +775,11 @@ }, { "authenticated_groups_claim": { + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", "elements": { "type": "string" }, - "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "type": "array", "required": false } }, @@ -792,7 +792,6 @@ }, { "pushed_authorization_request_endpoint_auth_method": { - "required": false, "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "type": "string", "one_of": [ @@ -803,7 +802,8 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ] + ], + "required": false } }, { 
@@ -836,63 +836,63 @@ }, { "authorization_query_args_names": { + "description": "Extra query argument names passed to the authorization endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra query argument names passed to the authorization endpoint.", - "type": "array", "required": false } }, { "authorization_query_args_values": { + "description": "Extra query argument values passed to the authorization endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra query argument values passed to the authorization endpoint.", - "type": "array", "required": false } }, { "authorization_query_args_client": { + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra query arguments passed from the client to the authorization endpoint.", - "type": "array", "required": false } }, { "authorization_rolling_timeout": { - "default": 600, "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "default": 600, "type": "number", "required": false } }, { "authorization_cookie_name": { - "default": "authorization", "description": "The authorization cookie name.", + "default": "authorization", "type": "string", "required": false } }, { "authorization_cookie_path": { + "type": "string", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], - "description": "The authorization cookie Path flag.", - "type": "string", - "required": false, + "starts_with": "/", "default": "/", - "starts_with": "/" + "description": "The authorization cookie Path flag.", + "required": false } }, { 
@@ -904,22 +904,22 @@ }, { "authorization_cookie_same_site": { - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "type": "string", - "required": false, - "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "default": "Default", + "required": false } }, { "authorization_cookie_http_only": { - "default": true, "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true, "type": "boolean", "required": false } @@ -933,8 +933,8 @@ }, { "preserve_query_args": { - "default": false, "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "default": false, "type": "boolean", "required": false } @@ -948,7 +948,6 @@ }, { "token_endpoint_auth_method": { - "required": false, "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "type": "string", "one_of": [ 
@@ -959,46 +958,47 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ] + ], + "required": false } }, { "token_headers_names": { + "description": "Extra header names passed to the token endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra header names passed to the token endpoint.", - "type": "array", "required": false } }, { "token_headers_values": { + "description": "Extra header values passed to the token endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra header values passed to the token endpoint.", - "type": "array", "required": false } }, { "token_headers_client": { + "description": "Extra headers passed from the client to the token endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra headers passed from the client to the token endpoint.", - "type": "array", "required": false } }, { "token_headers_replay": { + "description": "The names of token endpoint response headers to forward to the downstream client.", + "type": "array", "elements": { "type": "string" }, - "description": "The names of token endpoint response headers to forward to the downstream client.", - "type": "array", "required": false } }, @@ -1011,6 +1011,8 @@ }, { "token_headers_grants": { + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "type": "array", "elements": { "type": "string", "one_of": [ 
@@ -1020,38 +1022,36 @@ "refresh_token" ] }, - "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", - "type": "array", "required": false } }, { "token_post_args_names": { + "description": "Extra post argument names passed to the token endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra post argument names passed to the token endpoint.", - "type": "array", "required": false } }, { "token_post_args_values": { + "description": "Extra post argument values passed to the token endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra post argument values passed to the token endpoint.", - "type": "array", "required": false } }, { "token_post_args_client": { + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", - "type": "array", "required": false } }, 
@@ -1064,7 +1064,6 @@ }, { "introspection_endpoint_auth_method": { - "required": false, "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "type": "string", "one_of": [ 
@@ -1075,114 +1074,115 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ] + ], + "required": false } }, { "introspection_hint": { - "default": "access_token", "description": "Introspection hint parameter value passed to the introspection endpoint.", + "default": "access_token", "type": "string", "required": false } }, { "introspection_check_active": { - "default": true, "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "default": true, "type": "boolean", "required": false } }, { "introspection_accept": { - "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", "type": "string", - "required": false, - "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", "one_of": [ "application/json", "application/token-introspection+jwt", "application/jwt" - ] + ], + "default": "application/json", + "required": false } }, { "introspection_headers_names": { + "description": "Extra header names passed to the introspection endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra header names passed to the introspection endpoint.", - "type": "array", "required": false } }, { "introspection_headers_values": { - "description": "Extra header values passed to the introspection endpoint.", "type": "array", - "required": false, + "description": "Extra header values passed to the introspection endpoint.", + "encrypted": 
true, "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "encrypted": true + "required": false } }, { "introspection_headers_client": { + "description": "Extra headers passed from the client to the introspection endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra headers passed from the client to the introspection endpoint.", - "type": "array", "required": false } }, { "introspection_post_args_names": { + "description": "Extra post argument names passed to the introspection endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra post argument names passed to the introspection endpoint.", - "type": "array", "required": false } }, { "introspection_post_args_values": { + "description": "Extra post argument values passed to the introspection endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra post argument values passed to the introspection endpoint.", - "type": "array", "required": false } }, { "introspection_post_args_client": { + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra post arguments passed from the client to the introspection endpoint.", - "type": "array", "required": false } }, { "introspection_post_args_client_headers": { + "description": "Extra post arguments passed from the client headers to the introspection endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra post arguments passed from the client headers to the introspection endpoint.", - "type": "array", "required": false } }, { "introspect_jwt_tokens": { - "default": false, "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "default": false, "type": "boolean", "required": false } 
@@ -1196,7 +1196,6 @@ }, { "revocation_endpoint_auth_method": { - "required": false, "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "type": "string", "one_of": [ @@ -1207,7 +1206,8 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ] + ], + "required": false } }, { 
@@ -1226,73 +1226,73 @@ }, { "userinfo_accept": { - "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", "type": "string", - "required": false, - "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", "one_of": [ "application/json", "application/jwt" - ] + ], + "default": "application/json", + "required": false } }, { "userinfo_headers_names": { + "description": "Extra header names passed to the user info endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra header names passed to the user info endpoint.", - "type": "array", "required": false } }, { "userinfo_headers_values": { + "description": "Extra header values passed to the user info endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra header values passed to the user info endpoint.", - "type": "array", "required": false } }, { "userinfo_headers_client": { + "description": "Extra headers passed from the client to the user info endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra headers passed from the client to the user info endpoint.", - "type": "array", "required": false } }, { "userinfo_query_args_names": { - "elements": { - "type": "string" - }, "description": "Extra query argument names passed to the user info endpoint.", "type": "array", + "elements": { + "type": "string" + }, "required": false } }, { "userinfo_query_args_values": { + "description": "Extra query argument values passed to the user info endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra query argument values passed to the user info endpoint.", - "type": "array", 
"required": false } }, { "userinfo_query_args_client": { + "description": "Extra query arguments passed from the client to the user info endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra query arguments passed from the client to the user info endpoint.", - "type": "array", "required": false } }, 
@@ -1305,98 +1305,98 @@ }, { "session_secret": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "The session secret.", - "referenceable": true + "encrypted": true, + "required": false } }, { "session_audience": { - "default": "default", "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "default": "default", "type": "string", "required": false } }, { "session_cookie_name": { - "default": "session", "description": "The session cookie name.", + "default": "session", "type": "string", "required": false } }, { "session_remember": { - "default": false, "description": "Enables or disables persistent sessions.", + "default": false, "type": "boolean", "required": false } }, { "session_remember_cookie_name": { - "default": "remember", "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "default": "remember", "type": "string", "required": false } }, { "session_remember_rolling_timeout": { - "default": 604800, "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "default": 604800, "type": "number", "required": false } }, { "session_remember_absolute_timeout": { - "default": 2592000, "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "default": 2592000, "type": "number", "required": false } }, { "session_idling_timeout": { - "default": 900, "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "default": 900, "type": "number", "required": false } }, { "session_rolling_timeout": { - "default": 3600, "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling.", + "default": 3600, "type": "number", "required": false } }, { "session_absolute_timeout": { - "default": 86400, "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "default": 86400, "type": "number", "required": false } }, { "session_cookie_path": { + "type": "string", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], - "description": "The session cookie Path flag.", - "type": "string", - "required": false, + "starts_with": "/", "default": "/", - "starts_with": "/" + "description": "The session cookie Path flag.", + "required": false } }, { @@ -1408,22 +1408,22 @@ }, { "session_cookie_same_site": { - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "type": "string", - "required": false, - "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "default": "Lax", + "required": false } }, { "session_cookie_http_only": { - "default": true, "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true, "type": "boolean", "required": false } @@ -1437,6 +1437,7 @@ }, { "session_request_headers": { + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", "elements": { "type": "string", "one_of": [ 
@@ -1449,13 +1450,13 @@ "absolute-timeout" ] }, - "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", "type": "set", "required": false } }, { "session_response_headers": { + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", "elements": { "type": "string", "one_of": [ 
@@ -1468,53 +1469,52 @@ "absolute-timeout" ] }, - "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", "type": "set", "required": false } }, { "session_storage": { - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", "type": "string", - "required": false, - "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", "one_of": [ "cookie", "memcache", "memcached", "redis" - ] + ], + "default": "cookie", + "required": false } }, { "session_store_metadata": { - "default": false, "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "default": false, "type": "boolean", "required": false } }, { "session_enforce_same_subject": { - "default": false, "description": "When set to `true`, audiences are forced to share the same subject.", + "default": false, "type": "boolean", "required": false } }, { "session_hash_subject": { - "default": false, "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", + "default": false, "type": "boolean", "required": false } }, { "session_hash_storage_key": { - "default": false, "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "default": false, "type": "boolean", "required": false } 
@@ -1535,26 +1535,156 @@ }, { "session_memcached_host": { - "default": "127.0.0.1", "description": "The memcached host.", + "default": "127.0.0.1", "type": "string", "required": false } }, { "session_memcached_port": { - "description": "The memcached port.", "type": "integer", - "required": false, + "description": "The memcached port.", "default": 11211, "between": [ 0, 65535 - ] + ], + "required": false } }, { "redis": { + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "type": "array", + "elements": { + "type": "string" + }, + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes 
instead" + }, + "len_min": 1 + } + }, + { + "cluster_addresses": { + "type": "array", + "elements": { + "type": "string" + }, + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "len_min": 1 + } + } + ], "fields": [ { "host": { @@ -1565,46 +1695,46 @@ }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "connect_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "read_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { 
@@ -1646,13 +1776,13 @@ }, { "keepalive_pool_size": { - "type": "integer", "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "default": 256, "between": [ 1, 2147483646 - ] + ], + "type": "integer" } }, { @@ -1667,8 +1797,8 @@ }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { 
@@ -1684,80 +1814,80 @@ }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "elements": { - "type": "record", "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } } - ] + ], + "type": "record" }, - "len_min": 1 + "required": false } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "elements": { - "type": "record", "fields": [ { "ip": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } } - ] + ], + "type": "record" }, - "len_min": 1 + "required": false } }, { "ssl": { - "default": false, "description": "If set to true, uses SSL to connect to Redis.", + "default": false, "type": "boolean", "required": false } }, { "ssl_verify": { - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, "type": "boolean", "required": false } @@ -1771,16 +1901,16 @@ }, { "cluster_max_redirections": { - "default": 5, "description": "Maximum retry attempts for redirection.", + "default": 5, "type": "integer", "required": false } }, { "connection_is_proxied": { - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "default": false, "type": "boolean", "required": false } 
@@ -1799,152 +1929,21 @@ "required": false } } - ], - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "required": true, - "shorthand_fields": [ - { - "timeout": { - "type": "integer", - "deprecation": { - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ], - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" - } - } - }, - { - "sentinel_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", - "deprecation": { - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ], - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" - } - } - }, - { - "cluster_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", - "deprecation": { - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ], - "message": "cluster_addresses is deprecated, please use cluster_nodes instead" - } - } - } ] 
} }, { "reverify": { - "default": false, "description": "Specifies whether to always verify tokens stored in the session.", + "default": false, "type": "boolean", "required": false } }, { "jwt_session_claim": { - "default": "sid", "description": "The claim to match against the JWT session cookie.", + "default": "sid", "type": "string", "required": false } @@ -1958,9 +1957,13 @@ }, { "bearer_token_param_type": { - "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", "type": "array", - "required": false, + "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "default": [ + "header", + "query", + "body" + ], "elements": { "type": "string", "one_of": [ @@ -1970,11 +1973,7 @@ "body" ] }, - "default": [ - "header", - "query", - "body" - ] + "required": false } }, { @@ -1986,9 +1985,13 @@ }, { "client_credentials_param_type": { - "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", "type": "array", - "required": false, + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "default": [ + "header", + "query", + "body" + ], "elements": { "type": "string", "one_of": [ 
@@ -1997,18 +2000,18 @@ "body" ] }, - "default": [ - "header", - "query", - "body" - ] + "required": false } }, { "password_param_type": { - "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "type": "array", - "required": false, + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "default": [ + "header", + "query", + "body" + ], "elements": { "type": "string", "one_of": [ @@ -2017,18 +2020,18 @@ "body" ] }, - "default": [ - "header", - "query", - "body" - ] + "required": false } }, { "id_token_param_type": { - "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "type": "array", - "required": false, + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "default": [ + "header", + "query", + "body" + ], "elements": { "type": "string", "one_of": [ @@ -2037,11 +2040,7 @@ "body" ] }, - "default": [ - "header", - "query", - "body" - ] + "required": false } }, { @@ -2053,9 +2052,13 @@ }, { "refresh_token_param_type": { - "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "type": "array", - "required": false, + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "default": [ + "header", + "query", + "body" + ], "elements": { "type": "string", "one_of": [ 
@@ -2064,11 +2067,7 @@ "body" ] }, - "default": [ - "header", - "query", - "body" - ] + "required": false } }, { @@ -2080,36 +2079,36 @@ }, { "refresh_tokens": { - "default": true, "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "default": true, "type": "boolean", "required": false } }, { "upstream_headers_claims": { + "description": "The upstream header claims. Only top level claims are supported.", + "type": "array", "elements": { "type": "string" }, - "description": "The upstream header claims. Only top level claims are supported.", - "type": "array", "required": false } }, { "upstream_headers_names": { + "description": "The upstream header names for the claim values.", + "type": "array", "elements": { "type": "string" }, - "description": "The upstream header names for the claim values.", - "type": "array", "required": false } }, { "upstream_access_token_header": { - "default": "authorization:bearer", "description": "The upstream access token header.", + "default": "authorization:bearer", "type": "string", "required": false } @@ -2179,21 +2178,21 @@ }, { "downstream_headers_claims": { + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", "elements": { "type": "string" }, - "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "type": "array", "required": false } }, { "downstream_headers_names": { + "description": "The downstream header names for the claim values.", + "type": "array", "elements": { "type": "string" }, - "description": "The downstream header names for the claim values.", - "type": "array", "required": false } }, 
@@ -2269,9 +2268,11 @@ }, { "login_methods": { - "description": "Enable login functionality with specified grants.", "type": "array", - "required": false, + "description": "Enable login functionality with specified grants.", + "default": [ + "authorization_code" + ], "elements": { "type": "string", "one_of": [ @@ -2286,29 +2287,29 @@ "session" ] }, - "default": [ - "authorization_code" - ] + "required": false } }, { "login_action": { - "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", "type": "string", - "required": false, - "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", "one_of": [ "upstream", "response", "redirect" - ] + ], + "default": "upstream", + "required": false } }, { "login_tokens": { - "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", "type": "array", - "required": false, + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "default": [ + "id_token" + ], "elements": { "type": "string", "one_of": [ 
@@ -2319,21 +2320,19 @@ "introspection" ] }, - "default": [ - "id_token" - ] + "required": false } }, { "login_redirect_mode": { - "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", "type": "string", - "required": false, - "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", "one_of": [ "query", "fragment" - ] + ], + "default": "fragment", + "required": false } }, { @@ -2359,9 +2358,12 @@ }, { "logout_methods": { - "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", "type": "array", - "required": false, + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "default": [ + "POST", + "DELETE" + ], "elements": { "type": "string", "one_of": [ 
@@ -2370,51 +2372,51 @@ "DELETE" ] }, - "default": [ - "POST", - "DELETE" - ] + "required": false } }, { "logout_revoke": { - "default": false, "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "default": false, "type": "boolean", "required": false } }, { "logout_revoke_access_token": { - "default": true, "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "default": true, "type": "boolean", "required": false } }, { "logout_revoke_refresh_token": { - "default": true, "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "default": true, "type": "boolean", "required": false } }, { "consumer_claim": { + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", "elements": { "type": "string" }, - "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "type": "array", "required": false } }, { "consumer_by": { - "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", "type": "array", - "required": false, + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "default": [ + "username", + "custom_id" + ], "elements": { "type": "string", "one_of": [ 
@@ -2423,31 +2425,28 @@ "custom_id" ] }, - "default": [ - "username", - "custom_id" - ] + "required": false } }, { "consumer_optional": { - "default": false, "description": "Do not terminate the request if consumer mapping fails.", + "default": false, "type": "boolean", "required": false } }, { "credential_claim": { - "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", - "required": false, + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "default": [ + "sub" + ], "elements": { "type": "string" }, - "default": [ - "sub" - ] + "required": false } }, { 
@@ -2459,57 +2458,59 @@ }, { "run_on_preflight": { - "default": true, "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "default": true, "type": "boolean", "required": false } }, { "leeway": { - "default": 0, "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "default": 0, "type": "number", "required": false } }, { "verify_parameters": { - "default": false, "description": "Verify plugin configuration against discovery.", + "default": false, "type": "boolean", "required": false } }, { "verify_nonce": { - "default": true, "description": "Verify nonce on authorization code flow.", + "default": true, "type": "boolean", "required": false } }, { "verify_claims": { - "default": true, "description": "Verify tokens for standard claims.", + "default": true, "type": "boolean", "required": false } }, { "verify_signature": { - "default": true, "description": "Verify signature of tokens.", + "default": true, "type": "boolean", "required": false } }, { "ignore_signature": { - "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", "type": "array", - "required": false, + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "default": [ + + ], "elements": { "type": "string", "one_of": [ 
@@ -2522,21 +2523,21 @@ "userinfo" ] }, - "default": [ - - ] + "required": false } }, { "enable_hs_signatures": { - "default": false, "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "default": false, "type": "boolean", "required": false } }, { "disable_session": { + "description": "Disable issuing the session cookie with the specified grants.", + "type": "array", "elements": { "type": "string", "one_of": [ @@ -2551,15 +2552,13 @@ "session" ] }, - "description": "Disable issuing the session cookie with the specified grants.", - "type": "array", "required": false } }, { "cache_ttl": { - "default": 3600, "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "default": 3600, "type": "number", "required": false } 
@@ -2594,65 +2593,65 @@ }, { "cache_tokens": { - "default": true, "description": "Cache the token endpoint requests.", + "default": true, "type": "boolean", "required": false } }, { "cache_tokens_salt": { - "type": "string", "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", - "auto": true, - "required": false + "type": "string", + "required": false, + "auto": true } }, { "cache_introspection": { - "default": true, "description": "Cache the introspection endpoint requests.", + "default": true, "type": "boolean", "required": false } }, { "cache_token_exchange": { - "default": true, "description": "Cache the token exchange endpoint requests.", + "default": true, "type": "boolean", "required": false } }, { "cache_user_info": { - "default": true, "description": "Cache the user info requests.", + "default": true, "type": "boolean", "required": false } }, { "search_user_info": { - "default": false, "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "default": false, "type": "boolean", "required": false } }, { "hide_credentials": { - "default": false, "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "default": false, "type": "boolean", "required": false } }, { "http_version": { - "default": 1.1, "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", "type": "number", + "default": 1.1, "required": false } }, @@ -2665,9 +2664,9 @@ }, { "http_proxy_authorization": { - "required": false, "description": "The HTTP proxy authorization.", "type": "string", + "required": false, "referenceable": true } }, 
@@ -2680,9 +2679,9 @@ }, { "https_proxy_authorization": { - "required": false, "description": "The HTTPS proxy authorization.", "type": "string", + "required": false, "referenceable": true } }, @@ -2695,48 +2694,48 @@ }, { "keepalive": { - "default": true, "description": "Use keepalive with the HTTP client.", + "default": true, "type": "boolean", "required": false } }, { "ssl_verify": { - "default": false, "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "default": false, "type": "boolean", "required": false } }, { "timeout": { - "default": 10000, "description": "Network IO timeout in milliseconds.", + "default": 10000, "type": "number", "required": false } }, { "display_errors": { - "default": false, "description": "Display errors on failure responses.", + "default": false, "type": "boolean", "required": false } }, { "by_username_ignore_case": { - "default": false, "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "default": false, "type": "boolean", "required": false } }, { "resolve_distributed_claims": { - "default": false, "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "default": false, "type": "boolean", "required": false } 
@@ -2744,67 +2743,67 @@ { "expose_error_code": { "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "token_cache_key_include_scope": { "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "introspection_token_param_name": { - "default": "token", "description": "Designate token's parameter name for introspection.", + "default": "token", "type": "string", "required": false } }, { "revocation_token_param_name": { - "default": "token", "description": "Designate token's parameter name for revocation.", + "default": "token", "type": "string", "required": false } }, { "proof_of_possession_mtls": { - "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", "type": "string", - "required": false, - "default": "off", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. 
If the verification fails, the request will be rejected with 401.", "one_of": [ "off", "strict", "optional" - ] + ], + "default": "off", + "required": false } }, { "proof_of_possession_auth_methods_validation": { - "default": true, "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "default": true, "type": "boolean", "required": false } }, { "tls_client_auth_cert_id": { - "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", "type": "string", + "auto": false, + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", "required": false, - "uuid": true, - "auto": false + "uuid": true } }, { "tls_client_auth_ssl_verify": { - "default": true, "description": "Verify identity provider server certificate during mTLS client authentication.", + "default": true, "type": "boolean", "required": false } 
@@ -2832,59 +2831,187 @@ }, { "proof_of_possession_dpop": { - "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", "type": "string", - "required": false, - "default": "off", + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", "one_of": [ "off", "strict", "optional" - ] + ], + "default": "off", + "required": false } }, { "dpop_use_nonce": { - "default": false, "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", + "default": false, "type": "boolean", "required": false } }, { "dpop_proof_lifetime": { - "default": 300, "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "default": 300, "type": "number", "required": false } }, { "claims_forbidden": { + "description": "If given, these claims are forbidden in the token payload.", + "type": "array", "elements": { "type": "string" }, - "description": "If given, these claims are forbidden in the token payload.", - "type": "array", "required": false } }, { "cluster_cache_strategy": { - "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", "type": "string", - "required": false, - "default": "off", + "description": "The strategy to use for the cluster cache. 
If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", "one_of": [ "off", "redis" - ] + ], + "default": "off", + "required": false } }, { "cluster_cache_redis": { + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], "type": "record", - "required": true, + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } + }, + { + "cluster_addresses": { + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + 
"cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } + } + ], "fields": [ { "host": { @@ -2895,46 +3022,46 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { 
@@ -2976,13 +3103,13 @@ }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer", "between": [ 1, 2147483646 - ], - "type": "integer" + ] } }, { @@ -2997,8 +3124,8 @@ }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { 
@@ -3014,81 +3141,81 @@ }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "elements": { "type": "record", "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] }, - "len_min": 1 + "required": false } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "elements": { "type": "record", "fields": [ { "ip": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] }, - "len_min": 1 + "required": false } }, { "ssl": { - "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", "default": false, + "type": "boolean", "required": false } }, { "ssl_verify": { - "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "type": "boolean", "required": false } }, 
@@ -3101,149 +3228,20 @@ }, { "cluster_max_redirections": { - "type": "integer", "description": "Maximum retry attempts for redirection.", "default": 5, + "type": "integer", "required": false } }, { "connection_is_proxied": { - "type": "boolean", "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "default": false, + "type": "boolean", "required": false } } - ], - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "shorthand_fields": [ - { - "timeout": { - "type": "integer", - "deprecation": { - "removal_in_version": "4.0", - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ] - } - } - }, - { - "sentinel_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", - "deprecation": { - "removal_in_version": "4.0", - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "replaced_with": [ - { - "path": 
[ - "sentinel_nodes" - ] - } - ] - } - } - }, - { - "cluster_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", - "deprecation": { - "removal_in_version": "4.0", - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ] - } - } - } ] } } @@ -3252,20 +3250,20 @@ } ] }, - "description": "List of openid_connect strategies.", - "type": "array", "required": false } } - ] + ], + "description": "The map of v2 strategies.", + "default": [ + + ], + "required": false } } ], "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/ldap-auth-advanced/3.10.x.json b/schemas/ldap-auth-advanced/3.10.x.json index c5451b2f..b7da08d9 100644 --- a/schemas/ldap-auth-advanced/3.10.x.json +++ b/schemas/ldap-auth-advanced/3.10.x.json @@ -1,8 +1,16 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "type": "set", "elements": { "type": "string", "one_of": [ @@ -14,6 +22,7 @@ "wss" ] }, + "type": "set", "default": [ "grpc", "grpcs", @@ -27,18 +36,18 @@ }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { @@ -63,8 +72,8 @@ { "ldap_port": { "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", - "type": "number", - "default": 389 + "default": 389, + "type": "number" } }, { 
@@ -76,25 +85,25 @@ }, { "ldaps": { - "type": "boolean", "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", "default": false, + "type": "boolean", "required": true } }, { "start_tls": { - "type": "boolean", "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", "default": false, + "type": "boolean", "required": true } }, { "verify_ldap_host": { - "type": "boolean", "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", "default": false, + "type": "boolean", "required": true } }, 
@@ -114,61 +123,64 @@ }, { "cache_ttl": { - "type": "number", "description": "Cache expiry time in seconds.", "default": 60, + "type": "number", "required": true } }, { "hide_credentials": { "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "timeout": { "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", - "type": "number", - "default": 10000 + "default": 10000, + "type": "number" } }, { "keepalive": { "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", - "type": "number", - "default": 60000 + "default": 60000, + "type": "number" } }, { "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "default": "", - "len_min": 0, "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "len_min": 0 } }, { "header_type": { "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. 
Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", - "type": "string", - "default": "ldap" + "default": "ldap", + "type": "string" } }, { "consumer_optional": { - "type": "boolean", "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", "default": false, + "type": "boolean", "required": false } }, { "consumer_by": { - "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", "type": "array", - "required": false, + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", + "default": [ + "username", + "custom_id" + ], "elements": { "type": "string", "one_of": [ 
@@ -176,46 +188,43 @@ "custom_id" ] }, - "default": [ - "username", - "custom_id" - ] + "required": false } }, { "group_base_dn": { - "type": "string", - "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'." + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", + "type": "string" } }, { "group_name_attribute": { - "type": "string", - "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive." + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", + "type": "string" } }, { "group_member_attribute": { "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive.", - "type": "string", - "default": "memberOf" + "default": "memberOf", + "type": "string" } }, { "log_search_results": { - "type": "boolean", "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", "default": false, + "type": "boolean", "required": false } }, { "groups_required": { + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. 
- When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", + "type": "array", "elements": { "type": "string" }, - "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", - "type": "array", "required": false } }, @@ -230,14 +239,5 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/ldap-auth/3.10.x.json b/schemas/ldap-auth/3.10.x.json index 6701bc3e..ae60021d 100644 --- a/schemas/ldap-auth/3.10.x.json +++ b/schemas/ldap-auth/3.10.x.json @@ -1,16 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { - "type": "set", "elements": { "type": "string", "one_of": [ @@ -22,6 +24,7 @@ "wss" ] }, + "type": "set", "default": [ "grpc", "grpcs", @@ -35,10 +38,10 @@ }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -46,6 +49,7 @@ "entity_checks": [ { "conditional": { + "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", "if_match": { "eq": true }, 
@@ -53,8 +57,7 @@ "if_field": "ldaps", "then_match": { "eq": false - }, - "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously" + } } } ], @@ -69,37 +72,37 @@ }, { "ldap_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", - "required": true, - "default": 389, "between": [ 0, 65535 - ] + ], + "default": 389, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true } }, { "ldaps": { - "type": "boolean", "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", "default": false, + "type": "boolean", "required": true } }, { "start_tls": { - "type": "boolean", "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", "default": false, + "type": "boolean", "required": true } }, { "verify_ldap_host": { - "type": "boolean", "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", "default": false, + "type": "boolean", "required": true } }, 
@@ -119,45 +122,45 @@ }, { "cache_ttl": { - "type": "number", "description": "Cache expiry time in seconds.", "default": 60, + "type": "number", "required": true } }, { "hide_credentials": { - "type": "boolean", "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", "default": false, + "type": "boolean", "required": true } }, { "timeout": { "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", - "type": "number", - "default": 10000 + "default": 10000, + "type": "number" } }, { "keepalive": { "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", - "type": "number", - "default": 60000 + "default": 60000, + "type": "number" } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`.", + "type": "string" } }, { "header_type": { "description": "An optional string to use as part of the Authorization header", - "type": "string", - "default": "ldap" + "default": "ldap", + "type": "string" } }, { @@ -171,8 +174,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/loggly/3.10.x.json b/schemas/loggly/3.10.x.json index 506858c7..a8ec52da 100644 --- a/schemas/loggly/3.10.x.json +++ b/schemas/loggly/3.10.x.json 
@@ -1,13 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", - "type": "set", - "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -19,22 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string" }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -50,38 +53,36 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 514 + "default": 514, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "key": { "referenceable": true, - "encrypted": true, "type": "string", + "encrypted": true, "required": true } }, { "tags": { + "default": [ + "kong" + ], "elements": { "type": "string" }, - "type": "set", - "default": [ - "kong" - ] + "type": "set" } }, { "log_level": { - "default": "info", - "type": "string", "one_of": [ "debug", "info", @@ -91,13 +92,13 @@ "crit", "alert", "emerg" - ] + ], + "default": "info", + "type": "string" } }, { "successful_severity": { - "default": "info", - "type": "string", "one_of": [ "debug", "info", @@ -107,13 +108,13 @@ "crit", "alert", "emerg" - ] + ], + "default": "info", + "type": "string" } }, { "client_errors_severity": { - "default": "info", - "type": "string", "one_of": [ "debug", "info", 
@@ -123,13 +124,13 @@ "crit", "alert", "emerg" - ] + ], + "default": "info", + "type": "string" } }, { "server_errors_severity": { - "default": "info", - "type": "string", "one_of": [ "debug", "info", @@ -139,23 +140,25 @@ "crit", "alert", "emerg" - ] + ], + "default": "info", + "type": "string" } }, { "timeout": { - "type": "number", - "default": 10000 + "default": 10000, + "type": "number" } }, { "custom_fields_by_lua": { - "values": { - "type": "string", - "len_min": 1 - }, "description": "Lua code as a key-value map", "type": "map", + "values": { + "len_min": 1, + "type": "string" + }, "keys": { "type": "string", "len_min": 1 @@ -166,8 +169,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/mocking/3.10.x.json b/schemas/mocking/3.10.x.json index b7c4f65f..786685d0 100644 --- a/schemas/mocking/3.10.x.json +++ b/schemas/mocking/3.10.x.json @@ -1,10 +1,15 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.api_specification_filename", + "config.api_specification" + ] + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,20 +19,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { 
@@ -51,29 +59,29 @@ { "random_delay": { "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "max_delay_time": { "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", - "type": "number", - "default": 1 + "default": 1, + "type": "number" } }, { "min_delay_time": { "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`.", - "type": "number", - "default": 0.001 + "default": 0.001, + "type": "number" } }, { "random_examples": { "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { 
@@ -87,45 +95,37 @@ }, { "random_status_code": { - "type": "boolean", "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", "default": false, + "type": "boolean", "required": true } }, { "include_base_path": { - "type": "boolean", "description": "Indicates whether to include the base path when performing path match evaluation.", "default": false, + "type": "boolean", "required": true } }, { "custom_base_path": { + "type": "string", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", - "type": "string", - "required": false, - "starts_with": "/" + "starts_with": "/", + "required": false } } ], "required": true } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.api_specification_filename", - "config.api_specification" - ] - } ] } \ No newline at end of file diff --git a/schemas/mtls-auth/3.10.x.json b/schemas/mtls-auth/3.10.x.json index 8d29debf..c413ea03 100644 --- a/schemas/mtls-auth/3.10.x.json +++ b/schemas/mtls-auth/3.10.x.json @@ -1,18 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ 
@@ -22,20 +22,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -58,15 +61,18 @@ "fields": [ { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "consumer_by": { - "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", "type": "array", - "required": false, + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "default": [ + "username", + "custom_id" + ], "elements": { "type": "string", "one_of": [ 
@@ -74,137 +80,131 @@ "custom_id" ] }, - "default": [ - "username", - "custom_id" - ] + "required": false } }, { "ca_certificates": { - "elements": { - "type": "string", - "uuid": true - }, "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", "type": "array", + "elements": { + "uuid": true, + "type": "string" + }, "required": true } }, { "cache_ttl": { - "default": 60, "description": "Cache expiry time in seconds.", "type": "number", + "default": 60, "required": true } }, { "skip_consumer_lookup": { - "default": false, "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", "type": "boolean", + "default": false, "required": true } }, { "allow_partial_chain": { - "default": false, "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", "type": "boolean", + "default": false, "required": true } }, { "authenticated_group_by": { - "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "type": "string", - "required": false, - "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. 
To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "one_of": [ "CN", "DN" - ] + ], + "default": "CN", + "required": false } }, { "revocation_check_mode": { - "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "type": "string", - "required": false, - "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "one_of": [ "SKIP", "IGNORE_CA_ERROR", "STRICT" - ] + ], + "default": "IGNORE_CA_ERROR", + "required": false } }, { "http_timeout": { "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", - "default": 30000, - "type": "number" + "type": "number", + "default": 30000 } }, { "cert_cache_ttl": { "description": "The length of time in seconds between refreshes of the revocation check status cache.", - "default": 60000, - "type": "number" + "type": "number", + "default": 60000 } }, { "send_ca_dn": { "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "default_consumer": { - "type": "string", - "description": "The UUID or username of the consumer to use when a trusted client certificate is 
presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "http_proxy_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "https_proxy_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ], "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/oas-validation/3.10.x.json b/schemas/oas-validation/3.10.x.json index 4a089166..80b14ed5 100644 --- a/schemas/oas-validation/3.10.x.json +++ b/schemas/oas-validation/3.10.x.json @@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ 
@@ -14,20 +14,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { 
@@ -43,128 +46,125 @@ }, { "verbose_response": { - "type": "boolean", "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", + "type": "boolean", "default": false, "required": false } }, { "validate_request_body": { - "type": "boolean", "description": "If set to true, validates the request body content against the API specification.", + "type": "boolean", "default": true, "required": false } }, { "notify_only_request_validation_failure": { - "type": "boolean", "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", + "type": "boolean", "default": false, "required": false } }, { "validate_request_header_params": { - "type": "boolean", "description": "If set to true, validates HTTP header parameters against the API specification.", + "type": "boolean", "default": true, "required": false } }, { "validate_request_query_params": { - "type": "boolean", "description": "If set to true, validates query parameters against the API specification.", + "type": "boolean", "default": true, "required": false } }, { "validate_request_uri_params": { - "type": "boolean", "description": "If set to true, validates URI parameters in the request against the API specification.", + "type": "boolean", "default": true, "required": false } }, { "validate_response_body": { - "type": "boolean", "description": "If set to true, validates the response from the upstream services against the API specification. 
If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", + "type": "boolean", "default": false, "required": false } }, { "notify_only_response_body_validation_failure": { - "type": "boolean", "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", + "type": "boolean", "default": false, "required": false } }, { "query_parameter_check": { - "type": "boolean", "description": "If set to true, checks if query parameters in the request exist in the API specification.", + "type": "boolean", "default": false, "required": true } }, { "header_parameter_check": { - "type": "boolean", "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", + "type": "boolean", "default": false, "required": true } }, { "allowed_header_parameters": { - "type": "string", "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. 
For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", + "type": "string", "default": "Host,Content-Type,User-Agent,Accept,Content-Length", "required": false } }, { "include_base_path": { - "type": "boolean", "description": "Indicates whether to include the base path when performing path match evaluation.", + "type": "boolean", "default": false, "required": true } }, { "api_spec_encoded": { - "type": "boolean", "description": "Indicates whether the api_spec is URI-Encoded.", + "type": "boolean", "default": true, "required": true } }, { "custom_base_path": { + "type": "string", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", - "type": "string", - "required": false, - "starts_with": "/" + "starts_with": "/", + "required": false } } ], "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/oauth2-introspection/3.10.x.json b/schemas/oauth2-introspection/3.10.x.json index f947e1af..3b4172e8 100644 --- a/schemas/oauth2-introspection/3.10.x.json +++ b/schemas/oauth2-introspection/3.10.x.json @@ -1,18 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ 
@@ -22,20 +22,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -58,17 +61,17 @@ }, { "token_type_hint": { - "type": "string", - "description": "The `token_type_hint` value to associate to introspection requests." + "description": "The `token_type_hint` value to associate to introspection requests.", + "type": "string" } }, { "authorization_value": { - "encrypted": true, "type": "string", - "required": true, + "referenceable": true, "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", - "referenceable": true + "encrypted": true, + "required": true } }, { @@ -87,8 +90,8 @@ }, { "introspect_request": { - "type": "boolean", "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", + "type": "boolean", "default": false, "required": true } 
@@ -109,59 +112,56 @@ }, { "anonymous": { - "len_min": 0, "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string", "default": "", - "type": "string" + "len_min": 0 } }, { "consumer_by": { - "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", "type": "string", - "required": true, - "default": "username", + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", "one_of": [ "username", "client_id" - ] + ], + "default": "username", + "required": true } }, { "custom_introspection_headers": { - "description": "A list of custom headers to be added in the introspection request.", "type": "map", - "required": true, + "keys": { + "type": "string" + }, + "description": "A list of custom headers to be added in the introspection request.", "values": { "type": "string" }, "default": [ ], - "keys": { - "type": "string" - } + "required": true } }, { "custom_claims_forward": { - "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", "type": "set", - "required": true, + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. 
Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", + "default": [ + + ], "elements": { "type": "string" }, - "default": [ - - ] + "required": true } } ], "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/oauth2/3.10.x.json b/schemas/oauth2/3.10.x.json index ef4fda1a..b274e9d6 100644 --- a/schemas/oauth2/3.10.x.json +++ b/schemas/oauth2/3.10.x.json @@ -1,16 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { - "type": "set", "elements": { "type": "string", "one_of": [ @@ -22,6 +24,7 @@ "wss" ] }, + "type": "set", "default": [ "grpc", "grpcs", @@ -35,14 +38,28 @@ }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { "config": { + "entity_checks": [ + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "scopes", + "if_field": "mandatory_scope", + "then_match": { + "required": true + } + } + } + ], "type": "record", "required": true, "fields": [ 
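Review bot: In schemas/oauth2/3.10.x.json, hunk `@@ -35,14 +38,28 @@`, the new `config.entity_checks` conditional ties `scopes` to `mandatory_scope` only through `"then_match": { "required": true }`, so these lines do not show that an empty `scopes` list is rejected. If an empty list passes, `mandatory_scope=true` could be saved with no scope to enforce; a minimum length on `scopes` (`"len_min": 1`, as used on other array fields in this patch) would close that, assuming the schema engine applies it here. The check also lacks a `then_err`, unlike the ldap-auth conditional earlier in this patch, so a rejected config likely gets a generic message; something like `"then_err": "'scopes' is required when 'mandatory_scope' is enabled"` would help operators. The `config` record continues past this hunk and the `scopes` field itself is not visible, and since the file looks like an export of the plugin schema, the change probably belongs in the schema source.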
@@ -57,116 +74,116 @@ }, { "mandatory_scope": { - "type": "boolean", "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", "default": false, + "type": "boolean", "required": true } }, { "provision_key": { - "unique": true, - "description": "The unique key the plugin has generated when it has been added to the Service.", "type": "string", - "required": true, "auto": true, - "encrypted": true + "description": "The unique key the plugin has generated when it has been added to the Service.", + "unique": true, + "encrypted": true, + "required": true } }, { "token_expiration": { - "type": "number", "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration.", "default": 7200, + "type": "number", "required": true } }, { "enable_authorization_code": { - "type": "boolean", "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", "default": false, + "type": "boolean", "required": true } }, { "enable_implicit_grant": { - "type": "boolean", "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", "default": false, + "type": "boolean", "required": true } }, { "enable_client_credentials": { - "type": "boolean", "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", "default": false, + "type": "boolean", "required": true } }, { "enable_password_grant": { - "type": "boolean", "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", "default": false, + "type": "boolean", "required": true } }, { "hide_credentials": { - "type": "boolean", "description": "An optional boolean 
value telling the plugin to show or hide the credential from the upstream service.", "default": false, + "type": "boolean", "required": true } }, { "accept_http_if_already_terminated": { - "type": "boolean", "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", "default": false, + "type": "boolean", "required": true } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" } }, { "global_credentials": { - "type": "boolean", "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", "default": false, + "type": "boolean", "required": true } }, { "auth_header_name": { "description": "The name of the header that is supposed to carry the access token.", - "type": "string", - "default": "authorization" + "default": "authorization", + "type": "string" } }, { "refresh_token_ttl": { - "description": "Time-to-live value for data", "type": "number", - "required": true, - "default": 1209600, "between": [ 0, 100000000 - ] + ], + "default": 1209600, + "description": "Time-to-live value for data", + "required": true } }, { "reuse_refresh_token": { - "type": "boolean", "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", "default": false, + "type": "boolean", "required": true } }, 
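Review bot: The four grant-flow descriptions in this hunk (`enable_authorization_code`, `enable_implicit_grant`, `enable_client_credentials`, `enable_password_grant`) cite RFC 6742, but the OAuth 2.0 Authorization Framework whose Sections 4.1 to 4.4 define these grants is RFC 6749. The lines are unchanged context, yet they ship in the new schema and send anyone checking a flow's security considerations to an unrelated document. Each should read like `(RFC 6749 Section 4.1)`. As the files are pulled from the API, the correction presumably belongs in the plugin's schema source.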
@@ -179,15 +196,15 @@ }, { "pkce": { - "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", "type": "string", - "required": false, - "default": "lax", + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", "one_of": [ "none", "lax", "strict" - ] + ], + "default": "lax", + "required": false } }, { @@ -197,25 +214,8 @@ "required": false } } - ], - "entity_checks": [ - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "scopes", - "if_field": "mandatory_scope", - "then_match": { - "required": true - } - } - } ] } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/opa/3.10.x.json b/schemas/opa/3.10.x.json index 98fff2ed..f1c525f2 100644 --- a/schemas/opa/3.10.x.json +++ b/schemas/opa/3.10.x.json @@ -1,18 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -22,20 +22,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -44,8 +47,8 @@ "fields": [ { "opa_protocol": { - "default": "http", "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", + "default": "http", "type": "string", "one_of": [ "http", 
@@ -55,36 +58,36 @@ }, { "opa_host": { - "default": "localhost", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "localhost", "required": true } }, { "opa_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", - "required": true, - "default": 8181, "between": [ 0, 65535 - ] + ], + "default": 8181, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true } }, { "opa_path": { + "type": "string", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], + "starts_with": "/", "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "type": "string", - "required": true, - "starts_with": "/" + "required": true } }, { @@ -130,8 +133,8 @@ }, { "ssl_verify": { - "default": true, "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "default": true, "type": "boolean", "required": true } @@ -140,8 +143,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/openid-connect/3.10.x.json b/schemas/openid-connect/3.10.x.json index 30edf9a8..f278e384 100644 --- a/schemas/openid-connect/3.10.x.json +++ b/schemas/openid-connect/3.10.x.json @@ -1,4 +1,13 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "supported_partials": { "redis-ee": [ "config.redis" 
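Review bot: The `ssl_verify` description in the `@@ -130,8 +133,8 @@` hunk promises certificate verification and the field defaults to `true`, but `opa_protocol` in the same `config` record (previous hunk) defaults to `http`. As far as the schema shows, the default configuration therefore has no TLS session for the verification to apply to, and the text reads as a stronger guarantee than the defaults give. I would append `Only takes effect when opa_protocol is https.` to the `ssl_verify` description, and state in the `opa_protocol` description that `http` sends policy queries to OPA unencrypted.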
@@ -7,17 +16,14 @@ "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ 
@@ -27,165 +33,168 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { "config": { + "required": true, + "type": "record", "shorthand_fields": [ { "authorization_cookie_lifetime": { - "type": "number", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.authorization_cookie_lifetime is deprecated, please use config.authorization_rolling_timeout instead" - } + }, + "type": "number" } }, { "authorization_cookie_samesite": { - "type": "string", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.authorization_cookie_samesite is deprecated, please use config.authorization_cookie_same_site instead" - } + }, + "type": "string" } }, { "authorization_cookie_httponly": { - "type": "boolean", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.authorization_cookie_httponly is deprecated, please use config.authorization_cookie_http_only instead" - } + }, + "type": "boolean" } }, { "session_cookie_lifetime": { - "type": "number", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead" - } + }, + "type": "number" } }, { "session_cookie_idletime": { - "type": "number", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead" - } + }, + "type": "number" } }, { "session_cookie_samesite": { - "type": "string", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_cookie_samesite is 
deprecated, please use config.session_cookie_same_site instead" - } + }, + "type": "string" } }, { "session_cookie_httponly": { - "type": "boolean", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead" - } + }, + "type": "boolean" } }, { "session_memcache_prefix": { - "type": "string", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead" - } + }, + "type": "string" } }, { "session_memcache_socket": { - "type": "string", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead" - } + }, + "type": "string" } }, { "session_memcache_host": { - "type": "string", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead" - } + }, + "type": "string" } }, { "session_memcache_port": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead" - } + }, + "type": "integer" } }, { "session_cookie_renew": { - "type": "number", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_cookie_renew option does not exist anymore" - } + }, + "type": "number" } }, { "session_cookie_maxsize": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore" - } + }, + "type": "integer" } }, { "session_strategy": { - "type": "string", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_strategy option does not exist anymore" - } + }, + "type": 
"string" } }, { "session_compressor": { - "type": "string", "deprecation": { "removal_in_version": "4.0", "message": "openid-connect: config.session_compressor option does not exist anymore" - } + }, + "type": "string" } }, { "session_redis_prefix": { - "type": "string", "deprecation": { - "removal_in_version": "4.0", "message": "openid-connect: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", "replaced_with": [ { @@ -194,15 +203,15 @@ "prefix" ] } - ] - } + ], + "removal_in_version": "4.0" + }, + "type": "string" } }, { "session_redis_socket": { - "type": "string", "deprecation": { - "removal_in_version": "4.0", "message": "openid-connect: config.session_redis_socket is deprecated, please use config.redis.socket instead", "replaced_with": [ { @@ -211,15 +220,15 @@ "socket" ] } - ] - } + ], + "removal_in_version": "4.0" + }, + "type": "string" } }, { "session_redis_host": { - "type": "string", "deprecation": { - "removal_in_version": "4.0", "message": "openid-connect: config.session_redis_host is deprecated, please use config.redis.host instead", "replaced_with": [ { @@ -228,15 +237,15 @@ "host" ] } - ] - } + ], + "removal_in_version": "4.0" + }, + "type": "string" } }, { "session_redis_port": { - "type": "integer", "deprecation": { - "removal_in_version": "4.0", "message": "openid-connect: config.session_redis_port is deprecated, please use config.redis.port instead", "replaced_with": [ { @@ -245,15 +254,15 @@ "port" ] } - ] - } + ], + "removal_in_version": "4.0" + }, + "type": "integer" } }, { "session_redis_username": { - "type": "string", "deprecation": { - "removal_in_version": "4.0", "message": "openid-connect: config.redis_host is deprecated, please use config.redis.host instead", "replaced_with": [ { 
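Review bot: The deprecation message for `session_redis_username`, at the end of the hunk starting `@@ -245,15 +254,15 @@`, names the wrong option: it says `config.redis_host is deprecated, please use config.redis.host instead`, while the `replaced_with` path in the following hunk ends in `username`. An operator acting on the warning would be sent to the host setting rather than the Redis credential field. Following the sibling entries it should read `"message": "openid-connect: config.session_redis_username is deprecated, please use config.redis.username instead"`. The entry is split across two hunks and the text is unchanged context, so the correction presumably belongs in the plugin's schema source.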
@@ -262,15 +271,15 @@ "username" ] } - ] - } + ], + "removal_in_version": "4.0" + }, + "type": "string" } }, { "session_redis_password": { - "type": "string", "deprecation": { - "removal_in_version": "4.0", "message": "openid-connect: config.session_redis_password is deprecated, please use config.redis.password instead", "replaced_with": [ { @@ -279,15 +288,15 @@ "password" ] } - ] - } + ], + "removal_in_version": "4.0" + }, + "type": "string" } }, { "session_redis_connect_timeout": { - "type": "integer", "deprecation": { - "removal_in_version": "4.0", "message": "openid-connect: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", "replaced_with": [ { @@ -296,15 +305,15 @@ "connect_timeout" ] } - ] - } + ], + "removal_in_version": "4.0" + }, + "type": "integer" } }, { "session_redis_read_timeout": { - "type": "integer", "deprecation": { - "removal_in_version": "4.0", "message": "openid-connect: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", "replaced_with": [ { @@ -313,15 +322,15 @@ "read_timeout" ] } - ] - } + ], + "removal_in_version": "4.0" + }, + "type": "integer" } }, { "session_redis_send_timeout": { - "type": "integer", "deprecation": { - "removal_in_version": "4.0", "message": "openid-connect: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", "replaced_with": [ { @@ -330,15 +339,15 @@ "send_timeout" ] } - ] - } + ], + "removal_in_version": "4.0" + }, + "type": "integer" } }, { "session_redis_ssl": { - "type": "boolean", "deprecation": { - "removal_in_version": "4.0", "message": "openid-connect: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", "replaced_with": [ { 
@@ -347,15 +356,15 @@ "ssl" ] } - ] - } + ], + "removal_in_version": "4.0" + }, + "type": "boolean" } }, { "session_redis_ssl_verify": { - "type": "boolean", "deprecation": { - "removal_in_version": "4.0", "message": "openid-connect: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", "replaced_with": [ { @@ -364,15 +373,15 @@ "ssl_verify" ] } - ] - } + ], + "removal_in_version": "4.0" + }, + "type": "boolean" } }, { "session_redis_server_name": { - "type": "string", "deprecation": { - "removal_in_version": "4.0", "message": "openid-connect: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", "replaced_with": [ { @@ -381,8 +390,10 @@ "server_name" ] } - ] - } + ], + "removal_in_version": "4.0" + }, + "type": "string" } }, { @@ -392,28 +403,27 @@ "fields": [ { "ip": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] }, "type": "array", "deprecation": { - "removal_in_version": "4.0", "message": "openid-connect: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", "replaced_with": [ { @@ -422,15 +432,14 @@ "cluster_nodes" ] } - ] + ], + "removal_in_version": "4.0" } } }, { "session_redis_cluster_max_redirections": { - "type": "integer", "deprecation": { - "removal_in_version": "4.0", "message": "openid-connect: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", "replaced_with": [ { 
@@ -439,12 +448,13 @@ "cluster_max_redirections" ] } - ] - } + ], + "removal_in_version": "4.0" + }, + "type": "integer" } } ], - "type": "record", "fields": [ { "issuer": { 
@@ -455,56 +465,66 @@ }, { "using_pseudo_issuer": { - "default": false, "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "default": false, "type": "boolean", "required": false } }, { "discovery_headers_names": { + "description": "Extra header names passed to the discovery endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra header names passed to the discovery endpoint.", - "type": "array", "required": false } }, { "discovery_headers_values": { + "description": "Extra header values passed to the discovery endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra header values passed to the discovery endpoint.", - "type": "array", "required": false } }, { "extra_jwks_uris": { - "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "type": "set", + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, "required": false } }, { "rediscovery_lifetime": { - "default": 30, "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", + "default": 30, "type": "number", "required": false } }, { "auth_methods": { - "description": "Types of credentials/grants to enable.", "type": "array", - "required": false, + "description": "Types of credentials/grants to enable.", + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ], "elements": { "type": "string", "one_of": [ 
@@ -519,45 +539,37 @@ "session" ] }, - "default": [ - "password", - "client_credentials", - "authorization_code", - "bearer", - "introspection", - "userinfo", - "kong_oauth2", - "refresh_token", - "session" - ] + "required": false } }, { "client_id": { - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", "type": "array", - "required": false, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "encrypted": true, "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "encrypted": true + "required": false } }, { "client_secret": { - "description": "The client secret.", "type": "array", - "required": false, + "description": "The client secret.", + "encrypted": true, "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "encrypted": true + "required": false } }, { "client_auth": { + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "type": "array", "elements": { "type": "string", "one_of": [ 
@@ -570,39 +582,40 @@ "none" ] }, - "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", - "type": "array", "required": false } }, { "client_jwk": { + "description": "The JWK used for the private_key_jwt authentication.", + "type": "array", "elements": { "type": "record", + "required": false, "fields": [ { "issuer": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "kty": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "use": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "key_ops": { "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "type": "array", "required": false @@ -610,27 +623,27 @@ }, { "alg": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "kid": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5u": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5c": { "elements": { - "type": "string", - "required": false + "required": false, + "type": "string" }, "type": "array", "required": false 
@@ -638,136 +651,135 @@ }, { "x5t": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "x5t#S256": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "k": { - "required": false, - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "required": false } }, { "x": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "y": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "crv": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "n": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "e": { - "type": "string", - "required": false + "required": false, + "type": "string" } }, { "d": { - "required": false, - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "required": false } }, { "p": { - "required": false, - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "required": false } }, { "q": { - "required": false, - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "required": false } }, { "dp": { - "required": false, - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "required": false } }, { "dq": { - "required": false, - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "required": false } }, { "qi": { - "required": false, - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "required": false } }, { "oth": { - "required": false, - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + 
"required": false } }, { "r": { - "required": false, - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "required": false } }, { "t": { - "required": false, - "encrypted": true, + "referenceable": true, "type": "string", - "referenceable": true + "encrypted": true, + "required": false } } - ], - "required": false + ] }, - "description": "The JWK used for the private_key_jwt authentication.", - "type": "array", "required": false } }, { "client_alg": { + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "type": "array", "elements": { "type": "string", "one_of": [ 
@@ -786,125 +798,121 @@ "EdDSA" ] }, - "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", - "type": "array", "required": false } }, { "client_arg": { - "default": "client_id", "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "default": "client_id", "type": "string", "required": false } }, { "redirect_uri": { - "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, "description": "The redirect URI passed to the authorization and token endpoints.", "type": "array", + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, "required": false } }, { "login_redirect_uri": { + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "type": "array", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", "referenceable": true }, - "description": "Where to redirect the client when `login_action` is set to `redirect`.", - "type": "array", "required": false } }, { "logout_redirect_uri": { + "description": "Where to redirect the client after the logout.", + "type": "array", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", "referenceable": true }, - "description": "Where to redirect the client after the logout.", - "type": "array", "required": false } }, { "forbidden_redirect_uri": { - "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
- }, "description": "Where to redirect the client on forbidden requests.", "type": "array", + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, "required": false } }, { "forbidden_error_message": { - "default": "Forbidden", "description": "The error message for the forbidden requests (when not using the redirection).", + "default": "Forbidden", "type": "string", "required": false } }, { "forbidden_destroy_session": { - "default": true, "description": "Destroy any active session for the forbidden requests.", + "default": true, "type": "boolean", "required": false } }, { "unauthorized_destroy_session": { - "default": true, "description": "Destroy any active session for the unauthorized requests.", + "default": true, "type": "boolean", "required": false } }, { "unauthorized_redirect_uri": { - "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, "description": "Where to redirect the client on unauthorized requests.", "type": "array", + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, "required": false } }, { "unauthorized_error_message": { - "default": "Unauthorized", "description": "The error message for the unauthorized requests (when not using the redirection).", + "default": "Unauthorized", "type": "string", "required": false } }, { "unexpected_redirect_uri": { - "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
- }, "description": "Where to redirect the client when unexpected errors happen with the requests.", "type": "array", + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, "required": false } }, { "response_mode": { - "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", "type": "string", - "required": false, - "default": "query", + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", "one_of": [ "query", "form_post", 
@@ -913,155 +921,157 @@ "form_post.jwt", "fragment.jwt", "jwt" - ] + ], + "default": "query", + "required": false } }, { "response_type": { - "description": "The response type passed to the authorization endpoint.", "type": "array", - "required": false, + "description": "The response type passed to the authorization endpoint.", + "default": [ + "code" + ], "elements": { "type": "string" }, - "default": [ - "code" - ] + "required": false } }, { "scopes": { - "description": "The scopes passed to the authorization and token endpoints.", "type": "array", - "required": false, - "elements": { - "type": "string", - "referenceable": true - }, + "description": "The scopes passed to the authorization and token endpoints.", "default": [ "openid" - ] + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "required": false } }, { "audience": { + "description": "The audience passed to the authorization endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "The audience passed to the authorization endpoint.", - "type": "array", "required": false } }, { "issuers_allowed": { + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "type": "array", "elements": { "type": "string" }, - "description": "The issuers allowed to be present in the tokens (`iss` claim).", - "type": "array", "required": false } }, { "scopes_required": { + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array", "elements": { "type": "string" }, - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.", - "type": "array", "required": false } }, { "scopes_claim": { - "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", - "required": false, + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "default": [ + "scope" + ], "elements": { "type": "string" }, - "default": [ - "scope" - ] + "required": false } }, { "audience_required": { + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array", "elements": { "type": "string" }, - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "type": "array", "required": false } }, { "audience_claim": { - "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", - "required": false, + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "default": [ + "aud" + ], "elements": { "type": "string" }, - "default": [ - "aud" - ] + "required": false } }, { "groups_required": { + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.", + "type": "array", "elements": { "type": "string" }, - "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "type": "array", "required": false } }, { "groups_claim": { - "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", - "required": false, + "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "default": [ + "groups" + ], "elements": { "type": "string" }, - "default": [ - "groups" - ] + "required": false } }, { "roles_required": { + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array", "elements": { "type": "string" }, - "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "type": "array", "required": false } }, { "roles_claim": { - "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", - "required": false, + "description": "The claim that contains the roles. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "default": [ + "roles" + ], "elements": { "type": "string" }, - "default": [ - "roles" - ] + "required": false } }, { "domains": { + "description": "The allowed values for the `hd` claim.", + "type": "array", "elements": { "type": "string" }, - "description": "The allowed values for the `hd` claim.", - "type": "array", "required": false } }, @@ -1074,11 +1084,11 @@ }, { "authenticated_groups_claim": { + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", "elements": { "type": "string" }, - "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "type": "array", "required": false } }, @@ -1091,7 +1101,6 @@ }, { "pushed_authorization_request_endpoint_auth_method": { - "required": false, "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "type": "string", "one_of": [ @@ -1102,7 +1111,8 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ] + ], + "required": false } }, { 
@@ -1135,63 +1145,63 @@ }, { "authorization_query_args_names": { + "description": "Extra query argument names passed to the authorization endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra query argument names passed to the authorization endpoint.", - "type": "array", "required": false } }, { "authorization_query_args_values": { + "description": "Extra query argument values passed to the authorization endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra query argument values passed to the authorization endpoint.", - "type": "array", "required": false } }, { "authorization_query_args_client": { + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra query arguments passed from the client to the authorization endpoint.", - "type": "array", "required": false } }, { "authorization_rolling_timeout": { - "default": 600, "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "default": 600, "type": "number", "required": false } }, { "authorization_cookie_name": { - "default": "authorization", "description": "The authorization cookie name.", + "default": "authorization", "type": "string", "required": false } }, { "authorization_cookie_path": { + "type": "string", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], - "description": "The authorization cookie Path flag.", - "type": "string", - "required": false, + "starts_with": "/", "default": "/", - "starts_with": "/" + "description": "The authorization cookie Path flag.", + "required": false } }, { 
@@ -1203,22 +1213,22 @@ }, { "authorization_cookie_same_site": { - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "type": "string", - "required": false, - "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "default": "Default", + "required": false } }, { "authorization_cookie_http_only": { - "default": true, "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true, "type": "boolean", "required": false } @@ -1232,8 +1242,8 @@ }, { "preserve_query_args": { - "default": false, "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "default": false, "type": "boolean", "required": false } @@ -1247,7 +1257,6 @@ }, { "token_endpoint_auth_method": { - "required": false, "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "type": "string", "one_of": [ 
@@ -1258,46 +1267,47 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ] + ], + "required": false } }, { "token_headers_names": { + "description": "Extra header names passed to the token endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra header names passed to the token endpoint.", - "type": "array", "required": false } }, { "token_headers_values": { + "description": "Extra header values passed to the token endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra header values passed to the token endpoint.", - "type": "array", "required": false } }, { "token_headers_client": { + "description": "Extra headers passed from the client to the token endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra headers passed from the client to the token endpoint.", - "type": "array", "required": false } }, { "token_headers_replay": { + "description": "The names of token endpoint response headers to forward to the downstream client.", + "type": "array", "elements": { "type": "string" }, - "description": "The names of token endpoint response headers to forward to the downstream client.", - "type": "array", "required": false } }, @@ -1310,6 +1320,8 @@ }, { "token_headers_grants": { + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "type": "array", "elements": { "type": "string", "one_of": [ 
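Review bot: `token_headers_values` is declared as a plain string array, while `introspection_headers_values` further down in this file carries `"encrypted": true` on the field and `"referenceable": true` on its elements. Extra header values sent to the token endpoint may hold credentials just as the introspection ones can, so the same two attributes would be expected here. `userinfo_headers_values` shows the same gap. Because this file is pulled from the API, the change belongs in the plugin schema upstream; if the difference is intentional, the description should say so.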
@@ -1319,38 +1331,36 @@ "refresh_token" ] }, - "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", - "type": "array", "required": false } }, { "token_post_args_names": { + "description": "Extra post argument names passed to the token endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra post argument names passed to the token endpoint.", - "type": "array", "required": false } }, { "token_post_args_values": { + "description": "Extra post argument values passed to the token endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra post argument values passed to the token endpoint.", - "type": "array", "required": false } }, { "token_post_args_client": { + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", - "type": "array", "required": false } }, 
@@ -1363,7 +1373,6 @@ }, { "introspection_endpoint_auth_method": { - "required": false, "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "type": "string", "one_of": [ 
@@ -1374,114 +1383,115 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ] + ], + "required": false } }, { "introspection_hint": { - "default": "access_token", "description": "Introspection hint parameter value passed to the introspection endpoint.", + "default": "access_token", "type": "string", "required": false } }, { "introspection_check_active": { - "default": true, "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "default": true, "type": "boolean", "required": false } }, { "introspection_accept": { - "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", "type": "string", - "required": false, - "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", "one_of": [ "application/json", "application/token-introspection+jwt", "application/jwt" - ] + ], + "default": "application/json", + "required": false } }, { "introspection_headers_names": { + "description": "Extra header names passed to the introspection endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra header names passed to the introspection endpoint.", - "type": "array", "required": false } }, { "introspection_headers_values": { - "description": "Extra header values passed to the introspection endpoint.", "type": "array", - "required": false, + "description": "Extra header values passed to the introspection endpoint.", + "encrypted": 
true, "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "encrypted": true + "required": false } }, { "introspection_headers_client": { + "description": "Extra headers passed from the client to the introspection endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra headers passed from the client to the introspection endpoint.", - "type": "array", "required": false } }, { "introspection_post_args_names": { + "description": "Extra post argument names passed to the introspection endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra post argument names passed to the introspection endpoint.", - "type": "array", "required": false } }, { "introspection_post_args_values": { + "description": "Extra post argument values passed to the introspection endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra post argument values passed to the introspection endpoint.", - "type": "array", "required": false } }, { "introspection_post_args_client": { + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra post arguments passed from the client to the introspection endpoint.", - "type": "array", "required": false } }, { "introspection_post_args_client_headers": { + "description": "Extra post arguments passed from the client headers to the introspection endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra post arguments passed from the client headers to the introspection endpoint.", - "type": "array", "required": false } }, { "introspect_jwt_tokens": { - "default": false, "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "default": false, "type": "boolean", "required": false } 
@@ -1495,7 +1505,6 @@ }, { "revocation_endpoint_auth_method": { - "required": false, "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "type": "string", "one_of": [ @@ -1506,7 +1515,8 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ] + ], + "required": false } }, { 
@@ -1525,73 +1535,73 @@ }, { "userinfo_accept": { - "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", "type": "string", - "required": false, - "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", "one_of": [ "application/json", "application/jwt" - ] + ], + "default": "application/json", + "required": false } }, { "userinfo_headers_names": { + "description": "Extra header names passed to the user info endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra header names passed to the user info endpoint.", - "type": "array", "required": false } }, { "userinfo_headers_values": { + "description": "Extra header values passed to the user info endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra header values passed to the user info endpoint.", - "type": "array", "required": false } }, { "userinfo_headers_client": { + "description": "Extra headers passed from the client to the user info endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra headers passed from the client to the user info endpoint.", - "type": "array", "required": false } }, { "userinfo_query_args_names": { + "description": "Extra query argument names passed to the user info endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra query argument names passed to the user info endpoint.", - "type": "array", "required": false } }, { "userinfo_query_args_values": { + "description": "Extra query argument values passed to the user info endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra query argument 
values passed to the user info endpoint.", - "type": "array", "required": false } }, { "userinfo_query_args_client": { + "description": "Extra query arguments passed from the client to the user info endpoint.", + "type": "array", "elements": { "type": "string" }, - "description": "Extra query arguments passed from the client to the user info endpoint.", - "type": "array", "required": false } }, 
@@ -1604,98 +1614,98 @@ }, { "session_secret": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "The session secret.", - "referenceable": true + "encrypted": true, + "required": false } }, { "session_audience": { - "default": "default", "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "default": "default", "type": "string", "required": false } }, { "session_cookie_name": { - "default": "session", "description": "The session cookie name.", + "default": "session", "type": "string", "required": false } }, { "session_remember": { - "default": false, "description": "Enables or disables persistent sessions.", + "default": false, "type": "boolean", "required": false } }, { "session_remember_cookie_name": { - "default": "remember", "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "default": "remember", "type": "string", "required": false } }, { "session_remember_rolling_timeout": { - "default": 604800, "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "default": 604800, "type": "number", "required": false } }, { "session_remember_absolute_timeout": { - "default": 2592000, "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "default": 2592000, "type": "number", "required": false } }, { "session_idling_timeout": { - "default": 900, "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "default": 900, "type": "number", "required": false } }, { "session_rolling_timeout": { - "default": 3600, "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling.", + "default": 3600, "type": "number", "required": false } }, { "session_absolute_timeout": { - "default": 86400, "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "default": 86400, "type": "number", "required": false } }, { "session_cookie_path": { + "type": "string", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], - "description": "The session cookie Path flag.", - "type": "string", - "required": false, + "starts_with": "/", "default": "/", - "starts_with": "/" + "description": "The session cookie Path flag.", + "required": false } }, { @@ -1707,22 +1717,22 @@ }, { "session_cookie_same_site": { - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "type": "string", - "required": false, - "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "default": "Lax", + "required": false } }, { "session_cookie_http_only": { - "default": true, "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true, "type": "boolean", "required": false } @@ -1736,6 +1746,7 @@ }, { "session_request_headers": { + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", "elements": { "type": "string", "one_of": [ 
@@ -1748,13 +1759,13 @@ "absolute-timeout" ] }, - "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", "type": "set", "required": false } }, { "session_response_headers": { + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", "elements": { "type": "string", "one_of": [ 
@@ -1767,53 +1778,52 @@ "absolute-timeout" ] }, - "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", "type": "set", "required": false } }, { "session_storage": { - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", "type": "string", - "required": false, - "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", "one_of": [ "cookie", "memcache", "memcached", "redis" - ] + ], + "default": "cookie", + "required": false } }, { "session_store_metadata": { - "default": false, "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "default": false, "type": "boolean", "required": false } }, { "session_enforce_same_subject": { - "default": false, "description": "When set to `true`, audiences are forced to share the same subject.", + "default": false, "type": "boolean", "required": false } }, { "session_hash_subject": { - "default": false, "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", + "default": false, "type": "boolean", "required": false } }, { "session_hash_storage_key": { - "default": false, "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "default": false, "type": "boolean", "required": false } @@ -1834,26 +1844,88 @@ }, { "session_memcached_host": { - "default": "127.0.0.1", "description": "The memcached host.", + "default": "127.0.0.1", "type": "string", "required": false } }, { "session_memcached_port": { - "description": "The memcached port.", "type": "integer", - "required": false, + "description": "The memcached port.", "default": 11211, "between": [ 0, 65535 - ] + ], + "required": false } }, { "redis": { + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", "fields": [ { "host": { 
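Review bot: The three `custom_entity_check` entries added under the `redis` record's `entity_checks` list only `field_sources` and `run_with_missing_fields`, so the rule each one enforces is not visible in the schema. A reader cannot tell which values of `database`, `cluster_nodes` or `sentinel_role` are rejected in combination with `connection_is_proxied`; presumably the validator function is lost when the schema is serialised. The constraint should be stated in the `connection_is_proxied` description so that the rendered reference documents it.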
@@ -1864,49 +1936,49 @@ }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "connect_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "read_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] - } - }, - { + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" + } + }, + { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", 
@@ -1945,13 +2017,13 @@ }, { "keepalive_pool_size": { - "type": "integer", "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "default": 256, "between": [ 1, 2147483646 - ] + ], + "type": "integer" } }, { @@ -1966,8 +2038,8 @@ }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { 
@@ -1983,80 +2055,80 @@ }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "elements": { - "type": "record", "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } } - ] + ], + "type": "record" }, - "len_min": 1 + "required": false } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "elements": { - "type": "record", "fields": [ { "ip": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } } - ] + ], + "type": "record" }, - "len_min": 1 + "required": false } }, { "ssl": { - "default": false, "description": "If set to true, uses SSL to connect to Redis.", + "default": false, "type": "boolean", "required": false } }, { "ssl_verify": { - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, "type": "boolean", "required": false } @@ -2070,16 +2142,16 @@ }, { "cluster_max_redirections": { - "default": 5, "description": "Maximum retry attempts for redirection.", + "default": 5, "type": "integer", "required": false } }, { "connection_is_proxied": { - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "default": false, "type": "boolean", "required": false } 
@@ -2099,73 +2171,9 @@ } } ], - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "required": true, "shorthand_fields": [ { "timeout": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", "replaced_with": [ @@ -2186,16 +2194,16 @@ } ], "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" - } + }, + "type": "integer" } }, { "sentinel_addresses": { + "type": "array", "elements": { "type": "string" }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", "replaced_with": [ @@ -2206,16 +2214,16 @@ } ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" - } + }, + "len_min": 1 } }, { "cluster_addresses": { + "type": "array", "elements": { "type": "string" }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", "replaced_with": [ 
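Review bot: In the `@@ -2099,73 +2171,9 @@` hunk, the whole `entity_checks` array (the `mutually_required` groups and the `connection_is_proxied` conditional) and `"type": "record"` are removed from this Redis record, and the visible lines that follow re-add only `"required": true`. They were presumably re-emitted earlier in the same object, as happens for `cluster_cache_redis` further down, but the hunk does not show that, so it should be confirmed against the full file. Nearly every other hunk in this file is a pure key reorder. In that noise, a dropped validation rule or a flipped default on a field such as `ssl_verify`, `verify_signature` or `ignore_signature` would be easy to miss. Serialising the downloaded schemas with sorted keys before committing (for example `jq -S .`) would limit future diffs to real content changes.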
@@ -2226,24 +2234,26 @@ } ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead" - } + }, + "len_min": 1 } } - ] + ], + "required": true } }, { "reverify": { - "default": false, "description": "Specifies whether to always verify tokens stored in the session.", + "default": false, "type": "boolean", "required": false } }, { "jwt_session_claim": { - "default": "sid", "description": "The claim to match against the JWT session cookie.", + "default": "sid", "type": "string", "required": false } @@ -2257,9 +2267,13 @@ }, { "bearer_token_param_type": { - "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", "type": "array", - "required": false, + "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "default": [ + "header", + "query", + "body" + ], "elements": { "type": "string", "one_of": [ @@ -2269,11 +2283,7 @@ "body" ] }, - "default": [ - "header", - "query", - "body" - ] + "required": false } }, { 
@@ -2285,9 +2295,13 @@ }, { "client_credentials_param_type": { - "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", "type": "array", - "required": false, + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "default": [ + "header", + "query", + "body" + ], "elements": { "type": "string", "one_of": [ @@ -2296,18 +2310,18 @@ "body" ] }, - "default": [ - "header", - "query", - "body" - ] + "required": false } }, { "password_param_type": { - "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "type": "array", - "required": false, + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "default": [ + "header", + "query", + "body" + ], "elements": { "type": "string", "one_of": [ @@ -2316,18 +2330,18 @@ "body" ] }, - "default": [ - "header", - "query", - "body" - ] + "required": false } }, { "id_token_param_type": { - "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "type": "array", - "required": false, + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "default": [ + "header", + "query", + "body" + ], "elements": { "type": "string", "one_of": [ @@ -2336,11 +2350,7 @@ "body" ] }, - "default": [ - "header", - "query", - "body" - ] + "required": false } }, { 
@@ -2352,9 +2362,13 @@ }, { "refresh_token_param_type": { - "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "type": "array", - "required": false, + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "default": [ + "header", + "query", + "body" + ], "elements": { "type": "string", "one_of": [ @@ -2363,11 +2377,7 @@ "body" ] }, - "default": [ - "header", - "query", - "body" - ] + "required": false } }, { @@ -2379,36 +2389,36 @@ }, { "refresh_tokens": { - "default": true, "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "default": true, "type": "boolean", "required": false } }, { "upstream_headers_claims": { + "description": "The upstream header claims. Only top level claims are supported.", + "type": "array", "elements": { "type": "string" }, - "description": "The upstream header claims. Only top level claims are supported.", - "type": "array", "required": false } }, { "upstream_headers_names": { + "description": "The upstream header names for the claim values.", + "type": "array", "elements": { "type": "string" }, - "description": "The upstream header names for the claim values.", - "type": "array", "required": false } }, { "upstream_access_token_header": { - "default": "authorization:bearer", "description": "The upstream access token header.", + "default": "authorization:bearer", "type": "string", "required": false } 
@@ -2478,21 +2488,21 @@ }, { "downstream_headers_claims": { + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", "elements": { "type": "string" }, - "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "type": "array", "required": false } }, { "downstream_headers_names": { + "description": "The downstream header names for the claim values.", + "type": "array", "elements": { "type": "string" }, - "description": "The downstream header names for the claim values.", - "type": "array", "required": false } }, @@ -2568,9 +2578,11 @@ }, { "login_methods": { - "description": "Enable login functionality with specified grants.", "type": "array", - "required": false, + "description": "Enable login functionality with specified grants.", + "default": [ + "authorization_code" + ], "elements": { "type": "string", "one_of": [ 
@@ -2585,29 +2597,29 @@ "session" ] }, - "default": [ - "authorization_code" - ] + "required": false } }, { "login_action": { - "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", "type": "string", - "required": false, - "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", "one_of": [ "upstream", "response", "redirect" - ] + ], + "default": "upstream", + "required": false } }, { "login_tokens": { - "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", "type": "array", - "required": false, + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "default": [ + "id_token" + ], "elements": { "type": "string", "one_of": [ 
@@ -2618,21 +2630,19 @@ "introspection" ] }, - "default": [ - "id_token" - ] + "required": false } }, { "login_redirect_mode": { - "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", "type": "string", - "required": false, - "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", "one_of": [ "query", "fragment" - ] + ], + "default": "fragment", + "required": false } }, { @@ -2658,9 +2668,12 @@ }, { "logout_methods": { - "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", "type": "array", - "required": false, + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "default": [ + "POST", + "DELETE" + ], "elements": { "type": "string", "one_of": [ 
@@ -2669,51 +2682,51 @@ "DELETE" ] }, - "default": [ - "POST", - "DELETE" - ] + "required": false } }, { "logout_revoke": { - "default": false, "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "default": false, "type": "boolean", "required": false } }, { "logout_revoke_access_token": { - "default": true, "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "default": true, "type": "boolean", "required": false } }, { "logout_revoke_refresh_token": { - "default": true, "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "default": true, "type": "boolean", "required": false } }, { "consumer_claim": { + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "type": "array", "elements": { "type": "string" }, - "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "type": "array", "required": false } }, { "consumer_by": { - "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", "type": "array", - "required": false, + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "default": [ + "username", + "custom_id" + ], "elements": { "type": "string", "one_of": [ 
@@ -2722,31 +2735,28 @@ "custom_id" ] }, - "default": [ - "username", - "custom_id" - ] + "required": false } }, { "consumer_optional": { - "default": false, "description": "Do not terminate the request if consumer mapping fails.", + "default": false, "type": "boolean", "required": false } }, { "credential_claim": { - "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", - "required": false, + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "default": [ + "sub" + ], "elements": { "type": "string" }, - "default": [ - "sub" - ] + "required": false } }, { 
@@ -2758,57 +2768,59 @@ }, { "run_on_preflight": { - "default": true, "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "default": true, "type": "boolean", "required": false } }, { "leeway": { - "default": 0, "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "default": 0, "type": "number", "required": false } }, { "verify_parameters": { - "default": false, "description": "Verify plugin configuration against discovery.", + "default": false, "type": "boolean", "required": false } }, { "verify_nonce": { - "default": true, "description": "Verify nonce on authorization code flow.", + "default": true, "type": "boolean", "required": false } }, { "verify_claims": { - "default": true, "description": "Verify tokens for standard claims.", + "default": true, "type": "boolean", "required": false } }, { "verify_signature": { - "default": true, "description": "Verify signature of tokens.", + "default": true, "type": "boolean", "required": false } }, { "ignore_signature": { - "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", "type": "array", - "required": false, + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "default": [ + + ], "elements": { "type": "string", "one_of": [ 
@@ -2821,21 +2833,21 @@ "userinfo" ] }, - "default": [ - - ] + "required": false } }, { "enable_hs_signatures": { - "default": false, "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "default": false, "type": "boolean", "required": false } }, { "disable_session": { + "description": "Disable issuing the session cookie with the specified grants.", + "type": "array", "elements": { "type": "string", "one_of": [ @@ -2850,15 +2862,13 @@ "session" ] }, - "description": "Disable issuing the session cookie with the specified grants.", - "type": "array", "required": false } }, { "cache_ttl": { - "default": 3600, "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "default": 3600, "type": "number", "required": false } 
@@ -2893,65 +2903,65 @@ }, { "cache_tokens": { - "default": true, "description": "Cache the token endpoint requests.", + "default": true, "type": "boolean", "required": false } }, { "cache_tokens_salt": { - "type": "string", "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", - "auto": true, - "required": false + "type": "string", + "required": false, + "auto": true } }, { "cache_introspection": { - "default": true, "description": "Cache the introspection endpoint requests.", + "default": true, "type": "boolean", "required": false } }, { "cache_token_exchange": { - "default": true, "description": "Cache the token exchange endpoint requests.", + "default": true, "type": "boolean", "required": false } }, { "cache_user_info": { - "default": true, "description": "Cache the user info requests.", + "default": true, "type": "boolean", "required": false } }, { "search_user_info": { - "default": false, "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "default": false, "type": "boolean", "required": false } }, { "hide_credentials": { - "default": false, "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "default": false, "type": "boolean", "required": false } }, { "http_version": { - "default": 1.1, "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", "type": "number", + "default": 1.1, "required": false } }, @@ -2964,9 +2974,9 @@ }, { "http_proxy_authorization": { - "required": false, "description": "The HTTP proxy authorization.", "type": "string", + "required": false, "referenceable": true } }, 
@@ -2979,9 +2989,9 @@ }, { "https_proxy_authorization": { - "required": false, "description": "The HTTPS proxy authorization.", "type": "string", + "required": false, "referenceable": true } }, @@ -2994,48 +3004,48 @@ }, { "keepalive": { - "default": true, "description": "Use keepalive with the HTTP client.", + "default": true, "type": "boolean", "required": false } }, { "ssl_verify": { - "default": false, "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "default": false, "type": "boolean", "required": false } }, { "timeout": { - "default": 10000, "description": "Network IO timeout in milliseconds.", + "default": 10000, "type": "number", "required": false } }, { "display_errors": { - "default": false, "description": "Display errors on failure responses.", + "default": false, "type": "boolean", "required": false } }, { "by_username_ignore_case": { - "default": false, "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "default": false, "type": "boolean", "required": false } }, { "resolve_distributed_claims": { - "default": false, "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "default": false, "type": "boolean", "required": false } 
@@ -3043,67 +3053,67 @@ { "expose_error_code": { "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "token_cache_key_include_scope": { "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "introspection_token_param_name": { - "default": "token", "description": "Designate token's parameter name for introspection.", + "default": "token", "type": "string", "required": false } }, { "revocation_token_param_name": { - "default": "token", "description": "Designate token's parameter name for revocation.", + "default": "token", "type": "string", "required": false } }, { "proof_of_possession_mtls": { - "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", "type": "string", - "required": false, - "default": "off", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. 
If the verification fails, the request will be rejected with 401.", "one_of": [ "off", "strict", "optional" - ] + ], + "default": "off", + "required": false } }, { "proof_of_possession_auth_methods_validation": { - "default": true, "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "default": true, "type": "boolean", "required": false } }, { "tls_client_auth_cert_id": { - "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", "type": "string", + "auto": false, + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", "required": false, - "uuid": true, - "auto": false + "uuid": true } }, { "tls_client_auth_ssl_verify": { - "default": true, "description": "Verify identity provider server certificate during mTLS client authentication.", + "default": true, "type": "boolean", "required": false } 
@@ -3131,59 +3141,119 @@ }, { "proof_of_possession_dpop": { - "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", "type": "string", - "required": false, - "default": "off", + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", "one_of": [ "off", "strict", "optional" - ] + ], + "default": "off", + "required": false } }, { "dpop_use_nonce": { - "default": false, "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", + "default": false, "type": "boolean", "required": false } }, { "dpop_proof_lifetime": { - "default": 300, "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "default": 300, "type": "number", "required": false } }, { "claims_forbidden": { + "description": "If given, these claims are forbidden in the token payload.", + "type": "array", "elements": { "type": "string" }, - "description": "If given, these claims are forbidden in the token payload.", - "type": "array", "required": false } }, { "cluster_cache_strategy": { - "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", "type": "string", - "required": false, - "default": "off", + "description": "The strategy to use for the cluster cache. 
If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", "one_of": [ "off", "redis" - ] + ], + "default": "off", + "required": false } }, { "cluster_cache_redis": { + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], "type": "record", - "required": true, "fields": [ { "host": { 
@@ -3194,46 +3264,46 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -3275,13 +3345,13 @@ }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer", "between": [ 1, 2147483646 - ], - "type": "integer" + ] } }, { 
@@ -3296,8 +3366,8 @@ }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { 
@@ -3313,81 +3383,81 @@ }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "elements": { "type": "record", "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] }, - "len_min": 1 + "required": false } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "elements": { "type": "record", "fields": [ { "ip": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] }, - "len_min": 1 + "required": false } }, { "ssl": { - "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", "default": false, + "type": "boolean", "required": false } }, { "ssl_verify": { - "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "type": "boolean", "required": false } }, 
@@ -3400,89 +3470,26 @@ }, { "cluster_max_redirections": { - "type": "integer", "description": "Maximum retry attempts for redirection.", "default": 5, + "type": "integer", "required": false } }, { "connection_is_proxied": { - "type": "boolean", "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "default": false, + "type": "boolean", "required": false } } ], - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], "shorthand_fields": [ { "timeout": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", "replaced_with": [ { "path": [ 
@@ -3499,63 +3506,56 @@ "read_timeout" ] } - ] - } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + }, + "type": "integer" } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] - } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] - } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 } } - ] + ], + "required": true } } - ], - "required": true - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" ] } } diff --git a/schemas/opentelemetry/3.10.x.json b/schemas/opentelemetry/3.10.x.json index 729055a4..ce77a55e 100644 --- a/schemas/opentelemetry/3.10.x.json +++ b/schemas/opentelemetry/3.10.x.json @@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ 
@@ -14,26 +14,36 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { "config": { + "entity_checks": [ + { + "at_least_one_of": [ + "traces_endpoint", + "logs_endpoint" + ] + } + ], "type": "record", - "required": true, "fields": [ { "traces_endpoint": { @@ -51,33 +61,34 @@ }, { "headers": { - "values": { - "type": "string", - "referenceable": true - }, "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", "type": "map", + "values": { + "referenceable": true, + "type": "string" + }, "keys": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } } }, { "resource_attributes": { + "type": "map", "values": { - "type": "string", - "required": true + "required": true, + "type": "string" }, - "type": "map", "keys": { - "type": "string", - "required": true + "required": true, + "type": "string" } } }, { "queue": { + "required": true, "type": "record", "default": { "max_batch_size": 200 
@@ -85,85 +96,84 @@ "fields": [ { "max_batch_size": { - "default": 1, - "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 ], - "type": "integer" + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 ], - "type": "number" + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 ], - "type": "integer" + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue." } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "type": "number", - "default": 60 + "default": 60, + "type": "number" } }, { "initial_retry_delay": { - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 ], - "type": "number" + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch." 
} }, { "max_retry_delay": { - "default": 60, "description": "Maximum time in seconds between retries, caps exponential backoff.", + "default": 60, + "type": "number", "between": [ 0.001, 1000000 - ], - "type": "number" + ] } }, { "concurrency_limit": { - "type": "integer", "description": "The number of of queue delivery timers. -1 indicates unlimited.", "default": 1, + "type": "integer", "one_of": [ -1, 1 ] } } - ], - "required": true + ] } }, { @@ -171,9 +181,9 @@ "description": "The number of spans to be sent in a single batch.", "type": "integer", "deprecation": { - "removal_in_version": "4.0", + "message": "opentelemetry: config.batch_span_count is deprecated, please use config.queue.max_batch_size instead", "old_default": 200, - "message": "opentelemetry: config.batch_span_count is deprecated, please use config.queue.max_batch_size instead" + "removal_in_version": "4.0" } } }, 
@@ -182,43 +192,43 @@ "description": "The delay, in seconds, between two consecutive batches.", "type": "integer", "deprecation": { - "removal_in_version": "4.0", + "message": "opentelemetry: config.batch_flush_delay is deprecated, please use config.queue.max_coalescing_delay instead", "old_default": 3, - "message": "opentelemetry: config.batch_flush_delay is deprecated, please use config.queue.max_coalescing_delay instead" + "removal_in_version": "4.0" } } }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 1000 + "default": 1000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 5000 + "default": 5000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 5000 + "default": 5000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -229,6 +239,11 @@ { "header_type": { "type": "string", + "deprecation": { + "message": "opentelemetry: config.header_type is deprecated, please use config.propagation options instead", + "old_default": "preserve", + "removal_in_version": "4.0" + }, "one_of": [ "preserve", "ignore", 
@@ -242,23 +257,18 @@ "datadog", "instana" ], - "deprecation": { - "removal_in_version": "4.0", - "old_default": "preserve", - "message": "opentelemetry: config.header_type is deprecated, please use config.propagation options instead" - }, "default": "preserve", "required": false } }, { "sampling_rate": { + "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", + "type": "number", "between": [ 0, 1 ], - "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", - "type": "number", "required": false } }, @@ -272,14 +282,14 @@ "elements": { "type": "string", "one_of": [ - "w3c", - "b3", "jaeger", "ot", "datadog", "aws", "gcp", - "instana" + "instana", + "w3c", + "b3" ] } } @@ -301,34 +311,34 @@ "type": "string", "one_of": [ "preserve", - "w3c", - "b3", "b3-single", "jaeger", "ot", "datadog", "aws", "gcp", - "instana" + "instana", + "w3c", + "b3" ] } } }, { "default_format": { + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "type": "string", "one_of": [ - "w3c", - "b3", "b3-single", "jaeger", "ot", "datadog", "aws", "gcp", - "instana" + "instana", + "w3c", + "b3" ], - "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", - "type": "string", "required": true } } 
@@ -341,31 +351,21 @@ } } ], - "entity_checks": [ - { - "at_least_one_of": [ - "traces_endpoint", - "logs_endpoint" - ] - } - ], "shorthand_fields": [ { "endpoint": { - "referenceable": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string", + "referenceable": true, "deprecation": { "removal_in_version": "4.0", "message": "OpenTelemetry: config.endpoint is deprecated, please use config.traces_endpoint instead" } } } - ] + ], + "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/post-function/3.10.x.json b/schemas/post-function/3.10.x.json index 14303e48..e246d457 100644 --- a/schemas/post-function/3.10.x.json +++ b/schemas/post-function/3.10.x.json @@ -1,29 +1,41 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { "protocols": { - "description": "A set of strings representing protocols.", - "type": "set", - "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -35,14 +47,18 @@ "udp", "ws", "wss" - ] + ], + "type": "string" }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { 
@@ -51,131 +67,131 @@ "fields": [ { "certificate": { - "type": "array", - "elements": { - "type": "string", - "required": false - }, "default": [ ], + "type": "array", + "elements": { + "required": false, + "type": "string" + }, "required": true } }, { "rewrite": { - "type": "array", - "elements": { - "type": "string", - "required": false - }, "default": [ ], + "type": "array", + "elements": { + "required": false, + "type": "string" + }, "required": true } }, { "access": { - "type": "array", - "elements": { - "type": "string", - "required": false - }, "default": [ ], + "type": "array", + "elements": { + "required": false, + "type": "string" + }, "required": true } }, { "header_filter": { - "type": "array", - "elements": { - "type": "string", - "required": false - }, "default": [ ], + "type": "array", + "elements": { + "required": false, + "type": "string" + }, "required": true } }, { "body_filter": { - "type": "array", - "elements": { - "type": "string", - "required": false - }, "default": [ ], + "type": "array", + "elements": { + "required": false, + "type": "string" + }, "required": true } }, { "log": { - "type": "array", - "elements": { - "type": "string", - "required": false - }, "default": [ ], + "type": "array", + "elements": { + "required": false, + "type": "string" + }, "required": true } }, { "ws_handshake": { - "type": "array", - "elements": { - "type": "string", - "required": false - }, "default": [ ], + "type": "array", + "elements": { + "required": false, + "type": "string" + }, "required": true } }, { "ws_client_frame": { - "type": "array", - "elements": { - "type": "string", - "required": false - }, "default": [ ], + "type": "array", + "elements": { + "required": false, + "type": "string" + }, "required": true } }, { "ws_upstream_frame": { - "type": "array", - "elements": { - "type": "string", - "required": false - }, "default": [ ], + "type": "array", + "elements": { + "required": false, + "type": "string" + }, "required": true } }, { "ws_close": { 
- "type": "array", - "elements": { - "type": "string", - "required": false - }, "default": [ ], + "type": "array", + "elements": { + "required": false, + "type": "string" + }, "required": true } } @@ -183,21 +199,5 @@ "required": true } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.certificate", - "config.rewrite", - "config.access", - "config.header_filter", - "config.body_filter", - "config.log", - "config.ws_handshake", - "config.ws_upstream_frame", - "config.ws_client_frame", - "config.ws_close" - ] - } ] } \ No newline at end of file diff --git a/schemas/pre-function/3.10.x.json b/schemas/pre-function/3.10.x.json index 14303e48..e246d457 100644 --- a/schemas/pre-function/3.10.x.json +++ b/schemas/pre-function/3.10.x.json @@ -1,29 +1,41 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { "protocols": { - "description": "A set of strings representing protocols.", - "type": "set", - "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -35,14 +47,18 @@ "udp", "ws", "wss" - ] + ], + "type": "string" }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { 
@@ -51,131 +67,131 @@ "fields": [ { "certificate": { - "type": "array", - "elements": { - "type": "string", - "required": false - }, "default": [ ], + "type": "array", + "elements": { + "required": false, + "type": "string" + }, "required": true } }, { "rewrite": { - "type": "array", - "elements": { - "type": "string", - "required": false - }, "default": [ ], + "type": "array", + "elements": { + "required": false, + "type": "string" + }, "required": true } }, { "access": { - "type": "array", - "elements": { - "type": "string", - "required": false - }, "default": [ ], + "type": "array", + "elements": { + "required": false, + "type": "string" + }, "required": true } }, { "header_filter": { - "type": "array", - "elements": { - "type": "string", - "required": false - }, "default": [ ], + "type": "array", + "elements": { + "required": false, + "type": "string" + }, "required": true } }, { "body_filter": { - "type": "array", - "elements": { - "type": "string", - "required": false - }, "default": [ ], + "type": "array", + "elements": { + "required": false, + "type": "string" + }, "required": true } }, { "log": { - "type": "array", - "elements": { - "type": "string", - "required": false - }, "default": [ ], + "type": "array", + "elements": { + "required": false, + "type": "string" + }, "required": true } }, { "ws_handshake": { - "type": "array", - "elements": { - "type": "string", - "required": false - }, "default": [ ], + "type": "array", + "elements": { + "required": false, + "type": "string" + }, "required": true } }, { "ws_client_frame": { - "type": "array", - "elements": { - "type": "string", - "required": false - }, "default": [ ], + "type": "array", + "elements": { + "required": false, + "type": "string" + }, "required": true } }, { "ws_upstream_frame": { - "type": "array", - "elements": { - "type": "string", - "required": false - }, "default": [ ], + "type": "array", + "elements": { + "required": false, + "type": "string" + }, "required": true } }, { "ws_close": { 
- "type": "array", - "elements": { - "type": "string", - "required": false - }, "default": [ ], + "type": "array", + "elements": { + "required": false, + "type": "string" + }, "required": true } } @@ -183,21 +199,5 @@ "required": true } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.certificate", - "config.rewrite", - "config.access", - "config.header_filter", - "config.body_filter", - "config.log", - "config.ws_handshake", - "config.ws_upstream_frame", - "config.ws_client_frame", - "config.ws_close" - ] - } ] } \ No newline at end of file diff --git a/schemas/prometheus/3.10.x.json b/schemas/prometheus/3.10.x.json index 30707a5a..2f89b69a 100644 --- a/schemas/prometheus/3.10.x.json +++ b/schemas/prometheus/3.10.x.json @@ -1,13 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", - "type": "set", - "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -19,22 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string" }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { 
@@ -44,58 +47,55 @@ { "per_consumer": { "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "status_code_metrics": { "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "ai_metrics": { "description": "A boolean value that determines if ai metrics should be collected. If enabled, the `ai_llm_requests_total`, `ai_llm_cost_total` and `ai_llm_tokens_total` metrics will be exported.", - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "latency_metrics": { "description": "A boolean value that determines if latency metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "bandwidth_metrics": { "description": "A boolean value that determines if bandwidth metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "upstream_health_metrics": { "description": "A boolean value that determines if upstream metrics should be collected. 
If enabled, `upstream_target_health` metric will be exported.", - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "wasm_metrics": { "description": "A boolean value that determines if Wasm metrics should be collected.", - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } } ], "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/proxy-cache-advanced/3.10.x.json b/schemas/proxy-cache-advanced/3.10.x.json index a1286afa..e8092b3c 100644 --- a/schemas/proxy-cache-advanced/3.10.x.json +++ b/schemas/proxy-cache-advanced/3.10.x.json @@ -1,4 +1,13 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "supported_partials": { "redis-ee": [ "config.redis" @@ -7,9 +16,6 @@ "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -19,12 +25,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { 
@@ -33,29 +42,32 @@ "fields": [ { "response_code": { - "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", "type": "array", - "required": true, - "elements": { - "type": "integer", - "between": [ - 100, - 900 - ] - }, + "len_min": 1, + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", "default": [ 200, 301, 404 ], - "len_min": 1 + "elements": { + "between": [ + 100, + 900 + ], + "type": "integer" + }, + "required": true } }, { "request_method": { - "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", "type": "array", - "required": true, + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", + "default": [ + "GET", + "HEAD" + ], "elements": { "type": "string", "one_of": [ 
@@ -66,65 +78,62 @@ "PUT" ] }, - "default": [ - "GET", - "HEAD" - ] + "required": true } }, { "content_type": { - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", "type": "array", - "required": true, - "elements": { - "type": "string" - }, + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", "default": [ "text/plain", "application/json" - ] + ], + "elements": { + "type": "string" + }, + "required": true } }, { "cache_ttl": { - "default": 300, - "description": "TTL in seconds of cache entities.", "gt": 0, - "type": "integer" + "default": 300, + "type": "integer", + "description": "TTL in seconds of cache entities." } }, { "strategy": { - "required": true, "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", "type": "string", "one_of": [ "memory", "redis" - ] + ], + "required": true } }, { "cache_control": { - "type": "boolean", "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", "default": false, + "type": "boolean", "required": true } }, { "ignore_uri_case": { - "type": "boolean", "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. 
If set to true, requests are cached while ignoring case sensitivity in the URI.", "default": false, + "type": "boolean", "required": false } }, { "storage_ttl": { - "type": "integer", - "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" } }, { @@ -133,9 +142,9 @@ "fields": [ { "dictionary_name": { - "type": "string", "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", "default": "kong_db_cache", + "type": "string", "required": true } } @@ -163,25 +172,25 @@ }, { "response_headers": { - "type": "record", "description": "Caching related diagnostic headers that should be included in cached responses", + "type": "record", "fields": [ { "age": { - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "X-Cache-Status": { - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "X-Cache-Key": { - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } } ], 
@@ -190,8 +199,68 @@ }, { "redis": { + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], "type": "record", - "required": true, "fields": [ { "host": { 
@@ -202,46 +271,46 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -283,13 +352,13 @@ }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer", "between": [ 1, 2147483646 - ], - "type": "integer" + ] } }, { 
@@ -304,8 +373,8 @@ }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { 
@@ -321,81 +390,81 @@ }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "elements": { "type": "record", "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] }, - "len_min": 1 + "required": false } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "elements": { "type": "record", "fields": [ { "ip": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] }, - "len_min": 1 + "required": false } }, { "ssl": { - "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", "default": false, + "type": "boolean", "required": false } }, { "ssl_verify": { - "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "type": "boolean", "required": false } }, 
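Review bot: `ssl` and `ssl_verify` at the end of this hunk both keep `"default": false`, so a `redis` block left at its defaults connects without TLS, and, going by the two descriptions, one that sets only `ssl` encrypts the connection without validating the server certificate. The commit only reorders keys here, so nothing regresses, but neither description says the flags have to be enabled together to get an authenticated channel. I would extend the first one to `"description": "If set to true, uses SSL to connect to Redis. The server certificate is only verified when ssl_verify is also true."`. The same pair appears in the `@@ -304,80 +375,80 @@` hunk of schemas/rate-limiting-advanced/3.10.x.json; since these files appear to be pulled from an API, the wording probably has to change in the upstream plugin schema.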
@@ -408,89 +477,26 @@ }, { "cluster_max_redirections": { - "type": "integer", "description": "Maximum retry attempts for redirection.", "default": 5, + "type": "integer", "required": false } }, { "connection_is_proxied": { - "type": "boolean", "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "default": false, + "type": "boolean", "required": false } } ], - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], "shorthand_fields": [ { "timeout": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", "replaced_with": [ { "path": [ 
@@ -507,72 +513,66 @@ "read_timeout" ] } - ] - } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + }, + "type": "integer" } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] - } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] - } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 } } - ] + ], + "required": true } }, { "bypass_on_err": { "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } } ], "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/proxy-cache/3.10.x.json b/schemas/proxy-cache/3.10.x.json index de198d01..85f8c01b 100644 --- a/schemas/proxy-cache/3.10.x.json +++ b/schemas/proxy-cache/3.10.x.json 
@@ -1,13 +1,18 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", - "type": "set", - "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -19,14 +24,18 @@ "udp", "ws", "wss" - ] + ], + "type": "string" }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { @@ -35,29 +44,32 @@ "fields": [ { "response_code": { - "description": "Upstream response status code considered cacheable.", "type": "array", - "required": true, - "elements": { - "type": "integer", - "between": [ - 100, - 900 - ] - }, + "len_min": 1, + "description": "Upstream response status code considered cacheable.", "default": [ 200, 301, 404 ], - "len_min": 1 + "elements": { + "between": [ + 100, + 900 + ], + "type": "integer" + }, + "required": true } }, { "request_method": { - "description": "Downstream request methods considered cacheable.", "type": "array", - "required": true, + "description": "Downstream request methods considered cacheable.", + "default": [ + "GET", + "HEAD" + ], "elements": { "type": "string", "one_of": [ 
@@ -68,49 +80,46 @@ "PUT" ] }, - "default": [ - "GET", - "HEAD" - ] + "required": true } }, { "content_type": { - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", "type": "array", - "required": true, - "elements": { - "type": "string" - }, + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", "default": [ "text/plain", "application/json" - ] + ], + "elements": { + "type": "string" + }, + "required": true } }, { "cache_ttl": { + "gt": 0, "default": 300, "description": "TTL, in seconds, of cache entities.", - "gt": 0, "type": "integer" } }, { "strategy": { - "required": true, "description": "The backing data store in which to hold cache entities.", "type": "string", "one_of": [ "memory" - ] + ], + "required": true } }, { "cache_control": { - "type": "boolean", "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", "default": false, + "type": "boolean", "required": true } }, @@ -123,8 +132,8 @@ }, { "storage_ttl": { - "type": "integer", - "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" } }, { @@ -133,9 +142,9 @@ "fields": [ { "dictionary_name": { - "type": "string", "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", "default": "kong_db_cache", + "type": "string", "required": true } } 
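Review bot: `cache_control` in the `@@ -68,49 +80,46 @@` hunk keeps `"default": false`, and its description says the Cache-Control behaviours are respected only "when enabled", so with defaults an upstream response marked `private` or `no-store` is presumably still stored if its status, method and content type match the default lists in this file. How the cache key separates callers is not visible in this diff, so anyone placing the plugin in front of authenticated endpoints should confirm that before relying on the default. The description could state the consequence directly, e.g. `"description": "When enabled, respect the Cache-Control behaviors defined in RFC7234. When disabled, upstream directives such as no-store and private are not honored."`.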
@@ -163,25 +172,25 @@ }, { "response_headers": { - "type": "record", "description": "Caching related diagnostic headers that should be included in cached responses", + "type": "record", "fields": [ { "age": { - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "X-Cache-Status": { - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "X-Cache-Key": { - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } } ], @@ -192,14 +201,5 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/rate-limiting-advanced/3.10.x.json b/schemas/rate-limiting-advanced/3.10.x.json index 2a22687b..d138341c 100644 --- a/schemas/rate-limiting-advanced/3.10.x.json +++ b/schemas/rate-limiting-advanced/3.10.x.json @@ -1,4 +1,13 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "supported_partials": { "redis-ee": [ "config.redis" @@ -7,9 +16,6 @@ "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -19,12 +25,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { 
@@ -33,10 +42,8 @@ "fields": [ { "identifier": { - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`. Note if `identifier` is `consumer-group`, the plugin must be applied on a consumer group entity. Because a consumer may belong to multiple consumer groups, the plugin needs to know explicitly which consumer group to limit the rate.", "type": "string", - "required": true, - "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`. Note if `identifier` is `consumer-group`, the plugin must be applied on a consumer group entity. Because a consumer may belong to multiple consumer groups, the plugin needs to know explicitly which consumer group to limit the rate.", "one_of": [ "ip", "credential", @@ -45,7 +52,9 @@ "header", "path", "consumer-group" - ] + ], + "default": "consumer", + "required": true } }, { 
@@ -68,19 +77,19 @@ }, { "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "type": "array", "elements": { "type": "number" }, - "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", - "type": "array", "required": true } }, { "window_type": { - "default": "sliding", "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", "type": "string", + "default": "sliding", "one_of": [ "fixed", "sliding" 
@@ -89,92 +98,154 @@ }, { "limit": { + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "type": "array", "elements": { "type": "number" }, - "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", - "type": "array", "required": true } }, { "sync_rate": { - "type": "number", - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" } }, { "namespace": { - "auto": true, "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", "type": "string", - "required": true + "required": true, + "auto": true } }, { "strategy": { - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "type": "string", - "required": true, - "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. 
Available values are: `local` and `cluster`.", "one_of": [ "cluster", "redis", "local" - ] + ], + "default": "local", + "required": true } }, { "dictionary_name": { - "default": "kong_rate_limiting_counters", "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", "type": "string", + "default": "kong_rate_limiting_counters", "required": true } }, { "lock_dictionary_name": { - "default": "kong_locks", "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. The shared dictionary should be declare in nginx-kong.conf.", "type": "string", + "default": "kong_locks", "required": true } }, { "hide_client_headers": { "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "retry_after_jitter_max": { "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", - "default": 0, - "type": "number" + "type": "number", + "default": 0 } }, { "header_name": { - "type": "string", - "description": "A string representing an HTTP header name." 
+ "description": "A string representing an HTTP header name.", + "type": "string" } }, { "path": { + "starts_with": "/", + "type": "string", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "type": "string", - "starts_with": "/" + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "redis": { + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", "fields": [ { "host": { 
@@ -185,46 +256,46 @@ }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "connect_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "read_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { @@ -266,13 +337,13 @@ }, { "keepalive_pool_size": { - "type": "integer", "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "default": 256, "between": [ 1, 2147483646 - ] + ], + "type": "integer" } }, { 
@@ -287,8 +358,8 @@ }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { 
@@ -304,80 +375,80 @@ }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "elements": { - "type": "record", "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } } - ] + ], + "type": "record" }, - "len_min": 1 + "required": false } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "elements": { - "type": "record", "fields": [ { "ip": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } } - ] + ], + "type": "record" }, - "len_min": 1 + "required": false } }, { "ssl": { - "default": false, "description": "If set to true, uses SSL to connect to Redis.", + "default": false, "type": "boolean", "required": false } }, { "ssl_verify": { - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, "type": "boolean", "required": false } 
@@ -391,98 +462,34 @@ }, { "cluster_max_redirections": { - "default": 5, "description": "Maximum retry attempts for redirection.", + "default": 5, "type": "integer", "required": false } }, { "connection_is_proxied": { - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "default": false, "type": "boolean", "required": false } }, { "redis_proxy_type": { + "description": "If the `connection_is_proxied` is enabled, this field indicates the proxy type and version you are using. For example, you can enable this optioin when you want authentication between Kong and Envoy proxy.", + "type": "string", "one_of": [ "envoy_v1.31" ], - "description": "If the `connection_is_proxied` is enabled, this field indicates the proxy type and version you are using. For example, you can enable this optioin when you want authentication between Kong and Envoy proxy.", - "type": "string", "required": false } } ], - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "required": true, "shorthand_fields": [ { "timeout": { - "type": "integer", "deprecation": { 
"removal_in_version": "4.0", "replaced_with": [ @@ -503,16 +510,16 @@ } ], "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" - } + }, + "type": "integer" } }, { "sentinel_addresses": { + "type": "array", "elements": { "type": "string" }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", "replaced_with": [ @@ -523,16 +530,16 @@ } ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" - } + }, + "len_min": 1 } }, { "cluster_addresses": { + "type": "array", "elements": { "type": "string" }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", "replaced_with": [ @@ -543,17 +550,19 @@ } ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead" - } + }, + "len_min": 1 } } - ] + ], + "required": true } }, { "enforce_consumer_groups": { "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { 
@@ -568,37 +577,28 @@ { "disable_penalty": { "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "error_code": { - "gt": 0, "description": "Set a custom error code to return when the rate limit is exceeded.", "type": "number", - "default": 429 + "default": 429, + "gt": 0 } }, { "error_message": { "description": "Set a custom error message to return when the rate limit is exceeded.", - "default": "API rate limit exceeded", - "type": "string" + "type": "string", + "default": "API rate limit exceeded" } } ], "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/rate-limiting/3.10.x.json b/schemas/rate-limiting/3.10.x.json index 8a398313..da255ec3 100644 --- a/schemas/rate-limiting/3.10.x.json +++ b/schemas/rate-limiting/3.10.x.json 
@@ -1,4 +1,76 @@ { + "entity_checks": [ + { + "at_least_one_of": [ + "config.second", + "config.minute", + "config.hour", + "config.day", + "config.month", + "config.year" + ] + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.host", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.port", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.timeout", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "header" + }, + "then_field": "config.header_name", + "if_field": "config.limit_by", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "path" + }, + "then_field": "config.path", + "if_field": "config.limit_by", + "then_match": { + "required": true + } + } + } + ], "supported_partials": { "redis-ce": [ "config.redis" @@ -7,9 +79,6 @@ "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -19,23 +88,26 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "config": { + "required": true, + "type": "record", "shorthand_fields": [ { "redis_host": { - "type": "string", "deprecation": { "removal_in_version": "4.0", - "message": "rate-limiting: config.redis_host is deprecated, please use config.redis.host instead", "replaced_with": [ { "path": [ 
@@ -43,16 +115,16 @@ "host" ] } - ] - } + ], + "message": "rate-limiting: config.redis_host is deprecated, please use config.redis.host instead" + }, + "type": "string" } }, { "redis_port": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", - "message": "rate-limiting: config.redis_port is deprecated, please use config.redis.port instead", "replaced_with": [ { "path": [ @@ -60,17 +132,18 @@ "port" ] } - ] - } + ], + "message": "rate-limiting: config.redis_port is deprecated, please use config.redis.port instead" + }, + "type": "integer" } }, { "redis_password": { - "len_min": 0, "type": "string", + "len_min": 0, "deprecation": { "removal_in_version": "4.0", - "message": "rate-limiting: config.redis_password is deprecated, please use config.redis.password instead", "replaced_with": [ { "path": [ @@ -78,16 +151,15 @@ "password" ] } - ] + ], + "message": "rate-limiting: config.redis_password is deprecated, please use config.redis.password instead" } } }, { "redis_username": { - "type": "string", "deprecation": { "removal_in_version": "4.0", - "message": "rate-limiting: config.redis_username is deprecated, please use config.redis.username instead", "replaced_with": [ { "path": [ @@ -95,16 +167,16 @@ "username" ] } - ] - } + ], + "message": "rate-limiting: config.redis_username is deprecated, please use config.redis.username instead" + }, + "type": "string" } }, { "redis_ssl": { - "type": "boolean", "deprecation": { "removal_in_version": "4.0", - "message": "rate-limiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", "replaced_with": [ { "path": [ 
@@ -112,16 +184,16 @@ "ssl" ] } - ] - } + ], + "message": "rate-limiting: config.redis_ssl is deprecated, please use config.redis.ssl instead" + }, + "type": "boolean" } }, { "redis_ssl_verify": { - "type": "boolean", "deprecation": { "removal_in_version": "4.0", - "message": "rate-limiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", "replaced_with": [ { "path": [ @@ -129,16 +201,16 @@ "ssl_verify" ] } - ] - } + ], + "message": "rate-limiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead" + }, + "type": "boolean" } }, { "redis_server_name": { - "type": "string", "deprecation": { "removal_in_version": "4.0", - "message": "rate-limiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", "replaced_with": [ { "path": [ @@ -146,16 +218,16 @@ "server_name" ] } - ] - } + ], + "message": "rate-limiting: config.redis_server_name is deprecated, please use config.redis.server_name instead" + }, + "type": "string" } }, { "redis_timeout": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", - "message": "rate-limiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", "replaced_with": [ { "path": [ @@ -163,16 +235,16 @@ "timeout" ] } - ] - } + ], + "message": "rate-limiting: config.redis_timeout is deprecated, please use config.redis.timeout instead" + }, + "type": "integer" } }, { "redis_database": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", - "message": "rate-limiting: config.redis_database is deprecated, please use config.redis.database instead", "replaced_with": [ { "path": [ 
@@ -180,60 +252,60 @@ "database" ] } - ] - } + ], + "message": "rate-limiting: config.redis_database is deprecated, please use config.redis.database instead" + }, + "type": "integer" } } ], - "type": "record", "fields": [ { "second": { - "description": "The number of HTTP requests that can be made per second.", "gt": 0, - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per second." } }, { "minute": { - "description": "The number of HTTP requests that can be made per minute.", "gt": 0, - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per minute." } }, { "hour": { - "description": "The number of HTTP requests that can be made per hour.", "gt": 0, - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per hour." } }, { "day": { - "description": "The number of HTTP requests that can be made per day.", "gt": 0, - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per day." } }, { "month": { - "description": "The number of HTTP requests that can be made per month.", "gt": 0, - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per month." } }, { "year": { - "description": "The number of HTTP requests that can be made per year.", "gt": 0, - "type": "number" + "type": "number", + "description": "The number of HTTP requests that can be made per year." } }, { "limit_by": { - "default": "consumer", "description": "The entity that is used when aggregating the limits.", - "type": "string", + "default": "consumer", "one_of": [ "consumer", "credential", 
@@ -242,80 +314,81 @@ "header", "path", "consumer-group" - ] + ], + "type": "string" } }, { "header_name": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } }, { "path": { + "starts_with": "/", + "type": "string", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "type": "string", - "starts_with": "/" + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "policy": { - "len_min": 0, "type": "string", + "len_min": 0, + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "default": "local", "one_of": [ "local", "cluster", "redis" - ], - "default": "local", - "description": "The rate-limiting policies to use for retrieving and incrementing the limits." + ] } }, { "fault_tolerant": { - "default": true, "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", + "default": true, "type": "boolean", "required": true } }, { "redis": { - "type": "record", "description": "Redis configuration", + "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." 
+ "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -327,11 +400,11 @@ }, { "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "type": "string", + "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "encrypted": true, - "len_min": 0, - "referenceable": true + "len_min": 0 } }, { @@ -343,16 +416,16 @@ }, { "ssl": { - "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean", "default": false, "required": false } }, { "ssl_verify": { - "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean", "default": false, "required": false } 
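Review bot: `redis.ssl` and `redis.ssl_verify` both keep `"default": false` in the `@@ -343,16 +416,16 @@` hunk, while the hunk just before it marks `redis.password` as `"encrypted": true` and `"referenceable": true`. With these defaults the password is protected at rest, but the connection that carries it to Redis is neither encrypted nor authenticated. The `ssl` description should say so, for example `"description": "If set to true, uses SSL to connect to Redis. When false (the default), the Redis password is sent over an unencrypted connection."`. The same defaults appear in the request-callout `cache.redis` record in the `@@ -569,115 +641,115 @@` hunk. These files are downloaded from the API, so the wording would have to change in the upstream plugin schema; the enclosing `redis` record starts outside this hunk.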
@@ -370,18 +443,18 @@ }, { "hide_client_headers": { - "default": false, "description": "Optionally hide informative response headers.", + "default": false, "type": "boolean", "required": true } }, { "error_code": { - "default": 429, "description": "Set a custom error code to return when the rate limit is exceeded.", - "type": "number", - "gt": 0 + "default": 429, + "gt": 0, + "type": "number" } }, { @@ -393,86 +466,13 @@ }, { "sync_rate": { - "default": -1, "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior.", + "default": -1, "type": "number", "required": true } } - ], - "required": true - } - } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "config.second", - "config.minute", - "config.hour", - "config.day", - "config.month", - "config.year" - ] - }, - { - "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.host", - "if_field": "config.policy", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.port", - "if_field": "config.policy", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.timeout", - "if_field": "config.policy", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": "header" - }, - "then_field": "config.header_name", - "if_field": "config.limit_by", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": "path" - }, - "then_field": "config.path", - "if_field": "config.limit_by", - "then_match": { - "required": true - } + ] } } ] diff --git a/schemas/redirect/3.10.x.json b/schemas/redirect/3.10.x.json index af11a01f..51d47bdc 100644 --- a/schemas/redirect/3.10.x.json +++ b/schemas/redirect/3.10.x.json 
@@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,12 +14,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { @@ -28,14 +31,14 @@ "fields": [ { "status_code": { - "description": "The response code to send. Must be an integer between 100 and 599.", "type": "integer", - "required": true, + "description": "The response code to send. Must be an integer between 100 and 599.", "default": 301, "between": [ 100, 599 - ] + ], + "required": true } }, { @@ -56,8 +59,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/request-callout/3.10.x.json b/schemas/request-callout/3.10.x.json index 14e32422..4c92e8f2 100644 --- a/schemas/request-callout/3.10.x.json +++ b/schemas/request-callout/3.10.x.json 
@@ -1,85 +1,96 @@ { - "entity_checks": [], + "entity_checks": [ + + ], "fields": [ { "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], "elements": { + "type": "string", "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string", - "len_min": 1, - "required": true + ] }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "type": "set", - "required": true, - "description": "A set of strings representing HTTP protocols." + "required": true } }, { "config": { + "type": "record", "fields": [ { "callouts": { - "required": true, + "description": "A collection of callout objects, where each object represents an HTTPrequest made in the context of a proxy request.", "type": "array", "elements": { + "type": "record", "fields": [ { "name": { + "description": "A string identifier for a callout. A callout object is referenceablevia its name in the kong.ctx.shared.callouts.", "type": "string", - "required": true, - "description": "A string identifier for a callout. A callout object is referenceablevia its name in the kong.ctx.shared.callouts." + "required": true } }, { "depends_on": { - "default": [], + "type": "array", + "description": "An array of callout names the current callout depends on.This dependency determines the callout execution order.", + "default": [ + + ], "elements": { - "required": true, - "type": "string" + "type": "string", + "required": true }, - "type": "array", - "required": true, - "description": "An array of callout names the current callout depends on.This dependency determines the callout execution order." + "required": true } }, { "request": { + "description": "The customizations for the callout request.", + "type": "record", + "required": true, "fields": [ { "url": { + "description": "The URL that will be requested.", "type": "string", "required": true, - "description": "The URL that will be requested." 
+ "referenceable": true } }, { "method": { - "default": "GET", - "required": true, "type": "string", "match": "^%u+$", - "description": "The HTTP method that will be requested." + "description": "The HTTP method that will be requested.", + "default": "GET", + "required": true } }, { "http_opts": { + "description": "HTTP connection parameters.", + "type": "record", + "required": true, "fields": [ { "ssl_verify": { - "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "default": false } }, { @@ -90,11 +101,22 @@ }, { "timeouts": { + "description": "Socket timeouts in milliseconds. All or none must be set.", + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "connect", + "write", + "read" + ] + } + ], "fields": [ { "connect": { - "type": "integer", "description": "The socket connect timeout.", + "type": "integer", "between": [ 0, 2147483646 @@ -103,8 +125,8 @@ }, { "write": { - "type": "integer", "description": "The socket write timeout.", + "type": "integer", "between": [ 0, 2147483646 
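Review bot: `http_opts.ssl_verify` keeps `"default": false` while the `@@ -1,85 +1,96 @@` hunk makes `request.url` `"referenceable": true`, and the `@@ -166,385 +179,444 @@` hunk does the same for the `custom` query, header and body values. Values that are presumably resolved from a secret reference are therefore sent to a callout endpoint whose certificate is not checked unless the operator opts in. The `ssl_verify` description is also carried over from the Redis fields and speaks of "your Redis server"; it should read along the lines of `"description": "If set to true, verifies the validity of the callout server's SSL certificate. Defaults to false."`, keeping the existing `lua_ssl_trusted_certificate` guidance. Because the schema is downloaded rather than hand-written, the change belongs in the upstream plugin schema; the `http_opts` record continues past the end of this hunk.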
@@ -113,30 +135,21 @@ }, { "read": { - "type": "integer", "description": "The socket read timeout. ", + "type": "integer", "between": [ 0, 2147483646 ] } } - ], - "type": "record", - "entity_checks": [ - { - "mutually_required": [ - "connect", - "write", - "read" - ] - } - ], - "description": "Socket timeouts in milliseconds. All or none must be set." + ] } }, { "proxy": { + "description": "Proxy settings.", + "type": "record", "fields": [ { "auth_username": { 
@@ -166,385 +179,444 @@ "type": "string" } } - ], - "type": "record", - "description": "Proxy settings." + ] } } - ], - "type": "record", - "description": "HTTP connection parameters.", - "required": true + ] } }, { "query": { + "description": "Callout request query param customizations.", + "type": "record", + "required": true, "fields": [ { "forward": { - "default": false, + "description": "If true, forwards the incoming request's query params to the callout request. ", "type": "boolean", - "description": "If true, forwards the incoming request's query params to the callout request. " + "default": false } }, { "custom": { - "values": { - "required": false, - "type": "string" - }, - "required": false, "type": "map", "keys": { "type": "string" }, - "description": "The custom query params to be added in the callout HTTP request.Values can contain Lua expressions in the form $(some_lua_code)." + "description": "The custom query params to be added in the callout HTTP request.Values can contain Lua expressions in the form $(some_lua_code).", + "values": { + "type": "string", + "referenceable": true, + "required": false + }, + "required": false } } - ], - "type": "record", - "description": "Callout request query param customizations.", - "required": true + ] } }, { "headers": { + "description": "Callout request header customizations.", + "type": "record", + "required": true, "fields": [ { "forward": { - "default": false, + "description": "If true, forwards the incoming request's headers to the callout request. ", "type": "boolean", - "description": "If true, forwards the incoming request's headers to the callout request. " + "default": false } }, { "custom": { - "values": { - "required": false, - "type": "string" - }, - "required": false, "type": "map", "keys": { "type": "string" }, - "description": "The custom headers to be added in the callout HTTP request.Values can contain Lua expressions in the form $(some_lua_code)." 
+ "description": "The custom headers to be added in the callout HTTP request.Values can contain Lua expressions in the form $(some_lua_code).", + "values": { + "type": "string", + "referenceable": true, + "required": false + }, + "required": false } } - ], - "type": "record", - "description": "Callout request header customizations.", - "required": true + ] } }, { "body": { + "description": "Callout request body customizations.", + "type": "record", + "required": true, "fields": [ { "forward": { - "default": false, + "description": "If true, forwards the incoming request's body to the callout request.", "type": "boolean", - "description": "If true, forwards the incoming request's body to the callout request." + "default": false } }, { "decode": { - "default": false, + "description": "If true, decodes the request's body to make it available for customizations.", "type": "boolean", - "description": "If true, decodes the request's body to make it available for customizations." + "default": false } }, { "custom": { - "values": { - "required": false, - "type": "string" - }, - "required": false, "type": "map", "keys": { "type": "string" }, - "description": "The custom body fields to be added in the callout HTTP request.Values can contain Lua expressions in the form $(some_lua_code)." 
+ "description": "The custom body fields to be added in the callout HTTP request.Values can contain Lua expressions in the form $(some_lua_code).", + "values": { + "type": "string", + "referenceable": true, + "required": false + }, + "required": false } } - ], - "type": "record", - "description": "Callout request body customizations.", - "required": true + ] } }, { "error": { + "description": "The error handling policy the plugin will apply to TCP and HTTP errors.", + "type": "record", + "required": true, "fields": [ { "on_error": { - "default": "fail", - "type": "string", "one_of": [ "retry", "fail", "continue" - ] + ], + "default": "fail", + "type": "string" } }, { "retries": { - "default": 2, + "description": "The number of retries the plugin will attempt on TCP and HTTP errors if `on_error` is set to `retry`.", "type": "integer", - "description": "The number of retries the plugin will attempt on TCP and HTTP errors if `on_error` is set to `retry`." + "default": 2 } }, { "http_statuses": { + "description": "The list of HTTP status codes considered errors under the error handling policy.", + "type": "array", "elements": { - "type": "integer", "between": [ 100, 999 - ] - }, - "type": "array", - "description": "The list of HTTP status codes considered errors under the error handling policy." + ], + "type": "integer" + } } }, { "error_response_code": { - "default": 400, + "description": "The error code to respond with if `on_error` is `fail` or if `retries` is achieved.", "type": "integer", - "description": "The error code to respond with if `on_error` is `fail` or if `retries` is achieved." 
+ "default": 400 } }, { "error_response_msg": { - "default": "service callout error", + "description": "The error mesasge to respond with if `on_error` is `fail` or if `retries` is achieved.Templating with Lua expressions is supported.", "type": "string", - "description": "The error mesasge to respond with if `on_error` is `fail` or if `retries` is achieved.Templating with Lua expressions is supported." + "default": "service callout error" } } - ], - "type": "record", - "description": "The error handling policy the plugin will apply to TCP and HTTP errors.", - "required": true + ] } }, { "by_lua": { + "description": "Lua code that executes before the callout request is made.Standard Lua sandboxing restrictions apply.", "type": "string", - "required": false, - "description": "Lua code that executes before the callout request is made.Standard Lua sandboxing restrictions apply." + "required": false } } - ], - "type": "record", - "description": "The customizations for the callout request.", - "required": true + ] } }, { "response": { + "description": "Configurations of callout response handling.", + "type": "record", + "required": true, "fields": [ { "headers": { + "description": "Callout response header customizations.", + "type": "record", + "required": true, "fields": [ { "store": { - "default": true, + "description": "If false, skips storing the callout response headers intokong.ctx.shared.callouts..response.headers.", "type": "boolean", - "description": "If false, skips storing the callout response headers intokong.ctx.shared.callouts..response.headers." 
+ "default": true } } - ], - "type": "record", - "description": "Callout response header customizations.", - "required": true + ] } }, { "body": { + "type": "record", + "required": true, "fields": [ { "store": { - "default": true, + "description": "If false, skips storing the callout response body into kong.ctx.shared.callouts..response.body.", "type": "boolean", - "description": "If false, skips storing the callout response body into kong.ctx.shared.callouts..response.body." + "default": true } }, { "decode": { - "default": false, + "description": "If true, decodes the response body before storing into the context. Only JSON is supported.", "type": "boolean", - "description": "If true, decodes the response body before storing into the context. Only JSON is supported." + "default": false } } - ], - "type": "record", - "required": true + ] } }, { "by_lua": { + "description": "Lua code that executes after the callout request is made, before caching takes place. Standard Lua sandboxing restrictions apply.", "type": "string", - "required": false, - "description": "Lua code that executes after the callout request is made, before caching takes place. Standard Lua sandboxing restrictions apply." + "required": false } } - ], - "type": "record", - "description": "Configurations of callout response handling.", - "required": true + ] } }, { "cache": { + "description": "Callout caching configuration.", + "type": "record", + "required": true, "fields": [ { "bypass": { - "default": false, + "description": "If true, skips caching the callout response.", "type": "boolean", - "description": "If true, skips caching the callout response." + "default": false } } - ], - "type": "record", - "description": "Callout caching configuration.", - "required": true + ] } } - ], - "type": "record" + ] }, - "description": "A collection of callout objects, where each object represents an HTTPrequest made in the context of a proxy request." 
+ "required": true } }, { "cache": { + "description": "Plugin global caching configuration.", + "type": "record", + "required": true, "fields": [ { "strategy": { - "default": "off", - "description": "The backing data store in which to hold cache entities. Accepted values are: `off`, `memory`, and `redis`.", "type": "string", + "description": "The backing data store in which to hold cache entities. Accepted values are: `off`, `memory`, and `redis`.", "one_of": [ "memory", "redis", "off" ], + "default": "off", "required": true } }, { "memory": { + "type": "record", "fields": [ { "dictionary_name": { - "default": "kong_db_cache", - "type": "string", "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string", + "default": "kong_db_cache", "required": true } } ], - "type": "record", "required": true } }, { "redis": { + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", "fields": [ { "host": { + "description": "A string representing a host name, such as example.com.", "default": 
"127.0.0.1", - "type": "string", - "description": "A string representing a host name, such as example.com." + "type": "string" } }, { "port": { - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", - "referenceable": true, - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." 
+ "referenceable": true } }, { "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "encrypted": true, "type": "string", - "referenceable": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + "referenceable": true } }, { "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", "type": "string", - "referenceable": true, - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + "referenceable": true } }, { "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "encrypted": true, "type": "string", - "referenceable": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + "referenceable": true } }, { "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, - "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "type": "integer" } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low.", "default": 256, "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "between": [ 1, 2147483646 @@ -553,8 +625,8 @@ }, { "keepalive_backlog": { - "type": "integer", "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 
@@ -569,115 +641,115 @@ }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + ] } }, { "sentinel_nodes": { + "type": "array", + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "elements": { + "type": "record", "fields": [ { "host": { - "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", "type": "string", - "required": true, - "description": "A string representing a host name, such as example.com." + "default": "127.0.0.1", + "required": true } }, { "port": { - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } - ], - "type": "record" + ] }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "type": "array", - "len_min": 1, "required": false } }, { "cluster_nodes": { + "type": "array", + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "elements": { + "type": "record", "fields": [ { "ip": { - "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", "type": "string", - "required": true, - "description": "A string representing a host name, such as example.com." + "default": "127.0.0.1", + "required": true } }, { "port": { - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 - ] + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } - ], - "type": "record" + ] }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", - "type": "array", - "len_min": 1, "required": false } }, { "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", "default": false, "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis.", "required": false } }, { "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false } }, { "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string", - "required": false, - "description": "A string representing an SNI (server name indication) value for TLS." + "required": false } }, { "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", "default": 5, "type": "integer", - "required": false, - "description": "Maximum retry attempts for redirection." + "required": false } }, { "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "default": false, "type": "boolean", - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "required": false } } @@ -686,7 +758,6 @@ { "timeout": { "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", "removal_in_version": "4.0", "replaced_with": [ { @@ -704,7 +775,8 @@ "read_timeout" ] } - ] + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" }, "type": "integer" } @@ -712,7 +784,6 @@ { "sentinel_addresses": { "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0", "replaced_with": [ { @@ -720,19 +791,19 @@ "sentinel_nodes" ] } - ] + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" }, "type": "array", - "len_min": 1, "elements": { "type": "string" - } + }, + "len_min": 1 } }, { "cluster_addresses": { "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0", "replaced_with": [ { 
@@ -740,75 +811,14 @@ "cluster_nodes" ] } - ] + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" }, "type": "array", - "len_min": 1, "elements": { "type": "string" - } - } - } - ], - "type": "record", - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true }, - "if_match": { - "eq": true - } - } - }, - { - "custom_entity_check": { - "field_sources": [ - "database", - "connection_is_proxied" - ], - "run_with_missing_fields": true - } - }, - { - "custom_entity_check": { - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ], - "run_with_missing_fields": true - } - }, - { - "custom_entity_check": { - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ], - "run_with_missing_fields": true + "len_min": 1 } } ], 
@@ -817,133 +827,132 @@ }, { "cache_ttl": { - "default": 300, - "type": "integer", "description": "TTL in seconds of cache entities.", + "type": "integer", + "default": 300, "gt": 0 } } - ], - "type": "record", - "description": "Plugin global caching configuration.", - "required": true + ] } }, { "upstream": { + "description": "Customizations to the upstream request.", + "type": "record", "fields": [ { "by_lua": { + "description": "Lua code that executes before the upstream request is made. Standard Lua sandboxing restrictions apply.", "type": "string", - "required": false, - "description": "Lua code that executes before the upstream request is made. Standard Lua sandboxing restrictions apply." + "required": false } }, { "query": { + "description": "Upstream request query param customizations.", + "type": "record", + "required": true, "fields": [ { "forward": { - "default": true, + "description": "If false, does not forward request query params to upstream request.", "type": "boolean", - "description": "If false, does not forward request query params to upstream request." + "default": true } }, { "custom": { - "values": { - "required": false, - "type": "string" - }, - "required": false, "type": "map", "keys": { "type": "string" }, - "description": "The custom query params to be added in the upstream HTTP request. Values can contain Lua expressions in the form $(some_lua_code)." + "description": "The custom query params to be added in the upstream HTTP request. 
Values can contain Lua expressions in the form $(some_lua_code).", + "values": { + "type": "string", + "referenceable": true, + "required": false + }, + "required": false } } - ], - "type": "record", - "description": "Upstream request query param customizations.", - "required": true + ] } }, { "headers": { + "description": "Callout request header customizations.", + "type": "record", + "required": true, "fields": [ { "forward": { - "default": true, + "description": "If false, does not forward request headers to upstream request.", "type": "boolean", - "description": "If false, does not forward request headers to upstream request." + "default": true } }, { "custom": { - "values": { - "required": false, - "type": "string" - }, - "required": false, "type": "map", "keys": { "type": "string" }, - "description": "The custom headers to be added in the upstream HTTP request. Values can contain Lua expressions in the form $(some_lua_code)." + "description": "The custom headers to be added in the upstream HTTP request. Values can contain Lua expressions in the form $(some_lua_code).", + "values": { + "type": "string", + "referenceable": true, + "required": false + }, + "required": false } } - ], - "type": "record", - "description": "Callout request header customizations.", - "required": true + ] } }, { "body": { + "description": "Callout request body customizations.", + "type": "record", + "required": true, "fields": [ { "forward": { - "default": true, + "description": "If false, skips forwarding the incoming request's body to the upstream request.", "type": "boolean", - "description": "If false, skips forwarding the incoming request's body to the upstream request." + "default": true } }, { "decode": { - "default": true, + "description": "If true, decodes the request's body to make it available for upstream by_lua customizations.", "type": "boolean", - "description": "If true, decodes the request's body to make it available for upstream by_lua customizations." 
+ "default": true } }, { "custom": { - "values": { - "required": false, - "type": "string" - }, - "required": false, "type": "map", "keys": { "type": "string" }, - "description": "The custom body fields to be added in the upstream request body. Values can contain Lua expressions in the form $(some_lua_code)." + "description": "The custom body fields to be added in the upstream request body. Values can contain Lua expressions in the form $(some_lua_code).", + "values": { + "type": "string", + "referenceable": true, + "required": false + }, + "required": false } } - ], - "type": "record", - "description": "Callout request body customizations.", - "required": true + ] } } ], - "type": "record", - "description": "Customizations to the upstream request.", "required": true } } ], - "type": "record", "required": true } } diff --git a/schemas/request-size-limiting/3.10.x.json b/schemas/request-size-limiting/3.10.x.json index f11b1d6a..d9d0bc10 100644 --- a/schemas/request-size-limiting/3.10.x.json +++ b/schemas/request-size-limiting/3.10.x.json @@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,20 +14,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { 
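Review bot: The `custom` maps under `upstream.query`, `upstream.headers` and `upstream.body` gain `"referenceable": true` on their values, but each description still stops at "Values can contain Lua expressions in the form $(some_lua_code)" and never says that a vault reference is now accepted. An operator reading the schema cannot tell that a secret can be kept out of the plugin config here, nor whether a resolved secret is itself passed through `$(...)` evaluation (not visible from this hunk; worth confirming upstream). I would add one sentence to each of the three descriptions, such as `Values can also be vault references.`, and state the evaluation order once it is confirmed. In the same hunk, `headers` and `body` are described as "Callout request ... customizations" although they sit under `upstream`, next to `query`'s "Upstream request query param customizations"; the wording should match the parent. If these files are pulled from the gateway's API, the change belongs in the plugin's schema source.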
@@ -43,21 +46,21 @@ }, { "size_unit": { - "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", "type": "string", - "required": true, - "default": "megabytes", + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", "one_of": [ "megabytes", "kilobytes", "bytes" - ] + ], + "default": "megabytes", + "required": true } }, { "require_content_length": { - "default": false, "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", + "default": false, "type": "boolean", "required": true } @@ -66,8 +69,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/request-termination/3.10.x.json b/schemas/request-termination/3.10.x.json index 3f73ff4a..b27ff5f6 100644 --- a/schemas/request-termination/3.10.x.json +++ b/schemas/request-termination/3.10.x.json @@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,12 +14,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { 
@@ -28,54 +31,51 @@ "fields": [ { "status_code": { - "description": "The response code to send. Must be an integer between 100 and 599.", "type": "integer", - "required": true, + "description": "The response code to send. Must be an integer between 100 and 599.", "default": 503, "between": [ 100, 599 - ] + ], + "required": true } }, { "message": { - "type": "string", - "description": "The message to send, if using the default response generator." + "description": "The message to send, if using the default response generator.", + "type": "string" } }, { "content_type": { - "type": "string", - "description": "Content type of the raw response configured with `config.body`." + "description": "Content type of the raw response configured with `config.body`.", + "type": "string" } }, { "body": { - "type": "string", - "description": "The raw response body to send. This is mutually exclusive with the `config.message` field." + "description": "The raw response body to send. This is mutually exclusive with the `config.message` field.", + "type": "string" } }, { "echo": { - "type": "boolean", "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", + "type": "boolean", "default": false, "required": true } }, { "trigger": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } } ], "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/request-transformer-advanced/3.10.x.json b/schemas/request-transformer-advanced/3.10.x.json index 822027a4..019f100e 100644 --- a/schemas/request-transformer-advanced/3.10.x.json +++ b/schemas/request-transformer-advanced/3.10.x.json 
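Review bot: The `trigger` description on the new side, "A string representing an HTTP header name.", is only the generic type text and does not say what the field does, although the `echo` description relies on it ("It can be combined with `trigger` in order to debug requests on live systems"). Because `echo` returns a copy of the request to the client, the schema should state under which condition the plugin acts when `trigger` is set, and that without it the plugin presumably acts on every request it is attached to (confirm against the plugin). Something like `Name of the request header that must be present for the plugin to act; when unset, the plugin acts on every matching request.` would do once verified. The `echo` description could also say that the echoed copy may include headers added by proxies or plugins in front of this one (not visible here), so it should stay off routes where those values are sensitive.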
@@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,12 +14,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { @@ -42,10 +45,10 @@ "elements": { "type": "string" }, - "type": "array", "default": [ - ] + ], + "type": "array" } }, { @@ -53,10 +56,10 @@ "elements": { "type": "string" }, - "type": "array", "default": [ - ] + ], + "type": "array" } }, { @@ -64,10 +67,10 @@ "elements": { "type": "string" }, - "type": "array", "default": [ - ] + ], + "type": "array" } } ], @@ -81,37 +84,37 @@ { "body": { "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array", "default": [ - ] + ], + "type": "array" } }, { "headers": { "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array", "default": [ - ] + ], + "type": "array" } }, { "querystring": { "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array", "default": [ - ] + ], + "type": "array" } } ], @@ -125,37 +128,37 @@ { "body": { "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array", "default": [ - ] + ], + "type": "array" } }, { "headers": { "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array", "default": [ - ] + ], + "type": "array" } }, { "querystring": { "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array", "default": [ - ] + ], + "type": "array" } }, { 
@@ -168,10 +171,10 @@ "string" ] }, - "type": "array", "default": [ - ] + ], + "type": "array" } }, { @@ -190,37 +193,37 @@ { "body": { "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array", "default": [ - ] + ], + "type": "array" } }, { "headers": { "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array", "default": [ - ] + ], + "type": "array" } }, { "querystring": { "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array", "default": [ - ] + ], + "type": "array" } }, { @@ -233,10 +236,10 @@ "string" ] }, - "type": "array", "default": [ - ] + ], + "type": "array" } } ], @@ -250,37 +253,37 @@ { "body": { "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array", "default": [ - ] + ], + "type": "array" } }, { "headers": { "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array", "default": [ - ] + ], + "type": "array" } }, { "querystring": { "elements": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, - "type": "array", "default": [ - ] + ], + "type": "array" } }, { @@ -293,10 +296,10 @@ "string" ] }, - "type": "array", "default": [ - ] + ], + "type": "array" } } ], @@ -330,8 +333,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/request-transformer/3.10.x.json b/schemas/request-transformer/3.10.x.json index 4cf18fa7..ce38146a 100644 --- a/schemas/request-transformer/3.10.x.json +++ b/schemas/request-transformer/3.10.x.json 
@@ -1,13 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", - "type": "set", - "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -19,14 +18,18 @@ "udp", "ws", "wss" - ] + ], + "type": "string" }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { @@ -46,10 +49,10 @@ "fields": [ { "body": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ], @@ -58,10 +61,10 @@ }, { "headers": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ], @@ -70,10 +73,10 @@ }, { "querystring": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ], @@ -90,10 +93,10 @@ "fields": [ { "body": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ], @@ -102,11 +105,11 @@ }, { "headers": { - "type": "array", "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, + "type": "array", "default": [ ], @@ -115,10 +118,10 @@ }, { "querystring": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ], @@ -135,10 +138,10 @@ "fields": [ { "body": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ], @@ -147,11 +150,11 @@ }, { "headers": { - "type": "array", "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, + "type": "array", "default": [ ], @@ -160,10 +163,10 @@ }, { "querystring": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ], @@ -185,10 +188,10 @@ "fields": [ { "body": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ], 
@@ -197,11 +200,11 @@ }, { "headers": { - "type": "array", "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, + "type": "array", "default": [ ], @@ -210,10 +213,10 @@ }, { "querystring": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ], @@ -230,10 +233,10 @@ "fields": [ { "body": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ], @@ -242,11 +245,11 @@ }, { "headers": { - "type": "array", "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, + "type": "array", "default": [ ], @@ -255,10 +258,10 @@ }, { "querystring": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ], @@ -273,8 +276,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/request-validator/3.10.x.json b/schemas/request-validator/3.10.x.json index 616a4d4a..0298f115 100644 --- a/schemas/request-validator/3.10.x.json +++ b/schemas/request-validator/3.10.x.json @@ -1,10 +1,16 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,20 +20,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { 
@@ -51,44 +60,63 @@ }, { "allowed_content_types": { + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", + "type": "set", "default": [ "application/json" ], - "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", - "type": "set", "elements": { - "type": "string", - "required": true + "required": true, + "type": "string" } } }, { "version": { - "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", "type": "string", - "required": true, + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", "default": "kong", "one_of": [ "kong", "draft4" - ] + ], + "required": true } }, { "parameter_schema": { + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", + "type": "array", "elements": { + "entity_checks": [ + { + "mutually_required": [ + "style", + "explode", + "schema" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "style", + "in" + ] + } + } + ], "type": "record", "fields": [ { "in": { - "required": true, "description": "The location of the parameter.", "type": "string", "one_of": [ "query", "header", "path" - ] + ], + "required": true } }, { 
@@ -122,53 +150,34 @@ }, { "explode": { - "type": "boolean", - "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect." + "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect.", + "type": "boolean" } }, { "schema": { - "type": "string", - "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating." - } - } - ], - "entity_checks": [ - { - "mutually_required": [ - "style", - "explode", - "schema" - ] - }, - { - "custom_entity_check": { - "field_sources": [ - "style", - "in" - ] + "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating.", + "type": "string" } } ] }, - "description": "Array of parameter validator specification. 
One of `body_schema` or `parameter_schema` must be specified.", - "type": "array", "required": false } }, { "verbose_response": { - "default": false, "description": "If enabled, the plugin returns more verbose and detailed validation errors.", "type": "boolean", + "default": false, "required": true } }, { "content_type_parameter_validation": { - "default": true, "description": "Determines whether to enable parameters validation of request content-type.", "type": "boolean", + "default": true, "required": true } } @@ -176,14 +185,5 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/response-ratelimiting/3.10.x.json b/schemas/response-ratelimiting/3.10.x.json index 0b7430b9..5f746c6c 100644 --- a/schemas/response-ratelimiting/3.10.x.json +++ b/schemas/response-ratelimiting/3.10.x.json @@ -1,4 +1,42 @@ { + "entity_checks": [ + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.host", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.port", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.timeout", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + } + ], "supported_partials": { "redis-ce": [ "config.redis" @@ -7,9 +45,6 @@ "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ 
@@ -19,181 +54,27 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { "config": { - "shorthand_fields": [ - { - "redis_host": { - "type": "string", - "deprecation": { - "removal_in_version": "4.0", - "message": "response-ratelimiting: config.redis_host is deprecated, please use config.redis.host instead", - "replaced_with": [ - { - "path": [ - "redis", - "host" - ] - } - ] - } - } - }, - { - "redis_port": { - "type": "integer", - "deprecation": { - "removal_in_version": "4.0", - "message": "response-ratelimiting: config.redis_port is deprecated, please use config.redis.port instead", - "replaced_with": [ - { - "path": [ - "redis", - "port" - ] - } - ] - } - } - }, - { - "redis_password": { - "len_min": 0, - "type": "string", - "deprecation": { - "removal_in_version": "4.0", - "message": "response-ratelimiting: config.redis_password is deprecated, please use config.redis.password instead", - "replaced_with": [ - { - "path": [ - "redis", - "password" - ] - } - ] - } - } - }, - { - "redis_username": { - "type": "string", - "deprecation": { - "removal_in_version": "4.0", - "message": "response-ratelimiting: config.redis_username is deprecated, please use config.redis.username instead", - "replaced_with": [ - { - "path": [ - "redis", - "username" - ] - } - ] - } - } - }, - { - "redis_ssl": { - "type": "boolean", - "deprecation": { - "removal_in_version": "4.0", - "message": "response-ratelimiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", - "replaced_with": [ - { - "path": [ - "redis", - "ssl" - ] - } - ] - } - } - }, - { - "redis_ssl_verify": { - "type": "boolean", - "deprecation": { - 
"removal_in_version": "4.0", - "message": "response-ratelimiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", - "replaced_with": [ - { - "path": [ - "redis", - "ssl_verify" - ] - } - ] - } - } - }, - { - "redis_server_name": { - "type": "string", - "deprecation": { - "removal_in_version": "4.0", - "message": "response-ratelimiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", - "replaced_with": [ - { - "path": [ - "redis", - "server_name" - ] - } - ] - } - } - }, - { - "redis_timeout": { - "type": "integer", - "deprecation": { - "removal_in_version": "4.0", - "message": "response-ratelimiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", - "replaced_with": [ - { - "path": [ - "redis", - "timeout" - ] - } - ] - } - } - }, - { - "redis_database": { - "type": "integer", - "deprecation": { - "removal_in_version": "4.0", - "message": "response-ratelimiting: config.redis_database is deprecated, please use config.redis.database instead", - "replaced_with": [ - { - "path": [ - "redis", - "database" - ] - } - ] - } - } - } - ], - "type": "record", "fields": [ { "header_name": { @@ -204,9 +85,9 @@ }, { "limit_by": { - "type": "string", "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", "default": "consumer", + "type": "string", "one_of": [ "consumer", "credential", @@ -216,9 +97,9 @@ }, { "policy": { - "type": "string", "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", "default": "local", + "type": "string", "one_of": [ "local", "cluster", 
@@ -228,43 +109,43 @@ }, { "fault_tolerant": { - "type": "boolean", "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", + "type": "boolean", "default": true, "required": true } }, { "redis": { - "type": "record", "description": "Redis configuration", + "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -276,11 +157,11 @@ }, { "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "type": "string", + "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "encrypted": true, - "len_min": 0, - "referenceable": true + "len_min": 0 } }, { 
@@ -292,16 +173,16 @@ }, { "ssl": { - "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean", "default": false, "required": false } }, { "ssl_verify": { - "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean", "default": false, "required": false } 
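Review bot: `ssl` and `ssl_verify` both keep `"default": false` in this hunk, so a Redis-backed policy talks to Redis in cleartext unless the operator opts in, and turning on `ssl` alone still leaves the server certificate unchecked. The `ssl` description ("If set to true, uses SSL to connect to Redis.") does not mention that second step, while the `password` field of the same `redis` record (previous hunk) is sent over whatever transport is configured. I would append to the `ssl` description `Also set ssl_verify to true; otherwise the server certificate is not validated.` The `redis` record continues outside this hunk.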
@@ -319,126 +200,245 @@ }, { "block_on_first_violation": { - "type": "boolean", "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", + "type": "boolean", "default": false, "required": true } }, { "hide_client_headers": { - "type": "boolean", "description": "Optionally hide informative response headers.", + "type": "boolean", "default": false, "required": true } }, { "limits": { - "description": "A map that defines rate limits for the plugin.", "type": "map", - "required": true, + "len_min": 1, + "description": "A map that defines rate limits for the plugin.", "values": { + "entity_checks": [ + { + "at_least_one_of": [ + "second", + "minute", + "hour", + "day", + "month", + "year" + ] + } + ], + "type": "record", + "required": true, "fields": [ { "second": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "minute": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "hour": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "day": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "month": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { "year": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } } + ] + }, + "keys": { + "type": "string" + }, + "required": true + } + } + ], + "type": "record", + "shorthand_fields": [ + { + "redis_host": { + "deprecation": { + "message": "response-ratelimiting: config.redis_host is deprecated, please use config.redis.host instead", + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } ], - "entity_checks": [ + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "redis_port": { + "deprecation": { + "message": "response-ratelimiting: config.redis_port is deprecated, please use config.redis.port instead", + "replaced_with": [ { - "at_least_one_of": [ - "second", - 
"minute", - "hour", - "day", - "month", - "year" + "path": [ + "redis", + "port" ] } ], - "type": "record", - "required": true + "removal_in_version": "4.0" }, - "len_min": 1, - "keys": { - "type": "string" + "type": "integer" + } + }, + { + "redis_password": { + "type": "string", + "len_min": 0, + "deprecation": { + "message": "response-ratelimiting: config.redis_password is deprecated, please use config.redis.password instead", + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ], + "removal_in_version": "4.0" } } + }, + { + "redis_username": { + "deprecation": { + "message": "response-ratelimiting: config.redis_username is deprecated, please use config.redis.username instead", + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ], + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "redis_ssl": { + "deprecation": { + "message": "response-ratelimiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ], + "removal_in_version": "4.0" + }, + "type": "boolean" + } + }, + { + "redis_ssl_verify": { + "deprecation": { + "message": "response-ratelimiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ], + "removal_in_version": "4.0" + }, + "type": "boolean" + } + }, + { + "redis_server_name": { + "deprecation": { + "message": "response-ratelimiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ], + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "redis_timeout": { + "deprecation": { + "message": "response-ratelimiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", + "replaced_with": [ + { + "path": [ + "redis", + "timeout" + ] + } + ], + 
"removal_in_version": "4.0" + }, + "type": "integer" + } + }, + { + "redis_database": { + "deprecation": { + "message": "response-ratelimiting: config.redis_database is deprecated, please use config.redis.database instead", + "replaced_with": [ + { + "path": [ + "redis", + "database" + ] + } + ], + "removal_in_version": "4.0" + }, + "type": "integer" + } } ], "required": true } } - ], - "entity_checks": [ - { - "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.host", - "if_field": "config.policy", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.port", - "if_field": "config.policy", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.timeout", - "if_field": "config.policy", - "then_match": { - "required": true - } - } - } ] } \ No newline at end of file diff --git a/schemas/response-transformer-advanced/3.10.x.json b/schemas/response-transformer-advanced/3.10.x.json index 619e9224..f90a06b3 100644 --- a/schemas/response-transformer-advanced/3.10.x.json +++ b/schemas/response-transformer-advanced/3.10.x.json @@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,12 +14,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { 
@@ -32,35 +35,35 @@ "fields": [ { "json": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "headers": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "if_status": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], @@ -73,25 +76,25 @@ "fields": [ { "headers": { - "elements": { - "type": "string", - "match": "^[^:]+:.*$" - }, - "type": "array", "default": [ - ] + ], + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "type": "array" } }, { "if_status": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], @@ -104,23 +107,26 @@ "fields": [ { "body": { - "type": "string", - "description": "String with which to replace the entire response body." + "description": "String with which to replace the entire response body.", + "type": "string" } }, { "json": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "json_types": { + "default": [ + + ], "elements": { "type": "string", "one_of": [ @@ -129,32 +135,29 @@ "string" ] }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "headers": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "if_status": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], @@ -167,17 +170,20 @@ "fields": [ { "json": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "json_types": { + "default": [ + + ], "elements": { "type": "string", "one_of": [ 
@@ -186,32 +192,29 @@ "string" ] }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "headers": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "if_status": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], @@ -224,17 +227,20 @@ "fields": [ { "json": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "json_types": { + "default": [ + + ], "elements": { "type": "string", "one_of": [ @@ -243,32 +249,29 @@ "string" ] }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "headers": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "if_status": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], @@ -297,35 +300,35 @@ "fields": [ { "functions": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "if_status": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } }, { "json": { + "default": [ + + ], "elements": { "type": "string" }, - "type": "array", - "default": [ - - ] + "type": "array" } } ], @@ -343,8 +346,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/response-transformer/3.10.x.json b/schemas/response-transformer/3.10.x.json index ccf1f248..6d49d0ce 100644 --- a/schemas/response-transformer/3.10.x.json +++ b/schemas/response-transformer/3.10.x.json @@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ 
@@ -14,12 +14,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { @@ -32,10 +35,10 @@ "fields": [ { "json": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ], @@ -44,10 +47,10 @@ }, { "headers": { - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ ], @@ -64,11 +67,11 @@ "fields": [ { "json": { - "type": "array", "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, + "type": "array", "default": [ ], @@ -77,11 +80,11 @@ }, { "headers": { - "type": "array", "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, + "type": "array", "default": [ ], @@ -98,11 +101,11 @@ "fields": [ { "json": { - "type": "array", "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, + "type": "array", "default": [ ], @@ -111,9 +114,11 @@ }, { "json_types": { - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "type": "array", - "required": true, + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "default": [ + + ], "elements": { "type": "string", "one_of": [ @@ -122,18 +127,16 @@ "string" ] }, - "default": [ - - ] + "required": true } }, { "headers": { - "type": "array", "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, + "type": "array", "default": [ ], 
@@ -150,11 +153,11 @@ "fields": [ { "json": { - "type": "array", "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, + "type": "array", "default": [ ], @@ -163,9 +166,11 @@ }, { "json_types": { - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "type": "array", - "required": true, + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "default": [ + + ], "elements": { "type": "string", "one_of": [ @@ -174,18 +179,16 @@ "string" ] }, - "default": [ - - ] + "required": true } }, { "headers": { - "type": "array", "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, + "type": "array", "default": [ ], @@ -202,11 +205,11 @@ "fields": [ { "json": { - "type": "array", "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, + "type": "array", "default": [ ], @@ -215,9 +218,11 @@ }, { "json_types": { - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "type": "array", - "required": true, + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "default": [ + + ], "elements": { "type": "string", "one_of": [ @@ -226,18 +231,16 @@ "string" ] }, - "default": [ - - ] + "required": true } }, { "headers": { - "type": "array", "elements": { - "type": "string", - "match": "^[^:]+:.*$" + "match": "^[^:]+:.*$", + "type": "string" }, + "type": "array", "default": [ ], 
@@ -252,8 +255,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/route-by-header/3.10.x.json b/schemas/route-by-header/3.10.x.json index 89baa133..e6b60cc1 100644 --- a/schemas/route-by-header/3.10.x.json +++ b/schemas/route-by-header/3.10.x.json @@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,20 +14,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -36,9 +39,6 @@ "fields": [ { "rules": { - "default": [ - - ], "description": "Route by header rules.", "type": "array", "elements": { @@ -46,33 +46,33 @@ "fields": [ { "upstream_name": { - "type": "string", - "required": true + "required": true, + "type": "string" } }, { "condition": { - "len_min": 1, "type": "map", - "required": true, - "values": { + "keys": { "type": "string" }, - "keys": { + "values": { "type": "string" - } + }, + "len_min": 1, + "required": true } } ] - } + }, + "default": [ + + ] } } ], "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/route-transformer-advanced/3.10.x.json b/schemas/route-transformer-advanced/3.10.x.json index 0a4c440b..6e948d2e 100644 --- a/schemas/route-transformer-advanced/3.10.x.json +++ b/schemas/route-transformer-advanced/3.10.x.json 
@@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,20 +14,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -68,8 +71,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/saml/3.10.x.json b/schemas/saml/3.10.x.json index df58bf13..957e0ba7 100644 --- a/schemas/saml/3.10.x.json +++ b/schemas/saml/3.10.x.json @@ -1,4 +1,13 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "supported_partials": { "redis-ee": [ "config.redis" @@ -7,17 +16,14 @@ "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ 
@@ -27,148 +33,151 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { "config": { + "required": true, + "type": "record", "shorthand_fields": [ { "session_cookie_lifetime": { - "type": "number", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead" - } + "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead", + "removal_in_version": "4.0" + }, + "type": "number" } }, { "session_cookie_idletime": { - "type": "number", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead" - } + "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead", + "removal_in_version": "4.0" + }, + "type": "number" } }, { "session_cookie_samesite": { - "type": "string", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead" - } + "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead", + "removal_in_version": "4.0" + }, + "type": "string" } }, { "session_cookie_httponly": { - "type": "boolean", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead" - } + "message": 
"openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead", + "removal_in_version": "4.0" + }, + "type": "boolean" } }, { "session_memcache_prefix": { - "type": "string", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead" - } + "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead", + "removal_in_version": "4.0" + }, + "type": "string" } }, { "session_memcache_socket": { - "type": "string", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead" - } + "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead", + "removal_in_version": "4.0" + }, + "type": "string" } }, { "session_memcache_host": { - "type": "string", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead" - } + "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead", + "removal_in_version": "4.0" + }, + "type": "string" } }, { "session_memcache_port": { - "type": "integer", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead" - } + "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead", + "removal_in_version": "4.0" + }, + "type": "integer" } }, { "session_cookie_renew": { - "type": "number", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_renew option does 
not exist anymore" - } + "message": "openid-connect: config.session_cookie_renew option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "number" } }, { "session_cookie_maxsize": { - "type": "integer", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore" - } + "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "integer" } }, { "session_strategy": { - "type": "string", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_strategy option does not exist anymore" - } + "message": "openid-connect: config.session_strategy option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "string" } }, { "session_compressor": { - "type": "string", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_compressor option does not exist anymore" - } + "message": "openid-connect: config.session_compressor option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "string" } }, { "session_auth_ttl": { - "type": "number", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_auth_ttl option does not exist anymore" - } + "message": "openid-connect: config.session_auth_ttl option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "number" } }, { "session_redis_prefix": { - "type": "string", "deprecation": { "removal_in_version": "4.0", - "message": "saml: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", "replaced_with": [ { "path": [ 
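Review bot: The shorthand fields from `session_cookie_lifetime` through `session_auth_ttl` in this hunk of `schemas/saml/3.10.x.json` carry deprecation messages prefixed `openid-connect:`, while the Redis shorthands later in the same file use `saml:`. An operator who sees one of these warnings in a log would look for the setting under the wrong plugin and could leave the deprecated SAML session option in place until it is removed in 4.0. The prefix should name this plugin, for example `"message": "saml: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead"`. The hunk only reorders keys, so the mismatch predates this commit; if the file is pulled from the gateway API, the fix presumably belongs in the plugin schema upstream.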
@@ -176,16 +185,16 @@ "prefix" ] } - ] - } + ], + "message": "saml: config.session_redis_prefix is deprecated, please use config.redis.prefix instead" + }, + "type": "string" } }, { "session_redis_socket": { - "type": "string", "deprecation": { "removal_in_version": "4.0", - "message": "saml: config.session_redis_socket is deprecated, please use config.redis.socket instead", "replaced_with": [ { "path": [ @@ -193,16 +202,16 @@ "socket" ] } - ] - } + ], + "message": "saml: config.session_redis_socket is deprecated, please use config.redis.socket instead" + }, + "type": "string" } }, { "session_redis_host": { - "type": "string", "deprecation": { "removal_in_version": "4.0", - "message": "saml: config.session_redis_host is deprecated, please use config.redis.host instead", "replaced_with": [ { "path": [ @@ -210,16 +219,16 @@ "host" ] } - ] - } + ], + "message": "saml: config.session_redis_host is deprecated, please use config.redis.host instead" + }, + "type": "string" } }, { "session_redis_port": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", - "message": "saml: config.session_redis_port is deprecated, please use config.redis.port instead", "replaced_with": [ { "path": [ @@ -227,16 +236,16 @@ "port" ] } - ] - } + ], + "message": "saml: config.session_redis_port is deprecated, please use config.redis.port instead" + }, + "type": "integer" } }, { "session_redis_username": { - "type": "string", "deprecation": { "removal_in_version": "4.0", - "message": "saml: config.redis_host is deprecated, please use config.redis.host instead", "replaced_with": [ { "path": [ 
@@ -244,16 +253,16 @@ "username" ] } - ] - } + ], + "message": "saml: config.redis_host is deprecated, please use config.redis.host instead" + }, + "type": "string" } }, { "session_redis_password": { - "type": "string", "deprecation": { "removal_in_version": "4.0", - "message": "saml: config.session_redis_password is deprecated, please use config.redis.password instead", "replaced_with": [ { "path": [ @@ -261,16 +270,16 @@ "password" ] } - ] - } + ], + "message": "saml: config.session_redis_password is deprecated, please use config.redis.password instead" + }, + "type": "string" } }, { "session_redis_connect_timeout": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", - "message": "saml: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", "replaced_with": [ { "path": [ @@ -278,16 +287,16 @@ "connect_timeout" ] } - ] - } + ], + "message": "saml: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead" + }, + "type": "integer" } }, { "session_redis_read_timeout": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", - "message": "saml: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", "replaced_with": [ { "path": [ @@ -295,16 +304,16 @@ "read_timeout" ] } - ] - } + ], + "message": "saml: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead" + }, + "type": "integer" } }, { "session_redis_send_timeout": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", - "message": "saml: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", "replaced_with": [ { "path": [ 
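Review bot: In the `@@ -244,16 +253,16 @@` hunk the deprecation message re-added for `session_redis_username` names the wrong field: it reads `saml: config.redis_host is deprecated, please use config.redis.host instead`, although the `replaced_with` path shown just above it ends in `username`. Anyone following the message rather than the path would be directed to the host setting and could leave the Redis username unmigrated. The message should match its siblings: `"message": "saml: config.session_redis_username is deprecated, please use config.redis.username instead"`. The `session_redis_username` object opens in the preceding hunk, and the line was only moved here, so the error is older than this commit.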
@@ -312,16 +321,16 @@ "send_timeout" ] } - ] - } + ], + "message": "saml: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead" + }, + "type": "integer" } }, { "session_redis_ssl": { - "type": "boolean", "deprecation": { "removal_in_version": "4.0", - "message": "saml: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", "replaced_with": [ { "path": [ @@ -329,16 +338,16 @@ "ssl" ] } - ] - } + ], + "message": "saml: config.session_redis_ssl is deprecated, please use config.redis.ssl instead" + }, + "type": "boolean" } }, { "session_redis_ssl_verify": { - "type": "boolean", "deprecation": { "removal_in_version": "4.0", - "message": "saml: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", "replaced_with": [ { "path": [ @@ -346,16 +355,16 @@ "ssl_verify" ] } - ] - } + ], + "message": "saml: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead" + }, + "type": "boolean" } }, { "session_redis_server_name": { - "type": "string", "deprecation": { "removal_in_version": "4.0", - "message": "saml: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", "replaced_with": [ { "path": [ @@ -363,8 +372,10 @@ "server_name" ] } - ] - } + ], + "message": "saml: config.session_redis_server_name is deprecated, please use config.redis.server_name instead" + }, + "type": "string" } }, { @@ -374,21 +385,21 @@ "fields": [ { "ip": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] 
@@ -396,7 +407,6 @@ "type": "array", "deprecation": { "removal_in_version": "4.0", - "message": "saml: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", "replaced_with": [ { "path": [ @@ -404,16 +414,15 @@ "cluster_nodes" ] } - ] + ], + "message": "saml: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead" } } }, { "session_redis_cluster_max_redirections": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", - "message": "saml: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", "replaced_with": [ { "path": [ @@ -421,16 +430,16 @@ "cluster_max_redirections" ] } - ] - } + ], + "message": "saml: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead" + }, + "type": "integer" } }, { "session_redis_cluster_maxredirections": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", - "message": "saml: config.session_redis_cluster_maxredirections is deprecated, please use config.redis.cluster_max_redirections instead", "replaced_with": [ { "path": [ @@ -438,25 +447,26 @@ "cluster_max_redirections" ] } - ] - } + ], + "message": "saml: config.session_redis_cluster_maxredirections is deprecated, please use config.redis.cluster_max_redirections instead" + }, + "type": "integer" } } ], - "type": "record", "fields": [ { "assertion_consumer_path": { + "type": "string", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], + "starts_with": "/", "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "type": "string", - "required": true, - "starts_with": "/" + "required": true } }, { 
@@ -468,88 +478,88 @@ }, { "idp_certificate": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", - "referenceable": true + "encrypted": true, + "required": false } }, { "response_encryption_key": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "The private encryption key required to decrypt encrypted assertions.", - "referenceable": true + "encrypted": true, + "required": false } }, { "request_signing_key": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", - "referenceable": true + "encrypted": true, + "required": false } }, { "request_signing_certificate": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "The certificate for signing requests.", - "referenceable": true + "encrypted": true, + "required": false } }, { "request_signature_algorithm": { - "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`", "type": "string", - "required": false, - "default": "SHA256", + "description": "The signature algorithm for signing Authn requests. 
Options available are: - `SHA256` - `SHA384` - `SHA512`", "one_of": [ "SHA256", "SHA384", "SHA512" - ] + ], + "default": "SHA256", + "required": false } }, { "request_digest_algorithm": { - "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", "type": "string", - "required": false, - "default": "SHA256", + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", "one_of": [ "SHA256", "SHA1" - ] + ], + "default": "SHA256", + "required": false } }, { "response_signature_algorithm": { - "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", "type": "string", - "required": false, - "default": "SHA256", + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", "one_of": [ "SHA256", "SHA384", "SHA512" - ] + ], + "default": "SHA256", + "required": false } }, { "response_digest_algorithm": { - "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", "type": "string", - "required": false, - "default": "SHA256", + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", "one_of": [ "SHA256", "SHA1" - ] + ], + "default": "SHA256", + "required": false } }, { 
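Review bot: `request_digest_algorithm` and `response_digest_algorithm` in this hunk still list `SHA1` in `one_of`, and their descriptions present it as an equal alternative to `SHA256`. SHA-1 is no longer collision resistant, which matters most for `response_digest_algorithm`, since that digest is what the plugin verifies on assertions received from the IdP. The default is already `SHA256`, so the missing piece is documentation: append a sentence such as `SHA1 is kept only for compatibility with legacy IdPs; prefer SHA256.` to both descriptions. The hunk itself only reorders keys.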
@@ -561,22 +571,22 @@ }, { "nameid_format": { - "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", "type": "string", - "required": false, - "default": "EmailAddress", + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", "one_of": [ "Unspecified", "EmailAddress", "Persistent", "Transient" - ] + ], + "default": "EmailAddress", + "required": false } }, { "validate_assertion_signature": { - "type": "boolean", "description": "Enable signature validation for SAML responses.", + "type": "boolean", "default": true, "required": false } 
@@ -590,101 +600,101 @@ }, { "session_secret": { + "len_max": 32, + "type": "string", "match": "^[0-9a-zA-Z/_+]+$", + "referenceable": true, "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", - "len_max": 32, - "required": true, "encrypted": true, "len_min": 32, - "type": "string", - "referenceable": true + "required": true } }, { "session_audience": { - "type": "string", "description": "The session audience, for example \"my-application\"", + "type": "string", "default": "default", "required": false } }, { "session_cookie_name": { - "type": "string", "description": "The session cookie name.", + "type": "string", "default": "session", "required": false } }, { "session_remember": { - "type": "boolean", "description": "Enables or disables persistent sessions", + "type": "boolean", "default": false, "required": false } }, { "session_remember_cookie_name": { - "type": "string", "description": "Persistent session cookie name", + "type": "string", "default": "remember", "required": false } }, { "session_remember_rolling_timeout": { - "type": "number", "description": "Persistent session rolling timeout in seconds.", + "type": "number", "default": 604800, "required": false } }, { "session_remember_absolute_timeout": { - "type": "number", "description": "Persistent session absolute timeout in seconds.", + "type": "number", "default": 2592000, "required": false } }, { "session_idling_timeout": { - "type": "number", "description": "The session cookie idle time in seconds.", + "type": "number", "default": 900, "required": false } }, { "session_rolling_timeout": { - "type": "number", "description": "The session cookie absolute timeout in seconds. 
Specifies how long the session can be used until it is no longer valid.", + "type": "number", "default": 3600, "required": false } }, { "session_absolute_timeout": { - "type": "number", "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "type": "number", "default": 86400, "required": false } }, { "session_cookie_path": { + "type": "string", "match_none": [ { - "pattern": "//", - "err": "must not have empty segments" + "err": "must not have empty segments", + "pattern": "//" } ], "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", - "type": "string", - "required": false, "default": "/", - "starts_with": "/" + "starts_with": "/", + "required": false } }, { @@ -696,22 +706,22 @@ }, { "session_cookie_same_site": { - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "type": "string", - "required": false, - "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "one_of": [ "Strict", "Lax", "None", "Default" - ] + ], + "default": "Lax", + "required": false } }, { "session_cookie_http_only": { - "type": "boolean", "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean", "default": true, "required": false } 
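Review bot: `session_rolling_timeout` (default 3600) and `session_absolute_timeout` (default 86400) in the `@@ -590,101 +600,101 @@` hunk share the same description, "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid." A reader cannot tell from the schema which value bounds the total session lifetime and which one governs renewal, and that makes it easy to set a longer session lifetime than intended. The rolling entry needs its own text, for example `"description": "The session cookie rolling timeout in seconds. Specifies how long the session can be used until it needs to be renewed."`; this wording should be confirmed against the plugin's behaviour.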
@@ -759,46 +769,46 @@ }, { "session_storage": { - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", "type": "string", - "required": false, - "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", "one_of": [ "cookie", "memcache", "memcached", "redis" - ] + ], + "default": "cookie", + "required": false } }, { "session_store_metadata": { - "type": "boolean", "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", + "type": "boolean", "default": false, "required": false } }, { "session_enforce_same_subject": { - "type": "boolean", "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean", "default": false, "required": false } }, { "session_hash_subject": { - "type": "boolean", "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "type": "boolean", "default": false, "required": false } }, { "session_hash_storage_key": { - "type": "boolean", "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean", "default": false, "required": false } 
@@ -819,26 +829,88 @@ }, { "session_memcached_host": { - "type": "string", "description": "The memcached host.", + "type": "string", "default": "127.0.0.1", "required": false } }, { "session_memcached_port": { - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", - "required": false, - "default": 11211, "between": [ 0, 65535 - ] + ], + "default": 11211, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": false } }, { "redis": { + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", "fields": [ { "host": { 
@@ -849,46 +921,46 @@ }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } }, { "connect_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "send_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { "read_timeout": { - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" } }, { @@ -930,13 +1002,13 @@ }, { "keepalive_pool_size": { - "type": "integer", "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "default": 256, "between": [ 1, 2147483646 - ] + ], + "type": "integer" } }, { 
@@ -951,8 +1023,8 @@ }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { 
@@ -968,80 +1040,80 @@ }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "elements": { - "type": "record", "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } } - ] + ], + "type": "record" }, - "len_min": 1 + "required": false } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "elements": { - "type": "record", "fields": [ { "ip": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer", "between": [ 0, 65535 - ] + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" } } - ] + ], + "type": "record" }, - "len_min": 1 + "required": false } }, { "ssl": { - "default": false, "description": "If set to true, uses SSL to connect to Redis.", + "default": false, "type": "boolean", "required": false } }, { "ssl_verify": { - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, "type": "boolean", "required": false } @@ -1055,16 +1127,16 @@ }, { "cluster_max_redirections": { - "default": 5, "description": "Maximum retry attempts for redirection.", + "default": 5, "type": "integer", "required": false } }, { "connection_is_proxied": { - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "default": false, "type": "boolean", "required": false } 
@@ -1084,73 +1156,9 @@ } } ], - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "required": true, "shorthand_fields": [ { "timeout": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", "replaced_with": [ @@ -1171,16 +1179,16 @@ } ], "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" - } + }, + "type": "integer" } }, { "sentinel_addresses": { + "type": "array", "elements": { "type": "string" }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", "replaced_with": [ @@ -1191,16 +1199,16 @@ } ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" - } + }, + "len_min": 1 } }, { "cluster_addresses": { + "type": "array", "elements": { "type": "string" }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", "replaced_with": [ 
@@ -1211,22 +1219,14 @@ } ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead" - } + }, + "len_min": 1 } } - ] + ], + "required": true } } - ], - "required": true - } - } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" ] } } diff --git a/schemas/service-protection/3.10.x.json b/schemas/service-protection/3.10.x.json index 2fbd7347..0050c926 100644 --- a/schemas/service-protection/3.10.x.json +++ b/schemas/service-protection/3.10.x.json @@ -1,4 +1,13 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "supported_partials": { "redis-ee": [ "config.redis" @@ -7,33 +16,30 @@ "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "route": { + "reference": "routes", "description": "A reference to the 'routes' table with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "routes" + "eq": null } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -43,12 +49,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { 
@@ -57,74 +66,74 @@ "fields": [ { "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "type": "array", "elements": { "type": "number" }, - "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", - "type": "array", "required": true } }, { "window_type": { - "type": "string", "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", - "default": "sliding", + "type": "string", "one_of": [ "fixed", "sliding" - ] + ], + "default": "sliding" } }, { "limit": { + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "type": "array", "elements": { "type": "number" }, - "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", - "type": "array", "required": true } }, { "sync_rate": { - "type": "number", - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." + "description": "How often to sync counter data to the central data store. 
A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" } }, { "namespace": { - "type": "string", "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", + "type": "string", "auto": true, "required": true } }, { "strategy": { - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "type": "string", - "required": true, - "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "one_of": [ "cluster", "redis", "local" - ] + ], + "default": "local", + "required": true } }, { "dictionary_name": { - "type": "string", "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "type": "string", "default": "kong_rate_limiting_counters", "required": true } }, { "lock_dictionary_name": { - "type": "string", "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. The shared dictionary should be declared in nginx-kong.conf.", + "type": "string", "default": "kong_locks", "required": true } 
@@ -145,8 +154,68 @@ }, { "redis": { + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], "type": "record", - "required": true, "fields": [ { "host": { 
@@ -157,46 +226,46 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -238,13 +307,13 @@ }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer", "between": [ 1, 2147483646 - ], - "type": "integer" + ] } }, { 
@@ -259,8 +328,8 @@ }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { 
@@ -276,81 +345,81 @@ }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "elements": { "type": "record", "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] }, - "len_min": 1 + "required": false } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "elements": { "type": "record", "fields": [ { "ip": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] }, - "len_min": 1 + "required": false } }, { "ssl": { - "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", "default": false, + "type": "boolean", "required": false } }, { "ssl_verify": { - "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "type": "boolean", "required": false } }, 
@@ -363,89 +432,26 @@ }, { "cluster_max_redirections": { - "type": "integer", "description": "Maximum retry attempts for redirection.", "default": 5, + "type": "integer", "required": false } }, { "connection_is_proxied": { - "type": "boolean", "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "default": false, + "type": "boolean", "required": false } } ], - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], "shorthand_fields": [ { "timeout": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", "replaced_with": [ { "path": [ 
@@ -462,51 +468,54 @@ "read_timeout" ] } - ] - } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + }, + "type": "integer" } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] - } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] - } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 } } - ] + ], + "required": true } }, { @@ -518,10 +527,10 @@ }, { "error_code": { - "default": 429, - "description": "Set a custom error code to return when the rate limit is exceeded.", "gt": 0, - "type": "number" + "type": "number", + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded." } }, { @@ -535,14 +544,5 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/session/3.10.x.json b/schemas/session/3.10.x.json index 9260b418..df565cd4 100644 --- a/schemas/session/3.10.x.json +++ b/schemas/session/3.10.x.json 
@@ -1,21 +1,20 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { - "description": "A set of strings representing protocols.", - "type": "set", - "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -27,79 +26,45 @@ "udp", "ws", "wss" - ] + ], + "type": "string" }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { "config": { - "shorthand_fields": [ - { - "cookie_lifetime": { - "type": "number" - } - }, - { - "cookie_idletime": { - "type": "number" - } - }, - { - "cookie_renew": { - "type": "number" - } - }, - { - "cookie_discard": { - "type": "number" - } - }, - { - "cookie_samesite": { - "type": "string" - } - }, - { - "cookie_httponly": { - "type": "boolean" - } - }, - { - "cookie_persistent": { - "type": "boolean" - } - } - ], - "type": "record", "fields": [ { "secret": { - "description": "The secret that is used in keyed HMAC generation.", "type": "string", - "required": false, + "referenceable": true, + "description": "The secret that is used in keyed HMAC generation.", "encrypted": true, - "default": "e5LBiB0qbGGgh4BBf3E8HWBbKBFHsz007KeVri6SIUAp", - "referenceable": true + "default": "WKzHLADIGTA9J6nV29ppiqFxmLWstNnPGEtEJ2gQA70z", + "required": false } }, { "storage": { - "type": "string", "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", + "type": "string", "default": "cookie", "one_of": [ "cookie", 
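Review bot: The `secret` field under `config.fields` gets a new literal `default` (`WKzHLADIGTA9J6nV29ppiqFxmLWstNnPGEtEJ2gQA70z` replacing `e5LBiB0qbGGgh4BBf3E8HWBbKBFHsz007KeVri6SIUAp`) although nothing else about the field changes beyond key order, which suggests the value is generated by whichever node served the schema rather than being a fixed default. The field is described as the secret used in keyed HMAC generation and is marked `encrypted` and `referenceable`, so a concrete value in a published schema snapshot is likely to be copied into configurations as if it were a safe default, leaving those deployments sharing a publicly known key. It will also produce a spurious diff on every schema refresh. I would have the download step normalise this field before committing, for example to `"default": "<GENERATED_PER_NODE_PLACEHOLDER>"`, or drop the `default` key for `secret`. The `config` record continues past the end of this hunk.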
@@ -158,14 +123,14 @@ }, { "cookie_domain": { - "type": "string", - "description": "The domain with which the cookie is intended to be exchanged." + "description": "The domain with which the cookie is intended to be exchanged.", + "type": "string" } }, { "cookie_same_site": { - "type": "string", "description": "Determines whether and how a cookie may be sent with cross-site requests.", + "type": "string", "default": "Strict", "one_of": [ "Strict", @@ -261,12 +226,12 @@ }, { "logout_methods": { + "description": "A set of HTTP methods that the plugin will respond to.", + "type": "set", "default": [ "POST", "DELETE" ], - "description": "A set of HTTP methods that the plugin will respond to.", - "type": "set", "elements": { "type": "string", "one_of": [ @@ -306,11 +271,46 @@ } } ], + "type": "record", + "shorthand_fields": [ + { + "cookie_lifetime": { + "type": "number" + } + }, + { + "cookie_idletime": { + "type": "number" + } + }, + { + "cookie_renew": { + "type": "number" + } + }, + { + "cookie_discard": { + "type": "number" + } + }, + { + "cookie_samesite": { + "type": "string" + } + }, + { + "cookie_httponly": { + "type": "boolean" + } + }, + { + "cookie_persistent": { + "type": "boolean" + } + } + ], "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/standard-webhooks/3.10.x.json b/schemas/standard-webhooks/3.10.x.json index 4d3c1746..9420b097 100644 --- a/schemas/standard-webhooks/3.10.x.json +++ b/schemas/standard-webhooks/3.10.x.json @@ -1,18 +1,18 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ 
@@ -22,12 +22,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { @@ -36,28 +39,25 @@ "fields": [ { "secret_v1": { - "encrypted": true, "type": "string", - "required": true, + "referenceable": true, "description": "Webhook secret", - "referenceable": true + "encrypted": true, + "required": true } }, { "tolerance_second": { - "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response.", - "type": "integer", - "required": true, "gt": -1, - "default": 300 + "type": "integer", + "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response.", + "default": 300, + "required": true } } ], "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/statsd-advanced/3.10.x.json b/schemas/statsd-advanced/3.10.x.json index 8b4b539a..302883f1 100644 --- a/schemas/statsd-advanced/3.10.x.json +++ b/schemas/statsd-advanced/3.10.x.json @@ -1,13 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", - "type": "set", - "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -19,22 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string" }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { 
@@ -50,13 +53,13 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 8125 + "default": 8125, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { @@ -68,13 +71,79 @@ }, { "metrics": { + "description": "List of Metrics to be logged.", + "type": "array", "elements": { + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "unique_users" + ] + }, + "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "set" + } + } + }, + { + "conditional": { + "if_match": { + "one_of": [ + "request_count", + "status_count", + "request_per_user", + "status_count_per_user", + "status_count_per_workspace", + "status_count_per_user_per_route", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + }, + "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "counter" + } + } + }, + { + "conditional": { + "if_match": { + "one_of": [ + "shdict_usage" + ] + }, + "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "gauge" + } + } + }, + { + "conditional": { + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + } + } + } + ], "type": "record", "fields": [ { "name": { - "required": true, - "type": "string", "one_of": [ "kong_latency", "latency", @@ -91,13 +160,13 @@ "shdict_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" - ] + ], + "type": "string", + "required": true } }, { "stat_type": { - "required": true, - "type": "string", "one_of": [ "counter", "gauge", @@ -105,13 +174,15 @@ "meter", "set", "timer" - ] + ], + "type": "string", + "required": true } }, { "sample_rate": { - "type": "number", - "gt": 0 + "gt": 0, + "type": "number" } }, { 
@@ -144,147 +215,79 @@ ] } } - ], - "entity_checks": [ - { - "conditional": { - "if_match": { - "one_of": [ - "unique_users" - ] - }, - "then_field": "stat_type", - "if_field": "name", - "then_match": { - "eq": "set" - } - } - }, - { - "conditional": { - "if_match": { - "one_of": [ - "request_count", - "status_count", - "request_per_user", - "status_count_per_user", - "status_count_per_workspace", - "status_count_per_user_per_route", - "cache_datastore_hits_total", - "cache_datastore_misses_total" - ] - }, - "then_field": "stat_type", - "if_field": "name", - "then_match": { - "eq": "counter" - } - } - }, - { - "conditional": { - "if_match": { - "one_of": [ - "shdict_usage" - ] - }, - "then_field": "stat_type", - "if_field": "name", - "then_match": { - "eq": "gauge" - } - } - }, - { - "conditional": { - "if_match": { - "one_of": [ - "counter", - "gauge" - ] - }, - "then_field": "sample_rate", - "if_field": "stat_type", - "then_match": { - "required": true - } - } - } ] }, - "description": "List of Metrics to be logged.", "default": [ { - "stat_type": "counter", + "sample_rate": 1, "name": "request_count", - "sample_rate": 1 + "stat_type": "counter" }, { - "name": "latency", - "stat_type": "timer" + "stat_type": "timer", + "name": "latency" }, { - "name": "request_size", - "stat_type": "timer" + "stat_type": "timer", + "name": "request_size" }, { - "stat_type": "counter", + "sample_rate": 1, "name": "status_count", - "sample_rate": 1 + "stat_type": "counter" }, { - "name": "response_size", - "stat_type": "timer" + "stat_type": "timer", + "name": "response_size" }, { - "name": "unique_users", - "stat_type": "set" + "stat_type": "set", + "name": "unique_users" }, { - "stat_type": "counter", + "sample_rate": 1, "name": "request_per_user", - "sample_rate": 1 + "stat_type": "counter" }, { - "name": "upstream_latency", - "stat_type": "timer" + "stat_type": "timer", + "name": "upstream_latency" }, { - "name": "kong_latency", - "stat_type": "timer" + "stat_type": "timer", + 
"name": "kong_latency" }, { - "stat_type": "counter", + "sample_rate": 1, "name": "status_count_per_user", - "sample_rate": 1 + "stat_type": "counter" }, { - "stat_type": "counter", + "sample_rate": 1, "name": "status_count_per_workspace", - "sample_rate": 1 + "stat_type": "counter" }, { - "stat_type": "counter", + "sample_rate": 1, "name": "status_count_per_user_per_route", - "sample_rate": 1 + "stat_type": "counter" }, { - "stat_type": "gauge", + "sample_rate": 1, "name": "shdict_usage", - "sample_rate": 1 + "stat_type": "gauge" }, { - "stat_type": "counter", "name": "cache_datastore_hits_total", - "sample_rate": 1 + "sample_rate": 1, + "stat_type": "counter" }, { - "stat_type": "counter", "name": "cache_datastore_misses_total", - "sample_rate": 1 + "sample_rate": 1, + "stat_type": "counter" } - ], - "type": "array" + ] } }, { @@ -292,20 +295,20 @@ "description": "List of status code ranges that are allowed to be logged in metrics.", "type": "array", "elements": { - "type": "string", - "match": "^[0-9]+-[0-9]+$" + "match": "^[0-9]+-[0-9]+$", + "type": "string" } } }, { "udp_packet_size": { + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", + "type": "number", + "default": 0, "between": [ 0, 65507 - ], - "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", - "default": 0, - "type": "number" + ] } }, { 
@@ -324,41 +327,41 @@ }, { "consumer_identifier_default": { - "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", "type": "string", - "required": true, - "default": "custom_id", + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", "one_of": [ "consumer_id", "custom_id", "username" - ] + ], + "default": "custom_id", + "required": true } }, { "service_identifier_default": { - "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", "type": "string", - "required": true, - "default": "service_name_or_host", + "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ] + ], + "default": "service_name_or_host", + "required": true } }, { "workspace_identifier_default": { - "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", "type": "string", - "required": true, - "default": "workspace_id", + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", "one_of": [ "workspace_id", "workspace_name" - ] + ], + "default": "workspace_id", + "required": true } }, { 
@@ -367,77 +370,77 @@ "fields": [ { "max_batch_size": { - "default": 1, - "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 ], - "type": "integer" + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 ], - "type": "number" + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 ], - "type": "integer" + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue." } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "type": "number", - "default": 60 + "default": 60, + "type": "number" } }, { "initial_retry_delay": { - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 ], - "type": "number" + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch." 
} }, { "max_retry_delay": { - "default": 60, "description": "Maximum time in seconds between retries, caps exponential backoff.", + "default": 60, + "type": "number", "between": [ 0.001, 1000000 - ], - "type": "number" + ] } }, { "concurrency_limit": { - "type": "integer", "description": "The number of of queue delivery timers. -1 indicates unlimited.", "default": 1, + "type": "integer", "one_of": [ -1, 1 @@ -452,8 +455,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/statsd/3.10.x.json b/schemas/statsd/3.10.x.json index 45fe5c66..ff349530 100644 --- a/schemas/statsd/3.10.x.json +++ b/schemas/statsd/3.10.x.json @@ -1,13 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", - "type": "set", - "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -19,22 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string" }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { 
@@ -50,105 +53,48 @@ }, { "port": { - "type": "integer", "description": "The port of StatsD server to send data to.", + "default": 8125, "between": [ 0, 65535 ], - "default": 8125 + "type": "integer" } }, { "prefix": { "description": "String to prefix to each metric's name.", - "default": "kong", - "type": "string" + "type": "string", + "default": "kong" } }, { "metrics": { - "default": [ - { - "stat_type": "counter", - "name": "request_count", - "sample_rate": 1 - }, - { - "name": "latency", - "stat_type": "timer" - }, - { - "stat_type": "counter", - "name": "request_size", - "sample_rate": 1 - }, - { - "stat_type": "counter", - "name": "status_count", - "sample_rate": 1 - }, - { - "stat_type": "counter", - "name": "response_size", - "sample_rate": 1 - }, - { - "name": "unique_users", - "stat_type": "set" - }, - { - "stat_type": "counter", - "name": "request_per_user", - "sample_rate": 1 - }, - { - "name": "upstream_latency", - "stat_type": "timer" - }, - { - "name": "kong_latency", - "stat_type": "timer" - }, - { - "stat_type": "counter", - "name": "status_count_per_user", - "sample_rate": 1 - }, - { - "stat_type": "counter", - "name": "status_count_per_workspace", - "sample_rate": 1 - }, - { - "stat_type": "counter", - "name": "status_count_per_user_per_route", - "sample_rate": 1 - }, - { - "stat_type": "gauge", - "name": "shdict_usage", - "sample_rate": 1 - }, - { - "stat_type": "counter", - "name": "cache_datastore_hits_total", - "sample_rate": 1 - }, - { - "stat_type": "counter", - "name": "cache_datastore_misses_total", - "sample_rate": 1 - } - ], "description": "List of metrics to be logged.", "type": "array", "elements": { + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + } + } + } + ], "type": "record", "fields": [ { "name": { - "required": true, "description": "StatsD metric’s name.", "type": "string", 
"one_of": [ @@ -167,12 +113,12 @@ "shdict_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" - ] + ], + "required": true } }, { "stat_type": { - "required": true, "description": "Determines what sort of event a metric represents.", "type": "string", "one_of": [ @@ -182,14 +128,15 @@ "meter", "set", "timer" - ] + ], + "required": true } }, { "sample_rate": { "description": "Sampling rate", - "gt": 0, - "type": "number" + "type": "number", + "gt": 0 } }, { @@ -225,25 +172,81 @@ ] } } - ], - "entity_checks": [ - { - "conditional": { - "if_match": { - "one_of": [ - "counter", - "gauge" - ] - }, - "then_field": "sample_rate", - "if_field": "stat_type", - "then_match": { - "required": true - } - } - } ] - } + }, + "default": [ + { + "sample_rate": 1, + "name": "request_count", + "stat_type": "counter" + }, + { + "stat_type": "timer", + "name": "latency" + }, + { + "sample_rate": 1, + "name": "request_size", + "stat_type": "counter" + }, + { + "name": "status_count", + "sample_rate": 1, + "stat_type": "counter" + }, + { + "sample_rate": 1, + "name": "response_size", + "stat_type": "counter" + }, + { + "stat_type": "set", + "name": "unique_users" + }, + { + "name": "request_per_user", + "sample_rate": 1, + "stat_type": "counter" + }, + { + "stat_type": "timer", + "name": "upstream_latency" + }, + { + "stat_type": "timer", + "name": "kong_latency" + }, + { + "name": "status_count_per_user", + "sample_rate": 1, + "stat_type": "counter" + }, + { + "sample_rate": 1, + "name": "status_count_per_workspace", + "stat_type": "counter" + }, + { + "name": "status_count_per_user_per_route", + "sample_rate": 1, + "stat_type": "counter" + }, + { + "name": "shdict_usage", + "sample_rate": 1, + "stat_type": "gauge" + }, + { + "name": "cache_datastore_hits_total", + "sample_rate": 1, + "stat_type": "counter" + }, + { + "name": "cache_datastore_misses_total", + "sample_rate": 1, + "stat_type": "counter" + } + ] } }, { 
@@ -251,8 +254,8 @@ "description": "List of status code ranges that are allowed to be logged in metrics.", "type": "array", "elements": { - "type": "string", - "match": "^[0-9]+-[0-9]+$" + "match": "^[0-9]+-[0-9]+$", + "type": "string" } } }, @@ -280,19 +283,18 @@ }, { "consumer_identifier_default": { - "required": true, "default": "custom_id", "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ] + ], + "required": true } }, { "service_identifier_default": { - "required": true, "default": "service_name_or_host", "type": "string", "one_of": [ @@ -300,18 +302,19 @@ "service_name", "service_host", "service_name_or_host" - ] + ], + "required": true } }, { "workspace_identifier_default": { - "required": true, "default": "workspace_id", "type": "string", "one_of": [ "workspace_id", "workspace_name" - ] + ], + "required": true } }, { @@ -346,14 +349,14 @@ }, { "tag_style": { - "required": false, - "type": "string", "one_of": [ "dogstatsd", "influxdb", "librato", "signalfx" - ] + ], + "type": "string", + "required": false } }, { 
@@ -362,77 +365,77 @@ "fields": [ { "max_batch_size": { - "default": 1, - "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 ], - "type": "integer" + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 ], - "type": "number" + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 ], - "type": "integer" + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue." } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "type": "number", - "default": 60 + "default": 60, + "type": "number" } }, { "initial_retry_delay": { - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 ], - "type": "number" + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch." 
} }, { "max_retry_delay": { - "default": 60, "description": "Maximum time in seconds between retries, caps exponential backoff.", + "default": 60, + "type": "number", "between": [ 0.001, 1000000 - ], - "type": "number" + ] } }, { "concurrency_limit": { - "type": "integer", "description": "The number of of queue delivery timers. -1 indicates unlimited.", "default": 1, + "type": "integer", "one_of": [ -1, 1 @@ -447,8 +450,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/syslog/3.10.x.json b/schemas/syslog/3.10.x.json index 9df71398..98f64b13 100644 --- a/schemas/syslog/3.10.x.json +++ b/schemas/syslog/3.10.x.json @@ -1,13 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", - "type": "set", - "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -19,22 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string" }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -43,9 +46,8 @@ "fields": [ { "log_level": { - "required": true, - "default": "info", "type": "string", + "default": "info", "one_of": [ "debug", "info", @@ -55,14 +57,14 @@ "crit", "alert", "emerg" - ] + ], + "required": true } }, { "successful_severity": { - "required": true, - "default": "info", "type": "string", + "default": "info", "one_of": [ "debug", "info", 
@@ -72,14 +74,14 @@ "crit", "alert", "emerg" - ] + ], + "required": true } }, { "client_errors_severity": { - "required": true, - "default": "info", "type": "string", + "default": "info", "one_of": [ "debug", "info", @@ -89,14 +91,14 @@ "crit", "alert", "emerg" - ] + ], + "required": true } }, { "server_errors_severity": { - "required": true, - "default": "info", "type": "string", + "default": "info", "one_of": [ "debug", "info", @@ -106,17 +108,18 @@ "crit", "alert", "emerg" - ] + ], + "required": true } }, { "custom_fields_by_lua": { - "values": { - "type": "string", - "len_min": 1 - }, "description": "Lua code as a key-value map", "type": "map", + "values": { + "len_min": 1, + "type": "string" + }, "keys": { "type": "string", "len_min": 1 @@ -125,10 +128,8 @@ }, { "facility": { - "description": "The facility is used by the operating system to decide how to handle each log message.", "type": "string", - "required": true, - "default": "user", + "description": "The facility is used by the operating system to decide how to handle each log message.", "one_of": [ "auth", "authpriv", @@ -150,15 +151,14 @@ "local5", "local6", "local7" - ] + ], + "default": "user", + "required": true } } ], "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/tcp-log/3.10.x.json b/schemas/tcp-log/3.10.x.json index 32675025..43130c62 100644 --- a/schemas/tcp-log/3.10.x.json +++ b/schemas/tcp-log/3.10.x.json @@ -1,13 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", - "type": "set", - "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -19,22 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string" }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -50,8 +53,8 @@ }, { "port": { - "type": "integer", "description": "The port to send data to on the upstream server.", + "type": "integer", "between": [ 0, 65535 @@ -75,26 +78,26 @@ }, { "tls": { - "default": false, "description": "Indicates whether to perform a TLS handshake against the remote server.", "type": "boolean", + "default": false, "required": true } }, { "tls_sni": { - "type": "string", - "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake." + "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake.", + "type": "string" } }, { "custom_fields_by_lua": { - "values": { - "type": "string", - "len_min": 1 - }, "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", "type": "map", + "values": { + "len_min": 1, + "type": "string" + }, "keys": { "type": "string", "len_min": 1 @@ -105,8 +108,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/tls-handshake-modifier/3.10.x.json b/schemas/tls-handshake-modifier/3.10.x.json index 9897e76f..e2dcbb58 100644 --- a/schemas/tls-handshake-modifier/3.10.x.json +++ b/schemas/tls-handshake-modifier/3.10.x.json 
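Review bot: The `tls` entry in the `@@ -75,26 +78,26 @@` hunk of schemas/tcp-log/3.10.x.json keeps `"default": false`, and its description does not say that with this default no TLS handshake is performed, so log entries would travel to the remote server in cleartext. The description is the only documentation a schema consumer sees, so it should state the default and its consequence, e.g. `"description": "Indicates whether to perform a TLS handshake against the remote server. Defaults to false, in which case log data is sent unencrypted."`. Whether the handshake also validates the server certificate is not visible in this schema and would be worth documenting alongside `tls_sni`. The hunk only reorders keys, which suggests the file is regenerated, so the wording presumably has to change in the plugin's schema source.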
@@ -1,15 +1,22 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { + "default": [ + "https", + "grpcs" + ], "type": "set", "elements": { "type": "string", @@ -19,19 +26,15 @@ "tls" ] }, - "default": [ - "https", - "grpcs" - ], "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -40,21 +43,18 @@ "fields": [ { "tls_client_certificate": { - "description": "TLS Client Certificate", "type": "string", - "required": false, - "default": "REQUEST", + "description": "TLS Client Certificate", "one_of": [ "REQUEST" - ] + ], + "default": "REQUEST", + "required": false } } ], "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/tls-metadata-headers/3.10.x.json b/schemas/tls-metadata-headers/3.10.x.json index ba68fe43..b9ea5bb4 100644 --- a/schemas/tls-metadata-headers/3.10.x.json +++ b/schemas/tls-metadata-headers/3.10.x.json @@ -1,15 +1,22 @@ { + "entity_checks": [ + + ], "fields": [ { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { "protocols": { + "default": [ + "https", + "grpcs" + ], "type": "set", "elements": { "type": "string", @@ -19,19 +26,15 @@ "tls" ] }, - "default": [ - "https", - "grpcs" - ], "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { 
@@ -41,47 +44,47 @@ { "inject_client_cert_details": { "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "client_cert_header_name": { - "default": "X-Client-Cert", "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", "type": "string", + "default": "X-Client-Cert", "required": true } }, { "client_serial_header_name": { - "default": "X-Client-Cert-Serial", "description": "Define the HTTP header name used for the serial number of the client certificate.", "type": "string", + "default": "X-Client-Cert-Serial", "required": true } }, { "client_cert_issuer_dn_header_name": { - "default": "X-Client-Cert-Issuer-DN", "description": "Define the HTTP header name used for the issuer DN of the client certificate.", "type": "string", + "default": "X-Client-Cert-Issuer-DN", "required": true } }, { "client_cert_subject_dn_header_name": { - "default": "X-Client-Cert-Subject-DN", "description": "Define the HTTP header name used for the subject DN of the client certificate.", "type": "string", + "default": "X-Client-Cert-Subject-DN", "required": true } }, { "client_cert_fingerprint_header_name": { - "default": "X-Client-Cert-Fingerprint", "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", "type": "string", + "default": "X-Client-Cert-Fingerprint", "required": true } } @@ -89,8 +92,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/udp-log/3.10.x.json b/schemas/udp-log/3.10.x.json index d2fe7fbf..21c259da 100644 --- a/schemas/udp-log/3.10.x.json +++ b/schemas/udp-log/3.10.x.json 
@@ -1,13 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", - "type": "set", - "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -19,22 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string" }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -50,30 +53,30 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true } }, { "timeout": { "description": "An optional timeout in milliseconds when sending data to the upstream server.", - "default": 10000, - "type": "number" + "type": "number", + "default": 10000 } }, { "custom_fields_by_lua": { - "values": { - "type": "string", - "len_min": 1 - }, "description": "Lua code as a key-value map", "type": "map", + "values": { + "len_min": 1, + "type": "string" + }, "keys": { "type": "string", "len_min": 1 @@ -84,8 +87,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/upstream-oauth/3.10.x.json b/schemas/upstream-oauth/3.10.x.json index 2442ae63..6b3a3d15 100644 --- a/schemas/upstream-oauth/3.10.x.json +++ b/schemas/upstream-oauth/3.10.x.json 
@@ -1,4 +1,20 @@ { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], "supported_partials": { "redis-ee": [ "config.cache.redis" @@ -7,9 +23,6 @@ "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -19,12 +32,15 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { 
@@ -37,35 +53,35 @@ "fields": [ { "auth_method": { - "description": "The authentication method used in client requests to the IdP. Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", "type": "string", - "required": true, + "description": "The authentication method used in client requests to the IdP. Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", "default": "client_secret_post", "one_of": [ "client_secret_post", "client_secret_basic", "client_secret_jwt", "none" - ] + ], + "required": true } }, { "client_secret_jwt_alg": { - "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", "type": "string", - "required": true, + "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", "default": "HS512", "one_of": [ "HS512", "HS256" - ] + ], + "required": true } }, { "http_version": { - "default": 1.1, "description": "The HTTP version used for requests made by this plugin. Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", "type": "number", + "default": 1.1, "required": false } }, 
@@ -106,28 +122,28 @@ }, { "timeout": { - "description": "Network I/O timeout for requests to the IdP in milliseconds.", "type": "integer", - "required": true, + "description": "Network I/O timeout for requests to the IdP in milliseconds.", "default": 10000, "between": [ 0, 2147483646 - ] + ], + "required": true } }, { "keep_alive": { - "type": "boolean", "description": "Whether to use keepalive connections to the IdP.", + "type": "boolean", "default": true, "required": true } }, { "ssl_verify": { - "type": "boolean", "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", + "type": "boolean", "default": false, "required": false } @@ -149,26 +165,26 @@ }, { "token_headers": { + "description": "Extra headers to be passed in the token endpoint request.", + "type": "map", "values": { "type": "string", "referenceable": true }, - "description": "Extra headers to be passed in the token endpoint request.", - "type": "map", "keys": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } } }, { "token_post_args": { + "description": "Extra post arguments to be passed in the token endpoint request.", + "type": "map", "values": { "type": "string", "referenceable": true }, - "description": "Extra post arguments to be passed in the token endpoint request.", - "type": "map", "keys": { "type": "string" } 
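Review bot: In the `ssl_verify` entry of the `@@ -106,28 +122,28 @@` hunk (schemas/upstream-oauth/3.10.x.json), the description does not mention that the field keeps `"default": false`, meaning the IdP's certificate is not verified unless an operator enables it. This plugin sends `client_id`/`client_secret` (or a username and password) to the token endpoint, so an unverified HTTPS connection exposes those credentials to anyone able to intercept the connection. The description should state the default and recommend enabling it, e.g. `"description": "Whether to verify the certificate presented by the IdP when using HTTPS. Defaults to false; set to true so credentials are only sent to an IdP whose certificate validates."`. The hunk only reorders keys, which suggests the file is regenerated from the plugin's schema, so the text (and ideally the default) presumably has to change at that source rather than here.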
@@ -176,76 +192,76 @@ }, { "grant_type": { - "description": "The OAuth grant type to be used.", "type": "string", - "required": true, + "description": "The OAuth grant type to be used.", "default": "client_credentials", "one_of": [ "client_credentials", "password" - ] + ], + "required": true } }, { "client_id": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "The client ID for the application registration in the IdP.", - "referenceable": true + "encrypted": true, + "required": false } }, { "client_secret": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "The client secret for the application registration in the IdP.", - "referenceable": true + "encrypted": true, + "required": false } }, { "username": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "The username to use if `config.oauth.grant_type` is set to `password`.", - "referenceable": true + "encrypted": true, + "required": false } }, { "password": { - "encrypted": true, "type": "string", - "required": false, + "referenceable": true, "description": "The password to use if `config.oauth.grant_type` is set to `password`.", - "referenceable": true + "encrypted": true, + "required": false } }, { "scopes": { - "description": "List of scopes to request from the IdP when obtaining a new token.", "type": "array", - "required": false, + "description": "List of scopes to request from the IdP when obtaining a new token.", + "default": [ + "openid" + ], "elements": { "type": "string" }, - "default": [ - "openid" - ] + "required": false } }, { "audience": { - "description": "List of audiences passed to the IdP when obtaining a new token.", "type": "array", - "required": false, + "description": "List of audiences passed to the IdP when obtaining a new token.", + "default": [ + + ], "elements": { "type": "string" }, - "default": [ - - ] + "required": false } } ], 
@@ -258,14 +274,14 @@ "fields": [ { "strategy": { - "description": "The method Kong should use to cache tokens issued by the IdP.", "type": "string", - "required": true, + "description": "The method Kong should use to cache tokens issued by the IdP.", "default": "memory", "one_of": [ "memory", "redis" - ] + ], + "required": true } }, { @@ -274,8 +290,8 @@ "fields": [ { "dictionary_name": { - "type": "string", "description": "The shared dictionary used by the plugin to cache tokens if `config.cache.strategy` is set to `memory`.", + "type": "string", "default": "kong_db_cache", "required": true } @@ -286,8 +302,68 @@ }, { "redis": { + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], "type": "record", - "required": true, "fields": [ { "host": { 
@@ -298,46 +374,46 @@ }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -379,13 +455,13 @@ }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer", "between": [ 1, 2147483646 - ], - "type": "integer" + ] } }, { 
@@ -400,8 +476,8 @@ }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { 
@@ -417,81 +493,81 @@ }, { "sentinel_nodes": { - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "elements": { "type": "record", "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] }, - "len_min": 1 + "required": false } }, { "cluster_nodes": { - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "type": "array", - "required": false, + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "elements": { "type": "record", "fields": [ { "ip": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", "type": "string", + "default": "127.0.0.1", "required": true } }, { "port": { - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379 + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." } } ] }, - "len_min": 1 + "required": false } }, { "ssl": { - "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", "default": false, + "type": "boolean", "required": false } }, { "ssl_verify": { - "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "default": false, + "type": "boolean", "required": false } }, 
@@ -504,89 +580,26 @@ }, { "cluster_max_redirections": { - "type": "integer", "description": "Maximum retry attempts for redirection.", "default": 5, + "type": "integer", "required": false } }, { "connection_is_proxied": { - "type": "boolean", "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "default": false, + "type": "boolean", "required": false } } ], - "entity_checks": [ - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], "shorthand_fields": [ { "timeout": { - "type": "integer", "deprecation": { "removal_in_version": "4.0", - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", "replaced_with": [ { "path": [ 
@@ -603,68 +616,71 @@ "read_timeout" ] } - ] - } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + }, + "type": "integer" } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] - } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, - "len_min": 1, - "type": "array", "deprecation": { "removal_in_version": "4.0", - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] - } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 } } - ] + ], + "required": true } }, { "eagerly_expire": { - "description": "The number of seconds to eagerly expire a cached token. By default, a cached token expires 5 seconds before its lifetime as defined in `expires_in`.", + "gt": -1, "type": "integer", - "required": true, + "description": "The number of seconds to eagerly expire a cached token. By default, a cached token expires 5 seconds before its lifetime as defined in `expires_in`.", "default": 5, - "gt": -1 + "required": true } }, { "default_ttl": { - "gt": 0, "description": "The lifetime of a token without an explicit `expires_in` value.", - "default": 3600, - "type": "number" + "type": "number", + "gt": 0, + "default": 3600 } } ], 
@@ -677,65 +693,65 @@ "fields": [ { "upstream_access_token_header_name": { - "description": "The name of the header used to send the access token (obtained from the IdP) to the upstream service.", "type": "string", - "required": true, + "len_min": 0, + "description": "The name of the header used to send the access token (obtained from the IdP) to the upstream service.", "default": "Authorization", - "len_min": 0 + "required": true } }, { "idp_error_response_status_code": { - "description": "The response code to return to the consumer if Kong fails to obtain a token from the IdP.", "type": "integer", - "required": true, + "description": "The response code to return to the consumer if Kong fails to obtain a token from the IdP.", "default": 502, "between": [ 500, 599 - ] + ], + "required": true } }, { "idp_error_response_content_type": { - "description": "The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP.", "type": "string", - "required": true, + "len_min": 0, + "description": "The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP.", "default": "application/json; charset=utf-8", - "len_min": 0 + "required": true } }, { "idp_error_response_message": { - "description": "The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", "type": "string", - "required": true, + "len_min": 0, + "description": "The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", "default": "Failed to authenticate request to upstream", - "len_min": 0 + "required": true } }, { "idp_error_response_body_template": { - "description": "The template to use to create the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", "type": "string", - "required": true, + "len_min": 0, + "description": "The template to use to create the body 
of the response to return to the consumer if Kong fails to obtain a token from the IdP.", "default": "{ \"code\": \"{{status}}\", \"message\": \"{{message}}\" }", - "len_min": 0 + "required": true } }, { "purge_token_on_upstream_status_codes": { + "description": "An array of status codes which will force an access token to be purged when returned by the upstream. An empty array will disable this functionality.", + "type": "array", "default": [ 401 ], - "description": "An array of status codes which will force an access token to be purged when returned by the upstream. An empty array will disable this functionality.", - "type": "array", "elements": { - "type": "integer", "between": [ 100, 599 - ] + ], + "type": "integer" } } } @@ -747,21 +763,5 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - }, - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } ] } \ No newline at end of file diff --git a/schemas/upstream-timeout/3.10.x.json b/schemas/upstream-timeout/3.10.x.json index b0968c3a..2a5dd3f9 100644 --- a/schemas/upstream-timeout/3.10.x.json +++ b/schemas/upstream-timeout/3.10.x.json @@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ @@ -14,20 +14,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { 
@@ -36,40 +39,37 @@ "fields": [ { "read_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "connect_timeout": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } } ], "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/vault-auth/3.10.x.json b/schemas/vault-auth/3.10.x.json index 4a29cda1..7046dcf0 100644 --- a/schemas/vault-auth/3.10.x.json +++ b/schemas/vault-auth/3.10.x.json @@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ 
@@ -14,28 +14,31 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { "consumer": { + "reference": "consumers", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumers" + "eq": null } }, { 
@@ -44,69 +47,66 @@ "fields": [ { "access_token_name": { - "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", "type": "string", - "required": true, + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "default": "access_token", "elements": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" }, - "default": "access_token" + "required": true } }, { "secret_token_name": { - "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", "type": "string", - "required": true, + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "default": "secret_token", "elements": { - "type": "string", - "description": "A string representing an HTTP header name." 
+ "description": "A string representing an HTTP header name.", + "type": "string" }, - "default": "secret_token" + "required": true } }, { "vault": { - "type": "foreign", "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", "reference": "vault_auth_vaults", + "type": "foreign", "required": true } }, { "hide_credentials": { "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "tokens_in_body": { "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. 
Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "run_on_preflight": { "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } } ], "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/websocket-size-limit/3.10.x.json b/schemas/websocket-size-limit/3.10.x.json index 4f008496..adf519e3 100644 --- a/schemas/websocket-size-limit/3.10.x.json +++ b/schemas/websocket-size-limit/3.10.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "elements": { "type": "string", "one_of": [ @@ -10,6 +12,7 @@ "wss" ] }, + "type": "set", "default": [ "ws", "wss" @@ -19,10 +22,10 @@ }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -39,21 +42,21 @@ "fields": [ { "client_max_payload": { - "type": "integer", "between": [ 1, 33554432 ], + "type": "integer", "required": false } }, { "upstream_max_payload": { - "type": "integer", "between": [ 1, 33554432 ], + "type": "integer", "required": false } } @@ -61,8 +64,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/websocket-validator/3.10.x.json b/schemas/websocket-validator/3.10.x.json index 106d861e..6d173fdb 100644 --- a/schemas/websocket-validator/3.10.x.json +++ b/schemas/websocket-validator/3.10.x.json @@ -1,8 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -10,6 +12,7 @@ "wss" ] }, + "type": "set", "default": [ "ws", "wss" @@ -19,10 +22,10 @@ }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { @@ -39,22 +42,40 @@ "fields": [ { "client": { - "required": false, + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } + ], "type": "record", + "required": false, "fields": [ { "text": { - "required": false, + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], "type": "record", + "required": false, "fields": [ { "type": { - "required": true, "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "type": "string", "one_of": [ "draft4" - ] + ], + "required": true } }, { @@ -64,7 +85,11 @@ "required": true } } - ], + ] + } + }, + { + "binary": { "entity_checks": [ { "custom_entity_check": { @@ -74,22 +99,18 @@ ] } } - ] - } - }, - { - "binary": { - "required": false, + ], "type": "record", + "required": false, "fields": [ { "type": { - "required": true, "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "type": "string", "one_of": [ "draft4" - ] + ], + "required": true } }, { @@ -99,20 +120,14 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "type", - "schema" - ] - } - } ] } } - ], + ] + } + }, + { + "upstream": { "entity_checks": [ { "at_least_one_of": [ 
@@ -120,27 +135,33 @@ "binary" ] } - ] - } - }, - { - "upstream": { - "required": false, + ], "type": "record", + "required": false, "fields": [ { "text": { - "required": false, + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], "type": "record", + "required": false, "fields": [ { "type": { - "required": true, "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "type": "string", "one_of": [ "draft4" - ] + ], + "required": true } }, { @@ -150,7 +171,11 @@ "required": true } } - ], + ] + } + }, + { + "binary": { "entity_checks": [ { "custom_entity_check": { @@ -160,22 +185,18 @@ ] } } - ] - } - }, - { - "binary": { - "required": false, + ], "type": "record", + "required": false, "fields": [ { "type": { - "required": true, "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "type": "string", "one_of": [ "draft4" - ] + ], + "required": true } }, { @@ -185,27 +206,9 @@ "required": true } } - ], - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "type", - "schema" - ] - } - } ] } } - ], - "entity_checks": [ - { - "at_least_one_of": [ - "text", - "binary" - ] - } ] } } @@ -213,8 +216,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/xml-threat-protection/3.10.x.json b/schemas/xml-threat-protection/3.10.x.json index 4eb473a5..da4fddce 100644 --- a/schemas/xml-threat-protection/3.10.x.json +++ b/schemas/xml-threat-protection/3.10.x.json @@ -1,10 +1,10 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing HTTP protocols.", - "type": "set", - "required": true, "elements": { "type": "string", "one_of": [ 
@@ -14,20 +14,23 @@ "https" ] }, + "description": "A set of strings representing HTTP protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { 
@@ -74,227 +77,224 @@ "fields": [ { "checked_content_types": { - "description": "A list of Content-Type values with payloads that must be validated.", "type": "set", - "required": true, + "description": "A list of Content-Type values with payloads that must be validated.", + "default": [ + "application/xml" + ], "elements": { - "required": true, "type": "string", - "match": "^[^%s]+%/[^ ;]+$" + "match": "^[^%s]+%/[^ ;]+$", + "required": true }, - "default": [ - "application/xml" - ] + "required": true } }, { "allowed_content_types": { - "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", "type": "set", - "required": true, + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", + "default": [ + + ], "elements": { - "required": true, "type": "string", - "match": "^[^%s]+%/[^ ;]+$" + "match": "^[^%s]+%/[^ ;]+$", + "required": true }, - "default": [ - - ] + "required": true } }, { "allow_dtd": { - "default": false, "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", + "default": false, "type": "boolean", "required": true } }, { "namespace_aware": { - "default": true, "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", + "default": true, "type": "boolean", "required": true } }, { "max_depth": { - "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", - "type": "integer", - "required": true, "gt": 0, - "default": 50 + "type": "integer", + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", + "default": 50, + "required": true } }, { "max_children": { - "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). 
Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", - "type": "integer", - "required": true, "gt": 0, - "default": 100 + "type": "integer", + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", + "default": 100, + "required": true } }, { "max_attributes": { - "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", - "type": "integer", - "required": true, "gt": 0, - "default": 100 + "type": "integer", + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", + "default": 100, + "required": true } }, { "max_namespaces": { - "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", - "type": "integer", - "required": false, "gt": 0, - "default": 20 + "type": "integer", + "description": "Maximum number of namespaces defined on a tag. 
This value is required if parsing is namespace-aware.", + "default": 20, + "required": false } }, { "document": { - "description": "Maximum size of the entire document.", - "type": "integer", - "required": true, "gt": 0, - "default": 10485760 + "type": "integer", + "description": "Maximum size of the entire document.", + "default": 10485760, + "required": true } }, { "buffer": { - "description": "Maximum size of the unparsed buffer (see below).", - "type": "integer", - "required": true, "gt": 0, - "default": 1048576 + "type": "integer", + "description": "Maximum size of the unparsed buffer (see below).", + "default": 1048576, + "required": true } }, { "comment": { - "description": "Maximum size of comments.", - "type": "integer", - "required": true, "gt": 0, - "default": 1024 + "type": "integer", + "description": "Maximum size of comments.", + "default": 1024, + "required": true } }, { "localname": { - "description": "Maximum size of the localname. This applies to tags and attributes.", - "type": "integer", - "required": true, "gt": 0, - "default": 1024 + "type": "integer", + "description": "Maximum size of the localname. This applies to tags and attributes.", + "default": 1024, + "required": true } }, { "prefix": { - "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", - "type": "integer", - "required": false, "gt": 0, - "default": 1024 + "type": "integer", + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", + "default": 1024, + "required": false } }, { "namespaceuri": { - "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware.", - "type": "integer", - "required": false, "gt": 0, - "default": 1024 + "type": "integer", + "description": "Maximum size of the namespace URI. 
This value is required if parsing is namespace-aware.", + "default": 1024, + "required": false } }, { "attribute": { - "description": "Maximum size of the attribute value.", - "type": "integer", - "required": true, "gt": 0, - "default": 1048576 + "type": "integer", + "description": "Maximum size of the attribute value.", + "default": 1048576, + "required": true } }, { "text": { - "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", - "type": "integer", - "required": true, "gt": 0, - "default": 1048576 + "type": "integer", + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", + "default": 1048576, + "required": true } }, { "pitarget": { - "description": "Maximum size of processing instruction targets.", - "type": "integer", - "required": true, "gt": 0, - "default": 1024 + "type": "integer", + "description": "Maximum size of processing instruction targets.", + "default": 1024, + "required": true } }, { "pidata": { - "description": "Maximum size of processing instruction data.", - "type": "integer", - "required": true, "gt": 0, - "default": 1024 + "type": "integer", + "description": "Maximum size of processing instruction data.", + "default": 1024, + "required": true } }, { "entityname": { - "description": "Maximum size of entity names in EntityDecl.", - "type": "integer", - "required": true, "gt": 0, - "default": 1024 + "type": "integer", + "description": "Maximum size of entity names in EntityDecl.", + "default": 1024, + "required": true } }, { "entity": { - "description": "Maximum size of entity values in EntityDecl.", - "type": "integer", - "required": true, "gt": 0, - "default": 1024 + "type": "integer", + "description": "Maximum size of entity values in EntityDecl.", + "default": 1024, + "required": true } }, { "entityproperty": { - "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", - "type": "integer", - "required": true, "gt": 0, - 
"default": 1024 + "type": "integer", + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", + "default": 1024, + "required": true } }, { "bla_max_amplification": { - "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", - "type": "number", - "required": true, "gt": 1, - "default": 100 + "type": "number", + "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", + "default": 100, + "required": true } }, { "bla_threshold": { - "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", - "type": "integer", - "required": true, "gt": 1024, - "default": 8388608 + "type": "integer", + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", + "default": 8388608, + "required": true } } ], "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file diff --git a/schemas/zipkin/3.10.x.json b/schemas/zipkin/3.10.x.json index 289cec4f..c24af748 100644 --- a/schemas/zipkin/3.10.x.json +++ b/schemas/zipkin/3.10.x.json @@ -1,13 +1,12 @@ { + "entity_checks": [ + + ], "fields": [ { "protocols": { - "description": "A set of strings representing protocols.", - "type": "set", - "required": true, "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", - "type": "string", "one_of": [ "grpc", "grpcs", @@ -19,22 +18,26 @@ "udp", "ws", "wss" - ] + ], + "type": "string" }, + "description": "A set of strings representing protocols.", "default": [ "grpc", "grpcs", "http", "https" - ] + ], + "type": "set", + "required": true } }, { "consumer_group": { + "reference": "consumer_groups", "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", - "eq": null, - "reference": "consumer_groups" + "eq": null } }, { 
@@ -43,64 +46,65 @@ "fields": [ { "local_service_name": { - "type": "string", "description": "The name of the service as displayed in Zipkin.", + "type": "string", "default": "kong", "required": true } }, { "http_endpoint": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "sample_ratio": { - "default": 0.001, "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", + "type": "number", + "default": 0.001, "between": [ 0, 1 - ], - "type": "number" + ] } }, { "default_service_name": { - "type": "string", - "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans." + "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans.", + "type": "string" } }, { "include_credential": { - "type": "boolean", "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", + "type": "boolean", "default": true, "required": true } }, { "traceid_byte_count": { - "description": "The length in bytes of each request's Trace ID.", "type": "integer", - "required": true, - "default": 16, + "description": "The length in bytes of each request's Trace ID.", "one_of": [ 8, 16 - ] + ], + "default": 16, + "required": true } }, { "header_type": { - "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. 
This property codifies what kind of tracing header the plugin expects on incoming requests", "type": "string", "deprecation": { - "removal_in_version": "4.0", + "message": "zipkin: config.header_type is deprecated, please use config.propagation options instead", "old_default": "preserve", - "message": "zipkin: config.header_type is deprecated, please use config.propagation options instead" + "removal_in_version": "4.0" }, + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", + "default": "preserve", "one_of": [ "preserve", "ignore", @@ -114,19 +118,19 @@ "gcp", "instana" ], - "default": "preserve", "required": true } }, { "default_header_type": { - "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", "type": "string", "deprecation": { - "removal_in_version": "4.0", + "message": "zipkin: config.default_header_type is deprecated, please use config.propagation.default_format instead", "old_default": "b3", - "message": "zipkin: config.default_header_type is deprecated, please use config.propagation.default_format instead" + "removal_in_version": "4.0" }, + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", + "default": "b3", "one_of": [ "b3", "b3-single", 
@@ -138,14 +142,13 @@ "gcp", "instana" ], - "default": "b3", "required": true } }, { "tags_header": { - "type": "string", "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", + "type": "string", "default": "Zipkin-Tags", "required": true } @@ -159,6 +162,7 @@ "fields": [ { "name": { + "type": "string", "not_one_of": [ "error", "http.method", @@ -174,14 +178,13 @@ "lc", "peer.hostname" ], - "type": "string", "required": true } }, { "value": { - "type": "string", - "required": true + "required": true, + "type": "string" } } ] 
@@ -190,47 +193,47 @@ }, { "http_span_name": { - "description": "Specify whether to include the HTTP path in the span name.", "type": "string", - "required": true, - "default": "method", + "description": "Specify whether to include the HTTP path in the span name.", "one_of": [ "method", "method_path" - ] + ], + "default": "method", + "required": true } }, { "connect_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000 + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "send_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 5000 + "default": 5000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { "read_timeout": { - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 5000 + "default": 5000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." } }, { @@ -240,14 +243,14 @@ }, { "phase_duration_flavor": { - "description": "Specify whether to include the duration of each phase as an annotation or a tag.", "type": "string", - "required": true, - "default": "annotations", + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", "one_of": [ "annotations", "tags" - ] + ], + "default": "annotations", + "required": true } }, { 
@@ -256,77 +259,77 @@ "fields": [ { "max_batch_size": { - "default": 1, - "description": "Maximum number of entries that can be processed at a time.", "between": [ 1, 1000000 ], - "type": "integer" + "default": 1, + "type": "integer", + "description": "Maximum number of entries that can be processed at a time." } }, { "max_coalescing_delay": { - "default": 1, - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", "between": [ 0, 3600 ], - "type": "number" + "default": 1, + "type": "number", + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." } }, { "max_entries": { - "default": 10000, - "description": "Maximum number of entries that can be waiting on the queue.", "between": [ 1, 1000000 ], - "type": "integer" + "default": 10000, + "type": "integer", + "description": "Maximum number of entries that can be waiting on the queue." } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", - "type": "number", - "default": 60 + "default": 60, + "type": "number" } }, { "initial_retry_delay": { - "default": 0.01, - "description": "Time in seconds before the initial retry is made for a failing batch.", "between": [ 0.001, 1000000 ], - "type": "number" + "default": 0.01, + "type": "number", + "description": "Time in seconds before the initial retry is made for a failing batch." 
} }, { "max_retry_delay": { - "default": 60, "description": "Maximum time in seconds between retries, caps exponential backoff.", + "default": 60, + "type": "number", "between": [ 0.001, 1000000 - ], - "type": "number" + ] } }, { "concurrency_limit": { - "type": "integer", "description": "The number of of queue delivery timers. -1 indicates unlimited.", "default": 1, + "type": "integer", "one_of": [ -1, 1 @@ -347,14 +350,14 @@ "elements": { "type": "string", "one_of": [ - "w3c", - "b3", "jaeger", "ot", "datadog", "aws", "gcp", - "instana" + "instana", + "w3c", + "b3" ] } } @@ -376,34 +379,34 @@ "type": "string", "one_of": [ "preserve", - "w3c", - "b3", "b3-single", "jaeger", "ot", "datadog", "aws", "gcp", - "instana" + "instana", + "w3c", + "b3" ] } } }, { "default_format": { + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "type": "string", "one_of": [ - "w3c", - "b3", "b3-single", "jaeger", "ot", "datadog", "aws", "gcp", - "instana" + "instana", + "w3c", + "b3" ], - "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", - "type": "string", "required": true } } @@ -419,8 +422,5 @@ "required": true } } - ], - "entity_checks": [ - ] } \ No newline at end of file From ff229d8e63de75c4bc1af93dd176466405b14228 Mon Sep 17 00:00:00 2001 
From: kong-docs <116832528+kong-docs@users.noreply.github.com> Date: Tue, 25 Mar 2025 04:37:51 +0100 Subject: [PATCH 136/165] JSON Schemas for 3.10.x (#103) Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- .../konnect-application-auth/3.10.json | 4 +- json_schemas/request-callout/3.10.json | 63 ++++++++++++++++--- json_schemas/session/3.10.json | 2 +- 3 files changed, 58 insertions(+), 11 deletions(-) diff --git a/json_schemas/konnect-application-auth/3.10.json b/json_schemas/konnect-application-auth/3.10.json index 17240508..43573756 100644 --- a/json_schemas/konnect-application-auth/3.10.json +++ b/json_schemas/konnect-application-auth/3.10.json @@ -2246,9 +2246,7 @@ } }, "required": [ - "cluster_cache_redis", - "issuer", - "redis" + "issuer" ], "type": "object" }, diff --git a/json_schemas/request-callout/3.10.json b/json_schemas/request-callout/3.10.json index bd8473ad..3105e35c 100644 --- a/json_schemas/request-callout/3.10.json +++ b/json_schemas/request-callout/3.10.json @@ -3,6 +3,7 @@ "config": { "properties": { "cache": { + "description": "Plugin global caching configuration.", "properties": { "cache_ttl": { "default": 300, @@ -206,6 +207,7 @@ }, "strategy": { "default": "off", + "description": "The backing data store in which to hold cache entities. Accepted values are: `off`, `memory`, and `redis`.", "enum": [ "memory", "off", @@ -220,12 +222,15 @@ "type": "object" }, "callouts": { + "description": "A collection of callout objects, where each object represents an HTTPrequest made in the context of a proxy request.", "items": { "properties": { "cache": { + "description": "Callout caching configuration.", "properties": { "bypass": { "default": false, + "description": "If true, skips caching the callout response.", "type": "boolean" } }, 
@@ -238,6 +243,7 @@ "default": [ ], + "description": "An array of callout names the current callout depends on.This dependency determines the callout execution order.", "items": { "required": [ @@ -247,22 +253,28 @@ "type": "array" }, "name": { + "description": "A string identifier for a callout. A callout object is referenceablevia its name in the kong.ctx.shared.callouts.", "type": "string" }, "request": { + "description": "The customizations for the callout request.", "properties": { "body": { + "description": "Callout request body customizations.", "properties": { "custom": { "additionalProperties": true, + "description": "The custom body fields to be added in the callout HTTP request.Values can contain Lua expressions in the form $(some_lua_code).", "type": "object" }, "decode": { "default": false, + "description": "If true, decodes the request's body to make it available for customizations.", "type": "boolean" }, "forward": { "default": false, + "description": "If true, forwards the incoming request's body to the callout request.", "type": "boolean" } }, @@ -272,19 +284,24 @@ "type": "object" }, "by_lua": { + "description": "Lua code that executes before the callout request is made.Standard Lua sandboxing restrictions apply.", "type": "string" }, "error": { + "description": "The error handling policy the plugin will apply to TCP and HTTP errors.", "properties": { "error_response_code": { "default": 400, + "description": "The error code to respond with if `on_error` is `fail` or if `retries` is achieved.", "type": "integer" }, "error_response_msg": { "default": "service callout error", + "description": "The error mesasge to respond with if `on_error` is `fail` or if `retries` is achieved.Templating with Lua expressions is supported.", "type": "string" }, "http_statuses": { + "description": "The list of HTTP status codes considered errors under the error handling policy.", "items": { "maximum": 999, "minimum": 100, 
@@ -306,6 +323,7 @@ }, "retries": { "default": 2, + "description": "The number of retries the plugin will attempt on TCP and HTTP errors if `on_error` is set to `retry`.", "type": "integer" } }, @@ -315,13 +333,16 @@ "type": "object" }, "headers": { + "description": "Callout request header customizations.", "properties": { "custom": { "additionalProperties": true, + "description": "The custom headers to be added in the callout HTTP request.Values can contain Lua expressions in the form $(some_lua_code).", "type": "object" }, "forward": { "default": false, + "description": "If true, forwards the incoming request's headers to the callout request. ", "type": "boolean" } }, @@ -331,21 +352,25 @@ "type": "object" }, "http_opts": { + "description": "HTTP connection parameters.", "properties": { "proxy": { + "description": "Proxy settings.", "properties": { "auth_password": { + "description": "The password to authenticate with, if the forward proxy is protected by basic authentication.", "type": "string" }, "auth_username": { + "description": "The username to authenticate with, if the forward proxy is protected by basic authentication.", "type": "string" }, "http_proxy": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "The HTTP proxy URL. This proxy server will be used for HTTP requests.", "type": "string" }, "https_proxy": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "The HTTPS proxy URL. This proxy server will be used for HTTPS requests.", "type": "string" } }, 
@@ -355,28 +380,31 @@ "type": "object" }, "ssl_server_name": { + "description": "The SNI used in the callout request. Defaults to host if omitted.", "type": "string" }, "ssl_verify": { "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "type": "boolean" }, "timeouts": { + "description": "Socket timeouts in milliseconds. All or none must be set.", "properties": { "connect": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "description": "The socket connect timeout.", "maximum": 2147483646, "minimum": 0, "type": "integer" }, "read": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "description": "The socket read timeout. ", "maximum": 2147483646, "minimum": 0, "type": "integer" }, "write": { - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "description": "The socket write timeout.", "maximum": 2147483646, "minimum": 0, "type": "integer" 
@@ -395,18 +423,21 @@ }, "method": { "default": "GET", - "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", + "description": "The HTTP method that will be requested.", "pattern": "^%u+$", "type": "string" }, "query": { + "description": "Callout request query param customizations.", "properties": { "custom": { "additionalProperties": true, + "description": "The custom query params to be added in the callout HTTP request.Values can contain Lua expressions in the form $(some_lua_code).", "type": "object" }, "forward": { "default": false, + "description": "If true, forwards the incoming request's query params to the callout request. ", "type": "boolean" } }, @@ -416,7 +447,7 @@ "type": "object" }, "url": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "The URL that will be requested.", "type": "string" } }, @@ -431,15 +462,18 @@ "type": "object" }, "response": { + "description": "Configurations of callout response handling.", "properties": { "body": { "properties": { "decode": { "default": false, + "description": "If true, decodes the response body before storing into the context. Only JSON is supported.", "type": "boolean" }, "store": { "default": true, + "description": "If false, skips storing the callout response body into kong.ctx.shared.callouts..response.body.", "type": "boolean" } }, @@ -449,12 +483,15 @@ "type": "object" }, "by_lua": { + "description": "Lua code that executes after the callout request is made, before caching takes place. Standard Lua sandboxing restrictions apply.", "type": "string" }, "headers": { + "description": "Callout response header customizations.", "properties": { "store": { "default": true, + "description": "If false, skips storing the callout response headers intokong.ctx.shared.callouts..response.headers.", "type": "boolean" } }, 
@@ -482,19 +519,24 @@ "type": "array" }, "upstream": { + "description": "Customizations to the upstream request.", "properties": { "body": { + "description": "Callout request body customizations.", "properties": { "custom": { "additionalProperties": true, + "description": "The custom body fields to be added in the upstream request body. Values can contain Lua expressions in the form $(some_lua_code).", "type": "object" }, "decode": { "default": true, + "description": "If true, decodes the request's body to make it available for upstream by_lua customizations.", "type": "boolean" }, "forward": { "default": true, + "description": "If false, skips forwarding the incoming request's body to the upstream request.", "type": "boolean" } }, @@ -504,16 +546,20 @@ "type": "object" }, "by_lua": { + "description": "Lua code that executes before the upstream request is made. Standard Lua sandboxing restrictions apply.", "type": "string" }, "headers": { + "description": "Callout request header customizations.", "properties": { "custom": { "additionalProperties": true, + "description": "The custom headers to be added in the upstream HTTP request. Values can contain Lua expressions in the form $(some_lua_code).", "type": "object" }, "forward": { "default": true, + "description": "If false, does not forward request headers to upstream request.", "type": "boolean" } }, @@ -523,13 +569,16 @@ "type": "object" }, "query": { + "description": "Upstream request query param customizations.", "properties": { "custom": { "additionalProperties": true, + "description": "The custom query params to be added in the upstream HTTP request. Values can contain Lua expressions in the form $(some_lua_code).", "type": "object" }, "forward": { "default": true, + "description": "If false, does not forward request query params to upstream request.", "type": "boolean" } }, diff --git a/json_schemas/session/3.10.json b/json_schemas/session/3.10.json index bb942b58..432e205c 100644 
--- a/json_schemas/session/3.10.json +++ b/json_schemas/session/3.10.json @@ -154,7 +154,7 @@ "type": "number" }, "secret": { - "default": "e5LBiB0qbGGgh4BBf3E8HWBbKBFHsz007KeVri6SIUAp", + "default": "WKzHLADIGTA9J6nV29ppiqFxmLWstNnPGEtEJ2gQA70z", "description": "The secret that is used in keyed HMAC generation.", "type": "string" }, From f46a02c7c05490dd8410c60331ec40666b526689 Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Tue, 25 Mar 2025 14:41:02 +0100 Subject: [PATCH 137/165] Add `referenceable` to the field's description in json_schemas --- lib/convert_json_schema.rb | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lib/convert_json_schema.rb b/lib/convert_json_schema.rb index bfb88ac7..5b72aba5 100644 --- a/lib/convert_json_schema.rb +++ b/lib/convert_json_schema.rb @@ -85,6 +85,14 @@ def convert_to_json_schema(props) fields['format'] = 'uuid' end + if k =='referenceable' + note = 'This field is *referenceable*.' + if fields.key?('description') + fields['description'] << "\n#{note}" + else + fields['description'] = note + end + end # Remove unused fields next if [ From 10e6a9424127963ecffd3fcddbac936f171c0ab2 Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Tue, 25 Mar 2025 17:00:48 +0100 Subject: [PATCH 138/165] Link to vaults entity page instead of using italics in the description of referenceable fields --- lib/convert_json_schema.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/convert_json_schema.rb b/lib/convert_json_schema.rb index 5b72aba5..8372fa69 100644 --- a/lib/convert_json_schema.rb +++ b/lib/convert_json_schema.rb @@ -86,7 +86,7 @@ def convert_to_json_schema(props) end if k =='referenceable' - note = 'This field is *referenceable*.' + note = 'This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).' if fields.key?('description') fields['description'] << "\n#{note}" else From c13feefffbd7ed5d541c341a10a7cbd8cfda1fcf Mon Sep 17 00:00:00 2001 
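Review bot: The `default` of `secret` in this hunk is a concrete key string that the regeneration swapped for a different one, which suggests the source schema produces a random value on every dump and this file freezes one sample of it. Publishing that sample as the default for "the secret that is used in keyed HMAC generation" means any tooling that fills configuration from schema defaults would deploy a key readable by anyone with access to this repository. The generator should omit `default` for this field (and for any other field whose default is generated at load time), leaving only `type` and `description`. If a value must be present, use an obviously non-functional placeholder such as `"<generated-at-runtime>"`.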
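Review bot: The added branch in `lib/convert_json_schema.rb` tests only the key, `if k =='referenceable'`, so a property carrying `referenceable: false` would also be documented as vault-referenceable. The condition should check the value too, e.g. `if k == 'referenceable' && v`, where `v` stands for whatever the loop names the value (the loop header is outside this hunk). `fields['description'] << "\n#{note}"` also mutates the existing string in place, which raises on a frozen string and changes every other reference to the same object; `fields['description'] = "#{fields['description']}\n#{note}"` avoids both. Whether the note survives may further depend on `description` being copied before `referenceable` is visited, which cannot be confirmed here because `convert_to_json_schema` starts and ends outside the hunk.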
From: fabianrbz <715229+fabianrbz@users.noreply.github.com> Date: Tue, 25 Mar 2025 16:03:46 +0000 Subject: [PATCH 139/165] JSON Schemas for 3.10.x --- json_schemas/acme/3.10.json | 10 ++--- .../ai-azure-content-safety/3.10.json | 2 +- json_schemas/ai-proxy-advanced/3.10.json | 28 +++++++------- json_schemas/ai-proxy/3.10.json | 8 ++-- json_schemas/ai-rag-injector/3.10.json | 20 +++++----- .../ai-rate-limiting-advanced/3.10.json | 8 ++-- json_schemas/ai-request-transformer/3.10.json | 8 ++-- .../ai-response-transformer/3.10.json | 8 ++-- json_schemas/ai-semantic-cache/3.10.json | 20 +++++----- .../ai-semantic-prompt-guard/3.10.json | 20 +++++----- json_schemas/aws-lambda/3.10.json | 6 +-- json_schemas/azure-functions/3.10.json | 4 +- json_schemas/datadog-tracing/3.10.json | 1 + json_schemas/datadog/3.10.json | 2 +- json_schemas/forward-proxy/3.10.json | 4 +- .../graphql-proxy-cache-advanced/3.10.json | 8 ++-- .../graphql-rate-limiting-advanced/3.10.json | 8 ++-- json_schemas/jwt-signer/3.10.json | 8 ++-- .../konnect-application-auth/3.10.json | 38 +++++++++++++------ json_schemas/ldap-auth-advanced/3.10.json | 4 +- json_schemas/loggly/3.10.json | 1 + json_schemas/openid-connect/3.10.json | 38 +++++++++++++------ json_schemas/opentelemetry/3.10.json | 6 +-- json_schemas/proxy-cache-advanced/3.10.json | 8 ++-- json_schemas/rate-limiting-advanced/3.10.json | 8 ++-- json_schemas/rate-limiting/3.10.json | 2 +- json_schemas/request-callout/3.10.json | 14 +++---- .../request-transformer-advanced/3.10.json | 12 ++++++ json_schemas/response-ratelimiting/3.10.json | 2 +- json_schemas/saml/3.10.json | 8 ++-- json_schemas/service-protection/3.10.json | 8 ++-- json_schemas/upstream-oauth/3.10.json | 8 ++-- 32 files changed, 186 insertions(+), 144 deletions(-) diff --git a/json_schemas/acme/3.10.json b/json_schemas/acme/3.10.json index a7102b7c..4e0c2b55 100644 --- a/json_schemas/acme/3.10.json +++ b/json_schemas/acme/3.10.json 
@@ -64,11 +64,11 @@ "type": "array" }, "eab_hmac_key": { - "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "eab_kid": { - "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "enable_ipv4_common_name": { @@ -140,7 +140,7 @@ "type": "number" }, "token": { - "description": "Consul ACL token.", + "description": "Consul ACL token.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, @@ -223,7 +223,7 @@ "type": "integer" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, 
@@ -317,7 +317,7 @@ "type": "boolean" }, "token": { - "description": "Consul ACL token.", + "description": "Consul ACL token.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/ai-azure-content-safety/3.10.json b/json_schemas/ai-azure-content-safety/3.10.json index b87a3b14..06420513 100644 --- a/json_schemas/ai-azure-content-safety/3.10.json +++ b/json_schemas/ai-azure-content-safety/3.10.json @@ -59,7 +59,7 @@ "type": "string" }, "content_safety_url": { - "description": "Full URL, inc protocol, of the Azure Content Safety instance.", + "description": "Full URL, inc protocol, of the Azure Content Safety instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "halt_on_blocklist_hit": { diff --git a/json_schemas/ai-proxy-advanced/3.10.json b/json_schemas/ai-proxy-advanced/3.10.json index 3d832dc6..a9e0e8df 100644 --- a/json_schemas/ai-proxy-advanced/3.10.json +++ b/json_schemas/ai-proxy-advanced/3.10.json @@ -125,7 +125,7 @@ "type": "string" }, "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { 
@@ -133,7 +133,7 @@ "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { @@ -151,7 +151,7 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { @@ -167,7 +167,7 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { @@ -355,7 +355,7 @@ "type": "string" }, "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { 
@@ -363,7 +363,7 @@ "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { @@ -381,7 +381,7 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { @@ -397,7 +397,7 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { @@ -655,7 +655,7 @@ "type": "string" }, "password": { - "description": "the password of the pgvector database", + "description": "the password of the pgvector database\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -703,7 +703,7 @@ }, "user": { "default": "postgres", - "description": "the user of the pgvector database", + "description": "the user of the pgvector database\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, 
@@ -780,7 +780,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -834,7 +834,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -847,7 +847,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
@@ -865,7 +865,7 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/ai-proxy/3.10.json b/json_schemas/ai-proxy/3.10.json index 13ec1c5f..7998df25 100644 --- a/json_schemas/ai-proxy/3.10.json +++ b/json_schemas/ai-proxy/3.10.json @@ -18,7 +18,7 @@ "type": "string" }, "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { @@ -26,7 +26,7 @@ "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { 
@@ -44,7 +44,7 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { @@ -60,7 +60,7 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { diff --git a/json_schemas/ai-rag-injector/3.10.json b/json_schemas/ai-rag-injector/3.10.json index a607fd26..d7b0168b 100644 --- a/json_schemas/ai-rag-injector/3.10.json +++ b/json_schemas/ai-rag-injector/3.10.json @@ -20,7 +20,7 @@ "type": "string" }, "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { 
@@ -28,7 +28,7 @@ "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { @@ -46,7 +46,7 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { @@ -62,7 +62,7 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { @@ -249,7 +249,7 @@ "type": "string" }, "password": { - "description": "the password of the pgvector database", + "description": "the password of the pgvector database\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -297,7 +297,7 @@ }, "user": { "default": "postgres", - "description": "the user of the pgvector database", + "description": "the user of the pgvector database\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, 
@@ -374,7 +374,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -428,7 +428,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -441,7 +441,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
@@ -459,7 +459,7 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/ai-rate-limiting-advanced/3.10.json b/json_schemas/ai-rate-limiting-advanced/3.10.json index 40fb85d9..0c08bf61 100644 --- a/json_schemas/ai-rate-limiting-advanced/3.10.json +++ b/json_schemas/ai-rate-limiting-advanced/3.10.json @@ -183,7 +183,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -237,7 +237,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { 
@@ -250,7 +250,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -268,7 +268,7 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/ai-request-transformer/3.10.json b/json_schemas/ai-request-transformer/3.10.json index db7b5c6b..6a900cf8 100644 --- a/json_schemas/ai-request-transformer/3.10.json +++ b/json_schemas/ai-request-transformer/3.10.json @@ -50,7 +50,7 @@ "type": "string" }, "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { 
@@ -58,7 +58,7 @@ "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { @@ -76,7 +76,7 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { @@ -92,7 +92,7 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { diff --git a/json_schemas/ai-response-transformer/3.10.json b/json_schemas/ai-response-transformer/3.10.json index c76b7391..32684125 100644 --- a/json_schemas/ai-response-transformer/3.10.json +++ b/json_schemas/ai-response-transformer/3.10.json 
@@ -50,7 +50,7 @@ "type": "string" }, "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { @@ -58,7 +58,7 @@ "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { @@ -76,7 +76,7 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { @@ -92,7 +92,7 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { 
diff --git a/json_schemas/ai-semantic-cache/3.10.json b/json_schemas/ai-semantic-cache/3.10.json index 1945aee9..5688932a 100644 --- a/json_schemas/ai-semantic-cache/3.10.json +++ b/json_schemas/ai-semantic-cache/3.10.json @@ -31,7 +31,7 @@ "type": "string" }, "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { @@ -39,7 +39,7 @@ "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { @@ -57,7 +57,7 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { 
@@ -73,7 +73,7 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { @@ -279,7 +279,7 @@ "type": "string" }, "password": { - "description": "the password of the pgvector database", + "description": "the password of the pgvector database\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -327,7 +327,7 @@ }, "user": { "default": "postgres", - "description": "the user of the pgvector database", + "description": "the user of the pgvector database\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, @@ -404,7 +404,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -458,7 +458,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { 
@@ -471,7 +471,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -489,7 +489,7 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/ai-semantic-prompt-guard/3.10.json b/json_schemas/ai-semantic-prompt-guard/3.10.json index 54a0fc50..1cefe6db 100644 --- a/json_schemas/ai-semantic-prompt-guard/3.10.json +++ b/json_schemas/ai-semantic-prompt-guard/3.10.json @@ -20,7 +20,7 @@ "type": "string" }, "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { 
@@ -28,7 +28,7 @@ "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { @@ -46,7 +46,7 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { @@ -62,7 +62,7 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { @@ -299,7 +299,7 @@ "type": "string" }, "password": { - "description": "the password of the pgvector database", + "description": "the password of the pgvector database\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -347,7 +347,7 @@ }, "user": { "default": "postgres", - "description": "the user of the pgvector database", + "description": "the user of the pgvector database\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, 
@@ -424,7 +424,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -478,7 +478,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -491,7 +491,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
@@ -509,7 +509,7 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/aws-lambda/3.10.json b/json_schemas/aws-lambda/3.10.json index 5bbe2019..166740b4 100644 --- a/json_schemas/aws-lambda/3.10.json +++ b/json_schemas/aws-lambda/3.10.json @@ -3,7 +3,7 @@ "config": { "properties": { "aws_assume_role_arn": { - "description": "The target AWS IAM role ARN used to invoke the Lambda function.", + "description": "The target AWS IAM role ARN used to invoke the Lambda function.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_imds_protocol_version": { @@ -16,7 +16,7 @@ "type": "string" }, "aws_key": { - "description": "The AWS key credential to be used when invoking the function.", + "description": "The AWS key credential to be used when invoking the function.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_region": { @@ -29,7 +29,7 @@ "type": "string" }, "aws_secret": { - "description": "The AWS secret credential to be used when invoking the function. ", + "description": "The AWS secret credential to be used when invoking the function. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_sts_endpoint_url": { 
diff --git a/json_schemas/azure-functions/3.10.json b/json_schemas/azure-functions/3.10.json index 66d15b39..4a188c42 100644 --- a/json_schemas/azure-functions/3.10.json +++ b/json_schemas/azure-functions/3.10.json @@ -3,7 +3,7 @@ "config": { "properties": { "apikey": { - "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "appname": { @@ -11,7 +11,7 @@ "type": "string" }, "clientid": { - "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.", + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "functionname": { diff --git a/json_schemas/datadog-tracing/3.10.json b/json_schemas/datadog-tracing/3.10.json index 9774fc0f..b5723945 100644 --- a/json_schemas/datadog-tracing/3.10.json +++ b/json_schemas/datadog-tracing/3.10.json @@ -17,6 +17,7 @@ "type": "integer" }, "endpoint": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "environment": { diff --git a/json_schemas/datadog/3.10.json b/json_schemas/datadog/3.10.json index fbc2d98e..12d04755 100644 --- a/json_schemas/datadog/3.10.json +++ b/json_schemas/datadog/3.10.json 
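Review bot: In `datadog-tracing/3.10.json` the `description` added to `endpoint` consists only of the vault-reference sentence, so the field still has no statement of what it holds or what form the value takes. Marking it referenceable suggests the value may be sensitive (presumably it can embed connection details), which makes a purpose line more useful, not less. I would put one sentence before the note, for example `"description": "<what the endpoint is and its expected format>.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault)."`. If this file is generated from the plugin schema, the text belongs in that source rather than here.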
@@ -13,7 +13,7 @@ }, "host": { "default": "localhost", - "description": "A string representing a host name, such as example.com.", + "description": "A string representing a host name, such as example.com.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "metrics": { diff --git a/json_schemas/forward-proxy/3.10.json b/json_schemas/forward-proxy/3.10.json index ad6b829b..c0f4b52a 100644 --- a/json_schemas/forward-proxy/3.10.json +++ b/json_schemas/forward-proxy/3.10.json @@ -3,11 +3,11 @@ "config": { "properties": { "auth_password": { - "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "auth_username": { - "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "http_proxy_host": { diff --git a/json_schemas/graphql-proxy-cache-advanced/3.10.json b/json_schemas/graphql-proxy-cache-advanced/3.10.json index fbd4614b..46c5d48b 100644 --- a/json_schemas/graphql-proxy-cache-advanced/3.10.json +++ b/json_schemas/graphql-proxy-cache-advanced/3.10.json 
@@ -94,7 +94,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -148,7 +148,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -161,7 +161,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
@@ -179,7 +179,7 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/graphql-rate-limiting-advanced/3.10.json b/json_schemas/graphql-rate-limiting-advanced/3.10.json index d7a3788e..6fedc860 100644 --- a/json_schemas/graphql-rate-limiting-advanced/3.10.json +++ b/json_schemas/graphql-rate-limiting-advanced/3.10.json @@ -118,7 +118,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -172,7 +172,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { 
@@ -185,7 +185,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -203,7 +203,7 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/jwt-signer/3.10.json b/json_schemas/jwt-signer/3.10.json index 6b424d39..d6619d16 100644 --- a/json_schemas/jwt-signer/3.10.json +++ b/json_schemas/jwt-signer/3.10.json 
@@ -137,7 +137,7 @@ "type": "string" }, "access_token_jwks_uri_client_username": { - "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`", + "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "access_token_jwks_uri_rotate_period": { @@ -159,7 +159,7 @@ "type": "string" }, "access_token_keyset_client_username": { - "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`", + "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "access_token_keyset_rotate_period": { 
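Review bot: The `access_token_jwks_uri_client_username` and `access_token_keyset_client_username` descriptions end their original sentence at the backticked password field name with no full stop, so the appended `\n` (a soft break in Markdown) makes the two sentences render as one run-on. Add a period after the closing backtick, just before `\nThis field is`. The two `channel_token_*_client_username` hunks that follow in this file have the same problem. Separately, these hunks only touch the username half of each Basic Auth pair, and the matching `*_client_password` properties lie outside the visible context. It is worth confirming they already carry the referenceable note, since the password is the value that most needs to come from a vault rather than inline configuration.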
@@ -411,7 +411,7 @@ "type": "string" }, "channel_token_jwks_uri_client_username": { - "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", + "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "channel_token_jwks_uri_rotate_period": { @@ -433,7 +433,7 @@ "type": "string" }, "channel_token_keyset_client_username": { - "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`", + "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "channel_token_keyset_rotate_period": { diff --git a/json_schemas/konnect-application-auth/3.10.json b/json_schemas/konnect-application-auth/3.10.json index 43573756..e8b6d2b5 100644 --- a/json_schemas/konnect-application-auth/3.10.json +++ b/json_schemas/konnect-application-auth/3.10.json @@ -388,6 +388,7 @@ "client_id": { "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], 
@@ -406,12 +407,15 @@ "type": "string" }, "d": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dp": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dq": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "e": { @@ -421,6 +425,7 @@ "type": "string" }, "k": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "key_ops": { @@ -442,21 +447,27 @@ "type": "string" }, "oth": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "p": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "q": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "qi": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "r": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "t": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "use": { @@ -497,6 +508,7 @@ "client_secret": { "description": "The client secret.", "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], 
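Review bot: The members `d`, `dp`, `dq`, `k`, `oth`, `p`, `q`, `qi`, `r` and `t` get a `description` that is only the referenceable sentence, so the schema still does not say what each one holds or why it is sensitive. Judging by the names alone they appear to be the private-key parameters of a JWK, though the enclosing object starts outside the hunk, so this should be confirmed. If so, a lead sentence before the `\n` would help, for example `Private key parameter of the JWK; prefer a vault reference over an inline value.` The identical hunks in `openid-connect/3.10.json`, the `key` property in `loggly/3.10.json` and the `items` entries in `request-transformer-advanced/3.10.json` likewise end up with a description that is just the bare referenceable sentence.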
@@ -572,7 +584,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -626,7 +638,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -639,7 +651,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
@@ -657,7 +669,7 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, @@ -946,7 +958,7 @@ "type": "string" }, "http_proxy_authorization": { - "description": "The HTTP proxy authorization.", + "description": "The HTTP proxy authorization.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "http_version": { @@ -959,7 +971,7 @@ "type": "string" }, "https_proxy_authorization": { - "description": "The HTTPS proxy authorization.", + "description": "The HTTPS proxy authorization.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "id_token_param_name": { @@ -1068,6 +1080,7 @@ "introspection_headers_values": { "description": "Extra header values passed to the introspection endpoint.", "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -1204,7 +1217,7 @@ "login_redirect_uri": { "description": "Where to redirect the client when `login_action` is set to `redirect`.", "items": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], 
@@ -1262,7 +1275,7 @@ "logout_redirect_uri": { "description": "Where to redirect the client after the logout.", "items": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -1455,7 +1468,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -1513,7 +1526,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -1526,7 +1539,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
@@ -1548,7 +1561,7 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, @@ -1715,6 +1728,7 @@ ], "description": "The scopes passed to the authorization and token endpoints.", "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], diff --git a/json_schemas/ldap-auth-advanced/3.10.json b/json_schemas/ldap-auth-advanced/3.10.json index 354b9d7a..d4ce271e 100644 --- a/json_schemas/ldap-auth-advanced/3.10.json +++ b/json_schemas/ldap-auth-advanced/3.10.json @@ -17,7 +17,7 @@ "type": "string" }, "bind_dn": { - "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "cache_ttl": { @@ -91,7 +91,7 @@ "type": "string" }, "ldap_password": { - "description": "The password to the LDAP server.", + "description": "The password to the LDAP server.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "ldap_port": { diff --git a/json_schemas/loggly/3.10.json b/json_schemas/loggly/3.10.json index 81d78b5b..7a26a98b 100644 
--- a/json_schemas/loggly/3.10.json +++ b/json_schemas/loggly/3.10.json @@ -27,6 +27,7 @@ "type": "string" }, "key": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "log_level": { diff --git a/json_schemas/openid-connect/3.10.json b/json_schemas/openid-connect/3.10.json index 89d6c676..3c83ad57 100644 --- a/json_schemas/openid-connect/3.10.json +++ b/json_schemas/openid-connect/3.10.json @@ -311,6 +311,7 @@ "client_id": { "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -329,12 +330,15 @@ "type": "string" }, "d": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dp": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dq": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "e": { @@ -344,6 +348,7 @@ "type": "string" }, "k": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "key_ops": { 
@@ -365,21 +370,27 @@ "type": "string" }, "oth": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "p": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "q": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "qi": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "r": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "t": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "use": { @@ -420,6 +431,7 @@ "client_secret": { "description": "The client secret.", "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -495,7 +507,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { 
@@ -549,7 +561,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -562,7 +574,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -580,7 +592,7 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, @@ -869,7 +881,7 @@ "type": "string" }, "http_proxy_authorization": { - "description": "The HTTP proxy authorization.", + "description": "The HTTP proxy authorization.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "http_version": { 
@@ -882,7 +894,7 @@ "type": "string" }, "https_proxy_authorization": { - "description": "The HTTPS proxy authorization.", + "description": "The HTTPS proxy authorization.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "id_token_param_name": { @@ -991,6 +1003,7 @@ "introspection_headers_values": { "description": "Extra header values passed to the introspection endpoint.", "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -1127,7 +1140,7 @@ "login_redirect_uri": { "description": "Where to redirect the client when `login_action` is set to `redirect`.", "items": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -1185,7 +1198,7 @@ "logout_redirect_uri": { "description": "Where to redirect the client after the logout.", "items": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -1378,7 +1391,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { 
@@ -1436,7 +1449,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -1449,7 +1462,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -1471,7 +1484,7 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, @@ -1638,6 +1651,7 @@ ], "description": "The scopes passed to the authorization and token endpoints.", "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], 
diff --git a/json_schemas/opentelemetry/3.10.json b/json_schemas/opentelemetry/3.10.json index 37adf193..01e5d3d2 100644 --- a/json_schemas/opentelemetry/3.10.json +++ b/json_schemas/opentelemetry/3.10.json @@ -43,7 +43,7 @@ "type": "string" }, "logs_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "propagation": { @@ -213,7 +213,7 @@ "type": "integer" }, "traces_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, @@ -222,7 +222,7 @@ ], "shorthand_fields": { "endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/proxy-cache-advanced/3.10.json b/json_schemas/proxy-cache-advanced/3.10.json index f8bba648..2e5c8466 100644 --- a/json_schemas/proxy-cache-advanced/3.10.json +++ b/json_schemas/proxy-cache-advanced/3.10.json 
@@ -118,7 +118,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -172,7 +172,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -185,7 +185,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
@@ -203,7 +203,7 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/rate-limiting-advanced/3.10.json b/json_schemas/rate-limiting-advanced/3.10.json index 6a2835ca..8345e866 100644 --- a/json_schemas/rate-limiting-advanced/3.10.json +++ b/json_schemas/rate-limiting-advanced/3.10.json @@ -171,7 +171,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -232,7 +232,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { 
@@ -245,7 +245,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -263,7 +263,7 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/rate-limiting/3.10.json b/json_schemas/rate-limiting/3.10.json index 9deecb91..ea98ab40 100644 --- a/json_schemas/rate-limiting/3.10.json +++ b/json_schemas/rate-limiting/3.10.json @@ -122,7 +122,7 @@ "type": "integer" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, 
diff --git a/json_schemas/request-callout/3.10.json b/json_schemas/request-callout/3.10.json index 3105e35c..19da4a70 100644 --- a/json_schemas/request-callout/3.10.json +++ b/json_schemas/request-callout/3.10.json @@ -92,7 +92,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -146,7 +146,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -159,7 +159,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
@@ -177,7 +177,7 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, @@ -358,11 +358,11 @@ "description": "Proxy settings.", "properties": { "auth_password": { - "description": "The password to authenticate with, if the forward proxy is protected by basic authentication.", + "description": "The password to authenticate with, if the forward proxy is protected by basic authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "auth_username": { - "description": "The username to authenticate with, if the forward proxy is protected by basic authentication.", + "description": "The username to authenticate with, if the forward proxy is protected by basic authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "http_proxy": { @@ -447,7 +447,7 @@ "type": "object" }, "url": { - "description": "The URL that will be requested.", + "description": "The URL that will be requested.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/request-transformer-advanced/3.10.json b/json_schemas/request-transformer-advanced/3.10.json index 6c9653b2..f2a4a54a 100644 --- a/json_schemas/request-transformer-advanced/3.10.json +++ b/json_schemas/request-transformer-advanced/3.10.json 
@@ -9,6 +9,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -21,6 +22,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -50,6 +52,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -87,6 +90,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -99,6 +103,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -128,6 +133,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -202,6 +208,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -214,6 +221,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -226,6 +234,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -246,6 +255,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -258,6 +268,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], 
@@ -287,6 +298,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], diff --git a/json_schemas/response-ratelimiting/3.10.json b/json_schemas/response-ratelimiting/3.10.json index bfd951ef..229ec4dc 100644 --- a/json_schemas/response-ratelimiting/3.10.json +++ b/json_schemas/response-ratelimiting/3.10.json @@ -94,7 +94,7 @@ "type": "integer" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/saml/3.10.json b/json_schemas/saml/3.10.json index 699d06ce..71a92cb9 100644 --- a/json_schemas/saml/3.10.json +++ b/json_schemas/saml/3.10.json @@ -101,7 +101,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { 
@@ -159,7 +159,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -172,7 +172,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -194,7 +194,7 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/service-protection/3.10.json b/json_schemas/service-protection/3.10.json index 3e87cc14..a0134073 100644 --- a/json_schemas/service-protection/3.10.json +++ b/json_schemas/service-protection/3.10.json 
@@ -115,7 +115,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -169,7 +169,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -182,7 +182,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
@@ -200,7 +200,7 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/upstream-oauth/3.10.json b/json_schemas/upstream-oauth/3.10.json index 483a4342..52fecf57 100644 --- a/json_schemas/upstream-oauth/3.10.json +++ b/json_schemas/upstream-oauth/3.10.json @@ -151,7 +151,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -205,7 +205,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { 
@@ -218,7 +218,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -236,7 +236,7 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, From c17d17c7ddb5f503540b2d0d032a7327cfc9cdcf Mon Sep 17 00:00:00 2001 
From: fabianrbz <715229+fabianrbz@users.noreply.github.com>
Date: Tue, 25 Mar 2025 16:07:27 +0000
Subject: [PATCH 140/165] JSON Schemas for 3.9.x
---
 json_schemas/acl/3.9.json | 28 +-
 json_schemas/acme/3.9.json | 59 ++-
 json_schemas/ai-azure-content-safety/3.9.json | 26 +-
 json_schemas/ai-prompt-decorator/3.9.json | 32 +-
 json_schemas/ai-prompt-guard/3.9.json | 36 +-
 json_schemas/ai-prompt-template/3.9.json | 28 +-
 json_schemas/ai-proxy-advanced/3.9.json | 108 +++--
 json_schemas/ai-proxy/3.9.json | 68 ++-
 .../ai-rate-limiting-advanced/3.9.json | 48 ++-
 json_schemas/ai-request-transformer/3.9.json | 76 ++--
 json_schemas/ai-response-transformer/3.9.json | 80 ++--
 json_schemas/ai-semantic-cache/3.9.json | 88 ++--
 .../ai-semantic-prompt-guard/3.9.json | 104 +++--
 json_schemas/app-dynamics/3.9.json | 27 +-
 .../application-registration/3.9.json | 12 +-
 json_schemas/aws-lambda/3.9.json | 30 +-
 json_schemas/azure-functions/3.9.json | 28 +-
 json_schemas/basic-auth/3.9.json | 20 +-
 json_schemas/bot-detection/3.9.json | 36 +-
 json_schemas/canary/3.9.json | 24 +-
 json_schemas/confluent/3.9.json | 24 +-
 json_schemas/correlation-id/3.9.json | 24 +-
 json_schemas/cors/3.9.json | 36 +-
 json_schemas/datadog-tracing/3.9.json | 25 +-
 json_schemas/datadog/3.9.json | 34 +-
 json_schemas/degraphql/3.9.json | 20 +-
 json_schemas/exit-transformer/3.9.json | 28 +-
 json_schemas/file-log/3.9.json | 24 +-
 json_schemas/forward-proxy/3.9.json | 24 +-
 .../graphql-proxy-cache-advanced/3.9.json | 52 ++-
 .../graphql-rate-limiting-advanced/3.9.json | 52 ++-
 json_schemas/grpc-gateway/3.9.json | 24 +-
 json_schemas/grpc-web/3.9.json | 24 +-
 json_schemas/header-cert-auth/3.9.json | 28 +-
 json_schemas/hmac-auth/3.9.json | 32 +-
 json_schemas/http-log/3.9.json | 28 +-
 json_schemas/injection-protection/3.9.json | 28 +-
 json_schemas/ip-restriction/3.9.json | 36 +-
 json_schemas/jq/3.9.json | 44 +-
 json_schemas/json-threat-protection/3.9.json | 20 +-
 json_schemas/jwe-decrypt/3.9.json | 24 +-
 json_schemas/jwt-signer/3.9.json | 120 ++++--
 json_schemas/jwt/3.9.json | 40 +-
 json_schemas/kafka-log/3.9.json | 32 +-
 json_schemas/kafka-upstream/3.9.json | 32 +-
 json_schemas/key-auth-enc/3.9.json | 24 +-
 json_schemas/key-auth/3.9.json | 24 +-
 .../konnect-application-auth/3.9.json | 402 +++++++++++++-----
 json_schemas/ldap-auth-advanced/3.9.json | 32 +-
 json_schemas/ldap-auth/3.9.json | 20 +-
 json_schemas/loggly/3.9.json | 29 +-
 json_schemas/mocking/3.9.json | 28 +-
 json_schemas/mtls-auth/3.9.json | 28 +-
 json_schemas/oas-validation/3.9.json | 24 +-
 json_schemas/oauth2-introspection/3.9.json | 30 +-
 json_schemas/oauth2/3.9.json | 24 +-
 json_schemas/opa/3.9.json | 20 +-
 json_schemas/openid-connect/3.9.json | 386 ++++++++++++-----
 json_schemas/opentelemetry/3.9.json | 46 +-
 json_schemas/post-function/3.9.json | 100 +++--
 json_schemas/pre-function/3.9.json | 100 +++--
 json_schemas/prometheus/3.9.json | 24 +-
 json_schemas/proxy-cache-advanced/3.9.json | 76 +++-
 json_schemas/proxy-cache/3.9.json | 56 ++-
 json_schemas/rate-limiting-advanced/3.9.json | 64 ++-
 json_schemas/rate-limiting/3.9.json | 34 +-
 json_schemas/redirect/3.9.json | 28 +-
 json_schemas/request-size-limiting/3.9.json | 24 +-
 json_schemas/request-termination/3.9.json | 28 +-
 .../request-transformer-advanced/3.9.json | 212 ++++++---
 json_schemas/request-transformer/3.9.json | 168 ++++++--
 json_schemas/request-validator/3.9.json | 28 +-
 json_schemas/response-ratelimiting/3.9.json | 30 +-
 .../response-transformer-advanced/3.9.json | 220 +++++++---
 json_schemas/response-transformer/3.9.json | 152 +++++--
 json_schemas/route-by-header/3.9.json | 28 +-
 .../route-transformer-advanced/3.9.json | 24 +-
 json_schemas/saml/3.9.json | 48 ++-
 json_schemas/service-protection/3.9.json | 44 +-
 json_schemas/session/3.9.json | 32 +-
 json_schemas/standard-webhooks/3.9.json | 26 +-
 json_schemas/statsd-advanced/3.9.json | 32 +-
 json_schemas/statsd/3.9.json | 32 +-
 json_schemas/syslog/3.9.json | 24 +-
json_schemas/tcp-log/3.9.json | 24 +- json_schemas/tls-handshake-modifier/3.9.json | 20 +- json_schemas/tls-metadata-headers/3.9.json | 20 +- json_schemas/udp-log/3.9.json | 24 +- json_schemas/upstream-oauth/3.9.json | 84 +++- json_schemas/upstream-timeout/3.9.json | 24 +- json_schemas/vault-auth/3.9.json | 28 +- json_schemas/websocket-size-limit/3.9.json | 24 +- json_schemas/websocket-validator/3.9.json | 32 +- json_schemas/xml-threat-protection/3.9.json | 36 +- json_schemas/zipkin/3.9.json | 40 +- 95 files changed, 3626 insertions(+), 1294 deletions(-) diff --git a/json_schemas/acl/3.9.json b/json_schemas/acl/3.9.json index 303d1f68..c78c25f3 100644 --- a/json_schemas/acl/3.9.json +++ b/json_schemas/acl/3.9.json @@ -5,7 +5,9 @@ "allow": { "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -18,7 +20,9 @@ "deny": { "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -34,7 +38,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -52,7 +58,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -65,7 +73,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -76,9 +86,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/acme/3.9.json b/json_schemas/acme/3.9.json index 5502c1be..519cb9e8 100644 --- a/json_schemas/acme/3.9.json +++ b/json_schemas/acme/3.9.json 
@@ -3,7 +3,7 @@ "config": { "properties": { "account_email": { - "description": "The account identifier. Can be reused in a different plugin instance.", + "description": "The account identifier. Can be reused in a different plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "pattern": "[a-zA-Z0-9]*[!-/:-@[-`{-~]*@+[a-zA-Z0-9]*%.?[a-zA-Z0-9]*", "type": "string" }, @@ -56,17 +56,19 @@ "^[^*]*$" ] }, - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "eab_hmac_key": { - "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "eab_kid": { - "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "enable_ipv4_common_name": { @@ -138,17 +140,22 @@ "type": "number" }, "token": { - "description": "Consul ACL token.", + "description": "Consul ACL token.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "kong": { "additionalProperties": true, - "properties": {}, - "required": [], + "properties": { + }, + "required": [ + + ], "type": "object" }, "redis": { 
@@ -173,7 +180,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "host": { @@ -214,11 +223,13 @@ "type": "integer" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "auth": { "minLength": 0, @@ -245,7 +256,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "vault": { @@ -304,15 +317,19 @@ "type": "boolean" }, "token": { - "description": "Consul ACL token.", + "description": "Consul ACL token.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "tos_accepted": { @@ -321,7 +338,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -339,11 +358,15 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-azure-content-safety/3.9.json b/json_schemas/ai-azure-content-safety/3.9.json index 7fc1e807..cfcbebfa 100644 --- a/json_schemas/ai-azure-content-safety/3.9.json +++ b/json_schemas/ai-azure-content-safety/3.9.json 
@@ -28,7 +28,9 @@ "blocklist_names": { "description": "Use these configured blocklists (in Azure Content Services) when inspecting content.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -53,7 +55,7 @@ "type": "array" }, "content_safety_key": { - "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.", + "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "content_safety_url": { @@ -89,7 +91,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -107,7 +111,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -120,7 +126,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -131,9 +139,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-prompt-decorator/3.9.json b/json_schemas/ai-prompt-decorator/3.9.json index f9a591c8..0559463c 100644 --- a/json_schemas/ai-prompt-decorator/3.9.json +++ b/json_schemas/ai-prompt-decorator/3.9.json @@ -65,11 +65,15 @@ "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -80,7 +84,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -91,7 +97,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -109,7 +117,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -122,7 +132,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -133,9 +145,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-prompt-guard/3.9.json b/json_schemas/ai-prompt-guard/3.9.json index 95c822a7..536e841e 100644 --- a/json_schemas/ai-prompt-guard/3.9.json +++ b/json_schemas/ai-prompt-guard/3.9.json @@ -12,7 +12,9 @@ "items": { "maxLength": 500, "minLength": 1, - "required": [], + "required": [ + + ], "type": "string" }, "maxLength": 10, @@ -23,7 +25,9 @@ "items": { "maxLength": 500, "minLength": 1, - "required": [], + "required": [ + + ], "type": "string" }, "maxLength": 10, @@ -41,7 +45,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -52,7 +58,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -63,7 +71,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -81,7 +91,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -94,7 +106,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -105,9 +119,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-prompt-template/3.9.json b/json_schemas/ai-prompt-template/3.9.json index 594030d0..99f12ea0 100644 --- a/json_schemas/ai-prompt-template/3.9.json +++ b/json_schemas/ai-prompt-template/3.9.json @@ -40,7 +40,9 @@ "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -51,7 +53,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { 
@@ -62,7 +66,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -80,7 +86,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -93,7 +101,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -104,9 +114,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-proxy-advanced/3.9.json b/json_schemas/ai-proxy-advanced/3.9.json index 53725f79..2d8f9810 100644 --- a/json_schemas/ai-proxy-advanced/3.9.json +++ b/json_schemas/ai-proxy-advanced/3.9.json @@ -73,7 +73,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "embeddings": { 
@@ -86,11 +88,11 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_id": { @@ -98,7 +100,7 @@ "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_tenant_id": { 
@@ -111,7 +113,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "gcp_use_service_account": { @@ -124,7 +126,7 @@ "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_location": { @@ -140,11 +142,13 @@ "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "model": { @@ -161,7 +165,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "provider": { 
@@ -217,11 +223,11 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_id": { @@ -229,7 +235,7 @@ "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_tenant_id": { 
@@ -242,7 +248,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "gcp_use_service_account": { @@ -255,7 +261,7 @@ "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_location": { @@ -271,11 +277,13 @@ "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "description": { @@ -295,7 +303,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "model": { @@ -331,7 +341,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "gemini": { @@ -349,7 +361,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "huggingface": { @@ -363,7 +377,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "input_cost": { 
@@ -425,7 +441,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "provider": { @@ -513,7 +531,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, @@ -555,7 +575,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -600,14 +620,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -620,7 +642,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
@@ -638,11 +660,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -686,7 +710,9 @@ "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -697,7 +723,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -708,7 +736,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -726,7 +756,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -739,7 +771,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -750,9 +784,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-proxy/3.9.json b/json_schemas/ai-proxy/3.9.json index e29f7235..c59dc832 100644 --- a/json_schemas/ai-proxy/3.9.json +++ b/json_schemas/ai-proxy/3.9.json 
@@ -10,11 +10,11 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_id": { @@ -22,7 +22,7 @@ "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_tenant_id": { 
@@ -35,7 +35,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "gcp_use_service_account": { @@ -48,7 +48,7 @@ "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_location": { @@ -64,11 +64,13 @@ "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "logging": { @@ -84,7 +86,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "max_request_body_size": { @@ -126,7 +130,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "gemini": { @@ -144,7 +150,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "huggingface": { @@ -158,7 +166,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "input_cost": { 
@@ -220,7 +230,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "provider": { @@ -239,7 +251,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "model_name_header": { @@ -267,7 +281,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -278,7 +294,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -289,7 +307,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -307,7 +327,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -320,7 +342,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -331,9 +355,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-rate-limiting-advanced/3.9.json b/json_schemas/ai-rate-limiting-advanced/3.9.json index 3cd6918f..e71d1c05 100644 --- a/json_schemas/ai-rate-limiting-advanced/3.9.json +++ b/json_schemas/ai-rate-limiting-advanced/3.9.json @@ -117,7 +117,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, @@ -159,7 +161,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { 
@@ -204,14 +206,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -224,7 +228,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -242,11 +246,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -312,7 +318,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { 
@@ -323,7 +331,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -334,7 +344,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -352,7 +364,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -365,7 +379,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -376,9 +392,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-request-transformer/3.9.json b/json_schemas/ai-request-transformer/3.9.json index f2f3db42..a314d401 100644 --- a/json_schemas/ai-request-transformer/3.9.json +++ b/json_schemas/ai-request-transformer/3.9.json 
@@ -42,23 +42,23 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { 
@@ -67,7 +67,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "gcp_use_service_account": { @@ -76,11 +76,11 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_location": { 
@@ -92,15 +92,17 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "logging": { @@ -116,7 +118,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "model": { @@ -152,7 +156,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "gemini": { @@ -170,7 +176,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "huggingface": { @@ -184,7 +192,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "input_cost": { @@ -246,7 +256,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "provider": { @@ -265,7 +277,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "route_type": { @@ -278,7 +292,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "max_request_body_size": { @@ -296,7 +312,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -307,7 +325,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -325,7 +345,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -338,7 +360,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -349,9 +373,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-response-transformer/3.9.json b/json_schemas/ai-response-transformer/3.9.json index 65979cd1..aae73e51 100644 --- a/json_schemas/ai-response-transformer/3.9.json +++ b/json_schemas/ai-response-transformer/3.9.json 
@@ -42,23 +42,23 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { 
@@ -67,7 +67,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "gcp_use_service_account": { @@ -76,11 +76,11 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_location": { 
@@ -92,15 +92,17 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "logging": { @@ -116,7 +118,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "model": { @@ -152,7 +156,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "gemini": { @@ -170,7 +176,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "huggingface": { @@ -184,7 +192,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "input_cost": { @@ -246,7 +256,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "provider": { @@ -265,7 +277,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "route_type": { @@ -278,7 +292,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "max_request_body_size": { @@ -301,7 +317,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -312,7 +330,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -323,7 +343,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -341,7 +363,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -354,7 +378,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -365,9 +391,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-semantic-cache/3.9.json b/json_schemas/ai-semantic-cache/3.9.json index 142bc35a..be340741 100644 --- a/json_schemas/ai-semantic-cache/3.9.json +++ b/json_schemas/ai-semantic-cache/3.9.json 
@@ -23,23 +23,23 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { 
@@ -48,7 +48,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "gcp_use_service_account": { @@ -57,11 +57,11 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_location": { 
@@ -73,15 +73,17 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "model": { @@ -98,7 +100,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "provider": { @@ -110,11 +114,15 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "exact_caching": { @@ -187,7 +195,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, @@ -229,7 +239,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { 
@@ -274,14 +284,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -294,7 +306,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -312,11 +324,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { 
@@ -350,11 +364,15 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -365,7 +383,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -376,7 +396,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -394,7 +416,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -407,7 +431,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -418,9 +444,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-semantic-prompt-guard/3.9.json b/json_schemas/ai-semantic-prompt-guard/3.9.json index 32b4d423..6bab0187 100644 --- a/json_schemas/ai-semantic-prompt-guard/3.9.json +++ b/json_schemas/ai-semantic-prompt-guard/3.9.json 
@@ -12,23 +12,23 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { 
@@ -37,7 +37,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "gcp_use_service_account": { @@ -46,11 +46,11 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_location": { 
@@ -62,15 +62,17 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "model": { @@ -87,7 +89,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "provider": { @@ -99,11 +103,15 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "rules": { @@ -113,7 +121,9 @@ "items": { "maxLength": 500, "minLength": 1, - "required": [], + "required": [ + + ], "type": "string" }, "maxLength": 100, @@ -124,7 +134,9 @@ "items": { "maxLength": 500, "minLength": 1, - "required": [], + "required": [ + + ], "type": "string" }, "maxLength": 100, @@ -147,7 +159,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "search": { @@ -158,7 +172,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "vectordb": { @@ -199,7 +215,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, 
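Review bot: In the `@@ -62,15 +62,17 @@` hunk, and in nearly every later hunk, `"required": [],` is rewritten as a three-line empty array. This is serializer churn, and it buries the description changes on credential fields such as `param_value` and the Redis `password`. Keep the compact form `"required": [],` (likewise `"default": []` and `"properties": {}`) in the generator output, so a reviewer can see at a glance which fields gained the vault sentence. The enclosing object begins outside the hunk.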
@@ -241,7 +259,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -286,14 +304,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -306,7 +326,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
@@ -324,11 +344,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -362,11 +384,15 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -377,7 +403,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -388,7 +416,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -406,7 +436,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -419,7 +451,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -430,9 +464,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/app-dynamics/3.9.json b/json_schemas/app-dynamics/3.9.json index 984044ad..fa37327f 100644 --- a/json_schemas/app-dynamics/3.9.json +++ b/json_schemas/app-dynamics/3.9.json @@ -2,8 +2,11 @@ "properties": { "config": { "additionalProperties": true, - "properties": {}, - "required": [], + "properties": { + }, + "required": [ + + ], "type": "object" }, "consumer": { 
@@ -14,7 +17,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -32,7 +37,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -45,7 +52,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -56,9 +65,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/application-registration/3.9.json b/json_schemas/application-registration/3.9.json index c0e82ee3..42680aeb 100644 --- a/json_schemas/application-registration/3.9.json +++ b/json_schemas/application-registration/3.9.json @@ -26,7 +26,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -44,11 +46,15 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/aws-lambda/3.9.json b/json_schemas/aws-lambda/3.9.json index 531f6aac..166740b4 100644 --- a/json_schemas/aws-lambda/3.9.json +++ b/json_schemas/aws-lambda/3.9.json @@ -3,7 +3,7 @@ "config": { "properties": { "aws_assume_role_arn": { - "description": "The target AWS IAM role ARN used to invoke the Lambda function.", + "description": "The target AWS IAM role ARN used to invoke the Lambda function.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_imds_protocol_version": { 
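Review bot: The link added to `aws_assume_role_arn` in aws-lambda (`@@ -3,7 +3,7 @@`) is site-relative, `/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault`, so it resolves only where the description is rendered on the docs site. If these schema files are also consumed by editors or API tooling (not visible from here), the markdown will show as raw text or a dead link exactly where an operator decides how to supply a credential. An absolute target would avoid that, e.g. `[referenceable](https://<docs-host>/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault)`, with the host filled in by the generator. The same string is appended in every other description hunk of this patch.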
@@ -16,7 +16,7 @@ "type": "string" }, "aws_key": { - "description": "The AWS key credential to be used when invoking the function.", + "description": "The AWS key credential to be used when invoking the function.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_region": { @@ -29,7 +29,7 @@ "type": "string" }, "aws_secret": { - "description": "The AWS secret credential to be used when invoking the function. ", + "description": "The AWS secret credential to be used when invoking the function. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_sts_endpoint_url": { @@ -148,7 +148,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -159,7 +161,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -177,7 +181,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -190,7 +196,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -201,9 +209,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/azure-functions/3.9.json b/json_schemas/azure-functions/3.9.json index 8c4378f8..4a188c42 100644 --- a/json_schemas/azure-functions/3.9.json +++ b/json_schemas/azure-functions/3.9.json 
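Review bot: In the `@@ -29,7 +29,7 @@` hunk the new `aws_secret` description reads `function. \nThis field is …`, so the trailing space of the old text is kept in front of the inserted newline. Trim the existing description before appending, giving `…when invoking the function.\nThis field is [referenceable](…).`, so the generated text matches the other fields.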
@@ -3,7 +3,7 @@ "config": { "properties": { "apikey": { - "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "appname": { @@ -11,7 +11,7 @@ "type": "string" }, "clientid": { - "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.", + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "functionname": { @@ -49,7 +49,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -60,7 +62,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -85,7 +89,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -98,7 +104,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -109,9 +117,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/basic-auth/3.9.json b/json_schemas/basic-auth/3.9.json index d67e26e6..da803a97 100644 --- a/json_schemas/basic-auth/3.9.json +++ b/json_schemas/basic-auth/3.9.json @@ -17,7 +17,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -39,7 +41,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -52,7 +56,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -63,9 +69,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/bot-detection/3.9.json b/json_schemas/bot-detection/3.9.json index 0a4e686c..2233a89d 100644 --- a/json_schemas/bot-detection/3.9.json +++ b/json_schemas/bot-detection/3.9.json @@ -3,27 +3,37 @@ "config": { "properties": { "allow": { - "default": [], + "default": [ + + ], "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", "items": { "is_regex": true, - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "deny": { - "default": [], + "default": [ + + ], "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", "items": { "is_regex": true, - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -41,7 +51,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -54,7 +66,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -65,9 +79,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/canary/3.9.json b/json_schemas/canary/3.9.json index b7ecf25f..39072c60 100644 --- a/json_schemas/canary/3.9.json +++ b/json_schemas/canary/3.9.json @@ -15,7 +15,9 @@ "groups": { "description": "The groups allowed to access the canary release.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -74,7 +76,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "hash": { "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead.", @@ -98,7 +102,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -111,7 +117,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -122,9 +130,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/confluent/3.9.json b/json_schemas/confluent/3.9.json index 8355c951..2eda69cb 100644 --- a/json_schemas/confluent/3.9.json +++ b/json_schemas/confluent/3.9.json @@ -134,7 +134,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -145,7 +147,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -163,7 +167,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -176,7 +182,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -187,9 +195,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/correlation-id/3.9.json b/json_schemas/correlation-id/3.9.json index a6dd6f8d..776a2f3e 100644 --- a/json_schemas/correlation-id/3.9.json +++ b/json_schemas/correlation-id/3.9.json @@ -23,7 +23,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -34,7 +36,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -52,7 +56,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -65,7 +71,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -76,9 +84,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/cors/3.9.json b/json_schemas/cors/3.9.json index d3d2518f..b0254d05 100644 --- a/json_schemas/cors/3.9.json +++ b/json_schemas/cors/3.9.json @@ -10,7 +10,9 @@ "exposed_headers": { "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -18,7 +20,9 @@ "headers": { "description": "Value for the `Access-Control-Allow-Headers` header.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -52,7 +56,9 @@ "PUT", "TRACE" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -60,7 +66,9 @@ "origins": { "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -76,7 +84,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -95,7 +105,9 @@ "https" ], "minLength": 1, - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -108,7 +120,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
@@ -119,9 +133,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/datadog-tracing/3.9.json b/json_schemas/datadog-tracing/3.9.json index a599aec1..b5723945 100644 --- a/json_schemas/datadog-tracing/3.9.json +++ b/json_schemas/datadog-tracing/3.9.json @@ -17,6 +17,7 @@ "type": "integer" }, "endpoint": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "environment": { @@ -40,7 +41,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -51,7 +54,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -69,7 +74,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -82,7 +89,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -93,9 +102,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/datadog/3.9.json b/json_schemas/datadog/3.9.json index b32b6dcf..12d04755 100644 --- a/json_schemas/datadog/3.9.json +++ b/json_schemas/datadog/3.9.json @@ -13,7 +13,7 @@ }, "host": { "default": "localhost", - "description": "A string representing a host name, such as example.com.", + "description": "A string representing a host name, such as example.com.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "metrics": { @@ -75,7 +75,9 @@ "description": "List of tags", "items": { "pattern": "^.*[^:]$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
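Review bot: In datadog-tracing (`@@ -17,6 +17,7 @@`) the new `description` for `endpoint` consists only of the vault sentence, so the schema says the value may come from a vault but not what the value is. Put one sentence describing the field first, e.g. `"description": "<what the endpoint is and its expected form>\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault)."`. If the field is referenceable because the endpoint can carry a credential (inferred, not visible here), that sentence should say so, so operators know to keep it out of plain config.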
@@ -157,7 +159,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "queue_size": { @@ -179,7 +183,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -190,7 +196,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -215,7 +223,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -228,7 +238,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -239,9 +251,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/degraphql/3.9.json b/json_schemas/degraphql/3.9.json index 305dfff1..4d44acc6 100644 --- a/json_schemas/degraphql/3.9.json +++ b/json_schemas/degraphql/3.9.json @@ -8,7 +8,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -26,7 +28,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -39,7 +43,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -50,9 +56,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/exit-transformer/3.9.json b/json_schemas/exit-transformer/3.9.json index 423006b1..f65b3b1f 100644 --- a/json_schemas/exit-transformer/3.9.json +++ b/json_schemas/exit-transformer/3.9.json @@ -4,7 +4,9 @@ "properties": { "functions": { "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -20,7 +22,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { 
@@ -31,7 +35,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -49,7 +55,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -62,7 +70,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -73,9 +83,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/file-log/3.9.json b/json_schemas/file-log/3.9.json index 1144bb8d..7b34b71e 100644 --- a/json_schemas/file-log/3.9.json +++ b/json_schemas/file-log/3.9.json @@ -18,7 +18,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -29,7 +31,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -54,7 +58,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -67,7 +73,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -78,9 +86,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/forward-proxy/3.9.json b/json_schemas/forward-proxy/3.9.json index 800452c3..ad6b829b 100644 --- a/json_schemas/forward-proxy/3.9.json +++ b/json_schemas/forward-proxy/3.9.json @@ -54,7 +54,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "proxy_host": { "type": "string" @@ -73,7 +75,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -91,7 +95,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -104,7 +110,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -115,9 +123,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/graphql-proxy-cache-advanced/3.9.json b/json_schemas/graphql-proxy-cache-advanced/3.9.json index 8fc6a4c4..46c5d48b 100644 --- a/json_schemas/graphql-proxy-cache-advanced/3.9.json +++ b/json_schemas/graphql-proxy-cache-advanced/3.9.json @@ -21,7 +21,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "redis": { @@ -48,7 +50,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, @@ -90,7 +94,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -135,14 +139,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { 
@@ -155,7 +161,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -173,11 +179,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -211,13 +219,17 @@ "vary_headers": { "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -228,7 +240,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -246,7 +260,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -259,7 +275,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
@@ -270,9 +288,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/graphql-rate-limiting-advanced/3.9.json b/json_schemas/graphql-rate-limiting-advanced/3.9.json index 7121732c..6fedc860 100644 --- a/json_schemas/graphql-rate-limiting-advanced/3.9.json +++ b/json_schemas/graphql-rate-limiting-advanced/3.9.json @@ -34,7 +34,9 @@ "limit": { "description": "One or more requests-per-window limits to apply.", "items": { - "required": [], + "required": [ + + ], "type": "number" }, "type": "array" @@ -72,7 +74,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, @@ -114,7 +118,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -159,14 +163,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { 
@@ -179,7 +185,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -197,11 +203,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -245,7 +253,9 @@ "window_size": { "description": "One or more window sizes to apply a limit to (defined in seconds).", "items": { - "required": [], + "required": [ + + ], "type": "number" }, "type": "array" @@ -260,7 +270,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -271,7 +283,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -289,7 +303,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -302,7 +318,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
@@ -313,9 +331,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/grpc-gateway/3.9.json b/json_schemas/grpc-gateway/3.9.json index f9b0ae1e..2ae37a8c 100644 --- a/json_schemas/grpc-gateway/3.9.json +++ b/json_schemas/grpc-gateway/3.9.json @@ -7,7 +7,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -18,7 +20,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -43,7 +47,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -56,7 +62,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -67,9 +75,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/grpc-web/3.9.json b/json_schemas/grpc-web/3.9.json index 41a21e62..31f56172 100644 --- a/json_schemas/grpc-web/3.9.json +++ b/json_schemas/grpc-web/3.9.json @@ -16,7 +16,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -27,7 +29,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -52,7 +56,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -65,7 +71,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -76,9 +84,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/header-cert-auth/3.9.json b/json_schemas/header-cert-auth/3.9.json index 0b872fc3..cd742de3 100644 --- a/json_schemas/header-cert-auth/3.9.json 
+++ b/json_schemas/header-cert-auth/3.9.json @@ -23,7 +23,9 @@ "ca_certificates": { "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", "items": { - "required": [], + "required": [ + + ], "type": "string", "uuid": true }, @@ -62,7 +64,9 @@ "custom_id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -117,7 +121,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -135,7 +141,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -148,7 +156,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -159,9 +169,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/hmac-auth/3.9.json b/json_schemas/hmac-auth/3.9.json index 163911ba..1e3ae8ec 100644 --- a/json_schemas/hmac-auth/3.9.json +++ b/json_schemas/hmac-auth/3.9.json @@ -17,7 +17,9 @@ "hmac-sha384", "hmac-sha512" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -33,10 +35,14 @@ "type": "number" }, "enforce_headers": { - "default": [], + "default": [ + + ], "description": "A list of headers that the client should at least use for HTTP signature creation.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -56,7 +62,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -78,7 +86,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -91,7 +101,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -102,9 +114,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/http-log/3.9.json b/json_schemas/http-log/3.9.json index 548d1ad5..2d6b5c6c 100644 --- a/json_schemas/http-log/3.9.json +++ b/json_schemas/http-log/3.9.json @@ -100,7 +100,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "queue_size": { @@ -117,7 +119,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -128,7 +132,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -153,7 +159,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -166,7 +174,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -177,9 +187,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/injection-protection/3.9.json b/json_schemas/injection-protection/3.9.json index 199f956b..52949341 100644 --- a/json_schemas/injection-protection/3.9.json +++ b/json_schemas/injection-protection/3.9.json @@ -60,7 +60,9 @@ "xpath_abbreviated", "xpath_extended" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -76,13 +78,17 @@ "headers", "path_and_query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -100,7 +106,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -113,7 +121,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -124,9 +134,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ip-restriction/3.9.json b/json_schemas/ip-restriction/3.9.json index 00e778e7..83800949 100644 --- a/json_schemas/ip-restriction/3.9.json +++ b/json_schemas/ip-restriction/3.9.json @@ -6,7 +6,9 @@ "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", "items": { "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -15,7 +17,9 @@ "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", "items": { "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -29,7 +33,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -40,7 +46,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -51,7 +59,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -78,7 +88,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -91,7 +103,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -102,9 +116,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/jq/3.9.json b/json_schemas/jq/3.9.json index 562724b3..7a686c75 100644 
--- a/json_schemas/jq/3.9.json +++ b/json_schemas/jq/3.9.json @@ -7,7 +7,9 @@ "application/json" ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -38,7 +40,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "response_if_media_type": { @@ -46,7 +50,9 @@ "application/json" ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -58,7 +64,9 @@ "items": { "maximum": 599, "minimum": 100, - "required": [], + "required": [ + + ], "type": "integer" }, "type": "array" @@ -89,11 +97,15 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -104,7 +116,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -122,7 +136,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -135,7 +151,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -146,9 +164,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/json-threat-protection/3.9.json b/json_schemas/json-threat-protection/3.9.json index 86d98f32..43827bd8 100644 --- a/json_schemas/json-threat-protection/3.9.json +++ b/json_schemas/json-threat-protection/3.9.json @@ -66,7 +66,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -84,7 +86,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -97,7 +101,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
@@ -108,9 +114,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/jwe-decrypt/3.9.json b/json_schemas/jwe-decrypt/3.9.json index dd09fa60..019e6fb1 100644 --- a/json_schemas/jwe-decrypt/3.9.json +++ b/json_schemas/jwe-decrypt/3.9.json @@ -10,7 +10,9 @@ "key_sets": { "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -26,7 +28,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -44,7 +48,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -57,7 +63,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -68,9 +76,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/jwt-signer/3.9.json b/json_schemas/jwt-signer/3.9.json index 3be7f441..6b424d39 100644 --- a/json_schemas/jwt-signer/3.9.json +++ b/json_schemas/jwt-signer/3.9.json @@ -14,7 +14,9 @@ "id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -22,7 +24,9 @@ "access_token_consumer_claim": { "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -47,7 +51,9 @@ "id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -55,7 +61,9 @@ "access_token_introspection_consumer_claim": { "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -72,7 +80,9 @@ "access_token_introspection_jwt_claim": { "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -88,7 +98,9 @@ ], "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -96,7 +108,9 @@ "access_token_introspection_scopes_required": { "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -174,7 +188,9 @@ ], "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -182,7 +198,9 @@ "access_token_scopes_required": { "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -253,7 +271,9 @@ "id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -261,7 +281,9 @@ "channel_token_consumer_claim": { "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -269,7 +291,9 @@ "channel_token_introspection_authorization": { "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "string" 
@@ -277,7 +301,9 @@ "channel_token_introspection_body_args": { "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "string" @@ -294,7 +320,9 @@ "id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -302,7 +330,9 @@ "channel_token_introspection_consumer_claim": { "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -314,7 +344,9 @@ "channel_token_introspection_hint": { "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "string" @@ -322,7 +354,9 @@ "channel_token_introspection_jwt_claim": { "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -338,7 +372,9 @@ ], "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -346,7 +382,9 @@ "channel_token_introspection_scopes_required": { "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -423,7 +461,9 @@ ], "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -431,7 +471,9 @@ "channel_token_scopes_required": { "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -497,19 +539,27 @@ "type": "string" }, "remove_access_token_claims": { - "default": [], + "default": [ + + ], "description": "remove claims. It should be an array, and each element is a claim key string.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "remove_channel_token_claims": { - "default": [], + "default": [ + + ], "description": "remove claims. It should be an array, and each element is a claim key string.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -589,7 +639,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -607,7 +659,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -620,7 +674,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -631,9 +687,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/jwt/3.9.json b/json_schemas/jwt/3.9.json index 256f1af8..6a6338ce 100644 --- a/json_schemas/jwt/3.9.json +++ b/json_schemas/jwt/3.9.json @@ -13,16 +13,22 @@ "exp", "nbf" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "cookie_names": { - "default": [], + "default": [ + + ], "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -33,7 +39,9 @@ ], "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -70,13 +78,17 @@ ], "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -94,7 +106,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -107,7 +121,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -118,9 +134,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/kafka-log/3.9.json b/json_schemas/kafka-log/3.9.json index 03450b52..3cc3b73a 100644 --- a/json_schemas/kafka-log/3.9.json +++ b/json_schemas/kafka-log/3.9.json 
@@ -33,7 +33,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "bootstrap_servers": { @@ -138,7 +140,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "timeout": { @@ -151,7 +155,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -162,7 +168,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -184,7 +192,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -197,7 +207,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -208,9 +220,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/kafka-upstream/3.9.json b/json_schemas/kafka-upstream/3.9.json index 28be0e0e..4fa1cc92 100644 --- a/json_schemas/kafka-upstream/3.9.json +++ b/json_schemas/kafka-upstream/3.9.json @@ -33,7 +33,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "bootstrap_servers": { @@ -154,7 +156,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "timeout": { @@ -167,7 +171,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -178,7 +184,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -196,7 +204,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -209,7 +219,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -220,9 +232,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file 
diff --git a/json_schemas/key-auth-enc/3.9.json b/json_schemas/key-auth-enc/3.9.json index e436fd07..393987e0 100644 --- a/json_schemas/key-auth-enc/3.9.json +++ b/json_schemas/key-auth-enc/3.9.json @@ -33,7 +33,9 @@ "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "items": { "description": "A string representing an HTTP header name.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -48,7 +50,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -70,7 +74,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -83,7 +89,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -94,9 +102,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/key-auth/3.9.json b/json_schemas/key-auth/3.9.json index 42a51f9a..a37eb540 100644 --- a/json_schemas/key-auth/3.9.json +++ b/json_schemas/key-auth/3.9.json @@ -33,7 +33,9 @@ "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "items": { "description": "A string representing an HTTP header name.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -48,7 +50,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -70,7 +74,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -83,7 +89,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -94,9 +102,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/konnect-application-auth/3.9.json b/json_schemas/konnect-application-auth/3.9.json index 582fcff7..6b9a6b29 100644 --- a/json_schemas/konnect-application-auth/3.9.json +++ b/json_schemas/konnect-application-auth/3.9.json @@ -19,7 +19,9 @@ "description": "The names of the headers containing the API key. You can specify multiple header names.", "items": { "description": "A string representing an HTTP header name.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -44,13 +46,17 @@ "description": "The names of the headers containing the API key. You can specify multiple header names.", "items": { "description": "A string representing an HTTP header name.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "strategy_id": { @@ -80,7 +86,9 @@ "audience": { "description": "The audience passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -91,7 +99,9 @@ ], "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -99,7 +109,9 @@ "audience_required": { "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -129,7 +141,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -137,7 +151,9 @@ "authenticated_groups_claim": { "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -183,7 +199,9 @@ "authorization_query_args_client": { "description": "Extra query arguments passed from the client to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -191,7 +209,9 @@ "authorization_query_args_names": { "description": "Extra query argument names passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -199,7 +219,9 @@ "authorization_query_args_values": { "description": "Extra query argument values passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -227,7 +249,9 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -285,7 +309,9 @@ "claims_forbidden": { "description": "If given, these claims are forbidden in the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -308,7 +334,9 @@ "RS384", "RS512" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -330,7 +358,9 @@ "self_signed_tls_client_auth", "tls_client_auth" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -348,7 +378,9 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -356,7 +388,10 @@ "client_id": { "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -372,12 +407,15 @@ "type": "string" }, "d": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dp": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dq": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "e": { @@ -387,11 +425,14 @@ "type": "string" }, "k": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "key_ops": { "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -406,21 +447,27 @@ "type": "string" }, "oth": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "p": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "q": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "qi": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "r": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "t": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "use": { @@ -431,7 +478,9 @@ }, "x5c": { "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -449,7 +498,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "type": "array" @@ -457,7 +508,10 @@ "client_secret": { "description": "The client secret.", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -486,7 +540,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, @@ -528,7 +584,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { 
@@ -573,14 +629,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -593,7 +651,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -611,11 +669,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -658,7 +718,9 @@ "id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -666,7 +728,9 @@ "consumer_claim": { "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -682,7 +746,9 @@ ], "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -701,7 +767,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -709,7 +777,9 @@ "discovery_headers_names": { "description": "Extra header names passed to the discovery endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -717,7 +787,9 @@ "discovery_headers_values": { "description": "Extra header values passed to the discovery endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -730,7 +802,9 @@ "domains": { "description": "The allowed values for the `hd` claim.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -746,7 +820,9 @@ "downstream_headers_claims": { "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -754,7 +830,9 @@ "downstream_headers_names": { "description": "The downstream header names for the claim values.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -819,7 +897,9 @@ "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -838,7 +918,9 @@ "description": "Where to redirect the client on forbidden requests.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -849,7 +931,9 @@ ], "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -857,7 +941,9 @@ "groups_required": { "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -872,7 +958,7 @@ "type": "string" }, "http_proxy_authorization": { - "description": "The HTTP proxy authorization.", + "description": "The HTTP proxy authorization.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "http_version": { @@ -885,7 +971,7 @@ "type": "string" }, "https_proxy_authorization": { - "description": "The HTTPS proxy authorization.", + "description": "The HTTPS proxy authorization.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "id_token_param_name": { 
@@ -905,13 +991,17 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ignore_signature": { - "default": [], + "default": [ + + ], "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", "items": { "enum": [ @@ -923,7 +1013,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -968,7 +1060,9 @@ "introspection_headers_client": { "description": "Extra headers passed from the client to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -976,7 +1070,9 @@ "introspection_headers_names": { "description": "Extra header names passed to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -984,7 +1080,10 @@ "introspection_headers_values": { "description": "Extra header values passed to the introspection endpoint.", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -997,7 +1096,9 @@ "introspection_post_args_client": { "description": "Extra post arguments passed from the client to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
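Review bot: Of the arrays that carry outbound header or post-argument values, only `introspection_headers_values` (hunk `@@ -984,7 +1080,10 @@`) gains the referenceable sentence. `introspection_post_args_values`, `token_headers_values`, `token_post_args_values`, `userinfo_headers_values` and `discovery_headers_values` are touched by this patch but keep descriptions without it. Such values often hold credentials for the identity provider, so an operator reading the schema cannot tell whether a vault reference placed there is resolved or stored literally. If the sentence is derived from the plugin's schema, the gap is presumably real and worth stating in those descriptions, e.g. by appending `Not referenceable; the value is stored as configured.`; if it is added by hand, it is missing on those items.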
@@ -1005,7 +1106,9 @@ "introspection_post_args_client_headers": { "description": "Extra post arguments passed from the client headers to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1013,7 +1116,9 @@ "introspection_post_args_names": { "description": "Extra post argument names passed to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1021,7 +1126,9 @@ "introspection_post_args_values": { "description": "Extra post argument values passed to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1038,7 +1145,9 @@ "issuers_allowed": { "description": "The issuers allowed to be present in the tokens (`iss` claim).", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1089,7 +1198,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1106,8 +1217,10 @@ "login_redirect_uri": { "description": "Where to redirect the client when `login_action` is set to `redirect`.", "items": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -1125,7 +1238,9 @@ "refresh_token", "tokens" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1142,7 +1257,9 @@ "GET", "POST" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -1158,8 +1275,10 @@ "logout_redirect_uri": { "description": "Where to redirect the client after the logout.", "items": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -1216,7 +1335,9 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1272,7 +1393,9 @@ "description": "The redirect URI passed to the authorization and token endpoints.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1301,7 +1424,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, @@ -1343,7 +1468,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { 
@@ -1392,14 +1517,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -1412,7 +1539,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -1434,11 +1561,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -1482,7 +1611,9 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -1529,7 +1660,9 @@ ], "description": "The response type passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1567,7 +1700,9 @@ ], "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1575,7 +1710,9 @@ "roles_required": { "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1591,7 +1728,10 @@ ], "description": "The scopes passed to the authorization and token endpoints.", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -1602,7 +1742,9 @@ ], "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1610,7 +1752,9 @@ "scopes_required": { "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1736,7 +1880,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1753,7 +1899,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -1832,7 +1980,9 @@ "token_headers_client": { "description": "Extra headers passed from the client to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1846,7 +1996,9 @@ "password", "refresh_token" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1854,7 +2006,9 @@ "token_headers_names": { "description": "Extra header names passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1866,7 +2020,9 @@ "token_headers_replay": { "description": "The names of token endpoint response headers to forward to the downstream client.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1874,7 +2030,9 @@ "token_headers_values": { "description": "Extra header values passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1882,7 +2040,9 @@ "token_post_args_client": { "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1890,7 +2050,9 @@ "token_post_args_names": { "description": "Extra post argument names passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1898,7 +2060,9 @@ "token_post_args_values": { "description": "Extra post argument values passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -1917,7 +2081,9 @@ "description": "Where to redirect the client on unauthorized requests.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1926,7 +2092,9 @@ "description": "Where to redirect the client when unexpected errors happen with the requests.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1943,7 +2111,9 @@ "upstream_headers_claims": { "description": "The upstream header claims. Only top level claims are supported.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1951,7 +2121,9 @@ "upstream_headers_names": { "description": "The upstream header names for the claim values.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -2004,7 +2176,9 @@ "userinfo_headers_client": { "description": "Extra headers passed from the client to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -2012,7 +2186,9 @@ "userinfo_headers_names": { "description": "Extra header names passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -2020,7 +2196,9 @@ "userinfo_headers_values": { "description": "Extra header values passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -2028,7 +2206,9 @@ "userinfo_query_args_client": { "description": "Extra query arguments passed from the client to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -2036,7 +2216,9 @@ "userinfo_query_args_names": { "description": "Extra query argument names passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -2044,7 +2226,9 @@ "userinfo_query_args_values": { "description": "Extra query argument values passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -2095,11 +2279,15 @@ "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -2117,7 +2305,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -2130,7 +2320,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -2141,9 +2333,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ldap-auth-advanced/3.9.json b/json_schemas/ldap-auth-advanced/3.9.json index 3963afba..d4ce271e 100644 --- a/json_schemas/ldap-auth-advanced/3.9.json +++ b/json_schemas/ldap-auth-advanced/3.9.json @@ -17,7 +17,7 @@ "type": "string" }, "bind_dn": { - "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "cache_ttl": { @@ -36,7 +36,9 @@ "custom_id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -62,7 +64,9 @@ "groups_required": { "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -87,7 +91,7 @@ "type": "string" }, "ldap_password": { - "description": "The password to the LDAP server.", + "description": "The password to the LDAP server.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "ldap_port": { @@ -125,7 +129,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -147,7 +153,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -160,7 +168,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -171,9 +181,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ldap-auth/3.9.json b/json_schemas/ldap-auth/3.9.json index 01d68fe9..e4d24f03 100644 --- a/json_schemas/ldap-auth/3.9.json +++ b/json_schemas/ldap-auth/3.9.json @@ -70,7 +70,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -92,7 +94,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -105,7 +109,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
@@ -116,9 +122,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/loggly/3.9.json b/json_schemas/loggly/3.9.json index 5c5621cc..7a26a98b 100644 --- a/json_schemas/loggly/3.9.json +++ b/json_schemas/loggly/3.9.json @@ -27,6 +27,7 @@ "type": "string" }, "key": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "log_level": { @@ -83,7 +84,9 @@ "kong" ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -93,7 +96,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -104,7 +109,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -129,7 +136,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -142,7 +151,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -153,9 +164,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/mocking/3.9.json b/json_schemas/mocking/3.9.json index ef0dfd5c..ceb3d3a9 100644 --- a/json_schemas/mocking/3.9.json +++ b/json_schemas/mocking/3.9.json @@ -22,7 +22,9 @@ "included_status_codes": { "description": "A global list of the HTTP status codes that can only be selected and returned.", "items": { - "required": [], + "required": [ + + ], "type": "integer" }, "type": "array" @@ -53,7 +55,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -64,7 +68,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -82,7 +88,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -95,7 +103,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -106,9 +116,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/mtls-auth/3.9.json b/json_schemas/mtls-auth/3.9.json index 4f4afe55..0fae0bda 100644 --- a/json_schemas/mtls-auth/3.9.json +++ b/json_schemas/mtls-auth/3.9.json @@ -23,7 +23,9 @@ "ca_certificates": { "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", "items": { - "required": [], + "required": [ + + ], "type": "string", "uuid": true }, @@ -50,7 +52,9 @@ "custom_id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -105,7 +109,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -123,7 +129,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -136,7 +144,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -147,9 +157,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/oas-validation/3.9.json b/json_schemas/oas-validation/3.9.json index a73a7a5d..1e421781 100644 --- a/json_schemas/oas-validation/3.9.json +++ b/json_schemas/oas-validation/3.9.json @@ -76,7 +76,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { 
@@ -87,7 +89,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -105,7 +109,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -118,7 +124,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -129,9 +137,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/oauth2-introspection/3.9.json b/json_schemas/oauth2-introspection/3.9.json index 5b600229..482e4d6e 100644 --- a/json_schemas/oauth2-introspection/3.9.json +++ b/json_schemas/oauth2-introspection/3.9.json @@ -9,7 +9,7 @@ "type": "string" }, "authorization_value": { - "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "consumer_by": { @@ -22,10 +22,14 @@ "type": "string" }, "custom_claims_forward": { - "default": [], + "default": [ + + ], "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -74,7 +78,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -92,7 +98,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -105,7 +113,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -116,9 +126,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/oauth2/3.9.json b/json_schemas/oauth2/3.9.json index 612af7ab..ccfd1b4a 100644 --- a/json_schemas/oauth2/3.9.json +++ b/json_schemas/oauth2/3.9.json @@ -88,7 +88,9 @@ "scopes": { "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -99,7 +101,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -121,7 +125,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -134,7 +140,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -145,9 +153,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/opa/3.9.json b/json_schemas/opa/3.9.json index 60c4b8fc..58dc36d0 100644 --- a/json_schemas/opa/3.9.json +++ b/json_schemas/opa/3.9.json @@ -62,7 +62,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -80,7 +82,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -93,7 +97,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
@@ -104,9 +110,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/openid-connect/3.9.json b/json_schemas/openid-connect/3.9.json index 1acdd149..3c83ad57 100644 --- a/json_schemas/openid-connect/3.9.json +++ b/json_schemas/openid-connect/3.9.json @@ -9,7 +9,9 @@ "audience": { "description": "The audience passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -20,7 +22,9 @@ ], "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -28,7 +32,9 @@ "audience_required": { "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -58,7 +64,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -66,7 +74,9 @@ "authenticated_groups_claim": { "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -112,7 +122,9 @@ "authorization_query_args_client": { "description": "Extra query arguments passed from the client to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -120,7 +132,9 @@ "authorization_query_args_names": { "description": "Extra query argument names passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -128,7 +142,9 @@ "authorization_query_args_values": { "description": "Extra query argument values passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -156,7 +172,9 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -214,7 +232,9 @@ "claims_forbidden": { "description": "If given, these claims are forbidden in the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -237,7 +257,9 @@ "RS384", "RS512" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -259,7 +281,9 @@ "self_signed_tls_client_auth", "tls_client_auth" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -277,7 +301,9 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -285,7 +311,10 @@ "client_id": { "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -301,12 +330,15 @@ "type": "string" }, "d": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dp": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dq": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "e": { @@ -316,11 +348,14 @@ "type": "string" }, "k": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "key_ops": { "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -335,21 +370,27 @@ "type": "string" }, "oth": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "p": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "q": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "qi": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "r": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "t": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "use": { @@ -360,7 +401,9 @@ }, "x5c": { "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -378,7 +421,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "type": "array" 
@@ -386,7 +431,10 @@ "client_secret": { "description": "The client secret.", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -415,7 +463,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, @@ -457,7 +507,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -502,14 +552,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -522,7 +574,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
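Review bot: In `@@ -502,14 +552,16 @@` the array of objects that closes just before `sentinel_password` carries `"minLength": 1` next to `"type": "array"`. Under JSON Schema `minLength` constrains strings only, so a standard validator will accept an empty array there. If the intent is at least one entry, the keyword should be `"minItems": 1`. The same pairing shows up in context at `@@ -415,7 +463,9 @@` on this line, in the second Redis block (`@@ -1230,7 +1347,9 @@`, `@@ -1321,14 +1440,16 @@`), and in the proxy-cache-advanced and proxy-cache sections, including the integer array at `@@ -250,7 +262,9 @@`. The commit does not touch these lines, so the fix probably belongs in the schema export.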
@@ -540,11 +592,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -587,7 +641,9 @@ "id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -595,7 +651,9 @@ "consumer_claim": { "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -611,7 +669,9 @@ ], "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -630,7 +690,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -638,7 +700,9 @@ "discovery_headers_names": { "description": "Extra header names passed to the discovery endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -646,7 +710,9 @@ "discovery_headers_values": { "description": "Extra header values passed to the discovery endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -659,7 +725,9 @@ "domains": { "description": "The allowed values for the `hd` claim.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -675,7 +743,9 @@ "downstream_headers_claims": { "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -683,7 +753,9 @@ "downstream_headers_names": { "description": "The downstream header names for the claim values.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -748,7 +820,9 @@ "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -767,7 +841,9 @@ "description": "Where to redirect the client on forbidden requests.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -778,7 +854,9 @@ ], "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -786,7 +864,9 @@ "groups_required": { "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -801,7 +881,7 @@ "type": "string" }, "http_proxy_authorization": { - "description": "The HTTP proxy authorization.", + "description": "The HTTP proxy authorization.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "http_version": { @@ -814,7 +894,7 @@ "type": "string" }, "https_proxy_authorization": { - "description": "The HTTPS proxy authorization.", + "description": "The HTTPS proxy authorization.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "id_token_param_name": { @@ -834,13 +914,17 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ignore_signature": { - "default": [], + "default": [ + + ], "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", "items": { "enum": [ @@ -852,7 +936,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -897,7 +983,9 @@ "introspection_headers_client": { "description": "Extra headers passed from the client to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -905,7 +993,9 @@ "introspection_headers_names": { "description": "Extra header names passed to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -913,7 +1003,10 @@ "introspection_headers_values": { "description": "Extra header values passed to the introspection endpoint.", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -926,7 +1019,9 @@ "introspection_post_args_client": { "description": "Extra post arguments passed from the client to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -934,7 +1029,9 @@ "introspection_post_args_client_headers": { "description": "Extra post arguments passed from the client headers to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -942,7 +1039,9 @@ "introspection_post_args_names": { "description": "Extra post argument names passed to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -950,7 +1049,9 @@ "introspection_post_args_values": { "description": "Extra post argument values passed to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -967,7 +1068,9 @@ "issuers_allowed": { "description": "The issuers allowed to be present in the tokens (`iss` claim).", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1018,7 +1121,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
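Review bot: `introspection_headers_values` gains the referenceable marker on its `items` in `@@ -913,7 +1003,10 @@`, but the sibling value lists get only the `required` reformat in their hunks. Those are `introspection_post_args_values`, `token_headers_values`, `token_post_args_values` and `userinfo_headers_values`, which look equally able to carry credentials. If that matches the plugin's field definitions, operators have to keep those values inline in configuration, and that is worth stating in their descriptions. If it is a gap in the exported descriptions, the same `"description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault)."` line is missing there. The marker also sits on `items` rather than on the property, so "This field" reads ambiguously next to the property's own description.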
@@ -1035,8 +1140,10 @@ "login_redirect_uri": { "description": "Where to redirect the client when `login_action` is set to `redirect`.", "items": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -1054,7 +1161,9 @@ "refresh_token", "tokens" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1071,7 +1180,9 @@ "GET", "POST" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1087,8 +1198,10 @@ "logout_redirect_uri": { "description": "Where to redirect the client after the logout.", "items": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -1145,7 +1258,9 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1201,7 +1316,9 @@ "description": "The redirect URI passed to the authorization and token endpoints.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1230,7 +1347,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, 
@@ -1272,7 +1391,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -1321,14 +1440,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -1341,7 +1462,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
@@ -1363,11 +1484,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -1411,7 +1534,9 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1458,7 +1583,9 @@ ], "description": "The response type passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1496,7 +1623,9 @@ ], "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1504,7 +1633,9 @@ "roles_required": { "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1520,7 +1651,10 @@ ], "description": "The scopes passed to the authorization and token endpoints.", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -1531,7 +1665,9 @@ ], "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1539,7 +1675,9 @@ "scopes_required": { "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1665,7 +1803,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1682,7 +1822,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1761,7 +1903,9 @@ "token_headers_client": { "description": "Extra headers passed from the client to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1775,7 +1919,9 @@ "password", "refresh_token" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1783,7 +1929,9 @@ "token_headers_names": { "description": "Extra header names passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1795,7 +1943,9 @@ "token_headers_replay": { "description": "The names of token endpoint response headers to forward to the downstream client.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1803,7 +1953,9 @@ "token_headers_values": { "description": "Extra header values passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -1811,7 +1963,9 @@ "token_post_args_client": { "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1819,7 +1973,9 @@ "token_post_args_names": { "description": "Extra post argument names passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1827,7 +1983,9 @@ "token_post_args_values": { "description": "Extra post argument values passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1846,7 +2004,9 @@ "description": "Where to redirect the client on unauthorized requests.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1855,7 +2015,9 @@ "description": "Where to redirect the client when unexpected errors happen with the requests.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1872,7 +2034,9 @@ "upstream_headers_claims": { "description": "The upstream header claims. Only top level claims are supported.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -1880,7 +2044,9 @@ "upstream_headers_names": { "description": "The upstream header names for the claim values.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1933,7 +2099,9 @@ "userinfo_headers_client": { "description": "Extra headers passed from the client to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1941,7 +2109,9 @@ "userinfo_headers_names": { "description": "Extra header names passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1949,7 +2119,9 @@ "userinfo_headers_values": { "description": "Extra header values passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1957,7 +2129,9 @@ "userinfo_query_args_client": { "description": "Extra query arguments passed from the client to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1965,7 +2139,9 @@ "userinfo_query_args_names": { "description": "Extra query argument names passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1973,7 +2149,9 @@ "userinfo_query_args_values": { "description": "Extra query argument values passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -2004,7 +2182,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "authorization_cookie_httponly": { "type": "boolean" @@ -2128,7 +2308,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -2141,7 +2323,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
@@ -2152,9 +2336,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/opentelemetry/3.9.json b/json_schemas/opentelemetry/3.9.json index a7e8e181..fae04180 100644 --- a/json_schemas/opentelemetry/3.9.json +++ b/json_schemas/opentelemetry/3.9.json @@ -42,7 +42,7 @@ "type": "string" }, "logs_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "propagation": { @@ -53,7 +53,9 @@ "clear": { "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -84,7 +86,9 @@ "ot", "w3c" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -103,7 +107,9 @@ "preserve", "w3c" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -173,7 +179,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "read_timeout": { 
@@ -201,14 +209,16 @@ "type": "integer" }, "traces_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, @@ -222,7 +232,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -240,7 +252,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -253,7 +267,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -264,9 +280,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/post-function/3.9.json b/json_schemas/post-function/3.9.json index 33806f8a..fda803ac 100644 --- a/json_schemas/post-function/3.9.json +++ b/json_schemas/post-function/3.9.json 
@@ -3,87 +3,129 @@ "config": { "properties": { "access": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "body_filter": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "certificate": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "header_filter": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "log": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "rewrite": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_client_frame": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_close": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_handshake": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_upstream_frame": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -108,7 +150,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -121,7 +165,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -132,9 +178,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file 
diff --git a/json_schemas/pre-function/3.9.json b/json_schemas/pre-function/3.9.json index 33806f8a..fda803ac 100644 --- a/json_schemas/pre-function/3.9.json +++ b/json_schemas/pre-function/3.9.json @@ -3,87 +3,129 @@ "config": { "properties": { "access": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "body_filter": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "certificate": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "header_filter": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "log": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "rewrite": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_client_frame": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_close": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_handshake": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_upstream_frame": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -108,7 +150,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -121,7 +165,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -132,9 +178,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/prometheus/3.9.json b/json_schemas/prometheus/3.9.json index 30370b04..c2bc326c 100644 --- a/json_schemas/prometheus/3.9.json +++ b/json_schemas/prometheus/3.9.json @@ -33,7 +33,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -44,7 +46,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -69,7 +73,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -82,7 +88,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -93,9 +101,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/proxy-cache-advanced/3.9.json b/json_schemas/proxy-cache-advanced/3.9.json index 8cad5e05..d674bb8f 100644 --- a/json_schemas/proxy-cache-advanced/3.9.json +++ b/json_schemas/proxy-cache-advanced/3.9.json @@ -25,7 +25,9 @@ ], "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -43,7 +45,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "redis": { 
@@ -70,7 +74,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, @@ -112,7 +118,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -157,14 +163,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -177,7 +185,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
@@ -195,11 +203,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -235,7 +245,9 @@ "POST", "PUT" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -250,7 +262,9 @@ "items": { "maximum": 900, "minimum": 100, - "required": [], + "required": [ + + ], "type": "integer" }, "minLength": 1, @@ -272,7 +286,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "storage_ttl": { @@ -290,7 +306,9 @@ "vary_headers": { "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -298,13 +316,17 @@ "vary_query_params": { "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -315,7 +337,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -326,7 +350,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -344,7 +370,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -357,7 +385,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -368,9 +398,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/proxy-cache/3.9.json b/json_schemas/proxy-cache/3.9.json index d0b32ca7..c2f2d7c7 100644 --- a/json_schemas/proxy-cache/3.9.json +++ b/json_schemas/proxy-cache/3.9.json @@ -20,7 +20,9 @@ ], "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -37,7 +39,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "request_method": { @@ -54,7 +58,9 @@ "POST", "PUT" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -69,7 +75,9 @@ "items": { "maximum": 900, "minimum": 100, - "required": [], + "required": [ + + ], "type": "integer" }, "minLength": 1, @@ -91,7 +99,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "storage_ttl": { @@ -108,7 +118,9 @@ "vary_headers": { "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -116,13 +128,17 @@ "vary_query_params": { "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { 
@@ -133,7 +149,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -144,7 +162,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -169,7 +189,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -182,7 +204,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -193,9 +217,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/rate-limiting-advanced/3.9.json b/json_schemas/rate-limiting-advanced/3.9.json index db6b2311..0050c3da 100644 --- a/json_schemas/rate-limiting-advanced/3.9.json +++ b/json_schemas/rate-limiting-advanced/3.9.json @@ -14,7 +14,9 @@ "path", "service" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -22,7 +24,9 @@ "consumer_groups": { "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -79,7 +83,9 @@ "limit": { "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", "items": { - "required": [], + "required": [ + + ], "type": "number" }, "type": "array" @@ -121,7 +127,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, 
@@ -163,7 +171,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -215,14 +223,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -235,7 +245,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
@@ -253,11 +263,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -301,7 +313,9 @@ "window_size": { "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", "items": { - "required": [], + "required": [ + + ], "type": "number" }, "type": "array" @@ -316,7 +330,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -327,7 +343,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -338,7 +356,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -356,7 +376,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -369,7 +391,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -380,9 +404,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/rate-limiting/3.9.json b/json_schemas/rate-limiting/3.9.json index 59814145..ea98ab40 100644 --- a/json_schemas/rate-limiting/3.9.json +++ b/json_schemas/rate-limiting/3.9.json 
@@ -122,11 +122,13 @@ "type": "integer" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "second": { @@ -145,7 +147,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "redis_database": { "type": "integer" @@ -186,7 +190,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -197,7 +203,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -215,7 +223,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -228,7 +238,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -239,9 +251,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/redirect/3.9.json b/json_schemas/redirect/3.9.json index 36342a35..dea922d4 100644 --- a/json_schemas/redirect/3.9.json +++ b/json_schemas/redirect/3.9.json @@ -19,7 +19,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -30,7 +32,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -41,7 +45,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -59,7 +65,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -72,7 +80,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -83,9 +93,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/request-size-limiting/3.9.json b/json_schemas/request-size-limiting/3.9.json index 3d4e9633..5259ed13 100644 --- a/json_schemas/request-size-limiting/3.9.json +++ b/json_schemas/request-size-limiting/3.9.json @@ -23,7 +23,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -34,7 +36,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -52,7 +56,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -65,7 +71,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -76,9 +84,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/request-termination/3.9.json b/json_schemas/request-termination/3.9.json index 96110caf..b9c25a41 100644 --- a/json_schemas/request-termination/3.9.json +++ b/json_schemas/request-termination/3.9.json @@ -31,7 +31,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -42,7 +44,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -53,7 +57,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -71,7 +77,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -84,7 +92,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -95,9 +105,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/request-transformer-advanced/3.9.json b/json_schemas/request-transformer-advanced/3.9.json index b7a77c42..f2a4a54a 100644 --- a/json_schemas/request-transformer-advanced/3.9.json +++ b/json_schemas/request-transformer-advanced/3.9.json 
@@ -5,100 +5,146 @@ "add": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "items": { "enum": [ "boolean", "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "allow": { "properties": { "body": { "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "append": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "items": { "enum": [ "boolean", "number", "string" ], - "required": [], + "required": [ + + ], "type": 
"string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "dots_in_keys": { 
@@ -114,98 +160,148 @@ "remove": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "rename": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "replace": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, 
"json_types": { - "default": [], + "default": [ + + ], "items": { "enum": [ "boolean", "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -214,11 +310,15 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -229,7 +329,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -240,7 +342,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -258,7 +362,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -271,7 +377,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -282,9 +390,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/request-transformer/3.9.json b/json_schemas/request-transformer/3.9.json index 8a4551c8..ce375bb6 100644 --- a/json_schemas/request-transformer/3.9.json +++ b/json_schemas/request-transformer/3.9.json 
@@ -5,63 +5,91 @@ "add": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "append": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "http_method": { 
@@ -72,87 +100,127 @@ "remove": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "rename": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "replace": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -161,11 +229,15 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -176,7 +248,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -187,7 +261,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -212,7 +288,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -225,7 +303,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -236,9 +316,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/request-validator/3.9.json b/json_schemas/request-validator/3.9.json index 5da7629d..71fb676d 100644 --- a/json_schemas/request-validator/3.9.json +++ b/json_schemas/request-validator/3.9.json @@ -8,7 +8,9 @@ ], "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -89,7 +91,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -100,7 +104,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -118,7 +124,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -131,7 +139,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -142,9 +152,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/response-ratelimiting/3.9.json b/json_schemas/response-ratelimiting/3.9.json index 211dcfe2..229ec4dc 100644 --- a/json_schemas/response-ratelimiting/3.9.json +++ b/json_schemas/response-ratelimiting/3.9.json 
@@ -94,15 +94,19 @@ "type": "integer" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "redis_database": { "type": "integer" @@ -143,7 +147,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -161,7 +167,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -174,7 +182,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -185,9 +195,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/response-transformer-advanced/3.9.json b/json_schemas/response-transformer-advanced/3.9.json index e5c923b4..251e8dc2 100644 --- a/json_schemas/response-transformer-advanced/3.9.json +++ b/json_schemas/response-transformer-advanced/3.9.json 
@@ -5,100 +5,140 @@ "add": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "if_status": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "items": { "enum": [ "boolean", "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "allow": { "properties": { "json": { "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "append": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "if_status": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "items": { "enum": [ "boolean", "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "dots_in_keys": { 
@@ -109,54 +149,78 @@ "remove": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "if_status": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "rename": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "if_status": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "replace": { 
@@ -166,78 +230,112 @@ "type": "string" }, "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "if_status": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "items": { "enum": [ "boolean", "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "transform": { "properties": { "functions": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "if_status": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -248,7 +346,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -259,7 +359,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -277,7 +379,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -290,7 +394,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -301,9 +407,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file 
diff --git a/json_schemas/response-transformer/3.9.json b/json_schemas/response-transformer/3.9.json index 340a58e4..c4180b30 100644 --- a/json_schemas/response-transformer/3.9.json +++ b/json_schemas/response-transformer/3.9.json @@ -5,25 +5,35 @@ "add": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "items": { "enum": [ @@ -31,37 +41,51 @@ "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "append": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "items": { "enum": [ 
@@ -69,83 +93,117 @@ "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "remove": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "rename": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "replace": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "items": { "enum": [ @@ -153,17 +211,23 @@ "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -174,7 +238,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { 
@@ -185,7 +251,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -203,7 +271,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -216,7 +286,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -227,9 +299,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/route-by-header/3.9.json b/json_schemas/route-by-header/3.9.json index 2e8bace4..308bac74 100644 --- a/json_schemas/route-by-header/3.9.json +++ b/json_schemas/route-by-header/3.9.json @@ -3,7 +3,9 @@ "config": { "properties": { "rules": { - "default": [], + "default": [ + + ], "description": "Route by header rules.", "items": { "properties": { @@ -25,7 +27,9 @@ "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -36,7 +40,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -54,7 +60,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -67,7 +75,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -78,9 +88,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/route-transformer-advanced/3.9.json b/json_schemas/route-transformer-advanced/3.9.json index 759d3aa2..55afb37a 100644 --- a/json_schemas/route-transformer-advanced/3.9.json +++ b/json_schemas/route-transformer-advanced/3.9.json @@ -16,7 +16,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { 
@@ -27,7 +29,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -45,7 +49,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -58,7 +64,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -69,9 +77,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/saml/3.9.json b/json_schemas/saml/3.9.json index cca343c0..71a92cb9 100644 --- a/json_schemas/saml/3.9.json +++ b/json_schemas/saml/3.9.json @@ -57,7 +57,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, @@ -99,7 +101,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -148,14 +150,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { 
@@ -168,7 +172,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -190,11 +194,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -381,7 +387,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -397,7 +405,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -436,7 +446,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "session_auth_ttl": { "type": "number" @@ -557,7 +569,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -570,7 +584,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
@@ -581,9 +597,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/service-protection/3.9.json b/json_schemas/service-protection/3.9.json index 803c767d..a0134073 100644 --- a/json_schemas/service-protection/3.9.json +++ b/json_schemas/service-protection/3.9.json @@ -31,7 +31,9 @@ "limit": { "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", "items": { - "required": [], + "required": [ + + ], "type": "number" }, "type": "array" @@ -69,7 +71,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, @@ -111,7 +115,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -156,14 +160,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { 
@@ -176,7 +182,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -194,11 +200,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -242,7 +250,9 @@ "window_size": { "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", "items": { - "required": [], + "required": [ + + ], "type": "number" }, "type": "array" @@ -257,7 +267,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -275,7 +287,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -288,9 +302,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file 
diff --git a/json_schemas/session/3.9.json b/json_schemas/session/3.9.json index 499b70ec..ce22bca5 100644 --- a/json_schemas/session/3.9.json +++ b/json_schemas/session/3.9.json @@ -64,7 +64,9 @@ "GET", "POST" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -115,7 +117,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -132,7 +136,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -162,7 +168,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cookie_discard": { "type": "number" @@ -210,7 +218,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -223,7 +233,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -234,9 +246,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/standard-webhooks/3.9.json b/json_schemas/standard-webhooks/3.9.json index b2cd7c32..1faa2af3 100644 --- a/json_schemas/standard-webhooks/3.9.json +++ b/json_schemas/standard-webhooks/3.9.json @@ -3,7 +3,7 @@ "config": { "properties": { "secret_v1": { - "description": "Webhook secret", + "description": "Webhook secret\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "tolerance_second": { @@ -13,7 +13,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -24,7 +26,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -42,7 +46,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -55,7 +61,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -66,9 +74,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/statsd-advanced/3.9.json b/json_schemas/statsd-advanced/3.9.json index b842a66d..be532c92 100644 --- a/json_schemas/statsd-advanced/3.9.json +++ b/json_schemas/statsd-advanced/3.9.json @@ -6,7 +6,9 @@ "description": "List of status code ranges that are allowed to be logged in metrics.", "items": { "pattern": "^[0-9]+-[0-9]+$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -178,7 +180,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service_identifier_default": { @@ -214,7 +218,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -225,7 +231,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -250,7 +258,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -263,7 +273,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -274,9 +286,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/statsd/3.9.json b/json_schemas/statsd/3.9.json index 930ae300..a55fdecc 100644 --- a/json_schemas/statsd/3.9.json +++ b/json_schemas/statsd/3.9.json @@ -6,7 +6,9 @@ "description": "List of status code ranges that are allowed to be logged in metrics.", "items": { "pattern": "^[0-9]+-[0-9]+$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -185,7 +187,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "queue_size": { @@ -232,7 +236,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -243,7 +249,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -268,7 +276,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -281,7 +291,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -292,9 +304,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/syslog/3.9.json b/json_schemas/syslog/3.9.json index fbbdbdbe..90bd9094 100644 --- a/json_schemas/syslog/3.9.json +++ b/json_schemas/syslog/3.9.json @@ -91,7 +91,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -102,7 +104,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -127,7 +131,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -140,7 +146,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -151,9 +159,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/tcp-log/3.9.json b/json_schemas/tcp-log/3.9.json index 028dafde..91b64178 100644 --- a/json_schemas/tcp-log/3.9.json +++ b/json_schemas/tcp-log/3.9.json @@ -37,7 +37,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -48,7 +50,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -73,7 +77,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -86,7 +92,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -97,9 +105,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/tls-handshake-modifier/3.9.json b/json_schemas/tls-handshake-modifier/3.9.json index fcfac7cc..358d3225 100644 --- a/json_schemas/tls-handshake-modifier/3.9.json +++ b/json_schemas/tls-handshake-modifier/3.9.json @@ -11,7 +11,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -26,7 +28,9 @@ "https", "tls" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -39,7 +43,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -50,9 +56,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/tls-metadata-headers/3.9.json b/json_schemas/tls-metadata-headers/3.9.json index d878d7ab..3ae3ee64 100644 --- a/json_schemas/tls-metadata-headers/3.9.json +++ b/json_schemas/tls-metadata-headers/3.9.json @@ -33,7 +33,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -48,7 +50,9 @@ "https", "tls" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -61,7 +65,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -72,9 +78,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file 
diff --git a/json_schemas/udp-log/3.9.json b/json_schemas/udp-log/3.9.json index adfff403..1c727685 100644 --- a/json_schemas/udp-log/3.9.json +++ b/json_schemas/udp-log/3.9.json @@ -23,7 +23,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -34,7 +36,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -59,7 +63,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -72,7 +78,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -83,9 +91,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/upstream-oauth/3.9.json b/json_schemas/upstream-oauth/3.9.json index c26c2dc7..52fecf57 100644 --- a/json_schemas/upstream-oauth/3.9.json +++ b/json_schemas/upstream-oauth/3.9.json @@ -37,7 +37,9 @@ "items": { "maximum": 599, "minimum": 100, - "required": [], + "required": [ + + ], "type": "integer" }, "type": "array" @@ -49,7 +51,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "cache": { @@ -74,7 +78,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "redis": { @@ -101,7 +107,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, @@ -143,7 +151,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { 
@@ -188,14 +196,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -208,7 +218,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -226,11 +236,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -262,7 +274,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "client": { 
@@ -330,16 +344,22 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "oauth": { "properties": { "audience": { - "default": [], + "default": [ + + ], "description": "List of audiences passed to the IdP when obtaining a new token.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -371,7 +391,9 @@ ], "description": "List of scopes to request from the IdP when obtaining a new token.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -395,11 +417,15 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -410,7 +436,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -421,7 +449,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -439,7 +469,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -452,7 +484,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -463,9 +497,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/upstream-timeout/3.9.json b/json_schemas/upstream-timeout/3.9.json index 681120b5..6ba90827 100644 --- a/json_schemas/upstream-timeout/3.9.json +++ b/json_schemas/upstream-timeout/3.9.json @@ -21,7 +21,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -32,7 +34,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -50,7 +54,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -63,7 +69,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -74,9 +82,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/vault-auth/3.9.json b/json_schemas/vault-auth/3.9.json index 3f52bdea..08e8cc3b 100644 --- a/json_schemas/vault-auth/3.9.json +++ b/json_schemas/vault-auth/3.9.json @@ -7,7 +7,9 @@ "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", "items": { "description": "A string representing an HTTP header name.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "string" @@ -31,7 +33,9 @@ "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", "items": { "description": "A string representing an HTTP header name.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "string" @@ -46,7 +50,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -64,7 +70,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -77,7 +85,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
@@ -88,9 +98,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/websocket-size-limit/3.9.json b/json_schemas/websocket-size-limit/3.9.json index b46f162b..483c3c46 100644 --- a/json_schemas/websocket-size-limit/3.9.json +++ b/json_schemas/websocket-size-limit/3.9.json @@ -13,7 +13,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -24,7 +26,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -38,7 +42,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -51,7 +57,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -62,9 +70,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/websocket-validator/3.9.json b/json_schemas/websocket-validator/3.9.json index 8c23be44..65cf170c 100644 --- a/json_schemas/websocket-validator/3.9.json +++ b/json_schemas/websocket-validator/3.9.json @@ -45,7 +45,9 @@ "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "upstream": { @@ -91,11 +93,15 @@ "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -106,7 +112,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -120,7 +128,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -133,7 +143,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
@@ -144,9 +156,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/xml-threat-protection/3.9.json b/json_schemas/xml-threat-protection/3.9.json index 0fea5bfa..48a6bd95 100644 --- a/json_schemas/xml-threat-protection/3.9.json +++ b/json_schemas/xml-threat-protection/3.9.json @@ -8,11 +8,15 @@ "type": "boolean" }, "allowed_content_types": { - "default": [], + "default": [ + + ], "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", "items": { "pattern": "^[^\\t\\n\\v\\f\\r ]+\\/[^ ;]+$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -48,7 +52,9 @@ "description": "A list of Content-Type values with payloads that must be validated.", "items": { "pattern": "^[^\\t\\n\\v\\f\\r ]+\\/[^ ;]+$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -149,7 +155,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -160,7 +168,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -178,7 +188,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -191,7 +203,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -202,9 +216,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/zipkin/3.9.json b/json_schemas/zipkin/3.9.json index 354c7064..0e5554bb 100644 --- a/json_schemas/zipkin/3.9.json +++ b/json_schemas/zipkin/3.9.json 
@@ -88,7 +88,9 @@ "clear": { "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -119,7 +121,9 @@ "ot", "w3c" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -138,7 +142,9 @@ "preserve", "w3c" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -205,7 +211,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "read_timeout": { @@ -278,7 +286,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -289,7 +299,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -314,7 +326,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -327,7 +341,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -338,9 +354,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file From 0592058cb4891bdc897a56a416f8364afb477a94 Mon Sep 17 00:00:00 2001 
From: fabianrbz <715229+fabianrbz@users.noreply.github.com> Date: Tue, 25 Mar 2025 16:20:55 +0000 Subject: [PATCH 141/165] JSON Schemas for 3.7.x --- json_schemas/acl/3.7.json | 28 +- json_schemas/acme/3.7.json | 51 ++- json_schemas/ai-azure-content-safety/3.7.json | 24 +- json_schemas/ai-prompt-decorator/3.7.json | 32 +- json_schemas/ai-prompt-guard/3.7.json | 44 ++- json_schemas/ai-prompt-template/3.7.json | 24 +- json_schemas/ai-proxy/3.7.json | 44 ++- .../ai-rate-limiting-advanced/3.7.json | 48 ++- json_schemas/ai-request-transformer/3.7.json | 52 ++- json_schemas/ai-response-transformer/3.7.json | 52 ++- json_schemas/app-dynamics/3.7.json | 27 +- .../application-registration/3.7.json | 12 +- json_schemas/aws-lambda/3.7.json | 24 +- json_schemas/azure-functions/3.7.json | 24 +- json_schemas/basic-auth/3.7.json | 20 +- json_schemas/bot-detection/3.7.json | 36 +- json_schemas/canary/3.7.json | 24 +- json_schemas/correlation-id/3.7.json | 24 +- json_schemas/cors/3.7.json | 36 +- json_schemas/datadog/3.7.json | 34 +- json_schemas/degraphql/3.7.json | 20 +- json_schemas/exit-transformer/3.7.json | 28 +- json_schemas/file-log/3.7.json | 24 +- json_schemas/forward-proxy/3.7.json | 28 +- .../graphql-proxy-cache-advanced/3.7.json | 52 ++- .../graphql-rate-limiting-advanced/3.7.json | 52 ++- json_schemas/grpc-gateway/3.7.json | 24 +- json_schemas/grpc-web/3.7.json | 24 +- json_schemas/hmac-auth/3.7.json | 32 +- json_schemas/http-log/3.7.json | 28 +- json_schemas/ip-restriction/3.7.json | 36 +- json_schemas/jq/3.7.json | 44 ++- json_schemas/jwe-decrypt/3.7.json | 24 +- json_schemas/jwt-signer/3.7.json | 128 +++++-- json_schemas/jwt/3.7.json | 40 +- json_schemas/kafka-log/3.7.json | 32 +- json_schemas/kafka-upstream/3.7.json | 32 +- json_schemas/key-auth-enc/3.7.json | 24 +- json_schemas/key-auth/3.7.json | 24 +- .../konnect-application-auth/3.7.json | 356 +++++++++++++----- json_schemas/ldap-auth-advanced/3.7.json | 28 +- json_schemas/ldap-auth/3.7.json | 20 +- 
json_schemas/loggly/3.7.json | 29 +- json_schemas/mocking/3.7.json | 28 +- json_schemas/mtls-auth/3.7.json | 28 +- json_schemas/oas-validation/3.7.json | 24 +- json_schemas/oauth2-introspection/3.7.json | 28 +- json_schemas/oauth2/3.7.json | 24 +- json_schemas/opa/3.7.json | 20 +- json_schemas/openid-connect/3.7.json | 340 +++++++++++++---- json_schemas/opentelemetry/3.7.json | 42 ++- json_schemas/post-function/3.7.json | 100 +++-- json_schemas/pre-function/3.7.json | 100 +++-- json_schemas/prometheus/3.7.json | 24 +- json_schemas/proxy-cache-advanced/3.7.json | 76 ++-- json_schemas/proxy-cache/3.7.json | 56 ++- json_schemas/rate-limiting-advanced/3.7.json | 60 ++- json_schemas/rate-limiting/3.7.json | 32 +- json_schemas/request-size-limiting/3.7.json | 24 +- json_schemas/request-termination/3.7.json | 28 +- .../request-transformer-advanced/3.7.json | 212 ++++++++--- json_schemas/request-transformer/3.7.json | 168 ++++++--- json_schemas/request-validator/3.7.json | 28 +- json_schemas/response-ratelimiting/3.7.json | 28 +- .../response-transformer-advanced/3.7.json | 220 ++++++++--- json_schemas/response-transformer/3.7.json | 144 +++++-- json_schemas/route-by-header/3.7.json | 28 +- .../route-transformer-advanced/3.7.json | 24 +- json_schemas/saml/3.7.json | 32 +- json_schemas/session/3.7.json | 32 +- json_schemas/statsd-advanced/3.7.json | 32 +- json_schemas/statsd/3.7.json | 32 +- json_schemas/syslog/3.7.json | 24 +- json_schemas/tcp-log/3.7.json | 24 +- json_schemas/tls-handshake-modifier/3.7.json | 20 +- json_schemas/tls-metadata-headers/3.7.json | 20 +- json_schemas/udp-log/3.7.json | 24 +- json_schemas/upstream-timeout/3.7.json | 24 +- json_schemas/vault-auth/3.7.json | 28 +- json_schemas/websocket-size-limit/3.7.json | 24 +- json_schemas/websocket-validator/3.7.json | 32 +- json_schemas/xml-threat-protection/3.7.json | 36 +- json_schemas/zipkin/3.7.json | 40 +- 83 files changed, 3060 insertions(+), 1039 deletions(-) 
diff --git a/json_schemas/acl/3.7.json b/json_schemas/acl/3.7.json index 2971cdc9..51d27bd8 100644 --- a/json_schemas/acl/3.7.json +++ b/json_schemas/acl/3.7.json @@ -5,7 +5,9 @@ "allow": { "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -13,7 +15,9 @@ "deny": { "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -28,7 +32,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -46,7 +52,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -59,7 +67,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -70,9 +80,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/acme/3.7.json b/json_schemas/acme/3.7.json index 4f34c195..b1a9993e 100644 --- a/json_schemas/acme/3.7.json +++ b/json_schemas/acme/3.7.json 
@@ -56,17 +56,19 @@ "^[^*]*$" ] }, - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "eab_hmac_key": { - "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "eab_kid": { - "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "enable_ipv4_common_name": { @@ -142,13 +144,18 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "kong": { "additionalProperties": true, - "properties": {}, - "required": [], + "properties": { + }, + "required": [ + + ], "type": "object" }, "redis": { @@ -173,7 +180,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "host": { @@ -218,7 +227,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "auth": { "minLength": 0, @@ -259,7 +270,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "vault": { @@ -322,11 +335,15 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "tos_accepted": { @@ -335,7 +352,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -353,11 +372,15 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-azure-content-safety/3.7.json b/json_schemas/ai-azure-content-safety/3.7.json index 7fc1e807..b87a3b14 100644 --- a/json_schemas/ai-azure-content-safety/3.7.json +++ b/json_schemas/ai-azure-content-safety/3.7.json @@ -28,7 +28,9 @@ "blocklist_names": { "description": "Use these configured blocklists (in Azure Content Services) when inspecting content.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -89,7 +91,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -107,7 +111,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -120,7 +126,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -131,9 +139,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-prompt-decorator/3.7.json b/json_schemas/ai-prompt-decorator/3.7.json index 91013ece..b6f1eb69 100644 --- a/json_schemas/ai-prompt-decorator/3.7.json +++ b/json_schemas/ai-prompt-decorator/3.7.json @@ -59,11 +59,15 @@ "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -74,7 +78,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -85,7 +91,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -103,7 +111,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -116,7 +126,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -127,9 +139,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-prompt-guard/3.7.json b/json_schemas/ai-prompt-guard/3.7.json index 6a26d4a7..7ba1573f 100644 --- a/json_schemas/ai-prompt-guard/3.7.json +++ b/json_schemas/ai-prompt-guard/3.7.json @@ -8,31 +8,41 @@ "type": "boolean" }, "allow_patterns": { - "default": [], + "default": [ + + ], "description": "Array of valid patterns, or valid questions from the 'user' role in chat.", "items": { "maxLength": 500, "minLength": 1, - "required": [], + "required": [ + + ], "type": "string" }, "maxLength": 10, "type": "array" }, "deny_patterns": { - "default": [], + "default": [ + + ], "description": "Array of invalid patterns, or invalid questions from the 'user' role in chat.", "items": { "maxLength": 500, "minLength": 1, - "required": [], + "required": [ + + ], "type": "string" }, "maxLength": 10, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -43,7 +53,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -54,7 +66,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -72,7 +86,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -85,7 +101,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -96,9 +114,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-prompt-template/3.7.json b/json_schemas/ai-prompt-template/3.7.json index 2be256bc..40b85af2 100644 
--- a/json_schemas/ai-prompt-template/3.7.json +++ b/json_schemas/ai-prompt-template/3.7.json @@ -34,7 +34,9 @@ "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -45,7 +47,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -63,7 +67,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -76,7 +82,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -87,9 +95,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-proxy/3.7.json b/json_schemas/ai-proxy/3.7.json index f950282e..db84b20e 100644 --- a/json_schemas/ai-proxy/3.7.json +++ b/json_schemas/ai-proxy/3.7.json @@ -5,7 +5,7 @@ "auth": { "properties": { "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { @@ -13,7 +13,7 @@ "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { 
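Review bot: `azure_client_secret`, `header_value` and `param_value` in the ai-proxy `auth` block (hunks `@@ -5,7 +5,7 @@` through `@@ -38,7 +38,7 @@`) are not touched, while the identifier fields next to them (`azure_client_id`, `azure_tenant_id`, `header_name`, `param_name`) gain the vault-reference sentence. Those three fields are the ones that hold the credential itself, and their description lines fall between the hunks, so they may already carry the sentence. If they do not, the schema steers operators to vault references for the names but not for the secrets. Worth checking the full file and, where missing, appending `This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).` to those descriptions. The `auth` hunks of ai-request-transformer and ai-response-transformer show the same pattern.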
@@ -22,7 +22,7 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { @@ -38,7 +38,7 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { @@ -46,7 +46,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "logging": { @@ -62,7 +64,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "model": { @@ -150,7 +154,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "provider": { @@ -166,7 +172,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "route_type": { @@ -179,7 +187,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -190,7 +200,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -208,7 +220,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -221,9 +235,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-rate-limiting-advanced/3.7.json b/json_schemas/ai-rate-limiting-advanced/3.7.json index 75ac96e4..18c7f716 100644 
--- a/json_schemas/ai-rate-limiting-advanced/3.7.json +++ b/json_schemas/ai-rate-limiting-advanced/3.7.json @@ -95,7 +95,9 @@ "cluster_addresses": { "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "minLength": 1, @@ -130,7 +132,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -154,7 +156,9 @@ "sentinel_addresses": { "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "minLength": 1, @@ -165,7 +169,7 @@ "type": "string" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { 
@@ -178,7 +182,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -203,11 +207,13 @@ "type": "integer" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "request_prompt_count_function": { @@ -253,7 +259,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -264,7 +272,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -275,7 +285,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -293,7 +305,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -306,7 +320,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -317,9 +333,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file 
diff --git a/json_schemas/ai-request-transformer/3.7.json b/json_schemas/ai-request-transformer/3.7.json index b85135a1..3a2ada1e 100644 --- a/json_schemas/ai-request-transformer/3.7.json +++ b/json_schemas/ai-request-transformer/3.7.json @@ -37,7 +37,7 @@ "auth": { "properties": { "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { @@ -45,7 +45,7 @@ "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { @@ -54,7 +54,7 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { 
@@ -70,7 +70,7 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { @@ -78,7 +78,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "logging": { @@ -94,7 +96,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "model": { @@ -182,7 +186,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "provider": { @@ -198,7 +204,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "route_type": { @@ -211,7 +219,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "prompt": { @@ -223,7 +233,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -234,7 +246,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -252,7 +266,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -265,7 +281,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -276,9 +294,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-response-transformer/3.7.json b/json_schemas/ai-response-transformer/3.7.json index af73ad32..28ae8692 100644 --- a/json_schemas/ai-response-transformer/3.7.json +++ b/json_schemas/ai-response-transformer/3.7.json 
@@ -37,7 +37,7 @@ "auth": { "properties": { "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { @@ -45,7 +45,7 @@ "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { @@ -54,7 +54,7 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { @@ -70,7 +70,7 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { 
@@ -78,7 +78,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "logging": { @@ -94,7 +96,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "model": { @@ -182,7 +186,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "provider": { @@ -198,7 +204,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "route_type": { @@ -211,7 +219,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "parse_llm_response_json_instructions": { @@ -228,7 +238,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -239,7 +251,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -257,7 +271,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -270,7 +286,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -281,9 +299,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/app-dynamics/3.7.json b/json_schemas/app-dynamics/3.7.json index 984044ad..fa37327f 100644 --- a/json_schemas/app-dynamics/3.7.json +++ b/json_schemas/app-dynamics/3.7.json @@ -2,8 +2,11 @@ "properties": { "config": { "additionalProperties": true, - "properties": {}, - "required": [], + "properties": { + }, + "required": [ + + ], "type": "object" }, "consumer": { @@ -14,7 +17,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -32,7 +37,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -45,7 +52,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
@@ -56,9 +65,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/application-registration/3.7.json b/json_schemas/application-registration/3.7.json index c0e82ee3..42680aeb 100644 --- a/json_schemas/application-registration/3.7.json +++ b/json_schemas/application-registration/3.7.json @@ -26,7 +26,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -44,11 +46,15 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/aws-lambda/3.7.json b/json_schemas/aws-lambda/3.7.json index f24daea8..add72c32 100644 --- a/json_schemas/aws-lambda/3.7.json +++ b/json_schemas/aws-lambda/3.7.json @@ -139,7 +139,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -150,7 +152,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -168,7 +172,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -181,7 +187,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -192,9 +200,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/azure-functions/3.7.json b/json_schemas/azure-functions/3.7.json index 8c4378f8..66d15b39 100644 --- a/json_schemas/azure-functions/3.7.json +++ b/json_schemas/azure-functions/3.7.json @@ -49,7 +49,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { 
@@ -60,7 +62,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -85,7 +89,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -98,7 +104,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -109,9 +117,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/basic-auth/3.7.json b/json_schemas/basic-auth/3.7.json index d67e26e6..da803a97 100644 --- a/json_schemas/basic-auth/3.7.json +++ b/json_schemas/basic-auth/3.7.json @@ -17,7 +17,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -39,7 +41,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -52,7 +56,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -63,9 +69,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/bot-detection/3.7.json b/json_schemas/bot-detection/3.7.json index 0a4e686c..2233a89d 100644 --- a/json_schemas/bot-detection/3.7.json +++ b/json_schemas/bot-detection/3.7.json 
@@ -3,27 +3,37 @@ "config": { "properties": { "allow": { - "default": [], + "default": [ + + ], "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", "items": { "is_regex": true, - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "deny": { - "default": [], + "default": [ + + ], "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", "items": { "is_regex": true, - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -41,7 +51,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -54,7 +66,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -65,9 +79,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/canary/3.7.json b/json_schemas/canary/3.7.json index b7ecf25f..39072c60 100644 --- a/json_schemas/canary/3.7.json +++ b/json_schemas/canary/3.7.json @@ -15,7 +15,9 @@ "groups": { "description": "The groups allowed to access the canary release.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -74,7 +76,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "hash": { "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead.", @@ -98,7 +102,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -111,7 +117,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
@@ -122,9 +130,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/correlation-id/3.7.json b/json_schemas/correlation-id/3.7.json index a6dd6f8d..776a2f3e 100644 --- a/json_schemas/correlation-id/3.7.json +++ b/json_schemas/correlation-id/3.7.json @@ -23,7 +23,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -34,7 +36,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -52,7 +56,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -65,7 +71,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -76,9 +84,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/cors/3.7.json b/json_schemas/cors/3.7.json index d3d2518f..b0254d05 100644 --- a/json_schemas/cors/3.7.json +++ b/json_schemas/cors/3.7.json @@ -10,7 +10,9 @@ "exposed_headers": { "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -18,7 +20,9 @@ "headers": { "description": "Value for the `Access-Control-Allow-Headers` header.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -52,7 +56,9 @@ "PUT", "TRACE" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -60,7 +66,9 @@ "origins": { "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -76,7 +84,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -95,7 +105,9 @@ "https" ], "minLength": 1, - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -108,7 +120,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -119,9 +133,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/datadog/3.7.json b/json_schemas/datadog/3.7.json index f355efac..7ce5f0f9 100644 --- a/json_schemas/datadog/3.7.json +++ b/json_schemas/datadog/3.7.json @@ -13,7 +13,7 @@ }, "host": { "default": "localhost", - "description": "A string representing a host name, such as example.com.", + "description": "A string representing a host name, such as example.com.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "metrics": { @@ -75,7 +75,9 @@ "description": "List of tags", "items": { "pattern": "^.*[^:]$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -148,7 +150,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "queue_size": { @@ -170,7 +174,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -181,7 +187,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -206,7 +214,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -219,7 +229,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -230,9 +242,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/degraphql/3.7.json b/json_schemas/degraphql/3.7.json index 305dfff1..4d44acc6 100644 --- a/json_schemas/degraphql/3.7.json +++ b/json_schemas/degraphql/3.7.json @@ -8,7 +8,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -26,7 +28,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -39,7 +43,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -50,9 +56,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/exit-transformer/3.7.json b/json_schemas/exit-transformer/3.7.json index 423006b1..f65b3b1f 100644 --- a/json_schemas/exit-transformer/3.7.json +++ b/json_schemas/exit-transformer/3.7.json @@ -4,7 +4,9 @@ "properties": { "functions": { "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -20,7 +22,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -31,7 +35,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -49,7 +55,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -62,7 +70,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
@@ -73,9 +83,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/file-log/3.7.json b/json_schemas/file-log/3.7.json index 1144bb8d..7b34b71e 100644 --- a/json_schemas/file-log/3.7.json +++ b/json_schemas/file-log/3.7.json @@ -18,7 +18,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -29,7 +31,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -54,7 +58,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -67,7 +73,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -78,9 +86,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/forward-proxy/3.7.json b/json_schemas/forward-proxy/3.7.json index 800452c3..c0f4b52a 100644 --- a/json_schemas/forward-proxy/3.7.json +++ b/json_schemas/forward-proxy/3.7.json @@ -3,11 +3,11 @@ "config": { "properties": { "auth_password": { - "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "auth_username": { - "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "http_proxy_host": { 
@@ -54,7 +54,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "proxy_host": { "type": "string" @@ -73,7 +75,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -91,7 +95,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -104,7 +110,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -115,9 +123,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/graphql-proxy-cache-advanced/3.7.json b/json_schemas/graphql-proxy-cache-advanced/3.7.json index 7d98ca7d..f00b2a7d 100644 --- a/json_schemas/graphql-proxy-cache-advanced/3.7.json +++ b/json_schemas/graphql-proxy-cache-advanced/3.7.json @@ -21,7 +21,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "redis": { @@ -29,7 +31,9 @@ "cluster_addresses": { "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "minLength": 1, @@ -64,7 +68,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { 
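Review bot: In the graphql-proxy-cache-advanced hunk at `@@ -29,7 +31,9 @@`, `cluster_addresses` carries `"minLength": 1` next to `items`, while its description says the minimum length of the array is 1 element. In JSON Schema `minLength` constrains strings and is ignored for arrays, so a validator using this file would accept an empty address list; the array keyword is `"minItems": 1`. The same pattern appears on `sentinel_addresses` in this file and on both fields in graphql-rate-limiting-advanced. The field's `type` line falls outside the hunk, so this assumes it is `array`. As the schemas are pulled from the API, the fix belongs in the generator.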
@@ -88,7 +92,9 @@ "sentinel_addresses": { "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "minLength": 1, @@ -99,7 +105,7 @@ "type": "string" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -112,7 +118,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
@@ -137,11 +143,13 @@ "type": "integer" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "strategy": { @@ -156,13 +164,17 @@ "vary_headers": { "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -173,7 +185,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -191,7 +205,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -204,7 +220,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -215,9 +233,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/graphql-rate-limiting-advanced/3.7.json b/json_schemas/graphql-rate-limiting-advanced/3.7.json index 168be8f4..39ee8d45 100644 --- a/json_schemas/graphql-rate-limiting-advanced/3.7.json +++ b/json_schemas/graphql-rate-limiting-advanced/3.7.json @@ -34,7 +34,9 @@ "limit": { "description": "One or more requests-per-window limits to apply.", "items": { - "required": [], + "required": [ + + ], "type": "number" }, "type": "array" 
@@ -53,7 +55,9 @@ "cluster_addresses": { "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "minLength": 1, @@ -88,7 +92,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -112,7 +116,9 @@ "sentinel_addresses": { "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "minLength": 1, @@ -123,7 +129,7 @@ "type": "string" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { 
@@ -136,7 +142,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -161,11 +167,13 @@ "type": "integer" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "score_factor": { @@ -190,7 +198,9 @@ "window_size": { "description": "One or more window sizes to apply a limit to (defined in seconds).", "items": { - "required": [], + "required": [ + + ], "type": "number" }, "type": "array" @@ -205,7 +215,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -216,7 +228,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -234,7 +248,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -247,7 +263,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
@@ -258,9 +276,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/grpc-gateway/3.7.json b/json_schemas/grpc-gateway/3.7.json index f9b0ae1e..2ae37a8c 100644 --- a/json_schemas/grpc-gateway/3.7.json +++ b/json_schemas/grpc-gateway/3.7.json @@ -7,7 +7,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -18,7 +20,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -43,7 +47,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -56,7 +62,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -67,9 +75,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/grpc-web/3.7.json b/json_schemas/grpc-web/3.7.json index 41a21e62..31f56172 100644 --- a/json_schemas/grpc-web/3.7.json +++ b/json_schemas/grpc-web/3.7.json @@ -16,7 +16,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -27,7 +29,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -52,7 +56,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -65,7 +71,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -76,9 +84,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/hmac-auth/3.7.json b/json_schemas/hmac-auth/3.7.json index 9a65d4f2..b4b59358 100644 --- a/json_schemas/hmac-auth/3.7.json +++ b/json_schemas/hmac-auth/3.7.json 
@@ -17,7 +17,9 @@ "hmac-sha384", "hmac-sha512" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -33,10 +35,14 @@ "type": "number" }, "enforce_headers": { - "default": [], + "default": [ + + ], "description": "A list of headers that the client should at least use for HTTP signature creation.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -52,7 +58,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -74,7 +82,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -87,7 +97,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -98,9 +110,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/http-log/3.7.json b/json_schemas/http-log/3.7.json index 94995b98..f1249e24 100644 --- a/json_schemas/http-log/3.7.json +++ b/json_schemas/http-log/3.7.json @@ -91,7 +91,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "queue_size": { @@ -108,7 +110,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -119,7 +123,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -144,7 +150,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -157,7 +165,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -168,9 +178,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ip-restriction/3.7.json b/json_schemas/ip-restriction/3.7.json index 00e778e7..83800949 100644 
--- a/json_schemas/ip-restriction/3.7.json +++ b/json_schemas/ip-restriction/3.7.json @@ -6,7 +6,9 @@ "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", "items": { "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -15,7 +17,9 @@ "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", "items": { "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -29,7 +33,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -40,7 +46,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -51,7 +59,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -78,7 +88,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -91,7 +103,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -102,9 +116,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/jq/3.7.json b/json_schemas/jq/3.7.json index 562724b3..7a686c75 100644 --- a/json_schemas/jq/3.7.json +++ b/json_schemas/jq/3.7.json @@ -7,7 +7,9 @@ "application/json" ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -38,7 +40,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "response_if_media_type": { 
@@ -46,7 +50,9 @@ "application/json" ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -58,7 +64,9 @@ "items": { "maximum": 599, "minimum": 100, - "required": [], + "required": [ + + ], "type": "integer" }, "type": "array" @@ -89,11 +97,15 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -104,7 +116,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -122,7 +136,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -135,7 +151,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -146,9 +164,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/jwe-decrypt/3.7.json b/json_schemas/jwe-decrypt/3.7.json index dd09fa60..019e6fb1 100644 --- a/json_schemas/jwe-decrypt/3.7.json +++ b/json_schemas/jwe-decrypt/3.7.json @@ -10,7 +10,9 @@ "key_sets": { "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -26,7 +28,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -44,7 +48,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -57,7 +63,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -68,9 +76,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file 
diff --git a/json_schemas/jwt-signer/3.7.json b/json_schemas/jwt-signer/3.7.json index 3be7f441..d6619d16 100644 --- a/json_schemas/jwt-signer/3.7.json +++ b/json_schemas/jwt-signer/3.7.json @@ -14,7 +14,9 @@ "id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -22,7 +24,9 @@ "access_token_consumer_claim": { "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -47,7 +51,9 @@ "id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -55,7 +61,9 @@ "access_token_introspection_consumer_claim": { "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -72,7 +80,9 @@ "access_token_introspection_jwt_claim": { "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -88,7 +98,9 @@ ], "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -96,7 +108,9 @@ "access_token_introspection_scopes_required": { "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -123,7 +137,7 @@ "type": "string" }, "access_token_jwks_uri_client_username": { - "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`", + "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "access_token_jwks_uri_rotate_period": { 
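Review bot: Hunk `@@ -123,7 +137,7 @@` adds the vault-reference sentence to `access_token_jwks_uri_client_username`, but the paired `access_token_jwks_uri_client_password` entry is outside the hunk and appears untouched by this commit. It is worth confirming that the password, the more sensitive half of the pair, already carries the same note. The added sentence also follows "...`access_token_jwks_uri_client_password`" with no full stop before the `\n`. Both points apply equally to the keyset and channel-token `*_client_username` hunks below. Separately, the context line in `@@ -88,7 +98,9 @@` reads "hich can be given" where "which" is meant.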
@@ -145,7 +159,7 @@ "type": "string" }, "access_token_keyset_client_username": { - "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`", + "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "access_token_keyset_rotate_period": { @@ -174,7 +188,9 @@ ], "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -182,7 +198,9 @@ "access_token_scopes_required": { "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -253,7 +271,9 @@ "id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -261,7 +281,9 @@ "channel_token_consumer_claim": { "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -269,7 +291,9 @@ "channel_token_introspection_authorization": { "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "string" @@ -277,7 +301,9 @@ "channel_token_introspection_body_args": { "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "string" @@ -294,7 +320,9 @@ "id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -302,7 +330,9 @@ "channel_token_introspection_consumer_claim": { "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -314,7 +344,9 @@ "channel_token_introspection_hint": { "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "string" 
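Review bot: `channel_token_introspection_authorization` (hunk `@@ -269,7 +291,9 @@`) declares `"type": "string"` yet keeps an `items` subschema, which has no effect on a string. Its description is the text about specifying the introspection endpoint URI, not a description of an authorization value. `channel_token_introspection_body_args` and `channel_token_introspection_hint` have the same `items`-under-string shape. If this field holds the credential sent to the introspection endpoint, which the name suggests but the hunk does not show, it would also be a candidate for the vault-reference sentence this commit adds to the `*_client_username` fields. The files are generated, so the correction belongs in the source schema.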
@@ -322,7 +354,9 @@ "channel_token_introspection_jwt_claim": { "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -338,7 +372,9 @@ ], "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -346,7 +382,9 @@ "channel_token_introspection_scopes_required": { "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -373,7 +411,7 @@ "type": "string" }, "channel_token_jwks_uri_client_username": { - "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", + "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "channel_token_jwks_uri_rotate_period": { 
@@ -395,7 +433,7 @@ "type": "string" }, "channel_token_keyset_client_username": { - "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`", + "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "channel_token_keyset_rotate_period": { @@ -423,7 +461,9 @@ ], "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -431,7 +471,9 @@ "channel_token_scopes_required": { "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -497,19 +539,27 @@ "type": "string" }, "remove_access_token_claims": { - "default": [], + "default": [ + + ], "description": "remove claims. It should be an array, and each element is a claim key string.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "remove_channel_token_claims": { - "default": [], + "default": [ + + ], "description": "remove claims. It should be an array, and each element is a claim key string.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -589,7 +639,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -607,7 +659,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -620,7 +674,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -631,9 +687,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/jwt/3.7.json b/json_schemas/jwt/3.7.json index d94b4103..0353cf17 100644 --- a/json_schemas/jwt/3.7.json +++ b/json_schemas/jwt/3.7.json @@ -13,16 +13,22 @@ "exp", "nbf" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "cookie_names": { - "default": [], + "default": [ + + ], "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -33,7 +39,9 @@ ], "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -66,13 +74,17 @@ ], "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -90,7 +102,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -103,7 +117,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -114,9 +130,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/kafka-log/3.7.json b/json_schemas/kafka-log/3.7.json index 03450b52..3cc3b73a 100644 --- a/json_schemas/kafka-log/3.7.json +++ b/json_schemas/kafka-log/3.7.json 
@@ -33,7 +33,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "bootstrap_servers": { @@ -138,7 +140,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "timeout": { @@ -151,7 +155,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -162,7 +168,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -184,7 +192,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -197,7 +207,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -208,9 +220,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/kafka-upstream/3.7.json b/json_schemas/kafka-upstream/3.7.json index 28be0e0e..4fa1cc92 100644 --- a/json_schemas/kafka-upstream/3.7.json +++ b/json_schemas/kafka-upstream/3.7.json @@ -33,7 +33,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "bootstrap_servers": { @@ -154,7 +156,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "timeout": { @@ -167,7 +171,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -178,7 +184,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -196,7 +204,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -209,7 +219,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -220,9 +232,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file 
diff --git a/json_schemas/key-auth-enc/3.7.json b/json_schemas/key-auth-enc/3.7.json index c5bdb71f..4feac78a 100644 --- a/json_schemas/key-auth-enc/3.7.json +++ b/json_schemas/key-auth-enc/3.7.json @@ -33,7 +33,9 @@ "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "items": { "description": "A string representing an HTTP header name.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -44,7 +46,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -66,7 +70,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -79,7 +85,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -90,9 +98,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/key-auth/3.7.json b/json_schemas/key-auth/3.7.json index 42a51f9a..a37eb540 100644 --- a/json_schemas/key-auth/3.7.json +++ b/json_schemas/key-auth/3.7.json @@ -33,7 +33,9 @@ "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "items": { "description": "A string representing an HTTP header name.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -48,7 +50,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -70,7 +74,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -83,7 +89,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -94,9 +102,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/konnect-application-auth/3.7.json b/json_schemas/konnect-application-auth/3.7.json index c142c978..640075ea 100644 --- a/json_schemas/konnect-application-auth/3.7.json +++ b/json_schemas/konnect-application-auth/3.7.json @@ -19,7 +19,9 @@ "description": "The names of the headers containing the API key. You can specify multiple header names.", "items": { "description": "A string representing an HTTP header name.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -44,13 +46,17 @@ "description": "The names of the headers containing the API key. You can specify multiple header names.", "items": { "description": "A string representing an HTTP header name.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "strategy_id": { @@ -80,7 +86,9 @@ "audience": { "description": "The audience passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -91,7 +99,9 @@ ], "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -99,7 +109,9 @@ "audience_required": { "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -129,7 +141,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -137,7 +151,9 @@ "authenticated_groups_claim": { "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -183,7 +199,9 @@ "authorization_query_args_client": { "description": "Extra query arguments passed from the client to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -191,7 +209,9 @@ "authorization_query_args_names": { "description": "Extra query argument names passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -199,7 +219,9 @@ "authorization_query_args_values": { "description": "Extra query argument values passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -227,7 +249,9 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -300,7 +324,9 @@ "RS384", "RS512" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -322,7 +348,9 @@ "self_signed_tls_client_auth", "tls_client_auth" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -340,7 +368,9 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -348,7 +378,10 @@ "client_id": { "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -364,12 +397,15 @@ "type": "string" }, "d": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dp": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dq": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "e": { @@ -379,11 +415,14 @@ "type": "string" }, "k": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "key_ops": { "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -398,21 +437,27 @@ "type": "string" }, "oth": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "p": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "q": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "qi": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "r": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "t": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "use": { @@ -423,7 +468,9 @@ }, "x5c": { "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -441,7 +488,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "type": "array" @@ -449,7 +498,10 @@ "client_secret": { "description": "The client secret.", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -466,7 +518,9 @@ "id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -474,7 +528,9 @@ "consumer_claim": { "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -490,7 +546,9 @@ ], "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -509,7 +567,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -517,7 +577,9 @@ "discovery_headers_names": { "description": "Extra header names passed to the discovery endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -525,7 +587,9 @@ "discovery_headers_values": { "description": "Extra header values passed to the discovery endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -538,7 +602,9 @@ "domains": { "description": "The allowed values for the `hd` claim.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -554,7 +620,9 @@ "downstream_headers_claims": { "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -562,7 +630,9 @@ "downstream_headers_names": { "description": "The downstream header names for the claim values.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -627,7 +697,9 @@ "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -646,7 +718,9 @@ "description": "Where to redirect the client on forbidden requests.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -657,7 +731,9 @@ ], "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -665,7 +741,9 @@ "groups_required": { "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -713,13 +791,17 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ignore_signature": { - "default": [], + "default": [ + + ], "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", "items": { "enum": [ @@ -731,7 +813,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -776,7 +860,9 @@ "introspection_headers_client": { "description": "Extra headers passed from the client to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -784,7 +870,9 @@ "introspection_headers_names": { "description": "Extra header names passed to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -792,7 +880,10 @@ "introspection_headers_values": { "description": "Extra header values passed to the introspection endpoint.", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -805,7 +896,9 @@ "introspection_post_args_client": { "description": "Extra post arguments passed from the client to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -813,7 +906,9 @@ "introspection_post_args_names": { "description": "Extra post argument names passed to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -821,7 +916,9 @@ "introspection_post_args_values": { "description": "Extra post argument values passed to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -838,7 +935,9 @@ "issuers_allowed": { "description": "The issuers allowed to be present in the tokens (`iss` claim).", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -889,7 +988,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
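Review bot: In konnect-application-auth/3.7.json only `introspection_headers_values` receives the referenceable note (hunk at -792). The sibling `token_headers_values`, `userinfo_headers_values`, `discovery_headers_values`, `introspection_post_args_values` and `token_post_args_values` are touched by the same commit but only have their `required` array re-wrapped, even though extra header and post-argument values sent to an identity provider are a likely place for credentials. If the gateway's plugin schema does treat those fields as referenceable, their `items` should carry the same line, `"description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault)."`. If it does not, such values presumably have to be written literally in the plugin configuration, which is worth stating in the field descriptions. These files appear to be generated from the gateway's schemas, so the change most likely belongs in that source rather than in this JSON.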
@@ -906,8 +1007,10 @@ "login_redirect_uri": { "description": "Where to redirect the client when `login_action` is set to `redirect`.", "items": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -925,7 +1028,9 @@ "refresh_token", "tokens" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -942,7 +1047,9 @@ "GET", "POST" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -958,8 +1065,10 @@ "logout_redirect_uri": { "description": "Where to redirect the client after the logout.", "items": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -1016,7 +1125,9 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1072,7 +1183,9 @@ "description": "The redirect URI passed to the authorization and token endpoints.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1099,7 +1212,9 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -1146,7 +1261,9 @@ ], "description": "The response type passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1184,7 +1301,9 @@ ], "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1192,7 +1311,9 @@ "roles_required": { "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1208,7 +1329,10 @@ ], "description": "The scopes passed to the authorization and token endpoints.", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -1219,7 +1343,9 @@ ], "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1227,7 +1353,9 @@ "scopes_required": { "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1342,7 +1470,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "type": "array" 
@@ -1398,7 +1528,7 @@ "type": "boolean" }, "session_redis_username": { - "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "session_remember": { @@ -1433,7 +1563,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1450,7 +1582,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1529,7 +1663,9 @@ "token_headers_client": { "description": "Extra headers passed from the client to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1543,7 +1679,9 @@ "password", "refresh_token" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1551,7 +1689,9 @@ "token_headers_names": { "description": "Extra header names passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1563,7 +1703,9 @@ "token_headers_replay": { "description": "The names of token endpoint response headers to forward to the downstream client.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -1571,7 +1713,9 @@ "token_headers_values": { "description": "Extra header values passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1579,7 +1723,9 @@ "token_post_args_client": { "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1587,7 +1733,9 @@ "token_post_args_names": { "description": "Extra post argument names passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1595,7 +1743,9 @@ "token_post_args_values": { "description": "Extra post argument values passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1614,7 +1764,9 @@ "description": "Where to redirect the client on unauthorized requests.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1623,7 +1775,9 @@ "description": "Where to redirect the client when unexpected errors happen with the requests.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -1640,7 +1794,9 @@ "upstream_headers_claims": { "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1648,7 +1804,9 @@ "upstream_headers_names": { "description": "The upstream header names for the claim values.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1701,7 +1859,9 @@ "userinfo_headers_client": { "description": "Extra headers passed from the client to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1709,7 +1869,9 @@ "userinfo_headers_names": { "description": "Extra header names passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1717,7 +1879,9 @@ "userinfo_headers_values": { "description": "Extra header values passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1725,7 +1889,9 @@ "userinfo_query_args_client": { "description": "Extra query arguments passed from the client to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1733,7 +1899,9 @@ "userinfo_query_args_names": { "description": "Extra query argument names passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1741,7 +1909,9 @@ "userinfo_query_args_values": { "description": "Extra query argument values passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1790,11 +1960,15 @@ "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -1812,7 +1986,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1825,7 +2001,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -1836,9 +2014,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ldap-auth-advanced/3.7.json b/json_schemas/ldap-auth-advanced/3.7.json index 2d5fdb43..d84a3b6c 100644 --- a/json_schemas/ldap-auth-advanced/3.7.json +++ b/json_schemas/ldap-auth-advanced/3.7.json @@ -36,7 +36,9 @@ "custom_id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -62,7 +64,9 @@ "groups_required": { "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -121,7 +125,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -143,7 +149,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -156,7 +164,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -167,9 +177,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ldap-auth/3.7.json b/json_schemas/ldap-auth/3.7.json index dc78488a..be31c67d 100644 --- a/json_schemas/ldap-auth/3.7.json 
+++ b/json_schemas/ldap-auth/3.7.json @@ -66,7 +66,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -88,7 +90,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -101,7 +105,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -112,9 +118,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/loggly/3.7.json b/json_schemas/loggly/3.7.json index 5c5621cc..7a26a98b 100644 --- a/json_schemas/loggly/3.7.json +++ b/json_schemas/loggly/3.7.json @@ -27,6 +27,7 @@ "type": "string" }, "key": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "log_level": { @@ -83,7 +84,9 @@ "kong" ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -93,7 +96,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -104,7 +109,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -129,7 +136,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -142,7 +151,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -153,9 +164,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/mocking/3.7.json b/json_schemas/mocking/3.7.json index ef0dfd5c..ceb3d3a9 100644 --- a/json_schemas/mocking/3.7.json +++ b/json_schemas/mocking/3.7.json 
@@ -22,7 +22,9 @@ "included_status_codes": { "description": "A global list of the HTTP status codes that can only be selected and returned.", "items": { - "required": [], + "required": [ + + ], "type": "integer" }, "type": "array" @@ -53,7 +55,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -64,7 +68,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -82,7 +88,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -95,7 +103,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -106,9 +116,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/mtls-auth/3.7.json b/json_schemas/mtls-auth/3.7.json index e2d663a5..910e220b 100644 --- a/json_schemas/mtls-auth/3.7.json +++ b/json_schemas/mtls-auth/3.7.json @@ -23,7 +23,9 @@ "ca_certificates": { "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", "items": { - "required": [], + "required": [ + + ], "type": "string", "uuid": true }, @@ -50,7 +52,9 @@ "custom_id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -105,7 +109,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -123,7 +129,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -136,7 +144,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
@@ -147,9 +157,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/oas-validation/3.7.json b/json_schemas/oas-validation/3.7.json index a73a7a5d..1e421781 100644 --- a/json_schemas/oas-validation/3.7.json +++ b/json_schemas/oas-validation/3.7.json @@ -76,7 +76,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -87,7 +89,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -105,7 +109,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -118,7 +124,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -129,9 +137,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/oauth2-introspection/3.7.json b/json_schemas/oauth2-introspection/3.7.json index 5b600229..64bc7359 100644 --- a/json_schemas/oauth2-introspection/3.7.json +++ b/json_schemas/oauth2-introspection/3.7.json @@ -22,10 +22,14 @@ "type": "string" }, "custom_claims_forward": { - "default": [], + "default": [ + + ], "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -74,7 +78,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -92,7 +98,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -105,7 +113,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
@@ -116,9 +126,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/oauth2/3.7.json b/json_schemas/oauth2/3.7.json index cd4abae2..34faf0bb 100644 --- a/json_schemas/oauth2/3.7.json +++ b/json_schemas/oauth2/3.7.json @@ -84,7 +84,9 @@ "scopes": { "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -95,7 +97,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -117,7 +121,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -130,7 +136,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -141,9 +149,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/opa/3.7.json b/json_schemas/opa/3.7.json index 60c4b8fc..58dc36d0 100644 --- a/json_schemas/opa/3.7.json +++ b/json_schemas/opa/3.7.json @@ -62,7 +62,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -80,7 +82,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -93,7 +97,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -104,9 +110,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/openid-connect/3.7.json b/json_schemas/openid-connect/3.7.json index 7b5543c6..18ca4453 100644 --- a/json_schemas/openid-connect/3.7.json 
+++ b/json_schemas/openid-connect/3.7.json @@ -9,7 +9,9 @@ "audience": { "description": "The audience passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -20,7 +22,9 @@ ], "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -28,7 +32,9 @@ "audience_required": { "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -58,7 +64,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -66,7 +74,9 @@ "authenticated_groups_claim": { "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -112,7 +122,9 @@ "authorization_query_args_client": { "description": "Extra query arguments passed from the client to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -120,7 +132,9 @@ "authorization_query_args_names": { "description": "Extra query argument names passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -128,7 +142,9 @@ "authorization_query_args_values": { "description": "Extra query argument values passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -156,7 +172,9 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -229,7 +247,9 @@ "RS384", "RS512" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -251,7 +271,9 @@ "self_signed_tls_client_auth", "tls_client_auth" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -269,7 +291,9 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -277,7 +301,10 @@ "client_id": { "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -293,12 +320,15 @@ "type": "string" }, "d": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dp": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dq": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "e": { @@ -308,11 +338,14 @@ "type": "string" }, "k": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "key_ops": { "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -327,21 +360,27 @@ "type": "string" }, "oth": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "p": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "q": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "qi": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "r": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "t": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "use": { @@ -352,7 +391,9 @@ }, "x5c": { "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -370,7 +411,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "type": "array" @@ -378,7 +421,10 @@ "client_secret": { "description": "The client secret.", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -395,7 +441,9 @@ "id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -403,7 +451,9 @@ "consumer_claim": { "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -419,7 +469,9 @@ ], "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -438,7 +490,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -446,7 +500,9 @@ "discovery_headers_names": { "description": "Extra header names passed to the discovery endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -454,7 +510,9 @@ "discovery_headers_values": { "description": "Extra header values passed to the discovery endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -467,7 +525,9 @@ "domains": { "description": "The allowed values for the `hd` claim.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -483,7 +543,9 @@ "downstream_headers_claims": { "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -491,7 +553,9 @@ "downstream_headers_names": { "description": "The downstream header names for the claim values.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -556,7 +620,9 @@ "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -575,7 +641,9 @@ "description": "Where to redirect the client on forbidden requests.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -586,7 +654,9 @@ ], "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -594,7 +664,9 @@ "groups_required": { "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -642,13 +714,17 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ignore_signature": { - "default": [], + "default": [ + + ], "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", "items": { "enum": [ @@ -660,7 +736,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -705,7 +783,9 @@ "introspection_headers_client": { "description": "Extra headers passed from the client to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -713,7 +793,9 @@ "introspection_headers_names": { "description": "Extra header names passed to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -721,7 +803,10 @@ "introspection_headers_values": { "description": "Extra header values passed to the introspection endpoint.", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -734,7 +819,9 @@ "introspection_post_args_client": { "description": "Extra post arguments passed from the client to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -742,7 +829,9 @@ "introspection_post_args_names": { "description": "Extra post argument names passed to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -750,7 +839,9 @@ "introspection_post_args_values": { "description": "Extra post argument values passed to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -767,7 +858,9 @@ "issuers_allowed": { "description": "The issuers allowed to be present in the tokens (`iss` claim).", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -818,7 +911,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
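Review bot: The vault-reference sentence is added to the items of `introspection_headers_values` in the `@@ -721,7 +803,10 @@` hunk, but sibling fields that carry the same kind of data do not get it. `introspection_post_args_values` just below, `discovery_headers_values` earlier in the file, and `token_headers_values`, `token_post_args_values` and `userinfo_headers_values` later all keep a bare `items` block. Header and post-argument values sent to an identity provider can hold credentials, so an operator reading the schema cannot tell whether those fields accept a vault reference or must hold the value in plain configuration. These files appear to be generated, so the check belongs upstream: confirm whether the plugin schema really treats only the introspection header values as referenceable, and if not, regenerate so each of those `items` blocks carries the same `description`.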
@@ -835,8 +930,10 @@ "login_redirect_uri": { "description": "Where to redirect the client when `login_action` is set to `redirect`.", "items": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -854,7 +951,9 @@ "refresh_token", "tokens" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -871,7 +970,9 @@ "GET", "POST" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -887,8 +988,10 @@ "logout_redirect_uri": { "description": "Where to redirect the client after the logout.", "items": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -945,7 +1048,9 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1001,7 +1106,9 @@ "description": "The redirect URI passed to the authorization and token endpoints.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1028,7 +1135,9 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -1075,7 +1184,9 @@ ], "description": "The response type passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1113,7 +1224,9 @@ ], "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1121,7 +1234,9 @@ "roles_required": { "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1137,7 +1252,10 @@ ], "description": "The scopes passed to the authorization and token endpoints.", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -1148,7 +1266,9 @@ ], "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1156,7 +1276,9 @@ "scopes_required": { "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1271,7 +1393,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "type": "array" 
@@ -1327,7 +1451,7 @@ "type": "boolean" }, "session_redis_username": { - "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "session_remember": { @@ -1362,7 +1486,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1379,7 +1505,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1458,7 +1586,9 @@ "token_headers_client": { "description": "Extra headers passed from the client to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1472,7 +1602,9 @@ "password", "refresh_token" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1480,7 +1612,9 @@ "token_headers_names": { "description": "Extra header names passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1492,7 +1626,9 @@ "token_headers_replay": { "description": "The names of token endpoint response headers to forward to the downstream client.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -1500,7 +1636,9 @@ "token_headers_values": { "description": "Extra header values passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1508,7 +1646,9 @@ "token_post_args_client": { "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1516,7 +1656,9 @@ "token_post_args_names": { "description": "Extra post argument names passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1524,7 +1666,9 @@ "token_post_args_values": { "description": "Extra post argument values passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1543,7 +1687,9 @@ "description": "Where to redirect the client on unauthorized requests.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1552,7 +1698,9 @@ "description": "Where to redirect the client when unexpected errors happen with the requests.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -1569,7 +1717,9 @@ "upstream_headers_claims": { "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1577,7 +1727,9 @@ "upstream_headers_names": { "description": "The upstream header names for the claim values.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1630,7 +1782,9 @@ "userinfo_headers_client": { "description": "Extra headers passed from the client to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1638,7 +1792,9 @@ "userinfo_headers_names": { "description": "Extra header names passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1646,7 +1802,9 @@ "userinfo_headers_values": { "description": "Extra header values passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1654,7 +1812,9 @@ "userinfo_query_args_client": { "description": "Extra query arguments passed from the client to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1662,7 +1822,9 @@ "userinfo_query_args_names": { "description": "Extra query argument names passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1670,7 +1832,9 @@ "userinfo_query_args_values": { "description": "Extra query argument values passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1701,7 +1865,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "authorization_cookie_httponly": { "type": "boolean" 
@@ -1769,7 +1935,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1782,7 +1950,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -1793,9 +1963,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/opentelemetry/3.7.json b/json_schemas/opentelemetry/3.7.json index 5b19a1c1..5995c91b 100644 --- a/json_schemas/opentelemetry/3.7.json +++ b/json_schemas/opentelemetry/3.7.json @@ -18,7 +18,7 @@ "type": "integer" }, "endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_type": { @@ -53,7 +53,9 @@ "clear": { "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -84,7 +86,9 @@ "ot", "w3c" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -103,7 +107,9 @@ "preserve", "w3c" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -164,7 +170,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "read_timeout": { @@ -192,7 +200,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { 
@@ -203,7 +213,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -221,7 +233,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -234,7 +248,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -245,9 +261,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/post-function/3.7.json b/json_schemas/post-function/3.7.json index 33806f8a..fda803ac 100644 --- a/json_schemas/post-function/3.7.json +++ b/json_schemas/post-function/3.7.json 
@@ -3,87 +3,129 @@ "config": { "properties": { "access": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "body_filter": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "certificate": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "header_filter": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "log": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "rewrite": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_client_frame": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_close": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_handshake": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_upstream_frame": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -108,7 +150,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -121,7 +165,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -132,9 +178,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file 
diff --git a/json_schemas/pre-function/3.7.json b/json_schemas/pre-function/3.7.json index 33806f8a..fda803ac 100644 --- a/json_schemas/pre-function/3.7.json +++ b/json_schemas/pre-function/3.7.json @@ -3,87 +3,129 @@ "config": { "properties": { "access": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "body_filter": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "certificate": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "header_filter": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "log": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "rewrite": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_client_frame": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_close": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_handshake": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_upstream_frame": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -108,7 +150,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -121,7 +165,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -132,9 +178,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/prometheus/3.7.json b/json_schemas/prometheus/3.7.json index 278323fc..543bef23 100644 --- a/json_schemas/prometheus/3.7.json +++ b/json_schemas/prometheus/3.7.json @@ -28,7 +28,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -39,7 +41,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -64,7 +68,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -77,7 +83,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -88,9 +96,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/proxy-cache-advanced/3.7.json b/json_schemas/proxy-cache-advanced/3.7.json index 2fb2192c..c7c15c2d 100644 --- a/json_schemas/proxy-cache-advanced/3.7.json +++ b/json_schemas/proxy-cache-advanced/3.7.json @@ -25,7 +25,9 @@ ], "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -43,7 +45,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "redis": { 
@@ -51,7 +55,9 @@ "cluster_addresses": { "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "minLength": 1, @@ -86,7 +92,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -110,7 +116,9 @@ "sentinel_addresses": { "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "minLength": 1, @@ -121,7 +129,7 @@ "type": "string" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { 
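Review bot: `"minLength": 1` sits next to `items` on `cluster_addresses` and `sentinel_addresses`, whose descriptions say "The minimum length of the array is 1 element". In JSON Schema `minLength` constrains strings only, so a validator driven by this schema accepts an empty address list; the keyword that enforces the stated rule is `"minItems": 1`. The same pattern appears on `response_code` in this file and in proxy-cache, and on the Redis address lists in rate-limiting-advanced. These are context lines the commit does not change, and the files look generated, so the fix likely belongs in whatever emits the schemas. The `type` of these properties falls outside the hunks and is presumably `array`.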
@@ -134,7 +142,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -159,11 +167,13 @@ "type": "integer" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "request_method": { @@ -180,7 +190,9 @@ "POST", "PUT" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -195,7 +207,9 @@ "items": { "maximum": 900, "minimum": 100, - "required": [], + "required": [ + + ], "type": "integer" }, "minLength": 1, @@ -217,7 +231,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "storage_ttl": { @@ -235,7 +251,9 @@ "vary_headers": { "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -243,13 +261,17 @@ "vary_query_params": { "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -260,7 +282,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -271,7 +295,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -289,7 +315,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -302,7 +330,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -313,9 +343,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/proxy-cache/3.7.json b/json_schemas/proxy-cache/3.7.json index d0b32ca7..c2f2d7c7 100644 --- a/json_schemas/proxy-cache/3.7.json +++ b/json_schemas/proxy-cache/3.7.json @@ -20,7 +20,9 @@ ], "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -37,7 +39,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "request_method": { @@ -54,7 +58,9 @@ "POST", "PUT" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -69,7 +75,9 @@ "items": { "maximum": 900, "minimum": 100, - "required": [], + "required": [ + + ], "type": "integer" }, "minLength": 1, @@ -91,7 +99,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "storage_ttl": { 
@@ -108,7 +118,9 @@ "vary_headers": { "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -116,13 +128,17 @@ "vary_query_params": { "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -133,7 +149,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -144,7 +162,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -169,7 +189,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -182,7 +204,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -193,9 +217,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/rate-limiting-advanced/3.7.json b/json_schemas/rate-limiting-advanced/3.7.json index e0c10f30..388bd475 100644 --- a/json_schemas/rate-limiting-advanced/3.7.json +++ b/json_schemas/rate-limiting-advanced/3.7.json @@ -5,7 +5,9 @@ "consumer_groups": { "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -62,7 +64,9 @@ "limit": { "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", "items": { - "required": [], + "required": [ + + ], "type": "number" }, "type": "array" @@ -80,7 +84,9 @@ "cluster_addresses": { "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Cluster. Each string element must be a hostname. The minimum length of the array is 1 element.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "minLength": 1, @@ -115,7 +121,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -139,7 +145,9 @@ "sentinel_addresses": { "description": "Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must be a hostname. The minimum length of the array is 1 element.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "minLength": 1, @@ -150,7 +158,7 @@ "type": "string" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { 
@@ -163,7 +171,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -188,11 +196,13 @@ "type": "integer" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "retry_after_jitter_max": { @@ -217,7 +227,9 @@ "window_size": { "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", "items": { - "required": [], + "required": [ + + ], "type": "number" }, "type": "array" @@ -232,7 +244,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -243,7 +257,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -254,7 +270,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -272,7 +290,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -285,7 +305,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -296,9 +318,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/rate-limiting/3.7.json b/json_schemas/rate-limiting/3.7.json index aef90ea0..7335a799 100644 --- a/json_schemas/rate-limiting/3.7.json +++ b/json_schemas/rate-limiting/3.7.json @@ -126,7 +126,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "second": { @@ -145,7 +147,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "redis_database": { "translate_backwards": [ @@ -222,7 +226,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -233,7 +239,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -251,7 +259,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -264,7 +274,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -275,9 +287,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/request-size-limiting/3.7.json b/json_schemas/request-size-limiting/3.7.json index 3d4e9633..5259ed13 100644 --- a/json_schemas/request-size-limiting/3.7.json +++ b/json_schemas/request-size-limiting/3.7.json @@ -23,7 +23,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -34,7 +36,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -52,7 +56,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -65,7 +71,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -76,9 +84,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/request-termination/3.7.json b/json_schemas/request-termination/3.7.json index 96110caf..b9c25a41 100644 --- a/json_schemas/request-termination/3.7.json +++ b/json_schemas/request-termination/3.7.json @@ -31,7 +31,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -42,7 +44,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -53,7 +57,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -71,7 +77,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -84,7 +92,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -95,9 +105,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/request-transformer-advanced/3.7.json b/json_schemas/request-transformer-advanced/3.7.json index b7a77c42..f2a4a54a 100644 --- a/json_schemas/request-transformer-advanced/3.7.json +++ b/json_schemas/request-transformer-advanced/3.7.json 
@@ -5,100 +5,146 @@ "add": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "items": { "enum": [ "boolean", "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "allow": { "properties": { "body": { "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "append": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "items": { "enum": [ "boolean", "number", "string" ], - "required": [], + "required": [ + + ], "type": 
"string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "dots_in_keys": { 
@@ -114,98 +160,148 @@ "remove": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "rename": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "replace": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, 
"json_types": { - "default": [], + "default": [ + + ], "items": { "enum": [ "boolean", "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -214,11 +310,15 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -229,7 +329,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -240,7 +342,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -258,7 +362,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -271,7 +377,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -282,9 +390,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/request-transformer/3.7.json b/json_schemas/request-transformer/3.7.json index 8a4551c8..ce375bb6 100644 --- a/json_schemas/request-transformer/3.7.json +++ b/json_schemas/request-transformer/3.7.json 
@@ -5,63 +5,91 @@ "add": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "append": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "http_method": { 
@@ -72,87 +100,127 @@ "remove": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "rename": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "replace": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -161,11 +229,15 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -176,7 +248,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -187,7 +261,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -212,7 +288,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -225,7 +303,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -236,9 +316,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/request-validator/3.7.json b/json_schemas/request-validator/3.7.json index 5da7629d..71fb676d 100644 --- a/json_schemas/request-validator/3.7.json +++ b/json_schemas/request-validator/3.7.json @@ -8,7 +8,9 @@ ], "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -89,7 +91,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -100,7 +104,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -118,7 +124,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -131,7 +139,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -142,9 +152,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/response-ratelimiting/3.7.json b/json_schemas/response-ratelimiting/3.7.json index 6b390f52..8fe18405 100644 --- a/json_schemas/response-ratelimiting/3.7.json +++ b/json_schemas/response-ratelimiting/3.7.json @@ -98,11 +98,15 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "redis_database": { "translate_backwards": [ 
@@ -179,7 +183,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -197,7 +203,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -210,7 +218,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -221,9 +231,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/response-transformer-advanced/3.7.json b/json_schemas/response-transformer-advanced/3.7.json index e5c923b4..251e8dc2 100644 --- a/json_schemas/response-transformer-advanced/3.7.json +++ b/json_schemas/response-transformer-advanced/3.7.json 
@@ -5,100 +5,140 @@ "add": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "if_status": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "items": { "enum": [ "boolean", "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "allow": { "properties": { "json": { "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "append": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "if_status": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "items": { "enum": [ "boolean", "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "dots_in_keys": { 
@@ -109,54 +149,78 @@ "remove": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "if_status": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "rename": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "if_status": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "replace": { 
@@ -166,78 +230,112 @@ "type": "string" }, "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "if_status": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "items": { "enum": [ "boolean", "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "transform": { "properties": { "functions": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "if_status": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -248,7 +346,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -259,7 +359,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -277,7 +379,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -290,7 +394,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -301,9 +407,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file 
diff --git a/json_schemas/response-transformer/3.7.json b/json_schemas/response-transformer/3.7.json index 5af6f89e..5ef1b874 100644 --- a/json_schemas/response-transformer/3.7.json +++ b/json_schemas/response-transformer/3.7.json @@ -5,25 +5,35 @@ "add": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "items": { "enum": [ @@ -31,37 +41,51 @@ "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "append": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "items": { "enum": [ 
@@ -69,74 +93,104 @@ "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "remove": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "rename": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "replace": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "items": { "enum": [ @@ -144,17 +198,23 @@ "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -165,7 +225,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -176,7 +238,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -194,7 +258,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -207,7 +273,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -218,9 +286,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/route-by-header/3.7.json b/json_schemas/route-by-header/3.7.json index 2e8bace4..308bac74 100644 --- a/json_schemas/route-by-header/3.7.json +++ b/json_schemas/route-by-header/3.7.json @@ -3,7 +3,9 @@ "config": { "properties": { "rules": { - "default": [], + "default": [ + + ], "description": "Route by header rules.", "items": { "properties": { @@ -25,7 +27,9 @@ "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -36,7 +40,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -54,7 +60,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -67,7 +75,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -78,9 +88,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/route-transformer-advanced/3.7.json b/json_schemas/route-transformer-advanced/3.7.json index 759d3aa2..55afb37a 100644 --- a/json_schemas/route-transformer-advanced/3.7.json +++ b/json_schemas/route-transformer-advanced/3.7.json @@ -16,7 +16,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -27,7 +29,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -45,7 +49,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -58,7 +64,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -69,9 +77,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/saml/3.7.json b/json_schemas/saml/3.7.json index 4d9e1c85..1a9c27ca 100644 --- a/json_schemas/saml/3.7.json +++ b/json_schemas/saml/3.7.json @@ -188,7 +188,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "type": "array" @@ -278,7 +280,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -294,7 +298,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -333,7 +339,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "session_auth_ttl": { "type": "number" @@ -395,7 +403,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -408,7 +418,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -419,9 +431,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/session/3.7.json b/json_schemas/session/3.7.json index 14760087..424479e9 100644 --- a/json_schemas/session/3.7.json +++ b/json_schemas/session/3.7.json @@ -64,7 +64,9 @@ "GET", "POST" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -115,7 +117,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -132,7 +136,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -162,7 +168,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cookie_discard": { "type": "number" @@ -210,7 +218,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -223,7 +233,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -234,9 +246,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/statsd-advanced/3.7.json b/json_schemas/statsd-advanced/3.7.json index 5788dbfe..3495f1a3 100644 --- a/json_schemas/statsd-advanced/3.7.json +++ b/json_schemas/statsd-advanced/3.7.json @@ -6,7 +6,9 @@ "description": "List of status code ranges that are allowed to be logged in metrics.", "items": { "pattern": "^[0-9]+-[0-9]+$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -169,7 +171,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service_identifier_default": { @@ -205,7 +209,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -216,7 +222,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -241,7 +249,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -254,7 +264,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -265,9 +277,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/statsd/3.7.json b/json_schemas/statsd/3.7.json index 591323c0..16f7a39c 100644 
--- a/json_schemas/statsd/3.7.json +++ b/json_schemas/statsd/3.7.json @@ -6,7 +6,9 @@ "description": "List of status code ranges that are allowed to be logged in metrics.", "items": { "pattern": "^[0-9]+-[0-9]+$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -176,7 +178,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "queue_size": { @@ -223,7 +227,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -234,7 +240,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -259,7 +267,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -272,7 +282,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -283,9 +295,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/syslog/3.7.json b/json_schemas/syslog/3.7.json index fbbdbdbe..90bd9094 100644 --- a/json_schemas/syslog/3.7.json +++ b/json_schemas/syslog/3.7.json @@ -91,7 +91,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -102,7 +104,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -127,7 +131,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -140,7 +146,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -151,9 +159,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/tcp-log/3.7.json b/json_schemas/tcp-log/3.7.json index 028dafde..91b64178 100644 
--- a/json_schemas/tcp-log/3.7.json +++ b/json_schemas/tcp-log/3.7.json @@ -37,7 +37,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -48,7 +50,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -73,7 +77,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -86,7 +92,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -97,9 +105,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/tls-handshake-modifier/3.7.json b/json_schemas/tls-handshake-modifier/3.7.json index fcfac7cc..358d3225 100644 --- a/json_schemas/tls-handshake-modifier/3.7.json +++ b/json_schemas/tls-handshake-modifier/3.7.json @@ -11,7 +11,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -26,7 +28,9 @@ "https", "tls" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -39,7 +43,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -50,9 +56,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/tls-metadata-headers/3.7.json b/json_schemas/tls-metadata-headers/3.7.json index d878d7ab..3ae3ee64 100644 --- a/json_schemas/tls-metadata-headers/3.7.json +++ b/json_schemas/tls-metadata-headers/3.7.json @@ -33,7 +33,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -48,7 +50,9 @@ "https", "tls" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -61,7 +65,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -72,9 +78,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/udp-log/3.7.json b/json_schemas/udp-log/3.7.json index adfff403..1c727685 100644 --- a/json_schemas/udp-log/3.7.json +++ b/json_schemas/udp-log/3.7.json @@ -23,7 +23,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -34,7 +36,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -59,7 +63,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -72,7 +78,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -83,9 +91,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/upstream-timeout/3.7.json b/json_schemas/upstream-timeout/3.7.json index 681120b5..6ba90827 100644 --- a/json_schemas/upstream-timeout/3.7.json +++ b/json_schemas/upstream-timeout/3.7.json @@ -21,7 +21,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -32,7 +34,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -50,7 +54,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -63,7 +69,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -74,9 +82,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file 
diff --git a/json_schemas/vault-auth/3.7.json b/json_schemas/vault-auth/3.7.json index 3f52bdea..08e8cc3b 100644 --- a/json_schemas/vault-auth/3.7.json +++ b/json_schemas/vault-auth/3.7.json @@ -7,7 +7,9 @@ "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", "items": { "description": "A string representing an HTTP header name.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "string" @@ -31,7 +33,9 @@ "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", "items": { "description": "A string representing an HTTP header name.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "string" @@ -46,7 +50,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -64,7 +70,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -77,7 +85,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -88,9 +98,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/websocket-size-limit/3.7.json b/json_schemas/websocket-size-limit/3.7.json index b46f162b..483c3c46 100644 --- a/json_schemas/websocket-size-limit/3.7.json +++ b/json_schemas/websocket-size-limit/3.7.json 
@@ -13,7 +13,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -24,7 +26,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -38,7 +42,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -51,7 +57,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -62,9 +70,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/websocket-validator/3.7.json b/json_schemas/websocket-validator/3.7.json index 8c23be44..65cf170c 100644 --- a/json_schemas/websocket-validator/3.7.json +++ b/json_schemas/websocket-validator/3.7.json @@ -45,7 +45,9 @@ "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "upstream": { @@ -91,11 +93,15 @@ "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -106,7 +112,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -120,7 +128,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -133,7 +143,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -144,9 +156,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/xml-threat-protection/3.7.json b/json_schemas/xml-threat-protection/3.7.json index 0fea5bfa..48a6bd95 100644 --- a/json_schemas/xml-threat-protection/3.7.json +++ b/json_schemas/xml-threat-protection/3.7.json 
@@ -8,11 +8,15 @@ "type": "boolean" }, "allowed_content_types": { - "default": [], + "default": [ + + ], "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", "items": { "pattern": "^[^\\t\\n\\v\\f\\r ]+\\/[^ ;]+$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -48,7 +52,9 @@ "description": "A list of Content-Type values with payloads that must be validated.", "items": { "pattern": "^[^\\t\\n\\v\\f\\r ]+\\/[^ ;]+$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -149,7 +155,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -160,7 +168,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -178,7 +188,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -191,7 +203,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -202,9 +216,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/zipkin/3.7.json b/json_schemas/zipkin/3.7.json index e8004732..a5627e88 100644 --- a/json_schemas/zipkin/3.7.json +++ b/json_schemas/zipkin/3.7.json @@ -88,7 +88,9 @@ "clear": { "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -119,7 +121,9 @@ "ot", "w3c" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -138,7 +142,9 @@ "preserve", "w3c" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -196,7 +202,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "read_timeout": { @@ -269,7 +277,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -280,7 +290,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -305,7 +317,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -318,7 +332,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -329,9 +345,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file From 8dcb147c5c337d99bf77cd2e0d3dcedad3700344 Mon Sep 17 00:00:00 2001 From: fabianrbz <715229+fabianrbz@users.noreply.github.com> Date: Tue, 25 Mar 2025 16:25:29 +0000 Subject: [PATCH 142/165] JSON Schemas for 3.4.x --- json_schemas/acme/3.4.json | 12 +++++----- json_schemas/forward-proxy/3.4.json | 4 ++-- json_schemas/kafka-log/3.4.json | 4 ++-- json_schemas/ldap-auth-advanced/3.4.json | 4 ++-- json_schemas/loggly/3.4.json | 1 + json_schemas/oauth2-introspection/3.4.json | 2 +- json_schemas/openid-connect/3.4.json | 24 +++++++++++++++---- json_schemas/opentelemetry/3.4.json | 2 +- .../request-transformer-advanced/3.4.json | 12 ++++++++++ json_schemas/saml/3.4.json | 14 +++++------ 10 files changed, 53 insertions(+), 26 deletions(-) diff --git a/json_schemas/acme/3.4.json b/json_schemas/acme/3.4.json index 8f14ffbf..86754cc8 100644 --- a/json_schemas/acme/3.4.json +++ b/json_schemas/acme/3.4.json 
@@ -3,7 +3,7 @@ "config": { "properties": { "account_email": { - "description": "The account identifier. Can be reused in a different plugin instance.", + "description": "The account identifier. Can be reused in a different plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "pattern": "[a-zA-Z0-9]*[!-/:-@[-`{-~]*@+[a-zA-Z0-9]*%.?[a-zA-Z0-9]*", "type": "string" }, @@ -64,11 +64,11 @@ "type": "array" }, "eab_hmac_key": { - "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "eab_kid": { - "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "enable_ipv4_common_name": { @@ -140,7 +140,7 @@ "type": "number" }, "token": { - "description": "Consul ACL token.", + "description": "Consul ACL token.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, @@ -161,7 +161,7 @@ "redis": { "properties": { "auth": { - "description": "The Redis password to use for authentication. ", + "description": "The Redis password to use for authentication. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "database": { 
@@ -273,7 +273,7 @@ "type": "boolean" }, "token": { - "description": "Consul ACL token.", + "description": "Consul ACL token.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/forward-proxy/3.4.json b/json_schemas/forward-proxy/3.4.json index ad6b829b..c0f4b52a 100644 --- a/json_schemas/forward-proxy/3.4.json +++ b/json_schemas/forward-proxy/3.4.json @@ -3,11 +3,11 @@ "config": { "properties": { "auth_password": { - "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "auth_username": { - "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "http_proxy_host": { diff --git a/json_schemas/kafka-log/3.4.json b/json_schemas/kafka-log/3.4.json index 3cc3b73a..5f48ce50 100644 --- a/json_schemas/kafka-log/3.4.json +++ b/json_schemas/kafka-log/3.4.json @@ -14,7 +14,7 @@ "type": "string" }, "password": { - "description": "Password for SASL authentication.", + "description": "Password for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "strategy": { 
@@ -29,7 +29,7 @@ "type": "boolean" }, "user": { - "description": "Username for SASL authentication.", + "description": "Username for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/ldap-auth-advanced/3.4.json b/json_schemas/ldap-auth-advanced/3.4.json index d84a3b6c..8b7ec70a 100644 --- a/json_schemas/ldap-auth-advanced/3.4.json +++ b/json_schemas/ldap-auth-advanced/3.4.json @@ -17,7 +17,7 @@ "type": "string" }, "bind_dn": { - "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "cache_ttl": { @@ -91,7 +91,7 @@ "type": "string" }, "ldap_password": { - "description": "The password to the LDAP server.", + "description": "The password to the LDAP server.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "ldap_port": { diff --git a/json_schemas/loggly/3.4.json b/json_schemas/loggly/3.4.json index 81d78b5b..7a26a98b 100644 --- a/json_schemas/loggly/3.4.json +++ b/json_schemas/loggly/3.4.json @@ -27,6 +27,7 @@ "type": "string" }, "key": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "log_level": { diff --git a/json_schemas/oauth2-introspection/3.4.json b/json_schemas/oauth2-introspection/3.4.json index 64bc7359..482e4d6e 100644 --- a/json_schemas/oauth2-introspection/3.4.json +++ b/json_schemas/oauth2-introspection/3.4.json 
@@ -9,7 +9,7 @@ "type": "string" }, "authorization_value": { - "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "consumer_by": { diff --git a/json_schemas/openid-connect/3.4.json b/json_schemas/openid-connect/3.4.json index f37bcc5b..1b820c4c 100644 --- a/json_schemas/openid-connect/3.4.json +++ b/json_schemas/openid-connect/3.4.json @@ -298,6 +298,7 @@ "client_id": { "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -315,12 +316,15 @@ "type": "string" }, "d": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dp": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dq": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "e": { @@ -330,6 +334,7 @@ "type": "string" }, "k": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "key_ops": { 
@@ -351,21 +356,27 @@ "type": "string" }, "oth": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "p": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "q": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "qi": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "r": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "t": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "use": { @@ -406,6 +417,7 @@ "client_secret": { "description": "The client secret.", "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -773,6 +785,7 @@ "introspection_headers_values": { "description": "Extra header values passed to the introspection endpoint.", "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -894,7 +907,7 @@ "login_redirect_uri": { "description": "Where to redirect the client when `login_action` is set to `redirect`.", "items": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], 
@@ -952,7 +965,7 @@ "logout_redirect_uri": { "description": "Where to redirect the client after the logout.", "items": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -1139,6 +1152,7 @@ ], "description": "The scopes passed to the authorization and token endpoints.", "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -1296,7 +1310,7 @@ "type": "string" }, "session_redis_password": { - "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "session_redis_port": { @@ -1337,7 +1351,7 @@ "type": "boolean" }, "session_redis_username": { - "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "description": "Username to use for Redis connection when the `redis` session storage is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "session_remember": { 
@@ -1402,7 +1416,7 @@ "type": "number" }, "session_secret": { - "description": "The session secret.", + "description": "The session secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "session_storage": { diff --git a/json_schemas/opentelemetry/3.4.json b/json_schemas/opentelemetry/3.4.json index 423c1bc6..eb3f2c9b 100644 --- a/json_schemas/opentelemetry/3.4.json +++ b/json_schemas/opentelemetry/3.4.json @@ -18,7 +18,7 @@ "type": "integer" }, "endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_type": { diff --git a/json_schemas/request-transformer-advanced/3.4.json b/json_schemas/request-transformer-advanced/3.4.json index 6c9653b2..f2a4a54a 100644 --- a/json_schemas/request-transformer-advanced/3.4.json +++ b/json_schemas/request-transformer-advanced/3.4.json @@ -9,6 +9,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -21,6 +22,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -50,6 +52,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -87,6 +90,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], 
@@ -99,6 +103,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -128,6 +133,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -202,6 +208,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -214,6 +221,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -226,6 +234,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -246,6 +255,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -258,6 +268,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], @@ -287,6 +298,7 @@ ], "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ ], diff --git a/json_schemas/saml/3.4.json b/json_schemas/saml/3.4.json index 1a9c27ca..62644a5d 100644 --- a/json_schemas/saml/3.4.json +++ b/json_schemas/saml/3.4.json 
@@ -11,7 +11,7 @@ "type": "string" }, "idp_certificate": { - "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "idp_sso_url": { @@ -53,11 +53,11 @@ "type": "string" }, "request_signing_certificate": { - "description": "The certificate for signing requests.", + "description": "The certificate for signing requests.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "request_signing_key": { - "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "response_digest_algorithm": { @@ -70,7 +70,7 @@ "type": "string" }, "response_encryption_key": { - "description": "The private encryption key required to decrypt encrypted assertions.", + "description": "The private encryption key required to decrypt encrypted assertions.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "response_signature_algorithm": { 
@@ -205,7 +205,7 @@ "type": "string" }, "session_redis_password": { - "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. This value is pulled from", + "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. This value is pulled from\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "session_redis_port": { @@ -246,7 +246,7 @@ "type": "boolean" }, "session_redis_username": { - "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "session_remember": { 
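Review bot: The `session_redis_password` description still breaks off mid-sentence at "This value is pulled from", and the new text is appended straight after the fragment, so it renders as "…pulled from This field is referenceable…". Complete or drop the fragment before appending, so the description ends at `no auth commands are sent to Redis.` followed by the referenceable sentence. This is the field operators read when deciding how to supply the Redis credential, so the wording should be unambiguous. The `session_redis_username` hunk on the same line has a smaller defect of the same kind: `desired.If` is missing a space.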
@@ -311,7 +311,7 @@ "type": "number" }, "session_secret": { - "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "maxLength": 32, "minLength": 32, "pattern": "^[0-9a-zA-Z/_+]+$", From 82d790181117661216d1a0a65b5ce2cb58032653 Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Wed, 26 Mar 2025 16:22:16 -0700 Subject: [PATCH 143/165] generate examples for AI plugins: (#109) --- examples/ai-rag-injector/_3.10.x.yaml | 21 ++++++++++++++++++++- examples/ai-sanitizer/_3.10.x.yaml | 9 ++++++++- 2 files changed, 28 insertions(+), 2 deletions(-) diff --git a/examples/ai-rag-injector/_3.10.x.yaml b/examples/ai-rag-injector/_3.10.x.yaml index 0c2337fe..a60e56ee 100644 --- a/examples/ai-rag-injector/_3.10.x.yaml +++ b/examples/ai-rag-injector/_3.10.x.yaml @@ -1 +1,20 @@ -name: ai-rag-injector \ No newline at end of file +name: ai-rag-injector +config: + inject_template: | + Only use the following information surrounded by and your existing knowledge to provide the best possible answer to the user. + + User's question: + embeddings: + auth: + header_name: Authorization + header_value: Bearer + model: + provider: openai + name: text-embedding-3-large + vectordb: + strategy: redis + redis: + host: exampleredis.com + port: 80 + distance_metric: cosine + dimensions: 76 \ No newline at end of file 
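Review bot: `vectordb.redis.port: 80` and `dimensions: 76` in the ai-rag-injector example look like filler rather than values that fit the rest of the configuration, and examples tend to be copied verbatim. Redis conventionally listens on 6379, and `text-embedding-3-large` returns 3072-dimensional vectors unless a shorter size is requested, so the index dimension presumably has to match; I would use `port: 6379` and `dimensions: 3072`. As shown here, `header_value` is a bare `Bearer`. If `embeddings.auth.header_value` is referenceable (not visible in this hunk), the example could show the credential coming from a vault reference instead of a literal in the file.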
diff --git a/examples/ai-sanitizer/_3.10.x.yaml b/examples/ai-sanitizer/_3.10.x.yaml index 94dcfb5c..d7085a54 100644 --- a/examples/ai-sanitizer/_3.10.x.yaml +++ b/examples/ai-sanitizer/_3.10.x.yaml @@ -1 +1,8 @@ -name: ai-sanitizer \ No newline at end of file +name: ai-sanitizer +config: + port: 9000 + anonymize: + - phone + - general + recover_redacted: false + redact_type: synthetic From 08f0ed3e1446b7d3825ab1e7ed8f79ba72e12106 Mon Sep 17 00:00:00 2001 
From: kong-docs <116832528+kong-docs@users.noreply.github.com> Date: Tue, 1 Apr 2025 01:36:56 +0200 Subject: [PATCH 144/165] Copy latest schemas to 3.11.x (#112) Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- schemas/acl/3.11.x.json | 106 + schemas/acme/3.11.x.json | 623 +++ schemas/ai-azure-content-safety/3.11.x.json | 176 + schemas/ai-prompt-decorator/3.11.x.json | 126 + schemas/ai-prompt-guard/3.11.x.json | 104 + schemas/ai-prompt-template/3.11.x.json | 88 + schemas/ai-proxy-advanced/3.11.x.json | 1344 +++++++ schemas/ai-proxy/3.11.x.json | 608 +++ schemas/ai-rag-injector/3.11.x.json | 945 +++++ schemas/ai-rate-limiting-advanced/3.11.x.json | 592 +++ schemas/ai-request-transformer/3.11.x.json | 692 ++++ schemas/ai-response-transformer/3.11.x.json | 692 ++++ schemas/ai-sanitizer/3.11.x.json | 177 + schemas/ai-semantic-cache/3.11.x.json | 689 ++++ schemas/ai-semantic-prompt-guard/3.11.x.json | 704 ++++ schemas/app-dynamics/3.11.x.json | 46 + schemas/application-registration/3.11.x.json | 108 + schemas/aws-lambda/3.11.x.json | 273 ++ schemas/azure-functions/3.11.x.json | 125 + schemas/basic-auth/3.11.x.json | 78 + schemas/bot-detection/3.11.x.json | 79 + schemas/canary/3.11.x.json | 190 + schemas/confluent-consume/3.11.x.json | 208 + schemas/confluent/3.11.x.json | 253 ++ schemas/correlation-id/3.11.x.json | 73 + schemas/cors/3.11.x.json | 143 + schemas/datadog-tracing/3.11.x.json | 103 + schemas/datadog/3.11.x.json | 361 ++ schemas/degraphql/3.11.x.json | 68 + schemas/exit-transformer/3.11.x.json | 68 + schemas/file-log/3.11.x.json | 83 + schemas/forward-proxy/3.11.x.json | 171 + .../graphql-proxy-cache-advanced/3.11.x.json | 463 +++ .../3.11.x.json | 530 +++ schemas/grpc-gateway/3.11.x.json | 59 + schemas/grpc-web/3.11.x.json | 74 + schemas/header-cert-auth/3.11.x.json | 229 ++ schemas/hmac-auth/3.11.x.json | 132 + schemas/http-log/3.11.x.json | 260 ++ schemas/injection-protection/3.11.x.json | 159 + 
schemas/ip-restriction/3.11.x.json | 85 + schemas/jq/3.11.x.json | 197 + schemas/json-threat-protection/3.11.x.json | 164 + schemas/jwe-decrypt/3.11.x.json | 86 + schemas/jwt-signer/3.11.x.json | 997 +++++ schemas/jwt/3.11.x.json | 160 + schemas/kafka-consume/3.11.x.json | 239 ++ schemas/kafka-log/3.11.x.json | 280 ++ schemas/kafka-upstream/3.11.x.json | 302 ++ schemas/key-auth-enc/3.11.x.json | 118 + schemas/key-auth/3.11.x.json | 123 + schemas/konnect-application-auth/3.11.x.json | 3271 +++++++++++++++ schemas/ldap-auth-advanced/3.11.x.json | 243 ++ schemas/ldap-auth/3.11.x.json | 178 + schemas/loggly/3.11.x.json | 173 + schemas/mocking/3.11.x.json | 131 + schemas/mtls-auth/3.11.x.json | 210 + schemas/oas-validation/3.11.x.json | 170 + schemas/oauth2-introspection/3.11.x.json | 167 + schemas/oauth2/3.11.x.json | 221 + schemas/opa/3.11.x.json | 147 + schemas/openid-connect/3.11.x.json | 3558 +++++++++++++++++ schemas/opentelemetry/3.11.x.json | 367 ++ schemas/post-function/3.11.x.json | 228 ++ schemas/pre-function/3.11.x.json | 228 ++ schemas/prometheus/3.11.x.json | 94 + schemas/proxy-cache-advanced/3.11.x.json | 573 +++ schemas/proxy-cache/3.11.x.json | 205 + schemas/rate-limiting-advanced/3.11.x.json | 599 +++ schemas/rate-limiting/3.11.x.json | 474 +++ schemas/redirect/3.11.x.json | 61 + schemas/request-callout/3.11.x.json | 960 +++++ schemas/request-size-limiting/3.11.x.json | 73 + schemas/request-termination/3.11.x.json | 81 + .../request-transformer-advanced/3.11.x.json | 337 ++ schemas/request-transformer/3.11.x.json | 280 ++ schemas/request-validator/3.11.x.json | 189 + schemas/response-ratelimiting/3.11.x.json | 439 ++ .../response-transformer-advanced/3.11.x.json | 350 ++ schemas/response-transformer/3.11.x.json | 259 ++ schemas/route-by-header/3.11.x.json | 78 + .../route-transformer-advanced/3.11.x.json | 75 + schemas/saml/3.11.x.json | 1229 ++++++ schemas/service-protection/3.11.x.json | 543 +++ schemas/session/3.11.x.json | 302 ++ 
schemas/standard-webhooks/3.11.x.json | 63 + schemas/statsd-advanced/3.11.x.json | 459 +++ schemas/statsd/3.11.x.json | 454 +++ schemas/syslog/3.11.x.json | 164 + schemas/tcp-log/3.11.x.json | 112 + schemas/tls-handshake-modifier/3.11.x.json | 60 + schemas/tls-metadata-headers/3.11.x.json | 96 + schemas/udp-log/3.11.x.json | 91 + schemas/upstream-oauth/3.11.x.json | 762 ++++ schemas/upstream-timeout/3.11.x.json | 75 + schemas/vault-auth/3.11.x.json | 112 + schemas/websocket-size-limit/3.11.x.json | 68 + schemas/websocket-validator/3.11.x.json | 220 + schemas/xml-threat-protection/3.11.x.json | 300 ++ schemas/zipkin/3.11.x.json | 421 ++ 100 files changed, 34703 insertions(+) create mode 100644 schemas/acl/3.11.x.json create mode 100644 schemas/acme/3.11.x.json create mode 100644 schemas/ai-azure-content-safety/3.11.x.json create mode 100644 schemas/ai-prompt-decorator/3.11.x.json create mode 100644 schemas/ai-prompt-guard/3.11.x.json create mode 100644 schemas/ai-prompt-template/3.11.x.json create mode 100644 schemas/ai-proxy-advanced/3.11.x.json create mode 100644 schemas/ai-proxy/3.11.x.json create mode 100644 schemas/ai-rag-injector/3.11.x.json create mode 100644 schemas/ai-rate-limiting-advanced/3.11.x.json create mode 100644 schemas/ai-request-transformer/3.11.x.json create mode 100644 schemas/ai-response-transformer/3.11.x.json create mode 100644 schemas/ai-sanitizer/3.11.x.json create mode 100644 schemas/ai-semantic-cache/3.11.x.json create mode 100644 schemas/ai-semantic-prompt-guard/3.11.x.json create mode 100644 schemas/app-dynamics/3.11.x.json create mode 100644 schemas/application-registration/3.11.x.json create mode 100644 schemas/aws-lambda/3.11.x.json create mode 100644 schemas/azure-functions/3.11.x.json create mode 100644 schemas/basic-auth/3.11.x.json create mode 100644 schemas/bot-detection/3.11.x.json create mode 100644 schemas/canary/3.11.x.json create mode 100644 schemas/confluent-consume/3.11.x.json create mode 100644 
schemas/confluent/3.11.x.json create mode 100644 schemas/correlation-id/3.11.x.json create mode 100644 schemas/cors/3.11.x.json create mode 100644 schemas/datadog-tracing/3.11.x.json create mode 100644 schemas/datadog/3.11.x.json create mode 100644 schemas/degraphql/3.11.x.json create mode 100644 schemas/exit-transformer/3.11.x.json create mode 100644 schemas/file-log/3.11.x.json create mode 100644 schemas/forward-proxy/3.11.x.json create mode 100644 schemas/graphql-proxy-cache-advanced/3.11.x.json create mode 100644 schemas/graphql-rate-limiting-advanced/3.11.x.json create mode 100644 schemas/grpc-gateway/3.11.x.json create mode 100644 schemas/grpc-web/3.11.x.json create mode 100644 schemas/header-cert-auth/3.11.x.json create mode 100644 schemas/hmac-auth/3.11.x.json create mode 100644 schemas/http-log/3.11.x.json create mode 100644 schemas/injection-protection/3.11.x.json create mode 100644 schemas/ip-restriction/3.11.x.json create mode 100644 schemas/jq/3.11.x.json create mode 100644 schemas/json-threat-protection/3.11.x.json create mode 100644 schemas/jwe-decrypt/3.11.x.json create mode 100644 schemas/jwt-signer/3.11.x.json create mode 100644 schemas/jwt/3.11.x.json create mode 100644 schemas/kafka-consume/3.11.x.json create mode 100644 schemas/kafka-log/3.11.x.json create mode 100644 schemas/kafka-upstream/3.11.x.json create mode 100644 schemas/key-auth-enc/3.11.x.json create mode 100644 schemas/key-auth/3.11.x.json create mode 100644 schemas/konnect-application-auth/3.11.x.json create mode 100644 schemas/ldap-auth-advanced/3.11.x.json create mode 100644 schemas/ldap-auth/3.11.x.json create mode 100644 schemas/loggly/3.11.x.json create mode 100644 schemas/mocking/3.11.x.json create mode 100644 schemas/mtls-auth/3.11.x.json create mode 100644 schemas/oas-validation/3.11.x.json create mode 100644 schemas/oauth2-introspection/3.11.x.json create mode 100644 schemas/oauth2/3.11.x.json create mode 100644 schemas/opa/3.11.x.json create mode 100644 
schemas/openid-connect/3.11.x.json create mode 100644 schemas/opentelemetry/3.11.x.json create mode 100644 schemas/post-function/3.11.x.json create mode 100644 schemas/pre-function/3.11.x.json create mode 100644 schemas/prometheus/3.11.x.json create mode 100644 schemas/proxy-cache-advanced/3.11.x.json create mode 100644 schemas/proxy-cache/3.11.x.json create mode 100644 schemas/rate-limiting-advanced/3.11.x.json create mode 100644 schemas/rate-limiting/3.11.x.json create mode 100644 schemas/redirect/3.11.x.json create mode 100644 schemas/request-callout/3.11.x.json create mode 100644 schemas/request-size-limiting/3.11.x.json create mode 100644 schemas/request-termination/3.11.x.json create mode 100644 schemas/request-transformer-advanced/3.11.x.json create mode 100644 schemas/request-transformer/3.11.x.json create mode 100644 schemas/request-validator/3.11.x.json create mode 100644 schemas/response-ratelimiting/3.11.x.json create mode 100644 schemas/response-transformer-advanced/3.11.x.json create mode 100644 schemas/response-transformer/3.11.x.json create mode 100644 schemas/route-by-header/3.11.x.json create mode 100644 schemas/route-transformer-advanced/3.11.x.json create mode 100644 schemas/saml/3.11.x.json create mode 100644 schemas/service-protection/3.11.x.json create mode 100644 schemas/session/3.11.x.json create mode 100644 schemas/standard-webhooks/3.11.x.json create mode 100644 schemas/statsd-advanced/3.11.x.json create mode 100644 schemas/statsd/3.11.x.json create mode 100644 schemas/syslog/3.11.x.json create mode 100644 schemas/tcp-log/3.11.x.json create mode 100644 schemas/tls-handshake-modifier/3.11.x.json create mode 100644 schemas/tls-metadata-headers/3.11.x.json create mode 100644 schemas/udp-log/3.11.x.json create mode 100644 schemas/upstream-oauth/3.11.x.json create mode 100644 schemas/upstream-timeout/3.11.x.json create mode 100644 schemas/vault-auth/3.11.x.json create mode 100644 schemas/websocket-size-limit/3.11.x.json create mode 100644 
schemas/websocket-validator/3.11.x.json create mode 100644 schemas/xml-threat-protection/3.11.x.json create mode 100644 schemas/zipkin/3.11.x.json diff --git a/schemas/acl/3.11.x.json b/schemas/acl/3.11.x.json new file mode 100644 index 00000000..ddcf7860 --- /dev/null +++ b/schemas/acl/3.11.x.json 
@@ -0,0 +1,106 @@ +{ + "entity_checks": [ + { + "only_one_of": [ + "config.allow", + "config.deny" + ] + }, + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "allow": { + "elements": { + "type": "string" + }, + "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "type": "array" + } + }, + { + "deny": { + "elements": { + "type": "string" + }, + "description": "Arbitrary group names that are not allowed to consume the service or route. 
One of `config.allow` or `config.deny` must be specified.", + "type": "array" + } + }, + { + "hide_groups_header": { + "default": false, + "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", + "required": true, + "type": "boolean" + } + }, + { + "include_consumer_groups": { + "default": false, + "description": "If enabled (`true`), allows the consumer-groups to be used in the `allow|deny` fields", + "required": false, + "type": "boolean" + } + }, + { + "always_use_authenticated_groups": { + "default": false, + "description": "If enabled (`true`), the authenticated groups will always be used even when an authenticated consumer already exists. If the authenticated groups don't exist, it will fallback to use the groups associated with the consumer. By default the authenticated groups will only be used when there is no consumer or the consumer is anonymous.", + "required": true, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/acme/3.11.x.json b/schemas/acme/3.11.x.json new file mode 100644 index 00000000..677bf267 --- /dev/null +++ b/schemas/acme/3.11.x.json 
@@ -0,0 +1,623 @@ +{ + "entity_checks": [ + { + "conditional": { + "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", + "if_match": { + "one_of": [ + "https://acme-v02.api.letsencrypt.org", + "https://acme-staging-v02.api.letsencrypt.org" + ] + }, + "then_field": "config.tos_accepted", + "if_field": "config.api_uri", + "then_match": { + "eq": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.storage_config.redis.host", + "if_field": "config.storage", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.storage_config.redis.port", + "if_field": "config.storage", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.storage" + ] + } + } + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "service": { + "reference": "services", + "eq": null, + "type": "foreign", + "description": "A reference to the 'services' table with a null value allowed." + } + }, + { + "route": { + "reference": "routes", + "eq": null, + "type": "foreign", + "description": "A reference to the 'routes' table with a null value allowed." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." 
+ } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "account_email": { + "encrypted": true, + "match": "%w*%p*@+%w*%.?%w*", + "required": true, + "type": "string", + "description": "The account identifier. Can be reused in a different plugin instance.", + "referenceable": true + } + }, + { + "account_key": { + "type": "record", + "description": "The private key associated with the account.", + "required": false, + "fields": [ + { + "key_id": { + "description": "The Key ID.", + "required": true, + "type": "string" + } + }, + { + "key_set": { + "type": "string", + "description": "The ID of the key set to associate the Key ID with." + } + } + ] + } + }, + { + "api_uri": { + "default": "https://acme-v02.api.letsencrypt.org/directory", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + { + "tos_accepted": { + "default": false, + "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", + "type": "boolean" + } + }, + { + "eab_kid": { + "encrypted": true, + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", + "referenceable": true, + "type": "string" + } + }, + { + "eab_hmac_key": { + "encrypted": true, + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", + "referenceable": true, + "type": "string" + } + }, + { + "cert_type": { + "default": "rsa", + "description": "The certificate type to create. 
The possible values are `rsa` for RSA certificate or `ecc` for EC certificate.", + "type": "string", + "one_of": [ + "rsa", + "ecc" + ] + } + }, + { + "rsa_key_size": { + "default": 4096, + "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", + "type": "number", + "one_of": [ + 2048, + 3072, + 4096 + ] + } + }, + { + "renew_threshold_days": { + "default": 14, + "description": "Days remaining to renew the certificate before it expires.", + "type": "number" + } + }, + { + "domains": { + "elements": { + "match_all": [ + { + "err": "invalid wildcard: must have at most one wildcard", + "pattern": "^[^*]*%*?[^*]*$" + } + ], + "type": "string", + "match_any": { + "err": "invalid wildcard: must be placed at leftmost or rightmost label", + "patterns": [ + "^%*%.", + "%.%*$", + "^[^*]*$" + ] + } + }, + "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", + "type": "array" + } + }, + { + "allow_any_domain": { + "default": false, + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", + "type": "boolean" + } + }, + { + "fail_backoff_minutes": { + "default": 5, + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", + "type": "number" + } + }, + { + "storage": { + "default": "shm", + "description": "The backend storage type to use. In DB-less mode and Konnect, `kong` storage is unavailable. In hybrid mode and Konnect, `shm` storage is unavailable. 
`shm` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `kong`, `redis`, `consul`, or `vault` in production.", + "type": "string", + "one_of": [ + "kong", + "shm", + "redis", + "consul", + "vault" + ] + } + }, + { + "storage_config": { + "fields": [ + { + "shm": { + "fields": [ + { + "shm_name": { + "default": "kong", + "description": "Name of shared memory zone used for Kong API gateway storage", + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "kong": { + "fields": [ + + ], + "required": true, + "type": "record" + } + }, + { + "redis": { + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "len_min": 0 + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "extra_options": { + "type": "record", + "description": "Custom ACME Redis options", + "required": true, + "fields": [ + { + "namespace": { + "required": true, + "type": "string", + "default": "", + "description": "A namespace to prepend to all keys stored in Redis.", + "len_min": 0 + } + }, + { + "scan_count": { + "default": 10, + "description": "The number of keys to return in Redis SCAN calls.", + "required": false, + "type": "number" + } + } + ] + } + } + ], + "shorthand_fields": [ + { + "auth": { + "type": "string", + "deprecation": { + "message": "acme: config.storage_config.redis.auth is deprecated, please use config.storage_config.redis.password instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "password" + ] + } + ] + }, + "len_min": 0 + } + }, + { + "ssl_server_name": { + "deprecation": { + "message": "acme: config.storage_config.redis.ssl_server_name is deprecated, please use config.storage_config.redis.server_name instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + 
"path": [ + "server_name" + ] + } + ] + }, + "type": "string" + } + }, + { + "namespace": { + "type": "string", + "deprecation": { + "message": "acme: config.storage_config.redis.namespace is deprecated, please use config.storage_config.redis.extra_options.namespace instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "extra_options", + "namespace" + ] + } + ] + }, + "len_min": 0 + } + }, + { + "scan_count": { + "deprecation": { + "message": "acme: config.storage_config.redis.scan_count is deprecated, please use config.storage_config.redis.extra_options.scan_count instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "extra_options", + "scan_count" + ] + } + ] + }, + "type": "integer" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "consul": { + "fields": [ + { + "https": { + "default": false, + "description": "Boolean representation of https.", + "type": "boolean" + } + }, + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "kv_path": { + "type": "string", + "description": "KV prefix path." + } + }, + { + "timeout": { + "type": "number", + "description": "Timeout in milliseconds." + } + }, + { + "token": { + "description": "Consul ACL token.", + "referenceable": true, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "vault": { + "fields": [ + { + "https": { + "default": false, + "description": "Boolean representation of https.", + "type": "boolean" + } + }, + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "kv_path": { + "type": "string", + "description": "KV prefix path." + } + }, + { + "timeout": { + "type": "number", + "description": "Timeout in milliseconds." + } + }, + { + "token": { + "description": "Consul ACL token.", + "referenceable": true, + "type": "string" + } + }, + { + "tls_verify": { + "default": true, + "description": "Turn on TLS verification.", + "type": "boolean" + } + }, + { + "tls_server_name": { + "type": "string", + "description": "SNI used in request, default to host if omitted." + } + }, + { + "auth_method": { + "default": "token", + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", + "type": "string", + "one_of": [ + "token", + "kubernetes" + ] + } + }, + { + "auth_path": { + "type": "string", + "description": "Vault's authentication path to use." + } + }, + { + "auth_role": { + "type": "string", + "description": "The role to try and assign." + } + }, + { + "jwt_path": { + "type": "string", + "description": "The path to the JWT." + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "preferred_chain": { + "description": "A string value that specifies the preferred certificate chain to use when generating certificates.", + "type": "string" + } + }, + { + "enable_ipv4_common_name": { + "default": true, + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-azure-content-safety/3.11.x.json b/schemas/ai-azure-content-safety/3.11.x.json new file mode 100644 index 00000000..0752c460 --- /dev/null +++ b/schemas/ai-azure-content-safety/3.11.x.json 
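Review bot: In `storage_config.vault`, the `token` field is described as "Consul ACL token.", which is copied from the `consul` record above it and mislabels the credential; it should read something like `"description": "Vault authentication token."`. Both `token` fields are `referenceable` but lack the `"encrypted": true` that `redis.password`, `eab_kid` and `eab_hmac_key` carry in this same schema, so they are presumably stored without at-rest encryption. The Redis record also defaults `ssl` and `ssl_verify` to `false`, while `vault.tls_verify` defaults to `true`. Since this file is a copy of the generated schema, these belong in the plugin's schema source rather than in this commit.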
@@ -0,0 +1,176 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "content_safety_url": { + "referenceable": true, + "description": "Full URL, inc protocol, of the Azure Content Safety instance.", + "required": true, + "type": "string" + } + }, + { + "azure_api_version": { + "required": true, + "type": "string", + "default": "2023-10-01", + "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format.", + "len_min": 1 + } + }, + { + "azure_use_managed_identity": { + "default": false, + "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity", + "type": "boolean" + } + }, + { + "azure_client_id": { + "description": "If `azure_use_managed_identity` is true, set the client ID if required.", + "required": false, + "type": "string" + } + }, + { + "azure_client_secret": { + "description": "If `azure_use_managed_identity` is true, set the client secret if required.", + "required": false, + "type": "string" + } + }, + { + "azure_tenant_id": { + "description": "If `azure_use_managed_identity` is true, set the tenant ID if required.", + "required": false, + "type": "string" + } + }, + { + "content_safety_key": { + 
"encrypted": true, + "required": false, + "type": "string", + "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.", + "referenceable": true + } + }, + { + "text_source": { + "default": "concatenate_all_content", + "description": "Select where to pick the 'text' for the Azure Content Services request.", + "type": "string", + "one_of": [ + "concatenate_all_content", + "concatenate_user_content" + ] + } + }, + { + "categories": { + "elements": { + "type": "record", + "required": true, + "fields": [ + { + "name": { + "required": true, + "type": "string" + } + }, + { + "rejection_level": { + "required": true, + "type": "integer" + } + } + ] + }, + "description": "Array of categories, and their thresholds, to measure on.", + "type": "array" + } + }, + { + "reveal_failure_reason": { + "default": true, + "description": "Set true to tell the caller why their request was rejected, if so.", + "type": "boolean" + } + }, + { + "output_type": { + "default": "FourSeverityLevels", + "description": "See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter#content-filtering-categories", + "type": "string", + "one_of": [ + "FourSeverityLevels", + "EightSeverityLevels" + ] + } + }, + { + "blocklist_names": { + "elements": { + "type": "string" + }, + "description": "Use these configured blocklists (in Azure Content Services) when inspecting content.", + "type": "array" + } + }, + { + "halt_on_blocklist_hit": { + "default": true, + "description": "Tells Azure to reject the request if any blocklist filter is hit.", + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-prompt-decorator/3.11.x.json b/schemas/ai-prompt-decorator/3.11.x.json new file mode 100644 index 00000000..4002199f --- /dev/null +++ b/schemas/ai-prompt-decorator/3.11.x.json 
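Review bot: `azure_client_secret` is declared as a plain string with neither `"encrypted": true` nor `"referenceable": true`, while `content_safety_key` just below carries both. As declared, the client secret presumably gets no at-rest encryption and cannot be supplied as a vault reference. In the plugin's schema source (this file is a generated copy) I would add `"encrypted": true, "referenceable": true` to `azure_client_secret`, and consider `"referenceable": true` on `azure_client_id` and `azure_tenant_id`. Separately, the `content_safety_key` description says to set the API key "If `azure_use_managed_identity` is true", which looks inverted since an API key would be the alternative to managed identity; confirm and change it to `false`.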
@@ -0,0 +1,126 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.prompts.prepend", + "config.prompts.append" + ] + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "prompts": { + "type": "record", + "required": false, + "fields": [ + { + "prepend": { + "len_max": 15, + "required": false, + "type": "array", + "elements": { + "type": "record", + "required": false, + "fields": [ + { + "role": { + "default": "system", + "type": "string", + "required": true, + "one_of": [ + "system", + "assistant", + "user" + ] + } + }, + { + "content": { + "len_max": 500, + "type": "string", + "required": true, + "len_min": 1 + } + } + ] + }, + "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages." + } + }, + { + "append": { + "len_max": 15, + "required": false, + "type": "array", + "elements": { + "type": "record", + "required": false, + "fields": [ + { + "role": { + "default": "system", + "type": "string", + "required": true, + "one_of": [ + "system", + "assistant", + "user" + ] + } + }, + { + "content": { + "len_max": 500, + "type": "string", + "required": true, + "len_min": 1 + } + } + ] + }, + "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages." + } + } + ] + } + }, + { + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "gt": 0, + "type": "integer" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file 
diff --git a/schemas/ai-prompt-guard/3.11.x.json b/schemas/ai-prompt-guard/3.11.x.json
new file mode 100644
index 00000000..1eb02b54
--- /dev/null
+++ b/schemas/ai-prompt-guard/3.11.x.json
@@ -0,0 +1,104 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow_patterns", + "config.deny_patterns" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "config.allow_all_conversation_history", + "if_field": "config.match_all_roles", + "then_match": { + "eq": false + } + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "allow_patterns": { + "len_max": 10, + "required": false, + "type": "array", + "elements": { + "len_max": 500, + "len_min": 1, + "type": "string" + }, + "description": "Array of valid regex patterns, or valid questions from the 'user' role in chat." + } + }, + { + "deny_patterns": { + "len_max": 10, + "required": false, + "type": "array", + "elements": { + "len_max": 500, + "len_min": 1, + "type": "string" + }, + "description": "Array of invalid regex patterns, or invalid questions from the 'user' role in chat." + } + }, + { + "allow_all_conversation_history": { + "default": false, + "description": "If true, will ignore all previous chat prompts from the conversation history.", + "required": true, + "type": "boolean" + } + }, + { + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "gt": 0, + "type": "integer" + } + }, + { + "match_all_roles": { + "default": false, + "description": "If true, will match all roles in addition to 'user' role in conversation history.", + "required": true, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-prompt-template/3.11.x.json b/schemas/ai-prompt-template/3.11.x.json new file mode 100644 index 00000000..2822bb38 
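Review bot: The `allow_all_conversation_history` description says the plugin "will ignore all previous chat prompts", but it does not state the consequence for a guard: earlier messages in the history are then not checked against `deny_patterns` or `allow_patterns`. If that is the behaviour, say so directly, for example `If true, only the latest message is checked against the patterns; earlier messages in the conversation history are not inspected.` The `allow_patterns` and `deny_patterns` descriptions also do not say which list takes precedence when a prompt matches both, and the `at_least_one_of` check permits configuring both together. Documenting that precedence would remove the guesswork.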
--- /dev/null +++ b/schemas/ai-prompt-template/3.11.x.json @@ -0,0 +1,88 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "templates": { + "elements": { + "type": "record", + "required": true, + "fields": [ + { + "name": { + "description": "Unique name for the template, can be called with `{template://NAME}`", + "required": true, + "type": "string" + } + }, + { + "template": { + "description": "Template string for this request, supports mustache-style `{{placeholders}}`", + "required": true, + "type": "string" + } + } + ] + }, + "description": "Array of templates available to the request context.", + "required": true, + "type": "array" + } + }, + { + "allow_untemplated_requests": { + "default": true, + "description": "Set true to allow requests that don't call or match any template.", + "required": true, + "type": "boolean" + } + }, + { + "log_original_request": { + "default": false, + "description": "Set true to add the original request to the Kong log plugin(s) output.", + "required": true, + "type": "boolean" + } + }, + { + "max_request_body_size": { + "gt": 0, + "description": "max allowed body size allowed to be introspected", + "default": 8192, + "type": "integer" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-proxy-advanced/3.11.x.json b/schemas/ai-proxy-advanced/3.11.x.json new file mode 100644 index 00000000..0e657ace --- /dev/null +++ b/schemas/ai-proxy-advanced/3.11.x.json 
@@ -0,0 +1,1344 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.targets" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.targets", + "config.balancer" + ] + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "balancer": { + "type": "record", + "required": true, + "fields": [ + { + "algorithm": { + "default": "round-robin", + "description": "Which load balancing algorithm to use.", + "type": "string", + "one_of": [ + "round-robin", + "lowest-latency", + "lowest-usage", + "consistent-hashing", + "semantic" + ] + } + }, + { + "tokens_count_strategy": { + "default": "total-tokens", + "description": "What tokens to use for usage calculation. Available values are: `total_tokens` `prompt_tokens`, and `completion_tokens`.", + "type": "string", + "one_of": [ + "total-tokens", + "prompt-tokens", + "completion-tokens" + ] + } + }, + { + "latency_strategy": { + "default": "tpot", + "description": "What metrics to use for latency. 
Available values are: `tpot` (time-per-output-token) and `e2e`.", + "type": "string", + "one_of": [ + "tpot", + "e2e" + ] + } + }, + { + "hash_on_header": { + "default": "X-Kong-LLM-Request-ID", + "description": "The header to use for consistent-hashing.", + "type": "string" + } + }, + { + "slots": { + "default": 10000, + "description": "The number of slots in the load balancer algorithm.", + "between": [ + 10, + 65536 + ], + "type": "integer" + } + }, + { + "retries": { + "default": 5, + "description": "The number of retries to execute upon failure to proxy.", + "between": [ + 0, + 32767 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 60000, + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "write_timeout": { + "default": 60000, + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 60000, + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + } + ] + } + }, + { + "embeddings": { + "fields": [ + { + "auth": { + "fields": [ + { + "header_name": { + "referenceable": true, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "required": false, + "type": "string" + } + }, + { + "header_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "referenceable": true + } + }, + { + "param_name": { + "referenceable": true, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "required": false, + "type": "string" + } + }, + { + "param_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full parameter value for 'param_name'.", + "referenceable": true + } + }, + { + "param_location": { + "one_of": [ + "query", + "body" + ], + "description": "Specify whether the 'param_name' and 
'param_value' options go in a query string, or the POST form/JSON body.", + "required": false, + "type": "string" + } + }, + { + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "required": false, + "type": "boolean" + } + }, + { + "azure_client_id": { + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "required": false, + "type": "string" + } + }, + { + "azure_client_secret": { + "encrypted": true, + "required": false, + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "referenceable": true + } + }, + { + "azure_tenant_id": { + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "required": false, + "type": "string" + } + }, + { + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "required": false, + "type": "boolean" + } + }, + { + "gcp_service_account_json": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "referenceable": true + } + }, + { + "aws_access_key_id": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "aws_secret_access_key": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "required": false, + "type": "boolean" + } + } + ], + "required": false, + "type": "record" + } + }, + { + "model": { + "fields": [ + { + "provider": { + "one_of": [ + "openai", + "mistral" + ], + "description": "AI provider format to use for embeddings API", + "required": true, + "type": "string" + } + }, + { + "name": { + "description": "Model name to execute.", + "required": true, + "type": "string" + } + }, + { + "options": { + "fields": [ + { + "upstream_url": { + "description": "upstream url for the embeddings", + "required": false, + "type": "string" + } + } + ], + "description": "Key/value settings for the model", + "required": false, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": false, + "type": "record" + } + }, + { + "vectordb": { + "fields": [ + { + "strategy": { + "one_of": [ + "redis" + ], + "description": "which vector database driver to use", + "required": true, + "type": "string" + } + }, + { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "required": true, + "type": "integer" + } + }, + { + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float)", + "required": true, + "type": "number" + } + }, + { + "distance_metric": { + "one_of": [ + 
"cosine", + "euclidean" + ], + "description": "the distance metric to use for vector searches", + "required": true, + "type": "string" + } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + 
"replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "one_of": [ + "master", + "slave", + "any" + ], + "type": "string" + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ], + "type": "record" + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ], + "type": "record" + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + } + ] + } + } + ], + "required": false, + "type": "record" + } + }, + { + "response_streaming": { + "required": false, + "type": "string", + "default": "allow", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "one_of": [ + "allow", + "deny", + "always" + ] + } + }, + { + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "gt": 0, + "type": "integer" + } + }, + { + "model_name_header": { + "default": true, + "description": "Display the model name selected in the X-Kong-LLM-Model response header", + "type": "boolean" + } + }, + { + "targets": { + "elements": { + "entity_checks": [ + { + "conditional": { + "then_err": "bedrock and gemini only support auth.allow_override = false", + "if_match": { + "one_of": [ + "bedrock", + "gemini" + ] + }, + "then_field": "auth.allow_override", + "if_field": "model.provider", + "then_match": { + "eq": false + } + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set 
%s for llama2 provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] + } + } + ], + "type": "record", + "required": true, + "fields": [ + { + "route_type": { + "one_of": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "description": "The model's operation implementation, for this provider. 
Set to `preserve` to pass through without transformation.", + "required": true, + "type": "string" + } + }, + { + "auth": { + "fields": [ + { + "header_name": { + "referenceable": true, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "required": false, + "type": "string" + } + }, + { + "header_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "referenceable": true + } + }, + { + "param_name": { + "referenceable": true, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "required": false, + "type": "string" + } + }, + { + "param_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full parameter value for 'param_name'.", + "referenceable": true + } + }, + { + "param_location": { + "one_of": [ + "query", + "body" + ], + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "required": false, + "type": "string" + } + }, + { + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "required": false, + "type": "boolean" + } + }, + { + "azure_client_id": { + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "required": false, + "type": "string" + } + }, + { + "azure_client_secret": { + "encrypted": true, + "required": false, + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + 
"referenceable": true + } + }, + { + "azure_tenant_id": { + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "required": false, + "type": "string" + } + }, + { + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "required": false, + "type": "boolean" + } + }, + { + "gcp_service_account_json": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "referenceable": true + } + }, + { + "aws_access_key_id": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "aws_secret_access_key": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "required": false, + "type": "boolean" + } + } + ], + "required": false, + "type": "record" + } + }, + { + "model": { + "fields": [ + { + "provider": { + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2", + "gemini", + "bedrock", + "huggingface" + ], + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "required": true, + "type": "string" + } + }, + { + "name": { + "description": "Model name to execute.", + "required": false, + "type": "string" + } + }, + { + "options": { + "fields": [ + { + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "required": false, + "type": "integer" + } + }, + { + "input_cost": { + "gt": 0, + "description": "Defines the cost per 1M tokens in your prompt.", + "required": false, + "type": "number" + } + }, + { + "output_cost": { + "gt": 0, + "description": "Defines the cost per 1M tokens in the output of the AI.", + "required": false, + "type": "number" + } + }, + { + "temperature": { + "between": [ + 0, + 5 + ], + "description": "Defines the matching temperature, if using chat or completion models.", + "required": false, + "type": "number" + } + }, + { + "top_p": { + "between": [ + 0, + 1 + ], + "description": "Defines the top-p probability mass, if supported.", + "required": false, + "type": "number" + } + }, + { + "top_k": { + "between": [ + 0, + 500 + ], + "description": "Defines the top-k most likely tokens, if supported.", + "required": false, + "type": "integer" + } + }, + { + "anthropic_version": { + "description": "Defines the 
schema/API version, if using Anthropic provider.", + "required": false, + "type": "string" + } + }, + { + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "required": false, + "type": "string" + } + }, + { + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "required": false, + "type": "string" + } + }, + { + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "required": false, + "type": "string" + } + }, + { + "llama2_format": { + "one_of": [ + "raw", + "openai", + "ollama" + ], + "description": "If using llama2 provider, select the upstream message format.", + "required": false, + "type": "string" + } + }, + { + "mistral_format": { + "one_of": [ + "openai", + "ollama" + ], + "description": "If using mistral provider, select the upstream message format.", + "required": false, + "type": "string" + } + }, + { + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "required": false, + "type": "string" + } + }, + { + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "required": false, + "type": "string" + } + }, + { + "gemini": { + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], + "fields": [ + { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "required": false, + "type": "string" + } + }, + { + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "required": false, + "type": "string" + } + }, + { + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "required": false, + "type": "string" + } + } + ], + "required": false, + "type": "record" + } + }, + { + "bedrock": { + "fields": [ + { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "required": false, + "type": "string" + } + } + ], + "required": false, + "type": "record" + } + }, + { + "huggingface": { + "fields": [ + { + "use_cache": { + "description": "Use the cache layer on the inference API", + "required": false, + "type": "boolean" + } + }, + { + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "required": false, + "type": "boolean" + } + } + ], + "required": false, + "type": "record" + } + } + ], + "description": "Key/value settings for the model", + "required": false, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "weight": { + "default": 100, + "description": "The weight this target gets within the upstream loadbalancer (1-65535).", + "between": [ + 1, + 65535 + ], + "type": "integer" + } + }, + { + "description": { + "description": "The semantic description of the target, required if using semantic load balancing.", + "required": false, + "type": "string" + } + }, + { + "logging": { + "fields": [ + { + "log_statistics": { + "default": false, + 
"description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "required": true, + "type": "boolean" + } + }, + { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "required": true, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-proxy/3.11.x.json b/schemas/ai-proxy/3.11.x.json new file mode 100644 index 00000000..d66b2f6d --- /dev/null +++ b/schemas/ai-proxy/3.11.x.json 
@@ -0,0 +1,608 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "entity_checks": [ + { + "conditional": { + "then_err": "bedrock and gemini only support auth.allow_override = false", + "if_match": { + "one_of": [ + "bedrock", + "gemini" + ] + }, + "then_field": "auth.allow_override", + "if_field": "model.provider", + "then_match": { + "eq": false + } + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for llama2 provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": 
"model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] + } + } + ], + "type": "record", + "required": true, + "fields": [ + { + "route_type": { + "one_of": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "required": true, + "type": "string" + } + }, + { + "auth": { + "fields": [ + { + "header_name": { + "referenceable": true, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "required": false, + "type": "string" + } + }, + { + "header_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "referenceable": true + } + }, + { + "param_name": { + "referenceable": true, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "required": false, + "type": "string" + } + }, + { + "param_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full parameter value for 'param_name'.", + "referenceable": true + } + }, + { + "param_location": { + "one_of": [ + "query", + "body" + ], + "description": "Specify whether 
the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "required": false, + "type": "string" + } + }, + { + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "required": false, + "type": "boolean" + } + }, + { + "azure_client_id": { + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "required": false, + "type": "string" + } + }, + { + "azure_client_secret": { + "encrypted": true, + "required": false, + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "referenceable": true + } + }, + { + "azure_tenant_id": { + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "required": false, + "type": "string" + } + }, + { + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "required": false, + "type": "boolean" + } + }, + { + "gcp_service_account_json": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "referenceable": true + } + }, + { + "aws_access_key_id": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "aws_secret_access_key": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "required": false, + "type": "boolean" + } + } + ], + "required": false, + "type": "record" + } + }, + { + "model": { + "fields": [ + { + "provider": { + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2", + "gemini", + "bedrock", + "huggingface" + ], + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "required": true, + "type": "string" + } + }, + { + "name": { + "description": "Model name to execute.", + "required": false, + "type": "string" + } + }, + { + "options": { + "fields": [ + { + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "required": false, + "type": "integer" + } + }, + { + "input_cost": { + "gt": 0, + "description": "Defines the cost per 1M tokens in your prompt.", + "required": false, + "type": "number" + } + }, + { + "output_cost": { + "gt": 0, + "description": "Defines the cost per 1M tokens in the output of the AI.", + "required": false, + "type": "number" + } + }, + { + "temperature": { + "between": [ + 0, + 5 + ], + "description": "Defines the matching temperature, if using chat or completion models.", + "required": false, + "type": "number" + } + }, + { + "top_p": { + "between": [ + 0, + 1 + 
], + "description": "Defines the top-p probability mass, if supported.", + "required": false, + "type": "number" + } + }, + { + "top_k": { + "between": [ + 0, + 500 + ], + "description": "Defines the top-k most likely tokens, if supported.", + "required": false, + "type": "integer" + } + }, + { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "required": false, + "type": "string" + } + }, + { + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "required": false, + "type": "string" + } + }, + { + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "required": false, + "type": "string" + } + }, + { + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "required": false, + "type": "string" + } + }, + { + "llama2_format": { + "one_of": [ + "raw", + "openai", + "ollama" + ], + "description": "If using llama2 provider, select the upstream message format.", + "required": false, + "type": "string" + } + }, + { + "mistral_format": { + "one_of": [ + "openai", + "ollama" + ], + "description": "If using mistral provider, select the upstream message format.", + "required": false, + "type": "string" + } + }, + { + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "required": false, + "type": "string" + } + }, + { + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "required": false, + "type": "string" + } + }, + { + "gemini": { + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], + "fields": [ + { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "required": false, + "type": "string" + } + }, + { + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "required": false, + "type": "string" + } + }, + { + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "required": false, + "type": "string" + } + } + ], + "required": false, + "type": "record" + } + }, + { + "bedrock": { + "fields": [ + { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "required": false, + "type": "string" + } + } + ], + "required": false, + "type": "record" + } + }, + { + "huggingface": { + "fields": [ + { + "use_cache": { + "description": "Use the cache layer on the inference API", + "required": false, + "type": "boolean" + } + }, + { + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "required": false, + "type": "boolean" + } + } + ], + "required": false, + "type": "record" + } + } + ], + "description": "Key/value settings for the model", + "required": false, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "logging": { + "fields": [ + { + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "required": true, + "type": "boolean" + } + }, + { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "required": true, + "type": 
"boolean" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "response_streaming": { + "required": false, + "type": "string", + "default": "allow", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "one_of": [ + "allow", + "deny", + "always" + ] + } + }, + { + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "gt": 0, + "type": "integer" + } + }, + { + "model_name_header": { + "default": true, + "description": "Display the model name selected in the X-Kong-LLM-Model response header", + "type": "boolean" + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-rag-injector/3.11.x.json b/schemas/ai-rag-injector/3.11.x.json new file mode 100644 index 00000000..a4b3943c --- /dev/null +++ b/schemas/ai-rag-injector/3.11.x.json 
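Review bot: The `auth.allow_override` description in this file reads as if the plugin-configured value replaces whatever the request carries, which is the ordinary behaviour and would not need a flag. The `conditional` entity check at the top of `config` (bedrock and gemini only support `auth.allow_override = false`) suggests the flag instead lets a caller-supplied header or parameter take precedence over the configured credential. The description should state that direction explicitly, e.g. `"description": "If enabled, an authorization header or parameter sent by the client takes precedence over the value configured in the plugin."`. The same sentence appears in the `auth` record of `schemas/ai-rag-injector/3.11.x.json` and in the file whose hunk ends just before this one. If these files are exported from the gateway's schema endpoint, the wording has to be corrected at that source rather than here.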
@@ -0,0 +1,945 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.inject_template" + ] + } + } + ], + "fields": [ + { + "protocols": { + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "set", + "required": true + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "stop_on_failure": { + "description": "Halt the LLM request process in case of a vectordb or embeddings service failure", + "type": "boolean", + "default": false, + "required": true + } + }, + { + "inject_as_role": { + "one_of": [ + "system", + "assistant", + "user" + ], + "type": "string", + "default": "user", + "required": true + } + }, + { + "inject_template": { + "default": "\n", + "type": "string", + "required": true + } + }, + { + "fetch_chunks_count": { + "description": "The maximum number of chunks to fetch from vectordb", + "type": "number", + "default": 5, + "required": true + } + }, + { + "vectordb_namespace": { + "description": "The namespace of the vectordb to use for embeddings lookup", + "type": "string", + "default": "kong_rag_injector", + "required": true + } + }, + { + "embeddings": { + "entity_checks": [ + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.instance" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.api_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + 
"then_at_least_one_of": [ + "model.options.azure.deployment_id" + ] + } + } + ], + "type": "record", + "required": true, + "fields": [ + { + "auth": { + "type": "record", + "required": false, + "fields": [ + { + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "header_value": { + "type": "string", + "referenceable": true, + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "encrypted": true, + "required": false + } + }, + { + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "param_value": { + "type": "string", + "referenceable": true, + "description": "Specify the full parameter value for 'param_name'.", + "encrypted": true, + "required": false + } + }, + { + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", + "one_of": [ + "query", + "body" + ], + "required": false + } + }, + { + "azure_use_managed_identity": { + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean", + "default": false, + "required": false + } + }, + { + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "azure_client_secret": { + "type": "string", + "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this 
LLM instance, set the client secret.", + "encrypted": true, + "required": false + } + }, + { + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string", + "required": false, + "referenceable": true + } + }, + { + "gcp_use_service_account": { + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean", + "default": false, + "required": false + } + }, + { + "gcp_service_account_json": { + "type": "string", + "referenceable": true, + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "encrypted": true, + "required": false + } + }, + { + "aws_access_key_id": { + "type": "string", + "referenceable": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "encrypted": true, + "required": false + } + }, + { + "aws_secret_access_key": { + "type": "string", + "referenceable": true, + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "encrypted": true, + "required": false + } + }, + { + "allow_override": { + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean", + "default": false, + "required": false + } + } + ] + } + }, + { + "model": { + "type": "record", + "required": true, + "fields": [ + { + "provider": { + "description": "AI provider format to use for embeddings API", + "type": "string", + "one_of": [ + "openai", + "mistral", + "huggingface", + "azure", + "bedrock", + "gemini" + ], + "required": true + } + }, + { + "name": { + "description": "Model name to execute.", + "type": "string", + "required": true + } + }, + { + "options": { + "description": "Key/value settings for the model", + "type": "record", + "required": false, + "fields": [ + { + "upstream_url": { + "description": "upstream url for the embeddings", + "type": "string", + "required": false + } + }, + { + "azure": { + "type": "record", + "fields": [ + { + "instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string", + "required": false + } + }, + { + "api_version": { + "description": "'api-version' for Azure OpenAI instances.", + "type": "string", + "default": "2023-05-15", + "required": false + } + }, + { + "deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string", + "required": false + } + } + ], + "required": true + } + }, + { + "bedrock": { + "entity_checks": [ + { + "mutually_required": [ + "aws_assume_role_arn", + "aws_role_session_name" + ] + } + ], + "type": "record", + "required": false, + "fields": [ + { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string", + "required": false + } + }, + { + "aws_assume_role_arn": { + 
"description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string", + "required": false + } + }, + { + "aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" + } + }, + { + "aws_sts_endpoint_url": { + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" + } + } + ] + } + }, + { + "gemini": { + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], + "type": "record", + "required": false, + "fields": [ + { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string", + "required": false + } + }, + { + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string", + "required": false + } + }, + { + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string", + "required": false + } + } + ] + } + }, + { + "huggingface": { + "type": "record", + "required": false, + "fields": [ + { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean", + "required": false + } + }, + { + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean", + "required": false + } + } + ] + } + } + ] + } + } + ] + } + } + ] + } + }, + { + "vectordb": { + "type": "record", + "fields": [ + { + "strategy": { + "description": "which vector database driver to use", + "type": "string", + "one_of": [ + "redis", + "pgvector" + ], + "required": true + } + }, + { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "type": "integer", + "required": true + } + }, + { + "distance_metric": { + "description": 
"the distance metric to use for vector searches", + "type": "string", + "one_of": [ + "cosine", + "euclidean" + ], + "required": true + } + }, + { + "redis": { + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "connect_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" + } + }, + { + "send_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" + } + }, + { + "read_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string", + "referenceable": true + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "type": "array", + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "elements": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string", + "default": "127.0.0.1", + "required": true + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + } + ], + "type": "record" + }, + "required": false + } + }, + { + "cluster_nodes": { + "type": "array", + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "elements": { + "fields": [ + { + "ip": { + "description": "A string representing a host name, such as example.com.", + "type": "string", + "default": "127.0.0.1", + "required": true + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + } + ], + "type": "record" + }, + "required": false + } + }, + { + "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "type": "boolean", + "required": false + } + }, + { + "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "type": "boolean", + "required": false + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string", + "required": false + } + }, + { + "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", + "default": 5, + "type": "integer", + "required": false + } + }, + { + "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "default": false, + "type": "boolean", + "required": false + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "type": "array", + "elements": { + "type": "string" + }, + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "len_min": 1 + } + }, + { + "cluster_addresses": { + "type": "array", + "elements": { + "type": "string" + }, + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "len_min": 1 + } + } + ], + "required": true + } + }, + { + "pgvector": { + "type": "record", + "required": true, + "fields": [ + { + "host": { + "description": "the host of the pgvector database", + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "the port of the pgvector database", + "type": "integer", + "default": 5432 + } + }, + { + "user": { + "description": "the user of the pgvector database", + "type": "string", + "default": "postgres", + "referenceable": true + } + }, + { + "password": { + "description": "the password of the pgvector database", + "type": "string", + "encrypted": true, + "referenceable": true + } + }, + { + "database": { + "description": "the database of the pgvector database", + "type": "string", + "default": "kong-pgvector" + } + }, + { + "timeout": { + "description": "the timeout 
of the pgvector database", + "type": "number", + "default": 5000 + } + }, + { + "ssl": { + "description": "whether to use ssl for the pgvector database", + "type": "boolean", + "default": false + } + }, + { + "ssl_required": { + "description": "whether ssl is required for the pgvector database", + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "description": "whether to verify ssl for the pgvector database", + "type": "boolean", + "default": false + } + }, + { + "ssl_version": { + "description": "the ssl version to use for the pgvector database", + "type": "string", + "one_of": [ + "tlsv1_2", + "tlsv1_3", + "any" + ], + "default": "tlsv1_2" + } + }, + { + "ssl_cert": { + "description": "the path of ssl cert to use for the pgvector database", + "type": "string" + } + }, + { + "ssl_cert_key": { + "description": "the path of ssl cert key to use for the pgvector database", + "type": "string" + } + } + ] + } + } + ], + "required": true + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-rate-limiting-advanced/3.11.x.json b/schemas/ai-rate-limiting-advanced/3.11.x.json new file mode 100644 index 00000000..07010f21 --- /dev/null +++ b/schemas/ai-rate-limiting-advanced/3.11.x.json 
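Review bot: Both vector-store backends under `config.vectordb` default to a link that is neither encrypted nor authenticated: `redis.ssl` and `redis.ssl_verify` default to `false`, as do `pgvector.ssl`, `pgvector.ssl_required` and `pgvector.ssl_verify`. Each record also has a `password` field, and its `encrypted` flag presumably covers storage rather than transport. The redis `ssl_verify` description names the trust-store setting it depends on, but the pgvector descriptions only restate the field name. I would bring them to the same level, e.g. `"description": "If set to true, verifies the pgvector server certificate; when false the server's identity is not checked."`. Separately, `cluster_nodes.ip` reuses the host-name description ("such as example.com") on a field named `ip`, so it should say which form is accepted.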
@@ -0,0 +1,592 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "identifier": { + "required": true, + "type": "string", + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "one_of": [ + "ip", + "credential", + "consumer", + "service", + "header", + "path", + "consumer-group" + ] + } + }, + { + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "type": "string", + "one_of": [ + "fixed", + "sliding" + ] + } + }, + { + "sync_rate": { + "type": "number", + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." 
+ } + }, + { + "llm_providers": { + "elements": { + "type": "record", + "fields": [ + { + "window_size": { + "description": "The window size to apply a limit (defined in seconds).", + "required": true, + "type": "number" + } + }, + { + "name": { + "type": "string", + "description": "The LLM provider to which the rate limit applies.", + "required": true, + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2", + "bedrock", + "gemini", + "huggingface", + "requestPrompt" + ] + } + }, + { + "limit": { + "description": "The limit applies to the LLM provider within the defined window size. It used the query cost from the tokens to increment the counter.", + "required": true, + "type": "number" + } + } + ] + }, + "description": "The provider config. Takes an array of `name`, `limit` and `window size` values.", + "required": true, + "type": "array" + } + }, + { + "strategy": { + "required": true, + "type": "string", + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "one_of": [ + "cluster", + "redis", + "local" + ] + } + }, + { + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. 
When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "required": true, + "type": "string" + } + }, + { + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" + } + }, + { + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + } + }, + { + "header_name": { + "type": "string", + "description": "A string representing an HTTP header name." + } + }, + { + "path": { + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "type": "string" + } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": 
"cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + } + ] + } + }, + { + "disable_penalty": { + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type and the request prompt provider.", + "type": "boolean" + } + }, + { + "request_prompt_count_function": { + "description": "If defined, it use custom function to count requests for the request prompt provider", + "required": false, + "type": "string" + } + }, + { + "error_code": { + "gt": 0, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "default": 429, + "type": "number" + } + }, + { + "error_message": { + "default": "AI token rate limit exceeded for provider(s): ", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + } + }, + { + "error_hide_providers": { + "default": false, + "description": "Optionally hide informative response that would otherwise provide information about the provider in the error message.", + "type": "boolean" + } + }, + { + "tokens_count_strategy": { + "required": true, + "type": "string", + "default": "total_tokens", + "description": "What tokens to use for cost calculation. 
Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` or `cost`.", + "one_of": [ + "total_tokens", + "prompt_tokens", + "completion_tokens", + "cost" + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-request-transformer/3.11.x.json b/schemas/ai-request-transformer/3.11.x.json new file mode 100644 index 00000000..1373c841 --- /dev/null +++ b/schemas/ai-request-transformer/3.11.x.json 
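Review bot: In the `redis` record of this schema, `ssl` and `ssl_verify` both default to `false`, so a configuration that sets only `host`, `port` and `password` presumably sends the Redis AUTH exchange in cleartext, and `ssl: true` on its own still accepts any server certificate. If this file is a verbatim dump of the upstream plugin schema, the defaults cannot be changed here, but the `ssl_verify` description should say so upstream, for example `Defaults to false; enable together with ssl whenever Redis is reached over a network you do not fully control.` Separately, the `strategy` description lists only `local` and `cluster` while its `one_of` also accepts `redis`; the text should name all three values.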
@@ -0,0 +1,692 @@ +{ + "entity_checks": [ + { + "conditional": { + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "then_field": "config.llm.route_type", + "if_field": "config.llm.route_type", + "then_match": { + "eq": "llm/v1/chat" + } + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "prompt": { + "description": "Use this prompt to tune the LLM system/assistant message for the incoming proxy request (from the client), and what you are expecting in return.", + "required": true, + "type": "string" + } + }, + { + "transformation_extract_pattern": { + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the request phase. The first match will be set as the outgoing body. 
If the AI service's response doesn't match this pattern, it is marked as a failure.", + "required": false, + "type": "string" + } + }, + { + "http_timeout": { + "default": 60000, + "description": "Timeout in milliseconds for the AI upstream service.", + "required": true, + "type": "integer" + } + }, + { + "https_verify": { + "default": true, + "description": "Verify the TLS certificate of the AI upstream service.", + "required": true, + "type": "boolean" + } + }, + { + "max_request_body_size": { + "gt": 0, + "description": "max allowed body size allowed to be introspected", + "default": 8192, + "type": "integer" + } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "http_proxy_port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "https_proxy_port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "llm": { + "entity_checks": [ + { + "conditional": { + "then_err": "bedrock and gemini only support auth.allow_override = false", + "if_match": { + "one_of": [ + "bedrock", + "gemini" + ] + }, + "then_field": "auth.allow_override", + "if_field": "model.provider", + "then_match": { + "eq": false + } + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for llama2 provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" 
+ ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] + } + } + ], + "fields": [ + { + "route_type": { + "type": "string", + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "required": true, + "one_of": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ] + } + }, + { + "auth": { + "type": "record", + "required": false, + "fields": [ + { + "header_name": { + "required": false, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, + "type": "string" + } + }, + { + "header_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "referenceable": true + } + }, + { + "param_name": { + "required": false, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, + "type": "string" + } + }, + { + "param_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full parameter value for 'param_name'.", + "referenceable": true + } + }, + { + "param_location": { + "type": "string", + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "required": false, + "one_of": [ + "query", + "body" + ] + } + }, + { + 
"azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "required": false, + "type": "boolean" + } + }, + { + "azure_client_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, + "type": "string" + } + }, + { + "azure_client_secret": { + "encrypted": true, + "required": false, + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "referenceable": true + } + }, + { + "azure_tenant_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, + "type": "string" + } + }, + { + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "required": false, + "type": "boolean" + } + }, + { + "gcp_service_account_json": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "referenceable": true + } + }, + { + "aws_access_key_id": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "aws_secret_access_key": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "required": false, + "type": "boolean" + } + } + ] + } + }, + { + "model": { + "type": "record", + "required": true, + "fields": [ + { + "provider": { + "type": "string", + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "required": true, + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2", + "gemini", + "bedrock", + "huggingface" + ] + } + }, + { + "name": { + "description": "Model name to execute.", + "required": false, + "type": "string" + } + }, + { + "options": { + "type": "record", + "description": "Key/value settings for the model", + "required": false, + "fields": [ + { + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "required": false, + "type": "integer" + } + }, + { + "input_cost": { + "gt": 0, + "description": "Defines the cost per 1M tokens in your prompt.", + "required": false, + "type": "number" + } + }, + { + "output_cost": { + "gt": 0, + "description": "Defines the cost per 1M tokens in the output of the AI.", + "required": false, + "type": "number" + } + }, + { + "temperature": { + "between": [ + 0, + 5 + ], + "description": "Defines the matching temperature, if using chat or completion models.", 
+ "required": false, + "type": "number" + } + }, + { + "top_p": { + "between": [ + 0, + 1 + ], + "description": "Defines the top-p probability mass, if supported.", + "required": false, + "type": "number" + } + }, + { + "top_k": { + "between": [ + 0, + 500 + ], + "description": "Defines the top-k most likely tokens, if supported.", + "required": false, + "type": "integer" + } + }, + { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "required": false, + "type": "string" + } + }, + { + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "required": false, + "type": "string" + } + }, + { + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "required": false, + "type": "string" + } + }, + { + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "required": false, + "type": "string" + } + }, + { + "llama2_format": { + "type": "string", + "description": "If using llama2 provider, select the upstream message format.", + "required": false, + "one_of": [ + "raw", + "openai", + "ollama" + ] + } + }, + { + "mistral_format": { + "type": "string", + "description": "If using mistral provider, select the upstream message format.", + "required": false, + "one_of": [ + "openai", + "ollama" + ] + } + }, + { + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "required": false, + "type": "string" + } + }, + { + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "required": false, + "type": "string" + } + }, + { + "gemini": { + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], + "type": "record", + "required": false, + "fields": [ + { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "required": false, + "type": "string" + } + }, + { + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "required": false, + "type": "string" + } + }, + { + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "required": false, + "type": "string" + } + } + ] + } + }, + { + "bedrock": { + "type": "record", + "required": false, + "fields": [ + { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "required": false, + "type": "string" + } + } + ] + } + }, + { + "huggingface": { + "type": "record", + "required": false, + "fields": [ + { + "use_cache": { + "description": "Use the cache layer on the inference API", + "required": false, + "type": "boolean" + } + }, + { + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "required": false, + "type": "boolean" + } + } + ] + } + } + ] + } + } + ] + } + }, + { + "logging": { + "type": "record", + "required": true, + "fields": [ + { + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "required": true, + "type": "boolean" + } + }, + { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "required": true, + "type": "boolean" + } + } + ] + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": 
true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-response-transformer/3.11.x.json b/schemas/ai-response-transformer/3.11.x.json new file mode 100644 index 00000000..30d69cd6 --- /dev/null +++ b/schemas/ai-response-transformer/3.11.x.json 
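Review bot: The `auth.allow_override` description in the `llm` record does not say which side wins. "can be overridden in the request by the value configured in the plugin" reads as the plugin value replacing the caller's, which would presumably be the behaviour with the flag off. Since the flag appears to decide whether a caller-supplied credential may replace the configured `header_value`/`param_value`, the text should state the direction outright, e.g. `If enabled, an authorization header or parameter sent by the client replaces the value configured in the plugin.` (to be confirmed against the plugin code). The `logging.log_payloads` description would also benefit from one sentence noting that full prompts and model responses are written to every attached log plugin's output.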
@@ -0,0 +1,692 @@ +{ + "entity_checks": [ + { + "conditional": { + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "then_field": "config.llm.route_type", + "if_field": "config.llm.route_type", + "then_match": { + "eq": "llm/v1/chat" + } + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "prompt": { + "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting.", + "required": true, + "type": "string" + } + }, + { + "transformation_extract_pattern": { + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the response phase. The first match will be set as the returning body. If the AI service's response doesn't match this pattern, a failure is returned to the client.", + "required": false, + "type": "string" + } + }, + { + "parse_llm_response_json_instructions": { + "default": false, + "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. 
You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions.", + "required": true, + "type": "boolean" + } + }, + { + "http_timeout": { + "default": 60000, + "description": "Timeout in milliseconds for the AI upstream service.", + "required": true, + "type": "integer" + } + }, + { + "https_verify": { + "default": true, + "description": "Verify the TLS certificate of the AI upstream service.", + "required": true, + "type": "boolean" + } + }, + { + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "gt": 0, + "type": "integer" + } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "http_proxy_port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "https_proxy_port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "llm": { + "entity_checks": [ + { + "conditional": { + "then_err": "bedrock and gemini only support auth.allow_override = false", + "if_match": { + "one_of": [ + "bedrock", + "gemini" + ] + }, + "then_field": "auth.allow_override", + "if_field": "model.provider", + "then_match": { + "eq": false + } + } + }, + { + "mutually_required": [ + "auth.header_name", + "auth.header_value" + ] + }, + { + "mutually_required": [ + "auth.param_name", + "auth.param_value", + "auth.param_location" + ] + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for llama2 provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "mistral" + ] + }, + "then_err": "must set %s for mistral provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "anthropic" + ] + }, + "then_err": "must set %s for anthropic provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "azure" 
+ ] + }, + "then_err": "must set %s for azure provider", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ] + } + }, + { + "conditional_at_least_one_of": { + "if_match": { + "one_of": [ + "llama2" + ] + }, + "then_err": "must set %s for self-hosted providers/models", + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model", + "logging" + ] + } + } + ], + "fields": [ + { + "route_type": { + "type": "string", + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "required": true, + "one_of": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ] + } + }, + { + "auth": { + "type": "record", + "required": false, + "fields": [ + { + "header_name": { + "required": false, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, + "type": "string" + } + }, + { + "header_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "referenceable": true + } + }, + { + "param_name": { + "required": false, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, + "type": "string" + } + }, + { + "param_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full parameter value for 'param_name'.", + "referenceable": true + } + }, + { + "param_location": { + "type": "string", + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "required": false, + "one_of": [ + "query", + "body" + ] + } + }, + { + 
"azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "required": false, + "type": "boolean" + } + }, + { + "azure_client_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, + "type": "string" + } + }, + { + "azure_client_secret": { + "encrypted": true, + "required": false, + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "referenceable": true + } + }, + { + "azure_tenant_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, + "type": "string" + } + }, + { + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "required": false, + "type": "boolean" + } + }, + { + "gcp_service_account_json": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "referenceable": true + } + }, + { + "aws_access_key_id": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "aws_secret_access_key": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "required": false, + "type": "boolean" + } + } + ] + } + }, + { + "model": { + "type": "record", + "required": true, + "fields": [ + { + "provider": { + "type": "string", + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "required": true, + "one_of": [ + "openai", + "azure", + "anthropic", + "cohere", + "mistral", + "llama2", + "gemini", + "bedrock", + "huggingface" + ] + } + }, + { + "name": { + "description": "Model name to execute.", + "required": false, + "type": "string" + } + }, + { + "options": { + "type": "record", + "description": "Key/value settings for the model", + "required": false, + "fields": [ + { + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "required": false, + "type": "integer" + } + }, + { + "input_cost": { + "gt": 0, + "description": "Defines the cost per 1M tokens in your prompt.", + "required": false, + "type": "number" + } + }, + { + "output_cost": { + "gt": 0, + "description": "Defines the cost per 1M tokens in the output of the AI.", + "required": false, + "type": "number" + } + }, + { + "temperature": { + "between": [ + 0, + 5 + ], + "description": "Defines the matching temperature, if using chat or completion models.", 
+ "required": false, + "type": "number" + } + }, + { + "top_p": { + "between": [ + 0, + 1 + ], + "description": "Defines the top-p probability mass, if supported.", + "required": false, + "type": "number" + } + }, + { + "top_k": { + "between": [ + 0, + 500 + ], + "description": "Defines the top-k most likely tokens, if supported.", + "required": false, + "type": "integer" + } + }, + { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "required": false, + "type": "string" + } + }, + { + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "required": false, + "type": "string" + } + }, + { + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "required": false, + "type": "string" + } + }, + { + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "required": false, + "type": "string" + } + }, + { + "llama2_format": { + "type": "string", + "description": "If using llama2 provider, select the upstream message format.", + "required": false, + "one_of": [ + "raw", + "openai", + "ollama" + ] + } + }, + { + "mistral_format": { + "type": "string", + "description": "If using mistral provider, select the upstream message format.", + "required": false, + "one_of": [ + "openai", + "ollama" + ] + } + }, + { + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "required": false, + "type": "string" + } + }, + { + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "required": false, + "type": "string" + } + }, + { + "gemini": { + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], + "type": "record", + "required": false, + "fields": [ + { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "required": false, + "type": "string" + } + }, + { + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "required": false, + "type": "string" + } + }, + { + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "required": false, + "type": "string" + } + } + ] + } + }, + { + "bedrock": { + "type": "record", + "required": false, + "fields": [ + { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "required": false, + "type": "string" + } + } + ] + } + }, + { + "huggingface": { + "type": "record", + "required": false, + "fields": [ + { + "use_cache": { + "description": "Use the cache layer on the inference API", + "required": false, + "type": "boolean" + } + }, + { + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "required": false, + "type": "boolean" + } + } + ] + } + } + ] + } + } + ] + } + }, + { + "logging": { + "type": "record", + "required": true, + "fields": [ + { + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "required": true, + "type": "boolean" + } + }, + { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "required": true, + "type": "boolean" + } + } + ] + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": 
true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-sanitizer/3.11.x.json b/schemas/ai-sanitizer/3.11.x.json new file mode 100644 index 00000000..e2540b8c --- /dev/null +++ b/schemas/ai-sanitizer/3.11.x.json 
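Review bot: `config.llm.model.options.upstream_url` is checked only as `"type": "string"`, so an `http://` URL passes validation and `auth.header_value` or `auth.param_value` could then travel to the model endpoint without TLS, whatever `https_verify` is set to (inferred from the field names; the plugin code is not part of this diff). Constrain the field to an `https` URL in the schema, or extend its description to say that plain-HTTP upstreams expose the configured credentials. The same unconstrained `upstream_url` is added under `config.embeddings.model.options` in the ai-semantic-cache schema. The `log_payloads` description should also state that full request and response bodies, including prompts and any personal data in them, reach every configured log plugin.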
@@ -0,0 +1,177 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "set", + "required": true + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "host": { + "description": "The host of the sanitizer", + "type": "string", + "default": "localhost", + "required": true + } + }, + { + "port": { + "description": "The port of the sanitizer", + "type": "number", + "default": 8080, + "required": true + } + }, + { + "scheme": { + "description": "The protocol can be http and https", + "type": "string", + "default": "http", + "required": true + } + }, + { + "timeout": { + "description": "Connection timeout with the sanitizer", + "default": 10000, + "type": "number" + } + }, + { + "keepalive_timeout": { + "description": "The keepalive timeout for the established http connnection", + "default": 60000, + "type": "number" + } + }, + { + "stop_on_error": { + "description": "Stop processing if an error occurs", + "default": true, + "type": "boolean" + } + }, + { + "anonymize": { + "elements": { + "type": "string", + "one_of": [ + "general", + "phone", + "email", + "creditcard", + "crypto", + "date", + "ssn", + "ip", + "nrp", + "domain", + "credentials", + "url", + "medical", + "driverlicense", + "passport", + "bank", + "nationalid", + "custom", + "all", + "all_and_credentials" + ] + }, + "description": "List of types to be anonymized", + "default": [ + "all_and_credentials" + ], + "type": "array", + "required": true + } + }, + { + "recover_redacted": { + "description": "Whether to recover redacted data", + "default": true, + "type": "boolean" + } + }, + { + "redact_type": { + "description": "What value to be used to redacted to", + "default": 
"placeholder", + "type": "string", + "one_of": [ + "placeholder", + "synthetic" + ] + } + }, + { + "custom_patterns": { + "type": "array", + "len_min": 1, + "description": "List of custom patterns to be used for anonymization", + "elements": { + "type": "record", + "fields": [ + { + "name": { + "required": true, + "type": "string" + } + }, + { + "regex": { + "required": true, + "type": "string" + } + }, + { + "score": { + "between": [ + 0, + 1 + ], + "type": "number", + "default": 0.5, + "required": true + } + } + ] + }, + "required": false + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-semantic-cache/3.11.x.json b/schemas/ai-semantic-cache/3.11.x.json new file mode 100644 index 00000000..afa47df0 --- /dev/null +++ b/schemas/ai-semantic-cache/3.11.x.json 
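Review bot: `config.scheme` accepts any string and defaults to `http`, although its description names only http and https; add `"one_of": ["http", "https"]` so other values are rejected at configuration time. With the default, the text submitted for anonymization is sent to the sanitizer unencrypted, which matters as soon as `host` is changed from `localhost`, so the description should say so. `config.port` is typed `number` with no range, unlike the port fields in the neighbouring schemas, which use `"type": "integer"` with `"between": [0, 65535]`.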
@@ -0,0 +1,689 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "message_countback": { + "default": 1, + "description": "Number of messages in the chat history to Vectorize/Cache", + "between": [ + 1, + 1000 + ], + "type": "number" + } + }, + { + "ignore_system_prompts": { + "default": false, + "description": "Ignore and discard any system prompts when Vectorizing the request", + "type": "boolean" + } + }, + { + "ignore_assistant_prompts": { + "default": false, + "description": "Ignore and discard any assistant prompts when Vectorizing the request", + "type": "boolean" + } + }, + { + "ignore_tool_prompts": { + "default": false, + "description": "Ignore and discard any tool prompts when Vectorizing the request", + "type": "boolean" + } + }, + { + "stop_on_failure": { + "default": false, + "description": "Halt the LLM request process in case of a caching system failure", + "required": true, + "type": "boolean" + } + }, + { + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "gt": 0, + "type": "integer" + } + }, + { + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "required": true, + "type": "boolean" + } + }, + { + "exact_caching": { + "default": false, + "description": "When enabled, a first check for exact query will be done. 
It will impact DB size", + "required": true, + "type": "boolean" + } + }, + { + "embeddings": { + "type": "record", + "required": true, + "fields": [ + { + "auth": { + "type": "record", + "required": false, + "fields": [ + { + "header_name": { + "required": false, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, + "type": "string" + } + }, + { + "header_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "referenceable": true + } + }, + { + "param_name": { + "required": false, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, + "type": "string" + } + }, + { + "param_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full parameter value for 'param_name'.", + "referenceable": true + } + }, + { + "param_location": { + "type": "string", + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "required": false, + "one_of": [ + "query", + "body" + ] + } + }, + { + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "required": false, + "type": "boolean" + } + }, + { + "azure_client_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, + "type": "string" + } + }, + { + "azure_client_secret": { + "encrypted": true, + "required": false, + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different 
user-assigned identity for this LLM instance, set the client secret.", + "referenceable": true + } + }, + { + "azure_tenant_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, + "type": "string" + } + }, + { + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "required": false, + "type": "boolean" + } + }, + { + "gcp_service_account_json": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "referenceable": true + } + }, + { + "aws_access_key_id": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "aws_secret_access_key": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "required": false, + "type": "boolean" + } + } + ] + } + }, + { + "model": { + "type": "record", + "required": true, + "fields": [ + { + "provider": { + "type": "string", + "description": "AI provider format to use for embeddings API", + "required": true, + "one_of": [ + "openai", + "mistral" + ] + } + }, + { + "name": { + "description": "Model name to execute.", + "required": true, + "type": "string" + } + }, + { + "options": { + "type": "record", + "description": "Key/value settings for the model", + "required": false, + "fields": [ + { + "upstream_url": { + "description": "upstream url for the embeddings", + "required": false, + "type": "string" + } + } + ] + } + } + ] + } + } + ] + } + }, + { + "vectordb": { + "type": "record", + "required": true, + "fields": [ + { + "strategy": { + "type": "string", + "description": "which vector database driver to use", + "required": true, + "one_of": [ + "redis" + ] + } + }, + { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "required": true, + "type": "integer" + } + }, + { + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float)", + "required": true, + "type": "number" + } + }, + { + "distance_metric": { + "type": "string", + "description": "the distance metric to use for vector searches", + "required": true, + "one_of": [ + "cosine", + "euclidean" + ] + } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + 
"mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 
65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + } + ] + } + } + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-semantic-prompt-guard/3.11.x.json b/schemas/ai-semantic-prompt-guard/3.11.x.json new file mode 100644 index 00000000..c1fac108 --- /dev/null +++ b/schemas/ai-semantic-prompt-guard/3.11.x.json 
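Review bot: In `config.vectordb.redis`, `ssl` and `ssl_verify` both default to `false`, so turning on `ssl` alone encrypts the connection without checking the server certificate, and with neither set the `password` and the cached content cross the network in cleartext unless Redis stays on the default `127.0.0.1`. The `ssl` description should point at `ssl_verify`, for example `If set to true, uses SSL to connect to Redis. Set ssl_verify to true as well, otherwise the server certificate is not checked.` `vectordb.threshold` also has no `between` bound, so a value outside what the chosen `distance_metric` can produce is accepted; the valid range is not visible in this diff and should be confirmed before adding one.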
@@ -0,0 +1,704 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.rules.allow_prompts", + "config.rules.deny_prompts" + ] + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "embeddings": { + "type": "record", + "required": true, + "fields": [ + { + "auth": { + "type": "record", + "required": false, + "fields": [ + { + "header_name": { + "required": false, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, + "type": "string" + } + }, + { + "header_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "referenceable": true + } + }, + { + "param_name": { + "required": false, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, + "type": "string" + } + }, + { + "param_value": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Specify the full parameter value for 'param_name'.", + "referenceable": true + } + }, + { + "param_location": { + "type": "string", + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "required": false, + "one_of": [ + "query", + "body" + ] + } + }, + { + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "required": false, + "type": "boolean" + } + }, + { + "azure_client_id": { + "required": 
false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, + "type": "string" + } + }, + { + "azure_client_secret": { + "encrypted": true, + "required": false, + "type": "string", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "referenceable": true + } + }, + { + "azure_tenant_id": { + "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, + "type": "string" + } + }, + { + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "required": false, + "type": "boolean" + } + }, + { + "gcp_service_account_json": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "referenceable": true + } + }, + { + "aws_access_key_id": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "aws_secret_access_key": { + "encrypted": true, + "required": false, + "type": "string", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "referenceable": true + } + }, + { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "required": false, + "type": "boolean" + } + } + ] + } + }, + { + "model": { + "type": "record", + "required": true, + "fields": [ + { + "provider": { + "type": "string", + "description": "AI provider format to use for embeddings API", + "required": true, + "one_of": [ + "openai", + "mistral" + ] + } + }, + { + "name": { + "description": "Model name to execute.", + "required": true, + "type": "string" + } + }, + { + "options": { + "type": "record", + "description": "Key/value settings for the model", + "required": false, + "fields": [ + { + "upstream_url": { + "description": "upstream url for the embeddings", + "required": false, + "type": "string" + } + } + ] + } + } + ] + } + } + ] + } + }, + { + "vectordb": { + "type": "record", + "required": true, + "fields": [ + { + "strategy": { + "type": "string", + "description": "which vector database driver to use", + "required": true, + "one_of": [ + "redis" + ] + } + }, + { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "required": true, + "type": "integer" + } + }, + { + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float)", + "required": true, + "type": "number" + } + }, + { + "distance_metric": { + "type": "string", + "description": "the distance metric to use for vector searches", + "required": true, + "one_of": [ + "cosine", + "euclidean" + ] + } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + 
"mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 
65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + } + ] + } + } + ] + } + }, + { + "search": { + "type": "record", + "required": false, + "fields": [ + { + "threshold": { + "default": 0.5, + "description": "Threshold for the similarity score to be considered a match.", + "required": false, + "type": "number" + } + } + ] + } + }, + { + "rules": { + "type": "record", + "required": true, + "fields": [ + { + "match_all_conversation_history": { + "default": false, + "description": "If false, will ignore all previous chat prompts from the conversation history.", + "required": false, + "type": "boolean" + } + }, + { + "allow_prompts": { + "len_max": 100, + "required": false, + "type": "array", + "elements": { + "len_max": 500, + "len_min": 1, + "type": "string" + }, + "description": "List of prompts to allow." + } + }, + { + "deny_prompts": { + "len_max": 100, + "required": false, + "type": "array", + "elements": { + "len_max": 500, + "len_min": 1, + "type": "string" + }, + "description": "List of prompts to deny." 
+ } + }, + { + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "gt": 0, + "type": "integer" + } + }, + { + "match_all_roles": { + "default": false, + "description": "If true, will match all roles in addition to 'user' role in conversation history.", + "required": true, + "type": "boolean" + } + } + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/app-dynamics/3.11.x.json b/schemas/app-dynamics/3.11.x.json new file mode 100644 index 00000000..8e65202b --- /dev/null +++ b/schemas/app-dynamics/3.11.x.json @@ -0,0 +1,46 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/application-registration/3.11.x.json b/schemas/application-registration/3.11.x.json new file mode 100644 index 00000000..604ffb5c --- /dev/null +++ b/schemas/application-registration/3.11.x.json 
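Review bot: In schemas/ai-semantic-prompt-guard/3.11.x.json, the `max_request_body_size` description ("max allowed body size allowed to be introspected") does not say what the plugin does with a body above the limit. For a guard plugin the operator needs to know whether an oversized request is rejected or forwarded without being compared against `allow_prompts`/`deny_prompts`. The description should state the unit and the over-limit behaviour, for example `"description": "Maximum request body size the plugin will inspect. <state whether larger bodies are rejected or passed through uninspected>"`. The same file defines both `vectordb.threshold` (required) and `search.threshold` (default 0.5) without saying which one the rule match uses, or how the value relates to the chosen `distance_metric`. If this file is exported from the gateway rather than hand-edited, the wording change belongs in the upstream schema.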
@@ -0,0 +1,108 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "service": { + "reference": "services", + "on_delete": "cascade", + "type": "foreign", + "ne": null + } + }, + { + "route": { + "reference": "routes", + "type": "foreign", + "description": "A reference to the 'routes' table with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "type": "set", + "required": true, + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "config": { + "fields": [ + { + "display_name": { + "required": true, + "description": "Unique display name used for a Service in the Developer Portal.", + "type": "string", + "unique": true + } + }, + { + "description": { + "description": "Unique description displayed in information about a Service in the Developer Portal.", + "type": "string", + "unique": true + } + }, + { + "auto_approve": { + "required": true, + "description": "If enabled, all new Service Contracts requests are automatically approved.", + "type": "boolean", + "default": false + } + }, + { + "show_issuer": { + "required": true, + "description": "Displays the **Issuer URL** in the **Service Details** dialog.", + "type": "boolean", + "default": false + } + }, + { + "enable_proxy_with_consumer_credential": { + "required": true, + "description": "If enabled, the Route of the Service can be accessed using the Consumer's credential", + "type": "boolean", + "default": false + } + } + ], + "type": "record", + "required": true + } + } 
+ ], + "entity_checks": [ + + ] +} \ No newline at end of file diff --git a/schemas/aws-lambda/3.11.x.json b/schemas/aws-lambda/3.11.x.json new file mode 100644 index 00000000..583a9b6a --- /dev/null +++ b/schemas/aws-lambda/3.11.x.json 
@@ -0,0 +1,273 @@ +{ + "entity_checks": [ + { + "mutually_required": [ + "config.aws_key", + "config.aws_secret" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "config.proxy_url" + ] + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "timeout": { + "default": 60000, + "description": "An optional timeout in milliseconds when invoking the function.", + "required": true, + "type": "number" + } + }, + { + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "required": true, + "type": "number" + } + }, + { + "aws_key": { + "encrypted": true, + "description": "The AWS key credential to be used when invoking the function.", + "referenceable": true, + "type": "string" + } + }, + { + "aws_secret": { + "encrypted": true, + "description": "The AWS secret credential to be used when invoking the function. ", + "referenceable": true, + "type": "string" + } + }, + { + "aws_assume_role_arn": { + "encrypted": true, + "description": "The target AWS IAM role ARN used to invoke the Lambda function.", + "referenceable": true, + "type": "string" + } + }, + { + "aws_role_session_name": { + "default": "kong", + "description": "The identifier of the assumed role session.", + "type": "string" + } + }, + { + "aws_sts_endpoint_url": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ } + }, + { + "aws_region": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "function_name": { + "description": "The AWS Lambda function to invoke. Both function name and function ARN (including partial) are supported.", + "required": false, + "type": "string" + } + }, + { + "qualifier": { + "description": "The qualifier to use when invoking the function.", + "type": "string" + } + }, + { + "invocation_type": { + "required": true, + "type": "string", + "default": "RequestResponse", + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", + "one_of": [ + "RequestResponse", + "Event", + "DryRun" + ] + } + }, + { + "log_type": { + "required": true, + "type": "string", + "default": "Tail", + "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", + "one_of": [ + "Tail", + "None" + ] + } + }, + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "port": { + "default": 443, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "disable_https": { + "default": false, + "type": "boolean" + } + }, + { + "unhandled_status": { + "between": [ + 100, + 999 + ], + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", + "type": "integer" + } + }, + { + "forward_request_method": { + "default": false, + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", + "type": "boolean" + } + }, + { + "forward_request_uri": { + "default": false, + "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", + "type": "boolean" + } + }, + { + "forward_request_headers": { + "default": false, + "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", + "type": "boolean" + } + }, + { + "forward_request_body": { + "default": false, + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. 
", + "type": "boolean" + } + }, + { + "is_proxy_integration": { + "default": false, + "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", + "type": "boolean" + } + }, + { + "awsgateway_compatible": { + "default": false, + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", + "type": "boolean" + } + }, + { + "proxy_url": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "skip_large_bodies": { + "default": true, + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", + "type": "boolean" + } + }, + { + "base64_encode_body": { + "default": true, + "description": "An optional value that Base64-encodes the request body.", + "type": "boolean" + } + }, + { + "aws_imds_protocol_version": { + "required": true, + "type": "string", + "default": "v1", + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", + "one_of": [ + "v1", + "v2" + ] + } + }, + { + "empty_arrays_mode": { + "required": true, + "type": "string", + "default": "legacy", + "description": "An optional value that defines whether Kong should send empty arrays (returned by Lambda function) as `[]` arrays or `{}` objects in JSON responses. The value `legacy` means Kong will send empty arrays as `{}` objects in response", + "one_of": [ + "legacy", + "correct" + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/azure-functions/3.11.x.json b/schemas/azure-functions/3.11.x.json new file mode 100644 index 00000000..19e89278 --- /dev/null +++ b/schemas/azure-functions/3.11.x.json 
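Review bot: `disable_https` in schemas/aws-lambda/3.11.x.json is the only `config` field in this hunk without a `description`. The rendered reference therefore gives no hint that enabling it presumably sends the invocation, including anything forwarded by the `forward_request_*` options, over plain HTTP. I would add one, e.g. `"description": "If true, the plugin connects to the Lambda endpoint over plain HTTP instead of HTTPS."`, with the wording confirmed against the plugin's behaviour. Separately, `aws_imds_protocol_version` defaults to `v1`; its description could note that `v2` is the session-token variant AWS recommends, so a reader can tell the default is the less protected choice. If this file is exported from the gateway, both changes belong in the upstream schema.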
@@ -0,0 +1,125 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "timeout": { + "default": 600000, + "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", + "type": "number" + } + }, + { + "keepalive": { + "default": 60000, + "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", + "type": "number" + } + }, + { + "https": { + "default": true, + "description": "Use of HTTPS to connect with the Azure Functions server.", + "type": "boolean" + } + }, + { + "https_verify": { + "default": false, + "description": "Set to `true` to authenticate the Azure Functions server.", + "type": "boolean" + } + }, + { + "apikey": { + "encrypted": true, + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", + "referenceable": true, + "type": "string" + } + }, + { + "clientid": { + "encrypted": true, + "description": "The `clientid` to access the Azure resources. 
If provided, it is injected as the `x-functions-clientid` header.", + "referenceable": true, + "type": "string" + } + }, + { + "appname": { + "description": "The Azure app name.", + "required": true, + "type": "string" + } + }, + { + "hostdomain": { + "default": "azurewebsites.net", + "description": "The domain where the function resides.", + "required": true, + "type": "string" + } + }, + { + "routeprefix": { + "default": "api", + "description": "Route prefix to use.", + "type": "string" + } + }, + { + "functionname": { + "description": "Name of the Azure function to invoke.", + "required": true, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/basic-auth/3.11.x.json b/schemas/basic-auth/3.11.x.json new file mode 100644 index 00000000..0a5c8b49 --- /dev/null +++ b/schemas/basic-auth/3.11.x.json 
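Review bot: `https_verify` in schemas/azure-functions/3.11.x.json defaults to `false`, and its description ("Set to `true` to authenticate the Azure Functions server.") does not spell out what that default means. With it unset, the server certificate is presumably not validated, while `apikey` and `clientid` are injected as the `x-functions-key` and `x-functions-clientid` headers on that same connection. I would extend the description to something like `"description": "Set to true to verify the TLS certificate of the Azure Functions server. With the default (false) the certificate is not checked."`, so the reference page shows the risk next to the setting. If this file is exported from the gateway, the wording change belongs in the upstream schema.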
@@ -0,0 +1,78 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "anonymous": { + "type": "string", + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", + "required": true, + "type": "boolean" + } + }, + { + "realm": { + "default": "service", + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": true, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/bot-detection/3.11.x.json b/schemas/bot-detection/3.11.x.json new file mode 100644 index 00000000..d48d260c --- /dev/null +++ b/schemas/bot-detection/3.11.x.json 
@@ -0,0 +1,79 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "allow": { + "elements": { + "type": "string", + "is_regex": true + }, + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", + "default": [ + + ], + "type": "array" + } + }, + { + "deny": { + "elements": { + "type": "string", + "is_regex": true + }, + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", + "default": [ + + ], + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/canary/3.11.x.json b/schemas/canary/3.11.x.json new file mode 100644 index 00000000..a020f33c --- /dev/null +++ b/schemas/canary/3.11.x.json 
@@ -0,0 +1,190 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.upstream_uri", + "config.upstream_host", + "config.upstream_port" + ] + }, + { + "conditional": { + "if_match": { + "eq": "header" + }, + "then_field": "config.hash_header", + "if_field": "config.hash", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "config.upstream_host", + "if_field": "config.upstream_fallback", + "then_match": { + "required": true + } + } + } + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "type": "record", + "shorthand_fields": [ + { + "hash": { + "type": "string", + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead." + } + } + ], + "required": true, + "fields": [ + { + "start": { + "description": "Future time in seconds since epoch, when the canary release will start. 
Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`.", + "type": "number" + } + }, + { + "hash": { + "default": "consumer", + "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", + "type": "string", + "one_of": [ + "consumer", + "ip", + "none", + "allow", + "deny", + "header" + ] + } + }, + { + "hash_header": { + "type": "string", + "description": "A string representing an HTTP header name." + } + }, + { + "duration": { + "default": 3600, + "description": "The duration of the canary release in seconds.", + "gt": 0, + "type": "number" + } + }, + { + "steps": { + "default": 1000, + "description": "The number of steps for the canary release.", + "gt": 1, + "type": "number" + } + }, + { + "percentage": { + "between": [ + 0, + 100 + ], + "description": "The percentage of traffic to be routed to the canary release.", + "type": "number" + } + }, + { + "upstream_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "upstream_port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "upstream_uri": { + "description": "The URI of the upstream server to be used for the canary release.", + "type": "string", + "len_min": 1 + } + }, + { + "upstream_fallback": { + "default": false, + "description": "Specifies whether to fallback to the upstream server if the canary release fails.", + "required": true, + "type": "boolean" + } + }, + { + "groups": { + "elements": { + "type": "string" + }, + "description": "The groups allowed to access the canary release.", + "type": "array" + } + }, + { + "canary_by_header_name": { + "type": "string", + "description": "A string representing an HTTP header name." + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/confluent-consume/3.11.x.json b/schemas/confluent-consume/3.11.x.json new file mode 100644 index 00000000..4539a378 --- /dev/null +++ b/schemas/confluent-consume/3.11.x.json 
@@ -0,0 +1,208 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "set", + "required": true + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null + } + }, + { + "config": { + "entity_checks": [ + + ], + "type": "record", + "fields": [ + { + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string", + "required": true + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true + } + } + ] + } + } + }, + { + "topics": { + "type": "array", + "len_min": 1, + "description": "The Kafka topics and their configuration you want to consume from.", + "elements": { + "type": "record", + "fields": [ + { + "name": { + "type": "string", + "required": true + } + } + ] + }, + "required": true + } + }, + { + "mode": { + "type": "string", + "description": "The mode of operation for the plugin.", + "one_of": [ + "server-sent-events", + "http-get" + ], + "default": "http-get", + "required": true + } + }, + { + "message_deserializer": { + "type": "string", + "description": "The deserializer to use for the consumed messages.", + "one_of": [ + "json", + "noop" + ], + "default": "noop", + "required": true + } + }, + { + "auto_offset_reset": { + "type": "string", + "description": "The offset to start from when there is no initial offset in the 
consumer group.", + "one_of": [ + "earliest", + "latest" + ], + "default": "latest", + "required": true + } + }, + { + "commit_strategy": { + "type": "string", + "description": "The strategy to use for committing offsets.", + "one_of": [ + "auto", + "off" + ], + "default": "auto", + "required": true + } + }, + { + "timeout": { + "description": "Socket timeout in milliseconds.", + "type": "integer", + "default": 10000 + } + }, + { + "keepalive": { + "description": "Keepalive timeout in milliseconds.", + "type": "integer", + "default": 60000 + } + }, + { + "keepalive_enabled": { + "type": "boolean", + "default": false + } + }, + { + "cluster_api_key": { + "type": "string", + "referenceable": true, + "description": "Username/Apikey for SASL authentication.", + "encrypted": true, + "required": true + } + }, + { + "cluster_api_secret": { + "type": "string", + "referenceable": true, + "description": "Password/ApiSecret for SASL authentication.", + "encrypted": true, + "required": true + } + }, + { + "confluent_cloud_api_key": { + "type": "string", + "referenceable": true, + "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", + "encrypted": true, + "required": false + } + }, + { + "confluent_cloud_api_secret": { + "type": "string", + "referenceable": true, + "description": "The corresponding secret for the Confluent Cloud API key.", + "encrypted": true, + "required": false + } + }, + { + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. 
Logs will be sent to the leader of the cluster.", + "type": "string", + "auto": true, + "required": false + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/confluent/3.11.x.json b/schemas/confluent/3.11.x.json new file mode 100644 index 00000000..534933d8 --- /dev/null +++ b/schemas/confluent/3.11.x.json 
@@ -0,0 +1,253 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "forward_method", + "forward_uri", + "forward_headers", + "forward_body" + ] + } + } + ], + "fields": [ + { + "bootstrap_servers": { + "elements": { + "type": "record", + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "type": "integer" + } + } + ] + }, + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set" + } + }, + { + "topic": { + "description": "The Kafka topic to publish to.", + "required": true, + "type": "string" + } + }, + { + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + } + }, + { + "keepalive": { + "default": 60000, + "description": "Keepalive timeout in milliseconds.", + "type": "integer" + } + }, + { + "keepalive_enabled": { + "default": false, + "type": "boolean" + } + }, + { + "cluster_api_key": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Username/Apikey for SASL authentication.", + "required": true + } + }, + { + "cluster_api_secret": { + "encrypted": true, + "referenceable": true, + "type": "string", + 
"description": "Password/ApiSecret for SASL authentication.", + "required": true + } + }, + { + "confluent_cloud_api_key": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", + "required": false + } + }, + { + "confluent_cloud_api_secret": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The corresponding secret for the Confluent Cloud API key.", + "required": false + } + }, + { + "forward_method": { + "default": false, + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + } + }, + { + "forward_uri": { + "default": false, + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + } + }, + { + "forward_headers": { + "default": false, + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + } + }, + { + "forward_body": { + "default": true, + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + } + }, + { + "cluster_name": { + "auto": true, + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. 
Logs will be sent to the leader of the cluster.", + "required": false, + "type": "string" + } + }, + { + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "type": "integer", + "one_of": [ + -1, + 0, + 1 + ] + } + }, + { + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer" + } + }, + { + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single producer request.", + "type": "integer" + } + }, + { + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + } + }, + { + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + } + }, + { + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + } + }, + { + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + } + }, + { + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + } + }, + { + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file 
diff --git a/schemas/correlation-id/3.11.x.json b/schemas/correlation-id/3.11.x.json new file mode 100644 index 00000000..46723bf0 --- /dev/null +++ b/schemas/correlation-id/3.11.x.json @@ -0,0 +1,73 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "header_name": { + "default": "Kong-Request-ID", + "description": "The HTTP header name to use for the correlation ID.", + "type": "string" + } + }, + { + "generator": { + "required": true, + "type": "string", + "default": "uuid#counter", + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", + "one_of": [ + "uuid", + "uuid#counter", + "tracker" + ] + } + }, + { + "echo_downstream": { + "default": false, + "description": "Whether to echo the header back to downstream (the client).", + "required": true, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/cors/3.11.x.json b/schemas/cors/3.11.x.json new file mode 100644 index 00000000..87f52a0e --- /dev/null +++ b/schemas/cors/3.11.x.json 
@@ -0,0 +1,143 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ], + "len_min": 1, + "required": true, + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "origins": { + "elements": { + "type": "string" + }, + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.", + "type": "array" + } + }, + { + "headers": { + "elements": { + "type": "string" + }, + "description": "Value for the `Access-Control-Allow-Headers` header.", + "type": "array" + } + }, + { + "exposed_headers": { + "elements": { + "type": "string" + }, + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", + "type": "array" + } + }, + { + "methods": { + "default": [ + "GET", + "HEAD", + "PUT", + "PATCH", + "POST", + "DELETE", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. 
By default, all options are allowed.'", + "elements": { + "type": "string", + "one_of": [ + "GET", + "HEAD", + "PUT", + "PATCH", + "POST", + "DELETE", + "OPTIONS", + "TRACE", + "CONNECT" + ] + }, + "type": "array" + } + }, + { + "max_age": { + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`.", + "type": "number" + } + }, + { + "credentials": { + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", + "required": true, + "type": "boolean" + } + }, + { + "private_network": { + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", + "required": true, + "type": "boolean" + } + }, + { + "preflight_continue": { + "default": false, + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", + "required": true, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/datadog-tracing/3.11.x.json b/schemas/datadog-tracing/3.11.x.json new file mode 100644 index 00000000..450d1bc3 --- /dev/null +++ b/schemas/datadog-tracing/3.11.x.json 
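Review bot: The `origins` description in `schemas/cors/3.11.x.json` says values may be "flat strings or PCRE regexes" but does not say how a regex entry is matched against the request's `Origin`. If the match is unanchored (not determinable from this schema), a loosely written pattern would accept more origins than intended, which matters most when `credentials` is `true`. I would extend the description with a sentence such as `Regex entries should be anchored with ^ and $ and should escape literal dots.` Separately, the `methods` description is wrapped in stray single quotes (`'Value for … allowed.'`) that will render literally. These files look like API output, so both changes probably belong in the plugin schema upstream rather than in this file.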
@@ -0,0 +1,103 @@ +{ + "fields": [ + { + "consumer": { + "eq": null, + "type": "foreign", + "reference": "consumers" + } + }, + { + "protocols": { + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + }, + { + "config": { + "fields": [ + { + "endpoint": { + "type": "string", + "referenceable": true + } + }, + { + "service_name": { + "required": true, + "type": "string", + "default": "kong" + } + }, + { + "environment": { + "type": "string", + "default": "none" + } + }, + { + "batch_span_count": { + "required": true, + "type": "integer", + "default": 200 + } + }, + { + "batch_flush_delay": { + "required": true, + "type": "integer", + "default": 3 + } + }, + { + "connect_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "default": 1000 + } + }, + { + "send_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "default": 5000 + } + }, + { + "read_timeout": { + "between": [ + 0, + 2147483646 + ], + "type": "integer", + "default": 5000 + } + } + ], + "type": "record", + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/datadog/3.11.x.json b/schemas/datadog/3.11.x.json new file mode 100644 index 00000000..7157cc3d --- /dev/null +++ b/schemas/datadog/3.11.x.json 
@@ -0,0 +1,361 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "referenceable": true, + "type": "string" + } + }, + { + "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "prefix": { + "default": "kong", + "description": "String to be attached as a prefix to a metric's name.", + "type": "string" + } + }, + { + "service_name_tag": { + "default": "name", + "description": "String to be attached as the name of the service.", + "type": "string" + } + }, + { + "status_tag": { + "default": "status", + "description": "String to be attached as the tag of the HTTP status.", + "type": "string" + } + }, + { + "consumer_tag": { + "default": "consumer", + "description": "String to be attached as tag of the consumer.", + "type": "string" + } + }, + { + "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer", + "deprecation": { + "old_default": 10, + "message": "datadog: config.retry_count no longer works, please use config.queue.max_retry_time instead", + "removal_in_version": "4.0" + } + } + }, + { + "queue_size": { + 
"description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer", + "deprecation": { + "old_default": 1, + "message": "datadog: config.queue_size is deprecated, please use config.queue.max_batch_size instead", + "removal_in_version": "4.0" + } + } + }, + { + "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number", + "deprecation": { + "old_default": 2, + "message": "datadog: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", + "removal_in_version": "4.0" + } + } + }, + { + "queue": { + "fields": [ + { + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "between": [ + 0, + 3600 + ], + "type": "number" + } + }, + { + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." 
+ } + }, + { + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "type": "integer", + "one_of": [ + -1, + 1 + ] + } + } + ], + "required": true, + "type": "record" + } + }, + { + "metrics": { + "required": true, + "type": "array", + "default": [ + { + "name": "request_count", + "stat_type": "counter", + "tags": [ + "app:kong" + ], + "sample_rate": 1, + "consumer_identifier": "custom_id" + }, + { + "stat_type": "timer", + "name": "latency", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + }, + { + "stat_type": "timer", + "name": "request_size", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + }, + { + "stat_type": "timer", + "name": "response_size", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + }, + { + "stat_type": "timer", + "name": "upstream_latency", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + }, + { + "stat_type": "timer", + "name": "kong_latency", + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id" + } + ], + "description": "List of metrics to be logged.", + "elements": { + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + } + } + } + ], + "fields": [ + { + "name": { + 
"type": "string", + "description": "Datadog metric’s name", + "required": true, + "one_of": [ + "kong_latency", + "latency", + "request_count", + "request_size", + "response_size", + "upstream_latency" + ] + } + }, + { + "stat_type": { + "type": "string", + "description": "Determines what sort of event the metric represents", + "required": true, + "one_of": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer", + "distribution" + ] + } + }, + { + "tags": { + "elements": { + "match": "^.*[^:]$", + "type": "string" + }, + "description": "List of tags", + "type": "array" + } + }, + { + "sample_rate": { + "between": [ + 0, + 1 + ], + "description": "Sampling rate", + "type": "number" + } + }, + { + "consumer_identifier": { + "description": "Authenticated user detail", + "type": "string", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + } + ], + "type": "record" + } + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/degraphql/3.11.x.json b/schemas/degraphql/3.11.x.json new file mode 100644 index 00000000..36cd73d3 --- /dev/null +++ b/schemas/degraphql/3.11.x.json 
@@ -0,0 +1,68 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "graphql_server_path": { + "required": true, + "type": "string", + "default": "/graphql", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "starts_with": "/" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/exit-transformer/3.11.x.json b/schemas/exit-transformer/3.11.x.json new file mode 100644 index 00000000..11f94588 --- /dev/null +++ b/schemas/exit-transformer/3.11.x.json 
@@ -0,0 +1,68 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "functions": { + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "handle_unknown": { + "default": false, + "description": "Determines whether to handle unknown status codes by transforming their responses.", + "type": "boolean" + } + }, + { + "handle_unexpected": { + "default": false, + "description": "Determines whether to handle unexpected errors by transforming their responses.", + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/file-log/3.11.x.json b/schemas/file-log/3.11.x.json new file mode 100644 index 00000000..6532d553 --- /dev/null +++ b/schemas/file-log/3.11.x.json 
@@ -0,0 +1,83 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "path": { + "match": "^[^*&%%\\`]+$", + "required": true, + "type": "string", + "err": "not a valid filename", + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet." + } + }, + { + "reopen": { + "default": false, + "description": "Determines whether the log file is closed and reopened on every request.", + "required": true, + "type": "boolean" + } + }, + { + "custom_fields_by_lua": { + "description": "Lua code as a key-value map", + "values": { + "len_min": 1, + "type": "string" + }, + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/forward-proxy/3.11.x.json b/schemas/forward-proxy/3.11.x.json new file mode 100644 index 00000000..260aadee --- /dev/null +++ b/schemas/forward-proxy/3.11.x.json 
@@ -0,0 +1,171 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "required": true, + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "http_proxy_host", + "https_proxy_host" + ] + }, + { + "at_least_one_of": [ + "http_proxy_port", + "https_proxy_port" + ] + }, + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], + "shorthand_fields": [ + { + "proxy_host": { + "deprecation": { + "removal_in_version": "4.0", + "message": "forward-proxy: config.proxy_host is deprecated, please use config.http_proxy_host instead" + }, + "type": "string" + } + }, + { + "proxy_port": { + "deprecation": { + "removal_in_version": "4.0", + "message": "forward-proxy: config.proxy_port is deprecated, please use config.http_proxy_port instead" + }, + "type": "integer" + } + } + ], + "fields": [ + { + "x_headers": { + "required": true, + "type": "string", + "default": "append", + "description": "Determines how to handle headers when forwarding the request.", + "one_of": [ + "append", + "transparent", + "delete" + ] + } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "http_proxy_port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "https_proxy_port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "proxy_scheme": { + "required": true, + "type": "string", + "default": "http", + "description": "The proxy scheme to use when connecting. Only `http` is supported.", + "one_of": [ + "http" + ] + } + }, + { + "auth_username": { + "referenceable": true, + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "required": false, + "type": "string" + } + }, + { + "auth_password": { + "referenceable": true, + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "required": false, + "type": "string" + } + }, + { + "https_verify": { + "default": false, + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "required": true, + "type": "boolean" + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/graphql-proxy-cache-advanced/3.11.x.json b/schemas/graphql-proxy-cache-advanced/3.11.x.json new file mode 100644 index 00000000..e805038f --- /dev/null +++ b/schemas/graphql-proxy-cache-advanced/3.11.x.json 
@@ -0,0 +1,463 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "strategy": { + "required": true, + "type": "string", + "default": "memory", + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", + "one_of": [ + "memory", + "redis" + ] + } + }, + { + "cache_ttl": { + "gt": 0, + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "default": 300, + "type": "integer" + } + }, + { + "memory": { + "fields": [ + { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. 
This dictionary currently must be defined manually in the Kong Nginx template.", + "required": true, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use 
cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + } + ] + } + }, + { + "bypass_on_err": { + "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "type": "boolean" + } + }, + { + "vary_headers": { + "elements": { + "type": "string" + }, + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/graphql-rate-limiting-advanced/3.11.x.json b/schemas/graphql-rate-limiting-advanced/3.11.x.json new file mode 100644 index 00000000..55336ec3 --- /dev/null +++ b/schemas/graphql-rate-limiting-advanced/3.11.x.json 
@@ -0,0 +1,530 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "identifier": { + "required": true, + "type": "string", + "default": "consumer", + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", + "one_of": [ + "ip", + "credential", + "consumer" + ] + } + }, + { + "window_size": { + "elements": { + "type": "number" + }, + "description": "One or more window sizes to apply a limit to (defined in seconds).", + "required": true, + "type": "array" + } + }, + { + "window_type": { + "default": "sliding", + "description": "Sets the time window to either `sliding` or `fixed`.", + "type": "string", + "one_of": [ + "fixed", + "sliding" + ] + } + }, + { + "limit": { + "elements": { + "type": "number" + }, + "description": "One or more requests-per-window limits to apply.", + "required": true, + "type": "array" + } + }, + { + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.", + "required": true, + "type": "number" + } + }, + { + "namespace": { + "auto": true, + "description": "The rate limiting namespace to use for this plugin instance. 
This namespace is used to share rate limiting counters across different instances. If it is not provided, a random UUID is generated. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", + "type": "string" + } + }, + { + "strategy": { + "required": true, + "type": "string", + "default": "cluster", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", + "one_of": [ + "cluster", + "redis" + ] + } + }, + { + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters will be stored until the next sync cycle.", + "required": true, + "type": "string" + } + }, + { + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers. Available options: `true` or `false`.", + "type": "boolean" + } + }, + { + "cost_strategy": { + "default": "default", + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", + "type": "string", + "one_of": [ + "default", + "node_quantifier" + ] + } + }, + { + "score_factor": { + "required": false, + "type": "number", + "gt": 0, + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", + "default": 1 + } + }, + { + "max_cost": { + "default": 0, + "description": "A defined maximum cost per query. 
0 means unlimited.", + "required": false, + "type": "number" + } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + 
] + }, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + } + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/grpc-gateway/3.11.x.json b/schemas/grpc-gateway/3.11.x.json new file mode 100644 index 00000000..cb4aab19 --- /dev/null +++ b/schemas/grpc-gateway/3.11.x.json @@ -0,0 +1,59 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "proto": { + "description": "Describes the gRPC types and methods.", + "required": false, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file 
diff --git a/schemas/grpc-web/3.11.x.json b/schemas/grpc-web/3.11.x.json new file mode 100644 index 00000000..95633634 --- /dev/null +++ b/schemas/grpc-web/3.11.x.json @@ -0,0 +1,74 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "proto": { + "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", + "required": false, + "type": "string" + } + }, + { + "pass_stripped_path": { + "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", + "required": false, + "type": "boolean" + } + }, + { + "allow_origin_header": { + "default": "*", + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", + "required": false, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/header-cert-auth/3.11.x.json b/schemas/header-cert-auth/3.11.x.json new file mode 100644 index 00000000..380d6860 --- /dev/null +++ b/schemas/header-cert-auth/3.11.x.json 
@@ -0,0 +1,229 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], + "fields": [ + { + "certificate_header_name": { + "description": "Name of the header that contains the certificate, received from the WAF or other L7 downstream proxy.", + "required": true, + "type": "string" + } + }, + { + "certificate_header_format": { + "type": "string", + "description": "Format of the certificate header. Supported formats: `base64_encoded`, `url_encoded`.", + "required": true, + "one_of": [ + "base64_encoded", + "url_encoded" + ] + } + }, + { + "secure_source": { + "default": true, + "description": "Whether to secure the source of the request. If set to `true`, the plugin will only allow requests from trusted IPs (configured by the `trusted_ips` config option).", + "required": true, + "type": "boolean" + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "consumer_by": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "username", + "custom_id" + ] + }, + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "ca_certificates": { + "elements": { + "uuid": true, + "type": "string" + }, + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", + "required": true, + "type": "array" + } + }, + { + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "required": true, + "type": "number" + } + }, + { + "skip_consumer_lookup": { + "default": false, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "required": true, + "type": "boolean" + } + }, + { + "allow_partial_chain": { + "default": false, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "required": true, + "type": "boolean" + } + }, + { + "authenticated_group_by": { + "required": false, + "type": "string", + "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. 
To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "one_of": [ + "CN", + "DN" + ] + } + }, + { + "revocation_check_mode": { + "required": false, + "type": "string", + "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "one_of": [ + "SKIP", + "IGNORE_CA_ERROR", + "STRICT" + ] + } + }, + { + "http_timeout": { + "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number" + } + }, + { + "cert_cache_ttl": { + "default": 60000, + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", + "type": "number" + } + }, + { + "default_consumer": { + "type": "string", + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "http_proxy_port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "https_proxy_port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/hmac-auth/3.11.x.json b/schemas/hmac-auth/3.11.x.json new file mode 100644 index 00000000..b922bd3e --- /dev/null +++ b/schemas/hmac-auth/3.11.x.json 
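Review bot: The `secure_source` description points to a `trusted_ips` config option, but no field of that name appears in this plugin's `config` record, so the schema does not tell a reader where the trusted addresses are set (presumably the gateway-level `trusted_ips` property; worth confirming). Because the plugin takes the client certificate from a request header, this flag is the visible control that ties the header to the WAF or proxy mentioned under `certificate_header_name`. The description should therefore also state what `false` means. Suggested second sentence: `If set to true, the plugin only accepts the certificate header on requests whose source IP is in the gateway's trusted_ips list; if false, the header is accepted from any client.`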
@@ -0,0 +1,132 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.algorithms" + ] + } + } + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "required": true, + "type": "boolean" + } + }, + { + "clock_skew": { + "default": 300, + "description": "Clock skew in seconds to prevent replay attacks.", + "gt": 0, + "type": "number" + } + }, + { + "anonymous": { + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + } + }, + { + "validate_request_body": { + "default": false, + "description": "A boolean value telling the plugin to enable body validation.", + "required": true, + "type": "boolean" + } + }, + { + "enforce_headers": { + "elements": { + "type": "string" + }, + "description": "A list of headers that the client should at least use for HTTP signature creation.", + "default": [ + + ], + "type": "array" + } + }, + { + "algorithms": { + "elements": { + "type": "string", + "one_of": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ] + }, + "description": "A list of HMAC digest algorithms that the user wants to support. 
Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "type": "array" + } + }, + { + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": false, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/http-log/3.11.x.json b/schemas/http-log/3.11.x.json new file mode 100644 index 00000000..0c018a80 --- /dev/null +++ b/schemas/http-log/3.11.x.json 
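Review bot: `config.algorithms` defaults to all four values, including `hmac-sha1`, so a plugin instance created without this field accepts SHA-1-based signatures. HMAC-SHA1 is not known to be broken as a MAC, but many security baselines no longer permit SHA-1, and the description gives operators no hint that the list can be narrowed. I would append a sentence such as `Remove hmac-sha1 unless legacy clients require it.` to the description, which also lacks its closing period. The `protocols` field in this file has no `description`, unlike the same field in the neighbouring schemas.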
@@ -0,0 +1,260 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "http_endpoint": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": true + } + }, + { + "method": { + "default": "POST", + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", + "type": "string", + "one_of": [ + "POST", + "PUT", + "PATCH" + ] + } + }, + { + "content_type": { + "default": "application/json", + "description": "Indicates the type of data sent. 
The only available option is `application/json`.", + "type": "string", + "one_of": [ + "application/json", + "application/json; charset=utf-8" + ] + } + }, + { + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + } + }, + { + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", + "type": "number" + } + }, + { + "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer", + "deprecation": { + "old_default": 10, + "message": "http-log: config.retry_count no longer works, please use config.queue.max_retry_time instead", + "removal_in_version": "4.0" + } + } + }, + { + "queue_size": { + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer", + "deprecation": { + "old_default": 1, + "message": "http-log: config.queue_size is deprecated, please use config.queue.max_batch_size instead", + "removal_in_version": "4.0" + } + } + }, + { + "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number", + "deprecation": { + "old_default": 2, + "message": "http-log: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", + "removal_in_version": "4.0" + } + } + }, + { + "headers": { + "values": { + "referenceable": true, + "type": "string" + }, + "description": "An optional table of headers included in the HTTP message to the upstream server. 
Values are indexed by header name, and each header name accepts a single string.", + "keys": { + "description": "A string representing an HTTP header name.", + "match_none": [ + { + "err": "cannot contain 'Host' header", + "pattern": "^[Hh][Oo][Ss][Tt]$" + }, + { + "err": "cannot contain 'Content-Length' header", + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][nn][Gg][Tt][Hh]$" + }, + { + "err": "cannot contain 'Content-Type' header", + "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$" + } + ], + "type": "string" + }, + "type": "map" + } + }, + { + "queue": { + "fields": [ + { + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "between": [ + 0, + 3600 + ], + "type": "number" + } + }, + { + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." 
+ } + }, + { + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "type": "integer", + "one_of": [ + -1, + 1 + ] + } + } + ], + "required": true, + "type": "record" + } + }, + { + "custom_fields_by_lua": { + "description": "Lua code as a key-value map", + "values": { + "len_min": 1, + "type": "string" + }, + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/injection-protection/3.11.x.json b/schemas/injection-protection/3.11.x.json new file mode 100644 index 00000000..1f100616 --- /dev/null +++ b/schemas/injection-protection/3.11.x.json 
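Review bot: The `match_none` pattern that rejects a `Content-Length` key in `config.headers` contains `[nn]` where every other character class pairs upper and lower case, so a header name with an upper-case N in that position (for example the all-caps spelling) is not matched by the rule. HTTP header names are case-insensitive, so the entry should read `"pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Ll][Ee][Nn][Gg][Tt][Hh]$"`. In the same record, the `content_type` description says the only available option is `application/json` while `one_of` also lists `application/json; charset=utf-8`. If the file is generated from the gateway's schema, the pattern fix has to land upstream, and this copy only records it.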
@@ -0,0 +1,159 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "at_least_one_of": [ + "injection_types", + "custom_injections" + ] + } + ], + "fields": [ + { + "injection_types": { + "required": true, + "type": "set", + "default": [ + "sql" + ], + "description": "The type of injections to check for.", + "elements": { + "type": "string", + "one_of": [ + "sql", + "js", + "ssi", + "xpath_abbreviated", + "xpath_extended", + "java_exception" + ] + } + } + }, + { + "locations": { + "required": true, + "type": "set", + "default": [ + "path_and_query" + ], + "description": "The locations to check for injection.", + "elements": { + "type": "string", + "one_of": [ + "headers", + "path_and_query", + "body" + ] + } + } + }, + { + "custom_injections": { + "elements": { + "type": "record", + "fields": [ + { + "name": { + "description": "A unique name for this injection.", + "required": true, + "type": "string" + } + }, + { + "regex": { + "description": "The regex to match against.", + "is_regex": true, + "required": true, + "type": "string" + } + } + ] + }, + "description": "Custom regexes to check for.", + "default": null, + "type": "array" + } + }, + { + "enforcement_mode": { + "required": true, + "type": "string", + "default": "block", + "description": "Enforcement mode of the 
security policy.", + "one_of": [ + "block", + "log_only" + ] + } + }, + { + "error_status_code": { + "between": [ + 400, + 499 + ], + "required": true, + "type": "integer", + "default": 400, + "description": "The response status code when validation fails." + } + }, + { + "error_message": { + "default": "Bad Request", + "description": "The response message when validation fails", + "required": true, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ip-restriction/3.11.x.json b/schemas/ip-restriction/3.11.x.json new file mode 100644 index 00000000..6ce79129 --- /dev/null +++ b/schemas/ip-restriction/3.11.x.json 
@@ -0,0 +1,85 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "http", + "https", + "tcp", + "tls", + "grpc", + "grpcs" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "config": { + "fields": [ + { + "allow": { + "elements": { + "type": "string", + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + }, + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", + "type": "array" + } + }, + { + "deny": { + "elements": { + "type": "string", + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." + }, + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", + "type": "array" + } + }, + { + "status": { + "description": "The HTTP status of the requests that will be rejected by the plugin.", + "required": false, + "type": "number" + } + }, + { + "message": { + "description": "The message to send as a response body to rejected requests.", + "required": false, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/jq/3.11.x.json b/schemas/jq/3.11.x.json new file mode 100644 index 00000000..623393bd --- /dev/null +++ b/schemas/jq/3.11.x.json 
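Review bot: `config.status` is declared as `"type": "number"` with no `between`, so the schema accepts fractional values and non-error codes as the status returned for rejected requests. The comparable `error_status_code` field in the injection-protection schema earlier in this patch is an `integer` bounded by `"between": [400, 499]`. I would at least make this `"type": "integer"` and add a `between` covering the status codes the plugin is meant to return, and document the default that applies when `status` is omitted, which the schema does not show.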
@@ -0,0 +1,197 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "entity_checks": [ + { + "at_least_one_of": [ + "request_jq_program", + "response_jq_program" + ] + } + ], + "fields": [ + { + "request_jq_program": { + "required": false, + "type": "string" + } + }, + { + "request_jq_program_options": { + "default": [ + + ], + "type": "record", + "required": false, + "fields": [ + { + "compact_output": { + "default": true, + "required": true, + "type": "boolean" + } + }, + { + "raw_output": { + "default": false, + "required": true, + "type": "boolean" + } + }, + { + "join_output": { + "default": false, + "required": true, + "type": "boolean" + } + }, + { + "ascii_output": { + "default": false, + "required": true, + "type": "boolean" + } + }, + { + "sort_keys": { + "default": false, + "required": true, + "type": "boolean" + } + } + ] + } + }, + { + "request_if_media_type": { + "elements": { + "type": "string" + }, + "default": [ + "application/json" + ], + "required": false, + "type": "array" + } + }, + { + "response_jq_program": { + "required": false, + "type": "string" + } + }, + { + "response_jq_program_options": { + "default": [ + + ], + "type": "record", + "required": false, + "fields": [ + { + "compact_output": { + "default": true, + "required": true, + "type": "boolean" + } + }, + { + "raw_output": { + "default": false, + "required": true, + "type": "boolean" + } + }, + { + "join_output": { + "default": false, + "required": true, + "type": "boolean" + } + }, + { + 
"ascii_output": { + "default": false, + "required": true, + "type": "boolean" + } + }, + { + "sort_keys": { + "default": false, + "required": true, + "type": "boolean" + } + } + ] + } + }, + { + "response_if_media_type": { + "elements": { + "type": "string" + }, + "default": [ + "application/json" + ], + "required": false, + "type": "array" + } + }, + { + "response_if_status_code": { + "elements": { + "between": [ + 100, + 599 + ], + "type": "integer" + }, + "default": [ + 200 + ], + "required": false, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/json-threat-protection/3.11.x.json b/schemas/json-threat-protection/3.11.x.json new file mode 100644 index 00000000..e41dd894 --- /dev/null +++ b/schemas/json-threat-protection/3.11.x.json 
@@ -0,0 +1,164 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.max_body_size", + "config.max_container_depth" + ] + } + } + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "max_body_size": { + "between": [ + -1, + 2147483648 + ], + "required": false, + "type": "integer", + "default": 8192, + "description": "Max size of the request body. -1 means unlimited." + } + }, + { + "max_container_depth": { + "between": [ + -1, + 2147483648 + ], + "required": false, + "type": "integer", + "default": -1, + "description": "Max nested depth of objects and arrays. -1 means unlimited." + } + }, + { + "max_object_entry_count": { + "between": [ + -1, + 2147483648 + ], + "required": false, + "type": "integer", + "default": -1, + "description": "Max number of entries in an object. -1 means unlimited." + } + }, + { + "max_object_entry_name_length": { + "between": [ + -1, + 2147483648 + ], + "required": false, + "type": "integer", + "default": -1, + "description": "Max string length of object name. -1 means unlimited." + } + }, + { + "max_array_element_count": { + "between": [ + -1, + 2147483648 + ], + "required": false, + "type": "integer", + "default": -1, + "description": "Max number of elements in an array. -1 means unlimited." 
+ } + }, + { + "max_string_value_length": { + "between": [ + -1, + 2147483648 + ], + "required": false, + "type": "integer", + "default": -1, + "description": "Max string value length. -1 means unlimited." + } + }, + { + "enforcement_mode": { + "required": false, + "type": "string", + "default": "block", + "description": "Enforcement mode of the security policy.", + "one_of": [ + "block", + "log_only" + ] + } + }, + { + "error_status_code": { + "between": [ + 400, + 499 + ], + "required": false, + "type": "integer", + "default": 400, + "description": "The response status code when validation fails." + } + }, + { + "error_message": { + "default": "Bad Request", + "description": "The response message when validation fails", + "required": false, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/jwe-decrypt/3.11.x.json b/schemas/jwe-decrypt/3.11.x.json new file mode 100644 index 00000000..f414e64e --- /dev/null +++ b/schemas/jwe-decrypt/3.11.x.json 
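Review bot: Every limit in `config` except `max_body_size` defaults to `-1` (unlimited), so an instance enabled with defaults checks only the 8192 body-size limit and leaves nesting depth, entry counts and string lengths unbounded. The field descriptions should say this, for example on `max_container_depth`: `Max nested depth of objects and arrays. -1 (the default) means unlimited; set an explicit value to enforce a depth limit.` The `between` ranges also admit `0` without saying what it means. The upper bound `2147483648` is one above the signed 32-bit maximum, which may be an off-by-one worth checking upstream.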
@@ -0,0 +1,86 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "lookup_header_name": { + "default": "Authorization", + "description": "The name of the header to look for the JWE token.", + "required": true, + "type": "string" + } + }, + { + "forward_header_name": { + "default": "Authorization", + "description": "The name of the header that is used to set the decrypted value.", + "required": true, + "type": "string" + } + }, + { + "key_sets": { + "elements": { + "type": "string" + }, + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", + "required": true, + "type": "array" + } + }, + { + "strict": { + "default": true, + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/jwt-signer/3.11.x.json b/schemas/jwt-signer/3.11.x.json new file mode 100644 index 00000000..613ca8b3 --- /dev/null +++ b/schemas/jwt-signer/3.11.x.json 
@@ -0,0 +1,997 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.access_token_upstream_header", + "config.channel_token_upstream_header", + "config.original_access_token_upstream_header", + "config.original_channel_token_upstream_header" + ] + } + } + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "mutually_required": [ + "access_token_jwks_uri_client_username", + "access_token_jwks_uri_client_password" + ] + }, + { + "mutually_required": [ + "access_token_keyset_client_username", + "access_token_keyset_client_password" + ] + }, + { + "mutually_required": [ + "channel_token_jwks_uri_client_username", + "channel_token_jwks_uri_client_password" + ] + }, + { + "mutually_required": [ + "channel_token_keyset_client_username", + "channel_token_keyset_client_password" + ] + } + ], + "type": "record", + "required": true, + "fields": [ + { + "realm": { + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", + "required": false, + "type": "string" + } + }, + { + "enable_hs_signatures": { + "default": false, + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. 
If you need to accept such tokens for verification, enable this setting.", + "required": false, + "type": "boolean" + } + }, + { + "enable_instrumentation": { + "default": false, + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", + "required": false, + "type": "boolean" + } + }, + { + "access_token_issuer": { + "default": "kong", + "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", + "required": false, + "type": "string" + } + }, + { + "access_token_keyset": { + "default": "kong", + "description": "The name of the keyset containing signing keys.", + "required": false, + "type": "string" + } + }, + { + "access_token_keyset_client_username": { + "referenceable": true, + "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`", + "required": false, + "type": "string" + } + }, + { + "access_token_keyset_client_password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`", + "required": false + } + }, + { + "access_token_keyset_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_keyset` is an https uri that requires mTLS Auth.", + "reference": "certificates", + "required": false, + "type": "foreign" + } + }, + { + "access_token_keyset_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. 
The default value 0 means no auto-rotation.", + "required": false, + "type": "number" + } + }, + { + "access_token_jwks_uri": { + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", + "required": false, + "type": "string" + } + }, + { + "access_token_jwks_uri_client_username": { + "referenceable": true, + "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`", + "required": false, + "type": "string" + } + }, + { + "access_token_jwks_uri_client_password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`", + "required": false + } + }, + { + "access_token_jwks_uri_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", + "reference": "certificates", + "required": false, + "type": "foreign" + } + }, + { + "access_token_jwks_uri_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. The default value 0 means no auto-rotation.", + "required": false, + "type": "number" + } + }, + { + "access_token_request_header": { + "default": "Authorization", + "description": "This parameter tells the name of the header where to look for the access token.", + "required": false, + "type": "string" + } + }, + { + "access_token_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer and Kong. 
The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", + "required": false, + "type": "number" + } + }, + { + "access_token_scopes_required": { + "elements": { + "type": "string" + }, + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", + "required": false, + "type": "array" + } + }, + { + "access_token_scopes_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", + "default": [ + "scope" + ] + } + }, + { + "access_token_consumer_claim": { + "elements": { + "type": "string" + }, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", + "required": false, + "type": "array" + } + }, + { + "access_token_consumer_by": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "access_token_upstream_header": { + "default": "Authorization:Bearer", + "description": "Removes the `config.access_token_request_header` from the request after reading its value. 
With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", + "required": false, + "type": "string" + } + }, + { + "access_token_upstream_leeway": { + "default": 0, + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", + "required": false, + "type": "number" + } + }, + { + "access_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", + "required": false, + "type": "string" + } + }, + { + "access_token_introspection_authorization": { + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", + "required": false, + "type": "string" + } + }, + { + "access_token_introspection_body_args": { + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", + "required": false, + "type": "string" + } + }, + { + "access_token_introspection_hint": { + "default": "access_token", + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. 
By default, the plugin sends `hint=access_token`.", + "required": false, + "type": "string" + } + }, + { + "access_token_introspection_jwt_claim": { + "elements": { + "type": "string" + }, + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", + "required": false, + "type": "array" + } + }, + { + "access_token_introspection_scopes_required": { + "elements": { + "type": "string" + }, + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", + "required": false, + "type": "array" + } + }, + { + "access_token_introspection_scopes_claim": { + "required": true, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). 
If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", + "default": [ + "scope" + ] + } + }, + { + "access_token_introspection_consumer_claim": { + "elements": { + "type": "string" + }, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", + "required": false, + "type": "array" + } + }, + { + "access_token_introspection_consumer_by": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "access_token_introspection_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", + "required": false, + "type": "number" + } + }, + { + "access_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. 
If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", + "required": false, + "type": "number" + } + }, + { + "access_token_signing_algorithm": { + "required": true, + "type": "string", + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + } + }, + { + "add_access_token_claims": { + "values": { + "type": "string" + }, + "required": false, + "type": "map", + "default": [ + + ], + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "keys": { + "type": "string" + } + } + }, + { + "set_access_token_claims": { + "values": { + "type": "string" + }, + "required": false, + "type": "map", + "default": [ + + ], + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "keys": { + "type": "string" + } + } + }, + { + "remove_access_token_claims": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "remove claims. 
It should be an array, and each element is a claim key string.", + "default": [ + + ] + } + }, + { + "original_access_token_upstream_header": { + "description": "The HTTP header name used to store the original access token.", + "required": false, + "type": "string" + } + }, + { + "access_token_optional": { + "default": false, + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect", + "required": false, + "type": "boolean" + } + }, + { + "verify_access_token_signature": { + "default": true, + "description": "Quickly turn access token signature verification off and on as needed.", + "required": false, + "type": "boolean" + } + }, + { + "verify_access_token_expiry": { + "default": true, + "description": "Quickly turn access token expiry verification off and on as needed.", + "required": false, + "type": "boolean" + } + }, + { + "verify_access_token_scopes": { + "default": true, + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", + "required": false, + "type": "boolean" + } + }, + { + "verify_access_token_introspection_expiry": { + "default": true, + "description": "Quickly turn access token introspection expiry verification off and on as needed.", + "required": false, + "type": "boolean" + } + }, + { + "verify_access_token_introspection_scopes": { + "default": true, + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", + "required": false, + "type": "boolean" + } + }, + { + 
"cache_access_token_introspection": { + "default": true, + "description": "Whether to cache access token introspection results.", + "required": false, + "type": "boolean" + } + }, + { + "trust_access_token_introspection": { + "default": true, + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", + "required": false, + "type": "boolean" + } + }, + { + "enable_access_token_introspection": { + "default": true, + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", + "required": false, + "type": "boolean" + } + }, + { + "channel_token_issuer": { + "default": "kong", + "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", + "required": false, + "type": "string" + } + }, + { + "channel_token_keyset": { + "default": "kong", + "description": "The name of the keyset containing signing keys.", + "required": false, + "type": "string" + } + }, + { + "channel_token_keyset_client_username": { + "referenceable": true, + "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`", + "required": false, + "type": "string" + } + }, + { + "channel_token_keyset_client_password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_keyset_client_username`", + "required": false + } + }, + { + "channel_token_keyset_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `channel_token_keyset` is an https uri that requires mTLS Auth.", + "reference": "certificates", + "required": false, + "type": "foreign" + } + }, + { + "channel_token_keyset_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. The default value 0 means no auto-rotation.", + "required": false, + "type": "number" + } + }, + { + "channel_token_jwks_uri": { + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", + "required": false, + "type": "string" + } + }, + { + "channel_token_jwks_uri_client_username": { + "referenceable": true, + "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", + "required": false, + "type": "string" + } + }, + { + "channel_token_jwks_uri_client_password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_jwks_uri_client_username`", + "required": false + } + }, + { + "channel_token_jwks_uri_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", + "reference": "certificates", + "required": false, + "type": "foreign" + } + }, + { + "channel_token_jwks_uri_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. The default value 0 means no auto-rotation.", + "required": false, + "type": "number" + } + }, + { + "channel_token_request_header": { + "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", + "required": false, + "type": "string" + } + }, + { + "channel_token_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", + "required": false, + "type": "number" + } + }, + { + "channel_token_scopes_required": { + "elements": { + "type": "string" + }, + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", + "required": false, + "type": "array" + } + }, + { + "channel_token_scopes_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. 
This supports nested claims.", + "default": [ + "scope" + ] + } + }, + { + "channel_token_consumer_claim": { + "elements": { + "type": "string" + }, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", + "required": false, + "type": "array" + } + }, + { + "channel_token_consumer_by": { + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", + "default": [ + "username", + "custom_id" + ], + "type": "array" + } + }, + { + "channel_token_upstream_header": { + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", + "required": false, + "type": "string" + } + }, + { + "channel_token_upstream_leeway": { + "default": 0, + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", + "required": false, + "type": "number" + } + }, + { + "channel_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. 
Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", + "required": false, + "type": "string" + } + }, + { + "channel_token_introspection_authorization": { + "elements": { + "type": "string" + }, + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", + "required": false, + "type": "string" + } + }, + { + "channel_token_introspection_body_args": { + "elements": { + "type": "string" + }, + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", + "required": false, + "type": "string" + } + }, + { + "channel_token_introspection_hint": { + "elements": { + "type": "string" + }, + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. 
By default, a `hint` isn't sent with channel token introspection.", + "required": false, + "type": "string" + } + }, + { + "channel_token_introspection_jwt_claim": { + "elements": { + "type": "string" + }, + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", + "required": false, + "type": "array" + } + }, + { + "channel_token_introspection_scopes_required": { + "elements": { + "type": "string" + }, + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", + "required": false, + "type": "array" + } + }, + { + "channel_token_introspection_scopes_claim": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. 
This supports nested claims.", + "default": [ + "scope" + ] + } + }, + { + "channel_token_introspection_consumer_claim": { + "elements": { + "type": "string" + }, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", + "required": false, + "type": "array" + } + }, + { + "channel_token_introspection_consumer_by": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + }, + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "channel_token_introspection_leeway": { + "default": 0, + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", + "required": false, + "type": "number" + } + }, + { + "channel_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. 
If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", + "required": false, + "type": "number" + } + }, + { + "channel_token_signing_algorithm": { + "required": true, + "type": "string", + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + } + }, + { + "add_channel_token_claims": { + "values": { + "type": "string" + }, + "required": false, + "type": "map", + "default": [ + + ], + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "keys": { + "type": "string" + } + } + }, + { + "set_channel_token_claims": { + "values": { + "type": "string" + }, + "required": false, + "type": "map", + "default": [ + + ], + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "keys": { + "type": "string" + } + } + }, + { + "remove_channel_token_claims": { + "required": false, + "type": "array", + "elements": { + "type": "string" + }, + "description": "remove claims. 
It should be an array, and each element is a claim key string.", + "default": [ + + ] + } + }, + { + "original_channel_token_upstream_header": { + "description": "The HTTP header name used to store the original channel token.", + "required": false, + "type": "string" + } + }, + { + "channel_token_optional": { + "default": false, + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", + "required": false, + "type": "boolean" + } + }, + { + "verify_channel_token_signature": { + "default": true, + "description": "Quickly turn on/off the channel token signature verification.", + "required": false, + "type": "boolean" + } + }, + { + "verify_channel_token_expiry": { + "default": true, + "required": false, + "type": "boolean" + } + }, + { + "verify_channel_token_scopes": { + "default": true, + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", + "required": false, + "type": "boolean" + } + }, + { + "verify_channel_token_introspection_expiry": { + "default": true, + "description": "Quickly turn on/off the channel token introspection expiry verification.", + "required": false, + "type": "boolean" + } + }, + { + "verify_channel_token_introspection_scopes": { + "default": true, + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", + "required": false, + "type": "boolean" + } + }, + { + "cache_channel_token_introspection": { + "default": true, + "description": "Whether to cache 
channel token introspection results.", + "required": false, + "type": "boolean" + } + }, + { + "trust_channel_token_introspection": { + "default": true, + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", + "required": false, + "type": "boolean" + } + }, + { + "enable_channel_token_introspection": { + "default": true, + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", + "required": false, + "type": "boolean" + } + }, + { + "add_claims": { + "values": { + "type": "string" + }, + "required": false, + "type": "map", + "default": [ + + ], + "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "keys": { + "type": "string" + } + } + }, + { + "set_claims": { + "values": { + "type": "string" + }, + "required": false, + "type": "map", + "default": [ + + ], + "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "keys": { + "type": "string" + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/jwt/3.11.x.json b/schemas/jwt/3.11.x.json new file mode 100644 index 00000000..06e0c528 --- /dev/null +++ b/schemas/jwt/3.11.x.json 
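Review bot: `access_token_introspection_authorization` and `channel_token_introspection_authorization` hold the `Authorization` header value sent to the introspection endpoint, yet neither carries `"encrypted": true` or `"referenceable": true` as the four `*_client_password` fields in this schema do. As declared here the credential is an ordinary string field; if that matches the plugin source, it is worth raising upstream so that both fields gain `"encrypted": true, "referenceable": true,`. The channel variant also has an `elements` key on a `"type": "string"` field and a description copied from `channel_token_introspection_endpoint`; `channel_token_introspection_body_args` and `channel_token_introspection_hint` have the same stray `elements` key, and `channel_token_jwks_uri_client_certificate` names `access_token_jwks_uri` in its description. `trust_access_token_introspection` defaults to `true`, and unlike the channel variant its description does not say that this default skips the expiry and scope checks on the payload.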
@@ -0,0 +1,160 @@ +{ + "entity_checks": [ + { + "conditional": { + "if_match": { + "gt": 0 + }, + "then_field": "config.claims_to_verify", + "if_field": "config.maximum_expiration", + "then_match": { + "contains": "exp" + } + } + } + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "uri_param_names": { + "elements": { + "type": "string" + }, + "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", + "default": [ + "jwt" + ], + "type": "set" + } + }, + { + "cookie_names": { + "elements": { + "type": "string" + }, + "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", + "default": [ + + ], + "type": "set" + } + }, + { + "key_claim_name": { + "default": "iss", + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", + "type": "string" + } + }, + { + "secret_is_base64": { + "default": false, + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. 
You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", + "required": true, + "type": "boolean" + } + }, + { + "claims_to_verify": { + "elements": { + "type": "string", + "one_of": [ + "exp", + "nbf" + ] + }, + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", + "type": "set" + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + } + }, + { + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", + "required": true, + "type": "boolean" + } + }, + { + "maximum_expiration": { + "default": 0, + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", + "between": [ + 0, + 31536000 + ], + "type": "number" + } + }, + { + "header_names": { + "elements": { + "type": "string" + }, + "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", + "default": [ + "authorization" + ], + "type": "set" + } + }, + { + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": false, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/kafka-consume/3.11.x.json b/schemas/kafka-consume/3.11.x.json new file mode 100644 index 00000000..727f8b8b --- /dev/null +++ b/schemas/kafka-consume/3.11.x.json 
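Review bot: `config.claims_to_verify` is added without a `default`, and the only entity check requires `exp` in it when `config.maximum_expiration` is greater than 0, which itself defaults to 0. As far as this schema shows, a default configuration therefore verifies neither `exp` nor `nbf`. The description should say so, for example by appending `If unset, neither claim is checked, so an expired token is not rejected on that basis.` In the same record `uri_param_names` defaults to `["jwt"]`, so tokens are accepted from the query string out of the box. Its description could add `Tokens sent in the query string can end up in access logs and Referer headers.`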
@@ -0,0 +1,239 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": true + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "description": "Custom type for representing a foreign key with a null value allowed.", + "type": "foreign", + "eq": null + } + }, + { + "config": { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "authentication" + ] + } + } + ], + "type": "record", + "fields": [ + { + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string", + "required": true + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true + } + } + ] + }, + "required": true + } + }, + { + "topics": { + "type": "array", + "len_min": 1, + "description": "The Kafka topics and their configuration you want to consume from.", + "elements": { + "type": "record", + "fields": [ + { + "name": { + "required": true, + "type": "string" + } + } + ] + }, + "required": true + } + }, + { + "mode": { + "type": "string", + "description": "The mode of operation for the plugin.", + "one_of": [ + "server-sent-events", + "http-get" + ], + "default": "http-get", + "required": true + } + }, + { + "message_deserializer": { + "type": "string", + "description": "The deserializer to use for the consumed messages.", + "one_of": [ + "json", + "noop" + ], + "default": "noop", + "required": true + } + }, + { + "auto_offset_reset": { + "type": "string", + "description": 
"The offset to start from when there is no initial offset in the consumer group.", + "one_of": [ + "earliest", + "latest" + ], + "default": "latest", + "required": true + } + }, + { + "commit_strategy": { + "type": "string", + "description": "The strategy to use for committing offsets.", + "one_of": [ + "auto", + "off" + ], + "default": "auto", + "required": true + } + }, + { + "authentication": { + "type": "record", + "fields": [ + { + "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "type": "string", + "one_of": [ + "sasl" + ], + "required": false + } + }, + { + "mechanism": { + "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", + "type": "string", + "one_of": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "required": false + } + }, + { + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication", + "type": "boolean", + "required": false + } + }, + { + "user": { + "type": "string", + "referenceable": true, + "description": "Username for SASL authentication.", + "encrypted": true, + "required": false + } + }, + { + "password": { + "type": "string", + "referenceable": true, + "description": "Password for SASL authentication.", + "encrypted": true, + "required": false + } + } + ], + "required": true + } + }, + { + "security": { + "type": "record", + "fields": [ + { + "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string", + "required": false, + "uuid": true + } + }, + { + "ssl": { + "description": "Enables TLS.", + "type": "boolean", + "required": false + } + } + ], + "required": true + } + }, + { + "cluster_name": { + "description": "An identifier for the Kafka cluster.", + "type": "string", + "required": false + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file 
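Review bot: The description of `config.authentication.mechanism` names only `PLAIN` and `SCRAM-SHA-256` as supported options, but the `one_of` list directly below it also accepts `SCRAM-SHA-512`, so the documentation under-reports what the schema allows. The sentence should end `Supported options: PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512.` with each name in backticks, which is the wording the kafka-upstream schema in this patch already uses. The same stale sentence appears in the `mechanism` field of schemas/kafka-log/3.11.x.json.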
diff --git a/schemas/kafka-log/3.11.x.json b/schemas/kafka-log/3.11.x.json new file mode 100644 index 00000000..2b4dc212 --- /dev/null +++ b/schemas/kafka-log/3.11.x.json 
@@ -0,0 +1,280 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "authentication" + ] + } + } + ], + "fields": [ + { + "bootstrap_servers": { + "elements": { + "type": "record", + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "type": "integer" + } + } + ] + }, + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set" + } + }, + { + "topic": { + "description": "The Kafka topic to publish to.", + "required": true, + "type": "string" + } + }, + { + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + } + }, + { + "keepalive": { + "default": 60000, + "type": "integer" + } + }, + { + "keepalive_enabled": { + "default": false, + "type": "boolean" + } + }, + { + "authentication": { + "fields": [ + { + "strategy": { + "type": "string", + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "required": false, + "one_of": [ + "sasl" + ] + } + }, + { + "mechanism": { + "type": "string", + "description": "The SASL authentication mechanism. 
Supported options: `PLAIN` or `SCRAM-SHA-256`.", + "required": false, + "one_of": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ] + } + }, + { + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication", + "required": false, + "type": "boolean" + } + }, + { + "user": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Username for SASL authentication.", + "required": false + } + }, + { + "password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Password for SASL authentication.", + "required": false + } + } + ], + "required": true, + "type": "record" + } + }, + { + "security": { + "fields": [ + { + "certificate_id": { + "required": false, + "description": "UUID of certificate entity for mTLS authentication.", + "uuid": true, + "type": "string" + } + }, + { + "ssl": { + "description": "Enables TLS.", + "required": false, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "cluster_name": { + "auto": true, + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "required": false, + "type": "string" + } + }, + { + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "type": "integer", + "one_of": [ + -1, + 0, + 1 + ] + } + }, + { + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds", + "type": "integer" + } + }, + { + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single Produce request.", + "type": "integer" + } + }, + { + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + } + }, + { + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + } + }, + { + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + } + }, + { + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + } + }, + { + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + } + }, + { + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + } + }, + { + "custom_fields_by_lua": { + "description": "Lua code as a key-value map", + "values": { + "len_min": 1, + "type": "string" + }, + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file 
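Review bot: `config.custom_fields_by_lua` is documented only as "Lua code as a key-value map", which tells an operator neither what the keys are nor that the values are code the gateway will run. Assuming the plugin evaluates each value to produce a log field, as the name suggests, a description such as `A map from log field name to a chunk of Lua code whose return value sets that field; treat write access to this field as permission to run code in the gateway.` would make the trust boundary explicit. `keepalive` and `keepalive_enabled` in the same record have no description at all, whereas the kafka-upstream schema in this patch documents `keepalive` as `Keepalive timeout in milliseconds.`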
diff --git a/schemas/kafka-upstream/3.11.x.json b/schemas/kafka-upstream/3.11.x.json new file mode 100644 index 00000000..e05b530c --- /dev/null +++ b/schemas/kafka-upstream/3.11.x.json 
@@ -0,0 +1,302 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "forward_method", + "forward_uri", + "forward_headers", + "forward_body" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "authentication" + ] + } + } + ], + "fields": [ + { + "bootstrap_servers": { + "elements": { + "type": "record", + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "type": "integer" + } + } + ] + }, + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set" + } + }, + { + "topic": { + "description": "The Kafka topic to publish to.", + "required": true, + "type": "string" + } + }, + { + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + } + }, + { + "keepalive": { + "default": 60000, + "description": "Keepalive timeout in milliseconds.", + "type": "integer" + } + }, + { + "keepalive_enabled": { + "default": false, + "type": "boolean" + } + }, + { + "authentication": { + "fields": [ + { + "strategy": { + "type": "string", + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "required": 
false, + "one_of": [ + "sasl" + ] + } + }, + { + "mechanism": { + "type": "string", + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", + "required": false, + "one_of": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ] + } + }, + { + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication.", + "required": false, + "type": "boolean" + } + }, + { + "user": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Username for SASL authentication.", + "required": false + } + }, + { + "password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Password for SASL authentication.", + "required": false + } + } + ], + "required": true, + "type": "record" + } + }, + { + "security": { + "fields": [ + { + "certificate_id": { + "uuid": true, + "description": "UUID of certificate entity for mTLS authentication.", + "required": false, + "type": "string" + } + }, + { + "ssl": { + "description": "Enables TLS.", + "required": false, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "forward_method": { + "default": false, + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + } + }, + { + "forward_uri": { + "default": false, + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + } + }, + { + "forward_headers": { + "default": false, + "description": "Include the request headers in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + } + }, + { + "forward_body": { + "default": true, + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + } + }, + { + "cluster_name": { + "auto": true, + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "required": false, + "type": "string" + } + }, + { + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "type": "integer", + "one_of": [ + -1, + 0, + 1 + ] + } + }, + { + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer" + } + }, + { + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single producer request.", + "type": "integer" + } + }, + { + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + } + }, + { + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + } + }, + { + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + } + }, + { + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + } + }, + { + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + } + }, + { + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/key-auth-enc/3.11.x.json b/schemas/key-auth-enc/3.11.x.json new file mode 100644 index 00000000..0db052a3 --- /dev/null +++ b/schemas/key-auth-enc/3.11.x.json 
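Review bot: `config.security.ssl` has neither a `default` nor a visible check linking it to `config.authentication`, so the schema as shown accepts `mechanism: PLAIN` with a `password` while TLS is off. In that case the SASL credentials would cross the network unprotected. What the `custom_entity_check` on `authentication` enforces is not visible in this hunk, so this combination may already be rejected at runtime. If it is not, the `ssl` description should at least say so, e.g. `Enables TLS. Needed to protect SASL PLAIN credentials in transit.` The `security` records in schemas/kafka-consume/3.11.x.json and schemas/kafka-log/3.11.x.json have the same shape.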
@@ -0,0 +1,118 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "key_names": { + "required": true, + "type": "array", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "default": [ + "apikey" + ] + } + }, + { + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", + "type": "boolean" + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "key_in_header": { + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean" + } + }, + { + "key_in_query": { + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean" + } + }, + { + "key_in_body": { + "default": false, + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + } + }, + { + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean" + } + }, + { + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": false, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/key-auth/3.11.x.json b/schemas/key-auth/3.11.x.json new file mode 100644 index 00000000..dbb4a35d --- /dev/null +++ b/schemas/key-auth/3.11.x.json 
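Review bot: `config.key_in_query` defaults to `true` and `config.hide_credentials` defaults to `false`, so with the defaults an API key may arrive in the URL and is passed on to the upstream service unchanged. Neither description mentions that keys carried in query strings tend to be recorded in access logs and by intermediaries. I would extend the `key_in_query` description with `Keys sent in the query string can be captured in access logs; disable this if clients can send a header instead.` and state on `hide_credentials` that `false` forwards the key upstream. The same defaults and wording are in schemas/key-auth/3.11.x.json, where these booleans additionally carry `"required": true`, which is missing here.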
@@ -0,0 +1,123 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "key_names": { + "required": true, + "type": "array", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "default": [ + "apikey" + ] + } + }, + { + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", + "required": true, + "type": "boolean" + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. 
If empty (default null), the request will fail with an authentication failure `4xx`.", + "type": "string" + } + }, + { + "key_in_header": { + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "required": true, + "type": "boolean" + } + }, + { + "key_in_query": { + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "required": true, + "type": "boolean" + } + }, + { + "key_in_body": { + "default": false, + "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "required": true, + "type": "boolean" + } + }, + { + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "required": true, + "type": "boolean" + } + }, + { + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": false, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/konnect-application-auth/3.11.x.json b/schemas/konnect-application-auth/3.11.x.json new file mode 100644 index 00000000..e7763990 --- /dev/null +++ b/schemas/konnect-application-auth/3.11.x.json 
@@ -0,0 +1,3271 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + + ], + "fields": [ + { + "key_names": { + "required": true, + "type": "array", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "default": [ + "apikey" + ] + } + }, + { + "auth_type": { + "required": true, + "type": "string", + "default": "openid-connect", + "description": "The type of authentication to be performed. 
Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", + "one_of": [ + "openid-connect", + "key-auth", + "v2-strategies" + ] + } + }, + { + "scope": { + "required": true, + "description": "The unique scope identifier for the plugin configuration.", + "unique": true, + "type": "string" + } + }, + { + "v2_strategies": { + "required": false, + "type": "record", + "default": [ + + ], + "description": "The map of v2 strategies.", + "fields": [ + { + "key_auth": { + "elements": { + "type": "record", + "fields": [ + { + "strategy_id": { + "description": "The strategy id the config is tied to.", + "required": true, + "type": "string" + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "key_names": { + "required": true, + "type": "array", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "default": [ + "apikey" + ] + } + } + ] + } + } + ] + }, + "description": "List of key_auth strategies.", + "required": false, + "type": "array" + } + }, + { + "openid_connect": { + "elements": { + "type": "record", + "fields": [ + { + "strategy_id": { + "description": "The strategy id the config is tied to.", + "required": true, + "type": "string" + } + }, + { + "config": { + "description": "openid-connect plugin configuration.", + "type": "record", + "fields": [ + { + "issuer": { + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "required": true, + "type": "string" + } + }, + { + "using_pseudo_issuer": { + "default": false, + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "required": false, + "type": "boolean" + } + }, + { + "discovery_headers_names": { + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the discovery endpoint.", + "required": false, + "type": "array" + } + }, + { + "discovery_headers_values": { + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the discovery endpoint.", + "required": false, + "type": "array" + } + }, + { + "extra_jwks_uris": { + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "required": false, + "type": "set" + } + }, + { + "rediscovery_lifetime": { + "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", + "required": false, + "type": "number" + } + }, + { + "auth_methods": { + "required": false, + "type": "array", + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ], + "description": "Types of credentials/grants to enable.", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + } + } + }, + { + "client_id": { + "encrypted": true, + "required": false, + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." 
+ } + }, + { + "client_secret": { + "encrypted": true, + "required": false, + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "description": "The client secret." + } + }, + { + "client_auth": { + "elements": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + }, + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "required": false, + "type": "array" + } + }, + { + "client_jwk": { + "elements": { + "type": "record", + "required": false, + "fields": [ + { + "issuer": { + "required": false, + "type": "string" + } + }, + { + "kty": { + "required": false, + "type": "string" + } + }, + { + "use": { + "required": false, + "type": "string" + } + }, + { + "key_ops": { + "elements": { + "required": false, + "type": "string" + }, + "required": false, + "type": "array" + } + }, + { + "alg": { + "required": false, + "type": "string" + } + }, + { + "kid": { + "required": false, + "type": "string" + } + }, + { + "x5u": { + "required": false, + "type": "string" + } + }, + { + "x5c": { + "elements": { + "required": false, + "type": "string" + }, + "required": false, + "type": "array" + } + }, + { + "x5t": { + "required": false, + "type": "string" + } + }, + { + "x5t#S256": { + "required": false, + "type": "string" + } + }, + { + "k": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "x": { + "required": false, + "type": "string" + } + }, + { + "y": { + "required": false, + "type": 
"string" + } + }, + { + "crv": { + "required": false, + "type": "string" + } + }, + { + "n": { + "required": false, + "type": "string" + } + }, + { + "e": { + "required": false, + "type": "string" + } + }, + { + "d": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "p": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "q": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "dp": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "dq": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "qi": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "oth": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "r": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "t": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + } + ] + }, + "description": "The JWK used for the private_key_jwt authentication.", + "required": false, + "type": "array" + } + }, + { + "client_alg": { + "elements": { + "type": "string", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS384", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + }, + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "required": false, + "type": "array" + } + }, + { + "client_arg": { + "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "required": false, + "type": "string" + } + }, + { + "redirect_uri": { + "elements": { + "type": "string", + "description": "A 
string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "The redirect URI passed to the authorization and token endpoints.", + "required": false, + "type": "array" + } + }, + { + "login_redirect_uri": { + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true, + "type": "string" + }, + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "required": false, + "type": "array" + } + }, + { + "logout_redirect_uri": { + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true, + "type": "string" + }, + "description": "Where to redirect the client after the logout.", + "required": false, + "type": "array" + } + }, + { + "forbidden_redirect_uri": { + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client on forbidden requests.", + "required": false, + "type": "array" + } + }, + { + "forbidden_error_message": { + "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection).", + "required": false, + "type": "string" + } + }, + { + "forbidden_destroy_session": { + "default": true, + "description": "Destroy any active session for the forbidden requests.", + "required": false, + "type": "boolean" + } + }, + { + "unauthorized_destroy_session": { + "default": true, + "description": "Destroy any active session for the unauthorized requests.", + "required": false, + "type": "boolean" + } + }, + { + "unauthorized_redirect_uri": { + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ }, + "description": "Where to redirect the client on unauthorized requests.", + "required": false, + "type": "array" + } + }, + { + "unauthorized_error_message": { + "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection).", + "required": false, + "type": "string" + } + }, + { + "unexpected_redirect_uri": { + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "required": false, + "type": "array" + } + }, + { + "response_mode": { + "required": false, + "type": "string", + "default": "query", + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "one_of": [ + "query", + "form_post", + "fragment", + "query.jwt", + "form_post.jwt", + "fragment.jwt", + "jwt" + ] + } + }, + { + "response_type": { + "required": false, + "type": "array", + "default": [ + "code" + ], + "description": "The response type passed to the authorization endpoint.", + "elements": { + "type": "string" + } + } + }, + { + "scopes": { + "required": false, + "type": "array", + "default": [ + "openid" + ], + "description": "The scopes passed to the authorization and token endpoints.", + "elements": { + "referenceable": true, + "type": "string" + } + } + }, + { + "audience": { + "elements": { + "type": "string" + }, + "description": "The audience passed to the authorization endpoint.", + "required": false, + "type": "array" + } 
+ }, + { + "issuers_allowed": { + "elements": { + "type": "string" + }, + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "required": false, + "type": "array" + } + }, + { + "scopes_required": { + "elements": { + "type": "string" + }, + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, + "type": "array" + } + }, + { + "scopes_claim": { + "required": false, + "type": "array", + "default": [ + "scope" + ], + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } + } + }, + { + "audience_required": { + "elements": { + "type": "string" + }, + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, + "type": "array" + } + }, + { + "audience_claim": { + "required": false, + "type": "array", + "default": [ + "aud" + ], + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } + } + }, + { + "groups_required": { + "elements": { + "type": "string" + }, + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, + "type": "array" + } + }, + { + "groups_claim": { + "required": false, + "type": "array", + "default": [ + "groups" + ], + "description": "The claim that contains the groups. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } + } + }, + { + "roles_required": { + "elements": { + "type": "string" + }, + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, + "type": "array" + } + }, + { + "roles_claim": { + "required": false, + "type": "array", + "default": [ + "roles" + ], + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } + } + }, + { + "domains": { + "elements": { + "type": "string" + }, + "description": "The allowed values for the `hd` claim.", + "required": false, + "type": "array" + } + }, + { + "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "required": false, + "type": "number" + } + }, + { + "authenticated_groups_claim": { + "elements": { + "type": "string" + }, + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "type": "array" + } + }, + { + "pushed_authorization_request_endpoint": { + "description": "The pushed authorization endpoint. 
If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "pushed_authorization_request_endpoint_auth_method": { + "type": "string", + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "require_pushed_authorization_requests": { + "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "required": false, + "type": "boolean" + } + }, + { + "require_proof_key_for_code_exchange": { + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "required": false, + "type": "boolean" + } + }, + { + "require_signed_request_object": { + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "required": false, + "type": "boolean" + } + }, + { + "authorization_endpoint": { + "description": "The authorization endpoint. 
If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "authorization_query_args_names": { + "elements": { + "type": "string" + }, + "description": "Extra query argument names passed to the authorization endpoint.", + "required": false, + "type": "array" + } + }, + { + "authorization_query_args_values": { + "elements": { + "type": "string" + }, + "description": "Extra query argument values passed to the authorization endpoint.", + "required": false, + "type": "array" + } + }, + { + "authorization_query_args_client": { + "elements": { + "type": "string" + }, + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "required": false, + "type": "array" + } + }, + { + "authorization_rolling_timeout": { + "default": 600, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling.", + "required": false, + "type": "number" + } + }, + { + "authorization_cookie_name": { + "default": "authorization", + "description": "The authorization cookie name.", + "required": false, + "type": "string" + } + }, + { + "authorization_cookie_path": { + "required": false, + "type": "string", + "default": "/", + "description": "The authorization cookie Path flag.", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "starts_with": "/" + } + }, + { + "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", + "required": false, + "type": "string" + } + }, + { + "authorization_cookie_same_site": { + "required": false, + "type": "string", + "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "authorization_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "required": false, + "type": "boolean" + } + }, + { + "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "required": false, + "type": "boolean" + } + }, + { + "preserve_query_args": { + "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "required": false, + "type": "boolean" + } + }, + { + "token_endpoint": { + "description": "The token endpoint. 
If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "token_endpoint_auth_method": { + "type": "string", + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "token_headers_names": { + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_headers_values": { + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_headers_client": { + "elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_headers_replay": { + "elements": { + "type": "string" + }, + "description": "The names of token endpoint response headers to forward to the downstream client.", + "required": false, + "type": "array" + } + }, + { + "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "required": false, + "type": "string" + } + }, + { + "token_headers_grants": { + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token" + ] + }, + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials 
grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "required": false, + "type": "array" + } + }, + { + "token_post_args_names": { + "elements": { + "type": "string" + }, + "description": "Extra post argument names passed to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_post_args_values": { + "elements": { + "type": "string" + }, + "description": "Extra post argument values passed to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_post_args_client": { + "elements": { + "type": "string" + }, + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_endpoint": { + "description": "The introspection endpoint. 
If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "introspection_endpoint_auth_method": { + "type": "string", + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "introspection_hint": { + "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "required": false, + "type": "string" + } + }, + { + "introspection_check_active": { + "default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "required": false, + "type": "boolean" + } + }, + { + "introspection_accept": { + "required": false, + "type": "string", + "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "one_of": [ + "application/json", + "application/token-introspection+jwt", + "application/jwt" + ] + } + }, + { + "introspection_headers_names": { + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_headers_values": { + "encrypted": true, + "required": false, + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "description": 
"Extra header values passed to the introspection endpoint." + } + }, + { + "introspection_headers_client": { + "elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_post_args_names": { + "elements": { + "type": "string" + }, + "description": "Extra post argument names passed to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_post_args_values": { + "elements": { + "type": "string" + }, + "description": "Extra post argument values passed to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_post_args_client": { + "elements": { + "type": "string" + }, + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_post_args_client_headers": { + "elements": { + "type": "string" + }, + "description": "Extra post arguments passed from the client headers to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspect_jwt_tokens": { + "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "required": false, + "type": "boolean" + } + }, + { + "revocation_endpoint": { + "description": "The revocation endpoint. 
If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "revocation_endpoint_auth_method": { + "type": "string", + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "end_session_endpoint": { + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "userinfo_endpoint": { + "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "userinfo_accept": { + "required": false, + "type": "string", + "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "one_of": [ + "application/json", + "application/jwt" + ] + } + }, + { + "userinfo_headers_names": { + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the user info endpoint.", + "required": false, + "type": "array" + } + }, + { + "userinfo_headers_values": { + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the user info endpoint.", + "required": false, + "type": "array" + } + }, + { + "userinfo_headers_client": { + "elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the user info 
endpoint.", + "required": false, + "type": "array" + } + }, + { + "userinfo_query_args_names": { + "elements": { + "type": "string" + }, + "description": "Extra query argument names passed to the user info endpoint.", + "required": false, + "type": "array" + } + }, + { + "userinfo_query_args_values": { + "elements": { + "type": "string" + }, + "description": "Extra query argument values passed to the user info endpoint.", + "required": false, + "type": "array" + } + }, + { + "userinfo_query_args_client": { + "elements": { + "type": "string" + }, + "description": "Extra query arguments passed from the client to the user info endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_exchange_endpoint": { + "description": "The token exchange endpoint.", + "required": false, + "type": "string" + } + }, + { + "session_secret": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The session secret.", + "required": false + } + }, + { + "session_audience": { + "default": "default", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "required": false, + "type": "string" + } + }, + { + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "required": false, + "type": "string" + } + }, + { + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "required": false, + "type": "boolean" + } + }, + { + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "required": false, + "type": "string" + } + }, + { + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Specifies how long the persistent session is considered valid in seconds. 
0 disables the checks and rolling.", + "required": false, + "type": "number" + } + }, + { + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "required": false, + "type": "number" + } + }, + { + "session_idling_timeout": { + "default": 900, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "required": false, + "type": "number" + } + }, + { + "session_rolling_timeout": { + "default": 3600, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "required": false, + "type": "number" + } + }, + { + "session_absolute_timeout": { + "default": 86400, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 
0 disables the checks.", + "required": false, + "type": "number" + } + }, + { + "session_cookie_path": { + "required": false, + "type": "string", + "default": "/", + "description": "The session cookie Path flag.", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "starts_with": "/" + } + }, + { + "session_cookie_domain": { + "description": "The session cookie Domain flag.", + "required": false, + "type": "string" + } + }, + { + "session_cookie_same_site": { + "required": false, + "type": "string", + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "required": false, + "type": "boolean" + } + }, + { + "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "required": false, + "type": "boolean" + } + }, + { + "session_request_headers": { + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. 
`[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "required": false, + "type": "set" + } + }, + { + "session_response_headers": { + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "required": false, + "type": "set" + } + }, + { + "session_storage": { + "required": false, + "type": "string", + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "one_of": [ + "cookie", + "memcache", + "memcached", + "redis" + ] + } + }, + { + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "required": false, + "type": "boolean" + } + }, + { + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "required": false, + "type": "boolean" + } + }, + { + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", + "required": false, + "type": "boolean" + } + }, + { + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "required": false, + "type": "boolean" + } + }, + { + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "required": false, + "type": "string" + } + }, + { + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "required": false, + "type": "string" + } + }, + { + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "required": false, + "type": "string" + } + }, + { + "session_memcached_port": { + "between": [ + 0, + 65535 + ], + "required": false, + "type": "integer", + "default": 11211, + "description": "The memcached port." 
+ } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + } + ], + "fields": [ + { + 
"host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "one_of": [ + "master", + "slave", + "any" + ], + "type": "string" + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ], + "type": "record" + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ], + "type": "record" + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + }, + { + "prefix": { + "description": "The Redis session key prefix.", + "required": false, + "type": "string" + } + }, + { + "socket": { + "description": "The Redis unix socket path.", + "required": false, + "type": "string" + } + } + ] + } + }, + { + "reverify": { + "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", + "required": false, + "type": "boolean" + } + }, + { + "jwt_session_claim": { + "default": "sid", + "description": "The claim to match against the JWT session cookie.", + "required": false, + "type": "string" + } + }, + { + "jwt_session_cookie": { + "description": "The name of the JWT session cookie.", + "required": false, + "type": "string" + } + }, + { + "bearer_token_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "elements": { + "type": "string", + "one_of": [ + "header", + "cookie", + "query", + "body" + ] + } + } + }, + { + 
"bearer_token_cookie_name": { + "description": "The name of the cookie in which the bearer token is passed.", + "required": false, + "type": "string" + } + }, + { + "client_credentials_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + } + } + }, + { + "password_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + } + } + }, + { + "id_token_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + } + } + }, + { + "id_token_param_name": { + "description": "The name of the parameter used to pass the id token.", + "required": false, + "type": "string" + } + }, + { + "refresh_token_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + } + } + }, + { + "refresh_token_param_name": { + "description": "The name of the 
parameter used to pass the refresh token.", + "required": false, + "type": "string" + } + }, + { + "refresh_tokens": { + "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "required": false, + "type": "boolean" + } + }, + { + "upstream_headers_claims": { + "elements": { + "type": "string" + }, + "description": "The upstream header claims. Only top level claims are supported.", + "required": false, + "type": "array" + } + }, + { + "upstream_headers_names": { + "elements": { + "type": "string" + }, + "description": "The upstream header names for the claim values.", + "required": false, + "type": "array" + } + }, + { + "upstream_access_token_header": { + "default": "authorization:bearer", + "description": "The upstream access token header.", + "required": false, + "type": "string" + } + }, + { + "upstream_access_token_jwk_header": { + "description": "The upstream access token JWK header.", + "required": false, + "type": "string" + } + }, + { + "upstream_id_token_header": { + "description": "The upstream id token header.", + "required": false, + "type": "string" + } + }, + { + "upstream_id_token_jwk_header": { + "description": "The upstream id token JWK header.", + "required": false, + "type": "string" + } + }, + { + "upstream_refresh_token_header": { + "description": "The upstream refresh token header.", + "required": false, + "type": "string" + } + }, + { + "upstream_user_info_header": { + "description": "The upstream user info header.", + "required": false, + "type": "string" + } + }, + { + "upstream_user_info_jwt_header": { + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "required": false, + "type": "string" + } + }, + { + "upstream_introspection_header": { + "description": "The upstream introspection header.", + "required": false, + "type": "string" + } + }, + { + 
"upstream_introspection_jwt_header": { + "description": "The upstream introspection JWT header.", + "required": false, + "type": "string" + } + }, + { + "upstream_session_id_header": { + "description": "The upstream session id header.", + "required": false, + "type": "string" + } + }, + { + "downstream_headers_claims": { + "elements": { + "type": "string" + }, + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "type": "array" + } + }, + { + "downstream_headers_names": { + "elements": { + "type": "string" + }, + "description": "The downstream header names for the claim values.", + "required": false, + "type": "array" + } + }, + { + "downstream_access_token_header": { + "description": "The downstream access token header.", + "required": false, + "type": "string" + } + }, + { + "downstream_access_token_jwk_header": { + "description": "The downstream access token JWK header.", + "required": false, + "type": "string" + } + }, + { + "downstream_id_token_header": { + "description": "The downstream id token header.", + "required": false, + "type": "string" + } + }, + { + "downstream_id_token_jwk_header": { + "description": "The downstream id token JWK header.", + "required": false, + "type": "string" + } + }, + { + "downstream_refresh_token_header": { + "description": "The downstream refresh token header.", + "required": false, + "type": "string" + } + }, + { + "downstream_user_info_header": { + "description": "The downstream user info header.", + "required": false, + "type": "string" + } + }, + { + "downstream_user_info_jwt_header": { + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "required": false, + "type": "string" + } + }, + { + "downstream_introspection_header": { + "description": "The downstream introspection header.", + "required": false, + "type": "string" + } + }, + { + 
"downstream_introspection_jwt_header": { + "description": "The downstream introspection JWT header.", + "required": false, + "type": "string" + } + }, + { + "downstream_session_id_header": { + "description": "The downstream session id header.", + "required": false, + "type": "string" + } + }, + { + "login_methods": { + "required": false, + "type": "array", + "default": [ + "authorization_code" + ], + "description": "Enable login functionality with specified grants.", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + } + } + }, + { + "login_action": { + "required": false, + "type": "string", + "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "one_of": [ + "upstream", + "response", + "redirect" + ] + } + }, + { + "login_tokens": { + "required": false, + "type": "array", + "default": [ + "id_token" + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "elements": { + "type": "string", + "one_of": [ + "id_token", + "access_token", + "refresh_token", + "tokens", + "introspection" + ] + } + } + }, + { + "login_redirect_mode": { + "required": false, + "type": "string", + "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "one_of": [ + "query", + "fragment" + ] + } + }, + { + "logout_query_arg": { + 
"description": "The request query argument that activates the logout.", + "required": false, + "type": "string" + } + }, + { + "logout_post_arg": { + "description": "The request body argument that activates the logout.", + "required": false, + "type": "string" + } + }, + { + "logout_uri_suffix": { + "description": "The request URI suffix that activates the logout.", + "required": false, + "type": "string" + } + }, + { + "logout_methods": { + "required": false, + "type": "array", + "default": [ + "POST", + "DELETE" + ], + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "elements": { + "type": "string", + "one_of": [ + "POST", + "GET", + "DELETE" + ] + } + } + }, + { + "logout_revoke": { + "default": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "required": false, + "type": "boolean" + } + }, + { + "logout_revoke_access_token": { + "default": true, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "required": false, + "type": "boolean" + } + }, + { + "logout_revoke_refresh_token": { + "default": true, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "required": false, + "type": "boolean" + } + }, + { + "consumer_claim": { + "elements": { + "type": "string" + }, + "description": "The claim used for consumer mapping. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "type": "array" + } + }, + { + "consumer_by": { + "required": false, + "type": "array", + "default": [ + "username", + "custom_id" + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + } + } + }, + { + "consumer_optional": { + "default": false, + "description": "Do not terminate the request if consumer mapping fails.", + "required": false, + "type": "boolean" + } + }, + { + "credential_claim": { + "required": false, + "type": "array", + "default": [ + "sub" + ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "required": false, + "type": "string" + } + }, + { + "run_on_preflight": { + "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "required": false, + "type": "boolean" + } + }, + { + "leeway": { + "default": 0, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "required": false, + "type": "number" + } + }, + { + "verify_parameters": { + "default": false, + "description": "Verify plugin configuration against discovery.", + "required": false, + "type": "boolean" + } + }, + { + "verify_nonce": { + "default": true, + "description": "Verify nonce on authorization code flow.", + "required": false, + "type": "boolean" + } + }, + { + "verify_claims": { + "default": true, + "description": "Verify tokens for standard claims.", + "required": false, + "type": "boolean" + } + }, + { + "verify_signature": { + "default": true, + "description": "Verify signature of tokens.", + "required": false, + "type": "boolean" + } + }, + { + "ignore_signature": { + "required": false, + "type": "array", + "default": [ + + ], + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token", + "session", + "introspection", + "userinfo" + ] + } + } + }, + { + "enable_hs_signatures": { + "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + 
"required": false, + "type": "boolean" + } + }, + { + "disable_session": { + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "description": "Disable issuing the session cookie with the specified grants.", + "required": false, + "type": "array" + } + }, + { + "cache_ttl": { + "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "required": false, + "type": "number" + } + }, + { + "cache_ttl_max": { + "description": "The maximum cache ttl in seconds (enforced).", + "required": false, + "type": "number" + } + }, + { + "cache_ttl_min": { + "description": "The minimum cache ttl in seconds (enforced).", + "required": false, + "type": "number" + } + }, + { + "cache_ttl_neg": { + "description": "The negative cache ttl in seconds.", + "required": false, + "type": "number" + } + }, + { + "cache_ttl_resurrect": { + "description": "The resurrection ttl in seconds.", + "required": false, + "type": "number" + } + }, + { + "cache_tokens": { + "default": true, + "description": "Cache the token endpoint requests.", + "required": false, + "type": "boolean" + } + }, + { + "cache_tokens_salt": { + "auto": true, + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "required": false, + "type": "string" + } + }, + { + "cache_introspection": { + "default": true, + "description": "Cache the introspection endpoint requests.", + "required": false, + "type": "boolean" + } + }, + { + "cache_token_exchange": { + "default": true, + "description": "Cache the token exchange endpoint requests.", + "required": false, + "type": "boolean" + } + }, + { + "cache_user_info": { + "default": true, + "description": "Cache the user info requests.", + "required": false, + "type": "boolean" + } + }, + 
{ + "search_user_info": { + "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "required": false, + "type": "boolean" + } + }, + { + "hide_credentials": { + "default": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "required": false, + "type": "boolean" + } + }, + { + "http_version": { + "default": 1.1, + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "required": false, + "type": "number" + } + }, + { + "http_proxy": { + "description": "The HTTP proxy.", + "required": false, + "type": "string" + } + }, + { + "http_proxy_authorization": { + "required": false, + "description": "The HTTP proxy authorization.", + "referenceable": true, + "type": "string" + } + }, + { + "https_proxy": { + "description": "The HTTPS proxy.", + "required": false, + "type": "string" + } + }, + { + "https_proxy_authorization": { + "required": false, + "description": "The HTTPS proxy authorization.", + "referenceable": true, + "type": "string" + } + }, + { + "no_proxy": { + "description": "Do not use proxy with these hosts.", + "required": false, + "type": "string" + } + }, + { + "keepalive": { + "default": true, + "description": "Use keepalive with the HTTP client.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "Verify identity provider server certificate. 
If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "required": false, + "type": "boolean" + } + }, + { + "timeout": { + "default": 10000, + "description": "Network IO timeout in milliseconds.", + "required": false, + "type": "number" + } + }, + { + "display_errors": { + "default": false, + "description": "Display errors on failure responses.", + "required": false, + "type": "boolean" + } + }, + { + "by_username_ignore_case": { + "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "required": false, + "type": "boolean" + } + }, + { + "resolve_distributed_claims": { + "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "required": false, + "type": "boolean" + } + }, + { + "expose_error_code": { + "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. 
Set to `false` to disable.", + "type": "boolean" + } + }, + { + "token_cache_key_include_scope": { + "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean" + } + }, + { + "introspection_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for introspection.", + "required": false, + "type": "string" + } + }, + { + "revocation_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for revocation.", + "required": false, + "type": "string" + } + }, + { + "proof_of_possession_mtls": { + "required": false, + "type": "string", + "default": "off", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", + "one_of": [ + "off", + "strict", + "optional" + ] + } + }, + { + "proof_of_possession_auth_methods_validation": { + "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. 
If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "required": false, + "type": "boolean" + } + }, + { + "tls_client_auth_cert_id": { + "auto": false, + "required": false, + "type": "string", + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "uuid": true + } + }, + { + "tls_client_auth_ssl_verify": { + "default": true, + "description": "Verify identity provider server certificate during mTLS client authentication.", + "required": false, + "type": "boolean" + } + }, + { + "mtls_token_endpoint": { + "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "mtls_introspection_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "mtls_revocation_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "proof_of_possession_dpop": { + "required": false, + "type": "string", + "default": "off", + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). 
If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "one_of": [ + "off", + "strict", + "optional" + ] + } + }, + { + "dpop_use_nonce": { + "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", + "required": false, + "type": "boolean" + } + }, + { + "dpop_proof_lifetime": { + "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "required": false, + "type": "number" + } + }, + { + "claims_forbidden": { + "elements": { + "type": "string" + }, + "description": "If given, these claims are forbidden in the token payload.", + "required": false, + "type": "array" + } + }, + { + "cluster_cache_strategy": { + "required": false, + "type": "string", + "default": "off", + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. 
Currentlly only introspection cache is shared.", + "one_of": [ + "off", + "redis" + ] + } + }, + { + "cluster_cache_redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + 
"path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + } + ] + } + } + ] + } + } + ] + }, + "description": "List of openid_connect strategies.", + "required": false, + "type": "array" + } + } + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ldap-auth-advanced/3.11.x.json b/schemas/ldap-auth-advanced/3.11.x.json new file mode 100644 index 00000000..545178ce --- /dev/null +++ b/schemas/ldap-auth-advanced/3.11.x.json 
@@ -0,0 +1,243 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "ldap_host": { + "description": "Host on which the LDAP server is running.", + "required": true, + "type": "string" + } + }, + { + "ldap_password": { + "encrypted": true, + "description": "The password to the LDAP server.", + "referenceable": true, + "type": "string" + } + }, + { + "ldap_port": { + "default": 389, + "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", + "type": "number" + } + }, + { + "bind_dn": { + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", + "referenceable": true, + "type": "string" + } + }, + { + "ldaps": { + "default": false, + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. 
If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "required": true, + "type": "boolean" + } + }, + { + "start_tls": { + "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "required": true, + "type": "boolean" + } + }, + { + "verify_ldap_host": { + "default": false, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "required": true, + "type": "boolean" + } + }, + { + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", + "required": true, + "type": "string" + } + }, + { + "attribute": { + "description": "Attribute to be used to search the user; e.g., \"cn\".", + "required": true, + "type": "string" + } + }, + { + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "required": true, + "type": "number" + } + }, + { + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "type": "boolean" + } + }, + { + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" + } + }, + { + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" + } + }, + { + "anonymous": { + "default": "", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. 
If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "len_min": 0, + "type": "string" + } + }, + { + "header_type": { + "default": "ldap", + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", + "type": "string" + } + }, + { + "consumer_optional": { + "default": false, + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", + "required": false, + "type": "boolean" + } + }, + { + "consumer_by": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "username", + "custom_id" + ] + }, + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "group_base_dn": { + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", + "type": "string" + } + }, + { + "group_name_attribute": { + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", + "type": "string" + } + }, + { + "group_member_attribute": { + "default": "memberOf", + "description": "Sets the attribute holding the members of the LDAP group. 
This field is case-sensitive.", + "type": "string" + } + }, + { + "log_search_results": { + "default": false, + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", + "required": false, + "type": "boolean" + } + }, + { + "groups_required": { + "elements": { + "type": "string" + }, + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", + "required": false, + "type": "array" + } + }, + { + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": false, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/ldap-auth/3.11.x.json b/schemas/ldap-auth/3.11.x.json new file mode 100644 index 00000000..c165cd47 --- /dev/null +++ b/schemas/ldap-auth/3.11.x.json 
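Review bot: `verify_ldap_host` defaults to `false`, so turning on `ldaps` or `start_tls` encrypts the connection without authenticating the LDAP server. The bind password (`ldap_password`) and the credentials being checked are then sent to whichever host answers on `ldap_host`. The description should say this outright, along the lines of "When false (the default), `ldaps` and `start_tls` connections are encrypted but the server certificate is not verified; set to true and configure `lua_ssl_trusted_certificate`." The same default and wording appear in schemas/ldap-auth/3.11.x.json. Separately, `ldap_port` is typed `number` with no `between` here, while ldap-auth declares it `integer` with `"between": [0, 65535]`; the two schemas should agree.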
@@ -0,0 +1,178 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "conditional": { + "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", + "if_match": { + "eq": true + }, + "then_field": "start_tls", + "if_field": "ldaps", + "then_match": { + "eq": false + } + } + } + ], + "fields": [ + { + "ldap_host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "ldap_port": { + "between": [ + 0, + 65535 + ], + "required": true, + "type": "integer", + "default": 389, + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "ldaps": { + "default": false, + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "required": true, + "type": "boolean" + } + }, + { + "start_tls": { + "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. 
If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "required": true, + "type": "boolean" + } + }, + { + "verify_ldap_host": { + "default": false, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "required": true, + "type": "boolean" + } + }, + { + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", + "required": true, + "type": "string" + } + }, + { + "attribute": { + "description": "Attribute to be used to search the user; e.g. cn", + "required": true, + "type": "string" + } + }, + { + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "required": true, + "type": "number" + } + }, + { + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "required": true, + "type": "boolean" + } + }, + { + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" + } + }, + { + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`." 
+ } + }, + { + "header_type": { + "default": "ldap", + "description": "An optional string to use as part of the Authorization header", + "type": "string" + } + }, + { + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": false, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/loggly/3.11.x.json b/schemas/loggly/3.11.x.json new file mode 100644 index 00000000..7f4564c6 --- /dev/null +++ b/schemas/loggly/3.11.x.json 
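Review bot: The `ldaps` description says "If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled", but no field named `ldap` exists. The `conditional` entity check in this hunk uses `"if_field": "ldaps"`, so the sentence should read "If the `ldaps` setting is enabled, ...". The same sentence appears in schemas/ldap-auth-advanced/3.11.x.json, where no equivalent `conditional` is visible and the only entity check is a `custom_entity_check` on `config`; it is worth confirming that it rejects `ldaps` and `start_tls` both being true. The description also says port 636 "must" be used with `ldaps`, yet nothing in the visible schema ties `ldap_port` (default `389`) to `ldaps`, so the wording should either be softened or backed by a check.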
@@ -0,0 +1,173 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "host": { + "default": "logs-01.loggly.com", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 514, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "key": { + "encrypted": true, + "referenceable": true, + "required": true, + "type": "string" + } + }, + { + "tags": { + "default": [ + "kong" + ], + "elements": { + "type": "string" + }, + "type": "set" + } + }, + { + "log_level": { + "default": "info", + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "successful_severity": { + "default": "info", + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "client_errors_severity": { + "default": "info", + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "server_errors_severity": { + "default": "info", + "type": "string", + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + 
"emerg" + ] + } + }, + { + "timeout": { + "default": 10000, + "type": "number" + } + }, + { + "custom_fields_by_lua": { + "description": "Lua code as a key-value map", + "values": { + "len_min": 1, + "type": "string" + }, + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/mocking/3.11.x.json b/schemas/mocking/3.11.x.json new file mode 100644 index 00000000..246c1047 --- /dev/null +++ b/schemas/mocking/3.11.x.json 
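Review bot: Unlike `host` and `port`, the fields `key`, `tags`, `log_level`, the three `*_severity` fields and `timeout` have no `description`, so an operator cannot tell from the schema what `key` authenticates or what unit `timeout` (default `10000`) is in. Each should get a one-line `description`, with the unit stated for `timeout`. The description of `custom_fields_by_lua`, "Lua code as a key-value map", should also say when the values are evaluated and with what access. If they are executed by the plugin, as the name suggests, then write access to this plugin's configuration amounts to code execution in the gateway and belongs behind the same controls.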
@@ -0,0 +1,131 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.api_specification_filename", + "config.api_specification" + ] + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "api_specification_filename": { + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", + "required": false, + "type": "string" + } + }, + { + "api_specification": { + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", + "required": false, + "type": "string" + } + }, + { + "random_delay": { + "default": false, + "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs.", + "type": "boolean" + } + }, + { + "max_delay_time": { + "default": 1, + "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", + "type": "number" + } + }, + { + "min_delay_time": { + "default": 0.001, + "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. 
The value must be less than the `max_delay_time`.", + "type": "number" + } + }, + { + "random_examples": { + "default": false, + "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", + "type": "boolean" + } + }, + { + "included_status_codes": { + "elements": { + "type": "integer" + }, + "description": "A global list of the HTTP status codes that can only be selected and returned.", + "type": "array" + } + }, + { + "random_status_code": { + "default": false, + "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", + "required": true, + "type": "boolean" + } + }, + { + "include_base_path": { + "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation.", + "required": true, + "type": "boolean" + } + }, + { + "custom_base_path": { + "required": false, + "type": "string", + "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "starts_with": "/" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/mtls-auth/3.11.x.json b/schemas/mtls-auth/3.11.x.json new file mode 100644 index 00000000..d65a598b --- /dev/null +++ b/schemas/mtls-auth/3.11.x.json 
@@ -0,0 +1,210 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], + "fields": [ + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "consumer_by": { + "required": false, + "type": "array", + "elements": { + "type": "string", + "one_of": [ + "username", + "custom_id" + ] + }, + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "default": [ + "username", + "custom_id" + ] + } + }, + { + "ca_certificates": { + "elements": { + "uuid": true, + "type": "string" + }, + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. 
At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", + "required": true, + "type": "array" + } + }, + { + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "required": true, + "type": "number" + } + }, + { + "skip_consumer_lookup": { + "default": false, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "required": true, + "type": "boolean" + } + }, + { + "allow_partial_chain": { + "default": false, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "required": true, + "type": "boolean" + } + }, + { + "authenticated_group_by": { + "required": false, + "type": "string", + "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "one_of": [ + "CN", + "DN" + ] + } + }, + { + "revocation_check_mode": { + "required": false, + "type": "string", + "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. 
If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "one_of": [ + "SKIP", + "IGNORE_CA_ERROR", + "STRICT" + ] + } + }, + { + "http_timeout": { + "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number" + } + }, + { + "cert_cache_ttl": { + "default": 60000, + "description": "The length of time in seconds between refreshes of the revocation check status cache.", + "type": "number" + } + }, + { + "send_ca_dn": { + "default": false, + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", + "type": "boolean" + } + }, + { + "default_consumer": { + "type": "string", + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "http_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "http_proxy_port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + }, + { + "https_proxy_host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "https_proxy_port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/oas-validation/3.11.x.json b/schemas/oas-validation/3.11.x.json new file mode 100644 index 00000000..ada2985b --- /dev/null +++ b/schemas/oas-validation/3.11.x.json 
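Review bot: `cert_cache_ttl` is described as "in seconds" but defaults to `60000`, which looks like a millisecond value next to `cache_ttl` (default `60`, seconds) and `http_timeout` (default `30000`, milliseconds). The unit matters because this field sets how long a cached revocation result is reused: about a minute if milliseconds, more than sixteen hours if seconds, during which a revoked client certificate would still be accepted. Confirm the unit against the plugin code and correct either the description or the default. Also, `ca_certificates` says "At least one is required" but declares only `"required": true`; if an empty array passes that check, adding `"len_min": 1` would enforce the stated rule.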
@@ -0,0 +1,170 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "api_spec": { + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format.", + "required": true, + "type": "string" + } + }, + { + "verbose_response": { + "default": false, + "description": "If set to true, returns a detailed error message for invalid requests & responses. 
This is useful while testing.", + "required": false, + "type": "boolean" + } + }, + { + "validate_request_body": { + "default": true, + "description": "If set to true, validates the request body content against the API specification.", + "required": false, + "type": "boolean" + } + }, + { + "notify_only_request_validation_failure": { + "default": false, + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", + "required": false, + "type": "boolean" + } + }, + { + "validate_request_header_params": { + "default": true, + "description": "If set to true, validates HTTP header parameters against the API specification.", + "required": false, + "type": "boolean" + } + }, + { + "validate_request_query_params": { + "default": true, + "description": "If set to true, validates query parameters against the API specification.", + "required": false, + "type": "boolean" + } + }, + { + "validate_request_uri_params": { + "default": true, + "description": "If set to true, validates URI parameters in the request against the API specification.", + "required": false, + "type": "boolean" + } + }, + { + "validate_response_body": { + "default": false, + "description": "If set to true, validates the response from the upstream services against the API specification. 
If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", + "required": false, + "type": "boolean" + } + }, + { + "notify_only_response_body_validation_failure": { + "default": false, + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", + "required": false, + "type": "boolean" + } + }, + { + "query_parameter_check": { + "default": false, + "description": "If set to true, checks if query parameters in the request exist in the API specification.", + "required": true, + "type": "boolean" + } + }, + { + "header_parameter_check": { + "default": false, + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", + "required": true, + "type": "boolean" + } + }, + { + "allowed_header_parameters": { + "default": "Host,Content-Type,User-Agent,Accept,Content-Length", + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", + "required": false, + "type": "string" + } + }, + { + "include_base_path": { + "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation.", + "required": true, + "type": "boolean" + } + }, + { + "api_spec_encoded": { + "default": true, + "description": "Indicates whether the api_spec is URI-Encoded.", + "required": true, + "type": "boolean" + } + }, + { + "custom_base_path": { + "required": false, + "type": "string", + "description": "The base path to be used for path match evaluation. 
This value is ignored if `include_base_path` is set to `false`.", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "starts_with": "/" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/oauth2-introspection/3.11.x.json b/schemas/oauth2-introspection/3.11.x.json new file mode 100644 index 00000000..8b041407 --- /dev/null +++ b/schemas/oauth2-introspection/3.11.x.json 
@@ -0,0 +1,167 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "introspection_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": true, + "type": "string" + } + }, + { + "ttl": { + "default": 30, + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", + "type": "number" + } + }, + { + "token_type_hint": { + "type": "string", + "description": "The `token_type_hint` value to associate to introspection requests." + } + }, + { + "authorization_value": { + "encrypted": true, + "required": true, + "type": "string", + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. 
This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", + "referenceable": true + } + }, + { + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "integer" + } + }, + { + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "integer" + } + }, + { + "introspect_request": { + "default": false, + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", + "required": true, + "type": "boolean" + } + }, + { + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request.", + "type": "boolean" + } + }, + { + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" + } + }, + { + "anonymous": { + "default": "", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "len_min": 0, + "type": "string" + } + }, + { + "consumer_by": { + "required": true, + "type": "string", + "default": "username", + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", + "one_of": [ + "username", + "client_id" + ] + } + }, + { + "custom_introspection_headers": { + "values": { + "type": "string" + }, + "required": true, + "type": "map", + "default": [ + + ], + "description": "A list of custom headers to be added in the introspection request.", + "keys": { + "type": "string" + } + } + }, + { + "custom_claims_forward": { + "required": true, + "type": "set", + "elements": { + "type": "string" + }, + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", + "default": [ + + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/oauth2/3.11.x.json b/schemas/oauth2/3.11.x.json new file mode 100644 index 00000000..2c0e00b3 --- /dev/null +++ b/schemas/oauth2/3.11.x.json 
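Review bot: `custom_introspection_headers` is declared `"type": "map"` but its `"default"` is an empty array (`[ ]`), so a consumer of this schema sees an array default for an object-typed field; it should read `"default": {}`. In the same `config` record, the `anonymous` description says "If empty (default null)" while the field carries `"default": ""`; one of the two should change. The `ttl` description could also say that `0` keeps an introspection result cached without expiry, which presumably means a token revoked at the authorization server keeps being accepted until the cache is cleared. If this file is pulled from the gateway API rather than hand-edited, these fixes belong in the upstream schema.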
@@ -0,0 +1,221 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "scopes", + "if_field": "mandatory_scope", + "then_match": { + "required": true + } + } + } + ], + "fields": [ + { + "scopes": { + "elements": { + "type": "string" + }, + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", + "type": "array" + } + }, + { + "mandatory_scope": { + "default": false, + "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", + "required": true, + "type": "boolean" + } + }, + { + "provision_key": { + "encrypted": true, + "unique": true, + "type": "string", + "description": "The unique key the plugin has generated when it has been added to the Service.", + "required": true, + "auto": true + } + }, + { + "token_expiration": { + "default": 7200, + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. 
Set to `0` to disable the expiration.", + "required": true, + "type": "number" + } + }, + { + "enable_authorization_code": { + "default": false, + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", + "required": true, + "type": "boolean" + } + }, + { + "enable_implicit_grant": { + "default": false, + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", + "required": true, + "type": "boolean" + } + }, + { + "enable_client_credentials": { + "default": false, + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", + "required": true, + "type": "boolean" + } + }, + { + "enable_password_grant": { + "default": false, + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", + "required": true, + "type": "boolean" + } + }, + { + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "required": true, + "type": "boolean" + } + }, + { + "accept_http_if_already_terminated": { + "default": false, + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", + "required": true, + "type": "boolean" + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + } + }, + { + "global_credentials": { + "default": false, + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", + "required": true, + "type": "boolean" + } + }, + { + 
"auth_header_name": { + "default": "authorization", + "description": "The name of the header that is supposed to carry the access token.", + "type": "string" + } + }, + { + "refresh_token_ttl": { + "between": [ + 0, + 100000000 + ], + "required": true, + "type": "number", + "default": 1209600, + "description": "Time-to-live value for data" + } + }, + { + "reuse_refresh_token": { + "default": false, + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", + "required": true, + "type": "boolean" + } + }, + { + "persistent_refresh_token": { + "default": false, + "required": true, + "type": "boolean" + } + }, + { + "pkce": { + "required": false, + "type": "string", + "default": "lax", + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", + "one_of": [ + "none", + "lax", + "strict" + ] + } + }, + { + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": false, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/opa/3.11.x.json b/schemas/opa/3.11.x.json new file mode 100644 index 00000000..1b302c32 --- /dev/null +++ b/schemas/opa/3.11.x.json 
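Review bot: The four grant-flow descriptions (`enable_authorization_code`, `enable_implicit_grant`, `enable_client_credentials`, `enable_password_grant`) cite "RFC 6742", but the section numbers they give (4.1 to 4.4) are those of the OAuth 2.0 Authorization Framework, RFC 6749, so they should read e.g. `(RFC 6749 Section 4.1)`. `persistent_refresh_token` has no `description` at all, and `refresh_token_ttl` only says "Time-to-live value for data" without the unit or what `0` means, although `token_expiration` in the same record documents both. The `pkce` description should say what each of `none`, `lax` and `strict` enforces, since the default `lax` is the setting most operators will run with.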
@@ -0,0 +1,147 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "opa_protocol": { + "default": "http", + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", + "type": "string", + "one_of": [ + "http", + "https" + ] + } + }, + { + "opa_host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "opa_port": { + "between": [ + 0, + 65535 + ], + "required": true, + "type": "integer", + "default": 8181, + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "opa_path": { + "required": true, + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "starts_with": "/" + } + }, + { + "include_service_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", + "type": "boolean" + } + }, + { + "include_route_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", + "type": "boolean" + } + }, + { + "include_consumer_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", + "type": "boolean" + } + }, + { + "include_body_in_opa_input": { + "default": false, + "type": "boolean" + } + }, + { + "include_parsed_json_body_in_opa_input": { + "default": false, + "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", + "type": "boolean" + } + }, + { + "include_uri_captures_in_opa_input": { + "default": false, + "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": true, + "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "required": true, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/openid-connect/3.11.x.json b/schemas/openid-connect/3.11.x.json new file mode 100644 index 00000000..7a0c9dd9 
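Review bot: `include_body_in_opa_input` is the only `include_*` field in `config` without a `description`; going by its siblings, something like `"description": "If set to true, the request body of the current request is included as input to OPA."` would fit, and it is worth stating there that request bodies can carry credentials or personal data. `opa_protocol` defaults to `http` while `ssl_verify` defaults to `true`; assuming `ssl_verify` only takes effect for `https`, the default configuration sends the policy input to OPA unencrypted, and the `opa_protocol` description should say so. `opa_host`, `opa_port` and `opa_path` carry generic type descriptions ("A string representing a host name, such as example.com.") rather than describing the field itself.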
--- /dev/null +++ b/schemas/openid-connect/3.11.x.json 
@@ -0,0 +1,3558 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "shorthand_fields": [ + { + "authorization_cookie_lifetime": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.authorization_cookie_lifetime is deprecated, please use config.authorization_rolling_timeout instead" + }, + "type": "number" + } + }, + { + "authorization_cookie_samesite": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.authorization_cookie_samesite is deprecated, please use config.authorization_cookie_same_site instead" + }, + "type": "string" + } + }, + { + "authorization_cookie_httponly": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.authorization_cookie_httponly is deprecated, please use config.authorization_cookie_http_only instead" + }, + "type": "boolean" + } + }, + { + "session_cookie_lifetime": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead" + }, + "type": "number" + } + }, + { + "session_cookie_idletime": { + "deprecation": { + "removal_in_version": "4.0", + 
"message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead" + }, + "type": "number" + } + }, + { + "session_cookie_samesite": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead" + }, + "type": "string" + } + }, + { + "session_cookie_httponly": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead" + }, + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead" + }, + "type": "string" + } + }, + { + "session_memcache_socket": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead" + }, + "type": "string" + } + }, + { + "session_memcache_host": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead" + }, + "type": "string" + } + }, + { + "session_memcache_port": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead" + }, + "type": "integer" + } + }, + { + "session_cookie_renew": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_renew option does not exist anymore" + }, + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_maxsize option does not exist 
anymore" + }, + "type": "integer" + } + }, + { + "session_strategy": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_strategy option does not exist anymore" + }, + "type": "string" + } + }, + { + "session_compressor": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_compressor option does not exist anymore" + }, + "type": "string" + } + }, + { + "session_redis_prefix": { + "deprecation": { + "message": "openid-connect: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "prefix" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_socket": { + "deprecation": { + "message": "openid-connect: config.session_redis_socket is deprecated, please use config.redis.socket instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "socket" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_host": { + "deprecation": { + "message": "openid-connect: config.session_redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_port": { + "deprecation": { + "message": "openid-connect: config.session_redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ] + }, + "type": "integer" + } + }, + { + "session_redis_username": { + "deprecation": { + "message": "openid-connect: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_password": { + "deprecation": { + "message": "openid-connect: 
config.session_redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_connect_timeout": { + "deprecation": { + "message": "openid-connect: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "connect_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "session_redis_read_timeout": { + "deprecation": { + "message": "openid-connect: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "session_redis_send_timeout": { + "deprecation": { + "message": "openid-connect: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "send_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "session_redis_ssl": { + "deprecation": { + "message": "openid-connect: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ] + }, + "type": "boolean" + } + }, + { + "session_redis_ssl_verify": { + "deprecation": { + "message": "openid-connect: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ] + }, + "type": "boolean" + } + }, + { + "session_redis_server_name": { + "deprecation": { + "message": "openid-connect: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", + 
"removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_cluster_nodes": { + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "type": "array", + "deprecation": { + "message": "openid-connect: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "cluster_nodes" + ] + } + ] + } + } + }, + { + "session_redis_cluster_max_redirections": { + "deprecation": { + "message": "openid-connect: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "cluster_max_redirections" + ] + } + ] + }, + "type": "integer" + } + } + ], + "required": true, + "fields": [ + { + "issuer": { + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "required": true, + "type": "string" + } + }, + { + "using_pseudo_issuer": { + "default": false, + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "required": false, + "type": "boolean" + } + }, + { + "discovery_headers_names": { + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the discovery endpoint.", + "required": false, + "type": "array" + } + }, + { + "discovery_headers_values": { + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the discovery endpoint.", + "required": false, + "type": "array" + } + }, + { + "extra_jwks_uris": { + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "required": false, + "type": "set" + } + }, + { + "rediscovery_lifetime": { + "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", + "required": false, + "type": "number" + } + }, + { + "auth_methods": { + "required": false, + "type": "array", + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ], + "description": "Types of credentials/grants to enable.", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + } + } + }, + { + "client_id": { + "encrypted": true, + "required": false, + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." 
+ } + }, + { + "client_secret": { + "encrypted": true, + "required": false, + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "description": "The client secret." + } + }, + { + "client_auth": { + "elements": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + }, + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "required": false, + "type": "array" + } + }, + { + "client_jwk": { + "elements": { + "type": "record", + "required": false, + "fields": [ + { + "issuer": { + "required": false, + "type": "string" + } + }, + { + "kty": { + "required": false, + "type": "string" + } + }, + { + "use": { + "required": false, + "type": "string" + } + }, + { + "key_ops": { + "elements": { + "required": false, + "type": "string" + }, + "required": false, + "type": "array" + } + }, + { + "alg": { + "required": false, + "type": "string" + } + }, + { + "kid": { + "required": false, + "type": "string" + } + }, + { + "x5u": { + "required": false, + "type": "string" + } + }, + { + "x5c": { + "elements": { + "required": false, + "type": "string" + }, + "required": false, + "type": "array" + } + }, + { + "x5t": { + "required": false, + "type": "string" + } + }, + { + "x5t#S256": { + "required": false, + "type": "string" + } + }, + { + "k": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "x": { + "required": false, + "type": "string" + } + }, + { + "y": { + "required": false, + "type": 
"string" + } + }, + { + "crv": { + "required": false, + "type": "string" + } + }, + { + "n": { + "required": false, + "type": "string" + } + }, + { + "e": { + "required": false, + "type": "string" + } + }, + { + "d": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "p": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "q": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "dp": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "dq": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "qi": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "oth": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "r": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + }, + { + "t": { + "encrypted": true, + "required": false, + "referenceable": true, + "type": "string" + } + } + ] + }, + "description": "The JWK used for the private_key_jwt authentication.", + "required": false, + "type": "array" + } + }, + { + "client_alg": { + "elements": { + "type": "string", + "one_of": [ + "HS256", + "HS384", + "HS512", + "RS256", + "RS384", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + }, + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "required": false, + "type": "array" + } + }, + { + "client_arg": { + "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "required": false, + "type": "string" + } + }, + { + "redirect_uri": { + "elements": { + "type": "string", + "description": "A 
string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "The redirect URI passed to the authorization and token endpoints.", + "required": false, + "type": "array" + } + }, + { + "login_redirect_uri": { + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true, + "type": "string" + }, + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "required": false, + "type": "array" + } + }, + { + "logout_redirect_uri": { + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true, + "type": "string" + }, + "description": "Where to redirect the client after the logout.", + "required": false, + "type": "array" + } + }, + { + "forbidden_redirect_uri": { + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client on forbidden requests.", + "required": false, + "type": "array" + } + }, + { + "forbidden_error_message": { + "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection).", + "required": false, + "type": "string" + } + }, + { + "forbidden_destroy_session": { + "default": true, + "description": "Destroy any active session for the forbidden requests.", + "required": false, + "type": "boolean" + } + }, + { + "unauthorized_destroy_session": { + "default": true, + "description": "Destroy any active session for the unauthorized requests.", + "required": false, + "type": "boolean" + } + }, + { + "unauthorized_redirect_uri": { + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ }, + "description": "Where to redirect the client on unauthorized requests.", + "required": false, + "type": "array" + } + }, + { + "unauthorized_error_message": { + "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection).", + "required": false, + "type": "string" + } + }, + { + "unexpected_redirect_uri": { + "elements": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + }, + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "required": false, + "type": "array" + } + }, + { + "response_mode": { + "required": false, + "type": "string", + "default": "query", + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "one_of": [ + "query", + "form_post", + "fragment", + "query.jwt", + "form_post.jwt", + "fragment.jwt", + "jwt" + ] + } + }, + { + "response_type": { + "required": false, + "type": "array", + "default": [ + "code" + ], + "description": "The response type passed to the authorization endpoint.", + "elements": { + "type": "string" + } + } + }, + { + "scopes": { + "required": false, + "type": "array", + "default": [ + "openid" + ], + "description": "The scopes passed to the authorization and token endpoints.", + "elements": { + "referenceable": true, + "type": "string" + } + } + }, + { + "audience": { + "elements": { + "type": "string" + }, + "description": "The audience passed to the authorization endpoint.", + "required": false, + "type": "array" + } 
+ }, + { + "issuers_allowed": { + "elements": { + "type": "string" + }, + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "required": false, + "type": "array" + } + }, + { + "scopes_required": { + "elements": { + "type": "string" + }, + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, + "type": "array" + } + }, + { + "scopes_claim": { + "required": false, + "type": "array", + "default": [ + "scope" + ], + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } + } + }, + { + "audience_required": { + "elements": { + "type": "string" + }, + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, + "type": "array" + } + }, + { + "audience_claim": { + "required": false, + "type": "array", + "default": [ + "aud" + ], + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } + } + }, + { + "groups_required": { + "elements": { + "type": "string" + }, + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, + "type": "array" + } + }, + { + "groups_claim": { + "required": false, + "type": "array", + "default": [ + "groups" + ], + "description": "The claim that contains the groups. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } + } + }, + { + "roles_required": { + "elements": { + "type": "string" + }, + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "required": false, + "type": "array" + } + }, + { + "roles_claim": { + "required": false, + "type": "array", + "default": [ + "roles" + ], + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } + } + }, + { + "domains": { + "elements": { + "type": "string" + }, + "description": "The allowed values for the `hd` claim.", + "required": false, + "type": "array" + } + }, + { + "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "required": false, + "type": "number" + } + }, + { + "authenticated_groups_claim": { + "elements": { + "type": "string" + }, + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "type": "array" + } + }, + { + "pushed_authorization_request_endpoint": { + "description": "The pushed authorization endpoint. 
If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "pushed_authorization_request_endpoint_auth_method": { + "type": "string", + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "require_pushed_authorization_requests": { + "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "required": false, + "type": "boolean" + } + }, + { + "require_proof_key_for_code_exchange": { + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "required": false, + "type": "boolean" + } + }, + { + "require_signed_request_object": { + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "required": false, + "type": "boolean" + } + }, + { + "authorization_endpoint": { + "description": "The authorization endpoint. 
If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "authorization_query_args_names": { + "elements": { + "type": "string" + }, + "description": "Extra query argument names passed to the authorization endpoint.", + "required": false, + "type": "array" + } + }, + { + "authorization_query_args_values": { + "elements": { + "type": "string" + }, + "description": "Extra query argument values passed to the authorization endpoint.", + "required": false, + "type": "array" + } + }, + { + "authorization_query_args_client": { + "elements": { + "type": "string" + }, + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "required": false, + "type": "array" + } + }, + { + "authorization_rolling_timeout": { + "default": 600, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling.", + "required": false, + "type": "number" + } + }, + { + "authorization_cookie_name": { + "default": "authorization", + "description": "The authorization cookie name.", + "required": false, + "type": "string" + } + }, + { + "authorization_cookie_path": { + "required": false, + "type": "string", + "default": "/", + "description": "The authorization cookie Path flag.", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "starts_with": "/" + } + }, + { + "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", + "required": false, + "type": "string" + } + }, + { + "authorization_cookie_same_site": { + "required": false, + "type": "string", + "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "authorization_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "required": false, + "type": "boolean" + } + }, + { + "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "required": false, + "type": "boolean" + } + }, + { + "preserve_query_args": { + "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "required": false, + "type": "boolean" + } + }, + { + "token_endpoint": { + "description": "The token endpoint. 
If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "token_endpoint_auth_method": { + "type": "string", + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "token_headers_names": { + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_headers_values": { + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_headers_client": { + "elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_headers_replay": { + "elements": { + "type": "string" + }, + "description": "The names of token endpoint response headers to forward to the downstream client.", + "required": false, + "type": "array" + } + }, + { + "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "required": false, + "type": "string" + } + }, + { + "token_headers_grants": { + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token" + ] + }, + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials 
grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "required": false, + "type": "array" + } + }, + { + "token_post_args_names": { + "elements": { + "type": "string" + }, + "description": "Extra post argument names passed to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_post_args_values": { + "elements": { + "type": "string" + }, + "description": "Extra post argument values passed to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_post_args_client": { + "elements": { + "type": "string" + }, + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_endpoint": { + "description": "The introspection endpoint. 
If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "introspection_endpoint_auth_method": { + "type": "string", + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "introspection_hint": { + "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "required": false, + "type": "string" + } + }, + { + "introspection_check_active": { + "default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "required": false, + "type": "boolean" + } + }, + { + "introspection_accept": { + "required": false, + "type": "string", + "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "one_of": [ + "application/json", + "application/token-introspection+jwt", + "application/jwt" + ] + } + }, + { + "introspection_headers_names": { + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_headers_values": { + "encrypted": true, + "required": false, + "type": "array", + "elements": { + "referenceable": true, + "type": "string" + }, + "description": 
"Extra header values passed to the introspection endpoint." + } + }, + { + "introspection_headers_client": { + "elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_post_args_names": { + "elements": { + "type": "string" + }, + "description": "Extra post argument names passed to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_post_args_values": { + "elements": { + "type": "string" + }, + "description": "Extra post argument values passed to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_post_args_client": { + "elements": { + "type": "string" + }, + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspection_post_args_client_headers": { + "elements": { + "type": "string" + }, + "description": "Extra post arguments passed from the client headers to the introspection endpoint.", + "required": false, + "type": "array" + } + }, + { + "introspect_jwt_tokens": { + "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "required": false, + "type": "boolean" + } + }, + { + "revocation_endpoint": { + "description": "The revocation endpoint. 
If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "revocation_endpoint_auth_method": { + "type": "string", + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } + }, + { + "end_session_endpoint": { + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "userinfo_endpoint": { + "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "userinfo_accept": { + "required": false, + "type": "string", + "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "one_of": [ + "application/json", + "application/jwt" + ] + } + }, + { + "userinfo_headers_names": { + "elements": { + "type": "string" + }, + "description": "Extra header names passed to the user info endpoint.", + "required": false, + "type": "array" + } + }, + { + "userinfo_headers_values": { + "elements": { + "type": "string" + }, + "description": "Extra header values passed to the user info endpoint.", + "required": false, + "type": "array" + } + }, + { + "userinfo_headers_client": { + "elements": { + "type": "string" + }, + "description": "Extra headers passed from the client to the user info 
endpoint.", + "required": false, + "type": "array" + } + }, + { + "userinfo_query_args_names": { + "elements": { + "type": "string" + }, + "description": "Extra query argument names passed to the user info endpoint.", + "required": false, + "type": "array" + } + }, + { + "userinfo_query_args_values": { + "elements": { + "type": "string" + }, + "description": "Extra query argument values passed to the user info endpoint.", + "required": false, + "type": "array" + } + }, + { + "userinfo_query_args_client": { + "elements": { + "type": "string" + }, + "description": "Extra query arguments passed from the client to the user info endpoint.", + "required": false, + "type": "array" + } + }, + { + "token_exchange_endpoint": { + "description": "The token exchange endpoint.", + "required": false, + "type": "string" + } + }, + { + "session_secret": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The session secret.", + "required": false + } + }, + { + "session_audience": { + "default": "default", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "required": false, + "type": "string" + } + }, + { + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "required": false, + "type": "string" + } + }, + { + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "required": false, + "type": "boolean" + } + }, + { + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "required": false, + "type": "string" + } + }, + { + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Specifies how long the persistent session is considered valid in seconds. 
0 disables the checks and rolling.", + "required": false, + "type": "number" + } + }, + { + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "required": false, + "type": "number" + } + }, + { + "session_idling_timeout": { + "default": 900, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "required": false, + "type": "number" + } + }, + { + "session_rolling_timeout": { + "default": 3600, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "required": false, + "type": "number" + } + }, + { + "session_absolute_timeout": { + "default": 86400, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 
0 disables the checks.", + "required": false, + "type": "number" + } + }, + { + "session_cookie_path": { + "required": false, + "type": "string", + "default": "/", + "description": "The session cookie Path flag.", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "starts_with": "/" + } + }, + { + "session_cookie_domain": { + "description": "The session cookie Domain flag.", + "required": false, + "type": "string" + } + }, + { + "session_cookie_same_site": { + "required": false, + "type": "string", + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "required": false, + "type": "boolean" + } + }, + { + "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "required": false, + "type": "boolean" + } + }, + { + "session_request_headers": { + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. 
`[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "required": false, + "type": "set" + } + }, + { + "session_response_headers": { + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "required": false, + "type": "set" + } + }, + { + "session_storage": { + "required": false, + "type": "string", + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "one_of": [ + "cookie", + "memcache", + "memcached", + "redis" + ] + } + }, + { + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "required": false, + "type": "boolean" + } + }, + { + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "required": false, + "type": "boolean" + } + }, + { + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", + "required": false, + "type": "boolean" + } + }, + { + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "required": false, + "type": "boolean" + } + }, + { + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "required": false, + "type": "string" + } + }, + { + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "required": false, + "type": "string" + } + }, + { + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "required": false, + "type": "string" + } + }, + { + "session_memcached_port": { + "between": [ + 0, + 65535 + ], + "required": false, + "type": "integer", + "default": 11211, + "description": "The memcached port." 
+ } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + } + ], + "fields": [ + { + 
"host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "one_of": [ + "master", + "slave", + "any" + ], + "type": "string" + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ], + "type": "record" + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ], + "type": "record" + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + }, + { + "prefix": { + "description": "The Redis session key prefix.", + "required": false, + "type": "string" + } + }, + { + "socket": { + "description": "The Redis unix socket path.", + "required": false, + "type": "string" + } + } + ] + } + }, + { + "reverify": { + "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", + "required": false, + "type": "boolean" + } + }, + { + "jwt_session_claim": { + "default": "sid", + "description": "The claim to match against the JWT session cookie.", + "required": false, + "type": "string" + } + }, + { + "jwt_session_cookie": { + "description": "The name of the JWT session cookie.", + "required": false, + "type": "string" + } + }, + { + "bearer_token_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "elements": { + "type": "string", + "one_of": [ + "header", + "cookie", + "query", + "body" + ] + } + } + }, + { + 
"bearer_token_cookie_name": { + "description": "The name of the cookie in which the bearer token is passed.", + "required": false, + "type": "string" + } + }, + { + "client_credentials_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + } + } + }, + { + "password_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + } + } + }, + { + "id_token_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + } + } + }, + { + "id_token_param_name": { + "description": "The name of the parameter used to pass the id token.", + "required": false, + "type": "string" + } + }, + { + "refresh_token_param_type": { + "required": false, + "type": "array", + "default": [ + "header", + "query", + "body" + ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "elements": { + "type": "string", + "one_of": [ + "header", + "query", + "body" + ] + } + } + }, + { + "refresh_token_param_name": { + "description": "The name of the 
parameter used to pass the refresh token.", + "required": false, + "type": "string" + } + }, + { + "refresh_tokens": { + "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "required": false, + "type": "boolean" + } + }, + { + "upstream_headers_claims": { + "elements": { + "type": "string" + }, + "description": "The upstream header claims. Only top level claims are supported.", + "required": false, + "type": "array" + } + }, + { + "upstream_headers_names": { + "elements": { + "type": "string" + }, + "description": "The upstream header names for the claim values.", + "required": false, + "type": "array" + } + }, + { + "upstream_access_token_header": { + "default": "authorization:bearer", + "description": "The upstream access token header.", + "required": false, + "type": "string" + } + }, + { + "upstream_access_token_jwk_header": { + "description": "The upstream access token JWK header.", + "required": false, + "type": "string" + } + }, + { + "upstream_id_token_header": { + "description": "The upstream id token header.", + "required": false, + "type": "string" + } + }, + { + "upstream_id_token_jwk_header": { + "description": "The upstream id token JWK header.", + "required": false, + "type": "string" + } + }, + { + "upstream_refresh_token_header": { + "description": "The upstream refresh token header.", + "required": false, + "type": "string" + } + }, + { + "upstream_user_info_header": { + "description": "The upstream user info header.", + "required": false, + "type": "string" + } + }, + { + "upstream_user_info_jwt_header": { + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "required": false, + "type": "string" + } + }, + { + "upstream_introspection_header": { + "description": "The upstream introspection header.", + "required": false, + "type": "string" + } + }, + { + 
"upstream_introspection_jwt_header": { + "description": "The upstream introspection JWT header.", + "required": false, + "type": "string" + } + }, + { + "upstream_session_id_header": { + "description": "The upstream session id header.", + "required": false, + "type": "string" + } + }, + { + "downstream_headers_claims": { + "elements": { + "type": "string" + }, + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "type": "array" + } + }, + { + "downstream_headers_names": { + "elements": { + "type": "string" + }, + "description": "The downstream header names for the claim values.", + "required": false, + "type": "array" + } + }, + { + "downstream_access_token_header": { + "description": "The downstream access token header.", + "required": false, + "type": "string" + } + }, + { + "downstream_access_token_jwk_header": { + "description": "The downstream access token JWK header.", + "required": false, + "type": "string" + } + }, + { + "downstream_id_token_header": { + "description": "The downstream id token header.", + "required": false, + "type": "string" + } + }, + { + "downstream_id_token_jwk_header": { + "description": "The downstream id token JWK header.", + "required": false, + "type": "string" + } + }, + { + "downstream_refresh_token_header": { + "description": "The downstream refresh token header.", + "required": false, + "type": "string" + } + }, + { + "downstream_user_info_header": { + "description": "The downstream user info header.", + "required": false, + "type": "string" + } + }, + { + "downstream_user_info_jwt_header": { + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "required": false, + "type": "string" + } + }, + { + "downstream_introspection_header": { + "description": "The downstream introspection header.", + "required": false, + "type": "string" + } + }, + { + 
"downstream_introspection_jwt_header": { + "description": "The downstream introspection JWT header.", + "required": false, + "type": "string" + } + }, + { + "downstream_session_id_header": { + "description": "The downstream session id header.", + "required": false, + "type": "string" + } + }, + { + "login_methods": { + "required": false, + "type": "array", + "default": [ + "authorization_code" + ], + "description": "Enable login functionality with specified grants.", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + } + } + }, + { + "login_action": { + "required": false, + "type": "string", + "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "one_of": [ + "upstream", + "response", + "redirect" + ] + } + }, + { + "login_tokens": { + "required": false, + "type": "array", + "default": [ + "id_token" + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "elements": { + "type": "string", + "one_of": [ + "id_token", + "access_token", + "refresh_token", + "tokens", + "introspection" + ] + } + } + }, + { + "login_redirect_mode": { + "required": false, + "type": "string", + "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "one_of": [ + "query", + "fragment" + ] + } + }, + { + "logout_query_arg": { + 
"description": "The request query argument that activates the logout.", + "required": false, + "type": "string" + } + }, + { + "logout_post_arg": { + "description": "The request body argument that activates the logout.", + "required": false, + "type": "string" + } + }, + { + "logout_uri_suffix": { + "description": "The request URI suffix that activates the logout.", + "required": false, + "type": "string" + } + }, + { + "logout_methods": { + "required": false, + "type": "array", + "default": [ + "POST", + "DELETE" + ], + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "elements": { + "type": "string", + "one_of": [ + "POST", + "GET", + "DELETE" + ] + } + } + }, + { + "logout_revoke": { + "default": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "required": false, + "type": "boolean" + } + }, + { + "logout_revoke_access_token": { + "default": true, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "required": false, + "type": "boolean" + } + }, + { + "logout_revoke_refresh_token": { + "default": true, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "required": false, + "type": "boolean" + } + }, + { + "consumer_claim": { + "elements": { + "type": "string" + }, + "description": "The claim used for consumer mapping. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "type": "array" + } + }, + { + "consumer_by": { + "required": false, + "type": "array", + "default": [ + "username", + "custom_id" + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "elements": { + "type": "string", + "one_of": [ + "id", + "username", + "custom_id" + ] + } + } + }, + { + "consumer_optional": { + "default": false, + "description": "Do not terminate the request if consumer mapping fails.", + "required": false, + "type": "boolean" + } + }, + { + "credential_claim": { + "required": false, + "type": "array", + "default": [ + "sub" + ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "elements": { + "type": "string" + } + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "required": false, + "type": "string" + } + }, + { + "run_on_preflight": { + "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "required": false, + "type": "boolean" + } + }, + { + "leeway": { + "default": 0, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "required": false, + "type": "number" + } + }, + { + "verify_parameters": { + "default": false, + "description": "Verify plugin configuration against discovery.", + "required": false, + "type": "boolean" + } + }, + { + "verify_nonce": { + "default": true, + "description": "Verify nonce on authorization code flow.", + "required": false, + "type": "boolean" + } + }, + { + "verify_claims": { + "default": true, + "description": "Verify tokens for standard claims.", + "required": false, + "type": "boolean" + } + }, + { + "verify_signature": { + "default": true, + "description": "Verify signature of tokens.", + "required": false, + "type": "boolean" + } + }, + { + "ignore_signature": { + "required": false, + "type": "array", + "default": [ + + ], + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token", + "session", + "introspection", + "userinfo" + ] + } + } + }, + { + "enable_hs_signatures": { + "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + 
"required": false, + "type": "boolean" + } + }, + { + "disable_session": { + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] + }, + "description": "Disable issuing the session cookie with the specified grants.", + "required": false, + "type": "array" + } + }, + { + "cache_ttl": { + "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "required": false, + "type": "number" + } + }, + { + "cache_ttl_max": { + "description": "The maximum cache ttl in seconds (enforced).", + "required": false, + "type": "number" + } + }, + { + "cache_ttl_min": { + "description": "The minimum cache ttl in seconds (enforced).", + "required": false, + "type": "number" + } + }, + { + "cache_ttl_neg": { + "description": "The negative cache ttl in seconds.", + "required": false, + "type": "number" + } + }, + { + "cache_ttl_resurrect": { + "description": "The resurrection ttl in seconds.", + "required": false, + "type": "number" + } + }, + { + "cache_tokens": { + "default": true, + "description": "Cache the token endpoint requests.", + "required": false, + "type": "boolean" + } + }, + { + "cache_tokens_salt": { + "auto": true, + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "required": false, + "type": "string" + } + }, + { + "cache_introspection": { + "default": true, + "description": "Cache the introspection endpoint requests.", + "required": false, + "type": "boolean" + } + }, + { + "cache_token_exchange": { + "default": true, + "description": "Cache the token exchange endpoint requests.", + "required": false, + "type": "boolean" + } + }, + { + "cache_user_info": { + "default": true, + "description": "Cache the user info requests.", + "required": false, + "type": "boolean" + } + }, + 
{ + "search_user_info": { + "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "required": false, + "type": "boolean" + } + }, + { + "hide_credentials": { + "default": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "required": false, + "type": "boolean" + } + }, + { + "http_version": { + "default": 1.1, + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "required": false, + "type": "number" + } + }, + { + "http_proxy": { + "description": "The HTTP proxy.", + "required": false, + "type": "string" + } + }, + { + "http_proxy_authorization": { + "required": false, + "description": "The HTTP proxy authorization.", + "referenceable": true, + "type": "string" + } + }, + { + "https_proxy": { + "description": "The HTTPS proxy.", + "required": false, + "type": "string" + } + }, + { + "https_proxy_authorization": { + "required": false, + "description": "The HTTPS proxy authorization.", + "referenceable": true, + "type": "string" + } + }, + { + "no_proxy": { + "description": "Do not use proxy with these hosts.", + "required": false, + "type": "string" + } + }, + { + "keepalive": { + "default": true, + "description": "Use keepalive with the HTTP client.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "Verify identity provider server certificate. 
If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "required": false, + "type": "boolean" + } + }, + { + "timeout": { + "default": 10000, + "description": "Network IO timeout in milliseconds.", + "required": false, + "type": "number" + } + }, + { + "display_errors": { + "default": false, + "description": "Display errors on failure responses.", + "required": false, + "type": "boolean" + } + }, + { + "by_username_ignore_case": { + "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "required": false, + "type": "boolean" + } + }, + { + "resolve_distributed_claims": { + "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "required": false, + "type": "boolean" + } + }, + { + "expose_error_code": { + "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. 
Set to `false` to disable.", + "type": "boolean" + } + }, + { + "token_cache_key_include_scope": { + "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean" + } + }, + { + "introspection_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for introspection.", + "required": false, + "type": "string" + } + }, + { + "revocation_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for revocation.", + "required": false, + "type": "string" + } + }, + { + "proof_of_possession_mtls": { + "required": false, + "type": "string", + "default": "off", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", + "one_of": [ + "off", + "strict", + "optional" + ] + } + }, + { + "proof_of_possession_auth_methods_validation": { + "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. 
If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "required": false, + "type": "boolean" + } + }, + { + "tls_client_auth_cert_id": { + "auto": false, + "required": false, + "type": "string", + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "uuid": true + } + }, + { + "tls_client_auth_ssl_verify": { + "default": true, + "description": "Verify identity provider server certificate during mTLS client authentication.", + "required": false, + "type": "boolean" + } + }, + { + "mtls_token_endpoint": { + "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "mtls_introspection_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "mtls_revocation_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, + "type": "string" + } + }, + { + "proof_of_possession_dpop": { + "required": false, + "type": "string", + "default": "off", + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). 
If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "one_of": [ + "off", + "strict", + "optional" + ] + } + }, + { + "dpop_use_nonce": { + "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", + "required": false, + "type": "boolean" + } + }, + { + "dpop_proof_lifetime": { + "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "required": false, + "type": "number" + } + }, + { + "claims_forbidden": { + "elements": { + "type": "string" + }, + "description": "If given, these claims are forbidden in the token payload.", + "required": false, + "type": "array" + } + }, + { + "cluster_cache_strategy": { + "required": false, + "type": "string", + "default": "off", + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. 
Currentlly only introspection cache is shared.", + "one_of": [ + "off", + "redis" + ] + } + }, + { + "cluster_cache_redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + 
"path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + } + ] + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/opentelemetry/3.11.x.json b/schemas/opentelemetry/3.11.x.json new file mode 100644 index 00000000..573b5251 --- /dev/null +++ b/schemas/opentelemetry/3.11.x.json 
@@ -0,0 +1,367 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "required": true, + "type": "record", + "entity_checks": [ + { + "at_least_one_of": [ + "traces_endpoint", + "logs_endpoint" + ] + } + ], + "shorthand_fields": [ + { + "endpoint": { + "deprecation": { + "removal_in_version": "4.0", + "message": "OpenTelemetry: config.endpoint is deprecated, please use config.traces_endpoint instead" + }, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true, + "type": "string" + } + } + ], + "fields": [ + { + "traces_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true, + "type": "string" + } + }, + { + "logs_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "referenceable": true, + "type": "string" + } + }, + { + "headers": { + "values": { + "referenceable": true, + "type": "string" + }, + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", + "keys": { + "type": "string", + "description": "A string representing an HTTP header name." 
+ }, + "type": "map" + } + }, + { + "resource_attributes": { + "values": { + "required": true, + "type": "string" + }, + "keys": { + "required": true, + "type": "string" + }, + "type": "map" + } + }, + { + "queue": { + "default": { + "max_batch_size": 200 + }, + "type": "record", + "required": true, + "fields": [ + { + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "between": [ + 0, + 3600 + ], + "type": "number" + } + }, + { + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + } + }, + { + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. 
-1 indicates unlimited.", + "type": "integer", + "one_of": [ + -1, + 1 + ] + } + } + ] + } + }, + { + "batch_span_count": { + "description": "The number of spans to be sent in a single batch.", + "type": "integer", + "deprecation": { + "old_default": 200, + "message": "opentelemetry: config.batch_span_count is deprecated, please use config.queue.max_batch_size instead", + "removal_in_version": "4.0" + } + } + }, + { + "batch_flush_delay": { + "description": "The delay, in seconds, between two consecutive batches.", + "type": "integer", + "deprecation": { + "old_default": 3, + "message": "opentelemetry: config.batch_flush_delay is deprecated, please use config.queue.max_coalescing_delay instead", + "removal_in_version": "4.0" + } + } + }, + { + "connect_timeout": { + "default": 1000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "http_response_header_for_traceid": { + "type": "string" + } + }, + { + "header_type": { + "required": false, + "type": "string", + "default": "preserve", + "deprecation": { + "old_default": "preserve", + "message": "opentelemetry: config.header_type is deprecated, please use config.propagation options instead", + "removal_in_version": "4.0" + }, + "one_of": [ + "preserve", + "ignore", + "b3", + "b3-single", + "w3c", + "jaeger", + "ot", + "aws", + "gcp", + "datadog" + ] + } + }, + { + "sampling_rate": { + "between": [ + 0, + 1 + ], + "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", + "required": false, + "type": "number" + } + }, + { + "propagation": { + "default": { + "default_format": "w3c" + }, + "fields": [ + { + "extract": { + "elements": { + "type": "string", + "one_of": [ + "gcp", + "jaeger", + "aws", + "ot", + "w3c", + "datadog", + "b3" + ] + }, + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "type": "array" + } + }, + { + "clear": { + "elements": { + "type": "string" + }, + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. 
If left empty, no headers are cleared.", + "type": "array" + } + }, + { + "inject": { + "elements": { + "type": "string", + "one_of": [ + "preserve", + "gcp", + "b3-single", + "jaeger", + "aws", + "ot", + "w3c", + "datadog", + "b3" + ] + }, + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "type": "array" + } + }, + { + "default_format": { + "type": "string", + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "required": true, + "one_of": [ + "gcp", + "b3-single", + "jaeger", + "aws", + "ot", + "w3c", + "datadog", + "b3" + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/post-function/3.11.x.json b/schemas/post-function/3.11.x.json new file mode 100644 index 00000000..6835bfd9 --- /dev/null +++ b/schemas/post-function/3.11.x.json 
@@ -0,0 +1,228 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ], + "fields": [ + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": false, + "type": "set" + } + }, + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "config": { + "fields": [ + { + "certificate": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "rewrite": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "access": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "header_filter": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": 
true, + "type": "array" + } + }, + { + "body_filter": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "log": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "ws_handshake": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "ws_client_frame": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "ws_upstream_frame": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "ws_close": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/pre-function/3.11.x.json b/schemas/pre-function/3.11.x.json new file mode 100644 index 00000000..6835bfd9 --- /dev/null +++ b/schemas/pre-function/3.11.x.json 
@@ -0,0 +1,228 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } + ], + "fields": [ + { + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] + }, + "required": false, + "type": "set" + } + }, + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "config": { + "fields": [ + { + "certificate": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "rewrite": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "access": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "header_filter": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": 
true, + "type": "array" + } + }, + { + "body_filter": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "log": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "ws_handshake": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "ws_client_frame": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "ws_upstream_frame": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "ws_close": { + "default": [ + + ], + "elements": { + "required": false, + "type": "string" + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/prometheus/3.11.x.json b/schemas/prometheus/3.11.x.json new file mode 100644 index 00000000..ff139dbf --- /dev/null +++ b/schemas/prometheus/3.11.x.json 
@@ -0,0 +1,94 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "per_consumer": { + "default": false, + "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", + "type": "boolean" + } + }, + { + "status_code_metrics": { + "default": false, + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", + "type": "boolean" + } + }, + { + "ai_metrics": { + "default": false, + "description": "A boolean value that determines if ai metrics should be collected. If enabled, the `ai_llm_requests_total`, `ai_llm_cost_total` and `ai_llm_tokens_total` metrics will be exported.", + "type": "boolean" + } + }, + { + "latency_metrics": { + "default": false, + "description": "A boolean value that determines if latency metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", + "type": "boolean" + } + }, + { + "bandwidth_metrics": { + "default": false, + "description": "A boolean value that determines if bandwidth metrics should be collected. 
If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", + "type": "boolean" + } + }, + { + "upstream_health_metrics": { + "default": false, + "description": "A boolean value that determines if upstream metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/proxy-cache-advanced/3.11.x.json b/schemas/proxy-cache-advanced/3.11.x.json new file mode 100644 index 00000000..63d95361 --- /dev/null +++ b/schemas/proxy-cache-advanced/3.11.x.json 
@@ -0,0 +1,573 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "response_code": { + "required": true, + "type": "array", + "default": [ + 200, + 301, + 404 + ], + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", + "elements": { + "between": [ + 100, + 900 + ], + "type": "integer" + }, + "len_min": 1 + } + }, + { + "request_method": { + "required": true, + "type": "array", + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", + "elements": { + "type": "string", + "one_of": [ + "HEAD", + "GET", + "POST", + "PATCH", + "PUT" + ] + } + } + }, + { + "content_type": { + "required": true, + "type": "array", + "default": [ + "text/plain", + "application/json" + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", + "elements": { + "type": "string" + } + } + }, + { + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities.", + "gt": 0, + "type": "integer" + } + }, + { + "strategy": { + "type": "string", + "description": "The backing data store in which to hold cache entities. 
Accepted values are: `memory` and `redis`.", + "required": true, + "one_of": [ + "memory", + "redis" + ] + } + }, + { + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "required": true, + "type": "boolean" + } + }, + { + "ignore_uri_case": { + "default": false, + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", + "required": false, + "type": "boolean" + } + }, + { + "storage_ttl": { + "type": "integer", + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." + } + }, + { + "memory": { + "fields": [ + { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "required": true, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "vary_query_params": { + "elements": { + "type": "string" + }, + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "type": "array" + } + }, + { + "vary_headers": { + "elements": { + "type": "string" + }, + "description": "Relevant headers considered for the cache key. 
If undefined, none of the headers are taken into consideration.", + "type": "array" + } + }, + { + "response_headers": { + "type": "record", + "description": "Caching related diagnostic headers that should be included in cached responses", + "required": true, + "fields": [ + { + "age": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Status": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Key": { + "default": true, + "type": "boolean" + } + } + ] + } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes 
instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + } + ] + } + }, + { + "bypass_on_err": { + "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/proxy-cache/3.11.x.json b/schemas/proxy-cache/3.11.x.json new file mode 100644 index 00000000..c639f5af --- /dev/null +++ b/schemas/proxy-cache/3.11.x.json 
@@ -0,0 +1,205 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "config": { + "fields": [ + { + "response_code": { + "required": true, + "type": "array", + "default": [ + 200, + 301, + 404 + ], + "description": "Upstream response status code considered cacheable.", + "elements": { + "between": [ + 100, + 900 + ], + "type": "integer" + }, + "len_min": 1 + } + }, + { + "request_method": { + "required": true, + "type": "array", + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable.", + "elements": { + "type": "string", + "one_of": [ + "HEAD", + "GET", + "POST", + "PATCH", + "PUT" + ] + } + } + }, + { + "content_type": { + "required": true, + "type": "array", + "default": [ + "text/plain", + "application/json" + ], + "description": "Upstream response content types considered cacheable. 
The plugin performs an **exact match** against each specified value.", + "elements": { + "type": "string" + } + } + }, + { + "cache_ttl": { + "default": 300, + "description": "TTL, in seconds, of cache entities.", + "gt": 0, + "type": "integer" + } + }, + { + "strategy": { + "type": "string", + "description": "The backing data store in which to hold cache entities.", + "required": true, + "one_of": [ + "memory" + ] + } + }, + { + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "required": true, + "type": "boolean" + } + }, + { + "ignore_uri_case": { + "default": false, + "required": false, + "type": "boolean" + } + }, + { + "storage_ttl": { + "type": "integer", + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." + } + }, + { + "memory": { + "fields": [ + { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "required": true, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "vary_query_params": { + "elements": { + "type": "string" + }, + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "type": "array" + } + }, + { + "vary_headers": { + "elements": { + "type": "string" + }, + "description": "Relevant headers considered for the cache key. 
If undefined, none of the headers are taken into consideration.", + "type": "array" + } + }, + { + "response_headers": { + "type": "record", + "description": "Caching related diagnostic headers that should be included in cached responses", + "required": true, + "fields": [ + { + "age": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Status": { + "default": true, + "type": "boolean" + } + }, + { + "X-Cache-Key": { + "default": true, + "type": "boolean" + } + } + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/rate-limiting-advanced/3.11.x.json b/schemas/rate-limiting-advanced/3.11.x.json new file mode 100644 index 00000000..a2ecf410 --- /dev/null +++ b/schemas/rate-limiting-advanced/3.11.x.json 
@@ -0,0 +1,599 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "identifier": { + "required": true, + "type": "string", + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "one_of": [ + "ip", + "credential", + "consumer", + "service", + "header", + "path", + "consumer-group" + ] + } + }, + { + "compound_identifier": { + "elements": { + "type": "string", + "one_of": [ + "ip", + "credential", + "consumer", + "service", + "header", + "path", + "consumer-group" + ] + }, + "description": "Similar to `identifer`, but supports combining multiple items. The priority of `compound_identifier` is higher than `identifier`, which means if `compound_identifer` is set, it will be used, otherwise `identifier` will be used.", + "type": "array" + } + }, + { + "window_size": { + "elements": { + "type": "number" + }, + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "required": true, + "type": "array" + } + }, + { + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. 
Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "type": "string", + "one_of": [ + "fixed", + "sliding" + ] + } + }, + { + "limit": { + "elements": { + "type": "number" + }, + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "required": true, + "type": "array" + } + }, + { + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + } + }, + { + "namespace": { + "auto": true, + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", + "required": true, + "type": "string" + } + }, + { + "strategy": { + "required": true, + "type": "string", + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "one_of": [ + "cluster", + "redis", + "local" + ] + } + }, + { + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. 
When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "required": true, + "type": "string" + } + }, + { + "lock_dictionary_name": { + "default": "kong_locks", + "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. The shared dictionary should be declare in nginx-kong.conf.", + "required": true, + "type": "string" + } + }, + { + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" + } + }, + { + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + } + }, + { + "header_name": { + "type": "string", + "description": "A string representing an HTTP header name." + } + }, + { + "path": { + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "type": "string" + } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "cluster_addresses 
is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "one_of": [ + "master", + "slave", + "any" + ], + "type": "string" + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ], + "type": "record" + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ], + "type": "record" + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + }, + { + "redis_proxy_type": { + "type": "string", + "description": "If the `connection_is_proxied` is enabled, this field indicates the proxy type and version you are using. For example, you can enable this optioin when you want authentication between Kong and Envoy proxy.", + "required": false, + "one_of": [ + "envoy_v1.31" + ] + } + } + ] + } + }, + { + "enforce_consumer_groups": { + "default": false, + "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", + "type": "boolean" + } + }, + { + "consumer_groups": { + "elements": { + "type": "string" + }, + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", + "type": "array" + } + }, + { + "disable_penalty": { + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. 
This parameter only affects the `sliding` window_type.", + "type": "boolean" + } + }, + { + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "gt": 0, + "type": "number" + } + }, + { + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/rate-limiting/3.11.x.json b/schemas/rate-limiting/3.11.x.json new file mode 100644 index 00000000..fc7061fb --- /dev/null +++ b/schemas/rate-limiting/3.11.x.json 
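Review bot: `config.redis.ssl` and `config.redis.ssl_verify` both default to `false` in schemas/rate-limiting-advanced/3.11.x.json, so with `strategy` set to `redis` the connection is unencrypted unless the operator opts in, and that includes the AUTH exchange for the `password` and `sentinel_password` fields the same record marks `encrypted`. Enabling `ssl` alone still leaves the server certificate unchecked. The `ssl` description should say so, for example `"description": "If set to true, uses SSL to connect to Redis. When false, credentials and counter data cross the network unencrypted; enable together with ssl_verify."`. The same pair of defaults appears in the `redis` record of schemas/rate-limiting/3.11.x.json and as `http_opts.ssl_verify` in schemas/request-callout/3.11.x.json, whose description also mentions "your Redis server" although that field governs the callout request. These files look like upstream schema dumps, so the wording probably has to change at the source rather than in this patch.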
@@ -0,0 +1,474 @@ +{ + "entity_checks": [ + { + "at_least_one_of": [ + "config.second", + "config.minute", + "config.hour", + "config.day", + "config.month", + "config.year" + ] + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.host", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.port", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.timeout", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "header" + }, + "then_field": "config.header_name", + "if_field": "config.limit_by", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "path" + }, + "then_field": "config.path", + "if_field": "config.limit_by", + "then_match": { + "required": true + } + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "second": { + "gt": 0, + "description": "The number of HTTP requests that can be made per second.", + "type": "number" + } + }, + { + "minute": { + "gt": 0, + "description": "The number of HTTP requests that can be made per minute.", + "type": "number" + } + }, + { + "hour": { + "gt": 0, + "description": "The number of HTTP requests that can be made per hour.", + "type": "number" + } + }, + { + "day": { + "gt": 0, + "description": "The number of HTTP requests that can be made per day.", + "type": "number" + } + }, + { + "month": { + "gt": 0, + "description": "The 
number of HTTP requests that can be made per month.", + "type": "number" + } + }, + { + "year": { + "gt": 0, + "description": "The number of HTTP requests that can be made per year.", + "type": "number" + } + }, + { + "limit_by": { + "default": "consumer", + "description": "The entity that is used when aggregating the limits.", + "type": "string", + "one_of": [ + "consumer", + "credential", + "ip", + "service", + "header", + "path", + "consumer-group" + ] + } + }, + { + "header_name": { + "type": "string", + "description": "A string representing an HTTP header name." + } + }, + { + "path": { + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "type": "string" + } + }, + { + "policy": { + "type": "string", + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "len_min": 0, + "one_of": [ + "local", + "cluster", + "redis" + ] + } + }, + { + "fault_tolerant": { + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", + "required": true, + "type": "boolean" + } + }, + { + "redis": { + "type": "record", + "description": "Redis configuration", + "required": true, + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." 
+ } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "len_min": 0 + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + } + ] + } + }, + { + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers.", + "required": true, + "type": "boolean" + } + }, + { + "error_code": { + "gt": 0, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "default": 429, + "type": "number" + } + }, + { + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + } + }, + { + "sync_rate": { + "default": -1, + "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior.", + "required": true, + "type": "number" + } + } + ], + "shorthand_fields": [ + { + "redis_host": { + "deprecation": { + "message": "rate-limiting: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } + ] + }, + "type": "string" + } + }, + { + "redis_port": { + "deprecation": { + "message": "rate-limiting: config.redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ] + }, + "type": "integer" + } + }, + { + "redis_password": { + "type": "string", + "deprecation": { + "message": "rate-limiting: config.redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ] + }, + "len_min": 0 + } + }, + { + "redis_username": { + "deprecation": { + "message": "rate-limiting: config.redis_username 
is deprecated, please use config.redis.username instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ] + }, + "type": "string" + } + }, + { + "redis_ssl": { + "deprecation": { + "message": "rate-limiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ] + }, + "type": "boolean" + } + }, + { + "redis_ssl_verify": { + "deprecation": { + "message": "rate-limiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ] + }, + "type": "boolean" + } + }, + { + "redis_server_name": { + "deprecation": { + "message": "rate-limiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ] + }, + "type": "string" + } + }, + { + "redis_timeout": { + "deprecation": { + "message": "rate-limiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "redis_database": { + "deprecation": { + "message": "rate-limiting: config.redis_database is deprecated, please use config.redis.database instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "database" + ] + } + ] + }, + "type": "integer" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/redirect/3.11.x.json b/schemas/redirect/3.11.x.json new file mode 100644 index 00000000..32153288 --- /dev/null +++ b/schemas/redirect/3.11.x.json 
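Review bot: `config.fault_tolerant` defaults to `true` in schemas/rate-limiting/3.11.x.json, and its own description says a data-store connection problem then proxies requests anyway, "effectively disabling the rate-limiting function". Presumably this applies when `policy` is `cluster` or `redis`, in which case the limit fails open and the client sees no error. Where the limit serves as a security control (login throttling, enumeration protection), that default deserves an explicit caveat; I would append to the description `Set to false on routes where the limit protects authentication or other abuse-sensitive endpoints, and alert on data-store connection errors.` Because the field carries a default, an operator who never sets it gets the fail-open behaviour. As the schema appears to be pulled from upstream, the description change likely belongs there.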
@@ -0,0 +1,61 @@ +{ + "entity_checks": [], + "fields": [ + { + "protocols": { + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "set", + "required": true, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "type": "record", + "required": true, + "fields": [ + { + "status_code": { + "between": [ + 100, + 599 + ], + "default": 301, + "type": "integer", + "required": true, + "description": "The response code to send. Must be an integer between 100 and 599." + } + }, + { + "location": { + "type": "string", + "required": true, + "description": "The URL to redirect to" + } + }, + { + "keep_incoming_path": { + "type": "boolean", + "default": false, + "description": "Use the incoming request's path and query string in the redirect URL" + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/request-callout/3.11.x.json b/schemas/request-callout/3.11.x.json new file mode 100644 index 00000000..4c92e8f2 --- /dev/null +++ b/schemas/request-callout/3.11.x.json 
@@ -0,0 +1,960 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols.", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "set", + "required": true + } + }, + { + "config": { + "type": "record", + "fields": [ + { + "callouts": { + "description": "A collection of callout objects, where each object represents an HTTPrequest made in the context of a proxy request.", + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "name": { + "description": "A string identifier for a callout. A callout object is referenceablevia its name in the kong.ctx.shared.callouts.", + "type": "string", + "required": true + } + }, + { + "depends_on": { + "type": "array", + "description": "An array of callout names the current callout depends on.This dependency determines the callout execution order.", + "default": [ + + ], + "elements": { + "type": "string", + "required": true + }, + "required": true + } + }, + { + "request": { + "description": "The customizations for the callout request.", + "type": "record", + "required": true, + "fields": [ + { + "url": { + "description": "The URL that will be requested.", + "type": "string", + "required": true, + "referenceable": true + } + }, + { + "method": { + "type": "string", + "match": "^%u+$", + "description": "The HTTP method that will be requested.", + "default": "GET", + "required": true + } + }, + { + "http_opts": { + "description": "HTTP connection parameters.", + "type": "record", + "required": true, + "fields": [ + { + "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean", + "default": false + } + }, + { + "ssl_server_name": { + "description": "The SNI used in the callout request. Defaults to host if omitted.", + "type": "string" + } + }, + { + "timeouts": { + "description": "Socket timeouts in milliseconds. All or none must be set.", + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "connect", + "write", + "read" + ] + } + ], + "fields": [ + { + "connect": { + "description": "The socket connect timeout.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "write": { + "description": "The socket write timeout.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "read": { + "description": "The socket read timeout. ", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + } + ] + } + }, + { + "proxy": { + "description": "Proxy settings.", + "type": "record", + "fields": [ + { + "auth_username": { + "description": "The username to authenticate with, if the forward proxy is protected by basic authentication.", + "type": "string", + "referenceable": true, + "required": false + } + }, + { + "auth_password": { + "description": "The password to authenticate with, if the forward proxy is protected by basic authentication.", + "type": "string", + "referenceable": true, + "required": false + } + }, + { + "https_proxy": { + "description": "The HTTPS proxy URL. This proxy server will be used for HTTPS requests.", + "type": "string" + } + }, + { + "http_proxy": { + "description": "The HTTP proxy URL. This proxy server will be used for HTTP requests.", + "type": "string" + } + } + ] + } + } + ] + } + }, + { + "query": { + "description": "Callout request query param customizations.", + "type": "record", + "required": true, + "fields": [ + { + "forward": { + "description": "If true, forwards the incoming request's query params to the callout request. 
", + "type": "boolean", + "default": false + } + }, + { + "custom": { + "type": "map", + "keys": { + "type": "string" + }, + "description": "The custom query params to be added in the callout HTTP request.Values can contain Lua expressions in the form $(some_lua_code).", + "values": { + "type": "string", + "referenceable": true, + "required": false + }, + "required": false + } + } + ] + } + }, + { + "headers": { + "description": "Callout request header customizations.", + "type": "record", + "required": true, + "fields": [ + { + "forward": { + "description": "If true, forwards the incoming request's headers to the callout request. ", + "type": "boolean", + "default": false + } + }, + { + "custom": { + "type": "map", + "keys": { + "type": "string" + }, + "description": "The custom headers to be added in the callout HTTP request.Values can contain Lua expressions in the form $(some_lua_code).", + "values": { + "type": "string", + "referenceable": true, + "required": false + }, + "required": false + } + } + ] + } + }, + { + "body": { + "description": "Callout request body customizations.", + "type": "record", + "required": true, + "fields": [ + { + "forward": { + "description": "If true, forwards the incoming request's body to the callout request.", + "type": "boolean", + "default": false + } + }, + { + "decode": { + "description": "If true, decodes the request's body to make it available for customizations.", + "type": "boolean", + "default": false + } + }, + { + "custom": { + "type": "map", + "keys": { + "type": "string" + }, + "description": "The custom body fields to be added in the callout HTTP request.Values can contain Lua expressions in the form $(some_lua_code).", + "values": { + "type": "string", + "referenceable": true, + "required": false + }, + "required": false + } + } + ] + } + }, + { + "error": { + "description": "The error handling policy the plugin will apply to TCP and HTTP errors.", + "type": "record", + "required": true, + "fields": [ + { + 
"on_error": { + "one_of": [ + "retry", + "fail", + "continue" + ], + "default": "fail", + "type": "string" + } + }, + { + "retries": { + "description": "The number of retries the plugin will attempt on TCP and HTTP errors if `on_error` is set to `retry`.", + "type": "integer", + "default": 2 + } + }, + { + "http_statuses": { + "description": "The list of HTTP status codes considered errors under the error handling policy.", + "type": "array", + "elements": { + "between": [ + 100, + 999 + ], + "type": "integer" + } + } + }, + { + "error_response_code": { + "description": "The error code to respond with if `on_error` is `fail` or if `retries` is achieved.", + "type": "integer", + "default": 400 + } + }, + { + "error_response_msg": { + "description": "The error mesasge to respond with if `on_error` is `fail` or if `retries` is achieved.Templating with Lua expressions is supported.", + "type": "string", + "default": "service callout error" + } + } + ] + } + }, + { + "by_lua": { + "description": "Lua code that executes before the callout request is made.Standard Lua sandboxing restrictions apply.", + "type": "string", + "required": false + } + } + ] + } + }, + { + "response": { + "description": "Configurations of callout response handling.", + "type": "record", + "required": true, + "fields": [ + { + "headers": { + "description": "Callout response header customizations.", + "type": "record", + "required": true, + "fields": [ + { + "store": { + "description": "If false, skips storing the callout response headers intokong.ctx.shared.callouts..response.headers.", + "type": "boolean", + "default": true + } + } + ] + } + }, + { + "body": { + "type": "record", + "required": true, + "fields": [ + { + "store": { + "description": "If false, skips storing the callout response body into kong.ctx.shared.callouts..response.body.", + "type": "boolean", + "default": true + } + }, + { + "decode": { + "description": "If true, decodes the response body before storing into the context. 
Only JSON is supported.", + "type": "boolean", + "default": false + } + } + ] + } + }, + { + "by_lua": { + "description": "Lua code that executes after the callout request is made, before caching takes place. Standard Lua sandboxing restrictions apply.", + "type": "string", + "required": false + } + } + ] + } + }, + { + "cache": { + "description": "Callout caching configuration.", + "type": "record", + "required": true, + "fields": [ + { + "bypass": { + "description": "If true, skips caching the callout response.", + "type": "boolean", + "default": false + } + } + ] + } + } + ] + }, + "required": true + } + }, + { + "cache": { + "description": "Plugin global caching configuration.", + "type": "record", + "required": true, + "fields": [ + { + "strategy": { + "type": "string", + "description": "The backing data store in which to hold cache entities. Accepted values are: `off`, `memory`, and `redis`.", + "one_of": [ + "memory", + "redis", + "off" + ], + "default": "off", + "required": true + } + }, + { + "memory": { + "type": "record", + "fields": [ + { + "dictionary_name": { + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. 
Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string", + "default": "kong_db_cache", + "required": true + } + } + ], + "required": true + } + }, + { + "redis": { + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "connect_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "send_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." 
+ } + }, + { + "read_timeout": { + "between": [ + 0, + 2147483646 + ], + "default": 2000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "type": "string", + "referenceable": true + } + }, + { + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "type": "integer", + "between": [ + 1, + 2147483646 + ] + } + }, + { + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. 
If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "type": "array", + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string", + "default": "127.0.0.1", + "required": true + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ] + }, + "required": false + } + }, + { + "cluster_nodes": { + "type": "array", + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "description": "A string representing a host name, such as example.com.", + "type": "string", + "default": "127.0.0.1", + "required": true + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "default": 6379, + "type": "integer", + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ] + }, + "required": false + } + }, + { + "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, + "type": "boolean", + "required": false + } + }, + { + "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "type": "boolean", + "required": false + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string", + "required": false + } + }, + { + "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", + "default": 5, + "type": "integer", + "required": false + } + }, + { + "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "default": false, + "type": "boolean", + "required": false + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } + }, + { + "cluster_addresses": { + "deprecation": { + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "type": "array", + "elements": { + "type": "string" + }, + "len_min": 1 + } + } + ], + "required": true + } + }, + { + "cache_ttl": { + "description": "TTL in seconds of cache entities.", + "type": "integer", + "default": 300, + "gt": 0 + } + } + ] + } + }, + { + "upstream": { + "description": "Customizations to the upstream request.", + "type": "record", + "fields": [ + { + "by_lua": { + "description": "Lua code that executes before the upstream request is made. 
Standard Lua sandboxing restrictions apply.", + "type": "string", + "required": false + } + }, + { + "query": { + "description": "Upstream request query param customizations.", + "type": "record", + "required": true, + "fields": [ + { + "forward": { + "description": "If false, does not forward request query params to upstream request.", + "type": "boolean", + "default": true + } + }, + { + "custom": { + "type": "map", + "keys": { + "type": "string" + }, + "description": "The custom query params to be added in the upstream HTTP request. Values can contain Lua expressions in the form $(some_lua_code).", + "values": { + "type": "string", + "referenceable": true, + "required": false + }, + "required": false + } + } + ] + } + }, + { + "headers": { + "description": "Callout request header customizations.", + "type": "record", + "required": true, + "fields": [ + { + "forward": { + "description": "If false, does not forward request headers to upstream request.", + "type": "boolean", + "default": true + } + }, + { + "custom": { + "type": "map", + "keys": { + "type": "string" + }, + "description": "The custom headers to be added in the upstream HTTP request. Values can contain Lua expressions in the form $(some_lua_code).", + "values": { + "type": "string", + "referenceable": true, + "required": false + }, + "required": false + } + } + ] + } + }, + { + "body": { + "description": "Callout request body customizations.", + "type": "record", + "required": true, + "fields": [ + { + "forward": { + "description": "If false, skips forwarding the incoming request's body to the upstream request.", + "type": "boolean", + "default": true + } + }, + { + "decode": { + "description": "If true, decodes the request's body to make it available for upstream by_lua customizations.", + "type": "boolean", + "default": true + } + }, + { + "custom": { + "type": "map", + "keys": { + "type": "string" + }, + "description": "The custom body fields to be added in the upstream request body. 
Values can contain Lua expressions in the form $(some_lua_code).", + "values": { + "type": "string", + "referenceable": true, + "required": false + }, + "required": false + } + } + ] + } + } + ], + "required": true + } + } + ], + "required": true + } + } + ] +} \ No newline at end of file diff --git a/schemas/request-size-limiting/3.11.x.json b/schemas/request-size-limiting/3.11.x.json new file mode 100644 index 00000000..bcef5a46 --- /dev/null +++ b/schemas/request-size-limiting/3.11.x.json @@ -0,0 +1,73 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "allowed_payload_size": { + "default": 128, + "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", + "type": "integer" + } + }, + { + "size_unit": { + "required": true, + "type": "string", + "default": "megabytes", + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", + "one_of": [ + "megabytes", + "kilobytes", + "bytes" + ] + } + }, + { + "require_content_length": { + "default": false, + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", + "required": true, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file 
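Review bot: `config.allowed_payload_size` is declared as a bare `integer` with no lower bound, so this schema accepts `0` and negative values for the limit; how the plugin treats them is not visible here. Another schema in this patch bounds a comparable field (`"gt": 0` on `cache_ttl`), and adding `"gt": 0` here would reject a misconfigured limit at validation time. The description also says the size is "in megabytes" although `size_unit` allows `bytes` and `kilobytes`; it could read `Allowed request payload size, in the unit set by size_unit (megabytes by default).` If this file is pulled from the gateway API, the change belongs in the plugin's schema source.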
diff --git a/schemas/request-termination/3.11.x.json b/schemas/request-termination/3.11.x.json new file mode 100644 index 00000000..a95ead36 --- /dev/null +++ b/schemas/request-termination/3.11.x.json @@ -0,0 +1,81 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "status_code": { + "between": [ + 100, + 599 + ], + "required": true, + "type": "integer", + "default": 503, + "description": "The response code to send. Must be an integer between 100 and 599." + } + }, + { + "message": { + "description": "The message to send, if using the default response generator.", + "type": "string" + } + }, + { + "content_type": { + "description": "Content type of the raw response configured with `config.body`.", + "type": "string" + } + }, + { + "body": { + "description": "The raw response body to send. This is mutually exclusive with the `config.message` field.", + "type": "string" + } + }, + { + "echo": { + "default": false, + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", + "required": true, + "type": "boolean" + } + }, + { + "trigger": { + "type": "string", + "description": "A string representing an HTTP header name." + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/request-transformer-advanced/3.11.x.json b/schemas/request-transformer-advanced/3.11.x.json new file mode 100644 index 00000000..90f58ca4 --- /dev/null +++ b/schemas/request-transformer-advanced/3.11.x.json 
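Review bot: The `echo` description recommends use on live systems but does not say what the echoed copy contains. If it includes request headers, client credentials (cookies, `Authorization`) would end up in the response body and in anything that logs or caches it. I would add a sentence such as `The echoed response may contain request headers and body; enable it only temporarily and only together with trigger.` The `trigger` description is the generic `A string representing an HTTP header name.` and does not explain the field's role, which the `echo` text relies on. Separately, `body` is documented as mutually exclusive with `message`, but `entity_checks` is empty, so nothing visible in this schema enforces that.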
@@ -0,0 +1,337 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", + "match": "^%u+$", + "type": "string" + } + }, + { + "remove": { + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "rename": { + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "replace": { + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + }, + { + "json_types": { + "default": [ + + ], + "elements": { + "type": 
"string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array" + } + }, + { + "uri": { + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "add": { + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + }, + { + "json_types": { + "default": [ + + ], + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "append": { + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "referenceable": true, + "type": "string" + }, + "type": "array" + } + }, + { + "json_types": { + "default": [ + + ], + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "allow": { + "fields": [ + { + "body": { + "elements": { + "type": "string" + }, + "type": "set" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "dots_in_keys": { + "default": true, + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. 
See [Arrays and nested objects](#arrays-and-nested-objects).", + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/request-transformer/3.11.x.json b/schemas/request-transformer/3.11.x.json new file mode 100644 index 00000000..ee8d790f --- /dev/null +++ b/schemas/request-transformer/3.11.x.json 
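Review bot: Only `http_method` and `dots_in_keys` carry a `description` in this schema; `remove`, `rename`, `replace`, `add`, `append`, `allow` and their `body`/`headers`/`querystring`/`json_types`/`uri` members have none. `allow.body` in particular is a `set` with no default and no text, so a reader cannot tell from the schema what an empty or absent set means for the request body. The `referenceable: true` flag on the `rename`/`replace`/`add`/`append` elements is likewise unexplained. A one-line description per field, stating the expected value format and, for `allow.body`, the effect of leaving it unset, would close the gap.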
@@ -0,0 +1,280 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "config": { + "fields": [ + { + "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", + "match": "^%u+$", + "type": "string" + } + }, + { + "remove": { + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "rename": { + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "required": true, + "type": "array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "replace": { + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "required": true, + "type": 
"array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "uri": { + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "add": { + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "required": true, + "type": "array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "append": { + "fields": [ + { + "body": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "required": true, + "type": "array" + } + }, + { + "querystring": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/request-validator/3.11.x.json b/schemas/request-validator/3.11.x.json new file mode 100644 index 00000000..b8b9d41d --- /dev/null +++ b/schemas/request-validator/3.11.x.json 
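Review bot: `protocols.elements.one_of` here also admits `tcp`, `tls`, `tls_passthrough`, `udp`, `ws` and `wss`, while the default set and every `config` field (`http_method`, `headers`, `querystring`, `uri`) are HTTP-specific. The `request-transformer-advanced` schema in this same patch restricts the set to `grpc`, `grpcs`, `http`, `https`. If stream routes are not meant to be supported, the list should be narrowed to those four values so that attaching the plugin to a TCP/UDP route is rejected at validation time. None of the `config` fields except `http_method` has a `description`; the `match` pattern `^[^:]+:.*$` on the header arrays suggests a `name:value` format that should be stated in text.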
@@ -0,0 +1,189 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "at_least_one_of": [ + "body_schema", + "parameter_schema" + ] + } + ], + "fields": [ + { + "body_schema": { + "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.", + "required": false, + "type": "string" + } + }, + { + "allowed_content_types": { + "default": [ + "application/json" + ], + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", + "elements": { + "required": true, + "type": "string" + }, + "type": "set" + } + }, + { + "version": { + "required": true, + "type": "string", + "default": "kong", + "description": "Which validator to use. 
Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", + "one_of": [ + "kong", + "draft4" + ] + } + }, + { + "parameter_schema": { + "elements": { + "entity_checks": [ + { + "mutually_required": [ + "style", + "explode", + "schema" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "style", + "in" + ] + } + } + ], + "fields": [ + { + "in": { + "type": "string", + "description": "The location of the parameter.", + "required": true, + "one_of": [ + "query", + "header", + "path" + ] + } + }, + { + "name": { + "description": "The name of the parameter. Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`.", + "required": true, + "type": "string" + } + }, + { + "required": { + "description": "Determines whether this parameter is mandatory.", + "required": true, + "type": "boolean" + } + }, + { + "style": { + "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", + "type": "string", + "one_of": [ + "label", + "form", + "matrix", + "simple", + "spaceDelimited", + "pipeDelimited", + "deepObject" + ] + } + }, + { + "explode": { + "type": "boolean", + "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect." + } + }, + { + "schema": { + "type": "string", + "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. 
In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating." + } + } + ], + "type": "record" + }, + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", + "required": false, + "type": "array" + } + }, + { + "verbose_response": { + "default": false, + "description": "If enabled, the plugin returns more verbose and detailed validation errors.", + "required": true, + "type": "boolean" + } + }, + { + "content_type_parameter_validation": { + "default": true, + "description": "Determines whether to enable parameters validation of request content-type.", + "required": true, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/response-ratelimiting/3.11.x.json b/schemas/response-ratelimiting/3.11.x.json new file mode 100644 index 00000000..b6e0eba1 --- /dev/null +++ b/schemas/response-ratelimiting/3.11.x.json 
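Review bot: The description of `schema` inside `parameter_schema` starts with the misspelling `Requred`; it should read `Required when style and explode are set.` The `verbose_response` description could also say where the detailed validation errors go. If they are returned to the caller, as the wording suggests, they reveal the expected request shape, and a sentence such as `Returns detailed validation errors in the response; keep disabled on public routes unless clients need them.` would make that explicit. If this file is downloaded from the API, both corrections belong in the plugin's schema source.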
@@ -0,0 +1,439 @@ +{ + "entity_checks": [ + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.host", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.port", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.timeout", + "if_field": "config.policy", + "then_match": { + "required": true + } + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "header_name": { + "default": "x-kong-limit", + "description": "The name of the response header used to increment the counters.", + "type": "string" + } + }, + { + "limit_by": { + "default": "consumer", + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. 
If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", + "type": "string", + "one_of": [ + "consumer", + "credential", + "ip" + ] + } + }, + { + "policy": { + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "type": "string", + "one_of": [ + "local", + "cluster", + "redis" + ] + } + }, + { + "fault_tolerant": { + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", + "required": true, + "type": "boolean" + } + }, + { + "redis": { + "type": "record", + "description": "Redis configuration", + "required": true, + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "len_min": 0 + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + } + ] + } + }, + { + "block_on_first_violation": { + "default": false, + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. 
This will block requests that are supposed to consume other limits too.", + "required": true, + "type": "boolean" + } + }, + { + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers.", + "required": true, + "type": "boolean" + } + }, + { + "limits": { + "values": { + "entity_checks": [ + { + "at_least_one_of": [ + "second", + "minute", + "hour", + "day", + "month", + "year" + ] + } + ], + "type": "record", + "required": true, + "fields": [ + { + "second": { + "gt": 0, + "type": "number" + } + }, + { + "minute": { + "gt": 0, + "type": "number" + } + }, + { + "hour": { + "gt": 0, + "type": "number" + } + }, + { + "day": { + "gt": 0, + "type": "number" + } + }, + { + "month": { + "gt": 0, + "type": "number" + } + }, + { + "year": { + "gt": 0, + "type": "number" + } + } + ] + }, + "required": true, + "type": "map", + "description": "A map that defines rate limits for the plugin.", + "keys": { + "type": "string" + }, + "len_min": 1 + } + } + ], + "shorthand_fields": [ + { + "redis_host": { + "deprecation": { + "message": "response-ratelimiting: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } + ] + }, + "type": "string" + } + }, + { + "redis_port": { + "deprecation": { + "message": "response-ratelimiting: config.redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ] + }, + "type": "integer" + } + }, + { + "redis_password": { + "len_min": 0, + "deprecation": { + "message": "response-ratelimiting: config.redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ] + }, + "type": "string" + } + }, + { + "redis_username": { + "deprecation": { + "message": "response-ratelimiting: 
config.redis_username is deprecated, please use config.redis.username instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ] + }, + "type": "string" + } + }, + { + "redis_ssl": { + "deprecation": { + "message": "response-ratelimiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ] + }, + "type": "boolean" + } + }, + { + "redis_ssl_verify": { + "deprecation": { + "message": "response-ratelimiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ] + }, + "type": "boolean" + } + }, + { + "redis_server_name": { + "deprecation": { + "message": "response-ratelimiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ] + }, + "type": "string" + } + }, + { + "redis_timeout": { + "deprecation": { + "message": "response-ratelimiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "redis_database": { + "deprecation": { + "message": "response-ratelimiting: config.redis_database is deprecated, please use config.redis.database instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "database" + ] + } + ] + }, + "type": "integer" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/response-transformer-advanced/3.11.x.json b/schemas/response-transformer-advanced/3.11.x.json new file mode 100644 index 00000000..acf4ee71 --- /dev/null 
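Review bot: In `config.redis`, `ssl` and `ssl_verify` both default to `false`, so with `policy` set to `redis` the defaults give a plaintext connection, and turning on `ssl` alone still skips certificate validation on the link that carries the AUTH password. The `ssl_verify` description only says what `true` does; I would add the consequence of the default, for example `When false (the default), the Redis server certificate is not validated even if ssl is true.` The `fault_tolerant` description already says that `true` (its default) proxies requests unthrottled while the datastore is unreachable, so the TLS fields are the ones left without a stated default behaviour. If this file is pulled from the API like the 3.4.x schemas in the first patch of the series, the wording has to change in the plugin's schema source, not in this JSON.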
+++ b/schemas/response-transformer-advanced/3.11.x.json 
@@ -0,0 +1,350 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "remove": { + "fields": [ + { + "json": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "if_status": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "rename": { + "fields": [ + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "type": "array" + } + }, + { + "if_status": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "replace": { + "fields": [ + { + "body": { + "description": "String with which to replace the entire response body.", + "type": "string" + } + }, + { + "json": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "json_types": { + "default": [ + + ], + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "if_status": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "add": { + "fields": [ + { + "json": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "json_types": { + "default": [ + + ], + 
"elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "if_status": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "append": { + "fields": [ + { + "json": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "json_types": { + "default": [ + + ], + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + }, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "if_status": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "allow": { + "fields": [ + { + "json": { + "elements": { + "type": "string" + }, + "type": "set" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "transform": { + "fields": [ + { + "functions": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "if_status": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "json": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "dots_in_keys": { + "default": true, + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file 
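Review bot: `config.transform.functions` is declared as a bare array of strings with no `description`, and within `config` only `replace.body` and `dots_in_keys` are described at all. As I read Kong's documentation for this plugin, the `functions` entries are Lua function sources that the gateway applies to the response body, so the schema should say so; something like `"description": "Lua functions applied to the JSON response body. Write access to this field lets the author run code in the gateway."` would make the trust requirement visible to whoever grants Admin API permissions. The `if_status` arrays would also benefit from a line on the accepted format, since they are plain strings with no `match` constraint here. Minor: the `dots_in_keys` description ends in a doubled period (`objects..`).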
diff --git a/schemas/response-transformer/3.11.x.json b/schemas/response-transformer/3.11.x.json new file mode 100644 index 00000000..eb4a6258 --- /dev/null +++ b/schemas/response-transformer/3.11.x.json 
@@ -0,0 +1,259 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "remove": { + "fields": [ + { + "json": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string" + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "rename": { + "fields": [ + { + "json": { + "default": [ + + ], + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "type": "string", + "match": "^[^:]+:.*$" + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "replace": { + "fields": [ + { + "json": { + "default": [ + + ], + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "json_types": { + "required": true, + "type": "array", + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. 
Each string element can be one of: boolean, number, or string.", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + } + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "add": { + "fields": [ + { + "json": { + "default": [ + + ], + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "json_types": { + "required": true, + "type": "array", + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + } + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "append": { + "fields": [ + { + "json": { + "default": [ + + ], + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "required": true, + "type": "array" + } + }, + { + "json_types": { + "required": true, + "type": "array", + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "elements": { + "type": "string", + "one_of": [ + "boolean", + "number", + "string" + ] + } + } + }, + { + "headers": { + "default": [ + + ], + "elements": { + "match": "^[^:]+:.*$", + "type": "string" + }, + "required": true, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file 
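Review bot: The `json_types` description under `replace` and `add` is the `append` text copied unchanged, so all three say the types apply "when appending JSON properties" and the rendered docs describe the wrong operation for two of them. I would reword per operation, e.g. `Specify the types of the JSON values returned when replacing JSON properties.` for `replace` and the matching "adding" wording for `add`. The same string carries a literal `\n` in mid-sentence (`appending\nJSON properties`), which will show up as a stray line break wherever the description is rendered. The `json` and `headers` arrays in every operation have no `description`; a one-line note on the `name:value` form that the `^[^:]+:.*$` pattern enforces would help.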
diff --git a/schemas/route-by-header/3.11.x.json b/schemas/route-by-header/3.11.x.json new file mode 100644 index 00000000..fb2008cd --- /dev/null +++ b/schemas/route-by-header/3.11.x.json @@ -0,0 +1,78 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "rules": { + "default": [ + + ], + "description": "Route by header rules.", + "elements": { + "type": "record", + "fields": [ + { + "upstream_name": { + "required": true, + "type": "string" + } + }, + { + "condition": { + "values": { + "type": "string" + }, + "required": true, + "type": "map", + "keys": { + "type": "string" + }, + "len_min": 1 + } + } + ] + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/route-transformer-advanced/3.11.x.json b/schemas/route-transformer-advanced/3.11.x.json new file mode 100644 index 00000000..a640c0ff --- /dev/null +++ b/schemas/route-transformer-advanced/3.11.x.json 
@@ -0,0 +1,75 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "at_least_one_of": [ + "path", + "port", + "host" + ] + } + ], + "fields": [ + { + "path": { + "type": "string" + } + }, + { + "port": { + "type": "string" + } + }, + { + "host": { + "type": "string" + } + }, + { + "escape_path": { + "default": false, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/saml/3.11.x.json b/schemas/saml/3.11.x.json new file mode 100644 index 00000000..b9a8bf2e --- /dev/null +++ b/schemas/saml/3.11.x.json 
@@ -0,0 +1,1229 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "type": "record", + "shorthand_fields": [ + { + "session_cookie_lifetime": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead" + }, + "type": "number" + } + }, + { + "session_cookie_idletime": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead" + }, + "type": "number" + } + }, + { + "session_cookie_samesite": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead" + }, + "type": "string" + } + }, + { + "session_cookie_httponly": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead" + }, + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_prefix is 
deprecated, please use config.session_memcached_prefix instead" + }, + "type": "string" + } + }, + { + "session_memcache_socket": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead" + }, + "type": "string" + } + }, + { + "session_memcache_host": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead" + }, + "type": "string" + } + }, + { + "session_memcache_port": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead" + }, + "type": "integer" + } + }, + { + "session_cookie_renew": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_renew option does not exist anymore" + }, + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore" + }, + "type": "integer" + } + }, + { + "session_strategy": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_strategy option does not exist anymore" + }, + "type": "string" + } + }, + { + "session_compressor": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_compressor option does not exist anymore" + }, + "type": "string" + } + }, + { + "session_auth_ttl": { + "deprecation": { + "removal_in_version": "4.0", + "message": "openid-connect: config.session_auth_ttl option does not exist anymore" + }, + "type": "number" + } + }, + { + "session_redis_prefix": { + "deprecation": { + "message": "saml: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", + 
"removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "prefix" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_socket": { + "deprecation": { + "message": "saml: config.session_redis_socket is deprecated, please use config.redis.socket instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "socket" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_host": { + "deprecation": { + "message": "saml: config.session_redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_port": { + "deprecation": { + "message": "saml: config.session_redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ] + }, + "type": "integer" + } + }, + { + "session_redis_username": { + "deprecation": { + "message": "saml: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_password": { + "deprecation": { + "message": "saml: config.session_redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_connect_timeout": { + "deprecation": { + "message": "saml: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "connect_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "session_redis_read_timeout": { + "deprecation": { + "message": "saml: 
config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "session_redis_send_timeout": { + "deprecation": { + "message": "saml: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "send_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "session_redis_ssl": { + "deprecation": { + "message": "saml: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ] + }, + "type": "boolean" + } + }, + { + "session_redis_ssl_verify": { + "deprecation": { + "message": "saml: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ] + }, + "type": "boolean" + } + }, + { + "session_redis_server_name": { + "deprecation": { + "message": "saml: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ] + }, + "type": "string" + } + }, + { + "session_redis_cluster_nodes": { + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "type": "array", + "deprecation": { + "message": "saml: config.session_redis_cluster_nodes is 
deprecated, please use config.redis.cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "cluster_nodes" + ] + } + ] + } + } + }, + { + "session_redis_cluster_max_redirections": { + "deprecation": { + "message": "saml: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "cluster_max_redirections" + ] + } + ] + }, + "type": "integer" + } + }, + { + "session_redis_cluster_maxredirections": { + "deprecation": { + "message": "saml: config.session_redis_cluster_maxredirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "redis", + "cluster_max_redirections" + ] + } + ] + }, + "type": "integer" + } + } + ], + "required": true, + "fields": [ + { + "assertion_consumer_path": { + "required": true, + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "starts_with": "/" + } + }, + { + "idp_sso_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": true, + "type": "string" + } + }, + { + "idp_certificate": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. 
Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "required": false + } + }, + { + "response_encryption_key": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The private encryption key required to decrypt encrypted assertions.", + "required": false + } + }, + { + "request_signing_key": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", + "required": false + } + }, + { + "request_signing_certificate": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The certificate for signing requests.", + "required": false + } + }, + { + "request_signature_algorithm": { + "required": false, + "type": "string", + "default": "SHA256", + "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "one_of": [ + "SHA256", + "SHA384", + "SHA512" + ] + } + }, + { + "request_digest_algorithm": { + "required": false, + "type": "string", + "default": "SHA256", + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", + "one_of": [ + "SHA256", + "SHA1" + ] + } + }, + { + "response_signature_algorithm": { + "required": false, + "type": "string", + "default": "SHA256", + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "one_of": [ + "SHA256", + "SHA384", + "SHA512" + ] + } + }, + { + "response_digest_algorithm": { + "required": false, + "type": "string", + "default": "SHA256", + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", + "one_of": [ + "SHA256", + "SHA1" + ] + } + }, + { + "issuer": { + "description": "The unique identifier of the IdP application. 
Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", + "required": true, + "type": "string" + } + }, + { + "nameid_format": { + "required": false, + "type": "string", + "default": "EmailAddress", + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", + "one_of": [ + "Unspecified", + "EmailAddress", + "Persistent", + "Transient" + ] + } + }, + { + "validate_assertion_signature": { + "default": true, + "description": "Enable signature validation for SAML responses.", + "required": false, + "type": "boolean" + } + }, + { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", + "required": false, + "type": "string" + } + }, + { + "session_secret": { + "len_max": 32, + "match": "^[0-9a-zA-Z/_+]+$", + "referenceable": true, + "type": "string", + "required": true, + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). 
It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "encrypted": true, + "len_min": 32 + } + }, + { + "session_audience": { + "default": "default", + "description": "The session audience, for example \"my-application\"", + "required": false, + "type": "string" + } + }, + { + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "required": false, + "type": "string" + } + }, + { + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions", + "required": false, + "type": "boolean" + } + }, + { + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name", + "required": false, + "type": "string" + } + }, + { + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Persistent session rolling timeout in seconds.", + "required": false, + "type": "number" + } + }, + { + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Persistent session absolute timeout in seconds.", + "required": false, + "type": "number" + } + }, + { + "session_idling_timeout": { + "default": 900, + "description": "The session cookie idle time in seconds.", + "required": false, + "type": "number" + } + }, + { + "session_rolling_timeout": { + "default": 3600, + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "required": false, + "type": "number" + } + }, + { + "session_absolute_timeout": { + "default": 86400, + "description": "The session cookie absolute timeout in seconds. 
Specifies how long the session can be used until it is no longer valid.", + "required": false, + "type": "number" + } + }, + { + "session_cookie_path": { + "required": false, + "type": "string", + "default": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "match_none": [ + { + "err": "must not have empty segments", + "pattern": "//" + } + ], + "starts_with": "/" + } + }, + { + "session_cookie_domain": { + "description": "The session cookie domain flag.", + "required": false, + "type": "string" + } + }, + { + "session_cookie_same_site": { + "required": false, + "type": "string", + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "required": false, + "type": "boolean" + } + }, + { + "session_cookie_secure": { + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "required": false, + "type": "boolean" + } + }, + { + "session_request_headers": { + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "type": "set" + } + }, + { + "session_response_headers": { + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "type": "set" + } + }, + { + "session_storage": { + "required": false, + "type": 
"string", + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", + "one_of": [ + "cookie", + "memcache", + "memcached", + "redis" + ] + } + }, + { + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", + "required": false, + "type": "boolean" + } + }, + { + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "required": false, + "type": "boolean" + } + }, + { + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "required": false, + "type": "boolean" + } + }, + { + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "required": false, + "type": "boolean" + } + }, + { + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "required": false, + "type": "string" + } + }, + { + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "required": false, + "type": "string" + } + }, + { + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "required": false, + "type": "string" + } + }, + { + "session_memcached_port": { + "between": [ + 0, + 65535 + ], + "required": false, + "type": "integer", + "default": 11211, + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ 
+ "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + } + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "len_min": 1, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. 
If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "one_of": [ + "master", + "slave", + "any" + ], + "type": "string" + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ], + "type": "record" + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ], + "type": "record" + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + }, + { + "prefix": { + "description": "The Redis session key prefix.", + "required": false, + "type": "string" + } + }, + { + "socket": { + "description": "The Redis unix socket path.", + "required": false, + "type": "string" + } + } + ] + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/service-protection/3.11.x.json b/schemas/service-protection/3.11.x.json new file mode 100644 index 00000000..c53e3deb --- /dev/null +++ b/schemas/service-protection/3.11.x.json 
@@ -0,0 +1,543 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "route": { + "reference": "routes", + "eq": null, + "type": "foreign", + "description": "A reference to the 'routes' table with a null value allowed." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "window_size": { + "elements": { + "type": "number" + }, + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "required": true, + "type": "array" + } + }, + { + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "type": "string", + "one_of": [ + "fixed", + "sliding" + ] + } + }, + { + "limit": { + "elements": { + "type": "number" + }, + "description": "One or more requests-per-window limits to apply. 
There must be a matching number of window limits and sizes specified.", + "required": true, + "type": "array" + } + }, + { + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + } + }, + { + "namespace": { + "auto": true, + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", + "required": true, + "type": "string" + } + }, + { + "strategy": { + "required": true, + "type": "string", + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "one_of": [ + "cluster", + "redis", + "local" + ] + } + }, + { + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "required": true, + "type": "string" + } + }, + { + "lock_dictionary_name": { + "default": "kong_locks", + "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. 
The shared dictionary should be declared in nginx-kong.conf.", + "required": true, + "type": "string" + } + }, + { + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" + } + }, + { + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + 
"send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. 
If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + } + ] + } + }, + { + "disable_penalty": { + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", + "type": "boolean" + } + }, + { + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "gt": 0, + "type": "number" + } + }, + { + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file 
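Review bot: In schemas/service-protection/3.11.x.json the `redis` record defaults both `ssl` and `ssl_verify` to `false`, and the `ssl` description (`If set to true, uses SSL to connect to Redis.`) does not say that enabling it alone leaves the server certificate unchecked. Since the same record carries `password` and `sentinel_password`, I would extend that description to `If set to true, uses SSL to connect to Redis. The server certificate is only validated when ssl_verify is also true.` Separately, the `strategy` description names only `local` and `cluster` while its `one_of` also accepts `redis`; the sentence should read `Available values are: local, cluster and redis.` As the file is pulled from the API, both wording fixes presumably belong in the upstream schema source.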
diff --git a/schemas/session/3.11.x.json b/schemas/session/3.11.x.json new file mode 100644 index 00000000..cf9a5e2d --- /dev/null +++ b/schemas/session/3.11.x.json 
@@ -0,0 +1,302 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "secret": { + "encrypted": true, + "referenceable": true, + "type": "string", + "default": "lt9BJW1n5RfhCxTbNIKqsj8THW7YNdXTA0VW6KQwBUwg", + "description": "The secret that is used in keyed HMAC generation.", + "required": false + } + }, + { + "storage": { + "default": "cookie", + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", + "type": "string", + "one_of": [ + "cookie", + "kong" + ] + } + }, + { + "audience": { + "default": "default", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "type": "string" + } + }, + { + "idling_timeout": { + "default": 900, + "description": "The session cookie idle time, in seconds.", + "type": "number" + } + }, + { + "rolling_timeout": { + "default": 3600, + "description": "The session cookie rolling timeout, in seconds. 
Specifies how long the session can be used until it needs to be renewed.", + "type": "number" + } + }, + { + "absolute_timeout": { + "default": 86400, + "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", + "type": "number" + } + }, + { + "stale_ttl": { + "default": 10, + "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", + "type": "number" + } + }, + { + "cookie_name": { + "default": "session", + "description": "The name of the cookie.", + "type": "string" + } + }, + { + "cookie_path": { + "default": "/", + "description": "The resource in the host where the cookie is available.", + "type": "string" + } + }, + { + "cookie_domain": { + "description": "The domain with which the cookie is intended to be exchanged.", + "type": "string" + } + }, + { + "cookie_same_site": { + "default": "Strict", + "description": "Determines whether and how a cookie may be sent with cross-site requests.", + "type": "string", + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ] + } + }, + { + "cookie_http_only": { + "default": true, + "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", + "type": "boolean" + } + }, + { + "cookie_secure": { + "default": true, + "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", + "type": "boolean" + } + }, + { + "remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean" + } + }, + { + "remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. 
Use with the `remember` configuration parameter.", + "type": "string" + } + }, + { + "remember_rolling_timeout": { + "default": 604800, + "description": "The persistent session rolling timeout window, in seconds.", + "type": "number" + } + }, + { + "remember_absolute_timeout": { + "default": 2592000, + "description": "The persistent session absolute timeout limit, in seconds.", + "type": "number" + } + }, + { + "response_headers": { + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "List of information to include, as headers, in the response to the downstream.", + "type": "set" + } + }, + { + "request_headers": { + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + }, + "description": "List of information to include, as headers, in the response to the downstream.", + "type": "set" + } + }, + { + "read_body_for_logout": { + "default": false, + "type": "boolean" + } + }, + { + "logout_methods": { + "elements": { + "type": "string", + "one_of": [ + "GET", + "POST", + "DELETE" + ] + }, + "description": "A set of HTTP methods that the plugin will respond to.", + "default": [ + "POST", + "DELETE" + ], + "type": "set" + } + }, + { + "logout_query_arg": { + "default": "session_logout", + "description": "The query argument passed to logout requests.", + "type": "string" + } + }, + { + "logout_post_arg": { + "default": "session_logout", + "description": "The POST argument passed to logout requests. 
Do not change this property.", + "type": "string" + } + } + ], + "shorthand_fields": [ + { + "cookie_lifetime": { + "type": "number" + } + }, + { + "cookie_idletime": { + "type": "number" + } + }, + { + "cookie_renew": { + "type": "number" + } + }, + { + "cookie_discard": { + "type": "number" + } + }, + { + "cookie_samesite": { + "type": "string" + } + }, + { + "cookie_httponly": { + "type": "boolean" + } + }, + { + "cookie_persistent": { + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/standard-webhooks/3.11.x.json b/schemas/standard-webhooks/3.11.x.json new file mode 100644 index 00000000..bf13b5b6 --- /dev/null +++ b/schemas/standard-webhooks/3.11.x.json @@ -0,0 +1,63 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "secret_v1": { + "encrypted": true, + "required": true, + "type": "string", + "description": "Webhook secret", + "referenceable": true + } + }, + { + "tolerance_second": { + "required": true, + "type": "integer", + "gt": -1, + "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response.", + "default": 300 + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/statsd-advanced/3.11.x.json b/schemas/statsd-advanced/3.11.x.json new file mode 100644 index 00000000..aafa408b --- /dev/null 
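Review bot: In schemas/session/3.11.x.json the `secret` field ships a concrete string as its `default`, although its description is `The secret that is used in keyed HMAC generation.`; a key printed in a public schema protects no deployment that leaves the field unset and ends up with that value. It looks like a value captured from the instance the schema was downloaded from rather than a fixed constant, which should be confirmed against the plugin source. Either way I would drop the `"default"` line from this field in the published file and have the description say the secret should be set explicitly to a random value, preferably through a vault reference since the field is `referenceable`. The `request_headers` description also repeats the `response_headers` text (`...in the response to the downstream`) and presumably should describe headers added to the upstream request.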
+++ b/schemas/statsd-advanced/3.11.x.json 
@@ -0,0 +1,459 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "prefix": { + "default": "kong", + "description": "String to prefix to each metric's name.", + "type": "string" + } + }, + { + "metrics": { + "default": [ + { + "stat_type": "counter", + "sample_rate": 1, + "name": "request_count" + }, + { + "stat_type": "timer", + "name": "latency" + }, + { + "stat_type": "timer", + "name": "request_size" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count" + }, + { + "stat_type": "timer", + "name": "response_size" + }, + { + "stat_type": "set", + "name": "unique_users" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "request_per_user" + }, + { + "stat_type": "timer", + "name": "upstream_latency" + }, + { + "stat_type": "timer", + "name": "kong_latency" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count_per_user" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count_per_workspace" + }, + { + 
"stat_type": "counter", + "sample_rate": 1, + "name": "status_count_per_user_per_route" + }, + { + "stat_type": "gauge", + "sample_rate": 1, + "name": "shdict_usage" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "cache_datastore_hits_total" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "cache_datastore_misses_total" + } + ], + "description": "List of Metrics to be logged.", + "elements": { + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "unique_users" + ] + }, + "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "set" + } + } + }, + { + "conditional": { + "if_match": { + "one_of": [ + "request_count", + "status_count", + "request_per_user", + "status_count_per_user", + "status_count_per_workspace", + "status_count_per_user_per_route", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + }, + "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "counter" + } + } + }, + { + "conditional": { + "if_match": { + "one_of": [ + "shdict_usage" + ] + }, + "then_field": "stat_type", + "if_field": "name", + "then_match": { + "eq": "gauge" + } + } + }, + { + "conditional": { + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + } + } + } + ], + "fields": [ + { + "name": { + "type": "string", + "required": true, + "one_of": [ + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "status_count", + "status_count_per_user", + "unique_users", + "upstream_latency", + "status_count_per_workspace", + "status_count_per_user_per_route", + "shdict_usage", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + } + }, + { + "stat_type": { + "type": "string", + "required": true, + "one_of": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ] + } + }, + { + 
"sample_rate": { + "gt": 0, + "type": "number" + } + }, + { + "consumer_identifier": { + "type": "string", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + }, + { + "service_identifier": { + "type": "string", + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ] + } + }, + { + "workspace_identifier": { + "type": "string", + "one_of": [ + "workspace_id", + "workspace_name" + ] + } + } + ], + "type": "record" + }, + "type": "array" + } + }, + { + "allow_status_codes": { + "elements": { + "type": "string", + "match": "^[0-9]+-[0-9]+$" + }, + "description": "List of status code ranges that are allowed to be logged in metrics.", + "type": "array" + } + }, + { + "udp_packet_size": { + "default": 0, + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", + "between": [ + 0, + 65507 + ], + "type": "number" + } + }, + { + "use_tcp": { + "default": false, + "description": "Use TCP instead of UDP.", + "type": "boolean" + } + }, + { + "hostname_in_prefix": { + "default": false, + "description": "Include the `hostname` in the `prefix` for each metric name.", + "type": "boolean" + } + }, + { + "consumer_identifier_default": { + "required": true, + "type": "string", + "default": "custom_id", + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + }, + { + "service_identifier_default": { + "required": true, + "type": "string", + "default": "service_name_or_host", + "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. 
Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ] + } + }, + { + "workspace_identifier_default": { + "required": true, + "type": "string", + "default": "workspace_id", + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", + "one_of": [ + "workspace_id", + "workspace_name" + ] + } + }, + { + "queue": { + "fields": [ + { + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "between": [ + 0, + 3600 + ], + "type": "number" + } + }, + { + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." 
+ } + }, + { + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "type": "integer", + "one_of": [ + -1, + 1 + ] + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/statsd/3.11.x.json b/schemas/statsd/3.11.x.json new file mode 100644 index 00000000..042741d2 --- /dev/null +++ b/schemas/statsd/3.11.x.json 
@@ -0,0 +1,454 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "host": { + "default": "localhost", + "description": "The IP address or hostname of StatsD server to send data to.", + "type": "string" + } + }, + { + "port": { + "default": 8125, + "description": "The port of StatsD server to send data to.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "prefix": { + "default": "kong", + "description": "String to prefix to each metric's name.", + "type": "string" + } + }, + { + "metrics": { + "default": [ + { + "stat_type": "counter", + "sample_rate": 1, + "name": "request_count" + }, + { + "stat_type": "timer", + "name": "latency" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "request_size" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "response_size" + }, + { + "stat_type": "set", + "name": "unique_users" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "request_per_user" + }, + { + "stat_type": "timer", + "name": "upstream_latency" + }, + { + "stat_type": "timer", + "name": "kong_latency" + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count_per_user" + }, + { + "stat_type": "counter", + "name": "status_count_per_workspace", + 
"sample_rate": 1 + }, + { + "stat_type": "counter", + "sample_rate": 1, + "name": "status_count_per_user_per_route" + }, + { + "stat_type": "gauge", + "sample_rate": 1, + "name": "shdict_usage" + }, + { + "stat_type": "counter", + "name": "cache_datastore_hits_total", + "sample_rate": 1 + }, + { + "stat_type": "counter", + "name": "cache_datastore_misses_total", + "sample_rate": 1 + } + ], + "description": "List of metrics to be logged.", + "elements": { + "entity_checks": [ + { + "conditional": { + "if_match": { + "one_of": [ + "counter", + "gauge" + ] + }, + "then_field": "sample_rate", + "if_field": "stat_type", + "then_match": { + "required": true + } + } + } + ], + "fields": [ + { + "name": { + "type": "string", + "description": "StatsD metric’s name.", + "required": true, + "one_of": [ + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "status_count", + "status_count_per_user", + "unique_users", + "upstream_latency", + "status_count_per_workspace", + "status_count_per_user_per_route", + "shdict_usage", + "cache_datastore_hits_total", + "cache_datastore_misses_total" + ] + } + }, + { + "stat_type": { + "type": "string", + "description": "Determines what sort of event a metric represents.", + "required": true, + "one_of": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ] + } + }, + { + "sample_rate": { + "gt": 0, + "description": "Sampling rate", + "type": "number" + } + }, + { + "consumer_identifier": { + "description": "Authenticated user detail.", + "type": "string", + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + }, + { + "service_identifier": { + "description": "Service detail.", + "type": "string", + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ] + } + }, + { + "workspace_identifier": { + "description": "Workspace detail.", + "type": "string", + "one_of": [ + "workspace_id", + "workspace_name" + ] + } + } 
+ ], + "type": "record" + }, + "type": "array" + } + }, + { + "allow_status_codes": { + "elements": { + "type": "string", + "match": "^[0-9]+-[0-9]+$" + }, + "description": "List of status code ranges that are allowed to be logged in metrics.", + "type": "array" + } + }, + { + "udp_packet_size": { + "default": 0, + "between": [ + 0, + 65507 + ], + "type": "number" + } + }, + { + "use_tcp": { + "default": false, + "type": "boolean" + } + }, + { + "hostname_in_prefix": { + "default": false, + "type": "boolean" + } + }, + { + "consumer_identifier_default": { + "default": "custom_id", + "type": "string", + "required": true, + "one_of": [ + "consumer_id", + "custom_id", + "username" + ] + } + }, + { + "service_identifier_default": { + "default": "service_name_or_host", + "type": "string", + "required": true, + "one_of": [ + "service_id", + "service_name", + "service_host", + "service_name_or_host" + ] + } + }, + { + "workspace_identifier_default": { + "default": "workspace_id", + "type": "string", + "required": true, + "one_of": [ + "workspace_id", + "workspace_name" + ] + } + }, + { + "retry_count": { + "type": "integer", + "deprecation": { + "old_default": 10, + "message": "statsd: config.retry_count no longer works, please use config.queue.max_retry_time instead", + "removal_in_version": "4.0" + } + } + }, + { + "queue_size": { + "type": "integer", + "deprecation": { + "old_default": 1, + "message": "statsd: config.queue_size is deprecated, please use config.queue.max_batch_size instead", + "removal_in_version": "4.0" + } + } + }, + { + "flush_timeout": { + "type": "number", + "deprecation": { + "old_default": 2, + "message": "statsd: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", + "removal_in_version": "4.0" + } + } + }, + { + "tag_style": { + "type": "string", + "required": false, + "one_of": [ + "dogstatsd", + "influxdb", + "librato", + "signalfx" + ] + } + }, + { + "queue": { + "fields": [ + { + "max_batch_size": { + 
"default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "between": [ + 0, + 3600 + ], + "type": "number" + } + }, + { + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + } + }, + { + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "type": "integer", + "one_of": [ + -1, + 1 + ] + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/syslog/3.11.x.json b/schemas/syslog/3.11.x.json new file mode 100644 index 00000000..27f2ac90 --- /dev/null +++ b/schemas/syslog/3.11.x.json 
@@ -0,0 +1,164 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "log_level": { + "default": "info", + "type": "string", + "required": true, + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "successful_severity": { + "default": "info", + "type": "string", + "required": true, + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "client_errors_severity": { + "default": "info", + "type": "string", + "required": true, + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "server_errors_severity": { + "default": "info", + "type": "string", + "required": true, + "one_of": [ + "debug", + "info", + "notice", + "warning", + "err", + "crit", + "alert", + "emerg" + ] + } + }, + { + "custom_fields_by_lua": { + "description": "Lua code as a key-value map", + "values": { + "len_min": 1, + "type": "string" + }, + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map" + } + }, + { + "facility": { + "required": true, + "type": "string", + "default": "user", + "description": "The facility is used by the operating system to decide how to handle each log message.", + "one_of": [ + "auth", + "authpriv", + "cron", + "daemon", + 
"ftp", + "kern", + "lpr", + "mail", + "news", + "syslog", + "user", + "uucp", + "local0", + "local1", + "local2", + "local3", + "local4", + "local5", + "local6", + "local7" + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/tcp-log/3.11.x.json b/schemas/tcp-log/3.11.x.json new file mode 100644 index 00000000..e51f9399 --- /dev/null +++ b/schemas/tcp-log/3.11.x.json 
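Review bot: `config.custom_fields_by_lua` in the syslog schema accepts any non-empty string as Lua source (`len_min: 1` is the only constraint), yet its description, `Lua code as a key-value map`, does not say that the values are evaluated by the gateway. Anyone able to write this plugin's configuration can therefore supply code that runs inside the gateway process, presumably under whatever sandbox the deployment configures, which this schema does not show. I would reuse the tcp-log wording and add the consequence, e.g. `Map of log field name to a chunk of Lua code whose return value sets or replaces the field; the code runs in the gateway, so restrict who may edit this plugin's configuration.` The udp-log schema later in this patch carries the same one-line description. Because these files are pulled from the API, the wording has to be corrected in the plugin's schema source.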
@@ -0,0 +1,112 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "host": { + "description": "The IP address or host name to send data to.", + "required": true, + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "description": "The port to send data to on the upstream server.", + "required": true, + "type": "integer" + } + }, + { + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + } + }, + { + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "number" + } + }, + { + "tls": { + "default": false, + "description": "Indicates whether to perform a TLS handshake against the remote server.", + "required": true, + "type": "boolean" + } + }, + { + "tls_sni": { + "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake.", + "type": "string" + } + }, + { + "custom_fields_by_lua": { + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", + "values": { + "len_min": 1, + "type": "string" + }, + "keys": { + 
"type": "string", + "len_min": 1 + }, + "type": "map" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/tls-handshake-modifier/3.11.x.json b/schemas/tls-handshake-modifier/3.11.x.json new file mode 100644 index 00000000..28e50f31 --- /dev/null +++ b/schemas/tls-handshake-modifier/3.11.x.json @@ -0,0 +1,60 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "https", + "grpcs" + ], + "elements": { + "type": "string", + "one_of": [ + "https", + "grpcs", + "tls" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "tls_client_certificate": { + "required": false, + "type": "string", + "default": "REQUEST", + "description": "TLS Client Certificate", + "one_of": [ + "REQUEST" + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/tls-metadata-headers/3.11.x.json b/schemas/tls-metadata-headers/3.11.x.json new file mode 100644 index 00000000..68ca8cad --- /dev/null +++ b/schemas/tls-metadata-headers/3.11.x.json 
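Review bot: `config.tls` in the tcp-log schema defaults to `false`, so log entries are sent to `host`:`port` unencrypted unless the operator opts in, and the description does not mention this. The schema exposes only `tls_sni` and no setting for verifying the server certificate, so this file does not show whether the handshake authenticates the log receiver. Access logs commonly carry client addresses and request metadata, so I would extend the description, e.g. `Indicates whether to perform a TLS handshake against the remote server. Defaults to false, in which case log data is sent in plaintext.`, and document where certificate verification is controlled.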
@@ -0,0 +1,96 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "protocols": { + "default": [ + "https", + "grpcs" + ], + "elements": { + "type": "string", + "one_of": [ + "https", + "grpcs", + "tls" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "inject_client_cert_details": { + "default": false, + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", + "type": "boolean" + } + }, + { + "client_cert_header_name": { + "default": "X-Client-Cert", + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", + "required": true, + "type": "string" + } + }, + { + "client_serial_header_name": { + "default": "X-Client-Cert-Serial", + "description": "Define the HTTP header name used for the serial number of the client certificate.", + "required": true, + "type": "string" + } + }, + { + "client_cert_issuer_dn_header_name": { + "default": "X-Client-Cert-Issuer-DN", + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", + "required": true, + "type": "string" + } + }, + { + "client_cert_subject_dn_header_name": { + "default": "X-Client-Cert-Subject-DN", + "description": "Define the HTTP header name used for the subject DN of the client certificate.", + "required": true, + "type": "string" + } + }, + { + "client_cert_fingerprint_header_name": { + "default": "X-Client-Cert-Fingerprint", + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", + "required": true, + "type": "string" + } + } 
+ ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/udp-log/3.11.x.json b/schemas/udp-log/3.11.x.json new file mode 100644 index 00000000..eae6394a --- /dev/null +++ b/schemas/udp-log/3.11.x.json @@ -0,0 +1,91 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "host": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, + "type": "integer" + } + }, + { + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + } + }, + { + "custom_fields_by_lua": { + "description": "Lua code as a key-value map", + "values": { + "len_min": 1, + "type": "string" + }, + "keys": { + "type": "string", + "len_min": 1 + }, + "type": "map" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/upstream-oauth/3.11.x.json b/schemas/upstream-oauth/3.11.x.json new file mode 100644 index 00000000..484a5470 --- /dev/null +++ b/schemas/upstream-oauth/3.11.x.json 
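Review bot: `client_cert_fingerprint_header_name` in the tls-metadata-headers schema documents the value as the SHA1 fingerprint of the client certificate, and no field in this schema selects a stronger digest. SHA-1 is not collision resistant, so an upstream that pins or authorises on this header should not treat it as a unique certificate identifier; the description should say so, or the plugin should offer a SHA-256 fingerprint. Separately, the schema does not state whether request headers arriving from the client under these names (`X-Client-Cert`, `X-Client-Cert-Serial` and the others) are removed before injection, including when `inject_client_cert_details` is `false`. Upstreams that trust these headers need that guarantee written into the field descriptions.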
@@ -0,0 +1,762 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "client": { + "fields": [ + { + "auth_method": { + "required": true, + "type": "string", + "default": "client_secret_post", + "description": "The authentication method used in client requests to the IdP. Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", + "one_of": [ + "client_secret_post", + "client_secret_basic", + "client_secret_jwt", + "none" + ] + } + }, + { + "client_secret_jwt_alg": { + "required": true, + "type": "string", + "default": "HS512", + "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", + "one_of": [ + "HS512", + "HS256" + ] + } + }, + { + "http_version": { + "default": 1.1, + "description": "The HTTP version used for requests made by this plugin. 
Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", + "required": false, + "type": "number" + } + }, + { + "http_proxy": { + "description": "The proxy to use when making HTTP requests to the IdP.", + "required": false, + "type": "string" + } + }, + { + "http_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `http_proxy`.", + "required": false, + "type": "string" + } + }, + { + "https_proxy": { + "description": "The proxy to use when making HTTPS requests to the IdP.", + "required": false, + "type": "string" + } + }, + { + "https_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `https_proxy`.", + "required": false, + "type": "string" + } + }, + { + "no_proxy": { + "description": "A comma-separated list of hosts that should not be proxied.", + "required": false, + "type": "string" + } + }, + { + "timeout": { + "between": [ + 0, + 2147483646 + ], + "required": true, + "type": "integer", + "default": 10000, + "description": "Network I/O timeout for requests to the IdP in milliseconds." + } + }, + { + "keep_alive": { + "default": true, + "description": "Whether to use keepalive connections to the IdP.", + "required": true, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", + "required": false, + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "oauth": { + "fields": [ + { + "token_endpoint": { + "description": "The token endpoint URI.", + "required": true, + "type": "string" + } + }, + { + "token_headers": { + "values": { + "referenceable": true, + "type": "string" + }, + "description": "Extra headers to be passed in the token endpoint request.", + "keys": { + "type": "string", + "description": "A string representing an HTTP header name." 
+ }, + "type": "map" + } + }, + { + "token_post_args": { + "values": { + "referenceable": true, + "type": "string" + }, + "description": "Extra post arguments to be passed in the token endpoint request.", + "keys": { + "type": "string" + }, + "type": "map" + } + }, + { + "grant_type": { + "required": true, + "type": "string", + "default": "client_credentials", + "description": "The OAuth grant type to be used.", + "one_of": [ + "client_credentials", + "password" + ] + } + }, + { + "client_id": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The client ID for the application registration in the IdP.", + "required": false + } + }, + { + "client_secret": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The client secret for the application registration in the IdP.", + "required": false + } + }, + { + "username": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The username to use if `config.oauth.grant_type` is set to `password`.", + "required": false + } + }, + { + "password": { + "encrypted": true, + "referenceable": true, + "type": "string", + "description": "The password to use if `config.oauth.grant_type` is set to `password`.", + "required": false + } + }, + { + "scopes": { + "required": false, + "type": "array", + "default": [ + "openid" + ], + "description": "List of scopes to request from the IdP when obtaining a new token.", + "elements": { + "type": "string" + } + } + }, + { + "audience": { + "required": false, + "type": "array", + "default": [ + + ], + "description": "List of audiences passed to the IdP when obtaining a new token.", + "elements": { + "type": "string" + } + } + } + ], + "required": true, + "type": "record" + } + }, + { + "cache": { + "fields": [ + { + "strategy": { + "required": true, + "type": "string", + "default": "memory", + "description": "The method Kong should use to cache tokens issued by the IdP.", + "one_of": [ + 
"memory", + "redis" + ] + } + }, + { + "memory": { + "fields": [ + { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The shared dictionary used by the plugin to cache tokens if `config.cache.strategy` is set to `memory`.", + "required": true, + "type": "string" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "redis": { + "required": true, + "type": "record", + "entity_checks": [ + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "host", + "if_field": "connection_is_proxied", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ] + }, + "type": "integer" + } + }, + { + "sentinel_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ] + }, + "type": "array" + } + }, + { + 
"cluster_addresses": { + "elements": { + "type": "string" + }, + "len_min": 1, + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0", + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ] + }, + "type": "array" + } + } + ], + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "referenceable": true, + "type": "string" + } + }, + { + "password": { + "encrypted": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "referenceable": true, + "type": "string" + } + }, + { + "sentinel_password": { + "encrypted": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "referenceable": true, + "type": "string" + } + }, + { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + } + }, + { + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "between": [ + 0, + 2147483646 + ], + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer" + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string" + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + }, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "len_min": 1 + } + }, + { + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean" + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, + "type": "string" + } + }, + { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer" + } + }, + { + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean" + } + } + ] + } + }, + { + "eagerly_expire": { + "required": true, + "type": "integer", + "gt": -1, + "description": "The number of seconds to eagerly expire a cached token. By default, a cached token expires 5 seconds before its lifetime as defined in `expires_in`.", + "default": 5 + } + }, + { + "default_ttl": { + "default": 3600, + "description": "The lifetime of a token without an explicit `expires_in` value.", + "gt": 0, + "type": "number" + } + } + ], + "required": true, + "type": "record" + } + }, + { + "behavior": { + "fields": [ + { + "upstream_access_token_header_name": { + "required": true, + "type": "string", + "default": "Authorization", + "description": "The name of the header used to send the access token (obtained from the IdP) to the upstream service.", + "len_min": 0 + } + }, + { + "idp_error_response_status_code": { + "between": [ + 500, + 599 + ], + "required": true, + "type": "integer", + "default": 502, + "description": "The response code to return to the consumer if Kong fails to obtain a token from the IdP." 
+ } + }, + { + "idp_error_response_content_type": { + "required": true, + "type": "string", + "default": "application/json; charset=utf-8", + "description": "The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "len_min": 0 + } + }, + { + "idp_error_response_message": { + "required": true, + "type": "string", + "default": "Failed to authenticate request to upstream", + "description": "The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "len_min": 0 + } + }, + { + "idp_error_response_body_template": { + "required": true, + "type": "string", + "default": "{ \"code\": \"{{status}}\", \"message\": \"{{message}}\" }", + "description": "The template to use to create the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "len_min": 0 + } + }, + { + "purge_token_on_upstream_status_codes": { + "default": [ + 401 + ], + "description": "An array of status codes which will force an access token to be purged when returned by the upstream. An empty array will disable this functionality.", + "elements": { + "between": [ + 100, + 599 + ], + "type": "integer" + }, + "type": "array" + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/upstream-timeout/3.11.x.json b/schemas/upstream-timeout/3.11.x.json new file mode 100644 index 00000000..d14b02ad --- /dev/null +++ b/schemas/upstream-timeout/3.11.x.json 
@@ -0,0 +1,75 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "read_timeout": { + "between": [ + 0, + 2147483646 + ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" + } + }, + { + "send_timeout": { + "between": [ + 0, + 2147483646 + ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" + } + }, + { + "connect_timeout": { + "between": [ + 0, + 2147483646 + ], + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/vault-auth/3.11.x.json b/schemas/vault-auth/3.11.x.json new file mode 100644 index 00000000..d42bfd70 --- /dev/null +++ b/schemas/vault-auth/3.11.x.json 
@@ -0,0 +1,112 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "consumer": { + "reference": "consumers", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "access_token_name": { + "required": true, + "type": "string", + "default": "access_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + } + } + }, + { + "secret_token_name": { + "required": true, + "type": "string", + "default": "secret_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "elements": { + "type": "string", + "description": "A string representing an HTTP header name." + } + } + }, + { + "vault": { + "description": "A reference to an existing `vault` object within the database. 
`vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", + "reference": "vault_auth_vaults", + "required": true, + "type": "foreign" + } + }, + { + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", + "type": "boolean" + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "tokens_in_body": { + "default": false, + "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + } + }, + { + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/websocket-size-limit/3.11.x.json b/schemas/websocket-size-limit/3.11.x.json new file mode 100644 index 00000000..6e1e3593 --- /dev/null +++ b/schemas/websocket-size-limit/3.11.x.json 
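Review bot: `access_token_name` and `secret_token_name` are declared `"type": "string"` yet carry an `elements` sub-schema and a description that speaks of "an array of comma-separated parameter names", so the schema does not say whether the field takes one name or a list. With a single-string default (`access_token`, `secret_token`), either the description should be narrowed, e.g. `"description": "Name of the header or querystring parameter in which the plugin looks for the access token."`, with the `elements` block dropped, or the type should become an array if a list is really accepted. Both tokens may arrive in the querystring and `hide_credentials` defaults to `false`, so its description should state plainly that the tokens are forwarded to the upstream service unless it is set to `true`. In `tokens_in_body`, `application/www-form-urlencoded` looks like a slip for `application/x-www-form-urlencoded`.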
@@ -0,0 +1,68 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "default": [ + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "ws", + "wss" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "at_least_one_of": [ + "client_max_payload", + "upstream_max_payload" + ] + } + ], + "fields": [ + { + "client_max_payload": { + "between": [ + 1, + 33554432 + ], + "required": false, + "type": "integer" + } + }, + { + "upstream_max_payload": { + "between": [ + 1, + 33554432 + ], + "required": false, + "type": "integer" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/websocket-validator/3.11.x.json b/schemas/websocket-validator/3.11.x.json new file mode 100644 index 00000000..4bbf094d --- /dev/null +++ b/schemas/websocket-validator/3.11.x.json 
@@ -0,0 +1,220 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "default": [ + "ws", + "wss" + ], + "elements": { + "type": "string", + "one_of": [ + "ws", + "wss" + ] + }, + "required": true, + "type": "set" + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "at_least_one_of": [ + "client", + "upstream" + ] + } + ], + "fields": [ + { + "client": { + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } + ], + "type": "record", + "required": false, + "fields": [ + { + "text": { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "type": "record", + "required": false, + "fields": [ + { + "type": { + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "required": true, + "one_of": [ + "draft4" + ] + } + }, + { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "required": true, + "type": "string" + } + } + ] + } + }, + { + "binary": { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "type": "record", + "required": false, + "fields": [ + { + "type": { + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "required": true, + "one_of": [ + "draft4" + ] + } + }, + { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. 
The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "required": true, + "type": "string" + } + } + ] + } + } + ] + } + }, + { + "upstream": { + "entity_checks": [ + { + "at_least_one_of": [ + "text", + "binary" + ] + } + ], + "type": "record", + "required": false, + "fields": [ + { + "text": { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "type": "record", + "required": false, + "fields": [ + { + "type": { + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "required": true, + "one_of": [ + "draft4" + ] + } + }, + { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "required": true, + "type": "string" + } + } + ] + } + }, + { + "binary": { + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "type", + "schema" + ] + } + } + ], + "type": "record", + "required": false, + "fields": [ + { + "type": { + "type": "string", + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "required": true, + "one_of": [ + "draft4" + ] + } + }, + { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "required": true, + "type": "string" + } + } + ] + } + } + ] + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/xml-threat-protection/3.11.x.json b/schemas/xml-threat-protection/3.11.x.json new file mode 100644 index 00000000..5a48ae6a --- /dev/null +++ b/schemas/xml-threat-protection/3.11.x.json 
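Review bot: All eight `type` and `schema` descriptions in this file carry the text written for `config.upstream.binary`, so the entries under `client.text`, `client.binary` and `upstream.text` describe the wrong direction and frame kind. Each description should name its own path, for example under `client.text`: `"description": "Schema used to validate client-originated text frames."`, with the cross-reference pointing at `config.client.text.type` rather than `config.upstream.binary.type`. As written, an operator reading the `client` entries could conclude that they are configuring validation of upstream frames and leave client-originated frames unvalidated. If these files are exported from the gateway's schema API, the correction probably belongs in the plugin's schema source rather than in this copy.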
@@ -0,0 +1,300 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "max_namespaces", + "if_field": "namespace_aware", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "prefix", + "if_field": "namespace_aware", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_match": { + "eq": true + }, + "then_field": "namespaceuri", + "if_field": "namespace_aware", + "then_match": { + "required": true + } + } + } + ], + "fields": [ + { + "checked_content_types": { + "required": true, + "type": "set", + "default": [ + "application/xml" + ], + "description": "A list of Content-Type values with payloads that must be validated.", + "elements": { + "match": "^[^%s]+%/[^ ;]+$", + "required": true, + "type": "string" + } + } + }, + { + "allowed_content_types": { + "required": true, + "type": "set", + "default": [ + + ], + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", + "elements": { + "match": "^[^%s]+%/[^ ;]+$", + "required": true, + "type": "string" + } + } + }, + { + "allow_dtd": { + "default": false, + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", + "required": true, + "type": "boolean" + } + }, + { + "namespace_aware": { + "default": true, + "description": "If not parsing namespace aware, all 
prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", + "required": true, + "type": "boolean" + } + }, + { + "max_depth": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", + "default": 50 + } + }, + { + "max_children": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", + "default": 100 + } + }, + { + "max_attributes": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", + "default": 100 + } + }, + { + "max_namespaces": { + "required": false, + "type": "integer", + "gt": 0, + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", + "default": 20 + } + }, + { + "document": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum size of the entire document.", + "default": 10485760 + } + }, + { + "buffer": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum size of the unparsed buffer (see below).", + "default": 1048576 + } + }, + { + "comment": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum size of comments.", + "default": 1024 + } + }, + { + "localname": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum size of the localname. 
This applies to tags and attributes.", + "default": 1024 + } + }, + { + "prefix": { + "required": false, + "type": "integer", + "gt": 0, + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", + "default": 1024 + } + }, + { + "namespaceuri": { + "required": false, + "type": "integer", + "gt": 0, + "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware.", + "default": 1024 + } + }, + { + "attribute": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum size of the attribute value.", + "default": 1048576 + } + }, + { + "text": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", + "default": 1048576 + } + }, + { + "pitarget": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum size of processing instruction targets.", + "default": 1024 + } + }, + { + "pidata": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum size of processing instruction data.", + "default": 1024 + } + }, + { + "entityname": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum size of entity names in EntityDecl.", + "default": 1024 + } + }, + { + "entity": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum size of entity values in EntityDecl.", + "default": 1024 + } + }, + { + "entityproperty": { + "required": true, + "type": "integer", + "gt": 0, + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", + "default": 1024 + } + }, + { + "bla_max_amplification": { + "required": true, + "type": "number", + "gt": 1, + "description": "Sets the maximum allowed amplification. 
This protects against the Billion Laughs Attack.", + "default": 100 + } + }, + { + "bla_threshold": { + "required": true, + "type": "integer", + "gt": 1024, + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", + "default": 8388608 + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file diff --git a/schemas/zipkin/3.11.x.json b/schemas/zipkin/3.11.x.json new file mode 100644 index 00000000..f08c4023 --- /dev/null +++ b/schemas/zipkin/3.11.x.json 
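Review bot: The size limits under `config` (`document`, `buffer`, `comment`, `text`, `attribute` and the others) give no unit, and the `buffer` description ends with "(see below)", which points at nothing inside a schema file. The defaults 10485760 and 1048576 suggest bytes, but that is an inference; once confirmed, the descriptions should say so, e.g. `"description": "Maximum size of the entire document, in bytes."` and `"description": "Maximum size of the unparsed buffer, in bytes."`. The `allowed_content_types` description would also be clearer if it stated outright that payloads with a listed type are passed through without any of these checks, since it is the one setting here that turns the protection off per content type.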
@@ -0,0 +1,421 @@ +{ + "entity_checks": [ + + ], + "fields": [ + { + "protocols": { + "required": true, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "one_of": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "type": "string" + } + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "eq": null, + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "fields": [ + { + "local_service_name": { + "default": "kong", + "description": "The name of the service as displayed in Zipkin.", + "required": true, + "type": "string" + } + }, + { + "http_endpoint": { + "type": "string", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + } + }, + { + "sample_ratio": { + "default": 0.001, + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", + "between": [ + 0, + 1 + ], + "type": "number" + } + }, + { + "default_service_name": { + "type": "string", + "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans." 
+ } + }, + { + "include_credential": { + "default": true, + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", + "required": true, + "type": "boolean" + } + }, + { + "traceid_byte_count": { + "required": true, + "type": "integer", + "default": 16, + "description": "The length in bytes of each request's Trace ID.", + "one_of": [ + 8, + 16 + ] + } + }, + { + "header_type": { + "required": true, + "type": "string", + "default": "preserve", + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", + "one_of": [ + "preserve", + "ignore", + "b3", + "b3-single", + "w3c", + "jaeger", + "ot", + "aws", + "datadog", + "gcp" + ], + "deprecation": { + "old_default": "preserve", + "message": "zipkin: config.header_type is deprecated, please use config.propagation options instead", + "removal_in_version": "4.0" + } + } + }, + { + "default_header_type": { + "required": true, + "type": "string", + "default": "b3", + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. 
When `header_type` is set to any other value, `default_header_type` is ignored.", + "one_of": [ + "b3", + "b3-single", + "w3c", + "jaeger", + "ot", + "aws", + "datadog", + "gcp" + ], + "deprecation": { + "old_default": "b3", + "message": "zipkin: config.default_header_type is deprecated, please use config.propagation.default_format instead", + "removal_in_version": "4.0" + } + } + }, + { + "tags_header": { + "default": "Zipkin-Tags", + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", + "required": true, + "type": "string" + } + }, + { + "static_tags": { + "elements": { + "type": "record", + "fields": [ + { + "name": { + "not_one_of": [ + "error", + "http.method", + "http.path", + "http.status_code", + "kong.balancer.state", + "kong.balancer.try", + "kong.consumer", + "kong.credential", + "kong.node.id", + "kong.route", + "kong.service", + "lc", + "peer.hostname" + ], + "required": true, + "type": "string" + } + }, + { + "value": { + "required": true, + "type": "string" + } + } + ] + }, + "description": "The tags specified on this property will be added to the generated request traces.", + "type": "array" + } + }, + { + "http_span_name": { + "required": true, + "type": "string", + "default": "method", + "description": "Specify whether to include the HTTP path in the span name.", + "one_of": [ + "method", + "method_path" + ] + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "http_response_header_for_traceid": { + "type": "string" + } + }, + { + "phase_duration_flavor": { + "required": true, + "type": "string", + "default": "annotations", + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", + "one_of": [ + "annotations", + "tags" + ] + } + }, + { + "queue": { + "fields": [ + { + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "between": [ + 0, + 3600 + ], + "type": "number" + } + }, + { + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "between": [ + 1, + 1000000 + ], + "type": "integer" + } + }, + { + "max_bytes": { + "type": "integer", + "description": "Maximum number of bytes that can be waiting on a queue, requires string content." 
+ } + }, + { + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + { + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "between": [ + 0.001, + 1000000 + ], + "type": "number" + } + }, + { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "type": "integer", + "one_of": [ + -1, + 1 + ] + } + } + ], + "required": true, + "type": "record" + } + }, + { + "propagation": { + "default": { + "default_format": "b3" + }, + "fields": [ + { + "extract": { + "elements": { + "type": "string", + "one_of": [ + "gcp", + "jaeger", + "aws", + "ot", + "w3c", + "datadog", + "b3" + ] + }, + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "type": "array" + } + }, + { + "clear": { + "elements": { + "type": "string" + }, + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. 
If left empty, no headers are cleared.", + "type": "array" + } + }, + { + "inject": { + "elements": { + "type": "string", + "one_of": [ + "preserve", + "gcp", + "b3-single", + "jaeger", + "aws", + "ot", + "w3c", + "datadog", + "b3" + ] + }, + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "type": "array" + } + }, + { + "default_format": { + "type": "string", + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "required": true, + "one_of": [ + "gcp", + "b3-single", + "jaeger", + "aws", + "ot", + "w3c", + "datadog", + "b3" + ] + } + } + ], + "required": true, + "type": "record" + } + } + ], + "required": true, + "type": "record" + } + } + ] +} \ No newline at end of file From 9e3673d679bd19241da40adbcd1f77138a4965c2 Mon Sep 17 00:00:00 2001 
From: kong-docs <116832528+kong-docs@users.noreply.github.com> Date: Tue, 1 Apr 2025 01:37:18 +0200 Subject: [PATCH 145/165] Copy latest examples to 3.11.x (#113) Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- examples/acl/_3.11.x.yaml | 6 +++ examples/acme/_3.11.x.yaml | 3 ++ examples/ai-azure-content-safety/_3.11.x.yaml | 9 ++++ examples/ai-prompt-decorator/_3.11.x.yaml | 13 ++++++ examples/ai-prompt-guard/_3.11.x.yaml | 9 ++++ examples/ai-prompt-template/_3.11.x.yaml | 23 ++++++++++ examples/ai-proxy-advanced/_3.11.x.yaml | 15 +++++++ examples/ai-proxy/_3.11.x.yaml | 12 ++++++ examples/ai-rag-injector/_3.11.x.yaml | 20 +++++++++ .../ai-rate-limiting-advanced/_3.11.x.yaml | 9 ++++ examples/ai-request-transformer/_3.11.x.yaml | 18 ++++++++ examples/ai-response-transformer/_3.11.x.yaml | 21 +++++++++ examples/ai-sanitizer/_3.11.x.yaml | 8 ++++ examples/ai-semantic-cache/_3.11.x.yaml | 14 ++++++ .../ai-semantic-prompt-guard/_3.11.x.yaml | 23 ++++++++++ examples/app-dynamics/_3.11.x.yaml | 2 + .../application-registration/_3.11.x.yaml | 7 +++ examples/aws-lambda/_3.11.x.yaml | 9 ++++ examples/azure-functions/_3.11.x.yaml | 6 +++ examples/basic-auth/_3.11.x.yaml | 3 ++ examples/bot-detection/_3.11.x.yaml | 4 ++ examples/canary/_3.11.x.yaml | 5 +++ examples/confluent-consume/_3.11.x.yaml | 12 ++++++ examples/confluent/_3.11.x.yaml | 9 ++++ examples/correlation-id/_3.11.x.yaml | 5 +++ examples/cors/_3.11.x.yaml | 19 ++++++++ examples/datadog/_3.11.x.yaml | 6 +++ examples/degraphql/_3.11.x.yaml | 3 ++ examples/exit-transformer/_3.11.x.yaml | 4 ++ examples/file-log/_3.11.x.yaml | 3 ++ examples/forward-proxy/_3.11.x.yaml | 9 ++++ .../graphql-proxy-cache-advanced/_3.11.x.yaml | 3 ++ .../_3.11.x.yaml | 9 ++++ examples/grpc-gateway/_3.11.x.yaml | 3 ++ examples/grpc-web/_3.11.x.yaml | 3 ++ examples/header-cert-auth/_3.11.x.yaml | 7 +++ examples/hmac-auth/_3.11.x.yaml | 3 ++ examples/http-log/_3.11.x.yaml | 8 ++++ 
examples/injection-protection/_3.11.x.yaml | 9 ++++ examples/ip-restriction/_3.11.x.yaml | 5 +++ examples/jq/_3.11.x.yaml | 3 ++ examples/json-threat-protection/_3.11.x.yaml | 11 +++++ examples/jwe-decrypt/_3.11.x.yaml | 4 ++ examples/jwt-signer/_3.11.x.yaml | 4 ++ examples/jwt/_3.11.x.yaml | 4 ++ examples/kafka-consume/_3.11.x.yaml | 11 +++++ examples/kafka-log/_3.11.x.yaml | 3 ++ examples/kafka-upstream/_3.11.x.yaml | 3 ++ examples/key-auth-enc/_3.11.x.yaml | 4 ++ examples/key-auth/_3.11.x.yaml | 4 ++ .../konnect-application-auth/_3.11.x.yaml | 3 ++ examples/ldap-auth-advanced/_3.11.x.yaml | 10 +++++ examples/ldap-auth/_3.11.x.yaml | 8 ++++ examples/loggly/_3.11.x.yaml | 3 ++ examples/mocking/_3.11.x.yaml | 14 ++++++ examples/mtls-auth/_3.11.x.yaml | 6 +++ examples/oas-validation/_3.11.x.yaml | 29 +++++++++++++ examples/oauth2-introspection/_3.11.x.yaml | 5 +++ examples/oauth2/_3.11.x.yaml | 9 ++++ examples/opa/_3.11.x.yaml | 5 +++ examples/openid-connect/_3.11.x.yaml | 12 ++++++ examples/opentelemetry/_3.11.x.yaml | 6 +++ examples/post-function/_3.11.x.yaml | 6 +++ examples/pre-function/_3.11.x.yaml | 6 +++ examples/prometheus/_3.11.x.yaml | 4 ++ examples/proxy-cache-advanced/_3.11.x.yaml | 11 +++++ examples/proxy-cache/_3.11.x.yaml | 12 ++++++ examples/rate-limiting-advanced/_3.11.x.yaml | 11 +++++ examples/rate-limiting/_3.11.x.yaml | 5 +++ examples/redirect/_3.11.x.yaml | 3 ++ examples/request-callout/_3.11.x.yaml | 1 + examples/request-size-limiting/_3.11.x.yaml | 4 ++ examples/request-termination/_3.11.x.yaml | 4 ++ .../request-transformer-advanced/_3.11.x.yaml | 43 +++++++++++++++++++ examples/request-transformer/_3.11.x.yaml | 36 ++++++++++++++++ examples/request-validator/_3.11.x.yaml | 3 ++ examples/response-ratelimiting/_3.11.x.yaml | 8 ++++ .../_3.11.x.yaml | 31 +++++++++++++ examples/response-transformer/_3.11.x.yaml | 24 +++++++++++ examples/route-by-header/_3.11.x.yaml | 8 ++++ .../route-transformer-advanced/_3.11.x.yaml | 3 ++ 
examples/saml/_3.11.x.yaml | 12 ++++++ examples/service-protection/_3.11.x.yaml | 8 ++++ examples/session/_3.11.x.yaml | 3 ++ examples/standard-webhooks/_3.11.x.yaml | 3 ++ examples/statsd-advanced/_3.11.x.yaml | 7 +++ examples/statsd/_3.11.x.yaml | 9 ++++ examples/syslog/_3.11.x.yaml | 3 ++ examples/tcp-log/_3.11.x.yaml | 4 ++ examples/tls-handshake-modifier/_3.11.x.yaml | 1 + examples/tls-metadata-headers/_3.11.x.yaml | 4 ++ examples/udp-log/_3.11.x.yaml | 5 +++ examples/upstream-oauth/_3.11.x.yaml | 12 ++++++ examples/upstream-timeout/_3.11.x.yaml | 5 +++ examples/vault-auth/_3.11.x.yaml | 4 ++ examples/websocket-size-limit/_3.11.x.yaml | 4 ++ examples/websocket-validator/_3.11.x.yaml | 14 ++++++ examples/xml-threat-protection/_3.11.x.yaml | 6 +++ examples/zipkin/_3.11.x.yaml | 5 +++ 99 files changed, 852 insertions(+) create mode 100644 examples/acl/_3.11.x.yaml create mode 100644 examples/acme/_3.11.x.yaml create mode 100644 examples/ai-azure-content-safety/_3.11.x.yaml create mode 100644 examples/ai-prompt-decorator/_3.11.x.yaml create mode 100644 examples/ai-prompt-guard/_3.11.x.yaml create mode 100644 examples/ai-prompt-template/_3.11.x.yaml create mode 100644 examples/ai-proxy-advanced/_3.11.x.yaml create mode 100644 examples/ai-proxy/_3.11.x.yaml create mode 100644 examples/ai-rag-injector/_3.11.x.yaml create mode 100644 examples/ai-rate-limiting-advanced/_3.11.x.yaml create mode 100644 examples/ai-request-transformer/_3.11.x.yaml create mode 100644 examples/ai-response-transformer/_3.11.x.yaml create mode 100644 examples/ai-sanitizer/_3.11.x.yaml create mode 100644 examples/ai-semantic-cache/_3.11.x.yaml create mode 100644 examples/ai-semantic-prompt-guard/_3.11.x.yaml create mode 100644 examples/app-dynamics/_3.11.x.yaml create mode 100644 examples/application-registration/_3.11.x.yaml create mode 100644 examples/aws-lambda/_3.11.x.yaml create mode 100644 examples/azure-functions/_3.11.x.yaml create mode 100644 examples/basic-auth/_3.11.x.yaml create 
mode 100644 examples/bot-detection/_3.11.x.yaml create mode 100644 examples/canary/_3.11.x.yaml create mode 100644 examples/confluent-consume/_3.11.x.yaml create mode 100644 examples/confluent/_3.11.x.yaml create mode 100644 examples/correlation-id/_3.11.x.yaml create mode 100644 examples/cors/_3.11.x.yaml create mode 100644 examples/datadog/_3.11.x.yaml create mode 100644 examples/degraphql/_3.11.x.yaml create mode 100644 examples/exit-transformer/_3.11.x.yaml create mode 100644 examples/file-log/_3.11.x.yaml create mode 100644 examples/forward-proxy/_3.11.x.yaml create mode 100644 examples/graphql-proxy-cache-advanced/_3.11.x.yaml create mode 100644 examples/graphql-rate-limiting-advanced/_3.11.x.yaml create mode 100644 examples/grpc-gateway/_3.11.x.yaml create mode 100644 examples/grpc-web/_3.11.x.yaml create mode 100644 examples/header-cert-auth/_3.11.x.yaml create mode 100644 examples/hmac-auth/_3.11.x.yaml create mode 100644 examples/http-log/_3.11.x.yaml create mode 100644 examples/injection-protection/_3.11.x.yaml create mode 100644 examples/ip-restriction/_3.11.x.yaml create mode 100644 examples/jq/_3.11.x.yaml create mode 100644 examples/json-threat-protection/_3.11.x.yaml create mode 100644 examples/jwe-decrypt/_3.11.x.yaml create mode 100644 examples/jwt-signer/_3.11.x.yaml create mode 100644 examples/jwt/_3.11.x.yaml create mode 100644 examples/kafka-consume/_3.11.x.yaml create mode 100644 examples/kafka-log/_3.11.x.yaml create mode 100644 examples/kafka-upstream/_3.11.x.yaml create mode 100644 examples/key-auth-enc/_3.11.x.yaml create mode 100644 examples/key-auth/_3.11.x.yaml create mode 100644 examples/konnect-application-auth/_3.11.x.yaml create mode 100644 examples/ldap-auth-advanced/_3.11.x.yaml create mode 100644 examples/ldap-auth/_3.11.x.yaml create mode 100644 examples/loggly/_3.11.x.yaml create mode 100644 examples/mocking/_3.11.x.yaml create mode 100644 examples/mtls-auth/_3.11.x.yaml create mode 100644 examples/oas-validation/_3.11.x.yaml 
create mode 100644 examples/oauth2-introspection/_3.11.x.yaml create mode 100644 examples/oauth2/_3.11.x.yaml create mode 100644 examples/opa/_3.11.x.yaml create mode 100644 examples/openid-connect/_3.11.x.yaml create mode 100644 examples/opentelemetry/_3.11.x.yaml create mode 100644 examples/post-function/_3.11.x.yaml create mode 100644 examples/pre-function/_3.11.x.yaml create mode 100644 examples/prometheus/_3.11.x.yaml create mode 100644 examples/proxy-cache-advanced/_3.11.x.yaml create mode 100644 examples/proxy-cache/_3.11.x.yaml create mode 100644 examples/rate-limiting-advanced/_3.11.x.yaml create mode 100644 examples/rate-limiting/_3.11.x.yaml create mode 100644 examples/redirect/_3.11.x.yaml create mode 100644 examples/request-callout/_3.11.x.yaml create mode 100644 examples/request-size-limiting/_3.11.x.yaml create mode 100644 examples/request-termination/_3.11.x.yaml create mode 100644 examples/request-transformer-advanced/_3.11.x.yaml create mode 100644 examples/request-transformer/_3.11.x.yaml create mode 100644 examples/request-validator/_3.11.x.yaml create mode 100644 examples/response-ratelimiting/_3.11.x.yaml create mode 100644 examples/response-transformer-advanced/_3.11.x.yaml create mode 100644 examples/response-transformer/_3.11.x.yaml create mode 100644 examples/route-by-header/_3.11.x.yaml create mode 100644 examples/route-transformer-advanced/_3.11.x.yaml create mode 100644 examples/saml/_3.11.x.yaml create mode 100644 examples/service-protection/_3.11.x.yaml create mode 100644 examples/session/_3.11.x.yaml create mode 100644 examples/standard-webhooks/_3.11.x.yaml create mode 100644 examples/statsd-advanced/_3.11.x.yaml create mode 100644 examples/statsd/_3.11.x.yaml create mode 100644 examples/syslog/_3.11.x.yaml create mode 100644 examples/tcp-log/_3.11.x.yaml create mode 100644 examples/tls-handshake-modifier/_3.11.x.yaml create mode 100644 examples/tls-metadata-headers/_3.11.x.yaml create mode 100644 examples/udp-log/_3.11.x.yaml 
create mode 100644 examples/upstream-oauth/_3.11.x.yaml create mode 100644 examples/upstream-timeout/_3.11.x.yaml create mode 100644 examples/vault-auth/_3.11.x.yaml create mode 100644 examples/websocket-size-limit/_3.11.x.yaml create mode 100644 examples/websocket-validator/_3.11.x.yaml create mode 100644 examples/xml-threat-protection/_3.11.x.yaml create mode 100644 examples/zipkin/_3.11.x.yaml diff --git a/examples/acl/_3.11.x.yaml b/examples/acl/_3.11.x.yaml new file mode 100644 index 00000000..a76559c0 --- /dev/null +++ b/examples/acl/_3.11.x.yaml @@ -0,0 +1,6 @@ +name: acl +config: + allow: + - group1 + - group2 + hide_groups_header: true diff --git a/examples/acme/_3.11.x.yaml b/examples/acme/_3.11.x.yaml new file mode 100644 index 00000000..6b35cddc --- /dev/null +++ b/examples/acme/_3.11.x.yaml @@ -0,0 +1,3 @@ +name: acme +config: + account_email: example@example.com diff --git a/examples/ai-azure-content-safety/_3.11.x.yaml b/examples/ai-azure-content-safety/_3.11.x.yaml new file mode 100644 index 00000000..75f6cffb --- /dev/null +++ b/examples/ai-azure-content-safety/_3.11.x.yaml @@ -0,0 +1,9 @@ +name: ai-azure-content-safety +config: + content_safety_url: http//: + azure_use_managed_identity: false + reveal_failure_reason: true + content_safety_key: anything + categories: + - { name: "Hate", rejection_level: 2 } + - { name: "Violence", rejection_level: 2 } diff --git a/examples/ai-prompt-decorator/_3.11.x.yaml b/examples/ai-prompt-decorator/_3.11.x.yaml new file mode 100644 index 00000000..50a84994 --- /dev/null +++ b/examples/ai-prompt-decorator/_3.11.x.yaml 
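Review bot: In examples/ai-azure-content-safety/_3.11.x.yaml, `content_safety_url: http//:` is not a parseable URL as shown, and `content_safety_key: anything` puts a key value inline. Examples like this get pasted into real configs, so the file should show an HTTPS endpoint placeholder and an obvious key placeholder, e.g. `content_safety_url: https://<CONTENT_SAFETY_ENDPOINT>` and `content_safety_key: <CONTENT_SAFETY_KEY>`. `reveal_failure_reason: true` presumably returns the rejection reason to the caller. If so, a one-line comment should say this is for debugging and may not be wanted on routes exposed to untrusted clients.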
@@ -0,0 +1,13 @@ +name: ai-prompt-decorator +config: + prompts: + prepend: + - role: "system" + content: "You are data scientist, specialising in survey analytics." + - role: "user" + content: "Classify this test result set as positive, negative, or neutral." + - role: "assistant" + content: "These tests are NEUTRAL." + append: + - role: "user" + content: "Do not mention any real participants name in your justification." diff --git a/examples/ai-prompt-guard/_3.11.x.yaml b/examples/ai-prompt-guard/_3.11.x.yaml new file mode 100644 index 00000000..bd724506 --- /dev/null +++ b/examples/ai-prompt-guard/_3.11.x.yaml @@ -0,0 +1,9 @@ +name: ai-prompt-guard +config: + allow_all_conversation_history: true + allow_patterns: + - ".*(P|p)ears.*" + - ".*(P|p)eaches.*" + deny_patterns: + - ".*(A|a)pples.*" + - ".*(O|o)ranges.*" diff --git a/examples/ai-prompt-template/_3.11.x.yaml b/examples/ai-prompt-template/_3.11.x.yaml new file mode 100644 index 00000000..1ed007fc --- /dev/null +++ b/examples/ai-prompt-template/_3.11.x.yaml @@ -0,0 +1,23 @@ +name: ai-prompt-template +config: + allow_untemplated_requests: true + templates: + - name: "developer-chat" + template: |- + { + "messages": [ + { + "role": "system", + "content": "You are a {{program}} expert, in {{language}} programming language." + }, + { + "role": "user", + "content": "Write me a {{program}} program." + } + ] + } + - name: "summarize-prompt" + template: |- + { + "prompt": "Summarize the following text for me: {{text}}" + } diff --git a/examples/ai-proxy-advanced/_3.11.x.yaml b/examples/ai-proxy-advanced/_3.11.x.yaml new file mode 100644 index 00000000..54acb74f --- /dev/null +++ b/examples/ai-proxy-advanced/_3.11.x.yaml 
@@ -0,0 +1,15 @@ +name: ai-proxy-advanced +config: + targets: + - route_type: llm/v1/chat + auth: + header_name: Authorization + header_value: Bearer token + model: + provider: openai + - route_type: llm/v1/chat + model: + provider: llama2 + options: + llama2_format: openai + upstream_url: http://httpbin diff --git a/examples/ai-proxy/_3.11.x.yaml b/examples/ai-proxy/_3.11.x.yaml new file mode 100644 index 00000000..a16a3dd4 --- /dev/null +++ b/examples/ai-proxy/_3.11.x.yaml @@ -0,0 +1,12 @@ +name: ai-proxy +config: + route_type: "llm/v1/chat" + auth: + header_name: "Authorization" + header_value: "Bearer " + model: + provider: "openai" + name: "gpt-4" + options: + max_tokens: 512 + temperature: 1.0 diff --git a/examples/ai-rag-injector/_3.11.x.yaml b/examples/ai-rag-injector/_3.11.x.yaml new file mode 100644 index 00000000..a60e56ee --- /dev/null +++ b/examples/ai-rag-injector/_3.11.x.yaml @@ -0,0 +1,20 @@ +name: ai-rag-injector +config: + inject_template: | + Only use the following information surrounded by and your existing knowledge to provide the best possible answer to the user. + + User's question: + embeddings: + auth: + header_name: Authorization + header_value: Bearer + model: + provider: openai + name: text-embedding-3-large + vectordb: + strategy: redis + redis: + host: exampleredis.com + port: 80 + distance_metric: cosine + dimensions: 76 \ No newline at end of file diff --git a/examples/ai-rate-limiting-advanced/_3.11.x.yaml b/examples/ai-rate-limiting-advanced/_3.11.x.yaml new file mode 100644 index 00000000..9831356c --- /dev/null +++ b/examples/ai-rate-limiting-advanced/_3.11.x.yaml @@ -0,0 +1,9 @@ +name: ai-rate-limiting-advanced +config: + llm_providers: + - name: openai + limit: 1000 + window_size: 3600 + - name: mistral + limit: 100 + window_size: 60 diff --git a/examples/ai-request-transformer/_3.11.x.yaml b/examples/ai-request-transformer/_3.11.x.yaml new file mode 100644 index 00000000..b8275ac7 --- /dev/null 
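Review bot: In examples/ai-rag-injector/_3.11.x.yaml, `dimensions: 76` disagrees with the ai-semantic-cache example in this same patch, which pairs the same `text-embedding-3-large` model with `dimensions: 3072`. Unless the plugin requests shortened embeddings, an index sized differently from the model output is likely to be rejected or to give meaningless matches, so `dimensions: 3072` would be the consistent value. The Redis target `exampleredis.com` on `port: 80` with no credentials or TLS settings also reads as a copy-paste default. A short comment should say that the vector store holds retrieved document content and should be reached over an authenticated, encrypted connection.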
+++ b/examples/ai-request-transformer/_3.11.x.yaml @@ -0,0 +1,18 @@ +name: ai-request-transformer +config: + prompt: "Mask any credit card numbers in my JSON message. Reply with only the JSON result." + transformation_extract_pattern: '\\{((.|\n)*)\\}' + llm: + route_type: "llm/v1/chat" + auth: + header_name: "Authorization" + header_value: "Bearer " + logging: + log_statistics: true + log_payloads: false + model: + provider: "openai" + name: "gpt-4" + options: + max_tokens: 1024 + temperature: 1.0 diff --git a/examples/ai-response-transformer/_3.11.x.yaml b/examples/ai-response-transformer/_3.11.x.yaml new file mode 100644 index 00000000..4c62a8e2 --- /dev/null +++ b/examples/ai-response-transformer/_3.11.x.yaml @@ -0,0 +1,21 @@ +name: ai-response-transformer +config: + prompt: "For any city name, put the country that it's in, in brackets next to it. Reply with only the JSON result." + transformation_extract_pattern: '\\{((.|\n)*)\\}' + parse_llm_response_json_instructions: false + llm: + route_type: "llm/v1/chat" + auth: + header_name: "api-key" + header_value: "" + logging: + log_statistics: true + log_payloads: false + model: + provider: "azure" + name: "gpt-35-turbo" + options: + max_tokens: 1024 + temperature: 1.0 + azure_instance: "azure-openai-instance-name" + azure_deployment_id: "gpt-3-5-deployment" diff --git a/examples/ai-sanitizer/_3.11.x.yaml b/examples/ai-sanitizer/_3.11.x.yaml new file mode 100644 index 00000000..d7085a54 --- /dev/null +++ b/examples/ai-sanitizer/_3.11.x.yaml @@ -0,0 +1,8 @@ +name: ai-sanitizer +config: + port: 9000 + anonymize: + - phone + - general + recover_redacted: false + redact_type: synthetic diff --git a/examples/ai-semantic-cache/_3.11.x.yaml b/examples/ai-semantic-cache/_3.11.x.yaml new file mode 100644 index 00000000..e273c72f --- /dev/null +++ b/examples/ai-semantic-cache/_3.11.x.yaml 
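Review bot: `transformation_extract_pattern: '\\{((.|\n)*)\\}'` in examples/ai-request-transformer/_3.11.x.yaml is a single-quoted YAML scalar, so the doubled backslashes are kept literally. If the plugin hands the string to the regex engine unchanged, `\\{` matches a backslash followed by a brace, not the opening brace of the JSON reply, and the extraction would not match. The single-quoted form would then be `transformation_extract_pattern: '\{((.|\n)*)\}'`. The ai-response-transformer example in this patch carries the same value. The prompt asks the model to mask card numbers, so a silent extraction failure here is worth ruling out with a test before the example is published.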
@@ -0,0 +1,14 @@ +name: ai-semantic-cache +config: + embeddings: + model: + provider: openai + name: text-embedding-3-large + vectordb: + strategy: redis + dimensions: 3072 + threshold: 0.1 + distance_metric: cosine + redis: + host: exampleredis.com + port: 80 diff --git a/examples/ai-semantic-prompt-guard/_3.11.x.yaml b/examples/ai-semantic-prompt-guard/_3.11.x.yaml new file mode 100644 index 00000000..8cbb9571 --- /dev/null +++ b/examples/ai-semantic-prompt-guard/_3.11.x.yaml @@ -0,0 +1,23 @@ +name: ai-semantic-prompt-guard +config: + embeddings: + auth: + header_name: Authorization + header_value: Bearer + model: + name: text-embedding-3-small + provider: openai + search: + threshold: 0.7 + vectordb: + strategy: redis + distance_metric: cosine + threshold: 0.5 + dimensions: 1024 + redis: + host: localhost + port: 6379 + rules: + match_all_conversation_history: true + allow_prompts: + - Questions about Kong \ No newline at end of file diff --git a/examples/app-dynamics/_3.11.x.yaml b/examples/app-dynamics/_3.11.x.yaml new file mode 100644 index 00000000..fb73f97b --- /dev/null +++ b/examples/app-dynamics/_3.11.x.yaml @@ -0,0 +1,2 @@ +name: app-dynamics +config: {} diff --git a/examples/application-registration/_3.11.x.yaml b/examples/application-registration/_3.11.x.yaml new file mode 100644 index 00000000..a52184fb --- /dev/null +++ b/examples/application-registration/_3.11.x.yaml @@ -0,0 +1,7 @@ +name: application-registration +service: SERVICE_NAME +config: + auto_approve: false + description: + display_name: + show_issuer: false diff --git a/examples/aws-lambda/_3.11.x.yaml b/examples/aws-lambda/_3.11.x.yaml new file mode 100644 index 00000000..5eddd18d --- /dev/null +++ b/examples/aws-lambda/_3.11.x.yaml @@ -0,0 +1,9 @@ +name: aws-lambda +config: + aws_key: + aws_secret: + aws_region: + aws_assume_role_arn: + aws_role_session_name: + function_name: + proxy_url: http://my-proxy-server:3128 
diff --git a/examples/azure-functions/_3.11.x.yaml b/examples/azure-functions/_3.11.x.yaml new file mode 100644 index 00000000..00f73c86 --- /dev/null +++ b/examples/azure-functions/_3.11.x.yaml @@ -0,0 +1,6 @@ +name: azure-functions +config: + functionname: + appname: + hostdomain: azurewebsites.net + apikey: diff --git a/examples/basic-auth/_3.11.x.yaml b/examples/basic-auth/_3.11.x.yaml new file mode 100644 index 00000000..40fcf8c2 --- /dev/null +++ b/examples/basic-auth/_3.11.x.yaml @@ -0,0 +1,3 @@ +name: basic-auth +config: + hide_credentials: true diff --git a/examples/bot-detection/_3.11.x.yaml b/examples/bot-detection/_3.11.x.yaml new file mode 100644 index 00000000..e4f2eb24 --- /dev/null +++ b/examples/bot-detection/_3.11.x.yaml @@ -0,0 +1,4 @@ +name: bot-detection +config: + deny: + - helloworld diff --git a/examples/canary/_3.11.x.yaml b/examples/canary/_3.11.x.yaml new file mode 100644 index 00000000..928424f8 --- /dev/null +++ b/examples/canary/_3.11.x.yaml @@ -0,0 +1,5 @@ +name: canary +config: + percentage: 50 + upstream_host: example.com + upstream_port: 80 diff --git a/examples/confluent-consume/_3.11.x.yaml b/examples/confluent-consume/_3.11.x.yaml new file mode 100644 index 00000000..38774ad5 --- /dev/null +++ b/examples/confluent-consume/_3.11.x.yaml @@ -0,0 +1,12 @@ +name: confluent-consume +config: + bootstrap_servers: + - host: YOUR_BOOTSTRAP_SERVER + port: 9092 + topics: + - name: my-topic + mode: http-get + message_deserializer: json + auto_offset_reset: latest + cluster_api_key: YOUR_API_KEY + cluster_api_secret: YOUR_API_SECRET \ No newline at end of file diff --git a/examples/confluent/_3.11.x.yaml b/examples/confluent/_3.11.x.yaml new file mode 100644 index 00000000..d4bd8e82 --- /dev/null +++ b/examples/confluent/_3.11.x.yaml 
@@ -0,0 +1,9 @@ +name: confluent +config: + bootstrap_servers: + - host: example.com + port: 80 + producer_async: false + topic: 'kong-test' + cluster_api_key: CONFLUENT_CLUSTER_API_KEY + cluster_api_secret: CONFLUENT_CLUSTER_API_SECRET \ No newline at end of file diff --git a/examples/correlation-id/_3.11.x.yaml b/examples/correlation-id/_3.11.x.yaml new file mode 100644 index 00000000..31240989 --- /dev/null +++ b/examples/correlation-id/_3.11.x.yaml @@ -0,0 +1,5 @@ +name: correlation-id +config: + header_name: Kong-Request-ID + generator: uuid#counter + echo_downstream: false diff --git a/examples/cors/_3.11.x.yaml b/examples/cors/_3.11.x.yaml new file mode 100644 index 00000000..c2046281 --- /dev/null +++ b/examples/cors/_3.11.x.yaml @@ -0,0 +1,19 @@ +name: cors +config: + origins: + - http://mockbin.com + methods: + - GET + - POST + headers: + - Accept + - Accept-Version + - Content-Length + - Content-MD5 + - Content-Type + - Date + - X-Auth-Token + exposed_headers: + - X-Auth-Token + credentials: true + max_age: 3600 diff --git a/examples/datadog/_3.11.x.yaml b/examples/datadog/_3.11.x.yaml new file mode 100644 index 00000000..957e300c --- /dev/null +++ b/examples/datadog/_3.11.x.yaml @@ -0,0 +1,6 @@ +name: datadog +config: + host: 127.0.0.1 + port: 8125 + flush_timeout: 2 + retry_count: 10 diff --git a/examples/degraphql/_3.11.x.yaml b/examples/degraphql/_3.11.x.yaml new file mode 100644 index 00000000..84443323 --- /dev/null +++ b/examples/degraphql/_3.11.x.yaml @@ -0,0 +1,3 @@ +name: degraphql +config: + graphql_server_path: '/graphql' diff --git a/examples/exit-transformer/_3.11.x.yaml b/examples/exit-transformer/_3.11.x.yaml new file mode 100644 index 00000000..c7f0c5d4 --- /dev/null +++ b/examples/exit-transformer/_3.11.x.yaml @@ -0,0 +1,4 @@ +name: exit-transformer +config: + functions: + - "return function(status, body, headers) return status, body, headers end" 
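Review bot: examples/cors/_3.11.x.yaml combines `credentials: true` with the plaintext origin `http://mockbin.com`. Anyone able to tamper with that unencrypted origin can serve script under it and make credentialed cross-origin requests to the API. The example should use an HTTPS origin the reader controls, e.g. `- https://app.example.com`. A comment next to `credentials: true` should say it is only safe with an explicit list of trusted HTTPS origins.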
diff --git a/examples/file-log/_3.11.x.yaml b/examples/file-log/_3.11.x.yaml new file mode 100644 index 00000000..aefd2bdc --- /dev/null +++ b/examples/file-log/_3.11.x.yaml @@ -0,0 +1,3 @@ +name: file-log +config: + path: /tmp/file.log diff --git a/examples/forward-proxy/_3.11.x.yaml b/examples/forward-proxy/_3.11.x.yaml new file mode 100644 index 00000000..7fb797ca --- /dev/null +++ b/examples/forward-proxy/_3.11.x.yaml @@ -0,0 +1,9 @@ +name: forward-proxy +config: + http_proxy_host: example.com + http_proxy_port: 80 + proxy_scheme: http + auth_username: example_user + auth_password: example_pass + https_verify: false + x_headers: transparent diff --git a/examples/graphql-proxy-cache-advanced/_3.11.x.yaml b/examples/graphql-proxy-cache-advanced/_3.11.x.yaml new file mode 100644 index 00000000..e1ce637b --- /dev/null +++ b/examples/graphql-proxy-cache-advanced/_3.11.x.yaml @@ -0,0 +1,3 @@ +name: graphql-proxy-cache-advanced +config: + strategy: memory diff --git a/examples/graphql-rate-limiting-advanced/_3.11.x.yaml b/examples/graphql-rate-limiting-advanced/_3.11.x.yaml new file mode 100644 index 00000000..10985f83 --- /dev/null +++ b/examples/graphql-rate-limiting-advanced/_3.11.x.yaml @@ -0,0 +1,9 @@ +name: graphql-rate-limiting-advanced +config: + limit: + - 5 + window_size: + - 30 + sync_rate: -1 + namespace: example_namespace + strategy: cluster diff --git a/examples/grpc-gateway/_3.11.x.yaml b/examples/grpc-gateway/_3.11.x.yaml new file mode 100644 index 00000000..36b576ea --- /dev/null +++ b/examples/grpc-gateway/_3.11.x.yaml @@ -0,0 +1,3 @@ +name: grpc-gateway +config: + proto: path/to/hello.proto diff --git a/examples/grpc-web/_3.11.x.yaml b/examples/grpc-web/_3.11.x.yaml new file mode 100644 index 00000000..e4f2c597 --- /dev/null +++ b/examples/grpc-web/_3.11.x.yaml @@ -0,0 +1,3 @@ +name: grpc-web +config: + proto: path/to/hello.proto 
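Review bot: examples/forward-proxy/_3.11.x.yaml ships `https_verify: false` next to `auth_username`/`auth_password`, so the copy-paste default turns off certificate verification on a connection that carries proxy credentials. examples/ldap-auth-advanced/_3.11.x.yaml does the same with `start_tls: true` plus `verify_ldap_host: false`, which encrypts the session without authenticating the directory server. Suggest `https_verify: true` and `verify_ldap_host: true` in the examples. If a lab setup needs verification off, a comment should state that it is for testing only.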
diff --git a/examples/header-cert-auth/_3.11.x.yaml b/examples/header-cert-auth/_3.11.x.yaml new file mode 100644 index 00000000..0bbd7799 --- /dev/null +++ b/examples/header-cert-auth/_3.11.x.yaml @@ -0,0 +1,7 @@ +name: header-cert-auth +config: + ca_certificates: + - "0D769DE8-7CC0-4541-989B-F9C23E20054C" + certificate_header_name: ssl-client-cert + certificate_header_format: base64_encoded + secure_source: false \ No newline at end of file diff --git a/examples/hmac-auth/_3.11.x.yaml b/examples/hmac-auth/_3.11.x.yaml new file mode 100644 index 00000000..ba1ae19d --- /dev/null +++ b/examples/hmac-auth/_3.11.x.yaml @@ -0,0 +1,3 @@ +name: hmac-auth +config: + hide_credentials: false diff --git a/examples/http-log/_3.11.x.yaml b/examples/http-log/_3.11.x.yaml new file mode 100644 index 00000000..dd88c67c --- /dev/null +++ b/examples/http-log/_3.11.x.yaml @@ -0,0 +1,8 @@ +name: http-log +config: + http_endpoint: http://mockbin.org/bin/:id + method: POST + timeout: 1000 + keepalive: 1000 + flush_timeout: 2 + retry_count: 15 diff --git a/examples/injection-protection/_3.11.x.yaml b/examples/injection-protection/_3.11.x.yaml new file mode 100644 index 00000000..9e7e487e --- /dev/null +++ b/examples/injection-protection/_3.11.x.yaml @@ -0,0 +1,9 @@ +name: injection-protection +config: + injection_types: + - "sql" + locations: + - "path_and_query" + enforcement_mode: block + error_status_code: 400 + error_message: Bad Request diff --git a/examples/ip-restriction/_3.11.x.yaml b/examples/ip-restriction/_3.11.x.yaml new file mode 100644 index 00000000..4ca5298d --- /dev/null +++ b/examples/ip-restriction/_3.11.x.yaml @@ -0,0 +1,5 @@ +name: ip-restriction +config: + allow: + - 54.13.21.1 + - 143.1.0.0/24 diff --git a/examples/jq/_3.11.x.yaml b/examples/jq/_3.11.x.yaml new file mode 100644 index 00000000..d69ce58d --- /dev/null +++ b/examples/jq/_3.11.x.yaml @@ -0,0 +1,3 @@ +name: jq +config: + request_jq_program: .[0] 
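Review bot: examples/header-cert-auth/_3.11.x.yaml sets `secure_source: false` while authenticating from the `ssl-client-cert` request header. The setting presumably controls whether that header is accepted only from trusted upstream addresses. If so, any client that can reach the gateway directly could supply its own certificate header. Suggest `secure_source: true` in the example. A comment should add that the TLS-terminating proxy must strip any inbound `ssl-client-cert` header before setting its own.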
diff --git a/examples/json-threat-protection/_3.11.x.yaml b/examples/json-threat-protection/_3.11.x.yaml new file mode 100644 index 00000000..787fdad7 --- /dev/null +++ b/examples/json-threat-protection/_3.11.x.yaml @@ -0,0 +1,11 @@ +name: json-threat-protection +config: + max_body_size: 10 + max_container_depth: 1 + max_object_entry_count: 2 + max_object_entry_name_length: 3 + max_array_element_count: 4 + max_string_value_length: 5 + enforcement_mode: block + error_status_code: 400 + error_message: BadRequest \ No newline at end of file diff --git a/examples/jwe-decrypt/_3.11.x.yaml b/examples/jwe-decrypt/_3.11.x.yaml new file mode 100644 index 00000000..f413b0e5 --- /dev/null +++ b/examples/jwe-decrypt/_3.11.x.yaml @@ -0,0 +1,4 @@ +name: jwe-decrypt +config: + key_sets: + - dummyID diff --git a/examples/jwt-signer/_3.11.x.yaml b/examples/jwt-signer/_3.11.x.yaml new file mode 100644 index 00000000..71443348 --- /dev/null +++ b/examples/jwt-signer/_3.11.x.yaml @@ -0,0 +1,4 @@ +name: jwt-signer +config: + access_token_introspection_scopes_claim: + - scope diff --git a/examples/jwt/_3.11.x.yaml b/examples/jwt/_3.11.x.yaml new file mode 100644 index 00000000..60fd478d --- /dev/null +++ b/examples/jwt/_3.11.x.yaml @@ -0,0 +1,4 @@ +name: jwt +config: + uri_param_names: + - paramName_2.2.x diff --git a/examples/kafka-consume/_3.11.x.yaml b/examples/kafka-consume/_3.11.x.yaml new file mode 100644 index 00000000..72499f2d --- /dev/null +++ b/examples/kafka-consume/_3.11.x.yaml @@ -0,0 +1,11 @@ +name: kafka-consume +config: + bootstrap_servers: + - host: localhost + port: 9092 + topics: + - name: my-topic + mode: http-get + message_deserializer: json + auto_offset_reset: latest + commit_strategy: auto \ No newline at end of file diff --git a/examples/kafka-log/_3.11.x.yaml b/examples/kafka-log/_3.11.x.yaml new file mode 100644 index 00000000..efb1efa7 --- /dev/null +++ b/examples/kafka-log/_3.11.x.yaml @@ -0,0 +1,3 @@ +name: kafka-log +config: + topic: TOPIC 
diff --git a/examples/kafka-upstream/_3.11.x.yaml b/examples/kafka-upstream/_3.11.x.yaml new file mode 100644 index 00000000..64ff19e5 --- /dev/null +++ b/examples/kafka-upstream/_3.11.x.yaml @@ -0,0 +1,3 @@ +name: kafka-upstream +config: + topic: TOPIC diff --git a/examples/key-auth-enc/_3.11.x.yaml b/examples/key-auth-enc/_3.11.x.yaml new file mode 100644 index 00000000..9f1a6093 --- /dev/null +++ b/examples/key-auth-enc/_3.11.x.yaml @@ -0,0 +1,4 @@ +name: key-auth-enc +config: + key_names: + - apikey diff --git a/examples/key-auth/_3.11.x.yaml b/examples/key-auth/_3.11.x.yaml new file mode 100644 index 00000000..f8ef72c5 --- /dev/null +++ b/examples/key-auth/_3.11.x.yaml @@ -0,0 +1,4 @@ +name: key-auth +config: + key_names: + - apikey diff --git a/examples/konnect-application-auth/_3.11.x.yaml b/examples/konnect-application-auth/_3.11.x.yaml new file mode 100644 index 00000000..e54993e5 --- /dev/null +++ b/examples/konnect-application-auth/_3.11.x.yaml @@ -0,0 +1,3 @@ +name: konnect-application-auth +config: + scope: 'uuid' diff --git a/examples/ldap-auth-advanced/_3.11.x.yaml b/examples/ldap-auth-advanced/_3.11.x.yaml new file mode 100644 index 00000000..5396d6cf --- /dev/null +++ b/examples/ldap-auth-advanced/_3.11.x.yaml @@ -0,0 +1,10 @@ +name: ldap-auth-advanced +config: + ldap_host: ldap.example.com + ldap_port: 389 + start_tls: true + base_dn: dc=example,dc=com + verify_ldap_host: false + attribute: cn + cache_ttl: 60 + header_type: ldap diff --git a/examples/ldap-auth/_3.11.x.yaml b/examples/ldap-auth/_3.11.x.yaml new file mode 100644 index 00000000..fe95f595 --- /dev/null +++ b/examples/ldap-auth/_3.11.x.yaml @@ -0,0 +1,8 @@ +name: ldap-auth +config: + hide_credentials: true + ldap_host: ldap.example.com + ldap_port: 389 + base_dn: dc=example,dc=com + attribute: cn + header_type: ldap diff --git a/examples/loggly/_3.11.x.yaml b/examples/loggly/_3.11.x.yaml new file mode 100644 index 00000000..186454f8 --- /dev/null +++ b/examples/loggly/_3.11.x.yaml 
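Review bot: examples/ldap-auth/_3.11.x.yaml points at `ldap_port: 389` with neither `start_tls` nor `ldaps` set, so as written the bind sends user passwords to the directory in cleartext. The ldap-auth-advanced example in this patch at least enables `start_tls: true`. Suggest adding `start_tls: true` together with `verify_ldap_host: true`, or switching to `ldaps: true` with `ldap_port: 636`. `hide_credentials: true` only affects what is forwarded upstream and does not protect the LDAP leg.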
@@ -0,0 +1,3 @@ +name: loggly +config: + key: YOUR_LOGGLY_SERVICE_TOKEN diff --git a/examples/mocking/_3.11.x.yaml b/examples/mocking/_3.11.x.yaml new file mode 100644 index 00000000..549e1f46 --- /dev/null +++ b/examples/mocking/_3.11.x.yaml @@ -0,0 +1,14 @@ +name: mocking +config: + random_delay: true + max_delay_time: 1 + min_delay_time: 0.001 + random_examples: true + api_specification: | + openapi: 3.0.1 + info: + title: OpenAPI 3.0 API + description: This is a simple API + contact: + email: example@example.com + version: 1.0.0 diff --git a/examples/mtls-auth/_3.11.x.yaml b/examples/mtls-auth/_3.11.x.yaml new file mode 100644 index 00000000..4bcdb7fd --- /dev/null +++ b/examples/mtls-auth/_3.11.x.yaml @@ -0,0 +1,6 @@ +name: mtls-auth +config: + ca_certificates: + - fdac360e-7b19-4ade-a553-6dd22937c82f + http_proxy_host: example + http_proxy_port: 80 diff --git a/examples/oas-validation/_3.11.x.yaml b/examples/oas-validation/_3.11.x.yaml new file mode 100644 index 00000000..2eb7dc89 --- /dev/null +++ b/examples/oas-validation/_3.11.x.yaml 
@@ -0,0 +1,29 @@
+name: oas-validation
+config:
+ api_spec: |
+ openapi: 3.0.0
+ info:
+ version: "2.19.3"
+ title: Xero Finance API
+ description: The Finance API is a collection of endpoints which customers can use in the course of a loan application, which may assist lenders to gain the confidence they need to provide capital.
+ termsOfService: "https://developer.xero.com/xero-developer-platform-terms-conditions/"
+ contact:
+ name: "Xero Platform Team"
+ email: "api@xero.com"
+ url: "https://developer.xero.com"
+ license:
+ name: MIT
+ url: 'https://github.com/XeroAPI/Xero-OpenAPI/blob/master/LICENSE'
+ servers:
+ - description: Xero API servers
+ url: https://api.xero.com/finance.xro/1.0
+ paths:
+ /CashValidation:
+ get:
+ security:
+ - OAuth2: [finance.cashvalidation.read]
+ tags:
+ - Finance
+ summary: Get cash validation
+ operationId: getCashValidation
+ description: Summarizes the total cash position for each account for an org
diff --git a/examples/oauth2-introspection/_3.11.x.yaml b/examples/oauth2-introspection/_3.11.x.yaml
new file mode 100644
index 00000000..bdf723af
--- /dev/null
+++ b/examples/oauth2-introspection/_3.11.x.yaml
@@ -0,0 +1,5 @@
+name: oauth2-introspection
+config:
+ introspection_url: https://example-url.com
+ authorization_value: Basic MG9hNWlpbjpPcGVuU2VzYW1l
+ consumer_by: username
diff --git a/examples/oauth2/_3.11.x.yaml b/examples/oauth2/_3.11.x.yaml
new file mode 100644
index 00000000..d733d558
--- /dev/null
+++ b/examples/oauth2/_3.11.x.yaml
@@ -0,0 +1,9 @@
+name: oauth2
+config:
+ scopes:
+ - email
+ - phone
+ - address
+ mandatory_scope: true
+ provision_key:
+ enable_authorization_code: true
diff --git a/examples/opa/_3.11.x.yaml b/examples/opa/_3.11.x.yaml
new file mode 100644
index 00000000..51ff2b78
--- /dev/null
+++ b/examples/opa/_3.11.x.yaml
@@ -0,0 +1,5 @@
+name: opa
+config:
+ opa_host: localhost
+ opa_port: 8181
+ opa_path: /v1/data/example/kong/allowBoolean
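Review bot: `authorization_value: Basic MG9hNWlpbjpPcGVuU2VzYW1l` in `examples/oauth2-introspection/_3.11.x.yaml` is a Base64 string that decodes to a readable id:password pair rather than a marked placeholder, so it looks like a working credential and is likely to be pasted unchanged. `config.authorization_value` is listed in `data/referenceable_fields/3.11.x.json` later in this series, so the example could model a vault reference instead, for instance `authorization_value: '{vault://env/introspection-auth}'` (secret name constructed for illustration). `secret: opensesame` in `examples/session/_3.11.x.yaml` has the same weakness, and `config.secret` is also listed as referenceable.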
diff --git a/examples/openid-connect/_3.11.x.yaml b/examples/openid-connect/_3.11.x.yaml
new file mode 100644
index 00000000..69f30114
--- /dev/null
+++ b/examples/openid-connect/_3.11.x.yaml
@@ -0,0 +1,12 @@
+name: openid-connect
+config:
+ auth_methods:
+ - authorization_code
+ - session
+ issuer: http://example.org
+ client_id:
+ -
+ client_secret:
+ -
+ session_secret:
+ response_mode: form_post
diff --git a/examples/opentelemetry/_3.11.x.yaml b/examples/opentelemetry/_3.11.x.yaml
new file mode 100644
index 00000000..02aeaa66
--- /dev/null
+++ b/examples/opentelemetry/_3.11.x.yaml
@@ -0,0 +1,6 @@
+name: opentelemetry
+config:
+ traces_endpoint: http://opentelemetry.collector:4318/v1/traces
+ logs_endpoint: http://opentelemetry.collector:4318/v1/logs
+ headers:
+ X-Auth-Token: secret-token
diff --git a/examples/post-function/_3.11.x.yaml b/examples/post-function/_3.11.x.yaml
new file mode 100644
index 00000000..f980a541
--- /dev/null
+++ b/examples/post-function/_3.11.x.yaml
@@ -0,0 +1,6 @@
+name: post-function
+config:
+ access:
+ - |
+ kong.log.err("foo")
+ kong.response.exit(418)
diff --git a/examples/pre-function/_3.11.x.yaml b/examples/pre-function/_3.11.x.yaml
new file mode 100644
index 00000000..62ffe4dd
--- /dev/null
+++ b/examples/pre-function/_3.11.x.yaml
@@ -0,0 +1,6 @@
+name: pre-function
+config:
+ access:
+ - |
+ kong.log.err("foo")
+ kong.response.exit(418)
diff --git a/examples/prometheus/_3.11.x.yaml b/examples/prometheus/_3.11.x.yaml
new file mode 100644
index 00000000..6b7b3b62
--- /dev/null
+++ b/examples/prometheus/_3.11.x.yaml
@@ -0,0 +1,4 @@
+name: prometheus
+config:
+ per_consumer: false
+
diff --git a/examples/proxy-cache-advanced/_3.11.x.yaml b/examples/proxy-cache-advanced/_3.11.x.yaml
new file mode 100644
index 00000000..d070db76
--- /dev/null
+++ b/examples/proxy-cache-advanced/_3.11.x.yaml
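Review bot: `issuer: http://example.org` in `examples/openid-connect/_3.11.x.yaml` models a cleartext issuer, so the discovery metadata and keys the plugin would trust could be changed in transit; `issuer: https://example.org` is the safer value to publish. Other examples in this patch pair a secret with an `http://` endpoint in the same way: `opentelemetry` sends `X-Auth-Token` to `http://opentelemetry.collector:4318`, `saml` uses `idp_sso_url: http://example.org/sso-uri`, `upstream-oauth` posts a client secret to `token_endpoint: "http://test.test"`, and `zipkin` sets `include_credential: true` with an `http://` collector. Switching those URLs to `https://` costs nothing in an example and avoids teaching the insecure form.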
@@ -0,0 +1,11 @@ +name: proxy-cache-advanced +config: + response_code: + - 200 + request_method: + - GET + - HEAD + content_type: + - text/plain + - application/json + strategy: memory diff --git a/examples/proxy-cache/_3.11.x.yaml b/examples/proxy-cache/_3.11.x.yaml new file mode 100644 index 00000000..ce185e5e --- /dev/null +++ b/examples/proxy-cache/_3.11.x.yaml @@ -0,0 +1,12 @@ +name: proxy-cache +config: + response_code: + - 200 + request_method: + - GET + - HEAD + content_type: + - text/plain + - application/json + cache_ttl: 300 + strategy: memory diff --git a/examples/rate-limiting-advanced/_3.11.x.yaml b/examples/rate-limiting-advanced/_3.11.x.yaml new file mode 100644 index 00000000..7fee7c38 --- /dev/null +++ b/examples/rate-limiting-advanced/_3.11.x.yaml @@ -0,0 +1,11 @@ +name: rate-limiting-advanced +config: + limit: + - 5 + window_size: + - 30 + identifier: consumer + sync_rate: -1 + namespace: example_namespace + strategy: local + hide_client_headers: false diff --git a/examples/rate-limiting/_3.11.x.yaml b/examples/rate-limiting/_3.11.x.yaml new file mode 100644 index 00000000..f43f89fd --- /dev/null +++ b/examples/rate-limiting/_3.11.x.yaml @@ -0,0 +1,5 @@ +name: rate-limiting +config: + second: 5 + hour: 10000 + policy: local diff --git a/examples/redirect/_3.11.x.yaml b/examples/redirect/_3.11.x.yaml new file mode 100644 index 00000000..5c02d0ed --- /dev/null +++ b/examples/redirect/_3.11.x.yaml @@ -0,0 +1,3 @@ +name: redirect +config: + location: "https://example.com" \ No newline at end of file diff --git a/examples/request-callout/_3.11.x.yaml b/examples/request-callout/_3.11.x.yaml new file mode 100644 index 00000000..44c2aa93 --- /dev/null +++ b/examples/request-callout/_3.11.x.yaml @@ -0,0 +1 @@ +name: request-callout \ No newline at end of file diff --git a/examples/request-size-limiting/_3.11.x.yaml b/examples/request-size-limiting/_3.11.x.yaml new file mode 100644 index 00000000..983d6d9e --- /dev/null 
+++ b/examples/request-size-limiting/_3.11.x.yaml
@@ -0,0 +1,4 @@
+name: request-size-limiting
+config:
+ allowed_payload_size: 128
+ require_content_length: false
diff --git a/examples/request-termination/_3.11.x.yaml b/examples/request-termination/_3.11.x.yaml
new file mode 100644
index 00000000..7be67818
--- /dev/null
+++ b/examples/request-termination/_3.11.x.yaml
@@ -0,0 +1,4 @@
+name: request-termination
+config:
+ status_code: 403
+ message: So long and thanks for all the fish!
diff --git a/examples/request-transformer-advanced/_3.11.x.yaml b/examples/request-transformer-advanced/_3.11.x.yaml
new file mode 100644
index 00000000..999898e7
--- /dev/null
+++ b/examples/request-transformer-advanced/_3.11.x.yaml
@@ -0,0 +1,43 @@
+name: request-transformer-advanced
+config:
+ remove:
+ headers:
+ - x-toremove
+ - x-another-one
+ remove:
+ querystring:
+ - qs-old-name:qs-new-name
+ - qs2-old-name:qs2-new-name
+ remove:
+ body:
+ - formparam-toremove
+ - formparam-another-one
+ replace:
+ body:
+ - body-param1:new-value-1
+ - body-param2:new-value-2
+ rename:
+ headers:
+ - header-old-name:header-new-name
+ - another-old-name:another-new-name
+ rename:
+ querystring:
+ - qs-old-name:qs-new-name
+ - qs2-old-name:qs2-new-name
+ rename:
+ body:
+ - param-old:param-new
+ - param2-old:param2-new
+ add:
+ headers:
+ - x-new-header:value
+ - x-another-header:something
+ add:
+ querystring:
+ - new-param:some_value
+ - another-param:some_value
+ add:
+ json_types:
+ - string
+ - boolean
+ - number
diff --git a/examples/request-transformer/_3.11.x.yaml b/examples/request-transformer/_3.11.x.yaml
new file mode 100644
index 00000000..3e9148f5
--- /dev/null
+++ b/examples/request-transformer/_3.11.x.yaml
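Review bot: `examples/request-transformer-advanced/_3.11.x.yaml` repeats the keys `remove:`, `rename:` and `add:` three times each under `config`, which, as far as the flattened indentation shows, makes them duplicate mapping keys. YAML parsers either reject duplicates or keep only the last one, so most of the example would be silently dropped; for a plugin that strips headers, that means a copied config can leave `x-toremove` in place with no error. Each key should appear once with `headers`, `querystring` and `body` nested under it, as the `request-transformer` example in the next hunk does. The `remove.querystring` entries also look copied from `rename` (`qs-old-name:qs-new-name`); the values below are taken from the `request-transformer` example. `examples/response-transformer-advanced/_3.11.x.yaml` has the same duplicated `remove:` and `add:` keys.

```yaml
config:
  remove:
    headers:
    - x-toremove
    - x-another-one
    querystring:
    - qs-toremove
    - qs2-toremove
    body:
    - formparam-toremove
    - formparam-another-one
  # … unchanged: replace.body …
  # … rename: and add: merged the same way, one key each holding its existing sub-keys …
```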
@@ -0,0 +1,36 @@ +name: request-transformer +config: + remove: + headers: + - x-toremove + - x-another-one + querystring: + - qs-toremove + - qs2-toremove + body: + - formparam-toremove + - formparam-another-one + replace: + body: + - body-param1:new-value-1 + - body-param2:new-value-2 + rename: + headers: + - header-old-name:header-new-name + - another-old-name:another-new-name + querystring: + - qs-old-name:qs-new-name + - qs2-old-name:qs2-new-name + body: + - param-old:param-new + - param2-old:param2-new + add: + headers: + - x-new-header:value + - x-another-header:something + querystring: + - new-param:some_value + - another-param:some_value + body: + - new-form-param:some_value + - another-form-param:some_value diff --git a/examples/request-validator/_3.11.x.yaml b/examples/request-validator/_3.11.x.yaml new file mode 100644 index 00000000..89251acf --- /dev/null +++ b/examples/request-validator/_3.11.x.yaml @@ -0,0 +1,3 @@ +name: request-validator +config: + body_schema: '[{"name":{"type": "string", "required": true}}]' diff --git a/examples/response-ratelimiting/_3.11.x.yaml b/examples/response-ratelimiting/_3.11.x.yaml new file mode 100644 index 00000000..a3860b2a --- /dev/null +++ b/examples/response-ratelimiting/_3.11.x.yaml @@ -0,0 +1,8 @@ +name: response-ratelimiting +config: + limits: + limit_name: + limits: + limit_name: + minute: 10 + policy: local diff --git a/examples/response-transformer-advanced/_3.11.x.yaml b/examples/response-transformer-advanced/_3.11.x.yaml new file mode 100644 index 00000000..4942c5c5 --- /dev/null +++ b/examples/response-transformer-advanced/_3.11.x.yaml 
@@ -0,0 +1,31 @@ +name: response-transformer-advanced +config: + remove: + headers: + - x-toremove + - x-another-one:application/json + - x-list-of-values:v1,v2,v3 + - Set-Cookie:/JSESSIONID=.*/ + - x-another-regex://status/$/ + - x-one-more-regex:/^/begin// + remove: + json: + - json-key-toremove + - another-json-key + add: + headers: + - x-new-header:value + - x-another-header:something + add: + json: + - new-json-key:some_value + - another-json-key:some_value + add: + json_types: + - string + - boolean + - number + append: + headers: + - x-existing-header:some_value + - x-another-header:some_value diff --git a/examples/response-transformer/_3.11.x.yaml b/examples/response-transformer/_3.11.x.yaml new file mode 100644 index 00000000..aab7075a --- /dev/null +++ b/examples/response-transformer/_3.11.x.yaml @@ -0,0 +1,24 @@ +name: response-transformer +config: + remove: + headers: + - x-toremove + - x-another-one + json: + - json-key-toremove + - another-json-key + add: + headers: + - x-new-header:value + - x-another-header:something + json: + - new-json-key:some_value + - another-json-key:some_value + json_types: + - string + - boolean + - number + append: + headers: + - x-existing-header:some_value + - x-another-header:some_value diff --git a/examples/route-by-header/_3.11.x.yaml b/examples/route-by-header/_3.11.x.yaml new file mode 100644 index 00000000..e2854428 --- /dev/null +++ b/examples/route-by-header/_3.11.x.yaml @@ -0,0 +1,8 @@ +name: route-by-header +config: + rules: + - + upstream_name: bar.domain.com + condition: + location: us-east + diff --git a/examples/route-transformer-advanced/_3.11.x.yaml b/examples/route-transformer-advanced/_3.11.x.yaml new file mode 100644 index 00000000..098f0994 --- /dev/null +++ b/examples/route-transformer-advanced/_3.11.x.yaml @@ -0,0 +1,3 @@ +name: route-transformer-advanced +config: + path: /path diff --git a/examples/saml/_3.11.x.yaml b/examples/saml/_3.11.x.yaml new file mode 100644 index 00000000..18b41c3f 
--- /dev/null +++ b/examples/saml/_3.11.x.yaml @@ -0,0 +1,12 @@ +name: saml +config: + anonymous: anonymous + assertion_consumer_path: /acs-uri + idp_sso_url: http://example.org/sso-uri + validate_assertion_signature: true + session_secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + issuer: AzureAD_Identity_ID + idp_certificate: | + -----BEGIN CERTIFICATE----- + + -----END CERTIFICATE----- diff --git a/examples/service-protection/_3.11.x.yaml b/examples/service-protection/_3.11.x.yaml new file mode 100644 index 00000000..73702a32 --- /dev/null +++ b/examples/service-protection/_3.11.x.yaml @@ -0,0 +1,8 @@ +name: service-protection +config: + window_size: + - 30 + window_type: sliding + limit: + - 5 + namespace: example_namespace diff --git a/examples/session/_3.11.x.yaml b/examples/session/_3.11.x.yaml new file mode 100644 index 00000000..1c5100d2 --- /dev/null +++ b/examples/session/_3.11.x.yaml @@ -0,0 +1,3 @@ +name: session +config: + secret: opensesame diff --git a/examples/standard-webhooks/_3.11.x.yaml b/examples/standard-webhooks/_3.11.x.yaml new file mode 100644 index 00000000..e2e66d71 --- /dev/null +++ b/examples/standard-webhooks/_3.11.x.yaml @@ -0,0 +1,3 @@ +name: standard-webhooks +config: + secret_v1: example-secret diff --git a/examples/statsd-advanced/_3.11.x.yaml b/examples/statsd-advanced/_3.11.x.yaml new file mode 100644 index 00000000..cfd68de0 --- /dev/null +++ b/examples/statsd-advanced/_3.11.x.yaml @@ -0,0 +1,7 @@ +name: statsd-advanced +config: + host: 127.0.0.1 + port: 8125 + allow_status_codes: + - 200-205 + - 400-499 diff --git a/examples/statsd/_3.11.x.yaml b/examples/statsd/_3.11.x.yaml new file mode 100644 index 00000000..796222aa --- /dev/null +++ b/examples/statsd/_3.11.x.yaml @@ -0,0 +1,9 @@ +name: statsd +config: + host: 127.0.0.1 + port: 8125 + allow_status_codes: + - 200-205 + - 400-499 + flush_timeout: 2 + retry_count: 10 
diff --git a/examples/syslog/_3.11.x.yaml b/examples/syslog/_3.11.x.yaml new file mode 100644 index 00000000..9cc23ca1 --- /dev/null +++ b/examples/syslog/_3.11.x.yaml @@ -0,0 +1,3 @@ +name: syslog +config: + log_level: info diff --git a/examples/tcp-log/_3.11.x.yaml b/examples/tcp-log/_3.11.x.yaml new file mode 100644 index 00000000..4e155f5a --- /dev/null +++ b/examples/tcp-log/_3.11.x.yaml @@ -0,0 +1,4 @@ +name: tcp-log +config: + host: 127.0.0.1 + port: 9999 diff --git a/examples/tls-handshake-modifier/_3.11.x.yaml b/examples/tls-handshake-modifier/_3.11.x.yaml new file mode 100644 index 00000000..52561153 --- /dev/null +++ b/examples/tls-handshake-modifier/_3.11.x.yaml @@ -0,0 +1 @@ +name: tls-handshake-modifier diff --git a/examples/tls-metadata-headers/_3.11.x.yaml b/examples/tls-metadata-headers/_3.11.x.yaml new file mode 100644 index 00000000..98df21ec --- /dev/null +++ b/examples/tls-metadata-headers/_3.11.x.yaml @@ -0,0 +1,4 @@ +name: tls-metadata-headers +config: + inject_client_cert_details: true + client_cert_header_name: X-Forwarded-Client-Cert diff --git a/examples/udp-log/_3.11.x.yaml b/examples/udp-log/_3.11.x.yaml new file mode 100644 index 00000000..bfd35c0a --- /dev/null +++ b/examples/udp-log/_3.11.x.yaml @@ -0,0 +1,5 @@ +name: udp-log +config: + host: 127.0.0.1 + port: 9999 + timeout: 10000 diff --git a/examples/upstream-oauth/_3.11.x.yaml b/examples/upstream-oauth/_3.11.x.yaml new file mode 100644 index 00000000..2c80a4ac --- /dev/null +++ b/examples/upstream-oauth/_3.11.x.yaml @@ -0,0 +1,12 @@ +name: upstream-oauth +config: + oauth: + token_endpoint: "http://test.test" + grant_type: client_credentials + client_id: CLIENT_CREDENTIALS_GRANT_POST_AUTH_CLIENT_ID + client_secret: CLIENT_CREDENTIALS_GRANT_POST_AUTH_CLIENT_SECRET + scopes: + - "openid" + - "profile" + behavior: + upstream_access_token_header_name: X-Custom-Auth \ No newline at end of file 
diff --git a/examples/upstream-timeout/_3.11.x.yaml b/examples/upstream-timeout/_3.11.x.yaml new file mode 100644 index 00000000..962a6cdf --- /dev/null +++ b/examples/upstream-timeout/_3.11.x.yaml @@ -0,0 +1,5 @@ +name: upstream-timeout +config: + connect_timeout: 4000 + send_timeout: 5000 + read_timeout: 5000 diff --git a/examples/vault-auth/_3.11.x.yaml b/examples/vault-auth/_3.11.x.yaml new file mode 100644 index 00000000..8a2e5285 --- /dev/null +++ b/examples/vault-auth/_3.11.x.yaml @@ -0,0 +1,4 @@ +name: vault-auth +config: + vault: + id: 00000000-0000-0000-0000-000000000000 diff --git a/examples/websocket-size-limit/_3.11.x.yaml b/examples/websocket-size-limit/_3.11.x.yaml new file mode 100644 index 00000000..7274d312 --- /dev/null +++ b/examples/websocket-size-limit/_3.11.x.yaml @@ -0,0 +1,4 @@ +name: websocket-size-limit +config: + client_max_payload: 1024 + upstream_max_payload: 16384 diff --git a/examples/websocket-validator/_3.11.x.yaml b/examples/websocket-validator/_3.11.x.yaml new file mode 100644 index 00000000..12fe18ac --- /dev/null +++ b/examples/websocket-validator/_3.11.x.yaml @@ -0,0 +1,14 @@ +name: websocket-validator +config: + client: + text: + type: draft4 + schema: | + { + "type": "object", + "properties": { + "foo": { "type": "string" }, + "bar": { "type": "string" } + }, + "required": [ "foo", "bar" ] + } diff --git a/examples/xml-threat-protection/_3.11.x.yaml b/examples/xml-threat-protection/_3.11.x.yaml new file mode 100644 index 00000000..a25f15fc --- /dev/null +++ b/examples/xml-threat-protection/_3.11.x.yaml @@ -0,0 +1,6 @@ +name: xml-threat-protection +config: + max_depth: 50 + localname: 512 + prefix: 512 + namespaceuri: 1024 diff --git a/examples/zipkin/_3.11.x.yaml b/examples/zipkin/_3.11.x.yaml new file mode 100644 index 00000000..62ab05c8 --- /dev/null +++ b/examples/zipkin/_3.11.x.yaml 
@@ -0,0 +1,5 @@ +name: zipkin +config: + http_endpoint: http://your.zipkin.collector:9411/api/v2/spans + sample_ratio: 0.001 + include_credential: true From b6495df2fedc26fd014b2b7d9d9b3b2ded798ddd Mon Sep 17 00:00:00 2001 From: kong-docs <116832528+kong-docs@users.noreply.github.com> Date: Tue, 1 Apr 2025 01:37:42 +0200 Subject: [PATCH 146/165] Copy latest data files to 3.11.x (#114) Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- data/priorities/ee/3.11.x.json | 94 ++++++++ data/priorities/oss/3.11.x.json | 47 ++++ data/referenceable_fields/3.11.x.json | 316 ++++++++++++++++++++++++++ 3 files changed, 457 insertions(+) create mode 100644 data/priorities/ee/3.11.x.json create mode 100644 data/priorities/oss/3.11.x.json create mode 100644 data/referenceable_fields/3.11.x.json diff --git a/data/priorities/ee/3.11.x.json b/data/priorities/ee/3.11.x.json new file mode 100644 index 00000000..75c7cb74 --- /dev/null +++ b/data/priorities/ee/3.11.x.json 
@@ -0,0 +1,94 @@ +{ + "pre-function": 1000000, + "app-dynamics": 999999, + "correlation-id": 100001, + "zipkin": 100000, + "exit-transformer": 9999, + "bot-detection": 2500, + "cors": 2000, + "jwe-decrypt": 1999, + "session": 1900, + "acme": 1705, + "oauth2-introspection": 1700, + "mtls-auth": 1600, + "degraphql": 1500, + "jwt": 1450, + "oauth2": 1400, + "vault-auth": 1350, + "key-auth": 1250, + "key-auth-enc": 1250, + "ldap-auth": 1200, + "ldap-auth-advanced": 1200, + "basic-auth": 1100, + "openid-connect": 1050, + "hmac-auth": 1030, + "jwt-signer": 1020, + "saml": 1010, + "header-cert-auth": 1009, + "json-threat-protection": 1009, + "xml-threat-protection": 1008, + "injection-protection": 1007, + "websocket-validator": 1006, + "websocket-size-limit": 1003, + "request-validator": 999, + "grpc-gateway": 998, + "tls-handshake-modifier": 997, + "tls-metadata-headers": 996, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "opa": 920, + "service-protection": 915, + "rate-limiting": 910, + "rate-limiting-advanced": 910, + "ai-rate-limiting-advanced": 905, + "graphql-rate-limiting-advanced": 902, + "response-ratelimiting": 900, + "route-by-header": 850, + "oas-validation": 840, + "jq": 811, + "request-transformer-advanced": 802, + "request-transformer": 801, + "response-transformer": 800, + "response-transformer-advanced": 800, + "route-transformer-advanced": 780, + "redirect": 779, + "ai-request-transformer": 777, + "ai-semantic-prompt-guard": 775, + "ai-azure-content-safety": 774, + "ai-prompt-template": 773, + "ai-prompt-decorator": 772, + "ai-prompt-guard": 771, + "ai-proxy": 770, + "ai-proxy-advanced": 770, + "ai-response-transformer": 768, + "ai-semantic-cache": 765, + "standard-webhooks": 760, + "upstream-oauth": 760, + "confluent": 752, + "kafka-upstream": 751, + "aws-lambda": 750, + "azure-functions": 749, + "upstream-timeout": 400, + "proxy-cache": 100, + "proxy-cache-advanced": 100, + "graphql-proxy-cache-advanced": 99, + 
"forward-proxy": 50, + "canary": 20, + "opentelemetry": 14, + "prometheus": 13, + "http-log": 12, + "statsd": 11, + "statsd-advanced": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "kafka-log": 5, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "mocking": -1, + "post-function": -1000 +} \ No newline at end of file diff --git a/data/priorities/oss/3.11.x.json b/data/priorities/oss/3.11.x.json new file mode 100644 index 00000000..b5b4aa12 --- /dev/null +++ b/data/priorities/oss/3.11.x.json @@ -0,0 +1,47 @@ +{ + "pre-function": 1000000, + "correlation-id": 100001, + "zipkin": 100000, + "bot-detection": 2500, + "cors": 2000, + "session": 1900, + "acme": 1705, + "jwt": 1450, + "oauth2": 1400, + "key-auth": 1250, + "ldap-auth": 1200, + "basic-auth": 1100, + "hmac-auth": 1030, + "grpc-gateway": 998, + "ip-restriction": 990, + "request-size-limiting": 951, + "acl": 950, + "rate-limiting": 910, + "response-ratelimiting": 900, + "request-transformer": 801, + "response-transformer": 800, + "redirect": 779, + "ai-request-transformer": 777, + "ai-prompt-template": 773, + "ai-prompt-decorator": 772, + "ai-prompt-guard": 771, + "ai-proxy": 770, + "ai-response-transformer": 768, + "standard-webhooks": 760, + "aws-lambda": 750, + "azure-functions": 749, + "proxy-cache": 100, + "opentelemetry": 14, + "prometheus": 13, + "http-log": 12, + "statsd": 11, + "datadog": 10, + "file-log": 9, + "udp-log": 8, + "tcp-log": 7, + "loggly": 6, + "syslog": 4, + "grpc-web": 3, + "request-termination": 2, + "post-function": -1000 +} \ No newline at end of file diff --git a/data/referenceable_fields/3.11.x.json b/data/referenceable_fields/3.11.x.json new file mode 100644 index 00000000..d74a28ee --- /dev/null +++ b/data/referenceable_fields/3.11.x.json 
@@ -0,0 +1,316 @@ +{ + "acme": [ + "config.account_email", + "config.eab_kid", + "config.eab_hmac_key", + "config.storage_config.redis.username", + "config.storage_config.redis.password", + "config.storage_config.consul.token", + "config.storage_config.vault.token" + ], + "ai-azure-content-safety": [ + "config.content_safety_url", + "config.content_safety_key" + ], + "ai-proxy": [ + "config.auth.header_name", + "config.auth.header_value", + "config.auth.param_name", + "config.auth.param_value", + "config.auth.azure_client_id", + "config.auth.azure_client_secret", + "config.auth.azure_tenant_id", + "config.auth.gcp_service_account_json", + "config.auth.aws_access_key_id", + "config.auth.aws_secret_access_key" + ], + "ai-proxy-advanced": [ + "config.embeddings.auth.header_name", + "config.embeddings.auth.header_value", + "config.embeddings.auth.param_name", + "config.embeddings.auth.param_value", + "config.embeddings.auth.azure_client_id", + "config.embeddings.auth.azure_client_secret", + "config.embeddings.auth.azure_tenant_id", + "config.embeddings.auth.gcp_service_account_json", + "config.embeddings.auth.aws_access_key_id", + "config.embeddings.auth.aws_secret_access_key", + "config.vectordb.redis.username", + "config.vectordb.redis.password", + "config.vectordb.redis.sentinel_username", + "config.vectordb.redis.sentinel_password", + "config.targets.auth.header_name", + "config.targets.auth.header_value", + "config.targets.auth.param_name", + "config.targets.auth.param_value", + "config.targets.auth.azure_client_id", + "config.targets.auth.azure_client_secret", + "config.targets.auth.azure_tenant_id", + "config.targets.auth.gcp_service_account_json", + "config.targets.auth.aws_access_key_id", + "config.targets.auth.aws_secret_access_key" + ], + "ai-rate-limiting-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "ai-request-transformer": [ + "config.llm.auth.header_name", 
+ "config.llm.auth.header_value", + "config.llm.auth.param_name", + "config.llm.auth.param_value", + "config.llm.auth.azure_client_id", + "config.llm.auth.azure_client_secret", + "config.llm.auth.azure_tenant_id", + "config.llm.auth.gcp_service_account_json", + "config.llm.auth.aws_access_key_id", + "config.llm.auth.aws_secret_access_key" + ], + "ai-response-transformer": [ + "config.llm.auth.header_name", + "config.llm.auth.header_value", + "config.llm.auth.param_name", + "config.llm.auth.param_value", + "config.llm.auth.azure_client_id", + "config.llm.auth.azure_client_secret", + "config.llm.auth.azure_tenant_id", + "config.llm.auth.gcp_service_account_json", + "config.llm.auth.aws_access_key_id", + "config.llm.auth.aws_secret_access_key" + ], + "ai-semantic-cache": [ + "config.embeddings.auth.header_name", + "config.embeddings.auth.header_value", + "config.embeddings.auth.param_name", + "config.embeddings.auth.param_value", + "config.embeddings.auth.azure_client_id", + "config.embeddings.auth.azure_client_secret", + "config.embeddings.auth.azure_tenant_id", + "config.embeddings.auth.gcp_service_account_json", + "config.embeddings.auth.aws_access_key_id", + "config.embeddings.auth.aws_secret_access_key", + "config.vectordb.redis.username", + "config.vectordb.redis.password", + "config.vectordb.redis.sentinel_username", + "config.vectordb.redis.sentinel_password" + ], + "ai-semantic-prompt-guard": [ + "config.embeddings.auth.header_name", + "config.embeddings.auth.header_value", + "config.embeddings.auth.param_name", + "config.embeddings.auth.param_value", + "config.embeddings.auth.azure_client_id", + "config.embeddings.auth.azure_client_secret", + "config.embeddings.auth.azure_tenant_id", + "config.embeddings.auth.gcp_service_account_json", + "config.embeddings.auth.aws_access_key_id", + "config.embeddings.auth.aws_secret_access_key", + "config.vectordb.redis.username", + "config.vectordb.redis.password", + "config.vectordb.redis.sentinel_username", + 
"config.vectordb.redis.sentinel_password" + ], + "aws-lambda": [ + "config.aws_key", + "config.aws_secret", + "config.aws_assume_role_arn" + ], + "azure-functions": [ + "config.apikey", + "config.clientid" + ], + "confluent": [ + "config.cluster_api_key", + "config.cluster_api_secret", + "config.confluent_cloud_api_key", + "config.confluent_cloud_api_secret" + ], + "datadog": [ + "config.host" + ], + "datadog-tracing": [ + "config.endpoint" + ], + "forward-proxy": [ + "config.auth_username", + "config.auth_password" + ], + "graphql-proxy-cache-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "graphql-rate-limiting-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "http-log": [ + "config.http_endpoint", + "config.headers" + ], + "jwt-signer": [ + "config.access_token_keyset_client_username", + "config.access_token_keyset_client_password", + "config.access_token_jwks_uri_client_username", + "config.access_token_jwks_uri_client_password", + "config.channel_token_keyset_client_username", + "config.channel_token_keyset_client_password", + "config.channel_token_jwks_uri_client_username", + "config.channel_token_jwks_uri_client_password" + ], + "kafka-log": [ + "config.authentication.user", + "config.authentication.password" + ], + "kafka-upstream": [ + "config.authentication.user", + "config.authentication.password" + ], + "konnect-application-auth": [ + "config.v2_strategies.openid_connect.config.client_id", + "config.v2_strategies.openid_connect.config.client_secret", + "config.v2_strategies.openid_connect.config.client_jwk.k", + "config.v2_strategies.openid_connect.config.client_jwk.d", + "config.v2_strategies.openid_connect.config.client_jwk.p", + "config.v2_strategies.openid_connect.config.client_jwk.q", + "config.v2_strategies.openid_connect.config.client_jwk.dp", + 
"config.v2_strategies.openid_connect.config.client_jwk.dq", + "config.v2_strategies.openid_connect.config.client_jwk.qi", + "config.v2_strategies.openid_connect.config.client_jwk.oth", + "config.v2_strategies.openid_connect.config.client_jwk.r", + "config.v2_strategies.openid_connect.config.client_jwk.t", + "config.v2_strategies.openid_connect.config.login_redirect_uri", + "config.v2_strategies.openid_connect.config.logout_redirect_uri", + "config.v2_strategies.openid_connect.config.scopes", + "config.v2_strategies.openid_connect.config.introspection_headers_values", + "config.v2_strategies.openid_connect.config.session_secret", + "config.v2_strategies.openid_connect.config.redis.username", + "config.v2_strategies.openid_connect.config.redis.password", + "config.v2_strategies.openid_connect.config.redis.sentinel_username", + "config.v2_strategies.openid_connect.config.redis.sentinel_password", + "config.v2_strategies.openid_connect.config.http_proxy_authorization", + "config.v2_strategies.openid_connect.config.https_proxy_authorization", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.username", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.password", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.sentinel_username", + "config.v2_strategies.openid_connect.config.cluster_cache_redis.sentinel_password" + ], + "ldap-auth-advanced": [ + "config.ldap_password", + "config.bind_dn" + ], + "loggly": [ + "config.key" + ], + "oauth2-introspection": [ + "config.authorization_value" + ], + "openid-connect": [ + "config.client_id", + "config.client_secret", + "config.client_jwk.k", + "config.client_jwk.d", + "config.client_jwk.p", + "config.client_jwk.q", + "config.client_jwk.dp", + "config.client_jwk.dq", + "config.client_jwk.qi", + "config.client_jwk.oth", + "config.client_jwk.r", + "config.client_jwk.t", + "config.login_redirect_uri", + "config.logout_redirect_uri", + "config.scopes", + 
"config.introspection_headers_values", + "config.session_secret", + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password", + "config.http_proxy_authorization", + "config.https_proxy_authorization", + "config.cluster_cache_redis.username", + "config.cluster_cache_redis.password", + "config.cluster_cache_redis.sentinel_username", + "config.cluster_cache_redis.sentinel_password" + ], + "opentelemetry": [ + "config.traces_endpoint", + "config.logs_endpoint", + "config.headers" + ], + "proxy-cache-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "rate-limiting": [ + "config.redis.username", + "config.redis.password" + ], + "rate-limiting-advanced": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "request-transformer-advanced": [ + "config.rename.body", + "config.rename.headers", + "config.rename.querystring", + "config.replace.body", + "config.replace.headers", + "config.replace.querystring", + "config.add.body", + "config.add.headers", + "config.add.querystring", + "config.append.body", + "config.append.headers", + "config.append.querystring" + ], + "response-ratelimiting": [ + "config.redis.username", + "config.redis.password" + ], + "saml": [ + "config.idp_certificate", + "config.response_encryption_key", + "config.request_signing_key", + "config.request_signing_certificate", + "config.session_secret", + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "service-protection": [ + "config.redis.username", + "config.redis.password", + "config.redis.sentinel_username", + "config.redis.sentinel_password" + ], + "session": [ + "config.secret" + ], + "standard-webhooks": [ + "config.secret_v1" + ], + "upstream-oauth": [ + 
"config.oauth.token_headers", + "config.oauth.token_post_args", + "config.oauth.client_id", + "config.oauth.client_secret", + "config.oauth.username", + "config.oauth.password", + "config.cache.redis.username", + "config.cache.redis.password", + "config.cache.redis.sentinel_username", + "config.cache.redis.sentinel_password" + ] +} \ No newline at end of file From dd035ab7d61ce759929404ae1df88f196e768646 Mon Sep 17 00:00:00 2001 
From: kong-docs <116832528+kong-docs@users.noreply.github.com> Date: Tue, 1 Apr 2025 01:38:32 +0200 Subject: [PATCH 147/165] JSON Schemas for 3.11.x (#115) Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- json_schemas/acl/3.11.json | 98 + json_schemas/acme/3.11.json | 372 +++ .../ai-azure-content-safety/3.11.json | 151 ++ json_schemas/ai-prompt-decorator/3.11.json | 157 ++ json_schemas/ai-prompt-guard/3.11.json | 131 + json_schemas/ai-prompt-template/3.11.json | 126 + json_schemas/ai-proxy-advanced/3.11.json | 796 ++++++ json_schemas/ai-proxy/3.11.json | 367 +++ json_schemas/ai-rag-injector/3.11.json | 593 +++++ .../ai-rate-limiting-advanced/3.11.json | 404 +++ json_schemas/ai-request-transformer/3.11.json | 385 +++ .../ai-response-transformer/3.11.json | 403 +++ json_schemas/ai-sanitizer/3.11.json | 194 ++ json_schemas/ai-semantic-cache/3.11.json | 456 ++++ .../ai-semantic-prompt-guard/3.11.json | 476 ++++ json_schemas/app-dynamics/3.11.json | 77 + .../application-registration/3.11.json | 60 + json_schemas/aws-lambda/3.11.json | 221 ++ json_schemas/azure-functions/3.11.json | 129 + json_schemas/basic-auth/3.11.json | 81 + json_schemas/bot-detection/3.11.json | 91 + json_schemas/canary/3.11.json | 142 + json_schemas/confluent-consume/3.11.json | 185 ++ json_schemas/confluent/3.11.json | 207 ++ json_schemas/correlation-id/3.11.json | 96 + json_schemas/cors/3.11.json | 145 + json_schemas/datadog-tracing/3.11.json | 114 + json_schemas/datadog/3.11.json | 263 ++ json_schemas/degraphql/3.11.json | 68 + json_schemas/exit-transformer/3.11.json | 95 + json_schemas/file-log/3.11.json | 98 + json_schemas/forward-proxy/3.11.json | 135 + .../graphql-proxy-cache-advanced/3.11.json | 300 +++ .../graphql-rate-limiting-advanced/3.11.json | 343 +++ json_schemas/grpc-gateway/3.11.json | 87 + json_schemas/grpc-web/3.11.json | 96 + json_schemas/header-cert-auth/3.11.json | 181 ++ json_schemas/hmac-auth/3.11.json | 126 + 
json_schemas/http-log/3.11.json | 199 ++ json_schemas/injection-protection/3.11.json | 146 + json_schemas/ip-restriction/3.11.json | 128 + json_schemas/jq/3.11.json | 176 ++ json_schemas/json-threat-protection/3.11.json | 126 + json_schemas/jwe-decrypt/3.11.json | 88 + json_schemas/jwt-signer/3.11.json | 699 +++++ json_schemas/jwt/3.11.json | 146 + json_schemas/kafka-consume/3.11.json | 212 ++ json_schemas/kafka-log/3.11.json | 232 ++ json_schemas/kafka-upstream/3.11.json | 244 ++ json_schemas/key-auth-enc/3.11.json | 114 + json_schemas/key-auth/3.11.json | 114 + .../konnect-application-auth/3.11.json | 2345 ++++++++++++++++ json_schemas/ldap-auth-advanced/3.11.json | 193 ++ json_schemas/ldap-auth/3.11.json | 134 + json_schemas/loggly/3.11.json | 176 ++ json_schemas/mocking/3.11.json | 128 + json_schemas/mtls-auth/3.11.json | 169 ++ json_schemas/oas-validation/3.11.json | 149 ++ json_schemas/oauth2-introspection/3.11.json | 138 + json_schemas/oauth2/3.11.json | 165 ++ json_schemas/opa/3.11.json | 122 + json_schemas/openid-connect/3.11.json | 2348 +++++++++++++++++ json_schemas/opentelemetry/3.11.json | 292 ++ json_schemas/post-function/3.11.json | 190 ++ json_schemas/pre-function/3.11.json | 190 ++ json_schemas/prometheus/3.11.json | 113 + json_schemas/proxy-cache-advanced/3.11.json | 410 +++ json_schemas/proxy-cache/3.11.json | 229 ++ json_schemas/rate-limiting-advanced/3.11.json | 416 +++ json_schemas/rate-limiting/3.11.json | 263 ++ json_schemas/redirect/3.11.json | 105 + json_schemas/request-callout/3.11.json | 680 +++++ json_schemas/request-size-limiting/3.11.json | 96 + json_schemas/request-termination/3.11.json | 117 + .../request-transformer-advanced/3.11.json | 402 +++ json_schemas/request-transformer/3.11.json | 328 +++ json_schemas/request-validator/3.11.json | 164 ++ json_schemas/response-ratelimiting/3.11.json | 207 ++ .../response-transformer-advanced/3.11.json | 419 +++ json_schemas/response-transformer/3.11.json | 311 +++ 
json_schemas/route-by-header/3.11.json | 100 + .../route-transformer-advanced/3.11.json | 89 + json_schemas/saml/3.11.json | 609 +++++ json_schemas/service-protection/3.11.json | 314 +++ json_schemas/session/3.11.json | 258 ++ json_schemas/standard-webhooks/3.11.json | 86 + json_schemas/statsd-advanced/3.11.json | 298 +++ json_schemas/statsd/3.11.json | 316 +++ json_schemas/syslog/3.11.json | 171 ++ json_schemas/tcp-log/3.11.json | 117 + json_schemas/tls-handshake-modifier/3.11.json | 68 + json_schemas/tls-metadata-headers/3.11.json | 90 + json_schemas/udp-log/3.11.json | 103 + json_schemas/upstream-oauth/3.11.json | 509 ++++ json_schemas/upstream-timeout/3.11.json | 94 + json_schemas/vault-auth/3.11.json | 110 + json_schemas/websocket-size-limit/3.11.json | 82 + json_schemas/websocket-validator/3.11.json | 168 ++ json_schemas/xml-threat-protection/3.11.json | 228 ++ json_schemas/zipkin/3.11.json | 366 +++ 100 files changed, 26248 insertions(+) create mode 100644 json_schemas/acl/3.11.json create mode 100644 json_schemas/acme/3.11.json create mode 100644 json_schemas/ai-azure-content-safety/3.11.json create mode 100644 json_schemas/ai-prompt-decorator/3.11.json create mode 100644 json_schemas/ai-prompt-guard/3.11.json create mode 100644 json_schemas/ai-prompt-template/3.11.json create mode 100644 json_schemas/ai-proxy-advanced/3.11.json create mode 100644 json_schemas/ai-proxy/3.11.json create mode 100644 json_schemas/ai-rag-injector/3.11.json create mode 100644 json_schemas/ai-rate-limiting-advanced/3.11.json create mode 100644 json_schemas/ai-request-transformer/3.11.json create mode 100644 json_schemas/ai-response-transformer/3.11.json create mode 100644 json_schemas/ai-sanitizer/3.11.json create mode 100644 json_schemas/ai-semantic-cache/3.11.json create mode 100644 json_schemas/ai-semantic-prompt-guard/3.11.json create mode 100644 json_schemas/app-dynamics/3.11.json create mode 100644 json_schemas/application-registration/3.11.json create mode 100644 
json_schemas/aws-lambda/3.11.json create mode 100644 json_schemas/azure-functions/3.11.json create mode 100644 json_schemas/basic-auth/3.11.json create mode 100644 json_schemas/bot-detection/3.11.json create mode 100644 json_schemas/canary/3.11.json create mode 100644 json_schemas/confluent-consume/3.11.json create mode 100644 json_schemas/confluent/3.11.json create mode 100644 json_schemas/correlation-id/3.11.json create mode 100644 json_schemas/cors/3.11.json create mode 100644 json_schemas/datadog-tracing/3.11.json create mode 100644 json_schemas/datadog/3.11.json create mode 100644 json_schemas/degraphql/3.11.json create mode 100644 json_schemas/exit-transformer/3.11.json create mode 100644 json_schemas/file-log/3.11.json create mode 100644 json_schemas/forward-proxy/3.11.json create mode 100644 json_schemas/graphql-proxy-cache-advanced/3.11.json create mode 100644 json_schemas/graphql-rate-limiting-advanced/3.11.json create mode 100644 json_schemas/grpc-gateway/3.11.json create mode 100644 json_schemas/grpc-web/3.11.json create mode 100644 json_schemas/header-cert-auth/3.11.json create mode 100644 json_schemas/hmac-auth/3.11.json create mode 100644 json_schemas/http-log/3.11.json create mode 100644 json_schemas/injection-protection/3.11.json create mode 100644 json_schemas/ip-restriction/3.11.json create mode 100644 json_schemas/jq/3.11.json create mode 100644 json_schemas/json-threat-protection/3.11.json create mode 100644 json_schemas/jwe-decrypt/3.11.json create mode 100644 json_schemas/jwt-signer/3.11.json create mode 100644 json_schemas/jwt/3.11.json create mode 100644 json_schemas/kafka-consume/3.11.json create mode 100644 json_schemas/kafka-log/3.11.json create mode 100644 json_schemas/kafka-upstream/3.11.json create mode 100644 json_schemas/key-auth-enc/3.11.json create mode 100644 json_schemas/key-auth/3.11.json create mode 100644 json_schemas/konnect-application-auth/3.11.json create mode 100644 json_schemas/ldap-auth-advanced/3.11.json create mode 
100644 json_schemas/ldap-auth/3.11.json create mode 100644 json_schemas/loggly/3.11.json create mode 100644 json_schemas/mocking/3.11.json create mode 100644 json_schemas/mtls-auth/3.11.json create mode 100644 json_schemas/oas-validation/3.11.json create mode 100644 json_schemas/oauth2-introspection/3.11.json create mode 100644 json_schemas/oauth2/3.11.json create mode 100644 json_schemas/opa/3.11.json create mode 100644 json_schemas/openid-connect/3.11.json create mode 100644 json_schemas/opentelemetry/3.11.json create mode 100644 json_schemas/post-function/3.11.json create mode 100644 json_schemas/pre-function/3.11.json create mode 100644 json_schemas/prometheus/3.11.json create mode 100644 json_schemas/proxy-cache-advanced/3.11.json create mode 100644 json_schemas/proxy-cache/3.11.json create mode 100644 json_schemas/rate-limiting-advanced/3.11.json create mode 100644 json_schemas/rate-limiting/3.11.json create mode 100644 json_schemas/redirect/3.11.json create mode 100644 json_schemas/request-callout/3.11.json create mode 100644 json_schemas/request-size-limiting/3.11.json create mode 100644 json_schemas/request-termination/3.11.json create mode 100644 json_schemas/request-transformer-advanced/3.11.json create mode 100644 json_schemas/request-transformer/3.11.json create mode 100644 json_schemas/request-validator/3.11.json create mode 100644 json_schemas/response-ratelimiting/3.11.json create mode 100644 json_schemas/response-transformer-advanced/3.11.json create mode 100644 json_schemas/response-transformer/3.11.json create mode 100644 json_schemas/route-by-header/3.11.json create mode 100644 json_schemas/route-transformer-advanced/3.11.json create mode 100644 json_schemas/saml/3.11.json create mode 100644 json_schemas/service-protection/3.11.json create mode 100644 json_schemas/session/3.11.json create mode 100644 json_schemas/standard-webhooks/3.11.json create mode 100644 json_schemas/statsd-advanced/3.11.json create mode 100644 json_schemas/statsd/3.11.json 
create mode 100644 json_schemas/syslog/3.11.json create mode 100644 json_schemas/tcp-log/3.11.json create mode 100644 json_schemas/tls-handshake-modifier/3.11.json create mode 100644 json_schemas/tls-metadata-headers/3.11.json create mode 100644 json_schemas/udp-log/3.11.json create mode 100644 json_schemas/upstream-oauth/3.11.json create mode 100644 json_schemas/upstream-timeout/3.11.json create mode 100644 json_schemas/vault-auth/3.11.json create mode 100644 json_schemas/websocket-size-limit/3.11.json create mode 100644 json_schemas/websocket-validator/3.11.json create mode 100644 json_schemas/xml-threat-protection/3.11.json create mode 100644 json_schemas/zipkin/3.11.json diff --git a/json_schemas/acl/3.11.json b/json_schemas/acl/3.11.json new file mode 100644 index 00000000..c78c25f3 --- /dev/null +++ b/json_schemas/acl/3.11.json 
@@ -0,0 +1,98 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "always_use_authenticated_groups": { + "default": false, + "description": "If enabled (`true`), the authenticated groups will always be used even when an authenticated consumer already exists. If the authenticated groups don't exist, it will fallback to use the groups associated with the consumer. By default the authenticated groups will only be used when there is no consumer or the consumer is anonymous.", + "type": "boolean" + }, + "deny": { + "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "hide_groups_header": { + "default": false, + "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", + "type": "boolean" + }, + "include_consumer_groups": { + "default": false, + "description": "If enabled (`true`), allows the consumer-groups to be used in the `allow|deny` fields", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/acme/3.11.json b/json_schemas/acme/3.11.json new file mode 100644 index 00000000..519cb9e8 --- /dev/null +++ b/json_schemas/acme/3.11.json 
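Review bot: The descriptions of `config.allow` and `config.deny` both say that one of the two must be specified, but `config.required` is empty and nothing else in the schema expresses that rule, so a validator using this file accepts an ACL plugin configuration with neither list. If the file is meant for validation and not only for documentation, add a constraint on `config` such as `"anyOf": [{"required": ["allow"]}, {"required": ["deny"]}]` (or `oneOf`, if the two lists are mutually exclusive, which the description suggests but does not state). The file looks generated, so the change probably belongs in the exporter rather than in this copy.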
@@ -0,0 +1,372 @@ +{ + "properties": { + "config": { + "properties": { + "account_email": { + "description": "The account identifier. Can be reused in a different plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "pattern": "[a-zA-Z0-9]*[!-/:-@[-`{-~]*@+[a-zA-Z0-9]*%.?[a-zA-Z0-9]*", + "type": "string" + }, + "account_key": { + "description": "The private key associated with the account.", + "properties": { + "key_id": { + "description": "The Key ID.", + "type": "string" + }, + "key_set": { + "description": "The ID of the key set to associate the Key ID with.", + "type": "string" + } + }, + "required": [ + "key_id" + ], + "type": "object" + }, + "allow_any_domain": { + "default": false, + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", + "type": "boolean" + }, + "api_uri": { + "default": "https://acme-v02.api.letsencrypt.org/directory", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "cert_type": { + "default": "rsa", + "description": "The certificate type to create. The possible values are `rsa` for RSA certificate or `ecc` for EC certificate.", + "enum": [ + "ecc", + "rsa" + ], + "type": "string" + }, + "domains": { + "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", + "items": { + "match_all": { + "pattern": "^[^*]*%*?[^*]*$" + }, + "match_any": { + "patterns": [ + "%.%*$", + "^%*%.", + "^[^*]*$" + ] + }, + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "eab_hmac_key": { + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. 
You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "eab_kid": { + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "enable_ipv4_common_name": { + "default": true, + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", + "type": "boolean" + }, + "fail_backoff_minutes": { + "default": 5, + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", + "type": "number" + }, + "preferred_chain": { + "description": "A string value that specifies the preferred certificate chain to use when generating certificates.", + "type": "string" + }, + "renew_threshold_days": { + "default": 14, + "description": "Days remaining to renew the certificate before it expires.", + "type": "number" + }, + "rsa_key_size": { + "default": 4096, + "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", + "enum": [ + 2048, + 3072, + 4096 + ], + "type": "integer" + }, + "storage": { + "default": "shm", + "description": "The backend storage type to use. In DB-less mode and Konnect, `kong` storage is unavailable. In hybrid mode and Konnect, `shm` storage is unavailable. 
`shm` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `kong`, `redis`, `consul`, or `vault` in production.", + "enum": [ + "consul", + "kong", + "redis", + "shm", + "vault" + ], + "type": "string" + }, + "storage_config": { + "properties": { + "consul": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https": { + "default": false, + "description": "Boolean representation of https.", + "type": "boolean" + }, + "kv_path": { + "description": "KV prefix path.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "description": "Timeout in milliseconds.", + "type": "number" + }, + "token": { + "description": "Consul ACL token.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "kong": { + "additionalProperties": true, + "properties": { + }, + "required": [ + + ], + "type": "object" + }, + "redis": { + "properties": { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "extra_options": { + "description": "Custom ACME Redis options", + "properties": { + "namespace": { + "default": "", + "description": "A namespace to prepend to all keys stored in Redis.", + "minLength": 0, + "type": "string" + }, + "scan_count": { + "default": 10, + "description": "The number of keys to return in Redis SCAN calls.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "password": { + "description": "Password to use 
for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "minLength": 0, + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "auth": { + "minLength": 0, + "type": "string" + }, + "namespace": { + "minLength": 0, + "type": "string" + }, + "scan_count": { + "type": "integer" + }, + "ssl_server_name": { + "type": "string" + } + }, + "type": "object" + }, + "shm": { + "properties": { + "shm_name": { + "default": "kong", + "description": "Name of shared memory zone used for Kong API gateway storage", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "vault": { + "properties": { + "auth_method": { + "default": "token", + "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", + "enum": [ + "kubernetes", + "token" + ], + "type": "string" + }, + "auth_path": { + "description": "Vault's authentication path to use.", + "type": "string" + }, + "auth_role": { + "description": "The role to try and assign.", + "type": "string" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https": { + "default": false, + "description": "Boolean representation of https.", + "type": "boolean" + }, + "jwt_path": { + "description": "The path to the JWT.", + "type": "string" + }, + "kv_path": { + "description": "KV prefix path.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "description": "Timeout in milliseconds.", + "type": "number" + }, + "tls_server_name": { + "description": "SNI used in request, default to host if omitted.", + "type": "string" + }, + "tls_verify": { + "default": true, + "description": "Turn on TLS verification.", + "type": "boolean" + }, + "token": { + "description": "Consul ACL 
token.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "tos_accepted": { + "default": false, + "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-azure-content-safety/3.11.json b/json_schemas/ai-azure-content-safety/3.11.json new file mode 100644 index 00000000..cfcbebfa --- /dev/null +++ b/json_schemas/ai-azure-content-safety/3.11.json 
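Review bot: `config.account_email.pattern` is written in Lua pattern syntax (`%.?`), while the JSON Schema `pattern` keyword is an ECMA-262 regular expression in which `%` is a literal character; read that way, the expression requires a literal `%` after the `@` and a standard validator would reject ordinary addresses. The wildcard rules for `config.domains.items` sit under `match_all` and `match_any`, which are not JSON Schema keywords and are ignored, so the "at most one wildcard label" restriction is not enforced by this file. Either translate the pattern (`%.?` becomes `\\.?` in the JSON string) or leave it out of the exported schema. Separately, the description of `storage_config.vault.token` reads "Consul ACL token.", which looks copied from the `consul` block. `storage_config.redis.password` also lacks the referenceable note that `redis.username` carries; if the password can be a vault reference too, the description should say so.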
@@ -0,0 +1,151 @@ +{ + "properties": { + "config": { + "properties": { + "azure_api_version": { + "default": "2023-10-01", + "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format.", + "minLength": 1, + "type": "string" + }, + "azure_client_id": { + "description": "If `azure_use_managed_identity` is true, set the client ID if required.", + "type": "string" + }, + "azure_client_secret": { + "description": "If `azure_use_managed_identity` is true, set the client secret if required.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If `azure_use_managed_identity` is true, set the tenant ID if required.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity", + "type": "boolean" + }, + "blocklist_names": { + "description": "Use these configured blocklists (in Azure Content Services) when inspecting content.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "categories": { + "description": "Array of categories, and their thresholds, to measure on.", + "items": { + "properties": { + "name": { + "type": "string" + }, + "rejection_level": { + "type": "integer" + } + }, + "required": [ + "name", + "rejection_level" + ], + "type": "object" + }, + "type": "array" + }, + "content_safety_key": { + "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "content_safety_url": { + "description": "Full URL, inc protocol, of the Azure Content Safety instance.", + "type": "string" + }, + "halt_on_blocklist_hit": { + "default": true, + "description": "Tells Azure to reject the request if any blocklist 
filter is hit.", + "type": "boolean" + }, + "output_type": { + "default": "FourSeverityLevels", + "description": "See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter#content-filtering-categories", + "enum": [ + "EightSeverityLevels", + "FourSeverityLevels" + ], + "type": "string" + }, + "reveal_failure_reason": { + "default": true, + "description": "Set true to tell the caller why their request was rejected, if so.", + "type": "boolean" + }, + "text_source": { + "default": "concatenate_all_content", + "description": "Select where to pick the 'text' for the Azure Content Services request.", + "enum": [ + "concatenate_all_content", + "concatenate_user_content" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-prompt-decorator/3.11.json b/json_schemas/ai-prompt-decorator/3.11.json new file mode 100644 index 00000000..0559463c --- /dev/null 
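Review bot: The description of `config.content_safety_key` tells the operator to set the API key if `azure_use_managed_identity` is true, the same condition used for `azure_client_id`, `azure_client_secret` and `azure_tenant_id`. An API key is normally the alternative to identity-based authentication, so the condition is probably meant to be "is false", and as written the schema does not say which credential applies in which mode. `azure_client_secret` is also a credential, but unlike `content_safety_key` its description carries no referenceable note; if it can be supplied as a vault reference, say so, so the secret is not kept in plain configuration. `reveal_failure_reason` defaults to `true`, and its description could state that the rejection reason is returned to the caller by default.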
+++ b/json_schemas/ai-prompt-decorator/3.11.json 
@@ -0,0 +1,157 @@ +{ + "properties": { + "config": { + "properties": { + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, + "prompts": { + "properties": { + "append": { + "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages.", + "items": { + "properties": { + "content": { + "maxLength": 500, + "minLength": 1, + "type": "string" + }, + "role": { + "default": "system", + "enum": [ + "assistant", + "system", + "user" + ], + "type": "string" + } + }, + "required": [ + "content" + ], + "type": "object" + }, + "maxLength": 15, + "type": "array" + }, + "prepend": { + "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages.", + "items": { + "properties": { + "content": { + "maxLength": 500, + "minLength": 1, + "type": "string" + }, + "role": { + "default": "system", + "enum": [ + "assistant", + "system", + "user" + ], + "type": "string" + } + }, + "required": [ + "content" + ], + "type": "object" + }, + "maxLength": 15, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-prompt-guard/3.11.json b/json_schemas/ai-prompt-guard/3.11.json new file mode 100644 index 00000000..536e841e --- /dev/null +++ b/json_schemas/ai-prompt-guard/3.11.json 
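Review bot: `config.prompts.append` and `config.prompts.prepend` are declared `"type": "array"` but carry `"maxLength": 15`, and in JSON Schema `maxLength` constrains strings only, so a standard validator puts no cap on the number of injected messages. The array limit should be written as `"maxItems": 15`. The same applies to `allow_patterns` and `deny_patterns` in json_schemas/ai-prompt-guard/3.11.json, which carry `"maxLength": 10` on arrays. The files look generated, so the keyword mapping is best fixed in the exporter rather than by hand.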
@@ -0,0 +1,131 @@ +{ + "properties": { + "config": { + "properties": { + "allow_all_conversation_history": { + "default": false, + "description": "If true, will ignore all previous chat prompts from the conversation history.", + "type": "boolean" + }, + "allow_patterns": { + "description": "Array of valid regex patterns, or valid questions from the 'user' role in chat.", + "items": { + "maxLength": 500, + "minLength": 1, + "required": [ + + ], + "type": "string" + }, + "maxLength": 10, + "type": "array" + }, + "deny_patterns": { + "description": "Array of invalid regex patterns, or invalid questions from the 'user' role in chat.", + "items": { + "maxLength": 500, + "minLength": 1, + "required": [ + + ], + "type": "string" + }, + "maxLength": 10, + "type": "array" + }, + "match_all_roles": { + "default": false, + "description": "If true, will match all roles in addition to 'user' role in conversation history.", + "type": "boolean" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-prompt-template/3.11.json b/json_schemas/ai-prompt-template/3.11.json new file mode 100644 index 00000000..99f12ea0 --- /dev/null +++ b/json_schemas/ai-prompt-template/3.11.json 
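Review bot: The description of `config.allow_all_conversation_history` ("If true, will ignore all previous chat prompts from the conversation history.") does not say what the history is ignored for, and it reads as the opposite of the field name. If enabling the flag means that earlier messages are not checked against `allow_patterns` and `deny_patterns` (an inference; the hunk does not show the behaviour), the description should state that, because it is the security-relevant effect of the setting. Suggested wording: `If true, earlier prompts in the conversation history are not checked against the allow and deny patterns.`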
@@ -0,0 +1,126 @@ +{ + "properties": { + "config": { + "properties": { + "allow_untemplated_requests": { + "default": true, + "description": "Set true to allow requests that don't call or match any template.", + "type": "boolean" + }, + "log_original_request": { + "default": false, + "description": "Set true to add the original request to the Kong log plugin(s) output.", + "type": "boolean" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, + "templates": { + "description": "Array of templates available to the request context.", + "items": { + "properties": { + "name": { + "description": "Unique name for the template, can be called with `{template://NAME}`", + "type": "string" + }, + "template": { + "description": "Template string for this request, supports mustache-style `{{placeholders}}`", + "type": "string" + } + }, + "required": [ + "name", + "template" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-proxy-advanced/3.11.json b/json_schemas/ai-proxy-advanced/3.11.json new file mode 100644 index 00000000..2d8f9810 --- /dev/null +++ b/json_schemas/ai-proxy-advanced/3.11.json 
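Review bot: The `config` object has no `"additionalProperties": false`, unlike the `consumer`, `consumer_group`, `route` and `service` objects beside it, so a misspelled key validates cleanly against this schema. That matters for `allow_untemplated_requests`, which defaults to `true`: a typo in that key while trying to set it to `false` would leave untemplated requests allowed with no validation error. Consider closing `config` and the `templates` item object with `"additionalProperties": false` if unknown keys are not meant to be accepted; whether the gateway itself rejects them is not visible here. The `config` objects in the other schemas of this patch are open in the same way.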
@@ -0,0 +1,796 @@ +{ + "properties": { + "config": { + "properties": { + "balancer": { + "properties": { + "algorithm": { + "default": "round-robin", + "description": "Which load balancing algorithm to use.", + "enum": [ + "consistent-hashing", + "lowest-latency", + "lowest-usage", + "round-robin", + "semantic" + ], + "type": "string" + }, + "connect_timeout": { + "default": 60000, + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "hash_on_header": { + "default": "X-Kong-LLM-Request-ID", + "description": "The header to use for consistent-hashing.", + "type": "string" + }, + "latency_strategy": { + "default": "tpot", + "description": "What metrics to use for latency. Available values are: `tpot` (time-per-output-token) and `e2e`.", + "enum": [ + "e2e", + "tpot" + ], + "type": "string" + }, + "read_timeout": { + "default": 60000, + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "retries": { + "default": 5, + "description": "The number of retries to execute upon failure to proxy.", + "maximum": 32767, + "minimum": 0, + "type": "integer" + }, + "slots": { + "default": 10000, + "description": "The number of slots in the load balancer algorithm.", + "maximum": 65536, + "minimum": 10, + "type": "integer" + }, + "tokens_count_strategy": { + "default": "total-tokens", + "description": "What tokens to use for usage calculation. 
Available values are: `total_tokens` `prompt_tokens`, and `completion_tokens`.", + "enum": [ + "completion-tokens", + "prompt-tokens", + "total-tokens" + ], + "type": "string" + }, + "write_timeout": { + "default": 60000, + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "embeddings": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "upstream_url": { + "description": "upstream url for the embeddings", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "provider": { + "description": "AI provider format to use for embeddings API", + "enum": [ + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [ + "name", + "provider" + ], + "type": 
"object" + } + }, + "required": [ + "model" + ], + "type": "object" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, + "model_name_header": { + "default": true, + "description": "Display the model name selected in the X-Kong-LLM-Model response header", + "type": "boolean" + }, + "response_streaming": { + "default": "allow", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "enum": [ + "allow", + "always", + "deny" + ], + "type": "string" + }, + "targets": { + "items": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "description": { + "description": "The semantic description of the target, required if using semantic load balancing.", + "type": "string" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "type": "boolean" + 
} + }, + "required": [ + + ], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "bedrock": { + "properties": { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "minimum": 0, + "type": "number" + }, + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "enum": [ + 
"ollama", + "openai", + "raw" + ], + "type": "string" + }, + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "enum": [ + "ollama", + "openai" + ], + "type": "string" + }, + "output_cost": { + "description": "Defines the cost per 1M tokens in the output of the AI.", + "minimum": 0, + "type": "number" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, + "minimum": 0, + "type": "integer" + }, + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cohere", + "gemini", + "huggingface", + "llama2", + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [ + "provider" + ], + "type": "object" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. 
Set to `preserve` to pass through without transformation.", + "enum": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "type": "string" + }, + "weight": { + "default": 100, + "description": "The weight this target gets within the upstream loadbalancer (1-65535).", + "maximum": 65535, + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "logging", + "model", + "route_type" + ], + "type": "object" + }, + "type": "array" + }, + "vectordb": { + "properties": { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "type": "integer" + }, + "distance_metric": { + "description": "the distance metric to use for vector searches", + "enum": [ + "cosine", + "euclidean" + ], + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "description": "which vector database driver to use", + "enum": [ + "redis" + ], + "type": "string" + }, + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float)", + "type": "number" + } + }, + "required": [ + "dimensions", + "distance_metric", + "redis", + "strategy", + "threshold" + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-proxy/3.11.json b/json_schemas/ai-proxy/3.11.json new file mode 100644 index 00000000..c59dc832 --- /dev/null +++ b/json_schemas/ai-proxy/3.11.json 
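Review bot: Under `vectordb.redis`, both `ssl` and `ssl_verify` default to `false` while the same object carries `password`, `sentinel_password` and the usernames, so a configuration that only sets `host` would connect and authenticate without TLS, and one that sets only `ssl` to true encrypts without validating the server certificate. If the defaults have to mirror the plugin, the `ssl` description should say so, for example `"If set to true, uses SSL to connect to Redis. Also set ssl_verify to true so the server certificate is validated."`. Separately, the `tokens_count_strategy` description lists `total_tokens`, `prompt_tokens` and `completion_tokens` with underscores, but the `enum` accepts only the hyphenated forms, so a value copied from the description fails validation.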
@@ -0,0 +1,367 @@ +{ + "properties": { + "config": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with 
Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong 
log plugin(s) output.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "bedrock": { + "properties": { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "input_cost": { + "description": 
"Defines the cost per 1M tokens in your prompt.", + "minimum": 0, + "type": "number" + }, + "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "enum": [ + "ollama", + "openai", + "raw" + ], + "type": "string" + }, + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "enum": [ + "ollama", + "openai" + ], + "type": "string" + }, + "output_cost": { + "description": "Defines the cost per 1M tokens in the output of the AI.", + "minimum": 0, + "type": "number" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, + "minimum": 0, + "type": "integer" + }, + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cohere", + "gemini", + "huggingface", + "llama2", + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "model_name_header": { + "default": true, + "description": "Display the model name selected in the X-Kong-LLM-Model response header", + "type": "boolean" + }, + "response_streaming": { + "default": "allow", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "enum": [ + "allow", + "always", + "deny" + ], + "type": "string" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "enum": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. 
(Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-rag-injector/3.11.json b/json_schemas/ai-rag-injector/3.11.json new file mode 100644 index 00000000..d7b0168b --- /dev/null +++ b/json_schemas/ai-rag-injector/3.11.json 
@@ -0,0 +1,593 @@ +{ + "properties": { + "config": { + "properties": { + "embeddings": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + 
"gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "azure": { + "properties": { + "api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "instance": { + "description": "Instance name 
for Azure OpenAI hosted models.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "bedrock": { + "properties": { + "aws_assume_role_arn": { + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + }, + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + }, + "aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "upstream_url": { + "description": "upstream url for the embeddings", + "type": "string" + } + }, + "required": [ + "azure" + ], + "type": "object" + }, + "provider": { + "description": "AI provider format to use for embeddings API", + "enum": [ + "azure", + "bedrock", + "gemini", + "huggingface", + "mistral", + "openai" + ], + "type": "string" + } 
+ }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "fetch_chunks_count": { + "default": 5, + "description": "The maximum number of chunks to fetch from vectordb", + "type": "number" + }, + "inject_as_role": { + "default": "user", + "enum": [ + "assistant", + "system", + "user" + ], + "type": "string" + }, + "inject_template": { + "default": "\n", + "type": "string" + }, + "stop_on_failure": { + "default": false, + "description": "Halt the LLM request process in case of a vectordb or embeddings service failure", + "type": "boolean" + }, + "vectordb": { + "properties": { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "type": "integer" + }, + "distance_metric": { + "description": "the distance metric to use for vector searches", + "enum": [ + "cosine", + "euclidean" + ], + "type": "string" + }, + "pgvector": { + "properties": { + "database": { + "default": "kong-pgvector", + "description": "the database of the pgvector database", + "type": "string" + }, + "host": { + "default": "127.0.0.1", + "description": "the host of the pgvector database", + "type": "string" + }, + "password": { + "description": "the password of the pgvector database\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "port": { + "default": 5432, + "description": "the port of the pgvector database", + "type": "integer" + }, + "ssl": { + "default": false, + "description": "whether to use ssl for the pgvector database", + "type": "boolean" + }, + "ssl_cert": { + "description": "the path of ssl cert to use for the pgvector database", + "type": "string" + }, + "ssl_cert_key": { + "description": "the path of ssl cert key to use for the pgvector database", + "type": "string" + }, + "ssl_required": { + "default": false, + "description": "whether ssl is required for the pgvector database", + "type": "boolean" + }, + "ssl_verify": { + 
"default": false, + "description": "whether to verify ssl for the pgvector database", + "type": "boolean" + }, + "ssl_version": { + "default": "tlsv1_2", + "description": "the ssl version to use for the pgvector database", + "enum": [ + "any", + "tlsv1_2", + "tlsv1_3" + ], + "type": "string" + }, + "timeout": { + "default": 5000, + "description": "the timeout of the pgvector database", + "type": "number" + }, + "user": { + "default": "postgres", + "description": "the user of the pgvector database\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "description": "which vector database driver to use", + "enum": [ + "pgvector", + "redis" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "vectordb_namespace": { + "default": "kong_rag_injector", + "description": "The namespace of the vectordb to use for embeddings lookup", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-rate-limiting-advanced/3.11.json b/json_schemas/ai-rate-limiting-advanced/3.11.json new file mode 100644 index 00000000..e71d1c05 --- /dev/null +++ b/json_schemas/ai-rate-limiting-advanced/3.11.json 
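Review bot: In `config.embeddings.auth` the fields that hold credential values (`aws_access_key_id`, `aws_secret_access_key`, `azure_client_secret`, `gcp_service_account_json`, `header_value`, `param_value`) lack the "This field is referenceable" sentence, while `azure_client_id`, `azure_tenant_id`, `header_name` and `param_name` carry it. The `llm.auth` block of `json_schemas/ai-request-transformer/3.11.json`, later in this patch, does mark `aws_access_key_id`, `aws_secret_access_key` and `azure_client_secret` as referenceable, so the two schemas disagree about the same kind of field. If these fields accept vault references, their descriptions should end with `\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).`. If they do not, that is worth confirming against the plugin's source schema, because operators would then have to store these credentials as literal values in plugin configuration.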
@@ -0,0 +1,404 @@ +{ + "properties": { + "config": { + "properties": { + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "type": "string" + }, + "disable_penalty": { + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type and the request prompt provider.", + "type": "boolean" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "minimum": 0, + "type": "number" + }, + "error_hide_providers": { + "default": false, + "description": "Optionally hide informative response that would otherwise provide information about the provider in the error message.", + "type": "boolean" + }, + "error_message": { + "default": "AI token rate limit exceeded for provider(s): ", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" + }, + "identifier": { + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. 
Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "enum": [ + "consumer", + "consumer-group", + "credential", + "header", + "ip", + "path", + "service" + ], + "type": "string" + }, + "llm_providers": { + "description": "The provider config. Takes an array of `name`, `limit` and `window size` values.", + "items": { + "properties": { + "limit": { + "description": "The limit applies to the LLM provider within the defined window size. It used the query cost from the tokens to increment the counter.", + "type": "number" + }, + "name": { + "description": "The LLM provider to which the rate limit applies.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cohere", + "gemini", + "huggingface", + "llama2", + "mistral", + "openai", + "requestPrompt" + ], + "type": "string" + }, + "window_size": { + "description": "The window size to apply a limit (defined in seconds).", + "type": "number" + } + }, + "required": [ + "limit", + "name", + "window_size" + ], + "type": "object" + }, + "type": "array" + }, + "path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "request_prompt_count_function": { + "description": "If defined, it use custom function to count requests for the request prompt provider", + "type": "string" + }, + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + }, + "strategy": { + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. 
The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + }, + "tokens_count_strategy": { + "default": "total_tokens", + "description": "What tokens to use for cost calculation. Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` or `cost`.", + "enum": [ + "completion_tokens", + "cost", + "prompt_tokens", + "total_tokens" + ], + "type": "string" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-request-transformer/3.11.json b/json_schemas/ai-request-transformer/3.11.json new file mode 100644 index 00000000..a314d401 --- /dev/null +++ b/json_schemas/ai-request-transformer/3.11.json 
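Review bot: The numeric fields that define the limiter are unbounded in this schema: `llm_providers[].limit` and `llm_providers[].window_size` are plain `"type": "number"` with no `minimum`. `sync_rate` also has no lower bound, although its description states a minimum interval of 0.02 seconds, with `0` and `-1` as special values. A validator driven by this file would therefore accept a negative limit or window size; the gateway may reject such values when the plugin is configured, but that is not visible here. Consider adding `"minimum": 0` to `limit` and `window_size`, and expressing the `sync_rate` rule as a schema constraint, not only in the description.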
@@ -0,0 +1,385 @@ +{ + "properties": { + "config": { + "properties": { + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 60000, + "description": "Timeout in milliseconds for the AI upstream service.", + "type": "integer" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_verify": { + "default": true, + "description": "Verify the TLS certificate of the AI upstream service.", + "type": "boolean" + }, + "llm": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics 
into the Kong log plugin(s) output.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "bedrock": { + "properties": { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "minimum": 0, + "type": "number" + }, + "llama2_format": { + "description": "If using llama2 
provider, select the upstream message format.", + "enum": [ + "ollama", + "openai", + "raw" + ], + "type": "string" + }, + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "enum": [ + "ollama", + "openai" + ], + "type": "string" + }, + "output_cost": { + "description": "Defines the cost per 1M tokens in the output of the AI.", + "minimum": 0, + "type": "number" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, + "minimum": 0, + "type": "integer" + }, + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cohere", + "gemini", + "huggingface", + "llama2", + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. 
Set to `preserve` to pass through without transformation.", + "enum": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, + "prompt": { + "description": "Use this prompt to tune the LLM system/assistant message for the incoming proxy request (from the client), and what you are expecting in return.", + "type": "string" + }, + "transformation_extract_pattern": { + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the request phase. The first match will be set as the outgoing body. If the AI service's response doesn't match this pattern, it is marked as a failure.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-response-transformer/3.11.json b/json_schemas/ai-response-transformer/3.11.json new file mode 100644 index 00000000..aae73e51 --- /dev/null +++ b/json_schemas/ai-response-transformer/3.11.json 
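Review bot: The `config` object and its nested `llm`, `auth`, `logging`, `model` and `options` objects do not set `"additionalProperties": false`, while `consumer_group`, `route` and `service` in the same file do. A validator using this schema will therefore accept a misspelled key under `config` (constructed example: `https_verfy`) and the documented default stays in effect without any error, which matters most for `https_verify`, `log_payloads` and the `auth` fields. I would add `"additionalProperties": false` to each of those objects unless extra keys are intentionally allowed. The same gap appears in the ai-response-transformer and ai-sanitizer sections that follow; if these files are generated from the plugin definitions, the change belongs in the generator rather than in this file.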
@@ -0,0 +1,403 @@ +{ + "properties": { + "config": { + "properties": { + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 60000, + "description": "Timeout in milliseconds for the AI upstream service.", + "type": "integer" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_verify": { + "default": true, + "description": "Verify the TLS certificate of the AI upstream service.", + "type": "boolean" + }, + "llm": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "logging": { + "properties": { + "log_payloads": { + "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "type": "boolean" + }, + "log_statistics": { + "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics 
into the Kong log plugin(s) output.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "anthropic_version": { + "description": "Defines the schema/API version, if using Anthropic provider.", + "type": "string" + }, + "azure_api_version": { + "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", + "type": "string" + }, + "azure_deployment_id": { + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + }, + "azure_instance": { + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + }, + "bedrock": { + "properties": { + "aws_region": { + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "gemini": { + "properties": { + "api_endpoint": { + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + }, + "location_id": { + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + }, + "project_id": { + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "huggingface": { + "properties": { + "use_cache": { + "description": "Use the cache layer on the inference API", + "type": "boolean" + }, + "wait_for_model": { + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "input_cost": { + "description": "Defines the cost per 1M tokens in your prompt.", + "minimum": 0, + "type": "number" + }, + "llama2_format": { + "description": "If using llama2 
provider, select the upstream message format.", + "enum": [ + "ollama", + "openai", + "raw" + ], + "type": "string" + }, + "max_tokens": { + "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", + "type": "integer" + }, + "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "enum": [ + "ollama", + "openai" + ], + "type": "string" + }, + "output_cost": { + "description": "Defines the cost per 1M tokens in the output of the AI.", + "minimum": 0, + "type": "number" + }, + "temperature": { + "description": "Defines the matching temperature, if using chat or completion models.", + "maximum": 5, + "minimum": 0, + "type": "number" + }, + "top_k": { + "description": "Defines the top-k most likely tokens, if supported.", + "maximum": 500, + "minimum": 0, + "type": "integer" + }, + "top_p": { + "description": "Defines the top-p probability mass, if supported.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "upstream_path": { + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "type": "string" + }, + "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "enum": [ + "anthropic", + "azure", + "bedrock", + "cohere", + "gemini", + "huggingface", + "llama2", + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "route_type": { + "description": "The model's operation implementation, for this provider. 
Set to `preserve` to pass through without transformation.", + "enum": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + }, + "parse_llm_response_json_instructions": { + "default": false, + "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions.", + "type": "boolean" + }, + "prompt": { + "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting.", + "type": "string" + }, + "transformation_extract_pattern": { + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the response phase. The first match will be set as the returning body. If the AI service's response doesn't match this pattern, a failure is returned to the client.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. 
(Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-sanitizer/3.11.json b/json_schemas/ai-sanitizer/3.11.json new file mode 100644 index 00000000..2fe62504 --- /dev/null +++ b/json_schemas/ai-sanitizer/3.11.json 
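Review bot: The description of `parse_llm_response_json_instructions` does not say that, once the option is enabled, the status code, headers and body returned to the client are taken from model output, which is itself shaped by the upstream response being transformed. I would append a sentence such as `When enabled, the LLM's output determines the status code and headers returned to the client; treat that output as untrusted.` In the same `config`, the `prompt` description contains the typo `adn` (should be `and`), and the `max_request_body_size` description names no unit for its default of 8192 (presumably bytes, to be confirmed against the plugin).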
@@ -0,0 +1,194 @@ +{ + "properties": { + "config": { + "properties": { + "anonymize": { + "default": [ + "all_and_credentials" + ], + "description": "List of types to be anonymized", + "items": { + "enum": [ + "all", + "all_and_credentials", + "bank", + "credentials", + "creditcard", + "crypto", + "custom", + "date", + "domain", + "driverlicense", + "email", + "general", + "ip", + "medical", + "nationalid", + "nrp", + "passport", + "phone", + "ssn", + "url" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "custom_patterns": { + "description": "List of custom patterns to be used for anonymization", + "items": { + "properties": { + "name": { + "type": "string" + }, + "regex": { + "type": "string" + }, + "score": { + "default": 0.5, + "maximum": 1, + "minimum": 0, + "type": "number" + } + }, + "required": [ + "name", + "regex" + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "host": { + "default": "localhost", + "description": "The host of the sanitizer", + "type": "string" + }, + "keepalive_timeout": { + "default": 60000, + "description": "The keepalive timeout for the established http connnection", + "type": "number" + }, + "port": { + "default": 8080, + "description": "The port of the sanitizer", + "type": "number" + }, + "recover_redacted": { + "default": true, + "description": "Whether to recover redacted data", + "type": "boolean" + }, + "redact_type": { + "default": "placeholder", + "description": "What value to be used to redacted to", + "enum": [ + "placeholder", + "synthetic" + ], + "type": "string" + }, + "scheme": { + "default": "http", + "description": "The protocol can be http and https", + "type": "string" + }, + "stop_on_error": { + "default": true, + "description": "Stop processing if an error occurs", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Connection timeout with the sanitizer", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + 
"consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
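Review bot: `custom_patterns` is declared with `"type": "array"` but constrained by `"minLength": 1`, a keyword that applies only to strings, so an empty list still validates; the array keyword is `"minItems": 1`. In the same `config`, `scheme` defaults to `http` and has no `enum` although its description names only http and https, and `port` is an unbounded `number` where the other schemas in this diff use `"type": "integer"` with `"minimum": 0` and `"maximum": 65535`. Because this plugin hands request content to the sanitizer for anonymization, the plain-HTTP default deserves a line in the `scheme` description for any `host` other than the default `localhost`. Each `regex` under `custom_patterns` is also an unbounded string, and a `maxLength` would cap what a validator accepts.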
diff --git a/json_schemas/ai-semantic-cache/3.11.json b/json_schemas/ai-semantic-cache/3.11.json new file mode 100644 index 00000000..be340741 --- /dev/null +++ b/json_schemas/ai-semantic-cache/3.11.json 
@@ -0,0 +1,456 @@ +{ + "properties": { + "config": { + "properties": { + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "minimum": 0, + "type": "integer" + }, + "embeddings": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. 
If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "upstream_url": { + "description": "upstream url for the embeddings", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, 
+ "provider": { + "description": "AI provider format to use for embeddings API", + "enum": [ + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "exact_caching": { + "default": false, + "description": "When enabled, a first check for exact query will be done. It will impact DB size", + "type": "boolean" + }, + "ignore_assistant_prompts": { + "default": false, + "description": "Ignore and discard any assistant prompts when Vectorizing the request", + "type": "boolean" + }, + "ignore_system_prompts": { + "default": false, + "description": "Ignore and discard any system prompts when Vectorizing the request", + "type": "boolean" + }, + "ignore_tool_prompts": { + "default": false, + "description": "Ignore and discard any tool prompts when Vectorizing the request", + "type": "boolean" + }, + "message_countback": { + "default": 1, + "description": "Number of messages in the chat history to Vectorize/Cache", + "maximum": 1000, + "minimum": 1, + "type": "number" + }, + "stop_on_failure": { + "default": false, + "description": "Halt the LLM request process in case of a caching system failure", + "type": "boolean" + }, + "vectordb": { + "properties": { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "type": "integer" + }, + "distance_metric": { + "description": "the distance metric to use for vector searches", + "enum": [ + "cosine", + "euclidean" + ], + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "description": "which vector database driver to use", + "enum": [ + "redis" + ], + "type": "string" + }, + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float)", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ai-semantic-prompt-guard/3.11.json b/json_schemas/ai-semantic-prompt-guard/3.11.json new file mode 100644 index 00000000..6bab0187 --- /dev/null +++ b/json_schemas/ai-semantic-prompt-guard/3.11.json 
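Review bot: The `"minLength": 1` on the array-typed `cluster_nodes` and `sentinel_nodes` fields (and on the `cluster_addresses` / `sentinel_addresses` shorthand fields) constrains nothing, because in JSON Schema `minLength` applies only to strings. A validator will accept an empty array even though the descriptions say the minimum length is 1 element; the array keyword is `"minItems": 1`. The same applies in `json_schemas/ai-semantic-prompt-guard/3.11.json`, where `allow_prompts` and `deny_prompts` also carry `"maxLength": 100` on the array, so the apparent cap of 100 prompts is not enforced either and would need `"maxItems": 100`. If these files are generated from the gateway's own schema, the mapping should be corrected in the generator rather than by hand.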
@@ -0,0 +1,476 @@ +{ + "properties": { + "config": { + "properties": { + "embeddings": { + "properties": { + "auth": { + "properties": { + "allow_override": { + "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "type": "boolean" + }, + "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_client_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_tenant_id": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is 
[referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "azure_use_managed_identity": { + "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "type": "boolean" + }, + "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "gcp_use_service_account": { + "default": false, + "description": "Use service account auth for GCP-based providers and models.", + "type": "boolean" + }, + "header_name": { + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "enum": [ + "body", + "query" + ], + "type": "string" + }, + "param_name": { + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "param_value": { + "description": "Specify the full parameter value for 'param_name'.\nThis field is 
[referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "model": { + "properties": { + "name": { + "description": "Model name to execute.", + "type": "string" + }, + "options": { + "description": "Key/value settings for the model", + "properties": { + "upstream_url": { + "description": "upstream url for the embeddings", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "provider": { + "description": "AI provider format to use for embeddings API", + "enum": [ + "mistral", + "openai" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "rules": { + "properties": { + "allow_prompts": { + "description": "List of prompts to allow.", + "items": { + "maxLength": 500, + "minLength": 1, + "required": [ + + ], + "type": "string" + }, + "maxLength": 100, + "type": "array" + }, + "deny_prompts": { + "description": "List of prompts to deny.", + "items": { + "maxLength": 500, + "minLength": 1, + "required": [ + + ], + "type": "string" + }, + "maxLength": 100, + "type": "array" + }, + "match_all_conversation_history": { + "default": false, + "description": "If false, will ignore all previous chat prompts from the conversation history.", + "type": "boolean" + }, + "match_all_roles": { + "default": false, + "description": "If true, will match all roles in addition to 'user' role in conversation history.", + "type": "boolean" + }, + "max_request_body_size": { + "default": 8192, + "description": "max allowed body size allowed to be introspected", + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "search": { + "properties": { + "threshold": { + "default": 0.5, + "description": "Threshold for the similarity score to be considered a match.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "vectordb": 
{ + "properties": { + "dimensions": { + "description": "the desired dimensionality for the vectors", + "type": "integer" + }, + "distance_metric": { + "description": "the distance metric to use for vector searches", + "enum": [ + "cosine", + "euclidean" + ], + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. 
If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. 
Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "description": "which vector database driver to use", + "enum": [ + "redis" + ], + "type": "string" + }, + "threshold": { + "description": "the default similarity threshold for accepting semantic search results (float)", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/app-dynamics/3.11.json b/json_schemas/app-dynamics/3.11.json new file mode 100644 index 00000000..fa37327f --- /dev/null +++ b/json_schemas/app-dynamics/3.11.json 
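Review bot: The description of `rules.max_request_body_size` ("max allowed body size allowed to be introspected") does not say what happens to a request whose body exceeds the limit. For a guard plugin that is the detail an operator needs, and the schema does not show whether such a request is rejected or forwarded uninspected. The text also omits the unit (presumably bytes) and the meaning of `0`, which `"minimum": 0` permits. I would reword it along the lines of `"Maximum request body size, in <unit>, that the plugin will inspect. Requests with a larger body are <rejected | forwarded without inspection>."`, with the actual behaviour filled in from the plugin implementation.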
@@ -0,0 +1,77 @@ +{ + "properties": { + "config": { + "additionalProperties": true, + "properties": { + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/application-registration/3.11.json b/json_schemas/application-registration/3.11.json new file mode 100644 index 00000000..42680aeb --- /dev/null +++ b/json_schemas/application-registration/3.11.json 
@@ -0,0 +1,60 @@ +{ + "properties": { + "config": { + "properties": { + "auto_approve": { + "default": false, + "description": "If enabled, all new Service Contracts requests are automatically approved.", + "type": "boolean" + }, + "description": { + "description": "Unique description displayed in information about a Service in the Developer Portal.", + "type": "string" + }, + "display_name": { + "description": "Unique display name used for a Service in the Developer Portal.", + "type": "string" + }, + "enable_proxy_with_consumer_credential": { + "default": false, + "description": "If enabled, the Route of the Service can be accessed using the Consumer's credential", + "type": "boolean" + }, + "show_issuer": { + "default": false, + "description": "Displays the **Issuer URL** in the **Service Details** dialog.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/aws-lambda/3.11.json b/json_schemas/aws-lambda/3.11.json new file mode 100644 index 00000000..166740b4 --- /dev/null +++ b/json_schemas/aws-lambda/3.11.json 
@@ -0,0 +1,221 @@ +{ + "properties": { + "config": { + "properties": { + "aws_assume_role_arn": { + "description": "The target AWS IAM role ARN used to invoke the Lambda function.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "aws_imds_protocol_version": { + "default": "v1", + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", + "enum": [ + "v1", + "v2" + ], + "type": "string" + }, + "aws_key": { + "description": "The AWS key credential to be used when invoking the function.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "aws_region": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "aws_role_session_name": { + "default": "kong", + "description": "The identifier of the assumed role session.", + "type": "string" + }, + "aws_secret": { + "description": "The AWS secret credential to be used when invoking the function. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "aws_sts_endpoint_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "awsgateway_compatible": { + "default": false, + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", + "type": "boolean" + }, + "base64_encode_body": { + "default": true, + "description": "An optional value that Base64-encodes the request body.", + "type": "boolean" + }, + "disable_https": { + "default": false, + "type": "boolean" + }, + "empty_arrays_mode": { + "default": "legacy", + "description": "An optional value that defines whether Kong should send empty arrays (returned by Lambda function) as `[]` arrays or `{}` objects in JSON responses. 
The value `legacy` means Kong will send empty arrays as `{}` objects in response", + "enum": [ + "correct", + "legacy" + ], + "type": "string" + }, + "forward_request_body": { + "default": false, + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. ", + "type": "boolean" + }, + "forward_request_headers": { + "default": false, + "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", + "type": "boolean" + }, + "forward_request_method": { + "default": false, + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", + "type": "boolean" + }, + "forward_request_uri": { + "default": false, + "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", + "type": "boolean" + }, + "function_name": { + "description": "The AWS Lambda function to invoke. Both function name and function ARN (including partial) are supported.", + "type": "string" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "invocation_type": { + "default": "RequestResponse", + "description": "The InvocationType to use when invoking the function. 
Available types are RequestResponse, Event, DryRun.", + "enum": [ + "DryRun", + "Event", + "RequestResponse" + ], + "type": "string" + }, + "is_proxy_integration": { + "default": false, + "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "number" + }, + "log_type": { + "default": "Tail", + "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", + "enum": [ + "None", + "Tail" + ], + "type": "string" + }, + "port": { + "default": 443, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "proxy_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "qualifier": { + "description": "The qualifier to use when invoking the function.", + "type": "string" + }, + "skip_large_bodies": { + "default": true, + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", + "type": "boolean" + }, + "timeout": { + "default": 60000, + "description": "An optional timeout in milliseconds when invoking the function.", + "type": "number" + }, + "unhandled_status": { + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", + "maximum": 999, + "minimum": 100, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/azure-functions/3.11.json b/json_schemas/azure-functions/3.11.json new file mode 100644 index 00000000..4a188c42 --- /dev/null +++ b/json_schemas/azure-functions/3.11.json 
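Review bot: `disable_https` is the only boolean under `config` with no `description`, and judging by its name it decides whether the signed Lambda invocation leaves the gateway over TLS at all. I would document it, for example `"description": "When true, the plugin connects to the Lambda endpoint over plain HTTP instead of HTTPS."` (wording to be confirmed against the plugin). The `aws_imds_protocol_version` description could also say why one would choose `v2` over the `v1` default: it is the session-token variant of the instance metadata service and the stricter choice for protecting instance credentials. The `is_proxy_integration` description ("whether the response format to receive from the Lambda to this format") is not a complete sentence and should be reworded. If these files are regenerated from the API, the text has to be fixed in the plugin schema rather than here.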
@@ -0,0 +1,129 @@ +{ + "properties": { + "config": { + "properties": { + "apikey": { + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "appname": { + "description": "The Azure app name.", + "type": "string" + }, + "clientid": { + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "functionname": { + "description": "Name of the Azure function to invoke.", + "type": "string" + }, + "hostdomain": { + "default": "azurewebsites.net", + "description": "The domain where the function resides.", + "type": "string" + }, + "https": { + "default": true, + "description": "Use of HTTPS to connect with the Azure Functions server.", + "type": "boolean" + }, + "https_verify": { + "default": false, + "description": "Set to `true` to authenticate the Azure Functions server.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", + "type": "number" + }, + "routeprefix": { + "default": "api", + "description": "Route prefix to use.", + "type": "string" + }, + "timeout": { + "default": 600000, + "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/basic-auth/3.11.json b/json_schemas/basic-auth/3.11.json new file mode 100644 index 00000000..da803a97 --- /dev/null +++ b/json_schemas/basic-auth/3.11.json 
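Review bot: `https_verify` defaults to `false` while `https` defaults to `true`, so with the defaults the plugin presumably opens a TLS connection without checking the server certificate, and `apikey` and `clientid` are injected as request headers on that connection. The description only says what `true` does; it should state the consequence of the default, for example `"description": "Set to true to verify the Azure Functions server certificate. When false (the default), the server is not authenticated."`. Changing the default itself is a behaviour change that belongs in the plugin schema upstream, but the documentation gap can be closed on its own.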
@@ -0,0 +1,81 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", + "type": "boolean" + }, + "realm": { + "default": "service", + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/bot-detection/3.11.json b/json_schemas/bot-detection/3.11.json new file mode 100644 index 00000000..2233a89d --- /dev/null +++ b/json_schemas/bot-detection/3.11.json 
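Review bot: With `hide_credentials` defaulting to `false`, the client's `Authorization` header (the Basic username and password, only base64-encoded) is passed on to the upstream service, and the description leaves the reader to work that out from the `true` case. I would state the default explicitly by appending `When false (the default), the Authorization header is forwarded to the upstream unchanged.` The `anonymous` description deserves one more clause as well: when it is set, a request with missing or wrong credentials is not rejected but proxied as that Consumer, so the fallback Consumer needs its own restrictions.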
@@ -0,0 +1,91 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "default": [ + + ], + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", + "items": { + "is_regex": true, + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "deny": { + "default": [ + + ], + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", + "items": { + "is_regex": true, + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/canary/3.11.json b/json_schemas/canary/3.11.json new file mode 100644 index 00000000..39072c60 --- /dev/null +++ b/json_schemas/canary/3.11.json 
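Review bot: `is_regex` on the `allow` and `deny` items is not a JSON Schema keyword, so a validator working from this file treats every entry as an arbitrary string, and a pattern that does not compile would presumably only be caught by the gateway itself. The descriptions should say which regex dialect is expected and whether the match is anchored or a substring search, since that determines what an entry like `bot` actually matches. Because the patterns run against the client-supplied `User-Agent` header on every request, it is also worth a sentence advising short, anchored patterns without nested quantifiers.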
@@ -0,0 +1,142 @@ +{ + "properties": { + "config": { + "properties": { + "canary_by_header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "duration": { + "default": 3600, + "description": "The duration of the canary release in seconds.", + "minimum": 0, + "type": "number" + }, + "groups": { + "description": "The groups allowed to access the canary release.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "hash": { + "default": "consumer", + "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", + "enum": [ + "allow", + "consumer", + "deny", + "header", + "ip", + "none" + ], + "type": "string" + }, + "hash_header": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "percentage": { + "description": "The percentage of traffic to be routed to the canary release.", + "maximum": 100, + "minimum": 0, + "type": "number" + }, + "start": { + "description": "Future time in seconds since epoch, when the canary release will start. 
Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`.", + "type": "number" + }, + "steps": { + "default": 1000, + "description": "The number of steps for the canary release.", + "minimum": 1, + "type": "number" + }, + "upstream_fallback": { + "default": false, + "description": "Specifies whether to fallback to the upstream server if the canary release fails.", + "type": "boolean" + }, + "upstream_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "upstream_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "upstream_uri": { + "description": "The URI of the upstream server to be used for the canary release.", + "minLength": 1, + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "hash": { + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead.", + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/confluent-consume/3.11.json b/json_schemas/confluent-consume/3.11.json new file mode 100644 index 00000000..70519aff --- /dev/null +++ b/json_schemas/confluent-consume/3.11.json 
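Review bot: The `groups` description says "The groups allowed to access the canary release", but per the `hash` description in the same hunk the list is the set of denied groups when `hash` is `deny`, so the text is wrong for one of the two modes that use it. Something like `"description": "The groups that are allowed (hash = allow) or denied (hash = deny) access to the canary release."` would match the `hash` semantics. The `shorthand_fields.hash` description also runs two sentences together ("Use `allow` instead `blacklist` is deprecated."); a full stop is missing after "instead".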
@@ -0,0 +1,185 @@ +{ + "properties": { + "config": { + "properties": { + "auto_offset_reset": { + "default": "latest", + "description": "The offset to start from when there is no initial offset in the consumer group.", + "enum": [ + "earliest", + "latest" + ], + "type": "string" + }, + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_api_key": { + "description": "Username/Apikey for SASL authentication.", + "type": "string" + }, + "cluster_api_secret": { + "description": "Password/ApiSecret for SASL authentication.", + "type": "string" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "commit_strategy": { + "default": "auto", + "description": "The strategy to use for committing offsets.", + "enum": [ + "auto", + "off" + ], + "type": "string" + }, + "confluent_cloud_api_key": { + "description": "Apikey for authentication with Confluent Cloud. 
This allows for management tasks such as creating topics, ACLs, etc.", + "type": "string" + }, + "confluent_cloud_api_secret": { + "description": "The corresponding secret for the Confluent Cloud API key.", + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "Keepalive timeout in milliseconds.", + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "message_deserializer": { + "default": "noop", + "description": "The deserializer to use for the consumed messages.", + "enum": [ + "json", + "noop" + ], + "type": "string" + }, + "mode": { + "default": "http-get", + "description": "The mode of operation for the plugin.", + "enum": [ + "http-get", + "server-sent-events" + ], + "type": "string" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topics": { + "description": "The Kafka topics and their configuration you want to consume from.", + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/confluent/3.11.json b/json_schemas/confluent/3.11.json new file mode 100644 index 00000000..2eda69cb --- /dev/null +++ b/json_schemas/confluent/3.11.json 
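Review bot: `topics` is declared as `"type": "array"` but constrained with `"minLength": 1`; in JSON Schema `minLength` applies only to strings and is ignored for arrays, so an empty `topics` list passes validation against this file. The keyword that expresses "at least one topic" is `"minItems": 1`. `topics` is also absent from the empty `config.required` list, so omitting it entirely passes too; whether the plugin rejects that at load time is not visible from the hunk. `keepalive_enabled` has no `description`.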
@@ -0,0 +1,207 @@ +{ + "properties": { + "config": { + "properties": { + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_api_key": { + "description": "Username/Apikey for SASL authentication.", + "type": "string" + }, + "cluster_api_secret": { + "description": "Password/ApiSecret for SASL authentication.", + "type": "string" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "confluent_cloud_api_key": { + "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", + "type": "string" + }, + "confluent_cloud_api_secret": { + "description": "The corresponding secret for the Confluent Cloud API key.", + "type": "string" + }, + "forward_body": { + "default": true, + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_headers": { + "default": false, + "description": "Include the request headers in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_method": { + "default": false, + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_uri": { + "default": false, + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "Keepalive timeout in milliseconds.", + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + }, + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + }, + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + }, + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "enum": [ + -1, + 0, + 1 + ], + "type": "integer" + }, + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + }, + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single producer request.", + "type": "integer" + }, + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + }, + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + }, + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topic": { + "description": "The Kafka topic to publish to.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/correlation-id/3.11.json b/json_schemas/correlation-id/3.11.json new file mode 100644 index 00000000..776a2f3e --- /dev/null +++ b/json_schemas/correlation-id/3.11.json 
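Review bot: `cluster_api_secret` and `confluent_cloud_api_secret`, here and in the confluent-consume hunk before it, are described as plain strings, without the sentence that the aws-lambda and azure-functions schemas in this patch attach to their credential fields ("This field is [referenceable](...)"). If these fields accept Vault references in the plugin schema, which the hunk does not show, the description should say so, so that users do not conclude the secret has to be written into the plugin configuration in clear text. If they do not accept references, that limitation is worth stating instead. `keepalive_enabled` is missing a `description` in this hunk as well.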
@@ -0,0 +1,96 @@ +{ + "properties": { + "config": { + "properties": { + "echo_downstream": { + "default": false, + "description": "Whether to echo the header back to downstream (the client).", + "type": "boolean" + }, + "generator": { + "default": "uuid#counter", + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", + "enum": [ + "tracker", + "uuid", + "uuid#counter" + ], + "type": "string" + }, + "header_name": { + "default": "Kong-Request-ID", + "description": "The HTTP header name to use for the correlation ID.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/cors/3.11.json b/json_schemas/cors/3.11.json new file mode 100644 index 00000000..b0254d05 --- /dev/null +++ b/json_schemas/cors/3.11.json 
@@ -0,0 +1,145 @@ +{ + "properties": { + "config": { + "properties": { + "credentials": { + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", + "type": "boolean" + }, + "exposed_headers": { + "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "description": "Value for the `Access-Control-Allow-Headers` header.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "max_age": { + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`.", + "type": "number" + }, + "methods": { + "default": [ + "CONNECT", + "DELETE", + "GET", + "HEAD", + "OPTIONS", + "PATCH", + "POST", + "PUT", + "TRACE" + ], + "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", + "items": { + "enum": [ + "CONNECT", + "DELETE", + "GET", + "HEAD", + "OPTIONS", + "PATCH", + "POST", + "PUT", + "TRACE" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "origins": { + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. 
The accepted values can either be flat strings or PCRE regexes.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "preflight_continue": { + "default": false, + "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", + "type": "boolean" + }, + "private_network": { + "default": false, + "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "minLength": 1, + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/datadog-tracing/3.11.json b/json_schemas/datadog-tracing/3.11.json new file mode 100644 index 00000000..b5723945 --- /dev/null +++ b/json_schemas/datadog-tracing/3.11.json 
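Review bot: The `config.origins` description documents `*` and PCRE regexes but gives no guidance on anchoring, and nothing in this schema relates `origins` to `credentials`. An unanchored or unescaped pattern can match more hostnames than intended, which matters most when `credentials` is `true`. I would append to the `origins` description something like `Anchor regexes with ^ and $ and escape literal dots; review any wildcard or regex origin before enabling credentials.` The `methods` description is also wrapped in stray single quotes (`"'Value for the ... are allowed.'"`), which look like a quoting artifact and should be dropped.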
@@ -0,0 +1,114 @@ +{ + "properties": { + "config": { + "properties": { + "batch_flush_delay": { + "default": 3, + "type": "integer" + }, + "batch_span_count": { + "default": 200, + "type": "integer" + }, + "connect_timeout": { + "default": 1000, + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "endpoint": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "environment": { + "default": "none", + "type": "string" + }, + "read_timeout": { + "default": 5000, + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 5000, + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "service_name": { + "default": "kong", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/datadog/3.11.json b/json_schemas/datadog/3.11.json new file mode 100644 index 00000000..12d04755 --- /dev/null +++ b/json_schemas/datadog/3.11.json 
@@ -0,0 +1,263 @@ +{ + "properties": { + "config": { + "properties": { + "consumer_tag": { + "default": "consumer", + "description": "String to be attached as tag of the consumer.", + "type": "string" + }, + "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" + }, + "host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "metrics": { + "default": [ + { + "consumer_identifier": "custom_id", + "name": "kong_latency", + "sample_rate": 1, + "stat_type": "timer", + "tags": [ + "app:kong" + ] + } + ], + "description": "List of metrics to be logged.", + "items": { + "properties": { + "consumer_identifier": { + "description": "Authenticated user detail", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "description": "Datadog metric’s name", + "enum": [ + "kong_latency", + "latency", + "request_count", + "request_size", + "response_size", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "description": "Sampling rate", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "stat_type": { + "description": "Determines what sort of event the metric represents", + "enum": [ + "counter", + "distribution", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + }, + "tags": { + "description": "List of tags", + "items": { + "pattern": "^.*[^:]$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "name", + "stat_type" + ], + "type": "object" + }, + "type": "array" + }, + "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + 
"type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to be attached as a prefix to a metric's name.", + "type": "string" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "queue_size": { + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" + }, + "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" + 
}, + "service_name_tag": { + "default": "name", + "description": "String to be attached as the name of the service.", + "type": "string" + }, + "status_tag": { + "default": "status", + "description": "String to be attached as the tag of the HTTP status.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
diff --git a/json_schemas/degraphql/3.11.json b/json_schemas/degraphql/3.11.json new file mode 100644 index 00000000..4d44acc6 --- /dev/null +++ b/json_schemas/degraphql/3.11.json @@ -0,0 +1,68 @@ +{ + "properties": { + "config": { + "properties": { + "graphql_server_path": { + "default": "/graphql", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/exit-transformer/3.11.json b/json_schemas/exit-transformer/3.11.json new file mode 100644 index 00000000..f65b3b1f --- /dev/null +++ b/json_schemas/exit-transformer/3.11.json 
@@ -0,0 +1,95 @@ +{ + "properties": { + "config": { + "properties": { + "functions": { + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "handle_unexpected": { + "default": false, + "description": "Determines whether to handle unexpected errors by transforming their responses.", + "type": "boolean" + }, + "handle_unknown": { + "default": false, + "description": "Determines whether to handle unknown status codes by transforming their responses.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/file-log/3.11.json b/json_schemas/file-log/3.11.json new file mode 100644 index 00000000..7b34b71e --- /dev/null +++ b/json_schemas/file-log/3.11.json 
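Review bot: `config.functions` is the only property in this schema's `config` without a `description`, while `handle_unexpected` and `handle_unknown` both have one. The field name suggests each string is function source that the gateway evaluates, though nothing in the hunk confirms that. If so, the description should say it plainly so operators know that write access to this plugin's configuration amounts to code execution on the gateway. A one-line `"description"` stating what the strings contain and when they run would be enough.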
@@ -0,0 +1,98 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "path": { + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", + "pattern": "^[^*&%%\\`]+$", + "type": "string" + }, + "reopen": { + "default": false, + "description": "Determines whether the log file is closed and reopened on every request.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/forward-proxy/3.11.json b/json_schemas/forward-proxy/3.11.json new file mode 100644 index 00000000..ad6b829b --- /dev/null +++ b/json_schemas/forward-proxy/3.11.json 
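Review bot: The `pattern` on `config.path`, ``^[^*&%%\\`]+$``, reads like a Lua pattern copied verbatim into a JSON Schema regex, and the two dialects do not agree on it. In a regex the doubled `%` is redundant and the backslash escapes the backtick instead of standing for itself, so this schema does not reject backslashes in the path, and an engine running in Unicode mode may refuse the escape altogether. If the intent is to forbid `*`, `&`, `%`, backslash and backtick, the JSON form would be ``"pattern": "^[^*&%\\\\`]+$"``. Since this value decides where the gateway writes a file, consumers should not rely on the schema check as the only path validation. `custom_fields_by_lua` (`"additionalProperties": true`, described as Lua code) needs the same care over who may set it.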
@@ -0,0 +1,135 @@ +{ + "properties": { + "config": { + "properties": { + "auth_password": { + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "type": "string" + }, + "auth_username": { + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "type": "string" + }, + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "https_verify": { + "default": false, + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "type": "boolean" + }, + "proxy_scheme": { + "default": "http", + "description": "The proxy scheme to use when connecting. Only `http` is supported.", + "enum": [ + "http" + ], + "type": "string" + }, + "x_headers": { + "default": "append", + "description": "Determines how to handle headers when forwarding the request.", + "enum": [ + "append", + "delete", + "transparent" + ], + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "proxy_host": { + "type": "string" + }, + "proxy_port": { + "type": "integer" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/graphql-proxy-cache-advanced/3.11.json b/json_schemas/graphql-proxy-cache-advanced/3.11.json new file mode 100644 index 00000000..46c5d48b --- /dev/null +++ b/json_schemas/graphql-proxy-cache-advanced/3.11.json 
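Review bot: `config.https_verify` ships with `"default": false`, so a forward proxy configured from these defaults does not verify the server certificate, and the description does not say so. I would extend it with `Defaults to false, which skips certificate verification; set to true and configure lua_ssl_trusted_certificate.` Separately, `auth_password` and `auth_username` lack the "This field is referenceable" sentence that the Redis `password` fields elsewhere in this patch carry. If the plugin accepts vault references for them (not visible here), the description should say so, so the credential is not stored inline. `shorthand_fields` is not a JSON Schema keyword, so standard validators ignore the `proxy_host`/`proxy_port` definitions, and because `config` has no `additionalProperties: false` those keys pass unchecked.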
@@ -0,0 +1,300 @@ +{ + "properties": { + "config": { + "properties": { + "bypass_on_err": { + "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "minimum": 0, + "type": "integer" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "default": "memory", + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", + "enum": [ + "memory", + "redis" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/graphql-rate-limiting-advanced/3.11.json b/json_schemas/graphql-rate-limiting-advanced/3.11.json new file mode 100644 index 00000000..6fedc860 --- /dev/null +++ b/json_schemas/graphql-rate-limiting-advanced/3.11.json 
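Review bot: `redis.cluster_nodes` and `redis.sentinel_nodes`, plus the `cluster_addresses`/`sentinel_addresses` shorthands, declare `"minLength": 1` on `"type": "array"`. `minLength` only constrains strings, so the "minimum length of the array is 1 element" rule in the descriptions is not enforced; it should be `"minItems": 1`. `cache_ttl` says "Must be a value greater than 0" but declares `"minimum": 0`, which admits 0, so `"minimum": 1` would match the text; and `strategy` lists `redis` in its `enum` while the description says the accepted value is `memory`. `redis.ssl` and `redis.ssl_verify` both default to `false`, so the descriptions should state that the Redis connection is unencrypted and unverified unless both are enabled. The same `minLength`-on-array pattern recurs in the graphql-rate-limiting-advanced schema that follows, whose hunk runs past the visible lines.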
@@ -0,0 +1,343 @@ +{ + "properties": { + "config": { + "properties": { + "cost_strategy": { + "default": "default", + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", + "enum": [ + "default", + "node_quantifier" + ], + "type": "string" + }, + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters will be stored until the next sync cycle.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers. Available options: `true` or `false`.", + "type": "boolean" + }, + "identifier": { + "default": "consumer", + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", + "enum": [ + "consumer", + "credential", + "ip" + ], + "type": "string" + }, + "limit": { + "description": "One or more requests-per-window limits to apply.", + "items": { + "required": [ + + ], + "type": "number" + }, + "type": "array" + }, + "max_cost": { + "default": 0, + "description": "A defined maximum cost per query. 0 means unlimited.", + "type": "number" + }, + "namespace": { + "description": "The rate limiting namespace to use for this plugin instance. This namespace is used to share rate limiting counters across different instances. If it is not provided, a random UUID is generated. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "score_factor": { + "default": 1, + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", + "minimum": 0, + "type": "number" + }, + "strategy": { + "default": "cluster", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", + "enum": [ + "cluster", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. 
A value greater than 0 syncs the counters in that many number of seconds.", + "type": "number" + }, + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds).", + "items": { + "required": [ + + ], + "type": "number" + }, + "type": "array" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window to either `sliding` or `fixed`.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
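Review bot: `config.redis.cluster_nodes` and `config.redis.sentinel_nodes` are `"type": "array"` but carry `"minLength": 1`, a keyword JSON Schema applies only to strings, so an empty node list passes validation even though both descriptions say the minimum is one element; the array keyword is `"minItems": 1`. The same keyword appears on `cluster_addresses` and `sentinel_addresses` under `shorthand_fields`. `score_factor` has `"minimum": 0` although its description says the value must always be greater than 0, so `0` validates; an exclusive bound (`exclusiveMinimum`, in the form the consuming validator's draft expects) would match the text. If these files are exported from the gateway's own schema definitions, the correction belongs in the exporter rather than in this file.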
diff --git a/json_schemas/grpc-gateway/3.11.json b/json_schemas/grpc-gateway/3.11.json new file mode 100644 index 00000000..2ae37a8c --- /dev/null +++ b/json_schemas/grpc-gateway/3.11.json 
@@ -0,0 +1,87 @@ +{ + "properties": { + "config": { + "properties": { + "proto": { + "description": "Describes the gRPC types and methods.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/grpc-web/3.11.json b/json_schemas/grpc-web/3.11.json new file mode 100644 index 00000000..31f56172 --- /dev/null +++ b/json_schemas/grpc-web/3.11.json 
@@ -0,0 +1,96 @@ +{ + "properties": { + "config": { + "properties": { + "allow_origin_header": { + "default": "*", + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", + "type": "string" + }, + "pass_stripped_path": { + "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", + "type": "boolean" + }, + "proto": { + "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/header-cert-auth/3.11.json b/json_schemas/header-cert-auth/3.11.json new file mode 100644 index 00000000..cd742de3 --- /dev/null +++ b/json_schemas/header-cert-auth/3.11.json 
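Review bot: `allow_origin_header` defaults to `*` and its description does not say what that means for a deployment; I would extend it with a sentence such as `The default value allows pages on any origin to read responses; set a specific origin where the API is not meant to be public.` In the same `config` object, the `proto` description spells the content type `application/grpw-web+proto`, which should read `application/grpc-web+proto` so that the typo is not copied into client configuration.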
@@ -0,0 +1,181 @@ +{ + "properties": { + "config": { + "properties": { + "allow_partial_chain": { + "default": false, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "type": "boolean" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "authenticated_group_by": { + "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "enum": [ + "CN", + "DN" + ], + "type": "string" + }, + "ca_certificates": { + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", + "items": { + "required": [ + + ], + "type": "string", + "uuid": true + }, + "type": "array" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "cert_cache_ttl": { + "default": 60000, + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", + "type": "number" + }, + "certificate_header_format": { + "description": "Format of the certificate header. 
Supported formats: `base64_encoded`, `url_encoded`.", + "enum": [ + "base64_encoded", + "url_encoded" + ], + "type": "string" + }, + "certificate_header_name": { + "description": "Name of the header that contains the certificate, received from the WAF or other L7 downstream proxy.", + "type": "string" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "items": { + "enum": [ + "custom_id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "default_consumer": { + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "revocation_check_mode": { + "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. 
If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "enum": [ + "IGNORE_CA_ERROR", + "SKIP", + "STRICT" + ], + "type": "string" + }, + "secure_source": { + "default": true, + "description": "Whether to secure the source of the request. If set to `true`, the plugin will only allow requests from trusted IPs (configured by the `trusted_ips` config option).", + "type": "boolean" + }, + "skip_consumer_lookup": { + "default": false, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/hmac-auth/3.11.json b/json_schemas/hmac-auth/3.11.json new file mode 100644 index 00000000..1e3ae8ec 
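Review bot: `ca_certificates` is described as needing at least one entry, but `config.required` is empty and the array has no `"minItems": 1`, so a configuration without any CA list passes this schema; for a plugin whose trust decision rests on that list, tooling that validates against the schema should reject the omission. `certificate_header_name` and `certificate_header_format` are likewise optional here with no default, which looks unintended. Because the certificate arrives in a request header, the `secure_source` description could state the consequence of `false` directly, for example `When false, the certificate header is accepted from any source address, so the fronting proxy must strip it from client requests.` (inferred from the field descriptions; confirm against the plugin). `revocation_check_mode` defaults to `IGNORE_CA_ERROR`, which by its own description does not fail on network issues, so deployments that need revocation enforced have to set `STRICT` explicitly.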
--- /dev/null +++ b/json_schemas/hmac-auth/3.11.json 
@@ -0,0 +1,126 @@ +{ + "properties": { + "config": { + "properties": { + "algorithms": { + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", + "items": { + "enum": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "anonymous": { + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + }, + "clock_skew": { + "default": 300, + "description": "Clock skew in seconds to prevent replay attacks.", + "minimum": 0, + "type": "number" + }, + "enforce_headers": { + "default": [ + + ], + "description": "A list of headers that the client should at least use for HTTP signature creation.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "type": "boolean" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "validate_request_body": { + "default": false, + "description": "A boolean value telling the plugin to enable body validation.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/http-log/3.11.json b/json_schemas/http-log/3.11.json new file mode 100644 index 00000000..2d6b5c6c --- /dev/null +++ b/json_schemas/http-log/3.11.json 
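Review bot: The descriptions of `enforce_headers` (default `[]`) and `validate_request_body` (default `false`) do not say what the defaults leave unauthenticated. As written, it appears that with the defaults the client chooses which headers are signed and the request body is not covered, so I would add to `validate_request_body` something like `When false, the request body is not verified and can change without invalidating the signature.` and to `enforce_headers` a recommendation to list the headers the upstream relies on; both statements are inferred from the field descriptions and need confirming against the plugin. The default `algorithms` list still includes `hmac-sha1`; there is no practical attack on HMAC-SHA1, but environments whose policy excludes SHA-1 will need to narrow the list explicitly.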
@@ -0,0 +1,199 @@ +{ + "properties": { + "config": { + "properties": { + "content_type": { + "default": "application/json", + "description": "Indicates the type of data sent. The only available option is `application/json`.", + "enum": [ + "application/json", + "application/json; charset=utf-8" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" + }, + "headers": { + "additionalProperties": true, + "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", + "type": "object" + }, + "http_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", + "type": "number" + }, + "method": { + "default": "POST", + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", + "enum": [ + "PATCH", + "POST", + "PUT" + ], + "type": "string" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. 
-1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "queue_size": { + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" + }, + "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, 
the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/injection-protection/3.11.json b/json_schemas/injection-protection/3.11.json new file mode 100644 index 00000000..52949341 --- /dev/null +++ b/json_schemas/injection-protection/3.11.json 
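Review bot: `custom_fields_by_lua` is described only as `Lua code as a key-value map` and accepts arbitrary properties, which undersells a field whose values are code. The description should say what each key and value is and that write access to this plugin's configuration amounts to supplying Lua that the gateway evaluates, for example `Map of log field name to a Lua chunk whose result becomes the field value; treat write access to this field as code execution on the gateway.` (wording inferred; confirm against the plugin). `http_endpoint` and `headers` carry no constraint or note about transport, so log entries and any credentials placed in `headers` can be sent over plain `http://`; a sentence recommending `https` would help. The `content_type` description says the only option is `application/json` while the enum also allows `application/json; charset=utf-8`, and the `concurrency_limit` description reads `number of of`.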
@@ -0,0 +1,146 @@ +{ + "properties": { + "config": { + "properties": { + "custom_injections": { + "default": null, + "description": "Custom regexes to check for.", + "items": { + "properties": { + "name": { + "description": "A unique name for this injection.", + "type": "string" + }, + "regex": { + "description": "The regex to match against.", + "is_regex": true, + "type": "string" + } + }, + "required": [ + "name", + "regex" + ], + "type": "object" + }, + "type": "array" + }, + "enforcement_mode": { + "default": "block", + "description": "Enforcement mode of the security policy.", + "enum": [ + "block", + "log_only" + ], + "type": "string" + }, + "error_message": { + "default": "Bad Request", + "description": "The response message when validation fails", + "type": "string" + }, + "error_status_code": { + "default": 400, + "description": "The response status code when validation fails.", + "maximum": 499, + "minimum": 400, + "type": "integer" + }, + "injection_types": { + "default": [ + "sql" + ], + "description": "The type of injections to check for.", + "items": { + "enum": [ + "java_exception", + "js", + "sql", + "ssi", + "xpath_abbreviated", + "xpath_extended" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "locations": { + "default": [ + "path_and_query" + ], + "description": "The locations to check for injection.", + "items": { + "enum": [ + "body", + "headers", + "path_and_query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified 
route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ip-restriction/3.11.json b/json_schemas/ip-restriction/3.11.json new file mode 100644 index 00000000..83800949 --- /dev/null +++ b/json_schemas/ip-restriction/3.11.json 
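Review bot: The defaults for `injection_types` (`["sql"]`) and `locations` (`["path_and_query"]`) mean a default configuration inspects only the path and query string for SQL patterns, and neither description says so; I would add to `locations` a sentence such as `Request bodies and headers are inspected only when body or headers is listed.` `custom_injections` declares `"default": null` alongside `"type": "array"`, so the default does not satisfy the field's own type; omitting the default or using `[]` keeps it consistent. `regex` accepts any string with no length bound, and since the pattern is matched against request data it is worth documenting that custom patterns should be checked for excessive backtracking before they are deployed.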
@@ -0,0 +1,128 @@ +{ + "properties": { + "config": { + "properties": { + "allow": { + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", + "items": { + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "deny": { + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", + "items": { + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "message": { + "description": "The message to send as a response body to rejected requests.", + "type": "string" + }, + "status": { + "description": "The HTTP status of the requests that will be rejected by the plugin.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/jq/3.11.json b/json_schemas/jq/3.11.json new file mode 100644 index 00000000..7a686c75 --- /dev/null +++ b/json_schemas/jq/3.11.json 
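Review bot: Both `config.allow` and `config.deny` say "One of `config.allow` or `config.deny` must be specified", but `config.required` is empty, so a configuration with neither list validates against this schema and would restrict nothing. If the schema is meant to be used for validation, express the rule under `config` with `"anyOf": [{"required": ["allow"]}, {"required": ["deny"]}]`. `config.status` is `"type": "number"` with no bounds, while the other plugin schemas on this page declare their rejection code as an integer limited to 400–499; an integer type with a documented range would keep non-status values out, assuming the plugin does not accept them. The `consumer` description reads "where the specified has been authenticated" (the word "consumer" is missing), and the jq hunk that follows repeats it.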
@@ -0,0 +1,176 @@ +{ + "properties": { + "config": { + "properties": { + "request_if_media_type": { + "default": [ + "application/json" + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "request_jq_program": { + "type": "string" + }, + "request_jq_program_options": { + "properties": { + "ascii_output": { + "default": false, + "type": "boolean" + }, + "compact_output": { + "default": true, + "type": "boolean" + }, + "join_output": { + "default": false, + "type": "boolean" + }, + "raw_output": { + "default": false, + "type": "boolean" + }, + "sort_keys": { + "default": false, + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "response_if_media_type": { + "default": [ + "application/json" + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "response_if_status_code": { + "default": [ + 200 + ], + "items": { + "maximum": 599, + "minimum": 100, + "required": [ + + ], + "type": "integer" + }, + "type": "array" + }, + "response_jq_program": { + "type": "string" + }, + "response_jq_program_options": { + "properties": { + "ascii_output": { + "default": false, + "type": "boolean" + }, + "compact_output": { + "default": true, + "type": "boolean" + }, + "join_output": { + "default": false, + "type": "boolean" + }, + "raw_output": { + "default": false, + "type": "boolean" + }, + "sort_keys": { + "default": false, + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/json-threat-protection/3.11.json b/json_schemas/json-threat-protection/3.11.json new file mode 100644 index 00000000..43827bd8 --- /dev/null +++ b/json_schemas/json-threat-protection/3.11.json 
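Review bot: None of the properties under `config` in this schema has a `description`, so `request_jq_program`, `response_jq_program`, the two `*_if_media_type` lists, `response_if_status_code` and the program options are undocumented here, unlike the neighbouring schemas. Since these fields decide which requests and responses are rewritten, each should say what it gates, for example `"description": "The jq program to run on the request body."` on `request_jq_program` and `"description": "Media types for which the request program runs."` on `request_if_media_type` (wording to be confirmed against the plugin documentation). The two program fields are also unbounded strings with no entry in `required`, so the schema does not show whether a configuration with neither program is valid; a sentence in the description would settle that.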
@@ -0,0 +1,126 @@ +{ + "properties": { + "config": { + "properties": { + "enforcement_mode": { + "default": "block", + "description": "Enforcement mode of the security policy.", + "enum": [ + "block", + "log_only" + ], + "type": "string" + }, + "error_message": { + "default": "Bad Request", + "description": "The response message when validation fails", + "type": "string" + }, + "error_status_code": { + "default": 400, + "description": "The response status code when validation fails.", + "maximum": 499, + "minimum": 400, + "type": "integer" + }, + "max_array_element_count": { + "default": -1, + "description": "Max number of elements in an array. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_body_size": { + "default": 8192, + "description": "Max size of the request body. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_container_depth": { + "default": -1, + "description": "Max nested depth of objects and arrays. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_object_entry_count": { + "default": -1, + "description": "Max number of entries in an object. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_object_entry_name_length": { + "default": -1, + "description": "Max string length of object name. -1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + }, + "max_string_value_length": { + "default": -1, + "description": "Max string value length. 
-1 means unlimited.", + "maximum": 2147483648, + "minimum": -1, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/jwe-decrypt/3.11.json b/json_schemas/jwe-decrypt/3.11.json new file mode 100644 index 00000000..019e6fb1 --- /dev/null +++ b/json_schemas/jwe-decrypt/3.11.json 
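Review bot: Every structural limit in `config` (`max_array_element_count`, `max_container_depth`, `max_object_entry_count`, `max_object_entry_name_length`, `max_string_value_length`) defaults to `-1`, which the descriptions define as unlimited, so out of the box only `max_body_size` (8192) constrains a request. The descriptions should say this, e.g. `"description": "Max nested depth of objects and arrays. -1 means unlimited (the default); set a positive value to enforce a limit."`. `"maximum": 2147483648` on all six limits is one more than the largest signed 32-bit value; if the plugin stores these as 32-bit integers the bound should be `"maximum": 2147483647`. `max_body_size` does not state its unit (presumably bytes), and `"minimum": -1` also admits `0`, whose meaning is not documented.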
@@ -0,0 +1,88 @@ +{ + "properties": { + "config": { + "properties": { + "forward_header_name": { + "default": "Authorization", + "description": "The name of the header that is used to set the decrypted value.", + "type": "string" + }, + "key_sets": { + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "lookup_header_name": { + "default": "Authorization", + "description": "The name of the header to look for the JWE token.", + "type": "string" + }, + "strict": { + "default": true, + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/jwt-signer/3.11.json b/json_schemas/jwt-signer/3.11.json new file mode 100644 index 00000000..6b424d39 --- /dev/null +++ b/json_schemas/jwt-signer/3.11.json 
@@ -0,0 +1,699 @@ +{ + "properties": { + "config": { + "properties": { + "access_token_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_authorization": { + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", + "type": "string" + }, + "access_token_introspection_body_args": { + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", + "type": "string" + }, + "access_token_introspection_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. 
The parameter can take an array of values.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", + "type": "string" + }, + "access_token_introspection_hint": { + "default": "access_token", + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", + "type": "string" + }, + "access_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. 
You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", + "type": "number" + }, + "access_token_introspection_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", + "type": "number" + }, + "access_token_issuer": { + "default": "kong", + "description": "The `iss` claim of a signed or re-signed access token is set to this value. 
Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", + "type": "string" + }, + "access_token_jwks_uri": { + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", + "type": "string" + }, + "access_token_jwks_uri_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", + "type": "string" + }, + "access_token_jwks_uri_client_password": { + "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`", + "type": "string" + }, + "access_token_jwks_uri_client_username": { + "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`", + "type": "string" + }, + "access_token_jwks_uri_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. The default value 0 means no auto-rotation.", + "type": "number" + }, + "access_token_keyset": { + "default": "kong", + "description": "The name of the keyset containing signing keys.", + "type": "string" + }, + "access_token_keyset_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_keyset` is an https uri that requires mTLS Auth.", + "type": "string" + }, + "access_token_keyset_client_password": { + "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `access_token_keyset_client_username`", + "type": "string" + }, + "access_token_keyset_client_username": { + "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`", + "type": "string" + }, + "access_token_keyset_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. The default value 0 means no auto-rotation.", + "type": "number" + }, + "access_token_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", + "type": "number" + }, + "access_token_optional": { + "default": false, + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. 
If the token is provided, then this parameter has no effect", + "type": "boolean" + }, + "access_token_request_header": { + "default": "Authorization", + "description": "This parameter tells the name of the header where to look for the access token.", + "type": "string" + }, + "access_token_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "access_token_signing_algorithm": { + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS512" + ], + "type": "string" + }, + "access_token_upstream_header": { + "default": "Authorization:Bearer", + "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. 
If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", + "type": "string" + }, + "access_token_upstream_leeway": { + "default": 0, + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", + "type": "number" + }, + "add_access_token_claims": { + "additionalProperties": true, + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "add_channel_token_claims": { + "additionalProperties": true, + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "add_claims": { + "additionalProperties": true, + "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "cache_access_token_introspection": { + "default": true, + "description": "Whether to cache access token introspection results.", + "type": "boolean" + }, + "cache_channel_token_introspection": { + "default": true, + "description": "Whether to cache channel token introspection results.", + "type": "boolean" + }, + "channel_token_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. 
The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_authorization": { + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "string" + }, + "channel_token_introspection_body_args": { + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "string" + }, + "channel_token_introspection_consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. 
Valid values are `id`, `username` and `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_endpoint": { + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", + "type": "string" + }, + "channel_token_introspection_hint": { + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "string" + }, + "channel_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_leeway": { + "default": 0, + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. 
The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", + "type": "number" + }, + "channel_token_introspection_scopes_claim": { + "default": [ + "scope" + ], + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_scopes_required": { + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", + "type": "number" + }, + "channel_token_issuer": { + "default": "kong", + "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", + "type": "string" + }, + "channel_token_jwks_uri": { + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. 
If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", + "type": "string" + }, + "channel_token_jwks_uri_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", + "type": "string" + }, + "channel_token_jwks_uri_client_password": { + "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`", + "type": "string" + }, + "channel_token_jwks_uri_client_username": { + "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", + "type": "string" + }, + "channel_token_jwks_uri_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. The default value 0 means no auto-rotation.", + "type": "number" + }, + "channel_token_keyset": { + "default": "kong", + "description": "The name of the keyset containing signing keys.", + "type": "string" + }, + "channel_token_keyset_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `channel_token_keyset` is an https uri that requires mTLS Auth.", + "type": "string" + }, + "channel_token_keyset_client_password": { + "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_keyset_client_username`", + "type": "string" + }, + "channel_token_keyset_client_username": { + "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`", + "type": "string" + }, + "channel_token_keyset_rotate_period": { + "default": 0, + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. The default value 0 means no auto-rotation.", + "type": "number" + }, + "channel_token_leeway": { + "default": 0, + "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", + "type": "number" + }, + "channel_token_optional": { + "default": false, + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", + "type": "boolean" + }, + "channel_token_request_header": { + "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", + "type": "string" + }, + "channel_token_scopes_claim": { + "default": [ + "scope" + ], + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. 
This supports nested claims.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "channel_token_signing_algorithm": { + "default": "RS256", + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS512" + ], + "type": "string" + }, + "channel_token_upstream_header": { + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", + "type": "string" + }, + "channel_token_upstream_leeway": { + "default": 0, + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", + "type": "number" + }, + "enable_access_token_introspection": { + "default": true, + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", + "type": "boolean" + }, + "enable_channel_token_introspection": { + "default": true, + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", + "type": "boolean" + }, + "enable_hs_signatures": { + "default": false, + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. 
If you need to accept such tokens for verification, enable this setting.", + "type": "boolean" + }, + "enable_instrumentation": { + "default": false, + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", + "type": "boolean" + }, + "original_access_token_upstream_header": { + "description": "The HTTP header name used to store the original access token.", + "type": "string" + }, + "original_channel_token_upstream_header": { + "description": "The HTTP header name used to store the original channel token.", + "type": "string" + }, + "realm": { + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", + "type": "string" + }, + "remove_access_token_claims": { + "default": [ + + ], + "description": "remove claims. It should be an array, and each element is a claim key string.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "remove_channel_token_claims": { + "default": [ + + ], + "description": "remove claims. It should be an array, and each element is a claim key string.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "set_access_token_claims": { + "additionalProperties": true, + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "set_channel_token_claims": { + "additionalProperties": true, + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "set_claims": { + "additionalProperties": true, + "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. 
Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", + "type": "object" + }, + "trust_access_token_introspection": { + "default": true, + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", + "type": "boolean" + }, + "trust_channel_token_introspection": { + "default": true, + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", + "type": "boolean" + }, + "verify_access_token_expiry": { + "default": true, + "description": "Quickly turn access token expiry verification off and on as needed.", + "type": "boolean" + }, + "verify_access_token_introspection_expiry": { + "default": true, + "description": "Quickly turn access token introspection expiry verification off and on as needed.", + "type": "boolean" + }, + "verify_access_token_introspection_scopes": { + "default": true, + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", + "type": "boolean" + }, + "verify_access_token_scopes": { + "default": true, + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", + "type": "boolean" + }, + "verify_access_token_signature": { + "default": true, + "description": "Quickly turn access token signature verification off and on as needed.", + "type": "boolean" + }, + 
"verify_channel_token_expiry": { + "default": true, + "type": "boolean" + }, + "verify_channel_token_introspection_expiry": { + "default": true, + "description": "Quickly turn on/off the channel token introspection expiry verification.", + "type": "boolean" + }, + "verify_channel_token_introspection_scopes": { + "default": true, + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", + "type": "boolean" + }, + "verify_channel_token_scopes": { + "default": true, + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", + "type": "boolean" + }, + "verify_channel_token_signature": { + "default": true, + "description": "Quickly turn on/off the channel token signature verification.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
diff --git a/json_schemas/jwt/3.11.json b/json_schemas/jwt/3.11.json
new file mode 100644
index 00000000..6a6338ce
--- /dev/null
+++ b/json_schemas/jwt/3.11.json
@@ -0,0 +1,146 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + }, + "claims_to_verify": { + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", + "items": { + "enum": [ + "exp", + "nbf" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "cookie_names": { + "default": [ + + ], + "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "header_names": { + "default": [ + "authorization" + ], + "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "key_claim_name": { + "default": "iss", + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", + "type": "string" + }, + "maximum_expiration": { + "default": 0, + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", + "maximum": 31536000, + "minimum": 0, + "type": "number" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. 
If set to false, then OPTIONS requests will always be allowed.", + "type": "boolean" + }, + "secret_is_base64": { + "default": false, + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", + "type": "boolean" + }, + "uri_param_names": { + "default": [ + "jwt" + ], + "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/kafka-consume/3.11.json b/json_schemas/kafka-consume/3.11.json new file mode 100644 index 00000000..10ae7600 --- /dev/null +++ b/json_schemas/kafka-consume/3.11.json 
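Review bot: `claims_to_verify` carries no `default`, so as far as this schema shows neither `exp` nor `nbf` is checked unless an operator lists it, and the description never says so. I would end that description with `If unset, no registered claims are verified.` once this is confirmed against the plugin. The `uri_param_names` default of `["jwt"]` deserves a sentence as well: tokens sent in the query string are commonly written to access and proxy logs, so a hardened deployment may want an empty list there and rely on `header_names` only.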
@@ -0,0 +1,212 @@ +{ + "properties": { + "config": { + "properties": { + "authentication": { + "properties": { + "mechanism": { + "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", + "enum": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "type": "string" + }, + "password": { + "description": "Password for SASL authentication.", + "type": "string" + }, + "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "enum": [ + "sasl" + ], + "type": "string" + }, + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication", + "type": "boolean" + }, + "user": { + "description": "Username for SASL authentication.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "auto_offset_reset": { + "default": "latest", + "description": "The offset to start from when there is no initial offset in the consumer group.", + "enum": [ + "earliest", + "latest" + ], + "type": "string" + }, + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster.", + "type": "string" + }, + "commit_strategy": { + "default": "auto", + "description": "The strategy to use for committing offsets.", + "enum": [ + "auto", + "off" + ], + "type": "string" + }, + "message_deserializer": { + "default": "noop", + "description": "The deserializer to use for the consumed messages.", + "enum": [ + "json", + "noop" + ], + 
"type": "string" + }, + "mode": { + "default": "http-get", + "description": "The mode of operation for the plugin.", + "enum": [ + "http-get", + "server-sent-events" + ], + "type": "string" + }, + "security": { + "properties": { + "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string", + "uuid": true + }, + "ssl": { + "description": "Enables TLS.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "topics": { + "description": "The Kafka topics and their configuration you want to consume from.", + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/kafka-log/3.11.json b/json_schemas/kafka-log/3.11.json new file mode 100644 index 00000000..3cc3b73a --- /dev/null +++ b/json_schemas/kafka-log/3.11.json 
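Review bot: `topics` is declared `"type": "array"` but constrained with `"minLength": 1`, a keyword JSON Schema applies only to strings, so an empty topic list passes validation; the constraint should be `"minItems": 1`. The `authentication.mechanism` description also names only `PLAIN` and `SCRAM-SHA-256` while the enum next to it accepts `SCRAM-SHA-512`. kafka-log/3.11.json carries the same stale sentence, whereas kafka-upstream/3.11.json already lists all three mechanisms. If these files are exported from the gateway's schema rather than written by hand, both fixes belong in that source.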
@@ -0,0 +1,232 @@ +{ + "properties": { + "config": { + "properties": { + "authentication": { + "properties": { + "mechanism": { + "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", + "enum": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "type": "string" + }, + "password": { + "description": "Password for SASL authentication.", + "type": "string" + }, + "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "enum": [ + "sasl" + ], + "type": "string" + }, + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication", + "type": "boolean" + }, + "user": { + "description": "Username for SASL authentication.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. 
Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "keepalive": { + "default": 60000, + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + }, + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + }, + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + }, + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "enum": [ + -1, + 0, + 1 + ], + "type": "integer" + }, + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + }, + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single Produce request.", + "type": "integer" + }, + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + }, + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + }, + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds", + "type": "integer" + }, + "security": { + "properties": { + "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string", + "uuid": true + }, + "ssl": { + "description": "Enables TLS.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topic": { + "description": "The Kafka topic to publish to.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/kafka-upstream/3.11.json b/json_schemas/kafka-upstream/3.11.json new file mode 100644 index 00000000..4fa1cc92 --- /dev/null +++ b/json_schemas/kafka-upstream/3.11.json 
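Review bot: `custom_fields_by_lua` is documented only as `Lua code as a key-value map` and accepts arbitrary properties, which undersells the field: presumably anyone who can write this plugin's configuration can supply code that the gateway runs. The description should say so, for example `Map of field name to Lua code evaluated by the gateway; restrict who may edit this plugin's configuration.`, with the evaluation details checked against the plugin. `keepalive` and `keepalive_enabled` have no description at all here, although kafka-upstream/3.11.json documents `keepalive` as `Keepalive timeout in milliseconds.`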
@@ -0,0 +1,244 @@ +{ + "properties": { + "config": { + "properties": { + "authentication": { + "properties": { + "mechanism": { + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", + "enum": [ + "PLAIN", + "SCRAM-SHA-256", + "SCRAM-SHA-512" + ], + "type": "string" + }, + "password": { + "description": "Password for SASL authentication.", + "type": "string" + }, + "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "enum": [ + "sasl" + ], + "type": "string" + }, + "tokenauth": { + "description": "Enable this to indicate `DelegationToken` authentication.", + "type": "boolean" + }, + "user": { + "description": "Username for SASL authentication.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "items": { + "properties": { + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + "host", + "port" + ], + "type": "object" + }, + "type": "array" + }, + "cluster_name": { + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "type": "string" + }, + "forward_body": { + "default": true, + "description": "Include the request body in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_headers": { + "default": false, + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_method": { + "default": false, + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "forward_uri": { + "default": false, + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "Keepalive timeout in milliseconds.", + "type": "integer" + }, + "keepalive_enabled": { + "default": false, + "type": "boolean" + }, + "producer_async": { + "default": true, + "description": "Flag to enable asynchronous mode.", + "type": "boolean" + }, + "producer_async_buffering_limits_messages_in_memory": { + "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "type": "integer" + }, + "producer_async_flush_timeout": { + "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "type": "integer" + }, + "producer_request_acks": { + "default": 1, + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "enum": [ + -1, + 0, + 1 + ], + "type": "integer" + }, + "producer_request_limits_bytes_per_request": { + "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", + "type": "integer" + }, + "producer_request_limits_messages_per_request": { + "default": 200, + "description": "Maximum number of messages to include into a single producer request.", + "type": "integer" + }, + "producer_request_retries_backoff_timeout": { + "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", + "type": "integer" + }, + "producer_request_retries_max_attempts": { + "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", + "type": "integer" + }, + "producer_request_timeout": { + "default": 2000, + "description": "Time to wait for a Produce response in milliseconds.", + "type": "integer" + }, + "security": { + "properties": { + "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string", + "uuid": true + }, + "ssl": { + "description": "Enables TLS.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "timeout": { + "default": 10000, + "description": "Socket timeout in milliseconds.", + "type": "integer" + }, + "topic": { + "description": "The Kafka topic to publish to.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/key-auth-enc/3.11.json b/json_schemas/key-auth-enc/3.11.json new file mode 100644 index 00000000..393987e0 --- /dev/null +++ b/json_schemas/key-auth-enc/3.11.json 
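Review bot: Nothing in this schema links `authentication.mechanism` to `security.ssl`: `PLAIN` is an accepted mechanism and `ssl` is an optional boolean with no default, so a configuration that sends the SASL password over an unencrypted broker connection validates. Unless the plugin rejects that combination at runtime, the `ssl` description should carry the caveat, e.g. `Enables TLS. Enable this whenever SASL authentication is configured, since PLAIN transmits the password unprotected.` The same pairing appears in kafka-consume/3.11.json and kafka-log/3.11.json. `forward_headers` would also benefit from a note that forwarded headers can include `Authorization` and cookie values, which then persist in the topic.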
@@ -0,0 +1,114 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", + "type": "boolean" + }, + "key_in_body": { + "default": false, + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "key_in_header": { + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean" + }, + "key_in_query": { + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean" + }, + "key_names": { + "default": [ + "apikey" + ], + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. 
Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "items": { + "description": "A string representing an HTTP header name.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
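Review bot: With `key_in_query` defaulting to `true` and `hide_credentials` to `false`, the out-of-the-box configuration accepts API keys in the URL and passes them on to the upstream service, yet neither description mentions the exposure. I would add to `key_in_query` something like `Keys sent in the query string are commonly recorded in access logs; disable this if clients can use a header.` and to `hide_credentials` a recommendation to set it to `true` unless the upstream needs the key. key-auth/3.11.json ships the same defaults with the same gap.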
diff --git a/json_schemas/key-auth/3.11.json b/json_schemas/key-auth/3.11.json
new file mode 100644
index 00000000..a37eb540
--- /dev/null
+++ b/json_schemas/key-auth/3.11.json
@@ -0,0 +1,114 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", + "type": "boolean" + }, + "key_in_body": { + "default": false, + "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "key_in_header": { + "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "type": "boolean" + }, + "key_in_query": { + "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "type": "boolean" + }, + "key_names": { + "default": [ + "apikey" + ], + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", + "items": { + "description": "A string representing an HTTP header name.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. 
If set to `false`, then `OPTIONS` requests are always allowed.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/konnect-application-auth/3.11.json b/json_schemas/konnect-application-auth/3.11.json new file mode 100644 index 00000000..6b9a6b29 --- /dev/null +++ b/json_schemas/konnect-application-auth/3.11.json 
@@ -0,0 +1,2345 @@ +{ + "properties": { + "config": { + "properties": { + "auth_type": { + "default": "openid-connect", + "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", + "enum": [ + "key-auth", + "openid-connect", + "v2-strategies" + ], + "type": "string" + }, + "key_names": { + "default": [ + "apikey" + ], + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "items": { + "description": "A string representing an HTTP header name.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "scope": { + "description": "The unique scope identifier for the plugin configuration.", + "type": "string" + }, + "v2_strategies": { + "description": "The map of v2 strategies.", + "properties": { + "key_auth": { + "description": "List of key_auth strategies.", + "items": { + "properties": { + "config": { + "properties": { + "key_names": { + "default": [ + "apikey" + ], + "description": "The names of the headers containing the API key. You can specify multiple header names.", + "items": { + "description": "A string representing an HTTP header name.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "strategy_id": { + "description": "The strategy id the config is tied to.", + "type": "string" + } + }, + "required": [ + "config", + "strategy_id" + ], + "type": "object" + }, + "type": "array" + }, + "openid_connect": { + "description": "List of openid_connect strategies.", + "items": { + "properties": { + "config": { + "description": "openid-connect plugin configuration.", + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "audience": { + "description": "The audience passed to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "audience_claim": { + "default": [ + "aud" + ], + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "audience_required": { + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "auth_methods": { + "default": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "description": "Types of credentials/grants to enable.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authenticated_groups_claim": { + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", + "type": "string" + }, + "authorization_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "authorization_cookie_name": { + "default": "authorization", + "description": "The authorization cookie name.", + "type": "string" + }, + "authorization_cookie_path": { + "default": "/", + "description": "The authorization cookie Path flag.", + "type": "string" + }, + "authorization_cookie_same_site": { + "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "authorization_endpoint": { + "description": "The authorization endpoint. 
If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "authorization_query_args_client": { + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_names": { + "description": "Extra query argument names passed to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_values": { + "description": "Extra query argument values passed to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authorization_rolling_timeout": { + "default": 600, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number" + }, + "bearer_token_cookie_name": { + "description": "The name of the cookie in which the bearer token is passed.", + "type": "string" + }, + "bearer_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "items": { + "enum": [ + "body", + "cookie", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "by_username_ignore_case": { + "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "type": "boolean" + }, + "cache_introspection": { + "default": true, + "description": "Cache the introspection endpoint 
requests.", + "type": "boolean" + }, + "cache_token_exchange": { + "default": true, + "description": "Cache the token exchange endpoint requests.", + "type": "boolean" + }, + "cache_tokens": { + "default": true, + "description": "Cache the token endpoint requests.", + "type": "boolean" + }, + "cache_tokens_salt": { + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "type": "string" + }, + "cache_ttl": { + "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "type": "number" + }, + "cache_ttl_max": { + "description": "The maximum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_min": { + "description": "The minimum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_neg": { + "description": "The negative cache ttl in seconds.", + "type": "number" + }, + "cache_ttl_resurrect": { + "description": "The resurrection ttl in seconds.", + "type": "number" + }, + "cache_user_info": { + "default": true, + "description": "Cache the user info requests.", + "type": "boolean" + }, + "claims_forbidden": { + "description": "If given, these claims are forbidden in the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_alg": { + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "items": { + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS384", + "RS512" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_arg": { + "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "type": "string" + }, + "client_auth": { + "description": "The default OpenID Connect client 
authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "items": { + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_credentials_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_jwk": { + "description": "The JWK used for the private_key_jwt authentication.", + "items": { + "properties": { + "alg": { + "type": "string" + }, + "crv": { + "type": "string" + }, + "d": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "dp": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "dq": { + "description": "This field is 
[referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "e": { + "type": "string" + }, + "issuer": { + "type": "string" + }, + "k": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "key_ops": { + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "kid": { + "type": "string" + }, + "kty": { + "type": "string" + }, + "n": { + "type": "string" + }, + "oth": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "p": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "q": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "qi": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "r": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "t": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "use": { + "type": "string" + }, + "x": { + "type": "string" + }, + "x5c": { + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "x5t": { + "type": "string" + }, + "x5t#S256": { + "type": "string" + }, + "x5u": { + "type": "string" + }, + "y": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "type": "array" + }, + "client_secret": { + "description": "The client secret.", + "items": { + "description": "This field is 
[referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "cluster_cache_redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. 
Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "cluster_cache_strategy": { + "default": "off", + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", + "enum": [ + "off", + "redis" + ], + "type": "string" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_claim": { + "description": "The claim used for consumer mapping. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_optional": { + "default": false, + "description": "Do not terminate the request if consumer mapping fails.", + "type": "boolean" + }, + "credential_claim": { + "default": [ + "sub" + ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "disable_session": { + "description": "Disable issuing the session cookie with the specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_names": { + "description": "Extra header names passed to the discovery endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_values": { + "description": "Extra header values passed to the discovery endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "display_errors": { + "default": false, + "description": "Display errors on failure responses.", + "type": "boolean" + }, + "domains": { + "description": "The allowed values for the `hd` claim.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "downstream_access_token_header": { + "description": "The downstream access token header.", + "type": "string" + }, + "downstream_access_token_jwk_header": { + "description": "The downstream access token JWK header.", + "type": "string" + }, + 
"downstream_headers_claims": { + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "downstream_headers_names": { + "description": "The downstream header names for the claim values.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "downstream_id_token_header": { + "description": "The downstream id token header.", + "type": "string" + }, + "downstream_id_token_jwk_header": { + "description": "The downstream id token JWK header.", + "type": "string" + }, + "downstream_introspection_header": { + "description": "The downstream introspection header.", + "type": "string" + }, + "downstream_introspection_jwt_header": { + "description": "The downstream introspection JWT header.", + "type": "string" + }, + "downstream_refresh_token_header": { + "description": "The downstream refresh token header.", + "type": "string" + }, + "downstream_session_id_header": { + "description": "The downstream session id header.", + "type": "string" + }, + "downstream_user_info_header": { + "description": "The downstream user info header.", + "type": "string" + }, + "downstream_user_info_jwt_header": { + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "dpop_proof_lifetime": { + "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "type": "number" + }, + "dpop_use_nonce": { + "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. 
When enabled it will also be used to calculate the DPoP proof lifetime.", + "type": "boolean" + }, + "enable_hs_signatures": { + "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "type": "boolean" + }, + "end_session_endpoint": { + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "expose_error_code": { + "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "type": "boolean" + }, + "extra_jwks_uris": { + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "forbidden_destroy_session": { + "default": true, + "description": "Destroy any active session for the forbidden requests.", + "type": "boolean" + }, + "forbidden_error_message": { + "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection).", + "type": "string" + }, + "forbidden_redirect_uri": { + "description": "Where to redirect the client on forbidden requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "groups_claim": { + "default": [ + "groups" + ], + "description": "The claim that contains the groups. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "groups_required": { + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "hide_credentials": { + "default": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "type": "boolean" + }, + "http_proxy": { + "description": "The HTTP proxy.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The HTTP proxy authorization.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The HTTPS proxy.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The HTTPS proxy authorization.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "id_token_param_name": { + "description": "The name of the parameter used to pass the id token.", + "type": "string" + }, + "id_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": 
[ + + ], + "type": "string" + }, + "type": "array" + }, + "ignore_signature": { + "default": [ + + ], + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "introspection", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspect_jwt_tokens": { + "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "type": "boolean" + }, + "introspection_accept": { + "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt", + "application/token-introspection+jwt" + ], + "type": "string" + }, + "introspection_check_active": { + "default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "type": "boolean" + }, + "introspection_endpoint": { + "description": "The introspection endpoint. 
If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "introspection_endpoint_auth_method": { + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "introspection_headers_client": { + "description": "Extra headers passed from the client to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_names": { + "description": "Extra header names passed to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_values": { + "description": "Extra header values passed to the introspection endpoint.", + "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_hint": { + "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "type": "string" + }, + "introspection_post_args_client": { + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_client_headers": { + "description": "Extra post arguments passed from the client headers to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_names": { + "description": "Extra 
post argument names passed to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_values": { + "description": "Extra post argument values passed to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for introspection.", + "type": "string" + }, + "issuer": { + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "type": "string" + }, + "issuers_allowed": { + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "jwt_session_claim": { + "default": "sid", + "description": "The claim to match against the JWT session cookie.", + "type": "string" + }, + "jwt_session_cookie": { + "description": "The name of the JWT session cookie.", + "type": "string" + }, + "keepalive": { + "default": true, + "description": "Use keepalive with the HTTP client.", + "type": "boolean" + }, + "leeway": { + "default": 0, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "type": "number" + }, + "login_action": { + "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "enum": [ + "redirect", + "response", + "upstream" + ], + "type": "string" + }, + "login_methods": { + "default": [ + "authorization_code" + ], + "description": "Enable login functionality with specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + 
"password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "login_redirect_mode": { + "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "enum": [ + "fragment", + "query" + ], + "type": "string" + }, + "login_redirect_uri": { + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "login_tokens": { + "default": [ + "id_token" + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "items": { + "enum": [ + "access_token", + "id_token", + "introspection", + "refresh_token", + "tokens" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "logout_methods": { + "default": [ + "DELETE", + "POST" + ], + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "items": { + "enum": [ + "DELETE", + "GET", + "POST" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "logout_post_arg": { + "description": "The request body argument that activates the logout.", + "type": "string" + }, + "logout_query_arg": { + "description": "The request query argument that activates the logout.", + "type": "string" + }, + 
"logout_redirect_uri": { + "description": "Where to redirect the client after the logout.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "logout_revoke": { + "default": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "type": "boolean" + }, + "logout_revoke_access_token": { + "default": true, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_revoke_refresh_token": { + "default": true, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_uri_suffix": { + "description": "The request URI suffix that activates the logout.", + "type": "string" + }, + "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "type": "number" + }, + "mtls_introspection_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_revocation_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_token_endpoint": { + "description": "Alias for the token endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "no_proxy": { + "description": "Do not use proxy with these hosts.", + "type": "string" + }, + "password_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "preserve_query_args": { + "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "type": "boolean" + }, + "proof_of_possession_auth_methods_validation": { + "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "type": "boolean" + }, + "proof_of_possession_dpop": { + "default": "off", + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "proof_of_possession_mtls": { + "default": "off", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. 
If the verification fails, the request will be rejected with 401.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "pushed_authorization_request_endpoint": { + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "pushed_authorization_request_endpoint_auth_method": { + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "redirect_uri": { + "description": "The redirect URI passed to the authorization and token endpoints.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "description": "The Redis session key prefix.", + "type": "string" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "socket": { + "description": "The Redis unix socket path.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "rediscovery_lifetime": { + "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", + "type": "number" + }, + "refresh_token_param_name": { + "description": "The name of the parameter used to pass the refresh token.", + "type": "string" + }, + "refresh_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "refresh_tokens": { + "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "type": "boolean" + }, + "require_proof_key_for_code_exchange": { + "description": "Forcibly enable or disable the proof key for code exchange. 
When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "type": "boolean" + }, + "require_pushed_authorization_requests": { + "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "type": "boolean" + }, + "require_signed_request_object": { + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "type": "boolean" + }, + "resolve_distributed_claims": { + "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. 
If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "type": "boolean" + }, + "response_mode": { + "default": "query", + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "enum": [ + "form_post", + "form_post.jwt", + "fragment", + "fragment.jwt", + "jwt", + "query", + "query.jwt" + ], + "type": "string" + }, + "response_type": { + "default": [ + "code" + ], + "description": "The response type passed to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "reverify": { + "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", + "type": "boolean" + }, + "revocation_endpoint": { + "description": "The revocation endpoint. 
If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "revocation_endpoint_auth_method": { + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "revocation_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for revocation.", + "type": "string" + }, + "roles_claim": { + "default": [ + "roles" + ], + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "roles_required": { + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "run_on_preflight": { + "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "type": "boolean" + }, + "scopes": { + "default": [ + "openid" + ], + "description": "The scopes passed to the authorization and token endpoints.", + "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "scopes_claim": { + "default": [ + "scope" + ], + "description": "The claim that contains the scopes. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "scopes_required": { + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "search_user_info": { + "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "type": "boolean" + }, + "session_absolute_timeout": { + "default": 86400, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_audience": { + "default": "default", + "description": "The session audience, which is the intended target application. 
For example `\"my-application\"`.", + "type": "string" + }, + "session_cookie_domain": { + "description": "The session cookie Domain flag.", + "type": "string" + }, + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "type": "string" + }, + "session_cookie_path": { + "default": "/", + "description": "The session cookie Path flag.", + "type": "string" + }, + "session_cookie_same_site": { + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean" + }, + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean" + }, + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "type": "boolean" + }, + "session_idling_timeout": { + "default": 900, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 
0 disables the checks and touching.", + "type": "number" + }, + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "type": "string" + }, + "session_memcached_port": { + "default": 11211, + "description": "The memcached port.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "type": "string" + }, + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "type": "string" + }, + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean" + }, + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string" + }, + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "type": "number" + }, + "session_request_headers": { + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "session_response_headers": { + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. 
`[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "session_rolling_timeout": { + "default": 3600, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number" + }, + "session_secret": { + "description": "The session secret.", + "type": "string" + }, + "session_storage": { + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "enum": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "type": "string" + }, + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "Verify identity provider server certificate. 
If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network IO timeout in milliseconds.", + "type": "number" + }, + "tls_client_auth_cert_id": { + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "type": "string", + "uuid": true + }, + "tls_client_auth_ssl_verify": { + "default": true, + "description": "Verify identity provider server certificate during mTLS client authentication.", + "type": "boolean" + }, + "token_cache_key_include_scope": { + "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean" + }, + "token_endpoint": { + "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "token_endpoint_auth_method": { + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "token_exchange_endpoint": { + "description": "The token exchange endpoint.", + "type": "string" + }, + "token_headers_client": { + "description": "Extra headers passed from the client to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_grants": { + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - 
`client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "password", + "refresh_token" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_names": { + "description": "Extra header names passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "type": "string" + }, + "token_headers_replay": { + "description": "The names of token endpoint response headers to forward to the downstream client.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_values": { + "description": "Extra header values passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_post_args_client": { + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. 
If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_post_args_names": { + "description": "Extra post argument names passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_post_args_values": { + "description": "Extra post argument values passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "unauthorized_destroy_session": { + "default": true, + "description": "Destroy any active session for the unauthorized requests.", + "type": "boolean" + }, + "unauthorized_error_message": { + "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection).", + "type": "string" + }, + "unauthorized_redirect_uri": { + "description": "Where to redirect the client on unauthorized requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "unexpected_redirect_uri": { + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "upstream_access_token_header": { + "default": "authorization:bearer", + "description": "The upstream access token header.", + "type": "string" + }, + "upstream_access_token_jwk_header": { + "description": "The upstream 
access token JWK header.", + "type": "string" + }, + "upstream_headers_claims": { + "description": "The upstream header claims. Only top level claims are supported.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "upstream_headers_names": { + "description": "The upstream header names for the claim values.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "upstream_id_token_header": { + "description": "The upstream id token header.", + "type": "string" + }, + "upstream_id_token_jwk_header": { + "description": "The upstream id token JWK header.", + "type": "string" + }, + "upstream_introspection_header": { + "description": "The upstream introspection header.", + "type": "string" + }, + "upstream_introspection_jwt_header": { + "description": "The upstream introspection JWT header.", + "type": "string" + }, + "upstream_refresh_token_header": { + "description": "The upstream refresh token header.", + "type": "string" + }, + "upstream_session_id_header": { + "description": "The upstream session id header.", + "type": "string" + }, + "upstream_user_info_header": { + "description": "The upstream user info header.", + "type": "string" + }, + "upstream_user_info_jwt_header": { + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "userinfo_accept": { + "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt" + ], + "type": "string" + }, + "userinfo_endpoint": { + "description": "The user info endpoint. 
If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "userinfo_headers_client": { + "description": "Extra headers passed from the client to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_names": { + "description": "Extra header names passed to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_values": { + "description": "Extra header values passed to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_client": { + "description": "Extra query arguments passed from the client to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_names": { + "description": "Extra query argument names passed to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_values": { + "description": "Extra query argument values passed to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "using_pseudo_issuer": { + "default": false, + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "type": "boolean" + }, + "verify_claims": { + "default": true, + "description": "Verify tokens for standard claims.", + "type": "boolean" + }, + "verify_nonce": { + "default": true, + "description": "Verify nonce on authorization code flow.", + "type": "boolean" + }, + "verify_parameters": { + "default": false, + "description": "Verify plugin configuration against discovery.", + "type": "boolean" + }, + "verify_signature": { + "default": true, + "description": "Verify signature of tokens.", + "type": "boolean" + } + }, + "required": [ + "cluster_cache_redis", + "issuer", + "redis" + ], + "type": "object" + }, + "strategy_id": { + "description": "The strategy id the config is tied to.", + "type": "string" + } + }, + "required": [ + "strategy_id" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ldap-auth-advanced/3.11.json b/json_schemas/ldap-auth-advanced/3.11.json new file mode 100644 index 00000000..d4ce271e --- /dev/null +++ b/json_schemas/ldap-auth-advanced/3.11.json 
@@ -0,0 +1,193 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "default": "", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "minLength": 0, + "type": "string" + }, + "attribute": { + "description": "Attribute to be used to search the user; e.g., \"cn\".", + "type": "string" + }, + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", + "type": "string" + }, + "bind_dn": { + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", + "items": { + "enum": [ + "custom_id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_optional": { + "default": false, + "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", + "type": "boolean" + }, + "group_base_dn": { + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", + "type": "string" + }, + "group_member_attribute": { + "default": "memberOf", + "description": "Sets the attribute holding the members of the LDAP group. 
This field is case-sensitive.", + "type": "string" + }, + "group_name_attribute": { + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", + "type": "string" + }, + "groups_required": { + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "header_type": { + "default": "ldap", + "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. 
It will be removed by Kong before proxying the request.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" + }, + "ldap_host": { + "description": "Host on which the LDAP server is running.", + "type": "string" + }, + "ldap_password": { + "description": "The password to the LDAP server.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "ldap_port": { + "default": 389, + "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", + "type": "number" + }, + "ldaps": { + "default": false, + "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "type": "boolean" + }, + "log_search_results": { + "default": false, + "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", + "type": "boolean" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "start_tls": { + "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. 
If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" + }, + "verify_ldap_host": { + "default": false, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/ldap-auth/3.11.json b/json_schemas/ldap-auth/3.11.json new file mode 100644 index 00000000..e4d24f03 
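Review bot: `ldaps`, `start_tls` and `verify_ldap_host` all default to `false` in `config`, so a plugin created with the defaults sends the `bind_dn`/`ldap_password` bind, and presumably the credentials being checked, to `ldap_host` without TLS and without authenticating the server; none of the three descriptions says so. The `verify_ldap_host` description is the natural place for it, for example by appending `When false, the server certificate is not checked, so ldaps or start_tls encrypt the connection without authenticating the LDAP server.` The `ldaps` description also refers to an `ldap` setting that this schema does not define (presumably `ldaps` is meant), and the `group_base_dn` description ends in the stray fragment `',dc=com'.`, which looks like a truncated example. The same three defaults and the same `ldap` wording are in the `json_schemas/ldap-auth/3.11.json` hunk that follows.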
--- /dev/null
+++ b/json_schemas/ldap-auth/3.11.json
@@ -0,0 +1,134 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`.", + "type": "string" + }, + "attribute": { + "description": "Attribute to be used to search the user; e.g. cn", + "type": "string" + }, + "base_dn": { + "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", + "type": "string" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "header_type": { + "default": "ldap", + "description": "An optional string to use as part of the Authorization header", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "type": "boolean" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "type": "number" + }, + "ldap_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "ldap_port": { + "default": 389, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "ldaps": { + "default": false, + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. 
If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "type": "boolean" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "start_tls": { + "default": false, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "type": "number" + }, + "verify_ldap_host": { + "default": false, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/loggly/3.11.json b/json_schemas/loggly/3.11.json new file mode 100644 index 00000000..7a26a98b --- /dev/null +++ b/json_schemas/loggly/3.11.json 
@@ -0,0 +1,176 @@ +{ + "properties": { + "config": { + "properties": { + "client_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "host": { + "default": "logs-01.loggly.com", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "key": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "log_level": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "port": { + "default": 514, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "server_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "successful_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "tags": { + "default": [ + "kong" + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "timeout": { + "default": 10000, + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/mocking/3.11.json b/json_schemas/mocking/3.11.json new file mode 100644 index 00000000..ceb3d3a9 --- /dev/null +++ b/json_schemas/mocking/3.11.json 
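Review bot: `custom_fields_by_lua` is an open map (`"additionalProperties": true`) whose values are Lua source, yet its description, `Lua code as a key-value map`, does not say that the code is run by the gateway or under which restrictions. Whoever can write this plugin's configuration can therefore supply code, presumably subject to the gateway's `untrusted_lua` setting, and the description should say so, e.g. `Lua code as a key-value map; each value is evaluated by the gateway to produce the field, so restrict who may edit this plugin.` `key` has the opposite gap: its description carries only the vault-reference sentence and never says what the key is. The four severity/level fields, `tags` and `timeout` have no description at all.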
@@ -0,0 +1,128 @@ +{ + "properties": { + "config": { + "properties": { + "api_specification": { + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", + "type": "string" + }, + "api_specification_filename": { + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", + "type": "string" + }, + "custom_base_path": { + "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", + "type": "string" + }, + "include_base_path": { + "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation.", + "type": "boolean" + }, + "included_status_codes": { + "description": "A global list of the HTTP status codes that can only be selected and returned.", + "items": { + "required": [ + + ], + "type": "integer" + }, + "type": "array" + }, + "max_delay_time": { + "default": 1, + "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", + "type": "number" + }, + "min_delay_time": { + "default": 0.001, + "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`.", + "type": "number" + }, + "random_delay": { + "default": false, + "description": "Enables a random delay in the mocked response. 
Introduces delays to simulate real-time response times by APIs.", + "type": "boolean" + }, + "random_examples": { + "default": false, + "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", + "type": "boolean" + }, + "random_status_code": { + "default": false, + "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/mtls-auth/3.11.json b/json_schemas/mtls-auth/3.11.json new file mode 100644 index 00000000..0fae0bda --- /dev/null +++ b/json_schemas/mtls-auth/3.11.json 
@@ -0,0 +1,169 @@ +{ + "properties": { + "config": { + "properties": { + "allow_partial_chain": { + "default": false, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "type": "boolean" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "authenticated_group_by": { + "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", + "enum": [ + "CN", + "DN" + ], + "type": "string" + }, + "ca_certificates": { + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. 
The value of this array is comprised of primary keys (`id`).", + "items": { + "required": [ + + ], + "type": "string", + "uuid": true + }, + "type": "array" + }, + "cache_ttl": { + "default": 60, + "description": "Cache expiry time in seconds.", + "type": "number" + }, + "cert_cache_ttl": { + "default": 60000, + "description": "The length of time in seconds between refreshes of the revocation check status cache.", + "type": "number" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", + "items": { + "enum": [ + "custom_id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "default_consumer": { + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "http_timeout": { + "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", + "type": "number" + }, + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "revocation_check_mode": { + "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. 
If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", + "enum": [ + "IGNORE_CA_ERROR", + "SKIP", + "STRICT" + ], + "type": "string" + }, + "send_ca_dn": { + "default": false, + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", + "type": "boolean" + }, + "skip_consumer_lookup": { + "default": false, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/oas-validation/3.11.json b/json_schemas/oas-validation/3.11.json new file mode 100644 index 00000000..1e421781 --- /dev/null +++ b/json_schemas/oas-validation/3.11.json 
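Review bot: `cert_cache_ttl` pairs `"default": 60000` with a description that gives the unit as seconds, which would keep a revocation result cached for more than sixteen hours, while `cache_ttl` next to it is `60` seconds and `http_timeout` is `30000` milliseconds. Either the default or the stated unit is probably wrong; if the unit is milliseconds the description should read `The length of time in milliseconds between refreshes of the revocation check status cache.` The unit matters because it bounds how long a revoked client certificate can still be accepted. Related to this, the default `revocation_check_mode` of `IGNORE_CA_ERROR` is described as not failing on network issues, so revocation checking fails open by default; the description could state that `STRICT` is the value that fails closed.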
@@ -0,0 +1,149 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_header_parameters": { + "default": "Host,Content-Type,User-Agent,Accept,Content-Length", + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", + "type": "string" + }, + "api_spec": { + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format.", + "type": "string" + }, + "api_spec_encoded": { + "default": true, + "description": "Indicates whether the api_spec is URI-Encoded.", + "type": "boolean" + }, + "custom_base_path": { + "description": "The base path to be used for path match evaluation. 
This value is ignored if `include_base_path` is set to `false`.", + "type": "string" + }, + "header_parameter_check": { + "default": false, + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", + "type": "boolean" + }, + "include_base_path": { + "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation.", + "type": "boolean" + }, + "notify_only_request_validation_failure": { + "default": false, + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", + "type": "boolean" + }, + "notify_only_response_body_validation_failure": { + "default": false, + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", + "type": "boolean" + }, + "query_parameter_check": { + "default": false, + "description": "If set to true, checks if query parameters in the request exist in the API specification.", + "type": "boolean" + }, + "validate_request_body": { + "default": true, + "description": "If set to true, validates the request body content against the API specification.", + "type": "boolean" + }, + "validate_request_header_params": { + "default": true, + "description": "If set to true, validates HTTP header parameters against the API specification.", + "type": "boolean" + }, + "validate_request_query_params": { + "default": true, + "description": "If set to true, validates query parameters against the API specification.", + "type": "boolean" + }, + "validate_request_uri_params": { + "default": true, + "description": "If set to true, validates URI parameters in the request against the API specification.", + "type": "boolean" + }, + "validate_response_body": { + "default": false, + "description": "If set to true, validates the response from the upstream services against the API specification. 
If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", + "type": "boolean" + }, + "verbose_response": { + "default": false, + "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/oauth2-introspection/3.11.json b/json_schemas/oauth2-introspection/3.11.json new file mode 100644 index 00000000..482e4d6e --- /dev/null 
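Review bot: The `config` object in this new schema does not set `additionalProperties`, while `consumer`, `route` and `service` in the same file all set it to `false`, so a misspelt option name passes validation against this file and the intended setting silently stays at its default. I would add `"additionalProperties": false` to `config`, and a `"type": "object"` at the top level, which is also missing. The same applies to the `config` objects in the oauth2-introspection, oauth2 and opa schemas added further down. If these files come out of a generator, the change belongs there rather than in the JSON.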
+++ b/json_schemas/oauth2-introspection/3.11.json 
@@ -0,0 +1,138 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "default": "", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "minLength": 0, + "type": "string" + }, + "authorization_value": { + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "consumer_by": { + "default": "username", + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", + "enum": [ + "client_id", + "username" + ], + "type": "string" + }, + "custom_claims_forward": { + "default": [ + + ], + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "custom_introspection_headers": { + "additionalProperties": true, + "description": "A list of custom headers to be added in the introspection request.", + "type": "object" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. 
It will be removed by Kong before proxying the request.", + "type": "boolean" + }, + "introspect_request": { + "default": false, + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", + "type": "boolean" + }, + "introspection_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "integer" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "integer" + }, + "token_type_hint": { + "description": "The `token_type_hint` value to associate to introspection requests.", + "type": "string" + }, + "ttl": { + "default": 30, + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/oauth2/3.11.json b/json_schemas/oauth2/3.11.json new file mode 100644 index 00000000..ccfd1b4a --- /dev/null +++ b/json_schemas/oauth2/3.11.json 
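Review bot: `introspection_url` is typed as a bare string with no `format` or scheme constraint, although the `authorization_value` description says that header usually carries the `client_id` and `client_secret` to this endpoint, so an `http://` value validates and would send those credentials, and presumably the token being introspected, in clear text. I would add `"format": "uri"` and state in the description that the URL should use `https://`. Separately, `anonymous` declares `"default": ""` while its description says "default null"; one of the two should be corrected.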
@@ -0,0 +1,165 @@ +{ + "properties": { + "config": { + "properties": { + "accept_http_if_already_terminated": { + "default": false, + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", + "type": "boolean" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" + }, + "auth_header_name": { + "default": "authorization", + "description": "The name of the header that is supposed to carry the access token.", + "type": "string" + }, + "enable_authorization_code": { + "default": false, + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", + "type": "boolean" + }, + "enable_client_credentials": { + "default": false, + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", + "type": "boolean" + }, + "enable_implicit_grant": { + "default": false, + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", + "type": "boolean" + }, + "enable_password_grant": { + "default": false, + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", + "type": "boolean" + }, + "global_credentials": { + "default": false, + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", + "type": "boolean" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "type": "boolean" + }, + "mandatory_scope": { + "default": false, + "description": "An 
optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", + "type": "boolean" + }, + "persistent_refresh_token": { + "default": false, + "type": "boolean" + }, + "pkce": { + "default": "lax", + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", + "enum": [ + "lax", + "none", + "strict" + ], + "type": "string" + }, + "provision_key": { + "description": "The unique key the plugin has generated when it has been added to the Service.", + "type": "string" + }, + "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "type": "string" + }, + "refresh_token_ttl": { + "default": 1209600, + "description": "Time-to-live value for data", + "maximum": 100000000, + "minimum": 0, + "type": "number" + }, + "reuse_refresh_token": { + "default": false, + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", + "type": "boolean" + }, + "scopes": { + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_expiration": { + "default": 7200, + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. 
For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/opa/3.11.json b/json_schemas/opa/3.11.json new file mode 100644 index 00000000..58dc36d0 --- /dev/null +++ b/json_schemas/opa/3.11.json 
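Review bot: The four grant descriptions (`enable_authorization_code`, `enable_client_credentials`, `enable_implicit_grant`, `enable_password_grant`) cite "RFC 6742", but the OAuth 2.0 Authorization Framework, whose sections 4.1 to 4.4 define these grants, is RFC 6749, so each should read `RFC 6749 Section 4.x`. `persistent_refresh_token` has no description at all and `refresh_token_ttl` only says "Time-to-live value for data", so an operator cannot tell from the schema what either one controls. Judging by the names, both govern how long a refresh token stays usable; each deserves a sentence, including the unit for `refresh_token_ttl`.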
@@ -0,0 +1,122 @@ +{ + "properties": { + "config": { + "properties": { + "include_body_in_opa_input": { + "default": false, + "type": "boolean" + }, + "include_consumer_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", + "type": "boolean" + }, + "include_parsed_json_body_in_opa_input": { + "default": false, + "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", + "type": "boolean" + }, + "include_route_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", + "type": "boolean" + }, + "include_service_in_opa_input": { + "default": false, + "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", + "type": "boolean" + }, + "include_uri_captures_in_opa_input": { + "default": false, + "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", + "type": "boolean" + }, + "opa_host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "opa_path": { + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "opa_port": { + "default": 8181, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "opa_protocol": { + "default": "http", + "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", + "enum": [ + "http", + "https" + ], + "type": "string" + }, + "ssl_verify": { + "default": true, + "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/openid-connect/3.11.json b/json_schemas/openid-connect/3.11.json new file mode 100644 index 00000000..3c83ad57 
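Review bot: `opa_protocol` defaults to `http`, so the `ssl_verify` default of `true` presumably has no effect until the operator also switches the protocol, and with any of the `include_*_in_opa_input` options enabled and a non-local `opa_host` the request data would travel to OPA unencrypted. The `opa_protocol` description should say so, for example `Use https when opa_host is not localhost; ssl_verify only applies to https.` `include_body_in_opa_input` is the only option in this schema without a description; going by its sibling `include_parsed_json_body_in_opa_input`, it could read `If set to true, the request body is included as input to OPA.`, to be confirmed against the plugin.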
--- /dev/null +++ b/json_schemas/openid-connect/3.11.json 
@@ -0,0 +1,2348 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "audience": { + "description": "The audience passed to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "audience_claim": { + "default": [ + "aud" + ], + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "audience_required": { + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "auth_methods": { + "default": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "description": "Types of credentials/grants to enable.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authenticated_groups_claim": { + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", + "type": "string" + }, + "authorization_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "authorization_cookie_name": { + "default": "authorization", + "description": "The authorization cookie name.", + "type": "string" + }, + "authorization_cookie_path": { + "default": "/", + "description": "The authorization cookie Path flag.", + "type": "string" + }, + "authorization_cookie_same_site": { + "default": "Default", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "authorization_endpoint": { + "description": "The authorization endpoint. 
If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "authorization_query_args_client": { + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_names": { + "description": "Extra query argument names passed to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authorization_query_args_values": { + "description": "Extra query argument values passed to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "authorization_rolling_timeout": { + "default": 600, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number" + }, + "bearer_token_cookie_name": { + "description": "The name of the cookie in which the bearer token is passed.", + "type": "string" + }, + "bearer_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", + "items": { + "enum": [ + "body", + "cookie", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "by_username_ignore_case": { + "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "type": "boolean" + }, + "cache_introspection": { + "default": true, + "description": "Cache the introspection endpoint 
requests.", + "type": "boolean" + }, + "cache_token_exchange": { + "default": true, + "description": "Cache the token exchange endpoint requests.", + "type": "boolean" + }, + "cache_tokens": { + "default": true, + "description": "Cache the token endpoint requests.", + "type": "boolean" + }, + "cache_tokens_salt": { + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "type": "string" + }, + "cache_ttl": { + "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "type": "number" + }, + "cache_ttl_max": { + "description": "The maximum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_min": { + "description": "The minimum cache ttl in seconds (enforced).", + "type": "number" + }, + "cache_ttl_neg": { + "description": "The negative cache ttl in seconds.", + "type": "number" + }, + "cache_ttl_resurrect": { + "description": "The resurrection ttl in seconds.", + "type": "number" + }, + "cache_user_info": { + "default": true, + "description": "Cache the user info requests.", + "type": "boolean" + }, + "claims_forbidden": { + "description": "If given, these claims are forbidden in the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_alg": { + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "items": { + "enum": [ + "ES256", + "ES384", + "ES512", + "EdDSA", + "HS256", + "HS384", + "HS512", + "PS256", + "PS384", + "PS512", + "RS256", + "RS384", + "RS512" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_arg": { + "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "type": "string" + }, + "client_auth": { + "description": "The default OpenID Connect client 
authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "items": { + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_credentials_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_jwk": { + "description": "The JWK used for the private_key_jwt authentication.", + "items": { + "properties": { + "alg": { + "type": "string" + }, + "crv": { + "type": "string" + }, + "d": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "dp": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "dq": { + "description": "This field is 
[referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "e": { + "type": "string" + }, + "issuer": { + "type": "string" + }, + "k": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "key_ops": { + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "kid": { + "type": "string" + }, + "kty": { + "type": "string" + }, + "n": { + "type": "string" + }, + "oth": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "p": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "q": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "qi": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "r": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "t": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "use": { + "type": "string" + }, + "x": { + "type": "string" + }, + "x5c": { + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "x5t": { + "type": "string" + }, + "x5t#S256": { + "type": "string" + }, + "x5u": { + "type": "string" + }, + "y": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "type": "array" + }, + "client_secret": { + "description": "The client secret.", + "items": { + "description": "This field is 
[referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "cluster_cache_redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. 
Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "cluster_cache_strategy": { + "default": "off", + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", + "enum": [ + "off", + "redis" + ], + "type": "string" + }, + "consumer_by": { + "default": [ + "custom_id", + "username" + ], + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", + "items": { + "enum": [ + "custom_id", + "id", + "username" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_claim": { + "description": "The claim used for consumer mapping. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_optional": { + "default": false, + "description": "Do not terminate the request if consumer mapping fails.", + "type": "boolean" + }, + "credential_claim": { + "default": [ + "sub" + ], + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "disable_session": { + "description": "Disable issuing the session cookie with the specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_names": { + "description": "Extra header names passed to the discovery endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "discovery_headers_values": { + "description": "Extra header values passed to the discovery endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "display_errors": { + "default": false, + "description": "Display errors on failure responses.", + "type": "boolean" + }, + "domains": { + "description": "The allowed values for the `hd` claim.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "downstream_access_token_header": { + "description": "The downstream access token header.", + "type": "string" + }, + "downstream_access_token_jwk_header": { + "description": "The downstream access token JWK header.", + "type": "string" + }, + 
"downstream_headers_claims": { + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "downstream_headers_names": { + "description": "The downstream header names for the claim values.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "downstream_id_token_header": { + "description": "The downstream id token header.", + "type": "string" + }, + "downstream_id_token_jwk_header": { + "description": "The downstream id token JWK header.", + "type": "string" + }, + "downstream_introspection_header": { + "description": "The downstream introspection header.", + "type": "string" + }, + "downstream_introspection_jwt_header": { + "description": "The downstream introspection JWT header.", + "type": "string" + }, + "downstream_refresh_token_header": { + "description": "The downstream refresh token header.", + "type": "string" + }, + "downstream_session_id_header": { + "description": "The downstream session id header.", + "type": "string" + }, + "downstream_user_info_header": { + "description": "The downstream user info header.", + "type": "string" + }, + "downstream_user_info_jwt_header": { + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "dpop_proof_lifetime": { + "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", + "type": "number" + }, + "dpop_use_nonce": { + "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. 
When enabled it will also be used to calculate the DPoP proof lifetime.", + "type": "boolean" + }, + "enable_hs_signatures": { + "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "type": "boolean" + }, + "end_session_endpoint": { + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "expose_error_code": { + "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", + "type": "boolean" + }, + "extra_jwks_uris": { + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "forbidden_destroy_session": { + "default": true, + "description": "Destroy any active session for the forbidden requests.", + "type": "boolean" + }, + "forbidden_error_message": { + "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection).", + "type": "string" + }, + "forbidden_redirect_uri": { + "description": "Where to redirect the client on forbidden requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "groups_claim": { + "default": [ + "groups" + ], + "description": "The claim that contains the groups. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "groups_required": { + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "hide_credentials": { + "default": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "type": "boolean" + }, + "http_proxy": { + "description": "The HTTP proxy.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The HTTP proxy authorization.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The HTTPS proxy.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The HTTPS proxy authorization.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "id_token_param_name": { + "description": "The name of the parameter used to pass the id token.", + "type": "string" + }, + "id_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": 
[ + + ], + "type": "string" + }, + "type": "array" + }, + "ignore_signature": { + "default": [ + + ], + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "introspection", + "password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspect_jwt_tokens": { + "default": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "type": "boolean" + }, + "introspection_accept": { + "default": "application/json", + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt", + "application/token-introspection+jwt" + ], + "type": "string" + }, + "introspection_check_active": { + "default": true, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "type": "boolean" + }, + "introspection_endpoint": { + "description": "The introspection endpoint. 
If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "introspection_endpoint_auth_method": { + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "introspection_headers_client": { + "description": "Extra headers passed from the client to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_names": { + "description": "Extra header names passed to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_headers_values": { + "description": "Extra header values passed to the introspection endpoint.", + "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_hint": { + "default": "access_token", + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "type": "string" + }, + "introspection_post_args_client": { + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_client_headers": { + "description": "Extra post arguments passed from the client headers to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_names": { + "description": "Extra 
post argument names passed to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_post_args_values": { + "description": "Extra post argument values passed to the introspection endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "introspection_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for introspection.", + "type": "string" + }, + "issuer": { + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "type": "string" + }, + "issuers_allowed": { + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "jwt_session_claim": { + "default": "sid", + "description": "The claim to match against the JWT session cookie.", + "type": "string" + }, + "jwt_session_cookie": { + "description": "The name of the JWT session cookie.", + "type": "string" + }, + "keepalive": { + "default": true, + "description": "Use keepalive with the HTTP client.", + "type": "boolean" + }, + "leeway": { + "default": 0, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "type": "number" + }, + "login_action": { + "default": "upstream", + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "enum": [ + "redirect", + "response", + "upstream" + ], + "type": "string" + }, + "login_methods": { + "default": [ + "authorization_code" + ], + "description": "Enable login functionality with specified grants.", + "items": { + "enum": [ + "authorization_code", + "bearer", + "client_credentials", + "introspection", + "kong_oauth2", + 
"password", + "refresh_token", + "session", + "userinfo" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "login_redirect_mode": { + "default": "fragment", + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "enum": [ + "fragment", + "query" + ], + "type": "string" + }, + "login_redirect_uri": { + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "login_tokens": { + "default": [ + "id_token" + ], + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", + "items": { + "enum": [ + "access_token", + "id_token", + "introspection", + "refresh_token", + "tokens" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "logout_methods": { + "default": [ + "DELETE", + "POST" + ], + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", + "items": { + "enum": [ + "DELETE", + "GET", + "POST" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "logout_post_arg": { + "description": "The request body argument that activates the logout.", + "type": "string" + }, + "logout_query_arg": { + "description": "The request query argument that activates the logout.", + "type": "string" + }, + 
"logout_redirect_uri": { + "description": "Where to redirect the client after the logout.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "logout_revoke": { + "default": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "type": "boolean" + }, + "logout_revoke_access_token": { + "default": true, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_revoke_refresh_token": { + "default": true, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "type": "boolean" + }, + "logout_uri_suffix": { + "description": "The request URI suffix that activates the logout.", + "type": "string" + }, + "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "type": "number" + }, + "mtls_introspection_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_revocation_endpoint": { + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "mtls_token_endpoint": { + "description": "Alias for the token endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "type": "string" + }, + "no_proxy": { + "description": "Do not use proxy with these hosts.", + "type": "string" + }, + "password_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "preserve_query_args": { + "default": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "type": "boolean" + }, + "proof_of_possession_auth_methods_validation": { + "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "type": "boolean" + }, + "proof_of_possession_dpop": { + "default": "off", + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "proof_of_possession_mtls": { + "default": "off", + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. 
If the verification fails, the request will be rejected with 401.", + "enum": [ + "off", + "optional", + "strict" + ], + "type": "string" + }, + "pushed_authorization_request_endpoint": { + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "pushed_authorization_request_endpoint_auth_method": { + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "redirect_uri": { + "description": "The redirect URI passed to the authorization and token endpoints.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "description": "The Redis session key prefix.", + "type": "string" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "socket": { + "description": "The Redis unix socket path.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "rediscovery_lifetime": { + "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", + "type": "number" + }, + "refresh_token_param_name": { + "description": "The name of the parameter used to pass the refresh token.", + "type": "string" + }, + "refresh_token_param_type": { + "default": [ + "body", + "header", + "query" + ], + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", + "items": { + "enum": [ + "body", + "header", + "query" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "refresh_tokens": { + "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "type": "boolean" + }, + "require_proof_key_for_code_exchange": { + "description": "Forcibly enable or disable the proof key for code exchange. 
When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "type": "boolean" + }, + "require_pushed_authorization_requests": { + "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "type": "boolean" + }, + "require_signed_request_object": { + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "type": "boolean" + }, + "resolve_distributed_claims": { + "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. 
If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "type": "boolean" + }, + "response_mode": { + "default": "query", + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "enum": [ + "form_post", + "form_post.jwt", + "fragment", + "fragment.jwt", + "jwt", + "query", + "query.jwt" + ], + "type": "string" + }, + "response_type": { + "default": [ + "code" + ], + "description": "The response type passed to the authorization endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "reverify": { + "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", + "type": "boolean" + }, + "revocation_endpoint": { + "description": "The revocation endpoint. 
If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "revocation_endpoint_auth_method": { + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "revocation_token_param_name": { + "default": "token", + "description": "Designate token's parameter name for revocation.", + "type": "string" + }, + "roles_claim": { + "default": [ + "roles" + ], + "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "roles_required": { + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "run_on_preflight": { + "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "type": "boolean" + }, + "scopes": { + "default": [ + "openid" + ], + "description": "The scopes passed to the authorization and token endpoints.", + "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "scopes_claim": { + "default": [ + "scope" + ], + "description": "The claim that contains the scopes. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "scopes_required": { + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "search_user_info": { + "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "type": "boolean" + }, + "session_absolute_timeout": { + "default": 86400, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_audience": { + "default": "default", + "description": "The session audience, which is the intended target application. 
For example `\"my-application\"`.", + "type": "string" + }, + "session_cookie_domain": { + "description": "The session cookie Domain flag.", + "type": "string" + }, + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "type": "string" + }, + "session_cookie_path": { + "default": "/", + "description": "The session cookie Path flag.", + "type": "string" + }, + "session_cookie_same_site": { + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean" + }, + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean" + }, + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "type": "boolean" + }, + "session_idling_timeout": { + "default": 900, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 
0 disables the checks and touching.", + "type": "number" + }, + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "type": "string" + }, + "session_memcached_port": { + "default": 11211, + "description": "The memcached port.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "type": "string" + }, + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "type": "string" + }, + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean" + }, + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number" + }, + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string" + }, + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "type": "number" + }, + "session_request_headers": { + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "session_response_headers": { + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. 
`[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "session_rolling_timeout": { + "default": 3600, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number" + }, + "session_secret": { + "description": "The session secret.", + "type": "string" + }, + "session_storage": { + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "enum": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "type": "string" + }, + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "Verify identity provider server certificate. 
If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network IO timeout in milliseconds.", + "type": "number" + }, + "tls_client_auth_cert_id": { + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "type": "string", + "uuid": true + }, + "tls_client_auth_ssl_verify": { + "default": true, + "description": "Verify identity provider server certificate during mTLS client authentication.", + "type": "boolean" + }, + "token_cache_key_include_scope": { + "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", + "type": "boolean" + }, + "token_endpoint": { + "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "token_endpoint_auth_method": { + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none", + "private_key_jwt", + "self_signed_tls_client_auth", + "tls_client_auth" + ], + "type": "string" + }, + "token_exchange_endpoint": { + "description": "The token exchange endpoint.", + "type": "string" + }, + "token_headers_client": { + "description": "Extra headers passed from the client to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_grants": { + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - 
`client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", + "items": { + "enum": [ + "authorization_code", + "client_credentials", + "password", + "refresh_token" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_names": { + "description": "Extra header names passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "type": "string" + }, + "token_headers_replay": { + "description": "The names of token endpoint response headers to forward to the downstream client.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_headers_values": { + "description": "Extra header values passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_post_args_client": { + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. 
If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_post_args_names": { + "description": "Extra post argument names passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "token_post_args_values": { + "description": "Extra post argument values passed to the token endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "unauthorized_destroy_session": { + "default": true, + "description": "Destroy any active session for the unauthorized requests.", + "type": "boolean" + }, + "unauthorized_error_message": { + "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection).", + "type": "string" + }, + "unauthorized_redirect_uri": { + "description": "Where to redirect the client on unauthorized requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "unexpected_redirect_uri": { + "description": "Where to redirect the client when unexpected errors happen with the requests.", + "items": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "upstream_access_token_header": { + "default": "authorization:bearer", + "description": "The upstream access token header.", + "type": "string" + }, + "upstream_access_token_jwk_header": { + "description": "The upstream 
access token JWK header.", + "type": "string" + }, + "upstream_headers_claims": { + "description": "The upstream header claims. Only top level claims are supported.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "upstream_headers_names": { + "description": "The upstream header names for the claim values.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "upstream_id_token_header": { + "description": "The upstream id token header.", + "type": "string" + }, + "upstream_id_token_jwk_header": { + "description": "The upstream id token JWK header.", + "type": "string" + }, + "upstream_introspection_header": { + "description": "The upstream introspection header.", + "type": "string" + }, + "upstream_introspection_jwt_header": { + "description": "The upstream introspection JWT header.", + "type": "string" + }, + "upstream_refresh_token_header": { + "description": "The upstream refresh token header.", + "type": "string" + }, + "upstream_session_id_header": { + "description": "The upstream session id header.", + "type": "string" + }, + "upstream_user_info_header": { + "description": "The upstream user info header.", + "type": "string" + }, + "upstream_user_info_jwt_header": { + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", + "type": "string" + }, + "userinfo_accept": { + "default": "application/json", + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "enum": [ + "application/json", + "application/jwt" + ], + "type": "string" + }, + "userinfo_endpoint": { + "description": "The user info endpoint. 
If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", + "type": "string" + }, + "userinfo_headers_client": { + "description": "Extra headers passed from the client to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_names": { + "description": "Extra header names passed to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_headers_values": { + "description": "Extra header values passed to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_client": { + "description": "Extra query arguments passed from the client to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_names": { + "description": "Extra query argument names passed to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "userinfo_query_args_values": { + "description": "Extra query argument values passed to the user info endpoint.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "using_pseudo_issuer": { + "default": false, + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "type": "boolean" + }, + "verify_claims": { + "default": true, + "description": "Verify tokens for standard claims.", + "type": "boolean" + }, + "verify_nonce": { + "default": true, + "description": "Verify nonce on authorization code flow.", + "type": "boolean" + }, + "verify_parameters": { + "default": false, + "description": "Verify plugin configuration against discovery.", + "type": "boolean" + }, + "verify_signature": { + "default": true, + "description": "Verify signature of tokens.", + "type": "boolean" + } + }, + "required": [ + + ], + "shorthand_fields": { + "authorization_cookie_httponly": { + "type": "boolean" + }, + "authorization_cookie_lifetime": { + "type": "number" + }, + "authorization_cookie_samesite": { + "type": "string" + }, + "session_compressor": { + "type": "string" + }, + "session_cookie_httponly": { + "type": "boolean" + }, + "session_cookie_idletime": { + "type": "number" + }, + "session_cookie_lifetime": { + "type": "number" + }, + "session_cookie_maxsize": { + "type": "integer" + }, + "session_cookie_renew": { + "type": "number" + }, + "session_cookie_samesite": { + "type": "string" + }, + "session_memcache_host": { + "type": "string" + }, + "session_memcache_port": { + "type": "integer" + }, + "session_memcache_prefix": { + "type": "string" + }, + "session_memcache_socket": { + "type": "string" + }, + "session_redis_cluster_max_redirections": { + "type": "integer" + }, + "session_redis_cluster_nodes": { + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + 
"session_redis_connect_timeout": { + "type": "integer" + }, + "session_redis_host": { + "type": "string" + }, + "session_redis_password": { + "type": "string" + }, + "session_redis_port": { + "type": "integer" + }, + "session_redis_prefix": { + "type": "string" + }, + "session_redis_read_timeout": { + "type": "integer" + }, + "session_redis_send_timeout": { + "type": "integer" + }, + "session_redis_server_name": { + "type": "string" + }, + "session_redis_socket": { + "type": "string" + }, + "session_redis_ssl": { + "type": "boolean" + }, + "session_redis_ssl_verify": { + "type": "boolean" + }, + "session_redis_username": { + "type": "string" + }, + "session_strategy": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/opentelemetry/3.11.json b/json_schemas/opentelemetry/3.11.json new file mode 100644 index 00000000..fae04180 --- /dev/null +++ b/json_schemas/opentelemetry/3.11.json 
@@ -0,0 +1,292 @@ +{ + "properties": { + "config": { + "properties": { + "batch_flush_delay": { + "description": "The delay, in seconds, between two consecutive batches.", + "type": "integer" + }, + "batch_span_count": { + "description": "The number of spans to be sent in a single batch.", + "type": "integer" + }, + "connect_timeout": { + "default": 1000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "header_type": { + "default": "preserve", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "ignore", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "type": "string" + }, + "headers": { + "additionalProperties": true, + "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", + "type": "object" + }, + "http_response_header_for_traceid": { + "type": "string" + }, + "logs_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "propagation": { + "default": { + "default_format": "w3c" + }, + "properties": { + "clear": { + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. 
If left empty, no headers are cleared.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "default_format": { + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "type": "string" + }, + "extract": { + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "items": { + "enum": [ + "aws", + "b3", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "inject": { + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "items": { + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "default_format" + ], + "type": "object" + }, + "queue": { + "default": { + "max_batch_size": 200 + }, + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. 
-1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "resource_attributes": { + "additionalProperties": true, + "type": "object" + }, + "sampling_rate": { + "description": "Tracing sampling rate for configuring the probability-based sampler. 
When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "traces_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/post-function/3.11.json b/json_schemas/post-function/3.11.json new file mode 100644 index 00000000..fda803ac --- /dev/null +++ b/json_schemas/post-function/3.11.json 
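Review bot: The `headers` property is described as the place for the APM backend's authentication token, but it is declared only as `"additionalProperties": true, "type": "object"`, and unlike `traces_endpoint`, `logs_endpoint` and the `endpoint` shorthand its description carries no vault-reference note. If the header values can be vault references, the description should say so, so operators do not keep the token in plain text in the plugin config; if they cannot, that limitation is worth stating. Assuming the values are always strings, the map could also be constrained with `"additionalProperties": { "type": "string" }`. Separately, `header_type`, `http_response_header_for_traceid` and `resource_attributes` have no `description`, and the `consumer` description reads "where the specified has been authenticated", which is missing a word (presumably "Consumer").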
@@ -0,0 +1,190 @@ +{ + "properties": { + "config": { + "properties": { + "access": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "body_filter": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "certificate": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "header_filter": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "log": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "rewrite": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_client_frame": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_close": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_handshake": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_upstream_frame": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/pre-function/3.11.json b/json_schemas/pre-function/3.11.json new file mode 100644 index 00000000..fda803ac --- /dev/null +++ b/json_schemas/pre-function/3.11.json 
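Review bot: None of the ten `config` properties (`access`, `body_filter`, `certificate`, `header_filter`, `log`, `rewrite` and the four `ws_*` entries) has a `description`; each is only an array of unconstrained strings. For this plugin those strings are Lua code that the gateway runs in the named phase, so the schema gives no hint that write access to this config amounts to code execution on the gateway. I would add a description to each property, for example `"description": "Lua code to run during the access phase; treat write access to this field as code execution on the gateway."`. The `pre-function/3.11.json` hunk that follows is the same blob (`fda803ac`) and needs the same descriptions.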
@@ -0,0 +1,190 @@ +{ + "properties": { + "config": { + "properties": { + "access": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "body_filter": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "certificate": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "header_filter": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "log": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "rewrite": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_client_frame": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_close": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_handshake": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ws_upstream_frame": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/prometheus/3.11.json b/json_schemas/prometheus/3.11.json new file mode 100644 index 00000000..c2bc326c --- /dev/null +++ b/json_schemas/prometheus/3.11.json 
@@ -0,0 +1,113 @@ +{ + "properties": { + "config": { + "properties": { + "ai_metrics": { + "default": false, + "description": "A boolean value that determines if ai metrics should be collected. If enabled, the `ai_llm_requests_total`, `ai_llm_cost_total` and `ai_llm_tokens_total` metrics will be exported.", + "type": "boolean" + }, + "bandwidth_metrics": { + "default": false, + "description": "A boolean value that determines if bandwidth metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", + "type": "boolean" + }, + "latency_metrics": { + "default": false, + "description": "A boolean value that determines if latency metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", + "type": "boolean" + }, + "per_consumer": { + "default": false, + "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", + "type": "boolean" + }, + "status_code_metrics": { + "default": false, + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", + "type": "boolean" + }, + "upstream_health_metrics": { + "default": false, + "description": "A boolean value that determines if upstream metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/proxy-cache-advanced/3.11.json b/json_schemas/proxy-cache-advanced/3.11.json new file mode 100644 index 00000000..d674bb8f --- /dev/null +++ b/json_schemas/proxy-cache-advanced/3.11.json 
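Review bot: The `config` object is left open: it lists six boolean properties but has no `"additionalProperties": false`, while `consumer`, `route` and `service` in the same schema are closed. A validator using this schema will therefore accept a misspelt key such as `latency_metric`, and the intended metric stays at its `false` default with no error. Unless the schema is kept open on purpose, add `"additionalProperties": false` next to `"type": "object"` on `config`. The `config` objects in the other hunks on this page are open in the same way.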
@@ -0,0 +1,410 @@ +{ + "properties": { + "config": { + "properties": { + "bypass_on_err": { + "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "type": "boolean" + }, + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities.", + "minimum": 0, + "type": "integer" + }, + "content_type": { + "default": [ + "application/json", + "text/plain" + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ignore_uri_case": { + "default": false, + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", + "type": "boolean" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. 
Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. 
Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "request_method": { + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", + "items": { + "enum": [ + "GET", + "HEAD", + "PATCH", + "POST", + "PUT" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "response_code": { + "default": [ + 200, + 301, + 404 + ], + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", + "items": { + "maximum": 900, + "minimum": 100, + "required": [ + + ], + "type": "integer" + }, + "minLength": 1, + "type": "array" + }, + "response_headers": { + "description": "Caching related diagnostic headers that should be included in cached responses", + "properties": { + "X-Cache-Key": { + "default": true, + "type": "boolean" + }, + "X-Cache-Status": { + "default": true, + "type": "boolean" + }, + "age": { + "default": true, + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "storage_ttl": { + "description": "Number of seconds to keep resources in the storage backend. 
This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" + }, + "strategy": { + "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", + "enum": [ + "memory", + "redis" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/proxy-cache/3.11.json b/json_schemas/proxy-cache/3.11.json new file mode 100644 index 00000000..c2f2d7c7 --- /dev/null +++ b/json_schemas/proxy-cache/3.11.json 
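Review bot: In `config.redis`, both `ssl` and `ssl_verify` default to `false` next to the `password` and `sentinel_password` fields, and neither description says what that default means for an operator. With `ssl` off the Redis credentials and the cached responses cross the network unencrypted, and with `ssl_verify` off the server certificate is not checked even when `ssl` is on. I would state this in the descriptions, e.g. append to `ssl`: `With the default false, the Redis password and cached data are sent unencrypted.` and to `ssl_verify`: `With the default false, the Redis server's certificate is not validated.` The same `redis` block appears in the rate-limiting-advanced hunk that follows; that hunk continues past the visible part.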
@@ -0,0 +1,229 @@ +{ + "properties": { + "config": { + "properties": { + "cache_control": { + "default": false, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "type": "boolean" + }, + "cache_ttl": { + "default": 300, + "description": "TTL, in seconds, of cache entities.", + "minimum": 0, + "type": "integer" + }, + "content_type": { + "default": [ + "application/json", + "text/plain" + ], + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "ignore_uri_case": { + "default": false, + "type": "boolean" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "request_method": { + "default": [ + "GET", + "HEAD" + ], + "description": "Downstream request methods considered cacheable.", + "items": { + "enum": [ + "GET", + "HEAD", + "PATCH", + "POST", + "PUT" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "response_code": { + "default": [ + 200, + 301, + 404 + ], + "description": "Upstream response status code considered cacheable.", + "items": { + "maximum": 900, + "minimum": 100, + "required": [ + + ], + "type": "integer" + }, + "minLength": 1, + "type": "array" + }, + "response_headers": { + "description": "Caching related diagnostic headers that should be included in cached responses", + "properties": { + "X-Cache-Key": { + "default": true, + "type": "boolean" + }, + "X-Cache-Status": { + "default": true, + "type": "boolean" + }, + "age": { + "default": true, + "type": "boolean" + } + }, + "required": [ + + 
], + "type": "object" + }, + "storage_ttl": { + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" + }, + "strategy": { + "description": "The backing data store in which to hold cache entities.", + "enum": [ + "memory" + ], + "type": "string" + }, + "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/rate-limiting-advanced/3.11.json b/json_schemas/rate-limiting-advanced/3.11.json new file mode 100644 index 00000000..0050c3da --- /dev/null +++ b/json_schemas/rate-limiting-advanced/3.11.json 
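Review bot: `config.response_code` is declared with `"type": "array"` and `"minLength": 1`, but `minLength` constrains strings only, so a JSON Schema validator ignores it here and accepts an empty array. The keyword for arrays is `minItems`, so the line should read `"minItems": 1`. The same pairing appears in the proxy-cache-advanced hunk above (`cluster_nodes`, `sentinel_nodes`, `response_code`, and the `cluster_addresses` / `sentinel_addresses` shorthand fields) and in the `redis` block of the rate-limiting-advanced hunk below. If these files are generated, the mapping belongs in the generator rather than in each file.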
@@ -0,0 +1,416 @@ +{ + "properties": { + "config": { + "properties": { + "compound_identifier": { + "description": "Similar to `identifer`, but supports combining multiple items. The priority of `compound_identifier` is higher than `identifier`, which means if `compound_identifer` is set, it will be used, otherwise `identifier` will be used.", + "items": { + "enum": [ + "consumer", + "consumer-group", + "credential", + "header", + "ip", + "path", + "service" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_groups": { + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "type": "string" + }, + "disable_penalty": { + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", + "type": "boolean" + }, + "enforce_consumer_groups": { + "default": false, + "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. 
You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", + "type": "boolean" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "minimum": 0, + "type": "number" + }, + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" + }, + "identifier": { + "default": "consumer", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "enum": [ + "consumer", + "consumer-group", + "credential", + "header", + "ip", + "path", + "service" + ], + "type": "string" + }, + "limit": { + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "items": { + "required": [ + + ], + "type": "number" + }, + "type": "array" + }, + "lock_dictionary_name": { + "default": "kong_locks", + "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. The shared dictionary should be declare in nginx-kong.conf.", + "type": "string" + }, + "namespace": { + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. 
`strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", + "type": "string" + }, + "path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. 
If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "redis_proxy_type": { + "description": "If the `connection_is_proxied` is enabled, this field indicates the proxy type and version you are using. 
For example, you can enable this optioin when you want authentication between Kong and Envoy proxy.", + "enum": [ + "envoy_v1.31" + ], + "type": "string" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. 
The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + }, + "strategy": { + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + }, + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "items": { + "required": [ + + ], + "type": "number" + }, + "type": "array" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/rate-limiting/3.11.json b/json_schemas/rate-limiting/3.11.json new file mode 100644 index 00000000..ea98ab40 --- /dev/null +++ b/json_schemas/rate-limiting/3.11.json 
@@ -0,0 +1,263 @@ +{ + "properties": { + "config": { + "properties": { + "day": { + "description": "The number of HTTP requests that can be made per day.", + "minimum": 0, + "type": "number" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "minimum": 0, + "type": "number" + }, + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "fault_tolerant": { + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", + "type": "boolean" + }, + "header_name": { + "description": "A string representing an HTTP header name.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers.", + "type": "boolean" + }, + "hour": { + "description": "The number of HTTP requests that can be made per hour.", + "minimum": 0, + "type": "number" + }, + "limit_by": { + "default": "consumer", + "description": "The entity that is used when aggregating the limits.", + "enum": [ + "consumer", + "consumer-group", + "credential", + "header", + "ip", + "path", + "service" + ], + "type": "string" + }, + "minute": { + "description": "The number of HTTP requests that can be made per minute.", + "minimum": 0, + "type": "number" + }, + "month": { + "description": "The number of HTTP requests that can be made per month.", + "minimum": 0, + "type": "number" + }, + "path": { + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "policy": { + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "enum": [ + "cluster", + "local", + "redis" + ], + "minLength": 0, + "type": "string" + }, + "redis": { + "description": "Redis configuration", + "properties": { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "minLength": 0, + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. 
If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "second": { + "description": "The number of HTTP requests that can be made per second.", + "minimum": 0, + "type": "number" + }, + "sync_rate": { + "default": -1, + "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior.", + "type": "number" + }, + "year": { + "description": "The number of HTTP requests that can be made per year.", + "minimum": 0, + "type": "number" + } + }, + "required": [ + + ], + "shorthand_fields": { + "redis_database": { + "type": "integer" + }, + "redis_host": { + "type": "string" + }, + "redis_password": { + "minLength": 0, + "type": "string" + }, + "redis_port": { + "type": "integer" + }, + "redis_server_name": { + "type": "string" + }, + "redis_ssl": { + "type": "boolean" + }, + "redis_ssl_verify": { + "type": "boolean" + }, + "redis_timeout": { + "type": "integer" + }, + "redis_username": { + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/redirect/3.11.json b/json_schemas/redirect/3.11.json new file mode 100644 index 00000000..dea922d4 --- /dev/null +++ b/json_schemas/redirect/3.11.json 
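Review bot: `config.redis.ssl` and `config.redis.ssl_verify` both default to `false` in this schema, so with defaults the `username` and `password` documented next to them are sent to Redis without TLS, and turning on `ssl` alone still leaves the server certificate unchecked; neither description says so. I would append to the `ssl_verify` description: `Defaults to false: the Redis server certificate is not validated unless this is set to true.` The same gap appears in `request-callout/3.11.json`, under `config.cache.redis` and under `http_opts.ssl_verify`, where the description also still names "your Redis server" although it governs the callout connection. If these files are pulled from the gateway's schema API, as the series description suggests, the wording has to be fixed at the source rather than in this file.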
@@ -0,0 +1,105 @@ +{ + "properties": { + "config": { + "properties": { + "keep_incoming_path": { + "default": false, + "description": "Use the incoming request's path and query string in the redirect URL", + "type": "boolean" + }, + "location": { + "description": "The URL to redirect to", + "type": "string" + }, + "status_code": { + "default": 301, + "description": "The response code to send. Must be an integer between 100 and 599.", + "maximum": 599, + "minimum": 100, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/request-callout/3.11.json b/json_schemas/request-callout/3.11.json new file mode 100644 index 00000000..19da4a70 --- /dev/null +++ b/json_schemas/request-callout/3.11.json 
@@ -0,0 +1,680 @@ +{ + "properties": { + "config": { + "properties": { + "cache": { + "description": "Plugin global caching configuration.", + "properties": { + "cache_ttl": { + "default": 300, + "description": "TTL in seconds of cache entities.", + "minimum": 0, + "type": "integer" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "default": "off", + "description": "The backing data store in which to hold cache entities. Accepted values are: `off`, `memory`, and `redis`.", + "enum": [ + "memory", + "off", + "redis" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "callouts": { + "description": "A collection of callout objects, where each object represents an HTTPrequest made in the context of a proxy request.", + "items": { + "properties": { + "cache": { + "description": "Callout caching configuration.", + "properties": { + "bypass": { + "default": false, + "description": "If true, skips caching the callout response.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "depends_on": { + "default": [ + + ], + "description": "An array of callout names the current callout depends on.This dependency determines the callout execution order.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "name": { + "description": "A string identifier for a callout. 
A callout object is referenceablevia its name in the kong.ctx.shared.callouts.", + "type": "string" + }, + "request": { + "description": "The customizations for the callout request.", + "properties": { + "body": { + "description": "Callout request body customizations.", + "properties": { + "custom": { + "additionalProperties": true, + "description": "The custom body fields to be added in the callout HTTP request.Values can contain Lua expressions in the form $(some_lua_code).", + "type": "object" + }, + "decode": { + "default": false, + "description": "If true, decodes the request's body to make it available for customizations.", + "type": "boolean" + }, + "forward": { + "default": false, + "description": "If true, forwards the incoming request's body to the callout request.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "by_lua": { + "description": "Lua code that executes before the callout request is made.Standard Lua sandboxing restrictions apply.", + "type": "string" + }, + "error": { + "description": "The error handling policy the plugin will apply to TCP and HTTP errors.", + "properties": { + "error_response_code": { + "default": 400, + "description": "The error code to respond with if `on_error` is `fail` or if `retries` is achieved.", + "type": "integer" + }, + "error_response_msg": { + "default": "service callout error", + "description": "The error mesasge to respond with if `on_error` is `fail` or if `retries` is achieved.Templating with Lua expressions is supported.", + "type": "string" + }, + "http_statuses": { + "description": "The list of HTTP status codes considered errors under the error handling policy.", + "items": { + "maximum": 999, + "minimum": 100, + "required": [ + + ], + "type": "integer" + }, + "type": "array" + }, + "on_error": { + "default": "fail", + "enum": [ + "continue", + "fail", + "retry" + ], + "type": "string" + }, + "retries": { + "default": 2, + "description": "The number of retries the plugin 
will attempt on TCP and HTTP errors if `on_error` is set to `retry`.", + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "headers": { + "description": "Callout request header customizations.", + "properties": { + "custom": { + "additionalProperties": true, + "description": "The custom headers to be added in the callout HTTP request.Values can contain Lua expressions in the form $(some_lua_code).", + "type": "object" + }, + "forward": { + "default": false, + "description": "If true, forwards the incoming request's headers to the callout request. ", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "http_opts": { + "description": "HTTP connection parameters.", + "properties": { + "proxy": { + "description": "Proxy settings.", + "properties": { + "auth_password": { + "description": "The password to authenticate with, if the forward proxy is protected by basic authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "auth_username": { + "description": "The username to authenticate with, if the forward proxy is protected by basic authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "http_proxy": { + "description": "The HTTP proxy URL. This proxy server will be used for HTTP requests.", + "type": "string" + }, + "https_proxy": { + "description": "The HTTPS proxy URL. This proxy server will be used for HTTPS requests.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "ssl_server_name": { + "description": "The SNI used in the callout request. Defaults to host if omitted.", + "type": "string" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeouts": { + "description": "Socket timeouts in milliseconds. All or none must be set.", + "properties": { + "connect": { + "description": "The socket connect timeout.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "read": { + "description": "The socket read timeout. ", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "write": { + "description": "The socket write timeout.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "method": { + "default": "GET", + "description": "The HTTP method that will be requested.", + "pattern": "^%u+$", + "type": "string" + }, + "query": { + "description": "Callout request query param customizations.", + "properties": { + "custom": { + "additionalProperties": true, + "description": "The custom query params to be added in the callout HTTP request.Values can contain Lua expressions in the form $(some_lua_code).", + "type": "object" + }, + "forward": { + "default": false, + "description": "If true, forwards the incoming request's query params to the callout request. 
", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "url": { + "description": "The URL that will be requested.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + "body", + "error", + "headers", + "http_opts", + "query", + "url" + ], + "type": "object" + }, + "response": { + "description": "Configurations of callout response handling.", + "properties": { + "body": { + "properties": { + "decode": { + "default": false, + "description": "If true, decodes the response body before storing into the context. Only JSON is supported.", + "type": "boolean" + }, + "store": { + "default": true, + "description": "If false, skips storing the callout response body into kong.ctx.shared.callouts..response.body.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "by_lua": { + "description": "Lua code that executes after the callout request is made, before caching takes place. Standard Lua sandboxing restrictions apply.", + "type": "string" + }, + "headers": { + "description": "Callout response header customizations.", + "properties": { + "store": { + "default": true, + "description": "If false, skips storing the callout response headers intokong.ctx.shared.callouts..response.headers.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + "body", + "headers" + ], + "type": "object" + } + }, + "required": [ + "cache", + "name", + "request", + "response" + ], + "type": "object" + }, + "type": "array" + }, + "upstream": { + "description": "Customizations to the upstream request.", + "properties": { + "body": { + "description": "Callout request body customizations.", + "properties": { + "custom": { + "additionalProperties": true, + "description": "The custom body fields to be added in the upstream request body. 
Values can contain Lua expressions in the form $(some_lua_code).", + "type": "object" + }, + "decode": { + "default": true, + "description": "If true, decodes the request's body to make it available for upstream by_lua customizations.", + "type": "boolean" + }, + "forward": { + "default": true, + "description": "If false, skips forwarding the incoming request's body to the upstream request.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "by_lua": { + "description": "Lua code that executes before the upstream request is made. Standard Lua sandboxing restrictions apply.", + "type": "string" + }, + "headers": { + "description": "Callout request header customizations.", + "properties": { + "custom": { + "additionalProperties": true, + "description": "The custom headers to be added in the upstream HTTP request. Values can contain Lua expressions in the form $(some_lua_code).", + "type": "object" + }, + "forward": { + "default": true, + "description": "If false, does not forward request headers to upstream request.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "query": { + "description": "Upstream request query param customizations.", + "properties": { + "custom": { + "additionalProperties": true, + "description": "The custom query params to be added in the upstream HTTP request. Values can contain Lua expressions in the form $(some_lua_code).", + "type": "object" + }, + "forward": { + "default": true, + "description": "If false, does not forward request query params to upstream request.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/request-size-limiting/3.11.json b/json_schemas/request-size-limiting/3.11.json new file mode 100644 index 00000000..5259ed13 --- /dev/null +++ b/json_schemas/request-size-limiting/3.11.json 
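Review bot: `config.callouts[].request.method` declares `"pattern": "^%u+$"`, which is Lua pattern syntax (`%u` is the uppercase-letter class). A JSON Schema validator reads `pattern` as an ECMA-262 regular expression, where `%u` matches those two literal characters, so the field's own default `GET` would be rejected. `"pattern": "^[A-Z]+$"` expresses the intended constraint. In the same hunk `cluster_nodes`, `sentinel_nodes`, `cluster_addresses` and `sentinel_addresses` put `"minLength": 1` on `"type": "array"`, which does not constrain arrays; `"minItems": 1` is what the descriptions ("The minimum length of the array is 1 element") call for.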
@@ -0,0 +1,96 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_payload_size": { + "default": 128, + "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", + "type": "integer" + }, + "require_content_length": { + "default": false, + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", + "type": "boolean" + }, + "size_unit": { + "default": "megabytes", + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", + "enum": [ + "bytes", + "kilobytes", + "megabytes" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/request-termination/3.11.json b/json_schemas/request-termination/3.11.json new file mode 100644 index 00000000..b9c25a41 --- /dev/null +++ b/json_schemas/request-termination/3.11.json 
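Review bot: `config.allowed_payload_size` is a bare `integer` with no lower bound, so the schema accepts zero and negative limits; if the plugin has no meaning for those values, a `"minimum"` keyword would reject them at validation time. Its description says the size is "in megabytes" although `config.size_unit` in the same object also allows `bytes` and `kilobytes`; I would reword it to `Allowed request payload size, in the unit selected by size_unit (megabytes by default).`. The `consumer` description reads "where the specified has been authenticated" and is missing the word "consumer"; the same sentence recurs in the request-termination, request-transformer-advanced, request-transformer, request-validator, response-ratelimiting and response-transformer-advanced files of this patch.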
@@ -0,0 +1,117 @@ +{ + "properties": { + "config": { + "properties": { + "body": { + "description": "The raw response body to send. This is mutually exclusive with the `config.message` field.", + "type": "string" + }, + "content_type": { + "description": "Content type of the raw response configured with `config.body`.", + "type": "string" + }, + "echo": { + "default": false, + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", + "type": "boolean" + }, + "message": { + "description": "The message to send, if using the default response generator.", + "type": "string" + }, + "status_code": { + "default": 503, + "description": "The response code to send. Must be an integer between 100 and 599.", + "maximum": 599, + "minimum": 100, + "type": "integer" + }, + "trigger": { + "description": "A string representing an HTTP header name.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/request-transformer-advanced/3.11.json b/json_schemas/request-transformer-advanced/3.11.json new file mode 100644 index 00000000..f2a4a54a --- /dev/null +++ b/json_schemas/request-transformer-advanced/3.11.json 
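Review bot: `config.trigger` is documented only as `A string representing an HTTP header name.`, which does not tell an operator that it controls when the plugin activates; the `echo` description relies on it ("can be combined with `trigger`") without the schema ever saying what it does. As I understand the plugin, a description such as `When set, the plugin activates only for requests carrying a header or query parameter with this name; when unset, it activates on every request.` is what is needed, to be confirmed against the implementation. The `echo` description should also state that the echoed copy goes back to the caller and may contain whatever the request carried, so that it is not left enabled on a route without a `trigger`.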
@@ -0,0 +1,402 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "allow": { + "properties": { + "body": { + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "append": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "description": "This 
field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "dots_in_keys": { + "default": true, + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects).", + "type": "boolean" + }, + "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", + "pattern": "^[A-Z]+$", + "type": "string" + }, + "remove": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "rename": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "replace": { + 
"properties": { + "body": { + "default": [ + + ], + "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "uri": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/request-transformer/3.11.json b/json_schemas/request-transformer/3.11.json new file mode 100644 index 00000000..ce375bb6 --- /dev/null +++ b/json_schemas/request-transformer/3.11.json 
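Review bot: The `headers` item schemas under `config.add`, `config.append`, `config.rename` and `config.replace` carry no `pattern`, whereas the same fields in the request-transformer schema later in this patch constrain each entry with `"pattern": "^[^:]+:.*$"`. If the advanced plugin expects the same `name:value` form, the pattern should be repeated here so a malformed entry is rejected by the schema rather than at request time; if the difference is intentional, a description should say which forms are accepted. `config.allow.body` and `config.replace.uri` have no `description` at all, so the schema does not say how they change the request sent upstream.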
@@ -0,0 +1,328 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "append": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. 
The string must contain only uppercase letters.", + "pattern": "^[A-Z]+$", + "type": "string" + }, + "remove": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "rename": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "replace": { + "properties": { + "body": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "querystring": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "uri": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/request-validator/3.11.json b/json_schemas/request-validator/3.11.json new file mode 100644 index 00000000..71fb676d --- /dev/null 
+++ b/json_schemas/request-validator/3.11.json 
@@ -0,0 +1,164 @@ +{ + "properties": { + "config": { + "properties": { + "allowed_content_types": { + "default": [ + "application/json" + ], + "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "body_schema": { + "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.", + "type": "string" + }, + "content_type_parameter_validation": { + "default": true, + "description": "Determines whether to enable parameters validation of request content-type.", + "type": "boolean" + }, + "parameter_schema": { + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", + "items": { + "properties": { + "explode": { + "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect.", + "type": "boolean" + }, + "in": { + "description": "The location of the parameter.", + "enum": [ + "header", + "path", + "query" + ], + "type": "string" + }, + "name": { + "description": "The name of the parameter. Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`.", + "type": "string" + }, + "required": { + "description": "Determines whether this parameter is mandatory.", + "type": "boolean" + }, + "schema": { + "description": "Requred when `style` and `explode` are set. This is the schema defining the type used for the parameter. It is validated using `draft4` for JSON Schema draft 4 compliant validator. 
In addition to being a valid JSON Schema, the parameter schema MUST have a top-level `type` property to enable proper deserialization before validating.", + "type": "string" + }, + "style": { + "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", + "enum": [ + "deepObject", + "form", + "label", + "matrix", + "pipeDelimited", + "simple", + "spaceDelimited" + ], + "type": "string" + } + }, + "required": [ + "in", + "name", + "required" + ], + "type": "object" + }, + "type": "array" + }, + "verbose_response": { + "default": false, + "description": "If enabled, the plugin returns more verbose and detailed validation errors.", + "type": "boolean" + }, + "version": { + "default": "kong", + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", + "enum": [ + "draft4", + "kong" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/response-ratelimiting/3.11.json b/json_schemas/response-ratelimiting/3.11.json new file mode 100644 index 00000000..229ec4dc --- /dev/null +++ b/json_schemas/response-ratelimiting/3.11.json 
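Review bot: Both `body_schema` and `parameter_schema` say "One of `body_schema` or `parameter_schema` must be specified", but `config.required` is empty and no `anyOf` expresses that rule, so a configuration with neither passes this schema and the validator may end up checking nothing. If the rule is enforced elsewhere the descriptions are enough; otherwise `"anyOf": [{"required": ["body_schema"]}, {"required": ["parameter_schema"]}]` on `config` would state it. The `schema` description has the typo "Requred", and `verbose_response` could note that detailed validation errors are returned to the client.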
@@ -0,0 +1,207 @@ +{ + "properties": { + "config": { + "properties": { + "block_on_first_violation": { + "default": false, + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", + "type": "boolean" + }, + "fault_tolerant": { + "default": true, + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", + "type": "boolean" + }, + "header_name": { + "default": "x-kong-limit", + "description": "The name of the response header used to increment the counters.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers.", + "type": "boolean" + }, + "limit_by": { + "default": "consumer", + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. 
If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", + "enum": [ + "consumer", + "credential", + "ip" + ], + "type": "string" + }, + "limits": { + "additionalProperties": true, + "description": "A map that defines rate limits for the plugin.", + "minLength": 1, + "type": "object" + }, + "policy": { + "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "redis": { + "description": "Redis configuration", + "properties": { + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "minLength": 0, + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "shorthand_fields": { + "redis_database": { + "type": "integer" + }, + "redis_host": { + "type": "string" + }, + "redis_password": { + "minLength": 0, + "type": "string" + }, + "redis_port": { + "type": "integer" + }, + "redis_server_name": { + "type": "string" + }, + "redis_ssl": { + "type": "boolean" + }, + "redis_ssl_verify": { + "type": "boolean" + }, + "redis_timeout": { + "type": "integer" + }, + "redis_username": { + "type": "string" + } + }, + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/response-transformer-advanced/3.11.json b/json_schemas/response-transformer-advanced/3.11.json new file mode 100644 index 00000000..251e8dc2 --- /dev/null +++ b/json_schemas/response-transformer-advanced/3.11.json 
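Review bot: `config.limits` combines `"minLength": 1` with `"type": "object"`; `minLength` applies to strings only, so an empty limits map passes validation, and `"minProperties": 1` is the keyword that expresses the intended constraint. In `config.redis`, `ssl` and `ssl_verify` both default to `false`, so a Redis policy configured with only host and password presumably sends the password over an unencrypted connection, and turning on `ssl` alone still leaves the server certificate unchecked; the two descriptions should say so. `redis.password` also lacks the "This field is referenceable" sentence that `redis.username` carries; if the password can be a vault reference, that sentence belongs on it too.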
@@ -0,0 +1,419 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "allow": { + "properties": { + "json": { + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "append": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "dots_in_keys": { + "default": true, + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", + "type": "boolean" + }, + "remove": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + 
"default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "rename": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "replace": { + "properties": { + "body": { + "description": "String with which to replace the entire response body.", + "type": "string" + }, + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "transform": { + "properties": { + "functions": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "if_status": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/response-transformer/3.11.json b/json_schemas/response-transformer/3.11.json new file mode 100644 index 00000000..c4180b30 --- /dev/null +++ b/json_schemas/response-transformer/3.11.json 
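Review bot: `config.transform.functions` is an array of plain strings with no `description`, and as far as I know the plugin runs these strings as Lua code against the response body. The field should carry a description that says so and states which sandboxing applies, as the `by_lua` field earlier in this patch does ("Standard Lua sandboxing restrictions apply."), so that operators treat write access to this plugin's configuration as code execution on the gateway. The `if_status` arrays and `config.allow.json` are undocumented as well, and the `dots_in_keys` description ends in a doubled period.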
@@ -0,0 +1,311 @@ +{ + "properties": { + "config": { + "properties": { + "add": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "append": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. 
Each string element can be one of: boolean, number, or string.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "remove": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "rename": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "replace": { + "properties": { + "headers": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json": { + "default": [ + + ], + "items": { + "pattern": "^[^:]+:.*$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "json_types": { + "default": [ + + ], + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", + "items": { + "enum": [ + "boolean", + "number", + "string" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/route-by-header/3.11.json b/json_schemas/route-by-header/3.11.json new file mode 100644 index 00000000..308bac74 --- /dev/null +++ b/json_schemas/route-by-header/3.11.json 
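Review bot: The `json_types` description under `config.add` and `config.replace` is the `append` text verbatim ("when appending JSON properties"), so the generated reference describes the wrong operation for two of the three blocks. Each should name its own operation, e.g. `Specify the types of the JSON values returned when replacing JSON properties.` for `replace`. The top-level `consumer` description also reads "where the specified has been authenticated", with the noun missing; `where the specified consumer has been authenticated` is presumably what was meant, and the same sentence recurs in the route-by-header and route-transformer-advanced files in this patch. None of the `headers` or `json` arrays under `add`, `append`, `remove`, `rename` and `replace` has a `description`, so the `^[^:]+:.*$` pattern is the only hint at the expected `name:value` form.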
@@ -0,0 +1,100 @@ +{ + "properties": { + "config": { + "properties": { + "rules": { + "default": [ + + ], + "description": "Route by header rules.", + "items": { + "properties": { + "condition": { + "additionalProperties": true, + "minLength": 1, + "type": "object" + }, + "upstream_name": { + "type": "string" + } + }, + "required": [ + "condition", + "upstream_name" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
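Review bot: `"minLength": 1` on `config.rules[].condition` constrains nothing, because `condition` is `"type": "object"` and `minLength` applies only to strings, so an empty `condition` (`{}`) passes validation against this schema. `"minProperties": 1` is the keyword that expresses the intent. The same mismatch is on the array-typed `cluster_nodes`, `sentinel_nodes`, `cluster_addresses` and `sentinel_addresses` in `json_schemas/saml/3.11.json` later in this patch, where `"minItems": 1` is what would enforce the "minimum length of the array is 1 element" that the descriptions state. If these files are exported rather than hand-written, the fix probably belongs in the exporter's mapping and not in each file. `condition` and `upstream_name` also have no `description`.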
diff --git a/json_schemas/route-transformer-advanced/3.11.json b/json_schemas/route-transformer-advanced/3.11.json new file mode 100644 index 00000000..55afb37a --- /dev/null +++ b/json_schemas/route-transformer-advanced/3.11.json @@ -0,0 +1,89 @@ +{ + "properties": { + "config": { + "properties": { + "escape_path": { + "default": false, + "type": "boolean" + }, + "host": { + "type": "string" + }, + "path": { + "type": "string" + }, + "port": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
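Review bot: None of the four `config` fields (`escape_path`, `host`, `path`, `port`) has a `description`, and they are the fields that decide where a request is sent upstream, so this schema gives an operator nothing to validate intent against. `port` is `"type": "string"` with no `pattern`, whereas the port fields in the other schemas of this patch are `integer` with `minimum: 0` and `maximum: 65535`; if the string type is deliberate (for example because the value may be a template), the description should say so, otherwise a bound is missing. I would at least add `"description": "Whether to escape the transformed path before proxying."` style text to `escape_path`, worded to match what the plugin really does, since its `false` default is not explained anywhere in the hunk.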
diff --git a/json_schemas/saml/3.11.json b/json_schemas/saml/3.11.json new file mode 100644 index 00000000..71a92cb9 --- /dev/null +++ b/json_schemas/saml/3.11.json 
@@ -0,0 +1,609 @@ +{ + "properties": { + "config": { + "properties": { + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", + "type": "string" + }, + "assertion_consumer_path": { + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "idp_certificate": { + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "type": "string" + }, + "idp_sso_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "issuer": { + "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", + "type": "string" + }, + "nameid_format": { + "default": "EmailAddress", + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", + "enum": [ + "EmailAddress", + "Persistent", + "Transient", + "Unspecified" + ], + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "description": "The Redis session key prefix.", + "type": "string" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "socket": { + "description": "The Redis unix socket path.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "request_digest_algorithm": { + "default": "SHA256", + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", + "enum": [ + "SHA1", + "SHA256" + ], + "type": "string" + }, + "request_signature_algorithm": { + "default": "SHA256", + "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "enum": [ + "SHA256", + "SHA384", + "SHA512" + ], + "type": "string" + }, + "request_signing_certificate": { + "description": "The certificate for signing requests.", + "type": "string" + }, + "request_signing_key": { + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. 
The `request_signing_certificate` parameter must be set as well.", + "type": "string" + }, + "response_digest_algorithm": { + "default": "SHA256", + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", + "enum": [ + "SHA1", + "SHA256" + ], + "type": "string" + }, + "response_encryption_key": { + "description": "The private encryption key required to decrypt encrypted assertions.", + "type": "string" + }, + "response_signature_algorithm": { + "default": "SHA256", + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "enum": [ + "SHA256", + "SHA384", + "SHA512" + ], + "type": "string" + }, + "session_absolute_timeout": { + "default": 86400, + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "type": "number" + }, + "session_audience": { + "default": "default", + "description": "The session audience, for example \"my-application\"", + "type": "string" + }, + "session_cookie_domain": { + "description": "The session cookie domain flag.", + "type": "string" + }, + "session_cookie_http_only": { + "default": true, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean" + }, + "session_cookie_name": { + "default": "session", + "description": "The session cookie name.", + "type": "string" + }, + "session_cookie_path": { + "default": "/", + "description": "A string representing a URL path, such as /path/to/resource. 
Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "type": "string" + }, + "session_cookie_same_site": { + "default": "Lax", + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "session_cookie_secure": { + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean" + }, + "session_enforce_same_subject": { + "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "type": "boolean" + }, + "session_hash_storage_key": { + "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "type": "boolean" + }, + "session_hash_subject": { + "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", + "type": "boolean" + }, + "session_idling_timeout": { + "default": 900, + "description": "The session cookie idle time in seconds.", + "type": "number" + }, + "session_memcached_host": { + "default": "127.0.0.1", + "description": "The memcached host.", + "type": "string" + }, + "session_memcached_port": { + "default": 11211, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "session_memcached_prefix": { + "description": "The memcached session key prefix.", + "type": "string" + }, + "session_memcached_socket": { + "description": "The memcached unix socket path.", + "type": "string" + }, + "session_remember": { + "default": false, + "description": "Enables or disables persistent sessions", + "type": "boolean" + }, + "session_remember_absolute_timeout": { + "default": 2592000, + "description": "Persistent session absolute timeout in seconds.", + "type": "number" + }, + "session_remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name", + "type": "string" + }, + "session_remember_rolling_timeout": { + "default": 604800, + "description": "Persistent session rolling timeout in seconds.", + "type": "number" + }, + "session_request_headers": { + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "session_response_headers": { + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "session_rolling_timeout": { + "default": 3600, + "description": "The session cookie absolute timeout in seconds. 
Specifies how long the session can be used until it is no longer valid.", + "type": "number" + }, + "session_secret": { + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "maxLength": 32, + "minLength": 32, + "pattern": "^[0-9a-zA-Z/_+]+$", + "type": "string" + }, + "session_storage": { + "default": "cookie", + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", + "enum": [ + "cookie", + "memcache", + "memcached", + "redis" + ], + "type": "string" + }, + "session_store_metadata": { + "default": false, + "description": "Configures whether or not session metadata should be stored. 
This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", + "type": "boolean" + }, + "validate_assertion_signature": { + "default": true, + "description": "Enable signature validation for SAML responses.", + "type": "boolean" + } + }, + "required": [ + + ], + "shorthand_fields": { + "session_auth_ttl": { + "type": "number" + }, + "session_compressor": { + "type": "string" + }, + "session_cookie_httponly": { + "type": "boolean" + }, + "session_cookie_idletime": { + "type": "number" + }, + "session_cookie_lifetime": { + "type": "number" + }, + "session_cookie_maxsize": { + "type": "integer" + }, + "session_cookie_renew": { + "type": "number" + }, + "session_cookie_samesite": { + "type": "string" + }, + "session_memcache_host": { + "type": "string" + }, + "session_memcache_port": { + "type": "integer" + }, + "session_memcache_prefix": { + "type": "string" + }, + "session_memcache_socket": { + "type": "string" + }, + "session_redis_cluster_max_redirections": { + "type": "integer" + }, + "session_redis_cluster_maxredirections": { + "type": "integer" + }, + "session_redis_cluster_nodes": { + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + "session_redis_connect_timeout": { + "type": "integer" + }, + "session_redis_host": { + "type": "string" + }, + "session_redis_password": { + "type": "string" + }, + "session_redis_port": { + "type": "integer" + }, + "session_redis_prefix": { + "type": "string" + }, + "session_redis_read_timeout": { + "type": "integer" + }, + "session_redis_send_timeout": { + "type": "integer" + }, + "session_redis_server_name": { + "type": "string" + 
}, + "session_redis_socket": { + "type": "string" + }, + "session_redis_ssl": { + "type": "boolean" + }, + "session_redis_ssl_verify": { + "type": "boolean" + }, + "session_redis_username": { + "type": "string" + }, + "session_strategy": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/service-protection/3.11.json b/json_schemas/service-protection/3.11.json new file mode 100644 index 00000000..a0134073 --- /dev/null +++ b/json_schemas/service-protection/3.11.json 
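Review bot: `config.redis.ssl` and `config.redis.ssl_verify` both default to `false`, so with `session_storage` set to `redis` the connection that carries session data and the Redis `password` is by default neither encrypted nor, once `ssl` is turned on, checked against a trusted certificate. If the defaults have to mirror the plugin, the `ssl_verify` description should state the consequence, e.g. append `Without this, the Redis server's identity is not checked even when ssl is true.` Separately, `request_digest_algorithm` and `response_digest_algorithm` list `SHA1` with no guidance; I would add `SHA1 is kept for older IdPs only; prefer SHA256.` to both descriptions, and give `validate_assertion_signature` a sentence saying that setting it to `false` means assertions are accepted without proof that they came from the IdP. `session_cookie_secure` has no `default`, so the schema does not show whether the cookie is HTTPS-only out of the box. The `session_rolling_timeout` description is a copy of the `session_absolute_timeout` text and should describe the rolling window instead.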
@@ -0,0 +1,314 @@ +{ + "properties": { + "config": { + "properties": { + "dictionary_name": { + "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "type": "string" + }, + "disable_penalty": { + "default": false, + "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", + "type": "boolean" + }, + "error_code": { + "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", + "minimum": 0, + "type": "number" + }, + "error_message": { + "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", + "type": "string" + }, + "hide_client_headers": { + "default": false, + "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "type": "boolean" + }, + "limit": { + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "items": { + "required": [ + + ], + "type": "number" + }, + "type": "array" + }, + "lock_dictionary_name": { + "default": "kong_locks", + "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. The shared dictionary should be declared in nginx-kong.conf.", + "type": "string" + }, + "namespace": { + "description": "The rate limiting library namespace to use for this plugin instance. 
Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", + "type": "string" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. 
If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. 
Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "retry_after_jitter_max": { + "default": 0, + "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "type": "number" + }, + "strategy": { + "default": "local", + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", + "enum": [ + "cluster", + "local", + "redis" + ], + "type": "string" + }, + "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. 
The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" + }, + "window_size": { + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "items": { + "required": [ + + ], + "type": "number" + }, + "type": "array" + }, + "window_type": { + "default": "sliding", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "enum": [ + "fixed", + "sliding" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/session/3.11.json b/json_schemas/session/3.11.json new file mode 100644 index 00000000..ce22bca5 --- /dev/null +++ b/json_schemas/session/3.11.json 
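Review bot: In `config.redis`, `ssl` and `ssl_verify` both default to `false` while the same object carries `password` and `sentinel_password`, and neither description tells the operator that the default connection is unencrypted and does not check the server certificate. I would say so in the descriptions, for example appending `Defaults to false, in which case the Redis server certificate is not validated.` to `ssl_verify`, with a matching sentence on `ssl`. The array fields `cluster_nodes`, `sentinel_nodes`, `cluster_addresses` and `sentinel_addresses` use `"minLength": 1`, which JSON Schema applies to strings only, so a standard validator will not enforce the documented one-element minimum; `"minItems": 1` is the array keyword. The `strategy` description also lists only `local` and `cluster`, although the enum accepts `redis`.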
@@ -0,0 +1,258 @@ +{ + "properties": { + "config": { + "properties": { + "absolute_timeout": { + "default": 86400, + "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", + "type": "number" + }, + "audience": { + "default": "default", + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "type": "string" + }, + "cookie_domain": { + "description": "The domain with which the cookie is intended to be exchanged.", + "type": "string" + }, + "cookie_http_only": { + "default": true, + "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", + "type": "boolean" + }, + "cookie_name": { + "default": "session", + "description": "The name of the cookie.", + "type": "string" + }, + "cookie_path": { + "default": "/", + "description": "The resource in the host where the cookie is available.", + "type": "string" + }, + "cookie_same_site": { + "default": "Strict", + "description": "Determines whether and how a cookie may be sent with cross-site requests.", + "enum": [ + "Default", + "Lax", + "None", + "Strict" + ], + "type": "string" + }, + "cookie_secure": { + "default": true, + "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", + "type": "boolean" + }, + "idling_timeout": { + "default": 900, + "description": "The session cookie idle time, in seconds.", + "type": "number" + }, + "logout_methods": { + "default": [ + "DELETE", + "POST" + ], + "description": "A set of HTTP methods that the plugin will respond to.", + "items": { + "enum": [ + "DELETE", + "GET", + "POST" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "logout_post_arg": { + "default": "session_logout", + "description": "The POST argument passed to logout requests. 
Do not change this property.", + "type": "string" + }, + "logout_query_arg": { + "default": "session_logout", + "description": "The query argument passed to logout requests.", + "type": "string" + }, + "read_body_for_logout": { + "default": false, + "type": "boolean" + }, + "remember": { + "default": false, + "description": "Enables or disables persistent sessions.", + "type": "boolean" + }, + "remember_absolute_timeout": { + "default": 2592000, + "description": "The persistent session absolute timeout limit, in seconds.", + "type": "number" + }, + "remember_cookie_name": { + "default": "remember", + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string" + }, + "remember_rolling_timeout": { + "default": 604800, + "description": "The persistent session rolling timeout window, in seconds.", + "type": "number" + }, + "request_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "response_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", + "items": { + "enum": [ + "absolute-timeout", + "audience", + "id", + "idling-timeout", + "rolling-timeout", + "subject", + "timeout" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "rolling_timeout": { + "default": 3600, + "description": "The session cookie rolling timeout, in seconds. 
Specifies how long the session can be used until it needs to be renewed.", + "type": "number" + }, + "secret": { + "default": "lt9BJW1n5RfhCxTbNIKqsj8THW7YNdXTA0VW6KQwBUwg", + "description": "The secret that is used in keyed HMAC generation.", + "type": "string" + }, + "stale_ttl": { + "default": 10, + "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", + "type": "number" + }, + "storage": { + "default": "cookie", + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", + "enum": [ + "cookie", + "kong" + ], + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cookie_discard": { + "type": "number" + }, + "cookie_httponly": { + "type": "boolean" + }, + "cookie_idletime": { + "type": "number" + }, + "cookie_lifetime": { + "type": "number" + }, + "cookie_persistent": { + "type": "boolean" + }, + "cookie_renew": { + "type": "number" + }, + "cookie_samesite": { + "type": "string" + } + }, + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/standard-webhooks/3.11.json b/json_schemas/standard-webhooks/3.11.json new file mode 100644 index 00000000..1faa2af3 --- /dev/null +++ b/json_schemas/standard-webhooks/3.11.json 
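Review bot: `config.secret` is published with a concrete `default` string, so any consumer that materialises schema defaults (form generators, config templates, copied examples) would give every deployment the same key for HMAC generation, and a key printed in a public schema cannot protect session integrity. The value looks like a random string captured when the schema was exported rather than a real fixed default, but the hunk does not confirm that. I would drop the `"default"` line from `secret` and extend its description to `"The secret that is used in keyed HMAC generation. Set this explicitly; do not rely on a schema default."`. Separately, `request_headers` carries the same description as `response_headers` ("in the response to the downstream"), which presumably should describe headers added to the upstream request.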
@@ -0,0 +1,86 @@ +{ + "properties": { + "config": { + "properties": { + "secret_v1": { + "description": "Webhook secret\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "tolerance_second": { + "default": 300, + "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response.", + "minimum": -1, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/statsd-advanced/3.11.json b/json_schemas/statsd-advanced/3.11.json new file mode 100644 index 00000000..be532c92 --- /dev/null +++ b/json_schemas/statsd-advanced/3.11.json 
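Review bot: `tolerance_second` accepts `-1` (`"minimum": -1`), but its description only explains a positive number of seconds, so the meaning of `-1` and `0` is undocumented. If `-1` switches the timestamp check off, which the hunk does not show, that removes the replay window for signed webhooks and needs an explicit sentence. Once the behaviour is confirmed, something like `Set to -1 to disable the timestamp check; this removes replay protection.` would cover it. If `-1` has no defined meaning, `"minimum": 0` would be the tighter bound.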
@@ -0,0 +1,298 @@ +{ + "properties": { + "config": { + "properties": { + "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", + "items": { + "pattern": "^[0-9]+-[0-9]+$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_identifier_default": { + "default": "custom_id", + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "host": { + "default": "localhost", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "hostname_in_prefix": { + "default": false, + "description": "Include the `hostname` in the `prefix` for each metric name.", + "type": "boolean" + }, + "metrics": { + "default": [ + { + "name": "cache_datastore_misses_total", + "sample_rate": 1, + "stat_type": "counter" + } + ], + "description": "List of Metrics to be logged.", + "items": { + "properties": { + "consumer_identifier": { + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "enum": [ + "cache_datastore_hits_total", + "cache_datastore_misses_total", + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "shdict_usage", + "status_count", + "status_count_per_user", + "status_count_per_user_per_route", + "status_count_per_workspace", + "unique_users", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "minimum": 0, + "type": "number" + }, + "service_identifier": { + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "stat_type": { + "enum": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + }, + 
"workspace_identifier": { + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [ + "name", + "stat_type" + ], + "type": "object" + }, + "type": "array" + }, + "port": { + "default": 8125, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to prefix to each metric's name.", + "type": "string" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + 
"type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "service_identifier_default": { + "default": "service_name_or_host", + "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "udp_packet_size": { + "default": 0, + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", + "maximum": 65507, + "minimum": 0, + "type": "number" + }, + "use_tcp": { + "default": false, + "description": "Use TCP instead of UDP.", + "type": "boolean" + }, + "workspace_identifier_default": { + "default": "workspace_id", + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/statsd/3.11.json b/json_schemas/statsd/3.11.json new file mode 100644 index 00000000..a55fdecc --- /dev/null +++ b/json_schemas/statsd/3.11.json 
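Review bot: Two description strings in this file are garbled: `queue.concurrency_limit` reads "The number of of queue delivery timers", and the `consumer` description reads "where the specified has been authenticated" with the noun missing. Suggested wording is `"The number of queue delivery timers. -1 indicates unlimited."` and `"... only for requests where the specified consumer has been authenticated."`. The same `concurrency_limit` text appears in the statsd hunk, and the same `consumer` text in the statsd and syslog hunks. These files look machine-exported, so the correction probably belongs in the upstream schema source rather than in this file.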
@@ -0,0 +1,316 @@ +{ + "properties": { + "config": { + "properties": { + "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", + "items": { + "pattern": "^[0-9]+-[0-9]+$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "consumer_identifier_default": { + "default": "custom_id", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "flush_timeout": { + "type": "number" + }, + "host": { + "default": "localhost", + "description": "The IP address or hostname of StatsD server to send data to.", + "type": "string" + }, + "hostname_in_prefix": { + "default": false, + "type": "boolean" + }, + "metrics": { + "default": [ + { + "name": "cache_datastore_misses_total", + "sample_rate": 1, + "stat_type": "counter" + } + ], + "description": "List of metrics to be logged.", + "items": { + "properties": { + "consumer_identifier": { + "description": "Authenticated user detail.", + "enum": [ + "consumer_id", + "custom_id", + "username" + ], + "type": "string" + }, + "name": { + "description": "StatsD metric’s name.", + "enum": [ + "cache_datastore_hits_total", + "cache_datastore_misses_total", + "kong_latency", + "latency", + "request_count", + "request_per_user", + "request_size", + "response_size", + "shdict_usage", + "status_count", + "status_count_per_user", + "status_count_per_user_per_route", + "status_count_per_workspace", + "unique_users", + "upstream_latency" + ], + "type": "string" + }, + "sample_rate": { + "description": "Sampling rate", + "minimum": 0, + "type": "number" + }, + "service_identifier": { + "description": "Service detail.", + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "stat_type": { + "description": "Determines what sort of event a metric represents.", + "enum": [ + "counter", + "gauge", + "histogram", + "meter", + "set", + "timer" + ], + "type": "string" + }, + 
"workspace_identifier": { + "description": "Workspace detail.", + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [ + "name", + "stat_type" + ], + "type": "object" + }, + "type": "array" + }, + "port": { + "default": 8125, + "description": "The port of StatsD server to send data to.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": "kong", + "description": "String to prefix to each metric's name.", + "type": "string" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. -1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a 
batch.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "queue_size": { + "type": "integer" + }, + "retry_count": { + "type": "integer" + }, + "service_identifier_default": { + "default": "service_name_or_host", + "enum": [ + "service_host", + "service_id", + "service_name", + "service_name_or_host" + ], + "type": "string" + }, + "tag_style": { + "enum": [ + "dogstatsd", + "influxdb", + "librato", + "signalfx" + ], + "type": "string" + }, + "udp_packet_size": { + "default": 0, + "maximum": 65507, + "minimum": 0, + "type": "number" + }, + "use_tcp": { + "default": false, + "type": "boolean" + }, + "workspace_identifier_default": { + "default": "workspace_id", + "enum": [ + "workspace_id", + "workspace_name" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/syslog/3.11.json b/json_schemas/syslog/3.11.json new file mode 100644 index 00000000..90bd9094 --- /dev/null +++ b/json_schemas/syslog/3.11.json 
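Review bot: Several `config` fields in this schema have no `description` at all: `flush_timeout`, `queue_size`, `retry_count`, `tag_style`, `udp_packet_size`, `use_tcp`, `hostname_in_prefix` and the three `*_identifier_default` fields. An operator therefore cannot tell from the schema what units or effect they have. The statsd-advanced schema in the preceding hunk documents `udp_packet_size`, `use_tcp`, `hostname_in_prefix` and the identifier defaults, so those strings could be reused here, e.g. `"description": "Use TCP instead of UDP."` on `use_tcp`. For `flush_timeout`, `queue_size` and `retry_count`, the description should at least state the unit and whether the field is still honoured alongside `queue`.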
@@ -0,0 +1,171 @@ +{ + "properties": { + "config": { + "properties": { + "client_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "facility": { + "default": "user", + "description": "The facility is used by the operating system to decide how to handle each log message.", + "enum": [ + "auth", + "authpriv", + "cron", + "daemon", + "ftp", + "kern", + "local0", + "local1", + "local2", + "local3", + "local4", + "local5", + "local6", + "local7", + "lpr", + "mail", + "news", + "syslog", + "user", + "uucp" + ], + "type": "string" + }, + "log_level": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "server_errors_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + }, + "successful_severity": { + "default": "info", + "enum": [ + "alert", + "crit", + "debug", + "emerg", + "err", + "info", + "notice", + "warning" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/tcp-log/3.11.json b/json_schemas/tcp-log/3.11.json new file mode 100644 index 00000000..91b64178 --- /dev/null +++ b/json_schemas/tcp-log/3.11.json 
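Review bot: `config.custom_fields_by_lua` is declared with `"additionalProperties": true` and no value type, so any JSON value validates for a field whose values are run as Lua; the tcp-log and udp-log sections of this patch have the same shape. If the values are meant to be source strings, as the tcp-log description suggests, the schema could say so with `"additionalProperties": { "type": "string" }`. The description here (`Lua code as a key-value map`) also drops what tcp-log states, that each value is a chunk of Lua whose return value sets or replaces the log field. I would reuse that sentence and add that the code is presumably evaluated inside the gateway, so write access to this field should be limited to trusted administrators.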
@@ -0,0 +1,117 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", + "type": "object" + }, + "host": { + "description": "The IP address or host name to send data to.", + "type": "string" + }, + "keepalive": { + "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "type": "number" + }, + "port": { + "description": "The port to send data to on the upstream server.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + }, + "tls": { + "default": false, + "description": "Indicates whether to perform a TLS handshake against the remote server.", + "type": "boolean" + }, + "tls_sni": { + "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/tls-handshake-modifier/3.11.json b/json_schemas/tls-handshake-modifier/3.11.json new file mode 100644 index 00000000..358d3225 --- /dev/null +++ b/json_schemas/tls-handshake-modifier/3.11.json 
@@ -0,0 +1,68 @@ +{ + "properties": { + "config": { + "properties": { + "tls_client_certificate": { + "default": "REQUEST", + "description": "TLS Client Certificate", + "enum": [ + "REQUEST" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpcs", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpcs", + "https", + "tls" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/tls-metadata-headers/3.11.json b/json_schemas/tls-metadata-headers/3.11.json new file mode 100644 index 00000000..3ae3ee64 --- /dev/null +++ b/json_schemas/tls-metadata-headers/3.11.json 
@@ -0,0 +1,90 @@ +{ + "properties": { + "config": { + "properties": { + "client_cert_fingerprint_header_name": { + "default": "X-Client-Cert-Fingerprint", + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", + "type": "string" + }, + "client_cert_header_name": { + "default": "X-Client-Cert", + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", + "type": "string" + }, + "client_cert_issuer_dn_header_name": { + "default": "X-Client-Cert-Issuer-DN", + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", + "type": "string" + }, + "client_cert_subject_dn_header_name": { + "default": "X-Client-Cert-Subject-DN", + "description": "Define the HTTP header name used for the subject DN of the client certificate.", + "type": "string" + }, + "client_serial_header_name": { + "default": "X-Client-Cert-Serial", + "description": "Define the HTTP header name used for the serial number of the client certificate.", + "type": "string" + }, + "inject_client_cert_details": { + "default": false, + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", + "type": "boolean" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpcs", + "https" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "grpcs", + "https", + "tls" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/udp-log/3.11.json b/json_schemas/udp-log/3.11.json new file mode 100644 index 00000000..1c727685 --- /dev/null +++ b/json_schemas/udp-log/3.11.json 
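Review bot: The five `*_header_name` fields under `config` are plain `"type": "string"` with no `minLength` or `pattern`, so an empty name, or one containing spaces or line breaks, passes schema validation. A constraint such as `"minLength": 1, "pattern": "^[A-Za-z0-9-]+$"` would reject those before the value is used as a header name; whether the server validates this separately is not visible here. The description of `inject_client_cert_details` could also state whether a client-supplied header with the same name is overwritten, since an upstream that trusts `X-Client-Cert-Subject-DN` depends on that.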
@@ -0,0 +1,103 @@ +{ + "properties": { + "config": { + "properties": { + "custom_fields_by_lua": { + "additionalProperties": true, + "description": "Lua code as a key-value map", + "type": "object" + }, + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "timeout": { + "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/upstream-oauth/3.11.json b/json_schemas/upstream-oauth/3.11.json new file mode 100644 index 00000000..52fecf57 --- /dev/null +++ b/json_schemas/upstream-oauth/3.11.json 
@@ -0,0 +1,509 @@ +{ + "properties": { + "config": { + "properties": { + "behavior": { + "properties": { + "idp_error_response_body_template": { + "default": "{ \"code\": \"{{status}}\", \"message\": \"{{message}}\" }", + "description": "The template to use to create the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "minLength": 0, + "type": "string" + }, + "idp_error_response_content_type": { + "default": "application/json; charset=utf-8", + "description": "The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "minLength": 0, + "type": "string" + }, + "idp_error_response_message": { + "default": "Failed to authenticate request to upstream", + "description": "The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", + "minLength": 0, + "type": "string" + }, + "idp_error_response_status_code": { + "default": 502, + "description": "The response code to return to the consumer if Kong fails to obtain a token from the IdP.", + "maximum": 599, + "minimum": 500, + "type": "integer" + }, + "purge_token_on_upstream_status_codes": { + "default": [ + 401 + ], + "description": "An array of status codes which will force an access token to be purged when returned by the upstream. 
An empty array will disable this functionality.", + "items": { + "maximum": 599, + "minimum": 100, + "required": [ + + ], + "type": "integer" + }, + "type": "array" + }, + "upstream_access_token_header_name": { + "default": "Authorization", + "description": "The name of the header used to send the access token (obtained from the IdP) to the upstream service.", + "minLength": 0, + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "cache": { + "properties": { + "default_ttl": { + "default": 3600, + "description": "The lifetime of a token without an explicit `expires_in` value.", + "minimum": 0, + "type": "number" + }, + "eagerly_expire": { + "default": 5, + "description": "The number of seconds to eagerly expire a cached token. By default, a cached token expires 5 seconds before its lifetime as defined in `expires_in`.", + "minimum": -1, + "type": "integer" + }, + "memory": { + "properties": { + "dictionary_name": { + "default": "kong_db_cache", + "description": "The shared dictionary used by the plugin to cache tokens if `config.cache.strategy` is set to `memory`.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "redis": { + "properties": { + "cluster_max_redirections": { + "default": 5, + "description": "Maximum retry attempts for redirection.", + "type": "integer" + }, + "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "ip": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "connection_is_proxied": { + "default": false, + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "type": "boolean" + }, + "database": { + "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", + "type": "integer" + }, + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "keepalive_pool_size": { + "default": 256, + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. 
If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "maximum": 2147483646, + "minimum": 1, + "type": "integer" + }, + "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sentinel_master": { + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" + }, + "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", + "items": { + "properties": { + "host": { + "default": "127.0.0.1", + "description": "A string representing a host name, such as example.com.", + "type": "string" + }, + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "maximum": 65535, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "enum": [ + "any", + "master", + "slave" + ], + "type": "string" + }, + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + }, + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + }, + "ssl": { + "default": false, + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" + }, + "ssl_verify": { + "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" + }, + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "type": "string" + } + }, + "required": [ + + ], + "shorthand_fields": { + "cluster_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "sentinel_addresses": { + "items": { + "type": "string" + }, + "minLength": 1, + "type": "array" + }, + "timeout": { + "type": "integer" + } + }, + "type": "object" + }, + "strategy": { + "default": "memory", + "description": "The method Kong should use to cache tokens issued by the IdP.", + "enum": [ + "memory", + "redis" + ], + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "client": { + "properties": { + "auth_method": { + "default": "client_secret_post", + "description": "The authentication method used in client requests to the IdP. 
Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", + "enum": [ + "client_secret_basic", + "client_secret_jwt", + "client_secret_post", + "none" + ], + "type": "string" + }, + "client_secret_jwt_alg": { + "default": "HS512", + "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", + "enum": [ + "HS256", + "HS512" + ], + "type": "string" + }, + "http_proxy": { + "description": "The proxy to use when making HTTP requests to the IdP.", + "type": "string" + }, + "http_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `http_proxy`.", + "type": "string" + }, + "http_version": { + "default": 1.1, + "description": "The HTTP version used for requests made by this plugin. 
Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", + "type": "number" + }, + "https_proxy": { + "description": "The proxy to use when making HTTPS requests to the IdP.", + "type": "string" + }, + "https_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `https_proxy`.", + "type": "string" + }, + "keep_alive": { + "default": true, + "description": "Whether to use keepalive connections to the IdP.", + "type": "boolean" + }, + "no_proxy": { + "description": "A comma-separated list of hosts that should not be proxied.", + "type": "string" + }, + "ssl_verify": { + "default": false, + "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Network I/O timeout for requests to the IdP in milliseconds.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "oauth": { + "properties": { + "audience": { + "default": [ + + ], + "description": "List of audiences passed to the IdP when obtaining a new token.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "client_id": { + "description": "The client ID for the application registration in the IdP.", + "type": "string" + }, + "client_secret": { + "description": "The client secret for the application registration in the IdP.", + "type": "string" + }, + "grant_type": { + "default": "client_credentials", + "description": "The OAuth grant type to be used.", + "enum": [ + "client_credentials", + "password" + ], + "type": "string" + }, + "password": { + "description": "The password to use if `config.oauth.grant_type` is set to `password`.", + "type": "string" + }, + "scopes": { + "default": [ + "openid" + ], + "description": "List of scopes to request from the IdP when obtaining a new token.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": 
"array" + }, + "token_endpoint": { + "description": "The token endpoint URI.", + "type": "string" + }, + "token_headers": { + "additionalProperties": true, + "description": "Extra headers to be passed in the token endpoint request.", + "type": "object" + }, + "token_post_args": { + "additionalProperties": true, + "description": "Extra post arguments to be passed in the token endpoint request.", + "type": "object" + }, + "username": { + "description": "The username to use if `config.oauth.grant_type` is set to `password`.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/upstream-timeout/3.11.json b/json_schemas/upstream-timeout/3.11.json new file mode 100644 index 00000000..6ba90827 --- /dev/null +++ b/json_schemas/upstream-timeout/3.11.json 
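Review bot: `config.client.ssl_verify` defaults to `false`, so with a default configuration the token request carrying `client_id` and `client_secret` goes to the IdP without certificate verification. `config.cache.redis.ssl` and `ssl_verify` default to `false` as well, and that store holds the cached access tokens. I would propose `"default": true` for `config.client.ssl_verify`, or, if the default has to stay for compatibility, a description that says verification is off unless enabled and points to `lua_ssl_trusted_certificate` the way the Redis entry does. Separately, `cluster_nodes`, `sentinel_nodes` and the two shorthand address arrays use `"minLength": 1`, which JSON Schema applies only to strings; `"minItems": 1` is the keyword that enforces the one-element minimum the descriptions promise.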
@@ -0,0 +1,94 @@ +{ + "properties": { + "config": { + "properties": { + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/vault-auth/3.11.json b/json_schemas/vault-auth/3.11.json new file mode 100644 index 00000000..08e8cc3b --- /dev/null +++ b/json_schemas/vault-auth/3.11.json 
@@ -0,0 +1,110 @@ +{ + "properties": { + "config": { + "properties": { + "access_token_name": { + "default": "access_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "items": { + "description": "A string representing an HTTP header name.", + "required": [ + + ], + "type": "string" + }, + "type": "string" + }, + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" + }, + "hide_credentials": { + "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", + "type": "boolean" + }, + "run_on_preflight": { + "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "type": "boolean" + }, + "secret_token_name": { + "default": "secret_token", + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. 
The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", + "items": { + "description": "A string representing an HTTP header name.", + "required": [ + + ], + "type": "string" + }, + "type": "string" + }, + "tokens_in_body": { + "default": false, + "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "type": "boolean" + }, + "vault": { + "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
diff --git a/json_schemas/websocket-size-limit/3.11.json b/json_schemas/websocket-size-limit/3.11.json new file mode 100644 index 00000000..483c3c46 --- /dev/null +++ b/json_schemas/websocket-size-limit/3.11.json 
@@ -0,0 +1,82 @@ +{ + "properties": { + "config": { + "properties": { + "client_max_payload": { + "maximum": 33554432, + "minimum": 1, + "type": "integer" + }, + "upstream_max_payload": { + "maximum": 33554432, + "minimum": 1, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file 
diff --git a/json_schemas/websocket-validator/3.11.json b/json_schemas/websocket-validator/3.11.json new file mode 100644 index 00000000..65cf170c --- /dev/null +++ b/json_schemas/websocket-validator/3.11.json 
@@ -0,0 +1,168 @@ +{ + "properties": { + "config": { + "properties": { + "client": { + "properties": { + "binary": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + }, + "text": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "upstream": { + "properties": { + "binary": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + }, + "text": { + "properties": { + "schema": { + "description": "Schema used to validate upstream-originated binary frames. 
The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", + "type": "string" + }, + "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "enum": [ + "draft4" + ], + "type": "string" + } + }, + "required": [ + "schema", + "type" + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "ws", + "wss" + ], + "description": "A list of the request protocols that will trigger this plugin. The default value, as well as the possible values allowed on this field, may change depending on the plugin type. For example, plugins that only work in stream mode will only support tcp and tls.", + "items": { + "enum": [ + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. 
Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/xml-threat-protection/3.11.json b/json_schemas/xml-threat-protection/3.11.json new file mode 100644 index 00000000..48a6bd95 --- /dev/null +++ b/json_schemas/xml-threat-protection/3.11.json 
@@ -0,0 +1,228 @@ +{ + "properties": { + "config": { + "properties": { + "allow_dtd": { + "default": false, + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", + "type": "boolean" + }, + "allowed_content_types": { + "default": [ + + ], + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", + "items": { + "pattern": "^[^\\t\\n\\v\\f\\r ]+\\/[^ ;]+$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "attribute": { + "default": 1048576, + "description": "Maximum size of the attribute value.", + "minimum": 0, + "type": "integer" + }, + "bla_max_amplification": { + "default": 100, + "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", + "minimum": 1, + "type": "number" + }, + "bla_threshold": { + "default": 8388608, + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", + "minimum": 1024, + "type": "integer" + }, + "buffer": { + "default": 1048576, + "description": "Maximum size of the unparsed buffer (see below).", + "minimum": 0, + "type": "integer" + }, + "checked_content_types": { + "default": [ + "application/xml" + ], + "description": "A list of Content-Type values with payloads that must be validated.", + "items": { + "pattern": "^[^\\t\\n\\v\\f\\r ]+\\/[^ ;]+$", + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "comment": { + "default": 1024, + "description": "Maximum size of comments.", + "minimum": 0, + "type": "integer" + }, + "document": { + "default": 10485760, + "description": "Maximum size of the entire document.", + "minimum": 0, + "type": "integer" + }, + "entity": { + "default": 1024, + "description": "Maximum size of entity values in EntityDecl.", + "minimum": 0, + "type": "integer" + }, + "entityname": { + "default": 1024, + "description": "Maximum size of entity names in EntityDecl.", + 
"minimum": 0, + "type": "integer" + }, + "entityproperty": { + "default": 1024, + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", + "minimum": 0, + "type": "integer" + }, + "localname": { + "default": 1024, + "description": "Maximum size of the localname. This applies to tags and attributes.", + "minimum": 0, + "type": "integer" + }, + "max_attributes": { + "default": 100, + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", + "minimum": 0, + "type": "integer" + }, + "max_children": { + "default": 100, + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", + "minimum": 0, + "type": "integer" + }, + "max_depth": { + "default": 50, + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", + "minimum": 0, + "type": "integer" + }, + "max_namespaces": { + "default": 20, + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", + "minimum": 0, + "type": "integer" + }, + "namespace_aware": { + "default": true, + "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", + "type": "boolean" + }, + "namespaceuri": { + "default": 1024, + "description": "Maximum size of the namespace URI. 
This value is required if parsing is namespace-aware.", + "minimum": 0, + "type": "integer" + }, + "pidata": { + "default": 1024, + "description": "Maximum size of processing instruction data.", + "minimum": 0, + "type": "integer" + }, + "pitarget": { + "default": 1024, + "description": "Maximum size of processing instruction targets.", + "minimum": 0, + "type": "integer" + }, + "prefix": { + "default": 1024, + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", + "minimum": 0, + "type": "integer" + }, + "text": { + "default": 1048576, + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", + "minimum": 0, + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. 
Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file diff --git a/json_schemas/zipkin/3.11.json b/json_schemas/zipkin/3.11.json new file mode 100644 index 00000000..0e5554bb --- /dev/null +++ b/json_schemas/zipkin/3.11.json 
@@ -0,0 +1,366 @@ +{ + "properties": { + "config": { + "properties": { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "default_header_type": { + "default": "b3", + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "type": "string" + }, + "default_service_name": { + "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans.", + "type": "string" + }, + "header_type": { + "default": "preserve", + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. 
This property codifies what kind of tracing header the plugin expects on incoming requests", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "ignore", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "type": "string" + }, + "http_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + }, + "http_response_header_for_traceid": { + "type": "string" + }, + "http_span_name": { + "default": "method", + "description": "Specify whether to include the HTTP path in the span name.", + "enum": [ + "method", + "method_path" + ], + "type": "string" + }, + "include_credential": { + "default": true, + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", + "type": "boolean" + }, + "local_service_name": { + "default": "kong", + "description": "The name of the service as displayed in Zipkin.", + "type": "string" + }, + "phase_duration_flavor": { + "default": "annotations", + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", + "enum": [ + "annotations", + "tags" + ], + "type": "string" + }, + "propagation": { + "default": { + "default_format": "b3" + }, + "properties": { + "clear": { + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", + "items": { + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "default_format": { + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. 
This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "type": "string" + }, + "extract": { + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", + "items": { + "enum": [ + "aws", + "b3", + "datadog", + "gcp", + "jaeger", + "ot", + "w3c" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "inject": { + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", + "items": { + "enum": [ + "aws", + "b3", + "b3-single", + "datadog", + "gcp", + "jaeger", + "ot", + "preserve", + "w3c" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "default_format" + ], + "type": "object" + }, + "queue": { + "properties": { + "concurrency_limit": { + "default": 1, + "description": "The number of of queue delivery timers. 
-1 indicates unlimited.", + "enum": [ + -1, + 1 + ], + "type": "integer" + }, + "initial_retry_delay": { + "default": 0.01, + "description": "Time in seconds before the initial retry is made for a failing batch.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_batch_size": { + "default": 1, + "description": "Maximum number of entries that can be processed at a time.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_bytes": { + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" + }, + "max_coalescing_delay": { + "default": 1, + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "maximum": 3600, + "minimum": 0, + "type": "number" + }, + "max_entries": { + "default": 10000, + "description": "Maximum number of entries that can be waiting on the queue.", + "maximum": 1000000, + "minimum": 1, + "type": "integer" + }, + "max_retry_delay": { + "default": 60, + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "maximum": 1000000, + "minimum": 0.001, + "type": "number" + }, + "max_retry_time": { + "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "type": "number" + } + }, + "required": [ + + ], + "type": "object" + }, + "read_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "sample_ratio": { + "default": 0.001, + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. 
", + "maximum": 1, + "minimum": 0, + "type": "number" + }, + "send_timeout": { + "default": 5000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "maximum": 2147483646, + "minimum": 0, + "type": "integer" + }, + "static_tags": { + "description": "The tags specified on this property will be added to the generated request traces.", + "items": { + "properties": { + "name": { + "not_one_of": [ + "error", + "http.method", + "http.path", + "http.status_code", + "kong.balancer.state", + "kong.balancer.try", + "kong.consumer", + "kong.credential", + "kong.node.id", + "kong.route", + "kong.service", + "lc", + "peer.hostname" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "tags_header": { + "default": "Zipkin-Tags", + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", + "type": "string" + }, + "traceid_byte_count": { + "default": 16, + "description": "The length in bytes of each request's Trace ID.", + "enum": [ + 8, + 16 + ], + "type": "integer" + } + }, + "required": [ + + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing protocols.", + "items": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "enum": [ + "grpc", + "grpcs", + "http", + "https", + "tcp", + "tls", + "tls_passthrough", + "udp", + "ws", + "wss" + ], + "required": [ + + ], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + + ], + "type": "object" + } + }, + "required": [ + + ] +} \ No newline at end of file From e05b1f65aabf8c2e42f75ff791ad5c8bb3bb28bb Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Mon, 31 Mar 2025 14:25:42 +0200 Subject: [PATCH 148/165] Add note about fields that have `encrypted: true` to their descriptions --- lib/convert_json_schema.rb | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/lib/convert_json_schema.rb b/lib/convert_json_schema.rb index 8372fa69..562328b5 100644 --- a/lib/convert_json_schema.rb +++ b/lib/convert_json_schema.rb 
@@ -85,7 +85,16 @@ def convert_to_json_schema(props)
 fields['format'] = 'uuid'
 end
 
- if k =='referenceable'
+ if k == 'encrypted'
+ note = 'This field is [encrypted](/gateway/keyring/).'
+ if fields.key?('description')
+ fields['description'] << "\n#{note}"
+ else
+ fields['description'] = note
+ end
+ end
+
+ if k == 'referenceable'
 note = 'This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).'
 if fields.key?('description')
 fields['description'] << "\n#{note}"
@@ -94,6 +103,14 @@ def convert_to_json_schema(props)
 end
 end
 
+ if k == 'description'
+ if fields.key?('description')
+ fields['description'] = "#{v}\n#{fields['description']}"
+ else
+ fields['description'] = v
+ end
+ end
+
 # Remove unused fields
 next if [
 'entity_checks',
@@ -105,7 +122,8 @@ def convert_to_json_schema(props)
 'auto',
 'match_none',
 'starts_with',
- 'deprecation'
+ 'deprecation',
+ 'description'
 ].include?(k)
 
 if k == 'type' && v == 'foreign'
From deb2c10fccb2f996f0306582b3167cc7579369ff Mon Sep 17 00:00:00 2001
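Review bot: In the first hunk the new `if k == 'encrypted'` branch appends the note whenever the key is present and never looks at `v`, so a field declared with `encrypted: false` would also be documented as encrypted; `if k == 'encrypted' && v == true` would tie the note to the flag's value (the `referenceable` branch just below has the same shape). The wording is also unconditional, while, as far as I know, Kong only encrypts such fields at rest when the keyring is enabled, so a reader may assume protection that a given deployment does not have; `note = 'This field is [encrypted](/gateway/keyring/) when keyring is enabled.'` would be safer. convert_to_json_schema starts and ends outside the hunk, so the type of `v` here is inferred.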
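Review bot: In the second hunk `fields['description'] = v` stores the caller's own String, and the `encrypted` and `referenceable` branches extend `fields['description']` in place with `<<`, so whenever `description` is visited before those keys the input schema's description is mutated as a side effect, and the call raises FrozenError if that string is frozen. Assigning a copy, `fields['description'] = v.dup`, or building a new string in the note branches with `fields['description'] = "#{fields['description']}\n#{note}"`, removes the aliasing. The same concern applies to `fields['description'] = note` if the file enables frozen string literals, which is not visible here. The loop and the method boundaries are outside the hunk, so running the converter twice over the same `props` is only a presumed way for the duplicated notes to show up.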
From: fabianrbz <715229+fabianrbz@users.noreply.github.com> Date: Tue, 1 Apr 2025 06:26:16 +0000 Subject: [PATCH 149/165] JSON Schemas for 3.11.x --- json_schemas/acme/3.11.json | 8 ++-- .../ai-azure-content-safety/3.11.json | 4 +- json_schemas/ai-proxy-advanced/3.11.json | 44 +++++++++---------- json_schemas/ai-proxy/3.11.json | 20 ++++----- json_schemas/ai-rag-injector/3.11.json | 18 ++++---- .../ai-rate-limiting-advanced/3.11.json | 4 +- json_schemas/ai-request-transformer/3.11.json | 12 ++--- .../ai-response-transformer/3.11.json | 12 ++--- json_schemas/ai-semantic-cache/3.11.json | 16 +++---- .../ai-semantic-prompt-guard/3.11.json | 16 +++---- .../application-registration/3.11.json | 3 +- json_schemas/aws-lambda/3.11.json | 6 +-- json_schemas/azure-functions/3.11.json | 4 +- json_schemas/confluent-consume/3.11.json | 8 ++-- json_schemas/confluent/3.11.json | 8 ++-- json_schemas/forward-proxy/3.11.json | 4 +- .../graphql-proxy-cache-advanced/3.11.json | 4 +- .../graphql-rate-limiting-advanced/3.11.json | 4 +- json_schemas/http-log/3.11.json | 2 +- json_schemas/jwt-signer/3.11.json | 16 +++---- json_schemas/kafka-consume/3.11.json | 4 +- json_schemas/kafka-log/3.11.json | 4 +- json_schemas/kafka-upstream/3.11.json | 4 +- .../konnect-application-auth/3.11.json | 36 +++++++-------- json_schemas/ldap-auth-advanced/3.11.json | 2 +- json_schemas/loggly/3.11.json | 2 +- json_schemas/oauth2-introspection/3.11.json | 2 +- json_schemas/oauth2/3.11.json | 2 +- json_schemas/openid-connect/3.11.json | 36 +++++++-------- json_schemas/proxy-cache-advanced/3.11.json | 4 +- json_schemas/rate-limiting-advanced/3.11.json | 4 +- json_schemas/rate-limiting/3.11.json | 2 +- json_schemas/request-callout/3.11.json | 4 +- json_schemas/response-ratelimiting/3.11.json | 2 +- json_schemas/saml/3.11.json | 14 +++--- json_schemas/service-protection/3.11.json | 4 +- json_schemas/session/3.11.json | 2 +- json_schemas/standard-webhooks/3.11.json | 2 +- json_schemas/upstream-oauth/3.11.json | 
12 ++--- 39 files changed, 178 insertions(+), 177 deletions(-) diff --git a/json_schemas/acme/3.11.json b/json_schemas/acme/3.11.json index 519cb9e8..68ed1e1b 100644 --- a/json_schemas/acme/3.11.json +++ b/json_schemas/acme/3.11.json @@ -3,7 +3,7 @@ "config": { "properties": { "account_email": { - "description": "The account identifier. Can be reused in a different plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The account identifier. Can be reused in a different plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "pattern": "[a-zA-Z0-9]*[!-/:-@[-`{-~]*@+[a-zA-Z0-9]*%.?[a-zA-Z0-9]*", "type": "string" }, 
@@ -64,11 +64,11 @@ "type": "array" }, "eab_hmac_key": { - "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "eab_kid": { - "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "enable_ipv4_common_name": { @@ -190,7 +190,7 @@ "type": "string" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "minLength": 0, "type": "string" }, diff --git a/json_schemas/ai-azure-content-safety/3.11.json b/json_schemas/ai-azure-content-safety/3.11.json index cfcbebfa..55445bda 100644 --- a/json_schemas/ai-azure-content-safety/3.11.json +++ b/json_schemas/ai-azure-content-safety/3.11.json 
@@ -55,11 +55,11 @@ "type": "array" }, "content_safety_key": { - "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "content_safety_url": { - "description": "Full URL, inc protocol, of the Azure Content Safety instance.", + "description": "Full URL, inc protocol, of the Azure Content Safety instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "halt_on_blocklist_hit": { diff --git a/json_schemas/ai-proxy-advanced/3.11.json b/json_schemas/ai-proxy-advanced/3.11.json index 2d8f9810..ff4b431e 100644 --- a/json_schemas/ai-proxy-advanced/3.11.json +++ b/json_schemas/ai-proxy-advanced/3.11.json 
@@ -88,23 +88,23 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { 
@@ -113,7 +113,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "gcp_use_service_account": { @@ -122,11 +122,11 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_location": { 
@@ -138,11 +138,11 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, 
@@ -223,23 +223,23 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { 
@@ -248,7 +248,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "gcp_use_service_account": { @@ -257,11 +257,11 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_location": { 
@@ -273,11 +273,11 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, @@ -575,7 +575,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { 
@@ -629,7 +629,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/ai-proxy/3.11.json b/json_schemas/ai-proxy/3.11.json index c59dc832..f3b798d0 100644 --- a/json_schemas/ai-proxy/3.11.json +++ b/json_schemas/ai-proxy/3.11.json 
@@ -10,23 +10,23 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { 
@@ -35,7 +35,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "gcp_use_service_account": { @@ -44,11 +44,11 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_location": { 
@@ -60,11 +60,11 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/ai-rag-injector/3.11.json b/json_schemas/ai-rag-injector/3.11.json index d7b0168b..13cf7792 100644 --- a/json_schemas/ai-rag-injector/3.11.json +++ b/json_schemas/ai-rag-injector/3.11.json 
@@ -12,11 +12,11 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_client_id": { @@ -24,7 +24,7 @@ "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_tenant_id": { 
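Review bot: In this file the two appended sentences come in the opposite order from every other schema in the patch: `referenceable` first and `encrypted` second, for example on `aws_access_key_id`, `aws_secret_access_key`, `azure_client_secret`, `gcp_service_account_json`, `header_value` and `param_value`. The later `password` and `sentinel_password` hunks of this same file use the usual `encrypted` then `referenceable` order, so the file is inconsistent with itself too. If the descriptions are generated, the difference suggests these fields take a separate code path, and it would be worth making the order uniform so tooling or readers scanning for the `encrypted` marker see it in one place.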
@@ -37,7 +37,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "gcp_use_service_account": { @@ -50,7 +50,7 @@ "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "param_location": { @@ -66,7 +66,7 @@ "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" } }, 
@@ -249,7 +249,7 @@ "type": "string" }, "password": { - "description": "the password of the pgvector database\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "the password of the pgvector database\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -374,7 +374,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -428,7 +428,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/ai-rate-limiting-advanced/3.11.json b/json_schemas/ai-rate-limiting-advanced/3.11.json index e71d1c05..734c66d1 100644 --- a/json_schemas/ai-rate-limiting-advanced/3.11.json +++ b/json_schemas/ai-rate-limiting-advanced/3.11.json 
@@ -161,7 +161,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -215,7 +215,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/ai-request-transformer/3.11.json b/json_schemas/ai-request-transformer/3.11.json index a314d401..adc3e244 100644 --- a/json_schemas/ai-request-transformer/3.11.json +++ b/json_schemas/ai-request-transformer/3.11.json 
@@ -42,11 +42,11 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_id": { 
@@ -54,7 +54,7 @@ "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_tenant_id": { @@ -67,7 +67,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "gcp_use_service_account": { 
@@ -80,7 +80,7 @@ "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_location": { @@ -96,7 +96,7 @@ "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/ai-response-transformer/3.11.json b/json_schemas/ai-response-transformer/3.11.json index aae73e51..ed963c32 100644 --- a/json_schemas/ai-response-transformer/3.11.json +++ b/json_schemas/ai-response-transformer/3.11.json 
@@ -42,11 +42,11 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_id": { 
@@ -54,7 +54,7 @@ "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_tenant_id": { @@ -67,7 +67,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "gcp_use_service_account": { 
@@ -80,7 +80,7 @@ "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_location": { @@ -96,7 +96,7 @@ "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/ai-semantic-cache/3.11.json b/json_schemas/ai-semantic-cache/3.11.json index be340741..9bbbc340 100644 --- a/json_schemas/ai-semantic-cache/3.11.json +++ b/json_schemas/ai-semantic-cache/3.11.json 
@@ -23,11 +23,11 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_id": { 
@@ -35,7 +35,7 @@ "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_tenant_id": { @@ -48,7 +48,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "gcp_use_service_account": { 
@@ -61,7 +61,7 @@ "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_location": { @@ -77,7 +77,7 @@ "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, @@ -239,7 +239,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { 
@@ -293,7 +293,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/ai-semantic-prompt-guard/3.11.json b/json_schemas/ai-semantic-prompt-guard/3.11.json index 6bab0187..cecaebb0 100644 --- a/json_schemas/ai-semantic-prompt-guard/3.11.json +++ b/json_schemas/ai-semantic-prompt-guard/3.11.json 
@@ -12,11 +12,11 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_id": { 
@@ -24,7 +24,7 @@ "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_tenant_id": { @@ -37,7 +37,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "gcp_use_service_account": { 
@@ -50,7 +50,7 @@ "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_location": { @@ -66,7 +66,7 @@ "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, @@ -259,7 +259,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { 
@@ -313,7 +313,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/application-registration/3.11.json b/json_schemas/application-registration/3.11.json index 42680aeb..84b50628 100644 --- a/json_schemas/application-registration/3.11.json +++ b/json_schemas/application-registration/3.11.json @@ -9,7 +9,8 @@ }, "description": { "description": "Unique description displayed in information about a Service in the Developer Portal.", - "type": "string" + "type": "string", + "unique": true }, "display_name": { "description": "Unique display name used for a Service in the Developer Portal.", diff --git a/json_schemas/aws-lambda/3.11.json b/json_schemas/aws-lambda/3.11.json index 166740b4..e90e09aa 100644 --- a/json_schemas/aws-lambda/3.11.json +++ b/json_schemas/aws-lambda/3.11.json @@ -3,7 +3,7 @@ "config": { "properties": { "aws_assume_role_arn": { - "description": "The target AWS IAM role ARN used to invoke the Lambda function.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The target AWS IAM role ARN used to invoke the Lambda function.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_imds_protocol_version": { 
@@ -16,7 +16,7 @@ "type": "string" }, "aws_key": { - "description": "The AWS key credential to be used when invoking the function.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The AWS key credential to be used when invoking the function.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_region": { @@ -29,7 +29,7 @@ "type": "string" }, "aws_secret": { - "description": "The AWS secret credential to be used when invoking the function. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The AWS secret credential to be used when invoking the function. \nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_sts_endpoint_url": { diff --git a/json_schemas/azure-functions/3.11.json b/json_schemas/azure-functions/3.11.json index 4a188c42..6fc519b4 100644 --- a/json_schemas/azure-functions/3.11.json +++ b/json_schemas/azure-functions/3.11.json @@ -3,7 +3,7 @@ "config": { "properties": { "apikey": { - "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "appname": { 
@@ -11,7 +11,7 @@ "type": "string" }, "clientid": { - "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "functionname": { diff --git a/json_schemas/confluent-consume/3.11.json b/json_schemas/confluent-consume/3.11.json index 70519aff..d505c1b9 100644 --- a/json_schemas/confluent-consume/3.11.json +++ b/json_schemas/confluent-consume/3.11.json @@ -35,11 +35,11 @@ "type": "array" }, "cluster_api_key": { - "description": "Username/Apikey for SASL authentication.", + "description": "Username/Apikey for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "cluster_api_secret": { - "description": "Password/ApiSecret for SASL authentication.", + "description": "Password/ApiSecret for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "cluster_name": { 
@@ -56,11 +56,11 @@ "type": "string" }, "confluent_cloud_api_key": { - "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", + "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "confluent_cloud_api_secret": { - "description": "The corresponding secret for the Confluent Cloud API key.", + "description": "The corresponding secret for the Confluent Cloud API key.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "keepalive": { diff --git a/json_schemas/confluent/3.11.json b/json_schemas/confluent/3.11.json index 2eda69cb..fc6d9df4 100644 --- a/json_schemas/confluent/3.11.json +++ b/json_schemas/confluent/3.11.json @@ -26,11 +26,11 @@ "type": "array" }, "cluster_api_key": { - "description": "Username/Apikey for SASL authentication.", + "description": "Username/Apikey for SASL authentication.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "cluster_api_secret": { - "description": "Password/ApiSecret for SASL authentication.", + "description": "Password/ApiSecret for SASL authentication.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "cluster_name": { 
@@ -38,11 +38,11 @@ "type": "string" }, "confluent_cloud_api_key": { - "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", + "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "confluent_cloud_api_secret": { - "description": "The corresponding secret for the Confluent Cloud API key.", + "description": "The corresponding secret for the Confluent Cloud API key.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "forward_body": { diff --git a/json_schemas/forward-proxy/3.11.json b/json_schemas/forward-proxy/3.11.json index ad6b829b..c0f4b52a 100644 --- a/json_schemas/forward-proxy/3.11.json +++ b/json_schemas/forward-proxy/3.11.json @@ -3,11 +3,11 @@ "config": { "properties": { "auth_password": { - "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "auth_username": { - "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "http_proxy_host": { 
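Review bot: In the `json_schemas/forward-proxy/3.11.json` hunk, `auth_password` gains only the referenceable sentence, while the other password and secret fields touched in this patch (Redis `password` and `sentinel_password`, Kafka `password`, `cluster_api_secret`, the jwt-signer `*_client_password` fields) also gain `This field is [encrypted](/gateway/keyring/).` If these descriptions are derived from the plugin schema, as the first commit message in the series suggests, the forward-proxy basic-auth password is presumably not keyring-encrypted at rest; that should be confirmed upstream rather than patched in this downloaded file. If it is confirmed, the description should say so explicitly, for example by appending `\nThis field is not keyring-encrypted; supply it as a vault reference.`, so operators do not assume the same protection the neighbouring plugins document. The `config.properties` object continues past the end of the hunk.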
diff --git a/json_schemas/graphql-proxy-cache-advanced/3.11.json b/json_schemas/graphql-proxy-cache-advanced/3.11.json index 46c5d48b..65438cb1 100644 --- a/json_schemas/graphql-proxy-cache-advanced/3.11.json +++ b/json_schemas/graphql-proxy-cache-advanced/3.11.json @@ -94,7 +94,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -148,7 +148,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/graphql-rate-limiting-advanced/3.11.json b/json_schemas/graphql-rate-limiting-advanced/3.11.json index 6fedc860..acf6b51b 100644 --- a/json_schemas/graphql-rate-limiting-advanced/3.11.json +++ b/json_schemas/graphql-rate-limiting-advanced/3.11.json 
@@ -118,7 +118,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -172,7 +172,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/http-log/3.11.json b/json_schemas/http-log/3.11.json index 2d6b5c6c..927b783f 100644 --- a/json_schemas/http-log/3.11.json +++ b/json_schemas/http-log/3.11.json @@ -26,7 +26,7 @@ "type": "object" }, "http_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "keepalive": { diff --git a/json_schemas/jwt-signer/3.11.json b/json_schemas/jwt-signer/3.11.json index 6b424d39..c151d0ca 100644 --- a/json_schemas/jwt-signer/3.11.json 
+++ b/json_schemas/jwt-signer/3.11.json @@ -133,11 +133,11 @@ "type": "string" }, "access_token_jwks_uri_client_password": { - "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`", + "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "access_token_jwks_uri_client_username": { - "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`", + "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "access_token_jwks_uri_rotate_period": { 
@@ -155,11 +155,11 @@ "type": "string" }, "access_token_keyset_client_password": { - "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`", + "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "access_token_keyset_client_username": { - "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`", + "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "access_token_keyset_rotate_period": { 
@@ -407,11 +407,11 @@ "type": "string" }, "channel_token_jwks_uri_client_password": { - "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`", + "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "channel_token_jwks_uri_client_username": { - "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", + "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "channel_token_jwks_uri_rotate_period": { 
@@ -429,11 +429,11 @@ "type": "string" }, "channel_token_keyset_client_password": { - "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_username`", + "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_username`\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "channel_token_keyset_client_username": { - "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`", + "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "channel_token_keyset_rotate_period": { diff --git a/json_schemas/kafka-consume/3.11.json b/json_schemas/kafka-consume/3.11.json index 10ae7600..443f872e 100644 --- a/json_schemas/kafka-consume/3.11.json +++ b/json_schemas/kafka-consume/3.11.json @@ -14,7 +14,7 @@ "type": "string" }, "password": { - "description": "Password for SASL authentication.", + "description": "Password for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "strategy": { 
@@ -29,7 +29,7 @@ "type": "boolean" }, "user": { - "description": "Username for SASL authentication.", + "description": "Username for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" } }, diff --git a/json_schemas/kafka-log/3.11.json b/json_schemas/kafka-log/3.11.json index 3cc3b73a..f71e86fd 100644 --- a/json_schemas/kafka-log/3.11.json +++ b/json_schemas/kafka-log/3.11.json @@ -14,7 +14,7 @@ "type": "string" }, "password": { - "description": "Password for SASL authentication.", + "description": "Password for SASL authentication.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "strategy": { @@ -29,7 +29,7 @@ "type": "boolean" }, "user": { - "description": "Username for SASL authentication.", + "description": "Username for SASL authentication.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/kafka-upstream/3.11.json b/json_schemas/kafka-upstream/3.11.json index 4fa1cc92..1c889114 100644 --- a/json_schemas/kafka-upstream/3.11.json +++ b/json_schemas/kafka-upstream/3.11.json @@ -14,7 +14,7 @@ "type": "string" }, "password": { - "description": "Password for SASL authentication.", + "description": "Password for SASL authentication.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "strategy": { 
@@ -29,7 +29,7 @@ "type": "boolean" }, "user": { - "description": "Username for SASL authentication.", + "description": "Username for SASL authentication.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/konnect-application-auth/3.11.json b/json_schemas/konnect-application-auth/3.11.json index 6b9a6b29..72694409 100644 --- a/json_schemas/konnect-application-auth/3.11.json +++ b/json_schemas/konnect-application-auth/3.11.json @@ -386,7 +386,7 @@ "type": "array" }, "client_id": { - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.\nThis field is [encrypted](/gateway/keyring/).", "items": { "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ 
@@ -407,15 +407,15 @@ "type": "string" }, "d": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dp": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dq": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "e": { @@ -425,7 +425,7 @@ "type": "string" }, "k": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "key_ops": { 
@@ -447,27 +447,27 @@ "type": "string" }, "oth": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "p": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "q": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "qi": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "r": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "t": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "use": { 
@@ -506,7 +506,7 @@ "type": "array" }, "client_secret": { - "description": "The client secret.", + "description": "The client secret.\nThis field is [encrypted](/gateway/keyring/).", "items": { "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ @@ -584,7 +584,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -638,7 +638,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -1078,7 +1078,7 @@ "type": "array" }, "introspection_headers_values": { - "description": "Extra header values passed to the introspection endpoint.", + "description": "Extra header values passed to the introspection endpoint.\nThis field is [encrypted](/gateway/keyring/).", "items": { "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ 
@@ -1468,7 +1468,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -1526,7 +1526,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -1912,7 +1912,7 @@ "type": "number" }, "session_secret": { - "description": "The session secret.", + "description": "The session secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "session_storage": { diff --git a/json_schemas/ldap-auth-advanced/3.11.json b/json_schemas/ldap-auth-advanced/3.11.json index d4ce271e..bb1579a3 100644 --- a/json_schemas/ldap-auth-advanced/3.11.json +++ b/json_schemas/ldap-auth-advanced/3.11.json 
@@ -91,7 +91,7 @@ "type": "string" }, "ldap_password": { - "description": "The password to the LDAP server.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The password to the LDAP server.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "ldap_port": { diff --git a/json_schemas/loggly/3.11.json b/json_schemas/loggly/3.11.json index 7a26a98b..81d46c2c 100644 --- a/json_schemas/loggly/3.11.json +++ b/json_schemas/loggly/3.11.json @@ -27,7 +27,7 @@ "type": "string" }, "key": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "log_level": { diff --git a/json_schemas/oauth2-introspection/3.11.json b/json_schemas/oauth2-introspection/3.11.json index 482e4d6e..63faff49 100644 --- a/json_schemas/oauth2-introspection/3.11.json +++ b/json_schemas/oauth2-introspection/3.11.json 
@@ -9,7 +9,7 @@ "type": "string" }, "authorization_value": { - "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "consumer_by": { diff --git a/json_schemas/oauth2/3.11.json b/json_schemas/oauth2/3.11.json index ccfd1b4a..19901f44 100644 --- a/json_schemas/oauth2/3.11.json +++ b/json_schemas/oauth2/3.11.json @@ -66,7 +66,7 @@ "type": "string" }, "provision_key": { - "description": "The unique key the plugin has generated when it has been added to the Service.", + "description": "The unique key the plugin has generated when it has been added to the Service.\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "realm": { diff --git a/json_schemas/openid-connect/3.11.json b/json_schemas/openid-connect/3.11.json index 3c83ad57..c7d8dba8 100644 --- a/json_schemas/openid-connect/3.11.json +++ b/json_schemas/openid-connect/3.11.json 
@@ -309,7 +309,7 @@ "type": "array" }, "client_id": { - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.\nThis field is [encrypted](/gateway/keyring/).", "items": { "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ @@ -330,15 +330,15 @@ "type": "string" }, "d": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dp": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dq": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "e": { @@ -348,7 +348,7 @@ "type": "string" }, "k": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "key_ops": { 
@@ -370,27 +370,27 @@ "type": "string" }, "oth": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "p": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "q": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "qi": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "r": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "t": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "use": { 
@@ -429,7 +429,7 @@ "type": "array" }, "client_secret": { - "description": "The client secret.", + "description": "The client secret.\nThis field is [encrypted](/gateway/keyring/).", "items": { "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ @@ -507,7 +507,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -561,7 +561,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -1001,7 +1001,7 @@ "type": "array" }, "introspection_headers_values": { - "description": "Extra header values passed to the introspection endpoint.", + "description": "Extra header values passed to the introspection endpoint.\nThis field is [encrypted](/gateway/keyring/).", "items": { "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ 
@@ -1391,7 +1391,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -1449,7 +1449,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -1835,7 +1835,7 @@ "type": "number" }, "session_secret": { - "description": "The session secret.", + "description": "The session secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "session_storage": { diff --git a/json_schemas/proxy-cache-advanced/3.11.json b/json_schemas/proxy-cache-advanced/3.11.json index d674bb8f..d1dbb059 100644 --- a/json_schemas/proxy-cache-advanced/3.11.json +++ b/json_schemas/proxy-cache-advanced/3.11.json 
@@ -118,7 +118,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -172,7 +172,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/rate-limiting-advanced/3.11.json b/json_schemas/rate-limiting-advanced/3.11.json index 0050c3da..8eb92513 100644 --- a/json_schemas/rate-limiting-advanced/3.11.json +++ b/json_schemas/rate-limiting-advanced/3.11.json 
@@ -171,7 +171,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -232,7 +232,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/rate-limiting/3.11.json b/json_schemas/rate-limiting/3.11.json index ea98ab40..085d4cc0 100644 --- a/json_schemas/rate-limiting/3.11.json +++ b/json_schemas/rate-limiting/3.11.json @@ -89,7 +89,7 @@ "type": "string" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "minLength": 0, "type": "string" }, diff --git a/json_schemas/request-callout/3.11.json b/json_schemas/request-callout/3.11.json index 19da4a70..fdf274f7 100644 
--- a/json_schemas/request-callout/3.11.json +++ b/json_schemas/request-callout/3.11.json @@ -92,7 +92,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -146,7 +146,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/response-ratelimiting/3.11.json b/json_schemas/response-ratelimiting/3.11.json index 229ec4dc..e6ad1ba3 100644 --- a/json_schemas/response-ratelimiting/3.11.json +++ b/json_schemas/response-ratelimiting/3.11.json @@ -61,7 +61,7 @@ "type": "string" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "minLength": 0, "type": "string" }, 
diff --git a/json_schemas/saml/3.11.json b/json_schemas/saml/3.11.json index 71a92cb9..a67f4b8d 100644 --- a/json_schemas/saml/3.11.json +++ b/json_schemas/saml/3.11.json @@ -11,7 +11,7 @@ "type": "string" }, "idp_certificate": { - "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "idp_sso_url": { @@ -101,7 +101,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { 
@@ -159,7 +159,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -242,11 +242,11 @@ "type": "string" }, "request_signing_certificate": { - "description": "The certificate for signing requests.", + "description": "The certificate for signing requests.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "request_signing_key": { - "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "response_digest_algorithm": { 
@@ -259,7 +259,7 @@ "type": "string" }, "response_encryption_key": { - "description": "The private encryption key required to decrypt encrypted assertions.", + "description": "The private encryption key required to decrypt encrypted assertions.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "response_signature_algorithm": { @@ -418,7 +418,7 @@ "type": "number" }, "session_secret": { - "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "maxLength": 32, "minLength": 32, "pattern": "^[0-9a-zA-Z/_+]+$", diff --git a/json_schemas/service-protection/3.11.json b/json_schemas/service-protection/3.11.json index a0134073..b443c359 100644 --- a/json_schemas/service-protection/3.11.json +++ b/json_schemas/service-protection/3.11.json 
@@ -115,7 +115,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -169,7 +169,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/session/3.11.json b/json_schemas/session/3.11.json index ce22bca5..5b276039 100644 --- a/json_schemas/session/3.11.json +++ b/json_schemas/session/3.11.json @@ -150,7 +150,7 @@ }, "secret": { "default": "lt9BJW1n5RfhCxTbNIKqsj8THW7YNdXTA0VW6KQwBUwg", - "description": "The secret that is used in keyed HMAC generation.", + "description": "The secret that is used in keyed HMAC generation.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "stale_ttl": { diff --git a/json_schemas/standard-webhooks/3.11.json b/json_schemas/standard-webhooks/3.11.json index 1faa2af3..e8fec40d 100644 --- a/json_schemas/standard-webhooks/3.11.json 
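Review bot: In the json_schemas/session/3.11.json hunk, the `secret` property still carries a concrete `"default"` string on the context line directly above the description that now calls the field encrypted and referenceable. The published schema therefore hands every reader a usable value for a keyed-HMAC secret. If that default is just a value captured when the schema was exported (not confirmable from this hunk), any deployment that copies it or leaves it in place signs sessions with a publicly known key, and keyring encryption at rest does not change that. I would have the export step drop the `"default"` line for properties flagged as encrypted, or at least end the description with `Always set this value explicitly; the default shown in this schema must not be used in production.` The session schemas for other versions are outside this hunk and are worth checking for the same pattern.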
+++ b/json_schemas/standard-webhooks/3.11.json @@ -3,7 +3,7 @@ "config": { "properties": { "secret_v1": { - "description": "Webhook secret\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Webhook secret\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "tolerance_second": { diff --git a/json_schemas/upstream-oauth/3.11.json b/json_schemas/upstream-oauth/3.11.json index 52fecf57..eafb73f7 100644 --- a/json_schemas/upstream-oauth/3.11.json +++ b/json_schemas/upstream-oauth/3.11.json @@ -151,7 +151,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -205,7 +205,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { 
@@ -365,11 +365,11 @@ "type": "array" }, "client_id": { - "description": "The client ID for the application registration in the IdP.", + "description": "The client ID for the application registration in the IdP.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "client_secret": { - "description": "The client secret for the application registration in the IdP.", + "description": "The client secret for the application registration in the IdP.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "grant_type": { @@ -382,7 +382,7 @@ "type": "string" }, "password": { - "description": "The password to use if `config.oauth.grant_type` is set to `password`.", + "description": "The password to use if `config.oauth.grant_type` is set to `password`.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "scopes": { @@ -413,7 +413,7 @@ "type": "object" }, "username": { - "description": "The username to use if `config.oauth.grant_type` is set to `password`.", + "description": "The username to use if `config.oauth.grant_type` is set to `password`.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, From 165593e2f9c4bb5da7caafbdae07681d59923d35 Mon Sep 17 00:00:00 2001 
From: fabianrbz <715229+fabianrbz@users.noreply.github.com> Date: Tue, 1 Apr 2025 06:27:58 +0000 Subject: [PATCH 150/165] JSON Schemas for 3.10.x --- json_schemas/acme/3.10.json | 8 ++--- .../ai-azure-content-safety/3.10.json | 2 +- json_schemas/ai-proxy-advanced/3.10.json | 30 ++++++++-------- json_schemas/ai-proxy/3.10.json | 12 +++---- json_schemas/ai-rag-injector/3.10.json | 18 +++++----- .../ai-rate-limiting-advanced/3.10.json | 4 +-- json_schemas/ai-request-transformer/3.10.json | 12 +++---- .../ai-response-transformer/3.10.json | 12 +++---- json_schemas/ai-semantic-cache/3.10.json | 18 +++++----- .../ai-semantic-prompt-guard/3.10.json | 18 +++++----- .../application-registration/3.10.json | 3 +- json_schemas/aws-lambda/3.10.json | 6 ++-- json_schemas/azure-functions/3.10.json | 4 +-- json_schemas/confluent-consume/3.10.json | 8 ++--- json_schemas/confluent/3.10.json | 8 ++--- .../graphql-proxy-cache-advanced/3.10.json | 4 +-- .../graphql-rate-limiting-advanced/3.10.json | 4 +-- json_schemas/http-log/3.10.json | 2 +- json_schemas/jwt-signer/3.10.json | 8 ++--- json_schemas/kafka-consume/3.10.json | 4 +-- json_schemas/kafka-log/3.10.json | 4 +-- json_schemas/kafka-upstream/3.10.json | 4 +-- .../konnect-application-auth/3.10.json | 36 +++++++++---------- json_schemas/ldap-auth-advanced/3.10.json | 2 +- json_schemas/loggly/3.10.json | 2 +- json_schemas/oauth2-introspection/3.10.json | 2 +- json_schemas/oauth2/3.10.json | 2 +- json_schemas/openid-connect/3.10.json | 36 +++++++++---------- json_schemas/proxy-cache-advanced/3.10.json | 4 +-- json_schemas/rate-limiting-advanced/3.10.json | 4 +-- json_schemas/rate-limiting/3.10.json | 2 +- json_schemas/request-callout/3.10.json | 4 +-- json_schemas/response-ratelimiting/3.10.json | 2 +- json_schemas/saml/3.10.json | 14 ++++---- json_schemas/service-protection/3.10.json | 4 +-- json_schemas/session/3.10.json | 2 +- json_schemas/standard-webhooks/3.10.json | 2 +- json_schemas/upstream-oauth/3.10.json | 12 +++---- 38 
files changed, 162 insertions(+), 161 deletions(-) diff --git a/json_schemas/acme/3.10.json b/json_schemas/acme/3.10.json index 4e0c2b55..613989a4 100644 --- a/json_schemas/acme/3.10.json +++ b/json_schemas/acme/3.10.json @@ -3,7 +3,7 @@ "config": { "properties": { "account_email": { - "description": "The account identifier. Can be reused in a different plugin instance.", + "description": "The account identifier. Can be reused in a different plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "pattern": "[a-zA-Z0-9]*[!-/:-@[-`{-~]*@+[a-zA-Z0-9]*%.?[a-zA-Z0-9]*", "type": "string" }, @@ -64,11 +64,11 @@ "type": "array" }, "eab_hmac_key": { - "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "eab_kid": { - "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "enable_ipv4_common_name": { 
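Review bot: The `pattern` on `account_email`, kept as context in the first acme hunk, looks like Lua pattern syntax (`%.?` would be an optional literal dot there), but the `pattern` keyword of a JSON Schema is read as an ECMA 262 regular expression. Read that way, `%.?` means a literal `%` followed by an optional character, so a validator driven by this file would reject ordinary addresses; the expression is also unanchored, so it does not constrain the whole string. The export should translate the pattern, for example to `"pattern": "^[^@]+@[a-zA-Z0-9.-]+$"`, or omit the keyword when no faithful translation exists.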
@@ -190,7 +190,7 @@ "type": "string" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "minLength": 0, "type": "string" }, diff --git a/json_schemas/ai-azure-content-safety/3.10.json b/json_schemas/ai-azure-content-safety/3.10.json index 06420513..f2f33401 100644 --- a/json_schemas/ai-azure-content-safety/3.10.json +++ b/json_schemas/ai-azure-content-safety/3.10.json @@ -55,7 +55,7 @@ "type": "array" }, "content_safety_key": { - "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.", + "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "content_safety_url": { diff --git a/json_schemas/ai-proxy-advanced/3.10.json b/json_schemas/ai-proxy-advanced/3.10.json index a9e0e8df..569bdd81 100644 --- a/json_schemas/ai-proxy-advanced/3.10.json +++ b/json_schemas/ai-proxy-advanced/3.10.json 
@@ -117,11 +117,11 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_client_id": { @@ -129,7 +129,7 @@ "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_tenant_id": { 
@@ -142,7 +142,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "gcp_use_service_account": { @@ -155,7 +155,7 @@ "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "param_location": { @@ -171,7 +171,7 @@ "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" } }, 
@@ -347,11 +347,11 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_client_id": { @@ -359,7 +359,7 @@ "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_tenant_id": { 
@@ -372,7 +372,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "gcp_use_service_account": { @@ -385,7 +385,7 @@ "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "param_location": { @@ -401,7 +401,7 @@ "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" } }, 
@@ -655,7 +655,7 @@ "type": "string" }, "password": { - "description": "the password of the pgvector database\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "the password of the pgvector database\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -780,7 +780,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -834,7 +834,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/ai-proxy/3.10.json b/json_schemas/ai-proxy/3.10.json index 7998df25..de9bbc20 100644 --- a/json_schemas/ai-proxy/3.10.json +++ b/json_schemas/ai-proxy/3.10.json 
@@ -10,11 +10,11 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_client_id": { @@ -22,7 +22,7 @@ "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_tenant_id": { 
@@ -35,7 +35,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "gcp_use_service_account": { @@ -48,7 +48,7 @@ "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "param_location": { @@ -64,7 +64,7 @@ "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" } }, diff --git a/json_schemas/ai-rag-injector/3.10.json b/json_schemas/ai-rag-injector/3.10.json index d7b0168b..13cf7792 100644 --- a/json_schemas/ai-rag-injector/3.10.json +++ b/json_schemas/ai-rag-injector/3.10.json 
@@ -12,11 +12,11 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_client_id": { @@ -24,7 +24,7 @@ "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_tenant_id": { 
@@ -37,7 +37,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "gcp_use_service_account": { @@ -50,7 +50,7 @@ "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "param_location": { @@ -66,7 +66,7 @@ "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" } }, 
@@ -249,7 +249,7 @@ "type": "string" }, "password": { - "description": "the password of the pgvector database\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "the password of the pgvector database\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -374,7 +374,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -428,7 +428,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/ai-rate-limiting-advanced/3.10.json b/json_schemas/ai-rate-limiting-advanced/3.10.json index 0c08bf61..c1db89e4 100644 --- a/json_schemas/ai-rate-limiting-advanced/3.10.json +++ b/json_schemas/ai-rate-limiting-advanced/3.10.json 
@@ -183,7 +183,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -237,7 +237,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/ai-request-transformer/3.10.json b/json_schemas/ai-request-transformer/3.10.json index 6a900cf8..d0d093ff 100644 --- a/json_schemas/ai-request-transformer/3.10.json +++ b/json_schemas/ai-request-transformer/3.10.json 
@@ -42,11 +42,11 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_client_id": { @@ -54,7 +54,7 @@ "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_tenant_id": { 
@@ -67,7 +67,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "gcp_use_service_account": { @@ -80,7 +80,7 @@ "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "param_location": { @@ -96,7 +96,7 @@ "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" } }, diff --git a/json_schemas/ai-response-transformer/3.10.json b/json_schemas/ai-response-transformer/3.10.json index 32684125..02165790 100644 --- a/json_schemas/ai-response-transformer/3.10.json +++ b/json_schemas/ai-response-transformer/3.10.json 
@@ -42,11 +42,11 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_client_id": { @@ -54,7 +54,7 @@ "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_tenant_id": { 
@@ -67,7 +67,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "gcp_use_service_account": { @@ -80,7 +80,7 @@ "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "param_location": { @@ -96,7 +96,7 @@ "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" } }, diff --git a/json_schemas/ai-semantic-cache/3.10.json b/json_schemas/ai-semantic-cache/3.10.json index 5688932a..a542cb7f 100644 --- a/json_schemas/ai-semantic-cache/3.10.json +++ b/json_schemas/ai-semantic-cache/3.10.json 
@@ -23,11 +23,11 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_client_id": { @@ -35,7 +35,7 @@ "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_tenant_id": { 
@@ -48,7 +48,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "gcp_use_service_account": { @@ -61,7 +61,7 @@ "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "param_location": { @@ -77,7 +77,7 @@ "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" } }, 
@@ -279,7 +279,7 @@ "type": "string" }, "password": { - "description": "the password of the pgvector database\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "the password of the pgvector database\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -404,7 +404,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -458,7 +458,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/ai-semantic-prompt-guard/3.10.json b/json_schemas/ai-semantic-prompt-guard/3.10.json index 1cefe6db..9ed25039 100644 --- a/json_schemas/ai-semantic-prompt-guard/3.10.json +++ b/json_schemas/ai-semantic-prompt-guard/3.10.json 
@@ -12,11 +12,11 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_client_id": { @@ -24,7 +24,7 @@ "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_tenant_id": { 
@@ -37,7 +37,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "gcp_use_service_account": { @@ -50,7 +50,7 @@ "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "param_location": { @@ -66,7 +66,7 @@ "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" } }, 
@@ -299,7 +299,7 @@ "type": "string" }, "password": { - "description": "the password of the pgvector database\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "the password of the pgvector database\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -424,7 +424,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -478,7 +478,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/application-registration/3.10.json b/json_schemas/application-registration/3.10.json index 42680aeb..84b50628 100644 --- a/json_schemas/application-registration/3.10.json +++ b/json_schemas/application-registration/3.10.json 
@@ -9,7 +9,8 @@ }, "description": { "description": "Unique description displayed in information about a Service in the Developer Portal.", - "type": "string" + "type": "string", + "unique": true }, "display_name": { "description": "Unique display name used for a Service in the Developer Portal.", diff --git a/json_schemas/aws-lambda/3.10.json b/json_schemas/aws-lambda/3.10.json index 166740b4..e90e09aa 100644 --- a/json_schemas/aws-lambda/3.10.json +++ b/json_schemas/aws-lambda/3.10.json @@ -3,7 +3,7 @@ "config": { "properties": { "aws_assume_role_arn": { - "description": "The target AWS IAM role ARN used to invoke the Lambda function.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The target AWS IAM role ARN used to invoke the Lambda function.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_imds_protocol_version": { @@ -16,7 +16,7 @@ "type": "string" }, "aws_key": { - "description": "The AWS key credential to be used when invoking the function.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The AWS key credential to be used when invoking the function.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_region": { 
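Review bot: The `"unique": true` added to `description` in the application-registration hunk is not a JSON Schema validation keyword, so a standard validator reading this file will ignore it and accept duplicate values. If uniqueness matters for how Services are listed in the Developer Portal, it has to be enforced by the gateway's own schema layer, and the description should say so, for example by appending `Uniqueness is enforced by the gateway, not by JSON Schema validation.` The neighbouring `display_name` is also described as "Unique display name"; whether it carries the same attribute is not visible in this hunk.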
@@ -29,7 +29,7 @@ "type": "string" }, "aws_secret": { - "description": "The AWS secret credential to be used when invoking the function. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The AWS secret credential to be used when invoking the function. \nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_sts_endpoint_url": { diff --git a/json_schemas/azure-functions/3.10.json b/json_schemas/azure-functions/3.10.json index 4a188c42..6fc519b4 100644 --- a/json_schemas/azure-functions/3.10.json +++ b/json_schemas/azure-functions/3.10.json @@ -3,7 +3,7 @@ "config": { "properties": { "apikey": { - "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "appname": { @@ -11,7 +11,7 @@ "type": "string" }, "clientid": { - "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "functionname": { 
diff --git a/json_schemas/confluent-consume/3.10.json b/json_schemas/confluent-consume/3.10.json index 70519aff..d505c1b9 100644 --- a/json_schemas/confluent-consume/3.10.json +++ b/json_schemas/confluent-consume/3.10.json @@ -35,11 +35,11 @@ "type": "array" }, "cluster_api_key": { - "description": "Username/Apikey for SASL authentication.", + "description": "Username/Apikey for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "cluster_api_secret": { - "description": "Password/ApiSecret for SASL authentication.", + "description": "Password/ApiSecret for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "cluster_name": { @@ -56,11 +56,11 @@ "type": "string" }, "confluent_cloud_api_key": { - "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", + "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "confluent_cloud_api_secret": { - "description": "The corresponding secret for the Confluent Cloud API key.", + "description": "The corresponding secret for the Confluent Cloud API key.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "keepalive": { diff --git a/json_schemas/confluent/3.10.json b/json_schemas/confluent/3.10.json index be3d6570..32d007b4 100644 --- a/json_schemas/confluent/3.10.json +++ b/json_schemas/confluent/3.10.json 
@@ -36,11 +36,11 @@ "type": "array" }, "cluster_api_key": { - "description": "Username/Apikey for SASL authentication.", + "description": "Username/Apikey for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "cluster_api_secret": { - "description": "Password/ApiSecret for SASL authentication.", + "description": "Password/ApiSecret for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "cluster_name": { @@ -48,11 +48,11 @@ "type": "string" }, "confluent_cloud_api_key": { - "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", + "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "confluent_cloud_api_secret": { - "description": "The corresponding secret for the Confluent Cloud API key.", + "description": "The corresponding secret for the Confluent Cloud API key.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "forward_body": { diff --git a/json_schemas/graphql-proxy-cache-advanced/3.10.json b/json_schemas/graphql-proxy-cache-advanced/3.10.json index 46c5d48b..65438cb1 100644 --- a/json_schemas/graphql-proxy-cache-advanced/3.10.json +++ b/json_schemas/graphql-proxy-cache-advanced/3.10.json 
@@ -94,7 +94,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -148,7 +148,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/graphql-rate-limiting-advanced/3.10.json b/json_schemas/graphql-rate-limiting-advanced/3.10.json index 6fedc860..acf6b51b 100644 --- a/json_schemas/graphql-rate-limiting-advanced/3.10.json +++ b/json_schemas/graphql-rate-limiting-advanced/3.10.json 
@@ -118,7 +118,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -172,7 +172,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/http-log/3.10.json b/json_schemas/http-log/3.10.json index 2d6b5c6c..89e9ad17 100644 --- a/json_schemas/http-log/3.10.json +++ b/json_schemas/http-log/3.10.json @@ -26,7 +26,7 @@ "type": "object" }, "http_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "keepalive": { diff --git a/json_schemas/jwt-signer/3.10.json b/json_schemas/jwt-signer/3.10.json index d6619d16..34d6a776 100644 --- a/json_schemas/jwt-signer/3.10.json 
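Review bot: The `http_endpoint` description in the http-log hunk still reads as a plain URL field, so nothing tells an operator why it is now marked encrypted and vault-referenceable. Presumably the reason is that log sink URLs often carry credentials in the userinfo part or a token in the query string; the schema itself does not say. I would add a sentence before the two notes, such as `The URL may contain embedded credentials (userinfo or a query-string token); prefer a vault reference over an inline value.` The existing example URL can stay as it is.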
+++ b/json_schemas/jwt-signer/3.10.json @@ -133,7 +133,7 @@ "type": "string" }, "access_token_jwks_uri_client_password": { - "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`", + "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "access_token_jwks_uri_client_username": { @@ -155,7 +155,7 @@ "type": "string" }, "access_token_keyset_client_password": { - "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`", + "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "access_token_keyset_client_username": { 
@@ -407,7 +407,7 @@ "type": "string" }, "channel_token_jwks_uri_client_password": { - "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`", + "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "channel_token_jwks_uri_client_username": { @@ -429,7 +429,7 @@ "type": "string" }, "channel_token_keyset_client_password": { - "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_username`", + "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_username`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "channel_token_keyset_client_username": { diff --git a/json_schemas/kafka-consume/3.10.json b/json_schemas/kafka-consume/3.10.json index 10ae7600..443f872e 100644 --- a/json_schemas/kafka-consume/3.10.json +++ b/json_schemas/kafka-consume/3.10.json 
@@ -14,7 +14,7 @@ "type": "string" }, "password": { - "description": "Password for SASL authentication.", + "description": "Password for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "strategy": { @@ -29,7 +29,7 @@ "type": "boolean" }, "user": { - "description": "Username for SASL authentication.", + "description": "Username for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" } }, diff --git a/json_schemas/kafka-log/3.10.json b/json_schemas/kafka-log/3.10.json index 81b292d6..d14f2a5c 100644 --- a/json_schemas/kafka-log/3.10.json +++ b/json_schemas/kafka-log/3.10.json @@ -14,7 +14,7 @@ "type": "string" }, "password": { - "description": "Password for SASL authentication.", + "description": "Password for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "strategy": { @@ -29,7 +29,7 @@ "type": "boolean" }, "user": { - "description": "Username for SASL authentication.", + "description": "Username for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" } }, diff --git a/json_schemas/kafka-upstream/3.10.json b/json_schemas/kafka-upstream/3.10.json index cd93a5bd..7648ad93 100644 --- a/json_schemas/kafka-upstream/3.10.json +++ b/json_schemas/kafka-upstream/3.10.json 
@@ -24,7 +24,7 @@ "type": "string" }, "password": { - "description": "Password for SASL authentication.", + "description": "Password for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "strategy": { @@ -39,7 +39,7 @@ "type": "boolean" }, "user": { - "description": "Username for SASL authentication.", + "description": "Username for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" } }, diff --git a/json_schemas/konnect-application-auth/3.10.json b/json_schemas/konnect-application-auth/3.10.json index e8b6d2b5..29c7eac8 100644 --- a/json_schemas/konnect-application-auth/3.10.json +++ b/json_schemas/konnect-application-auth/3.10.json @@ -386,7 +386,7 @@ "type": "array" }, "client_id": { - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.\nThis field is [encrypted](/gateway/keyring/).", "items": { "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ 
@@ -407,15 +407,15 @@ "type": "string" }, "d": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "dp": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "dq": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "e": { @@ -425,7 +425,7 @@ "type": "string" }, "k": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "key_ops": { 
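Review bot: The JWK members `d`, `dp`, `dq` and `k` in these hunks, and `oth`, `p`, `q`, `qi`, `r` and `t` in the `@@ -447,27 +447,27 @@` hunk that follows, have descriptions made up only of the referenceable and encrypted notes. The rendered documentation therefore never states that these members appear to hold private or symmetric key material, which is the reason they need encryption at rest. A short leading sentence per member would close that gap, for example `Private key parameter of the client JWK; never log or export this value.` The enclosing object starts outside the hunk, so the accepted key types cannot be confirmed from here.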
@@ -447,27 +447,27 @@ "type": "string" }, "oth": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "p": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "q": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "qi": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "r": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "t": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "use": { 
@@ -506,7 +506,7 @@ "type": "array" }, "client_secret": { - "description": "The client secret.", + "description": "The client secret.\nThis field is [encrypted](/gateway/keyring/).", "items": { "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ @@ -584,7 +584,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -638,7 +638,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -1078,7 +1078,7 @@ "type": "array" }, "introspection_headers_values": { - "description": "Extra header values passed to the introspection endpoint.", + "description": "Extra header values passed to the introspection endpoint.\nThis field is [encrypted](/gateway/keyring/).", "items": { "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ 
@@ -1468,7 +1468,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -1526,7 +1526,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -1912,7 +1912,7 @@ "type": "number" }, "session_secret": { - "description": "The session secret.", + "description": "The session secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "session_storage": { diff --git a/json_schemas/ldap-auth-advanced/3.10.json b/json_schemas/ldap-auth-advanced/3.10.json index d4ce271e..bb1579a3 100644 --- a/json_schemas/ldap-auth-advanced/3.10.json +++ b/json_schemas/ldap-auth-advanced/3.10.json 
@@ -91,7 +91,7 @@ "type": "string" }, "ldap_password": { - "description": "The password to the LDAP server.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The password to the LDAP server.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "ldap_port": { diff --git a/json_schemas/loggly/3.10.json b/json_schemas/loggly/3.10.json index 7a26a98b..77b0e043 100644 --- a/json_schemas/loggly/3.10.json +++ b/json_schemas/loggly/3.10.json @@ -27,7 +27,7 @@ "type": "string" }, "key": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "log_level": { diff --git a/json_schemas/oauth2-introspection/3.10.json b/json_schemas/oauth2-introspection/3.10.json index 64bc7359..49ec6cde 100644 --- a/json_schemas/oauth2-introspection/3.10.json +++ b/json_schemas/oauth2-introspection/3.10.json 
@@ -9,7 +9,7 @@ "type": "string" }, "authorization_value": { - "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "consumer_by": { diff --git a/json_schemas/oauth2/3.10.json b/json_schemas/oauth2/3.10.json index ccfd1b4a..19901f44 100644 --- a/json_schemas/oauth2/3.10.json +++ b/json_schemas/oauth2/3.10.json @@ -66,7 +66,7 @@ "type": "string" }, "provision_key": { - "description": "The unique key the plugin has generated when it has been added to the Service.", + "description": "The unique key the plugin has generated when it has been added to the Service.\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "realm": { diff --git a/json_schemas/openid-connect/3.10.json b/json_schemas/openid-connect/3.10.json index 3c83ad57..824c1a99 100644 --- a/json_schemas/openid-connect/3.10.json +++ b/json_schemas/openid-connect/3.10.json @@ -309,7 +309,7 @@ "type": "array" }, "client_id": { - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.\nThis field is [encrypted](/gateway/keyring/).", "items": { "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ 
@@ -330,15 +330,15 @@ "type": "string" }, "d": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "dp": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "dq": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "e": { @@ -348,7 +348,7 @@ "type": "string" }, "k": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "key_ops": { 
@@ -370,27 +370,27 @@ "type": "string" }, "oth": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "p": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "q": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "qi": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "r": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "t": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "use": { 
@@ -429,7 +429,7 @@ "type": "array" }, "client_secret": { - "description": "The client secret.", + "description": "The client secret.\nThis field is [encrypted](/gateway/keyring/).", "items": { "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ @@ -507,7 +507,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -561,7 +561,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -1001,7 +1001,7 @@ "type": "array" }, "introspection_headers_values": { - "description": "Extra header values passed to the introspection endpoint.", + "description": "Extra header values passed to the introspection endpoint.\nThis field is [encrypted](/gateway/keyring/).", "items": { "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ 
@@ -1391,7 +1391,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -1449,7 +1449,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -1835,7 +1835,7 @@ "type": "number" }, "session_secret": { - "description": "The session secret.", + "description": "The session secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "session_storage": { diff --git a/json_schemas/proxy-cache-advanced/3.10.json b/json_schemas/proxy-cache-advanced/3.10.json index 2e5c8466..66ba7efb 100644 --- a/json_schemas/proxy-cache-advanced/3.10.json +++ b/json_schemas/proxy-cache-advanced/3.10.json 
@@ -118,7 +118,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -172,7 +172,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/rate-limiting-advanced/3.10.json b/json_schemas/rate-limiting-advanced/3.10.json index 8345e866..2dfaaa69 100644 --- a/json_schemas/rate-limiting-advanced/3.10.json +++ b/json_schemas/rate-limiting-advanced/3.10.json 
@@ -171,7 +171,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -232,7 +232,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/rate-limiting/3.10.json b/json_schemas/rate-limiting/3.10.json index ea98ab40..ae56c397 100644 --- a/json_schemas/rate-limiting/3.10.json +++ b/json_schemas/rate-limiting/3.10.json @@ -89,7 +89,7 @@ "type": "string" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "minLength": 0, "type": "string" }, diff --git a/json_schemas/request-callout/3.10.json b/json_schemas/request-callout/3.10.json index 19da4a70..fdf274f7 100644 
--- a/json_schemas/request-callout/3.10.json +++ b/json_schemas/request-callout/3.10.json @@ -92,7 +92,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -146,7 +146,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/response-ratelimiting/3.10.json b/json_schemas/response-ratelimiting/3.10.json index 229ec4dc..7e8440df 100644 --- a/json_schemas/response-ratelimiting/3.10.json +++ b/json_schemas/response-ratelimiting/3.10.json @@ -61,7 +61,7 @@ "type": "string" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "minLength": 0, "type": "string" }, 
diff --git a/json_schemas/saml/3.10.json b/json_schemas/saml/3.10.json index 71a92cb9..855cbb1f 100644 --- a/json_schemas/saml/3.10.json +++ b/json_schemas/saml/3.10.json @@ -11,7 +11,7 @@ "type": "string" }, "idp_certificate": { - "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "idp_sso_url": { @@ -101,7 +101,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { 
@@ -159,7 +159,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -242,11 +242,11 @@ "type": "string" }, "request_signing_certificate": { - "description": "The certificate for signing requests.", + "description": "The certificate for signing requests.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "request_signing_key": { - "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "response_digest_algorithm": { 
@@ -259,7 +259,7 @@ "type": "string" }, "response_encryption_key": { - "description": "The private encryption key required to decrypt encrypted assertions.", + "description": "The private encryption key required to decrypt encrypted assertions.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "response_signature_algorithm": { @@ -418,7 +418,7 @@ "type": "number" }, "session_secret": { - "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "maxLength": 32, "minLength": 32, "pattern": "^[0-9a-zA-Z/_+]+$", diff --git a/json_schemas/service-protection/3.10.json b/json_schemas/service-protection/3.10.json index a0134073..b443c359 100644 --- a/json_schemas/service-protection/3.10.json +++ b/json_schemas/service-protection/3.10.json 
@@ -115,7 +115,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -169,7 +169,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/session/3.10.json b/json_schemas/session/3.10.json index 432e205c..9af064d3 100644 --- a/json_schemas/session/3.10.json +++ b/json_schemas/session/3.10.json @@ -155,7 +155,7 @@ }, "secret": { "default": "WKzHLADIGTA9J6nV29ppiqFxmLWstNnPGEtEJ2gQA70z", - "description": "The secret that is used in keyed HMAC generation.", + "description": "The secret that is used in keyed HMAC generation.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "stale_ttl": { diff --git a/json_schemas/standard-webhooks/3.10.json b/json_schemas/standard-webhooks/3.10.json index edc62a01..fb49687b 100644 --- a/json_schemas/standard-webhooks/3.10.json 
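Review bot: In the `json_schemas/session/3.10.json` hunk, the `secret` property keeps a literal `"default": "WKzHLADIGTA9J6nV29ppiqFxmLWstNnPGEtEJ2gQA70z"` directly above the description that now calls the field encrypted and referenceable. A concrete default for an HMAC key in a published schema is a shared, public value. Any tool that applies schema defaults (admin UI forms, config generators) would give every deployment the same key. Whether the gateway replaces it with a per-install random value is not visible in this hunk. I would drop the `default` line from the exported schema, or, once the runtime behaviour is confirmed, add a sentence to the description such as `Set your own value; do not rely on the default shown here.`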
+++ b/json_schemas/standard-webhooks/3.10.json @@ -3,7 +3,7 @@ "config": { "properties": { "secret_v1": { - "description": "Webhook secret", + "description": "Webhook secret\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "tolerance_second": { diff --git a/json_schemas/upstream-oauth/3.10.json b/json_schemas/upstream-oauth/3.10.json index 52fecf57..19dcdf7a 100644 --- a/json_schemas/upstream-oauth/3.10.json +++ b/json_schemas/upstream-oauth/3.10.json @@ -151,7 +151,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -205,7 +205,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { 
@@ -365,11 +365,11 @@ "type": "array" }, "client_id": { - "description": "The client ID for the application registration in the IdP.", + "description": "The client ID for the application registration in the IdP.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "client_secret": { - "description": "The client secret for the application registration in the IdP.", + "description": "The client secret for the application registration in the IdP.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "grant_type": { @@ -382,7 +382,7 @@ "type": "string" }, "password": { - "description": "The password to use if `config.oauth.grant_type` is set to `password`.", + "description": "The password to use if `config.oauth.grant_type` is set to `password`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "scopes": { @@ -413,7 +413,7 @@ "type": "object" }, "username": { - "description": "The username to use if `config.oauth.grant_type` is set to `password`.", + "description": "The username to use if `config.oauth.grant_type` is set to `password`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" } }, From 2874a573b9052e6026ce43143929433ee15967b0 Mon Sep 17 00:00:00 2001 
From: fabianrbz <715229+fabianrbz@users.noreply.github.com> Date: Tue, 1 Apr 2025 06:28:53 +0000 Subject: [PATCH 151/165] JSON Schemas for 3.9.x --- json_schemas/acme/3.9.json | 8 ++-- json_schemas/ai-azure-content-safety/3.9.json | 4 +- json_schemas/ai-proxy-advanced/3.9.json | 44 +++++++++---------- json_schemas/ai-proxy/3.9.json | 20 ++++----- .../ai-rate-limiting-advanced/3.9.json | 4 +- json_schemas/ai-request-transformer/3.9.json | 12 ++--- json_schemas/ai-response-transformer/3.9.json | 12 ++--- json_schemas/ai-semantic-cache/3.9.json | 16 +++---- .../ai-semantic-prompt-guard/3.9.json | 16 +++---- .../application-registration/3.9.json | 3 +- json_schemas/aws-lambda/3.9.json | 6 +-- json_schemas/azure-functions/3.9.json | 4 +- json_schemas/confluent/3.9.json | 8 ++-- json_schemas/forward-proxy/3.9.json | 4 +- .../graphql-proxy-cache-advanced/3.9.json | 4 +- .../graphql-rate-limiting-advanced/3.9.json | 4 +- json_schemas/http-log/3.9.json | 2 +- json_schemas/jwt-signer/3.9.json | 16 +++---- json_schemas/kafka-log/3.9.json | 4 +- json_schemas/kafka-upstream/3.9.json | 4 +- .../konnect-application-auth/3.9.json | 36 +++++++-------- json_schemas/ldap-auth-advanced/3.9.json | 2 +- json_schemas/loggly/3.9.json | 2 +- json_schemas/oauth2-introspection/3.9.json | 2 +- json_schemas/oauth2/3.9.json | 2 +- json_schemas/openid-connect/3.9.json | 36 +++++++-------- json_schemas/proxy-cache-advanced/3.9.json | 4 +- json_schemas/rate-limiting-advanced/3.9.json | 4 +- json_schemas/rate-limiting/3.9.json | 2 +- json_schemas/response-ratelimiting/3.9.json | 2 +- json_schemas/saml/3.9.json | 14 +++--- json_schemas/service-protection/3.9.json | 4 +- json_schemas/session/3.9.json | 2 +- json_schemas/standard-webhooks/3.9.json | 2 +- json_schemas/upstream-oauth/3.9.json | 12 ++--- 35 files changed, 161 insertions(+), 160 deletions(-) diff --git a/json_schemas/acme/3.9.json b/json_schemas/acme/3.9.json index 519cb9e8..68ed1e1b 100644 --- a/json_schemas/acme/3.9.json 
+++ b/json_schemas/acme/3.9.json @@ -3,7 +3,7 @@ "config": { "properties": { "account_email": { - "description": "The account identifier. Can be reused in a different plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The account identifier. Can be reused in a different plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "pattern": "[a-zA-Z0-9]*[!-/:-@[-`{-~]*@+[a-zA-Z0-9]*%.?[a-zA-Z0-9]*", "type": "string" }, @@ -64,11 +64,11 @@ "type": "array" }, "eab_hmac_key": { - "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "eab_kid": { - "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "enable_ipv4_common_name": { 
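Review bot: The `pattern` on `account_email` in the first acme hunk (a context line, unchanged by this commit) contains `%.?`, which is Lua-pattern escaping rather than regex syntax. In a JSON Schema consumer, `pattern` is an ECMA-262 regex, where `%` is a literal character. The expression is also unanchored and every character class is starred, so it appears to accept almost any string containing `@`. If these exported schemas are used for client-side validation, either omit `pattern` for this field or export an anchored regex, for example (constructed) `"pattern": "^[^@\\s]+@[^@\\s]+$"`.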
@@ -190,7 +190,7 @@
 "type": "string"
 },
 "password": {
- "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.",
+ "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "minLength": 0,
 "type": "string"
 },
diff --git a/json_schemas/ai-azure-content-safety/3.9.json b/json_schemas/ai-azure-content-safety/3.9.json
index cfcbebfa..55445bda 100644
--- a/json_schemas/ai-azure-content-safety/3.9.json
+++ b/json_schemas/ai-azure-content-safety/3.9.json
@@ -55,11 +55,11 @@
 "type": "array"
 },
 "content_safety_key": {
- "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "content_safety_url": {
- "description": "Full URL, inc protocol, of the Azure Content Safety instance.",
+ "description": "Full URL, inc protocol, of the Azure Content Safety instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "halt_on_blocklist_hit": {
diff --git a/json_schemas/ai-proxy-advanced/3.9.json b/json_schemas/ai-proxy-advanced/3.9.json
index 2d8f9810..ff4b431e 100644
--- a/json_schemas/ai-proxy-advanced/3.9.json
+++ b/json_schemas/ai-proxy-advanced/3.9.json
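Review bot: The `content_safety_key` description in the ai-azure-content-safety hunk still tells the reader to set the API key when `azure_use_managed_identity` is true, which looks inverted: a static API key would normally be needed only when managed identity is not in use. The commit rewrites this line only to add the encryption sentence, so the condition carries over unchanged. If that reading is right, the upstream description should begin `If azure_use_managed_identity is false, set the API key to call Content Safety.`; confirm against the plugin's behaviour first, since a misleading condition here can lead operators to configure a long-lived key they do not need.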
@@ -88,23 +88,23 @@
 "type": "boolean"
 },
 "aws_access_key_id": {
- "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "aws_secret_access_key": {
- "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "azure_client_id": {
- "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.",
+ "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "azure_client_secret": {
- "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "azure_tenant_id": {
- "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.",
+ "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "azure_use_managed_identity": {
@@ -113,7 +113,7 @@
 "type": "boolean"
 },
 "gcp_service_account_json": {
- "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "gcp_use_service_account": {
@@ -122,11 +122,11 @@
 "type": "boolean"
 },
 "header_name": {
- "description": "If AI model requires authentication via Authorization or API key header, specify its name here.",
+ "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "header_value": {
- "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "param_location": {
@@ -138,11 +138,11 @@
 "type": "string"
 },
 "param_name": {
- "description": "If AI model requires authentication via query parameter, specify its name here.",
+ "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "param_value": {
- "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Specify the full parameter value for 'param_name'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 }
 },
@@ -223,23 +223,23 @@
 "type": "boolean"
 },
 "aws_access_key_id": {
- "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "aws_secret_access_key": {
- "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "azure_client_id": {
- "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.",
+ "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "azure_client_secret": {
- "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "azure_tenant_id": {
- "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.",
+ "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "azure_use_managed_identity": {
@@ -248,7 +248,7 @@
 "type": "boolean"
 },
 "gcp_service_account_json": {
- "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "gcp_use_service_account": {
@@ -257,11 +257,11 @@
 "type": "boolean"
 },
 "header_name": {
- "description": "If AI model requires authentication via Authorization or API key header, specify its name here.",
+ "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "header_value": {
- "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "param_location": {
@@ -273,11 +273,11 @@
 "type": "string"
 },
 "param_name": {
- "description": "If AI model requires authentication via query parameter, specify its name here.",
+ "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "param_value": {
- "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Specify the full parameter value for 'param_name'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 }
 },
@@ -575,7 +575,7 @@
 "type": "integer"
 },
 "password": {
- "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "port": {
@@ -629,7 +629,7 @@
 "type": "array"
 },
 "sentinel_password": {
- "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "sentinel_role": {
diff --git a/json_schemas/ai-proxy/3.9.json b/json_schemas/ai-proxy/3.9.json
index c59dc832..f3b798d0 100644
--- a/json_schemas/ai-proxy/3.9.json
+++ b/json_schemas/ai-proxy/3.9.json
@@ -10,23 +10,23 @@
 "type": "boolean"
 },
 "aws_access_key_id": {
- "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "aws_secret_access_key": {
- "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "azure_client_id": {
- "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.",
+ "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "azure_client_secret": {
- "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "azure_tenant_id": {
- "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.",
+ "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "azure_use_managed_identity": {
@@ -35,7 +35,7 @@
 "type": "boolean"
 },
 "gcp_service_account_json": {
- "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "gcp_use_service_account": {
@@ -44,11 +44,11 @@
 "type": "boolean"
 },
 "header_name": {
- "description": "If AI model requires authentication via Authorization or API key header, specify its name here.",
+ "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "header_value": {
- "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "param_location": {
@@ -60,11 +60,11 @@
 "type": "string"
 },
 "param_name": {
- "description": "If AI model requires authentication via query parameter, specify its name here.",
+ "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "param_value": {
- "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Specify the full parameter value for 'param_name'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 }
 },
diff --git a/json_schemas/ai-rate-limiting-advanced/3.9.json b/json_schemas/ai-rate-limiting-advanced/3.9.json
index e71d1c05..734c66d1 100644
--- a/json_schemas/ai-rate-limiting-advanced/3.9.json
+++ b/json_schemas/ai-rate-limiting-advanced/3.9.json
@@ -161,7 +161,7 @@
 "type": "integer"
 },
 "password": {
- "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "port": {
@@ -215,7 +215,7 @@
 "type": "array"
 },
 "sentinel_password": {
- "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "sentinel_role": {
diff --git a/json_schemas/ai-request-transformer/3.9.json b/json_schemas/ai-request-transformer/3.9.json
index a314d401..adc3e244 100644
--- a/json_schemas/ai-request-transformer/3.9.json
+++ b/json_schemas/ai-request-transformer/3.9.json
@@ -42,11 +42,11 @@
 "type": "boolean"
 },
 "aws_access_key_id": {
- "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "aws_secret_access_key": {
- "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "azure_client_id": {
@@ -54,7 +54,7 @@
 "type": "string"
 },
 "azure_client_secret": {
- "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "azure_tenant_id": {
@@ -67,7 +67,7 @@
 "type": "boolean"
 },
 "gcp_service_account_json": {
- "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "gcp_use_service_account": {
@@ -80,7 +80,7 @@
 "type": "string"
 },
 "header_value": {
- "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "param_location": {
@@ -96,7 +96,7 @@
 "type": "string"
 },
 "param_value": {
- "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Specify the full parameter value for 'param_name'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 }
 },
diff --git a/json_schemas/ai-response-transformer/3.9.json b/json_schemas/ai-response-transformer/3.9.json
index aae73e51..ed963c32 100644
--- a/json_schemas/ai-response-transformer/3.9.json
+++ b/json_schemas/ai-response-transformer/3.9.json
@@ -42,11 +42,11 @@
 "type": "boolean"
 },
 "aws_access_key_id": {
- "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "aws_secret_access_key": {
- "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "azure_client_id": {
@@ -54,7 +54,7 @@
 "type": "string"
 },
 "azure_client_secret": {
- "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "azure_tenant_id": {
@@ -67,7 +67,7 @@
 "type": "boolean"
 },
 "gcp_service_account_json": {
- "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "gcp_use_service_account": {
@@ -80,7 +80,7 @@
 "type": "string"
 },
 "header_value": {
- "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "param_location": {
@@ -96,7 +96,7 @@
 "type": "string"
 },
 "param_value": {
- "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Specify the full parameter value for 'param_name'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 }
 },
diff --git a/json_schemas/ai-semantic-cache/3.9.json b/json_schemas/ai-semantic-cache/3.9.json
index be340741..9bbbc340 100644
--- a/json_schemas/ai-semantic-cache/3.9.json
+++ b/json_schemas/ai-semantic-cache/3.9.json
@@ -23,11 +23,11 @@
 "type": "boolean"
 },
 "aws_access_key_id": {
- "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "aws_secret_access_key": {
- "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "azure_client_id": {
@@ -35,7 +35,7 @@ "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_tenant_id": { @@ -48,7 +48,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "gcp_use_service_account": { 
@@ -61,7 +61,7 @@ "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_location": { @@ -77,7 +77,7 @@ "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, @@ -239,7 +239,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { 
@@ -293,7 +293,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/ai-semantic-prompt-guard/3.9.json b/json_schemas/ai-semantic-prompt-guard/3.9.json index 6bab0187..cecaebb0 100644 --- a/json_schemas/ai-semantic-prompt-guard/3.9.json +++ b/json_schemas/ai-semantic-prompt-guard/3.9.json 
@@ -12,11 +12,11 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_id": { 
@@ -24,7 +24,7 @@ "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_tenant_id": { @@ -37,7 +37,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "gcp_use_service_account": { 
@@ -50,7 +50,7 @@ "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_location": { @@ -66,7 +66,7 @@ "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, @@ -259,7 +259,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { 
@@ -313,7 +313,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/application-registration/3.9.json b/json_schemas/application-registration/3.9.json index 42680aeb..84b50628 100644 --- a/json_schemas/application-registration/3.9.json +++ b/json_schemas/application-registration/3.9.json @@ -9,7 +9,8 @@ }, "description": { "description": "Unique description displayed in information about a Service in the Developer Portal.", - "type": "string" + "type": "string", + "unique": true }, "display_name": { "description": "Unique display name used for a Service in the Developer Portal.", diff --git a/json_schemas/aws-lambda/3.9.json b/json_schemas/aws-lambda/3.9.json index 166740b4..e90e09aa 100644 --- a/json_schemas/aws-lambda/3.9.json +++ b/json_schemas/aws-lambda/3.9.json @@ -3,7 +3,7 @@ "config": { "properties": { "aws_assume_role_arn": { - "description": "The target AWS IAM role ARN used to invoke the Lambda function.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The target AWS IAM role ARN used to invoke the Lambda function.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_imds_protocol_version": { 
@@ -16,7 +16,7 @@ "type": "string" }, "aws_key": { - "description": "The AWS key credential to be used when invoking the function.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The AWS key credential to be used when invoking the function.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_region": { @@ -29,7 +29,7 @@ "type": "string" }, "aws_secret": { - "description": "The AWS secret credential to be used when invoking the function. \nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The AWS secret credential to be used when invoking the function. \nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_sts_endpoint_url": { diff --git a/json_schemas/azure-functions/3.9.json b/json_schemas/azure-functions/3.9.json index 4a188c42..6fc519b4 100644 --- a/json_schemas/azure-functions/3.9.json +++ b/json_schemas/azure-functions/3.9.json @@ -3,7 +3,7 @@ "config": { "properties": { "apikey": { - "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "appname": { 
@@ -11,7 +11,7 @@ "type": "string" }, "clientid": { - "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "functionname": { diff --git a/json_schemas/confluent/3.9.json b/json_schemas/confluent/3.9.json index 2eda69cb..fc6d9df4 100644 --- a/json_schemas/confluent/3.9.json +++ b/json_schemas/confluent/3.9.json @@ -26,11 +26,11 @@ "type": "array" }, "cluster_api_key": { - "description": "Username/Apikey for SASL authentication.", + "description": "Username/Apikey for SASL authentication.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "cluster_api_secret": { - "description": "Password/ApiSecret for SASL authentication.", + "description": "Password/ApiSecret for SASL authentication.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "cluster_name": { 
@@ -38,11 +38,11 @@ "type": "string" }, "confluent_cloud_api_key": { - "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", + "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "confluent_cloud_api_secret": { - "description": "The corresponding secret for the Confluent Cloud API key.", + "description": "The corresponding secret for the Confluent Cloud API key.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "forward_body": { diff --git a/json_schemas/forward-proxy/3.9.json b/json_schemas/forward-proxy/3.9.json index ad6b829b..c0f4b52a 100644 --- a/json_schemas/forward-proxy/3.9.json +++ b/json_schemas/forward-proxy/3.9.json @@ -3,11 +3,11 @@ "config": { "properties": { "auth_password": { - "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "auth_username": { - "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "http_proxy_host": { 
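Review bot: In `json_schemas/forward-proxy/3.9.json`, `auth_password` gains only the referenceable annotation, while every other password field this patch touches (Redis `password`, `sentinel_password`, `ldap_password`, the Kafka `password`) also gains `This field is [encrypted](/gateway/keyring/).`. If these sentences are generated from the plugin schema, the gap suggests the forward-proxy credential is not keyring-encrypted when set inline, which is worth confirming against the source schema. If the field should be encrypted, the fix belongs upstream and the description would then carry `\nThis field is [encrypted](/gateway/keyring/).` before the referenceable sentence. Until that is settled, it may help to say in the description that the password should be supplied as a vault reference.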
diff --git a/json_schemas/graphql-proxy-cache-advanced/3.9.json b/json_schemas/graphql-proxy-cache-advanced/3.9.json index 46c5d48b..65438cb1 100644 --- a/json_schemas/graphql-proxy-cache-advanced/3.9.json +++ b/json_schemas/graphql-proxy-cache-advanced/3.9.json @@ -94,7 +94,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -148,7 +148,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/graphql-rate-limiting-advanced/3.9.json b/json_schemas/graphql-rate-limiting-advanced/3.9.json index 6fedc860..acf6b51b 100644 --- a/json_schemas/graphql-rate-limiting-advanced/3.9.json +++ b/json_schemas/graphql-rate-limiting-advanced/3.9.json 
@@ -118,7 +118,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -172,7 +172,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/http-log/3.9.json b/json_schemas/http-log/3.9.json index 2d6b5c6c..927b783f 100644 --- a/json_schemas/http-log/3.9.json +++ b/json_schemas/http-log/3.9.json @@ -26,7 +26,7 @@ "type": "object" }, "http_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "keepalive": { diff --git a/json_schemas/jwt-signer/3.9.json b/json_schemas/jwt-signer/3.9.json index 6b424d39..c151d0ca 100644 --- a/json_schemas/jwt-signer/3.9.json 
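Review bot: In `json_schemas/http-log/3.9.json`, `http_endpoint` is now marked encrypted and referenceable, but its description is still only the generic "A string representing a URL", so a reader cannot tell why a URL is handled as a secret. Presumably the endpoint can embed credentials (userinfo or a token in the query string). A sentence such as `The URL may contain credentials; prefer a vault reference over an inline value.` ahead of the annotations would make that explicit. Because the file appears to be downloaded rather than hand-written, the wording would have to change in the source schema.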
+++ b/json_schemas/jwt-signer/3.9.json @@ -133,11 +133,11 @@ "type": "string" }, "access_token_jwks_uri_client_password": { - "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`", + "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "access_token_jwks_uri_client_username": { - "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`", + "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "access_token_jwks_uri_rotate_period": { 
@@ -155,11 +155,11 @@ "type": "string" }, "access_token_keyset_client_password": { - "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`", + "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "access_token_keyset_client_username": { - "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`", + "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "access_token_keyset_rotate_period": { 
@@ -407,11 +407,11 @@ "type": "string" }, "channel_token_jwks_uri_client_password": { - "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`", + "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "channel_token_jwks_uri_client_username": { - "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", + "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "channel_token_jwks_uri_rotate_period": { 
@@ -429,11 +429,11 @@ "type": "string" }, "channel_token_keyset_client_password": { - "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_username`", + "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_username`\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "channel_token_keyset_client_username": { - "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`", + "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "channel_token_keyset_rotate_period": { diff --git a/json_schemas/kafka-log/3.9.json b/json_schemas/kafka-log/3.9.json index 3cc3b73a..f71e86fd 100644 --- a/json_schemas/kafka-log/3.9.json +++ b/json_schemas/kafka-log/3.9.json @@ -14,7 +14,7 @@ "type": "string" }, "password": { - "description": "Password for SASL authentication.", + "description": "Password for SASL authentication.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "strategy": { 
@@ -29,7 +29,7 @@ "type": "boolean" }, "user": { - "description": "Username for SASL authentication.", + "description": "Username for SASL authentication.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/kafka-upstream/3.9.json b/json_schemas/kafka-upstream/3.9.json index 4fa1cc92..1c889114 100644 --- a/json_schemas/kafka-upstream/3.9.json +++ b/json_schemas/kafka-upstream/3.9.json @@ -14,7 +14,7 @@ "type": "string" }, "password": { - "description": "Password for SASL authentication.", + "description": "Password for SASL authentication.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "strategy": { @@ -29,7 +29,7 @@ "type": "boolean" }, "user": { - "description": "Username for SASL authentication.", + "description": "Username for SASL authentication.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/konnect-application-auth/3.9.json b/json_schemas/konnect-application-auth/3.9.json index 6b9a6b29..72694409 100644 --- a/json_schemas/konnect-application-auth/3.9.json +++ b/json_schemas/konnect-application-auth/3.9.json @@ -386,7 +386,7 @@ "type": "array" }, "client_id": { - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.\nThis field is [encrypted](/gateway/keyring/).", "items": { "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ 
@@ -407,15 +407,15 @@ "type": "string" }, "d": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dp": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dq": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "e": { @@ -425,7 +425,7 @@ "type": "string" }, "k": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "key_ops": { 
@@ -447,27 +447,27 @@ "type": "string" }, "oth": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "p": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "q": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "qi": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "r": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "t": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "use": { 
@@ -506,7 +506,7 @@ "type": "array" }, "client_secret": { - "description": "The client secret.", + "description": "The client secret.\nThis field is [encrypted](/gateway/keyring/).", "items": { "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ @@ -584,7 +584,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -638,7 +638,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -1078,7 +1078,7 @@ "type": "array" }, "introspection_headers_values": { - "description": "Extra header values passed to the introspection endpoint.", + "description": "Extra header values passed to the introspection endpoint.\nThis field is [encrypted](/gateway/keyring/).", "items": { "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ 
@@ -1468,7 +1468,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -1526,7 +1526,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -1912,7 +1912,7 @@ "type": "number" }, "session_secret": { - "description": "The session secret.", + "description": "The session secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "session_storage": { diff --git a/json_schemas/ldap-auth-advanced/3.9.json b/json_schemas/ldap-auth-advanced/3.9.json index d4ce271e..bb1579a3 100644 --- a/json_schemas/ldap-auth-advanced/3.9.json +++ b/json_schemas/ldap-auth-advanced/3.9.json 
@@ -91,7 +91,7 @@ "type": "string" }, "ldap_password": { - "description": "The password to the LDAP server.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The password to the LDAP server.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "ldap_port": { diff --git a/json_schemas/loggly/3.9.json b/json_schemas/loggly/3.9.json index 7a26a98b..81d46c2c 100644 --- a/json_schemas/loggly/3.9.json +++ b/json_schemas/loggly/3.9.json @@ -27,7 +27,7 @@ "type": "string" }, "key": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "log_level": { diff --git a/json_schemas/oauth2-introspection/3.9.json b/json_schemas/oauth2-introspection/3.9.json index 482e4d6e..63faff49 100644 --- a/json_schemas/oauth2-introspection/3.9.json +++ b/json_schemas/oauth2-introspection/3.9.json 
@@ -9,7 +9,7 @@ "type": "string" }, "authorization_value": { - "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "consumer_by": { diff --git a/json_schemas/oauth2/3.9.json b/json_schemas/oauth2/3.9.json index ccfd1b4a..19901f44 100644 --- a/json_schemas/oauth2/3.9.json +++ b/json_schemas/oauth2/3.9.json @@ -66,7 +66,7 @@ "type": "string" }, "provision_key": { - "description": "The unique key the plugin has generated when it has been added to the Service.", + "description": "The unique key the plugin has generated when it has been added to the Service.\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "realm": { diff --git a/json_schemas/openid-connect/3.9.json b/json_schemas/openid-connect/3.9.json index 3c83ad57..c7d8dba8 100644 --- a/json_schemas/openid-connect/3.9.json +++ b/json_schemas/openid-connect/3.9.json 
@@ -309,7 +309,7 @@ "type": "array" }, "client_id": { - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.\nThis field is [encrypted](/gateway/keyring/).", "items": { "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ @@ -330,15 +330,15 @@ "type": "string" }, "d": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dp": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dq": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "e": { @@ -348,7 +348,7 @@ "type": "string" }, "k": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "key_ops": { 
@@ -370,27 +370,27 @@ "type": "string" }, "oth": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "p": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "q": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "qi": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "r": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "t": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "use": { 
@@ -429,7 +429,7 @@ "type": "array" }, "client_secret": { - "description": "The client secret.", + "description": "The client secret.\nThis field is [encrypted](/gateway/keyring/).", "items": { "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ @@ -507,7 +507,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -561,7 +561,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -1001,7 +1001,7 @@ "type": "array" }, "introspection_headers_values": { - "description": "Extra header values passed to the introspection endpoint.", + "description": "Extra header values passed to the introspection endpoint.\nThis field is [encrypted](/gateway/keyring/).", "items": { "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ 
@@ -1391,7 +1391,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -1449,7 +1449,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -1835,7 +1835,7 @@ "type": "number" }, "session_secret": { - "description": "The session secret.", + "description": "The session secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "session_storage": { diff --git a/json_schemas/proxy-cache-advanced/3.9.json b/json_schemas/proxy-cache-advanced/3.9.json index d674bb8f..d1dbb059 100644 --- a/json_schemas/proxy-cache-advanced/3.9.json +++ b/json_schemas/proxy-cache-advanced/3.9.json 
@@ -118,7 +118,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -172,7 +172,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/rate-limiting-advanced/3.9.json b/json_schemas/rate-limiting-advanced/3.9.json index 0050c3da..8eb92513 100644 --- a/json_schemas/rate-limiting-advanced/3.9.json +++ b/json_schemas/rate-limiting-advanced/3.9.json @@ -171,7 +171,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { 
@@ -232,7 +232,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/rate-limiting/3.9.json b/json_schemas/rate-limiting/3.9.json index ea98ab40..085d4cc0 100644 --- a/json_schemas/rate-limiting/3.9.json +++ b/json_schemas/rate-limiting/3.9.json @@ -89,7 +89,7 @@ "type": "string" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "minLength": 0, "type": "string" }, diff --git a/json_schemas/response-ratelimiting/3.9.json b/json_schemas/response-ratelimiting/3.9.json index 229ec4dc..e6ad1ba3 100644 --- a/json_schemas/response-ratelimiting/3.9.json +++ b/json_schemas/response-ratelimiting/3.9.json @@ -61,7 +61,7 @@ "type": "string" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "minLength": 0, "type": "string" }, 
diff --git a/json_schemas/saml/3.9.json b/json_schemas/saml/3.9.json index 71a92cb9..a67f4b8d 100644 --- a/json_schemas/saml/3.9.json +++ b/json_schemas/saml/3.9.json @@ -11,7 +11,7 @@ "type": "string" }, "idp_certificate": { - "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "idp_sso_url": { @@ -101,7 +101,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { 
@@ -159,7 +159,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -242,11 +242,11 @@ "type": "string" }, "request_signing_certificate": { - "description": "The certificate for signing requests.", + "description": "The certificate for signing requests.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "request_signing_key": { - "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "response_digest_algorithm": { 
@@ -259,7 +259,7 @@ "type": "string" }, "response_encryption_key": { - "description": "The private encryption key required to decrypt encrypted assertions.", + "description": "The private encryption key required to decrypt encrypted assertions.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "response_signature_algorithm": { @@ -418,7 +418,7 @@ "type": "number" }, "session_secret": { - "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "maxLength": 32, "minLength": 32, "pattern": "^[0-9a-zA-Z/_+]+$", diff --git a/json_schemas/service-protection/3.9.json b/json_schemas/service-protection/3.9.json index a0134073..b443c359 100644 --- a/json_schemas/service-protection/3.9.json +++ b/json_schemas/service-protection/3.9.json 
@@ -115,7 +115,7 @@
 "type": "integer"
 },
 "password": {
- "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "port": {
@@ -169,7 +169,7 @@
 "type": "array"
 },
 "sentinel_password": {
- "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "sentinel_role": {
diff --git a/json_schemas/session/3.9.json b/json_schemas/session/3.9.json
index ce22bca5..5b276039 100644
--- a/json_schemas/session/3.9.json
+++ b/json_schemas/session/3.9.json
@@ -150,7 +150,7 @@
 },
 "secret": {
 "default": "lt9BJW1n5RfhCxTbNIKqsj8THW7YNdXTA0VW6KQwBUwg",
- "description": "The secret that is used in keyed HMAC generation.",
+ "description": "The secret that is used in keyed HMAC generation.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "stale_ttl": {
diff --git a/json_schemas/standard-webhooks/3.9.json b/json_schemas/standard-webhooks/3.9.json
index 1faa2af3..e8fec40d 100644
--- a/json_schemas/standard-webhooks/3.9.json
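Review bot: The `secret` property in `json_schemas/session/3.9.json` (hunk at -150) still publishes a concrete `default` string directly above the description that now marks the field as encrypted. A key used for HMAC generation that is printed in a public schema is known to every reader, so a deployment that ends up running with it gets no integrity guarantee from it. If the value is instead a random string captured from the instance that produced the export (not visible in this diff), it is misleading here and will change on every regeneration. The export should drop `default` for fields flagged as encrypted, or the description should add a sentence such as `The default shown is an artifact of the schema export; always set your own value.`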
+++ b/json_schemas/standard-webhooks/3.9.json @@ -3,7 +3,7 @@ "config": { "properties": { "secret_v1": { - "description": "Webhook secret\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Webhook secret\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "tolerance_second": { diff --git a/json_schemas/upstream-oauth/3.9.json b/json_schemas/upstream-oauth/3.9.json index 52fecf57..eafb73f7 100644 --- a/json_schemas/upstream-oauth/3.9.json +++ b/json_schemas/upstream-oauth/3.9.json @@ -151,7 +151,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -205,7 +205,7 @@ "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { 
@@ -365,11 +365,11 @@ "type": "array" }, "client_id": { - "description": "The client ID for the application registration in the IdP.", + "description": "The client ID for the application registration in the IdP.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "client_secret": { - "description": "The client secret for the application registration in the IdP.", + "description": "The client secret for the application registration in the IdP.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "grant_type": { @@ -382,7 +382,7 @@ "type": "string" }, "password": { - "description": "The password to use if `config.oauth.grant_type` is set to `password`.", + "description": "The password to use if `config.oauth.grant_type` is set to `password`.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "scopes": { @@ -413,7 +413,7 @@ "type": "object" }, "username": { - "description": "The username to use if `config.oauth.grant_type` is set to `password`.", + "description": "The username to use if `config.oauth.grant_type` is set to `password`.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, From 618e39fbdfed0fe22531fe4cdfc6913187f9c765 Mon Sep 17 00:00:00 2001 
From: fabianrbz <715229+fabianrbz@users.noreply.github.com> Date: Tue, 1 Apr 2025 06:29:50 +0000 Subject: [PATCH 152/165] JSON Schemas for 3.8.x --- json_schemas/acl/3.8.json | 28 +- json_schemas/acme/3.8.json | 61 ++- json_schemas/ai-azure-content-safety/3.8.json | 28 +- json_schemas/ai-prompt-decorator/3.8.json | 32 +- json_schemas/ai-prompt-guard/3.8.json | 36 +- json_schemas/ai-prompt-template/3.8.json | 28 +- json_schemas/ai-proxy-advanced/3.8.json | 120 ++++-- json_schemas/ai-proxy/3.8.json | 72 +++- .../ai-rate-limiting-advanced/3.8.json | 48 ++- json_schemas/ai-request-transformer/3.8.json | 72 +++- json_schemas/ai-response-transformer/3.8.json | 76 ++-- json_schemas/ai-semantic-cache/3.8.json | 84 ++-- .../ai-semantic-prompt-guard/3.8.json | 104 +++-- json_schemas/app-dynamics/3.8.json | 27 +- .../application-registration/3.8.json | 15 +- json_schemas/aws-lambda/3.8.json | 30 +- json_schemas/azure-functions/3.8.json | 28 +- json_schemas/basic-auth/3.8.json | 20 +- json_schemas/bot-detection/3.8.json | 36 +- json_schemas/canary/3.8.json | 24 +- json_schemas/confluent/3.8.json | 32 +- json_schemas/correlation-id/3.8.json | 24 +- json_schemas/cors/3.8.json | 36 +- json_schemas/datadog-tracing/3.8.json | 25 +- json_schemas/datadog/3.8.json | 34 +- json_schemas/degraphql/3.8.json | 20 +- json_schemas/exit-transformer/3.8.json | 28 +- json_schemas/file-log/3.8.json | 24 +- json_schemas/forward-proxy/3.8.json | 28 +- .../graphql-proxy-cache-advanced/3.8.json | 52 ++- .../graphql-rate-limiting-advanced/3.8.json | 52 ++- json_schemas/grpc-gateway/3.8.json | 24 +- json_schemas/grpc-web/3.8.json | 24 +- json_schemas/header-cert-auth/3.8.json | 28 +- json_schemas/hmac-auth/3.8.json | 32 +- json_schemas/http-log/3.8.json | 30 +- json_schemas/ip-restriction/3.8.json | 36 +- json_schemas/jq/3.8.json | 44 +- json_schemas/json-threat-protection/3.8.json | 20 +- json_schemas/jwe-decrypt/3.8.json | 24 +- json_schemas/jwt-signer/3.8.json | 136 ++++-- json_schemas/jwt/3.8.json 
| 40 +- json_schemas/kafka-log/3.8.json | 36 +- json_schemas/kafka-upstream/3.8.json | 36 +- json_schemas/key-auth-enc/3.8.json | 24 +- json_schemas/key-auth/3.8.json | 24 +- .../konnect-application-auth/3.8.json | 402 +++++++++++++----- json_schemas/ldap-auth-advanced/3.8.json | 32 +- json_schemas/ldap-auth/3.8.json | 20 +- json_schemas/loggly/3.8.json | 29 +- json_schemas/mocking/3.8.json | 28 +- json_schemas/mtls-auth/3.8.json | 28 +- json_schemas/oas-validation/3.8.json | 24 +- json_schemas/oauth2-introspection/3.8.json | 30 +- json_schemas/oauth2/3.8.json | 26 +- json_schemas/opa/3.8.json | 20 +- json_schemas/openid-connect/3.8.json | 386 ++++++++++++----- json_schemas/opentelemetry/3.8.json | 46 +- json_schemas/post-function/3.8.json | 100 +++-- json_schemas/pre-function/3.8.json | 100 +++-- json_schemas/prometheus/3.8.json | 24 +- json_schemas/proxy-cache-advanced/3.8.json | 76 +++- json_schemas/proxy-cache/3.8.json | 56 ++- json_schemas/rate-limiting-advanced/3.8.json | 60 ++- json_schemas/rate-limiting/3.8.json | 36 +- json_schemas/request-size-limiting/3.8.json | 24 +- json_schemas/request-termination/3.8.json | 28 +- .../request-transformer-advanced/3.8.json | 212 ++++++--- json_schemas/request-transformer/3.8.json | 168 ++++++-- json_schemas/request-validator/3.8.json | 28 +- json_schemas/response-ratelimiting/3.8.json | 32 +- .../response-transformer-advanced/3.8.json | 220 +++++++--- json_schemas/response-transformer/3.8.json | 152 +++++-- json_schemas/route-by-header/3.8.json | 28 +- .../route-transformer-advanced/3.8.json | 24 +- json_schemas/saml/3.8.json | 58 ++- json_schemas/session/3.8.json | 34 +- json_schemas/standard-webhooks/3.8.json | 26 +- json_schemas/statsd-advanced/3.8.json | 32 +- json_schemas/statsd/3.8.json | 32 +- json_schemas/syslog/3.8.json | 24 +- json_schemas/tcp-log/3.8.json | 24 +- json_schemas/tls-handshake-modifier/3.8.json | 20 +- json_schemas/tls-metadata-headers/3.8.json | 20 +- json_schemas/udp-log/3.8.json | 24 +- 
json_schemas/upstream-oauth/3.8.json | 92 ++-- json_schemas/upstream-timeout/3.8.json | 24 +- json_schemas/vault-auth/3.8.json | 28 +- json_schemas/websocket-size-limit/3.8.json | 24 +- json_schemas/websocket-validator/3.8.json | 32 +- json_schemas/xml-threat-protection/3.8.json | 36 +- json_schemas/zipkin/3.8.json | 40 +- 92 files changed, 3581 insertions(+), 1310 deletions(-) diff --git a/json_schemas/acl/3.8.json b/json_schemas/acl/3.8.json index 0c3043e1..488af668 100644 --- a/json_schemas/acl/3.8.json +++ b/json_schemas/acl/3.8.json @@ -5,7 +5,9 @@ "allow": { "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -18,7 +20,9 @@ "deny": { "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -33,7 +37,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -51,7 +57,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -64,7 +72,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -75,9 +85,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/acme/3.8.json b/json_schemas/acme/3.8.json index 4f34c195..0bbe30bf 100644 --- a/json_schemas/acme/3.8.json +++ b/json_schemas/acme/3.8.json 
@@ -3,7 +3,7 @@
 "config": {
 "properties": {
 "account_email": {
- "description": "The account identifier. Can be reused in a different plugin instance.",
+ "description": "The account identifier. Can be reused in a different plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).",
 "pattern": "[a-zA-Z0-9]*[!-/:-@[-`{-~]*@+[a-zA-Z0-9]*%.?[a-zA-Z0-9]*",
 "type": "string"
 },
@@ -56,17 +56,19 @@
 "^[^*]*$"
 ]
 },
- "required": [],
+ "required": [
+
+ ],
 "type": "string"
 },
 "type": "array"
 },
 "eab_hmac_key": {
- "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.",
+ "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "eab_kid": {
- "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.",
+ "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "enable_ipv4_common_name": {
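Review bot: The `pattern` kept under `account_email` in `json_schemas/acme/3.8.json` (hunk at -3) is written in Lua pattern syntax rather than the ECMA-262 regular expressions that the JSON Schema `pattern` keyword expects. The `%.?` near its end escapes a dot in Lua, but a JSON Schema validator reads it as a literal `%` followed by an optional character, so a consumer validating configuration against this file would reject ordinary addresses. The expression is also unanchored, so it constrains little where it does match. This is worth fixing at export time, either by translating `%.?` to `\\.?` and anchoring the expression with `^` and `$`, or by omitting `pattern` when it cannot be translated.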
@@ -138,17 +140,22 @@ "type": "number" }, "token": { - "description": "Consul ACL token.", + "description": "Consul ACL token.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "kong": { "additionalProperties": true, - "properties": {}, - "required": [], + "properties": { + }, + "required": [ + + ], "type": "object" }, "redis": { @@ -173,7 +180,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "host": { @@ -181,7 +190,7 @@ "type": "string" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "minLength": 0, "type": "string" }, @@ -214,11 +223,13 @@ "type": "integer" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "auth": { "minLength": 0, @@ -259,7 +270,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "vault": { 
@@ -318,15 +331,19 @@ "type": "boolean" }, "token": { - "description": "Consul ACL token.", + "description": "Consul ACL token.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "tos_accepted": { @@ -335,7 +352,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -353,11 +372,15 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-azure-content-safety/3.8.json b/json_schemas/ai-azure-content-safety/3.8.json index 7fc1e807..55445bda 100644 --- a/json_schemas/ai-azure-content-safety/3.8.json +++ b/json_schemas/ai-azure-content-safety/3.8.json @@ -28,7 +28,9 @@ "blocklist_names": { "description": "Use these configured blocklists (in Azure Content Services) when inspecting content.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -53,11 +55,11 @@ "type": "array" }, "content_safety_key": { - "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.", + "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "content_safety_url": { - "description": "Full URL, inc protocol, of the Azure Content Safety instance.", + "description": "Full URL, inc protocol, of the Azure Content Safety instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "halt_on_blocklist_hit": { 
@@ -89,7 +91,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -107,7 +111,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -120,7 +126,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -131,9 +139,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-prompt-decorator/3.8.json b/json_schemas/ai-prompt-decorator/3.8.json index f9a591c8..0559463c 100644 --- a/json_schemas/ai-prompt-decorator/3.8.json +++ b/json_schemas/ai-prompt-decorator/3.8.json @@ -65,11 +65,15 @@ "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -80,7 +84,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -91,7 +97,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -109,7 +117,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -122,7 +132,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -133,9 +145,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-prompt-guard/3.8.json b/json_schemas/ai-prompt-guard/3.8.json index 95c822a7..536e841e 100644 --- a/json_schemas/ai-prompt-guard/3.8.json +++ b/json_schemas/ai-prompt-guard/3.8.json @@ -12,7 +12,9 @@ "items": { "maxLength": 500, "minLength": 1, - "required": [], + "required": [ + + ], "type": "string" }, "maxLength": 10, 
@@ -23,7 +25,9 @@ "items": { "maxLength": 500, "minLength": 1, - "required": [], + "required": [ + + ], "type": "string" }, "maxLength": 10, @@ -41,7 +45,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -52,7 +58,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -63,7 +71,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -81,7 +91,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -94,7 +106,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -105,9 +119,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-prompt-template/3.8.json b/json_schemas/ai-prompt-template/3.8.json index 594030d0..99f12ea0 100644 --- a/json_schemas/ai-prompt-template/3.8.json +++ b/json_schemas/ai-prompt-template/3.8.json @@ -40,7 +40,9 @@ "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -51,7 +53,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -62,7 +66,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -80,7 +86,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -93,7 +101,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -104,9 +114,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file 
diff --git a/json_schemas/ai-proxy-advanced/3.8.json b/json_schemas/ai-proxy-advanced/3.8.json index cc107278..45b9e011 100644 --- a/json_schemas/ai-proxy-advanced/3.8.json +++ b/json_schemas/ai-proxy-advanced/3.8.json @@ -73,7 +73,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "embeddings": { 
@@ -86,23 +88,23 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { 
@@ -111,7 +113,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "gcp_use_service_account": { @@ -120,11 +122,11 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "param_location": { 
@@ -136,15 +138,17 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "model": { @@ -166,7 +170,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "provider": { 
@@ -212,23 +218,23 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { 
@@ -237,7 +243,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "gcp_use_service_account": { @@ -246,11 +252,11 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "param_location": { 
@@ -262,15 +268,17 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "description": { @@ -290,7 +298,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "model": { @@ -326,7 +336,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "gemini": { @@ -344,7 +356,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "input_cost": { @@ -406,7 +420,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "provider": { @@ -493,7 +509,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, @@ -534,7 +552,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { 
@@ -578,14 +596,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -598,7 +618,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -616,11 +636,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -667,7 +689,9 @@ "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { 
@@ -678,7 +702,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -689,7 +715,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -707,7 +735,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -720,7 +750,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -731,9 +763,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-proxy/3.8.json b/json_schemas/ai-proxy/3.8.json index 5e20a580..187757ea 100644 --- a/json_schemas/ai-proxy/3.8.json +++ b/json_schemas/ai-proxy/3.8.json 
@@ -10,23 +10,23 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { 
@@ -35,7 +35,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "gcp_use_service_account": { @@ -44,11 +44,11 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "param_location": { 
@@ -60,15 +60,17 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "logging": { @@ -84,7 +86,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "max_request_body_size": { @@ -126,7 +130,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "gemini": { @@ -144,7 +150,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "input_cost": { @@ -206,7 +214,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "provider": { @@ -224,7 +234,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "model_name_header": { @@ -252,7 +264,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -263,7 +277,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -274,7 +290,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -292,7 +310,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -305,7 +325,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
@@ -316,9 +338,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-rate-limiting-advanced/3.8.json b/json_schemas/ai-rate-limiting-advanced/3.8.json index 2cbb55a9..557f227d 100644 --- a/json_schemas/ai-rate-limiting-advanced/3.8.json +++ b/json_schemas/ai-rate-limiting-advanced/3.8.json @@ -116,7 +116,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, @@ -157,7 +159,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "port": { @@ -201,14 +203,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "sentinel_role": { 
@@ -221,7 +225,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -239,11 +243,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -312,7 +318,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -323,7 +331,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -334,7 +344,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -352,7 +364,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -365,7 +379,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -376,9 +392,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file 
diff --git a/json_schemas/ai-request-transformer/3.8.json b/json_schemas/ai-request-transformer/3.8.json index 24d8427e..0e27d1d2 100644 --- a/json_schemas/ai-request-transformer/3.8.json +++ b/json_schemas/ai-request-transformer/3.8.json 
@@ -42,23 +42,23 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { 
@@ -67,7 +67,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "gcp_use_service_account": { @@ -76,11 +76,11 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_location": { 
@@ -92,15 +92,17 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "logging": { @@ -116,7 +118,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "model": { @@ -152,7 +156,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "gemini": { @@ -170,7 +176,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "input_cost": { @@ -232,7 +240,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "provider": { @@ -250,7 +260,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "route_type": { @@ -263,7 +275,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "max_request_body_size": { @@ -281,7 +295,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -292,7 +308,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -310,7 +328,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -323,7 +343,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
@@ -334,9 +356,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-response-transformer/3.8.json b/json_schemas/ai-response-transformer/3.8.json index cb98309b..49b11492 100644 --- a/json_schemas/ai-response-transformer/3.8.json +++ b/json_schemas/ai-response-transformer/3.8.json 
@@ -42,23 +42,23 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { 
@@ -67,7 +67,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "gcp_use_service_account": { @@ -76,11 +76,11 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_location": { 
@@ -92,15 +92,17 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "logging": { @@ -116,7 +118,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "model": { @@ -152,7 +156,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "gemini": { @@ -170,7 +176,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "input_cost": { @@ -232,7 +240,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "provider": { @@ -250,7 +260,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "route_type": { @@ -263,7 +275,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "max_request_body_size": { @@ -286,7 +300,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -297,7 +313,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -308,7 +326,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -326,7 +346,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -339,7 +361,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -350,9 +374,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-semantic-cache/3.8.json b/json_schemas/ai-semantic-cache/3.8.json index 17a6dee2..e6197fe4 100644 --- a/json_schemas/ai-semantic-cache/3.8.json +++ b/json_schemas/ai-semantic-cache/3.8.json 
@@ -23,23 +23,23 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { 
@@ -48,7 +48,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "gcp_use_service_account": { @@ -57,11 +57,11 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_location": { 
@@ -73,15 +73,17 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "model": { @@ -103,7 +105,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "provider": { @@ -115,11 +119,15 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "exact_caching": { @@ -187,7 +195,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, @@ -228,7 +238,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "port": { 
@@ -272,14 +282,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "sentinel_role": { @@ -292,7 +304,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -310,11 +322,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { 
@@ -351,11 +365,15 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -366,7 +384,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -384,7 +404,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -397,7 +419,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -408,9 +432,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ai-semantic-prompt-guard/3.8.json b/json_schemas/ai-semantic-prompt-guard/3.8.json index bd82c0ee..8aa8bee7 100644 --- a/json_schemas/ai-semantic-prompt-guard/3.8.json +++ b/json_schemas/ai-semantic-prompt-guard/3.8.json 
@@ -12,23 +12,23 @@ "type": "boolean" }, "aws_access_key_id": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_secret_access_key": { - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_tenant_id": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_use_managed_identity": { 
@@ -37,7 +37,7 @@ "type": "boolean" }, "gcp_service_account_json": { - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "gcp_use_service_account": { @@ -46,11 +46,11 @@ "type": "boolean" }, "header_name": { - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_location": { 
@@ -62,15 +62,17 @@ "type": "string" }, "param_name": { - "description": "If AI model requires authentication via query parameter, specify its name here.", + "description": "If AI model requires authentication via query parameter, specify its name here.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "model": { @@ -92,7 +94,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "provider": { @@ -104,11 +108,15 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "rules": { @@ -118,7 +126,9 @@ "items": { "maxLength": 500, "minLength": 1, - "required": [], + "required": [ + + ], "type": "string" }, "maxLength": 100, @@ -129,7 +139,9 @@ "items": { "maxLength": 500, "minLength": 1, - "required": [], + "required": [ + + ], "type": "string" }, "maxLength": 100, @@ -152,7 +164,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "search": { @@ -163,7 +177,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "vectordb": { @@ -204,7 +220,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, 
@@ -245,7 +263,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "port": { @@ -289,14 +307,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "sentinel_role": { @@ -309,7 +329,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
@@ -327,11 +347,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -368,11 +390,15 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -383,7 +409,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -394,7 +422,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -412,7 +442,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -425,7 +457,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -436,9 +470,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/app-dynamics/3.8.json b/json_schemas/app-dynamics/3.8.json index 984044ad..fa37327f 100644 --- a/json_schemas/app-dynamics/3.8.json +++ b/json_schemas/app-dynamics/3.8.json @@ -2,8 +2,11 @@ "properties": { "config": { "additionalProperties": true, - "properties": {}, - "required": [], + "properties": { + }, + "required": [ + + ], "type": "object" }, "consumer": { 
@@ -14,7 +17,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -32,7 +37,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -45,7 +52,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -56,9 +65,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/application-registration/3.8.json b/json_schemas/application-registration/3.8.json index c0e82ee3..84b50628 100644 --- a/json_schemas/application-registration/3.8.json +++ b/json_schemas/application-registration/3.8.json @@ -9,7 +9,8 @@ }, "description": { "description": "Unique description displayed in information about a Service in the Developer Portal.", - "type": "string" + "type": "string", + "unique": true }, "display_name": { "description": "Unique display name used for a Service in the Developer Portal.", @@ -26,7 +27,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -44,11 +47,15 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/aws-lambda/3.8.json b/json_schemas/aws-lambda/3.8.json index 531f6aac..e90e09aa 100644 --- a/json_schemas/aws-lambda/3.8.json +++ b/json_schemas/aws-lambda/3.8.json @@ -3,7 +3,7 @@ "config": { "properties": { "aws_assume_role_arn": { - "description": "The target AWS IAM role ARN used to invoke the Lambda function.", + "description": "The target AWS IAM role ARN used to invoke the Lambda function.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_imds_protocol_version": { 
@@ -16,7 +16,7 @@ "type": "string" }, "aws_key": { - "description": "The AWS key credential to be used when invoking the function.", + "description": "The AWS key credential to be used when invoking the function.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_region": { @@ -29,7 +29,7 @@ "type": "string" }, "aws_secret": { - "description": "The AWS secret credential to be used when invoking the function. ", + "description": "The AWS secret credential to be used when invoking the function. \nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_sts_endpoint_url": { @@ -148,7 +148,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -159,7 +161,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -177,7 +181,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -190,7 +196,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -201,9 +209,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/azure-functions/3.8.json b/json_schemas/azure-functions/3.8.json index 8c4378f8..6fc519b4 100644 --- a/json_schemas/azure-functions/3.8.json +++ b/json_schemas/azure-functions/3.8.json 
@@ -3,7 +3,7 @@ "config": { "properties": { "apikey": { - "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "appname": { @@ -11,7 +11,7 @@ "type": "string" }, "clientid": { - "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.", + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "functionname": { @@ -49,7 +49,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -60,7 +62,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -85,7 +89,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -98,7 +104,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -109,9 +117,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/basic-auth/3.8.json b/json_schemas/basic-auth/3.8.json index d67e26e6..da803a97 100644 --- a/json_schemas/basic-auth/3.8.json +++ b/json_schemas/basic-auth/3.8.json @@ -17,7 +17,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -39,7 +41,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -52,7 +56,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -63,9 +69,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/bot-detection/3.8.json b/json_schemas/bot-detection/3.8.json index 0a4e686c..2233a89d 100644 --- a/json_schemas/bot-detection/3.8.json +++ b/json_schemas/bot-detection/3.8.json @@ -3,27 +3,37 @@ "config": { "properties": { "allow": { - "default": [], + "default": [ + + ], "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", "items": { "is_regex": true, - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "deny": { - "default": [], + "default": [ + + ], "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", "items": { "is_regex": true, - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -41,7 +51,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -54,7 +66,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -65,9 +79,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/canary/3.8.json b/json_schemas/canary/3.8.json index b7ecf25f..39072c60 100644 --- a/json_schemas/canary/3.8.json +++ b/json_schemas/canary/3.8.json 
@@ -15,7 +15,9 @@ "groups": { "description": "The groups allowed to access the canary release.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -74,7 +76,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "hash": { "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead.", @@ -98,7 +102,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -111,7 +117,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -122,9 +130,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/confluent/3.8.json b/json_schemas/confluent/3.8.json index 8355c951..bc67e458 100644 --- a/json_schemas/confluent/3.8.json +++ b/json_schemas/confluent/3.8.json @@ -26,11 +26,11 @@ "type": "array" }, "cluster_api_key": { - "description": "Username/Apikey for SASL authentication.", + "description": "Username/Apikey for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "cluster_api_secret": { - "description": "Password/ApiSecret for SASL authentication.", + "description": "Password/ApiSecret for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "cluster_name": { 
@@ -38,11 +38,11 @@ "type": "string" }, "confluent_cloud_api_key": { - "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", + "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "confluent_cloud_api_secret": { - "description": "The corresponding secret for the Confluent Cloud API key.", + "description": "The corresponding secret for the Confluent Cloud API key.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "forward_body": { @@ -134,7 +134,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -145,7 +147,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -163,7 +167,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -176,7 +182,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -187,9 +195,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/correlation-id/3.8.json b/json_schemas/correlation-id/3.8.json index a6dd6f8d..776a2f3e 100644 --- a/json_schemas/correlation-id/3.8.json +++ b/json_schemas/correlation-id/3.8.json @@ -23,7 +23,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -34,7 +36,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -52,7 +56,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -65,7 +71,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -76,9 +84,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/cors/3.8.json b/json_schemas/cors/3.8.json index d3d2518f..b0254d05 100644 --- a/json_schemas/cors/3.8.json +++ b/json_schemas/cors/3.8.json @@ -10,7 +10,9 @@ "exposed_headers": { "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -18,7 +20,9 @@ "headers": { "description": "Value for the `Access-Control-Allow-Headers` header.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -52,7 +56,9 @@ "PUT", "TRACE" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -60,7 +66,9 @@ "origins": { "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -76,7 +84,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -95,7 +105,9 @@ "https" ], "minLength": 1, - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -108,7 +120,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
@@ -119,9 +133,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/datadog-tracing/3.8.json b/json_schemas/datadog-tracing/3.8.json index a599aec1..b5723945 100644 --- a/json_schemas/datadog-tracing/3.8.json +++ b/json_schemas/datadog-tracing/3.8.json @@ -17,6 +17,7 @@ "type": "integer" }, "endpoint": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "environment": { @@ -40,7 +41,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -51,7 +54,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -69,7 +74,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -82,7 +89,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -93,9 +102,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/datadog/3.8.json b/json_schemas/datadog/3.8.json index b32b6dcf..12d04755 100644 --- a/json_schemas/datadog/3.8.json +++ b/json_schemas/datadog/3.8.json @@ -13,7 +13,7 @@ }, "host": { "default": "localhost", - "description": "A string representing a host name, such as example.com.", + "description": "A string representing a host name, such as example.com.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "metrics": { @@ -75,7 +75,9 @@ "description": "List of tags", "items": { "pattern": "^.*[^:]$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
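Review bot: In the `@@ -17,6 +17,7 @@` hunk of json_schemas/datadog-tracing/3.8.json the description added for `endpoint` consists only of the referenceable note, so the field still has no explanation of what it is. It is also not marked encrypted, although http-log's `http_endpoint`, likewise a URL, gains both notes later in this patch. If `endpoint` can carry a credential in the URL, it would be stored without keyring encryption unless a vault reference is used; this is inferred from the descriptions only and should be checked against the plugin schema. I would open the description with a sentence of the form `<what the endpoint is and what is sent to it>` before the referenceable note, and add `This field is [encrypted](/gateway/keyring/).` only once the upstream schema marks it so.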
@@ -157,7 +159,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "queue_size": { @@ -179,7 +183,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -190,7 +196,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -215,7 +223,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -228,7 +238,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -239,9 +251,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/degraphql/3.8.json b/json_schemas/degraphql/3.8.json index 305dfff1..4d44acc6 100644 --- a/json_schemas/degraphql/3.8.json +++ b/json_schemas/degraphql/3.8.json @@ -8,7 +8,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -26,7 +28,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -39,7 +43,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -50,9 +56,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/exit-transformer/3.8.json b/json_schemas/exit-transformer/3.8.json index 423006b1..f65b3b1f 100644 --- a/json_schemas/exit-transformer/3.8.json +++ b/json_schemas/exit-transformer/3.8.json @@ -4,7 +4,9 @@ "properties": { "functions": { "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -20,7 +22,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { 
@@ -31,7 +35,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -49,7 +55,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -62,7 +70,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -73,9 +83,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/file-log/3.8.json b/json_schemas/file-log/3.8.json index 1144bb8d..7b34b71e 100644 --- a/json_schemas/file-log/3.8.json +++ b/json_schemas/file-log/3.8.json @@ -18,7 +18,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -29,7 +31,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -54,7 +58,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -67,7 +73,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -78,9 +86,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/forward-proxy/3.8.json b/json_schemas/forward-proxy/3.8.json index 800452c3..c0f4b52a 100644 --- a/json_schemas/forward-proxy/3.8.json +++ b/json_schemas/forward-proxy/3.8.json 
@@ -3,11 +3,11 @@ "config": { "properties": { "auth_password": { - "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "auth_username": { - "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "http_proxy_host": { @@ -54,7 +54,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "proxy_host": { "type": "string" @@ -73,7 +75,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -91,7 +95,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -104,7 +110,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -115,9 +123,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/graphql-proxy-cache-advanced/3.8.json b/json_schemas/graphql-proxy-cache-advanced/3.8.json index c79380fc..82eea9ce 100644 --- a/json_schemas/graphql-proxy-cache-advanced/3.8.json +++ b/json_schemas/graphql-proxy-cache-advanced/3.8.json @@ -21,7 +21,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "redis": { @@ -48,7 +50,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, 
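Review bot: In the first hunk of json_schemas/forward-proxy/3.8.json the new description for `auth_password` carries only the referenceable note, while the Redis `password` and `sentinel_password` fields in this same patch also get `This field is [encrypted](/gateway/keyring/).`. If that mirrors the plugin schema rather than a gap in the export, the forward proxy's basic-auth password is stored without keyring encryption unless the operator supplies it as a vault reference. Please confirm against the upstream schema. If the field really is unencrypted, either fix it there or say so in the description, for example by appending `This field is not keyring-encrypted; supply it as a vault reference.`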
@@ -89,7 +93,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "port": { @@ -133,14 +137,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "sentinel_role": { @@ -153,7 +159,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
@@ -171,11 +177,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -212,13 +220,17 @@ "vary_headers": { "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -229,7 +241,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -247,7 +261,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -260,7 +276,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -271,9 +289,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/graphql-rate-limiting-advanced/3.8.json b/json_schemas/graphql-rate-limiting-advanced/3.8.json index 0d3eebbc..aa4f161d 100644 --- a/json_schemas/graphql-rate-limiting-advanced/3.8.json +++ b/json_schemas/graphql-rate-limiting-advanced/3.8.json 
@@ -34,7 +34,9 @@ "limit": { "description": "One or more requests-per-window limits to apply.", "items": { - "required": [], + "required": [ + + ], "type": "number" }, "type": "array" @@ -72,7 +74,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, @@ -113,7 +117,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "port": { @@ -157,14 +161,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "sentinel_role": { @@ -177,7 +183,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
@@ -195,11 +201,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -246,7 +254,9 @@ "window_size": { "description": "One or more window sizes to apply a limit to (defined in seconds).", "items": { - "required": [], + "required": [ + + ], "type": "number" }, "type": "array" @@ -261,7 +271,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -272,7 +284,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -290,7 +304,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -303,7 +319,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -314,9 +332,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/grpc-gateway/3.8.json b/json_schemas/grpc-gateway/3.8.json index f9b0ae1e..2ae37a8c 100644 --- a/json_schemas/grpc-gateway/3.8.json +++ b/json_schemas/grpc-gateway/3.8.json @@ -7,7 +7,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -18,7 +20,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -43,7 +47,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -56,7 +62,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -67,9 +75,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/grpc-web/3.8.json b/json_schemas/grpc-web/3.8.json index 41a21e62..31f56172 100644 --- a/json_schemas/grpc-web/3.8.json +++ b/json_schemas/grpc-web/3.8.json @@ -16,7 +16,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -27,7 +29,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -52,7 +56,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -65,7 +71,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -76,9 +84,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/header-cert-auth/3.8.json b/json_schemas/header-cert-auth/3.8.json index 0b872fc3..cd742de3 100644 --- a/json_schemas/header-cert-auth/3.8.json +++ b/json_schemas/header-cert-auth/3.8.json @@ -23,7 +23,9 @@ "ca_certificates": { "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", "items": { - "required": [], + "required": [ + + ], "type": "string", "uuid": true }, @@ -62,7 +64,9 @@ "custom_id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -117,7 +121,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -135,7 +141,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -148,7 +156,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -159,9 +169,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/hmac-auth/3.8.json b/json_schemas/hmac-auth/3.8.json index 163911ba..1e3ae8ec 100644 --- a/json_schemas/hmac-auth/3.8.json +++ b/json_schemas/hmac-auth/3.8.json @@ -17,7 +17,9 @@ "hmac-sha384", "hmac-sha512" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -33,10 +35,14 @@ "type": "number" }, "enforce_headers": { - "default": [], + "default": [ + + ], "description": "A list of headers that the client should at least use for HTTP signature creation.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -56,7 +62,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -78,7 +86,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -91,7 +101,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -102,9 +114,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/http-log/3.8.json b/json_schemas/http-log/3.8.json index 548d1ad5..927b783f 100644 --- a/json_schemas/http-log/3.8.json +++ b/json_schemas/http-log/3.8.json 
@@ -26,7 +26,7 @@ "type": "object" }, "http_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "keepalive": { @@ -100,7 +100,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "queue_size": { @@ -117,7 +119,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -128,7 +132,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -153,7 +159,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -166,7 +174,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -177,9 +187,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ip-restriction/3.8.json b/json_schemas/ip-restriction/3.8.json index 00e778e7..83800949 100644 --- a/json_schemas/ip-restriction/3.8.json +++ b/json_schemas/ip-restriction/3.8.json @@ -6,7 +6,9 @@ "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", "items": { "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
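Review bot: The sentence appended to the `http_endpoint` description, `This field is [encrypted](/gateway/keyring/).`, reads as an unconditional guarantee. As far as I know keyring encryption in Kong Gateway is opt-in, so the value would be stored in plaintext unless the keyring is enabled; please confirm this against the keyring documentation. If so, I would word it as `This field is encrypted at rest when [keyring](/gateway/keyring/) is enabled.` so operators do not assume a URL with embedded credentials is protected by default. The same sentence is added to the password and username descriptions in the jwt-signer, kafka-log and kafka-upstream hunks further down. These schema files look generated, so the wording is probably best changed in the generator rather than in each file.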
@@ -15,7 +17,9 @@ "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", "items": { "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -29,7 +33,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -40,7 +46,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -51,7 +59,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -78,7 +88,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -91,7 +103,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -102,9 +116,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/jq/3.8.json b/json_schemas/jq/3.8.json index 562724b3..7a686c75 100644 --- a/json_schemas/jq/3.8.json +++ b/json_schemas/jq/3.8.json @@ -7,7 +7,9 @@ "application/json" ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -38,7 +40,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "response_if_media_type": { @@ -46,7 +50,9 @@ "application/json" ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -58,7 +64,9 @@ "items": { "maximum": 599, "minimum": 100, - "required": [], + "required": [ + + ], "type": "integer" }, "type": "array" @@ -89,11 +97,15 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { 
@@ -104,7 +116,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -122,7 +136,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -135,7 +151,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -146,9 +164,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/json-threat-protection/3.8.json b/json_schemas/json-threat-protection/3.8.json index 86d98f32..43827bd8 100644 --- a/json_schemas/json-threat-protection/3.8.json +++ b/json_schemas/json-threat-protection/3.8.json @@ -66,7 +66,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -84,7 +86,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -97,7 +101,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -108,9 +114,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/jwe-decrypt/3.8.json b/json_schemas/jwe-decrypt/3.8.json index dd09fa60..019e6fb1 100644 --- a/json_schemas/jwe-decrypt/3.8.json +++ b/json_schemas/jwe-decrypt/3.8.json @@ -10,7 +10,9 @@ "key_sets": { "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -26,7 +28,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -44,7 +48,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -57,7 +63,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -68,9 +76,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/jwt-signer/3.8.json b/json_schemas/jwt-signer/3.8.json index 3be7f441..34d6a776 100644 --- a/json_schemas/jwt-signer/3.8.json +++ b/json_schemas/jwt-signer/3.8.json @@ -14,7 +14,9 @@ "id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -22,7 +24,9 @@ "access_token_consumer_claim": { "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -47,7 +51,9 @@ "id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -55,7 +61,9 @@ "access_token_introspection_consumer_claim": { "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -72,7 +80,9 @@ "access_token_introspection_jwt_claim": { "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -88,7 +98,9 @@ ], "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -96,7 +108,9 @@ "access_token_introspection_scopes_required": { "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -119,11 +133,11 @@ "type": "string" }, "access_token_jwks_uri_client_password": { - "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`", + "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "access_token_jwks_uri_client_username": { - "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`", + "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "access_token_jwks_uri_rotate_period": { 
@@ -141,11 +155,11 @@ "type": "string" }, "access_token_keyset_client_password": { - "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`", + "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "access_token_keyset_client_username": { - "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`", + "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "access_token_keyset_rotate_period": { @@ -174,7 +188,9 @@ ], "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -182,7 +198,9 @@ "access_token_scopes_required": { "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -253,7 +271,9 @@ "id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -261,7 +281,9 @@ "channel_token_consumer_claim": { "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -269,7 +291,9 @@ "channel_token_introspection_authorization": { "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "string" @@ -277,7 +301,9 @@ "channel_token_introspection_body_args": { "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "string" @@ -294,7 +320,9 @@ "id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -302,7 +330,9 @@ "channel_token_introspection_consumer_claim": { "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -314,7 +344,9 @@ "channel_token_introspection_hint": { "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "string" @@ -322,7 +354,9 @@ "channel_token_introspection_jwt_claim": { "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -338,7 +372,9 @@ ], "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -346,7 +382,9 @@ "channel_token_introspection_scopes_required": { "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -369,11 +407,11 @@ "type": "string" }, "channel_token_jwks_uri_client_password": { - "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`", + "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "channel_token_jwks_uri_client_username": { - "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", + "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "channel_token_jwks_uri_rotate_period": { 
@@ -391,11 +429,11 @@ "type": "string" }, "channel_token_keyset_client_password": { - "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_username`", + "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_username`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "channel_token_keyset_client_username": { - "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`", + "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "channel_token_keyset_rotate_period": { @@ -423,7 +461,9 @@ ], "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -431,7 +471,9 @@ "channel_token_scopes_required": { "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -497,19 +539,27 @@ "type": "string" }, "remove_access_token_claims": { - "default": [], + "default": [ + + ], "description": "remove claims. It should be an array, and each element is a claim key string.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "remove_channel_token_claims": { - "default": [], + "default": [ + + ], "description": "remove claims. It should be an array, and each element is a claim key string.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -589,7 +639,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -607,7 +659,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -620,7 +674,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -631,9 +687,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/jwt/3.8.json b/json_schemas/jwt/3.8.json index 256f1af8..6a6338ce 100644 --- a/json_schemas/jwt/3.8.json +++ b/json_schemas/jwt/3.8.json @@ -13,16 +13,22 @@ "exp", "nbf" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "cookie_names": { - "default": [], + "default": [ + + ], "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -33,7 +39,9 @@ ], "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -70,13 +78,17 @@ ], "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -94,7 +106,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -107,7 +121,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -118,9 +134,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/kafka-log/3.8.json b/json_schemas/kafka-log/3.8.json index 03450b52..f71e86fd 100644 --- a/json_schemas/kafka-log/3.8.json +++ b/json_schemas/kafka-log/3.8.json @@ -14,7 +14,7 @@ "type": "string" }, "password": { - "description": "Password for SASL authentication.", + "description": "Password for SASL authentication.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "strategy": { @@ -29,11 +29,13 @@ "type": "boolean" }, "user": { - "description": "Username for SASL authentication.", + "description": "Username for SASL authentication.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "bootstrap_servers": { @@ -138,7 +140,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "timeout": { @@ -151,7 +155,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -162,7 +168,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -184,7 +192,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -197,7 +207,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -208,9 +220,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/kafka-upstream/3.8.json b/json_schemas/kafka-upstream/3.8.json index 28be0e0e..15f794bd 100644 --- a/json_schemas/kafka-upstream/3.8.json +++ b/json_schemas/kafka-upstream/3.8.json @@ -14,7 +14,7 @@ "type": "string" }, "password": { - "description": "Password for SASL authentication.", + "description": "Password for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "strategy": { @@ -29,11 +29,13 @@ "type": "boolean" }, "user": { - "description": "Username for SASL authentication.", + "description": "Username for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "bootstrap_servers": { @@ -154,7 +156,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "timeout": { @@ -167,7 +171,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -178,7 +184,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -196,7 +204,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -209,7 +219,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
@@ -220,9 +232,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/key-auth-enc/3.8.json b/json_schemas/key-auth-enc/3.8.json index e436fd07..393987e0 100644 --- a/json_schemas/key-auth-enc/3.8.json +++ b/json_schemas/key-auth-enc/3.8.json @@ -33,7 +33,9 @@ "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "items": { "description": "A string representing an HTTP header name.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -48,7 +50,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -70,7 +74,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -83,7 +89,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -94,9 +102,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/key-auth/3.8.json b/json_schemas/key-auth/3.8.json index 42a51f9a..a37eb540 100644 --- a/json_schemas/key-auth/3.8.json +++ b/json_schemas/key-auth/3.8.json @@ -33,7 +33,9 @@ "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "items": { "description": "A string representing an HTTP header name.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -48,7 +50,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -70,7 +74,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -83,7 +89,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -94,9 +102,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/konnect-application-auth/3.8.json b/json_schemas/konnect-application-auth/3.8.json index 0796cbc7..7627046f 100644 --- a/json_schemas/konnect-application-auth/3.8.json +++ b/json_schemas/konnect-application-auth/3.8.json @@ -19,7 +19,9 @@ "description": "The names of the headers containing the API key. You can specify multiple header names.", "items": { "description": "A string representing an HTTP header name.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -44,13 +46,17 @@ "description": "The names of the headers containing the API key. You can specify multiple header names.", "items": { "description": "A string representing an HTTP header name.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "strategy_id": { @@ -80,7 +86,9 @@ "audience": { "description": "The audience passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -91,7 +99,9 @@ ], "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -99,7 +109,9 @@ "audience_required": { "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -129,7 +141,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -137,7 +151,9 @@ "authenticated_groups_claim": { "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -183,7 +199,9 @@ "authorization_query_args_client": { "description": "Extra query arguments passed from the client to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -191,7 +209,9 @@ "authorization_query_args_names": { "description": "Extra query argument names passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -199,7 +219,9 @@ "authorization_query_args_values": { "description": "Extra query argument values passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -227,7 +249,9 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -285,7 +309,9 @@ "claims_forbidden": { "description": "If given, these claims are forbidden in the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -308,7 +334,9 @@ "RS384", "RS512" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -330,7 +358,9 @@ "self_signed_tls_client_auth", "tls_client_auth" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -348,15 +378,20 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "client_id": { - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.\nThis field is [encrypted](/gateway/keyring/).", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -372,12 +407,15 @@ "type": "string" }, "d": { + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dp": { + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dq": { + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "e": { @@ -387,11 +425,14 @@ "type": "string" }, "k": { + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "key_ops": { "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -406,21 +447,27 @@ "type": "string" }, "oth": { + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "p": { + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "q": { + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "qi": { + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "r": { + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "t": { + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "use": { @@ -431,7 +478,9 @@ }, "x5c": { "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -449,15 +498,20 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "type": "array" }, "client_secret": { - "description": "The client secret.", + "description": "The client secret.\nThis field is [encrypted](/gateway/keyring/).", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -486,7 +540,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, 
@@ -527,7 +583,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "port": { @@ -571,14 +627,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "sentinel_role": { @@ -591,7 +649,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
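Review bot: The two annotation sentences are appended in a different order for the same field. `password` and `sentinel_password` here read "referenceable" then "encrypted", while the second Redis block later in this file (hunks `@@ -1335,7 +1458,7 @@` and `@@ -1383,14 +1506,16 @@`) has "encrypted" then "referenceable". The text is otherwise identical, so this looks like unordered output from whatever produces the descriptions (inferred), and it will cause spurious diffs each time the schemas are regenerated. Emit the sentences in one fixed order, for example always `This field is [encrypted](/gateway/keyring/).` first.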
@@ -609,11 +667,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -659,7 +719,9 @@ "id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -667,7 +729,9 @@ "consumer_claim": { "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -683,7 +747,9 @@ ], "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -702,7 +768,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -710,7 +778,9 @@ "discovery_headers_names": { "description": "Extra header names passed to the discovery endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -718,7 +788,9 @@ "discovery_headers_values": { "description": "Extra header values passed to the discovery endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -731,7 +803,9 @@ "domains": { "description": "The allowed values for the `hd` claim.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -747,7 +821,9 @@ "downstream_headers_claims": { "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -755,7 +831,9 @@ "downstream_headers_names": { "description": "The downstream header names for the claim values.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -820,7 +898,9 @@ "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -839,7 +919,9 @@ "description": "Where to redirect the client on forbidden requests.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -850,7 +932,9 @@ ], "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -858,7 +942,9 @@ "groups_required": { "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -906,13 +992,17 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ignore_signature": { - "default": [], + "default": [ + + ], "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", "items": { "enum": [ @@ -924,7 +1014,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -969,7 +1061,9 @@ "introspection_headers_client": { "description": "Extra headers passed from the client to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -977,15 +1071,20 @@ "introspection_headers_names": { "description": "Extra header names passed to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "introspection_headers_values": { - "description": "Extra header values passed to the introspection endpoint.", + "description": "Extra header values passed to the introspection endpoint.\nThis field is [encrypted](/gateway/keyring/).", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -998,7 +1097,9 @@ "introspection_post_args_client": { "description": "Extra post arguments passed from the client to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
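Review bot: `introspection_headers_values` (hunk `@@ -977,15 +1071,20 @@`) is now documented as encrypted and referenceable, but sibling fields that can carry the same kind of credential get no annotation in this commit. `introspection_post_args_values` (`@@ -1014,7 +1117,9 @@`), `token_headers_values`, `token_post_args_values` and `userinfo_headers_values` only have their `required` array reformatted. If those fields really are stored without keyring encryption, an API key or bearer value placed in them is persisted in plaintext, and the description should say so, e.g. `"description": "Extra header values passed to the token endpoint. Values are stored unencrypted; do not place credentials here."`. If they are protected, the annotation is simply missing. Either way the fix probably belongs in the plugin schema these files appear to be generated from.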
@@ -1006,7 +1107,9 @@ "introspection_post_args_names": { "description": "Extra post argument names passed to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1014,7 +1117,9 @@ "introspection_post_args_values": { "description": "Extra post argument values passed to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1031,7 +1136,9 @@ "issuers_allowed": { "description": "The issuers allowed to be present in the tokens (`iss` claim).", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1082,7 +1189,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1099,8 +1208,10 @@ "login_redirect_uri": { "description": "Where to redirect the client when `login_action` is set to `redirect`.", "items": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -1118,7 +1229,9 @@ "refresh_token", "tokens" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1135,7 +1248,9 @@ "GET", "POST" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -1151,8 +1266,10 @@ "logout_redirect_uri": { "description": "Where to redirect the client after the logout.", "items": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -1209,7 +1326,9 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1265,7 +1384,9 @@ "description": "The redirect URI passed to the authorization and token endpoints.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1294,7 +1415,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, @@ -1335,7 +1458,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { 
@@ -1383,14 +1506,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -1403,7 +1528,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -1425,11 +1550,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { 
@@ -1476,7 +1603,9 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1523,7 +1652,9 @@ ], "description": "The response type passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1561,7 +1692,9 @@ ], "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1569,7 +1702,9 @@ "roles_required": { "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1585,7 +1720,10 @@ ], "description": "The scopes passed to the authorization and token endpoints.", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -1596,7 +1734,9 @@ ], "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1604,7 +1744,9 @@ "scopes_required": { "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1730,7 +1872,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -1747,7 +1891,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1758,7 +1904,7 @@ "type": "number" }, "session_secret": { - "description": "The session secret.", + "description": "The session secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "session_storage": { @@ -1826,7 +1972,9 @@ "token_headers_client": { "description": "Extra headers passed from the client to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1840,7 +1988,9 @@ "password", "refresh_token" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1848,7 +1998,9 @@ "token_headers_names": { "description": "Extra header names passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1860,7 +2012,9 @@ "token_headers_replay": { "description": "The names of token endpoint response headers to forward to the downstream client.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1868,7 +2022,9 @@ "token_headers_values": { "description": "Extra header values passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -1876,7 +2032,9 @@ "token_post_args_client": { "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1884,7 +2042,9 @@ "token_post_args_names": { "description": "Extra post argument names passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1892,7 +2052,9 @@ "token_post_args_values": { "description": "Extra post argument values passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1911,7 +2073,9 @@ "description": "Where to redirect the client on unauthorized requests.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1920,7 +2084,9 @@ "description": "Where to redirect the client when unexpected errors happen with the requests.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1937,7 +2103,9 @@ "upstream_headers_claims": { "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -1945,7 +2113,9 @@ "upstream_headers_names": { "description": "The upstream header names for the claim values.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1998,7 +2168,9 @@ "userinfo_headers_client": { "description": "Extra headers passed from the client to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -2006,7 +2178,9 @@ "userinfo_headers_names": { "description": "Extra header names passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -2014,7 +2188,9 @@ "userinfo_headers_values": { "description": "Extra header values passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -2022,7 +2198,9 @@ "userinfo_query_args_client": { "description": "Extra query arguments passed from the client to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -2030,7 +2208,9 @@ "userinfo_query_args_names": { "description": "Extra query argument names passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -2038,7 +2218,9 @@ "userinfo_query_args_values": { "description": "Extra query argument values passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -2089,11 +2271,15 @@ "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -2111,7 +2297,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -2124,7 +2312,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
@@ -2135,9 +2325,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ldap-auth-advanced/3.8.json b/json_schemas/ldap-auth-advanced/3.8.json index 3963afba..bb1579a3 100644 --- a/json_schemas/ldap-auth-advanced/3.8.json +++ b/json_schemas/ldap-auth-advanced/3.8.json @@ -17,7 +17,7 @@ "type": "string" }, "bind_dn": { - "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", + "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "cache_ttl": { @@ -36,7 +36,9 @@ "custom_id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -62,7 +64,9 @@ "groups_required": { "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -87,7 +91,7 @@ "type": "string" }, "ldap_password": { - "description": "The password to the LDAP server.", + "description": "The password to the LDAP server.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "ldap_port": { 
@@ -125,7 +129,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -147,7 +153,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -160,7 +168,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -171,9 +181,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/ldap-auth/3.8.json b/json_schemas/ldap-auth/3.8.json index 01d68fe9..e4d24f03 100644 --- a/json_schemas/ldap-auth/3.8.json +++ b/json_schemas/ldap-auth/3.8.json @@ -70,7 +70,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -92,7 +94,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -105,7 +109,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -116,9 +122,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/loggly/3.8.json b/json_schemas/loggly/3.8.json index 5c5621cc..77b0e043 100644 --- a/json_schemas/loggly/3.8.json +++ b/json_schemas/loggly/3.8.json @@ -27,6 +27,7 @@ "type": "string" }, "key": { + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "log_level": { @@ -83,7 +84,9 @@ "kong" ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -93,7 +96,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { 
@@ -104,7 +109,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -129,7 +136,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -142,7 +151,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -153,9 +164,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/mocking/3.8.json b/json_schemas/mocking/3.8.json index ef0dfd5c..ceb3d3a9 100644 --- a/json_schemas/mocking/3.8.json +++ b/json_schemas/mocking/3.8.json @@ -22,7 +22,9 @@ "included_status_codes": { "description": "A global list of the HTTP status codes that can only be selected and returned.", "items": { - "required": [], + "required": [ + + ], "type": "integer" }, "type": "array" @@ -53,7 +55,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -64,7 +68,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -82,7 +88,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -95,7 +103,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -106,9 +116,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/mtls-auth/3.8.json b/json_schemas/mtls-auth/3.8.json index e2d663a5..910e220b 100644 --- a/json_schemas/mtls-auth/3.8.json +++ b/json_schemas/mtls-auth/3.8.json 
@@ -23,7 +23,9 @@ "ca_certificates": { "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", "items": { - "required": [], + "required": [ + + ], "type": "string", "uuid": true }, @@ -50,7 +52,9 @@ "custom_id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -105,7 +109,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -123,7 +129,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -136,7 +144,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -147,9 +157,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/oas-validation/3.8.json b/json_schemas/oas-validation/3.8.json index a73a7a5d..1e421781 100644 --- a/json_schemas/oas-validation/3.8.json +++ b/json_schemas/oas-validation/3.8.json @@ -76,7 +76,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -87,7 +89,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -105,7 +109,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -118,7 +124,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -129,9 +137,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file 
diff --git a/json_schemas/oauth2-introspection/3.8.json b/json_schemas/oauth2-introspection/3.8.json index 5b600229..49ec6cde 100644 --- a/json_schemas/oauth2-introspection/3.8.json +++ b/json_schemas/oauth2-introspection/3.8.json @@ -9,7 +9,7 @@ "type": "string" }, "authorization_value": { - "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "consumer_by": { @@ -22,10 +22,14 @@ "type": "string" }, "custom_claims_forward": { - "default": [], + "default": [ + + ], "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -74,7 +78,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -92,7 +98,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -105,7 +113,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -116,9 +126,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file 
diff --git a/json_schemas/oauth2/3.8.json b/json_schemas/oauth2/3.8.json index 612af7ab..19901f44 100644 --- a/json_schemas/oauth2/3.8.json +++ b/json_schemas/oauth2/3.8.json @@ -66,7 +66,7 @@ "type": "string" }, "provision_key": { - "description": "The unique key the plugin has generated when it has been added to the Service.", + "description": "The unique key the plugin has generated when it has been added to the Service.\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "realm": { @@ -88,7 +88,9 @@ "scopes": { "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -99,7 +101,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -121,7 +125,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -134,7 +140,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -145,9 +153,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/opa/3.8.json b/json_schemas/opa/3.8.json index 60c4b8fc..58dc36d0 100644 --- a/json_schemas/opa/3.8.json +++ b/json_schemas/opa/3.8.json @@ -62,7 +62,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -80,7 +82,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -93,7 +97,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -104,9 +110,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file 
diff --git a/json_schemas/openid-connect/3.8.json b/json_schemas/openid-connect/3.8.json index 98df9cdd..98502670 100644 --- a/json_schemas/openid-connect/3.8.json +++ b/json_schemas/openid-connect/3.8.json @@ -9,7 +9,9 @@ "audience": { "description": "The audience passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -20,7 +22,9 @@ ], "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -28,7 +32,9 @@ "audience_required": { "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -58,7 +64,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -66,7 +74,9 @@ "authenticated_groups_claim": { "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -112,7 +122,9 @@ "authorization_query_args_client": { "description": "Extra query arguments passed from the client to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -120,7 +132,9 @@ "authorization_query_args_names": { "description": "Extra query argument names passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -128,7 +142,9 @@ "authorization_query_args_values": { "description": "Extra query argument values passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -156,7 +172,9 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -214,7 +232,9 @@ "claims_forbidden": { "description": "If given, these claims are forbidden in the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -237,7 +257,9 @@ "RS384", "RS512" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -259,7 +281,9 @@ "self_signed_tls_client_auth", "tls_client_auth" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -277,15 +301,20 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "client_id": { - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.\nThis field is [encrypted](/gateway/keyring/).", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -301,12 +330,15 @@ "type": "string" }, "d": { + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dp": { + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dq": { + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "e": { @@ -316,11 +348,14 @@ "type": "string" }, "k": { + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "key_ops": { "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -335,21 +370,27 @@ "type": "string" }, "oth": { + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "p": { + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "q": { + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "qi": { + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "r": { + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "t": { + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "use": { @@ -360,7 +401,9 @@ }, "x5c": { "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -378,15 +421,20 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "type": "array" }, "client_secret": { - "description": "The client secret.", + "description": "The client secret.\nThis field is [encrypted](/gateway/keyring/).", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -415,7 +463,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, 
@@ -456,7 +506,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "port": { @@ -500,14 +550,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "sentinel_role": { @@ -520,7 +572,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
@@ -538,11 +590,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -588,7 +642,9 @@ "id", "username" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -596,7 +652,9 @@ "consumer_claim": { "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -612,7 +670,9 @@ ], "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -631,7 +691,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -639,7 +701,9 @@ "discovery_headers_names": { "description": "Extra header names passed to the discovery endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -647,7 +711,9 @@ "discovery_headers_values": { "description": "Extra header values passed to the discovery endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -660,7 +726,9 @@ "domains": { "description": "The allowed values for the `hd` claim.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -676,7 +744,9 @@ "downstream_headers_claims": { "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -684,7 +754,9 @@ "downstream_headers_names": { "description": "The downstream header names for the claim values.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -749,7 +821,9 @@ "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -768,7 +842,9 @@ "description": "Where to redirect the client on forbidden requests.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -779,7 +855,9 @@ ], "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -787,7 +865,9 @@ "groups_required": { "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -835,13 +915,17 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ignore_signature": { - "default": [], + "default": [ + + ], "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", "items": { "enum": [ @@ -853,7 +937,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -898,7 +984,9 @@ "introspection_headers_client": { "description": "Extra headers passed from the client to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -906,15 +994,20 @@ "introspection_headers_names": { "description": "Extra header names passed to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "introspection_headers_values": { - "description": "Extra header values passed to the introspection endpoint.", + "description": "Extra header values passed to the introspection endpoint.\nThis field is [encrypted](/gateway/keyring/).", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -927,7 +1020,9 @@ "introspection_post_args_client": { "description": "Extra post arguments passed from the client to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -935,7 +1030,9 @@ "introspection_post_args_names": { "description": "Extra post argument names passed to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -943,7 +1040,9 @@ "introspection_post_args_values": { "description": "Extra post argument values passed to the introspection endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -960,7 +1059,9 @@ "issuers_allowed": { "description": "The issuers allowed to be present in the tokens (`iss` claim).", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1011,7 +1112,9 @@ "session", "userinfo" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1028,8 +1131,10 @@ "login_redirect_uri": { "description": "Where to redirect the client when `login_action` is set to `redirect`.", "items": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -1047,7 +1152,9 @@ "refresh_token", "tokens" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1064,7 +1171,9 @@ "GET", "POST" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -1080,8 +1189,10 @@ "logout_redirect_uri": { "description": "Where to redirect the client after the logout.", "items": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -1138,7 +1249,9 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1194,7 +1307,9 @@ "description": "The redirect URI passed to the authorization and token endpoints.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1223,7 +1338,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, @@ -1264,7 +1381,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { 
@@ -1312,14 +1429,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -1332,7 +1451,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -1354,11 +1473,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { 
@@ -1405,7 +1526,9 @@ "header", "query" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1452,7 +1575,9 @@ ], "description": "The response type passed to the authorization endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1490,7 +1615,9 @@ ], "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1498,7 +1625,9 @@ "roles_required": { "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1514,7 +1643,10 @@ ], "description": "The scopes passed to the authorization and token endpoints.", "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -1525,7 +1657,9 @@ ], "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1533,7 +1667,9 @@ "scopes_required": { "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1659,7 +1795,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -1676,7 +1814,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1687,7 +1827,7 @@ "type": "number" }, "session_secret": { - "description": "The session secret.", + "description": "The session secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "session_storage": { @@ -1755,7 +1895,9 @@ "token_headers_client": { "description": "Extra headers passed from the client to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1769,7 +1911,9 @@ "password", "refresh_token" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1777,7 +1921,9 @@ "token_headers_names": { "description": "Extra header names passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1789,7 +1935,9 @@ "token_headers_replay": { "description": "The names of token endpoint response headers to forward to the downstream client.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1797,7 +1945,9 @@ "token_headers_values": { "description": "Extra header values passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -1805,7 +1955,9 @@ "token_post_args_client": { "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1813,7 +1965,9 @@ "token_post_args_names": { "description": "Extra post argument names passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1821,7 +1975,9 @@ "token_post_args_values": { "description": "Extra post argument values passed to the token endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1840,7 +1996,9 @@ "description": "Where to redirect the client on unauthorized requests.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1849,7 +2007,9 @@ "description": "Where to redirect the client when unexpected errors happen with the requests.", "items": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1866,7 +2026,9 @@ "upstream_headers_claims": { "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -1874,7 +2036,9 @@ "upstream_headers_names": { "description": "The upstream header names for the claim values.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1927,7 +2091,9 @@ "userinfo_headers_client": { "description": "Extra headers passed from the client to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1935,7 +2101,9 @@ "userinfo_headers_names": { "description": "Extra header names passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1943,7 +2111,9 @@ "userinfo_headers_values": { "description": "Extra header values passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1951,7 +2121,9 @@ "userinfo_query_args_client": { "description": "Extra query arguments passed from the client to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1959,7 +2131,9 @@ "userinfo_query_args_names": { "description": "Extra query argument names passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1967,7 +2141,9 @@ "userinfo_query_args_values": { "description": "Extra query argument values passed to the user info endpoint.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -1998,7 +2174,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "authorization_cookie_httponly": { "type": "boolean" @@ -2178,7 +2356,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -2191,7 +2371,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
@@ -2202,9 +2384,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/opentelemetry/3.8.json b/json_schemas/opentelemetry/3.8.json index a7e8e181..fae04180 100644 --- a/json_schemas/opentelemetry/3.8.json +++ b/json_schemas/opentelemetry/3.8.json @@ -42,7 +42,7 @@ "type": "string" }, "logs_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "propagation": { @@ -53,7 +53,9 @@ "clear": { "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -84,7 +86,9 @@ "ot", "w3c" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -103,7 +107,9 @@ "preserve", "w3c" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -173,7 +179,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "read_timeout": { 
@@ -201,14 +209,16 @@ "type": "integer" }, "traces_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, @@ -222,7 +232,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -240,7 +252,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -253,7 +267,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -264,9 +280,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/post-function/3.8.json b/json_schemas/post-function/3.8.json index 33806f8a..fda803ac 100644 --- a/json_schemas/post-function/3.8.json +++ b/json_schemas/post-function/3.8.json 
@@ -3,87 +3,129 @@ "config": { "properties": { "access": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "body_filter": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "certificate": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "header_filter": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "log": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "rewrite": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_client_frame": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_close": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_handshake": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_upstream_frame": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -108,7 +150,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -121,7 +165,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -132,9 +178,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file 
diff --git a/json_schemas/pre-function/3.8.json b/json_schemas/pre-function/3.8.json index 33806f8a..fda803ac 100644 --- a/json_schemas/pre-function/3.8.json +++ b/json_schemas/pre-function/3.8.json @@ -3,87 +3,129 @@ "config": { "properties": { "access": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "body_filter": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "certificate": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "header_filter": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "log": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "rewrite": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_client_frame": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_close": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_handshake": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "ws_upstream_frame": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -108,7 +150,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -121,7 +165,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -132,9 +178,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/prometheus/3.8.json b/json_schemas/prometheus/3.8.json index 30370b04..c2bc326c 100644 --- a/json_schemas/prometheus/3.8.json +++ b/json_schemas/prometheus/3.8.json @@ -33,7 +33,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -44,7 +46,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -69,7 +73,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -82,7 +88,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -93,9 +101,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/proxy-cache-advanced/3.8.json b/json_schemas/proxy-cache-advanced/3.8.json index b8acf08c..a40e0b81 100644 --- a/json_schemas/proxy-cache-advanced/3.8.json +++ b/json_schemas/proxy-cache-advanced/3.8.json @@ -25,7 +25,9 @@ ], "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -43,7 +45,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "redis": { 
@@ -70,7 +74,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, @@ -111,7 +117,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "port": { @@ -155,14 +161,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "sentinel_role": { @@ -175,7 +183,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
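Review bot: The sentence appended to the Redis `password` description in the `@@ -111,7 +117,7 @@` hunk, `This field is [encrypted](/gateway/keyring/).`, states encryption without a condition, so a reader of the schema alone may conclude the password is always encrypted at rest. The link targets the keyring feature, which suggests the protection depends on keyring being enabled; if that is the case, the description should say so, for example `This field is encrypted at rest when [keyring](/gateway/keyring/) is enabled.` The same sentence is added to `sentinel_password` in this file and to the Redis password fields in the rate-limiting-advanced, rate-limiting and response-ratelimiting schemas further down. These files appear to be generated, so the wording would need to change in the generator or the upstream schema rather than in this JSON.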
@@ -193,11 +201,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -236,7 +246,9 @@ "POST", "PUT" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -251,7 +263,9 @@ "items": { "maximum": 900, "minimum": 100, - "required": [], + "required": [ + + ], "type": "integer" }, "minLength": 1, @@ -273,7 +287,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "storage_ttl": { @@ -291,7 +307,9 @@ "vary_headers": { "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -299,13 +317,17 @@ "vary_query_params": { "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -316,7 +338,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -327,7 +351,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -345,7 +371,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -358,7 +386,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -369,9 +399,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/proxy-cache/3.8.json b/json_schemas/proxy-cache/3.8.json index d0b32ca7..c2f2d7c7 100644 --- a/json_schemas/proxy-cache/3.8.json +++ b/json_schemas/proxy-cache/3.8.json @@ -20,7 +20,9 @@ ], "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -37,7 +39,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "request_method": { @@ -54,7 +58,9 @@ "POST", "PUT" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -69,7 +75,9 @@ "items": { "maximum": 900, "minimum": 100, - "required": [], + "required": [ + + ], "type": "integer" }, "minLength": 1, @@ -91,7 +99,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "storage_ttl": { @@ -108,7 +118,9 @@ "vary_headers": { "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -116,13 +128,17 @@ "vary_query_params": { "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { 
@@ -133,7 +149,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -144,7 +162,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -169,7 +189,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -182,7 +204,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -193,9 +217,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/rate-limiting-advanced/3.8.json b/json_schemas/rate-limiting-advanced/3.8.json index 1dcbce06..6d36c78d 100644 --- a/json_schemas/rate-limiting-advanced/3.8.json +++ b/json_schemas/rate-limiting-advanced/3.8.json @@ -5,7 +5,9 @@ "consumer_groups": { "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -62,7 +64,9 @@ "limit": { "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", "items": { - "required": [], + "required": [ + + ], "type": "number" }, "type": "array" @@ -99,7 +103,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, 
@@ -140,7 +146,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "port": { @@ -184,14 +190,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "sentinel_role": { @@ -204,7 +212,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
@@ -222,11 +230,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -273,7 +283,9 @@ "window_size": { "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", "items": { - "required": [], + "required": [ + + ], "type": "number" }, "type": "array" @@ -288,7 +300,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -299,7 +313,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -310,7 +326,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -328,7 +346,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -341,7 +361,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -352,9 +374,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/rate-limiting/3.8.json b/json_schemas/rate-limiting/3.8.json index aef90ea0..dec7898e 100644 --- a/json_schemas/rate-limiting/3.8.json +++ b/json_schemas/rate-limiting/3.8.json 
@@ -89,7 +89,7 @@ "type": "string" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "minLength": 0, "type": "string" }, @@ -122,11 +122,13 @@ "type": "integer" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "second": { @@ -145,7 +147,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "redis_database": { "translate_backwards": [ @@ -222,7 +226,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -233,7 +239,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -251,7 +259,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -264,7 +274,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -275,9 +287,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file 
diff --git a/json_schemas/request-size-limiting/3.8.json b/json_schemas/request-size-limiting/3.8.json index 3d4e9633..5259ed13 100644 --- a/json_schemas/request-size-limiting/3.8.json +++ b/json_schemas/request-size-limiting/3.8.json @@ -23,7 +23,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -34,7 +36,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -52,7 +56,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -65,7 +71,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -76,9 +84,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/request-termination/3.8.json b/json_schemas/request-termination/3.8.json index 96110caf..b9c25a41 100644 --- a/json_schemas/request-termination/3.8.json +++ b/json_schemas/request-termination/3.8.json @@ -31,7 +31,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -42,7 +44,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -53,7 +57,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -71,7 +77,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -84,7 +92,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -95,9 +105,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/request-transformer-advanced/3.8.json b/json_schemas/request-transformer-advanced/3.8.json index b7a77c42..f2a4a54a 100644 
--- a/json_schemas/request-transformer-advanced/3.8.json +++ b/json_schemas/request-transformer-advanced/3.8.json 
@@ -5,100 +5,146 @@ "add": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "items": { "enum": [ "boolean", "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "allow": { "properties": { "body": { "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "append": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "items": { "enum": [ "boolean", "number", "string" ], - "required": [], + "required": [ + + ], "type": 
"string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "dots_in_keys": { 
@@ -114,98 +160,148 @@ "remove": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "rename": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "replace": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" }, 
"json_types": { - "default": [], + "default": [ + + ], "items": { "enum": [ "boolean", "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "required": [ + + ], "type": "string" }, "type": "array" @@ -214,11 +310,15 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -229,7 +329,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -240,7 +342,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -258,7 +362,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -271,7 +377,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -282,9 +390,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/request-transformer/3.8.json b/json_schemas/request-transformer/3.8.json index 8a4551c8..ce375bb6 100644 --- a/json_schemas/request-transformer/3.8.json +++ b/json_schemas/request-transformer/3.8.json 
@@ -5,63 +5,91 @@ "add": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "append": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "http_method": { 
@@ -72,87 +100,127 @@ "remove": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "rename": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "replace": { "properties": { "body": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "querystring": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -161,11 +229,15 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -176,7 +248,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -187,7 +261,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { 
@@ -212,7 +288,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -225,7 +303,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -236,9 +316,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/request-validator/3.8.json b/json_schemas/request-validator/3.8.json index 5da7629d..71fb676d 100644 --- a/json_schemas/request-validator/3.8.json +++ b/json_schemas/request-validator/3.8.json @@ -8,7 +8,9 @@ ], "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -89,7 +91,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -100,7 +104,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -118,7 +124,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -131,7 +139,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -142,9 +152,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/response-ratelimiting/3.8.json b/json_schemas/response-ratelimiting/3.8.json index 6b390f52..ecbba7f8 100644 --- a/json_schemas/response-ratelimiting/3.8.json +++ b/json_schemas/response-ratelimiting/3.8.json 
@@ -61,7 +61,7 @@ "type": "string" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "minLength": 0, "type": "string" }, @@ -94,15 +94,19 @@ "type": "integer" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "redis_database": { "translate_backwards": [ @@ -179,7 +183,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -197,7 +203,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -210,7 +218,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -221,9 +231,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/response-transformer-advanced/3.8.json b/json_schemas/response-transformer-advanced/3.8.json index e5c923b4..251e8dc2 100644 --- a/json_schemas/response-transformer-advanced/3.8.json 
+++ b/json_schemas/response-transformer-advanced/3.8.json @@ -5,100 +5,140 @@ "add": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "if_status": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "items": { "enum": [ "boolean", "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "allow": { "properties": { "json": { "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "append": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "if_status": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "items": { "enum": [ "boolean", "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "dots_in_keys": { 
@@ -109,54 +149,78 @@ "remove": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "if_status": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "rename": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "if_status": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "replace": { 
@@ -166,78 +230,112 @@ "type": "string" }, "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "if_status": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "items": { "enum": [ "boolean", "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "transform": { "properties": { "functions": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "if_status": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -248,7 +346,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -259,7 +359,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -277,7 +379,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -290,7 +394,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -301,9 +407,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file 
diff --git a/json_schemas/response-transformer/3.8.json b/json_schemas/response-transformer/3.8.json index 340a58e4..c4180b30 100644 --- a/json_schemas/response-transformer/3.8.json +++ b/json_schemas/response-transformer/3.8.json @@ -5,25 +5,35 @@ "add": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "items": { "enum": [ @@ -31,37 +41,51 @@ "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "append": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "items": { "enum": [ 
@@ -69,83 +93,117 @@ "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "remove": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "rename": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "replace": { "properties": { "headers": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json": { - "default": [], + "default": [ + + ], "items": { "pattern": "^[^:]+:.*$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "json_types": { - "default": [], + "default": [ + + ], "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "items": { "enum": [ @@ -153,17 +211,23 @@ "number", "string" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -174,7 +238,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { 
@@ -185,7 +251,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -203,7 +271,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -216,7 +286,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -227,9 +299,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/route-by-header/3.8.json b/json_schemas/route-by-header/3.8.json index 2e8bace4..308bac74 100644 --- a/json_schemas/route-by-header/3.8.json +++ b/json_schemas/route-by-header/3.8.json @@ -3,7 +3,9 @@ "config": { "properties": { "rules": { - "default": [], + "default": [ + + ], "description": "Route by header rules.", "items": { "properties": { @@ -25,7 +27,9 @@ "type": "array" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -36,7 +40,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -54,7 +60,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -67,7 +75,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -78,9 +88,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/route-transformer-advanced/3.8.json b/json_schemas/route-transformer-advanced/3.8.json index 759d3aa2..55afb37a 100644 --- a/json_schemas/route-transformer-advanced/3.8.json +++ b/json_schemas/route-transformer-advanced/3.8.json @@ -16,7 +16,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { 
@@ -27,7 +29,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -45,7 +49,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -58,7 +64,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -69,9 +77,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/saml/3.8.json b/json_schemas/saml/3.8.json index 9184223a..d39deb2d 100644 --- a/json_schemas/saml/3.8.json +++ b/json_schemas/saml/3.8.json @@ -11,7 +11,7 @@ "type": "string" }, "idp_certificate": { - "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "idp_sso_url": { @@ -57,7 +57,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, @@ -98,7 +100,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { 
@@ -146,14 +148,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -166,7 +170,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -188,11 +192,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { 
@@ -237,11 +243,11 @@ "type": "string" }, "request_signing_certificate": { - "description": "The certificate for signing requests.", + "description": "The certificate for signing requests.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "request_signing_key": { - "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "response_digest_algorithm": { @@ -254,7 +260,7 @@ "type": "string" }, "response_encryption_key": { - "description": "The private encryption key required to decrypt encrypted assertions.", + "description": "The private encryption key required to decrypt encrypted assertions.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "response_signature_algorithm": { @@ -382,7 +388,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -398,7 +406,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -409,7 +419,7 @@ "type": "number" }, "session_secret": { - "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "maxLength": 32, "minLength": 32, "pattern": "^[0-9a-zA-Z/_+]+$", @@ -437,7 +447,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "session_auth_ttl": { "type": "number" @@ -618,7 +630,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -631,7 +645,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -642,9 +658,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/session/3.8.json b/json_schemas/session/3.8.json index da0eb72a..bd0661fe 100644 --- a/json_schemas/session/3.8.json +++ b/json_schemas/session/3.8.json @@ -64,7 +64,9 @@ "GET", "POST" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -115,7 +117,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -132,7 +136,9 @@ "subject", "timeout" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
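Review bot: The new `session_secret` description in json_schemas/saml/3.8.json (hunk `@@ -409,7 +419,7 @@`) says the field is referenceable, but the unchanged constraints just below it still require exactly 32 characters matching `^[0-9a-zA-Z/_+]+$`. A vault reference string would presumably fail both the length and the pattern check in any tool that validates configuration against this schema, which pushes users back to an inline secret. Either relax the constraints so that references pass, or state the scope in the description, e.g. append `The length and character constraints apply to the resolved secret, not to a vault reference.`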
@@ -144,7 +150,7 @@ }, "secret": { "default": "7iK18YEanf6i9XHvNwzx4RpdmHdRN6nSpPxC1uQxfsse", - "description": "The secret that is used in keyed HMAC generation.", + "description": "The secret that is used in keyed HMAC generation.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "stale_ttl": { @@ -162,7 +168,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cookie_discard": { "type": "number" @@ -210,7 +218,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -223,7 +233,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -234,9 +246,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/standard-webhooks/3.8.json b/json_schemas/standard-webhooks/3.8.json index b2cd7c32..e8fec40d 100644 --- a/json_schemas/standard-webhooks/3.8.json +++ b/json_schemas/standard-webhooks/3.8.json @@ -3,7 +3,7 @@ "config": { "properties": { "secret_v1": { - "description": "Webhook secret", + "description": "Webhook secret\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "tolerance_second": { @@ -13,7 +13,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -24,7 +26,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -42,7 +46,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -55,7 +61,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
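Review bot: The `secret` field in json_schemas/session/3.8.json (hunk `@@ -144,7 +150,7 @@`) is now documented as encrypted and referenceable, yet the schema still publishes a concrete `default` string for this HMAC key. If that value was generated when the schema was exported (it looks that way, but nothing visible here confirms it), rendering it in documentation invites copying a publicly known key into real configurations. If it is a genuine shared default, every deployment that leaves the field unset signs sessions with the same key. Consider dropping the `default` line from the exported schema, or extending the description with `Set this explicitly; do not reuse the default value shown in the schema.`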
@@ -66,9 +74,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/statsd-advanced/3.8.json b/json_schemas/statsd-advanced/3.8.json index b842a66d..be532c92 100644 --- a/json_schemas/statsd-advanced/3.8.json +++ b/json_schemas/statsd-advanced/3.8.json @@ -6,7 +6,9 @@ "description": "List of status code ranges that are allowed to be logged in metrics.", "items": { "pattern": "^[0-9]+-[0-9]+$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -178,7 +180,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service_identifier_default": { @@ -214,7 +218,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -225,7 +231,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -250,7 +258,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -263,7 +273,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -274,9 +286,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/statsd/3.8.json b/json_schemas/statsd/3.8.json index 930ae300..a55fdecc 100644 --- a/json_schemas/statsd/3.8.json +++ b/json_schemas/statsd/3.8.json @@ -6,7 +6,9 @@ "description": "List of status code ranges that are allowed to be logged in metrics.", "items": { "pattern": "^[0-9]+-[0-9]+$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -185,7 +187,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "queue_size": { 
@@ -232,7 +236,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -243,7 +249,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -268,7 +276,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -281,7 +291,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -292,9 +304,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/syslog/3.8.json b/json_schemas/syslog/3.8.json index fbbdbdbe..90bd9094 100644 --- a/json_schemas/syslog/3.8.json +++ b/json_schemas/syslog/3.8.json @@ -91,7 +91,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -102,7 +104,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -127,7 +131,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -140,7 +146,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -151,9 +159,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/tcp-log/3.8.json b/json_schemas/tcp-log/3.8.json index 028dafde..91b64178 100644 --- a/json_schemas/tcp-log/3.8.json +++ b/json_schemas/tcp-log/3.8.json @@ -37,7 +37,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -48,7 +50,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -73,7 +77,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -86,7 +92,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -97,9 +105,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/tls-handshake-modifier/3.8.json b/json_schemas/tls-handshake-modifier/3.8.json index fcfac7cc..358d3225 100644 --- a/json_schemas/tls-handshake-modifier/3.8.json +++ b/json_schemas/tls-handshake-modifier/3.8.json @@ -11,7 +11,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -26,7 +28,9 @@ "https", "tls" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -39,7 +43,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -50,9 +56,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/tls-metadata-headers/3.8.json b/json_schemas/tls-metadata-headers/3.8.json index d878d7ab..3ae3ee64 100644 --- a/json_schemas/tls-metadata-headers/3.8.json +++ b/json_schemas/tls-metadata-headers/3.8.json @@ -33,7 +33,9 @@ "type": "boolean" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -48,7 +50,9 @@ "https", "tls" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -61,7 +65,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -72,9 +78,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/udp-log/3.8.json b/json_schemas/udp-log/3.8.json index adfff403..1c727685 100644 --- a/json_schemas/udp-log/3.8.json +++ b/json_schemas/udp-log/3.8.json 
@@ -23,7 +23,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -34,7 +36,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -59,7 +63,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -72,7 +78,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -83,9 +91,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/upstream-oauth/3.8.json b/json_schemas/upstream-oauth/3.8.json index 4bdb02f3..5e1e609b 100644 --- a/json_schemas/upstream-oauth/3.8.json +++ b/json_schemas/upstream-oauth/3.8.json @@ -37,7 +37,9 @@ "items": { "maximum": 599, "minimum": 100, - "required": [], + "required": [ + + ], "type": "integer" }, "type": "array" @@ -49,7 +51,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "cache": { @@ -74,7 +78,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "redis": { @@ -101,7 +107,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, @@ -142,7 +150,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "port": { 
@@ -186,14 +194,16 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "minLength": 1, "type": "array" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "sentinel_role": { @@ -206,7 +216,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -224,11 +234,13 @@ "type": "boolean" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, - "required": [], + "required": [ + + ], "shorthand_fields": { "cluster_addresses": { "items": { @@ -263,7 +275,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "client": { 
@@ -331,26 +345,32 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "oauth": { "properties": { "audience": { - "default": [], + "default": [ + + ], "description": "List of audiences passed to the IdP when obtaining a new token.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" }, "client_id": { - "description": "The client ID for the application registration in the IdP.", + "description": "The client ID for the application registration in the IdP.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "client_secret": { - "description": "The client secret for the application registration in the IdP.", + "description": "The client secret for the application registration in the IdP.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "grant_type": { @@ -363,7 +383,7 @@ "type": "string" }, "password": { - "description": "The password to use if `config.oauth.grant_type` is set to `password`.", + "description": "The password to use if `config.oauth.grant_type` is set to `password`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "scopes": { @@ -372,7 +392,9 @@ ], "description": "List of scopes to request from the IdP when obtaining a new token.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" 
@@ -392,15 +414,19 @@ "type": "object" }, "username": { - "description": "The username to use if `config.oauth.grant_type` is set to `password`.", + "description": "The username to use if `config.oauth.grant_type` is set to `password`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -411,7 +437,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer_group": { @@ -422,7 +450,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -440,7 +470,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -453,7 +485,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -464,9 +498,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/upstream-timeout/3.8.json b/json_schemas/upstream-timeout/3.8.json index 681120b5..6ba90827 100644 --- a/json_schemas/upstream-timeout/3.8.json +++ b/json_schemas/upstream-timeout/3.8.json @@ -21,7 +21,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -32,7 +34,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -50,7 +54,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -63,7 +69,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { 
@@ -74,9 +82,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/vault-auth/3.8.json b/json_schemas/vault-auth/3.8.json index 3f52bdea..08e8cc3b 100644 --- a/json_schemas/vault-auth/3.8.json +++ b/json_schemas/vault-auth/3.8.json @@ -7,7 +7,9 @@ "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", "items": { "description": "A string representing an HTTP header name.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "string" @@ -31,7 +33,9 @@ "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", "items": { "description": "A string representing an HTTP header name.", - "required": [], + "required": [ + + ], "type": "string" }, "type": "string" @@ -46,7 +50,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -64,7 +70,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -77,7 +85,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -88,9 +98,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file 
diff --git a/json_schemas/websocket-size-limit/3.8.json b/json_schemas/websocket-size-limit/3.8.json index b46f162b..483c3c46 100644 --- a/json_schemas/websocket-size-limit/3.8.json +++ b/json_schemas/websocket-size-limit/3.8.json @@ -13,7 +13,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -24,7 +26,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -38,7 +42,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -51,7 +57,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -62,9 +70,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/websocket-validator/3.8.json b/json_schemas/websocket-validator/3.8.json index 8c23be44..65cf170c 100644 --- a/json_schemas/websocket-validator/3.8.json +++ b/json_schemas/websocket-validator/3.8.json @@ -45,7 +45,9 @@ "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "upstream": { @@ -91,11 +93,15 @@ "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -106,7 +112,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -120,7 +128,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -133,7 +143,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -144,9 +156,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file 
diff --git a/json_schemas/xml-threat-protection/3.8.json b/json_schemas/xml-threat-protection/3.8.json index 0fea5bfa..48a6bd95 100644 --- a/json_schemas/xml-threat-protection/3.8.json +++ b/json_schemas/xml-threat-protection/3.8.json @@ -8,11 +8,15 @@ "type": "boolean" }, "allowed_content_types": { - "default": [], + "default": [ + + ], "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", "items": { "pattern": "^[^\\t\\n\\v\\f\\r ]+\\/[^ ;]+$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -48,7 +52,9 @@ "description": "A list of Content-Type values with payloads that must be validated.", "items": { "pattern": "^[^\\t\\n\\v\\f\\r ]+\\/[^ ;]+$", - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -149,7 +155,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -160,7 +168,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -178,7 +188,9 @@ "http", "https" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -191,7 +203,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -202,9 +216,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file diff --git a/json_schemas/zipkin/3.8.json b/json_schemas/zipkin/3.8.json index 354c7064..0e5554bb 100644 --- a/json_schemas/zipkin/3.8.json +++ b/json_schemas/zipkin/3.8.json 
@@ -88,7 +88,9 @@ "clear": { "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", "items": { - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -119,7 +121,9 @@ "ot", "w3c" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -138,7 +142,9 @@ "preserve", "w3c" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -205,7 +211,9 @@ "type": "number" } }, - "required": [], + "required": [ + + ], "type": "object" }, "read_timeout": { @@ -278,7 +286,9 @@ "type": "integer" } }, - "required": [], + "required": [ + + ], "type": "object" }, "consumer": { @@ -289,7 +299,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "protocols": { @@ -314,7 +326,9 @@ "ws", "wss" ], - "required": [], + "required": [ + + ], "type": "string" }, "type": "array" @@ -327,7 +341,9 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" }, "service": { @@ -338,9 +354,13 @@ "type": "string" } }, - "required": [], + "required": [ + + ], "type": "object" } }, - "required": [] + "required": [ + + ] } \ No newline at end of file From cdb1af8e97c5a349b8f083f1cc4bfcc48cadb25c Mon Sep 17 00:00:00 2001 
From: fabianrbz <715229+fabianrbz@users.noreply.github.com> Date: Tue, 1 Apr 2025 06:31:53 +0000 Subject: [PATCH 153/165] JSON Schemas for 3.7.x --- json_schemas/acme/3.7.json | 14 ++++----- json_schemas/ai-azure-content-safety/3.7.json | 4 +-- json_schemas/ai-proxy/3.7.json | 6 ++-- .../ai-rate-limiting-advanced/3.7.json | 4 +-- json_schemas/ai-request-transformer/3.7.json | 6 ++-- json_schemas/ai-response-transformer/3.7.json | 6 ++-- .../application-registration/3.7.json | 3 +- json_schemas/aws-lambda/3.7.json | 6 ++-- json_schemas/azure-functions/3.7.json | 4 +-- .../graphql-proxy-cache-advanced/3.7.json | 4 +-- .../graphql-rate-limiting-advanced/3.7.json | 4 +-- json_schemas/http-log/3.7.json | 2 +- json_schemas/jwt-signer/3.7.json | 8 ++--- json_schemas/kafka-log/3.7.json | 4 +-- json_schemas/kafka-upstream/3.7.json | 4 +-- .../konnect-application-auth/3.7.json | 30 +++++++++---------- json_schemas/ldap-auth-advanced/3.7.json | 4 +-- json_schemas/loggly/3.7.json | 2 +- json_schemas/oauth2-introspection/3.7.json | 2 +- json_schemas/oauth2/3.7.json | 2 +- json_schemas/openid-connect/3.7.json | 30 +++++++++---------- json_schemas/proxy-cache-advanced/3.7.json | 4 +-- json_schemas/rate-limiting-advanced/3.7.json | 4 +-- json_schemas/rate-limiting/3.7.json | 4 +-- json_schemas/response-ratelimiting/3.7.json | 4 +-- json_schemas/saml/3.7.json | 14 ++++----- json_schemas/session/3.7.json | 2 +- 27 files changed, 91 insertions(+), 90 deletions(-) diff --git a/json_schemas/acme/3.7.json b/json_schemas/acme/3.7.json index b1a9993e..be86ac88 100644 --- a/json_schemas/acme/3.7.json +++ b/json_schemas/acme/3.7.json 
@@ -3,7 +3,7 @@ "config": { "properties": { "account_email": { - "description": "The account identifier. Can be reused in a different plugin instance.", + "description": "The account identifier. Can be reused in a different plugin instance.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "pattern": "[a-zA-Z0-9]*[!-/:-@[-`{-~]*@+[a-zA-Z0-9]*%.?[a-zA-Z0-9]*", "type": "string" }, @@ -64,11 +64,11 @@ "type": "array" }, "eab_hmac_key": { - "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "eab_kid": { - "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "enable_ipv4_common_name": { 
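Review bot: In the first acme hunk, `account_email` is now described as vault-referenceable, but the `pattern` on the unchanged line below it appears to be written in Lua pattern syntax (`%.?`). JSON Schema evaluates `pattern` as an ECMA-262 regular expression, where `%.?` means a literal `%` followed by an optional arbitrary character, so a validator applying this schema would reject an ordinary address such as `user@example.com`. If the file is meant for JSON Schema validators, that fragment should read `\\.?`. It is also worth confirming that a vault reference value is not checked against this pattern. The `config` object continues outside the hunk.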
@@ -140,7 +140,7 @@ "type": "number" }, "token": { - "description": "Consul ACL token.", + "description": "Consul ACL token.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, @@ -190,7 +190,7 @@ "type": "string" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "minLength": 0, "type": "string" }, @@ -223,7 +223,7 @@ "type": "integer" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, @@ -331,7 +331,7 @@ "type": "boolean" }, "token": { - "description": "Consul ACL token.", + "description": "Consul ACL token.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/ai-azure-content-safety/3.7.json b/json_schemas/ai-azure-content-safety/3.7.json index b87a3b14..55445bda 100644 --- a/json_schemas/ai-azure-content-safety/3.7.json +++ b/json_schemas/ai-azure-content-safety/3.7.json 
@@ -55,11 +55,11 @@ "type": "array" }, "content_safety_key": { - "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.", + "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "content_safety_url": { - "description": "Full URL, inc protocol, of the Azure Content Safety instance.", + "description": "Full URL, inc protocol, of the Azure Content Safety instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "halt_on_blocklist_hit": { diff --git a/json_schemas/ai-proxy/3.7.json b/json_schemas/ai-proxy/3.7.json index db84b20e..641ed27c 100644 --- a/json_schemas/ai-proxy/3.7.json +++ b/json_schemas/ai-proxy/3.7.json @@ -9,7 +9,7 @@ "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_tenant_id": { 
@@ -26,7 +26,7 @@ "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_location": { @@ -42,7 +42,7 @@ "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/ai-rate-limiting-advanced/3.7.json b/json_schemas/ai-rate-limiting-advanced/3.7.json index 18c7f716..2911d610 100644 --- a/json_schemas/ai-rate-limiting-advanced/3.7.json +++ b/json_schemas/ai-rate-limiting-advanced/3.7.json @@ -132,7 +132,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { 
@@ -169,7 +169,7 @@ "type": "string" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/ai-request-transformer/3.7.json b/json_schemas/ai-request-transformer/3.7.json index 3a2ada1e..9b5135c4 100644 --- a/json_schemas/ai-request-transformer/3.7.json +++ b/json_schemas/ai-request-transformer/3.7.json @@ -41,7 +41,7 @@ "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_tenant_id": { @@ -58,7 +58,7 @@ "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_location": { 
@@ -74,7 +74,7 @@ "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/ai-response-transformer/3.7.json b/json_schemas/ai-response-transformer/3.7.json index 28ae8692..95ded4f7 100644 --- a/json_schemas/ai-response-transformer/3.7.json +++ b/json_schemas/ai-response-transformer/3.7.json @@ -41,7 +41,7 @@ "type": "string" }, "azure_client_secret": { - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "azure_tenant_id": { @@ -58,7 +58,7 @@ "type": "string" }, "header_value": { - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "param_location": { 
@@ -74,7 +74,7 @@ "type": "string" }, "param_value": { - "description": "Specify the full parameter value for 'param_name'.", + "description": "Specify the full parameter value for 'param_name'.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/application-registration/3.7.json b/json_schemas/application-registration/3.7.json index 42680aeb..84b50628 100644 --- a/json_schemas/application-registration/3.7.json +++ b/json_schemas/application-registration/3.7.json @@ -9,7 +9,8 @@ }, "description": { "description": "Unique description displayed in information about a Service in the Developer Portal.", - "type": "string" + "type": "string", + "unique": true }, "display_name": { "description": "Unique display name used for a Service in the Developer Portal.", diff --git a/json_schemas/aws-lambda/3.7.json b/json_schemas/aws-lambda/3.7.json index add72c32..aa150b58 100644 --- a/json_schemas/aws-lambda/3.7.json +++ b/json_schemas/aws-lambda/3.7.json @@ -3,7 +3,7 @@ "config": { "properties": { "aws_assume_role_arn": { - "description": "The target AWS IAM role ARN used to invoke the Lambda function.", + "description": "The target AWS IAM role ARN used to invoke the Lambda function.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_imds_protocol_version": { @@ -16,7 +16,7 @@ "type": "string" }, "aws_key": { - "description": "The AWS key credential to be used when invoking the function.", + "description": "The AWS key credential to be used when invoking the function.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_region": { 
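Review bot: In the application-registration hunk on this line, the added `"unique": true` is not a JSON Schema keyword, so a standard validator treats it as an unknown annotation and enforces nothing, and a validator running in a strict mode may refuse to compile the schema. If it only mirrors a gateway-side constraint, say so in the property's `description`, or carry it under a clearly non-standard name (for example `"x-unique": true`, a constructed name). The same commit expresses the `encrypted` and `referenceable` attributes only as description prose, so tooling that needs to find secret-bearing fields has to parse free text; one machine-readable convention for all three attributes would be easier to consume. Whether `display_name`, also described as unique, carries the flag is not visible in the hunk.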
@@ -29,7 +29,7 @@ "type": "string" }, "aws_secret": { - "description": "The AWS secret credential to be used when invoking the function. ", + "description": "The AWS secret credential to be used when invoking the function. \nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "aws_sts_endpoint_url": { diff --git a/json_schemas/azure-functions/3.7.json b/json_schemas/azure-functions/3.7.json index 66d15b39..6fc519b4 100644 --- a/json_schemas/azure-functions/3.7.json +++ b/json_schemas/azure-functions/3.7.json @@ -3,7 +3,7 @@ "config": { "properties": { "apikey": { - "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "appname": { @@ -11,7 +11,7 @@ "type": "string" }, "clientid": { - "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.", + "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "functionname": { diff --git a/json_schemas/graphql-proxy-cache-advanced/3.7.json b/json_schemas/graphql-proxy-cache-advanced/3.7.json index f00b2a7d..d065c8f3 100644 --- a/json_schemas/graphql-proxy-cache-advanced/3.7.json +++ b/json_schemas/graphql-proxy-cache-advanced/3.7.json 
@@ -68,7 +68,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -105,7 +105,7 @@ "type": "string" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/graphql-rate-limiting-advanced/3.7.json b/json_schemas/graphql-rate-limiting-advanced/3.7.json index 39ee8d45..b363dd44 100644 --- a/json_schemas/graphql-rate-limiting-advanced/3.7.json +++ b/json_schemas/graphql-rate-limiting-advanced/3.7.json 
@@ -92,7 +92,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -129,7 +129,7 @@ "type": "string" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { diff --git a/json_schemas/http-log/3.7.json b/json_schemas/http-log/3.7.json index f1249e24..a6fa0762 100644 --- a/json_schemas/http-log/3.7.json +++ b/json_schemas/http-log/3.7.json @@ -26,7 +26,7 @@ "type": "object" }, "http_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "keepalive": { diff --git a/json_schemas/jwt-signer/3.7.json b/json_schemas/jwt-signer/3.7.json index d6619d16..c151d0ca 100644 --- a/json_schemas/jwt-signer/3.7.json 
+++ b/json_schemas/jwt-signer/3.7.json @@ -133,7 +133,7 @@ "type": "string" }, "access_token_jwks_uri_client_password": { - "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`", + "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "access_token_jwks_uri_client_username": { @@ -155,7 +155,7 @@ "type": "string" }, "access_token_keyset_client_password": { - "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`", + "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "access_token_keyset_client_username": { 
@@ -407,7 +407,7 @@ "type": "string" }, "channel_token_jwks_uri_client_password": { - "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`", + "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "channel_token_jwks_uri_client_username": { @@ -429,7 +429,7 @@ "type": "string" }, "channel_token_keyset_client_password": { - "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_username`", + "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_username`\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "channel_token_keyset_client_username": { diff --git a/json_schemas/kafka-log/3.7.json b/json_schemas/kafka-log/3.7.json index 3cc3b73a..f71e86fd 100644 --- a/json_schemas/kafka-log/3.7.json +++ b/json_schemas/kafka-log/3.7.json @@ -14,7 +14,7 @@ "type": "string" }, "password": { - "description": "Password for SASL authentication.", + "description": "Password for SASL authentication.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "strategy": { 
@@ -29,7 +29,7 @@ "type": "boolean" }, "user": { - "description": "Username for SASL authentication.", + "description": "Username for SASL authentication.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/kafka-upstream/3.7.json b/json_schemas/kafka-upstream/3.7.json index 4fa1cc92..1c889114 100644 --- a/json_schemas/kafka-upstream/3.7.json +++ b/json_schemas/kafka-upstream/3.7.json @@ -14,7 +14,7 @@ "type": "string" }, "password": { - "description": "Password for SASL authentication.", + "description": "Password for SASL authentication.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "strategy": { @@ -29,7 +29,7 @@ "type": "boolean" }, "user": { - "description": "Username for SASL authentication.", + "description": "Username for SASL authentication.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/konnect-application-auth/3.7.json b/json_schemas/konnect-application-auth/3.7.json index 640075ea..d0bbb8ac 100644 --- a/json_schemas/konnect-application-auth/3.7.json +++ b/json_schemas/konnect-application-auth/3.7.json @@ -376,7 +376,7 @@ "type": "array" }, "client_id": { - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.\nThis field is [encrypted](/gateway/keyring/).", "items": { "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ 
@@ -397,15 +397,15 @@ "type": "string" }, "d": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dp": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "dq": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "e": { @@ -415,7 +415,7 @@ "type": "string" }, "k": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "key_ops": { 
@@ -437,27 +437,27 @@
 "type": "string"
 },
 "oth": {
- "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "p": {
- "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "q": {
- "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "qi": {
- "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "r": {
- "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "t": {
- "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "use": {
@@ -496,7 +496,7 @@
 "type": "array"
 },
 "client_secret": {
- "description": "The client secret.",
+ "description": "The client secret.\nThis field is [encrypted](/gateway/keyring/).",
 "items": {
 "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "required": [
@@ -878,7 +878,7 @@
 "type": "array"
 },
 "introspection_headers_values": {
- "description": "Extra header values passed to the introspection endpoint.",
+ "description": "Extra header values passed to the introspection endpoint.\nThis field is [encrypted](/gateway/keyring/).",
 "items": {
 "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "required": [
@@ -1487,7 +1487,7 @@
 "type": "string"
 },
 "session_redis_password": {
- "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis.",
+ "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "session_redis_port": {
@@ -1595,7 +1595,7 @@
 "type": "number"
 },
 "session_secret": {
- "description": "The session secret.",
+ "description": "The session secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "session_storage": {
diff --git a/json_schemas/ldap-auth-advanced/3.7.json b/json_schemas/ldap-auth-advanced/3.7.json
index d84a3b6c..a251cda7 100644
--- a/json_schemas/ldap-auth-advanced/3.7.json
+++ b/json_schemas/ldap-auth-advanced/3.7.json
@@ -17,7 +17,7 @@
 "type": "string"
 },
 "bind_dn": {
- "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.",
+ "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "cache_ttl": {
@@ -91,7 +91,7 @@
 "type": "string"
 },
 "ldap_password": {
- "description": "The password to the LDAP server.",
+ "description": "The password to the LDAP server.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "ldap_port": {
diff --git a/json_schemas/loggly/3.7.json b/json_schemas/loggly/3.7.json
index 7a26a98b..81d46c2c 100644
--- a/json_schemas/loggly/3.7.json
+++ b/json_schemas/loggly/3.7.json
@@ -27,7 +27,7 @@
 "type": "string"
 },
 "key": {
- "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "log_level": {
diff --git a/json_schemas/oauth2-introspection/3.7.json b/json_schemas/oauth2-introspection/3.7.json
index 64bc7359..63faff49 100644
--- a/json_schemas/oauth2-introspection/3.7.json
+++ b/json_schemas/oauth2-introspection/3.7.json
@@ -9,7 +9,7 @@
 "type": "string"
 },
 "authorization_value": {
- "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).",
+ "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "consumer_by": {
diff --git a/json_schemas/oauth2/3.7.json b/json_schemas/oauth2/3.7.json
index 34faf0bb..1b96075e 100644
--- a/json_schemas/oauth2/3.7.json
+++ b/json_schemas/oauth2/3.7.json
@@ -66,7 +66,7 @@
 "type": "string"
 },
 "provision_key": {
- "description": "The unique key the plugin has generated when it has been added to the Service.",
+ "description": "The unique key the plugin has generated when it has been added to the Service.\nThis field is [encrypted](/gateway/keyring/).",
 "type": "string"
 },
 "refresh_token_ttl": {
diff --git a/json_schemas/openid-connect/3.7.json b/json_schemas/openid-connect/3.7.json
index 18ca4453..2708c871 100644
--- a/json_schemas/openid-connect/3.7.json
+++ b/json_schemas/openid-connect/3.7.json
@@ -299,7 +299,7 @@
 "type": "array"
 },
 "client_id": {
- "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.",
+ "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.\nThis field is [encrypted](/gateway/keyring/).",
 "items": {
 "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "required": [
@@ -320,15 +320,15 @@
 "type": "string"
 },
 "d": {
- "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "dp": {
- "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "dq": {
- "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "e": {
@@ -338,7 +338,7 @@
 "type": "string"
 },
 "k": {
- "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "key_ops": {
@@ -360,27 +360,27 @@
 "type": "string"
 },
 "oth": {
- "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "p": {
- "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "q": {
- "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "qi": {
- "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "r": {
- "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "t": {
- "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "use": {
@@ -419,7 +419,7 @@
 "type": "array"
 },
 "client_secret": {
- "description": "The client secret.",
+ "description": "The client secret.\nThis field is [encrypted](/gateway/keyring/).",
 "items": {
 "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "required": [
@@ -801,7 +801,7 @@
 "type": "array"
 },
 "introspection_headers_values": {
- "description": "Extra header values passed to the introspection endpoint.",
+ "description": "Extra header values passed to the introspection endpoint.\nThis field is [encrypted](/gateway/keyring/).",
 "items": {
 "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "required": [
@@ -1410,7 +1410,7 @@
 "type": "string"
 },
 "session_redis_password": {
- "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis.",
+ "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "session_redis_port": {
@@ -1518,7 +1518,7 @@
 "type": "number"
 },
 "session_secret": {
- "description": "The session secret.",
+ "description": "The session secret.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "session_storage": {
diff --git a/json_schemas/proxy-cache-advanced/3.7.json b/json_schemas/proxy-cache-advanced/3.7.json
index c7c15c2d..2cb128ac 100644
--- a/json_schemas/proxy-cache-advanced/3.7.json
+++ b/json_schemas/proxy-cache-advanced/3.7.json
@@ -92,7 +92,7 @@
 "type": "integer"
 },
 "password": {
- "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "port": {
@@ -129,7 +129,7 @@
 "type": "string"
 },
 "sentinel_password": {
- "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "sentinel_role": {
diff --git a/json_schemas/rate-limiting-advanced/3.7.json b/json_schemas/rate-limiting-advanced/3.7.json
index 388bd475..44a285db 100644
--- a/json_schemas/rate-limiting-advanced/3.7.json
+++ b/json_schemas/rate-limiting-advanced/3.7.json
@@ -121,7 +121,7 @@
 "type": "integer"
 },
 "password": {
- "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "port": {
@@ -158,7 +158,7 @@
 "type": "string"
 },
 "sentinel_password": {
- "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "sentinel_role": {
diff --git a/json_schemas/rate-limiting/3.7.json b/json_schemas/rate-limiting/3.7.json
index 7335a799..7d4c8e91 100644
--- a/json_schemas/rate-limiting/3.7.json
+++ b/json_schemas/rate-limiting/3.7.json
@@ -89,7 +89,7 @@
 "type": "string"
 },
 "password": {
- "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.",
+ "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "minLength": 0,
 "type": "string"
 },
@@ -122,7 +122,7 @@
 "type": "integer"
 },
 "username": {
- "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.",
+ "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 }
 },
diff --git a/json_schemas/response-ratelimiting/3.7.json b/json_schemas/response-ratelimiting/3.7.json
index 8fe18405..226d6ec6 100644
--- a/json_schemas/response-ratelimiting/3.7.json
+++ b/json_schemas/response-ratelimiting/3.7.json
@@ -61,7 +61,7 @@
 "type": "string"
 },
 "password": {
- "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.",
+ "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "minLength": 0,
 "type": "string"
 },
@@ -94,7 +94,7 @@
 "type": "integer"
 },
 "username": {
- "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.",
+ "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 }
 },
diff --git a/json_schemas/saml/3.7.json b/json_schemas/saml/3.7.json
index 1a9c27ca..01f9e2d4 100644
--- a/json_schemas/saml/3.7.json
+++ b/json_schemas/saml/3.7.json
@@ -11,7 +11,7 @@
 "type": "string"
 },
 "idp_certificate": {
- "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.",
+ "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "idp_sso_url": {
@@ -53,11 +53,11 @@
 "type": "string"
 },
 "request_signing_certificate": {
- "description": "The certificate for signing requests.",
+ "description": "The certificate for signing requests.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "request_signing_key": {
- "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.",
+ "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "response_digest_algorithm": {
@@ -70,7 +70,7 @@
 "type": "string"
 },
 "response_encryption_key": {
- "description": "The private encryption key required to decrypt encrypted assertions.",
+ "description": "The private encryption key required to decrypt encrypted assertions.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "response_signature_algorithm": {
@@ -205,7 +205,7 @@
 "type": "string"
 },
 "session_redis_password": {
- "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. This value is pulled from",
+ "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. This value is pulled from\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "session_redis_port": {
@@ -246,7 +246,7 @@
 "type": "boolean"
 },
 "session_redis_username": {
- "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.",
+ "description": "Redis username if the `redis` session storage is defined and ACL authentication is desired.If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "session_remember": {
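Review bot: The new `session_redis_password` description in the `@@ -205,7 +205,7 @@` hunk of `json_schemas/saml/3.7.json` still carries the unfinished sentence `This value is pulled from`, and the two appended sentences now follow it after a line break, so the rendered text can be read as "pulled from" the keyring or vault note. The fragment is already on the removed line, so it originates in the upstream schema rather than in this commit, but someone configuring a Redis credential should not have to guess where the value comes from. I would finish or drop the fragment where the schema is generated, so that the first part ends at `no auth commands are sent to Redis.` before the encrypted/referenceable sentences.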
@@ -311,7 +311,7 @@
 "type": "number"
 },
 "session_secret": {
- "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.",
+ "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "maxLength": 32,
 "minLength": 32,
 "pattern": "^[0-9a-zA-Z/_+]+$",
diff --git a/json_schemas/session/3.7.json b/json_schemas/session/3.7.json
index 424479e9..4c57adf0 100644
--- a/json_schemas/session/3.7.json
+++ b/json_schemas/session/3.7.json
@@ -150,7 +150,7 @@
 },
 "secret": {
 "default": "4Xkz87KN9Mdq3BsyMOndCz3cjxVWxf4ndnK6tPTGKhYd",
- "description": "The secret that is used in keyed HMAC generation.",
+ "description": "The secret that is used in keyed HMAC generation.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "stale_ttl": {
From b7549d95147b9b39b8bc4479b76ee81d42d960e7 Mon Sep 17 00:00:00 2001
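Review bot: In the `@@ -150,7 +150,7 @@` hunk of `json_schemas/session/3.7.json`, the description of `secret` now says the field is encrypted and referenceable, while the unchanged `default` line directly above it publishes a fixed literal for the HMAC key. If that literal was captured from one gateway instance when the schema was exported (the hunk does not show where it comes from), readers may copy it or assume the field is safe to leave unset, and a key that appears in public documentation gives session data no integrity protection. I would extend the description with a sentence such as `Set your own random value or a vault reference; do not reuse the default shown here.` and consider omitting `default` for this field when the schema is exported.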
From: fabianrbz <715229+fabianrbz@users.noreply.github.com>
Date: Tue, 1 Apr 2025 06:32:53 +0000
Subject: [PATCH 154/165] JSON Schemas for 3.4.x
---
 json_schemas/acme/3.4.json | 6 ++--
 .../application-registration/3.4.json | 3 +-
 json_schemas/aws-lambda/3.4.json | 6 ++--
 json_schemas/azure-functions/3.4.json | 4 +--
 json_schemas/datadog/3.4.json | 2 +-
 .../graphql-rate-limiting-advanced/3.4.json | 8 ++---
 json_schemas/http-log/3.4.json | 2 +-
 json_schemas/kafka-log/3.4.json | 4 +--
 json_schemas/kafka-upstream/3.4.json | 4 +--
 json_schemas/ldap-auth-advanced/3.4.json | 2 +-
 json_schemas/loggly/3.4.json | 2 +-
 json_schemas/oauth2-introspection/3.4.json | 2 +-
 json_schemas/oauth2/3.4.json | 2 +-
 json_schemas/openid-connect/3.4.json | 30 +++++++++----------
 json_schemas/proxy-cache-advanced/3.4.json | 8 ++---
 json_schemas/rate-limiting-advanced/3.4.json | 8 ++---
 json_schemas/rate-limiting/3.4.json | 4 +--
 json_schemas/response-ratelimiting/3.4.json | 4 +--
 json_schemas/saml/3.4.json | 12 ++++----
 json_schemas/session/3.4.json | 2 +-
 20 files changed, 58 insertions(+), 57 deletions(-)
diff --git a/json_schemas/acme/3.4.json b/json_schemas/acme/3.4.json
index 86754cc8..894a55ed 100644
--- a/json_schemas/acme/3.4.json
+++ b/json_schemas/acme/3.4.json
@@ -3,7 +3,7 @@
 "config": {
 "properties": {
 "account_email": {
- "description": "The account identifier. Can be reused in a different plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "The account identifier. Can be reused in a different plugin instance.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).",
 "pattern": "[a-zA-Z0-9]*[!-/:-@[-`{-~]*@+[a-zA-Z0-9]*%.?[a-zA-Z0-9]*",
 "type": "string"
 },
@@ -64,11 +64,11 @@
 "type": "array"
 },
 "eab_hmac_key": {
- "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).",
 "type": "string"
 },
 "eab_kid": {
- "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
+ "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).",
 "type": "string"
 },
 "enable_ipv4_common_name": {
diff --git a/json_schemas/application-registration/3.4.json b/json_schemas/application-registration/3.4.json
index 1f224562..10fe65ee 100644
--- a/json_schemas/application-registration/3.4.json
+++ b/json_schemas/application-registration/3.4.json
@@ -9,7 +9,8 @@
 },
 "description": {
 "description": "Unique description displayed in information about a Service in the Developer Portal.",
- "type": "string"
+ "type": "string",
+ "unique": true
 },
 "display_name": {
 "description": "Unique display name used for a Service in the Developer Portal.",
diff --git a/json_schemas/aws-lambda/3.4.json b/json_schemas/aws-lambda/3.4.json
index 482d99c0..e58acc3c 100644
--- a/json_schemas/aws-lambda/3.4.json
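Review bot: `"unique": true`, added to the `description` property in the `@@ -9,7 +9,8 @@` hunk of `json_schemas/application-registration/3.4.json`, is not a JSON Schema keyword, so a validator consuming this file will ignore it (or reject the schema in a strict mode) and the uniqueness the description text promises is not checked by this document. It looks like a field attribute carried over from the gateway's own schema format; that is an inference, since the export code is not visible here. `display_name` on the following context lines is also described as unique, but its body continues outside the hunk, so I cannot tell whether it gets the same marker. Either strip the attribute during export or say in the description that uniqueness is enforced by the gateway and not by schema validation.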
+++ b/json_schemas/aws-lambda/3.4.json
@@ -3,7 +3,7 @@
 "config": {
 "properties": {
 "aws_assume_role_arn": {
- "description": "The target AWS IAM role ARN used to invoke the Lambda function.",
+ "description": "The target AWS IAM role ARN used to invoke the Lambda function.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "aws_imds_protocol_version": {
@@ -16,7 +16,7 @@
 "type": "string"
 },
 "aws_key": {
- "description": "The AWS key credential to be used when invoking the function.",
+ "description": "The AWS key credential to be used when invoking the function.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "aws_region": {
@@ -29,7 +29,7 @@
 "type": "string"
 },
 "aws_secret": {
- "description": "The AWS secret credential to be used when invoking the function. ",
+ "description": "The AWS secret credential to be used when invoking the function. \nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "aws_sts_endpoint_url": {
diff --git a/json_schemas/azure-functions/3.4.json b/json_schemas/azure-functions/3.4.json
index 66d15b39..121e5a57 100644
--- a/json_schemas/azure-functions/3.4.json
+++ b/json_schemas/azure-functions/3.4.json
@@ -3,7 +3,7 @@
 "config": {
 "properties": {
 "apikey": {
- "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.",
+ "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).",
 "type": "string"
 },
 "appname": {
@@ -11,7 +11,7 @@
 "type": "string"
 },
 "clientid": {
- "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.",
+ "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).",
 "type": "string"
 },
 "functionname": {
diff --git a/json_schemas/datadog/3.4.json b/json_schemas/datadog/3.4.json
index 672b523a..7ce5f0f9 100644
--- a/json_schemas/datadog/3.4.json
+++ b/json_schemas/datadog/3.4.json
@@ -13,7 +13,7 @@
 },
 "host": {
 "default": "localhost",
- "description": "A string representing a host name, such as example.com.",
+ "description": "A string representing a host name, such as example.com.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "metrics": {
diff --git a/json_schemas/graphql-rate-limiting-advanced/3.4.json b/json_schemas/graphql-rate-limiting-advanced/3.4.json
index a7346df7..40483b87 100644
--- a/json_schemas/graphql-rate-limiting-advanced/3.4.json
+++ b/json_schemas/graphql-rate-limiting-advanced/3.4.json
@@ -92,7 +92,7 @@
 "type": "integer"
 },
 "password": {
- "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.",
+ "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "port": {
@@ -129,7 +129,7 @@
 "type": "string"
 },
 "sentinel_password": {
- "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.",
+ "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "sentinel_role": {
@@ -142,7 +142,7 @@
 "type": "string"
 },
 "sentinel_username": {
- "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.",
+ "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 },
 "server_name": {
@@ -167,7 +167,7 @@
 "type": "integer"
 },
 "username": {
- "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.",
+ "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).",
 "type": "string"
 }
 },
diff --git a/json_schemas/http-log/3.4.json b/json_schemas/http-log/3.4.json
index f1249e24..a6fa0762 100644
--- a/json_schemas/http-log/3.4.json
+++ b/json_schemas/http-log/3.4.json
@@ -26,7 +26,7 @@ "type": "object" }, "http_endpoint": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "keepalive": { diff --git a/json_schemas/kafka-log/3.4.json b/json_schemas/kafka-log/3.4.json index 5f48ce50..f71e86fd 100644 --- a/json_schemas/kafka-log/3.4.json +++ b/json_schemas/kafka-log/3.4.json @@ -14,7 +14,7 @@ "type": "string" }, "password": { - "description": "Password for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password for SASL authentication.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "strategy": { @@ -29,7 +29,7 @@ "type": "boolean" }, "user": { - "description": "Username for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Username for SASL authentication.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/kafka-upstream/3.4.json b/json_schemas/kafka-upstream/3.4.json index 4fa1cc92..15f794bd 100644 --- a/json_schemas/kafka-upstream/3.4.json +++ b/json_schemas/kafka-upstream/3.4.json 
@@ -14,7 +14,7 @@ "type": "string" }, "password": { - "description": "Password for SASL authentication.", + "description": "Password for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "strategy": { @@ -29,7 +29,7 @@ "type": "boolean" }, "user": { - "description": "Username for SASL authentication.", + "description": "Username for SASL authentication.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" } }, diff --git a/json_schemas/ldap-auth-advanced/3.4.json b/json_schemas/ldap-auth-advanced/3.4.json index 8b7ec70a..a5e96ce4 100644 --- a/json_schemas/ldap-auth-advanced/3.4.json +++ b/json_schemas/ldap-auth-advanced/3.4.json @@ -91,7 +91,7 @@ "type": "string" }, "ldap_password": { - "description": "The password to the LDAP server.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The password to the LDAP server.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "ldap_port": { diff --git a/json_schemas/loggly/3.4.json b/json_schemas/loggly/3.4.json index 7a26a98b..81d46c2c 100644 --- a/json_schemas/loggly/3.4.json +++ b/json_schemas/loggly/3.4.json @@ -27,7 +27,7 @@ "type": "string" }, "key": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "log_level": { 
diff --git a/json_schemas/oauth2-introspection/3.4.json b/json_schemas/oauth2-introspection/3.4.json index 482e4d6e..49ec6cde 100644 --- a/json_schemas/oauth2-introspection/3.4.json +++ b/json_schemas/oauth2-introspection/3.4.json @@ -9,7 +9,7 @@ "type": "string" }, "authorization_value": { - "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "consumer_by": { diff --git a/json_schemas/oauth2/3.4.json b/json_schemas/oauth2/3.4.json index 34faf0bb..1b96075e 100644 --- a/json_schemas/oauth2/3.4.json +++ b/json_schemas/oauth2/3.4.json @@ -66,7 +66,7 @@ "type": "string" }, "provision_key": { - "description": "The unique key the plugin has generated when it has been added to the Service.", + "description": "The unique key the plugin has generated when it has been added to the Service.\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "refresh_token_ttl": { diff --git a/json_schemas/openid-connect/3.4.json b/json_schemas/openid-connect/3.4.json index 1b820c4c..b1c79e16 100644 --- a/json_schemas/openid-connect/3.4.json +++ b/json_schemas/openid-connect/3.4.json 
@@ -296,7 +296,7 @@ "type": "array" }, "client_id": { - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.\nThis field is [encrypted](/gateway/keyring/).", "items": { "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ @@ -316,15 +316,15 @@ "type": "string" }, "d": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "dp": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "dq": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "e": { @@ -334,7 +334,7 @@ "type": "string" }, "k": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "key_ops": { 
@@ -356,27 +356,27 @@ "type": "string" }, "oth": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "p": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "q": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "qi": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "r": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "t": { - "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "use": { 
@@ -415,7 +415,7 @@ "type": "array" }, "client_secret": { - "description": "The client secret.", + "description": "The client secret.\nThis field is [encrypted](/gateway/keyring/).", "items": { "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ @@ -783,7 +783,7 @@ "type": "array" }, "introspection_headers_values": { - "description": "Extra header values passed to the introspection endpoint.", + "description": "Extra header values passed to the introspection endpoint.\nThis field is [encrypted](/gateway/keyring/).", "items": { "description": "This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "required": [ @@ -1310,7 +1310,7 @@ "type": "string" }, "session_redis_password": { - "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "session_redis_port": { @@ -1416,7 +1416,7 @@ "type": "number" }, "session_secret": { - "description": "The session secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The session secret.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "session_storage": { diff --git a/json_schemas/proxy-cache-advanced/3.4.json b/json_schemas/proxy-cache-advanced/3.4.json index 87bf59fd..5e1378bf 100644 
--- a/json_schemas/proxy-cache-advanced/3.4.json +++ b/json_schemas/proxy-cache-advanced/3.4.json @@ -92,7 +92,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "port": { @@ -129,7 +129,7 @@ "type": "string" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [encrypted](/gateway/keyring/).\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "sentinel_role": { @@ -142,7 +142,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { 
@@ -167,7 +167,7 @@ "type": "integer" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/rate-limiting-advanced/3.4.json b/json_schemas/rate-limiting-advanced/3.4.json index a9e577bf..60d17578 100644 --- a/json_schemas/rate-limiting-advanced/3.4.json +++ b/json_schemas/rate-limiting-advanced/3.4.json @@ -120,7 +120,7 @@ "type": "integer" }, "password": { - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "port": { @@ -157,7 +157,7 @@ "type": "string" }, "sentinel_password": { - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "sentinel_role": { 
@@ -170,7 +170,7 @@ "type": "string" }, "sentinel_username": { - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "server_name": { @@ -195,7 +195,7 @@ "type": "integer" }, "username": { - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. The username **cannot** be set to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/rate-limiting/3.4.json b/json_schemas/rate-limiting/3.4.json index 3599a7b2..d24e236b 100644 --- a/json_schemas/rate-limiting/3.4.json +++ b/json_schemas/rate-limiting/3.4.json @@ -85,7 +85,7 @@ "type": "string" }, "redis_password": { - "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", + "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "minLength": 0, "type": "string" }, 
@@ -116,7 +116,7 @@ "type": "number" }, "redis_username": { - "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.", + "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" }, "second": { diff --git a/json_schemas/response-ratelimiting/3.4.json b/json_schemas/response-ratelimiting/3.4.json index 15f7febd..51c77052 100644 --- a/json_schemas/response-ratelimiting/3.4.json +++ b/json_schemas/response-ratelimiting/3.4.json @@ -58,7 +58,7 @@ "type": "string" }, "redis_password": { - "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.", + "description": "When using the `redis` policy, this property specifies the password to connect to the Redis server.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "minLength": 0, "type": "string" }, @@ -89,7 +89,7 @@ "type": "number" }, "redis_username": { - "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.\nThis requires Redis v6.0.0+. The username **cannot** be set to `default`.", + "description": "When using the `redis` policy, this property specifies the username to connect to the Redis server when ACL authentication is desired.\nThis requires Redis v6.0.0+. The username **cannot** be set to `default`.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", "type": "string" } }, diff --git a/json_schemas/saml/3.4.json b/json_schemas/saml/3.4.json index 62644a5d..54af1bd1 100644 --- a/json_schemas/saml/3.4.json +++ b/json_schemas/saml/3.4.json 
@@ -11,7 +11,7 @@ "type": "string" }, "idp_certificate": { - "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "idp_sso_url": { 
@@ -53,11 +53,11 @@ "type": "string" }, "request_signing_certificate": { - "description": "The certificate for signing requests.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The certificate for signing requests.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "request_signing_key": { - "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "response_digest_algorithm": { @@ -70,7 +70,7 @@ "type": "string" }, "response_encryption_key": { - "description": "The private encryption key required to decrypt encrypted assertions.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The private encryption key required to decrypt encrypted assertions.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "response_signature_algorithm": { 
@@ -205,7 +205,7 @@ "type": "string" }, "session_redis_password": { - "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. This value is pulled from\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "Password to use for Redis connection when the `redis` session storage is defined. If undefined, no auth commands are sent to Redis. This value is pulled from\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "session_redis_port": { @@ -311,7 +311,7 @@ "type": "number" }, "session_secret": { - "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).", + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "maxLength": 32, "minLength": 32, "pattern": "^[0-9a-zA-Z/_+]+$", diff --git a/json_schemas/session/3.4.json b/json_schemas/session/3.4.json index e563b52e..1e7b3ccd 100644 --- a/json_schemas/session/3.4.json +++ b/json_schemas/session/3.4.json 
@@ -146,7 +146,7 @@ }, "secret": { "default": "jUVc08J7Ji4ZDXVsLUZRvfCyF1cfFrVZ4rnoj9KTVyAi", - "description": "The secret that is used in keyed HMAC generation.", + "description": "The secret that is used in keyed HMAC generation.\nThis field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).\nThis field is [encrypted](/gateway/keyring/).", "type": "string" }, "stale_ttl": { From bfcd277d893932cead368825430e7df215540b93 Mon Sep 17 00:00:00 2001 From: Michael Heap Date: Thu, 24 Apr 2025 11:09:30 +0100 Subject: [PATCH 155/165] Make encrypted referenceable optional (#122) * Add --skip-custom-annotations flag * Fix regex replacement --- Makefile | 2 ++ lib/convert_json_schema.rb | 39 +++++++++++++++++++++++--------------- 2 files changed, 26 insertions(+), 15 deletions(-) create mode 100644 Makefile diff --git a/Makefile b/Makefile new file mode 100644 index 00000000..4bf1b310 --- /dev/null +++ b/Makefile @@ -0,0 +1,2 @@ +admin-spec: + ./plugins convert_json_schema --plugins $$(ls schemas/) --version 3.10.x --skip-custom-annotations; cp -r json_schemas/* ../kong-admin-spec-generator/data/plugins \ No newline at end of file diff --git a/lib/convert_json_schema.rb b/lib/convert_json_schema.rb index 562328b5..d28a17db 100644 --- a/lib/convert_json_schema.rb +++ b/lib/convert_json_schema.rb @@ -38,6 +38,7 @@ def run! # Fix any broken defaults json_schema = fix_broken_defaults(json_schema) + json_schema = fix_regex(json_schema) # Write the schema to the destination FileUtils.mkdir_p("#{@options[:destination]}/#{plugin_name}") 
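Review bot: The `admin-spec` recipe joins its two commands with `;`, so the `cp -r` still runs when `convert_json_schema` fails and copies whatever stale or partial files sit in `json_schemas/` into the admin-spec generator's data directory. Chain them with `&&`, or put `cp -r json_schemas/* ../kong-admin-spec-generator/data/plugins` on its own recipe line so make stops at the first failure. `admin-spec` does not name a file it produces, so it should also be declared with `.PHONY: admin-spec`.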
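Review bot: The new `json_schema = fix_regex(json_schema)` call in `run!` overlaps with the per-property `fix_regex` call that the `fix_broken_defaults` hunk of this same file keeps, so patterns may be rewritten twice. The visible `gsub('%/', '\\/')` is harmless on a second pass, but the rest of `fix_regex` is outside these hunks, so its other substitutions should be checked for idempotence. If `fix_regex` already walks `properties` and `items` itself, the loop in `fix_broken_defaults` can be reduced to `schema['properties'][k] = fix_broken_defaults(v)`. `run!` starts and ends outside the hunk.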
@@ -85,21 +86,24 @@ def convert_to_json_schema(props) fields['format'] = 'uuid' end - if k == 'encrypted' - note = 'This field is [encrypted](/gateway/keyring/).' - if fields.key?('description') - fields['description'] << "\n#{note}" - else - fields['description'] = note + + if !@options[:skip_custom_annotations] + if k == 'encrypted' + note = 'This field is [encrypted](/gateway/keyring/).' + if fields.key?('description') + fields['description'] << "\n#{note}" + else + fields['description'] = note + end end - end - if k == 'referenceable' - note = 'This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).' - if fields.key?('description') - fields['description'] << "\n#{note}" - else - fields['description'] = note + if k == 'referenceable' + note = 'This field is [referenceable](/gateway/entities/vault/#how-do-i-reference-secrets-stored-in-a-vault).' + if fields.key?('description') + fields['description'] << "\n#{note}" + else + fields['description'] = note + end end end @@ -182,7 +186,7 @@ def convert_required_list(schema) end end - + schema end @@ -232,6 +236,7 @@ def fix_regex(schema) # Escape forward slashes schema['pattern'] = schema['pattern'].gsub('%/', '\\/') end + if schema['items'] schema['items'] = fix_regex(schema['items']) end @@ -251,10 +256,14 @@ def fix_broken_defaults(schema) if schema['properties'] schema['properties'].each do |k, v| schema['properties'][k] = fix_broken_defaults(v) - schema['properties'][k] = fix_regex(v) + schema['properties'][k] = fix_regex(schema['properties'][k]) end end + if schema['items'] + schema['items'] = fix_broken_defaults(schema['items']) + end + return schema end From 5162d4c8f7579a9c3f5befc38553170e8186c464 Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Thu, 24 Apr 2025 12:42:18 +0200 Subject: [PATCH 156/165] repository dispatch to developer site --- .github/workflows/sync-docs.yml | 6 ++++++ 1 file changed, 6 insertions(+) 
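Review bot: The `k == 'encrypted'` branch only appends a note to the description, so a field marked encrypted keeps its `default` in the generated schema; `json_schemas/session/3.4.json` in this series shows a concrete default string for `secret` right next to the new encrypted note. If that value is whatever the gateway produced when the schema was dumped rather than a real fixed default (not verifiable from this page), publishing it invites copy-paste of a known secret. Consider dropping the key for encrypted fields, e.g. `fields.delete('default')` once all keys of the field have been visited, since `default` may be processed after `encrypted`. Separately, `if !@options[:skip_custom_annotations]` reads better as `unless @options[:skip_custom_annotations]`. convert_to_json_schema starts and ends outside the hunk.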
diff --git a/.github/workflows/sync-docs.yml b/.github/workflows/sync-docs.yml index 20c963d5..9adf5925 100644 --- a/.github/workflows/sync-docs.yml +++ b/.github/workflows/sync-docs.yml @@ -15,3 +15,9 @@ jobs: token: ${{ secrets.PAT }} repository: Kong/docs.konghq.com event-type: PLUGINS_UPDATED + - name: Repository Dispatch + uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3 + with: + token: ${{ secrets.PAT }} + repository: Kong/developer.konghq.com + event-type: PLUGINS_UPDATED From 4f0bffcde34df702e3fa8c9cfdc383da575cd3e3 Mon Sep 17 00:00:00 2001 From: tomek-labuk Date: Mon, 5 May 2025 19:33:29 +0200 Subject: [PATCH 157/165] Update samples for ai rate limiting (#123) --- examples/ai-rate-limiting-advanced/_3.10.x.yaml | 8 ++++---- examples/ai-rate-limiting-advanced/_3.11.x.yaml | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/examples/ai-rate-limiting-advanced/_3.10.x.yaml b/examples/ai-rate-limiting-advanced/_3.10.x.yaml index 9831356c..c5fb1a98 100644 --- a/examples/ai-rate-limiting-advanced/_3.10.x.yaml +++ b/examples/ai-rate-limiting-advanced/_3.10.x.yaml @@ -2,8 +2,8 @@ name: ai-rate-limiting-advanced config: llm_providers: - name: openai - limit: 1000 - window_size: 3600 + limit: [100, 1000] + window_size: [60, 3600] - name: mistral - limit: 100 - window_size: 60 + limit: [1, 100] + window_size: [1, 60] diff --git a/examples/ai-rate-limiting-advanced/_3.11.x.yaml b/examples/ai-rate-limiting-advanced/_3.11.x.yaml index 9831356c..c5fb1a98 100644 --- a/examples/ai-rate-limiting-advanced/_3.11.x.yaml +++ b/examples/ai-rate-limiting-advanced/_3.11.x.yaml @@ -2,8 +2,8 @@ name: ai-rate-limiting-advanced config: llm_providers: - name: openai - limit: 1000 - window_size: 3600 + limit: [100, 1000] + window_size: [60, 3600] - name: mistral - limit: 100 - window_size: 60 + limit: [1, 100] + window_size: [1, 60] From a0c95e9da1217ea9432876812d030b2bfc7f68ae Mon Sep 17 00:00:00 2001 
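Review bot: The added step hands the same `secrets.PAT` to a second target, so that one token now has to be able to trigger workflows in both `Kong/docs.konghq.com` and `Kong/developer.konghq.com`. If it is a classic personal access token, its scope is likely broader than these two dispatches need; a fine-grained token limited to the two repositories, or a GitHub App installation token, would narrow what a leak of this secret exposes. Giving the step a distinct name such as `Repository Dispatch (developer.konghq.com)` would also make the run log unambiguous. The job definition starts outside the hunk, so the earlier step's name is not visible here.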
From: Michael Heap Date: Thu, 15 May 2025 13:11:29 +0100 Subject: [PATCH 158/165] Only remove required from objects with no required children when generating JSON schema (#124) --- lib/convert_json_schema.rb | 2 ++ plugins | 1 + 2 files changed, 3 insertions(+) diff --git a/lib/convert_json_schema.rb b/lib/convert_json_schema.rb index d28a17db..84b9f195 100644 --- a/lib/convert_json_schema.rb +++ b/lib/convert_json_schema.rb @@ -195,6 +195,8 @@ def remove_object_required_optional_children(schema) if schema['required'] && schema['properties'] unused = [] schema['required'].each do |k| + next unless schema['properties'][k]['type'] == 'object' + schema['properties'][k] = remove_object_required_optional_children(schema['properties'][k]) if !schema['properties'][k]['required'] || schema['properties'][k]['required'].size == 0 unused.push(k) diff --git a/plugins b/plugins index 3259f471..7687b9c8 100755 --- a/plugins +++ b/plugins @@ -119,6 +119,7 @@ class Plugins < Thor option :plugins, aliases: '-p', type: :array, required: true, desc: 'List containing the name of the plugins' option :source, aliases: '-s', type: :string, default: './schemas', desc: 'Source folder containing the schemas' option :destination, aliases: '--dest', type: :string, default: './json_schemas', desc: 'Destination folder where the schemas will be written' + option :skip_custom_annotations, aliases: '--skip-custom-annotations', type: :boolean, default: false, desc: 'Skip custom annotations' def convert_json_schema puts 'Converting plugins to JSON schema...' From 900e2d508e6caadbc1a21cd4254260f38de5a694 Mon Sep 17 00:00:00 2001 
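Review bot: The new guard `next unless schema['properties'][k]['type'] == 'object'` indexes into `schema['properties'][k]` without checking that it exists, so a name listed in `required` but missing from `properties` raises NoMethodError on nil. `next unless schema.dig('properties', k, 'type') == 'object'` skips such entries instead. A short comment above the guard, e.g. `# only object-typed children can have their own required list pruned`, would record why scalars are skipped. remove_object_required_optional_children starts and ends outside the hunk.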
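Review bot: The `desc: 'Skip custom annotations'` text does not say what the annotations are, which matters because the flag changes the content of every generated description. Something like `desc: 'Do not append the encrypted/referenceable notes to field descriptions'` matches what `convert_json_schema.rb` does with the option. The enclosing `Plugins` class starts outside the hunk.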
From: Michael Heap Date: Thu, 15 May 2025 13:30:49 +0100 Subject: [PATCH 159/165] Regenerate all plugin schemas (#125) * Regenerate schemas for 3.4 * Regenerate schemas for 3.7 * Regenerate schemas for 3.8 * Regenerate schemas for 3.9 * Regenerate schemas for 3.10 --- json_schemas/acme/3.10.json | 4 ++-- json_schemas/acme/3.4.json | 4 ++-- json_schemas/acme/3.7.json | 4 ++-- json_schemas/acme/3.8.json | 4 ++-- json_schemas/acme/3.9.json | 4 ++-- json_schemas/ai-azure-content-safety/3.10.json | 4 ++-- json_schemas/ai-azure-content-safety/3.7.json | 4 ++-- json_schemas/ai-azure-content-safety/3.8.json | 4 ++-- json_schemas/ai-azure-content-safety/3.9.json | 4 ++-- json_schemas/ai-prompt-template/3.10.json | 4 ++-- json_schemas/ai-prompt-template/3.7.json | 4 ++-- json_schemas/ai-prompt-template/3.8.json | 4 ++-- json_schemas/ai-prompt-template/3.9.json | 4 ++-- json_schemas/ai-proxy-advanced/3.10.json | 4 ++-- json_schemas/ai-proxy-advanced/3.8.json | 4 ++-- json_schemas/ai-proxy-advanced/3.9.json | 4 ++-- json_schemas/ai-proxy/3.10.json | 7 ++++--- json_schemas/ai-proxy/3.7.json | 7 ++++--- json_schemas/ai-proxy/3.8.json | 7 ++++--- json_schemas/ai-proxy/3.9.json | 7 ++++--- json_schemas/ai-rag-injector/3.10.json | 14 +++++++++----- json_schemas/ai-rate-limiting-advanced/3.10.json | 4 ++-- json_schemas/ai-rate-limiting-advanced/3.7.json | 4 ++-- json_schemas/ai-rate-limiting-advanced/3.8.json | 4 ++-- json_schemas/ai-rate-limiting-advanced/3.9.json | 4 ++-- json_schemas/ai-request-transformer/3.10.json | 10 ++++++---- json_schemas/ai-request-transformer/3.7.json | 10 ++++++---- json_schemas/ai-request-transformer/3.8.json | 10 ++++++---- json_schemas/ai-request-transformer/3.9.json | 10 ++++++---- json_schemas/ai-response-transformer/3.10.json | 10 ++++++---- json_schemas/ai-response-transformer/3.7.json | 10 ++++++---- json_schemas/ai-response-transformer/3.8.json | 10 ++++++---- json_schemas/ai-response-transformer/3.9.json | 10 ++++++---- 
json_schemas/ai-semantic-cache/3.10.json | 15 ++++++++++----- json_schemas/ai-semantic-cache/3.8.json | 15 ++++++++++----- json_schemas/ai-semantic-cache/3.9.json | 15 ++++++++++----- json_schemas/ai-semantic-prompt-guard/3.10.json | 15 ++++++++++----- json_schemas/ai-semantic-prompt-guard/3.8.json | 15 ++++++++++----- json_schemas/ai-semantic-prompt-guard/3.9.json | 15 ++++++++++----- json_schemas/application-registration/3.10.json | 4 ++-- json_schemas/application-registration/3.4.json | 4 ++-- json_schemas/application-registration/3.7.json | 4 ++-- json_schemas/application-registration/3.8.json | 4 ++-- json_schemas/application-registration/3.9.json | 4 ++-- json_schemas/azure-functions/3.10.json | 5 +++-- json_schemas/azure-functions/3.4.json | 5 +++-- json_schemas/azure-functions/3.7.json | 5 +++-- json_schemas/azure-functions/3.8.json | 5 +++-- json_schemas/azure-functions/3.9.json | 5 +++-- json_schemas/confluent-consume/3.10.json | 6 ++++-- json_schemas/confluent/3.10.json | 6 ++++-- json_schemas/confluent/3.8.json | 6 ++++-- json_schemas/confluent/3.9.json | 6 ++++-- json_schemas/exit-transformer/3.10.json | 4 ++-- json_schemas/exit-transformer/3.4.json | 4 ++-- json_schemas/exit-transformer/3.7.json | 4 ++-- json_schemas/exit-transformer/3.8.json | 4 ++-- json_schemas/exit-transformer/3.9.json | 4 ++-- json_schemas/file-log/3.10.json | 4 ++-- json_schemas/file-log/3.4.json | 4 ++-- json_schemas/file-log/3.7.json | 4 ++-- json_schemas/file-log/3.8.json | 4 ++-- json_schemas/file-log/3.9.json | 4 ++-- .../graphql-rate-limiting-advanced/3.10.json | 6 ++++-- .../graphql-rate-limiting-advanced/3.4.json | 6 ++++-- .../graphql-rate-limiting-advanced/3.7.json | 6 ++++-- .../graphql-rate-limiting-advanced/3.8.json | 6 ++++-- .../graphql-rate-limiting-advanced/3.9.json | 6 ++++-- json_schemas/header-cert-auth/3.10.json | 6 ++++-- json_schemas/header-cert-auth/3.8.json | 6 ++++-- json_schemas/header-cert-auth/3.9.json | 6 ++++-- json_schemas/http-log/3.10.json | 4 
++-- json_schemas/http-log/3.4.json | 4 ++-- json_schemas/http-log/3.7.json | 4 ++-- json_schemas/http-log/3.8.json | 4 ++-- json_schemas/http-log/3.9.json | 4 ++-- json_schemas/jwe-decrypt/3.10.json | 4 ++-- json_schemas/jwe-decrypt/3.4.json | 4 ++-- json_schemas/jwe-decrypt/3.7.json | 4 ++-- json_schemas/jwe-decrypt/3.8.json | 4 ++-- json_schemas/jwe-decrypt/3.9.json | 4 ++-- json_schemas/kafka-consume/3.10.json | 5 +++-- json_schemas/kafka-log/3.10.json | 4 ++-- json_schemas/kafka-log/3.4.json | 4 ++-- json_schemas/kafka-log/3.7.json | 4 ++-- json_schemas/kafka-log/3.8.json | 4 ++-- json_schemas/kafka-log/3.9.json | 4 ++-- json_schemas/kafka-upstream/3.10.json | 4 ++-- json_schemas/kafka-upstream/3.4.json | 4 ++-- json_schemas/kafka-upstream/3.7.json | 4 ++-- json_schemas/kafka-upstream/3.8.json | 4 ++-- json_schemas/kafka-upstream/3.9.json | 4 ++-- json_schemas/konnect-application-auth/3.10.json | 4 ++-- json_schemas/konnect-application-auth/3.4.json | 4 ++-- json_schemas/konnect-application-auth/3.7.json | 4 ++-- json_schemas/konnect-application-auth/3.8.json | 4 ++-- json_schemas/konnect-application-auth/3.9.json | 4 ++-- json_schemas/ldap-auth-advanced/3.10.json | 6 ++++-- json_schemas/ldap-auth-advanced/3.4.json | 6 ++++-- json_schemas/ldap-auth-advanced/3.7.json | 6 ++++-- json_schemas/ldap-auth-advanced/3.8.json | 6 ++++-- json_schemas/ldap-auth-advanced/3.9.json | 6 ++++-- json_schemas/ldap-auth/3.10.json | 6 ++++-- json_schemas/ldap-auth/3.4.json | 6 ++++-- json_schemas/ldap-auth/3.7.json | 6 ++++-- json_schemas/ldap-auth/3.8.json | 6 ++++-- json_schemas/ldap-auth/3.9.json | 6 ++++-- json_schemas/loggly/3.10.json | 4 ++-- json_schemas/loggly/3.4.json | 4 ++-- json_schemas/loggly/3.7.json | 4 ++-- json_schemas/loggly/3.8.json | 4 ++-- json_schemas/loggly/3.9.json | 4 ++-- json_schemas/mtls-auth/3.10.json | 4 ++-- json_schemas/mtls-auth/3.4.json | 4 ++-- json_schemas/mtls-auth/3.7.json | 4 ++-- json_schemas/mtls-auth/3.8.json | 4 ++-- 
json_schemas/mtls-auth/3.9.json | 4 ++-- json_schemas/oas-validation/3.10.json | 4 ++-- json_schemas/oas-validation/3.4.json | 4 ++-- json_schemas/oas-validation/3.7.json | 4 ++-- json_schemas/oas-validation/3.8.json | 4 ++-- json_schemas/oas-validation/3.9.json | 4 ++-- json_schemas/oauth2-introspection/3.10.json | 5 +++-- json_schemas/oauth2-introspection/3.4.json | 5 +++-- json_schemas/oauth2-introspection/3.7.json | 5 +++-- json_schemas/oauth2-introspection/3.8.json | 5 +++-- json_schemas/oauth2-introspection/3.9.json | 5 +++-- json_schemas/oauth2/3.10.json | 4 ++-- json_schemas/oauth2/3.4.json | 4 ++-- json_schemas/oauth2/3.7.json | 4 ++-- json_schemas/oauth2/3.8.json | 4 ++-- json_schemas/oauth2/3.9.json | 4 ++-- json_schemas/opa/3.10.json | 4 ++-- json_schemas/opa/3.4.json | 4 ++-- json_schemas/opa/3.7.json | 4 ++-- json_schemas/opa/3.8.json | 4 ++-- json_schemas/opa/3.9.json | 4 ++-- json_schemas/openid-connect/3.10.json | 4 ++-- json_schemas/openid-connect/3.4.json | 4 ++-- json_schemas/openid-connect/3.7.json | 4 ++-- json_schemas/openid-connect/3.8.json | 4 ++-- json_schemas/openid-connect/3.9.json | 4 ++-- json_schemas/opentelemetry/3.4.json | 4 ++-- json_schemas/opentelemetry/3.7.json | 4 ++-- json_schemas/proxy-cache-advanced/3.10.json | 4 ++-- json_schemas/proxy-cache-advanced/3.4.json | 4 ++-- json_schemas/proxy-cache-advanced/3.7.json | 4 ++-- json_schemas/proxy-cache-advanced/3.8.json | 4 ++-- json_schemas/proxy-cache-advanced/3.9.json | 4 ++-- json_schemas/proxy-cache/3.10.json | 4 ++-- json_schemas/proxy-cache/3.4.json | 4 ++-- json_schemas/proxy-cache/3.7.json | 4 ++-- json_schemas/proxy-cache/3.8.json | 4 ++-- json_schemas/proxy-cache/3.9.json | 4 ++-- json_schemas/rate-limiting-advanced/3.10.json | 6 ++++-- json_schemas/rate-limiting-advanced/3.4.json | 6 ++++-- json_schemas/rate-limiting-advanced/3.7.json | 6 ++++-- json_schemas/rate-limiting-advanced/3.8.json | 6 ++++-- json_schemas/rate-limiting-advanced/3.9.json | 6 ++++-- 
json_schemas/redirect/3.10.json | 4 ++-- json_schemas/redirect/3.9.json | 4 ++-- json_schemas/request-callout/3.10.json | 6 +++--- json_schemas/saml/3.10.json | 7 +++++-- json_schemas/saml/3.4.json | 7 +++++-- json_schemas/saml/3.7.json | 7 +++++-- json_schemas/saml/3.8.json | 7 +++++-- json_schemas/saml/3.9.json | 7 +++++-- json_schemas/service-protection/3.10.json | 6 ++++-- json_schemas/service-protection/3.9.json | 6 ++++-- json_schemas/standard-webhooks/3.10.json | 4 ++-- json_schemas/standard-webhooks/3.8.json | 4 ++-- json_schemas/standard-webhooks/3.9.json | 4 ++-- json_schemas/tcp-log/3.10.json | 5 +++-- json_schemas/tcp-log/3.4.json | 5 +++-- json_schemas/tcp-log/3.7.json | 5 +++-- json_schemas/tcp-log/3.8.json | 5 +++-- json_schemas/tcp-log/3.9.json | 5 +++-- json_schemas/udp-log/3.10.json | 5 +++-- json_schemas/udp-log/3.4.json | 5 +++-- json_schemas/udp-log/3.7.json | 5 +++-- json_schemas/udp-log/3.8.json | 5 +++-- json_schemas/udp-log/3.9.json | 5 +++-- json_schemas/upstream-oauth/3.10.json | 6 +++--- json_schemas/upstream-oauth/3.8.json | 6 +++--- json_schemas/upstream-oauth/3.9.json | 6 +++--- json_schemas/vault-auth/3.10.json | 4 ++-- json_schemas/vault-auth/3.4.json | 4 ++-- json_schemas/vault-auth/3.7.json | 4 ++-- json_schemas/vault-auth/3.8.json | 4 ++-- json_schemas/vault-auth/3.9.json | 4 ++-- 190 files changed, 573 insertions(+), 425 deletions(-) diff --git a/json_schemas/acme/3.10.json b/json_schemas/acme/3.10.json index 613989a4..d7efcc36 100644 --- a/json_schemas/acme/3.10.json +++ b/json_schemas/acme/3.10.json @@ -339,7 +339,7 @@ } }, "required": [ - + "account_email" ], "type": "object" }, @@ -367,6 +367,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/acme/3.4.json b/json_schemas/acme/3.4.json index 894a55ed..b2e5492b 100644 --- a/json_schemas/acme/3.4.json +++ b/json_schemas/acme/3.4.json @@ -295,7 +295,7 @@ } }, "required": [ - + "account_email" ], "type": "object" }, 
@@ -323,6 +323,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/acme/3.7.json b/json_schemas/acme/3.7.json index be86ac88..443e9f1b 100644 --- a/json_schemas/acme/3.7.json +++ b/json_schemas/acme/3.7.json @@ -353,7 +353,7 @@ } }, "required": [ - + "account_email" ], "type": "object" }, @@ -381,6 +381,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/acme/3.8.json b/json_schemas/acme/3.8.json index 0bbe30bf..1b81dd03 100644 --- a/json_schemas/acme/3.8.json +++ b/json_schemas/acme/3.8.json @@ -353,7 +353,7 @@ } }, "required": [ - + "account_email" ], "type": "object" }, @@ -381,6 +381,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/acme/3.9.json b/json_schemas/acme/3.9.json index 68ed1e1b..0ed7b8ad 100644 --- a/json_schemas/acme/3.9.json +++ b/json_schemas/acme/3.9.json @@ -339,7 +339,7 @@ } }, "required": [ - + "account_email" ], "type": "object" }, @@ -367,6 +367,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-azure-content-safety/3.10.json b/json_schemas/ai-azure-content-safety/3.10.json index f2f33401..4daed24a 100644 --- a/json_schemas/ai-azure-content-safety/3.10.json +++ b/json_schemas/ai-azure-content-safety/3.10.json @@ -92,7 +92,7 @@ } }, "required": [ - + "content_safety_url" ], "type": "object" }, @@ -146,6 +146,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-azure-content-safety/3.7.json b/json_schemas/ai-azure-content-safety/3.7.json index 55445bda..012ff015 100644 --- a/json_schemas/ai-azure-content-safety/3.7.json +++ b/json_schemas/ai-azure-content-safety/3.7.json @@ -92,7 +92,7 @@ } }, "required": [ - + "content_safety_url" ], "type": "object" }, @@ -146,6 +146,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file 
diff --git a/json_schemas/ai-azure-content-safety/3.8.json b/json_schemas/ai-azure-content-safety/3.8.json index 55445bda..012ff015 100644 --- a/json_schemas/ai-azure-content-safety/3.8.json +++ b/json_schemas/ai-azure-content-safety/3.8.json @@ -92,7 +92,7 @@ } }, "required": [ - + "content_safety_url" ], "type": "object" }, @@ -146,6 +146,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-azure-content-safety/3.9.json b/json_schemas/ai-azure-content-safety/3.9.json index 55445bda..012ff015 100644 --- a/json_schemas/ai-azure-content-safety/3.9.json +++ b/json_schemas/ai-azure-content-safety/3.9.json @@ -92,7 +92,7 @@ } }, "required": [ - + "content_safety_url" ], "type": "object" }, @@ -146,6 +146,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-prompt-template/3.10.json b/json_schemas/ai-prompt-template/3.10.json index 99f12ea0..5824bbb1 100644 --- a/json_schemas/ai-prompt-template/3.10.json +++ b/json_schemas/ai-prompt-template/3.10.json @@ -41,7 +41,7 @@ } }, "required": [ - + "templates" ], "type": "object" }, @@ -121,6 +121,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-prompt-template/3.7.json b/json_schemas/ai-prompt-template/3.7.json index 40b85af2..91a5b74c 100644 --- a/json_schemas/ai-prompt-template/3.7.json +++ b/json_schemas/ai-prompt-template/3.7.json @@ -35,7 +35,7 @@ } }, "required": [ - + "templates" ], "type": "object" }, @@ -102,6 +102,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-prompt-template/3.8.json b/json_schemas/ai-prompt-template/3.8.json index 99f12ea0..5824bbb1 100644 --- a/json_schemas/ai-prompt-template/3.8.json +++ b/json_schemas/ai-prompt-template/3.8.json @@ -41,7 +41,7 @@ } }, "required": [ - + "templates" ], "type": "object" }, @@ -121,6 +121,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file 
diff --git a/json_schemas/ai-prompt-template/3.9.json b/json_schemas/ai-prompt-template/3.9.json index 99f12ea0..5824bbb1 100644 --- a/json_schemas/ai-prompt-template/3.9.json +++ b/json_schemas/ai-prompt-template/3.9.json @@ -41,7 +41,7 @@ } }, "required": [ - + "templates" ], "type": "object" }, @@ -121,6 +121,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-proxy-advanced/3.10.json b/json_schemas/ai-proxy-advanced/3.10.json index 569bdd81..2c803b19 100644 --- a/json_schemas/ai-proxy-advanced/3.10.json +++ b/json_schemas/ai-proxy-advanced/3.10.json @@ -918,7 +918,7 @@ } }, "required": [ - + "targets" ], "type": "object" }, @@ -998,6 +998,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-proxy-advanced/3.8.json b/json_schemas/ai-proxy-advanced/3.8.json index 45b9e011..323a1135 100644 --- a/json_schemas/ai-proxy-advanced/3.8.json +++ b/json_schemas/ai-proxy-advanced/3.8.json @@ -690,7 +690,7 @@ } }, "required": [ - + "targets" ], "type": "object" }, @@ -770,6 +770,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-proxy-advanced/3.9.json b/json_schemas/ai-proxy-advanced/3.9.json index ff4b431e..97baacd0 100644 --- a/json_schemas/ai-proxy-advanced/3.9.json +++ b/json_schemas/ai-proxy-advanced/3.9.json @@ -711,7 +711,7 @@ } }, "required": [ - + "targets" ], "type": "object" }, @@ -791,6 +791,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-proxy/3.10.json b/json_schemas/ai-proxy/3.10.json index de9bbc20..c9522ad3 100644 --- a/json_schemas/ai-proxy/3.10.json +++ b/json_schemas/ai-proxy/3.10.json @@ -273,7 +273,7 @@ } }, "required": [ - + "provider" ], "type": "object" }, @@ -303,7 +303,8 @@ } }, "required": [ - + "model", + "route_type" ], "type": "object" }, @@ -383,6 +384,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file 
diff --git a/json_schemas/ai-proxy/3.7.json b/json_schemas/ai-proxy/3.7.json index 641ed27c..e10cf0a0 100644 --- a/json_schemas/ai-proxy/3.7.json +++ b/json_schemas/ai-proxy/3.7.json @@ -173,7 +173,7 @@ } }, "required": [ - + "provider" ], "type": "object" }, @@ -188,7 +188,8 @@ } }, "required": [ - + "model", + "route_type" ], "type": "object" }, @@ -242,6 +243,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-proxy/3.8.json b/json_schemas/ai-proxy/3.8.json index 187757ea..5bbc12ae 100644 --- a/json_schemas/ai-proxy/3.8.json +++ b/json_schemas/ai-proxy/3.8.json @@ -235,7 +235,7 @@ } }, "required": [ - + "provider" ], "type": "object" }, @@ -265,7 +265,8 @@ } }, "required": [ - + "model", + "route_type" ], "type": "object" }, @@ -345,6 +346,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-proxy/3.9.json b/json_schemas/ai-proxy/3.9.json index f3b798d0..7c219607 100644 --- a/json_schemas/ai-proxy/3.9.json +++ b/json_schemas/ai-proxy/3.9.json @@ -252,7 +252,7 @@ } }, "required": [ - + "provider" ], "type": "object" }, @@ -282,7 +282,8 @@ } }, "required": [ - + "model", + "route_type" ], "type": "object" }, @@ -362,6 +363,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-rag-injector/3.10.json b/json_schemas/ai-rag-injector/3.10.json index 13cf7792..7696ea80 100644 --- a/json_schemas/ai-rag-injector/3.10.json +++ b/json_schemas/ai-rag-injector/3.10.json @@ -189,13 +189,14 @@ } }, "required": [ - + "name", + "provider" ], "type": "object" } }, "required": [ - + "model" ], "type": "object" }, @@ -497,7 +498,9 @@ } }, "required": [ - + "dimensions", + "distance_metric", + "strategy" ], "type": "object" }, @@ -508,7 +511,8 @@ } }, "required": [ - + "embeddings", + "vectordb" ], "type": "object" }, @@ -588,6 +592,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file 
diff --git a/json_schemas/ai-rate-limiting-advanced/3.10.json b/json_schemas/ai-rate-limiting-advanced/3.10.json index c1db89e4..4ca1a424 100644 --- a/json_schemas/ai-rate-limiting-advanced/3.10.json +++ b/json_schemas/ai-rate-limiting-advanced/3.10.json @@ -341,7 +341,7 @@ } }, "required": [ - + "llm_providers" ], "type": "object" }, @@ -421,6 +421,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-rate-limiting-advanced/3.7.json b/json_schemas/ai-rate-limiting-advanced/3.7.json index 2911d610..891776cb 100644 --- a/json_schemas/ai-rate-limiting-advanced/3.7.json +++ b/json_schemas/ai-rate-limiting-advanced/3.7.json @@ -260,7 +260,7 @@ } }, "required": [ - + "llm_providers" ], "type": "object" }, @@ -340,6 +340,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-rate-limiting-advanced/3.8.json b/json_schemas/ai-rate-limiting-advanced/3.8.json index 557f227d..8a91403a 100644 --- a/json_schemas/ai-rate-limiting-advanced/3.8.json +++ b/json_schemas/ai-rate-limiting-advanced/3.8.json @@ -319,7 +319,7 @@ } }, "required": [ - + "llm_providers" ], "type": "object" }, @@ -399,6 +399,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-rate-limiting-advanced/3.9.json b/json_schemas/ai-rate-limiting-advanced/3.9.json index 734c66d1..0feff88e 100644 --- a/json_schemas/ai-rate-limiting-advanced/3.9.json +++ b/json_schemas/ai-rate-limiting-advanced/3.9.json @@ -319,7 +319,7 @@ } }, "required": [ - + "llm_providers" ], "type": "object" }, @@ -399,6 +399,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-request-transformer/3.10.json b/json_schemas/ai-request-transformer/3.10.json index d0d093ff..6c6e74b5 100644 --- a/json_schemas/ai-request-transformer/3.10.json +++ b/json_schemas/ai-request-transformer/3.10.json @@ -289,7 +289,7 @@ } }, "required": [ - + "provider" ], "type": "object" }, 
@@ -304,7 +304,8 @@ } }, "required": [ - + "model", + "route_type" ], "type": "object" }, @@ -324,7 +325,8 @@ } }, "required": [ - + "llm", + "prompt" ], "type": "object" }, @@ -391,6 +393,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-request-transformer/3.7.json b/json_schemas/ai-request-transformer/3.7.json index 9b5135c4..1a5300da 100644 --- a/json_schemas/ai-request-transformer/3.7.json +++ b/json_schemas/ai-request-transformer/3.7.json @@ -205,7 +205,7 @@ } }, "required": [ - + "provider" ], "type": "object" }, @@ -220,7 +220,8 @@ } }, "required": [ - + "model", + "route_type" ], "type": "object" }, @@ -234,7 +235,8 @@ } }, "required": [ - + "llm", + "prompt" ], "type": "object" }, @@ -301,6 +303,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-request-transformer/3.8.json b/json_schemas/ai-request-transformer/3.8.json index 0e27d1d2..c59997d5 100644 --- a/json_schemas/ai-request-transformer/3.8.json +++ b/json_schemas/ai-request-transformer/3.8.json @@ -261,7 +261,7 @@ } }, "required": [ - + "provider" ], "type": "object" }, @@ -276,7 +276,8 @@ } }, "required": [ - + "model", + "route_type" ], "type": "object" }, @@ -296,7 +297,8 @@ } }, "required": [ - + "llm", + "prompt" ], "type": "object" }, @@ -363,6 +365,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-request-transformer/3.9.json b/json_schemas/ai-request-transformer/3.9.json index adc3e244..daca3602 100644 --- a/json_schemas/ai-request-transformer/3.9.json +++ b/json_schemas/ai-request-transformer/3.9.json @@ -278,7 +278,7 @@ } }, "required": [ - + "provider" ], "type": "object" }, @@ -293,7 +293,8 @@ } }, "required": [ - + "model", + "route_type" ], "type": "object" }, @@ -313,7 +314,8 @@ } }, "required": [ - + "llm", + "prompt" ], "type": "object" }, @@ -380,6 +382,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file 
diff --git a/json_schemas/ai-response-transformer/3.10.json b/json_schemas/ai-response-transformer/3.10.json index 02165790..2ba4feef 100644 --- a/json_schemas/ai-response-transformer/3.10.json +++ b/json_schemas/ai-response-transformer/3.10.json @@ -289,7 +289,7 @@ } }, "required": [ - + "provider" ], "type": "object" }, @@ -304,7 +304,8 @@ } }, "required": [ - + "model", + "route_type" ], "type": "object" }, @@ -329,7 +330,8 @@ } }, "required": [ - + "llm", + "prompt" ], "type": "object" }, @@ -409,6 +411,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-response-transformer/3.7.json b/json_schemas/ai-response-transformer/3.7.json index 95ded4f7..4260b5cb 100644 --- a/json_schemas/ai-response-transformer/3.7.json +++ b/json_schemas/ai-response-transformer/3.7.json @@ -205,7 +205,7 @@ } }, "required": [ - + "provider" ], "type": "object" }, @@ -220,7 +220,8 @@ } }, "required": [ - + "model", + "route_type" ], "type": "object" }, @@ -239,7 +240,8 @@ } }, "required": [ - + "llm", + "prompt" ], "type": "object" }, @@ -306,6 +308,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-response-transformer/3.8.json b/json_schemas/ai-response-transformer/3.8.json index 49b11492..270147be 100644 --- a/json_schemas/ai-response-transformer/3.8.json +++ b/json_schemas/ai-response-transformer/3.8.json @@ -261,7 +261,7 @@ } }, "required": [ - + "provider" ], "type": "object" }, @@ -276,7 +276,8 @@ } }, "required": [ - + "model", + "route_type" ], "type": "object" }, @@ -301,7 +302,8 @@ } }, "required": [ - + "llm", + "prompt" ], "type": "object" }, @@ -381,6 +383,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-response-transformer/3.9.json b/json_schemas/ai-response-transformer/3.9.json index ed963c32..fc73fb23 100644 --- a/json_schemas/ai-response-transformer/3.9.json +++ b/json_schemas/ai-response-transformer/3.9.json 
@@ -278,7 +278,7 @@ } }, "required": [ - + "provider" ], "type": "object" }, @@ -293,7 +293,8 @@ } }, "required": [ - + "model", + "route_type" ], "type": "object" }, @@ -318,7 +319,8 @@ } }, "required": [ - + "llm", + "prompt" ], "type": "object" }, @@ -398,6 +400,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-semantic-cache/3.10.json b/json_schemas/ai-semantic-cache/3.10.json index a542cb7f..914d28b9 100644 --- a/json_schemas/ai-semantic-cache/3.10.json +++ b/json_schemas/ai-semantic-cache/3.10.json @@ -200,13 +200,14 @@ } }, "required": [ - + "name", + "provider" ], "type": "object" } }, "required": [ - + "model" ], "type": "object" }, @@ -531,13 +532,17 @@ } }, "required": [ - + "dimensions", + "distance_metric", + "strategy", + "threshold" ], "type": "object" } }, "required": [ - + "embeddings", + "vectordb" ], "type": "object" }, @@ -617,6 +622,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-semantic-cache/3.8.json b/json_schemas/ai-semantic-cache/3.8.json index e6197fe4..38806cf6 100644 --- a/json_schemas/ai-semantic-cache/3.8.json +++ b/json_schemas/ai-semantic-cache/3.8.json @@ -120,13 +120,14 @@ } }, "required": [ - + "name", + "provider" ], "type": "object" } }, "required": [ - + "model" ], "type": "object" }, @@ -366,13 +367,17 @@ } }, "required": [ - + "dimensions", + "distance_metric", + "strategy", + "threshold" ], "type": "object" } }, "required": [ - + "embeddings", + "vectordb" ], "type": "object" }, @@ -439,6 +444,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-semantic-cache/3.9.json b/json_schemas/ai-semantic-cache/3.9.json index 9bbbc340..c137d470 100644 --- a/json_schemas/ai-semantic-cache/3.9.json +++ b/json_schemas/ai-semantic-cache/3.9.json @@ -115,13 +115,14 @@ } }, "required": [ - + "name", + "provider" ], "type": "object" } }, "required": [ - + "model" ], "type": "object" }, 
@@ -365,13 +366,17 @@ } }, "required": [ - + "dimensions", + "distance_metric", + "strategy", + "threshold" ], "type": "object" } }, "required": [ - + "embeddings", + "vectordb" ], "type": "object" }, @@ -451,6 +456,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-semantic-prompt-guard/3.10.json b/json_schemas/ai-semantic-prompt-guard/3.10.json index 9ed25039..8c712b47 100644 --- a/json_schemas/ai-semantic-prompt-guard/3.10.json +++ b/json_schemas/ai-semantic-prompt-guard/3.10.json @@ -189,13 +189,14 @@ } }, "required": [ - + "name", + "provider" ], "type": "object" } }, "required": [ - + "model" ], "type": "object" }, @@ -551,13 +552,17 @@ } }, "required": [ - + "dimensions", + "distance_metric", + "strategy", + "threshold" ], "type": "object" } }, "required": [ - + "embeddings", + "vectordb" ], "type": "object" }, @@ -637,6 +642,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-semantic-prompt-guard/3.8.json b/json_schemas/ai-semantic-prompt-guard/3.8.json index 8aa8bee7..368c48e6 100644 --- a/json_schemas/ai-semantic-prompt-guard/3.8.json +++ b/json_schemas/ai-semantic-prompt-guard/3.8.json @@ -109,13 +109,14 @@ } }, "required": [ - + "name", + "provider" ], "type": "object" } }, "required": [ - + "model" ], "type": "object" }, @@ -391,13 +392,17 @@ } }, "required": [ - + "dimensions", + "distance_metric", + "strategy", + "threshold" ], "type": "object" } }, "required": [ - + "embeddings", + "vectordb" ], "type": "object" }, @@ -477,6 +482,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ai-semantic-prompt-guard/3.9.json b/json_schemas/ai-semantic-prompt-guard/3.9.json index cecaebb0..706123fb 100644 --- a/json_schemas/ai-semantic-prompt-guard/3.9.json +++ b/json_schemas/ai-semantic-prompt-guard/3.9.json 
@@ -104,13 +104,14 @@ } }, "required": [ - + "name", + "provider" ], "type": "object" } }, "required": [ - + "model" ], "type": "object" }, @@ -385,13 +386,17 @@ } }, "required": [ - + "dimensions", + "distance_metric", + "strategy", + "threshold" ], "type": "object" } }, "required": [ - + "embeddings", + "vectordb" ], "type": "object" }, @@ -471,6 +476,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/application-registration/3.10.json b/json_schemas/application-registration/3.10.json index 84b50628..88f34f5b 100644 --- a/json_schemas/application-registration/3.10.json +++ b/json_schemas/application-registration/3.10.json @@ -28,7 +28,7 @@ } }, "required": [ - + "display_name" ], "type": "object" }, @@ -56,6 +56,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/application-registration/3.4.json b/json_schemas/application-registration/3.4.json index 10fe65ee..f7b76d33 100644 --- a/json_schemas/application-registration/3.4.json +++ b/json_schemas/application-registration/3.4.json @@ -23,7 +23,7 @@ } }, "required": [ - + "display_name" ], "type": "object" }, @@ -51,6 +51,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/application-registration/3.7.json b/json_schemas/application-registration/3.7.json index 84b50628..88f34f5b 100644 --- a/json_schemas/application-registration/3.7.json +++ b/json_schemas/application-registration/3.7.json @@ -28,7 +28,7 @@ } }, "required": [ - + "display_name" ], "type": "object" }, @@ -56,6 +56,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/application-registration/3.8.json b/json_schemas/application-registration/3.8.json index 84b50628..88f34f5b 100644 --- a/json_schemas/application-registration/3.8.json +++ b/json_schemas/application-registration/3.8.json @@ -28,7 +28,7 @@ } }, "required": [ - + "display_name" ], "type": "object" }, 
@@ -56,6 +56,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/application-registration/3.9.json b/json_schemas/application-registration/3.9.json index 84b50628..88f34f5b 100644 --- a/json_schemas/application-registration/3.9.json +++ b/json_schemas/application-registration/3.9.json @@ -28,7 +28,7 @@ } }, "required": [ - + "display_name" ], "type": "object" }, @@ -56,6 +56,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/azure-functions/3.10.json b/json_schemas/azure-functions/3.10.json index 6fc519b4..1795248e 100644 --- a/json_schemas/azure-functions/3.10.json +++ b/json_schemas/azure-functions/3.10.json @@ -50,7 +50,8 @@ } }, "required": [ - + "appname", + "functionname" ], "type": "object" }, @@ -124,6 +125,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/azure-functions/3.4.json b/json_schemas/azure-functions/3.4.json index 121e5a57..282003c0 100644 --- a/json_schemas/azure-functions/3.4.json +++ b/json_schemas/azure-functions/3.4.json @@ -50,7 +50,8 @@ } }, "required": [ - + "appname", + "functionname" ], "type": "object" }, @@ -124,6 +125,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/azure-functions/3.7.json b/json_schemas/azure-functions/3.7.json index 6fc519b4..1795248e 100644 --- a/json_schemas/azure-functions/3.7.json +++ b/json_schemas/azure-functions/3.7.json @@ -50,7 +50,8 @@ } }, "required": [ - + "appname", + "functionname" ], "type": "object" }, @@ -124,6 +125,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/azure-functions/3.8.json b/json_schemas/azure-functions/3.8.json index 6fc519b4..1795248e 100644 --- a/json_schemas/azure-functions/3.8.json +++ b/json_schemas/azure-functions/3.8.json @@ -50,7 +50,8 @@ } }, "required": [ - + "appname", + "functionname" ], "type": "object" }, 
@@ -124,6 +125,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/azure-functions/3.9.json b/json_schemas/azure-functions/3.9.json index 6fc519b4..1795248e 100644 --- a/json_schemas/azure-functions/3.9.json +++ b/json_schemas/azure-functions/3.9.json @@ -50,7 +50,8 @@ } }, "required": [ - + "appname", + "functionname" ], "type": "object" }, @@ -124,6 +125,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/confluent-consume/3.10.json b/json_schemas/confluent-consume/3.10.json index d505c1b9..967161aa 100644 --- a/json_schemas/confluent-consume/3.10.json +++ b/json_schemas/confluent-consume/3.10.json @@ -113,7 +113,9 @@ } }, "required": [ - + "cluster_api_key", + "cluster_api_secret", + "topics" ], "type": "object" }, @@ -180,6 +182,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/confluent/3.10.json b/json_schemas/confluent/3.10.json index 32d007b4..b487f7ad 100644 --- a/json_schemas/confluent/3.10.json +++ b/json_schemas/confluent/3.10.json @@ -159,7 +159,9 @@ } }, "required": [ - + "cluster_api_key", + "cluster_api_secret", + "topic" ], "type": "object" }, @@ -226,6 +228,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/confluent/3.8.json b/json_schemas/confluent/3.8.json index bc67e458..bbfffe10 100644 --- a/json_schemas/confluent/3.8.json +++ b/json_schemas/confluent/3.8.json @@ -135,7 +135,9 @@ } }, "required": [ - + "cluster_api_key", + "cluster_api_secret", + "topic" ], "type": "object" }, @@ -202,6 +204,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/confluent/3.9.json b/json_schemas/confluent/3.9.json index fc6d9df4..b8912edd 100644 --- a/json_schemas/confluent/3.9.json +++ b/json_schemas/confluent/3.9.json @@ -135,7 +135,9 @@ } }, "required": [ - + "cluster_api_key", + "cluster_api_secret", + "topic" ], "type": "object" }, 
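Review bot: Listing `cluster_api_key`, `cluster_api_secret` and `topics` under `required` in the first hunk of confluent-consume/3.10.json only makes a validator insist that the keys are present; an empty string or an empty array still passes. The property definitions sit outside this hunk, so this may already be covered, but if it is not, `"minLength": 1` on the two credential fields and `"minItems": 1` on `topics` would close that gap. The same applies to the `topic` variant in confluent/3.10, 3.8 and 3.9, and to `ca_certificates` in the header-cert-auth hunks, where an empty trust list is the case worth rejecting at validation time. Because these files are regenerated, the constraint belongs in the generator or the upstream plugin schema rather than in a hand edit here.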
@@ -202,6 +204,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/exit-transformer/3.10.json b/json_schemas/exit-transformer/3.10.json index f65b3b1f..08af8b61 100644 --- a/json_schemas/exit-transformer/3.10.json +++ b/json_schemas/exit-transformer/3.10.json @@ -23,7 +23,7 @@ } }, "required": [ - + "functions" ], "type": "object" }, @@ -90,6 +90,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/exit-transformer/3.4.json b/json_schemas/exit-transformer/3.4.json index f65b3b1f..08af8b61 100644 --- a/json_schemas/exit-transformer/3.4.json +++ b/json_schemas/exit-transformer/3.4.json @@ -23,7 +23,7 @@ } }, "required": [ - + "functions" ], "type": "object" }, @@ -90,6 +90,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/exit-transformer/3.7.json b/json_schemas/exit-transformer/3.7.json index f65b3b1f..08af8b61 100644 --- a/json_schemas/exit-transformer/3.7.json +++ b/json_schemas/exit-transformer/3.7.json @@ -23,7 +23,7 @@ } }, "required": [ - + "functions" ], "type": "object" }, @@ -90,6 +90,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/exit-transformer/3.8.json b/json_schemas/exit-transformer/3.8.json index f65b3b1f..08af8b61 100644 --- a/json_schemas/exit-transformer/3.8.json +++ b/json_schemas/exit-transformer/3.8.json @@ -23,7 +23,7 @@ } }, "required": [ - + "functions" ], "type": "object" }, @@ -90,6 +90,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/exit-transformer/3.9.json b/json_schemas/exit-transformer/3.9.json index f65b3b1f..08af8b61 100644 --- a/json_schemas/exit-transformer/3.9.json +++ b/json_schemas/exit-transformer/3.9.json @@ -23,7 +23,7 @@ } }, "required": [ - + "functions" ], "type": "object" }, @@ -90,6 +90,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file 
diff --git a/json_schemas/file-log/3.10.json b/json_schemas/file-log/3.10.json index bdc87bcb..6b2e4832 100644 --- a/json_schemas/file-log/3.10.json +++ b/json_schemas/file-log/3.10.json @@ -19,7 +19,7 @@ } }, "required": [ - + "path" ], "type": "object" }, @@ -93,6 +93,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/file-log/3.4.json b/json_schemas/file-log/3.4.json index 7b34b71e..566614b3 100644 --- a/json_schemas/file-log/3.4.json +++ b/json_schemas/file-log/3.4.json @@ -19,7 +19,7 @@ } }, "required": [ - + "path" ], "type": "object" }, @@ -93,6 +93,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/file-log/3.7.json b/json_schemas/file-log/3.7.json index 7b34b71e..566614b3 100644 --- a/json_schemas/file-log/3.7.json +++ b/json_schemas/file-log/3.7.json @@ -19,7 +19,7 @@ } }, "required": [ - + "path" ], "type": "object" }, @@ -93,6 +93,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/file-log/3.8.json b/json_schemas/file-log/3.8.json index 7b34b71e..566614b3 100644 --- a/json_schemas/file-log/3.8.json +++ b/json_schemas/file-log/3.8.json @@ -19,7 +19,7 @@ } }, "required": [ - + "path" ], "type": "object" }, @@ -93,6 +93,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/file-log/3.9.json b/json_schemas/file-log/3.9.json index 7b34b71e..566614b3 100644 --- a/json_schemas/file-log/3.9.json +++ b/json_schemas/file-log/3.9.json @@ -19,7 +19,7 @@ } }, "required": [ - + "path" ], "type": "object" }, @@ -93,6 +93,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/graphql-rate-limiting-advanced/3.10.json b/json_schemas/graphql-rate-limiting-advanced/3.10.json index acf6b51b..b7780508 100644 --- a/json_schemas/graphql-rate-limiting-advanced/3.10.json +++ b/json_schemas/graphql-rate-limiting-advanced/3.10.json 
@@ -271,7 +271,9 @@ } }, "required": [ - + "limit", + "sync_rate", + "window_size" ], "type": "object" }, @@ -338,6 +340,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/graphql-rate-limiting-advanced/3.4.json b/json_schemas/graphql-rate-limiting-advanced/3.4.json index 40483b87..42393672 100644 --- a/json_schemas/graphql-rate-limiting-advanced/3.4.json +++ b/json_schemas/graphql-rate-limiting-advanced/3.4.json @@ -216,7 +216,9 @@ } }, "required": [ - + "limit", + "sync_rate", + "window_size" ], "type": "object" }, @@ -283,6 +285,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/graphql-rate-limiting-advanced/3.7.json b/json_schemas/graphql-rate-limiting-advanced/3.7.json index b363dd44..c0517be7 100644 --- a/json_schemas/graphql-rate-limiting-advanced/3.7.json +++ b/json_schemas/graphql-rate-limiting-advanced/3.7.json @@ -216,7 +216,9 @@ } }, "required": [ - + "limit", + "sync_rate", + "window_size" ], "type": "object" }, @@ -283,6 +285,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/graphql-rate-limiting-advanced/3.8.json b/json_schemas/graphql-rate-limiting-advanced/3.8.json index aa4f161d..9891ed6d 100644 --- a/json_schemas/graphql-rate-limiting-advanced/3.8.json +++ b/json_schemas/graphql-rate-limiting-advanced/3.8.json @@ -272,7 +272,9 @@ } }, "required": [ - + "limit", + "sync_rate", + "window_size" ], "type": "object" }, @@ -339,6 +341,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/graphql-rate-limiting-advanced/3.9.json b/json_schemas/graphql-rate-limiting-advanced/3.9.json index acf6b51b..b7780508 100644 --- a/json_schemas/graphql-rate-limiting-advanced/3.9.json +++ b/json_schemas/graphql-rate-limiting-advanced/3.9.json @@ -271,7 +271,9 @@ } }, "required": [ - + "limit", + "sync_rate", + "window_size" ], "type": "object" }, 
@@ -338,6 +340,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/header-cert-auth/3.10.json b/json_schemas/header-cert-auth/3.10.json index cd742de3..48520a27 100644 --- a/json_schemas/header-cert-auth/3.10.json +++ b/json_schemas/header-cert-auth/3.10.json @@ -122,7 +122,9 @@ } }, "required": [ - + "ca_certificates", + "certificate_header_format", + "certificate_header_name" ], "type": "object" }, @@ -176,6 +178,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/header-cert-auth/3.8.json b/json_schemas/header-cert-auth/3.8.json index cd742de3..48520a27 100644 --- a/json_schemas/header-cert-auth/3.8.json +++ b/json_schemas/header-cert-auth/3.8.json @@ -122,7 +122,9 @@ } }, "required": [ - + "ca_certificates", + "certificate_header_format", + "certificate_header_name" ], "type": "object" }, @@ -176,6 +178,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/header-cert-auth/3.9.json b/json_schemas/header-cert-auth/3.9.json index cd742de3..48520a27 100644 --- a/json_schemas/header-cert-auth/3.9.json +++ b/json_schemas/header-cert-auth/3.9.json @@ -122,7 +122,9 @@ } }, "required": [ - + "ca_certificates", + "certificate_header_format", + "certificate_header_name" ], "type": "object" }, @@ -176,6 +178,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/http-log/3.10.json b/json_schemas/http-log/3.10.json index 89e9ad17..03b3342b 100644 --- a/json_schemas/http-log/3.10.json +++ b/json_schemas/http-log/3.10.json @@ -120,7 +120,7 @@ } }, "required": [ - + "http_endpoint" ], "type": "object" }, @@ -194,6 +194,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/http-log/3.4.json b/json_schemas/http-log/3.4.json index a6fa0762..40c97cea 100644 --- a/json_schemas/http-log/3.4.json +++ b/json_schemas/http-log/3.4.json 
@@ -111,7 +111,7 @@ } }, "required": [ - + "http_endpoint" ], "type": "object" }, @@ -185,6 +185,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/http-log/3.7.json b/json_schemas/http-log/3.7.json index a6fa0762..40c97cea 100644 --- a/json_schemas/http-log/3.7.json +++ b/json_schemas/http-log/3.7.json @@ -111,7 +111,7 @@ } }, "required": [ - + "http_endpoint" ], "type": "object" }, @@ -185,6 +185,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/http-log/3.8.json b/json_schemas/http-log/3.8.json index 927b783f..f69da5eb 100644 --- a/json_schemas/http-log/3.8.json +++ b/json_schemas/http-log/3.8.json @@ -120,7 +120,7 @@ } }, "required": [ - + "http_endpoint" ], "type": "object" }, @@ -194,6 +194,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/http-log/3.9.json b/json_schemas/http-log/3.9.json index 927b783f..f69da5eb 100644 --- a/json_schemas/http-log/3.9.json +++ b/json_schemas/http-log/3.9.json @@ -120,7 +120,7 @@ } }, "required": [ - + "http_endpoint" ], "type": "object" }, @@ -194,6 +194,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/jwe-decrypt/3.10.json b/json_schemas/jwe-decrypt/3.10.json index 019e6fb1..16d82c56 100644 --- a/json_schemas/jwe-decrypt/3.10.json +++ b/json_schemas/jwe-decrypt/3.10.json @@ -29,7 +29,7 @@ } }, "required": [ - + "key_sets" ], "type": "object" }, @@ -83,6 +83,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/jwe-decrypt/3.4.json b/json_schemas/jwe-decrypt/3.4.json index 019e6fb1..16d82c56 100644 --- a/json_schemas/jwe-decrypt/3.4.json +++ b/json_schemas/jwe-decrypt/3.4.json @@ -29,7 +29,7 @@ } }, "required": [ - + "key_sets" ], "type": "object" }, @@ -83,6 +83,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file 
diff --git a/json_schemas/jwe-decrypt/3.7.json b/json_schemas/jwe-decrypt/3.7.json index 019e6fb1..16d82c56 100644 --- a/json_schemas/jwe-decrypt/3.7.json +++ b/json_schemas/jwe-decrypt/3.7.json @@ -29,7 +29,7 @@ } }, "required": [ - + "key_sets" ], "type": "object" }, @@ -83,6 +83,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/jwe-decrypt/3.8.json b/json_schemas/jwe-decrypt/3.8.json index 019e6fb1..16d82c56 100644 --- a/json_schemas/jwe-decrypt/3.8.json +++ b/json_schemas/jwe-decrypt/3.8.json @@ -29,7 +29,7 @@ } }, "required": [ - + "key_sets" ], "type": "object" }, @@ -83,6 +83,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/jwe-decrypt/3.9.json b/json_schemas/jwe-decrypt/3.9.json index 019e6fb1..16d82c56 100644 --- a/json_schemas/jwe-decrypt/3.9.json +++ b/json_schemas/jwe-decrypt/3.9.json @@ -29,7 +29,7 @@ } }, "required": [ - + "key_sets" ], "type": "object" }, @@ -83,6 +83,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/kafka-consume/3.10.json b/json_schemas/kafka-consume/3.10.json index 443f872e..ea60bb4f 100644 --- a/json_schemas/kafka-consume/3.10.json +++ b/json_schemas/kafka-consume/3.10.json @@ -136,7 +136,8 @@ } }, "required": [ - + "bootstrap_servers", + "topics" ], "type": "object" }, @@ -207,6 +208,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/kafka-log/3.10.json b/json_schemas/kafka-log/3.10.json index d14f2a5c..0c4c4f81 100644 --- a/json_schemas/kafka-log/3.10.json +++ b/json_schemas/kafka-log/3.10.json @@ -156,7 +156,7 @@ } }, "required": [ - + "topic" ], "type": "object" }, @@ -227,6 +227,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/kafka-log/3.4.json b/json_schemas/kafka-log/3.4.json index f71e86fd..c522f5eb 100644 --- a/json_schemas/kafka-log/3.4.json +++ b/json_schemas/kafka-log/3.4.json 
@@ -156,7 +156,7 @@ } }, "required": [ - + "topic" ], "type": "object" }, @@ -227,6 +227,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/kafka-log/3.7.json b/json_schemas/kafka-log/3.7.json index f71e86fd..c522f5eb 100644 --- a/json_schemas/kafka-log/3.7.json +++ b/json_schemas/kafka-log/3.7.json @@ -156,7 +156,7 @@ } }, "required": [ - + "topic" ], "type": "object" }, @@ -227,6 +227,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/kafka-log/3.8.json b/json_schemas/kafka-log/3.8.json index f71e86fd..c522f5eb 100644 --- a/json_schemas/kafka-log/3.8.json +++ b/json_schemas/kafka-log/3.8.json @@ -156,7 +156,7 @@ } }, "required": [ - + "topic" ], "type": "object" }, @@ -227,6 +227,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/kafka-log/3.9.json b/json_schemas/kafka-log/3.9.json index f71e86fd..c522f5eb 100644 --- a/json_schemas/kafka-log/3.9.json +++ b/json_schemas/kafka-log/3.9.json @@ -156,7 +156,7 @@ } }, "required": [ - + "topic" ], "type": "object" }, @@ -227,6 +227,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/kafka-upstream/3.10.json b/json_schemas/kafka-upstream/3.10.json index 7648ad93..5509f1e2 100644 --- a/json_schemas/kafka-upstream/3.10.json +++ b/json_schemas/kafka-upstream/3.10.json @@ -196,7 +196,7 @@ } }, "required": [ - + "topic" ], "type": "object" }, @@ -263,6 +263,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/kafka-upstream/3.4.json b/json_schemas/kafka-upstream/3.4.json index 15f794bd..a6c7aea9 100644 --- a/json_schemas/kafka-upstream/3.4.json +++ b/json_schemas/kafka-upstream/3.4.json @@ -172,7 +172,7 @@ } }, "required": [ - + "topic" ], "type": "object" }, @@ -239,6 +239,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file 
diff --git a/json_schemas/kafka-upstream/3.7.json b/json_schemas/kafka-upstream/3.7.json index 1c889114..060e3c7c 100644 --- a/json_schemas/kafka-upstream/3.7.json +++ b/json_schemas/kafka-upstream/3.7.json @@ -172,7 +172,7 @@ } }, "required": [ - + "topic" ], "type": "object" }, @@ -239,6 +239,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/kafka-upstream/3.8.json b/json_schemas/kafka-upstream/3.8.json index 15f794bd..a6c7aea9 100644 --- a/json_schemas/kafka-upstream/3.8.json +++ b/json_schemas/kafka-upstream/3.8.json @@ -172,7 +172,7 @@ } }, "required": [ - + "topic" ], "type": "object" }, @@ -239,6 +239,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/kafka-upstream/3.9.json b/json_schemas/kafka-upstream/3.9.json index 1c889114..060e3c7c 100644 --- a/json_schemas/kafka-upstream/3.9.json +++ b/json_schemas/kafka-upstream/3.9.json @@ -172,7 +172,7 @@ } }, "required": [ - + "topic" ], "type": "object" }, @@ -239,6 +239,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/konnect-application-auth/3.10.json b/json_schemas/konnect-application-auth/3.10.json index 29c7eac8..75a573b3 100644 --- a/json_schemas/konnect-application-auth/3.10.json +++ b/json_schemas/konnect-application-auth/3.10.json @@ -2284,7 +2284,7 @@ } }, "required": [ - + "scope" ], "type": "object" }, @@ -2338,6 +2338,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/konnect-application-auth/3.4.json b/json_schemas/konnect-application-auth/3.4.json index 8caa5d3a..710e4275 100644 --- a/json_schemas/konnect-application-auth/3.4.json +++ b/json_schemas/konnect-application-auth/3.4.json @@ -31,7 +31,7 @@ } }, "required": [ - + "scope" ], "type": "object" }, @@ -72,6 +72,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file 
diff --git a/json_schemas/konnect-application-auth/3.7.json b/json_schemas/konnect-application-auth/3.7.json index d0bbb8ac..eb5275ed 100644 --- a/json_schemas/konnect-application-auth/3.7.json +++ b/json_schemas/konnect-application-auth/3.7.json @@ -1967,7 +1967,7 @@ } }, "required": [ - + "scope" ], "type": "object" }, @@ -2021,6 +2021,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/konnect-application-auth/3.8.json b/json_schemas/konnect-application-auth/3.8.json index 7627046f..dc17835a 100644 --- a/json_schemas/konnect-application-auth/3.8.json +++ b/json_schemas/konnect-application-auth/3.8.json @@ -2278,7 +2278,7 @@ } }, "required": [ - + "scope" ], "type": "object" }, @@ -2332,6 +2332,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/konnect-application-auth/3.9.json b/json_schemas/konnect-application-auth/3.9.json index 72694409..48b128a0 100644 --- a/json_schemas/konnect-application-auth/3.9.json +++ b/json_schemas/konnect-application-auth/3.9.json @@ -2286,7 +2286,7 @@ } }, "required": [ - + "scope" ], "type": "object" }, @@ -2340,6 +2340,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ldap-auth-advanced/3.10.json b/json_schemas/ldap-auth-advanced/3.10.json index bb1579a3..ac43f2de 100644 --- a/json_schemas/ldap-auth-advanced/3.10.json +++ b/json_schemas/ldap-auth-advanced/3.10.json @@ -130,7 +130,9 @@ } }, "required": [ - + "attribute", + "base_dn", + "ldap_host" ], "type": "object" }, @@ -188,6 +190,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ldap-auth-advanced/3.4.json b/json_schemas/ldap-auth-advanced/3.4.json index a5e96ce4..22f15e6e 100644 --- a/json_schemas/ldap-auth-advanced/3.4.json +++ b/json_schemas/ldap-auth-advanced/3.4.json @@ -126,7 +126,9 @@ } }, "required": [ - + "attribute", + "base_dn", + "ldap_host" ], "type": "object" }, 
@@ -184,6 +186,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ldap-auth-advanced/3.7.json b/json_schemas/ldap-auth-advanced/3.7.json index a251cda7..e0e97a8d 100644 --- a/json_schemas/ldap-auth-advanced/3.7.json +++ b/json_schemas/ldap-auth-advanced/3.7.json @@ -126,7 +126,9 @@ } }, "required": [ - + "attribute", + "base_dn", + "ldap_host" ], "type": "object" }, @@ -184,6 +186,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ldap-auth-advanced/3.8.json b/json_schemas/ldap-auth-advanced/3.8.json index bb1579a3..ac43f2de 100644 --- a/json_schemas/ldap-auth-advanced/3.8.json +++ b/json_schemas/ldap-auth-advanced/3.8.json @@ -130,7 +130,9 @@ } }, "required": [ - + "attribute", + "base_dn", + "ldap_host" ], "type": "object" }, @@ -188,6 +190,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ldap-auth-advanced/3.9.json b/json_schemas/ldap-auth-advanced/3.9.json index bb1579a3..ac43f2de 100644 --- a/json_schemas/ldap-auth-advanced/3.9.json +++ b/json_schemas/ldap-auth-advanced/3.9.json @@ -130,7 +130,9 @@ } }, "required": [ - + "attribute", + "base_dn", + "ldap_host" ], "type": "object" }, @@ -188,6 +190,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ldap-auth/3.10.json b/json_schemas/ldap-auth/3.10.json index e4d24f03..848b6e63 100644 --- a/json_schemas/ldap-auth/3.10.json +++ b/json_schemas/ldap-auth/3.10.json @@ -71,7 +71,9 @@ } }, "required": [ - + "attribute", + "base_dn", + "ldap_host" ], "type": "object" }, @@ -129,6 +131,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ldap-auth/3.4.json b/json_schemas/ldap-auth/3.4.json index be31c67d..3a6a79e2 100644 --- a/json_schemas/ldap-auth/3.4.json +++ b/json_schemas/ldap-auth/3.4.json @@ -67,7 +67,9 @@ } }, "required": [ - + "attribute", + "base_dn", + "ldap_host" ], "type": "object" }, 
@@ -125,6 +127,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ldap-auth/3.7.json b/json_schemas/ldap-auth/3.7.json index be31c67d..3a6a79e2 100644 --- a/json_schemas/ldap-auth/3.7.json +++ b/json_schemas/ldap-auth/3.7.json @@ -67,7 +67,9 @@ } }, "required": [ - + "attribute", + "base_dn", + "ldap_host" ], "type": "object" }, @@ -125,6 +127,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ldap-auth/3.8.json b/json_schemas/ldap-auth/3.8.json index e4d24f03..848b6e63 100644 --- a/json_schemas/ldap-auth/3.8.json +++ b/json_schemas/ldap-auth/3.8.json @@ -71,7 +71,9 @@ } }, "required": [ - + "attribute", + "base_dn", + "ldap_host" ], "type": "object" }, @@ -129,6 +131,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/ldap-auth/3.9.json b/json_schemas/ldap-auth/3.9.json index e4d24f03..848b6e63 100644 --- a/json_schemas/ldap-auth/3.9.json +++ b/json_schemas/ldap-auth/3.9.json @@ -71,7 +71,9 @@ } }, "required": [ - + "attribute", + "base_dn", + "ldap_host" ], "type": "object" }, @@ -129,6 +131,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/loggly/3.10.json b/json_schemas/loggly/3.10.json index 77b0e043..1f59ef01 100644 --- a/json_schemas/loggly/3.10.json +++ b/json_schemas/loggly/3.10.json @@ -97,7 +97,7 @@ } }, "required": [ - + "key" ], "type": "object" }, @@ -171,6 +171,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/loggly/3.4.json b/json_schemas/loggly/3.4.json index 81d46c2c..a8c4aa74 100644 --- a/json_schemas/loggly/3.4.json +++ b/json_schemas/loggly/3.4.json @@ -97,7 +97,7 @@ } }, "required": [ - + "key" ], "type": "object" }, @@ -171,6 +171,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/loggly/3.7.json b/json_schemas/loggly/3.7.json index 81d46c2c..a8c4aa74 100644 
--- a/json_schemas/loggly/3.7.json +++ b/json_schemas/loggly/3.7.json @@ -97,7 +97,7 @@ } }, "required": [ - + "key" ], "type": "object" }, @@ -171,6 +171,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/loggly/3.8.json b/json_schemas/loggly/3.8.json index 77b0e043..1f59ef01 100644 --- a/json_schemas/loggly/3.8.json +++ b/json_schemas/loggly/3.8.json @@ -97,7 +97,7 @@ } }, "required": [ - + "key" ], "type": "object" }, @@ -171,6 +171,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/loggly/3.9.json b/json_schemas/loggly/3.9.json index 81d46c2c..a8c4aa74 100644 --- a/json_schemas/loggly/3.9.json +++ b/json_schemas/loggly/3.9.json @@ -97,7 +97,7 @@ } }, "required": [ - + "key" ], "type": "object" }, @@ -171,6 +171,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/mtls-auth/3.10.json b/json_schemas/mtls-auth/3.10.json index 0fae0bda..b27f2271 100644 --- a/json_schemas/mtls-auth/3.10.json +++ b/json_schemas/mtls-auth/3.10.json @@ -110,7 +110,7 @@ } }, "required": [ - + "ca_certificates" ], "type": "object" }, @@ -164,6 +164,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/mtls-auth/3.4.json b/json_schemas/mtls-auth/3.4.json index 910e220b..dc596b6f 100644 --- a/json_schemas/mtls-auth/3.4.json +++ b/json_schemas/mtls-auth/3.4.json @@ -110,7 +110,7 @@ } }, "required": [ - + "ca_certificates" ], "type": "object" }, @@ -164,6 +164,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/mtls-auth/3.7.json b/json_schemas/mtls-auth/3.7.json index 910e220b..dc596b6f 100644 --- a/json_schemas/mtls-auth/3.7.json +++ b/json_schemas/mtls-auth/3.7.json @@ -110,7 +110,7 @@ } }, "required": [ - + "ca_certificates" ], "type": "object" }, @@ -164,6 +164,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file 
diff --git a/json_schemas/mtls-auth/3.8.json b/json_schemas/mtls-auth/3.8.json index 910e220b..dc596b6f 100644 --- a/json_schemas/mtls-auth/3.8.json +++ b/json_schemas/mtls-auth/3.8.json @@ -110,7 +110,7 @@ } }, "required": [ - + "ca_certificates" ], "type": "object" }, @@ -164,6 +164,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/mtls-auth/3.9.json b/json_schemas/mtls-auth/3.9.json index 0fae0bda..b27f2271 100644 --- a/json_schemas/mtls-auth/3.9.json +++ b/json_schemas/mtls-auth/3.9.json @@ -110,7 +110,7 @@ } }, "required": [ - + "ca_certificates" ], "type": "object" }, @@ -164,6 +164,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/oas-validation/3.10.json b/json_schemas/oas-validation/3.10.json index 1e421781..c8409584 100644 --- a/json_schemas/oas-validation/3.10.json +++ b/json_schemas/oas-validation/3.10.json @@ -77,7 +77,7 @@ } }, "required": [ - + "api_spec" ], "type": "object" }, @@ -144,6 +144,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/oas-validation/3.4.json b/json_schemas/oas-validation/3.4.json index e3168553..01beee4b 100644 --- a/json_schemas/oas-validation/3.4.json +++ b/json_schemas/oas-validation/3.4.json @@ -73,7 +73,7 @@ } }, "required": [ - + "api_spec" ], "type": "object" }, @@ -140,6 +140,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/oas-validation/3.7.json b/json_schemas/oas-validation/3.7.json index 1e421781..c8409584 100644 --- a/json_schemas/oas-validation/3.7.json +++ b/json_schemas/oas-validation/3.7.json @@ -77,7 +77,7 @@ } }, "required": [ - + "api_spec" ], "type": "object" }, @@ -144,6 +144,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/oas-validation/3.8.json b/json_schemas/oas-validation/3.8.json index 1e421781..c8409584 100644 --- a/json_schemas/oas-validation/3.8.json 
+++ b/json_schemas/oas-validation/3.8.json @@ -77,7 +77,7 @@ } }, "required": [ - + "api_spec" ], "type": "object" }, @@ -144,6 +144,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/oas-validation/3.9.json b/json_schemas/oas-validation/3.9.json index 1e421781..c8409584 100644 --- a/json_schemas/oas-validation/3.9.json +++ b/json_schemas/oas-validation/3.9.json @@ -77,7 +77,7 @@ } }, "required": [ - + "api_spec" ], "type": "object" }, @@ -144,6 +144,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/oauth2-introspection/3.10.json b/json_schemas/oauth2-introspection/3.10.json index 49ec6cde..9c374df3 100644 --- a/json_schemas/oauth2-introspection/3.10.json +++ b/json_schemas/oauth2-introspection/3.10.json @@ -79,7 +79,8 @@ } }, "required": [ - + "authorization_value", + "introspection_url" ], "type": "object" }, @@ -133,6 +134,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/oauth2-introspection/3.4.json b/json_schemas/oauth2-introspection/3.4.json index 49ec6cde..9c374df3 100644 --- a/json_schemas/oauth2-introspection/3.4.json +++ b/json_schemas/oauth2-introspection/3.4.json @@ -79,7 +79,8 @@ } }, "required": [ - + "authorization_value", + "introspection_url" ], "type": "object" }, @@ -133,6 +134,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/oauth2-introspection/3.7.json b/json_schemas/oauth2-introspection/3.7.json index 63faff49..fc8b6d85 100644 --- a/json_schemas/oauth2-introspection/3.7.json +++ b/json_schemas/oauth2-introspection/3.7.json @@ -79,7 +79,8 @@ } }, "required": [ - + "authorization_value", + "introspection_url" ], "type": "object" }, @@ -133,6 +134,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/oauth2-introspection/3.8.json b/json_schemas/oauth2-introspection/3.8.json index 49ec6cde..9c374df3 100644 
--- a/json_schemas/oauth2-introspection/3.8.json +++ b/json_schemas/oauth2-introspection/3.8.json @@ -79,7 +79,8 @@ } }, "required": [ - + "authorization_value", + "introspection_url" ], "type": "object" }, @@ -133,6 +134,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/oauth2-introspection/3.9.json b/json_schemas/oauth2-introspection/3.9.json index 63faff49..fc8b6d85 100644 --- a/json_schemas/oauth2-introspection/3.9.json +++ b/json_schemas/oauth2-introspection/3.9.json @@ -79,7 +79,8 @@ } }, "required": [ - + "authorization_value", + "introspection_url" ], "type": "object" }, @@ -133,6 +134,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/oauth2/3.10.json b/json_schemas/oauth2/3.10.json index 19901f44..b09630ea 100644 --- a/json_schemas/oauth2/3.10.json +++ b/json_schemas/oauth2/3.10.json @@ -102,7 +102,7 @@ } }, "required": [ - + "provision_key" ], "type": "object" }, @@ -160,6 +160,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/oauth2/3.4.json b/json_schemas/oauth2/3.4.json index 1b96075e..d7188ba4 100644 --- a/json_schemas/oauth2/3.4.json +++ b/json_schemas/oauth2/3.4.json @@ -98,7 +98,7 @@ } }, "required": [ - + "provision_key" ], "type": "object" }, @@ -156,6 +156,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/oauth2/3.7.json b/json_schemas/oauth2/3.7.json index 1b96075e..d7188ba4 100644 --- a/json_schemas/oauth2/3.7.json +++ b/json_schemas/oauth2/3.7.json @@ -98,7 +98,7 @@ } }, "required": [ - + "provision_key" ], "type": "object" }, @@ -156,6 +156,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/oauth2/3.8.json b/json_schemas/oauth2/3.8.json index 19901f44..b09630ea 100644 --- a/json_schemas/oauth2/3.8.json +++ b/json_schemas/oauth2/3.8.json @@ -102,7 +102,7 @@ } }, "required": [ - + "provision_key" ], "type": "object" }, 
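Review bot: In the `json_schemas/oauth2/*.json` hunks (`@@ -102,7 +102,7 @@` in 3.10, 3.8 and 3.9, `@@ -98,7 +98,7 @@` in 3.4 and 3.7), `"provision_key"` is now listed in the config object's `required` array, so a JSON Schema validator will reject any instance that omits it. The property definition is outside these hunks, so this needs confirming against the plugin's own schema. If the gateway generates the provision key itself when it is absent, this entry makes operators choose the secret by hand and keep it in the config file, where it is likelier to be weak or committed to version control. In that case the generator should skip auto-generated fields and drop the `"provision_key"` entry. The same question applies to `"namespace"` in the rate-limiting-advanced hunks.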
@@ -160,6 +160,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/oauth2/3.9.json b/json_schemas/oauth2/3.9.json index 19901f44..b09630ea 100644 --- a/json_schemas/oauth2/3.9.json +++ b/json_schemas/oauth2/3.9.json @@ -102,7 +102,7 @@ } }, "required": [ - + "provision_key" ], "type": "object" }, @@ -160,6 +160,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/opa/3.10.json b/json_schemas/opa/3.10.json index 58dc36d0..a739ea83 100644 --- a/json_schemas/opa/3.10.json +++ b/json_schemas/opa/3.10.json @@ -63,7 +63,7 @@ } }, "required": [ - + "opa_path" ], "type": "object" }, @@ -117,6 +117,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/opa/3.4.json b/json_schemas/opa/3.4.json index 58dc36d0..a739ea83 100644 --- a/json_schemas/opa/3.4.json +++ b/json_schemas/opa/3.4.json @@ -63,7 +63,7 @@ } }, "required": [ - + "opa_path" ], "type": "object" }, @@ -117,6 +117,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/opa/3.7.json b/json_schemas/opa/3.7.json index 58dc36d0..a739ea83 100644 --- a/json_schemas/opa/3.7.json +++ b/json_schemas/opa/3.7.json @@ -63,7 +63,7 @@ } }, "required": [ - + "opa_path" ], "type": "object" }, @@ -117,6 +117,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/opa/3.8.json b/json_schemas/opa/3.8.json index 58dc36d0..a739ea83 100644 --- a/json_schemas/opa/3.8.json +++ b/json_schemas/opa/3.8.json @@ -63,7 +63,7 @@ } }, "required": [ - + "opa_path" ], "type": "object" }, @@ -117,6 +117,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/opa/3.9.json b/json_schemas/opa/3.9.json index 58dc36d0..a739ea83 100644 --- a/json_schemas/opa/3.9.json +++ b/json_schemas/opa/3.9.json @@ -63,7 +63,7 @@ } }, "required": [ - + "opa_path" ], "type": "object" }, 
@@ -117,6 +117,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/openid-connect/3.10.json b/json_schemas/openid-connect/3.10.json index 824c1a99..09e76fbd 100644 --- a/json_schemas/openid-connect/3.10.json +++ b/json_schemas/openid-connect/3.10.json @@ -2183,7 +2183,7 @@ } }, "required": [ - + "issuer" ], "shorthand_fields": { "authorization_cookie_httponly": { @@ -2343,6 +2343,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/openid-connect/3.4.json b/json_schemas/openid-connect/3.4.json index b1c79e16..6ff680ca 100644 --- a/json_schemas/openid-connect/3.4.json +++ b/json_schemas/openid-connect/3.4.json @@ -1751,7 +1751,7 @@ } }, "required": [ - + "issuer" ], "shorthand_fields": { "authorization_cookie_httponly": { @@ -1855,6 +1855,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/openid-connect/3.7.json b/json_schemas/openid-connect/3.7.json index 2708c871..51239125 100644 --- a/json_schemas/openid-connect/3.7.json +++ b/json_schemas/openid-connect/3.7.json @@ -1866,7 +1866,7 @@ } }, "required": [ - + "issuer" ], "shorthand_fields": { "authorization_cookie_httponly": { @@ -1970,6 +1970,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/openid-connect/3.8.json b/json_schemas/openid-connect/3.8.json index 98502670..dcb169b1 100644 --- a/json_schemas/openid-connect/3.8.json +++ b/json_schemas/openid-connect/3.8.json @@ -2175,7 +2175,7 @@ } }, "required": [ - + "issuer" ], "shorthand_fields": { "authorization_cookie_httponly": { @@ -2391,6 +2391,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/openid-connect/3.9.json b/json_schemas/openid-connect/3.9.json index c7d8dba8..9db02f24 100644 --- a/json_schemas/openid-connect/3.9.json +++ b/json_schemas/openid-connect/3.9.json 
@@ -2183,7 +2183,7 @@ } }, "required": [ - + "issuer" ], "shorthand_fields": { "authorization_cookie_httponly": { @@ -2343,6 +2343,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/opentelemetry/3.4.json b/json_schemas/opentelemetry/3.4.json index eb3f2c9b..daa22a9d 100644 --- a/json_schemas/opentelemetry/3.4.json +++ b/json_schemas/opentelemetry/3.4.json @@ -119,7 +119,7 @@ } }, "required": [ - + "endpoint" ], "type": "object" }, @@ -186,6 +186,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/opentelemetry/3.7.json b/json_schemas/opentelemetry/3.7.json index 5995c91b..12c5038e 100644 --- a/json_schemas/opentelemetry/3.7.json +++ b/json_schemas/opentelemetry/3.7.json @@ -201,7 +201,7 @@ } }, "required": [ - + "endpoint" ], "type": "object" }, @@ -268,6 +268,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/proxy-cache-advanced/3.10.json b/json_schemas/proxy-cache-advanced/3.10.json index 66ba7efb..ebd27651 100644 --- a/json_schemas/proxy-cache-advanced/3.10.json +++ b/json_schemas/proxy-cache-advanced/3.10.json @@ -325,7 +325,7 @@ } }, "required": [ - + "strategy" ], "type": "object" }, @@ -405,6 +405,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/proxy-cache-advanced/3.4.json b/json_schemas/proxy-cache-advanced/3.4.json index 5e1378bf..1411156c 100644 --- a/json_schemas/proxy-cache-advanced/3.4.json +++ b/json_schemas/proxy-cache-advanced/3.4.json @@ -249,7 +249,7 @@ } }, "required": [ - + "strategy" ], "type": "object" }, @@ -316,6 +316,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/proxy-cache-advanced/3.7.json b/json_schemas/proxy-cache-advanced/3.7.json index 2cb128ac..7375c7c0 100644 --- a/json_schemas/proxy-cache-advanced/3.7.json +++ b/json_schemas/proxy-cache-advanced/3.7.json 
@@ -270,7 +270,7 @@ } }, "required": [ - + "strategy" ], "type": "object" }, @@ -350,6 +350,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/proxy-cache-advanced/3.8.json b/json_schemas/proxy-cache-advanced/3.8.json index a40e0b81..8667f19e 100644 --- a/json_schemas/proxy-cache-advanced/3.8.json +++ b/json_schemas/proxy-cache-advanced/3.8.json @@ -326,7 +326,7 @@ } }, "required": [ - + "strategy" ], "type": "object" }, @@ -406,6 +406,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/proxy-cache-advanced/3.9.json b/json_schemas/proxy-cache-advanced/3.9.json index d1dbb059..c03ceb11 100644 --- a/json_schemas/proxy-cache-advanced/3.9.json +++ b/json_schemas/proxy-cache-advanced/3.9.json @@ -325,7 +325,7 @@ } }, "required": [ - + "strategy" ], "type": "object" }, @@ -405,6 +405,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/proxy-cache/3.10.json b/json_schemas/proxy-cache/3.10.json index c2f2d7c7..f8853330 100644 --- a/json_schemas/proxy-cache/3.10.json +++ b/json_schemas/proxy-cache/3.10.json @@ -137,7 +137,7 @@ } }, "required": [ - + "strategy" ], "type": "object" }, @@ -224,6 +224,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/proxy-cache/3.4.json b/json_schemas/proxy-cache/3.4.json index f48f4d18..dc2e2d44 100644 --- a/json_schemas/proxy-cache/3.4.json +++ b/json_schemas/proxy-cache/3.4.json @@ -116,7 +116,7 @@ } }, "required": [ - + "strategy" ], "type": "object" }, @@ -190,6 +190,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/proxy-cache/3.7.json b/json_schemas/proxy-cache/3.7.json index c2f2d7c7..f8853330 100644 --- a/json_schemas/proxy-cache/3.7.json +++ b/json_schemas/proxy-cache/3.7.json @@ -137,7 +137,7 @@ } }, "required": [ - + "strategy" ], "type": "object" }, 
@@ -224,6 +224,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/proxy-cache/3.8.json b/json_schemas/proxy-cache/3.8.json index c2f2d7c7..f8853330 100644 --- a/json_schemas/proxy-cache/3.8.json +++ b/json_schemas/proxy-cache/3.8.json @@ -137,7 +137,7 @@ } }, "required": [ - + "strategy" ], "type": "object" }, @@ -224,6 +224,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/proxy-cache/3.9.json b/json_schemas/proxy-cache/3.9.json index c2f2d7c7..f8853330 100644 --- a/json_schemas/proxy-cache/3.9.json +++ b/json_schemas/proxy-cache/3.9.json @@ -137,7 +137,7 @@ } }, "required": [ - + "strategy" ], "type": "object" }, @@ -224,6 +224,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/rate-limiting-advanced/3.10.json b/json_schemas/rate-limiting-advanced/3.10.json index 2dfaaa69..5129786f 100644 --- a/json_schemas/rate-limiting-advanced/3.10.json +++ b/json_schemas/rate-limiting-advanced/3.10.json @@ -331,7 +331,9 @@ } }, "required": [ - + "limit", + "namespace", + "window_size" ], "type": "object" }, @@ -411,6 +413,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/rate-limiting-advanced/3.4.json b/json_schemas/rate-limiting-advanced/3.4.json index 60d17578..c10f0aa3 100644 --- a/json_schemas/rate-limiting-advanced/3.4.json +++ b/json_schemas/rate-limiting-advanced/3.4.json @@ -244,7 +244,9 @@ } }, "required": [ - + "limit", + "namespace", + "window_size" ], "type": "object" }, @@ -324,6 +326,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/rate-limiting-advanced/3.7.json b/json_schemas/rate-limiting-advanced/3.7.json index 44a285db..0716ada3 100644 --- a/json_schemas/rate-limiting-advanced/3.7.json +++ b/json_schemas/rate-limiting-advanced/3.7.json 
@@ -245,7 +245,9 @@ } }, "required": [ - + "limit", + "namespace", + "window_size" ], "type": "object" }, @@ -325,6 +327,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/rate-limiting-advanced/3.8.json b/json_schemas/rate-limiting-advanced/3.8.json index 6d36c78d..0fb42d5a 100644 --- a/json_schemas/rate-limiting-advanced/3.8.json +++ b/json_schemas/rate-limiting-advanced/3.8.json @@ -301,7 +301,9 @@ } }, "required": [ - + "limit", + "namespace", + "window_size" ], "type": "object" }, @@ -381,6 +383,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/rate-limiting-advanced/3.9.json b/json_schemas/rate-limiting-advanced/3.9.json index 8eb92513..e29aafac 100644 --- a/json_schemas/rate-limiting-advanced/3.9.json +++ b/json_schemas/rate-limiting-advanced/3.9.json @@ -331,7 +331,9 @@ } }, "required": [ - + "limit", + "namespace", + "window_size" ], "type": "object" }, @@ -411,6 +413,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/redirect/3.10.json b/json_schemas/redirect/3.10.json index dea922d4..e83c8f27 100644 --- a/json_schemas/redirect/3.10.json +++ b/json_schemas/redirect/3.10.json @@ -20,7 +20,7 @@ } }, "required": [ - + "location" ], "type": "object" }, @@ -100,6 +100,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/redirect/3.9.json b/json_schemas/redirect/3.9.json index dea922d4..e83c8f27 100644 --- a/json_schemas/redirect/3.9.json +++ b/json_schemas/redirect/3.9.json @@ -20,7 +20,7 @@ } }, "required": [ - + "location" ], "type": "object" }, @@ -100,6 +100,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/request-callout/3.10.json b/json_schemas/request-callout/3.10.json index fdf274f7..c7f7f16a 100644 --- a/json_schemas/request-callout/3.10.json +++ b/json_schemas/request-callout/3.10.json 
@@ -424,7 +424,7 @@ "method": { "default": "GET", "description": "The HTTP method that will be requested.", - "pattern": "^%u+$", + "pattern": "^[A-Z]+$", "type": "string" }, "query": { @@ -595,7 +595,7 @@ } }, "required": [ - + "callouts" ], "type": "object" }, @@ -675,6 +675,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/saml/3.10.json b/json_schemas/saml/3.10.json index 855cbb1f..5defc374 100644 --- a/json_schemas/saml/3.10.json +++ b/json_schemas/saml/3.10.json @@ -447,7 +447,10 @@ } }, "required": [ - + "assertion_consumer_path", + "idp_sso_url", + "issuer", + "session_secret" ], "shorthand_fields": { "session_auth_ttl": { @@ -604,6 +607,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/saml/3.4.json b/json_schemas/saml/3.4.json index 54af1bd1..8afa0166 100644 --- a/json_schemas/saml/3.4.json +++ b/json_schemas/saml/3.4.json @@ -340,7 +340,10 @@ } }, "required": [ - + "assertion_consumer_path", + "idp_sso_url", + "issuer", + "session_secret" ], "shorthand_fields": { "session_auth_ttl": { @@ -438,6 +441,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/saml/3.7.json b/json_schemas/saml/3.7.json index 01f9e2d4..fd1c8192 100644 --- a/json_schemas/saml/3.7.json +++ b/json_schemas/saml/3.7.json @@ -340,7 +340,10 @@ } }, "required": [ - + "assertion_consumer_path", + "idp_sso_url", + "issuer", + "session_secret" ], "shorthand_fields": { "session_auth_ttl": { @@ -438,6 +441,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/saml/3.8.json b/json_schemas/saml/3.8.json index d39deb2d..f28382c7 100644 --- a/json_schemas/saml/3.8.json +++ b/json_schemas/saml/3.8.json @@ -448,7 +448,10 @@ } }, "required": [ - + "assertion_consumer_path", + "idp_sso_url", + "issuer", + "session_secret" ], "shorthand_fields": { "session_auth_ttl": { 
@@ -665,6 +668,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/saml/3.9.json b/json_schemas/saml/3.9.json index a67f4b8d..93a75f73 100644 --- a/json_schemas/saml/3.9.json +++ b/json_schemas/saml/3.9.json @@ -447,7 +447,10 @@ } }, "required": [ - + "assertion_consumer_path", + "idp_sso_url", + "issuer", + "session_secret" ], "shorthand_fields": { "session_auth_ttl": { @@ -604,6 +607,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/service-protection/3.10.json b/json_schemas/service-protection/3.10.json index b443c359..3138ec93 100644 --- a/json_schemas/service-protection/3.10.json +++ b/json_schemas/service-protection/3.10.json @@ -268,7 +268,9 @@ } }, "required": [ - + "limit", + "namespace", + "window_size" ], "type": "object" }, @@ -309,6 +311,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/service-protection/3.9.json b/json_schemas/service-protection/3.9.json index b443c359..3138ec93 100644 --- a/json_schemas/service-protection/3.9.json +++ b/json_schemas/service-protection/3.9.json @@ -268,7 +268,9 @@ } }, "required": [ - + "limit", + "namespace", + "window_size" ], "type": "object" }, @@ -309,6 +311,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/standard-webhooks/3.10.json b/json_schemas/standard-webhooks/3.10.json index fb49687b..7fc01489 100644 --- a/json_schemas/standard-webhooks/3.10.json +++ b/json_schemas/standard-webhooks/3.10.json @@ -14,7 +14,7 @@ } }, "required": [ - + "secret_v1" ], "type": "object" }, @@ -81,6 +81,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/standard-webhooks/3.8.json b/json_schemas/standard-webhooks/3.8.json index e8fec40d..40a80744 100644 --- a/json_schemas/standard-webhooks/3.8.json +++ b/json_schemas/standard-webhooks/3.8.json 
@@ -14,7 +14,7 @@ } }, "required": [ - + "secret_v1" ], "type": "object" }, @@ -81,6 +81,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/standard-webhooks/3.9.json b/json_schemas/standard-webhooks/3.9.json index e8fec40d..40a80744 100644 --- a/json_schemas/standard-webhooks/3.9.json +++ b/json_schemas/standard-webhooks/3.9.json @@ -14,7 +14,7 @@ } }, "required": [ - + "secret_v1" ], "type": "object" }, @@ -81,6 +81,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/tcp-log/3.10.json b/json_schemas/tcp-log/3.10.json index 91b64178..536c9936 100644 --- a/json_schemas/tcp-log/3.10.json +++ b/json_schemas/tcp-log/3.10.json @@ -38,7 +38,8 @@ } }, "required": [ - + "host", + "port" ], "type": "object" }, @@ -112,6 +113,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/tcp-log/3.4.json b/json_schemas/tcp-log/3.4.json index 91b64178..536c9936 100644 --- a/json_schemas/tcp-log/3.4.json +++ b/json_schemas/tcp-log/3.4.json @@ -38,7 +38,8 @@ } }, "required": [ - + "host", + "port" ], "type": "object" }, @@ -112,6 +113,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/tcp-log/3.7.json b/json_schemas/tcp-log/3.7.json index 91b64178..536c9936 100644 --- a/json_schemas/tcp-log/3.7.json +++ b/json_schemas/tcp-log/3.7.json @@ -38,7 +38,8 @@ } }, "required": [ - + "host", + "port" ], "type": "object" }, @@ -112,6 +113,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/tcp-log/3.8.json b/json_schemas/tcp-log/3.8.json index 91b64178..536c9936 100644 --- a/json_schemas/tcp-log/3.8.json +++ b/json_schemas/tcp-log/3.8.json @@ -38,7 +38,8 @@ } }, "required": [ - + "host", + "port" ], "type": "object" }, @@ -112,6 +113,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file 
diff --git a/json_schemas/tcp-log/3.9.json b/json_schemas/tcp-log/3.9.json index 91b64178..536c9936 100644 --- a/json_schemas/tcp-log/3.9.json +++ b/json_schemas/tcp-log/3.9.json @@ -38,7 +38,8 @@ } }, "required": [ - + "host", + "port" ], "type": "object" }, @@ -112,6 +113,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/udp-log/3.10.json b/json_schemas/udp-log/3.10.json index 1c727685..ce2403da 100644 --- a/json_schemas/udp-log/3.10.json +++ b/json_schemas/udp-log/3.10.json @@ -24,7 +24,8 @@ } }, "required": [ - + "host", + "port" ], "type": "object" }, @@ -98,6 +99,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/udp-log/3.4.json b/json_schemas/udp-log/3.4.json index 1c727685..ce2403da 100644 --- a/json_schemas/udp-log/3.4.json +++ b/json_schemas/udp-log/3.4.json @@ -24,7 +24,8 @@ } }, "required": [ - + "host", + "port" ], "type": "object" }, @@ -98,6 +99,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/udp-log/3.7.json b/json_schemas/udp-log/3.7.json index 1c727685..ce2403da 100644 --- a/json_schemas/udp-log/3.7.json +++ b/json_schemas/udp-log/3.7.json @@ -24,7 +24,8 @@ } }, "required": [ - + "host", + "port" ], "type": "object" }, @@ -98,6 +99,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/udp-log/3.8.json b/json_schemas/udp-log/3.8.json index 1c727685..ce2403da 100644 --- a/json_schemas/udp-log/3.8.json +++ b/json_schemas/udp-log/3.8.json @@ -24,7 +24,8 @@ } }, "required": [ - + "host", + "port" ], "type": "object" }, @@ -98,6 +99,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/udp-log/3.9.json b/json_schemas/udp-log/3.9.json index 1c727685..ce2403da 100644 --- a/json_schemas/udp-log/3.9.json +++ b/json_schemas/udp-log/3.9.json @@ -24,7 +24,8 @@ } }, "required": [ - + "host", + "port" ], "type": "object" }, 
@@ -98,6 +99,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/upstream-oauth/3.10.json b/json_schemas/upstream-oauth/3.10.json index 19dcdf7a..f7e29e9a 100644 --- a/json_schemas/upstream-oauth/3.10.json +++ b/json_schemas/upstream-oauth/3.10.json @@ -418,13 +418,13 @@ } }, "required": [ - + "token_endpoint" ], "type": "object" } }, "required": [ - + "oauth" ], "type": "object" }, @@ -504,6 +504,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/upstream-oauth/3.8.json b/json_schemas/upstream-oauth/3.8.json index 5e1e609b..d6f48b81 100644 --- a/json_schemas/upstream-oauth/3.8.json +++ b/json_schemas/upstream-oauth/3.8.json @@ -419,13 +419,13 @@ } }, "required": [ - + "token_endpoint" ], "type": "object" } }, "required": [ - + "oauth" ], "type": "object" }, @@ -505,6 +505,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/upstream-oauth/3.9.json b/json_schemas/upstream-oauth/3.9.json index eafb73f7..99da85e3 100644 --- a/json_schemas/upstream-oauth/3.9.json +++ b/json_schemas/upstream-oauth/3.9.json @@ -418,13 +418,13 @@ } }, "required": [ - + "token_endpoint" ], "type": "object" } }, "required": [ - + "oauth" ], "type": "object" }, @@ -504,6 +504,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/vault-auth/3.10.json b/json_schemas/vault-auth/3.10.json index 08e8cc3b..def22e2a 100644 --- a/json_schemas/vault-auth/3.10.json +++ b/json_schemas/vault-auth/3.10.json @@ -51,7 +51,7 @@ } }, "required": [ - + "vault" ], "type": "object" }, @@ -105,6 +105,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/vault-auth/3.4.json b/json_schemas/vault-auth/3.4.json index 08e8cc3b..def22e2a 100644 --- a/json_schemas/vault-auth/3.4.json +++ b/json_schemas/vault-auth/3.4.json @@ -51,7 +51,7 @@ } }, "required": [ - + "vault" ], "type": "object" }, 
@@ -105,6 +105,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/vault-auth/3.7.json b/json_schemas/vault-auth/3.7.json index 08e8cc3b..def22e2a 100644 --- a/json_schemas/vault-auth/3.7.json +++ b/json_schemas/vault-auth/3.7.json @@ -51,7 +51,7 @@ } }, "required": [ - + "vault" ], "type": "object" }, @@ -105,6 +105,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/vault-auth/3.8.json b/json_schemas/vault-auth/3.8.json index 08e8cc3b..def22e2a 100644 --- a/json_schemas/vault-auth/3.8.json +++ b/json_schemas/vault-auth/3.8.json @@ -51,7 +51,7 @@ } }, "required": [ - + "vault" ], "type": "object" }, @@ -105,6 +105,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file diff --git a/json_schemas/vault-auth/3.9.json b/json_schemas/vault-auth/3.9.json index 08e8cc3b..def22e2a 100644 --- a/json_schemas/vault-auth/3.9.json +++ b/json_schemas/vault-auth/3.9.json @@ -51,7 +51,7 @@ } }, "required": [ - + "vault" ], "type": "object" }, @@ -105,6 +105,6 @@ } }, "required": [ - + "config" ] } \ No newline at end of file From 9e463607e7e188ffde45a7e215c593fd45b4d50e Mon Sep 17 00:00:00 2001 From: Antoine Jacquemin Date: Fri, 16 May 2025 07:04:25 +0200 Subject: [PATCH 160/165] Fix - Rag Doc (#126) * Fix Rag doc * Update _3.10.x.yaml * Update _3.11.x.yaml * Update _3.11.x.yaml * Update _3.11.x.yaml --- examples/ai-rag-injector/_3.10.x.yaml | 6 +++--- examples/ai-rag-injector/_3.11.x.yaml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/examples/ai-rag-injector/_3.10.x.yaml b/examples/ai-rag-injector/_3.10.x.yaml index a60e56ee..b463e8d0 100644 --- a/examples/ai-rag-injector/_3.10.x.yaml +++ b/examples/ai-rag-injector/_3.10.x.yaml 
@@ -1,8 +1,8 @@ name: ai-rag-injector config: inject_template: | - Only use the following information surrounded by and your existing knowledge to provide the best possible answer to the user. - + Only use the following information surrounded by to and your existing knowledge to provide the best possible answer to the user. + User's question: embeddings: auth: @@ -17,4 +17,4 @@ config: host: exampleredis.com port: 80 distance_metric: cosine - dimensions: 76 \ No newline at end of file + dimensions: 76 diff --git a/examples/ai-rag-injector/_3.11.x.yaml b/examples/ai-rag-injector/_3.11.x.yaml index a60e56ee..b463e8d0 100644 --- a/examples/ai-rag-injector/_3.11.x.yaml +++ b/examples/ai-rag-injector/_3.11.x.yaml @@ -1,8 +1,8 @@ name: ai-rag-injector config: inject_template: | - Only use the following information surrounded by and your existing knowledge to provide the best possible answer to the user. - + Only use the following information surrounded by to and your existing knowledge to provide the best possible answer to the user. + User's question: embeddings: auth: @@ -17,4 +17,4 @@ config: host: exampleredis.com port: 80 distance_metric: cosine - dimensions: 76 \ No newline at end of file + dimensions: 76 From daeca6d779db7b592af9a6052b73382e6dabbba5 Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Mon, 2 Jun 2025 14:02:13 +0200 Subject: [PATCH 161/165] Add ai-prompt-compressor --- schemas/ai-prompt-compressor/.gitkeep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 schemas/ai-prompt-compressor/.gitkeep diff --git a/schemas/ai-prompt-compressor/.gitkeep b/schemas/ai-prompt-compressor/.gitkeep new file mode 100644 index 00000000..e69de29b From aef0d4b5bf80e6d41f5e71a67180ef90d73baca1 Mon Sep 17 00:00:00 2001 
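Review bot: The `inject_template` changed in the first hunk of `examples/ai-rag-injector/_3.10.x.yaml` puts retrieved chunks and the user's question into one prompt and relies on the sentence "Only use the following information surrounded by …" to keep them apart, yet the example never says that retrieved text is untrusted input. The delimiter tags and placeholders do not survive in this rendering, so this is inferred from the wording alone: if an ingested document can carry the same closing delimiter or instruction-like text, the model may read it as part of the template. I would add a YAML comment above the `inject_template:` key (not inside the block scalar, where it would become prompt text), for example `# Retrieved chunks are untrusted input: the delimiters are a formatting hint, not a security boundary; control what gets ingested into the vector store.` The identical hunk for `_3.11.x.yaml` later on this line should get the same comment.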
From: Fabian Rodriguez Date: Mon, 2 Jun 2025 14:10:26 +0200 Subject: [PATCH 162/165] add ai-prompt-compressor --- json_schemas/ai-prompt-compressor/.gitkeep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 json_schemas/ai-prompt-compressor/.gitkeep diff --git a/json_schemas/ai-prompt-compressor/.gitkeep b/json_schemas/ai-prompt-compressor/.gitkeep new file mode 100644 index 00000000..e69de29b From 7f9ef4bce4401e75a6335c9416f4fa6f477c4a93 Mon Sep 17 00:00:00 2001 
From: fabianrbz <715229+fabianrbz@users.noreply.github.com> Date: Mon, 2 Jun 2025 12:06:55 +0000 Subject: [PATCH 163/165] Download Schemas for 3.11.x --- schemas/acl/3.11.x.json | 54 +- schemas/acme/3.11.x.json | 363 ++-- schemas/ai-azure-content-safety/3.11.x.json | 58 +- schemas/ai-prompt-compressor/3.11.x.json | 138 ++ schemas/ai-prompt-decorator/3.11.x.json | 85 +- schemas/ai-prompt-guard/3.11.x.json | 105 +- schemas/ai-prompt-template/3.11.x.json | 38 +- schemas/ai-proxy-advanced/3.11.x.json | 938 +++++++--- schemas/ai-proxy/3.11.x.json | 431 +++-- schemas/ai-rag-injector/3.11.x.json | 555 +++--- schemas/ai-rate-limiting-advanced/3.11.x.json | 184 +- schemas/ai-request-transformer/3.11.x.json | 404 +++-- schemas/ai-response-transformer/3.11.x.json | 396 +++-- schemas/ai-sanitizer/3.11.x.json | 90 +- schemas/ai-semantic-cache/3.11.x.json | 518 ++++-- schemas/ai-semantic-prompt-guard/3.11.x.json | 558 ++++-- schemas/app-dynamics/3.11.x.json | 18 +- schemas/aws-lambda/3.11.x.json | 96 +- schemas/azure-functions/3.11.x.json | 42 +- schemas/basic-auth/3.11.x.json | 22 +- schemas/bot-detection/3.11.x.json | 38 +- schemas/canary/3.11.x.json | 104 +- schemas/confluent-consume/3.11.x.json | 124 +- schemas/confluent/3.11.x.json | 90 +- schemas/correlation-id/3.11.x.json | 24 +- schemas/cors/3.11.x.json | 54 +- schemas/datadog/3.11.x.json | 198 +-- schemas/degraphql/3.11.x.json | 32 +- schemas/exit-transformer/3.11.x.json | 20 +- schemas/file-log/3.11.x.json | 32 +- schemas/forward-proxy/3.11.x.json | 65 +- .../graphql-proxy-cache-advanced/3.11.x.json | 131 +- .../3.11.x.json | 167 +- schemas/grpc-gateway/3.11.x.json | 20 +- schemas/grpc-web/3.11.x.json | 26 +- schemas/header-cert-auth/3.11.x.json | 60 +- schemas/hmac-auth/3.11.x.json | 62 +- schemas/http-log/3.11.x.json | 74 +- schemas/injection-protection/3.11.x.json | 70 +- schemas/ip-restriction/3.11.x.json | 32 +- schemas/jq/3.11.x.json | 74 +- schemas/json-threat-protection/3.11.x.json | 102 +- 
schemas/jwe-decrypt/3.11.x.json | 32 +- schemas/jwt-signer/3.11.x.json | 344 ++-- schemas/jwt/3.11.x.json | 80 +- schemas/kafka-consume/3.11.x.json | 127 +- schemas/kafka-log/3.11.x.json | 87 +- schemas/kafka-upstream/3.11.x.json | 106 +- schemas/key-auth-enc/3.11.x.json | 34 +- schemas/key-auth/3.11.x.json | 114 +- schemas/konnect-application-auth/3.11.x.json | 1282 +++++++------- schemas/ldap-auth-advanced/3.11.x.json | 84 +- schemas/ldap-auth/3.11.x.json | 62 +- schemas/loggly/3.11.x.json | 34 +- schemas/mocking/3.11.x.json | 56 +- schemas/mtls-auth/3.11.x.json | 54 +- schemas/oas-validation/3.11.x.json | 52 +- schemas/oauth2-introspection/3.11.x.json | 52 +- schemas/oauth2/3.11.x.json | 88 +- schemas/opa/3.11.x.json | 50 +- schemas/openid-connect/3.11.x.json | 1521 +++++++++-------- schemas/opentelemetry/3.11.x.json | 116 +- schemas/post-function/3.11.x.json | 93 +- schemas/pre-function/3.11.x.json | 93 +- schemas/prometheus/3.11.x.json | 25 +- schemas/proxy-cache-advanced/3.11.x.json | 167 +- schemas/proxy-cache/3.11.x.json | 86 +- schemas/rate-limiting-advanced/3.11.x.json | 244 ++- schemas/rate-limiting/3.11.x.json | 431 ++--- schemas/redirect/3.11.x.json | 40 +- schemas/request-callout/3.11.x.json | 694 ++++---- schemas/request-size-limiting/3.11.x.json | 26 +- schemas/request-termination/3.11.x.json | 36 +- .../request-transformer-advanced/3.11.x.json | 28 +- schemas/request-transformer/3.11.x.json | 54 +- schemas/request-validator/3.11.x.json | 56 +- schemas/response-ratelimiting/3.11.x.json | 409 ++--- .../response-transformer-advanced/3.11.x.json | 34 +- schemas/response-transformer/3.11.x.json | 74 +- schemas/route-by-header/3.11.x.json | 28 +- .../route-transformer-advanced/3.11.x.json | 18 +- schemas/saml/3.11.x.json | 547 +++--- schemas/service-protection/3.11.x.json | 157 +- schemas/session/3.11.x.json | 154 +- schemas/standard-webhooks/3.11.x.json | 28 +- schemas/statsd-advanced/3.11.x.json | 132 +- schemas/statsd/3.11.x.json | 122 +- 
schemas/syslog/3.11.x.json | 32 +- schemas/tcp-log/3.11.x.json | 36 +- schemas/tls-handshake-modifier/3.11.x.json | 22 +- schemas/tls-metadata-headers/3.11.x.json | 38 +- schemas/udp-log/3.11.x.json | 28 +- schemas/upstream-oauth/3.11.x.json | 245 +-- schemas/upstream-timeout/3.11.x.json | 24 +- schemas/vault-auth/3.11.x.json | 42 +- schemas/websocket-size-limit/3.11.x.json | 18 +- schemas/websocket-validator/3.11.x.json | 74 +- schemas/xml-threat-protection/3.11.x.json | 152 +- schemas/zipkin/3.11.x.json | 135 +- 99 files changed, 8804 insertions(+), 6885 deletions(-) create mode 100644 schemas/ai-prompt-compressor/3.11.x.json diff --git a/schemas/acl/3.11.x.json b/schemas/acl/3.11.x.json index ddcf7860..dcd00029 100644 --- a/schemas/acl/3.11.x.json +++ b/schemas/acl/3.11.x.json @@ -1,46 +1,31 @@ { - "entity_checks": [ - { - "only_one_of": [ - "config.allow", - "config.deny" - ] - }, - { - "at_least_one_of": [ - "config.allow", - "config.deny" - ] - } - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -49,58 +34,73 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, "fields": [ { "allow": { + "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", "elements": { "type": "string" }, - "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", "type": "array" } }, { "deny": { + "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", "elements": { "type": "string" }, - "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", "type": "array" } }, { "hide_groups_header": { + "required": true, "default": false, "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", - "required": true, "type": "boolean" } }, { "include_consumer_groups": { + "required": false, "default": false, "description": "If enabled (`true`), allows the consumer-groups to be used in the `allow|deny` fields", - "required": false, "type": "boolean" } }, { "always_use_authenticated_groups": { + "required": true, "default": false, "description": "If enabled (`true`), the authenticated groups will always be used even when an authenticated consumer already exists. If the authenticated groups don't exist, it will fallback to use the groups associated with the consumer. 
By default the authenticated groups will only be used when there is no consumer or the consumer is anonymous.", - "required": true, "type": "boolean" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + { + "only_one_of": [ + "config.allow", + "config.deny" + ] + }, + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } ] } \ No newline at end of file diff --git a/schemas/acme/3.11.x.json b/schemas/acme/3.11.x.json index 677bf267..6bad57d0 100644 --- a/schemas/acme/3.11.x.json +++ b/schemas/acme/3.11.x.json @@ -2,6 +2,10 @@ "entity_checks": [ { "conditional": { + "if_field": "config.api_uri", + "then_match": { + "eq": true + }, "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", "if_match": { "one_of": [ @@ -9,35 +13,31 @@ "https://acme-staging-v02.api.letsencrypt.org" ] }, - "then_field": "config.tos_accepted", - "if_field": "config.api_uri", - "then_match": { - "eq": true - } + "then_field": "config.tos_accepted" } }, { "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.storage_config.redis.host", "if_field": "config.storage", "then_match": { "required": true - } + }, + "if_match": { + "eq": "redis" + }, + "then_field": "config.storage_config.redis.host" } }, { "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.storage_config.redis.port", "if_field": "config.storage", "then_match": { "required": true - } + }, + "if_match": { + "eq": "redis" + }, + "then_field": "config.storage_config.redis.port" } }, { 
@@ -52,46 +52,45 @@ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "service": { "reference": "services", - "eq": null, "type": "foreign", - "description": "A reference to the 'services' table with a null value allowed." + "description": "A reference to the 'services' table with a null value allowed.", + "eq": null } }, { "route": { "reference": "routes", - "eq": null, "type": "foreign", - "description": "A reference to the 'routes' table with a null value allowed." + "description": "A reference to the 'routes' table with a null value allowed.", + "eq": null } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -100,79 +99,81 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, "fields": [ { "account_email": { - "encrypted": true, "match": "%w*%p*@+%w*%.?%w*", - "required": true, + "encrypted": true, "type": "string", + "required": true, "description": "The account identifier. Can be reused in a different plugin instance.", "referenceable": true } }, { "account_key": { - "type": "record", - "description": "The private key associated with the account.", "required": false, + "description": "The private key associated with the account.", "fields": [ { "key_id": { - "description": "The Key ID.", "required": true, + "description": "The Key ID.", "type": "string" } }, { "key_set": { - "type": "string", - "description": "The ID of the key set to associate the Key ID with." + "description": "The ID of the key set to associate the Key ID with.", + "type": "string" } } - ] + ], + "type": "record" } }, { "api_uri": { - "default": "https://acme-v02.api.letsencrypt.org/directory", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "default": "https://acme-v02.api.letsencrypt.org/directory", "type": "string" } }, { "tos_accepted": { - "default": false, "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", + "default": false, "type": "boolean" } }, { "eab_kid": { - "encrypted": true, + "type": "string", "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", - "referenceable": true, - "type": "string" + "encrypted": true, + "referenceable": true } }, { "eab_hmac_key": { - "encrypted": true, + "type": "string", "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. 
You usually don't need to set this unless it is explicitly required by the CA.", - "referenceable": true, - "type": "string" + "encrypted": true, + "referenceable": true } }, { "cert_type": { + "type": "string", "default": "rsa", "description": "The certificate type to create. The possible values are `rsa` for RSA certificate or `ecc` for EC certificate.", - "type": "string", "one_of": [ "rsa", "ecc" @@ -181,9 +182,9 @@ }, { "rsa_key_size": { + "type": "number", "default": 4096, "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.", - "type": "number", "one_of": [ 2048, 3072, @@ -193,21 +194,15 @@ }, { "renew_threshold_days": { - "default": 14, "description": "Days remaining to renew the certificate before it expires.", + "default": 14, "type": "number" } }, { "domains": { + "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", "elements": { - "match_all": [ - { - "err": "invalid wildcard: must have at most one wildcard", - "pattern": "^[^*]*%*?[^*]*$" - } - ], - "type": "string", "match_any": { "err": "invalid wildcard: must be placed at leftmost or rightmost label", "patterns": [ 
@@ -215,31 +210,37 @@ "%.%*$", "^[^*]*$" ] - } + }, + "match_all": [ + { + "err": "invalid wildcard: must have at most one wildcard", + "pattern": "^[^*]*%*?[^*]*$" + } + ], + "type": "string" }, - "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", "type": "array" } }, { "allow_any_domain": { - "default": false, "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", + "default": false, "type": "boolean" } }, { "fail_backoff_minutes": { - "default": 5, "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", + "default": 5, "type": "number" } }, { "storage": { + "type": "string", "default": "shm", "description": "The backend storage type to use. In DB-less mode and Konnect, `kong` storage is unavailable. In hybrid mode and Konnect, `shm` storage is unavailable. `shm` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `kong`, `redis`, `consul`, or `vault` in production.", - "type": "string", "one_of": [ "kong", "shm", 
@@ -251,33 +252,105 @@ }, { "storage_config": { + "required": true, "fields": [ { "shm": { + "required": true, "fields": [ { "shm_name": { - "default": "kong", "description": "Name of shared memory zone used for Kong API gateway storage", + "default": "kong", "type": "string" } } ], - "required": true, "type": "record" } }, { "kong": { + "required": true, "fields": [ ], - "required": true, "type": "record" } }, { "redis": { + "required": true, + "shorthand_fields": [ + { + "auth": { + "len_min": 0, + "deprecation": { + "replaced_with": [ + { + "path": [ + "password" + ] + } + ], + "removal_in_version": "4.0", + "message": "acme: config.storage_config.redis.auth is deprecated, please use config.storage_config.redis.password instead" + }, + "type": "string" + } + }, + { + "ssl_server_name": { + "type": "string", + "deprecation": { + "replaced_with": [ + { + "path": [ + "server_name" + ] + } + ], + "removal_in_version": "4.0", + "message": "acme: config.storage_config.redis.ssl_server_name is deprecated, please use config.storage_config.redis.server_name instead" + } + } + }, + { + "namespace": { + "len_min": 0, + "deprecation": { + "replaced_with": [ + { + "path": [ + "extra_options", + "namespace" + ] + } + ], + "removal_in_version": "4.0", + "message": "acme: config.storage_config.redis.namespace is deprecated, please use config.storage_config.redis.extra_options.namespace instead" + }, + "type": "string" + } + }, + { + "scan_count": { + "type": "integer", + "deprecation": { + "replaced_with": [ + { + "path": [ + "extra_options", + "scan_count" + ] + } + ], + "removal_in_version": "4.0", + "message": "acme: config.storage_config.redis.scan_count is deprecated, please use config.storage_config.redis.extra_options.scan_count instead" + } + } + } + ], "fields": [ { "host": { 
@@ -310,17 +383,17 @@ { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { "encrypted": true, - "referenceable": true, "type": "string", + "len_min": 0, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "len_min": 0 + "referenceable": true } }, { 
@@ -332,135 +405,65 @@ }, { "ssl": { - "default": false, - "description": "If set to true, uses SSL to connect to Redis.", "required": false, + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, "type": "boolean" } }, { "ssl_verify": { - "default": false, - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string" } }, { "extra_options": { - "type": "record", - "description": "Custom ACME Redis options", "required": true, + "description": "Custom ACME Redis options", "fields": [ { "namespace": { - "required": true, "type": "string", + "required": true, "default": "", - "description": "A namespace to prepend to all keys stored in Redis.", - "len_min": 0 + "len_min": 0, + "description": "A namespace to prepend to all keys stored in Redis." 
} }, { "scan_count": { + "required": false, "default": 10, "description": "The number of keys to return in Redis SCAN calls.", - "required": false, "type": "number" } } - ] - } - } - ], - "shorthand_fields": [ - { - "auth": { - "type": "string", - "deprecation": { - "message": "acme: config.storage_config.redis.auth is deprecated, please use config.storage_config.redis.password instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "password" - ] - } - ] - }, - "len_min": 0 - } - }, - { - "ssl_server_name": { - "deprecation": { - "message": "acme: config.storage_config.redis.ssl_server_name is deprecated, please use config.storage_config.redis.server_name instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "server_name" - ] - } - ] - }, - "type": "string" - } - }, - { - "namespace": { - "type": "string", - "deprecation": { - "message": "acme: config.storage_config.redis.namespace is deprecated, please use config.storage_config.redis.extra_options.namespace instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "extra_options", - "namespace" - ] - } - ] - }, - "len_min": 0 - } - }, - { - "scan_count": { - "deprecation": { - "message": "acme: config.storage_config.redis.scan_count is deprecated, please use config.storage_config.redis.extra_options.scan_count instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "extra_options", - "scan_count" - ] - } - ] - }, - "type": "integer" + ], + "type": "record" } } ], - "required": true, "type": "record" } }, { "consul": { + "required": true, "fields": [ { "https": { - "default": false, "description": "Boolean representation of https.", + "default": false, "type": "boolean" } }, 
@@ -472,45 +475,45 @@ }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, { "kv_path": { - "type": "string", - "description": "KV prefix path." + "description": "KV prefix path.", + "type": "string" } }, { "timeout": { - "type": "number", - "description": "Timeout in milliseconds." + "description": "Timeout in milliseconds.", + "type": "number" } }, { "token": { "description": "Consul ACL token.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } } ], - "required": true, "type": "record" } }, { "vault": { + "required": true, "fields": [ { "https": { - "default": false, "description": "Boolean representation of https.", + "default": false, "type": "boolean" } }, 
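Review bot: The Consul `token` field under `storage_config.consul` is a credential but carries only `referenceable`, with no `"encrypted": true`, whereas the Redis `password` field in the same file is marked both `encrypted` and `referenceable`. The Vault `token` in the following hunk (`@@ -522,51 +525,51 @@`) has the same gap, and its description still reads "Consul ACL token.", which looks copied from the Consul record. I would add `"encrypted": true` to both token fields and change the Vault description to `"description": "Vault token."`. The `consul` record opens before this hunk and the `vault` record closes after it. If these files are regenerated from the gateway's schema endpoint, the fix belongs in the plugin schema upstream rather than in this copy.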
@@ -522,51 +525,51 @@ }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, { "kv_path": { - "type": "string", - "description": "KV prefix path." + "description": "KV prefix path.", + "type": "string" } }, { "timeout": { - "type": "number", - "description": "Timeout in milliseconds." + "description": "Timeout in milliseconds.", + "type": "number" } }, { "token": { "description": "Consul ACL token.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "tls_verify": { - "default": true, "description": "Turn on TLS verification.", + "default": true, "type": "boolean" } }, { "tls_server_name": { - "type": "string", - "description": "SNI used in request, default to host if omitted." + "description": "SNI used in request, default to host if omitted.", + "type": "string" } }, { "auth_method": { + "type": "string", "default": "token", "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", - "type": "string", "one_of": [ "token", "kubernetes" @@ -575,29 +578,27 @@ }, { "auth_path": { - "type": "string", - "description": "Vault's authentication path to use." + "description": "Vault's authentication path to use.", + "type": "string" } }, { "auth_role": { - "type": "string", - "description": "The role to try and assign." + "description": "The role to try and assign.", + "type": "string" } }, { "jwt_path": { - "type": "string", - "description": "The path to the JWT." + "description": "The path to the JWT.", + "type": "string" } } ], - "required": true, "type": "record" } } ], - "required": true, "type": "record" } }, 
@@ -609,15 +610,19 @@ }, { "enable_ipv4_common_name": { - "default": true, "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", + "default": true, "type": "boolean" } } ], - "required": true, "type": "record" } } - ] + ], + "supported_partials": { + "redis-ce": [ + "config.storage_config.redis" + ] + } } \ No newline at end of file diff --git a/schemas/ai-azure-content-safety/3.11.x.json b/schemas/ai-azure-content-safety/3.11.x.json index 0752c460..6465aa83 100644 --- a/schemas/ai-azure-content-safety/3.11.x.json +++ b/schemas/ai-azure-content-safety/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -22,87 +18,89 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "content_safety_url": { - "referenceable": true, - "description": "Full URL, inc protocol, of the Azure Content Safety instance.", "required": true, + "description": "Full URL, inc protocol, of the Azure Content Safety instance.", + "referenceable": true, "type": "string" } }, { "azure_api_version": { - "required": true, "type": "string", + "required": true, "default": "2023-10-01", - "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format.", - "len_min": 1 + "len_min": 1, + "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format." 
} }, { "azure_use_managed_identity": { - "default": false, "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity", + "default": false, "type": "boolean" } }, { "azure_client_id": { - "description": "If `azure_use_managed_identity` is true, set the client ID if required.", "required": false, + "description": "If `azure_use_managed_identity` is true, set the client ID if required.", "type": "string" } }, { "azure_client_secret": { - "description": "If `azure_use_managed_identity` is true, set the client secret if required.", "required": false, + "description": "If `azure_use_managed_identity` is true, set the client secret if required.", "type": "string" } }, { "azure_tenant_id": { - "description": "If `azure_use_managed_identity` is true, set the tenant ID if required.", "required": false, + "description": "If `azure_use_managed_identity` is true, set the tenant ID if required.", "type": "string" } }, { "content_safety_key": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.", "referenceable": true } }, { "text_source": { + "type": "string", "default": "concatenate_all_content", "description": "Select where to pick the 'text' for the Azure Content Services request.", - "type": "string", "one_of": [ "concatenate_all_content", "concatenate_user_content" @@ -111,8 +109,8 @@ }, { "categories": { + "description": "Array of categories, and their thresholds, to measure on.", "elements": { - "type": "record", "required": true, "fields": [ { 
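Review bot: `azure_client_secret` is declared with only `required`, `description` and `type`, so it is neither `encrypted` nor `referenceable`, unlike `content_safety_key` two fields further down. The `azure_client_secret` in the ai-proxy-advanced embeddings `auth` record later in this patch carries both attributes, so the difference looks like an omission rather than a decision. I would add `"encrypted": true, "referenceable": true` to this field, and `"referenceable": true` to `azure_client_id` and `azure_tenant_id` to match the ai-proxy-advanced record. The `config` record opens in this hunk and closes in a later one.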
@@ -127,24 +125,24 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Array of categories, and their thresholds, to measure on.", "type": "array" } }, { "reveal_failure_reason": { - "default": true, "description": "Set true to tell the caller why their request was rejected, if so.", + "default": true, "type": "boolean" } }, { "output_type": { + "type": "string", "default": "FourSeverityLevels", "description": "See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter#content-filtering-categories", - "type": "string", "one_of": [ "FourSeverityLevels", "EightSeverityLevels" @@ -153,24 +151,26 @@ }, { "blocklist_names": { + "description": "Use these configured blocklists (in Azure Content Services) when inspecting content.", "elements": { "type": "string" }, - "description": "Use these configured blocklists (in Azure Content Services) when inspecting content.", "type": "array" } }, { "halt_on_blocklist_hit": { - "default": true, "description": "Tells Azure to reject the request if any blocklist filter is hit.", + "default": true, "type": "boolean" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/ai-prompt-compressor/3.11.x.json b/schemas/ai-prompt-compressor/3.11.x.json new file mode 100644 index 00000000..2184640b --- /dev/null +++ b/schemas/ai-prompt-compressor/3.11.x.json 
@@ -0,0 +1,138 @@ +{ + "fields": [ + { + "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + }, + "description": "A set of strings representing HTTP protocols." + } + }, + { + "config": { + "required": true, + "fields": [ + { + "compressor_url": { + "required": true, + "default": "http://localhost:8080", + "description": "The url of the compressor", + "type": "string" + } + }, + { + "timeout": { + "description": "Connection timeout with the compressor", + "default": 10000, + "type": "number" + } + }, + { + "keepalive_timeout": { + "description": "The keepalive timeout for the established http connnection", + "default": 60000, + "type": "number" + } + }, + { + "stop_on_error": { + "description": "Stop processing if an error occurs", + "default": true, + "type": "boolean" + } + }, + { + "log_text_data": { + "description": "Log the text data", + "default": false, + "type": "boolean" + } + }, + { + "message_type": { + "required": true, + "default": [ + "user" + ], + "elements": { + "type": "string", + "one_of": [ + "system", + "assistant", + "user" + ] + }, + "type": "set" + } + }, + { + "compressor_type": { + "type": "string", + "required": true, + "default": "rate", + "description": "What compression type to use to compress with", + "one_of": [ + "rate", + "target_token" + ] + } + }, + { + "compression_ranges": { + "required": true, + "description": "What value to be used to compress with. 
The 'value' is interpreted as rate or target_token depending on compressor_type.", + "elements": { + "fields": [ + { + "min_tokens": { + "required": true, + "type": "integer" + } + }, + { + "max_tokens": { + "required": true, + "type": "integer" + } + }, + { + "value": { + "required": true, + "type": "number" + } + } + ], + "type": "record" + }, + "type": "array" + } + } + ], + "type": "record" + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ] +} \ No newline at end of file diff --git a/schemas/ai-prompt-decorator/3.11.x.json b/schemas/ai-prompt-decorator/3.11.x.json index 4002199f..1a6f3d9c 100644 --- a/schemas/ai-prompt-decorator/3.11.x.json +++ b/schemas/ai-prompt-decorator/3.11.x.json @@ -1,24 +1,15 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.prompts.prepend", - "config.prompts.append" - ] - } - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -27,31 +18,32 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, "fields": [ { "prompts": { - "type": "record", "required": false, "fields": [ { "prepend": { - "len_max": 15, - "required": false, "type": "array", + "required": false, + "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages.", + "len_max": 15, "elements": { - "type": "record", "required": false, "fields": [ { "role": { + "required": true, "default": "system", "type": "string", - "required": true, "one_of": [ "system", "assistant", 
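Review bot: `compressor_url` in the new ai-prompt-compressor schema is an unconstrained string defaulting to `http://localhost:8080`, and no field here restricts the scheme or configures TLS verification, although the plugin presumably sends prompt text to that endpoint. The description should state this, for example `"description": "The url of the compressor. Prompt content is sent to this endpoint; use https for any non-loopback host."`. `log_text_data` is described only as "Log the text data"; if that means prompt content is written to the log output, the description should say so, so operators can judge retention and access before enabling it. The bounds on `min_tokens`, `max_tokens` and `value` are presumably left to the `custom_entity_check` on `config`, which is not visible here, so that is worth confirming.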
@@ -61,31 +53,31 @@ }, { "content": { - "len_max": 500, - "type": "string", "required": true, - "len_min": 1 + "len_min": 1, + "len_max": 500, + "type": "string" } } - ] - }, - "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages." + ], + "type": "record" + } } }, { "append": { - "len_max": 15, - "required": false, "type": "array", + "required": false, + "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages.", + "len_max": 15, "elements": { - "type": "record", "required": false, "fields": [ { "role": { + "required": true, "default": "system", "type": "string", - "required": true, "one_of": [ "system", "assistant", @@ -95,32 +87,55 @@ }, { "content": { - "len_max": 500, - "type": "string", "required": true, - "len_min": 1 + "len_min": 1, + "len_max": 500, + "type": "string" } } - ] - }, - "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages." + ], + "type": "record" + } } } - ] + ], + "type": "record" } }, { "max_request_body_size": { + "description": "max allowed body size allowed to be introspected. 0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size.", "default": 8192, - "description": "max allowed body size allowed to be introspected", "gt": 0, "type": "integer" } + }, + { + "llm_format": { + "type": "string", + "required": false, + "default": "openai", + "description": "LLM input and output format and schema to use", + "one_of": [ + "openai", + "bedrock", + "gemini", + "cohere", + "huggingface" + ] + } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.prompts.prepend", + "config.prompts.append" + ] + } ] } \ No newline at end of file 
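Review bot: The new `max_request_body_size` description says "0 means unlimited", but the field keeps `"gt": 0`, which makes 0 an invalid value if `gt` is a strict lower bound, so the documented way to lift the limit would be rejected at validation. The same description and constraint pair appears in ai-prompt-guard (`@@ -39,66 +18,114 @@`) and ai-prompt-template (`@@ -22,67 +18,71 @@`). Either relax the bound so that 0 is accepted, or drop the sentence so the description reads `"description": "max allowed body size allowed to be introspected"` until the validator changes. Since this limit decides how much of a request body the prompt plugins inspect, the description should also state what happens to a body larger than the limit.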
diff --git a/schemas/ai-prompt-guard/3.11.x.json b/schemas/ai-prompt-guard/3.11.x.json index 1eb02b54..f2aeb91a 100644 --- a/schemas/ai-prompt-guard/3.11.x.json +++ b/schemas/ai-prompt-guard/3.11.x.json @@ -1,36 +1,15 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.allow_patterns", - "config.deny_patterns" - ] - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "config.allow_all_conversation_history", - "if_field": "config.match_all_roles", - "then_match": { - "eq": false - } - } - } - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -39,66 +18,114 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, "fields": [ { "allow_patterns": { - "len_max": 10, - "required": false, "type": "array", + "required": false, + "description": "Array of valid regex patterns, or valid questions from the 'user' role in chat.", + "len_max": 10, "elements": { - "len_max": 500, "len_min": 1, + "len_max": 500, "type": "string" - }, - "description": "Array of valid regex patterns, or valid questions from the 'user' role in chat." + } } }, { "deny_patterns": { - "len_max": 10, - "required": false, "type": "array", + "required": false, + "description": "Array of invalid regex patterns, or invalid questions from the 'user' role in chat.", + "len_max": 10, "elements": { - "len_max": 500, "len_min": 1, + "len_max": 500, "type": "string" - }, - "description": "Array of invalid regex patterns, or invalid questions from the 'user' role in chat." + } } }, { "allow_all_conversation_history": { - "default": false, - "description": "If true, will ignore all previous chat prompts from the conversation history.", "required": true, + "description": "If true, will ignore all previous chat prompts from the conversation history.", + "default": false, "type": "boolean" } }, { "max_request_body_size": { "default": 8192, - "description": "max allowed body size allowed to be introspected", + "description": "max allowed body size allowed to be introspected. 
0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size.", "gt": 0, "type": "integer" } }, { "match_all_roles": { - "default": false, - "description": "If true, will match all roles in addition to 'user' role in conversation history.", "required": true, + "description": "If true, will match all roles in addition to 'user' role in conversation history.", + "default": false, "type": "boolean" } + }, + { + "llm_format": { + "type": "string", + "required": false, + "default": "openai", + "description": "LLM input and output format and schema to use", + "one_of": [ + "openai", + "bedrock", + "gemini", + "cohere", + "huggingface" + ] + } + }, + { + "genai_category": { + "type": "string", + "required": false, + "default": "text/generation", + "description": "Generative AI category of the request", + "one_of": [ + "text/generation", + "text/embeddings" + ] + } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow_patterns", + "config.deny_patterns" + ] + }, + { + "conditional": { + "if_field": "config.match_all_roles", + "then_match": { + "eq": false + }, + "if_match": { + "eq": true + }, + "then_field": "config.allow_all_conversation_history" + } + } ] } \ No newline at end of file diff --git a/schemas/ai-prompt-template/3.11.x.json b/schemas/ai-prompt-template/3.11.x.json index 2822bb38..40f84fe0 100644 --- a/schemas/ai-prompt-template/3.11.x.json +++ b/schemas/ai-prompt-template/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -22,67 +18,71 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, "fields": [ { "templates": { + "required": true, + "description": "Array of templates available to the request context.", "elements": { - "type": "record", "required": true, "fields": [ { "name": { - "description": "Unique name for the template, can be called with `{template://NAME}`", "required": true, + "description": "Unique name for the template, can be called with `{template://NAME}`", "type": "string" } }, { "template": { - "description": "Template string for this request, supports mustache-style `{{placeholders}}`", "required": true, + "description": "Template string for this request, supports mustache-style `{{placeholders}}`", "type": "string" } } - ] + ], + "type": "record" }, - "description": "Array of templates available to the request context.", - "required": true, "type": "array" } }, { "allow_untemplated_requests": { - "default": true, - "description": "Set true to allow requests that don't call or match any template.", "required": true, + "description": "Set true to allow requests that don't call or match any template.", + "default": true, "type": "boolean" } }, { "log_original_request": { - "default": false, - "description": "Set true to add the original request to the Kong log plugin(s) output.", "required": true, + "description": "Set true to add the original request to the Kong log plugin(s) output.", + "default": false, "type": "boolean" } }, { "max_request_body_size": { - "gt": 0, - "description": "max allowed body size allowed to be introspected", "default": 8192, + "description": "max allowed body size allowed to be introspected. 0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size.", + "gt": 0, "type": "integer" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
diff --git a/schemas/ai-proxy-advanced/3.11.x.json b/schemas/ai-proxy-advanced/3.11.x.json index 0e657ace..9bd8e335 100644 --- a/schemas/ai-proxy-advanced/3.11.x.json +++ b/schemas/ai-proxy-advanced/3.11.x.json @@ -1,33 +1,15 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.targets" - ] - } - }, - { - "custom_entity_check": { - "field_sources": [ - "config.targets", - "config.balancer" - ] - } - } - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -36,48 +18,51 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, "fields": [ { "balancer": { - "type": "record", "required": true, "fields": [ { "algorithm": { + "type": "string", "default": "round-robin", "description": "Which load balancing algorithm to use.", - "type": "string", "one_of": [ "round-robin", "lowest-latency", "lowest-usage", "consistent-hashing", - "semantic" + "semantic", + "priority" ] } }, { "tokens_count_strategy": { - "default": "total-tokens", - "description": "What tokens to use for usage calculation. Available values are: `total_tokens` `prompt_tokens`, and `completion_tokens`.", "type": "string", + "default": "total-tokens", + "description": "What tokens to use for usage calculation. Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` and `cost`.", "one_of": [ "total-tokens", "prompt-tokens", - "completion-tokens" + "completion-tokens", + "cost" ] } }, { "latency_strategy": { + "type": "string", "default": "tpot", "description": "What metrics to use for latency. Available values are: `tpot` (time-per-output-token) and `e2e`.", - "type": "string", "one_of": [ "tpot", "e2e" 
@@ -86,15 +71,15 @@ }, { "hash_on_header": { - "default": "X-Kong-LLM-Request-ID", "description": "The header to use for consistent-hashing.", + "default": "X-Kong-LLM-Request-ID", "type": "string" } }, { "slots": { - "default": 10000, "description": "The number of slots in the load balancer algorithm.", + "default": 10000, "between": [ 10, 65536 @@ -104,8 +89,8 @@ }, { "retries": { - "default": 5, "description": "The number of retries to execute upon failure to proxy.", + "default": 5, "between": [ 0, 32767 
@@ -142,107 +127,180 @@ ], "type": "integer" } + }, + { + "failover_criteria": { + "default": [ + "error", + "timeout" + ], + "description": "Specifies in which cases an upstream response should be failover to the next target. Each option in the array is equivalent to the function of http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream", + "elements": { + "type": "string", + "one_of": [ + "error", + "timeout", + "invalid_header", + "http_500", + "http_502", + "http_503", + "http_504", + "http_403", + "http_404", + "http_429", + "non_idempotent" + ] + }, + "type": "array" + } } - ] + ], + "type": "record" } }, { "embeddings": { + "required": false, + "entity_checks": [ + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.instance" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.api_version" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.deployment_id" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + } + ], "fields": [ { "auth": { + "required": false, "fields": [ { "header_name": { - "referenceable": true, - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "required": false, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, "type": "string" } }, { "header_value": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Specify the full auth header value for 
'header_name', for example 'Bearer key' or just 'key'.", "referenceable": true } }, { "param_name": { - "referenceable": true, - "description": "If AI model requires authentication via query parameter, specify its name here.", "required": false, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, "type": "string" } }, { "param_value": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Specify the full parameter value for 'param_name'.", "referenceable": true } }, { "param_location": { + "required": false, + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "one_of": [ "query", "body" ], - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", - "required": false, "type": "string" } }, { "azure_use_managed_identity": { - "default": false, - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "required": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "default": false, "type": "boolean" } }, { "azure_client_id": { - "referenceable": true, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, "type": "string" } }, { "azure_client_secret": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different 
user-assigned identity for this LLM instance, set the client secret.", "referenceable": true } }, { "azure_tenant_id": { - "referenceable": true, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, "type": "string" } }, { "gcp_use_service_account": { - "default": false, - "description": "Use service account auth for GCP-based providers and models.", "required": false, + "description": "Use service account auth for GCP-based providers and models.", + "default": false, "type": "boolean" } }, { "gcp_service_account_json": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "referenceable": true } @@ -250,8 +308,8 @@ { "aws_access_key_id": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "referenceable": true } 
@@ -259,114 +317,255 @@ { "aws_secret_access_key": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "referenceable": true } }, { "allow_override": { - "default": false, - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "required": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "default": false, "type": "boolean" } } ], - "required": false, "type": "record" } }, { "model": { + "required": true, "fields": [ { "provider": { + "required": true, + "description": "AI provider format to use for embeddings API", "one_of": [ "openai", - "mistral" + "mistral", + "huggingface", + "azure", + "bedrock", + "gemini" ], - "description": "AI provider format to use for embeddings API", - "required": true, "type": "string" } }, { "name": { - "description": "Model name to execute.", "required": true, + "description": "Model name to execute.", "type": "string" } }, { "options": { + "required": false, + "description": "Key/value settings for the model", "fields": [ { "upstream_url": { - "description": "upstream url for the embeddings", "required": false, + "description": "upstream url for the embeddings", "type": "string" } + }, + { + "azure": { + "required": true, + "fields": [ + { + "instance": { + "required": false, + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + } + }, + { + "api_version": { + "required": false, + "description": "'api-version' for Azure OpenAI instances.", + "default": "2023-05-15", + "type": "string" + } + }, + { + "deployment_id": { + "required": false, + "description": 
"Deployment ID for Azure OpenAI instances.", + "type": "string" + } + } + ], + "type": "record" + } + }, + { + "bedrock": { + "required": false, + "entity_checks": [ + { + "mutually_required": [ + "aws_assume_role_arn", + "aws_role_session_name" + ] + } + ], + "fields": [ + { + "aws_region": { + "required": false, + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + }, + { + "aws_assume_role_arn": { + "required": false, + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + } + }, + { + "aws_role_session_name": { + "type": "string", + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session." + } + }, + { + "aws_sts_endpoint_url": { + "type": "string", + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." 
+ } + }, + { + "embeddings_normalize": { + "description": "If using AWS providers (Bedrock), set to true to normalize the embeddings.", + "default": false, + "type": "boolean" + } + } + ], + "type": "record" + } + }, + { + "gemini": { + "required": false, + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], + "fields": [ + { + "api_endpoint": { + "required": false, + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + } + }, + { + "project_id": { + "required": false, + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + { + "location_id": { + "required": false, + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + } + } + ], + "type": "record" + } + }, + { + "huggingface": { + "required": false, + "fields": [ + { + "use_cache": { + "required": false, + "description": "Use the cache layer on the inference API", + "type": "boolean" + } + }, + { + "wait_for_model": { + "required": false, + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + } + ], + "type": "record" + } } ], - "description": "Key/value settings for the model", - "required": false, "type": "record" } } ], - "required": true, "type": "record" } } ], - "required": false, "type": "record" } }, { "vectordb": { + "required": false, "fields": [ { "strategy": { + "required": true, + "description": "which vector database driver to use", "one_of": [ - "redis" + "redis", + "pgvector" ], - "description": "which vector database driver to use", - "required": true, "type": "string" } }, { "dimensions": { - "description": "the desired dimensionality for the vectors", "required": true, + "description": "the desired dimensionality for the vectors", "type": "integer" } }, { "threshold": { - "description": "the default similarity threshold for accepting semantic search results 
(float)", "required": true, + "description": "the default similarity threshold for accepting semantic search results (float)", "type": "number" } }, { "distance_metric": { + "required": true, + "description": "the distance metric to use for vector searches", "one_of": [ "cosine", "euclidean" ], - "description": "the distance metric to use for vector searches", - "required": true, "type": "string" } }, { "redis": { - "required": true, - "type": "record", "entity_checks": [ { "mutually_required": [ @@ -390,14 +589,14 @@ }, { "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", "if_field": "connection_is_proxied", "then_match": { "required": true - } + }, + "if_match": { + "eq": true + }, + "then_field": "host" } }, { @@ -428,13 +627,13 @@ } } ], + "type": "record", + "required": true, "shorthand_fields": [ { "timeout": { "type": "integer", "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -451,47 +650,49 @@ "read_timeout" ] } - ] + ], + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" } } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, + "len_min": 1, "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "elements": { + "type": "string" }, - "len_min": 1, "type": "array" } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, + "len_min": 1, "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "elements": { + "type": "string" }, - "len_min": 1, "type": "array" } } @@ -499,8 +700,8 @@ "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, 
@@ -551,31 +752,31 @@ { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { - "encrypted": true, + "type": "string", "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "referenceable": true, - "type": "string" + "encrypted": true, + "referenceable": true } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { - "encrypted": true, + "type": "string", "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "referenceable": true, - "type": "string" + "encrypted": true, + "referenceable": true } }, { @@ -587,8 +788,8 @@ }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, "between": [ 1, 2147483646 
@@ -598,11 +799,11 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "type": "integer" } }, @@ -625,15 +826,16 @@ }, { "sentinel_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { "fields": [ { "host": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -651,21 +853,21 @@ ], "type": "record" }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { "fields": [ { "ip": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -683,65 +885,160 @@ ], "type": "record" }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { + "required": false, "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "required": false, "type": "boolean" } }, { "ssl_verify": { + "required": false, "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string" } }, { "cluster_max_redirections": { + "required": false, "default": 5, "description": "Maximum retry attempts for redirection.", - "required": false, "type": "integer" } }, { "connection_is_proxied": { + "required": false, "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", - "required": false, "type": "boolean" } } ] } - } - ], - "required": false, - "type": "record" - } - }, - { - "response_streaming": { - "required": false, - "type": "string", - "default": "allow", - "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", - "one_of": [ - "allow", + }, + { + "pgvector": { + "required": true, + "fields": [ + { + "host": { + "description": "the host of the pgvector database", + "default": "127.0.0.1", + "type": "string" + } + }, + { + "port": { + "description": "the port of the pgvector database", + "default": 5432, + "type": "integer" + } + }, + { + "user": { + "referenceable": true, + "description": "the user of the pgvector database", + "default": "postgres", + "type": "string" + } + }, + { + "password": { + "referenceable": true, + "description": "the password of the pgvector database", + "encrypted": true, + "type": "string" + } + }, + { + "database": { + "description": "the database of the pgvector database", + "default": "kong-pgvector", + "type": "string" + } + }, + { + "timeout": { + "description": "the timeout of the pgvector database", + "default": 5000, + "type": "number" + } + }, + { + "ssl": { + "description": "whether to use ssl for the pgvector database", + "default": false, + "type": "boolean" + } + }, + { + "ssl_required": { + "description": "whether ssl is required for the pgvector database", + "default": false, + "type": "boolean" + } + }, + { + "ssl_verify": { + "description": "whether to verify ssl for the pgvector database", + "default": false, + "type": "boolean" + } + }, + { + "ssl_version": { + "one_of": [ + "tlsv1_2", + "tlsv1_3", + "any" + ], + "description": "the ssl version to use for the pgvector database", + "default": "tlsv1_2", + "type": "string" + } + }, + { + "ssl_cert": { + "description": "the path of ssl cert to use for the pgvector database", + "type": "string" + } + }, 
+ { + "ssl_cert_key": { + "description": "the path of ssl cert key to use for the pgvector database", + "type": "string" + } + } + ], + "type": "record" + } + } + ], + "type": "record" + } + }, + { + "response_streaming": { + "type": "string", + "required": false, + "default": "allow", + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "one_of": [ + "allow", "deny", "always" ] @@ -749,25 +1046,30 @@ }, { "max_request_body_size": { + "description": "max allowed body size allowed to be introspected. 0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size.", "default": 8192, - "description": "max allowed body size allowed to be introspected", "gt": 0, "type": "integer" } }, { "model_name_header": { - "default": true, "description": "Display the model name selected in the X-Kong-LLM-Model response header", + "default": true, "type": "boolean" } }, { "targets": { + "required": true, "elements": { "entity_checks": [ { "conditional": { + "if_field": "model.provider", + "then_match": { + "eq": false + }, "then_err": "bedrock and gemini only support auth.allow_override = false", "if_match": { "one_of": [ @@ -775,11 +1077,7 @@ "gemini" ] }, - "then_field": "auth.allow_override", - "if_field": "model.provider", - "then_match": { - "eq": false - } + "then_field": "auth.allow_override" } }, { 
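Review bot: The new `pgvector` record defaults `ssl`, `ssl_required` and `ssl_verify` all to `false`, so a configuration that sets only host, user and password reaches the vector database without TLS and without certificate verification, even though `password` is marked `encrypted` and `referenceable`. The three flag descriptions do not say how they differ, and no entity check visible in the hunk ties `ssl_verify` or `ssl_required` to `ssl`, so an operator can enable verification alone and presumably get no protection. I would state the dependency and the default in the text, for example `"description": "whether to verify the server certificate for the pgvector database; has no effect unless ssl is true"`. If these files are pulled from the product rather than hand-edited, the wording belongs in the upstream schema. The enclosing `vectordb` record opens before this hunk.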
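Review bot: The rewritten `max_request_body_size` description says "0 means unlimited", but the field keeps `"gt": 0` on the unchanged line below it, so this schema as shown rejects 0 and the documented way to lift the limit cannot be configured. One of the two is stale: either the constraint should admit 0, or the sentence should go, e.g. `"description": "max body size allowed to be introspected; the request body is also limited by Nginx's client_max_body_size."`. This bound is the plugin's own cap on how much request body it reads for inspection, so the text should match what validation enforces. The phrase "max allowed body size allowed" also repeats itself.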
@@ -797,100 +1095,100 @@ }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for llama2 provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.llama2_format" - ] + "then_err": "must set %s for llama2 provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ], "if_match": { "one_of": [ "mistral" ] }, - "then_err": "must set %s for mistral provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.mistral_format" - ] + "then_err": "must set %s for mistral provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], "if_match": { "one_of": [ "anthropic" ] }, - "then_err": "must set %s for anthropic provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.anthropic_version" - ] + "then_err": "must set %s for anthropic provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_instance" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_api_version" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ 
+ "model.options.azure_deployment_id" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_deployment_id" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for self-hosted providers/models", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.upstream_url" - ] + "then_err": "must set %s for self-hosted providers/models" } }, { 
@@ -901,117 +1199,125 @@ "logging" ] } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model" + ] + } } ], - "type": "record", - "required": true, "fields": [ { "route_type": { + "required": true, + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", "one_of": [ "llm/v1/chat", "llm/v1/completions", + "llm/v1/embeddings", "preserve" ], - "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", - "required": true, "type": "string" } }, { "auth": { + "required": false, "fields": [ { "header_name": { - "referenceable": true, - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "required": false, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, "type": "string" } }, { "header_value": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "referenceable": true } }, { "param_name": { - "referenceable": true, - "description": "If AI model requires authentication via query parameter, specify its name here.", "required": false, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, "type": "string" } }, { "param_value": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Specify the full parameter value for 'param_name'.", "referenceable": true } }, { "param_location": { + "required": false, + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "one_of": [ "query", "body" ], - "description": "Specify whether the 
'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", - "required": false, "type": "string" } }, { "azure_use_managed_identity": { - "default": false, - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "required": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "default": false, "type": "boolean" } }, { "azure_client_id": { - "referenceable": true, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, "type": "string" } }, { "azure_client_secret": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "referenceable": true } }, { "azure_tenant_id": { - "referenceable": true, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, "type": "string" } }, { "gcp_use_service_account": { - "default": false, - "description": "Use service account auth for GCP-based providers and models.", "required": false, + "description": "Use service account auth for GCP-based providers and models.", + "default": false, "type": "boolean" } }, { 
"gcp_service_account_json": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "referenceable": true } @@ -1019,8 +1325,8 @@ { "aws_access_key_id": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "referenceable": true } @@ -1028,30 +1334,32 @@ { "aws_secret_access_key": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "referenceable": true } }, { "allow_override": { - "default": false, - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "required": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "default": false, "type": "boolean" } } ], - "required": false, "type": "record" } }, { "model": { + "required": true, "fields": [ { "provider": { + "required": true, + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "one_of": [ "openai", "azure", 
@@ -1063,146 +1371,158 @@ "bedrock", "huggingface" ], - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", - "required": true, "type": "string" } }, { "name": { - "description": "Model name to execute.", "required": false, + "description": "Model name to execute.", "type": "string" } }, { "options": { + "required": false, + "description": "Key/value settings for the model", "fields": [ { "max_tokens": { - "default": 256, - "description": "Defines the max_tokens, if using chat or completion models.", "required": false, + "description": "Defines the max_tokens, if using chat or completion models.", "type": "integer" } }, { "input_cost": { - "gt": 0, - "description": "Defines the cost per 1M tokens in your prompt.", "required": false, + "description": "Defines the cost per 1M tokens in your prompt.", + "gt": 0, "type": "number" } }, { "output_cost": { - "gt": 0, - "description": "Defines the cost per 1M tokens in the output of the AI.", "required": false, + "description": "Defines the cost per 1M tokens in the output of the AI.", + "gt": 0, "type": "number" } }, { "temperature": { + "required": false, + "description": "Defines the matching temperature, if using chat or completion models.", "between": [ 0, 5 ], - "description": "Defines the matching temperature, if using chat or completion models.", - "required": false, "type": "number" } }, { "top_p": { + "required": false, + "description": "Defines the top-p probability mass, if supported.", "between": [ 0, 1 ], - "description": "Defines the top-p probability mass, if supported.", - "required": false, "type": "number" } }, { "top_k": { + "required": false, + "description": "Defines the top-k most likely tokens, if supported.", "between": [ 0, 500 ], - "description": "Defines the top-k most likely tokens, if supported.", - "required": false, "type": "integer" } }, { "anthropic_version": { - "description": "Defines the schema/API version, if 
using Anthropic provider.", "required": false, + "description": "Defines the schema/API version, if using Anthropic provider.", "type": "string" } }, { "azure_instance": { - "description": "Instance name for Azure OpenAI hosted models.", "required": false, + "description": "Instance name for Azure OpenAI hosted models.", "type": "string" } }, { "azure_api_version": { - "default": "2023-05-15", - "description": "'api-version' for Azure OpenAI instances.", "required": false, + "description": "'api-version' for Azure OpenAI instances.", + "default": "2023-05-15", "type": "string" } }, { "azure_deployment_id": { - "description": "Deployment ID for Azure OpenAI instances.", "required": false, + "description": "Deployment ID for Azure OpenAI instances.", "type": "string" } }, { "llama2_format": { + "required": false, + "description": "If using llama2 provider, select the upstream message format.", "one_of": [ "raw", "openai", "ollama" ], - "description": "If using llama2 provider, select the upstream message format.", - "required": false, "type": "string" } }, { "mistral_format": { + "required": false, + "description": "If using mistral provider, select the upstream message format.", "one_of": [ "openai", "ollama" ], - "description": "If using mistral provider, select the upstream message format.", - "required": false, "type": "string" } }, { "upstream_url": { - "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", "required": false, + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", "type": "string" } }, { "upstream_path": { - "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", "required": false, + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "deprecation": { + "message": "llm: config.model.options.upstream_path is deprecated, please use config.model.options.upstream_url instead", + "removal_in_version": "4.0" + }, "type": "string" } }, + { + "embeddings_dimensions": { + "required": false, + "description": "If using embeddings models, set the number of dimensions to generate.", + "gt": 0, + "type": "integer" + } + }, { "gemini": { + "required": false, "entity_checks": [ { "mutually_required": [ 
@@ -1215,82 +1535,142 @@ "fields": [ { "api_endpoint": { - "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", "required": false, + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", "type": "string" } }, { "project_id": { - "description": "If running Gemini on Vertex, specify the project ID.", "required": false, + "description": "If running Gemini on Vertex, specify the project ID.", "type": "string" } }, { "location_id": { - "description": "If running Gemini on Vertex, specify the location ID.", "required": false, + "description": "If running Gemini on Vertex, specify the location ID.", "type": "string" } } ], - "required": false, "type": "record" } }, { "bedrock": { + "required": false, + "entity_checks": [ + { + "mutually_required": [ + "aws_assume_role_arn", + "aws_role_session_name" + ] + } + ], "fields": [ { "aws_region": { + "required": false, "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + }, + { + "aws_assume_role_arn": { "required": false, + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", "type": "string" } + }, + { + "aws_role_session_name": { + "type": "string", + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session." + } + }, + { + "aws_sts_endpoint_url": { + "type": "string", + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." 
+ } + }, + { + "embeddings_normalize": { + "description": "If using AWS providers (Bedrock), set to true to normalize the embeddings.", + "default": false, + "type": "boolean" + } } ], - "required": false, "type": "record" } }, { "huggingface": { + "required": false, "fields": [ { "use_cache": { - "description": "Use the cache layer on the inference API", "required": false, + "description": "Use the cache layer on the inference API", "type": "boolean" } }, { "wait_for_model": { - "description": "Wait for the model if it is not ready", "required": false, + "description": "Wait for the model if it is not ready", "type": "boolean" } } ], + "type": "record" + } + }, + { + "cohere": { "required": false, + "fields": [ + { + "embedding_input_type": { + "type": "string", + "required": false, + "default": "classification", + "description": "The purpose of the input text to calculate embedding vectors.", + "one_of": [ + "search_document", + "search_query", + "classification", + "clustering", + "image" + ] + } + }, + { + "wait_for_model": { + "required": false, + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + } + ], "type": "record" } } ], - "description": "Key/value settings for the model", - "required": false, "type": "record" } } ], - "required": true, "type": "record" } }, { "weight": { - "default": 100, "description": "The weight this target gets within the upstream loadbalancer (1-65535).", + "default": 100, "between": [ 1, 65535 
@@ -1300,45 +1680,105 @@ }, { "description": { - "description": "The semantic description of the target, required if using semantic load balancing.", "required": false, + "description": "The semantic description of the target, required if using semantic load balancing. Specially, setting this to 'CATCHALL' will indicate such target to be used when no other targets match the semantic threshold.", "type": "string" } }, { "logging": { + "required": true, "fields": [ { "log_statistics": { - "default": false, - "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", "required": true, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "default": false, "type": "boolean" } }, { "log_payloads": { - "default": false, - "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", "required": true, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "default": false, "type": "boolean" } } ], - "required": true, "type": "record" } } - ] + ], + "type": "record" }, - "required": true, "type": "array" } + }, + { + "llm_format": { + "type": "string", + "required": false, + "default": "openai", + "description": "LLM input and output format and schema to use", + "one_of": [ + "openai", + "bedrock", + "gemini", + "cohere", + "huggingface" + ] + } + }, + { + "genai_category": { + "type": "string", + "required": false, + "default": "text/generation", + "description": "Generative AI category of the request", + "one_of": [ + "text/generation", + "text/embeddings" + ] + } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.targets", + "config.balancer" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.targets", + 
"config.balancer" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.targets", + "config.llm_format" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.genai_category", + "config.targets" + ] + } + } ] } \ No newline at end of file diff --git a/schemas/ai-proxy/3.11.x.json b/schemas/ai-proxy/3.11.x.json index d66b2f6d..a97be17c 100644 --- a/schemas/ai-proxy/3.11.x.json +++ b/schemas/ai-proxy/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -22,14 +18,20 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, "entity_checks": [ { "conditional": { + "if_field": "model.provider", + "then_match": { + "eq": false + }, "then_err": "bedrock and gemini only support auth.allow_override = false", "if_match": { "one_of": [ @@ -37,11 +39,7 @@ "gemini" ] }, - "then_field": "auth.allow_override", - "if_field": "model.provider", - "then_match": { - "eq": false - } + "then_field": "auth.allow_override" } }, { 
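Review bot: The new top-level `entity_checks` in the `@@ -1300,45 +1680,105 @@` hunk lists `custom_entity_check` twice with identical `field_sources` (`config.targets`, `config.balancer`). If these are two distinct validators whose functions are not serialized, the dump cannot tell them apart and readers will see a duplicate. If it is one check registered twice, it should be deduplicated at the source. Either way, none of the four custom checks say what they enforce, so a short `description` on each would help. The patched file's header lies outside this view.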
@@ -59,100 +57,100 @@ }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for llama2 provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.llama2_format" - ] + "then_err": "must set %s for llama2 provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ], "if_match": { "one_of": [ "mistral" ] }, - "then_err": "must set %s for mistral provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.mistral_format" - ] + "then_err": "must set %s for mistral provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], "if_match": { "one_of": [ "anthropic" ] }, - "then_err": "must set %s for anthropic provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.anthropic_version" - ] + "then_err": "must set %s for anthropic provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_instance" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_api_version" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + 
"model.options.azure_deployment_id" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_deployment_id" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for self-hosted providers/models", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.upstream_url" - ] + "then_err": "must set %s for self-hosted providers/models" } }, { 
@@ -163,117 +161,125 @@ "logging" ] } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model" + ] + } } ], - "type": "record", - "required": true, "fields": [ { "route_type": { + "required": true, + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", "one_of": [ "llm/v1/chat", "llm/v1/completions", + "llm/v1/embeddings", "preserve" ], - "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", - "required": true, "type": "string" } }, { "auth": { + "required": false, "fields": [ { "header_name": { - "referenceable": true, - "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "required": false, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", + "referenceable": true, "type": "string" } }, { "header_value": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "referenceable": true } }, { "param_name": { - "referenceable": true, - "description": "If AI model requires authentication via query parameter, specify its name here.", "required": false, + "description": "If AI model requires authentication via query parameter, specify its name here.", + "referenceable": true, "type": "string" } }, { "param_value": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Specify the full parameter value for 'param_name'.", "referenceable": true } }, { "param_location": { + "required": false, + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "one_of": [ "query", "body" ], - "description": "Specify whether the 
'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", - "required": false, "type": "string" } }, { "azure_use_managed_identity": { - "default": false, - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "required": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "default": false, "type": "boolean" } }, { "azure_client_id": { - "referenceable": true, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", + "referenceable": true, "type": "string" } }, { "azure_client_secret": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "referenceable": true } }, { "azure_tenant_id": { - "referenceable": true, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "required": false, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", + "referenceable": true, "type": "string" } }, { "gcp_use_service_account": { - "default": false, - "description": "Use service account auth for GCP-based providers and models.", "required": false, + "description": "Use service account auth for GCP-based providers and models.", + "default": false, "type": "boolean" } }, { 
"gcp_service_account_json": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "referenceable": true } @@ -281,8 +287,8 @@ { "aws_access_key_id": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "referenceable": true } @@ -290,30 +296,32 @@ { "aws_secret_access_key": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "referenceable": true } }, { "allow_override": { - "default": false, - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "required": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "default": false, "type": "boolean" } } ], - "required": false, "type": "record" } }, { "model": { + "required": true, "fields": [ { "provider": { + "required": true, + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "one_of": [ "openai", "azure", 
@@ -325,146 +333,158 @@ "bedrock", "huggingface" ], - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", - "required": true, "type": "string" } }, { "name": { - "description": "Model name to execute.", "required": false, + "description": "Model name to execute.", "type": "string" } }, { "options": { + "required": false, + "description": "Key/value settings for the model", "fields": [ { "max_tokens": { - "default": 256, - "description": "Defines the max_tokens, if using chat or completion models.", "required": false, + "description": "Defines the max_tokens, if using chat or completion models.", "type": "integer" } }, { "input_cost": { - "gt": 0, - "description": "Defines the cost per 1M tokens in your prompt.", "required": false, + "description": "Defines the cost per 1M tokens in your prompt.", + "gt": 0, "type": "number" } }, { "output_cost": { - "gt": 0, - "description": "Defines the cost per 1M tokens in the output of the AI.", "required": false, + "description": "Defines the cost per 1M tokens in the output of the AI.", + "gt": 0, "type": "number" } }, { "temperature": { + "required": false, + "description": "Defines the matching temperature, if using chat or completion models.", "between": [ 0, 5 ], - "description": "Defines the matching temperature, if using chat or completion models.", - "required": false, "type": "number" } }, { "top_p": { + "required": false, + "description": "Defines the top-p probability mass, if supported.", "between": [ 0, 1 ], - "description": "Defines the top-p probability mass, if supported.", - "required": false, "type": "number" } }, { "top_k": { + "required": false, + "description": "Defines the top-k most likely tokens, if supported.", "between": [ 0, 500 ], - "description": "Defines the top-k most likely tokens, if supported.", - "required": false, "type": "integer" } }, { "anthropic_version": { - "description": "Defines the schema/API version, if using 
Anthropic provider.", "required": false, + "description": "Defines the schema/API version, if using Anthropic provider.", "type": "string" } }, { "azure_instance": { - "description": "Instance name for Azure OpenAI hosted models.", "required": false, + "description": "Instance name for Azure OpenAI hosted models.", "type": "string" } }, { "azure_api_version": { - "default": "2023-05-15", - "description": "'api-version' for Azure OpenAI instances.", "required": false, + "description": "'api-version' for Azure OpenAI instances.", + "default": "2023-05-15", "type": "string" } }, { "azure_deployment_id": { - "description": "Deployment ID for Azure OpenAI instances.", "required": false, + "description": "Deployment ID for Azure OpenAI instances.", "type": "string" } }, { "llama2_format": { + "required": false, + "description": "If using llama2 provider, select the upstream message format.", "one_of": [ "raw", "openai", "ollama" ], - "description": "If using llama2 provider, select the upstream message format.", - "required": false, "type": "string" } }, { "mistral_format": { + "required": false, + "description": "If using mistral provider, select the upstream message format.", "one_of": [ "openai", "ollama" ], - "description": "If using mistral provider, select the upstream message format.", - "required": false, "type": "string" } }, { "upstream_url": { - "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", "required": false, + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", "type": "string" } }, { "upstream_path": { - "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", "required": false, + "description": "Manually specify or override the AI operation path, used when e.g. 
using the 'preserve' route_type.", + "deprecation": { + "message": "llm: config.model.options.upstream_path is deprecated, please use config.model.options.upstream_url instead", + "removal_in_version": "4.0" + }, "type": "string" } }, + { + "embeddings_dimensions": { + "required": false, + "description": "If using embeddings models, set the number of dimensions to generate.", + "gt": 0, + "type": "integer" + } + }, { "gemini": { + "required": false, "entity_checks": [ { "mutually_required": [ 
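Review bot: `max_tokens` loses its `"default": 256` in this hunk, but the description still reads only `"Defines the max_tokens, if using chat or completion models."`, so the schema no longer says what applies when the field is unset. Operators relying on the old default as a cost or abuse bound would not notice the change from this file. If the new behaviour is that nothing is sent and the provider's own limit applies (not visible here), the description should say so, e.g. `"Defines the max_tokens, if using chat or completion models. If unset, the provider's default applies."`.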
@@ -477,108 +497,168 @@ "fields": [ { "api_endpoint": { - "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", "required": false, + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", "type": "string" } }, { "project_id": { - "description": "If running Gemini on Vertex, specify the project ID.", "required": false, + "description": "If running Gemini on Vertex, specify the project ID.", "type": "string" } }, { "location_id": { - "description": "If running Gemini on Vertex, specify the location ID.", "required": false, + "description": "If running Gemini on Vertex, specify the location ID.", "type": "string" } } ], - "required": false, "type": "record" } }, { "bedrock": { + "required": false, + "entity_checks": [ + { + "mutually_required": [ + "aws_assume_role_arn", + "aws_role_session_name" + ] + } + ], "fields": [ { "aws_region": { + "required": false, "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + }, + { + "aws_assume_role_arn": { "required": false, + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", "type": "string" } + }, + { + "aws_role_session_name": { + "type": "string", + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session." + } + }, + { + "aws_sts_endpoint_url": { + "type": "string", + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." 
+ } + }, + { + "embeddings_normalize": { + "description": "If using AWS providers (Bedrock), set to true to normalize the embeddings.", + "default": false, + "type": "boolean" + } } ], - "required": false, "type": "record" } }, { "huggingface": { + "required": false, "fields": [ { "use_cache": { - "description": "Use the cache layer on the inference API", "required": false, + "description": "Use the cache layer on the inference API", "type": "boolean" } }, { "wait_for_model": { - "description": "Wait for the model if it is not ready", "required": false, + "description": "Wait for the model if it is not ready", "type": "boolean" } } ], + "type": "record" + } + }, + { + "cohere": { "required": false, + "fields": [ + { + "embedding_input_type": { + "type": "string", + "required": false, + "default": "classification", + "description": "The purpose of the input text to calculate embedding vectors.", + "one_of": [ + "search_document", + "search_query", + "classification", + "clustering", + "image" + ] + } + }, + { + "wait_for_model": { + "required": false, + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + } + ], "type": "record" } } ], - "description": "Key/value settings for the model", - "required": false, "type": "record" } } ], - "required": true, "type": "record" } }, { "logging": { + "required": true, "fields": [ { "log_statistics": { - "default": false, - "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", "required": true, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "default": false, "type": "boolean" } }, { "log_payloads": { - "default": false, - "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", "required": true, + "description": "If enabled, will log the request and response body into the Kong log 
plugin(s) output.", + "default": false, "type": "boolean" } } ], - "required": true, "type": "record" } }, { "response_streaming": { - "required": false, "type": "string", - "default": "allow", + "required": false, "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", + "default": "allow", "one_of": [ "allow", "deny", @@ -589,7 +669,7 @@ { "max_request_body_size": { "default": 8192, - "description": "max allowed body size allowed to be introspected", + "description": "max allowed body size allowed to be introspected. 0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size.", "gt": 0, "type": "integer" } 
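Review bot: The new description on `max_request_body_size` says `0 means unlimited`, but the unchanged `"gt": 0` on the following line rejects 0, so the documented value cannot be configured as the schema stands. Either the constraint needs relaxing upstream to admit 0, or the sentence should be reduced to `"max allowed body size allowed to be introspected. The size of this body is also limited by Nginx's client_max_body_size."` until it is. Unbounded body introspection is also a resource-exhaustion concern, so the description should state that `client_max_body_size` is then the only limit. The field has no `required` key, unlike most of its neighbours.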
@@ -600,8 +680,123 @@ "description": "Display the model name selected in the X-Kong-LLM-Model response header", "type": "boolean" } + }, + { + "llm_format": { + "type": "string", + "required": false, + "default": "openai", + "description": "LLM input and output format and schema to use", + "one_of": [ + "openai", + "bedrock", + "gemini", + "cohere", + "huggingface" + ] + } + }, + { + "genai_category": { + "type": "string", + "required": false, + "default": "text/generation", + "description": "Generative AI category of the request", + "one_of": [ + "text/generation", + "text/embeddings" + ] + } } - ] + ], + "type": "record" + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "config.llm_format", + "then_match": { + "eq": "llm/v1/chat" + }, + "then_err": "native provider options in llm_format can only be used with the 'llm/v1/chat' route_type", + "if_match": { + "one_of": [ + "bedrock", + "gemini" + ] + }, + "then_field": "config.route_type" + } + }, + { + "conditional": { + "if_field": "config.llm_format", + "then_match": { + "eq": "bedrock" + }, + "then_err": "native llm_format 'bedrock' can only be used with the 'bedrock' model.provider", + "if_match": { + "eq": "bedrock" + }, + "then_field": "config.model.provider" + } + }, + { + "conditional": { + "if_field": "config.llm_format", + "then_match": { + "eq": "gemini" + }, + "then_err": "native llm_format 'gemini' can only be used with the 'gemini' model.provider", + "if_match": { + "eq": "gemini" + }, + "then_field": "config.model.provider" + } + }, + { + "conditional": { + "if_field": "config.llm_format", + "then_match": { + "eq": "cohere" + }, + "then_err": "native llm_format 'cohere' can only be used with the 'cohere' model.provider", + "if_match": { + "eq": "cohere" + }, + "then_field": "config.model.provider" + } + }, + { + "conditional": { + "if_field": "config.genai_category", + "then_match": { + "one_of": [ + "llm/v1/chat", + "llm/v1/completions", + "preserve" + ] + }, + "then_err": 
"category 'text/generation' cannot be used with this route_type", + "if_match": { + "eq": "text/generation" + }, + "then_field": "config.route_type" + } + }, + { + "conditional": { + "if_field": "config.genai_category", + "then_match": { + "eq": "llm/v1/embeddings" + }, + "then_err": "category 'text/embeddings' cannot be used with this route_type", + "if_match": { + "eq": "text/embeddings" + }, + "then_field": "config.route_type" } } ] diff --git a/schemas/ai-rag-injector/3.11.x.json b/schemas/ai-rag-injector/3.11.x.json index a4b3943c..f1106f0c 100644 --- a/schemas/ai-rag-injector/3.11.x.json +++ b/schemas/ai-rag-injector/3.11.x.json @@ -1,16 +1,15 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.inject_template" - ] - } - } - ], "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
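Review bot: The first added `conditional` lists only `bedrock` and `gemini` in `if_match`, yet its `then_err` speaks of "native provider options in llm_format" in general, and `llm_format` also admits `cohere` and `huggingface`. Likewise there are provider-match checks for `bedrock`, `gemini` and `cohere` but none for `huggingface`. If the asymmetry is intended, the `llm_format` description should name which formats are restricted. Otherwise the missing cases let a native format be combined with a mismatched `route_type` or `model.provider` without a validation error. Separately, `genai_category` defaults to `text/generation`, which the fifth check rejects for `route_type` `llm/v1/embeddings`. An embeddings route must therefore set `genai_category` explicitly, which is worth adding to its description.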
@@ -20,249 +19,240 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "type": "set", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", + "required": true, "fields": [ { "stop_on_failure": { + "required": true, "description": "Halt the LLM request process in case of a vectordb or embeddings service failure", - "type": "boolean", "default": false, - "required": true + "type": "boolean" } }, { "inject_as_role": { + "required": true, + "default": "user", + "type": "string", "one_of": [ "system", "assistant", "user" - ], - "type": "string", - "default": "user", - "required": true + ] } }, { "inject_template": { + "required": true, "default": "\n", - "type": "string", - "required": true + "type": "string" } }, { "fetch_chunks_count": { + "required": true, "description": "The maximum number of chunks to fetch from vectordb", - "type": "number", "default": 5, - "required": true + "type": "number" } }, { "vectordb_namespace": { + "required": true, "description": "The namespace of the vectordb to use for embeddings lookup", - "type": "string", "default": "kong_rag_injector", - "required": true + "type": "string" } }, { "embeddings": { + "required": true, "entity_checks": [ { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.instance" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure.instance" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.api_version" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": 
[ - "model.options.azure.api_version" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.deployment_id" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure.deployment_id" - ] + "then_err": "must set %s for azure provider" } } ], - "type": "record", - "required": true, "fields": [ { "auth": { - "type": "record", "required": false, "fields": [ { "header_name": { + "required": false, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "type": "string", - "required": false, "referenceable": true } }, { "header_value": { + "encrypted": true, "type": "string", - "referenceable": true, + "required": false, "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", - "encrypted": true, - "required": false + "referenceable": true } }, { "param_name": { + "required": false, "description": "If AI model requires authentication via query parameter, specify its name here.", "type": "string", - "required": false, "referenceable": true } }, { "param_value": { + "encrypted": true, "type": "string", - "referenceable": true, + "required": false, "description": "Specify the full parameter value for 'param_name'.", - "encrypted": true, - "required": false + "referenceable": true } }, { "param_location": { + "required": false, "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "type": "string", "one_of": [ "query", "body" - ], - "required": false + ] } }, { "azure_use_managed_identity": { + "required": false, "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", - "type": 
"boolean", "default": false, - "required": false + "type": "boolean" } }, { "azure_client_id": { + "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "type": "string", - "required": false, "referenceable": true } }, { "azure_client_secret": { + "encrypted": true, "type": "string", - "referenceable": true, + "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", - "encrypted": true, - "required": false + "referenceable": true } }, { "azure_tenant_id": { + "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "type": "string", - "required": false, "referenceable": true } }, { "gcp_use_service_account": { + "required": false, "description": "Use service account auth for GCP-based providers and models.", - "type": "boolean", "default": false, - "required": false + "type": "boolean" } }, { "gcp_service_account_json": { + "encrypted": true, "type": "string", - "referenceable": true, + "required": false, "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", - "encrypted": true, - "required": false + "referenceable": true } }, { "aws_access_key_id": { + "encrypted": true, "type": "string", - "referenceable": true, + "required": false, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", - "encrypted": true, - "required": false + "referenceable": true } }, { "aws_secret_access_key": { + "encrypted": true, "type": "string", - "referenceable": true, + "required": false, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", - "encrypted": true, - "required": false + "referenceable": true } }, { "allow_override": { + "required": false, "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", - "type": "boolean", "default": false, - "required": false + "type": "boolean" } } - ] + ], + "type": "record" } }, { "model": { - "type": "record", "required": true, "fields": [ { "provider": { + "required": true, "description": "AI provider format to use for embeddings API", "type": "string", "one_of": [ 
@@ -272,62 +262,61 @@ "azure", "bedrock", "gemini" - ], - "required": true + ] } }, { "name": { + "required": true, "description": "Model name to execute.", - "type": "string", - "required": true + "type": "string" } }, { "options": { - "description": "Key/value settings for the model", - "type": "record", "required": false, + "description": "Key/value settings for the model", "fields": [ { "upstream_url": { + "required": false, "description": "upstream url for the embeddings", - "type": "string", - "required": false + "type": "string" } }, { "azure": { - "type": "record", + "required": true, "fields": [ { "instance": { + "required": false, "description": "Instance name for Azure OpenAI hosted models.", - "type": "string", - "required": false + "type": "string" } }, { "api_version": { + "required": false, "description": "'api-version' for Azure OpenAI instances.", - "type": "string", "default": "2023-05-15", - "required": false + "type": "string" } }, { "deployment_id": { + "required": false, "description": "Deployment ID for Azure OpenAI instances.", - "type": "string", - "required": false + "type": "string" } } ], - "required": true + "type": "record" } }, { "bedrock": { + "required": false, "entity_checks": [ { "mutually_required": [ @@ -336,21 +325,19 @@ ] } ], - "type": "record", - "required": false, "fields": [ { "aws_region": { + "required": false, "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", - "type": "string", - "required": false + "type": "string" } }, { "aws_assume_role_arn": { + "required": false, "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", - "type": "string", - "required": false + "type": "string" } }, { 
@@ -361,15 +348,24 @@ }, { "aws_sts_endpoint_url": { - "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role.", - "type": "string" + "type": "string", + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." + } + }, + { + "embeddings_normalize": { + "default": false, + "description": "If using AWS providers (Bedrock), set to true to normalize the embeddings.", + "type": "boolean" } } - ] + ], + "type": "record" } }, { "gemini": { + "required": false, "entity_checks": [ { "mutually_required": [ 
@@ -379,95 +375,97 @@ ] } ], - "type": "record", - "required": false, "fields": [ { "api_endpoint": { + "required": false, "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", - "type": "string", - "required": false + "type": "string" } }, { "project_id": { + "required": false, "description": "If running Gemini on Vertex, specify the project ID.", - "type": "string", - "required": false + "type": "string" } }, { "location_id": { + "required": false, "description": "If running Gemini on Vertex, specify the location ID.", - "type": "string", - "required": false + "type": "string" } } - ] + ], + "type": "record" } }, { "huggingface": { - "type": "record", "required": false, "fields": [ { "use_cache": { + "required": false, "description": "Use the cache layer on the inference API", - "type": "boolean", - "required": false + "type": "boolean" } }, { "wait_for_model": { + "required": false, "description": "Wait for the model if it is not ready", - "type": "boolean", - "required": false + "type": "boolean" } } - ] + ], + "type": "record" } } - ] + ], + "type": "record" } } - ] + ], + "type": "record" } } - ] + ], + "type": "record" } }, { "vectordb": { - "type": "record", + "required": true, "fields": [ { "strategy": { + "required": true, "description": "which vector database driver to use", - "type": "string", "one_of": [ "redis", "pgvector" ], - "required": true + "type": "string" } }, { "dimensions": { + "required": true, "description": "the desired dimensionality for the vectors", - "type": "integer", - "required": true + "type": "integer" } }, { "distance_metric": { + "required": true, "description": "the distance metric to use for vector searches", - "type": "string", "one_of": [ "cosine", "euclidean" ], - "required": true + "type": "string" } }, { 
@@ -495,14 +493,14 @@ }, { "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", "if_field": "connection_is_proxied", "then_match": { "required": true - } + }, + "if_match": { + "eq": true + }, + "then_field": "host" } }, { @@ -534,6 +532,75 @@ } ], "type": "record", + "required": true, + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + } + } + }, + { + "sentinel_addresses": { + "len_min": 1, + "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "len_min": 1, + "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "elements": { + "type": "string" + }, + "type": "array" + } + } + ], "fields": [ { "host": { 
@@ -544,45 +611,45 @@ }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, { "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, { "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, { "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, @@ -595,9 +662,9 @@ }, { "password": { + "type": "string", "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "encrypted": true, - "type": "string", "referenceable": true } }, @@ -610,16 +677,16 @@ }, { "sentinel_password": { + "type": "string", "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "encrypted": true, - "type": "string", "referenceable": true } }, { "database": { - "description": "Database to use for the Redis connection when using the `redis` strategy", "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer" } }, 
@@ -637,11 +704,11 @@ { "keepalive_backlog": { "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer" } }, { 
@@ -653,269 +720,199 @@ { "sentinel_role": { "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string", "one_of": [ "master", "slave", "any" - ] + ], + "type": "string" } }, { "sentinel_nodes": { "type": "array", + "required": false, "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "elements": { "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string", + "required": true, "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } } ], "type": "record" }, - "required": false + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { "type": "array", + "required": false, "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "elements": { "fields": [ { "ip": { - "description": "A string representing a host name, such as example.com.", - "type": "string", + "required": true, "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } } ], "type": "record" }, - "required": false + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { - "description": "If set to true, uses SSL to connect to Redis.", + "required": false, "default": false, - "type": "boolean", - "required": false + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" } }, { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, "default": false, - "type": "boolean", - "required": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" } }, { "server_name": { + "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", - "type": "string", - "required": false + "type": "string" } }, { "cluster_max_redirections": { - "description": "Maximum retry attempts for redirection.", + "required": false, "default": 5, - "type": "integer", - "required": false + "description": "Maximum retry attempts for redirection.", + "type": "integer" } }, { "connection_is_proxied": { - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, "default": false, - "type": "boolean", - "required": false - } - } - ], - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ], - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "type": "array", - "elements": { - "type": "string" - }, - "deprecation": { - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ], - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" - }, - "len_min": 1 - } - }, - { - "cluster_addresses": { - "type": "array", - "elements": { - "type": "string" - }, - "deprecation": { - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ], - "message": "cluster_addresses is deprecated, please use cluster_nodes instead" - }, - "len_min": 1 + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" } } - ], - "required": true + ] } }, { "pgvector": { - "type": "record", "required": true, "fields": [ { "host": { "description": "the host of the pgvector database", - "type": "string", - "default": "127.0.0.1" + "default": "127.0.0.1", + "type": "string" } }, { "port": { "description": "the port of the pgvector database", - "type": "integer", - "default": 5432 + "default": 5432, + "type": "integer" } }, { "user": { + "referenceable": true, "description": "the user of the pgvector database", - "type": "string", "default": "postgres", - "referenceable": true + "type": "string" } }, { "password": { + "referenceable": true, "description": "the password of the pgvector database", - "type": "string", "encrypted": true, - "referenceable": true + "type": "string" } }, { "database": { "description": "the database of the pgvector database", - "type": "string", - "default": "kong-pgvector" + "default": "kong-pgvector", + "type": "string" } }, { "timeout": { "description": "the timeout of the pgvector database", - "type": "number", - "default": 5000 + "default": 5000, + "type": "number" } }, { "ssl": { "description": "whether to use ssl for the pgvector database", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "ssl_required": { "description": "whether ssl is required for the pgvector database", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "ssl_verify": { "description": "whether to verify ssl for the pgvector database", - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "ssl_version": { - "description": "the ssl version to use for the pgvector database", - "type": "string", "one_of": [ "tlsv1_2", "tlsv1_3", "any" ], - "default": "tlsv1_2" + "description": "the ssl version to use for the pgvector database", + "default": "tlsv1_2", + "type": "string" } }, { 
@@ -930,15 +927,25 @@ "type": "string" } } - ] + ], + "type": "record" } } ], - "required": true + "type": "record" } } ], - "required": true + "type": "record" + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.inject_template" + ] } } ] diff --git a/schemas/ai-rate-limiting-advanced/3.11.x.json b/schemas/ai-rate-limiting-advanced/3.11.x.json index 07010f21..9ca1fe74 100644 --- a/schemas/ai-rate-limiting-advanced/3.11.x.json +++ b/schemas/ai-rate-limiting-advanced/3.11.x.json @@ -11,15 +11,14 @@ "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -28,18 +27,20 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, "fields": [ { "identifier": { - "required": true, "type": "string", + "required": true, "default": "consumer", - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`. Note if `identifier` is `consumer-group`, the plugin must be applied on a consumer group entity. Because a consumer may belong to multiple consumer groups, the plugin needs to know explicitly which consumer group to limit the rate.", "one_of": [ "ip", "credential", 
@@ -53,9 +54,9 @@ }, { "window_type": { + "type": "string", "default": "sliding", "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", - "type": "string", "one_of": [ "fixed", "sliding" @@ -70,21 +71,25 @@ }, { "llm_providers": { + "required": true, + "description": "The provider config. Takes an array of `name`, `limit` and `window size` values.", "elements": { - "type": "record", "fields": [ { "window_size": { - "description": "The window size to apply a limit (defined in seconds).", "required": true, - "type": "number" + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "elements": { + "type": "number" + }, + "type": "array" } }, { "name": { - "type": "string", - "description": "The LLM provider to which the rate limit applies.", "required": true, + "description": "The LLM provider to which the rate limit applies.", + "type": "string", "one_of": [ "openai", "azure", 
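Review bot: In `llm_providers`, `window_size` becomes an array of numbers with no `len_min`, and the `limit` change in the following hunk (`@@ -101,22 +106,24 @@`) has the same gap, so as far as the schema shows an empty array satisfies `"required": true`. Both descriptions say the number of limits and sizes must match, but neither hunk shows an entity check that enforces it; that may live in plugin code outside this diff. A provider entry that validates yet carries no usable limit weakens a rate-limiting control, so I would add `"len_min": 1` to both fields, as `sentinel_nodes` and `cluster_nodes` in the same schema already do. The type change from `number` to `array` also deserves a line in the upgrade notes, since existing scalar configurations will presumably stop validating.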
@@ -101,22 +106,24 @@ }, { "limit": { - "description": "The limit applies to the LLM provider within the defined window size. It used the query cost from the tokens to increment the counter.", "required": true, - "type": "number" + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "elements": { + "type": "number" + }, + "type": "array" } } - ] + ], + "type": "record" }, - "description": "The provider config. Takes an array of `name`, `limit` and `window size` values.", - "required": true, "type": "array" } }, { "strategy": { - "required": true, "type": "string", + "required": true, "default": "local", "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "one_of": [ @@ -128,23 +135,23 @@ }, { "dictionary_name": { + "required": true, "default": "kong_rate_limiting_counters", "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", - "required": true, "type": "string" } }, { "hide_client_headers": { - "default": false, "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "default": false, "type": "boolean" } }, { "retry_after_jitter_max": { - "default": 0, "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "default": 0, "type": "number" } }, 
@@ -156,21 +163,19 @@ }, { "path": { - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "err": "must not have empty segments", "pattern": "//" } ], + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/", "type": "string" } }, { "redis": { - "required": true, - "type": "record", "entity_checks": [ { "mutually_required": [ @@ -194,14 +199,14 @@ }, { "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", "if_field": "connection_is_proxied", "then_match": { "required": true - } + }, + "if_match": { + "eq": true + }, + "then_field": "host" } }, { @@ -232,12 +237,13 @@ } } ], + "type": "record", + "required": true, "shorthand_fields": [ { "timeout": { + "type": "integer", "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -254,47 +260,48 @@ "read_timeout" ] } - ] - }, - "type": "integer" + ], + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + } } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, "len_min": 1, "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "elements": { + "type": "string" }, "type": "array" } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, "len_min": 1, "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "elements": { + "type": "string" }, "type": "array" } @@ -303,8 +310,8 @@ "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, @@ -361,9 +368,9 @@ }, { "password": { - "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, "type": "string" } }, 
@@ -376,23 +383,23 @@ }, { "sentinel_password": { - "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "referenceable": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, "type": "string" } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, "between": [ 1, 2147483646 
@@ -402,11 +409,11 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "type": "integer" } }, @@ -429,16 +436,16 @@ }, { "sentinel_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { - "type": "record", "fields": [ { "host": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -453,24 +460,24 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { - "type": "record", "fields": [ { "ip": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -485,48 +492,48 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { + "required": false, "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "required": false, "type": "boolean" } }, { "ssl_verify": { + "required": false, "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string" } }, { "cluster_max_redirections": { + "required": false, "default": 5, "description": "Maximum retry attempts for redirection.", - "required": false, "type": "integer" } }, { "connection_is_proxied": { + "required": false, "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "required": false, "type": "boolean" } } 
@@ -535,44 +542,44 @@ }, { "disable_penalty": { - "default": false, "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type and the request prompt provider.", + "default": false, "type": "boolean" } }, { "request_prompt_count_function": { - "description": "If defined, it use custom function to count requests for the request prompt provider", "required": false, + "description": "If defined, it use custom function to count requests for the request prompt provider", "type": "string" } }, { "error_code": { - "gt": 0, "description": "Set a custom error code to return when the rate limit is exceeded.", "default": 429, + "gt": 0, "type": "number" } }, { "error_message": { - "default": "AI token rate limit exceeded for provider(s): ", "description": "Set a custom error message to return when the rate limit is exceeded.", + "default": "AI token rate limit exceeded for provider(s): ", "type": "string" } }, { "error_hide_providers": { - "default": false, "description": "Optionally hide informative response that would otherwise provide information about the provider in the error message.", + "default": false, "type": "boolean" } }, { "tokens_count_strategy": { - "required": true, "type": "string", + "required": true, "default": "total_tokens", "description": "What tokens to use for cost calculation. Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` or `cost`.", "one_of": [ @@ -582,11 +589,30 @@ "cost" ] } + }, + { + "llm_format": { + "type": "string", + "required": false, + "default": "openai", + "description": "LLM input and output format and schema to use", + "one_of": [ + "openai", + "bedrock", + "gemini", + "cohere", + "huggingface" + ] + } } ], - "required": true, "type": "record" } } - ] + ], + "supported_partials": { + "redis-ee": [ + "config.redis" + ] + } } \ No newline at end of file 
diff --git a/schemas/ai-request-transformer/3.11.x.json b/schemas/ai-request-transformer/3.11.x.json index 1373c841..62980c47 100644 --- a/schemas/ai-request-transformer/3.11.x.json +++ b/schemas/ai-request-transformer/3.11.x.json @@ -1,45 +1,15 @@ { - "entity_checks": [ - { - "conditional": { - "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", - "if_match": { - "not_one_of": [ - "llm/v1/chat" - ] - }, - "then_field": "config.llm.route_type", - "if_field": "config.llm.route_type", - "then_match": { - "eq": "llm/v1/chat" - } - } - }, - { - "mutually_required": [ - "config.http_proxy_host", - "config.http_proxy_port" - ] - }, - { - "mutually_required": [ - "config.https_proxy_host", - "config.https_proxy_port" - ] - } - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -48,55 +18,57 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "prompt": { - "description": "Use this prompt to tune the LLM system/assistant message for the incoming proxy request (from the client), and what you are expecting in return.", "required": true, + "description": "Use this prompt to tune the LLM system/assistant message for the incoming proxy request (from the client), and what you are expecting in return.", "type": "string" } }, { "transformation_extract_pattern": { - "description": "Defines the regular expression that must match to indicate a successful AI transformation at the request phase. The first match will be set as the outgoing body. If the AI service's response doesn't match this pattern, it is marked as a failure.", "required": false, + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the request phase. The first match will be set as the outgoing body. 
If the AI service's response doesn't match this pattern, it is marked as a failure.", "type": "string" } }, { "http_timeout": { - "default": 60000, - "description": "Timeout in milliseconds for the AI upstream service.", "required": true, + "description": "Timeout in milliseconds for the AI upstream service.", + "default": 60000, "type": "integer" } }, { "https_verify": { - "default": true, - "description": "Verify the TLS certificate of the AI upstream service.", "required": true, + "description": "Verify the TLS certificate of the AI upstream service.", + "default": true, "type": "boolean" } }, { "max_request_body_size": { - "gt": 0, - "description": "max allowed body size allowed to be introspected", "default": 8192, + "description": "max allowed body size allowed to be introspected. 0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size.", + "gt": 0, "type": "integer" } }, @@ -108,11 +80,11 @@ }, { "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, @@ -124,19 +96,24 @@ }, { "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, { "llm": { + "required": true, "entity_checks": [ { "conditional": { + "if_field": "model.provider", + "then_match": { + "eq": false + }, "then_err": "bedrock and gemini only support auth.allow_override = false", "if_match": { "one_of": [ @@ -144,11 +121,7 @@ "gemini" ] }, - "then_field": "auth.allow_override", - "if_field": "model.provider", - "then_match": { - "eq": false - } + "then_field": "auth.allow_override" } }, { 
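Review bot: In `max_request_body_size` the new description says "0 means unlimited", but the field still carries `"gt": 0`, which presumably rejects 0 at validation time, so the documented setting looks unreachable. If the plugin does not treat 0 specially, drop that sentence and keep the description as `"max allowed body size allowed to be introspected"`. If it does, replace `gt` with a range that starts at 0, for example `"between": [ 0, 2147483646 ]` (upper bound borrowed from the timeout fields in this schema, to be confirmed). An explicit cap is the safer default here because the request body is buffered and passed to the LLM upstream, so the description should not encourage an unlimited value without stating that cost.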
@@ -166,100 +139,100 @@ }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for llama2 provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.llama2_format" - ] + "then_err": "must set %s for llama2 provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ], "if_match": { "one_of": [ "mistral" ] }, - "then_err": "must set %s for mistral provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.mistral_format" - ] + "then_err": "must set %s for mistral provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], "if_match": { "one_of": [ "anthropic" ] }, - "then_err": "must set %s for anthropic provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.anthropic_version" - ] + "then_err": "must set %s for anthropic provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_instance" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_api_version" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + 
"model.options.azure_deployment_id" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_deployment_id" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for self-hosted providers/models", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.upstream_url" - ] + "then_err": "must set %s for self-hosted providers/models" } }, { @@ -270,39 +243,47 @@ "logging" ] } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model" + ] + } } ], "fields": [ { "route_type": { - "type": "string", - "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", "required": true, + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "type": "string", "one_of": [ "llm/v1/chat", "llm/v1/completions", + "llm/v1/embeddings", "preserve" ] } }, { "auth": { - "type": "record", "required": false, "fields": [ { "header_name": { "required": false, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "header_value": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "referenceable": true } 
@@ -311,24 +292,24 @@ "param_name": { "required": false, "description": "If AI model requires authentication via query parameter, specify its name here.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "param_value": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Specify the full parameter value for 'param_name'.", "referenceable": true } }, { "param_location": { - "type": "string", - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "required": false, + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "one_of": [ "query", "body" @@ -337,9 +318,9 @@ }, { "azure_use_managed_identity": { - "default": false, - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "required": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "default": false, "type": "boolean" } }, @@ -347,15 +328,15 @@ "azure_client_id": { "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "azure_client_secret": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "referenceable": true } 
@@ -364,23 +345,23 @@ "azure_tenant_id": { "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "gcp_use_service_account": { - "default": false, - "description": "Use service account auth for GCP-based providers and models.", "required": false, + "description": "Use service account auth for GCP-based providers and models.", + "default": false, "type": "boolean" } }, { "gcp_service_account_json": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "referenceable": true } @@ -388,8 +369,8 @@ { "aws_access_key_id": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "referenceable": true } 
@@ -397,33 +378,33 @@ { "aws_secret_access_key": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "referenceable": true } }, { "allow_override": { - "default": false, - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "required": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "default": false, "type": "boolean" } } - ] + ], + "type": "record" } }, { "model": { - "type": "record", "required": true, "fields": [ { "provider": { - "type": "string", - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "required": true, + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "type": "string", "one_of": [ "openai", "azure", 
@@ -439,108 +420,106 @@ }, { "name": { - "description": "Model name to execute.", "required": false, + "description": "Model name to execute.", "type": "string" } }, { "options": { - "type": "record", - "description": "Key/value settings for the model", "required": false, + "description": "Key/value settings for the model", "fields": [ { "max_tokens": { - "default": 256, - "description": "Defines the max_tokens, if using chat or completion models.", "required": false, + "description": "Defines the max_tokens, if using chat or completion models.", "type": "integer" } }, { "input_cost": { - "gt": 0, - "description": "Defines the cost per 1M tokens in your prompt.", "required": false, + "description": "Defines the cost per 1M tokens in your prompt.", + "gt": 0, "type": "number" } }, { "output_cost": { - "gt": 0, - "description": "Defines the cost per 1M tokens in the output of the AI.", "required": false, + "description": "Defines the cost per 1M tokens in the output of the AI.", + "gt": 0, "type": "number" } }, { "temperature": { + "required": false, + "description": "Defines the matching temperature, if using chat or completion models.", "between": [ 0, 5 ], - "description": "Defines the matching temperature, if using chat or completion models.", - "required": false, "type": "number" } }, { "top_p": { + "required": false, + "description": "Defines the top-p probability mass, if supported.", "between": [ 0, 1 ], - "description": "Defines the top-p probability mass, if supported.", - "required": false, "type": "number" } }, { "top_k": { + "required": false, + "description": "Defines the top-k most likely tokens, if supported.", "between": [ 0, 500 ], - "description": "Defines the top-k most likely tokens, if supported.", - "required": false, "type": "integer" } }, { "anthropic_version": { - "description": "Defines the schema/API version, if using Anthropic provider.", "required": false, + "description": "Defines the schema/API version, if using Anthropic provider.", 
"type": "string" } }, { "azure_instance": { - "description": "Instance name for Azure OpenAI hosted models.", "required": false, + "description": "Instance name for Azure OpenAI hosted models.", "type": "string" } }, { "azure_api_version": { - "default": "2023-05-15", - "description": "'api-version' for Azure OpenAI instances.", "required": false, + "description": "'api-version' for Azure OpenAI instances.", + "default": "2023-05-15", "type": "string" } }, { "azure_deployment_id": { - "description": "Deployment ID for Azure OpenAI instances.", "required": false, + "description": "Deployment ID for Azure OpenAI instances.", "type": "string" } }, { "llama2_format": { - "type": "string", - "description": "If using llama2 provider, select the upstream message format.", "required": false, + "description": "If using llama2 provider, select the upstream message format.", + "type": "string", "one_of": [ "raw", "openai", @@ -550,9 +529,9 @@ }, { "mistral_format": { - "type": "string", - "description": "If using mistral provider, select the upstream message format.", "required": false, + "description": "If using mistral provider, select the upstream message format.", + "type": "string", "one_of": [ "openai", "ollama" 
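Review bot: `max_tokens` loses its `"default": 256` in this hunk while its description is unchanged, so the schema no longer tells an operator what limit applies when the field is left unset. Presumably the provider's own default then governs response length and cost; that should be confirmed and stated in the text, e.g. `"description": "Defines the max_tokens, if using chat or completion models. If unset, the provider default applies."`. The enclosing `options` record continues outside this hunk.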
@@ -561,20 +540,33 @@ }, { "upstream_url": { - "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", "required": false, + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", "type": "string" } }, { "upstream_path": { - "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", "required": false, + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "deprecation": { + "message": "llm: config.model.options.upstream_path is deprecated, please use config.model.options.upstream_url instead", + "removal_in_version": "4.0" + }, "type": "string" } }, + { + "embeddings_dimensions": { + "required": false, + "description": "If using embeddings models, set the number of dimensions to generate.", + "gt": 0, + "type": "integer" + } + }, { "gemini": { + "required": false, "entity_checks": [ { "mutually_required": [ 
@@ -584,109 +576,201 @@ ] } ], - "type": "record", - "required": false, "fields": [ { "api_endpoint": { - "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", "required": false, + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", "type": "string" } }, { "project_id": { - "description": "If running Gemini on Vertex, specify the project ID.", "required": false, + "description": "If running Gemini on Vertex, specify the project ID.", "type": "string" } }, { "location_id": { - "description": "If running Gemini on Vertex, specify the location ID.", "required": false, + "description": "If running Gemini on Vertex, specify the location ID.", "type": "string" } } - ] + ], + "type": "record" } }, { "bedrock": { - "type": "record", "required": false, + "entity_checks": [ + { + "mutually_required": [ + "aws_assume_role_arn", + "aws_role_session_name" + ] + } + ], "fields": [ { "aws_region": { + "required": false, "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + }, + { + "aws_assume_role_arn": { "required": false, + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + } + }, + { + "aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", "type": "string" } + }, + { + "aws_sts_endpoint_url": { + "type": "string", + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." 
+ } + }, + { + "embeddings_normalize": { + "default": false, + "description": "If using AWS providers (Bedrock), set to true to normalize the embeddings.", + "type": "boolean" + } } - ] + ], + "type": "record" } }, { "huggingface": { - "type": "record", "required": false, "fields": [ { "use_cache": { - "description": "Use the cache layer on the inference API", "required": false, + "description": "Use the cache layer on the inference API", "type": "boolean" } }, { "wait_for_model": { + "required": false, "description": "Wait for the model if it is not ready", + "type": "boolean" + } + } + ], + "type": "record" + } + }, + { + "cohere": { + "required": false, + "fields": [ + { + "embedding_input_type": { + "type": "string", "required": false, + "default": "classification", + "description": "The purpose of the input text to calculate embedding vectors.", + "one_of": [ + "search_document", + "search_query", + "classification", + "clustering", + "image" + ] + } + }, + { + "wait_for_model": { + "required": false, + "description": "Wait for the model if it is not ready", "type": "boolean" } } - ] + ], + "type": "record" } } - ] + ], + "type": "record" } } - ] + ], + "type": "record" } }, { "logging": { - "type": "record", "required": true, "fields": [ { "log_statistics": { - "default": false, - "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", "required": true, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "default": false, "type": "boolean" } }, { "log_payloads": { - "default": false, - "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", "required": true, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "default": false, "type": "boolean" } } - ] + ], + "type": "record" } } ], - "required": 
true, "type": "record" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "config.llm.route_type", + "then_match": { + "eq": "llm/v1/chat" + }, + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "then_field": "config.llm.route_type" + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } ] } \ No newline at end of file diff --git a/schemas/ai-response-transformer/3.11.x.json b/schemas/ai-response-transformer/3.11.x.json index 30d69cd6..d3855ea2 100644 --- a/schemas/ai-response-transformer/3.11.x.json +++ b/schemas/ai-response-transformer/3.11.x.json @@ -1,45 +1,15 @@ { - "entity_checks": [ - { - "conditional": { - "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", - "if_match": { - "not_one_of": [ - "llm/v1/chat" - ] - }, - "then_field": "config.llm.route_type", - "if_field": "config.llm.route_type", - "then_match": { - "eq": "llm/v1/chat" - } - } - }, - { - "mutually_required": [ - "config.http_proxy_host", - "config.http_proxy_port" - ] - }, - { - "mutually_required": [ - "config.https_proxy_host", - "config.https_proxy_port" - ] - } - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
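Review bot: In the new `bedrock` fields, `aws_role_session_name` does not say it is mandatory once `aws_assume_role_arn` is set, although the added `mutually_required` check enforces exactly that; the description could read `"If using AWS providers (Bedrock), set the identifier of the assumed role session. Must be set together with aws_assume_role_arn."`. `aws_sts_endpoint_url` is a plain `string` with no format constraint, and the role-assumption request goes to whatever host it names, so its description should tell operators to use only an HTTPS STS endpoint they trust. `aws_role_session_name`, `aws_sts_endpoint_url` and `embeddings_normalize` also omit the `"required": false` that the sibling fields state. The same additions appear in the matching hunk of `schemas/ai-response-transformer/3.11.x.json`, which runs past the end of this view.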
@@ -48,54 +18,56 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, "fields": [ { "prompt": { - "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting.", "required": true, + "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting.", "type": "string" } }, { "transformation_extract_pattern": { - "description": "Defines the regular expression that must match to indicate a successful AI transformation at the response phase. The first match will be set as the returning body. If the AI service's response doesn't match this pattern, a failure is returned to the client.", "required": false, + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the response phase. The first match will be set as the returning body. If the AI service's response doesn't match this pattern, a failure is returned to the client.", "type": "string" } }, { "parse_llm_response_json_instructions": { + "required": true, "default": false, "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. 
You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions.", - "required": true, "type": "boolean" } }, { "http_timeout": { + "required": true, "default": 60000, "description": "Timeout in milliseconds for the AI upstream service.", - "required": true, "type": "integer" } }, { "https_verify": { + "required": true, "default": true, "description": "Verify the TLS certificate of the AI upstream service.", - "required": true, "type": "boolean" } }, { "max_request_body_size": { "default": 8192, - "description": "max allowed body size allowed to be introspected", + "description": "max allowed body size allowed to be introspected. 0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size.", "gt": 0, "type": "integer" } @@ -108,11 +80,11 @@ }, { "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, @@ -124,19 +96,24 @@ }, { "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, { "llm": { + "required": true, "entity_checks": [ { "conditional": { + "if_field": "model.provider", + "then_match": { + "eq": false + }, "then_err": "bedrock and gemini only support auth.allow_override = false", "if_match": { "one_of": [ @@ -144,11 +121,7 @@ "gemini" ] }, - "then_field": "auth.allow_override", - "if_field": "model.provider", - "then_match": { - "eq": false - } + "then_field": "auth.allow_override" } }, { 
@@ -166,100 +139,100 @@ }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for llama2 provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.llama2_format" - ] + "then_err": "must set %s for llama2 provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ], "if_match": { "one_of": [ "mistral" ] }, - "then_err": "must set %s for mistral provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.mistral_format" - ] + "then_err": "must set %s for mistral provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], "if_match": { "one_of": [ "anthropic" ] }, - "then_err": "must set %s for anthropic provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.anthropic_version" - ] + "then_err": "must set %s for anthropic provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_instance" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_api_version" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + 
"model.options.azure_deployment_id" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_deployment_id" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for self-hosted providers/models", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.upstream_url" - ] + "then_err": "must set %s for self-hosted providers/models" } }, { @@ -270,39 +243,47 @@ "logging" ] } + }, + { + "custom_entity_check": { + "field_sources": [ + "route_type", + "model" + ] + } } ], "fields": [ { "route_type": { - "type": "string", - "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", "required": true, + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "type": "string", "one_of": [ "llm/v1/chat", "llm/v1/completions", + "llm/v1/embeddings", "preserve" ] } }, { "auth": { - "type": "record", "required": false, "fields": [ { "header_name": { "required": false, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "header_value": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "referenceable": true } 
@@ -311,24 +292,24 @@ "param_name": { "required": false, "description": "If AI model requires authentication via query parameter, specify its name here.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "param_value": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Specify the full parameter value for 'param_name'.", "referenceable": true } }, { "param_location": { - "type": "string", - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "required": false, + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "one_of": [ "query", "body" @@ -337,9 +318,9 @@ }, { "azure_use_managed_identity": { - "default": false, - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "required": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "default": false, "type": "boolean" } }, @@ -347,15 +328,15 @@ "azure_client_id": { "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "azure_client_secret": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "referenceable": true } 
@@ -364,23 +345,23 @@ "azure_tenant_id": { "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "gcp_use_service_account": { - "default": false, - "description": "Use service account auth for GCP-based providers and models.", "required": false, + "description": "Use service account auth for GCP-based providers and models.", + "default": false, "type": "boolean" } }, { "gcp_service_account_json": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "referenceable": true } @@ -388,8 +369,8 @@ { "aws_access_key_id": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "referenceable": true } 
@@ -397,33 +378,33 @@ { "aws_secret_access_key": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "referenceable": true } }, { "allow_override": { - "default": false, - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "required": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "default": false, "type": "boolean" } } - ] + ], + "type": "record" } }, { "model": { - "type": "record", "required": true, "fields": [ { "provider": { - "type": "string", - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", "required": true, + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "type": "string", "one_of": [ "openai", "azure", 
@@ -439,108 +420,106 @@ }, { "name": { - "description": "Model name to execute.", "required": false, + "description": "Model name to execute.", "type": "string" } }, { "options": { - "type": "record", - "description": "Key/value settings for the model", "required": false, + "description": "Key/value settings for the model", "fields": [ { "max_tokens": { - "default": 256, - "description": "Defines the max_tokens, if using chat or completion models.", "required": false, + "description": "Defines the max_tokens, if using chat or completion models.", "type": "integer" } }, { "input_cost": { - "gt": 0, - "description": "Defines the cost per 1M tokens in your prompt.", "required": false, + "description": "Defines the cost per 1M tokens in your prompt.", + "gt": 0, "type": "number" } }, { "output_cost": { - "gt": 0, - "description": "Defines the cost per 1M tokens in the output of the AI.", "required": false, + "description": "Defines the cost per 1M tokens in the output of the AI.", + "gt": 0, "type": "number" } }, { "temperature": { + "required": false, + "description": "Defines the matching temperature, if using chat or completion models.", "between": [ 0, 5 ], - "description": "Defines the matching temperature, if using chat or completion models.", - "required": false, "type": "number" } }, { "top_p": { + "required": false, + "description": "Defines the top-p probability mass, if supported.", "between": [ 0, 1 ], - "description": "Defines the top-p probability mass, if supported.", - "required": false, "type": "number" } }, { "top_k": { + "required": false, + "description": "Defines the top-k most likely tokens, if supported.", "between": [ 0, 500 ], - "description": "Defines the top-k most likely tokens, if supported.", - "required": false, "type": "integer" } }, { "anthropic_version": { - "description": "Defines the schema/API version, if using Anthropic provider.", "required": false, + "description": "Defines the schema/API version, if using Anthropic provider.", 
"type": "string" } }, { "azure_instance": { - "description": "Instance name for Azure OpenAI hosted models.", "required": false, + "description": "Instance name for Azure OpenAI hosted models.", "type": "string" } }, { "azure_api_version": { - "default": "2023-05-15", - "description": "'api-version' for Azure OpenAI instances.", "required": false, + "description": "'api-version' for Azure OpenAI instances.", + "default": "2023-05-15", "type": "string" } }, { "azure_deployment_id": { - "description": "Deployment ID for Azure OpenAI instances.", "required": false, + "description": "Deployment ID for Azure OpenAI instances.", "type": "string" } }, { "llama2_format": { - "type": "string", - "description": "If using llama2 provider, select the upstream message format.", "required": false, + "description": "If using llama2 provider, select the upstream message format.", + "type": "string", "one_of": [ "raw", "openai", @@ -550,9 +529,9 @@ }, { "mistral_format": { - "type": "string", - "description": "If using mistral provider, select the upstream message format.", "required": false, + "description": "If using mistral provider, select the upstream message format.", + "type": "string", "one_of": [ "openai", "ollama" 
@@ -561,20 +540,33 @@ }, { "upstream_url": { - "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", "required": false, + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", "type": "string" } }, { "upstream_path": { - "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", "required": false, + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", + "deprecation": { + "message": "llm: config.model.options.upstream_path is deprecated, please use config.model.options.upstream_url instead", + "removal_in_version": "4.0" + }, "type": "string" } }, + { + "embeddings_dimensions": { + "required": false, + "description": "If using embeddings models, set the number of dimensions to generate.", + "gt": 0, + "type": "integer" + } + }, { "gemini": { + "required": false, "entity_checks": [ { "mutually_required": [ 
@@ -584,109 +576,201 @@ ] } ], - "type": "record", - "required": false, "fields": [ { "api_endpoint": { - "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", "required": false, + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", "type": "string" } }, { "project_id": { - "description": "If running Gemini on Vertex, specify the project ID.", "required": false, + "description": "If running Gemini on Vertex, specify the project ID.", "type": "string" } }, { "location_id": { - "description": "If running Gemini on Vertex, specify the location ID.", "required": false, + "description": "If running Gemini on Vertex, specify the location ID.", "type": "string" } } - ] + ], + "type": "record" } }, { "bedrock": { - "type": "record", "required": false, + "entity_checks": [ + { + "mutually_required": [ + "aws_assume_role_arn", + "aws_role_session_name" + ] + } + ], "fields": [ { "aws_region": { + "required": false, "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + }, + { + "aws_assume_role_arn": { "required": false, + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + } + }, + { + "aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", "type": "string" } + }, + { + "aws_sts_endpoint_url": { + "type": "string", + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." 
+ } + }, + { + "embeddings_normalize": { + "default": false, + "description": "If using AWS providers (Bedrock), set to true to normalize the embeddings.", + "type": "boolean" + } } - ] + ], + "type": "record" } }, { "huggingface": { - "type": "record", "required": false, "fields": [ { "use_cache": { - "description": "Use the cache layer on the inference API", "required": false, + "description": "Use the cache layer on the inference API", "type": "boolean" } }, { "wait_for_model": { + "required": false, "description": "Wait for the model if it is not ready", + "type": "boolean" + } + } + ], + "type": "record" + } + }, + { + "cohere": { + "required": false, + "fields": [ + { + "embedding_input_type": { + "type": "string", "required": false, + "default": "classification", + "description": "The purpose of the input text to calculate embedding vectors.", + "one_of": [ + "search_document", + "search_query", + "classification", + "clustering", + "image" + ] + } + }, + { + "wait_for_model": { + "required": false, + "description": "Wait for the model if it is not ready", "type": "boolean" } } - ] + ], + "type": "record" } } - ] + ], + "type": "record" } } - ] + ], + "type": "record" } }, { "logging": { - "type": "record", "required": true, "fields": [ { "log_statistics": { - "default": false, - "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", "required": true, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", + "default": false, "type": "boolean" } }, { "log_payloads": { - "default": false, - "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", "required": true, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", + "default": false, "type": "boolean" } } - ] + ], + "type": "record" } } ], - "required": 
true, "type": "record" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "config.llm.route_type", + "then_match": { + "eq": "llm/v1/chat" + }, + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "then_field": "config.llm.route_type" + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } ] } \ No newline at end of file diff --git a/schemas/ai-sanitizer/3.11.x.json b/schemas/ai-sanitizer/3.11.x.json index e2540b8c..cd2095cf 100644 --- a/schemas/ai-sanitizer/3.11.x.json +++ b/schemas/ai-sanitizer/3.11.x.json @@ -1,16 +1,15 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
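Review bot: The added `bedrock.aws_sts_endpoint_url` field is a bare `string` with no visible scheme or host constraint, and its description does not say which endpoints are acceptable. The temporary credentials for the assumed role are returned by whatever this URL points at, so the text should steer operators to a TLS endpoint, e.g. `"description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role. Use an https:// AWS regional or VPC endpoint."`. The same field is added again in the ai-semantic-cache hunk `@@ -209,102 +264,247 @@`. Since these files are pulled from the API, the wording presumably has to change in the plugin schema upstream.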
@@ -20,68 +19,63 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "type": "set", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", + "required": true, "fields": [ { "host": { - "description": "The host of the sanitizer", - "type": "string", + "required": true, "default": "localhost", - "required": true + "description": "The host of the sanitizer", + "type": "string" } }, { "port": { - "description": "The port of the sanitizer", - "type": "number", + "required": true, "default": 8080, - "required": true + "description": "The port of the sanitizer", + "type": "number" } }, { "scheme": { - "description": "The protocol can be http and https", - "type": "string", + "required": true, "default": "http", - "required": true + "description": "The protocol can be http and https", + "type": "string" } }, { "timeout": { - "description": "Connection timeout with the sanitizer", "default": 10000, + "description": "Connection timeout with the sanitizer", "type": "number" } }, { "keepalive_timeout": { - "description": "The keepalive timeout for the established http connnection", "default": 60000, + "description": "The keepalive timeout for the established http connnection", "type": "number" } }, { "stop_on_error": { - "description": "Stop processing if an error occurs", "default": true, + "description": "Stop processing if an error occurs", "type": "boolean" } }, { "anonymize": { + "type": "array", + "required": true, + "description": "List of types to be anonymized", "elements": { "type": "string", "one_of": [ 
@@ -107,26 +101,23 @@ "all_and_credentials" ] }, - "description": "List of types to be anonymized", "default": [ "all_and_credentials" - ], - "type": "array", - "required": true + ] } }, { "recover_redacted": { - "description": "Whether to recover redacted data", "default": true, + "description": "Whether to recover redacted data", "type": "boolean" } }, { "redact_type": { + "type": "string", "description": "What value to be used to redacted to", "default": "placeholder", - "type": "string", "one_of": [ "placeholder", "synthetic" @@ -136,10 +127,9 @@ { "custom_patterns": { "type": "array", - "len_min": 1, + "required": false, "description": "List of custom patterns to be used for anonymization", "elements": { - "type": "record", "fields": [ { "name": { @@ -155,22 +145,32 @@ }, { "score": { + "required": true, + "default": 0.5, "between": [ 0, 1 ], - "type": "number", - "default": 0.5, - "required": true + "type": "number" } } - ] + ], + "type": "record" }, - "required": false + "len_min": 1 } } ], - "required": true + "type": "record" + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/ai-semantic-cache/3.11.x.json b/schemas/ai-semantic-cache/3.11.x.json index afa47df0..4ae8b957 100644 --- a/schemas/ai-semantic-cache/3.11.x.json +++ b/schemas/ai-semantic-cache/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -22,16 +18,18 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, "fields": [ { "message_countback": { - "default": 1, "description": "Number of messages in the chat history to Vectorize/Cache", + "default": 1, "between": [ 1, 1000 
@@ -41,80 +39,137 @@ }, { "ignore_system_prompts": { - "default": false, "description": "Ignore and discard any system prompts when Vectorizing the request", + "default": false, "type": "boolean" } }, { "ignore_assistant_prompts": { - "default": false, "description": "Ignore and discard any assistant prompts when Vectorizing the request", + "default": false, "type": "boolean" } }, { "ignore_tool_prompts": { - "default": false, "description": "Ignore and discard any tool prompts when Vectorizing the request", + "default": false, "type": "boolean" } }, { "stop_on_failure": { + "required": true, "default": false, "description": "Halt the LLM request process in case of a caching system failure", - "required": true, "type": "boolean" } }, { "cache_ttl": { - "default": 300, "description": "TTL in seconds of cache entities. Must be a value greater than 0.", + "default": 300, "gt": 0, "type": "integer" } }, { "cache_control": { + "required": true, "default": false, "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", - "required": true, "type": "boolean" } }, { "exact_caching": { + "required": true, "default": false, "description": "When enabled, a first check for exact query will be done. 
It will impact DB size", - "required": true, "type": "boolean" } }, + { + "llm_format": { + "type": "string", + "required": false, + "default": "openai", + "description": "LLM input and output format and schema to use", + "one_of": [ + "openai", + "bedrock", + "gemini", + "cohere", + "huggingface" + ] + } + }, { "embeddings": { - "type": "record", "required": true, + "entity_checks": [ + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.instance" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.api_version" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.deployment_id" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + } + ], "fields": [ { "auth": { - "type": "record", "required": false, "fields": [ { "header_name": { "required": false, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "header_value": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "referenceable": true } 
@@ -123,24 +178,24 @@ "param_name": { "required": false, "description": "If AI model requires authentication via query parameter, specify its name here.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "param_value": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Specify the full parameter value for 'param_name'.", "referenceable": true } }, { "param_location": { - "type": "string", - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "required": false, + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "one_of": [ "query", "body" @@ -149,9 +204,9 @@ }, { "azure_use_managed_identity": { - "default": false, - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "required": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "default": false, "type": "boolean" } }, @@ -159,15 +214,15 @@ "azure_client_id": { "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "azure_client_secret": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "referenceable": true } 
@@ -176,23 +231,23 @@ "azure_tenant_id": { "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "gcp_use_service_account": { - "default": false, - "description": "Use service account auth for GCP-based providers and models.", "required": false, + "description": "Use service account auth for GCP-based providers and models.", + "default": false, "type": "boolean" } }, { "gcp_service_account_json": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "referenceable": true } @@ -200,8 +255,8 @@ { "aws_access_key_id": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "referenceable": true } 
@@ -209,102 +264,247 @@ { "aws_secret_access_key": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "referenceable": true } }, { "allow_override": { - "default": false, - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "required": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "default": false, "type": "boolean" } } - ] + ], + "type": "record" } }, { "model": { - "type": "record", "required": true, "fields": [ { "provider": { - "type": "string", - "description": "AI provider format to use for embeddings API", "required": true, + "description": "AI provider format to use for embeddings API", + "type": "string", "one_of": [ "openai", - "mistral" + "mistral", + "huggingface", + "azure", + "bedrock", + "gemini" ] } }, { "name": { - "description": "Model name to execute.", "required": true, + "description": "Model name to execute.", "type": "string" } }, { "options": { - "type": "record", - "description": "Key/value settings for the model", "required": false, + "description": "Key/value settings for the model", "fields": [ { "upstream_url": { - "description": "upstream url for the embeddings", "required": false, + "description": "upstream url for the embeddings", "type": "string" } + }, + { + "azure": { + "required": true, + "fields": [ + { + "instance": { + "required": false, + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + } + }, + { + "api_version": { + "required": false, + "description": "'api-version' for Azure OpenAI instances.", + "default": "2023-05-15", + "type": "string" 
+ } + }, + { + "deployment_id": { + "required": false, + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + } + } + ], + "type": "record" + } + }, + { + "bedrock": { + "required": false, + "entity_checks": [ + { + "mutually_required": [ + "aws_assume_role_arn", + "aws_role_session_name" + ] + } + ], + "fields": [ + { + "aws_region": { + "required": false, + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + }, + { + "aws_assume_role_arn": { + "required": false, + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + } + }, + { + "aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" + } + }, + { + "aws_sts_endpoint_url": { + "type": "string", + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." 
+ } + }, + { + "embeddings_normalize": { + "default": false, + "description": "If using AWS providers (Bedrock), set to true to normalize the embeddings.", + "type": "boolean" + } + } + ], + "type": "record" + } + }, + { + "gemini": { + "required": false, + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], + "fields": [ + { + "api_endpoint": { + "required": false, + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + } + }, + { + "project_id": { + "required": false, + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + { + "location_id": { + "required": false, + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + } + } + ], + "type": "record" + } + }, + { + "huggingface": { + "required": false, + "fields": [ + { + "use_cache": { + "required": false, + "description": "Use the cache layer on the inference API", + "type": "boolean" + } + }, + { + "wait_for_model": { + "required": false, + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + } + ], + "type": "record" + } } - ] + ], + "type": "record" } } - ] + ], + "type": "record" } } - ] + ], + "type": "record" } }, { "vectordb": { - "type": "record", "required": true, "fields": [ { "strategy": { - "type": "string", - "description": "which vector database driver to use", "required": true, + "description": "which vector database driver to use", + "type": "string", "one_of": [ - "redis" + "redis", + "pgvector" ] } }, { "dimensions": { - "description": "the desired dimensionality for the vectors", "required": true, + "description": "the desired dimensionality for the vectors", "type": "integer" } }, { "threshold": { - "description": "the default similarity threshold for accepting semantic search results (float)", "required": true, + "description": "the default similarity 
threshold for accepting semantic search results (float)", "type": "number" } }, { "distance_metric": { - "type": "string", - "description": "the distance metric to use for vector searches", "required": true, + "description": "the distance metric to use for vector searches", + "type": "string", "one_of": [ "cosine", "euclidean" @@ -313,8 +513,6 @@ }, { "redis": { - "required": true, - "type": "record", "entity_checks": [ { "mutually_required": [ @@ -338,14 +536,14 @@ }, { "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", "if_field": "connection_is_proxied", "then_match": { "required": true - } + }, + "if_match": { + "eq": true + }, + "then_field": "host" } }, { @@ -376,12 +574,13 @@ } } ], + "type": "record", + "required": true, "shorthand_fields": [ { "timeout": { + "type": "integer", "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -398,47 +597,48 @@ "read_timeout" ] } - ] - }, - "type": "integer" + ], + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + } } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, "len_min": 1, "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "elements": { + "type": "string" }, "type": "array" } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, "len_min": 1, "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "elements": { + "type": "string" }, "type": "array" } @@ -447,8 +647,8 @@ "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, @@ -505,9 +705,9 @@ }, { "password": { - "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, "type": "string" } }, 
@@ -520,23 +720,23 @@ }, { "sentinel_password": { - "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "referenceable": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, "type": "string" } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, "between": [ 1, 2147483646 
@@ -546,11 +746,11 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "type": "integer" } }, @@ -573,16 +773,16 @@ }, { "sentinel_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { - "type": "record", "fields": [ { "host": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -597,24 +797,24 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { - "type": "record", "fields": [ { "ip": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -629,61 +829,161 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { + "required": false, "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "required": false, "type": "boolean" } }, { "ssl_verify": { + "required": false, "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string" } }, { "cluster_max_redirections": { + "required": false, "default": 5, "description": "Maximum retry attempts for redirection.", - "required": false, "type": "integer" } }, { "connection_is_proxied": { + "required": false, "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", - "required": false, "type": "boolean" } } ] } + }, + { + "pgvector": { + "required": true, + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "the host of the pgvector database", + "type": "string" + } + }, + { + "port": { + "default": 5432, + "description": "the port of the pgvector database", + "type": "integer" + } + }, + { + "user": { + "type": "string", + "description": "the user of the pgvector database", + "default": "postgres", + "referenceable": true + } + }, + { + "password": { + "type": "string", + "description": "the password of the pgvector database", + "encrypted": true, + "referenceable": true + } + }, + { + "database": { + "default": "kong-pgvector", + "description": "the database of the pgvector database", + "type": "string" + } + }, + { + "timeout": { + "default": 5000, + "description": "the timeout of the pgvector database", + "type": "number" + } + }, + { + "ssl": { + "default": false, + "description": "whether to use ssl for the pgvector database", + "type": "boolean" + } + }, + { + "ssl_required": { + "default": false, + "description": "whether ssl is required for the pgvector database", + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "whether to verify ssl for the pgvector database", + "type": "boolean" + } + }, + { + "ssl_version": { + "type": "string", + "description": "the ssl version to use for the pgvector database", + "default": "tlsv1_2", + "one_of": [ + "tlsv1_2", + "tlsv1_3", + "any" + ] + } + }, + { + "ssl_cert": { + "type": "string", + "description": "the path of ssl cert to use for the pgvector database" + } + }, + { + "ssl_cert_key": { + "type": "string", + "description": "the path of ssl cert key to use for the pgvector database" + } + } + ], + "type": "record" + } } - ] + ], + "type": "record" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
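Review bot: In the added `pgvector` record, `ssl`, `ssl_required` and `ssl_verify` all default to `false`, so a deployment that sets only host and credentials presumably reaches the database without encryption or certificate checking, and the one-line descriptions do not say so. The neighbouring Redis `ssl_verify` description already explains the trust-store setup; the pgvector one could follow it, e.g. `"description": "whether to verify the server certificate of the pgvector database; keep enabled outside local testing"`. The descriptions also do not say how `ssl` and `ssl_required` differ. As the file is downloaded from the API, the change presumably belongs in the upstream schema.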
diff --git a/schemas/ai-semantic-prompt-guard/3.11.x.json b/schemas/ai-semantic-prompt-guard/3.11.x.json index c1fac108..3cdc8d4c 100644 --- a/schemas/ai-semantic-prompt-guard/3.11.x.json +++ b/schemas/ai-semantic-prompt-guard/3.11.x.json @@ -1,24 +1,15 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.rules.allow_prompts", - "config.rules.deny_prompts" - ] - } - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -27,35 +18,79 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, "fields": [ { "embeddings": { - "type": "record", "required": true, + "entity_checks": [ + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.instance" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.api_version" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + }, + { + "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure.deployment_id" + ], + "if_match": { + "one_of": [ + "azure" + ] + }, + "then_err": "must set %s for azure provider" + } + } + ], "fields": [ { "auth": { - "type": "record", "required": false, "fields": [ { "header_name": { "required": false, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "header_value": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "referenceable": true } 
@@ -64,24 +99,24 @@ "param_name": { "required": false, "description": "If AI model requires authentication via query parameter, specify its name here.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "param_value": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Specify the full parameter value for 'param_name'.", "referenceable": true } }, { "param_location": { - "type": "string", - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", "required": false, + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "one_of": [ "query", "body" @@ -90,9 +125,9 @@ }, { "azure_use_managed_identity": { - "default": false, - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "required": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", + "default": false, "type": "boolean" } }, @@ -100,15 +135,15 @@ "azure_client_id": { "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "azure_client_secret": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "referenceable": true } 
@@ -117,23 +152,23 @@ "azure_tenant_id": { "required": false, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "gcp_use_service_account": { - "default": false, - "description": "Use service account auth for GCP-based providers and models.", "required": false, + "description": "Use service account auth for GCP-based providers and models.", + "default": false, "type": "boolean" } }, { "gcp_service_account_json": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "referenceable": true } @@ -141,8 +176,8 @@ { "aws_access_key_id": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "referenceable": true } 
@@ -150,102 +185,247 @@ { "aws_secret_access_key": { "encrypted": true, - "required": false, "type": "string", + "required": false, "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "referenceable": true } }, { "allow_override": { - "default": false, - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "required": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", + "default": false, "type": "boolean" } } - ] + ], + "type": "record" } }, { "model": { - "type": "record", "required": true, "fields": [ { "provider": { - "type": "string", - "description": "AI provider format to use for embeddings API", "required": true, + "description": "AI provider format to use for embeddings API", + "type": "string", "one_of": [ "openai", - "mistral" + "mistral", + "huggingface", + "azure", + "bedrock", + "gemini" ] } }, { "name": { - "description": "Model name to execute.", "required": true, + "description": "Model name to execute.", "type": "string" } }, { "options": { - "type": "record", - "description": "Key/value settings for the model", "required": false, + "description": "Key/value settings for the model", "fields": [ { "upstream_url": { - "description": "upstream url for the embeddings", "required": false, + "description": "upstream url for the embeddings", "type": "string" } + }, + { + "azure": { + "required": true, + "fields": [ + { + "instance": { + "required": false, + "description": "Instance name for Azure OpenAI hosted models.", + "type": "string" + } + }, + { + "api_version": { + "required": false, + "description": "'api-version' for Azure OpenAI instances.", + "default": "2023-05-15", + "type": "string" 
+ } + }, + { + "deployment_id": { + "required": false, + "description": "Deployment ID for Azure OpenAI instances.", + "type": "string" + } + } + ], + "type": "record" + } + }, + { + "bedrock": { + "required": false, + "entity_checks": [ + { + "mutually_required": [ + "aws_assume_role_arn", + "aws_role_session_name" + ] + } + ], + "fields": [ + { + "aws_region": { + "required": false, + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", + "type": "string" + } + }, + { + "aws_assume_role_arn": { + "required": false, + "description": "If using AWS providers (Bedrock) you can assume a different role after authentication with the current IAM context is successful.", + "type": "string" + } + }, + { + "aws_role_session_name": { + "description": "If using AWS providers (Bedrock), set the identifier of the assumed role session.", + "type": "string" + } + }, + { + "aws_sts_endpoint_url": { + "type": "string", + "description": "If using AWS providers (Bedrock), override the STS endpoint URL when assuming a different role." 
+ } + }, + { + "embeddings_normalize": { + "default": false, + "description": "If using AWS providers (Bedrock), set to true to normalize the embeddings.", + "type": "boolean" + } + } + ], + "type": "record" + } + }, + { + "gemini": { + "required": false, + "entity_checks": [ + { + "mutually_required": [ + "api_endpoint", + "project_id", + "location_id" + ] + } + ], + "fields": [ + { + "api_endpoint": { + "required": false, + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", + "type": "string" + } + }, + { + "project_id": { + "required": false, + "description": "If running Gemini on Vertex, specify the project ID.", + "type": "string" + } + }, + { + "location_id": { + "required": false, + "description": "If running Gemini on Vertex, specify the location ID.", + "type": "string" + } + } + ], + "type": "record" + } + }, + { + "huggingface": { + "required": false, + "fields": [ + { + "use_cache": { + "required": false, + "description": "Use the cache layer on the inference API", + "type": "boolean" + } + }, + { + "wait_for_model": { + "required": false, + "description": "Wait for the model if it is not ready", + "type": "boolean" + } + } + ], + "type": "record" + } } - ] + ], + "type": "record" } } - ] + ], + "type": "record" } } - ] + ], + "type": "record" } }, { "vectordb": { - "type": "record", "required": true, "fields": [ { "strategy": { - "type": "string", - "description": "which vector database driver to use", "required": true, + "description": "which vector database driver to use", + "type": "string", "one_of": [ - "redis" + "redis", + "pgvector" ] } }, { "dimensions": { - "description": "the desired dimensionality for the vectors", "required": true, + "description": "the desired dimensionality for the vectors", "type": "integer" } }, { "threshold": { - "description": "the default similarity threshold for accepting semantic search results (float)", "required": true, + "description": "the default similarity 
threshold for accepting semantic search results (float)", "type": "number" } }, { "distance_metric": { - "type": "string", - "description": "the distance metric to use for vector searches", "required": true, + "description": "the distance metric to use for vector searches", + "type": "string", "one_of": [ "cosine", "euclidean" @@ -254,8 +434,6 @@ }, { "redis": { - "required": true, - "type": "record", "entity_checks": [ { "mutually_required": [ @@ -279,14 +457,14 @@ }, { "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", "if_field": "connection_is_proxied", "then_match": { "required": true - } + }, + "if_match": { + "eq": true + }, + "then_field": "host" } }, { @@ -317,12 +495,13 @@ } } ], + "type": "record", + "required": true, "shorthand_fields": [ { "timeout": { + "type": "integer", "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
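Review bot: In the `@@ -150,102 +185,247 @@` hunk, the new `bedrock.aws_assume_role_arn` field is declared with only `required`, `description` and `type`, whereas the same-named field in `schemas/aws-lambda/3.11.x.json` later in this patch carries `"encrypted": true` and `"referenceable": true`. If the two are meant to behave alike, the embeddings variant cannot be supplied from a vault reference and would presumably be stored unencrypted; adding `"referenceable": true` (and `"encrypted": true` if the ARN is treated as sensitive) would align them. `aws_sts_endpoint_url` is likewise a free-form string, and its description could say that role-assumption requests are sent there, so it should point at a trusted HTTPS STS endpoint. These files look like schemas exported from the gateway, so the change probably belongs in the plugin's schema source rather than in this JSON.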
@@ -339,47 +518,48 @@ "read_timeout" ] } - ] - }, - "type": "integer" + ], + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + } } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, "len_min": 1, "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "elements": { + "type": "string" }, "type": "array" } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, "len_min": 1, "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "elements": { + "type": "string" }, "type": "array" } @@ -388,8 +568,8 @@ "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, @@ -446,9 +626,9 @@ }, { "password": { - "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, "type": "string" } }, 
@@ -461,23 +641,23 @@ }, { "sentinel_password": { - "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "referenceable": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, "type": "string" } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, "between": [ 1, 2147483646 
@@ -487,11 +667,11 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "type": "integer" } }, @@ -514,16 +694,16 @@ }, { "sentinel_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { - "type": "record", "fields": [ { "host": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -538,24 +718,24 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { - "type": "record", "fields": [ { "ip": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -570,135 +750,267 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { + "required": false, "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "required": false, "type": "boolean" } }, { "ssl_verify": { + "required": false, "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string" } }, { "cluster_max_redirections": { + "required": false, "default": 5, "description": "Maximum retry attempts for redirection.", - "required": false, "type": "integer" } }, { "connection_is_proxied": { + "required": false, "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", - "required": false, "type": "boolean" } } ] } + }, + { + "pgvector": { + "required": true, + "fields": [ + { + "host": { + "default": "127.0.0.1", + "description": "the host of the pgvector database", + "type": "string" + } + }, + { + "port": { + "default": 5432, + "description": "the port of the pgvector database", + "type": "integer" + } + }, + { + "user": { + "type": "string", + "description": "the user of the pgvector database", + "default": "postgres", + "referenceable": true + } + }, + { + "password": { + "type": "string", + "description": "the password of the pgvector database", + "encrypted": true, + "referenceable": true + } + }, + { + "database": { + "default": "kong-pgvector", + "description": "the database of the pgvector database", + "type": "string" + } + }, + { + "timeout": { + "default": 5000, + "description": "the timeout of the pgvector database", + "type": "number" + } + }, + { + "ssl": { + "default": false, + "description": "whether to use ssl for the pgvector database", + "type": "boolean" + } + }, + { + "ssl_required": { + "default": false, + "description": "whether ssl is required for the pgvector database", + "type": "boolean" + } + }, + { + "ssl_verify": { + "default": false, + "description": "whether to verify ssl for the pgvector database", + "type": "boolean" + } + }, + { + "ssl_version": { + "type": "string", + "description": "the ssl version to use for the pgvector database", + "default": "tlsv1_2", + "one_of": [ + "tlsv1_2", + "tlsv1_3", + "any" + ] + } + }, + { + "ssl_cert": { + "type": "string", + "description": "the path of ssl cert to use for the pgvector database" + } + }, + { + "ssl_cert_key": { + "type": "string", + "description": "the path of ssl cert key to use for the pgvector database" + } + } + ], + "type": "record" + } } - ] + ], + "type": "record" } }, { "search": { - "type": "record", "required": false, "fields": [ { "threshold": { + "required": false, 
"default": 0.5, "description": "Threshold for the similarity score to be considered a match.", - "required": false, "type": "number" } } - ] + ], + "type": "record" } }, { "rules": { - "type": "record", "required": true, "fields": [ { "match_all_conversation_history": { + "required": false, "default": false, "description": "If false, will ignore all previous chat prompts from the conversation history.", - "required": false, "type": "boolean" } }, { "allow_prompts": { - "len_max": 100, - "required": false, "type": "array", + "required": false, + "description": "List of prompts to allow.", + "len_max": 100, "elements": { - "len_max": 500, "len_min": 1, + "len_max": 500, "type": "string" - }, - "description": "List of prompts to allow." + } } }, { "deny_prompts": { - "len_max": 100, - "required": false, "type": "array", + "required": false, + "description": "List of prompts to deny.", + "len_max": 100, "elements": { - "len_max": 500, "len_min": 1, + "len_max": 500, "type": "string" - }, - "description": "List of prompts to deny." + } } }, { "max_request_body_size": { + "description": "max allowed body size allowed to be introspected. 
0 means unlimited, but the size of this body will still be limited by Nginx's client_max_body_size.", "default": 8192, - "description": "max allowed body size allowed to be introspected", "gt": 0, "type": "integer" } }, { "match_all_roles": { + "required": true, "default": false, "description": "If true, will match all roles in addition to 'user' role in conversation history.", - "required": true, "type": "boolean" } } + ], + "type": "record" + } + }, + { + "llm_format": { + "type": "string", + "required": false, + "default": "openai", + "description": "LLM input and output format and schema to use", + "one_of": [ + "openai", + "bedrock", + "gemini", + "cohere", + "huggingface" + ] + } + }, + { + "genai_category": { + "type": "string", + "required": false, + "default": "text/generation", + "description": "Generative AI category of the request", + "one_of": [ + "text/generation", + "text/embeddings" ] } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.rules.allow_prompts", + "config.rules.deny_prompts" + ] + } ] } \ No newline at end of file diff --git a/schemas/app-dynamics/3.11.x.json b/schemas/app-dynamics/3.11.x.json index 8e65202b..205cb1a4 100644 --- a/schemas/app-dynamics/3.11.x.json +++ b/schemas/app-dynamics/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
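Review bot: The new `pgvector` record in the `@@ -570,135 +750,267 @@` hunk defaults `ssl`, `ssl_required` and `ssl_verify` to `false` while also taking a `password`, so a default configuration would send the database credential over an unencrypted, unauthenticated connection (assuming the flags mean what their names suggest). The one-line descriptions do not say this; I would extend them the way the redis `ssl_verify` text in this file does, for example `"description": "whether to verify the pgvector server certificate; leave false only on a trusted network"`, and state how `ssl` and `ssl_required` differ. In the same hunk the new `max_request_body_size` description says `0 means unlimited`, but the unchanged `"gt": 0` constraint beside it rejects 0, so one of the two is wrong. The file looks like an exported schema, so both fixes likely belong upstream in the plugin source.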
@@ -22,25 +18,29 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/aws-lambda/3.11.x.json b/schemas/aws-lambda/3.11.x.json index 583a9b6a..23238f0c 100644 --- a/schemas/aws-lambda/3.11.x.json +++ b/schemas/aws-lambda/3.11.x.json @@ -1,31 +1,15 @@ { - "entity_checks": [ - { - "mutually_required": [ - "config.aws_key", - "config.aws_secret" - ] - }, - { - "custom_entity_check": { - "field_sources": [ - "config.proxy_url" - ] - } - } - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -34,58 +18,60 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "timeout": { - "default": 60000, - "description": "An optional timeout in milliseconds when invoking the function.", "required": true, + "description": "An optional timeout in milliseconds when invoking the function.", + "default": 60000, "type": "number" } }, { "keepalive": { - "default": 60000, - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", "required": true, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", + "default": 60000, "type": "number" } }, { "aws_key": { - "encrypted": true, + "type": "string", "description": "The AWS key credential to be used when invoking the function.", - "referenceable": true, - "type": "string" + "encrypted": true, + "referenceable": true } }, { "aws_secret": { - "encrypted": true, + "type": "string", "description": "The AWS secret credential to be used when invoking the function. ", - "referenceable": true, - "type": "string" + "encrypted": true, + "referenceable": true } }, { "aws_assume_role_arn": { - "encrypted": true, + "type": "string", "description": "The target AWS IAM role ARN used to invoke the Lambda function.", - "referenceable": true, - "type": "string" + "encrypted": true, + "referenceable": true } }, { 
@@ -109,23 +95,23 @@ }, { "function_name": { - "description": "The AWS Lambda function to invoke. Both function name and function ARN (including partial) are supported.", "required": false, + "description": "The AWS Lambda function to invoke. Both function name and function ARN (including partial) are supported.", "type": "string" } }, { "qualifier": { - "description": "The qualifier to use when invoking the function.", - "type": "string" + "type": "string", + "description": "The qualifier to use when invoking the function." } }, { "invocation_type": { - "required": true, "type": "string", - "default": "RequestResponse", + "required": true, "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", + "default": "RequestResponse", "one_of": [ "RequestResponse", "Event", @@ -135,10 +121,10 @@ }, { "log_type": { - "required": true, "type": "string", - "default": "Tail", + "required": true, "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", + "default": "Tail", "one_of": [ "Tail", "None" @@ -164,17 +150,17 @@ }, { "disable_https": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "unhandled_status": { + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", "between": [ 100, 999 ], - "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", "type": "integer" } }, @@ -242,10 +228,10 @@ }, { "aws_imds_protocol_version": { - "required": true, "type": "string", - "default": "v1", + "required": true, "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", + "default": "v1", "one_of": [ "v1", "v2" 
@@ -254,10 +240,10 @@ }, { "empty_arrays_mode": { - "required": true, "type": "string", - "default": "legacy", + "required": true, "description": "An optional value that defines whether Kong should send empty arrays (returned by Lambda function) as `[]` arrays or `{}` objects in JSON responses. The value `legacy` means Kong will send empty arrays as `{}` objects in response", + "default": "legacy", "one_of": [ "legacy", "correct" @@ -265,9 +251,23 @@ } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + { + "mutually_required": [ + "config.aws_key", + "config.aws_secret" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "config.proxy_url" + ] + } + } ] } \ No newline at end of file diff --git a/schemas/azure-functions/3.11.x.json b/schemas/azure-functions/3.11.x.json index 19e89278..aab435f7 100644 --- a/schemas/azure-functions/3.11.x.json +++ b/schemas/azure-functions/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ 
@@ -29,97 +25,101 @@ "wss" ], "type": "string" - } + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "timeout": { - "default": 600000, "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", + "default": 600000, "type": "number" } }, { "keepalive": { - "default": 60000, "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", + "default": 60000, "type": "number" } }, { "https": { - "default": true, "description": "Use of HTTPS to connect with the Azure Functions server.", + "default": true, "type": "boolean" } }, { "https_verify": { - "default": false, "description": "Set to `true` to authenticate the Azure Functions server.", + "default": false, "type": "boolean" } }, { "apikey": { - "encrypted": true, - "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", "referenceable": true, + "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", + "encrypted": true, "type": "string" } }, { "clientid": { - "encrypted": true, - "description": "The `clientid` to access the Azure resources. If provided, it is injected as the `x-functions-clientid` header.", "referenceable": true, + "description": "The `clientid` to access the Azure resources. 
If provided, it is injected as the `x-functions-clientid` header.", + "encrypted": true, "type": "string" } }, { "appname": { - "description": "The Azure app name.", "required": true, + "description": "The Azure app name.", "type": "string" } }, { "hostdomain": { + "required": true, "default": "azurewebsites.net", "description": "The domain where the function resides.", - "required": true, "type": "string" } }, { "routeprefix": { - "default": "api", "description": "Route prefix to use.", + "default": "api", "type": "string" } }, { "functionname": { - "description": "Name of the Azure function to invoke.", "required": true, + "description": "Name of the Azure function to invoke.", "type": "string" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/basic-auth/3.11.x.json b/schemas/basic-auth/3.11.x.json index 0a5c8b49..5d19391a 100644 --- a/schemas/basic-auth/3.11.x.json +++ b/schemas/basic-auth/3.11.x.json @@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", @@ -32,20 +30,20 @@ "wss" ] }, - "required": true, "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "anonymous": { 
@@ -55,24 +53,26 @@ }, { "hide_credentials": { + "required": true, "default": false, "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", - "required": true, "type": "boolean" } }, { "realm": { + "required": true, "default": "service", "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", - "required": true, "type": "string" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/bot-detection/3.11.x.json b/schemas/bot-detection/3.11.x.json index d48d260c..3451e38c 100644 --- a/schemas/bot-detection/3.11.x.json +++ b/schemas/bot-detection/3.11.x.json @@ -1,27 +1,23 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -30,50 +26,54 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "allow": { + "default": [ + + ], + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", "elements": { "type": "string", "is_regex": true }, - "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", - "default": [ - - ], "type": "array" } }, { "deny": { + "default": [ + + ], + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", "elements": { "type": "string", "is_regex": true }, - "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", - "default": [ - - ], "type": "array" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/canary/3.11.x.json b/schemas/canary/3.11.x.json index a020f33c..05cd5add 100644 --- a/schemas/canary/3.11.x.json +++ b/schemas/canary/3.11.x.json 
@@ -1,65 +1,31 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.upstream_uri", - "config.upstream_host", - "config.upstream_port" - ] - }, - { - "conditional": { - "if_match": { - "eq": "header" - }, - "then_field": "config.hash_header", - "if_field": "config.hash", - "then_match": { - "required": true - } - } - }, - { - "conditional": { - "if_match": { - "eq": true - }, - "then_field": "config.upstream_host", - "if_field": "config.upstream_fallback", - "then_match": { - "required": true - } - } - } - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -68,12 +34,13 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", + "required": true, "shorthand_fields": [ { "hash": { @@ -82,7 +49,6 @@ } } ], - "required": true, "fields": [ { "start": { 
@@ -92,9 +58,9 @@ }, { "hash": { - "default": "consumer", - "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", "type": "string", + "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", + "default": "consumer", "one_of": [ "consumer", "ip", @@ -129,11 +95,11 @@ }, { "percentage": { + "description": "The percentage of traffic to be routed to the canary release.", "between": [ 0, 100 ], - "description": "The percentage of traffic to be routed to the canary release.", "type": "number" } }, 
@@ -145,35 +111,35 @@ }, { "upstream_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, { "upstream_uri": { + "len_min": 1, "description": "The URI of the upstream server to be used for the canary release.", - "type": "string", - "len_min": 1 + "type": "string" } }, { "upstream_fallback": { - "default": false, - "description": "Specifies whether to fallback to the upstream server if the canary release fails.", "required": true, + "description": "Specifies whether to fallback to the upstream server if the canary release fails.", + "default": false, "type": "boolean" } }, { "groups": { + "description": "The groups allowed to access the canary release.", "elements": { "type": "string" }, - "description": "The groups allowed to access the canary release.", "type": "array" } }, @@ -183,7 +149,41 @@ "description": "A string representing an HTTP header name." } } - ] + ], + "type": "record" + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.upstream_uri", + "config.upstream_host", + "config.upstream_port" + ] + }, + { + "conditional": { + "if_field": "config.hash", + "then_match": { + "required": true + }, + "if_match": { + "eq": "header" + }, + "then_field": "config.hash_header" + } + }, + { + "conditional": { + "if_field": "config.upstream_fallback", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + }, + "then_field": "config.upstream_host" } } ] diff --git a/schemas/confluent-consume/3.11.x.json b/schemas/confluent-consume/3.11.x.json index 4539a378..7c86333c 100644 --- a/schemas/confluent-consume/3.11.x.json +++ b/schemas/confluent-consume/3.11.x.json 
@@ -1,10 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
@@ -14,195 +19,190 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "type": "set", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { + "required": true, "entity_checks": [ ], - "type": "record", "fields": [ { "bootstrap_servers": { "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", - "type": "set", "elements": { - "type": "record", "fields": [ { "host": { + "required": true, "description": "A string representing a host name, such as example.com.", - "type": "string", - "required": true + "type": "string" } }, { "port": { + "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": true + "type": "integer" } } - ] - } + ], + "type": "record" + }, + "type": "set" } }, { "topics": { "type": "array", + "required": true, "len_min": 1, - "description": "The Kafka topics and their configuration you want to consume from.", "elements": { - "type": "record", "fields": [ { "name": { - "type": "string", - "required": true + "required": true, + "type": "string" } } - ] + ], + "type": "record" }, - "required": true + "description": "The Kafka topics and their configuration you want to consume from." 
} }, { "mode": { "type": "string", + "required": true, + "default": "http-get", "description": "The mode of operation for the plugin.", "one_of": [ "server-sent-events", "http-get" - ], - "default": "http-get", - "required": true + ] } }, { "message_deserializer": { "type": "string", + "required": true, + "default": "noop", "description": "The deserializer to use for the consumed messages.", "one_of": [ "json", "noop" - ], - "default": "noop", - "required": true + ] } }, { "auto_offset_reset": { "type": "string", + "required": true, + "default": "latest", "description": "The offset to start from when there is no initial offset in the consumer group.", "one_of": [ "earliest", "latest" - ], - "default": "latest", - "required": true + ] } }, { "commit_strategy": { "type": "string", + "required": true, + "default": "auto", "description": "The strategy to use for committing offsets.", "one_of": [ "auto", "off" - ], - "default": "auto", - "required": true + ] } }, { "timeout": { "description": "Socket timeout in milliseconds.", - "type": "integer", - "default": 10000 + "default": 10000, + "type": "integer" } }, { "keepalive": { "description": "Keepalive timeout in milliseconds.", - "type": "integer", - "default": 60000 + "default": 60000, + "type": "integer" } }, { "keepalive_enabled": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "cluster_api_key": { + "encrypted": true, "type": "string", - "referenceable": true, + "required": true, "description": "Username/Apikey for SASL authentication.", - "encrypted": true, - "required": true + "referenceable": true } }, { "cluster_api_secret": { + "encrypted": true, "type": "string", - "referenceable": true, + "required": true, "description": "Password/ApiSecret for SASL authentication.", - "encrypted": true, - "required": true + "referenceable": true } }, { "confluent_cloud_api_key": { + "encrypted": true, "type": "string", - "referenceable": true, + "required": false, "description": 
"Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", - "encrypted": true, - "required": false + "referenceable": true } }, { "confluent_cloud_api_secret": { + "encrypted": true, "type": "string", - "referenceable": true, + "required": false, "description": "The corresponding secret for the Confluent Cloud API key.", - "encrypted": true, - "required": false + "referenceable": true } }, { "cluster_name": { + "required": false, "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", - "type": "string", "auto": true, - "required": false + "type": "string" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/confluent/3.11.x.json b/schemas/confluent/3.11.x.json index 534933d8..3f43ced1 100644 --- a/schemas/confluent/3.11.x.json +++ b/schemas/confluent/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -22,19 +18,21 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "entity_checks": [ { "custom_entity_check": { 
@@ -50,37 +48,61 @@ "fields": [ { "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "elements": { - "type": "record", "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", "required": true, + "description": "A string representing a host name, such as example.com.", "type": "string" } }, { "port": { + "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": true, "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "type": "set" } }, + { + "topics_query_arg": { + "required": false, + "description": "The request query parameter name that contains the topics to publish to", + "type": "string" + } + }, + { + "allowed_topics": { + "required": false, + "description": "The list of allowed topic names to which messages can be sent. The default topic configured in the `topic` field is always allowed, regardless of its inclusion in `allowed_topics`.", + "elements": { + "type": "string" + }, + "type": "array" + } + }, { "topic": { - "description": "The Kafka topic to publish to.", "required": true, + "description": "The default Kafka topic to publish to if the query parameter defined in the `topics_query_arg` does not exist in the request", + "type": "string" + } + }, + { + "key_query_arg": { + "required": false, + "description": "The request query parameter name that contains the Kafka message key. If specified, messages with the same key will be sent to the same Kafka partition, ensuring consistent ordering.", "type": "string" } }, 
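Review bot: The new `topics_query_arg` field lets the request's query string name the Kafka topics, but `allowed_topics`, added next to it in this hunk, is `"required": false` with no default, and neither description says what is accepted when `topics_query_arg` is set and `allowed_topics` is left unset. Because the topic name is client-supplied, an operator needs to know whether that combination means "default topic only" or "any topic the client names". I would append to the `allowed_topics` description something like `If unset while topics_query_arg is configured, <state the actual behaviour: only the default topic / any requested topic is accepted>.` If the permissive reading is the real one, an entity check that requires `allowed_topics` whenever `topics_query_arg` is present would be worth adding in the plugin's schema. `key_query_arg` is request-supplied in the same way, and its description could say so.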
@@ -107,37 +129,37 @@ { "cluster_api_key": { "encrypted": true, - "referenceable": true, "type": "string", + "required": true, "description": "Username/Apikey for SASL authentication.", - "required": true + "referenceable": true } }, { "cluster_api_secret": { "encrypted": true, - "referenceable": true, "type": "string", + "required": true, "description": "Password/ApiSecret for SASL authentication.", - "required": true + "referenceable": true } }, { "confluent_cloud_api_key": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", - "required": false + "referenceable": true } }, { "confluent_cloud_api_secret": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The corresponding secret for the Confluent Cloud API key.", - "required": false + "referenceable": true } }, { 
@@ -168,19 +190,29 @@ "type": "boolean" } }, + { + "message_by_lua_functions": { + "required": false, + "description": "The Lua functions that manipulates the message being sent to the Kafka topic.", + "elements": { + "type": "string" + }, + "type": "array" + } + }, { "cluster_name": { - "auto": true, - "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", "required": false, + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "auto": true, "type": "string" } }, { "producer_request_acks": { - "default": 1, - "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "type": "integer", + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "default": 1, "one_of": [ -1, 0, @@ -245,9 +277,11 @@ } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
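Review bot: In the `@@ -168,19 +190,29 @@` hunk, `message_by_lua_functions` takes an array of unconstrained strings that its description calls Lua functions, but nothing says how that code is evaluated or that write access to this plugin's configuration therefore amounts to supplying code to the gateway (presumably subject to the gateway's Lua sandbox setting; the schema does not show this). The file-log schema elsewhere in this patch puts `"len_min": 1` on its `custom_fields_by_lua` values, and the same on these elements would at least reject empty entries: `"elements": { "type": "string", "len_min": 1 }`. The description also has an agreement error and could read `The Lua functions that manipulate the message being sent to the Kafka topic. The code is evaluated by the plugin, so restrict who can edit this configuration.` If this file is regenerated from the gateway's schema output, both changes belong in the plugin's schema rather than here.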
diff --git a/schemas/correlation-id/3.11.x.json b/schemas/correlation-id/3.11.x.json index 46723bf0..38cdb623 100644 --- a/schemas/correlation-id/3.11.x.json +++ b/schemas/correlation-id/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -22,31 +18,33 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "header_name": { - "default": "Kong-Request-ID", "description": "The HTTP header name to use for the correlation ID.", + "default": "Kong-Request-ID", "type": "string" } }, { "generator": { - "required": true, "type": "string", + "required": true, "default": "uuid#counter", "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", "one_of": [ @@ -58,16 +56,18 @@ }, { "echo_downstream": { + "required": true, "default": false, "description": "Whether to echo the header back to downstream (the client).", - "required": true, "type": "boolean" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/cors/3.11.x.json b/schemas/cors/3.11.x.json index 87f52a0e..f99899e0 100644 --- a/schemas/cors/3.11.x.json +++ b/schemas/cors/3.11.x.json 
@@ -1,75 +1,73 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { + "required": true, + "len_min": 1, "one_of": [ "grpc", "grpcs", "http", "https" ], - "len_min": 1, - "required": true, "type": "string" - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "origins": { + "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.", "elements": { "type": "string" }, - "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.", "type": "array" } }, { "headers": { + "description": "Value for the `Access-Control-Allow-Headers` header.", "elements": { "type": "string" }, - "description": "Value for the `Access-Control-Allow-Headers` header.", "type": "array" } }, { "exposed_headers": { + "description": "Value for the `Access-Control-Expose-Headers` header. 
If not specified, no custom headers are exposed.", "elements": { "type": "string" }, - "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", "type": "array" } }, @@ -106,38 +104,48 @@ }, { "max_age": { - "description": "Indicates how long the results of the preflight request can be cached, in `seconds`.", - "type": "number" + "type": "number", + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`." } }, { "credentials": { - "default": false, - "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", "required": true, + "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", + "default": false, "type": "boolean" } }, { "private_network": { - "default": false, - "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", "required": true, + "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", + "default": false, "type": "boolean" } }, { "preflight_continue": { - "default": false, + "required": true, "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", + "default": false, + "type": "boolean" + } + }, + { + "allow_origin_absent": { "required": true, + "description": "A boolean value that skip cors response headers when origin header of request is empty", + "default": true, "type": "boolean" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/datadog/3.11.x.json b/schemas/datadog/3.11.x.json index 7157cc3d..60483012 100644 --- a/schemas/datadog/3.11.x.json +++ b/schemas/datadog/3.11.x.json 
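Review bot: The description added for `allow_origin_absent` in the `@@ -106,38 +104,48 @@` hunk does not say which value does what. The name reads as "allow requests that have no Origin", the text says the flag "skip cors response headers when origin header of request is empty", and the default is `true`, so a reader cannot tell whether the default emits or suppresses the CORS headers for requests without an `Origin`. Since that decides what a client without an `Origin` header receives, the polarity should be spelled out, for example `When true (default), CORS response headers are <sent / skipped> for requests that have no Origin header; when false, <the opposite>.`, filled in from the plugin's behaviour. The sentence also needs its grammar fixed (`skips`, `CORS`, `the Origin header`).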
@@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ @@ -29,25 +25,27 @@ "wss" ], "type": "string" - } + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "host": { + "referenceable": true, "default": "localhost", "description": "A string representing a host name, such as example.com.", - "referenceable": true, "type": "string" } }, 
@@ -92,44 +90,45 @@ }, { "retry_count": { - "description": "Number of times to retry when sending data to the upstream server.", - "type": "integer", "deprecation": { "old_default": 10, - "message": "datadog: config.retry_count no longer works, please use config.queue.max_retry_time instead", - "removal_in_version": "4.0" - } + "removal_in_version": "4.0", + "message": "datadog: config.retry_count no longer works, please use config.queue.max_retry_time instead" + }, + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" } }, { "queue_size": { - "description": "Maximum number of log entries to be sent on each message to the upstream server.", - "type": "integer", "deprecation": { "old_default": 1, - "message": "datadog: config.queue_size is deprecated, please use config.queue.max_batch_size instead", - "removal_in_version": "4.0" - } + "removal_in_version": "4.0", + "message": "datadog: config.queue_size is deprecated, please use config.queue.max_batch_size instead" + }, + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" } }, { "flush_timeout": { - "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", - "type": "number", "deprecation": { "old_default": 2, - "message": "datadog: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", - "removal_in_version": "4.0" - } + "removal_in_version": "4.0", + "message": "datadog: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead" + }, + "description": "Optional time in seconds. 
If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" } }, { "queue": { + "required": true, "fields": [ { "max_batch_size": { - "default": 1, "description": "Maximum number of entries that can be processed at a time.", + "default": 1, "between": [ 1, 1000000 @@ -139,8 +138,8 @@ }, { "max_coalescing_delay": { - "default": 1, "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "default": 1, "between": [ 0, 3600 @@ -150,8 +149,8 @@ }, { "max_entries": { - "default": 10000, "description": "Maximum number of entries that can be waiting on the queue.", + "default": 10000, "between": [ 1, 1000000 @@ -167,15 +166,15 @@ }, { "max_retry_time": { - "default": 60, "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60, "type": "number" } }, { "initial_retry_delay": { - "default": 0.01, "description": "Time in seconds before the initial retry is made for a failing batch.", + "default": 0.01, "between": [ 0.001, 1000000 @@ -185,8 +184,8 @@ }, { "max_retry_delay": { - "default": 60, "description": "Maximum time in seconds between retries, caps exponential backoff.", + "default": 60, "between": [ 0.001, 1000000 @@ -196,9 +195,9 @@ }, { "concurrency_limit": { + "type": "integer", "default": 1, "description": "The number of of queue delivery timers. -1 indicates unlimited.", - "type": "integer", "one_of": [ -1, 1 
@@ -206,90 +205,38 @@ } } ], - "required": true, "type": "record" } }, { "metrics": { - "required": true, "type": "array", - "default": [ - { - "name": "request_count", - "stat_type": "counter", - "tags": [ - "app:kong" - ], - "sample_rate": 1, - "consumer_identifier": "custom_id" - }, - { - "stat_type": "timer", - "name": "latency", - "tags": [ - "app:kong" - ], - "consumer_identifier": "custom_id" - }, - { - "stat_type": "timer", - "name": "request_size", - "tags": [ - "app:kong" - ], - "consumer_identifier": "custom_id" - }, - { - "stat_type": "timer", - "name": "response_size", - "tags": [ - "app:kong" - ], - "consumer_identifier": "custom_id" - }, - { - "stat_type": "timer", - "name": "upstream_latency", - "tags": [ - "app:kong" - ], - "consumer_identifier": "custom_id" - }, - { - "stat_type": "timer", - "name": "kong_latency", - "tags": [ - "app:kong" - ], - "consumer_identifier": "custom_id" - } - ], + "required": true, "description": "List of metrics to be logged.", "elements": { "entity_checks": [ { "conditional": { + "if_field": "stat_type", + "then_match": { + "required": true + }, "if_match": { "one_of": [ "counter", "gauge" ] }, - "then_field": "sample_rate", - "if_field": "stat_type", - "then_match": { - "required": true - } + "then_field": "sample_rate" } } ], "fields": [ { "name": { - "type": "string", - "description": "Datadog metric’s name", "required": true, + "description": "Datadog metric’s name", + "type": "string", "one_of": [ "kong_latency", "latency", @@ -302,9 +249,9 @@ }, { "stat_type": { - "type": "string", - "description": "Determines what sort of event the metric represents", "required": true, + "description": "Determines what sort of event the metric represents", + "type": "string", "one_of": [ "counter", "gauge", 
@@ -318,21 +265,21 @@ }, { "tags": { + "description": "List of tags", "elements": { - "match": "^.*[^:]$", - "type": "string" + "type": "string", + "match": "^.*[^:]$" }, - "description": "List of tags", "type": "array" } }, { "sample_rate": { + "description": "Sampling rate", "between": [ 0, 1 ], - "description": "Sampling rate", "type": "number" } }, @@ -349,13 +296,66 @@ } ], "type": "record" - } + }, + "default": [ + { + "tags": [ + "app:kong" + ], + "consumer_identifier": "custom_id", + "sample_rate": 1, + "name": "request_count", + "stat_type": "counter" + }, + { + "tags": [ + "app:kong" + ], + "name": "latency", + "stat_type": "timer", + "consumer_identifier": "custom_id" + }, + { + "tags": [ + "app:kong" + ], + "name": "request_size", + "stat_type": "timer", + "consumer_identifier": "custom_id" + }, + { + "tags": [ + "app:kong" + ], + "name": "response_size", + "stat_type": "timer", + "consumer_identifier": "custom_id" + }, + { + "tags": [ + "app:kong" + ], + "name": "upstream_latency", + "stat_type": "timer", + "consumer_identifier": "custom_id" + }, + { + "tags": [ + "app:kong" + ], + "name": "kong_latency", + "stat_type": "timer", + "consumer_identifier": "custom_id" + } + ] } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/degraphql/3.11.x.json b/schemas/degraphql/3.11.x.json index 36cd73d3..20ea78e2 100644 --- a/schemas/degraphql/3.11.x.json +++ b/schemas/degraphql/3.11.x.json 
@@ -1,27 +1,23 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -30,39 +26,43 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "graphql_server_path": { - "required": true, - "type": "string", - "default": "/graphql", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "err": "must not have empty segments", "pattern": "//" } ], - "starts_with": "/" + "type": "string", + "required": true, + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/", + "default": "/graphql" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/exit-transformer/3.11.x.json b/schemas/exit-transformer/3.11.x.json index 11f94588..a895c3a8 100644 --- a/schemas/exit-transformer/3.11.x.json +++ b/schemas/exit-transformer/3.11.x.json 
@@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -22,26 +18,28 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "functions": { + "required": true, "elements": { "type": "string" }, - "required": true, "type": "array" } }, @@ -60,9 +58,11 @@ } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/file-log/3.11.x.json b/schemas/file-log/3.11.x.json index 6532d553..f8dc7871 100644 --- a/schemas/file-log/3.11.x.json +++ b/schemas/file-log/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ 
@@ -29,34 +25,36 @@ "wss" ], "type": "string" - } + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "path": { - "match": "^[^*&%%\\`]+$", - "required": true, - "type": "string", + "match": "^[^%s*&%%\\`][^*&%%\\`]*[^%s*&%%\\`]$", "err": "not a valid filename", + "type": "string", + "required": true, "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet." } }, { "reopen": { - "default": false, - "description": "Determines whether the log file is closed and reopened on every request.", "required": true, + "description": "Determines whether the log file is closed and reopened on every request.", + "default": false, "type": "boolean" } }, @@ -64,8 +62,8 @@ "custom_fields_by_lua": { "description": "Lua code as a key-value map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, "keys": { "type": "string", @@ -75,9 +73,11 @@ } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/forward-proxy/3.11.x.json b/schemas/forward-proxy/3.11.x.json index 260aadee..329534ee 100644 --- a/schemas/forward-proxy/3.11.x.json +++ b/schemas/forward-proxy/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
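Review bot: The new `match` on `config.path` in schemas/file-log/3.11.x.json (hunk `@@ -29,34 +25,36 @@`) has one mandatory character class at each end, so a one-character path no longer validates, and the only feedback is `not a valid filename`. Assuming `%s` is the Lua whitespace class here, the pattern now also rejects a path that begins or ends with whitespace, which neither `err` nor `description` states. I would add a sentence to the description such as "The path must be at least two characters long, must not begin or end with whitespace, and must not contain *, &, %, a backslash or a backtick." The pattern only filters characters and does not constrain the directory, so where the log can be written still depends on who may configure the plugin and on the file-system permissions of the Kong worker.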
@@ -22,21 +18,20 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { - "required": true, - "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -63,33 +58,35 @@ ] } ], + "type": "record", + "required": true, "shorthand_fields": [ { "proxy_host": { + "type": "string", "deprecation": { - "removal_in_version": "4.0", - "message": "forward-proxy: config.proxy_host is deprecated, please use config.http_proxy_host instead" - }, - "type": "string" + "message": "forward-proxy: config.proxy_host is deprecated, please use config.http_proxy_host instead", + "removal_in_version": "4.0" + } } }, { "proxy_port": { + "type": "integer", "deprecation": { - "removal_in_version": "4.0", - "message": "forward-proxy: config.proxy_port is deprecated, please use config.http_proxy_port instead" - }, - "type": "integer" + "message": "forward-proxy: config.proxy_port is deprecated, please use config.http_proxy_port instead", + "removal_in_version": "4.0" + } } } ], "fields": [ { "x_headers": { - "required": true, "type": "string", - "default": "append", + "required": true, "description": "Determines how to handle headers when forwarding the request.", + "default": "append", "one_of": [ "append", "transparent", @@ -105,11 +102,11 @@ }, { "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, 
@@ -121,20 +118,20 @@ }, { "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, { "proxy_scheme": { - "required": true, "type": "string", - "default": "http", + "required": true, "description": "The proxy scheme to use when connecting. Only `http` is supported.", + "default": "http", "one_of": [ "http" ] @@ -142,30 +139,34 @@ }, { "auth_username": { - "referenceable": true, - "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", "required": false, - "type": "string" + "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", + "type": "string", + "referenceable": true } }, { "auth_password": { - "referenceable": true, - "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "encrypted": true, + "type": "string", "required": false, - "type": "string" + "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", + "referenceable": true } }, { "https_verify": { - "default": false, - "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", "required": true, + "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", + "default": false, "type": "boolean" } } ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/graphql-proxy-cache-advanced/3.11.x.json b/schemas/graphql-proxy-cache-advanced/3.11.x.json index e805038f..5642f289 100644 --- a/schemas/graphql-proxy-cache-advanced/3.11.x.json +++ b/schemas/graphql-proxy-cache-advanced/3.11.x.json 
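Review bot: In the `@@ -142,30 +139,34 @@` hunk of schemas/forward-proxy/3.11.x.json, `https_verify` still has `"default": false` on the new side, so the server certificate is not verified unless the operator turns it on, and the description does not mention this. The hunk marks `auth_password` as `encrypted`, yet with verification off that password is presumably sent over a connection whose peer has not been authenticated. I would end the description with "Defaults to false, which leaves the server certificate unverified; set it to true and configure lua_ssl_trusted_certificate for production use." As the schema is pulled from the API, the wording probably has to change in the plugin schema upstream.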
@@ -5,15 +5,14 @@ "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -22,26 +21,28 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "strategy": { - "required": true, "type": "string", - "default": "memory", + "required": true, "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", + "default": "memory", "one_of": [ "memory", "redis" @@ -50,32 +51,30 @@ }, { "cache_ttl": { - "gt": 0, "description": "TTL in seconds of cache entities. Must be a value greater than 0.", "default": 300, + "gt": 0, "type": "integer" } }, { "memory": { + "required": true, "fields": [ { "dictionary_name": { + "required": true, "default": "kong_db_cache", "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", - "required": true, "type": "string" } } ], - "required": true, "type": "record" } }, { "redis": { - "required": true, - "type": "record", "entity_checks": [ { "mutually_required": [ @@ -99,14 +98,14 @@ }, { "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", "if_field": "connection_is_proxied", "then_match": { "required": true - } + }, + "if_match": { + "eq": true + }, + "then_field": "host" } }, { 
@@ -137,12 +136,13 @@ } } ], + "type": "record", + "required": true, "shorthand_fields": [ { "timeout": { + "type": "integer", "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -159,47 +159,48 @@ "read_timeout" ] } - ] - }, - "type": "integer" + ], + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + } } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, "len_min": 1, "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "elements": { + "type": "string" }, "type": "array" } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, "len_min": 1, "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "elements": { + "type": "string" }, "type": "array" } @@ -208,8 +209,8 @@ "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, @@ -266,9 +267,9 @@ }, { "password": { - "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, "type": "string" } }, 
@@ -281,23 +282,23 @@ }, { "sentinel_password": { - "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "referenceable": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, "type": "string" } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, "between": [ 1, 2147483646 
@@ -307,11 +308,11 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "type": "integer" } }, @@ -334,16 +335,16 @@ }, { "sentinel_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { - "type": "record", "fields": [ { "host": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -358,24 +359,24 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { - "type": "record", "fields": [ { "ip": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -390,48 +391,48 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { + "required": false, "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "required": false, "type": "boolean" } }, { "ssl_verify": { + "required": false, "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string" } }, { "cluster_max_redirections": { + "required": false, "default": 5, "description": "Maximum retry attempts for redirection.", - "required": false, "type": "integer" } }, { "connection_is_proxied": { + "required": false, "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "required": false, "type": "boolean" } } 
@@ -440,24 +441,28 @@ }, { "bypass_on_err": { - "default": false, "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "default": false, "type": "boolean" } }, { "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "elements": { "type": "string" }, - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "type": "array" } } ], - "required": true, "type": "record" } } - ] + ], + "supported_partials": { + "redis-ee": [ + "config.redis" + ] + } } \ No newline at end of file diff --git a/schemas/graphql-rate-limiting-advanced/3.11.x.json b/schemas/graphql-rate-limiting-advanced/3.11.x.json index 55336ec3..3f6be463 100644 --- a/schemas/graphql-rate-limiting-advanced/3.11.x.json +++ b/schemas/graphql-rate-limiting-advanced/3.11.x.json @@ -11,15 +11,14 @@ "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -28,26 +27,28 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "identifier": { - "required": true, "type": "string", - "default": "consumer", + "required": true, "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", + "default": "consumer", "one_of": [ "ip", "credential", 
@@ -57,19 +58,19 @@ }, { "window_size": { + "required": true, + "description": "One or more window sizes to apply a limit to (defined in seconds).", "elements": { "type": "number" }, - "description": "One or more window sizes to apply a limit to (defined in seconds).", - "required": true, "type": "array" } }, { "window_type": { - "default": "sliding", - "description": "Sets the time window to either `sliding` or `fixed`.", "type": "string", + "description": "Sets the time window to either `sliding` or `fixed`.", + "default": "sliding", "one_of": [ "fixed", "sliding" 
@@ -78,34 +79,34 @@ }, { "limit": { + "required": true, + "description": "One or more requests-per-window limits to apply.", "elements": { "type": "number" }, - "description": "One or more requests-per-window limits to apply.", - "required": true, "type": "array" } }, { "sync_rate": { - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.", "required": true, + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.", "type": "number" } }, { "namespace": { - "auto": true, "description": "The rate limiting namespace to use for this plugin instance. This namespace is used to share rate limiting counters across different instances. If it is not provided, a random UUID is generated. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", - "type": "string" + "type": "string", + "auto": true } }, { "strategy": { - "required": true, "type": "string", - "default": "cluster", + "required": true, "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", + "default": "cluster", "one_of": [ "cluster", "redis" 
@@ -114,9 +115,9 @@ }, { "dictionary_name": { - "default": "kong_rate_limiting_counters", - "description": "The shared dictionary where counters will be stored until the next sync cycle.", "required": true, + "description": "The shared dictionary where counters will be stored until the next sync cycle.", + "default": "kong_rate_limiting_counters", "type": "string" } }, @@ -129,9 +130,9 @@ }, { "cost_strategy": { - "default": "default", - "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", "type": "string", + "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`.", + "default": "default", "one_of": [ "default", "node_quantifier" @@ -140,25 +141,23 @@ }, { "score_factor": { - "required": false, - "type": "number", "gt": 0, + "type": "number", + "required": false, "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", "default": 1 } }, { "max_cost": { - "default": 0, - "description": "A defined maximum cost per query. 0 means unlimited.", "required": false, + "description": "A defined maximum cost per query. 0 means unlimited.", + "default": 0, "type": "number" } }, { "redis": { - "required": true, - "type": "record", "entity_checks": [ { "mutually_required": [ @@ -182,14 +181,14 @@ }, { "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", "if_field": "connection_is_proxied", "then_match": { "required": true - } + }, + "if_match": { + "eq": true + }, + "then_field": "host" } }, { @@ -220,12 +219,13 @@ } } ], + "type": "record", + "required": true, "shorthand_fields": [ { "timeout": { + "type": "integer", "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -242,47 +242,48 @@ "read_timeout" ] } - ] - }, - "type": "integer" + ], + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + } } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, "len_min": 1, "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "elements": { + "type": "string" }, "type": "array" } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, "len_min": 1, "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "elements": { + "type": "string" }, "type": "array" } @@ -291,8 +292,8 @@ "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, @@ -349,9 +350,9 @@ }, { "password": { - "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, "type": "string" } }, 
@@ -364,23 +365,23 @@ }, { "sentinel_password": { - "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "referenceable": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, "type": "string" } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, "between": [ 1, 2147483646 
@@ -390,11 +391,11 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "type": "integer" } }, @@ -417,16 +418,16 @@ }, { "sentinel_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { - "type": "record", "fields": [ { "host": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -441,24 +442,24 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { - "type": "record", "fields": [ { "ip": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -473,58 +474,70 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { + "required": false, "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "required": false, "type": "boolean" } }, { "ssl_verify": { + "required": false, "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string" } }, { "cluster_max_redirections": { + "required": false, "default": 5, "description": "Maximum retry attempts for redirection.", - "required": false, "type": "integer" } }, { "connection_is_proxied": { + "required": false, "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", - "required": false, "type": "boolean" } } ] } + }, + { + "pass_all_downstream_headers": { + "required": true, + "description": "pass all downstream headers to the upstream graphql server in introspection request", + "default": false, + "type": "boolean" + } } ], - "required": true, "type": "record" } } - ] + ], + "supported_partials": { + "redis-ee": [ + "config.redis" + ] + } } \ No newline at end of file diff --git a/schemas/grpc-gateway/3.11.x.json b/schemas/grpc-gateway/3.11.x.json index cb4aab19..5310df69 100644 --- a/schemas/grpc-gateway/3.11.x.json +++ b/schemas/grpc-gateway/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ @@ -29,31 +25,35 @@ "wss" ], "type": "string" - } + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "proto": { - "description": "Describes the gRPC types and methods.", "required": false, + "description": "Describes the gRPC types and methods.", "type": "string" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/grpc-web/3.11.x.json b/schemas/grpc-web/3.11.x.json index 95633634..719e7406 100644 --- a/schemas/grpc-web/3.11.x.json +++ b/schemas/grpc-web/3.11.x.json 
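Review bot: The description of the new `pass_all_downstream_headers` field (hunk `@@ -473,58 +474,70 @@` of schemas/graphql-rate-limiting-advanced/3.11.x.json) does not say that "all downstream headers" presumably includes any credentials the client sent, such as `Authorization` or `Cookie`, which would then reach the upstream GraphQL server on the introspection request when the flag is `true`. It also starts in lower case and has no full stop, unlike the neighbouring descriptions. I would word it as "If set to true, passes all downstream request headers, including any credentials they carry, to the upstream GraphQL server in the introspection request." The `false` default is the conservative choice and should stay.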
@@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ @@ -29,46 +25,50 @@ "wss" ], "type": "string" - } + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "proto": { - "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", "required": false, + "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", "type": "string" } }, { "pass_stripped_path": { - "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", "required": false, + "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", "type": "boolean" } }, { "allow_origin_header": { - "default": "*", - "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", "required": false, + "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", + "default": "*", "type": "string" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
diff --git a/schemas/header-cert-auth/3.11.x.json b/schemas/header-cert-auth/3.11.x.json index 380d6860..c179f21b 100644 --- a/schemas/header-cert-auth/3.11.x.json +++ b/schemas/header-cert-auth/3.11.x.json @@ -1,27 +1,23 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -30,19 +26,21 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "entity_checks": [ { "mutually_required": [ @@ -60,16 +58,16 @@ "fields": [ { "certificate_header_name": { - "description": "Name of the header that contains the certificate, received from the WAF or other L7 downstream proxy.", "required": true, + "description": "Name of the header that contains the certificate, received from the WAF or other L7 downstream proxy.", "type": "string" } }, { "certificate_header_format": { - "type": "string", - "description": "Format of the certificate header. Supported formats: `base64_encoded`, `url_encoded`.", "required": true, + "description": "Format of the certificate header. Supported formats: `base64_encoded`, `url_encoded`.", + "type": "string", "one_of": [ "base64_encoded", "url_encoded" 
@@ -78,9 +76,9 @@ }, { "secure_source": { - "default": true, - "description": "Whether to secure the source of the request. If set to `true`, the plugin will only allow requests from trusted IPs (configured by the `trusted_ips` config option).", "required": true, + "description": "Whether to secure the source of the request. If set to `true`, the plugin will only allow requests from trusted IPs (configured by the `trusted_ips` config option).", + "default": true, "type": "boolean" } }, @@ -92,8 +90,9 @@ }, { "consumer_by": { - "required": false, "type": "array", + "required": false, + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", "elements": { "type": "string", "one_of": [ @@ -101,7 +100,6 @@ "custom_id" ] }, - "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", "default": [ "username", "custom_id" 
@@ -110,43 +108,43 @@ }, { "ca_certificates": { + "required": true, + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", "elements": { "uuid": true, "type": "string" }, - "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", - "required": true, "type": "array" } }, { "cache_ttl": { - "default": 60, - "description": "Cache expiry time in seconds.", "required": true, + "description": "Cache expiry time in seconds.", + "default": 60, "type": "number" } }, { "skip_consumer_lookup": { - "default": false, - "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", "required": true, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "default": false, "type": "boolean" } }, { "allow_partial_chain": { - "default": false, - "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", "required": true, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "default": false, "type": "boolean" } }, { "authenticated_group_by": { - "required": false, "type": "string", + "required": false, "default": "CN", "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. 
To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "one_of": [ @@ -157,8 +155,8 @@ }, { "revocation_check_mode": { - "required": false, "type": "string", + "required": false, "default": "IGNORE_CA_ERROR", "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "one_of": [ @@ -196,11 +194,11 @@ }, { "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, @@ -212,18 +210,20 @@ }, { "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/hmac-auth/3.11.x.json b/schemas/hmac-auth/3.11.x.json index b922bd3e..5a564bdf 100644 --- a/schemas/hmac-auth/3.11.x.json +++ b/schemas/hmac-auth/3.11.x.json 
@@ -1,24 +1,16 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.algorithms" - ] - } - } - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", @@ -38,26 +30,26 @@ "wss" ] }, - "required": true, "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "hide_credentials": { - "default": false, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", "required": true, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "default": false, "type": "boolean" } }, 
@@ -77,26 +69,33 @@ }, { "validate_request_body": { - "default": false, - "description": "A boolean value telling the plugin to enable body validation.", "required": true, + "description": "A boolean value telling the plugin to enable body validation.", + "default": false, "type": "boolean" } }, { "enforce_headers": { - "elements": { - "type": "string" - }, - "description": "A list of headers that the client should at least use for HTTP signature creation.", "default": [ ], + "description": "A list of headers that the client should at least use for HTTP signature creation.", + "elements": { + "type": "string" + }, "type": "array" } }, { "algorithms": { + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", "elements": { "type": "string", "one_of": [ @@ -106,27 +105,28 @@ "hmac-sha512" ] }, - "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", - "default": [ - "hmac-sha1", - "hmac-sha256", - "hmac-sha384", - "hmac-sha512" - ], "type": "array" } }, { "realm": { - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "required": false, + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "type": "string" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.algorithms" + ] + } + } ] } \ No newline at end of file diff --git a/schemas/http-log/3.11.x.json b/schemas/http-log/3.11.x.json index 0c018a80..a6156412 100644 --- a/schemas/http-log/3.11.x.json +++ b/schemas/http-log/3.11.x.json 
@@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ @@ -29,34 +25,36 @@ "wss" ], "type": "string" - } + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "http_endpoint": { "encrypted": true, - "referenceable": true, "type": "string", + "required": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "required": true + "referenceable": true } }, { "method": { - "default": "POST", - "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", "type": "string", + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", + "default": "POST", "one_of": [ "POST", "PUT", @@ -66,9 +64,9 @@ }, { "content_type": { - "default": "application/json", - "description": "Indicates the type of data sent. The only available option is `application/json`.", "type": "string", + "description": "Indicates the type of data sent. The only available option is `application/json`.", + "default": "application/json", "one_of": [ "application/json", "application/json; charset=utf-8" 
@@ -91,46 +89,45 @@ }, { "retry_count": { - "description": "Number of times to retry when sending data to the upstream server.", - "type": "integer", "deprecation": { "old_default": 10, "message": "http-log: config.retry_count no longer works, please use config.queue.max_retry_time instead", "removal_in_version": "4.0" - } + }, + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer" } }, { "queue_size": { - "description": "Maximum number of log entries to be sent on each message to the upstream server.", - "type": "integer", "deprecation": { "old_default": 1, "message": "http-log: config.queue_size is deprecated, please use config.queue.max_batch_size instead", "removal_in_version": "4.0" - } + }, + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer" } }, { "flush_timeout": { - "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", - "type": "number", "deprecation": { "old_default": 2, "message": "http-log: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", "removal_in_version": "4.0" - } + }, + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number" } }, { "headers": { "values": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, "description": "An optional table of headers included in the HTTP message to the upstream server. Values are indexed by header name, and each header name accepts a single string.", "keys": { - "description": "A string representing an HTTP header name.", "match_none": [ { "err": "cannot contain 'Host' header", 
@@ -145,6 +142,7 @@ "pattern": "^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]%-[Tt][Yy][Pp][Ee]$" } ], + "description": "A string representing an HTTP header name.", "type": "string" }, "type": "map" @@ -152,11 +150,12 @@ }, { "queue": { + "required": true, "fields": [ { "max_batch_size": { - "default": 1, "description": "Maximum number of entries that can be processed at a time.", + "default": 1, "between": [ 1, 1000000 @@ -166,8 +165,8 @@ }, { "max_coalescing_delay": { - "default": 1, "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "default": 1, "between": [ 0, 3600 @@ -177,8 +176,8 @@ }, { "max_entries": { - "default": 10000, "description": "Maximum number of entries that can be waiting on the queue.", + "default": 10000, "between": [ 1, 1000000 @@ -194,15 +193,15 @@ }, { "max_retry_time": { - "default": 60, "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60, "type": "number" } }, { "initial_retry_delay": { - "default": 0.01, "description": "Time in seconds before the initial retry is made for a failing batch.", + "default": 0.01, "between": [ 0.001, 1000000 @@ -212,8 +211,8 @@ }, { "max_retry_delay": { - "default": 60, "description": "Maximum time in seconds between retries, caps exponential backoff.", + "default": 60, "between": [ 0.001, 1000000 @@ -223,9 +222,9 @@ }, { "concurrency_limit": { + "type": "integer", "default": 1, "description": "The number of of queue delivery timers. -1 indicates unlimited.", - "type": "integer", "one_of": [ -1, 1 @@ -233,7 +232,6 @@ } } ], - "required": true, "type": "record" } }, @@ -241,8 +239,8 @@ "custom_fields_by_lua": { "description": "Lua code as a key-value map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, "keys": { "type": "string", 
@@ -252,9 +250,11 @@ } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/injection-protection/3.11.x.json b/schemas/injection-protection/3.11.x.json index 1f100616..e7478f39 100644 --- a/schemas/injection-protection/3.11.x.json +++ b/schemas/injection-protection/3.11.x.json @@ -1,27 +1,23 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -30,19 +26,21 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -54,11 +52,8 @@ "fields": [ { "injection_types": { - "required": true, "type": "set", - "default": [ - "sql" - ], + "required": true, "description": "The type of injections to check for.", "elements": { "type": "string", @@ -70,16 +65,16 @@ "xpath_extended", "java_exception" ] - } + }, + "default": [ + "sql" + ] } }, { "locations": { - "required": true, "type": "set", - "default": [ - "path_and_query" - ], + "required": true, "description": "The locations to check for injection.", "elements": { "type": "string", 
@@ -88,40 +83,43 @@ "path_and_query", "body" ] - } + }, + "default": [ + "path_and_query" + ] } }, { "custom_injections": { + "default": null, + "description": "Custom regexes to check for.", "elements": { - "type": "record", "fields": [ { "name": { - "description": "A unique name for this injection.", "required": true, + "description": "A unique name for this injection.", "type": "string" } }, { "regex": { - "description": "The regex to match against.", - "is_regex": true, "required": true, - "type": "string" + "description": "The regex to match against.", + "type": "string", + "is_regex": true } } - ] + ], + "type": "record" }, - "description": "Custom regexes to check for.", - "default": null, "type": "array" } }, { "enforcement_mode": { - "required": true, "type": "string", + "required": true, "default": "block", "description": "Enforcement mode of the security policy.", "one_of": [ @@ -132,28 +130,30 @@ }, { "error_status_code": { + "type": "integer", + "required": true, + "default": 400, "between": [ 400, 499 ], - "required": true, - "type": "integer", - "default": 400, "description": "The response status code when validation fails." } }, { "error_message": { - "default": "Bad Request", - "description": "The response message when validation fails", "required": true, + "description": "The response message when validation fails", + "default": "Bad Request", "type": "string" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/ip-restriction/3.11.x.json b/schemas/ip-restriction/3.11.x.json index 6ce79129..6902af82 100644 --- a/schemas/ip-restriction/3.11.x.json +++ b/schemas/ip-restriction/3.11.x.json @@ -1,17 +1,9 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.allow", - "config.deny" - ] - } - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "http", "https", 
@@ -20,7 +12,6 @@ "grpc", "grpcs" ], - "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ @@ -36,50 +27,59 @@ "wss" ], "type": "string" - } + }, + "description": "A set of strings representing protocols." } }, { "config": { + "required": true, "fields": [ { "allow": { + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", "elements": { "type": "string", "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." }, - "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", "type": "array" } }, { "deny": { + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", "elements": { "type": "string", "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." }, - "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", "type": "array" } }, { "status": { - "description": "The HTTP status of the requests that will be rejected by the plugin.", "required": false, + "description": "The HTTP status of the requests that will be rejected by the plugin.", "type": "number" } }, { "message": { - "description": "The message to send as a response body to rejected requests.", "required": false, + "description": "The message to send as a response body to rejected requests.", "type": "string" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } ] } \ No newline at end of file diff --git a/schemas/jq/3.11.x.json b/schemas/jq/3.11.x.json index 623393bd..321b457a 100644 --- a/schemas/jq/3.11.x.json +++ b/schemas/jq/3.11.x.json 
@@ -1,27 +1,23 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -30,11 +26,13 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -52,59 +50,59 @@ }, { "request_jq_program_options": { + "required": false, "default": [ ], - "type": "record", - "required": false, "fields": [ { "compact_output": { - "default": true, "required": true, + "default": true, "type": "boolean" } }, { "raw_output": { - "default": false, "required": true, + "default": false, "type": "boolean" } }, { "join_output": { - "default": false, "required": true, + "default": false, "type": "boolean" } }, { "ascii_output": { - "default": false, "required": true, + "default": false, "type": "boolean" } }, { "sort_keys": { - "default": false, "required": true, + "default": false, "type": "boolean" } } - ] + ], + "type": "record" } }, { "request_if_media_type": { - "elements": { - "type": "string" - }, + "required": false, "default": [ "application/json" ], - "required": false, + "elements": { + "type": "string" + }, "type": "array" } }, 
@@ -116,64 +114,68 @@ }, { "response_jq_program_options": { + "required": false, "default": [ ], - "type": "record", - "required": false, "fields": [ { "compact_output": { - "default": true, "required": true, + "default": true, "type": "boolean" } }, { "raw_output": { - "default": false, "required": true, + "default": false, "type": "boolean" } }, { "join_output": { - "default": false, "required": true, + "default": false, "type": "boolean" } }, { "ascii_output": { - "default": false, "required": true, + "default": false, "type": "boolean" } }, { "sort_keys": { - "default": false, "required": true, + "default": false, "type": "boolean" } } - ] + ], + "type": "record" } }, { "response_if_media_type": { - "elements": { - "type": "string" - }, + "required": false, "default": [ "application/json" ], - "required": false, + "elements": { + "type": "string" + }, "type": "array" } }, { "response_if_status_code": { + "required": false, + "default": [ + 200 + ], "elements": { "between": [ 100, @@ -181,17 +183,15 @@ ], "type": "integer" }, - "default": [ - 200 - ], - "required": false, "type": "array" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/json-threat-protection/3.11.x.json b/schemas/json-threat-protection/3.11.x.json index e41dd894..756a1ecc 100644 --- a/schemas/json-threat-protection/3.11.x.json +++ b/schemas/json-threat-protection/3.11.x.json 
@@ -1,34 +1,23 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.max_body_size", - "config.max_container_depth" - ] - } - } - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -37,96 +26,106 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "max_body_size": { + "type": "integer", + "required": false, + "description": "Max size of the request body. -1 means unlimited.", "between": [ -1, 2147483648 ], - "required": false, - "type": "integer", - "default": 8192, - "description": "Max size of the request body. -1 means unlimited." + "default": 8192 } }, { "max_container_depth": { + "type": "integer", + "required": false, + "description": "Max nested depth of objects and arrays. -1 means unlimited.", "between": [ -1, 2147483648 ], - "required": false, - "type": "integer", - "default": -1, - "description": "Max nested depth of objects and arrays. -1 means unlimited." + "default": -1 } }, { "max_object_entry_count": { + "type": "integer", + "required": false, + "description": "Max number of entries in an object. -1 means unlimited.", "between": [ -1, 2147483648 ], - "required": false, - "type": "integer", - "default": -1, - "description": "Max number of entries in an object. -1 means unlimited." + "default": -1 } }, { "max_object_entry_name_length": { + "type": "integer", + "required": false, + "description": "Max string length of object name. -1 means unlimited.", "between": [ -1, 2147483648 ], - "required": false, - "type": "integer", - "default": -1, - "description": "Max string length of object name. -1 means unlimited." + "default": -1 } }, { "max_array_element_count": { + "type": "integer", + "required": false, + "description": "Max number of elements in an array. 
-1 means unlimited.", "between": [ -1, 2147483648 ], - "required": false, - "type": "integer", - "default": -1, - "description": "Max number of elements in an array. -1 means unlimited." + "default": -1 } }, { "max_string_value_length": { + "type": "integer", + "required": false, + "description": "Max string value length. -1 means unlimited.", "between": [ -1, 2147483648 ], + "default": -1 + } + }, + { + "allow_duplicate_object_entry_name": { "required": false, - "type": "integer", - "default": -1, - "description": "Max string value length. -1 means unlimited." + "default": true, + "description": "Allow or disallow duplicate object entry name.", + "type": "boolean" } }, { "enforcement_mode": { - "required": false, "type": "string", + "required": false, "default": "block", "description": "Enforcement mode of the security policy.", "one_of": [ @@ -137,28 +136,37 @@ }, { "error_status_code": { + "type": "integer", + "required": false, + "description": "The response status code when validation fails.", "between": [ 400, 499 ], - "required": false, - "type": "integer", - "default": 400, - "description": "The response status code when validation fails." + "default": 400 } }, { "error_message": { + "required": false, "default": "Bad Request", "description": "The response message when validation fails", - "required": false, "type": "string" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.max_body_size", + "config.max_container_depth" + ] + } + } ] } \ No newline at end of file diff --git a/schemas/jwe-decrypt/3.11.x.json b/schemas/jwe-decrypt/3.11.x.json index f414e64e..7d58b56b 100644 --- a/schemas/jwe-decrypt/3.11.x.json +++ b/schemas/jwe-decrypt/3.11.x.json 
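Review bot: The new `allow_duplicate_object_entry_name` field in the `@@ -37,96 +26,106 @@` hunk has `"default": true`, so a plugin instance created from this schema accepts objects with repeated member names unless the operator opts out. Different JSON parsers resolve duplicate names differently, which is the kind of ambiguity a threat-protection policy is usually expected to close. The description "Allow or disallow duplicate object entry name." does not say which value does what. I would word it as `"description": "Whether objects with duplicate entry names are accepted. Defaults to true (accepted); set to false to reject them."` The file looks like a downloaded schema, so the wording change, and any discussion of the default, likely belongs upstream.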
@@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -22,65 +18,69 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "lookup_header_name": { + "required": true, "default": "Authorization", "description": "The name of the header to look for the JWE token.", - "required": true, "type": "string" } }, { "forward_header_name": { + "required": true, "default": "Authorization", "description": "The name of the header that is used to set the decrypted value.", - "required": true, "type": "string" } }, { "key_sets": { + "required": true, + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", "elements": { "type": "string" }, - "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", - "required": true, "type": "array" } }, { "strict": { - "default": true, "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", + "default": true, "type": "boolean" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
diff --git a/schemas/jwt-signer/3.11.x.json b/schemas/jwt-signer/3.11.x.json index 613ca8b3..b5ac5e09 100644 --- a/schemas/jwt-signer/3.11.x.json +++ b/schemas/jwt-signer/3.11.x.json @@ -1,36 +1,23 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.access_token_upstream_header", - "config.channel_token_upstream_header", - "config.original_access_token_upstream_header", - "config.original_channel_token_upstream_header" - ] - } - } - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -39,19 +26,21 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "entity_checks": [ { "mutually_required": [ 
@@ -78,155 +67,153 @@ ] } ], - "type": "record", - "required": true, "fields": [ { "realm": { - "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", "required": false, + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", "type": "string" } }, { "enable_hs_signatures": { + "required": false, "default": false, "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting.", - "required": false, "type": "boolean" } }, { "enable_instrumentation": { + "required": false, "default": false, "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", - "required": false, "type": "boolean" } }, { "access_token_issuer": { + "required": false, "default": "kong", "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", - "required": false, "type": "string" } }, { "access_token_keyset": { + "required": false, "default": "kong", "description": "The name of the keyset containing signing keys.", - "required": false, "type": "string" } }, { "access_token_keyset_client_username": { - "referenceable": true, - "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`", "required": false, + "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `access_token_keyset_client_password`", + "referenceable": true, "type": "string" } }, { "access_token_keyset_client_password": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`", - "required": false + "referenceable": true } }, { "access_token_keyset_client_certificate": { + "required": false, "description": "The client certificate that will be used to authenticate Kong if `access_token_keyset` is an https uri that requires mTLS Auth.", "reference": "certificates", - "required": false, "type": "foreign" } }, { "access_token_keyset_rotate_period": { + "required": false, "default": 0, "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. The default value 0 means no auto-rotation.", - "required": false, "type": "number" } }, { "access_token_jwks_uri": { - "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", "required": false, + "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", "type": "string" } }, { "access_token_jwks_uri_client_username": { - "referenceable": true, - "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`", "required": false, + "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. 
Should be configured together with `access_token_jwks_uri_client_password`", + "referenceable": true, "type": "string" } }, { "access_token_jwks_uri_client_password": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`", - "required": false + "referenceable": true } }, { "access_token_jwks_uri_client_certificate": { + "required": false, "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", "reference": "certificates", - "required": false, "type": "foreign" } }, { "access_token_jwks_uri_rotate_period": { + "required": false, "default": 0, "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. The default value 0 means no auto-rotation.", - "required": false, "type": "number" } }, { "access_token_request_header": { + "required": false, "default": "Authorization", "description": "This parameter tells the name of the header where to look for the access token.", - "required": false, "type": "string" } }, { "access_token_leeway": { + "required": false, "default": 0, "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. 
You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", - "required": false, "type": "number" } }, { "access_token_scopes_required": { + "required": false, + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", "elements": { "type": "string" }, - "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", - "required": false, "type": "array" } }, { "access_token_scopes_claim": { - "required": false, "type": "array", + "required": false, + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", "elements": { "type": "string" }, - "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", "default": [ "scope" ] @@ -234,18 +221,19 @@ }, { "access_token_consumer_claim": { + "required": false, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", "elements": { "type": "string" }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", - "required": false, "type": "array" } }, { "access_token_consumer_by": { - "required": false, "type": "array", + "required": false, + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", "elements": { "type": "string", "one_of": [ 
@@ -254,7 +242,6 @@ "custom_id" ] }, - "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", "default": [ "username", "custom_id" 
@@ -263,77 +250,77 @@ }, { "access_token_upstream_header": { + "required": false, "default": "Authorization:Bearer", "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", - "required": false, "type": "string" } }, { "access_token_upstream_leeway": { + "required": false, "default": 0, "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", - "required": false, "type": "number" } }, { "access_token_introspection_endpoint": { - "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", "required": false, + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", "type": "string" } }, { "access_token_introspection_authorization": { - "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", "required": false, + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", "type": "string" } }, { "access_token_introspection_body_args": { - "description": "This parameter allows you to pass URL encoded request body arguments. 
For example: `resource=` or `a=1&b=&c`.", "required": false, + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", "type": "string" } }, { "access_token_introspection_hint": { + "required": false, "default": "access_token", "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", - "required": false, "type": "string" } }, { "access_token_introspection_jwt_claim": { + "required": false, + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", "elements": { "type": "string" }, - "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. 
Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", - "required": false, "type": "array" } }, { "access_token_introspection_scopes_required": { + "required": false, + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", "elements": { "type": "string" }, - "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", - "required": false, "type": "array" } }, { "access_token_introspection_scopes_claim": { - "required": true, "type": "array", + "required": true, + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", "elements": { "type": "string" }, - "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", "default": [ "scope" ] 
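Review bot: `access_token_introspection_authorization` holds the `Authorization` header value sent to the introspection endpoint, which is a client credential, yet its entry in this hunk has only `required`, `description` and `type`. The `*_client_password` fields in the same schema are marked `"encrypted": true` and `"referenceable": true`. If the schema reflects how the plugin stores the value, this credential would presumably be stored unencrypted and could not be given as a secret reference, so the entry should carry the same flags: `"encrypted": true, "referenceable": true`. The same applies to `channel_token_introspection_authorization` in the `@@ -676,94 +668,89 @@` hunk, whose description repeats the introspection-endpoint text and which keeps an `elements` key on a `string` type. If this file is exported from the plugin's schema rather than edited by hand, the change belongs in that source.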
@@ -341,18 +328,19 @@ }, { "access_token_introspection_consumer_claim": { + "required": false, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", "elements": { "type": "string" }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", - "required": false, "type": "array" } }, { "access_token_introspection_consumer_by": { - "required": false, "type": "array", + "required": false, + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.", "elements": { "type": "string", "one_of": [ @@ -361,7 +349,6 @@ "custom_id" ] }, - "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.", "default": [ "username", "custom_id" 
@@ -370,23 +357,23 @@ }, { "access_token_introspection_leeway": { + "required": false, "default": 0, "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", - "required": false, "type": "number" } }, { "access_token_introspection_timeout": { - "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", "required": false, + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", "type": "number" } }, { "access_token_signing_algorithm": { - "required": true, "type": "string", + "required": true, "default": "RS256", "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", "one_of": [ 
@@ -410,15 +397,15 @@ "values": { "type": "string" }, - "required": false, "type": "map", - "default": [ - - ], + "required": false, "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "keys": { "type": "string" - } + }, + "default": [ + + ] } }, { @@ -426,25 +413,25 @@ "values": { "type": "string" }, - "required": false, "type": "map", - "default": [ - - ], + "required": false, "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "keys": { "type": "string" - } + }, + "default": [ + + ] } }, { "remove_access_token_claims": { - "required": false, "type": "array", + "required": false, + "description": "remove claims. It should be an array, and each element is a claim key string.", "elements": { "type": "string" }, - "description": "remove claims. It should be an array, and each element is a claim key string.", "default": [ ] 
@@ -452,205 +439,205 @@ }, { "original_access_token_upstream_header": { - "description": "The HTTP header name used to store the original access token.", "required": false, + "description": "The HTTP header name used to store the original access token.", "type": "string" } }, { "access_token_optional": { + "required": false, "default": false, "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect", - "required": false, "type": "boolean" } }, { "verify_access_token_signature": { + "required": false, "default": true, "description": "Quickly turn access token signature verification off and on as needed.", - "required": false, "type": "boolean" } }, { "verify_access_token_expiry": { + "required": false, "default": true, "description": "Quickly turn access token expiry verification off and on as needed.", - "required": false, "type": "boolean" } }, { "verify_access_token_scopes": { + "required": false, "default": true, "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", - "required": false, "type": "boolean" } }, { "verify_access_token_introspection_expiry": { + "required": false, "default": true, "description": "Quickly turn access token introspection expiry verification off and on as needed.", - "required": false, "type": "boolean" } }, { "verify_access_token_introspection_scopes": { + "required": false, "default": true, "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", - "required": false, 
"type": "boolean" } }, { "cache_access_token_introspection": { + "required": false, "default": true, "description": "Whether to cache access token introspection results.", - "required": false, "type": "boolean" } }, { "trust_access_token_introspection": { + "required": false, "default": true, "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", - "required": false, "type": "boolean" } }, { "enable_access_token_introspection": { + "required": false, "default": true, "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", - "required": false, "type": "boolean" } }, { "channel_token_issuer": { + "required": false, "default": "kong", "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", - "required": false, "type": "string" } }, { "channel_token_keyset": { + "required": false, "default": "kong", "description": "The name of the keyset containing signing keys.", - "required": false, "type": "string" } }, { "channel_token_keyset_client_username": { - "referenceable": true, - "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`", "required": false, + "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_keyset_client_password`", + "referenceable": true, "type": "string" } }, { "channel_token_keyset_client_password": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_username`", - "required": false + "referenceable": true } }, { "channel_token_keyset_client_certificate": { + "required": false, "description": "The client certificate that will be used to authenticate Kong if `channel_token_keyset` is an https uri that requires mTLS Auth.", "reference": "certificates", - "required": false, "type": "foreign" } }, { "channel_token_keyset_rotate_period": { + "required": false, "default": 0, "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. The default value 0 means no auto-rotation.", - "required": false, "type": "number" } }, { "channel_token_jwks_uri": { - "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", "required": false, + "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", "type": "string" } }, { "channel_token_jwks_uri_client_username": { - "referenceable": true, - "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_jwks_uri_client_password`", "required": false, + "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", + "referenceable": true, "type": "string" } }, { "channel_token_jwks_uri_client_password": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`", - "required": false + "referenceable": true } }, { "channel_token_jwks_uri_client_certificate": { + "required": false, "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", "reference": "certificates", - "required": false, "type": "foreign" } }, { "channel_token_jwks_uri_rotate_period": { + "required": false, "default": 0, "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. The default value 0 means no auto-rotation.", - "required": false, "type": "number" } }, { "channel_token_request_header": { - "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", "required": false, + "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", "type": "string" } }, { "channel_token_leeway": { + "required": false, "default": 0, "description": "Adjusts clock skew between the token issuer and Kong. 
The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", - "required": false, "type": "number" } }, { "channel_token_scopes_required": { + "required": false, + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", "elements": { "type": "string" }, - "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", - "required": false, "type": "array" } }, { "channel_token_scopes_claim": { - "required": false, "type": "array", + "required": false, + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", "elements": { "type": "string" }, - "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", "default": [ "scope" ] 
@@ -658,16 +645,21 @@ }, { "channel_token_consumer_claim": { + "required": false, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", "elements": { "type": "string" }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", - "required": false, "type": "array" } }, { "channel_token_consumer_by": { + "default": [ + "username", + "custom_id" + ], + "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", "elements": { "type": "string", "one_of": [ 
@@ -676,94 +668,89 @@ "custom_id" ] }, - "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", - "default": [ - "username", - "custom_id" - ], "type": "array" } }, { "channel_token_upstream_header": { - "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", "required": false, + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", "type": "string" } }, { "channel_token_upstream_leeway": { + "required": false, "default": 0, "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", - "required": false, "type": "number" } }, { "channel_token_introspection_endpoint": { - "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", "required": false, + "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", "type": "string" } }, { "channel_token_introspection_authorization": { + "required": false, + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. 
Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", "elements": { "type": "string" }, - "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", - "required": false, "type": "string" } }, { "channel_token_introspection_body_args": { + "required": false, + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", "elements": { "type": "string" }, - "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", - "required": false, "type": "string" } }, { "channel_token_introspection_hint": { + "required": false, + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", "elements": { "type": "string" }, - "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. 
By default, a `hint` isn't sent with channel token introspection.", - "required": false, "type": "string" } }, { "channel_token_introspection_jwt_claim": { + "required": false, + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", "elements": { "type": "string" }, - "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", - "required": false, "type": "array" } }, { "channel_token_introspection_scopes_required": { + "required": false, + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", "elements": { "type": "string" }, - "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", - "required": false, "type": "array" } }, { "channel_token_introspection_scopes_claim": { - "required": false, "type": "array", + "required": false, + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", "elements": { "type": "string" }, - "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. 
This supports nested claims.", "default": [ "scope" ] @@ -771,18 +758,19 @@ }, { "channel_token_introspection_consumer_claim": { + "required": false, + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", "elements": { "type": "string" }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", - "required": false, "type": "array" } }, { "channel_token_introspection_consumer_by": { - "required": false, "type": "array", + "required": false, + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", "elements": { "type": "string", "one_of": [ @@ -791,7 +779,6 @@ "custom_id" ] }, - "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", "default": [ "username", "custom_id" 
@@ -800,23 +787,23 @@ }, { "channel_token_introspection_leeway": { + "required": false, "default": 0, "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", - "required": false, "type": "number" } }, { "channel_token_introspection_timeout": { - "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", "required": false, + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", "type": "number" } }, { "channel_token_signing_algorithm": { - "required": true, "type": "string", + "required": true, "default": "RS256", "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", "one_of": [ @@ -840,15 +827,15 @@ "values": { "type": "string" }, - "required": false, "type": "map", - "default": [ - - ], + "required": false, "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "keys": { "type": "string" - } + }, + "default": [ + + ] } }, { 
@@ -856,25 +843,25 @@ "values": { "type": "string" }, - "required": false, "type": "map", - "default": [ - - ], + "required": false, "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "keys": { "type": "string" - } + }, + "default": [ + + ] } }, { "remove_channel_token_claims": { - "required": false, "type": "array", + "required": false, + "description": "remove claims. It should be an array, and each element is a claim key string.", "elements": { "type": "string" }, - "description": "remove claims. It should be an array, and each element is a claim key string.", "default": [ ] 
@@ -882,79 +869,79 @@ }, { "original_channel_token_upstream_header": { - "description": "The HTTP header name used to store the original channel token.", "required": false, + "description": "The HTTP header name used to store the original channel token.", "type": "string" } }, { "channel_token_optional": { + "required": false, "default": false, "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", - "required": false, "type": "boolean" } }, { "verify_channel_token_signature": { + "required": false, "default": true, "description": "Quickly turn on/off the channel token signature verification.", - "required": false, "type": "boolean" } }, { "verify_channel_token_expiry": { - "default": true, "required": false, + "default": true, "type": "boolean" } }, { "verify_channel_token_scopes": { + "required": false, "default": true, "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", - "required": false, "type": "boolean" } }, { "verify_channel_token_introspection_expiry": { + "required": false, "default": true, "description": "Quickly turn on/off the channel token introspection expiry verification.", - "required": false, "type": "boolean" } }, { "verify_channel_token_introspection_scopes": { + "required": false, "default": true, "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", - "required": false, "type": "boolean" } }, { "cache_channel_token_introspection": { + "required": 
false, "default": true, "description": "Whether to cache channel token introspection results.", - "required": false, "type": "boolean" } }, { "trust_channel_token_introspection": { + "required": false, "default": true, "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", - "required": false, "type": "boolean" } }, { "enable_channel_token_introspection": { + "required": false, "default": true, "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", - "required": false, "type": "boolean" } }, @@ -963,15 +950,15 @@ "values": { "type": "string" }, - "required": false, "type": "map", - "default": [ - - ], + "required": false, "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "keys": { "type": "string" - } + }, + "default": [ + + ] } }, { 
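Review bot: `verify_channel_token_expiry` is the only `verify_channel_token_*` field in the `@@ -882,79 +869,79 @@` hunk that has no `description`, so the generated reference will list a switch that turns off expiry checking with no explanation. I would add `"description": "Quickly turn on/off the channel token expiry verification."`, matching the wording of its siblings. Since this file is pulled from the API, the fix probably belongs in the upstream plugin schema rather than here. The same hunk shows `trust_channel_token_introspection` defaulting to `true`, which skips payload expiry and scope checks; that default is worth calling out prominently in the rendered docs.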
@@ -979,17 +966,30 @@ "values": { "type": "string" }, - "required": false, "type": "map", - "default": [ - - ], + "required": false, "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "keys": { "type": "string" - } + }, + "default": [ + + ] } } + ], + "type": "record" + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.access_token_upstream_header", + "config.channel_token_upstream_header", + "config.original_access_token_upstream_header", + "config.original_channel_token_upstream_header" ] } } diff --git a/schemas/jwt/3.11.x.json b/schemas/jwt/3.11.x.json index 06e0c528..f51483fa 100644 --- a/schemas/jwt/3.11.x.json +++ b/schemas/jwt/3.11.x.json @@ -1,38 +1,23 @@ { - "entity_checks": [ - { - "conditional": { - "if_match": { - "gt": 0 - }, - "then_field": "config.claims_to_verify", - "if_field": "config.maximum_expiration", - "then_match": { - "contains": "exp" - } - } - } - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -41,41 +26,43 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "uri_param_names": { - "elements": { - "type": "string" - }, - "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", "default": [ "jwt" ], + "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", + "elements": { + "type": "string" + }, "type": "set" } }, { "cookie_names": { - "elements": { - "type": "string" - }, - "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", "default": [ ], + "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", + "elements": { + "type": "string" + }, "type": "set" } }, @@ -88,14 +75,15 @@ }, { "secret_is_base64": { - "default": false, - "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", "required": true, + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", + "default": false, "type": "boolean" } }, { "claims_to_verify": { + "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", "elements": { "type": "string", "one_of": [ 
@@ -103,7 +91,6 @@ "nbf" ] }, - "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", "type": "set" } }, @@ -115,9 +102,9 @@ }, { "run_on_preflight": { - "default": true, - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", "required": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", + "default": true, "type": "boolean" } }, @@ -134,27 +121,40 @@ }, { "header_names": { - "elements": { - "type": "string" - }, - "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", "default": [ "authorization" ], + "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", + "elements": { + "type": "string" + }, "type": "set" } }, { "realm": { - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "required": false, + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "type": "string" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "config.maximum_expiration", + "then_match": { + "contains": "exp" + }, + "if_match": { + "gt": 0 + }, + "then_field": "config.claims_to_verify" + } + } ] } \ No newline at end of file diff --git a/schemas/kafka-consume/3.11.x.json b/schemas/kafka-consume/3.11.x.json index 727f8b8b..a35bfb86 100644 --- a/schemas/kafka-consume/3.11.x.json +++ b/schemas/kafka-consume/3.11.x.json 
@@ -1,10 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ], "elements": { "type": "string", "one_of": [ @@ -16,28 +22,20 @@ "wss" ] }, - "type": "set", - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], - "required": true + "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "description": "Custom type for representing a foreign key with a null value allowed.", "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", "eq": null } }, { "config": { + "required": true, "entity_checks": [ { "custom_entity_check": { @@ -47,45 +45,43 @@ } } ], - "type": "record", "fields": [ { "bootstrap_servers": { + "required": true, "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", - "type": "set", "elements": { - "type": "record", "fields": [ { "host": { + "required": true, "description": "A string representing a host name, such as example.com.", - "type": "string", - "required": true + "type": "string" } }, { "port": { + "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": true + "type": "integer" } } - ] + ], + "type": "record" }, - "required": true + "type": "set" } }, { "topics": { "type": "array", + "required": true, "len_min": 1, - "description": "The Kafka topics and their configuration you want to consume from.", "elements": { - "type": "record", "fields": [ { "name": { 
@@ -93,147 +89,152 @@ "type": "string" } } - ] + ], + "type": "record" }, - "required": true + "description": "The Kafka topics and their configuration you want to consume from." } }, { "mode": { "type": "string", + "required": true, + "default": "http-get", "description": "The mode of operation for the plugin.", "one_of": [ "server-sent-events", - "http-get" - ], - "default": "http-get", - "required": true + "http-get", + "websocket" + ] } }, { "message_deserializer": { "type": "string", + "required": true, + "default": "noop", "description": "The deserializer to use for the consumed messages.", "one_of": [ "json", "noop" - ], - "default": "noop", - "required": true + ] } }, { "auto_offset_reset": { "type": "string", + "required": true, + "default": "latest", "description": "The offset to start from when there is no initial offset in the consumer group.", "one_of": [ "earliest", "latest" - ], - "default": "latest", - "required": true + ] } }, { "commit_strategy": { "type": "string", + "required": true, + "default": "auto", "description": "The strategy to use for committing offsets.", "one_of": [ "auto", "off" - ], - "default": "auto", - "required": true + ] } }, { "authentication": { - "type": "record", + "required": true, "fields": [ { "strategy": { + "required": false, "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "type": "string", "one_of": [ "sasl" - ], - "required": false + ] } }, { "mechanism": { + "required": false, "description": "The SASL authentication mechanism. 
Supported options: `PLAIN` or `SCRAM-SHA-256`.", "type": "string", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" - ], - "required": false + ] } }, { "tokenauth": { + "required": false, "description": "Enable this to indicate `DelegationToken` authentication", - "type": "boolean", - "required": false + "type": "boolean" } }, { "user": { + "encrypted": true, "type": "string", - "referenceable": true, + "required": false, "description": "Username for SASL authentication.", - "encrypted": true, - "required": false + "referenceable": true } }, { "password": { + "encrypted": true, "type": "string", - "referenceable": true, + "required": false, "description": "Password for SASL authentication.", - "encrypted": true, - "required": false + "referenceable": true } } ], - "required": true + "type": "record" } }, { "security": { - "type": "record", + "required": true, "fields": [ { "certificate_id": { + "required": false, "description": "UUID of certificate entity for mTLS authentication.", "type": "string", - "required": false, "uuid": true } }, { "ssl": { + "required": false, "description": "Enables TLS.", - "type": "boolean", - "required": false + "type": "boolean" } } ], - "required": true + "type": "record" } }, { "cluster_name": { + "required": false, "description": "An identifier for the Kafka cluster.", - "type": "string", - "required": false + "type": "string" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/kafka-log/3.11.x.json b/schemas/kafka-log/3.11.x.json index 2b4dc212..e2825924 100644 --- a/schemas/kafka-log/3.11.x.json +++ b/schemas/kafka-log/3.11.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", 
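Review bot: The `mechanism` description in the kafka-consume schema still reads "Supported options: `PLAIN` or `SCRAM-SHA-256`", while the `one_of` list directly below it also accepts `SCRAM-SHA-512`. This series corrects the same sentence in kafka-log but leaves it stale here, so the rendered reference will hide the strongest option the field accepts. The sentence should list all three values, using the wording the kafka-upstream schema already has ("`PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`"). As the file is downloaded from the API, the correction likely has to be made in the upstream schema.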
@@ -24,20 +22,20 @@ "wss" ] }, - "required": true, "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "entity_checks": [ { "custom_entity_check": { @@ -50,44 +48,51 @@ "fields": [ { "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "elements": { - "type": "record", "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", "required": true, + "description": "A string representing a host name, such as example.com.", "type": "string" } }, { "port": { + "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": true, "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "type": "set" } }, { "topic": { - "description": "The Kafka topic to publish to.", "required": true, + "description": "The Kafka topic to publish to.", + "type": "string" + } + }, + { + "key_query_arg": { + "required": false, + "description": "The request query parameter name that contains the Kafka message key. If specified, messages with the same key will be sent to the same Kafka partition, ensuring consistent ordering.", "type": "string" } }, { "timeout": { - "default": 10000, "description": "Socket timeout in milliseconds.", + "default": 10000, "type": "integer" } }, 
@@ -105,12 +110,13 @@ }, { "authentication": { + "required": true, "fields": [ { "strategy": { - "type": "string", - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "required": false, + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "type": "string", "one_of": [ "sasl" ] @@ -118,9 +124,9 @@ }, { "mechanism": { - "type": "string", - "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", "required": false, + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256` or `SCRAM-SHA-512`.", + "type": "string", "one_of": [ "PLAIN", "SCRAM-SHA-256", @@ -130,36 +136,36 @@ }, { "tokenauth": { - "description": "Enable this to indicate `DelegationToken` authentication", "required": false, + "description": "Enable this to indicate `DelegationToken` authentication", "type": "boolean" } }, { "user": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "Username for SASL authentication.", - "required": false + "referenceable": true } }, { "password": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "Password for SASL authentication.", - "required": false + "referenceable": true } } ], - "required": true, "type": "record" } }, { "security": { + "required": true, "fields": [ { "certificate_id": { 
@@ -171,29 +177,28 @@ }, { "ssl": { - "description": "Enables TLS.", "required": false, + "description": "Enables TLS.", "type": "boolean" } } ], - "required": true, "type": "record" } }, { "cluster_name": { - "auto": true, - "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", "required": false, + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "auto": true, "type": "string" } }, { "producer_request_acks": { + "type": "integer", "default": 1, "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", - "type": "integer", "one_of": [ -1, 0, 
@@ -203,57 +208,57 @@ }, { "producer_request_timeout": { - "default": 2000, "description": "Time to wait for a Produce response in milliseconds", + "default": 2000, "type": "integer" } }, { "producer_request_limits_messages_per_request": { - "default": 200, "description": "Maximum number of messages to include into a single Produce request.", + "default": 200, "type": "integer" } }, { "producer_request_limits_bytes_per_request": { - "default": 1048576, "description": "Maximum size of a Produce request in bytes.", + "default": 1048576, "type": "integer" } }, { "producer_request_retries_max_attempts": { - "default": 10, "description": "Maximum number of retry attempts per single Produce request.", + "default": 10, "type": "integer" } }, { "producer_request_retries_backoff_timeout": { - "default": 100, "description": "Backoff interval between retry attempts in milliseconds.", + "default": 100, "type": "integer" } }, { "producer_async": { - "default": true, "description": "Flag to enable asynchronous mode.", + "default": true, "type": "boolean" } }, { "producer_async_flush_timeout": { - "default": 1000, "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", + "default": 1000, "type": "integer" } }, { "producer_async_buffering_limits_messages_in_memory": { - "default": 50000, "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", + "default": 50000, "type": "integer" } }, @@ -261,8 +266,8 @@ "custom_fields_by_lua": { "description": "Lua code as a key-value map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, "keys": { "type": "string", @@ -272,9 +277,11 @@ } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/kafka-upstream/3.11.x.json b/schemas/kafka-upstream/3.11.x.json index e05b530c..a0b02118 100644 --- a/schemas/kafka-upstream/3.11.x.json 
+++ b/schemas/kafka-upstream/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -22,19 +18,21 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "entity_checks": [ { "custom_entity_check": { 
@@ -57,37 +55,61 @@ "fields": [ { "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "elements": { - "type": "record", "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", "required": true, + "description": "A string representing a host name, such as example.com.", "type": "string" } }, { "port": { + "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": true, "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "type": "set" } }, + { + "topics_query_arg": { + "required": false, + "description": "The request query parameter name that contains the topics to publish to", + "type": "string" + } + }, + { + "allowed_topics": { + "required": false, + "description": "The list of allowed topic names to which messages can be sent. The default topic configured in the `topic` field is always allowed, regardless of its inclusion in `allowed_topics`.", + "elements": { + "type": "string" + }, + "type": "array" + } + }, { "topic": { - "description": "The Kafka topic to publish to.", "required": true, + "description": "The default Kafka topic to publish to if the query parameter defined in the `topics_query_arg` does not exist in the request", + "type": "string" + } + }, + { + "key_query_arg": { + "required": false, + "description": "The request query parameter name that contains the Kafka message key. If specified, messages with the same key will be sent to the same Kafka partition, ensuring consistent ordering.", "type": "string" } }, 
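Review bot: `allowed_topics` is added as optional with no default, and neither its description nor that of `topics_query_arg` says what happens when `topics_query_arg` is set and `allowed_topics` is left unset. Because the topic name then comes from a request query parameter, an operator needs to know whether an unset list means "only the default `topic`" or "any topic the client names"; the schema alone does not show which. I would extend the `allowed_topics` description with a sentence such as `Set this whenever topics_query_arg is configured; when unset, <behaviour to be confirmed upstream>.` The new `key_query_arg` in the same hunk is also taken from the request and would benefit from a note that its value is client-controlled.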
@@ -113,12 +135,13 @@ }, { "authentication": { + "required": true, "fields": [ { "strategy": { - "type": "string", - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "required": false, + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "type": "string", "one_of": [ "sasl" ] @@ -126,9 +149,9 @@ }, { "mechanism": { - "type": "string", - "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", "required": false, + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", + "type": "string", "one_of": [ "PLAIN", "SCRAM-SHA-256", @@ -138,54 +161,53 @@ }, { "tokenauth": { - "description": "Enable this to indicate `DelegationToken` authentication.", "required": false, + "description": "Enable this to indicate `DelegationToken` authentication.", "type": "boolean" } }, { "user": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "Username for SASL authentication.", - "required": false + "referenceable": true } }, { "password": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "Password for SASL authentication.", - "required": false + "referenceable": true } } ], - "required": true, "type": "record" } }, { "security": { + "required": true, "fields": [ { "certificate_id": { - "uuid": true, - "description": "UUID of certificate entity for mTLS authentication.", "required": false, - "type": "string" + "description": "UUID of certificate entity for mTLS authentication.", + "type": "string", + "uuid": true } }, { "ssl": { - "description": "Enables TLS.", "required": false, + "description": "Enables TLS.", "type": "boolean" } } ], - "required": true, "type": "record" } }, 
@@ -217,19 +239,29 @@ "type": "boolean" } }, + { + "message_by_lua_functions": { + "required": false, + "description": "The Lua functions that manipulates the message being sent to the Kafka topic.", + "elements": { + "type": "string" + }, + "type": "array" + } + }, { "cluster_name": { - "auto": true, - "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", "required": false, - "type": "string" + "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", + "type": "string", + "auto": true } }, { "producer_request_acks": { - "default": 1, - "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "type": "integer", + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "default": 1, "one_of": [ -1, 0, @@ -294,9 +326,11 @@ } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
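Review bot: The description of the new `message_by_lua_functions` field does not say that each array element is Lua source run by the gateway, so the reference page will not tell operators that write access to this plugin's configuration amounts to running code inside the gateway. I would reword it to `"description": "Lua functions that manipulate the message before it is sent to the Kafka topic. Each entry is Lua source executed by the gateway; restrict who can edit this field."`, which also fixes the grammar of "functions that manipulates". Whether these functions run under the sandbox governed by Kong's `untrusted_lua` setting is not visible in this schema and should be confirmed and stated in the description.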
diff --git a/schemas/key-auth-enc/3.11.x.json b/schemas/key-auth-enc/3.11.x.json index 0db052a3..08dd177a 100644 --- a/schemas/key-auth-enc/3.11.x.json +++ b/schemas/key-auth-enc/3.11.x.json @@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", @@ -32,30 +30,30 @@ "wss" ] }, - "required": true, "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "key_names": { - "required": true, "type": "array", + "required": true, + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "elements": { "type": "string", "description": "A string representing an HTTP header name." }, - "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "default": [ "apikey" ] 
@@ -63,8 +61,8 @@ }, { "hide_credentials": { - "default": false, "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", + "default": false, "type": "boolean" } }, @@ -76,43 +74,45 @@ }, { "key_in_header": { - "default": true, "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", + "default": true, "type": "boolean" } }, { "key_in_query": { - "default": true, "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", + "default": true, "type": "boolean" } }, { "key_in_body": { - "default": false, "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "default": false, "type": "boolean" } }, { "run_on_preflight": { - "default": true, "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", + "default": true, "type": "boolean" } }, { "realm": { - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "required": false, + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "type": "string" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/key-auth/3.11.x.json b/schemas/key-auth/3.11.x.json index dbb4a35d..86540e92 100644 --- a/schemas/key-auth/3.11.x.json +++ b/schemas/key-auth/3.11.x.json 
@@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", @@ -32,30 +30,30 @@ "wss" ] }, - "required": true, "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "key_names": { - "required": true, "type": "array", + "required": true, + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "elements": { "type": "string", "description": "A string representing an HTTP header name." }, - "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "default": [ "apikey" ] @@ -63,9 +61,9 @@ }, { "hide_credentials": { + "required": true, "default": false, "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", - "required": true, "type": "boolean" } }, 
@@ -77,47 +75,129 @@ }, { "key_in_header": { + "required": true, "default": true, "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", - "required": true, "type": "boolean" } }, { "key_in_query": { + "required": true, "default": true, "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", - "required": true, "type": "boolean" } }, { "key_in_body": { + "required": true, "default": false, "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", - "required": true, "type": "boolean" } }, { "run_on_preflight": { + "required": true, "default": true, "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", - "required": true, "type": "boolean" } }, { "realm": { - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "required": false, + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "type": "string" } + }, + { + "identity_realms": { + "default": [ + { + "id": null, + "region": null, + "scope": "cp" + } + ], + "description": "A configuration of Konnect Identity Realms that indicate where to source a consumer from.", + "elements": { + "entity_checks": [ + { + "conditional": { + "if_field": "scope", + "then_match": { + "required": true + }, + "if_match": { + "eq": "realm" + }, + "then_field": "id" + } + }, + { + "conditional": { + "if_field": "scope", + "then_match": { + "required": false, + "eq": null + }, + "if_match": { + "eq": "cp" + }, + "then_field": "id" + } + }, + { + "conditional": { + "if_field": "scope", + "then_match": { + "required": false, + "eq": null + 
}, + "if_match": { + "eq": "cp" + }, + "then_field": "region" + } + } + ], + "fields": [ + { + "scope": { + "type": "string", + "one_of": [ + "cp", + "realm" + ] + } + }, + { + "id": { + "auto": false, + "description": "A string representing a UUID (universally unique identifier).", + "type": "string", + "uuid": true + } + }, + { + "region": { + "type": "string" + } + } + ], + "type": "record" + }, + "type": "set" + } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/konnect-application-auth/3.11.x.json b/schemas/konnect-application-auth/3.11.x.json index e7763990..d9180e5d 100644 --- a/schemas/konnect-application-auth/3.11.x.json +++ b/schemas/konnect-application-auth/3.11.x.json @@ -1,27 +1,23 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
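Review bot: In the `identity_realms` element record added to schemas/key-auth/3.11.x.json, the `scope` field has a `one_of` of `cp`/`realm` but is not marked `required`, while all three `conditional` entity checks are keyed on `scope` equalling one of those values. An element that omits `scope` would therefore appear to match none of the conditionals, leaving `id` and `region` unconstrained; this is worth confirming against the validator, since the setting decides where the plugin sources the consumer for an authentication decision. If that is not intended, the field could read `"scope": { "type": "string", "required": true, "one_of": ["cp", "realm"] }`; as this file looks like a downloaded copy of the plugin schema, the change would belong in the plugin's own schema rather than here. The `identity_realms` description also does not say what `cp` and `realm` mean, nor that `region` stays optional when `scope` is `realm`.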
@@ -30,32 +26,34 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "entity_checks": [ ], "fields": [ { "key_names": { - "required": true, "type": "array", + "required": true, + "description": "The names of the headers containing the API key. You can specify multiple header names.", "elements": { "type": "string", "description": "A string representing an HTTP header name." }, - "description": "The names of the headers containing the API key. You can specify multiple header names.", "default": [ "apikey" ] @@ -63,8 +61,8 @@ }, { "auth_type": { - "required": true, "type": "string", + "required": true, "default": "openid-connect", "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", "one_of": [ 
@@ -78,146 +76,132 @@ "scope": { "required": true, "description": "The unique scope identifier for the plugin configuration.", - "unique": true, - "type": "string" + "type": "string", + "unique": true } }, { "v2_strategies": { - "required": false, "type": "record", - "default": [ - - ], + "required": false, "description": "The map of v2 strategies.", "fields": [ { "key_auth": { + "required": false, + "description": "List of key_auth strategies.", "elements": { - "type": "record", "fields": [ { "strategy_id": { - "description": "The strategy id the config is tied to.", "required": true, + "description": "The strategy id the config is tied to.", "type": "string" } }, { "config": { - "type": "record", "required": true, "fields": [ { "key_names": { - "required": true, "type": "array", + "required": true, + "description": "The names of the headers containing the API key. You can specify multiple header names.", "elements": { "type": "string", "description": "A string representing an HTTP header name." }, - "description": "The names of the headers containing the API key. You can specify multiple header names.", "default": [ "apikey" ] } } - ] + ], + "type": "record" } } - ] + ], + "type": "record" }, - "description": "List of key_auth strategies.", - "required": false, "type": "array" } }, { "openid_connect": { + "required": false, + "description": "List of openid_connect strategies.", "elements": { - "type": "record", "fields": [ { "strategy_id": { - "description": "The strategy id the config is tied to.", "required": true, + "description": "The strategy id the config is tied to.", "type": "string" } }, { "config": { "description": "openid-connect plugin configuration.", - "type": "record", "fields": [ { "issuer": { - "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", "required": true, + "description": "The discovery endpoint (or the issuer identifier). 
When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", "type": "string" } }, { "using_pseudo_issuer": { - "default": false, - "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", "required": false, + "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "default": false, "type": "boolean" } }, { "discovery_headers_names": { + "required": false, + "description": "Extra header names passed to the discovery endpoint.", "elements": { "type": "string" }, - "description": "Extra header names passed to the discovery endpoint.", - "required": false, "type": "array" } }, { "discovery_headers_values": { + "required": false, + "description": "Extra header values passed to the discovery endpoint.", "elements": { "type": "string" }, - "description": "Extra header values passed to the discovery endpoint.", - "required": false, "type": "array" } }, { "extra_jwks_uris": { + "required": false, + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", - "required": false, "type": "set" } }, { "rediscovery_lifetime": { - "default": 30, - "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", "required": false, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. 
Discovery is still triggered on an as-needed basis.", + "default": 30, "type": "number" } }, { "auth_methods": { - "required": false, "type": "array", - "default": [ - "password", - "client_credentials", - "authorization_code", - "bearer", - "introspection", - "userinfo", - "kong_oauth2", - "refresh_token", - "session" - ], + "required": false, "description": "Types of credentials/grants to enable.", "elements": { "type": "string", @@ -232,35 +216,48 @@ "refresh_token", "session" ] - } + }, + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] } }, { "client_id": { "encrypted": true, - "required": false, "type": "array", + "required": false, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", "elements": { - "referenceable": true, - "type": "string" - }, - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." + "type": "string", + "referenceable": true + } } }, { "client_secret": { "encrypted": true, - "required": false, "type": "array", + "required": false, + "description": "The client secret.", "elements": { - "referenceable": true, - "type": "string" - }, - "description": "The client secret." + "type": "string", + "referenceable": true + } } }, { "client_auth": { + "required": false, + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", "elements": { "type": "string", "one_of": [ 
@@ -273,15 +270,14 @@ "none" ] }, - "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", - "required": false, "type": "array" } }, { "client_jwk": { + "required": false, + "description": "The JWK used for the private_key_jwt authentication.", "elements": { - "type": "record", "required": false, "fields": [ { @@ -304,11 +300,11 @@ }, { "key_ops": { + "required": false, "elements": { "required": false, "type": "string" }, - "required": false, "type": "array" } }, @@ -332,11 +328,11 @@ }, { "x5c": { + "required": false, "elements": { "required": false, "type": "string" }, - "required": false, "type": "array" } }, @@ -354,10 +350,10 @@ }, { "k": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "type": "string", + "encrypted": true, + "referenceable": true } }, { 
@@ -392,85 +388,86 @@ }, { "d": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "type": "string", + "encrypted": true, + "referenceable": true } }, { "p": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "type": "string", + "encrypted": true, + "referenceable": true } }, { "q": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "type": "string", + "encrypted": true, + "referenceable": true } }, { "dp": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "type": "string", + "encrypted": true, + "referenceable": true } }, { "dq": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "type": "string", + "encrypted": true, + "referenceable": true } }, { "qi": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "type": "string", + "encrypted": true, + "referenceable": true } }, { "oth": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "type": "string", + "encrypted": true, + "referenceable": true } }, { "r": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "type": "string", + "encrypted": true, + "referenceable": true } }, { "t": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "type": "string", + "encrypted": true, + "referenceable": true } } - ] + ], + "type": "record" }, - "description": "The JWK used for the private_key_jwt authentication.", - "required": false, "type": "array" } }, { "client_alg": { + "required": false, + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", "elements": { "type": "string", "one_of": [ 
@@ -489,125 +486,123 @@ "EdDSA" ] }, - "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", - "required": false, "type": "array" } }, { "client_arg": { - "default": "client_id", - "description": "The client to use for this request (the selection is made with a request parameter with the same name).", "required": false, + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "default": "client_id", "type": "string" } }, { "redirect_uri": { + "required": false, + "description": "The redirect URI passed to the authorization and token endpoints.", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "description": "The redirect URI passed to the authorization and token endpoints.", - "required": false, "type": "array" } }, { "login_redirect_uri": { + "required": false, + "description": "Where to redirect the client when `login_action` is set to `redirect`.", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "referenceable": true, "type": "string" }, - "description": "Where to redirect the client when `login_action` is set to `redirect`.", - "required": false, "type": "array" } }, { "logout_redirect_uri": { + "required": false, + "description": "Where to redirect the client after the logout.", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "referenceable": true, "type": "string" }, - "description": "Where to redirect the client after the logout.", - "required": false, "type": "array" } }, { "forbidden_redirect_uri": { + "required": false, + "description": "Where to redirect the client on forbidden requests.", "elements": { "type": "string", "description": "A string representing a URL, such as 
https://example.com/path/to/resource?q=search." }, - "description": "Where to redirect the client on forbidden requests.", - "required": false, "type": "array" } }, { "forbidden_error_message": { - "default": "Forbidden", - "description": "The error message for the forbidden requests (when not using the redirection).", "required": false, + "description": "The error message for the forbidden requests (when not using the redirection).", + "default": "Forbidden", "type": "string" } }, { "forbidden_destroy_session": { - "default": true, - "description": "Destroy any active session for the forbidden requests.", "required": false, + "description": "Destroy any active session for the forbidden requests.", + "default": true, "type": "boolean" } }, { "unauthorized_destroy_session": { - "default": true, - "description": "Destroy any active session for the unauthorized requests.", "required": false, + "description": "Destroy any active session for the unauthorized requests.", + "default": true, "type": "boolean" } }, { "unauthorized_redirect_uri": { + "required": false, + "description": "Where to redirect the client on unauthorized requests.", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
}, - "description": "Where to redirect the client on unauthorized requests.", - "required": false, "type": "array" } }, { "unauthorized_error_message": { - "default": "Unauthorized", - "description": "The error message for the unauthorized requests (when not using the redirection).", "required": false, + "description": "The error message for the unauthorized requests (when not using the redirection).", + "default": "Unauthorized", "type": "string" } }, { "unexpected_redirect_uri": { + "required": false, + "description": "Where to redirect the client when unexpected errors happen with the requests.", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "description": "Where to redirect the client when unexpected errors happen with the requests.", - "required": false, "type": "array" } }, { "response_mode": { - "required": false, "type": "string", - "default": "query", + "required": false, "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "default": "query", "one_of": [ "query", "form_post", 
@@ -621,182 +616,182 @@ }, { "response_type": { - "required": false, "type": "array", - "default": [ - "code" - ], + "required": false, "description": "The response type passed to the authorization endpoint.", "elements": { "type": "string" - } + }, + "default": [ + "code" + ] } }, { "scopes": { - "required": false, "type": "array", - "default": [ - "openid" - ], + "required": false, "description": "The scopes passed to the authorization and token endpoints.", "elements": { - "referenceable": true, - "type": "string" - } + "type": "string", + "referenceable": true + }, + "default": [ + "openid" + ] } }, { "audience": { + "required": false, + "description": "The audience passed to the authorization endpoint.", "elements": { "type": "string" }, - "description": "The audience passed to the authorization endpoint.", - "required": false, "type": "array" } }, { "issuers_allowed": { + "required": false, + "description": "The issuers allowed to be present in the tokens (`iss` claim).", "elements": { "type": "string" }, - "description": "The issuers allowed to be present in the tokens (`iss` claim).", - "required": false, "type": "array" } }, { "scopes_required": { + "required": false, + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" }, - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "required": false, "type": "array" } }, { "scopes_claim": { - "required": false, "type": "array", - "default": [ - "scope" - ], + "required": false, "description": "The claim that contains the scopes. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - } + }, + "default": [ + "scope" + ] } }, { "audience_required": { + "required": false, + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" }, - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "required": false, "type": "array" } }, { "audience_claim": { - "required": false, "type": "array", - "default": [ - "aud" - ], + "required": false, "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - } + }, + "default": [ + "aud" + ] } }, { "groups_required": { + "required": false, + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" }, - "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "required": false, "type": "array" } }, { "groups_claim": { - "required": false, "type": "array", - "default": [ - "groups" - ], + "required": false, "description": "The claim that contains the groups. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - } + }, + "default": [ + "groups" + ] } }, { "roles_required": { + "required": false, + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" }, - "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "required": false, "type": "array" } }, { "roles_claim": { - "required": false, "type": "array", - "default": [ - "roles" - ], + "required": false, "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - } + }, + "default": [ + "roles" + ] } }, { "domains": { + "required": false, + "description": "The allowed values for the `hd` claim.", "elements": { "type": "string" }, - "description": "The allowed values for the `hd` claim.", - "required": false, "type": "array" } }, { "max_age": { - "description": "The maximum age (in seconds) compared to the `auth_time` claim.", "required": false, + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", "type": "number" } }, { "authenticated_groups_claim": { + "required": false, + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" }, - "description": "The claim that contains authenticated groups. 
This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, "type": "array" } }, { "pushed_authorization_request_endpoint": { - "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", "required": false, + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", "type": "string" } }, { "pushed_authorization_request_endpoint_auth_method": { - "type": "string", - "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "required": false, + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -810,106 +805,106 @@ }, { "require_pushed_authorization_requests": { - "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", "required": false, + "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", "type": "boolean" } }, { "require_proof_key_for_code_exchange": { - "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", "required": false, + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", "type": "boolean" } }, { "require_signed_request_object": { - "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", "required": false, + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. 
When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", "type": "boolean" } }, { "authorization_endpoint": { - "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", "required": false, + "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", "type": "string" } }, { "authorization_query_args_names": { + "required": false, + "description": "Extra query argument names passed to the authorization endpoint.", "elements": { "type": "string" }, - "description": "Extra query argument names passed to the authorization endpoint.", - "required": false, "type": "array" } }, { "authorization_query_args_values": { + "required": false, + "description": "Extra query argument values passed to the authorization endpoint.", "elements": { "type": "string" }, - "description": "Extra query argument values passed to the authorization endpoint.", - "required": false, "type": "array" } }, { "authorization_query_args_client": { + "required": false, + "description": "Extra query arguments passed from the client to the authorization endpoint.", "elements": { "type": "string" }, - "description": "Extra query arguments passed from the client to the authorization endpoint.", - "required": false, "type": "array" } }, { "authorization_rolling_timeout": { - "default": 600, - "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", "required": false, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling.", + "default": 600, "type": "number" } }, { "authorization_cookie_name": { - "default": "authorization", - "description": "The authorization cookie name.", "required": false, + "description": "The authorization cookie name.", + "default": "authorization", "type": "string" } }, { "authorization_cookie_path": { - "required": false, - "type": "string", "default": "/", - "description": "The authorization cookie Path flag.", + "type": "string", "match_none": [ { "err": "must not have empty segments", "pattern": "//" } ], - "starts_with": "/" + "description": "The authorization cookie Path flag.", + "starts_with": "/", + "required": false } }, { "authorization_cookie_domain": { - "description": "The authorization cookie Domain flag.", "required": false, + "description": "The authorization cookie Domain flag.", "type": "string" } }, { "authorization_cookie_same_site": { - "required": false, "type": "string", - "default": "Default", + "required": false, "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "default": "Default", "one_of": [ "Strict", "Lax", 
@@ -920,39 +915,39 @@ }, { "authorization_cookie_http_only": { - "default": true, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "required": false, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true, "type": "boolean" } }, { "authorization_cookie_secure": { - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "required": false, + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "type": "boolean" } }, { "preserve_query_args": { - "default": false, - "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", "required": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "default": false, "type": "boolean" } }, { "token_endpoint": { - "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", "required": false, + "description": "The token endpoint. 
If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", "type": "string" } }, { "token_endpoint_auth_method": { - "type": "string", - "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "required": false, + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -966,53 +961,55 @@ }, { "token_headers_names": { + "required": false, + "description": "Extra header names passed to the token endpoint.", "elements": { "type": "string" }, - "description": "Extra header names passed to the token endpoint.", - "required": false, "type": "array" } }, { "token_headers_values": { + "required": false, + "description": "Extra header values passed to the token endpoint.", "elements": { "type": "string" }, - "description": "Extra header values passed to the token endpoint.", - "required": false, "type": "array" } }, { "token_headers_client": { + "required": false, + "description": "Extra headers passed from the client to the token endpoint.", "elements": { "type": "string" }, - "description": "Extra headers passed from the client to the token endpoint.", - "required": false, "type": "array" } }, { "token_headers_replay": { + "required": false, + "description": "The names of token endpoint response headers to forward to the downstream client.", "elements": { "type": "string" }, - "description": "The names of token endpoint response headers to forward to the downstream client.", - "required": false, "type": "array" } }, { "token_headers_prefix": { - "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", "required": false, + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", "type": "string" } }, { "token_headers_grants": { + "required": false, + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", "elements": { "type": "string", "one_of": [ 
@@ -1022,53 +1019,51 @@ "refresh_token" ] }, - "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", - "required": false, "type": "array" } }, { "token_post_args_names": { + "required": false, + "description": "Extra post argument names passed to the token endpoint.", "elements": { "type": "string" }, - "description": "Extra post argument names passed to the token endpoint.", - "required": false, "type": "array" } }, { "token_post_args_values": { + "required": false, + "description": "Extra post argument values passed to the token endpoint.", "elements": { "type": "string" }, - "description": "Extra post argument values passed to the token endpoint.", - "required": false, "type": "array" } }, { "token_post_args_client": { + "required": false, + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", "elements": { "type": "string" }, - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. 
If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", - "required": false, "type": "array" } }, { "introspection_endpoint": { - "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", "required": false, + "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", "type": "string" } }, { "introspection_endpoint_auth_method": { - "type": "string", - "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "required": false, + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -1082,26 +1077,26 @@ }, { "introspection_hint": { - "default": "access_token", - "description": "Introspection hint parameter value passed to the introspection endpoint.", "required": false, + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "default": "access_token", "type": "string" } }, { "introspection_check_active": { - "default": true, - "description": "Check that the introspection response has an `active` claim with a value of `true`.", "required": false, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "default": true, "type": "boolean" } }, { "introspection_accept": { - "required": false, "type": "string", - "default": "application/json", + "required": false, "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "default": "application/json", "one_of": [ "application/json", "application/token-introspection+jwt", 
@@ -1111,96 +1106,96 @@ }, { "introspection_headers_names": { + "required": false, + "description": "Extra header names passed to the introspection endpoint.", "elements": { "type": "string" }, - "description": "Extra header names passed to the introspection endpoint.", - "required": false, "type": "array" } }, { "introspection_headers_values": { "encrypted": true, - "required": false, "type": "array", + "required": false, + "description": "Extra header values passed to the introspection endpoint.", "elements": { - "referenceable": true, - "type": "string" - }, - "description": "Extra header values passed to the introspection endpoint." + "type": "string", + "referenceable": true + } } }, { "introspection_headers_client": { + "required": false, + "description": "Extra headers passed from the client to the introspection endpoint.", "elements": { "type": "string" }, - "description": "Extra headers passed from the client to the introspection endpoint.", - "required": false, "type": "array" } }, { "introspection_post_args_names": { + "required": false, + "description": "Extra post argument names passed to the introspection endpoint.", "elements": { "type": "string" }, - "description": "Extra post argument names passed to the introspection endpoint.", - "required": false, "type": "array" } }, { "introspection_post_args_values": { + "required": false, + "description": "Extra post argument values passed to the introspection endpoint.", "elements": { "type": "string" }, - "description": "Extra post argument values passed to the introspection endpoint.", - "required": false, "type": "array" } }, { "introspection_post_args_client": { + "required": false, + "description": "Extra post arguments passed from the client to the introspection endpoint.", "elements": { "type": "string" }, - "description": "Extra post arguments passed from the client to the introspection endpoint.", - "required": false, "type": "array" } }, { "introspection_post_args_client_headers": { + "required": 
false, + "description": "Extra post arguments passed from the client headers to the introspection endpoint.", "elements": { "type": "string" }, - "description": "Extra post arguments passed from the client headers to the introspection endpoint.", - "required": false, "type": "array" } }, { "introspect_jwt_tokens": { - "default": false, - "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", "required": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "default": false, "type": "boolean" } }, { "revocation_endpoint": { - "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", "required": false, + "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", "type": "string" } }, { "revocation_endpoint_auth_method": { - "type": "string", - "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "required": false, + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -1214,24 +1209,24 @@ }, { "end_session_endpoint": { - "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", "required": false, + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", "type": "string" } }, { "userinfo_endpoint": { - "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", "required": false, + "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", "type": "string" } }, { "userinfo_accept": { - "required": false, "type": "string", - "default": "application/json", + "required": false, "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "default": "application/json", "one_of": [ "application/json", "application/jwt" 
@@ -1240,180 +1235,180 @@ }, { "userinfo_headers_names": { + "required": false, + "description": "Extra header names passed to the user info endpoint.", "elements": { "type": "string" }, - "description": "Extra header names passed to the user info endpoint.", - "required": false, "type": "array" } }, { "userinfo_headers_values": { + "required": false, + "description": "Extra header values passed to the user info endpoint.", "elements": { "type": "string" }, - "description": "Extra header values passed to the user info endpoint.", - "required": false, "type": "array" } }, { "userinfo_headers_client": { + "required": false, + "description": "Extra headers passed from the client to the user info endpoint.", "elements": { "type": "string" }, - "description": "Extra headers passed from the client to the user info endpoint.", - "required": false, "type": "array" } }, { "userinfo_query_args_names": { + "required": false, + "description": "Extra query argument names passed to the user info endpoint.", "elements": { "type": "string" }, - "description": "Extra query argument names passed to the user info endpoint.", - "required": false, "type": "array" } }, { "userinfo_query_args_values": { + "required": false, + "description": "Extra query argument values passed to the user info endpoint.", "elements": { "type": "string" }, - "description": "Extra query argument values passed to the user info endpoint.", - "required": false, "type": "array" } }, { "userinfo_query_args_client": { + "required": false, + "description": "Extra query arguments passed from the client to the user info endpoint.", "elements": { "type": "string" }, - "description": "Extra query arguments passed from the client to the user info endpoint.", - "required": false, "type": "array" } }, { "token_exchange_endpoint": { - "description": "The token exchange endpoint.", "required": false, + "description": "The token exchange endpoint.", "type": "string" } }, { "session_secret": { "encrypted": true, - 
"referenceable": true, "type": "string", + "required": false, "description": "The session secret.", - "required": false + "referenceable": true } }, { "session_audience": { - "default": "default", - "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", "required": false, + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "default": "default", "type": "string" } }, { "session_cookie_name": { - "default": "session", - "description": "The session cookie name.", "required": false, + "description": "The session cookie name.", + "default": "session", "type": "string" } }, { "session_remember": { - "default": false, - "description": "Enables or disables persistent sessions.", "required": false, + "description": "Enables or disables persistent sessions.", + "default": false, "type": "boolean" } }, { "session_remember_cookie_name": { - "default": "remember", - "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", "required": false, + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "default": "remember", "type": "string" } }, { "session_remember_rolling_timeout": { - "default": 604800, - "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", "required": false, + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "default": 604800, "type": "number" } }, { "session_remember_absolute_timeout": { - "default": 2592000, - "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", "required": false, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 
0 disables the checks.", + "default": 2592000, "type": "number" } }, { "session_idling_timeout": { - "default": 900, - "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", "required": false, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "default": 900, "type": "number" } }, { "session_rolling_timeout": { - "default": 3600, - "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", "required": false, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "default": 3600, "type": "number" } }, { "session_absolute_timeout": { - "default": 86400, - "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", "required": false, - "type": "number" + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 
0 disables the checks.", + "default": 86400, + "type": "number" } }, { "session_cookie_path": { - "required": false, - "type": "string", "default": "/", - "description": "The session cookie Path flag.", + "type": "string", "match_none": [ { "err": "must not have empty segments", "pattern": "//" } ], - "starts_with": "/" + "description": "The session cookie Path flag.", + "starts_with": "/", + "required": false } }, { "session_cookie_domain": { - "description": "The session cookie Domain flag.", "required": false, + "description": "The session cookie Domain flag.", "type": "string" } }, { "session_cookie_same_site": { - "required": false, "type": "string", - "default": "Lax", + "required": false, "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "default": "Lax", "one_of": [ "Strict", "Lax", 
@@ -1424,21 +1419,23 @@ }, { "session_cookie_http_only": { - "default": true, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "required": false, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true, "type": "boolean" } }, { "session_cookie_secure": { - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "required": false, + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "type": "boolean" } }, { "session_request_headers": { + "required": false, + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", "elements": { "type": "string", "one_of": [ @@ -1451,13 +1448,13 @@ "absolute-timeout" ] }, - "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", - "required": false, "type": "set" } }, { "session_response_headers": { + "required": false, + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", "elements": { "type": "string", "one_of": [ 
@@ -1470,17 +1467,15 @@ "absolute-timeout" ] }, - "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", - "required": false, "type": "set" } }, { "session_storage": { - "required": false, "type": "string", - "default": "cookie", + "required": false, "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "default": "cookie", "one_of": [ "cookie", "memcache", 
@@ -1491,74 +1486,72 @@ }, { "session_store_metadata": { - "default": false, - "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", "required": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "default": false, "type": "boolean" } }, { "session_enforce_same_subject": { - "default": false, - "description": "When set to `true`, audiences are forced to share the same subject.", "required": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "default": false, "type": "boolean" } }, { "session_hash_subject": { - "default": false, - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", "required": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "default": false, "type": "boolean" } }, { "session_hash_storage_key": { - "default": false, - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "required": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "default": false, "type": "boolean" } }, { "session_memcached_prefix": { - "description": "The memcached session key prefix.", "required": false, + "description": "The memcached session key prefix.", "type": "string" } }, { "session_memcached_socket": { - "description": "The memcached unix socket path.", "required": false, + "description": "The memcached unix socket path.", "type": "string" } }, { "session_memcached_host": { - "default": "127.0.0.1", - "description": "The memcached host.", "required": false, + "description": "The memcached host.", + "default": "127.0.0.1", "type": "string" } }, { "session_memcached_port": { + "type": "integer", + "required": false, + "description": "The memcached port.", "between": [ 0, 65535 ], - "required": false, - "type": "integer", - "default": 11211, - "description": "The memcached port." + "default": 11211 } }, { "redis": { - "required": true, - "type": "record", "entity_checks": [ { "mutually_required": [ @@ -1582,14 +1575,14 @@ }, { "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", "if_field": "connection_is_proxied", "then_match": { "required": true - } + }, + "if_match": { + "eq": true + }, + "then_field": "host" } }, { @@ -1620,13 +1613,13 @@ } } ], + "type": "record", + "required": true, "shorthand_fields": [ { "timeout": { "type": "integer", "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -1643,47 +1636,49 @@ "read_timeout" ] } - ] + ], + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" } } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, + "len_min": 1, "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "elements": { + "type": "string" }, - "len_min": 1, "type": "array" } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, + "len_min": 1, "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "elements": { + "type": "string" }, - "len_min": 1, "type": "array" } } @@ -1691,8 +1686,8 @@ "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, 
@@ -1743,31 +1738,31 @@ { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { - "encrypted": true, + "type": "string", "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "referenceable": true, - "type": "string" + "encrypted": true, + "referenceable": true } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { - "encrypted": true, + "type": "string", "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "referenceable": true, - "type": "string" + "encrypted": true, + "referenceable": true } }, { @@ -1779,8 +1774,8 @@ }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, "between": [ 1, 2147483646 
@@ -1790,11 +1785,11 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "type": "integer" } }, @@ -1817,15 +1812,16 @@ }, { "sentinel_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { "fields": [ { "host": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -1843,21 +1839,21 @@ ], "type": "record" }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { "fields": [ { "ip": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -1875,60 +1871,59 @@ ], "type": "record" }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { + "required": false, "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "required": false, "type": "boolean" } }, { "ssl_verify": { + "required": false, "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string" } }, { "cluster_max_redirections": { + "required": false, "default": 5, "description": "Maximum retry attempts for redirection.", - "required": false, "type": "integer" } }, { "connection_is_proxied": { + "required": false, "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", - "required": false, "type": "boolean" } }, { "prefix": { - "description": "The Redis session key prefix.", "required": false, + "description": "The Redis session key prefix.", "type": "string" } }, { "socket": { - "description": "The Redis unix socket path.", "required": false, + "description": "The Redis unix socket path.", "type": "string" } } @@ -1937,36 +1932,31 @@ }, { "reverify": { - "default": false, - "description": "Specifies whether to always verify tokens stored in the session.", "required": false, + "description": "Specifies whether to always verify tokens stored in the session.", + "default": false, "type": "boolean" } }, { "jwt_session_claim": { - "default": "sid", - "description": "The claim to match against the JWT session cookie.", "required": false, + "description": "The claim to match against the JWT session cookie.", + "default": "sid", "type": "string" } }, { "jwt_session_cookie": { - "description": "The name of the JWT session cookie.", "required": false, + "description": "The name of the JWT session cookie.", "type": "string" } }, { "bearer_token_param_type": { - "required": false, "type": "array", - "default": [ - "header", - "query", - "body" - ], + "required": false, "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", "elements": { "type": "string", 
@@ -1976,25 +1966,25 @@ "query", "body" ] - } + }, + "default": [ + "header", + "query", + "body" + ] } }, { "bearer_token_cookie_name": { - "description": "The name of the cookie in which the bearer token is passed.", "required": false, + "description": "The name of the cookie in which the bearer token is passed.", "type": "string" } }, { "client_credentials_param_type": { - "required": false, "type": "array", - "default": [ - "header", - "query", - "body" - ], + "required": false, "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", "elements": { "type": "string", @@ -2003,18 +1993,18 @@ "query", "body" ] - } + }, + "default": [ + "header", + "query", + "body" + ] } }, { "password_param_type": { - "required": false, "type": "array", - "default": [ - "header", - "query", - "body" - ], + "required": false, "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "elements": { "type": "string", @@ -2023,18 +2013,18 @@ "query", "body" ] - } + }, + "default": [ + "header", + "query", + "body" + ] } }, { "id_token_param_type": { - "required": false, "type": "array", - "default": [ - "header", - "query", - "body" - ], + "required": false, "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "elements": { "type": "string", 
@@ -2043,25 +2033,25 @@ "query", "body" ] - } + }, + "default": [ + "header", + "query", + "body" + ] } }, { "id_token_param_name": { - "description": "The name of the parameter used to pass the id token.", "required": false, + "description": "The name of the parameter used to pass the id token.", "type": "string" } }, { "refresh_token_param_type": { - "required": false, "type": "array", - "default": [ - "header", - "query", - "body" - ], + "required": false, "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "elements": { "type": "string", 
@@ -2070,212 +2060,214 @@ "query", "body" ] - } + }, + "default": [ + "header", + "query", + "body" + ] } }, { "refresh_token_param_name": { - "description": "The name of the parameter used to pass the refresh token.", "required": false, + "description": "The name of the parameter used to pass the refresh token.", "type": "string" } }, { "refresh_tokens": { - "default": true, - "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", "required": false, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "default": true, "type": "boolean" } }, { "upstream_headers_claims": { + "required": false, + "description": "The upstream header claims. Only top level claims are supported.", "elements": { "type": "string" }, - "description": "The upstream header claims. Only top level claims are supported.", - "required": false, "type": "array" } }, { "upstream_headers_names": { + "required": false, + "description": "The upstream header names for the claim values.", "elements": { "type": "string" }, - "description": "The upstream header names for the claim values.", - "required": false, "type": "array" } }, { "upstream_access_token_header": { - "default": "authorization:bearer", - "description": "The upstream access token header.", "required": false, + "description": "The upstream access token header.", + "default": "authorization:bearer", "type": "string" } }, { "upstream_access_token_jwk_header": { - "description": "The upstream access token JWK header.", "required": false, + "description": "The upstream access token JWK header.", "type": "string" } }, { "upstream_id_token_header": { - "description": "The upstream id token header.", "required": false, + "description": "The upstream id token header.", "type": "string" } }, { "upstream_id_token_jwk_header": { - "description": "The 
upstream id token JWK header.", "required": false, + "description": "The upstream id token JWK header.", "type": "string" } }, { "upstream_refresh_token_header": { - "description": "The upstream refresh token header.", "required": false, + "description": "The upstream refresh token header.", "type": "string" } }, { "upstream_user_info_header": { - "description": "The upstream user info header.", "required": false, + "description": "The upstream user info header.", "type": "string" } }, { "upstream_user_info_jwt_header": { - "description": "The upstream user info JWT header (in case the user info returns a JWT response).", "required": false, + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", "type": "string" } }, { "upstream_introspection_header": { - "description": "The upstream introspection header.", "required": false, + "description": "The upstream introspection header.", "type": "string" } }, { "upstream_introspection_jwt_header": { - "description": "The upstream introspection JWT header.", "required": false, + "description": "The upstream introspection JWT header.", "type": "string" } }, { "upstream_session_id_header": { - "description": "The upstream session id header.", "required": false, + "description": "The upstream session id header.", "type": "string" } }, { "downstream_headers_claims": { + "required": false, + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" }, - "description": "The downstream header claims. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, "type": "array" } }, { "downstream_headers_names": { + "required": false, + "description": "The downstream header names for the claim values.", "elements": { "type": "string" }, - "description": "The downstream header names for the claim values.", - "required": false, "type": "array" } }, { "downstream_access_token_header": { - "description": "The downstream access token header.", "required": false, + "description": "The downstream access token header.", "type": "string" } }, { "downstream_access_token_jwk_header": { - "description": "The downstream access token JWK header.", "required": false, + "description": "The downstream access token JWK header.", "type": "string" } }, { "downstream_id_token_header": { - "description": "The downstream id token header.", "required": false, + "description": "The downstream id token header.", "type": "string" } }, { "downstream_id_token_jwk_header": { - "description": "The downstream id token JWK header.", "required": false, + "description": "The downstream id token JWK header.", "type": "string" } }, { "downstream_refresh_token_header": { - "description": "The downstream refresh token header.", "required": false, + "description": "The downstream refresh token header.", "type": "string" } }, { "downstream_user_info_header": { - "description": "The downstream user info header.", "required": false, + "description": "The downstream user info header.", "type": "string" } }, { "downstream_user_info_jwt_header": { - "description": "The downstream user info JWT header (in case the user info returns a JWT response).", "required": false, + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", "type": "string" } }, { "downstream_introspection_header": { - "description": "The downstream introspection header.", "required": false, + "description": "The downstream introspection 
header.", "type": "string" } }, { "downstream_introspection_jwt_header": { - "description": "The downstream introspection JWT header.", "required": false, + "description": "The downstream introspection JWT header.", "type": "string" } }, { "downstream_session_id_header": { - "description": "The downstream session id header.", "required": false, + "description": "The downstream session id header.", "type": "string" } }, { "login_methods": { - "required": false, "type": "array", - "default": [ - "authorization_code" - ], + "required": false, "description": "Enable login functionality with specified grants.", "elements": { "type": "string", @@ -2290,15 +2282,18 @@ "refresh_token", "session" ] - } + }, + "default": [ + "authorization_code" + ] } }, { "login_action": { - "required": false, "type": "string", - "default": "upstream", + "required": false, "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "default": "upstream", "one_of": [ "upstream", "response", @@ -2308,11 +2303,8 @@ }, { "login_tokens": { - "required": false, "type": "array", - "default": [ - "id_token" - ], + "required": false, "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", "elements": { "type": "string", 
@@ -2323,15 +2315,18 @@ "tokens", "introspection" ] - } + }, + "default": [ + "id_token" + ] } }, { "login_redirect_mode": { - "required": false, "type": "string", - "default": "fragment", + "required": false, "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "default": "fragment", "one_of": [ "query", "fragment" @@ -2340,33 +2335,29 @@ }, { "logout_query_arg": { - "description": "The request query argument that activates the logout.", "required": false, + "description": "The request query argument that activates the logout.", "type": "string" } }, { "logout_post_arg": { - "description": "The request body argument that activates the logout.", "required": false, + "description": "The request body argument that activates the logout.", "type": "string" } }, { "logout_uri_suffix": { - "description": "The request URI suffix that activates the logout.", "required": false, + "description": "The request URI suffix that activates the logout.", "type": "string" } }, { "logout_methods": { - "required": false, "type": "array", - "default": [ - "POST", - "DELETE" - ], + "required": false, "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", "elements": { "type": "string", 
@@ -2375,51 +2366,51 @@ "GET", "DELETE" ] - } + }, + "default": [ + "POST", + "DELETE" + ] } }, { "logout_revoke": { - "default": false, - "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", "required": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "default": false, "type": "boolean" } }, { "logout_revoke_access_token": { - "default": true, - "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", "required": false, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "default": true, "type": "boolean" } }, { "logout_revoke_refresh_token": { - "default": true, - "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", "required": false, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "default": true, "type": "boolean" } }, { "consumer_claim": { + "required": false, + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" }, - "description": "The claim used for consumer mapping. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, "type": "array" } }, { "consumer_by": { - "required": false, "type": "array", - "default": [ - "username", - "custom_id" - ], + "required": false, "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", "elements": { "type": "string", 
@@ -2428,92 +2419,93 @@ "username", "custom_id" ] - } + }, + "default": [ + "username", + "custom_id" + ] } }, { "consumer_optional": { - "default": false, - "description": "Do not terminate the request if consumer mapping fails.", "required": false, + "description": "Do not terminate the request if consumer mapping fails.", + "default": false, "type": "boolean" } }, { "credential_claim": { - "required": false, "type": "array", - "default": [ - "sub" - ], + "required": false, "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - } + }, + "default": [ + "sub" + ] } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "required": false, + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "type": "string" } }, { "run_on_preflight": { - "default": true, - "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", "required": false, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "default": true, "type": "boolean" } }, { "leeway": { - "default": 0, - "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", "required": false, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "default": 0, "type": "number" } }, { "verify_parameters": { - "default": false, - "description": "Verify plugin configuration against discovery.", "required": false, + "description": "Verify plugin configuration against discovery.", + "default": false, "type": "boolean" } }, { "verify_nonce": { - "default": true, - "description": "Verify nonce on authorization code flow.", "required": false, + "description": "Verify nonce on authorization code flow.", + "default": true, "type": "boolean" } }, { "verify_claims": { - "default": true, - "description": "Verify tokens for standard claims.", "required": false, + "description": "Verify tokens for standard claims.", + "default": true, "type": "boolean" } }, { "verify_signature": { - "default": true, - "description": "Verify signature of tokens.", "required": false, + "description": "Verify signature of tokens.", + "default": true, "type": "boolean" } }, { "ignore_signature": { - "required": false, "type": "array", - "default": [ - - ], + "required": false, "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: 
OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", "elements": { "type": "string", @@ -2526,19 +2518,24 @@ "introspection", "userinfo" ] - } + }, + "default": [ + + ] } }, { "enable_hs_signatures": { - "default": false, - "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", "required": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "default": false, "type": "boolean" } }, { "disable_session": { + "required": false, + "description": "Disable issuing the session cookie with the specified grants.", "elements": { "type": "string", "one_of": [ 
@@ -2553,115 +2550,113 @@ "session" ] }, - "description": "Disable issuing the session cookie with the specified grants.", - "required": false, "type": "array" } }, { "cache_ttl": { - "default": 3600, - "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", "required": false, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "default": 3600, "type": "number" } }, { "cache_ttl_max": { - "description": "The maximum cache ttl in seconds (enforced).", "required": false, + "description": "The maximum cache ttl in seconds (enforced).", "type": "number" } }, { "cache_ttl_min": { - "description": "The minimum cache ttl in seconds (enforced).", "required": false, + "description": "The minimum cache ttl in seconds (enforced).", "type": "number" } }, { "cache_ttl_neg": { - "description": "The negative cache ttl in seconds.", "required": false, + "description": "The negative cache ttl in seconds.", "type": "number" } }, { "cache_ttl_resurrect": { - "description": "The resurrection ttl in seconds.", "required": false, + "description": "The resurrection ttl in seconds.", "type": "number" } }, { "cache_tokens": { - "default": true, - "description": "Cache the token endpoint requests.", "required": false, + "description": "Cache the token endpoint requests.", + "default": true, "type": "boolean" } }, { "cache_tokens_salt": { - "auto": true, - "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", "required": false, - "type": "string" + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "type": "string", + "auto": true } }, { "cache_introspection": { - "default": true, - "description": "Cache the introspection endpoint requests.", "required": false, + "description": "Cache the introspection endpoint requests.", + "default": true, 
"type": "boolean" } }, { "cache_token_exchange": { - "default": true, - "description": "Cache the token exchange endpoint requests.", "required": false, + "description": "Cache the token exchange endpoint requests.", + "default": true, "type": "boolean" } }, { "cache_user_info": { - "default": true, - "description": "Cache the user info requests.", "required": false, + "description": "Cache the user info requests.", + "default": true, "type": "boolean" } }, { "search_user_info": { - "default": false, - "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", "required": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "default": false, "type": "boolean" } }, { "hide_credentials": { - "default": false, - "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", "required": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "default": false, "type": "boolean" } }, { "http_version": { - "default": 1.1, - "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", "required": false, + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "default": 1.1, "type": "number" } }, { "http_proxy": { - "description": "The HTTP proxy.", "required": false, + "description": "The HTTP proxy.", "type": "string" } }, 
@@ -2669,14 +2664,14 @@ "http_proxy_authorization": { "required": false, "description": "The HTTP proxy authorization.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "https_proxy": { - "description": "The HTTPS proxy.", "required": false, + "description": "The HTTPS proxy.", "type": "string" } }, 
@@ -2684,62 +2679,62 @@ "https_proxy_authorization": { "required": false, "description": "The HTTPS proxy authorization.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "no_proxy": { - "description": "Do not use proxy with these hosts.", "required": false, + "description": "Do not use proxy with these hosts.", "type": "string" } }, { "keepalive": { - "default": true, - "description": "Use keepalive with the HTTP client.", "required": false, + "description": "Use keepalive with the HTTP client.", + "default": true, "type": "boolean" } }, { "ssl_verify": { - "default": false, - "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", "required": false, + "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "default": false, "type": "boolean" } }, { "timeout": { - "default": 10000, - "description": "Network IO timeout in milliseconds.", "required": false, + "description": "Network IO timeout in milliseconds.", + "default": 10000, "type": "number" } }, { "display_errors": { - "default": false, - "description": "Display errors on failure responses.", "required": false, + "description": "Display errors on failure responses.", + "default": false, "type": "boolean" } }, { "by_username_ignore_case": { - "default": false, - "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", "required": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "default": false, "type": "boolean" } }, { "resolve_distributed_claims": { - "default": false, - "description": "Distributed claims are represented by the `_claim_names` and 
`_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", "required": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "default": false, "type": "boolean" } }, @@ -2759,26 +2754,26 @@ }, { "introspection_token_param_name": { - "default": "token", - "description": "Designate token's parameter name for introspection.", "required": false, + "description": "Designate token's parameter name for introspection.", + "default": "token", "type": "string" } }, { "revocation_token_param_name": { - "default": "token", - "description": "Designate token's parameter name for revocation.", "required": false, + "description": "Designate token's parameter name for revocation.", + "default": "token", "type": "string" } }, { "proof_of_possession_mtls": { - "required": false, "type": "string", - "default": "off", + "required": false, "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", + "default": "off", "one_of": [ "off", "strict", 
@@ -2788,56 +2783,56 @@ }, { "proof_of_possession_auth_methods_validation": { - "default": true, - "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", "required": false, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "default": true, "type": "boolean" } }, { "tls_client_auth_cert_id": { - "auto": false, + "uuid": true, "required": false, - "type": "string", "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", - "uuid": true + "type": "string", + "auto": false } }, { "tls_client_auth_ssl_verify": { - "default": true, - "description": "Verify identity provider server certificate during mTLS client authentication.", "required": false, + "description": "Verify identity provider server certificate during mTLS client authentication.", + "default": true, "type": "boolean" } }, { "mtls_token_endpoint": { - "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", "required": false, + "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", "type": "string" } }, { "mtls_introspection_endpoint": { - "description": "Alias for the introspection endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", "required": false, + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", "type": "string" } }, { "mtls_revocation_endpoint": { - "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", "required": false, + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", "type": "string" } }, { "proof_of_possession_dpop": { - "required": false, "type": "string", - "default": "off", + "required": false, "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "default": "off", "one_of": [ "off", "strict", 
@@ -2847,36 +2842,36 @@ }, { "dpop_use_nonce": { - "default": false, - "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", "required": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", + "default": false, "type": "boolean" } }, { "dpop_proof_lifetime": { + "required": false, "default": 300, "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", - "required": false, "type": "number" } }, { "claims_forbidden": { + "required": false, + "description": "If given, these claims are forbidden in the token payload.", "elements": { "type": "string" }, - "description": "If given, these claims are forbidden in the token payload.", - "required": false, "type": "array" } }, { "cluster_cache_strategy": { - "required": false, "type": "string", - "default": "off", + "required": false, "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", + "default": "off", "one_of": [ "off", "redis" @@ -2885,8 +2880,6 @@ }, { "cluster_cache_redis": { - "required": true, - "type": "record", "entity_checks": [ { "mutually_required": [ @@ -2910,14 +2903,14 @@ }, { "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", "if_field": "connection_is_proxied", "then_match": { "required": true - } + }, + "if_match": { + "eq": true + }, + "then_field": "host" } }, { 
@@ -2948,12 +2941,13 @@ } } ], + "type": "record", + "required": true, "shorthand_fields": [ { "timeout": { + "type": "integer", "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -2970,47 +2964,48 @@ "read_timeout" ] } - ] - }, - "type": "integer" + ], + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + } } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, "len_min": 1, "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "elements": { + "type": "string" }, "type": "array" } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, "len_min": 1, "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "elements": { + "type": "string" }, "type": "array" } @@ -3019,8 +3014,8 @@ "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, @@ -3077,9 +3072,9 @@ }, { "password": { - "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, "type": "string" } }, 
@@ -3092,23 +3087,23 @@ }, { "sentinel_password": { - "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "referenceable": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, "type": "string" } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, "between": [ 1, 2147483646 
@@ -3118,11 +3113,11 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "type": "integer" } }, @@ -3145,16 +3140,16 @@ }, { "sentinel_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { - "type": "record", "fields": [ { "host": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -3169,24 +3164,24 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { - "type": "record", "fields": [ { "ip": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -3201,71 +3196,76 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { + "required": false, "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "required": false, "type": "boolean" } }, { "ssl_verify": { + "required": false, "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string" } }, { "cluster_max_redirections": { + "required": false, "default": 5, "description": "Maximum retry attempts for redirection.", - "required": false, "type": "integer" } }, { "connection_is_proxied": { + "required": false, "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", - "required": false, "type": "boolean" } } ] } } - ] + ], + "type": "record" } } - ] + ], + "type": "record" }, - "description": "List of openid_connect strategies.", - "required": false, "type": "array" } } + ], + "default": [ + ] } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/ldap-auth-advanced/3.11.x.json b/schemas/ldap-auth-advanced/3.11.x.json index 545178ce..e1604245 100644 --- a/schemas/ldap-auth-advanced/3.11.x.json +++ b/schemas/ldap-auth-advanced/3.11.x.json @@ -1,16 +1,8 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { + "required": true, "default": [ "grpc", "grpcs", 
@@ -30,48 +22,48 @@ "wss" ] }, - "required": true, "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "ldap_host": { - "description": "Host on which the LDAP server is running.", "required": true, + "description": "Host on which the LDAP server is running.", "type": "string" } }, { "ldap_password": { - "encrypted": true, - "description": "The password to the LDAP server.", "referenceable": true, + "description": "The password to the LDAP server.", + "encrypted": true, "type": "string" } }, { "ldap_port": { - "default": 389, "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", + "default": 389, "type": "number" } }, 
@@ -84,98 +76,99 @@ }, { "ldaps": { + "required": true, "default": false, "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", - "required": true, "type": "boolean" } }, { "start_tls": { + "required": true, "default": false, "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", - "required": true, "type": "boolean" } }, { "verify_ldap_host": { + "required": true, "default": false, "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", - "required": true, "type": "boolean" } }, { "base_dn": { - "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", "required": true, + "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", "type": "string" } }, { "attribute": { - "description": "Attribute to be used to search the user; e.g., \"cn\".", "required": true, + "description": "Attribute to be used to search the user; e.g., \"cn\".", "type": "string" } }, { "cache_ttl": { + "required": true, "default": 60, "description": "Cache expiry time in seconds.", - "required": true, "type": "number" } }, { "hide_credentials": { - "default": false, "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. 
It will be removed by Kong before proxying the request.", + "default": false, "type": "boolean" } }, { "timeout": { - "default": 10000, "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", + "default": 10000, "type": "number" } }, { "keepalive": { - "default": 60000, "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", + "default": 60000, "type": "number" } }, { "anonymous": { - "default": "", "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "default": "", "len_min": 0, "type": "string" } }, { "header_type": { - "default": "ldap", "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", + "default": "ldap", "type": "string" } }, { "consumer_optional": { + "required": false, "default": false, "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", - "required": false, "type": "boolean" } }, { "consumer_by": { - "required": false, "type": "array", + "required": false, + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", "elements": { "type": "string", "one_of": [ 
@@ -183,7 +176,6 @@ "custom_id" ] }, - "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", "default": [ "username", "custom_id" 
@@ -192,52 +184,60 @@ }, { "group_base_dn": { - "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", - "type": "string" + "type": "string", + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'." } }, { "group_name_attribute": { - "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", - "type": "string" + "type": "string", + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive." } }, { "group_member_attribute": { - "default": "memberOf", "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive.", + "default": "memberOf", "type": "string" } }, { "log_search_results": { + "required": false, "default": false, "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", - "required": false, "type": "boolean" } }, { "groups_required": { + "required": false, + "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", "elements": { "type": "string" }, - "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. 
- When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. - When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", - "required": false, "type": "array" } }, { "realm": { - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "required": false, + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "type": "string" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } ] } \ No newline at end of file diff --git a/schemas/ldap-auth/3.11.x.json b/schemas/ldap-auth/3.11.x.json index c165cd47..95dfc79b 100644 --- a/schemas/ldap-auth/3.11.x.json +++ b/schemas/ldap-auth/3.11.x.json @@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", 
@@ -32,106 +30,106 @@ "wss" ] }, - "required": true, "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "entity_checks": [ { "conditional": { + "if_field": "ldaps", + "then_match": { + "eq": false + }, "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", "if_match": { "eq": true }, - "then_field": "start_tls", - "if_field": "ldaps", - "then_match": { - "eq": false - } + "then_field": "start_tls" } } ], "fields": [ { "ldap_host": { - "description": "A string representing a host name, such as example.com.", "required": true, + "description": "A string representing a host name, such as example.com.", "type": "string" } }, { "ldap_port": { + "type": "integer", + "required": true, + "default": 389, "between": [ 0, 65535 ], - "required": true, - "type": "integer", - "default": 389, "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "ldaps": { - "default": false, - "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", "required": true, + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", + "default": false, "type": "boolean" } }, { "start_tls": { - "default": false, - "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. 
If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", "required": true, + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", + "default": false, "type": "boolean" } }, { "verify_ldap_host": { - "default": false, - "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", "required": true, + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", + "default": false, "type": "boolean" } }, { "base_dn": { - "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", "required": true, + "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", "type": "string" } }, { "attribute": { - "description": "Attribute to be used to search the user; e.g. cn", "required": true, + "description": "Attribute to be used to search the user; e.g. cn", "type": "string" } }, { "cache_ttl": { - "default": 60, - "description": "Cache expiry time in seconds.", "required": true, + "description": "Cache expiry time in seconds.", + "default": 60, "type": "number" } }, { "hide_credentials": { - "default": false, - "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", "required": true, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", + "default": false, "type": "boolean" } }, 
@@ -164,15 +162,17 @@ }, { "realm": { - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "required": false, + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "type": "string" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/loggly/3.11.x.json b/schemas/loggly/3.11.x.json index 7f4564c6..7bcc20ee 100644 --- a/schemas/loggly/3.11.x.json +++ b/schemas/loggly/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ @@ -29,24 +25,26 @@ "wss" ], "type": "string" - } + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "host": { - "default": "logs-01.loggly.com", "description": "A string representing a host name, such as example.com.", + "default": "logs-01.loggly.com", "type": "string" } }, @@ -63,10 +61,10 @@ }, { "key": { - "encrypted": true, - "referenceable": true, "required": true, - "type": "string" + "type": "string", + "encrypted": true, + "referenceable": true } }, { 
@@ -146,16 +144,16 @@ }, { "timeout": { - "default": 10000, - "type": "number" + "type": "number", + "default": 10000 } }, { "custom_fields_by_lua": { "description": "Lua code as a key-value map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, "keys": { "type": "string", @@ -165,9 +163,11 @@ } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/mocking/3.11.x.json b/schemas/mocking/3.11.x.json index 246c1047..51bd252a 100644 --- a/schemas/mocking/3.11.x.json +++ b/schemas/mocking/3.11.x.json @@ -1,24 +1,15 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.api_specification_filename", - "config.api_specification" - ] - } - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -27,105 +18,114 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "api_specification_filename": { - "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", "required": false, + "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", "type": "string" } }, { "api_specification": { - "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", "required": false, + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", "type": "string" } }, { "random_delay": { - "default": false, "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs.", + "default": false, "type": "boolean" } }, { "max_delay_time": { - "default": 1, "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. 
The value must be greater than the `min_delay_time`.", + "default": 1, "type": "number" } }, { "min_delay_time": { - "default": 0.001, "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`.", + "default": 0.001, "type": "number" } }, { "random_examples": { - "default": false, "description": "Randomly selects one example and returns it. This parameter requires the spec to have multiple examples configured.", + "default": false, "type": "boolean" } }, { "included_status_codes": { + "description": "A global list of the HTTP status codes that can only be selected and returned.", "elements": { "type": "integer" }, - "description": "A global list of the HTTP status codes that can only be selected and returned.", "type": "array" } }, { "random_status_code": { - "default": false, - "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", "required": true, + "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", + "default": false, "type": "boolean" } }, { "include_base_path": { - "default": false, - "description": "Indicates whether to include the base path when performing path match evaluation.", "required": true, + "description": "Indicates whether to include the base path when performing path match evaluation.", + "default": false, "type": "boolean" } }, { "custom_base_path": { - "required": false, "type": "string", + "required": false, "description": "The base path to be used for path match evaluation. 
This value is ignored if `include_base_path` is set to `false`.", + "starts_with": "/", "match_none": [ { "err": "must not have empty segments", "pattern": "//" } - ], - "starts_with": "/" + ] } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.api_specification_filename", + "config.api_specification" + ] + } ] } \ No newline at end of file diff --git a/schemas/mtls-auth/3.11.x.json b/schemas/mtls-auth/3.11.x.json index d65a598b..27fad659 100644 --- a/schemas/mtls-auth/3.11.x.json +++ b/schemas/mtls-auth/3.11.x.json @@ -1,27 +1,23 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -30,19 +26,21 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "entity_checks": [ { "mutually_required": [ @@ -66,8 +64,9 @@ }, { "consumer_by": { - "required": false, "type": "array", + "required": false, + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", "elements": { "type": "string", "one_of": [ 
@@ -75,7 +74,6 @@ "custom_id" ] }, - "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", "default": [ "username", "custom_id" 
@@ -84,43 +82,43 @@ }, { "ca_certificates": { + "required": true, + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", "elements": { - "uuid": true, - "type": "string" + "type": "string", + "uuid": true }, - "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", - "required": true, "type": "array" } }, { "cache_ttl": { - "default": 60, - "description": "Cache expiry time in seconds.", "required": true, + "description": "Cache expiry time in seconds.", + "default": 60, "type": "number" } }, { "skip_consumer_lookup": { - "default": false, - "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", "required": true, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", + "default": false, "type": "boolean" } }, { "allow_partial_chain": { - "default": false, - "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", "required": true, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", + "default": false, "type": "boolean" } }, { "authenticated_group_by": { - "required": false, "type": "string", + "required": false, "default": "CN", "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). 
Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "one_of": [ @@ -131,8 +129,8 @@ }, { "revocation_check_mode": { - "required": false, "type": "string", + "required": false, "default": "IGNORE_CA_ERROR", "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "one_of": [ @@ -177,11 +175,11 @@ }, { "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } }, @@ -193,18 +191,20 @@ }, { "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/oas-validation/3.11.x.json b/schemas/oas-validation/3.11.x.json index ada2985b..6216b623 100644 --- a/schemas/oas-validation/3.11.x.json +++ b/schemas/oas-validation/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -22,149 +18,153 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "api_spec": { - "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format.", "required": true, + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format.", "type": "string" } }, { "verbose_response": { + "required": false, "default": false, "description": "If set to true, returns a detailed error message for invalid requests & responses. 
This is useful while testing.", - "required": false, "type": "boolean" } }, { "validate_request_body": { + "required": false, "default": true, "description": "If set to true, validates the request body content against the API specification.", - "required": false, "type": "boolean" } }, { "notify_only_request_validation_failure": { + "required": false, "default": false, "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", - "required": false, "type": "boolean" } }, { "validate_request_header_params": { + "required": false, "default": true, "description": "If set to true, validates HTTP header parameters against the API specification.", - "required": false, "type": "boolean" } }, { "validate_request_query_params": { + "required": false, "default": true, "description": "If set to true, validates query parameters against the API specification.", - "required": false, "type": "boolean" } }, { "validate_request_uri_params": { + "required": false, "default": true, "description": "If set to true, validates URI parameters in the request against the API specification.", - "required": false, "type": "boolean" } }, { "validate_response_body": { + "required": false, "default": false, "description": "If set to true, validates the response from the upstream services against the API specification. 
If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", - "required": false, "type": "boolean" } }, { "notify_only_response_body_validation_failure": { + "required": false, "default": false, "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", - "required": false, "type": "boolean" } }, { "query_parameter_check": { + "required": true, "default": false, "description": "If set to true, checks if query parameters in the request exist in the API specification.", - "required": true, "type": "boolean" } }, { "header_parameter_check": { + "required": true, "default": false, "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", - "required": true, "type": "boolean" } }, { "allowed_header_parameters": { + "required": false, "default": "Host,Content-Type,User-Agent,Accept,Content-Length", "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", - "required": false, "type": "string" } }, { "include_base_path": { + "required": true, "default": false, "description": "Indicates whether to include the base path when performing path match evaluation.", - "required": true, "type": "boolean" } }, { "api_spec_encoded": { + "required": true, "default": true, "description": "Indicates whether the api_spec is URI-Encoded.", - "required": true, "type": "boolean" } }, { "custom_base_path": { - "required": false, "type": "string", + "required": false, "description": "The base path to be used for path match evaluation. 
This value is ignored if `include_base_path` is set to `false`.", + "starts_with": "/", "match_none": [ { "err": "must not have empty segments", "pattern": "//" } - ], - "starts_with": "/" + ] } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/oauth2-introspection/3.11.x.json b/schemas/oauth2-introspection/3.11.x.json index 8b041407..d595ed6c 100644 --- a/schemas/oauth2-introspection/3.11.x.json +++ b/schemas/oauth2-introspection/3.11.x.json @@ -1,27 +1,23 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -30,24 +26,26 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "introspection_url": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" } }, 
@@ -67,8 +65,8 @@ { "authorization_value": { "encrypted": true, - "required": true, "type": "string", + "required": true, "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", "referenceable": true } @@ -89,9 +87,9 @@ }, { "introspect_request": { - "default": false, - "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", "required": true, + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", + "default": false, "type": "boolean" } }, 
@@ -111,18 +109,18 @@ }, { "anonymous": { - "default": "", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "len_min": 0, + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "default": "", "type": "string" } }, { "consumer_by": { - "required": true, "type": "string", - "default": "username", + "required": true, "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", + "default": "username", "one_of": [ "username", "client_id" 
@@ -134,34 +132,36 @@ "values": { "type": "string" }, - "required": true, "type": "map", - "default": [ - - ], + "required": true, "description": "A list of custom headers to be added in the introspection request.", "keys": { "type": "string" - } + }, + "default": [ + + ] } }, { "custom_claims_forward": { - "required": true, "type": "set", + "required": true, + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", "elements": { "type": "string" }, - "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", "default": [ ] } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/oauth2/3.11.x.json b/schemas/oauth2/3.11.x.json index 2c0e00b3..be7232a2 100644 --- a/schemas/oauth2/3.11.x.json +++ b/schemas/oauth2/3.11.x.json @@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { + "required": true, "default": [ "grpc", "grpcs", 
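Review bot: `custom_headers` is declared with `"type": "map"`, but the default re-added in the hunk at `-134,34` is an empty array, `"default": [ ]`. A consumer that checks defaults against the declared type, or renders them in documentation, gets an array where an object is expected; `"default": {}` would match the type. This looks like an empty-table serialization artifact, so it presumably needs fixing in the export rather than by hand. The same `[ ]` default is consistent for `custom_claims_forward`, which is a `set`.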
@@ -32,49 +30,49 @@ "wss" ] }, - "required": true, "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "entity_checks": [ { "conditional": { - "if_match": { - "eq": true - }, - "then_field": "scopes", "if_field": "mandatory_scope", "then_match": { "required": true - } + }, + "if_match": { + "eq": true + }, + "then_field": "scopes" } } ], "fields": [ { "scopes": { + "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", "elements": { "type": "string" }, - "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", "type": "array" } }, { "mandatory_scope": { - "default": false, - "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", "required": true, + "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", + "default": false, "type": "boolean" } }, 
@@ -82,65 +80,65 @@ "provision_key": { "encrypted": true, "unique": true, - "type": "string", - "description": "The unique key the plugin has generated when it has been added to the Service.", "required": true, + "description": "The unique key the plugin has generated when it has been added to the Service.", + "type": "string", "auto": true } }, { "token_expiration": { - "default": 7200, - "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration.", "required": true, + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration.", + "default": 7200, "type": "number" } }, { "enable_authorization_code": { - "default": false, - "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", "required": true, + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", + "default": false, "type": "boolean" } }, { "enable_implicit_grant": { - "default": false, - "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", "required": true, + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", + "default": false, "type": "boolean" } }, { "enable_client_credentials": { - "default": false, - "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", "required": true, + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", + "default": false, "type": 
"boolean" } }, { "enable_password_grant": { - "default": false, - "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", "required": true, + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", + "default": false, "type": "boolean" } }, { "hide_credentials": { - "default": false, - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", "required": true, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", + "default": false, "type": "boolean" } }, { "accept_http_if_already_terminated": { - "default": false, - "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", "required": true, + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", + "default": false, "type": "boolean" } }, @@ -152,9 +150,9 @@ }, { "global_credentials": { - "default": false, - "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", "required": true, + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", + "default": false, "type": "boolean" } }, 
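Review bot: The four grant-flow descriptions in the hunk at `-82,65` (`enable_authorization_code`, `enable_implicit_grant`, `enable_client_credentials`, `enable_password_grant`) cite `RFC 6742`, but the OAuth 2.0 Authorization Framework is RFC 6749; the section numbers 4.1 to 4.4 match that document. Each citation should read like `(RFC 6749 Section 4.1)`. The lines are only reordered by this change, so the typo predates it and, if the file is regenerated from the API, needs correcting in the source schema.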
@@ -167,37 +165,37 @@ }, { "refresh_token_ttl": { + "type": "number", + "required": true, + "default": 1209600, "between": [ 0, 100000000 ], - "required": true, - "type": "number", - "default": 1209600, "description": "Time-to-live value for data" } }, { "reuse_refresh_token": { - "default": false, - "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", "required": true, + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", + "default": false, "type": "boolean" } }, { "persistent_refresh_token": { - "default": false, "required": true, + "default": false, "type": "boolean" } }, { "pkce": { - "required": false, "type": "string", - "default": "lax", + "required": false, "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", + "default": "lax", "one_of": [ "none", "lax", @@ -207,15 +205,17 @@ }, { "realm": { - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "required": false, + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "type": "string" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/opa/3.11.x.json b/schemas/opa/3.11.x.json index 1b302c32..5175aa2a 100644 --- a/schemas/opa/3.11.x.json +++ b/schemas/opa/3.11.x.json 
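Review bot: `persistent_refresh_token` in the hunk at `-167,37` is the only field there without a `description`, and `refresh_token_ttl` keeps the generic text `Time-to-live value for data`. Both decide how long a refresh token stays usable, so the text should state the unit (presumably seconds, as for `token_expiration`) and what `0` means, since `between` allows it. `pkce` likewise defaults to `lax` without the description saying what that mode enforces.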
@@ -1,27 +1,23 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -30,25 +26,27 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "opa_protocol": { + "type": "string", "default": "http", "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", - "type": "string", "one_of": [ "http", "https" 
@@ -57,56 +55,56 @@ }, { "opa_host": { + "required": true, "default": "localhost", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, { "opa_port": { + "type": "integer", + "required": true, + "default": 8181, "between": [ 0, 65535 ], - "required": true, - "type": "integer", - "default": 8181, "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "opa_path": { - "required": true, "type": "string", + "required": true, "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/", "match_none": [ { "err": "must not have empty segments", "pattern": "//" } - ], - "starts_with": "/" + ] } }, { "include_service_in_opa_input": { - "default": false, "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", + "default": false, "type": "boolean" } }, { "include_route_in_opa_input": { - "default": false, "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", + "default": false, "type": "boolean" } }, { "include_consumer_in_opa_input": { - "default": false, "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", + "default": false, "type": "boolean" } }, 
@@ -118,30 +116,32 @@ }, { "include_parsed_json_body_in_opa_input": { - "default": false, "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", + "default": false, "type": "boolean" } }, { "include_uri_captures_in_opa_input": { - "default": false, "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", + "default": false, "type": "boolean" } }, { "ssl_verify": { + "required": true, "default": true, "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", - "required": true, "type": "boolean" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/openid-connect/3.11.x.json b/schemas/openid-connect/3.11.x.json index 7a0c9dd9..693a0085 100644 --- a/schemas/openid-connect/3.11.x.json +++ b/schemas/openid-connect/3.11.x.json @@ -12,22 +12,21 @@ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
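Review bot: The `ssl_verify` description in the hunk at `-118,30` promises certificate verification, but `opa_protocol` (earlier in this file's diff) defaults to `http`. Over plain `http` there is no certificate to verify, and the request data selected by the `include_*_in_opa_input` flags is sent unencrypted. The description should say when the setting takes effect, for example by appending `Only applies when opa_protocol is https.` That reading is inferred from the two defaults, so confirm it against the plugin before changing the text.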
@@ -36,161 +35,161 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { - "type": "record", + "required": true, "shorthand_fields": [ { "authorization_cookie_lifetime": { + "type": "number", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.authorization_cookie_lifetime is deprecated, please use config.authorization_rolling_timeout instead" - }, - "type": "number" + "message": "openid-connect: config.authorization_cookie_lifetime is deprecated, please use config.authorization_rolling_timeout instead", + "removal_in_version": "4.0" + } } }, { "authorization_cookie_samesite": { + "type": "string", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.authorization_cookie_samesite is deprecated, please use config.authorization_cookie_same_site instead" - }, - "type": "string" + "message": "openid-connect: config.authorization_cookie_samesite is deprecated, please use config.authorization_cookie_same_site instead", + "removal_in_version": "4.0" + } } }, { "authorization_cookie_httponly": { + "type": "boolean", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.authorization_cookie_httponly is deprecated, please use config.authorization_cookie_http_only instead" - }, - "type": "boolean" + "message": "openid-connect: config.authorization_cookie_httponly is deprecated, please use config.authorization_cookie_http_only instead", + "removal_in_version": "4.0" + } } }, { "session_cookie_lifetime": { + "type": "number", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_lifetime is 
deprecated, please use config.session_rolling_timeout instead" - }, - "type": "number" + "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead", + "removal_in_version": "4.0" + } } }, { "session_cookie_idletime": { + "type": "number", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead" - }, - "type": "number" + "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead", + "removal_in_version": "4.0" + } } }, { "session_cookie_samesite": { + "type": "string", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead" - }, - "type": "string" + "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead", + "removal_in_version": "4.0" + } } }, { "session_cookie_httponly": { + "type": "boolean", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead" - }, - "type": "boolean" + "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead", + "removal_in_version": "4.0" + } } }, { "session_memcache_prefix": { + "type": "string", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead" - }, - "type": "string" + "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead", + "removal_in_version": "4.0" + } } }, { "session_memcache_socket": { + "type": "string", "deprecation": { - 
"removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead" - }, - "type": "string" + "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead", + "removal_in_version": "4.0" + } } }, { "session_memcache_host": { + "type": "string", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead" - }, - "type": "string" + "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead", + "removal_in_version": "4.0" + } } }, { "session_memcache_port": { + "type": "integer", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead" - }, - "type": "integer" + "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead", + "removal_in_version": "4.0" + } } }, { "session_cookie_renew": { + "type": "number", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_renew option does not exist anymore" - }, - "type": "number" + "message": "openid-connect: config.session_cookie_renew option does not exist anymore", + "removal_in_version": "4.0" + } } }, { "session_cookie_maxsize": { + "type": "integer", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore" - }, - "type": "integer" + "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore", + "removal_in_version": "4.0" + } } }, { "session_strategy": { + "type": "string", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_strategy 
option does not exist anymore" - }, - "type": "string" + "message": "openid-connect: config.session_strategy option does not exist anymore", + "removal_in_version": "4.0" + } } }, { "session_compressor": { + "type": "string", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_compressor option does not exist anymore" - }, - "type": "string" + "message": "openid-connect: config.session_compressor option does not exist anymore", + "removal_in_version": "4.0" + } } }, { "session_redis_prefix": { + "type": "string", "deprecation": { - "message": "openid-connect: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -198,16 +197,16 @@ "prefix" ] } - ] - }, - "type": "string" + ], + "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_prefix is deprecated, please use config.redis.prefix instead" + } } }, { "session_redis_socket": { + "type": "string", "deprecation": { - "message": "openid-connect: config.session_redis_socket is deprecated, please use config.redis.socket instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -215,16 +214,16 @@ "socket" ] } - ] - }, - "type": "string" + ], + "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_socket is deprecated, please use config.redis.socket instead" + } } }, { "session_redis_host": { + "type": "string", "deprecation": { - "message": "openid-connect: config.session_redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -232,16 +231,16 @@ "host" ] } - ] - }, - "type": "string" + ], + "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_host is deprecated, please use config.redis.host instead" + } } }, { "session_redis_port": { + "type": "integer", "deprecation": { - "message": "openid-connect: config.session_redis_port is deprecated, please use config.redis.port instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -249,16 +248,16 @@ "port" ] } - ] - }, - "type": "integer" + ], + "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_port is deprecated, please use config.redis.port instead" + } } }, { "session_redis_username": { + "type": "string", "deprecation": { - "message": "openid-connect: config.redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -266,16 +265,16 @@ "username" ] } - ] - }, - "type": "string" + ], + "removal_in_version": "4.0", + "message": "openid-connect: config.redis_host is deprecated, please use config.redis.host instead" + } } }, { "session_redis_password": { + "type": "string", "deprecation": { - "message": "openid-connect: config.session_redis_password is deprecated, please use config.redis.password instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -283,16 +282,16 @@ "password" ] } - ] - }, - "type": "string" + ], + "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_password is deprecated, please use config.redis.password instead" + } } }, { "session_redis_connect_timeout": { + "type": "integer", "deprecation": { - "message": "openid-connect: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
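Review bot: The deprecation message for `session_redis_username` in the hunk at `-266,16` names the wrong option: it reads `config.redis_host is deprecated, please use config.redis.host instead`, while the `replaced_with` path for this field ends in `username`. An operator following the message would migrate the wrong setting. Following the sibling fields, the line should be `"message": "openid-connect: config.session_redis_username is deprecated, please use config.redis.username instead"`. The commit only moves the line, so the wrong text is carried over unchanged.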
@@ -300,16 +299,16 @@ "connect_timeout" ] } - ] - }, - "type": "integer" + ], + "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead" + } } }, { "session_redis_read_timeout": { + "type": "integer", "deprecation": { - "message": "openid-connect: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -317,16 +316,16 @@ "read_timeout" ] } - ] - }, - "type": "integer" + ], + "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead" + } } }, { "session_redis_send_timeout": { + "type": "integer", "deprecation": { - "message": "openid-connect: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -334,16 +333,16 @@ "send_timeout" ] } - ] - }, - "type": "integer" + ], + "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead" + } } }, { "session_redis_ssl": { + "type": "boolean", "deprecation": { - "message": "openid-connect: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -351,16 +350,16 @@ "ssl" ] } - ] - }, - "type": "boolean" + ], + "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_ssl is deprecated, please use config.redis.ssl instead" + } } }, { "session_redis_ssl_verify": { + "type": "boolean", "deprecation": { - "message": "openid-connect: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -368,16 +367,16 @@ "ssl_verify" ] } - ] - }, - "type": "boolean" + ], + "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead" + } } }, { "session_redis_server_name": { + "type": "string", "deprecation": { - "message": "openid-connect: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -385,21 +384,33 @@ "server_name" ] } - ] - }, - "type": "string" + ], + "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_server_name is deprecated, please use config.redis.server_name instead" + } } }, { "session_redis_cluster_nodes": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "cluster_nodes" + ] + } + ], + "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead" + }, "elements": { - "type": "record", "fields": [ { "ip": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, @@ -414,28 +425,16 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "type": "array", - "deprecation": { - "message": "openid-connect: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "cluster_nodes" - ] - } - ] - } + "type": "array" } }, { "session_redis_cluster_max_redirections": { + "type": "integer", "deprecation": { - "message": "openid-connect: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -443,83 +442,72 @@ "cluster_max_redirections" ] } - ] - }, - "type": "integer" + ], + "removal_in_version": "4.0", + "message": "openid-connect: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead" + } } } ], - "required": true, "fields": [ { "issuer": { - "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", "required": true, + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", "type": "string" } }, { "using_pseudo_issuer": { - "default": false, - "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", "required": false, + "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "default": false, "type": "boolean" } }, { "discovery_headers_names": { + "required": false, + "description": "Extra header names passed to the discovery endpoint.", "elements": { "type": "string" }, - "description": "Extra header names passed to the discovery endpoint.", - "required": false, "type": "array" } }, { "discovery_headers_values": { + "required": false, + "description": "Extra header values passed to the discovery endpoint.", "elements": { "type": "string" }, - "description": "Extra header values passed to the discovery endpoint.", - "required": false, "type": "array" } }, { "extra_jwks_uris": { + "required": false, + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
}, - "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", - "required": false, "type": "set" } }, { "rediscovery_lifetime": { - "default": 30, - "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", "required": false, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", + "default": 30, "type": "number" } }, { "auth_methods": { - "required": false, "type": "array", - "default": [ - "password", - "client_credentials", - "authorization_code", - "bearer", - "introspection", - "userinfo", - "kong_oauth2", - "refresh_token", - "session" - ], + "required": false, "description": "Types of credentials/grants to enable.", "elements": { "type": "string", 
@@ -534,35 +522,48 @@ "refresh_token", "session" ] - } + }, + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] } }, { "client_id": { "encrypted": true, - "required": false, "type": "array", + "required": false, + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", "elements": { - "referenceable": true, - "type": "string" - }, - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." + "type": "string", + "referenceable": true + } } }, { "client_secret": { "encrypted": true, - "required": false, "type": "array", + "required": false, + "description": "The client secret.", "elements": { - "referenceable": true, - "type": "string" - }, - "description": "The client secret." + "type": "string", + "referenceable": true + } } }, { "client_auth": { + "required": false, + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", "elements": { "type": "string", "one_of": [ 
@@ -575,15 +576,14 @@ "none" ] }, - "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", - "required": false, "type": "array" } }, { "client_jwk": { + "required": false, + "description": "The JWK used for the private_key_jwt authentication.", "elements": { - "type": "record", "required": false, "fields": [ { @@ -606,11 +606,11 @@ }, { "key_ops": { + "required": false, "elements": { "required": false, "type": "string" }, - "required": false, "type": "array" } }, @@ -634,11 +634,11 @@ }, { "x5c": { + "required": false, "elements": { "required": false, "type": "string" }, - "required": false, "type": "array" } }, @@ -656,10 +656,10 @@ }, { "k": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "type": "string", + "encrypted": true, + "referenceable": true } }, { 
@@ -694,85 +694,86 @@ }, { "d": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "type": "string", + "encrypted": true, + "referenceable": true } }, { "p": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "type": "string", + "encrypted": true, + "referenceable": true } }, { "q": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "type": "string", + "encrypted": true, + "referenceable": true } }, { "dp": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "type": "string", + "encrypted": true, + "referenceable": true } }, { "dq": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "type": "string", + "encrypted": true, + "referenceable": true } }, { "qi": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "type": "string", + "encrypted": true, + "referenceable": true } }, { "oth": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "type": "string", + "encrypted": true, + "referenceable": true } }, { "r": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "type": "string", + "encrypted": true, + "referenceable": true } }, { "t": { - "encrypted": true, "required": false, - "referenceable": true, - "type": "string" + "type": "string", + "encrypted": true, + "referenceable": true } } - ] + ], + "type": "record" }, - "description": "The JWK used for the private_key_jwt authentication.", - "required": false, "type": "array" } }, { "client_alg": { + "required": false, + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", "elements": { "type": "string", "one_of": [ 
@@ -791,125 +792,123 @@ "EdDSA" ] }, - "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", - "required": false, "type": "array" } }, { "client_arg": { - "default": "client_id", - "description": "The client to use for this request (the selection is made with a request parameter with the same name).", "required": false, + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "default": "client_id", "type": "string" } }, { "redirect_uri": { + "required": false, + "description": "The redirect URI passed to the authorization and token endpoints.", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "description": "The redirect URI passed to the authorization and token endpoints.", - "required": false, "type": "array" } }, { "login_redirect_uri": { + "required": false, + "description": "Where to redirect the client when `login_action` is set to `redirect`.", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "referenceable": true, "type": "string" }, - "description": "Where to redirect the client when `login_action` is set to `redirect`.", - "required": false, "type": "array" } }, { "logout_redirect_uri": { + "required": false, + "description": "Where to redirect the client after the logout.", "elements": { "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "referenceable": true, "type": "string" }, - "description": "Where to redirect the client after the logout.", - "required": false, "type": "array" } }, { "forbidden_redirect_uri": { + "required": false, + "description": "Where to redirect the client on forbidden requests.", "elements": { "type": "string", "description": "A string representing a URL, such as 
https://example.com/path/to/resource?q=search." }, - "description": "Where to redirect the client on forbidden requests.", - "required": false, "type": "array" } }, { "forbidden_error_message": { - "default": "Forbidden", - "description": "The error message for the forbidden requests (when not using the redirection).", "required": false, + "description": "The error message for the forbidden requests (when not using the redirection).", + "default": "Forbidden", "type": "string" } }, { "forbidden_destroy_session": { - "default": true, - "description": "Destroy any active session for the forbidden requests.", "required": false, + "description": "Destroy any active session for the forbidden requests.", + "default": true, "type": "boolean" } }, { "unauthorized_destroy_session": { - "default": true, - "description": "Destroy any active session for the unauthorized requests.", "required": false, + "description": "Destroy any active session for the unauthorized requests.", + "default": true, "type": "boolean" } }, { "unauthorized_redirect_uri": { + "required": false, + "description": "Where to redirect the client on unauthorized requests.", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
}, - "description": "Where to redirect the client on unauthorized requests.", - "required": false, "type": "array" } }, { "unauthorized_error_message": { - "default": "Unauthorized", - "description": "The error message for the unauthorized requests (when not using the redirection).", "required": false, + "description": "The error message for the unauthorized requests (when not using the redirection).", + "default": "Unauthorized", "type": "string" } }, { "unexpected_redirect_uri": { + "required": false, + "description": "Where to redirect the client when unexpected errors happen with the requests.", "elements": { "type": "string", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." }, - "description": "Where to redirect the client when unexpected errors happen with the requests.", - "required": false, "type": "array" } }, { "response_mode": { - "required": false, "type": "string", - "default": "query", + "required": false, "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "default": "query", "one_of": [ "query", "form_post", 
@@ -923,182 +922,182 @@ }, { "response_type": { - "required": false, "type": "array", - "default": [ - "code" - ], + "required": false, "description": "The response type passed to the authorization endpoint.", "elements": { "type": "string" - } + }, + "default": [ + "code" + ] } }, { "scopes": { - "required": false, "type": "array", - "default": [ - "openid" - ], + "required": false, "description": "The scopes passed to the authorization and token endpoints.", "elements": { - "referenceable": true, - "type": "string" - } + "type": "string", + "referenceable": true + }, + "default": [ + "openid" + ] } }, { "audience": { + "required": false, + "description": "The audience passed to the authorization endpoint.", "elements": { "type": "string" }, - "description": "The audience passed to the authorization endpoint.", - "required": false, "type": "array" } }, { "issuers_allowed": { + "required": false, + "description": "The issuers allowed to be present in the tokens (`iss` claim).", "elements": { "type": "string" }, - "description": "The issuers allowed to be present in the tokens (`iss` claim).", - "required": false, "type": "array" } }, { "scopes_required": { + "required": false, + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" }, - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "required": false, "type": "array" } }, { "scopes_claim": { - "required": false, "type": "array", - "default": [ - "scope" - ], + "required": false, "description": "The claim that contains the scopes. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - } + }, + "default": [ + "scope" + ] } }, { "audience_required": { + "required": false, + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" }, - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "required": false, "type": "array" } }, { "audience_claim": { - "required": false, "type": "array", - "default": [ - "aud" - ], + "required": false, "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - } + }, + "default": [ + "aud" + ] } }, { "groups_required": { + "required": false, + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" }, - "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "required": false, "type": "array" } }, { "groups_claim": { - "required": false, "type": "array", - "default": [ - "groups" - ], + "required": false, "description": "The claim that contains the groups. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - } + }, + "default": [ + "groups" + ] } }, { "roles_required": { + "required": false, + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "elements": { "type": "string" }, - "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", - "required": false, "type": "array" } }, { "roles_claim": { - "required": false, "type": "array", - "default": [ - "roles" - ], + "required": false, "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - } + }, + "default": [ + "roles" + ] } }, { "domains": { + "required": false, + "description": "The allowed values for the `hd` claim.", "elements": { "type": "string" }, - "description": "The allowed values for the `hd` claim.", - "required": false, "type": "array" } }, { "max_age": { - "description": "The maximum age (in seconds) compared to the `auth_time` claim.", "required": false, + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", "type": "number" } }, { "authenticated_groups_claim": { + "required": false, + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" }, - "description": "The claim that contains authenticated groups. 
This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, "type": "array" } }, { "pushed_authorization_request_endpoint": { - "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", "required": false, + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", "type": "string" } }, { "pushed_authorization_request_endpoint_auth_method": { - "type": "string", - "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "required": false, + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -1112,106 +1111,106 @@ }, { "require_pushed_authorization_requests": { - "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", "required": false, + "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", "type": "boolean" } }, { "require_proof_key_for_code_exchange": { - "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", "required": false, + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", "type": "boolean" } }, { "require_signed_request_object": { - "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", "required": false, + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. 
When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", "type": "boolean" } }, { "authorization_endpoint": { - "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", "required": false, + "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", "type": "string" } }, { "authorization_query_args_names": { + "required": false, + "description": "Extra query argument names passed to the authorization endpoint.", "elements": { "type": "string" }, - "description": "Extra query argument names passed to the authorization endpoint.", - "required": false, "type": "array" } }, { "authorization_query_args_values": { + "required": false, + "description": "Extra query argument values passed to the authorization endpoint.", "elements": { "type": "string" }, - "description": "Extra query argument values passed to the authorization endpoint.", - "required": false, "type": "array" } }, { "authorization_query_args_client": { + "required": false, + "description": "Extra query arguments passed from the client to the authorization endpoint.", "elements": { "type": "string" }, - "description": "Extra query arguments passed from the client to the authorization endpoint.", - "required": false, "type": "array" } }, { "authorization_rolling_timeout": { - "default": 600, - "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", "required": false, + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling.", + "default": 600, "type": "number" } }, { "authorization_cookie_name": { - "default": "authorization", - "description": "The authorization cookie name.", "required": false, + "description": "The authorization cookie name.", + "default": "authorization", "type": "string" } }, { "authorization_cookie_path": { - "required": false, - "type": "string", "default": "/", - "description": "The authorization cookie Path flag.", + "type": "string", "match_none": [ { "err": "must not have empty segments", "pattern": "//" } ], - "starts_with": "/" + "description": "The authorization cookie Path flag.", + "starts_with": "/", + "required": false } }, { "authorization_cookie_domain": { - "description": "The authorization cookie Domain flag.", "required": false, + "description": "The authorization cookie Domain flag.", "type": "string" } }, { "authorization_cookie_same_site": { - "required": false, "type": "string", - "default": "Default", + "required": false, "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "default": "Default", "one_of": [ "Strict", "Lax", 
@@ -1222,39 +1221,39 @@ }, { "authorization_cookie_http_only": { - "default": true, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "required": false, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true, "type": "boolean" } }, { "authorization_cookie_secure": { - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "required": false, + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "type": "boolean" } }, { "preserve_query_args": { - "default": false, - "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", "required": false, + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "default": false, "type": "boolean" } }, { "token_endpoint": { - "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", "required": false, + "description": "The token endpoint. 
If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", "type": "string" } }, { "token_endpoint_auth_method": { - "type": "string", - "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "required": false, + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
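Review bot: `authorization_cookie_secure` has no `default`, unlike `authorization_cookie_http_only` just above it (`"default": true`), and its description does not say what the plugin does when the field is omitted. This flag decides whether the authorization cookie may travel over plain HTTP, so the description should state the effective value when unset, for example with a closing sentence of the form `When not set, <behaviour taken from the plugin source>.` That behaviour cannot be read from this schema, so the wording needs confirming upstream.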
@@ -1268,53 +1267,55 @@ }, { "token_headers_names": { + "required": false, + "description": "Extra header names passed to the token endpoint.", "elements": { "type": "string" }, - "description": "Extra header names passed to the token endpoint.", - "required": false, "type": "array" } }, { "token_headers_values": { + "required": false, + "description": "Extra header values passed to the token endpoint.", "elements": { "type": "string" }, - "description": "Extra header values passed to the token endpoint.", - "required": false, "type": "array" } }, { "token_headers_client": { + "required": false, + "description": "Extra headers passed from the client to the token endpoint.", "elements": { "type": "string" }, - "description": "Extra headers passed from the client to the token endpoint.", - "required": false, "type": "array" } }, { "token_headers_replay": { + "required": false, + "description": "The names of token endpoint response headers to forward to the downstream client.", "elements": { "type": "string" }, - "description": "The names of token endpoint response headers to forward to the downstream client.", - "required": false, "type": "array" } }, { "token_headers_prefix": { - "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", "required": false, + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", "type": "string" } }, { "token_headers_grants": { + "required": false, + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", "elements": { "type": "string", "one_of": [ 
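Review bot: `token_headers_values` is declared as a plain string array here, whereas `introspection_headers_values` later in this diff carries `"encrypted": true` on the field and `"referenceable": true` on its elements. If the extra token-endpoint headers can hold credentials (an API key or an `Authorization` value), they would miss the at-rest encryption and secret-reference handling that those two flags signal. Consider marking the field the same way, with `"encrypted": true` on the field and `"referenceable": true` inside `elements`, or say in the description that secrets should not be placed here. The same question applies to `discovery_headers_values` and `token_post_args_values` in other hunks of this file.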
@@ -1324,53 +1325,51 @@ "refresh_token" ] }, - "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", - "required": false, "type": "array" } }, { "token_post_args_names": { + "required": false, + "description": "Extra post argument names passed to the token endpoint.", "elements": { "type": "string" }, - "description": "Extra post argument names passed to the token endpoint.", - "required": false, "type": "array" } }, { "token_post_args_values": { + "required": false, + "description": "Extra post argument values passed to the token endpoint.", "elements": { "type": "string" }, - "description": "Extra post argument values passed to the token endpoint.", - "required": false, "type": "array" } }, { "token_post_args_client": { + "required": false, + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", "elements": { "type": "string" }, - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. 
If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", - "required": false, "type": "array" } }, { "introspection_endpoint": { - "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", "required": false, + "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", "type": "string" } }, { "introspection_endpoint_auth_method": { - "type": "string", - "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "required": false, + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -1384,26 +1383,26 @@ }, { "introspection_hint": { - "default": "access_token", - "description": "Introspection hint parameter value passed to the introspection endpoint.", "required": false, + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "default": "access_token", "type": "string" } }, { "introspection_check_active": { - "default": true, - "description": "Check that the introspection response has an `active` claim with a value of `true`.", "required": false, + "description": "Check that the introspection response has an `active` claim with a value of `true`.", + "default": true, "type": "boolean" } }, { "introspection_accept": { - "required": false, "type": "string", - "default": "application/json", + "required": false, "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", + "default": "application/json", "one_of": [ "application/json", "application/token-introspection+jwt", 
@@ -1413,96 +1412,96 @@ }, { "introspection_headers_names": { + "required": false, + "description": "Extra header names passed to the introspection endpoint.", "elements": { "type": "string" }, - "description": "Extra header names passed to the introspection endpoint.", - "required": false, "type": "array" } }, { "introspection_headers_values": { "encrypted": true, - "required": false, "type": "array", + "required": false, + "description": "Extra header values passed to the introspection endpoint.", "elements": { - "referenceable": true, - "type": "string" - }, - "description": "Extra header values passed to the introspection endpoint." + "type": "string", + "referenceable": true + } } }, { "introspection_headers_client": { + "required": false, + "description": "Extra headers passed from the client to the introspection endpoint.", "elements": { "type": "string" }, - "description": "Extra headers passed from the client to the introspection endpoint.", - "required": false, "type": "array" } }, { "introspection_post_args_names": { + "required": false, + "description": "Extra post argument names passed to the introspection endpoint.", "elements": { "type": "string" }, - "description": "Extra post argument names passed to the introspection endpoint.", - "required": false, "type": "array" } }, { "introspection_post_args_values": { + "required": false, + "description": "Extra post argument values passed to the introspection endpoint.", "elements": { "type": "string" }, - "description": "Extra post argument values passed to the introspection endpoint.", - "required": false, "type": "array" } }, { "introspection_post_args_client": { + "required": false, + "description": "Extra post arguments passed from the client to the introspection endpoint.", "elements": { "type": "string" }, - "description": "Extra post arguments passed from the client to the introspection endpoint.", - "required": false, "type": "array" } }, { "introspection_post_args_client_headers": { + "required": 
false, + "description": "Extra post arguments passed from the client headers to the introspection endpoint.", "elements": { "type": "string" }, - "description": "Extra post arguments passed from the client headers to the introspection endpoint.", - "required": false, "type": "array" } }, { "introspect_jwt_tokens": { - "default": false, - "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", "required": false, + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "default": false, "type": "boolean" } }, { "revocation_endpoint": { - "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", "required": false, + "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", "type": "string" } }, { "revocation_endpoint_auth_method": { - "type": "string", - "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "required": false, + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "one_of": [ "client_secret_basic", "client_secret_post", 
@@ -1516,24 +1515,24 @@ }, { "end_session_endpoint": { - "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", "required": false, + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", "type": "string" } }, { "userinfo_endpoint": { - "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", "required": false, + "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", "type": "string" } }, { "userinfo_accept": { - "required": false, "type": "string", - "default": "application/json", + "required": false, "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", + "default": "application/json", "one_of": [ "application/json", "application/jwt" 
@@ -1542,180 +1541,180 @@ }, { "userinfo_headers_names": { + "required": false, + "description": "Extra header names passed to the user info endpoint.", "elements": { "type": "string" }, - "description": "Extra header names passed to the user info endpoint.", - "required": false, "type": "array" } }, { "userinfo_headers_values": { + "required": false, + "description": "Extra header values passed to the user info endpoint.", "elements": { "type": "string" }, - "description": "Extra header values passed to the user info endpoint.", - "required": false, "type": "array" } }, { "userinfo_headers_client": { + "required": false, + "description": "Extra headers passed from the client to the user info endpoint.", "elements": { "type": "string" }, - "description": "Extra headers passed from the client to the user info endpoint.", - "required": false, "type": "array" } }, { "userinfo_query_args_names": { + "required": false, + "description": "Extra query argument names passed to the user info endpoint.", "elements": { "type": "string" }, - "description": "Extra query argument names passed to the user info endpoint.", - "required": false, "type": "array" } }, { "userinfo_query_args_values": { + "required": false, + "description": "Extra query argument values passed to the user info endpoint.", "elements": { "type": "string" }, - "description": "Extra query argument values passed to the user info endpoint.", - "required": false, "type": "array" } }, { "userinfo_query_args_client": { + "required": false, + "description": "Extra query arguments passed from the client to the user info endpoint.", "elements": { "type": "string" }, - "description": "Extra query arguments passed from the client to the user info endpoint.", - "required": false, "type": "array" } }, { "token_exchange_endpoint": { - "description": "The token exchange endpoint.", "required": false, + "description": "The token exchange endpoint.", "type": "string" } }, { "session_secret": { "encrypted": true, - 
"referenceable": true, "type": "string", + "required": false, "description": "The session secret.", - "required": false + "referenceable": true } }, { "session_audience": { - "default": "default", - "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", "required": false, + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "default": "default", "type": "string" } }, { "session_cookie_name": { - "default": "session", - "description": "The session cookie name.", "required": false, + "description": "The session cookie name.", + "default": "session", "type": "string" } }, { "session_remember": { - "default": false, - "description": "Enables or disables persistent sessions.", "required": false, + "description": "Enables or disables persistent sessions.", + "default": false, "type": "boolean" } }, { "session_remember_cookie_name": { - "default": "remember", - "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", "required": false, + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "default": "remember", "type": "string" } }, { "session_remember_rolling_timeout": { - "default": 604800, - "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", "required": false, + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "default": 604800, "type": "number" } }, { "session_remember_absolute_timeout": { - "default": 2592000, - "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", "required": false, + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 
0 disables the checks.", + "default": 2592000, "type": "number" } }, { "session_idling_timeout": { - "default": 900, - "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", "required": false, + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "default": 900, "type": "number" } }, { "session_rolling_timeout": { - "default": 3600, - "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", "required": false, + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "default": 3600, "type": "number" } }, { "session_absolute_timeout": { - "default": 86400, - "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", "required": false, + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 
0 disables the checks.", + "default": 86400, "type": "number" } }, { "session_cookie_path": { - "required": false, - "type": "string", "default": "/", - "description": "The session cookie Path flag.", + "type": "string", "match_none": [ { "err": "must not have empty segments", "pattern": "//" } ], - "starts_with": "/" + "description": "The session cookie Path flag.", + "starts_with": "/", + "required": false } }, { "session_cookie_domain": { - "description": "The session cookie Domain flag.", "required": false, + "description": "The session cookie Domain flag.", "type": "string" } }, { "session_cookie_same_site": { - "required": false, "type": "string", - "default": "Lax", + "required": false, "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", + "default": "Lax", "one_of": [ "Strict", "Lax", 
@@ -1726,21 +1725,23 @@ }, { "session_cookie_http_only": { - "default": true, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "required": false, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true, "type": "boolean" } }, { "session_cookie_secure": { - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "required": false, + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "type": "boolean" } }, { "session_request_headers": { + "required": false, + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", "elements": { "type": "string", "one_of": [ @@ -1753,13 +1754,13 @@ "absolute-timeout" ] }, - "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", - "required": false, "type": "set" } }, { "session_response_headers": { + "required": false, + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", "elements": { "type": "string", "one_of": [ 
@@ -1772,17 +1773,15 @@ "absolute-timeout" ] }, - "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", - "required": false, "type": "set" } }, { "session_storage": { - "required": false, "type": "string", - "default": "cookie", + "required": false, "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", + "default": "cookie", "one_of": [ "cookie", "memcache", 
@@ -1793,74 +1792,72 @@ }, { "session_store_metadata": { - "default": false, - "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", "required": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", + "default": false, "type": "boolean" } }, { "session_enforce_same_subject": { - "default": false, - "description": "When set to `true`, audiences are forced to share the same subject.", "required": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "default": false, "type": "boolean" } }, { "session_hash_subject": { - "default": false, - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", "required": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "default": false, "type": "boolean" } }, { "session_hash_storage_key": { - "default": false, - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "required": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "default": false, "type": "boolean" } }, { "session_memcached_prefix": { - "description": "The memcached session key prefix.", "required": false, + "description": "The memcached session key prefix.", "type": "string" } }, { "session_memcached_socket": { - "description": "The memcached unix socket path.", "required": false, + "description": "The memcached unix socket path.", "type": "string" } }, { "session_memcached_host": { - "default": "127.0.0.1", - "description": "The memcached host.", "required": false, + "description": "The memcached host.", + "default": "127.0.0.1", "type": "string" } }, { "session_memcached_port": { + "type": "integer", + "required": false, + "description": "The memcached port.", "between": [ 0, 65535 ], - "required": false, - "type": "integer", - "default": 11211, - "description": "The memcached port." + "default": 11211 } }, { "redis": { - "required": true, - "type": "record", "entity_checks": [ { "mutually_required": [ @@ -1884,14 +1881,14 @@ }, { "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", "if_field": "connection_is_proxied", "then_match": { "required": true - } + }, + "if_match": { + "eq": true + }, + "then_field": "host" } }, { @@ -1922,13 +1919,13 @@ } } ], + "type": "record", + "required": true, "shorthand_fields": [ { "timeout": { "type": "integer", "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -1945,47 +1942,49 @@ "read_timeout" ] } - ] + ], + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" } } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, + "len_min": 1, "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "elements": { + "type": "string" }, - "len_min": 1, "type": "array" } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, + "len_min": 1, "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "elements": { + "type": "string" }, - "len_min": 1, "type": "array" } } @@ -1993,8 +1992,8 @@ "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, 
@@ -2045,31 +2044,31 @@ { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { - "encrypted": true, + "type": "string", "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "referenceable": true, - "type": "string" + "encrypted": true, + "referenceable": true } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { - "encrypted": true, + "type": "string", "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "referenceable": true, - "type": "string" + "encrypted": true, + "referenceable": true } }, { @@ -2081,8 +2080,8 @@ }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, "between": [ 1, 2147483646 
@@ -2092,11 +2091,11 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "type": "integer" } }, @@ -2119,15 +2118,16 @@ }, { "sentinel_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { "fields": [ { "host": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -2145,21 +2145,21 @@ ], "type": "record" }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { "fields": [ { "ip": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -2177,60 +2177,59 @@ ], "type": "record" }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { + "required": false, "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "required": false, "type": "boolean" } }, { "ssl_verify": { + "required": false, "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string" } }, { "cluster_max_redirections": { + "required": false, "default": 5, "description": "Maximum retry attempts for redirection.", - "required": false, "type": "integer" } }, { "connection_is_proxied": { + "required": false, "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", - "required": false, "type": "boolean" } }, { "prefix": { - "description": "The Redis session key prefix.", "required": false, + "description": "The Redis session key prefix.", "type": "string" } }, { "socket": { - "description": "The Redis unix socket path.", "required": false, + "description": "The Redis unix socket path.", "type": "string" } } @@ -2239,36 +2238,31 @@ }, { "reverify": { - "default": false, - "description": "Specifies whether to always verify tokens stored in the session.", "required": false, + "description": "Specifies whether to always verify tokens stored in the session.", + "default": false, "type": "boolean" } }, { "jwt_session_claim": { - "default": "sid", - "description": "The claim to match against the JWT session cookie.", "required": false, + "description": "The claim to match against the JWT session cookie.", + "default": "sid", "type": "string" } }, { "jwt_session_cookie": { - "description": "The name of the JWT session cookie.", "required": false, + "description": "The name of the JWT session cookie.", "type": "string" } }, { "bearer_token_param_type": { - "required": false, "type": "array", - "default": [ - "header", - "query", - "body" - ], + "required": false, "description": "Where to look for the bearer token: - `header`: search the `Authorization`, `access-token`, and `x-access-token` HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", "elements": { "type": "string", 
@@ -2278,25 +2272,25 @@ "query", "body" ] - } + }, + "default": [ + "header", + "query", + "body" + ] } }, { "bearer_token_cookie_name": { - "description": "The name of the cookie in which the bearer token is passed.", "required": false, + "description": "The name of the cookie in which the bearer token is passed.", "type": "string" } }, { "client_credentials_param_type": { - "required": false, "type": "array", - "default": [ - "header", - "query", - "body" - ], + "required": false, "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", "elements": { "type": "string", @@ -2305,18 +2299,18 @@ "query", "body" ] - } + }, + "default": [ + "header", + "query", + "body" + ] } }, { "password_param_type": { - "required": false, "type": "array", - "default": [ - "header", - "query", - "body" - ], + "required": false, "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "elements": { "type": "string", @@ -2325,18 +2319,18 @@ "query", "body" ] - } + }, + "default": [ + "header", + "query", + "body" + ] } }, { "id_token_param_type": { - "required": false, "type": "array", - "default": [ - "header", - "query", - "body" - ], + "required": false, "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "elements": { "type": "string", 
@@ -2345,25 +2339,25 @@ "query", "body" ] - } + }, + "default": [ + "header", + "query", + "body" + ] } }, { "id_token_param_name": { - "description": "The name of the parameter used to pass the id token.", "required": false, + "description": "The name of the parameter used to pass the id token.", "type": "string" } }, { "refresh_token_param_type": { - "required": false, "type": "array", - "default": [ - "header", - "query", - "body" - ], + "required": false, "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "elements": { "type": "string", 
@@ -2372,212 +2366,214 @@ "query", "body" ] - } + }, + "default": [ + "header", + "query", + "body" + ] } }, { "refresh_token_param_name": { - "description": "The name of the parameter used to pass the refresh token.", "required": false, + "description": "The name of the parameter used to pass the refresh token.", "type": "string" } }, { "refresh_tokens": { - "default": true, - "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", "required": false, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", + "default": true, "type": "boolean" } }, { "upstream_headers_claims": { + "required": false, + "description": "The upstream header claims. Only top level claims are supported.", "elements": { "type": "string" }, - "description": "The upstream header claims. Only top level claims are supported.", - "required": false, "type": "array" } }, { "upstream_headers_names": { + "required": false, + "description": "The upstream header names for the claim values.", "elements": { "type": "string" }, - "description": "The upstream header names for the claim values.", - "required": false, "type": "array" } }, { "upstream_access_token_header": { - "default": "authorization:bearer", - "description": "The upstream access token header.", "required": false, + "description": "The upstream access token header.", + "default": "authorization:bearer", "type": "string" } }, { "upstream_access_token_jwk_header": { - "description": "The upstream access token JWK header.", "required": false, + "description": "The upstream access token JWK header.", "type": "string" } }, { "upstream_id_token_header": { - "description": "The upstream id token header.", "required": false, + "description": "The upstream id token header.", "type": "string" } }, { "upstream_id_token_jwk_header": { - "description": "The 
upstream id token JWK header.", "required": false, + "description": "The upstream id token JWK header.", "type": "string" } }, { "upstream_refresh_token_header": { - "description": "The upstream refresh token header.", "required": false, + "description": "The upstream refresh token header.", "type": "string" } }, { "upstream_user_info_header": { - "description": "The upstream user info header.", "required": false, + "description": "The upstream user info header.", "type": "string" } }, { "upstream_user_info_jwt_header": { - "description": "The upstream user info JWT header (in case the user info returns a JWT response).", "required": false, + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", "type": "string" } }, { "upstream_introspection_header": { - "description": "The upstream introspection header.", "required": false, + "description": "The upstream introspection header.", "type": "string" } }, { "upstream_introspection_jwt_header": { - "description": "The upstream introspection JWT header.", "required": false, + "description": "The upstream introspection JWT header.", "type": "string" } }, { "upstream_session_id_header": { - "description": "The upstream session id header.", "required": false, + "description": "The upstream session id header.", "type": "string" } }, { "downstream_headers_claims": { + "required": false, + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" }, - "description": "The downstream header claims. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, "type": "array" } }, { "downstream_headers_names": { + "required": false, + "description": "The downstream header names for the claim values.", "elements": { "type": "string" }, - "description": "The downstream header names for the claim values.", - "required": false, "type": "array" } }, { "downstream_access_token_header": { - "description": "The downstream access token header.", "required": false, + "description": "The downstream access token header.", "type": "string" } }, { "downstream_access_token_jwk_header": { - "description": "The downstream access token JWK header.", "required": false, + "description": "The downstream access token JWK header.", "type": "string" } }, { "downstream_id_token_header": { - "description": "The downstream id token header.", "required": false, + "description": "The downstream id token header.", "type": "string" } }, { "downstream_id_token_jwk_header": { - "description": "The downstream id token JWK header.", "required": false, + "description": "The downstream id token JWK header.", "type": "string" } }, { "downstream_refresh_token_header": { - "description": "The downstream refresh token header.", "required": false, + "description": "The downstream refresh token header.", "type": "string" } }, { "downstream_user_info_header": { - "description": "The downstream user info header.", "required": false, + "description": "The downstream user info header.", "type": "string" } }, { "downstream_user_info_jwt_header": { - "description": "The downstream user info JWT header (in case the user info returns a JWT response).", "required": false, + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", "type": "string" } }, { "downstream_introspection_header": { - "description": "The downstream introspection header.", "required": false, + "description": "The downstream introspection 
header.", "type": "string" } }, { "downstream_introspection_jwt_header": { - "description": "The downstream introspection JWT header.", "required": false, + "description": "The downstream introspection JWT header.", "type": "string" } }, { "downstream_session_id_header": { - "description": "The downstream session id header.", "required": false, + "description": "The downstream session id header.", "type": "string" } }, { "login_methods": { - "required": false, "type": "array", - "default": [ - "authorization_code" - ], + "required": false, "description": "Enable login functionality with specified grants.", "elements": { "type": "string", @@ -2592,15 +2588,18 @@ "refresh_token", "session" ] - } + }, + "default": [ + "authorization_code" + ] } }, { "login_action": { - "required": false, "type": "string", - "default": "upstream", + "required": false, "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", + "default": "upstream", "one_of": [ "upstream", "response", @@ -2610,11 +2609,8 @@ }, { "login_tokens": { - "required": false, "type": "array", - "default": [ - "id_token" - ], + "required": false, "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", "elements": { "type": "string", 
@@ -2625,15 +2621,18 @@ "tokens", "introspection" ] - } + }, + "default": [ + "id_token" + ] } }, { "login_redirect_mode": { - "required": false, "type": "string", - "default": "fragment", + "required": false, "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", + "default": "fragment", "one_of": [ "query", "fragment" @@ -2642,33 +2641,29 @@ }, { "logout_query_arg": { - "description": "The request query argument that activates the logout.", "required": false, + "description": "The request query argument that activates the logout.", "type": "string" } }, { "logout_post_arg": { - "description": "The request body argument that activates the logout.", "required": false, + "description": "The request body argument that activates the logout.", "type": "string" } }, { "logout_uri_suffix": { - "description": "The request URI suffix that activates the logout.", "required": false, + "description": "The request URI suffix that activates the logout.", "type": "string" } }, { "logout_methods": { - "required": false, "type": "array", - "default": [ - "POST", - "DELETE" - ], + "required": false, "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", "elements": { "type": "string", 
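Review bot: The `login_redirect_mode` description in the hunk at -2625 says that `fragment` is "not readable by servers" but gives no matching caveat for `query`. That is the riskier choice, because tokens placed in a query string are sent to the redirect target and can end up in access logs, browser history and Referer headers. I would extend that bullet to `query: place tokens in query string (sent to the server, so they can appear in access logs and Referer headers)`. The commit message says these schemas are pulled from the API, so the wording fix probably belongs in the upstream schema rather than in this file. The enclosing field list starts and ends outside the hunk.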
@@ -2677,51 +2672,51 @@ "GET", "DELETE" ] - } + }, + "default": [ + "POST", + "DELETE" + ] } }, { "logout_revoke": { - "default": false, - "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", "required": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", + "default": false, "type": "boolean" } }, { "logout_revoke_access_token": { - "default": true, - "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", "required": false, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "default": true, "type": "boolean" } }, { "logout_revoke_refresh_token": { - "default": true, - "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", "required": false, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", + "default": true, "type": "boolean" } }, { "consumer_claim": { + "required": false, + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" }, - "description": "The claim used for consumer mapping. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", - "required": false, "type": "array" } }, { "consumer_by": { - "required": false, "type": "array", - "default": [ - "username", - "custom_id" - ], + "required": false, "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", "elements": { "type": "string", 
@@ -2730,92 +2725,93 @@ "username", "custom_id" ] - } + }, + "default": [ + "username", + "custom_id" + ] } }, { "consumer_optional": { - "default": false, - "description": "Do not terminate the request if consumer mapping fails.", "required": false, + "description": "Do not terminate the request if consumer mapping fails.", + "default": false, "type": "boolean" } }, { - "credential_claim": { - "required": false, - "type": "array", - "default": [ - "sub" - ], + "credential_claim": { + "type": "array", + "required": false, "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", "elements": { "type": "string" - } + }, + "default": [ + "sub" + ] } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "required": false, + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. 
This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "type": "string" } }, { "run_on_preflight": { - "default": true, - "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", "required": false, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", + "default": true, "type": "boolean" } }, { "leeway": { - "default": 0, - "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", "required": false, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", + "default": 0, "type": "number" } }, { "verify_parameters": { - "default": false, - "description": "Verify plugin configuration against discovery.", "required": false, + "description": "Verify plugin configuration against discovery.", + "default": false, "type": "boolean" } }, { "verify_nonce": { - "default": true, - "description": "Verify nonce on authorization code flow.", "required": false, + "description": "Verify nonce on authorization code flow.", + "default": true, "type": "boolean" } }, { "verify_claims": { - "default": true, - "description": "Verify tokens for standard claims.", "required": false, + "description": "Verify tokens for standard claims.", + "default": true, "type": "boolean" } }, { "verify_signature": { - "default": true, - "description": "Verify signature of tokens.", "required": false, + "description": "Verify signature of tokens.", + "default": true, "type": "boolean" } }, { "ignore_signature": { - "required": false, "type": "array", - "default": [ - - ], + "required": false, "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: 
OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", "elements": { "type": "string", @@ -2828,19 +2824,24 @@ "introspection", "userinfo" ] - } + }, + "default": [ + + ] } }, { "enable_hs_signatures": { - "default": false, - "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", "required": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", + "default": false, "type": "boolean" } }, { "disable_session": { + "required": false, + "description": "Disable issuing the session cookie with the specified grants.", "elements": { "type": "string", "one_of": [ 
@@ -2855,115 +2856,113 @@ "session" ] }, - "description": "Disable issuing the session cookie with the specified grants.", - "required": false, "type": "array" } }, { "cache_ttl": { - "default": 3600, - "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", "required": false, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", + "default": 3600, "type": "number" } }, { "cache_ttl_max": { - "description": "The maximum cache ttl in seconds (enforced).", "required": false, + "description": "The maximum cache ttl in seconds (enforced).", "type": "number" } }, { "cache_ttl_min": { - "description": "The minimum cache ttl in seconds (enforced).", "required": false, + "description": "The minimum cache ttl in seconds (enforced).", "type": "number" } }, { "cache_ttl_neg": { - "description": "The negative cache ttl in seconds.", "required": false, + "description": "The negative cache ttl in seconds.", "type": "number" } }, { "cache_ttl_resurrect": { - "description": "The resurrection ttl in seconds.", "required": false, + "description": "The resurrection ttl in seconds.", "type": "number" } }, { "cache_tokens": { - "default": true, - "description": "Cache the token endpoint requests.", "required": false, + "description": "Cache the token endpoint requests.", + "default": true, "type": "boolean" } }, { "cache_tokens_salt": { - "auto": true, - "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", "required": false, - "type": "string" + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", + "type": "string", + "auto": true } }, { "cache_introspection": { - "default": true, - "description": "Cache the introspection endpoint requests.", "required": false, + "description": "Cache the introspection endpoint requests.", + "default": true, 
"type": "boolean" } }, { "cache_token_exchange": { - "default": true, - "description": "Cache the token exchange endpoint requests.", "required": false, + "description": "Cache the token exchange endpoint requests.", + "default": true, "type": "boolean" } }, { "cache_user_info": { - "default": true, - "description": "Cache the user info requests.", "required": false, + "description": "Cache the user info requests.", + "default": true, "type": "boolean" } }, { "search_user_info": { - "default": false, - "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", "required": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", + "default": false, "type": "boolean" } }, { "hide_credentials": { - "default": false, - "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", "required": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", + "default": false, "type": "boolean" } }, { "http_version": { - "default": 1.1, - "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", "required": false, + "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", + "default": 1.1, "type": "number" } }, { "http_proxy": { - "description": "The HTTP proxy.", "required": false, + "description": "The HTTP proxy.", "type": "string" } }, 
@@ -2971,14 +2970,14 @@ "http_proxy_authorization": { "required": false, "description": "The HTTP proxy authorization.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "https_proxy": { - "description": "The HTTPS proxy.", "required": false, + "description": "The HTTPS proxy.", "type": "string" } }, 
@@ -2986,62 +2985,62 @@ "https_proxy_authorization": { "required": false, "description": "The HTTPS proxy authorization.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "no_proxy": { - "description": "Do not use proxy with these hosts.", "required": false, + "description": "Do not use proxy with these hosts.", "type": "string" } }, { "keepalive": { - "default": true, - "description": "Use keepalive with the HTTP client.", "required": false, + "description": "Use keepalive with the HTTP client.", + "default": true, "type": "boolean" } }, { "ssl_verify": { - "default": false, - "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", "required": false, + "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", + "default": false, "type": "boolean" } }, { "timeout": { - "default": 10000, - "description": "Network IO timeout in milliseconds.", "required": false, + "description": "Network IO timeout in milliseconds.", + "default": 10000, "type": "number" } }, { "display_errors": { - "default": false, - "description": "Display errors on failure responses.", "required": false, + "description": "Display errors on failure responses.", + "default": false, "type": "boolean" } }, { "by_username_ignore_case": { - "default": false, - "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", "required": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", + "default": false, "type": "boolean" } }, { "resolve_distributed_claims": { - "default": false, - "description": "Distributed claims are represented by the `_claim_names` and 
`_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", "required": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", + "default": false, "type": "boolean" } }, @@ -3061,26 +3060,26 @@ }, { "introspection_token_param_name": { - "default": "token", - "description": "Designate token's parameter name for introspection.", "required": false, + "description": "Designate token's parameter name for introspection.", + "default": "token", "type": "string" } }, { "revocation_token_param_name": { - "default": "token", - "description": "Designate token's parameter name for revocation.", "required": false, + "description": "Designate token's parameter name for revocation.", + "default": "token", "type": "string" } }, { "proof_of_possession_mtls": { - "required": false, "type": "string", - "default": "off", + "required": false, "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", + "default": "off", "one_of": [ "off", "strict", 
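Review bot: In the hunk at -2986, `ssl_verify` keeps `"default": false`, and its description only explains what happens when the value is `true`. Nothing tells the reader that the default leaves the identity provider's server certificate unverified, so responses on that connection cannot be trusted to come from the identity provider. I would append a sentence such as `Defaults to false, which leaves the identity provider certificate unverified; set it to true and configure lua_ssl_trusted_certificate for production use.` Because the file is downloaded from the API, the change likely has to be made in the source schema and re-pulled. The enclosing field list starts and ends outside the hunk.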
@@ -3090,56 +3089,56 @@ }, { "proof_of_possession_auth_methods_validation": { - "default": true, - "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", "required": false, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", + "default": true, "type": "boolean" } }, { "tls_client_auth_cert_id": { - "auto": false, + "uuid": true, "required": false, - "type": "string", "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", - "uuid": true + "type": "string", + "auto": false } }, { "tls_client_auth_ssl_verify": { - "default": true, - "description": "Verify identity provider server certificate during mTLS client authentication.", "required": false, + "description": "Verify identity provider server certificate during mTLS client authentication.", + "default": true, "type": "boolean" } }, { "mtls_token_endpoint": { - "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", "required": false, + "description": "Alias for the token endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", "type": "string" } }, { "mtls_introspection_endpoint": { - "description": "Alias for the introspection endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", "required": false, + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", "type": "string" } }, { "mtls_revocation_endpoint": { - "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", "required": false, + "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", "type": "string" } }, { "proof_of_possession_dpop": { - "required": false, "type": "string", - "default": "off", + "required": false, "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", + "default": "off", "one_of": [ "off", "strict", 
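Review bot: The `mtls_revocation_endpoint` description in the hunk at -3090 is a copy of the `mtls_introspection_endpoint` text and still reads "Alias for the introspection endpoint". It should begin `Alias for the revocation endpoint to be used for mTLS client authentication.`, with the rest of the sentence unchanged. An operator following the text as written might set the revocation alias to the introspection URL, in which case token revocation would presumably not reach the intended endpoint. The same hunk's `proof_of_possession_dpop` description has "all request are verified", which should read "all requests are verified". Both strings appear to come from the upstream schema, so the correction belongs there.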
@@ -3149,36 +3148,36 @@ }, { "dpop_use_nonce": { - "default": false, - "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", "required": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", + "default": false, "type": "boolean" } }, { "dpop_proof_lifetime": { + "required": false, "default": 300, "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", - "required": false, "type": "number" } }, { "claims_forbidden": { + "required": false, + "description": "If given, these claims are forbidden in the token payload.", "elements": { "type": "string" }, - "description": "If given, these claims are forbidden in the token payload.", - "required": false, "type": "array" } }, { "cluster_cache_strategy": { - "required": false, "type": "string", - "default": "off", + "required": false, "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", + "default": "off", "one_of": [ "off", "redis" @@ -3187,8 +3186,6 @@ }, { "cluster_cache_redis": { - "required": true, - "type": "record", "entity_checks": [ { "mutually_required": [ @@ -3212,14 +3209,14 @@ }, { "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", "if_field": "connection_is_proxied", "then_match": { "required": true - } + }, + "if_match": { + "eq": true + }, + "then_field": "host" } }, { 
@@ -3250,12 +3247,13 @@ } } ], + "type": "record", + "required": true, "shorthand_fields": [ { "timeout": { + "type": "integer", "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -3272,47 +3270,48 @@ "read_timeout" ] } - ] - }, - "type": "integer" + ], + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + } } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, "len_min": 1, "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "elements": { + "type": "string" }, "type": "array" } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, "len_min": 1, "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "elements": { + "type": "string" }, "type": "array" } @@ -3321,8 +3320,8 @@ "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, @@ -3379,9 +3378,9 @@ }, { "password": { - "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, "type": "string" } }, 
@@ -3394,23 +3393,23 @@ }, { "sentinel_password": { - "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "referenceable": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, "type": "string" } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, "between": [ 1, 2147483646 
@@ -3420,11 +3419,11 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "type": "integer" } }, @@ -3447,16 +3446,16 @@ }, { "sentinel_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { - "type": "record", "fields": [ { "host": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -3471,24 +3470,24 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { - "type": "record", "fields": [ { "ip": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -3503,56 +3502,62 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { + "required": false, "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "required": false, "type": "boolean" } }, { "ssl_verify": { + "required": false, "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string" } }, { "cluster_max_redirections": { + "required": false, "default": 5, "description": "Maximum retry attempts for redirection.", - "required": false, "type": "integer" } }, { "connection_is_proxied": { + "required": false, "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "required": false, "type": "boolean" } } ] } } - ] + ], + "type": "record" } } - ] + ], + "supported_partials": { + "redis-ee": [ + "config.redis" + ] + } } \ No newline at end of file diff --git a/schemas/opentelemetry/3.11.x.json b/schemas/opentelemetry/3.11.x.json index 573b5251..19c93756 100644 
--- a/schemas/opentelemetry/3.11.x.json +++ b/schemas/opentelemetry/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -22,21 +18,20 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { - "required": true, - "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -45,15 +40,17 @@ ] } ], + "type": "record", + "required": true, "shorthand_fields": [ { "endpoint": { + "referenceable": true, "deprecation": { "removal_in_version": "4.0", "message": "OpenTelemetry: config.endpoint is deprecated, please use config.traces_endpoint instead" }, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "referenceable": true, "type": "string" } } @@ -76,8 +73,8 @@ { "headers": { "values": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", "keys": { @@ -102,16 +99,15 @@ }, { "queue": { + "required": true, "default": { "max_batch_size": 200 }, - "type": "record", - "required": true, "fields": [ { "max_batch_size": { - "default": 1, "description": "Maximum number of entries that can be processed at a time.", + "default": 1, "between": [ 1, 1000000 
@@ -121,8 +117,8 @@ }, { "max_coalescing_delay": { - "default": 1, "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "default": 1, "between": [ 0, 3600 @@ -132,8 +128,8 @@ }, { "max_entries": { - "default": 10000, "description": "Maximum number of entries that can be waiting on the queue.", + "default": 10000, "between": [ 1, 1000000 @@ -149,15 +145,15 @@ }, { "max_retry_time": { - "default": 60, "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60, "type": "number" } }, { "initial_retry_delay": { - "default": 0.01, "description": "Time in seconds before the initial retry is made for a failing batch.", + "default": 0.01, "between": [ 0.001, 1000000 @@ -167,8 +163,8 @@ }, { "max_retry_delay": { - "default": 60, "description": "Maximum time in seconds between retries, caps exponential backoff.", + "default": 60, "between": [ 0.001, 1000000 
@@ -178,38 +174,39 @@ }, { "concurrency_limit": { + "type": "integer", "default": 1, "description": "The number of of queue delivery timers. -1 indicates unlimited.", - "type": "integer", "one_of": [ -1, 1 ] } } - ] + ], + "type": "record" } }, { "batch_span_count": { - "description": "The number of spans to be sent in a single batch.", - "type": "integer", "deprecation": { "old_default": 200, "message": "opentelemetry: config.batch_span_count is deprecated, please use config.queue.max_batch_size instead", "removal_in_version": "4.0" - } + }, + "description": "The number of spans to be sent in a single batch.", + "type": "integer" } }, { "batch_flush_delay": { - "description": "The delay, in seconds, between two consecutive batches.", - "type": "integer", "deprecation": { "old_default": 3, "message": "opentelemetry: config.batch_flush_delay is deprecated, please use config.queue.max_coalescing_delay instead", "removal_in_version": "4.0" - } + }, + "description": "The delay, in seconds, between two consecutive batches.", + "type": "integer" } }, { @@ -252,14 +249,14 @@ }, { "header_type": { - "required": false, - "type": "string", - "default": "preserve", "deprecation": { "old_default": "preserve", "message": "opentelemetry: config.header_type is deprecated, please use config.propagation options instead", "removal_in_version": "4.0" }, + "type": "string", + "required": false, + "default": "preserve", "one_of": [ "preserve", "ignore", 
@@ -270,98 +267,105 @@ "ot", "aws", "gcp", - "datadog" + "datadog", + "instana" ] } }, { "sampling_rate": { + "required": false, + "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", "between": [ 0, 1 ], - "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", - "required": false, "type": "number" } }, { "propagation": { + "required": true, "default": { "default_format": "w3c" }, "fields": [ { "extract": { + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", "elements": { "type": "string", "one_of": [ - "gcp", - "jaeger", + "datadog", "aws", - "ot", + "gcp", + "instana", "w3c", - "datadog", - "b3" + "b3", + "jaeger", + "ot" ] }, - "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", "type": "array" } }, { "clear": { + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", "elements": { "type": "string" }, - "description": "Header names to clear after context extraction. 
This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", "type": "array" } }, { "inject": { + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", "elements": { "type": "string", "one_of": [ "preserve", + "datadog", + "aws", "gcp", + "instana", + "w3c", + "b3", "b3-single", "jaeger", - "aws", - "ot", - "w3c", - "datadog", - "b3" + "ot" ] }, - "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", "type": "array" } }, { "default_format": { - "type": "string", - "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", "required": true, + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. 
This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "type": "string", "one_of": [ + "datadog", + "aws", "gcp", + "instana", + "w3c", + "b3", "b3-single", "jaeger", - "aws", - "ot", - "w3c", - "datadog", - "b3" + "ot" ] } } ], - "required": true, "type": "record" } } ] } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/post-function/3.11.x.json b/schemas/post-function/3.11.x.json index 6835bfd9..7f60eafe 100644 --- a/schemas/post-function/3.11.x.json +++ b/schemas/post-function/3.11.x.json 
@@ -1,73 +1,31 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.certificate", - "config.rewrite", - "config.access", - "config.header_filter", - "config.body_filter", - "config.log", - "config.ws_handshake", - "config.ws_upstream_frame", - "config.ws_client_frame", - "config.ws_close" - ] - } - ], "fields": [ - { - "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], - "elements": { - "type": "string", - "one_of": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] - }, - "required": false, - "type": "set" - } - }, { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ @@ -83,14 +41,17 @@ "wss" ], "type": "string" - } + }, + "description": "A set of strings representing protocols." } }, { "config": { + "required": true, "fields": [ { "certificate": { + "required": true, "default": [ ], @@ -98,12 +59,12 @@ "required": false, "type": "string" }, - "required": true, "type": "array" } }, { "rewrite": { + "required": true, "default": [ ], @@ -111,12 +72,12 @@ "required": false, "type": "string" }, - "required": true, "type": "array" } }, { "access": { + "required": true, "default": [ ], 
@@ -124,12 +85,12 @@ "required": false, "type": "string" }, - "required": true, "type": "array" } }, { "header_filter": { + "required": true, "default": [ ], @@ -137,12 +98,12 @@ "required": false, "type": "string" }, - "required": true, "type": "array" } }, { "body_filter": { + "required": true, "default": [ ], @@ -150,12 +111,12 @@ "required": false, "type": "string" }, - "required": true, "type": "array" } }, { "log": { + "required": true, "default": [ ], @@ -163,12 +124,12 @@ "required": false, "type": "string" }, - "required": true, "type": "array" } }, { "ws_handshake": { + "required": true, "default": [ ], @@ -176,12 +137,12 @@ "required": false, "type": "string" }, - "required": true, "type": "array" } }, { "ws_client_frame": { + "required": true, "default": [ ], @@ -189,12 +150,12 @@ "required": false, "type": "string" }, - "required": true, "type": "array" } }, { "ws_upstream_frame": { + "required": true, "default": [ ], @@ -202,12 +163,12 @@ "required": false, "type": "string" }, - "required": true, "type": "array" } }, { "ws_close": { + "required": true, "default": [ ], @@ -215,14 +176,28 @@ "required": false, "type": "string" }, - "required": true, "type": "array" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } ] } \ No newline at end of file diff --git a/schemas/pre-function/3.11.x.json b/schemas/pre-function/3.11.x.json index 6835bfd9..7f60eafe 100644 --- a/schemas/pre-function/3.11.x.json +++ b/schemas/pre-function/3.11.x.json 
@@ -1,73 +1,31 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.certificate", - "config.rewrite", - "config.access", - "config.header_filter", - "config.body_filter", - "config.log", - "config.ws_handshake", - "config.ws_upstream_frame", - "config.ws_client_frame", - "config.ws_close" - ] - } - ], "fields": [ - { - "protocols": { - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], - "elements": { - "type": "string", - "one_of": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ] - }, - "required": false, - "type": "set" - } - }, { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ @@ -83,14 +41,17 @@ "wss" ], "type": "string" - } + }, + "description": "A set of strings representing protocols." } }, { "config": { + "required": true, "fields": [ { "certificate": { + "required": true, "default": [ ], @@ -98,12 +59,12 @@ "required": false, "type": "string" }, - "required": true, "type": "array" } }, { "rewrite": { + "required": true, "default": [ ], @@ -111,12 +72,12 @@ "required": false, "type": "string" }, - "required": true, "type": "array" } }, { "access": { + "required": true, "default": [ ], 
@@ -124,12 +85,12 @@ "required": false, "type": "string" }, - "required": true, "type": "array" } }, { "header_filter": { + "required": true, "default": [ ], @@ -137,12 +98,12 @@ "required": false, "type": "string" }, - "required": true, "type": "array" } }, { "body_filter": { + "required": true, "default": [ ], @@ -150,12 +111,12 @@ "required": false, "type": "string" }, - "required": true, "type": "array" } }, { "log": { + "required": true, "default": [ ], @@ -163,12 +124,12 @@ "required": false, "type": "string" }, - "required": true, "type": "array" } }, { "ws_handshake": { + "required": true, "default": [ ], @@ -176,12 +137,12 @@ "required": false, "type": "string" }, - "required": true, "type": "array" } }, { "ws_client_frame": { + "required": true, "default": [ ], @@ -189,12 +150,12 @@ "required": false, "type": "string" }, - "required": true, "type": "array" } }, { "ws_upstream_frame": { + "required": true, "default": [ ], @@ -202,12 +163,12 @@ "required": false, "type": "string" }, - "required": true, "type": "array" } }, { "ws_close": { + "required": true, "default": [ ], @@ -215,14 +176,28 @@ "required": false, "type": "string" }, - "required": true, "type": "array" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + "config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } ] } \ No newline at end of file diff --git a/schemas/prometheus/3.11.x.json b/schemas/prometheus/3.11.x.json index ff139dbf..65ea5936 100644 --- a/schemas/prometheus/3.11.x.json +++ b/schemas/prometheus/3.11.x.json 
@@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ @@ -29,19 +25,21 @@ "wss" ], "type": "string" - } + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "per_consumer": { @@ -84,11 +82,20 @@ "description": "A boolean value that determines if upstream metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", "type": "boolean" } + }, + { + "wasm_metrics": { + "default": false, + "description": "A boolean value that determines if Wasm metrics should be collected.", + "type": "boolean" + } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/proxy-cache-advanced/3.11.x.json b/schemas/proxy-cache-advanced/3.11.x.json index 63d95361..0194f625 100644 --- a/schemas/proxy-cache-advanced/3.11.x.json +++ b/schemas/proxy-cache-advanced/3.11.x.json @@ -11,15 +11,14 @@ "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -28,21 +27,23 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, "fields": [ { "response_code": { - "required": true, - "type": "array", "default": [ 200, 301, 404 ], + "type": "array", + "required": true, "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", "elements": { "between": [ @@ -56,12 +57,8 @@ }, { "request_method": { - "required": true, "type": "array", - "default": [ - "GET", - "HEAD" - ], + "required": true, "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", "elements": { "type": "string", @@ -72,36 +69,40 @@ "PATCH", "PUT" ] - } + }, + "default": [ + "GET", + "HEAD" + ] } }, { "content_type": { - "required": true, "type": "array", - "default": [ - "text/plain", - "application/json" - ], + "required": true, "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", "elements": { "type": "string" - } + }, + "default": [ + "text/plain", + "application/json" + ] } }, { "cache_ttl": { - "default": 300, "description": "TTL in seconds of cache entities.", + "default": 300, "gt": 0, "type": "integer" } }, { "strategy": { - "type": "string", - "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", "required": true, + "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", + "type": "string", "one_of": [ "memory", "redis" 
@@ -110,17 +111,17 @@ }, { "cache_control": { + "required": true, "default": false, "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", - "required": true, "type": "boolean" } }, { "ignore_uri_case": { + "required": false, "default": false, "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", - "required": false, "type": "boolean" } }, 
@@ -132,43 +133,42 @@ }, { "memory": { + "required": true, "fields": [ { "dictionary_name": { + "required": true, "default": "kong_db_cache", "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", - "required": true, "type": "string" } } ], - "required": true, "type": "record" } }, { "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration. By default, the max number of params accepted is 100. You can change this value via the `lua_max_post_args` in `kong.conf`.", "elements": { "type": "string" }, - "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "type": "array" } }, { "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "elements": { "type": "string" }, - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "type": "array" } }, { "response_headers": { - "type": "record", - "description": "Caching related diagnostic headers that should be included in cached responses", "required": true, + "description": "Caching related diagnostic headers that should be included in cached responses", "fields": [ { "age": { @@ -188,13 +188,12 @@ "type": "boolean" } } - ] + ], + "type": "record" } }, { "redis": { - "required": true, - "type": "record", "entity_checks": [ { "mutually_required": [ @@ -218,14 +217,14 @@ }, { "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", "if_field": "connection_is_proxied", "then_match": { "required": true - } + }, + "if_match": { + "eq": true + }, + "then_field": "host" } }, { 
@@ -256,12 +255,13 @@ } } ], + "type": "record", + "required": true, "shorthand_fields": [ { "timeout": { + "type": "integer", "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -278,47 +278,48 @@ "read_timeout" ] } - ] - }, - "type": "integer" + ], + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + } } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, "len_min": 1, "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "elements": { + "type": "string" }, "type": "array" } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, "len_min": 1, "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "elements": { + "type": "string" }, "type": "array" } @@ -327,8 +328,8 @@ "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, @@ -385,9 +386,9 @@ }, { "password": { - "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, "type": "string" } }, 
@@ -400,23 +401,23 @@ }, { "sentinel_password": { - "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "referenceable": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, "type": "string" } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, "between": [ 1, 2147483646 
@@ -426,11 +427,11 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "type": "integer" } }, @@ -453,16 +454,16 @@ }, { "sentinel_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { - "type": "record", "fields": [ { "host": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -477,24 +478,24 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { - "type": "record", "fields": [ { "ip": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -509,48 +510,48 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { + "required": false, "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "required": false, "type": "boolean" } }, { "ssl_verify": { + "required": false, "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string" } }, { "cluster_max_redirections": { + "required": false, "default": 5, "description": "Maximum retry attempts for redirection.", - "required": false, "type": "integer" } }, { "connection_is_proxied": { + "required": false, "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "required": false, "type": "boolean" } } 
@@ -559,15 +560,19 @@ }, { "bypass_on_err": { - "default": false, "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", + "default": false, "type": "boolean" } } ], - "required": true, "type": "record" } } - ] + ], + "supported_partials": { + "redis-ee": [ + "config.redis" + ] + } } \ No newline at end of file diff --git a/schemas/proxy-cache/3.11.x.json b/schemas/proxy-cache/3.11.x.json index c639f5af..b49abc3a 100644 --- a/schemas/proxy-cache/3.11.x.json +++ b/schemas/proxy-cache/3.11.x.json @@ -1,25 +1,15 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ @@ -35,22 +25,24 @@ "wss" ], "type": "string" - } + }, + "description": "A set of strings representing protocols." } }, { "config": { + "required": true, "fields": [ { "response_code": { - "required": true, + "len_min": 1, "type": "array", + "required": true, "default": [ 200, 301, 404 ], - "description": "Upstream response status code considered cacheable.", "elements": { "between": [ 100, @@ -58,17 +50,13 @@ ], "type": "integer" }, - "len_min": 1 + "description": "Upstream response status code considered cacheable." } }, { "request_method": { - "required": true, "type": "array", - "default": [ - "GET", - "HEAD" - ], + "required": true, "description": "Downstream request methods considered cacheable.", "elements": { "type": "string", 
@@ -79,21 +67,25 @@ "PATCH", "PUT" ] - } + }, + "default": [ + "GET", + "HEAD" + ] } }, { "content_type": { - "required": true, "type": "array", - "default": [ - "text/plain", - "application/json" - ], + "required": true, "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", "elements": { "type": "string" - } + }, + "default": [ + "text/plain", + "application/json" + ] } }, { @@ -106,9 +98,9 @@ }, { "strategy": { - "type": "string", - "description": "The backing data store in which to hold cache entities.", "required": true, + "description": "The backing data store in which to hold cache entities.", + "type": "string", "one_of": [ "memory" ] 
@@ -116,64 +108,63 @@ }, { "cache_control": { - "default": false, - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", "required": true, + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", + "default": false, "type": "boolean" } }, { "ignore_uri_case": { - "default": false, "required": false, + "default": false, "type": "boolean" } }, { "storage_ttl": { - "type": "integer", - "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." + "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" } }, { "memory": { + "required": true, "fields": [ { "dictionary_name": { - "default": "kong_db_cache", - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", "required": true, + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "default": "kong_db_cache", "type": "string" } } ], - "required": true, "type": "record" } }, { "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "elements": { "type": "string" }, - "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "type": "array" } }, { "vary_headers": { + "description": "Relevant headers considered for the cache key. 
If undefined, none of the headers are taken into consideration.", "elements": { "type": "string" }, - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "type": "array" } }, { "response_headers": { - "type": "record", - "description": "Caching related diagnostic headers that should be included in cached responses", "required": true, + "description": "Caching related diagnostic headers that should be included in cached responses", "fields": [ { "age": { @@ -193,13 +184,22 @@ "type": "boolean" } } - ] + ], + "type": "record" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } ] } \ No newline at end of file diff --git a/schemas/rate-limiting-advanced/3.11.x.json b/schemas/rate-limiting-advanced/3.11.x.json index a2ecf410..8baa938c 100644 --- a/schemas/rate-limiting-advanced/3.11.x.json +++ b/schemas/rate-limiting-advanced/3.11.x.json @@ -11,15 +11,14 @@ "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -28,18 +27,20 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, "fields": [ { "identifier": { - "required": true, "type": "string", + "required": true, "default": "consumer", - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`. Note if `identifier` is `consumer-group`, the plugin must be applied on a consumer group entity. Because a consumer may belong to multiple consumer groups, the plugin needs to know explicitly which consumer group to limit the rate.", "one_of": [ "ip", "credential", @@ -53,6 +54,7 @@ }, { "compound_identifier": { + "description": "Similar to `identifer`, but supports combining multiple items. The priority of `compound_identifier` is higher than `identifier`, which means if `compound_identifer` is set, it will be used, otherwise `identifier` will be used.", "elements": { "type": "string", "one_of": [ 
@@ -65,25 +67,24 @@ "consumer-group" ] }, - "description": "Similar to `identifer`, but supports combining multiple items. The priority of `compound_identifier` is higher than `identifier`, which means if `compound_identifer` is set, it will be used, otherwise `identifier` will be used.", "type": "array" } }, { "window_size": { + "required": true, + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" }, - "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", - "required": true, "type": "array" } }, { "window_type": { - "default": "sliding", - "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", "type": "string", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "default": "sliding", "one_of": [ "fixed", "sliding" 
@@ -92,32 +93,32 @@ }, { "limit": { + "required": true, + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" }, - "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", - "required": true, "type": "array" } }, { "sync_rate": { - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", - "type": "number" + "type": "number", + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." } }, { "namespace": { - "auto": true, - "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", "required": true, + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. 
`strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", + "auto": true, "type": "string" } }, { "strategy": { - "required": true, "type": "string", + "required": true, "default": "local", "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "one_of": [ @@ -129,31 +130,31 @@ }, { "dictionary_name": { + "required": true, "default": "kong_rate_limiting_counters", "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", - "required": true, "type": "string" } }, { "lock_dictionary_name": { + "required": true, "default": "kong_locks", "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. The shared dictionary should be declare in nginx-kong.conf.", - "required": true, "type": "string" } }, { "hide_client_headers": { - "default": false, "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", + "default": false, "type": "boolean" } }, { "retry_after_jitter_max": { - "default": 0, "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", + "default": 0, "type": "number" } }, 
@@ -165,21 +166,19 @@ }, { "path": { - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "err": "must not have empty segments", "pattern": "//" } ], + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/", "type": "string" } }, { "redis": { - "required": true, - "type": "record", "entity_checks": [ { "mutually_required": [ @@ -203,14 +202,14 @@ }, { "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", "if_field": "connection_is_proxied", "then_match": { "required": true - } + }, + "if_match": { + "eq": true + }, + "then_field": "host" } }, { @@ -241,13 +240,13 @@ } } ], + "type": "record", + "required": true, "shorthand_fields": [ { "timeout": { "type": "integer", "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -264,47 +263,49 @@ "read_timeout" ] } - ] + ], + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" } } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, + "len_min": 1, "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "elements": { + "type": "string" }, - "len_min": 1, "type": "array" } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, + "len_min": 1, "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "elements": { + "type": "string" }, - "len_min": 1, "type": "array" } } @@ -312,8 +313,8 @@ "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, 
@@ -364,31 +365,31 @@ { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { - "encrypted": true, + "type": "string", "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "referenceable": true, - "type": "string" + "encrypted": true, + "referenceable": true } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { - "encrypted": true, + "type": "string", "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "referenceable": true, - "type": "string" + "encrypted": true, + "referenceable": true } }, { @@ -400,8 +401,8 @@ }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, "between": [ 1, 2147483646 
@@ -411,11 +412,11 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "type": "integer" } }, @@ -438,15 +439,16 @@ }, { "sentinel_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { "fields": [ { "host": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -464,21 +466,21 @@ ], "type": "record" }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { "fields": [ { "ip": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -496,104 +498,180 @@ ], "type": "record" }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { + "required": false, "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "required": false, "type": "boolean" } }, { "ssl_verify": { + "required": false, "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string" } }, { "cluster_max_redirections": { + "required": false, "default": 5, "description": "Maximum retry attempts for redirection.", - "required": false, "type": "integer" } }, { "connection_is_proxied": { + "required": false, "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "required": false, "type": "boolean" } }, { "redis_proxy_type": { - "type": "string", - "description": "If the `connection_is_proxied` is enabled, this field indicates the proxy type and version you are using. 
For example, you can enable this optioin when you want authentication between Kong and Envoy proxy.", "required": false, + "description": "If the `connection_is_proxied` is enabled, this field indicates the proxy type and version you are using. For example, you can enable this optioin when you want authentication between Kong and Envoy proxy.", "one_of": [ "envoy_v1.31" - ] + ], + "type": "string" } } ] } }, + { + "throttling": { + "required": true, + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "enabled", + "dictionary_name", + "interval", + "retry_times", + "queue_limit" + ] + } + } + ], + "fields": [ + { + "enabled": { + "required": true, + "default": false, + "description": "Determines if the throttling feature is enabled or not", + "type": "boolean" + } + }, + { + "dictionary_name": { + "required": true, + "default": "kong_rate_limiting_throttling", + "description": "The shared dictionary where throttling counters are stored. The default shared dictionary is `kong_rate_limiting_throttling`. The shared dictionary should be declared in nginx-kong.conf.", + "type": "string" + } + }, + { + "interval": { + "type": "number", + "required": true, + "description": "The period between two successive retries for an individual request (in seconds)", + "between": [ + 1, + 1000000 + ], + "default": 5 + } + }, + { + "retry_times": { + "type": "number", + "required": true, + "description": "The maximum number of retries for an individual request", + "between": [ + 1, + 1000000 + ], + "default": 3 + } + }, + { + "queue_limit": { + "type": "number", + "required": true, + "description": "The maximum number of requests allowed for throttling", + "between": [ + 1, + 1000000 + ], + "default": 5 + } + } + ], + "type": "record" + } + }, { "enforce_consumer_groups": { - "default": false, "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. 
Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", + "default": false, "type": "boolean" } }, { "consumer_groups": { + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", "elements": { "type": "string" }, - "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", "type": "array" } }, { "disable_penalty": { - "default": false, "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", + "default": false, "type": "boolean" } }, { "error_code": { - "default": 429, "description": "Set a custom error code to return when the rate limit is exceeded.", + "default": 429, "gt": 0, "type": "number" } }, { "error_message": { - "default": "API rate limit exceeded", "description": "Set a custom error message to return when the rate limit is exceeded.", + "default": "API rate limit exceeded", "type": "string" } } ], - "required": true, "type": "record" } } - ] + ], + "supported_partials": { + "redis-ee": [ + "config.redis" + ] + } } \ No newline at end of file diff --git a/schemas/rate-limiting/3.11.x.json b/schemas/rate-limiting/3.11.x.json index fc7061fb..14c8a81a 100644 --- a/schemas/rate-limiting/3.11.x.json +++ b/schemas/rate-limiting/3.11.x.json 
@@ -12,77 +12,76 @@ }, { "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.host", "if_field": "config.policy", "then_match": { "required": true - } + }, + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.host" } }, { "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.port", "if_field": "config.policy", "then_match": { "required": true - } + }, + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.port" } }, { "conditional": { - "if_match": { - "eq": "redis" - }, - "then_field": "config.redis.timeout", "if_field": "config.policy", "then_match": { "required": true - } + }, + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.timeout" } }, { "conditional": { - "if_match": { - "eq": "header" - }, - "then_field": "config.header_name", "if_field": "config.limit_by", "then_match": { "required": true - } + }, + "if_match": { + "eq": "header" + }, + "then_field": "config.header_name" } }, { "conditional": { - "if_match": { - "eq": "path" - }, - "then_field": "config.path", "if_field": "config.limit_by", "then_match": { "required": true - } + }, + "if_match": { + "eq": "path" + }, + "then_field": "config.path" } } ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -91,59 +90,217 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, + "shorthand_fields": [ + { + "redis_host": { + "type": "string", + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } + ], + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_host is deprecated, please use config.redis.host instead" + } + } + }, + { + "redis_port": { + "type": "integer", + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ], + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_port is deprecated, please use config.redis.port instead" + } + } + }, + { + "redis_password": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ], + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_password is deprecated, please use config.redis.password instead" + }, + "len_min": 0, + "type": "string" + } + }, + { + "redis_username": { + "type": "string", + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ], + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_username is deprecated, please use config.redis.username instead" + } + } + }, + { + "redis_ssl": { + "type": "boolean", + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ], + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_ssl is deprecated, please use config.redis.ssl instead" + } + } + }, + { + "redis_ssl_verify": { + "type": "boolean", + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ], + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead" + } + } + }, + { + "redis_server_name": { + "type": "string", + "deprecation": { + "replaced_with": [ + { + "path": 
[ + "redis", + "server_name" + ] + } + ], + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_server_name is deprecated, please use config.redis.server_name instead" + } + } + }, + { + "redis_timeout": { + "type": "integer", + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "timeout" + ] + } + ], + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_timeout is deprecated, please use config.redis.timeout instead" + } + } + }, + { + "redis_database": { + "type": "integer", + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "database" + ] + } + ], + "removal_in_version": "4.0", + "message": "rate-limiting: config.redis_database is deprecated, please use config.redis.database instead" + } + } + } + ], "fields": [ { "second": { - "gt": 0, "description": "The number of HTTP requests that can be made per second.", + "gt": 0, "type": "number" } }, { "minute": { - "gt": 0, "description": "The number of HTTP requests that can be made per minute.", + "gt": 0, "type": "number" } }, { "hour": { - "gt": 0, "description": "The number of HTTP requests that can be made per hour.", + "gt": 0, "type": "number" } }, { "day": { - "gt": 0, "description": "The number of HTTP requests that can be made per day.", + "gt": 0, "type": "number" } }, { "month": { - "gt": 0, "description": "The number of HTTP requests that can be made per month.", + "gt": 0, "type": "number" } }, { "year": { - "gt": 0, "description": "The number of HTTP requests that can be made per year.", + "gt": 0, "type": "number" } }, { "limit_by": { + "type": "string", "default": "consumer", "description": "The entity that is used when aggregating the limits.", - "type": "string", "one_of": [ "consumer", "credential", 
@@ -163,22 +320,22 @@ }, { "path": { - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "err": "must not have empty segments", "pattern": "//" } ], + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/", "type": "string" } }, { "policy": { "type": "string", - "default": "local", "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "default": "local", "len_min": 0, "one_of": [ "local", @@ -189,17 +346,16 @@ }, { "fault_tolerant": { + "required": true, "default": true, "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", - "required": true, "type": "boolean" } }, { "redis": { - "type": "record", - "description": "Redis configuration", "required": true, + "description": "Redis configuration", "fields": [ { "host": { @@ -232,17 +388,17 @@ { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { "encrypted": true, - "referenceable": true, "type": "string", + "len_min": 0, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "len_min": 0 + "referenceable": true } }, { 
@@ -254,221 +410,70 @@ }, { "ssl": { - "default": false, - "description": "If set to true, uses SSL to connect to Redis.", "required": false, + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, "type": "boolean" } }, { "ssl_verify": { - "default": false, - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string" } } - ] + ], + "type": "record" } }, { "hide_client_headers": { + "required": true, "default": false, "description": "Optionally hide informative response headers.", - "required": true, "type": "boolean" } }, { "error_code": { - "gt": 0, "description": "Set a custom error code to return when the rate limit is exceeded.", "default": 429, + "gt": 0, "type": "number" } }, { "error_message": { - "default": "API rate limit exceeded", "description": "Set a custom error message to return when the rate limit is exceeded.", + "default": "API rate limit exceeded", "type": "string" } }, { "sync_rate": { + "required": true, "default": -1, "description": "How often to sync counter data to the central data store. 
A value of -1 results in synchronous behavior.", - "required": true, "type": "number" } } ], - "shorthand_fields": [ - { - "redis_host": { - "deprecation": { - "message": "rate-limiting: config.redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "host" - ] - } - ] - }, - "type": "string" - } - }, - { - "redis_port": { - "deprecation": { - "message": "rate-limiting: config.redis_port is deprecated, please use config.redis.port instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "port" - ] - } - ] - }, - "type": "integer" - } - }, - { - "redis_password": { - "type": "string", - "deprecation": { - "message": "rate-limiting: config.redis_password is deprecated, please use config.redis.password instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "password" - ] - } - ] - }, - "len_min": 0 - } - }, - { - "redis_username": { - "deprecation": { - "message": "rate-limiting: config.redis_username is deprecated, please use config.redis.username instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "username" - ] - } - ] - }, - "type": "string" - } - }, - { - "redis_ssl": { - "deprecation": { - "message": "rate-limiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "ssl" - ] - } - ] - }, - "type": "boolean" - } - }, - { - "redis_ssl_verify": { - "deprecation": { - "message": "rate-limiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "ssl_verify" - ] - } - ] - }, - "type": "boolean" - } - }, - { - "redis_server_name": { - "deprecation": { - "message": "rate-limiting: config.redis_server_name is deprecated, please use config.redis.server_name 
instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "server_name" - ] - } - ] - }, - "type": "string" - } - }, - { - "redis_timeout": { - "deprecation": { - "message": "rate-limiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "redis_database": { - "deprecation": { - "message": "rate-limiting: config.redis_database is deprecated, please use config.redis.database instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "database" - ] - } - ] - }, - "type": "integer" - } - } - ], - "required": true, "type": "record" } } - ] + ], + "supported_partials": { + "redis-ce": [ + "config.redis" + ] + } } \ No newline at end of file diff --git a/schemas/redirect/3.11.x.json b/schemas/redirect/3.11.x.json index 32153288..619f4754 100644 --- a/schemas/redirect/3.11.x.json +++ b/schemas/redirect/3.11.x.json @@ -1,8 +1,15 @@ { - "entity_checks": [], "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
@@ -12,50 +19,45 @@ "https" ] }, - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "type": "set", - "required": true, "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", "required": true, "fields": [ { "status_code": { + "type": "integer", + "required": true, + "description": "The response code to send. Must be an integer between 100 and 599.", "between": [ 100, 599 ], - "default": 301, - "type": "integer", - "required": true, - "description": "The response code to send. Must be an integer between 100 and 599." + "default": 301 } }, { "location": { - "type": "string", "required": true, - "description": "The URL to redirect to" + "description": "The URL to redirect to", + "type": "string" } }, { "keep_incoming_path": { - "type": "boolean", "default": false, - "description": "Use the incoming request's path and query string in the redirect URL" + "description": "Use the incoming request's path and query string in the redirect URL", + "type": "boolean" } } - ] + ], + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-callout/3.11.x.json b/schemas/request-callout/3.11.x.json index 4c92e8f2..02113a74 100644 --- a/schemas/request-callout/3.11.x.json +++ b/schemas/request-callout/3.11.x.json @@ -1,10 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "type": "set", + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], "elements": { "type": "string", "one_of": [ 
@@ -14,83 +19,72 @@ "https" ] }, - "description": "A set of strings representing HTTP protocols.", - "default": [ - "grpc", - "grpcs", - "http", - "https" - ], - "type": "set", - "required": true + "description": "A set of strings representing HTTP protocols." } }, { "config": { - "type": "record", + "required": true, "fields": [ { "callouts": { - "description": "A collection of callout objects, where each object represents an HTTPrequest made in the context of a proxy request.", - "type": "array", + "required": true, + "description": "A collection of callout objects, where each object represents an HTTP request made in the context of a proxy request.", "elements": { - "type": "record", "fields": [ { "name": { - "description": "A string identifier for a callout. A callout object is referenceablevia its name in the kong.ctx.shared.callouts.", - "type": "string", - "required": true + "required": true, + "description": "A string identifier for a callout. A callout object is referenceable via its name in the `kong.ctx.shared.callouts.`", + "type": "string" } }, { "depends_on": { "type": "array", - "description": "An array of callout names the current callout depends on.This dependency determines the callout execution order.", + "required": true, "default": [ ], "elements": { - "type": "string", - "required": true + "required": true, + "type": "string" }, - "required": true + "description": "An array of callout names the current callout depends on. This dependency list determines the callout execution order via a topological sorting algorithm." 
} }, { "request": { - "description": "The customizations for the callout request.", - "type": "record", "required": true, + "description": "The customizations for the callout request.", "fields": [ { "url": { - "description": "The URL that will be requested.", - "type": "string", "required": true, - "referenceable": true + "description": "The URL that will be requested.", + "referenceable": true, + "type": "string" } }, { "method": { - "type": "string", "match": "^%u+$", - "description": "The HTTP method that will be requested.", + "type": "string", + "required": true, "default": "GET", - "required": true + "description": "The HTTP method that will be requested." } }, { "http_opts": { - "description": "HTTP connection parameters.", - "type": "record", "required": true, + "description": "HTTP connection parameters.", "fields": [ { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean", - "default": false + "description": "If set to `true`, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, + "type": "boolean" } }, { @@ -101,8 +95,6 @@ }, { "timeouts": { - "description": "Socket timeouts in milliseconds. All or none must be set.", - "type": "record", "entity_checks": [ { "mutually_required": [ 
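Review bot: The new `ssl_verify` description under `request.http_opts` still says the trusted certificate is the one "used by your Redis server", but this field sits in the callout's HTTP connection parameters, so the certificate being verified belongs to the callout `url` target. The sentence should end `to specify the CA (or server) certificate used by the callout target server`. The default remains `false`, so callout requests are presumably sent without certificate verification unless the operator enables it, and they can carry the incoming request's headers and body when the `forward` options are on. The description should state that default behaviour. The key reordering throughout suggests this file is a generated dump, in which case the wording has to be corrected in the plugin schema it is pulled from.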
@@ -112,351 +104,355 @@ ] } ], + "description": "Socket timeouts in milliseconds. All or none must be set.", "fields": [ { "connect": { "description": "The socket connect timeout.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer" } }, { "write": { "description": "The socket write timeout.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer" } }, { "read": { "description": "The socket read timeout. ", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer" } } - ] + ], + "type": "record" } }, { "proxy": { "description": "Proxy settings.", - "type": "record", "fields": [ { "auth_username": { + "required": false, "description": "The username to authenticate with, if the forward proxy is protected by basic authentication.", - "type": "string", "referenceable": true, - "required": false + "type": "string" } }, { "auth_password": { + "required": false, "description": "The password to authenticate with, if the forward proxy is protected by basic authentication.", - "type": "string", "referenceable": true, - "required": false + "type": "string" } }, { "https_proxy": { - "description": "The HTTPS proxy URL. This proxy server will be used for HTTPS requests.", - "type": "string" + "type": "string", + "description": "The HTTPS proxy URL. This proxy server will be used for HTTPS requests." } }, { "http_proxy": { - "description": "The HTTP proxy URL. This proxy server will be used for HTTP requests.", - "type": "string" + "type": "string", + "description": "The HTTP proxy URL. This proxy server will be used for HTTP requests." } } - ] + ], + "type": "record" } } - ] + ], + "type": "record" } }, { "query": { - "description": "Callout request query param customizations.", - "type": "record", "required": true, + "description": "Callout request query param customizations.", "fields": [ { "forward": { - "description": "If true, forwards the incoming request's query params to the callout request. 
", - "type": "boolean", - "default": false + "description": "If `true`, forwards the incoming request's query params to the callout request. ", + "default": false, + "type": "boolean" } }, { "custom": { - "type": "map", - "keys": { - "type": "string" - }, - "description": "The custom query params to be added in the callout HTTP request.Values can contain Lua expressions in the form $(some_lua_code).", "values": { - "type": "string", + "required": false, "referenceable": true, - "required": false + "type": "string" }, - "required": false + "type": "map", + "required": false, + "description": "The custom query params to be added in the callout HTTP request. Values can contain Lua expressions in the form `$(some_lua_expression)`. The syntax is based on `request-transformer-advanced` templates.", + "keys": { + "type": "string" + } } } - ] + ], + "type": "record" } }, { "headers": { - "description": "Callout request header customizations.", - "type": "record", "required": true, + "description": "Callout request header customizations.", "fields": [ { "forward": { - "description": "If true, forwards the incoming request's headers to the callout request. ", - "type": "boolean", - "default": false + "description": "If `true`, forwards the incoming request's headers to the callout request. ", + "default": false, + "type": "boolean" } }, { "custom": { - "type": "map", - "keys": { - "type": "string" - }, - "description": "The custom headers to be added in the callout HTTP request.Values can contain Lua expressions in the form $(some_lua_code).", "values": { - "type": "string", + "required": false, "referenceable": true, - "required": false + "type": "string" }, - "required": false + "type": "map", + "required": false, + "description": "The custom headers to be added in the callout HTTP request. Values can contain Lua expressions in the form `$(some_lua_expression)`. 
The syntax is based on `request-transformer-advanced` templates.", + "keys": { + "type": "string" + } } } - ] + ], + "type": "record" } }, { "body": { - "description": "Callout request body customizations.", - "type": "record", "required": true, + "description": "Callout request body customizations.", "fields": [ { "forward": { - "description": "If true, forwards the incoming request's body to the callout request.", - "type": "boolean", - "default": false + "description": "If `true`, forwards the incoming request's body to the callout request.", + "default": false, + "type": "boolean" } }, { "decode": { - "description": "If true, decodes the request's body to make it available for customizations.", - "type": "boolean", - "default": false + "description": "If `true`, decodes the request's body and make it available for customizations. Only JSON content type is supported.", + "default": false, + "type": "boolean" } }, { "custom": { - "type": "map", - "keys": { - "type": "string" - }, - "description": "The custom body fields to be added in the callout HTTP request.Values can contain Lua expressions in the form $(some_lua_code).", "values": { - "type": "string", + "required": false, "referenceable": true, - "required": false + "type": "string" }, - "required": false + "type": "map", + "required": false, + "description": "The custom body fields to be added to the callout HTTP request. Values can contain Lua expressions in the form $(some_lua_expression). 
The syntax is based on `request-transformer-advanced` templates.", + "keys": { + "type": "string" + } } } - ] + ], + "type": "record" } }, { "error": { - "description": "The error handling policy the plugin will apply to TCP and HTTP errors.", - "type": "record", "required": true, + "description": "The error handling policy the plugin will apply to TCP and HTTP errors.", "fields": [ { "on_error": { + "default": "fail", + "type": "string", "one_of": [ "retry", "fail", "continue" - ], - "default": "fail", - "type": "string" + ] } }, { "retries": { "description": "The number of retries the plugin will attempt on TCP and HTTP errors if `on_error` is set to `retry`.", - "type": "integer", - "default": 2 + "default": 2, + "type": "integer" } }, { "http_statuses": { "description": "The list of HTTP status codes considered errors under the error handling policy.", - "type": "array", "elements": { "between": [ 100, 999 ], "type": "integer" - } + }, + "type": "array" } }, { "error_response_code": { "description": "The error code to respond with if `on_error` is `fail` or if `retries` is achieved.", - "type": "integer", - "default": 400 + "default": 400, + "type": "integer" } }, { "error_response_msg": { - "description": "The error mesasge to respond with if `on_error` is `fail` or if `retries` is achieved.Templating with Lua expressions is supported.", - "type": "string", - "default": "service callout error" + "description": "The error mesasge to respond with if `on_error` is set to `fail` or if `retries` is achieved. Templating with Lua expressions is supported.", + "default": "service callout error", + "type": "string" } } - ] + ], + "type": "record" } }, { "by_lua": { - "description": "Lua code that executes before the callout request is made.Standard Lua sandboxing restrictions apply.", - "type": "string", - "required": false + "required": false, + "description": "Lua code that executes before the callout request is made. **Warning** can impact system behavior. 
Standard Lua sandboxing restrictions apply.", + "type": "string" } } - ] + ], + "type": "record" } }, { "response": { - "description": "Configurations of callout response handling.", - "type": "record", "required": true, + "description": "Configurations of callout response handling.", "fields": [ { "headers": { - "description": "Callout response header customizations.", - "type": "record", "required": true, + "description": "Callout response header customizations.", "fields": [ { "store": { - "description": "If false, skips storing the callout response headers intokong.ctx.shared.callouts..response.headers.", - "type": "boolean", - "default": true + "description": "If `false`, skips storing the callout response headers into kong.ctx.shared.callouts..response.headers.", + "default": true, + "type": "boolean" } } - ] + ], + "type": "record" } }, { "body": { - "type": "record", "required": true, "fields": [ { "store": { - "description": "If false, skips storing the callout response body into kong.ctx.shared.callouts..response.body.", - "type": "boolean", - "default": true + "description": "If `false`, skips storing the callout response body into kong.ctx.shared.callouts..response.body.", + "default": true, + "type": "boolean" } }, { "decode": { - "description": "If true, decodes the response body before storing into the context. Only JSON is supported.", - "type": "boolean", - "default": false + "description": "If `true`, decodes the response body before storing into the context. Only JSON is supported.", + "default": false, + "type": "boolean" } } - ] + ], + "type": "record" } }, { "by_lua": { - "description": "Lua code that executes after the callout request is made, before caching takes place. Standard Lua sandboxing restrictions apply.", - "type": "string", - "required": false + "required": false, + "description": "Lua code that executes after the callout response is received, before caching takes place. Can produce side effects. 
Standard Lua sandboxing restrictions apply.", + "type": "string" } } - ] + ], + "type": "record" } }, { "cache": { - "description": "Callout caching configuration.", - "type": "record", "required": true, + "description": "Callout caching configuration.", "fields": [ { "bypass": { - "description": "If true, skips caching the callout response.", - "type": "boolean", - "default": false + "description": "If `true`, skips caching the callout response.", + "default": false, + "type": "boolean" } } - ] + ], + "type": "record" } } - ] + ], + "type": "record" }, - "required": true + "type": "array" } }, { "cache": { - "description": "Plugin global caching configuration.", - "type": "record", "required": true, + "description": "Plugin global caching configuration.", "fields": [ { "strategy": { "type": "string", + "required": true, + "default": "off", "description": "The backing data store in which to hold cache entities. Accepted values are: `off`, `memory`, and `redis`.", "one_of": [ "memory", "redis", "off" - ], - "default": "off", - "required": true + ] } }, { "memory": { - "type": "record", + "required": true, "fields": [ { "dictionary_name": { - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", - "type": "string", + "required": true, "default": "kong_db_cache", - "required": true + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", + "type": "string" } } ], - "required": true + "type": "record" } }, { @@ -484,14 +480,14 @@ }, { "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", "if_field": "connection_is_proxied", "then_match": { "required": true - } + }, + "if_match": { + "eq": true + }, + "then_field": "host" } }, { 
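Review bot: `proxy.auth_password` is declared with `referenceable` but without `"encrypted": true`, while the Redis `password` and `sentinel_password` fields later in this same file carry that flag. The forward-proxy credential would therefore presumably miss whatever at-rest protection the flag provides; if that is not intentional, add `"encrypted": true` to `auth_password` in the plugin schema. In the same hunk the `error_response_msg` description still reads "error mesasge". The `by_lua` descriptions also word their warning differently: "**Warning** can impact system behavior" on the callout request and "Can produce side effects" on the callout response, and again on the upstream field in the `@@ -653,308 +718,243 @@` hunk. One shared sentence would be clearer for operators deciding who may set these fields.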
@@ -523,6 +519,75 @@ } ], "type": "record", + "required": true, + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + } + } + }, + { + "sentinel_addresses": { + "len_min": 1, + "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "elements": { + "type": "string" + }, + "type": "array" + } + }, + { + "cluster_addresses": { + "len_min": 1, + "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "elements": { + "type": "string" + }, + "type": "array" + } + } + ], "fields": [ { "host": { 
@@ -533,76 +598,76 @@ }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } }, { "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "between": [ 0, 2147483646 ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "type": "integer" } }, { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { "password": { + "referenceable": true, "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. 
If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" } }, { "sentinel_password": { + "referenceable": true, "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "encrypted": true, - "type": "string", - "referenceable": true + "type": "string" } }, { @@ -616,27 +681,27 @@ "keepalive_pool_size": { "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "default": 256, - "type": "integer", "between": [ 1, 2147483646 - ] + ], + "type": "integer" } }, { "keepalive_backlog": { "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer", "between": [ 0, 2147483646 - ] + ], + "type": "integer" } }, { "sentinel_master": { - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", - "type": "string" + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." } }, { 
@@ -653,308 +718,243 @@ { "sentinel_nodes": { "type": "array", + "required": false, "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "elements": { - "type": "record", "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string", + "required": true, "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } } - ] + ], + "type": "record" }, - "required": false + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { "type": "array", + "required": false, "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "elements": { - "type": "record", "fields": [ { "ip": { - "description": "A string representing a host name, such as example.com.", - "type": "string", + "required": true, "default": "127.0.0.1", - "required": true + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer" } } - ] + ], + "type": "record" }, - "required": false + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { - "description": "If set to true, uses SSL to connect to Redis.", + "required": false, "default": false, - "type": "boolean", - "required": false + "description": "If set to true, uses SSL to connect to Redis.", + "type": "boolean" } }, { "ssl_verify": { - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, "default": false, - "type": "boolean", - "required": false + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", + "type": "boolean" } }, { "server_name": { + "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", - "type": "string", - "required": false + "type": "string" } }, { "cluster_max_redirections": { - "description": "Maximum retry attempts for redirection.", + "required": false, "default": 5, - "type": "integer", - "required": false + "description": "Maximum retry attempts for redirection.", + "type": "integer" } }, { "connection_is_proxied": { - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", + "required": false, "default": false, - "type": "boolean", - "required": false - } - } - ], - "shorthand_fields": [ - { - "timeout": { - "deprecation": { - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "connect_timeout" - ] - }, - { - "path": [ - "send_timeout" - ] - }, - { - "path": [ - "read_timeout" - ] - } - ], - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" - }, - "type": "integer" - } - }, - { - "sentinel_addresses": { - "deprecation": { - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "sentinel_nodes" - ] - } - ], - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" - }, - "type": "array", - "elements": { - "type": "string" - }, - "len_min": 1 - } - }, - { - "cluster_addresses": { - "deprecation": { - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "cluster_nodes" - ] - } - ], - "message": "cluster_addresses is deprecated, please use cluster_nodes instead" - }, - "type": "array", - "elements": { - "type": "string" - }, - "len_min": 1 + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "type": "boolean" } } - ], - "required": true + ] } }, { "cache_ttl": { "description": "TTL in seconds of cache entities.", - "type": "integer", "default": 300, - "gt": 0 + "gt": 0, + "type": "integer" } } - ] + ], + "type": "record" } }, { "upstream": { + "required": true, "description": "Customizations to the upstream request.", - "type": "record", "fields": [ { "by_lua": { - "description": "Lua code that executes before the upstream request is made. Standard Lua sandboxing restrictions apply.", - "type": "string", - "required": false + "required": false, + "description": "Lua code that executes before the upstream request is made. Can produce side effects. Standard Lua sandboxing restrictions apply.", + "type": "string" } }, { "query": { - "description": "Upstream request query param customizations.", - "type": "record", "required": true, + "description": "Upstream request query param customizations.", "fields": [ { "forward": { - "description": "If false, does not forward request query params to upstream request.", - "type": "boolean", - "default": true + "description": "If `false`, does not forward request query params to upstream request.", + "default": true, + "type": "boolean" } }, { "custom": { - "type": "map", - "keys": { - "type": "string" - }, - "description": "The custom query params to be added in the upstream HTTP request. Values can contain Lua expressions in the form $(some_lua_code).", "values": { - "type": "string", + "required": false, "referenceable": true, - "required": false + "type": "string" }, - "required": false + "type": "map", + "required": false, + "description": "The custom query params to be added in the upstream HTTP request. Values can contain Lua expressions in the form `$(some_lua_expression)`. 
The syntax is based on `request-transformer-advanced` templates.", + "keys": { + "type": "string" + } } } - ] + ], + "type": "record" } }, { "headers": { - "description": "Callout request header customizations.", - "type": "record", "required": true, + "description": "Callout request header customizations.", "fields": [ { "forward": { - "description": "If false, does not forward request headers to upstream request.", - "type": "boolean", - "default": true + "description": "If `false`, does not forward request headers to upstream request.", + "default": true, + "type": "boolean" } }, { "custom": { - "type": "map", - "keys": { - "type": "string" - }, - "description": "The custom headers to be added in the upstream HTTP request. Values can contain Lua expressions in the form $(some_lua_code).", "values": { - "type": "string", + "required": false, "referenceable": true, - "required": false + "type": "string" }, - "required": false + "type": "map", + "required": false, + "description": "The custom headers to be added in the upstream HTTP request. Values can contain Lua expressions in the form $(some_lua_expression). 
The syntax is based on `request-transformer-advanced` templates.", + "keys": { + "type": "string" + } } } - ] + ], + "type": "record" } }, { "body": { - "description": "Callout request body customizations.", - "type": "record", "required": true, + "description": "Callout request body customizations.", "fields": [ { "forward": { - "description": "If false, skips forwarding the incoming request's body to the upstream request.", - "type": "boolean", - "default": true + "description": "If `false`, skips forwarding the incoming request's body to the upstream request.", + "default": true, + "type": "boolean" } }, { "decode": { - "description": "If true, decodes the request's body to make it available for upstream by_lua customizations.", - "type": "boolean", - "default": true + "description": "If `true`, decodes the request's body to make it available for upstream by_lua customizations. Only JSON content type is supported.", + "default": true, + "type": "boolean" } }, { "custom": { - "type": "map", - "keys": { - "type": "string" - }, - "description": "The custom body fields to be added in the upstream request body. Values can contain Lua expressions in the form $(some_lua_code).", "values": { - "type": "string", + "required": false, "referenceable": true, - "required": false + "type": "string" }, - "required": false + "type": "map", + "required": false, + "description": "The custom body fields to be added in the upstream request body. Values can contain Lua expressions in the form $(some_lua_expression). The syntax is based on `request-transformer-advanced` templates.", + "keys": { + "type": "string" + } } } - ] + ], + "type": "record" } } ], - "required": true + "type": "record" } } ], - "required": true + "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-size-limiting/3.11.x.json b/schemas/request-size-limiting/3.11.x.json index bcef5a46..f902473b 100644 --- a/schemas/request-size-limiting/3.11.x.json 
+++ b/schemas/request-size-limiting/3.11.x.json
@@ -1,19 +1,15 @@
 {
- "entity_checks": [
-
- ],
 "fields": [
 {
 "protocols": {
- "required": true,
 "type": "set",
+ "required": true,
 "default": [
 "grpc",
 "grpcs",
 "http",
 "https"
 ],
- "description": "A set of strings representing HTTP protocols.",
 "elements": {
 "type": "string",
 "one_of": [
@@ -22,19 +18,21 @@
 "http",
 "https"
 ]
- }
+ },
+ "description": "A set of strings representing HTTP protocols."
 }
 },
 {
 "consumer_group": {
 "reference": "consumer_groups",
- "eq": null,
 "type": "foreign",
- "description": "Custom type for representing a foreign key with a null value allowed."
+ "description": "Custom type for representing a foreign key with a null value allowed.",
+ "eq": null
 }
 },
 {
 "config": {
+ "required": true,
 "fields": [
 {
 "allowed_payload_size": {
@@ -45,10 +43,10 @@
 },
 {
 "size_unit": {
- "required": true,
 "type": "string",
- "default": "megabytes",
+ "required": true,
 "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.",
+ "default": "megabytes",
 "one_of": [
 "megabytes",
 "kilobytes",
@@ -58,16 +56,18 @@
 },
 {
 "require_content_length": {
- "default": false,
- "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.",
 "required": true,
+ "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.",
+ "default": false,
 "type": "boolean"
 }
 }
 ],
- "required": true,
 "type": "record"
 }
 }
+ ],
+ "entity_checks": [
+
 ]
 }
\ No newline at end of file
diff --git a/schemas/request-termination/3.11.x.json b/schemas/request-termination/3.11.x.json
index a95ead36..6c828e61 100644
--- a/schemas/request-termination/3.11.x.json
+++ b/schemas/request-termination/3.11.x.json
@@ -1,19 +1,15 @@
 {
- "entity_checks": [
-
- ],
 "fields": [
 {
 "protocols": {
- "required": true,
 "type": "set",
+ "required": true,
 "default": [
 "grpc",
 "grpcs",
 "http",
 "https"
 ],
- "description": "A set of strings representing HTTP protocols.",
 "elements": {
 "type": "string",
 "one_of": [
@@ -22,47 +18,49 @@
 "http",
 "https"
 ]
- }
+ },
+ "description": "A set of strings representing HTTP protocols."
 }
 },
 {
 "config": {
+ "required": true,
 "fields": [
 {
 "status_code": {
+ "type": "integer",
+ "required": true,
+ "description": "The response code to send. Must be an integer between 100 and 599.",
 "between": [
 100,
 599
 ],
- "required": true,
- "type": "integer",
- "default": 503,
- "description": "The response code to send. Must be an integer between 100 and 599."
+ "default": 503
 }
 },
 {
 "message": {
- "description": "The message to send, if using the default response generator.",
- "type": "string"
+ "type": "string",
+ "description": "The message to send, if using the default response generator."
 }
 },
 {
 "content_type": {
- "description": "Content type of the raw response configured with `config.body`.",
- "type": "string"
+ "type": "string",
+ "description": "Content type of the raw response configured with `config.body`."
 }
 },
 {
 "body": {
- "description": "The raw response body to send. This is mutually exclusive with the `config.message` field.",
- "type": "string"
+ "type": "string",
+ "description": "The raw response body to send. This is mutually exclusive with the `config.message` field."
 }
 },
 {
 "echo": {
+ "required": true,
 "default": false,
 "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.",
- "required": true,
 "type": "boolean"
 }
 },
@@ -73,9 +71,11 @@
 }
 }
 ],
- "required": true,
 "type": "record"
 }
 }
+ ],
+ "entity_checks": [
+
 ]
 }
\ No newline at end of file
diff --git a/schemas/request-transformer-advanced/3.11.x.json b/schemas/request-transformer-advanced/3.11.x.json
index 90f58ca4..bdaf4d32 100644
--- a/schemas/request-transformer-advanced/3.11.x.json
+++ b/schemas/request-transformer-advanced/3.11.x.json
@@ -1,19 +1,15 @@
 {
- "entity_checks": [
-
- ],
 "fields": [
 {
 "protocols": {
- "required": true,
 "type": "set",
+ "required": true,
 "default": [
 "grpc",
 "grpcs",
 "http",
 "https"
 ],
- "description": "A set of strings representing HTTP protocols.",
 "elements": {
 "type": "string",
 "one_of": [
@@ -22,11 +18,13 @@
 "http",
 "https"
 ]
- }
+ },
+ "description": "A set of strings representing HTTP protocols."
 }
 },
 {
 "config": {
+ "required": true,
 "fields": [
 {
 "http_method": {
@@ -37,6 +35,7 @@
 },
 {
 "remove": {
+ "required": true,
 "fields": [
 {
 "body": {
@@ -72,12 +71,12 @@
 }
 }
 ],
- "required": true,
 "type": "record"
 }
 },
 {
 "rename": {
+ "required": true,
 "fields": [
 {
 "body": {
@@ -116,12 +115,12 @@
 }
 }
 ],
- "required": true,
 "type": "record"
 }
 },
 {
 "replace": {
+ "required": true,
 "fields": [
 {
 "body": {
@@ -181,12 +180,12 @@
 }
 }
 ],
- "required": true,
 "type": "record"
 }
 },
 {
 "add": {
+ "required": true,
 "fields": [
 {
 "body": {
@@ -241,12 +240,12 @@
 }
 }
 ],
- "required": true,
 "type": "record"
 }
 },
 {
 "append": {
+ "required": true,
 "fields": [
 {
 "body": {
@@ -301,12 +300,12 @@
 }
 }
 ],
- "required": true,
 "type": "record"
 }
 },
 {
 "allow": {
+ "required": true,
 "fields": [
 {
 "body": {
@@ -317,21 +316,22 @@
 }
 }
 ],
- "required": true,
 "type": "record"
 }
 },
 {
 "dots_in_keys": {
- "default": true,
 "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects).",
+ "default": true,
 "type": "boolean"
 }
 }
 ],
- "required": true,
 "type": "record"
 }
 }
+ ],
+ "entity_checks": [
+
 ]
 }
\ No newline at end of file
diff --git a/schemas/request-transformer/3.11.x.json b/schemas/request-transformer/3.11.x.json index ee8d790f..6cbd5907 100644 --- a/schemas/request-transformer/3.11.x.json +++ b/schemas/request-transformer/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ @@ -29,11 +25,13 @@ "wss" ], "type": "string" - } + }, + "description": "A set of strings representing protocols." } }, { "config": { + "required": true, "fields": [ { "http_method": { @@ -44,65 +42,67 @@ }, { "remove": { + "required": true, "fields": [ { "body": { + "required": true, "default": [ ], "elements": { "type": "string" }, - "required": true, "type": "array" } }, { "headers": { + "required": true, "default": [ ], "elements": { "type": "string" }, - "required": true, "type": "array" } }, { "querystring": { + "required": true, "default": [ ], "elements": { "type": "string" }, - "required": true, "type": "array" } } ], - "required": true, "type": "record" } }, { "rename": { + "required": true, "fields": [ { "body": { + "required": true, "default": [ ], "elements": { "type": "string" }, - "required": true, "type": "array" } }, { "headers": { + "required": true, "default": [ ], @@ -110,44 +110,44 @@ "type": "string", "match": "^[^:]+:.*$" }, - "required": true, "type": "array" } }, { "querystring": { + "required": true, "default": [ ], "elements": { "type": "string" }, - "required": true, "type": "array" } } ], - "required": true, "type": "record" } }, { "replace": { + "required": true, "fields": [ { "body": { + "required": true, "default": [ ], "elements": { "type": "string" }, - "required": true, "type": "array" } }, { "headers": { + "required": true, "default": [ ], 
@@ -155,19 +155,18 @@ "type": "string", "match": "^[^:]+:.*$" }, - "required": true, "type": "array" } }, { "querystring": { + "required": true, "default": [ ], "elements": { "type": "string" }, - "required": true, "type": "array" } }, @@ -177,27 +176,28 @@ } } ], - "required": true, "type": "record" } }, { "add": { + "required": true, "fields": [ { "body": { + "required": true, "default": [ ], "elements": { "type": "string" }, - "required": true, "type": "array" } }, { "headers": { + "required": true, "default": [ ], @@ -205,44 +205,44 @@ "type": "string", "match": "^[^:]+:.*$" }, - "required": true, "type": "array" } }, { "querystring": { + "required": true, "default": [ ], "elements": { "type": "string" }, - "required": true, "type": "array" } } ], - "required": true, "type": "record" } }, { "append": { + "required": true, "fields": [ { "body": { + "required": true, "default": [ ], "elements": { "type": "string" }, - "required": true, "type": "array" } }, { "headers": { + "required": true, "default": [ ], @@ -250,31 +250,31 @@ "type": "string", "match": "^[^:]+:.*$" }, - "required": true, "type": "array" } }, { "querystring": { + "required": true, "default": [ ], "elements": { "type": "string" }, - "required": true, "type": "array" } } ], - "required": true, "type": "record" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-validator/3.11.x.json b/schemas/request-validator/3.11.x.json index b8b9d41d..8b40edf0 100644 --- a/schemas/request-validator/3.11.x.json +++ b/schemas/request-validator/3.11.x.json @@ -1,25 +1,15 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -28,19 +18,21 @@
 "http",
 "https"
 ]
- }
+ },
+ "description": "A set of strings representing HTTP protocols."
 }
 },
 {
 "consumer_group": {
 "reference": "consumer_groups",
- "eq": null,
 "type": "foreign",
- "description": "Custom type for representing a foreign key with a null value allowed."
+ "description": "Custom type for representing a foreign key with a null value allowed.",
+ "eq": null
 }
 },
 {
 "config": {
+ "required": true,
 "entity_checks": [
 {
 "at_least_one_of": [
@@ -52,8 +44,8 @@
 "fields": [
 {
 "body_schema": {
- "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.",
 "required": false,
+ "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.",
 "type": "string"
 }
 },
@@ -72,10 +64,10 @@
 },
 {
 "version": {
- "required": true,
 "type": "string",
- "default": "kong",
+ "required": true,
 "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.",
+ "default": "kong",
 "one_of": [
 "kong",
 "draft4"
@@ -84,6 +76,8 @@
 },
 {
 "parameter_schema": {
+ "required": false,
+ "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.",
 "elements": {
 "entity_checks": [
 {
@@ -105,9 +99,9 @@
 "fields": [
 {
 "in": {
- "type": "string",
- "description": "The location of the parameter.",
 "required": true,
+ "description": "The location of the parameter.",
+ "type": "string",
 "one_of": [
 "query",
 "header",
@@ -117,15 +111,15 @@
 },
 {
 "name": {
- "description": "The name of the parameter. Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`.",
 "required": true,
+ "description": "The name of the parameter. Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`.",
 "type": "string"
 }
 },
 {
 "required": {
- "description": "Determines whether this parameter is mandatory.",
 "required": true,
+ "description": "Determines whether this parameter is mandatory.",
 "type": "boolean"
 }
 },
@@ -146,8 +140,8 @@
 },
 {
 "explode": {
- "type": "boolean",
- "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect."
+ "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect.",
+ "type": "boolean"
 }
 },
 {
@@ -159,31 +153,37 @@
 ],
 "type": "record"
 },
- "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.",
- "required": false,
 "type": "array"
 }
 },
 {
 "verbose_response": {
+ "required": true,
 "default": false,
 "description": "If enabled, the plugin returns more verbose and detailed validation errors.",
- "required": true,
 "type": "boolean"
 }
 },
 {
 "content_type_parameter_validation": {
+ "required": true,
 "default": true,
 "description": "Determines whether to enable parameters validation of request content-type.",
- "required": true,
 "type": "boolean"
 }
 }
 ],
- "required": true,
 "type": "record"
 }
 }
+ ],
+ "entity_checks": [
+ {
+ "custom_entity_check": {
+ "field_sources": [
+ "config"
+ ]
+ }
+ }
 ]
 }
\ No newline at end of file
diff --git a/schemas/response-ratelimiting/3.11.x.json b/schemas/response-ratelimiting/3.11.x.json
index b6e0eba1..1339070a 100644
--- a/schemas/response-ratelimiting/3.11.x.json
+++ b/schemas/response-ratelimiting/3.11.x.json
@@ -2,53 +2,52 @@
 "entity_checks": [
 {
 "conditional": {
- "if_match": {
- "eq": "redis"
- },
- "then_field": "config.redis.host",
 "if_field": "config.policy",
 "then_match": {
 "required": true
- }
+ },
+ "if_match": {
+ "eq": "redis"
+ },
+ "then_field": "config.redis.host"
 }
 },
 {
 "conditional": {
- "if_match": {
- "eq": "redis"
- },
- "then_field": "config.redis.port",
 "if_field": "config.policy",
 "then_match": {
 "required": true
- }
+ },
+ "if_match": {
+ "eq": "redis"
+ },
+ "then_field": "config.redis.port"
 }
 },
 {
 "conditional": {
- "if_match": {
- "eq": "redis"
- },
- "then_field": "config.redis.timeout",
 "if_field": "config.policy",
 "then_match": {
 "required": true
- }
+ },
+ "if_match": {
+ "eq": "redis"
+ },
+ "then_field": "config.redis.timeout"
 }
 }
 ],
 "fields": [
 {
 "protocols": {
- "required": true,
 "type": "set",
+ "required": true,
 "default": [
 "grpc",
 "grpcs",
 "http",
 "https"
 ],
- "description": "A set of strings representing HTTP protocols.",
 "elements": {
 "type": "string",
 "one_of": [
@@ -57,19 +56,177 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, + "shorthand_fields": [ + { + "redis_host": { + "type": "string", + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } + ], + "removal_in_version": "4.0", + "message": "response-ratelimiting: config.redis_host is deprecated, please use config.redis.host instead" + } + } + }, + { + "redis_port": { + "type": "integer", + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ], + "removal_in_version": "4.0", + "message": "response-ratelimiting: config.redis_port is deprecated, please use config.redis.port instead" + } + } + }, + { + "redis_password": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ], + "removal_in_version": "4.0", + "message": "response-ratelimiting: config.redis_password is deprecated, please use config.redis.password instead" + }, + "len_min": 0, + "type": "string" + } + }, + { + "redis_username": { + "type": "string", + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ], + "removal_in_version": "4.0", + "message": "response-ratelimiting: config.redis_username is deprecated, please use config.redis.username instead" + } + } + }, + { + "redis_ssl": { + "type": "boolean", + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ], + "removal_in_version": "4.0", + "message": "response-ratelimiting: config.redis_ssl is deprecated, please use config.redis.ssl instead" + } + } + }, + { + "redis_ssl_verify": { + "type": "boolean", + "deprecation": { + 
"replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ], + "removal_in_version": "4.0", + "message": "response-ratelimiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead" + } + } + }, + { + "redis_server_name": { + "type": "string", + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ], + "removal_in_version": "4.0", + "message": "response-ratelimiting: config.redis_server_name is deprecated, please use config.redis.server_name instead" + } + } + }, + { + "redis_timeout": { + "type": "integer", + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "timeout" + ] + } + ], + "removal_in_version": "4.0", + "message": "response-ratelimiting: config.redis_timeout is deprecated, please use config.redis.timeout instead" + } + } + }, + { + "redis_database": { + "type": "integer", + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "database" + ] + } + ], + "removal_in_version": "4.0", + "message": "response-ratelimiting: config.redis_database is deprecated, please use config.redis.database instead" + } + } + } + ], "fields": [ { "header_name": { @@ -80,9 +237,9 @@ }, { "limit_by": { + "type": "string", "default": "consumer", "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", - "type": "string", "one_of": [ "consumer", "credential", @@ -92,9 +249,9 @@ }, { "policy": { + "type": "string", "default": "local", "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", - "type": "string", "one_of": [ "local", "cluster", 
@@ -104,17 +261,16 @@
 },
 {
 "fault_tolerant": {
- "default": true,
- "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.",
 "required": true,
+ "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.",
+ "default": true,
 "type": "boolean"
 }
 },
 {
 "redis": {
- "type": "record",
- "description": "Redis configuration",
 "required": true,
+ "description": "Redis configuration",
 "fields": [
 {
 "host": {
@@ -147,17 +303,17 @@
 {
 "username": {
 "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.",
- "referenceable": true,
- "type": "string"
+ "type": "string",
+ "referenceable": true
 }
 },
 {
 "password": {
 "encrypted": true,
- "referenceable": true,
 "type": "string",
+ "len_min": 0,
 "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.",
- "len_min": 0
+ "referenceable": true
 }
 },
 {
@@ -169,49 +325,51 @@ }, { "ssl": { - "default": false, - "description": "If set to true, uses SSL to connect to Redis.", "required": false, + "description": "If set to true, uses SSL to connect to Redis.", + "default": false, "type": "boolean" } }, { "ssl_verify": { - "default": false, - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "default": false, "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string" } } - ] + ], + "type": "record" } }, { "block_on_first_violation": { - "default": false, - "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", "required": true, + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. 
This will block requests that are supposed to consume other limits too.", + "default": false, "type": "boolean" } }, { "hide_client_headers": { - "default": false, - "description": "Optionally hide informative response headers.", "required": true, + "description": "Optionally hide informative response headers.", + "default": false, "type": "boolean" } }, { "limits": { "values": { + "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -224,8 +382,6 @@ ] } ], - "type": "record", - "required": true, "fields": [ { "second": { @@ -263,10 +419,11 @@ "type": "number" } } - ] + ], + "type": "record" }, - "required": true, "type": "map", + "required": true, "description": "A map that defines rate limits for the plugin.", "keys": { "type": "string" 
@@ -275,165 +432,13 @@ } } ], - "shorthand_fields": [ - { - "redis_host": { - "deprecation": { - "message": "response-ratelimiting: config.redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "host" - ] - } - ] - }, - "type": "string" - } - }, - { - "redis_port": { - "deprecation": { - "message": "response-ratelimiting: config.redis_port is deprecated, please use config.redis.port instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "port" - ] - } - ] - }, - "type": "integer" - } - }, - { - "redis_password": { - "len_min": 0, - "deprecation": { - "message": "response-ratelimiting: config.redis_password is deprecated, please use config.redis.password instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "password" - ] - } - ] - }, - "type": "string" - } - }, - { - "redis_username": { - "deprecation": { - "message": "response-ratelimiting: config.redis_username is deprecated, please use config.redis.username instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "username" - ] - } - ] - }, - "type": "string" - } - }, - { - "redis_ssl": { - "deprecation": { - "message": "response-ratelimiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "ssl" - ] - } - ] - }, - "type": "boolean" - } - }, - { - "redis_ssl_verify": { - "deprecation": { - "message": "response-ratelimiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "ssl_verify" - ] - } - ] - }, - "type": "boolean" - } - }, - { - "redis_server_name": { - "deprecation": { - "message": "response-ratelimiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", - 
"removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "server_name" - ] - } - ] - }, - "type": "string" - } - }, - { - "redis_timeout": { - "deprecation": { - "message": "response-ratelimiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "timeout" - ] - } - ] - }, - "type": "integer" - } - }, - { - "redis_database": { - "deprecation": { - "message": "response-ratelimiting: config.redis_database is deprecated, please use config.redis.database instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "database" - ] - } - ] - }, - "type": "integer" - } - } - ], - "required": true, "type": "record" } } - ] + ], + "supported_partials": { + "redis-ce": [ + "config.redis" + ] + } } \ No newline at end of file diff --git a/schemas/response-transformer-advanced/3.11.x.json b/schemas/response-transformer-advanced/3.11.x.json index acf4ee71..d6c5a792 100644 --- a/schemas/response-transformer-advanced/3.11.x.json +++ b/schemas/response-transformer-advanced/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -22,14 +18,17 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, "fields": [ { "remove": { + "required": true, "fields": [ { "json": { @@ -65,12 +64,12 @@ } } ], - "required": true, "type": "record" } }, { "rename": { + "required": true, "fields": [ { "headers": { 
@@ -96,17 +95,17 @@
 }
 }
 ],
- "required": true,
 "type": "record"
 }
 },
 {
 "replace": {
+ "required": true,
 "fields": [
 {
 "body": {
- "description": "String with which to replace the entire response body.",
- "type": "string"
+ "type": "string",
+ "description": "String with which to replace the entire response body."
 }
 },
 {
@@ -159,12 +158,12 @@
 }
 }
 ],
- "required": true,
 "type": "record"
 }
 },
 {
 "add": {
+ "required": true,
 "fields": [
 {
 "json": {
@@ -216,12 +215,12 @@
 }
 }
 ],
- "required": true,
 "type": "record"
 }
 },
 {
 "append": {
+ "required": true,
 "fields": [
 {
 "json": {
@@ -273,12 +272,12 @@
 }
 }
 ],
- "required": true,
 "type": "record"
 }
 },
 {
 "allow": {
+ "required": true,
 "fields": [
 {
 "json": {
@@ -289,12 +288,12 @@
 }
 }
 ],
- "required": true,
 "type": "record"
 }
 },
 {
 "transform": {
+ "required": true,
 "fields": [
 {
 "functions": {
@@ -330,21 +329,22 @@
 }
 }
 ],
- "required": true,
 "type": "record"
 }
 },
 {
 "dots_in_keys": {
- "default": true,
 "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..",
+ "default": true,
 "type": "boolean"
 }
 }
 ],
- "required": true,
 "type": "record"
 }
 }
+ ],
+ "entity_checks": [
+
 ]
 }
\ No newline at end of file
diff --git a/schemas/response-transformer/3.11.x.json b/schemas/response-transformer/3.11.x.json
index eb4a6258..e985b220 100644
--- a/schemas/response-transformer/3.11.x.json
+++ b/schemas/response-transformer/3.11.x.json
@@ -1,19 +1,15 @@
 {
- "entity_checks": [
-
- ],
 "fields": [
 {
 "protocols": {
- "required": true,
 "type": "set",
+ "required": true,
 "default": [
 "grpc",
 "grpcs",
 "http",
 "https"
 ],
- "description": "A set of strings representing HTTP protocols.",
 "elements": {
 "type": "string",
 "one_of": [
@@ -22,49 +18,53 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, "fields": [ { "remove": { + "required": true, "fields": [ { "json": { + "required": true, "default": [ ], "elements": { "type": "string" }, - "required": true, "type": "array" } }, { "headers": { + "required": true, "default": [ ], "elements": { "type": "string" }, - "required": true, "type": "array" } } ], - "required": true, "type": "record" } }, { "rename": { + "required": true, "fields": [ { "json": { + "required": true, "default": [ ], @@ -72,12 +72,12 @@ "match": "^[^:]+:.*$", "type": "string" }, - "required": true, "type": "array" } }, { "headers": { + "required": true, "default": [ ], @@ -85,20 +85,20 @@ "type": "string", "match": "^[^:]+:.*$" }, - "required": true, "type": "array" } } ], - "required": true, "type": "record" } }, { "replace": { + "required": true, "fields": [ { "json": { + "required": true, "default": [ ], @@ -106,17 +106,13 @@ "match": "^[^:]+:.*$", "type": "string" }, - "required": true, "type": "array" } }, { "json_types": { - "required": true, "type": "array", - "default": [ - - ], + "required": true, "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "elements": { "type": "string", @@ -125,11 +121,15 @@ "number", "string" ] - } + }, + "default": [ + + ] } }, { "headers": { + "required": true, "default": [ ], @@ -137,20 +137,20 @@ "match": "^[^:]+:.*$", "type": "string" }, - "required": true, "type": "array" } } ], - "required": true, "type": "record" } }, { "add": { + "required": true, "fields": [ { "json": { + "required": true, "default": [ ], 
@@ -158,17 +158,13 @@ "match": "^[^:]+:.*$", "type": "string" }, - "required": true, "type": "array" } }, { "json_types": { - "required": true, "type": "array", - "default": [ - - ], + "required": true, "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "elements": { "type": "string", @@ -177,11 +173,15 @@ "number", "string" ] - } + }, + "default": [ + + ] } }, { "headers": { + "required": true, "default": [ ], @@ -189,20 +189,20 @@ "match": "^[^:]+:.*$", "type": "string" }, - "required": true, "type": "array" } } ], - "required": true, "type": "record" } }, { "append": { + "required": true, "fields": [ { "json": { + "required": true, "default": [ ], @@ -210,17 +210,13 @@ "match": "^[^:]+:.*$", "type": "string" }, - "required": true, "type": "array" } }, { "json_types": { - "required": true, "type": "array", - "default": [ - - ], + "required": true, "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "elements": { "type": "string", @@ -229,11 +225,15 @@ "number", "string" ] - } + }, + "default": [ + + ] } }, { "headers": { + "required": true, "default": [ ], @@ -241,19 +241,19 @@ "match": "^[^:]+:.*$", "type": "string" }, - "required": true, "type": "array" } } ], - "required": true, "type": "record" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/route-by-header/3.11.x.json b/schemas/route-by-header/3.11.x.json index fb2008cd..c77e815a 100644 --- a/schemas/route-by-header/3.11.x.json +++ b/schemas/route-by-header/3.11.x.json 
@@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -22,19 +18,21 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "rules": { @@ -43,7 +41,6 @@ ], "description": "Route by header rules.", "elements": { - "type": "record", "fields": [ { "upstream_name": { @@ -56,23 +53,26 @@ "values": { "type": "string" }, - "required": true, "type": "map", + "required": true, + "len_min": 1, "keys": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "type": "record" }, "type": "array" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/route-transformer-advanced/3.11.x.json b/schemas/route-transformer-advanced/3.11.x.json index a640c0ff..f058f1c4 100644 --- a/schemas/route-transformer-advanced/3.11.x.json +++ b/schemas/route-transformer-advanced/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -22,19 +18,21 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -67,9 +65,11 @@ } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/saml/3.11.x.json b/schemas/saml/3.11.x.json index b9a8bf2e..1f352f19 100644 --- a/schemas/saml/3.11.x.json +++ b/schemas/saml/3.11.x.json @@ -12,22 +12,21 @@ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -36,143 +35,143 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { - "type": "record", + "required": true, "shorthand_fields": [ { "session_cookie_lifetime": { + "type": "number", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead" - }, - "type": "number" + "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead", + "removal_in_version": "4.0" + } } }, { "session_cookie_idletime": { + "type": "number", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead" - }, - "type": "number" + "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead", + "removal_in_version": "4.0" + } } }, { "session_cookie_samesite": { + "type": "string", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead" - }, - "type": "string" + "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead", + "removal_in_version": "4.0" + } } }, { "session_cookie_httponly": { + "type": "boolean", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead" - }, - "type": "boolean" + "message": 
"openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead", + "removal_in_version": "4.0" + } } }, { "session_memcache_prefix": { + "type": "string", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead" - }, - "type": "string" + "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead", + "removal_in_version": "4.0" + } } }, { "session_memcache_socket": { + "type": "string", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead" - }, - "type": "string" + "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead", + "removal_in_version": "4.0" + } } }, { "session_memcache_host": { + "type": "string", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead" - }, - "type": "string" + "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead", + "removal_in_version": "4.0" + } } }, { "session_memcache_port": { + "type": "integer", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead" - }, - "type": "integer" + "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead", + "removal_in_version": "4.0" + } } }, { "session_cookie_renew": { + "type": "number", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_renew option does not exist anymore" - 
}, - "type": "number" + "message": "openid-connect: config.session_cookie_renew option does not exist anymore", + "removal_in_version": "4.0" + } } }, { "session_cookie_maxsize": { + "type": "integer", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore" - }, - "type": "integer" + "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore", + "removal_in_version": "4.0" + } } }, { "session_strategy": { + "type": "string", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_strategy option does not exist anymore" - }, - "type": "string" + "message": "openid-connect: config.session_strategy option does not exist anymore", + "removal_in_version": "4.0" + } } }, { "session_compressor": { + "type": "string", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_compressor option does not exist anymore" - }, - "type": "string" + "message": "openid-connect: config.session_compressor option does not exist anymore", + "removal_in_version": "4.0" + } } }, { "session_auth_ttl": { + "type": "number", "deprecation": { - "removal_in_version": "4.0", - "message": "openid-connect: config.session_auth_ttl option does not exist anymore" - }, - "type": "number" + "message": "openid-connect: config.session_auth_ttl option does not exist anymore", + "removal_in_version": "4.0" + } } }, { "session_redis_prefix": { + "type": "string", "deprecation": { - "message": "saml: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -180,16 +179,16 @@ "prefix" ] } - ] - }, - "type": "string" + ], + "removal_in_version": "4.0", + "message": "saml: config.session_redis_prefix is deprecated, please use config.redis.prefix instead" + } } }, { "session_redis_socket": { + "type": "string", "deprecation": { - "message": "saml: config.session_redis_socket is deprecated, please use config.redis.socket instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -197,16 +196,16 @@ "socket" ] } - ] - }, - "type": "string" + ], + "removal_in_version": "4.0", + "message": "saml: config.session_redis_socket is deprecated, please use config.redis.socket instead" + } } }, { "session_redis_host": { + "type": "string", "deprecation": { - "message": "saml: config.session_redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -214,16 +213,16 @@ "host" ] } - ] - }, - "type": "string" + ], + "removal_in_version": "4.0", + "message": "saml: config.session_redis_host is deprecated, please use config.redis.host instead" + } } }, { "session_redis_port": { + "type": "integer", "deprecation": { - "message": "saml: config.session_redis_port is deprecated, please use config.redis.port instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -231,16 +230,16 @@ "port" ] } - ] - }, - "type": "integer" + ], + "removal_in_version": "4.0", + "message": "saml: config.session_redis_port is deprecated, please use config.redis.port instead" + } } }, { "session_redis_username": { + "type": "string", "deprecation": { - "message": "saml: config.redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -248,16 +247,16 @@ "username" ] } - ] - }, - "type": "string" + ], + "removal_in_version": "4.0", + "message": "saml: config.redis_host is deprecated, please use config.redis.host instead" + } } }, { "session_redis_password": { + "type": "string", "deprecation": { - "message": "saml: config.session_redis_password is deprecated, please use config.redis.password instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -265,16 +264,16 @@ "password" ] } - ] - }, - "type": "string" + ], + "removal_in_version": "4.0", + "message": "saml: config.session_redis_password is deprecated, please use config.redis.password instead" + } } }, { "session_redis_connect_timeout": { + "type": "integer", "deprecation": { - "message": "saml: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -282,16 +281,16 @@ "connect_timeout" ] } - ] - }, - "type": "integer" + ], + "removal_in_version": "4.0", + "message": "saml: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead" + } } }, { "session_redis_read_timeout": { + "type": "integer", "deprecation": { - "message": "saml: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -299,16 +298,16 @@ "read_timeout" ] } - ] - }, - "type": "integer" + ], + "removal_in_version": "4.0", + "message": "saml: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead" + } } }, { "session_redis_send_timeout": { + "type": "integer", "deprecation": { - "message": "saml: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -316,16 +315,16 @@ "send_timeout" ] } - ] - }, - "type": "integer" + ], + "removal_in_version": "4.0", + "message": "saml: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead" + } } }, { "session_redis_ssl": { + "type": "boolean", "deprecation": { - "message": "saml: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -333,16 +332,16 @@ "ssl" ] } - ] - }, - "type": "boolean" + ], + "removal_in_version": "4.0", + "message": "saml: config.session_redis_ssl is deprecated, please use config.redis.ssl instead" + } } }, { "session_redis_ssl_verify": { + "type": "boolean", "deprecation": { - "message": "saml: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -350,16 +349,16 @@ "ssl_verify" ] } - ] - }, - "type": "boolean" + ], + "removal_in_version": "4.0", + "message": "saml: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead" + } } }, { "session_redis_server_name": { + "type": "string", "deprecation": { - "message": "saml: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -367,21 +366,33 @@ "server_name" ] } - ] - }, - "type": "string" + ], + "removal_in_version": "4.0", + "message": "saml: config.session_redis_server_name is deprecated, please use config.redis.server_name instead" + } } }, { "session_redis_cluster_nodes": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "cluster_nodes" + ] + } + ], + "removal_in_version": "4.0", + "message": "saml: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead" + }, "elements": { - "type": "record", "fields": [ { "ip": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, @@ -396,28 +407,16 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "type": "array", - "deprecation": { - "message": "saml: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", - "removal_in_version": "4.0", - "replaced_with": [ - { - "path": [ - "redis", - "cluster_nodes" - ] - } - ] - } + "type": "array" } }, { "session_redis_cluster_max_redirections": { + "type": "integer", "deprecation": { - "message": "saml: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -425,16 +424,16 @@ "cluster_max_redirections" ] } - ] - }, - "type": "integer" + ], + "removal_in_version": "4.0", + "message": "saml: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead" + } } }, { "session_redis_cluster_maxredirections": { + "type": "integer", "deprecation": { - "message": "saml: config.session_redis_cluster_maxredirections is deprecated, please use config.redis.cluster_max_redirections instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -442,75 +441,75 @@ "cluster_max_redirections" ] } - ] - }, - "type": "integer" + ], + "removal_in_version": "4.0", + "message": "saml: config.session_redis_cluster_maxredirections is deprecated, please use config.redis.cluster_max_redirections instead" + } } } ], - "required": true, "fields": [ { "assertion_consumer_path": { - "required": true, "type": "string", + "required": true, "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/", "match_none": [ { "err": "must not have empty segments", "pattern": "//" } - ], - "starts_with": "/" + ] } }, { "idp_sso_url": { - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" } }, { "idp_certificate": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", - "required": false + "referenceable": true } }, { "response_encryption_key": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The private encryption key required to decrypt encrypted assertions.", - "required": false + "referenceable": true } }, { "request_signing_key": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. 
The `request_signing_certificate` parameter must be set as well.", - "required": false + "referenceable": true } }, { "request_signing_certificate": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The certificate for signing requests.", - "required": false + "referenceable": true } }, { "request_signature_algorithm": { - "required": false, "type": "string", + "required": false, "default": "SHA256", "description": "The signature algorithm for signing Authn requests. Options available are: - `SHA256` - `SHA384` - `SHA512`", "one_of": [ @@ -522,8 +521,8 @@ }, { "request_digest_algorithm": { - "required": false, "type": "string", + "required": false, "default": "SHA256", "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", "one_of": [ @@ -534,8 +533,8 @@ }, { "response_signature_algorithm": { - "required": false, "type": "string", + "required": false, "default": "SHA256", "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", "one_of": [ @@ -547,8 +546,8 @@ }, { "response_digest_algorithm": { - "required": false, "type": "string", + "required": false, "default": "SHA256", "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", "one_of": [ 
@@ -559,15 +558,15 @@ }, { "issuer": { - "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", "required": true, + "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", "type": "string" } }, { "nameid_format": { - "required": false, "type": "string", + "required": false, "default": "EmailAddress", "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", "one_of": [ 
@@ -580,129 +579,129 @@ }, { "validate_assertion_signature": { - "default": true, - "description": "Enable signature validation for SAML responses.", "required": false, + "description": "Enable signature validation for SAML responses.", + "default": true, "type": "boolean" } }, { "anonymous": { - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", "required": false, + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", "type": "string" } }, { "session_secret": { - "len_max": 32, + "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", "match": "^[0-9a-zA-Z/_+]+$", - "referenceable": true, + "encrypted": true, "type": "string", "required": true, - "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). 
It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", - "encrypted": true, - "len_min": 32 + "len_min": 32, + "len_max": 32, + "referenceable": true } }, { "session_audience": { - "default": "default", - "description": "The session audience, for example \"my-application\"", "required": false, + "description": "The session audience, for example \"my-application\"", + "default": "default", "type": "string" } }, { "session_cookie_name": { - "default": "session", - "description": "The session cookie name.", "required": false, + "description": "The session cookie name.", + "default": "session", "type": "string" } }, { "session_remember": { - "default": false, - "description": "Enables or disables persistent sessions", "required": false, + "description": "Enables or disables persistent sessions", + "default": false, "type": "boolean" } }, { "session_remember_cookie_name": { - "default": "remember", - "description": "Persistent session cookie name", "required": false, + "description": "Persistent session cookie name", + "default": "remember", "type": "string" } }, { "session_remember_rolling_timeout": { - "default": 604800, - "description": "Persistent session rolling timeout in seconds.", "required": false, + "description": "Persistent session rolling timeout in seconds.", + "default": 604800, "type": "number" } }, { "session_remember_absolute_timeout": { - "default": 2592000, - "description": "Persistent session absolute timeout in seconds.", "required": false, + "description": "Persistent session absolute timeout in seconds.", + "default": 2592000, "type": "number" } }, { "session_idling_timeout": { - "default": 900, - "description": "The session cookie idle time in seconds.", "required": false, + "description": "The session cookie idle time in seconds.", + "default": 900, "type": "number" } }, { "session_rolling_timeout": { - "default": 3600, - "description": "The session cookie 
absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", "required": false, + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "default": 3600, "type": "number" } }, { "session_absolute_timeout": { - "default": 86400, - "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", "required": false, + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "default": 86400, "type": "number" } }, { "session_cookie_path": { - "required": false, - "type": "string", - "default": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "err": "must not have empty segments", "pattern": "//" } ], - "starts_with": "/" + "type": "string", + "required": false, + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "starts_with": "/", + "default": "/" } }, { "session_cookie_domain": { - "description": "The session cookie domain flag.", "required": false, + "description": "The session cookie domain flag.", "type": "string" } }, { "session_cookie_same_site": { - "required": false, "type": "string", + "required": false, "default": "Lax", "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "one_of": [ 
@@ -715,16 +714,16 @@ }, { "session_cookie_http_only": { - "default": true, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "required": false, + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "default": true, "type": "boolean" } }, { "session_cookie_secure": { - "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "required": false, + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "type": "boolean" } }, @@ -764,8 +763,8 @@ }, { "session_storage": { - "required": false, "type": "string", + "required": false, "default": "cookie", "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", "one_of": [ 
@@ -778,74 +777,72 @@ }, { "session_store_metadata": { - "default": false, - "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", "required": false, + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", + "default": false, "type": "boolean" } }, { "session_enforce_same_subject": { - "default": false, - "description": "When set to `true`, audiences are forced to share the same subject.", "required": false, + "description": "When set to `true`, audiences are forced to share the same subject.", + "default": false, "type": "boolean" } }, { "session_hash_subject": { - "default": false, - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", "required": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "default": false, "type": "boolean" } }, { "session_hash_storage_key": { - "default": false, - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "required": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. 
Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", + "default": false, "type": "boolean" } }, { "session_memcached_prefix": { - "description": "The memcached session key prefix.", "required": false, + "description": "The memcached session key prefix.", "type": "string" } }, { "session_memcached_socket": { - "description": "The memcached unix socket path.", "required": false, + "description": "The memcached unix socket path.", "type": "string" } }, { "session_memcached_host": { - "default": "127.0.0.1", - "description": "The memcached host.", "required": false, + "description": "The memcached host.", + "default": "127.0.0.1", "type": "string" } }, { "session_memcached_port": { + "type": "integer", + "required": false, + "default": 11211, "between": [ 0, 65535 ], - "required": false, - "type": "integer", - "default": 11211, "description": "An integer representing a port number between 0 and 65535, inclusive." } }, { "redis": { - "required": true, - "type": "record", "entity_checks": [ { "mutually_required": [ @@ -869,14 +866,14 @@ }, { "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", "if_field": "connection_is_proxied", "then_match": { "required": true - } + }, + "if_match": { + "eq": true + }, + "then_field": "host" } }, { @@ -907,13 +904,13 @@ } } ], + "type": "record", + "required": true, "shorthand_fields": [ { "timeout": { "type": "integer", "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -930,47 +927,49 @@ "read_timeout" ] } - ] + ], + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" } } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, + "len_min": 1, "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "elements": { + "type": "string" }, - "len_min": 1, "type": "array" } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, + "len_min": 1, "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "elements": { + "type": "string" }, - "len_min": 1, "type": "array" } } @@ -978,8 +977,8 @@ "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, 
@@ -1030,31 +1029,31 @@ { "username": { "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { - "encrypted": true, + "type": "string", "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", - "referenceable": true, - "type": "string" + "encrypted": true, + "referenceable": true } }, { "sentinel_username": { "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { - "encrypted": true, + "type": "string", "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", - "referenceable": true, - "type": "string" + "encrypted": true, + "referenceable": true } }, { @@ -1066,8 +1065,8 @@ }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, "between": [ 1, 2147483646 
@@ -1077,11 +1076,11 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "type": "integer" } }, @@ -1104,15 +1103,16 @@ }, { "sentinel_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { "fields": [ { "host": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -1130,21 +1130,21 @@ ], "type": "record" }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { "fields": [ { "ip": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -1162,68 +1162,73 @@ ], "type": "record" }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { + "required": false, "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "required": false, "type": "boolean" } }, { "ssl_verify": { + "required": false, "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string" } }, { "cluster_max_redirections": { + "required": false, "default": 5, "description": "Maximum retry attempts for redirection.", - "required": false, "type": "integer" } }, { "connection_is_proxied": { + "required": false, "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", - "required": false, "type": "boolean" } }, { "prefix": { - "description": "The Redis session key prefix.", "required": false, + "description": "The Redis session key prefix.", "type": "string" } }, { "socket": { - "description": "The Redis unix socket path.", "required": false, + "description": "The Redis unix socket path.", "type": "string" } } ] } } - ] + ], + "type": "record" } } - ] + ], + "supported_partials": { + "redis-ee": [ + "config.redis" + ] + } } \ No newline at end of file diff --git a/schemas/service-protection/3.11.x.json b/schemas/service-protection/3.11.x.json index c53e3deb..0b83e975 100644 --- a/schemas/service-protection/3.11.x.json +++ b/schemas/service-protection/3.11.x.json @@ -12,38 +12,37 @@ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "route": { "reference": "routes", - "eq": null, "type": "foreign", - "description": "A reference to the 'routes' table with a null value allowed." + "description": "A reference to the 'routes' table with a null value allowed.", + "eq": null } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -52,27 +51,29 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, "fields": [ { "window_size": { + "required": true, + "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" }, - "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", - "required": true, "type": "array" } }, { "window_type": { - "default": "sliding", - "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", "type": "string", + "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "default": "sliding", "one_of": [ "fixed", "sliding" 
@@ -81,32 +82,32 @@ }, { "limit": { + "required": true, + "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", "elements": { "type": "number" }, - "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", - "required": true, "type": "array" } }, { "sync_rate": { - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", - "type": "number" + "type": "number", + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." } }, { "namespace": { - "auto": true, - "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", "required": true, - "type": "string" + "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. 
`strategy`, `redis`, `sync_rate`, `dictionary_name`, need to be the same.", + "type": "string", + "auto": true } }, { "strategy": { - "required": true, "type": "string", + "required": true, "default": "local", "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "one_of": [ @@ -118,17 +119,17 @@ }, { "dictionary_name": { - "default": "kong_rate_limiting_counters", - "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", "required": true, + "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", + "default": "kong_rate_limiting_counters", "type": "string" } }, { "lock_dictionary_name": { - "default": "kong_locks", - "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. The shared dictionary should be declared in nginx-kong.conf.", "required": true, + "description": "The shared dictionary where concurrency control locks are stored. The default shared dictionary is `kong_locks`. The shared dictionary should be declared in nginx-kong.conf.", + "default": "kong_locks", "type": "string" } }, @@ -148,8 +149,6 @@ }, { "redis": { - "required": true, - "type": "record", "entity_checks": [ { "mutually_required": [ 
@@ -173,14 +172,14 @@ }, { "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", "if_field": "connection_is_proxied", "then_match": { "required": true - } + }, + "if_match": { + "eq": true + }, + "then_field": "host" } }, { @@ -211,12 +210,13 @@ } } ], + "type": "record", + "required": true, "shorthand_fields": [ { "timeout": { + "type": "integer", "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ @@ -233,47 +233,48 @@ "read_timeout" ] } - ] - }, - "type": "integer" + ], + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + } } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, "len_min": 1, "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "elements": { + "type": "string" }, "type": "array" } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, "len_min": 1, "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "elements": { + "type": "string" }, "type": "array" } @@ -282,8 +283,8 @@ "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, 
@@ -340,9 +341,9 @@ }, { "password": { - "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, "type": "string" } }, @@ -355,23 +356,23 @@ }, { "sentinel_password": { - "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "referenceable": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, "type": "string" } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, "between": [ 1, 2147483646 
@@ -381,11 +382,11 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "type": "integer" } }, @@ -408,16 +409,16 @@ }, { "sentinel_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { - "type": "record", "fields": [ { "host": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -432,24 +433,24 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { - "type": "record", "fields": [ { "ip": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -464,48 +465,48 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { + "required": false, "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "required": false, "type": "boolean" } }, { "ssl_verify": { + "required": false, "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string" } }, { "cluster_max_redirections": { + "required": false, "default": 5, "description": "Maximum retry attempts for redirection.", - "required": false, "type": "integer" } }, { "connection_is_proxied": { + "required": false, "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "required": false, "type": "boolean" } } @@ -535,9 +536,13 @@ } } ], - "required": true, "type": "record" } } - ] + ], + "supported_partials": { + "redis-ee": [ + "config.redis" + ] + } } \ No newline at end of file 
diff --git a/schemas/session/3.11.x.json b/schemas/session/3.11.x.json index cf9a5e2d..26a49c5d 100644 --- a/schemas/session/3.11.x.json +++ b/schemas/session/3.11.x.json @@ -1,27 +1,23 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ 
@@ -37,35 +33,74 @@ "wss" ], "type": "string" - } + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, + "shorthand_fields": [ + { + "cookie_lifetime": { + "type": "number" + } + }, + { + "cookie_idletime": { + "type": "number" + } + }, + { + "cookie_renew": { + "type": "number" + } + }, + { + "cookie_discard": { + "type": "number" + } + }, + { + "cookie_samesite": { + "type": "string" + } + }, + { + "cookie_httponly": { + "type": "boolean" + } + }, + { + "cookie_persistent": { + "type": "boolean" + } + } + ], "fields": [ { "secret": { "encrypted": true, - "referenceable": true, "type": "string", - "default": "lt9BJW1n5RfhCxTbNIKqsj8THW7YNdXTA0VW6KQwBUwg", + "required": false, "description": "The secret that is used in keyed HMAC generation.", - "required": false + "default": "u5wXN7QNNJmgatltG86z6ikhKMfjijXu22CexN3D0IMh", + "referenceable": true } }, { "storage": { - "default": "cookie", - "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", "type": "string", + "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", + "default": "cookie", "one_of": [ "cookie", "kong" 
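Review bot: The `default` added for `config.secret` in this hunk is a concrete 44-character string, and it differs from the one on the removed line. That suggests the schema API returns a value generated on the instance the schemas were pulled from, not a fixed default; this is inferred from the diff and should be confirmed against the plugin. Published as-is, it invites readers to copy it into their own configuration as the HMAC key, and every re-download will produce a spurious change on this line. I would have the download step drop the `default` key from `secret`, or replace it with an obvious placeholder such as `"default": "<generated-per-instance>"`, while keeping `encrypted`, `referenceable`, `required` and `description`. The `config` record continues outside this hunk.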
@@ -74,50 +109,50 @@ }, { "audience": { - "default": "default", "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", + "default": "default", "type": "string" } }, { "idling_timeout": { - "default": 900, "description": "The session cookie idle time, in seconds.", + "default": 900, "type": "number" } }, { "rolling_timeout": { - "default": 3600, "description": "The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed.", + "default": 3600, "type": "number" } }, { "absolute_timeout": { - "default": 86400, "description": "The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.", + "default": 86400, "type": "number" } }, { "stale_ttl": { - "default": 10, "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", + "default": 10, "type": "number" } }, { "cookie_name": { - "default": "session", "description": "The name of the cookie.", + "default": "session", "type": "string" } }, { "cookie_path": { - "default": "/", "description": "The resource in the host where the cookie is available.", + "default": "/", "type": "string" } }, @@ -129,9 +164,9 @@ }, { "cookie_same_site": { + "type": "string", "default": "Strict", "description": "Determines whether and how a cookie may be sent with cross-site requests.", - "type": "string", "one_of": [ "Strict", "Lax", 
@@ -142,48 +177,49 @@ }, { "cookie_http_only": { - "default": true, "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", + "default": true, "type": "boolean" } }, { "cookie_secure": { - "default": true, "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", + "default": true, "type": "boolean" } }, { "remember": { - "default": false, "description": "Enables or disables persistent sessions.", + "default": false, "type": "boolean" } }, { "remember_cookie_name": { - "default": "remember", "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "default": "remember", "type": "string" } }, { "remember_rolling_timeout": { - "default": 604800, "description": "The persistent session rolling timeout window, in seconds.", + "default": 604800, "type": "number" } }, { "remember_absolute_timeout": { - "default": 2592000, "description": "The persistent session absolute timeout limit, in seconds.", + "default": 2592000, "type": "number" } }, { "response_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", "elements": { "type": "string", "one_of": [ @@ -196,12 +232,12 @@ "absolute-timeout" ] }, - "description": "List of information to include, as headers, in the response to the downstream.", "type": "set" } }, { "request_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", "elements": { "type": "string", "one_of": [ 
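Review bot: In the `@@ -196,12 +232,12 @@` hunk, the `description` added under `request_headers` is word for word the one used for `response_headers` ("in the response to the downstream"), so the two fields cannot be told apart in the rendered docs. Presumably `request_headers` controls what is added to the request sent upstream; if the plugin confirms that, the line should read `"description": "List of information to include, as headers, in the request to the upstream.",`. Because these files are downloaded, the wording needs correcting in the source schema as well, otherwise the next pull will overwrite it. The `request_headers` object continues into the next hunk.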
@@ -214,18 +250,22 @@ "absolute-timeout" ] }, - "description": "List of information to include, as headers, in the response to the downstream.", "type": "set" } }, { "read_body_for_logout": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "logout_methods": { + "default": [ + "POST", + "DELETE" + ], + "description": "A set of HTTP methods that the plugin will respond to.", "elements": { "type": "string", "one_of": [ @@ -234,69 +274,43 @@ "DELETE" ] }, - "description": "A set of HTTP methods that the plugin will respond to.", - "default": [ - "POST", - "DELETE" - ], "type": "set" } }, { "logout_query_arg": { - "default": "session_logout", "description": "The query argument passed to logout requests.", + "default": "session_logout", "type": "string" } }, { "logout_post_arg": { - "default": "session_logout", "description": "The POST argument passed to logout requests. Do not change this property.", - "type": "string" - } - } - ], - "shorthand_fields": [ - { - "cookie_lifetime": { - "type": "number" - } - }, - { - "cookie_idletime": { - "type": "number" - } - }, - { - "cookie_renew": { - "type": "number" - } - }, - { - "cookie_discard": { - "type": "number" - } - }, - { - "cookie_samesite": { + "default": "session_logout", "type": "string" } }, { - "cookie_httponly": { + "hash_subject": { + "description": "Whether to hash or not the subject when store_metadata is enabled.", + "default": false, "type": "boolean" } }, { - "cookie_persistent": { + "store_metadata": { + "description": "Whether to also store metadata of sessions, such as collecting data of sessions for a specific audience belonging to a specific subject.", + "default": false, "type": "boolean" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/standard-webhooks/3.11.x.json b/schemas/standard-webhooks/3.11.x.json index bf13b5b6..1408f4ec 100644 --- a/schemas/standard-webhooks/3.11.x.json 
+++ b/schemas/standard-webhooks/3.11.x.json @@ -1,27 +1,23 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -30,34 +26,38 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, "fields": [ { "secret_v1": { "encrypted": true, - "required": true, "type": "string", + "required": true, "description": "Webhook secret", "referenceable": true } }, { "tolerance_second": { - "required": true, - "type": "integer", "gt": -1, - "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response.", - "default": 300 + "type": "integer", + "required": true, + "default": 300, + "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response." } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/statsd-advanced/3.11.x.json b/schemas/statsd-advanced/3.11.x.json index aafa408b..4daaa5a9 100644 --- a/schemas/statsd-advanced/3.11.x.json +++ b/schemas/statsd-advanced/3.11.x.json 
@@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ @@ -29,24 +25,26 @@ "wss" ], "type": "string" - } + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "host": { - "default": "localhost", "description": "A string representing a host name, such as example.com.", + "default": "localhost", "type": "string" } }, @@ -63,8 +61,8 @@ }, { "prefix": { - "default": "kong", "description": "String to prefix to each metric's name.", + "default": "kong", "type": "string" } }, @@ -72,9 +70,9 @@ "metrics": { "default": [ { - "stat_type": "counter", + "name": "request_count", "sample_rate": 1, - "name": "request_count" + "stat_type": "counter" }, { "stat_type": "timer", @@ -85,9 +83,9 @@ "name": "request_size" }, { - "stat_type": "counter", + "name": "status_count", "sample_rate": 1, - "name": "status_count" + "stat_type": "counter" }, { "stat_type": "timer", @@ -98,9 +96,9 @@ "name": "unique_users" }, { - "stat_type": "counter", + "name": "request_per_user", "sample_rate": 1, - "name": "request_per_user" + "stat_type": "counter" }, { "stat_type": "timer", 
@@ -111,34 +109,34 @@ "name": "kong_latency" }, { - "stat_type": "counter", + "name": "status_count_per_user", "sample_rate": 1, - "name": "status_count_per_user" + "stat_type": "counter" }, { - "stat_type": "counter", + "name": "status_count_per_workspace", "sample_rate": 1, - "name": "status_count_per_workspace" + "stat_type": "counter" }, { - "stat_type": "counter", + "name": "status_count_per_user_per_route", "sample_rate": 1, - "name": "status_count_per_user_per_route" + "stat_type": "counter" }, { - "stat_type": "gauge", + "name": "shdict_usage", "sample_rate": 1, - "name": "shdict_usage" + "stat_type": "gauge" }, { - "stat_type": "counter", "sample_rate": 1, - "name": "cache_datastore_hits_total" + "name": "cache_datastore_hits_total", + "stat_type": "counter" }, { - "stat_type": "counter", "sample_rate": 1, - "name": "cache_datastore_misses_total" + "name": "cache_datastore_misses_total", + "stat_type": "counter" } ], "description": "List of Metrics to be logged.", @@ -146,20 +144,24 @@ "entity_checks": [ { "conditional": { + "if_field": "name", + "then_match": { + "eq": "set" + }, "if_match": { "one_of": [ "unique_users" ] }, - "then_field": "stat_type", - "if_field": "name", - "then_match": { - "eq": "set" - } + "then_field": "stat_type" } }, { "conditional": { + "if_field": "name", + "then_match": { + "eq": "counter" + }, "if_match": { "one_of": [ "request_count", 
@@ -172,48 +174,44 @@ "cache_datastore_misses_total" ] }, - "then_field": "stat_type", - "if_field": "name", - "then_match": { - "eq": "counter" - } + "then_field": "stat_type" } }, { "conditional": { + "if_field": "name", + "then_match": { + "eq": "gauge" + }, "if_match": { "one_of": [ "shdict_usage" ] }, - "then_field": "stat_type", - "if_field": "name", - "then_match": { - "eq": "gauge" - } + "then_field": "stat_type" } }, { "conditional": { + "if_field": "stat_type", + "then_match": { + "required": true + }, "if_match": { "one_of": [ "counter", "gauge" ] }, - "then_field": "sample_rate", - "if_field": "stat_type", - "then_match": { - "required": true - } + "then_field": "sample_rate" } } ], "fields": [ { "name": { - "type": "string", "required": true, + "type": "string", "one_of": [ "kong_latency", "latency", @@ -235,8 +233,8 @@ }, { "stat_type": { - "type": "string", "required": true, + "type": "string", "one_of": [ "counter", "gauge", @@ -291,18 +289,18 @@ }, { "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", "elements": { "type": "string", "match": "^[0-9]+-[0-9]+$" }, - "description": "List of status code ranges that are allowed to be logged in metrics.", "type": "array" } }, { "udp_packet_size": { - "default": 0, "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", + "default": 0, "between": [ 0, 65507 
@@ -312,22 +310,22 @@ }, { "use_tcp": { - "default": false, "description": "Use TCP instead of UDP.", + "default": false, "type": "boolean" } }, { "hostname_in_prefix": { - "default": false, "description": "Include the `hostname` in the `prefix` for each metric name.", + "default": false, "type": "boolean" } }, { "consumer_identifier_default": { - "required": true, "type": "string", + "required": true, "default": "custom_id", "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`.", "one_of": [ @@ -339,8 +337,8 @@ }, { "service_identifier_default": { - "required": true, "type": "string", + "required": true, "default": "service_name_or_host", "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", "one_of": [ @@ -353,8 +351,8 @@ }, { "workspace_identifier_default": { - "required": true, "type": "string", + "required": true, "default": "workspace_id", "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", "one_of": [ @@ -365,11 +363,12 @@ }, { "queue": { + "required": true, "fields": [ { "max_batch_size": { - "default": 1, "description": "Maximum number of entries that can be processed at a time.", + "default": 1, "between": [ 1, 1000000 @@ -379,8 +378,8 @@ }, { "max_coalescing_delay": { - "default": 1, "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "default": 1, "between": [ 0, 3600 
@@ -390,8 +389,8 @@ }, { "max_entries": { - "default": 10000, "description": "Maximum number of entries that can be waiting on the queue.", + "default": 10000, "between": [ 1, 1000000 @@ -407,15 +406,15 @@ }, { "max_retry_time": { - "default": 60, "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60, "type": "number" } }, { "initial_retry_delay": { - "default": 0.01, "description": "Time in seconds before the initial retry is made for a failing batch.", + "default": 0.01, "between": [ 0.001, 1000000 @@ -425,8 +424,8 @@ }, { "max_retry_delay": { - "default": 60, "description": "Maximum time in seconds between retries, caps exponential backoff.", + "default": 60, "between": [ 0.001, 1000000 @@ -436,9 +435,9 @@ }, { "concurrency_limit": { + "type": "integer", "default": 1, "description": "The number of of queue delivery timers. -1 indicates unlimited.", - "type": "integer", "one_of": [ -1, 1 @@ -446,14 +445,15 @@ } } ], - "required": true, "type": "record" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/statsd/3.11.x.json b/schemas/statsd/3.11.x.json index 042741d2..366ed05b 100644 --- a/schemas/statsd/3.11.x.json +++ b/schemas/statsd/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ 
@@ -29,31 +25,33 @@ "wss" ], "type": "string" - } + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "host": { - "default": "localhost", "description": "The IP address or hostname of StatsD server to send data to.", + "default": "localhost", "type": "string" } }, { "port": { - "default": 8125, "description": "The port of StatsD server to send data to.", + "default": 8125, "between": [ 0, 65535 @@ -63,8 +61,8 @@ }, { "prefix": { - "default": "kong", "description": "String to prefix to each metric's name.", + "default": "kong", "type": "string" } }, @@ -72,37 +70,37 @@ "metrics": { "default": [ { - "stat_type": "counter", "sample_rate": 1, - "name": "request_count" + "name": "request_count", + "stat_type": "counter" }, { "stat_type": "timer", "name": "latency" }, { - "stat_type": "counter", "sample_rate": 1, - "name": "request_size" + "name": "request_size", + "stat_type": "counter" }, { - "stat_type": "counter", "sample_rate": 1, - "name": "status_count" + "name": "status_count", + "stat_type": "counter" }, { - "stat_type": "counter", "sample_rate": 1, - "name": "response_size" + "name": "response_size", + "stat_type": "counter" }, { "stat_type": "set", "name": "unique_users" }, { - "stat_type": "counter", "sample_rate": 1, - "name": "request_per_user" + "name": "request_per_user", + "stat_type": "counter" }, { "stat_type": "timer", 
@@ -113,34 +111,34 @@ "name": "kong_latency" }, { - "stat_type": "counter", "sample_rate": 1, - "name": "status_count_per_user" + "name": "status_count_per_user", + "stat_type": "counter" }, { - "stat_type": "counter", + "sample_rate": 1, "name": "status_count_per_workspace", - "sample_rate": 1 + "stat_type": "counter" }, { - "stat_type": "counter", "sample_rate": 1, - "name": "status_count_per_user_per_route" + "name": "status_count_per_user_per_route", + "stat_type": "counter" }, { - "stat_type": "gauge", "sample_rate": 1, - "name": "shdict_usage" + "name": "shdict_usage", + "stat_type": "gauge" }, { - "stat_type": "counter", "name": "cache_datastore_hits_total", - "sample_rate": 1 + "sample_rate": 1, + "stat_type": "counter" }, { - "stat_type": "counter", "name": "cache_datastore_misses_total", - "sample_rate": 1 + "sample_rate": 1, + "stat_type": "counter" } ], "description": "List of metrics to be logged.", @@ -148,26 +146,26 @@ "entity_checks": [ { "conditional": { + "if_field": "stat_type", + "then_match": { + "required": true + }, "if_match": { "one_of": [ "counter", "gauge" ] }, - "then_field": "sample_rate", - "if_field": "stat_type", - "then_match": { - "required": true - } + "then_field": "sample_rate" } } ], "fields": [ { "name": { - "type": "string", - "description": "StatsD metric’s name.", "required": true, + "description": "StatsD metric’s name.", + "type": "string", "one_of": [ "kong_latency", "latency", @@ -189,9 +187,9 @@ }, { "stat_type": { - "type": "string", - "description": "Determines what sort of event a metric represents.", "required": true, + "description": "Determines what sort of event a metric represents.", + "type": "string", "one_of": [ "counter", "gauge", @@ -204,8 +202,8 @@ }, { "sample_rate": { - "gt": 0, "description": "Sampling rate", + "gt": 0, "type": "number" } }, 
@@ -250,11 +248,11 @@ }, { "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", "elements": { "type": "string", "match": "^[0-9]+-[0-9]+$" }, - "description": "List of status code ranges that are allowed to be logged in metrics.", "type": "array" } }, @@ -270,21 +268,21 @@ }, { "use_tcp": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "hostname_in_prefix": { - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "consumer_identifier_default": { + "required": true, "default": "custom_id", "type": "string", - "required": true, "one_of": [ "consumer_id", "custom_id", @@ -294,9 +292,9 @@ }, { "service_identifier_default": { + "required": true, "default": "service_name_or_host", "type": "string", - "required": true, "one_of": [ "service_id", "service_name", @@ -307,9 +305,9 @@ }, { "workspace_identifier_default": { + "required": true, "default": "workspace_id", "type": "string", - "required": true, "one_of": [ "workspace_id", "workspace_name" @@ -348,8 +346,8 @@ }, { "tag_style": { - "type": "string", "required": false, + "type": "string", "one_of": [ "dogstatsd", "influxdb", @@ -360,11 +358,12 @@ }, { "queue": { + "required": true, "fields": [ { "max_batch_size": { - "default": 1, "description": "Maximum number of entries that can be processed at a time.", + "default": 1, "between": [ 1, 1000000 @@ -374,8 +373,8 @@ }, { "max_coalescing_delay": { - "default": 1, "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "default": 1, "between": [ 0, 3600 @@ -385,8 +384,8 @@ }, { "max_entries": { - "default": 10000, "description": "Maximum number of entries that can be waiting on the queue.", + "default": 10000, "between": [ 1, 1000000 
@@ -402,15 +401,15 @@ }, { "max_retry_time": { - "default": 60, "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60, "type": "number" } }, { "initial_retry_delay": { - "default": 0.01, "description": "Time in seconds before the initial retry is made for a failing batch.", + "default": 0.01, "between": [ 0.001, 1000000 @@ -420,8 +419,8 @@ }, { "max_retry_delay": { - "default": 60, "description": "Maximum time in seconds between retries, caps exponential backoff.", + "default": 60, "between": [ 0.001, 1000000 @@ -431,9 +430,9 @@ }, { "concurrency_limit": { + "type": "integer", "default": 1, "description": "The number of of queue delivery timers. -1 indicates unlimited.", - "type": "integer", "one_of": [ -1, 1 @@ -441,14 +440,15 @@ } } ], - "required": true, "type": "record" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/syslog/3.11.x.json b/schemas/syslog/3.11.x.json index 27f2ac90..87880227 100644 --- a/schemas/syslog/3.11.x.json +++ b/schemas/syslog/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ 
@@ -29,25 +25,27 @@ "wss" ], "type": "string" - } + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "log_level": { + "required": true, "default": "info", "type": "string", - "required": true, "one_of": [ "debug", "info", @@ -62,9 +60,9 @@ }, { "successful_severity": { + "required": true, "default": "info", "type": "string", - "required": true, "one_of": [ "debug", "info", @@ -79,9 +77,9 @@ }, { "client_errors_severity": { + "required": true, "default": "info", "type": "string", - "required": true, "one_of": [ "debug", "info", @@ -96,9 +94,9 @@ }, { "server_errors_severity": { + "required": true, "default": "info", "type": "string", - "required": true, "one_of": [ "debug", "info", @@ -115,8 +113,8 @@ "custom_fields_by_lua": { "description": "Lua code as a key-value map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, "keys": { "type": "string", @@ -127,8 +125,8 @@ }, { "facility": { - "required": true, "type": "string", + "required": true, "default": "user", "description": "The facility is used by the operating system to decide how to handle each log message.", "one_of": [ @@ -156,9 +154,11 @@ } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/tcp-log/3.11.x.json b/schemas/tcp-log/3.11.x.json index e51f9399..79dbedcc 100644 --- a/schemas/tcp-log/3.11.x.json +++ b/schemas/tcp-log/3.11.x.json 
@@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ @@ -29,35 +25,37 @@ "wss" ], "type": "string" - } + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "host": { - "description": "The IP address or host name to send data to.", "required": true, + "description": "The IP address or host name to send data to.", "type": "string" } }, { "port": { + "required": true, + "description": "The port to send data to on the upstream server.", "between": [ 0, 65535 ], - "description": "The port to send data to on the upstream server.", - "required": true, "type": "integer" } }, 
@@ -77,24 +75,24 @@ }, { "tls": { - "default": false, - "description": "Indicates whether to perform a TLS handshake against the remote server.", "required": true, + "description": "Indicates whether to perform a TLS handshake against the remote server.", + "default": false, "type": "boolean" } }, { "tls_sni": { - "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake.", - "type": "string" + "type": "string", + "description": "An optional string that defines the SNI (Server Name Indication) hostname to send in the TLS handshake." } }, { "custom_fields_by_lua": { "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, "keys": { "type": "string", @@ -104,9 +102,11 @@ } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/tls-handshake-modifier/3.11.x.json b/schemas/tls-handshake-modifier/3.11.x.json index 28e50f31..33a0000a 100644 --- a/schemas/tls-handshake-modifier/3.11.x.json +++ b/schemas/tls-handshake-modifier/3.11.x.json @@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { + "required": true, "default": [ "https", "grpcs" 
@@ -25,36 +23,38 @@ "tls" ] }, - "required": true, "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "tls_client_certificate": { - "required": false, "type": "string", - "default": "REQUEST", + "required": false, "description": "TLS Client Certificate", + "default": "REQUEST", "one_of": [ "REQUEST" ] } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/tls-metadata-headers/3.11.x.json b/schemas/tls-metadata-headers/3.11.x.json index 68ca8cad..1f290c15 100644 --- a/schemas/tls-metadata-headers/3.11.x.json +++ b/schemas/tls-metadata-headers/3.11.x.json @@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "protocols": { + "required": true, "default": [ "https", "grpcs" @@ -25,20 +23,20 @@ "tls" ] }, - "required": true, "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "inject_client_cert_details": { 
@@ -49,48 +47,50 @@ }, { "client_cert_header_name": { - "default": "X-Client-Cert", - "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", "required": true, + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", + "default": "X-Client-Cert", "type": "string" } }, { "client_serial_header_name": { - "default": "X-Client-Cert-Serial", - "description": "Define the HTTP header name used for the serial number of the client certificate.", "required": true, + "description": "Define the HTTP header name used for the serial number of the client certificate.", + "default": "X-Client-Cert-Serial", "type": "string" } }, { "client_cert_issuer_dn_header_name": { - "default": "X-Client-Cert-Issuer-DN", - "description": "Define the HTTP header name used for the issuer DN of the client certificate.", "required": true, + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", + "default": "X-Client-Cert-Issuer-DN", "type": "string" } }, { "client_cert_subject_dn_header_name": { - "default": "X-Client-Cert-Subject-DN", - "description": "Define the HTTP header name used for the subject DN of the client certificate.", "required": true, + "description": "Define the HTTP header name used for the subject DN of the client certificate.", + "default": "X-Client-Cert-Subject-DN", "type": "string" } }, { "client_cert_fingerprint_header_name": { - "default": "X-Client-Cert-Fingerprint", - "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", "required": true, + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", + "default": "X-Client-Cert-Fingerprint", "type": "string" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
diff --git a/schemas/udp-log/3.11.x.json b/schemas/udp-log/3.11.x.json index eae6394a..efcd5093 100644 --- a/schemas/udp-log/3.11.x.json +++ b/schemas/udp-log/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ @@ -29,35 +25,37 @@ "wss" ], "type": "string" - } + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "host": { - "description": "A string representing a host name, such as example.com.", "required": true, + "description": "A string representing a host name, such as example.com.", "type": "string" } }, { "port": { + "required": true, + "description": "An integer representing a port number between 0 and 65535, inclusive.", "between": [ 0, 65535 ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "required": true, "type": "integer" } }, @@ -72,8 +70,8 @@ "custom_fields_by_lua": { "description": "Lua code as a key-value map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, "keys": { "type": "string", @@ -83,9 +81,11 @@ } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/upstream-oauth/3.11.x.json b/schemas/upstream-oauth/3.11.x.json index 484a5470..b9b87faf 100644 --- a/schemas/upstream-oauth/3.11.x.json +++ b/schemas/upstream-oauth/3.11.x.json 
@@ -18,15 +18,14 @@ "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ @@ -35,21 +34,24 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "config": { + "required": true, "fields": [ { "client": { + "required": true, "fields": [ { "auth_method": { - "required": true, "type": "string", - "default": "client_secret_post", + "required": true, "description": "The authentication method used in client requests to the IdP. Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", + "default": "client_secret_post", "one_of": [ "client_secret_post", "client_secret_basic", @@ -60,10 +62,10 @@ }, { "client_secret_jwt_alg": { - "required": true, "type": "string", - "default": "HS512", + "required": true, "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", + "default": "HS512", "one_of": [ "HS512", "HS256" 
@@ -72,87 +74,87 @@ }, { "http_version": { + "required": false, "default": 1.1, "description": "The HTTP version used for requests made by this plugin. Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", - "required": false, "type": "number" } }, { "http_proxy": { - "description": "The proxy to use when making HTTP requests to the IdP.", "required": false, + "description": "The proxy to use when making HTTP requests to the IdP.", "type": "string" } }, { "http_proxy_authorization": { - "description": "The `Proxy-Authorization` header value to be used with `http_proxy`.", "required": false, + "description": "The `Proxy-Authorization` header value to be used with `http_proxy`.", "type": "string" } }, { "https_proxy": { - "description": "The proxy to use when making HTTPS requests to the IdP.", "required": false, + "description": "The proxy to use when making HTTPS requests to the IdP.", "type": "string" } }, { "https_proxy_authorization": { - "description": "The `Proxy-Authorization` header value to be used with `https_proxy`.", "required": false, + "description": "The `Proxy-Authorization` header value to be used with `https_proxy`.", "type": "string" } }, { "no_proxy": { - "description": "A comma-separated list of hosts that should not be proxied.", "required": false, + "description": "A comma-separated list of hosts that should not be proxied.", "type": "string" } }, { "timeout": { + "type": "integer", + "required": true, + "default": 10000, "between": [ 0, 2147483646 ], - "required": true, - "type": "integer", - "default": 10000, "description": "Network I/O timeout for requests to the IdP in milliseconds." 
} }, { "keep_alive": { + "required": true, "default": true, "description": "Whether to use keepalive connections to the IdP.", - "required": true, "type": "boolean" } }, { "ssl_verify": { - "default": false, - "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", "required": false, + "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", + "default": false, "type": "boolean" } } ], - "required": true, "type": "record" } }, { "oauth": { + "required": true, "fields": [ { "token_endpoint": { - "description": "The token endpoint URI.", "required": true, + "description": "The token endpoint URI.", "type": "string" } }, @@ -185,10 +187,10 @@ }, { "grant_type": { - "required": true, "type": "string", - "default": "client_credentials", + "required": true, "description": "The OAuth grant type to be used.", + "default": "client_credentials", "one_of": [ "client_credentials", "password" 
@@ -198,79 +200,79 @@ { "client_id": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The client ID for the application registration in the IdP.", - "required": false + "referenceable": true } }, { "client_secret": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The client secret for the application registration in the IdP.", - "required": false + "referenceable": true } }, { "username": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The username to use if `config.oauth.grant_type` is set to `password`.", - "required": false + "referenceable": true } }, { "password": { "encrypted": true, - "referenceable": true, "type": "string", + "required": false, "description": "The password to use if `config.oauth.grant_type` is set to `password`.", - "required": false + "referenceable": true } }, { "scopes": { - "required": false, "type": "array", - "default": [ - "openid" - ], + "required": false, "description": "List of scopes to request from the IdP when obtaining a new token.", "elements": { "type": "string" - } + }, + "default": [ + "openid" + ] } }, { "audience": { - "required": false, "type": "array", - "default": [ - - ], + "required": false, "description": "List of audiences passed to the IdP when obtaining a new token.", "elements": { "type": "string" - } + }, + "default": [ + + ] } } ], - "required": true, "type": "record" } }, { "cache": { + "required": true, "fields": [ { "strategy": { - "required": true, "type": "string", - "default": "memory", + "required": true, "description": "The method Kong should use to cache tokens issued by the IdP.", + "default": "memory", "one_of": [ "memory", "redis" 
@@ -279,24 +281,22 @@ }, { "memory": { + "required": true, "fields": [ { "dictionary_name": { - "default": "kong_db_cache", - "description": "The shared dictionary used by the plugin to cache tokens if `config.cache.strategy` is set to `memory`.", "required": true, + "description": "The shared dictionary used by the plugin to cache tokens if `config.cache.strategy` is set to `memory`.", + "default": "kong_db_cache", "type": "string" } } ], - "required": true, "type": "record" } }, { "redis": { - "required": true, - "type": "record", "entity_checks": [ { "mutually_required": [ @@ -320,14 +320,14 @@ }, { "conditional": { - "if_match": { - "eq": true - }, - "then_field": "host", "if_field": "connection_is_proxied", "then_match": { "required": true - } + }, + "if_match": { + "eq": true + }, + "then_field": "host" } }, { @@ -358,12 +358,13 @@ } } ], + "type": "record", + "required": true, "shorthand_fields": [ { "timeout": { + "type": "integer", "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ 
@@ -380,47 +381,48 @@ "read_timeout" ] } - ] - }, - "type": "integer" + ], + "removal_in_version": "4.0", + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" + } } }, { "sentinel_addresses": { - "elements": { - "type": "string" - }, "len_min": 1, "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "sentinel_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" + }, + "elements": { + "type": "string" }, "type": "array" } }, { "cluster_addresses": { - "elements": { - "type": "string" - }, "len_min": 1, "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0", "replaced_with": [ { "path": [ "cluster_nodes" ] } - ] + ], + "removal_in_version": "4.0", + "message": "cluster_addresses is deprecated, please use cluster_nodes instead" + }, + "elements": { + "type": "string" }, "type": "array" } @@ -429,8 +431,8 @@ "fields": [ { "host": { - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", + "default": "127.0.0.1", "type": "string" } }, @@ -487,9 +489,9 @@ }, { "password": { - "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, "type": "string" } }, 
@@ -502,23 +504,23 @@ }, { "sentinel_password": { - "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "referenceable": true, + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, "type": "string" } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", + "default": 0, "type": "integer" } }, { "keepalive_pool_size": { - "default": 256, "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, "between": [ 1, 2147483646 
@@ -528,11 +530,11 @@ }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "between": [ 0, 2147483646 ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "type": "integer" } }, @@ -555,16 +557,16 @@ }, { "sentinel_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { - "type": "record", "fields": [ { "host": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -579,24 +581,24 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." } }, { "cluster_nodes": { - "required": false, "type": "array", + "required": false, + "len_min": 1, "elements": { - "type": "record", "fields": [ { "ip": { + "required": true, "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "required": true, "type": "string" } }, 
@@ -611,48 +613,48 @@ "type": "integer" } } - ] + ], + "type": "record" }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", - "len_min": 1 + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." } }, { "ssl": { + "required": false, "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "required": false, "type": "boolean" } }, { "ssl_verify": { + "required": false, "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "required": false, "type": "boolean" } }, { "server_name": { - "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string" } }, { "cluster_max_redirections": { + "required": false, "default": 5, "description": "Maximum retry attempts for redirection.", - "required": false, "type": "integer" } }, { "connection_is_proxied": { + "required": false, "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "required": false, "type": "boolean" } } 
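Review bot: `ssl` and `ssl_verify` both still default to `false` in this hunk, while the same Redis record carries a `sentinel_password` marked `encrypted` and `referenceable`. With these defaults the Redis AUTH exchange and whatever this plugin caches there (the next hunk mentions cached tokens) would travel without TLS or certificate verification unless the operator opts in. The schema only reorders keys here, so the least invasive fix is in the descriptions: for `ssl`, something like `"If set to true, uses SSL to connect to Redis. Enable this, together with ssl_verify, whenever a Redis password is configured or the connection leaves the local host."`. The file header for this schema is before the visible part of the diff, so the plugin name is not confirmed from here.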
@@ -661,75 +663,75 @@ }, { "eagerly_expire": { - "required": true, - "type": "integer", "gt": -1, - "description": "The number of seconds to eagerly expire a cached token. By default, a cached token expires 5 seconds before its lifetime as defined in `expires_in`.", - "default": 5 + "type": "integer", + "required": true, + "default": 5, + "description": "The number of seconds to eagerly expire a cached token. By default, a cached token expires 5 seconds before its lifetime as defined in `expires_in`." } }, { "default_ttl": { - "default": 3600, "description": "The lifetime of a token without an explicit `expires_in` value.", + "default": 3600, "gt": 0, "type": "number" } } ], - "required": true, "type": "record" } }, { "behavior": { + "required": true, "fields": [ { "upstream_access_token_header_name": { - "required": true, "type": "string", + "required": true, "default": "Authorization", - "description": "The name of the header used to send the access token (obtained from the IdP) to the upstream service.", - "len_min": 0 + "len_min": 0, + "description": "The name of the header used to send the access token (obtained from the IdP) to the upstream service." } }, { "idp_error_response_status_code": { + "type": "integer", + "required": true, + "default": 502, "between": [ 500, 599 ], - "required": true, - "type": "integer", - "default": 502, "description": "The response code to return to the consumer if Kong fails to obtain a token from the IdP." } }, { "idp_error_response_content_type": { - "required": true, "type": "string", + "required": true, "default": "application/json; charset=utf-8", - "description": "The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP.", - "len_min": 0 + "len_min": 0, + "description": "The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP." 
} }, { "idp_error_response_message": { - "required": true, "type": "string", + "required": true, "default": "Failed to authenticate request to upstream", - "description": "The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", - "len_min": 0 + "len_min": 0, + "description": "The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP." } }, { "idp_error_response_body_template": { - "required": true, "type": "string", + "required": true, "default": "{ \"code\": \"{{status}}\", \"message\": \"{{message}}\" }", - "description": "The template to use to create the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", - "len_min": 0 + "len_min": 0, + "description": "The template to use to create the body of the response to return to the consumer if Kong fails to obtain a token from the IdP." } }, { @@ -749,14 +751,17 @@ } } ], - "required": true, "type": "record" } } ], - "required": true, "type": "record" } } - ] + ], + "supported_partials": { + "redis-ee": [ + "config.cache.redis" + ] + } } \ No newline at end of file diff --git a/schemas/upstream-timeout/3.11.x.json b/schemas/upstream-timeout/3.11.x.json index d14b02ad..f25d94d6 100644 --- a/schemas/upstream-timeout/3.11.x.json +++ b/schemas/upstream-timeout/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -22,54 +18,58 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 1 and 2^31-2.", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 1 and 2^31-2.", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 1 and 2^31-2.", "between": [ 0, 2147483646 ], - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/vault-auth/3.11.x.json b/schemas/vault-auth/3.11.x.json index d42bfd70..8ffe7e14 100644 --- a/schemas/vault-auth/3.11.x.json +++ b/schemas/vault-auth/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
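Review bot: The new descriptions for `read_timeout`, `send_timeout` and `connect_timeout` say "Must be between 1 and 2^31-2", but the `between` constraint on all three is still `[ 0, 2147483646 ]`, so a value of 0 is still accepted by the schema. Either the bound or the text is wrong, and a reader cannot tell whether 0 is rejected, means "no timeout", or means "fail immediately". If 0 is not meant to be valid, the constraint should read `"between": [ 1, 2147483646 ]`. Otherwise the description should go back to 0 and say what a zero timeout does.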
@@ -22,64 +18,66 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "consumer": { "reference": "consumers", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "access_token_name": { - "required": true, "type": "string", - "default": "access_token", + "required": true, "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", "elements": { "type": "string", "description": "A string representing an HTTP header name." - } + }, + "default": "access_token" } }, { "secret_token_name": { - "required": true, "type": "string", - "default": "secret_token", + "required": true, "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", "elements": { "type": "string", "description": "A string representing an HTTP header name." 
- } + }, + "default": "secret_token" } }, { "vault": { + "required": true, "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", "reference": "vault_auth_vaults", - "required": true, "type": "foreign" } }, { "hide_credentials": { - "default": false, "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", + "default": false, "type": "boolean" } }, @@ -91,22 +89,24 @@ }, { "tokens_in_body": { - "default": false, "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", + "default": false, "type": "boolean" } }, { "run_on_preflight": { - "default": true, "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", + "default": true, "type": "boolean" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/websocket-size-limit/3.11.x.json b/schemas/websocket-size-limit/3.11.x.json index 6e1e3593..6e8c7a27 100644 --- a/schemas/websocket-size-limit/3.11.x.json +++ b/schemas/websocket-size-limit/3.11.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "required": true, "default": [ "ws", "wss" 
@@ -16,20 +14,20 @@ "wss" ] }, - "required": true, "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -41,28 +39,30 @@ "fields": [ { "client_max_payload": { + "required": false, "between": [ 1, 33554432 ], - "required": false, "type": "integer" } }, { "upstream_max_payload": { + "required": false, "between": [ 1, 33554432 ], - "required": false, "type": "integer" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/websocket-validator/3.11.x.json b/schemas/websocket-validator/3.11.x.json index 4bbf094d..5037e23b 100644 --- a/schemas/websocket-validator/3.11.x.json +++ b/schemas/websocket-validator/3.11.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "required": true, "default": [ "ws", "wss" @@ -16,20 +14,20 @@ "wss" ] }, - "required": true, "type": "set" } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "entity_checks": [ { "at_least_one_of": [ @@ -41,6 +39,7 @@ "fields": [ { "client": { + "required": false, "entity_checks": [ { "at_least_one_of": [ @@ -49,11 +48,10 @@ ] } ], - "type": "record", - "required": false, "fields": [ { "text": { + "required": false, "entity_checks": [ { "custom_entity_check": { 
@@ -64,14 +62,12 @@ } } ], - "type": "record", - "required": false, "fields": [ { "type": { - "type": "string", - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", "one_of": [ "draft4" ] @@ -79,16 +75,18 @@ }, { "schema": { - "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "required": true, + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "type": "string" } } - ] + ], + "type": "record" } }, { "binary": { + "required": false, "entity_checks": [ { "custom_entity_check": { @@ -99,14 +97,12 @@ } } ], - "type": "record", - "required": false, "fields": [ { "type": { - "type": "string", - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", "one_of": [ "draft4" ] @@ -114,19 +110,22 @@ }, { "schema": { - "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "required": true, + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "type": "string" } } - ] + ], + "type": "record" } } - ] + ], + "type": "record" } }, { "upstream": { + "required": false, "entity_checks": [ { "at_least_one_of": [ 
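Review bot: The `type` description under `config.client.text` refers to `config.upstream.binary.schema`, and the matching `schema` field in the next hunk says it validates "upstream-originated binary frames"; the same two strings are repeated for `client.binary`, `upstream.text` and `upstream.binary` in the later hunks of this file. Three of the four are therefore describing the wrong direction or frame type, which can mislead an operator about which traffic a given schema actually validates. Each description should name its own path, e.g. for this one `"The corresponding validation library for config.client.text.schema. Currently, only draft4 is supported."`, and the `schema` text should read "client-originated text frames" and so on for the other three.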
@@ -135,11 +134,10 @@ ] } ], - "type": "record", - "required": false, "fields": [ { "text": { + "required": false, "entity_checks": [ { "custom_entity_check": { @@ -150,14 +148,12 @@ } } ], - "type": "record", - "required": false, "fields": [ { "type": { - "type": "string", - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", "one_of": [ "draft4" ] @@ -165,16 +161,18 @@ }, { "schema": { - "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "required": true, + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "type": "string" } } - ] + ], + "type": "record" } }, { "binary": { + "required": false, "entity_checks": [ { "custom_entity_check": { @@ -185,14 +183,12 @@ } } ], - "type": "record", - "required": false, "fields": [ { "type": { - "type": "string", - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", "required": true, + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", "one_of": [ "draft4" ] 
@@ -200,21 +196,25 @@ }, { "schema": { - "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "required": true, + "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", "type": "string" } } - ] + ], + "type": "record" } } - ] + ], + "type": "record" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/xml-threat-protection/3.11.x.json b/schemas/xml-threat-protection/3.11.x.json index 5a48ae6a..773ac7bb 100644 --- a/schemas/xml-threat-protection/3.11.x.json +++ b/schemas/xml-threat-protection/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing HTTP protocols.", "elements": { "type": "string", "one_of": [ 
@@ -22,279 +18,283 @@ "http", "https" ] - } + }, + "description": "A set of strings representing HTTP protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "entity_checks": [ { "conditional": { - "if_match": { - "eq": true - }, - "then_field": "max_namespaces", "if_field": "namespace_aware", "then_match": { "required": true - } + }, + "if_match": { + "eq": true + }, + "then_field": "max_namespaces" } }, { "conditional": { - "if_match": { - "eq": true - }, - "then_field": "prefix", "if_field": "namespace_aware", "then_match": { "required": true - } + }, + "if_match": { + "eq": true + }, + "then_field": "prefix" } }, { "conditional": { - "if_match": { - "eq": true - }, - "then_field": "namespaceuri", "if_field": "namespace_aware", "then_match": { "required": true - } + }, + "if_match": { + "eq": true + }, + "then_field": "namespaceuri" } } ], "fields": [ { "checked_content_types": { - "required": true, "type": "set", - "default": [ - "application/xml" - ], + "required": true, "description": "A list of Content-Type values with payloads that must be validated.", "elements": { - "match": "^[^%s]+%/[^ ;]+$", "required": true, + "match": "^[^%s]+%/[^ ;]+$", "type": "string" - } + }, + "default": [ + "application/xml" + ] } }, { "allowed_content_types": { - "required": true, "type": "set", - "default": [ - - ], + "required": true, "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", "elements": { - "match": "^[^%s]+%/[^ ;]+$", "required": true, + "match": "^[^%s]+%/[^ ;]+$", "type": "string" - } + }, + "default": [ + + ] } }, { "allow_dtd": { + "required": true, "default": false, "description": "Indicates whether an XML Document Type Definition 
(DTD) section is allowed.", - "required": true, "type": "boolean" } }, { "namespace_aware": { + "required": true, "default": true, "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", - "required": true, "type": "boolean" } }, { "max_depth": { - "required": true, - "type": "integer", "gt": 0, + "type": "integer", + "required": true, "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", "default": 50 } }, { "max_children": { - "required": true, - "type": "integer", "gt": 0, + "type": "integer", + "required": true, "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", "default": 100 } }, { "max_attributes": { - "required": true, - "type": "integer", "gt": 0, + "type": "integer", + "required": true, "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", "default": 100 } }, { "max_namespaces": { - "required": false, - "type": "integer", "gt": 0, + "type": "integer", + "required": false, "description": "Maximum number of namespaces defined on a tag. 
This value is required if parsing is namespace-aware.", "default": 20 } }, { "document": { - "required": true, - "type": "integer", "gt": 0, + "type": "integer", + "required": true, "description": "Maximum size of the entire document.", "default": 10485760 } }, { "buffer": { - "required": true, - "type": "integer", "gt": 0, + "type": "integer", + "required": true, "description": "Maximum size of the unparsed buffer (see below).", "default": 1048576 } }, { "comment": { - "required": true, - "type": "integer", "gt": 0, + "type": "integer", + "required": true, "description": "Maximum size of comments.", "default": 1024 } }, { "localname": { - "required": true, - "type": "integer", "gt": 0, + "type": "integer", + "required": true, "description": "Maximum size of the localname. This applies to tags and attributes.", "default": 1024 } }, { "prefix": { - "required": false, - "type": "integer", "gt": 0, + "type": "integer", + "required": false, "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", "default": 1024 } }, { "namespaceuri": { - "required": false, - "type": "integer", "gt": 0, + "type": "integer", + "required": false, "description": "Maximum size of the namespace URI. 
This value is required if parsing is namespace-aware.", "default": 1024 } }, { "attribute": { - "required": true, - "type": "integer", "gt": 0, + "type": "integer", + "required": true, "description": "Maximum size of the attribute value.", "default": 1048576 } }, { "text": { - "required": true, - "type": "integer", "gt": 0, + "type": "integer", + "required": true, "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", "default": 1048576 } }, { "pitarget": { - "required": true, - "type": "integer", "gt": 0, + "type": "integer", + "required": true, "description": "Maximum size of processing instruction targets.", "default": 1024 } }, { "pidata": { - "required": true, - "type": "integer", "gt": 0, + "type": "integer", + "required": true, "description": "Maximum size of processing instruction data.", "default": 1024 } }, { "entityname": { - "required": true, - "type": "integer", "gt": 0, + "type": "integer", + "required": true, "description": "Maximum size of entity names in EntityDecl.", "default": 1024 } }, { "entity": { - "required": true, - "type": "integer", "gt": 0, + "type": "integer", + "required": true, "description": "Maximum size of entity values in EntityDecl.", "default": 1024 } }, { "entityproperty": { - "required": true, - "type": "integer", "gt": 0, + "type": "integer", + "required": true, "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", "default": 1024 } }, { "bla_max_amplification": { - "required": true, - "type": "number", "gt": 1, + "type": "number", + "required": true, "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", "default": 100 } }, { "bla_threshold": { - "required": true, - "type": "integer", "gt": 1024, + "type": "integer", + "required": true, "description": "Sets the threshold after which the protection starts. 
This protects against the Billion Laughs Attack.", "default": 8388608 } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/zipkin/3.11.x.json b/schemas/zipkin/3.11.x.json index f08c4023..cde967b7 100644 --- a/schemas/zipkin/3.11.x.json +++ b/schemas/zipkin/3.11.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "type": "set", + "required": true, "default": [ "grpc", "grpcs", "http", "https" ], - "description": "A set of strings representing protocols.", "elements": { "description": "A string representing a protocol, such as HTTP or HTTPS.", "one_of": [ @@ -29,25 +25,27 @@ "wss" ], "type": "string" - } + }, + "description": "A set of strings representing protocols." } }, { "consumer_group": { "reference": "consumer_groups", - "eq": null, "type": "foreign", - "description": "Custom type for representing a foreign key with a null value allowed." + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null } }, { "config": { + "required": true, "fields": [ { "local_service_name": { + "required": true, "default": "kong", "description": "The name of the service as displayed in Zipkin.", - "required": true, "type": "string" } }, @@ -59,8 +57,8 @@ }, { "sample_ratio": { - "default": 0.001, "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", + "default": 0.001, "between": [ 0, 1 
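Review bot: The size limits in this hunk (`document`, `buffer`, `comment`, `localname`, `prefix`, `namespaceuri`, `attribute`, `text`, `pitarget`, `pidata`, `entityname`, `entity`, `entityproperty`, `bla_threshold`) are described as "Maximum size of ..." with no unit, and the `buffer` description says "(see below)" although nothing follows it inside the schema. Since these values are the plugin's protection against oversized and amplifying XML payloads, an operator tuning them needs to know whether 10485760 is bytes or characters. Each description should state the unit (presumably bytes, to be confirmed against the parser), e.g. `"Maximum size of the entire document, in bytes."`, and the dangling "(see below)" should be replaced with the explanation it pointed to.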
@@ -76,16 +74,16 @@ }, { "include_credential": { + "required": true, "default": true, "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", - "required": true, "type": "boolean" } }, { "traceid_byte_count": { - "required": true, "type": "integer", + "required": true, "default": 16, "description": "The length in bytes of each request's Trace ID.", "one_of": [ @@ -96,8 +94,13 @@ }, { "header_type": { - "required": true, + "deprecation": { + "old_default": "preserve", + "removal_in_version": "4.0", + "message": "zipkin: config.header_type is deprecated, please use config.propagation options instead" + }, "type": "string", + "required": true, "default": "preserve", "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", "one_of": [ @@ -110,19 +113,20 @@ "ot", "aws", "datadog", - "gcp" - ], - "deprecation": { - "old_default": "preserve", - "message": "zipkin: config.header_type is deprecated, please use config.propagation options instead", - "removal_in_version": "4.0" - } + "gcp", + "instana" + ] } }, { "default_header_type": { - "required": true, + "deprecation": { + "old_default": "b3", + "removal_in_version": "4.0", + "message": "zipkin: config.default_header_type is deprecated, please use config.propagation.default_format instead" + }, "type": "string", + "required": true, "default": "b3", "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", "one_of": [ 
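Review bot: `include_credential` stays `"default": true`, and its description only says "the credential of the currently authenticated consumer" is included in metadata sent to the Zipkin server. It does not say whether that is a credential identifier or the credential value itself, and the tracing backend is often a separate system with wider read access than the gateway. The description should spell out exactly what is exported, for instance `"... whether the identifier (not the secret) of the authenticated consumer's credential should be included ..."` if that is what the plugin sends, and recommend `false` when the Zipkin server is outside the gateway's trust boundary.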
@@ -133,30 +137,27 @@ "ot", "aws", "datadog", - "gcp" - ], - "deprecation": { - "old_default": "b3", - "message": "zipkin: config.default_header_type is deprecated, please use config.propagation.default_format instead", - "removal_in_version": "4.0" - } + "gcp", + "instana" + ] } }, { "tags_header": { + "required": true, "default": "Zipkin-Tags", "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", - "required": true, "type": "string" } }, { "static_tags": { + "description": "The tags specified on this property will be added to the generated request traces.", "elements": { - "type": "record", "fields": [ { "name": { + "required": true, "not_one_of": [ "error", "http.method", @@ -172,7 +173,6 @@ "lc", "peer.hostname" ], - "required": true, "type": "string" } }, @@ -182,16 +182,16 @@ "type": "string" } } - ] + ], + "type": "record" }, - "description": "The tags specified on this property will be added to the generated request traces.", "type": "array" } }, { "http_span_name": { - "required": true, "type": "string", + "required": true, "default": "method", "description": "Specify whether to include the HTTP path in the span name.", "one_of": [ @@ -240,8 +240,8 @@ }, { "phase_duration_flavor": { - "required": true, "type": "string", + "required": true, "default": "annotations", "description": "Specify whether to include the duration of each phase as an annotation or a tag.", "one_of": [ @@ -252,11 +252,12 @@ }, { "queue": { + "required": true, "fields": [ { "max_batch_size": { - "default": 1, "description": "Maximum number of entries that can be processed at a time.", + "default": 1, "between": [ 1, 1000000 @@ -266,8 +267,8 @@ }, { "max_coalescing_delay": { - "default": 1, "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "default": 1, "between": [ 0, 3600 
@@ -277,8 +278,8 @@ }, { "max_entries": { - "default": 10000, "description": "Maximum number of entries that can be waiting on the queue.", + "default": 10000, "between": [ 1, 1000000 @@ -294,15 +295,15 @@ }, { "max_retry_time": { - "default": 60, "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", + "default": 60, "type": "number" } }, { "initial_retry_delay": { - "default": 0.01, "description": "Time in seconds before the initial retry is made for a failing batch.", + "default": 0.01, "between": [ 0.001, 1000000 @@ -312,8 +313,8 @@ }, { "max_retry_delay": { - "default": 60, "description": "Maximum time in seconds between retries, caps exponential backoff.", + "default": 60, "between": [ 0.001, 1000000 @@ -323,9 +324,9 @@ }, { "concurrency_limit": { + "type": "integer", "default": 1, "description": "The number of of queue delivery timers. -1 indicates unlimited.", - "type": "integer", "one_of": [ -1, 1 
@@ -333,89 +334,93 @@ } } ], - "required": true, "type": "record" } }, { "propagation": { + "required": true, "default": { "default_format": "b3" }, "fields": [ { "extract": { + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", "elements": { "type": "string", "one_of": [ - "gcp", - "jaeger", + "datadog", "aws", - "ot", + "gcp", + "instana", "w3c", - "datadog", - "b3" + "b3", + "jaeger", + "ot" ] }, - "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", "type": "array" } }, { "clear": { + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", "elements": { "type": "string" }, - "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", "type": "array" } }, { "inject": { + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. 
If left empty, Kong will not inject any tracing context information in outgoing requests.", "elements": { "type": "string", "one_of": [ "preserve", + "datadog", + "aws", "gcp", + "instana", + "w3c", + "b3", "b3-single", "jaeger", - "aws", - "ot", - "w3c", - "datadog", - "b3" + "ot" ] }, - "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests.", "type": "array" } }, { "default_format": { - "type": "string", - "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", "required": true, + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "type": "string", "one_of": [ + "datadog", + "aws", "gcp", + "instana", + "w3c", + "b3", "b3-single", "jaeger", - "aws", - "ot", - "w3c", - "datadog", - "b3" + "ot" ] } } ], - "required": true, "type": "record" } } ], - "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file From 97e73e86613c7acee32f999df04a4b8d23fe8ed1 Mon Sep 17 00:00:00 2001 From: Fabian Rodriguez Date: Mon, 2 Jun 2025 14:12:27 +0200 Subject: [PATCH 164/165] Generate ai-prompt-compressor json schema --- json_schemas/ai-prompt-compressor/3.11.json | 151 ++++++++++++++++++++ 1 file changed, 151 insertions(+) create mode 100644 json_schemas/ai-prompt-compressor/3.11.json 
diff --git a/json_schemas/ai-prompt-compressor/3.11.json b/json_schemas/ai-prompt-compressor/3.11.json
new file mode 100644
index 00000000..b5aa62c2
--- /dev/null
+++ b/json_schemas/ai-prompt-compressor/3.11.json
@@ -0,0 +1,151 @@ +{ + "properties": { + "config": { + "properties": { + "compression_ranges": { + "description": "What value to be used to compress with. The 'value' is interpreted as rate or target_token depending on compressor_type.", + "items": { + "properties": { + "max_tokens": { + "type": "integer" + }, + "min_tokens": { + "type": "integer" + }, + "value": { + "type": "number" + } + }, + "required": [ + "max_tokens", + "min_tokens", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "compressor_type": { + "default": "rate", + "description": "What compression type to use to compress with", + "enum": [ + "rate", + "target_token" + ], + "type": "string" + }, + "compressor_url": { + "default": "http://localhost:8080", + "description": "The url of the compressor", + "type": "string" + }, + "keepalive_timeout": { + "default": 60000, + "description": "The keepalive timeout for the established http connnection", + "type": "number" + }, + "log_text_data": { + "default": false, + "description": "Log the text data", + "type": "boolean" + }, + "message_type": { + "default": [ + "user" + ], + "items": { + "enum": [ + "assistant", + "system", + "user" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "stop_on_error": { + "default": true, + "description": "Stop processing if an error occurs", + "type": "boolean" + }, + "timeout": { + "default": 10000, + "description": "Connection timeout with the compressor", + "type": "number" + } + }, + "required": [ + "compression_ranges" + ], + "type": "object" + }, + "consumer": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). 
Leave unset for the plugin to activate regardless of the authenticated Consumer.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "consumer_group": { + "additionalProperties": false, + "description": "If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins can not be restricted to consumers groups this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer Groups", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "protocols": { + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols.", + "items": { + "enum": [ + "grpc", + "grpcs", + "http", + "https" + ], + "required": [], + "type": "string" + }, + "type": "array" + }, + "route": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + }, + "service": { + "additionalProperties": false, + "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", + "properties": { + "id": { + "type": "string" + } + }, + "required": [], + "type": "object" + } + }, + "required": [ + "config" + ] +} \ No newline at end of file From f57c332e860a3c9e86d9783fc38c0ecb98fbeaf7 Mon Sep 17 00:00:00 2001 From: Angel Date: Mon, 9 Jun 2025 14:29:24 +0200 Subject: [PATCH 165/165] add solace plugin --- schemas/solace/.gitkeep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 schemas/solace/.gitkeep 
diff --git a/schemas/solace/.gitkeep b/schemas/solace/.gitkeep
new file mode 100644
index 00000000..e69de29b